先用S-ICE(SoftICE)跟踪,找到了下面这段代码:
; Fragment of a W32Dasm listing (32-bit x86, Intel operand order). It starts
; and ends in the middle of a function, so the frame set-up and the jump
; targets 00401685, 0040150B and 0040150D are not visible here.
; What the visible code does:
;   1. calls MSVCRT._strlwr through the import slot [0041B17C]
;   2. pushes eight dwords and calls 00411CDD, then calls 00411D22 with
;      [ebp-80], [ebp-7C] and the address of the local at ebp+FFFFFF1C
;   3. if 00411D22 returns non-zero in al, stores 2 in [0042128C]
;   4. otherwise repeats steps 2-3 with a second set of eight dwords and
;      stores 1 on success; if that also fails it jumps to 00401685
;   5. continues at 004014BC with work that no longer touches the flag
; NOTE(review): 00411CDD and 00411D22 are not shown; presumably the first
; prepares an expected value and the second compares it with the entered
; one -- confirm.
; NOTE(review): the outcome of the whole validation is reduced to one dword
; in writable global data (0042128C). Code that derives the licensed
; behaviour from the validated key material, instead of from a stored flag,
; would not have this single point of decision.
* Reference To: MSVCRT._strlwr, Ord:01BEh
|
:00401401 FF157CB14100 Call dword ptr
[0041B17C]
; Releases one stack dword after the call; the matching push is before
; the start of this excerpt.
:00401407 59
pop ecx
; First data set for 00411CDD: four immediates alternating with four values
; loaded from memory, eight dwords in total.
:00401408 6818B84100 push 0041B818
:0040140D FF3510B84100 push dword ptr
[0041B810]
:00401413 6890B74100 push 0041B790
:00401418 FF358CB74100 push dword ptr
[0041B78C]
:0040141E 6878B74100 push 0041B778
:00401423 FF3570B74100 push dword ptr
[0041B770]
:00401429 68F0B64100 push 0041B6F0
:0040142E FF35E8B64100 push dword ptr
[0041B6E8]
:00401434 E8A4080100 call 00411CDD
; Caller removes the eight dwords (8 * 4 = 20h).
:00401439 83C420
add esp, 00000020
; Three stack arguments for 00411D22: [ebp-80], [ebp-7C], then the address
; of the local at ebp+FFFFFF1C (that is, ebp-0E4h).
:0040143C FF7580
push [ebp-80]
:0040143F FF7584
push [ebp-7C]
:00401442 8D851CFFFFFF lea eax, dword
ptr [ebp+FFFFFF1C]
:00401448 50
push eax
:00401449 E8D4080100 call 00411D22
; Caller removes the three dwords (3 * 4 = 0Ch).
:0040144E 83C40C
add esp, 0000000C
; Only the low byte of the return value is examined; zero means "no match
; with the first data set" and control moves to the second attempt.
:00401451 84C0
test al, al
:00401453 740C
je 00401461
; Flag value 2; the author's marker on the line reads "unlimited version".
:00401455 C7058C12420002000000 mov dword ptr [0042128C], 00000002<----unlimited版本
:0040145F EB5B
jmp 004014BC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401453(C)
|
; Second attempt: same call sequence as above with a different set of
; eight dwords; the three arguments to 00411D22 are unchanged.
:00401461 6868B64100 push 0041B668
:00401466 FF3560B64100 push dword ptr
[0041B660]
:0040146C 68E0B54100 push 0041B5E0
:00401471 FF35DCB54100 push dword ptr
[0041B5DC]
:00401477 68C8B54100 push 0041B5C8
:0040147C FF35C0B54100 push dword ptr
[0041B5C0]
:00401482 6840B54100 push 0041B540
:00401487 FF3538B54100 push dword ptr
[0041B538]
:0040148D E84B080100 call 00411CDD
:00401492 83C420
add esp, 00000020
:00401495 FF7580
push [ebp-80]
:00401498 FF7584
push [ebp-7C]
:0040149B 8D851CFFFFFF lea eax, dword
ptr [ebp+FFFFFF1C]
:004014A1 50
push eax
:004014A2 E87B080100 call 00411D22
:004014A7 83C40C
add esp, 0000000C
:004014AA 84C0
test al, al
; Both attempts failed: leave for 00401685 without writing the flag here.
:004014AC 0F84D3010000 je 00401685
; Flag value 1; the author's marker on the line reads "personal version".
:004014B2 C7058C12420001000000 mov dword ptr [0042128C], 00000001<---personal版本
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040145F(U)
|
; Common continuation for both successful outcomes.
; [ebp-04] is cleared; the two dwords at ebp+FFFFFD50 / ebp+FFFFFD54 are
; set to 80000002 and 0; then the low byte of [ebp-04] is set to 1 (the
; encoding C6 45 FC 01 is a byte store).
; NOTE(review): 80000002 equals the Win32 HKEY_LOCAL_MACHINE handle value,
; so the object at ebp+FFFFFD50 presumably wraps a registry key -- confirm.
:004014BC 8365FC00 and
dword ptr [ebp-04], 00000000
:004014C0 C78550FDFFFF02000080 mov dword ptr [ebp+FFFFFD50], 80000002
:004014CA 83A554FDFFFF00 and dword ptr [ebp+FFFFFD54],
00000000
:004014D1 C645FC01 mov
[ebp-04], 01
; Two stack arguments (2 and 0041BF18) with ecx holding the address of the
; object just initialised; looks like a member-function call -- confirm.
:004014D5 6A02
push 00000002
:004014D7 6818BF4100 push 0041BF18
:004014DC 8D8D50FDFFFF lea ecx, dword
ptr [ebp+FFFFFD50]
:004014E2 E8B4DE0000 call 0040F39B
; Skip the following copy when esi is zero.
:004014E7 8BC6
mov eax, esi
:004014E9 85C0
test eax, eax
:004014EB 741E
je 0040150B
; 0040FE87 is called with esi as its only argument; its result is rounded
; up to a multiple of 4 (add 3, clear the two low bits) and passed in eax
; to 00415960. Afterwards esp is taken as a buffer address and handed,
; together with esi, to 0040FE9C.
; NOTE(review): presumably length / stack allocation / copy helpers;
; none of the three routines is shown -- confirm.
:004014ED 56
push esi
:004014EE E894E90000 call 0040FE87
:004014F3 59
pop ecx
:004014F4 83C003
add eax, 00000003
:004014F7 24FC
and al, FC
:004014F9 E862440100 call 00415960
:004014FE 8BC4
mov eax, esp
:00401500 50
push eax
:00401501 56
push esi
:00401502 E895E90000 call 0040FE9C
; Two pops release the two arguments of 0040FE9C.
:00401507 59
pop ecx
:00401508 59
pop ecx
:00401509 EB02
jmp 0040150D
但由于计算复杂,只好用W32Dasm了
上面的代码用地址0042128C保存版本标志(2为unlimited版本,1为personal版本),因此在W32Dasm中搜索0042128C,发现
=================================================================
; Start of the routine at 00401148 (W32Dasm listing, 32-bit x86, Intel
; operand order); it has one caller, at 00402525, and the excerpt stops
; after the second compare.
; It loads the dword at [0042128C] and compares it with 1 and then 2:
;   value 1 -> jumps to 00401157
;   value 2 -> falls through to 00401157 (the address right after the jne)
;   other   -> jumps to 00401177
; Neither target is shown; according to the page text this choice controls
; whether the registration prompt appears at start-up.
; NOTE(review): the decision depends only on a global dword compared with
; constants, with no visible re-validation of the key at this point.
* Referenced by a CALL at Address:
|:00402525
|
:00401148 A18C124200 mov eax,
dword ptr [0042128C]
:0040114D 83F801
cmp eax, 00000001
:00401150 7405
je 00401157
:00401152 83F802
cmp eax, 00000002
:00401155 7520
jne 00401177
=================================================================
上面的这段代码决定软件启动时是否显示注册提示画面
=================================================================
; Start of the routine at 004017C4 (W32Dasm listing, 32-bit x86, Intel
; operand order), called from four sites; the excerpt ends before the
; first call inside it.
; Visible behaviour:
;   - standard ebp frame with 50h bytes of locals
;   - loads the dword at [0042128C]; values 1 and 2 both jump to 00401809
;   - any other value falls through and starts pushing arguments: the
;     constant 50h and the address of the local at ebp-50
; According to the page text this routine selects the edition string shown
; in the window caption.
; NOTE(review): 50h matches the size of the local area reserved above, so
; the two pushes are presumably a buffer size and buffer pointer -- confirm
; against the call that follows the excerpt.
* Referenced by a CALL at Addresses:
|:00401637 , :00403CB4 , :004051BA , :00405461
|
:004017C4 55
push ebp
:004017C5 8BEC
mov ebp, esp
:004017C7 83EC50
sub esp, 00000050
; The flag is read before esi is saved; push does not alter eax or flags.
:004017CA A18C124200 mov eax,
dword ptr [0042128C]
:004017CF 56
push esi
:004017D0 83F801
cmp eax, 00000001
:004017D3 7434
je 00401809
:004017D5 83F802
cmp eax, 00000002
:004017D8 742F
je 00401809
; Path for flag values other than 1 or 2.
:004017DA 8D45B0
lea eax, dword ptr [ebp-50]
:004017DD 6A50
push 00000050
:004017DF 50
push eax
=================================================================
上面的这段决定软件的版本(在软件窗口边框上显示)
好吧,我输入的注册码计算后,0042128C的标志肯定是"0"(否则我可以去买体育彩票了)
那麽该知道怎麽改了吧
把cmp eax, 00000001和cmp eax, 00000002中的01(或02)改为"0",一切OK