标题: 用冲击波找到入口为4A50CC,然后用trw2000载入unfoxall,下断点bpx 4a50cc,F5后又被拦截,下pedump
abc.exe,X退出,得到的abc.exe就是了。
内容:
- 标 题:unfoxall 2.1
- 作 者:CrackerABC[BCG]
- 时 间:2001-5-27 17:24:20
- 链 接:http://bbs.pediy.com
标题: 用冲击波找到入口为4A50CC,然后用trw2000载入unfoxall,下断点bpx 4a50cc,F5后又被拦截,下pedump
abc.exe,X退出,得到的abc.exe就是了。
内容:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048AAE4(C)
|
:0048AAF2 6A00
push 00000000
:0048AAF4 8D45F8
lea eax, dword ptr [ebp-08]
:0048AAF7 50
push eax
* Possible StringData Ref from Data Obj ->"UserName"
|
:0048AAF8 B9CCAD4800 mov ecx,
0048ADCC
* Possible StringData Ref from Data Obj ->"UserInfo"
|
:0048AAFD BAE0AD4800 mov edx,
0048ADE0
:0048AB02 8BC3
mov eax, ebx
:0048AB04 8B38
mov edi, dword ptr [eax]
:0048AB06 FF17
call dword ptr [edi]
:0048AB08 6A00
push 00000000
:0048AB0A 8D45F4
lea eax, dword ptr [ebp-0C]
:0048AB0D 50
push eax
* Possible StringData Ref from Data Obj ->"UserCompany"
|
:0048AB0E B9F4AD4800 mov ecx,
0048ADF4
* Possible StringData Ref from Data Obj ->"UserInfo"
|
:0048AB13 BAE0AD4800 mov edx,
0048ADE0
:0048AB18 8BC3
mov eax, ebx
:0048AB1A 8B38
mov edi, dword ptr [eax]
:0048AB1C FF17
call dword ptr [edi]
:0048AB1E 6A00
push 00000000
:0048AB20 8D45F0
lea eax, dword ptr [ebp-10]
:0048AB23 50
push eax
* Possible StringData Ref from Data Obj ->"UserEmail"
|
:0048AB24 B908AE4800 mov ecx,
0048AE08
* Possible StringData Ref from Data Obj ->"UserInfo"
|
:0048AB29 BAE0AD4800 mov edx,
0048ADE0
:0048AB2E 8BC3
mov eax, ebx
:0048AB30 8B38
mov edi, dword ptr [eax]
:0048AB32 FF17
call dword ptr [edi]
:0048AB34 6A00
push 00000000
:0048AB36 8D45EC
lea eax, dword ptr [ebp-14]
:0048AB39 50
push eax
* Possible StringData Ref from Data Obj ->"UserKey"
|
:0048AB3A B91CAE4800 mov ecx,
0048AE1C
* Possible StringData Ref from Data Obj ->"UserInfo"
|
:0048AB3F BAE0AD4800 mov edx,
0048ADE0
:0048AB44 8BC3
mov eax, ebx
:0048AB46 8B38
mov edi, dword ptr [eax]
:0048AB48 FF17
call dword ptr [edi] //----->设断点的地方
* Possible StringData Ref from Data Obj ->"[Not Registered]"
|
:0048AB4A 682CAE4800 push 0048AE2C
:0048AB4F 8D45E8
lea eax, dword ptr [ebp-18]
:0048AB52 50
push eax
* Possible StringData Ref from Data Obj ->"SerialNumber"
|
:0048AB53 B948AE4800 mov ecx,
0048AE48
* Possible StringData Ref from Data Obj ->"UserInfo"
|
:0048AB58 BAE0AD4800 mov edx,
0048ADE0
:0048AB5D 8BC3
mov eax, ebx
:0048AB5F 8B38
mov edi, dword ptr [eax]
:0048AB61 FF17
call dword ptr [edi]
:0048AB63 8D55E4
lea edx, dword ptr [ebp-1C]
:0048AB66 8B45F8
mov eax, dword ptr [ebp-08]
:0048AB69 E822D8F7FF call 00408390
:0048AB6E FF75E4
push [ebp-1C]
:0048AB71 8D55E0
lea edx, dword ptr [ebp-20]
:0048AB74 8B45F4
mov eax, dword ptr [ebp-0C]
:0048AB77 E814D8F7FF call 00408390
:0048AB7C FF75E0
push [ebp-20]
:0048AB7F 8D55DC
lea edx, dword ptr [ebp-24]
:0048AB82 8B45F0
mov eax, dword ptr [ebp-10]
:0048AB85 E806D8F7FF call 00408390
:0048AB8A FF75DC
push [ebp-24]
:0048AB8D A184864A00 mov eax,
dword ptr [004A8684]
:0048AB92 33D2
xor edx, edx
:0048AB94 52
push edx
:0048AB95 50
push eax
:0048AB96 8D45D4
lea eax, dword ptr [ebp-2C]
:0048AB99 E80AD9F7FF call 004084A8
:0048AB9E 8B45D4
mov eax, dword ptr [ebp-2C]
:0048ABA1 8D55D8
lea edx, dword ptr [ebp-28]
:0048ABA4 E8E7D7F7FF call 00408390
:0048ABA9 FF75D8
push [ebp-28]
:0048ABAC B8A8AA5400 mov eax,
0054AAA8
:0048ABB1 BA04000000 mov edx,
00000004
:0048ABB6 E80D93F7FF call 00403EC8
:0048ABBB B88CAA5400 mov eax,
0054AA8C
:0048ABC0 8B55E8
mov edx, dword ptr [ebp-18]
:0048ABC3 E81890F7FF call 00403BE0
:0048ABC8 A1A8AA5400 mov eax,
dword ptr [0054AAA8]
:0048ABCD E83692F7FF call 00403E08
:0048ABD2 50
push eax
:0048ABD3 B8A8AA5400 mov eax,
0054AAA8
:0048ABD8 E8FB93F7FF call 00403FD8
:0048ABDD 5A
pop edx
:0048ABDE E8F51DFEFF call 0046C9D8
:0048ABE3 35F4C5C2C4 xor eax,
C4C2C5F4
:0048ABE8 33D2
xor edx, edx
:0048ABEA 52
push edx
:0048ABEB 50
push eax
:0048ABEC 8D55E4
lea edx, dword ptr [ebp-1C]
:0048ABEF B808000000 mov eax,
00000008
:0048ABF4 E81FD9F7FF call 00408518
:0048ABF9 8B55E4
mov edx, dword ptr [ebp-1C]
:0048ABFC B8A8AA5400 mov eax,
0054AAA8
:0048AC01 E8DA8FF7FF call 00403BE0
:0048AC06 B890AA5400 mov eax,
0054AA90
:0048AC0B 8B158CAA5400 mov edx, dword
ptr [0054AA8C]
:0048AC11 E8CA8FF7FF call 00403BE0
:0048AC16 8B45EC
mov eax, dword ptr [ebp-14]
:0048AC19 8B15A8AA5400 mov edx, dword
ptr [0054AAA8]
:0048AC1F E8F492F7FF call 00403F18
:0048AC24 0F84A8000000 je 0048ACD2
:0048AC2A 33D2
xor edx, edx
:0048AC2C 8B86E4020000 mov eax, dword
ptr [esi+000002E4]
:0048AC32 E8851FFBFF call 0043CBBC
:0048AC37 33D2
xor edx, edx
:0048AC39 8B86E8020000 mov eax, dword
ptr [esi+000002E8]
:0048AC3F E8781FFBFF call 0043CBBC
:0048AC44 33D2
xor edx, edx
:0048AC46 8B86F0020000 mov eax, dword
ptr [esi+000002F0]
:0048AC4C E86B1FFBFF call 0043CBBC
:0048AC51 33D2
xor edx, edx
:0048AC53 8B86F4020000 mov eax, dword
ptr [esi+000002F4]
:0048AC59 E85E1FFBFF call 0043CBBC
:0048AC5E 33D2
xor edx, edx
:0048AC60 8B8644030000 mov eax, dword
ptr [esi+00000344]
:0048AC66 E8511FFBFF call 0043CBBC
:0048AC6B 33D2
xor edx, edx
:0048AC6D 8B8648030000 mov eax, dword
ptr [esi+00000348]
:0048AC73 E8441FFBFF call 0043CBBC
:0048AC78 33D2
xor edx, edx
:0048AC7A 8B8600030000 mov eax, dword
ptr [esi+00000300]
:0048AC80 8B08
mov ecx, dword ptr [eax]
:0048AC82 FF5160
call [ecx+60]
:0048AC85 33D2
xor edx, edx
:0048AC87 8B8604030000 mov eax, dword
ptr [esi+00000304]
:0048AC8D 8B08
mov ecx, dword ptr [eax]
:0048AC8F FF5160
call [ecx+60]
:0048AC92 33D2
xor edx, edx
:0048AC94 8B8608030000 mov eax, dword
ptr [esi+00000308]
:0048AC9A 8B08
mov ecx, dword ptr [eax]
:0048AC9C FF5160
call [ecx+60]
:0048AC9F 33D2
xor edx, edx
:0048ACA1 8B860C030000 mov eax, dword
ptr [esi+0000030C]
:0048ACA7 8B08
mov ecx, dword ptr [eax]
:0048ACA9 FF5160
call [ecx+60]
:0048ACAC 33D2
xor edx, edx
:0048ACAE 8B867C030000 mov eax, dword
ptr [esi+0000037C]
:0048ACB4 8B08
mov ecx, dword ptr [eax]
:0048ACB6 FF5160
call [ecx+60]
:0048ACB9 33D2
xor edx, edx
:0048ACBB 8B8680030000 mov eax, dword
ptr [esi+00000380]
:0048ACC1 8B08
mov ecx, dword ptr [eax]
:0048ACC3 FF5160
call [ecx+60]
:0048ACC6 8BC3
mov eax, ebx
:0048ACC8 E8CB82F7FF call 00402F98
:0048ACCD E9B1000000 jmp 0048AD83
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
UNFOXALL 2.1 注册码破解
破解者:NORDA
工具:TRW2000 1.23
过 程:
1、起动程序,命令按钮皆为灰色,不可用。点“帮助”中“关于UnFoxAll”菜单项,进入关于本
程序窗口,点“注册”按钮,填入姓名,公司,Email,点“生成注册文件”;
2、在UNFOXALL的目录中打开刚才生成的文件UNFOXALL.INI,填上SerialNumber=CYCYCYCY,关闭
并保存文件。按“注册UNFOXALL”,利用刚才生成的UNFOXALL.INI注册,关闭程序;
3、用TRW装载程序,设断点 BPX 48ab48
运行UNFOXALL
中断在此
016F:0048AB48 CALL NEAR [EDI]
016F:0048AB4A PUSH DWORD 0048AE2C
016F:0048AB4F LEA EAX,[EBP-18]
016F:0048AB52 PUSH EAX
016F:0048AB53 MOV ECX,0048AE48
016F:0048AB58 MOV EDX,0048ADE0
016F:0048AB5D MOV EAX,EBX
016F:0048AB5F MOV EDI,[EAX]
016F:0048AB61 CALL NEAR [EDI]
016F:0048AB63 LEA EDX,[EBP-1C]
016F:0048AB66 MOV EAX,[EBP-08]
016F:0048AB69 CALL 00408390
016F:0048AB6E PUSH DWORD [EBP-1C]
016F:0048AB71 LEA EDX,[EBP-20]
再设断点 BPX 403F41
G
中断大约二到三次以后,D ESI 可看见注册码(按下面的标注,此时 ESI 指向程序得出的正确注册码,EDI 指向用户输入;校验只是把两者逐段做明文比较,所以正确值会完整地出现在内存中,这正是这类本地明文比对校验的弱点)
:00403F41 8B0E
mov ecx, dword ptr [esi] <----- D ESI 注册码
:00403F43 8B1F
mov ebx, dword ptr [edi] <----- D EDI 输入
CYCYCYCY
:00403F45 39D9
cmp ecx, ebx
:00403F47 7558
jne 00403FA1
后记:多谢CrackerABC[BCG]大哥转帖的帖子,使我从井风大哥的教学里学到很多。