IPARMOR4.0 30 TIMES LIMITS CRACK AND REG
该软件DEMO版有运行30次限制,在注册窗口输入用户名及注册码后,
点按“注册”按钮无提示。
用fi240观察后知其为DELPHI编程,故用 DEDE 反编译,发现在下列
地址处为“注册”钮入口子程序:
(DEDE 2.50)
{ DeDe 2.50 listing of the "Register" button handler, pasted from the post.
  Read together with the decompiler's "* Reference to" notes, the listing shows:
    - Edit2's text is read (TControl.GetText), passed through sysutils.UpperCase
      and handed to a tIceLock1 routine at 0048C3A0. NOTE(review): the post's
      annotation at the GetText call describes a length computation, but the
      call shown is GetText.
    - Field tIceLock.OFFS_0024 is converted with @LStrFromString, trimmed and
      handed to the same 0048C3A0 routine.
    - Edit1's text is transformed by StringCrypt2000X1 (0048D798) and pushed.
    - IntToStr(tIceLock1.OFFS_0224 + $16D) is transformed by the same
      StringCrypt2000X1 routine.
    - The two results are compared with @LStrCmp; the JNZ at 004A082E skips
      the success path ('Register ok!', 'registed!', controls hidden) and
      lands on the shared exit at 004A08CF, which leads into the FINALLY block.
  Security note (defender's view): the expected value is derived only from
  data present on the client and is compared in clear, and a single
  conditional branch decides the outcome. A license check that must resist
  patching or key recovery should verify a signature over the license data
  with a key the client does not hold, rather than recompute the secret
  locally. }
procedure TForm7.SpeedButton1Click(Sender: TObject);
begin
{
004A06DC 55
push ebp
004A06DD 8BEC
mov ebp, esp
004A06DF 81C4DCFEFFFF add
esp, $FFFFFEDC
004A06E5 53
push ebx
004A06E6 56
push esi
004A06E7 33C9
xor ecx, ecx
004A06E9 898DDCFEFFFF mov
[ebp+$FFFFFEDC], ecx
004A06EF 898DECFEFFFF mov
[ebp+$FFFFFEEC], ecx
004A06F5 898DE4FEFFFF mov
[ebp+$FFFFFEE4], ecx
004A06FB 898DE0FEFFFF mov
[ebp+$FFFFFEE0], ecx
004A0701 898DE8FEFFFF mov
[ebp+$FFFFFEE8], ecx
004A0707 898DF4FEFFFF mov
[ebp+$FFFFFEF4], ecx
004A070D 898DF0FEFFFF mov
[ebp+$FFFFFEF0], ecx
004A0713 898DFCFEFFFF mov
[ebp+$FFFFFEFC], ecx
004A0719 898DF8FEFFFF mov
[ebp+$FFFFFEF8], ecx
004A071F 8BD8
mov ebx, eax
004A0721 33C0
xor eax, eax
004A0723 55
push ebp
004A0724 681E094A00 push
$004A091E
***** TRY
|
004A0729 64FF30
push dword ptr fs:[eax]
004A072C 648920
mov fs:[eax], esp
004A072F 8D95F8FEFFFF lea
edx, [ebp+$FFFFFEF8]
* Reference to control TForm7.Edit2 : TEdit
|
004A0735 8B83E8020000 mov
eax, [ebx+$02E8]
* Reference to: controls.TControl.GetText(TControl):System.String;
|
004A073B E89CDEF8FF call
0042E5DC
-->计算用户名字符长度
004A0740 8B85F8FEFFFF mov
eax, [ebp+$FFFFFEF8]
004A0746 8D95FCFEFFFF lea
edx, [ebp+$FFFFFEFC]
* Reference to: sysutils.UpperCase(System.AnsiString):System.AnsiString;
|
004A074C E8B77FF6FF call
00408708
-->>用户名小写字母转换为大写字母
004A0751 8B95FCFEFFFF mov
edx, [ebp+$FFFFFEFC]
004A0757 8D8500FFFFFF lea
eax, [ebp+$FFFFFF00]
004A075D B9FF000000 mov
ecx, $000000FF
* Reference to: system.@LStrToString;
|
004A0762 E81939F6FF call
00404080
004A0767 8D9500FFFFFF lea
edx, [ebp+$FFFFFF00]
* Reference to control TForm7.tIceLock1 : tIceLock
|
004A076D 8B83D0020000 mov
eax, [ebx+$02D0]
|
004A0773 E828BCFEFF call
0048C3A0
004A0778 8D85F0FEFFFF lea
eax, [ebp+$FFFFFEF0]
* Reference to control TForm7.tIceLock1 : tIceLock
|
004A077E 8BB3D0020000 mov
esi, [ebx+$02D0]
* Reference to field tIceLock.OFFS_0024
|
004A0784 8D5624
lea edx, [esi+$24]
* Reference to: system.@LStrFromString(String;ShortString);
| or: system.@WStrFromString(WideString;ShortString);
|
004A0787 E8BC38F6FF call
00404048
004A078C 8B85F0FEFFFF mov
eax, [ebp+$FFFFFEF0]
004A0792 8D95F4FEFFFF lea
edx, [ebp+$FFFFFEF4]
* Reference to: sysutils.Trim(System.AnsiString):System.AnsiString;
|
004A0798 E8AF81F6FF call
0040894C
004A079D 8B95F4FEFFFF mov
edx, [ebp+$FFFFFEF4]
004A07A3 8D8500FFFFFF lea
eax, [ebp+$FFFFFF00]
004A07A9 B9FF000000 mov
ecx, $000000FF
* Reference to: system.@LStrToString;
|
004A07AE E8CD38F6FF call
00404080
004A07B3 8D9500FFFFFF lea
edx, [ebp+$FFFFFF00]
004A07B9 8BC6
mov eax, esi
|
004A07BB E8E0BBFEFF call
0048C3A0
004A07C0 8D95E8FEFFFF lea
edx, [ebp+$FFFFFEE8]
* Reference to control TForm7.Edit1 : TEdit
|
004A07C6 8B83DC020000 mov
eax, [ebx+$02DC]
* Reference to: controls.TControl.GetText(TControl):System.String;
|
004A07CC E80BDEF8FF call
0042E5DC
004A07D1 8B95E8FEFFFF mov
edx, [ebp+$FFFFFEE8]
004A07D7 8D8DECFEFFFF lea
ecx, [ebp+$FFFFFEEC]
* Reference to control TForm7.StringCrypt2000X1 : TStringCrypt2000X
|
004A07DD 8B83F0020000 mov
eax, [ebx+$02F0]
|
004A07E3 E8B0CFFEFF call
0048D798
004A07E8 8B85ECFEFFFF mov
eax, [ebp+$FFFFFEEC]
004A07EE 50
push eax
004A07EF 8D95E0FEFFFF lea
edx, [ebp+$FFFFFEE0]
* Reference to control TForm7.tIceLock1 : tIceLock
|
004A07F5 8B83D0020000 mov
eax, [ebx+$02D0]
* Reference to field tIceLock.OFFS_0224
|
004A07FB 8B8024020000 mov
eax, [eax+$0224]
004A0801 056D010000 add
eax, +$0000016D
* Reference to: sysutils.IntToStr(System.Integer):System.AnsiString;overload;
|
004A0806 E8F582F6FF call
00408B00
-->>计算注册码
004A080B 8B95E0FEFFFF mov
edx, [ebp+$FFFFFEE0]
-->>注册码进[EDX]
004A0811 8D8DE4FEFFFF lea
ecx, [ebp+$FFFFFEE4]
* Reference to control TForm7.StringCrypt2000X1 : TStringCrypt2000X
|
004A0817 8B83F0020000 mov
eax, [ebx+$02F0]
|
004A081D E876CFFEFF call
0048D798
004A0822 8B95E4FEFFFF mov
edx, [ebp+$FFFFFEE4]
004A0828 58
pop eax
* Reference to: system.@LStrCmp;
|
004A0829 E88639F6FF call
004041B4
004A082E 0F859B000000 jnz
004A08CF
-->>字符串比较,转移则FAILURE
不转移注册成功!!!!
* Reference to control TForm7.DiskInfo2000X1 : TDiskInfo2000X
|
004A0834 8B83EC020000 mov
eax, [ebx+$02EC]
* Reference to field TDiskInfo2000X.OFFS_0044
|
004A083A 8B5044
mov edx, [eax+$44]
004A083D 8D85DCFEFFFF lea
eax, [ebp+$FFFFFEDC]
004A0843 B934094A00 mov
ecx, $004A0934
* Reference to: system.@LStrCat3;
|
004A0848 E8A338F6FF call
004040F0
004A084D 8B95DCFEFFFF mov
edx, [ebp+$FFFFFEDC]
004A0853 8D8500FFFFFF lea
eax, [ebp+$FFFFFF00]
004A0859 B9FF000000 mov
ecx, $000000FF
* Reference to: system.@LStrToString;
|
004A085E E81D38F6FF call
00404080
004A0863 8D9500FFFFFF lea
edx, [ebp+$FFFFFF00]
* Reference to control TForm7.tIceLock1 : tIceLock
|
004A0869 8B83D0020000 mov
eax, [ebx+$02D0]
|
004A086F E82CBBFEFF call
0048C3A0
* Possible String Reference to: 'Register ok!'
|
004A0874 B840094A00 mov
eax, $004A0940
* Reference to: dialogs.ShowMessage(System.AnsiString);
|
004A0879 E8BA16FBFF call
00451F38
|
004A087E E885FDFFFF call
004A0608
* Reference to Form7
|
004A0883 A1F84C4B00 mov
eax, dword ptr [$4B4CF8]
* Reference to field Form7.OFFS_02D4
|
004A0888 8B80D4020000 mov
eax, [eax+$02D4]
* Possible String Reference to: 'registed!'
|
004A088E BA58094A00 mov
edx, $004A0958
* Reference to: controls.TControl.SetText(TControl;System.String);
|
004A0893 E874DDF8FF call
0042E60C
004A0898 33D2
xor edx, edx
* Reference to control TForm7.SpeedButton1 : TSpeedButton
|
004A089A 8B83E4020000 mov
eax, [ebx+$02E4]
* Reference to: controls.TControl.SetVisible(TControl;System.Boolean);
|
004A08A0 E84FDCF8FF call
0042E4F4
004A08A5 33D2
xor edx, edx
* Reference to control TForm7.Edit1 : TEdit
|
004A08A7 8B83DC020000 mov
eax, [ebx+$02DC]
* Reference to: controls.TControl.SetVisible(TControl;System.Boolean);
|
004A08AD E842DCF8FF call
0042E4F4
004A08B2 33D2
xor edx, edx
* Reference to control TForm7.Label3 : TLabel
|
004A08B4 8B83D8020000 mov
eax, [ebx+$02D8]
* Reference to: controls.TControl.SetVisible(TControl;System.Boolean);
|
004A08BA E835DCF8FF call
0042E4F4
* Possible String Reference to: 'registed'
|
004A08BF BA6C094A00 mov
edx, $004A096C
* Reference to control TForm7.Label2 : TLabel
|
004A08C4 8B83E0020000 mov
eax, [ebx+$02E0]
* Reference to: controls.TControl.SetText(TControl;System.String);
|
004A08CA E83DDDF8FF call
0042E60C
004A08CF 33C0
xor eax, eax
004A08D1 5A
pop edx
004A08D2 59
pop ecx
004A08D3 59
pop ecx
004A08D4 648910
mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '^[嬪]?
|
004A08D7 6825094A00 push
$004A0925
004A08DC 8D85DCFEFFFF lea
eax, [ebp+$FFFFFEDC]
004A08E2 BA03000000 mov
edx, $00000003
* Reference to: system.@LStrArrayClr;
|
004A08E7 E85C35F6FF call
00403E48
004A08EC 8D85E8FEFFFF lea
eax, [ebp+$FFFFFEE8]
* Reference to: system.@LStrClr(String);
|
004A08F2 E82D35F6FF call
00403E24
004A08F7 8D85ECFEFFFF lea
eax, [ebp+$FFFFFEEC]
004A08FD BA03000000 mov
edx, $00000003
* Reference to: system.@LStrArrayClr;
|
004A0902 E84135F6FF call
00403E48
004A0907 8D85F8FEFFFF lea
eax, [ebp+$FFFFFEF8]
* Reference to: system.@LStrClr(String);
|
004A090D E81235F6FF call
00403E24
004A0912 8D85FCFEFFFF lea
eax, [ebp+$FFFFFEFC]
* Reference to: system.@LStrClr(String);
|
004A0918 E80735F6FF call
00403E24
004A091D C3
ret
004A091E E9152FF6FF jmp
00403838
004A0923 EBB7
jmp 004A08DC
****** END
|
004A0925 5E
pop esi
004A0926 5B
pop ebx
004A0927 8BE5
mov esp, ebp
004A0929 5D
pop ebp
004A092A C3
ret
}
end ;
因此,在TRW2000 中下BPX 4A06DC 后,F5返回IPARMOR,在注册窗口输入
用户名“CRACK123”及注册码“123123”后点击“注册”钮,立即被
TRW2000拦截到IPARMOR领空,跟踪到4A0811处,用D EDX 显示注册码为
“1903395948”,
故:用户名 CRACK123
注册码 1903395948
若将4A082E处JNZ NEAR 4A08CF 改为NOP(6个),则成为任意注册版!!
请勿见笑,多提意见!!
<END>
- 标 题:入门习作:木马克星IPARMOR4.0 30 TIMES LIMITS CRACK AND REG (10千字)
- 作 者:crack123
- 时 间:2001-6-22 17:38:20
- 链 接:http://bbs.pediy.com