color pilot
Download: ftp://ftp2.tiandown.com/pub/software/graphics/grp-oth/pilot.exe (1.8M), a color image-processing program.
This program keeps some of its string resources in INI files under the language directory so that it can support several languages.
Forcing [EBX+00000498] below to 1 makes the Register menu appear:
001B:00487E10 CALL 00486C2C
001B:00487E15 TEST AL,AL
001B:00487E17 JZ 00487E22
001B:00487E19 MOV BYTE PTR [EBX+00000498],02
001B:00487E20 JMP 00487E29
001B:00487E22 MOV BYTE PTR [EBX+00000498],00
001B:00487E29 MOV EAX,EBX
001B:00487E2B CALL 0048B5E4
001B:00487E30 MOV AL,[EBX+00000498]
001B:00487E36 SUB AL,01
001B:00487E38 JB 00487E49
001B:00487E3A JZ 00487EA2
001B:00487E3C DEC AL
001B:00487E3E JZ 00487EDE
001B:00487E44 JMP 00487F13
The registration code is checked at the following location:
001B:0047956B MOV EAX,[EBP-04]
001B:0047956E LEA ECX,[EBX+00000204]
001B:00479574 LEA EDX,[EBX+00000200]
001B:0047957A CALL 0047937C //check the registration code format and convert it to integers
001B:0047957F TEST AL,AL
001B:00479581 JNZ 0047958C
001B:00479583 MOV EAX,EBX
001B:00479585 CALL 004792F8 //bad guy
001B:0047958A JMP 004795C1
001B:0047958C MOV ECX,[EBX+00000208]
001B:00479592 MOV EDX,[EBX+00000204]
001B:00479598 MOV EAX,[EBX+00000200]
001B:0047959E CALL 0044FA24 //check whether the registration code values are correct
001B:004795A3 TEST AL,AL
001B:004795A5 JNZ 004795B0
001B:004795A7 MOV EAX,EBX
001B:004795A9 CALL 004792F8 //bad guy
001B:004795AE JMP 004795C1
001B:004795B0 MOV EAX,EBX
001B:004795B2 CALL 004795E4
001B:004795B7 MOV DWORD PTR [EBX+00000150],00000001
First step into CALL 0047937C above; this is where the registration code format is checked. The format is nnnnn-nnnnnnnnn-nnnn.
001B:004793EA MOV EDX,[EBP-04]
001B:004793ED MOV EAX,0047953C //the dash character '-'
001B:004793F2 CALL 00403F60 //strstr( )
001B:004793F7 MOV EBX,EAX
001B:004793F9 TEST EBX,EBX
001B:004793FB JZ 004794FC //jump if bad guy
001B:00479401 LEA EAX,[EBP-0C]
001B:00479404 PUSH EAX
001B:00479405 MOV ECX,EBX
001B:00479407 DEC ECX
001B:00479408 MOV EDX,00000001
001B:0047940D MOV EAX,[EBP-04]
001B:00479410 CALL 00403ED8
001B:00479415 LEA EAX,[EBP-04]
001B:00479418 MOV ECX,EBX
001B:0047941A MOV EDX,00000001
001B:0047941F CALL 00403F18
001B:00479424 MOV EDX,[EBP-04]
001B:00479427 MOV EAX,0047953C //the dash character
001B:0047942C CALL 00403F60 //strstr( )
001B:00479431 MOV EBX,EAX
001B:00479433 TEST EBX,EBX
001B:00479435 JZ 004794FC //jump if bad guy
001B:0047943B LEA EAX,[EBP-10]
001B:0047943E PUSH EAX
001B:0047943F MOV ECX,EBX
001B:00479441 DEC ECX
001B:00479442 MOV EDX,00000001
001B:00479447 MOV EAX,[EBP-04]
001B:0047944A CALL 00403ED8
001B:0047944F LEA EAX,[EBP-04]
001B:00479452 MOV ECX,EBX
001B:00479454 MOV EDX,00000001
001B:00479459 CALL 00403F18
001B:0047945E LEA EAX,[EBP-14]
001B:00479461 MOV EDX,[EBP-04]
001B:00479464 CALL 00403AF0
001B:00479469 XOR EAX,EAX
001B:0047946B PUSH EBP
001B:0047946C PUSH 004794E7
001B:00479471 PUSH DWORD PTR FS:[EAX]
001B:00479474 MOV FS:[EAX],ESP
001B:00479477 MOV EAX,[EBP-0C] //first part of the registration code
001B:0047947A CALL 00403CD4 //strlen( )
001B:0047947F CMP EAX,05 //length must be 5
001B:00479482 JZ 0047948E //jump if good guy
001B:00479484 XOR EAX,EAX
001B:00479486 POP EDX
001B:00479487 POP ECX
001B:00479488 POP ECX
001B:00479489 MOV FS:[EAX],EDX
001B:0047948C JMP 004794FC
001B:0047948E MOV EAX,[EBP-0C] //first part of the registration code
001B:00479491 CALL 00407614 //atol( )
001B:00479496 MOV [ESI],EAX //save the first part
001B:00479498 MOV EAX,[EBP-10] //second part of the registration code
001B:0047949B CALL 00403CD4 //strlen( )
001B:004794A0 CMP EAX,09 //length must be 9
001B:004794A3 JZ 004794AF
001B:004794A5 XOR EAX,EAX
001B:004794A7 POP EDX
001B:004794A8 POP ECX
001B:004794A9 POP ECX
001B:004794AA MOV FS:[EAX],EDX
001B:004794AD JMP 004794FC
001B:004794AF MOV EAX,[EBP-10] //second part of the registration code
001B:004794B2 CALL 00407614 //atol( )
001B:004794B7 MOV [EDI],EAX //save the second part
001B:004794B9 MOV EAX,[EBP-14] //third part of the registration code
001B:004794BC CALL 00403CD4 //strlen( )
001B:004794C1 CMP EAX,04 //length must be 4
001B:004794C4 JZ 004794D0
001B:004794C6 XOR EAX,EAX
001B:004794C8 POP EDX
001B:004794C9 POP ECX
001B:004794CA POP ECX
001B:004794CB MOV FS:[EAX],EDX
001B:004794CE JMP 004794FC
001B:004794D0 MOV EAX,[EBP-14] //third part of the registration code
001B:004794D3 CALL 00407614 //atol( )
001B:004794D8 MOV EDX,[EBP+08]
001B:004794DB MOV [EDX],EAX //save the third part
001B:004794DD XOR EAX,EAX
001B:004794DF POP EDX
001B:004794E0 POP ECX
001B:004794E1 POP ECX
001B:004794E2 MOV FS:[EAX],EDX
001B:004794E5 JMP 004794F8
001B:004794E7 JMP 00403300
001B:004794EC CALL 004035A4
001B:004794F1 JMP 004794FC
001B:004794F3 CALL 004035A4
001B:004794F8 MOV BYTE PTR [EBP-05],01 //good guy
001B:004794FC XOR EAX,EAX
001B:004794FE POP EDX
001B:004794FF POP ECX
001B:00479500 POP ECX
001B:00479501 MOV FS:[EAX],EDX
001B:00479504 PUSH 00479526
001B:00479509 LEA EAX,[EBP-14]
001B:0047950C MOV EDX,00000003
001B:00479511 CALL 00403A7C
001B:00479516 LEA EAX,[EBP-04]
001B:00479519 CALL 00403A58
001B:0047951E RET
001B:0047951F JMP 004034FC
001B:00479524 JMP 00479509
001B:00479526 MOV AL,[EBP-05] //return value
001B:00479529 POP EDI
001B:0047952A POP ESI
001B:0047952B POP EBX
001B:0047952C MOV ESP,EBP
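To make the listing above readable at a glance, here is the same format check rewritten in C. This is an added reconstruction, not code from the original page or from Color Pilot; it assumes the calls labelled strstr( ), strlen( ) and atol( ) behave as labelled, and it treats a non-digit part as a failure because the exception frame set up at 0047946B routes a failed conversion to the bad-guy exit at 004794FC (my reading of the listing).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Every character in [s, s+n) must be a decimal digit. The listing itself
   only compares lengths; rejecting non-digits here mirrors the exception
   handler that lands on 004794FC when the conversion fails (assumption). */
static bool all_digits(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return false;
    return n > 0;
}

/* Reconstruction of the format check at 0047937C: cut the string at the
   first two '-' characters, require part lengths 5, 9 and 4, and convert
   each part to an integer. Returns true (the "good guy" byte at [EBP-05])
   and fills p1..p3, which stand for [ESI], [EDI] and [EDX] in the listing,
   only when every check passes. */
bool parse_reg_code(const char *code, long *p1, long *p2, long *p3)
{
    const char *dash1 = strchr(code, '-');          /* first strstr("-") */
    if (dash1 == NULL) return false;                /* JZ 004794FC */
    const char *dash2 = strchr(dash1 + 1, '-');     /* second strstr("-") */
    if (dash2 == NULL) return false;                /* JZ 004794FC */
    const char *part2 = dash1 + 1;
    const char *part3 = dash2 + 1;
    size_t len1 = (size_t)(dash1 - code);
    size_t len2 = (size_t)(dash2 - part2);
    size_t len3 = strlen(part3);
    if (len1 != 5 || len2 != 9 || len3 != 4)        /* CMP EAX,05 / 09 / 04 */
        return false;
    if (!all_digits(code, len1) || !all_digits(part2, len2) ||
        !all_digits(part3, len3))
        return false;
    char buf[10];
    memcpy(buf, code, len1);  buf[len1] = '\0'; *p1 = atol(buf);  /* [ESI] */
    memcpy(buf, part2, len2); buf[len2] = '\0'; *p2 = atol(buf);  /* [EDI] */
    *p3 = atol(part3);                                             /* [EDX] */
    return true;
}
```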
Once the format has been checked, the values of the three parts are examined (the code below is also called at startup):
001B:0044FA24 PUSH EBX
001B:0044FA25 PUSH ESI
001B:0044FA26 PUSH EDI
001B:0044FA27 PUSH EBP
001B:0044FA28 ADD ESP,-34
001B:0044FA2B MOV EBP,ECX
001B:0044FA2D MOV EDI,EDX
001B:0044FA2F MOV ESI,EAX
001B:0044FA31 MOV DWORD PTR [ESP+08],D2F1A9FC
001B:0044FA39 MOV DWORD PTR [ESP+0C],3F50624D
001B:0044FA41 FLD REAL8 PTR [ESP+08]
001B:0044FA45 FMUL REAL4 PTR [0044FBF0]
001B:0044FA4B CALL 00402A04
001B:0044FA50 FLD REAL8 PTR [ESP+08]
001B:0044FA54 FMUL REAL4 PTR [0044FBF4]
001B:0044FA5A FMUL REAL8 PTR [ESP+08]
001B:0044FA5E FMUL REAL8 PTR [ESP+08]
001B:0044FA62 FSUBRP ST(1),ST
001B:0044FA64 FSTP REAL8 PTR [ESP]
001B:0044FA67 WAIT
001B:0044FA68 FLD REAL8 PTR [ESP]
001B:0044FA6B CALL 00402A54
001B:0044FA70 FSTP REAL8 PTR [ESP]
001B:0044FA73 WAIT
001B:0044FA74 MOV EAX,00000005
001B:0044FA79 FLD REAL8 PTR [ESP]
001B:0044FA7C FMUL REAL4 PTR [0044FBF8]
001B:0044FA82 FSTP REAL8 PTR [ESP]
001B:0044FA85 WAIT
001B:0044FA86 DEC EAX
001B:0044FA87 JNZ 0044FA79
001B:0044FA89 FLD REAL8 PTR [ESP]
001B:0044FA8C CALL 00402A78
001B:0044FA91 CDQ
001B:0044FA92 XOR EAX,EDX
001B:0044FA94 SUB EAX,EDX
001B:0044FA96 CMP EAX,ESI //first part of the registration code
001B:0044FA98 SETZ BL //bl = 1 if good guy
001B:0044FA9B FLD REAL8 PTR [ESP+08]
001B:0044FA9F CALL 00402A44
001B:0044FAA4 FSTP REAL10 PTR [ESP+10]
001B:0044FAA8 WAIT
001B:0044FAA9 FLD REAL8 PTR [ESP+08]
001B:0044FAAD FMUL REAL4 PTR [0044FBF4]
001B:0044FAB3 FLDLN2
001B:0044FAB5 FXCH ST(1)
001B:0044FAB7 FYL2X
001B:0044FAB9 FLD REAL10 PTR [ESP+10]
001B:0044FABD FMULP ST(1),ST
001B:0044FABF FSTP REAL10 PTR [ESP+1C]
001B:0044FAC3 WAIT
001B:0044FAC4 FLD REAL8 PTR [ESP+08]
001B:0044FAC8 CALL 00402A14
001B:0044FACD FSTP REAL10 PTR [ESP+28]
001B:0044FAD1 WAIT
001B:0044FAD2 FLD REAL8 PTR [ESP+08]
001B:0044FAD6 FMUL REAL4 PTR [0044FBF8]
001B:0044FADC FLDLN2
001B:0044FADE FXCH ST(1)
001B:0044FAE0 FYL2X
001B:0044FAE2 FLD REAL10 PTR [ESP+28]
001B:0044FAE6 FMULP ST(1),ST
001B:0044FAE8 FLD REAL10 PTR [ESP+1C]
001B:0044FAEC FSUBRP ST(1),ST
001B:0044FAEE FSTP REAL8 PTR [ESP]
001B:0044FAF1 WAIT
001B:0044FAF2 FLD REAL8 PTR [ESP]
001B:0044FAF5 CALL 00402A54
001B:0044FAFA FSTP REAL8 PTR [ESP]
001B:0044FAFD WAIT
001B:0044FAFE MOV EAX,00000009
001B:0044FB03 FLD REAL8 PTR [ESP]
001B:0044FB06 FMUL REAL4 PTR [0044FBF8]
001B:0044FB0C FSTP REAL8 PTR [ESP]
001B:0044FB0F WAIT
001B:0044FB10 DEC EAX
001B:0044FB11 JNZ 0044FB03
001B:0044FB13 FLD REAL8 PTR [ESP]
001B:0044FB16 CALL 00402A78
001B:0044FB1B CDQ
001B:0044FB1C XOR EAX,EDX
001B:0044FB1E SUB EAX,EDX
001B:0044FB20 TEST BL,BL
001B:0044FB22 JZ 0044FB28
001B:0044FB24 CMP EAX,EDI //second part of the registration code
001B:0044FB26 JZ 0044FB2C
001B:0044FB28 XOR EAX,EAX
001B:0044FB2A JMP 0044FB2E
001B:0044FB2C MOV AL,01
001B:0044FB2E MOV EBX,EAX
001B:0044FB30 FLD REAL8 PTR [ESP+08]
001B:0044FB34 FMUL REAL4 PTR [0044FBF4]
001B:0044FB3A CALL 00402A04
001B:0044FB3F FMUL REAL8 PTR [ESP+08]
001B:0044FB43 FMUL REAL8 PTR [ESP+08]
001B:0044FB47 FSTP REAL10 PTR [ESP+10]
001B:0044FB4B WAIT
001B:0044FB4C FLD REAL8 PTR [ESP+08]
001B:0044FB50 FMUL REAL4 PTR [0044FBFC]
001B:0044FB56 CALL 00402A44
001B:0044FB5B FSTP REAL10 PTR [ESP+1C]
001B:0044FB5F WAIT
001B:0044FB60 FLD REAL8 PTR [ESP+08]
001B:0044FB64 FMUL REAL4 PTR [0044FBF8]
001B:0044FB6A FLDLN2
001B:0044FB6C FXCH ST(1)
001B:0044FB6E FYL2X
001B:0044FB70 FLD REAL10 PTR [ESP+1C]
001B:0044FB74 FMULP ST(1),ST
001B:0044FB76 FLD REAL10 PTR [ESP+10]
001B:0044FB7A FADDP ST(1),ST
001B:0044FB7C FSTP REAL8 PTR [ESP]
001B:0044FB7F WAIT
001B:0044FB80 FLD REAL8 PTR [ESP]
001B:0044FB83 CALL 00402A54
001B:0044FB88 FSTP REAL8 PTR [ESP]
001B:0044FB8B WAIT
001B:0044FB8C MOV EAX,00000004
001B:0044FB91 FLD REAL8 PTR [ESP]
001B:0044FB94 FMUL REAL4 PTR [0044FBF8]
001B:0044FB9A FSTP REAL8 PTR [ESP]
001B:0044FB9D WAIT
001B:0044FB9E DEC EAX
001B:0044FB9F JNZ 0044FB91
001B:0044FBA1 FLD REAL8 PTR [ESP]
001B:0044FBA4 CALL 00402A78
001B:0044FBA9 CDQ
001B:0044FBAA XOR EAX,EDX
001B:0044FBAC SUB EAX,EDX
001B:0044FBAE TEST BL,BL
001B:0044FBB0 JZ 0044FBB6
001B:0044FBB2 CMP EAX,EBP //third part of the registration code
001B:0044FBB4 JZ 0044FBBA
001B:0044FBB6 XOR EAX,EAX
001B:0044FBB8 JMP 0044FBBC
001B:0044FBBA MOV AL,01
001B:0044FBBC MOV EBX,EAX
001B:0044FBBE FLD REAL10 PTR [0044FC00]
001B:0044FBC4 FADD REAL8 PTR [ESP+08]
001B:0044FBC8 FSTP REAL8 PTR [ESP+08]
001B:0044FBCC WAIT
001B:0044FBCD FLD REAL10 PTR [0044FC0C]
001B:0044FBD3 FCOMP REAL8 PTR [ESP+08]
001B:0044FBD7 FSTSW AX
001B:0044FBD9 SAHF
001B:0044FBDA SETBE AL
001B:0044FBDD OR AL,BL
001B:0044FBDF JZ 0044FA41
001B:0044FBE5 MOV EAX,EBX //return value
001B:0044FBE7 ADD ESP,34
001B:0044FBEA POP EBP
001B:0044FBEB POP EDI
001B:0044FBEC POP ESI
001B:0044FBED POP EBX
001B:0044FBEE RET
At this point the registration code has been found, and there are many valid ones. But after entering one the program still shows unregistered, so something odd is still going on; for now I also don't know where the registration code is stored.