http://www.cybersitter.com
CYBERsitter 2000
输入注册码之后的判断:
// Serial-entry path: run the validator at 0047B920 and report failure to the user.
// Object pointer: load the pointer stored at 004E01E0, then dereference it once more.
:004D720F A1E0014E00 mov eax,
dword ptr [004E01E0]
:004D7214 8B00
mov eax, dword ptr [eax]
:004D7216 E80547FAFF call 0047B920
// Validate the serial; the result comes back as a byte in al (see 0047B920 below).
:004D721B 84C0
test al, al
:004D721D 751E
jne 004D723D                // nonzero -> accepted, skip the error message
* Possible StringData Ref from Code Obj ->"The serial number you entered "
->"is invalid."
|
:004D721F B894854D00 mov eax,
004D8594
// eax = 004D8594, presumably the address of the "...is invalid." string referenced
// above; 0047C594 presumably displays it (its body is not shown in this listing).
:004D7224 E86B53FAFF call 0047C594
启动时的判断也是调用同一个子程序:
// Startup path: the same validator, but its result is cached in a global byte and
// the "Unregistered" state is derived from that byte.
:004C9454 A1E0014E00 mov eax,
dword ptr [004E01E0]
:004C9459 8B00
mov eax, dword ptr [eax]
:004C945B E8C024FBFF call 0047B920
// Validate the serial (same routine the serial-entry dialog calls at 004D7216).
:004C9460 8B155C014E00 mov edx, dword
ptr [004E015C]
:004C9466 8802
mov byte ptr [edx], al // store the result through the pointer held at 004E015C
:004C9468 A15C014E00 mov eax,
dword ptr [004E015C]
:004C946D 803800
cmp byte ptr [eax], 00 // re-read the byte just written and test it
:004C9470 755F
jne 004C94D1           // nonzero -> registered, skip the "Unregistered" branch
:004C9472 A1E0014E00 mov eax,
dword ptr [004E01E0]
* Possible StringData Ref from Code Obj ->"Unregistered"
|
:004C9477 BAC0A24C00 mov edx,
004CA2C0
// edx = 004CA2C0, presumably the "Unregistered" string; 00403F18 is not shown, so
// what it does with eax/edx is inferred only from the string reference above.
:004C947C E897AAF3FF call 00403F18
// NOTE(review): the whole registration state collapses to one byte produced by one
// routine and re-read from writable memory; any hardening of this check would have
// to cover both the routine and the cached byte, not just the branch at 004D721D.
用来判断注册码的子程序如下。显然这个子程序只被以上两处调用。如果把这个子程序的函数体改掉,让它总返回1就行了。如果只修改输入注册码时的那条判断指令,则启动时还是未注册。另外,注册码很好找的,只要注册码的四部分能分别被4个数整除即可,这四个数可能是根据用户名得来的。
//-----------------------------------------------------------------------
// 0047B920: serial validator (the listing shows only two callers: 004C945B, 004D7216).
// In:   eax = object pointer (the double-dereferenced 004E01E0 value at both call sites)
// Out:  al  = 1 if all four numeric parts of the serial divide evenly by their
//             divisors (ebx, esi, [ebp-0C], [ebp-10]); otherwise 0.
// The four part strings live at [ebp-14], [ebp-18], [ebp-1C], [ebp-20]. How the
// serial is split and how the divisors are computed is in the elided region
// ("......") — presumably derived from the user name, per the author's note, but
// not verifiable from this listing.
//-----------------------------------------------------------------------
* Referenced by a CALL at Addresses:
|:004C945B , :004D7216
|
:0047B920 55
push ebp
:0047B921 8BEC
mov ebp, esp
// Zero-fill locals: 4 iterations x 2 pushes = 8 dwords ([ebp-04] .. [ebp-20]).
// The result byte [ebp-05] lies inside that range, so it starts out as 0 (false).
:0047B923 B904000000 mov ecx,
00000004
:0047B928 6A00
push 00000000
:0047B92A 6A00
push 00000000
:0047B92C 49
dec ecx
:0047B92D 75F9
jne 0047B928
// Elided: the rest of the prologue (ebx/esi/edi saves and the exception frame are
// inferred from the epilogue), the splitting of the serial and the divisor setup.
......................................................
// Stage 0: seed al = 1 so the first divisibility test always runs. Each stage
// below runs only if the previous stage left al != 0 (a short-circuit AND).
:0047BA65 B001
mov al, 01
:0047BA67 84C0
test al, al
:0047BA69 7410
je 0047BA7B            // never taken as written: al was just set to 1
// Stage 1: al = (atol(part1) % ebx == 0)
:0047BA6B 8B45EC
mov eax, dword ptr [ebp-14] // serial part 1 (string pointer, passed in eax)
:0047BA6E E891E2F8FF call 00409D04
// atol()
:0047BA73 99
cdq                    // sign-extend eax into edx:eax for the signed divide
:0047BA74 F7FB
idiv ebx               // divisor set in the elided region; no zero check visible (#DE if ebx == 0)
// evenly divisible?
:0047BA76 85D2
test edx, edx          // edx = remainder
:0047BA78 0F94C0
sete al                // al = (remainder == 0)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047BA69(C)
|
// Stage 2: al = al && (atol(part2) % esi == 0)
:0047BA7B 84C0
test al, al
:0047BA7D 7410
je 0047BA8F            // previous stage failed -> skip, al stays 0
:0047BA7F 8B45E8
mov eax, dword ptr [ebp-18] // serial part 2
:0047BA82 E87DE2F8FF call 00409D04
// atol()
:0047BA87 99
cdq
:0047BA88 F7FE
idiv esi               // divisor set in the elided region; no zero check visible
// evenly divisible?
:0047BA8A 85D2
test edx, edx
:0047BA8C 0F94C0
sete al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047BA7D(C)
|
// Stage 3: al = al && (atol(part3) % [ebp-0C] == 0)
:0047BA8F 84C0
test al, al
:0047BA91 7411
je 0047BAA4            // previous stage failed -> skip
:0047BA93 8B45E4
mov eax, dword ptr [ebp-1C] // serial part 3
:0047BA96 E869E2F8FF call 00409D04
// atol()
:0047BA9B 99
cdq
:0047BA9C F77DF4
idiv [ebp-0C]          // divisor held in a local; no zero check visible
// evenly divisible?
:0047BA9F 85D2
test edx, edx
:0047BAA1 0F94C0
sete al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047BA91(C)
|
// Stage 4: al = al && (atol(part4) % [ebp-10] == 0)
:0047BAA4 84C0
test al, al
:0047BAA6 7411
je 0047BAB9            // previous stage failed -> skip
:0047BAA8 8B45E0
mov eax, dword ptr [ebp-20] // serial part 4 (the original comment said "third"; the slot after [ebp-1C] is the fourth)
:0047BAAB E854E2F8FF call 00409D04
// atol()
:0047BAB0 99
cdq
:0047BAB1 F77DF0
idiv [ebp-10]          // divisor held in a local; no zero check visible
// evenly divisible?
:0047BAB4 85D2
test edx, edx
:0047BAB6 0F94C0
sete al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047BAA6(C)
|
:0047BAB9 8845FB
mov byte ptr [ebp-05], al // function result; only reached when the four-stage chain completes
// The jumps listed below come from the elided region and land past the store, so
// those paths return whatever [ebp-05] already holds (0 from the zero-fill above,
// unless the elided code writes it).
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047B95F(C), :0047BA00(U), :0047BA18(U), :0047BA30(U), :0047BA48(U)
|:0047BA5E(U)
|
// Epilogue, part 1: unwind the exception frame. With eax = 0, `mov fs:[eax], edx`
// writes fs:[0] (the SEH chain head), restoring the previous value popped from the
// stack. The pushed 0047BAE6 is consumed by the `ret` at 0047BADE, so control
// continues at 0047BAE6 once the cleanup block has run. This looks like a
// compiler-generated try/finally with 0047BAC9..0047BADE as the finally block.
:0047BABC 33C0
xor eax, eax
:0047BABE 5A
pop edx                // previous fs:[0]
:0047BABF 59
pop ecx
:0047BAC0 59
pop ecx                // two frame dwords discarded
:0047BAC1 648910
mov dword ptr fs:[eax], edx
:0047BAC4 68E6BA4700 push 0047BAE6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047BAE4(U)
|
// Cleanup block: release 5 dwords starting at [ebp-24] (count in edx; that range
// covers the four part slots), then the one at [ebp-04]. 00403EE8 / 00403EC4 are
// not shown; presumably string finalizers.
:0047BAC9 8D45DC
lea eax, dword ptr [ebp-24]
:0047BACC BA05000000 mov edx,
00000005
:0047BAD1 E81284F8FF call 00403EE8
:0047BAD6 8D45FC
lea eax, dword ptr [ebp-04]
:0047BAD9 E8E683F8FF call 00403EC4
:0047BADE C3
ret                    // pops the 0047BAE6 pushed above -> resumes there
// Exception path, not reached on normal flow: 004038BC is not shown; the jmp at
// 0047BAE4 back into the cleanup block is presumably used by it.
:0047BADF E9D87DF8FF jmp 004038BC
:0047BAE4 EBE3
jmp 0047BAC9
// Epilogue, part 2: load the result and restore the saved registers.
:0047BAE6 8A45FB
mov al, byte ptr [ebp-05] // function return value
:0047BAE9 5F
pop edi
:0047BAEA 5E
pop esi
:0047BAEB 5B
pop ebx                // ebx/esi/edi presumably pushed in the elided part of the prologue
:0047BAEC 8BE5
mov esp, ebp
:0047BAEE 5D
pop ebp
:0047BAEF C3
ret
- 标 题:CYBERsitter 2000
- 作 者:1212
- 时 间:2000-10-9 19:37:29
- 链 接:http://bbs.pediy.com