• Title: Brute-Force Cracking of Windows Lotto Pro 2000 V5.39 (10k characters)
  • Author: KanKer
  • Date: 2001-4-2 14:27:50
  • Link: http://bbs.pediy.com

Brute-Force Cracking of Windows Lotto Pro 2000 V5.39

Download: ftp://datasol.intnet.net/pub/lotpro32.exe
About the software: it appears to be a foreign lottery program. Its restrictions are a time limit, a NAG screen,
        and functional limitations. This crack only covers the first two; the functional limitations are not
        discussed. The program is packed with Shrink.
Tools: trw2k, bw2k02, wdasm893, ultraedit

Procedure:

1. Unpacking
First run bw2k02, click "track", and run lotpro32.exe; the entry point is found to be 6301f4 (thanks to D.boy for
making such a good tool). Load the program in TRW, set a breakpoint with bpx 6301f4, and run; it breaks there. Issue the pedump
command (thanks to Liu Taotao and Zhu Nanhao for making such a great tool). At this point the unpacking is done and the program runs without problems.

2. Disassemble with wdasm893. Don't expect it to disassemble everything, but a portion is enough.
Open the string references window and you'll see "Thank you for continuing to use ". Isn't that exactly the text on the NAG screen? Double-click that string to go to the code that references it. Scroll up and down and you'll find a few similar ones. So we can conclude that this is the key place where the time limit is checked. Here is that code segment:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624C05(C)
|
:00624C7B 80EB01                  sub bl, 01
:00624C7E 721D                    jb 00624C9D    **must not jump**
:00624C80 0F8496000000            je 00624D1C    **must not jump**

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624C11(C)
|
:00624C86 80EB02                  sub bl, 02
:00624C89 0F84A3000000            je 00624D32    **must not jump**
:00624C8F 80EB03                  sub bl, 03
:00624C92 0F84B0000000            je 00624D48    **must not jump**
:00624C98 E9BF000000              jmp 00624D5C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624C7E(C)
|
:00624C9D 8B87A4030000            mov eax, dword ptr [edi+000003A4]
:00624CA3 E800E5E8FF              call 004B31A8
:00624CA8 83F80F                  cmp eax, 0000000F
:00624CAB 7534                    jne 00624CE1

* Possible StringData Ref from Code Obj ->"Thank you for your interest in "
                                        ->"Windows Lotto Pro 2000. You have "
                                        ->"been granted a license to use "
                                        ->"this program for evaluation. Your "
                                        ->"evaluation period will expire "
                                        ->"in "
                                  |
:00624CAD 68444E6200              push 00624E44
:00624CB2 8B87A4030000            mov eax, dword ptr [edi+000003A4]
:00624CB8 E8EBE4E8FF              call 004B31A8
:00624CBD 8D55F4                  lea edx, dword ptr [ebp-0C]
:00624CC0 E8075ADEFF              call 0040A6CC
:00624CC5 FF75F4                  push [ebp-0C]

* Possible StringData Ref from Code Obj ->" days. "
                                  |
:00624CC8 68F04E6200              push 00624EF0

* Possible StringData Ref from Code Obj ->"Click on the Register Now button "
                                        ->"below for registration benefits "
                                        ->"and information on how to register."
                                  |
:00624CCD 68004F6200              push 00624F00
:00624CD2 8D45FC                  lea eax, dword ptr [ebp-04]
:00624CD5 BA04000000              mov edx, 00000004
:00624CDA E80DF5DDFF              call 004041EC
:00624CDF EB32                    jmp 00624D13

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624CAB(C)
|

* Possible StringData Ref from Code Obj ->"Thank you for continuing to use "
                                        ->"Windows Lotto Pro 2000. You have "
                                        ->"been granted a license to use "
                                        ->"this program for evaluation. Your "
                                        ->"evaluation period will expire "
                                        ->"in "
                                  |
:00624CE1 68704F6200              push 00624F70
:00624CE6 8B87A4030000            mov eax, dword ptr [edi+000003A4]
:00624CEC E8B7E4E8FF              call 004B31A8
:00624CF1 8D55F0                  lea edx, dword ptr [ebp-10]
:00624CF4 E8D359DEFF              call 0040A6CC
:00624CF9 FF75F0                  push [ebp-10]

* Possible StringData Ref from Code Obj ->" days. "
                                  |
:00624CFC 68F04E6200              push 00624EF0

* Possible StringData Ref from Code Obj ->"Click on the Register Now button "
                                        ->"below for registration benefits "
                                        ->"and information on how to register."
                                  |
:00624D01 68004F6200              push 00624F00
:00624D06 8D45FC                  lea eax, dword ptr [ebp-04]
:00624D09 BA04000000              mov edx, 00000004
:00624D0E E8D9F4DDFF              call 004041EC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624CDF(U)
|
:00624D13 C687680E000000          mov byte ptr [edi+00000E68], 00
:00624D1A EB40                    jmp 00624D5C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624C80(C)
|
:00624D1C 8D45FC                  lea eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"The evaluation period for Windows "
                                        ->"Lotto Pro 2000 has expired. Click "
                                        ->"on the Register Now button below "
                                        ->"for registration benefits and "
                                        ->"information on how to register."
                                  |
:00624D1F BA1C506200              mov edx, 0062501C
:00624D24 E81BF2DDFF              call 00403F44
:00624D29 C687680E000001          mov byte ptr [edi+00000E68], 01
:00624D30 EB2A                    jmp 00624D5C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624C89(C)
|
:00624D32 8D45FC                  lea eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"The evaluation period for Windows "
                                        ->"Lotto Pro 2000 has expired. Click "
                                        ->"on the Register Now button below "
                                        ->"for registration benefits and "
                                        ->"information on how register."
                                  |
:00624D35 BAC8506200              mov edx, 006250C8
:00624D3A E805F2DDFF              call 00403F44
:00624D3F C687680E000001          mov byte ptr [edi+00000E68], 01
:00624D46 EB14                    jmp 00624D5C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00624C92(C)
|
:00624D48 8D45FC                  lea eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"The evaluation period for Windows "
                                        ->"Lotto Pro 2000 has expired. Click "
                                        ->"on the Register Now button below "
                                        ->"for registration benefits and "
                                        ->"information on how to register."
                                  |
:00624D4B BA1C506200              mov edx, 0062501C
:00624D50 E8EFF1DDFF              call 00403F44
:00624D55 C687680E000001          mov byte ptr [edi+00000E68], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00624C98(U), :00624D1A(U), :00624D30(U), :00624D46(U)
|
:00624D5C 8B0DBC456300            mov ecx, dword ptr [006345BC]
:00624D62 8B09                    mov ecx, dword ptr [ecx]
:00624D64 B201                    mov dl, 01

NOP out the places marked "must not jump" above and the program's time limit is gone.
By the way, the string window also contains strings for the functional limitations; look at their jumps and those should be patchable as well.

3. Removing the NAG screen, using an SMC (self-modifying code) technique here.
Although the program is already unpacked, it still contains a lot of junk instructions that jump all over the place, which is annoying; it is hard to pin down which CALL displays the NAG screen and hard to find its jump, and you just go round in circles inside the Shrink section. So I thought of using SMC to remove it.
(1) First trace the NAG screen with TRW. After tracing layer by layer, you'll find that the NAG screen appears once execution passes 455c84.
:00455C84 E83BFEFFFF              call 00455AC4
Trace into it; it is very simple inside:
:00455AC4 53                      push ebx
:00455AC5 8BD8                    mov ebx, eax
:00455AC7 B201                    mov dl, 01
:00455AC9 8BC3                    mov eax, ebx
:00455ACB E824CEFFFF              call 004528F4  **if this CALL executes, the NAG screen appears, so it must be skipped for now**
:00455AD0 8BC3                    mov eax, ebx
:00455AD2 E8DD3FFEFF              call 00439AB4  **this CALL must execute, otherwise the program window is incomplete**
:00455AD7 5B                      pop ebx
:00455AD8 C3                      ret

But after the program jumps out, it falls into a loop check (the trial requires a button to be clicked; the NAG screen never appeared, but the program believes it did). Here is the loop check segment:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455CF9(C)
|
:00455CB9 8B03                    mov eax, dword ptr [ebx]
:00455CBB E8042F0000              call 00458BC4
:00455CC0 8B03                    mov eax, dword ptr [ebx]
:00455CC2 80B88C00000000          cmp byte ptr [eax+0000008C], 00
:00455CC9 740F                    je 00455CDA
:00455CCB 8B45FC                  mov eax, dword ptr [ebp-04]
:00455CCE C7803402000002000000    mov dword ptr [eax+00000234], 00000002
:00455CD8 EB14                    jmp 00455CEE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455CC9(C)
|
:00455CDA 8B45FC                  mov eax, dword ptr [ebp-04]
:00455CDD 83B83402000000          cmp dword ptr [eax+00000234], 00000000
:00455CE4 7408                    je 00455CEE
:00455CE6 8B45FC                  mov eax, dword ptr [ebp-04]
:00455CE9 E826FDFFFF              call 00455A14

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00455CD8(U), :00455CE4(C)
|
:00455CEE 8B45FC                  mov eax, dword ptr [ebp-04]
:00455CF1 8B8034020000            mov eax, dword ptr [eax+00000234]
:00455CF7 85C0                    test eax, eax
:00455CF9 74BE                    je 00455CB9  **NOP this out for now**
:00455CFB 8945F8                  mov [ebp-08],eax

Testing shows that NOPing out the jump at 455cf9 is enough to get into the main program. But this cannot be changed permanently, otherwise many of the program's forms will no longer display (this is a shared CALL that sends forms a close signal).
Now all the places to patch have been found.

(2) First use topo to add a writable section to the program. Add a new one (size can be set to 50) rather than writing into existing space, because Shrink seems to still use it.

1) :00455ACB E824CEFFFF  call 004528F4  change to e930753700  jmp 7cd000 (jump to the patch)
Restore the original bytes at 455acb so that the program executes normally afterwards.
7cd000: nop
7cd001:c705cb5a4500e824ceff        mov dword[455acb],ffce24e8
7cd00b:c605cf5a4500ff              mov byte[455acf],ff
7cd012:e9bb8ac8ff                  jmp 455ad2

2) :00455CF9 74BE      je 00455CB9  change to e919733700  jmp 7cd017 (jump to the patch)
Restore the original bytes at 455cf9 so that the program executes normally afterwards.
7cd017:c705f95c450074be8945        mov dword[455cf9],4589be74
7cd021:c605fd5c4500f8              mov byte[455cfd],f8
7cd028:e9ce8cc8ff                  jmp 455cfb
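As an added check (not part of KanKer's post), the following Python reproduces the rel32 arithmetic behind the jump encodings above: the replacement jmps at 455acb and 455cf9, the return jmps at 7cd012 and 7cd028, and decoding of the original call/je targets. Only addresses from the listings are used; note that replacing the 2-byte je with a 5-byte jmp is why the restore sequence also rewrites the three bytes after 455cf9.

```python
import struct

def rel32(src, target, length=5):
    """Signed displacement for a near jmp/call of `length` bytes at src.
    x86 relative branches are measured from the end of the instruction."""
    disp = target - (src + length)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return disp

def encode_jmp(src, target):
    """E9 rel32 near jump, little-endian displacement."""
    return b"\xe9" + struct.pack("<i", rel32(src, target))

def encode_call(src, target):
    """E8 rel32 near call."""
    return b"\xe8" + struct.pack("<i", rel32(src, target))

def decode_branch(addr, code):
    """Decode an E8/E9 rel32 or 7x rel8 branch at addr -> (mnemonic, target, length)."""
    op = code[0]
    if op in (0xE8, 0xE9):
        disp = struct.unpack("<i", code[1:5])[0]
        return ("call" if op == 0xE8 else "jmp", (addr + 5 + disp) & 0xFFFFFFFF, 5)
    if 0x70 <= op <= 0x7F:
        disp = struct.unpack("<b", code[1:2])[0]
        return ("jcc", (addr + 2 + disp) & 0xFFFFFFFF, 2)
    raise ValueError("not a relative branch")

def overwritten_after(addr, orig_len, new_len):
    """Addresses of bytes a longer replacement clobbers beyond the original instruction."""
    return list(range(addr + orig_len, addr + new_len))
```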

OK, both of the program's restrictions are now completely removed.

This crack may look a bit ugly, but the methods it covers (unpacking with bw2k02 together with TRW, cracking with wdasm893, and the SMC method) should still be of some reference value to beginners.

Note: the program could be cracked entirely with the SMC method; it is just a bit more complicated.

===========<End>==============

                                          <Cracked by KanKer>