morning's BCG application crack writeup, part 2
Target software: China Computer Software Proficiency Examination Test System 2.0 (Programmer) http://www.csdn.net/cnshare/soft/7/7791.html
Tool: TRW2000 1.23
1. Start the target program, then start TRW.
2. In the target, click "Register".
3. When the registration dialog appears, enter user name: morning, registration code: 12345678.
4. Press CTRL+N to bring up TRW, set BPX HMEMCPY, then F5 to return to the target.
5. Click "Register Now". TRW breaks; clear the breakpoint with BC and use PMODULE to land in the target's own code.
6. Press F12 seven times (an eighth and it is all over), then keep pressing F10 until you reach the following:
...
015F:004045C8  DEC DWORD [ESI+1C]
015F:004045CB  LEA EAX,[EBP-08]
015F:004045CE  MOV EDX,02
015F:004045D3  CALL 00497428
015F:004045D8  MOV WORD [ESI+10],08
015F:004045DE  MOV WORD [ESI+10],20
015F:004045E4  XOR EAX,EAX
015F:004045E6  MOV [EBP-38],EAX
015F:004045E9  LEA EDX,[EBP-38]
015F:004045EC  INC DWORD [ESI+1C]
015F:004045EF  MOV EAX,[EBX+02E8]
015F:004045F5  CALL 0045DF88
015F:004045FA  LEA EAX,[EBP-38]
015F:004045FD  LEA EDX,[EBP-04]
015F:00404600  CALL 004974F8        <--- ⑤ press F8 here to step in (the code is at the end)
015F:00404605  PUSH EAX
015F:00404606  DEC DWORD [ESI+1C]
015F:00404609  LEA EAX,[EBP-38]
015F:0040460C  MOV EDX,02
015F:00404611  CALL 00497428        <--- ④ stepped through this one and came back with nothing, so keep going up
015F:00404616  POP ECX
015F:00404617  TEST CL,CL           <--- ③ this must be testing the flag
015F:00404619  JZ NEAR 004048B4     <--- ② found it: this is the jump that goes there
015F:0040461F  MOV DL,01
015F:00404621  MOV EAX,[00439CEC]
015F:00404626  CALL 00439DEC
015F:0040462B  MOV EDI,EAX
015F:0040462D  MOV [EBX+0304],EDI
015F:00404633  MOV EDX,80000002
...
015F:00404892  DEC DWORD [ESI+1C]
015F:00404895  LEA EAX,[EBP-54]
015F:00404898  MOV EDX,02
015F:0040489D  CALL 00497428
015F:004048A2  DEC DWORD [ESI+1C]
015F:004048A5  LEA EAX,[EBP-50]
015F:004048A8  MOV EDX,02
015F:004048AD  CALL 00497428
015F:004048B2  JMP SHORT 004048CC
015F:004048B4  MOV EAX,[004B3C74]
015F:004048B9  PUSH BYTE +00
015F:004048BB  MOV ECX,004AD9BE
015F:004048C0  MOV EDX,004AD99A
015F:004048C5  MOV EAX,[EAX]
015F:004048C7  CALL 004972D0        <--- ① once this CALL runs it is all over, so look upward for where the jump to here comes from
=============================================================
Pressing F8 at 015F:00404600 CALL 004974F8 to step in shows:
--------------------------------------------------
015F:004974F8  PUSH EBP             <--- ⑥ stop here first, then press F10 to step down
015F:004974F9  MOV EBP,ESP
015F:004974FB  PUSH EBX
015F:004974FC  MOV EAX,[EAX]        <--- ⑦ heh, here you can see my 12345678
015F:004974FE  MOV EDX,[EDX]        <--- ⑧ and here you can see the real registration code
015F:00497500  CALL 004896D4        <--- ⑨ this CALL compares the registration codes
015F:00497505  SETZ AL
015F:00497508  AND EAX,BYTE +01
015F:0049750B  POP EBX
015F:0049750C  POP EBP

(SETZ AL followed by AND EAX,BYTE +01 turns the compare's zero flag into a 0/1 result in EAX. Back at 00404605 that result goes through PUSH EAX / POP ECX and is checked by TEST CL,CL, so the JZ to 004048B4 is taken exactly when the typed code differs from the one the program computed into [EBP-38].)
==============================================================
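The serial-fishing pattern the listing walks through, as an added C example that is not code from the post or from the exam software. It models the check: the program derives the expected code, hands it together with the typed code to a small string-compare routine that returns 0/1, and a hook standing in for the breakpoint on that routine reads the expected code off the second argument. The code generator (FNV-1a folded to eight digits), the digest scheme, and all function names are constructed stand-ins; the real program's algorithm is not on the page. Beside the plain compare it also shows a hashed compare, so the same hook yields only a digest.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_LEN 8

/* Stand-in for the breakpoint on the compare routine (BPX 004974F8 in the
 * post): a hook that sees the two string arguments exactly as EAX/EDX
 * carried them into the CALL. */
typedef void (*compare_hook_t)(const char *typed, const char *expected);
static compare_hook_t g_hook;
static char g_seen[64];           /* what the "debugger" read at the compare */

/* Constructed keygen (made up for this example): FNV-1a over the name,
 * folded to eight decimal digits like the "12345678" typed in the post. */
static uint32_t toy_code_from_name(const char *name) {
    uint32_t h = 2166136261u;
    for (; *name; name++) {
        h ^= (unsigned char)*name;
        h *= 16777619u;
    }
    return h % 100000000u;
}

/* Mirrors the routine at 004974F8: compare two strings, return 1 when equal
 * (CALL compare; SETZ AL; AND EAX,1). */
static int str_equal(const char *typed, const char *expected) {
    if (g_hook)
        g_hook(typed, expected);  /* the breakpoint fires here */
    return strcmp(typed, expected) == 0;
}

/* Vulnerable pattern: the expected code sits in plaintext at the compare. */
int check_registration_plain(const char *name, const char *typed) {
    char expected[CODE_LEN + 1];  /* the [EBP-38] local in the listing */
    snprintf(expected, sizeof expected, "%08u", (unsigned)toy_code_from_name(name));
    return str_equal(typed, expected);
}

/* Hardened pattern: the program ships only a digest of name:code (assumed
 * here to be issued by the vendor and passed in as `stored`), hashes what
 * was typed, and compares the two digests. FNV-1a 64 is a placeholder for a
 * real cryptographic hash. */
static uint64_t fnv1a64(const char *s) {
    uint64_t h = 1469598103934665603ull;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ull;
    }
    return h;
}

uint64_t license_digest(const char *name, const char *code) {
    char buf[128];
    snprintf(buf, sizeof buf, "%s:%s", name, code);
    return fnv1a64(buf);
}

int check_registration_hashed(const char *name, const char *typed, uint64_t stored) {
    char have[17], want[17];
    snprintf(have, sizeof have, "%016llx", (unsigned long long)license_digest(name, typed));
    snprintf(want, sizeof want, "%016llx", (unsigned long long)stored);
    return str_equal(have, want);
}

/* Serial fishing as the post does it: hook the compare, submit any wrong
 * code, and read back the second argument the program supplied itself. */
static void record_expected(const char *typed, const char *expected) {
    (void)typed;
    snprintf(g_seen, sizeof g_seen, "%s", expected);
}

const char *fish_plain(const char *name) {
    g_hook = record_expected;
    g_seen[0] = '\0';
    check_registration_plain(name, "12345678");
    g_hook = NULL;
    return g_seen;
}

const char *fish_hashed(const char *name, uint64_t stored) {
    g_hook = record_expected;
    g_seen[0] = '\0';
    check_registration_hashed(name, "12345678", stored);
    g_hook = NULL;
    return g_seen;
}

/* End to end: fish the code, then register with it. */
int registers_with_fished_code(const char *name) {
    char code[CODE_LEN + 1];
    snprintf(code, sizeof code, "%s", fish_plain(name));
    return check_registration_plain(name, code);
}

int main(void) {
    char code[CODE_LEN + 1];
    snprintf(code, sizeof code, "%s", fish_plain("morning"));
    printf("plain compare leaked: %s -> registered=%d\n",
           code, check_registration_plain("morning", code));
    uint64_t stored = license_digest("morning", code);  /* vendor side */
    printf("hashed compare leaked: %s (a digest, not the code)\n",
           fish_hashed("morning", stored));
    printf("hashed check with the right code: %d\n",
           check_registration_hashed("morning", code, stored));
    return 0;
}
```

The hook is the whole trick: once a check hands the expected code to a generic string compare, the algorithm that produced it no longer matters, which is why the post never needs to understand CALL 0045DF88. The hashed variant only stops the code from being read at the compare; an eight-digit code can still be brute-forced against the digest, and the 0/1 result after the compare can still be patched, so it is a mitigation against fishing, not against patching.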
Heh, this is the second crack writeup I have written, and the second program I have cracked; if there are any mistakes, please point them out.
Special thanks to big brother 6767 and the others for their guidance; I will certainly study harder.
morning
2001.9.10
☆ Wishing all the teachers a happy holiday ☆
- Title: morning's BCG application crack writeup, part 2 (3K characters)
- Author: ★morning★
- Time: 2001-9-10 22:51:22
- Link: http://bbs.pediy.com