注册你的Windows Commander 4.54
这个是重复发的帖呀,先别忙骂我,以前写的没有对脱壳部分作详细说明,这次完善了一下,顺便介绍一下如何脱aspack的壳,手边没有其他现成的,虽说webzip也是aspack压缩的,不过那个要上线验证,注册还没来得及搞,所以就用wincmd对付一下吧:)。
1.unpack(2001.9.9)
首先脱壳,用ti找到oep:54b2dc,接着用trw2000载入wincmd32.exe,下g
54b2dc,下suspend,用prodump 脱壳,选dump(full),接着按ctrl+n,f5退出trw。接着用ImportREC修复import
table,oep:14b2d8,rva:00159150,size:00000830。
1 0015924C
KERNEL32.dll 033C WinExec
1 001593E0 KERNEL32.dll 00C7
CreateProcessA
用add new section选项fix dump即可。用peditor改入口为0014b2dc。
2.crack(忘记了,最近2个月内做的吧)
如我所料,wincmd的注册方式基本没变化,但是此版加了新的crc校验,花了我不少时间:(
用加了icedump的s-ice加载NEWPE.EXE,下bpx readfile,按几次f12到wincmd地盘,接着按f10走到如下:
1.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004CDA67(C)
|
:004CDA7D E8A65AF3FF
call 00403528
:004CDA82 83B80C00000000
cmp dword ptr [eax+0000000C], 00000000
:004CDA89 7521->9090
jne 004CDAAC->nop
:004CDA8B 8D85E2FEFFFF
lea eax, dword ptr [ebp+FFFFFEE2]
:004CDA91
50
push eax
:004CDA92 8D9570FAFFFF
lea edx, dword ptr [ebp+FFFFFA70]
2.将4cd7fc-4cd875的内容改为
add
eax,00000017
mov byte ptr [eax],00
add eax,00000003
mov byte ptr
[eax],7A
inc eax
mov byte ptr [eax],6F
inc eax
mov byte ptr
[eax],6D
inc eax
mov byte ptr [eax],62
inc eax
mov byte ptr
[eax],69
inc eax
mov byte ptr [eax],65
inc eax
mov byte ptr
[eax],79
inc eax
mov byte ptr [eax],13
inc eax
mov byte ptr
[eax],5B
inc eax
mov byte ptr [eax],43
inc eax
mov byte ptr
[eax],43
inc eax
mov byte ptr [eax],47
inc eax
mov byte ptr
[eax],5D
inc eax
mov byte ptr [eax],00
.
.
.
mov
byte ptr [eax],00
nop
ret
0517000000C600000503000000C6007A40C6000F40C6006D40C6006240C6006940C6006540C6007940C6007340C6005B40C6004340C6004340C6004740C6005D40C6000040C6000040C6000040C6000040C6000040C6000040C6000040C6000040C6000040C6000040C6000040C6000040C6000040C6000090C3
3.
* Possible Reference to String Resource ID=00016: "Specify
file type"
|
:004CDD02 B910000000
mov ecx, 00000010
:004CDD07 E8204DF3FF
call 00402A2C
:004CDD0C 0F84AE000000->e9af000000 je 004CDDC0->jmp
004CDDC0
:004CDD12 33DB
xor ebx, ebx
:004CDD14 33D2
xor edx, edx
4.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004CDEBC(C)
|
:004CDECB 8D8558F8FFFF
lea eax, dword ptr [ebp+FFFFF858]
:004CDED1 8BD6
mov edx, esi
:004CDED3
E8688DF3FF->90 call 00406C40->nop
->33c9
->xor ecx,ecx
->8808
->mov bytes ptr[eax],cl
:004CDED8 BA9CE24C00
mov edx, 004CE29C
:004CDEDD 8D8558F8FFFF
lea eax, dword ptr [ebp+FFFFF858]
:004CDEE3
E8208EF3FF call 00406D08
5.
* Possible Reference to String Resource ID=00016: "Specify file type"
|
:004CE11D B910000000
mov ecx, 00000010
:004CE122 E80549F3FF
call 00402A2C
:004CE127 7402->eb02
je 004CE12B->jmp 004CE12B
:004CE129
33DB xor
ebx, ebx
6.
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:0054B63B(C)
|
:0054B649 A1C00B5500
mov eax, dword ptr [00550BC0]
:0054B64E
E86134EDFF->eb00 call 0041EAB4->jmp 54B650
->eb00
->jmp 54B652
->90 ->nop
:0054B653 E85CDEFFFF call 005494B4
:0054B658 E87B0CECFF call
0040C2D8
:0054B65D A1CCF65400
mov eax, dword ptr [0054F6CC]
:0054B662 E8D102EDFF
call 0041B938
7.
:004DFE71 E8CA6DF2FF
call 00406C40
:004DFE76 8B4304
mov eax, dword ptr [ebx+04]
:004DFE79 83F808
cmp eax, 00000008
:004DFE7C 7F36->9090
jg 4DFEB4->nop
:004DFE7E 0F8459060000
je 004E04DD
8.
:004E8B6D A108D35400
mov eax, dword ptr [0054D308]
:004E8B72
2DB9230000 sub eax, 000023B9
:004E8B77 740a->EB0A jz 004E8B83->jmp
004E8B83
9.new crc check
:004E9969 50
push eax
:004E996A 6A00
push 00000000
:004E996C B92F010000 mov ecx,
0000012F
:004E9971 BA2D010000
mov edx, 0000012D
:004E9976 8B8324010000
mov eax, dword ptr [ebx+00000124]
:004E997C E823210500
call 0053BAA4
:004E9981 803D3CDE540000
cmp byte ptr [0054DE3C], 00
:004E9988 750A->eb0a
jne 004E9994->jmp 004E9994
好了就这么多了,要想知道为什么这么改,跟踪一次就知道了,不过我觉得没有特殊兴趣的话,还是算了吧,比较麻烦,没必要。其中的2.可以换成其他的名字。9.这个没有提示的crc校验真的令我头大呀,又是delphi编的,类似有crc校验的还有iptools,tag&rename,头痛呀:(,其中tag&rename这个已搞定;-)
zombieys[CCG]
2001.8.14
———————————————————————————————>
.-"
"-. cracked by zombieys[CCG] >
/ \
qq:1789655 >
| ★
| http://zombieys.yeah.net >
|, .-. .-. ,| http://zombieys.126.com
>
|)(__/ \__)(|
zombieys.cn.hongnet.com >
|/ /\ \|
>
(@_@) (_ ^^
_) Thanks for your supports >
_ )\_______\__|IIIIII|__/_____
>
_)@8@8{}<________|-\IIIIII/-|____China
Crack Group_zombieys___>
- 标 题:注册你的Windows Commander 4.54 (5千字)
- 作 者:zombieys
- 时 间:2001-9-14 12:09:01
- 链 接:http://bbs.pediy.com