NetCaptor6.5.0 Final

标题：peter,交一篇FCG的作业：破解NetCaptor最新版6.5.0 Final的限制 (14千字)
作者：moonlite
时间：2001-10-1 14:44:16
链接：http://bbs.pediy.com

〓破解NetCaptor最新版6.5.0 Final的限制〓

破解者：moonlite[BCG][FCG]
目标： NetCaptor最新版6.5.0 Final
应用平台：Win9X/ME/WinNT/2K
软件主页：http://www.netcaptor.com/
大小：675k
软件用途：一个比IE好很多的浏览器，新版本功能多多，本人一直用它。
保护：ASPack 2.11c 壳，30天试用，提示注册Nag窗，CRC校验。
工具：TRW1.22, W32dasm,Caspr,Winhex

◆首先去掉它的时间限制：

首先，用Caspr脱掉外壳。

1)运行NetCaptor.exe，提示窗口弹出，告诉你已经Trial到第几天了。。。(注：这个窗口只在特定的天数出现，如第1，5，10，15天等等)
点击按钮“Try NetCaptor”，并Ctrl+D激活，并来到TRW领空。Pmodule一次，并按F12+F10数次，会来到：

:00504643 E80498FDFF call 004DDE4C
:00504648 A1D46F5000 mov eax, dword ptr [00506FD4]
:0050464D 8A00 mov al, byte ptr [eax]
:0050464F 3C02 cmp al, 02-------------------------->打补丁①：mov al,02★
:00504651 0F94C3 sete bl
:00504654 8B15D46F5000 mov edx, dword ptr [00506FD4]
:0050465A 3C02 cmp al, 02
:0050465C 0F8498000000 je 005046FA
:00504662 8D45C0 lea eax, dword ptr [ebp-40]
:00504665 E86EECF9FF call 004A32D8
:0050466A 8B75C0 mov esi, dword ptr [ebp-40]
:0050466D A1D46F5000 mov eax, dword ptr [00506FD4]
:00504672 897004 mov dword ptr [eax+04], esi
:00504675 A1D46F5000 mov eax, dword ptr [00506FD4]
:0050467A 83FE1E cmp esi, 0000001E---------------------|这个语句好面熟呵！！
:0050467D 7E08 jle 00504687---------------------------------->光标在此！
:0050467F A1D46F5000 mov eax, dword ptr [00506FD4]
:00504684 C60001 mov byte ptr [eax], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050467D(C)
|
:00504687 B9B6945000 mov ecx, 005094B6
:0050468C 8B15D46F5000 mov edx, dword ptr [00506FD4]
:00504692 8B5204 mov edx, dword ptr [edx+04]
:00504695 A1D46F5000 mov eax, dword ptr [00506FD4]
:0050469A 8A00 mov al, byte ptr [eax]
:0050469C E8EBF0FFFF call 0050378C------------------------->进这个CALL追下去，会call出Nag提示窗的~~
:005046A1 A0B6945000 mov al, byte ptr [0050---------------->光标在此！
:005046A6 2C01 sub al, 01

Up↑往上看：你一定看到问题所在了吧？！我在0050464F处打第一个补丁。

◆解决它的CRC校验：

它的CRC校验很新颖。它不是在程序启动过程中报错，而是启动完成后，大概1分钟左右，才弹出出错信息，确定后程序退出。
可是——>启动完成后，搜索出错的字符串，却搜不到；而出错窗口弹出后，出错的字符串倒是可以搜索得到，但是BPM下断却拦不到。
为了拦它还费了菜鸟的脑筋。我想既然启动完成后不是马上出错，而是等一会。。。一定与时间函数有关。
来 BPX GetSystemTime试试：
呵，运气真好！请看↓

F12+F10 会到这里：

* Referenced by a CALL at Addresses:
|:004A2B7F , :004D2445 , :004D248B , :004D351C , :004D3CBA
|
:00402A3C 55 push ebp
:00402A3D 8BEC mov ebp, esp
:00402A3F 83C4E8 add esp, FFFFFFE8
:00402A42 8D45E8 lea eax, dword ptr [ebp-18]
:00402A45 50 push eax

* Reference To: kernel32.GetSystemTime, Ord:0000h
|
:00402A46 E85DE8FFFF Call 004012A8
:00402A4B 0FB745F0 movzx eax, word ptr [ebp-10]------------>光标在此！
:00402A4F 6BC03C imul eax, 0000003C
:00402A52 660345F2 add ax, word ptr [ebp-0E]
:00402A56 6BC03C imul eax, 0000003C
:00402A59 31D2 xor edx, edx
:00402A5B 668B55F4 mov dx, word ptr [ebp-0C]
:00402A5F 01D0 add eax, edx
:00402A61 69C0E8030000 imul eax, 000003E8
:00402A67 668B55F6 mov dx, word ptr [ebp-0A]
:00402A6B 01D0 add eax, edx
:00402A6D 890544805000 mov dword ptr [00508044], eax
:00402A73 8BE5 mov esp, ebp
:00402A75 5D pop ebp
:00402A76 C3 ret

接着按F12+F10-->

* Possible StringData Ref from Code Obj ->"?�雼]��"
|
:004D30AE 6874314D00 push 004D3174
:004D30B3 64FF30 push dword ptr fs:[eax]
:004D30B6 648920 mov dword ptr fs:[eax], esp
:004D30B9 8BC3 mov eax, ebx
:004D30BB E8CC0B0000 call 004D3C8C
:004D30C0 8D45F4 lea eax, dword ptr [ebp-0C]
:004D30C3 E81002FDFF call 004A32D8
:004D30C8 8B8380080000 mov eax, dword ptr [ebx+00000880]-------->光标在此！
:004D30CE 85C0 test eax, eax
:004D30D0 0F8483000000 je 004D3159
:004D30D6 33D2 xor edx, edx
:004D30D8 E81F32FDFF call 004A62FC
:004D30DD E8AEF7FCFF call 004A2890---------------------------->返回关键的eax值
:004D30E2 3DC0270900 cmp eax, 000927C0------------------------>eax值与927C0比较
:004D30E7 7E70 jle 004D3159----------------------------->eax值不比927C0大的话，CRC 就通过了！补丁②：jmp 004D3159★★
* Possible StringData Ref from Data Obj ->"@"
|
:004D30E9 A18C725000 mov eax, dword ptr [0050728C]
:004D30EE 803800 cmp byte ptr [eax], 00
:004D30F1 7566 jne 004D3159
:004D30F3 8D4DF0 lea ecx, dword ptr [ebp-10]
:004D30F6 B293 mov dl, 93

* Possible StringData Ref from Code Obj ->"蓥缧蜚琰岢轴狳?
|
:004D30F8 B888314D00 mov eax, 004D3188------------------------>指向加密的“NetCaptor Error”
:004D30FD E836F8FCFF call 004A2938---------------------------->还原加密字符串的CALL/进入----->
:004D3102 8B45F0 mov eax, dword ptr [ebp-10]-------------->指向还原后的“NetCaptor Error”
:004D3105 50 push eax--------------------------------->入栈保存
:004D3106 8D4DEC lea ecx, dword ptr [ebp-14]
:004D3109 B293 mov dl, 93

◇◇还原加密字符串的CALL进入→里面真的好精彩啊！◇◇

↓-------------------------------------------------------------------↓

* Referenced by a CALL at Addresses:
|:004A2A25 , :004A2ACC , :004A2B1C , :004A2D34 , :004A324A
|:004D30FD , :004D3110 , :004D32A8 , :004D32BB , :00503905
|:0050392D , :0050395B , :0050397D , :005039A5 , :005039CF
|:005039F7 , :00503A19 , :00503A48 , :00503AF4
|
:004A2938 55 push ebp
:004A2939 8BEC mov ebp, esp
:004A293B 83C4F4 add esp, FFFFFFF4
:004A293E 53 push ebx
:004A293F 56 push esi
:004A2940 57 push edi
:004A2941 33DB xor ebx, ebx
:004A2943 895DF4 mov dword ptr [ebp-0C], ebx
:004A2946 8BF1 mov esi, ecx
:004A2948 8855FB mov byte ptr [ebp-05], dl-------------->解密参数93h
:004A294B 8945FC mov dword ptr [ebp-04], eax------------>还原后的字符串地址保存到[ebp-04]
:004A294E 33C0 xor eax, eax
:004A2950 55 push ebp

* Possible StringData Ref from Code Obj ->"?�館媇悑3U貸d0?3ZY塰)"
|
:004A2951 68A5294A00 push 004A29A5
:004A2956 64FF30 push dword ptr fs:[eax]
:004A2959 648920 mov dword ptr fs:[eax], esp
:004A295C 8B45FC mov eax, dword ptr [ebp-04]
:004A295F E89416F6FF call 00403FF8-------------------------->算加密字符串长度，并返回到eax
:004A2964 8BD8 mov ebx, eax--------------------------->将加密字符串长度送ebx
:004A2966 85DB test ebx, ebx
:004A2968 7E25 jle 004A298F
:004A296A BF01000000 mov edi, 00000001----------------------->edi置1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A298D(C)
|
:004A296F 8D45F4 lea eax, dword ptr [ebp-0C]------------>将解密后的字符串地址送eax
:004A2972 8B55FC mov edx, dword ptr [ebp-04]------------>指向加密的字符串
:004A2975 8A543AFF mov dl, byte ptr [edx+edi-01]---------->从加密的字符串取一个字符
:004A2979 3255FB xor dl, byte ptr [ebp-05]-------------->与93h 异或后，dl所保存的就是解密后的字符了！
:004A297C E88315F6FF call 00403F04
:004A2981 8B55F4 mov edx, dword ptr [ebp-0C]------------>指向解密后的字符串地址
:004A2984 8BC6 mov eax, esi
:004A2986 E87516F6FF call 00404000-------------------------->将还原后的字符送上述地址保存
:004A298B 47 inc edi-------------------------------->edi加1
:004A298C 4B dec ebx
:004A298D 75E0 jne 004A296F--------------------------->循环完了吗？没完就继续↑

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A2968(C)
|
:004A298F 33C0 xor eax, eax
:004A2991 5A pop edx
:004A2992 59 pop ecx
:004A2993 59 pop ecx
:004A2994 648910 mov dword ptr fs:[eax], edx

* Possible StringData Ref from Code Obj ->"_[迕U炖h)"
|
:004A2997 68AC294A00 push 004A29AC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A29AA(U)
|
:004A299C 8D45F4 lea eax, dword ptr [ebp-0C]
:004A299F E8B813F6FF call 00403D5C
:004A29A4 C3 ret

↑-------------------------------------------------------------------↑

继续往下走...

* Possible StringData Ref from Code Obj ->"躯龀蓥缧蜚琰岢鲭鲳骁蝰�龀喑聆鳊橱蟒螋鲼蒋襻?
->"岘?鲵圉翅鼍噻?�齿鲧序沌?
|
:004D310B B8A0314D00 mov eax, 004D31A0------------------------>指向加密的CRC出错信息
:004D3110 E823F8FCFF call 004A2938---------------------------->还原加密字符串的CALL
:004D3115 8B45EC mov eax, dword ptr [ebp-14]-------------->指向CRC出错信息(如下↓)

*******************************************
The NetCaptor executable has been damaged.
Please re-install NetCaptor.
*******************************************

:004D3118 50 push eax
:004D3119 6A00 push 00000000
:004D311B 8D4DE8 lea ecx, dword ptr [ebp-18]
:004D311E BAF8314D00 mov edx, 004D31F8
:004D3123 8BC3 mov eax, ebx
:004D3125 E85EC7FFFF call 004CF888
:004D312A 8B45E8 mov eax, dword ptr [ebp-18]
:004D312D 50 push eax
:004D312E 6A00 push 00000000
:004D3130 8D45FF lea eax, dword ptr [ebp-01]
:004D3133 50 push eax
:004D3134 6A00 push 00000000
:004D3136 6A00 push 00000000
:004D3138 8D55E4 lea edx, dword ptr [ebp-1C]

* Possible StringData Ref from Code Obj ->"軇P"
|
:004D313B A184725000 mov eax, dword ptr [00507284]
:004D3140 E82B35F3FF call 00406670
:004D3145 8B4DE4 mov ecx, dword ptr [ebp-1C]
:004D3148 8B5358 mov edx, dword ptr [ebx+58]
:004D314B 8BC3 mov eax, ebx
:004D314D E80AA40000 call 004DD55C---------------------------->CRC出错啦！！
:004D3152 8BC3 mov eax, ebx
:004D3154 E8C7EAF7FF call 00451C20

￣￣￣￣￣￣￣￣￣￣￣￣￣

◆补充一点：
这样改过后，还有一点美中不足的是：在About窗口，总会有“You are on day XX of your 30-day evaluation period.”文字。
让我们美化美化。用W32dasm反汇编后，查找该字符串：

* Possible StringData Ref from Code Obj ->"NetCaptor 6.5.0"
|
:004C6277 BAA8634C00 mov edx, 004C63A8
:004C627C E873DBF3FF call 00403DF4
:004C6281 803DE48F500002 cmp byte ptr [00508FE4], 02
:004C6288 7527 jne 004C62B1------------------------------->不要跳呵|补丁③：nop 掉★★★

* Possible StringData Ref from Code Obj ->"Registered to: "
|
:004C628A 68C0634C00 push 004C63C0
:004C628F FF35EC8F5000 push dword ptr [00508FEC]
:004C6295 6878634C00 push 004C6378
:004C629A 6878634C00 push 004C6378
:004C629F FF75F8 push [ebp-08]
:004C62A2 8D45F8 lea eax, dword ptr [ebp-08]
:004C62A5 BA05000000 mov edx, 00000005
:004C62AA E809DEF3FF call 004040B8
:004C62AF EB49 jmp 004C62FA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C6288(C)
|

* Possible StringData Ref from Code Obj ->"You are on day "---------------------|站在此往上看↑
|
:004C62B1 68D8634C00 push 004C63D8
:004C62B6 8D55E4 lea edx, dword ptr [ebp-1C]
:004C62B9 A1E88F5000 mov eax, dword ptr [00508FE8]
:004C62BE E82935F4FF call 004097EC
:004C62C3 FF75E4 push [ebp-1C]

* Possible StringData Ref from Code Obj ->" of your "
|
:004C62C6 68F0634C00 push 004C63F0
:004C62CB 8D55E0 lea edx, dword ptr [ebp-20]
:004C62CE B81E000000 mov eax, 0000001E
:004C62D3 E81435F4FF call 004097EC
:004C62D8 FF75E0 push [ebp-20]

* Possible StringData Ref from Code Obj ->"-day evaluation period."
|
:004C62DB 6804644C00 push 004C6404
:004C62E0 6878634C00 push 004C6378
:004C62E5 6878634C00 push 004C6378
:004C62EA FF75F8 push [ebp-08]

------------------------------------☆

当然，为了Art of Crack的考虑，你可以修改其它地方，那就看你的了。好！
收工！

补丁①　　　　　　@offset 103a4f 3C02-->B002
补丁②　　　　　　@offset d24e7 7E70-->EB70
补丁③　　　　　　@offset c5688 7527-->9090

2001-10-1 《完》