软件名:ResScope V1.35
大 小:435KB
下载地:http://go6.163.com/restools/rs010909.zip
保 护:加壳(很好脱);注册框(无注册成功、失败提示)
说 明:据说比 eXescope 更强的软件资源分析工具。我在 ResScope 中转了无数圈,找到了注册名,但无法找到注册码,还望大家指点迷津!!!!
破这个软件费了些周折。。。
注册时没有提示框,输入注册信息后,把注册信息放入了注册表,是不是程序启动时才进行注册判断呢?后来用regmon也无斩获,也就是启动时它没有读注册信息,那它是根据什么来判断已注册的呢?
既然软件中的保存功能和导出功能被禁止,那用它打开一个文件试试,再export resource 有错误信息了,呵呵~~~~
1.脱壳,查得是Aspack 2.001,用Unaspack可以脱
2.delphi程序,用dede打开程序,process。。。
dump successful 后,file-> load symbol file->vcl5.dsf,再看procedures,看一下RegUnit->Button1Click->disassemble,果然只是把注册信息放入了注册表,没有进行注册判断。。。。
3.再看RXMain->Save Resource(为什么看这个?因为它就是export resource的事件,从它的additional data可以看到)->disassemble,慢慢看,看到什么了?
***** TRY
|
004CA143 64FF30
push dword ptr fs:[eax]
004CA146 648920
mov fs:[eax], esp
|
004CA149 E85EF9FEFF call
004B9AAC ->关键call
004CA14E 84C0
test al, al
004CA150 7536
jnz 004CA188 ->这一跳就走了
|
004CA152 E891FDFEFF call
004B9EE8
004CA157 84C0
test al, al
004CA159 7407
jz 004CA162
|
004CA15B E8CCFAFEFF call
004B9C2C
004CA160 EB26
jmp 004CA188
004CA162 6A10
push $10
004CA164 A194654E00 mov
eax, dword ptr [$4E6594]
004CA169 8B00
mov eax, [eax]
* Reference to: system.@LStrToPChar;
|
004CA16B E8349FF3FF call
004040A4
004CA170 8BC8
mov ecx, eax
* Possible String Reference to: 'ResScope is shareware.Please download the new edition.' ->错误提示
|
004CA172 BA44A64C00 mov
edx, $004CA644
* Reference to TApplication instance
|
004CA177 A1B0654E00 mov
eax, dword ptr [$4E65B0]
004CA17C 8B00
mov eax, [eax]
* Reference to: forms.TApplication.MessageBox(TApplication;System.PChar;System.PChar;System.Longint):System.Integer;
|
004CA17E E8E592F8FF call
00453468
004CA183 E992040000 jmp
004CA61A
004CA188 55
push ebp
进入call 004B9AAC 看看,双击。。。又看到什么了。。。
***** TRY
|
004B9ADF 64FF30
push dword ptr fs:[eax]
004B9AE2 648920
mov fs:[eax], esp
004B9AE5 BA02000080 mov
edx, $80000002
004B9AEA 8B45F8
mov eax, [ebp-$08]
* Reference to: registry.TRegistry.SetRootKey(TRegistry;Windows.HKEY);
|
004B9AED E84AF8FFFF call
004B933C
004B9AF2 B101
mov cl, $01
* Possible String Reference to: 'SOFTWARE\RESTOOLS\ResScope'
|
004B9AF4 BAF09B4B00 mov
edx, $004B9BF0
004B9AF9 8B45F8
mov eax, [ebp-$08]
* Reference to: registry.TRegistry.OpenKey(TRegistry;System.AnsiString;System.Boolean):System.Boolean;
|
004B9AFC E89FF8FFFF call
004B93A0
004B9B01 84C0
test al, al
004B9B03 0F8497000000 jz
004B9BA0
004B9B09 8D45F4
lea eax, [ebp-$0C]
* Reference to: system.@LStrClr(String);
|
004B9B0C E84FA1F4FF call
00403C60
004B9B11 8D45F0
lea eax, [ebp-$10]
* Reference to: system.@LStrClr(String);
|
004B9B14 E847A1F4FF call
00403C60
* Possible String Reference to: 'reguser'
|
004B9B19 BA149C4B00 mov
edx, $004B9C14
004B9B1E 8B45F8
mov eax, [ebp-$08]
* Reference to: registry.TRegistry.ValueExists(TRegistry;System.AnsiString):System.Boolean;
|
004B9B21 E8DEFBFFFF call
004B9704
004B9B26 84C0
test al, al
004B9B28 7410
jz 004B9B3A
004B9B2A 8D4DF4
lea ecx, [ebp-$0C]
* Possible String Reference to: 'reguser'
|
004B9B2D BA149C4B00 mov
edx, $004B9C14
004B9B32 8B45F8
mov eax, [ebp-$08]
* Reference to: registry.TRegistry.ReadString(TRegistry;System.AnsiString):System.AnsiString;
|
004B9B35 E82EFAFFFF call
004B9568
* Possible String Reference to: 'regcode'
|
004B9B3A BA249C4B00 mov
edx, $004B9C24
004B9B3F 8B45F8
mov eax, [ebp-$08]
* Reference to: registry.TRegistry.ValueExists(TRegistry;System.AnsiString):System.Boolean;
|
004B9B42 E8BDFBFFFF call
004B9704
004B9B47 84C0
test al, al
004B9B49 7410
jz 004B9B5B
004B9B4B 8D4DF0
lea ecx, [ebp-$10]
* Possible String Reference to: 'regcode'
|
004B9B4E BA249C4B00 mov
edx, $004B9C24
004B9B53 8B45F8
mov eax, [ebp-$08]
* Reference to: registry.TRegistry.ReadString(TRegistry;System.AnsiString):System.AnsiString;
|
004B9B56 E80DFAFFFF call
004B9568
004B9B5B 8B45F0
mov eax, [ebp-$10]
* Reference to: system.@LStrLen:Integer;
| or: system.@DynArrayLength;
| or: system.DynArraySize(Pointer):Integer;
|
004B9B5E E87DA3F4FF call
00403EE0
004B9B63 83F828
cmp eax, +$28 ->注册码要是40位
004B9B66 7538
jnz 004B9BA0
004B9B68 8B45F4
mov eax, [ebp-$0C]
* Reference to: system.@LStrLen:Integer;
| or: system.@DynArrayLength;
| or: system.DynArraySize(Pointer):Integer;
|
004B9B6B E870A3F4FF call
00403EE0
004B9B70 85C0
test eax, eax
004B9B72 7E2C
jle 004B9BA0
004B9B74 68338C0000 push
$00008C33
004B9B79 8D45EC
lea eax, [ebp-$14]
004B9B7C 50
push eax
004B9B7D B982310000 mov
ecx, $00003182
004B9B82 BAD5030000 mov
edx, $000003D5
004B9B87 8B45F4
mov eax, [ebp-$0C]
|
004B9B8A E80DFCFFFF call
004B979C
004B9B8F 8B45EC
mov eax, [ebp-$14]
004B9B92 8B55F0
mov edx, [ebp-$10] ->真注册码
* Reference to: system.@LStrCmp;
|
004B9B95 E856A4F4FF call
00403FF0
004B9B9A 7504
jnz 004B9BA0 ->注册比较了
004B9B9C C645FF01 mov
byte ptr [ebp-$01], $01
004B9BA0 33C0
xor eax, eax
004B9BA2 5A
pop edx
004B9BA3 59
pop ecx
004B9BA4 59
pop ecx
004B9BA5 648910
mov fs:[eax], edx
****** FINALLY
从那些 reference 我们就可以看得很清楚了,它到底进行了什么操作。。。
现在知道该怎么做了吧!
4.用 trw2000 载入程序,下断点bpx 004B9B8F ,g,载入程序后,可以打开一个文件,再调用export resource 顺利中断。。。F10
两下,下命令 d edx ,看到注册码了吧,搞定,收工。(注意,要先输入40位的注册码,才可以下004B9B8F中断)
P.S. 其实这个软件也不错,可惜名气不及Exescope,何况用exescope也用惯了,没有用户还要注册,唉!借此宣传一下这个软件,支持国货嘛!