破解者: 我不说
难度: 容易
程序: Recover 4 all v1.04
工具:TRW2000 v1.22, W32Dasm, eXeScope.
过程:
运行程序,出现NAG窗口。退出程序,运行eXeScope,查找NAG窗口,
是dialog: 163,退出eXeScope。用W32Dasm打开Rec4all.exe,查找DialogID_00A3,
为什么是 00A3?因为十进制 163 等于十六进制 A3。见到如下代码:
; Function at 00411440 — called once, from 0040F583 (listed further down).
; Convention as visible here: `this` in ecx, one DWORD stack argument, and
; `ret 0004` cleans that argument up; esi is saved and restored. It pushes the
; dialog resource id 0xA3 (163 decimal — the NAG dialog found with eXeScope)
; to 00428D3D, stores 00443EA0 at [this] and returns this in eax. Presumably a
; dialog-object constructor (base call, then vtable-pointer store) — unverified.
* Referenced by a CALL at Address:
|:0040F583
|
:00411440 8B442404 mov
eax, dword ptr [esp+04]                 ; eax = the single stack argument
:00411444 56
push esi                                ; preserve esi (restored before ret)
:00411445 50
push eax                                ; forward the argument to 00428D3D
:00411446 8BF1
mov esi, ecx                            ; esi = this
* Possible Reference to Dialog: DialogID_00A3
|
:00411448 68A3000000 push 000000A3      ; dialog template id 0xA3 = 163 (the NAG window)
:0041144D E8EB780100 call 00428D3D      ; target not on this page; presumably base-class ctor(id, arg)
:00411452 C706A03E4400 mov dword ptr
[esi], 00443EA0                         ; [this] = 00443EA0 — looks like a vtable pointer, unverified
:00411458 8BC6
mov eax, esi                            ; return this
:0041145A 5E
pop esi
:0041145B C20400
ret 0004                                ; pop the one DWORD argument
向上寻找0040F583,
; Function at 0040F560 — called from 0040AE7E (listed further down) with
; ecx = ebp, the caller's object pointer. Registers an SEH frame, builds the
; 00411440 dialog object in a stack local, calls 00428DF2 and 00428A33 on it,
; then unlinks the frame. Frame layout after `sub esp, 6C`:
;   [esp+00..6B] locals (the dialog object lives at [esp])
;   [esp+6C]     saved previous fs:[0]
;   [esp+70]     handler address 004414D8
;   [esp+74]     state slot, initially FFFFFFFF
; so the final `add esp, 78` (= 6C + 3*4) balances the three pushes.
* Referenced by a CALL at Address:
|:0040AE7E
|
:0040F560 6AFF
push FFFFFFFF                           ; state slot (rewritten via [esp+74] below)
:0040F562 68D8144400 push 004414D8      ; exception handler address
:0040F567 64A100000000 mov eax, dword
ptr fs:[00000000]                       ; fs:[0] = head of the thread's SEH chain
:0040F56D 50
push eax                                ; save the previous chain head
:0040F56E 64892500000000 mov dword ptr fs:[00000000],
esp                                     ; link this frame in
:0040F575 83EC6C
sub esp, 0000006C                       ; 0x6C bytes of locals
:0040F578 E893F4FFFF call 0040EA10      ; ecx still = caller's object; target not on this page
:0040F57D 6A00
push 00000000                           ; argument 0 for the constructor
:0040F57F 8D4C2404 lea
ecx, dword ptr [esp+04]                 ; ecx = &local object (skip the argument just pushed)
:0040F583 E8B81E0000 call 00411440      ; construct the dialog object (listed above)
:0040F588 8D4C2400 lea
ecx, dword ptr [esp]                    ; ecx = &local object
:0040F58C C744247400000000 mov [esp+74], 00000000   ; state slot = 0 while the object is live
:0040F594 E859980100 call 00428DF2      ; presumably shows the dialog; target not on this page
:0040F599 8D4C2400 lea
ecx, dword ptr [esp]                    ; ecx = &local object again
:0040F59D C7442474FFFFFFFF mov [esp+74], FFFFFFFF   ; state slot back to -1
:0040F5A5 E889940100 call 00428A33      ; presumably the destructor — unverified
:0040F5AA 8B4C246C mov
ecx, dword ptr [esp+6C]                 ; previous chain head
:0040F5AE 64890D00000000 mov dword ptr fs:[00000000],
ecx                                     ; unlink the SEH frame
:0040F5B5 83C478
add esp, 00000078                       ; locals + the three pushes
:0040F5B8 C3
ret
再向上找0040AE7E,
; Fragment of the function that calls 0040F560 (its start is not on this page).
; Here ebp is an object pointer, not a frame pointer — it is passed in ecx as
; `this`. [ebp+5D0] is compared with ebx; ebx is apparently zero at this point
; (the same register is stored into a run of fields at 0040AD6D below), so
; equal → fall through into the NAG path, not equal → 0040AE9E. A single DWORD
; flag tested at a single site is the weakest form of registration check; the
; memory edit and the patch described on this page work only because of that.
:0040AE6D 8BCD
mov ecx, ebp                            ; this
:0040AE6F E89C3B0000 call 0040EA10      ; target not on this page
:0040AE74 399DD0050000 cmp dword ptr
[ebp+000005D0], ebx                     ; registration flag == ebx (presumably 0)? — the author's breakpoint
:0040AE7A 7522
jne 0040AE9E                            ; flag set: skip the NAG
:0040AE7C 8BCD
mov ecx, ebp                            ; this
:0040AE7E E8DD460000 call 0040F560      ; show the NAG dialog (listed above)
:0040AE83 391DB84E4600 cmp dword ptr
[00464EB8], ebx                         ; a global compared with the same ebx; meaning not on this page
:0040AE89 0F858A000000 jne 0040AF19
:0040AE8F C7853002000001000000 mov dword ptr [ebp+00000230], 00000001   ; [this+230] = 1 (field zeroed at 0040AD78)
:0040AE99 E90A010000 jmp 0040AFA8
运行 TRW2000,在 0040AE74 处设置断点,把 ebp+5D0 处的内存值改为非 0,按 F5 继续运行后,程序显示注册成功。
重新在 ebp+5D0 这个内存地址上设置断点后运行程序,拦截到如下代码:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040ACE3(C)
|
; Fragment (function start is not on this page; reached by the conditional jump
; from 0040ACE3). Bulk initialisation of object fields through ebp = this, all
; from ebx — presumably zero, so this zeroes the object; not verifiable here.
; The store at 0040AD8A initialises [ebp+5D0], the flag compared at 0040AE74
; above; it is the single initialisation point the author patches.
:0040AD6D 8BCD
mov ecx, ebp                            ; this
:0040AD6F 895D58
mov dword ptr [ebp+58], ebx
:0040AD72 89B5E4430600 mov dword ptr
[ebp+000643E4], esi                     ; the one field not written from ebx
:0040AD78 899D30020000 mov dword ptr
[ebp+00000230], ebx                     ; later set to 1 at 0040AE8F
:0040AD7E 899D38020000 mov dword ptr
[ebp+00000238], ebx
:0040AD84 899D3C020000 mov dword ptr
[ebp+0000023C], ebx
:0040AD8A 899DD0050000 mov dword ptr
[ebp+000005D0], ebx 《--                 ; registration flag initialised here (read at 0040AE74)
:0040AD90 C7455CFFFFFFFF mov [ebp+5C], FFFFFFFF   ; the only non-ebx immediate in this run
:0040AD97 899D88000000 mov dword ptr
[ebp+00000088], ebx
:0040AD9D 899D84000000 mov dword ptr
[ebp+00000084], ebx
:0040ADA3 899D80000000 mov dword ptr
[ebp+00000080], ebx
:0040ADA9 895D7C
mov dword ptr [ebp+7C], ebx
:0040ADAC 895D78
mov dword ptr [ebp+78], ebx
:0040ADAF 895D74
mov dword ptr [ebp+74], ebx
:0040ADB2 895D70
mov dword ptr [ebp+70], ebx
:0040ADB5 895D6C
mov dword ptr [ebp+6C], ebx
:0040ADB8 895D68
mov dword ptr [ebp+68], ebx
:0040ADBB 895D64
mov dword ptr [ebp+64], ebx
修改0040AD8A处的代码为89B5D0050000后,运行程序,爆破成功。
我研究了很长时间,也没把它的注册算法搞清楚,希望网上的各位高手,能给予指点,先谢过啦!
- 标 题:爆破recover 4 all 1.04 (4千字)
- 作 者:我不说
- 时 间:2001-10-8 12:54:22
- 链 接:http://bbs.pediy.com