Fast Browser 4.03破解过程
过程:
首先用language查到该软件是由pecompact加的壳,干掉他!
简单!用冲击波+TRW就搞定了!
由于该软件需要上网校验用户名和注册码,所以要先把这个功能干掉
所以用W32DASM查找:"Connect to the Internet now so "
; W32DASM dead listing, 32-bit x86, Intel operand order (destination first).
; Page extraction split most instructions in two: "address + opcode bytes" on one
; line, mnemonic and operands on the next. The excerpt starts mid-function at 004DB77F.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DB763(C)
|
; eax = pointer stored at [00506400]; if the byte it points to is non-zero,
; go straight to 004DB7A5 and skip both 004A736C calls below.
:004DB77F A100645000 mov eax,
dword ptr [00506400]
:004DB784 803800
cmp byte ptr [eax], 00
:004DB787 751C
jne 004DB7A5
; call 004A736C with eax = 11h; AL == 0 on return branches to 004DB7B1.
; 004A736C is not shown, so what it tests cannot be told from this listing.
:004DB789 B811000000 mov eax,
00000011
:004DB78E E8D9BBFCFF call 004A736C
:004DB793 84C0
test al, al
:004DB795 741A
je 004DB7B1-----这里NOP掉
; Same pattern with eax = 10h.
:004DB797 B810000000 mov eax,
00000010
:004DB79C E8CBBBFCFF call 004A736C
:004DB7A1 84C0
test al, al
:004DB7A3 740C
je 004DB7B1-----这里NOP掉
; NOTE(review): in this excerpt the two je branches are all that separates the
; 004A736C results from the call at 004DB7A7, so the gate rests on client-side
; control flow alone.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DB787(C)
|
; Reached from 004DB787 or by falling through both checks: eax = ebx,
; call 004DB4C4 (listed further down the page), then jump to 004DB8B5.
:004DB7A5 8BC3
mov eax, ebx
:004DB7A7 E818FDFFFF call 004DB4C4----跟进这个CALL看看
:004DB7AC E904010000 jmp 004DB8B5
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004DB795(C), :004DB7A3(C)
|
; Target of both je branches; the listing stops just before the code that
; references the prompt string below.
:004DB7B1 8D45FC
lea eax, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"Connect to the Internet now so "-----向上看
------------------------------------------------call 004DB4C4:
进入后我们停到这里:
; Routine at 004DB4C4 (W32DASM listing, 32-bit x86, Intel operand order).
; In:  eax = caller's ebx (copied into ebx below); the type of that object is not
;      visible here.
; The excerpt ends at 004DB518; the rest of the routine is not on the page.
* Referenced by a CALL at Addresses:
|:004DB7A7 , :004DBDAF
|
; Standard frame setup, then a counted loop that pushes two zero dwords six times
; (12 zeroed stack slots).
:004DB4C4 55
push ebp
:004DB4C5 8BEC
mov ebp, esp
:004DB4C7 B906000000 mov ecx,
00000006
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DB4D1(C)
|
:004DB4CC 6A00
push 00000000
:004DB4CE 6A00
push 00000000
:004DB4D0 49
dec ecx
:004DB4D1 75F9
jne 004DB4CC
; ecx is 0 when the loop exits, so this pushes one more zero slot.
:004DB4D3 51
push ecx
:004DB4D4 53
push ebx
:004DB4D5 8BD8
mov ebx, eax
; Exception-frame registration: with eax = 0, push the handler address 004DB6D7 and
; the previous fs:[0] value, then store esp to fs:[0].
:004DB4D7 33C0
xor eax, eax
:004DB4D9 55
push ebp
:004DB4DA 68D7B64D00 push 004DB6D7
:004DB4DF 64FF30
push dword ptr fs:[eax]
:004DB4E2 648920
mov dword ptr fs:[eax], esp
; Same flag test as at 004DB77F: if the byte behind the pointer at [00506400] is
; non-zero, go to 004DB51A (not shown).
:004DB4E5 A100645000 mov eax,
dword ptr [00506400]
:004DB4EA 803800
cmp byte ptr [eax], 00
:004DB4ED 752B
jne 004DB51A
; call 004350E8 with eax = [ebx+2F4], edx = &[ebp-04]; [ebp-04] is read back
; afterwards and pushed.
; presumably 004350E8 fetches the text of a form field into the out variable —
; the callee is not shown; confirm.
:004DB4EF 8D55FC
lea edx, dword ptr [ebp-04]
:004DB4F2 8B83F4020000 mov eax, dword
ptr [ebx+000002F4]
:004DB4F8 E8EB9BF5FF call 004350E8
:004DB4FD 8B45FC
mov eax, dword ptr [ebp-04]
:004DB500 50
push eax
; Second fetch: eax = [ebx+2F8], edx = &[ebp-08].
:004DB501 8D55F8
lea edx, dword ptr [ebp-08]
:004DB504 8B83F8020000 mov eax, dword
ptr [ebx+000002F8]
:004DB50A E8D99BF5FF call 004350E8
; call 004D4AE0 with eax = value from [ebx+2F8] and edx = value from [ebx+2F4]
; (popped from the earlier push).
:004DB50F 8B45F8
mov eax, dword ptr [ebp-08]
:004DB512 5A
pop edx
:004DB513 E8C895FFFF call 004D4AE0
---------再跟进这个CALL,不要问为什么,我蒙的
:004DB518 EB29
jmp 004DB543
-------------------------------------------------------------------------------------------------
跟进call 004d4ae0后:
直觉是蒙对了(其实是试的!^O^)
; Routine at 004D4AE0 (W32DASM listing, 32-bit x86, Intel operand order).
; In:  eax, edx = two pointer-sized arguments, saved to [ebp-04] and [ebp-08].
; The excerpt ends at 004D4B32; the code at 004D4B34 / 004D4B38 is not on the page.
* Referenced by a CALL at Addresses:
|:004D514A , :004DB513
|
; add esp, FFFFFFF4 is esp -= 0Ch: three dword locals at [ebp-04], [ebp-08], [ebp-0C].
:004D4AE0 55
push ebp
:004D4AE1 8BEC
mov ebp, esp
:004D4AE3 83C4F4
add esp, FFFFFFF4
:004D4AE6 53
push ebx
; [ebp-0C] = 0, [ebp-08] = edx, [ebp-04] = eax.
:004D4AE7 33C9
xor ecx, ecx
:004D4AE9 894DF4
mov dword ptr [ebp-0C], ecx
:004D4AEC 8955F8
mov dword ptr [ebp-08], edx
:004D4AEF 8945FC
mov dword ptr [ebp-04], eax
; 004041A4 is called once per argument; the callee is not shown.
; presumably a runtime string helper (e.g. a reference-count bump) — confirm.
:004D4AF2 8B45FC
mov eax, dword ptr [ebp-04]
:004D4AF5 E8AAF6F2FF call 004041A4
:004D4AFA 8B45F8
mov eax, dword ptr [ebp-08]
:004D4AFD E8A2F6F2FF call 004041A4
; Exception-frame registration via fs:[0], handler address 004D4BA7.
:004D4B02 33C0
xor eax, eax
:004D4B04 55
push ebp
:004D4B05 68A74B4D00 push 004D4BA7
:004D4B0A 64FF30
push dword ptr fs:[eax]
:004D4B0D 648920
mov dword ptr fs:[eax], esp
; Either argument being zero (null pointer) skips the comparison and goes to 004D4B34.
:004D4B10 837DFC00 cmp
dword ptr [ebp-04], 00000000
:004D4B14 741E
je 004D4B34
:004D4B16 837DF800 cmp
dword ptr [ebp-08], 00000000
:004D4B1A 7418
je 004D4B34
; call 004D49F8 with eax = first argument and edx = &[ebp-0C]; [ebp-0C] is read
; back right after, so 004D49F8 writes its result there.
:004D4B1C 8D55F4
lea edx, dword ptr [ebp-0C]
:004D4B1F 8B45FC
mov eax, dword ptr [ebp-04]
:004D4B22 E8D1FEFFFF call 004D49F8---这里一大堆乱七八糟的,好像是算法,俺不懂(~_~)
; 00404100 is called with edx = the derived value and eax = the second argument;
; the equal flag alone selects 004D4B38.
; NOTE(review): a check built this way holds the expected value in plaintext in the
; client process at the moment of the compare. Verifying a signature or deciding
; server-side avoids deriving the expected value on the client.
:004D4B27 8B55F4
mov edx, dword ptr [ebp-0C]--这里是真码
:004D4B2A 8B45F8
mov eax, dword ptr [ebp-08]--这里是假码
:004D4B2D E8CEF5F2FF call 00404100------------------这里是比较(记下,一会做注册机)
:004D4B32 7404
je 004D4B38-------------------相等就万事OK了!!!!!
-------------------------------------------------------------------------------------------------
进入CALL 00404100比较CALL后:
; Comparison routine at 00404100 (W32DASM listing, 32-bit x86, Intel operand order).
; In:  eax, edx = the two pointers to compare (copied to esi and edi).
; The excerpt stops at 00404121; the loop that compares the bytes is not on the page.
; Saves ebx, esi and edi before using them.
:00404100 53
push ebx
:00404101 56
push esi
:00404102 57
push edi
:00404103 89C6
mov esi, eax
:00404105 89D7
mov edi, edx
; Identical pointers go straight to 0040419E.
:00404107 39D0
cmp eax, edx ----关键比较!(记下一会儿做注册机)
:00404109 0F848F000000 je 0040419E
; A null pointer on either side is handled separately (0040417B / 00404182).
:0040410F 85F6
test esi, esi
:00404111 7468
je 0040417B
:00404113 85FF
test edi, edi
:00404115 746B
je 00404182
; Load the dword stored 4 bytes before each pointer.
; presumably a length prefix kept in front of the string data — confirm.
:00404117 8B46FC
mov eax, dword ptr [esi-04]
:0040411A 8B57FC
mov edx, dword ptr [edi-04]
; eax = first - second. If first > second (unsigned) edx keeps the second value,
; otherwise edx += eax makes it the first value: edx ends up as the smaller of the two.
:0040411D 29D0
sub eax, edx
:0040411F 7702
ja 00404123
:00404121 01C2
add edx, eax
用刘健英大侠编的注册机制作起来真的好方便!(非常感谢刘大侠!)
打开keymake后按F8进入制作另类注册机!
添加刚刚要记下的两个地方
分别是(中断地址 / 中断次数 / 第一字节 / 字节长度):
4D4B2D / 1 / E8 / 5
404107 / 1 / 39 / 2
添加完毕后生成!运行注册机文件,自动带起FAST BROWSER在注册对话框中随便填入注册码,拦截成功!!!爽!
总结:
用户名:lllufh[BCG][CNCG]
注册码:31787131761427888
- 标 题:小黑,我教的CNCG的作业!! (6千字)
- 作 者:lllufh
- 时 间:2001-10-29 9:35:46
- 链 接:http://bbs.pediy.com