软件简介:ABOOK是一个类似WIN里面的通讯录的软件,当然了,它的功能比通讯录更加完善。最新版本是2.5,你可以在PCONLINE下载到。
破解目标:未注册或EXPIRED的软件都会在启动软件时,弹出注册窗口,而且会在正式窗口出来后显示UNREGISTERED EVALUATION
VERSION字样,ABOUT的窗口就更加别指望会有注册了的字样了:( 很适合新手拿来开刀吧?
破解工具:WDASM,OLLYDBG
好,现在就来STEP BY STEP吧。
1. 先用FILEINFO看看有没有加壳,真幸运,没有!
2. 启动软件,选注册,随便填上名字和注册码,我的是winday & 11301230,确定。出错了吧,说是找不到某某文件,肯定是KEYFILE,用WDASM看看,原来是ABOOK.key,
我们手工做一个罗,不是不会做吧?;)
3. 把KEYFILE补上了,再运行注册试试,呵呵,这回说你是不正确的KEYFILE。好,我们再用WDASM看看,就到关键字:
:004021E4 50
push eax
* Possible Reference to String Resource
ID=59218: "The code is not correct. You may have used an invalid key or"
|
:004021E5 BE52E70000
mov esi, 0000E752
:004021EA E8513B0700
call 00475D40
:004021EF 83C410
add esp, 00000010
* Possible Reference to Menu: MenuID_0080
|
:004021F2 3D80000000
cmp eax, 00000080
:004021F7 A3F8915400
mov dword ptr [005491F8], eax
:004021FC 7761
ja 0040225F
:004021FE 33C9
xor ecx, ecx
:00402200 8A888C224000 mov cl, byte ptr
[eax+0040228C]
:00402206 FF248D68224000
jmp dword ptr [4*ecx+00402268]
* Possible Reference to String Resource
ID=59536: "Error reading key file"
|
:0040220D BE90E80000 mov
esi, 0000E890
:00402212 8BC6
mov eax, esi
:00402214 5E
pop esi
:00402215 C21000
ret 0010
* Possible Reference to String Resource ID=59397: "Can't open key file. Please
ensure that it's in the same fol"
|
:00402218 BE05E80000 mov
esi, 0000E805
:0040221D 8BC6
mov eax, esi
:0040221F 5E
pop esi
:00402220 C21000
ret 0010
* Possible Reference to String Resource ID=59537: "Error reading data in
key file"
|
:00402223 BE91E80000
mov esi, 0000E891
:00402228 8BC6
mov eax, esi
:0040222A 5E
pop esi
:0040222B C21000
ret 0010
* Possible Reference to String
Resource ID=59217: "Registration completed."
|
:0040222E BE51E70000
mov esi, 0000E751
:00402233 8BC6
mov eax, esi
:00402235 5E
pop esi
:00402236
C21000 ret 0010
* Possible Reference to String Resource ID=59218: "The code
is not correct. You may have used an invalid key or"
|
:00402239 BE52E70000
mov esi, 0000E752
:0040223E 8BC6
mov eax, esi
:00402240 5E
pop esi
:00402241
C21000 ret 0010
* Possible Reference to String Resource ID=59396: "Incorrect
key file.
Registration failed."
|
:00402244 BE04E80000 mov
esi, 0000E804
:00402249 8BC6
mov eax, esi
:0040224B 5E
pop esi
:0040224C C21000
ret 0010
* Possible Reference to String Resource ID=59395: "Incorrect user name.
Registration failed."
|
:0040224F
BE03E80000 mov esi, 0000E803
:00402254 8BC6
mov eax, esi
:00402256 5E
pop esi
:00402257 C21000
ret 0010
* Possible
Reference to String Resource ID=59398: "Incorrect Key.
Registration failed."
|
:0040225A BE06E80000
mov esi, 0000E806
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:004021FC(C)
|
:0040225F 8BC6
mov eax, esi
:00402261 5E
pop esi
:00402262 C21000
ret 0010
不难理解吧,00402206那里就是跳向我们出错的信息的,我们在00402244设断点,重新运行软件,拦截后一直按F8来到这里:
00401489 . >CMP EDI,E751
0040148F . >JE SHORT ABOOK.0040149E<------这里不跳就告诉你出了什么错
......
......
004014BB CALL ABOOK.00402310
004014C0
. >TEST EAX,EAX
004014C2 . >JNZ ABOOK.0040165D<------这里不跳注册窗口就出来罗
4. 聪明的你已经想到了吧,只要把上面的两个跳改一下不就完工了吗?你试试就知道了,你会发现窗口上还有EVALUATION的字样的,ABOUT里也没有改变。当然,你可以在WDASM中找到其他的EVALUATION字样,然后把前面的跳转也改了,那就真是完工了,可是这太麻烦了,而且我们改动的也只不过是一些表面的东西,功能上是否解决就不得而知了……
5. 其实只要我们细心一想就知道注册标志早已在0040148以前建立了,以后程序只要检查这个标志就知道你是否注册了,所以关键就是找这个标志。大家是否记得004014BB
CALL了402310然后就检查EAX了,这个CALL肯定有问题的,我们进去看看:
00402310 >MOV ECX,DWORD PTR
DS:[5491F8]<--把DS:[5491F8]值放到ECX
00402316 >XOR EAX,EAX<--EAX清0
00402318 >CMP ECX,1<---ECX为1吗?
0040231B >SETE AL<--真的话EAX就为1
0040231E >RETN
现在你想到什么?呵呵……我们顺藤摸瓜,选中402310右键选查找参考-地址常量,我们只看到一个是重要的就是:004021F7
MOV DWORD PTR DS:[5491F8],EAX
设断点,重运行,让我们看看EAX的值是多少?我这里是20:
004021EA
CALL ABOOK.00475D40<---就是这个CALL生成这个20的
.....
004760E7 MOV EAX,20<----看到了吧:)
6. 最后选中4760E7,按空格键把20改为1,COPY到EXE,保存,收工了。
就这样,只改动一个字节就注册了,爽吧?
----------------------------------------------------
我也只不过是新手啦,欢迎和我交流
windayjiang@21cn.com
- 标 题:一字节改动注册ABOOK,适合新手看;) (5千字)
- 作 者:windayjiang
- 时 间:2002-5-2
23:18:00
- 链 接:http://bbs.pediy.com