软件名称: AUTOcadR14.01中文版
软件类别: 地球人都知道
软件介绍:地球人都知道
破解工具: ollydbg 1.09, W32DASM10, UltraEdit8.0
AUTOcadR14.01中文版大家都很熟悉了吧,不多说。我从上海回来,又开始画图了,一年没干活,单位的软件都变成正版了,哈哈。可是AUTOcadR14.01中文版是网络版,我们只买20个点,一个点多少钱不知道(我们还买了cad2002网络版也是20个点,一个点10000元啊!),想来不少。因此,我上晚了点数满了,就会进不去,提示网络不许可,TMD!看看cad2002是Flexlm加密的,我功力太浅,那我就先拿R14开刀!
先反汇编acad.EXE,找找可疑点。好长时间啊,我的机子是P4 1.6,用了10多分钟。大略看看,没什么有用的。但还是没白费。
最近用Ollydbg1.09不错,还是用它试试吧。为了省事,先拔掉网线,这样就肯定不能用cad验证通过了。幸亏是P4,进去了。设什么断点呢?不知道,我倒!
反汇编还是有用的,随便找几个可疑点设断,象什么“FATAL ERROR”的地方等等,这要看运气了。我运气不错,为什么?因为我知道拔掉网线后,它还要去网络验证,可是没有网络,它会多试几次,这就给了我们时间,我们运行它,看它在那里有短暂的停顿,那里就是验证的地方!我就在那附近设断,Ollydbg设断很方便的,我喜欢。然后反复试几次,感觉它的停顿,追进它的CALL里,这里需要感觉,停顿是很明显的,看着你的硬盘灯就会知道。我反复的设断,反复的追进它的CALL啊!记住每次出现出错提示的时候,所停留的call,下次就追进去。
我们终于来到这个CALL,多少次重启动,我记不清了,Ollydbg好像不太稳定,美中不足!
第一部分
* Referenced by a CALL at Address:
|:00502E1E
;因为停顿,我们进来了。
|
:006ADA90 81EC0C040000 sub
esp, 0000040C
:006ADA96 A1DCF2A700
mov eax, dword ptr [00A7F2DC]
:006ADA9B 8B0DFCF2A700
mov ecx, dword ptr [00A7F2FC]
:006ADAA1 03C8
add ecx, eax
:006ADAA3 53
push ebx
:006ADAA4 8D54240C
lea edx, dword ptr [esp+0C]
:006ADAA8 56
push esi
:006ADAA9
57
push edi
* Possible StringData Ref from Data Obj ->"館?
|
:006ADAAA A1E8F2A700
mov eax, dword ptr [00A7F2E8]
:006ADAAF 6804040000
push 00000404
:006ADAB4 890DFCF2A700
mov dword ptr [00A7F2FC], ecx
:006ADABA
52
push edx
:006ADABB FF10
call dword ptr [eax]
:006ADABD 668BF0
mov si, ax
:006ADAC0 6685F6
test si, si
:006ADAC3 7543
jne 006ADB08
:006ADAC5 8D442414 lea
eax, dword ptr [esp+14]
* Possible StringData Ref from Data Obj ->"P_?
|
:006ADAC9 8B1DF0F2A700
mov ebx, dword ptr [00A7F2F0]
:006ADACF
50
push eax
:006ADAD0 FF13
call dword ptr [ebx]
:006ADAD2 668BF0
mov si, ax
:006ADAD5 6685F6
test si, si
:006ADAD8 EB2E
jmp 006ADB08
:006ADADA 8D442414 lea
eax, dword ptr [esp+14]
:006ADADE 6840DE0000
push 0000DE40
:006ADAE3 50
push eax
* Possible StringData
Ref from Data Obj ->"0a?
|
:006ADAE4
8B1DF8F2A700 mov ebx, dword ptr [00A7F2F8]
:006ADAEA FF13
call dword ptr [ebx]
:006ADAEC 668BF0
mov si, ax
:006ADAEF 6685F6
test si, si
:006ADAF2 7514
jne 006ADB08
:006ADAF4 A1DCF2A700 mov eax,
dword ptr [00A7F2DC]
:006ADAF9 8B0DE0F2A700
mov ecx, dword ptr [00A7F2E0]
:006ADAFF 8B1481
mov edx, dword ptr [ecx+4*eax]
:006ADB02 C70201000000 mov dword ptr
[edx], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump
at Addresses:
|:006ADAC3(C), :006ADAD8(U), :006ADAF2(C)
|
:006ADB08
8B0DDCF2A700 mov ecx, dword ptr [00A7F2DC]
:006ADB0E A1E0F2A700 mov
eax, dword ptr [00A7F2E0]
:006ADB13 8B1488
mov edx, dword ptr [eax+4*ecx]
:006ADB16 833A00
cmp dword ptr [edx], 00000000
:006ADB19 0F8581000000 jne 006ADBA0
;《《《《《
:006ADB1F BB01000000
mov ebx, 00000001
* Reference To: USER32.wsprintfA,
Ord:0264h
|
:006ADB24 8B3DDC74B600
mov edi, dword ptr [00B674DC]
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:006ADB85(C)
|
:006ADB2A 8D44240C
lea eax, dword ptr [esp+0C]
:006ADB2E 53
push ebx
* Possible StringData
Ref from Data Obj ->"I/%d/0"
|
:006ADB2F
68D4F2A700 push 00A7F2D4
:006ADB34 50
push eax
:006ADB35 FFD7
call edi
:006ADB37 83C40C
add esp, 0000000C
* Possible StringData
Ref from Data Obj ->"F/CG"
|
:006ADB3A
68CCF2A700 push 00A7F2CC
:006ADB3F E8EC000000 call 006ADC30
;有意思的call
:006ADB44 83C404
add esp, 00000004
:006ADB47 85C0
test eax, eax
:006ADB49
7C36 jl 006ADB81
:006ADB4B 8D44240C
lea eax, dword ptr [esp+0C]
:006ADB4F 50
push eax
:006ADB50 E8DB000000
call 006ADC30
:006ADB55 83C404
add esp, 00000004
:006ADB58 85C0
test eax, eax
:006ADB5A 7C25
jl 006ADB81
* Possible StringData Ref from Data
Obj ->"E/spMwprDpVaDjCrUs"
|
:006ADB5C
68B8F2A700 push 00A7F2B8
:006ADB61 E8CA000000 call 006ADC30
;有意思的call
:006ADB66 83C404
add esp, 00000004
:006ADB69 85C0
test eax, eax
:006ADB6B
7C14 jl 006ADB81
* Possible StringData Ref from Data Obj ->"D/"
|
:006ADB6D 684CF2A700
push 00A7F24C
:006ADB72 E8B9000000
call 006ADC30 ;看看这个call是什么,这是以后的事,现在不管它
:006ADB77 83C404
add esp, 00000004
:006ADB7A 3DFDDC0000
cmp eax, 0000DCFD ;看到什么“0000DCFD”,多么熟悉。现在也不管它
:006ADB7F 7408
je 006ADB89
* Referenced by a (U)nconditional or (C)onditional Jump
at Addresses:
|:006ADB49(C), :006ADB5A(C), :006ADB6B(C)
|
:006ADB81
43
inc ebx
:006ADB82 83FB04
cmp ebx, 00000004
:006ADB85 7EA3
jle 006ADB2A
:006ADB87 EB17
jmp 006ADBA0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADB7F(C)
|
:006ADB89 8B0DE0F2A700
mov ecx, dword ptr [00A7F2E0]
:006ADB8F 6633F6
xor si, si
:006ADB92 A1DCF2A700
mov eax, dword ptr [00A7F2DC]
:006ADB97
8B1481 mov edx,
dword ptr [ecx+4*eax]
:006ADB9A C70202000000
mov dword ptr [edx], 00000002
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:006ADB19(C), :006ADB87(U)
|
:006ADBA0 8B0DDCF2A700 mov ecx, dword
ptr [00A7F2DC]
:006ADBA6 A1E0F2A700
mov eax, dword ptr [00A7F2E0]
:006ADBAB 8B1488
mov edx, dword ptr [eax+4*ecx]
:006ADBAE 8D0C88
lea ecx, dword ptr [eax+4*ecx]
:006ADBB1 8B1DDCF2A700
mov ebx, dword ptr [00A7F2DC]
:006ADBB7 8B02
mov eax, dword ptr [edx]
:006ADBB9 35A9B50000 xor
eax, 0000B5A9
:006ADBBE 03C3
add eax, ebx
:006ADBC0 A3FCF2A700
mov dword ptr [00A7F2FC], eax
:006ADBC5 8B11
mov edx, dword
ptr [ecx]
:006ADBC7 833A00
cmp dword ptr [edx], 00000000
:006ADBCA 752F
jne 006ADBFB
:006ADBCC E8AF000000
call 006ADC80 ;关键CALL,在这里停留时间较长,进去看看[nop掉怎样?]
:006ADBD1 35A9B50000 xor
eax, 0000B5A9 ; eax异或B5A9.如果EAX=FFFFFFFF,那么XOR之后是FFFF4A56,明白了吗
:006ADBD6 3D564AFFFF cmp eax,
FFFF4A56 ; 比较是否相等,当然不能相等!0 XOR B5A9当然不等FFFF4A56
:006ADBDB 741E
je 006ADBFB
; 不能跳,那爆破可以吗?[nop掉怎样?9090]
:006ADBDD 6633F6
xor si, si
:006ADBE0 A1DCF2A700
mov eax, dword ptr [00A7F2DC]
:006ADBE5
66893580F3A700 mov word ptr [00A7F380], si
:006ADBEC 8B0DE0F2A700 mov ecx, dword
ptr [00A7F2E0]
:006ADBF2 8B1481
mov edx, dword ptr [ecx+4*eax]
:006ADBF5 C70203000000
mov dword ptr [edx], 00000003
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:006ADBCA(C), :006ADBDB(C)
|
:006ADBFB 6683FE01
cmp si, 0001
:006ADBFF 5F
pop edi
:006ADC00 1BC0
sbb eax, eax
:006ADC02 5E
pop esi
:006ADC03 25536BFFFF and
eax, FFFF6B53
:006ADC08 5B
pop ebx
:006ADC09 05564A0000
add eax, 00004A56
:006ADC0E 81C40C040000
add esp, 0000040C
:006ADC14 66A37865A700
mov word ptr [00A76578], ax
:006ADC1A
6681357865A700A9B5 xor word ptr [00A76578], B5A9
:006ADC23
C3
ret
....
* Referenced by a CALL at Addresses:
|:006ADB3F
, :006ADB50 , :006ADB61 , :006ADB72
| ;有意思的call,以后我们再去看
:006ADC30 8B542404
mov edx, dword ptr [esp+04]
:006ADC34 57
push edi
:006ADC35 8BFA
mov edi, edx
:006ADC37
B9FFFFFFFF mov ecx, FFFFFFFF
:006ADC3C 2BC0
sub eax, eax
:006ADC3E F2
repnz
:006ADC3F AE
scasb
:006ADC40 F7D1
not ecx
:006ADC42
49
dec ecx
:006ADC43 51
push ecx
:006ADC44 52
push edx
:006ADC45 E8F6BF2E00
call 00999C40 ;看看
:006ADC4A 0FBFC0
movsx eax, ax
:006ADC4D 83F8FF
cmp eax, FFFFFFFF
:006ADC50 7405
je 006ADC57
:006ADC52 25FFFF0000
and eax, 0000FFFF
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:006ADC50(C)
|
:006ADC57 5F
pop edi
:006ADC58 C3
ret
............
* Referenced by
a CALL at Address:
|:008AFBA2
|
:006ADC60 8B0DFCF2A700
mov ecx, dword ptr [00A7F2FC]
:006ADC66
A1DCF2A700 mov eax, dword ptr
[00A7F2DC]
:006ADC6B 2BC8
sub ecx, eax
:006ADC6D 8B442404
mov eax, dword ptr [esp+04]
:006ADC71
81F1A9B50000 xor ecx, 0000B5A9
:006ADC77
03C1 add
eax, ecx
:006ADC79 C3
ret
:006ADC7A CC
int 03
:006ADC7B CC
int 03
:006ADC7C CC
int 03
:006ADC7D CC
int 03
:006ADC7E CC
int 03
:006ADC7F CC
int 03
* Referenced by a CALL at Address:
|:006ADBCC
|
* Possible
StringData Ref from Data Obj ->"140"
|
:006ADC80 685CF3A700 push
00A7F35C
:006ADC85 E8D6000000
call 006ADD60 ; 关键CALL,在这里停留时间较长,进去看看
:006ADC8A 83C404
add esp, 00000004
:006ADC8D 83F8FF
cmp eax, FFFFFFFF
:006ADC90 7506
jne 006ADC98
; 不等于-1,就跳。我们一定要跳,
:006ADC92 B8FFFFFFFF
mov eax, FFFFFFFF
; 到这就死,eax=-1可不行
:006ADC97 C3
ret
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:006ADC90(C)
|
:006ADC98 6A20
push 00000020
; 来到这里验证用户限制
* Possible StringData Ref from Data Obj ->"140"
|
:006ADC9A 685CF3A700
push 00A7F35C
:006ADC9F E83C010000
call 006ADDE0 ;
验证的CALL,进去看看也没有用,只要返回EAX=0即可。当然我看不懂!!!
:006ADCA4 83C408
add esp, 00000008
:006ADCA7 83F8FF
cmp eax, FFFFFFFF
; 爆破改eax=0,当然前面的CALL里我们已经让eax=0了
:006ADCAA 7506
jne 006ADCB2
; 不等于-1,就跳。我们一定要跳,
:006ADCAC B8FFFFFFFF
mov eax, FFFFFFFF ; 到这就死,eax=-1可不行
:006ADCB1 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADCAA(C)
|
:006ADCB2 68A0DF6A00
push 006ADFA0
:006ADCB7 A140F3A700
mov eax, dword ptr [00A7F340]
:006ADCBC 6A3C
push 0000003C
:006ADCBE
8B0D3CF3A700 mov ecx, dword ptr [00A7F33C]
:006ADCC4 50
push eax
:006ADCC5 51
push ecx
:006ADCC6 E8B5070000
call 006AE480
:006ADCCB 83C410
add esp, 00000010
:006ADCCE
33C0 xor
eax, eax ; 走到这eax为0,返回,验证成功
:006ADCD0
C3
ret
......
......
......
* Referenced by a CALL at Address:
|:006ADC85
;从006ADC85 来得call
|
:006ADD60 E8BB030000
call 006AE120
:006ADD65 85C0
test eax, eax
:006ADD67
750B jne
006ADD74 ;一般是jmp过去的,一定跳
:006ADD69 E8B2050000
call 006AE320
:006ADD6E B8FFFFFFFF
mov eax, FFFFFFFF
:006ADD73 C3
ret
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADD67(C)
|
:006ADD74 683CF3A700
push 00A7F33C
:006ADD79 E822070000
call 006AE4A0 ; CALL,进去看看发现读文件ADESKSYS.DLL
:006ADD7E 8B4C2408 mov
ecx, dword ptr [esp+08]
:006ADD82 83C404
add esp, 00000004
:006ADD85 A138F3A700
mov eax, dword ptr [00A7F338]
:006ADD8A
8B153CF3A700 mov edx, dword ptr [00A7F33C]
:006ADD90 C605B045AF0000 mov byte ptr [00AF45B0],
00
:006ADD97 6A00
push 00000000
:006ADD99 50
push eax
:006ADD9A 51
push ecx
:006ADD9B
68B045AF00 push 00AF45B0
:006ADDA0 52
push edx
:006ADDA1 E80A060000
call 006AE3B0 ;关键CALL,在这里停留时间较长.进去看看发现读文件ADESKSYS.DLL
$$$$$$*********************$$$$$$
* Referenced by a CALL at Address:
|:006ADDA1
|
:006AE3B0
A108F3A700 mov eax, dword ptr
[00A7F308]
:006AE3B5 85C0
test eax, eax
:006AE3B7 7506
jne 006AE3BF
:006AE3B9 B8FFFFFFFF
mov eax, FFFFFFFF
:006AE3BE C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006AE3B7(C)
|
:006AE3BF 8B442414
mov eax, dword ptr [esp+14]
:006AE3C3 8B4C2410
mov ecx, dword ptr [esp+10]
:006AE3C7 8B54240C mov
edx, dword ptr [esp+0C]
:006AE3CB 50
push eax
:006AE3CC 8B44240C
mov eax, dword ptr [esp+0C]
:006AE3D0
51
push ecx
:006AE3D1 8B4C240C
mov ecx, dword ptr [esp+0C]
:006AE3D5 52
push edx
:006AE3D6 50
push eax
:006AE3D7 51
push ecx
:006AE3D8 FF1508F3A700
call dword ptr [00A7F308] ; 关键CALL,在这里停留时间较长,进去看看是找ADESKSYSY.DLL,在里面执行。看来ADESKSYSY.DLL很重要啊。
:006AE3DE C3
ret ; 返回eax,没有网络许可证为ffffffff,有则为0
$$$$$$$$***************$$$$$$$
:006ADDA6 83C414
add esp, 00000014
:006ADDA9 A340F3A700 mov dword
ptr [00A7F340], eax ; 返回的eax,没有网络许可证为ffffffff,有则为0
:006ADDAE
85C0 test
eax, eax ; 验证eax为,0还是-1
:006ADDB0 7D06
jge 006ADDB8
; 大于等于0,就跳。我们一定要跳,爆破改为jmp
:006ADDB2 B8FFFFFFFF
mov eax, FFFFFFFF
:006ADDB7 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADDB0(C)
|
:006ADDB8 6A01
push 00000001
:006ADDBA A340F3A700
mov dword ptr [00A7F340], eax
:006ADDBF 6A0E
push 0000000E
:006ADDC1
50
push eax
:006ADDC2 A13CF3A700
mov eax, dword ptr [00A7F33C]
:006ADDC7 50
push eax
:006ADDC8 E813060000
call 006AE3E0
:006ADDCD 83C410
add esp, 00000010
:006ADDD0 33C0
xor eax, eax ; 走到这eax为0,返回,验证网络许可证成功,下一步,验证用户数限
:006ADDD2 C3
ret
到此,可以看到验证的地方,而我们可以爆破它了。
方法1:
* Referenced by a CALL
at Address:
|:006ADBCC
|
* Possible StringData Ref from Data
Obj ->"140"
|
:006ADC80 685CF3A700
push 00A7F35C
:006ADC85 E8D6000000
call 006ADD60
; 关键CALL,在这里停留时间较长,进去看看
:006ADC8A 83C404
add esp, 00000004
:006ADC8D 83F8FF
cmp eax, FFFFFFFF
;改为 mov eax, 0
:006ADC90 7506
jne 006ADC98
;改为 cmp eax, FFFFFFFF
:006ADC92 B8FFFFFFFF
mov eax, FFFFFFFF ;改为 jne 006ADC98
:006ADC97 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:006ADC90(C)
|
:006ADC98 6A20
push 00000020
; 来到这里验证用户限制
* Possible StringData Ref from Data Obj ->"140"
|
:006ADC9A 685CF3A700
push 00A7F35C
:006ADC9F E83C010000
call 006ADDE0 ; 验证的CALL,进去看看也没有用,只要返回EAX=0即可。当然我看不懂!!!
:006ADCA4 83C408
add esp, 00000008
:006ADCA7 83F8FF
cmp eax, FFFFFFFF ; 改为 mov eax, 0
:006ADCAA 7506
jne 006ADCB2
; 改为 cmp eax, FFFFFFFF
:006ADCAC B8FFFFFFFF
mov eax, FFFFFFFF ; jne 006ADCB2
:006ADCB1 C3
ret
应该还可以把它上面的2个CALL改为nop,这样就不会去网络验证了,节省时间啊!
方法2:
:006ADBCC E8AF000000 call
006ADC80 ;nop掉,9090909090
:006ADBD1 35A9B50000
xor eax, 0000B5A9
:006ADBD6 3D564AFFFF
cmp eax, FFFF4A56
:006ADBDB
741E je 006ADBFB
; nop掉怎样9090
--=========================
第二部分
现在我们看看那有意思的call,这也是我觉得有意思的地方
* Possible StringData Ref from Data Obj ->"F/CG"
|
:006ADB3A 68CCF2A700
push 00A7F2CC
:006ADB3F E8EC000000
call 006ADC30 ;有意思的call
:006ADB44 83C404
add esp, 00000004
:006ADB47 85C0
test eax, eax
:006ADB49 7C36
jl 006ADB81
:006ADB4B 8D44240C
lea eax, dword ptr [esp+0C]
:006ADB4F 50
push eax
:006ADB50 E8DB000000 call
006ADC30
:006ADB55 83C404
add esp, 00000004
:006ADB58 85C0
test eax, eax
:006ADB5A 7C25
jl 006ADB81
* Possible StringData Ref from Data Obj ->"E/spMwprDpVaDjCrUs"
|
:006ADB5C 68B8F2A700
push 00A7F2B8
:006ADB61 E8CA000000
call 006ADC30 ;有意思的call
:006ADB66
83C404 add esp,
00000004
:006ADB69 85C0
test eax, eax
:006ADB6B 7C14
jl 006ADB81
* Possible StringData
Ref from Data Obj ->"D/"
|
:006ADB6D
684CF2A700 push 00A7F24C
:006ADB72 E8B9000000 call 006ADC30
;有意思的call,看看这个call是什么,
:006ADB77 83C404
add esp, 00000004
:006ADB7A
3DFDDC0000 cmp eax, 0000DCFD
;看到什么“0000DCFD”,多么熟悉。
:006ADB7F 7408
je 006ADB89
不知道你们看过看雪精华3里关于autocad的一篇文章吗?那是破解法文版的cadR14,其中就有“0000DCFD”问题。而这里也有,是巧合吗?^_^
* Referenced by a CALL at Addresses:
|:006ADB3F , :006ADB50
, :006ADB61 , :006ADB72
|进入这里看看吧
:006ADC30 8B542404
mov edx, dword ptr [esp+04]
:006ADC34 57
push edi
:006ADC35 8BFA
mov edi, edx
:006ADC37 B9FFFFFFFF
mov ecx, FFFFFFFF
:006ADC3C 2BC0
sub eax, eax
:006ADC3E
F2
repnz
:006ADC3F AE
scasb
:006ADC40 F7D1
not ecx
:006ADC42 49
dec ecx
:006ADC43
51
push ecx
:006ADC44 52
push edx
:006ADC45 E8F6BF2E00
call 00999C40 ;让我们进去看看
:006ADC4A
0FBFC0 movsx eax,
ax
:006ADC4D 83F8FF
cmp eax, FFFFFFFF
:006ADC50 7405
je 006ADC57
:006ADC52 25FFFF0000
and eax, 0000FFFF
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:006ADC50(C)
|
:006ADC57 5F
pop edi
:006ADC58 C3
ret
--------
* Referenced by
a CALL at Addresses:
|:006AD0B5 , :006ADC45
|;有意思的call来到这里
:00999C40 83EC04
sub esp, 00000004
:00999C43 66833DC038AB0000 cmp
word ptr [00AB38C0], 0000
:00999C4B 7518
jne 00999C65
:00999C4D 6804040000
push 00000404
:00999C52 68700AB600
push 00B60A70
:00999C57 E8B4FFFFFF
call 00999C10
:00999C5C 66C705C038AB000100
mov word ptr [00AB38C0], 0001
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00999C4B(C)
|
:00999C65 8D442402
lea eax, dword ptr [esp+02]
:00999C69 50
push eax
:00999C6A 668B442410
mov ax, word ptr [esp+10]
:00999C6F 50
push eax
:00999C70 8B442410
mov eax, dword ptr [esp+10]
:00999C74 50
push eax
:00999C75 68700AB600
push 00B60A70
:00999C7A E8D1220000
call 0099BF50 ; 里面复杂啊,结果只是返回一个,就是下面的word ptr [esp+02]
:00999C7F 668B442402 mov ax, word
ptr [esp+02] ;我们让AX=DCFD怎样?mov ax,dcfd,哈哈
:00999C84 83C404
add esp, 00000004
:00999C87
C20800 ret 0008
:00999C8A 8D9B00000000 lea
ebx, dword ptr [ebx+00000000]
我们只改acad.exe的 :00999C7F 668B442402
mov ax, word ptr [esp+02]
为 :00999C7F 66b8fddc90
mov ax, 0000dcfd
运行acad.exe,哈哈进去了,别高兴。又跳出一个对话框,要求输入授权码!可是网络版没有授权码啊!我想是否是改为“0000DCFD”后,已经变成单机版了?!随便输入几个数,点确定,说授权码错误,来上3遍,就退出了。
来,我们看看干掉这个窗口,acad是否能用呢?
打开Ollydbg,设什么断点呢?这次我们设USER32.MessageBoxA断点,怎样设?很简单的,Ollydbg真不错!
出现授权窗口,但是Ollydbg没有中断。别着急,填78787878,点击确定。我们被拦下,这时我们可以删除其余不必要的断点,只留这一个。一路走F9,出现错误信息,注意千万不要关闭这个断点。再点击错误信息对话框的确定,这时被拦下,我们的工作开始了。
我们发现授权窗口有3个按钮,1个是授权确定,1个是取消,还有一个是变灰的按钮,是“延期”。
.......
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004F8EA4(C), :004F8EBA(C), :004F8EE4(C), :004F8EED(C), :004F92C8(C)
|:004F9313(U)
|来到这里进入cad
:004F8E62 C745FCFFFFFFFF
mov [ebp-04], FFFFFFFF
:004F8E69 E806050000
call 004F9374
:004F8E6E 33C0
xor eax, eax
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:004F8F04(U), :004F9089(U), :004F90F4(U),
:004F921C(U), :004F92BB(U)
|:004F92F8(U), :004F9338(U), :004F935D(U)
|来到这里失败退出
:004F8E70 8B4DF4
mov ecx, dword ptr [ebp-0C]
:004F8E73 5F
pop edi
:004F8E74
64890D00000000 mov dword ptr fs:[00000000],
ecx
:004F8E7B 5E
pop esi
:004F8E7C 5B
pop ebx
:004F8E7D 8BE5
mov esp, ebp
:004F8E7F 5D
pop ebp
:004F8E80 C3
ret
.....
....省略
....
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004F92D2(C)
| 来这里,因为你有3次输入CODE的机会
:004F9162 8D8D6CFFFFFF lea ecx,
dword ptr [ebp+FFFFFF6C]
* Reference To: MFC42.Ordinal:09D2, Ord:09D2h
|
:004F9168
E85DEA4B00 Call 009B7BCA
;得到你点击按钮的返回值eax。
:004F916D 83F801
cmp eax, 00000001 ;分析得知eax,1是确定,2是取消,3是延期 ,<应该是5延期>
:004F9170 0F854A010000 jne 004F92C0
;不等于1,跳。我们跳去看看
:004F9176 8D8D6CFFFFFF
lea ecx, dword ptr [ebp+FFFFFF6C] ;以下开始验证了。算法我不想研究了,只是爆破,能用就好,
:004F917C E88F9A3400 call
00842C10
:004F9181 6A7F
push 0000007F
:004F9183 8B00
mov eax, dword ptr [eax]
:004F9185 50
push eax
:004F9186 8D8D6CFEFFFF
lea ecx, dword ptr [ebp+FFFFFE6C]
:004F918C 51
push ecx
:004F918D
FFD3 call
ebx
:004F918F 83C40C
add esp, 0000000C
:004F9192 8D4DE4
lea ecx, dword ptr [ebp-1C]
:004F9195 8D55E0
lea edx, dword ptr [ebp-20]
:004F9198 8D856CFEFFFF lea eax,
dword ptr [ebp+FFFFFE6C]
:004F919E 51
push ecx
:004F919F 52
push edx
:004F91A0
50
push eax
:004F91A1 E81AD91400
call 00646AC0
:004F91A6 83C40C
add esp, 0000000C
:004F91A9 85C0
test eax, eax
:004F91AB 7474
je 004F9221
;跳去接着验证吧,一定jmp!爆破
:004F91AD 8D4601
lea eax, dword ptr [esi+01]
:004F91B0 83F803
cmp eax, 00000003
:004F91B3
0F8D15010000 jnl 004F92CE ;,小于3次,再给你一次机会输CODE
:004F91B9 68FF000000 push
000000FF
:004F91BE 8D856CFEFFFF
lea eax, dword ptr [ebp+FFFFFE6C]
:004F91C4 50
push eax
:004F91C5 68E0B5A500
push 00A5B5E0
:004F91CA 68F3110000
push 000011F3
:004F91CF E8EC8EFDFF
call 004D20C0
:004F91D4 83C410
add esp, 00000010
:004F91D7 8D856CFEFFFF lea eax, dword
ptr [ebp+FFFFFE6C]
:004F91DD 50
push eax
:004F91DE 6A01
push 00000001
:004F91E0
6A01 push
00000001
:004F91E2 E8C9323B00
call 008AC4B0 ;这个call就是出错对话框
:004F91E7 83C40C
add esp, 0000000C
:004F91EA 83F806
cmp eax, 00000006
:004F91ED 0F84DB000000 je 004F92CE
;小于3次,再给你一次机会输CODE
:004F91F3 83F801
cmp eax, 00000001
:004F91F6 0F84D2000000
je 004F92CE ;小于3次,再给你一次机会输CODE
:004F91FC 57
push edi
:004F91FD 8B45EC
mov eax, dword ptr [ebp-14]
:004F9200 50
push eax
:004F9201 6A00
push 00000000
:004F9203 E818973400
call 00842920
:004F9208 C745FCFFFFFFFF
mov [ebp-04], FFFFFFFF
:004F920F 83C40C
add esp, 0000000C
:004F9212 E85D010000
call 004F9374
:004F9217 B801000000
mov eax, 00000001
:004F921C E94FFCFFFF
jmp 004F8E70 ;只好退出,不让你玩了!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F91AB(C)
|来了
:004F9221 8B45E4
mov eax, dword ptr [ebp-1C]
:004F9224 8B4DE0
mov ecx, dword ptr [ebp-20]
:004F9227 50
push eax
:004F9228 51
push ecx
:004F9229 E802D71400
call 00646930
:004F922E 83C408
add esp, 00000008
:004F9231
85C0 test
eax, eax
:004F9233 0F84C4000000
je 004F92FD ;跳去接着验证吧一定jmp!爆破
:004F9239 83F801
cmp eax, 00000001
:004F923C 7518
jne 004F9256
;只好退出,不让你玩了!
:004F923E 68FF000000
push 000000FF
:004F9243 8D856CFEFFFF
lea eax, dword ptr [ebp+FFFFFE6C]
:004F9249 50
push eax
:004F924A
68E0B5A500 push 00A5B5E0
:004F924F 68F2110000 push 000011F2
:004F9254 EB22
jmp 004F9278 ;只好退出,不让你玩了!
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004F923C(C)
|
:004F9256 8D4601
lea eax, dword ptr [esi+01]
:004F9259 83F803
cmp eax, 00000003
:004F925C 0F8DB6000000
jnl 004F9318
:004F9262 68FF000000
push 000000FF
:004F9267 8D856CFEFFFF
lea eax, dword ptr [ebp+FFFFFE6C]
:004F926D 50
push eax
:004F926E
68E0B5A500 push 00A5B5E0
:004F9273 68F1110000 push 000011F1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F9254(U)
|
:004F9278 E8438EFDFF
call 004D20C0
:004F927D 83C410
add esp, 00000010
:004F9280 8D856CFEFFFF
lea eax, dword ptr [ebp+FFFFFE6C]
:004F9286
50
push eax
:004F9287 6A01
push 00000001
:004F9289 E8E2323B00
call 008AC570
:004F928E 83C408
add esp, 00000008
:004F9291 83F806
cmp eax, 00000006
:004F9294 7438
je 004F92CE
:004F9296 83F801
cmp eax, 00000001
:004F9299 7433
je 004F92CE
:004F929B 57
push edi
:004F929C 8B45EC
mov eax, dword ptr [ebp-14]
:004F929F 50
push eax
:004F92A0 6A00
push 00000000
:004F92A2
E879963400 call 00842920
:004F92A7 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004F92AE 83C40C
add esp, 0000000C
:004F92B1 E8BE000000
call 004F9374
:004F92B6 B801000000
mov eax, 00000001
:004F92BB E9B0FBFFFF
jmp 004F8E70
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004F9170(C)
|
:004F92C0 83F802
cmp eax, 00000002
;比较等于2
:004F92C3 7478
je 004F933D ;你取消了,当然退出了!
:004F92C5 83F805
cmp eax, 00000005
;比较等于5
:004F92C8 0F8494FBFFFF je
004F8E62 ;延期,意味着你可以使用!^_^
* Referenced by a (U)nconditional or
(C)onditional Jump at Addresses:
|:004F91B3(C), :004F91ED(C), :004F91F6(C),
:004F9294(C), :004F9299(C)
|
:004F92CE 46
inc esi ;再点击错误信息对话框的确定,这时被拦下在这里
:004F92CF 83FE03
cmp esi, 00000003 ;比较输入了几次错误授权CODE
:004F92D2 0F8C8AFEFFFF
jl 004F9162 ;小于3就跳,意思是你可以输入3次机会,去!
:004F92D8 57
push edi
:004F92D9 8B45EC
mov eax, dword ptr [ebp-14]
:004F92DC 50
push eax
:004F92DD
6A01 push
00000001
:004F92DF E83C963400
call 00842920
:004F92E4 C745FCFFFFFFFF
mov [ebp-04], FFFFFFFF
:004F92EB 83C40C
add esp, 0000000C
:004F92EE E881000000
call 004F9374
:004F92F3 B801000000
mov eax, 00000001
:004F92F8 E973FBFFFF
jmp 004F8E70 ;超过3次错误在这里玩完!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F9233(C)
|
:004F92FD 8B45E0
mov eax, dword ptr [ebp-20]
:004F9300 8B4DE4
mov ecx, dword ptr [ebp-1C]
:004F9303 A3C865A700 mov
dword ptr [00A765C8], eax
:004F9308 890DCC65A700
mov dword ptr [00A765CC], ecx
:004F930E E82D1FFBFF
call 004AB240
:004F9313 E94AFBFFFF
jmp 004F8E62 ;来到这,你可以用了!!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F925C(C)
|
:004F9318 57
push edi
:004F9319 8B45EC
mov eax, dword ptr [ebp-14]
:004F931C 50
push eax
:004F931D 6A01
push 00000001
:004F931F E8FC953400
call 00842920
:004F9324 C745FCFFFFFFFF
mov [ebp-04], FFFFFFFF
:004F932B 83C40C
add esp, 0000000C
:004F932E E841000000 call 004F9374
:004F9333 B801000000 mov
eax, 00000001
:004F9338 E933FBFFFF
jmp 004F8E70 ;只好退出,不让你玩了!
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:004F92C3(C)
|
:004F933D 57
push edi
:004F933E 8B45EC
mov eax, dword ptr [ebp-14]
:004F9341 50
push eax
:004F9342 6A00
push 00000000
:004F9344 E8D7953400
call 00842920
:004F9349 C745FCFFFFFFFF
mov [ebp-04], FFFFFFFF
:004F9350 83C40C
add esp, 0000000C
:004F9353 E81C000000
call 004F9374
:004F9358 B801000000
mov eax, 00000001
:004F935D E90EFBFFFF
jmp 004F8E70
;只好退出,不让你玩了!
省略
===================================================
* Referenced by a CALL at Addresses:
|:004EDAD3 , :004EE45C
, :004F2B9C , :004F2C2B , :004F2DB4
|:004F378A ,
:004F3819 , :004F9066 , :004F90D1 , :004F91E2
|:005030DF
, :005480E9 , :005A073B , :006ADE61 , :0085D96F
|:0089A0E4
, :008A3D1C , :008A7809 , :008AC58C , :008AC669
|
:008AC4B0 83EC3C
sub esp, 0000003C
:008AC4B3 53
push ebx
:008AC4B4 56
push esi
:008AC4B5 8B742448
mov esi, dword ptr [esp+48]
:008AC4B9 57
push edi
:008AC4BA 85F6
test esi, esi
:008AC4BC 7502
jne 008AC4C0
:008AC4BE 33F6
xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:008AC4BC(C)
|
:008AC4C0 8B7C2450
mov edi, dword ptr [esp+50]
:008AC4C4 85FF
test edi, edi
:008AC4C6
7C05 jl 008AC4CD
:008AC4C8 83FF03
cmp edi, 00000003
:008AC4CB 7C02
jl 008AC4CF
.....
.....省略
.....
* Reference To: USER32.GetActiveWindow, Ord:00D5h
|
:008AC534 FF153875B600
Call dword ptr [00B67538]
:008AC53A 8B0D60B3A900
mov ecx, dword ptr [00A9B360]
:008AC540 3BC1
cmp eax, ecx
:008AC542 7407
je 008AC54B
:008AC544 51
push ecx
* Reference To: USER32.GetLastActivePopup, Ord:0108h
|
:008AC545 FF159076B600
Call dword ptr [00B67690]
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:008AC542(C)
|
:008AC54B 8D4C240C
lea ecx, dword ptr [esp+0C]
:008AC54F 56
push esi
:008AC550 8B542458
mov edx, dword ptr [esp+58]
:008AC554 51
push ecx
:008AC555 52
push edx
:008AC556 50
push eax
:008AC557 E8A4EFF9FF
call 0084B500
;从这里去下面MessageBoxA的call
:008AC55C 83C410
add esp, 00000010
:008AC55F 5F
pop edi
:008AC560
5E
pop esi
:008AC561 5B
pop ebx
:008AC562 83C43C
add esp, 0000003C
:008AC565 C3
ret
* Referenced
by a CALL at Addresses:
|:007DAE14 , :00861430 , :008AC557
, :008ACCC5 , :008ACF40
|:008AEA47
|
:0084B500
53
push ebx
:0084B501 56
push esi
:0084B502 57
push edi
:0084B503 33F6
xor esi, esi
* Reference To: MFC42.Ordinal:0490, Ord:0490h
|
:0084B505 E800C01600
Call 009B750A
:0084B50A 8B7804
mov edi, dword ptr [eax+04]
.....
....省略
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:0084B52F(C), :0084B533(C)
|
:0084B53B 8B4C241C
mov ecx, dword ptr [esp+1C]
:0084B53F 8B542410
mov edx, dword ptr [esp+10]
:0084B543
51
push ecx
:0084B544 50
push eax
:0084B545 8B44241C
mov eax, dword ptr [esp+1C]
:0084B549 50
push eax
:0084B54A 52
push edx
* Reference To: USER32.MessageBoxA, Ord:0195h
|
:0084B54B FF15C074B600
Call dword ptr [00B674C0] ;我们的MessageBoxA断点停在这里!!!
:0084B551 85F6
test esi, esi
:0084B553 7403
je 0084B558
:0084B555 89777C
mov dword ptr [edi+7C], esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0084B553(C)
|
:0084B558 5F
pop edi
:0084B559 5E
pop esi
:0084B55A 5B
pop ebx
:0084B55B
C3
ret
========================================================
到此,我们可以爆破它的授权注册了。我们可以有很多方法,我用了比较省事的,我们让它延期使用!
:004F9168 E85DEA4B00
Call 009B7BCA ;得到你点击按钮的返回值eax。
:004F916D 83F801
cmp eax, 00000001 ;分析得知eax,1是确定,2是取消,3是延期
:004F9170 0F854A010000
jne 004F92C0 ;不等于1,跳。我们跳去看看
我们改004F9168
E85DEA4B00 Call 009B7BCA 这一句为 mov eax,5 “B805000000”正好,这样注册窗口也跳过了。
第二部分总结,改这两处成为单机版,这样省下连接网络的时间,启动会快一点,可能你感觉不到。
1.改 :00999C7F 668B442402 mov ax, word ptr [esp+02]
为 :00999C7F 66b8fddc90
mov ax, 0000dcfd
2.改
:004F9168 E85DEA4B00 Call 009B7BCA
为 :004F9168 B805000000
mov eax,00000005
¥¥¥※※※7※※※※※※※※※※※※※※
CADR14网络限制解决了,正版是要买,但不要花太多钱,都让老外挣了!
下一步目标是CAD2002,Flexlm7.1f加密,我想也能爆破吧。但是好像CAD2002有antidebug,不能用Ollydbg。还有,如果我有CAD2002的Flexlm的licenses,是否能直接在里面改限制用户数呢?估计不能吧?那只好自己做无限制licenses了。