本帖最后由 cqr2287 于 2016-12-10 15:35 编辑
又是一天一个破解…………
这次破解软件如题………………
省略号分割线…………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………
随便输入验证码
PEID查壳
无壳。好,od载入
然后,f9运行…………………………………………………………
随便输入
来到了系统领空,f12,返回程序领空
[Asm] 纯文本查看 复制代码 00403DEF |. E8 BC1E0000 call PDF转换?00405CB0
00403DF4 |. 50 push eax ; |Title = 00000001 ???
00403DF5 |. 8B45 08 mov eax,[arg.1] ; |
00403DF8 |. 50 push eax ; |Text = 00000001 ???
00403DF9 |. 8B4D E8 mov ecx,[local.6] ; |
00403DFC |. 8B51 04 mov edx,dword ptr ds:[ecx+0x4] ; |
00403DFF |. 52 push edx ; |hOwner = 00000016 ('##0C39A3BB-E8F3-4493-86F7-E51...',class='##0C39A3BB-E8F3-4493-86F7-E51...')
00403E00 |. FF15 60534300 call dword ptr ds:[<&USER32.MessageBoxW>>; \MessageBoxW
00403E06 |. 8945 EC mov [local.5],eax
注释里很清晰了对吧。下面call是调用MESSAGEBOXA的调用call
往上翻,看跳转
到了断首。。也没有
出call,看跳转
我擦,这么多调用
有12种情况出现注册失败。一一看。
第一个
[Asm] 纯文本查看 复制代码 00401EA0 |. /74 67 je short PDF转换?00401F09
00401EA2 |. |8D8D B4FDFFFF lea ecx,[local.147]
00401EA8 |. |E8 B3380000 call PDF转换?00405760
00401EAD |. |C745 FC 00000>mov [local.1],0x0
00401EB4 |. |68 8E000000 push 0x8E
00401EB9 |. |8D8D B4FDFFFF lea ecx,[local.147]
00401EBF |. |E8 EC3B0000 call PDF转换?00405AB0
00401EC4 |. |6A 00 push 0x0
00401EC6 |. |68 2C564300 push PDF转换?0043562C
00401ECB |. |8D8D B4FDFFFF lea ecx,[local.147]
00401ED1 |. |E8 DA3D0000 call PDF转换?00405CB0
00401ED6 |. |50 push eax
00401ED7 |. |8B8D FCF6FFFF mov ecx,[local.577] ; user32.760C2E3E
00401EDD |. |E8 9E1E0000 call PDF转换?00403D80
00401EE2 |. |C785 08F7FFFF>mov [local.574],0x0
00401EEC |. |C745 FC FFFFF>mov [local.1],-0x1
00401EF3 |. |8D8D B4FDFFFF lea ecx,[local.147]
00401EF9 |. |E8 42380000 call PDF转换?00405740
00401EFE |. |8B85 08F7FFFF mov eax,[local.574]
00401F04 |. |E9 DD020000 jmp PDF转换?004021E6
00401F09 |> \8D8D C0FDFFFF lea ecx,[local.144]
[Asm] 纯文本查看 复制代码 00401EA0 /EB 67 jmp short PDF转换?00401F09
00401EA2 |. |8D8D B4FDFFFF lea ecx,[local.147]
双击EIP返回,看第二个
两个跳转
都看看
都是jmp,不管了。
第三个
[Asm] 纯文本查看 复制代码 004023C4 |. /74 5B |je short PDF转换?00402421
004023C6 |. |68 86000000 |push 0x86
004023CB |. |8D4D EC |lea ecx,[local.5]
004023CE |. |E8 DD360000 |call PDF转换?00405AB0
004023D3 |. |6A 00 |push 0x0
004023D5 |. |68 9C564300 |push PDF转换?0043569C
004023DA |. |8D4D EC |lea ecx,[local.5]
004023DD |. |E8 CE380000 |call PDF转换?00405CB0
004023E2 |. |50 |push eax
004023E3 |. |8B8D 48FBFFFF |mov ecx,[local.302]
004023E9 |. |E8 92190000 |call PDF转换?00403D80
004023EE |. |C785 50FBFFFF>|mov [local.300],0x0
004023F8 |. |C645 FC 00 |mov byte ptr ss:[ebp-0x4],0x0
004023FC |. |8D4D EC |lea ecx,[local.5]
004023FF |. |E8 3C330000 |call PDF转换?00405740
00402404 |. |C745 FC FFFFF>|mov [local.1],-0x1
0040240B |. |8D8D 5CFBFFFF |lea ecx,[local.297]
00402411 |. |E8 1ABC0000 |call PDF转换?0040E030
00402416 |. |8B85 50FBFFFF |mov eax,[local.300]
0040241C |. |E9 86000000 |jmp PDF转换?004024A7
00402421 |>^\E9 42FFFFFF \jmp PDF转换?00402368
JE能跳。je改jmp
[Asm] 纯文本查看 复制代码 004023C2 |. 85D2 |test edx,edx
004023C4 EB 5B jmp short PDF转换?00402421
004023C6 |. 68 86000000 |push 0x86
004023CB |. 8D4D EC |lea ecx,[local.5]
第四个[Asm] 纯文本查看 复制代码 00402517 |. 83C1 6C add ecx,0x6C
0040251A |. E8 F1390000 call PDF转换?00405F10
0040251F |. 85C0 test eax,eax
00402521 |. 76 1A jbe short PDF转换?0040253D
00402523 |. 6A 04 push 0x4
00402525 |. 6A 00 push 0x0
00402527 |. 8D4D EC lea ecx,[local.5]
0040252A |. E8 81370000 call PDF转换?00405CB0
0040252F |. 50 push eax
00402530 |. 8B4D AC mov ecx,[local.21]
00402533 |. E8 48180000 call PDF转换?00403D80
00402538 |. 83F8 06 cmp eax,0x6
0040253B |. 74 1E je short PDF转换?0040255B
0040253D |> C745 C4 00000>mov [local.15],0x0
[Asm] 纯文本查看 复制代码 0040251A |. E8 F1390000 call PDF转换?00405F10
0040251F |. 85C0 test eax,eax
00402521 EB 1A jmp short PDF转换?0040253D
00402523 |. 6A 04 push 0x4
00402525 |. 6A 00 push 0x0
jbe改jmp
第五个
[Asm] 纯文本查看 复制代码 00402677 |. 83C1 6C add ecx,0x6C
0040267A |. E8 71120100 call PDF转换?004138F0
0040267F |. 85C0 test eax,eax
00402681 |. 7E 1A jle short PDF转换?0040269D
00402683 |. 6A 04 push 0x4
00402685 |. 6A 00 push 0x0
00402687 |. 8D4D F0 lea ecx,[local.4]
0040268A |. E8 21360000 call PDF转换?00405CB0
0040268F |. 50 push eax
00402690 |. 8B4D E4 mov ecx,[local.7]
00402693 |. E8 E8160000 call PDF转换?00403D80
00402698 |. 83F8 06 cmp eax,0x6
0040269B |. 74 1B je short PDF转换?004026B8
0040269D |> C745 EC 00000>mov [local.5],0x0
改jle为jmp
第六个
[Asm] 纯文本查看 复制代码 00402922 |. 50 push eax
00402923 |. 8B4D BC mov ecx,[local.17]
00402926 |. E8 55140000 call PDF转换?00403D80
0040292B |. C745 D4 00000>mov [local.11],0x0
00402932 |. C745 FC FFFFF>mov [local.1],-0x1
00402939 |. 8D4D E8 lea ecx,[local.6]
0040293C |. E8 FF2D0000 call PDF转换?00405740
00402941 |. 8B45 D4 mov eax,[local.11]
00402944 |. E9 78020000 jmp PDF转换?00402BC1
00402949 |> 8D4D F0 lea ecx,[local.4]
追踪跳转
[Asm] 纯文本查看 复制代码 004028E5 |. 894D BC mov [local.17],ecx
004028E8 |. 8B4D BC mov ecx,[local.17]
004028EB |. 83C1 6C add ecx,0x6C
004028EE |. E8 FD0F0100 call PDF转换?004138F0
004028F3 |. 85C0 test eax,eax
004028F5 |. 7F 52 jg short PDF转换?00402949
jg改jmp
[Asm] 纯文本查看 复制代码 004028EB |. 83C1 6C add ecx,0x6C
004028EE |. E8 FD0F0100 call PDF转换?004138F0
004028F3 |. 85C0 test eax,eax
004028F5 EB 52 jmp short PDF转换?00402949
004028F7 |. 8D4D E8 lea ecx,[local.6]
第七个
[Asm] 纯文本查看 复制代码 00402999 |. E8 12330000 call PDF转换?00405CB0
0040299E |. 50 push eax
0040299F |. 8B4D BC mov ecx,[local.17]
004029A2 |. E8 D9130000 call PDF转换?00403D80
004029A7 |. C745 D0 00000>mov [local.12],0x0
004029AE |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
004029B2 |. 8D4D E4 lea ecx,[local.7]
004029B5 |. E8 862D0000 call PDF转换?00405740
004029BA |. C745 FC FFFFF>mov [local.1],-0x1
004029C1 |. 8D4D F0 lea ecx,[local.4]
004029C4 |. E8 772D0000 call PDF转换?00405740
004029C9 |. 8B45 D0 mov eax,[local.12] ; PDF转换?00403E06
004029CC |. E9 F0010000 jmp PDF转换?00402BC1
004029D1 |> 8D4D F0 lea ecx,[local.4]
追踪跳转
[Asm] 纯文本查看 复制代码 0040296A |. E8 71330000 call PDF转换?00405CE0
0040296F |. 0FB6C8 movzx ecx,al
00402972 |. 85C9 test ecx,ecx
00402974 |. 74 5B je short PDF转换?004029D1
00402976 |. 8D4D E4 lea ecx,[local.7]
je改jmp
[Asm] 纯文本查看 复制代码 0040296A |. E8 71330000 call PDF转换?00405CE0
0040296F |. 0FB6C8 movzx ecx,al
00402972 |. 85C9 test ecx,ecx
00402974 EB 5B jmp short PDF转换?004029D1
00402976 |. 8D4D E4 lea ecx,[local.7]
第八处
[Asm] 纯文本查看 复制代码 00402A0D |. 8B4D BC mov ecx,[local.17]
00402A10 |. E8 6B130000 call PDF转换?00403D80
00402A15 |. C745 CC 00000>mov [local.13],0x0
00402A1C |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00402A20 |. 8D4D E0 lea ecx,[local.8]
00402A23 |. E8 182D0000 call PDF转换?00405740
00402A28 |. C745 FC FFFFF>mov [local.1],-0x1
00402A2F |. 8D4D F0 lea ecx,[local.4]
00402A32 |. E8 092D0000 call PDF转换?00405740
00402A37 |. 8B45 CC mov eax,[local.13]
00402A3A |. E9 82010000 jmp PDF转换?00402BC1
00402A3F |> 8B55 BC mov edx,[local.17]
追踪并修改
[Asm] 纯文本查看 复制代码 004029DA |. FF15 50524300 call dword ptr ds:[<&SHLWAPI.PathFileExi>; \PathFileExistsW
004029E0 |. 85C0 test eax,eax
004029E2 EB 5B jmp short PDF转换?00402A3F
004029E4 |. 8D4D E0 lea ecx,[local.8]
第九处
[Asm] 纯文本查看 复制代码 00402A92 |. E8 E9120000 call PDF转换?00403D80
00402A97 |. C745 C8 00000>mov [local.14],0x0
00402A9E |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00402AA2 |. 8D4D DC lea ecx,[local.9]
00402AA5 |. E8 962C0000 call PDF转换?00405740
00402AAA |. C745 FC FFFFF>mov [local.1],-0x1
00402AB1 |. 8D4D F0 lea ecx,[local.4]
00402AB4 |. E8 872C0000 call PDF转换?00405740
00402AB9 |. 8B45 C8 mov eax,[local.14]
00402ABC |. E9 00010000 jmp PDF转换?00402BC1
00402AC1 |> 8B4D BC mov ecx,[local.17]
追踪并修改
第一处
[Asm] 纯文本查看 复制代码 00402A3A |. /E9 82010000 jmp PDF转换?00402BC1
00402A3F |> |8B55 BC mov edx,[local.17]
00402A42 |. |83BA 90000000>cmp dword ptr ds:[edx+0x90],0x0
00402A49 |EB 76 jmp short PDF转换?00402AC1
00402A4B |. |6A 00 push 0x0
00402A4D |. |8B4D BC mov ecx,[local.17]
00402A50 |. |81C1 90000000 add ecx,0x90
第二个
[Asm] 纯文本查看 复制代码 00402A5C |. FF15 B0514300 call dword ptr ds:[<&KERNEL32.WaitForSin>; \WaitForSingleObject
00402A62 |. 85C0 test eax,eax
00402A64 EB 5B jmp short PDF转换?00402AC1
00402A66 |. 8D4D DC lea ecx,[local.9]
第十个
[Asm] 纯文本查看 复制代码 00402B27 |. E8 54120000 call PDF转换?00403D80
00402B2C |. C745 C4 00000>mov [local.15],0x0
00402B33 |. C645 FC 05 mov byte ptr ss:[ebp-0x4],0x5
00402B37 |. 8D4D D8 lea ecx,[local.10]
00402B3A |. E8 012C0000 call PDF转换?00405740
00402B3F |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00402B43 |. 8D4D EC lea ecx,[local.5]
00402B46 |. E8 05B30000 call PDF转换?0040DE50
00402B4B |. C745 FC FFFFF>mov [local.1],-0x1
00402B52 |. 8D4D F0 lea ecx,[local.4]
00402B55 |. E8 E62B0000 call PDF转换?00405740
00402B5A |. 8B45 C4 mov eax,[local.15]
00402B5D |. EB 62 jmp short PDF转换?00402BC1
00402B5F |> 8B4D BC mov ecx,[local.17]
追踪并修改
[Asm] 纯文本查看 复制代码 00402AEF |. E8 2C290000 call PDF转换?00405420
00402AF4 |. 0FB6C0 movzx eax,al
00402AF7 |. 85C0 test eax,eax
00402AF9 EB 64 jmp short PDF转换?00402B5F
00402AFB |. 8D4D D8 lea ecx,[local.10]
11个
[Asm] 纯文本查看 复制代码 00402E0E |. E8 6D0F0000 call PDF转换?00403D80
00402E13 |. C745 FC FFFFF>mov [local.1],-0x1
00402E1A |. 8D4D F0 lea ecx,[local.4]
00402E1D |. E8 1E290000 call PDF转换?00405740
00402E22 |. EB 12 jmp short PDF转换?00402E36
00402E24 |> 8B4D EC mov ecx,[local.5]
追踪并修改
[Asm] 纯文本查看 复制代码 00402DBB |. 83B8 90000000>cmp dword ptr ds:[eax+0x90],0x0
00402DC2 EB 60 jmp short PDF转换?00402E24
还有
[Asm] 纯文本查看 复制代码 00402DD5 |. FF15 B0514300 call dword ptr ds:[<&KERNEL32.WaitForSin>; \WaitForSingleObject
00402DDB |. 85C0 test eax,eax
00402DDD EB 45 jmp short PDF转换?00402E24
00402DDF |. 8D4D F0 lea ecx,[local.4]
最后一个
[Asm] 纯文本查看 复制代码 0040371D . E8 5E2D0000 call PDF转换?00406480
00403722 . 8BC8 mov ecx,eax
00403724 . E8 87250000 call PDF转换?00405CB0
00403729 . 50 push eax
0040372A . 6A 02 push 0x2
0040372C . 8B85 7CFDFFFF mov eax,dword ptr ss:[ebp-0x284]
00403732 . 50 push eax
00403733 . 8B8D C4FCFFFF mov ecx,dword ptr ss:[ebp-0x33C]
00403739 . 83C1 6C add ecx,0x6C
0040373C . E8 9F270000 call PDF转换?00405EE0
00403741 . 8B4D 0C mov ecx,dword ptr ss:[ebp+0xC] ; PDF转换?0043567C
00403744 . 8B11 mov edx,dword ptr ds:[ecx]
00403746 . 83C2 01 add edx,0x1
00403749 . 8B45 0C mov eax,dword ptr ss:[ebp+0xC] ; PDF转换?0043567C
0040374C . 8910 mov dword ptr ds:[eax],edx
0040374E . C645 FC 0B mov byte ptr ss:[ebp-0x4],0xB
00403752 . 8D8D 78FDFFFF lea ecx,dword ptr ss:[ebp-0x288]
00403758 . E8 E31F0000 call PDF转换?00405740
0040375D .^ E9 4CFDFFFF jmp PDF转换?004034AE
00403762 > C645 FC 0B mov byte ptr ss:[ebp-0x4],0xB
00403766 . 8D8D 78FDFFFF lea ecx,dword ptr ss:[ebp-0x288]
0040376C . E8 CF1F0000 call PDF转换?00405740
00403771 > 8D8D CCFDFFFF lea ecx,dword ptr ss:[ebp-0x234]
追踪并修改
[Asm] 纯文本查看 复制代码 004036C5 . FF15 50524300 call dword ptr ds:[<&SHLWAPI.PathFileExi>; \PathFileExistsW
004036CB . 85C0 test eax,eax
004036CD E9 9F000000 jmp PDF转换?00403771
004036D2 90 nop
004036D3 . 8D8D 78FDFFFF lea ecx,dword ptr ss:[ebp-0x288]
终于好了 累死我了,数学作业还没写呢
保存
我好累呀,呜呜
看看图
破解成功!
| 
[复制链接]
发表于 2016-7-31 19:03
|
发表于 2016-7-31 19:04
