Recover4All v1.03的破解探討 (7千字)
Recover4All v1.03的破解探討
工具:TRW2000和Wdasm v8.93
目標說明:每個人一定都曾不小心誤刪檔案與目錄,而要恢復誤刪的檔案有時相當困難,
不妨先試試 Recover 4 all 看看,它能將剛剛所刪除的檔案找出來,但必須是在Win95/98
下所刪除的檔案,它才能找出並救回來。
難度:中級?
=======================================================
引子:這是一篇破解討論性的文章,僅作為大家深入討論的依據。
執行程式,輸入Registration Name:sUpErbOss Registration Code:1122334455
按Ctrl-N切換到TRW2000下,打"BPX HMEMCPY",點選“OK”按鈕,被攔下,打"BD *"。
按幾次F12鍵,回到Rec4All模組下,再一直按F10鍵,直到下面所指的重點(2)處:
:00411DE0 51
push ecx
:00411DE1 8BCD
mov ecx, ebp
:00411DE3 E898A9FFFF call 0040C780
:00411DE8 50
push eax
:00411DE9 8D8C247C030000 lea ecx, dword ptr
[esp+0000037C]
:00411DF0 C684243413000001 mov byte ptr [esp+00001334],
01
:00411DF8 E8B3220000 call 004140B0
:00411DFD 8D8C24500B0000 lea ecx, dword ptr
[esp+00000B50]
:00411E04 C684243013000000 mov byte ptr [esp+00001330],
00
:00411E0C E8EF220000 call 00414100
:00411E11 8D83E8030000 lea eax, dword
ptr [ebx+000003E8]
:00411E17 8D9424500B0000 lea edx, dword ptr
[esp+00000B50]
:00411E1E 50
push eax
:00411E1F 52
push edx
:00411E20 8BCD
mov ecx, ebp
:00411E22 E839B8FFFF call 0040D660
:00411E27 8DB340080000 lea esi, dword
ptr [ebx+00000840]
:00411E2D 50
push eax
:00411E2E 8BCE
mov ecx, esi
:00411E30 C684243413000002 mov byte ptr [esp+00001334],
02
:00411E38 E873220000 call 004140B0
:00411E3D 8D8C24500B0000 lea ecx, dword ptr
[esp+00000B50]
:00411E44 C684243013000000 mov byte ptr [esp+00001330],
00
:00411E4C E8AF220000 call 00414100
:00411E51 81ECD8070000 sub esp, 000007D8
:00411E57 8BCC
mov ecx, esp
:00411E59 89A424F4070000 mov dword ptr [esp+000007F4],
esp
:00411E60 56
push esi
:00411E61 E82A220000 call 00414090
:00411E66 8D8C24500B0000 lea ecx, dword ptr
[esp+00000B50]
:00411E6D E8FE200000 call 00413F70
<---重點(1)!!(比對升級碼)
:00411E72 85C0
test eax, eax
:00411E74 0F858C000000 jne 00411F06
.
.
.
:00411F93 E8E8A7FFFF call 0040C780
<----此Call根據註冊碼經過變形算出一個數
:00411F98 50
push eax
:00411F99 8D8C247C030000 lea ecx, dword ptr
[esp+0000037C]
:00411FA0 C684243413000003 mov byte ptr [esp+00001334],
03
:00411FA8 E803210000 call 004140B0
:00411FAD 8D8C24500B0000 lea ecx, dword ptr
[esp+00000B50]
:00411FB4 C684243013000000 mov byte ptr [esp+00001330],
00
:00411FBC E83F210000 call 00414100
:00411FC1 8D83E8030000 lea eax, dword
ptr [ebx+000003E8]
:00411FC7 8D8C24500B0000 lea ecx, dword ptr
[esp+00000B50]
:00411FCE 50
push eax
:00411FCF 51
push ecx
:00411FD0 8BCD
mov ecx, ebp
:00411FD2 E889B6FFFF call 0040D660
<----此Call根據Name經過變形算出一個數
:00411FD7 8DB340080000 lea esi, dword
ptr [ebx+00000840]
:00411FDD 50
push eax
:00411FDE 8BCE
mov ecx, esi
:00411FE0 C684243413000004 mov byte ptr [esp+00001334],
04
:00411FE8 E8C3200000 call 004140B0
:00411FED 8D8C24500B0000 lea ecx, dword ptr
[esp+00000B50]
:00411FF4 C684243013000000 mov byte ptr [esp+00001330],
00
:00411FFC E8FF200000 call 00414100
:00412001 81ECD8070000 sub esp, 000007D8
:00412007 8BCC
mov ecx, esp
:00412009 89A424F4070000 mov dword ptr [esp+000007F4],
esp
:00412010 56
push esi
:00412011 E87A200000 call 00414090
:00412016 8D8C24500B0000 lea ecx, dword ptr
[esp+00000B50]
:0041201D E84E1F0000 call 00413F70
<---重點(2)!!(比對註冊碼)
:00412022 85C0
test eax, eax <---註冊成功的話,EAX=0
:00412024 7566
jne 0041208C
進入重點Call(2)後,按F10鍵,一直往下,來到核心Call,可別三心二意跑過站嘍!按F8鍵吧!!
:00413FD2 50
push eax
:00413FD3 E848FAFFFF call 00413A20
<------核心Call哦!!
:00413FD8 8D4C2418 lea
ecx, dword ptr [esp+18]
:00413FDC 8BF0
mov esi, eax <----註冊碼正確的話,ESI=EAX=0
:00413FDE C7442410FFFFFFFF mov [esp+10], FFFFFFFF
:00413FE6 E815010000 call 00414100
:00413FEB 8BC6
mov eax, esi <----EAX=ESI=0
:00413FED 8B4C2408 mov
ecx, dword ptr [esp+08]
:00413FF1 64890D00000000 mov dword ptr fs:[00000000],
ecx
:00413FF8 5F
pop edi
:00413FF9 5E
pop esi
:00413FFA 83C40C
add esp, 0000000C
:00413FFD C2D807
ret 07D8
進入到核心Call後,按F10鍵往下走,就到站啦!
:00413A59 56
push esi
:00413A5A 8BCF
mov ecx, edi
:00413A5C 8BE8
mov ebp, eax
:00413A5E E81DFCFFFF call 00413680
<----注意哦!!
:00413A63 3BC5
cmp eax, ebp <----變形後的註冊碼比對處
:00413A65 77CD
ja 00413A34 ---->必須滿足EAX=EBP<----
:00413A67 56
push esi
:00413A68 8BCB
mov ecx, ebx
:00413A6A E811FCFFFF call 00413680
<----注意哦!!
:00413A6F 56
push esi
:00413A70 8BCF
mov ecx, edi
:00413A72 8BE8
mov ebp, eax
:00413A74 E807FCFFFF call 00413680
<----注意哦!!
:00413A79 3BC5
cmp eax, ebp <---變形後的註冊碼比對處
:00413A7B 72C5
jb 00413A42 ---->必須滿足EAX=EBP<----
:00413A7D 85F6
test esi, esi <---有兩組變形碼比對!
:00413A7F 75CF
jne 00413A50
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413A4E(C)
|
:00413A81 5F
pop edi
:00413A82 5E
pop esi
:00413A83 5D
pop ebp
:00413A84 33C0
xor eax, eax <----EAX=0
:00413A86 5B
pop ebx
:00413A87 C20400
ret 0004
====================================
; Body of the helper at 00413680, which the core routine calls three times
; (00413A5E, 00413A6A, 00413A74) with one index pushed as its stack argument
; and ecx pointing at a structure whose dword at +00 is a table base pointer
; and whose dword at +08 is compared against the index (element count, inferred
; from the unsigned bounds compare below).
; Effect: if index >= [ecx+08] return 0; otherwise return the dword at
; [[ecx] + 4*index]. The stack argument is popped by "ret 0004".
:00413680 8B442404 mov
eax, dword ptr [esp+04] <--- body of Call 00413680; eax = index argument
:00413684 8B5108
mov edx, dword ptr [ecx+08] <--- edx = element count of the table at ecx
:00413687 3BC2
cmp eax, edx
:00413689 7205
jb 00413690 <--- unsigned bounds check: index < count, go look it up
:0041368B 33C0
xor eax, eax <--- index out of range: return 0
:0041368D C20400
ret 0004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413689(C)
|
:00413690 8B09
mov ecx, dword ptr [ecx] <--- ecx = table base pointer (dword at +00)
:00413692 8B0481
mov eax, dword ptr [ecx+4*eax] <--- return table[index]; type "D ECX+4*EAX" to view it
:00413695 C20400
ret 0004
在00413692處,記下ECX+4*EAX所表示的地址。(注意:必須是在啟動Rec4All,第一次點選"OK"按鈕後,跟蹤到此處時的地址值)
Why?因為每次重新按"OK"按鈕跟蹤Rec4All時,此處的地址是變動的,所以很難設定正確的斷點。但每次啟動Rec4All,
第一次點選"OK"按鈕後,此處的地址值是相同的。
我研究了很長時間,也沒把它的演算法搞清楚,希望網上的各位高手,能給予指點,先謝過啦!