http://www.cybersitter.com
CYBERsitter 2000
輸入註冊碼之後的判斷:
// Registration-dialog path: after the user enters a serial, the checker at
// 0047B920 is called and the "invalid" message is shown when it returns al == 0.
// Reviewer note: the whole decision is the single byte in al (test/jne below);
// this is one of only two direct call sites listed for 0047B920.
:004D720F A1E0014E00 mov eax,
dword ptr [004E01E0]
:004D7214 8B00
mov eax, dword ptr [eax]           // eax = *[004E01E0]; set up right before the call — looks like the checker's argument (register convention), confirm
:004D7216 E80547FAFF call 0047B920
// check registration code; result in al (0 = invalid)
:004D721B 84C0
test al, al
:004D721D 751E
jne 004D723D                       // al != 0 (valid) -> skip the error message
* Possible StringData Ref from Code Obj ->"The serial number you entered "
->"is invalid."
|
:004D721F B894854D00 mov eax,
004D8594                           // eax -> "The serial number you entered is invalid."
:004D7224 E86B53FAFF call 0047C594 // presumably displays the message — what 0047C594 does is not visible here
啟動時的判斷也是呼叫同一個子程式:
// Startup path: the same checker (0047B920) is called; its al result is written
// to the byte pointed to by [004E015C], then re-read and compared with 0.
// Reviewer note: the registration state therefore lives in one global byte;
// anything that overwrites that byte (or the checker's return) flips the state.
:004C9454 A1E0014E00 mov eax,
dword ptr [004E01E0]
:004C9459 8B00
mov eax, dword ptr [eax]           // eax = *[004E01E0], same setup as the dialog path
:004C945B E8C024FBFF call 0047B920
// check registration code; result in al (0 = invalid)
:004C9460 8B155C014E00 mov edx, dword
ptr [004E015C]
:004C9466 8802
mov byte ptr [edx], al // store the check result in the byte at *[004E015C]
:004C9468 A15C014E00 mov eax,
dword ptr [004E015C]
:004C946D 803800
cmp byte ptr [eax], 00 // test the stored result
:004C9470 755F
jne 004C94D1                       // non-zero (registered) -> skip the "Unregistered" label
:004C9472 A1E0014E00 mov eax,
dword ptr [004E01E0]
* Possible StringData Ref from Code Obj ->"Unregistered"
|
:004C9477 BAC0A24C00 mov edx,
004CA2C0                           // edx -> "Unregistered"
:004C947C E897AAF3FF call 00403F18 // presumably assigns the string to *[004E01E0] — what 00403F18 does is not visible here
用來判斷註冊碼的子程式如下。從 W32Dasm 的交叉參照(0047B920 前的「Referenced by a CALL」)來看,這個子程式只被以上兩處直接呼叫;間接呼叫不會出現在交叉參照裡,改函式體之前最好再確認一次。如果把這個子程式的函式體改掉,讓它總是以 al=1 返回就行了(兩個呼叫端都只檢查 al)。如果只修改輸入註冊碼時的那條判斷指令(004D721D 的 jne),則啟動時還是未註冊,因為啟動時走的是另一個呼叫端(004C945B),而且判斷結果還被存進 [004E015C] 所指的那個位元組。另外,註冊碼很好找的,只要註冊碼的四部分(分別在 [ebp-14]、[ebp-18]、[ebp-1C]、[ebp-20],經 00409D04 即 atol 轉換後)能分別被 4 個除數(ebx、esi、[ebp-0C]、[ebp-10])整除即可;這四個除數是在省略的那段程式碼裡算出的,可能是根據使用者名稱得來的。要注意這裡用的是有號的 cdq/idiv,若某個除數為 0 會觸發除零例外。
* Referenced by a CALL at Addresses:
|:004C945B , :004D7216
|
// sub_0047B920 — serial-number validator.
// Called from 004C945B (startup) and 004D7216 (registration dialog).
// Returns al = 1 when each of the four code parts — read from [ebp-14],
// [ebp-18], [ebp-1C], [ebp-20] and converted by 00409D04 (atol per the original
// notes) — divides exactly by its divisor (ebx, esi, [ebp-0C], [ebp-10]);
// al = 0 as soon as one part fails (the chain below short-circuits).
// How the serial is split into parts and how the divisors are derived is in the
// elided section ("......") and is NOT visible in this listing.
// Reviewer notes:
//  - The verdict is a single byte: built by a chain of `sete al`, stored at
//    0047BAB9 into [ebp-05], reloaded at 0047BAE6. Forcing al = 1 at any of
//    those points defeats the check — this is the page's own thesis.
//  - `cdq` / `idiv` is signed division: a zero divisor raises #DE, and
//    0x80000000 / -1 overflows. If the divisors derive from user-controlled
//    data (the notes suggest the user name), that is a crash path — verify.
//  - The cross-reference above lists direct calls only; indirect callers
//    would not appear.
:0047B920 55
push ebp
:0047B921 8BEC
mov ebp, esp
:0047B923 B904000000 mov ecx,
00000004                           // loop 4 times, two zero dwords per pass = 32 bytes of zeroed locals
:0047B928 6A00
push 00000000
:0047B92A 6A00
push 00000000
:0047B92C 49
dec ecx
:0047B92D 75F9
jne 0047B928
......................................................
// elided: presumably pushes ebx/esi/edi (they are popped at 0047BAE9..0047BAEB),
// installs the fs:[0] frame restored at 0047BAC1, splits the serial into four
// parts and computes the divisors — none of it is visible here.
:0047BA65 B001
mov al, 01                         // start the chain with "valid so far" = 1
:0047BA67 84C0
test al, al
:0047BA69 7410
je 0047BA7B                        // never taken here: al was just set to 1, so ZF is clear
:0047BA6B 8B45EC
mov eax, dword ptr [ebp-14] // registration-code part 1
:0047BA6E E891E2F8FF call 00409D04
//atol( )
:0047BA73 99
cdq                                // sign-extend eax into edx:eax for the signed divide
:0047BA74 F7FB
idiv ebx
// divisible? edx = remainder (faults with #DE if ebx == 0)
:0047BA76 85D2
test edx, edx
:0047BA78 0F94C0
sete al                            // al = 1 iff remainder == 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047BA69(C)
|
:0047BA7B 84C0
test al, al
:0047BA7D 7410
je 0047BA8F                        // part 1 failed -> skip part 2 (al stays 0)
:0047BA7F 8B45E8
mov eax, dword ptr [ebp-18] // registration-code part 2
:0047BA82 E87DE2F8FF call 00409D04
//atol( )
:0047BA87 99
cdq
:0047BA88 F7FE
idiv esi
// divisible? (faults if esi == 0)
:0047BA8A 85D2
test edx, edx
:0047BA8C 0F94C0
sete al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047BA7D(C)
|
:0047BA8F 84C0
test al, al
:0047BA91 7411
je 0047BAA4                        // an earlier part failed -> skip part 3
:0047BA93 8B45E4
mov eax, dword ptr [ebp-1C] // registration-code part 3
:0047BA96 E869E2F8FF call 00409D04
//atol( )
:0047BA9B 99
cdq
:0047BA9C F77DF4
idiv [ebp-0C]
// divisible? (faults if [ebp-0C] == 0)
:0047BA9F 85D2
test edx, edx
:0047BAA1 0F94C0
sete al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047BA91(C)
|
:0047BAA4 84C0
test al, al
:0047BAA6 7411
je 0047BAB9                        // an earlier part failed -> skip part 4
:0047BAA8 8B45E0
mov eax, dword ptr [ebp-20] // registration-code part 4 (the original note said "part 3"; [ebp-20] is the fourth slot)
:0047BAAB E854E2F8FF call 00409D04
//atol( )
:0047BAB0 99
cdq
:0047BAB1 F77DF0
idiv [ebp-10]
// divisible? (faults if [ebp-10] == 0)
:0047BAB4 85D2
test edx, edx
:0047BAB6 0F94C0
sete al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047BAA6(C)
|
:0047BAB9 8845FB
mov byte ptr [ebp-05], al // function return value, saved across the cleanup below
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047B95F(C), :0047BA00(U), :0047BA18(U), :0047BA30(U), :0047BA48(U)
|:0047BA5E(U)
|
// Several jumps from the elided section land here (list above), bypassing the
// store at 0047BAB9; what [ebp-05] holds on those paths is not visible here.
:0047BABC 33C0
xor eax, eax
:0047BABE 5A
pop edx
:0047BABF 59
pop ecx
:0047BAC0 59
pop ecx
:0047BAC1 648910
mov dword ptr fs:[eax], edx        // restore fs:[0] (Win32 SEH chain head) — looks like a compiler-generated try/finally frame
:0047BAC4 68E6BA4700 push 0047BAE6 // continuation address: the `ret` at 0047BADE lands at 0047BAE6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047BAE4(U)
|
:0047BAC9 8D45DC
lea eax, dword ptr [ebp-24]
:0047BACC BA05000000 mov edx,
00000005
:0047BAD1 E81284F8FF call 00403EE8 // eax = &[ebp-24], edx = 5 — presumably finalizes five locals; confirm what 00403EE8 does
:0047BAD6 8D45FC
lea eax, dword ptr [ebp-04]
:0047BAD9 E8E683F8FF call 00403EC4 // eax = &[ebp-04] — presumably finalizes that local; confirm what 00403EC4 does
:0047BADE C3
ret                                // pops the 0047BAE6 pushed above (assuming the two calls are stack-balanced)
:0047BADF E9D87DF8FF jmp 004038BC  // not reached on the normal path; likely the exception-unwind stub — not visible here
:0047BAE4 EBE3
jmp 0047BAC9                       // re-enters the cleanup; its own caller is not visible here
:0047BAE6 8A45FB
mov al, byte ptr [ebp-05] // function return value reloaded into al — the single load the callers test
:0047BAE9 5F
pop edi
:0047BAEA 5E
pop esi
:0047BAEB 5B
pop ebx                            // ebx/esi/edi were presumably pushed in the elided section
:0047BAEC 8BE5
mov esp, ebp
:0047BAEE 5D
pop ebp
:0047BAEF C3
ret