Removing the registration dialog from skinner, the Winamp skin editor (cracking difficulty: medium) (about 4,000 characters)

Posted by 看雪資料 on 2001-03-18

Tools: SoftICE for 9x, W32Dasm ver 8.93, Hiew

First disassemble the program with W32Dasm, click the Strn Ref button on the toolbar, and locate the error string:
"Wrong registration number!"
Double-click it; it is referenced at two addresses in the program. The first brings you here:
* Possible StringData Ref from Data Obj ->"Wrong registration number!"
                                  |
:00406C2E 6894584200              push 00425894
:00406C33 56                      push esi
Look upward....
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406BB4(C)  *note this address!!!
|
:00406C22 83F801                  cmp eax, 00000001
:00406C25 751D                    jne 00406C44 *change this to je
:00406C27 6A00                    push 00000000
Double-click the second reference to get here:
* Possible StringData Ref from Data Obj ->"Wrong registration number!"
                                  |
:0040B87A 6894584200              push 00425894
:0040B87F 56                      push esi
Again, look upward:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B83A(C)
|
:0040B86E 83F801                  cmp eax, 00000001
:0040B871 751D                    jne 0040B890 *change to je
:0040B873 6A00                    push 00000000
So far this only skips the error message.
Remember this spot!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406BB4(C)  *find this jump address
|
:00406C22 83F801                  cmp eax, 00000001
:00406C25 751D                    jne 00406C44
:00406C27 6A00                    push 00000000

It brings you here:
* Reference To: USER32.DialogBoxParamA, Ord:008Eh
                                  |
:00406BAB FF154C254300            Call dword ptr [0043254C]
:00406BB1 83F803                  cmp eax, 00000003
:00406BB4 756C                    jne 00406C22 *change to je; when you press OK the text becomes "This product is licensed to"

Someone asked: "Can it be made to show 'This product is licensed to' all the time?" Of course. Go back to the string data reference list, find "This product is licensed to", and double-click it; it also has two addresses. Go here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406AC9(C)
|
:00406AD7 A33C524200              mov dword ptr [0042523C], eax
:00406ADC 85C0                    test eax, eax
:00406ADE 7440                    je 00406B20 *change this to jne
:00406AE0 8B742478                mov esi, dword ptr [esp+78]

* Possible StringData Ref from Data Obj ->" This product is licensed to "
                                  |
:00406AE4 6850594200              push 00425950
Run it and try again.
But another problem appears: when you press the Register button, the registration dialog still pops up. Remove that as well. Run the program up to the registration dialog,
set a breakpoint in SoftICE with bpx hmemcpy,
press OK,
the program breaks; bc * clears the breakpoints (the same applies below); press F12 to get here:
:00406D81 FFD7                    call edi *see it? this is the call that opens the registration dialog
:00406D83 8D442438                lea eax, dword ptr [esp+38] *the program breaks here
:00406D87 6A29                    push 00000029
:00406D89 50                      push eax

Look upward...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406D1B(C)
|
:00406D5B 668B442470              mov ax, word ptr [esp+70]
:00406D60 663D0100                cmp ax, 0001
:00406D64 0F8519010000            jne 00406E83 *change to je
Run it again. How about that? Gone, right?
One more problem: when you save a finished skin, the registration dialog still pops up.
Come on, kill it!
Press Ctrl+D to bring up SoftICE,
set a breakpoint with bpx sendmessage,
the program breaks; press F12 n times to get here (inside the program's own address space):
:0040B1B8 FFD7                    call edi
:0040B1BA 83F801                  cmp eax, 00000001
:0040B1BD 0F85CD060000            jne 0040B890
:0040B1C3 68027F0000              push 00007F02
:0040B1C8 6A00                    push 00000000
Keep pressing F10, again and again and again... until the registration dialog appears. It should be here:
* Possible Reference to Dialog: DialogID_00F0
                                  |
:0040B816 68F0000000              push 000000F0
:0040B81B 50                      push eax
:0040B81C FFD7                    call edi *this is the error dialog
:0040B81E 85C0                    test eax, eax
:0040B820 746E                    je 0040B890
:0040B822 6A00                    push 00000000
:0040B824 A170FB4200              mov eax, dword ptr [0042FB70]
:0040B829 68006D4000              push 00406D00
:0040B82E 56                      push esi
Look upward to reach:
:0040B7F6 FF15C0254300            Call dword ptr [004325C0]
:0040B7FC 833D3C52420000          cmp dword ptr [0042523C], 00000000
:0040B803 0F8587000000            jne 0040B890 *change to je
Done. Give it a try! If nothing went wrong, it should have worked!
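Every site in the write-up is a conditional jump whose je/jne opcodes differ by one bit, so from the vendor's side the practical counter-measure is to verify those exact bytes, at run time or in a support tool, rather than trusting the branch. The following Python script is an added example, not code from the original post or from skinner: it takes the six addresses and original opcode bytes from the listings above, assumes the usual PE image base 0x00400000, and reports any site whose bytes differ, naming the classic je/jne inversion; make_demo_image builds a constructed stand-in for the binary.

```python
from typing import Callable, Dict, List, Tuple

# Virtual addresses and original instruction bytes copied from the listings above.
EXPECTED_SITES: Dict[int, bytes] = {
    0x00406BB4: bytes.fromhex("756C"),          # jne 00406C22
    0x00406ADE: bytes.fromhex("7440"),          # je  00406B20
    0x00406C25: bytes.fromhex("751D"),          # jne 00406C44
    0x0040B871: bytes.fromhex("751D"),          # jne 0040B890
    0x00406D64: bytes.fromhex("0F8519010000"),  # jne 00406E83
    0x0040B803: bytes.fromhex("0F8587000000"),  # jne 0040B890
}
IMAGE_BASE = 0x00400000  # assumption: default PE image base, matching the 0x0040xxxx addresses

def classify(expected: bytes, actual: bytes) -> str:
    """Name the tampering when it is a plain Jcc inversion, else 'modified'."""
    if len(actual) == len(expected):
        # short Jcc: opcode 0x74 (je) and 0x75 (jne) differ only in the low bit
        if expected[0] in (0x74, 0x75) and actual[0] == expected[0] ^ 1 \
                and actual[1:] == expected[1:]:
            return "short Jcc inverted"
        # near Jcc: 0F 84 (je) and 0F 85 (jne), same low-bit relationship
        if expected[0] == 0x0F and expected[1] in (0x84, 0x85) \
                and actual[0] == 0x0F and actual[1] == expected[1] ^ 1 \
                and actual[2:] == expected[2:]:
            return "near Jcc inverted"
    return "modified"

def audit(read_va: Callable[[int, int], bytes],
          sites: Dict[int, bytes] = EXPECTED_SITES) -> List[Tuple[int, str]]:
    """read_va(va, n) returns n bytes at va; report every site that no longer matches."""
    findings = []
    for va, expected in sites.items():
        actual = read_va(va, len(expected))
        if actual != expected:
            findings.append((va, classify(expected, actual)))
    return findings

def make_demo_image(tampered: bool) -> bytearray:
    """Constructed stand-in for the binary: zero-filled, only the listed sites populated."""
    img = bytearray(0x10000)
    for va, b in EXPECTED_SITES.items():
        img[va - IMAGE_BASE: va - IMAGE_BASE + len(b)] = b
    if tampered:
        img[0x00406C25 - IMAGE_BASE] ^= 1      # short jne flipped to je
        img[0x00406D64 - IMAGE_BASE + 1] ^= 1  # near jne flipped to je
    return img

def audit_image(img: bytearray, base: int = IMAGE_BASE) -> List[Tuple[int, str]]:
    """Run the audit over a flat image buffer laid out at base."""
    return audit(lambda va, n: bytes(img[va - base: va - base + n]))
```

Against the real file, supply read_va from a PE parser, for example with pefile: lambda va, n: pe.get_data(va - pe.OPTIONAL_HEADER.ImageBase, n).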