RegHance v1.1 Cracking Log (5,000 characters)

Posted to 看雪 (PEDIY) on 2001-03-26

Preface: Exams are just around the corner, but I still couldn't resist writing this up. Writing this log took a whole afternoon, so my exams are in trouble now...


Cracker: midi
Level: beginner
Target: RegHance v1.1
Download: http://www.lavasoft.de/binary/awbin/regh.exe (632k)
Tools: TRW2000 v1.22, W32Dasm, Hex Workshop, UnPECompact 1.31, eXeScope, etc.
The author's description of the software:

The standard registry editor that comes with Windows lacks functionality.
Reghance was designed to give you more overview and control, making it easy
to navigate and walk through your registry.

Protection: a) An "About" nag window pops up at startup; you have to click "close this window" to reach the main program;
b) the About window contains "This tool is a shareware...";
c) when the program exits, the "About" nag window pops up again and you have to wait three or four seconds before it can be closed;
d) the image in the About window carries the word "unregistered".

Walkthrough:

1) As SunBird always says, "info" everything first. Sure enough, the main executable RegHance.exe is packed with PECompact. Unpack it with UnPECompact 1.31...

2) For a):

Run the unpacked main program. When the "About" nag window is sitting there, launch TRW. For this kind of nag window I can't be bothered to work out which breakpoint to set, because there are too many candidates. I usually use the dumbest but most effective method, "two-handed coordination": the right hand clicks the "close this window" button while, at the same moment, the left hand presses Ctrl+D (I find Ctrl+D the most comfortable) to bring up TRW. (I practised this for a whole month; luckily I have a background in playing the guitar, haha..) TRW does this job beautifully!!


――KERNEL32!CancelWaitableTimer+011F__________

0177:BFF99A75 685C002A00 PUSH DWORD 002A005C
0177:BFF99A7A E85579FDFF CALL `KERNEL32!ord_00000001`
0177:BFF99A7F 3DC0000000 CMP EAX,C0
0177:BFF99A84 8BF0 MOV ESI,EAX<------ the cursor is here!
0177:BFF99A86 7505 JNZ BFF99A8D
0177:BFF99A88 E8FDB7FEFF CALL BFF8528A
0177:BFF99A8D 8BC6 MOV EAX,ESI
0177:BFF99A8F 5E POP ESI

pmodule takes us back to the main program:

0177:0044D044 E84F66FBFF CALL 00403698
0177:0044D049 807DFB00 CMP BYTE [EBP-05],00
0177:0044D04D 7405 JZ 0044D054
0177:0044D04F E8E0A3FBFF CALL `USER32!WaitMessage`
0177:0044D054 33C0 XOR EAX,EAX<---- the cursor is here!
0177:0044D056 5A POP EDX
0177:0044D057 59 POP ECX
0177:0044D058 59 POP ECX
0177:0044D059 648910 MOV [FS:EAX],EDX
0177:0044D05C 6876D04400 PUSH DWORD 0044D076
0177:0044D061 8D45F0 LEA EAX,[EBP-10]
0177:0044D064 BA02000000 MOV EDX,02
0177:0044D069 E80E6BFBFF CALL 00403B7C

Now press F12+F10 over and over, to find out which call brings up the nag window.
Note down suspicious calls or the addresses of conditional checks with a pen (which addresses count as suspicious is a matter of feel) and set breakpoints on them with F9. Quit and rerun the main program; TRW will stop it before the nag window pops up. Try redirecting the conditional jumps or NOPing out the suspicious calls... attempt after attempt... until finally something lights up:

:004948A9 8BC3 mov eax, ebx
:004948AB E8342CFBFF call 004474E4
:004948B0 8BC3 mov eax, ebx
:004948B2 8B10 mov edx, dword ptr [eax]
:004948B4 FF92D8000000 call dword ptr [edx+000000D8]===>This will bring up the start nag screen, JUST nop it!
:004948BA 8BC3 mov eax, ebx
:004948BC E8CFE5F6FF call 00402E90
:004948C1 6850494900 push 00494950
:004948C6 E88953F7FF call 00409C54
:004948CB 83C4F8 add esp, FFFFFFF8
:004948CE DD1C24 fstp qword ptr [esp]
:004948D1 9B wait

With that, step one is done!



For b):

Disassemble the unpacked main program with W32Dasm. Oddly, there are no string data references (SDR) at all, only Data Hex and Imp Fn. Luckily, "This tool is a shareware" can be found in Hex Workshop. It occurs in two places, one of which is followed by "Thank you for your licensing reghance!"
Note its offset, 9A550, and find the address corresponding to that offset in W32Dasm: 0049B150. Searching for it leads here:


:0049B0E5 A1F0D64900 mov eax, dword ptr [0049D6F0]
:0049B0EA 83381A cmp dword ptr [eax], 0000001A
:0049B0ED 7512 jne 0049B101===(if license jmp)
:0049B0EF BA50B14900 mov edx, 0049B150======"This tool is shareware..."
:0049B0F4 8B83DC020000 mov eax, dword ptr [ebx+000002DC]
:0049B0FA E8A537F9FF call 0042E8A4
:0049B0FF EB10 jmp 0049B111

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049B0ED(C)
|
:0049B101 BA84B14900 mov edx, 0049B184
:0049B106 8B83DC020000 mov eax, dword ptr [ebx+000002DC]
:0049B10C E89337F9FF call 0042E8A4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049B0FF(U)
|
:0049B111 80BBF402000000 cmp byte ptr [ebx+000002F4], 00
:0049B118 742A je 0049B144
:0049B11A BAB8B14900 mov edx, 0049B1B8====WAIT 3 seconds
:0049B11F 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:0049B125 E87A37F9FF call 0042E8A4
:0049B12A B201 mov dl, 01
:0049B12C 8B83E8020000 mov eax, dword ptr [ebx+000002E8]
:0049B132 E8ED56FBFF call 00450824
:0049B137 33D2 xor edx, edx
:0049B139 8B83D8020000 mov eax, dword ptr [ebx+000002D8]

Patching at :0049B0ED alone removes "This tool is shareware..." from the About window.

For c):

Same method as for a). Click to close the program, wait for the delay window to settle, then use the "two-handed coordination" trick. Eventually you arrive at:

......

:004464EA 8BC0 mov eax, eax
:004464EC 53 push ebx
:004464ED 6683B87A02000000 cmp word ptr [eax+0000027A], 0000
:004464F5 7412 je 00446509==if license, jmp and exit windows
:004464F7 8BCA mov ecx, edx
:004464F9 8BD8 mov ebx, eax
:004464FB 8BD0 mov edx, eax
:004464FD 8B837C020000 mov eax, dword ptr [ebx+0000027C]
:00446503 FF9378020000 call dword ptr [ebx+00000278] ==refer to the nag shareware reminder

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004464F5(C)
|
:00446509 5B pop ebx
:0044650A C3 ret

As you can see, just change the flow at :004464F5 or NOP out the call at :00446503, and the annoying exit nag is gone!

For d):

I won't write up the last item; just look at the earlier posts! (Here midi salutes big brother SunBird! -- I'll treat you to dinner if I get the chance! ^_^)

3) **Summary** My patch is:

:004948B4 FF92D8000000-->909090909090;
:0049B0ED 7512-->EB12;
:004464F5 7412-->EB12
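As an added example that is not part of the original post, here is a Python check a vendor or forensic analyst could run to tell an untouched copy of the unpacked binary from one carrying the three patches above: it maps each virtual address to a file offset through the PE section table (the same 0049B150 -> 9A550 relationship the write-up reads off W32Dasm) and compares the bytes found there with the original and patched sequences. The sample PE it builds is constructed for the demonstration, with an assumed single code section at RVA 0x1000 / raw offset 0x400.

```python
import struct

PATCH_SITES = {  # virtual address -> (original bytes, patched bytes), as listed in the write-up
    0x004948B4: (bytes.fromhex("FF92D8000000"), bytes.fromhex("909090909090")),
    0x0049B0ED: (bytes.fromhex("7512"), bytes.fromhex("EB12")),
    0x004464F5: (bytes.fromhex("7412"), bytes.fromhex("EB12")),
}

def va_to_offset(pe, va):
    """Map a virtual address to a file offset through the PE32 section table (None if unmapped)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _mach, nsec, _ts, _ps, _ns, opt_size, _ch = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER
    rva = va - struct.unpack_from("<I", pe, opt + 28)[0]  # subtract ImageBase
    for i in range(nsec):                                 # 40-byte IMAGE_SECTION_HEADERs follow
        entry = opt + opt_size + 40 * i
        _vsize, sec_va, rsize, rptr = struct.unpack_from("<4I", pe, entry + 8)
        if sec_va <= rva < sec_va + rsize:
            return rptr + (rva - sec_va)
    return None

def check_patch_sites(pe):
    """Classify each site as 'original', 'patched' or 'unknown' (unmapped or other bytes)."""
    result = {}
    for va, (orig, patched) in PATCH_SITES.items():
        off = va_to_offset(pe, va)
        got = bytes(pe[off:off + len(orig)]) if off is not None else b""
        result[va] = "original" if got == orig else "patched" if got == patched else "unknown"
    return result

def build_sample_pe(apply_patch=False):
    """Constructed stand-in for the unpacked RegHance.exe (assumption: a single code section at
    RVA 0x1000 / raw offset 0x400, which reproduces the write-up's mapping 0049B150 -> 9A550)."""
    pe = bytearray(0x400 + 0x9B000)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x84, 0x14C, 1)           # Machine = i386, NumberOfSections = 1
    struct.pack_into("<H", pe, 0x94, 0xE0)                # SizeOfOptionalHeader (PE32)
    struct.pack_into("<I", pe, 0x98 + 28, 0x400000)       # ImageBase
    pe[0x178:0x180] = b"CODE\0\0\0\0"
    struct.pack_into("<4I", pe, 0x180, 0x9B000, 0x1000, 0x9B000, 0x400)  # VSize, VA, RawSize, RawPtr
    for va, (orig, patched) in PATCH_SITES.items():       # plant original or patched bytes
        off = va_to_offset(pe, va)
        pe[off:off + len(orig)] = patched if apply_patch else orig
    return bytes(pe)
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `check_patch_sites`; any site reported as "unknown" means the section layout or code differs from what the write-up describes.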



Postscript: This is the first cracking log I have written, at peterchen's request. Experts, please don't laugh; give me your advice!!
I also hope everyone will post their cracking tips so we can all share them...
My email: bestwishes66@ h o t m a i l . c o m
