我也發個帖子,湊湊熱鬧:WINDOWS優化大師 v3.53“暗門”的解決過程 (7千字)
WINDOWS優化大師 v3.53“暗門”的解決過程(時空幻影於2001年4月6日)
最近許多人在用我寫的序號產生器時,遇到這樣一個問題:用生成的註冊碼輸入後,該軟體提示已註冊,但是在退出該軟體,然後再執行時又變成未註冊的了。
我先用CASPR(脫殼工具)脫掉該軟體的殼,然後再用W32DASM進行反彙編,檢視可疑字串,果然看到了“未註冊”(因為在該軟體執行後有“未註冊”字樣,所以我是從最後往前翻看到的,結果繞了一個圈子,如果從前面往後翻的話,我會解決得更快)。
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00524167(U), :00524173(U)
|
:00524185 8B4584
mov eax, dword ptr [ebp-7C]
:00524188 E8DFEDEDFF call
00402F6C
:0052418D 8B4580
mov eax, dword ptr [ebp-80]
:00524190 E8D7EDEDFF call
00402F6C
:00524195 8B45FC
mov eax, dword ptr [ebp-04]
:00524198 E8933FFFFF call
00518130 <--把W32DASM的光棒移到該位置,點選工具欄的"Call"
:0052419D 85C0
test eax, eax
:0052419F 0F85A6000000 jne 0052424B
<--當EAX為0時註冊成功,為1時則變為未註冊
:005241A5 8B45FC
mov eax, dword ptr [ebp-04]
:005241A8 8B80D0070000 mov eax, dword
ptr [eax+000007D0]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V3.53 (已註冊)"
|
:005241AE BAE06F5200 mov edx,
00526FE0
:005241B3 E808D6F0FF call
004317C0
:005241B8 B201
mov dl, 01
:005241BA A1246B4500 mov eax,
dword ptr [00456B24]
:005241BF E8602AF3FF call
00456C24
:005241C4 898514FFFFFF mov dword
ptr [ebp+FFFFFF14], eax
:005241CA BA02000080 mov edx,
80000002
:005241CF 8B8514FFFFFF mov eax, dword
ptr [ebp+FFFFFF14]
:005241D5 E8EA2AF3FF call
00456CC4
:005241DA 33C9
xor ecx, ecx
* Possible StringData Ref from Code Obj ->"Software\Wom"
|
:005241DC BA98575200 mov edx,
00525798
:005241E1 8B8514FFFFFF mov eax, dword
ptr [ebp+FFFFFF14]
:005241E7 E81C2CF3FF call
00456E08
:005241EC 84C0
test al, al
:005241EE 742F
je 0052421F
* Possible StringData Ref from Code Obj ->"Masters"
|
:005241F0 BA08705200 mov edx,
00527008
:005241F5 8B8514FFFFFF mov eax, dword
ptr [ebp+FFFFFF14]
:005241FB E8B833F3FF call
004575B8
:00524200 84C0
test al, al
:00524202 7410
je 00524214
* Possible StringData Ref from Code Obj ->"Masters"
|
:00524204 BA08705200 mov edx,
00527008
:00524209 8B8514FFFFFF mov eax, dword
ptr [ebp+FFFFFF14]
:0052420F E8902EF3FF call
004570A4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00524202(C)
|
:00524214 8B8514FFFFFF mov eax, dword
ptr [ebp+FFFFFF14]
:0052421A E8752AF3FF call
00456C94
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005241EE(C)
|
:0052421F 8B8514FFFFFF mov eax, dword
ptr [ebp+FFFFFF14]
:00524225 E842EDEDFF call
00402F6C
:0052422A 8B45FC
mov eax, dword ptr [ebp-04]
:0052422D 8B8060040000 mov eax, dword
ptr [eax+00000460]
:00524233 33D2
xor edx, edx
:00524235 E86ED4F0FF call
004316A8
:0052423A B8283F5500 mov eax,
00553F28
* Possible StringData Ref from Code Obj ->"未註冊"
|
:0052423F BA18705200 mov edx,
00527018 <--雙擊“未註冊”後來到這,然後往上翻,看看有沒有與之相關的跳轉語句
:00524244 E8C3FAEDFF call
00403D0C
:00524249 EB5F
jmp 005242AA
//-----------------------------------------------------------------------------------------------
:00518130 55
push ebp <--點了"Call"以後來到這,然後往下翻
:00518131 8BEC
mov ebp, esp
:00518133 81C48CFEFFFF add esp, FFFFFE8C
:00518139 53
push ebx
:0051813A 56
push esi
:0051813B 33D2
xor edx, edx
//-----------------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00518370(C), :0051837C(C)
|
:005183A9 8B95A0FEFFFF mov edx, dword
ptr [ebp+FFFFFEA0]
* Possible StringData Ref from Code Obj ->"cr-wom" <--看著有點眼熟
|
:005183AF B8B8865100 mov eax,
005186B8
:005183B4 E86BBEEEFF call
00404224 <--判斷當前目錄下是否有含"cr-wom"的檔名
:005183B9 85C0
test eax, eax
:005183BB 742B
je 005183E8 <--EAX為1的話就GAME OVER了
:005183BD 8B45FC
mov eax, dword ptr [ebp-04]
:005183C0 8B80D0070000 mov eax, dword
ptr [eax+000007D0]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V3.53 (未註冊)"
|
:005183C6 BA48865100 mov edx,
00518648
:005183CB E8F093F1FF call
004317C0
:005183D0 8BC6
mov eax, esi
:005183D2 E8BDE8F3FF call
00456C94
:005183D7 8BC6
mov eax, esi
:005183D9 E88EABEEFF call
00402F6C
:005183DE BB01000000 mov ebx,
00000001
:005183E3 E9CA010000 jmp 005185B2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005183BB(C)
|
* Possible StringData Ref from Code Obj ->"Windowsyhds.exe" <--看著更加眼熟了
|
:005183E8 B8C8865100 mov eax,
005186C8
:005183ED E8460DEFFF call
00409138 <--判斷當前目錄下是否有含"Windowsyhds.exe"的檔名
:005183F2 84C0
test al, al
:005183F4 751C
jne 00518412 <--al為1的話就GAME OVER了
* Possible StringData Ref from Code Obj ->"fwd.txt"
|
:005183F6 B8E0865100 mov eax,
005186E0
:005183FB E8380DEFFF call
00409138 <--判斷當前目錄下是否有含"fwd.txt"的檔名
:00518400 84C0
test al, al
:00518402 750E
jne 00518412 <--al為1的話就GAME OVER了
* Possible StringData Ref from Code Obj ->"wom29a_k.exe"
|
:00518404 B8F0865100 mov eax,
005186F0
:00518409 E82A0DEFFF call
00409138 <--判斷當前目錄下是否有含"wom29a_k.exe"的檔名
:0051840E 84C0
test al, al
:00518410 742B
je 0051843D <--al為1的話就GAME OVER了
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005183F4(C), :00518402(C)
|
:00518412 8B45FC
mov eax, dword ptr [ebp-04]
:00518415 8B80D0070000 mov eax, dword
ptr [eax+000007D0]
* Possible StringData Ref from Code Obj ->"Windows優化大師 V3.53 (未註冊)"
|
:0051841B BA48865100 mov edx,
00518648
:00518420 E89B93F1FF call
004317C0
:00518425 8BC6
mov eax, esi
:00518427 E868E8F3FF call
00456C94
:0051842C 8BC6
mov eax, esi
:0051842E E839ABEEFF call
00402F6C
:00518433 BB01000000 mov ebx,
00000001
:00518438 E975010000 jmp 005185B2
綜上所述,我們可以得出一個結論:只要該軟體目錄下有檔名包含"cr-wom"字串的序號產生器,或者有"Windowsyhds.exe"、"fwd.txt"、"wom29a_k.exe"這三種檔名中的任何一種,該軟體就會變成未註冊的了。也就是說,重新執行後變回未註冊,是這項針對檔名的檢查造成的,而不是註冊碼本身的問題。解決的辦法就是把序號產生器移到其他的目錄下,或者把序號產生器改名即可。