explor2000的破解
ASProtect1.2以後版本加殼,ep=5f4690。
用bo2k找不到入口。手動跟蹤方法參見(1),脫殼方法參見(2)。
explor2000的破解方法如下。
先執行superbpm,再執行trw,下bpx 5f4690,g。
trw彈出後,下pedump c:\explor2k.exe 脫殼。
用w32dasm對脫殼後的explor2k.exe進行反彙編。在Refs/String Data References中找'trialversion',找到後雙擊,看到下面這段(用find text找也可)
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005D1D0E(U), :005D1D1A(C)
|
:005D1D2D 8D45F8
lea eax, dword ptr [ebp-08]
:005D1D30 8B1520D05F00 mov edx, dword
ptr [005FD020]
:005D1D36 E87523E3FF call
004040B0 ;這是一個關鍵的call
:005D1D3B 8B45F8
mov eax, dword ptr [ebp-08]
:005D1D3E E83524E3FF call
00404178 ;這裡不是關鍵,進去就知道
:005D1D43 85C0
test eax, eax
:005D1D45 0F8FD2000000 jg 005D1E1D
;跳就對了
:005D1D4B 833D28D05F0000 cmp dword ptr [005FD028],
00000000 ;[5fd028]中放的是剩餘天數
:005D1D52 7E47
jle 005D1D9B
:005D1D54 833D28D05F001E cmp dword ptr [005FD028],
0000001E ;試用期為30天
:005D1D5B 7E07
jle 005D1D64
:005D1D5D B805000000 mov eax,
00000005
:005D1D62 EB0B
jmp 005D1D6F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005D1D5B(C)
|
:005D1D64 B823000000 mov eax,
00000023
:005D1D69 2B0528D05F00 sub eax, dword
ptr [005FD028]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005D1D62(U)
|
:005D1D6F 83F80A
cmp eax, 0000000A
:005D1D72 7E05
jle 005D1D79
:005D1D74 B80A000000 mov eax,
0000000A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005D1D72(C)
|
:005D1D79 8B55FC
mov edx, dword ptr [ebp-04]
:005D1D7C 52
push edx
:005D1D7D 68641F5D00 push
005D1F64
:005D1D82 50
push eax
:005D1D83 8B45FC
mov eax, dword ptr [ebp-04]
:005D1D86 8B90FC040000 mov edx, dword
ptr [eax+000004FC]
:005D1D8C B103
mov cl, 03
:005D1D8E 8B45FC
mov eax, dword ptr [ebp-04]
:005D1D91 E812020000 call
005D1FA8
:005D1D96 E982000000 jmp 005D1E1D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005D1D52(C)
|
:005D1D9B E8140EE3FF call
00402BB4
:005D1DA0 B80A000000 mov eax,
0000000A
:005D1DA5 E8CE10E3FF call
00402E78
:005D1DAA 83F802
cmp eax, 00000002
:005D1DAD 7550
jne 005D1DFF
:005D1DAF 6A30
push 00000030
* Possible StringData Ref from Code Obj ->"EXPLOR2000"
|
:005D1DB1 68E01E5D00 push
005D1EE0
:005D1DB6 8D4DF4
lea ecx, dword ptr [ebp-0C]
:005D1DB9 8B45FC
mov eax, dword ptr [ebp-04]
:005D1DBC 8B8054050000 mov eax, dword
ptr [eax+00000554]
* Possible StringData Ref from Code Obj ->"TrialVersion"
|
:005D1DC2 BAF41E5D00 mov edx,
005D1EF4 ;顯示試用字樣
:005D1DC7 E838B0F5FF call
0052CE04
下bpx 5d1d36,trw彈出後按F8進入
0167:004040B0 31C9 XOR
ECX,ECX
0167:004040B2 85D2 TEST
EDX,EDX
0167:004040B4 7421 JZ
004040D7
0167:004040B6 52 PUSH
EDX
0167:004040B7 3A0A CMP
CL,[EDX] ;[edx]=[1333405]=0。把它改為1,bd,g。
0167:004040B9 7417 JZ
004040D2 ;嘿嘿,居然成為註冊版了。不過使用者名稱是亂碼。
0167:004040BB 3A4A01 CMP
CL,[EDX+01]
0167:004040BE 7411 JZ
004040D1
0167:004040C0 3A4A02 CMP
CL,[EDX+02]
0167:004040C3 740B JZ
004040D0
0167:004040C5 3A4A03 CMP
CL,[EDX+03]
0167:004040C8 7405 JZ
004040CF
0167:004040CA 83C204 ADD
EDX,BYTE +04
0167:004040CD EBE8 JMP
SHORT 004040B7
0167:004040CF 42 INC
EDX
0167:004040D0 42 INC
EDX
0167:004040D1 42 INC
EDX
0167:004040D2 89D1 MOV
ECX,EDX
0167:004040D4 5A POP
EDX
0167:004040D5 29D1 SUB
ECX,EDX
0167:004040D7 E904FFFFFF JMP 00403FE0
0167:004040DC C3 RET
因為4040b0經常被呼叫,所以不能在這裡修改。一種偷懶的方法是使用記憶體補丁ppatcher3.93。
把以下內容存為ppatcher.ppc,連同ppatcher.exe拷到explor2000安裝目錄下,執行ppatcher.exe即可,連脫殼也不用了。
------------------------------------------------
#Process Patcher Configuration File
Version=3.93
WaitForWindowName=Explor2000
PatchAuthor=kingtall
DisplayName=Explor2000
Filename=Explor2000.exe
Filesize=933376
Address=0x1333405:0x00:0x01
#End of Configuration File
-----------------------------------------------
程式中一定有直接對[1333405]進行修改的地方,懶得再找了。哪位大哥找到了,別忘說一聲。
(1)
http://001.com.cn/forum/toye/14434.html
標 題:如何跟蹤ASProtect外殼加密過的程式? (7千字)
作 者:ljtt
時 間:2001-4-13 21:30:27
(2)
http://001.com.cn/forum/toye/15931.html
標 題:PicturesToExe3.51的脫殼 (2千字)
作 者:hying
時 間:2001-4-22 19:18:35