滑鼠增強工具MouseStar 2.1破解過程:
CRACKTOOLS:regshot、trw2000 1.23、W32DASM中文版、Ultraedit 8.10a、language 2000 V4.5
1、習慣性動作:安裝前用REGSHOT搞一下。
2、習慣性動作:用language 2000 V4.5查檔案是否加殼,所幸,沒。
3、習慣性動作:用W32DASM反彙編一下,看是否有線索(即註冊失敗與成功的提示字串)
所幸找到三處“感謝註冊”,如下:
:0047E3A2 8D55F8
lea edx, dword ptr [ebp-08]
:0047E3A5 E88A9BF8FF call 00407F34
:0047E3AA 837DF800 cmp
dword ptr [ebp-08], 00000000
:0047E3AE 0F84C1000000 je 0047E475
:0047E3B4 8D55FC
lea edx, dword ptr [ebp-04]
:0047E3B7 A1284B4800 mov eax,
dword ptr [00484B28]
:0047E3BC 8B00
mov eax, dword ptr [eax]
:0047E3BE E861340000 call 00481824
:0047E3C3 8D55F0
lea edx, dword ptr [ebp-10]
:0047E3C6 8B83D4020000 mov eax, dword
ptr [ebx+000002D4]
:0047E3CC E8E7E6FAFF call 0042CAB8
:0047E3D1 8B45F0
mov eax, dword ptr [ebp-10] //直覺感到這裡是取我們輸入的註冊碼
:0047E3D4 8B55FC
mov edx, dword ptr [ebp-04] //則這裡就有可能是真正的註冊碼。
:0047E3D7 E8545AF8FF call 00403E30
:0047E3DC 0F8593000000 jne 0047E475
* Possible StringData Ref from Code Obj ->"感謝註冊"
|
:0047E3E2 BAB4E44700 mov edx,
0047E4B4
:0047E3E7 8B83D4020000 mov eax, dword
ptr [ebx+000002D4]
馬上用TRW2000來驗證一下,執行mousestar.exe,輸入註冊碼78787878,調出TRW2000,BPX 0047E3D1,F5,
點註冊,⊙_⊙,沒攔下?倒,看來直覺是失誤了,呵。
不怕再看下面:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00481107(C), :0048113B(U)
|
:00481153 8BC3
mov eax, ebx
:00481155 E80E030000 call 00481468
:0048115A 80BBBB04000000 cmp byte ptr [ebx+000004BB],
00
:00481161 7456
je 004811B9
* Possible StringData Ref from Code Obj ->"感謝註冊"
|
:00481163 BAC4124800 mov edx,
004812C4
還有:
:004818EC 0300
add eax, dword ptr [eax]
:004818EE 0000
add byte ptr [eax], al
:004818F0 312E
xor dword ptr [esi], ebp
:004818F2 3000
xor byte ptr [eax], al
:004818F4 55
push ebp
:004818F5 8BEC
mov ebp, esp
:004818F7 33C9
xor ecx, ecx
:004818F9 51
push ecx
:004818FA 51
push ecx
:004818FB 51
push ecx
:004818FC 51
push ecx
:004818FD 53
push ebx
:004818FE 8BD8
mov ebx, eax
:00481900 33C0
xor eax, eax
:00481902 55
push ebp
:00481903 68FC194800 push 004819FC
:00481908 64FF30
push dword ptr fs:[eax]
:0048190B 648920
mov dword ptr fs:[eax], esp
:0048190E 8D55F4
lea edx, dword ptr [ebp-0C]
:00481911 8B83A4030000 mov eax, dword
ptr [ebx+000003A4]
:00481917 E89CB1FAFF call 0042CAB8
:0048191C 8B45F4
mov eax, dword ptr [ebp-0C]
:0048191F 8D55F8
lea edx, dword ptr [ebp-08]
:00481922 E80D66F8FF call 00407F34
:00481927 837DF800 cmp
dword ptr [ebp-08], 00000000
:0048192B 0F84A3000000 je 004819D4
:00481931 8D55FC
lea edx, dword ptr [ebp-04]
:00481934 8BC3
mov eax, ebx
:00481936 E8E9FEFFFF call 00481824
:0048193B 8D55F0
lea edx, dword ptr [ebp-10]
:0048193E 8B83A4030000 mov eax, dword
ptr [ebx+000003A4]
:00481944 E86FB1FAFF call 0042CAB8
:00481949 8B45F0
mov eax, dword ptr [ebp-10] //這裡也象上面一樣喲
:0048194C 8B55FC
mov edx, dword ptr [ebp-04] //也下個斷點試試。
:0048194F E8DC24F8FF call 00403E30
//真假對比。
:00481954 757E
jne 004819D4
//暴破改這裡為NOP NOP
* Possible StringData Ref from Code Obj ->"感謝註冊"
|
:00481956 BA101A4800 mov edx,
00481A10
:0048195B 8B83A4030000 mov eax, dword
ptr [ebx+000003A4]
退出MouseStar,重複上次的操作,下BPX 00481949,F5,註冊,YES!攔到了。
F10兩次,走到0048194F上,
D EAX, 顯示78787878,有門,D EDX,顯示336b9f6b,明碼顯示?!就是它?!
抄下。BC *
重新執行MouseStar,用336b9f6b註冊,出現“感謝註冊”,成功。
退出MouseStar,第二次執行REGSHOT並對比:
**Original contents Maybe deleted or modified**
NONE!
**Keys&Values Modified | Added in the 2ndShot**
H.U\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component
Categories\{00021492-0000-0000-C000-000000000046}
H.U\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component
Categories\{00021492-0000-0000-C000-000000000046}\Enum
H.U\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component
Categories\{00021492-0000-0000-C000-000000000046}\Enum\Implementing: 1C 00 00
00 01 00 00 00 D1 07 07 00 05 00 1B 00 0A 00 35 00 39 00 8C 00 02 00 00 00 21
BF 5C 0E 5F D1 D0 11 83 01 00 AA 00 5B 43 83 81 45 E0 01 EE 4E D0 11 BF E9 00
AA 00 5B 43 83
H.U\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\@browselc.dll,-13138:
"連結(&L)"
H.U\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\@browselc.dll,-13137:
"地址(&A)"
H.U\.DEFAULT\Software\MouseStar 1.0
H.U\.DEFAULT\Software\MouseStar 1.0\Key: "336b9f6b" //呵呵,註冊碼在這
既然知道了比較的CALL,也就進去看看吧。先刪除H.U\.DEFAULT\Software\MouseStar 1.0\Key: "336b9f6b"
讓它還原成未註冊版。
用W32DASM開啟MouseStar.exe
進:0048194F E8DC24F8FF call 00403E30
:00403E30 53
push ebx
:00403E31 56
push esi
:00403E32 57
push edi
:00403E33 89C6
mov esi, eax
:00403E35 89D7
mov edi, edx
:00403E37 39D0
cmp eax, edx //就是這裡了。
:00403E39 0F848F000000 je 00403ECE
:00403E3F 85F6
test esi, esi
:00403E41 7468
je 00403EAB
:00403E43 85FF
test edi, edi
:00403E45 746B
je 00403EB2
:00403E47 8B46FC
mov eax, dword ptr [esi-04]
:00403E4A 8B57FC
mov edx, dword ptr [edi-04]
:00403E4D 29D0
sub eax, edx
:00403E4F 7702
ja 00403E53
:00403E51 01C2
add edx, eax
好,用CRACKCODE2000做個序號產生器
CRACKCODE.INI內容為:
[Options]
CommandLine=mousestar.exe
Mode=2
//程式執行到00481949賦值後回0040E30對比,所以用增強模式
First_Break_Address=48194F //呼叫的CALL的偏移地址
First_Break_Address_Code=E8 //此CALL的第一個位元組
First_Break_Address_Code_Lenth=5 //此呼叫語句共5個位元組
Second_Break_Address=403E37 //真假碼對比處的偏移地址
Second_Break_Address_Code=39 //語句的第一個位元組
Second_Break_Address_Code_Lenth=2 //共有2個位元組
Save_Code_Address=EDX //放真註冊碼的地方
測試,成功。
再試一下暴破,將:00481954處的757E改為9090,成功。
並自動寫登錄檔H.U\.DEFAULT\Software\MouseStar 1.0\Key: "336b9f6b"
皇賢
2001.7.27