peter,交一篇FCG的作業：破解NetCaptor最新版6.5.0 Final的限制 (14千字)

〓破解NetCaptor最新版6.5.0 Final的限制〓

破解者：moonlite[BCG][FCG]
目標： NetCaptor最新版6.5.0 Final
應用平臺：Win9X/ME/WinNT/2K
軟體主頁：http://www.netcaptor.com/
大小：675k
軟體用途：一個比IE好很多的瀏覽器，新版本功能多多，本人一直用它。
保護：ASPack 2.11c 殼，30天試用，提示註冊Nag窗，CRC校驗。
工具：TRW1.22, W32dasm,Caspr,Winhex

◆首先去掉它的時間限制：

首先，用Caspr脫掉外殼。

1)執行NetCaptor.exe，提示視窗彈出，告訴你已經Trial到第幾天了。。。(注：這個視窗只在特定的天數出現，如第1，5，10，15天等等)
點選按鈕“Try NetCaptor”，並Ctrl+D啟用，並來到TRW領空。Pmodule一次，並按F12+F10數次，會來到：

:00504643 E80498FDFF call 004DDE4C
:00504648 A1D46F5000 mov eax, dword ptr [00506FD4]
:0050464D 8A00 mov al, byte ptr [eax]
:0050464F 3C02 cmp al, 02-------------------------->打補丁①：mov al,02★
:00504651 0F94C3 sete bl
:00504654 8B15D46F5000 mov edx, dword ptr [00506FD4]
:0050465A 3C02 cmp al, 02
:0050465C 0F8498000000 je 005046FA
:00504662 8D45C0 lea eax, dword ptr [ebp-40]
:00504665 E86EECF9FF call 004A32D8
:0050466A 8B75C0 mov esi, dword ptr [ebp-40]
:0050466D A1D46F5000 mov eax, dword ptr [00506FD4]
:00504672 897004 mov dword ptr [eax+04], esi
:00504675 A1D46F5000 mov eax, dword ptr [00506FD4]
:0050467A 83FE1E cmp esi, 0000001E---------------------|這個語句好面熟呵！！
:0050467D 7E08 jle 00504687---------------------------------->游標在此！
:0050467F A1D46F5000 mov eax, dword ptr [00506FD4]
:00504684 C60001 mov byte ptr [eax], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050467D(C)
|
:00504687 B9B6945000 mov ecx, 005094B6
:0050468C 8B15D46F5000 mov edx, dword ptr [00506FD4]
:00504692 8B5204 mov edx, dword ptr [edx+04]
:00504695 A1D46F5000 mov eax, dword ptr [00506FD4]
:0050469A 8A00 mov al, byte ptr [eax]
:0050469C E8EBF0FFFF call 0050378C------------------------->進這個CALL追下去，會call出Nag提示窗的~~
:005046A1 A0B6945000 mov al, byte ptr [0050---------------->游標在此！
:005046A6 2C01 sub al, 01

Up↑往上看：你一定看到問題所在了吧？！我在0050464F處打第一個補丁。

◆解決它的CRC校驗：

它的CRC校驗很新穎。它不是在程式啟動過程中報錯，而是啟動完成後，大概1分鐘左右，才彈出出錯資訊，確定後程式退出。
可是――>啟動完成後，搜尋出錯的字串，卻搜不到；而出錯視窗彈出後，出錯的字串倒是可以搜尋得到，但是BPM下斷卻攔不到。
為了攔它還費了菜鳥的腦筋。我想既然啟動完成後不是馬上出錯，而是等一會。。。一定與時間函式有關。
來 BPX GetSystemTime試試：
呵，運氣真好！請看↓

F12+F10 會到這裡：

* Referenced by a CALL at Addresses:
|:004A2B7F , :004D2445 , :004D248B , :004D351C , :004D3CBA
|
:00402A3C 55 push ebp
:00402A3D 8BEC mov ebp, esp
:00402A3F 83C4E8 add esp, FFFFFFE8
:00402A42 8D45E8 lea eax, dword ptr [ebp-18]
:00402A45 50 push eax

* Reference To: kernel32.GetSystemTime, Ord:0000h
|
:00402A46 E85DE8FFFF Call 004012A8
:00402A4B 0FB745F0 movzx eax, word ptr [ebp-10]------------>游標在此！
:00402A4F 6BC03C imul eax, 0000003C
:00402A52 660345F2 add ax, word ptr [ebp-0E]
:00402A56 6BC03C imul eax, 0000003C
:00402A59 31D2 xor edx, edx
:00402A5B 668B55F4 mov dx, word ptr [ebp-0C]
:00402A5F 01D0 add eax, edx
:00402A61 69C0E8030000 imul eax, 000003E8
:00402A67 668B55F6 mov dx, word ptr [ebp-0A]
:00402A6B 01D0 add eax, edx
:00402A6D 890544805000 mov dword ptr [00508044], eax
:00402A73 8BE5 mov esp, ebp
:00402A75 5D pop ebp
:00402A76 C3 ret

接著按F12+F10-->

* Possible StringData Ref from Code Obj ->"?]"
|
:004D30AE 6874314D00 push 004D3174
:004D30B3 64FF30 push dword ptr fs:[eax]
:004D30B6 648920 mov dword ptr fs:[eax], esp
:004D30B9 8BC3 mov eax, ebx
:004D30BB E8CC0B0000 call 004D3C8C
:004D30C0 8D45F4 lea eax, dword ptr [ebp-0C]
:004D30C3 E81002FDFF call 004A32D8
:004D30C8 8B8380080000 mov eax, dword ptr [ebx+00000880]-------->游標在此！
:004D30CE 85C0 test eax, eax
:004D30D0 0F8483000000 je 004D3159
:004D30D6 33D2 xor edx, edx
:004D30D8 E81F32FDFF call 004A62FC
:004D30DD E8AEF7FCFF call 004A2890---------------------------->返回關鍵的eax值
:004D30E2 3DC0270900 cmp eax, 000927C0------------------------>eax值與927C0比較
:004D30E7 7E70 jle 004D3159----------------------------->eax值不比927C0大的話，CRC 就透過了！補丁②：jmp 004D3159★★
* Possible StringData Ref from Data Obj ->"@"
|
:004D30E9 A18C725000 mov eax, dword ptr [0050728C]
:004D30EE 803800 cmp byte ptr [eax], 00
:004D30F1 7566 jne 004D3159
:004D30F3 8D4DF0 lea ecx, dword ptr [ebp-10]
:004D30F6 B293 mov dl, 93

* Possible StringData Ref from Code Obj ->"鎣縲蜚琰岢軸狳?
|
:004D30F8 B888314D00 mov eax, 004D3188------------------------>指向加密的“NetCaptor Error”
:004D30FD E836F8FCFF call 004A2938---------------------------->還原加密字串的CALL/進入----->
:004D3102 8B45F0 mov eax, dword ptr [ebp-10]-------------->指向還原後的“NetCaptor Error”
:004D3105 50 push eax--------------------------------->入棧儲存
:004D3106 8D4DEC lea ecx, dword ptr [ebp-14]
:004D3109 B293 mov dl, 93

◇◇還原加密字串的CALL進入→裡面真的好精彩啊！◇◇

↓-------------------------------------------------------------------↓

* Referenced by a CALL at Addresses:
|:004A2A25 , :004A2ACC , :004A2B1C , :004A2D34 , :004A324A
|:004D30FD , :004D3110 , :004D32A8 , :004D32BB , :00503905
|:0050392D , :0050395B , :0050397D , :005039A5 , :005039CF
|:005039F7 , :00503A19 , :00503A48 , :00503AF4
|
:004A2938 55 push ebp
:004A2939 8BEC mov ebp, esp
:004A293B 83C4F4 add esp, FFFFFFF4
:004A293E 53 push ebx
:004A293F 56 push esi
:004A2940 57 push edi
:004A2941 33DB xor ebx, ebx
:004A2943 895DF4 mov dword ptr [ebp-0C], ebx
:004A2946 8BF1 mov esi, ecx
:004A2948 8855FB mov byte ptr [ebp-05], dl-------------->解密引數93h
:004A294B 8945FC mov dword ptr [ebp-04], eax------------>還原後的字串地址儲存到[ebp-04]
:004A294E 33C0 xor eax, eax
:004A2950 55 push ebp

* Possible StringData Ref from Code Obj ->"?^]3UJd0?P3ZYh)"
|
:004A2951 68A5294A00 push 004A29A5
:004A2956 64FF30 push dword ptr fs:[eax]
:004A2959 648920 mov dword ptr fs:[eax], esp
:004A295C 8B45FC mov eax, dword ptr [ebp-04]
:004A295F E89416F6FF call 00403FF8-------------------------->算加密字串長度，並返回到eax
:004A2964 8BD8 mov ebx, eax--------------------------->將加密字串長度送ebx
:004A2966 85DB test ebx, ebx
:004A2968 7E25 jle 004A298F
:004A296A BF01000000 mov edi, 00000001----------------------->edi置1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A298D(C)
|
:004A296F 8D45F4 lea eax, dword ptr [ebp-0C]------------>將解密後的字串地址送eax
:004A2972 8B55FC mov edx, dword ptr [ebp-04]------------>指向加密的字串
:004A2975 8A543AFF mov dl, byte ptr [edx+edi-01]---------->從加密的字串取一個字元
:004A2979 3255FB xor dl, byte ptr [ebp-05]-------------->與93h 異或後，dl所儲存的就是解密後的字元了！
:004A297C E88315F6FF call 00403F04
:004A2981 8B55F4 mov edx, dword ptr [ebp-0C]------------>指向解密後的字串地址
:004A2984 8BC6 mov eax, esi
:004A2986 E87516F6FF call 00404000-------------------------->將還原後的字元送上述地址儲存
:004A298B 47 inc edi-------------------------------->edi加1
:004A298C 4B dec ebx
:004A298D 75E0 jne 004A296F--------------------------->迴圈完了嗎？沒完就繼續↑

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A2968(C)
|
:004A298F 33C0 xor eax, eax
:004A2991 5A pop edx
:004A2992 59 pop ecx
:004A2993 59 pop ecx
:004A2994 648910 mov dword ptr fs:[eax], edx

* Possible StringData Ref from Code Obj ->"_[迕U燉h)"
|
:004A2997 68AC294A00 push 004A29AC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A29AA(U)
|
:004A299C 8D45F4 lea eax, dword ptr [ebp-0C]
:004A299F E8B813F6FF call 00403D5C
:004A29A4 C3 ret

↑-------------------------------------------------------------------↑

繼續往下走...

* Possible StringData Ref from Code Obj ->"軀齔鎣縲蜚琰岢鯖鯧驍蝰齔喑聆鯿櫥蟒螋鱝蔣襻?
->"峴?鯢圉翅鼉噻?齒鯀序沌?
|
:004D310B B8A0314D00 mov eax, 004D31A0------------------------>指向加密的CRC出錯資訊
:004D3110 E823F8FCFF call 004A2938---------------------------->還原加密字串的CALL
:004D3115 8B45EC mov eax, dword ptr [ebp-14]-------------->指向CRC出錯資訊(如下↓)

*******************************************
The NetCaptor executable has been damaged.
Please re-install NetCaptor.
*******************************************

:004D3118 50 push eax
:004D3119 6A00 push 00000000
:004D311B 8D4DE8 lea ecx, dword ptr [ebp-18]
:004D311E BAF8314D00 mov edx, 004D31F8
:004D3123 8BC3 mov eax, ebx
:004D3125 E85EC7FFFF call 004CF888
:004D312A 8B45E8 mov eax, dword ptr [ebp-18]
:004D312D 50 push eax
:004D312E 6A00 push 00000000
:004D3130 8D45FF lea eax, dword ptr [ebp-01]
:004D3133 50 push eax
:004D3134 6A00 push 00000000
:004D3136 6A00 push 00000000
:004D3138 8D55E4 lea edx, dword ptr [ebp-1C]

* Possible StringData Ref from Code Obj ->"P"
|
:004D313B A184725000 mov eax, dword ptr [00507284]
:004D3140 E82B35F3FF call 00406670
:004D3145 8B4DE4 mov ecx, dword ptr [ebp-1C]
:004D3148 8B5358 mov edx, dword ptr [ebx+58]
:004D314B 8BC3 mov eax, ebx
:004D314D E80AA40000 call 004DD55C---------------------------->CRC出錯啦！！
:004D3152 8BC3 mov eax, ebx
:004D3154 E8C7EAF7FF call 00451C20

￣￣￣￣￣￣￣￣￣￣￣￣￣

◆補充一點：
這樣改過後，還有一點美中不足的是：在About視窗，總會有“You are on day XX of your 30-day evaluation period.”文字。
讓我們美化美化。用W32dasm反彙編後，查詢該字串：

* Possible StringData Ref from Code Obj ->"NetCaptor 6.5.0"
|
:004C6277 BAA8634C00 mov edx, 004C63A8
:004C627C E873DBF3FF call 00403DF4
:004C6281 803DE48F500002 cmp byte ptr [00508FE4], 02
:004C6288 7527 jne 004C62B1------------------------------->不要跳呵|補丁③：nop 掉★★★

* Possible StringData Ref from Code Obj ->"Registered to: "
|
:004C628A 68C0634C00 push 004C63C0
:004C628F FF35EC8F5000 push dword ptr [00508FEC]
:004C6295 6878634C00 push 004C6378
:004C629A 6878634C00 push 004C6378
:004C629F FF75F8 push [ebp-08]
:004C62A2 8D45F8 lea eax, dword ptr [ebp-08]
:004C62A5 BA05000000 mov edx, 00000005
:004C62AA E809DEF3FF call 004040B8
:004C62AF EB49 jmp 004C62FA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C6288(C)
|

* Possible StringData Ref from Code Obj ->"You are on day "---------------------|站在此往上看↑
|
:004C62B1 68D8634C00 push 004C63D8
:004C62B6 8D55E4 lea edx, dword ptr [ebp-1C]
:004C62B9 A1E88F5000 mov eax, dword ptr [00508FE8]
:004C62BE E82935F4FF call 004097EC
:004C62C3 FF75E4 push [ebp-1C]

* Possible StringData Ref from Code Obj ->" of your "
|
:004C62C6 68F0634C00 push 004C63F0
:004C62CB 8D55E0 lea edx, dword ptr [ebp-20]
:004C62CE B81E000000 mov eax, 0000001E
:004C62D3 E81435F4FF call 004097EC
:004C62D8 FF75E0 push [ebp-20]

* Possible StringData Ref from Code Obj ->"-day evaluation period."
|
:004C62DB 6804644C00 push 004C6404
:004C62E0 6878634C00 push 004C6378
:004C62E5 6878634C00 push 004C6378
:004C62EA FF75F8 push [ebp-08]

------------------------------------☆

當然，為了Art of Crack的考慮，你可以修改其它地方，那就看你的了。好！
收工！

補丁①　　　　　　@offset 103a4f 3C02-->B002
補丁②　　　　　　@offset d24e7 7E70-->EB70
補丁③　　　　　　@offset c5688 7527-->9090

2001-10-1 《完》

peter,交一篇FCG的作業：破解NetCaptor最新版6.5.0 Final的限制 (14千字)

相關文章