peter,交一篇FCG的作業:破解NetCaptor最新版6.5.0 Final的限制 (14千字)
〓破解NetCaptor最新版6.5.0 Final的限制〓
破解者:moonlite[BCG][FCG]
目標: NetCaptor最新版6.5.0 Final
應用平臺:Win9X/ME/WinNT/2K
軟體主頁:http://www.netcaptor.com/
大小:675k
軟體用途: 一個比IE好很多的瀏覽器,新版本功能多多,本人一直用它。
保護:ASPack 2.11c 殼,30天試用,提示註冊Nag窗,CRC校驗。
工具:TRW1.22, W32dasm,Caspr,Winhex
◆首先去掉它的時間限制:
首先,用Caspr脫掉外殼。
1)執行NetCaptor.exe,提示視窗彈出,告訴你已經Trial到第幾天了。。。(注:這個視窗只在特定的天數出現,如第1,5,10,15天等等)
點選按鈕“Try NetCaptor”,按Ctrl+D啟用TRW並進入TRW領空。Pmodule一次,再按F12+F10數次,會來到:
:00504643 E80498FDFF call 004DDE4C
:00504648 A1D46F5000 mov eax,
dword ptr [00506FD4]
:0050464D 8A00
mov al, byte ptr [eax]
:0050464F 3C02
cmp al, 02-------------------------->打補丁①:mov al,02★
:00504651 0F94C3
sete bl
:00504654 8B15D46F5000 mov edx, dword
ptr [00506FD4]
:0050465A 3C02
cmp al, 02
:0050465C 0F8498000000 je 005046FA
:00504662 8D45C0
lea eax, dword ptr [ebp-40]
:00504665 E86EECF9FF call 004A32D8
:0050466A 8B75C0
mov esi, dword ptr [ebp-40]
:0050466D A1D46F5000 mov eax,
dword ptr [00506FD4]
:00504672 897004
mov dword ptr [eax+04], esi
:00504675 A1D46F5000 mov eax,
dword ptr [00506FD4]
:0050467A 83FE1E
cmp esi, 0000001E---------------------|這個語句好面熟呵!!
:0050467D 7E08
jle 00504687---------------------------------->游標在此!
:0050467F A1D46F5000 mov eax,
dword ptr [00506FD4]
:00504684 C60001
mov byte ptr [eax], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0050467D(C)
|
:00504687 B9B6945000 mov ecx,
005094B6
:0050468C 8B15D46F5000 mov edx, dword
ptr [00506FD4]
:00504692 8B5204
mov edx, dword ptr [edx+04]
:00504695 A1D46F5000 mov eax,
dword ptr [00506FD4]
:0050469A 8A00
mov al, byte ptr [eax]
:0050469C E8EBF0FFFF call 0050378C------------------------->進這個CALL追下去,會call出Nag提示窗的~~
:005046A1 A0B6945000 mov al,
byte ptr [0050---------------->游標在此!
:005046A6 2C01
sub al, 01
往上看↑:你一定看到問題所在了吧?!(1Eh = 30,上面那句 cmp esi,0000001E 就是與30天試用期比較。)我在0050464F處打第一個補丁。
◆解決它的CRC校驗:
它的CRC校驗很新穎。它不是在程式啟動過程中報錯,而是啟動完成後,大概1分鐘左右,才彈出出錯資訊,確定後程式退出。
可是――>啟動完成後,搜尋出錯的字串,卻搜不到;而出錯視窗彈出後,出錯的字串倒是可以搜尋得到,但是BPM下斷卻攔不到。(後面會看到原因:出錯字串是加密存放的,彈窗前才在記憶體裡還原出來。)
為了攔它還費了菜鳥的腦筋。我想既然啟動完成後不是馬上出錯,而是等一會。。。一定與時間函式有關。
來 BPX GetSystemTime試試:
呵,運氣真好!請看↓
F12+F10 會到這裡:
* Referenced by a CALL at Addresses:
|:004A2B7F , :004D2445 , :004D248B , :004D351C , :004D3CBA
|
:00402A3C 55
push ebp
:00402A3D 8BEC
mov ebp, esp
:00402A3F 83C4E8
add esp, FFFFFFE8
:00402A42 8D45E8
lea eax, dword ptr [ebp-18]
:00402A45 50
push eax
* Reference To: kernel32.GetSystemTime, Ord:0000h
|
:00402A46 E85DE8FFFF Call 004012A8
:00402A4B 0FB745F0 movzx
eax, word ptr [ebp-10]------------>游標在此!
:00402A4F 6BC03C
imul eax, 0000003C
:00402A52 660345F2 add
ax, word ptr [ebp-0E]
:00402A56 6BC03C
imul eax, 0000003C
:00402A59 31D2
xor edx, edx
:00402A5B 668B55F4 mov
dx, word ptr [ebp-0C]
:00402A5F 01D0
add eax, edx
:00402A61 69C0E8030000 imul eax, 000003E8
:00402A67 668B55F6 mov
dx, word ptr [ebp-0A]
:00402A6B 01D0
add eax, edx
:00402A6D 890544805000 mov dword ptr
[00508044], eax
:00402A73 8BE5
mov esp, ebp
:00402A75 5D
pop ebp
:00402A76 C3
ret
接著按F12+F10-->
* Possible StringData Ref from Code Obj ->"?]"
|
:004D30AE 6874314D00 push 004D3174
:004D30B3 64FF30
push dword ptr fs:[eax]
:004D30B6 648920
mov dword ptr fs:[eax], esp
:004D30B9 8BC3
mov eax, ebx
:004D30BB E8CC0B0000 call 004D3C8C
:004D30C0 8D45F4
lea eax, dword ptr [ebp-0C]
:004D30C3 E81002FDFF call 004A32D8
:004D30C8 8B8380080000 mov eax, dword
ptr [ebx+00000880]-------->游標在此!
:004D30CE 85C0
test eax, eax
:004D30D0 0F8483000000 je 004D3159
:004D30D6 33D2
xor edx, edx
:004D30D8 E81F32FDFF call 004A62FC
:004D30DD E8AEF7FCFF call 004A2890---------------------------->返回關鍵的eax值
:004D30E2 3DC0270900 cmp eax,
000927C0------------------------>eax值與927C0比較
:004D30E7 7E70
jle 004D3159----------------------------->eax值不比927C0大的話,CRC 就透過了!補丁②:jmp
004D3159★★
* Possible StringData Ref from Data Obj ->"@"
|
:004D30E9 A18C725000 mov eax,
dword ptr [0050728C]
:004D30EE 803800
cmp byte ptr [eax], 00
:004D30F1 7566
jne 004D3159
:004D30F3 8D4DF0
lea ecx, dword ptr [ebp-10]
:004D30F6 B293
mov dl, 93
* Possible StringData Ref from Code Obj ->"鎣縲蜚琰岢軸狳?
|
:004D30F8 B888314D00 mov eax,
004D3188------------------------>指向加密的“NetCaptor Error”
:004D30FD E836F8FCFF call 004A2938---------------------------->還原加密字串的CALL/進入----->
:004D3102 8B45F0
mov eax, dword ptr [ebp-10]-------------->指向還原後的“NetCaptor Error”
:004D3105 50
push eax--------------------------------->入棧儲存
:004D3106 8D4DEC
lea ecx, dword ptr [ebp-14]
:004D3109 B293
mov dl, 93
◇◇還原加密字串的CALL進入→裡面真的好精彩啊!◇◇
↓-------------------------------------------------------------------↓
* Referenced by a CALL at Addresses:
|:004A2A25 , :004A2ACC , :004A2B1C , :004A2D34 , :004A324A
|:004D30FD , :004D3110 , :004D32A8 , :004D32BB , :00503905
|:0050392D , :0050395B , :0050397D , :005039A5 , :005039CF
|:005039F7 , :00503A19 , :00503A48 , :00503AF4
|
:004A2938 55
push ebp
:004A2939 8BEC
mov ebp, esp
:004A293B 83C4F4
add esp, FFFFFFF4
:004A293E 53
push ebx
:004A293F 56
push esi
:004A2940 57
push edi
:004A2941 33DB
xor ebx, ebx
:004A2943 895DF4
mov dword ptr [ebp-0C], ebx
:004A2946 8BF1
mov esi, ecx
:004A2948 8855FB
mov byte ptr [ebp-05], dl-------------->解密引數93h
:004A294B 8945FC
mov dword ptr [ebp-04], eax------------>還原後的字串地址儲存到[ebp-04]
:004A294E 33C0
xor eax, eax
:004A2950 55
push ebp
* Possible StringData Ref from Code Obj ->"?^]3UJd0?P3ZYh)"
|
:004A2951 68A5294A00 push 004A29A5
:004A2956 64FF30
push dword ptr fs:[eax]
:004A2959 648920
mov dword ptr fs:[eax], esp
:004A295C 8B45FC
mov eax, dword ptr [ebp-04]
:004A295F E89416F6FF call 00403FF8-------------------------->算加密字串長度,並返回到eax
:004A2964 8BD8
mov ebx, eax--------------------------->將加密字串長度送ebx
:004A2966 85DB
test ebx, ebx
:004A2968 7E25
jle 004A298F
:004A296A BF01000000 mov edi,
00000001----------------------->edi置1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A298D(C)
|
:004A296F 8D45F4
lea eax, dword ptr [ebp-0C]------------>將解密後的字串地址送eax
:004A2972 8B55FC
mov edx, dword ptr [ebp-04]------------>指向加密的字串
:004A2975 8A543AFF mov
dl, byte ptr [edx+edi-01]---------->從加密的字串取一個字元
:004A2979 3255FB
xor dl, byte ptr [ebp-05]-------------->與93h 異或後,dl所儲存的就是解密後的字元了!
:004A297C E88315F6FF call 00403F04
:004A2981 8B55F4
mov edx, dword ptr [ebp-0C]------------>指向解密後的字串地址
:004A2984 8BC6
mov eax, esi
:004A2986 E87516F6FF call 00404000-------------------------->將還原後的字元送上述地址儲存
:004A298B 47
inc edi-------------------------------->edi加1
:004A298C 4B
dec ebx
:004A298D 75E0
jne 004A296F--------------------------->迴圈完了嗎?沒完就繼續↑
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A2968(C)
|
:004A298F 33C0
xor eax, eax
:004A2991 5A
pop edx
:004A2992 59
pop ecx
:004A2993 59
pop ecx
:004A2994 648910
mov dword ptr fs:[eax], edx
* Possible StringData Ref from Code Obj ->"_[迕U燉h)"
|
:004A2997 68AC294A00 push 004A29AC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A29AA(U)
|
:004A299C 8D45F4
lea eax, dword ptr [ebp-0C]
:004A299F E8B813F6FF call 00403D5C
:004A29A4 C3
ret
↑-------------------------------------------------------------------↑
繼續往下走...
* Possible StringData Ref from Code Obj ->"軀齔鎣縲蜚琰岢鯖鯧驍蝰齔喑聆鯿櫥蟒螋鱝蔣襻?
->"峴?鯢圉翅鼉噻?齒鯀序沌?
|
:004D310B B8A0314D00 mov eax,
004D31A0------------------------>指向加密的CRC出錯資訊
:004D3110 E823F8FCFF call 004A2938---------------------------->還原加密字串的CALL
:004D3115 8B45EC
mov eax, dword ptr [ebp-14]-------------->指向CRC出錯資訊(如下↓)
*******************************************
The NetCaptor executable has been damaged.
Please re-install NetCaptor.
*******************************************
:004D3118 50
push eax
:004D3119 6A00
push 00000000
:004D311B 8D4DE8
lea ecx, dword ptr [ebp-18]
:004D311E BAF8314D00 mov edx,
004D31F8
:004D3123 8BC3
mov eax, ebx
:004D3125 E85EC7FFFF call 004CF888
:004D312A 8B45E8
mov eax, dword ptr [ebp-18]
:004D312D 50
push eax
:004D312E 6A00
push 00000000
:004D3130 8D45FF
lea eax, dword ptr [ebp-01]
:004D3133 50
push eax
:004D3134 6A00
push 00000000
:004D3136 6A00
push 00000000
:004D3138 8D55E4
lea edx, dword ptr [ebp-1C]
* Possible StringData Ref from Code Obj ->"P"
|
:004D313B A184725000 mov eax,
dword ptr [00507284]
:004D3140 E82B35F3FF call 00406670
:004D3145 8B4DE4
mov ecx, dword ptr [ebp-1C]
:004D3148 8B5358
mov edx, dword ptr [ebx+58]
:004D314B 8BC3
mov eax, ebx
:004D314D E80AA40000 call 004DD55C---------------------------->CRC出錯啦!!
:004D3152 8BC3
mov eax, ebx
:004D3154 E8C7EAF7FF call 00451C20
 ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄ ̄
◆補充一點:
這樣改過後,還有一點美中不足的是:在About視窗,總會有“You are on day XX of your 30-day evaluation period.”文字。
讓我們美化美化。用W32dasm反彙編後,查詢該字串:
* Possible StringData Ref from Code Obj ->"NetCaptor 6.5.0"
|
:004C6277 BAA8634C00 mov edx,
004C63A8
:004C627C E873DBF3FF call 00403DF4
:004C6281 803DE48F500002 cmp byte ptr [00508FE4],
02
:004C6288 7527
jne 004C62B1------------------------------->不要跳呵|補丁③:nop 掉★★★
* Possible StringData Ref from Code Obj ->"Registered to: "
|
:004C628A 68C0634C00 push 004C63C0
:004C628F FF35EC8F5000 push dword ptr
[00508FEC]
:004C6295 6878634C00 push 004C6378
:004C629A 6878634C00 push 004C6378
:004C629F FF75F8
push [ebp-08]
:004C62A2 8D45F8
lea eax, dword ptr [ebp-08]
:004C62A5 BA05000000 mov edx,
00000005
:004C62AA E809DEF3FF call 004040B8
:004C62AF EB49
jmp 004C62FA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C6288(C)
|
* Possible StringData Ref from Code Obj ->"You are on day "---------------------|站在此往上看↑
|
:004C62B1 68D8634C00 push 004C63D8
:004C62B6 8D55E4
lea edx, dword ptr [ebp-1C]
:004C62B9 A1E88F5000 mov eax,
dword ptr [00508FE8]
:004C62BE E82935F4FF call 004097EC
:004C62C3 FF75E4
push [ebp-1C]
* Possible StringData Ref from Code Obj ->" of your "
|
:004C62C6 68F0634C00 push 004C63F0
:004C62CB 8D55E0
lea edx, dword ptr [ebp-20]
:004C62CE B81E000000 mov eax,
0000001E
:004C62D3 E81435F4FF call 004097EC
:004C62D8 FF75E0
push [ebp-20]
* Possible StringData Ref from Code Obj ->"-day evaluation period."
|
:004C62DB 6804644C00 push 004C6404
:004C62E0 6878634C00 push 004C6378
:004C62E5 6878634C00 push 004C6378
:004C62EA FF75F8
push [ebp-08]
------------------------------------☆
當然,為了Art of Crack的考慮,你可以修改其它地方,那就看你的了。好!
收工!
補丁① @offset 103a4f 3C02-->B002
補丁② @offset d24e7 7E70-->EB70
補丁③ @offset c5688 7527-->9090
2001-10-1 《完》