美萍反黃專家 版本3.2破解實錄
================
破解時間:2001-12-8
軟體簡介:該軟體對抗TRW、SOFTICE、WD32SM、CRACKCODE等破解工具!
破解形式:註冊碼
破解工具:trw(除錯工具)、pw32dasm(反彙編)
破解作者:ybyb
具體破解過程:
第一部分,破解對抗
==============
一、用FI偵測,發現它用ASPACK殼,於是用caspr110解壓.
二、解除發現破解工具立即關機問題!
先執行shield.exe,它會自動檢測你的硬碟是否存在以下檔案,
如果存在就立即重新啟動電腦!黑名單如下:
記憶體中的:
1、softice
2、trw、
當然目錄下的:
1、CRACKCODE
2、WDAS
解決辦法:
* Referenced by a CALL at Addresses:
|:004740BB , :00474139 , :00476E3C , :00477647 , :0047853C
\
|
\
\ 所有發現黑名單的地方都調
用這個關機函式,
* Reference To: user32.ExitWindowsEx, Ord:0000h
/
|
/
:00407000 FF25F4164800 Jmp dword ptr
[004816F4]==>NOP掉 /
:00407006 8BC0
mov eax, eax
好了不再關機了,大家可以追註冊碼了。
=============================================================
第二部分,找註冊碼
1.w32dasm反彙編,串式參考"未註冊版本只能使用30天,現在還剩" 具體是:
** Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047735B(C)
|
:00477384 A1D4F24700 mov eax,
dword ptr [0047F2D4]<====== eax ,註冊標誌位
:00477389 3B05540C4800 cmp eax, dword
ptr [00480C54]<======這個不可忽略d 00480c54 為B
:0047738F 0F8404010000 je 00477499<====關鍵跳轉
:00477395 E85ABDFFFF call 004730F4
:0047739A A3E4F24700 mov dword
ptr [0047F2E4], eax
* Possible StringData Ref from Code Obj ->"未註冊版本只能使用30天,現在還剩"
|
:0047739F 68287A4700 push 00477A28
:004773A4 8D55A8
lea edx, dword ptr [ebp-58]
:004773A7 A1E8F24700 mov eax,
dword ptr [0047F2E8]
:004773AC 2B05E4F24700 sub eax, dword
ptr [0047F2E4]
:004773B2 40
inc eax
:004773B3 E85415F9FF call 0040890C
:004773B8 FF75A8
push [ebp-58]
:004773BB 68547A4700 push 00477A54
:004773C0 8D45AC
lea eax, dword ptr [ebp-54]
:004773C3 BA03000000 mov edx,
00000003
:004773C8 E87BCBF8FF call 00403F48
:004773CD 8B55AC
mov edx, dword ptr [ebp-54]
:004773D0 8B8380030000 mov eax, dword
ptr [ebx+00000380]
:004773D6 E8CD87FBFF call 0042FBA8
:004773DB 8B15E4F24700 mov edx, dword
ptr [0047F2E4]
:004773E1 8B8378030000 mov eax, dword
ptr [ebx+00000378]
:004773E7 E85442FEFF call 0045B640
:004773EC A1E8F24700 mov eax,
dword ptr [0047F2E8]
:004773F1 83E80F
sub eax, 0000000F
:004773F4 3B05E4F24700 cmp eax, dword
ptr [0047F2E4]
:004773FA 7D50
jge 0047744C
:004773FC 6A40
push 00000040
* Possible StringData Ref from Code Obj ->"註冊資訊"
|
:004773FE 68587A4700 push 00477A58
* Possible StringData Ref from Code Obj ->"軟體試用期還剩"
|
:00477403 686C7A4700 push 00477A6C
:00477408 8D55A0
lea edx, dword ptr [ebp-60]
:0047740B A1E8F24700 mov eax,
dword ptr [0047F2E8]
:00477410 40
inc eax
:00477411 2B05E4F24700 sub eax, dword
ptr [0047F2E4]
:00477417 E8F014F9FF call 0040890C
:0047741C FF75A0
push [ebp-60]
:0047741F 68547A4700 push 00477A54
* Possible StringData Ref from Code Obj ->",請趕快向美萍公司註冊(0371-8749676)"
|
:00477424 68847A4700 push 00477A84
:00477429 8D45A4
lea eax, dword ptr [ebp-5C]
:0047742C BA04000000 mov edx,
00000004
:00477431 E812CBF8FF call 00403F48
:00477436 8B45A4
mov eax, dword ptr [ebp-5C]
:00477439 E80ECCF8FF call 0040404C
:0047743E 50
push eax
:0047743F 8BC3
mov eax, ebx
:00477441 E80AE8FBFF call 00435C50
:00477446 50
push eax
2.w32dasm查詢選單,從頭查詢0047F2D4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047705C(C)
|
:0047706B 8B153C0A4800 mov edx, dword
ptr [00480A3C]
:00477071 A14C0A4800 mov eax,
dword ptr [00480A4C]
:00477076 E8F9D0F8FF call 00404174<====d
edx 見一長註冊碼,我的是
162778260300854525709 比方我輸入的是62778
:0047707B 85C0
test eax, eax
:0047707D 7E24
jle 004770A3
:0047707F A14C0A4800 mov eax,
dword ptr [00480A4C]
:00477084 E8FFCDF8FF call 00403E88
:00477089 83F805
cmp eax, 00000005
:0047708C 7515
jne 004770A3
:0047708E 8B153C0A4800 mov edx, dword
ptr [00480A3C]
:00477094 A14C0A4800 mov eax,
dword ptr [00480A4C]
:00477099 E8D6D0F8FF call 00404174
<=====計算你輸入註冊碼的開始位數
:0047709E A3D4F24700 mov dword
ptr [0047F2D4], eax <===EAX為2.而比較的是B所以我們知道我們該從第幾位輸了吧。
呵呵~~~~~~~~~可是這樣做了仍然不對,為什麼???記得在3.0以前我們知道黑名單裡有兩個TRW,後一個參與
註冊碼運算,前一個被發現後關機。可是這個版本是發現TRW後不僅關機還來干擾註冊碼的運算。所以我門該
把第一個TRW改為“ttt”(為任意三個字母)
再來看00477084處那個長碼,這次為11244327843548534316722 從B位開始取,為35485
所以:註冊名 ybyb
註冊碼 35485
寫不有錯的地方請大家指正.
(後話雖然快考試了,可是手癢的很啊!!!於是下載了美萍網管大師7.2,美萍安全衛士8.5來練習一下crackYY[CNCG] 解的網管大師也是從B位開始的.
安全衛士和網管大師大同小異,前者在 00475a13處 ? ebx 就見你的註冊碼了.
)
2001.12.08