STEP7KNOW_HOW_PROTECT version1.0 (Borland C++編寫) 暴破手記 (14千字)
STEP7KNOW_HOW_PROTECT version1.0 (Borland C++編寫) 暴破手記
說實在的, STEP7KNOW_HOW_PROTECT version1.0 是用來幹什麼的,本人到目前還不知道,如果哪位大俠知道的話請告訴一聲,好讓在下破個明白:)。這是前幾天一位網友發到郵箱求破的,一直沒有時間,今天閒來無事,故拿出來練練手,反正閒著也是閒著,呵呵。。。
編寫語言: Borland C++
工具:PEiD 0.8、DeDe 2.5、Hiew 6.82（第六節的修補程式是 TASM 語法（locals/jumps/extrn :Proc），需另行組譯）
BEGIN !
一,用peid 0.8開啟其可執行檔案S7know.exe,發現程式沒有加殼,由Borland
C++編寫。。。什麼?Borland C++ !頭暈。。。轉念一想,用dede應該可以吧。。。試試!
二,用dede2.5載入S7know.exe。。。。呵呵。。。。載入成功!這下好辦啦。。。讓我們開始吧。
三,在dede2.5視窗中選取“procedures”,發現unit name 視窗中共有四個專案,分別是“unitabout”
“unitmain” “unitreg” “unitselect” 在這裡。。。當然是先檢視“unitreg”了。。。可是當我開啟“unitreg”時卻發現裡面什麼也沒有。。。怎麼辦呢,還是選取“unitabout”看看:右邊視窗裡面有很多專案,選擇右邊視窗裡的“formshow”看看,雙擊開啟後出現以下這些不是垃圾的垃圾。。。
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
|
00407A73 E8E4870800
call 0049025C
00407A78
BE05000000 mov esi, $00000005
00407A7D 8D45FC
lea eax, [ebp-$04]
* Reference to field TAboutBox.OFFS_0304
|
00407A80 89B304030000 mov
[ebx+$0304], esi
00407A86 8BD6
mov edx, esi
00407A88 66C745E80800
mov word ptr [ebp-$18], $0008
|
00407A8E E80D280900 call
0049A2A0
00407A93 FF45F4
inc dword ptr [ebp-$0C]
00407A96 8B10
mov edx,
[eax]
* Reference to control TimeCount : TLabel
|
00407A98
8B83FC020000 mov eax, [ebx+$02FC]
|
00407A9E E839850500
call 0045FFDC
00407AA3 FF4DF4
dec dword ptr [ebp-$0C]
00407AA6
8D45FC lea
eax, [ebp-$04]
00407AA9 BA02000000
mov edx, $00000002
|
00407AAE E831280900
call 0049A2E4
* Reference
to field TAboutBox.OFFS_0308
|
00407AB3 80BB0803000000
cmp byte ptr [ebx+$0308], $00
00407ABA 7423
jz 00407ADF
<--------注意這裡!(改00407ABA 7423 jz 00407ADF
為00407ABA eb23 jmp 00407ADF)
00407ABC B201
mov dl, $01
* Reference to control TimerClose :
TTimer
|
00407ABE 8B83F8020000
mov eax, [ebx+$02F8]
|
00407AC4 E8C3120500
call 00458D8C
00407AC9
33D2 xor
edx, edx
* Reference to control OKButton : TButton
|
00407ACB
8B83E8020000 mov eax, [ebx+$02E8]
00407AD1 8B08
mov ecx, [eax]
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
不知你有沒有注意上面的“00407ABA 7423 jz 00407ADF”這一句,其作用是:當時間等於五秒時,將延時視窗中的ok按鈕的Enabled屬性由false變為true（這是從前後對 TimerClose、OKButton 的引用推測的,計時本身的邏輯不在這段列表裡）。。。呵呵,執行hiew,找到“00407ABA 7423 jz 00407ADF”這一句,改為“00407ABA eb23 jmp 00407ADF”,即改“7423”為“eb23”,讓它永遠不會延時!（注意:第六節修補程式表中最後一筆在檔案偏移 70BAh 寫入的是 75h（jnz）,若該偏移對應的就是 00407ABA,那與這裡的 ebh（jmp）並不等價——jnz 在 [ebx+$0308] 為 0 時仍會往下執行。請以自己在 hiew 中驗證過的改法為準。）
四,執行一下程式看看,發現延時視窗中的ok按鈕已經是可用的了(Enabled=true),
而從5到0的倒計時也已經失效,呵呵。。。成功了一小點,但當我把系統時間往後移三十天再執行程式時,發現程式裡的很多功能已經失效,說明程式的時間限制還未解決,讓我們乘勝追擊
,幹掉它!
五,回到dede2.5的工作介面,選取unitmain看看,呵呵,裡
面也有很多選項,在這裡我們還是選“formshow”。。。為什麼呢?因為程式決定各種功能是否受限時,一般是在show窗體的時候 進行設定的,當然也會有例外。。。還是那句話:見-雞-行-事。。。
雙擊開啟後:
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
|
00402007 E8D8820900
call 0049A2E4
0040200C 59
pop ecx
0040200D 84C9
test cl,
cl
0040200F 0F84D0030000 jz
004023E5 <------------注意這裡!(A)
00402015 66C78504FFFFFFE000 mov word ptr [ebp+$FFFFFF04],
$00E0
* Possible String Reference to: 'Path1'
|
0040201E
BA45C64900 mov edx, $0049C645
00402023 8D45BC
lea eax, [ebp-$44]
|
00402026 E8A5810900
call 0049A1D0
0040202B
FF8510FFFFFF inc dword ptr [ebp+$FFFFFF10]
00402031 8B10
mov edx, [eax]
00402033 8B85ECFEFFFF
mov eax, [ebp+$FFFFFEEC]
|
00402039
E85A040300 call 00432498
0040203E 33C9
xor ecx, ecx
00402040 BA02000000
mov edx, $00000002
00402045 8AC8
mov cl, al
00402047 83F901
cmp ecx, +$01
0040204A 1BC0
sbb eax, eax
0040204C
F7D8 neg
eax
0040204E 50
push eax
0040204F 8D45BC
lea eax, [ebp-$44]
00402052
FF8D10FFFFFF dec dword ptr [ebp+$FFFFFF10]
|
00402058 E887820900
call 0049A2E4
0040205D 59
pop ecx
0040205E 84C9
test cl,
cl
00402060 7466
jz 004020C8
00402062 BA51C64900
mov edx, $0049C651
00402067
8D45B4 lea
eax, [ebp-$4C]
|
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
004023D1 83FB04 cmp
ebx, +$04
004023D4 0F8E0CFFFFFF
jle 004022E6
004023DA 8B85ECFEFFFF
mov eax, [ebp+$FFFFFEEC]
|
004023E0
E893FC0200 call 00432078
004023E5 66C78504FFFFFF6401 mov word ptr
[ebp+$FFFFFF04], $0164
* Possible String Reference to: 'Software\S7KNOW\License'
|
004023EE BA82C64900
mov edx, $0049C682
004023F3 8D4580
lea eax, [ebp-$80]
|
004023F6 E8D57D0900 call
0049A1D0
004023FB FF8510FFFFFF
inc dword ptr [ebp+$FFFFFF10]
00402401 8B10
mov edx, [eax]
00402403 B101
mov cl, $01
00402405 8B85ECFEFFFF
mov eax, [ebp+$FFFFFEEC]
|
0040240B
E8FCFC0200 call 0043210C
00402410 50
push eax
00402411 FF8D10FFFFFF
dec dword ptr [ebp+$FFFFFF10]
00402417
8D4580 lea
eax, [ebp-$80]
0040241A BA02000000
mov edx, $00000002
|
0040241F E8C07E0900
call 0049A2E4
00402424
59 pop
ecx
00402425 84C9
test cl, cl
00402427 0F84E6040000
jz 00402913
<------------注意這裡!(B)
0040242D 66C78504FFFFFF7001 mov word ptr
[ebp+$FFFFFF04], $0170
* Possible String Reference to: 'Info1'
|
00402436 BA9AC64900 mov
edx, $0049C69A
0040243B 8D857CFFFFFF
lea eax, [ebp+$FFFFFF7C]
|。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
00402903 E8DC790900 call
0049A2E4
00402908 8B85ECFEFFFF
mov eax, [ebp+$FFFFFEEC]
|
0040290E E865F70200
call 00432078
00402913
66C78504FFFFFF1400 mov word ptr [ebp+$FFFFFF04], $0014
0040291C 8B9DECFEFFFF mov
ebx, [ebp+$FFFFFEEC]
00402922 899D30FFFFFF
mov [ebp+$FFFFFF30], ebx
00402928 85DB
test ebx, ebx
0040292A 742A
jz 00402956
<------------注意這裡!(C)
0040292C 8B03
mov eax,
[ebx]
0040292E 898534FFFFFF mov
[ebp+$FFFFFF34], eax
00402934 66C78504FFFFFF0C02
mov word ptr [ebp+$FFFFFF04], $020C
0040293D BA03000000
mov edx, $00000003
00402942
8B8530FFFFFF mov eax, [ebp+$FFFFFF30]
00402948 8B08
mov ecx, [eax]
0040294A FF51FC
call dword ptr [ecx-$04]
0040294D 66C78504FFFFFF0002 mov word ptr [ebp+$FFFFFF04],
$0200
00402956 6683BD06FFFFFF00 cmp
word ptr [ebp+$FFFFFF06], +$00
0040295E 7401
jz 00402961
<------------注意這裡!(D)
00402960 C3
ret
00402961 66C78504FFFFFF1802 mov
word ptr [ebp+$FFFFFF04], $0218
0040296A 33D2
xor edx, edx
0040296C
89952CFFFFFF mov [ebp+$FFFFFF2C],
edx
00402972 8D8D2CFFFFFF lea
ecx, [ebp+$FFFFFF2C]
00402978 FF8510FFFFFF
inc dword ptr [ebp+$FFFFFF10]
0040297E 8B85F0FEFFFF
mov eax, [ebp+$FFFFFEF0]
00402984
8B906C040000 mov edx, [eax+$046C]
0040298A 8B85F0FEFFFF mov
eax, [ebp+$FFFFFEF0]
|
00402990 E8F3420000
call 00406C88
00402995 8D952CFFFFFF
lea edx, [ebp+$FFFFFF2C]
0040299B
8B9DF0FEFFFF mov ebx, [ebp+$FFFFFEF0]
004029A1 81C368040000 add
ebx, $00000468
004029A7 8BC3
mov eax, ebx
|
004029A9
E866790900 call 0049A314
004029AE FF8D10FFFFFF dec
dword ptr [ebp+$FFFFFF10]
004029B4 8D852CFFFFFF
lea eax, [ebp+$FFFFFF2C]
004029BA BA02000000
mov edx, $00000002
|
004029BF E820790900 call
0049A2E4
004029C4 66C78504FFFFFF2402 mov
word ptr [ebp+$FFFFFF04], $0224
004029CD BA15C74900
mov edx, $0049C715
004029D2
8D8528FFFFFF lea eax, [ebp+$FFFFFF28]
|
004029D8 E8F3770900
call 0049A1D0
004029DD FF8510FFFFFF
inc dword ptr [ebp+$FFFFFF10]
004029E3 33C0
xor eax,
eax
004029E5 898524FFFFFF mov
[ebp+$FFFFFF24], eax
004029EB 8D9528FFFFFF
lea edx, [ebp+$FFFFFF28]
004029F1 FF8510FFFFFF
inc dword ptr [ebp+$FFFFFF10]
004029F7
8D8D24FFFFFF lea ecx, [ebp+$FFFFFF24]
004029FD 8B85F0FEFFFF mov
eax, [ebp+$FFFFFEF0]
00402A03 0558040000
add eax, +$00000458
|
00402A08
E82F790900 call 0049A33C
00402A0D 8D8524FFFFFF lea
eax, [ebp+$FFFFFF24]
00402A13 33D2
xor edx, edx
00402A15 899520FFFFFF
mov [ebp+$FFFFFF20], edx
00402A1B
8D8D20FFFFFF lea ecx, [ebp+$FFFFFF20]
00402A21 FF8510FFFFFF inc
dword ptr [ebp+$FFFFFF10]
00402A27 8B95F0FEFFFF
mov edx, [ebp+$FFFFFEF0]
00402A2D 81C25C040000
add edx, $0000045C
|
00402A33
E804790900 call 0049A33C
00402A38 8D9520FFFFFF lea
edx, [ebp+$FFFFFF20]
00402A3E 8BC3
mov eax, ebx
|
00402A40
E883790900 call 0049A3C8
00402A45 50
push eax
00402A46 FF8D10FFFFFF
dec dword ptr [ebp+$FFFFFF10]
00402A4C
8D8520FFFFFF lea eax, [ebp+$FFFFFF20]
00402A52 BA02000000 mov
edx, $00000002
|
00402A57 E888780900
call 0049A2E4
00402A5C FF8D10FFFFFF
dec dword ptr [ebp+$FFFFFF10]
00402A62
8D8524FFFFFF lea eax, [ebp+$FFFFFF24]
00402A68 BA02000000 mov
edx, $00000002
|
00402A6D E872780900
call 0049A2E4
00402A72 FF8D10FFFFFF
dec dword ptr [ebp+$FFFFFF10]
00402A78
8D8528FFFFFF lea eax, [ebp+$FFFFFF28]
00402A7E BA02000000 mov
edx, $00000002
|
00402A83 E85C780900
call 0049A2E4
00402A88 59
pop
ecx
00402A89 84C9
test cl, cl
00402A8B 7457
jz 00402AE4
<------------注意這裡!(E)
00402A8D 66C78504FFFFFF3002 mov word ptr
[ebp+$FFFFFF04], $0230
。。。。。。。。。。。。。。。。。。。。。。。。。。。。。
您看到了上面的“ <------------注意這裡!”從“(A)”到“(E)”嗎?看到就好辦了,它們都是jz跳轉語句,跳轉(A)的作用是當使用時間達到三十天時限制軟體的使用。但是當我們把“0040200F 0F84D0030000 jz 004023E5”改成一串 nop 後,執行程式時出現錯誤視窗。這裡先要提醒一點:依上面的列表,這條 jz 只有 6 個位元組（0F84D0030000,下一條指令從 00402015 開始）,若像下文和第六節修補程式那樣寫入 7 個 90,第七個 90 會蓋掉 00402015 處“66C78504FFFFFFE000”的 66 前綴,後面的指令就會被解成不同的長度而整段走樣,這本身就足以造成錯誤,所以出錯並不一定是程式在檢查自身完整性。當然,該程式在後面也可能還有檢查的地方,也就是上面的“ <------------注意這裡!”從“(B)”到“(E)”了,不信你試試!通通殺了。。。執行
hiew6.82:
1,改0040200F 0F84D0030000 jz 004023E5 為0040200F 909090909090 nop（6 個 90,與該指令的 6 個位元組等長;寫 7 個會蓋到 00402015 的下一條指令,請先在 hiew 中核對指令長度）
2,改00402427 0F84E6040000 jz 00402913 為00402427 0F85E6040000 jnz 00402913（原文此處改前改後寫成了同樣的位元組;第六節修補程式在對應偏移 1A28h 寫入的也是 85h）
3,改0040292A 742A jz 00402956 為0040292A 752A jnz 00402956（第六節的修補程式在這裡寫的是 EB2A jmp。由於 00402928 是 test ebx,ebx,改成 jnz 後 ebx 為 0 時會落到 0040292C 的 mov eax,[ebx] 而存取空指標;用 jmp 則無條件跳過,較穩妥）
4,改0040295E 7401 jz 00402961 為0040295E 7501 jnz 00402961（修補程式用的是 EB01 jmp,即無條件跳過 00402960 的 ret;改成 jnz 只在 [ebp+$FFFFFF06] 非零時跳過,為零時反而會執行 ret）
5,改00402A8B 7457 jz 00402AE4 為00402A8B 7557 jnz 00402AE4（修補程式用的是 EB57 jmp,兩種改法在 cl 為 0 時行為不同）
整個世界-----------清靜了-------------------
六,修補程式（原文稱「序號產生器」,其實是直接改寫 S7KNOW.exe 位元組的 patcher）。注意它的修補表共 17 筆:除了上面 (A)～(E) 和第三節 about 視窗那處,還會改寫檔案偏移 1660h、1713h、17C6h、1879h、19B3h 的位元組,這些位置在上面的列表中被“。。。”省略了（若按同一對應關係,1660h 應是列表中 00402060 的 7466 jz）。它只靠檔案大小判斷版本,不會讀回原位元組核對,執行前請先備份 S7KNOW.exe:
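; ---------------------------------------------------------------------------
; S7KNOW.exe byte patcher -- TASM syntax (locals / jumps / extrn :Proc),
; 32-bit flat model, Win32 API called through STDCALL imports.
;
; Opens S7KNOW.exe in the current directory, refuses to continue unless the
; file size equals `file_size`, then writes one byte per `zmiany` entry at
; the raw file offset named by that entry.  Entry layout: db new_byte / dd offset.
;
; Caveats for anyone reusing this:
;  * It patches IN PLACE.  There is no backup and it never reads the byte it
;    is about to replace; the size compare is the only version guard.  Copy
;    the original aside before running it.
;  * The offsets are raw file offsets, not the virtual addresses shown in the
;    disassembly listing.  The VA <-> offset mapping depends on the PE section
;    table, so re-derive it for any other build of the target.
;  * Entries 1-7 NOP seven consecutive bytes, but the `jz 004023E5` they are
;    meant to remove is six bytes long (0F84D0030000) in the listing; the
;    seventh NOP would land on the following instruction.  Confirm the
;    length with hiew before trusting this table.
; ---------------------------------------------------------------------------
.386
locals
jumps
.model flat,STDCALL
extrn MessageBoxA:Proc
extrn CreateFileA:Proc
extrn GetFileSize:Proc
extrn SetFilePointer:Proc
extrn WriteFile:Proc
extrn CloseHandle:Proc
extrn ExitProcess:Proc
.data
GENERIC_WRITE            equ 40000000h
OPEN_EXISTING            equ 3
FILE_BEGIN               equ 0
INVALID_HANDLE_VALUE     equ 0FFFFFFFFh      ; CreateFileA failure
INVALID_SET_FILE_POINTER equ 0FFFFFFFFh      ; SetFilePointer failure (high ptr is NULL here)
ENTRY_SIZE               equ 5               ; db new_byte + dd offset

cur_byte     db ?                            ; byte handed to WriteFile
liczba       dd 0                            ; bytes actually written
uchwyt       dd ?                            ; handle of the opened exe

; Patch table: replacement byte, then the raw file offset it goes to.
zmiany:
    db 090h                                  ; 1-7: NOP run (see header caveat)
    dd 0160Fh
    db 090h
    dd 01610h
    db 090h
    dd 01611h
    db 090h
    dd 01612h
    db 090h
    dd 01613h
    db 090h
    dd 01614h
    db 090h
    dd 01615h
    db 0EBh                                  ; 8-12: jz -> jmp (short)
    dd 01660h
    db 0EBh
    dd 01713h
    db 0EBh
    dd 017C6h
    db 0EBh
    dd 01879h
    db 0EBh
    dd 019B3h
    db 085h                                  ; 13: 0F 84 -> 0F 85 (jz -> jnz, near)
    dd 01A28h
    db 0EBh                                  ; 14-16: jz -> jmp (short)
    dd 01F2Ah
    db 0EBh
    dd 01F5Eh
    db 0EBh
    dd 0208Bh
    db 075h                                  ; 17: 74 -> 75 (jz -> jnz, short)
    dd 070BAh
num_mod      dd ($ - zmiany) / ENTRY_SIZE    ; entry count derived from the table itself

program_name db 'S7KNOW.exe',0
bad_size     db 'S7KNOW.exe does not have the expected size; this patch is for one specific build only.',0
main_error   db 'S7KNOW patcher',0
success      db 'S7KNOW.exe patched. Keep the backup of the original file.',0
other_errors db 'Cannot open, seek or write S7KNOW.exe (missing, read-only or in use?).',0
file_size    dd 822784                       ; size of the build this table was made for
nazwa_pliku  db 'S7KNOW.exe',0
.code
start:
    push    0                                ; hTemplateFile
    push    0                                ; dwFlagsAndAttributes
    push    OPEN_EXISTING                    ; never create a new file
    push    0                                ; lpSecurityAttributes
    push    0                                ; dwShareMode: exclusive
    push    GENERIC_WRITE
    push    offset nazwa_pliku
    call    CreateFileA
    cmp     eax, INVALID_HANDLE_VALUE
    jz      error_open
    mov     uchwyt, eax

    ; Version guard: a different size means a different build and the
    ; offsets below would corrupt it.
    push    0                                ; lpFileSizeHigh
    push    uchwyt
    call    GetFileSize
    cmp     eax, file_size
    jnz     error_size

    xor     ebx, ebx                         ; entry index; ebx is callee-saved
                                             ; under STDCALL so it survives the API calls
modify:
    imul    eax, ebx, ENTRY_SIZE
    mov     esi, offset zmiany
    add     esi, eax
    lodsb                                    ; al  = replacement byte
    mov     cur_byte, al
    lodsd                                    ; eax = raw file offset

    push    FILE_BEGIN
    push    0                                ; lpDistanceToMoveHigh
    push    eax
    push    uchwyt
    call    SetFilePointer
    cmp     eax, INVALID_SET_FILE_POINTER
    jz      error

    mov     liczba, 0
    push    0                                ; lpOverlapped
    push    offset liczba
    push    1                                ; nNumberOfBytesToWrite
    push    offset cur_byte
    push    uchwyt
    call    WriteFile
    test    eax, eax
    jz      error
    cmp     liczba, 1                        ; a "successful" short write is still a failure
    jne     error

    inc     ebx
    cmp     ebx, num_mod
    jne     modify

    push    0
    push    offset program_name              ; caption
    push    offset success                   ; text
    push    0
    call    MessageBoxA
    push    uchwyt
    call    CloseHandle
    push    0
    call    ExitProcess

error_size:
    mov     edx, offset bad_size
    jmp     report
error:
    mov     edx, offset other_errors
report:                                      ; edx = message text; the handle is open
    push    0
    push    offset main_error                ; caption
    push    edx                              ; text
    push    0
    call    MessageBoxA
    push    uchwyt
    call    CloseHandle
    push    1                                ; non-zero exit code so scripts notice
    call    ExitProcess

error_open:                                  ; CreateFileA failed: nothing to close
    push    0
    push    offset main_error
    push    offset other_errors
    push    0
    call    MessageBoxA
    push    1
    call    ExitProcess
end start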
七,收工!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~轉載請保持完整性~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
作者:飛龍狗狗
郵箱:bluearc_arc@hotmail.com
QQ:40116000