LaunchIt NOW! Plus 2.5 self-check crack
Software name: LaunchIt NOW! Plus 2.5
Supported systems: Win 9x/ME/2000/XP
License: shareware
Official homepage: http://www.gemiscorp.com/
Download: http://www.webattack.com/dlnow/rdir.dll?id=105746 (1842k)
Description: press Ctrl+Tab to quickly open preset files or folders, just like switching windows with Alt+Tab!
Author: 炎之川
Homepage: http://skipli.yeah.net/
Notice: this article is for study and exchange only; if you repost it, please keep it complete.
A while ago someone asked about this program on the 漢化新世紀 (Hanhua New Century) forum. I tried it myself and, more or less by fumbling around, got rid of its self-check, so I am writing up the process here for everyone's comments.
First, use FileInfo to see whether the program is packed (a good habit whether you are localizing or cracking ^^)... it is ASPack 2.12, so unpack it with AspackDie 1.41. Run the unpacked program and a message box pops up immediately telling you that the program's self-check failed and suggesting that you scan with antivirus software, and so on. OK, at least this self-check gives you a message; unlike some programs that refuse to show their face at all, this one is fairly kind :)
Then, as usual, disassemble it with W32Dasm and take a look. In the string references I found the self-check failure message; double-clicking showed that the message is referenced in two places, so first go to the code section below:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402604(C)
|
:0040260D 6A00                    push 00000000
:0040260F 8B8DA4F7FFFF            mov ecx, dword ptr [ebp+FFFFF7A4]
:00402615 E894BE0100              call 0041E4AE
:0040261A 85C0                    test eax, eax           // a thoroughly classic comparison =)
:0040261C 7519                    jne 00402637            // if eax is not equal we die, so jne -> jmp
:0040261E 6A10                    push 00000010

* Possible Reference to String Resource ID=41346: "The application integrity checking failed, possibly caused b"   // the self-check failure message
|
:00402620 6882A10000              push 0000A182
:00402625 8B8DA4F7FFFF            mov ecx, dword ptr [ebp+FFFFF7A4]
:0040262B E858C90100              call 0041EF88
:00402630 33C0                    xor eax, eax
:00402632 E974050000              jmp 00402BAB
After making that change I tried running the program, and the self-check failure message still popped up. But look a little more carefully: before the modification, the error appeared the moment the program was started, whereas after the modification the system tray icon appears first (so the program has already started running) and only about half a second later does the message pop up! That is a lead! It means the program checks itself in more than one place: the spot we patched is one of them, and there are others that keep checking after this one has passed.
Next, look at the other error message found in the string references:
* Possible Reference to String Resource ID=00128: " LaunchIt NOW! Plus"
|
:00402590 C705FC63450080000000    mov dword ptr [004563FC], 00000080

* Possible Reference to String Resource ID=41346: "The application integrity checking failed, possibly caused b"   // the message text
|
:0040259A C7050064450082A10000    mov dword ptr [00456400], 0000A182
There is no jump nearby to work with, so another approach is needed.
Open the unpacked program in a resource editor such as eXeScope or Resource Hacker, find the self-check failure sentence under "String Table", and you can see that its ID is 41346, which is 0xA182 in hexadecimal. That makes it obvious: 0040259A is where the error message (its resource ID) is stored into dword ptr [00456400], so the place where dword ptr [00456400] is read is also part of the self-check.
Search for dword ptr [00456400] and you arrive at the following code section:
:0041F068 55                      push ebp
:0041F069 8BEC                    mov ebp, esp
:0041F06B 6AFF                    push FFFFFFFF
:0041F06D 68F2254400              push 004425F2
:0041F072 64A100000000            mov eax, dword ptr fs:[00000000]
:0041F078 50                      push eax
:0041F079 64892500000000          mov dword ptr fs:[00000000], esp
:0041F080 83EC08                  sub esp, 00000008
:0041F083 8B4508                  mov eax, dword ptr [ebp+08]
:0041F086 833800                  cmp dword ptr [eax], 00000000
:0041F089 756B                    jne 0041F0F6            // jne -> jmp
:0041F08B C7050864450001000000    mov dword ptr [00456408], 00000001
:0041F095 8B0D68214500            mov ecx, dword ptr [00452168]
:0041F09B 894DEC                  mov dword ptr [ebp-14], ecx
:0041F09E C745FC00000000          mov [ebp-04], 00000000
:0041F0A5 8B15FC634500            mov edx, dword ptr [004563FC]
:0041F0AB 52                      push edx
:0041F0AC 8D4DEC                  lea ecx, dword ptr [ebp-14]
:0041F0AF E81B920100              call 004382CF
:0041F0B4 A168214500              mov eax, dword ptr [00452168]
:0041F0B9 8945F0                  mov dword ptr [ebp-10], eax
:0041F0BC C645FC01                mov [ebp-04], 01
:0041F0C0 8B0D00644500            mov ecx, dword ptr [00456400]   // read here; look upward for the jump
:0041F0C6 51                      push ecx
:0041F0C7 8D4DF0                  lea ecx, dword ptr [ebp-10]
:0041F0CA E800920100              call 004382CF
:0041F0CF 6A09                    push 00000009
:0041F0D1 8D4DF0                  lea ecx, dword ptr [ebp-10]
:0041F0D4 E83D900100              call 00438116
:0041F0D9 6810100000              push 00001010
:0041F0DE 8B55EC                  mov edx, dword ptr [ebp-14]
:0041F0E1 52                      push edx
:0041F0E2 8B45F0                  mov eax, dword ptr [ebp-10]
:0041F0E5 50                      push eax
:0041F0E6 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01DEh            // the message box
|
:0041F0E8 FF1500454400            Call dword ptr [00444500]
:0041F0EE 6A00                    push 00000000
With both changes made, test it: OK, done! :)
To sum up, removing the self-check only requires modifying the following two places:
0x261C: 75 -> EB
0x1F089: 75 -> EB
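Seen from the other side of the table, the result of the procedure above is a shipped binary that differs from the vendor's known-good build in exactly two bytes, which is the kind of change a whole-file hash catches and a byte-level diff pinpoints. The Python script below is an added example for this write-up, not code from the article or from the LaunchIt NOW! vendor: it records a SHA-256 of a known-good image, refuses an image whose hash does not match, and lists every differing offset. The two file offsets and the 75 -> EB change are the ones the article lists; the image contents themselves are a constructed filler pattern, not the real program.

```python
import hashlib
from typing import List, Optional, Tuple

# One byte-level difference: (offset, reference byte, candidate byte).
# None means "no byte at this offset" when the two images differ in length.
Diff = Tuple[int, Optional[int], Optional[int]]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a whole image; the value recorded for a known-good build."""
    return hashlib.sha256(data).hexdigest()


def verify_image(candidate: bytes, expected_sha256: str) -> bool:
    """Whole-image check: any changed byte, even a single patched opcode, changes the hash."""
    return sha256_hex(candidate) == expected_sha256


def diff_images(reference: bytes, candidate: bytes) -> List[Diff]:
    """List every offset where candidate differs from reference, including length changes."""
    diffs: List[Diff] = []
    common = min(len(reference), len(candidate))
    for off in range(common):
        if reference[off] != candidate[off]:
            diffs.append((off, reference[off], candidate[off]))
    for off in range(common, len(reference)):   # candidate is shorter than reference
        diffs.append((off, reference[off], None))
    for off in range(common, len(candidate)):   # candidate is longer than reference
        diffs.append((off, None, candidate[off]))
    return diffs


def report(diffs: List[Diff]) -> List[str]:
    """One human-readable line per differing byte, offsets in hex."""
    def fmt(b: Optional[int]) -> str:
        return "--" if b is None else f"{b:02X}"
    return [f"offset 0x{off:X}: {fmt(ref)} -> {fmt(cand)}" for off, ref, cand in diffs]


# --- constructed sample data (not real binaries) --------------------------------
# A 0x20000-byte image filled with a repeating pattern (constructed). The two
# offsets and the 75 -> EB change are the ones listed at the end of the article.
IMAGE_SIZE = 0x20000
_ref = bytearray((i * 7 + 3) & 0xFF for i in range(IMAGE_SIZE))
_ref[0x261C] = 0x75
_ref[0x1F089] = 0x75
REFERENCE = bytes(_ref)

_patched = bytearray(REFERENCE)
_patched[0x261C] = 0xEB
_patched[0x1F089] = 0xEB
PATCHED = bytes(_patched)

# What a defender would store alongside the known-good build.
KNOWN_GOOD_SHA256 = sha256_hex(REFERENCE)

if __name__ == "__main__":
    print("reference verifies:", verify_image(REFERENCE, KNOWN_GOOD_SHA256))
    print("patched verifies:  ", verify_image(PATCHED, KNOWN_GOOD_SHA256))
    for line in report(diff_images(REFERENCE, PATCHED)):
        print(line)
```

The hash comparison is the check that belongs in a deployment pipeline or host-integrity monitor; the diff is what an analyst runs once the hash has failed, to see whether the change is two flipped branch bytes or something larger.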