File patch for BlindWrite Suite v5.1.5.132, rather crudely written
Software : File patch for BlindWrite Suite v5.1.5.132
Can make images of "copy-protected" discs and restore those images through burning software
http://www.vso-software.fr/
Tools -- : W32Dasm, OllyDbg, MASM32, WIN2000
Cracker : lq7972[bruceyu13@sina.com]
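【】CloneCD does not support the whatever-brand junk burner the computer vendor gave me; I hear this one works, but it only allows Try 20 Days
At startup the software pops up something saying "the user must use it legally; it accepts no responsibility for any illegal acts or their consequences" and so on (not sure whether that is what it means?),
and then comes the familiar screen: "This software is not ...", offering two buttons: "Buy" OR "Try" (once expired, naturally only Buy is left)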
; $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $
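The following report was put together from the messy trace records:
The software starts its registration check after the "Legal Disclaimer"
【1】 Static analysis
; W32Dasm >>
; Search for "BW5.Log"
; Execution reaches this point at software startup; registration check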
:005DE6BC 55 push ebp
:005DE6BD 8BEC mov ebp, esp
:005DE6BF B90F000000 mov ecx, 0000000F
; ...
* Possible StringData Ref from Code Obj ->"BW5.Log"
|
:005DE751 B96CF05D00 mov ecx, 005DF06C
:005DE756 8B55FC mov edx, dword ptr [ebp-04]
:005DE759 8B9214050000 mov edx, dword ptr [edx+00000514]
; ...
:005E8EDA E8CDA6E1FF call 004035AC
:005E8EDF 807DF300 cmp byte ptr [ebp-0D], 00
:005E8EE3 750C jne 005E8EF1
:005E8EE5 8B45FC mov eax, dword ptr [ebp-04]
:005E8EE8 80B82305000000 cmp byte ptr [eax+00000523], 00
:005E8EEF 7425 je 005E8F16 ; key check: must jump, because
; ...
* Reference To: user32.PostQuitMessage, Ord:0000h
|
:005E8F11 E82EE6E1FF Call 00407544
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005E8EEF(C), :005E8F09(C)
|
:005E8F16 8B45FC mov eax, dword ptr [ebp-04]
:005E8F19 80B82305000000 cmp byte ptr [eax+00000523], 00
:005E8F20 750C jne 005E8F2E ; key check: must not jump, because
:005E8F22 8B45FC mov eax, dword ptr [ebp-04]
:005E8F25 80B82205000000 cmp byte ptr [eax+00000522], 00
:005E8F2C 743B je 005E8F69 ; here
; ...
* Reference To: user32.PostQuitMessage, Ord:0000h
|
:005E8F64 E8DBE5E1FF Call 00407544
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005E8F2C(C), :005E8F5C(C)
|
:005E8F69 8B45FC mov eax, dword ptr [ebp-04]
; ...
【2】 Dynamic tracing
; W32Dasm >>
; Search for "This software is not free. But "
; -----------------------------------------------------------------------------------
:005DB51C 55 push ebp
; ...
:005DB52B E87CF9FFFF call 005DAEAC
; -----------------------------------------------------------------------------------
* Referenced by a CALL at Address:
|:005DB52B
|
:005DAEAC 55 push ebp
; ...
* Possible StringData Ref from Code Obj ->"This software is not free. But "
->"you can try it for free."
|
:005DAF16 BAA0B35D00 mov edx, 005DB3A0
; ...
; OllyDbg >>
Set a breakpoint at 005DB51C and inspect the stack: 0047418B, which is the return address pushed by the CALL instruction
; W32Dasm >>
; ...
:0047417B 8BD8 mov ebx, eax
:0047417D 8BD0 mov edx, eax
:0047417F 8B83CC020000 mov eax, dword ptr [ebx+000002CC]
:00474185 FF93C8020000 call dword ptr [ebx+000002C8] ; this is the CALL
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474179(C)
|
:0047418B 5B pop ebx
; ...
【3】 Summary of modifications
(1) 005E8EEF : 7425 → 7525 (Offset : 001E82EF)
(2) 005E8F20 : 750C → 740C (Offset : 001E8320)
(3) 00474185 : NOP out the CALL (six 90 bytes) (Offset : 00073585)
or 005DB51C : 55 → CC (Offset : 001DA91C)
(4) 005D9998 : 7571 → 7471 (Offset : 001D8D98)
[Settings]->[Registration] then shows "This software is registered to " rather than "This software is in trial mode "
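Seen from the integrity-checking side, the edits summarized above fall into three recognizable byte patterns: a short conditional jump whose condition bit is flipped (74 ↔ 75), a CALL overwritten with 90 bytes, and a function prologue byte replaced by CC. The following is an added example, not code from the original write-up: it compares a known-good copy of a binary with a suspect copy and labels each differing run. The function names are hypothetical, and the sample buffer is constructed from instruction bytes quoted in the listings, placed at made-up offsets.

```python
"""Triage byte-level tampering between a known-good and a suspect binary."""

NOP, INT3 = 0x90, 0xCC


def diff_runs(good: bytes, suspect: bytes):
    """Yield (offset, good_bytes, suspect_bytes) for each run of differing bytes."""
    if len(good) != len(suspect):
        raise ValueError("size mismatch: fall back to hash or signature checks")
    start = None
    for i in range(len(good) + 1):
        differs = i < len(good) and good[i] != suspect[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            yield start, good[start:i], suspect[start:i]
            start = None


def classify(old: bytes, new: bytes) -> str:
    """Label one differing run. Heuristic: it does not decode instructions."""
    # Short Jcc opcodes are 70h..7Fh; bit 0 selects the inverted condition.
    if len(old) == 1 and 0x70 <= old[0] <= 0x7F and old[0] ^ new[0] == 1:
        return "short-jcc-inverted"
    if all(b == NOP for b in new):
        return "nop-fill"
    if new == bytes([INT3]):
        return "int3"
    return "other"


def triage(good: bytes, suspect: bytes):
    """Return [(offset, label)] for every modified run."""
    return [(off, classify(o, n)) for off, o, n in diff_runs(good, suspect)]


# Constructed sample: cmp/je, mov, indirect call, pop, push ebp/mov ebp,esp.
GOOD = bytes.fromhex("80B82305000000" "7425" "8B45FC" "FF93C8020000" "5B" "558BEC")
SUSPECT = bytearray(GOOD)
SUSPECT[7] = 0x75                 # je -> jne
SUSPECT[12:18] = bytes([NOP]) * 6  # call overwritten
SUSPECT[19] = INT3                # prologue byte replaced
SUSPECT = bytes(SUSPECT)

if __name__ == "__main__":
    for offset, label in triage(GOOD, SUSPECT):
        print(f"{offset:08X} {label}")
```

Because the labels come from byte patterns alone, a flipped data byte in the 70h..7Fh range is reported the same way as a flipped jump; confirm hits against a disassembly of the known-good file.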
【4】 Writing the file patch by hand
KeyMake exists, but doing the work yourself today pays off tomorrow
; Patch.asm
; +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.386
.model flat, stdcall
option casemap : none
; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
DLG_MAIN equ 101
ICO_MAIN equ 102
IDC_BACKUP equ 1001
IDC_FILEEXT equ 1002
; ***************************************************************************************
PATCH_POS01 equ 001D8D98h
PATCH_POS02 equ 001DA91Ch
PATCH_POS03 equ 001E82EFh
PATCH_POS04 equ 001E8320h
; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data?
hInstance dd ?
szNewFilename db MAX_PATH dup (?)
.data
szFileExtension db '.bak', 0
; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.const
dbPatched01 db 74h, 71h
dbPatched02 db 0CCh
dbPatched03 db 75h, 25h
dbPatched04 db 74h, 0Ch
ddFileSize dd 3AD200h
szExeFilename db 'BW.exe', 0
szInfo db 'Info', 0
szOkInfo db 'Success ...', 0
szErrExec db '<BW.exe> not found!', 0
szErrFileSize db '<BW.exe> is incorrect size!', 0
; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
; ***************************************************************************************
_ProcPatch proc
local @hFile, @lpBuffer, @lpTemp
pushad
invoke CreateFile, addr szExeFilename, GENERIC_READ or GENERIC_WRITE,\
0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
.if eax == INVALID_HANDLE_VALUE
invoke MessageBox, NULL, addr szErrExec, addr szInfo, MB_OK
.else
mov @hFile, eax
invoke GetFileSize, @hFile, NULL
.if eax != dword ptr [ddFileSize]
invoke MessageBox, NULL, addr szErrFileSize,\
addr szInfo, MB_OK
.else
; ***************************************************************************************
invoke SetFilePointer, @hFile, PATCH_POS01,\
NULL, FILE_BEGIN
invoke WriteFile, @hFile, addr dbPatched01, 2,\
addr @lpTemp, NULL
; ***************************************************************************************
invoke SetFilePointer, @hFile, PATCH_POS02,\
NULL, FILE_BEGIN
invoke WriteFile, @hFile, addr dbPatched02, 1,\
addr @lpTemp, NULL
; ***************************************************************************************
invoke SetFilePointer, @hFile, PATCH_POS03,\
NULL, FILE_BEGIN
invoke WriteFile, @hFile, addr dbPatched03, 2,\
addr @lpTemp, NULL
; ***************************************************************************************
invoke SetFilePointer, @hFile, PATCH_POS04,\
NULL, FILE_BEGIN
invoke WriteFile, @hFile, addr dbPatched04, 2,\
addr @lpTemp, NULL
; ***************************************************************************************
invoke MessageBox, NULL, addr szOkInfo, addr szInfo, MB_OK
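.endif
; close the handle so the file is not left locked (it was opened with share mode 0)
invoke CloseHandle, @hFile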
.endif
popad
ret
_ProcPatch endp
; ***************************************************************************************
_ProcDlgMain proc uses ebx edi esi hWnd, wMsg, wParam, lParam
mov eax, wMsg
.if eax == WM_CLOSE
invoke EndDialog, hWnd, NULL
.elseif eax == WM_INITDIALOG
invoke SetDlgItemText, hWnd, IDC_FILEEXT, addr szFileExtension
invoke CheckDlgButton, hWnd, IDC_BACKUP, BST_CHECKED
.elseif eax == WM_COMMAND
mov eax, wParam
.if ax == IDOK
invoke IsDlgButtonChecked, hWnd, IDC_BACKUP
.if eax == BST_CHECKED
invoke GetDlgItemText, hWnd, IDC_FILEEXT,\
addr szFileExtension, sizeof szFileExtension
invoke lstrcpy, addr szNewFilename, addr szExeFilename
invoke lstrcat, addr szNewFilename, addr szFileExtension
invoke CopyFile, addr szExeFilename,\
addr szNewFilename, FALSE
.endif
call _ProcPatch
.elseif ax == IDCANCEL
invoke EndDialog, hWnd, NULL
.endif
.else
mov eax, FALSE
ret
.endif
mov eax, TRUE
ret
_ProcDlgMain endp
; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
invoke GetModuleHandle, NULL
mov hInstance, eax
invoke DialogBoxParam, hInstance, DLG_MAIN, NULL, addr _ProcDlgMain, NULL
invoke ExitProcess, NULL
; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start
// Patch.rc
// ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#include <resource.h>
#define DLG_MAIN 101
#define ICO_MAIN 102
#define IDC_BACKUP 1001
#define IDC_FILEEXT 1002
ICO_MAIN ICON "Patch.ico"
DLG_MAIN DIALOGEX 0, 0, 91, 109
STYLE DS_MODALFRAME | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "BlindWrite 檔案補丁"
FONT 10, "System"
BEGIN
DEFPUSHBUTTON "補丁",IDOK,9,62,31,12
PUSHBUTTON "退出",IDCANCEL,50,62,31,12
LTEXT "除去所有的限制\nCrack by lq7972\nbruceyu13@sina.com",
IDC_STATIC,9,28,72,28,WS_DISABLED,WS_EX_STATICEDGE
LTEXT "BlindWrite Suite\n v5.1.5.132 檔案補丁",IDC_STATIC,9,6,
72,18,WS_BORDER
GROUPBOX "",IDC_STATIC,8,77,73,25
CONTROL "檔案備份",IDC_BACKUP,"Button",BS_AUTOCHECKBOX |
WS_TABSTOP,14,88,43,8
EDITTEXT IDC_FILEEXT,58,86,19,12,ES_AUTOHSCROLL
END
# makefile
# ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
NAME = Patch
OBJS = $(NAME).obj
RES = $(NAME).res
LINK_FLAG = /subsystem:windows
ML_FLAG = /c /coff
$(NAME).exe: $(OBJS) $(RES)
Link $(LINK_FLAG) $(OBJS) $(RES)
.asm.obj:
ml $(ML_FLAG) $<
.rc.res:
rc $<
clean:
del *.obj
del *.res