Help & Manual 3.0.4.619 破解 (15千字)
標 題:Help & Manual 3.0.4.619 破解 (15千字)
發信人:sunrix
時 間:2002-9-26 20:30:14
詳細資訊:
大家好,寫得比較亂,湊合著看看吧。一口氣發了幾篇,花了不少時間,最近我是不會再玩crack了,不過,我還是會常來論壇轉轉的,呵呵。
Help
& Manual 3.0.4.619 破解筆記
================================
sunrise,
2002-9-26
軟體名稱:Help & Manual
軟體版本:3.0.4.619
軟體簡介:所見即所得的Help檔案製作工具
軟體主頁:http://www.helpandmanual.com
保護方式:14天使用期限+Nag screen,有簡單的反SOFTICE措施
使用工具:dede,ollydbg,hiew
主程式HelpMan_demo.exe未加殼,用PeID檢測,報告是delphi程式。這下
dede可派上用場了。用dede反編譯HelpMan_demo.exe,經過分析,程式開始
時出現的對話方塊的form是TFrmAbout
TFrmAbout.FormShow
00593268 55                     push ebp
00593269 8BEC                   mov ebp, esp
0059326B B905000000             mov ecx, $00000005
00593270 6A00                   push $00
00593272 6A00                   push $00
00593274 49                     dec ecx
00593275 75F9                   jnz 00593270
00593277 51                     push ecx
00593278 53                     push ebx
00593279 56                     push esi
0059327A 8BD8                   mov ebx, eax
0059327C 33C0                   xor eax, eax
0059327E 55                     push ebp
0059327F 68AB345900             push $005934AB
***** TRY
|
00593284 64FF30                 push dword ptr fs:[eax]
00593287 648920                 mov fs:[eax], esp
* Reference to field TFrmAbout.OFFS_0211
|
0059328A 80BB1102000003         cmp byte ptr [ebx+$0211], $03
00593291 750D                   jnz 005932A0
* Reference to field TFrmAbout.OFFS_003C
|
00593293 8B533C                 mov edx, [ebx+$3C]
00593296 83C21E                 add edx, +$1E
00593299 8BC3                   mov eax, ebx
* Reference to: controls.TControl.SetHeight(TControl;System.Integer);
|
0059329B E88C3BEAFF             call 00436E2C
* Reference to field TFrmAbout.OFFS_0300
|
005932A0 8D8300030000           lea eax, [ebx+$0300]
* Possible String Reference to: 'http://www.ec-software.com/order.htm'
|
005932A6 BAC0345900             mov edx, $005934C0
* Reference to: system.@LStrAsg;
|
005932AB E87C0BE7FF             call 00403E2C
* Reference to TDM instance
|
005932B0 A1FCF76A00             mov eax, dword ptr [$6AF7FC]
005932B5 8B00                   mov eax, [eax]
* Reference to field TDM.OFFS_006C
|
005932B7 83786C00               cmp dword ptr [eax+$6C], +$00   ;剩餘使用天數<0?
005932BB 0F8CAB000000           jl 0059336C
005932C1 8D45FC                 lea eax, [ebp-$04]
005932C4 50                     push eax
005932C5 8D4DF8                 lea ecx, [ebp-$08]
* Reference to TDM instance
|
005932C8 A1FCF76A00             mov eax, dword ptr [$6AF7FC]
005932CD 8B00                   mov eax, [eax]
* Reference to field TDM.OFFS_0070
|
005932CF 8B4070                 mov eax, [eax+$70]
* Possible String Reference to: 'EvalDue'
|
005932D2 BAF0345900             mov edx, $005934F0
* Reference to: classes.TStrings.GetValue(TStrings;System.AnsiString):System.AnsiString;
| or: nmextstr.TExStringList.GetValue(TExStringList;System.AnsiString):System.AnsiString;
|
005932D7 E82007E8FF             call 004139FC
005932DC 8B45F8                 mov eax, [ebp-$08]
005932DF 50                     push eax
005932E0 8D55EC                 lea edx, [ebp-$14]
* Reference to TDM instance
|
005932E3 A1FCF76A00             mov eax, dword ptr [$6AF7FC]
005932E8 8B00                   mov eax, [eax]
* Reference to field TDM.OFFS_006C
|
005932EA 8B406C                 mov eax, [eax+$6C]
* Reference to: sysutils.IntToStr(System.Integer):System.AnsiString;overload;
|
005932ED E8EA60E7FF             call 004093DC
005932F2 8B45EC                 mov eax, [ebp-$14]
005932F5 8945F0                 mov [ebp-$10], eax
005932F8 C645F40B               mov byte ptr [ebp-$0C], $0B
005932FC 8D55F0                 lea edx, [ebp-$10]
005932FF 33C9                   xor ecx, ecx
00593301 58                     pop eax
|
00593302 E87974E7FF             call 0040A780
00593307 8B55FC                 mov edx, [ebp-$04]
;在about對話方塊上顯示剩餘的天數
* Reference to control TFrmAbout.PnlEval : TPanel
|
0059330A 8B83DC020000           mov eax, [ebx+$02DC]
* Reference to: controls.TControl.SetText(TControl;System.String);
|
00593310 E8EF42EAFF             call 00437604
00593315 8D45E8                 lea eax, [ebp-$18]
00593318 50                     push eax
以下略。。。
從上面的程式碼可知,使用天數是存在TDM類物件中傳給TFrmAbout.FormShow的,用dede看看TDM的事件函式:
TDM.DMCreate
005891FC 55                     push ebp
005891FD 8BEC                   mov ebp, esp
005891FF B933000000             mov ecx, $00000033
00589204 6A00                   push $00
00589206 6A00                   push $00
00589208 49                     dec ecx
00589209 75F9                   jnz 00589204
0058920B 53                     push ebx
0058920C 56                     push esi
0058920D 57                     push edi
0058920E 8945F8                 mov [ebp-$08], eax   ;TDM類物件指標
00589211 33C0                   xor eax, eax
00589213 55                     push ebp
略去一些無關程式碼
* Reference to: sysutils.Date:System.TDateTime;
|
0058948E E85D19E8FF             call 0040ADF0
* Reference to: system.@TRUNC;
|
00589493 E82896E7FF             call 00402AC0
00589498 8B55E4                 mov edx, [ebp-$1C]
在dede的units info中可以發現 0052FFA0這個地址位於unit:RichEditOLE中
0058949B E8006BFAFF             call 0052FFA0   ;***計算已經使用的天數,用負數表示
* Reference to GlobalVar_006B817C
|
005894A0 A37C816B00             mov dword ptr [$6B817C], eax   ;儲存已經使用的天數
* Reference to DM
|
005894A5 8B45F8                 mov eax, [ebp-$08]
* Reference to field TDM.OFFS_005D
設定非註冊標誌。0表示未註冊,這是demo版,所以設成未註冊。修改這裡的指令,將設的值改為1,about對話方塊就是splash screen而不是nag screen
|
005894A8 C6405D00               mov byte ptr [eax+$5D], $00
下面是隨機的反跟蹤softice的程式碼
隨機生成一個0-29之間的整數,如果這個整數>=20,則呼叫反softice的程式碼
005894AC B81E000000             mov eax, $0000001E
* Reference to: system.@RandInt;
|
005894B1 E8D297E7FF             call 00402C88
005894B6 83F814                 cmp eax, +$14
005894B9 7C23                   jl 005894DE
005894BB 33D2                   xor edx, edx
* Reference to DM
|
005894BD 8B45F8                 mov eax, [ebp-$08]
* Reference to : TDM.HasWi95()
|
HasWi95()呼叫CreateFileA 開啟"\\.\SICE"
005894C0 E8B3010000             call 00589678
005894C5 84C0                   test al, al
005894C7 750E                   jnz 005894D7   ;有就跳
005894C9 33D2                   xor edx, edx
* Reference to DM
|
005894CB 8B45F8                 mov eax, [ebp-$08]
* Reference to : TDM.HasWiNT()
HasWiNT()呼叫CreateFileA 開啟"\\.\NTICE"
005894CE E81D020000             call 005896F0
005894D3 84C0                   test al, al
005894D5 7407                   jz 005894DE
005894D7 EBFE                   jmp 005894D7   ;發現有softice就當機
* Reference to: system.@Halt0;
|
005894D9 E822A7E7FF             call 00403C00
005894DE 33C0                   xor eax, eax
005894E0 55                     push ebp
005894E1 6878955800             push $00589578
***** TRY
|
005894E6 64FF30                 push dword ptr fs:[eax]
005894E9 648920                 mov fs:[eax], esp
取程式的路徑和檔名
005894EC 8D85A0FEFFFF           lea eax, [ebp+$FFFFFEA0]
005894F2 50                     push eax
005894F3 8D9574FEFFFF           lea edx, [ebp+$FFFFFE74]
* Reference to TApplication instance
|
005894F9 A1A8F76A00             mov eax, dword ptr [$6AF7A8]
005894FE 8B00                   mov eax, [eax]
* Reference to: forms.TApplication.GetExeName(TApplication):System.AnsiString;
|
00589500 E81BD4ECFF             call 00456920
00589505 8B8574FEFFFF           mov eax, [ebp+$FFFFFE74]   ;->程式的路徑和檔名
將取得的檔案的副檔名替換為.dpl
0058950B 8D8D78FEFFFF           lea ecx, [ebp+$FFFFFE78]
* Possible String Reference to: '.dpl'
|
00589511 BA70965800             mov edx, $00589670
* Reference to: sysutils.ChangeFileExt(System.AnsiString;System.AnsiString):System.AnsiString;
|
00589516 E81504E8FF             call 00409930
0058951B 8B8578FEFFFF           mov eax, [ebp+$FFFFFE78]   ;->副檔名換後的路徑和檔名
查詢這個檔案
我看了看,在我的機器上沒這個檔案
* Reference to: system.@LStrToPChar;
|
00589521 E812ADE7FF             call 00404238
00589526 50                     push eax
* Reference to: kernel32.FindFirstFileA()
|
00589527 E84CDAE7FF             call 00406F78
0058952C 8BD8                   mov ebx, eax
0058952E 83FBFF                 cmp ebx, -$01
00589531 743B                   jz 0058956E
00589533 8D45E8                 lea eax, [ebp-$18]
00589536 50                     push eax
00589537 8D85ACFEFFFF           lea eax, [ebp+$FFFFFEAC]
0058953D 50                     push eax
* Reference to: kernel32.FileTimeToLocalFileTime()
|
0058953E E825DAE7FF             call 00406F68
00589543 85C0                   test eax, eax
00589545 7421                   jz 00589568
00589547 8D45FC                 lea eax, [ebp-$04]
0058954A 50                     push eax
0058954B 8D45FE                 lea eax, [ebp-$02]
0058954E 50                     push eax
0058954F 8D45E8                 lea eax, [ebp-$18]
00589552 50                     push eax
* Reference to: kernel32.FileTimeToDosDateTime()
|
00589553 E808DAE7FF             call 00406F60
00589558 85C0                   test eax, eax
0058955A 740C                   jz 00589568
0058955C 8B45FC                 mov eax, [ebp-$04]
* Reference to: sysutils.FileDateToDateTime(System.Integer):System.TDateTime;
|
0058955F E84009E8FF             call 00409EA4
00589564 DD5DF0                 fstp qword ptr [ebp-$10]
00589567 9B                     wait
00589568 53                     push ebx
* Reference to: kernel32.FindClose()
|
00589569 E802DAE7FF             call 00406F70
0058956E 33C0                   xor eax, eax
00589570 5A                     pop edx
00589571 59                     pop ecx
00589572 59                     pop ecx
00589573 648910                 mov fs:[eax], edx
00589576 EB0A                   jmp 00589582
****** EXCEPT
|
00589578 E99F9FE7FF             jmp 0040351C
* Reference to: system.@DoneExcept;
|
0058957D E8F6A2E7FF             call 00403878
****** END
|
* Reference to DM
|
00589582 8B45F8                 mov eax, [ebp-$08]
* Reference to field TDM.OFFS_005C
|
00589585 C6405C01               mov byte ptr [eax+$5C], $01
00589589 A17C816B00             mov eax, dword ptr [$6B817C]
0058958E 83C00E                 add eax, +$0E
;14天試用期-已經使用的天數(因為用負數表示)
;得到剩餘天數
* Reference to DM
|
00589591 8B55F8                 mov edx, [ebp-$08]
* Reference to field TDM.OFFS_006C
|
00589594 89426C                 mov [edx+$6C], eax   ;儲存剩餘天數
又隨機反跟蹤,無聊:)
00589597 B201                   mov dl, $01
* Reference to DM
|
00589599 8B45F8                 mov eax, [ebp-$08]
* Reference to : TDM.HasWi95()
|
0058959C E8D7000000             call 00589678
005895A1 84C0                   test al, al
005895A3 751F                   jnz 005895C4
005895A5 B201                   mov dl, $01
* Reference to DM
|
005895A7 8B45F8                 mov eax, [ebp-$08]
* Reference to : TDM.HasWiNT()
|
005895AA E841010000             call 005896F0
005895AF 84C0                   test al, al
005895B1 7511                   jnz 005895C4
005895B3 33D2                   xor edx, edx
005895B5 33C0                   xor eax, eax
|
005895B7 E8E469FAFF             call 0052FFA0
005895BC 84C0                   test al, al
005895BE 7504                   jnz 005895C4
005895C0 33C0                   xor eax, eax
005895C2 EB02                   jmp 005895C6
005895C4 B001                   mov al, $01
* Reference to DM
|
005895C6 8B55F8                 mov edx, [ebp-$08]
* Reference to field TDM.OFFS_005C
|
005895C9 88425C                 mov [edx+$5C], al   ;有softice時,此標誌置1
* Reference to DM
|
005895CC 8B45F8                 mov eax, [ebp-$08]
* Reference to field TDM.OFFS_006C
|
005895CF 8B406C                 mov eax, [eax+$6C]   ;eax=剩餘天數
剩餘天數應該>=0 <=14
005895D2 83F80E                 cmp eax, +$0E
005895D5 7F04                   jnle 005895DB
005895D7 85C0                   test eax, eax
005895D9 7D0A                   jnl 005895E5
* Reference to DM
|
005895DB 8B45F8                 mov eax, [ebp-$08]
* Reference to field TDM.OFFS_006C
|
005895DE C7406CFFFFFFFF         mov dword ptr [eax+$6C], $FFFFFFFF
當前日期不能早於那個.dpl檔案的日期
* Reference to: sysutils.Date:System.TDateTime;
|
005895E5 E80618E8FF             call 0040ADF0
* Reference to: system.@INT;
|
005895EA E88194E7FF             call 00402A70
005895EF DBBD68FEFFFF           fstp tbyte ptr [ebp+$FFFFFE68]
005895F5 9B                     wait
005895F6 DD45F0                 fld qword ptr [ebp-$10]   ;.dpl檔案的日期
* Reference to: system.@INT;
|
005895F9 E87294E7FF             call 00402A70
005895FE DBAD68FEFFFF           fld tbyte ptr [ebp+$FFFFFE68]
00589604 DED9                   fcompp
00589606 DFE0                   fstsw ax
00589608 9E                     sahf
00589609 730A                   jnb 00589615
* Reference to DM
|
0058960B 8B45F8                 mov eax, [ebp-$08]
* Reference to field TDM.OFFS_006C
|
0058960E C7406CFFFFFFFF         mov dword ptr [eax+$6C], $FFFFFFFF
00589615 33C0                   xor eax, eax
00589617 5A                     pop edx
00589618 59                     pop ecx
00589619 59                     pop ecx
0058961A 648910                 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '_^[]?
|
0058961D 683A965800             push $0058963A
00589622 8D8574FEFFFF           lea eax, [ebp+$FFFFFE74]
00589628 BA0B000000             mov edx, $0000000B
* Reference to: system.@LStrArrayClr;
|
0058962D E8CAA7E7FF             call 00403DFC
00589632 C3                     ret
00589633 E998A1E7FF             jmp 004037D0
00589638 EBE8                   jmp 00589622
****** END
|
0058963A 5F                     pop edi
0058963B 5E                     pop esi
0058963C 5B                     pop ebx
0058963D 8BE5                   mov esp, ebp
0058963F 5D                     pop ebp
00589640 C3                     ret
patch:
1、去除14天使用限制:
將0058949B處的指令:E8006BFAFF call 0052FFA0 改為:xor eax,eax nop nop nop,表示已經使用天數為0
2、使程式啟動時About對話方塊由Nag screen變成splash screen。
將指令005894A8 C6405D00 mov byte ptr [eax+$5D], $00
^^改成01
來看看Dede生成的dpr檔案:
begin
{
006A4D90 55 push ebp
006A4D91 8BEC mov ebp, esp
006A4D93 83C4F4 add esp, -$0C
006A4D96 53 push ebx
006A4D97 B870456A00 mov eax, $006A4570
* Reference to: sysinit.@InitExe;
|
006A4D9C E84720D6FF call 00406DE8
* Reference to TApplication instance
|
006A4DA1 8B1DA8F76A00 mov ebx, [$6AF7A8]
006A4DA7 8B0B mov ecx, [ebx]
006A4DA9 B201 mov dl, $01
* Reference to class TDM
|
006A4DAB A1BC905800 mov eax, dword ptr [$5890BC]
* Reference to: forms.TCustomForm.Create(TCustomForm;boolean;Classes.TComponent);
| or: forms.TDataModule.Create(TDataModule;boolean;Classes.TComponent);
|
006A4DB0 E83BEADAFF call 004537F0
* Reference to TDM instance
|
006A4DB5 8B15FCF76A00 mov edx, [$6AF7FC]
006A4DBB 8902 mov [edx], eax
006A4DBD 8B0B mov ecx, [ebx]
006A4DBF B201 mov dl, $01
* Reference to class TFrmAbout
|
006A4DC1 A1A82F5900 mov eax, dword ptr [$592FA8]
* Reference to: forms.TCustomForm.Create(TCustomForm;boolean;Classes.TComponent);
| or: forms.TDataModule.Create(TDataModule;boolean;Classes.TComponent);
|
006A4DC6 E8719EDAFF call 0044EC3C
* Reference to TFrmAbout instance
|
006A4DCB 8B1578F46A00 mov edx, [$6AF478]
006A4DD1 8902 mov [edx], eax
* Reference to TDM instance
|
006A4DD3 A1FCF76A00 mov eax, dword ptr [$6AF7FC]
006A4DD8 8B00 mov eax, [eax]
* Reference to field TDM.OFFS_005D
| 是註冊版本?
006A4DDA 80785D00 cmp byte ptr [eax+$5D], $00 ;0為demo版
006A4DDE 7425 jz 006A4E05
如果是正式版,則檢查有無命令列引數。如果有,不顯示About對話方塊;如果無命令列引數,則顯示About對話方塊,但是與demo版不同,About對話方塊的OK按鈕不可見,About對話方塊作splash screen用,進入程式主介面後About對話方塊自動消失。
* Reference to: system.ParamCount:Integer;
|
006A4DE0 E85FDBD5FF call 00402944
006A4DE5 48 dec eax
006A4DE6 7F52 jnle 006A4E3A
* Reference to TFrmAbout instance
|
006A4DE8 A178F46A00 mov eax, dword ptr [$6AF478]
006A4DED 8B00 mov eax, [eax]
* Reference to: forms.TCustomForm.Show(TCustomForm);
|
006A4DEF E8E0DDDAFF call 00452BD4
* Reference to TFrmAbout instance
|
006A4DF4 A178F46A00 mov eax, dword ptr [$6AF478]
006A4DF9 8B00 mov eax, [eax]
006A4DFB 8B10 mov edx, [eax]
* Possible reference to virtual method TFrmAbout.OFFS_0080
|
006A4DFD FF9280000000 call dword ptr [edx+$0080]
006A4E03 EB35 jmp 006A4E3A
* Reference to TFrmAbout instance
demo版轉此,使About對話方塊上的OK按鈕可見,使用者必須點選OK按鈕後,才能進入程式主介面。這裡About對話方塊就相當於nag screen。
|
006A4E05 A178F46A00 mov eax, dword ptr [$6AF478]
006A4E0A 8B00 mov eax, [eax]
* Reference to control TFrmAbout.BtnOK : TButton
|
006A4E0C 8B80D4020000 mov eax, [eax+$02D4]
006A4E12 B201 mov dl, $01
* Reference to: controls.TControl.SetVisible(TControl;System.Boolean);
|
006A4E14 E8D326D9FF call 004374EC
* Reference to TFrmAbout instance
|
006A4E19 A178F46A00 mov eax, dword ptr [$6AF478]
006A4E1E 8B00 mov eax, [eax]
006A4E20 8B10 mov edx, [eax]
* Possible reference to virtual method TFrmAbout.OFFS_00D8
|
006A4E22 FF92D8000000 call dword ptr [edx+$00D8]
* Reference to TDM instance
|
006A4E28 A1FCF76A00 mov eax, dword ptr [$6AF7FC]
006A4E2D 8B00 mov eax, [eax]
* Reference to field TDM.OFFS_006C
|
006A4E2F 83786C00 cmp dword ptr [eax+$6C], +$00
006A4E33 7D05 jnl 006A4E3A
* Reference to: system.@Halt0;
|
006A4E35 E8C6EDD5FF call 00403C00
程式開始正常初始化
006A4E3A 8B03 mov eax, [ebx]
* Reference to: forms.TApplication.Initialize(TApplication);
| or: webbroker.TWebApplication.Initialize(TWebApplication);
|
006A4E3C E87F15DBFF call 004563C0
006A4E41 8B03 mov eax, [ebx]
==========================================================================
再來看看程式是如何得到軟體使用天數的吧:
:0052FFA0 55 push ebp
:0052FFA1 8BEC mov ebp, esp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052FF7C(C)
|
:0052FFA3 B905000000 mov ecx, 00000005
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052FFAD(C)
|
:0052FFA8 6A00 push 00000000
:0052FFAA 6A00 push 00000000
:0052FFAC 49 dec ecx
:0052FFAD 75F9 jne 0052FFA8
:0052FFAF 51 push ecx
:0052FFB0 53 push ebx
:0052FFB1 56 push esi
:0052FFB2 57 push edi
:0052FFB3 8955FC mov dword ptr [ebp-04], edx
:0052FFB6 8945F8 mov dword ptr [ebp-08], eax
:0052FFB9 33C0 xor eax, eax
:0052FFBB 55 push ebp
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0052FF8D(C)
|
:0052FFBC 6846015300 push 00530146
:0052FFC1 64FF30 push dword ptr fs:[eax]
:0052FFC4 648920 mov dword ptr fs:[eax], esp
:0052FFC7 C745F446000000 mov [ebp-0C], 00000046
建立TRegistry物件
:0052FFCE B201 mov dl, 01
:0052FFD0 A1388C4600 mov eax, dword ptr [00468C38] ;TRegistry
:0052FFD5 E8CA8DF3FF call 00468DA4
:0052FFDA 8945F0 mov dword ptr [ebp-10], eax ;TRegistry物件指標
:0052FFDD 33C0 xor eax, eax
:0052FFDF 55 push ebp
:0052FFE0 681C015300 push 0053011C
:0052FFE5 64FF30 push dword ptr fs:[eax]
:0052FFE8 648920 mov dword ptr fs:[eax], esp
TRegistry物件的RootKey := HKCR
:0052FFEB BA00000080 mov edx, 80000000 ;HKCR
:0052FFF0 8B45F0 mov eax, dword ptr [ebp-10]
:0052FFF3 E8888EF3FF call 00468E80
:0052FFF8 C645EB00 mov [ebp-15], 00
HKCR\RichOleLink.TOleLink.1這個Key存不存在?
* Possible StringData Ref from Code Obj ->"\RichOleLink.TOleLink.1"
|
:0052FFFC BA60015300 mov edx, 00530160
:00530001 8B45F0 mov eax, dword ptr [ebp-10]
:00530004 E87797F3FF call 00469780
:00530009 84C0 test al, al
:0053000B 0F84C4000000 je 005300D5 ;不存在,跳
HKCR\RichOleLink.TOleLink.1\CLSID這個Key存不存在?
* Possible StringData Ref from Code Obj ->"\RichOleLink.TOleLink.1\CLSID"
|
:00530011 BA80015300 mov edx, 00530180
:00530016 8B45F0 mov eax, dword ptr [ebp-10]
:00530019 E86297F3FF call 00469780
:0053001E 84C0 test al, al
:00530020 0F84AF000000 je 005300D5 ;不存在,跳
開啟(OpenKey)Key:HKCR\RichOleLink.TOleLink.1\CLSID
:00530026 33C9 xor ecx, ecx
* Possible StringData Ref from Code Obj ->"\RichOleLink.TOleLink.1\CLSID"
|
:00530028 BA80015300 mov edx, 00530180
:0053002D 8B45F0 mov eax, dword ptr [ebp-10]
:00530030 E88F8FF3FF call 00468FC4
讀入key的預設值,其實這是一個假CLSID
:00530035 8D4DEC lea ecx, dword ptr [ebp-14]
:00530038 33D2 xor edx, edx ;nil,default value
:0053003A 8B45F0 mov eax, dword ptr [ebp-10]
:0053003D E8DA94F3FF call 0046951C ;ReadString
:00530042 33C0 xor eax, eax
:00530044 55 push ebp
:00530045 68CB005300 push 005300CB
:0053004A 64FF30 push dword ptr fs:[eax]
:0053004D 648920 mov dword ptr fs:[eax], esp
取預設值的第26個字元開始的12個字元放入另一個字串
預設值的形式如同一般的CLSID,在我的機器上是:
{42BFA701-EC57-0000-C130-0000000092DB},這是一個假CLSID,在HKCR\CLSID中是沒有的
^^^^^^^^^^^^
這裡正好是第26個字元開始的12個字元
提取後的字串是:'0000000092DB'
:00530050 8D45E0 lea eax, dword ptr [ebp-20]
:00530053 50 push eax
:00530054 B90C000000 mov ecx, 0000000C
:00530059 BA1A000000 mov edx, 0000001A
:0053005E 8B45EC mov eax, dword ptr [ebp-14]
:00530061 E81642EDFF call 0040427C
:00530066 8B4DE0 mov ecx, dword ptr [ebp-20] ;->提取的substring
:00530069 8D45E4 lea eax, dword ptr [ebp-1C]
:0053006C BAA8015300 mov edx, 005301A8 ;'$'
:00530071 E84A40EDFF call 004040C0
在剛才的字串串首加上字元'$'得到一個新字串,表示這是十六進位制數字字串,然後轉換成數字
:00530076 8B45E4 mov eax, dword ptr [ebp-1C] ;->新字串
:00530079 E83E94EDFF call 004094BC ;StrToInt
:0053007E 83E846 sub eax, 00000046
:00530081 2B45F8 sub eax, dword ptr [ebp-08]
:00530084 8945F4 mov dword ptr [ebp-0C], eax ;軟體已使用天數,用負數表示
取預設值的第21個字元開始的4個字元放入另一個字串
{42BFA701-EC57-0000-C130-0000000092DB}
^^^^這是這4個位置上的字元
:00530087 8D45D8 lea eax, dword ptr [ebp-28]
:0053008A 50 push eax
:0053008B B904000000 mov ecx, 00000004
:00530090 BA15000000 mov edx, 00000015
:00530095 8B45EC mov eax, dword ptr [ebp-14] ;剛才讀入的default value
:00530098 E8DF41EDFF call 0040427C
同樣前面加上十六進位制識別符號'$'後,轉換成數字
:0053009D 8B4DD8 mov ecx, dword ptr [ebp-28]
:005300A0 8D45DC lea eax, dword ptr [ebp-24]
:005300A3 BAA8015300 mov edx, 005301A8 ;'$'
:005300A8 E81340EDFF call 004040C0
:005300AD 8B45DC mov eax, dword ptr [ebp-24]
:005300B0 E80794EDFF call 004094BC
:005300B5 2D00C00000 sub eax, 0000C000
:005300BA 3B45FC cmp eax, dword ptr [ebp-04]
:005300BD 0F9D45EB setnl byte ptr [ebp-15] ;似乎是比較年份?
:005300C1 33C0 xor eax, eax
:005300C3 5A pop edx
:005300C4 59 pop ecx
:005300C5 59 pop ecx
:005300C6 648910 mov dword ptr fs:[eax], edx
:005300C9 EB0A jmp 005300D5
:005300CB E94C34EDFF jmp 0040351C
:005300D0 E8A337EDFF call 00403878
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0053000B(C), :00530020(C), :005300C9(U)
|
:005300D5 807DEB00 cmp byte ptr [ebp-15], 00
:005300D9 752B jne 00530106
:005300DB B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"\RichOleLink.TOleLink.1\CLSID"
|
:005300DD BA80015300 mov edx, 00530180
:005300E2 8B45F0 mov eax, dword ptr [ebp-10]
:005300E5 E8DA8EF3FF call 00468FC4
:005300EA 55 push ebp
:005300EB 8D45D4 lea eax, dword ptr [ebp-2C]
:005300EE E81DFEFFFF call 0052FF10
:005300F3 59 pop ecx
:005300F4 8B4DD4 mov ecx, dword ptr [ebp-2C]
:005300F7 33D2 xor edx, edx
:005300F9 8B45F0 mov eax, dword ptr [ebp-10]
:005300FC E8EF93F3FF call 004694F0
:00530101 33C0 xor eax, eax
:00530103 8945F4 mov dword ptr [ebp-0C], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005300D9(C)
|
:00530106 33C0 xor eax, eax
:00530108 5A pop edx
:00530109 59 pop ecx
:0053010A 59 pop ecx
:0053010B 648910 mov dword ptr fs:[eax], edx
:0053010E 6823015300 push 00530123
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00530121(U)
|
:00530113 8B45F0 mov eax, dword ptr [ebp-10]
:00530116 E8552FEDFF call 00403070
:0053011B C3 ret
:0053011C E9AF36EDFF jmp 004037D0
:00530121 EBF0 jmp 00530113
:00530123 33C0 xor eax, eax
:00530125 5A pop edx
:00530126 59 pop ecx
:00530127 59 pop ecx
:00530128 648910 mov dword ptr fs:[eax], edx
:0053012B 684D015300 push 0053014D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0053014B(U)
|
:00530130 8D45D4 lea eax, dword ptr [ebp-2C]
:00530133 BA05000000 mov edx, 00000005
:00530138 E8BF3CEDFF call 00403DFC
:0053013D 8D45EC lea eax, dword ptr [ebp-14]
:00530140 E8933CEDFF call 00403DD8
:00530145 C3 ret
:00530146 E98536EDFF jmp 004037D0
:0053014B EBE3 jmp 00530130
:0053014D 8B45F4 mov eax, dword ptr [ebp-0C]
:00530150 5F pop edi
:00530151 5E pop esi
:00530152 5B pop ebx
:00530153 8BE5 mov esp, ebp
:00530155 5D pop ebp
:00530156 C3 ret