Cracking Smart Explorer 6.00.17 (4,000 characters)

Posted by 看雪資料 on 2015-11-15

Smart Explorer 6.00.17

1. An excellent web browser; unfortunately there is no registration method available to users here. The program is limited to a 30-day trial. The registration code is not hard to find, but after registration the program goes online to check it; if the registration is found to be illegitimate it clears the registration code and resets the trial period to 0, so the key part is the online verification. So where should one crack? Dynamic tracing is not very practical. I remembered 印豪兄's approach to cracking 人體生物節律 ("Human Biorhythm") and started from the two web pages that appear once online verification fails: one keyword is "Evaluation Expired", the other is "expired.html".

2. The program is packed with ASPack. Unpack it with the latest AspackDie, disassemble the unpacked file and search for "Evaluation Expired"; it is reached from two calls, at 004BE88D and 004CF821. Go to each to see how to skip it. At the key points 004CF810 and 004BE86A the calls to "Evaluation Expired" can be skipped.

* Referenced by a CALL at Addresses:
|:004BE88D  , :004CF821      *********  see how to skip these  **********     
|
:004BCE40 53                      push ebx
:004BCE41 8BD8                    mov ebx, eax
:004BCE43 8D83180B0000            lea eax, dword ptr [ebx+00000B18]
* Possible StringData Ref from Code Obj ->"( Evaluation Expired )"
                                  |
:004BCE49 BAE0CE4B00              mov edx, 004BCEE0
:004BCE4E E84D6FF4FF              call 00403DA0
:004BCE53 33D2                    xor edx, edx
:004BCE55 8B83C0090000            mov eax, dword ptr [ebx+000009C0]
:004BCE5B 8B08                    mov ecx, dword ptr [eax]
:004BCE5D FF515C                  call [ecx+5C]
:004BCE60 33D2                    xor edx, edx
:004BCE62 8B8344070000            mov eax, dword ptr [ebx+00000744]
:004BCE68 E81348F7FF              call 00431680

-------------------------------1 ----------------1---------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004CF7EF(C)
|
:004CF801 33C0                    xor eax, eax
:004CF803 8983240A0000            mov dword ptr [ebx+00000A24], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004CF7FF(U)
|
:004CF809 83BB240A000000          cmp dword ptr [ebx+00000A24], 00000000
:004CF810 7E0D                    jle 004CF81F        ***  this can skip the call at 004CF821: nop it out ***
:004CF812 C683210A000001          mov byte ptr [ebx+00000A21], 01
:004CF819 C645DB01                mov [ebp-25], 01
:004CF81D EB07                    jmp 004CF826

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004CF810(C)
|
:004CF81F 8BC3                    mov eax, ebx
:004CF821 E81AD6FEFF              call 004BCE40

-------------------------------2 ------------------ 2------------------------------------------
* Possible StringData Ref from Code Obj ->"http://www.digitalcandle.com/php-bin/rc.php"
                                  |
:004BE85B 8B1568CB4D00            mov edx, dword ptr [004DCB68]
:004BE861 8BC3                    mov eax, ebx
:004BE863 E8C8FBFFFF              call 004BE430
:004BE868 84C0                    test al, al
:004BE86A 7540                    jne 004BE8AC      *** this can skip the call at 004BE88D: make it a JMP ***
:004BE86C C683280A000000          mov byte ptr [ebx+00000A28], 00

* Possible StringData Ref from Code Obj ->"UserName"
                                  |
:004BE873 BAE4E84B00              mov edx, 004BE8E4
:004BE878 8BC6                    mov eax, esi
:004BE87A E8154CF9FF              call 00453494

* Possible StringData Ref from Code Obj ->"SerialNo"
                                  |
:004BE87F BAF8E84B00              mov edx, 004BE8F8
:004BE884 8BC6                    mov eax, esi
:004BE886 E8094CF9FF              call 00453494
:004BE88B 8BC3                    mov eax, ebx
:004BE88D E8AEE5FFFF              call 004BCE40


3. Next, search for "expired.html". There are the following four call sites; look upward to see how to skip each of them. The code is as follows.

***************************************************************************************
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C6D40(C)
|
:004C6D68 8BC6                    mov eax, esi
:004C6D6A E8957BFFFF              call 004BE904
:004C6D6F 84C0                    test al, al        ***** change this to B0 01
:004C6D71 7438                    je 004C6DAB     
:004C6D73 33D2                    xor edx, edx
:004C6D75 8BC6                    mov eax, esi
:004C6D77 E8604AF8FF              call 0044B7DC
:004C6D7C 8B80D0020000            mov eax, dword ptr [eax+000002D0]
:004C6D82 50                      push eax
:004C6D83 8B96640A0000            mov edx, dword ptr [esi+00000A64]
:004C6D89 8D45E4                  lea eax, dword ptr [ebp-1C]

* Possible StringData Ref from Code Obj ->"/expired.html"
                                  |
:004C6D8C 8B0D60CB4D00            mov ecx, dword ptr [004DCB60]

**************************************************************************************
:004BD259 80BB280A000000          cmp byte ptr [ebx+00000A28], 00
:004BD260 7407                    je 004BD269             
:004BD262 8BC3                    mov eax, ebx
:004BD264 E857150000              call 004BE7C0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BD282(C)
|
:004BD296 8BC3                    mov eax, ebx
:004BD298 E8EF200000              call 004BF38C
:004BD29D 8BF0                    mov esi, eax
:004BD29F 85F6                    test esi, esi   
:004BD2A1 7441                    je 004BD2E4
:004BD2A3 8BC3                    mov eax, ebx
:004BD2A5 E85A160000              call 004BE904
:004BD2AA 84C0                    test al, al      ***** change this to B0 01
:004BD2AC 742F                    je 004BD2DD
:004BD2AE 8D45F8                  lea eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"/expired.html"
*******************************************************************************
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BD06A(C)
|
:004BD0AD 8BC3                    mov eax, ebx
:004BD0AF E850180000              call 004BE904
:004BD0B4 84C0                    test al, al        ***** change this to B0 01
:004BD0B6 7445                    je 004BD0FD
:004BD0B8 A104EA4D00              mov eax, dword ptr [004DEA04]
:004BD0BD E89AE6F8FF              call 0044B75C
:004BD0C2 8B80D0020000            mov eax, dword ptr [eax+000002D0]
:004BD0C8 50                      push eax
:004BD0C9 8D85E8FEFFFF            lea eax, dword ptr [ebp+FFFFFEE8]

* Possible StringData Ref from Code Obj ->"/expired.html"
********************************************************************************

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BCDA5(C)
|
:004BCDBB 8BC3                    mov eax, ebx
:004BCDBD E8421B0000              call 004BE904
:004BCDC2 84C0                    test al, al          ***** change this to B0 01
:004BCDC4 744E                    je 004BCE14
:004BCDC6 8BC3                    mov eax, ebx
:004BCDC8 E88FE9F8FF              call 0044B75C
:004BCDCD 8B80D0020000            mov eax, dword ptr [eax+000002D0]
:004BCDD3 50                      push eax
:004BCDD4 8D45F8                  lea eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"/expired.html"
                                  |
:004BCDD7 8B0D60CB4D00            mov ecx, dword ptr [004DCB60]
:004BCDDD 8B93640A0000            mov edx, dword ptr [ebx+00000A64]
:004BCDE3 E83072F4FF              call 00404018
:004BCDE8 8B55F8                  mov edx, dword ptr [ebp-08]
:004BCDEB 8D45FC                  lea eax, dword ptr [ebp-04]
:004BCDEE E88577F4FF              call 00404578
:004BCDF3 8B55FC                  mov edx, dword ptr [ebp-04]
:004BCDF6 58                      pop eax
:004BCDF7 E85821FCFF              call 0047EF54
:004BCDFC EB16                    jmp 004BCE14
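Seen from the vendor's side, the six locations above have one thing in common: each licence decision collapses to a single flag test or conditional jump in the client, and the server's verdict from rc.php only matters as long as those bytes are intact. The script below is an added example, not code from the original post or from Smart Explorer, showing the defender's counterpart of that list: before trusting its own licence result, the program verifies that the decision points still hold the bytes the compiler emitted, and that the code section as a whole matches a known-good digest. The expected bytes are taken from the disassembly listing; the image base, section start, section size and the zero-filled stand-in section are assumptions so that it runs offline.

```python
"""Integrity check for licence decision points (added example)."""
import hashlib

IMAGE_BASE = 0x400000      # assumption: default Win32 image base
TEXT_VA = 0x401000         # assumption: start of the unpacked code section
TEXT_SIZE = 0xE0000        # assumption: large enough to cover every site below

# Decision points from the listing: VA -> bytes as originally compiled.
CRITICAL_SITES = {
    0x4CF810: bytes.fromhex("7E0D"),   # jle 004CF81F, guards call 004CF821
    0x4BE86A: bytes.fromhex("7540"),   # jne 004BE8AC, guards call 004BE88D
    0x4C6D6F: bytes.fromhex("84C0"),   # test al, al after call 004BE904
    0x4BD2AA: bytes.fromhex("84C0"),   # test al, al after call 004BE904
    0x4BD0B4: bytes.fromhex("84C0"),   # test al, al after call 004BE904
    0x4BCDC2: bytes.fromhex("84C0"),   # test al, al after call 004BE904
}


def build_pristine_text() -> bytearray:
    """Constructed stand-in for the real .text section: zero-filled, with the
    known instruction bytes placed at their virtual addresses."""
    text = bytearray(TEXT_SIZE)
    for va, expected in CRITICAL_SITES.items():
        off = va - TEXT_VA
        text[off:off + len(expected)] = expected
    return text


def section_digest(text: bytes) -> str:
    """SHA-256 of the whole code section; any flipped bit changes it."""
    return hashlib.sha256(text).hexdigest()


def check_sites(text: bytes) -> list:
    """Return (va, expected, actual) for every decision point whose bytes differ."""
    findings = []
    for va, expected in sorted(CRITICAL_SITES.items()):
        off = va - TEXT_VA
        actual = bytes(text[off:off + len(expected)])
        if actual != expected:
            findings.append((va, expected, actual))
    return findings


def verify(text: bytes, known_good_digest: str) -> dict:
    """Whole-section hash plus per-site check: the hash says *whether* the
    section was altered, the site list says *which* decision was touched."""
    return {
        "digest_ok": section_digest(text) == known_good_digest,
        "patched_sites": check_sites(text),
    }


if __name__ == "__main__":
    pristine = build_pristine_text()
    baseline = section_digest(pristine)   # would be embedded at build time
    print("pristine:", verify(pristine, baseline))
    tampered = bytearray(pristine)
    tampered[0x4CF810 - TEXT_VA] ^= 0xFF  # constructed: corrupt one decision point
    print("tampered:", verify(tampered, baseline))
```

The known-good digest has to be computed over the final, unpacked code at build time and stored where the running program can reach it. A self-check that lives in the same binary is itself a few bytes a patcher can remove, so it raises the cost of the edit rather than preventing it; the durable mitigation for a check like the rc.php round-trip is to let the server's answer gate something the client cannot reconstruct locally, rather than a single boolean the client then honours.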
