Windows优化精灵 3.4
发表于: 2004-11-26 11:28 4895
求助如何解决Windows优化精灵 3.4 的自校验
Windows优化精灵 3.4
软件大小:3344KB
软件语言:简体中文
软件类别:国产软件/共享版/系统加强
运行环境:Win9x/Me/NT/2000/XP
软件介绍:
Windows优化精灵是一款强大的操作系统设置软件。个性化的设置满足初学者及设置高手们的需求。
Windows优化精灵为您提供系统修复、个性设置、IE安全、网络优化、系统优化等方面的设置,它还包揽
了系统垃圾文件清理、文件夹伪装实用功能,在使你系统清新的同时还可伪装保护你的文件。您是否还在
为Windows多种设置、Windows优化而烦恼?Windows优化精灵可以为您的Windows98/2000/ME/XP/2003操
作系统提供全方位的服务!Windows优化精灵内置的系统信息检测可显示操作系统及硬件设备的大量信
息,并且集合了进程管理。目前Windows优化精灵提供了系统信息、系统修复、系统优化(磁盘缓存优化,
网络优化,文件系统/多媒体优化,桌面/菜单优化)、美化桌面、个性设置(IE背景设置,文件夹伪装,开机
提示,任务栏加文字信息)、ie设置、高级隐藏(磁盘隐藏,开始菜单隐藏)等功能设置。
下载地址:华军软件园
用peid查看发现是:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
OD载入脱壳
004895C0 W> 60 pushad
004895C1 BE 00F04500 mov esi,Windows?0045F000
004895C6 8DBE 0020FAFF lea edi,dword ptr ds:[esi+FFFA200>
004895CC 57 push edi
004895CD 83CD FF or ebp,FFFFFFFF
004895D0 EB 10 jmp short Windows?004895E2
004895D2 90 nop
004895D3 90 nop
004895D4 90 nop
004895D5 90 nop
004895D6 90 nop
004895D7 90 nop
004895D8 8A06 mov al,byte ptr ds:[esi]
004895DA 46 inc esi
004895DB 8807 mov byte ptr ds:[edi],al
004895DD 47 inc edi
004895DE 01DB add ebx,ebx
004895E0 75 07 jnz short Windows?004895E9
004895E2 8B1E mov ebx,dword ptr ds:[esi]
004895E4 83EE FC sub esi,-4
004895E7 11DB adc ebx,ebx
004895E9 ^ 72 ED jb short Windows?004895D8
004895EB B8 01000000 mov eax,1
004895F0 01DB add ebx,ebx
004895F2 75 07 jnz short Windows?004895FB
004895F4 8B1E mov ebx,dword ptr ds:[esi]
004895F6 83EE FC sub esi,-4
004895F9 11DB adc ebx,ebx
004895FB 11C0 adc eax,eax
004895FD 01DB add ebx,ebx
004895FF 73 0B jnb short Windows?0048960C
00489601 75 28 jnz short Windows?0048962B
00489603 8B1E mov ebx,dword ptr ds:[esi]
00489605 83EE FC sub esi,-4
00489608 11DB adc ebx,ebx
0048960A 72 1F jb short Windows?0048962B
0048960C 48 dec eax
0048960D 01DB add ebx,ebx
0048960F 75 07 jnz short Windows?00489618
00489611 8B1E mov ebx,dword ptr ds:[esi]
00489613 83EE FC sub esi,-4
00489616 11DB adc ebx,ebx
00489618 11C0 adc eax,eax
0048961A ^ EB D4 jmp short Windows?004895F0
0048961C 01DB add ebx,ebx
0048961E 75 07 jnz short Windows?00489627
00489620 8B1E mov ebx,dword ptr ds:[esi]
00489622 83EE FC sub esi,-4
00489625 11DB adc ebx,ebx
00489627 11C9 adc ecx,ecx
00489629 EB 52 jmp short Windows?0048967D
0048962B 31C9 xor ecx,ecx
0048962D 83E8 03 sub eax,3
00489630 72 11 jb short Windows?00489643
00489632 C1E0 08 shl eax,8
00489635 8A06 mov al,byte ptr ds:[esi]
00489637 46 inc esi
00489638 83F0 FF xor eax,FFFFFFFF
0048963B 74 75 je short Windows?004896B2
0048963D D1F8 sar eax,1
0048963F 89C5 mov ebp,eax
00489641 EB 0B jmp short Windows?0048964E
00489643 01DB add ebx,ebx
00489645 75 07 jnz short Windows?0048964E
00489647 8B1E mov ebx,dword ptr ds:[esi]
00489649 83EE FC sub esi,-4
0048964C 11DB adc ebx,ebx
0048964E ^ 72 CC jb short Windows?0048961C
00489650 41 inc ecx
00489651 01DB add ebx,ebx
00489653 75 07 jnz short Windows?0048965C
00489655 8B1E mov ebx,dword ptr ds:[esi]
00489657 83EE FC sub esi,-4
0048965A 11DB adc ebx,ebx
0048965C ^ 72 BE jb short Windows?0048961C
0048965E 01DB add ebx,ebx
00489660 75 07 jnz short Windows?00489669
00489662 8B1E mov ebx,dword ptr ds:[esi]
00489664 83EE FC sub esi,-4
00489667 11DB adc ebx,ebx
00489669 11C9 adc ecx,ecx
0048966B 01DB add ebx,ebx
0048966D ^ 73 EF jnb short Windows?0048965E
0048966F 75 09 jnz short Windows?0048967A
00489671 8B1E mov ebx,dword ptr ds:[esi]
00489673 83EE FC sub esi,-4
00489676 11DB adc ebx,ebx
00489678 ^ 73 E4 jnb short Windows?0048965E
0048967A 83C1 02 add ecx,2
0048967D 81FD 00FBFFFF cmp ebp,-500
00489683 83D1 02 adc ecx,2
00489686 8D142F lea edx,dword ptr ds:[edi+ebp]
00489689 83FD FC cmp ebp,-4
0048968C 76 0E jbe short Windows?0048969C
0048968E 8A02 mov al,byte ptr ds:[edx]
00489690 42 inc edx
00489691 8807 mov byte ptr ds:[edi],al
00489693 47 inc edi
00489694 49 dec ecx
00489695 ^ 75 F7 jnz short Windows?0048968E
00489697 ^ E9 42FFFFFF jmp Windows?004895DE
0048969C 8B02 mov eax,dword ptr ds:[edx]
0048969E 83C2 04 add edx,4
004896A1 8907 mov dword ptr ds:[edi],eax
004896A3 83C7 04 add edi,4
004896A6 83E9 04 sub ecx,4
004896A9 ^ 77 F1 ja short Windows?0048969C
004896AB 01CF add edi,ecx
004896AD ^ E9 2CFFFFFF jmp Windows?004895DE
004896B2 5E pop esi
004896B3 89F7 mov edi,esi
004896B5 B9 11000000 mov ecx,11
004896BA 8A07 mov al,byte ptr ds:[edi]
004896BC 47 inc edi
004896BD 2C E8 sub al,0E8
004896BF 3C 01 cmp al,1
004896C1 ^ 77 F7 ja short Windows?004896BA
004896C3 803F 00 cmp byte ptr ds:[edi],0
004896C6 ^ 75 F2 jnz short Windows?004896BA
004896C8 8B07 mov eax,dword ptr ds:[edi]
004896CA 8A5F 04 mov bl,byte ptr ds:[edi+4]
004896CD 66:C1E8 08 shr ax,8
004896D1 C1C0 10 rol eax,10
004896D4 86C4 xchg ah,al
004896D6 29F8 sub eax,edi
004896D8 80EB E8 sub bl,0E8
004896DB 01F0 add eax,esi
004896DD 8907 mov dword ptr ds:[edi],eax
004896DF 83C7 05 add edi,5
004896E2 88D8 mov al,bl
004896E4 ^ E2 D9 loopd short Windows?004896BF
004896E6 8DBE 00700800 lea edi,dword ptr ds:[esi+87000]
004896EC 8B07 mov eax,dword ptr ds:[edi]
004896EE 09C0 or eax,eax
004896F0 74 3C je short Windows?0048972E
004896F2 8B5F 04 mov ebx,dword ptr ds:[edi+4]
004896F5 8D8430 109F0800 lea eax,dword ptr ds:[eax+esi+89F>
004896FC 01F3 add ebx,esi
004896FE 50 push eax
004896FF 83C7 08 add edi,8
00489702 FF96 609F0800 call dword ptr ds:[esi+89F60]
00489708 95 xchg eax,ebp
00489709 8A07 mov al,byte ptr ds:[edi]
0048970B 47 inc edi
0048970C 08C0 or al,al
0048970E ^ 74 DC je short Windows?004896EC
00489710 89F9 mov ecx,edi
00489712 57 push edi
00489713 48 dec eax
00489714 F2:AE repne scas byte ptr es:[edi]
00489716 55 push ebp
00489717 FF96 649F0800 call dword ptr ds:[esi+89F64]
0048971D 09C0 or eax,eax
0048971F 74 07 je short Windows?00489728
00489721 8903 mov dword ptr ds:[ebx],eax
00489723 83C3 04 add ebx,4
00489726 ^ EB E1 jmp short Windows?00489709
00489728 FF96 689F0800 call dword ptr ds:[esi+89F68]
0048972E 61 popad
0048972F - E9 CC78F7FF jmp Windows?00401000 //jmp oep
入口点
00401000 E8 06000000 call Windows?0040100B///易语言入口,直接用Od的插件脱壳,重建输入表方式选择1
00401005 50 push eax
00401006 E8 A1010000 call Windows?004011AC ; jmp to kernel32.ExitProcess
0040100B 55 push ebp
0040100C 8BEC mov ebp,esp
0040100E 81C4 F0FEFFFF add esp,-110
00401014 EB 6D jmp short Windows?00401083
00401016 6B72 6E 6C imul esi,dword ptr ds:[edx+6E],6C
0040101A 6E outs dx,byte ptr es:[edi]
0040101B 2E:66:6E outs dx,byte ptr es:[edi]
0040101E 72 00 jb short Windows?00401020
00401020 6B72 6E 6C imul esi,dword ptr ds:[edx+6E],6C
00401024 6E outs dx,byte ptr es:[edi]
运行脱壳后的程序,屏幕一闪就退出了。
原来是有20次试用限制。
[HKEY_CURRENT_USER\Software\afengsoft\wos]
"used"=dword:00000006
删除该键值就又可以试用20次。
解除自校验,这个就不是很简单,费了一些功夫。
首先在退出的一瞬间看清程序提示授权为Demo版并判断使用次数,眼睛要快。这说明自校验在注册判断之后,所以先注册程序。
OD载入程序。
命令行下
bp CreateFileA
F9运行
77E5B476 k> 55 push ebp
77E5B477 8BEC mov ebp,esp
77E5B479 FF75 08 push dword ptr ss:[ebp+8]
77E5B47C E8 11FFFFFF call kernel32.77E5B392
77E5B481 85C0 test eax,eax
77E5B483 0F84 A3FF0100 je kernel32.77E7B42C
按到第299下时堆栈窗口显示
0012FC8C 0046B7BA /CALL 到 CreateFileA 来自 Windows?0046B7B5
0012FC90 00200640 |FileName = "\\.\NTICE" //每按一次F9检查一种调试器。
0012FC94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FC98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FC9C 00000000 |pSecurity = NULL
0012FCA0 00000003 |Mode = OPEN_EXISTING
0012FCA4 00000080 |Attributes = NORMAL
0012FCA8 00000000 \hTemplateFile = NULL
继续
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\SIWVID"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\SICE"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\SIWDEBUG"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\NTiceD052"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\NTiced155"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\TRWDEBUG"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\TRW"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\TRW2000"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\TWX2002"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\SUPERBPM"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\BW2K"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\ICEDUMP"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\REGVXD"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\FILEVXD"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
再按F9程序运行,ALT+F9返回
0046E860 . E8 EF4D0100 call 111.00483654
0046E865 . 3965 E8 cmp dword ptr ss:[ebp-18],esp//Alt+F9到这里
0046E868 . 74 0D je short 111.0046E877
Ctrl+F9返回,根据OD信息栏提示返回。按了1次Ctrl+F9后:
0046EC72 C3 RETN
返回到
0046A41C . E8 C6420000 call 111.0046E6E7
0046A421 . 8945 AC mov dword ptr ss:[ebp-54],eax
0046A424 . 837D AC 01 cmp dword ptr ss:[ebp-54],1
0046A428 . 0F85 0F000000 jnz 111.0046A43D //改为jmp.
0046A42E . 6A 00 push 0
0046A430 . E8 E3910100 call 111.00483618
0046A435 . 83C4 04 add esp,4
0046A438 . E9 00000000 jmp 111.0046A43D
0046A43D > 68 04000080 push 80000004
0046A442 . 6A 00 push 0
0046A444 . 8D45 FC lea eax,dword ptr ss:[ebp-4]
0046A447 . 50 push eax
0046A448 . 68 01000000 push 1
0046A44D . BB 00010000 mov ebx,100
0046A452 . E8 E5910100 call 111.0048363C
0046A457 . 83C4 10 add esp,10
0046A45A . 8B5D FC mov ebx,dword ptr ss:[ebp-4]
0046A45D . E8 CDCDFFFF call 111.0046722F
0046A462 . 8945 AC mov dword ptr ss:[ebp-54],eax
0046A465 . 837D AC 00 cmp dword ptr ss:[ebp-54],0
0046A469 . 0F8E F9000000 jle 111.0046A568
0046A568 > \C745 B0 00000000 mov dword ptr ss:[ebp-50],0
0046A56F . 6A 00 push 0 ; /Arg2 = 00000000
0046A571 . FF75 B0 push dword ptr ss:[ebp-50] ; |Arg1
0046A574 . E8 FA460000 call 111.0046EC73 ; \111.0046EC73
0046A579 . 6A 00 push 0
0046A57B . 6A 00 push 0
0046A57D . 6A 00 push 0
0046A57F . 68 04000080 push 80000004
0046A584 . 6A 00 push 0
0046A586 . 68 1C4F4000 push 111.00404F1C ; ASCII "software\afengsoft\wos\used"
0046A58B . 68 01030080 push 80000301
0046A590 . 6A 00 push 0
0046A592 . 68 03000000 push 3
0046A597 . 68 03000000 push 3
0046A59C . BB 9C060000 mov ebx,69C
0046A5A1 . E8 96900100 call 111.0048363C
0046A5A6 . 83C4 28 add esp,28
0046A5A9 . 8945 F8 mov dword ptr ss:[ebp-8],eax
.......
0046A6C7 > \85C0 test eax,eax
0046A6C9 . 0F84 14000000 je 111.0046A6E3 // 改为jmp
0046A6CF . E8 6FFAFFFF call 111.0046A143
0046A6D4 . 6A 00 push 0
0046A6D6 . E8 3D8F0100 call 111.00483618
0046A6DB . 83C4 04 add esp,4
0046A6DE . E9 00000000 jmp 111.0046A6E3
0046A6E3 > 6A 00 push 0
0046A6E5 . 6A 00 push 0
0046A6E7 . 6A 00 push 0
0046A6E9 . 68 04000080 push 80000004
0046A6EE . 6A 00 push 0
0046A6F0 . 68 604F4000 push 111.00404F60 ; ASCII "software\afengsoft\wos\pwl"//注意这个键值,可以伪造注册用户名,现在当然没有。
0046A6F5 . 68 01030080 push 80000301
0046A6FA . 6A 00 push 0
0046A6FC . 68 03000000 push 3
...
0046A786 > \6A 00 push 0
0046A788 . 6A 00 push 0
0046A78A . 6A 00 push 0
0046A78C . 68 04000080 push 80000004
0046A791 . 6A 00 push 0
0046A793 . 68 7B4F4000 push 111.00404F7B ; ASCII "software\afengsoft\wos\productkey"//这个也没有。
0046A798 . 68 01030080 push 80000301
0046A79D . 6A 00 push 0
0046A79F . 68 03000000 push 3
0046A7A4 . 68 03000000 push 3
0046A7A9 . BB 98060000 mov ebx,698
0046A7AE . E8 898E0100 call 111.0048363C
F8往下,进入另一个调试器的检测
0012F924 1000DAC1 /CALL 到 CreateFileA 来自 krnln.1000DABB
0012F928 100D6FCC |FileName = "\\.\PhysicalDrive0"
0012F92C C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012F930 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012F934 00000000 |pSecurity = NULL
Alt+F9返回,Ctrl+F9
1000DB8B C3 retn
1000DC14 C3 retn
10065AE0 C3 retn
10028858 C3 retn
Ctrl+F9,F8
0046A8AB . E8 868D0100 call 111.00483636
0046A8B0 . 83C4 04 add esp,4
0046A8B3 > 6A 00 push 0
0046A8B5 . 6A 00 push 0
0046A8B7 . 6A 00 push 0
0046A8B9 . 68 04000080 push 80000004
0046A8BE . 6A 00 push 0
0046A8C0 . 68 9D4F4000 push 111.00404F9D ; ASCII "software\afengsoft\wos\yname"
0046A8C5 . 68 01030080 push 80000301
0046A8CA . 6A 00 push 0
0046A8CC . 68 03000000 push 3
0046A8D1 . 68 03000000 push 3
0046A8D6 . BB 98060000 mov ebx,698
....
0046AA3F . E8 F88B0100 call 111.0048363C
0046AA44 . 83C4 10 add esp,10
0046AA47 . 8985 84FFFFFF mov dword ptr ss:[ebp-7C],eax
0046AA4D . 68 01030080 push 80000301
0046AA52 . 6A 00 push 0
0046AA54 . 68 02000000 push 2
0046AA59 . 68 04000080 push 80000004
0046AA5E . 6A 00 push 0
0046AA60 . 68 C04F4000 push 111.00404FC0 ; ASCII "huangfengwei"
0046AA65 . 68 05000080 push 80000005
0046AA6A . 6A 00 push 0
......
0046AAFE . E8 338B0100 call 111.00483636
0046AB03 . 83C4 04 add esp,4
0046AB06 > 68 04000080 push 80000004
0046AB0B . 6A 00 push 0
0046AB0D . 68 CD4F4000 push 111.00404FCD ; ASCII "982722D814EAA7ED370973E37638C9E52A9BB616690A94810E52F6EAAE6D70BB9B801AF419268297615B801DFA49F98EBC0E07C3743C2B5FF9ADC79F5DF56305E622C90C5B1EE58669DA378FE2E7D9930AD5350009C344C997456812A5DAA71B0F8DFC2EBE216FB33D19C19868475E199939B99D91F65"...
0046AB12 . 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-84]
0046AB18 . 81F9 04000080 cmp ecx,80000004
0046AB1E . 74 0D je short 111.0046AB2D
0046AB20 . 68 05000000 push 5
........
0046AC70 . E8 C7890100 call 111.0048363C
0046AC75 . 83C4 10 add esp,10
0046AC78 . 8985 58FFFFFF mov dword ptr ss:[ebp-A8],eax
0046AC7E . DB85 58FFFFFF fild dword ptr ss:[ebp-A8]
0046AC84 . DD9D 58FFFFFF fstp qword ptr ss:[ebp-A8]
0046AC8A . DD85 58FFFFFF fld qword ptr ss:[ebp-A8]
0046AC90 DC db DC//点右键-分析-从模块中删除分析。
0046AC91 0D db 0D
0046AC92 C6 db C6
0046AC93 4E db 4E ; CHAR 'N'
0046AC94 40 db 40 ; CHAR '@'
0046AC95 00 db 00
0046AC96 DD db DD
0046AC97 9D db 9D
0046AC98 58 db 58 ; CHAR 'X'
0046AC99 FF db FF
0046AC9A FF db FF
0046AC9B FF db FF
0046AC9C 68 db 68 ; CHAR 'h'
0046AC9D 01 db 01
0046AC9E 03 db 03
0046AC9F 00 db 00
0046ACA0 80 db 80
...
0046AC9C 68 01030080 push 80000301//还原成这样
0046ACA1 6A 00 push 0
0046ACA3 68 04000000 push 4
0046ACA8 68 01030080 push 80000301
0046ACAD 6A 00 push 0
0046ACAF 68 05000000 push 5
0046ACB4 68 04000080 push 80000004
0046ACB9 6A 00 push 0
0046ACBB 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0046ACBE 85C0 test eax,eax
0046ACC0 75 05 jnz short 111.0046ACC7
0046ACC2 B8 05434000 mov eax,111.00404305
0046ACC7 50 push eax
0046ACC8 68 03000000 push 3
往下来到
0046AFDC 85C0 test eax,eax
0046AFDE 0F84 6B000000 je 111.0046B04F//爆破点1,跟着红线往下看你就是Demo用户,并且读取剩余次数。
0046AFE4 6A 00 push 0
0046AFE6 6A 00 push 0
0046AFE8 6A 00 push 0
0046AFEA 68 04000080 push 80000004
0046AFEF 6A 00 push 0
0046AFF1 68 9D4F4000 push 111.00404F9D ; ASCII "software\afengsoft\wos\yname"
0046AFF6 68 01030080 push 80000301
0046AFFB 6A 00 push 0
0046AFFD 68 03000000 push 3
0046B002 68 03000000 push 3
0046B007 BB 98060000 mov ebx,698
0046B00C E8 2B860100 call 111.0048363C
0046B011 83C4 28 add esp,28
0046B014 8945 B0 mov dword ptr ss:[ebp-50],eax
0046B017 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
0046B01A 85DB test ebx,ebx
0046B01C 74 09 je short 111.0046B027
0046B01E 53 push ebx
0046B01F E8 12860100 call 111.00483636
0046B024 83C4 04 add esp,4
0046B027 8B45 B0 mov eax,dword ptr ss:[ebp-50]
0046B02A 8945 F0 mov dword ptr ss:[ebp-10],eax
0046B02D 6A 00 push 0
0046B02F 68 01000000 push 1
0046B034 6A FF push -1
0046B036 6A 02 push 2
0046B038 68 AA020126 push 260102AA
0046B03D 68 01000152 push 52010001
0046B042 E8 13860100 call 111.0048365A
0046B047 83C4 18 add esp,18
0046B04A E9 E4050000 jmp 111.0046B633
0046B04F 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
0046B052 85DB test ebx,ebx
0046B054 /74 09 je short 111.0046B05F
0046B056 |53 push ebx
0046B057 |E8 DA850100 call 111.00483636
0046B05C |83C4 04 add esp,4
0046B05F \B8 CE504000 mov eax,111.004050CE ; ASCII "DEMO"
0046B064 8945 F0 mov dword ptr ss:[ebp-10],eax
0046B067 68 04000080 push 80000004
0046B06C 6A 00 push 0
0046B06E 68 1C4F4000 push 111.00404F1C ; ASCII "software\afengsoft\wos\used"
0046B073 68 01030080 push 80000301
0046B078 6A 00 push 0
0046B07A 68 03000000 push 3
0046B07F 68 02000000 push 2
0046B084 BB AC060000 mov ebx,6AC
....
0046B1EF /0F84 14000000 je 111.0046B209//这里再次判断,爆破点2
0046B1F5 |E8 49EFFFFF call 111.0046A143
0046B1FA |6A 00 push 0
0046B1FC |E8 17840100 call 111.00483618
0046B201 |83C4 04 add esp,4
0046B204 |E9 FF020000 jmp 111.0046B508
0046B209 \DB45 F8 fild dword ptr ss:[ebp-8]
0046B20C DD5D AC fstp qword ptr ss:[ebp-54]
0046B20F DD45 AC fld qword ptr ss:[ebp-54]
0046B212 DC05 894D4000 fadd qword ptr ds:[404D89]
0046B218 DD5D AC fstp qword ptr ss:[ebp-54]
0046B21B 68 01060080 push 80000601
0046B220 FF75 B0 push dword ptr ss:[ebp-50]
0046B223 FF75 AC push dword ptr ss:[ebp-54]
0046B226 68 04000080 push 80000004
0046B22B 6A 00 push 0
0046B22D 68 1C4F4000 push 111.00404F1C ; ASCII "software\afengsoft\wos\used"//读取剩余次数
0046B232 68 01030080 push 80000301
0046B237 6A 00 push 0
0046B239 68 03000000 push 3
0046B23E 68 03000000 push 3
0046B243 BB A4060000 mov ebx,6A4
爆破一
0046AFDE 0F84 6B000000 je 111.0046B04F
改为
0046AFDE 0F85 6B000000 jne 111.0046B04F
爆破二
0046B1EF 0F84 14000000 je 111.0046B209
0046B1EF 0F85 14000000 jne 111.0046B209
小弟找不到自校验比较的地方,请各位高手,斑竹指教指教/:D[PHP]
Windows优化精灵 3.4
软件大小:3344KB
软件语言:简体中文
软件类别:国产软件/共享版/系统加强
运行环境:Win9x/Me/NT/2000/XP
软件介绍:
Windows优化精灵是一款强大的操作系统设置软件。个性化的设置满足初学者及设置高手们的需求。
Windows优化精灵为您提供系统修复、个性设置、IE安全、网络优化、系统优化等方面的设置,它还包揽
了系统垃圾文件清理、文件夹伪装实用功能,在使你系统清新的同时还可伪装保护你的文件。您是否还在
为Windows多种设置、Windows优化而烦恼?Windows优化精灵可以为您的Windows98/2000/ME/XP/2003操
作系统提供全方位的服务!Windows优化精灵内置的系统信息检测可显示操作系统及硬件设备的大量信
息,并且集合了进程管理。目前Windows优化精灵提供了系统信息、系统修复、系统优化(磁盘缓存优化,
网络优化,文件系统/多媒体优化,桌面/菜单优化)、美化桌面、个性设置(IE背景设置,文件夹伪装,开机
提示,任务栏加文字信息)、ie设置、高级隐藏(磁盘隐藏,开始菜单隐藏)等功能设置。
下载地址:华军软件园
用peid查看发现是:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
OD载入脱壳
004895C0 W> 60 pushad
004895C1 BE 00F04500 mov esi,Windows?0045F000
004895C6 8DBE 0020FAFF lea edi,dword ptr ds:[esi+FFFA200>
004895CC 57 push edi
004895CD 83CD FF or ebp,FFFFFFFF
004895D0 EB 10 jmp short Windows?004895E2
004895D2 90 nop
004895D3 90 nop
004895D4 90 nop
004895D5 90 nop
004895D6 90 nop
004895D7 90 nop
004895D8 8A06 mov al,byte ptr ds:[esi]
004895DA 46 inc esi
004895DB 8807 mov byte ptr ds:[edi],al
004895DD 47 inc edi
004895DE 01DB add ebx,ebx
004895E0 75 07 jnz short Windows?004895E9
004895E2 8B1E mov ebx,dword ptr ds:[esi]
004895E4 83EE FC sub esi,-4
004895E7 11DB adc ebx,ebx
004895E9 ^ 72 ED jb short Windows?004895D8
004895EB B8 01000000 mov eax,1
004895F0 01DB add ebx,ebx
004895F2 75 07 jnz short Windows?004895FB
004895F4 8B1E mov ebx,dword ptr ds:[esi]
004895F6 83EE FC sub esi,-4
004895F9 11DB adc ebx,ebx
004895FB 11C0 adc eax,eax
004895FD 01DB add ebx,ebx
004895FF 73 0B jnb short Windows?0048960C
00489601 75 28 jnz short Windows?0048962B
00489603 8B1E mov ebx,dword ptr ds:[esi]
00489605 83EE FC sub esi,-4
00489608 11DB adc ebx,ebx
0048960A 72 1F jb short Windows?0048962B
0048960C 48 dec eax
0048960D 01DB add ebx,ebx
0048960F 75 07 jnz short Windows?00489618
00489611 8B1E mov ebx,dword ptr ds:[esi]
00489613 83EE FC sub esi,-4
00489616 11DB adc ebx,ebx
00489618 11C0 adc eax,eax
0048961A ^ EB D4 jmp short Windows?004895F0
0048961C 01DB add ebx,ebx
0048961E 75 07 jnz short Windows?00489627
00489620 8B1E mov ebx,dword ptr ds:[esi]
00489622 83EE FC sub esi,-4
00489625 11DB adc ebx,ebx
00489627 11C9 adc ecx,ecx
00489629 EB 52 jmp short Windows?0048967D
0048962B 31C9 xor ecx,ecx
0048962D 83E8 03 sub eax,3
00489630 72 11 jb short Windows?00489643
00489632 C1E0 08 shl eax,8
00489635 8A06 mov al,byte ptr ds:[esi]
00489637 46 inc esi
00489638 83F0 FF xor eax,FFFFFFFF
0048963B 74 75 je short Windows?004896B2
0048963D D1F8 sar eax,1
0048963F 89C5 mov ebp,eax
00489641 EB 0B jmp short Windows?0048964E
00489643 01DB add ebx,ebx
00489645 75 07 jnz short Windows?0048964E
00489647 8B1E mov ebx,dword ptr ds:[esi]
00489649 83EE FC sub esi,-4
0048964C 11DB adc ebx,ebx
0048964E ^ 72 CC jb short Windows?0048961C
00489650 41 inc ecx
00489651 01DB add ebx,ebx
00489653 75 07 jnz short Windows?0048965C
00489655 8B1E mov ebx,dword ptr ds:[esi]
00489657 83EE FC sub esi,-4
0048965A 11DB adc ebx,ebx
0048965C ^ 72 BE jb short Windows?0048961C
0048965E 01DB add ebx,ebx
00489660 75 07 jnz short Windows?00489669
00489662 8B1E mov ebx,dword ptr ds:[esi]
00489664 83EE FC sub esi,-4
00489667 11DB adc ebx,ebx
00489669 11C9 adc ecx,ecx
0048966B 01DB add ebx,ebx
0048966D ^ 73 EF jnb short Windows?0048965E
0048966F 75 09 jnz short Windows?0048967A
00489671 8B1E mov ebx,dword ptr ds:[esi]
00489673 83EE FC sub esi,-4
00489676 11DB adc ebx,ebx
00489678 ^ 73 E4 jnb short Windows?0048965E
0048967A 83C1 02 add ecx,2
0048967D 81FD 00FBFFFF cmp ebp,-500
00489683 83D1 02 adc ecx,2
00489686 8D142F lea edx,dword ptr ds:[edi+ebp]
00489689 83FD FC cmp ebp,-4
0048968C 76 0E jbe short Windows?0048969C
0048968E 8A02 mov al,byte ptr ds:[edx]
00489690 42 inc edx
00489691 8807 mov byte ptr ds:[edi],al
00489693 47 inc edi
00489694 49 dec ecx
00489695 ^ 75 F7 jnz short Windows?0048968E
00489697 ^ E9 42FFFFFF jmp Windows?004895DE
0048969C 8B02 mov eax,dword ptr ds:[edx]
0048969E 83C2 04 add edx,4
004896A1 8907 mov dword ptr ds:[edi],eax
004896A3 83C7 04 add edi,4
004896A6 83E9 04 sub ecx,4
004896A9 ^ 77 F1 ja short Windows?0048969C
004896AB 01CF add edi,ecx
004896AD ^ E9 2CFFFFFF jmp Windows?004895DE
004896B2 5E pop esi
004896B3 89F7 mov edi,esi
004896B5 B9 11000000 mov ecx,11
004896BA 8A07 mov al,byte ptr ds:[edi]
004896BC 47 inc edi
004896BD 2C E8 sub al,0E8
004896BF 3C 01 cmp al,1
004896C1 ^ 77 F7 ja short Windows?004896BA
004896C3 803F 00 cmp byte ptr ds:[edi],0
004896C6 ^ 75 F2 jnz short Windows?004896BA
004896C8 8B07 mov eax,dword ptr ds:[edi]
004896CA 8A5F 04 mov bl,byte ptr ds:[edi+4]
004896CD 66:C1E8 08 shr ax,8
004896D1 C1C0 10 rol eax,10
004896D4 86C4 xchg ah,al
004896D6 29F8 sub eax,edi
004896D8 80EB E8 sub bl,0E8
004896DB 01F0 add eax,esi
004896DD 8907 mov dword ptr ds:[edi],eax
004896DF 83C7 05 add edi,5
004896E2 88D8 mov al,bl
004896E4 ^ E2 D9 loopd short Windows?004896BF
004896E6 8DBE 00700800 lea edi,dword ptr ds:[esi+87000]
004896EC 8B07 mov eax,dword ptr ds:[edi]
004896EE 09C0 or eax,eax
004896F0 74 3C je short Windows?0048972E
004896F2 8B5F 04 mov ebx,dword ptr ds:[edi+4]
004896F5 8D8430 109F0800 lea eax,dword ptr ds:[eax+esi+89F>
004896FC 01F3 add ebx,esi
004896FE 50 push eax
004896FF 83C7 08 add edi,8
00489702 FF96 609F0800 call dword ptr ds:[esi+89F60]
00489708 95 xchg eax,ebp
00489709 8A07 mov al,byte ptr ds:[edi]
0048970B 47 inc edi
0048970C 08C0 or al,al
0048970E ^ 74 DC je short Windows?004896EC
00489710 89F9 mov ecx,edi
00489712 57 push edi
00489713 48 dec eax
00489714 F2:AE repne scas byte ptr es:[edi]
00489716 55 push ebp
00489717 FF96 649F0800 call dword ptr ds:[esi+89F64]
0048971D 09C0 or eax,eax
0048971F 74 07 je short Windows?00489728
00489721 8903 mov dword ptr ds:[ebx],eax
00489723 83C3 04 add ebx,4
00489726 ^ EB E1 jmp short Windows?00489709
00489728 FF96 689F0800 call dword ptr ds:[esi+89F68]
0048972E 61 popad
0048972F - E9 CC78F7FF jmp Windows?00401000 //jmp oep
入口点
00401000 E8 06000000 call Windows?0040100B///易语言入口,直接用Od的插件脱壳,重建输入表方式选择1
00401005 50 push eax
00401006 E8 A1010000 call Windows?004011AC ; jmp to kernel32.ExitProcess
0040100B 55 push ebp
0040100C 8BEC mov ebp,esp
0040100E 81C4 F0FEFFFF add esp,-110
00401014 EB 6D jmp short Windows?00401083
00401016 6B72 6E 6C imul esi,dword ptr ds:[edx+6E],6C
0040101A 6E outs dx,byte ptr es:[edi]
0040101B 2E:66:6E outs dx,byte ptr es:[edi]
0040101E 72 00 jb short Windows?00401020
00401020 6B72 6E 6C imul esi,dword ptr ds:[edx+6E],6C
00401024 6E outs dx,byte ptr es:[edi]
运行脱壳后的程序,屏幕一闪就退出了。
原来是有20次试用限制。
[HKEY_CURRENT_USER\Software\afengsoft\wos]
"used"=dword:00000006
删除该键值就又可以试用20次。
解除自校验,这个就不是很简单,费了一些功夫。
首先在退出的一瞬间看清程序提示授权为Demo版并判断使用次数,眼睛要快。这说明自校验在注册判断之后,所以先注册程序。
OD载入程序。
命令行下
bp CreateFileA
F9运行
77E5B476 k> 55 push ebp
77E5B477 8BEC mov ebp,esp
77E5B479 FF75 08 push dword ptr ss:[ebp+8]
77E5B47C E8 11FFFFFF call kernel32.77E5B392
77E5B481 85C0 test eax,eax
77E5B483 0F84 A3FF0100 je kernel32.77E7B42C
按到第299下时堆栈窗口显示
0012FC8C 0046B7BA /CALL 到 CreateFileA 来自 Windows?0046B7B5
0012FC90 00200640 |FileName = "\\.\NTICE" //每按一次F9检查一种调试器。
0012FC94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FC98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FC9C 00000000 |pSecurity = NULL
0012FCA0 00000003 |Mode = OPEN_EXISTING
0012FCA4 00000080 |Attributes = NORMAL
0012FCA8 00000000 \hTemplateFile = NULL
继续
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\SIWVID"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\SICE"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\SIWDEBUG"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\NTiceD052"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\NTiced155"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\TRWDEBUG"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\TRW"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\TRW2000"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\TWX2002"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\SUPERBPM"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\BW2K"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\ICEDUMP"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\REGVXD"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
0012FB8C 0046E865 /CALL 到 CreateFileA 来自 111.0046E860
0012FB90 00214158 |FileName = "\\.\FILEVXD"
0012FB94 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FB98 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FB9C 00000000 |pSecurity = NULL
0012FBA0 00000003 |Mode = OPEN_EXISTING
0012FBA4 00000080 |Attributes = NORMAL
0012FBA8 00000000 \hTemplateFile = NULL
再按F9程序运行,ALT+F9返回
0046E860 . E8 EF4D0100 call 111.00483654
0046E865 . 3965 E8 cmp dword ptr ss:[ebp-18],esp//Alt+F9到这里
0046E868 . 74 0D je short 111.0046E877
Ctrl+F9 返回,根据 OD 信息栏提示返回。按了 1 次 Ctrl+F9
0046EC72 C3 RETN
返回到
0046A41C . E8 C6420000 call 111.0046E6E7
0046A421 . 8945 AC mov dword ptr ss:[ebp-54],eax
0046A424 . 837D AC 01 cmp dword ptr ss:[ebp-54],1
0046A428 . 0F85 0F000000 jnz 111.0046A43D //改为jmp.
0046A42E . 6A 00 push 0
0046A430 . E8 E3910100 call 111.00483618
0046A435 . 83C4 04 add esp,4
0046A438 . E9 00000000 jmp 111.0046A43D
0046A43D > 68 04000080 push 80000004
0046A442 . 6A 00 push 0
0046A444 . 8D45 FC lea eax,dword ptr ss:[ebp-4]
0046A447 . 50 push eax
0046A448 . 68 01000000 push 1
0046A44D . BB 00010000 mov ebx,100
0046A452 . E8 E5910100 call 111.0048363C
0046A457 . 83C4 10 add esp,10
0046A45A . 8B5D FC mov ebx,dword ptr ss:[ebp-4]
0046A45D . E8 CDCDFFFF call 111.0046722F
0046A462 . 8945 AC mov dword ptr ss:[ebp-54],eax
0046A465 . 837D AC 00 cmp dword ptr ss:[ebp-54],0
0046A469 . 0F8E F9000000 jle 111.0046A568
0046A568 > \C745 B0 00000000 mov dword ptr ss:[ebp-50],0
0046A56F . 6A 00 push 0 ; /Arg2 = 00000000
0046A571 . FF75 B0 push dword ptr ss:[ebp-50] ; |Arg1
0046A574 . E8 FA460000 call 111.0046EC73 ; \111.0046EC73
0046A579 . 6A 00 push 0
0046A57B . 6A 00 push 0
0046A57D . 6A 00 push 0
0046A57F . 68 04000080 push 80000004
0046A584 . 6A 00 push 0
0046A586 . 68 1C4F4000 push 111.00404F1C ; ASCII "software\afengsoft\wos\used"
0046A58B . 68 01030080 push 80000301
0046A590 . 6A 00 push 0
0046A592 . 68 03000000 push 3
0046A597 . 68 03000000 push 3
0046A59C . BB 9C060000 mov ebx,69C
0046A5A1 . E8 96900100 call 111.0048363C
0046A5A6 . 83C4 28 add esp,28
0046A5A9 . 8945 F8 mov dword ptr ss:[ebp-8],eax
.......
0046A6C7 > \85C0 test eax,eax
0046A6C9 . 0F84 14000000 je 111.0046A6E3 // 改为jmp
0046A6CF . E8 6FFAFFFF call 111.0046A143
0046A6D4 . 6A 00 push 0
0046A6D6 . E8 3D8F0100 call 111.00483618
0046A6DB . 83C4 04 add esp,4
0046A6DE . E9 00000000 jmp 111.0046A6E3
0046A6E3 > 6A 00 push 0
0046A6E5 . 6A 00 push 0
0046A6E7 . 6A 00 push 0
0046A6E9 . 68 04000080 push 80000004
0046A6EE . 6A 00 push 0
0046A6F0 . 68 604F4000 push 111.00404F60 ; ASCII "software\afengsoft\wos\pwl"//注意这个键值,可以伪造注册用户名,现在当然没有。
0046A6F5 . 68 01030080 push 80000301
0046A6FA . 6A 00 push 0
0046A6FC . 68 03000000 push 3
...
0046A786 > \6A 00 push 0
0046A788 . 6A 00 push 0
0046A78A . 6A 00 push 0
0046A78C . 68 04000080 push 80000004
0046A791 . 6A 00 push 0
0046A793 . 68 7B4F4000 push 111.00404F7B ; ASCII "software\afengsoft\wos\productkey"//这个也没有。
0046A798 . 68 01030080 push 80000301
0046A79D . 6A 00 push 0
0046A79F . 68 03000000 push 3
0046A7A4 . 68 03000000 push 3
0046A7A9 . BB 98060000 mov ebx,698
0046A7AE . E8 898E0100 call 111.0048363C
F8往下,进入另一个调试器的检测
0012F924 1000DAC1 /CALL 到 CreateFileA 来自 krnln.1000DABB
0012F928 100D6FCC |FileName = "\\.\PhysicalDrive0"
0012F92C C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012F930 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012F934 00000000 |pSecurity = NULL
Alt+F9返回,Ctrl+F9
1000DB8B C3 retn
1000DC14 C3 retn
10065AE0 C3 retn
10028858 C3 retn
Ctrl+F9,F8
0046A8AB . E8 868D0100 call 111.00483636
0046A8B0 . 83C4 04 add esp,4
0046A8B3 > 6A 00 push 0
0046A8B5 . 6A 00 push 0
0046A8B7 . 6A 00 push 0
0046A8B9 . 68 04000080 push 80000004
0046A8BE . 6A 00 push 0
0046A8C0 . 68 9D4F4000 push 111.00404F9D ; ASCII "software\afengsoft\wos\yname"
0046A8C5 . 68 01030080 push 80000301
0046A8CA . 6A 00 push 0
0046A8CC . 68 03000000 push 3
0046A8D1 . 68 03000000 push 3
0046A8D6 . BB 98060000 mov ebx,698
....
0046AA3F . E8 F88B0100 call 111.0048363C
0046AA44 . 83C4 10 add esp,10
0046AA47 . 8985 84FFFFFF mov dword ptr ss:[ebp-7C],eax
0046AA4D . 68 01030080 push 80000301
0046AA52 . 6A 00 push 0
0046AA54 . 68 02000000 push 2
0046AA59 . 68 04000080 push 80000004
0046AA5E . 6A 00 push 0
0046AA60 . 68 C04F4000 push 111.00404FC0 ; ASCII "huangfengwei"
0046AA65 . 68 05000080 push 80000005
0046AA6A . 6A 00 push 0
......
0046AAFE . E8 338B0100 call 111.00483636
0046AB03 . 83C4 04 add esp,4
0046AB06 > 68 04000080 push 80000004
0046AB0B . 6A 00 push 0
0046AB0D . 68 CD4F4000 push 111.00404FCD ; ASCII "982722D814EAA7ED370973E37638C9E52A9BB616690A94810E52F6EAAE6D70BB9B801AF419268297615B801DFA49F98EBC0E07C3743C2B5FF9ADC79F5DF56305E622C90C5B1EE58669DA378FE2E7D9930AD5350009C344C997456812A5DAA71B0F8DFC2EBE216FB33D19C19868475E199939B99D91F65"...
0046AB12 . 8B8D 7CFFFFFF mov ecx,dword ptr ss:[ebp-84]
0046AB18 . 81F9 04000080 cmp ecx,80000004
0046AB1E . 74 0D je short 111.0046AB2D
0046AB20 . 68 05000000 push 5
........
0046AC70 . E8 C7890100 call 111.0048363C
0046AC75 . 83C4 10 add esp,10
0046AC78 . 8985 58FFFFFF mov dword ptr ss:[ebp-A8],eax
0046AC7E . DB85 58FFFFFF fild dword ptr ss:[ebp-A8]
0046AC84 . DD9D 58FFFFFF fstp qword ptr ss:[ebp-A8]
0046AC8A . DD85 58FFFFFF fld qword ptr ss:[ebp-A8]
0046AC90 DC db DC//点右键-分析-从模块中删除分析。
0046AC91 0D db 0D
0046AC92 C6 db C6
0046AC93 4E db 4E ; CHAR 'N'
0046AC94 40 db 40 ; CHAR '@'
0046AC95 00 db 00
0046AC96 DD db DD
0046AC97 9D db 9D
0046AC98 58 db 58 ; CHAR 'X'
0046AC99 FF db FF
0046AC9A FF db FF
0046AC9B FF db FF
0046AC9C 68 db 68 ; CHAR 'h'
0046AC9D 01 db 01
0046AC9E 03 db 03
0046AC9F 00 db 00
0046ACA0 80 db 80
...
0046AC9C 68 01030080 push 80000301//还原成这样
0046ACA1 6A 00 push 0
0046ACA3 68 04000000 push 4
0046ACA8 68 01030080 push 80000301
0046ACAD 6A 00 push 0
0046ACAF 68 05000000 push 5
0046ACB4 68 04000080 push 80000004
0046ACB9 6A 00 push 0
0046ACBB 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0046ACBE 85C0 test eax,eax
0046ACC0 75 05 jnz short 111.0046ACC7
0046ACC2 B8 05434000 mov eax,111.00404305
0046ACC7 50 push eax
0046ACC8 68 03000000 push 3
往下来到
0046AFDC 85C0 test eax,eax
0046AFDE 0F84 6B000000 je 111.0046B04F//爆破点1,跟着红线往下看你就是Demo用户,并且读取剩余次数。
0046AFE4 6A 00 push 0
0046AFE6 6A 00 push 0
0046AFE8 6A 00 push 0
0046AFEA 68 04000080 push 80000004
0046AFEF 6A 00 push 0
0046AFF1 68 9D4F4000 push 111.00404F9D ; ASCII "software\afengsoft\wos\yname"
0046AFF6 68 01030080 push 80000301
0046AFFB 6A 00 push 0
0046AFFD 68 03000000 push 3
0046B002 68 03000000 push 3
0046B007 BB 98060000 mov ebx,698
0046B00C E8 2B860100 call 111.0048363C
0046B011 83C4 28 add esp,28
0046B014 8945 B0 mov dword ptr ss:[ebp-50],eax
0046B017 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
0046B01A 85DB test ebx,ebx
0046B01C 74 09 je short 111.0046B027
0046B01E 53 push ebx
0046B01F E8 12860100 call 111.00483636
0046B024 83C4 04 add esp,4
0046B027 8B45 B0 mov eax,dword ptr ss:[ebp-50]
0046B02A 8945 F0 mov dword ptr ss:[ebp-10],eax
0046B02D 6A 00 push 0
0046B02F 68 01000000 push 1
0046B034 6A FF push -1
0046B036 6A 02 push 2
0046B038 68 AA020126 push 260102AA
0046B03D 68 01000152 push 52010001
0046B042 E8 13860100 call 111.0048365A
0046B047 83C4 18 add esp,18
0046B04A E9 E4050000 jmp 111.0046B633
0046B04F 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
0046B052 85DB test ebx,ebx
0046B054 /74 09 je short 111.0046B05F
0046B056 |53 push ebx
0046B057 |E8 DA850100 call 111.00483636
0046B05C |83C4 04 add esp,4
0046B05F \B8 CE504000 mov eax,111.004050CE ; ASCII "DEMO"
0046B064 8945 F0 mov dword ptr ss:[ebp-10],eax
0046B067 68 04000080 push 80000004
0046B06C 6A 00 push 0
0046B06E 68 1C4F4000 push 111.00404F1C ; ASCII "software\afengsoft\wos\used"
0046B073 68 01030080 push 80000301
0046B078 6A 00 push 0
0046B07A 68 03000000 push 3
0046B07F 68 02000000 push 2
0046B084 BB AC060000 mov ebx,6AC
....
0046B1EF /0F84 14000000 je 111.0046B209//这里再次判断,爆破点2
0046B1F5 |E8 49EFFFFF call 111.0046A143
0046B1FA |6A 00 push 0
0046B1FC |E8 17840100 call 111.00483618
0046B201 |83C4 04 add esp,4
0046B204 |E9 FF020000 jmp 111.0046B508
0046B209 \DB45 F8 fild dword ptr ss:[ebp-8]
0046B20C DD5D AC fstp qword ptr ss:[ebp-54]
0046B20F DD45 AC fld qword ptr ss:[ebp-54]
0046B212 DC05 894D4000 fadd qword ptr ds:[404D89]
0046B218 DD5D AC fstp qword ptr ss:[ebp-54]
0046B21B 68 01060080 push 80000601
0046B220 FF75 B0 push dword ptr ss:[ebp-50]
0046B223 FF75 AC push dword ptr ss:[ebp-54]
0046B226 68 04000080 push 80000004
0046B22B 6A 00 push 0
0046B22D 68 1C4F4000 push 111.00404F1C ; ASCII "software\afengsoft\wos\used"//读取剩余次数
0046B232 68 01030080 push 80000301
0046B237 6A 00 push 0
0046B239 68 03000000 push 3
0046B23E 68 03000000 push 3
0046B243 BB A4060000 mov ebx,6A4
爆破一
0046AFDE 0F84 6B000000 je 111.0046B04F
改为
0046AFDE 0F85 6B000000 jne 111.0046B04F
爆破二
0046B1EF 0F84 14000000 je 111.0046B209
0046B1EF 0F85 14000000 jne 111.0046B209
小弟找不到自校验比较的地方,请各位高手、斑竹指教指教 /:D