[Old post] [Original] Notes on cracking the NCP VPN Vista client
Posted: 2008-12-25 07:53
I recently got a Vista 64-bit laptop. The Cisco VPN client won't run on it, but I found that the NCP-e VPN client runs on Vista 32/64. After 30 days it stopped working, though; vpnc only runs under Cygwin and isn't very stable, so there was nothing for it but to do it myself. hoho
After tracing for a few days I found that ncpcfg.dll is called by another process/service, which repeatedly sets the expiry. That program operates on ncp.db through ncpcfg.dll; SecondsOfTrial is 2592000 (30 days in seconds), and SecondsOfInstall is the installation date in seconds (encoded). I didn't have time to trace the algorithm. hehe. At install/first start the program sets SetSecondsOfInstall to 1, meaning SecondsOfInstall is present. At run time it compares the current time with the install time, and once more than 30 days have passed it refuses to run.
The key code is:
:100025D4 85FF test edi, edi -- check whether SecondsOfInstall is present
:100025D6 7534 jne 1000260C -- if it is, go to 1000260C
:100025D8 83FD01 cmp ebp, 00000001 -- is SetSecondsOfInstall set to 1?
:100025DB 752F jne 1000260C -- if it is not 1, go to 1000260C
The simple way is to change all of the above to 90 (nop); then it never expires. I really had no time to analyse the algorithm. Please forgive me. :-)
Details follow.
* Possible StringData Ref from Data Obj ->"SecondsOfTrial"
|
:1000256A 68BCCB0110 push 1001CBBC
:1000256F 56 push esi
* Reference To: ncpcfg.CfgReadParam
|
:10002570 E8D6EAFFFF call 1000104B
:10002575 8D442420 lea eax, dword ptr [esp+20]
:10002579 50 push eax
:1000257A E8D7300000 call 10005656
:1000257F 8D4C2424 lea ecx, dword ptr [esp+24]
:10002583 8BD8 mov ebx, eax
:10002585 51 push ecx
:10002586 68FF000000 push 000000FF
* Possible StringData Ref from Data Obj ->"SetSecondsOfInstall"
|
:1000258B 6820CC0110 push 1001CC20
:10002590 56 push esi
* Reference To: ncpcfg.CfgReadParam
|
:10002591 E8B5EAFFFF call 1000104B
:10002596 83C424 add esp, 00000024
:10002599 85C0 test eax, eax -- result of reading SetSecondsOfInstall
:1000259B 7511 jne 100025AE -- was SetSecondsOfInstall already set?
:1000259D 8D542410 lea edx, dword ptr [esp+10] -- read succeeded; parse the value
:100025A1 52 push edx
:100025A2 E8AF300000 call 10005656
:100025A7 83C404 add esp, 00000004
:100025AA 8BE8 mov ebp, eax
:100025AC EB02 jmp 100025B0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000259B(C)
|
:100025AE 33ED xor ebp, ebp -- ebp = 0, meaning SetSecondsOfInstall is not set
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100025AC(U)
|
:100025B0 8D442410 lea eax, dword ptr [esp+10] -- read SecondsOfInstall into the buffer at esp+10
:100025B4 50 push eax
:100025B5 68FF000000 push 000000FF
* Possible StringData Ref from Data Obj ->"SecondsOfInstall"
|
:100025BA 68A8CB0110 push 1001CBA8
:100025BF 56 push esi
* Reference To: ncpcfg.CfgReadParam
|
:100025C0 E886EAFFFF call 1000104B
:100025C5 8D4C2420 lea ecx, dword ptr [esp+20]
:100025C9 51 push ecx
:100025CA E887300000 call 10005656 -- returns the encoded value in EAX
:100025CF 8BF8 mov edi, eax -- into EDI for the comparison
:100025D1 83C414 add esp, 00000014
:100025D4 85FF test edi, edi -- check whether SecondsOfInstall is present
:100025D6 7534 jne 1000260C -- if it is, go to 1000260C
:100025D8 83FD01 cmp ebp, 00000001 -- is SetSecondsOfInstall set to 1?
:100025DB 752F jne 1000260C -- if it is not 1, go to 1000260C
:100025DD E87E190000 call 10003F60 -- current time in seconds
:100025E2 8BF8 mov edi, eax
:100025E4 E877190000 call 10003F60
:100025E9 50 push eax
:100025EA 8D542414 lea edx, dword ptr [esp+14]
* Possible StringData Ref from Data Obj ->"%lu"
|
:100025EE 68F0CB0110 push 1001CBF0
:100025F3 52 push edx
:100025F4 E8EC280000 call 10004EE5
:100025F9 8D44241C lea eax, dword ptr [esp+1C]
:100025FD 50 push eax
* Possible StringData Ref from Data Obj ->"SecondsOfInstall"
|
:100025FE 68A8CB0110 push 1001CBA8
:10002603 56 push esi
* Reference To: ncpcfg.CfgWriteParam -- write the install date
|
:10002604 E84CEAFFFF call 10001055
:10002609 83C418 add esp, 00000018
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:100025D6(C), :100025DB(C)
|
:1000260C E84F190000 call 10003F60
:10002611 3BC7 cmp eax, edi
:10002613 7204 jb 10002619
:10002615 2BC7 sub eax, edi
:10002617 EB03 jmp 1000261C
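As an added illustration (not code from the post or from NCP), here is the check at 1000256A..10002617 read back as C, with ncp.db replaced by a constructed in-memory parameter store; cfg_read_param and cfg_write_param are stand-ins following the convention the listing shows for CfgReadParam/CfgWriteParam (zero return = found), and the code beyond 10002617, which the post does not show, is assumed to compare the elapsed seconds with SecondsOfTrial. Seen this way the weakness of the design is plain: the whole trial state lives in three readable parameters and the only guard is a pair of conditional jumps.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct param { char key[32]; char val[32]; };
struct cfg { struct param p[8]; int n; };   /* constructed in-memory stand-in for ncp.db */
/* Stand-in for ncpcfg.CfgReadParam as the listing uses it: 0 = found, non-zero = absent. */
static int cfg_read_param(const struct cfg *c, const char *key, char *out, size_t n) {
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->p[i].key, key) == 0) { snprintf(out, n, "%s", c->p[i].val); return 0; }
    return 1;
}
/* Stand-in for ncpcfg.CfgWriteParam: insert or overwrite a parameter. */
static int cfg_write_param(struct cfg *c, const char *key, const char *val) {
    int i = 0;
    while (i < c->n && strcmp(c->p[i].key, key) != 0) i++;
    if (i == 8) return 1;                                           /* store full */
    if (i == c->n) { snprintf(c->p[i].key, sizeof c->p[i].key, "%s", key); c->n++; }
    snprintf(c->p[i].val, sizeof c->p[i].val, "%s", val);
    return 0;
}
/* The check at 1000256A..10002617. Returns 1 while the trial is valid, 0 once expired. */
int trial_check(struct cfg *c, unsigned long now) {
    char buf[256];
    unsigned long trial = 0, set_flag = 0, install = 0;             /* ebx, ebp, edi */
    if (cfg_read_param(c, "SecondsOfTrial", buf, sizeof buf) == 0) trial = strtoul(buf, NULL, 10);
    if (cfg_read_param(c, "SetSecondsOfInstall", buf, sizeof buf) == 0) set_flag = strtoul(buf, NULL, 10);
    if (cfg_read_param(c, "SecondsOfInstall", buf, sizeof buf) == 0) install = strtoul(buf, NULL, 10);
    /* 100025D4..100025DB: no install time yet and flag == 1 -> record "now" via the "%lu" write. */
    if (install == 0 && set_flag == 1) {
        install = now;
        snprintf(buf, sizeof buf, "%lu", now);
        cfg_write_param(c, "SecondsOfInstall", buf);
    }
    /* 1000260C..10002617: the jb guards the subtraction if the clock went backwards. */
    unsigned long elapsed = (now < install) ? 0 : now - install;   /* 10002619 path assumed to give 0 */
    return elapsed <= trial;                                       /* comparison at 1000261C assumed */
}
/* Builds a store from optional values (NULL = absent) and runs one check. Return bits: 1 = trial valid, 2 = this run wrote SecondsOfInstall. */
int scenario(const char *trial, const char *flag, const char *install, unsigned long now) {
    struct cfg c = {0}; char before[32] = "", after[32] = "";
    if (trial) cfg_write_param(&c, "SecondsOfTrial", trial);
    if (flag) cfg_write_param(&c, "SetSecondsOfInstall", flag);
    if (install) cfg_write_param(&c, "SecondsOfInstall", install);
    cfg_read_param(&c, "SecondsOfInstall", before, sizeof before);
    int ok = trial_check(&c, now);
    cfg_read_param(&c, "SecondsOfInstall", after, sizeof after);
    return ok | (strcmp(before, after) != 0 ? 2 : 0);
}
```

Note that when both the flag and the install time are absent, elapsed becomes the full current epoch time and the check reports expired without writing anything, which matches the jne paths at 100025D6/100025DB.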