医学软件Simplant pro 13.0的License Administrator新手破解,途中遇到一些困难
最近想破解医学软件 Simplant Pro 13.0。这个软件有一个用于获取 floating license 的子程序 License Administrator(附件可下载)。按照常规步骤,我先运行软件了解它的运作模式:软件会自动计算出本机的 Computer ID,然后要求我填入 password;如果输入错误,会弹出错误对话框“Add Licenses failed … Bad license …”。接着我把它载入 OD(OllyDbg),用暂停法找到了弹出这个错误对话框的 Call,再回退到程序领空,找到了好几个可以跳过这个 Call 的跳转。该段反汇编代码如下:
; LicAdmin.00404DB0 -- "add licenses" routine of the SimPlant License Administrator (MFC80U build,
; __thiscall: `this` arrives in ecx and is kept in ebx).
; Shape of the routine, as far as this listing shows:
;   00404DB0-00404DD1  MSVC C++ exception-frame registration (push -1 / scope table 0042AA7D / fs:[0])
;                      plus a stack cookie (ds:[00446A70] xor esp).
;   00404E40           loop head: fetch the next license item via LicAdmin.0040F040
;                      (five caller-cleaned args, see add esp,0x14).
;   00404EBF           virtual call through [[this+0x138]]+0x1C. Its return value (esi) is the only
;                      thing in this routine that decides between "continue silently" (esi >= 0)
;                      and one of the two error paths; the acceptance decision itself is in the callee.
;   00404ED0-00404FFE  esi == -8: walk an array (layout consistent with an MFC CArray: vptr/m_pData/
;                      m_nSize at [esp+0x50]/[esp+0x54]/[esp+0x58]) and format
;                      "%s v%s (%s) already exists" for every element.
;   00405016           "Add Licenses failed" dialog (MFC80U ordinal #1118), then back to the loop head.
;   004050B1           normal exit: destructors, LicAdmin.00403480(this), free(m_pData), retn.
;   00405108           out-of-range index -> tail jump into MFC80U ordinal #1176.
; Bracketed memory operands ([esp+..], [ebx+..], fs:[0]) were stripped when this page was extracted;
; where a comment below names one, it was decoded from the opcode bytes in the second column.
; MFC80U is imported by ordinal only; the ctor/dtor/accessor readings below are inferred from call
; shape (ecx = object, number of pushed args) and are marked "shape of".
; EH frame: push -1 (initial trylevel), scope table address, old fs:[0]; the record is installed
; at [esp+0x64] (8D4424 64) as the new fs:[0].
00404DB0 .6A FF push -0x1
00404DB2 .68 7DAA4200 push LicAdmin.0042AA7D
00404DB7 .64:A1 0000000>mov eax,dword ptr fs:
00404DBD .50 push eax
00404DBE .83EC 50 sub esp,0x50
00404DC1 .53 push ebx
00404DC2 .55 push ebp
00404DC3 .56 push esi
00404DC4 .57 push edi
; stack cookie: security cookie global at ds:[00446A70] xor esp, pushed below the saved registers
00404DC5 .A1 706A4400 mov eax,dword ptr ds:
00404DCA .33C4 xor eax,esp
00404DCC .50 push eax
00404DCD .8D4424 64 lea eax,dword ptr ss:
00404DD1 .64:A3 0000000>mov dword ptr fs:,eax
; ebx = this; also saved to [esp+0x30] (895C24 30) and restored from there at 00405008 after the
; inner loop clobbers ebx. Members used below: this+0x468 (string copied at 00404E25),
; this+0x138 (object whose vtable slot +0x1C is called at 00404EBF), this+0x158 (passed to 00414F30).
00404DD7 .8BD9 mov ebx,ecx
00404DD9 .895C24 30 mov dword ptr ss:,ebx
; MFC80U ordinal #6232 with the single argument 1 -- purpose not resolvable from this listing
00404DDD .6A 01 push 0x1
00404DDF .E8 BC3F0200 call <jmp.&MFC80U.#6232>
; edi = 0. It is 0 on every entry to the loop head at 00404E40: the only code that changes it is the
; inner loop at 00404EDC-00404FFE, and 00405016 clears it again before jumping back.
; Four dword locals are zeroed and [esp+0x50] receives an address constant (truncated in the listing;
; 004050E1 writes another constant to the same slot right before return). Together with the data
; pointer at [esp+0x54] and the count at [esp+0x58] used below, this looks like a vptr/m_pData/m_nSize
; triple -- presumably an MFC CArray built on the stack. Not verifiable from here.
00404DE4 .33FF xor edi,edi
00404DE6 .897C24 54 mov dword ptr ss:,edi
00404DEA .897C24 60 mov dword ptr ss:,edi
00404DEE .897C24 5C mov dword ptr ss:,edi
00404DF2 .897C24 58 mov dword ptr ss:,edi
00404DF6 .C74424 50 FC1>mov dword ptr ss:,LicAdmin.004>
; Two string locals ([esp+0x20] and [esp+0x18]) constructed from the constant at 00431468 via
; MFC80U #283 (ecx = object, one pushed arg: shape of a CString(LPCTSTR) ctor).
; The byte stores 0x1, 0x2, 0x3, ... into the slot at [esp+0x70] (later seen as [esp+0x6C]/[esp+0x78]
; etc. as esp moves) are the EH trylevel counter recording which temporaries are live.
00404DFE .68 68144300 push LicAdmin.00431468
00404E03 .8D4C24 20 lea ecx,dword ptr ss:
00404E07 .897C24 70 mov dword ptr ss:,edi
00404E0B .FF15 60064300 call dword ptr ds:[<&MFC80U.#283>] ;MFC80U.#6735
00404E11 .68 68144300 push LicAdmin.00431468
00404E16 .8D4C24 18 lea ecx,dword ptr ss:
00404E1A .C64424 70 01mov byte ptr ss:,0x1
00404E1F .FF15 60064300 call dword ptr ds:[<&MFC80U.#283>] ;MFC80U.#6735
; copy the member at this+0x468 (8D83 68040000 = lea eax,[ebx+0x468]) into the local at [esp+0x1C]
; via MFC80U #280 (ecx = destination, one pushed source: shape of a copy ctor)
00404E25 .8D83 68040000 lea eax,dword ptr ds:
00404E2B .50 push eax
00404E2C .8D4C24 1C lea ecx,dword ptr ss:
00404E30 .C64424 70 02mov byte ptr ss:,0x2
00404E35 .FF15 44064300 call dword ptr ds:[<&MFC80U.#280>] ;MFC80U.#280
00404E3B .C64424 6C 03mov byte ptr ss:,0x3
; ---- loop head (jumped to from 00405010 and 004050AC) ----
; Build the five arguments of LicAdmin.0040F040: 0 (edi), the addresses of two locals, and two
; by-value temporaries constructed in place with the "push ecx / mov ecx,esp / ctor" idiom
; (one from the constant at 00431964 via #283, one copied from [esp+0x2C] via #280).
; add esp,0x14 after the call confirms five caller-cleaned dwords.
00404E40 >57 push edi
00404E41 .8D4C24 1C lea ecx,dword ptr ss:
00404E45 .51 push ecx
00404E46 .8D5424 1C lea edx,dword ptr ss:
00404E4A .52 push edx
00404E4B .51 push ecx
00404E4C .8BCC mov ecx,esp
00404E4E .896424 3C mov dword ptr ss:,esp
00404E52 .68 64194300 push LicAdmin.00431964
00404E57 .FF15 60064300 call dword ptr ds:[<&MFC80U.#283>] ;MFC80U.#6735
00404E5D .51 push ecx
00404E5E .8D4424 2C lea eax,dword ptr ss:
00404E62 .8BCC mov ecx,esp
00404E64 .896424 54 mov dword ptr ss:,esp
00404E68 .50 push eax
00404E69 .C68424 840000>mov byte ptr ss:,0x4
00404E71 .FF15 44064300 call dword ptr ds:[<&MFC80U.#280>] ;MFC80U.#280
00404E77 .C68424 800000>mov byte ptr ss:,0x3
00404E7F .E8 BCA10000 call LicAdmin.0040F040
00404E84 .83C4 14 add esp,0x14
; eax != 0 -> there is an item to process, go to 00404E9D.
; eax == 0 -> ask MFC80U #3927 about the local at [esp+0x14] (result in al); al != 0 -> leave via
; 004050B1; al == 0 falls through into the add path anyway.
00404E87 .3BC7 cmp eax,edi
00404E89 .75 12 jnz XLicAdmin.00404E9D
00404E8B .8D4C24 14 lea ecx,dword ptr ss:
00404E8F .FF15 DC014300 call dword ptr ds:[<&MFC80U.#3927>] ;MFC80U.#3928
00404E95 .84C0 test al,al
00404E97 .0F85 14020000 jnz LicAdmin.004050B1 假如这里改成jmp,跳到后面容易出现对话框:
; Arguments of the virtual call: the address of the stack object at [esp+0x50], and a by-value copy of
; the string at [esp+0x1C] (00404EA2 reserves the slot, 00404EAE constructs into it with #280).
00404E9D >8D4C24 50 lea ecx,dword ptr ss:
00404EA1 .51 push ecx
00404EA2 .51 push ecx
00404EA3 .8D5424 1C lea edx,dword ptr ss:
00404EA7 .8BCC mov ecx,esp
00404EA9 .896424 48 mov dword ptr ss:,esp
00404EAD .52 push edx
00404EAE .FF15 44064300 call dword ptr ds:[<&MFC80U.#280>] ;MFC80U.#280
; Virtual call: ecx = this+0x138 (8B8B 38010000), eax = its vtable, edx = slot 7 (vtable+0x1C).
; No add esp afterwards: the callee cleans both arguments. The return value lands in esi and is saved
; to [esp+0x2C]; this is the code later handed to LicAdmin.00417BF0 at 00405040 for the
; "Add Licenses failed" text. Whether an item is accepted is decided inside this callee, not here.
00404EB4 .8B8B 38010000 mov ecx,dword ptr ds:
00404EBA .8B01 mov eax,dword ptr ds:
00404EBC .8B50 1C mov edx,dword ptr ds:
00404EBF .FFD2 call edx
00404EC1 .8BF0 mov esi,eax
; esi == -8 is handled specially below ("already exists" listing). Any other value goes to 0040500E,
; where esi >= 0 means success for this item (silent, back to the loop head) and esi < 0 means the
; failure dialog at 00405016.
00404EC3 .83FE F8 cmp esi,-0x8
00404EC6 .897424 2C mov dword ptr ss:,esi
00404ECA .0F85 3E010000 jnz LicAdmin.0040500E
; -8 path: eax = element count at [esp+0x58]; count <= 0 -> straight to the failure dialog.
00404ED0 .8B4424 58 mov eax,dword ptr ss:
00404ED4 .3BC7 cmp eax,edi
00404ED6 .0F8E 3A010000 jle LicAdmin.00405016
; ---- inner loop: edi over [0, count) ----
; The two range checks (edi < 0, edi >= count) are the inlined bounds check of the array accessor;
; a failing check ends in 00405108 -> MFC80U #1176 (see the note on that line).
00404EDC >85FF test edi,edi
00404EDE .0F8C 24020000 jl LicAdmin.00405108
00404EE4 .3BF8 cmp edi,eax
00404EE6 .0F8D 1C020000 jge LicAdmin.00405108
; esi = &m_pData[edi]: data pointer read from [esp+0x54], 8D34B8 = lea esi,[eax+edi*4]; each element is
; a 4-byte pointer to a record. Three by-value string temporaries are reserved and constructed here
; (two from the constant at 00431468, one from the string at 00431AE8); they are consumed by the
; LicAdmin.0040F240 call at 00404FCA, whose add esp,0x14 pops them.
00404EEC .8B4424 54 mov eax,dword ptr ss:
00404EF0 .51 push ecx
00404EF1 .8BCC mov ecx,esp
00404EF3 .896424 44 mov dword ptr ss:,esp
00404EF7 .68 68144300 push LicAdmin.00431468
00404EFC .8D34B8 lea esi,dword ptr ds:
00404EFF .FF15 60064300 call dword ptr ds:[<&MFC80U.#283>] ;MFC80U.#6735
00404F05 .51 push ecx
00404F06 .8BCC mov ecx,esp
00404F08 .896424 4C mov dword ptr ss:,esp
00404F0C .68 68144300 push LicAdmin.00431468
00404F11 .C64424 78 05mov byte ptr ss:,0x5
00404F16 .FF15 60064300 call dword ptr ds:[<&MFC80U.#283>] ;MFC80U.#6735
00404F1C .51 push ecx
00404F1D .8BCC mov ecx,esp
00404F1F .896424 54 mov dword ptr ss:,esp
00404F23 .68 E81A4300 push LicAdmin.00431AE8 ;UNICODE "
"
00404F28 .C64424 7C 06mov byte ptr ss:,0x6
00404F2D .FF15 60064300 call dword ptr ds:[<&MFC80U.#283>] ;MFC80U.#6735
; record byte at [esi+2] (0FB64E 02), low 3 bits only (and ecx,7) -> LicAdmin.00414460(&local, field)
; -> string object in ebp (read through MFC80U #3391 below, so presumably a CString)
00404F33 .0FB64E 02 movzx ecx,byte ptr ds: 我试着把以上的跳转全nop掉,来到此处,但程序老出错。{:5_127:}
00404F37 .83E1 07 and ecx,0x7
00404F3A .51 push ecx
00404F3B .8D5424 38 lea edx,dword ptr ss:
00404F3F .52 push edx
00404F40 .C68424 800000>mov byte ptr ss:,0x7
00404F48 .E8 13F50000 call LicAdmin.00414460
00404F4D .83C4 08 add esp,0x8
00404F50 .8BE8 mov ebp,eax
; LicAdmin.00414200 on the record itself (ecx = esi, one stack arg, callee-cleaned) -> string in ebx
00404F52 .8D4424 30 lea eax,dword ptr ss:
00404F56 .50 push eax
00404F57 .8BCE mov ecx,esi
00404F59 .C64424 7C 08mov byte ptr ss:,0x8
00404F5E .E8 9DF20000 call LicAdmin.00414200
00404F63 .8BD8 mov ebx,eax
; bits 4..15 of the record's first dword (shr ecx,4 / and ecx,0xFFF) -> LicAdmin.004149B0(&local, field)
; -> string in esi (the record pointer in esi is no longer needed after this)
00404F65 .8B0E mov ecx,dword ptr ds:
00404F67 .C1E9 04 shr ecx,0x4
00404F6A .81E1 FF0F0000 and ecx,0xFFF
00404F70 .51 push ecx
00404F71 .8D5424 30 lea edx,dword ptr ss:
00404F75 .52 push edx
00404F76 .C68424 800000>mov byte ptr ss:,0x9
00404F7E .E8 2DFA0000 call LicAdmin.004149B0
00404F83 .83C4 08 add esp,0x8
00404F86 .8BF0 mov esi,eax
; MFC80U #870/#3391 on each of the three string objects (ecx only, result in eax: shape of a
; CString -> LPCTSTR accessor), then
;   LicAdmin.0040EE50(dest, "%s v%s (%s) already exists", s_esi, s_ebx, s_ebp)
; (argument order from the push order; dest is the slot reserved at 00404F95, ebp = esp).
; NOTE: this is the duplicate-license message of the esi == -8 path, not a success path. The routine
; shows no dialog at all when the virtual call returns esi >= 0.
00404F88 .8BCD mov ecx,ebp
00404F8A .C64424 78 0Amov byte ptr ss:,0xA
00404F8F .FF15 74064300 call dword ptr ds:[<&MFC80U.#870>] ;MFC80U.#3391
00404F95 .51 push ecx
00404F96 .8BEC mov ebp,esp
00404F98 .896424 5C mov dword ptr ss:,esp
00404F9C .50 push eax
00404F9D .8BCB mov ecx,ebx
00404F9F .FF15 74064300 call dword ptr ds:[<&MFC80U.#870>] ;MFC80U.#3391
00404FA5 .50 push eax
00404FA6 .8BCE mov ecx,esi
00404FA8 .FF15 74064300 call dword ptr ds:[<&MFC80U.#870>] ;MFC80U.#3391
00404FAE .50 push eax
00404FAF .68 B01A4300 push LicAdmin.00431AB0 ;UNICODE "%s v%s (%s) already exists" 这里最像注册成功的位置。但容易在 00404F03处,直接程序出错,无法来到 此处。{:5_116:}
00404FB4 .55 push ebp
00404FB5 .E8 969E0000 call LicAdmin.0040EE50
00404FBA .83C4 14 add esp,0x14
; LicAdmin.0040F240(&local[esp+0x2C], formatted text, temp3, temp2, temp1); the add esp,0x14 also pops
; the formatted string slot and the three temporaries reserved at 00404EF0/00404F05/00404F1C.
00404FBD .8D4424 2C lea eax,dword ptr ss:
00404FC1 .50 push eax
00404FC2 .C68424 800000>mov byte ptr ss:,0xD
00404FCA .E8 71A20000 call LicAdmin.0040F240
00404FCF .83C4 14 add esp,0x14
; destructors (MFC80U #577/#578, ecx only: shape of a CString dtor) for the three locals filled by
; 00414460 / 00414200 / 004149B0; EH trylevel back to 3
00404FD2 .8D4C24 20 lea ecx,dword ptr ss:
00404FD6 .FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ;MFC80U.#578
00404FDC .8D4C24 24 lea ecx,dword ptr ss:
00404FE0 .FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ;MFC80U.#578
00404FE6 .C64424 6C 03mov byte ptr ss:,0x3
00404FEB .8D4C24 28 lea ecx,dword ptr ss:
00404FEF .FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ;MFC80U.#578
; edi++ ; edi < count -> next element. After the last element restore esi (the -8 result code, saved
; at 00404EC6) and ebx (this, saved at 00404DD9) and fall into the failure dialog.
00404FF5 .8B4424 58 mov eax,dword ptr ss:
00404FF9 .83C7 01 add edi,0x1
00404FFC .3BF8 cmp edi,eax
00404FFE .^ 0F8C D8FEFFFF jl LicAdmin.00404EDC
00405004 .8B7424 2C mov esi,dword ptr ss:
00405008 .8B5C24 30 mov ebx,dword ptr ss:
0040500C .EB 08 jmp XLicAdmin.00405016
; non -8 result: esi >= 0 (edi is 0 here) -> next item at the loop head, no message; esi < 0 -> dialog
0040500E >3BF7 cmp esi,edi
00405010 .^ 0F8D 2AFEFFFF jge LicAdmin.00404E40
; ---- "Add Licenses failed" dialog ----
; Reached with count <= 0, after the "already exists" loop, or with a negative result code.
; LicAdmin.00414F30 (ecx = this+0x158, 8D8B 58010000) and LicAdmin.00417BF0(esi = result code, &local)
; build the detail text, LicAdmin.00401900 / 00401860 join the pieces, MFC80U #3391 yields the
; LPCTSTR, and MFC80U #1118 displays it. Control then returns to the loop head: the error does not
; abort the routine.
00405016 >33FF xor edi,edi
00405018 .57 push edi
00405019 .57 push edi
0040501A .8D4C24 24 lea ecx,dword ptr ss:
0040501E .51 push ecx
0040501F .68 A41A4300 push LicAdmin.00431AA4 ;UNICODE "
"
00405024 .68 7C1A4300 push LicAdmin.00431A7C ;UNICODE "Add Licenses failed"
00405029 .51 push ecx
0040502A .8BD4 mov edx,esp
0040502C .896424 64 mov dword ptr ss:,esp
00405030 .52 push edx
00405031 .8D8B 58010000 lea ecx,dword ptr ds:
00405037 .E8 F4FE0000 call LicAdmin.00414F30
0040503C .8D4424 54 lea eax,dword ptr ss:
00405040 .56 push esi
00405041 .50 push eax
00405042 .E8 A92B0100 call LicAdmin.00417BF0
00405047 .83C4 10 add esp,0x10
0040504A .50 push eax
0040504B .8D4C24 4C lea ecx,dword ptr ss:
0040504F .51 push ecx
00405050 .C68424 840000>mov byte ptr ss:,0xE
00405058 .E8 A3C8FFFF call LicAdmin.00401900
0040505D .83C4 0C add esp,0xC
00405060 .50 push eax
00405061 .8D5424 44 lea edx,dword ptr ss:
00405065 .52 push edx
00405066 .C68424 800000>mov byte ptr ss:,0xF
0040506E .E8 EDC7FFFF call LicAdmin.00401860
00405073 .83C4 0C add esp,0xC
00405076 .8BC8 mov ecx,eax
00405078 .C64424 74 10mov byte ptr ss:,0x10
0040507D .FF15 74064300 call dword ptr ds:[<&MFC80U.#870>] ;MFC80U.#3391
00405083 .50 push eax
00405084 .E8 113D0200 call <jmp.&MFC80U.#1118> 这个就是弹出Add license failed 的call.
; destructors for the three message temporaries, EH trylevel back to 3, then continue the outer loop
00405089 .8D4C24 34 lea ecx,dword ptr ss:
0040508D .FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ;MFC80U.#578
00405093 .8D4C24 38 lea ecx,dword ptr ss:
00405097 .FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ;MFC80U.#578
0040509D .8D4C24 3C lea ecx,dword ptr ss:
004050A1 .C64424 6C 03mov byte ptr ss:,0x3
004050A6 .FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ;MFC80U.#578
004050AC .^ E9 8FFDFFFF jmp LicAdmin.00404E40
; ---- normal exit (only retn of the routine) ----
; Destroy the string locals, call LicAdmin.00403480(this), free m_pData at [esp+0x54] if non-null
; (MFC80U #266 is annotated "free" by the debugger), write the second address constant into the
; object slot, restore fs:[0] and return. The poster reports a "Get computer ID failed" dialog on this
; path; 00403480 is the only non-MFC call here, so presumably it originates there -- not verifiable
; from this listing.
004050B1 >8D4C24 18 lea ecx,dword ptr ss: 假如修改跳转,来到此处,往下走,会出现:Get computer ID failed。
004050B5 .C64424 6C 02mov byte ptr ss:,0x2
004050BA .FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ;MFC80U.#578
004050C0 .8BCB mov ecx,ebx
004050C2 .E8 B9E3FFFF call LicAdmin.00403480
004050C7 .8D4C24 14 lea ecx,dword ptr ss:
004050CB .FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ;MFC80U.#578
004050D1 .8D4C24 1C lea ecx,dword ptr ss:
004050D5 .FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ;MFC80U.#578
004050DB .8B4424 54 mov eax,dword ptr ss:
004050DF .3BC7 cmp eax,edi
004050E1 .C74424 50 3C1>mov dword ptr ss:,LicAdmin.004>
004050E9 .74 09 je XLicAdmin.004050F4
004050EB .50 push eax ; /block
004050EC .E8 573D0200 call <jmp.&MFC80U.#266> ; \free
004050F1 .83C4 04 add esp,0x4
; unlink the EH record ([esp+0x64] -> fs:[0]), restore registers, retn (0x5C + 4 pops + pop ecx undo
; the sub esp,0x50 and the pushes of the prologue)
004050F4 >8B4C24 64 mov ecx,dword ptr ss:
004050F8 .64:890D 00000>mov dword ptr fs:,ecx
004050FF .59 pop ecx
00405100 .5F pop edi
00405101 .5E pop esi
00405102 .5D pop ebp
00405103 .5B pop ebx
00405104 .83C4 5C add esp,0x5C
00405107 .C3 retn
; bounds-check failure target of the inner loop (00404EDE / 00404EE6): tail jump into MFC80U #1176,
; which per the note on this line surfaces as the "invalid argument" dialog
00405108 >E9 993C0200 jmp <jmp.&MFC80U.#1176> 假如修改以上跳转,跳到这里,会跳出对话框:遇到无效参数。
而且这么一路跟下来,也没见到寄存器里出现像样的密码。从这段反汇编看,这并不奇怪:是否接受密码的判定发生在 00404EBF 处的虚函数调用内部,其返回值存在 esi 里(-8 走“already exists”分支,其他负值走“Add Licenses failed”分支,非负值直接处理下一项);这个函数本身只负责循环取项、调用和弹错误框,修改它里面的跳转只能改变弹哪个框,改变不了返回值。
其实别人电脑上有一个能用的,他给了我他的密码,是一长串数字。但由于该密码与电脑 ID 绑定,而电脑 ID 又无法通过改 MAC 地址来修改,所以只能走破解(PJ)这条路;当然,假如能修改程序里算出的电脑 ID,也是一种办法。
另外,我用过这个软件,如果密码正确是不会弹出对话框的——这与反汇编一致:0040500E 处返回值非负时直接跳回 00404E40 处理下一项,不会弹框。不知道自己这么走有没有错误,希望有人能给点建议,万分感谢!
你要找正版注册码,肯定不能 nop:有些算法一旦被 nop 掉,后面的解密结果就不对了。只有一种特殊情况——长度校验不对的时候——可能需要 nop 一下。