最近想破个医学软件Simplant pro 13.0,这个软件有个获取floating license的子软件license Administrator(附件可下载)。按照常规步骤,我先打开软件,了解软件运作模式:软件会先自动计算出我电脑的Computer ID,然后要求输入password。如果输入错误,会弹出错误对话框:Add license failed Bad license....。
接着我载入OD,采用暂停法找到了弹出这个错误对话框的Call,然后回退到程序领空,找到了好几个跳过这个Call的跳转。该段反汇编代码如下(行尾的中文是我自己的分析):
; Reviewer annotation of LicAdmin 0x00404DB0-0x00405108 (OllyDbg listing, x86, MFC80U).
; Only what this listing shows is stated as fact. MFC80U ordinals (#280/#283/#577/#870/
; #1118/#1176/#3927/#6232) are NOT resolved here; where a meaning is assumed it is marked
; "presumably" and must be confirmed against the MFC80U export table.
; Stack offsets in the listing are relative to the current esp, which moves with every
; push; "base" in the comments means esp right after the cookie push at 00404DCC.
; this (ecx on entry) is kept in ebx and also saved at base+0x30 (restored at 00405008,
; because ebx is reused as a scratch register inside the per-entry loop).
00404DB0 . 6A FF push -0x1
00404DB2 . 68 7DAA4200 push LicAdmin.0042AA7D
00404DB7 . 64:A1 0000000>mov eax,dword ptr fs:[0]
00404DBD . 50 push eax
00404DBE . 83EC 50 sub esp,0x50
00404DC1 . 53 push ebx
00404DC2 . 55 push ebp
00404DC3 . 56 push esi
00404DC4 . 57 push edi
; SEH frame (push -1 / handler 0042AA7D / fs:[0]) plus a stack cookie: [0x446A70] xor esp,
; pushed at 00404DCC and popped again at 004050FF — the VC8 /GS + EH prologue shape
; (inferred from the shape, not from symbols).
00404DC5 . A1 706A4400 mov eax,dword ptr ds:[0x446A70]
00404DCA . 33C4 xor eax,esp
00404DCC . 50 push eax
00404DCD . 8D4424 64 lea eax,dword ptr ss:[esp+0x64]
00404DD1 . 64:A3 0000000>mov dword ptr fs:[0],eax
00404DD7 . 8BD9 mov ebx,ecx
00404DD9 . 895C24 30 mov dword ptr ss:[esp+0x30],ebx
00404DDD . 6A 01 push 0x1
00404DDF . E8 BC3F0200 call <jmp.&MFC80U.#6232>
; edi is zeroed here and stays 0 as the constant compared against below.
; base+0x50..0x60 is a 5-dword object: vtable at +0 (set at 00404DF6, reset at 004050E1),
; a buffer pointer at +4 (freed at 004050EB), a count at +8 (loop bound at 00404FF5).
; That layout matches an MFC CArray (vfptr, m_pData, m_nSize, m_nMaxSize, m_nGrowBy) —
; TODO confirm from the vtable at LicAdmin.004xxxxx.
00404DE4 . 33FF xor edi,edi
00404DE6 . 897C24 54 mov dword ptr ss:[esp+0x54],edi
00404DEA . 897C24 60 mov dword ptr ss:[esp+0x60],edi
00404DEE . 897C24 5C mov dword ptr ss:[esp+0x5C],edi
00404DF2 . 897C24 58 mov dword ptr ss:[esp+0x58],edi
00404DF6 . C74424 50 FC1>mov dword ptr ss:[esp+0x50],LicAdmin.004>
; Three string objects are built on the frame: base+0x1C and base+0x14 from the literal at
; 00431468 (MFC80U.#283, presumably a CString ctor), base+0x18 from the member at
; this+0x468 (MFC80U.#280). The byte at base+0x6C (written as [esp+0x70] while one push
; is outstanding) counts 0,1,2,3 as each object becomes live and later steps 4..0x10 and
; back — it looks like the compiler's C++ EH unwind-state variable, not program data.
00404DFE . 68 68144300 push LicAdmin.00431468
00404E03 . 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
00404E07 . 897C24 70 mov dword ptr ss:[esp+0x70],edi
00404E0B . FF15 60064300 call dword ptr ds:[<&MFC80U.#283>] ; MFC80U.#6735
00404E11 . 68 68144300 push LicAdmin.00431468
00404E16 . 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
00404E1A . C64424 70 01 mov byte ptr ss:[esp+0x70],0x1
00404E1F . FF15 60064300 call dword ptr ds:[<&MFC80U.#283>] ; MFC80U.#6735
00404E25 . 8D83 68040000 lea eax,dword ptr ds:[ebx+0x468]
00404E2B . 50 push eax
00404E2C . 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
00404E30 . C64424 70 02 mov byte ptr ss:[esp+0x70],0x2
00404E35 . FF15 44064300 call dword ptr ds:[<&MFC80U.#280>] ; MFC80U.#280
00404E3B . C64424 6C 03 mov byte ptr ss:[esp+0x6C],0x3
; 00404E40: outer loop head. Re-entered from 0040500E (callee status >= 0) and from
; 004050AC (after the failure dialog). The only normal exit is 00404E97 -> 004050B1.
; This iteration builds two temporaries (a string from the literal at 00431964 and a copy
; of base+0x18) and calls LicAdmin.0040F040(copy, literal, &base+0x14, &base+0x18, 0) —
; cdecl, 5 args (add esp,0x14). The argument shape reads like "take the next token of
; base+0x18 into base+0x14, split on the literal at 00431964"; that is an inference.
00404E40 > 57 push edi
00404E41 . 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
00404E45 . 51 push ecx
00404E46 . 8D5424 1C lea edx,dword ptr ss:[esp+0x1C]
00404E4A . 52 push edx
00404E4B . 51 push ecx
00404E4C . 8BCC mov ecx,esp
00404E4E . 896424 3C mov dword ptr ss:[esp+0x3C],esp
00404E52 . 68 64194300 push LicAdmin.00431964
00404E57 . FF15 60064300 call dword ptr ds:[<&MFC80U.#283>] ; MFC80U.#6735
00404E5D . 51 push ecx
00404E5E . 8D4424 2C lea eax,dword ptr ss:[esp+0x2C]
00404E62 . 8BCC mov ecx,esp
00404E64 . 896424 54 mov dword ptr ss:[esp+0x54],esp
00404E68 . 50 push eax
00404E69 . C68424 840000>mov byte ptr ss:[esp+0x84],0x4
00404E71 . FF15 44064300 call dword ptr ds:[<&MFC80U.#280>] ; MFC80U.#280
00404E77 . C68424 800000>mov byte ptr ss:[esp+0x80],0x3
00404E7F . E8 BCA10000 call LicAdmin.0040F040
00404E84 . 83C4 14 add esp,0x14
; eax == 0 -> MFC80U.#3927 on base+0x14; al != 0 -> 004050B1. If #3927 is
; CString::IsEmpty (presumably) this means "no more input: done".
; NOTE(review): forcing the jnz at 00404E97 into a jmp leaves the function BEFORE any
; token is handed to the license object at this+0x138, so nothing is added; the
; "Get computer ID failed" text the poster then sees is not produced in this listing —
; it comes from LicAdmin.00403480 (called at 004050C2) or later.
00404E87 . 3BC7 cmp eax,edi
00404E89 . 75 12 jnz XLicAdmin.00404E9D
00404E8B . 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
00404E8F . FF15 DC014300 call dword ptr ds:[<&MFC80U.#3927>] ; MFC80U.#3928
00404E95 . 84C0 test al,al
00404E97 . 0F85 14020000 jnz LicAdmin.004050B1 假如这里改成jmp,跳到后面容易出现对话框:
; Copies base+0x14 (the current token) into a stack temporary and calls the virtual
; method at vtable slot +0x1C of the object at this+0x138 with (tokenCopy, &array).
; This is the only call that receives the entered text together with the license array,
; so any comparison of the password with the Computer ID happens inside that callee,
; not in this handler — which is why no password-like value shows up in registers here.
; The return value (esi, also saved at base+0x2C) is a status code: -8 falls through
; into the per-entry loop below; anything else goes to 0040500E.
00404E9D > 8D4C24 50 lea ecx,dword ptr ss:[esp+0x50]
00404EA1 . 51 push ecx
00404EA2 . 51 push ecx
00404EA3 . 8D5424 1C lea edx,dword ptr ss:[esp+0x1C]
00404EA7 . 8BCC mov ecx,esp
00404EA9 . 896424 48 mov dword ptr ss:[esp+0x48],esp
00404EAD . 52 push edx
00404EAE . FF15 44064300 call dword ptr ds:[<&MFC80U.#280>] ; MFC80U.#280
00404EB4 . 8B8B 38010000 mov ecx,dword ptr ds:[ebx+0x138]
00404EBA . 8B01 mov eax,dword ptr ds:[ecx]
00404EBC . 8B50 1C mov edx,dword ptr ds:[eax+0x1C]
00404EBF . FFD2 call edx
00404EC1 . 8BF0 mov esi,eax
00404EC3 . 83FE F8 cmp esi,-0x8
00404EC6 . 897424 2C mov dword ptr ss:[esp+0x2C],esi
00404ECA . 0F85 3E010000 jnz LicAdmin.0040500E
; Status -8: count at base+0x58 <= 0 -> 00405016 (failure dialog); otherwise iterate
; edi = 0..count-1. Each access is bounds-checked (edi < 0 or edi >= count -> 00405108,
; a tail jump to MFC80U.#1176 — the "invalid parameter" box the poster reports); this is
; the shape of an MFC CArray::GetAt check. The bound is whatever the callee stored at
; base+0x58; if the callee was skipped it is still the 0 written at 00404DF2.
00404ED0 . 8B4424 58 mov eax,dword ptr ss:[esp+0x58]
00404ED4 . 3BC7 cmp eax,edi
00404ED6 . 0F8E 3A010000 jle LicAdmin.00405016
00404EDC > 85FF test edi,edi
00404EDE . 0F8C 24020000 jl LicAdmin.00405108
00404EE4 . 3BF8 cmp edi,eax
00404EE6 . 0F8D 1C020000 jge LicAdmin.00405108
; Per-entry body. Elements are 4 bytes (lea esi,[eax+edi*4]) and esi is the element's
; address. NOTE(review): if the jumps above are NOP-ed without the callee having filled
; the array, base+0x54 is still the 0 stored at 00404DE6, esi becomes edi*4 = 0 and the
; first dereference at 00404F33 (movzx ecx,byte ptr [esi+2]) reads address 2 — an access
; violation. That matches the crash the poster describes. 00404F03 is not an instruction
; boundary in this listing (00404EFF is 6 bytes, the next instruction is 00404F05), so
; the reported fault address is probably a transcription slip.
00404EEC . 8B4424 54 mov eax,dword ptr ss:[esp+0x54]
00404EF0 . 51 push ecx
00404EF1 . 8BCC mov ecx,esp
00404EF3 . 896424 44 mov dword ptr ss:[esp+0x44],esp
00404EF7 . 68 68144300 push LicAdmin.00431468
00404EFC . 8D34B8 lea esi,dword ptr ds:[eax+edi*4]
00404EFF . FF15 60064300 call dword ptr ds:[<&MFC80U.#283>] ; MFC80U.#6735
00404F05 . 51 push ecx
00404F06 . 8BCC mov ecx,esp
00404F08 . 896424 4C mov dword ptr ss:[esp+0x4C],esp
00404F0C . 68 68144300 push LicAdmin.00431468
00404F11 . C64424 78 05 mov byte ptr ss:[esp+0x78],0x5
00404F16 . FF15 60064300 call dword ptr ds:[<&MFC80U.#283>] ; MFC80U.#6735
00404F1C . 51 push ecx
00404F1D . 8BCC mov ecx,esp
00404F1F . 896424 54 mov dword ptr ss:[esp+0x54],esp
00404F23 . 68 E81A4300 push LicAdmin.00431AE8 ; UNICODE "
"
00404F28 . C64424 7C 06 mov byte ptr ss:[esp+0x7C],0x6
00404F2D . FF15 60064300 call dword ptr ds:[<&MFC80U.#283>] ; MFC80U.#6735
; Three text fields are derived from the 4-byte entry:
;   LicAdmin.00414460(&base+0x28, byte[esi+2] & 7)          -> ebp
;   LicAdmin.00414200(this=esi, &base+0x24)                 -> ebx (clobbers this!)
;   LicAdmin.004149B0(&base+0x20, ([esi] >> 4) & 0xFFF)     -> esi
; then each is turned into a raw pointer with MFC80U.#870 (presumably operator LPCTSTR).
00404F33 . 0FB64E 02 movzx ecx,byte ptr ds:[esi+0x2] 我试着把以上的跳转全nop掉,来到此处,但程序老出错。
00404F37 . 83E1 07 and ecx,0x7
00404F3A . 51 push ecx
00404F3B . 8D5424 38 lea edx,dword ptr ss:[esp+0x38]
00404F3F . 52 push edx
00404F40 . C68424 800000>mov byte ptr ss:[esp+0x80],0x7
00404F48 . E8 13F50000 call LicAdmin.00414460
00404F4D . 83C4 08 add esp,0x8
00404F50 . 8BE8 mov ebp,eax
00404F52 . 8D4424 30 lea eax,dword ptr ss:[esp+0x30]
00404F56 . 50 push eax
00404F57 . 8BCE mov ecx,esi
00404F59 . C64424 7C 08 mov byte ptr ss:[esp+0x7C],0x8
00404F5E . E8 9DF20000 call LicAdmin.00414200
00404F63 . 8BD8 mov ebx,eax
00404F65 . 8B0E mov ecx,dword ptr ds:[esi]
00404F67 . C1E9 04 shr ecx,0x4
00404F6A . 81E1 FF0F0000 and ecx,0xFFF
00404F70 . 51 push ecx
00404F71 . 8D5424 30 lea edx,dword ptr ss:[esp+0x30]
00404F75 . 52 push edx
00404F76 . C68424 800000>mov byte ptr ss:[esp+0x80],0x9
00404F7E . E8 2DFA0000 call LicAdmin.004149B0
00404F83 . 83C4 08 add esp,0x8
00404F86 . 8BF0 mov esi,eax
00404F88 . 8BCD mov ecx,ebp
00404F8A . C64424 78 0A mov byte ptr ss:[esp+0x78],0xA
00404F8F . FF15 74064300 call dword ptr ds:[<&MFC80U.#870>] ; MFC80U.#3391
00404F95 . 51 push ecx
00404F96 . 8BEC mov ebp,esp
00404F98 . 896424 5C mov dword ptr ss:[esp+0x5C],esp
00404F9C . 50 push eax
00404F9D . 8BCB mov ecx,ebx
00404F9F . FF15 74064300 call dword ptr ds:[<&MFC80U.#870>] ; MFC80U.#3391
00404FA5 . 50 push eax
00404FA6 . 8BCE mov ecx,esi
00404FA8 . FF15 74064300 call dword ptr ds:[<&MFC80U.#870>] ; MFC80U.#3391
00404FAE . 50 push eax
; LicAdmin.0040EE50(dest, "%s v%s (%s) already exists", s1, s2, s3) — cdecl, 5 args,
; presumably a Format-into-string helper. The result, together with the string at
; base+0x1C (lea eax,[esp+0x2C] at 00404FBD), is passed to LicAdmin.0040F240.
; NOTE(review): this is NOT a success location. The message names the entry as already
; existing and is built for every element returned with status -8; after the loop the
; code falls through 00405004 -> 00405016 into the "Add Licenses failed" dialog, and the
; string at base+0x1C is part of what that dialog receives (00405019-00405037).
00404FAF . 68 B01A4300 push LicAdmin.00431AB0 ; UNICODE "%s v%s (%s) already exists" 这里最像注册成功的位置。但容易在 00404F03处,直接程序出错,无法来到 此处。
00404FB4 . 55 push ebp
00404FB5 . E8 969E0000 call LicAdmin.0040EE50
00404FBA . 83C4 14 add esp,0x14
00404FBD . 8D4424 2C lea eax,dword ptr ss:[esp+0x2C]
00404FC1 . 50 push eax
00404FC2 . C68424 800000>mov byte ptr ss:[esp+0x80],0xD
00404FCA . E8 71A20000 call LicAdmin.0040F240
00404FCF . 83C4 14 add esp,0x14
; Destroy the three per-entry strings (MFC80U.#577, presumably the CString dtor), reset
; the EH state to 3, advance edi and loop while edi < count.
00404FD2 . 8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
00404FD6 . FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ; MFC80U.#578
00404FDC . 8D4C24 24 lea ecx,dword ptr ss:[esp+0x24]
00404FE0 . FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ; MFC80U.#578
00404FE6 . C64424 6C 03 mov byte ptr ss:[esp+0x6C],0x3
00404FEB . 8D4C24 28 lea ecx,dword ptr ss:[esp+0x28]
00404FEF . FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ; MFC80U.#578
00404FF5 . 8B4424 58 mov eax,dword ptr ss:[esp+0x58]
00404FF9 . 83C7 01 add edi,0x1
00404FFC . 3BF8 cmp edi,eax
00404FFE .^ 0F8C D8FEFFFF jl LicAdmin.00404EDC
; Loop done: restore the status (esi) and this (ebx) that the loop body clobbered, then
; go to the failure dialog.
00405004 . 8B7424 2C mov esi,dword ptr ss:[esp+0x2C]
00405008 . 8B5C24 30 mov ebx,dword ptr ss:[esp+0x30]
0040500C . EB 08 jmp XLicAdmin.00405016
; Status != -8: status >= 0 -> straight back to the loop head for the next token, with
; no dialog at all (presumably the success case for this token — consistent with the
; poster's observation that a correct password shows no box); status < 0 -> fall into
; the failure dialog.
0040500E > 3BF7 cmp esi,edi
00405010 .^ 0F8D 2AFEFFFF jge LicAdmin.00404E40
; Failure dialog. Inputs: the accumulated string at base+0x1C (lea ecx,[esp+0x24] with two
; pushes outstanding), the status in esi (00405040), the caption "Add Licenses failed",
; and the object at this+0x158 (00405031). The text is built through LicAdmin.00414F30,
; LicAdmin.00417BF0, LicAdmin.00401900 and LicAdmin.00401860, converted with
; MFC80U.#870 and shown by MFC80U.#1118 (the poster confirms this is the box). The
; temporaries are then destroyed and control returns to the loop head at 00404E40, so
; the function keeps consuming tokens after a failure.
00405016 > 33FF xor edi,edi
00405018 . 57 push edi
00405019 . 57 push edi
0040501A . 8D4C24 24 lea ecx,dword ptr ss:[esp+0x24]
0040501E . 51 push ecx
0040501F . 68 A41A4300 push LicAdmin.00431AA4 ; UNICODE "
"
00405024 . 68 7C1A4300 push LicAdmin.00431A7C ; UNICODE "Add Licenses failed"
00405029 . 51 push ecx
0040502A . 8BD4 mov edx,esp
0040502C . 896424 64 mov dword ptr ss:[esp+0x64],esp
00405030 . 52 push edx
00405031 . 8D8B 58010000 lea ecx,dword ptr ds:[ebx+0x158]
00405037 . E8 F4FE0000 call LicAdmin.00414F30
0040503C . 8D4424 54 lea eax,dword ptr ss:[esp+0x54]
00405040 . 56 push esi
00405041 . 50 push eax
00405042 . E8 A92B0100 call LicAdmin.00417BF0
00405047 . 83C4 10 add esp,0x10
0040504A . 50 push eax
0040504B . 8D4C24 4C lea ecx,dword ptr ss:[esp+0x4C]
0040504F . 51 push ecx
00405050 . C68424 840000>mov byte ptr ss:[esp+0x84],0xE
00405058 . E8 A3C8FFFF call LicAdmin.00401900
0040505D . 83C4 0C add esp,0xC
00405060 . 50 push eax
00405061 . 8D5424 44 lea edx,dword ptr ss:[esp+0x44]
00405065 . 52 push edx
00405066 . C68424 800000>mov byte ptr ss:[esp+0x80],0xF
0040506E . E8 EDC7FFFF call LicAdmin.00401860
00405073 . 83C4 0C add esp,0xC
00405076 . 8BC8 mov ecx,eax
00405078 . C64424 74 10 mov byte ptr ss:[esp+0x74],0x10
0040507D . FF15 74064300 call dword ptr ds:[<&MFC80U.#870>] ; MFC80U.#3391
00405083 . 50 push eax
00405084 . E8 113D0200 call <jmp.&MFC80U.#1118> 这个就是弹出Add license failed 的call.
00405089 . 8D4C24 34 lea ecx,dword ptr ss:[esp+0x34]
0040508D . FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ; MFC80U.#578
00405093 . 8D4C24 38 lea ecx,dword ptr ss:[esp+0x38]
00405097 . FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ; MFC80U.#578
0040509D . 8D4C24 3C lea ecx,dword ptr ss:[esp+0x3C]
004050A1 . C64424 6C 03 mov byte ptr ss:[esp+0x6C],0x3
004050A6 . FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ; MFC80U.#578
004050AC .^ E9 8FFDFFFF jmp LicAdmin.00404E40
; Normal exit (reached only from 00404E97): destroy the three frame strings, call
; LicAdmin.00403480(this) — presumably a refresh; whatever produces "Get computer ID
; failed" is inside it or later, not in this listing — free the array buffer at base+0x54
; if non-null, put the vtable back, unlink the SEH frame, discard the cookie, restore
; callee-saved registers and return.
004050B1 > 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18] 假如修改跳转,来到此处,往下走,会出现:Get computer ID failed。
004050B5 . C64424 6C 02 mov byte ptr ss:[esp+0x6C],0x2
004050BA . FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ; MFC80U.#578
004050C0 . 8BCB mov ecx,ebx
004050C2 . E8 B9E3FFFF call LicAdmin.00403480
004050C7 . 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
004050CB . FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ; MFC80U.#578
004050D1 . 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
004050D5 . FF15 98064300 call dword ptr ds:[<&MFC80U.#577>] ; MFC80U.#578
004050DB . 8B4424 54 mov eax,dword ptr ss:[esp+0x54]
004050DF . 3BC7 cmp eax,edi
004050E1 . C74424 50 3C1>mov dword ptr ss:[esp+0x50],LicAdmin.004>
004050E9 . 74 09 je XLicAdmin.004050F4
004050EB . 50 push eax ; /block
004050EC . E8 573D0200 call <jmp.&MFC80U.#266> ; \free
004050F1 . 83C4 04 add esp,0x4
004050F4 > 8B4C24 64 mov ecx,dword ptr ss:[esp+0x64]
004050F8 . 64:890D 00000>mov dword ptr fs:[0],ecx
004050FF . 59 pop ecx
00405100 . 5F pop edi
00405101 . 5E pop esi
00405102 . 5D pop ebp
00405103 . 5B pop ebx
00405104 . 83C4 5C add esp,0x5C
00405107 . C3 retn
; Out-of-line target of the bounds checks at 00404EDE/00404EE6: tail jump into
; MFC80U.#1176, which the poster observed as the "invalid parameter" dialog.
00405108 > E9 993C0200 jmp <jmp.&MFC80U.#1176> 假如修改以上跳转,跳到这里,会跳出对话框:遇到无效参数。
而且这么一路走下来,也没见到寄存器里蹦出像样的密码。(注:从上面的代码看这是正常的——输入的字符串在 00404EA2-00404EAE 被复制后,和 [esp+0x50] 处的数组一起交给了 [this+0x138] 对象的虚函数(00404EBF),真正的校验逻辑在那个被调函数里,不在这个对话框处理函数中;这里只根据它的返回值 (-8、负数、非负数) 决定走哪条路。)
其实别人电脑上有一个能用的,他给了我他的密码,是一长串数字,但由于该密码与电脑ID绑定,而且电脑ID无法通过改MAC地址来修改,所以就只能PJ了;当然假如能修改程序里计算出来的电脑ID,也是可以的(这段代码里看不到Computer ID的计算过程)。
另外,我用过这个软件,如果密码正确是不会弹出对话框的。这与上面的代码一致:虚函数返回非负值时 0040500E 直接跳回循环头 00404E40,不经过任何对话框;返回 -8 时走的是 "%s v%s (%s) already exists" 那段,最后仍然会到 00405016 弹 "Add Licenses failed"。不知道自己这么走有没有错误,希望有人能给点建议,万分感谢!
[附图:原帖图片链接指向发帖者本机的临时文件路径,无法显示]