Cracking 系统美化专家 (System Beautification Expert)
Text/figures: zjjtr
系统美化专家 is a program dedicated to beautifying and personalizing Windows. The interface is attractive and the operation simple, so even a beginner can give Windows a very individual look. It is shareware, and the unregistered version carries various restrictions, which is annoying, so let's roll up our sleeves and take care of it ourselves.
First, try a simple registration attempt: there is no registration prompt at all, so the author seems to have some security awareness. Checking with PEiD shows the file is packed with ASPack 2.1; unpack it directly with PEiD's unpacking plugin, and checking again shows it was written with "Borland Delphi 6.0 - 7.0". With no error message to search for, the only option left is the universal breakpoint. Load the program in OD (OllyDbg), press F9 to run it, enter the username "zjjtr" and the password "1234567890", set the universal breakpoint, click Register, and the program breaks.
77D3352D F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
77D3352F 8BC8 MOV ECX,EAX
77D33531 83E1 03 AND ECX,3
77D33534 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
77D33536 E8 E3FBFFFF CALL USER32.77D3311E
77D3353B 5F POP EDI
The register window on the right shows "zjjtr"; press F9 until "1234567890" appears. Select EDI, right-click and choose "Follow in Dump", then press F8 to reach the call after the breakpoint. In the lower-left window select the registration code, set a memory-access breakpoint on it, and press F9.
004093E7 90 NOP
004093E8 /$ 53 PUSH EBX
004093E9 |. 56 PUSH ESI
004093EA |. 57 PUSH EDI ; we arrive here
004093EB |. 8BFA MOV EDI,EDX
004093ED |. 8BF0 MOV ESI,EAX
004093EF |. 8BC6 MOV EAX,ESI
004093F1 |. E8 12B8FFFF CALL xp2003_e.00404C08
; checks whether the username / registration code is empty
004093F6 |. BB 01000000 MOV EBX,1
004093FB |. EB 01 JMP SHORT xp2003_e.004093FE
004093FD |> 43 /INC EBX
004093FE |> 3BC3 CMP EAX,EBX
00409400 |. 7C 07 |JL SHORT xp2003_e.00409409
00409402 |. 807C1E FF 20 |CMP BYTE PTR DS:[ESI+EBX-1],20
00409407 |.^ 76 F4 JBE SHORT xp2003_e.004093FD
00409409 |> 57 PUSH EDI
0040940A |. B9 FFFFFF7F MOV ECX,7FFFFFFF
0040940F |. 8BD3 MOV EDX,EBX
00409411 |. 8BC6 MOV EAX,ESI
00409413 |. E8 48BAFFFF CALL xp2003_e.00404E60
00409418 |. 5F POP EDI
00409419 |. 5E POP ESI
0040941A |. 5B POP EBX
0040941B . C3 RETN
Keep pressing F8; the RETN at 0040941B returns to the code below.
005D9D52 . 33C0 XOR EAX,EAX
005D9D54 . 55 PUSH EBP
005D9D55 . 68 349E5D00 PUSH xp2003_e.005D9E34
005D9D5A . 64:FF30 PUSH DWORD PTR FS:[EAX]
005D9D5D . 64:8920 MOV DWORD PTR FS:[EAX],ESP
005D9D60 . 33D2 XOR EDX,EDX
005D9D62 . 55 PUSH EBP
005D9D63 . 68 F49D5D00 PUSH xp2003_e.005D9DF4
005D9D68 . 64:FF32 PUSH DWORD PTR FS:[EDX]
005D9D6B . 64:8922 MOV DWORD PTR FS:[EDX],ESP
005D9D6E . 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
005D9D71 . 8B83 04030000 MOV EAX,DWORD PTR DS:[EBX+304]
005D9D77 . E8 A4CFE6FF CALL xp2003_e.00446D20
005D9D7C . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005D9D7F . 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
005D9D82 . E8 61F6E2FF CALL xp2003_e.004093E8
005D9D87 . 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
; checks whether the username is empty
005D9D8B . 75 0C JNZ SHORT xp2003_e.005D9D99
005D9D8D . A1 B8056300 MOV EAX,DWORD PTR DS:[6305B8]
005D9D92 . E8 35A8E8FF CALL xp2003_e.004645CC
005D9D97 . EB 51 JMP SHORT xp2003_e.005D9DEA
005D9D99 > 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
005D9D9C . 8B83 08030000 MOV EAX,DWORD PTR DS:[EBX+308]
005D9DA2 . E8 79CFE6FF CALL xp2003_e.00446D20
005D9DA7 . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
005D9DAA . 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
005D9DAD . E8 36F6E2FF CALL xp2003_e.004093E8
005D9DB2 . 837D F4 00 CMP DWORD PTR SS:[EBP-C],0
; checks whether the registration code is empty
005D9DB6 . 75 0C JNZ SHORT xp2003_e.005D9DC4
005D9DB8 . A1 B8056300 MOV EAX,DWORD PTR DS:[6305B8]
005D9DBD . E8 0AA8E8FF CALL xp2003_e.004645CC
005D9DC2 . EB 26 JMP SHORT xp2003_e.005D9DEA
005D9DC4 > 8BC3 MOV EAX,EBX
005D9DC6 . E8 C9020000 CALL xp2003_e.005DA094
; the algorithm call, step into it with F7
005D9DCB . 84C0 TEST AL,AL
005D9DCD . 74 09 JE SHORT xp2003_e.005D9DD8
005D9DCF . 8BC3 MOV EAX,EBX
005D9DD1 . E8 6E000000 CALL xp2003_e.005D9E44
005D9DD6 . EB 12 JMP SHORT xp2003_e.005D9DEA
005D9DD8 > B8 F4010000 MOV EAX,1F4
005D9DDD > 48 DEC EAX
005D9DDE .^ 75 FD JNZ SHORT xp2003_e.005D9DDD
005D9DE0 . A1 B8056300 MOV EAX,DWORD PTR DS:[6305B8]
005D9DE5 . E8 E2A7E8FF CALL xp2003_e.004645CC
005D9DEA > 33C0 XOR EAX,EAX
005D9DEC . 5A POP EDX
005D9DED . 59 POP ECX
005D9DEE . 59 POP ECX
005D9DEF . 64:8910 MOV DWORD PTR FS:[EAX],EDX
005D9DF2 . EB 12 JMP SHORT xp2003_e.005D9E06
005D9DF4 .^ E9 27A2E2FF JMP xp2003_e.00404020
005D9DF9 . B8 F4010000 MOV EAX,1F4
005D9DFE > 48 DEC EAX
005D9DFF .^ 75 FD JNZ SHORT xp2003_e.005D9DFE
005D9E01 . E8 82A5E2FF CALL xp2003_e.00404388
005D9E06 > 33C0 XOR EAX,EAX
005D9E08 . 5A POP EDX
005D9E09 . 59 POP ECX
005D9E0A . 59 POP ECX
005D9E0B . 64:8910 MOV DWORD PTR FS:[EAX],EDX
005D9E0E . 68 3B9E5D00 PUSH xp2003_e.005D9E3B
005D9E13 > 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
005D9E16 . E8 35ABE2FF CALL xp2003_e.00404950
005D9E1B . 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
005D9E1E . E8 2DABE2FF CALL xp2003_e.00404950
005D9E23 . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
005D9E26 . E8 25ABE2FF CALL xp2003_e.00404950
005D9E2B . 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
005D9E2E . E8 1DABE2FF CALL xp2003_e.00404950
005D9E33 . C3 RETN
005D9E34 .^ E9 9BA4E2FF JMP xp2003_e.004042D4
005D9E39 .^ EB D8 JMP SHORT xp2003_e.005D9E13
005D9E3B . 5F POP EDI
005D9E3C . 5E POP ESI
005D9E3D . 5B POP EBX
005D9E3E . 8BE5 MOV ESP,EBP
005D9E40 . 5D POP EBP
005D9E41 . C3 RETN
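For readers who have not decoded the two listings above, here is what they do when read back into source. The routine at 004093E8 is a Delphi-style TrimLeft: EBX starts at 1 and advances past every byte <= 0x20, then CALL 00404E60 with ECX = 7FFFFFFF copies the remainder of the string. The caller at 005D9D52 runs both edit fields through it and compares the result with 0 (a Delphi string that is empty is a NULL pointer), so a username or code made only of whitespace takes the error path (CALL 004645CC) and never reaches the algorithm call at 005D9DC6. The C below is an added reconstruction written for this article, not code from the program or its author; the function names are my own labels, not symbols from the binary.

```c
/* Added example: C reconstruction of the trim routine at 004093E8 and of the
 * two empty-input checks at 005D9D87 and 005D9DB2, as read from the listings.
 * Function names are labels chosen here, not symbols recovered from the program. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors 004093E8. The listing's index EBX is 1-based (Delphi strings);
 * here i is the 0-based equivalent of EBX-1. Returns a heap copy of the
 * string with leading bytes <= 0x20 removed; the caller frees it. */
char *trim_left(const char *s)
{
    size_t len = strlen(s);            /* CALL 00404C08: length into EAX  */
    size_t i = 0;
    /* CMP BYTE PTR [ESI+EBX-1],20 / JBE: skip space and control bytes */
    while (i < len && (unsigned char)s[i] <= 0x20)
        i++;
    /* CALL 00404E60 with ECX = 7FFFFFFF: copy from index to the end */
    char *out = malloc(len - i + 1);
    if (!out)
        return NULL;                   /* allocation failure, treated as blank below */
    memcpy(out, s + i, len - i + 1);   /* includes the terminating NUL */
    return out;
}

/* Mirrors CMP DWORD PTR [EBP-4],0: an empty Delphi string is a NULL pointer,
 * so "trimmed result == 0" means nothing but whitespace was typed. */
int is_blank(const char *s)
{
    char *t = trim_left(s);
    int blank = (t == NULL) || t[0] == '\0';
    free(t);
    return blank;
}

/* Mirrors the control flow 005D9D87..005D9DC4: if either field is blank the
 * program takes the error path (CALL 004645CC); otherwise it falls through
 * to the algorithm call at 005D9DC6. Returns 1 when the inputs get that far. */
int reaches_algorithm(const char *username, const char *regcode)
{
    if (is_blank(username))
        return 0;
    if (is_blank(regcode))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs: the pair used in the article, and a blank username */
    printf("%d\n", reaches_algorithm("zjjtr", "1234567890"));
    printf("%d\n", reaches_algorithm("   ", "1234567890"));
    return 0;
}
```

Note that the loop only strips leading bytes; trailing whitespace in a field is kept and passed on, which is why the author's own annotation on the CALL at 004093F1 reads as an emptiness check rather than a full trim.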
After F7 we arrive here.
005DA094 /$ 55 PUSH EBP
005DA095 |. 8BEC MOV EBP,ESP
005DA097 |. 83C4 E8 ADD ESP,-18
005DA09A |. 53 PUSH EBX
005DA09B |. 56 PUSH ESI
005DA09C |. 33D2 XOR EDX,EDX
005DA09E |. 8955 E8 MOV DWORD PTR SS:[EBP-18],EDX
005DA0A1 |. 8955 EC MOV DWORD PTR SS:[EBP-14],EDX
005DA0A4 |. 8955 F4 MOV DWORD PTR SS:[EBP-C],EDX
005DA0A7 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
005DA0AA |. 33C0 XOR EAX,EAX
005DA0AC |. 55 PUSH EBP
005DA0AD |. 68 93A15D00 PUSH xp2003_e.005DA193
005DA0B2 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
005DA0B5 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
005DA0B8 |. 33DB XOR EBX,EBX
005DA0BA |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
005DA0BD |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
005DA0C0 |. 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+304]
005DA0C6 |. E8 55CCE6FF CALL xp2003_e.00446D20
; username length is placed in EAX
005DA0CB |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
005DA0CE |. E8 35ABE2FF CALL xp2003_e.00404C08
005DA0D3 |. 8BF0 MOV ESI,EAX
005DA0D5 |. 85F6 TEST ESI,ESI
; is the username empty?
005DA0D7 |. 7E 38 JLE SHORT xp2003_e.005DA111
005DA0D9 |. C745 F0 01000>MOV DWORD PTR SS:[EBP-10],1
005DA0E0 |> 8D45 EC /LEA EAX,DWORD PTR SS:[EBP-14]
005DA0E3 |. 50 |PUSH EAX
005DA0E4 |. B9 01000000 |MOV ECX,1
005DA0E9 |. 8B55 F0 |MOV EDX,DWORD PTR SS:[EBP-10]
005DA0EC |. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C]
005DA0EF |. E8 6CADE2FF |CALL xp2003_e.00404E60
005DA0F4 |. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
005DA0F7 |. E8 04ADE2FF |CALL xp2003_e.00404E00
005DA0FC |. 8A00 |MOV AL,BYTE P