2003-12-12, 03:13 AM   #1
psac
Cracking AUTOcadR14.01 Chinese version [network verification and user limit]

Software name: AUTOcadR14.01 Chinese version
Software category: everyone on Earth knows it
Software description: everyone on Earth knows it
Cracking tools: ollydbg 1.09, W32DASM10, UltraEdit8.0
Everyone is already familiar with AUTOcadR14.01 Chinese version, so I won't say much. I came back from Shanghai and started drafting again; after a year away from work, all of the software at my office had become genuine, haha. But AUTOcadR14.01 Chinese version is the network edition, and we only bought 20 seats. I don't know how much one seat costs (we also bought the cad2002 network edition, also 20 seats, at 10000 yuan per seat!), but presumably not cheap. So if I log on late and the seats are all taken, I can't get in, and it says no network license, dammit! cad2002 is protected with Flexlm and my skills are too shallow, so I'll start with R14!
First disassemble acad.EXE and look for suspicious spots. It took a long time; my machine is a P4 1.6 and it took more than 10 minutes. Skimming through, nothing obviously useful, but it wasn't wasted.
Ollydbg 1.09 has been working well lately, so let's try it. To keep things simple, first unplug the network cable, so cad definitely can't pass verification. Thankfully it's a P4; got in. What breakpoint to set? No idea, ugh!
The disassembly is still useful: set breakpoints on a few suspicious places at random, such as wherever "FATAL ERROR" is, and so on; this depends on luck. My luck was good. Why? Because I know that after unplugging the network cable it still goes to do network verification, but with no network it retries several times, which gives us time. Run it and watch where it briefly pauses; that is where the verification is! I set breakpoints around there; setting breakpoints in Ollydbg is very convenient, I like it. Then try it repeatedly, feel for the pause, and step into its CALL. This takes a feel for it, but the pause is very obvious; you can tell by watching your hard-disk LED. I set breakpoints over and over, and stepped into its CALLs over and over! Remember the call it is sitting in each time the error message appears, and step into that one next time.
We finally arrive at this CALL; I can't remember how many restarts it took. Ollydbg doesn't seem very stable, a pity!

Part 1

* Referenced by a CALL at Address:
|:00502E1E ;we got here because of the pause.
|
:006ADA90 81EC0C040000 sub esp, 0000040C
:006ADA96 A1DCF2A700 mov eax, dword ptr [00A7F2DC]
:006ADA9B 8B0DFCF2A700 mov ecx, dword ptr [00A7F2FC]
:006ADAA1 03C8 add ecx, eax
:006ADAA3 53 push ebx
:006ADAA4 8D54240C lea edx, dword ptr [esp+0C]
:006ADAA8 56 push esi
:006ADAA9 57 push edi

* Possible StringData Ref from Data Obj ->"館?
|
:006ADAAA A1E8F2A700 mov eax, dword ptr [00A7F2E8]
:006ADAAF 6804040000 push 00000404
:006ADAB4 890DFCF2A700 mov dword ptr [00A7F2FC], ecx
:006ADABA 52 push edx
:006ADABB FF10 call dword ptr [eax]
:006ADABD 668BF0 mov si, ax
:006ADAC0 6685F6 test si, si
:006ADAC3 7543 jne 006ADB08
:006ADAC5 8D442414 lea eax, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"P_?
|
:006ADAC9 8B1DF0F2A700 mov ebx, dword ptr [00A7F2F0]
:006ADACF 50 push eax
:006ADAD0 FF13 call dword ptr [ebx]
:006ADAD2 668BF0 mov si, ax
:006ADAD5 6685F6 test si, si
:006ADAD8 EB2E jmp 006ADB08
:006ADADA 8D442414 lea eax, dword ptr [esp+14]
:006ADADE 6840DE0000 push 0000DE40
:006ADAE3 50 push eax

* Possible StringData Ref from Data Obj ->"0a?
|
:006ADAE4 8B1DF8F2A700 mov ebx, dword ptr [00A7F2F8]
:006ADAEA FF13 call dword ptr [ebx]
:006ADAEC 668BF0 mov si, ax
:006ADAEF 6685F6 test si, si
:006ADAF2 7514 jne 006ADB08
:006ADAF4 A1DCF2A700 mov eax, dword ptr [00A7F2DC]
:006ADAF9 8B0DE0F2A700 mov ecx, dword ptr [00A7F2E0]
:006ADAFF 8B1481 mov edx, dword ptr [ecx+4*eax]
:006ADB02 C70201000000 mov dword ptr [edx], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:006ADAC3(C), :006ADAD8(U), :006ADAF2(C)
|
:006ADB08 8B0DDCF2A700 mov ecx, dword ptr [00A7F2DC]
:006ADB0E A1E0F2A700 mov eax, dword ptr [00A7F2E0]
:006ADB13 8B1488 mov edx, dword ptr [eax+4*ecx]
:006ADB16 833A00 cmp dword ptr [edx], 00000000
:006ADB19 0F8581000000 jne 006ADBA0 ;《《《《《
:006ADB1F BB01000000 mov ebx, 00000001

* Reference To: USER32.wsprintfA, Ord:0264h
|
:006ADB24 8B3DDC74B600 mov edi, dword ptr [00B674DC]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADB85(C)
|
:006ADB2A 8D44240C lea eax, dword ptr [esp+0C]
:006ADB2E 53 push ebx

* Possible StringData Ref from Data Obj ->"I/%d/0"
|
:006ADB2F 68D4F2A700 push 00A7F2D4
:006ADB34 50 push eax
:006ADB35 FFD7 call edi
:006ADB37 83C40C add esp, 0000000C

* Possible StringData Ref from Data Obj ->"F/CG"
|
:006ADB3A 68CCF2A700 push 00A7F2CC
:006ADB3F E8EC000000 call 006ADC30 ;interesting call
:006ADB44 83C404 add esp, 00000004
:006ADB47 85C0 test eax, eax
:006ADB49 7C36 jl 006ADB81
:006ADB4B 8D44240C lea eax, dword ptr [esp+0C]
:006ADB4F 50 push eax
:006ADB50 E8DB000000 call 006ADC30
:006ADB55 83C404 add esp, 00000004
:006ADB58 85C0 test eax, eax
:006ADB5A 7C25 jl 006ADB81

* Possible StringData Ref from Data Obj ->"E/spMwprDpVaDjCrUs"
|
:006ADB5C 68B8F2A700 push 00A7F2B8
:006ADB61 E8CA000000 call 006ADC30 ;interesting call
:006ADB66 83C404 add esp, 00000004
:006ADB69 85C0 test eax, eax
:006ADB6B 7C14 jl 006ADB81

* Possible StringData Ref from Data Obj ->"D/"
|
:006ADB6D 684CF2A700 push 00A7F24C
:006ADB72 E8B9000000 call 006ADC30 ;let's see what this call is; that's for later, ignore it for now
:006ADB77 83C404 add esp, 00000004
:006ADB7A 3DFDDC0000 cmp eax, 0000DCFD ;see that "0000DCFD"? How familiar. Ignore it for now too
:006ADB7F 7408 je 006ADB89

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:006ADB49(C), :006ADB5A(C), :006ADB6B(C)
|
:006ADB81 43 inc ebx
:006ADB82 83FB04 cmp ebx, 00000004
:006ADB85 7EA3 jle 006ADB2A
:006ADB87 EB17 jmp 006ADBA0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADB7F(C)
|
:006ADB89 8B0DE0F2A700 mov ecx, dword ptr [00A7F2E0]
:006ADB8F 6633F6 xor si, si
:006ADB92 A1DCF2A700 mov eax, dword ptr [00A7F2DC]
:006ADB97 8B1481 mov edx, dword ptr [ecx+4*eax]
:006ADB9A C70202000000 mov dword ptr [edx], 00000002

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:006ADB19(C), :006ADB87(U)
|
:006ADBA0 8B0DDCF2A700 mov ecx, dword ptr [00A7F2DC]
:006ADBA6 A1E0F2A700 mov eax, dword ptr [00A7F2E0]
:006ADBAB 8B1488 mov edx, dword ptr [eax+4*ecx]
:006ADBAE 8D0C88 lea ecx, dword ptr [eax+4*ecx]
:006ADBB1 8B1DDCF2A700 mov ebx, dword ptr [00A7F2DC]
:006ADBB7 8B02 mov eax, dword ptr [edx]
:006ADBB9 35A9B50000 xor eax, 0000B5A9
:006ADBBE 03C3 add eax, ebx
:006ADBC0 A3FCF2A700 mov dword ptr [00A7F2FC], eax
:006ADBC5 8B11 mov edx, dword ptr [ecx]
:006ADBC7 833A00 cmp dword ptr [edx], 00000000
:006ADBCA 752F jne 006ADBFB
:006ADBCC E8AF000000 call 006ADC80 ;key CALL, it lingers here for a while, step in and look [what if we nop it?]
:006ADBD1 35A9B50000 xor eax, 0000B5A9 ; eax XOR B5A9. If EAX=FFFFFFFF, then after the XOR it is FFFF4A56, see?
:006ADBD6 3D564AFFFF cmp eax, FFFF4A56 ; compare for equality; of course it must not be equal! 0 XOR B5A9 is certainly not FFFF4A56
:006ADBDB 741E je 006ADBFB ; must not jump; can it be patched? [what if we nop it? 9090]
:006ADBDD 6633F6 xor si, si
:006ADBE0 A1DCF2A700 mov eax, dword ptr [00A7F2DC]
:006ADBE5 66893580F3A700 mov word ptr [00A7F380], si
:006ADBEC 8B0DE0F2A700 mov ecx, dword ptr [00A7F2E0]
:006ADBF2 8B1481 mov edx, dword ptr [ecx+4*eax]
:006ADBF5 C70203000000 mov dword ptr [edx], 00000003

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:006ADBCA(C), :006ADBDB(C)
|
:006ADBFB 6683FE01 cmp si, 0001
:006ADBFF 5F pop edi
:006ADC00 1BC0 sbb eax, eax
:006ADC02 5E pop esi
:006ADC03 25536BFFFF and eax, FFFF6B53
:006ADC08 5B pop ebx
:006ADC09 05564A0000 add eax, 00004A56
:006ADC0E 81C40C040000 add esp, 0000040C
:006ADC14 66A37865A700 mov word ptr [00A76578], ax
:006ADC1A 6681357865A700A9B5 xor word ptr [00A76578], B5A9
:006ADC23 C3 ret

....

* Referenced by a CALL at Addresses:
|:006ADB3F , :006ADB50 , :006ADB61 , :006ADB72
| ;interesting call, we'll look at it later
:006ADC30 8B542404 mov edx, dword ptr [esp+04]
:006ADC34 57 push edi
:006ADC35 8BFA mov edi, edx
:006ADC37 B9FFFFFFFF mov ecx, FFFFFFFF
:006ADC3C 2BC0 sub eax, eax
:006ADC3E F2 repnz
:006ADC3F AE scasb
:006ADC40 F7D1 not ecx
:006ADC42 49 dec ecx
:006ADC43 51 push ecx
:006ADC44 52 push edx
:006ADC45 E8F6BF2E00 call 00999C40 ;take a look
:006ADC4A 0FBFC0 movsx eax, ax
:006ADC4D 83F8FF cmp eax, FFFFFFFF
:006ADC50 7405 je 006ADC57
:006ADC52 25FFFF0000 and eax, 0000FFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADC50(C)
|
:006ADC57 5F pop edi
:006ADC58 C3 ret
............
* Referenced by a CALL at Address:
|:008AFBA2
|
:006ADC60 8B0DFCF2A700 mov ecx, dword ptr [00A7F2FC]
:006ADC66 A1DCF2A700 mov eax, dword ptr [00A7F2DC]
:006ADC6B 2BC8 sub ecx, eax
:006ADC6D 8B442404 mov eax, dword ptr [esp+04]
:006ADC71 81F1A9B50000 xor ecx, 0000B5A9
:006ADC77 03C1 add eax, ecx
:006ADC79 C3 ret


:006ADC7A CC int 03
:006ADC7B CC int 03
:006ADC7C CC int 03
:006ADC7D CC int 03
:006ADC7E CC int 03
:006ADC7F CC int 03

* Referenced by a CALL at Address:
|:006ADBCC
|
* Possible StringData Ref from Data Obj ->"140"
|
:006ADC80 685CF3A700 push 00A7F35C
:006ADC85 E8D6000000 call 006ADD60 ; key CALL, it lingers here for a while, step in and look
:006ADC8A 83C404 add esp, 00000004
:006ADC8D 83F8FF cmp eax, FFFFFFFF
:006ADC90 7506 jne 006ADC98 ; if not equal to -1, jump. We must jump,
:006ADC92 B8FFFFFFFF mov eax, FFFFFFFF ; getting here is death; eax=-1 won't do
:006ADC97 C3 ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADC90(C)
|
:006ADC98 6A20 push 00000020 ; here it verifies the user limit

* Possible StringData Ref from Data Obj ->"140"
|
:006ADC9A 685CF3A700 push 00A7F35C
:006ADC9F E83C010000 call 006ADDE0 ; the verification CALL; stepping in is no use, it only needs to return EAX=0. Of course I can't understand it!!!
:006ADCA4 83C408 add esp, 00000008
:006ADCA7 83F8FF cmp eax, FFFFFFFF ; patch so that eax=0; of course in the previous CALL we already made eax=0
:006ADCAA 7506 jne 006ADCB2 ; if not equal to -1, jump. We must jump,
:006ADCAC B8FFFFFFFF mov eax, FFFFFFFF ; getting here is death; eax=-1 won't do
:006ADCB1 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADCAA(C)
|
:006ADCB2 68A0DF6A00 push 006ADFA0
:006ADCB7 A140F3A700 mov eax, dword ptr [00A7F340]
:006ADCBC 6A3C push 0000003C
:006ADCBE 8B0D3CF3A700 mov ecx, dword ptr [00A7F33C]
:006ADCC4 50 push eax
:006ADCC5 51 push ecx
:006ADCC6 E8B5070000 call 006AE480
:006ADCCB 83C410 add esp, 00000010
:006ADCCE 33C0 xor eax, eax ; when we get here eax is 0; return, verification succeeded
:006ADCD0 C3 ret
......
......
......
* Referenced by a CALL at Address:
|:006ADC85 ;the call coming from 006ADC85
|
:006ADD60 E8BB030000 call 006AE120
:006ADD65 85C0 test eax, eax
:006ADD67 750B jne 006ADD74 ;normally it jumps over; must jump
:006ADD69 E8B2050000 call 006AE320
:006ADD6E B8FFFFFFFF mov eax, FFFFFFFF
:006ADD73 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADD67(C)
|
:006ADD74 683CF3A700 push 00A7F33C
:006ADD79 E822070000 call 006AE4A0 ; CALL; stepping in, we find it reads the file ADESKSYS.DLL
:006ADD7E 8B4C2408 mov ecx, dword ptr [esp+08]
:006ADD82 83C404 add esp, 00000004
:006ADD85 A138F3A700 mov eax, dword ptr [00A7F338]
:006ADD8A 8B153CF3A700 mov edx, dword ptr [00A7F33C]
:006ADD90 C605B045AF0000 mov byte ptr [00AF45B0], 00
:006ADD97 6A00 push 00000000
:006ADD99 50 push eax
:006ADD9A 51 push ecx
:006ADD9B 68B045AF00 push 00AF45B0
:006ADDA0 52 push edx
:006ADDA1 E80A060000 call 006AE3B0 ;key CALL, it lingers here for a while. Stepping in, we find it reads the file ADESKSYS.DLL

$$$$$$*********************$$$$$$
* Referenced by a CALL at Address:
|:006ADDA1
|
:006AE3B0 A108F3A700 mov eax, dword ptr [00A7F308]
:006AE3B5 85C0 test eax, eax
:006AE3B7 7506 jne 006AE3BF
:006AE3B9 B8FFFFFFFF mov eax, FFFFFFFF
:006AE3BE C3 ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006AE3B7(C)
|
:006AE3BF 8B442414 mov eax, dword ptr [esp+14]
:006AE3C3 8B4C2410 mov ecx, dword ptr [esp+10]
:006AE3C7 8B54240C mov edx, dword ptr [esp+0C]
:006AE3CB 50 push eax
:006AE3CC 8B44240C mov eax, dword ptr [esp+0C]
:006AE3D0 51 push ecx
:006AE3D1 8B4C240C mov ecx, dword ptr [esp+0C]
:006AE3D5 52 push edx
:006AE3D6 50 push eax
:006AE3D7 51 push ecx
:006AE3D8 FF1508F3A700 call dword ptr [00A7F308] ; key CALL, it lingers here for a while; stepping in, it looks for ADESKSYSY.DLL and executes inside it. ADESKSYSY.DLL is clearly very important.
:006AE3DE C3 ret ; returns eax: ffffffff without a network license, 0 with one


$$$$$$$$***************$$$$$$$

:006ADDA6 83C414 add esp, 00000014
:006ADDA9 A340F3A700 mov dword ptr [00A7F340], eax ; the returned eax: ffffffff without a network license, 0 with one
:006ADDAE 85C0 test eax, eax ; test whether eax is 0 or -1
:006ADDB0 7D06 jge 006ADDB8 ; if greater than or equal to 0, jump. We must jump; patch to jmp
:006ADDB2 B8FFFFFFFF mov eax, FFFFFFFF
:006ADDB7 C3 ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADDB0(C)
|
:006ADDB8 6A01 push 00000001
:006ADDBA A340F3A700 mov dword ptr [00A7F340], eax
:006ADDBF 6A0E push 0000000E
:006ADDC1 50 push eax
:006ADDC2 A13CF3A700 mov eax, dword ptr [00A7F33C]
:006ADDC7 50 push eax
:006ADDC8 E813060000 call 006AE3E0
:006ADDCD 83C410 add esp, 00000010
:006ADDD0 33C0 xor eax, eax ; when we get here eax is 0; return, network license verification succeeded. Next step: verify the user count limit
:006ADDD2 C3 ret

At this point we can see where the verification happens, and we can patch it.
Method 1:
* Referenced by a CALL at Address:
|:006ADBCC
|
* Possible StringData Ref from Data Obj ->"140"
|
:006ADC80 685CF3A700 push 00A7F35C
:006ADC85 E8D6000000 call 006ADD60 ; key CALL, it lingers here for a while, step in and look
:006ADC8A 83C404 add esp, 00000004
:006ADC8D 83F8FF cmp eax, FFFFFFFF ;change to mov eax, 0
:006ADC90 7506 jne 006ADC98 ;change to cmp eax, FFFFFFFF
:006ADC92 B8FFFFFFFF mov eax, FFFFFFFF ;change to jne 006ADC98
:006ADC97 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADC90(C)
|
:006ADC98 6A20 push 00000020 ; here it verifies the user limit
* Possible StringData Ref from Data Obj ->"140"
|
:006ADC9A 685CF3A700 push 00A7F35C
:006ADC9F E83C010000 call 006ADDE0 ; the verification CALL; stepping in is no use, it only needs to return EAX=0. Of course I can't understand it!!!
:006ADCA4 83C408 add esp, 00000008
:006ADCA7 83F8FF cmp eax, FFFFFFFF ; change to mov eax, 0
:006ADCAA 7506 jne 006ADCB2 ; change to cmp eax, FFFFFFFF
:006ADCAC B8FFFFFFFF mov eax, FFFFFFFF ; jne 006ADCB2
:006ADCB1 C3 ret

It should also be possible to change the 2 CALLs above it to nop, so it won't go to do network verification at all; saves time!
Method 2:
:006ADBCC E8AF000000 call 006ADC80 ;nop it out, 9090909090
:006ADBD1 35A9B50000 xor eax, 0000B5A9
:006ADBD6 3D564AFFFF cmp eax, FFFF4A56
:006ADBDB 741E je 006ADBFB ; what if we nop it? 9090

--=========================
Part 2

Now let's look at that interesting call; this is also the part I find interesting.

* Possible StringData Ref from Data Obj ->"F/CG"
|
:006ADB3A 68CCF2A700 push 00A7F2CC
:006ADB3F E8EC000000 call 006ADC30 ;interesting call
:006ADB44 83C404 add esp, 00000004
:006ADB47 85C0 test eax, eax
:006ADB49 7C36 jl 006ADB81
:006ADB4B 8D44240C lea eax, dword ptr [esp+0C]
:006ADB4F 50 push eax
:006ADB50 E8DB000000 call 006ADC30
:006ADB55 83C404 add esp, 00000004
:006ADB58 85C0 test eax, eax
:006ADB5A 7C25 jl 006ADB81

* Possible StringData Ref from Data Obj ->"E/spMwprDpVaDjCrUs"
|
:006ADB5C 68B8F2A700 push 00A7F2B8
:006ADB61 E8CA000000 call 006ADC30 ;interesting call
:006ADB66 83C404 add esp, 00000004
:006ADB69 85C0 test eax, eax
:006ADB6B 7C14 jl 006ADB81

* Possible StringData Ref from Data Obj ->"D/"
|
:006ADB6D 684CF2A700 push 00A7F24C
:006ADB72 E8B9000000 call 006ADC30 ;interesting call; let's see what this call is,
:006ADB77 83C404 add esp, 00000004
:006ADB7A 3DFDDC0000 cmp eax, 0000DCFD ;see that "0000DCFD"? How familiar.
:006ADB7F 7408 je 006ADB89

I don't know whether you have read the article about autocad in Kanxue Essentials 3 (看雪精華3)? That one cracked the French version of cadR14, and it too had the "0000DCFD" issue. It appears here as well; coincidence? ^_^
* Referenced by a CALL at Addresses:
|:006ADB3F , :006ADB50 , :006ADB61 , :006ADB72
|let's step in here and look
:006ADC30 8B542404 mov edx, dword ptr [esp+04]
:006ADC34 57 push edi
:006ADC35 8BFA mov edi, edx
:006ADC37 B9FFFFFFFF mov ecx, FFFFFFFF
:006ADC3C 2BC0 sub eax, eax
:006ADC3E F2 repnz
:006ADC3F AE scasb
:006ADC40 F7D1 not ecx
:006ADC42 49 dec ecx
:006ADC43 51 push ecx
:006ADC44 52 push edx
:006ADC45 E8F6BF2E00 call 00999C40 ;let's step in and look
:006ADC4A 0FBFC0 movsx eax, ax
:006ADC4D 83F8FF cmp eax, FFFFFFFF
:006ADC50 7405 je 006ADC57
:006ADC52 25FFFF0000 and eax, 0000FFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADC50(C)
|
:006ADC57 5F pop edi
:006ADC58 C3 ret

--------
* Referenced by a CALL at Addresses:
|:006AD0B5 , :006ADC45
|;the interesting call arrives here
:00999C40 83EC04 sub esp, 00000004
:00999C43 66833DC038AB0000 cmp word ptr [00AB38C0], 0000
:00999C4B 7518 jne 00999C65
:00999C4D 6804040000 push 00000404
:00999C52 68700AB600 push 00B60A70
:00999C57 E8B4FFFFFF call 00999C10
:00999C5C 66C705C038AB000100 mov word ptr [00AB38C0], 0001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00999C4B(C)
|
:00999C65 8D442402 lea eax, dword ptr [esp+02]
:00999C69 50 push eax
:00999C6A 668B442410 mov ax, word ptr [esp+10]
:00999C6F 50 push eax
:00999C70 8B442410 mov eax, dword ptr [esp+10]
:00999C74 50 push eax
:00999C75 68700AB600 push 00B60A70
:00999C7A E8D1220000 call 0099BF50 ; complicated inside, but the result is just one return value, namely word ptr [esp+02] below
:00999C7F 668B442402 mov ax, word ptr [esp+02] ;what if we make AX=DCFD? mov ax,dcfd, haha
:00999C84 83C404 add esp, 00000004
:00999C87 C20800 ret 0008

:00999C8A 8D9B00000000 lea ebx, dword ptr [ebx+00000000]

We only change acad.exe's :00999C7F 668B442402 mov ax, word ptr [esp+02]
to :00999C7F 66b8fddc90 mov ax, 0000dcfd
Run acad.exe; haha, we're in! Don't celebrate yet. Another dialog pops up asking for an authorization code! But the network edition has no authorization code! I wonder whether, after changing it to "0000DCFD", it has become the standalone edition?! Type in a few random digits and click OK; it says the authorization code is wrong; do that 3 times and it exits.
Come on, let's see whether acad is usable if we kill this dialog.
Open Ollydbg; what breakpoint to set? This time we set a breakpoint on USER32.MessageBoxA. How? Very simple; Ollydbg is really good!
The authorization dialog appears, but Ollydbg doesn't break. Don't worry: type 78787878 and click OK. We're stopped; now we can delete the other unnecessary breakpoints and keep only this one. Keep pressing F9 until the error message appears; be careful not to disable this breakpoint. Then click OK in the error message dialog; we're stopped again, and our work begins.
We find the authorization dialog has 3 buttons: one is the authorization OK, one is Cancel, and there is a greyed-out button, "Defer" (延期).
.......
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004F8EA4(C), :004F8EBA(C), :004F8EE4(C), :004F8EED(C), :004F92C8(C)
|:004F9313(U)
|here we get into cad
:004F8E62 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004F8E69 E806050000 call 004F9374
:004F8E6E 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004F8F04(U), :004F9089(U), :004F90F4(U), :004F921C(U), :004F92BB(U)
|:004F92F8(U), :004F9338(U), :004F935D(U)
|here it fails and exits
:004F8E70 8B4DF4 mov ecx, dword ptr [ebp-0C]
:004F8E73 5F pop edi
:004F8E74 64890D00000000 mov dword ptr fs:[00000000], ecx
:004F8E7B 5E pop esi
:004F8E7C 5B pop ebx
:004F8E7D 8BE5 mov esp, ebp
:004F8E7F 5D pop ebp
:004F8E80 C3 ret
.....
....omitted
....
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F92D2(C)
| come here, because you get 3 chances to enter the CODE
:004F9162 8D8D6CFFFFFF lea ecx, dword ptr [ebp+FFFFFF6C]

* Reference To: MFC42.Ordinal:09D2, Ord:09D2h
|
:004F9168 E85DEA4B00 Call 009B7BCA ;gets the return value of the button you clicked in eax.
:004F916D 83F801 cmp eax, 00000001 ;analysis shows eax: 1 is OK, 2 is Cancel, 3 is Defer
:004F9170 0F854A010000 jne 004F92C0 ;if not equal to 1, jump. Let's follow the jump and look
:004F9176 8D8D6CFFFFFF lea ecx, dword ptr [ebp+FFFFFF6C] ;verification starts below. I don't want to study the algorithm; just patch it, as long as it works,
:004F917C E88F9A3400 call 00842C10
:004F9181 6A7F push 0000007F
:004F9183 8B00 mov eax, dword ptr [eax]
:004F9185 50 push eax
:004F9186 8D8D6CFEFFFF lea ecx, dword ptr [ebp+FFFFFE6C]
:004F918C 51 push ecx
:004F918D FFD3 call ebx
:004F918F 83C40C add esp, 0000000C
:004F9192 8D4DE4 lea ecx, dword ptr [ebp-1C]
:004F9195 8D55E0 lea edx, dword ptr [ebp-20]
:004F9198 8D856CFEFFFF lea eax, dword ptr [ebp+FFFFFE6C]
:004F919E 51 push ecx
:004F919F 52 push edx
:004F91A0 50 push eax
:004F91A1 E81AD91400 call 00646AC0
:004F91A6 83C40C add esp, 0000000C
:004F91A9 85C0 test eax, eax
:004F91AB 7474 je 004F9221 ;jump to continue verification; must be jmp! patch
:004F91AD 8D4601 lea eax, dword ptr [esi+01]
:004F91B0 83F803 cmp eax, 00000003
:004F91B3 0F8D15010000 jnl 004F92CE ;fewer than 3 times, gives you another chance to enter the CODE
:004F91B9 68FF000000 push 000000FF
:004F91BE 8D856CFEFFFF lea eax, dword ptr [ebp+FFFFFE6C]
:004F91C4 50 push eax
:004F91C5 68E0B5A500 push 00A5B5E0
:004F91CA 68F3110000 push 000011F3
:004F91CF E8EC8EFDFF call 004D20C0
:004F91D4 83C410 add esp, 00000010
:004F91D7 8D856CFEFFFF lea eax, dword ptr [ebp+FFFFFE6C]
:004F91DD 50 push eax
:004F91DE 6A01 push 00000001
:004F91E0 6A01 push 00000001
:004F91E2 E8C9323B00 call 008AC4B0 ;this call is the error dialog
:004F91E7 83C40C add esp, 0000000C
:004F91EA 83F806 cmp eax, 00000006
:004F91ED 0F84DB000000 je 004F92CE ;fewer than 3 times, gives you another chance to enter the CODE
:004F91F3 83F801 cmp eax, 00000001
:004F91F6 0F84D2000000 je 004F92CE ;fewer than 3 times, gives you another chance to enter the CODE
:004F91FC 57 push edi
:004F91FD 8B45EC mov eax, dword ptr [ebp-14]
:004F9200 50 push eax
:004F9201 6A00 push 00000000
:004F9203 E818973400 call 00842920
:004F9208 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004F920F 83C40C add esp, 0000000C
:004F9212 E85D010000 call 004F9374
:004F9217 B801000000 mov eax, 00000001
:004F921C E94FFCFFFF jmp 004F8E70 ;has to exit, no playing for you!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F91AB(C)
|here we are
:004F9221 8B45E4 mov eax, dword ptr [ebp-1C]
:004F9224 8B4DE0 mov ecx, dword ptr [ebp-20]
:004F9227 50 push eax
:004F9228 51 push ecx
:004F9229 E802D71400 call 00646930
:004F922E 83C408 add esp, 00000008
:004F9231 85C0 test eax, eax
:004F9233 0F84C4000000 je 004F92FD ;jump to continue verification; must be jmp! patch
:004F9239 83F801 cmp eax, 00000001
:004F923C 7518 jne 004F9256 ;has to exit, no playing for you!
:004F923E 68FF000000 push 000000FF
:004F9243 8D856CFEFFFF lea eax, dword ptr [ebp+FFFFFE6C]
:004F9249 50 push eax
:004F924A 68E0B5A500 push 00A5B5E0
:004F924F 68F2110000 push 000011F2
:004F9254 EB22 jmp 004F9278 ;has to exit, no playing for you!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F923C(C)
|
:004F9256 8D4601 lea eax, dword ptr [esi+01]
:004F9259 83F803 cmp eax, 00000003
:004F925C 0F8DB6000000 jnl 004F9318
:004F9262 68FF000000 push 000000FF
:004F9267 8D856CFEFFFF lea eax, dword ptr [ebp+FFFFFE6C]
:004F926D 50 push eax
:004F926E 68E0B5A500 push 00A5B5E0
:004F9273 68F1110000 push 000011F1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F9254(U)
|
:004F9278 E8438EFDFF call 004D20C0
:004F927D 83C410 add esp, 00000010
:004F9280 8D856CFEFFFF lea eax, dword ptr [ebp+FFFFFE6C]
:004F9286 50 push eax
:004F9287 6A01 push 00000001
:004F9289 E8E2323B00 call 008AC570
:004F928E 83C408 add esp, 00000008
:004F9291 83F806 cmp eax, 00000006
:004F9294 7438 je 004F92CE
:004F9296 83F801 cmp eax, 00000001
:004F9299 7433 je 004F92CE
:004F929B 57 push edi
:004F929C 8B45EC mov eax, dword ptr [ebp-14]
:004F929F 50 push eax
:004F92A0 6A00 push 00000000
:004F92A2 E879963400 call 00842920
:004F92A7 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004F92AE 83C40C add esp, 0000000C
:004F92B1 E8BE000000 call 004F9374
:004F92B6 B801000000 mov eax, 00000001
:004F92BB E9B0FBFFFF jmp 004F8E70

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F9170(C)
|
:004F92C0 83F802 cmp eax, 00000002 ;compare with 2
:004F92C3 7478 je 004F933D ;you cancelled, so of course it exits!
:004F92C5 83F805 cmp eax, 00000005 ;compare with 5
:004F92C8 0F8494FBFFFF je 004F8E62 ;defer, meaning you can use it! ^_^

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004F91B3(C), :004F91ED(C), :004F91F6(C), :004F9294(C), :004F9299(C)
|
:004F92CE 46 inc esi ;after clicking OK in the error message dialog, we're stopped here
:004F92CF 83FE03 cmp esi, 00000003 ;compares how many times a wrong authorization CODE was entered
:004F92D2 0F8C8AFEFFFF jl 004F9162 ;jump if less than 3, meaning you get 3 chances to enter it; go!
:004F92D8 57 push edi
:004F92D9 8B45EC mov eax, dword ptr [ebp-14]
:004F92DC 50 push eax
:004F92DD 6A01 push 00000001
:004F92DF E83C963400 call 00842920
:004F92E4 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004F92EB 83C40C add esp, 0000000C
:004F92EE E881000000 call 004F9374
:004F92F3 B801000000 mov eax, 00000001
:004F92F8 E973FBFFFF jmp 004F8E70 ;more than 3 errors and it's game over here!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F9233(C)
|
:004F92FD 8B45E0 mov eax, dword ptr [ebp-20]
:004F9300 8B4DE4 mov ecx, dword ptr [ebp-1C]
:004F9303 A3C865A700 mov dword ptr [00A765C8], eax
:004F9308 890DCC65A700 mov dword ptr [00A765CC], ecx
:004F930E E82D1FFBFF call 004AB240
:004F9313 E94AFBFFFF jmp 004F8E62 ;get here and you can use it!!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F925C(C)
|
:004F9318 57 push edi
:004F9319 8B45EC mov eax, dword ptr [ebp-14]
:004F931C 50 push eax
:004F931D 6A01 push 00000001
:004F931F E8FC953400 call 00842920
:004F9324 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004F932B 83C40C add esp, 0000000C
:004F932E E841000000 call 004F9374
:004F9333 B801000000 mov eax, 00000001
:004F9338 E933FBFFFF jmp 004F8E70 ;has to exit, no playing for you!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F92C3(C)
|
:004F933D 57 push edi
:004F933E 8B45EC mov eax, dword ptr [ebp-14]
:004F9341 50 push eax
:004F9342 6A00 push 00000000
:004F9344 E8D7953400 call 00842920
:004F9349 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004F9350 83C40C add esp, 0000000C
:004F9353 E81C000000 call 004F9374
:004F9358 B801000000 mov eax, 00000001
:004F935D E90EFBFFFF jmp 004F8E70 ;has to exit, no playing for you!

omitted

===================================================
* Referenced by a CALL at Addresses:
|:004EDAD3 , :004EE45C , :004F2B9C , :004F2C2B , :004F2DB4
|:004F378A , :004F3819 , :004F9066 , :004F90D1 , :004F91E2
|:005030DF , :005480E9 , :005A073B , :006ADE61 , :0085D96F
|:0089A0E4 , :008A3D1C , :008A7809 , :008AC58C , :008AC669
|
:008AC4B0 83EC3C sub esp, 0000003C
:008AC4B3 53 push ebx
:008AC4B4 56 push esi
:008AC4B5 8B742448 mov esi, dword ptr [esp+48]
:008AC4B9 57 push edi
:008AC4BA 85F6 test esi, esi
:008AC4BC 7502 jne 008AC4C0
:008AC4BE 33F6 xor esi, esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:008AC4BC(C)
|
:008AC4C0 8B7C2450 mov edi, dword ptr [esp+50]
:008AC4C4 85FF test edi, edi
:008AC4C6 7C05 jl 008AC4CD
:008AC4C8 83FF03 cmp edi, 00000003
:008AC4CB 7C02 jl 008AC4CF
.....
.....omitted
.....
* Reference To: USER32.GetActiveWindow, Ord:00D5h
|
:008AC534 FF153875B600 Call dword ptr [00B67538]
:008AC53A 8B0D60B3A900 mov ecx, dword ptr [00A9B360]
:008AC540 3BC1 cmp eax, ecx
:008AC542 7407 je 008AC54B
:008AC544 51 push ecx

* Reference To: USER32.GetLastActivePopup, Ord:0108h
|
:008AC545 FF159076B600 Call dword ptr [00B67690]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:008AC542(C)
|
:008AC54B 8D4C240C lea ecx, dword ptr [esp+0C]
:008AC54F 56 push esi
:008AC550 8B542458 mov edx, dword ptr [esp+58]
:008AC554 51 push ecx
:008AC555 52 push edx
:008AC556 50 push eax
:008AC557 E8A4EFF9FF call 0084B500 ;from here we go to the MessageBoxA call below
:008AC55C 83C410 add esp, 00000010
:008AC55F 5F pop edi
:008AC560 5E pop esi
:008AC561 5B pop ebx
:008AC562 83C43C add esp, 0000003C
:008AC565 C3 ret
* Referenced by a CALL at Addresses:
|:007DAE14 , :00861430 , :008AC557 , :008ACCC5 , :008ACF40
|:008AEA47
|
:0084B500 53 push ebx
:0084B501 56 push esi
:0084B502 57 push edi
:0084B503 33F6 xor esi, esi

* Reference To: MFC42.Ordinal:0490, Ord:0490h
|
:0084B505 E800C01600 Call 009B750A
:0084B50A 8B7804 mov edi, dword ptr [eax+04]
.....
....omitted

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0084B52F(C), :0084B533(C)
|
:0084B53B 8B4C241C mov ecx, dword ptr [esp+1C]
:0084B53F 8B542410 mov edx, dword ptr [esp+10]
:0084B543 51 push ecx
:0084B544 50 push eax
:0084B545 8B44241C mov eax, dword ptr [esp+1C]
:0084B549 50 push eax
:0084B54A 52 push edx

* Reference To: USER32.MessageBoxA, Ord:0195h
|
:0084B54B FF15C074B600 Call dword ptr [00B674C0] ;our MessageBoxA breakpoint stops here!!!
:0084B551 85F6 test esi, esi
:0084B553 7403 je 0084B558
:0084B555 89777C mov dword ptr [edi+7C], esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0084B553(C)
|
:0084B558 5F pop edi
:0084B559 5E pop esi
:0084B55A 5B pop ebx
:0084B55B C3 ret
========================================================

At this point we can patch its authorization registration. There are many ways; I used the least-effort one: we make it defer!

:004F9168 E85DEA4B00 Call 009B7BCA ;gets the return value of the button you clicked in eax.
:004F916D 83F801 cmp eax, 00000001 ;analysis shows eax: 1 is OK, 2 is Cancel, 3 is Defer
:004F9170 0F854A010000 jne 004F92C0 ;if not equal to 1, jump. Let's follow the jump and look
We change the line 004F9168 E85DEA4B00 Call 009B7BCA to mov eax,5, "B805000000", which fits exactly; this way the registration dialog is skipped as well.
Part 2 summary: change these two places to turn it into the standalone edition; this saves the time spent connecting to the network, so startup will be a bit faster, though you may not notice.

1. Change :00999C7F 668B442402 mov ax, word ptr [esp+02]
to :00999C7F 66b8fddc90 mov ax, 0000dcfd

2. Change :004F9168 E85DEA4B00 Call 009B7BCA
to :004F9168 B805000000 mov eax,00000005


===================================================
CADR14's network limit is solved. Genuine copies should be bought, but don't spend too much; it all goes to the foreigners!
The next target is CAD2002, protected with Flexlm7.1f; I think it can be patched too. But CAD2002 seems to have antidebug, and Ollydbg can't be used. Also, if I have the Flexlm licence for CAD2002, can I directly change the user limit in it? Probably not? Then I'll have to make an unlimited licence myself.
