Cracking AUTOcadR14.01 Chinese version [network verification and user limit]
Software name: AUTOcadR14.01 Chinese version
Software category: everyone on Earth knows it. Software description: everyone on Earth knows it. Cracking tools: ollydbg 1.09, W32DASM10, UltraEdit8.0.

Everyone is already familiar with AUTOcadR14.01 Chinese version, so I won't say much. I came back from Shanghai and started drafting again; after a year away from work, all the software at my workplace had become genuine, haha. But AUTOcadR14.01 Chinese version is the network edition, and we only bought 20 seats; I don't know how much one seat costs (we also bought the cad2002 network edition, also 20 seats, at 10000 yuan per seat!), so presumably quite a lot. So if I log on late and the seats are full, I can't get in: it says no network license, damn it! cad2002 is protected with Flexlm, and my skill is too shallow, so I'll take R14 under the knife first.

First disassemble acad.EXE and look for suspicious spots. It took a long time; my computer is a P4 1.6 and it took over 10 minutes. Skimming through, nothing obviously useful, but it wasn't wasted either.

Ollydbg 1.09 has been nice to use lately, so let's try it. To save trouble, first unplug the network cable; that way the cad verification is certain to fail. Luckily it's a P4, so it got in. What breakpoint to set? No idea, ugh! The disassembly is still useful: pick a few suspicious spots and set breakpoints, such as the places with 「FATAL ERROR」 and so on; this depends on luck. My luck was good. Why? Because I knew that after unplugging the cable it still goes out to verify over the network, but with no network it retries several times, and that gives us time: run it, watch where it pauses briefly, and that is where the verification is! I set breakpoints around there; setting breakpoints in Ollydbg is very convenient, I like it. Then try a few times over, feel for its pause, and trace into its CALL. This needs a feel for it; the pause is quite obvious, you can tell by watching your hard disk LED. I set breakpoints over and over, and traced into its CALLs over and over! Remember the call it is sitting in each time the error prompt appears, and trace into that one next time.

We finally arrive at this CALL; how many restarts it took, I can't remember. Ollydbg doesn't seem very stable, a pity!

Part One

* Referenced by a CALL at Address:
|:00502E1E ; we came in here because of the pause
|
:006ADA90 81EC0C040000 sub esp, 0000040C
:006ADA96 A1DCF2A700 mov eax, dword ptr [00A7F2DC]
:006ADA9B 8B0DFCF2A700 mov ecx, dword ptr [00A7F2FC]
:006ADAA1 03C8 add ecx, eax
:006ADAA3 53 push ebx
:006ADAA4 8D54240C lea edx, dword ptr [esp+0C]
:006ADAA8 56 push esi
:006ADAA9 57 push edi
* Possible StringData Ref from Data Obj ->"館?
|
:006ADAAA A1E8F2A700 mov eax, dword ptr [00A7F2E8]
:006ADAAF 6804040000 push 00000404
:006ADAB4 890DFCF2A700 mov dword ptr [00A7F2FC], ecx
:006ADABA 52 push edx
:006ADABB FF10 call dword ptr [eax]
:006ADABD 668BF0 mov si, ax
:006ADAC0 6685F6 test si, si
:006ADAC3 7543 jne 006ADB08
:006ADAC5 8D442414 lea eax, dword ptr [esp+14]
* Possible StringData Ref from Data Obj ->"P_?
|
:006ADAC9 8B1DF0F2A700 mov ebx, dword ptr [00A7F2F0]
:006ADACF 50 push eax
:006ADAD0 FF13 call dword ptr [ebx]
:006ADAD2 668BF0 mov si, ax
:006ADAD5 6685F6 test si, si
:006ADAD8 EB2E jmp 006ADB08
:006ADADA 8D442414 lea eax, dword ptr [esp+14]
:006ADADE 6840DE0000 push 0000DE40
:006ADAE3 50 push eax
* Possible StringData Ref from Data Obj ->"0a?
|
:006ADAE4 8B1DF8F2A700 mov ebx, dword ptr [00A7F2F8]
:006ADAEA FF13 call dword ptr [ebx]
:006ADAEC 668BF0 mov si, ax
:006ADAEF 6685F6 test si, si
:006ADAF2 7514 jne 006ADB08
:006ADAF4 A1DCF2A700 mov eax, dword ptr [00A7F2DC]
:006ADAF9 8B0DE0F2A700 mov ecx, dword ptr [00A7F2E0]
:006ADAFF 8B1481 mov edx, dword ptr [ecx+4*eax]
:006ADB02 C70201000000 mov dword ptr [edx], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:006ADAC3(C), :006ADAD8(U), :006ADAF2(C)
|
:006ADB08 8B0DDCF2A700 mov ecx, dword ptr [00A7F2DC]
:006ADB0E A1E0F2A700 mov eax, dword ptr [00A7F2E0]
:006ADB13 8B1488 mov edx, dword ptr [eax+4*ecx]
:006ADB16 833A00 cmp dword ptr [edx], 00000000
:006ADB19 0F8581000000 jne 006ADBA0 ; 《《《《《
:006ADB1F BB01000000 mov ebx, 00000001
* Reference To: USER32.wsprintfA, Ord:0264h
|
:006ADB24 8B3DDC74B600 mov edi, dword ptr [00B674DC]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADB85(C)
|
:006ADB2A 8D44240C lea eax, dword ptr [esp+0C]
:006ADB2E 53 push ebx
* Possible StringData Ref from Data Obj ->"I/%d/0"
|
:006ADB2F 68D4F2A700 push 00A7F2D4
:006ADB34 50 push eax
:006ADB35 FFD7 call edi
:006ADB37 83C40C add esp, 0000000C
* Possible StringData Ref from Data Obj ->"F/CG"
|
:006ADB3A 68CCF2A700 push 00A7F2CC
:006ADB3F E8EC000000 call 006ADC30 ; interesting call
:006ADB44 83C404 add esp, 00000004
:006ADB47 85C0 test eax, eax
:006ADB49 7C36 jl 006ADB81
:006ADB4B 8D44240C lea eax, dword ptr [esp+0C]
:006ADB4F 50 push eax
:006ADB50 E8DB000000 call 006ADC30
:006ADB55 83C404 add esp, 00000004
:006ADB58 85C0 test eax, eax
:006ADB5A 7C25 jl 006ADB81
* Possible StringData Ref from Data Obj ->"E/spMwprDpVaDjCrUs"
|
:006ADB5C 68B8F2A700 push 00A7F2B8
:006ADB61 E8CA000000 call 006ADC30 ; interesting call
:006ADB66 83C404 add esp, 00000004
:006ADB69 85C0 test eax, eax
:006ADB6B 7C14 jl 006ADB81
* Possible StringData Ref from Data Obj ->"D/"
|
:006ADB6D 684CF2A700 push 00A7F24C
:006ADB72 E8B9000000 call 006ADC30 ; what this call is we'll see later; ignore it for now
:006ADB77 83C404 add esp, 00000004
:006ADB7A 3DFDDC0000 cmp eax, 0000DCFD ; look, 「0000DCFD」, how familiar. Ignore it for now too
:006ADB7F 7408 je 006ADB89
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:006ADB49(C), :006ADB5A(C), :006ADB6B(C)
|
:006ADB81 43 inc ebx
:006ADB82 83FB04 cmp ebx, 00000004
:006ADB85 7EA3 jle 006ADB2A
:006ADB87 EB17 jmp 006ADBA0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADB7F(C)
|
:006ADB89 8B0DE0F2A700 mov ecx, dword ptr [00A7F2E0]
:006ADB8F 6633F6 xor si, si
:006ADB92 A1DCF2A700 mov eax, dword ptr [00A7F2DC]
:006ADB97 8B1481 mov edx, dword ptr [ecx+4*eax]
:006ADB9A C70202000000 mov dword ptr [edx], 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:006ADB19(C), :006ADB87(U)
|
:006ADBA0 8B0DDCF2A700 mov ecx, dword ptr [00A7F2DC]
:006ADBA6 A1E0F2A700 mov eax, dword ptr [00A7F2E0]
:006ADBAB 8B1488 mov edx, dword ptr [eax+4*ecx]
:006ADBAE 8D0C88 lea ecx, dword ptr [eax+4*ecx]
:006ADBB1 8B1DDCF2A700 mov ebx, dword ptr [00A7F2DC]
:006ADBB7 8B02 mov eax, dword ptr [edx]
:006ADBB9 35A9B50000 xor eax, 0000B5A9
:006ADBBE 03C3 add eax, ebx
:006ADBC0 A3FCF2A700 mov dword ptr [00A7F2FC], eax
:006ADBC5 8B11 mov edx, dword ptr [ecx]
:006ADBC7 833A00 cmp dword ptr [edx], 00000000
:006ADBCA 752F jne 006ADBFB
:006ADBCC E8AF000000 call 006ADC80 ; key CALL, it stays in here a long time; go in and look [what about nopping it out?]
:006ADBD1 35A9B50000 xor eax, 0000B5A9 ; eax XOR B5A9. If EAX=FFFFFFFF, then after the XOR it is FFFF4A56, understand?
:006ADBD6 3D564AFFFF cmp eax, FFFF4A56 ; compare for equality; of course they must not be equal! 0 XOR B5A9 is certainly not FFFF4A56
:006ADBDB 741E je 006ADBFB ; must not jump; so can it be patched? [what about nopping it, 9090?]
:006ADBDD 6633F6 xor si, si
:006ADBE0 A1DCF2A700 mov eax, dword ptr [00A7F2DC]
:006ADBE5 66893580F3A700 mov word ptr [00A7F380], si
:006ADBEC 8B0DE0F2A700 mov ecx, dword ptr [00A7F2E0]
:006ADBF2 8B1481 mov edx, dword ptr [ecx+4*eax]
:006ADBF5 C70203000000 mov dword ptr [edx], 00000003
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:006ADBCA(C), :006ADBDB(C)
|
:006ADBFB 6683FE01 cmp si, 0001
:006ADBFF 5F pop edi
:006ADC00 1BC0 sbb eax, eax
:006ADC02 5E pop esi
:006ADC03 25536BFFFF and eax, FFFF6B53
:006ADC08 5B pop ebx
:006ADC09 05564A0000 add eax, 00004A56
:006ADC0E 81C40C040000 add esp, 0000040C
:006ADC14 66A37865A700 mov word ptr [00A76578], ax
:006ADC1A 6681357865A700A9B5 xor word ptr [00A76578], B5A9
:006ADC23 C3 ret
....
* Referenced by a CALL at Addresses:
|:006ADB3F , :006ADB50 , :006ADB61 , :006ADB72
| ; the interesting call, we'll look at it later
:006ADC30 8B542404 mov edx, dword ptr [esp+04]
:006ADC34 57 push edi
:006ADC35 8BFA mov edi, edx
:006ADC37 B9FFFFFFFF mov ecx, FFFFFFFF
:006ADC3C 2BC0 sub eax, eax
:006ADC3E F2 repnz
:006ADC3F AE scasb
:006ADC40 F7D1 not ecx
:006ADC42 49 dec ecx
:006ADC43 51 push ecx
:006ADC44 52 push edx
:006ADC45 E8F6BF2E00 call 00999C40 ; have a look
:006ADC4A 0FBFC0 movsx eax, ax
:006ADC4D 83F8FF cmp eax, FFFFFFFF
:006ADC50 7405 je 006ADC57
:006ADC52 25FFFF0000 and eax, 0000FFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADC50(C)
|
:006ADC57 5F pop edi
:006ADC58 C3 ret
............
* Referenced by a CALL at Address:
|:008AFBA2
|
:006ADC60 8B0DFCF2A700 mov ecx, dword ptr [00A7F2FC]
:006ADC66 A1DCF2A700 mov eax, dword ptr [00A7F2DC]
:006ADC6B 2BC8 sub ecx, eax
:006ADC6D 8B442404 mov eax, dword ptr [esp+04]
:006ADC71 81F1A9B50000 xor ecx, 0000B5A9
:006ADC77 03C1 add eax, ecx
:006ADC79 C3 ret
:006ADC7A CC int 03
:006ADC7B CC int 03
:006ADC7C CC int 03
:006ADC7D CC int 03
:006ADC7E CC int 03
:006ADC7F CC int 03
* Referenced by a CALL at Address:
|:006ADBCC
|
* Possible StringData Ref from Data Obj ->"140"
|
:006ADC80 685CF3A700 push 00A7F35C
:006ADC85 E8D6000000 call 006ADD60 ; key CALL, it stays in here a long time; go in and look
:006ADC8A 83C404 add esp, 00000004
:006ADC8D 83F8FF cmp eax, FFFFFFFF
:006ADC90 7506 jne 006ADC98 ; if not equal to -1, jump. We must jump,
:006ADC92 B8FFFFFFFF mov eax, FFFFFFFF ; reaching here is death; eax=-1 won't do
:006ADC97 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADC90(C)
|
:006ADC98 6A20 push 00000020 ; here it checks the user limit
* Possible StringData Ref from Data Obj ->"140"
|
:006ADC9A 685CF3A700 push 00A7F35C
:006ADC9F E83C010000 call 006ADDE0 ; the verification CALL; no use going in, it just has to return EAX=0. Of course I can't understand it!!!
:006ADCA4 83C408 add esp, 00000008
:006ADCA7 83F8FF cmp eax, FFFFFFFF ; patch so that eax=0; of course in the CALL above we've already made eax=0
:006ADCAA 7506 jne 006ADCB2 ; if not equal to -1, jump. We must jump,
:006ADCAC B8FFFFFFFF mov eax, FFFFFFFF ; reaching here is death; eax=-1 won't do
:006ADCB1 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADCAA(C)
|
:006ADCB2 68A0DF6A00 push 006ADFA0
:006ADCB7 A140F3A700 mov eax, dword ptr [00A7F340]
:006ADCBC 6A3C push 0000003C
:006ADCBE 8B0D3CF3A700 mov ecx, dword ptr [00A7F33C]
:006ADCC4 50 push eax
:006ADCC5 51 push ecx
:006ADCC6 E8B5070000 call 006AE480
:006ADCCB 83C410 add esp, 00000010
:006ADCCE 33C0 xor eax, eax ; reaching here eax is 0; return, verification succeeded
:006ADCD0 C3 ret
......
* Referenced by a CALL at Address:
|:006ADC85 ; the call that came from 006ADC85
|
:006ADD60 E8BB030000 call 006AE120
:006ADD65 85C0 test eax, eax
:006ADD67 750B jne 006ADD74 ; normally it jumps over; must jump
:006ADD69 E8B2050000 call 006AE320
:006ADD6E B8FFFFFFFF mov eax, FFFFFFFF
:006ADD73 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADD67(C)
|
:006ADD74 683CF3A700 push 00A7F33C
:006ADD79 E822070000 call 006AE4A0 ; CALL; going in, we find it reads the file ADESKSYS.DLL
:006ADD7E 8B4C2408 mov ecx, dword ptr [esp+08]
:006ADD82 83C404 add esp, 00000004
:006ADD85 A138F3A700 mov eax, dword ptr [00A7F338]
:006ADD8A 8B153CF3A700 mov edx, dword ptr [00A7F33C]
:006ADD90 C605B045AF0000 mov byte ptr [00AF45B0], 00
:006ADD97 6A00 push 00000000
:006ADD99 50 push eax
:006ADD9A 51 push ecx
:006ADD9B 68B045AF00 push 00AF45B0
:006ADDA0 52 push edx
:006ADDA1 E80A060000 call 006AE3B0 ; key CALL, it stays in here a long time. Going in, we find it reads the file ADESKSYS.DLL
$$$$$$*********************$$$$$$
* Referenced by a CALL at Address:
|:006ADDA1
|
:006AE3B0 A108F3A700 mov eax, dword ptr [00A7F308]
:006AE3B5 85C0 test eax, eax
:006AE3B7 7506 jne 006AE3BF
:006AE3B9 B8FFFFFFFF mov eax, FFFFFFFF
:006AE3BE C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006AE3B7(C)
|
:006AE3BF 8B442414 mov eax, dword ptr [esp+14]
:006AE3C3 8B4C2410 mov ecx, dword ptr [esp+10]
:006AE3C7 8B54240C mov edx, dword ptr [esp+0C]
:006AE3CB 50 push eax
:006AE3CC 8B44240C mov eax, dword ptr [esp+0C]
:006AE3D0 51 push ecx
:006AE3D1 8B4C240C mov ecx, dword ptr [esp+0C]
:006AE3D5 52 push edx
:006AE3D6 50 push eax
:006AE3D7 51 push ecx
:006AE3D8 FF1508F3A700 call dword ptr [00A7F308] ; key CALL, it stays in here a long time. Going in, it looks up ADESKSYSY.DLL and executes inside it. ADESKSYSY.DLL seems very important.
:006AE3DE C3 ret ; returns eax: ffffffff without a network license, 0 with one
$$$$$$$$***************$$$$$$$
:006ADDA6 83C414 add esp, 00000014
:006ADDA9 A340F3A700 mov dword ptr [00A7F340], eax ; the returned eax: ffffffff without a network license, 0 with one
:006ADDAE 85C0 test eax, eax ; check whether eax is 0 or -1
:006ADDB0 7D06 jge 006ADDB8 ; if greater than or equal to 0, jump. We must jump; patch it to jmp
:006ADDB2 B8FFFFFFFF mov eax, FFFFFFFF
:006ADDB7 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADDB0(C)
|
:006ADDB8 6A01 push 00000001
:006ADDBA A340F3A700 mov dword ptr [00A7F340], eax
:006ADDBF 6A0E push 0000000E
:006ADDC1 50 push eax
:006ADDC2 A13CF3A700 mov eax, dword ptr [00A7F33C]
:006ADDC7 50 push eax
:006ADDC8 E813060000 call 006AE3E0
:006ADDCD 83C410 add esp, 00000010
:006ADDD0 33C0 xor eax, eax ; reaching here eax is 0; return, network license verification succeeded. Next step: verify the user count limit
:006ADDD2 C3 ret

At this point we can see where the verification is, and we can patch it.

Method 1:
* Referenced by a CALL at Address:
|:006ADBCC
|
* Possible StringData Ref from Data Obj ->"140"
|
:006ADC80 685CF3A700 push 00A7F35C
:006ADC85 E8D6000000 call 006ADD60 ; key CALL, it stays in here a long time; go in and look
:006ADC8A 83C404 add esp, 00000004
:006ADC8D 83F8FF cmp eax, FFFFFFFF ; change to mov eax, 0
:006ADC90 7506 jne 006ADC98 ; change to cmp eax, FFFFFFFF
:006ADC92 B8FFFFFFFF mov eax, FFFFFFFF ; change to jne 006ADC98
:006ADC97 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADC90(C)
|
:006ADC98 6A20 push 00000020 ; here it checks the user limit
* Possible StringData Ref from Data Obj ->"140"
|
:006ADC9A 685CF3A700 push 00A7F35C
:006ADC9F E83C010000 call 006ADDE0 ; the verification CALL; no use going in, it just has to return EAX=0. Of course I can't understand it!!!
:006ADCA4 83C408 add esp, 00000008
:006ADCA7 83F8FF cmp eax, FFFFFFFF ; change to mov eax, 0
:006ADCAA 7506 jne 006ADCB2 ; change to cmp eax, FFFFFFFF
:006ADCAC B8FFFFFFFF mov eax, FFFFFFFF ; jne 006ADCB2
:006ADCB1 C3 ret

It should also be possible to change the 2 CALLs above it to nop, so it won't go out to the network verification at all; that saves time!
Method 2:
:006ADBCC E8AF000000 call 006ADC80 ; nop it out, 9090909090
:006ADBD1 35A9B50000 xor eax, 0000B5A9
:006ADBD6 3D564AFFFF cmp eax, FFFF4A56
:006ADBDB 741E je 006ADBFB ; what about nopping it out, 9090

--=========================
Part Two

Now let's look at that interesting call; this is the part I find interesting too.
* Possible StringData Ref from Data Obj ->"F/CG"
|
:006ADB3A 68CCF2A700 push 00A7F2CC
:006ADB3F E8EC000000 call 006ADC30 ; interesting call
:006ADB44 83C404 add esp, 00000004
:006ADB47 85C0 test eax, eax
:006ADB49 7C36 jl 006ADB81
:006ADB4B 8D44240C lea eax, dword ptr [esp+0C]
:006ADB4F 50 push eax
:006ADB50 E8DB000000 call 006ADC30
:006ADB55 83C404 add esp, 00000004
:006ADB58 85C0 test eax, eax
:006ADB5A 7C25 jl 006ADB81
* Possible StringData Ref from Data Obj ->"E/spMwprDpVaDjCrUs"
|
:006ADB5C 68B8F2A700 push 00A7F2B8
:006ADB61 E8CA000000 call 006ADC30 ; interesting call
:006ADB66 83C404 add esp, 00000004
:006ADB69 85C0 test eax, eax
:006ADB6B 7C14 jl 006ADB81
* Possible StringData Ref from Data Obj ->"D/"
|
:006ADB6D 684CF2A700 push 00A7F24C
:006ADB72 E8B9000000 call 006ADC30 ; interesting call; let's see what this call is
:006ADB77 83C404 add esp, 00000004
:006ADB7A 3DFDDC0000 cmp eax, 0000DCFD ; look, 「0000DCFD」, how familiar.
:006ADB7F 7408 je 006ADB89

I wonder whether you have read the article about autocad in 看雪精華3 (the Pediy digest, volume 3)? That one cracked the French version of cadR14, and the 「0000DCFD」 issue appeared there too. And here it is again; coincidence? ^_^

* Referenced by a CALL at Addresses:
|:006ADB3F , :006ADB50 , :006ADB61 , :006ADB72
| let's go in and have a look
:006ADC30 8B542404 mov edx, dword ptr [esp+04]
:006ADC34 57 push edi
:006ADC35 8BFA mov edi, edx
:006ADC37 B9FFFFFFFF mov ecx, FFFFFFFF
:006ADC3C 2BC0 sub eax, eax
:006ADC3E F2 repnz
:006ADC3F AE scasb
:006ADC40 F7D1 not ecx
:006ADC42 49 dec ecx
:006ADC43 51 push ecx
:006ADC44 52 push edx
:006ADC45 E8F6BF2E00 call 00999C40 ; let's go in and look
:006ADC4A 0FBFC0 movsx eax, ax
:006ADC4D 83F8FF cmp eax, FFFFFFFF
:006ADC50 7405 je 006ADC57
:006ADC52 25FFFF0000 and eax, 0000FFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006ADC50(C)
|
:006ADC57 5F pop edi
:006ADC58 C3 ret
--------
* Referenced by a CALL at Addresses:
|:006AD0B5 , :006ADC45
| ; the interesting call brings us here
:00999C40 83EC04 sub esp, 00000004
:00999C43 66833DC038AB0000 cmp word ptr [00AB38C0], 0000
:00999C4B 7518 jne 00999C65
:00999C4D 6804040000 push 00000404
:00999C52 68700AB600 push 00B60A70
:00999C57 E8B4FFFFFF call 00999C10
:00999C5C 66C705C038AB000100 mov word ptr [00AB38C0], 0001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00999C4B(C)
|
:00999C65 8D442402 lea eax, dword ptr [esp+02]
:00999C69 50 push eax
:00999C6A 668B442410 mov ax, word ptr [esp+10]
:00999C6F 50 push eax
:00999C70 8B442410 mov eax, dword ptr [esp+10]
:00999C74 50 push eax
:00999C75 68700AB600 push 00B60A70
:00999C7A E8D1220000 call 0099BF50 ; complicated inside, but the result is just one value, the word ptr [esp+02] below
:00999C7F 668B442402 mov ax, word ptr [esp+02] ; what if we make AX=DCFD? mov ax,dcfd, haha
:00999C84 83C404 add esp, 00000004
:00999C87 C20800 ret 0008
:00999C8A 8D9B00000000 lea ebx, dword ptr [ebx+00000000]

We only change, in acad.exe,
:00999C7F 668B442402 mov ax, word ptr [esp+02]
to
:00999C7F 66b8fddc90 mov ax, 0000dcfd

Run acad.exe; haha, it got in. Don't celebrate yet: another dialog pops up asking for an authorization code! But the network edition has no authorization code! I wonder whether, after changing it to 「0000DCFD」, it has turned into the standalone edition?! Type in a few random digits and click OK; it says the authorization code is wrong, and after 3 tries it exits.

Come on, let's see whether acad is usable if we kill this window.

Open Ollydbg. What breakpoint to set? This time we set a breakpoint on USER32.MessageBoxA. How? Very simple; Ollydbg really is good! The authorization window appears, but Ollydbg doesn't break. Don't worry: type 78787878 and click OK. We get stopped; now we can delete the other unnecessary breakpoints and keep only this one. Keep pressing F9 and the error message appears. Note: never disable this breakpoint. Click OK on the error message dialog and we get stopped again; now our work begins.

We find the authorization window has 3 buttons: one is the authorize/OK button, one is Cancel, and one is a greyed-out button, "Defer".
.......
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004F8EA4(C), :004F8EBA(C), :004F8EE4(C), :004F8EED(C), :004F92C8(C)
|:004F9313(U)
| arriving here enters cad
:004F8E62 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004F8E69 E806050000 call 004F9374
:004F8E6E 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004F8F04(U), :004F9089(U), :004F90F4(U), :004F921C(U), :004F92BB(U)
|:004F92F8(U), :004F9338(U), :004F935D(U)
| arriving here means failure and exit
:004F8E70 8B4DF4 mov ecx, dword ptr [ebp-0C]
:004F8E73 5F pop edi
:004F8E74 64890D00000000 mov dword ptr fs:[00000000], ecx
:004F8E7B 5E pop esi
:004F8E7C 5B pop ebx
:004F8E7D 8BE5 mov esp, ebp
:004F8E7F 5D pop ebp
:004F8E80 C3 ret
.....
.... (omitted)
....
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F92D2(C)
| we come here because you get 3 chances to enter the CODE
:004F9162 8D8D6CFFFFFF lea ecx, dword ptr [ebp+FFFFFF6C]
* Reference To: MFC42.Ordinal:09D2, Ord:09D2h
|
:004F9168 E85DEA4B00 Call 009B7BCA ; gets the return value eax for the button you clicked.
:004F916D 83F801 cmp eax, 00000001 ; from analysis, eax: 1 is OK, 2 is Cancel, 3 is Defer
:004F9170 0F854A010000 jne 004F92C0 ; not equal to 1, jump. Let's jump and see
:004F9176 8D8D6CFFFFFF lea ecx, dword ptr [ebp+FFFFFF6C] ; verification starts from here. I don't want to study the algorithm, just patch it; as long as it works
:004F917C E88F9A3400 call 00842C10
:004F9181 6A7F push 0000007F
:004F9183 8B00 mov eax, dword ptr [eax]
:004F9185 50 push eax
:004F9186 8D8D6CFEFFFF lea ecx, dword ptr [ebp+FFFFFE6C]
:004F918C 51 push ecx
:004F918D FFD3 call ebx
:004F918F 83C40C add esp, 0000000C
:004F9192 8D4DE4 lea ecx, dword ptr [ebp-1C]
:004F9195 8D55E0 lea edx, dword ptr [ebp-20]
:004F9198 8D856CFEFFFF lea eax, dword ptr [ebp+FFFFFE6C]
:004F919E 51 push ecx
:004F919F 52 push edx
:004F91A0 50 push eax
:004F91A1 E81AD91400 call 00646AC0
:004F91A6 83C40C add esp, 0000000C
:004F91A9 85C0 test eax, eax
:004F91AB 7474 je 004F9221 ; jump on to continue verification; must be jmp! patch
:004F91AD 8D4601 lea eax, dword ptr [esi+01]
:004F91B0 83F803 cmp eax, 00000003
:004F91B3 0F8D15010000 jnl 004F92CE ; fewer than 3 tries, you get another chance to enter the CODE
:004F91B9 68FF000000 push 000000FF
:004F91BE 8D856CFEFFFF lea eax, dword ptr [ebp+FFFFFE6C]
:004F91C4 50 push eax
:004F91C5 68E0B5A500 push 00A5B5E0
:004F91CA 68F3110000 push 000011F3
:004F91CF E8EC8EFDFF call 004D20C0
:004F91D4 83C410 add esp, 00000010
:004F91D7 8D856CFEFFFF lea eax, dword ptr [ebp+FFFFFE6C]
:004F91DD 50 push eax
:004F91DE 6A01 push 00000001
:004F91E0 6A01 push 00000001
:004F91E2 E8C9323B00 call 008AC4B0 ; this call is the error dialog
:004F91E7 83C40C add esp, 0000000C
:004F91EA 83F806 cmp eax, 00000006
:004F91ED 0F84DB000000 je 004F92CE ; fewer than 3 tries, another chance to enter the CODE
:004F91F3 83F801 cmp eax, 00000001
:004F91F6 0F84D2000000 je 004F92CE ; fewer than 3 tries, another chance to enter the CODE
:004F91FC 57 push edi
:004F91FD 8B45EC mov eax, dword ptr [ebp-14]
:004F9200 50 push eax
:004F9201 6A00 push 00000000
:004F9203 E818973400 call 00842920
:004F9208 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004F920F 83C40C add esp, 0000000C
:004F9212 E85D010000 call 004F9374
:004F9217 B801000000 mov eax, 00000001
:004F921C E94FFCFFFF jmp 004F8E70 ; it has to exit; no more playing for you!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F91AB(C)
| here we are
:004F9221 8B45E4 mov eax, dword ptr [ebp-1C]
:004F9224 8B4DE0 mov ecx, dword ptr [ebp-20]
:004F9227 50 push eax
:004F9228 51 push ecx
:004F9229 E802D71400 call 00646930
:004F922E 83C408 add esp, 00000008
:004F9231 85C0 test eax, eax
:004F9233 0F84C4000000 je 004F92FD ; jump on to continue verification; must be jmp! patch
:004F9239 83F801 cmp eax, 00000001
:004F923C 7518 jne 004F9256 ; it has to exit; no more playing for you!
:004F923E 68FF000000 push 000000FF
:004F9243 8D856CFEFFFF lea eax, dword ptr [ebp+FFFFFE6C]
:004F9249 50 push eax
:004F924A 68E0B5A500 push 00A5B5E0
:004F924F 68F2110000 push 000011F2
:004F9254 EB22 jmp 004F9278 ; it has to exit; no more playing for you!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F923C(C)
|
:004F9256 8D4601 lea eax, dword ptr [esi+01]
:004F9259 83F803 cmp eax, 00000003
:004F925C 0F8DB6000000 jnl 004F9318
:004F9262 68FF000000 push 000000FF
:004F9267 8D856CFEFFFF lea eax, dword ptr [ebp+FFFFFE6C]
:004F926D 50 push eax
:004F926E 68E0B5A500 push 00A5B5E0
:004F9273 68F1110000 push 000011F1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F9254(U)
|
:004F9278 E8438EFDFF call 004D20C0
:004F927D 83C410 add esp, 00000010
:004F9280 8D856CFEFFFF lea eax, dword ptr [ebp+FFFFFE6C]
:004F9286 50 push eax
:004F9287 6A01 push 00000001
:004F9289 E8E2323B00 call 008AC570
:004F928E 83C408 add esp, 00000008
:004F9291 83F806 cmp eax, 00000006
:004F9294 7438 je 004F92CE
:004F9296 83F801 cmp eax, 00000001
:004F9299 7433 je 004F92CE
:004F929B 57 push edi
:004F929C 8B45EC mov eax, dword ptr [ebp-14]
:004F929F 50 push eax
:004F92A0 6A00 push 00000000
:004F92A2 E879963400 call 00842920
:004F92A7 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004F92AE 83C40C add esp, 0000000C
:004F92B1 E8BE000000 call 004F9374
:004F92B6 B801000000 mov eax, 00000001
:004F92BB E9B0FBFFFF jmp 004F8E70
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F9170(C)
|
:004F92C0 83F802 cmp eax, 00000002 ; compare with 2
:004F92C3 7478 je 004F933D ; you cancelled, so of course it exits!
:004F92C5 83F805 cmp eax, 00000005 ; compare with 5
:004F92C8 0F8494FBFFFF je 004F8E62 ; defer, which means you can use it! ^_^
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004F91B3(C), :004F91ED(C), :004F91F6(C), :004F9294(C), :004F9299(C)
|
:004F92CE 46 inc esi ; click OK on the error message dialog again and we get stopped here
:004F92CF 83FE03 cmp esi, 00000003 ; compare how many times a wrong authorization CODE has been entered
:004F92D2 0F8C8AFEFFFF jl 004F9162 ; less than 3, jump: meaning you get 3 chances to enter it; go!
:004F92D8 57 push edi
:004F92D9 8B45EC mov eax, dword ptr [ebp-14]
:004F92DC 50 push eax
:004F92DD 6A01 push 00000001
:004F92DF E83C963400 call 00842920
:004F92E4 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004F92EB 83C40C add esp, 0000000C
:004F92EE E881000000 call 004F9374
:004F92F3 B801000000 mov eax, 00000001
:004F92F8 E973FBFFFF jmp 004F8E70 ; more than 3 errors and it's game over here!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F9233(C)
|
:004F92FD 8B45E0 mov eax, dword ptr [ebp-20]
:004F9300 8B4DE4 mov ecx, dword ptr [ebp-1C]
:004F9303 A3C865A700 mov dword ptr [00A765C8], eax
:004F9308 890DCC65A700 mov dword ptr [00A765CC], ecx
:004F930E E82D1FFBFF call 004AB240
:004F9313 E94AFBFFFF jmp 004F8E62 ; reach here and you can use it!!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F925C(C)
|
:004F9318 57 push edi
:004F9319 8B45EC mov eax, dword ptr [ebp-14]
:004F931C 50 push eax
:004F931D 6A01 push 00000001
:004F931F E8FC953400 call 00842920
:004F9324 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004F932B 83C40C add esp, 0000000C
:004F932E E841000000 call 004F9374
:004F9333 B801000000 mov eax, 00000001
:004F9338 E933FBFFFF jmp 004F8E70 ; it has to exit; no more playing for you!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F92C3(C)
|
:004F933D 57 push edi
:004F933E 8B45EC mov eax, dword ptr [ebp-14]
:004F9341 50 push eax
:004F9342 6A00 push 00000000
:004F9344 E8D7953400 call 00842920
:004F9349 C745FCFFFFFFFF mov [ebp-04], FFFFFFFF
:004F9350 83C40C add esp, 0000000C
:004F9353 E81C000000 call 004F9374
:004F9358 B801000000 mov eax, 00000001
:004F935D E90EFBFFFF jmp 004F8E70 ; it has to exit; no more playing for you!
(omitted)
===================================================
* Referenced by a CALL at Addresses:
|:004EDAD3 , :004EE45C , :004F2B9C , :004F2C2B , :004F2DB4
|:004F378A , :004F3819 , :004F9066 , :004F90D1 , :004F91E2
|:005030DF , :005480E9 , :005A073B , :006ADE61 , :0085D96F
|:0089A0E4 , :008A3D1C , :008A7809 , :008AC58C , :008AC669
|
:008AC4B0 83EC3C sub esp, 0000003C
:008AC4B3 53 push ebx
:008AC4B4 56 push esi
:008AC4B5 8B742448 mov esi, dword ptr [esp+48]
:008AC4B9 57 push edi
:008AC4BA 85F6 test esi, esi
:008AC4BC 7502 jne 008AC4C0
:008AC4BE 33F6 xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:008AC4BC(C)
|
:008AC4C0 8B7C2450 mov edi, dword ptr [esp+50]
:008AC4C4 85FF test edi, edi
:008AC4C6 7C05 jl 008AC4CD
:008AC4C8 83FF03 cmp edi, 00000003
:008AC4CB 7C02 jl 008AC4CF
.....
..... (omitted)
.....
* Reference To: USER32.GetActiveWindow, Ord:00D5h
|
:008AC534 FF153875B600 Call dword ptr [00B67538]
:008AC53A 8B0D60B3A900 mov ecx, dword ptr [00A9B360]
:008AC540 3BC1 cmp eax, ecx
:008AC542 7407 je 008AC54B
:008AC544 51 push ecx
* Reference To: USER32.GetLastActivePopup, Ord:0108h
|
:008AC545 FF159076B600 Call dword ptr [00B67690]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:008AC542(C)
|
:008AC54B 8D4C240C lea ecx, dword ptr [esp+0C]
:008AC54F 56 push esi
:008AC550 8B542458 mov edx, dword ptr [esp+58]
:008AC554 51 push ecx
:008AC555 52 push edx
:008AC556 50 push eax
:008AC557 E8A4EFF9FF call 0084B500 ; from here it goes to the MessageBoxA call below
:008AC55C 83C410 add esp, 00000010
:008AC55F 5F pop edi
:008AC560 5E pop esi
:008AC561 5B pop ebx
:008AC562 83C43C add esp, 0000003C
:008AC565 C3 ret
* Referenced by a CALL at Addresses:
|:007DAE14 , :00861430 , :008AC557 , :008ACCC5 , :008ACF40
|:008AEA47
|
:0084B500 53 push ebx
:0084B501 56 push esi
:0084B502 57 push edi
:0084B503 33F6 xor esi, esi
* Reference To: MFC42.Ordinal:0490, Ord:0490h
|
:0084B505 E800C01600 Call 009B750A
:0084B50A 8B7804 mov edi, dword ptr [eax+04]
.....
.... (omitted)
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0084B52F(C), :0084B533(C)
|
:0084B53B 8B4C241C mov ecx, dword ptr [esp+1C]
:0084B53F 8B542410 mov edx, dword ptr [esp+10]
:0084B543 51 push ecx
:0084B544 50 push eax
:0084B545 8B44241C mov eax, dword ptr [esp+1C]
:0084B549 50 push eax
:0084B54A 52 push edx
* Reference To: USER32.MessageBoxA, Ord:0195h
|
:0084B54B FF15C074B600 Call dword ptr [00B674C0] ; our MessageBoxA breakpoint stops here!!!
:0084B551 85F6 test esi, esi
:0084B553 7403 je 0084B558
:0084B555 89777C mov dword ptr [edi+7C], esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0084B553(C)
|
:0084B558 5F pop edi
:0084B559 5E pop esi
:0084B55A 5B pop ebx
:0084B55B C3 ret
========================================================

At this point we can patch its authorization registration. There are many ways to do it; I used the most convenient one: we let it defer!
:004F9168 E85DEA4B00 Call 009B7BCA ; gets the return value eax for the button you clicked.
:004F916D 83F801 cmp eax, 00000001 ; from analysis, eax: 1 is OK, 2 is Cancel, 3 is Defer
:004F9170 0F854A010000 jne 004F92C0 ; not equal to 1, jump. Let's jump and see

We change the line 004F9168 E85DEA4B00 Call 009B7BCA to mov eax,5, 「B805000000」, which fits exactly; this way the registration window is skipped as well.

Summary of Part Two: change these two places and it becomes the standalone edition, which saves the time spent connecting to the network; startup is a little faster, though you may not notice.
1. Change
:00999C7F 668B442402 mov ax, word ptr [esp+02]
to
:00999C7F 66b8fddc90 mov ax, 0000dcfd
2. Change
:004F9168 E85DEA4B00 Call 009B7BCA
to
:004F9168 B805000000 mov eax,00000005

The CADR14 network restriction is solved. Genuine copies should be bought, but don't spend too much money; it all goes to the foreigners! The next target is CAD2002, protected with Flexlm7.1f; I think it can be patched too. But CAD2002 seems to have antidebug, so Ollydbg can't be used. Also, if I have CAD2002's Flexlm license, can I directly change the user limit in it? Probably not? Then I'll have to make an unlimited license myself.
--------------------------------------------------------------------------------
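Added example, not code from acad.exe or from the article: a C model of what the listed instructions at 006ADBA0..006ADC23, 006ADBD1..006ADBDB and 006ADC60 compute, with function and variable names of my own. The point for anyone designing a licence check is that the state is hidden only by a constant XOR key and an add that sit in the same listing, so the scrambling is trivially inverted by anyone reading the disassembly and protects nothing; a check that merely compares in-process state can always be read off this way.

```c
#include <stdint.h>
#include <stdio.h>

/* Constant used at 006ADBB9, 006ADBD1, 006ADC1A and 006ADC71 in the listing. */
#define STATE_XOR_KEY 0xB5A9u

/* 006ADBB7..006ADBC0: the state value (1, 2 or 3 in the listing) is stored
 * in [00A7F2FC] as (state ^ B5A9) + [00A7F2DC]. */
uint32_t scramble_state(uint32_t state, uint32_t index)
{
    return (state ^ STATE_XOR_KEY) + index;
}

/* 006ADC60: ([00A7F2FC] - [00A7F2DC]) ^ B5A9, plus the caller's argument.
 * Because the key is a constant in the code, this is a fixed, invertible
 * transform rather than a secret. */
uint32_t unscramble_state(uint32_t scrambled, uint32_t index, uint32_t arg)
{
    return arg + ((scrambled - index) ^ STATE_XOR_KEY);
}

/* 006ADBD1..006ADBDB: the result of 006ADC80 (0 = licensed, -1 = not) is
 * XORed with B5A9 and compared with FFFF4A56; the branch at 006ADBDB is
 * taken exactly when eax was -1, i.e. when the licence check failed. */
int network_check_failed(uint32_t eax)
{
    return (eax ^ STATE_XOR_KEY) == 0xFFFF4A56u;
}

/* 006ADBFB..006ADC1A: the word written to [00A76578].
 *   cmp si,1 / sbb eax,eax / and eax,FFFF6B53 / add eax,4A56 / xor word,B5A9
 * si is cleared (xor si,si) on the success paths, so si == 0 yields 0x0000
 * and any non-zero si yields 0xFFFF. */
uint16_t result_flag(uint16_t si)
{
    uint32_t eax = (si < 1) ? 0xFFFFFFFFu : 0u;  /* sbb eax,eax after cmp si,1 */
    eax &= 0xFFFF6B53u;
    eax += 0x4A56u;
    return (uint16_t)((eax & 0xFFFFu) ^ STATE_XOR_KEY);
}

int main(void)
{
    /* Constructed values: state 2 with table index 0, as at 006ADB9A. */
    uint32_t scrambled = scramble_state(2, 0);
    printf("[00A7F2FC] = %08X, recovered state = %u\n",
           scrambled, unscramble_state(scrambled, 0, 0));
    printf("network check failed for eax=0: %d, for eax=-1: %d\n",
           network_check_failed(0), network_check_failed(0xFFFFFFFFu));
    printf("[00A76578] for si=0: %04X, for si=1: %04X\n",
           result_flag(0), result_flag(1));
    return 0;
}
```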