20CN网络安全小组论坛 - 编程破解 - [转帖]超速拨号器9.8版的破解

论坛: 编程破解标题: [转帖]超速拨号器9.8版的破解

作者: yongmin [yongmin]

论坛用户

作者：xss517
【文章标题】: 超速拨号器9.8版的破解
【文章作者】: xss517
【作者邮箱】: xss5172002@yahoo.com.cn
【作者主页】: 龙族/萧心/风云墙论坛
【作者QQ号】: 251496329
【软件名称】: 超速拨号器9.8版
【软件大小】: 800KB
【下载地址】: 自己搜索下载
【加壳方式】: ASPack 2.12 -> Alexey Solodovnikov
【编写语言】: Borland C++ 1999
【操作平台】: 2K,XP
【软件介绍】: 一个拨号软件，拿来练习
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
这个是我的探索过程，没有搞出算法，只是让它能够正常使用。
软件作者自己说没注册只能使用六次，而且部分功能屏蔽，我试了一下，不能够添加自己的拨号号码。

PEID一查ASPack 2.12 -> Alexey Solodovnikov的壳，用peid自带的脱壳机脱出来是Borland C++ 1999编写的软件

ok，用dede3.5载入看看能否有所收获，不过没有找出有用的东西，汗

ollyice载入，使用超级字符串插件查找unicode

超级字串参考
地址反汇编文本字串
00401C6A mov edx, 005496BC :
00401D4E mov edx, 005496BF 共条记录
00401D5E mov edx, 005496C0 共条记录
00401DC1 mov edx, 005496C3 条记录
00402168 mov edx, 005496CC 共条记录TelTel
00402178 mov edx, 005496CD 共条记录TelTel
004021DB mov edx, 005496D0 条记录TelTel
00402317 push 005496D7 TelTel
004023E7 mov edx, 005496DE \regww1.dllc:\
00402576 mov edx, 005496DF \regww1.dllc:\
00402645 mov ebx, 005496EB c:\
00402732 mov edx, 005496EF wyx超速拔号器9.8版（已注册!)软件已过期！请注册后使用autotel.dat
00402771 mov edx, 005496F0 wyx超速拔号器9.8版（已注册!)软件已过期！请注册后使用autotel.dat
00402CBE mov edx, 005496F4 超速拔号器9.8版（已注册!)软件已过期！请注册后使用autotel.dat
00402D05 mov edx, 0054970E 软件已过期！请注册后使用autotel.dat
00402E0A mov edx, 00549727 autotel.dat
00402FA5 mov edx, 00549735 错误输入用户姓名!
00402FEA mov edx, 00549736 错误输入用户姓名!
00403062 mov edx, 00549748 错误输入电话号码!autotel.dat拔号确定删除吗?信息autotel.dat拔号挂断TelTel
004030A7 mov edx, 00549749 错误输入电话号码!autotel.dat拔号确定删除吗?信息autotel.dat拔号挂断TelTel
00403132 mov edx, 0054975B autotel.dat拔号确定删除吗?信息autotel.dat拔号挂断TelTel
004031BD mov edx, 00549767 拔号确定删除吗?信息autotel.dat拔号挂断TelTel
0040329C mov ecx, 0054977A 信息autotel.dat拔号挂断TelTel
004032A1 mov edx, 0054976E 确定删除吗?信息autotel.dat拔号挂断TelTel
004032D9 mov edx, 0054977F autotel.dat拔号挂断TelTel
00405AE0 mov ecx, 00405B94 Can't allocate the DIB handle

双击00402732 到以下代码段

00402C80 /. 55 push ebp
00402C81 |. 8BEC mov ebp, esp
00402C83 |. 83C4 D0 add esp, -30
00402C86 |. 53 push ebx
00402C87 |. 8BD8 mov ebx, eax
00402C89 |. B8 B09F5400 mov eax, 00549FB0
00402C8E |. E8 057D1200 call 0052A998
00402C93 |. 66:C745 E0 08>mov word ptr [ebp-20], 8
00402C99 |. 33D2 xor edx, edx
00402C9B |. 8D4D FC lea ecx, [local.1]
00402C9E |. 8955 FC mov [local.1], edx
00402CA1 |. FF45 EC inc [local.5]
00402CA4 |. FF45 EC inc [local.5]
00402CA7 |. 66:C745 E0 14>mov word ptr [ebp-20], 14
00402CAD |. 51 push ecx ; /Arg1
00402CAE |. E8 71FBFFFF call 00402824 ; \应该是一个关键call，f7跟入
00402CB3 |. 59 pop ecx
00402CB4 |. 84C0 test al, al
00402CB6 |. 74 35 je short 00402CED
00402CB8 |. 66:C745 E0 20>mov word ptr [ebp-20], 20
00402CBE |. BA F4965400 mov edx, 005496F4 ; 超速拔号器9.8版（已注册!)软件已过期！请注册后使用autotel.dat
00402CC3 |. 8D45 F8 lea eax, [local.2]
00402CC6 |. E8 1D211300 call 00534DE8
00402CCB |. FF45 EC inc [local.5]
00402CCE |. 8B10 mov edx, dword ptr [eax]
00402CD0 |. 8B83 F8020000 mov eax, dword ptr [ebx+2F8]
00402CD6 |. E8 79590300 call Te_controls::TTeDefaultForm::Set>
00402CDB |. FF4D EC dec [local.5]
00402CDE |. 8D45 F8 lea eax, [local.2]
00402CE1 |. BA 02000000 mov edx, 2
00402CE6 |. E8 71211300 call 00534E5C
00402CEB |. EB 7E jmp short 00402D6B
00402CED |> 6A 05 push 5 ; /Arg2 = 00000005
00402CEF |. 8D4D FC lea ecx, [local.1] ; |
00402CF2 |. 51 push ecx ; |Arg1
00402CF3 |. E8 10FDFFFF call 00402A08 ; \unpacked.00402A08
00402CF8 |. 83C4 08 add esp, 8
00402CFB |. 84C0 test al, al
00402CFD |. 75 4A jnz short 00402D49
00402CFF |. 66:C745 E0 2C>mov word ptr [ebp-20], 2C
00402D05 |. BA 0E975400 mov edx, 0054970E ; 软件已过期！请注册后使用autotel.dat
00402D0A |. 8D45 F4 lea eax, [local.3]
00402D0D |. E8 AA1B1300 call 005348BC
00402D12 |. FF45 EC inc [local.5]
00402D15 |. 8B00 mov eax, dword ptr [eax]
00402D17 |. E8 D09F0F00 call 004FCCEC
00402D1C |. FF4D EC dec [local.5]
00402D1F |. 8D45 F4 lea eax, [local.3]
00402D22 |. BA 02000000 mov edx, 2
00402D27 |. E8 001D1300 call 00534A2C
00402D2C |. 8B0D 341F5500 mov ecx, dword ptr [551F34] ; unpacked._Form5
00402D32 |. 8B01 mov eax, dword ptr [ecx]
00402D34 |. 8B10 mov edx, dword ptr [eax]
00402D36 |. FF92 E8000000 call dword ptr [edx+E8]
00402D3C |. 8B0D 00225500 mov ecx, dword ptr [552200] ; unpacked.00567D80
00402D42 |. 8B01 mov eax, dword ptr [ecx]
00402D44 |. E8 B7490F00 call 004F7700
00402D49 |> 33D2 xor edx, edx
00402D4B |. 8B83 10030000 mov eax, dword ptr [ebx+310]
00402D51 |. 8B08 mov ecx, dword ptr [eax]
00402D53 |. FF51 64 call dword ptr [ecx+64]
00402D56 |. 8B15 2C1F5500 mov edx, dword ptr [551F2C] ; unpacked._Form3
00402D5C |. 8B02 mov eax, dword ptr [edx]
00402D5E |. 8B80 10030000 mov eax, dword ptr [eax+310]
00402D64 |. B2 01 mov dl, 1
00402D66 |. 8B08 mov ecx, dword ptr [eax]
00402D68 |. FF51 64 call dword ptr [ecx+64]
00402D6B |> FF4D EC dec [local.5]
00402D6E |. FF4D EC dec [local.5]
00402D71 |. 8D45 FC lea eax, [local.1]
00402D74 |. BA 02000000 mov edx, 2
00402D79 |. E8 AE1C1300 call 00534A2C
00402D7E |. 8B4D D0 mov ecx, [local.12]
00402D81 |. 64:890D 00000>mov dword ptr fs:[0], ecx
00402D88 |. 5B pop ebx
00402D89 |. 8BE5 mov esp, ebp
00402D8B |. 5D pop ebp
00402D8C \. C3 retn

f7跟入的call

00402824 /$ 55 push ebp
00402825 |. 8BEC mov ebp, esp
00402827 |. 83C4 B0 add esp, -50
0040282A |. B8 F89D5400 mov eax, 00549DF8
0040282F |. 53 push ebx
00402830 |. 56 push esi
00402831 |. 57 push edi
00402832 |. 8B75 08 mov esi, [arg.1]
00402835 |. E8 5E811200 call 0052A998
0040283A |. 66:C745 C0 08>mov word ptr [ebp-40], 8
00402840 |. 56 push esi ; /Arg2
00402841 |. 33D2 xor edx, edx ; |
00402843 |. 8955 FC mov [local.1], edx ; |
00402846 |. 8D4D FC lea ecx, [local.1] ; |
00402849 |. 51 push ecx ; |Arg1
0040284A |. FF45 CC inc [local.13] ; |
0040284D |. E8 F2FCFFFF call 00402544 ; \unpacked.00402544
00402852 |. 83C4 08 add esp, 8
00402855 |. FF4D CC dec [local.13]
00402858 |. 8D45 FC lea eax, [local.1]
0040285B |. BA 02000000 mov edx, 2
00402860 |. E8 C7211300 call 00534A2C
00402865 |. 8B06 mov eax, dword ptr [esi]
00402867 |. E8 04EB0A00 call 004B1370 ; 感觉是又一个关键call
0040286C |. 84C0 test al, al
0040286E |. 75 11 jnz short 00402881
00402870 |. 33C0 xor eax, eax
00402872 |. 8B55 B0 mov edx, [local.20]
00402875 |. 64:8915 00000>mov dword ptr fs:[0], edx
0040287C |. E9 7E010000 jmp 004029FF
00402881 |> B2 01 mov dl, 1
00402883 |. A1 8CFA4900 mov eax, dword ptr [49FA8C]
00402888 |. E8 5FF6FFFF call 00401EEC
0040288D |. 8BD8 mov ebx, eax
0040288F |. 8B16 mov edx, dword ptr [esi]
00402891 |. 8BC3 mov eax, ebx
00402893 |. 8B08 mov ecx, dword ptr [eax]
00402895 |. FF51 68 call dword ptr [ecx+68]
00402898 |. 66:C745 C0 14>mov word ptr [ebp-40], 14
0040289E |. 33C0 xor eax, eax
004028A0 |. 8D4D F8 lea ecx, [local.2]
004028A3 |. 8945 F8 mov [local.2], eax
004028A6 |. 8BC3 mov eax, ebx
004028A8 |. FF45 CC inc [local.13]
004028AB |. 33D2 xor edx, edx
004028AD |. 8B38 mov edi, dword ptr [eax]
004028AF |. FF57 0C call dword ptr [edi+C]
004028B2 |. 8D45 F8 lea eax, [local.2]
004028B5 |. 33D2 xor edx, edx
004028B7 |. 50 push eax
004028B8 |. 56 push esi ; /Arg2
004028B9 |. 8955 F4 mov [local.3], edx ; |
004028BC |. 8D4D F4 lea ecx, [local.3] ; |
004028BF |. 51 push ecx ; |Arg1
004028C0 |. FF45 CC inc [local.13] ; |
004028C3 |. E8 C0FDFFFF call 00402688 ; \unpacked.00402688
004028C8 |. 83C4 08 add esp, 8
004028CB |. 8D55 F4 lea edx, [local.3]
004028CE |. 58 pop eax
004028CF |. E8 40221300 call 00534B14
004028D4 |. 50 push eax
004028D5 |. FF4D CC dec [local.13]
004028D8 |. 8D45 F8 lea eax, [local.2]
004028DB |. BA 02000000 mov edx, 2
004028E0 |. E8 47211300 call 00534A2C ; 好像是生产机器码的调用
004028E5 |. FF4D CC dec [local.13] ; |
004028E8 |. 8D45 F4 lea eax, [local.3] ; |
004028EB |. BA 02000000 mov edx, 2 ; |
004028F0 |. E8 37211300 call 00534A2C ; \unpacked.00534A2C
004028F5 |. 59 pop ecx
004028F6 |. 84C9 test cl, cl
004028F8 |. 74 38 je short 00402932
004028FA |. 8BF3 mov esi, ebx
004028FC |. 8975 EC mov [local.5], esi
004028FF |. 85F6 test esi, esi
00402901 |. 74 1E je short 00402921
00402903 |. 8B06 mov eax, dword ptr [esi]
00402905 |. 8945 F0 mov [local.4], eax
00402908 |. 66:C745 C0 2C>mov word ptr [ebp-40], 2C
0040290E |. BA 03000000 mov edx, 3
00402913 |. 8B45 EC mov eax, [local.5]
00402916 |. 8B08 mov ecx, dword ptr [eax]
00402918 |. FF51 FC call dword ptr [ecx-4]
0040291B |. 66:C745 C0 20>mov word ptr [ebp-40], 20
00402921 |> 33C0 xor eax, eax
00402923 |. 8B55 B0 mov edx, [local.20]
00402926 |. 64:8915 00000>mov dword ptr fs:[0], edx
0040292D |. E9 CD000000 jmp 004029FF
00402932 |> 66:C745 C0 38>mov word ptr [ebp-40], 38
00402938 |. 33C9 xor ecx, ecx
0040293A |. 8BC3 mov eax, ebx
0040293C |. 894D E8 mov [local.6], ecx
0040293F |. 8D4D E8 lea ecx, [local.6]
00402942 |. FF45 CC inc [local.13]
00402945 |. BA 01000000 mov edx, 1
0040294A |. 8B38 mov edi, dword ptr [eax]
0040294C |. FF57 0C call dword ptr [edi+C]
0040294F |. 8D45 E8 lea eax, [local.6]
00402952 |. 33D2 xor edx, edx
00402954 |. 50 push eax
00402955 |. 56 push esi ; /Arg2
00402956 |. 8955 E4 mov [local.7], edx ; |
00402959 |. 8D4D E4 lea ecx, [local.7] ; |
0040295C |. 51 push ecx ; |Arg1
0040295D |. FF45 CC inc [local.13] ; |
00402960 |. E8 97FDFFFF call 004026FC ; \unpacked.004026FC
00402965 |. 83C4 08 add esp, 8
00402968 |. 8D55 E4 lea edx, [local.7]
0040296B |. 58 pop eax
0040296C |. E8 A3211300 call 00534B14
00402971 |. 50 push eax
00402972 |. FF4D CC dec [local.13]
00402975 |. 8D45 E8 lea eax, [local.6]
00402978 |. BA 02000000 mov edx, 2
0040297D |. E8 AA201300 call 00534A2C
00402982 |. FF4D CC dec [local.13] ; |
00402985 |. 8D45 E4 lea eax, [local.7] ; |
00402988 |. BA 02000000 mov edx, 2 ; |
0040298D |. E8 9A201300 call 00534A2C ; \unpacked.00534A2C
00402992 |. 59 pop ecx
00402993 |. 84C9 test cl, cl
00402995 |. 74 35 je short 004029CC
00402997 |. 8BF3 mov esi, ebx
00402999 |. 8975 DC mov [local.9], esi
0040299C |. 85F6 test esi, esi
0040299E |. 74 1E je short 004029BE
004029A0 |. 8B06 mov eax, dword ptr [esi]
004029A2 |. 8945 E0 mov [local.8], eax
004029A5 |. 66:C745 C0 50>mov word ptr [ebp-40], 50
004029AB |. BA 03000000 mov edx, 3
004029B0 |. 8B45 DC mov eax, [local.9]
004029B3 |. 8B08 mov ecx, dword ptr [eax]
004029B5 |. FF51 FC call dword ptr [ecx-4]
004029B8 |. 66:C745 C0 44>mov word ptr [ebp-40], 44
004029BE |> 33C0 xor eax, eax
004029C0 |. 8B55 B0 mov edx, [local.20]
004029C3 |. 64:8915 00000>mov dword ptr fs:[0], edx
004029CA |. EB 33 jmp short 004029FF
004029CC |> 8BF3 mov esi, ebx
004029CE |. 8975 D4 mov [local.11], esi
004029D1 |. 85F6 test esi, esi
004029D3 |. 74 1E je short 004029F3
004029D5 |. 8B06 mov eax, dword ptr [esi]
004029D7 |. 8945 D8 mov [local.10], eax
004029DA |. 66:C745 C0 68>mov word ptr [ebp-40], 68
004029E0 |. BA 03000000 mov edx, 3
004029E5 |. 8B45 D4 mov eax, [local.11]
004029E8 |. 8B08 mov ecx, dword ptr [eax]
004029EA |. FF51 FC call dword ptr [ecx-4]
004029ED |. 66:C745 C0 5C>mov word ptr [ebp-40], 5C
004029F3 |> B0 01 mov al, 1
004029F5 |. 8B55 B0 mov edx, [local.20]
004029F8 |. 64:8915 00000>mov dword ptr fs:[0], edx
004029FF |> 5F pop edi
00402A00 |. 5E pop esi
00402A01 |. 5B pop ebx
00402A02 |. 8BE5 mov esp, ebp
00402A04 |. 5D pop ebp
00402A05 \. C3 retn

跟入到这里

004B1370 /$ 53 push ebx
004B1371 |. 8BD8 mov ebx, eax
004B1373 |. 8BC3 mov eax, ebx
004B1375 |. E8 8EFFFFFF call 004B1308 ; f7 跟入
004B137A |. 40 inc eax
004B137B |. 0F95C0 setne al
004B137E |. 5B pop ebx
004B137F \. C3 retn

跟入到这里

004B1308 /$ 55 push ebp
004B1309 |. 8BEC mov ebp, esp
004B130B |. 81C4 B4FEFFFF add esp, -14C
004B1311 |. 53 push ebx
004B1312 |. 8BD8 mov ebx, eax
004B1314 |. 8D85 B4FEFFFF lea eax, [local.83]
004B131A |. 50 push eax
004B131B |. 8BC3 mov eax, ebx
004B131D |. E8 9A080100 call 004C1BBC
004B1322 |. 50 push eax ; |FileName = "C:\windows\system32\regww1.dll"
004B1323 |. E8 5C6B0900 call <jmp.&KERNEL32.FindFirstFileA> ; \FindFirstFileA
004B1328 |. 83F8 FF cmp eax, -1 ; 这个文件很关键，是使用六次后里面变成0，我改成1，并把文件属性设为只读，就ok
004B132B |. 74 34 je short 004B1361
004B132D |. 50 push eax ; /hSearch
004B132E |. E8 4B6B0900 call <jmp.&KERNEL32.FindClose> ; \FindClose
004B1333 |. F685 B4FEFFFF>test byte ptr [ebp-14C], 10
004B133A |. 75 25 jnz short 004B1361
004B133C |. 8D45 F4 lea eax, [local.3]
004B133F |. 50 push eax ; /pLocalFileTime
004B1340 |. 8D85 C8FEFFFF lea eax, [local.78] ; |
004B1346 |. 50 push eax ; |pFileTime
004B1347 |. E8 2C6B0900 call <jmp.&KERNEL32.FileTimeToLocalFi>; \FileTimeToLocalFileTime
004B134C |. 8D45 FC lea eax, [local.1]
004B134F |. 50 push eax ; /pDOSTime
004B1350 |. 8D45 FE lea eax, dword ptr [ebp-2] ; |
004B1353 |. 50 push eax ; |pDOSDate
004B1354 |. 8D45 F4 lea eax, [local.3] ; |
004B1357 |. 50 push eax ; |pFileTime
004B1358 |. E8 156B0900 call <jmp.&KERNEL32.FileTimeToDosDate>; \FileTimeToDosDateTime
004B135D |. 85C0 test eax, eax
004B135F |. 75 07 jnz short 004B1368
004B1361 |> C745 FC FFFFF>mov [local.1], -1
004B1368 |> 8B45 FC mov eax, [local.1]
004B136B |. 5B pop ebx
004B136C |. 8BE5 mov esp, ebp
004B136E |. 5D pop ebp
004B136F \. C3 retn

我在使用六次后找到C:\windows\system32\regww1.dll文件，打开一看里面内容就一个数字：0，我试着改成1并且将其属性该为只读，再运行软件自定义拨号功能是可以用了，并且注册按扭变成了不可以状态。只是还是有未注册的字样在标题栏里，到此收工了。

--------------------------------------------------------------------------------
【经验总结】
1 它的自定义的号码存在autotel.dat里
2 C:\windows\system32\regww1.dll这个决定了是否还能使用，内容改成1后设为只读就可自定义号码了
3 是在是菜，搞不出算法注册，只能是半截子过程，希望高手能够给出完整答案

--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪,一蓑烟雨技术论坛, 转载请注明作者并保持文章的完整, 谢谢!

地主发表时间: 07-06-07 09:29

论坛: 编程破解