[转载]去除ExpressFS Server时间和NAG
<P>文章作者:qduwg</P><P><FONT face=宋体>题目:去除ExpressFSServer时间和NAG<BR>工具:Softice,ULTRAEDIT,PEID<BR>目的:去除NAG和时间限制<BR><BR>引子:今天又从2002电脑爱好者光盘找了一个小软件,就是这个FTP服务器,功能倒是没有试用,因为没有局域网环境。这个软件要求注册,试用期30天,而且是Keyfile形式的注册,注册码128位,我跟踪了很久发现没有处理这个文件数据的地方。先爆破了再说吧。拿PEID查看没有加壳,是DELPHI写的。<BR><BR>下断点bpxCreatefileA,F5退出SOFTICE,启动程序,被拦住。按一阵20多次F12,然后换F10跟踪,来到如下代码处:<BR>:004627C4E8532CFEFFcall0044541C//这个CALL显示主窗口。<BR>:004627C9E8C600FAFFcall00402894<BR>:004627CE85C0testeax,eax<BR>:004627D07E1Bjle004627ED//这里随其跳。<BR>:004627D28D55FCleaedx,dwordptr[ebp-04]<BR>:004627D5B801000000moveax,00000001<BR>:004627DAE81501FAFFcall004028F4<BR>:004627DF8B55FCmovedx,dwordptr[ebp-04]<BR>:004627E28B83C4020000moveax,dwordptr[ebx+000002C4]<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:00462773(C)<BR>|<BR>:004627E8E86FBEFFFFcall0045E65C//这个CALL关键<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:004627D0(C)<BR>:004627ED80BBB505000001cmpbyteptr[ebx+000005B5],01//[ebx+000005B5]里面的值1与1比较。<BR>:004627F47529jne0046281F//这里改为je,即75->74。<BR>:004627F6A1E0884600moveax,dwordptr[004688E0]<BR>:004627FBE87CD1FFFFcall0045F97C<BR>:0046280083F81Ecmpeax,0000001E<BR>:004628037C15jl0046281A<BR>:004628056A00push00000000<BR>:00462807668B0D94284600movcx,wordptr[00462894]<BR>:0046280E33D2xoredx,edx<BR>*PossibleStringDataReffromCodeObj->"ExpressFSServerhasexpired!"<BR>|<BR>:00462810B8A0284600moveax,004628A0<BR>:00462815E8AEB7FEFFcall0044DFC8<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:00462803(C)<BR>:0046281AE8A91C0000call004644C8//这个CALL出现NAG。<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddress:<BR>|:004627F4(C)<BR>|:0046281F80BBB505000000cmpbyteptr[ebx+000005B5],00//[ebx+000005B5]里面的1与0比较。<BR>:004628267416je0046283E//此处改为jne,即74->75。<BR>:00462828A1E0884600moveax,dwordptr[004688E0]<BR>:0046282DE84AD1FFFFcall0045F97C<BR>:0046283283F81Ecmpeax,0000001E<BR>:004628357C07jl0046283E<BR>:004628378BC3moveax,ebx<BR>:00462839E8262AFEFFcall00445264<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:<BR>|:00462826(C),:00462835(C)<BR>|<BR>:0046283E8BC3moveax,ebx<BR>:00462840E8EBF3FFFFcall00461C30<BR>:0046284584C0testal,al<BR>:00462847741Bje00462864//此处改为jne,即74->75。<BR>:004628498B8378030000moveax,dwordptr[ebx+00000378]<BR>:0046284F8B10movedx,dwordptr[eax]<BR>:00462851FF92B8000000calldwordptr[edx+000000B8]<BR>:0046285784C0testal,al<BR>:004628597409je00462864//此处改为jne,即74->75。<BR>:0046285B8BC3moveax,ebx<BR>:0046285DE816030000call00462B78<BR>:00462862EB0Ejmp00462872//这个CALL可以跳过后面(*)那个向导过程。<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:<BR>|:00462847(C),:00462859(C)<BR>|<BR>:00462864E82B00FAFFcall00402894<BR>:0046286985C0testeax,eax<BR>:0046286B7F05jg00462872<BR>:0046286DE852220000call00464AC4//这个CALL每次启动时都出现配置向导。(*)<BR>*Referencedbya(U)nconditionalor(C)onditionalJumpatAddresses:<BR>|:00462862(U),:0046286B(C)<BR>|<BR>:0046287233C0xoreax,eax<BR>:004628745Apopedx<BR>:0046287559popecx<BR>:0046287659popecx<BR>:00462877648910movdwordptrfs:[eax],edx<BR>================================================================<BR>经过上面的修改,发现启动程序时,窗口稍纵即逝,原来躲在系统托盘里了,不影响使用,右击其图标即可选择命令,打开窗口。我把时间加快一年,结果启动程序时,出现过期提示。下面也解决一下这个问题好了。下断点bpxgetlocaltime,F5退出SOFTICE,然后启动程序,被拦截。按一次F11即可回到主程序空间,换F10跟踪,经过一段代码跟踪后,我们来到下面代码处了,你会看到这段代码跟上面一段是互补的,重叠的,不同时刻调用不同功能,其他障碍都在前面解决了,可是如果过期则使用下面的代码逻辑:<BR><BR>004627FB|.E87CD1FFFFCALLXFSSVR.0045F97C//这个CALL取系统时间。<BR>00462800|.83F81ECMPEAX,1E//EAX放着使用的天数。<BR>:004628037C15jl0046281A//此处因为超期,不会跳转。直接修改为jg462872,机器码是7F6D。<BR>:004628056A00push00000000<BR>:00462807668B0D94284600movcx,wordptr[00462894]<BR>0046280E|.33D2XOREDX,EDX;|<BR>00462810|.B8A0284600MOVEAX,XFSSVR.004628A0;|ASCII"ExpressFSServerhasexpired!<BR><BR>Pleaseregisterimmediately!"<BR>00462815|.E8AEB7FEFFCALLXFSSVR.0044DFC8//这里就出过期窗口。<BR>0046281A|>E8A91C0000CALLXFSSVR.004644C8<BR>0046281F|>80BBB5050000>CMPBYTEPTRDS:[EBX+5B5],0<BR>00462826|.7416JESHORTXFSSVR.0046283E<BR>00462828|.A1E0884600MOVEAX,DWORDPTRDS:[4688E0]<BR>0046282D|.E84AD1FFFFCALLXFSSVR.0045F97C<BR>00462832|.83F81ECMPEAX,1E<BR>00462835|.7C07JLSHORTXFSSVR.0046283E<BR>00462837|.8BC3MOVEAX,EBX<BR>00462839|.E8262AFEFFCALLXFSSVR.00445264<BR>0046283E|>8BC3MOVEAX,EBX<BR>00462840|.E8EBF3FFFFCALLXFSSVR.00461C30<BR>00462845|.84C0TESTAL,AL<BR>00462847|.741BJESHORTXFSSVR.00462864<BR>00462849|.8B8378030000MOVEAX,DWORDPTRDS:[EBX+378]<BR>经过上述修改,启动程序发现立即退出了,肯定还有地方没有改掉。继续下同样断点,F11一次,然后F10跟踪到下面代码处,这段代码就是前面这段的后半部分:<BR>00462828|.A1E0884600MOVEAX,DWORDPTRDS:[4688E0]<BR>0046282D|.E84AD1FFFFCALLXFSSVR.0045F97C//此CALL取使用天数。<BR>00462832|.83F81ECMPEAX,1E//与1E比较,即30天。<BR>00462835|.7C07JLSHORTXFSSVR.0046283E//如果超期,这个不跳。修改为JMP无论如何也跳.机器码EB。<BR>00462837|.8BC3MOVEAX,EBX<BR>00462839|.E8262AFEFFCALLXFSSVR.00445264<BR>0046283E|>8BC3MOVEAX,EBX<BR>00462840|.E8EBF3FFFFCALLXFSSVR.00461C30<BR>00462845|.84C0TESTAL,AL<BR>00462847|.741BJESHORTXFSSVR.00462864<BR>================================================================<BR>还有一个地方,就是在点击窗口上的Launch按钮时,出现跟前面提到的一样的NAG。下面也一并搞掉。下断点bpxenablewindow,F5退出SOFTICE,然后点击Launch按钮,被拦住。这里如果下messageboxa则拦不住。如果换Createwindow函数可以拦住。按一次F11,5次F12来到下面代码处:<BR>00461C70.FF5160CALLDWORDPTRDS:[ECX+60]<BR>00461C73.66:BAEDFFMOVDX,0FFED//我们停在这里。<BR>00461C77.8B45FCMOVEAX,DWORDPTRSS:[EBP-4]<BR>00461C7A.E805A2FCFFCALLXFSSVR.0042BE84<BR>00461C7F.33D2XOREDX,EDX<BR>00461C81.55PUSHEBP<BR>00461C82.68EF214600PUSHXFSSVR.004621EF<BR>00461C87.64:FF32PUSHDWORDPTRFS:[EDX]<BR>00461C8A.64:8922MOVDWORDPTRFS:[EDX],ESP<BR>00461C8D.80FB01CMPBL,1<BR>00461C90.0F8519030000JNZXFSSVR.00461FAF<BR>00461C96.833DDC884600>CMPDWORDPTRDS:[4688DC],0<BR>00461C9D.0F850C030000JNZXFSSVR.00461FAF<BR>00461CA3.A1D8884600MOVEAX,DWORDPTRDS:[4688D8]<BR>00461CA8.80B8B5050000>CMPBYTEPTRDS:[EAX+5B5],0<BR>00461CAF.7405JESHORTXFSSVR.00461CB6//刚好这个跳转可以跳过下面这个CALL。修改74->EB。<BR>00461CB1.E812280000CALLXFSSVR.004644C8//这个CALL出现NAG。<BR>00461CB6>8D55C8LEAEDX,DWORDPTRSS:[EBP-38]<BR>00461CB9.8B45FCMOVEAX,DWORDPTRSS:[EBP-4]<BR>00461CBC.8B8064030000MOVEAX,DWORDPTRDS:[EAX+364]<BR>00461CC2.E8CD9FFCFFCALLXFSSVR.0042BC94<BR>================================================================<BR>后记:现在我们可以松口气了,看到拿掉NAG,且没有时间限制的软件,心里真是痛快!不过有时间还需要研究一下它的注册码算法。由于没有发现处理Keyfile文件的地方,所以,注册码怎么运算不得而知了。感谢您阅读此文!大侠不要扔鸡蛋过来哟!</FONT><BR></P>
页:
[1]