Cracking the CCS Eval C5000 V1.20 software
Source: 龙人计算机研究所  Author: Webmaster  Time: 2009-09-29 14:32:11
First open the winice.dat file in the SoftICE directory and remove the leading ; from the line
;exp=user.dll
and also remove the leading ; from the line
;exp=kernel32.dll
1. Run cc_app.exe. When the license dialog pops up, press Enter and the registration-code input window appears.
2. Enter 12345678901234567890123456 (any digits will do, as long as there are 26 of them).
3. ^d to bring up SoftICE, set the breakpoint bpx getdlgitemtexta, then ^d to return to Windows.
4. Click OK; SoftICE will hit the breakpoint and pop up.
5. bc * to clear all breakpoints. OK, let's go!
6. At this point you can see the following code.
USER32!GetDlgItemTextA
001B:77E84E2A PUSH EBP // keep stepping with F10 from here
001B:77E84E2B MOV EBP,ESP
001B:77E84E2D PUSH DWORD PTR [ESP+0C]
001B:77E84E31 PUSH DWORD PTR [EBP+08]
001B:77E84E34 CALL USER32!GetDlgItem
001B:77E84E39 TEST EAX,EAX
001B:77E84E3B JZ 77E84E4D
:u
001B:77E84E3D PUSH DWORD PTR [EBP+14]
001B:77E84E40 PUSH DWORD PTR [EBP+10]
001B:77E84E43 PUSH EAX
001B:77E84E44 CALL USER32!GetWindowTextA
001B:77E84E49 POP EBP
001B:77E84E4A RET 0010
001B:77E84E4D CMP DWORD PTR [EBP+14],00
001B:77E84E51 JZ 77E84E59
001B:00B729ED CALL USER32!GetDlgItemTextA
001B:00B729F2 CMP BYTE PTR [EBP-38],00
001B:00B729F6 JNZ 00B72A1F
001B:00B729F8 PUSH 00
001B:00B729FA PUSH 00B8BA87
001B:00B729FF PUSH 00007F04
001B:00B72A04 PUSH 00
001B:00B72A06 CALL USER32!LoadIconA
:u
001B:00B72A0B PUSH EAX
001B:00B72A0C PUSH 00B8BA78
001B:00B72A11 MOV ECX,[EBP+08]
001B:00B72A14 PUSH ECX
001B:00B72A15 CALL 00B758E8
001B:00B72A1A JMP 00B72AA4
001B:00B72A1F PUSH 00007F02
001B:00B72A24 PUSH 00
:u
001B:00B72A26 CALL USER32!LoadCursorA
001B:00B72A2B PUSH EAX
001B:00B72A2C CALL USER32!SetCursor
001B:00B72A31 LEA EAX,[EBP-38]
001B:00B72A34 PUSH EAX
001B:00B72A35 CALL 00B8428C <------- keep pressing F10 until here, then F8 to step into the call.
001B:00B72A3A POP ECX
001B:00B72A3B MOV [EBP-04],EAX
9. Call 00B8428C is the following code.
001B:00B8428C PUSH EBP
001B:00B8428D MOV EBP,ESP
001B:00B8428F PUSH DWORD PTR [EBP+08]
001B:00B84292 CALL 00B8548A <----------- F8 to step into
001B:00B84297 POP ECX
001B:00B84298 POP EBP
001B:00B84299 RET
10. The exciting moment is approaching.
001B:00B8548A PUSH EBP
001B:00B8548B MOV EBP,ESP
001B:00B8548D ADD ESP,FFFFFE30
001B:00B85493 PUSH EBX
001B:00B85494 PUSH ESI
001B:00B85495 PUSH EDI
001B:00B85496 MOV EBX,[EBP+08]
001B:00B85499 CMP DWORD PTR [00B95970],00
:u
001B:00B854A0 JNZ 00B854AC // this must jump; if your 30-day trial has not expired
001B:00B854A2 MOV EAX,FFFFFF98 // nothing needs to be done here.
001B:00B854A7 JMP 00B857F4 // to flip whether a jump is taken, I usually use r fl=z
001B:00B854AC CMP DWORD PTR [00B95970],01
001B:00B854B3 JLE 00B854F9 // this must jump; if your 30-day trial has not expired
001B:00B854B5 PUSH 00B95E01 // nothing needs to be done here.
001B:00B854BA PUSH DWORD PTR [00B9596C]
001B:00B854C0 CALL KERNEL32!GetProcAddress
:u
001B:00B854C5 MOV ESI,EAX
001B:00B854C7 TEST ESI,ESI
001B:00B854C9 JNZ 00B854D5
001B:00B854CB MOV EAX,FFFFFF97
001B:00B854D0 JMP 00B857F4
001B:00B854D5 CALL 00B88944
001B:00B854DA TEST EAX,EAX
001B:00B854DC JZ 00B854E8
:u
001B:00B854DE MOV EAX,FFFFFF93
001B:00B854E3 JMP 00B857F4
001B:00B854E8 PUSH EBX
001B:00B854E9 CALL ESI
001B:00B854EB MOV EBX,EAX
001B:00B854ED CALL 00B88A93
001B:00B854F2 MOV EAX,EBX
001B:00B854F4 JMP 00B857F4
:u
001B:00B854F9 PUSH 00B95E0F
001B:00B854FE CALL 00B89EEC
001B:00B85503 POP ECX
001B:00B85504 PUSH EBX
001B:00B85505 CALL 00B891FD
001B:00B8550A POP ECX
001B:00B8550B PUSH EBX
001B:00B8550C CALL KERNEL32!lstrlen
:u
001B:00B85511 CMP EAX,1A <------- F10 all the way to here; see the 1A?
Now you understand why 26 digits had to be entered.
001B:00B85514 JZ 00B85520
001B:00B85516 MOV EAX,FFFFFFFE <---- if the length is wrong, the return value is set
001B:00B8551B JMP 00B857F4 and it jumps straight to the return. Remember this jump address.
001B:00B85520 LEA EDX,[EBP-58]
001B:00B85523 PUSH EDX
001B:00B85524 PUSH 40FE0E30
001B:00B85529 PUSH 00
:u
001B:00B8552B PUSH 406CA000
001B:00B85530 PUSH 00
001B:00B85532 PUSH EBX
001B:00B85533 PUSH 01
001B:00B85535 CALL 00B88BFA
001B:00B8553A ADD ESP,1C
001B:00B8553D LEA ECX,[EBP-0168]
001B:00B85543 PUSH ECX
:u
001B:00B85544 LEA EAX,[EBP-58]
001B:00B85547 PUSH EAX
001B:00B85548 CALL 00B89085
001B:00B8554D ADD ESP,08
001B:00B85550 MOV DL,[EBP-0168]
001B:00B85556 MOV [EBP-01],DL
001B:00B85559 PUSH 0C
001B:00B8555B LEA ECX,[EBP-0168]
:u
001B:00B85561 PUSH ECX
001B:00B85562 CALL 00B8938B
001B:00B85567 ADD ESP,08
001B:00B8556A TEST AX,AX <--- note: the comparisons begin here
001B:00B8556D JZ 00B85579 <--- check whether it jumps here; if it does not, run r fl=z to flip the Z flag
001B:00B8556F MOV EAX,FFFFFFFE
001B:00B85574 JMP 00B857F4 <--- familiar, right?
001B:00B85579 MOV DL,[EBP-01]
:u
001B:00B8557C AND EDX,7F
001B:00B8557F MOV CL,[00B9A6D0]
001B:00B85585 AND ECX,7F
001B:00B85588 CMP EDX,ECX <--- note
001B:00B8558A JZ 00B85594 <--- check whether it jumps here; if it does not, run r fl=z to flip the Z flag
001B:00B8558C OR EAX,-01
001B:00B8558F JMP 00B857F4 <--- familiar, right?
001B:00B85594 TEST BYTE PTR [EBP-01],80
:u
001B:00B85598 JZ 00B8571C
001B:00B8559E CMP DWORD PTR [00B9A6D4],00
001B:00B855A5 JGE 00B855B0
001B:00B855A7 CMP BYTE PTR [EBP-0167],00
001B:00B855AE JL 00B855C2
001B:00B855B0 CMP DWORD PTR [00B9A6D4],00
001B:00B855B7 JL 00B855D1
001B:00B855B9 CMP BYTE PTR [EBP-0167],00
:u
001B:00B855C0 JLE 00B855D1
001B:00B855C2 MOVSX ESI,BYTE PTR [EBP-0167]
001B:00B855C9 ADD ESI,[00B9A6D4]
001B:00B855CF JMP 00B855D7
001B:00B855D1 MOV ESI,[00B9A6D4]
001B:00B855D7 CMP DWORD PTR [00B95998],20
001B:00B855DE JGE 00B8563C
001B:00B855E0 CMP DWORD PTR [00B95998],00
:u
001B:00B855E7 JLE 00B8563C
001B:00B855E9 XOR EDI,EDI
001B:00B855EB PUSH DWORD PTR [00B95998]
001B:00B855F1 CALL 00B883CB
001B:00B855F6 POP ECX
001B:00B855F7 MOV EDX,EAX
001B:00B855F9 NOT EDI
001B:00B855FB MOV ECX,00000020
:u
001B:00B85600 SUB ECX,[00B95998]
001B:00B85606 SHL EDI,CL
001B:00B85608 NOT EDI
001B:00B8560A MOV EAX,[EBP-0164]
001B:00B85610 AND EAX,EDI
001B:00B85612 MOV [EBP-1C],EAX
001B:00B85615 MOV EAX,[EBP-1C]
001B:00B85618 ADD EAX,EDX
:u
001B:00B8561A CMP EDI,EAX
001B:00B8561C JAE 00B85620
001B:00B8561E MOV EAX,EDI
001B:00B85620 MOV ECX,[00B9A4D8]
001B:00B85626 SUB ECX,EDX
001B:00B85628 MOV EDX,ECX
001B:00B8562A MOV ECX,[EBP-0164]
001B:00B85630 SUB ECX,[EBP-1C]
:u
001B:00B85633 OR EDX,ECX
001B:00B85635 ADD EAX,EDX
001B:00B85637 MOV [EBP-14],EAX
001B:00B8563A JMP 00B85645
001B:00B8563C MOV EDX,[00B9A4D8]
001B:00B85642 MOV [EBP-14],EDX
001B:00B85645 LEA EAX,[EBP-24]
001B:00B85648 PUSH EAX
:u
001B:00B85649 LEA EDX,[EBP-20]
001B:00B8564C PUSH EDX
001B:00B8564D LEA ECX,[EBP-0160]
001B:00B85653 PUSH ECX
001B:00B85654 CALL 00B85E45
001B:00B85659 ADD ESP,0C
001B:00B8565C CMP DWORD PTR [EBP-24],00
001B:00B85660 JZ 00B85686
:u
001B:00B85662 MOV EAX,[00B9A4C8]
001B:00B85667 CMP EAX,[EBP-20]
001B:00B8566A JNZ 00B85686
001B:00B8566C MOV DX,[00B9A4CC]
001B:00B85673 SUB DX,[00B9A4D0]
001B:00B8567A ADD DX,[EBP-24]
001B:00B8567E MOV [EBP-16],DX
001B:00B85682 XOR EDI,EDI
:u
001B:00B85684 JMP 00B85697
001B:00B85686 MOV AX,[00B9A4CC]
001B:00B8568C MOV [EBP-16],AX
001B:00B85690 MOV DI,[00B9A4D0]
001B:00B85697 LEA EAX,[EBP-019C]
001B:00B8569D PUSH EAX
001B:00B8569E CALL 00B84A6F
001B:00B856A3 POP ECX
:u
001B:00B856A4 TEST EAX,EAX <--- note
001B:00B856A6 JZ 00B856B0 <--- check whether it jumps here; if it does not, run r fl=z to flip the Z flag
001B:00B856A8 OR EAX,-01
001B:00B856AB JMP 00B857F4
001B:00B856B0 LEA EDX,[EBP-01CF]
001B:00B856B6 PUSH EDX
001B:00B856B7 PUSH 40FE0E30
001B:00B856BC PUSH 00
:u
001B:00B856BE PUSH 406CA000
001B:00B856C3 PUSH 00
001B:00B856C5 PUSH DWORD PTR [00B9597C]
001B:00B856CB PUSH 01
001B:00B856CD CALL 00B88BFA
001B:00B856D2 ADD ESP,1C
001B:00B856D5 MOV BYTE PTR [EBP-01D0],00
001B:00B856DC PUSH EBX
:u
001B:00B856DD PUSH ESI
001B:00B856DE MOVZX ECX,WORD PTR [EBP-16]
001B:00B856E2 PUSH ECX
001B:00B856E3 PUSH DWORD PTR [00B9A4C8]
001B:00B856E9 PUSH DWORD PTR [EBP-14]
001B:00B856EC LEA EAX,[EBP-019C]
001B:00B856F2 PUSH EAX
001B:00B856F3 LEA EDX,[EBP-01D0]
:u
001B:00B856F9 PUSH EDX
001B:00B856FA CALL 00B85B01
001B:00B856FF ADD ESP,1C
001B:00B85702 TEST EAX,EAX
001B:00B85704 JZ 00B85710 <--- check whether it jumps here; if it does not, run r fl=z to flip the Z flag
001B:00B85706 MOV EAX,FFFFFFFE
001B:00B8570B JMP 00B857F4
001B:00B85710 LEA EDX,[EBP-08]
:u
001B:00B85713 PUSH EDX
001B:00B85714 CALL 00B896F3
001B:00B85719 POP ECX
001B:00B8571A JMP 00B8572F
001B:00B8571C LEA ECX,[EBP-08]
001B:00B8571F PUSH ECX
001B:00B85720 CALL 00B896F3
001B:00B85725 POP ECX
:u
001B:00B85726 MOVSX ESI,BYTE PTR [EBP-0167]
001B:00B8572D XOR EDI,EDI
001B:00B8572F LEA EAX,[EBP-015C]
001B:00B85735 PUSH EAX
001B:00B85736 PUSH 00B95E64
001B:00B8573B PUSH DWORD PTR [00B95978]
001B:00B85741 CALL 00B8601E
001B:00B85746 ADD ESP,0C
:u
001B:00B85749 LEA EDX,[EBP-015C]
001B:00B8574F PUSH EDX
001B:00B85750 CALL 00B87D29
001B:00B85755 POP ECX
001B:00B85756 MOV [EBP-10],EAX
001B:00B85759 TEST EAX,EAX
001B:00B8575B JGE 00B85773 <--- check whether it jumps here; if it does not, run r fl=z to flip the Z flag
001B:00B8575D PUSH FD
:u
001B:00B8575F PUSH 03
001B:00B85761 CALL 00B842B8
001B:00B85766 ADD ESP,08
001B:00B85769 MOV EAX,FFFFFFFD
001B:00B8576E JMP 00B857F4
001B:00B85773 PUSH EBX
001B:00B85774 PUSH DWORD PTR [EBP-10]
001B:00B85777 LEA EDX,[EBP-015C]
:u
001B:00B8577D PUSH EDX
001B:00B8577E CALL 00B87D4D
001B:00B85783 ADD ESP,0C
001B:00B85786 LEA ECX,[EBP-015C]
001B:00B8578C PUSH ECX
001B:00B8578D PUSH 00B95E6C
001B:00B85792 PUSH DWORD PTR [00B95978]
001B:00B85798 CALL 00B8601E
:u
001B:00B8579D ADD ESP,0C
001B:00B857A0 PUSH 00B95982
001B:00B857A5 PUSH 00B95E70
001B:00B857AA LEA EAX,[EBP-015C]
001B:00B857B0 PUSH EAX
001B:00B857B1 CALL 00B87DF9
001B:00B857B6 ADD ESP,0C
001B:00B857B9 MOV EBX,EAX
:u
001B:00B857BB TEST EAX,EAX
001B:00B857BD JZ 00B857C3 <--- check whether it jumps here; if it does not, run r fl=z to flip the Z flag
001B:00B857BF MOV EAX,EBX
001B:00B857C1 JMP 00B857F4 // done, the last one is handled too; ^d to go back to Windows
001B:00B857C3 MOV [00B9A6D4],ESI // you will now see the congratulation message.
001B:00B857C9 PUSH DWORD PTR [EBP-08]
001B:00B857CC PUSH DWORD PTR [00B9A6D4]
001B:00B857D2 MOVZX EDX,DI
:u
001B:00B857D5 PUSH EDX
001B:00B857D6 PUSH DWORD PTR [00B95978]
001B:00B857DC CALL 00B85930
001B:00B857E1 ADD ESP,10
001B:00B857E4 PUSH 00
001B:00B857E6 LEA ECX,[EBP-0C]
001B:00B857E9 PUSH ECX
001B:00B857EA CALL 00B84D21
:u
001B:00B857EF ADD ESP,08
001B:00B857F2 XOR EAX,EAX
001B:00B857F4 POP EDI
001B:00B857F5 POP ESI
001B:00B857F6 POP EBX
001B:00B857F7 MOV ESP,EBP
001B:00B857F9 POP EBP
001B:00B857FA RET