This is a very old piece of software.
I only worked on it because someone from another forum asked me for help.
He didn't have a registration code either; at startup it demands [enter username, e-mail, registration code], otherwise it exits before you ever reach the main window.
It was packed with UPX; after unpacking it reported a redirection problem. I tried both upx -d and dedicated unpackers, and both hit the problem described above.
In the end I saved it out with Resource Tuner 2, though it gave an error message.
bp messageboxA breaks here
The key thing I saw:
00300F4E 90 NOP ; seems to jump away; looks like the config-file writes below store the registration info (1)
00300F4F 90 NOP
00300F50 |> FF35 80B15300 PUSH DWORD PTR DS:[0x53B180] ; /邮R
00300F56 |. 8B35 98844A00 MOV ESI,DWORD PTR DS:[<&KERNEL32.Wri>; |kernel32.WritePrivateProfileStringW
00300F5C |. FFB5 48FFFFFF PUSH [LOCAL.46] ; |String
00300F62 |. 68 045D4E00 PUSH crack.004E5D04 ; |UserName
00300F67 |. 68 185D4E00 PUSH crack.004E5D18 ; |Registration
00300F6C |. FFD6 CALL NEAR ESI ; \WritePrivateProfileStringW
00300F6E |. FF35 80B15300 PUSH DWORD PTR DS:[0x53B180] ; /邮R
00300F74 |. FFB5 44FFFFFF PUSH [LOCAL.47] ; |String
00300F7A |. 68 C45C4E00 PUSH crack.004E5CC4 ; |OrganizationName
00300F7F |. 68 185D4E00 PUSH crack.004E5D18 ; |Registration
00300F84 |. FFD6 CALL NEAR ESI ; \WritePrivateProfileStringW
00300F86 |. FF35 80B15300 PUSH DWORD PTR DS:[0x53B180] ; /邮R
00300F8C |. FFB5 4CFFFFFF PUSH [LOCAL.45] ; |String
00300F92 |. 68 E85C4E00 PUSH crack.004E5CE8 ; |SerialNumber
00300F97 |. 68 185D4E00 PUSH crack.004E5D18 ; |Registration
00300F9C |. FFD6 CALL NEAR ESI ; \WritePrivateProfileStringW
00300F9E |> 6A FF PUSH -0x1
00300C8B 90 NOP ; (3) can't let it run straight through here either!
00300C8C 90 NOP
00300C8D 90 NOP
00300C8E 90 NOP
00300C8F 90 NOP
00300C90 90 NOP
00300C91 |. 8B95 44FFFFFF MOV EDX,[LOCAL.47]
00300C97 |. 8D85 34FFFFFF LEA EAX,[LOCAL.51]
00300C9D |. 50 PUSH EAX
00300C9E |. 8D85 3CFFFFFF LEA EAX,[LOCAL.49]
00300CA4 |. 50 PUSH EAX
00300CA5 |. 8D85 38FFFFFF LEA EAX,[LOCAL.50]
00300CAB |. 50 PUSH EAX
00300CAC |. 51 PUSH ECX
00300CAD |. FFB5 4CFFFFFF PUSH [LOCAL.45]
00300CB3 |. 8B8D 48FFFFFF MOV ECX,[LOCAL.46]
00300CB9 |. E8 62050000 CALL crack.00301220
00300CBE |. 83C4 14 ADD ESP,0x14
00300CC1 |. 83F8 01 CMP EAX,0x1
00300CC4 90 NOP ; this is the jump-away at the very top! (2) so it has to be NOPed
00300CC5 90 NOP
00300CC6 90 NOP
00300CC7 90 NOP
00300CC8 90 NOP
00300CC9 90 NOP
Had to use a hardware breakpoint and trace upward level by level.
In the end I tied all the pieces together and the crack succeeded.
The source file is huge~~ Recording the cracking process here.
While the INI file was being written, EmEditor happily reported each write as it happened; that is the biggest advantage of dynamic debugging.
[Settings]
Portable=0
[Teaching Control]
Admin=1
[Registration]
UserName=cuicui
OrganizationName=ninebell
SerialNumber=?????ò?????òí????òì????ò?íì?êé
The 00000-10000-20000-30000-123456 I found originally turned into the garbage shown above, for reasons unknown, but it no longer affects use.
01350F6E |. FF35 80B15801 PUSH DWORD PTR DS:[0x158B180] ; /FileName = "C:\Program Files (x86)\NJStar Chinese WP6\njstar.ini"
01350F74 |. FFB5 44FFFFFF PUSH [LOCAL.47] ; |String
01350F7A |. 68 C45C5301 PUSH crack.01535CC4 ; |OrganizationName
01350F7F |. 68 185D5301 PUSH crack.01535D18 ; |Registration
01350F84 |. FFD6 CALL NEAR ESI ; \WritePrivateProfileStringW
01350F86 |. FF35 80B15801 PUSH DWORD PTR DS:[0x158B180] ; /FileName = "C:\Program Files (x86)\NJStar Chinese WP6\njstar.ini"
01350F8C |. FFB5 4CFFFFFF PUSH [LOCAL.45] ; |String
01350F92 |. 68 E85C5301 PUSH crack.01535CE8 ; |SerialNumber
01350F97 |. 68 185D5301 PUSH crack.01535D18 ; |Registration
01350F9C |. FFD6 CALL NEAR ESI ; \WritePrivateProfileStringW
01350F9E |> 6A FF PUSH -0x1
01350FA0 |. 6A 40 PUSH 0x40
01350FA2 |. 68 2D4E0000 PUSH 0x4E2D
01350FA7 |. EB 09 JMP SHORT crack.01350FB2
01350FA9 |> 6A FF PUSH -0x1
01350FAB |. 6A 10 PUSH 0x10
01350FAD |. 68 2E4E0000 PUSH 0x4E2E
01350FB2 |> E8 C9A20100 CALL crack.0136B280
===================
01338F08 |. 50 PUSH EAX ; /String
01338F09 |. FF15 74854F01 CALL NEAR DWORD PTR DS:[<&KERNEL32.ls>; \lstrlenW
01338F0F |. 8BF0 MOV ESI,EAX
01338F11 |. 8D85 F4FDFFFF LEA EAX,[LOCAL.131]
01338F17 |. 50 PUSH EAX
01338F18 |. E8 54891800 CALL crack.014C1871
01338F1D |. 83C4 04 ADD ESP,0x4
01338F20 |. 66:837C70 FE >CMP WORD PTR DS:[EAX+ESI*2-0x2],0x5C
01338F26 |. 75 07 JNZ SHORT crack.01338F2F
01338F28 |. 33C9 XOR ECX,ECX
01338F2A |. 66:894C70 FE MOV WORD PTR DS:[EAX+ESI*2-0x2],CX
01338F2F |> 50 PUSH EAX
01338F30 |. 8987 B0080000 MOV DWORD PTR DS:[EDI+0x8B0],EAX
01338F36 |. 8D85 E4F9FFFF LEA EAX,[LOCAL.391]
01338F3C |. 68 B03E5401 PUSH crack.01543EB0 ; %s\njstar.ini
0028E59C 0028E5A2 UNICODE "00000-10000-20000-30000-123456"
00300F4E |. /74 4E JE SHORT crack.00300F9E ; seems to jump away; looks like the config-file writes below store the registration info
00300F50 |> |FF35 80B15300 PUSH DWORD PTR DS:[0x53B180] ; /邮R
00300F56 |. |8B35 98844A00 MOV ESI,DWORD PTR DS:[<&KERNEL32.Wri>; |kernel32.WritePrivateProfileStringW
00300F5C |. |FFB5 48FFFFFF PUSH [LOCAL.46] ; |String
00300F62 |. |68 045D4E00 PUSH crack.004E5D04 ; |UserName
00300F67 |. |68 185D4E00 PUSH crack.004E5D18 ; |Registration
00300F6C |. |FFD6 CALL NEAR ESI ; \WritePrivateProfileStringW
00300F6E |. |FF35 80B15300 PUSH DWORD PTR DS:[0x53B180] ; /邮R
00300F74 |. |FFB5 44FFFFFF PUSH [LOCAL.47] ; |String
00300F7A |. |68 C45C4E00 PUSH crack.004E5CC4 ; |OrganizationName
00300F7F |. |68 185D4E00 PUSH crack.004E5D18 ; |Registration
00300F84 |. |FFD6 CALL NEAR ESI ; \WritePrivateProfileStringW
00300F86 |. |FF35 80B15300 PUSH DWORD PTR DS:[0x53B180] ; /邮R
00300F8C |. |FFB5 4CFFFFFF PUSH [LOCAL.45] ; |String
00300F92 |. |68 E85C4E00 PUSH crack.004E5CE8 ; |SerialNumber
00300F97 |. |68 185D4E00 PUSH crack.004E5D18 ; |Registration
00300F9C |. |FFD6 CALL NEAR ESI ; \WritePrivateProfileStringW
00300F9E |> \6A FF PUSH -0x1
00300CC4 |. /0F85 DF020000 JNZ crack.00300FA9 ; this is the jump-away at the very top! (2)
00300CCA |. |8B85 48FFFFFF MOV EAX,[LOCAL.46]
00300CD0 |. |8B35 74B15300 MOV ESI,DWORD PTR DS:[0x53B174] ; crack.0052A018
00300CD6 |. |83C6 F0 ADD ESI,-0x10
00300CD9 |. |8D50 F0 LEA EDX,DWORD PTR DS:[EAX-0x10]
00300CDC |. |3BD6 CMP EDX,ESI
00300CDE |. |74 4F JE SHORT crack.00300D2F
|