普析 AAWin 3.0
This program is the control software for a spectrometer; it drives a certain manufacturer's spectrometer. I do not understand why a registration code and serial number had to be built into the software, and according to users it even ships with a dongle. Good grief, are they that afraid someone will use it? When the system is reinstalled or the computer breaks, you have to get the manufacturer to reinstall it, and the manufacturer is always busy.
The registration-code check uses a small trick: the check runs in a thread whose code is compressed and encrypted, and I have not traced where it is kept. On XP that thread's code sits at a fixed memory address, so it is easy to find and locate; but fewer and fewer companies still run XP. On Win7, however, the memory address of the check thread changes from one launch to the next, so finding the key code is not enough by itself: the generic memory-patch generators on the web all emit patches for a fixed address. The only way to get rid of the registration prompt is to write your own patcher that searches memory for this code and modifies it in place. (The call targets in the listings below, `clr.*` and `System_W.*`, show that the check is JIT-compiled .NET code; the runtime places such code wherever it allocates its code heap at run time, which is why the address moves between launches.) If you have the time, tracing out the serial number and registration code also works, but that is professional work that not everyone can do.
Before a registration code has been entered, the program prompts for one at startup; the check looks like this in memory (XP):
05C80714 90 nop
05C80715 837D F8 00 cmp dword ptr ss:[ebp-0x8],0x0 ; flag: is the serial number correct? Search bytes from 05C80714: 90 83 7D F8 00 0F 94 C0 0F B6 C0
05C80719 0F94C0 sete al ; wildcard pattern covering 05C80714..05C80727 (20 bytes, ?? = any byte): 90837D??000F94C00FB6C0??????????????750d
05C8071C 0FB6C0 movzx eax,al
05C8071F 8945 E8 mov dword ptr ss:[ebp-0x18],eax
05C80722 837D E8 00 cmp dword ptr ss:[ebp-0x18],0x0 ; [ebp-0x18] = ([ebp-0x8] == 0): if the flag is 0 (no valid serial) this is 1, the jnz is taken and the "serial number incorrect" prompt follows; if the flag is 1 the jnz falls through and startup continues normally
05C80726 75 0D jnz short 05C80735
05C80728 90 nop
05C80729 33D2 xor edx,edx
05C8072B 8955 EC mov dword ptr ss:[ebp-0x14],edx
05C8072E 90 nop
05C8072F 90 nop
05C80730 E9 D5000000 jmp 05C8080A
05C80735 90 nop
05C80736 8B0D FC99A502 mov ecx,dword ptr ds:[0x2A599FC]
05C8073C E8 277EF275 call System_W.7BBA8568 ; prompt: serial number incorrect
05C80741 90 nop
05C80742 B9 48BD0705 mov ecx,0x507BD48
05C80747 E8 6ABC4F73 call clr.7917C3B6
05C8074C 8945 A0 mov dword ptr ss:[ebp-0x60],eax
05C8074F 8B4D A0 mov ecx,dword ptr ss:[ebp-0x60]
05C80752 E8 810947FF call 050F10D8
05C80757 8B45 A0 mov eax,dword ptr ss:[ebp-0x60]
05C8075A 8945 B4 mov dword ptr ss:[ebp-0x4C],eax
05C8075D FF75 C4 push dword ptr ss:[ebp-0x3C]
05C80760 8B4D B4 mov ecx,dword ptr ss:[ebp-0x4C]
05C80763 BA 58BC0705 mov edx,0x507BC58
05C80768 E8 812B5273 call clr.791A32EE
05C8076D 8B4D B4 mov ecx,dword ptr ss:[ebp-0x4C]
05C80770 BA 01000000 mov edx,0x1
05C80775 3909 cmp dword ptr ds:[ecx],ecx ; clr.792DEF58
05C80777 E8 A0908675 call System_W.7B4E981C
05C8077C 90 nop
05C8077D 8B4D B4 mov ecx,dword ptr ss:[ebp-0x4C]
05C80780 3909 cmp dword ptr ds:[ecx],ecx ; clr.792DEF58
05C80782 E8 C9638475 call System_W.7B4C6B50 ; the serial-number entry box appears
05C80787 90 nop
05C80788 8B4D B4 mov ecx,dword ptr ss:[ebp-0x4C]
05C8078B BA 4CBC0705 mov edx,0x507BC4C
05C80790 E8 53E76573 call clr.792DEEE8
05C80795 85C0 test eax,eax
05C80797 0f94c0 sete al
05C8079A 0FB6C0 movzx eax,al
05C8079D 8945 E8 mov dword ptr ss:[ebp-0x18],eax ; search bytes for the second test: 89 45 E8 83 7D E8 00 (the same bytes also occur at 05C8071F, so take the second hit)
05C807A0 837D E8 00 cmp dword ptr ss:[ebp-0x18],0x0
05C807A4 75 63 jnz short 05C80809
05C807A6 90 nop
05C807A7 8B45 C8 mov eax,dword ptr ss:[ebp-0x38]
05C807AA 8945 9C mov dword ptr ss:[ebp-0x64],eax
05C807AD 8B45 C8 mov eax,dword ptr ss:[ebp-0x38]
05C807B0 8B40 24 mov eax,dword ptr ds:[eax+0x24]
05C807B3 8985 54FFFFFF mov dword ptr ss:[ebp-0xAC],eax
05C807B9 FF35 2893A502 push dword ptr ds:[0x2A59328]
05C807BF 8B8D 54FFFFFF mov ecx,dword ptr ss:[ebp-0xAC]
05C807C5 8B55 C0 mov edx,dword ptr ss:[ebp-0x40]
05C807C8 3909 cmp dword ptr ds:[ecx],ecx ; clr.792DEF58
05C807CA E8 E1D9CCFB call 0194E1B0
05C807CF 8945 98 mov dword ptr ss:[ebp-0x68],eax
05C807D2 8B55 9C mov edx,dword ptr ss:[ebp-0x64]
05C807D5 8B45 98 mov eax,dword ptr ss:[ebp-0x68]
05C807D8 8D52 2C lea edx,dword ptr ds:[edx+0x2C]
05C807DB E8 E0274C73 call clr.79142FC0
05C807E0 8B45 C8 mov eax,dword ptr ss:[ebp-0x38]
05C807E3 8B40 2C mov eax,dword ptr ds:[eax+0x2C]
05C807E6 8985 50FFFFFF mov dword ptr ss:[ebp-0xB0],eax
05C807EC FF75 C4 push dword ptr ss:[ebp-0x3C]
05C807EF 8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
05C807F5 8B4D C8 mov ecx,dword ptr ss:[ebp-0x38]
05C807F8 FF15 A0535201 call dword ptr ds:[0x15253A0]
05C807FE 8945 E0 mov dword ptr ss:[ebp-0x20],eax
05C80801 0FB645 E0 movzx eax,byte ptr ss:[ebp-0x20]
05C80805 8945 F8 mov dword ptr ss:[ebp-0x8],eax
05C80808 90 nop
05C80809 90 nop
05C8080A 90 nop
05C8080B 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
05C8080E 8945 E8 mov dword ptr ss:[ebp-0x18],eax
05C80811 837D E8 00 cmp dword ptr ss:[ebp-0x18],0x0
05C80815 ^ 0F85 F9FEFFFF jnz 05C80714
05C8081B 90 nop
05C8081C 8BE5 mov esp,ebp
05C8081E 5D pop ebp
05C8081F C3 retn
05C80820 CC int3
The same code in memory on Win7: the code address is not fixed at all; it changes on every launch, and even the stack pointer changes.
07270714 90 nop
07270715 837D F8 00 cmp dword ptr ss:[ebp-0x8],0x0
07270719 0f94c0 sete al
0727071C 0FB6C0 movzx eax,al
0727071F 8945 E8 mov dword ptr ss:[ebp-0x18],eax
07270722 837D E8 00 cmp dword ptr ss:[ebp-0x18],0x0
07270726 75 0D jnz short 07270735
07270728 90 nop
07270729 33D2 xor edx,edx ; clr.79729288
0727072B 8955 EC mov dword ptr ss:[ebp-0x14],edx ; clr.79729288
0727072E 90 nop
0727072F 90 nop
07270730 E9 D5000000 jmp 0727080A
07270735 90 nop
07270736 8B0D FC993704 mov ecx,dword ptr ds:[0x43799FC]
0727073C E8 4B2F8F74 call System_W.7BB6368C
07270741 90 nop
07270742 B9 48BD3B06 mov ecx,0x63BBD48
This is the code on Win7 after patching memory; note that the address has changed yet again, which is why only a self-written patcher can do this. Below is the code after modification in memory:
06AF0700 90 nop
06AF0701 B8 01000000 mov eax,0x1
06AF0706 25 FF000000 and eax,0xFF
06AF070B 8945 EC mov dword ptr ss:[ebp-0x14],eax
06AF070E 90 nop
06AF070F E9 F7000000 jmp 06AF080B
06AF0714 90 nop
06AF0715 837D F8 00 cmp dword ptr ss:[ebp-0x8],0x0
06AF0719 32C0 xor al,al ; patched: was sete al (0F 94 C0), al is now always 0
06AF071B 90 nop ; pads the third byte of the original sete
06AF071C 0FB6C0 movzx eax,al
06AF071F 8945 E8 mov dword ptr ss:[ebp-0x18],eax
06AF0722 837D E8 00 cmp dword ptr ss:[ebp-0x18],0x0
06AF0726 75 0D jnz short 06AF0735
06AF0728 90 nop
06AF0729 33D2 xor edx,edx
06AF072B 8955 EC mov dword ptr ss:[ebp-0x14],edx
06AF072E 90 nop
06AF072F 90 nop
06AF0730 E9 D5000000 jmp 06AF080A
06AF0735 90 nop
06AF0736 8B0D FC995004 mov ecx,dword ptr ds:[0x45099FC]
06AF073C 90 nop ; patched: the five-byte call to the "serial number incorrect" prompt is now nops
06AF073D 90 nop
06AF073E 90 nop
06AF073F 90 nop
06AF0740 90 nop
06AF0741 90 nop
06AF0742 B9 48BD3603 mov ecx,0x336BD48
06AF0747 E8 4E246772 call clr.79162B9A
06AF074C 8945 A0 mov dword ptr ss:[ebp-0x60],eax
06AF074F 8B4D A0 mov ecx,dword ptr ss:[ebp-0x60]
06AF0752 E8 810996FF call 064510D8
06AF0757 8B45 A0 mov eax,dword ptr ss:[ebp-0x60]
06AF075A 8945 B4 mov dword ptr ss:[ebp-0x4C],eax
06AF075D FF75 C4 push dword ptr ss:[ebp-0x3C]
06AF0760 8B4D B4 mov ecx,dword ptr ss:[ebp-0x4C]
06AF0763 BA 58BC3603 mov edx,0x336BC58
06AF0768 E8 09966E72 call clr.791D9D76
06AF076D 8B4D B4 mov ecx,dword ptr ss:[ebp-0x4C]
06AF0770 BA 01000000 mov edx,0x1
06AF0775 3909 cmp dword ptr ds:[ecx],ecx
06AF0777 E8 1894A174 call System_G.7B509B94
06AF077C 90 nop
06AF077D 8B4D B4 mov ecx,dword ptr ss:[ebp-0x4C]
06AF0780 3909 cmp dword ptr ds:[ecx],ecx
06AF0782 E8 C9679F74 call System_G.7B4E6F50
06AF0787 90 nop
06AF0788 8B4D B4 mov ecx,dword ptr ss:[ebp-0x4C]
06AF078B BA 4CBC3603 mov edx,0x336BC4C
06AF0790 E8 E73C7D72 call clr.792C447C
06AF0795 85C0 test eax,eax
06AF0797 0f94c0 sete al
06AF079A 0FB6C0 movzx eax,al
06AF079D 8945 E8 mov dword ptr ss:[ebp-0x18],eax
06AF07A0 837D E8 00 cmp dword ptr ss:[ebp-0x18],0x0
06AF07A4 EB 63 jmp short 06AF0809 ; patched: was jnz (75 63); the second test is skipped unconditionally
06AF07A6 90 nop
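The search-and-patch approach described at the top of the post, written out as an added example; this is not the author's patcher, which the post does not show. It uses the post's own wildcard pattern `90837D??000F94C00FB6C0??????????????750d` to locate the check wherever the CLR placed it, then applies the three edits visible in the Win7 listing: `sete al` to `xor al,al; nop`, the "serial number incorrect" call to nops, and the second `jnz` to `jmp`. Two checks that a fixed-address patch generator skips are built in: the bytes about to be overwritten are compared with what the original code has there, and the second pattern `8945E8837DE800` is taken at its second occurrence, since the same bytes also appear at the first flag test. Assumptions: a 32-bit target process, Python 3 on Windows for `patch_process()`, and the names `PATCHES`, `find_all`, `apply_patches` and `patch_process` are chosen here; the sample buffer is the post's XP listing transcribed by hand.

```python
"""Wildcard scan-and-patch for the AAWin 3.0 registration check. Added example, not
the post's own patcher. Pattern syntax is the post's: hex pairs, '??' = any one byte.
Assumed: 32-bit target; Windows for patch_process(). Offsets count from 05C80714."""
import re

# Constructed sample input: the unpatched check, transcribed from the post's XP listing.
ORIGINAL = bytes.fromhex(
    "90 837DF800 0F94C0 0FB6C0 8945E8 837DE800 750D"      # 0714 flag test, jnz
    "90 33D2 8955EC 90 90 E9D5000000"                    # 0728 normal-start path
    "90 8B0DFC99A502 E8277EF275 90"                      # 0735 call 'serial incorrect'
    "B948BD0705 E86ABC4F73 8945A0 8B4DA0 E8810947FF"     # 0742 build the dialog
    "8B45A0 8945B4 FF75C4 8B4DB4 BA58BC0705 E8812B5273"  # 0757
    "8B4DB4 BA01000000 3909 E8A0908675 90"               # 076D
    "8B4DB4 3909 E8C9638475 90"                          # 077D show the input box
    "8B4DB4 BA4CBC0705 E853E76573 85C0 0F94C0 0FB6C0"    # 0788 test the entry
    "8945E8 837DE800 7563"                               # 079D second test, jnz
)
FLAG_TEST = "90837D??000F94C00FB6C0??????????????750d"  # the post's pattern, 20 bytes
SECOND_TEST = "8945E8837DE800"          # occurs twice: match+0x0B and match+0x89
PATCHES = [  # (pattern, occurrence, offset from match, bytes expected there, replacement)
    (FLAG_TEST, 0, 0x05, bytes.fromhex("0F94C0"), bytes.fromhex("32C090")),  # sete al -> xor al,al; nop
    (FLAG_TEST, 0, 0x28, bytes.fromhex("E8"), bytes.fromhex("90" * 5)),     # call (rel32 varies) -> nops
    (SECOND_TEST, 1, 0x07, bytes.fromhex("75"), bytes.fromhex("EB")),       # jnz short -> jmp short
]

def parse_pattern(text):
    """'90837D??00' -> (needle, mask); a 0x00 mask byte marks a wildcard position."""
    pairs = re.findall(r"\?\?|[0-9a-fA-F]{2}", text)
    if "".join(pairs) != text.replace(" ", ""):
        raise ValueError("pattern must be whole hex bytes or '??'")
    needle = bytes(0 if p == "??" else int(p, 16) for p in pairs)
    return needle, bytes(0 if p == "??" else 0xFF for p in pairs)

def find_all(buf, pattern):
    """Offsets of every match of a wildcard pattern in buf (bytes or bytearray)."""
    needle, mask = parse_pattern(pattern)
    fixed = [(j, needle[j]) for j in range(len(needle)) if mask[j]]
    return [i for i in range(len(buf) - len(needle) + 1)
            if all(buf[i + j] == b for j, b in fixed)]

def apply_patches(buf, patches=PATCHES):
    """Return (patched copy, [(offset, new_bytes)]). LookupError if a pattern, occurrence
    or expected byte is missing: wrong region, second run or other build is refused."""
    out, changes = bytearray(buf), []
    for pattern, occ, off, expect, new in patches:
        hits = find_all(buf, pattern)  # always scan the unpatched bytes
        if occ >= len(hits):
            raise LookupError(f"{pattern}: occurrence {occ} not found ({len(hits)} hits)")
        at = hits[occ] + off
        if bytes(buf[at:at + len(expect)]) != expect:
            raise LookupError(f"unexpected bytes at +{at:#x}: {bytes(buf[at:at + 8]).hex()}")
        out[at:at + len(new)] = new
        changes.append((at, new))
    return bytes(out), changes

def patch_process(pid, patches=PATCHES, top=0xFFFFFFFF):
    """Windows only: scan the committed executable regions of a 32-bit process for the
    check, patch it in place and return the absolute addresses written."""
    import ctypes
    from ctypes import wintypes as wt
    k32, VP, SZ = ctypes.WinDLL("kernel32", use_last_error=True), ctypes.c_void_p, ctypes.c_size_t
    k32.OpenProcess.restype, k32.CloseHandle.argtypes = wt.HANDLE, [wt.HANDLE]
    k32.VirtualQueryEx.argtypes = [wt.HANDLE, VP, VP, SZ]
    k32.ReadProcessMemory.argtypes = k32.WriteProcessMemory.argtypes = [wt.HANDLE, VP, VP, SZ, VP]
    k32.VirtualProtectEx.argtypes = [wt.HANDLE, VP, SZ, wt.DWORD, VP]

    class MBI(ctypes.Structure):  # MEMORY_BASIC_INFORMATION
        _fields_ = [("BaseAddress", VP), ("AllocationBase", VP), ("AllocationProtect", wt.DWORD),
                    ("RegionSize", SZ), ("State", wt.DWORD), ("Protect", wt.DWORD), ("Type", wt.DWORD)]

    MEM_COMMIT, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x1000, 0x20, 0x40
    h = k32.OpenProcess(0x438, False, pid)  # QUERY_INFORMATION | VM_OPERATION | VM_READ | VM_WRITE
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    mbi, addr, got, old, written = MBI(), 0, SZ(), wt.DWORD(), []
    try:
        while addr < top and k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base, size = mbi.BaseAddress or 0, mbi.RegionSize
            addr = base + size
            if mbi.State != MEM_COMMIT or mbi.Protect not in (PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE):
                continue
            buf = (ctypes.c_ubyte * size)()
            if not k32.ReadProcessMemory(h, base, buf, size, ctypes.byref(got)):
                continue
            try:
                _, changes = apply_patches(bytes(buf)[:got.value], patches)
            except LookupError:
                continue  # the check is not in this region
            for off, new in changes:  # write back only the changed bytes
                k32.VirtualProtectEx(h, base + off, len(new), PAGE_EXECUTE_READWRITE, ctypes.byref(old))
                k32.WriteProcessMemory(h, base + off, new, len(new), ctypes.byref(got))
                k32.VirtualProtectEx(h, base + off, len(new), old.value, ctypes.byref(old))
                written.append(base + off)
            k32.FlushInstructionCache(h, None, 0)
            break
    finally:
        k32.CloseHandle(h)
    return written
```

`apply_patches(ORIGINAL)` runs offline against the transcribed listing and returns the three (offset, bytes) edits; `patch_process(pid)` needs the program running and the patcher started with enough rights to open it. Relative call displacements (`E8 xx xx xx xx`) and the stack offset in the first `cmp` are wildcarded or checked by a one-byte prefix because they differ between runs; if a pattern ever matches more than once in a region, extend the pattern rather than patching the first hit.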
Registry entries: if there is no serial number, the program reports that it is unregistered and asks for one.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\pxGMP]
"backDBWorkDir"="C:\\Program Files (x86)\\pxGMP"
"DBWorkDir"="C:\\Program Files (x86)\\pxGMP\\GMP"
"AAPath"="C:\\Program Files (x86)\\Pgeneral\\AAWin 3.0"
"initGMPdll"="false"
"sernum42"="1111-1111-1111-1111"
"sernum4"="111111111111111111111111111111111111111111111111111"
Tags: graphite tube, burn-off, autosampler, spectrometer, spectral absorption