AM-Notebook 6.3 注册KEY分析 与内存补丁:
006CB059 . E8 F63CD4FF call <jmp.&user32.MessageBoxW> ; \MessageBoxW
008F51C4 . E8 275EDDFF call 006CAFF0
008F51C9 . A1 70FABF00 mov eax, dword ptr [0xBFFA70]
008F51CE . 8B00 mov eax, dword ptr [eax]
008F51D0 . 8B80 AC030000 mov eax, dword ptr [eax+0x3AC]
008F51D6 . 33D2 xor edx, edx
008F51D8 . 8B08 mov ecx, dword ptr [eax]
008F51DA . FF51 68 call dword ptr [ecx+0x68]
008F51DD . 33C0 xor eax, eax
008F51DF . E8 205DDDFF call 006CAF04
008F51E4 . EB 0A jmp short 008F51F0
008F51E6 > B8 24538F00 mov eax, 008F5324 ; UNICODE "Sorry, but the entered License is not valid!"
008F51EB . E8 005EDDFF call 006CAFF0
008F5150 . E8 13D8DDFF call 006D2968
008F5155 . 837D F0 00 cmp dword ptr [ebp-0x10], 0x0
008F5159 . 0F84 87000000 je 008F51E6 ; 这一句感觉 超级重要
008F515F . 8D55 E8 lea edx, dword ptr [ebp-0x18]
008F5162 . A1 FCFEBF00 mov eax, dword ptr [0xBFFEFC]
008F5167 . 8B40 04 mov eax, dword ptr [eax+0x4]
008F516A . E8 1598DDFF call 006CE984
008F516F . FF75 E8 push dword ptr [ebp-0x18]
008F5172 . 68 40528F00 push 008F5240 ; UNICODE "notekey"
008F5177 . 68 5C528F00 push 008F525C
008F517C . 68 6C528F00 push 008F526C ; UNICODE ".bin"
008F5181 . 8D45 EC lea eax, dword ptr [ebp-0x14]
008F5184 . BA 04000000 mov edx, 0x4
008F5189 . E8 7E38B1FF call 00408A0C
008F518E . 8B45 EC mov eax, dword ptr [ebp-0x14]
008F5191 . 8B55 FC mov edx, dword ptr [ebp-0x4]
008F5194 . E8 FBB8DDFF call 006D0A94
008F5199 . 68 84528F00 push 008F5284 ; UNICODE "Registration complete."
008F519E . A1 3CFABF00 mov eax, dword ptr [0xBFFA3C]
008F51A3 . FF30 push dword ptr [eax]
008F51A5 . 68 C0528F00 push 008F52C0 ; UNICODE "Please restart "
008F51AA . 68 EC528F00 push 008F52EC ; UNICODE "AM-Notebook"
008F51AF . 68 10538F00 push 008F5310 ; UNICODE " !"
008F51B4 . 8D45 E4 lea eax, dword ptr [ebp-0x1C]
008F51B7 . BA 05000000 mov edx, 0x5
008F51BC . E8 4B38B1FF call 00408A0C
008F51C1 . 8B45 E4 mov eax, dword ptr [ebp-0x1C]
008F51C4 . E8 275EDDFF call 006CAFF0
008F51C9 . A1 70FABF00 mov eax, dword ptr [0xBFFA70]
008F51CE . 8B00 mov eax, dword ptr [eax]
008F51D0 . 8B80 AC030000 mov eax, dword ptr [eax+0x3AC]
008F51D6 . 33D2 xor edx, edx
008F51D8 . 8B08 mov ecx, dword ptr [eax]
008F51DA . FF51 68 call dword ptr [ecx+0x68]
008F51DD . 33C0 xor eax, eax
008F51DF . E8 205DDDFF call 006CAF04
008F51E4 . EB 0A jmp short 008F51F0
008F51E6 > B8 24538F00 mov eax, 008F5324 ; UNICODE "Sorry, but the entered License is not valid!"
008F51EB . E8 005EDDFF call 006CAFF0
008F51EB . E8 005EDDFF call 006CAFF0 断在了这里 ,所以得F7
006CB059 . E8 F63CD4FF call <jmp.&user32.MessageBoxW> ; \MessageBoxW F8一路到达这里就出错框了
=============
008F4E58 /$ 55 push ebp
008F4E59 |. 8BEC mov ebp, esp
008F4E5B |. 33C9 xor ecx, ecx
008F4E5D |. 51 push ecx
008F4E5E |. 51 push ecx
008F4E5F |. 51 push ecx
008F4E60 |. 51 push ecx
008F4E61 |. 51 push ecx
008F4E62 |. 51 push ecx
008F4E63 |. 51 push ecx
008F4E64 |. 51 push ecx
008F4E65 |. 53 push ebx
008F4E66 |. 56 push esi
008F4E67 |. 57 push edi
008F4E68 |. 8955 F4 mov dword ptr [ebp-0xC], edx
008F4E6B |. 8945 FC mov dword ptr [ebp-0x4], eax
008F4E6E |. 8B45 FC mov eax, dword ptr [ebp-0x4]
008F4E71 |. E8 3E29B1FF call 004077B4
008F4E76 |. 33C0 xor eax, eax
008F4E78 |. 55 push ebp
008F4E79 |. 68 EE4F8F00 push 008F4FEE
008F4E7E |. 64:FF30 push dword ptr fs:[eax]
008F4E81 |. 64:8920 mov dword ptr fs:[eax], esp
008F4E84 |. 8B55 FC mov edx, dword ptr [ebp-0x4]
008F4E87 |. B8 08508F00 mov eax, 008F5008 ; UNICODE "-----KEY BEGIN KEY-----"
008F4E8C |. E8 2F3EB1FF call 00408CC0
008F4E91 |. 85C0 test eax, eax
008F4E93 |. 7E 10 jle short 008F4EA5
008F4E95 |. 8D48 17 lea ecx, dword ptr [eax+0x17]
008F4E98 |. 8D45 FC lea eax, dword ptr [ebp-0x4]
008F4E9B |. BA 01000000 mov edx, 0x1
008F4EA0 |. E8 F73CB1FF call 00408B9C
008F4EA5 |> 8B55 FC mov edx, dword ptr [ebp-0x4]
008F4EA8 |. B8 44508F00 mov eax, 008F5044 ; UNICODE "-----KEY END KEY-----"
008F4EAD |. E8 0E3EB1FF call 00408CC0
008F4EB2 |. 85C0 test eax, eax
008F4EB4 |. 7E 0E jle short 008F4EC4
008F4EB6 |. 8D55 FC lea edx, dword ptr [ebp-0x4]
008F4EB9 |. B9 FFFFFF7F mov ecx, 0x7FFFFFFF
008F4EBE |. 92 xchg eax, edx
008F4EBF |. E8 D83CB1FF call 00408B9C
008F4EC4 |> 8B55 FC mov edx, dword ptr [ebp-0x4]
008F4EC7 |. B8 7C508F00 mov eax, 008F507C ; UNICODE "REGEDIT4"
008F4ECC |. E8 EF3DB1FF call 00408CC0
008F4ED1 |. 85C0 test eax, eax
008F4ED3 |. 7E 10 jle short 008F4EE5
008F4ED5 |. 8D48 08 lea ecx, dword ptr [eax+0x8]
008F4ED8 |. 8D45 FC lea eax, dword ptr [ebp-0x4]
008F4EDB |. BA 01000000 mov edx, 0x1
008F4EE0 |. E8 B73CB1FF call 00408B9C
008F4EE5 |> 8D55 EC lea edx, dword ptr [ebp-0x14]
008F4EE8 |. 8B45 FC mov eax, dword ptr [ebp-0x4]
008F4EEB |. E8 806EDDFF call 006CBD70
008F4EF0 |. 8B55 EC mov edx, dword ptr [ebp-0x14]
008F4EF3 |. 8D45 FC lea eax, dword ptr [ebp-0x4]
008F4EF6 |. E8 FD2BB1FF call 00407AF8
008F4EFB |. 6A 01 push 0x1
008F4EFD |. 8D45 E8 lea eax, dword ptr [ebp-0x18]
008F4F00 |. 50 push eax
008F4F01 |. 33C9 xor ecx, ecx
008F4F03 |. BA 9C508F00 mov edx, 008F509C
008F4F08 |. 8B45 FC mov eax, dword ptr [ebp-0x4]
008F4F0B |. E8 6080DDFF call 006CCF70
008F4F10 |. 8B55 E8 mov edx, dword ptr [ebp-0x18]
008F4F13 |. 8D45 FC lea eax, dword ptr [ebp-0x4]
008F4F16 |. E8 DD2BB1FF call 00407AF8
008F4F1B |. 8B55 F4 mov edx, dword ptr [ebp-0xC]
008F4F1E |. 8B45 FC mov eax, dword ptr [ebp-0x4]
008F4F21 |. E8 AA2BB8FF call 00477AD0
008F4F26 |. 8B45 F4 mov eax, dword ptr [ebp-0xC]
008F4F29 |. E8 A227B1FF call 004076D0
008F4F2E |. 8B45 FC mov eax, dword ptr [ebp-0x4]
008F4F31 |. 85C0 test eax, eax
008F4F33 |. 74 05 je short 008F4F3A
008F4F35 |. 83E8 04 sub eax, 0x4
008F4F38 |. 8B00 mov eax, dword ptr [eax]
008F4F3A |> 85C0 test eax, eax
008F4F3C |. 7E 7D jle short 008F4FBB
008F4F3E |. 8945 F0 mov dword ptr [ebp-0x10], eax
008F4F41 |. BB 01000000 mov ebx, 0x1
008F4F46 |> 8BD3 /mov edx, ebx
008F4F48 |. 8B45 FC |mov eax, dword ptr [ebp-0x4]
008F4F4B |. 85C0 |test eax, eax
008F4F4D |. 74 05 |je short 008F4F54
008F4F4F |. 83E8 04 |sub eax, 0x4
008F4F52 |. 8B00 |mov eax, dword ptr [eax]
008F4F54 |> 8BF2 |mov esi, edx
008F4F56 |. 8BF8 |mov edi, eax
008F4F58 |. 2BFE |sub edi, esi
008F4F5A |. 7C 59 |jl short 008F4FB5
008F4F5C |. 47 |inc edi
008F4F5D |> 8D45 E4 |/lea eax, dword ptr [ebp-0x1C]
008F4F60 |. 50 ||push eax
008F4F61 |. 8BCE ||mov ecx, esi
008F4F63 |. 2BCB ||sub ecx, ebx
008F4F65 |. 41 ||inc ecx
008F4F66 |. 8BD3 ||mov edx, ebx
008F4F68 |. 8B45 FC ||mov eax, dword ptr [ebp-0x4]
008F4F6B |. E8 E43BB1FF ||call 00408B54
008F4F70 |. 8B55 E4 ||mov edx, dword ptr [ebp-0x1C]
008F4F73 |. 8D45 F8 ||lea eax, dword ptr [ebp-0x8]
008F4F76 |. B9 00000000 ||mov ecx, 0x0
008F4F7B |. E8 0C33B1FF ||call 0040828C
008F4F80 |. 8D55 E0 ||lea edx, dword ptr [ebp-0x20]
008F4F83 |. 8B45 F8 ||mov eax, dword ptr [ebp-0x8]
008F4F86 |. E8 DDD9DDFF ||call 006D2968
008F4F8B |. 8B55 E0 ||mov edx, dword ptr [ebp-0x20]
008F4F8E |. 8D45 F8 ||lea eax, dword ptr [ebp-0x8]
008F4F91 |. E8 062CB1FF ||call 00407B9C
008F4F96 |. 837D F8 00 ||cmp dword ptr [ebp-0x8], 0x0
008F4F9A |. 74 15 ||je short 008F4FB1
008F4F9C |. 8B45 F4 ||mov eax, dword ptr [ebp-0xC]
008F4F9F |. 50 ||push eax
008F4FA0 |. 8BCE ||mov ecx, esi
008F4FA2 |. 2BCB ||sub ecx, ebx
008F4FA4 |. 41 ||inc ecx
008F4FA5 |. 8BD3 ||mov edx, ebx
008F4FA7 |. 8B45 FC ||mov eax, dword ptr [ebp-0x4]
008F4FAA |. E8 A53BB1FF ||call 00408B54
008F4FAF |. EB 0A ||jmp short 008F4FBB
008F4FB1 |> 46 ||inc esi
008F4FB2 |. 4F ||dec edi
008F4FB3 |.^ 75 A8 |\jnz short 008F4F5D
008F4FB5 |> 43 |inc ebx
008F4FB6 |. FF4D F0 |dec dword ptr [ebp-0x10]
008F4FB9 |.^ 75 8B \jnz short 008F4F46
008F4FBB |> 33C0 xor eax, eax
008F4FBD |. 5A pop edx
008F4FBE |. 59 pop ecx
008F4FBF |. 59 pop ecx
008F4FC0 |. 64:8910 mov dword ptr fs:[eax], edx
008F4FC3 |. 68 F54F8F00 push 008F4FF5
008F4FC8 |> 8D45 E0 lea eax, dword ptr [ebp-0x20]
008F4FCB |. E8 2427B1FF call 004076F4
008F4FD0 |. 8D45 E4 lea eax, dword ptr [ebp-0x1C]
008F4FD3 |. BA 03000000 mov edx, 0x3
008F4FD8 |. E8 5327B1FF call 00407730
008F4FDD |. 8D45 F8 lea eax, dword ptr [ebp-0x8]
008F4FE0 |. E8 0F27B1FF call 004076F4
008F4FE5 |. 8D45 FC lea eax, dword ptr [ebp-0x4]
008F4FE8 |. E8 E326B1FF call 004076D0
008F4FED \. C3 retn
008F4FEE .^ E9 2D1CB1FF jmp 00406C20
008F4FF3 .^ EB D3 jmp short 008F4FC8
008F4FF5 . 5F pop edi
008F4FF6 . 5E pop esi
008F4FF7 . 5B pop ebx
008F4FF8 . 8BE5 mov esp, ebp
008F4FFA . 5D pop ebp
008F4FFB . C3 retn
008F4FFC B0 db B0
008F4FFD 04 db 04
008F4FFE 02 db 02
008F4FFF 00 db 00
008F5000 FF db FF
008F5001 FF db FF
008F5002 FF db FF
008F5003 FF db FF
008F5004 17 db 17
008F5005 00 db 00
008F5006 00 db 00
008F5007 00 db 00
008F5008 . 2D00 2D00 2D0>unicode "-----KEY"
008F5018 . 2000 4200 450>unicode " BEGIN K"
008F5028 . 4500 5900 2D0>unicode "EY-----",0
008F5038 B0 db B0
008F5039 04 db 04
008F503A 02 db 02
008F503B 00 db 00
008F503C FF db FF
008F503D FF db FF
008F503E FF db FF
008F503F FF db FF
008F5040 15 db 15
008F5041 00 db 00
008F5042 00 db 00
008F5043 00 db 00
008F5044 . 2D00 2D00 2D0>unicode "-----KEY"
008F5054 . 2000 4500 4E0>unicode " END KEY"
008F5064 . 2D00 2D00 2D0>unicode "-----",0
008F5070 B0 db B0
008F5071 04 db 04
008F5072 02 db 02
008F5073 00 db 00
008F5074 FF db FF
008F5075 FF db FF
008F5076 FF db FF
008F5077 FF db FF
008F5078 08 db 08
008F5079 00 db 00
008F507A 00005200 dd notebook.00520000 ; UNICODE "arkSalmon"
008F507E 45004700 dd notebook.00470045
008F5082 45004400 dd notebook.00440045
008F5086 49005400 dd notebook.00540049
008F508A 34 db 34 ; CHAR '4'
008F508B 00 db 00
008F508C 00 db 00
008F508D 00 db 00
008F508E 00 db 00
008F508F 00 db 00
008F5090 B0 db B0
008F5091 04 db 04
008F5092 02 db 02
008F5093 00 db 00
008F5094 . FFFFFFFF dd FFFFFFFF
008F5098 . 01000000 dd 00000001
008F509C . 20 00 ascii " ",0
008F509E 00 db 00
008F509F 00 db 00
008F50A0 . 53 push ebx
008F50A1 . 8BD8 mov ebx, eax
008F50A3 . 8B83 94030000 mov eax, dword ptr [ebx+0x394]
008F50A9 . 8B10 mov edx, dword ptr [eax]
008F50AB . FF92 08010000 call dword ptr [edx+0x108]
008F50B1 . 8B83 94030000 mov eax, dword ptr [ebx+0x394]
008F50B7 . E8 70C9C1FF call 00511A2C
008F50BC . 5B pop ebx
008F50BD . C3 retn
008F50BE 8BC0 mov eax, eax
008F50C0 /. 55 push ebp
008F50C1 |. 8BEC mov ebp, esp
008F50C3 |. 33C9 xor ecx, ecx
008F50C5 |. 51 push ecx
008F50C6 |. 51 push ecx
008F50C7 |. 51 push ecx
008F50C8 |. 51 push ecx
008F50C9 |. 51 push ecx
008F50CA |. 51 push ecx
008F50CB |. 51 push ecx
008F50CC |. 53 push ebx
008F50CD |. 8BD8 mov ebx, eax
008F50CF |. 33C0 xor eax, eax
008F50D1 |. 55 push ebp
008F50D2 |. 68 28528F00 push 008F5228
008F50D7 |. 64:FF30 push dword ptr fs:[eax]
008F50DA |. 64:8920 mov dword ptr fs:[eax], esp
008F50DD |. B8 01000000 mov eax, 0x1
008F50E2 |. E8 B167DDFF call 006CB898
008F50E7 |. 33C0 xor eax, eax
008F50E9 |. 55 push ebp
008F50EA |. 68 39518F00 push 008F5139
008F50EF |. 64:FF30 push dword ptr fs:[eax]
008F50F2 |. 64:8920 mov dword ptr fs:[eax], esp
008F50F5 |. 8D55 F4 lea edx, dword ptr [ebp-0xC]
008F50F8 |. 8B83 94030000 mov eax, dword ptr [ebx+0x394]
008F50FE |. 8B80 A0020000 mov eax, dword ptr [eax+0x2A0]
008F5104 |. 8B08 mov ecx, dword ptr [eax]
008F5106 |. FF51 1C call dword ptr [ecx+0x1C]
008F5109 |. 8B45 F4 mov eax, dword ptr [ebp-0xC]
008F510C |. 8D55 F8 lea edx, dword ptr [ebp-0x8]
008F510F |. E8 44FDFFFF call 008F4E58
008F5114 |. 8B55 F8 mov edx, dword ptr [ebp-0x8]
008F5117 |. 8D45 FC lea eax, dword ptr [ebp-0x4]
008F511A |. B9 00000000 mov ecx, 0x0
008F511F |. E8 6831B1FF call 0040828C
008F5124 |. 33C0 xor eax, eax
008F5126 |. 5A pop edx
008F5127 |. 59 pop ecx
008F5128 |. 59 pop ecx
008F5129 |. 64:8910 mov dword ptr fs:[eax], edx
008F512C |. 68 40518F00 push 008F5140
008F5131 |> 33C0 xor eax, eax
008F5133 |. E8 6067DDFF call 006CB898
008F5138 \. C3 retn
008F5139 .^ E9 E21AB1FF jmp 00406C20
008F513E .^ EB F1 jmp short 008F5131
008F5140 . 837D FC 00 cmp dword ptr [ebp-0x4], 0x0
008F5144 . 0F84 9C000000 je 008F51E6
008F514A . 8D55 F0 lea edx, dword ptr [ebp-0x10]
008F514D . 8B45 FC mov eax, dword ptr [ebp-0x4]
008F5150 . E8 13D8DDFF call 006D2968
008F5155 . 837D F0 00 cmp dword ptr [ebp-0x10], 0x0
008F5159 . 0F84 87000000 je 008F51E6 ; 这一句感觉 超级重要
008F515F . 8D55 E8 lea edx, dword ptr [ebp-0x18]
008F5162 . A1 FCFEBF00 mov eax, dword ptr [0xBFFEFC]
008F5167 . 8B40 04 mov eax, dword ptr [eax+0x4]
008F516A . E8 1598DDFF call 006CE984
008F516F . FF75 E8 push dword ptr [ebp-0x18]
008F5172 . 68 40528F00 push 008F5240 ; UNICODE "notekey"
008F5177 . 68 5C528F00 push 008F525C
008F517C . 68 6C528F00 push 008F526C ; UNICODE ".bin"
008F5181 . 8D45 EC lea eax, dword ptr [ebp-0x14]
008F5184 . BA 04000000 mov edx, 0x4
008F5189 . E8 7E38B1FF call 00408A0C
008F518E . 8B45 EC mov eax, dword ptr [ebp-0x14]
008F5191 . 8B55 FC mov edx, dword ptr [ebp-0x4]
008F5194 . E8 FBB8DDFF call 006D0A94
008F5199 . 68 84528F00 push 008F5284 ; UNICODE "Registration complete."
008F519E . A1 3CFABF00 mov eax, dword ptr [0xBFFA3C]
008F51A3 . FF30 push dword ptr [eax]
008F51A5 . 68 C0528F00 push 008F52C0 ; UNICODE "Please restart "
008F51AA . 68 EC528F00 push 008F52EC ; UNICODE "AM-Notebook"
008F51AF . 68 10538F00 push 008F5310 ; UNICODE " !"
008F51B4 . 8D45 E4 lea eax, dword ptr [ebp-0x1C]
008F51B7 . BA 05000000 mov edx, 0x5
008F51BC . E8 4B38B1FF call 00408A0C
008F51C1 . 8B45 E4 mov eax, dword ptr [ebp-0x1C]
008F51C4 . E8 275EDDFF call 006CAFF0
008F51C9 . A1 70FABF00 mov eax, dword ptr [0xBFFA70]
008F51CE . 8B00 mov eax, dword ptr [eax]
008F51D0 . 8B80 AC030000 mov eax, dword ptr [eax+0x3AC]
008F51D6 . 33D2 xor edx, edx
008F51D8 . 8B08 mov ecx, dword ptr [eax]
008F51DA . FF51 68 call dword ptr [ecx+0x68]
008F51DD . 33C0 xor eax, eax
008F51DF . E8 205DDDFF call 006CAF04
008F51E4 . EB 0A jmp short 008F51F0
008F51E6 > B8 24538F00 mov eax, 008F5324 ; UNICODE "Sorry, but the entered License is not valid!"
008F51EB . E8 005EDDFF call 006CAFF0
008F4E58 /$ 55 push ebp
信息窗口下面
本地调用来自 008F510F, 008F53D8
008F510F |. E8 44FDFFFF call 008F4E58
008F53D8 |. E8 7BFAFFFF call 008F4E58 这两句很可能爆破后故事OK
-----KEY BEGIN KEY-----
sdfsfsdfsdfssdfsdfsdfssdsdfsfsdfsdfssdfsdfsddsd0998878787887fs
sddsd0998878787887fsddsd0998878787887fsddsd0998878787887
-----KEY END KEY-----
假的造好以后,从PUSH 开始 到KEY END KEY那几行的call 全部F2上,看情况?
果然断在 008F4E58 /$ 55 push ebp
008F516F . FF75 E8 push dword ptr [ebp-0x18]跟到这一句时,
发现重大结果
堆栈 ss:[0018F240]=02AC3C14, (UNICODE "C:\Users\Administrator\AppData\Roaming\aignes\AM-Notebook\config\")
008F518E . 8B45 EC mov eax, dword ptr [ebp-0x14] ; 这到这句时,更证明,我们分析的very good,因为下面的信息窗口中看到了完整的KEY路径
堆栈 ss:[0018F244]=02B2CFAC, (UNICODE "C:\Users\Administrator\AppData\Roaming\aignes\AM-Notebook\config\notekey1.bin")
eax=008F518E (notebook.008F518E)
C:\Users\Administrator\AppData\Roaming\aignes\AM-Notebook\config\notekey1.bin 果然生成了
接下来 下bp readfile
===================
==================
008F4E58 /$ 55 push ebp
008F4E59 |. 8BEC mov ebp, esp
008F4E5B |. 33C9 xor ecx, ecx
008F4E5D |. 51 push ecx
008F4E5E |. 51 push ecx
008F4E5F |. 51 push ecx
008F4E60 |. 51 push ecx
008F4E61 |. 51 push ecx
008F4E62 |. 51 push ecx
008F4E63 |. 51 push ecx
008F4E64 |. 51 push ecx
008F4E65 |. 53 push ebx
008F4E66 |. 56 push esi
008F4E67 |. 57 push edi
008F4E68 |. 8955 F4 mov dword ptr [ebp-0xC], edx
008F4E6B |. 8945 FC mov dword ptr [ebp-0x4], eax
008F4E6E |. 8B45 FC mov eax, dword ptr [ebp-0x4]
008F4E71 |. E8 3E29B1FF call 004077B4
008F4E76 |. 33C0 xor eax, eax
008F4E78 |. 55 push ebp
008F4E79 |. 68 EE4F8F00 push 008F4FEE
008F4E7E |. 64:FF30 push dword ptr fs:[eax]
008F4E81 |. 64:8920 mov dword ptr fs:[eax], esp
008F4E84 |. 8B55 FC mov edx, dword ptr [ebp-0x4]
008F4E87 |. B8 08508F00 mov eax, 008F5008 ; UNICODE "-----KEY BEGIN KEY-----"
008F4E8C |. E8 2F3EB1FF call 00408CC0
008F4E91 |. 85C0 test eax, eax
008F4E93 |. 7E 10 jle short 008F4EA5 ; f8到这时,灰线,跳转未发生
008F4E95 |. 8D48 17 lea ecx, dword ptr [eax+0x17]
008F4E98 |. 8D45 FC lea eax, dword ptr [ebp-0x4]
008F4E9B |. BA 01000000 mov edx, 0x1
008F4EA0 |. E8 F73CB1FF call 00408B9C
008F4EA5 |> 8B55 FC mov edx, dword ptr [ebp-0x4]
008F4EA8 |. B8 44508F00 mov eax, 008F5044 ; UNICODE "-----KEY END KEY-----"
008F4EAD |. E8 0E3EB1FF call 00408CC0
008F4EB2 |. 85C0 test eax, eax
008F4EB4 |. 7E 0E jle short 008F4EC4 ; 同理,也是灰线,未发生跳,依然改O标志位
008F4EB6 |. 8D55 FC lea edx, dword ptr [ebp-0x4]
008F4EB9 |. B9 FFFFFF7F mov ecx, 0x7FFFFFFF
008F4EBE |. 92 xchg eax, edx
008F4EBF |. E8 D83CB1FF call 00408B9C
008F4EC4 |> 8B55 FC mov edx, dword ptr [ebp-0x4]
008F4EC7 |. B8 7C508F00 mov eax, 008F507C ; UNICODE "REGEDIT4"
008F4ECC |. E8 EF3DB1FF call 00408CC0
008F4ED1 |. 85C0 test eax, eax
008F4ED3 |. 7E 10 jle short 008F4EE5 ; 这次是发生,后面的状况不明?
008F4ED5 |. 8D48 08 lea ecx, dword ptr [eax+0x8]
008F4ED8 |. 8D45 FC lea eax, dword ptr [ebp-0x4]
008F4EDB |. BA 01000000 mov edx, 0x1
008F4EE0 |. E8 B73CB1FF call 00408B9C
008F4EE5 |> 8D55 EC lea edx, dword ptr [ebp-0x14]
008F4EE8 |. 8B45 FC mov eax, dword ptr [ebp-0x4]
008F4EEB |. E8 806EDDFF call 006CBD70
008F4EF0 |. 8B55 EC mov edx, dword ptr [ebp-0x14]
008F4EF3 |. 8D45 FC lea eax, dword ptr [ebp-0x4]
008F4EF6 |. E8 FD2BB1FF call 00407AF8
008F4EFB |. 6A 01 push 0x1
008F4EFD |. 8D45 E8 lea eax, dword ptr [ebp-0x18]
008F4F00 |. 50 push eax
008F4F01 |. 33C9 xor ecx, ecx
008F4F03 |. BA 9C508F00 mov edx, 008F509C
008F4F08 |. 8B45 FC mov eax, dword ptr [ebp-0x4]
008F4F0B |. E8 6080DDFF call 006CCF70
008F4F10 |. 8B55 E8 mov edx, dword ptr [ebp-0x18]
008F4F13 |. 8D45 FC lea eax, dword ptr [ebp-0x4]
008F4F16 |. E8 DD2BB1FF call 00407AF8
008F4F1B |. 8B55 F4 mov edx, dword ptr [ebp-0xC]
008F4F1E |. 8B45 FC mov eax, dword ptr [ebp-0x4]
008F4F21 |. E8 AA2BB8FF call 00477AD0
008F4F26 |. 8B45 F4 mov eax, dword ptr [ebp-0xC]
008F4F29 |. E8 A227B1FF call 004076D0
008F4F2E |. 8B45 FC mov eax, dword ptr [ebp-0x4]
008F4F31 |. 85C0 test eax, eax
008F4F33 |. 74 05 je short 008F4F3A ; 改Z为1,让它发生,也许这里不对
008F4F35 |. 83E8 04 sub eax, 0x4
008F4F38 |. 8B00 mov eax, dword ptr [eax]
008F4F3A |> 85C0 test eax, eax
008F4F3C |. 7E 7D jle short 008F4FBB ; 这个未发生,不理会
008F4F3E |. 8945 F0 mov dword ptr [ebp-0x10], eax
008F4F41 |. BB 01000000 mov ebx, 0x1
008F4F46 |> 8BD3 /mov edx, ebx
008F4F48 |. 8B45 FC |mov eax, dword ptr [ebp-0x4]
008F4F4B |. 85C0 |test eax, eax
008F4F4D |. 74 05 |je short 008F4F54
008F4F4F |. 83E8 04 |sub eax, 0x4
008F4F52 |. 8B00 |mov eax, dword ptr [eax]
008F4F54 |> 8BF2 |mov esi, edx
008F4F56 |. 8BF8 |mov edi, eax
008F4F58 |. 2BFE |sub edi, esi
008F4F5A |. 7C 59 |jl short 008F4FB5
008F4F5C |. 47 |inc edi
008F4F5D |> 8D45 E4 |/lea eax, dword ptr [ebp-0x1C]
008F4F60 |. 50 ||push eax
008F4F61 |. 8BCE ||mov ecx, esi
008F4F63 |. 2BCB ||sub ecx, ebx
008F4F65 |. 41 ||inc ecx
008F4F66 |. 8BD3 ||mov edx, ebx
008F4F68 |. 8B45 FC ||mov eax, dword ptr [ebp-0x4]
008F4F6B |. E8 E43BB1FF ||call 00408B54
008F4F70 |. 8B55 E4 ||mov edx, dword ptr [ebp-0x1C]
008F4F73 |. 8D45 F8 ||lea eax, dword ptr [ebp-0x8]
008F4F76 |. B9 00000000 ||mov ecx, 0x0
008F4F7B |. E8 0C33B1FF ||call 0040828C
008F4F80 |. 8D55 E0 ||lea edx, dword ptr [ebp-0x20]
008F4F83 |. 8B45 F8 ||mov eax, dword ptr [ebp-0x8]
008F4F86 |. E8 DDD9DDFF ||call 006D2968
008F4F8B |. 8B55 E0 ||mov edx, dword ptr [ebp-0x20]
008F4F8E |. 8D45 F8 ||lea eax, dword ptr [ebp-0x8]
008F4F91 |. E8 062CB1FF ||call 00407B9C
008F4F96 |. 837D F8 00 ||cmp dword ptr [ebp-0x8], 0x0
008F4F9A |. 74 15 ||je short 008F4FB1
008F4F9C |. 8B45 F4 ||mov eax, dword ptr [ebp-0xC]
008F4F9F |. 50 ||push eax
008F4FA0 |. 8BCE ||mov ecx, esi
008F4FA2 |. 2BCB ||sub ecx, ebx
008F4FA4 |. 41 ||inc ecx
008F4FA5 |. 8BD3 ||mov edx, ebx
008F4FA7 |. 8B45 FC ||mov eax, dword ptr [ebp-0x4]
008F4FAA |. E8 A53BB1FF ||call 00408B54
008F4FAF |. EB 0A ||jmp short 008F4FBB
008F4FB1 |> 46 ||inc esi
008F4FB2 |. 4F ||dec edi
008F4FB3 |.^ 75 A8 |\jnz short 008F4F5D
008F4FB5 |> 43 |inc ebx
008F4FB6 |. FF4D F0 |dec dword ptr [ebp-0x10] ; 直接这里F4
008F4FB9 |.^ 75 8B \jnz short 008F4F46
008F4FBB |> 33C0 xor eax, eax
008F4FBD |. 5A pop edx
008F4FBE |. 59 pop ecx
008F4FBF |. 59 pop ecx
008F4FC0 |. 64:8910 mov dword ptr fs:[eax], edx
008F4FC3 |. 68 F54F8F00 push 008F4FF5
008F4FC8 |> 8D45 E0 lea eax, dword ptr [ebp-0x20]
008F4FCB |. E8 2427B1FF call 004076F4
008F4FD0 |. 8D45 E4 lea eax, dword ptr [ebp-0x1C]
008F4FD3 |. BA 03000000 mov edx, 0x3
008F4FD8 |. E8 5327B1FF call 00407730
008F4FDD |. 8D45 F8 lea eax, dword ptr [ebp-0x8]
008F4FE0 |. E8 0F27B1FF call 004076F4
008F4FE5 |. 8D45 FC lea eax, dword ptr [ebp-0x4]
008F4FE8 |. E8 E326B1FF call 004076D0
008F4FED \. C3 retn
008F4FEE .^ E9 2D1CB1FF jmp 00406C20
008F4FF3 .^ EB D3 jmp short 008F4FC8
008F4FF5 . 5F pop edi
008F4FF6 . 5E pop esi
008F4FF7 . 5B pop ebx
008F4FF8 . 8BE5 mov esp, ebp
008F4FFA . 5D pop ebp
008F4FFB . C3 retn
008F4FFC B0 db B0
008F4FFD 04 db 04
008F4FFE 02 db 02
008F4FFF 00 db 00
008F5000 FF db FF
008F5001 FF db FF
008F5002 FF db FF
008F5003 FF db FF
008F5004 17 db 17
008F5005 00 db 00
008F5006 00 db 00
008F5007 00 db 00
008F5008 . 2D00 2D00 2D0>unicode "-----KEY"
008F5018 . 2000 4200 450>unicode " BEGIN K"
008F5028 . 4500 5900 2D0>unicode "EY-----",0
008F5038 B0 db B0
008F5039 04 db 04
008F503A 02 db 02
008F503B 00 db 00
008F503C FF db FF
008F503D FF db FF
008F503E FF db FF
008F503F FF db FF
008F5040 15 db 15
008F5041 00 db 00
008F5042 00 db 00
008F5043 00 db 00
008F5044 . 2D00 2D00 2D0>unicode "-----KEY"
008F5054 . 2000 4500 4E0>unicode " END KEY"
008F5064 . 2D00 2D00 2D0>unicode "-----",0
008F5070 B0 db B0
008F5071 04 db 04
008F5072 02 db 02
008F5073 00 db 00
008F5074 FF db FF
008F5075 FF db FF
008F5076 FF db FF
008F5077 FF db FF
008F5078 08 db 08
008F5079 00 db 00
008F507A 00005200 dd notebook.00520000 ; UNICODE "arkSalmon"
008F507E 45004700 dd notebook.00470045
008F5082 45004400 dd notebook.00440045
008F5086 49005400 dd notebook.00540049
008F508A 34 db 34 ; CHAR '4'
008F508B 00 db 00
008F508C 00 db 00
008F508D 00 db 00
008F508E 00 db 00
008F508F 00 db 00
008F5090 B0 db B0
008F5091 04 db 04
008F5092 02 db 02
008F5093 00 db 00
008F5094 . FFFFFFFF dd FFFFFFFF
008F5098 . 01000000 dd 00000001
008F509C . 20 00 ascii " ",0
008F509E 00 db 00
008F509F 00 db 00
008F50A0 . 53 push ebx
008F50A1 . 8BD8 mov ebx, eax
008F50A3 . 8B83 94030000 mov eax, dword ptr [ebx+0x394]
008F50A9 . 8B10 mov edx, dword ptr [eax]
008F50AB . FF92 08010000 call dword ptr [edx+0x108]
008F50B1 . 8B83 94030000 mov eax, dword ptr [ebx+0x394]
008F50B7 . E8 70C9C1FF call 00511A2C
008F50BC . 5B pop ebx
008F50BD . C3 retn
008F50BE 8BC0 mov eax, eax
008F50C0 /. 55 push ebp
008F50C1 |. 8BEC mov ebp, esp
008F50C3 |. 33C9 xor ecx, ecx
008F50C5 |. 51 push ecx
008F50C6 |. 51 push ecx
008F50C7 |. 51 push ecx
008F50C8 |. 51 push ecx
008F50C9 |. 51 push ecx
008F50CA |. 51 push ecx
008F50CB |. 51 push ecx
008F50CC |. 53 push ebx
008F50CD |. 8BD8 mov ebx, eax
008F50CF |. 33C0 xor eax, eax
008F50D1 |. 55 push ebp
008F50D2 |. 68 28528F00 push 008F5228
008F50D7 |. 64:FF30 push dword ptr fs:[eax]
008F50DA |. 64:8920 mov dword ptr fs:[eax], esp
008F50DD |. B8 01000000 mov eax, 0x1
008F50E2 |. E8 B167DDFF call 006CB898
008F50E7 |. 33C0 xor eax, eax
008F50E9 |. 55 push ebp
008F50EA |. 68 39518F00 push 008F5139
008F50EF |. 64:FF30 push dword ptr fs:[eax]
008F50F2 |. 64:8920 mov dword ptr fs:[eax], esp
008F50F5 |. 8D55 F4 lea edx, dword ptr [ebp-0xC]
008F50F8 |. 8B83 94030000 mov eax, dword ptr [ebx+0x394]
008F50FE |. 8B80 A0020000 mov eax, dword ptr [eax+0x2A0]
008F5104 |. 8B08 mov ecx, dword ptr [eax]
008F5106 |. FF51 1C call dword ptr [ecx+0x1C]
008F5109 |. 8B45 F4 mov eax, dword ptr [ebp-0xC]
008F510C |. 8D55 F8 lea edx, dword ptr [ebp-0x8]
008F510F E8 44FDFFFF call 008F4E58
008F5114 |. 8B55 F8 mov edx, dword ptr [ebp-0x8]
008F5117 |. 8D45 FC lea eax, dword ptr [ebp-0x4]
008F511A |. B9 00000000 mov ecx, 0x0
008F511F |. E8 6831B1FF call 0040828C
008F5124 |. 33C0 xor eax, eax
008F5126 |. 5A pop edx
008F5127 |. 59 pop ecx
008F5128 |. 59 pop ecx
008F5129 |. 64:8910 mov dword ptr fs:[eax], edx
008F512C |. 68 40518F00 push 008F5140
008F5131 |> 33C0 xor eax, eax
008F5133 |. E8 6067DDFF call 006CB898
008F5138 \. C3 retn
008F5139 .^ E9 E21AB1FF jmp 00406C20
008F513E .^ EB F1 jmp short 008F5131
008F5140 . 837D FC 00 cmp dword ptr [ebp-0x4], 0x0
008F5144 . 0F84 9C000000 je 008F51E6 ; 不能让它跳
008F514A . 8D55 F0 lea edx, dword ptr [ebp-0x10]
008F514D . 8B45 FC mov eax, dword ptr [ebp-0x4]
008F5150 . E8 13D8DDFF call 006D2968
008F5155 . 837D F0 00 cmp dword ptr [ebp-0x10], 0x0
008F5159 . 0F84 87000000 je 008F51E6 ; 这一句感觉 超级重要,还是不能让它跳~~
008F515F . 8D55 E8 lea edx, dword ptr [ebp-0x18]
008F5162 . A1 FCFEBF00 mov eax, dword ptr [0xBFFEFC]
008F5167 . 8B40 04 mov eax, dword ptr [eax+0x4]
008F516A . E8 1598DDFF call 006CE984
008F516F . FF75 E8 push dword ptr [ebp-0x18]
008F5172 . 68 40528F00 push 008F5240 ; UNICODE "notekey"
008F5177 . 68 5C528F00 push 008F525C
008F517C . 68 6C528F00 push 008F526C ; UNICODE ".bin"
008F5181 . 8D45 EC lea eax, dword ptr [ebp-0x14]
008F5184 . BA 04000000 mov edx, 0x4
008F5189 . E8 7E38B1FF call 00408A0C
008F518E . 8B45 EC mov eax, dword ptr [ebp-0x14] ; 这到这句时,更证明,我们分析的very good,因为下面的信息窗口中看到了完整的KEY路径
008F5191 . 8B55 FC mov edx, dword ptr [ebp-0x4]
008F5194 . E8 FBB8DDFF call 006D0A94
008F5199 . 68 84528F00 push 008F5284 ; UNICODE "Registration complete."
008F519E . A1 3CFABF00 mov eax, dword ptr [0xBFFA3C]
008F51A3 . FF30 push dword ptr [eax]
008F51A5 . 68 C0528F00 push 008F52C0 ; UNICODE "Please restart "
008F51AA . 68 EC528F00 push 008F52EC ; UNICODE "AM-Notebook"
008F51AF . 68 10538F00 push 008F5310 ; UNICODE " !"
008F51B4 . 8D45 E4 lea eax, dword ptr [ebp-0x1C]
008F51B7 . BA 05000000 mov edx, 0x5
008F51BC . E8 4B38B1FF call 00408A0C
008F51C1 . 8B45 E4 mov eax, dword ptr [ebp-0x1C]
008F51C4 . E8 275EDDFF call 006CAFF0 ; 注册成功,请重新启动~~
0045AFC7 |. 85C0 |test eax, eax
bp readfile堆栈回到这里后,来到此处============〉
0045AFB5 |. 8D45 FC |lea eax, dword ptr [ebp-0x4] ; |
0045AFB8 |. 50 |push eax ; |pBytesRead
0045AFB9 |. 6A 38 |push 0x38 ; |BytesToRead = 38 (56.)38字节应该是长度
0045AFBB |. 56 |push esi ; |Buffer
0045AFBC |. A1 54CFBC00 |mov eax, dword ptr [0xBCCF54] ; |
0045AFC1 |. 50 |push eax ; |hFile => NULL
0045AFC2 |. E8 7530FBFF |call <jmp.&kernel32.ReadFile> ; \ReadFile
0045AFC7 |. 85C0 |test eax, eax
0045AFC9 |. 74 05 |je short 0045AFD0
0045AFCB |. 833E 00 |cmp dword ptr [esi], 0x0
0045AFCE |.^ 75 BF \jnz short 0045AF8F
0045AF8F |> /837D FC 38 /cmp dword ptr [ebp-0x4], 0x38
0045AF93 |. |75 1E |jnz short 0045AFB3
0045AF95 |. |8BC6 |mov eax, esi
0045AF97 |. |E8 00FBFFFF |call 0045AA9C
0045AF9C |. |8B06 |mov eax, dword ptr [esi]
0045AF9E |. |50 |push eax ; /hEvent
0045AF9F |. |E8 F030FBFF |call <jmp.&kernel32.SetEvent> ; \SetEvent
0045AFA4 |. |6A 00 |push 0x0 ; /lParam = 0x0
0045AFA6 |. |6A 00 |push 0x0 ; |wParam = 0x0
0045AFA8 |. |6A 00 |push 0x0 ; |Message = WM_NULL
0045AFAA |. |8B46 04 |mov eax, dword ptr [esi+0x4] ; |
0045AFAD |. |50 |push eax ; |ThreadId
0045AFAE |. |E8 213EFBFF |call <jmp.&user32.PostThreadMessageW>; \PostThreadMessageW
0045AFB3 |> |6A 00 push 0x0 ; /pOverlapped = NULL
0045AFB5 |. |8D45 FC |lea eax, dword ptr [ebp-0x4] ; |
0045AFB8 |. |50 |push eax ; |pBytesRead
0045AFB9 |. |6A 38 |push 0x38 ; |BytesToRead = 38 (56.)
0045AFBB |. |56 |push esi ; |Buffer
0045AFBC |. |A1 54CFBC00 |mov eax, dword ptr [0xBCCF54] ; |
0045AFC1 |. |50 |push eax ; |hFile => 00000104 (window)
0045AFC2 |. |E8 7530FBFF |call <jmp.&kernel32.ReadFile> ; \ReadFile
0045AFC7 |. |85C0 |test eax, eax
0045AFC9 |74 05 je short 0045AFD0
0045AFCB |. |833E 00 |cmp dword ptr [esi], 0x0
0045AFCE |.^\75 BF \jnz short 0045AF8F
这一小段,非常有意思,判断是否是38个字节?完蛋就KO
0045AFD4 |. 8BE5 mov esp, ebp ; 尝试在这里下手~~~~
0057EC31 . E8 C6FCFFFF call 0057E8FC
0057EC36 . 33C0 xor eax, eax
0057EC38 . 5A pop edx
0057EC39 . 59 pop ecx
0057EC3A . 59 pop ecx
0057EC3B . 64:8910 mov dword ptr fs:[eax], edx
0057EC3E . EB 15 jmp short 0057EC55
0057EC40 .^ E9 277DE8FF jmp 0040696C
0057EC45 . 8B55 FC mov edx, dword ptr [ebp-0x4]
0057EC48 . 8B45 FC mov eax, dword ptr [ebp-0x4]
0057EC4B . E8 D0000000 call 0057ED20
0057EC50 . E8 3382E8FF call 00406E88
008FB599 . B9 84BC8F00 mov ecx, 008FBC84 ; config 启动时断下
00B47E84 . BA CC82B400 mov edx, 00B482CC ; config
00B4878E |. BA 0C89B400 mov edx, 00B4890C ; amnotebook_config\*
00B4878E |. BA 0C89B400 mov edx, 00B4890C ; amnotebook_config\*
00B49E0E |. BA B49EB400 mov edx, 00B49EB4 ; config
008FB85C . 8D45 FC lea eax, dword ptr [ebp-0x4]
008FB85F . E8 B01CDDFF call 006CD514
从上面的成果F8到这里时,发现 读C:\Users\Administrator\AppData\Roaming\aignes\AM-Notebook\config
008FB918 . 8B55 88 mov edx, dword ptr [ebp-0x78] ; 发现config……快出来了,慢点~~
008FBA4E . BA F8BC8F00 mov edx, 008FBCF8 ; nbcommon.ini
008FBA53 . E8 D4CEB0FF call 0040892C
008FBA58 . 8B85 7CFFFFFF mov eax, dword ptr [ebp-0x84]
008FBA5E . B9 58C08F00 mov ecx, 008FC058 ; Lite
008FBA63 . BA 40BD8F00 mov edx, 008FBD40 ; general
008FBA68 . E8 0F4ADDFF call 006D047C
008FBA6D . 8B45 80 mov eax, dword ptr [ebp-0x80]
008FBA70 . BA 5CBD8F00 mov edx, 008FBD5C ; 1
008FBA75 . E8 A2D0B0FF call 00408B1C
008FBA7A . 0F95C0 setne al 根据您的配置文件判断,你到底是便携版本还是……
008FBBDF . B9 34C18F00 mov ecx, 008FC134 ; SetupData 这是啥?说明这里判断注册表日期
008FBBE4 . BA 54C18F00 mov edx, 008FC154 ; \Software\aignes\amnotebook
008FBBE9 . B8 01000080 mov eax, 0x80000001
00B7F22A . B8 2004B800 mov eax, 00B80420 ; /minimize 这又是啥?notebook启动的参数
00B31061 . BA FC10B300 mov edx, 00B310FC ; .ext发现这东西,扩展名,靠,就用你当垫脚~果然启动断下
中文搜索引擎, 条目 10783
地址=008F7F99
反汇编=mov edx,008F8070
文本字符串=\Software\CLASSES\CLSID\
中文搜索引擎, 条目 10784
地址=008F8123
反汇编=mov edx,008F8284
文本字符串=\Software\CLASSES\CLSID\
中文搜索引擎, 条目 10785
地址=008F8178
反汇编=mov edx,008F82C4
文本字符串=InProcServer32
中文搜索引擎, 条目 10786
地址=008F8197
反汇编=mov edx,008F82C4
文本字符串=InProcServer32
以上这几行的作用是让你的注册表30天之后作废,软件过期
通过winhex学习又学会了内存断点:
mnubuynow
mnuerrorlog
但再反回到OD到得到的数值在未解压缩的段中
00B371D3 . 68 D47DB300 push 00B37DD4 ; .bin
直接能断下,并且看到寄存器窗口中
C:\Users\Administrator\AppData\Roaming\aignes\AM-Notebook\config路径~~
00B371FD . /74 7D je short 00B3727C 看来这句非常重要了
SETL 条件为假
4.0的,内存补丁,再改下面几行,buy now 字样可除。
00B371FD /74 7D je short 00B3727C ; 这里改成JMP
00B3728B /75 20 JNZ short 00B372AD ; JMP 同理,马上就有,也改
00B38127 /74 25 je short 00B3814E NOP,OD中成功,内存补丁没成功。
以上可能再努力下,就能彻底变成注册版本的了!!!!!!!
做内存补丁,还得加上以前的成果
00B7F1D7 . /74 0F je Xnotebook.00B7F1E8
00B812B3 /74 41 je Xnotebook.00B812F6 ;屏幕初始化
00B9105C . /74 41 je Xnotebook.00B9109F
00B38120 83B8 20010000>cmp dword ptr [eax+0x120], 0x0 改成 0x1试试
成功除掉ErrorLog字样
00B38127 |. /74 25 je short 00B3814E
00B9105C /EB 41 jmp short 00B9109F
eax=028EC81C, (UNICODE "C:\Users\Administrator\AppData\Roaming\aignes\AM-Notebook\config\notekey1.bin")
本地调用来自 0040A2FB, 0040AAAE, 0040AE7B, 0040AED8, 0040AF4D, 0040AF55, 0040B017, 0040B0E8, 0040B0F0, 0040F99F, 0041D193, 0042A328, 0042A479, 0042B1C2, 004454BC, 0044842D, 00449D04, 0044B354, 0044B546, 0044DD2B, 0044E621, 0044F693, 004506D2, M)
ebx=05B60B20
本地调用来自 0047D814, 004B0354, 004B0699, 004B0AA8, 004B40E1, 004B4155, 004B41A4, 004B41CB, 00556C55, 00556CD5, 0059F80D, 005A9D48, 005ABAD1, 005BFA77, 0062C69B, 0062CCD3, 0065FADF, 00666898, 006668BB, 006668D1, 00666991, 006669BA, 006785B7, M)
00B37205 . E8 B295B9FF call 006D07BC ; 这句时程序进到界面里
00B3720A . 8D85 74FFFFFF lea eax, dword ptr [ebp-0x8C]
00B37210 . 8B55 C4 mov edx, dword ptr [ebp-0x3C]
00B37213 . E8 D8158DFF call 004087F0 ; 终于看到读KEY的部分了
00B37218 . 8B85 74FFFFFF mov eax, dword ptr [ebp-0x8C]
00B3721E . 8D95 78FFFFFF lea edx, dword ptr [ebp-0x88]
00B37224 . E8 A70894FF call 00477AD0
00B37229 . 8B95 78FFFFFF mov edx, dword ptr [ebp-0x88]
00B3722F . 8D45 FC lea eax, dword ptr [ebp-0x4]
00B37232 . B9 00000000 mov ecx, 0x0
00B37237 . E8 50108DFF call 0040828C
00B3723C . 8D95 70FFFFFF lea edx, dword ptr [ebp-0x90]
00B37242 . 8B45 FC mov eax, dword ptr [ebp-0x4]
00B37245 . E8 1EB7B9FF call 006D2968
00B3724A . 8B95 70FFFFFF mov edx, dword ptr [ebp-0x90]
00B37250 . 8D45 FC lea eax, dword ptr [ebp-0x4]
00B37253 . E8 44098DFF call 00407B9C
00B37258 . 8D95 6CFFFFFF lea edx, dword ptr [ebp-0x94]
00B3725E . 8D45 FC lea eax, dword ptr [ebp-0x4]
00B37261 . E8 0E52B9FF call 006CC474
00B37266 . 8D55 F4 lea edx, dword ptr [ebp-0xC]
00B37269 . 8D45 FC lea eax, dword ptr [ebp-0x4]
00B3726C . E8 0352B9FF call 006CC474
00B37271 . 8D55 EC lea edx, dword ptr [ebp-0x14]
00B37274 . 8D45 FC lea eax, dword ptr [ebp-0x4]
00B37277 . E8 F851B9FF call 006CC474
00B3727C > 8D45 F8 lea eax, dword ptr [ebp-0x8]
00B3727F . 8B55 EC mov edx, dword ptr [ebp-0x14]
00B37282 . E8 15098DFF call 00407B9C ; 啥用 ? 不明
C:\Users\Administrator\AppData\Roaming\aignes\AM-Notebook\config\notekey1.bin
"-----KEY BEGIN KEY-----",0
This is a license files.
B7A6C2A1E6B6BEF19DD4C4839CBDFEF08592
"-----KEY END KEY-----",0
00B37322 . B8 EC7DB300 mov eax,notebook.00B37DEC ; B7A6C2A1E6B6BEF19DD4C4839CBDFEF08592
00B37213 . E8 D8158DFF call notebook.004087F0 key begin key 我们输入的假码
00407766 |> /8B13 /mov edx,dword ptr ds:[ebx] 以下是个小循环
00407768 |. |85D2 |test edx,edx
0040776A |. |74 1A |je Xnotebook.00407786
0040776C |. |C703 00000000 |mov dword ptr ds:[ebx],0x0
00407772 |. |8B4A F8 |mov ecx,dword ptr ds:[edx-0x8]
00407775 |. |49 |dec ecx
00407776 |. |7C 0E |jl Xnotebook.00407786
00407778 |. |F0:FF4A F8 |lock dec dword ptr ds:[edx-0x8]
0040777C |. |75 08 |jnz Xnotebook.00407786
0040777E |. |8D42 F4 |lea eax,dword ptr ds:[edx-0xC]
00407781 |. |E8 1ECDFFFF |call notebook.004044A4
00407786 |> |83C3 04 |add ebx,0x4
00407789 |. |4E |dec esi
0040778A |.^\75 DA \jnz Xnotebook.00407766
出来之后不久 就是便携版 PRO版 等版本的选择处了
===================
00B380F8 /$ 55 push ebp
00B380F9 |. 8BEC mov ebp,esp
00B380FB |. 6A 00 push 0x0
00B380FD |. 6A 00 push 0x0
00B380FF |. 53 push ebx
00B38100 |. 33C0 xor eax,eax
00B38102 |. 55 push ebp
00B38103 |. 68 6082B300 push notebook.00B38260
00B38108 |. 64:FF30 push dword ptr fs:[eax]
00B3810B |. 64:8920 mov dword ptr fs:[eax],esp
00B3810E |. E8 9DC88CFF call notebook.004049B0
00B38113 |. 8D45 FC lea eax,[local.1]
00B38116 |. E8 6DF0FFFF call notebook.00B37188
00B3811B |. A1 FCFEBF00 mov eax,dword ptr ds:[0xBFFEFC]
00B38120 |. 83B8 20010000>cmp dword ptr ds:[eax+0x120],0x0
00B38127 |. 74 25 je Xnotebook.00B3814E
00B38129 |. A1 20FEBF00 mov eax,dword ptr ds:[0xBFFE20]
00B3812E |. C740 08 01000>mov dword ptr ds:[eax+0x8],0x1
00B38135 |. A1 70FABF00 mov eax,dword ptr ds:[0xBFFA70]
00B3813A |. 8B00 mov eax,dword ptr ds:[eax]
00B3813C |. 8B80 C00B0000 mov eax,dword ptr ds:[eax+0xBC0]
00B38142 |. 33D2 xor edx,edx
00B38144 |. E8 DFD6ABFF call notebook.005F5828
00B38149 |. E9 F7000000 jmp notebook.00B38245
00B3814E |> A1 28F8BF00 mov eax,dword ptr ds:[0xBFF828]
00B38153 |. 8038 00 cmp byte ptr ds:[eax],0x0
00B38156 |. 74 73 je Xnotebook.00B381CB
00B38158 |. 68 7882B300 push notebook.00B38278 ; The portable PRO Edition doesn't have a trial period and requires a license key.
00B3815D |. A1 3CFABF00 mov eax,dword ptr ds:[0xBFFA3C]
00B38162 |. FF30 push dword ptr ds:[eax]
00B38164 |. A1 3CFABF00 mov eax,dword ptr ds:[0xBFFA3C]
00B38169 |. FF30 push dword ptr ds:[eax]
00B3816B |. 68 2883B300 push notebook.00B38328 ; If you haven't purchased AM-Notebook yet and want to evaluate the PRO Edition,
00B38170 |. A1 3CFABF00 mov eax,dword ptr ds:[0xBFFA3C]
00B38175 |. FF30 push dword ptr ds:[eax]
00B38177 |. 68 D483B300 push notebook.00B383D4 ; then you can do that by installing the desktop version to your hard disk.
00B3817C |. 8D45 F8 lea eax,[local.2]
00B3817F |. BA 06000000 mov edx,0x6
00B38184 |. E8 83088DFF call notebook.00408A0C
00B38189 |. 8B45 F8 mov eax,[local.2]
00B3818C |. E8 0F2FB9FF call notebook.006CB0A0
00B38191 |. 8B0D 00F6BF00 mov ecx,dword ptr ds:[0xBFF600] ; notebook.00C07970
00B38197 |. A1 B8FCBF00 mov eax,dword ptr ds:[0xBFFCB8]
00B3819C |. 8B00 mov eax,dword ptr ds:[eax]
00B3819E |. 8B15 D84B8F00 mov edx,dword ptr ds:[0x8F4BD8] ; notebook.008F4C30
00B381A4 |. E8 6F68A4FF call notebook.0057EA18
00B381A9 |. A1 00F6BF00 mov eax,dword ptr ds:[0xBFF600]
00B381AE |. 8B00 mov eax,dword ptr ds:[eax]
00B381B0 |. 8B10 mov edx,dword ptr ds:[eax]
00B381B2 |. FF92 14010000 call dword ptr ds:[edx+0x114]
00B381B8 |. A1 00F6BF00 mov eax,dword ptr ds:[0xBFF600]
00B381BD |. 8B00 mov eax,dword ptr ds:[eax]
00B381BF |. E8 0421A4FF call notebook.0057A2C8
00B381C4 |. 33C0 xor eax,eax
00B381C6 |. E8 392DB9FF call notebook.006CAF04
00B381CB |> 68 5B020000 push 0x25B
00B381D0 |. 6A 1E push 0x1E
00B381D2 |. 6A 01 push 0x1
00B381D4 |. B9 02000000 mov ecx,0x2
00B381D9 |. BA 7484B300 mov edx,notebook.00B38474 ; AM-Notebook
00B381DE |. B8 9884B300 mov eax,notebook.00B38498 ; \Software\aignes\amnotebook
00B381E3 |. E8 DCF8DBFF call notebook.008F7AC4
00B381E8 |. 8BD8 mov ebx,eax
00B381EA |. A1 FCFEBF00 mov eax,dword ptr ds:[0xBFFEFC]
00B381EF |. 8998 38010000 mov dword ptr ds:[eax+0x138],ebx
00B381F5 |. A1 FCFEBF00 mov eax,dword ptr ds:[0xBFFEFC]
00B381FA |. 83FB 1E cmp ebx,0x1E =============>当你跟到这里的时候,自然明白是比较是否为30天,下一句修改就是开关啦!
00B381FD 7E 46 jle Xnotebook.00B38245
破解之后的内存补丁欣赏:是不是感觉跟正版的一样$@$