- UID
- 68193
注册时间2010-6-1
阅读权限20
最后登录1970-1-1
以武会友
 
该用户从未签到
|
本帖最后由 ifox 于 2010-6-2 15:11 编辑
Picture To Icon 2.4 注册窗口、保存功能、显示注册信息修改要点
启动显示要求注册的窗口,从字符串入手
=============================================
00424374 . FF51 FC call dword ptr [ecx-4]
00424377 . 66:C785 0CFFF>mov word ptr [ebp-F4], 1DC
00424380 > 8B15 64D15000 mov edx, dword ptr [50D164] ; Pic2Ico3._IconConverter
00424386 . 8B02 mov eax, dword ptr [edx]
00424388 . 80B8 F8030000>cmp byte ptr [eax+3F8], 0
0042438F 0F85 3B020000 jnz 004245D0 ;跳走则在注册窗口中显示Registerd,直接JMP走
00424395 . 8B15 64D15000 mov edx, dword ptr [50D164] ; Pic2Ico3._IconConverter
0042439B . 8B0A mov ecx, dword ptr [edx]
0042439D . 80B9 F9030000>cmp byte ptr [ecx+3F9], 0
004243A4 . 0F85 E2010000 jnz 0042458C ;跳走则显示Expired
004243AA . 66:C785 0CFFF>mov word ptr [ebp-F4], 1F4
004243B3 . 8D85 34FFFFFF lea eax, dword ptr [ebp-CC]
004243B9 . E8 12E7FDFF call 00402AD0
004243BE . 8BD0 mov edx, eax
004243C0 . FF85 18FFFFFF inc dword ptr [ebp-E8]
00424374 . FF51 FC call dword ptr [ecx-4]
00424377 . 66:C785 0CFFF>mov word ptr [ebp-F4], 1DC
00424380 > 8B15 64D15000 mov edx, dword ptr [50D164] ; Pic2Ico3._IconConverter
00424386 . 8B02 mov eax, dword ptr [edx]
00424388 . 80B8 F8030000>cmp byte ptr [eax+3F8], 0
0042438F 0F85 3B020000 jnz 004245D0
00424395 . 8B15 64D15000 mov edx, dword ptr [50D164] ; Pic2Ico3._IconConverter
0042439B . 8B0A mov ecx, dword ptr [edx]
0042439D . 80B9 F9030000>cmp byte ptr [ecx+3F9], 0
004243A4 . 0F85 E2010000 jnz 0042458C
004243AA . 66:C785 0CFFF>mov word ptr [ebp-F4], 1F4
004243B3 . 8D85 34FFFFFF lea eax, dword ptr [ebp-CC]
004243B9 . E8 12E7FDFF call 00402AD0
004243BE . 8BD0 mov edx, eax
004243C0 . FF85 18FFFFFF inc dword ptr [ebp-E8]
004243C6 . 8B0D 64D15000 mov ecx, dword ptr [50D164] ; Pic2Ico3._IconConverter
004243CC . 8B01 mov eax, dword ptr [ecx]
004243CE . 8B80 F4030000 mov eax, dword ptr [eax+3F4]
004243D4 . E8 5BB50300 call 0045F934
004243D9 . 8D95 34FFFFFF lea edx, dword ptr [ebp-CC]
004243DF . 52 push edx
004243E0 . 8D85 44FFFFFF lea eax, dword ptr [ebp-BC]
004243E6 . E8 E5E6FDFF call 00402AD0
004243EB . 8BD0 mov edx, eax
004243ED . FF85 18FFFFFF inc dword ptr [ebp-E8]
004243F3 . 8B0D 64D15000 mov ecx, dword ptr [50D164] ; Pic2Ico3._IconConverter
004243F9 . 8B01 mov eax, dword ptr [ecx]
004243FB . 8B80 F0030000 mov eax, dword ptr [eax+3F0]
00424401 . E8 2EB50300 call 0045F934
00424406 . 8D95 44FFFFFF lea edx, dword ptr [ebp-BC]
0042440C . 52 push edx
0042440D . 8D85 40FFFFFF lea eax, dword ptr [ebp-C0]
00424413 . E8 B8E6FDFF call 00402AD0
00424418 . 8BC8 mov ecx, eax
0042441A . FF85 18FFFFFF inc dword ptr [ebp-E8]
00424420 . B8 03025000 mov eax, 00500203 ; (
00424425 . 5A pop edx
00424426 . E8 CD3C0C00 call 004E80F8
0042442B . 8D8D 40FFFFFF lea ecx, dword ptr [ebp-C0]
00424431 . 51 push ecx
00424432 . 8D85 38FFFFFF lea eax, dword ptr [ebp-C8]
00424438 . E8 93E6FDFF call 00402AD0
0042443D . 50 push eax
0042443E . FF85 18FFFFFF inc dword ptr [ebp-E8]
00424444 . BA 05025000 mov edx, 00500205 ; /21 uses,
00424449 . 8D85 3CFFFFFF lea eax, dword ptr [ebp-C4]
0042444F . E8 24350C00 call 004E7978
00424454 . FF85 18FFFFFF inc dword ptr [ebp-E8]
0042445A . 8D95 3CFFFFFF lea edx, dword ptr [ebp-C4]
00424460 . 59 pop ecx
00424461 . 58 pop eax
00424462 . E8 C9360C00 call 004E7B30
00424467 . 8D95 38FFFFFF lea edx, dword ptr [ebp-C8]
0042446D . 52 push edx
0042446E . 8D85 30FFFFFF lea eax, dword ptr [ebp-D0]
00424474 . E8 57E6FDFF call 00402AD0
00424479 . 8BC8 mov ecx, eax
0042447B . FF85 18FFFFFF inc dword ptr [ebp-E8]
00424481 . 58 pop eax
00424482 . 5A pop edx
00424483 . E8 A8360C00 call 004E7B30
00424488 . 8D8D 30FFFFFF lea ecx, dword ptr [ebp-D0]
0042448E . 51 push ecx
0042448F . 8D85 28FFFFFF lea eax, dword ptr [ebp-D8]
00424495 . E8 36E6FDFF call 00402AD0
0042449A . 50 push eax
0042449B . FF85 18FFFFFF inc dword ptr [ebp-E8]
004244A1 . BA 10025000 mov edx, 00500210 ; /15 days) picture to icon ( unregistered )
004244A6 . 8D85 2CFFFFFF lea eax, dword ptr [ebp-D4]
004244AC . E8 C7340C00 call 004E7978
004244B1 . FF85 18FFFFFF inc dword ptr [ebp-E8]
004244B7 . 8D95 2CFFFFFF lea edx, dword ptr [ebp-D4]
004244BD . 59 pop ecx
004244BE . 58 pop eax
004244BF . E8 6C360C00 call 004E7B30
004244C4 . 8D95 28FFFFFF lea edx, dword ptr [ebp-D8]
=================================================================================
逐层返回,来到前期代码要点:
0040A04F |. E8 E48E0100 call 00422F38
0040A054 |. 8B0D 70D15000 mov ecx, dword ptr [50D170] ; Pic2Ico3._Form3
0040A05A |. 8901 mov dword ptr [ecx], eax
0040A05C |. 8B45 D8 mov eax, dword ptr [ebp-28]
0040A05F |. 80B8 F8030000>cmp byte ptr [eax+3F8], 0
0040A066 75 10 jnz short 0040A078 ; 如果是非注册版本,则要绘制窗体FORM3,显示要注册的窗体,直接跳走
0040A068 |. 8B15 70D15000 mov edx, dword ptr [50D170] ; Pic2Ico3._Form3
0040A06E |. 8B02 mov eax, dword ptr [edx]
0040A070 |. 8B10 mov edx, dword ptr [eax]
0040A072 |. FF92 E8000000 call dword ptr [edx+E8]
0040A078 |> 8B4D D8 mov ecx, dword ptr [ebp-28]
0040A07B |. 80B9 F8030000>cmp byte ptr [ecx+3F8], 0
0040A082 |. 75 14 jnz short 0040A098
0040A084 |. 8B45 D8 mov eax, dword ptr [ebp-28]
为何如此修改,其实是通过下面的思路来的。
=================================================================================
查看程序的 About,找到unregisterd!字符,OD里找到如下代码:
0040A1A4 /. 55 push ebp
0040A1A5 |. 8BEC mov ebp, esp
0040A1A7 |. 83C4 C4 add esp, -3C
0040A1AA |. 8955 C4 mov dword ptr [ebp-3C], edx
0040A1AD |. 8945 C8 mov dword ptr [ebp-38], eax
0040A1B0 |. B8 D0E74F00 mov eax, 004FE7D0
0040A1B5 |. E8 12270D00 call 004DC8CC
0040A1BA |. 66:C745 DC 14>mov word ptr [ebp-24], 14
0040A1C0 |. BA 9DC74F00 mov edx, 004FC79D ; \n\nunregister!
0040A1C5 |. 8D45 FC lea eax, dword ptr [ebp-4]
0040A1C8 |. E8 ABD70D00 call 004E7978
0040A1CD |. FF45 E8 inc dword ptr [ebp-18]
0040A1D0 |. 66:C745 DC 08>mov word ptr [ebp-24], 8
0040A1D6 |. 8B55 C8 mov edx, dword ptr [ebp-38]
0040A1D9 |. 80BA F8030000>cmp byte ptr [edx+3F8], 0
0040A1E0 74 6D je short 0040A24F ;不调走则重绘窗体,显示下面的"register to",NOP掉
0040A1E2 |. 66:C745 DC 20>mov word ptr [ebp-24], 20
0040A1E8 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0040A1EB |. E8 E088FFFF call 00402AD0
0040A1F0 |. 8BD0 mov edx, eax
0040A1F2 |. FF45 E8 inc dword ptr [ebp-18]
0040A1F5 |. 8B0D 70D15000 mov ecx, dword ptr [50D170] ; Pic2Ico3._Form3 还是窗体FORM3
0040A1FB |. 8B01 mov eax, dword ptr [ecx]
0040A1FD |. 8B80 00030000 mov eax, dword ptr [eax+300]
0040A203 |. E8 D8B60A00 call 004B58E0
0040A208 |. 8D55 F4 lea edx, dword ptr [ebp-C]
0040A20B |. 52 push edx
0040A20C |. 8D45 F0 lea eax, dword ptr [ebp-10]
0040A20F |. E8 BC88FFFF call 00402AD0
0040A214 |. 8BC8 mov ecx, eax
0040A216 |. FF45 E8 inc dword ptr [ebp-18]
0040A219 |. B8 ABC74F00 mov eax, 004FC7AB ; \n\nregister to
0040A21E |. 5A pop edx
===================================================================================
这样启动显示注册窗体没有了,About里显示给注册给设定用户,但是在使用Save时,程序自动退出,OD里下断点PostQuitMessage,找到主程序调用的相关代码:
004A8888 /$ E8 87AFFBFF call 00463814
004A888D |. 84C0 test al, al
004A888F |. 74 07 je short 004A8898
004A8891 |. 6A 00 push 0 ; /ExitCode = 0
004A8893 |. E8 7C320500 call <jmp.&USER32.PostQuitMessage> ; \PostQuitMessage
004A8898 \> C3 retn
本地调用来自 0040887F, 004089DD, 00408D4D, 0040A350, 00423C58, 004A515F
OD重新调试,点SAVE,查看相关CALL,去修改相关的调用前面的跳转,都跳过即可。
00408867 . /EB 2F jmp short 00408898
00408869 . |8B0D E0D65000 mov ecx, dword ptr [_IconConverter]
0040886F . |80B9 F8030000>cmp byte ptr [ecx+3F8], 0
00408876 . |75 20 jnz short 00408898
00408878 . |A1 40D45000 mov eax, dword ptr [50D440]
0040887D . |8B00 mov eax, dword ptr [eax]
0040887F . |E8 04000A00 call 004A8888
00408D28 . /EB 3A jmp short 00408D64
00408D2A . |A1 E0D65000 mov eax, dword ptr [_IconConverter]
00408D2F . |80B8 F9030000>cmp byte ptr [eax+3F9], 0
00408D36 . |74 2C je short 00408D64
00408D38 . |8B15 E0D65000 mov edx, dword ptr [_IconConverter]
00408D3E . |C682 F9030000>mov byte ptr [edx+3F9], 1
00408D45 . |8B0D 40D45000 mov ecx, dword ptr [50D440] ; Pic2Ico3.00514CDC
00408D4B . |8B01 mov eax, dword ptr [ecx]
00408D4D . |E8 36FB0900 call 004A8888
00408D52 . |8B95 04FFFFFF mov edx, dword ptr [ebp-FC]
00408D58 . |64:8915 00000>mov dword ptr fs:[0], edx
00408D5F . |E9 6D0D0000 jmp 00409AD1
=============================================================================================
修改完上面内容,发现SAVE不退出了,但是没有生成文件到指定位置,OD,从修改退出调用部分代码往后看,找到如下跳转,修改入下:
00408FDA . E8 F9EA0D00 call 004E7AD8
00408FDF . 59 pop ecx
00408FE0 . 84C9 test cl, cl
00408FE2 . EB 11 jmp short 00408FF5 ;跳走,写出要保存的文件到指定位置
00408FE4 . 8B85 04FFFFFF mov eax, dword ptr [ebp-FC]
00408FEA . 64:A3 0000000>mov dword ptr fs:[0], eax
00408FF0 . E9 DC0A0000 jmp 00409AD1
00408FF5 > 8B95 00FFFFFF mov edx, dword ptr [ebp-100]
=======================================================
关于BuyNow按钮和出来的注册窗体的提示,很简单的爆破,找到相关字符串,处理掉部分跳转即可。
窗体标题显示参考1的代码,修改方法如下:
00424374 . FF51 FC call dword ptr [ecx-4]
00424377 . 66:C785 0CFFF>mov word ptr [ebp-F4], 1DC
00424380 > 8B15 64D15000 mov edx, dword ptr [50D164] ; Pic2Ico3._IconConverter
00424386 . 8B02 mov eax, dword ptr [edx]
00424388 . 80B8 F8030000>cmp byte ptr [eax+3F8], 0
0042438F 0F85 3B020000 jnz 004245D0 ;跳走则在注册窗口中显示Registerd,直接JMP走
00424395 . 8B15 64D15000 mov edx, dword ptr [50D164] ; Pic2Ico3._IconConverter
0042439B . 8B0A mov ecx, dword ptr [edx]
0042439D . 80B9 F9030000>cmp byte ptr [ecx+3F9], 0
004243A4 . 0F85 E2010000 jnz 0042458C ;跳走则显示Expired
004243AA . 66:C785 0CFFF>mov word ptr [ebp-F4], 1F4
004243B3 . 8D85 34FFFFFF lea eax, dword ptr [ebp-CC]
注册确定提示信息修改如下:
00424CDD /0F84 1F020000 je 00424F02 ;NOP掉
00424CE3 |. |66:C745 B8 2C>mov word ptr [ebp-48], 2C
00424CE9 |. |8D45 F0 lea eax, dword ptr [ebp-10]
00424CEC |. |E8 DFDDFDFF call 00402AD0
00424CF1 |. |8BD0 mov edx, eax
00424CF3 |. |FF45 C4 inc dword ptr [ebp-3C]
00424CF6 |. |8B4D A4 mov ecx, dword ptr [ebp-5C]
00424CF9 |. |8B81 04030000 mov eax, dword ptr [ecx+304]
00424CFF |. |E8 DC0B0900 call 004B58E0
00424D04 |. |8D55 F0 lea edx, dword ptr [ebp-10]
00424D07 |. |8B45 A4 mov eax, dword ptr [ebp-5C]
00424D0A |. |05 1C030000 add eax, 31C
00424D0F |. |E8 F42D0C00 call 004E7B08
00424D14 |. |FF4D C4 dec dword ptr [ebp-3C]
00424D17 |. |8D45 F0 lea eax, dword ptr [ebp-10]
00424D1A |. |BA 02000000 mov edx, 2
00424D1F |. |E8 B42D0C00 call 004E7AD8
00424D24 |. |8B45 A4 mov eax, dword ptr [ebp-5C]
00424D27 |. |05 1C030000 add eax, 31C
00424D2C |. |E8 D3D0FDFF call 00401E04
00424D31 |. |0FBE50 17 movsx edx, byte ptr [eax+17]
00424D35 |. |83FA 30 cmp edx, 30
00424D38 |. |7C 16 jl short 00424D50
00424D3A |. |8B45 A4 mov eax, dword ptr [ebp-5C]
00424D3D |. |05 1C030000 add eax, 31C
00424D42 |. |E8 BDD0FDFF call 00401E04
00424D47 |. |0FBE50 17 movsx edx, byte ptr [eax+17]
00424D4B |. |83FA 39 cmp edx, 39
00424D4E |. |7E 0F jle short 00424D5F
00424D50 |> |8B0D 64D15000 mov ecx, dword ptr [50D164] ; unpacked._IconConverter
00424D56 |. |8B01 mov eax, dword ptr [ecx]
00424D58 |. |C680 F8030000>mov byte ptr [eax+3F8], 0
00424D5F |> |B2 01 mov dl, 1
00424D61 |. |A1 2CDA4500 mov eax, dword ptr [45DA2C]
00424D66 |. |E8 C18D0300 call 0045DB2C
00424D6B |. |8945 9C mov dword ptr [ebp-64], eax
00424D6E |. |BA 01000080 mov edx, 80000001
00424D73 |. |8B45 9C mov eax, dword ptr [ebp-64]
00424D76 |. |E8 692B0C00 call 004E78E4
00424D7B |. |8B15 64D15000 mov edx, dword ptr [50D164] ; unpacked._IconConverter
00424D81 |. |8B0A mov ecx, dword ptr [edx]
00424D83 |. |80B9 F8030000>cmp byte ptr [ecx+3F8], 0
00424D8A |. |0F84 06010000 je 00424E96
00424D90 |. |66:C745 B8 38>mov word ptr [ebp-48], 38
00424D96 |. |BA E5035000 mov edx, 005003E5 ; ASCII "Software\XTZY\Pic2Ico"
00424D9B |. |8D45 EC lea eax, dword ptr [ebp-14]
00424D9E |. |E8 D52B0C00 call 004E7978
00424DA3 |. |FF45 C4 inc dword ptr [ebp-3C]
00424DA6 |. |8B10 mov edx, dword ptr [eax]
00424DA8 |. |B1 01 mov cl, 1
00424DAA |. |8B45 9C mov eax, dword ptr [ebp-64]
00424DAD |. |E8 7E8E0300 call 0045DC30
00424DB2 |. |84C0 test al, al
00424DB4 |. |0F95C0 setne al
00424DB7 |. |83E0 01 and eax, 1
00424DBA |. |50 push eax
00424DBB |. |FF4D C4 dec dword ptr [ebp-3C]
00424DBE |. |8D45 EC lea eax, dword ptr [ebp-14]
00424DC1 |. |BA 02000000 mov edx, 2
00424DC6 |. |E8 0D2D0C00 call 004E7AD8
00424DCB |. |59 pop ecx
00424DCC |. |85C9 test ecx, ecx
00424DCE |. |0F84 C2000000 je 00424E96
00424DD4 |. |8D45 E4 lea eax, dword ptr [ebp-1C]
00424DD7 |. |E8 F4DCFDFF call 00402AD0
00424DDC |. |8BD0 mov edx, eax
00424DDE |. |FF45 C4 inc dword ptr [ebp-3C]
00424DE1 |. |8B4D A4 mov ecx, dword ptr [ebp-5C]
00424DE4 |. |8B81 04030000 mov eax, dword ptr [ecx+304]
00424DEA |. |E8 F10A0900 call 004B58E0
00424DEF |. |8D55 E4 lea edx, dword ptr [ebp-1C]
00424DF2 |. |FF32 push dword ptr [edx]
00424DF4 |. |66:C745 B8 44>mov word ptr [ebp-48], 44
00424DFA |. |BA FB035000 mov edx, 005003FB ; ASCII "NO"
00424DFF |. |8D45 E8 lea eax, dword ptr [ebp-18]
00424E02 |. |E8 712B0C00 call 004E7978
00424E07 |. |FF45 C4 inc dword ptr [ebp-3C]
00424E0A |. |8B10 mov edx, dword ptr [eax]
00424E0C |. |8B45 9C mov eax, dword ptr [ebp-64]
00424E0F |. |59 pop ecx
00424E10 |. |E8 B78F0300 call 0045DDCC
00424E15 |. |FF4D C4 dec dword ptr [ebp-3C]
00424E18 |. |8D45 E4 lea eax, dword ptr [ebp-1C]
00424E1B |. |BA 02000000 mov edx, 2
00424E20 |. |E8 B32C0C00 call 004E7AD8
00424E25 |. |FF4D C4 dec dword ptr [ebp-3C]
00424E28 |. |8D45 E8 lea eax, dword ptr [ebp-18]
00424E2B |. |BA 02000000 mov edx, 2
00424E30 |. |E8 A32C0C00 call 004E7AD8
00424E35 |. |8D45 DC lea eax, dword ptr [ebp-24]
00424E38 |. |E8 93DCFDFF call 00402AD0
00424E3D |. |8BD0 mov edx, eax
00424E3F |. |FF45 C4 inc dword ptr [ebp-3C]
00424E42 |. |8B4D A4 mov ecx, dword ptr [ebp-5C]
00424E45 |. |8B81 00030000 mov eax, dword ptr [ecx+300]
00424E4B |. |E8 900A0900 call 004B58E0
00424E50 |. |8D55 DC lea edx, dword ptr [ebp-24]
00424E53 |. |FF32 push dword ptr [edx]
00424E55 |. |66:C745 B8 50>mov word ptr [ebp-48], 50
00424E5B |. |BA FE035000 mov edx, 005003FE ; ASCII "Name"
00424E60 |. |8D45 E0 lea eax, dword ptr [ebp-20]
00424E63 |. |E8 102B0C00 call 004E7978
00424E68 |. |FF45 C4 inc dword ptr [ebp-3C]
00424E6B |. |8B10 mov edx, dword ptr [eax]
00424E6D |. |8B45 9C mov eax, dword ptr [ebp-64]
00424E70 |. |59 pop ecx
00424E71 |. |E8 568F0300 call 0045DDCC
00424E76 |. |FF4D C4 dec dword ptr [ebp-3C]
00424E79 |. |8D45 DC lea eax, dword ptr [ebp-24]
00424E7C |. |BA 02000000 mov edx, 2
00424E81 |. |E8 522C0C00 call 004E7AD8
00424E86 |. |FF4D C4 dec dword ptr [ebp-3C]
00424E89 |. |8D45 E0 lea eax, dword ptr [ebp-20]
00424E8C |. |BA 02000000 mov edx, 2
00424E91 |. |E8 422C0C00 call 004E7AD8
00424E96 |> |8B45 9C mov eax, dword ptr [ebp-64]
00424E99 |. |E8 FE8C0300 call 0045DB9C
00424E9E |. |8B55 9C mov edx, dword ptr [ebp-64]
00424EA1 |. |8955 D4 mov dword ptr [ebp-2C], edx
00424EA4 |. |837D D4 00 cmp dword ptr [ebp-2C], 0
00424EA8 |. |74 21 je short 00424ECB
00424EAA |. |8B4D D4 mov ecx, dword ptr [ebp-2C]
00424EAD |. |8B01 mov eax, dword ptr [ecx]
00424EAF |. |8945 D8 mov dword ptr [ebp-28], eax
00424EB2 |. |66:C745 B8 68>mov word ptr [ebp-48], 68
00424EB8 |. |BA 03000000 mov edx, 3
00424EBD |. |8B45 D4 mov eax, dword ptr [ebp-2C]
00424EC0 |. |8B08 mov ecx, dword ptr [eax]
00424EC2 |. |FF51 FC call dword ptr [ecx-4]
00424EC5 |. |66:C745 B8 5C>mov word ptr [ebp-48], 5C
00424ECB |> |66:C745 B8 74>mov word ptr [ebp-48], 74
00424ED1 |. |BA 03045000 mov edx, 00500403 ; ASCII "Register successfully!",LF,"Thank you."
00424ED6 |. |8D45 D0 lea eax, dword ptr [ebp-30]
00424ED9 |. |E8 9A2A0C00 call 004E7978
00424EDE |. |FF45 C4 inc dword ptr [ebp-3C]
00424EE1 |. |8B00 mov eax, dword ptr [eax]
00424EE3 |. |E8 80B00800 call 004AFF68
00424EE8 |. |FF4D C4 dec dword ptr [ebp-3C]
00424EEB |. |8D45 D0 lea eax, dword ptr [ebp-30]
00424EEE |. |BA 02000000 mov edx, 2
00424EF3 |. |E8 E02B0C00 call 004E7AD8
00424EF8 |. |8B45 A4 mov eax, dword ptr [ebp-5C]
00424EFB |. |E8 F0010800 call 004A50F0
00424F00 |. |EB 37 jmp short 00424F39
00424F02 |> \66:C745 B8 80>mov word ptr [ebp-48], 80
00424F08 |. BA 25045000 mov edx, 00500425 ; ASCII "Your registration code is invalid.",LF,"If you have purchased this software and get the wrong code, maybe you have not downloaded and installed the latest version. Or please send email to: support@exeicon.com ",LF
至此,软件修改应该是基本完成,有兴趣的朋友找找BUG,修改测试吧。
============================================================================================
后记:
看了别的兄弟的文章发现至少还有两处没有注意到的地方:
1、“X”号水印
2、时间限制
其他暂时没找到,学习再修改。
1、"X"水印的修改和坛子里修改一样
004381E2 |. 8B15 64D15000 mov edx, dword ptr [50D164] ; unpacked._IconConverter
004381E8 |. 8B0A mov ecx, dword ptr [edx]
004381EA |. 8A81 F9030000 mov al, byte ptr [ecx+3F9]
004381F0 |. 8845 B7 mov byte ptr [ebp-49], al
004381F3 |. 8B15 70D15000 mov edx, dword ptr [50D170] ; unpacked._Form3
004381F9 |. 8B02 mov eax, dword ptr [edx]
004381FB |. 05 1C030000 add eax, 31C
00438200 |. E8 17F2FCFF call 0040741C
00438205 |. 48 dec eax
00438206 |. 7E 53 jle short 0043825B
00438208 |. 66:C745 D0 08>mov word ptr [ebp-30], 8
0043820E |. BA 20355000 mov edx, 00503520 ; ASCII "FPJUNT"
00438213 |. 8D45 FC lea eax, dword ptr [ebp-4]
00438216 |. E8 5DF70A00 call 004E7978
0043821B |. FF45 DC inc dword ptr [ebp-24]
0043821E |. 8D55 FC lea edx, dword ptr [ebp-4]
00438221 |. 8B0D 70D15000 mov ecx, dword ptr [50D170] ; unpacked._Form3
00438227 |. 8B01 mov eax, dword ptr [ecx]
00438229 |. 05 1C030000 add eax, 31C
0043822E |. E8 B9FA0A00 call 004E7CEC
00438233 |. 85C0 test eax, eax
00438235 |. 0F95C2 setne dl
00438238 |. 83E2 01 and edx, 1
0043823B |. 52 push edx
0043823C |. FF4D DC dec dword ptr [ebp-24]
0043823F |. 8D45 FC lea eax, dword ptr [ebp-4]
00438242 |. BA 02000000 mov edx, 2
00438247 |. E8 8CF80A00 call 004E7AD8
0043824C |. 59 pop ecx
0043824D |. 84C9 test cl, cl
0043824F |. 74 06 je short 00438257
00438251 |. C645 B7 00 mov byte ptr [ebp-49], 0
00438255 |. EB 04 jmp short 0043825B
00438257 |> C645 B7 01 mov byte ptr [ebp-49], 1
0043825B |> 807D B7 00 cmp byte ptr [ebp-49], 0
0043825F E9 DE000000 jmp 00438342 ;直接跳走,不再打水印
00438264 90 nop
00438265 |. 8B45 BC mov eax, dword ptr [ebp-44]
00438268 |. 8B80 DC040000 mov eax, dword ptr [eax+4DC]
0043826E |. 8B10 mov edx, dword ptr [eax]
==================================================================================
2、时间限制导致操作程序自动退出,下断调试修改点如下:
=============
点LOAD ICON程序自动退出,找调用返回修改要点
00402D2C . 8995 A0FEFFFF mov dword ptr [ebp-160], edx
00402D32 . 8985 A4FEFFFF mov dword ptr [ebp-15C], eax
00402D38 . B8 74D14F00 mov eax, 004FD174
00402D3D . E8 8A9B0D00 call 004DC8CC
00402D42 . 8B95 A4FEFFFF mov edx, dword ptr [ebp-15C]
00402D48 . 80BA F8030000>cmp byte ptr [edx+3F8], 0
00402D4F EB 1A jmp short 00402D6B ;修改为JMP
00402D51 . 8B8D A4FEFFFF mov ecx, dword ptr [ebp-15C]
00402D57 . 83B9 F4030000>cmp dword ptr [ecx+3F4], 3C
00402D5E . 7E 0B jle short 00402D6B
00402D60 . 8B85 A4FEFFFF mov eax, dword ptr [ebp-15C]
00402D66 . E8 85230A00 call 004A50F0
点CAPTURE ICON退出,下断找到
00408430 . 55 push ebp
00408431 . 8BEC mov ebp, esp
00408433 . 81C4 8CFEFFFF add esp, -174
00408439 . 53 push ebx
0040843A . 56 push esi
0040843B . 57 push edi
0040843C . 8955 B0 mov dword ptr [ebp-50], edx
0040843F . 8945 B4 mov dword ptr [ebp-4C], eax
00408442 . B8 68E04F00 mov eax, 004FE068
00408447 . E8 80440D00 call 004DC8CC
0040844C . 8B55 B4 mov edx, dword ptr [ebp-4C]
0040844F . 80BA F8030000>cmp byte ptr [edx+3F8], 0
00408456 EB 14 jmp short 0040846C ;JMP跳走
00408458 . 8B4D B4 mov ecx, dword ptr [ebp-4C]
0040845B . 83B9 F4030000>cmp dword ptr [ecx+3F4], 3C
00408462 . 7E 08 jle short 0040846C
00408464 . 8B45 B4 mov eax, dword ptr [ebp-4C]
00408467 . E8 84CC0900 call 004A50F0
SAVE ICON时退出修改
00408939 . 8B0D E0D65000 mov ecx, dword ptr [_IconConverter]
0040893F . 80B9 F8030000>cmp byte ptr [ecx+3F8], 0
00408946 . 0F85 D4000000 jnz 00408A20 ;直接修改成JMP
0040894C . 8B45 FC mov eax, dword ptr [ebp-4]
0040894F . E8 BC730500 call 0045FD10
00408954 . 84C0 test al, al
00408956 0F84 C4000000 je 00408A20
0040895C . 66:C785 14FFF>mov word ptr [ebp-EC], 20
00408965 . E8 1A8C0500 call 00461584
0040896A . DD9D ECFEFFFF fstp qword ptr [ebp-114]
00408970 . 8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
00408976 . E8 91BBFFFF call 0040450C
0040897B . E8 C4830D00 call 004E0D44
00408980 . 8985 F4FEFFFF mov dword ptr [ebp-10C], eax
00408986 . 66:C785 14FFF>mov word ptr [ebp-EC], 20
0040898F . 8B45 FC mov eax, dword ptr [ebp-4]
00408992 . E8 11730500 call 0045FCA8
00408997 . E8 30770500 call 004600CC
0040899C . DD9D E0FEFFFF fstp qword ptr [ebp-120]
004089A2 . 8D85 E0FEFFFF lea eax, dword ptr [ebp-120]
004089A8 . E8 5FBBFFFF call 0040450C
004089AD . E8 92830D00 call 004E0D44
004089B2 . 8985 E8FEFFFF mov dword ptr [ebp-118], eax
004089B8 . 8B95 F4FEFFFF mov edx, dword ptr [ebp-10C]
004089BE . 2B95 E8FEFFFF sub edx, dword ptr [ebp-118]
004089C4 . 83FA 0F cmp edx, 0F
004089C7 . 7E 3E jle short 00408A07
004089C9 . 8B0D E0D65000 mov ecx, dword ptr [_IconConverter]
004089CF . C681 F9030000>mov byte ptr [ecx+3F9], 1
004089D6 . A1 40D45000 mov eax, dword ptr [50D440]
004089DB . 8B00 mov eax, dword ptr [eax]
004089DD . E8 A6FE0900 call 004A8888
004089E2 . FF8D 20FFFFFF dec dword ptr [ebp-E0]
004089E8 . 8D45 FC lea eax, dword ptr [ebp-4]
004089EB . BA 02000000 mov edx, 2
004089F0 . E8 E3F00D00 call 004E7AD8
004089F5 . 8B8D 04FFFFFF mov ecx, dword ptr [ebp-FC]
004089FB . 64:890D 00000>mov dword ptr fs:[0], ecx
00408A02 . E9 CA100000 jmp 00409AD1
00408A07 > 66:C785 14FFF>mov word ptr [ebp-EC], 8
00408A10 . EB 0E jmp short 00408A20
00408A12 . 66:C785 14FFF>mov word ptr [ebp-EC], 28
00408A1B . E8 F2C30D00 call 004E4E12
00408A20 > FF8D 20FFFFFF dec dword ptr [ebp-E0]
=====================================================================
到现在为止能测试到的都测试了,不知道还有什么具体限制,传个修改后的文件,请大家帮忙测试及反馈。
Pic2Icon.part01.rar
(244.14 KB, 下载次数: 1)
Pic2Icon.part02.rar
(244.14 KB, 下载次数: 1)
Pic2Icon.part03.rar
(73.05 KB, 下载次数: 1)
|
评分
-
查看全部评分
|
IP卡
发表于 2010-6-2 11:11:55
提升卡
置顶卡
变色卡
千斤顶
显身卡
楼主
发表于 2010-6-2 11:38:25
