MindView 6.0 cracking analysis notes
1. Download the trial from the official site and install it. Once the 30 days expire, the features are disabled: you can only view, no longer edit.
2. The registration number is made up of several parts:
C:\Program Files (x86)\MatchWare\MindView 6.0\sn.ini
C:\Program Files (x86)\MatchWare\MindView 6.0\Language\English\demoregister.ini
D:\ProgramData\mwas\MindView6.0.mwas (not generated by default; forcing the JMP produces an empty one)
In addition, the strings displayed there are read from a certain INI file (004351C1 .68 C05E7C00 PUSH MindView.007C5EC0 ;resources\about.txt)
At startup it goes through a mode check, for example deciding whether you are in demo mode.
It looks like the registration code is bound to a machine code. There is only one place to enter the registration code, and the Chinese/English prompts in the keygen later downloaded from the net confirmed the earlier guess: [sure enough, the hosts file has to be modified] before an extra activation-code option appears.
By default, even after a successful registration, it still re-verifies on restart (online).
This spot is critical: even if you have dealt with everything before it, it still activates online.
The parameters in the screenshot clearly show [network adapter], which explains why
the foreign keygen has to modify hosts~~
What is the string in the register at the top right?
Not far below, we see the machine ID binding number
00762268 $- FF25 4C3F7C00 JMP NEAR DWORD PTR DS:[<&mfc120u.#13>;mfc120u.6393E0F6
Of the thousand-plus call sites here, a few are critical.
Click About and you arrive at the place below; shortly after stepping in with F7 you find
00435557 .68 945F7C00 PUSH MindView.007C5F94 ;Company
0043555C .68 885F7C00 PUSH MindView.007C5F88 ;About
00435561 .8B48 04 MOV ECX,DWORD PTR DS:
00435564 .8D5424 28 LEA EDX,DWORD PTR SS:
00435568 .52 PUSH EDX
00435569 .8B01 MOV EAX,DWORD PTR DS:
0043556B .FF90 8C000000 CALL NEAR DWORD PTR DS:
00435571 .A1 C4427C00 MOV EAX,DWORD PTR DS:[<&mwas.?s_IsAc>
00435576 .C64424 58 11MOV BYTE PTR SS:,0x11
0043557B .8338 00 CMP DWORD PTR DS:,0x0
0043557E .75 1E JNZ SHORT MindView.0043559E
00435580 .68 13040000 PUSH 0x413
00435585 .8D4C24 24 LEA ECX,DWORD PTR SS:
00435589 .FF15 D83F7C00 CALL NEAR DWORD PTR DS:[<&mfc120u.#83>;mfc120u.6374FB55
0043558F .68 8E648500 PUSH MindView.0085648E
00435594 .8D4C24 20 LEA ECX,DWORD PTR SS:
00435598 .FF15 F43F7C00 CALL NEAR DWORD PTR DS:[<&mfc120u.#15>;mfc120u.6389CEDE
0043559E >8D4C24 20 LEA ECX,DWORD PTR SS:
004355A2 .FF15 2C407C00 CALL NEAR DWORD PTR DS:[<&mfc120u.#16>;mfc120u.6374B720
004355A8 .50 PUSH EAX
004355A9 .68 B0050000 PUSH 0x5B0 ;if this is a registered build, the user name is fetched here
004355AE .8BCE MOV ECX,ESI
004355B0 .E8 B3CC3200 CALL <JMP.&mfc120u.#13333>
004355B5 .8D4C24 1C LEA ECX,DWORD PTR SS:
004355B9 .FF15 2C407C00 CALL NEAR DWORD PTR DS:[<&mfc120u.#16>;mfc120u.6374B720
004355BF .50 PUSH EAX
004355C0 .68 B1050000 PUSH 0x5B1
004355C5 .8BCE MOV ECX,ESI
004355C7 .E8 9CCC3200 CALL <JMP.&mfc120u.#13333>
004355CC .8D4C24 1C LEA ECX,DWORD PTR SS:
004355D0 .FF15 F83F7C00 CALL NEAR DWORD PTR DS:[<&mfc120u.#10>;mfc120u.6374B446
004355D6 .8D4C24 20 LEA ECX,DWORD PTR SS:
004355DA .FF15 F83F7C00 CALL NEAR DWORD PTR DS:[<&mfc120u.#10>;mfc120u.6374B446
004355E0 .8D4C24 24 LEA ECX,DWORD PTR SS:
004355E4 .FF15 F83F7C00 CALL NEAR DWORD PTR DS:[<&mfc120u.#10>;mfc120u.6374B446
004355EA .8D4C24 10 LEA ECX,DWORD PTR SS:
004355EE .FF15 F83F7C00 CALL NEAR DWORD PTR DS:[<&mfc120u.#10>;mfc120u.6374B446
004355F4 .8D4C24 18 LEA ECX,DWORD PTR SS:
004355F8 .FF15 F83F7C00 CALL NEAR DWORD PTR DS:[<&mfc120u.#10>;mfc120u.6374B446
004355FE .8D4C24 38 LEA ECX,DWORD PTR SS:
00435602 .C64424 58 02MOV BYTE PTR SS:,0x2
00435607 .E8 9CCB3200 CALL <JMP.&mfc120u.#1444>
0043560C .8D4C24 28 LEA ECX,DWORD PTR SS:
00435610 .FF15 F83F7C00 CALL NEAR DWORD PTR DS:[<&mfc120u.#10>;mfc120u.6374B446
0043556B .FF90 8C000000 CALL NEAR DWORD PTR DS: ;<JMP.&mfcext.?GetProfileStringW@?$EApplicationBaseT@VCBCGPWinApp@@@@UAE?AV?$CStringT@_WV?$StrTraitMFC_DLL@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W00@Z>
This instruction is interesting: it fetches the configured string.
00435571 .A1 C4427C00 MOV EAX,DWORD PTR DS:[<&mwas.?s_IsAc>
00435576 .C64424 58 11MOV BYTE PTR SS:,0x11
0043557B .8338 00 CMP DWORD PTR DS:,0x0
0043557E .75 1E JNZ SHORT MindView.0043559E
Now we set a message breakpoint before clicking the [Activate] button
See that? The registration/activation success prompt was right here all along!
------------------------------------------------------------------------
[Cracking summary]
First understand the program's execution flow and verification process; the success rate is far higher than blindly jumping in and patching.
Whether it is a memory patch or a crack patch found online, it is not there for bystanders waiting for something ready-made; it is there to analyze how others analyzed and patched successfully. The process is where the fun of dynamic debugging and the knowledge gained lie, and that is the real highlight.
The following is worth a look:
0056B945 . /0F84 87010000 JE MindView.0056BAD2 ;the state is unclear at this point; it needs to be re-traced to learn the status dynamically
0056B94B . |8B8424 C40000>MOV EAX,DWORD PTR SS: ;MindView.0084F0F0
0056B952 . |8D8C24 C40000>LEA ECX,DWORD PTR SS:
0056B959 . |FF50 1C CALL NEAR DWORD PTR DS:
0056B95C . |A8 01 TEST AL,0x1
0056B95E . |74 47 JE SHORT MindView.0056B9A7
0056B960 . |68 A8DE7F00 PUSH MindView.007FDEA8 ;Show Edu dialog
0056B965 . |56 PUSH ESI
0056B966 . |E8 05BFFFFF CALL MindView.00567870
0056B96B . |83C4 08 ADD ESP,0x8
0056B96E . |E8 D96C1F00 CALL <JMP.&mfc120u.#2214>
0056B973 . |85C0 TEST EAX,EAX
0056B975 . |74 09 JE SHORT MindView.0056B980
0056B977 . |8B10 MOV EDX,DWORD PTR DS:
0056B979 . |8BC8 MOV ECX,EAX
0056B97B . |FF52 7C CALL NEAR DWORD PTR DS:
0056B97E . |EB 02 JMP SHORT MindView.0056B982
00566DDD . /0F84 E0010000 JE MindView.00566FC3
00566DE3 . |6A 00 PUSH 0x0
00566DE5 . |E8 96B10700 CALL MindView.005E1F80
00566DEA . |BD 5CC07F00 MOV EBP,MindView.007FC05C ;on
00566DEF . |BA 64C07F00 MOV EDX,MindView.007FC064 ;off
00566DF4 . |6A 00 PUSH 0x0
00566DF6 . |8A88 BD720000 MOV CL,BYTE PTR DS:
00566DFC . |8BC5 MOV EAX,EBP
00566DFE . |84C9 TEST CL,CL
00566E00 . |0F44C2 CMOVE EAX,EDX
00566E03 . |50 PUSH EAX
00566E04 . |68 38D87F00 PUSH MindView.007FD838 ;Simple UI
00566E09 . |E8 7243F8FF CALL MindView.004EB180
00566E0E . |83C4 10 ADD ESP,0x10
00566E11 . |8D4C24 18 LEA ECX,DWORD PTR SS:
0073A290 $55 PUSH EBP
There are calls here from (local calls from 0049500D, 00564E5C, 00565A1A, 00565B62, 0056B93E, 006B1A48)
The last two are obviously related to what, as even a blind man could tell!
00564E63 /EB 12 JMP SHORT crack5.00564E77 After modifying this, the DEMO text in the title indeed disappeared.