软件性质:管理软件
软件名:Navicat Premium
版本:11.0.5 x86
官方网站:http://anonymz.com/?http://www.navicat.com/products/navicat-premium
下载地址:http://anonymz.com/?http://download.navicat.com/download/navicat110_premium_en_x86.exe
使用工具:Winhex \ Ollydbg
性质:爆破
一直有在用这个软件。
支持MySQL, PGSQL , , MSSQL , SQLite 五大数据库。
how about Access? Sorry,它不支持。不过我在随便google到了一个打开.mdb文件的小软件: MDB View 1.03
http://www.onlinedown.net/soft/30990.htm
UPX 0.89.6 - 1.02 / 1.05 - 2.90 (Delphi) stub -> Markus & Laszlo
直接用官方upx脱了。
2004年产的,有NAG,不过很容易就去除了。
最近升级到11版了。之前的注册码不能用了。
官方售价 $499 ,这个价格我就不考虑购买了。。。
安装了最新版的,拖进PEiD 一看,
ASProtect v1.32 [Overlay] *
实际上应该是没有加壳的。
主程序 navicat.exe 丢进 OD ,没有提示代码被压缩或。后来在调试过程中也验证了这一点。
感谢Navicat Premium!这年头好不容易碰到一个不加壳的东西了!
主程序 navicat.exe 大小达 25MB ,而其64位的版本更是达35MB大小。
弹出试用对话框时按F12 停下,查看调用堆栈:
================================================================================================
Call stack of main thr3@d
Address Stack Procedure / arguments Called from Frame
0012FE1C 77D19418 Includes ntdll.KiFastSystemCallRet user32.77D19416 0012FE4C
0012FE20 0064A3FE <jmp.&user32.WaitMessage> navicat.0064A3F9 0012FE4C
0012FE50 0064961C ? navicat.0064A2B0 navicat.00649617 0012FE4C
0012FE74 00644E26 navicat.00649600 navicat.00644E21 0012FECC
我们到 navicat.00644E21 ,
往上走,到这个函数的开头:
00644C80 /$ 55 push ebp
在这里F2下断。
===========================================================================
Ctrl + F2 重新运行。程序断在 00644C80
此时Alt + K ,在OD中查看调用堆看不到任何东西。
不过右下角的stack frame窗口中(ESP指向的地址处)可以看到:
0012FED0 00C440FF RETURN to navicat.00C440FF
Ctrl+G ,跳到 00C440FF 看看。
00C440DE . E8 110A0000 call navicat.00C44AF4
00C440E3 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30]
00C440E6 . 8B90 C8030000 mov edx, dword ptr ds:[eax+0x3C8]
00C440EC . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30]
00C440EF . E8 4CE69FFF call navicat.00642740
00C440F4 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30]
00C440F7 . 8B10 mov edx, dword ptr ds:[eax] ; navicat.00C41E4C
00C440F9 . FF92 28010000 call near dword ptr ds:[edx+0x128] ; navicat.00644C80
==> 00C440FF . 33C0 xor eax, eax
00C44101 . 5A pop edx ; navicat.00C440FF
00C44102 . 59 pop ecx ; navicat.00C440FF
00C44103 . 59 pop ecx ; navicat.00C440FF
00C44104 . 64:8910 mov dword ptr fs:[eax], edx ; navicat.00C41E4C
00C44107 . 68 E344C400 push navicat.00C444E3
00C4410C > 8B45 D0 mov eax, dword ptr ss:[ebp-0x30]
00C4410F . E8 D0417CFF call navicat.004082E4
00C44114 . C3 retn
可以看到其上面的 call near dword ptr ds:[edx+0x128] (即call navicat.00644C80 )
程序正是从00644C80 返回到00C440FF的。
再往上可以看到
00C44086 . BA 3045C400 mov edx, navicat.00C44530 ; UNICODE "yyyy/mm/dd"
......
00C440BF . BA 5445C400 mov edx, navicat.00C44554 ; UNICODE "This is a limited 30-day trial version of PremiumSoft Navicat for evaluation purposes.
If you like "
再往上看,有一个跳转:
00C4405E . /0F8F 7F040000 jg navicat.00C444E3
这个跳转直接跳过了 00C440F9 到达 00C444E3了。
在 00C4405E 下断试试。
断下来,我们发现 EAX 值为0
那么 test eax,eax 将置 ZF 为 1.
00C4405E jg navicat.00C444E3 这个跳转无法实现了。
手动给ZF置0,发现程序直接跳过去启动了~~ 如果要暴破,可以直接修改00C4405E处为jmp 00C444E3
================================================================================================
好,现在来看看这一整个函数( 从 00C44030 到 00C44515 ):
00C44030 $ 55 push ebp
00C44031 . 8BEC mov ebp, esp
00C44033 . B9 0F000000 mov ecx, 0xF
00C44038 > 6A 00 push 0x0
00C4403A . 6A 00 push 0x0
00C4403C . 49 dec ecx
00C4403D .^ 75 F9 jnz short navicat.00C44038
00C4403F . 51 push ecx
00C44040 . 53 push ebx
00C44041 . 33D2 xor edx, edx ; ntdll.KiFastSystemCallRet
00C44043 . 55 push ebp
00C44044 . 68 1645C400 push navicat.00C44516
00C44049 . 64:FF32 push dword ptr fs:[edx]
00C4404C . 64:8922 mov dword ptr fs:[edx], esp
00C4404F . 84C0 test al, al ; Switch (cases 0..2)
00C44051 . 0F85 C5000000 jnz navicat.00C4411C
00C44057 . E8 9C2A7CFF call navicat.00406AF8 ; Case 0 of switch 00C4404F
00C4405C . 85C0 test eax, eax
00C4405E . 0F8F 7F040000 jg navicat.00C444E3
00C44064 . 33C9 xor ecx, ecx
00C44066 . B2 01 mov dl, 0x1
00C44068 . A1 F41DC400 mov eax, dword ptr ds:[0xC41DF4]
00C4406D . E8 C2467300 call navicat.01378734
00C44072 . 8945 D0 mov dword ptr ss:[ebp-0x30], eax
00C44075 . 33C0 xor eax, eax
00C44077 . 55 push ebp
00C44078 . 68 1541C400 push navicat.00C44115
00C4407D . 64:FF30 push dword ptr fs:[eax]
00C44080 . 64:8920 mov dword ptr fs:[eax], esp
00C44083 . 8D45 F8 lea eax, dword ptr ss:[ebp-0x8]
00C44086 . BA 3045C400 mov edx, navicat.00C44530 ; UNICODE "yyyy/mm/dd"
00C4408B . E8 70647CFF call navicat.0040A500
00C44090 . 8B05 B80E5101 mov eax, dword ptr ds:[0x1510EB8]
00C44096 . 8945 C8 mov dword ptr ss:[ebp-0x38], eax
00C44099 . 8B05 BC0E5101 mov eax, dword ptr ds:[0x1510EBC]
00C4409F . 8945 CC mov dword ptr ss:[ebp-0x34], eax
00C440A2 . FF75 CC push dword ptr ss:[ebp-0x34]
00C440A5 . FF75 C8 push dword ptr ss:[ebp-0x38] ; navicat.0064A369
00C440A8 . 8D4D F4 lea ecx, dword ptr ss:[ebp-0xC]
00C440AB . 8B15 EC935001 mov edx, dword ptr ds:[0x15093EC] ; navicat.0150CD18
00C440B1 . 8B45 F8 mov eax, dword ptr ss:[ebp-0x8] ; navicat.0165E5E0
00C440B4 . E8 B7807EFF call navicat.0042C170
00C440B9 . 8D45 FC lea eax, dword ptr ss:[ebp-0x4]
00C440BC . 8B4D F4 mov ecx, dword ptr ss:[ebp-0xC]
00C440BF . BA 5445C400 mov edx, navicat.00C44554 ; UNICODE "This is a limited 30-day trial version of PremiumSoft Navicat for evaluation purposes.
If you like "
00C440C4 . E8 B7727CFF call navicat.0040B380
00C440C9 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C440CC . 05 34040000 add eax, 0x434
00C440D1 . 8B55 FC mov edx, dword ptr ss:[ebp-0x4]
00C440D4 . E8 DF637CFF call navicat.0040A4B8
00C440D9 . 33D2 xor edx, edx ; ntdll.KiFastSystemCallRet
00C440DB . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C440DE . E8 110A0000 call navicat.00C44AF4
00C440E3 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C440E6 . 8B90 C8030000 mov edx, dword ptr ds:[eax+0x3C8]
00C440EC . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C440EF . E8 4CE69FFF call navicat.00642740
00C440F4 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C440F7 . 8B10 mov edx, dword ptr ds:[eax]
00C440F9 . FF92 28010000 call near dword ptr ds:[edx+0x128] ; 调用 00644C80 显示trial 窗口
00C440FF . 33C0 xor eax, eax
00C44101 . 5A pop edx ; user32.77D19418
00C44102 . 59 pop ecx ; user32.77D19418
00C44103 . 59 pop ecx ; user32.77D19418
00C44104 . 64:8910 mov dword ptr fs:[eax], edx ; ntdll.KiFastSystemCallRet
00C44107 . 68 E344C400 push navicat.00C444E3
00C4410C > 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C4410F . E8 D0417CFF call navicat.004082E4
00C44114 . C3 retn
00C44115 .^ E9 5E547CFF jmp navicat.00409578
00C4411A .^ EB F0 jmp short navicat.00C4410C
00C4411C > 3C 01 cmp al, 0x1
00C4411E . 0F85 5D010000 jnz navicat.00C44281
00C44124 . 33C9 xor ecx, ecx ; Case 1 of switch 00C4404F
00C44126 . B2 01 mov dl, 0x1
00C44128 . A1 F41DC400 mov eax, dword ptr ds:[0xC41DF4]
00C4412D . E8 02467300 call navicat.01378734
00C44132 . 8945 D0 mov dword ptr ss:[ebp-0x30], eax
00C44135 . 33C0 xor eax, eax
00C44137 . 55 push ebp
00C44138 . 68 7A42C400 push navicat.00C4427A
00C4413D . 64:FF30 push dword ptr fs:[eax]
00C44140 . 64:8920 mov dword ptr fs:[eax], esp
00C44143 . 8D45 F0 lea eax, dword ptr ss:[ebp-0x10]
00C44146 . BA 3045C400 mov edx, navicat.00C44530 ; UNICODE "yyyy/mm/dd"
00C4414B . E8 B0637CFF call navicat.0040A500
00C44150 . 8B05 B80E5101 mov eax, dword ptr ds:[0x1510EB8]
00C44156 . 8945 C0 mov dword ptr ss:[ebp-0x40], eax
00C44159 . 8B05 BC0E5101 mov eax, dword ptr ds:[0x1510EBC]
00C4415F . 8945 C4 mov dword ptr ss:[ebp-0x3C], eax
00C44162 . FF75 C4 push dword ptr ss:[ebp-0x3C]
00C44165 . FF75 C0 push dword ptr ss:[ebp-0x40]
00C44168 . 8D4D EC lea ecx, dword ptr ss:[ebp-0x14]
00C4416B . 8B15 EC935001 mov edx, dword ptr ds:[0x15093EC] ; navicat.0150CD18
00C44171 . 8B45 F0 mov eax, dword ptr ss:[ebp-0x10]
00C44174 . E8 F77F7EFF call navicat.0042C170
00C44179 . 8D45 A4 lea eax, dword ptr ss:[ebp-0x5C]
00C4417C . 50 push eax
00C4417D . B8 E446C400 mov eax, navicat.00C446E4 ; UNICODE "Navicat"
00C44182 . 8945 94 mov dword ptr ss:[ebp-0x6C], eax
00C44185 . C645 98 11 mov byte ptr ss:[ebp-0x68], 0x11
00C44189 . 8B45 EC mov eax, dword ptr ss:[ebp-0x14]
00C4418C . 8945 9C mov dword ptr ss:[ebp-0x64], eax
00C4418F . C645 A0 11 mov byte ptr ss:[ebp-0x60], 0x11
00C44193 . 8D55 94 lea edx, dword ptr ss:[ebp-0x6C]
00C44196 . B9 01000000 mov ecx, 0x1
00C4419B . B8 0047C400 mov eax, navicat.00C44700 ; UNICODE "%s must be activated before %s."
00C441A0 . E8 EB4B7EFF call navicat.00428D90
00C441A5 . FF75 A4 push dword ptr ss:[ebp-0x5C]
00C441A8 . 68 4C47C400 push navicat.00C4474C ; UNICODE "
"
00C441AD . 68 6047C400 push navicat.00C44760 ; UNICODE "Do you want to activate now?"
00C441B2 . 8D45 FC lea eax, dword ptr ss:[ebp-0x4]
00C441B5 . BA 03000000 mov edx, 0x3
00C441BA . E8 49727CFF call navicat.0040B408
00C441BF . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C441C2 . 05 34040000 add eax, 0x434
00C441C7 . 8B55 FC mov edx, dword ptr ss:[ebp-0x4]
00C441CA . E8 E9627CFF call navicat.0040A4B8
00C441CF . 33D2 xor edx, edx ; ntdll.KiFastSystemCallRet
00C441D1 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C441D4 . E8 1B090000 call navicat.00C44AF4
00C441D9 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C441DC . 8B80 C8030000 mov eax, dword ptr ds:[eax+0x3C8]
00C441E2 . 8B50 48 mov edx, dword ptr ds:[eax+0x48]
00C441E5 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C441E8 . 8B80 C4030000 mov eax, dword ptr ds:[eax+0x3C4]
00C441EE . E8 852D90FF call navicat.00546F78
00C441F3 . BA 6C000000 mov edx, 0x6C
00C441F8 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C441FB . E8 74497300 call navicat.01378B74
00C44200 . 8B55 D0 mov edx, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C44203 . 8B9A C8030000 mov ebx, dword ptr ds:[edx+0x3C8]
00C44209 . 8B53 48 mov edx, dword ptr ds:[ebx+0x48]
00C4420C . 2BD0 sub edx, eax
00C4420E . 8BC3 mov eax, ebx
00C44210 . E8 632D90FF call navicat.00546F78
00C44215 . BA A847C400 mov edx, navicat.00C447A8 ; UNICODE "Activation"
00C4421A . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C4421D . E8 E23790FF call navicat.00547A04
00C44222 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C44225 . 8B80 C4030000 mov eax, dword ptr ds:[eax+0x3C4]
00C4422B . BA CC47C400 mov edx, navicat.00C447CC ; UNICODE "Activate Later"
00C44230 . E8 CF3790FF call navicat.00547A04
00C44235 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C44238 . 8B80 C8030000 mov eax, dword ptr ds:[eax+0x3C8]
00C4423E . BA F847C400 mov edx, navicat.00C447F8 ; UNICODE "Activate Now"
00C44243 . E8 BC3790FF call navicat.00547A04
00C44248 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C4424B . 8B90 C8030000 mov edx, dword ptr ds:[eax+0x3C8]
00C44251 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C44254 . E8 E7E49FFF call navicat.00642740
00C44259 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C4425C . 8B10 mov edx, dword ptr ds:[eax]
00C4425E . FF92 28010000 call near dword ptr ds:[edx+0x128]
00C44264 . 33C0 xor eax, eax
00C44266 . 5A pop edx ; user32.77D19418
00C44267 . 59 pop ecx ; user32.77D19418
00C44268 . 59 pop ecx ; user32.77D19418
00C44269 . 64:8910 mov dword ptr fs:[eax], edx ; ntdll.KiFastSystemCallRet
00C4426C . 68 E344C400 push navicat.00C444E3
00C44271 > 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C44274 . E8 6B407CFF call navicat.004082E4
00C44279 . C3 retn
00C4427A .^ E9 F9527CFF jmp navicat.00409578
00C4427F .^ EB F0 jmp short navicat.00C44271
00C44281 > 3C 02 cmp al, 0x2
00C44283 . 0F85 5A020000 jnz navicat.00C444E3
00C44289 . 33C9 xor ecx, ecx ; Case 2 of switch 00C4404F
00C4428B . B2 01 mov dl, 0x1
00C4428D . A1 F41DC400 mov eax, dword ptr ds:[0xC41DF4]
00C44292 . E8 9D447300 call navicat.01378734
00C44297 . 8945 D0 mov dword ptr ss:[ebp-0x30], eax
00C4429A . 33C0 xor eax, eax
00C4429C . 55 push ebp
00C4429D . 68 DC44C400 push navicat.00C444DC
00C442A2 . 64:FF30 push dword ptr fs:[eax]
00C442A5 . 64:8920 mov dword ptr fs:[eax], esp
00C442A8 . 8D45 E8 lea eax, dword ptr ss:[ebp-0x18]
00C442AB . BA 3045C400 mov edx, navicat.00C44530 ; UNICODE "yyyy/mm/dd"
00C442B0 . E8 4B627CFF call navicat.0040A500
00C442B5 . 8B05 B80E5101 mov eax, dword ptr ds:[0x1510EB8]
00C442BB . 8945 B8 mov dword ptr ss:[ebp-0x48], eax
00C442BE . 8B05 BC0E5101 mov eax, dword ptr ds:[0x1510EBC]
00C442C4 . 8945 BC mov dword ptr ss:[ebp-0x44], eax
00C442C7 . FF75 BC push dword ptr ss:[ebp-0x44] ; navicat.0065E5E0
00C442CA . FF75 B8 push dword ptr ss:[ebp-0x48]
00C442CD . 8D4D E4 lea ecx, dword ptr ss:[ebp-0x1C]
00C442D0 . 8B15 EC935001 mov edx, dword ptr ds:[0x15093EC] ; navicat.0150CD18
00C442D6 . 8B45 E8 mov eax, dword ptr ss:[ebp-0x18]
00C442D9 . E8 927E7EFF call navicat.0042C170
00C442DE . 8D45 FC lea eax, dword ptr ss:[ebp-0x4]
00C442E1 . 8B4D E4 mov ecx, dword ptr ss:[ebp-0x1C] ; navicat.0065E5E0
00C442E4 . BA 5445C400 mov edx, navicat.00C44554 ; UNICODE "This is a limited 30-day trial version of PremiumSoft Navicat for evaluation purposes.
If you like "
00C442E9 . E8 92707CFF call navicat.0040B380
00C442EE . 803D B00E5101>cmp byte ptr ds:[0x1510EB0], 0x6
00C442F5 . 0F85 81000000 jnz navicat.00C4437C
00C442FB . 8D45 E0 lea eax, dword ptr ss:[ebp-0x20]
00C442FE . BA 3045C400 mov edx, navicat.00C44530 ; UNICODE "yyyy/mm/dd"
00C44303 . E8 F8617CFF call navicat.0040A500
00C44308 . 8B05 B80E5101 mov eax, dword ptr ds:[0x1510EB8]
00C4430E . 8945 B0 mov dword ptr ss:[ebp-0x50], eax
00C44311 . 8B05 BC0E5101 mov eax, dword ptr ds:[0x1510EBC]
00C44317 . 8945 B4 mov dword ptr ss:[ebp-0x4C], eax
00C4431A . FF75 B4 push dword ptr ss:[ebp-0x4C]
00C4431D . FF75 B0 push dword ptr ss:[ebp-0x50] ; navicat.0065E5E0
00C44320 . 8D4D DC lea ecx, dword ptr ss:[ebp-0x24]
00C44323 . 8B15 EC935001 mov edx, dword ptr ds:[0x15093EC] ; navicat.0150CD18
00C44329 . 8B45 E0 mov eax, dword ptr ss:[ebp-0x20]
00C4432C . E8 3F7E7EFF call navicat.0042C170
00C44331 . 68 2048C400 push navicat.00C44820 ; UNICODE "The activation period has expired.
"
00C44336 . 8D45 90 lea eax, dword ptr ss:[ebp-0x70]
00C44339 . 50 push eax
00C4433A . B8 7848C400 mov eax, navicat.00C44878 ; UNICODE "support@navicat.com"
00C4433F . 8945 88 mov dword ptr ss:[ebp-0x78], eax
00C44342 . C645 8C 11 mov byte ptr ss:[ebp-0x74], 0x11
00C44346 . 8D55 88 lea edx, dword ptr ss:[ebp-0x78]
00C44349 . 33C9 xor ecx, ecx
00C4434B . B8 AC48C400 mov eax, navicat.00C448AC ; UNICODE "Please activate this product online or contact %s for any enquiry."
00C44350 . E8 3B4A7EFF call navicat.00428D90
00C44355 . FF75 90 push dword ptr ss:[ebp-0x70]
00C44358 . 68 4049C400 push navicat.00C44940 ; UNICODE "
"
00C4435D . 68 5449C400 push navicat.00C44954 ; UNICODE "Expiration Date"
00C44362 . 68 8049C400 push navicat.00C44980 ; UNICODE ": "
00C44367 . FF75 DC push dword ptr ss:[ebp-0x24] ; navicat.0064A419
00C4436A . 8D45 FC lea eax, dword ptr ss:[ebp-0x4]
00C4436D . BA 06000000 mov edx, 0x6
00C44372 . E8 91707CFF call navicat.0040B408
00C44377 . E9 85000000 jmp navicat.00C44401
00C4437C > 803D B00E5101>cmp byte ptr ds:[0x1510EB0], 0x7
00C44383 . 75 7C jnz short navicat.00C44401
00C44385 . 8D45 D8 lea eax, dword ptr ss:[ebp-0x28]
00C44388 . BA 3045C400 mov edx, navicat.00C44530 ; UNICODE "yyyy/mm/dd"
00C4438D . E8 6E617CFF call navicat.0040A500
00C44392 . 8B05 B80E5101 mov eax, dword ptr ds:[0x1510EB8]
00C44398 . 8945 A8 mov dword ptr ss:[ebp-0x58], eax
00C4439B . 8B05 BC0E5101 mov eax, dword ptr ds:[0x1510EBC]
00C443A1 . 8945 AC mov dword ptr ss:[ebp-0x54], eax
00C443A4 . FF75 AC push dword ptr ss:[ebp-0x54] ; navicat.004CDE5F
00C443A7 . FF75 A8 push dword ptr ss:[ebp-0x58] ; navicat.004CDE57
00C443AA . 8D4D D4 lea ecx, dword ptr ss:[ebp-0x2C]
00C443AD . 8B15 EC935001 mov edx, dword ptr ds:[0x15093EC] ; navicat.0150CD18
00C443B3 . 8B45 D8 mov eax, dword ptr ss:[ebp-0x28]
00C443B6 . E8 B57D7EFF call navicat.0042C170
00C443BB . 68 9449C400 push navicat.00C44994 ; UNICODE "This NFR license has expired.
"
00C443C0 . 8D45 84 lea eax, dword ptr ss:[ebp-0x7C]
00C443C3 . 50 push eax
00C443C4 . B8 7848C400 mov eax, navicat.00C44878 ; UNICODE "support@navicat.com"
00C443C9 . 8945 88 mov dword ptr ss:[ebp-0x78], eax
00C443CC . C645 8C 11 mov byte ptr ss:[ebp-0x74], 0x11
00C443D0 . 8D55 88 lea edx, dword ptr ss:[ebp-0x78]
00C443D3 . 33C9 xor ecx, ecx
00C443D5 . B8 E049C400 mov eax, navicat.00C449E0 ; UNICODE "Please contact %s for any enquiry."
00C443DA . E8 B1497EFF call navicat.00428D90
00C443DF . FF75 84 push dword ptr ss:[ebp-0x7C] ; navicat.004090C9
00C443E2 . 68 4049C400 push navicat.00C44940 ; UNICODE "
"
00C443E7 . 68 5449C400 push navicat.00C44954 ; UNICODE "Expiration Date"
00C443EC . 68 8049C400 push navicat.00C44980 ; UNICODE ": "
00C443F1 . FF75 D4 push dword ptr ss:[ebp-0x2C] ; navicat.0064A3FE
00C443F4 . 8D45 FC lea eax, dword ptr ss:[ebp-0x4]
00C443F7 . BA 06000000 mov edx, 0x6
00C443FC . E8 07707CFF call navicat.0040B408
00C44401 > 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C44404 . 05 34040000 add eax, 0x434
00C44409 . 8B55 FC mov edx, dword ptr ss:[ebp-0x4]
00C4440C . E8 A7607CFF call navicat.0040A4B8
00C44411 . 33D2 xor edx, edx ; ntdll.KiFastSystemCallRet
00C44413 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C44416 . E8 D9060000 call navicat.00C44AF4
00C4441B . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C4441E . 8B80 C4030000 mov eax, dword ptr ds:[eax+0x3C4]
00C44424 . 33D2 xor edx, edx ; ntdll.KiFastSystemCallRet
00C44426 . 8B08 mov ecx, dword ptr ds:[eax]
00C44428 . FF91 80000000 call near dword ptr ds:[ecx+0x80]
00C4442E . 803D B00E5101>cmp byte ptr ds:[0x1510EB0], 0x6
00C44435 . 0F85 80000000 jnz navicat.00C444BB
00C4443B . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C4443E . 8B80 C8030000 mov eax, dword ptr ds:[eax+0x3C8]
00C44444 . 8B50 48 mov edx, dword ptr ds:[eax+0x48]
00C44447 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C4444A . 8B80 C4030000 mov eax, dword ptr ds:[eax+0x3C4]
00C44450 . E8 232B90FF call navicat.00546F78
00C44455 . BA 6C000000 mov edx, 0x6C
00C4445A . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C4445D . E8 12477300 call navicat.01378B74
00C44462 . 8B55 D0 mov edx, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C44465 . 8B9A C8030000 mov ebx, dword ptr ds:[edx+0x3C8]
00C4446B . 8B53 48 mov edx, dword ptr ds:[ebx+0x48]
00C4446E . 2BD0 sub edx, eax
00C44470 . 8BC3 mov eax, ebx
00C44472 . E8 012B90FF call navicat.00546F78
00C44477 . BA A847C400 mov edx, navicat.00C447A8 ; UNICODE "Activation"
00C4447C . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C4447F . E8 803590FF call navicat.00547A04
00C44484 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C44487 . 8B80 C4030000 mov eax, dword ptr ds:[eax+0x3C4]
00C4448D . BA CC47C400 mov edx, navicat.00C447CC ; UNICODE "Activate Later"
00C44492 . E8 6D3590FF call navicat.00547A04
00C44497 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C4449A . 8B80 C8030000 mov eax, dword ptr ds:[eax+0x3C8]
00C444A0 . BA F847C400 mov edx, navicat.00C447F8 ; UNICODE "Activate Now"
00C444A5 . E8 5A3590FF call navicat.00547A04
00C444AA . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C444AD . 8B90 C8030000 mov edx, dword ptr ds:[eax+0x3C8]
00C444B3 . 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C444B6 . E8 85E29FFF call navicat.00642740
00C444BB > 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C444BE . 8B10 mov edx, dword ptr ds:[eax]
00C444C0 . FF92 28010000 call near dword ptr ds:[edx+0x128]
00C444C6 . 33C0 xor eax, eax
00C444C8 . 5A pop edx ; user32.77D19418
00C444C9 . 59 pop ecx ; user32.77D19418
00C444CA . 59 pop ecx ; user32.77D19418
00C444CB . 64:8910 mov dword ptr fs:[eax], edx ; ntdll.KiFastSystemCallRet
00C444CE . 68 E344C400 push navicat.00C444E3
00C444D3 > 8B45 D0 mov eax, dword ptr ss:[ebp-0x30] ; user32.77D19418
00C444D6 . E8 093E7CFF call navicat.004082E4
00C444DB . C3 retn
00C444DC .^ E9 97507CFF jmp navicat.00409578
00C444E1 .^ EB F0 jmp short navicat.00C444D3
00C444E3 > 33C0 xor eax, eax ; Default case of switch 00C4404F
00C444E5 . 5A pop edx ; user32.77D19418
00C444E6 . 59 pop ecx ; user32.77D19418
00C444E7 . 59 pop ecx ; user32.77D19418
00C444E8 . 64:8910 mov dword ptr fs:[eax], edx ; ntdll.KiFastSystemCallRet
00C444EB . 68 1D45C400 push navicat.00C4451D
00C444F0 > 8D45 84 lea eax, dword ptr ss:[ebp-0x7C]
00C444F3 . E8 E05B7CFF call navicat.0040A0D8
00C444F8 . 8D45 90 lea eax, dword ptr ss:[ebp-0x70]
00C444FB . E8 D85B7CFF call navicat.0040A0D8
00C44500 . 8D45 A4 lea eax, dword ptr ss:[ebp-0x5C]
00C44503 . E8 D05B7CFF call navicat.0040A0D8
00C44508 . 8D45 D4 lea eax, dword ptr ss:[ebp-0x2C]
00C4450B . BA 0B000000 mov edx, 0xB
00C44510 . E8 235C7CFF call navicat.0040A138
00C44515 . C3 retn
整个函数是一个switch语句:
switch( al )
{
case 0:
试用版,未过期,显示trial窗口
00C440BF . BA 5445C400 mov edx, navicat.00C44554 ; UNICODE "This is a limited 30-day trial version of PremiumSoft Navicat for evaluation purposes.
If you like "
case 1:
试用版,未过期,提示激活,显示trial窗口
00C4419B . B8 0047C400 mov eax, navicat.00C44700 ; UNICODE "%s must be activated before %s."
00C441AD . 68 6047C400 push navicat.00C44760 ; UNICODE "Do you want to activate now?"
00C4422B . BA CC47C400 mov edx, navicat.00C447CC ; UNICODE "Activate Later"
00C4423E . BA F847C400 mov edx, navicat.00C447F8 ; UNICODE "Activate Now"
case 2:
试用版已过期或NFR (NFR即Not For Retail)版授权已过期。
00C442E4 . BA 5445C400 mov edx, navicat.00C44554 ; UNICODE "This is a limited 30-day trial version of PremiumSoft Navicat for evaluation purposes.
If you like "
00C44331 . 68 2048C400 push navicat.00C44820 ; UNICODE "The activation period has expired.
"
00C4434B . B8 AC48C400 mov eax, navicat.00C448AC ; UNICODE "Please activate this product online or contact %s for any enquiry."
00C4435D . 68 5449C400 push navicat.00C44954 ; UNICODE "Expiration Date"
00C443BB . 68 9449C400 push navicat.00C44994 ; UNICODE "This NFR license has expired.
"
00C443E7 . 68 5449C400 push navicat.00C44954 ; UNICODE "Expiration Date"
}
================================================================================================
如果是已激活版本,那么肯定不会跳到这里来的。因此,我们在这个函数开头处下断:
00C44030 $ 55 push ebp
重新运行,断在 00C44030, Alt + K 查看调用堆栈:
Call stack of main thr3@d
Address Stack Procedure / arguments Called from Frame
0012FF70 014D7F59 ? navicat.00C44030 navicat.014D7F54
好了,我们再到 014D7F54 看看。
很明显,如果有跳转直接跳过 014D7F54 的,那么程序也会直接运行。
014D7F4D 8038 04 cmp byte ptr ds:[eax], 0x4
014D7F50 75 09 jnz short navicat.014D7F5B ;注意这个跳转
014D7F52 33C0 xor eax, eax
014D7F54 E8 D7C076FF call navicat.00C44030
014D7F59 EB 58 jmp short navicat.014D7FB3
014D7F5B A1 E4875001 mov eax, dword ptr ds:[0x15087E4]
014D7F60 0FB600 movzx eax, byte ptr ds:[eax]
014D7F63 04 FB add al, 0xFB
014D7F65 2C 03 sub al, 0x3
就在 014D7F54 这个call 上面的014D7F50处即有一个跳转。
我们在 014D7F4D处下断。然后重新运行。
可以看到 程序将0x4 与 ds段中的01510EB0 处一个全局变量作比较。
而目前这个变量的值是 0x4 .
很明显不会跳过014D7F54处的这个call.
由于这里是一个全局变量,因此,我们不临时改变跳转了,而是直接修改变量的值来测试程序运行结果。
修改 01510EB0 处的值为 00 看,那么程序应该会直接跳到 014D7F5B 了。也就不会执行014D7F54处的
如对本文有疑问, 点击进行留言回复!!
Getright 5 手动脱壳和重建IAT--第一部分(图)
我要评论
网友评论