Chinaunix首页 | 论坛 | 博客

为理想而奋斗zhshujun.blog.chinaunix.net

首页 |  博文目录 |  关于我

zhshujun

  • 博客访问: 1998560
  • 博文数量: 346
  • 博客积分: 10221
  • 博客等级: 上将
  • 技术积分: 4079
  • 用 户 组: 普通用户
  • 注册时间: 2009-06-01 19:43
文章分类

全部博文(346)

文章存档

2012年(1)

2011年(102)

2010年(116)

2009年(127)

我的朋友
最近访客
推荐博文
相关博文
把玩 PowerShellPlus (2)

分类: WINDOWS

2011-02-21 13:22:53

PowerShellPlus的注册信息保存在什么地方呢?显示注册信息有两个地方,
第一个是程序启动时(Idera.Tools.Core.Form_Welcome)
调用栈为
0012ee38 0191d3ce Idera.Tools.Core.LicenseUI.StartupLicenseCheck()
0012ee58 0191d12e PSP.PSPlusApp.kjxYMeZu25(Boolean)
0012ee88 0191ca4f PSP.PSPlusApp..ctor()

0:006> !u 01e0002c
Normal JIT generated code
Idera.Tools.Core.LicenseUI.StartupLicenseCheck()
Begin 0192d248, size 23d
0192d248 55              push    ebp
0192d249 8bec            mov     ebp,esp
0192d24b 57              push    edi
0192d24c 56              push    esi
0192d24d 53              push    ebx
0192d24e 83ec0c          sub     esp,0Ch
0192d251 33d2            xor     edx,edx
0192d253 8955e8          mov     dword ptr [ebp-18h],edx
0192d256 ff15e001e001    call    dword ptr [+0x1e001df (01e001e0)] (Idera.Tools.Core.BBSProductLicense.ReadProductLicense(), mdToken: 0600004f)
0192d25c 8bf0            mov     esi,eax
0192d25e 8b152c20e802    mov     edx,dword ptr [+0x2e8202b (02e8202c)] ("")
0192d264 8bce            mov     ecx,esi
0192d266 e805499b77      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
0192d26b 85c0            test    eax,eax
0192d26d 7453            je      +0x192d2c1 (0192d2c2)         //如果读取LicenseKey.Lic失败
0192d26f ff15f801e001    call    dword ptr [+0x1e001f7 (01e001f8)] (Idera.Tools.Core.BBSProductLicense.ReadProductLicenseFromRegistry(), mdToken: 06000051)
0192d275 8bf0            mov     esi,eax
0192d277 8b152c20e802    mov     edx,dword ptr [+0x2e8202b (02e8202c)] ("")
0192d27d 8bce            mov     ecx,esi
0192d27f e8ec489b77      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
0192d284 85c0            test    eax,eax
0192d286 7508            jne     +0x192d28f (0192d290)
0192d288 8bce            mov     ecx,esi
0192d28a ff15ec01e001    call    dword ptr [+0x1e001eb (01e001ec)] (Idera.Tools.Core.BBSProductLicense.WriteProductLicense(System.String), mdToken: 06000050)
0192d290 8b152c20e802    mov     edx,dword ptr [+0x2e8202b (02e8202c)] ("")
0192d296 8bce            mov     ecx,esi
0192d298 e8d3489b77      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
0192d29d 85c0            test    eax,eax
0192d29f 7421            je      +0x192d2c1 (0192d2c2)
0192d2a1 ff151002e001    call    dword ptr [+0x1e0020f (01e00210)] (Idera.Tools.Core.BBSProductLicense.ReadTrialLicense(), mdToken: 06000053)
0192d2a7 8bf0            mov     esi,eax
0192d2a9 8b152c20e802    mov     edx,dword ptr [+0x2e8202b (02e8202c)] ("")
0192d2af 8bce            mov     ecx,esi
0192d2b1 e8ba489b77      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
0192d2b6 85c0            test    eax,eax
0192d2b8 7508            jne     +0x192d2c1 (0192d2c2)
0192d2ba 8bce            mov     ecx,esi
0192d2bc ff15ec01e001    call    dword ptr [+0x1e001eb (01e001ec)] (Idera.Tools.Core.BBSProductLicense.WriteProductLicense(System.String), mdToken: 06000050)
0192d2c2 8b152c20e802    mov     edx,dword ptr [+0x2e8202b (02e8202c)] ("")
0192d2c8 8bce            mov     ecx,esi
0192d2ca e8a1489b77      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
0192d2cf 85c0            test    eax,eax
0192d2d1 7431            je      +0x192d303 (0192d304)
0192d2d3 803da8cb990100  cmp     byte ptr [+0x199cba7 (0199cba8)],0
0192d2da 7420            je      +0x192d2fb (0192d2fc)
0192d2dc a14875eb02      mov     eax,dword ptr [+0x2eb7547 (02eb7548)] (Object: System.DateTime)
0192d2e1 83c004          add     eax,4
0192d2e4 3b08            cmp     ecx,dword ptr [eax]
0192d2e6 83ec08          sub     esp,8
0192d2e9 f30f7e00        movq    xmm0,mmword ptr [eax]
0192d2ed 660fd60424      movq    mmword ptr [esp],xmm0
0192d2f2 ff152802e001    call    dword ptr [+0x1e00227 (01e00228)] (Idera.Tools.Core.BBSProductLicense.GenerateBetaLicense(System.DateTime), mdToken: 06000055)
0192d2f8 8bf0            mov     esi,eax
0192d2fa eb08            jmp     +0x192d303 (0192d304)
0192d2fc ff151c02e001    call    dword ptr [+0x1e0021b (01e0021c)] (Idera.Tools.Core.BBSProductLicense.GenerateTrialLicense(), mdToken: 06000054)
0192d302 8bf0            mov     esi,eax
0192d304 8b152c20e802    mov     edx,dword ptr [+0x2e8202b (02e8202c)] ("")
0192d30a 8bce            mov     ecx,esi
0192d30c e85f489b77      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
0192d311 85c0            test    eax,eax
0192d313 7417            je      +0x192d32b (0192d32c)
0192d315 c745ec01000000  mov     dword ptr [ebp-14h],offset (00000001)
0192d31c 0fb605a8cb9901  movzx   eax,byte ptr [+0x199cba7 (0199cba8)]
0192d323 8945f0          mov     dword ptr [ebp-10h],eax
0192d326 33db            xor     ebx,ebx
0192d328 33ff            xor     edi,edi
0192d32a eb5c            jmp     +0x192d387 (0192d388)
0192d32c e8ffa49577      call    mscorlib_ni+0x1c7830 (79287830) (System.Reflection.Assembly.GetExecutingAssembly(), mdToken: 06001c31)
0192d331 8bc8            mov     ecx,eax
0192d333 8b01            mov     eax,dword ptr [ecx]
0192d335 ff504c          call    dword ptr [eax+4Ch]
0192d338 8bd8            mov     ebx,eax
0192d33a b9e803e001      mov     ecx,offset +0x1e003e7 (01e003e8) (MT: Idera.Tools.Core.BBSProductLicense)
0192d33f e8d84cc0ff      call    +0x153201b (0153201c) (JitHelp: CORINFO_HELP_NEWSFAST)
0192d344 8bf8            mov     edi,eax
0192d346 8b5318          mov     edx,dword ptr [ebx+18h]
0192d349 56              push    esi
0192d34a 8bcf            mov     ecx,edi
0192d34c ff15f000e001    call    dword ptr [+0x1e000ef (01e000f0)] (Idera.Tools.Core.BBSProductLicense..ctor(System.Version, System.String), mdToken: 0600003b)
0192d352 897de8          mov     dword ptr [ebp-18h],edi
0192d355 8d470c          lea     eax,[edi+0Ch]
0192d358 0fb6401c        movzx   eax,byte ptr [eax+1Ch]
0192d35c 8945ec          mov     dword ptr [ebp-14h],eax
0192d35f 8d470c          lea     eax,[edi+0Ch]
0192d362 80781c00        cmp     byte ptr [eax+1Ch],0
0192d366 7409            je      +0x192d370 (0192d371)
0192d368 0fb605a8cb9901  movzx   eax,byte ptr [+0x199cba7 (0199cba8)]
0192d36f eb02            jmp     +0x192d372 (0192d373)
0192d371 33c0            xor     eax,eax
0192d373 25ff000000      and     eax,offset +0xfe (000000ff)
0192d378 8945f0          mov     dword ptr [ebp-10h],eax
0192d37b 8d470c          lea     eax,[edi+0Ch]
0192d37e 8b5818          mov     ebx,dword ptr [eax+18h]
0192d381 8d7f0c          lea     edi,[edi+0Ch]
0192d384 0fb67f1d        movzx   edi,byte ptr [edi+1Dh]
0192d388 891d90cb9901    mov     dword ptr [+0x199cb8f (0199cb90)],ebx
0192d38e 85db            test    ebx,ebx
0192d390 7e0e            jle     +0x192d39f (0192d3a0)
0192d392 8bc7            mov     eax,edi
0192d394 0b45ec          or      eax,dword ptr [ebp-14h]
0192d397 0b45f0          or      eax,dword ptr [ebp-10h]
0192d39a 0f84c6000000    je      +0x192d465 (0192d466)
0192d3a0 b96805e001      mov     ecx,offset +0x1e00567 (01e00568) (MT: Idera.Tools.Core.Form_Welcome)
0192d3a5 e80db25578      call    mscorwks!JIT_NewCrossContext (79e885b7)
0192d3aa 8bf0            mov     esi,eax
0192d3ac ff75ec          push    dword ptr [ebp-14h]
0192d3af 53              push    ebx
0192d3b0 57              push    edi
0192d3b1 ff353c75eb02    push    dword ptr [+0x2eb753b (02eb753c)] ("3.0.1.0")
0192d3b7 ff355c75eb02    push    dword ptr [+0x2eb755b (02eb755c)] ("PowerShellPlus")
0192d3bd 8b55f0          mov     edx,dword ptr [ebp-10h]
0192d3c0 8bce            mov     ecx,esi
0192d3c2 e80d21c2ff      call    +0x154f4d3 (0154f4d4) (Idera.Tools.Core.Form_Welcome..ctor(Boolean, Boolean, Int32, Boolean, System.String, System.String), mdToken: 06000018)
0192d3c7 8bce            mov     ecx,esi

0192d484 c3              ret

在程序开始时设置断点,
0:000> sxe ld:mscorjit;g;.loadby sos mscorwks

此时,还未执行到PowerShellPlus的代码
0:000> !name2ee PowerShellPlus.exe PSP.PSPlusApp
Module: 01542c5c (PowerShellPlus.exe)
Token: 0×02000242
MethodTable:
EEClass:
Name: PSP.PSPlusApp

在PSPlusApp..ctor上加断点
0:000> !bpmd PowerShellPlus.exe PSP.PSPlusApp..ctor
Found 1 methods…
Adding pending breakpoints…
0:000> g 直到断点发生作用
发现Form_Welcome..ctor会在目录
C:\Documents and Settings\Huang\Local Settings\Application Data\PowerShellPlus 下加载程序的配置

第二个是Idera.Tools.Core.Form_ManageLicense
 
打开Manage License对话框,执行
>!dumpheap –type Form
发现对象Idera.Tools.Core.Form_ManageLicense:
07a1e498        1          392 Idera.Tools.Core.Form_ManageLicense

执行>!dumpmt –md 07a1e498,      
0beea710   07a1e424      JIT Idera.Tools.Core.Form_ManageLicense.LoadLicenseInformation()

跟踪至Idera.Tools.Core.BBSProductLicense, 这是最最核心的部分
JIT为NONE 的函数说明从未执行,可以不用考虑
0:005> !dumpmt -md 01df03e8        
EEClass: 01b86990
Module: 0198c78c
Name: Idera.Tools.Core.BBSProductLicense
mdToken: 0200000d  (ToolsCore, Version=1.2.0.62, Culture=neutral, PublicKeyToken=null)
BaseSize: 0×30
ComponentSize: 0×0
Number of IFaces in IFaceMap: 0
Slots in VTable: 33
————————————–
MethodDesc Table
   Entry MethodDesc      JIT Name
79286aa0   79104924   PreJIT System.Object.ToString()
79286ac0   7910492c   PreJIT System.Object.Equals(System.Object)
79286b30   7910495c   PreJIT System.Object.GetHashCode()
792f7410   79104980   PreJIT System.Object.Finalize()
0154f41d   01df00dc     NONE Idera.Tools.Core.BBSProductLicense.get_OrginalScopeString()
0191d940   01df00e8      JIT Idera.Tools.Core.BBSProductLicense..ctor(System.Version, System.String)
0191d9c0   01df013c      JIT Idera.Tools.Core.BBSProductLicense.CleanseScopeString(System.String)
04946990   01df0154      JIT Idera.Tools.Core.BBSProductLicense.GetLicenseScopeStr(BBS.License.BBSLic)
049469c8   01df0160      JIT Idera.Tools.Core.BBSProductLicense.GetLicenseTypeStr(BBS.License.BBSLic)
04946a00   01df016c      JIT Idera.Tools.Core.BBSProductLicense.GetLicenseExpirationDateStr(BBS.License.BBSLic)
04946b50   01df0178      JIT Idera.Tools.Core.BBSProductLicense.GetLicenseDaysToExpirationStr(BBS.License.BBSLic)
04946578   01df019c      JIT Idera.Tools.Core.BBSProductLicense.FillLicenseData(System.String)
049468e0   01df01a8      JIT Idera.Tools.Core.BBSProductLicense.IsLicenseValid(BBS.License.BBSLic, System.String)
04946938   01df01c0      JIT Idera.Tools.Core.BBSProductLicense.IsLicenseProductIDValid(BBS.License.BBSLic)
049466c8   01df01cc      JIT Idera.Tools.Core.BBSProductLicense.LoadAndValidateLicense(System.String, BBS.License.BBSLic ByRef)
0191d498   01df01d8      JIT Idera.Tools.Core.BBSProductLicense.ReadProductLicense()

0:015> !name2ee ToolsCore Idera.Tools.Core.BBSProductLicense.ReadProductLicense
Module: 0198c78c (ToolsCore, Version=1.2.0.62, Culture=neutral, PublicKeyToken=null)
Token: 0x0600004f
MethodDesc: 01df01d8
Name: Idera.Tools.Core.BBSProductLicense.ReadProductLicense()
JITTED Code Address: 0191d498

0:015> !u 01df01d8
Normal JIT generated code
Idera.Tools.Core.BBSProductLicense.ReadProductLicense()
Begin 0191d498, size ee
0191d498 55              push    ebp
0191d499 8bec            mov     ebp,esp
0191d49b 57              push    edi
0191d49c 56              push    esi
0191d49d 53              push    ebx
0191d49e 83ec20          sub     esp,20h
0191d4a1 8d7dd4          lea     edi,[ebp-2Ch]
0191d4a4 b907000000      mov     ecx,offset +0×6 (00000007)
0191d4a9 33c0            xor     eax,eax
0191d4ab f3ab            rep stos dword ptr es:[edi]
0191d4ad 33c0            xor     eax,eax
0191d4af 8945e8          mov     dword ptr [ebp-18h],eax
0191d4b2 8b052c20e802    mov     eax,dword ptr [+0x2e8202b (02e8202c)] ("")
0191d4b8 8945dc          mov     dword ptr [ebp-24h],eax
0191d4bb 8b0d5c75eb02    mov     ecx,dword ptr [+0x2eb755b (02eb755c)] ("PowerShellPlus")
0191d4c1 ba01000000      mov     edx,offset (00000001)
0191d4c6 ff15540cdf01    call    dword ptr [+0x1df0c53 (01df0c54)] (Idera.Tools.Core.Helpers.GetApplicationDirectory(System.String, Boolean), mdToken: 0600005a)
0191d4cc 8b153021e802    mov     edx,dword ptr [+0x2e8212f (02e82130)] ("LicenseKey.Lic")
0191d4d2 8bc8            mov     ecx,eax
0191d4d4 e8e7bf9677      call    mscorlib_ni+0x1c94c0 (792894c0) (System.IO.Path.Combine(System.String, System.String), mdToken: 06003605)
0191d4d9 8945d8          mov     dword ptr [ebp-28h],eax
0191d4dc 8bc8            mov     ecx,eax
0191d4de e88dc19c77      call    mscorlib_ni+0×229670 (792e9670) (System.IO.File.Exists(System.String), mdToken: 06003520)
0191d4e3 85c0            test    eax,eax
0191d4e5 0f8490000000    je      +0x191d57a (0191d57b)
0191d4eb b980893179      mov     ecx,offset mscorlib_ni+0×258980 (79318980) (MT: System.IO.StreamReader)
0191d4f0 e8c2b05678      call    mscorwks!JIT_NewCrossContext (79e885b7)
0191d4f5 8bf0            mov     esi,eax
0191d4f7 8b55d8          mov     edx,dword ptr [ebp-28h]
0191d4fa 8bce            mov     ecx,esi
0191d4fc e8e76c9277      call    mscorlib_ni+0x1841e8 (792441e8) (System.IO.StreamReader..ctor(System.String), mdToken: 06003649)
0191d501 8975d4          mov     dword ptr [ebp-2Ch],esi
0191d504 8bce            mov     ecx,esi
0191d506 8b01            mov     eax,dword ptr [ecx]
0191d508 ff5064          call    dword ptr [eax+64h]
0191d50b 8bc8            mov     ecx,eax
0191d50d 85c9            test    ecx,ecx
0191d50f 740c            je      +0x191d51c (0191d51d)
0191d511 83790800        cmp     dword ptr [ecx+8],0
0191d515 0f94c0          sete    al
0191d518 0fb6c0          movzx   eax,al
0191d51b eb05            jmp     +0x191d521 (0191d522)
0191d51d b801000000      mov     eax,offset (00000001)
0191d522 85c0            test    eax,eax
0191d524 7510            jne     +0x191d535 (0191d536)
0191d526 6a04            push    4
0191d528 ba01000000      mov     edx,offset (00000001)
0191d52d ff157c0ddf01    call    dword ptr [+0x1df0d7b (01df0d7c)] (Idera.Tools.Core.EncryptionHelper.QuickDecryptInternal(System.String, Boolean, Idera.Tools.Core.EncryptionType), mdToken: 06000037)
0191d533 8945dc          mov     dword ptr [ebp-24h],eax
0191d536 8bce            mov     ecx,esi
0191d538 8b01            mov     eax,dword ptr [ecx]
0191d53a ff5044          call    dword ptr [eax+44h]
0191d53d c745e400000000  mov     dword ptr [ebp-1Ch],0
0191d544 c745e8fc000000  mov     dword ptr [ebp-18h],offset +0xfb (000000fc)
0191d54b 6864d59101      push    offset +0x191d563 (0191d564)
0191d550 eb00            jmp     +0x191d551 (0191d552)
0191d552 837dd400        cmp     dword ptr [ebp-2Ch],0
0191d556 7409            je      +0x191d560 (0191d561)
0191d558 8b4dd4          mov     ecx,dword ptr [ebp-2Ch]
0191d55b ff15900c5501    call    dword ptr [+0x1550c8f (01550c90)] ()
0191d561 58              pop     eax
0191d562 ffe0            jmp     eax
0191d564 c745e800000000  mov     dword ptr [ebp-18h],0
0191d56b eb0e            jmp     +0x191d57a (0191d57b)
0191d56d 8b052c20e802    mov     eax,dword ptr [+0x2e8202b (02e8202c)] ("")
0191d573 8945dc          mov     dword ptr [ebp-24h],eax
0191d576 e8b9465578      call    mscorwks!JIT_EndCatch (79e71c34)
0191d57b 8b45dc          mov     eax,dword ptr [ebp-24h]
0191d57e 8d65f4          lea     esp,[ebp-0Ch]
0191d581 5b              pop     ebx
0191d582 5e              pop     esi
0191d583 5f              pop     edi
0191d584 5d              pop     ebp
0191d585 c3              ret

跟踪BBSProductLicense.ReadProductLicense(),发现Lic文件存放于
C:\Documents and Settings\All Users\Application Data\Idera\PowerShellPlus\LicenseKey.Lic
如果删掉这个文件,Idera.Tools.Core.Form_ManageLicense 就会什么也不显示.
在关闭Idera.Tools.Core.Form_ManageLicense时,LicenseKey.Lic会被自动生成,
BBSProductLicense.ReadProductLicense也会被再次调用
这些动作都发生在Idera.Tools.Core.LicenseUI.DaysLeft()中
0:000> !u 04947c4e 
Normal JIT generated code
Idera.Tools.Core.LicenseUI.DaysLeft()
Begin 04947bf8, size 10c
04947bf8 55              push    ebp
04947bf9 8bec            mov     ebp,esp
04947bfb 57              push    edi
04947bfc 56              push    esi
04947bfd 53              push    ebx
04947bfe e89558fdfc      call    +0x191d497 (0191d498) (Idera.Tools.Core.BBSProductLicense.ReadProductLicense(), mdToken: 0600004f)
04947c03 8bf0            mov     esi,eax
04947c05 8b152c20e802    mov     edx,dword ptr [+0x2e8202b (02e8202c)] ("")
04947c0b 8bce            mov     ecx,esi
04947c0d e85e9f9974      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
04947c12 85c0            test    eax,eax
04947c14 7453            je      +0x4947c68 (04947c69)
04947c16 ff15f801df01    call    dword ptr [+0x1df01f7 (01df01f8)] (Idera.Tools.Core.BBSProductLicense.ReadProductLicenseFromRegistry(), mdToken: 06000051)
04947c1c 8bf0            mov     esi,eax
04947c1e 8b152c20e802    mov     edx,dword ptr [+0x2e8202b (02e8202c)] ("")
04947c24 8bce            mov     ecx,esi
04947c26 e8459f9974      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
04947c2b 85c0            test    eax,eax
04947c2d 7508            jne     +0x4947c36 (04947c37)
04947c2f 8bce            mov     ecx,esi
04947c31 ff15ec01df01    call    dword ptr [+0x1df01eb (01df01ec)] (Idera.Tools.Core.BBSProductLicense.WriteProductLicense(System.String), mdToken: 06000050)
04947c37 8b152c20e802    mov     edx,dword ptr [+0x2e8202b (02e8202c)] ("")
04947c3d 8bce            mov     ecx,esi
04947c3f e82c9f9974      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
04947c44 85c0            test    eax,eax
04947c46 7421            je      +0x4947c68 (04947c69)
04947c48 ff151002df01    call    dword ptr [+0x1df020f (01df0210)] (Idera.Tools.Core.BBSProductLicense.ReadTrialLicense(), mdToken: 06000053)
>>> 04947c4e 8bf0            mov     esi,eax
04947c50 8b152c20e802    mov     edx,dword ptr [+0x2e8202b (02e8202c)] ("")
04947c56 8bce            mov     ecx,esi
04947c58 e8139f9974      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
04947c5d 85c0            test    eax,eax
04947c5f 7508            jne     +0x4947c68 (04947c69)
04947c61 8bce            mov     ecx,esi
04947c63 ff15ec01df01    call    dword ptr [+0x1df01eb (01df01ec)] (Idera.Tools.Core.BBSProductLicense.WriteProductLicense(System.String), mdToken: 06000050)
04947c69 8b152c20e802    mov     edx,dword ptr [+0x2e8202b (02e8202c)] ("")
04947c6f 8bce            mov     ecx,esi
04947c71 e8fa9e9974      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
04947c76 85c0            test    eax,eax
04947c78 7431            je      +0x4947caa (04947cab)
04947c7a 803da8cb980100  cmp     byte ptr [+0x198cba7 (0198cba8)],0
04947c81 7420            je      +0x4947ca2 (04947ca3)
04947c83 a14875eb02      mov     eax,dword ptr [+0x2eb7547 (02eb7548)] (Object: System.DateTime)
04947c88 83c004          add     eax,4
04947c8b 3b08            cmp     ecx,dword ptr [eax]
04947c8d 83ec08          sub     esp,8
04947c90 f30f7e00        movq    xmm0,mmword ptr [eax]
04947c94 660fd60424      movq    mmword ptr [esp],xmm0
04947c99 ff152802df01    call    dword ptr [+0x1df0227 (01df0228)] (Idera.Tools.Core.BBSProductLicense.GenerateBetaLicense(System.DateTime), mdToken: 06000055)
04947c9f 8bf0            mov     esi,eax
04947ca1 eb08            jmp     +0x4947caa (04947cab)
04947ca3 ff151c02df01    call    dword ptr [+0x1df021b (01df021c)] (Idera.Tools.Core.BBSProductLicense.GenerateTrialLicense(), mdToken: 06000054)
04947ca9 8bf0            mov     esi,eax
04947cab 8b152c20e802    mov     edx,dword ptr [+0x2e8202b (02e8202c)] ("")
04947cb1 8bce            mov     ecx,esi
04947cb3 e8b89e9974      call    mscorlib_ni+0x221b70 (792e1b70) (System.String.Equals(System.String, System.String), mdToken: 06000143)
04947cb8 85c0            test    eax,eax
04947cba 7404            je      +0x4947cbf (04947cc0)
04947cbc 33d2            xor     edx,edx
04947cbe eb3d            jmp     +0x4947cfc (04947cfd)
04947cc0 e86bfb9374      call    mscorlib_ni+0x1c7830 (79287830) (System.Reflection.Assembly.GetExecutingAssembly(), mdToken: 06001c31)
04947cc5 8bc8            mov     ecx,eax
04947cc7 8b01            mov     eax,dword ptr [ecx]
04947cc9 ff504c          call    dword ptr [eax+4Ch]
04947ccc 8bd8            mov     ebx,eax
04947cce b9e803df01      mov     ecx,offset +0x1df03e7 (01df03e8) (MT: Idera.Tools.Core.BBSProductLicense)
04947cd3 e844a3befc      call    +0x153201b (0153201c) (JitHelp: CORINFO_HELP_NEWSFAST)
04947cd8 8bf8            mov     edi,eax
04947cda 8b5318          mov     edx,dword ptr [ebx+18h]
04947cdd 56              push    esi
04947cde 8bcf            mov     ecx,edi
04947ce0 e85b5cfdfc      call    +0x191d93f (0191d940) (Idera.Tools.Core.BBSProductLicense..ctor(System.Version, System.String), mdToken: 0600003b)
04947ce5 8d470c          lea     eax,[edi+0Ch]
04947ce8 38401c          cmp     byte ptr [eax+1Ch],al
04947ceb 8d470c          lea     eax,[edi+0Ch]
04947cee 38401c          cmp     byte ptr [eax+1Ch],al
04947cf1 8d470c          lea     eax,[edi+0Ch]
04947cf4 8b5018          mov     edx,dword ptr [eax+18h]
04947cf7 8d7f0c          lea     edi,[edi+0Ch]
04947cfa 38471d          cmp     byte ptr [edi+1Dh],al
04947cfd 8bc2            mov     eax,edx
04947cff 5b              pop     ebx
04947d00 5e              pop     esi
04947d01 5f              pop     edi
04947d02 5d              pop     ebp
04947d03 c3              ret

反汇编Idera.Tools.Core.BBSProductLicense.GenerateTrialLicense()的代码,
0:000> !u 048c648d 
Normal JIT generated code
Idera.Tools.Core.BBSProductLicense.GenerateTrialLicense()
Begin 048c63b8, size e7
048c63b8 55              push    ebp

048c6400 8bce            mov     ecx,esi
048c6402 ba0e000000      mov     edx,offset +0xd (0000000e)
048c6407 ff1540fddf01    call    dword ptr [+0x1dffd3f (01dffd40)] (BBS.License.BBSLic.set_DaysToExpiration(Int32), mdToken: 06000084)
048c640d 0fbf15accb9801  movsx   edx,word ptr [+0x198cbab (0198cbac)]
048c6414 8bce            mov     ecx,esi
048c6416 ff15c4fddf01    call    dword ptr [+0x1dffdc3 (01dffdc4)] (BBS.License.BBSLic.set_ProductID(Int16), mdToken: 0600008f)
048c641c e87f1bca75      call    System_ni+0x127fa0 (7a567fa0) (System.Net.Dns.GetHostName(), mdToken: 06001cb3)
048c6421 8bd0            mov     edx,eax
048c6423 8bce            mov     ecx,esi
048c6425 ff15b8fcdf01    call    dword ptr [+0x1dffcb7 (01dffcb8)] (BBS.License.BBSLic.SetScopeHash(System.String), mdToken: 06000078)
048c642b 8bce            mov     ecx,esi
048c642d ba01000000      mov     edx,offset (00000001)
048c6432 ff15f4fddf01    call    dword ptr [+0x1dffdf3 (01dffdf4)] (BBS.License.BBSLic.set_Limit1(Int32), mdToken: 06000093)
048c6438 8bce            mov     ecx,esi
048c643a ba01000000      mov     edx,offset (00000001)
048c643f ff150cfedf01    call    dword ptr [+0x1dffe0b (01dffe0c)] (BBS.License.BBSLic.set_Limit2(Int16), mdToken: 06000095)
048c6445 b9a8253379      mov     ecx,offset mscorlib_ni+0x2725a8 (793325a8) (MT: System.Version)
048c644a e8cdbbc6fc      call    +0x153201b (0153201c) (JitHelp: CORINFO_HELP_NEWSFAST)
048c644f 8bf8            mov     edi,eax
048c6451 6a01            push    1
048c6453 8bcf            mov     ecx,edi
048c6455 ba01000000      mov     edx,offset (00000001)
048c645a e8c12fa274      call    mscorlib_ni+0×229420 (792e9420) (System.Version..ctor(Int32, Int32), mdToken: 06001111)
048c645f 8bd7            mov     edx,edi
048c6461 8bce            mov     ecx,esi
048c6463 ff1570fddf01    call    dword ptr [+0x1dffd6f (01dffd70)] (BBS.License.BBSLic.set_ProductVersion(System.Version), mdToken: 06000088)
048c6469 ff155001df01    call    dword ptr [+0x1df014f (01df0150)] (Idera.Tools.Core.BBSProductLicense.PW(), mdToken: 06000043)
048c646f 8bd0            mov     edx,eax
048c6471 8bce            mov     ecx,esi
048c6473 ff15a0fcdf01    call    dword ptr [+0x1dffc9f (01dffca0)] (BBS.License.BBSLic.GetKeyString(Byte[]), mdToken: 06000076)
048c6479 8945dc          mov     dword ptr [ebp-24h],eax
048c647c 8bc8            mov     ecx,eax
048c647e ff15ec01df01    call    dword ptr [+0x1df01eb (01df01ec)] (Idera.Tools.Core.BBSProductLicense.WriteProductLicense(System.String), mdToken: 06000050)
048c6484 8b4ddc          mov     ecx,dword ptr [ebp-24h]
048c6487 ff153402df01    call    dword ptr [+0x1df0233 (01df0234)] (Idera.Tools.Core.BBSProductLicense.WriteTrialLicense(System.String), mdToken: 06000056)
>>> 048c648d eb05            jmp     +0x48c6493 (048c6494)
048c648f e8a0b75a75      call    mscorwks!JIT_EndCatch (79e71c34)
048c6494 8b45dc          mov     eax,dword ptr [ebp-24h]
048c6497 8d65f4          lea     esp,[ebp-0Ch]
048c649a 5b              pop     ebx
048c649b 5e              pop     esi
048c649c 5f              pop     edi
048c649d 5d              pop     ebp
048c649e c3              ret

可以发现
GenerateTrialLicense()会生成一个Lincense对象(BBS.License.BBSLic),其中包含Key, IsTrial等信息,再调用BBS.License.BBSLic.GetKeyString 根据BBSLic对象的内容得到一个string类型的Key,
WriteProductLicense和WriteTrialLicense会把这个key加密后写到 HKEY_LOCAL_MACHINE\Software\Microsoft\IDEBT26002.0\
 
和C:\Documents and Settings\All Users\Application Data\Idera\PowerShellPlus\LicenseKey.Lic中
把这个两个地方的key删掉,每次运行程序都会生成新的TrialLicense, 就可以一直试用下去

GenerateTrialLicense()的逻辑大致为
byte[] pw= Idera.Tools.Core.BBSProductLicense.PW();
BBS.License.BBSLic lic = new BBS.License.BBSLic(); 
lic.DaysToExpiration = 0x0C;
lic.SetScopeHash(System.Net.Dns.GetHostName());
lic.Limit1 = 1;
lic.Limit2 = 1;
lic.ProductVersion = new System.Version("1.1");
string key = lic.GetKeyString(pw);

0:000> !u 048c68d8 
Normal JIT generated code
Idera.Tools.Core.BBSProductLicense.PW()
Begin 048c68d8, size 7f
>>> 048c68d8 55              push    ebp

048c6956 c3              ret

查看返回值为是一个长度为20的byte array
0:000> r
eax=0d186ee8

0:000> !da 0d186ee8 
Name: System.Byte[]
MethodTable: 79333470
EEClass: 790eeb6c
Size: 32(0×20) bytes
Array: Rank 1, Number of elements 20, Type Byte
Element Methodtable: 79333520
[0] 0d186ef0

0:000> db 0d186ef0
0d186ef0  30 a1 8f 30 d8 af f1 c9-dc dc ac 50 97 ca 5d 96  0..0…….P..].
0d186f00  9a 64 e6 ba 00 00 00 00-00 00 00 00 00 00 00 00  .d…………..

BBS.License.BBSLic.GetKeyString的输入参数是Idera.Tools.Core.BBSProductLicense.PW()的返回值,
把0:000> db 0d186ef0的结果付给
lic.GetKeyString() ,但是每次lic.GetKeyString都返回null.

跟踪BBSLic.GetKeyString
0:007> !bpmd License4Net BBS.License.BBSLic.GetKeyString
0:000> !u 00d99785 
Normal JIT generated code
BBS.License.BBSLic.GetKeyString(Byte[])
Begin 00d99708, size 111
00d99708 55              push    ebp
00d99709 8bec            mov     ebp,esp
00d9970b 57              push    edi
00d9970c 56              push    esi
00d9970d 53              push    ebx
00d9970e 83ec60          sub     esp,60h
00d99711 64a1400e0000    mov     eax,dword ptr fs:[00000E40h]
00d99717 8945c8          mov     dword ptr [ebp-38h],eax
00d9971a c74598e8a6e779  mov     dword ptr [ebp-68h],offset mscorwks!InlinedCallFrame::`vftable’ (79e7a6e8)
00d99721 c74594218b40b2  mov     dword ptr [ebp-6Ch],0B2408B21h
00d99728 8b780c          mov     edi,dword ptr [eax+0Ch]
00d9972b 897d9c          mov     dword ptr [ebp-64h],edi
00d9972e 896db8          mov     dword ptr [ebp-48h],ebp
00d99731 8d7d98          lea     edi,[ebp-68h]
00d99734 c745a400000000  mov     dword ptr [ebp-5Ch],0
00d9973b 89780c          mov     dword ptr [eax+0Ch],edi
00d9973e c745f0218b40b2  mov     dword ptr [ebp-10h],0B2408B21h
00d99745 894dc0          mov     dword ptr [ebp-40h],ecx
00d99748 8bf2            mov     esi,edx
00d9974a 85f6            test    esi,esi
00d9974c 0f84a0000000    je      00d997f2
00d99752 ff15a4799e00    call    dword ptr ds:[9E79A4h] (.BBS.License.SecretSauce(), mdToken: 06000009)
00d99758 8bf8            mov     edi,eax                          ——SecretSauce()返回一个byte array,和传入参数比较
00d9975a 85ff            test    edi,edi
00d9975c 0f8490000000    je      00d997f2
00d99762 8b5e04          mov     ebx,dword ptr [esi+4]
00d99765 395f04          cmp     dword ptr [edi+4],ebx
00d99768 0f8584000000    jne     00d997f2
00d9976e 33c9            xor     ecx,ecx
00d99770 85db            test    ebx,ebx
00d99772 7e32            jle     00d997a6
00d99774 8b4604          mov     eax,dword ptr [esi+4]
00d99777 8945c4          mov     dword ptr [ebp-3Ch],eax
00d9977a 8b45c4          mov     eax,dword ptr [ebp-3Ch]         —-循环
00d9977d 3bc8            cmp     ecx,eax
00d9977f 0f838e000000    jae     00d99813
00d99785 0fb6440e08      movzx   eax,byte ptr [esi+ecx+8]
00d9978a 3b4f04          cmp     ecx,dword ptr [edi+4]
00d9978d 0f8380000000    jae     00d99813
00d99793 3a440f08        cmp     al,byte ptr [edi+ecx+8]
00d99797 7509            jne     00d997a2
00d99799 83c101          add     ecx,1
00d9979c 3bcb            cmp     ecx,ebx
00d9979e 7cda            jl      00d9977a                                  —–处理 GetKeyString的输入参数                                   
00d997a0 eb04            jmp     00d997a6
00d997a2 33c0            xor     eax,eax

00d99812 c3              ret
00d99813 e86c2b3379      call    mscorwks!JIT_RngChkFail (7a0cc384)
00d99818 cc              int     3

但进入循环时
此时 esi 指向传入的byte array ,edi 也指向也是一个长度为20的byte array, 然后逐一比较每个元素
发现 循环没能跑完,从
00d99793 3a440f08        cmp     al,byte ptr [edi+ecx+8]
00d99797 7509            jne     00d997a2       跳进失败的分支
00d99799 83c101          add     ecx,1
00d9979c 3bcb            cmp     ecx,ebx
00d9979e 7cda            jl      00d9977a           

SecretSauce()和BBSProductLicense.PW()的算法相同:
等同于
private byte[] CreatePW()
{
     Process process = Process.GetCurrentProcess();
     string name = process.Machine;
     string id = process.Id.ToString();
     string pw = name + id;
     System.Text.UnicodeEncoding ue = new UnicodeEncoding(false, true, false);
     byte[] bytes = ue.GetBytes(pw);
     System.Security.Cryptography.SHA1Managed sm = new System.Security.Cryptography.SHA1Managed();
     byte[] hashValue = sm.ComputeHash(bytes);
     return hashValue;
}

byte[] pw = CreatePW();
BBS.License.BBSLic lic = new BBS.License.BBSLic();
lic.DaysToExpiration = 1000;
lic.SetScopeHash(System.Net.Dns.GetHostName());
lic.Limit1 = 1;
lic.Limit2 = 1;
lic.IsTrial = false;
lic.ProductVersion = new System.Version("1.1");
string key = lic.GetKeyString(pw);
LicErr error = lic.LoadKeyString(key);     //此处显示OK
但把生成的Key填入Idera.Tools.Core.Form_AddLicense,仍然会显示错误:
 
对比PowerShellPlus自已生成的TrailKey.
BBS.License.BBSLic lic = new BBS.License.BBSLic();
LicErr error = lic.LoadKeyString(“AUW4X-L6ERM-6SZ92-VLTMF-QYC4MN”);
发现还需要设置
lic.ProductID = 0x0a28;
其实GenerateTrialLicense()已经中设置了ProductID,被我看漏了

完整的序列号生成代码如下:
//–引用License4Net.dll
byte[] pw = CreatePW();
BBS.License.BBSLic lic = new BBS.License.BBSLic();
lic.DaysToExpiration = 1000;
lic.SetScopeHash(System.Net.Dns.GetHostName());
lic.Limit1 = 1;
lic.Limit2 = 1;
lic.IsTrial = false;
lic.ProductID = 0x0a28;
lic.ProductVersion = new System.Version("1.1");
string key = lic.GetKeyString(pw);

private byte[] CreatePW()
{
    Process process = Process.GetCurrentProcess();
    string name = process.MachineName;
    string id = process.Id.ToString();
    string pw = name + id;
    System.Text.UnicodeEncoding ue = new UnicodeEncoding(false, true, false);
    byte[] bytes = ue.GetBytes(pw);
    System.Security.Cryptography.SHA1Managed sm = new System.Security.Cryptography.SHA1Managed();
    byte[] hashValue = sm.ComputeHash(bytes);
    return hashValue;
}

走了一些弯路,但也看到了更多的风景. 从程序的入口加断点看来不是明智的选择, 如果时机选择过早,模块尚未加载,!bpmd不会起作用,相比之下,在程序运行中加断点,会更加有效,精准.
———–完毕
阅读(3912) | 评论(1) | 转发(0) |
0

上一篇:存储备份软件--Legato Networker

下一篇:把玩 PowerShellPlus

给主人留下些什么吧!~~

chinaunix网友2011-03-06 16:53:48

很好的, 收藏了 推荐一个博客,提供很多免费软件编程电子书下载: http://free-ebooks.appspot.com

回复 | 举报
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6