Network verification and cracking process of a Software

First, the OllyDbg loads the program.
0041865A> 6A 74 push 0x74
0041865C 68 58C24E00 push 004EC258
00418661 E8 F6010000 call 0041885C
00418666 33DB xor ebx, ebx
00418668 895D E0 mov dword ptr [ebp-0x20], ebx
0041866B 53 push ebx
Clean, qiqiang.
Open the program and select Vip. The prompt is as follows:
--------- Reference --------------
Internet Express friendly prompt
Free users cannot select VIP special services
Group! You are welcome to recharge your account to pay for it.
VIP users enjoy VIP services
----------------------------
So I used the plug-in to search for the Ascll code and kill it. Find:
0040FC80/7E 11 jle short 0040FC93
0040FC82 | 68 18A04E00 push 004EA018; Internet Express friendly reminder that free users cannot select vip dedicated server group! You are welcome to recharge your account to become our vip users and enjoy vip services.
0040FC87 | 8BCD mov ecx, ebp
0040FC89 | E8 0252 FFFF call 00404E90
0040FC8E | E9 47100000 jmp 001_cda

Jle is directly changed to jmp. I guess it is judged that the current selected item in the drop-down list box is greater than 9 (0 ~ 9 is a free server, where 0 is automatically selected .)
This sentence was also found:
Ultra String Reference, item 2082
Address = 004117CB
Disassembly = push 004EA0A0
Text String = test user hello, timed disconnection: The game is about to be started. Please exit in time to avoid game disconnection. You can initiate another dial-up acceleration 30 seconds later. Recharge your vip to enjoy the uninterrupted acceleration service.

Also go:
004117C5/0F85 8A000000 jnz 00411855
004117CB | 68 A0A04E00 push 004EA0A0
004117D0 | 8D4D CC lea ecx, dword ptr [ebp-0x34]
004117D3 | C687 9C110000 0> mov byte ptr [edi + 0x119C], 0x1
004117DA | FF15 1C224E00 call dword ptr [<& MFC71. #304>]; MFC71. #304

Jmp drop.

0040F3AF/74 0C je short 0040F3BD
0040F3B1 | 68 AC9A4E00 push 004E9AAC; Welcome to experience Internet Express for free. We sincerely look forward to your recognition of us!
0040F3B6 | 8BCE mov ecx, esi
0040F3B8 | E8 D35AFFFF call 00404E90
0040F3BD 8B96 C8110000 mov edx, dword ptr [esi + 0x11C8]

Jmp drop.

Basically, the complex problems that can be solved statically are harmonious. Therefore, save all the modifications to facilitate subsequent debugging.
Load the file we just saved, F9. The process ends. Directly execute the file.
Pull out the great message entry finder and drag the icon to the dialing button. Search (note that it cannot be in the debugging status .)
The function entry address for dialing is 0x0040FAE0.
Load OllyDbg and run the program. Process terminated, Ctrl + F2 reload, F9 started successfully.
Ctrl + G, paste 0x0040FAE0

0040FAE0 6A FF push-0x1

F2 disconnection. Switch back to the program and press dial. OD is blocked successfully.
Now we should play F8 ~
F2: cancel the breakpoint. Run it ~ Data window acquisition:
0012F63C 003A97F8 ASCII "20091024"
0012F640 00000008
0012F644 00000000
0012F648 00000011
0012F64C 0012F878
0012F650 003A6DA8 ASCII "C: WINDOWSsystem32"
0012F654 003A9820 ASCII "C: WINDOWS"
0012F658 00000012
0012F65C 7C930202 RETURN to ntdll.7C930202 from ntdll.7C92E8E6
0012F660 7C93017B RETURN to ntdll.7C93017B from ntdll.7C9301D1
0012F664 7C9301BB RETURN to ntdll.7C9301BB from ntdll.7C92E8E6
0012F668 003A6548 ASCII "test"
0012F66C 7C220078 MFC71.7C220078
0012F670 003A97F8 ASCII "20091024"
0012F674 003A97F8 ASCII "20091024"
0012F678 003AA9E0 ASCII "http://www.exunchi.com/mypage/index.php? Name = general_products_pay"
0012F67C 003A6DE8 ASCII "test"
0012F680 003A6420 ASCII "C: WINDOWSsystem32etapis32. dll"
0012F684 003AA9C0
0012F688 00000000
0012F68C 003A6E08 ASCII "091024"
0012F690 00000000

20091024 is the date of today!
0041005E 85FF test edi, edi
00410060 C68424 5C010000> mov byte ptr [esp + 0x15C], 0x12
00410068 BE 01000000 mov esi, 0x1
0041006D 0F87 2A010000 ja 00000019d
00410073 72 0A jb short 0041007F
00410075 397424 2C cmp dword ptr [esp + 0x2C], esi
00410079 0F83 1E010000 jnb 00000019d 'is a very suspicious sentence.
Therefore, Nop is dropped first. The following is the same as Nop.
The result is to run the 578 CF FF15 70254E00 call dword ptr [<& MFC71. #578>]; MFC71. #
004100D5 8D8C24 88000000 lea ecx, dword ptr [esp + 0x88]
004100DC E8 DD7E0000 call <jmp. & MFC71. #1452>
004100E1 68 E0374E00 push 004E37E0
004100E6 8D4424 4C lea &