- UID
- 2932
注册时间2005-8-30
阅读权限10
最后登录1970-1-1
周游历练
TA的每日心情 | 开心
2018-7-26 08:15 |
|---|
签到天数: 7 天 [LV.3]偶尔看看II
|
【破文标题】我的第一篇破文——家电维修管理系统v4.6三段比较找注册码
【破文作者】UnderGhosT
【破解平台】WinXP SP2
------------------------------------------------------------------------
【破解过程】这是我从入门以来写的第一篇破文。希望加点分~嘿嘿~
我记得这好象是作业来得,而且是在论坛上下的软件,但怎么也找不到原帖了~所以只能发在这里了~谅解,嘿嘿~作为PYG学员还没交过作业那,真是不好意思。自己上网确实不太方便555555~
断断续续学了一段时间破解。自己太懒了自学不刻苦:(,专业还与计算机一点边不沾,没有老师逼着学~;)
peid0.92查壳,呵呵,nothing found。flyodbg打开试试,没有“似乎被加壳,还要继续分析吗”的提示,有门!看看ASCii,发现字串krnln.fnr。莫非是易语言?还没加壳~这就好办了,找e.code断下~
:004DAEB5 55 push ebp 断在这里
:004DAEB6 8BEC mov ebp, esp
:004DAEB8 81EC5C000000 sub esp, 0000005C
:004DAEBE 6AFF push FFFFFFFF
:004DAEC0 6A08 push 00000008
:004DAEC2 682A080116 push 1601082A
:004DAEC7 6826080152 push 52010826
:004DAECC E81C080000 call 004DB6ED 假码第一段
:004DAED1 83C410 add esp, 00000010
:004DAED4 8945FC mov dword ptr [ebp-04], eax
:004DAED7 683C000000 push 0000003C
:004DAEDC FF75FC push [ebp-04]
:004DAEDF E827DEFBFF call 00498D0B
:004DAEE4 83C408 add esp, 00000008
:004DAEE7 83F800 cmp eax, 00000000
:004DAEEA B800000000 mov eax, 00000000
:004DAEEF 0F94C0 sete al
:004DAEF2 8945F8 mov dword ptr [ebp-08], eax
:004DAEF5 8B5DFC mov ebx, dword ptr [ebp-04]
:004DAEF8 85DB test ebx, ebx
:004DAEFA 7409 je 004DAF05
:004DAEFC 53 push ebx
:004DAEFD E8D3070000 call 004DB6D5
:004DAF02 83C404 add esp, 00000004
:004DAF6A 6AFF push FFFFFFFF 由004DAF09跳到这里
:004DAF6C 6A08 push 00000008
:004DAF6E 682E080116 push 1601082E
:004DAF73 6826080152 push 52010826
:004DAF78 E870070000 call 004DB6ED 算机器码的CALL
:004DAF7D 83C410 add esp, 00000010
:004DAF80 8945FC mov dword ptr [ebp-04], eax
:004DAF83 6804000080 push 80000004
:004DAF88 6A00 push 00000000
:004DAF8A 8B45FC mov eax, dword ptr [ebp-04]
:004DAF8D 85C0 test eax, eax
:004DAF8F 7505 jne 004DAF96
:004DAF91 B83C000000 mov eax, 0000003C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DAF8F(C)
|
:004DAF96 50 push eax
:004DAF97 6801000000 push 00000001
:004DAF9C BB64010000 mov ebx, 00000164
:004DAFA1 E83B070000 call 004DB6E1
:004DAFA6 83C410 add esp, 00000010
:004DAFA9 8945F4 mov dword ptr [ebp-0C], eax
:004DAFAC 8955F8 mov dword ptr [ebp-08], edx
:004DAFAF 8B5DFC mov ebx, dword ptr [ebp-04]
:004DAFB2 85DB test ebx, ebx
:004DAFB4 7409 je 004DAFBF
:004DAFB6 53 push ebx
:004DAFB7 E819070000 call 004DB6D5
:004DAFBC 83C404 add esp, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DAFB4(C)
|
:004DAFBF DD45F4 fld qword ptr [ebp-0C]
:004DAFC2 E8E1DDFBFF call 00498DA8
:004DAFC7 6801030080 push 80000301 EAX见第一段真码,此段应该在每个机器上都一样505354E1
:004DAFCC 6A00 push 00000000
:004DAFCE 50 push eax
:004DAFCF 6801000000 push 00000001
:004DAFD4 BBD4010000 mov ebx, 000001D4
:004DAFD9 E803070000 call 004DB6E1 将505354E1转为ASCii,第一段不一样则跳死
:004DAFDE 83C410 add esp, 00000010
:004DAFE1 8945F0 mov dword ptr [ebp-10], eax
:004DAFE4 6AFF push FFFFFFFF
:004DAFE6 6A08 push 00000008
:004DAFE8 682A080116 push 1601082A
:004DAFED 6826080152 push 52010826
:004DAFF2 E8F6060000 call 004DB6ED
:004DAFF7 83C410 add esp, 00000010
:004DAFFA 8945EC mov dword ptr [ebp-14], eax
:004DAFFD 8B45F0 mov eax, dword ptr [ebp-10]
:004DB000 50 push eax
:004DB001 FF75EC push [ebp-14]
:004DB004 E802DDFBFF call 00498D0B
:004DB009 83C408 add esp, 00000008
:004DB00C 83F800 cmp eax, 00000000
:004DB00F B800000000 mov eax, 00000000
:004DB014 0F94C0 sete al
:004DB017 8945E8 mov dword ptr [ebp-18], eax
:004DB01A 8B5DEC mov ebx, dword ptr [ebp-14]
:004DB01D 85DB test ebx, ebx
:004DB01F 7409 je 004DB02A
:004DB021 53 push ebx
:004DB022 E8AE060000 call 004DB6D5
:004DB027 83C404 add esp, 00000004
:004DB099 DD45DC fld qword ptr [ebp-24]
:004DB09C DC0D14210000 fmul qword ptr [00002114]
:004DB0A2 DD5DD4 fstp qword ptr [ebp-2C]
:004DB0A5 DD45D4 fld qword ptr [ebp-2C]
:004DB0A8 E8FBDCFBFF call 00498DA8 EAX见第二段
:004DB0AD 6801030080 push 80000301
:004DB0B2 6A00 push 00000000
:004DB0B4 50 push eax
:004DB0B5 6801000000 push 00000001
:004DB0BA BBD4010000 mov ebx, 000001D4
:004DB0BF E81D060000 call 004DB6E1
:004DB0C4 83C410 add esp, 00000010
:004DB0C7 8945D0 mov dword ptr [ebp-30], eax
:004DB0CA 6AFF push FFFFFFFF
:004DB0CC 6A08 push 00000008
:004DB0CE 6829080116 push 16010829
:004DB0D3 6826080152 push 52010826
:004DB0D8 E810060000 call 004DB6ED
:004DB0DD 83C410 add esp, 00000010
:004DB0E0 8945CC mov dword ptr [ebp-34], eax
:004DB0E3 8B45D0 mov eax, dword ptr [ebp-30]
:004DB0E6 50 push eax
:004DB0E7 FF75CC push [ebp-34]
:004DB0EA E81CDCFBFF call 00498D0B
:004DB0EF 83C408 add esp, 00000008
:004DB0F2 83F800 cmp eax, 00000000
:004DB0F5 B800000000 mov eax, 00000000
:004DB0FA 0F94C0 sete al
:004DB0FD 8945C8 mov dword ptr [ebp-38], eax
:004DB100 8B5DCC mov ebx, dword ptr [ebp-34]
:004DB103 85DB test ebx, ebx 第二段真码转为ASCii,假码和真码比较,ECX真,EDX假.这段真码根据机器码算出
:004DB105 7409 je 004DB110
:004DB107 53 push ebx
:004DB108 E8C8050000 call 004DB6D5
:004DB10D 83C404 add esp, 00000004
:004DB219 85C0 test eax, eax
:004DB21B 0F8460030000 je 004DB581 跳死
:004DB221 6AFF push FFFFFFFF
:004DB223 6A08 push 00000008
:004DB225 682A080116 push 1601082A
:004DB22A 6826080152 push 52010826
:004DB22F E8B9040000 call 004DB6ED
:004DB234 83C410 add esp, 00000010
:004DB237 8945FC mov dword ptr [ebp-04], eax
:004DB17F DD45BC fld qword ptr [ebp-44]
:004DB182 DC0D7D060000 fmul qword ptr [0000067D]
:004DB188 DD5DB4 fstp qword ptr [ebp-4C]
:004DB18B DD45B4 fld qword ptr [ebp-4C]
:004DB18E E815DCFBFF call 00498DA8
:004DB193 6801030080 push 80000301
:004DB198 6A00 push 00000000
:004DB19A 50 push eax
:004DB19B 6801000000 push 00000001
:004DB1A0 BBD4010000 mov ebx, 000001D4
:004DB1A5 E837050000 call 004DB6E1 根据机器码算出第三段 EAX可见ASCii码
:004DB1AA 83C410 add esp, 00000010
:004DB1AD 8945B0 mov dword ptr [ebp-50], eax
:004DB1B0 6AFF push FFFFFFFF
:004DB1B2 6A08 push 00000008
:004DB1B4 6828080116 push 16010828
:004DB1B9 6826080152 push 52010826
:004DB1BE E82A050000 call 004DB6ED
:004DB1C3 83C410 add esp, 00000010
:004DB1C6 8945AC mov dword ptr [ebp-54], eax
:004DB1C9 8B45B0 mov eax, dword ptr [ebp-50]
:004DB1CC 50 push eax
:004DB1CD FF75AC push [ebp-54]
:004DB1D0 E836DBFBFF call 00498D0B
:004DB1D5 83C408 add esp, 00000008
:004DB1D8 83F800 cmp eax, 00000000
:004DB1DB B800000000 mov eax, 00000000
:004DB1E0 0F94C0 sete al
:004DB1E3 8945A8 mov dword ptr [ebp-58], eax
:004DB1E6 8B5DAC mov ebx, dword ptr [ebp-54]
:004DB1E9 85DB test ebx, ebx
:004DB1EB 7409 je 004DB1F6
:004DB1ED 53 push ebx
:004DB1EE E8E2040000 call 004DB6D5
:004DB1F3 83C404 add esp, 00000004
------------------------------------------------------------------------
【破解总结】软件分三段比较,注册码计算与用户名无关,注册前HKEY_LOCAL_MACHINE\SOFTWARE\bkl\家电维修管理系统v4.6 未注册版 处数值可修改试用次数,注册后此处被替换为\家电维修管理系统v4.6 正式注册版 数值为注册码加用户名,如我的是:505354E1-C3E7FA8C-D2EDFBE9-UnderGhosT。
我还发现一个有意思的情况,若将HKEY_LOCAL_MACHINE\SOFTWARE\bkl\家电维修管理系统v4.6 未注册版手动替换为HKEY_LOCAL_MACHINE\SOFTWARE\bkl\家电维修管理系统v4.6 正式注册版,数值为空,即不用填注册码,则软件注册窗口提示可试用0次,但是实际上无限制,且不显示“未注册版”字样。
太懒,没细看算法。keymaker也没做,想用又不会跟的朋友就按照我上面的替换法用吧。
感谢大家看完。
PYG一周年生日快乐!
------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者信息并保持文章的完整, 谢谢!
[ 本帖最后由 underghost 于 2005-12-14 06:33 PM 编辑 ] |
|
IP卡
发表于 2005-12-14 18:32:06
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2005-12-14 18:47:08
楼主
发表于 2005-12-14 19:06:49
发表于 2005-12-14 19:26:02
发表于 2005-12-15 12:09:43
