- UID
- 2
注册时间2004-12-1
阅读权限255
最后登录1970-1-1
总坛主
TA的每日心情 | 难过
2024-4-22 14:49 |
|---|
签到天数: 11 天 [LV.3]偶尔看看II
|
【破文标题】星空电影院V2.01破解分析
【破文作者】飘云[PYG]
【破解平台】winxp
【作者邮箱】piaoyun04@163.com
【软件名称】星空电影院V2.01
【软件大小】2419KB
【下载地址】http://www3.skycn.com/soft/20221.html
【软件说明】是娱乐所属在线软件,包罗了全国和海外引进的3000多部动画片、电影、港台、大陆、日韩 、欧美电影,并设为独特的秘密观看区,足以使您一饱眼福。1000M光纤接入,IBM专业服务器组,提供在线观看使您即刻体验极速的全方位视觉感受。关于软件的更多特色介绍,速度快质量高的精彩视频,专人实时跟踪更新升级,本软件具有自动升级功能。 通过独特的合作资源,提供超过400套超高清晰的卫星电视节目,高速HBO大片,BBC新闻,日本MM、港台凤凰、华娱、星空、TVB系列,国内中央及各省卫星电视节目。
【破解工具】PEiD 0.92中文版、W32Dasm10.0汉化版、OD二哥修改版
【保护方式】序列号
【破解目的】学习破解。熟练应用各种工具。
【破解声明】我乃小菜鸟一只,偶得一点心得,愿与大家分享:)
【破解步骤】先用PEiD 0.92侦测,发现为Borland Delphi 6.0 - 7.0编写,未加壳;试着运行软件:我的机器码为:BFC61CBA 输入伪码:13579246,点“确定注册”出现“您输入的注册码13579246”不正确,请和作者联系”的错误窗口,呵呵!这是关键!
接下来W32DASM出场,在“串式参考”中找到:
:004B93C2 8D55F0 lea edx, dword ptr [ebp-10]
:004B93C5 8B45FC mov eax, dword ptr [ebp-04]
:004B93C8 8B8038030000 mov eax, dword ptr [eax+00000338]
:004B93CE E8A5DBF8FF call 00446F78
:004B93D3 837DF000 cmp dword ptr [ebp-10], 00000000 ========注册码是否为0
:004B93D7 741E je 004B93F7=========是0则死,不是
:004B93D9 8D55EC lea edx, dword ptr [ebp-14]
:004B93DC 8B45FC mov eax, dword ptr [ebp-04]
:004B93DF 8B8038030000 mov eax, dword ptr [eax+00000338]
:004B93E5 E88EDBF8FF call 00446F78
:004B93EA 8B45EC mov eax, dword ptr [ebp-14]
:004B93ED E882B0F4FF call 00404474
:004B93F2 83F808 cmp eax, 00000008 ==========是否超过8位
:004B93F5 7E0F jle 004B9406 ==========不跳则GAME OVER!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B93D7(C)
|
* Possible StringData Ref from Code Obj ->" 您输入的注册码无效,请重新输入。
“★★找到这里,向上看!”
|
:004B93F7 B860964B00 mov eax, 004B9660
:004B93FC E8CF73F7FF call 004307D0
:004B9401 E9BA010000 jmp 004B95C0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B93F5(C)
|
:004B9406 8D45E4 lea eax, dword ptr [ebp-1C] 符合要求则跳到这里。
:004B9409 50 push eax
:004B940A 8D55E0 lea edx, dword ptr [ebp-20]
:004B940D 8B45FC mov eax, dword ptr [ebp-04]
:004B9410 8B803C030000 mov eax, dword ptr [eax+0000033C]
:004B9416 E85DDBF8FF call 00446F78=========得到机器码
:004B941B 8B45E0 mov eax, dword ptr [ebp-20]
:004B941E B906000000 mov ecx, 00000006
:004B9423 BA01000000 mov edx, 00000001
:004B9428 E8A7B2F4FF call 004046D4========取机器码前6位
:004B942D 8B4DE4 mov ecx, dword ptr [ebp-1C]
:004B9430 8D45E8 lea eax, dword ptr [ebp-18]
:004B9433 BA8C964B00 mov edx, 004B968C
:004B9438 E883B0F4FF call 004044C0
:004B943D 8B45E8 mov eax, dword ptr [ebp-18]
:004B9440 E847F7F4FF call 00408B8C
:004B9445 8BF0 mov esi, eax
:004B9447 33C0 xor eax, eax
:004B9449 55 push ebp
:004B944A 6877954B00 push 004B9577
:004B944F 64FF30 push dword ptr fs:[eax]
:004B9452 648920 mov dword ptr fs:[eax], esp
:004B9455 8D55DC lea edx, dword ptr [ebp-24]
:004B9458 8B45FC mov eax, dword ptr [ebp-04]
:004B945B 8B8038030000 mov eax, dword ptr [eax+00000338]
:004B9461 E812DBF8FF call 00446F78
:004B9466 8B45DC mov eax, dword ptr [ebp-24]========伪码13579246送到EAX
:004B9469 E81EF7F4FF call 00408B8C========★★★关键CALL1,跟进去!
:004B946E 8BD8 mov ebx, eax
:004B9470 8BC3 mov eax, ebx
:004B9472 2BC6 sub eax, esi========把你的伪码—机器码前6位
:004B9474 3B05C8A35400 cmp eax, dword ptr [0054A3C8]========与 [0054A3C8]中的数据(十进制的147258)比较
:004B947A 7438 je 004B94B4 ========等于0则注册成功
* Possible StringData Ref from Code Obj ->" 您输入的注册码 "
|
:004B947C 6898964B00 push 004B9698
:004B9481 8D55D4 lea edx, dword ptr [ebp-2C]
:004B9484 8B45FC mov eax, dword ptr [ebp-04]
:004B9487 8B8038030000 mov eax, dword ptr [eax+00000338]
:004B948D E8E6DAF8FF call 00446F78
:004B9492 FF75D4 push [ebp-2C]
* Possible StringData Ref from Code Obj ->" 不正确,请与作者联系。"
|
:004B9495 68B4964B00 push 004B96B4
:004B949A 8D45D8 lea eax, dword ptr [ebp-28]
:004B949D BA03000000 mov edx, 00000003
:004B94A2 E88DB0F4FF call 00404534
:004B94A7 8B45D8 mov eax, dword ptr [ebp-28]
:004B94AA E82173F7FF call 004307D0
:004B94AF E9B9000000 jmp 004B956D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B947A(C)
|
:004B94B4 8D55F4 lea edx, dword ptr [ebp-0C]
:004B94B7 A1CCA35400 mov eax, dword ptr [0054A3CC]
:004B94BC 03C3 add eax, ebx
:004B94BE E88DF5F4FF call 00408A50
:004B94C3 8D55C8 lea edx, dword ptr [ebp-38]
:004B94C6 A154A95400 mov eax, dword ptr [0054A954]
:004B94CB 8B00 mov eax, dword ptr [eax]
:004B94CD E882DEFAFF call 00467354
:004B94D2 8B45C8 mov eax, dword ptr [ebp-38]
:004B94D5 8D55CC lea edx, dword ptr [ebp-34]
:004B94D8 E80BFBF4FF call 00408FE8
:004B94DD FF75CC push [ebp-34]
* Possible StringData Ref from Code Obj ->"set"
|
:004B94E0 68D4964B00 push 004B96D4
:004B94E5 FF75F4 push [ebp-0C]
* Possible StringData Ref from Code Obj ->".ini"
|
:004B94E8 68E0964B00 push 004B96E0
:004B94ED 8D45D0 lea eax, dword ptr [ebp-30]
:004B94F0 BA04000000 mov edx, 00000004
:004B94F5 E83AB0F4FF call 00404534
:004B94FA 8B4DD0 mov ecx, dword ptr [ebp-30]
:004B94FD B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"豩C"
|
:004B94FF A1FC5E4300 mov eax, dword ptr [00435EFC]
:004B9504 E8A3CAF7FF call 00435FAC
:004B9509 8945F8 mov dword ptr [ebp-08], eax
:004B950C 33C0 xor eax, eax
:004B950E 55 push ebp
:004B950F 6844954B00 push 004B9544
:004B9514 64FF30 push dword ptr fs:[eax]
:004B9517 648920 mov dword ptr fs:[eax], esp
:004B951A 6A01 push 00000001
* Possible StringData Ref from Code Obj ->"Reg"
|
:004B951C B9F0964B00 mov ecx, 004B96F0
* Possible StringData Ref from Code Obj ->"Option"
|
:004B9521 BAFC964B00 mov edx, 004B96FC
:004B9526 8B45F8 mov eax, dword ptr [ebp-08]
:004B9529 8B18 mov ebx, dword ptr [eax]
:004B952B FF5314 call [ebx+14]
:004B952E 33C0 xor eax, eax
:004B9530 5A pop edx
:004B9531 59 pop ecx
:004B9532 59 pop ecx
:004B9533 648910 mov dword ptr fs:[eax], edx
:004B9536 684B954B00 push 004B954B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9549(U)
|
:004B953B 8B45F8 mov eax, dword ptr [ebp-08]
:004B953E E8819EF4FF call 004033C4
:004B9543 C3 ret
:004B9544 E9CFA5F4FF jmp 00403B18
:004B9549 EBF0 jmp 004B953B
:004B954B 6A00 push 00000000
:004B954D 668B0D2C964B00 mov cx, word ptr [004B962C]
:004B9554 B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"注册成功。谢谢你支持正版软件!
请关闭软件重新"
->"启动[星空电影院]"
*********************************************************************************************
跟进关键CALL1:
00408B8C /$ 53 push ebx
00408B8D |. 56 push esi
00408B8E |. 83C4 F4 add esp,-0C
00408B91 |. 8BD8 mov ebx,eax
00408B93 |. 8BD4 mov edx,esp
00408B95 |. 8BC3 mov eax,ebx
00408B97 |. E8 50A2FFFF call 星空电影.00402DEC==========★★★关键CALL2,跟进去!!
00408B9C |. 8BF0 mov esi,eax
00408B9E |. 833C24 00 cmp dword ptr ss:[esp],0
00408BA2 |. 74 19 je short 星空电影.00408BBD
00408BA4 |. 895C24 04 mov dword ptr ss:[esp+4],ebx
00408BA8 |. C64424 08 0B mov byte ptr ss:[esp+8],0B
00408BAD |. 8D5424 04 lea edx,dword ptr ss:[esp+4]
00408BB1 |. A1 FCA65400 mov eax,dword ptr ds:[54A6FC]
00408BB6 |. 33C9 xor ecx,ecx
00408BB8 |. E8 CBF7FFFF call 星空电影.00408388
00408BBD |> 8BC6 mov eax,esi
00408BBF |. 83C4 0C add esp,0C
00408BC2 |. 5E pop esi
00408BC3 |. 5B pop ebx
00408BC4 \. C3 retn
************************************************************************************************
跟进关键CALL2:
00402DEC /$ 53 push ebx
00402DED |. 56 push esi
00402DEE |. 57 push edi
00402DEF |. 89C6 mov esi,eax========= ESI=EAX=伪码13579246
00402DF1 |. 50 push eax
00402DF2 |. 85C0 test eax,eax ========伪码是否输入
00402DF4 |. 74 6C je short 星空电影.00402E62========没有输入则GAME OVER
00402DF6 |. 31C0 xor eax,eax
00402DF8 |. 31DB xor ebx,ebx
00402DFA |. BF CCCCCC0C mov edi,0CCCCCCC=========0CCCCCCC送到EDI
00402DFF |> 8A1E /mov bl,byte ptr ds:[esi]========伪码一次送到BL
00402E01 |. 46 |inc esi========计数器加一
00402E02 |. 80FB 20 |cmp bl,20========是否空格
00402E05 |.^ 74 F8 \je short 星空电影.00402DFF
00402E07 |. B5 00 mov ch,0
00402E09 |. 80FB 2D cmp bl,2D========是否符号“-”
00402E0C |. 74 62 je short 星空电影.00402E70
00402E0E |. 80FB 2B cmp bl,2B========是否符号“+”
00402E11 |. 74 5F je short 星空电影.00402E72
00402E13 |> 80FB 24 cmp bl,24========是否符号“$”
00402E16 |. 74 5F je short 星空电影.00402E77
00402E18 |. 80FB 78 cmp bl,78========是否符号“x”
00402E1B |. 74 5A je short 星空电影.00402E77
00402E1D |. 80FB 58 cmp bl,58========是否符号“X”
00402E20 |. 74 55 je short 星空电影.00402E77
00402E22 |. 80FB 30 cmp bl,30========是否0
00402E25 |. 75 13 jnz short 星空电影.00402E3A ========不是则跳,必须跳,否则GAME OVER!
此处可以分析出:注册码不能为:空格 - + $ x X 0中任何一个
00402E27 |. 8A1E mov bl,byte ptr ds:[esi]
00402E29 |. 46 inc esi
00402E2A |. 80FB 78 cmp bl,78
00402E2D |. 74 48 je short 星空电影.00402E77
00402E2F |. 80FB 58 cmp bl,58
00402E32 |. 74 43 je short 星空电影.00402E77
00402E34 |. 84DB test bl,bl
00402E36 |. 74 20 je short 星空电影.00402E58
00402E38 |. EB 04 jmp short 星空电影.00402E3E
00402E3A |> 84DB test bl,bl ========是否还有没有取完?
00402E3C |. 74 2D je short 星空电影.00402E6B
00402E3E |> 80EB 30 /sub bl,30========减去30
00402E41 |. 80FB 09 |cmp bl,9========和9比较,看是否是数字?
00402E44 |. 77 25 |ja short 星空电影.00402E6B
00402E46 |. 39F8 |cmp eax,edi========是否大于0XCCCCCC
00402E48 |. 77 21 |ja short 星空电影.00402E6B
00402E4A |. 8D0480 |lea eax,dword ptr ds:[eax+eax*4]========eax=5eax
00402E4D |. 01C0 |add eax,eax========和前面一句一起看是:eax=6eax
00402E4F |. 01D8 |add eax,ebx
00402E51 |. 8A1E |mov bl,byte ptr ds:[esi]
00402E53 |. 46 |inc esi
00402E54 |. 84DB |test bl,bl========是否取完?
00402E56 |.^ 75 E6 \jnz short 星空电影.00402E3E 没有取完则循环
00402E58 |> FECD dec ch
00402E5A |. 74 09 je short 星空电影.00402E65
00402E5C |. 85C0 test eax,eax
00402E5E |. 7D 54 jge short 星空电影.00402EB4
00402E60 |. EB 09 jmp short 星空电影.00402E6B
.(以下省略部分代码)
.
.
.
.
00402EB4 |> 59 pop ecx
00402EB5 |. 31F6 xor esi,esi
00402EB7 |> 8932 mov dword ptr ds:[edx],esi
00402EB9 |. 5F pop edi
00402EBA |. 5E pop esi
00402EBB |. 5B pop ebx
00402EBC \. C3 retn========返回
其实这段代码就是把你的伪码转换成16进制
算发总结:
伪码的16进制—你的机器码前6位=十进制147258 则注册成功! |
|
IP卡
发表于 2005-2-21 19:13:23
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2005-2-22 15:52:50
发表于 2005-2-22 16:23:44
发表于 2005-3-16 17:55:17
发表于 2005-3-17 16:04:30
楼主