盲打之友V2.5破解过程
工具:trw2000
Hview
W32dasm 8.93黄金中文版
破解:crackjack[BCG]
未注册版本的限制:1、只能练习2分钟。2、只能运行三次,超过三次必须重新启动系统才能继续使用
我们仍然是用两种方法来注册它:爆破和注册机。
一、爆破:
用W32DASM反汇编程序,在串式参考中查找"软件注册失败!
请重新注册!",双击它,会转到下面的代码:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00469C5C(C)
|
* Possible StringData Ref from Code Obj ->"软件注册失败!
请重新注册!"
|
:00469C9B B89C9D4600 mov eax,
00469D9C
:00469CA0 E8EB22FEFF call 0044BF90
:00469CA5 EB0A
jmp 00469CB1
从代码来看,是从地址00469C5C跳转来的,我们看看这个地址的代码:
:00469C4A E8A559FFFF call 0045F5F4
:00469C4F 8B55F4
mov edx, dword ptr [ebp-0C]
:00469C52 8B45F8
mov eax, dword ptr [ebp-08]
:00469C55 E8BA57FFFF call 0045F414
<=====计算和比较注册码
:00469C5A 84C0
test al, al
:00469C5C 743D
je 00469C9B <=====跳到注册失败的地方
:00469C5E 8B45FC
mov eax, dword ptr [ebp-04]
:00469C61 E8B656FFFF call 0045F31C
<=====尝试把注册码写入注册表
:00469C66 84C0
test al, al
:00469C68 7425
je 00469C8F <=====如果失败则跳
* Possible StringData Ref from Code Obj ->"恭喜!恭喜!
软件注册成功!" <=====注册成功
|
:00469C6A B8049D4600 mov eax,
00469D04
:00469C6F E81C23FEFF call 0044BF90
:00469C74 33D2
xor edx, edx
:00469C76 8B8620040000 mov eax, dword
ptr [esi+00000420]
:00469C7C E84716FCFF call 0042B2C8
好了,我们知道00469C55是关键CALL,所以要F8进入,看它是在什么地方会给al赋值的:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045F448(C), :0045F45C(C), :0045F4E9(C), :0045F4EE(C), :0045F535(C)
|:0045F53A(C)
|
:0045F561 33C0
xor eax, eax
:0045F563 5A
pop edx
:0045F564 59
pop ecx
:0045F565 59
pop ecx
:0045F566 648910
mov dword ptr fs:[eax], edx
:0045F569 687EF54500 push 0045F57E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F57C(U)
|
:0045F56E 8D45F0
lea eax, dword ptr [ebp-10]
:0045F571 E89A43FAFF call 00403910
:0045F576 C3
ret
:0045F577 E9543EFAFF jmp 004033D0
:0045F57C EBF0
jmp 0045F56E
:0045F57E 8A45F7
mov al, byte ptr [ebp-09] <=====取标志,如果注册码错误,则al=0,所以我
们把它改为mov al,01;NOP
:0045F581 5F
pop edi
:0045F582 5E
pop esi
:0045F583 5B
pop ebx
:0045F584 8BE5
mov esp, ebp
:0045F586 5D
pop ebp
:0045F587 C3
ret
我们知道这段代码一共有6个地址跳到这里,这6个地址都是注册码错误或者是没有注册时都会跳到这里,所以只要我
们改掉0045F57E地址的代码就可以了。
如果你对它的注册算法感兴趣,请继续看下去吧:
二、注册算法:
该软件的注册码形式是 123456-7890ab-cdefgh-ijklmn,运算方法是取注册码的奇数位(假设我们输入的注册码是前面所说的,则取出的奇数位注册码是13579acegikm),然后经过计算,得出注册码的偶数位。
我们F8进入00469C55处的CALL:
:0045F414 55
push ebp
:0045F415 8BEC
mov ebp, esp
:0045F417 83C4E4
add esp, FFFFFFE4
:0045F41A 53
push ebx
:0045F41B 56
push esi
:0045F41C 57
push edi
:0045F41D 33C9
xor ecx, ecx
:0045F41F 894DF0
mov dword ptr [ebp-10], ecx
:0045F422 8955F8
mov dword ptr [ebp-08], edx
:0045F425 8945FC
mov dword ptr [ebp-04], eax
:0045F428 33C0
xor eax, eax
:0045F42A 55
push ebp
:0045F42B 6877F54500 push 0045F577
:0045F430 64FF30
push dword ptr fs:[eax]
:0045F433 648920
mov dword ptr fs:[eax], esp
:0045F436 C645F700 mov
[ebp-09], 00
:0045F43A 8B45FC
mov eax, dword ptr [ebp-04]
:0045F43D E84A47FAFF call 00403B8C
<=====计算奇数位的注册码长度,EAX=长度
:0045F442 3B05B0EC4600 cmp eax, dword
ptr [0046ECB0] <=====和0C比较
:0045F448 0F8513010000 jne 0045F561
<=====不相等则跳到注册失败
:0045F44E 8B45F8
mov eax, dword ptr [ebp-08]
:0045F451 E83647FAFF call 00403B8C
<=====计算偶数位的注册码长度,EAX=长度
:0045F456 3B05B0EC4600 cmp eax, dword
ptr [0046ECB0] <=====和0C比较
:0045F45C 0F85FF000000 jne 0045F561
<=====不相等则跳到注册失败
:0045F462 33FF
xor edi, edi
:0045F464 A1B4EC4600 mov eax,
dword ptr [0046ECB4] <=====取得计算系数5945H
:0045F469 8945EC
mov dword ptr [ebp-14], eax <=====保存以用于计算
:0045F46C A1BCEC4600 mov eax,
dword ptr [0046ECBC] <=====取得计算系数F3B4H
:0045F471 8945E8
mov dword ptr [ebp-18], eax <=====保存以用于计算
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F40E(C)
|
:0045F474 8B45FC
mov eax, dword ptr [ebp-04]
:0045F477 E81047FAFF call 00403B8C
:0045F47C 85C0
test eax, eax
:0045F47E 7C16
jl 0045F496
:0045F480 40
inc eax
:0045F481 8945E4
mov dword ptr [ebp-1C], eax
:0045F484 33F6
xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address: <====这里的代码是计算奇数位注册码的
总和,作为计算第一个偶数的计算系数,结果放在EDI中
|:0045F494(C)
|
:0045F486 8B45FC
mov eax, dword ptr [ebp-04]
:0045F489 0FB64430FF movzx eax,
byte ptr [eax+esi-01] <=====取奇数位注册码
:0045F48E 03F8
add edi, eax
<=====累加
:0045F490 46
inc esi
:0045F491 FF4DE4
dec [ebp-1C]
:0045F494 75F0
jne 0045F486
<=====没有加完则继续加
* Referenced by a (U)nconditional or (C)onditional Jump at Address: <=====计算偶数位的代码
|:0045F47E(C)
|
:0045F496 A1B8EC4600 mov eax,
dword ptr [0046ECB8] <=====取计算系数C499H
:0045F49B 2145EC
and dword ptr [ebp-14], eax <=====与 EDI 异或(结果假设为R1)
:0045F49E 8D45F0
lea eax, dword ptr [ebp-10]
:0045F4A1 8B15B0EC4600 mov edx, dword
ptr [0046ECB0]
:0045F4A7 E8104AFAFF call 00403EBC
:0045F4AC A1C0EC4600 mov eax,
dword ptr [0046ECC0] <=====取计算系数5908H
:0045F4B1 2145E8
and dword ptr [ebp-18], eax <=====与F3B4 异或(结果假设为R2)
:0045F4B4 A1B0EC4600 mov eax,
dword ptr [0046ECB0]
:0045F4B9 85C0
test eax, eax
:0045F4BB 0F8E91000000 jle 0045F552
:0045F4C1 8945E4
mov dword ptr [ebp-1C], eax
:0045F4C4 BE01000000 mov esi,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F54C(C)
|
:0045F4C9 8B45FC
mov eax, dword ptr [ebp-04]
:0045F4CC 33DB
xor ebx, ebx
:0045F4CE 8A5C30FF mov
bl, byte ptr [eax+esi-01] <====取注册码
:0045F4D2 83FB30
cmp ebx, 00000030 <====比较是否是数字
:0045F4D5 7C05
jl 0045F4DC <=====不是则跳到下一个比较
:0045F4D7 83FB39
cmp ebx, 00000039
:0045F4DA 7E14
jle 0045F4F0 <=====是则跳到注册码计算处
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F4D5(C)
|
:0045F4DC 83FB41
cmp ebx, 00000041
:0045F4DF 7C05
jl 0045F4E6 <=====比较是否是大写字母
:0045F4E1 83FB5A
cmp ebx, 0000005A
:0045F4E4 7E0A
jle 0045F4F0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F4DF(C)
|
:0045F4E6 83FB61
cmp ebx, 00000061 <=====比较是否是小写字母
:0045F4E9 7C76
jl 0045F561
:0045F4EB 83FB7A
cmp ebx, 0000007A
:0045F4EE 7F71
jg 0045F561 <=====如果都不是,则注册失败
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
<====这里是注册码的计算
|:0045F4DA(C), :0045F4E4(C)
|
:0045F4F0 8B45FC
mov eax, dword ptr [ebp-04] <=====取奇数位注册码(N)
:0045F4F3 0FB64430FF movzx eax,
byte ptr [eax+esi-01] <=====EAX=注册码
:0045F4F8 8BD0
mov edx, eax
<=====EDX=EAX
:0045F4FA 03D7
add edx, edi <====EDX=EAX+EDI
:0045F4FC 0FAF55EC imul
edx, dword ptr [ebp-14] <=====EDX=EDX*R1
:0045F500 8B4DFC
mov ecx, dword ptr [ebp-04]
:0045F503 0FB60C31 movzx
ecx, byte ptr [ecx+esi] <=====取N+1位的注册码(ECX)
:0045F507 33F9
xor edi, ecx
<=====EDI=EDI XOR ECX
:0045F509 0FAF7DE8 imul
edi, dword ptr [ebp-18] <=====EDI=EDI * R2
:0045F50D 03D7
add edx, edi
<=====EDX=EDX+EDI
:0045F50F 8BFA
mov edi, edx
<=====EDI=EDX
:0045F511 C1EF08
shr edi, 08
<=====EDI右移8位,同时这个结果作为下一
位注册码的计算系数
:0045F514 8B55FC
mov edx, dword ptr [ebp-04]
:0045F517 8BD8
mov ebx, eax <=====EBX=N
:0045F519 33DF
xor ebx, edi <=====EBX=EBX xor EDI
:0045F51B 83E37F
and ebx, 0000007F <=====EBX=EBX and 7F(取EBX中的一个BL,作为相应偶数
位的注册码)
:0045F51E 83FB30
cmp ebx, 00000030 <=====比较结果是不是数字
:0045F521 7C05
jl 0045F528
:0045F523 83FB39
cmp ebx, 00000039
:0045F526 7E14
jle 0045F53C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F521(C)
|
:0045F528 83FB41
cmp ebx, 00000041 <=====比较结果是不是大写字母
:0045F52B 7C05
jl 0045F532
:0045F52D 83FB5A
cmp ebx, 0000005A
:0045F530 7E0A
jle 0045F53C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F52B(C)
|
:0045F532 83FB61
cmp ebx, 00000061 <======比较结果是不是小写字母
:0045F535 7C2A
jl 0045F561
:0045F537 83FB7A
cmp ebx, 0000007A
:0045F53A 7F25
jg 0045F561 <======如果都不是,则注册失败
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045F526(C), :0045F530(C)
|
:0045F53C 8D45F0
lea eax, dword ptr [ebp-10]
:0045F53F E81848FAFF call 00403D5C
:0045F544 885C30FF mov
byte ptr [eax+esi-01], bl <=====保存结果
:0045F548 46
inc esi
:0045F549 FF4DE4
dec [ebp-1C] <=====计算完了吗?
:0045F54C 0F8577FFFFFF jne 0045F4C9
<======没有则继续计算
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F4BB(C)
|
:0045F552 8B45F0
mov eax, dword ptr [ebp-10] <=====取输入的偶数位假注册码
:0045F555 8B55F8
mov edx, dword ptr [ebp-08] <=====取计算出来的注册码
:0045F558 E83F47FAFF call 00403C9C
<=====比较注册码
:0045F55D 0F9445F7 sete
byte ptr [ebp-09] <=====按比较的结果设注册标志
好了,注册算法清楚了,但注册机我一时还编不出来:这个软件不能用通用的注册机制作工具来制作,只能用编程来穷举出它的注册码。等几天吧,我再发表我的注册机。