Trace Arm BY Fpc
在追踪注册码计算过程时很容易来到这里。
下面这个CALL的作用是:将输入的0X18字节的注册信息变换为0X10字节的注册码1。
* Referenced by a CALL at Addresses:
|:0048BB15 , :0048BB50 , :0048BBED , :0048BC48
|
:0048BDC8 55 push ebp
:0048BDC9 8BEC mov ebp, esp
:0048BDCB 83C4E4 add esp, FFFFFFE4
:0048BDCE 894DF8 mov dword ptr [ebp-08], ecx
Ecx指向输入的注册码
:0048BDD1 8955E4 mov dword ptr [ebp-1C], edx Edx好象等于18
:0048BDD4 8945FC mov dword ptr [ebp-04], eax
Eax指向一个字节的码表:
01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10
上面的这三个MOV比较重要
:0048BDD7 8B45FC mov eax, dword ptr [ebp-04]
:0048BDDA 8B00 mov eax, dword ptr [eax]
:0048BDDC 8945F4 mov dword ptr [ebp-0C], eax
:0048BDDF 8B45FC mov eax, dword ptr [ebp-04]
:0048BDE2 8B4004 mov eax, dword ptr [eax+04]
:0048BDE5 8945F0 mov dword ptr [ebp-10], eax
:0048BDE8 8B45FC mov eax, dword ptr [ebp-04]
:0048BDEB 8B4008 mov eax, dword ptr [eax+08]
:0048BDEE 8945EC mov dword ptr [ebp-14], eax
:0048BDF1 8B45FC mov eax, dword ptr [ebp-04]
:0048BDF4 8B400C mov eax, dword ptr [eax+0C]
:0048BDF7 8945E8 mov dword ptr [ebp-18], eax
:0048BDFA 55 push ebp
:0048BDFB 8B45E8 mov eax, dword ptr [ebp-18]
:0048BDFE 50 push eax
:0048BDFF 8B45F8 mov eax, dword ptr [ebp-08]
:0048BE02 8B00 mov eax, dword ptr [eax]
:0048BE04 0578A46AD7 add eax, D76AA478
:0048BE09 50 push eax
:0048BE0A 6A07 push 00000007
:0048BE0C 8D45F4 lea eax, dword ptr [ebp-0C]
:0048BE0F 8B4DEC mov ecx, dword ptr [ebp-14]
:0048BE12 8B55F0 mov edx, dword ptr [ebp-10]
:0048BE15 E856FEFFFF call 0048BC70
:0048BE1A 59 pop ecx
:0048BE1B 55 push ebp
:0048BE1C 8B45EC mov eax, dword ptr [ebp-14]
:0048BE1F 50 push eax
:0048BE20 8B45F8 mov eax, dword ptr [ebp-08]
:0048BE23 8B4004 mov eax, dword ptr [eax+04]
:0048BE26 0556B7C7E8 add eax, E8C7B756
:0048BE2B 50 push eax
:0048BE2C 6A0C push 0000000C
:0048BE2E 8D45E8 lea eax, dword ptr [ebp-18]
:0048BE31 8B4DF0 mov ecx, dword ptr [ebp-10]
:0048BE34 8B55F4 mov edx, dword ptr [ebp-0C]
:0048BE37 E834FEFFFF call 0048BC70
。。。。。
:0048C653 59 pop ecx
:0048C654 55 push ebp
:0048C655 8B45F4 mov eax, dword ptr [ebp-0C]
:0048C658 50 push eax
:0048C659 8B45F8 mov eax, dword ptr [ebp-08]
:0048C65C 8B4024 mov eax, dword ptr [eax+24]
:0048C65F 0591D386EB add eax, EB86D391
:0048C664 50 push eax
:0048C665 6A15 push 00000015
:0048C667 8D45F0 lea eax, dword ptr [ebp-10]
:0048C66A 8B4DE8 mov ecx, dword ptr [ebp-18]
:0048C66D 8B55EC mov edx, dword ptr [ebp-14]
:0048C670 E8FFF6FFFF call 0048BD74
:0048C675 59 pop ecx
:0048C676 8B45FC mov eax, dword ptr [ebp-04]
:0048C679 8B55F4 mov edx, dword ptr [ebp-0C]
:0048C67C 0110 add dword ptr [eax], edx
:0048C67E 8B45FC mov eax, dword ptr [ebp-04]
:0048C681 8B55F0 mov edx, dword ptr [ebp-10]
:0048C684 015004 add dword ptr [eax+04], edx
:0048C687 8B45FC mov eax, dword ptr [ebp-04]
:0048C68A 8B55EC mov edx, dword ptr [ebp-14]
:0048C68D 015008 add dword ptr [eax+08], edx
:0048C690 8B45FC mov eax, dword ptr [ebp-04]
:0048C693 8B55E8 mov edx, dword ptr [ebp-18]
:0048C696 01500C add dword ptr [eax+0C], edx
:0048C699 8BE5 mov esp, ebp
:0048C69B 5D pop ebp
:0048C69C C20400 ret 0004
这一段非常长,但各段的结构都差不多,因此大部分内容都略过了。这个CALL过后会形成一个0X10字节的注册码1。接下来注册码1会被扩展为0X20字节,然后与已经计算好的0X3F0组字串逐一相比较,与其中任意一组相同即可。
call 0048BC70是用于变换的CALL之一(这样的CALL共有四个),它被调用了16次:(真是变态!)
结合入口参数看
:0048BDFA 55 push ebp
:0048BDFB 8B45E8 mov eax, dword ptr [ebp-18]
:0048BDFE 50 push eax ;<1>
:0048BDFF 8B45F8 mov eax, dword ptr [ebp-08]
:0048BE02 8B00 mov eax, dword ptr [eax]
:0048BE04 0578A46AD7 add eax, D76AA478
:0048BE09 50 push eax ;<2>
:0048BE0A 6A07 push 00000007 ;<3>
:0048BE0C 8D45F4 lea eax, dword ptr [ebp-0C]
:0048BE0F 8B4DEC mov ecx, dword ptr [ebp-14]
:0048BE12 8B55F0 mov edx, dword ptr [ebp-10]
:0048BE15 E856FEFFFF call 0048BC70
:0048BE1A 59 pop ecx
Call(1):
* Referenced by a CALL at Addresses:
|:0048BE15 , :0048BE37 , :0048BE59 , :0048BE7B , :0048BE9D
|:0048BEBF , :0048BEE1 , :0048BF03 , :0048BF25 , :0048BF47
|:0048BF69 , :0048BF8B , :0048BFAD , :0048BFCF , :0048BFF1
|:0048C013
|
; Call(1): the transform helper at 0048BC70 (one of the four).
; Register/stack convention, as set up by the caller at 0048BDFA..0048BE1A:
;   eax      = pointer to one 32-bit state word (read and written through it)
;   edx      = word that is added in at the very end
;   ecx      = first operand of the select below
;   [ebp+08] = <3> shift count (only the low byte is used)
;   [ebp+0C] = <2> addend
;   [ebp+10] = <1> second operand of the select
; Net effect:  *word += ((ecx ^ <1>) & edx) ^ <1> + <2>
;              *word  = rotl(*word, <3>)
;              *word += edx
; Result goes back through the pointer; "ret 000C" pops the three dword args.
; The caller additionally pushes its own ebp before the three args and pops it
; afterwards ("pop ecx") -- presumably a parent-frame pointer for a nested
; routine; it sits at [ebp+14] and is never read here.
:0048BC70 55 push ebp
:0048BC71 8BEC mov ebp, esp
:0048BC73 83C4F4 add esp, FFFFFFF4 ; 0C bytes of locals: [ebp-04..ebp-0C]
:0048BC76 894DF4 mov dword ptr [ebp-0C], ecx ; local copy of ecx
:0048BC79 8955F8 mov dword ptr [ebp-08], edx ; local copy of edx
:0048BC7C 8945FC mov dword ptr [ebp-04], eax ; local copy of the word pointer
:0048BC7F 8B45F4 mov eax, dword ptr [ebp-0C] ; Eax=Ecx
:0048BC82 334510 xor eax, dword ptr [ebp+10] ; Eax^=<1>
:0048BC85 2345F8 and eax, dword ptr [ebp-08] ; Eax&=Edx
:0048BC88 334510 xor eax, dword ptr [ebp+10] ; Eax^=<1> -> ((ecx ^ <1>) & edx) ^ <1>: a bit-select, ecx where edx=1, <1> where edx=0 (same as (edx & ecx) | (~edx & <1>))
:0048BC8B 03450C add eax, dword ptr [ebp+0C] ; Eax+=<2>
:0048BC8E 8B55FC mov edx, dword ptr [ebp-04]
:0048BC91 0102 add dword ptr [edx], eax ; *word += Eax (accumulates onto the old value; not a plain store)
:0048BC93 33C0 xor eax, eax ; clear eax so only the low byte below is the count
:0048BC95 8A4508 mov al, byte ptr [ebp+08] ; Eax=<3>
:0048BC98 B920000000 mov ecx, 00000020 ; 32 (hex 20)
:0048BC9D 2BC8 sub ecx, eax ; cl = 32 - <3>
:0048BC9F 8B45FC mov eax, dword ptr [ebp-04]
:0048BCA2 8B00 mov eax, dword ptr [eax]
:0048BCA4 D3E8 shr eax, cl ; *word >> (32 - <3>)
:0048BCA6 8A4D08 mov cl, byte ptr [ebp+08]
:0048BCA9 8B55FC mov edx, dword ptr [ebp-04]
:0048BCAC 8B12 mov edx, dword ptr [edx]
:0048BCAE D3E2 shl edx, cl ; *word << <3>
:0048BCB0 0BC2 or eax, edx ; Roll left N<3> bits (32-bit rotate of *word)
:0048BCB2 8B55FC mov edx, dword ptr [ebp-04]
:0048BCB5 8902 mov dword ptr [edx], eax ; *word = rotl(*word, <3>)
:0048BCB7 8B45FC mov eax, dword ptr [ebp-04]
:0048BCBA 8B55F8 mov edx, dword ptr [ebp-08]
:0048BCBD 0110 add dword ptr [eax], edx ; Add again: *word += the edx passed in
:0048BCBF 8BE5 mov esp, ebp
:0048BCC1 5D pop ebp
:0048BCC2 C20C00 ret 000C ; callee pops the three dword args
In short, Call(1) looks like this:
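;-----------------------------------------------------------------------
; Call(1) in short -- hand-written equivalent of the routine at 0048BC70.
; In:    eax = pointer to one 32-bit word; edx, ecx = two more words
;        stack: [ebp+08] = <3> shift count, [ebp+0C] = <2> addend,
;               [ebp+10] = <1>
; Does:  *eax += ((ecx ^ <1>) & edx) ^ <1> + <2>
;        *eax  = rotl(*eax, <3>)
;        *eax += edx
; Out:   result written through the pointer; ret 000C pops the three args.
; Clobb: eax, ecx, flags (ebx and edx are restored).
; Note:  the listing accumulates onto the OLD value of *eax
;        ("add dword ptr [edx], eax" at 0048BC91); the earlier short form
;        dropped that term. The saved pointer is read back via [esp+4].
;        Numbers are hex, as everywhere in the listing.
;-----------------------------------------------------------------------
Call1:
push ebp
mov ebp, esp
push ebx ; Ebx will serve as a Temp
push eax ; saved word pointer; [esp+4] once edx is pushed
push edx
mov eax, ecx
xor eax, dword ptr [ebp+10]
and eax, edx ; Shit! Cant write a KeyGen Coz of this
xor eax, dword ptr [ebp+10]
add eax, dword ptr [ebp+0C] ; Eax += <2>
mov ebx, dword ptr [esp+4] ; Ebx = word pointer
add eax, dword ptr [ebx] ; Eax += old *word (the term the listing keeps)
mov ebx, eax ; Temp=Eax
xor eax, eax
mov al, byte ptr [ebp+08] ; Eax=<3> (zero-extended, as in the listing)
mov ecx, 00000020 ; 32 (hex 20)
sub ecx, eax ; cl = 32 - <3>
mov eax, ebx
shr eax, cl
mov cl, byte ptr [ebp+08]
mov edx, ebx
shl edx, cl ; And this part:
or eax, edx ; Roll left N<3> bits
pop edx
add eax, edx ; += the edx passed in
mov ebx, eax
pop eax ; word pointer
mov dword ptr [eax], ebx
pop ebx
mov esp, ebp
pop ebp
ret 000C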
本来是要追出注册码计算过程,然后写出注册机。这个注册机的原理是根据那0x3F0组字串写出逆过程,现在看是不可能了,原因就在于那个AND(不可逆)。更准确地说:这个变换的初始码表(01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10)、各步的加数(D76AA478、E8C7B756……EB86D391)以及循环左移位数(7、12……21)与 MD5 压缩函数的常量完全一致,四个变换CALL各调用16次正是它的四轮,它本身就是单向散列,从目标字串倒推输入在设计上就不可行,并不只是某一条 AND 的问题。所以ARM只能解压后再暴破。:-(
标 题:与peterchen大哥商榷,Active Registry Monitor的另一种轻松破解!!!
(5千字)
发信人:南木
时 间:2001-4-8 18:03:39
详细信息:
与peterchen大哥商榷,Active Registry Monitor的另一种轻松破解!!!
按照peterchen大哥的<<完美的暴力!>>一文的方法
search:85C074BE8945F8--->75 也就是je->jne
^^
所有的限制都除去了,但遗憾的是---在我的机器上(W2000),'options'菜单中的子菜单'Settings'不能使用!不知道在Window98上能不能使用?
怎么办? 当然'操家伙'干掉它了!!!
.
.
.
:00496B63 E880D1F6FF call 00403CE8
:00496B68 83F818 cmp eax, 00000018----------->注册码是否是24位
:00496B6B 0F85A6000000 jne 00496C17
:00496B71 8B45EC mov eax, dword ptr [ebp-14]
:00496B74 E833D3F6FF call 00403EAC
:00496B79 8945F8 mov dword ptr [ebp-08], eax
:00496B7C 8B45F8 mov eax, dword ptr [ebp-08]
:00496B7F E864ECFFFF call 004957E8----------------------->关键对比!!!
:00496B84 84C0 test al, al
:00496B86 7478 je 00496C00------------------------->跳就死!!!
:00496B88 B201 mov dl, 01
:00496B8A A1F8D64400 mov eax, dword ptr [0044D6F8]
:00496B8F E8106DFBFF call 0044D8A4
:00496B94 8945F0 mov dword ptr [ebp-10], eax
:00496B97 BA01000080 mov edx, 80000001
:00496B9C 8B45F0 mov eax, dword ptr [ebp-10]
:00496B9F E8986DFBFF call 0044D93C
:00496BA4 B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"\SOFTWARE\SmartLine Vision\ARM\Registration"
|
:00496BA6 BAE46C4900 mov edx, 00496CE4
:00496BAB 8B45F0 mov eax, dword ptr [ebp-10]
:00496BAE E8E56EFBFF call 0044DA98
:00496BB3 8845F7 mov byte ptr [ebp-09], al
:00496BB6 8D45E8 lea eax, dword ptr [ebp-18]
:00496BB9 8B55F8 mov edx, dword ptr [ebp-08]
:00496BBC E85FD0F6FF call 00403C20
:00496BC1 8B4DE8 mov ecx, dword ptr [ebp-18]
* Possible StringData Ref from Code Obj ->"Code"
|
:00496BC4 BA186D4900 mov edx, 00496D18
:00496BC9 8B45F0 mov eax, dword ptr [ebp-10]
:00496BCC E8F373FBFF call 0044DFC4
:00496BD1 6A00 push 00000000
:00496BD3 668B0D206D4900 mov cx, word ptr [00496D20]
:00496BDA B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Thank you for registering !"
|
:00496BDC B82C6D4900 mov eax, 00496D2C
:00496BE1 E8E6E4FBFF call 004550CC
:00496BE6 A124744B00 mov eax, dword ptr [004B7424]
:00496BEB 8B00 mov eax, dword ptr [eax]
:00496BED E83A27FBFF call 0044932C
:00496BF2 A1E8704B00 mov eax, dword ptr [004B70E8]
:00496BF7 C60001 mov byte ptr [eax], 01
:00496BFA C645FF01 mov [ebp-01], 01
:00496BFE EB2C jmp 00496C2C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00496B86(C)
|
:00496C00 6A00 push 00000000
:00496C02 668B0D206D4900 mov cx, word ptr [00496D20]
:00496C09 33D2 xor edx, edx
* Possible StringData Ref from Code Obj ->"The registration code is invalid!"
|
:00496C0B B8506D4900 mov eax, 00496D50
:00496C10 E8B7E4FBFF call 004550CC
:00496C15 EB15 jmp 00496C2C
.
.
.
.
由以上W32Dasm反汇编的代码可看出(用查找文本"Thank you for registering"可轻易找到),
:00496B86 je 00496C00 是关键的跳跃,运行Active Registry Monitor,输入注册码123456781234567812345678(注意必须为24位),ctrl+D呼出softice ,下断点bpx showwindow
来到:00496B86 je 00496C00 用命令r fl z ,然后F5,弹出对话框---You have regestered version. Ok!! 马上启动Hex WorkShop 将84c07478b201改为84c07578b201,存盘,重新运行
Active Registry Monitor,哎呀,提示对话框'涛声依旧',随便输入注册码(24位),弹出对话框
---You have regestered version. 看来只成功了一半!!!
另一半在哪儿呢? 肯定是程序中的其它地方还进行了对比!!!
:00496B7F E864ECFFFF call 004957E8 该call为关键call,F8进去
看看,
* Referenced by a CALL at Addresses:
|:004958EE , :00496B7F ------------------------------------->增大眼睛哟!!!!
|
:004957E8 55 push ebp
:004957E9 8BEC mov ebp, esp
:004957EB 83C4D8 add esp, FFFFFFD8
:004957EE 33D2 xor edx, edx
.
.
.
原来:004958EE处也进行了对比,这下就清楚了,跳到
:004958EE E8F5FEFFFF call 004957E8
:004958F3 84C0 test al, al
:004958F5 740C je 00495903------------------>关键!!!
:004958F7 C645FF01 mov [ebp-01], 01
:004958FB A1E8704B00 mov eax, dword ptr [004B70E8]
:00495900 C60001 mov byte ptr [eax], 01
如法炮制,马上启动Hex WorkShop 将84c0740cc645ff01改为84c0750cc645ff01,存盘,重新运行
Active Registry Monitor,哎呀,提示对话框不见了,试一试'options'菜单中的子菜单'Settings'
,一切OK,大功告成!!!!!!
总结:
将84c07478b201改为84c07578b201
将84c0740cc645ff01改为84c0750cc645ff01