星期天在家无聊,很久没有动过软件了,就随便找了个LeapFTP的软件来实践一下Debug.(我菜,当然不敢找那
些厉害的软件下手。不然被搞的灰头土脸的就惨,一天都不会有好心情...扯远了还是回到程序中来)
Leap2.7程序下载地址:http://download.sohu.com/disk2/it/new/update/0212/lftp271.exe
作者:MachoMan[CCG]
注册名:[CCG] (China Cracking Group)
注册码:CCG1-CC2A-C1GD-UPVE
后附注册机
工具 :
soft ice 4.05
dasm32
步骤:
我先在注册名处输入'CCG'
然后输入假注册码'31415926'(Sunbird 的老办法)
再用ice 中的bpx hmemcpy下断点。再用F12进入程序空间。然后用
bd hmemcpy 屏蔽掉这个断点
在ice下用 S 30:0 L ffffffff '31415926' 命令查找我的注册码的位置
30:80607e02 30 31 34 31 35 39 32 36-00 00 00 00 00 00 00 00 31415926.............
接下来要做的就是对这个内存位置下断点
bpm 30:80607e02 (这个地址在不同机器上可能不同)
然后程序会在下面 004875D2 这个位置中断,伪注册码在这里被判断,这就是关键所在。
;-----------------------------------------------------------------------
; Registration-key validator at 004875AC (W32Dasm listing, 32-bit x86,
; Intel syntax). The argument arrives in edx and an fs:[0] frame is
; installed/removed around the body -- NOTE(review): this looks like a
; Borland/Delphi-compiled routine, inferred from the pattern, not confirmed.
; In:     edx = pointer to the entered key string (saved at [ebp-04])
; Locals: [ebp-04] key pointer, [ebp-05] pass flag, [ebp-0C] sum of group 3
; Regs:   ebx = 1-based index of the character under test (loop),
;         esi = sum of group 1, edi = sum of group 2,
;         ecx = sum1 + sum2 + sum3 (after the loop)
; Result: [ebp-05] is set to 1 at 004876FF only if every check passes;
;         how the caller reads it is outside this listing (code at
;         00487719/00487720 is not shown).
; Every failing comparison jumps to 00487703, which only unwinds the frame.
; Design note: each test is a single local branch and the key is not bound
; to the registered name; a check of this shape offers little resistance
; compared with verifying a licensee-bound, signed value.
;-----------------------------------------------------------------------
* Referenced by a CALL at Addresses:
|:0048721F , :00487D85
|
:004875AC 55
push ebp
:004875AD 8BEC
mov ebp, esp
:004875AF 83C4F4
add esp, FFFFFFF4 ; reserve 12 bytes of locals ([ebp-04], [ebp-05], [ebp-0C])
:004875B2 53
push ebx
:004875B3 56
push esi
:004875B4 57
push edi
:004875B5 8955FC
mov dword ptr [ebp-04], edx ; [ebp-04] = pointer to the entered key (passed in edx)
:004875B8 8B45FC
mov eax, dword ptr [ebp-04]
:004875BB E8F8CAF7FF call
004040B8 ; helper not in this listing; presumably a string add-ref/copy -- TODO confirm
:004875C0 33C0
xor eax, eax
:004875C2 55
push ebp
:004875C3 6819774800 push
00487719 ; handler address for the fs:[0] frame installed on the next two lines
:004875C8 64FF30
push dword ptr fs:[eax]
:004875CB 648920
mov dword ptr fs:[eax], esp ; frame installed; undone by the pops at 00487703
:004875CE C645FB00
mov [ebp-05], 00 ; pass flag := 0 (not accepted)
:004875D2 8B45FC
mov eax, dword ptr [ebp-04]//[ebp-04] holds the entered key; the fake key '31415926' is visible here
:004875D5 E82AC9F7FF call
00403F04//per the author, returns the key's character count (string length); body not shown
:004875DA 83F813
cmp eax, 00000013;the key must be 0x13 = 19 characters long
:004875DD 0F8520010000 jne 00487703;otherwise reject
:004875E3 8B45FC
mov eax, dword ptr [ebp-04]
:004875E6 8078042D
cmp byte ptr [eax+04], 2D;5th character (index 4) must be 0x2D = '-'
:004875EA 0F8513010000 jne 00487703;otherwise reject
:004875F0 8B45FC
mov eax, dword ptr [ebp-04]
:004875F3 8078092D
cmp byte ptr [eax+09], 2D;10th character (index 9) must be '-'
:004875F7 0F8506010000 jne 00487703;otherwise reject
:004875FD 8B45FC
mov eax, dword ptr [ebp-04]
:00487600 80780E2D
cmp byte ptr [eax+0E], 2D;15th character (index 14) must be '-'
:00487604 0F85F9000000 jne 00487703;otherwise reject. Together these three checks fix the key
;layout as '****-****-****-****', where each * stands for one character
:0048760A 33F6
xor esi, esi ; esi = sum of group 1
:0048760C 33FF
xor edi, edi ; edi = sum of group 2
:0048760E 33C0
xor eax, eax
:00487610 8945F4
mov dword ptr [ebp-0C], eax ; [ebp-0C] = sum of group 3
:00487613 BB01000000 mov ebx,
00000001 ; ebx = 1-based index of the character being examined
/******************************************************************************************/
//The loop starting at 00487618 walks the entered key and checks each position against a
//fixed pattern: in group 1 the last character must be a digit and the other three letters;
//in group 2 the second-to-last character is the digit; in group 3 the third-to-last is the
//digit. If the pattern holds, the bytes of the first three groups are summed per group, and
//the three sums plus their total are each mapped to one character of the fourth group; the
//author writes that mapping as (X+0x41)/0x1a+0x41. The author notes the key does not depend
//on the user name.
//NOTE(review): the instructions at 004876AC-004876B4 take the remainder of X / 0x1A (idiv,
//result in edx) and add 0x41, i.e. the listed code computes X mod 26 + 'A'.
Illustrated below:
****-****-****-****
sum1 sum2 sum3||||
||||____________________(sum1+sum2+sum3+0x41)/0x1a+0x41
|||
|||____________________(sum3+0x41)/0x1a+0x41
||
||_____________________
(sum2+0x41)/0x1a+0x41
|
|_______________________(sum1+0x41)/0x1a+0x41
/******************************************************************************************/
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048769E(C)
|
:00487618 8BC3
mov eax, ebx ; loop head; ebx runs 1..14 (see cmp ebx, 0F at 0048769B)
:0048761A 2503000080 and eax,
80000003 ; eax = ebx mod 4, keeping the sign bit (signed-remainder idiom)
:0048761F 7905
jns 00487626
:00487621 48
dec eax ; negative-remainder fix-up; not reached while ebx is 1..14
:00487622 83C8FC
or eax, FFFFFFFC
:00487625 40
inc eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048761F(C)
|
:00487626 85C0
test eax, eax
:00487628 7516
jne 00487640 ; ebx mod 4 != 0 -> letter test below
:0048762A 8B45FC
mov eax, dword ptr [ebp-04]
:0048762D 8A4418FF
mov al, byte ptr [eax+ebx-01] ; al = key[ebx-1]; positions 4, 8 and 12 land here
:00487631 E84EFFFFFF call
00487584//digit test (listed after this function): identifies one character of the key and
//requires it to be a digit, i.e. between '0' and '9'
//
:00487636 84C0
test al, al //check the result; per the author al = 0 when it is not a digit
:00487638 0F84C5000000 je 00487703//reject on non-digit
:0048763E EB22
jmp 00487662//digit accepted; continue with the accumulation step
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487628(C)
|
:00487640 8BC3
mov eax, ebx
:00487642 B905000000 mov ecx,
00000005
:00487647 99
cdq
:00487648 F7F9
idiv ecx ; edx = ebx mod 5
:0048764A 85D2
test edx, edx
:0048764C 7414
je 00487662 ; positions 5 and 10 are the '-' separators already checked; skip the letter test
:0048764E 8B45FC
mov eax, dword ptr [ebp-04]
:00487651 8A4418FF
mov al, byte ptr [eax+ebx-01] ; al = key[ebx-1]
:00487655 E83EFFFFFF call
00487598//letter test (listed after this function): identifies one character of the key and
//requires it to be a letter between 'A' and 'Z'; the address lets you look it up
:0048765A 84C0
test al, al//check the result
:0048765C 0F84A1000000 je 00487703//reject on non-letter
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048763E(U), :0048764C(C)
|
:00487662 8B45FC
mov eax, dword ptr [ebp-04]
:00487665 8A4418FF
mov al, byte ptr [eax+ebx-01] ; reload the current character
:00487669 3C2D
cmp al, 2D //is it the '-' separator?
:0048766B 742D
je 0048769A//separators are not summed; skip to the loop increment
:0048766D 83FB05
cmp ebx, 00000005//positions 1..4 belong to group 1
:00487670 7D0C
jge 0048767E
:00487672 8B55FC
mov edx, dword ptr [ebp-04] ; edx loaded but not used on this path
:00487675 25FF000000 and eax,
000000FF ; keep only the byte in al (the upper bits of eax still hold the pointer)
:0048767A 03F0
add esi, eax//esi accumulates the sum of group 1
:0048767C EB1C
jmp 0048769A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487670(C)
|
:0048767E 83FB0A
cmp ebx, 0000000A ; positions 6..9 belong to group 2
:00487681 7D0C
jge 0048768F
:00487683 8B55FC
mov edx, dword ptr [ebp-04]//[ebp-04] reloaded into edx; unused on this path
:00487686 25FF000000 and eax,
000000FF
:0048768B 03F8
add edi, eax//edi accumulates the sum of group 2
:0048768D EB0B
jmp 0048769A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487681(C)
|
:0048768F 8B55FC
mov edx, dword ptr [ebp-04]
:00487692 25FF000000 and eax,
000000FF
:00487697 0145F4
add dword ptr [ebp-0C], eax//[ebp-0C] accumulates the sum of group 3 (positions 11..14)
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048766B(C), :0048767C(U), :0048768D(U)
|
:0048769A 43
inc ebx
:0048769B 83FB0F
cmp ebx, 0000000F//all 14 positions done?
:0048769E 0F8574FFFFFF jne 00487618//no: next character
:004876A4 8D0C37
lea ecx, dword ptr [edi+esi]//from here on the expected fourth group is derived and compared
:004876A7 034DF4
add ecx, dword ptr [ebp-0C] ; ecx = sum1 + sum2 + sum3
:004876AA 8BC6
mov eax, esi
:004876AC BB1A000000 mov ebx,
0000001A ; divisor 26
:004876B1 99
cdq
:004876B2 F7FB
idiv ebx ; edx = sum1 mod 26
:004876B4 83C241
add edx, 00000041 ; dl = (sum1 mod 26) + 'A'
:004876B7 8B45FC
mov eax, dword ptr [ebp-04]
:004876BA 3A500F
cmp dl, byte ptr [eax+0F] ; must equal the 16th character (group 4, 1st)
:004876BD 7544
jne 00487703
:004876BF 8BC7
mov eax, edi
:004876C1 BB1A000000 mov ebx,
0000001A
:004876C6 99
cdq
:004876C7 F7FB
idiv ebx ; edx = sum2 mod 26
:004876C9 83C241
add edx, 00000041
:004876CC 8B45FC
mov eax, dword ptr [ebp-04]
:004876CF 3A5010
cmp dl, byte ptr [eax+10] ; must equal the 17th character (group 4, 2nd)
:004876D2 752F
jne 00487703
:004876D4 8B45F4
mov eax, dword ptr [ebp-0C]
:004876D7 BB1A000000 mov ebx,
0000001A
:004876DC 99
cdq
:004876DD F7FB
idiv ebx ; edx = sum3 mod 26
:004876DF 83C241
add edx, 00000041
:004876E2 8B45FC
mov eax, dword ptr [ebp-04]
:004876E5 3A5011
cmp dl, byte ptr [eax+11] ; must equal the 18th character (group 4, 3rd)
:004876E8 7519
jne 00487703
:004876EA 8BC1
mov eax, ecx ; total of the three sums
:004876EC B91A000000 mov ecx,
0000001A
:004876F1 99
cdq
:004876F2 F7F9
idiv ecx ; edx = total mod 26
:004876F4 83C241
add edx, 00000041
:004876F7 8B45FC
mov eax, dword ptr [ebp-04]
:004876FA 3A5012
cmp dl, byte ptr [eax+12] ; must equal the 19th character (group 4, 4th)
:004876FD 7504
jne 00487703
:004876FF C645FB01
mov [ebp-05], 01 ; all checks passed: pass flag := 1
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004875DD(C), :004875EA(C), :004875F7(C), :00487604(C), :00487638(C)
|:0048765C(C), :004876BD(C), :004876D2(C), :004876E8(C), :004876FD(C)
|
:00487703 33C0
xor eax, eax ; common exit: the accept path falls through here, every reject jumps here
:00487705 5A
pop edx
:00487706 59
pop ecx
:00487707 59
pop ecx
:00487708 648910
mov dword ptr fs:[eax], edx ; restore the previous fs:[0] frame
:0048770B 6820774800 push
00487720 ; return target for the ret below; 00487720 is outside this listing
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048771E(U)
|
:00487710 8D45FC
lea eax, dword ptr [ebp-04]
:00487713 E86CC5F7FF call
00403C84 ; presumably releases the string at [ebp-04] -- TODO confirm
:00487718 C3
ret ; pops the 00487720 pushed above, i.e. continues there
/*****************************************************************************************/
//digit (ASCII) test helper
;-----------------------------------------------------------------------
; In:   al = character to test
; Out:  al = 1 when 0x30 ('0') <= al <= 0x39 ('9'); the exit at 00487593
;       taken for any other value is not in this listing (the caller's
;       note at 00487636 says it yields al = 0)
; Clobbers: edx, flags
;-----------------------------------------------------------------------
Referenced by a CALL at Address:
|:00487631
|
:00487584 8BD0
mov edx, eax ; work on a copy so al (the return slot) is left alone
:00487586 80FA2F
cmp dl, 2F
:00487589 7608
jbe 00487593 ; dl <= 0x2F ('/'): below '0' (unsigned compare)
:0048758B 80FA3A
cmp dl, 3A
:0048758E 7303
jnb 00487593 ; dl >= 0x3A (':'): above '9'
:00487590 B001
mov al, 01 ; in range: return 1
:00487592 C3 ; ret (the mnemonic line is missing from the listing)
/****************************************************************************************/
//letter test helper
;-----------------------------------------------------------------------
; In:   al = character to test
; Out:  al = 1 when 0x41 ('A') <= al <= 0x5A ('Z'); the exit at 004875A7
;       taken for any other value is not in this listing
; Clobbers: edx, flags
;-----------------------------------------------------------------------
* Referenced by a CALL at Address:
|:00487655
|
:00487598 8BD0
mov edx, eax ; work on a copy so al (the return slot) is left alone
:0048759A 80FA40
cmp dl, 40
:0048759D 7608
jbe 004875A7 ; dl <= 0x40 ('@'): below 'A' (unsigned compare)
:0048759F 80FA5B
cmp dl, 5B
:004875A2 7303
jnb 004875A7 ; dl >= 0x5B ('['): above 'Z'
:004875A4 B001
mov al, 01 ; in range: return 1
:004875A6 C3
ret
//转摘请保持完整 All Rights Reserved By: [CCG]
- 标 题:贴个教学,初学者请进! (11千字)
- 作 者:machoman[CCG]
- 时 间:2001-4-20 14:48:01
- 链 接:http://bbs.pediy.com