Kugle Regediter 1.0 注册码破解法(非明码)
作者:PaulYoung (属于 China Cracking Group )
软件:Kugle Regediter 1.0 ( http://61.134.4.193:8080/friendmake/utility/RegEditer.zip )
简介:RegEditer是用来编辑、管理“注册表”设置的功能强大的工具。RegEditer为你提供了许多强大、有趣的功能,如:强大的查找功能;大数据存储(将一个文件装入注册表);将注册表内容按图片查看;将某一选定数据存入文件;批量替换指定字符串;注册表主键拷贝、粘贴;批量注册表数据拷贝、粘贴;收藏夹、直接跳转、地址输入支持等。这些功能使你能快速定位要编辑的内容。
加密:注册码
工具:SoftICE 4.05 334
日期:2001.11.02
************************************************************************************************
由于本人水平有限,文中如有错误之处,望高手指正!
填写用户名、假注册码(22位才能激活注册键),bpx hmemcpy 设断,按12次F12(13次出错),F10到……
// Call site of the registration check (disassembly listing, Intel operand order, 32-bit x86).
// The routine at 00494CD8 receives its argument in EAX; the caller tests AL afterwards.
:004BE694 8B45FC
mov eax, dword ptr [ebp-04] // the trace arrives here; EAX = local [ebp-04] (presumably the entered registration code; the callee measures its length)
:004BE697 E83C66FDFF call 00494CD8
// registration-code check; the author steps into this call (F8)
:004BE69C 84C0
test al, al // was the returned flag zero?
:004BE69E 745E
je 004BE6FE // AL == 0 -> branch to 004BE6FE (target not shown; presumably the "not registered" path)
F10继续跟踪……
// Registration-code check, part 1: frame setup and length test.
// In:  EAX = entered registration code (stored to [ebp-04]).
// Locals: five zeroed dwords at [ebp-04] .. [ebp-14]; EBX carries the result flag.
// NOTE(review): register-passed arguments (EAX/EDX/ECX) and nested fs:[0] frames look like
// Delphi-compiled code; the page does not confirm this.
:00494CD8 55
push ebp
:00494CD9 8BEC
mov ebp, esp
:00494CDB 33C9
xor ecx, ecx // ECX = 0, used to zero-fill the locals below
:00494CDD 51
push ecx // [ebp-04] = 0
:00494CDE 51
push ecx // [ebp-08] = 0
:00494CDF 51
push ecx // [ebp-0C] = 0
:00494CE0 51
push ecx // [ebp-10] = 0
:00494CE1 51
push ecx // [ebp-14] = 0
:00494CE2 53
push ebx
:00494CE3 56
push esi
:00494CE4 57
push edi
:00494CE5 8945FC
mov dword ptr [ebp-04], eax // keep the argument in [ebp-04]
:00494CE8 8B45FC
mov eax, dword ptr [ebp-04]
:00494CEB E8A0FAF6FF call 00404790 // helper not shown; purpose cannot be told from this listing
:00494CF0 33C0
xor eax, eax // EAX = 0 so fs:[eax] addresses fs:[0]
:00494CF2 55
push ebp
:00494CF3 684B4E4900 push 00494E4B // handler address of the outer exception frame
:00494CF8 64FF30
push dword ptr fs:[eax] // previous head of the exception-handler chain
:00494CFB 648920
mov dword ptr fs:[eax], esp // link the outer frame into the chain
:00494CFE 33DB
xor ebx, ebx // result flag = 0; BL becomes 1 only at 00494E14
:00494D00 33C0
xor eax, eax
:00494D02 55
push ebp
:00494D03 68244E4900 push 00494E24 // handler address of the inner exception frame
:00494D08 64FF30
push dword ptr fs:[eax]
:00494D0B 648920
mov dword ptr fs:[eax], esp // link the inner frame into the chain
:00494D0E 8B45FC
mov eax, dword ptr [ebp-04]
:00494D11 E892F8F6FF call 004045A8 // helper not shown; its result in EAX is used as the length of the code
:00494D16 83F816
cmp eax, 00000016 // is the registration code 22 (16h) characters long?
:00494D19 740D
je 00494D28 // yes -> continue with the prefix check
:00494D1B 33C0
xor eax, eax // no -> EAX = 0
:00494D1D 5A
pop edx // EDX = saved previous chain head
:00494D1E 59
pop ecx // discard handler address
:00494D1F 59
pop ecx // discard saved EBP
:00494D20 648910
mov dword ptr fs:[eax], edx // unlink the inner exception frame
:00494D23 E908010000 jmp 00494E30 // common exit (not shown in this listing)
// Registration-code check, part 2: build the literal "KGL-" in [ebp-10] and test that the
// entered code starts with it. Helpers 004042F0, 004045B0, 004047A0 and 004092BC are not shown;
// the roles given below are inferred from how their arguments and results are used.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494D19(C)
|
:00494D28 8D45F0
lea eax, dword ptr [ebp-10]
:00494D2B E8C0F5F6FF call 004042F0 // presumably resets the string in [ebp-10] before it is rebuilt -- confirm
:00494D30 8D45F0
lea eax, dword ptr [ebp-10]
:00494D33 BA644E4900 mov edx,
00494E64 // EDX = address 00494E64, which holds "K"
:00494D38 E873F8F6FF call 004045B0 // appears to append the piece in EDX to the string at [EAX]
:00494D3D 8D45F0
lea eax, dword ptr [ebp-10]// EAX = address of local [ebp-10], where the pieces are collected
:00494D40 BA704E4900 mov edx,
00494E70 // EDX = address 00494E70, which holds "G"
:00494D45 E866F8F6FF call 004045B0
:00494D4A 8D45F0
lea eax, dword ptr [ebp-10]// EAX = address of local [ebp-10], where the pieces are collected
:00494D4D BA7C4E4900 mov edx,
00494E7C // EDX = address 00494E7C, which holds "L"
:00494D52 E859F8F6FF call 004045B0
:00494D57 8D45F0
lea eax, dword ptr [ebp-10]// EAX = address of local [ebp-10], where the pieces are collected
:00494D5A BA884E4900 mov edx,
00494E88 // EDX = address 00494E88, which holds "-" (the original note said 00494E5A; the operand is 00494E88)
:00494D5F E84CF8F6FF call 004045B0
:00494D64 8B45F0
mov eax, dword ptr [ebp-10]// EAX = value of [ebp-10], i.e. the assembled "KGL-"
:00494D67 E834FAF6FF call 004047A0 // presumably returns a character pointer for the string -- confirm
:00494D6C 50
push eax // keep the pointer to "KGL-"
:00494D6D 8B45FC
mov eax, dword ptr [ebp-04]
:00494D70 E82BFAF6FF call 004047A0
:00494D75 8BF0
mov esi, eax // ESI = start of the entered code
:00494D77 8BC6
mov eax, esi
:00494D79 5A
pop edx // EDX = pointer to "KGL-"
:00494D7A E83D45F7FF call 004092BC // looks like a substring search (EAX = text, EDX = pattern) returning where it was found -- confirm
:00494D7F 8BF8
mov edi, eax
:00494D81 3BFE
cmp edi, esi // are the first 4 characters of the code "KGL-"? (result equals the start of the code)
:00494D83 740D
je 00494D92 // yes -> continue with the separator checks
:00494D85 33C0
xor eax, eax // no -> EAX = 0
:00494D87 5A
pop edx // EDX = saved previous chain head
:00494D88 59
pop ecx
:00494D89 59
pop ecx
:00494D8A 648910
mov dword ptr fs:[eax], edx // unlink the inner exception frame
:00494D8D E99E000000 jmp 00494E30 // common exit (not shown in this listing)
// Registration-code check, part 3: the three "-" separators.
// Byte offsets are 0-based, so +03, +0A and +0F are the 4th, 11th and 16th characters.
// The +03 test repeats what the "KGL-" prefix comparison already established.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494D83(C)
|
:00494D92 8B45FC
mov eax, dword ptr [ebp-04]
:00494D95 8078032D cmp
byte ptr [eax+03], 2D // is the 4th character "-" (2Dh)?
:00494D99 7512
jne 00494DAD // no -> reject
:00494D9B 8B45FC
mov eax, dword ptr [ebp-04]
:00494D9E 80780A2D cmp
byte ptr [eax+0A], 2D // is the 11th character "-"?
:00494DA2 7509
jne 00494DAD // no -> reject
:00494DA4 8B45FC
mov eax, dword ptr [ebp-04]
:00494DA7 80780F2D cmp
byte ptr [eax+0F], 2D // is the 16th character "-"?
:00494DAB 740A
je 00494DB7 // yes -> go on to the field extraction
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00494D99(C), :00494DA2(C)
|
:00494DAD 33C0
xor eax, eax // reject: reached by the two jumps above when the 4th or 11th character is not "-", and by fall-through when the 16th is not; EAX = 0
:00494DAF 5A
pop edx // EDX = saved previous chain head
:00494DB0 59
pop ecx
:00494DB1 59
pop ecx
:00494DB2 648910
mov dword ptr fs:[eax], edx // unlink the inner exception frame
:00494DB5 EB79
jmp 00494E30 // common exit (not shown in this listing)
至此,我们已经知道它的注册码格式为"KGL-XXXXXX-YYYY-ZZZZZZ",继续……
// Registration-code check, part 4: split the code into its three fields, derive the expected
// third field from the first two, and compare it with the entered one.
// Helper 00404800 is not shown; from its arguments it appears to copy ECX characters starting
// at 1-based position EDX of the string in EAX into the destination pushed on the stack -- confirm.
// NOTE(review): the expected field is computed entirely on the client and sits in [ebp-10]
// next to the entered one, and the outcome is reduced to the single flag in BL; a scheme that
// verifies a signature rather than recomputing the expected value would not keep it in memory.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494DAB(C)
|
:00494DB7 8D45F8
lea eax, dword ptr [ebp-08]
:00494DBA 50
push eax // destination: [ebp-08]
:00494DBB B906000000 mov ecx,
00000006 // count = 6
:00494DC0 BA05000000 mov edx,
00000005 // position = 5
:00494DC5 8B45FC
mov eax, dword ptr [ebp-04]
:00494DC8 E833FAF6FF call 00404800 // [ebp-08] = XXXXXX field
:00494DCD 8D45F4
lea eax, dword ptr [ebp-0C]
:00494DD0 50
push eax // destination: [ebp-0C]
:00494DD1 B904000000 mov ecx,
00000004 // count = 4
:00494DD6 BA0C000000 mov edx,
0000000C // position = 12
:00494DDB 8B45FC
mov eax, dword ptr [ebp-04]
:00494DDE E81DFAF6FF call 00404800 // [ebp-0C] = YYYY field
:00494DE3 8D45EC
lea eax, dword ptr [ebp-14]
:00494DE6 50
push eax // destination: [ebp-14]
:00494DE7 B906000000 mov ecx,
00000006 // count = 6
:00494DEC BA11000000 mov edx,
00000011 // position = 17
:00494DF1 8B45FC
mov eax, dword ptr [ebp-04]
:00494DF4 E807FAF6FF call 00404800 // [ebp-14] = entered ZZZZZZ field
:00494DF9 8D4DF0
lea ecx, dword ptr [ebp-10] // ECX = address of [ebp-10], which receives the computed field
:00494DFC 8B55F4
mov edx, dword ptr [ebp-0C] // EDX = YYYY
:00494DFF 8B45F8
mov eax, dword ptr [ebp-08] // EAX = XXXXXX
:00494E02 E895FBFFFF call 0049499C
// derives ZZZZZZ from XXXXXX and YYYY (routine not shown)
:00494E07 8B45EC
mov eax, dword ptr [ebp-14] // EAX = the ZZZZZZ that was entered
:00494E0A 8B55F0
mov edx, dword ptr [ebp-10] // EDX = the ZZZZZZ that was computed
:00494E0D E8DAF8F6FF call 004046EC
// are the two equal? (comparison helper not shown; its flags drive the jne below)
:00494E12 7504
jne 00494E18 // not taken when they are equal
:00494E14 B301
mov bl, 01 // match -> result flag = 1
:00494E16 EB02
jmp 00494E1A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494E12(C)
|
:00494E18 33DB
xor ebx, ebx // wrong ZZZZZZ -> result flag = 0
跟着的就是保存用户名和注册码到注册表了,而且用户名与注册码无关。
本来想继续弄清楚软件是如何根据 XXXXXX 和 YYYY 计算出 ZZZZZZ 的,可惜水平有限,耐性有限,不知哪位高手能继续深入研究,写个注册机出来?
注册信息放在:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Kugle\RegEditer\V1.0]
"PATH"="C:\\Program Files\\Kugle\\RegEditer1.0"
"UserName"="PaulYoung[CCG]"
"Company"="CCG"
"AuthorizationCode"="KGL-efghij-lmno-4O6EX7"
- 标 题:Kugle Regediter 1.0 注册码破解法(非明码) (8千字)
- 作 者:paulyoung
- 时 间:2001-11-3 1:01:36
- 链 接:http://bbs.pediy.com