此软件比较复杂,未注册前,给出注册框,并限定了使用次数,使用两百次之后,不能继续使用,哪怕是输入正确的注册码也不行,重装也不行。输入注册码之后,软件退出,在每次启动时都要重新判断注册码正确与否。
它在注册时采用了从电脑获取电脑码,并将输入的注册码进行计算,算得的值同电脑码进行比较,相等则表示注册正确。由于每台电脑的电脑码不同,保证了一个注册码只能够用于同一台电脑。
若用注册机的方法进行注册,由于在某些用户的机子上,已经超过了使用次数。这时注册已经晚了。所以没办法,最后还是采取暴力破解更可行。
在注册方面,作者设置了很多的障碍:输入的注册码有固定的前四位和后四位,只有中间的几位才参与计算;在程序入口,也设置了相当多的障碍,加了许多的判断,让我几乎迷失在无穷的跳转中,即使在子程序也加入了跳转。最后很无赖,只好跟踪正确注册的程序,才找到正确的路径。
写的有点长,对不起大家。
以下是对注册码的分析,然后是再对其进行暴力破解
运行TRW,装入!WNM,在出现对话框时,下BPX HMEMCPY,大家都是成年人,不用我说得太具体吧。
跟踪到以下代码:
016F:0048CB74 MOV EDX,[00496D34] 此处存的是“tt98
0615"
016F:0048CB7A MOVSX EAX,CX
016F:0048CB7D MOV DL,[EDX+EAX] 依次取出8,9,t,t
016F:0048CB80 CMP DL,3F
016F:0048CB83
JZ 0048CB8B
016F:0048CB85 CMP
[ESP+EAX+1C],DL 依次输入的注册码的第4,3,2,1位
016F:0048CB89 JNZ
0048CB8F
016F:0048CB8B DEC CX
016F:0048CB8D JNS 0048CB74
以上为比较前面四个字节是否为 tt98
016F:0048CB8F CMP CX,BYTE
-01
016F:0048CB93 JNZ 0048CB9A
016F:0048CB95
MOV EBP,01 =1
可能表示首四位是正确的
016F:0048CB9A MOV EDI,[00496CBC]
为 "0615"
016F:0048CBA0 MOV ECX,FFFFFFFF
016F:0048CBA5 SUB EAX,EAX
016F:0048CBA7 REPNE SCASB
016F:0048CBA9 NOT
ECX
016F:0048CBAB
DEC ECX
算出为4位
016F:0048CBAC LEA EDI,[ESP+1C]
为输入的注册码
016F:0048CBB0 MOV DX,CX
016F:0048CBB3
SUB EAX,EAX
016F:0048CBB5 MOV
ECX,FFFFFFFF
016F:0048CBBA REPNE SCASB
016F:0048CBBC NOT
ECX
016F:0048CBBE DEC
ECX 算出输入的注册码位数
016F:0048CBBF SUB CX,DX
减去4位
016F:0048CBC2 TEST CX,CX
016F:0048CBC5 JNG 0048CBF6
016F:0048CBC7
XOR SI,SI
016F:0048CBCA TEST DX,DX
016F:0048CBCD JNG 0048CBF0
016F:0048CBCF
MOV EAX,[00496CBC] 存的是0615的地址
016F:0048CBD4
MOVSX EDI,SI
016F:0048CBD7 MOV AL,[EAX+EDI]
0615中的0
016F:0048CBDA CMP AL,3F
小于F
016F:0048CBDC JZ
0048CBE9
016F:0048CBDE MOVSX EBX,CX
016F:0048CBE1
ADD EBX,EDI
016F:0048CBE3 CMP
[ESP+EBX+1C],AL
016F:0048CBE7 JNZ 0048CBF0
016F:0048CBE9 INC SI
016F:0048CBEB CMP
DX,SI
016F:0048CBEE JG 0048CBCF
以上几行比较后四位是否为0615
016F:0048CBF0 CMP
DX,SI
016F:0048CBF3 JNZ 0048CBF6
016F:0048CBF5
INC EBP 由48CB95,可知道
EBP=2,可能表示首四位和末四位都正确
016F:0048CBF6 CMP EBP,BYTE
+02
016F:0048CBF9 JZ 0048CC05
跳到下面,
016F:0048CBFB MOV EBP,FFFFFFFE
016F:0048CC00 JMP 0048CD05
016F:0048CC05
MOV EDI,[00496D34] 此处存的是“tt98 0615"
016F:0048CC0B MOV ECX,FFFFFFFF
016F:0048CC10 SUB EAX,EAX
016F:0048CC12
REPNE SCASB
016F:0048CC14 NOT ECX
ecx=5,这几行好像没什么用
016F:0048CC16
SUB EAX,EAX
016F:0048CC18 LEA
ESI,[ESP+ECX+1B] 为输入的注册码后的第五位,即tt98后面的一位的地址
016F:0048CC1C MOV
EDI,ESI
016F:0048CC1E
MOV ECX,FFFFFFFF
016F:0048CC23 REPNE SCASB
016F:0048CC25 NOT ECX
ecx=b,即tt98后面剩余的位数+1,包括0615
016F:0048CC27 MOV
EDI,[00496CBC] edi为0615地址
016F:0048CC2D
SUB EAX,EAX
016F:0048CC2F LEA EDX,[ECX-01]
edx=a,即tt98后面剩余的位数
016F:0048CC32
MOV ECX,FFFFFFFF
016F:0048CC37 REPNE SCASB
016F:0048CC39 NOT ECX
016F:0048CC3B DEC
ECX ECX=4
016F:0048CC3C MOV EAX,ESI
016F:0048CC3E SUB EAX,ECX
即输入的注册码位置
016F:0048CC40 MOV ECX,ESI
016F:0048CC42 MOV BYTE [EAX+EDX],00
即输入注册码的倒数第四位处,改位0,
以便于下面调用函数判断注册码中部(除tt98和
0165)的位数
016F:0048CC46 CALL
00491A20 !! : 判断输入的字符串是否满足要求,见子程序1
016F:0048CC4B TEST EAX,EAX
016F:0048CC4D JNZ 0048CC59
eax=1时,正确,跳转
016F:0048CC4F MOV
EBP,FFFFFFFD
016F:0048CC54 JMP 0048CD05
016F:0048CC59 MOV EDX,004930E8
此时存的“0604”字符
016F:0048CC5E MOV ECX,ESI
ESI为中间注册码首位地址
016F:0048CC60 MOV
EBP,FFFFFFFC
016F:0048CC65 CALL 00491A70
将其由字符串转换成二进制的数,见子程序2
016F:0048CC6A
CMP WORD [00496D28],BYTE +01
016F:0048CC72 MOV
ESI,EAX
016F:0048CC74 JNZ 0048CCCF
016F:0048CC76 MOV DI,[00496D2E]
016F:0048CC7D
MOV EDX,[00496CB0]
016F:0048CC83 SHR
DI,08
016F:0048CC87 MOV CX,[00496D2E]
016F:0048CC8E AND CX,FF
016F:0048CC93 CALL
0048C790
016F:0048CC98 ADD ESI,EAX
016F:0048CC9A TEST DI,DI
016F:0048CC9D JNZ
0048CCA9
016F:0048CC9F MOV EDX,[00496CB4]
016F:0048CCA5 MOV ECX,EDI
016F:0048CCA7
JMP SHORT 0048CCB4
016F:0048CCA9 MOV
CX,DI
016F:0048CCAC MOV EDX,[00496CB4]
016F:0048CCB2 INC CX
016F:0048CCB4 CALL
0048C790
016F:0048CCB9 MOV ECX,EAX
016F:0048CCBB TEST ECX,ECX
016F:0048CCBD JNZ
0048CCC6
016F:0048CCBF MOV EBP,FFFFFFFB
016F:0048CCC4 JMP SHORT 0048CCFC
016F:0048CCC6
MOV EAX,ESI
016F:0048CCC8 CDQ
016F:0048CCC9 IDIV ECX
016F:0048CCCB MOV
EBP,EDX
016F:0048CCCD JMP SHORT 0048CCFC
016F:0048CCCF CMP WORD [00496D28],BYTE +02
016F:0048CCD7 JNZ 0048CCFC
016F:0048CCD9
MOV DX,[00496D2E] 存的是 63 64,即6463
016F:0048CCE0 MOV EAX,[00496CB4]
输入的注册人名地址
016F:0048CCE5 PUSH EAX
016F:0048CCE6
MOV ECX,[00496CB0] 也是 输入的注册人名地址
016F:0048CCEC
PUSH ECX
016F:0048CCED MOV ECX,[00496AC4]
取出17EF7,十进制为98039,即我机子上的电脑码
016F:0048CCF3 CALL
0048C820 是由注册人名和电脑码算出一个数值
!!! 若将此值换算成十进制,即为正确的中间注册码
016F:0048CCF8 MOV EBP,EAX
016F:0048CCFA SUB EBP,ESI
016F:0048CCFC TEST EBP,EBP
016F:0048CCFE JZ 0048CD29
!!! 此值与原算得的二进制数比较,
相等表示输入的注册码正确,应跳转
016F:0048CD00 MOV EBP,FFFFFFFB
016F:0048CD05 TEST EBP,EBP
016F:0048CD07
JNL 0048CD29
016F:0048CD09 INC WORD [ESP+12]
016F:0048CD0E MOV AX,[ESP+12]
016F:0048CD13 CMP [00496D38],AX
016F:0048CD1A
JG NEAR 0048C913
016F:0048CD20 JMP
SHORT 0048CD29
016F:0048CD22 MOV EBP,[ESP+84]
016F:0048CD29 XOR ESI,ESI
016F:0048CD2B TEST EBP,EBP
016F:0048CD2D
JL NEAR 0048CE08 若注册码正确,不跳
016F:0048CD33 MOV AX,[ESP+12]
016F:0048CD38 CMP [00496D38],AX
016F:0048CD3F
JNG NEAR 0048CE08
016F:0048CD45 MOV
EDX,01
016F:0048CD4A MOV ECX,[ESP+12]
016F:0048CD4E CALL 0048C4C0
此处是判断是否过时,若过时,即使注册码对,也不能用
016F:0048CD53 TEST
EAX,EAX
016F:0048CD55 JZ 0048CDCD
过时则不跳转,应跳转
016F:0048CD57 PUSH
DWORD 1010
016F:0048CD5C MOV EBX,[00496D3C]
016F:0048CD62 MOVSX EAX,WORD [ESP+16]
016F:0048CD67
SHL EAX,02
016F:0048CD6A PUSH DWORD
004930E0
016F:0048CD6F LEA ECX,[EAX+EAX*2]
016F:0048CD72 LEA EDX,[ECX+ECX*4]
016F:0048CD75
MOV ECX,[ESP+1C]
016F:0048CD79 MOV
EAX,[EDX+EBX+34]
016F:0048CD7D PUSH EAX
016F:0048CD7E
PUSH ECX
016F:0048CD7F CALL `USER32!MessageBoxA`
出现过时框
016F:0048CD85 MOV ECX,[ESP+14]
016F:0048CD89 PUSH DWORD 1001
016F:0048CD8E
PUSH ECX
016F:0048CD8F CALL `USER32!GetDlgItem`
016F:0048CD95 MOV ECX,EAX
016F:0048CD97
CALL 0048B910
016F:0048CD9C MOV [00496A5E],SI
016F:0048CDA3 PUSH ESI
016F:0048CDA4 MOV
[004931C0],SI
016F:0048CDAB PUSH DWORD 8002
016F:0048CDB0 PUSH DWORD 0111
016F:0048CDB5
MOV ECX,[00496C80]
016F:0048CDBB PUSH
ECX
016F:0048CDBC CALL `USER32!SendMessageA`
016F:0048CDC2
POP EBP
016F:0048CDC3 POP EDI
016F:0048CDC4 POP ESI
016F:0048CDC5
POP EBX
016F:0048CDC6 ADD ESP,A8
016F:0048CDCC RET
016F:0048CDCD MOV
EAX,[ESP+14]
016F:0048CDD1 MOV ECX,[00496C80]
016F:0048CDD7 MOV BYTE [00496AB3],02
016F:0048CDDE
PUSH EAX
016F:0048CDDF PUSH DWORD 8000
016F:0048CDE4 PUSH DWORD 0111
016F:0048CDE9 PUSH
ECX
016F:0048CDEA CALL `USER32!SendMessageA`
016F:0048CDF0 MOV ECX,[ESP+14]
016F:0048CDF4
PUSH BYTE +01
016F:0048CDF6 PUSH ECX
016F:0048CDF7 CALL `USER32!EndDialog`
016F:0048CDFD
POP EBP
016F:0048CDFE POP EDI
016F:0048CDFF POP ESI
016F:0048CE00
POP EBX
016F:0048CE01 ADD ESP,A8
016F:0048CE07 RET
子程序1
016F:00491A20 PUSH ESI
016F:00491A21 MOV
EDX,ECX edx,ecx为注册码中间部分的起始地址
016F:00491A23
PUSH EDI
016F:00491A24 XOR ESI,ESI
016F:00491A26 MOV EDI,EDX
edi为注册码中间部分的起始地址
016F:00491A28 MOV
ECX,FFFFFFFF
016F:00491A2D SUB EAX,EAX
016F:00491A2F REPNE SCASB
016F:00491A31 NOT
ECX
016F:00491A33 DEC
ECX 中间部分的位数
016F:00491A34
TEST ECX,ECX
016F:00491A36 JNG
00491A56 位数小于1,跳转,但不出错;位数大于1,不跳
以下循环判断中间注册码是否满足条件
016F:00491A38 MOV
AL,[EDX+ESI] 取出字符
016F:00491A3B CMP
AL,30
016F:00491A3D JC 00491A5E
016F:00491A3F
CMP AL,39
016F:00491A41 JA
00491A5E 是否在0~9之间,不再,则出错输出EAX=0
016F:00491A43 INC
ESI
016F:00491A44 MOV
EDI,EDX
016F:00491A46 MOV ECX,FFFFFFFF
016F:00491A4B
SUB EAX,EAX
016F:00491A4D REPNE SCASB
016F:00491A4F
NOT ECX
016F:00491A51 DEC ECX
016F:00491A52 CMP ECX,ESI
016F:00491A54
JG 00491A38 循环判断
016F:00491A56
MOV EAX,01 正确,输出EAX=1
016F:00491A5B
POP EDI
016F:00491A5C POP ESI
016F:00491A5D RET
016F:00491A5E XOR
EAX,EAX
016F:00491A60 POP EDI
016F:00491A61
POP ESI
016F:00491A62 RET
子程序2
016F:00491A70 SUB
ESP,BYTE +08
016F:00491A73 MOV
[ESP+04],EDX 0604字符串
016F:00491A77 PUSH
EBX
016F:00491A78 MOV DWORD [ESP+04],00
016F:00491A80 PUSH ESI
016F:00491A81 PUSH
EDI
016F:00491A82 PUSH EBP
016F:00491A83
MOV ESI,01
016F:00491A88 PUSH ECX
016F:00491A89 MOV EBP,ECX
ESI为中间注册码首位地址
016F:00491A8B CALL
`KERNEL32!lstrlenA` 求出中间注册码长度
016F:00491A91 LEA
EDI,[EAX-01] EDI=长度-1
016F:00491A94
TEST EDI,EDI
016F:00491A96 JL 00491AD3
长度大于0则不跳,否则出错
以下循环
016F:00491A98 MOV
BL,[EBP+EDI+00] 依次取出中间注册码末位,末位-1,......
016F:00491A9C
CMP BL,30
016F:00491A9F JC
00491AAA
016F:00491AA1 CMP BL,39
016F:00491AA4
JA 00491AAA
是否在0~9之间
016F:00491AA6 TEST EDI,EDI
016F:00491AA8 JNL 00491AB8
肯定要跳
016F:00491AAA MOV ECX,00493504
016F:00491AAF MOV EDX,[ESP+14]
016F:00491AB3
CALL 00491600
016F:00491AB8 XOR
EAX,EAX
016F:00491ABA LEA ECX,[ESI+ESI*4]
由491A83知,esi开始1,算得ECX=5,以后依次esi*10,即10,100,1000.....
016F:00491ABD
MOV AL,BL
016F:00491ABF SUB
EAX,BYTE +30 将此字符转换成二进制数
016F:00491AC2 IMUL
EAX,ESI
016F:00491AC5
LEA ESI,[ECX*2+`DOSMGR_BackFill_Allowed`]
DOSMGR_BackFill_Allowed=0
算得ESI=10
016F:00491ACC ADD [ESP+10],EAX
原来的字符
016F:00491AD0 DEC EDI
016F:00491AD1
JNS 00491A98 循环,直至所有的字符
016F:00491AD3 MOV EAX,[ESP+10]
由上面的分析,可知此子程序将输入中间注册码
016F:00491AD7 POP
EBP
由字符串转换成二进制的数
016F:00491AD8
POP EDI
016F:00491AD9 POP ESI
016F:00491ADA POP EBX
016F:00491ADB
ADD ESP,BYTE +08
016F:00491ADE RET
总结一下,以上代码将输入的注册码进行判断,首先看注册码的起始和结尾的固定码是否正确,若正确判断中间注册码是否满足一定要求。然后取出本机的电脑码,由其算出正确的注册码。
关键点:
在48ccf3处,算出正确的注册码(要转换成十进制才能看到)
在48ccfe处与输入的注册码进行比较。
上面的这一段,其实是我的失败经验。因为我不知怎么乱搞,把注册次数搞成了0次,这下即使得到注册码也没用了,只好用暴力法破解。
分析文件入口处的代码:
016F:0048E01D MOV ECX,01
016F:0048E022
CALL 00490AA0
取得电脑信息码98039
016F:0048E027 XOR
EAX,EAX
016F:0048E029 MOV AX,[00496D32]
016F:0048E02F TEST
AH,C0
ah=f0
016F:0048E032 JNZ NEAR
0048E066 应该跳转
016F:0048E038 XOR EAX,EAX
016F:0048E03A
MOV AX,[00496D32]
016F:0048E040 TEST
AH,10
016F:0048E043 JZ NEAR 0048E066
[496d32]=10 表示次数已用完
016F:0048E049
PUSH BYTE +00
016F:0048E04B PUSH DWORD 8003
016F:0048E050 PUSH DWORD 0111
016F:0048E055
MOV EAX,[00496C80]
016F:0048E05A PUSH
EAX
016F:0048E05B CALL `USER32!SendMessageA`
次数已用完错误框
016F:0048E061 JMP
0048E06B
016F:0048E066 CALL 0048E680
016F:0048E06B
CMP DWORD [00493170],BYTE +00
016F:0048E072 JZ
NEAR 0048E08E
016F:0048E078 MOV ECX,[EBP-50]
016F:0048E07B CALL 00490CC0
若注册表中的注册码不对,显示开始的注册框,里面又有跳转见子程序3,要改
016F:0048E080 MOV [EBP-50],EAX
016F:0048E083
MOV ECX,[EBP-50]
016F:0048E086 CALL
00490D80
若注册码正确,即显示正确框,里面有跳转,见子程序4,要改
016F:0048E08B MOV
[EBP-50],EAX
016F:0048E08E CMP DWORD [EBP-50],BYTE
+01
016F:0048E092 JNZ NEAR 0048E0BF
016F:0048E098
XOR EAX,EAX
016F:0048E09A MOV
AX,[004931B8]
016F:0048E0A0 TEST EAX,EAX
016F:0048E0A2
JZ NEAR 0048E0BF
016F:0048E0A8 XOR
EAX,EAX
016F:0048E0AA MOV AX,[00496A9F]
016F:0048E0B0 TEST EAX,EAX
016F:0048E0B2 JZ
NEAR 0048E0BF
016F:0048E0B8 DEC WORD
[00496A9F]
016F:0048E0BF CMP DWORD [EBP-50],BYTE
+01
016F:0048E0C3 JNZ NEAR 0048E1D5
016F:0048E0C9
XOR EAX,EAX
016F:0048E0CB MOV
AX,[004931B8]
016F:0048E0D1 TEST EAX,EAX
016F:0048E0D3
JZ NEAR 0048E1D5
016F:0048E0D9 XOR
EAX,EAX
016F:0048E0DB MOV AX,[0049317C]
016F:0048E0E1 TEST AL,02
016F:0048E0E3 JNZ
NEAR 0048E107
016F:0048E0E9 CMP DWORD
[00493178],BYTE +00
016F:0048E0F0 JZ NEAR 0048E107
应该跳转
016F:0048E0F6
XOR EAX,EAX
016F:0048E0F8 MOV
AX,[0049317C]
016F:0048E0FE OR EAX,BYTE +02
016F:0048E101 MOV [0049317C],AX
016F:0048E107
XOR EAX,EAX
016F:0048E109 MOV
AX,[0049317C]
016F:0048E10F TEST AL,02
016F:0048E111
JZ NEAR 0048E146
应该跳转
016F:0048E117 CALL 00491250
016F:0048E11C MOV [004931B8],AX
016F:0048E122
XOR EAX,EAX
016F:0048E124 MOV
AX,[004931B8]
016F:0048E12A TEST EAX,EAX
016F:0048E12C
JNZ NEAR 0048E146
016F:0048E132 PUSH
BYTE +00
016F:0048E134 PUSH DWORD 004930B8
016F:0048E139
PUSH DWORD 004932DC
016F:0048E13E PUSH BYTE
+00
016F:0048E140 CALL `USER32!MessageBoxA`
server is full 错误信息
016F:0048E146
XOR EAX,EAX
016F:0048E148 MOV
AX,[0049317C]
016F:0048E14E TEST AL,01
016F:0048E150
JNZ NEAR 0048E1D5
016F:0048E156 CMP
DWORD [00493174],BYTE +00
016F:0048E15D JZ
NEAR 0048E198 应该跳转
016F:0048E163 MOVSX EAX,WORD [00496AB1]
016F:0048E16A
TEST EAX,EAX
016F:0048E16C JL NEAR
0048E198
016F:0048E172 MOVSX EAX,WORD [00496AB1]
016F:0048E179 SHL EAX,02
016F:0048E17C LEA
EAX,[EAX+EAX*2]
016F:0048E17F LEA
EAX,[EAX+EAX*4]
016F:0048E182 MOV ECX,[00496D3C]
016F:0048E188 XOR EDX,EDX
016F:0048E18A
MOV DX,[EAX+ECX+28]
016F:0048E18F TEST
DL,08
016F:0048E192 JNZ NEAR 0048E1C4
016F:0048E198
CMP DWORD [00493174],BYTE +00
016F:0048E19F JZ
NEAR 0048E1D5
应该跳转
016F:0048E1A5 MOVSX EAX,WORD [00496AB1]
016F:0048E1AC TEST EAX,EAX
016F:0048E1AE JNL
NEAR 0048E1D5
016F:0048E1B4 XOR EAX,EAX
016F:0048E1B6 MOV AX,[00496D44]
016F:0048E1BC
TEST AL,08
016F:0048E1BE JZ NEAR 0048E1D5
016F:0048E1C4 XOR EAX,EAX
016F:0048E1C6
MOV AX,[0049317C]
016F:0048E1CC OR
EAX,BYTE +01
016F:0048E1CF MOV [0049317C],AX
016F:0048E1D5 XOR EAX,EAX
016F:0048E1D7
MOV AX,[0049317C]
016F:0048E1DD TEST
EAX,EAX
016F:0048E1DF JZ NEAR 0048E2B7
应该跳转
016F:0048E1E5
CMP DWORD [EBP-50],BYTE +01
016F:0048E1E9 JNZ
NEAR 0048E2B7
016F:0048E1EF XOR EAX,EAX
016F:0048E1F1 MOV AX,[004931B8]
016F:0048E1F7
TEST EAX,EAX
016F:0048E1F9 JZ NEAR
0048E2B7
016F:0048E1FF LEA EAX,[EBP-64]
016F:0048E202
PUSH EAX
016F:0048E203 MOV EDX,00496C70
016F:0048E208 LEA ECX,[00496AA1]
016F:0048E20E
CALL 00491B50
016F:0048E213 MOV ECX,00496A40
016F:0048E218 ADD ECX,BYTE +61
016F:0048E21B
MOV EDX,[EAX]
016F:0048E21D MOV
[ECX],EDX
016F:0048E21F MOV EDX,[EAX+04]
016F:0048E222
MOV [ECX+04],EDX
016F:0048E225 MOV
EDX,[EAX+08]
016F:0048E228 MOV [ECX+08],EDX
016F:0048E22B MOV EAX,[EAX+0C]
016F:0048E22E
MOV [ECX+0C],EAX
016F:0048E231 CALL
00490640
016F:0048E236 TEST EAX,EAX
016F:0048E238
JNZ NEAR 0048E24D
016F:0048E23E MOV
EDX,004932D4
016F:0048E243 MOV ECX,004932B8
016F:0048E248 CALL 00491600
016F:0048E24D MOV
EDX,00496B40
016F:0048E252 LEA ECX,[00496AA1]
016F:0048E258 CALL 00490BC0
016F:0048E25D MOV
ECX,[EBP+10]
016F:0048E260 CALL 00491100
016F:0048E265 TEST EAX,EAX
016F:0048E267 JZ
NEAR 0048E295
016F:0048E26D CALL 00491080
016F:0048E272 MOV [EBP-50],EAX
016F:0048E275
PUSH BYTE +00
016F:0048E277 PUSH BYTE +00
016F:0048E279 PUSH BYTE +10
016F:0048E27B MOV
EAX,[00496C80]
016F:0048E280 PUSH EAX
016F:0048E281 CALL `USER32!SendMessageA`
016F:0048E287
MOV WORD [004931B8],00
016F:0048E290 JMP
0048E2B7
016F:0048E295 MOV DWORD
[EBP-50],00
016F:0048E29C MOV WORD [004931B8],00
016F:0048E2A5 PUSH BYTE +00
016F:0048E2A7 PUSH
BYTE +00
016F:0048E2A9 PUSH BYTE +10
016F:0048E2AB
MOV EAX,[00496C80]
016F:0048E2B0 PUSH
EAX
016F:0048E2B1 CALL `USER32!SendMessageA`
016F:0048E2B7
LEA EDX,[EBP-4C]
016F:0048E2BA LEA
ECX,[EBP-54]
016F:0048E2BD CALL 0048E3D0
016F:0048E2C2
MOV [EBP-48],EAX
016F:0048E2C5 PUSH
BYTE +00
016F:0048E2C7 PUSH BYTE +00
016F:0048E2C9
PUSH BYTE +10
016F:0048E2CB MOV EAX,[00496C80]
016F:0048E2D0 PUSH EAX
016F:0048E2D1 CALL
`USER32!SendMessageA`
016F:0048E2D7 CMP
DWORD [00493180],BYTE +02
016F:0048E2DE JZ NEAR
0048E32C
要改
016F:0048E2E4 CMP DWORD [EBP-50],BYTE
+01
016F:0048E2E8 JNZ NEAR 0048E32C
要改
016F:0048E2EE
XOR EAX,EAX
016F:0048E2F0 MOV
AX,[004931B8]
016F:0048E2F6 TEST EAX,EAX
016F:0048E2F8
JZ NEAR 0048E32C
要改
016F:0048E2FE MOV
EAX,[EBP+08]
016F:0048E301 PUSH EAX
016F:0048E302
PUSH DWORD 004931A8
016F:0048E307 CALL `USER32!UnregisterClassA`
016F:0048E30D XOR EAX,EAX
016F:0048E30F
MOV AX,[004931BC]
016F:0048E315 TEST
EAX,EAX
016F:0048E317 JZ NEAR 0048E32C
要改
016F:0048E31D MOV EAX,[EBP-4C]
016F:0048E320
PUSH EAX
016F:0048E321 LEA EDX,[EBP-54]
016F:0048E324 MOV ECX,[EBP-48]
016F:0048E327
CALL 0048E360
好了,就是它,但此过程中又有跳转,见下面子程序5,要改
016F:0048E32C CMP
DWORD [EBP-54],BYTE +00
016F:0048E330 JZ
NEAR 0048E33E
016F:0048E336 MOV ECX,[EBP-54]
016F:0048E339 CALL 004915F0
016F:0048E33E MOV
EAX,[EBP-50]
016F:0048E341 PUSH EAX
016F:0048E342 CALL `KERNEL32!ExitProcess`
016F:0048E348
MOV EAX,[EBP-50]
016F:0048E34B JMP
0048E350
016F:0048E350 POP EDI
016F:0048E351
POP ESI
016F:0048E352 POP EBX
016F:0048E353 LEAVE
016F:0048E354 RET
10
子程序3:若上次退出前输入的注册码正确,此处不显示注册码对话框,否则要显示
016F:00490CC0 TEST BYTE [00496D33],80
016F:00490CC7
PUSH ESI
016F:00490CC8 PUSH EDI
016F:00490CC9
MOV ESI,ECX
016F:00490CCB JZ
NEAR 00490D7A
016F:00490CD1 CMP WORD [004931B8],BYTE
+00
016F:00490CD9 JNZ 00490CE4
016F:00490CDB
CMP BYTE [00496AB3],02
016F:00490CE2 JNZ
00490D15
跳转
016F:00490CE4 CMP
WORD [00496AB1],BYTE +00
016F:00490CEC JL
00490D0B
016F:00490CEE MOVSX EAX,WORD [00496AB1]
016F:00490CF5 SHL EAX,02
016F:00490CF8 LEA
ECX,[EAX+EAX*2]
016F:00490CFB MOV
EAX,[00496D3C]
016F:00490D00 LEA EDX,[ECX+ECX*4]
016F:00490D03 CMP WORD [EDX+EAX+02],BYTE +00
016F:00490D09 JNZ 00490D15
016F:00490D0B
CMP WORD [00493160],BYTE +02
016F:00490D13 JNZ
00490D7A
016F:00490D15 XOR EDX,EDX
016F:00490D17 MOV ECX,68
016F:00490D1C
MOV ESI,00
016F:00490D21 CALL 00491510
016F:00490D26 MOV EDX,00496B20
016F:00490D2B
MOV ECX,EAX
016F:00490D2D MOV
[00496CC0],EAX
016F:00490D32 CALL 0048D4E0
016F:00490D37
TEST EAX,EAX
016F:00490D39 JZ 00490D4C
应该跳转
016F:00490D3B MOV EDX,0048D010
016F:00490D40
MOV ECX,00496B20
016F:00490D45 CALL
0048D680
即注册对话框
016F:00490D4A MOV ESI,EAX
016F:00490D4C MOV ECX,00496B20
到此处
016F:00490D51 CALL
0048B200
016F:00490D56 MOV EAX,[00496CC0]
016F:00490D5B MOV EDI,[00497394]
016F:00490D61
PUSH EAX
016F:00490D62 CALL EDI
016F:00490D64
PUSH EAX
016F:00490D65 CALL `KERNEL32!GlobalUnlock`
016F:00490D6B MOV EAX,[00496CC0]
016F:00490D70
PUSH EAX
016F:00490D71 CALL EDI
016F:00490D73
PUSH EAX
016F:00490D74 CALL `KERNEL32!GlobalFree`
016F:00490D7A MOV EAX,ESI
016F:00490D7C
POP EDI
016F:00490D7D POP ESI
子程序4:若上次退出前输入的注册码正确,显示注册人和注册名框,否则不显示
016F:00490D80
TEST BYTE [00496D33],40
016F:00490D87 PUSH
ESI
016F:00490D88 PUSH EDI
016F:00490D89 MOV
ESI,ECX
016F:00490D8B JZ NEAR 00490E86
016F:00490D91 CMP WORD [00496AB1],BYTE +00
016F:00490D99 JL 00490DBC
016F:00490D9B MOVSX
EAX,WORD [00496AB1]
016F:00490DA2 SHL EAX,02
016F:00490DA5 LEA ECX,[EAX+EAX*2]
016F:00490DA8
MOV EAX,[00496D3C]
016F:00490DAD LEA
EDX,[ECX+ECX*4]
016F:00490DB0 CMP WORD [EDX+EAX+02],BYTE
+00
016F:00490DB6 JNZ NEAR 00490E86
016F:00490DBC
CMP WORD [004931B8],BYTE +00
016F:00490DC4 JZ
00490DCF
016F:00490DC6 CMP BYTE [00496AB3],02
016F:00490DCD JZ 00490E00
016F:00490DCF
TEST BYTE [00496D33],80
016F:00490DD6 JNZ
NEAR 00490E86 不跳
016F:00490DDC TEST BYTE [00496D33],10
016F:00490DE3
JZ 00490E00
应该跳转
016F:00490DE5 MOV ECX,01
016F:00490DEA CALL 0048E700
次数用完对话框
016F:00490DEF TEST EAX,EAX
016F:00490DF1 JZ 00490E00
016F:00490DF3
TEST BYTE [00496D33],10
016F:00490DFA JNZ
NEAR 00490E86
016F:00490E00 XOR EDX,EDX
016F:00490E02 MOV ECX,6D
016F:00490E07
MOV ESI,00
016F:00490E0C CALL 00491510
016F:00490E11 MOV EDX,00496C90
016F:00490E16
MOV ECX,EAX
016F:00490E18 MOV
[00496D1C],EAX
016F:00490E1D CALL 0048D4E0
016F:00490E22
TEST EAX,EAX
016F:00490E24 JZ 00490E37
016F:00490E26 MOV EDX,0048D6C0
016F:00490E2B
MOV ECX,00496C90
016F:00490E30 CALL
0048D680 注册正确框,正确的注册名和注册码
016F:00490E35 MOV ESI,EAX
016F:00490E37
MOV ECX,00496C90
016F:00490E3C CALL
0048B200
016F:00490E41 MOV EAX,[00496D1C]
016F:00490E46 MOV EDI,[00497394]
016F:00490E4C
PUSH EAX
016F:00490E4D CALL EDI
016F:00490E4F
PUSH EAX
016F:00490E50 CALL `KERNEL32!GlobalUnlock`
016F:00490E56 MOV EAX,[00496D1C]
016F:00490E5B
PUSH EAX
016F:00490E5C CALL EDI
016F:00490E5E
PUSH EAX
016F:00490E5F CALL `KERNEL32!GlobalFree`
016F:00490E65 TEST BYTE [00496D33],10
016F:00490E6C
JNZ 00490E86
016F:00490E6E PUSH BYTE
+00
016F:00490E70 MOV EAX,[00496C80]
016F:00490E75
PUSH DWORD 8000
016F:00490E7A PUSH DWORD
0111
016F:00490E7F PUSH EAX
016F:00490E80 CALL
`USER32!SendMessageA`
016F:00490E86 MOV
EAX,ESI
016F:00490E88 POP EDI
016F:00490E89
POP ESI
ret
子程序5:进入正确的万能五笔程序,但进入前要判断一下。
016F:0048E360 PUSH ESI
016F:0048E361
PUSH EDI
016F:0048E362 MOV ESI,EDX
016F:0048E364 MOV EDI,[ESP+0C]
016F:0048E368
MOV EDX,[ECX+02]
016F:0048E36B XOR
EDX,[ECX+06]
016F:0048E36E XOR EDX,[ECX+0A]
016F:0048E371 ADD EDI,EDX
016F:0048E373
XOR EDX,EDX
016F:0048E375 MOV
EAX,[ECX+06]
016F:0048E378 INC EDX
016F:0048E379
XOR [EDI+EDX*4-04],EAX
016F:0048E37D INC
EDX
016F:0048E37E MOV EAX,[ECX+0A]
016F:0048E381 XOR [EDI+EDX*4-04],EAX
016F:0048E385
CMP EDX,BYTE +14
016F:0048E388 JL
0048E375
016F:0048E38A MOV ECX,[ESI]
016F:0048E38C CALL 004915F0
016F:0048E391 MOV
DWORD [ESI],00
016F:0048E397 CMP
WORD [004931B8],BYTE +00
016F:0048E39F JZ 0048E3AD
要改
016F:0048E3A1 CMP WORD [004931C0],BYTE +00
016F:0048E3A9
JZ 0048E3AD
016F:0048E3AB CALL EDI
就是它,正确的程序在此处,TNND,找死我了
016F:0048E3AD PUSH BYTE +00
016F:0048E3AF PUSH DWORD 00493328
016F:0048E3B4
PUSH DWORD 00493318
016F:0048E3B9 PUSH BYTE
+00
016F:0048E3BB CALL `USER32!MessageBoxA`
016F:0048E3C1
POP EDI
016F:0048E3C2 POP ESI
016F:0048E3C3 RET 04
好,总结以下,其实就是不断的判断障碍,
注册对话框在 48e07b call的子程序中。
正确的程序代码藏在 48e3ab call的子程序中。
知道了这一点(也是最困难的一点),就容易对症下药了。
其中要更改的地方有:
490d39
48e086 改为nop
48e2de
48e2e8
48e2f8
48e39f
48e3a9
当然不一定非得如此,只要能跳到48e3ab,其他的跳转应该也行。
- 标 题:万能五笔2001注册码分析及暴力破解 ---可怜的思考者 (27千字)
- 作 者:poorthinker
- 时 间:2002-4-15 15:24:34
- 链 接:http://bbs.pediy.com