eBook Edit Pro 3.21破解手记
***************************************************
软件名称:eBook Edit Pro 3.21
下载地址:http://www.eBookEdit.com
大 小:2.383MB(脱壳后)
加密方式:注册码
使用工具:TRW2000中文1.23注册版,fi2.5,keymake1.73,AspackDie 1.41
pj日期:2003年3月10日
***************************************************
软件说明:一个编辑eBook的软件,十分好用!指定一个含有网页文件的文件夹,它就会把它做成一个exe可执行文件的E书。
PJ说明:
我也是新手,学习破解还不到两个星期,不足之处,请大家批评指正!
本文件中提到的主文件,即用于制作E书的主运行程序ebookedit.exe
本文件中提到的exe文件,即制作为成品的E书文件
这个软件的注册方式很特别!
在主文件运行过程中,注册部分只有输入用户名和注册码,但除了保存这个信息在注册表的HKEY_CURRENT_USER\Software\Cybershare\Registration位置外(错的也保存),并不做任何检验注册码是否正确的动作。而真正的注册码检验部分是在生成的exe文件中,呵呵,很有意思吧!
如果在主文件当中输入的注册码不正确,那么生成的exe文件在运行的时候,会出现一个未注册的信息。由于exe文件可以脱离原生成程序运行,所以,我们可以判断出来,主文件在生成exe文件的过程中,已经将输入的用户名和注册码信息放入exe文件里了,那么exe文件一运行,就会将这部分信息提取出来,进行注册码正确检验。
得出的结论:要想得真正的注册码,不是研究主文件,而是研究生成的exe文件(找出这个关键,我费了2个小时)
1、先试用一下软件,运行出现欢迎画片,只有一个授权给:和注册键:,分别输入newlaos和78787878(学前辈的试用码),然后按正常步骤生成一个exe文件(不要太大),这里假设为crack.exe文件。
2、用fi2.5一看,exe文件加了一个aspack2.1的壳,用TRW2000可以手动脱壳,自动脱壳我选择了AspackDie 1.41(脱壳过程中,它会发现一个附加信息,选择“是”),生成unpack.exe文件。
3、用TRW2000载入unpack.exe文件,按F10步进(因为按F12一下就出现了未注册信息),来到下面代码段:
......
......
|
:0047C7DC A1D8F04000
mov eax, dword ptr [0040F0D8]
:0047C7E1 E8B260F9FF
call 00412898
:0047C7E6 A3D40A4800
mov dword ptr [00480AD4], eax
:0047C7EB
33C0 xor
eax, eax
:0047C7ED 55
push ebp
:0047C7EE 6859C84700
push 0047C859
:0047C7F3 64FF30
push dword ptr fs:[eax]
:0047C7F6 648920
mov dword ptr fs:[eax],
esp
:0047C7F9 A10CE84700 mov
eax, dword ptr [0047E80C]
:0047C7FE 8B00
mov eax, dword ptr [eax]
:0047C800 E8F7DBFCFF
call 0044A3FC
:0047C805 A10CE84700
mov eax, dword ptr [0047E80C]
:0047C80A
8B00 mov
eax, dword ptr [eax]
:0047C80C C6404B00
mov [eax+4B], 00
:0047C810 A1F0E64700
mov eax, dword ptr [0047E6F0]
:0047C815 8B15D40A4800
mov edx, dword ptr [00480AD4]
:0047C81B
8910 mov
dword ptr [eax], edx
:0047C81D 8B0D34E64700
mov ecx, dword ptr [0047E634]
:0047C823 A10CE84700
mov eax, dword ptr [0047E80C]
:0047C828 8B00
mov eax, dword ptr
[eax]
* Possible StringData
Ref from Code Obj ->"?C"
|
:0047C82A
8B15F0964700 mov edx, dword ptr [004796F0]
:0047C830
E8DFDBFCFF call 0044A414
<===因为一过这里就出现了未注册信息,所以F8进入(后面很多是这种情况)
:0047C835
A10CE84700 mov eax, dword ptr
[0047E80C]
:0047C83A 8B00
mov eax, dword ptr [eax]
:0047C83C E853DCFCFF
call 0044A494
:0047C841 33C0
xor eax, eax
:0047C843
5A pop
edx
:0047C844 59
pop ecx
:0047C845 59
pop ecx
:0047C846 648910
mov dword ptr fs:[eax], edx
:0047C849
6860C84700 push 0047C860
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047C85E(U)
|
:0047C84E
A1D40A4800 mov eax, dword ptr
[00480AD4]
:0047C853 E86866F8FF call
00402EC0
:0047C858 C3
ret
......
......
_______________________________F8来到下面代码段_______________________________________________
:0044A414
55 push
ebp
:0044A415 8BEC
mov ebp, esp
:0044A417 51
push ecx
:0044A418 53
push ebx
:0044A419 56
push
esi
:0044A41A 57
push edi
:0044A41B 894DFC
mov dword ptr [ebp-04], ecx
:0044A41E 8BDA
mov ebx, edx
:0044A420
8BF0 mov
esi, eax
:0044A422 8BC3
mov eax, ebx
:0044A424 FF50F4
call [eax-0C]
:0044A427 8BD8
mov ebx, eax
:0044A429 8B45FC
mov eax, dword ptr
[ebp-04]
:0044A42C 8918
mov dword ptr [eax], ebx
:0044A42E 33C0
xor eax, eax
:0044A430 55
push ebp
:0044A431
6852A44400 push 0044A452
:0044A436
64FF30 push dword
ptr fs:[eax]
:0044A439 648920
mov dword ptr fs:[eax], esp
:0044A43C 8BCE
mov ecx, esi
:0044A43E 83CAFF
or edx, FFFFFFFF
:0044A441
8BC3 mov
eax, ebx
:0044A443 8B38
mov edi, dword ptr [eax]
:0044A445 FF572C
call [edi+2C]
<===因为一过这里就出现了未注册信息,所以F8再进入
:0044A448
33C0 xor
eax, eax
:0044A44A 5A
pop edx
:0044A44B 59
pop ecx
:0044A44C 59
pop ecx
:0044A44D
648910 mov dword
ptr fs:[eax], edx
:0044A450 EB16
jmp 0044A468
:0044A452 E9158FFBFF
jmp 0040336C
:0044A457 8B45FC
mov eax, dword ptr [ebp-04]
:0044A45A
33D2 xor
edx, edx
:0044A45C 8910
mov dword ptr [eax], edx
:0044A45E E81192FBFF
call 00403674
:0044A463 E86092FBFF
call 004036C8
......
......
_______________________________F8来到下面代码段_______________________________________________
:0047C448
53 push
ebx
:0047C449 56
push esi
:0047C44A 84D2
test dl, dl
:0047C44C 7408
je 0047C456
<===不跳
:0047C44E 83C4F0
add esp, FFFFFFF0
:0047C451
E8AA6DF8FF call 00403200
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047C44C(C)
|
:0047C456
8BDA mov
ebx, edx
:0047C458 8BF0
mov esi, eax
:0047C45A 33D2
xor edx, edx
:0047C45C 8BC6
mov eax, esi
:0047C45E
E80571FCFF call 00443568
:0047C463
8BC6 mov
eax, esi
:0047C465 84DB
test bl, bl
:0047C467 740F
je 0047C478
<===不跳
:0047C469 E8EA6DF8FF
call 00403258 <===因为一过这里就出现了未注册信息,所以F8第三次进入(不要晕!胜利就在前方)
:0047C46E
648F0500000000 pop dword ptr fs:[00000000]
:0047C475
83C40C add esp,
0000000C
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0047C467(C)
|
:0047C478
8BC6 mov
eax, esi
:0047C47A 5E
pop esi
:0047C47B 5B
pop ebx
:0047C47C C3
ret
......
......
_______________________________F8来到下面代码段_______________________________________________
:00403258
50 push
eax
:00403259 8B10
mov edx, dword ptr [eax]
:0040325B FF52E4
call [edx-1C]
:0040325E 58
pop eax
:0040325F
C3 ret
......
_______________________________程序进到402EA5_______________________________________________
:00402EA5
648F0500000000 pop dword ptr fs:[00000000]
:00402EAC
83C40C add esp,
0000000C
:00402EAF C3
ret
......
_______________________________程序进到47AA21_______________________________________________
:0047AA21
89832C030000 mov dword ptr [ebx+0000032C],
eax
:0047AA27 33C0
xor eax, eax
:0047AA29 898330030000
mov dword ptr [ebx+00000330], eax
:0047AA2F 8BCB
mov ecx, ebx
:0047AA31
B201 mov
dl, 01
* Possible StringData
Ref from Code Obj ->"?C"
|
:0047AA33
A194614700 mov eax, dword ptr
[00476194]
:0047AA38 E82B8BFCFF call
00443568
:0047AA3D 8BF0
mov esi, eax
:0047AA3F 89B338030000
mov dword ptr [ebx+00000338], esi
:0047AA45 8BC6
mov eax, esi
:0047AA47
E844C8FCFF call 00447290
:0047AA4C
8B8338030000 mov eax, dword ptr [ebx+00000338]
:0047AA52
8998EC020000 mov dword ptr [eax+000002EC],
ebx
* Possible StringData
Ref from Code Obj ->"U嬱j"
|
:0047AA58
C780E8020000A8C14700 mov dword ptr [ebx+000002E8], 0047C1A8
:0047AA62
E8F1B1FFFF call 00475C58
:0047AA67
833DCC0A480000 cmp dword ptr [00480ACC], 00000000
:0047AA6E
740D je 0047AA7D
:0047AA70
8B15CC0A4800 mov edx, dword ptr [00480ACC]
:0047AA76
8BC3 mov
eax, ebx
:0047AA78 E893FDFFFF call
0047A810 <===因为一过这里就出现了未注册信息,所以F8第四次进入(呵呵!)
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047AA6E(C)
|
:0047AA7D
A1F4E74700 mov eax, dword ptr
[0047E7F4]
:0047AA82 C60000
mov byte ptr [eax], 00
:0047AA85 8BC3
mov eax, ebx
:0047AA87 E860140000
call 0047BEEC
:0047AA8C A1F4E74700
mov eax, dword ptr [0047E7F4]
:0047AA91
C60001 mov byte
ptr [eax], 01
:0047AA94 8BC3
mov eax, ebx
:0047AA96 E849140000
call 0047BEE4
:0047AA9B 8BC3
mov eax, ebx
:0047AA9D E832160000
call 0047C0D4
:0047AAA2 A1CC0A4800
mov eax, dword ptr [00480ACC]
......
......
_______________________________F8来到下面代码段_______________________________________________
:0047A810
55 push
ebp
:0047A811 8BEC
mov ebp, esp
:0047A813 83C4E8
add esp, FFFFFFE8
:0047A816 53
push ebx
:0047A817 56
push
esi
:0047A818 57
push edi
:0047A819 33C9
xor ecx, ecx
:0047A81B 894DEC
mov dword ptr [ebp-14], ecx
:0047A81E
894DE8 mov dword
ptr [ebp-18], ecx
:0047A821 8BDA
mov ebx, edx
:0047A823 8BF0
mov esi, eax
:0047A825 33C0
xor eax,
eax
:0047A827 55
push ebp
:0047A828 684AA94700
push 0047A94A
:0047A82D 64FF30
push dword ptr fs:[eax]
:0047A830 648920
mov dword ptr fs:[eax],
esp
:0047A833 8BC3
mov eax, ebx
:0047A835 E8F27DF9FF
call 0041262C
:0047A83A 8BD0
mov edx, eax
:0047A83C 83EA10
sub edx, 00000010
:0047A83F
33C9 xor
ecx, ecx
:0047A841 8BC3
mov eax, ebx
:0047A843 8B38
mov edi, dword ptr [eax]
:0047A845 FF570C
call [edi+0C]
:0047A848
8D55F0 lea edx,
dword ptr [ebp-10]
:0047A84B B910000000
mov ecx, 00000010
:0047A850 8BC3
mov eax, ebx
:0047A852 8B38
mov edi, dword ptr [eax]
:0047A854
FF5704 call [edi+04]
:0047A857
8B7DFC mov edi,
dword ptr [ebp-04]
:0047A85A 81FF97130000
cmp edi, 00001397
:0047A860 7440
je 0047A8A2
<===跳转了,不然就进看下面:-)
:0047A862 6A00
push 00000000
:0047A864 8D4DE8
lea ecx, dword ptr
[ebp-18]
:0047A867 33D2
xor edx, edx
:0047A869 8BC7
mov eax, edi
:0047A86B E8C0E0F8FF
call 00408930
:0047A870 8B4DE8
mov ecx, dword ptr [ebp-18]
:0047A873
8D45EC lea eax,
dword ptr [ebp-14]
*
Possible StringData Ref from Code Obj ->"这本 eBook 具有一个错误的签名. "
->"这个程序将被终止.
签名:
"
|
:0047A876 BA60A94700
mov edx, 0047A960
:0047A87B E8F095F8FF
call 00403E70
:0047A880 8B45EC
mov eax, dword ptr
[ebp-14]
:0047A883 668B0DB4A94700 mov cx,
word ptr [0047A9B4]
:0047A88A B201
mov dl, 01
:0047A88C E8D337FDFF
call 0044E064
:0047A891 A10CE84700
mov eax, dword ptr [0047E80C]
:0047A896 8B00
mov eax,
dword ptr [eax]
:0047A898 E8ABFCFCFF
call 0044A548
:0047A89D E98D000000
jmp 0047A92F
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047A860(C)
|
:0047A8A2
8BC3 mov
eax, ebx <===程序跳到这里,继续往下走
:0047A8A4
E8837DF9FF call 0041262C
:0047A8A9
8BF8 mov
edi, eax
:0047A8AB 2B7DF0
sub edi, dword ptr [ebp-10]
:0047A8AE 89BE1C030000
mov dword ptr [esi+0000031C], edi
:0047A8B4 33C9
xor ecx,
ecx
:0047A8B6 8BD7
mov edx, edi
:0047A8B8 8BC3
mov eax, ebx
:0047A8BA 8B38
mov edi, dword ptr [eax]
:0047A8BC
FF570C call [edi+0C]
:0047A8BF
8BD3 mov
edx, ebx
:0047A8C1 8BC6
mov eax, esi
:0047A8C3 E858030000
call 0047AC20
:0047A8C8 8BD3
mov edx, ebx
:0047A8CA 8BC6
mov eax, esi
:0047A8CC
E807F5FFFF call 00479DD8 <===因为一过这里就出现了未注册信息,所以F8第五次进入(555555~~~~还要进)
:0047A8D1 8BD3
mov edx, ebx
:0047A8D3 8BC6
mov eax, esi
:0047A8D5 E816FAFFFF
call 0047A2F0
:0047A8DA 8BD3
mov edx,
ebx
:0047A8DC 8BC6
mov eax, esi
:0047A8DE E8C9F5FFFF
call 00479EAC
:0047A8E3 80BE6C03000000
cmp byte ptr [esi+0000036C], 00
:0047A8EA 7509
jne 0047A8F5
:0047A8EC 8BD3
mov edx,
ebx
:0047A8EE 8BC6
mov eax, esi
:0047A8F0 E83BFAFFFF
call 0047A330
......
......
_______________________________F8来到下面代码段_______________________________________________
:00479DD8
55 push
ebp
:00479DD9 8BEC
mov ebp, esp
:00479DDB 51
push ecx
:00479DDC 53
push ebx
:00479DDD 56
push
esi
:00479DDE 8BF2
mov esi, edx
:00479DE0 8BD8
mov ebx, eax
:00479DE2 8D9320030000
lea edx, dword ptr [ebx+00000320]
:00479DE8
8BC6 mov
eax, esi
:00479DEA E83DE5FFFF call
0047832C
:00479DEF 8D9324030000 lea
edx, dword ptr [ebx+00000324]
:00479DF5 8BC6
mov eax, esi
:00479DF7 E830E5FFFF
call 0047832C
:00479DFC 8D9328030000
lea edx, dword ptr [ebx+00000328]
:00479E02
8BC6 mov
eax, esi
:00479E04 E823E5FFFF call
0047832C
:00479E09 6A00
push 00000000
:00479E0B 8B9324030000
mov edx, dword ptr [ebx+00000324]
:00479E11 8B8320030000
mov eax, dword ptr [ebx+00000320]
*
Possible StringData Ref from Code Obj ->"~TurnIde@$IntoProfit$w/eBook$!>>YouC@n$ucceed!"
->"<<"
|
:00479E17 B9789E4700
mov ecx, 00479E78
:00479E1C E83BE2FFFF
call 0047805C <===算法CALL了,最后一次F8进入,看个究竟
:00479E21
84C0 test
al, al
:00479E23 7544
jne 00479E69 <===关键跳转(终于到了),爆破只针对每个exe文件,所以没多大意思
:00479E25
8BCB mov
ecx, ebx
:00479E27 B201
mov dl, 01
*
Possible StringData Ref from Code Obj ->"?C"
|
:00479E29 A1B4744700
mov eax, dword ptr [004774B4]
:00479E2E E83597FCFF
call 00443568
:00479E33 8945FC
mov dword ptr [ebp-04], eax
:00479E36
33C0 xor
eax, eax
:00479E38 55
push ebp
:00479E39 68629E4700
push 00479E62
:00479E3E 64FF30
push dword ptr fs:[eax]
:00479E41 648920
mov dword ptr fs:[eax],
esp
:00479E44 8B45FC
mov eax, dword ptr [ebp-04]
:00479E47 E88CD8FFFF
call 004776D8
:00479E4C 33C0
xor eax, eax
:00479E4E 5A
pop edx
:00479E4F
59 pop
ecx
:00479E50 59
pop ecx
:00479E51 648910
mov dword ptr fs:[eax], edx
:00479E54 68699E4700
push 00479E69
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00479E67(U)
|
:00479E59
8B45FC mov eax,
dword ptr [ebp-04]
:00479E5C E85F90F8FF
call 00402EC0
:00479E61 C3
ret
:00479E62
E9B997F8FF jmp 00403620
:00479E67
EBF0 jmp
00479E59
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00479E23(C)
|
:00479E69
5E pop
esi
:00479E6A 5B
pop ebx
:00479E6B 59
pop ecx
:00479E6C 5D
pop ebp
:00479E6D C3
ret
_______________________________F8来到下面代码段_______________________________________________
:0047805C
55 push
ebp <===此处下D EAX发现EAX=newlaos,下D EDX发现EDX=78787878
:0047805D
8BEC mov
ebp, esp
:0047805F 81C4FCFEFFFF add
esp, FFFFFEFC
:00478065 53
push ebx
:00478066 56
push esi
:00478067 57
push edi
:00478068
33DB xor
ebx, ebx
:0047806A 895DFC
mov dword ptr [ebp-04], ebx
:0047806D 8BF9
mov edi, ecx
:0047806F 8BF2
mov esi,
edx
:00478071 8BD8
mov ebx, eax
:00478073 8B4508
mov eax, dword ptr [ebp+08]
:00478076 E85DBFF8FF
call 00403FD8
:0047807B 33C0
xor eax,
eax
:0047807D 55
push ebp
:0047807E 68D7804700
push 004780D7
:00478083 64FF30
push dword ptr fs:[eax]
:00478086 648920
mov dword ptr fs:[eax],
esp
:00478089 8D85FCFEFFFF lea eax,
dword ptr [ebp+FFFFFEFC]
:0047808F 50
push eax
:00478090 8B4D08
mov ecx, dword ptr [ebp+08]
:00478093
8BD7 mov
edx, edi
:00478095 8BC3
mov eax, ebx
:00478097 E810FEFFFF
call 00477EAC <===此CALL算出与用户名相对应的注册码
:0047809C 8D95FCFEFFFF
lea edx, dword ptr [ebp+FFFFFEFC]
:004780A2
8D45FC lea eax,
dword ptr [ebp-04] <===此处下D EAX发现注册码,但位置不正确
:004780A5 E81EBDF8FF
call 00403DC8
:004780AA 8B45FC
mov eax, dword ptr [ebp-04] <===此处将真码放入EAX
:004780AD
8BD6 mov
edx, esi <===将假码78787878放入EDX,在这下命令D EAX可以看见注册码
:004780AF E880BEF8FF
call 00403F34
:004780B4
0F94C0 sete al
:004780B7
8BD8 mov
ebx, eax
:004780B9 33C0
xor eax, eax
:004780BB 5A
pop edx
:004780BC 59
pop ecx
:004780BD 59
pop
ecx
:004780BE 648910
mov dword ptr fs:[eax], edx
:004780C1 68DE804700
push 004780DE
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004780DC(U)
|
:004780C6
8D45FC lea eax,
dword ptr [ebp-04]
:004780C9 E8D6BAF8FF
call 00403BA4
:004780CE 8D4508
lea eax, dword ptr [ebp+08]
:004780D1 E8CEBAF8FF
call 00403BA4
:004780D6 C3
ret
4、制作内存注册机:(keymake 1.73)
一、选择F8 → 另类注册机!
程序名称:crack.exe
添加数据:
中断地址:004780AD
中断次数:1
第一字节:8B
指令长度:2
保存下列信息为注册码 → 内存方式 → 寄存器 → EAX
二、选择内存方式:内存地址 → BF693C → 点生成,就有你乐的了(这一句是学老师的;)
三、内存注册机的使用:由于是针对生成的exe文件,如果要用注册机,就必须将exe文件改名为在制作注册机时定义的程序名称(本例制作出的注册机,使用时就应把exe文件改名为crack.exe),否则不能完成找注册码的工作。找到注册码,只取前面16字符就可以了!
5、我的注册信息
授权给:newlaos
注册键:EDwKZK84BuzRTYQ2