破解目标:LeapFTP 2.7.3.600
官方主页:http://www.leapware.com/download.html
软件简介:ftp下載軟件。
下载地址:ftp://ftp.leapware.com/pub/lftp273.exe
使用工具:W32Dasm、Ollydbg、Windows 自带的计算器
這個程序用fi2.5檢測無殼,用W32Dasm,找到“感謝註冊”:
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:00487B6C(C)
|
:00487B7C 8B83F0020000 mov eax, dword
ptr [ebx+000002F0]
:00487B82 50
push eax
:00487B83 8D55F4
lea edx, dword ptr [ebp-0C]
:00487B86 8B83D0020000 mov eax, dword
ptr [ebx+000002D0]
:00487B8C E833C0FAFF
call 00433BC4
:00487B91 8B55F4
mov edx, dword ptr [ebp-0C]
:00487B94 8B4DFC
mov ecx, dword ptr [ebp-04]
:00487B97 8BC3
mov eax, ebx
:00487B99 E8BA010000
call 00487D58 //註冊碼就在裏靣算出
:00487B9E 84C0
test al, al
//測試AL
:00487BA0 7462
je 00487C04 //為0就去死
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00487B7A(C)
|
:00487BA2 8D55F0
lea edx, dword ptr [ebp-10]
:00487BA5 8B83E4020000 mov eax,
dword ptr [ebx+000002E4]
:00487BAB E814C0FAFF
call 00433BC4
:00487BB0 8B45F0
mov eax, dword ptr [ebp-10]
:00487BB3
50
push eax
:00487BB4 8D55EC
lea edx, dword ptr [ebp-14]
:00487BB7 8B83D0020000
mov eax, dword ptr [ebx+000002D0]
:00487BBD E802C0FAFF
call 00433BC4
:00487BC2 8B4DEC
mov ecx, dword ptr [ebp-14]
:00487BC5 8B93EC020000 mov edx,
dword ptr [ebx+000002EC]
:00487BCB 8BC3
mov eax, ebx
:00487BCD E8AE040000
call 00488080
* Possible StringData
Ref from Code Obj ->"感谢你的注册!"
|
:00487BD2
B8507C4800 mov eax, 00487C50
:00487BD7 E8542FFDFF call 0045AB30
:00487BDC C7833402000001000000 mov dword ptr [ebx+00000234],
00000001
:00487BE6 8D55E8
lea edx, dword ptr [ebp-18]
:00487BE9 8B83D0020000
mov eax, dword ptr [ebx+000002D0]
:00487BEF E8D0BFFAFF
call 00433BC4
:00487BF4 8B55E8
mov edx, dword ptr [ebp-18]
:00487BF7 8D83E8020000 lea eax,
dword ptr [ebx+000002E8]
:00487BFD E846C1F7FF
call 00403D48
:00487C02 EB15
jmp 00487C19
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00487BA0(C)
|
:00487C04 6A00
push 00000000
:00487C06 668B0D6C7C4800
mov cx, word ptr [00487C6C]
:00487C0D B201
mov dl, 01
* Possible StringData
Ref from Code Obj ->"你输入的许可密匙是不正确的. 要确保准确, "
->"你应该直接总你的购买确认 E-Mail "
->"中复制并粘贴序列号. 如果你继续操作后碰到麻烦, "
->"请联系support@leapware.com."
|
:00487C0F B8787C4800
mov eax, 00487C78
:00487C14 E81F2EFDFF
call 0045AA38
****************************************************************
用Ollydbg加載LeapFTP.exe,運行,填上用戶名:henhao 註冊碼:78787878(隨便亂填)
在Ollydbg裏面00487B99処F2下斷,點軟件的"確定"註冊!
程序停在00487B99処,F7進去,我是個菜鳥,進去后,就感到頭開始慢慢的變大~~~~~
00487D58
/$ 55 PUSH EBP
00487D59 |.
8BEC MOV EBP,ESP
00487D5B |. 83C4
DC ADD ESP,-24
00487D5E |. 53
PUSH EBX
00487D5F |. 33DB
XOR EBX,EBX
00487D61 |. 895D DC
MOV DWORD PTR SS:[EBP-24],EBX
00487D64 |. 895D E0
MOV DWORD PTR SS:[EBP-20],EBX
00487D67 |. 895D EC
MOV DWORD PTR SS:[EBP-14],EBX
00487D6A |. 894D
F8 MOV DWORD PTR SS:[EBP-8],ECX
00487D6D
|. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
00487D70
|. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00487D73
|. E8 B0C3F7FF CALL LeapFTP.00404128
00487D78 |. 8B45
F8 MOV EAX,DWORD PTR SS:[EBP-8]
00487D7B
|. E8 A8C3F7FF CALL LeapFTP.00404128
00487D80 |. 8B45
08 MOV EAX,DWORD PTR SS:[EBP+8]
00487D83
|. E8 A0C3F7FF CALL LeapFTP.00404128
00487D88 |. 33C0
XOR EAX,EAX
00487D8A |. 55
PUSH EBP
00487D8B |. 68 BB7E4800
PUSH LeapFTP.00487EBB
00487D90 |. 64:FF30
PUSH DWORD PTR FS:[EAX]
00487D93 |. 64:8920
MOV DWORD PTR FS:[EAX],ESP
00487D96 |. 33C0
XOR EAX,EAX
00487D98 |. 8945 F0
MOV DWORD PTR SS:[EBP-10],EAX
00487D9B |. 8945 F4
MOV DWORD PTR SS:[EBP-C],EAX
00487D9E |. 8B45 FC
MOV EAX,DWORD PTR SS:[EBP-4]
00487DA1 |. E8 CEC1F7FF
CALL LeapFTP.00403F74 //計算註冊名位數
00487DA6 |. 8BD0 MOV EDX,EAX
//位數edx
00487DA8 |. 85D2 TEST EDX,EDX
//測試註冊名是否為0
00487DAA |. 7E 33 JLE SHORT LeapFTP.00487DDF
//長度<=0(註冊名為空)就跳過下面的計算循環,直接到00487DDF
00487DAC |. B8 01000000
MOV EAX,1
===================開始計算======================
00487DB1 |> 8B4D FC
/MOV ECX,DWORD PTR SS:[EBP-4] //取註冊名
00487DB4 |. 0FB64C01 FF |MOVZX ECX,BYTE PTR DS:[ECX+EAX-1]
//逐位取注册名字符的 ASCII 值,这里以第一次计算为例,字符"h",ASCII 值 68(十六进制;下面循环里的数值除特别说明外都是十六进制)
00487DB9 |. 0FAFC8
|IMUL ECX,EAX
//ECX=ECX*EAX,即字符值乘以儅前位數(第一位乘1,第二位乘2,以此類推)。乘以10是由下面的SHL ECX,4完成的,這個10是十六進製的10h(十進製16),不是十進製的10。就是68*1*10=680,(若儅前字符是註冊名的第二位,就是 字符值*2*10)
00487DBC |. 8BD9 |MOV EBX,ECX
//ECX*EAX計算結果入ebx
00487DBE |. C1E1 04 |SHL ECX,4
//ECX左移4位,相當於乘以10h(十進製16)
00487DC1 |. 2BCB |SUB ECX,EBX
//減法ecx=ecx-ebx,即 (字符值*位數*10h)-(字符值*位數)
00487DC3 |. 894D E8 |MOV DWORD PTR SS:[EBP-18],ECX
//把ecx裏的計算結果存入[EBP-18],供下面的FILD讀取
00487DC6 |. DB45 E8
|FILD DWORD PTR SS:[EBP-18] //將計算結果十進製裝到st(0)
00487DC9 |. DC45 F0 |FADD QWORD PTR SS:[EBP-10]
//纍加以後裝到ST(0)
00487DCC |. 8D0C80
|LEA ECX,DWORD PTR DS:[EAX+EAX*4] //計算eax+eax*4,比如儅前是註冊名ASCII第一位數,計算方式就是:1+1*4,如果儅前是註冊名ASCII第二位,計算方式為:2+2*4,以此類推
00487DCF |. 894D E4 |MOV DWORD PTR SS:[EBP-1C],ECX
//把ecx裏的結果存入[EBP-1C],供下面的FILD讀取
00487DD2 |. DB45 E4 |FILD DWORD
PTR SS:[EBP-1C] //將ecx的值十進製裝入st(0)
00487DD5
|. DEC1 |FADDP ST(1),ST
//ST(0),ST(1)在這裏纍加
00487DD7
|. DD5D F0 |FSTP QWORD PTR SS:[EBP-10]
//保存,執行一次出棧
00487DDA |. 9B
|WAIT
00487DDB |. 40
|INC EAX 計數器加1
00487DDC |. 4A
|DEC EDX
00487DDD |.^75 D2
\JNZ SHORT LeapFTP.00487DB1 //根據註冊名ASCII個數循環
我輸入的註冊名:henhao(以下各項的字符值和結果都是十六進製)
h 68*1*10-68*1+(1+1*4)=61D
e 65*2*10-65*2+(2+2*4)=BE0
n 6E*3*10-6E*3+(3+3*4)=1365
h 68*4*10-68*4+(4+4*4)=1874
a 61*5*10-61*5+(5+5*4)=1c84
o 6F*6*10-6F*6+(6+6*4)=2724
+
--------------------------------
=817E 十進製轉換=33150
====================================================================
00487DDF |> 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
//從[EBP+8](調用者在00487B82処壓棧傳入的參數)取值入eax,這裏是214065(一組固定註冊碼)
00487DE2 |. E8 BD0FF8FF
CALL LeapFTP.00408DA4 //轉換成16進製
00487DE7 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
//把上面CALL返回的eax存入[EBP-18];從後面用FILD按整數裝入來看,這個CALL應是把"214065"轉成整數值(調試器裏以十六進製顯示),而不是轉成十六進製字符串
00487DEA |. DB45 E8
FILD DWORD PTR SS:[EBP-18] //裝入
00487DED
|. DD45 F0 FLD QWORD PTR SS:[EBP-10]
//裝入上靣循環計算的結果(33150)
00487DF0 |. DC4D F0
FMUL QWORD PTR SS:[EBP-10] //[EBP-10]*[EBP-10]就是33150*33150
00487DF3 |. DEC1 FADDP ST(1),ST //st(0)+st(1)
00487DF5 |. DD5D F0 FSTP QWORD PTR SS:[EBP-10]
//裝入,然後再執行一次出棧
這裏的算法:
33150*33150+214065=1099136565
====================================================================
00487DF8 |. 9B WAIT
00487DF9
|. DD45 F0 FLD QWORD PTR SS:[EBP-10]
00487DFC
|. 83C4 F4 ADD ESP,-0C
00487DFF |. DB3C24
FSTP TBYTE PTR SS:[ESP]
; |
00487E02 |. 9B
WAIT
; |
00487E03 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
; |
00487E06 |. E8 C51EF8FF
CALL LeapFTP.00409CD0
; \LeapFTP.00409CD0
00487E0B |. 8D45 E0
LEA EAX,DWORD PTR SS:[EBP-20]
00487E0E |. 50
PUSH EAX
00487E0F |. 8B55 F8
MOV EDX,DWORD PTR SS:[EBP-8]
00487E12 |. B8 D47E4800
MOV EAX,LeapFTP.00487ED4
00487E17 |. E8 44C4F7FF
CALL LeapFTP.00404260 //這裏処理註冊碼為214065-XXXXXXXXXXXX形式
00487E1C |. 8BC8 MOV ECX,EAX
00487E1E |. 49 DEC ECX
00487E1F
|. BA 01000000 MOV EDX,1
00487E24 |. 8B45 F8
MOV EAX,DWORD PTR SS:[EBP-8]
00487E27 |. E8 50C3F7FF
CALL LeapFTP.0040417C
00487E2C |. 8B45 E0
MOV EAX,DWORD PTR SS:[EBP-20]
00487E2F |. 8B55 08
MOV EDX,DWORD PTR SS:[EBP+8]
00487E32 |. E8 4DC2F7FF
CALL LeapFTP.00404084
00487E37 |. 75 48
JNZ SHORT LeapFTP.00487E81
00487E39 |. 8D45 DC
LEA EAX,DWORD PTR SS:[EBP-24]
00487E3C |. 50
PUSH EAX
00487E3D |. 8B55 F8
MOV EDX,DWORD PTR SS:[EBP-8]
00487E40 |. B8 D47E4800
MOV EAX,LeapFTP.00487ED4
00487E45 |. E8 16C4F7FF
CALL LeapFTP.00404260
00487E4A |. 50
PUSH EAX
00487E4B |. 8B45 F8 MOV
EAX,DWORD PTR SS:[EBP-8]
00487E4E |. E8 21C1F7FF CALL
LeapFTP.00403F74
00487E53 |. 5A
POP EDX
00487E54 |. 2BC2 SUB EAX,EDX
00487E56 |. 50 PUSH EAX
00487E57 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00487E5A |. B8 D47E4800 MOV EAX,LeapFTP.00487ED4
00487E5F |. E8 FCC3F7FF CALL LeapFTP.00404260
00487E64
|. 8BD0 MOV EDX,EAX
00487E66 |. 42
INC EDX
00487E67 |. 8B45 F8
MOV EAX,DWORD PTR SS:[EBP-8]
00487E6A |. 59
POP ECX
00487E6B |. E8 0CC3F7FF
CALL LeapFTP.0040417C
00487E70 |. 8B45 DC
MOV EAX,DWORD PTR SS:[EBP-24]
00487E73 |. 8B55 EC
MOV EDX,DWORD PTR SS:[EBP-14]
00487E76 |. E8 09C2F7FF
CALL LeapFTP.00404084
00487E7B |. 75 04
JNZ SHORT LeapFTP.00487E81
00487E7D |. B3 01
MOV BL,1
00487E7F |. EB 02
JMP SHORT LeapFTP.00487E83
00487E81 |> 33DB
XOR EBX,EBX
00487E83 |> 33C0
XOR EAX,EAX
00487E85 |. 5A
POP EDX
00487E86 |. 59
POP ECX
00487E87 |. 59
POP ECX
00487E88 |. 64:8910 MOV DWORD PTR
FS:[EAX],EDX
00487E8B |. 68 C27E4800 PUSH LeapFTP.00487EC2
00487E90 |> 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00487E93 |. BA 02000000 MOV EDX,2
00487E98
|. E8 7BBEF7FF CALL LeapFTP.00403D18
00487E9D |. 8D45
EC LEA EAX,DWORD PTR SS:[EBP-14]
00487EA0
|. E8 4FBEF7FF CALL LeapFTP.00403CF4
00487EA5 |. 8D45
F8 LEA EAX,DWORD PTR SS:[EBP-8]
00487EA8
|. BA 02000000 MOV EDX,2
00487EAD |. E8 66BEF7FF
CALL LeapFTP.00403D18
00487EB2 |. 8D45 08
LEA EAX,DWORD PTR SS:[EBP+8]
00487EB5 |. E8 3ABEF7FF
CALL LeapFTP.00403CF4
00487EBA \. C3
RETN
00487EBB .^E9 CCB8F7FF JMP LeapFTP.0040378C
00487EC0 .^EB CE JMP SHORT LeapFTP.00487E90
00487EC2 . 8BC3 MOV EAX,EBX
00487EC4 . 5B POP EBX
00487EC5
. 8BE5 MOV ESP,EBP
00487EC7 . 5D
POP EBP
00487EC8 . C2 0400
RETN 4
//返囘
---------------------------------------------------------------------
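通過我輸入的註冊名henhao經過計算就得到了我的註冊碼:214065-1099136565
從上面的流程看,程序是在本地用註冊名重新算出註冊碼的後半段,再與輸入的内容做比較(兩次CALL 00404084後各接一個JNZ),整個校驗只依賴註冊名和一組固定數字,沒有用到任何只有廠商才持有的秘密。這類校驗的強度完全取決於算法不被讀懂;若改成由廠商用私鑰對註冊信息簽名、客戶端只保留公鑰做驗簽,生成註冊碼的步驟就不會出現在客戶端程序裏。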
---------------------------------------------------------------------
【注册信息保存】:
HKEY_CURRENT_USER\Software\LeapWare\Registry\LeapFTP
UserKey 214065-1099136565
UserName henhao
刪除這個,可以重新註冊!
----------------------------------------------------------------------
我想學習註冊機的製作,哪位老師能不能教教我這個怎麽用keymake製作註冊機,謝謝!!!
第一次寫的破文,望指正!!!
----------------------------------------------------------------------
好好學習
2003.05.09