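Patching an MD5-Protected Program: 驱动之加 (Driver Backup Plus) 1.21 [VB]
Download page: http://xj.onlinedown.net/soft/17117.htm
Size: 2.93 MB
Language: Multilingual
Category: Shareware / Backup tools
Platform: Win9x/Me/NT/2000/XP
Date added: 2003-8-13 10:41:12
Downloads: 988
Rating: ****
【Software Description】: A clone of 驱动精灵 from 驱动之家. 1. More professional driver backup: it detects the hardware devices in the user's system, extracts and backs up the drivers for all or any subset of them, and can package the backed-up drivers as a Zip archive or a self-extracting file. It is fast: the whole job takes only 30 seconds. With driver backup you no longer have to worry about losing drivers after reinstalling the system, and multiple identically configured machines no longer need countless driver CDs. The software also supports backup over a LAN. 2. More professional driver restore: beginners who do not know how to install drivers no longer need to install them one by one after reinstalling the system; a single click installs the backed-up drivers onto the system automatically. 3. Backup of the system desktop. 4. Encryption of backup files. 5. The 3721 上网助手 (Internet Assistant) module.
【Restrictions】: NAG, 15-day trial
【Author's Statement】: I am new to cracking and am only doing this out of interest, with no other purpose. Please point out any mistakes!
【Tools】: Ollydbg 1.09, PEiD, AspackDie, W32Dasm 9.0 Platinum Edition, RegMon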
—————————————————————————————————
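【Procedure】:
The first 6 characters of the registration code are preset by the author; their MD5 value is: BB4E92EC6FBA2F7B93CF192D7CB9368DB, so patching is the only option. As long as the author makes sure registered users' keys are not leaked, it is probably very hard to obtain the complete registration code. The program verifies the registration code both at registration and at startup.
Driver Backup Plus.exe is packed with ASPack v2.12; unpack it with AspackDie. 136K -> 520K. Written in VB 6.0.
Name: fly
Trial code: 135724689012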
—————————————————————————————————
I. Verification at registration. Setting a breakpoint on MSVBVM60.rtcLeftCharVar is enough.
:00443374 8B957CFFFFFF mov edx, dword ptr [ebp+FFFFFF7C]
====>EDX=fly (username)
…… …… omitted …… ……
:004433D8 8B957CFFFFFF mov edx, dword ptr [ebp+FFFFFF7C]
====>EDX=13572468901234567890 (trial code)
* Reference To: MSVBVM60.rtcLeftCharVar, Ord:0269h
|
:0044342E FF15E8114000 Call dword ptr [004011E8]
====>Takes the first 6 characters of the trial code: 135724
…… …… omitted …… ……
:00443465 FF512C call [ecx+2C]
====>Computes the MD5 of 135724 = 4DDCB6075647F0A96811CF0ACB291A93
…… …… omitted …… ……
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044346C(C)
|
:00443480 8B957CFFFFFF mov edx, dword ptr [ebp+FFFFFF7C]
====>EDX=4DDCB6075647F0A96811CF0ACB291A93
:00443486 52 push edx
* Possible StringData Ref from Code Obj ->"BB4E92EC6FBA2F7B93CF192D7CB9368DB"
|
:00443487 68E4904000 push 004090E4
* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:0044348C FF15E8104000 Call dword ptr [004010E8]
====>Compare CALL! ① The author preset the MD5-hashed first 6 characters of the registration code!
:00443492 8BF8 mov edi, eax
:00443494 8D8D7CFFFFFF lea ecx, dword ptr [ebp+FFFFFF7C]
:0044349A F7DF neg edi
:0044349C 1BFF sbb edi, edi
:0044349E F7DF neg edi
:004434A0 F7DF neg edi
* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:004434A2 FF1528124000 Call dword ptr [00401228]
:004434A8 663BFE cmp di, si
:004434AB 0F8534080000 jne 00443CE5
====>If it jumps, it's OVER! Patch point ① (can also be patched further up)
…… …… omitted …… ……
:004434C2 FF512C call [ecx+2C]
====>Computes the MD5 of fly = AF17BC3B4A86A96A0F053A7E5F7C18BA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004434C9(C)
|
:004434DD 8B957CFFFFFF mov edx, dword ptr [ebp+FFFFFF7C]
====>EDX=AF17BC3B4A86A96A0F053A7E5F7C18BA
…… …… omitted …… ……
:00443533 FFD3 call ebx
====>Takes characters 7 through 10 of the trial code 135724689012: 6890
…… …… omitted …… ……
:0044356F FFD3 call ebx
====>Takes characters 16 through 19 of AF17BC3B4A86A96A0F053A7E5F7C18BA: A0F0
:00443571 8D8D54FFFFFF lea ecx, dword ptr [ebp+FFFFFF54]
:00443577 8D9534FFFFFF lea edx, dword ptr [ebp+FFFFFF34]
:0044357D 51 push ecx
:0044357E 52 push edx
* Reference To: MSVBVM60.__vbaVarTstNe, Ord:0000h
|
:0044357F FF15B8114000 Call dword ptr [004011B8]
====>Compare CALL! ②
:00443585 668985E0FEFFFF mov word ptr [ebp+FFFFFEE0], ax
:0044358C 8D8534FFFFFF lea eax, dword ptr [ebp+FFFFFF34]
:00443592 8D8D54FFFFFF lea ecx, dword ptr [ebp+FFFFFF54]
:00443598 50 push eax
:00443599 8D9544FFFFFF lea edx, dword ptr [ebp+FFFFFF44]
:0044359F 51 push ecx
:004435A0 8D8564FFFFFF lea eax, dword ptr [ebp+FFFFFF64]
:004435A6 52 push edx
:004435A7 50 push eax
:004435A8 57 push edi
* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
|
:004435A9 8B3D34104000 mov edi, dword ptr [00401034]
:004435AF FFD7 call edi
:004435B1 83C414 add esp, 00000014
:004435B4 6639B5E0FEFFFF cmp word ptr [ebp+FFFFFEE0], si
:004435BB 0F8524070000 jne 00443CE5
====>If it jumps, it's OVER! Patch point ②
:004435C1 8D9514FFFFFF lea edx, dword ptr [ebp+FFFFFF14]
:004435C7 6A08 push 00000008
:004435C9 8D8564FFFFFF lea eax, dword ptr [ebp+FFFFFF64]
:004435CF 8D4DA4 lea ecx, dword ptr [ebp-5C]
:004435D2 52 push edx
:004435D3 50 push eax
:004435D4 898D1CFFFFFF mov dword ptr [ebp+FFFFFF1C], ecx
:004435DA C78514FFFFFF08400000 mov dword ptr [ebp+FFFFFF14], 00004008
* Reference To: MSVBVM60.rtcRightCharVar, Ord:026Bh
|
:004435E4 FF1500124000 Call dword ptr [00401200]
====>Takes the last 8 characters of AF17BC3B4A86A96A0F053A7E5F7C18BA: 5F7C18BA
…… …… omitted …… ……
:00443619 FF522C call [edx+2C]
====>Computes the MD5 of 5F7C18BA = 3B300D0A6C82BE9E41C9D78365E9E442
…… …… omitted …… ……
:00443634 8B9578FFFFFF mov edx, dword ptr [ebp+FFFFFF78]
====>EDX=3B300D0A6C82BE9E41C9D78365E9E442
…… …… omitted …… ……
* Reference To: MSVBVM60.rtcRightCharVar, Ord:026Bh
|
:00443684 FF1500124000 Call dword ptr [00401200]
====>Takes the last 2 characters of the trial code 135724689012: 12
…… …… omitted …… ……
:004436C5 FFD3 call ebx
====>Takes characters 23 and 24 of 3B300D0A6C82BE9E41C9D78365E9E442: 83
:004436C7 8D8D64FFFFFF lea ecx, dword ptr [ebp+FFFFFF64]
:004436CD 8D9544FFFFFF lea edx, dword ptr [ebp+FFFFFF44]
:004436D3 51 push ecx
:004436D4 52 push edx
* Reference To: MSVBVM60.__vbaVarTstNe, Ord:0000h
|
:004436D5 FF15B8114000 Call dword ptr [004011B8]
====>Compare CALL! ③
:004436DB 668985E0FEFFFF mov word ptr [ebp+FFFFFEE0], ax
:004436E2 8D8544FFFFFF lea eax, dword ptr [ebp+FFFFFF44]
:004436E8 8D8D64FFFFFF lea ecx, dword ptr [ebp+FFFFFF64]
:004436EE 50 push eax
:004436EF 8D9554FFFFFF lea edx, dword ptr [ebp+FFFFFF54]
:004436F5 51 push ecx
:004436F6 52 push edx
:004436F7 6A03 push 00000003
:004436F9 FFD7 call edi
:004436FB 83C410 add esp, 00000010
:004436FE 6639B5E0FEFFFF cmp word ptr [ebp+FFFFFEE0], si
:00443705 0F85DA050000 jne 00443CE5
====>If it jumps, it's OVER! Patch point ③
…… …… omitted …… ……
* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
|
:00443A49 FF1590104000 Call dword ptr [00401090]
====>Heh, victory!
————————————————————
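II. After a restart the program is back to unregistered. Heh, so there is another check at startup.
RegMon shows that the program stores the registration code in the registry, so search the disassembly for sserialnumber and set a breakpoint there.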
* Possible StringData Ref from Code Obj ->"sserialnumber"
|
:00435A87 68188F4000 push 00408F18
:00435A8C 8D954CFFFFFF lea edx, dword ptr [ebp+FFFFFF4C]
:00435A92 52 push edx
* Reference To: MSVBVM60.__vbaStrToAnsi, Ord:0000h
|
:00435A93 FF15D0114000 Call dword ptr [004011D0]
…… …… omitted …… ……
* Reference To: MSVBVM60.rtcLeftCharVar, Ord:0269h
|
:00435FCB FF15E8114000 Call dword ptr [004011E8]
====>Takes the first 6 characters of the trial code: 135724
…… …… omitted …… ……
:0043608D FF512C call [ecx+2C]
====>Computes the MD5 of 135724 = 4DDCB6075647F0A96811CF0ACB291A93
…… …… omitted …… ……
:004360CE 8B955CFFFFFF mov edx, dword ptr [ebp+FFFFFF5C]
====>EDX=4DDCB6075647F0A96811CF0ACB291A93
:004360D4 52 push edx
* Possible StringData Ref from Code Obj ->"BB4E92EC6FBA2F7B93CF192D7CB9368DB"
|
:004360D5 68E4904000 push 004090E4
====>004090E4=BB4E92EC6FBA2F7B93CF192D7CB9368DB
* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:004360DA FF15E8104000 Call dword ptr [004010E8]
====>Compare CALL! ④
:004360E0 F7D8 neg eax
:004360E2 1BC0 sbb eax, eax
:004360E4 F7D8 neg eax
:004360E6 F7D8 neg eax
:004360E8 6689858CFEFFFF mov word ptr [ebp+FFFFFE8C], ax
:004360EF 8D8D5CFFFFFF lea ecx, dword ptr [ebp+FFFFFF5C]
* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:004360F5 FF1528124000 Call dword ptr [00401228]
:004360FB 0FBF858CFEFFFF movsx eax, word ptr [ebp+FFFFFE8C]
:00436102 85C0 test eax, eax
:00436104 0F8480010000 je 0043628A
====>If it does not jump, it's OVER! Patch point ④
…… …… omitted …… ……
:00436332 8BD0 mov edx, eax
====>EDX=fly (username)
:00436334 8D8D58FFFFFF lea ecx, dword ptr [ebp+FFFFFF58]
* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
|
:0043633A FF15F0114000 Call dword ptr [004011F0]
:00436340 8D8D54FFFFFF lea ecx, dword ptr [ebp+FFFFFF54]
:00436346 51 push ecx
:00436347 8D9558FFFFFF lea edx, dword ptr [ebp+FFFFFF58]
:0043634D 52 push edx
:0043634E 8B8594FEFFFF mov eax, dword ptr [ebp+FFFFFE94]
:00436354 8B08 mov ecx, dword ptr [eax]
:00436356 8B9594FEFFFF mov edx, dword ptr [ebp+FFFFFE94]
:0043635C 52 push edx
:0043635D FF512C call [ecx+2C]
====>Computes the MD5 of fly = AF17BC3B4A86A96A0F053A7E5F7C18BA
…… …… omitted …… ……
* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:0043644A FF15C8104000 Call dword ptr [004010C8]
====>Takes characters 7 through 10 of the trial code 135724689012: 6890
…… …… omitted …… ……
* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:004364A1 FF15C8104000 Call dword ptr [004010C8]
====>Takes characters 16 through 19 of AF17BC3B4A86A96A0F053A7E5F7C18BA: A0F0
:004364A7 8D8D20FFFFFF lea ecx, dword ptr [ebp+FFFFFF20]
:004364AD 51 push ecx
:004364AE 8D9500FFFFFF lea edx, dword ptr [ebp+FFFFFF00]
:004364B4 52 push edx
* Reference To: MSVBVM60.__vbaVarTstNe, Ord:0000h
|
:004364B5 FF15B8114000 Call dword ptr [004011B8]
====>Compare CALL! ⑤
…… …… omitted …… ……
:004364FC 85C9 test ecx, ecx
====> Patch point ⑤
:004364FE 0F8480010000 je 00436684
====>If it does not jump, it's OVER!
…… …… omitted …… ……
* Reference To: MSVBVM60.rtcRightCharVar, Ord:026Bh
|
:004366AE FF1500124000 Call dword ptr [00401200]
====>Takes the last 8 characters of AF17BC3B4A86A96A0F053A7E5F7C18BA: 5F7C18BA
…… …… omitted …… ……
:00436723 FF522C call [edx+2C]
====>Computes the MD5 of 5F7C18BA = 3B300D0A6C82BE9E41C9D78365E9E442
…… …… omitted …… ……
* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:00436803 FF15C8104000 Call dword ptr [004010C8]
====>Takes the last 2 characters of the trial code 135724689012: 12
…… …… omitted …… ……
* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
|
:0043685A FF15C8104000 Call dword ptr [004010C8]
====>Takes characters 23 and 24 of 3B300D0A6C82BE9E41C9D78365E9E442: 83
:00436860 8D8520FFFFFF lea eax, dword ptr [ebp+FFFFFF20]
:00436866 50 push eax
:00436867 8D8D00FFFFFF lea ecx, dword ptr [ebp+FFFFFF00]
:0043686D 51 push ecx
* Reference To: MSVBVM60.__vbaVarTstNe, Ord:0000h
|
:0043686E FF15B8114000 Call dword ptr [004011B8]
====>Compare CALL! ⑥
…… …… omitted …… ……
:004368B5 85C0 test eax, eax
====> Patch point ⑥
:004368B7 0F8480010000 je 00436A3D
====>If it does not jump, it's OVER!
…… …… omitted …… ……
:00436996 FF91B0020000 call dword ptr [ecx+000002B0]
====>The NAG asking for registration!
:00436A14 E893FAFCFF call 004064AC
====>Deletes the username from the registry
—————————————————————————————————
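【Algorithm Summary】:
1. The first 6 characters of the registration code are preset by the author; their MD5 value is: BB4E92EC6FBA2F7B93CF192D7CB9368DB
Heh. Brute-force? Patch? Pay? Wait for a key to leak? Those are probably the only options.
2. Compute the MD5 of the username fly = AF17BC3B4A86A96A0F053A7E5F7C18BA
Take characters 16 through 19 of it: A0F0, as characters 7, 8, 9 and 10 of the registration code
3. Take the last 8 characters of AF17BC3B4A86A96A0F053A7E5F7C18BA: 5F7C18BA
Compute the MD5 of 5F7C18BA = 3B300D0A6C82BE9E41C9D78365E9E442
Take characters 23 and 24 of it: 83, as the last 2 characters of the registration code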
—————————————————————————————————
【Perfect Patch】:
1. 00443480 8B957CFFFFFF mov edx, dword ptr [ebp+FFFFFF7C]
Change to: BAE490400090 mov edx, 004090E4
2. 004435BB 0F8524070000 jne 00443CE5
Change to: 909090909090 (NOP out)
3. 00443705 0F85DA050000 jne 00443CE5
Change to: 909090909090 (NOP out)
4. 004360CE 8B955CFFFFFF mov edx, dword ptr [ebp+FFFFFF5C]
Change to: BAE490400090 mov edx, 004090E4
5. 004364FC 85C9 test ecx, ecx
Change to: 33C9 xor ecx, ecx
6. 004368B5 85C0 test eax, eax
Change to: 33C0 xor eax, eax
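Read from the vendor's or an incident responder's side, the six edits above double as a tamper signature for this build. The following added example (not part of the original write-up) classifies each site in a memory-layout image as original, patched or unknown; the image base 0x00400000, the function names and the zero-filled sample image are assumptions constructed for illustration.

```python
"""Added example: check a memory-layout image for the six edits listed above."""

IMAGE_BASE = 0x00400000  # assumption: default load address, not stated on the page

# (virtual address, original bytes, patched bytes), copied from the list above
PATCH_SITES = [
    (0x00443480, "8B957CFFFFFF", "BAE490400090"),
    (0x004435BB, "0F8524070000", "909090909090"),
    (0x00443705, "0F85DA050000", "909090909090"),
    (0x004360CE, "8B955CFFFFFF", "BAE490400090"),
    (0x004364FC, "85C9", "33C9"),
    (0x004368B5, "85C0", "33C0"),
]


def classify_sites(image: bytes, base: int = IMAGE_BASE) -> dict:
    """Map each site address to 'original', 'patched', 'unknown' or 'out-of-range'."""
    states = {}
    for va, orig_hex, patched_hex in PATCH_SITES:
        orig, patched = bytes.fromhex(orig_hex), bytes.fromhex(patched_hex)
        offset = va - base
        found = image[offset:offset + len(orig)] if offset >= 0 else b""
        if len(found) < len(orig):
            states[va] = "out-of-range"  # image too short or wrong base address
        elif found == orig:
            states[va] = "original"
        elif found == patched:
            states[va] = "patched"
        else:
            states[va] = "unknown"       # another build, or a different modification
    return states


def is_tampered(image: bytes, base: int = IMAGE_BASE) -> bool:
    """True unless every site still holds the original bytes."""
    return any(s != "original" for s in classify_sites(image, base).values())


def build_sample_image(patched_vas=()) -> bytes:
    """Constructed test input: a zero-filled image holding only the six sites."""
    image = bytearray(max(va for va, _, _ in PATCH_SITES) - IMAGE_BASE + 16)
    for va, orig_hex, patched_hex in PATCH_SITES:
        data = bytes.fromhex(patched_hex if va in patched_vas else orig_hex)
        image[va - IMAGE_BASE:va - IMAGE_BASE + len(data)] = data
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_image(patched_vas={0x004435BB, 0x004368B5})
    for va, state in classify_sites(sample).items():
        print(f"{va:08X}: {state}")
```

An "unknown" or "out-of-range" result means the bytes cannot be attributed to this build or this patch set, so it is reported as tampering rather than silently passed.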
—————————————————————————————————
【Where the Registration Info Is Stored】:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\driver backup plus]
"firsttime"="9-24-2003"
"endtrialtime"="10-9-2003"
"lastvalid"="B7264EE8114E63CE5002DDDFEE7A8245"
"serialnumber"="135724A0F083"
"username"="fly"
—————————————————————————————————
Youth passes in a moment; I have traded hollow fame for the reckless joy of cracking.
Cracked By 巢水工作坊——fly [OCN][FCG]
2003-09-24 23:50