3:08 2005-4-19

Software from the 2003 电脑报 (Computer Newspaper) CD

Category: upload/download tools

LeapFTP v2.7.4.602                                      Released: 05/21/2003
----------------------------------------------------------------------------
Written by: David Turner
Distributed by: LeapWare


Built with Borland 4-5, not packed


Cracked by: wofan[OCN]

Goal: write a registration key generator

Protection scheme used:
serial number computed from the registration name

As far as I know, this type of protection tends to be very weak!
Since the program was on the CD, I cracked it along with the rest, as practice.

Sure enough, the registration check flowed like running water, very smooth.

With C32Asm I immediately found the valuable material below:
Entered registration data:
name: wofan
code: 123456


::00487EA9::  8D55 FC                  LEA EDX,[EBP-4]
::00487EAC::  E8 C30EF8FF              CALL 00408D74                           \:JMPUP
::00487EB1::  80BB F4020000 00         CMP BYTE PTR [EBX+2F4],0                judging from this block, this compares whether a name or code was entered at all; set the breakpoint here!
::00487EB8::  74 0E                    JE SHORT 00487EC8                       \:JMPDOWN
::00487EBA::  8B55 FC                  MOV EDX,[EBP-4]                         [EBP-4]=123456
::00487EBD::  8BC3                     MOV EAX,EBX
::00487EBF::  E8 88030000              CALL 0048824C                           \:JMPDOWN    could this CALL be the one that computes the code? Press F7 to step in
::00487EC4::  84C0                     TEST AL,AL
::00487EC6::  75 26                    JNZ SHORT 00487EEE                      \:JMPDOWN
::00487EC8::  8B83 F0020000            MOV EAX,[EBX+2F0]                       \:BYJMP JmpBy:00487EB8     [EBX+2F0]=214065  ?????
::00487ECE::  50                       PUSH EAX
::00487ECF::  8D55 F4                  LEA EDX,[EBP-C]
::00487ED2::  8B83 D0020000            MOV EAX,[EBX+2D0]
::00487ED8::  E8 3FBFFAFF              CALL 00433E1C                           \:JMPUP      get the registration name length, EAX=5
::00487EDD::  8B55 F4                  MOV EDX,[EBP-C]                         [EBP-C]=wofan
::00487EE0::  8B4D FC                  MOV ECX,[EBP-4]                         [EBP-4]=123456
::00487EE3::  8BC3                     MOV EAX,EBX                             EBX=E954320    ????
::00487EE5::  E8 BA010000              CALL 004880A4                           \:JMPDOWN    this should be the comparison CALL; press F7 to step in
::00487EEA::  84C0                     TEST AL,AL                              AL=0, game over!!!!
::00487EEC::  74 62                    JE SHORT 00487F50                       \:JMPDOWN    jumps to the "invalid code" message box!!
::00487EEE::  8D55 F0                  LEA EDX,[EBP-10]                        \:BYJMP JmpBy:00487EC6,
::00487EF1::  8B83 E4020000            MOV EAX,[EBX+2E4]
::00487EF7::  E8 20BFFAFF              CALL 00433E1C                           \:JMPUP
::00487EFC::  8B45 F0                  MOV EAX,[EBP-10]
::00487EFF::  50                       PUSH EAX
::00487F00::  8D55 EC                  LEA EDX,[EBP-14]
::00487F03::  8B83 D0020000            MOV EAX,[EBX+2D0]
::00487F09::  E8 0EBFFAFF              CALL 00433E1C                           \:JMPUP
::00487F0E::  8B4D EC                  MOV ECX,[EBP-14]
::00487F11::  8B93 EC020000            MOV EDX,[EBX+2EC]
::00487F17::  8BC3                     MOV EAX,EBX
::00487F19::  E8 AE040000              CALL 004883CC                           \:JMPDOWN
::00487F1E::  B8 9C7F4800              MOV EAX,487F9C                          \->: Thank You For Registering!
::00487F23::  E8 602EFDFF              CALL 0045AD88                           \:JMPUP
::00487F28::  C783 34020000 01000000   MOV DWORD PTR [EBX+234],1
::00487F32::  8D55 E8                  LEA EDX,[EBP-18]
::00487F35::  8B83 D0020000            MOV EAX,[EBX+2D0]
::00487F3B::  E8 DCBEFAFF              CALL 00433E1C                           \:JMPUP
::00487F40::  8B55 E8                  MOV EDX,[EBP-18]
::00487F43::  8D83 E8020000            LEA EAX,[EBX+2E8]
::00487F49::  E8 FABDF7FF              CALL 00403D48                           \:JMPUP
::00487F4E::  EB 15                    JMP SHORT 00487F65                      \:JMPDOWN
::00487F50::  6A 00                    PUSH 0                                  \:BYJMP JmpBy:00487EEC,
::00487F52::  66:8B0D B87F4800         MOV CX,[487FB8]
::00487F59::  B2 01                    MOV DL,1
::00487F5B::  B8 C47F4800              MOV EAX,487FC4                          \->: The license key you entered is not valid.  To ensure accuracy, you should copy+paste the serial number directly from your order confirmation e-mail.  If you continue to have trouble, please contact: support@leapware.com.
::00487F60::  E8 2B2DFDFF              CALL 0045AC90                           \:JMPUP


Registration name entered: wofan
Registration code entered: 123456
Found that this code does not match the required format, so:
second attempt, code: ABC1-DC2A-E3GH-4GFE



***************************** Could this CALL be the one that computes the code? Press F7 to step in ********************************
00488275   |.  E8 FABCF7FF                   call LeapFTP.00403F74               get the length of the fake code: 6
0048827A   |.  83F8 13                       cmp eax,13                          so the real code must be &H13 = 19 characters long!!
0048827D   |.  0F85 20010000                 jnz LeapFTP.004883A3                one jump and it's over! To see what follows, NOP this out!
00488283   |.  8B45 FC                       mov eax,dword ptr ss:[ebp-4]
00488286   |.  8078 04 2D                    cmp byte ptr ds:[eax+4],2D          the 5th character's ASCII must be 2D; 2D is the hyphen
0048828A   |.  0F85 13010000                 jnz LeapFTP.004883A3
00488290   |.  8B45 FC                       mov eax,dword ptr ss:[ebp-4]
00488293   |.  8078 09 2D                    cmp byte ptr ds:[eax+9],2D          the 10th character is also a hyphen
00488297   |.  0F85 06010000                 jnz LeapFTP.004883A3
0048829D   |.  8B45 FC                       mov eax,dword ptr ss:[ebp-4]
004882A0   |.  8078 0E 2D                    cmp byte ptr ds:[eax+E],2D          the 15th character is also a hyphen; looks like I have to start over!
004882A4   |.  0F85 F9000000                 jnz LeapFTP.004883A3
004882AA   |.  33F6                          xor esi,esi                         clear ESI; the following lines are initialisation as well
004882AC   |.  33FF                          xor edi,edi
004882AE   |.  33C0                          xor eax,eax
004882B0   |.  8945 F4                       mov dword ptr ss:[ebp-C],eax
004882B3   |.  BB 01000000                   mov ebx,1                           EBX=1
004882B8   |>  8BC3                          /mov eax,ebx                        EAX=EBX=1 (initial value); every later iteration returns here
004882BA   |.  25 03000080                   |and eax,80000003                   for the 4th character, EAX=4, first AND with 80000003
004882BF   |.  79 05                         |jns short LeapFTP.004882C6         no sign flag, go to 004882C6
004882C1   |.  48                            |dec eax
004882C2   |.  83C8 FC                       |or eax,FFFFFFFC
004882C5   |.  40                            |inc eax
004882C6   |>  85C0                          |test eax,eax                       no sign flag jumps here
004882C8   |.  75 16                         |jnz short LeapFTP.004882E0         AND result nonzero: go and be checked, is the ASCII between 40 and 5B
004882CA   |.  8B45 FC                       |mov eax,dword ptr ss:[ebp-4]
004882CD   |.  8A4418 FF                     |mov al,byte ptr ds:[eax+ebx-1]
004882D1   |.  E8 4EFFFFFF                   |call LeapFTP.00488224              when it is zero, e.g. the 4th character, come here for the special check
004882D6   |.  84C0                          |test al,al
004882D8   |.  0F84 C5000000                 |je LeapFTP.004883A3
004882DE   |.  EB 22                         |jmp short LeapFTP.00488302
004882E0   |>  8BC3                          |mov eax,ebx
004882E2   |.  B9 05000000                   |mov ecx,5                          arrive here
004882E7   |.  99                            |cdq                                dword to qword, sign-extended into EDX; EDX will hold the IDIV remainder
004882E8   |.  F7F9                          |idiv ecx                           EAX idiv ECX
004882EA   |.  85D2                          |test edx,edx                       test the remainder (sets the flags); jump if it is zero!
004882EC   |.  74 14                         |je short LeapFTP.00488302          1 idiv 5, remainder is 1
004882EE   |.  8B45 FC                       |mov eax,dword ptr ss:[ebp-4]       fake code [ebp-4]=1234-4321-5678-8765
004882F1   |.  8A4418 FF                     |mov al,byte ptr ds:[eax+ebx-1]     first time: [eax+ebx-1] points at the fake code's first character '1', ASCII 31
004882F5   |.  E8 3EFFFFFF                   |call LeapFTP.00488238              in this CALL it is compared with 40 and 5B; jb 40 leads to EAX xor EAX, returning zero. 40 is '@', 41 is uppercase A, 5A is uppercase Z, 5B is '['
004882FA   |.  84C0                          |test al,al
004882FC   |.  0F84 A1000000                 |je LeapFTP.004883A3                LeapFTP.004883A3 is the dead end; so the code must not be digits but letters between 40 and 5B!
00488302   |>  8B45 FC                       |mov eax,dword ptr ss:[ebp-4]
00488305   |.  8A4418 FF                     |mov al,byte ptr ds:[eax+ebx-1]
00488309   |.  3C 2D                         |cmp al,2D                          is it a hyphen?
0048830B   |.  74 2D                         |je short LeapFTP.0048833A          to the loop tail; a hyphen's ASCII must of course not be accumulated, so jump to the loop tail
0048830D   |.  83FB 05                       |cmp ebx,5                          is it the 5th character? If so, the second part of the code is to be processed
00488310   |.  7D 0C                         |jge short LeapFTP.0048831E         at the 5th or later, go to 0048831E to process the second part
00488312   |.  8B55 FC                       |mov edx,dword ptr ss:[ebp-4]
00488315   |.  25 FF000000                   |and eax,0FF                        mask off the high bytes, keep only the low byte; here it is 31
0048831A   |.  03F0                          |add esi,eax                        start accumulating
0048831C   |.  EB 1C                         |jmp short LeapFTP.0048833A         done with this character, to the loop tail
0048831E   |>  83FB 0A                       |cmp ebx,0A                         is it the 10th character?
00488321   |.  7D 0C                         |jge short LeapFTP.0048832F         at the 10th or later, go to 0048832F to process the third part
00488323   |.  8B55 FC                       |mov edx,dword ptr ss:[ebp-4]
00488326   |.  25 FF000000                   |and eax,0FF
0048832B   |.  03F8                          |add edi,eax
0048832D   |.  EB 0B                         |jmp short LeapFTP.0048833A
0048832F   |>  8B55 FC                       |mov edx,dword ptr ss:[ebp-4]
00488332   |.  25 FF000000                   |and eax,0FF
00488337   |.  0145 F4                       |add dword ptr ss:[ebp-C],eax
0048833A   |>  43                            |inc ebx                            EBX += 1, pointing at the next code character, '2'
0048833B   |.  83FB 0F                       |cmp ebx,0F                         compare EBX with 0F
0048833E   |.^ 0F85 74FFFFFF                 \jnz LeapFTP.004882B8               1 cmp F, not 15 yet! Keep looping.
00488344   |.  8D0C37                        lea ecx,dword ptr ds:[edi+esi]      reached the 15th? Yes, so EDI+ESI is stored in ECX
00488347   |.  034D F4                       add ecx,dword ptr ss:[ebp-C]        add the third part's sum as well, kept in ECX
0048834A   |.  8BC6                          mov eax,esi                         the first part's sum goes to EAX
0048834C   |.  BB 1A000000                   mov ebx,1A                          EBX=1A
00488351   |.  99                            cdq
00488352   |.  F7FB                          idiv ebx                            take the remainder
00488354   |.  83C2 41                       add edx,41                          remainder plus 41 turns into a letter
00488357   |.  8B45 FC                       mov eax,dword ptr ss:[ebp-4]
0048835A   |.  3A50 0F                       cmp dl,byte ptr ds:[eax+F]          compare with the first character of the fake code's fourth part
0048835D   |.  75 44                         jnz short LeapFTP.004883A3          equal is OK, continue to the next step; otherwise game over!  Patch point 1, NOP it
0048835F   |.  8BC7                          mov eax,edi                         the second part's sum goes to EAX
00488361   |.  BB 1A000000                   mov ebx,1A
00488366   |.  99                            cdq
00488367   |.  F7FB                          idiv ebx
00488369   |.  83C2 41                       add edx,41                          the same operation
0048836C   |.  8B45 FC                       mov eax,dword ptr ss:[ebp-4]
0048836F   |.  3A50 10                       cmp dl,byte ptr ds:[eax+10]         compare with the second character of the fourth part
00488372   |.  75 2F                         jnz short LeapFTP.004883A3          patch point 2, NOP it
00488374   |.  8B45 F4                       mov eax,dword ptr ss:[ebp-C]
00488377   |.  BB 1A000000                   mov ebx,1A
0048837C   |.  99                            cdq
0048837D   |.  F7FB                          idiv ebx
0048837F   |.  83C2 41                       add edx,41
00488382   |.  8B45 FC                       mov eax,dword ptr ss:[ebp-4]
00488385   |.  3A50 11                       cmp dl,byte ptr ds:[eax+11]
00488388   |.  75 19                         jnz short LeapFTP.004883A3          patch point 3, NOP it
0048838A   |.  8BC1                          mov eax,ecx
0048838C   |.  B9 1A000000                   mov ecx,1A
00488391   |.  99                            cdq
00488392   |.  F7F9                          idiv ecx
00488394   |.  83C2 41                       add edx,41
00488397   |.  8B45 FC                       mov eax,dword ptr ss:[ebp-4]
0048839A   |.  3A50 12                       cmp dl,byte ptr ds:[eax+12]
0048839D   |.  75 04                         jnz short LeapFTP.004883A3          patch point 4, NOP it, then enter a well-formed fake code and it goes through. But why patch at all?
0048839F   |.  C645 FB 01                    mov byte ptr ss:[ebp-5],1           passed every check; now the flag is set!!
004883A3   |>  33C0                          xor eax,eax                         the tail of the loop
004883A5   |.  5A                            pop edx
004883A6   |.  59                            pop ecx
004883A7   |.  59                            pop ecx
004883A8   |.  64:8910                       mov dword ptr fs:[eax],edx
004883AB   |.  68 C0834800                   push LeapFTP.004883C0
004883B0   |>  8D45 FC                       lea eax,dword ptr ss:[ebp-4]
004883B3   |.  E8 3CB9F7FF                   call LeapFTP.00403CF4               this CALL moves the flag byte ptr ss:[ebp-5] into AL
004883B8   \.  C3                            retn                                return and test the flag value!!


******** this CALL moves the flag byte ptr ss:[ebp-5] into AL *************************
004883C0    .  8A45 FB                       mov al,byte ptr ss:[ebp-5]
004883C3    .  5F                            pop edi
004883C4    .  5E                            pop esi
004883C5    .  5B                            pop ebx
004883C6    .  8BE5                          mov esp,ebp
004883C8    .  5D                            pop ebp
004883C9    .  C3                            retn
*********************************************************************************


**** When the result is zero, i.e. characters 4, 8, 12, 16, come here for the special check: the position is ANDed with 80000003 and, when the result is zero, this special check is applied ****
00488224   /$  8BD0                          mov edx,eax
00488226   |.  80FA 2F                       cmp dl,2F
00488229   |.  76 08                         jbe short LeapFTP.00488233          the ASCII of code characters 4,8,10,14,18 must not be be 2F, nor nb 3A
0048822B   |.  80FA 3A                       cmp dl,3A
0048822E   |.  73 03                         jnb short LeapFTP.00488233
00488230   |.  B0 01                         mov al,1
00488232   |.  C3                            retn
00488233   |>  33C0                          xor eax,eax                         arriving here means the code is invalid; AL gets 0
00488235   \.  C3                            retn

For example 'D', ASCII 44, is greater than 2F, which is fine, but it is also greater than 3A, which is not; it has to be less than 3A!!
The characters at these particular positions must lie between 2F and 3A, which means they are the digits 0-9!!


*******************************************************************************************
*************** Check the code's validity: the code's ASCII must be a letter between 40 and 5B ***********************
00488236       8BC0                          mov eax,eax
00488238   /$  8BD0                          mov edx,eax
0048823A   |.  80FA 40                       cmp dl,40
0048823D   |.  76 08                         jbe short LeapFTP.00488247
0048823F   |.  80FA 5B                       cmp dl,5B
00488242   |.  73 03                         jnb short LeapFTP.00488247
00488244   |.  B0 01                         mov al,1
00488246   |.  C3                            retn
00488247   |>  33C0                          xor eax,eax                         arriving here means the code is invalid; AL gets 0
00488249   \.  C3                            retn

It fails on be 40 (below or equal to 40),
but it must also not be:
nb 5B (not below 5B),
i.e. it must be a letter!

********************************************************************************************

To summarise this loop:
Fake registration code:
ABC1-DC2A-E3GH-4GFE


Registration does not depend on the registration name!
The code must be 19 characters
Characters 5, 10 and 15 must be the hyphen "-"
Characters 4, 8, 12 and 16 (in theory; in practice the 16th lies in the fourth part!) must be digits 0-9!!!
All the rest must be letters!!!


I divide it into four parts
Part one: ASCII values summed, result kept in ESI
asc("A")+asc("B")+asc("C")+asc("1")=&HF7   kept in ESI
Part two: ASCII values summed, result kept in EDI
The ASCII values of DC2A are 44,43,32,41
44+43+32+41=&HFA                 kept in EDI
Part three: the ASCII values of the code summed, result kept in dword ptr ss:[ebp-C]
The ASCII values of E3GH are:
45 33 47 48
asc("E")+asc("3")+asc("G")+asc("H")=&H107
The sum &H107 is kept in dword ptr ss:[ebp-C]


Then the sums of the first three parts are added together, result in ECX

ESI+EDI+dword ptr ss:[ebp-C]=&H2F8

Next the fourth part of the code is produced:


First character of part four: the part-one sum F7  idiv  1A (a fixed constant):
F7 idiv 1A-------EDX=D            D+41=4E("N")  this is the first character of part four!!!!
Second:
FA idiv 1A------EDX=10           10+41=51("Q")  this is the second character of part four!!!
Third:
107 idiv 1A------EDX=3            3+41=44("D")  this is the third!!!!
Fourth:
2F8 idiv 1A------EDX=6            6+41=47("G")  this is the ASCII of the fourth character of part four!!

Of course the fourth part of my fake code, 4GFE, cannot pass the check!


Using the earlier fake code with a few corrections gives a genuine code:
Name: wofan
Code: ABC1-DC2A-E3GH-NQDG

Right, let's make a key generator too, although for a code like this, which is independent of the name, a keygen is pointless. Writing keygens has become a habit lately, though.


Keygen source omitted


Another valid code generated with the keygen:

RHM1-TA4C-Y9KZ-UIZB

  • Title: Reply
  • Author: 好好学习2
  • Time: 2005-04-21 00:03

This program has two forms of registration code!
There is another kind of code that is tied to the registration name:
Registration name entered: henhao
  h 68*1*10-68*1+(1+1*4)=61D
  e 65*2*10-65*2+(2+2*4)=BE0
  n 6E*3*10-6E*3+(3+3*4)=1365
  h 68*4*10-68*4+(4+4*4)=1874
  a 61*5*10-65*5+(5+5*4)=1C84
  o 6F*6*10-6F*6+(6+6*4)=2724
                        +
--------------------------------
                        =817E  in decimal = 33150

33150*33150+214065=1099136565

The fixed 214065- goes in front of 1099136565, giving:
214065-1099136565

Now you can make a keygen for this one too~~~~~~~~~
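As an added example (not LeapFTP's code, and not the keygen the original poster omitted), here is a Python model of the two checks described on this page: the name-independent format check traced in the listing above, and the name-bound formula from the reply. The 19-character layout, the ranges 2F..3A and 40..5B, the modulus 1A, the offset 41 and the constant 214065 are all taken from the page; the function names and the sample keys used below are my own. Every `jnz LeapFTP.004883A3` in the listing becomes a `return False`.

```python
"""Model of the two LeapFTP 2.7.4 serial checks described in this write-up.

Constants and offsets come from the listings on the page; the function
names are ours, not the program's.
"""

KEY_LEN = 0x13             # cmp eax,13: the code must be 19 characters
DASH_INDEXES = (4, 9, 14)  # cmp byte ptr [eax+4/9/E],2D: separator positions
MODULUS = 0x1A             # idiv 1A: each group sum is reduced mod 26 ...
LETTER_BASE = 0x41         # add edx,41: ... then mapped onto 'A'..'Z'
NAME_PREFIX = 214065       # [EBX+2F0] in the first listing, reused in the reply


def _is_letter(c: int) -> bool:
    """sub_00488238: 0x40 < byte < 0x5B, i.e. uppercase 'A'..'Z'."""
    return 0x40 < c < 0x5B


def _is_digit(c: int) -> bool:
    """sub_00488224: 0x2F < byte < 0x3A, i.e. '0'..'9'."""
    return 0x2F < c < 0x3A


def check_format_key(key: str) -> bool:
    """Name-independent check, following the loop at 004882B8 step by step."""
    if not key.isascii():
        return False
    data = key.encode("ascii")
    if len(data) != KEY_LEN:
        return False
    if any(data[i] != 0x2D for i in DASH_INDEXES):
        return False

    sums = [0, 0, 0]             # esi, edi and [ebp-C]: the three group sums
    for ebx in range(1, 0x0F):   # loop counter runs 1..14, exits at 0F
        c = data[ebx - 1]
        if ebx % 4 == 0:         # and eax,80000003 gave zero: digit check
            if not _is_digit(c):
                return False
        elif ebx % 5 != 0:       # idiv 5 left a remainder: letter check
            if not _is_letter(c):
                return False
        if c == 0x2D:            # separators are never accumulated
            continue
        if ebx < 5:
            sums[0] += c
        elif ebx < 0x0A:
            sums[1] += c
        else:
            sums[2] += c

    # Group four is fully determined by the other three groups:
    # (sum mod 1A) + 41 for each group, then for the total.
    expected = [LETTER_BASE + s % MODULUS for s in sums + [sum(sums)]]
    return list(data[0x0F:0x13]) == expected


def check_name_key(name: str, key: str) -> bool:
    """Name-bound check from the reply: weighted byte sum, squared, plus a constant."""
    total = 0
    for i, ch in enumerate(name, start=1):
        c = ord(ch)
        # the per-character term exactly as written in the reply
        total += c * i * 0x10 - c * i + (i + i * 4)
    return key == f"{NAME_PREFIX}-{total * total + NAME_PREFIX}"


if __name__ == "__main__":
    # Keys from the page: the corrected code and the keygen output pass,
    # the original fake code and a lowercase variant (my own) do not.
    for k in ("ABC1-DC2A-E3GH-NQDG", "RHM1-TA4C-Y9KZ-UIZB",
              "ABC1-DC2A-E3GH-4GFE", "abc1-dc2a-e3gh-nqdg"):
        print(k, check_format_key(k))
    print("henhao", check_name_key("henhao", "214065-1099136565"))
```

Two things the model makes concrete. `check_format_key` never reads the name, so the first format binds the license to nothing: the 15 free characters are any uppercase letters with a digit in three fixed slots, and the last group is a checksum of them. `check_name_key` does read the name, but its only "secret" is the arithmetic itself, which ships in the binary; that is why the verifier and a generator are the same function. A checksum can detect typing errors, not prove that the vendor issued the key; that property needs a signature (vendor private key, verifier public key), which is how later licensing schemes replaced this pattern.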