【破文作者】 rdsnow[BCG][PYG]
【 E-mail 】 RDSNOW@163.COM
【 作者QQ 】 83757177
【文章题目】 驱动程序备份专家 V2.7 的注册
【软件名称】 驱动程序备份专家 V2.7
【下载地址】 http://www2.skycn.com/soft/8101.html
-------------------------------------------------------------------------------------------
【加密方式】 序列号
【破解工具】 FLYOD V1.10
【软件限制】 功能限制
【破解平台】 Microsoft Windows XP SP2
-------------------------------------------------------------------------------------------
【文章简介】
程序无壳,Borland Delphi 6.0 - 7.0编写,程序采用非明码比较,有少量的浮点运算,有检查程序是否被调试的代码,有SEH的知识。正好让偶等菜鸟学习一下。
-------------------------------------------------------------------------------------------
【破解过程】
输入假注册码一"9B7654321abcd",注意不是"987654321abcd",因为根据以下代码会将其中某些位置的字符转化为日期,有些数字会导致转为不成功,导致产生SEH异常,异常后直接跳到不成功的地方。偶看过代码,事先对假注册码做了一点调整。(详见0049DA69处)
OD载入后,来到这儿:
0049D87B . 33C0 XOR EAX,EAX
0049D87D . 55 PUSH EBP
0049D87E . 68 68DB4900 PUSH DriverSt.0049DB68
0049D883 . 64:FF30 PUSH DWORD PTR FS:[EAX]
0049D886 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049D889 > E8 5292F6FF CALL <JMP.&kernel32.GetTickCount> ; [GetTickCount
0049D88E . 8BF0 MOV ESI,EAX
0049D890 . 68 D0070000 PUSH 7D0 ; /Timeout = 2000. ms
0049D895 . E8 BA06F7FF CALL <JMP.&kernel32.Sleep> ; \Sleep
0049D89A . 8B43 54 MOV EAX,DWORD PTR DS:[EBX+54]
0049D89D . 8078 04 00 CMP BYTE PTR DS:[EAX+4],0
0049D8A1 . 74 0A JE SHORT DriverSt.0049D8AD
0049D8A3 . 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0049D8A6 . 8BC3 MOV EAX,EBX
0049D8A8 . E8 27F9FFFF CALL DriverSt.0049D1D4
0049D8AD > E8 2E92F6FF CALL <JMP.&kernel32.GetTickCount> ; [GetTickCount
0049D8B2 . 81C6 CF070000 ADD ESI,7CF
0049D8B8 . 3BC6 CMP EAX,ESI
0049D8BA .^ 72 CD JB SHORT DriverSt.0049D889
连续出现两个GetTickCount,应该是检查程序有没有被调试
0049D8BC . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D8BF . E8 E06FF6FF CALL DriverSt.004048A4 ; 取得机器码的长度
0049D8C4 . 3B43 58 CMP EAX,DWORD PTR DS:[EBX+58] ; 机器码长度不大于50
0049D8C7 . 7F 19 JG SHORT DriverSt.0049D8E2
0049D8C9 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049D8CC . E8 D36FF6FF CALL DriverSt.004048A4 ; 取得机器码的长度
0049D8D1 . 3B43 5C CMP EAX,DWORD PTR DS:[EBX+5C]
0049D8D4 . 7C 0C JL SHORT DriverSt.0049D8E2 ; 机器码的长度不小于5
0049D8D6 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0049D8D9 . E8 C66FF6FF CALL DriverSt.004048A4 ; 取注册码的长度
0049D8DE . 85C0 TEST EAX,EAX
0049D8E0 . 75 09 JNZ SHORT DriverSt.0049D8EB ; 注册码不为空
0049D8E2 > C645 F7 00 MOV BYTE PTR SS:[EBP-9],0
0049D8E6 . E9 33020000 JMP DriverSt.0049DB1E
0049D8EB > 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0049D8EE . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0049D8F1 . E8 D6ADF6FF CALL DriverSt.004086CC ; 注册码小写转大写
0049D8F6 . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
0049D8F9 . 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]
0049D8FC . E8 7B6DF6FF CALL DriverSt.0040467C
0049D901 . C645 F7 00 MOV BYTE PTR SS:[EBP-9],0
0049D905 . B1 01 MOV CL,1
0049D907 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0049D90A . 8BC3 MOV EAX,EBX
0049D90C . E8 83FAFFFF CALL DriverSt.0049D394 ; 取得注册码的第二个字符,得到"B"
0049D911 . 84C0 TEST AL,AL
0049D913 . 0F85 05020000 JNZ DriverSt.0049DB1E
0049D919 . 33C9 XOR ECX,ECX
0049D91B . 55 PUSH EBP
0049D91C . 68 A4DA4900 PUSH DriverSt.0049DAA4 ; 压入SEH句柄
0049D921 . 64:FF31 PUSH DWORD PTR FS:[ECX]
0049D924 . 64:8921 MOV DWORD PTR FS:[ECX],ESP
0049D927 . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0049D92A . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0049D92D . 8A52 01 MOV DL,BYTE PTR DS:[EDX+1]
0049D930 . E8 976EF6FF CALL DriverSt.004047CC
0049D935 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0049D938 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0049D93B . 8A52 09 MOV DL,BYTE PTR DS:[EDX+9] ; 注册码的第十个字符
0049D93E . 8850 01 MOV BYTE PTR DS:[EAX+1],DL
0049D941 . C600 01 MOV BYTE PTR DS:[EAX],1
0049D944 . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0049D947 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0049D94A . E8 BD57F6FF CALL DriverSt.0040310C
0049D94F . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
0049D952 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0049D955 . 8A52 07 MOV DL,BYTE PTR DS:[EDX+7] ; 注册码的第八个字符
0049D958 . 8850 01 MOV BYTE PTR DS:[EAX+1],DL
0049D95B . C600 01 MOV BYTE PTR DS:[EAX],1
0049D95E . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
0049D961 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0049D964 . B1 02 MOV CL,2
0049D966 . E8 7157F6FF CALL DriverSt.004030DC ; 连接上面的两个字符
0049D96B . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0049D96E . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0049D971 . E8 D26EF6FF CALL DriverSt.00404848 ; 得到字符串"A2"
0049D976 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0049D979 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0049D97C . 8A52 03 MOV DL,BYTE PTR DS:[EDX+3] ; 注册码的第四个字符
0049D97F . 8850 01 MOV BYTE PTR DS:[EAX+1],DL
0049D982 . C600 01 MOV BYTE PTR DS:[EAX],1
0049D985 . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0049D988 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0049D98B . E8 7C57F6FF CALL DriverSt.0040310C
0049D990 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
0049D993 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0049D996 . 8A52 05 MOV DL,BYTE PTR DS:[EDX+5] ; 注册码的第六个字符
0049D999 . 8850 01 MOV BYTE PTR DS:[EAX+1],DL
0049D99C . C600 01 MOV BYTE PTR DS:[EAX],1
0049D99F . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
0049D9A2 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0049D9A5 . B1 02 MOV CL,2
0049D9A7 . E8 3057F6FF CALL DriverSt.004030DC
0049D9AC . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0049D9AF . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
0049D9B2 . E8 5557F6FF CALL DriverSt.0040310C
0049D9B7 . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
0049D9BA . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0049D9BD . 8A52 0B MOV DL,BYTE PTR DS:[EDX+B] ; 注册码的第十二个字符
0049D9C0 . 8850 01 MOV BYTE PTR DS:[EAX+1],DL
0049D9C3 . C600 01 MOV BYTE PTR DS:[EAX],1
0049D9C6 . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
0049D9C9 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
0049D9CC . B1 03 MOV CL,3
0049D9CE . E8 0957F6FF CALL DriverSt.004030DC ; 连接上面的三个字符
0049D9D3 . 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
0049D9D6 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0049D9D9 . E8 6A6EF6FF CALL DriverSt.00404848 ; 得到字符串"64C"
0049D9DE . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
0049D9E1 . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0049D9E4 . BA 84DB4900 MOV EDX,DriverSt.0049DB84
0049D9E9 . E8 026FF6FF CALL DriverSt.004048F0
0049D9EE . 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
0049D9F1 . BA FFFF0000 MOV EDX,0FFFF
0049D9F6 . E8 69B3F6FF CALL DriverSt.00408D64 ; "B"转为整数得到0xB
0049D9FB . 8BF0 MOV ESI,EAX
0049D9FD . 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
0049DA00 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
0049DA03 . BA 84DB4900 MOV EDX,DriverSt.0049DB84
0049DA08 . E8 E36EF6FF CALL DriverSt.004048F0
0049DA0D . 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
0049DA10 . BA FFFF0000 MOV EDX,0FFFF
0049DA15 . E8 4AB3F6FF CALL DriverSt.00408D64 ; "A2"转为整数得到0xA2
0049DA1A . 8BF8 MOV EDI,EAX
0049DA1C . 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
0049DA1F . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
0049DA22 . BA 84DB4900 MOV EDX,DriverSt.0049DB84
0049DA27 . E8 C46EF6FF CALL DriverSt.004048F0
0049DA2C . 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
0049DA2F . BA FFFF0000 MOV EDX,0FFFF
0049DA34 . E8 2BB3F6FF CALL DriverSt.00408D64 ; "64C"转为整数得到0x64C
0049DA39 . 8BD7 MOV EDX,EDI
0049DA3B . 0BD6 OR EDX,ESI
0049DA3D . 0BD0 OR EDX,EAX
0049DA3F . 81FA FFFF0000 CMP EDX,0FFFF
0049DA45 . 75 0F JNZ SHORT DriverSt.0049DA56
0049DA47 . 64:8F05 000000>POP DWORD PTR FS:[0]
0049DA4E . 83C4 08 ADD ESP,8
0049DA51 . E9 C8000000 JMP DriverSt.0049DB1E
0049DA56 > 8BD6 MOV EDX,ESI
0049DA58 . 66:83F2 07 XOR DX,7 ; 0xB ^ 0x7 = 0xC ,作月份,得到12月
0049DA5C . 8BF7 MOV ESI,EDI
0049DA5E . 66:81F6 B700 XOR SI,0B7 ; 0xA2 ^ 0xB7 = 0x15 ,作日期,得到15日
0049DA63 . 66:35 B705 XOR AX,5B7 ; 0x64C ^ 0x5B7 = 0x3FB,作年份,得到1018年,
连接上面的日期也就是得到了1018年12月15日
0049DA67 . 8BCE MOV ECX,ESI
0049DA69 . E8 A6CDF6FF CALL DriverSt.0040A814 ; 计算到某一天的天数,得到 -321423
上面已经压入了SEH句柄,如果将选定字符转换位年月日不成功,在上面的Call里面会被程序检查,然后产生SEH,直接跳到后面0049DAA4处执行,如:本来我的第一个试探注册码是"987654321abcd",取第二个字符"8",0x8^0x7=0xF,但一年只有12个月,所以转化不成功,跳到不成功的地方去了。
0049DA6E . DD5D E0 FSTP QWORD PTR SS:[EBP-20]
0049DA71 . 9B WAIT
0049DA72 . E8 65CFF6FF CALL DriverSt.0040A9DC ; 得到38503,进入看看
{0040A9DC /$ 83C4 E8 ADD ESP,-18
0040A9DF |. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
0040A9E3 |. 50 PUSH EAX ; /pLocaltime
0040A9E4 |. E8 8FC0FFFF CALL <JMP.&kernel32.GetLocalTime> ; \GetLocalTime
0040A9E9 |. 66:8B4C24 0E MOV CX,WORD PTR SS:[ESP+E] ; 当前日期
0040A9EE |. 66:8B5424 0A MOV DX,WORD PTR SS:[ESP+A] ; 当前月份
0040A9F3 |. 66:8B4424 08 MOV AX,WORD PTR SS:[ESP+8] ; 当前年份
0040A9F8 |. E8 17FEFFFF CALL DriverSt.0040A814 ; 计算到某一天的天数,得到 38503
0040A9FD |. DD1C24 FSTP QWORD PTR SS:[ESP]
0040AA00 |. 9B WAIT
0040AA01 |. DD0424 FLD QWORD PTR SS:[ESP]
0040AA04 |. 83C4 18 ADD ESP,18
0040AA07 \. C3 RETN
}
0049DA77 . DC5D E0 FCOMP QWORD PTR SS:[EBP-20] ; 以上两个天数进行比较
0049DA7A . DFE0 FSTSW AX
0049DA7C . 9E SAHF
0049DA7D . 76 1B JBE SHORT DriverSt.0049DA9A ; 大于等于就跳走,继续验证
以上连续两次计算到某一天的天数,我也跟进去看过,具体到哪一天,没有看出来,还涉及到闰年,好在不影响继续调试,只要转化得到的日期,大于等于当前日期就可以继续校验。不过试探注册码要改了。用2099年吧,2099^0x5B7=0xD84,所以注册码第4、6、12的字符分别改为"D"、"8"、"4",试探注册码也改为"9B7D58321AB4D",(假注册码二),修改后果然跳走继续验证了。^_^
0049DA7F . DD45 E0 FLD QWORD PTR SS:[EBP-20]
0049DA82 . D81D 88DB4900 FCOMP DWORD PTR DS:[49DB88]
0049DA88 . DFE0 FSTSW AX
0049DA8A . 9E SAHF
0049DA8B . 74 0D JE SHORT DriverSt.0049DA9A
0049DA8D . 33C0 XOR EAX,EAX
0049DA8F . 5A POP EDX
0049DA90 . 59 POP ECX
0049DA91 . 59 POP ECX
0049DA92 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049DA95 . E9 84000000 JMP DriverSt.0049DB1E ; 跳向不成功
0049DA9A > 33C0 XOR EAX,EAX
0049DA9C . 5A POP EDX
0049DA9D . 59 POP ECX
0049DA9E . 59 POP ECX
0049DA9F . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049DAA2 . EB 11 JMP SHORT DriverSt.0049DAB5
0049DAA4 .^ E9 6362F6FF JMP DriverSt.00403D0C ; 如果转换为日期时出错,会产生异常,异常后,到这里继续执行,从这里走向不成功
0049DAA9 . E8 C665F6FF CALL DriverSt.00404074
0049DAAE . EB 6E JMP SHORT DriverSt.0049DB1E
0049DAB0 . E8 BF65F6FF CALL DriverSt.00404074
0049DAB5 > 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
0049DAB8 . 50 PUSH EAX
0049DAB9 . 8B4D 0C MOV ECX,DWORD PTR SS:[EBP+C] ; 取修改后的假注册码"9B7D58321AB4D"
0049DABC . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ; 取机器码
0049DABF . 8BC3 MOV EAX,EBX
0049DAC1 . E8 76F0FFFF CALL DriverSt.0049CB3C ; 继续校验,校验不成功会得到"542264156124568746123",成功得到"645364631365423154824"
0049DAC6 . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
0049DAC9 . BA 94DB4900 MOV EDX,DriverSt.0049DB94 ; ASCII "645364631365423154824"
0049DACE . E8 99ACF6FF CALL DriverSt.0040876C ; 以上CALL的返回值是不是"645364631365423154824"
0049DAD3 . 85C0 TEST EAX,EAX
0049DAD5 . 75 06 JNZ SHORT DriverSt.0049DADD ; 不相等,就跳向不成功
0049DAD7 . C645 F7 01 MOV BYTE PTR SS:[EBP-9],1
0049DADB . EB 04 JMP SHORT DriverSt.0049DAE1
0049DADD > C645 F7 00 MOV BYTE PTR SS:[EBP-9],0
0049DAE1 > 807D F7 01 CMP BYTE PTR SS:[EBP-9],1
0049DAE5 . 75 37 JNZ SHORT DriverSt.0049DB1E
0049DAE7 . 8D43 50 LEA EAX,DWORD PTR DS:[EBX+50]
0049DAEA . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0049DAED . E8 466BF6FF CALL DriverSt.00404638
0049DAF2 . 8D43 60 LEA EAX,DWORD PTR DS:[EBX+60]
0049DAF5 . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0049DAF8 . E8 3B6BF6FF CALL DriverSt.00404638
0049DAFD . 8D43 68 LEA EAX,DWORD PTR DS:[EBX+68]
0049DB00 . 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]
0049DB03 . E8 306BF6FF CALL DriverSt.00404638
0049DB08 . 8D43 44 LEA EAX,DWORD PTR DS:[EBX+44]
0049DB0B . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0049DB0E . E8 256BF6FF CALL DriverSt.00404638
0049DB13 . 8BC3 MOV EAX,EBX
0049DB15 . E8 C2020000 CALL DriverSt.0049DDDC
0049DB1A . C645 F7 01 MOV BYTE PTR SS:[EBP-9],1 ; 注册标记置1
0049DB1E > 33C0 XOR EAX,EAX
0049DB20 . 5A POP EDX
0049DB21 . 59 POP ECX
0049DB22 . 59 POP ECX
0049DB23 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
-------------------------------------------------------------------------------------------
049DAC1 CALL DriverSt.0049CB3C 校验不成功会得到"542264156124568746123",成功会得到"645364631365423154824"
进入这个CALL看看(此时的假注册码已经改为"9B7D58321AB4D"):
0049CB3C $ 55 PUSH EBP
0049CB3D . 8BEC MOV EBP,ESP
0049CB3F . 83C4 C4 ADD ESP,-3C
0049CB42 . 53 PUSH EBX
0049CB43 . 56 PUSH ESI
0049CB44 . 57 PUSH EDI
0049CB45 . 33DB XOR EBX,EBX
0049CB47 . 895D C4 MOV DWORD PTR SS:[EBP-3C],EBX
0049CB4A . 895D C8 MOV DWORD PTR SS:[EBP-38],EBX
0049CB4D . 895D CC MOV DWORD PTR SS:[EBP-34],EBX
0049CB50 . 895D D0 MOV DWORD PTR SS:[EBP-30],EBX
0049CB53 . 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
0049CB56 . 895D EC MOV DWORD PTR SS:[EBP-14],EBX
0049CB59 . 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
0049CB5C . 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
0049CB5F . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0049CB62 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049CB65 . E8 2A7FF6FF CALL DriverSt.00404A94
0049CB6A . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0049CB6D . E8 227FF6FF CALL DriverSt.00404A94
0049CB72 . 33C0 XOR EAX,EAX
0049CB74 . 55 PUSH EBP
0049CB75 . 68 E0CE4900 PUSH DriverSt.0049CEE0
0049CB7A . 64:FF30 PUSH DWORD PTR FS:[EAX]
0049CB7D . 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049CB80 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0049CB83 . BA F8CE4900 MOV EDX,DriverSt.0049CEF8 ; ASCII "542264156124568746123",这是校验不成功得到的返回值
0049CB88 . E8 AB7AF6FF CALL DriverSt.00404638
0049CB8D . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049CB90 . E8 0F7DF6FF CALL DriverSt.004048A4 ; 取机器码的长度
0049CB95 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0049CB98 . 3B42 58 CMP EAX,DWORD PTR DS:[EDX+58]
0049CB9B . 0F8F 17030000 JG DriverSt.0049CEB8 ; 机器码长度不大于50
0049CBA1 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049CBA4 . E8 FB7CF6FF CALL DriverSt.004048A4
0049CBA9 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0049CBAC . 3B42 5C CMP EAX,DWORD PTR DS:[EDX+5C]
0049CBAF . 0F8C 03030000 JL DriverSt.0049CEB8 ; 机器码的长度不小于5
0049CBB5 . 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0049CBB8 . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0049CBBB . 8A12 MOV DL,BYTE PTR DS:[EDX] ; 注册码的第一位
0049CBBD . 8850 01 MOV BYTE PTR DS:[EAX+1],DL
0049CBC0 . C600 01 MOV BYTE PTR DS:[EAX],1
0049CBC3 . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0049CBC6 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0049CBC9 . E8 3E65F6FF CALL DriverSt.0040310C
0049CBCE . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0049CBD1 . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0049CBD4 . 8A52 02 MOV DL,BYTE PTR DS:[EDX+2] ; 注册码的第三位
0049CBD7 . 8850 01 MOV BYTE PTR DS:[EAX+1],DL
0049CBDA . C600 01 MOV BYTE PTR DS:[EAX],1
0049CBDD . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0049CBE0 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0049CBE3 . B1 02 MOV CL,2
0049CBE5 . E8 F264F6FF CALL DriverSt.004030DC
0049CBEA . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0049CBED . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0049CBF0 . E8 537CF6FF CALL DriverSt.00404848 ; 连接成字符串"97"
0049CBF5 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0049CBF8 . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0049CBFB . 8A52 04 MOV DL,BYTE PTR DS:[EDX+4] ; 注册码的第5位
0049CBFE . E8 C97BF6FF CALL DriverSt.004047CC
0049CC03 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049CC06 . E8 997CF6FF CALL DriverSt.004048A4 ; 取机器码的长度,我的机器码长度是23
0049CC0B . 8BF0 MOV ESI,EAX
0049CC0D . 8975 D4 MOV DWORD PTR SS:[EBP-2C],ESI
0049CC10 . DB45 D4 FILD DWORD PTR SS:[EBP-2C]
0049CC13 . D835 10CF4900 FDIV DWORD PTR DS:[49CF10] ; 机器码的长度除以2
0049CC19 . E8 D263F6FF CALL DriverSt.00402FF0 ; 结果取整数,得到11
0049CC1E . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0049CC21 . 0FB64402 FF MOVZX EAX,BYTE PTR DS:[EDX+EAX-1] ; 机器码的第11位
0049CC26 . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0049CC29 . 0FB612 MOVZX EDX,BYTE PTR DS:[EDX] ; 机器码的第1位
0049CC2C . 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
0049CC2F . 0FB649 01 MOVZX ECX,BYTE PTR DS:[ECX+1] ; 机器码的第2位
0049CC33 . 03D1 ADD EDX,ECX
0049CC35 . 03C2 ADD EAX,EDX
0049CC37 . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0049CC3A . 0FB65432 FF MOVZX EDX,BYTE PTR DS:[EDX+ESI-1] ; 机器码的最后一位
0049CC3F . 03C2 ADD EAX,EDX
0049CC41 . 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0049CC44 . 0FB65432 FE MOVZX EDX,BYTE PTR DS:[EDX+ESI-2] ; 机器码的倒数第二位
0049CC49 . 03C2 ADD EAX,EDX ; 以上5位的ASC相加,得到0x100
0049CC4B . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0049CC4E . 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
0049CC51 . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10] ; 注册码得到的"97"
0049CC54 . BA 1CCF4900 MOV EDX,DriverSt.0049CF1C
0049CC59 . E8 927CF6FF CALL DriverSt.004048F0
0049CC5E . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
0049CC61 . BA FFFF0000 MOV EDX,0FFFF
0049CC66 . E8 F9C0F6FF CALL DriverSt.00408D64 ; 转换位数值0x97
0049CC6B . 8BF0 MOV ESI,EAX
0049CC6D . 81FE FFFF0000 CMP ESI,0FFFF
0049CC73 . 0F84 3F020000 JE DriverSt.0049CEB8
0049CC79 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049CC7C . 8B40 70 MOV EAX,DWORD PTR DS:[EAX+70]
0049CC7F . 99 CDQ
0049CC80 . F77D E8 IDIV DWORD PTR SS:[EBP-18] ; 0x14387B3 mod 0x100 0xB3
0049CC83 . 81E2 FF000000 AND EDX,0FF
0049CC89 . 3BF2 CMP ESI,EDX ; 余数跟0x97比
0049CC8B . 0F85 27020000 JNZ DriverSt.0049CEB8
0049CC91 . 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
0049CC94 . 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
0049CC97 . BA 1CCF4900 MOV EDX,DriverSt.0049CF1C
0049CC9C . E8 4F7CF6FF CALL DriverSt.004048F0
0049CCA1 . 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34]
0049CCA4 . BA FFFF0000 MOV EDX,0FFFF
0049CCA9 . E8 B6C0F6FF CALL DriverSt.00408D64 ; 注册码第五个字符"5"转为数值0x5
0049CCAE . 8BF0 MOV ESI,EAX
0049CCB0 . 81FE FFFF0000 CMP ESI,0FFFF
0049CCB6 . 0F84 FC010000 JE DriverSt.0049CEB8 ; 转化不成功就跳走
0049CCBC . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049CCBF . E8 E07BF6FF CALL DriverSt.004048A4 ; 机器码的长度
0049CCC4 . 3BF0 CMP ESI,EAX ; 奇怪,我得机器码长度23,不可能相等啊!
0049CCC6 . EB 15 JE SHORT DriverSt.0049CCDD ; 相等跳下去继续验证,这里暴力改为JMP 0049CCC6
高手帮看一下,因为我得机器码长度为23,但一个字符转为整数最多是15,不用暴力好像不行,不知道大家有没有遇到这种情况。
0049CCC8 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049CCCB . E8 D47BF6FF CALL DriverSt.004048A4
0049CCD0 . 83F8 10 CMP EAX,10
0049CCD3 . 7E 08 JLE SHORT DriverSt.0049CCDD
0049CCD5 . 85F6 TEST ESI,ESI
0049CCD7 . 0F85 DB010000 JNZ DriverSt.0049CEB8
0049CCDD > 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0049CCE0 . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0049CCE3 . 8A52 06 MOV DL,BYTE PTR DS:[EDX+6] ; 注册码的第7位
0049CCE6 . 8850 01 MOV BYTE PTR DS:[EAX+1],DL
0049CCE9 . C600 01 MOV BYTE PTR DS:[EAX],1
0049CCEC . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0049CCEF . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0049CCF2 . E8 1564F6FF CALL DriverSt.0040310C
0049CCF7 . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0049CCFA . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0049CCFD . 8A52 08 MOV DL,BYTE PTR DS:[EDX+8] ; 注册码的第9位
0049CD00 . 8850 01 MOV BYTE PTR DS:[EAX+1],DL
0049CD03 . C600 01 MOV BYTE PTR DS:[EAX],1
0049CD06 . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0049CD09 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0049CD0C . B1 02 MOV CL,2
0049CD0E . E8 C963F6FF CALL DriverSt.004030DC
0049CD13 . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0049CD16 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0049CD19 . E8 EE63F6FF CALL DriverSt.0040310C
0049CD1E . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0049CD21 . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0049CD24 . 8A52 0A MOV DL,BYTE PTR DS:[EDX+A] ; 注册码的第11位
0049CD27 . 8850 01 MOV BYTE PTR DS:[EAX+1],DL
0049CD2A . C600 01 MOV BYTE PTR DS:[EAX],1
0049CD2D . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
0049CD30 . 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
0049CD33 . B1 03 MOV CL,3
0049CD35 . E8 A263F6FF CALL DriverSt.004030DC
0049CD3A . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
0049CD3D . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0049CD40 . E8 037BF6FF CALL DriverSt.00404848 ; 连接得到字符串"31B"
0049CD45 . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
0049CD48 . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0049CD4B . BA 1CCF4900 MOV EDX,DriverSt.0049CF1C
0049CD50 . E8 9B7BF6FF CALL DriverSt.004048F0
0049CD55 . 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
0049CD58 . BA FFFF0000 MOV EDX,0FFFF
0049CD5D . E8 02C0F6FF CALL DriverSt.00408D64 ; 字符串"31B"转化成整数0x31B
0049CD62 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0049CD65 . 817D E8 FFFF00>CMP DWORD PTR SS:[EBP-18],0FFFF
0049CD6C . 0F84 46010000 JE DriverSt.0049CEB8 ; 转化失败就跳向死亡
0049CD72 . 33F6 XOR ESI,ESI
0049CD74 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049CD77 . E8 287BF6FF CALL DriverSt.004048A4 ; 机器码的长度,准备循环
0049CD7C . 85C0 TEST EAX,EAX
0049CD7E . 7E 13 JLE SHORT DriverSt.0049CD93
0049CD80 . BB 01000000 MOV EBX,1
0049CD85 > 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0049CD88 . 0FB6541A FF MOVZX EDX,BYTE PTR DS:[EDX+EBX-1] ; 机器码的每一个字符
0049CD8D . 03F2 ADD ESI,EDX ; 循环求机器码的每一个字符的ASC的总和,得到0x48E
0049CD8F . 43 INC EBX
0049CD90 . 48 DEC EAX
0049CD91 .^ 75 F2 JNZ SHORT DriverSt.0049CD85
0049CD93 > C1E6 04 SHL ESI,4 ; 求得的和,左移4位,得到0x48E0
0049CD96 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049CD99 . 3370 74 XOR ESI,DWORD PTR DS:[EAX+74] ; 0x48E0^0x2357417=0x2353CF7
0049CD9C . 81E6 FF0F0000 AND ESI,0FFF ; 0x2353CF7&0xFFF=0xCF7
0049CDA2 . 8975 E4 MOV DWORD PTR SS:[EBP-1C],ESI
0049CDA5 . 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0049CDA8 . 3B45 E8 CMP EAX,DWORD PTR SS:[EBP-18] ; 0xCF7和0xB13比较
0049CDAB . 0F85 07010000 JNZ DriverSt.0049CEB8 ; 不相等就跳向死亡
0049CDB1 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0049CDB4 . E8 EB7AF6FF CALL DriverSt.004048A4 ; 注册码的长度
0049CDB9 . 83F8 0C CMP EAX,0C ; 长度应该是12
0049CDBC . 0F8E E9000000 JLE DriverSt.0049CEAB ; 长度是12跳向成功
0049CDC2 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0049CDC5 . E8 1A78F6FF CALL DriverSt.004045E4
0049CDCA . 33C0 XOR EAX,EAX
0049CDCC . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
0049CDCF . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049CDD2 . E8 CD7AF6FF CALL DriverSt.004048A4
0049CDD7 . 85C0 TEST EAX,EAX
0049CDD9 . 7E 14 JLE SHORT DriverSt.0049CDEF
0049CDDB . BB 01000000 MOV EBX,1
0049CDE0 > 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0049CDE3 . 0FB6541A FF MOVZX EDX,BYTE PTR DS:[EDX+EBX-1]
0049CDE8 . 0155 E4 ADD DWORD PTR SS:[EBP-1C],EDX
0049CDEB . 43 INC EBX
0049CDEC . 48 DEC EAX
0049CDED .^ 75 F1 JNZ SHORT DriverSt.0049CDE0
0049CDEF > B8 FFFFFF07 MOV EAX,7FFFFFF
0049CDF4 . 99 CDQ
0049CDF5 . F77D E4 IDIV DWORD PTR SS:[EBP-1C]
0049CDF8 . F76D E4 IMUL DWORD PTR SS:[EBP-1C]
0049CDFB . 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
0049CDFE . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0049CE01 . E8 9E7AF6FF CALL DriverSt.004048A4
0049CE06 . 83E8 0C SUB EAX,0C
0049CE09 . 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0049CE0C . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0049CE0F . 50 PUSH EAX
0049CE10 . 8B4D E8 MOV ECX,DWORD PTR SS:[EBP-18]
0049CE13 . BA 0D000000 MOV EDX,0D
0049CE18 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0049CE1B . E8 E47CF6FF CALL DriverSt.00404B04
0049CE20 . BF 1F000000 MOV EDI,1F
0049CE25 . BB 01000000 MOV EBX,1
0049CE2A > 8BCB MOV ECX,EBX
0049CE2C . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049CE2F . 8B40 78 MOV EAX,DWORD PTR DS:[EAX+78]
0049CE32 . 8BF0 MOV ESI,EAX
0049CE34 . D3E6 SHL ESI,CL
0049CE36 . 8BCF MOV ECX,EDI
0049CE38 . D3E8 SHR EAX,CL
0049CE3A . 0BF0 OR ESI,EAX
0049CE3C . 8BC6 MOV EAX,ESI
0049CE3E . 99 CDQ
0049CE3F . 33C2 XOR EAX,EDX
0049CE41 . 2BC2 SUB EAX,EDX
0049CE43 . 8BF0 MOV ESI,EAX
0049CE45 . 3B75 E4 CMP ESI,DWORD PTR SS:[EBP-1C]
0049CE48 . 7E 0A JLE SHORT DriverSt.0049CE54
0049CE4A . 8BC6 MOV EAX,ESI
0049CE4C . 99 CDQ
0049CE4D . F77D E4 IDIV DWORD PTR SS:[EBP-1C]
0049CE50 . 8BF2 MOV ESI,EDX
0049CE52 . EB 08 JMP SHORT DriverSt.0049CE5C
0049CE54 > 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
0049CE57 . 99 CDQ
0049CE58 . F7FE IDIV ESI
0049CE5A . 8BF2 MOV ESI,EDX
0049CE5C > 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
0049CE5F . 8BC6 MOV EAX,ESI
0049CE61 . 25 FF0F0000 AND EAX,0FFF
0049CE66 . BA 03000000 MOV EDX,3
0049CE6B . E8 90BEF6FF CALL DriverSt.00408D00
0049CE70 . 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
0049CE73 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0049CE76 . E8 317AF6FF CALL DriverSt.004048AC
0049CE7B . 4F DEC EDI
0049CE7C . 43 INC EBX
0049CE7D . 83FB 21 CMP EBX,21
0049CE80 .^ 75 A8 JNZ SHORT DriverSt.0049CE2A
0049CE82 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0049CE85 . 50 PUSH EAX
0049CE86 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049CE89 . 8B48 6C MOV ECX,DWORD PTR DS:[EAX+6C]
0049CE8C . 83E9 0C SUB ECX,0C
0049CE8F . BA 01000000 MOV EDX,1
0049CE94 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0049CE97 . E8 687CF6FF CALL DriverSt.00404B04
0049CE9C . 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
0049CE9F . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0049CEA2 . E8 15B9F6FF CALL DriverSt.004087BC
0049CEA7 . 85C0 TEST EAX,EAX
0049CEA9 . 75 0D JNZ SHORT DriverSt.0049CEB8
0049CEAB > 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0049CEAE . BA 28CF4900 MOV EDX,DriverSt.0049CF28 ; ASCII "645364631365423154824"这是校验成功的返回字符串,如果程序走到这儿就成功了。
0049CEB3 . E8 8077F6FF CALL DriverSt.00404638
0049CEB8 > 33C0 XOR EAX,EAX
0049CEBA . 5A POP EDX
0049CEBB . 59 POP ECX
0049CEBC . 59 POP ECX
0049CEBD . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049CEC0 . 68 E7CE4900 PUSH DriverSt.0049CEE7
0049CEC5 > 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
0049CEC8 . BA 04000000 MOV EDX,4
0049CECD . E8 3677F6FF CALL DriverSt.00404608
0049CED2 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0049CED5 . BA 04000000 MOV EDX,4
0049CEDA . E8 2977F6FF CALL DriverSt.00404608
0049CEDF . C3 RETN
最终得到我电脑上的注册码:"BB3D58C2FA74D"
-------------------------------------------------------------------------------------------
【破解心得】
注册码由12个字符组成,对各个字符的校验如下:
第偶数个字符满足:
注册码的第2个字符转化为整数,然后跟0x7异或,结果作为日期
注册码的第10、8个字符连接后,字符串转为整数,跟0xB7异或,结果作为月份
注册码的第4、6、12个字符连接,字符串转为整数,跟0x5B7异或,结果作为年份
以上日期、月份、年份组成的日期要在当前日期之后
第奇数个字符满足:
机器码的前两个字符,机器码的最后两个字符,机器码的中间的一个字符(机器码长度为偶数,如22个字符就取第11个字符,机器码长度为奇数,如23个字符也取第11个字符),以上五个字符的ASC求和,然后用0x14387B3对以上的结果取余,余数的最后两位分别填充注册码的第1、3个字符。
注册码的第五个字符要等于机器码的长度。(这一点好像很难做的,第五个字符最多是"F",转为整数15,而我得机器码是23位,这个地方我用了暴力破解,高手帮我看看这个程序,难道非强暴不可,"我想做个好人"。)
机器码的所有字符的ASC求和,结果左移4位,在跟0x2353CF7位与运算,结果的最后三位分别填充注册码的第7.9.11个字符。
-------------------------------------------------------------------------------------------
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
-------------------------------------------------------------------------------------------
文章写于2005-6-7 11:26:02