My first cracking write-up... go easy on me, everyone...
[Target] 星空视频俱乐部 (Xingkong Video Club) V1.75
[About the software] 《星空视频俱乐部》: "the most trustworthy online movie and TV software", with a powerful volume control, 400+ domestic and foreign TV channels, over a thousand movies, photo collections, TV series and variety shows, fast high-quality video, updates tracked in real time by dedicated staff, and automatic self-update. Through exclusive partner resources it offers more than 400 very high-definition satellite channels: high-speed HBO blockbusters, BBC news, Japanese idols, Hong Kong/Taiwan Phoenix, CETV, Star and TVB series, China Central and provincial satellite channels; glamour photo sets; short comedy films.
[Tools] W32ASM (unlimited edition) + OD + the calculator that ships with Windows
[Protection] Hardware serial number; one registration code per machine
[Added] 2005-1-12
PS:
My machine code: B5016392
The registration code I tried: 78787878
First I tried registering; the error reads "你输入的注册码78787878不正确,请与作者联系。" (the registration code 78787878 you entered is incorrect, please contact the author).
Open it in W32ASM (unlimited edition), search the string references, double-click the hit, and you land here...
* Possible StringData Ref from Code Obj ->"你输入的注册码"
|
----->:0047BD99 68BCBF4700 push 0047BFBC
:0047BD9E 8D55D4 lea edx, dword ptr [ebp-2C]
:0047BDA1 8B45FC mov eax, dword ptr [ebp-04]
:0047BDA4 8B8008030000 mov eax, dword ptr [eax+00000308]
:0047BDAA E80927FCFF call 0043E4B8
:0047BDAF FF75D4 push [ebp-2C]
Nothing jumps into this block from above, which means that when the code is correct, execution must jump away before reaching it..
OK, look at the instruction just before it:
:0047BD91 3B0540394C00 cmp eax, dword ptr [004C3940]
:0047BD97 7438 je 0047BDD1
So we can guess that the comparison right above is the registration code comparison...
Open it in OD, set a breakpoint at 0047BD91, load the program, enter any registration code, and when it breaks here the two values being compared are shown below:
DS:[004C3940]=00023F3A
EAX=FF570443
Can't make anything of that.... heh... right, so let's look a bit further up...
Back to W32ASM, oh ho, look here:
* Possible StringData Ref from Code Obj ->" 您输入的注册码无效,请从新输入。"
|
:0047BD14 B884BF4700 mov eax, 0047BF84
:0047BD19 E86A01FBFF call 0042BE88
:0047BD1E E9BC010000 jmp 0047BEDF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047BD12(C)
|
:0047BD23 8D45E4 lea eax, dword ptr [ebp-1C];this is it, start from here
Presumably we only get here because the registration code was judged valid; otherwise "invalid registration code" would have been displayed.. heh
Breakpoint at 0047BD23, start over...
Once it breaks, step through with F8, keeping a close eye on the registers on the right...
:0047BD23 8D45E4 lea eax, dword ptr [ebp-1C]//the registration code we typed
:0047BD26 50 push eax
:0047BD27 8D55E0 lea edx, dword ptr [ebp-20]
:0047BD2A 8B45FC mov eax, dword ptr [ebp-04]
:0047BD2D 8B8004030000 mov eax, dword ptr [eax+00000304]
:0047BD33 E88027FCFF call 0043E4B8
Data after the call:
EAX 00000008
ECX 0012F9A8
EDX 7FFE0304
EBX 00D2FE54
:0047BD38 8B45E0 mov eax, dword ptr [ebp-20]//the machine serial number
:0047BD3B B906000000 mov ecx, 00000006
:0047BD40 BA01000000 mov edx, 00000001
:0047BD45 E84A88F8FF call 00404594
Data after another CALL:
EAX 0012FBEC
ECX 00000000
EDX 00000000
EBX 00D2FE54
:0047BD4A 8B4DE4 mov ecx, dword ptr [ebp-1C]//first 6 digits of the machine code
:0047BD4D 8D45E8 lea eax, dword ptr [ebp-18]
:0047BD50 BAB0BF4700 mov edx, 0047BFB0
:0047BD55 E82686F8FF call 00404380//step over
:0047BD5A 8B45E8 mov eax, dword ptr [ebp-18]//a "0x" has been prepended
:0047BD5D E85AC8F8FF call 004085BC
EAX 00B50163
ECX 00D31D00 ASCII "0xB50163"
EDX 0012FB98
EBX 00D2FE54
:0047BD62 8BF0 mov esi, eax
:0047BD64 33C0 xor eax, eax
:0047BD66 55 push ebp
:0047BD67 6896BE4700 push 0047BE96
:0047BD6C 64FF30 push dword ptr fs:[eax]
:0047BD6F 648920 mov dword ptr fs:[eax], esp
:0047BD72 8D55DC lea edx, dword ptr [ebp-24]
:0047BD75 8B45FC mov eax, dword ptr [ebp-04]
:0047BD78 8B8008030000 mov eax, dword ptr [eax+00000308]
:0047BD7E E83527FCFF call 0043E4B8
:0047BD83 8B45DC mov eax, dword ptr [ebp-24]//our registration code
:0047BD86 E831C8F8FF call 004085BC
Data after the call:
EAX 04B23526
ECX 00D20914 ASCII "78787878"
EDX 0012FB8C
EBX 00D2FE54
:0047BD8B 8BD8 mov ebx, eax
:0047BD8D 8BC3 mov eax, ebx
:0047BD8F 2BC6 sub eax, esi//EAX-0xB50163?? Isn't B50163 just the first 6 digits of my machine code?
:0047BD91 3B0540394C00 cmp eax, dword ptr [004C3940]//
EAX=03FD33C3 DS:[004C3940]=00023F3A
Running it several times, it is always this number.... so let's treat it as a constant (I later debugged it on another machine and got the same number; it really is a fixed constant). Now let's put it all together: the value computed from the registration code must equal 0x23F3A+0xB50163 = ... a few taps on the calculator.. 0xB7409D
Good. So the key is to see what it does to our registration code, namely this call:
:0047BD86 E831C8F8FF call 004085BC
because it computes something from our registration code and compares it with 0xB7409D (actually it subtracts 0xB50163 and compares with 0x23F3A)..
Breakpoint on the CALL, reload the program....
Inside..
:004085BC 53 push ebx
:004085BD 56 push esi
:004085BE 83C4F4 add esp, FFFFFFF4
:004085C1 8BD8 mov ebx, eax
:004085C3 8BD4 mov edx, esp
:004085C5 8BC3 mov eax, ebx
:004085C7 E88CA7FFFF call 00402D58//debugging shows this is the core
:004085CC 8BF0 mov esi, eax
:004085CE 833C2400 cmp dword ptr [esp], 00000000
:004085D2 7419 je 004085ED
:004085D4 895C2404 mov dword ptr [esp+04], ebx
:004085D8 C64424080B mov [esp+08], 0B
:004085DD 8D542404 lea edx, dword ptr [esp+04]
:004085E1 A1F43A4C00 mov eax, dword ptr [004C3AF4]
:004085E6 33C9 xor ecx, ecx
:004085E8 E833F9FFFF call 00407F20
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004085D2(C)
|
:004085ED 8BC6 mov eax, esi
:004085EF 83C40C add esp, 0000000C
:004085F2 5E pop esi
:004085F3 5B pop ebx
:004085F4 C3 ret
Doesn't look complicated...
So let's look at the core..
Damn, way too complicated...
call 00402D58
:00402D58 53 push ebx
:00402D59 56 push esi
:00402D5A 57 push edi
:00402D5B 89C6 mov esi, eax
:00402D5D 50 push eax
:00402D5E 85C0 test eax, eax
:00402D60 746C je 00402DCE
:00402D62 31C0 xor eax, eax
:00402D64 31DB xor ebx, ebx
:00402D66 BFCCCCCC0C mov edi, 0CCCCCCC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402D71(C)
|
:00402D6B 8A1E mov bl, byte ptr [esi]
:00402D6D 46 inc esi
:00402D6E 80FB20 cmp bl, 20
:00402D71 74F8 je 00402D6B
:00402D73 B500 mov ch, 00
:00402D75 80FB2D cmp bl, 2D
:00402D78 7462 je 00402DDC
:00402D7A 80FB2B cmp bl, 2B
:00402D7D 745F je 00402DDE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402DE1(U)
|
:00402D7F 80FB24 cmp bl, 24
:00402D82 745F je 00402DE3
:00402D84 80FB78 cmp bl, 78
:00402D87 745A je 00402DE3
:00402D89 80FB58 cmp bl, 58
:00402D8C 7455 je 00402DE3
:00402D8E 80FB30 cmp bl, 30
:00402D91 7513 jne 00402DA6
:00402D93 8A1E mov bl, byte ptr [esi]
:00402D95 46 inc esi
:00402D96 80FB78 cmp bl, 78
:00402D99 7448 je 00402DE3
:00402D9B 80FB58 cmp bl, 58
:00402D9E 7443 je 00402DE3
:00402DA0 84DB test bl, bl
:00402DA2 7420 je 00402DC4
:00402DA4 EB04 jmp 00402DAA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402D91(C)
|
:00402DA6 84DB test bl, bl//the pile of code above just checks whether it is a digit...
:00402DA8 742D je 00402DD7
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402DA4(U), :00402DC2(C)
|
|--------> :00402DAA 80EB30 sub bl, 30//ASCII code minus 0x30, converts to a digit
| :00402DAD 80FB09 cmp bl, 09
| :00402DB0 7725 ja 00402DD7
| :00402DB2 39F8 cmp eax, edi
| :00402DB4 7721 ja 00402DD7
| :00402DB6 8D0480 lea eax, dword ptr [eax+4*eax]//*5
| :00402DB9 01C0 add eax, eax//*2 (combined with the line above, that's *10)
| :00402DBB 01D8 add eax, ebx//add the digit to the running total
| :00402DBD 8A1E mov bl, byte ptr [esi]
| :00402DBF 46 inc esi
| :00402DC0 84DB test bl, bl
-------- :00402DC2 75E6 jne 00402DAA
The whole thing takes the characters one at a time and turns our ASCII digits into a decimal number. Now look at your EAX: looks familiar, right? Heh, it's exactly the value used outside, 0X4B23526 (78787878 in decimal). (What? No way, that simple?) Ha, it is that simple.. no need to trace the rest...
We can write a keygen now... let's go, no need to read on.....
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402DA2(C)
|
:00402DC4 FECD dec ch
:00402DC6 7409 je 00402DD1
:00402DC8 85C0 test eax, eax
:00402DCA 7D54 jge 00402E20
:00402DCC EB09 jmp 00402DD7
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402D60(C), :00402DED(C)
|
:00402DCE 46 inc esi
:00402DCF EB06 jmp 00402DD7
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402DC6(C)
|
:00402DD1 F7D8 neg eax
:00402DD3 7E4B jle 00402E20
:00402DD5 7849 js 00402E20
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402DA8(C), :00402DB0(C), :00402DB4(C), :00402DCC(U), :00402DCF(U)
|:00402E05(C), :00402E0C(C)
|
:00402DD7 5B pop ebx
:00402DD8 29DE sub esi, ebx
:00402DDA EB47 jmp 00402E23
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402D78(C)
|
:00402DDC FEC5 inc ch
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402D7D(C)
|
:00402DDE 8A1E mov bl, byte ptr [esi]
:00402DE0 46 inc esi
:00402DE1 EB9C jmp 00402D7F
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402D82(C), :00402D87(C), :00402D8C(C), :00402D99(C), :00402D9E(C)
|
:00402DE3 BFFFFFFF0F mov edi, 0FFFFFFF
:00402DE8 8A1E mov bl, byte ptr [esi]
:00402DEA 46 inc esi
:00402DEB 84DB test bl, bl
:00402DED 74DF je 00402DCE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402E18(C)
|
:00402DEF 80FB61 cmp bl, 61
:00402DF2 7203 jb 00402DF7
:00402DF4 80EB20 sub bl, 20
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402DF2(C)
|
:00402DF7 80EB30 sub bl, 30
:00402DFA 80FB09 cmp bl, 09
:00402DFD 760B jbe 00402E0A
:00402DFF 80EB11 sub bl, 11
:00402E02 80FB05 cmp bl, 05
:00402E05 77D0 ja 00402DD7
:00402E07 80C30A add bl, 0A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402DFD(C)
|
:00402E0A 39F8 cmp eax, edi
:00402E0C 77C9 ja 00402DD7
:00402E0E C1E004 shl eax, 04
:00402E11 01D8 add eax, ebx
:00402E13 8A1E mov bl, byte ptr [esi]
:00402E15 46 inc esi
:00402E16 84DB test bl, bl
:00402E18 75D5 jne 00402DEF
:00402E1A FECD dec ch
:00402E1C 7502 jne 00402E20
:00402E1E F7D8 neg eax
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402DCA(C), :00402DD3(C), :00402DD5(C), :00402E1C(C)
|
:00402E20 59 pop ecx
:00402E21 31F6 xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402DDA(U)
|
:00402E23 8932 mov dword ptr [edx], esi
:00402E25 5F pop edi
:00402E26 5E pop esi
:00402E27 5B pop ebx
:00402E28 C3 ret
..OK. To sum up, the algorithm converts the registration code we entered to a decimal number (so you must enter decimal digits), then subtracts the first 6 digits of the machine code (read as hex), and the result must equal 0x23F3A. That simple..
Registration code = DEC(HEX(first 6 digits of machine code) + 0x23F3A)
PS: one more thing: the registration code cannot be longer than 8 characters, otherwise none of the above applies... because execution never reaches the breakpoint we set.
Keygen source (C version):
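To make the behaviour of the routine at 00402D58 concrete, here is a C rendering of it as an added example; it is my own code, not the post's or the program's, and the names val_long and val_errpos are mine. It goes slightly beyond what the post traced: it also covers the sign handling, the $ / 0x hex branch, and the error position the routine stores through EDX (the caller at 004085BC raises an exception when that value is non-zero).

```c
#include <stdint.h>
/* Added example (not code from the post): C rendering of the routine at
 * 00402D58 reconstructed from the listing. Returns the parsed value; *errpos
 * gets 0 on success or the 1-based position of the offending character. */
int32_t val_long(const char *s, int *errpos)
{
    const char *start = s;
    uint32_t acc = 0, limit = 0x0CCCCCCC;   /* EAX, and EDI's overflow guard */
    unsigned char c, d;
    int negative = 0, hex = 0;              /* CH flag; the $ / 0x branch */
    if (!s) { *errpos = 1; return 0; }
    do { c = (unsigned char)*s++; } while (c == ' ');   /* skip blanks */
    if (c == '-') { negative = 1; c = (unsigned char)*s++; }
    else if (c == '+') c = (unsigned char)*s++;
    if (c == '$' || c == 'x' || c == 'X') hex = 1;
    else if (c == '0') {                    /* "0", "0x..." or "0123" */
        c = (unsigned char)*s++;
        if (c == 'x' || c == 'X') hex = 1;
        else if (c == 0) { *errpos = 0; return 0; }
    } else if (c == 0) goto fail;           /* empty string */
    if (!hex) {
        for (;;) {                          /* acc = acc*10 + digit */
            d = c - '0';
            if (d > 9 || acc > limit) goto fail;
            acc = acc * 10 + d;
            c = (unsigned char)*s++;
            if (c == 0) break;
        }
        if (negative) { acc = 0u - acc; if ((int32_t)acc > 0) goto fail; }
        else if ((int32_t)acc < 0) goto fail;   /* carried into the sign bit */
        *errpos = 0; return (int32_t)acc;
    }
    limit = 0x0FFFFFFF; c = (unsigned char)*s++;
    if (c == 0) { *errpos = (int)(s - start) + 1; return 0; }  /* bare "$"/"0x" */
    for (;;) {                              /* acc = acc*16 + hex digit */
        if (c >= 'a') c -= 0x20;            /* fold to upper case */
        d = c - '0';
        if (d > 9) { d -= 0x11; if (d > 5) goto fail; d += 10; }  /* 'A'..'F' */
        if (acc > limit) goto fail;
        acc = (acc << 4) + d;
        c = (unsigned char)*s++;
        if (c == 0) break;
    }
    if (negative) acc = 0u - acc;
    *errpos = 0; return (int32_t)acc;
fail:
    *errpos = (int)(s - start);             /* ESI minus the saved start pointer */
    return (int32_t)acc;
}
int val_errpos(const char *s) { int e; val_long(s, &e); return e; }
```

With the post's values, val_long("78787878", ...) yields 0x4B23526 and val_long("0xB50163", ...) yields 0xB50163, the two operands of the sub at 0047BD8F.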
#include <stdio.h>
#include <conio.h>   /* getch(); Windows/VC++ only, as in the original */
int main(void)
{
    unsigned long n1, n2 = 0x23f3a, serial;
    printf("\t+++++++++++++4nilz Crack+++++++++++++++\n");
    printf("\t+tHis Program has FuCkEd bY 4nil......+\n");
    printf("\t+just meAn iT Is rbsh....OK share,THX.+\n");
    printf("\t+++++++++++++++++++++++++++++++++++++++\n\n");
    printf("Enter the machine code:");
    if (scanf("%6lX", &n1) != 1)   /* first 6 hex digits of the machine code */
        return 1;
    serial = n1 + n2;              /* HEX(first 6 digits) + 0x23F3A */
    printf("Serial:%lu\n", serial); /* printed in decimal, as the check expects */
    getch();
    return 0;
}
Compiled and tested under VC++6.0.
Yay! Done!
I ramble a lot, don't I... thanks for reading..... off to bed, it's 0:24 now... tired