KeyGhost V3.2 破解实录
作者:liangs
E-mail:liang_s@263.net
软件名称:KeyGhost V3.2
下载地址:http://sunhy.126.com
使用的工具
W32Dasm V8.93 超级中文版
Trw2000 ver1.22
首先连按两次ALT+F12呼出KeyGhost,在注册框中输入:liangs-787878,为什么是'liangs-787878'
而不是'liangs787878',下面你就知道了。然后下bpx hmemcpy,中断后,首先bd *,去掉所有中断,
再按18次F12。
* Possible StringData Ref from Code Obj ->"请合法使用软件"
|
:00475580 B888564700 mov eax,
00475688
:00475585 E842ADFDFF call 004502CC
:0047558A 837DFC00 cmp
dword ptr [ebp-04], 00000000 <---我们停在这;
:0047558E 0F8499000000 je 0047562D
:00475594 8D85FCFEFFFF lea eax, dword
ptr [ebp+FFFFFEFC]
:0047559A 8B55FC
mov edx, dword ptr [ebp-04] <---此处edx=liangs-787878;
:0047559D B9FF000000 mov ecx,
000000FF
:004755A2 E881E8F8FF call 00403E28
:004755A7 8D85FCFEFFFF lea eax, dword
ptr [ebp+FFFFFEFC]
:004755AD E8CAC2FFFF call 0047187C
<---判断输入的注册码的合法性,此处按F8跟入;
:004755B2 84C0
test al, al
:004755B4 7477
je 0047562D <---注册码错误就跳走;
:004755B6 B201
mov dl, 01
:004755B8 8B8340030000 mov eax, dword
ptr [ebx+00000340]
:004755BE E8F570FBFF call 0042C6B8
:004755C3 33D2
xor edx, edx
:004755C5 8B8318030000 mov eax, dword
ptr [ebx+00000318]
:004755CB E8E870FBFF call 0042C6B8
:004755D0 B201
mov dl, 01
:004755D2 8B8340040000 mov eax, dword
ptr [ebx+00000440]
:004755D8 8B08
mov ecx, dword ptr [eax]
:004755DA FF515C
call [ecx+5C]
:004755DD C605D1BA470001 mov byte ptr [0047BAD1],
01
* Possible StringData Ref from Code Obj ->"Code"
|
:004755E4 68A0564700 push 004756A0
:004755E9 8D95E8FEFFFF lea edx, dword
ptr [ebp+FFFFFEE8]
:004755EF 8B45FC
mov eax, dword ptr [ebp-04]
:004755F2 E84595FEFF call 0045EB3C
:004755F7 8B95E8FEFFFF mov edx, dword
ptr [ebp+FFFFFEE8]
:004755FD 8D85ECFEFFFF lea eax, dword
ptr [ebp+FFFFFEEC]
:00475603 E8A4F9F8FF call 00404FAC
:00475608 8D85ECFEFFFF lea eax, dword
ptr [ebp+FFFFFEEC]
:0047560E 50
push eax
* Possible StringData Ref from Code Obj ->"Software\Sun\Keyghost3xx"
|
:0047560F B9B0564700 mov ecx,
004756B0
:00475614 B202
mov dl, 02
:00475616 8B8310030000 mov eax, dword
ptr [ebx+00000310]
:0047561C E85F21FEFF call 00457780
* Possible StringData Ref from Code Obj ->"注册成功!谢谢您的支持!"
|
:00475621 B8D4564700 mov eax,
004756D4 <---注册码正确跳到此处;
:00475626 E885A9FDFF call 0044FFB0
:0047562B EB0A
jmp 00475637
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047558E(C), :004755B4(C)
|
* Possible StringData Ref from Code Obj ->"请购买本软件!见右侧注册说明!"
|
:0047562D B8F8564700 mov eax,
004756F8 <---注册码错误跳到此处;
:00475632 E879A9FDFF call 0044FFB0
---------------------------------------------------------------------------
跟入 call 0047187C 中:此Call用来判断输入的注册码的合法性
* Referenced by a CALL at Addresses:
|:004755AD , :00475979
|
;-----------------------------------------------------------------------
; Routine at 0047187C — registration-code validation (W32Dasm dead listing,
; Win32/x86).  The ';' lines are review notes; the author's '<---' remarks
; are left exactly as written.
; In:    eax = pointer to the entered code as a length-prefixed string
;        (byte 0 = length, then the characters): the copy at
;        004718AC..004718B0 and the length read at 00471948 both treat
;        byte 0 as the length.  The caller loads eax at 004755A7 before
;        the call at 004755AD — a register-passing convention (looks like
;        Delphi's, not confirmed from this listing alone).
; Out:   [ebp-01] = 1 if the code is accepted, otherwise 0.  The tail
;        after 004719E5 that hands this byte back to the caller is not in
;        the listing; the caller tests AL at 004755B2, so presumably that
;        tail does "mov al,[ebp-01]" — verify in the binary.
; Stack: 0x314 bytes of locals (add esp, FFFFFCEC): three 256-byte text
;        buffers at ebp-101h, ebp-201h, ebp-301h and four dword string
;        locals at ebp-314h..ebp-308h.  ebx/esi/edi are preserved.
; Design note (defender's view): every input to the verdict is computed
; inside this routine from the user-visible name, and the verdict is a
; single byte.  A symmetric check like this cannot separate "verify"
; from "generate", and a one-byte decision is a single point of failure;
; a licence scheme that wants to survive disassembly verifies a signature
; with a public key and spreads the decision over several independent
; checks.
;-----------------------------------------------------------------------
; --- prologue: frame, 0x314 bytes of locals, save callee-saved regs ---
:0047187C 55
push ebp
:0047187D 8BEC
mov ebp, esp
:0047187F 81C4ECFCFFFF add esp, FFFFFCEC
:00471885 53
push ebx
:00471886 56
push esi
:00471887 57
push edi
; --- zero the four dword string locals (ebp-310h, -314h, -308h, -30Ch) ---
:00471888 33D2
xor edx, edx
:0047188A 8995F0FCFFFF mov dword ptr
[ebp+FFFFFCF0], edx
:00471890 8995ECFCFFFF mov dword ptr
[ebp+FFFFFCEC], edx
:00471896 8995F8FCFFFF mov dword ptr
[ebp+FFFFFCF8], edx
:0047189C 8995F4FCFFFF mov dword ptr
[ebp+FFFFFCF4], edx
; --- copy the input (length byte + characters) into the buffer at
;     ebp-101h.  ecx = length byte + 1, so at most 256 bytes are copied,
;     ending at ebp-02h; the result flag at ebp-01h is not reachable.
:004718A2 8BF0
mov esi, eax
:004718A4 8DBDFFFEFFFF lea edi, dword
ptr [ebp+FFFFFEFF]
:004718AA 33C9
xor ecx, ecx
:004718AC 8A0E
mov cl, byte ptr [esi]
:004718AE 41
inc ecx
:004718AF F3
repz
:004718B0 A4
movsb
; --- install a structured-exception frame on the fs:[0] chain with
;     handler/cleanup at 004719DE (eax is zeroed only to address fs:[0]) ---
:004718B1 33C0
xor eax, eax
:004718B3 55
push ebp
:004718B4 68DE194700 push 004719DE
:004718B9 64FF30
push dword ptr fs:[eax]
:004718BC 648920
mov dword ptr fs:[eax], esp
; --- result flag starts as "rejected"; only 004719BC sets it to 1 ---
:004718BF C645FF00 mov
[ebp-01], 00
; --- three runtime helpers rework the buffer in place (buffer -> string
;     local -> back into the 255-byte buffer).  Their semantics are not
;     shown in this listing; presumably a normalisation — not confirmed.
:004718C3 8D85F4FCFFFF lea eax, dword
ptr [ebp+FFFFFCF4]
:004718C9 8D95FFFEFFFF lea edx, dword
ptr [ebp+FFFFFEFF]
:004718CF E81C25F9FF call 00403DF0
:004718D4 8B85F4FCFFFF mov eax, dword
ptr [ebp+FFFFFCF4]
:004718DA 8D95F8FCFFFF lea edx, dword
ptr [ebp+FFFFFCF8]
:004718E0 E82374F9FF call 00408D08
:004718E5 8B95F8FCFFFF mov edx, dword
ptr [ebp+FFFFFCF8]
:004718EB 8D85FFFEFFFF lea eax, dword
ptr [ebp+FFFFFEFF]
:004718F1 B9FF000000 mov ecx,
000000FF
:004718F6 E82D25F9FF call 00403E28
; --- ebx = accumulator; the two part-buffers get a zero length byte ---
:004718FB 33DB
xor ebx, ebx
:004718FD C685FFFDFFFF00 mov byte ptr [ebp+FFFFFDFF],
00
:00471904 C685FFFCFFFF00 mov byte ptr [ebp+FFFFFCFF],
00
; --- locate the separator: eax = constant string at 004719F0, edx =
;     input buffer; the routine at 00402A20 (listed further down) scans
;     for it and its result lands in esi.  A result <= 0 means "not
;     found" and the code is rejected at 004719C0.
:0047190B 8D95FFFEFFFF lea edx, dword
ptr [ebp+FFFFFEFF]
:00471911 B8F0194700 mov eax,
004719F0
:00471916 E80511F9FF call 00402A20
<---判断输入的注册号是否是xxxx-yyyy的形式;
按F8跟入可知。
:0047191B 8BF0
mov esi, eax
:0047191D 85F6
test esi, esi
:0047191F 0F8E9B000000 jle 004719C0
<---注册号若不是xxxx-yyyy的形式则跳
这里千万不能跳,不然就OVER了。:-)
; --- first part: characters 1 .. pos-1 of the input into the buffer at
;     ebp-201h (call 00402864 with edx = start, ecx = count; presumably a
;     substring copy — not confirmed from this listing) ---
:00471925 8D85FFFDFFFF lea eax, dword
ptr [ebp+FFFFFDFF]
:0047192B 50
push eax
:0047192C 8BCE
mov ecx, esi
:0047192E 49
dec ecx
:0047192F BA01000000 mov edx,
00000001
:00471934 8D85FFFEFFFF lea eax, dword
ptr [ebp+FFFFFEFF]
:0047193A E8250FF9FF call 00402864
; --- second part: characters pos+1 .. len (ecx = len - pos) into the
;     buffer at ebp-301h ---
:0047193F 8D85FFFCFFFF lea eax, dword
ptr [ebp+FFFFFCFF]
:00471945 50
push eax
:00471946 33C9
xor ecx, ecx
:00471948 8A8DFFFEFFFF mov cl, byte
ptr [ebp+FFFFFEFF]
:0047194E 2BCE
sub ecx, esi
:00471950 8D5601
lea edx, dword ptr [esi+01]
:00471953 8D85FFFEFFFF lea eax, dword
ptr [ebp+FFFFFEFF]
:00471959 E8060FF9FF call 00402864
; --- fold the characters of the first part into ebx.  edx = its length
;     byte; an empty first part skips the loop with ebx still 0.  This
;     short loop and the constant it uses are the entire licence secret,
;     and they ship inside the binary — the structural weakness noted in
;     the header.
:0047195E 33D2
xor edx, edx
:00471960 8A95FFFDFFFF mov dl, byte
ptr [ebp+FFFFFDFF]
:00471966 85D2
test edx, edx
:00471968 7E16
jle 00471980
:0047196A 8D8500FEFFFF lea eax, dword
ptr [ebp+FFFFFE00]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047197E(C)
|
:00471970 33C9
xor ecx, ecx
:00471972 8A08
mov cl, byte ptr [eax]
:00471974 03D9
add ebx, ecx
:00471976 81C3A41D0F00 add ebx, 000F1DA4
:0047197C 40
inc eax
:0047197D 4A
dec edx
:0047197E 75F0
jne 00471970
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471968(C)
|
; --- second part -> string local at ebp-310h (saved on the stack), then
;     ebx -> string local at ebp-314h via 00408E88 ---
:00471980 8D85F0FCFFFF lea eax, dword
ptr [ebp+FFFFFCF0]
:00471986 8D95FFFCFFFF lea edx, dword
ptr [ebp+FFFFFCFF]
:0047198C E85F24F9FF call 00403DF0
:00471991 8B85F0FCFFFF mov eax, dword
ptr [ebp+FFFFFCF0]
:00471997 50
push eax
:00471998 8D95ECFCFFFF lea edx, dword
ptr [ebp+FFFFFCEC]
:0047199E 8BC3
mov eax, ebx
:004719A0 E8E374F9FF call 00408E88
<---用xxxx算出正确的注册码;
执行完上面这条语句后,EDX中就是
正确的注册码,我的是:5944406
; --- compare the two strings (eax = second part popped back, edx = the
;     value derived from the first part); mismatch -> 004719C0 ---
:004719A5 8B95ECFCFFFF mov edx, dword
ptr [ebp+FFFFFCEC]
:004719AB 58
pop eax
:004719AC E8AB25F9FF call 00403F5C
<---判断yyyy与上面用xxxx算出的
注册码是否相等;
:004719B1 750D
jne 004719C0
<---不等就跳走;
; --- extra constraint not mentioned in the text: the first character of
;     the input (ebp-100h, the byte after the length) must be >= 61h
;     ('a'); jb is an unsigned compare, so bytes >= 80h also pass ---
:004719B3 80BD00FFFFFF61 cmp byte ptr [ebp+FFFFFF00],
61
:004719BA 7204
jb 004719C0
; --- all checks passed: result flag = 1 ---
:004719BC C645FF01 mov
[ebp-01], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047191F(C), :004719B1(C), :004719BA(C)
|
; --- common exit for success and failure (the success path falls
;     through from 004719BC).  The xor below is NOT the result: it only
;     zeroes eax so that "mov fs:[eax], edx" can restore the previous
;     exception frame, the same pattern as at 004718B1.  The verdict is
;     the byte at ebp-01h; the code after 004719E5 (outside this listing)
;     presumably loads it into AL for the caller's "test al, al".
:004719C0 33C0
xor eax, eax <---可爱的EAX标志被置0,就OVER了
:004719C2 5A
pop edx
:004719C3 59
pop ecx
:004719C4 59
pop ecx
:004719C5 648910
mov dword ptr fs:[eax], edx
; --- 004719E5 is pushed as the return address of the cleanup block
;     below, which is also the target of the handler path (004719E3) ---
:004719C8 68E5194700 push 004719E5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004719E3(U)
|
; --- cleanup: release the string locals starting at ebp-314h (edx = 4,
;     consistent with the four dword locals zeroed in the prologue —
;     helper semantics not shown here) and return to 004719E5 ---
:004719CD 8D85ECFCFFFF lea eax, dword
ptr [ebp+FFFFFCEC]
:004719D3 BA04000000 mov edx,
00000004
:004719D8 E81322F9FF call 00403BF0
:004719DD C3
ret
--------------------------------------------------------------------------------
由 call 00402A20 跟入:此Call判断注册码是否为xxxx-yyyy的形式.
:00402A20 53
push ebx
:00402A21 56
push esi
:00402A22 57
push edi
:00402A23 89C6
mov esi, eax
:00402A25 89D7
mov edi, edx
:00402A27 31C9
xor ecx, ecx
:00402A29 8A0F
mov cl, byte ptr [edi]
:00402A2B 47
inc edi
:00402A2C 57
push edi
:00402A2D 31D2
xor edx, edx
:00402A2F 8A16
mov dl, byte ptr [esi]
:00402A31 46
inc esi
:00402A32 4A
dec edx
:00402A33 781B
js 00402A50
:00402A35 8A06
mov al, byte ptr [esi] <---将AL赋值'2D',也就是符号'-';
:00402A37 46
inc esi
:00402A38 29D1
sub ecx, edx
:00402A3A 7E14
jle 00402A50
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402A4E(U)
|
:00402A3C F2
repnz
:00402A3D AE
scasb <---循环依次取输入的注册码与AL中的'-'比较
:00402A3E 7510
jne 00402A50 <---注册码中没有'-'符就跳走;
:00402A40 89CB
mov ebx, ecx
:00402A42 56
push esi
:00402A43 57
push edi
:00402A44 89D1
mov ecx, edx
:00402A46 F3
repz
:00402A47 A6
cmpsb
:00402A48 5F
pop edi
:00402A49 5E
pop esi
:00402A4A 7409
je 00402A55
:00402A4C 89D9
mov ecx, ebx
:00402A4E EBEC
jmp 00402A3C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402A33(C), :00402A3A(C), :00402A3E(C)
|
:00402A50 5A
pop edx
:00402A51 31C0
xor eax, eax
:00402A53 EB05
jmp 00402A5A
整理一下我的注册码为:liangs-5944406
- 标 题:KeyGhost V3.2 破解实录 (11千字)
- 作 者:liangs
- 时 间:2000-8-17 23:20:25
- 链 接:http://bbs.pediy.com