软件名称: Diskbase 5.11
软件下载: www.diskbase.com
软件用途: 这个软件的功能类似于CDCollection,就是能够存储CD的目录结构----数据库,以便离线查找.
工具: TRW2000 1.22 , W32dasm ,FileInfo v2.43
日期: 2000.5.18
作者: Fengy
特此,感谢toye和 bnbnf大哥对俺的帮助!!!
过程:
1) 使用 FileInfo v2.43 检测主程序“diskbase.exe”,没有壳的,是delphi编译的
2) 用W32dasm反编译diskbase.exe,结果如下:
主程序:
; Caller of the license check. This excerpt starts mid-function at 004773EE
; and the author cut it at 004774DA (the "$" lines mark omitted instructions);
; the enclosing routine is not shown.
; Delphi register convention: first argument in eax, second in edx.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047735F(C)
|
:004773EE 8B45FC
mov eax, dword ptr [ebp-04]
:004773F1 8D9008020000 lea edx, dword
ptr [eax+00000208]
<<---- edx = [ebp-04]+208h: record whose dword at +08 is the license number as entered (read as [edx+08] inside 00476B30)
:004773F7 8B45FC
mov eax, dword ptr [ebp-04]
:004773FA 051C020000 add eax,
0000021C
<<---- eax = [ebp-04]+21Ch: object whose text fields feed the key derivation
:004773FF E82CF7FFFF call 00476B30
<<---- license check, trace into it: returns al = 1 only when the entered dword equals the value derived by 00475E20
:00477404 84C0
test al, al
:00477406 0F85BD000000 jne 004774C9
<<---- the branch point. NOTE(review): as listed, the jump is taken when al != 0 (check passed) and lands on the "not valid" message at 004774C9, while the fall-through builds the "now registered" text -- the opposite of what 00476B30's return value implies. Either the bytes/mnemonic (0F85 = jne) or the string attributions are off; confirm in the debugger before relying on the jne->je patch.
:0047740C C685B0FDFFFF00 mov byte ptr [ebp+FFFFFDB0],
00
* Possible StringData Ref from Code Obj ->"The DiskBase program is now registered.
"
|
<<---- message shown on successful registration
:00477413 BAFC754700 mov edx,
004775FC
:00477418 8D85B0FDFFFF lea eax, dword
ptr [ebp+FFFFFDB0]
:0047741E E841F4F8FF call 00406864
<<---- string assignment into the local at [ebp-250h] (RTL helper, body not shown)
* Possible StringData Ref from Code Obj ->"Please make a backup copy of the
"
->"file:"
$
$
$
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00477406(C)
|
:004774C9 6A30
push 00000030
<<---- message-box flags 30h (warning icon)
* Possible StringData Ref from Code Obj ->"DiskBase Registration"
|
:004774CB B944774700 mov ecx,
00477744
<<---- caption and text of the "wrong license number" message box
* Possible StringData Ref from Code Obj ->"This license number is not valid.
"
->"Please check
if you entered all "
->"data in exactly
the same form "
->"in which you
received it."
|
:004774D0 BA5C774700 mov edx,
0047775C
:004774D5 A124864900 mov eax,
dword ptr [00498624]
:004774DA E815F3FAFF call 004267F4
<<---- presumably Application.MessageBox(text, caption, flags); the global at 00498624 is not identified in this listing
**************************************************************************
; 00476B30 -- license check.
;   eax = object holding the registration text fields (saved at [ebp-04])
;   edx = record whose dword at +08 is the entered number (saved at [ebp-08])
; Returns al = 1 only when the entered dword equals the value derived by
; 00475E20 AND that value is non-zero; every other path returns 0.
; Two call sites (00476BB2 and 004773FF): bypassing one of them, e.g. by
; patching the jump at 00477406, leaves the other check intact.
* Referenced by a CALL at Addresses: license-check subroutine
|:00476BB2 , :004773FF
|
:00476B30 55
push ebp
:00476B31 8BEC
mov ebp, esp
:00476B33 83C4E8
add esp, FFFFFFE8
<<---- 18h bytes of locals: [ebp-04] object, [ebp-08] record, [ebp-09] result byte, [ebp-10] derived dword
:00476B36 8955F8
mov dword ptr [ebp-08], edx
:00476B39 8945FC
mov dword ptr [ebp-04], eax
:00476B3C C645F700 mov
[ebp-09], 00
<<---- result defaults to "not valid"
:00476B40 8B45FC
mov eax, dword ptr [ebp-04]
:00476B43 E814F0FFFF call 00475B5C
<<---- called on the object; its body is not in this listing
:00476B48 8B55FC
mov edx, dword ptr [ebp-04]
:00476B4B 81C2A4000000 add edx, 000000A4
:00476B51 B8886B4700 mov eax,
00476B88
:00476B56 E8D1BEF8FF call 00402A2C
<<---- compares the field at object+A4h (labelled address1 in 00475E20) with a constant at 00476B88; presumably a string compare -- helper and constant are not shown
:00476B5B 85C0
test eax, eax
:00476B5D 7F20
jg 00476B7F
<<---- a positive compare result rejects outright (signed jg)
:00476B5F 8D55F0
lea edx, dword ptr [ebp-10]
:00476B62 8B45FC
mov eax, dword ptr [ebp-04]
:00476B65 E8B6F2FFFF call 00475E20
<<-----
subroutine that derives the expected license number from the registration text and writes it to [ebp-10]
:00476B6A 8B45F8
mov eax, dword ptr [ebp-08]
:00476B6D 8B4008
mov eax, dword ptr [eax+08] <<----- eax = the license number you typed in (as a dword)
:00476B70 3B45F0
cmp eax, dword ptr [ebp-10] <<----- [ebp-10] = the correct license number
:00476B73 750A
jne 00476B7F
<<------ mismatch -> return 0
:00476B75 837DF000 cmp
dword ptr [ebp-10], 00000000
:00476B79 7404
je 00476B7F
<<---- a derived value of 0 is never accepted: 00475E20 forces 0 when fewer than 10 letters were entered
:00476B7B C645F701 mov
[ebp-09], 01
<<---- only reached when entered == derived and derived != 0
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00476B5D(C), :00476B73(C), :00476B79(C)
|
:00476B7F 8A45F7
mov al, byte ptr [ebp-09]
:00476B82 8BE5
mov esp, ebp
:00476B84 5D
pop ebp
:00476B85 C3
ret
***************************************************************
|
; 00475E20 -- derive the expected license dword.
;   eax = object (saved at [ebp-10]); edx = out pointer (saved at [ebp-14])
; Locals: [ebp-04] = op1 (starts 12345678h), [ebp-08] = op2 (starts 87654321h),
;         [ebp-0C] = number of alphabetic characters seen so far.
; Five Pascal-string fields of the object are folded into op1/op2 by 00475D68,
; which reaches these locals through the ebp pushed before each call. Then a
; dword at object+258h is mixed in and *out = op1 + op2. If fewer than 10
; letters were seen in total, *out is overwritten with 0, which 00476B30
; rejects. The result depends only on the entered text, the dword at
; object+258h (not explained by this listing) and fixed constants.
* Referenced by a CALL at Address: subroutine that computes the regcode
|:00476B65
|
:00475E20 55
push ebp
:00475E21 8BEC
mov ebp, esp
:00475E23 83C4EC
add esp, FFFFFFEC
:00475E26 8955EC
mov dword ptr [ebp-14], edx
:00475E29 8945F0
mov dword ptr [ebp-10], eax
:00475E2C 33C0
xor eax, eax
:00475E2E 8945F4
mov dword ptr [ebp-0C], eax
<<---- letter count = 0; incremented by 00475D68 through [caller-0C]
:00475E31 C745FC78563412 mov [ebp-04], 12345678
<<---- called op1 below
:00475E38 C745F821436587 mov [ebp-08], 87654321
<<---- called op2 below; the whole derivation operates on these two accumulators
:00475E3F 55
push ebp
<<---- this frame's ebp is passed on the stack so 00475D68 can update op1/op2/count; the pop ecx after each call discards it
:00475E40 8B45F0
mov eax, dword ptr [ebp-10]
:00475E43 83C024
add eax, 00000024
<<---- name : (the field labels are the author's reading of the dialog, not something the listing proves)
:00475E46 E81DFFFFFF call 00475D68
:00475E4B 59
pop ecx
:00475E4C 55
push ebp
:00475E4D 8B45F0
mov eax, dword ptr [ebp-10]
:00475E50 83C064
add eax, 00000064 <<---- organization:
:00475E53 E810FFFFFF call 00475D68
:00475E58 59
pop ecx
:00475E59 55
push ebp
:00475E5A 8B45F0
mov eax, dword ptr [ebp-10] <<---- address1:
:00475E5D 05A4000000 add eax,
000000A4
:00475E62 E801FFFFFF call 00475D68
:00475E67 59
pop ecx
:00475E68 55
push ebp
:00475E69 8B45F0
mov eax, dword ptr [ebp-10]
:00475E6C 05E4000000 add eax,
000000E4 <<-----
address2:
:00475E71 E8F2FEFFFF call 00475D68
:00475E76 59
pop ecx
:00475E77 55
push ebp
:00475E78 8B45F0
mov eax, dword ptr [ebp-10]
:00475E7B 053C010000 add eax,
0000013C <<-----
City:
:00475E80 E8E3FEFFFF call 00475D68
:00475E85 59
pop ecx
:00475E86 8B45F0
mov eax, dword ptr [ebp-10]
:00475E89 698058020000C7000000 imul eax, dword ptr [eax+00000258],
000000C7
<<---- eax = field258 * 0C7h (199); what the dword at object+258h holds is not shown here
:00475E93 0145FC
add dword ptr [ebp-04], eax
<<---- op1 += field258 * 0C7h
:00475E96 8B45F0
mov eax, dword ptr [ebp-10]
:00475E99 8B8058020000 mov eax, dword
ptr [eax+00000258]
:00475E9F 05C7000000 add eax,
000000C7
:00475EA4 F76DF8
imul [ebp-08]
<<---- one-operand imul: edx:eax = (field258 + 0C7h) * op2; edx (high dword) is discarded
:00475EA7 8945F8
mov dword ptr [ebp-08], eax
<<---- op2 = low32((field258 + 0C7h) * op2)
:00475EAA 8B45FC
mov eax, dword ptr [ebp-04]
:00475EAD 0345F8
add eax, dword ptr [ebp-08]
:00475EB0 8B55EC
mov edx, dword ptr [ebp-14]
:00475EB3 8902
mov dword ptr [edx], eax
<<---- *out = op1 + op2: the license number. Congratulations -- but see the check that follows.
:00475EB5 837DF40A cmp
dword ptr [ebp-0C], 0000000A
:00475EB9 7D07
jge 00475EC2
<<---- fewer than 10 alphabetic characters across all five fields (signed compare) ...
:00475EBB 8B45EC
mov eax, dword ptr [ebp-14]
:00475EBE 33D2
xor edx, edx
:00475EC0 8910
mov dword ptr [eax], edx
<<---- ... -> *out = 0, which 00476B30 treats as invalid
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475EB9(C)
|
:00475EC2 8BE5
mov esp, ebp
:00475EC4 5D
pop ebp
:00475EC5 C3
ret
**********************************************************************
对用户输入信息的处理子程序 —— 逐个字符把一个字符串折叠进父过程的两个累加器(op1、op2),并统计字母个数,为计算 regcode 提供参数;父过程在 call 之前 push 了自己的 ebp,子程序通过 [ebp+08] 去访问父过程的局部变量
|
; 00475D68 -- fold one Pascal short string into the caller's accumulators.
;   eax      = pointer to the string (length byte first, then the characters)
;   [ebp+08] = the caller's ebp, pushed just before the call; the caller's
;              locals are reached through it: [caller-04] = op1,
;              [caller-08] = op2, [caller-0C] = letter count
; The string is copied to a local buffer at ebp-10Ch (length+1 <= 256 bytes,
; so the copy ends below the locals at ebp-0C), then for i = 1..len:
;   non-letters are skipped; for a letter c:
;     count++; c = upcase(c); v = (c*5 + 1) AND 0FFh
;     op1 = ROL(op1 + v, 1)        via 00475D0C
;     op2 = ROR(op2 + v, 1)        via 00475D38 (ROL by 31)
:00475D68 55
push ebp
:00475D69 8BEC
mov ebp, esp
:00475D6B 81C4F4FEFFFF add esp, FFFFFEF4
<<---- 10Ch bytes of frame: 256-byte string buffer plus the locals above it
:00475D71 56
push esi
:00475D72 57
push edi
:00475D73 8BF0
mov esi, eax
:00475D75 8DBDF4FEFFFF lea edi, dword
ptr [ebp+FFFFFEF4]
:00475D7B 33C9
xor ecx, ecx
:00475D7D 8A0E
mov cl, byte ptr [esi]
:00475D7F 41
inc ecx
<<---- ecx = length byte + 1: the length byte is copied along with the characters
:00475D80 F3
repz
:00475D81 A4
movsb
<<---- rep movsb (W32dasm shows the prefix separately): copy the string into the local buffer
:00475D82 33C0
xor eax, eax
:00475D84 8A85F4FEFFFF mov al, byte
ptr [ebp+FFFFFEF4] <<---- string length
:00475D8A 85C0
test eax, eax
:00475D8C 0F8E86000000 jle 00475E18
<<---- empty string: nothing to fold
:00475D92 8945F4
mov dword ptr [ebp-0C], eax
<<---- [ebp-0C] = characters remaining, [ebp-04] = 1-based index into the buffer
:00475D95 C745FC01000000 mov [ebp-04], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475E16(C)
|
:00475D9C 8B45FC
mov eax, dword ptr [ebp-04]
:00475D9F 8A8405F4FEFFFF mov al, byte ptr
[ebp+eax-0000010C]
<<---- al = buffer[i]
:00475DA6 8845FB
mov byte ptr [ebp-05], al
:00475DA9 807DFB61 cmp
byte ptr [ebp-05], 61 <<---- 'a'
:00475DAD 7206
jb 00475DB5
:00475DAF 807DFB7A cmp
byte ptr [ebp-05], 7A <<---- 'z'
:00475DB3 760C
jbe 00475DC1
<<---- 'a'..'z' -> process the character
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475DAD(C)
|
:00475DB5 807DFB41 cmp
byte ptr [ebp-05], 41 <<----
'A'
:00475DB9 7255
jb 00475E10
:00475DBB 807DFB5A cmp
byte ptr [ebp-05], 5A <<----
'Z'
:00475DBF 774F
ja 00475E10
<<---- anything outside 'A'..'Z' (digits, spaces, punctuation) is skipped entirely
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475DB3(C)
|
:00475DC1 8B4508
mov eax, dword ptr [ebp+08]
:00475DC4 FF40F4
inc [eax-0C]
<<---- caller's letter count++ (00475E20 requires at least 10 in total)
:00475DC7 8A45FB
mov al, byte ptr [ebp-05]
:00475DCA E8DDCCF8FF call 00402AAC
<<---- convert to upper case (RTL helper per the author; body not shown), result in al -- so case does not matter
:00475DCF 8845FB
mov byte ptr [ebp-05], al
:00475DD2 8A45FB
mov al, byte ptr [ebp-05]
:00475DD5 8D0480
lea eax, dword ptr [eax+4*eax] <<---- start of the per-character arithmetic: eax = c*5. Note!!!
:00475DD8 40
inc eax
:00475DD9 25FF000000 and eax,
000000FF
<<---- v = (c*5 + 1) AND 0FFh; the AND also discards whatever the upper bytes of eax held
:00475DDE 8B5508
mov edx, dword ptr [ebp+08]
:00475DE1 0142FC
add dword ptr [edx-04], eax <<-----
[edx-04] = op1 = op1 + ((c*5 + 1) AND 0FFh)
:00475DE4 8B4508
mov eax, dword ptr [ebp+08]
:00475DE7 83C0FC
add eax, FFFFFFFC
:00475DEA B201
mov dl, 01
:00475DEC E81BFFFFFF call 00475D0C
<<---- op1 = ROL(op1, 1)
:00475DF1 8A45FB
mov al, byte ptr [ebp-05]
:00475DF4 8D0480
lea eax, dword ptr [eax+4*eax]
:00475DF7 40
inc eax
:00475DF8 25FF000000 and eax,
000000FF
:00475DFD 8B5508
mov edx, dword ptr [ebp+08]
:00475E00 0142F8
add dword ptr [edx-08], eax
<<---- op2 += the same v
:00475E03 8B4508
mov eax, dword ptr [ebp+08]
:00475E06 83C0F8
add eax, FFFFFFF8
:00475E09 B201
mov dl, 01
:00475E0B E828FFFFFF call 00475D38
<<---- op2 = ROR(op2, 1)
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00475DB9(C), :00475DBF(C)
|
:00475E10 FF45FC
inc [ebp-04]
:00475E13 FF4DF4
dec [ebp-0C]
:00475E16 7584
jne 00475D9C
<<---- next character until the remaining count reaches 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475D8C(C)
|
:00475E18 5F
pop edi
:00475E19 5E
pop esi
:00475E1A 8BE5
mov esp, ebp
:00475E1C 5D
pop ebp
:00475E1D C3
ret
****************************************************************
|
; 00475D0C -- rotate the dword at [eax] left by dl bit positions.
;   eax = pointer to the dword (saved at [ebp-04])
;   dl  = count, 0..255 (saved at [ebp-05]); 0 leaves the value unchanged
; Implemented as dl repetitions of 00475CD8 (ROL by 1).
:00475D0C 55
push ebp
:00475D0D 8BEC
mov ebp, esp
:00475D0F 83C4F8
add esp, FFFFFFF8
:00475D12 8855FB
mov byte ptr [ebp-05], dl
:00475D15 8945FC
mov dword ptr [ebp-04], eax
:00475D18 807DFB00 cmp
byte ptr [ebp-05], 00
:00475D1C 7613
jbe 00475D31
<<---- count 0: nothing to do
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475D2F(C)
|
:00475D1E 55
push ebp
<<---- ebp is pushed and dropped around the inner call as in 00475D68; 00475CD8 does not read it
:00475D1F 8B45FC
mov eax, dword ptr [ebp-04]
:00475D22 E8B1FFFFFF call 00475CD8
<<---- ROL [eax], 1
:00475D27 59
pop ecx
:00475D28 FE4DFB
dec [ebp-05]
:00475D2B 807DFB00 cmp
byte ptr [ebp-05], 00
:00475D2F 77ED
ja 00475D1E
<<---- repeat count times (unsigned byte compare)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475D1C(C)
|
:00475D31 59
pop ecx
:00475D32 59
pop ecx
<<---- the two pops release the 8-byte frame opened by add esp, -8 (Delphi epilogue idiom)
:00475D33 5D
pop ebp
:00475D34 C3
ret
****************************************************************
; 00475CD8 -- ROL dword [eax], 1, written out with a branch.
;   eax = pointer to the dword (saved at [ebp-04])
; Bit 31 is read through the high byte ([eax+03] AND 80h). If it is set, the
; shifted value gets bit 0 set (the bit that wrapped around); otherwise it is
; a plain shift left. Net effect equals `rol dword ptr [eax], 1`.
* Referenced by a CALL at Address:
|:00475D22
|
:00475CD8 55
push ebp
:00475CD9 8BEC
mov ebp, esp
:00475CDB 83C4F8
add esp, FFFFFFF8
:00475CDE 8945FC
mov dword ptr [ebp-04], eax
:00475CE1 8B45FC
mov eax, dword ptr [ebp-04]
:00475CE4 F6400380 test
[eax+03], 80
:00475CE8 0F9545FB setne
byte ptr [ebp-05] <<----
[ebp-05] = 1 if bit 31 of the dword is set: this is the "flag" the write-up talks about -- it is just the bit that wraps around in the rotate. Read this instruction carefully; thanks to toye & bnbnf
:00475CEC 807DFB00 cmp
byte ptr [ebp-05], 00
:00475CF0 7411
je 00475D03
:00475CF2 8B45FC
mov eax, dword ptr [ebp-04]
:00475CF5 8B00
mov eax, dword ptr [eax]
:00475CF7 03C0
add eax, eax
:00475CF9 83C801
or eax, 00000001
<<---- bit 31 was set: shift left and bring it back in at bit 0
:00475CFC 8B55FC
mov edx, dword ptr [ebp-04]
:00475CFF 8902
mov dword ptr [edx], eax
:00475D01 EB05
jmp 00475D08
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475CF0(C)
|
:00475D03 8B45FC
mov eax, dword ptr [ebp-04]
:00475D06 D120
shl dword ptr [eax], 1
<<---- bit 31 was clear: plain shift
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475D01(U)
|
:00475D08 59
pop ecx
:00475D09 59
pop ecx
:00475D0A 5D
pop ebp
:00475D0B C3
ret
****************************************************************
; 00475D38 -- rotate the dword at [eax] right by dl bit positions.
;   eax = pointer to the dword (saved at [ebp-04]); dl = count (saved at [ebp-05])
; n = dl mod 32, then 00475D0C is called with count 32-n: ROL by 32-n is the
; same as ROR by n. (For n = 0 that is a full 32-bit rotation, i.e. no change.)
; 00475D68 always calls this with dl = 1.
* Referenced by a CALL at Address:
|:00475E0B
|
:00475D38 55
push ebp
:00475D39 8BEC
mov ebp, esp
:00475D3B 83C4F8
add esp, FFFFFFF8
:00475D3E 8855FB
mov byte ptr [ebp-05], dl
:00475D41 8945FC
mov dword ptr [ebp-04], eax
:00475D44 33C0
xor eax, eax
:00475D46 8A45FB
mov al, byte ptr [ebp-05]
:00475D49 251F000080 and eax,
8000001F
<<---- n = count mod 32 (compiler's signed-mod pattern; the sign bit is kept for the fix-up below)
:00475D4E 7905
jns 00475D55
<<---- always taken here: eax was zero-extended from a byte, so bit 31 is clear
:00475D50 48
dec eax
:00475D51 83C8E0
or eax, FFFFFFE0
:00475D54 40
inc eax
<<---- negative-operand fix-up of the mod; dead code for a byte count
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475D4E(C)
|
:00475D55 B220
mov dl, 20
:00475D57 2AD0
sub dl, al
<<---- dl = 32 - n
:00475D59 8B45FC
mov eax, dword ptr [ebp-04]
:00475D5C E8ABFFFFFF call 00475D0C
<<---- ROL by 32-n == ROR by n
:00475D61 59
pop ecx
:00475D62 59
pop ecx
:00475D63 5D
pop ebp
:00475D64 C3
ret
在注册子程序校验注册码时(call 00475E20),程序用输入的注册信息(五个字符串字段,加上对象偏移 258h 处的一个 dword)对两个初值 12345678 和 87654321 进行运算,最后两个累加器相加就是注册码。注意:所有字段里的字母总数不足 10 个时,00475E20 会把注册码置成 0,而 00476B30 不接受 0,所以只填数字或太短的信息永远不会通过。
这里要注意的是,对 0x12345678 和 0x87654321 这两个累加器每处理一个字母都会各做一次循环移位:00475CD8 里的 setne 只是取出 dword 的最高位(bit 31),用它决定左移后要不要把 bit 0 补上,整个子程序等价于一条 ROL 1;00475D38 则通过 ROL (32-n) 实现 ROR n(这里 n=1)。
注册算法挺容易看明白的,关键是看懂 setne 那段其实就是在实现循环移位,不要把它当成另外的标志位。
3)几点说明
(1)在分界点直接把 jne 004774C9 改成 je 004774C9 时,当次注册成功并生成 keyfile,但下次启动还是提示要求注册。原因很可能是 00476B30 有两处调用(00476BB2 和 004773FF),这个补丁只绕过了 004773FF 这一处,启动时读 keyfile 的那条路径仍然会重新计算并比对注册码;要彻底解决应按 00475E20 的算法生成正确的注册码,或者把两处调用都处理掉。另外,按列出的反汇编,jne 在 al!=0(校验通过)时跳到"not valid"的提示,跟 00476B30 的返回值含义正好相反,下手改之前最好在调试器里再确认一下这条跳转的实际方向。
(2)对于keyfile的注册方式,俺有很多地方不太明白,没概念;论坛上的winrar 和 ultraedit俺还在学习.能不能多介绍一些.
- 标 题:Diskbase 5.11的破解和注册算法(俺是新手) (18千字)
- 作 者:fengy
- 时 间:2001-5-21 18:13:26
- 链 接:http://bbs.pediy.com