软件名称:OICQ 图形留言系统 v3.2
保护方式:注册码
破解人:TAE![BCG] TAE![FCG]
软件简介:一个ascii涂鸦工具,可以在QQ上使用!
下载地址:http://software.wx88.net/down/OICQ_setup.exe
前言:现在有许多cracker初学者总是指望在内存中找到注册码,本人以前也是如此,呵呵,但现在越来越难了,所以一定要掌握软件的算法,然后自己算注册码,这样对你的水平提高有很大好处的!这次应朋友所邀破解此软件!这个软件是在软件启动时判断注册码,现在很多软件都是如此了,呵呵,广大Crack初学者一定要熟悉此类程序的跟踪方法!
它将输入的注册信息放在了注册表里,启动时读出信息,加以判断。
下断点Hmemcpy应该不难跟踪到这里:
\\ W32Dasm excerpt, 004B7C9C-004B7D39: the handler that saves the entered
\\ registration data. The enclosing routine begins before this excerpt.
\\ Register roles are read off the listing (Borland register convention:
\\ eax/edx/ecx carry the first three arguments) and hedged where not certain.
:004B7C9C B201
mov dl, 01                               \\ dl = 1: second argument of the call below (meaning not visible here)
:004B7C9E A134AE4900 mov eax,
dword ptr [0049AE34]                     \\ eax = global at 0049AE34 (presumably a class reference; the call returns an object)
:004B7CA3 E88C32FEFF call 0049AF34
:004B7CA8 8BD8
mov ebx, eax                             \\ ebx = returned object; used as the registry accessor for the rest of the block
:004B7CAA BA03000080 mov edx,
80000003                                 \\ 0x80000003 matches HKEY_USERS, consistent with the ".DEFAULT\..." path used below
:004B7CAF 8BC3
mov eax, ebx
:004B7CB1 E81E33FEFF call 0049AFD4      \\ presumably selects the root key on the object in ebx -- verify
:004B7CB6 6A40
push 00000040                            \\ uType = 0x40 (MB_ICONINFORMATION)
:004B7CB8 68487D4B00 push 004B7D48      \\ lpCaption
* Possible StringData Ref from Code Obj ->"需要重新启动OICQ图形留言系统检测注册名/码匹配?
->"敕瘢?
|
:004B7CBD 68507D4B00 push 004B7D50      \\ lpText: "restart the program to check whether name and code match"
:004B7CC2 8B45FC
mov eax, dword ptr [ebp-04]
:004B7CC5 E816FDF7FF call 004379E0      \\ presumably obtains the window handle of the form in [ebp-04] -- verify
:004B7CCA 50
push eax                                 \\ hWnd
* Reference To: user32.MessageBoxA, Ord:0000h
|
:004B7CCB E810FBF4FF Call 004077E0      \\ MessageBoxA(hWnd, lpText, lpCaption, MB_ICONINFORMATION)
:004B7CD0 B101
mov cl, 01                               \\ cl = 1: third argument of the 0049B03C call (likely "create if missing" -- verify)
* Possible StringData Ref from Code Obj ->".DEFAULT\Software\ABCSoft\Oicqpic"
\\ so the registration data is kept in the registry under this key
|
:004B7CD2 BA8C7D4B00 mov edx,
004B7D8C                                 \\ edx = key path
:004B7CD7 8BC3
mov eax, ebx
:004B7CD9 E85E33FEFF call 0049B03C      \\ opens the key (the startup check below tests this call's al result)
:004B7CDE 8D55F4
lea edx, dword ptr [ebp-0C]              \\ edx = &local string that receives the entered name
:004B7CE1 8B45FC
mov eax, dword ptr [ebp-04]
:004B7CE4 8B80E0020000 mov eax, dword
ptr [eax+000002E0]                       \\ eax = control at form+0x2E0 (presumably the name edit box)
:004B7CEA E8C99BF7FF call 004318B8      \\ reads its text into [ebp-0C]
:004B7CEF 8B4DF4
mov ecx, dword ptr [ebp-0C]              \\ ecx = name string
* Possible StringData Ref from Code Obj ->"Name"
\\ value name for the registration name
|
:004B7CF2 BAB87D4B00 mov edx,
004B7DB8
:004B7CF7 8BC3
mov eax, ebx
:004B7CF9 E8BA36FEFF call 0049B3B8      \\ writes "Name" = ecx under the key
:004B7CFE 8BCE
mov ecx, esi                             \\ ecx = esi: presumably the entered code already converted to an integer before this excerpt
* Possible StringData Ref from Code Obj ->"Pass"
\\ value name for the registration code
|
:004B7D00 BAC87D4B00 mov edx,
004B7DC8
:004B7D05 8BC3
mov eax, ebx
:004B7D07 E85037FEFF call 0049B45C      \\ writes "Pass" = ecx under the key (read back as a dword at startup)
:004B7D0C 8BC3
mov eax, ebx
:004B7D0E E8DDB1F4FF call 00402EF0      \\ presumably releases the registry object (the read path makes the same call)
:004B7D13 A1DC364C00 mov eax,
dword ptr [004C36DC]
:004B7D18 8B00
mov eax, dword ptr [eax]
:004B7D1A E89D7DF9FF call 0044FABC      \\ purpose not visible in this excerpt
:004B7D1F 33C0
xor eax, eax
:004B7D21 5A
pop edx                                  \\ edx = previously saved exception-frame pointer
:004B7D22 59
pop ecx
:004B7D23 59
pop ecx
:004B7D24 648910
mov dword ptr fs:[eax], edx              \\ fs:[0] = edx: unlinks this routine's SEH frame
:004B7D27 68417D4B00 push 004B7D41      \\ continuation address for after the cleanup below
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B7D3F(U)
|
:004B7D2C 8D45F4
lea eax, dword ptr [ebp-0C]
:004B7D2F BA02000000 mov edx,
00000002
:004B7D34 E8A3BEF4FF call 00403BDC      \\ presumably finalizes the local string(s) starting at [ebp-0C]
:004B7D39 C3
ret                                      \\ returns to the pushed continuation at 004B7D41
既然知道它将信息放入注册表,那就好办多了!程序是在启动时判断是否注册的,所以用w32dasm反编译程序,然后查找Name,第一次找到的就是上面那里,再搜索一次可以找到下面这一处:
这里就是从注册表读出注册信息,然后判断注册码是否正确,正确则不再显示“未注册”字样。
\\ W32Dasm excerpt, 004BAE43-004BAF07: the startup check. Reads "Name" and
\\ "Pass" back from the registry, calls the check routine at 004BAFB0 and
\\ caches its one-byte result in [ebx+431]; that byte alone decides whether
\\ the title shows "registered to <name>" or "(unregistered version)".
\\ The enclosing routine begins before and ends after this excerpt;
\\ esi = registry object, ebx = form object (from the listing, not certain).
* Possible StringData Ref from Code Obj ->".DEFAULT\Software\ABCSoft\Oicqpic"
|
:004BAE43 BA44AF4B00 mov edx,
004BAF44                                 \\ edx = key path (the same key the save handler writes)
:004BAE48 8BC6
mov eax, esi
:004BAE4A E8ED01FEFF call 0049B03C      \\ open the key; al = success
\\ checks whether registration data exists in the registry
:004BAE4F 84C0
test al, al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BADEA(C)
|
:004BAE51 744F
je 004BAEA2                              \\ no key: go straight to the [ebx+431] test, leaving that byte untouched
:004BAE53 8D4DFC
lea ecx, dword ptr [ebp-04]              \\ ecx = &local string that receives the name
* Possible StringData Ref from Code Obj ->"Name"
|
:004BAE56 BA70AF4B00 mov edx,
004BAF70
:004BAE5B 8BC6
mov eax, esi
:004BAE5D E88205FEFF call 0049B3E4      \\ read string value "Name"
:004BAE62 8B55FC
mov edx, dword ptr [ebp-04]
:004BAE65 8D8358040000 lea eax, dword
ptr [ebx+00000458]                       \\ [ebx+458] = name field of the form object
:004BAE6B E89C8DF4FF call 00403C0C      \\ presumably string assignment [ebx+458] := [ebp-04]
* Possible StringData Ref from Code Obj ->"Pass"
|
:004BAE70 BA80AF4B00 mov edx,
004BAF80
:004BAE75 8BC6
mov eax, esi
:004BAE77 E8F405FEFF call 0049B470      \\ read "Pass"; result in eax, stored below as a dword (an integer, not a string)
:004BAE7C 89832C040000 mov dword ptr
[ebx+0000042C], eax                      \\ [ebx+42C] = code
:004BAE82 8BC6
mov eax, esi
:004BAE84 E86780F4FF call 00402EF0      \\ presumably releases the registry object
:004BAE89 8B8B2C040000 mov ecx, dword
ptr [ebx+0000042C]                       \\ ecx = code
:004BAE8F 8B9358040000 mov edx, dword
ptr [ebx+00000458]                       \\ edx = name
:004BAE95 8BC3
mov eax, ebx                             \\ eax = form object (first argument)
:004BAE97 E814010000 call 004BAFB0      \\ check(form, name, code) -> al
\\ the routine that validates the code; listed further below
:004BAE9C 888331040000 mov byte ptr
[ebx+00000431], al \\ al (0 or 1) is the whole outcome; cached in [ebx+431]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BAE51(C)
|
:004BAEA2 80BB3104000000 cmp byte ptr [ebx+00000431],
00 \\ the only thing examined is the cached al value
:004BAEA9 743A
je 004BAEE5                              \\ 0 -> the unregistered branch at 004BAEE5
\\ not taken when the check returned nonzero
:004BAEAB A1B0494C00 mov eax,
dword ptr [004C49B0]                     \\ eax = global object at 004C49B0 (presumably the main form)
:004BAEB0 8B80E0030000 mov eax, dword
ptr [eax+000003E0]
:004BAEB6 8B80F0010000 mov eax, dword
ptr [eax+000001F0]                       \\ two dereferences deep: some sub-object of it (which one is not visible here)
:004BAEBC BA03000000 mov edx,
00000003
:004BAEC1 E8F61EFAFF call 0045CDBC      \\ purpose not visible; the result is kept on the stack across the concatenation
:004BAEC6 50
push eax
:004BAEC7 8D45F8
lea eax, dword ptr [ebp-08]              \\ eax = &local result string
:004BAECA 8B8B58040000 mov ecx, dword
ptr [ebx+00000458]                       \\ ecx = name
* Possible StringData Ref from Code Obj ->"注册人:"
|
:004BAED0 BA90AF4B00 mov edx,
004BAF90                                 \\ edx = "注册人:" ("registered to:")
:004BAED5 E8AA8FF4FF call 00403E84      \\ presumably [ebp-08] := edx + ecx (prefix followed by the name)
:004BAEDA 8B55F8
mov edx, dword ptr [ebp-08]
:004BAEDD 58
pop eax
:004BAEDE E8511EFAFF call 0045CD34      \\ presumably displays the built string on the object popped into eax
:004BAEE3 EB27
jmp 004BAF0C                             \\ skip the unregistered branch
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BAEA9(C)
|
:004BAEE5 8D55F4
lea edx, dword ptr [ebp-0C]              \\ unregistered branch: edx = &local string
:004BAEE8 A1B0494C00 mov eax,
dword ptr [004C49B0]
:004BAEED E8C669F7FF call 004318B8      \\ reads the global object's current text into [ebp-0C] (same getter the save handler uses)
:004BAEF2 8D45F4
lea eax, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->" (未注册版本)"
|
:004BAEF5 BAA0AF4B00 mov edx,
004BAFA0                                 \\ edx = " (未注册版本)" (" (unregistered version)")
:004BAEFA E8418FF4FF call 00403E40      \\ presumably appends edx to [ebp-0C]
:004BAEFF 8B55F4
mov edx, dword ptr [ebp-0C]
:004BAF02 A1B0494C00 mov eax,
dword ptr [004C49B0]
:004BAF07 E8DC69F7FF call 004318E8      \\ presumably writes the text back (setter paired with the 004318B8 getter)
那我们就去那个关键call看看吧!
\\ W32Dasm excerpt, 004BAFB0-004BB044: the registration-code check.
\\ C-like view (Borland register convention): bool check(this=eax, name=edx, code=ecx)
\\ Returns al = 1 only when code - 0x54D equals the 32-bit accumulator computed
\\ over the name below and that accumulator is nonzero. The common tail
\\ (004BB046 onward, which moves the result from bl into al and tears down the
\\ frame) is outside this excerpt.
\\ Locals: [ebp-04] = name, [ebp-08] = code, [ebp-0C] = working copy of name,
\\         [ebp-10] = remaining character count, [ebp-14] = one-character substring.
\\ Regs:   esi = accumulator, ebx = 1-based character index (reused for the result).
\\ Design note: the decision is a short pure function of (name, code) evaluated
\\ entirely on the client; nothing in it depends on a secret the program lacks.
:004BAFB0 55
push ebp
:004BAFB1 8BEC
mov ebp, esp
:004BAFB3 83C4EC
add esp, FFFFFFEC                        \\ esp -= 0x14: room for the five locals listed above
:004BAFB6 53
push ebx
:004BAFB7 56
push esi
:004BAFB8 33DB
xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BAF53(C), :004BAF5C(C)
|
:004BAFBA 895DEC
mov dword ptr [ebp-14], ebx              \\ substring local := 0
:004BAFBD 895DF4
mov dword ptr [ebp-0C], ebx              \\ working copy := 0
:004BAFC0 894DF8
mov dword ptr [ebp-08], ecx              \\ save code
:004BAFC3 8955FC
mov dword ptr [ebp-04], edx              \\ save name
:004BAFC6 8B45FC
mov eax, dword ptr [ebp-04]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BAF50(C)
|
:004BAFC9 E81E90F4FF call 00403FEC      \\ presumably adds a reference to the name string
:004BAFCE 33C0
xor eax, eax
:004BAFD0 55
push ebp
:004BAFD1 686EB04B00 push 004BB06E      \\ handler address
:004BAFD6 64FF30
push dword ptr fs:[eax]
:004BAFD9 648920
mov dword ptr fs:[eax], esp              \\ fs:[0] = esp: installs an SEH frame for the body
:004BAFDC 33F6
xor esi, esi                             \\ acc = 0
:004BAFDE 8D45F4
lea eax, dword ptr [ebp-0C]
:004BAFE1 8B55FC
mov edx, dword ptr [ebp-04]
:004BAFE4 E8678CF4FF call 00403C50      \\ presumably [ebp-0C] := name (string assignment)
:004BAFE9 8B45F4
mov eax, dword ptr [ebp-0C]
:004BAFEC E8478EF4FF call 00403E38      \\ eax = length of the working copy
:004BAFF1 85C0
test eax, eax
:004BAFF3 7E3D
jle 004BB032                             \\ empty name: skip the loop with acc = 0 (rejected below by the test esi,esi)
:004BAFF5 8945F0
mov dword ptr [ebp-10], eax              \\ remaining = length
:004BAFF8 BB01000000 mov ebx,
00000001                                 \\ index = 1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BB030(C)
|
:004BAFFD 8D45EC
lea eax, dword ptr [ebp-14]              \\ loop top: eax = &substring local (output parameter)
:004BB000 50
push eax
:004BB001 B901000000 mov ecx,
00000001                                 \\ count = 1
:004BB006 8BD3
mov edx, ebx                             \\ start = index
:004BB008 8B45F4
mov eax, dword ptr [ebp-0C]              \\ source = working copy
:004BB00B E83090F4FF call 00404040      \\ presumably substring(source, index, 1) -> [ebp-14]
:004BB010 8B45EC
mov eax, dword ptr [ebp-14]
:004BB013 E8E48FF4FF call 00403FFC      \\ presumably returns a pointer to the substring's characters
:004BB018 8A00
mov al, byte ptr [eax] \\ al = the index-th character of the name
:004BB01A 33D2
xor edx, edx \\ clear edx so the byte moved in below is zero-extended
:004BB01C 8AD0
mov dl, al
\\ dl = the character's byte value c
:004BB01E 8BCA
mov ecx, edx \\ copy c to ecx
:004BB020 0FAFCA
imul ecx, edx \\ ecx = c * c (the character value squared -- a square, not a square root)
:004BB023 8D4317
lea eax, dword ptr [ebx+17] \\ eax = index + 0x17: 0x18, 0x19, 0x1A, 0x1B, ... for the 1st, 2nd, 3rd, 4th, ... character
:004BB026 F7EE
imul esi
\\ edx:eax = eax * acc (signed); only the low 32 bits in eax are used; acc is 0 on the first pass
:004BB028 03C8
add ecx, eax \\ ecx = c*c + (index + 0x17) * acc, mod 2^32
:004BB02A 8BF1
mov esi, ecx \\ acc = ecx
:004BB02C 43
inc ebx
\\ next index; the loop runs once per character of the name
:004BB02D FF4DF0
dec [ebp-10]
:004BB030 75CB
jne 004BAFFD                             \\ until remaining == 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BAFF3(C)
|
:004BB032 8B45F8
mov eax, dword ptr [ebp-08] \\ eax = the stored code (an integer, not a string)
:004BB035 2D4D050000 sub eax,
0000054D \\ eax = code - 0x54D
:004BB03A 3BF0
cmp esi, eax \\ does acc equal code - 0x54D?
:004BB03C 7508
jne 004BB046 \\ mismatch: jump to the failure path (two bytes at 004BB046, presumably clearing ebx, before the common tail)
:004BB03E 85F6
test esi, esi
:004BB040 7404
je 004BB046 \\ a zero acc (e.g. empty name) is rejected even when the code matches
:004BB042 B301
mov bl, 01 \\ bl = 1: registered
:004BB044 EB02
jmp 004BB048 \\ to the common tail (outside this excerpt), which presumably returns bl in al
算法:
以姓名TAE!为例
A=0x54^2+0x18*0
B=0x41^2+0x19*A
C=0x45^2+0x20*B
D=0x21^2+0x21*C
SN=D+0x54D
得到注册码的简单方法:
到了 004BB032那一行,可以用下命令 ? esi+54D,即可得到正确注册码!!
一个可用的注册码:
Name:TAE!
Sn:126929743
下面这个ascii涂鸦就是用这个软件做的,呵呵!
.----.
_.'__ `.
.--(#)(##)---/#\
.' @ /###\
: , #####
`-..__.-' _.-\###/
`;_:
`"'
.'"""""`.
/, JOE ,\
// COOL! \\
`-._______.-'
___`. | .'___
(______|______)
- 标 题:OICQ 图形留言系统 v3.2注册码算法 不知有没有人贴过,呵呵! (11千字)
- 作 者:TAE!
- 时 间:2001-6-23 13:46:27
- 链 接:http://bbs.pediy.com