鼠标增强工具MouseStar 2.1破解过程:
CRACKTOOLS:regshot、trw2000 1.23、W32DASM中文版、Ultraedit 8.10a、language 2000 V4.5
1、习惯性动作:安装前用REGSHOT搞一下。
2、习惯性动作:用language 2000 V4.5查文件是否加壳,所幸,没。
3、习惯性动作:用W32DASM反汇编一下,看是否有线索(即注册失败与成功的提示字符串)
所幸找到三处“感谢注册”,如下:
:0047E3A2 8D55F8
lea edx, dword ptr [ebp-08]
:0047E3A5 E88A9BF8FF call 00407F34
:0047E3AA 837DF800 cmp
dword ptr [ebp-08], 00000000
:0047E3AE 0F84C1000000 je 0047E475
:0047E3B4 8D55FC
lea edx, dword ptr [ebp-04]
:0047E3B7 A1284B4800 mov eax,
dword ptr [00484B28]
:0047E3BC 8B00
mov eax, dword ptr [eax]
:0047E3BE E861340000 call 00481824
:0047E3C3 8D55F0
lea edx, dword ptr [ebp-10]
:0047E3C6 8B83D4020000 mov eax, dword
ptr [ebx+000002D4]
:0047E3CC E8E7E6FAFF call 0042CAB8
:0047E3D1 8B45F0
mov eax, dword ptr [ebp-10] //直觉感到这里是取我们输入的注册码
:0047E3D4 8B55FC
mov edx, dword ptr [ebp-04] //则这里就有可能是真正的注册码。
:0047E3D7 E8545AF8FF call 00403E30
:0047E3DC 0F8593000000 jne 0047E475
* Possible StringData Ref from Code Obj ->"感谢注册"
|
:0047E3E2 BAB4E44700 mov edx,
0047E4B4
:0047E3E7 8B83D4020000 mov eax, dword
ptr [ebx+000002D4]
马上用TRW2000来验证一下,运行mousestar.exe,输入注册码78787878,调出TRW2000,BPX 0047E3D1,F5,
点注册,⊙_⊙,没拦下?倒,看来直觉是失误了,呵。
不怕再看下面:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00481107(C), :0048113B(U)
|
:00481153 8BC3
mov eax, ebx
:00481155 E80E030000 call 00481468
:0048115A 80BBBB04000000 cmp byte ptr [ebx+000004BB],
00
:00481161 7456
je 004811B9
* Possible StringData Ref from Code Obj ->"感谢注册"
|
:00481163 BAC4124800 mov edx,
004812C4
还有:
:004818EC 0300
add eax, dword ptr [eax]
:004818EE 0000
add byte ptr [eax], al
:004818F0 312E
xor dword ptr [esi], ebp
:004818F2 3000
xor byte ptr [eax], al
:004818F4 55
push ebp
:004818F5 8BEC
mov ebp, esp
:004818F7 33C9
xor ecx, ecx
:004818F9 51
push ecx
:004818FA 51
push ecx
:004818FB 51
push ecx
:004818FC 51
push ecx
:004818FD 53
push ebx
:004818FE 8BD8
mov ebx, eax
:00481900 33C0
xor eax, eax
:00481902 55
push ebp
:00481903 68FC194800 push 004819FC
:00481908 64FF30
push dword ptr fs:[eax]
:0048190B 648920
mov dword ptr fs:[eax], esp
:0048190E 8D55F4
lea edx, dword ptr [ebp-0C]
:00481911 8B83A4030000 mov eax, dword
ptr [ebx+000003A4]
:00481917 E89CB1FAFF call 0042CAB8
:0048191C 8B45F4
mov eax, dword ptr [ebp-0C]
:0048191F 8D55F8
lea edx, dword ptr [ebp-08]
:00481922 E80D66F8FF call 00407F34
:00481927 837DF800 cmp
dword ptr [ebp-08], 00000000
:0048192B 0F84A3000000 je 004819D4
:00481931 8D55FC
lea edx, dword ptr [ebp-04]
:00481934 8BC3
mov eax, ebx
:00481936 E8E9FEFFFF call 00481824
:0048193B 8D55F0
lea edx, dword ptr [ebp-10]
:0048193E 8B83A4030000 mov eax, dword
ptr [ebx+000003A4]
:00481944 E86FB1FAFF call 0042CAB8
:00481949 8B45F0
mov eax, dword ptr [ebp-10] //这里也象上面一样哟
:0048194C 8B55FC
mov edx, dword ptr [ebp-04] //也下个断点试试。
:0048194F E8DC24F8FF call 00403E30
//真假对比。
:00481954 757E
jne 004819D4
//暴破改这里为NOP NOP
* Possible StringData Ref from Code Obj ->"感谢注册"
|
:00481956 BA101A4800 mov edx,
00481A10
:0048195B 8B83A4030000 mov eax, dword
ptr [ebx+000003A4]
退出MouseStar,重复上次的操作,下BPX 00481949,F5,注册,YES!拦到了。
F10两次,走到0048194F上,
D EAX, 显示78787878,有门,D EDX,显示336b9f6b,明码显示?!就是它?!
抄下。BC *
重新运行MouseStar,用336b9f6b注册,出现“感谢注册”,成功。
退出MouseStar,第二次运行REGSHOT并对比:
**Original contents Maybe deleted or modified**
NONE!
**Keys&Values Modified | Added in the 2ndShot**
H.U\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}
H.U\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum
H.U\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021492-0000-0000-C000-000000000046}\Enum\Implementing: 1C 00 00 00 01 00 00 00 D1 07 07 00 05 00 1B 00 0A 00 35 00 39 00 8C 00 02 00 00 00 21 BF 5C 0E 5F D1 D0 11 83 01 00 AA 00 5B 43 83 81 45 E0 01 EE 4E D0 11 BF E9 00 AA 00 5B 43 83
H.U\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\@browselc.dll,-13138: "链接(&L)"
H.U\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\@browselc.dll,-13137: "地址(&A)"
H.U\.DEFAULT\Software\MouseStar 1.0
H.U\.DEFAULT\Software\MouseStar 1.0\Key: "336b9f6b" //呵呵,注册码在这
既然知道了比较的CALL,也就进去看看吧。先删除H.U\.DEFAULT\Software\MouseStar 1.0\Key: "336b9f6b",
让它还原成未注册版。
用W32DASM打开MouseStar.exe
进:0048194F E8DC24F8FF call 00403E30
:00403E30 53
push ebx
:00403E31 56
push esi
:00403E32 57
push edi
:00403E33 89C6
mov esi, eax
:00403E35 89D7
mov edi, edx
:00403E37 39D0
cmp eax, edx //就是这里了。
:00403E39 0F848F000000 je 00403ECE
:00403E3F 85F6
test esi, esi
:00403E41 7468
je 00403EAB
:00403E43 85FF
test edi, edi
:00403E45 746B
je 00403EB2
:00403E47 8B46FC
mov eax, dword ptr [esi-04]
:00403E4A 8B57FC
mov edx, dword ptr [edi-04]
:00403E4D 29D0
sub eax, edx
:00403E4F 7702
ja 00403E53
:00403E51 01C2
add edx, eax
好,用CRACKCODE2000做个注册机
CRACKCODE.INI内容为:
[Options]
CommandLine=mousestar.exe
Mode=2
//程序运行到00481949赋值后回0040E30对比,所以用增强模式
First_Break_Address=48194F //调用的CALL的偏移地址
First_Break_Address_Code=E8 //此CALL的第一个字节
First_Break_Address_Code_Lenth=5 //此调用语句共5个字节
Second_Break_Address=403E37 //真假码对比处的偏移地址
Second_Break_Address_Code=39 //语句的第一个字节
Second_Break_Address_Code_Lenth=2 //共有2个字节
Save_Code_Address=EDX //放真注册码的地方
测试,成功。
再试一下暴破,将:00481954处的757E改为9090,成功。
并自动写注册表H.U\.DEFAULT\Software\MouseStar 1.0\Key: "336b9f6b"
皇贤
2001.7.27
- 标 题:申请加入BCG破文第一篇:鼠标增强工具MouseStar 2.1破解过程。请老大多多指教。 (7千字)
- 作 者:皇贤
- 时 间:2001-7-27 21:46:09
- 链 接:http://bbs.pediy.com