《中华压缩 6.01》注册码破解及注册机
小弟最近在学做注册机,所以看到论坛上有位大哥贴出它的注册码,并且说它very easy!所以小弟就想试试看了!如果这位大哥觉得我做的有不妥的地方,请呼我(QQ:15319522),小弟一定赔罪!
作者:RATARICE
工具:FI、BW2000、TRW2000 1.23、W32DSM89、TC 2.0
过程:
一、 用FI检查软件,发现是用ASPack v2.001加的壳。再用prodump和caspr脱壳无果。好,想起大哥们的教诲,
于是用BW2000找到它的入口是:4FD8A4。好了,启动TRW,下BPX 4FD8A4,PDUMP。OK!
二、 经过本人的一通折腾才找到注册的代码,如下:
:004F3D27 90
nop
:004F3D28 55
push ebp
:004F3D29 8BEC
mov ebp, esp
:004F3D2B 33C9
xor ecx, ecx
:004F3D2D 51
push ecx
:004F3D2E 51
push ecx
:004F3D2F 51
push ecx
:004F3D30 51
push ecx
:004F3D31 53
push ebx
:004F3D32 8BD8
mov ebx, eax
:004F3D34 33C0
xor eax, eax
:004F3D36 55
push ebp
:004F3D37 68203E4F00 push 004F3E20
:004F3D3C 64FF30
push dword ptr fs:[eax]
:004F3D3F 648920
mov dword ptr fs:[eax], esp
:004F3D42 8D55F8
lea edx, dword ptr [ebp-08]
:004F3D45 8B83E4020000 mov eax, dword
ptr [ebx+000002E4]
:004F3D4B E840F2F3FF call 00432F90
:004F3D50 8B45F8
mov eax, dword ptr [ebp-08]
:004F3D53 50
push eax
:004F3D54 8D55F0
lea edx, dword ptr [ebp-10]
:004F3D57 8B83E0020000 mov eax, dword
ptr [ebx+000002E0]
:004F3D5D E82EF2F3FF call 00432F90
:004F3D62 8B55F0
mov edx, dword ptr [ebp-10]
:004F3D65 8D4DF4
lea ecx, dword ptr [ebp-0C]
:004F3D68 8BC3
mov eax, ebx
:004F3D6A E8C9010000 call 004F3F38
------------------->计算注册码,要追进去!
:004F3D6F 8B55F4
mov edx, dword ptr [ebp-0C]
:004F3D72 58
pop eax
:004F3D73 E8A403F1FF call 0040411C
:004F3D78 7576
jne 004F3DF0 -------------------->很明显,跳就完蛋了!
:004F3D7A B201
mov dl, 01
将这里nop掉,就可爆破!
:004F3D7C A174654700 mov eax,
dword ptr [00476574]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F3D12(C)
|
:004F3D81 E8EE28F8FF call 00476674
:004F3D86 8945FC
mov dword ptr [ebp-04], eax
:004F3D89 33C0
xor eax, eax
:004F3D8B 55
push ebp
:004F3D8C 68E93D4F00 push 004F3DE9
:004F3D91 64FF30
push dword ptr fs:[eax]
:004F3D94 648920
mov dword ptr fs:[eax], esp
:004F3D97 B101
mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\XDZHAN\ChinaZip"
|
:004F3D99 BA343E4F00 mov edx,
004F3E34
:004F3D9E 8B45FC
mov eax, dword ptr [ebp-04]
:004F3DA1 E8B22AF8FF call 00476858
* Possible StringData Ref from Code Obj ->"Real Programmers Use Pascal!"
|
:004F3DA6 B9583E4F00 mov ecx,
004F3E58
* Possible StringData Ref from Code Obj ->"Key"
|
:004F3DAB BA803E4F00 mov edx,
004F3E80
:004F3DB0 8B45FC
mov eax, dword ptr [ebp-04]
:004F3DB3 E8E42EF8FF call 00476C9C
* Possible StringData Ref from Code Obj ->"软件注册成功,谢谢您的支持!"
|
:004F3DB8 B88C3E4F00 mov eax,
004F3E8C
:004F3DBD E8E243F6FF call 004581A4
:004F3DC2 A16C005000 mov eax,
dword ptr [0050006C]
:004F3DC7 8B00
mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"中华压缩(ChinaZip)—注册版"
|
:004F3DC9 BAB03E4F00 mov edx,
004F3EB0
:004F3DCE E8EDF1F3FF call 00432FC0
:004F3DD3 33C0
xor eax, eax
:004F3DD5 5A
pop edx
:004F3DD6 59
pop ecx
:004F3DD7 59
pop ecx
:004F3DD8 648910
mov dword ptr fs:[eax], edx
:004F3DDB 68FA3D4F00 push 004F3DFA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F3DEE(U)
|
:004F3DE0 8B45FC
mov eax, dword ptr [ebp-04]
:004F3DE3 E8DCF2F0FF call 004030C4
:004F3DE8 C3
ret
:004F3DE9 E936FAF0FF jmp 00403824
:004F3DEE EBF0
jmp 004F3DE0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F3D78(C)
|
* Possible StringData Ref from Code Obj ->"注册码不正确,无法注册!"
|
:004F3DF0 B8D43E4F00 mov eax,
004F3ED4
:004F3DF5 E8AA43F6FF call 004581A4
:004F3DFA 33C0
xor eax, eax
:004F3DFC 5A
pop edx
:004F3DFD 59
pop ecx
:004F3DFE 59
pop ecx
:004F3DFF 648910
mov dword ptr fs:[eax], edx
:004F3E02 68273E4F00 push 004F3E27
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F3E25(U)
|
:004F3E07 8D45F0
lea eax, dword ptr [ebp-10]
:004F3E0A E87DFFF0FF call 00403D8C
:004F3E0F 8D45F4
lea eax, dword ptr [ebp-0C]
:004F3E12 E875FFF0FF call 00403D8C
:004F3E17 8D45F8
lea eax, dword ptr [ebp-08]
:004F3E1A E86DFFF0FF call 00403D8C
:004F3E1F C3
ret
:004F3E20 E9FFF9F0FF jmp 00403824
:004F3E25 EBE0
jmp 004F3E07
:004F3E27 5B
pop ebx
:004F3E28 8BE5
mov esp, ebp
:004F3E2A 5D
pop ebp
:004F3E2B C3
ret
************************追入CALL 004F3F38*************************
* Referenced by a CALL at Address:
|:004F3D6A
|
:004F3F38 55
push ebp
:004F3F39 8BEC
mov ebp, esp
:004F3F3B 6A00
push 00000000
:004F3F3D 6A00
push 00000000
:004F3F3F 6A00
push 00000000
:004F3F41 6A00
push 00000000
:004F3F43 6A00
push 00000000
:004F3F45 6A00
push 00000000
:004F3F47 6A00
push 00000000
:004F3F49 53
push ebx
:004F3F4A 56
push esi
:004F3F4B 57
push edi
:004F3F4C 894DF8
mov dword ptr [ebp-08], ecx
:004F3F4F 8955FC
mov dword ptr [ebp-04], edx
:004F3F52 8B45FC
mov eax, dword ptr [ebp-04]
:004F3F55 E86602F1FF call 004041C0
:004F3F5A 33C0
xor eax, eax
:004F3F5C 55
push ebp
:004F3F5D 6823404F00 push 004F4023
:004F3F62 64FF30
push dword ptr fs:[eax]
:004F3F65 648920
mov dword ptr fs:[eax], esp
:004F3F68 33F6
xor esi, esi
:004F3F6A 8D45F4
lea eax, dword ptr [ebp-0C]
:004F3F6D 8B55FC
mov edx, dword ptr [ebp-04]
:004F3F70 E8AFFEF0FF call 00403E24
:004F3F75 8B45F4
mov eax, dword ptr [ebp-0C]
:004F3F78 E88F00F1FF call 0040400C
-------------------->计算名字的长度
:004F3F7D 8BF8
mov edi, eax
:004F3F7F 85FF
test edi, edi -------------------->检查长度是否等于0
:004F3F81 7E5A
jle 004F3FDD --------------------->长度小于等于0时跳过下面的整个计算循环(此时ESI仍为0),并不是在这里直接判失败
:004F3F83 BB01000000 mov ebx,
00000001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~开始计算~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F3FDB(C)
|
:004F3F88 8B45F4
mov eax, dword ptr [ebp-0C] ------>将名字的地址给EAX
:004F3F8B 8A4418FF mov
al, byte ptr [eax+ebx-01] ---->依次取出一个名字的代码
:004F3F8F E858FFFFFF call 004F3EEC
-------------------->计算该代码是不是质数
:004F3F94 84C0
test al, al ---------------------->是则al=1,反之al=0
:004F3F96 7425
je 004F3FBD ---------------------->不是质数就跳转
:004F3F98 8D45E8
lea eax, dword ptr [ebp-18]-------
:004F3F9B 8B55F4
mov edx, dword ptr [ebp-0C] |
:004F3F9E 8A541AFF mov
dl, byte ptr [edx+ebx-01] |
:004F3FA2 E88DFFF0FF call 00403F34
| 如果是质数,将该代码转化
:004F3FA7 8B45E8
mov eax, dword ptr [ebp-18] | 成大写,若本来就是大写则
:004F3FAA 8D55EC
lea edx, dword ptr [ebp-14] | 不变
:004F3FAD E8FA48F1FF call 004088AC
|
:004F3FB2 8B55EC
mov edx, dword ptr [ebp-14] |
:004F3FB5 8D45F0
lea eax, dword ptr [ebp-10] |
:004F3FB8 E85700F1FF call 00404014
--------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F3F96(C)
|
:004F3FBD 83FB01
cmp ebx, 00000001 ---------------->看取的是不是第一个代码
:004F3FC0 740A
je 004F3FCC ---------------------->是就跳
:004F3FC2 8B45F4
mov eax, dword ptr [ebp-0C] ------>将名字的地址给EAX
:004F3FC5 0FB64418FE movzx eax,
byte ptr [eax+ebx-02] ->取前一个代码(movzx:按无符号字节零扩展)
:004F3FCA EB06
jmp 004F3FD2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F3FC0(C)
|
:004F3FCC 8B45F4
mov eax, dword ptr [ebp-0C] ------| 若是第一个
:004F3FCF 0FB600
movzx eax, byte ptr [eax]---------| 则直接取得
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F3FCA(U)
|
:004F3FD2 8DB486A8000000 lea esi, dword ptr
[esi+4*eax+000000A8] ->将代码乘4加A8再
:004F3FD9 43
inc ebx
加ESI
:004F3FDA 4F
dec edi
:004F3FDB 75AB
jne 004F3F88 ---------------------------->循环直到把名字都
取完
~~~~~~~~~~~~~~~~~~~~~~~~~~~到这结束计算~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F3F81(C)
|
:004F3FDD 8D55E4
lea edx, dword ptr [ebp-1C]
:004F3FE0 8BC6
mov eax, esi
:004F3FE2 E8894CF1FF call 00408C70
-------------------->将ESI中的数转为十进制(2)
:004F3FE7 8B4DE4
mov ecx, dword ptr [ebp-1C] ------>转化的结果
:004F3FEA 8D45F4
lea eax, dword ptr [ebp-0C]
:004F3FED 8B55F0
mov edx, dword ptr [ebp-10] ------>名字中为质数的大写排列(1)
:004F3FF0 E86300F1FF call 00404058
-------------------->将(1)+(2)= 真注册码
:004F3FF5 8B45F8
mov eax, dword ptr [ebp-08] ------>假注册码
:004F3FF8 8B55F4
mov edx, dword ptr [ebp-0C] ------>真注册码
:004F3FFB E8E0FDF0FF call 00403DE0
:004F4000 33C0
xor eax, eax
:004F4002 5A
pop edx
:004F4003 59
pop ecx
:004F4004 59
pop ecx
:004F4005 648910
mov dword ptr fs:[eax], edx
:004F4008 682A404F00 push 004F402A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F4028(U)
|
:004F400D 8D45E4
lea eax, dword ptr [ebp-1C]
:004F4010 BA05000000 mov edx,
00000005
:004F4015 E896FDF0FF call 00403DB0
:004F401A 8D45FC
lea eax, dword ptr [ebp-04]
:004F401D E86AFDF0FF call 00403D8C
:004F4022 C3
ret
:004F4023 E9FCF7F0FF jmp 00403824
:004F4028 EBE3
jmp 004F400D
:004F402A 5F
pop edi
:004F402B 5E
pop esi
:004F402C 5B
pop ebx
:004F402D 8BE5
mov esp, ebp
:004F402F 5D
pop ebp
:004F4030 C3
ret
:004F4031 8D4000
lea eax, dword ptr [eax+00]
:004F4034 55
push ebp
:004F4035 8BEC
mov ebp, esp
:004F4037 33C0
xor eax, eax
:004F4039 55
push ebp
:004F403A 6859404F00 push 004F4059
:004F403F 64FF30
push dword ptr fs:[eax]
:004F4042 648920
mov dword ptr fs:[eax], esp
:004F4045 FF0518855200 inc dword ptr
[00528518]
:004F404B 33C0
xor eax, eax
:004F404D 5A
pop edx
:004F404E 59
pop ecx
:004F404F 59
pop ecx
:004F4050 648910
mov dword ptr fs:[eax], edx
:004F4053 6860404F00 push 004F4060
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F405E(U)
|
:004F4058 C3
ret
:004F4059 E9C6F7F0FF jmp 00403824
:004F405E EBF8
jmp 004F4058
:004F4060 5D
pop ebp
:004F4061 C3
ret
:004F4062 8BC0
mov eax, eax
:004F4064 832D1885520001 sub dword ptr [00528518],
00000001
:004F406B C3
ret
三、既然已经了解了它的算法就做它的注册机吧!由于C是自学的,所以底子不是很好,有什么不对的地方还 请大哥们多指教了!!!
/*
 * Keygen reconstructed from the 004F3F38 routine in the listing above
 * (Turbo C 2.0 style: implicit-int main(), clrscr() from conio.h).
 * Reads a registration name from stdin and prints the matching code:
 * part (1) the name's "prime" characters in upper case, immediately
 * followed by part (2) the decimal value of the ESI accumulator.
 *
 * NOTE(review): gets() has no bound, so a name of 30 or more characters
 * overruns a[30] -- a stack buffer overflow in the keygen itself.
 */
main()
{char a[30];                          /* registration name buffer; no room for a longer name */
int i,b,c,esi=0,eax;                  /* esi/eax deliberately mirror the register names in the listing */
clrscr();
printf("********************The Chinazip 6.01 crack by RATARICE");
printf("********************\n\n");
printf("Please input your register name : \n");
gets(a);                              /* NOTE(review): unbounded read, see header comment */
printf("\n");
printf("You register code is : \n");
c=strlen(a);
/* Part (1): for every character whose byte value is prime, emit it in
 * upper case (mirrors the loop body at 004F3F88..004F3FBD). */
for(i=0;i<c;i++)
{
/* NOTE(review): the next line was garbled in extraction (the '<' and the
 * text after it were lost); presumably it read  for (b=2;b<a[i];)  --
 * confirm against the original post.  It is a trial division: any divisor
 * in 2..a[i]-1 means "not prime" and the character is skipped. */
for (b=2;b {if(a[i]%b==0) goto end;
else b++;}
if(a[i]<=122&&a[i]>=97) printf("%c",a[i]-32);   /* 'a'..'z' -> 'A'..'Z' */
else printf("%c",a[i]);                         /* already upper case or non-letter: unchanged */
end:;
}
i=0;                                  /* dead store: the for loop below re-initialises i */
/* Part (2): ESI accumulator, one  lea esi,[esi+4*eax+0A8h]  per character
 * (168 == 0xA8).  The first iteration uses a[0]; every later iteration i
 * uses the previous character a[i-1], exactly as the listing does at
 * 004F3FBD..004F3FD2.
 *
 * NOTE(review): the listing zero-extends the byte (movzx), but a[] here is
 * a plain char; on a compiler where char is signed, bytes >= 0x80 (e.g.
 * GBK text) give a different sum here and may behave differently in the
 * '%' test above.  Only matters for non-ASCII names. */
eax=a[0];
esi=eax*4+168;
for(i=1;i<c;i++)
{eax=a[i-1];
esi=esi+eax*4+168;
}
printf("%d\n",esi);                   /* decimal, matching the author's reading of call 00408C70 */
}
另外、当注册成功后,它在注册表里的
[HKEY_CURRENT_USER\Software\XDZHAN\ChinaZip]
填了这个:"Key"="Real Programmers Use Pascal!"。注意这个值是程序里写死的常量字符串(见上面 004F3DA6~004F3DB3 处的字符串引用),和用户名、注册码都没有关系;从防护的角度看,把一个固定的明文标志写进注册表来表示"已注册",这种设计本身就很弱。
总算好了,大功告成!!!
- 标 题:《中华压缩 6.01》注册码破解及注册机 (14千字)
- 作 者:ratarice
- 时 间:2001-8-19 22:48:44
- 链 接:http://bbs.pediy.com