破READBOOK141
程序:电脑报合订本2000配套光盘。
用W32DASM找Ref关键:0040A16A:您已经成功地注册了!
往上看,可知 0040A10F 处的对比 cmp dword ptr [ebp-04], esi 是关键。
姓 名:zest
注册码:12345678(hex=bc614e)
下bpx 0040a10f
?[ebp-04]=bc614e(dec=12345678)
?esi=8907821a(dec=2298970650)
填写2298970650 OK!
耗时3分钟。
===================================================================================
注:
-----------------------------------------------------------------------------------
1、填写姓名zest注册码12345678按OK后程序会在ReadBook.ini的[File]加上User和Register。
User=zest Register=-8625359(经变形处理),你可bpx 409FAE(程序下面第一行)中断,
suspend打开ReadBook.ini看看。
-----------------------------------------------------------------------------------
2、程序启动时会在ReadBook.ini的[File]找User和Register项,
找User用GetPrivateProfileStringA找Register用GetPrivateProfileIntA。
-----------------------------------------------------------------------------------
3、如发现在ReadBook.ini的[File]中无User项,在00409FC9处不跳,将在Favorites.ini中找
NowDay(记录最后运行日期),与今天日期相比,如不等,出注册提示框,如等,无提示。
程序退出后,写今天日期入NowDay。相当于每天只在第一次运行READBOOK时出现注册框。
-----------------------------------------------------------------------------------
4、0040A044~0040A077计算变换zest,取姓名的A个字符进行变换,不足A的用20代替,计算过
程见下面,我不写了,自己分析。
-----------------------------------------------------------------------------------
5、RegisterEncryptMode用来还原Register=-8625359。
如果ReadBook.ini的[File]无RegisterEncryptMode项,用GetDiskFreeSpaceA(C盘的)还原,
如有RegisterEncryptMode项,例如RegisterEncryptMode=1,则用GlobalMemoryStatus还原。
你可加上试试,注册码不变,但位于ReadBook.ini的[File]的Register值会变。
估计作者会改变RegisterEncryptMode的值来加密Register的值,但好像意义不大。
用GetDiskFreeSpaceA还原时所用的两个返回值不知是什么,见0040A0E1~0040A0E4,是否是
total number of clusters on the disk 和 the number of sectors in a cluster
on the disk?
我的值是fff6和40,此外,进栈GetDiskFreeSpaceA的1234,8888等何用?请指教。
-----------------------------------------------------------------------------------
6、注册码有fff个,见0040A10F~0040A12F,运算查表计算。
-----------------------------------------------------------------------------------
7、注册码有误,会用WritePrivateProfileStringA删除临时加入ReadBook.ini/[File]的User
和Register项。
-----------------------------------------------------------------------------------
8、姓名:zest 部分注册码:2298970650 3507406439 65711848 316971046等
===================================================================================
; W32DASM dead-listing excerpt of the READBOOK141 registration check (00409FAE-0040A1E5).
; This is disassembler output, not assemblable source: each row is address / opcode
; bytes / mnemonic, and the listing's line wrapping splits many instructions over two
; physical lines. Rows starting with "==>" are the analyst's annotations; the values
; quoted there were observed under a debugger for User=zest, Register=12345678
; (0xbc614e) and depend on the machine the program was run on.
; Register roles in this stretch: edi -> ini section name "File" (set at 00409FAE),
; ebx = 0 (00409FBE), esi = value derived from the user name (0040A050-0040A077),
; [ebp-04] = Register value read from the ini (0040A09B).
* Possible StringData Ref from Data Obj ->"File"
|
:00409FAE BF98344600 mov edi,
00463498
* Possible StringData Ref from Data Obj ->"User"
|
:00409FB3 68A0384600 push
004638A0
:00409FB8 57
push edi
:00409FB9 E857D30000 call
00417315==>reads the User entry via GetPrivateProfileStringA (here: zest)
:00409FBE 33DB
xor ebx, ebx ==>ebx = 0; eax = length of "zest" = 4
:00409FC0 83C41C
add esp, 0000001C
:00409FC3 389D44FFFFFF cmp byte ptr
[ebp+FFFFFF44], bl==>[ebp+FFFFFF44] holds "zest" (7A 65 73 74)
:00409FC9 756D
jne 0040A038
==>taken when a User entry exists; the fall-through path checks NowDay (omitted)
......
......
......
:0040A038 8D8544FFFFFF lea eax, dword
ptr [ebp+FFFFFF44]==>jump target
:0040A03E 50
push eax ==>push pointer to the name buffer ("zest")
:0040A03F E8829B0200 call
00433BC6 big==>converts upper-case letters to lower-case
:0040A044 8B8548FFFFFF mov eax, dword
ptr [ebp+FFFFFF48]==>20202000 (name buffer bytes 4..7)
:0040A04A 8B8D4CFFFFFF mov ecx, dword
ptr [ebp+FFFFFF4C]==>20202020 (bytes 8..11)
:0040A050 8BB544FFFFFF mov esi, dword
ptr [ebp+FFFFFF44]==>7473657A ("zest", bytes 0..3)
:0040A056 03C1
add eax, ecx
==>= 40404020
:0040A058 038550FFFFFF add eax, dword
ptr [ebp+FFFFFF50]==>+ bytes 12..15, = 60606040
:0040A05E 69F631750000 imul esi,
00007531 ==>= 07772e5a
:0040A064 69C031750000 imul eax,
00007531 ==>= 7e6fac40
* Possible StringData Ref from Data Obj ->"BIN_OR_TEXT"
|
:0040A06A C704240C334600 mov dword ptr [esp],
0046330C
:0040A071 68B5000000 push
000000B5
:0040A076 53
push ebx
:0040A077 2BF0
sub esi, eax
==>= 8907821a  (the value the decoded Register entry must equal; see 0040A10F)
* Reference To: KERNEL32.FindResourceA, Ord:00A3h
|
:0040A079 FF1534124500 Call dword
ptr [00451234]
:0040A07F 50
push eax
:0040A080 53
push ebx
* Reference To: KERNEL32.LoadResource, Ord:01C7h
|
:0040A081 FF153C124500 Call dword
ptr [0045123C]
* Possible StringData Ref from Data Obj ->"Register"
|
:0040A087 6894384600 push
00463894
:0040A08C 57
push edi ==>edi -> "File" section name
:0040A08D 8945EC
mov dword ptr [ebp-14], eax
:0040A090 E8A2D20000 call
00417337==>reads the Register entry via GetPrivateProfileIntA
==>eax = ff7c6331 (dec -8625359)
* Possible StringData Ref from Data Obj ->"RegisterEncryptMode"
|
:0040A095 6880384600 push
00463880==>start of the Register decoding
:0040A09A 57
push edi ==>edi -> "File" section name
:0040A09B 8945FC
mov dword ptr [ebp-04], eax
:0040A09E C745F412320000 mov [ebp-0C], 00003212
:0040A0A5 C745E434120000 mov [ebp-1C], 00001234
:0040A0AC C745E888880000 mov [ebp-18], 00008888
:0040A0B3 C745F023230000 mov [ebp-10], 00002323
:0040A0BA E878D20000 call
00417337==>reads RegisterEncryptMode (annotated as GetPrivateProfileStringA, but it is the same wrapper called at 0040A090)
:0040A0BF 83C410
add esp, 00000010
:0040A0C2 85C0
test eax, eax
:0040A0C4 7524
jne 0040A0EA ==>taken when a value came back in eax; falls through when the entry is absent
:0040A0C6 8D45F0
lea eax, dword ptr [ebp-10]==>&[ebp-10] (preset 00002323)
:0040A0C9 50
push eax
:0040A0CA 8D45E8
lea eax, dword ptr [ebp-18]==>&[ebp-18] (preset 00008888)
:0040A0CD 50
push eax
:0040A0CE 8D45E4
lea eax, dword ptr [ebp-1C]==>&[ebp-1C] (preset 00001234)
:0040A0D1 50
push eax
:0040A0D2 8D45F4
lea eax, dword ptr [ebp-0C]==>&[ebp-0C] (preset 00003212)
:0040A0D5 50
push eax
* Possible StringData Ref from Data Obj ->"C:\"
|
:0040A0D6 6860374600 push
00463760==>root path "C:\"
* Reference To: KERNEL32.GetDiskFreeSpaceA, Ord:0100h
|
:0040A0DB FF15F8114500 Call dword
ptr [004511F8] ==>key source 1: GetDiskFreeSpaceA
; The push order (right-to-left) lines up with the Win32 prototype
; GetDiskFreeSpaceA(lpRootPathName, lpSectorsPerCluster, lpBytesPerSector,
;                   lpNumberOfFreeClusters, lpTotalNumberOfClusters), i.e.
;   [ebp-0C] <- sectors per cluster, [ebp-1C] <- bytes per sector,
;   [ebp-18] <- free clusters,       [ebp-10] <- total clusters.
; The presets 3212/1234/8888/2323 are only the initial contents of those output
; slots; the API overwrites them, and within this listing only [ebp-10] and
; [ebp-0C] are read back (next two instructions). The key therefore depends on
; the C: volume geometry, which is why the stored Register value is machine-specific.
:0040A0E1 8B45F0
mov eax, dword ptr [ebp-10] ==>total clusters (fff6 on the analyst's machine)
:0040A0E4 0FAF45F4
imul eax, dword ptr [ebp-0C]==>* sectors per cluster: fff6 * 40 = 3ffd80
:0040A0E8 EB19
jmp 0040A103
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A0C4(C)
|
:0040A0EA 8D45C4
lea eax, dword ptr [ebp-3C]
:0040A0ED C745C420000000 mov [ebp-3C], 00000020
:0040A0F4 50
push eax
* Reference To: KERNEL32.GlobalMemoryStatus, Ord:018Dh
|
:0040A0F5 FF15F0114500 Call dword
ptr [004511F0]==>key source 2: GlobalMemoryStatus
; [ebp-3C] = 00000020 is the structure's length field (sizeof MEMORYSTATUS = 32),
; and [ebp-30] is offset 0xC into that structure. NOTE(review): per the Win32
; layout offset 0xC is dwAvailPhys, a value that changes between runs -- confirm,
; since a key derived from it would not be stable.
:0040A0FB 8B45D0
mov eax, dword ptr [ebp-30]
:0040A0FE 05CCEDFFFF add eax,
FFFFEDCC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A0E8(U)
|
:0040A103 F7D0
not eax
==>= ffc0027f (from 3ffd80)
:0040A105 3145FC
xor dword ptr [ebp-04], eax==>decode: ff7c6331 xor ffc0027f
:0040A108 33C0
xor eax, eax ==>[ebp-04] is now bc614e (12345678); eax = 0 is the loop counter
:0040A10A A3FC544600 mov dword
ptr [004654FC], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A12A(C)
|
; Loop 0040A10F-0040A12A: esi is repeatedly bumped by a table entry selected by
; (eax & 7f) and re-compared with the decoded Register, so several Register
; values are accepted for one name (cf. note 8 above). The counter is also
; mirrored to the global at 004654FC on every iteration.
:0040A10F 3975FC
cmp dword ptr [ebp-04], esi ==>compare bc614e with 8907821a
:0040A112 741D
je 0040A131
==>equal -> registered path at 0040A131
:0040A114 8B55EC
mov edx, dword ptr [ebp-14] ==>table (the resource loaded at 0040A081)
:0040A117 8BC8
mov ecx, eax
:0040A119 83E17F
and ecx, 0000007F ==>index = eax & 7f
:0040A11C 03348A
add esi, dword ptr [edx+4*ecx]==>esi += table[index]
:0040A11F 40
inc eax
:0040A120 3DFF0F0000 cmp eax,
00000FFF ==>loop while eax < fff (unsigned)
:0040A125 A3FC544600 mov dword
ptr [004654FC], eax
:0040A12A 72E3
jb 0040A10F
:0040A12C 3975FC
cmp dword ptr [ebp-04], esi ==>final compare after the last increment
:0040A12F 7547
jne 0040A178
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A112(C)
|
; Success path: the global at 004B85A8 is set to 1 (the failure path at 0040A17F
; stores ebx = 0 there instead), menu item 8050 is removed, and -- unless the
; global at 004B85AC is zero -- the success message box is shown.
:0040A131 8B75F8
mov esi, dword ptr [ebp-08]
:0040A134 C705A8854B0001000000 mov dword ptr [004B85A8], 00000001
:0040A13E FF761C
push [esi+1C]
* Reference To: USER32.GetMenu, Ord:011Ch
|
:0040A141 FF1598154500 Call dword
ptr [00451598]
:0040A147 50
push eax
:0040A148 E81D1F0300 call
0043C06A
:0040A14D 53
push ebx
* Possible Ref to Menu: MenuID_0080, Item: "鑼(R)"
|
:0040A14E 6850800000 push
00008050
:0040A153 FF7004
push [eax+04]
* Reference To: USER32.RemoveMenu, Ord:0204h
|
:0040A156 FF158C154500 Call dword
ptr [0045158C]
:0040A15C 391DAC854B00 cmp dword
ptr [004B85AC], ebx
:0040A162 744C
je 0040A1B0
:0040A164 53
push ebx
* Possible StringData Ref from Data Obj ->"祝贺"
|
:0040A165 6878384600 push
00463878
* Possible StringData Ref from Data Obj ->"您已经成功地注册了!"
|
:0040A16A 6864384600 push
00463864
:0040A16F 8BCE
mov ecx, esi
:0040A171 E8B2F70200 call
00439928
:0040A176 EB38
jmp 0040A1B0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A12F(C)
|
; Failure path: the temporary User/Register entries are removed from the ini
; and command 8053 (WM_COMMAND, 0x111) is posted to the window at [eax+1C].
:0040A178 53
push ebx
* Possible StringData Ref from Data Obj ->"User"
|
:0040A179 68A0384600 push
004638A0
:0040A17E 57
push edi
:0040A17F 891DA8854B00 mov dword
ptr [004B85A8], ebx
:0040A185 E843D10000 call
004172CD==>registration failed: remove the User entry
:0040A18A 53
push ebx
* Possible StringData Ref from Data Obj ->"Register"
|
:0040A18B 6894384600 push
00463894
:0040A190 57
push edi
:0040A191 E837D10000 call
004172CD==>registration failed: remove the Register entry
:0040A196 8B45F8
mov eax, dword ptr [ebp-08]
:0040A199 83C418
add esp, 00000018
:0040A19C 53
push ebx
* Possible Ref to Menu: MenuID_0084, Item: "ID_VERIFY_RELEASE_ERROR"
|
:0040A19D 6853800000 push
00008053
:0040A1A2 6811010000 push
00000111
:0040A1A7 FF701C
push [eax+1C]
* Reference To: USER32.PostMessageA, Ord:01DEh
|
:0040A1AA FF1528164500 Call dword
ptr [00451628]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040A162(C), :0040A176(U)
|
:0040A1B0 891DAC854B00 mov dword
ptr [004B85AC], ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00409FD1(C), :0040A000(C), :0040A00D(C), :0040A033(U)
|
; Common epilogue: restores edi/esi/ebx saved by a prologue that lies above this excerpt.
:0040A1B6 5F
pop edi
:0040A1B7 5E
pop esi
:0040A1B8 5B
pop ebx
:0040A1B9 C9
leave
:0040A1BA C3
ret
; Separate routine 0040A1BB-0040A1E5: takes an object pointer in ecx (copied to
; esi), shows the "wrong registration code" message box via 00439928, then posts
; command 8050 (WM_COMMAND, 0x111) to the window handle at [esi+1C].
:0040A1BB 56
push esi
:0040A1BC 6A00
push 00000000
* Possible StringData Ref from Data Obj ->"错了啦!"
|
:0040A1BE 68C8384600 push
004638C8
:0040A1C3 8BF1
mov esi, ecx
* Possible StringData Ref from Data Obj ->"注册码错误,请重新填写注册码!"
|
:0040A1C5 68A8384600 push
004638A8
:0040A1CA E859F70200 call
00439928
:0040A1CF 6A00
push 00000000
* Possible Ref to Menu: MenuID_0080, Item: "鑼(R)"
|
:0040A1D1 6850800000 push
00008050
:0040A1D6 6811010000 push
00000111
:0040A1DB FF761C
push [esi+1C]
* Reference To: USER32.PostMessageA, Ord:01DEh
|
:0040A1DE FF1528164500 Call dword
ptr [00451628]
:0040A1E4 5E
pop esi
:0040A1E5 C3
ret
/\zest/\
2001.2.20
- 标 题:破READBOOK141 (13千字)
- 作 者:zest
- 时 间:2001-2-20 18:52:50
- 链 接:http://bbs.pediy.com