软件名称:windows优化大师 v1.0.2.7
注册方式:name+phone+serial+pre-serial
软件功能:注册表修改软件
作者:鲁锦
作者主页:http://lamb.shangdu.net
作者邮箱:mailoflujin@163.net
破解者:happyhackwang
邮箱:happyhackwang@263.net
OICQ:4696993(不在线^^)
破解方式:Patch(谁想写注册机,自己写吧!算法见后)
工具:Trw,w32dasm,my head,ultraedit(to write this article),ProcDump
首先感谢刘涛涛,Ru Feng,DingBoy,看雪他们的为CRACK所做的贡献
第一步要对这个程序进行脱壳,用ProcDump Dump(full)可以脱下来(trw中pnewsec->procdump,不要rebuild PE)
原来的文件大小为:413K
脱壳后的文件大小为:0.99M
它是用ASPack 1.083压缩的,也可以用ProcDump直接脱壳
下面是反汇编的结果,配合softice,可以很容易破解
:004B30B7 E8500EF5FF call 00403F0C
:004B30BC 741D
je 004B30DB ;这个判断总是能够跳转,所以不用Patch
:004B30BE 6A10
push 00000010
* Possible StringData Ref from Code Obj ->"Windows优化大师"
|
:004B30C0 B988324B00 mov ecx, 004B3288
* Possible StringData Ref from Code Obj ->"错误!注册失败。"
|
:004B30C5 BA8C334B00 mov edx, 004B338C
......
:004B30EF E80C55F5FF call 00408600 ;关键的call
:004B30F4 8D907D590200 lea edx, dword ptr [eax+0002597D]
:004B30FA 8B0DD0CB4D00 mov ecx, dword ptr [004DCBD0]
:004B3100 0301
add eax, dword ptr [ecx]
:004B3102 33D0
xor edx, eax
:004B3104 8BC2
mov eax, edx
:004B3106 3BD8
cmp ebx, eax ;名字与注册码分别算出来的数相比较
:004B3108 741D
je 004B3127 ;(b2708)change to jmp,Patch的地方
:004B310A 6A10
push 00000010
* Possible StringData Ref from Code Obj ->"Windows优化大师"
|
:004B310C B988324B00 mov ecx, 004B3288
* Possible StringData Ref from Code Obj ->"错误!注册失败。"
|
:004B3111 BA8C334B00 mov edx, 004B338C
......
* Possible StringData Ref from Code Obj ->"注册成功。感谢您使用国产软件---您忠实的朋友“?
->"辰酢?
|
:004B31DA BAD8334B00 mov edx, 004B33D8
Patch:
004B3104 8BC2
mov eax, edx
8BC3
mov eax,ebx
现在看一下注册码的算法
:004B30EF E80C55F5FF call 00408600 ;关键的计算语句,追进去
:004B30F4 8D907D590200 lea edx, dword ptr [eax+0002597D] ;出口参数eax是用你输入的注册码计算出来的
:004B30FA 8B0DD0CB4D00 mov ecx, dword ptr [004DCBD0]
:004B3100 0301
add eax, dword ptr [ecx] ;[ecx]=FD9C,预定义的
:004B3102 33D0
xor edx, eax
;eax=eax && edx
:004B3104 8BC2
mov eax, edx
:004B3106 3BD8
cmp ebx, eax ;出口ebx是真正注册码的校验和,这里进行比较
:004B3108 741D
je 004B3127
edx=eax+2597D;
eax+=FD9C;
eax=edx&&eax;
:00408622 E8A5A6FFFF call 00402CCC ;关键
追进来可以看到:
:00402CD6 31C0
xor eax, eax ;初始化累加器
:00402CD8 31DB
xor ebx, ebx
......
:00402CDF 8A1E
mov bl, byte ptr [esi] ;esi是你输入的注册码的位置
:00402CE1 46
inc esi
:00402CE2 80FB20
cmp bl, 20 ;空格
:00402CE5 74F8
je 00402CDF
:00402CE7 B500
mov ch, 00
:00402CE9 80FB2D
cmp bl, 2D ;-
:00402CEC 7469
je 00402D57
:00402CEE 80FB2B
cmp bl, 2B ;+
:00402CF1 7466
je 00402D59
:00402CF3 80FB24
cmp bl, 24 ;$
:00402CF6 7466
je 00402D5E
:00402CF8 80FB78
cmp bl, 78 ;x
:00402CFB 7461
je 00402D5E
:00402CFD 80FB58
cmp bl, 58 ;X
:00402D00 745C
je 00402D5E
:00402D02 80FB30
cmp bl, 30 ;0
:00402D05 7513
jne 00402D1A
:00402D07 8A1E
mov bl, byte ptr [esi]
:00402D09 46
inc esi
:00402D0A 80FB78
cmp bl, 78
:00402D0D 744F
je 00402D5E
:00402D0F 80FB58
cmp bl, 58
:00402D12 744A
je 00402D5E
:00402D14 84DB
test bl, bl
:00402D16 7420
je 00402D38
:00402D18 EB04
jmp 00402D1E
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402D05(C), :00402D5C(U)
|
:00402D1A 84DB
test bl, bl
:00402D1C 7434
je 00402D52
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402D18(U), :00402D36(C)
|
:00402D1E 80EB30
sub bl, 30 ;是数字的话进行变换
:00402D21 80FB09
cmp bl, 09 ;数字的ASCII码值在30~39之间,数字在0~9之间
:00402D24 772C
ja 00402D52
:00402D26 39F8
cmp eax, edi ;eax累加和,初始化为0,edi初始化为CCCCCCC
:00402D28 7728
ja 00402D52
:00402D2A 8D0480
lea eax, dword ptr [eax+4*eax] ;eax=eax*5
:00402D2D 01C0
add eax, eax
;eax=eax*2
:00402D2F 01D8
add eax, ebx
;eax=eax+ebx
:00402D31 8A1E
mov bl, byte ptr [esi] ;取下一个字符
:00402D33 46
inc esi
:00402D34 84DB
test bl, bl
:00402D36 75E6
jne 00402D1E
注册码校验和的算法总结如下
int j =getlength(serial);
int x=0;
for (int i=0;i<j;i++)
{
char ch=serial[i];
_ebx=atoi(ch);
x*=10;
x+=_ebx;//_ebx is the number that you input
}
x+=FD9C;
_edx=x+2597D;
x=x&&_edx;
return x;
而ebx中的数是怎么算出来的?我们看看:
:004B3034 BE01000000 mov esi, 00000001 ;esi=1,字节偏移量
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3059(C)
|
:004B3039 8B45F8
mov eax, dword ptr [ebp-08] ;取得字符串的地址(字符串1)
:004B303C 0FB64430FF movzx eax, byte ptr [eax+esi-01] ;取每一个字符
:004B3041 F7EB
imul ebx ;乘,ebx初始化为1
:004B3043 05770F0000 add eax, 00000F77 ;与
:004B3048 99
cdq ;edx清零
:004B3049 33C2
xor eax, edx ;eax与edx异或,此时edx=0,所以eax不变
:004B304B 2BC2
sub eax, edx ;eax=eax-edx,eax不变
:004B304D BB40420F00 mov ebx, 000F4240 ;ebx=F4240
:004B3052 99
cdq ;edx清零
:004B3053 F7FB
idiv ebx ;除
:004B3055 8BDA
mov ebx, edx ;ebx=edx
:004B3057 46
inc esi ;增量
:004B3058 49
dec ecx ;计数器
:004B3059 75DE
jne 004B3039 ;循环
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3032(C)
|
:004B305B 8B45F4
mov eax, dword ptr [ebp-0C] ;eax是电话号码的偏移地址(字符串2)
:004B305E E8990DF5FF call
00403DFC ;取得这个字符串的长度
:004B3063 8BC8
mov ecx, eax
:004B3065 83E902
sub ecx, 00000002
:004B3068 7C2B
jl 004B3095
:004B306A 41
inc ecx ;到这里ecx是真正字符串的长度减去1,做计数器
:004B306B BE02000000 mov esi, 00000002 ;
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3093(C)
|
:004B3070 8B45F4
mov eax, dword ptr [ebp-0C] ;eax是字符串的地址
:004B3073 0FB64430FF movzx eax, byte ptr [eax+esi-01] ;从第二个字符开始取
:004B3078 F7EB
imul ebx ;乘
:004B307A 8B15D0CB4D00 mov edx, dword ptr [004DCBD0] ;
:004B3080 0302
add eax, dword ptr [edx] ;[edx]=FD9C,固定的,是预定义的
:004B3082 99
cdq ;edx清零
:004B3083 33C2
xor eax, edx ;
:004B3085 2BC2
sub eax, edx ;eax不变
:004B3087 BB40420F00 mov ebx, 000F4240 ;ebx=F4240
:004B308C 99
cdq ;edx清零
:004B308D F7FB
idiv ebx ;除
:004B308F 8BDA
mov ebx, edx ;ebx=edx
:004B3091 46
inc esi ;偏移增量
:004B3092 49
dec ecx ;计数器
:004B3093 75DB
jne 004B3070 ;循环
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3068(C)
|
:004B3095 8D837D590200 lea eax, dword ptr [ebx+0002597D] ;eax=ebx+2597D
:004B309B 8B15D0CB4D00 mov edx, dword ptr [004DCBD0] ;
:004B30A1 031A
add ebx, dword ptr [edx] ;[edx]依然是FD9C
:004B30A3 33C3
xor eax, ebx ;异或
:004B30A5 8BD8
mov ebx, eax ;ebx的数算出来了!
这里的字符串有区别:
字符串1是wanghlLamb1111111lily(其中wanghl是名字,1111111是电话号码)
字符串2是1111111lily
字符串1=名字+Lamb+电话号码+lily (Lamb,鲁锦的英文名,lily,可能是他的女朋友的名字)
字符串2=电话号码+lily
注:1:注册码必须是数字,不信你就可以试一试
2:注册申请码是由电话号码决定的,与其他的两项无关
3:在windows\system下面有个文件kernel32.ini,是这个软件建立的,是注册与否的标志!
这个文件一删除,就变成非注册版了,请看:
注册成功后接下来执行的代码如下:
* Possible StringData Ref from Code Obj ->"\System\Kernel32.ini"
|
:004B3143 BACC324B00 mov edx, 004B32CC
:004B3148 E8B70CF5FF call
00403E04
:004B314D 8B4DE8
mov ecx, dword ptr [ebp-18]
:004B3150 B201
mov dl, 01
* Possible StringData Ref from Code Obj ->"萇E"
|
:004B3152 A100494500 mov eax, dword ptr [00454900]
:004B3157 E84C18FAFF call
004549A8
:004B315C 8BF0
mov esi, eax
:004B315E 8D55E8
lea edx, dword ptr [ebp-18]
:004B3161 8BC3
mov eax, ebx
:004B3163 E8F453F5FF call
0040855C
:004B3168 8B45E8
mov eax, dword ptr [ebp-18]
:004B316B 50
push eax
* Possible StringData Ref from Code Obj ->"MaxFileCache"
|
:004B316C B9A8334B00 mov ecx, 004B33A8
* Possible StringData Ref from Code Obj ->"vcache"
......
********************************世间本无事,庸人自扰耳*************************************
- 标 题:windows优化大师 v1.0.2.7 (10千字)
- 作 者:happyhackwang
- 时 间:2001-3-11 21:03:12
- 链 接:http://bbs.pediy.com