Holiday Lights V5.0
程式猎人
Introduction: Holiday Lights places strings of Christmas tree bulbs around the edges
of your screen, with festive music playing in the background.
The bulbs appear on your desktop wallpaper or on top of all other windows,
so you'll feel the holiday spirit while you work on other computer tasks.
You can choose from many different bulbs and songs.
When your computer is idle, Holiday Lights can also display a screen saver
showing falling snow or other animations behind the bulbs.
Trace: name: dahuilang
RN: 01234567
It has been a long time since I traced any software. Yesterday I had nothing to do, so I started tracing this program, and found that it is really not an ordinary piece of software: tracing out its registration code takes some effort. This should be of some help to beginners, since it can inspire their thinking and show how this program is registered. Now let's start cracking it.
This program uses the registration scheme where the button only becomes clickable once the registration code is correct, so first enter RN: 0123456, set bpx hmemcpy, then type the 7, and you break in here:
|:0040AE41(C)
|
:0040ADD5 8D45C0          lea eax, dword ptr [ebp-40]
:0040ADD8 50              push eax
:0040ADD9 E8927F0000      call 00412D70
:0040ADDE 84C0            test al, al
:0040ADE0 59              pop ecx
:0040ADE1 754C            jne 0040AE2F
:0040ADE3 8D45C0          lea eax, dword ptr [ebp-40]
:0040ADE6 50              push eax
:0040ADE7 E8C462FFFF      call 004010B0
:0040ADEC 84C0            test al, al
:0040ADEE 59              pop ecx
:0040ADEF 753E            jne 0040AE2F
:0040ADF1 8D45C0          lea eax, dword ptr [ebp-40]
:0040ADF4 50              push eax
:0040ADF5 E8F6FE0000      call 0041ACF0
:0040ADFA 84C0            test al, al
:0040ADFC 59              pop ecx
:0040ADFD 7530            jne 0040AE2F
:0040ADFF 8D45C0          lea eax, dword ptr [ebp-40]
:0040AE02 50              push eax
:0040AE03 E8E8750000      call 004123F0
:0040AE08 84C0            test al, al
:0040AE0A 59              pop ecx
:0040AE0B 7522            jne 0040AE2F
:0040AE0D 8D45C0          lea eax, dword ptr [ebp-40]
:0040AE10 50              push eax
:0040AE11 E8EA210000      call 0040D000
:0040AE16 84C0            test al, al
:0040AE18 59              pop ecx
:0040AE19 7514            jne 0040AE2F
:0040AE1B 8D45C0          lea eax, dword ptr [ebp-40]
:0040AE1E 50              push eax
* Reference To: USER32.TranslateMessage, Ord:0285h
|
:0040AE1F FF1510375400    Call dword ptr [00543710]
:0040AE25 8D45C0          lea eax, dword ptr [ebp-40]
:0040AE28 50              push eax
* Reference To: USER32.DispatchMessageA, Ord:0096h
|
:0040AE29 FF1514375400    Call dword ptr [00543714]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040ADD3(U), :0040ADE1(C), :0040ADEF(C), :0040ADFD(C), :0040AE0B(C)
|:0040AE19(C)
|
:0040AE2F 8D45C0          lea eax, dword ptr [ebp-40]
:0040AE32 6A00            push 00000000
:0040AE34 6A00            push 00000000
:0040AE36 6A00            push 00000000
:0040AE38 50              push eax
* Reference To: USER32.GetMessageA, Ord:012Ch
|
:0040AE39 FF1518375400    Call dword ptr [00543718]
:0040AE3F 85C0            test eax, eax
:0040AE41 7F92            jg 0040ADD5
:0040AE43 EB28            jmp 0040AE6D
You can see many comparisons above, but once you arrive here you keep looping here and cannot get out, so breaking at this point will not give us the result we want. So how do we deal with it?
There is of course a way; different people may use different methods, and cracking also takes some luck. I first considered that this program might save its registration result in the registry, so I used Regmon to watch what the program does with the registry. After searching, I found that Regmon indeed lived up to expectations and turned up what I wanted, as follows:
HKEY_CURRENT_USER\Software\Tiger Technologies\Holiday Lights\serial number    NTFF
HKEY_CURRENT_USER\Software\Tiger Technologies\Holiday Lights\user    NTFF
Now open the registry and look for these two values. Found them? Of course not: Regmon has already shown that the program failed to read these two values, so we know that much. If registration succeeds, the program writes the registration information here and reads it back on every start; if that read succeeds it treats you as a registered user, otherwise as a trial user. So the next step is to create these two values in the registry, as follows:
serial number:01234567
user:dahuilang
Because the program reads the registry, we use TRW's load function to load the program and then set bpx regqueryvalueexa (this is the registry-reading function seen in Regmon).
The third time it breaks, you are here:
:0040EE00 55              push ebp
:0040EE01 89E5            mov ebp, esp
:0040EE03 53              push ebx
:0040EE04 56              push esi
:0040EE05 83EC08          sub esp, 00000008
:0040EE08 8B7508          mov esi, dword ptr [ebp+08]
:0040EE0B 8B5D0C          mov ebx, dword ptr [ebp+0C]
:0040EE0E C60600          mov byte ptr [esi], 00
:0040EE11 C60300          mov byte ptr [ebx], 00
:0040EE14 8D4DF0          lea ecx, dword ptr [ebp-10]
:0040EE17 6801000080      push 80000001
:0040EE1C E80FFBFFFF      call 0040E930
:0040EE21 8D4DF0          lea ecx, dword ptr [ebp-10]
:0040EE24 56              push esi
:0040EE25 6A40            push 00000040
* Possible StringData Ref from Data Obj ->"User"
|
:0040EE27 685EB55300      push 0053B55E
:0040EE2C E85FF9FFFF      call 0040E790
:0040EE31 8D4DF0          lea ecx, dword ptr [ebp-10]   <- you come out here
:0040EE34 53              push ebx
:0040EE35 6A10            push 00000010
* Possible StringData Ref from Data Obj ->"Serial Number"
|
:0040EE37 6863B55300      push 0053B563
:0040EE3C E84FF9FFFF      call 0040E790
:0040EE41 8D4DF0          lea ecx, dword ptr [ebp-10]   <- you come out here
:0040EE44 E827F9FFFF      call 0040E770
:0040EE49 803E00          cmp byte ptr [esi], 00
:0040EE4C 753A            jne 0040EE88
:0040EE4E 803B00          cmp byte ptr [ebx], 00
:0040EE51 7535            jne 0040EE88
:0040EE53 8D4DF4          lea ecx, dword ptr [ebp-0C]
:0040EE56 6802000080      push 80000002
:0040EE5B E8D0FAFFFF      call 0040E930
:0040EE60 8D4DF4          lea ecx, dword ptr [ebp-0C]
:0040EE63 56              push esi
:0040EE64 6A40            push 00000040
* Possible StringData Ref from Data Obj ->"User"
|
:0040EE66 685EB55300      push 0053B55E
:0040EE6B E820F9FFFF      call 0040E790
:0040EE70 8D4DF4          lea ecx, dword ptr [ebp-0C]
:0040EE73 53              push ebx
:0040EE74 6A10            push 00000010
* Possible StringData Ref from Data Obj ->"Serial Number"
|
:0040EE76 6863B55300      push 0053B563
:0040EE7B E810F9FFFF      call 0040E790
:0040EE80 8D4DF4          lea ecx, dword ptr [ebp-0C]
:0040EE83 E8E8F8FFFF      call 0040E770
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040EE4C(C), :0040EE51(C)
|
:0040EE88 8D65F8          lea esp, dword ptr [ebp-08]
:0040EE8B 5E              pop esi
:0040EE8C 5B              pop ebx
:0040EE8D 5D              pop ebp
:0040EE8E C3              ret
The listing above comes from W32Dasm. If you trace dynamically with TRW you will not see this information at first; you are simply stopped twice in the code above, once for the user value and once for the serial number value, and from there the program can be traced. As soon as I saw these two values appear in memory I knew success was not far off. Now trace downwards.
:00412210 55              push ebp
:00412211 89E5            mov ebp, esp
:00412213 53              push ebx
:00412214 83EC58          sub esp, 00000058
:00412217 803D7967420000  cmp byte ptr [00426779], 00
:0041221E 750E            jne 0041222E
:00412220 C6057867420000  mov byte ptr [00426778], 00
:00412227 C6057967420001  mov byte ptr [00426779], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041221E(C)
|
:0041222E 803D64D1530000  cmp byte ptr [0053D164], 00
:00412235 7555            jne 0041228C
:00412237 803D7867420000  cmp byte ptr [00426778], 00
:0041223E 754C            jne 0041228C
:00412240 C6057867420001  mov byte ptr [00426778], 01
:00412247 8D55EC          lea edx, dword ptr [ebp-14]
:0041224A 8D45AC          lea eax, dword ptr [ebp-54]
:0041224D 52              push edx
:0041224E 50              push eax
:0041224F E8ACCBFFFF      call 0040EE00   <- you come out here
:00412254 8B45A8          mov eax, dword ptr [ebp-58]
:00412257 59              pop ecx
:00412258 3345A8          xor eax, dword ptr [ebp-58]
:0041225B 59              pop ecx
:0041225C 8D4DEC          lea ecx, dword ptr [ebp-14]
:0041225F 8945A8          mov dword ptr [ebp-58], eax
:00412262 8D45AC          lea eax, dword ptr [ebp-54]
:00412265 51              push ecx
:00412266 50              push eax
:00412267 31DB            xor ebx, ebx
:00412269 E8D2080000      call 00412B40   the key comparison routine; step into it
:0041226E 85C0            test eax, eax
:00412270 59              pop ecx
:00412271 59              pop ecx
:00412272 7507            jne 0041227B
:00412274 C745A801000000  mov [ebp-58], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412272(C)
|
:0041227B 807DA800        cmp byte ptr [ebp-58], 00
:0041227F 7505            jne 00412286
:00412281 BB01000000      mov ebx, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041227F(C)
|
:00412286 881D64D15300    mov byte ptr [0053D164], bl
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00412235(C), :0041223E(C)
|
:0041228C A064D15300      mov al, byte ptr [0053D164]
:00412291 8D65FC          lea esp, dword ptr [ebp-04]
:00412294 5B              pop ebx
:00412295 5D              pop ebp
:00412296 C3              ret
call 0040EE00 is the call to the registry-reading function, so that is where you come out of it and arrive at the comparison below. Here you find the key comparison; step into it:
:00412B40 55              push ebp
:00412B41 31C0            xor eax, eax
:00412B43 89E5            mov ebp, esp
:00412B45 53              push ebx
:00412B46 56              push esi
:00412B47 57              push edi
:00412B48 83EC10          sub esp, 00000010
:00412B4B 8B7D0C          mov edi, dword ptr [ebp+0C]
:00412B4E B9FFFFFFFF      mov ecx, FFFFFFFF
:00412B53 8B7508          mov esi, dword ptr [ebp+08]
:00412B56 C745F000000000  mov [ebp-10], 00000000
:00412B5D F2              repnz
:00412B5E AE              scasb
:00412B5F B8FEFFFFFF      mov eax, FFFFFFFE
:00412B64 29C8            sub eax, ecx
:00412B66 3D0C000000      cmp eax, 0000000C
:00412B6B 0F850E010000    jne 00412C7F
:00412B71 31DB            xor ebx, ebx
:00412B73 31D2            xor edx, edx
:00412B75 EB7B            jmp 00412BF2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C09(C)
|
:00412B77 0FBFCA          movsx ecx, dx
:00412B7A 0FBE040E        movsx eax, byte ptr [esi+ecx]
:00412B7E 2D41000000      sub eax, 00000041
:00412B83 3D35000000      cmp eax, 00000035
:00412B88 7767            ja 00412BF1
:00412B8A FF248568D25300  jmp dword ptr [4*eax+0053D268]
:00412B91 81C320A10700    add ebx, 0007A120
:00412B97 EB58            jmp 00412BF1
:00412B99 8D842000000000  lea eax, dword ptr [eax]
:00412BA0 81C3A0860100    add ebx, 000186A0
:00412BA6 EB49            jmp 00412BF1
:00412BA8 81C350C30000    add ebx, 0000C350
:00412BAE EB41            jmp 00412BF1
:00412BB0 81C310270000    add ebx, 00002710
:00412BB6 EB39            jmp 00412BF1
:00412BB8 81C388130000    add ebx, 00001388
:00412BBE EB31            jmp 00412BF1
:00412BC0 81C3E8030000    add ebx, 000003E8
:00412BC6 EB29            jmp 00412BF1
:00412BC8 81C3F4010000    add ebx, 000001F4
:00412BCE EB21            jmp 00412BF1
:00412BD0 83C364          add ebx, 00000064
:00412BD3 EB1C            jmp 00412BF1
:00412BD5 83C332          add ebx, 00000032
:00412BD8 EB17            jmp 00412BF1
:00412BDA 8D8000000000    lea eax, dword ptr [eax+00000000]
:00412BE0 83C30A          add ebx, 0000000A
:00412BE3 EB0C            jmp 00412BF1
:00412BE5 83C305          add ebx, 00000005
:00412BE8 EB07            jmp 00412BF1
:00412BEA 8D8000000000    lea eax, dword ptr [eax+00000000]
:00412BF0 43              inc ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00412B88(C), :00412B97(U), :00412BA6(U), :00412BAE(U), :00412BB6(U)
|:00412BBE(U), :00412BC6(U), :00412BCE(U), :00412BD3(U), :00412BD8(U)
|:00412BE3(U), :00412BE8(U)
|
:00412BF1 42              inc edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412B75(U)
|
:00412BF2 B9FFFFFFFF      mov ecx, FFFFFFFF
:00412BF7 89F7            mov edi, esi
:00412BF9 31C0            xor eax, eax
:00412BFB F2              repnz
:00412BFC AE              scasb
:00412BFD 0FBFC2          movsx eax, dx
:00412C00 BFFEFFFFFF      mov edi, FFFFFFFE
:00412C05 29CF            sub edi, ecx
:00412C07 39F8            cmp eax, edi
:00412C09 0F8268FFFFFF    jb 00412B77
:00412C0F 8B4D0C          mov ecx, dword ptr [ebp+0C]
:00412C12 8A4109          mov al, byte ptr [ecx+09]
:00412C15 8945EC          mov dword ptr [ebp-14], eax
:00412C18 89C8            mov eax, ecx
:00412C1A C6400900        mov [eax+09], 00
:00412C1E FF750C          push [ebp+0C]
:00412C21 E84AC30000      call 0041EF70
:00412C26 89C7            mov edi, eax
:00412C28 59              pop ecx
:00412C29 8B450C          mov eax, dword ptr [ebp+0C]
:00412C2C 8B4DEC          mov ecx, dword ptr [ebp-14]
:00412C2F 884809          mov byte ptr [eax+09], cl
:00412C32 29DF            sub edi, ebx
:00412C34 8B450C          mov eax, dword ptr [ebp+0C]
:00412C37 0509000000      add eax, 00000009
:00412C3C 50              push eax
:00412C3D E82EC30000      call 0041EF70
:00412C42 81FFFFFFFF0E    cmp edi, 0EFFFFFF
:00412C48 59              pop ecx
:00412C49 89C3            mov ebx, eax
:00412C4B 7432            je 00412C7F
:00412C4D FF750C          push [ebp+0C]
:00412C50 56              push esi
:00412C51 E82AFAFFFF      call 00412680
:00412C56 84C0            test al, al
:00412C58 59              pop ecx
:00412C59 59              pop ecx
:00412C5A 7423            je 00412C7F
:00412C5C B85F763708      mov eax, 0837765F
:00412C61 F7E7            mul edi
:00412C63 055F763708      add eax, 0837765F
:00412C68 89F8            mov eax, edi
:00412C6A 83D200          adc edx, 00000000
:00412C6D C1EA05          shr edx, 05
:00412C70 69D2E5030000    imul edx, 000003E5
:00412C76 29D0            sub eax, edx
:00412C78 39C3            cmp ebx, eax
:00412C7A 7503            jne 00412C7F
:00412C7C 897DF0          mov dword ptr [ebp-10], edi
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00412B6B(C), :00412C4B(C), :00412C5A(C), :00412C7A(C)
|
:00412C7F 8165F000004000  and dword ptr [ebp-10], 00400000
:00412C86 8B45F0          mov eax, dword ptr [ebp-10]
:00412C89 8D65F4          lea esp, dword ptr [ebp-0C]
:00412C8C 5F              pop edi
:00412C8D 5E              pop esi
:00412C8E 5B              pop ebx
:00412C8F 5D              pop ebp
:00412C90 C3              ret
This is the headquarters of the comparison. If you want a keygen for this program you should study carefully how it generates the registration code; in fact, even just to obtain a registration code for it you need to understand the generation process. I will now briefly explain how the registration code is generated.
1 First it checks whether the registration code you entered is 12 characters long.
2 It subtracts 41(H) from each character of your registration name and compares the result with 35(H); if the result is above 35(H) it goes to 00412BF1 and that character takes no part in the calculation, otherwise it goes to [4*eax+0053D268], where eax is the value just computed.
3 After this calculation you have the intermediate value ebx.
4 The first 9 digits of the registration code are converted to a number and held in edi (shown in hex).
5 edi = edi - ebx gives the edi used in step 6.
6 Below is the process that produces the second comparison value; I am sure everyone can follow it:
:00412C5C B85F763708      mov eax, 0837765F
:00412C61 F7E7            mul edi
:00412C63 055F763708      add eax, 0837765F
:00412C68 89F8            mov eax, edi
:00412C6A 83D200          adc edx, 00000000
:00412C6D C1EA05          shr edx, 05
:00412C70 69D2E5030000    imul edx, 000003E5
:00412C76 29D0            sub eax, edx
Here you get eax, which is compared with the last three digits of the registration code. If they are equal, the jump below is not taken, but that still does not mean registration succeeds. As follows:
:00412C78 39C3            cmp ebx, eax
:00412C7A 7503            jne 00412C7F
:00412C7C 897DF0          mov dword ptr [ebp-10], edi
:00412C7F 8165F000004000  and dword ptr [ebp-10], 00400000
:00412C86 8B45F0          mov eax, dword ptr [ebp-10]
Because edi here is the final return value, to make that value nonzero you must make edi AND 00400000 nonzero. Looking at an AND table, it is enough that the third hex digit of edi is 4, 5, 6, 7, C, D, E or F. With name: dahuilang I got ebx=164F, so it is enough that the third digit of the final edi is 4. That gives the first 9 digits as 00400000+164F=0040164F(H)=004200015; the calculation above then gives eax=39A, so the last three digits are 922. My registration code is now:
name:dahuilang
RN:004200015922
After entering it, registration succeeded.
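The check routine at 00412B40, as an added Python model written for this page (it is neither the author's code nor the program's): it replays the 12-character length test, the per-character loop over the name, the split of the serial into its first 9 and last 3 digits, the magic-number sequence at 00412C5C..00412C76 (0837765F is floor(2^37/997), so that block is how the compiler emitted edi mod 997), and the final `and 00400000`, which is the only thing the caller at 00412269 tests. Two assumptions are labelled in the code: the jump table at 0053D268 is not reproduced in the listing, so the per-character weights are a caller-supplied table and the usage feeds in the author's reported ebx=164F for dahuilang directly; and the routine at 00412680 is not analysed on the page, so it is assumed to accept. The value of writing the model out is what it makes visible to a defender: registration hinges on one bit of a number the user types, and the three-digit tail is a mod-997 checksum of that same number, so the scheme has no secret at all.

```python
# Added example: Python model of the serial check at 00412B40 in
# Holiday Lights V5.0, reconstructed from the W32Dasm listing above.
# This is not the program's code and not the post author's code.

MASK32 = 0xFFFFFFFF
MAGIC = 0x0837765F      # 00412C5C: floor(2**37 / 997), a magic-number divisor
REG_BIT = 0x00400000    # 00412C7F: the only bit of the result the caller tests


def name_weight(name, table):
    """Model of the loop 00412B77..00412C09.

    ebx accumulates one constant per character; characters whose value
    minus 41h is above 35h (unsigned) are skipped by `ja 00412BF1`.
    `table` maps a character to its add-to-ebx constant. It stands in for
    the jump table at 0053D268, whose contents the listing does not show
    (ASSUMPTION: the caller supplies it).
    """
    ebx = 0
    for ch in name:
        if ((ord(ch) - 0x41) & MASK32) > 0x35:
            continue
        ebx = (ebx + table.get(ch, 0)) & MASK32
    return ebx


def mod997_via_magic(edi):
    """Exact replay of 00412C5C..00412C76 (mul / add / adc / shr / imul / sub).

    edx:eax = 0837765F * edi + 0837765F, then edx >> 5 is floor(edi / 997)
    for every 32-bit edi, so the eax that comes out is edi mod 997.
    """
    edi &= MASK32
    product = MAGIC * edi + MAGIC        # mul edi ; add eax, MAGIC ; adc edx, 0
    edx = (product >> 32) >> 5           # high dword, then shr edx, 05
    edx = (edx * 0x3E5) & MASK32         # imul edx, 000003E5
    return (edi - edx) & MASK32          # mov eax, edi ; sub eax, edx


def check_serial(serial, weight):
    """Model of 00412B40 given the name weight ebx.

    Returns what the routine leaves in eax: [ebp-10] & 00400000, where
    [ebp-10] is the adjusted first-9-digit value when the tail matches and
    0 otherwise. Nonzero means the caller at 00412269 sets the registered flag.
    ASSUMPTION: 0041EF70 behaves like atoi on an all-digit string, and the
    unanalysed routine 00412680 accepts the pair.
    """
    if len(serial) != 12:                 # 00412B66: cmp eax, 0000000C
        return 0
    if not serial.isdigit():              # keeps the atoi assumption honest
        return 0
    edi = int(serial[:9])                 # [9] is zeroed, 0041EF70 on the head
    edi = (edi - weight) & MASK32         # 00412C32: sub edi, ebx
    tail = int(serial[9:])                # 0041EF70 on the last three digits
    if edi == 0x0EFFFFFF:                 # 00412C42 / 00412C4B
        return 0
    if tail != mod997_via_magic(edi):     # 00412C78: cmp ebx, eax
        return 0
    return edi & REG_BIT                  # 00412C7F: and dword ptr [ebp-10], 00400000


def is_registered(serial, weight):
    """Caller logic 0041226E..00412286: the flag is 1 iff the check returned nonzero."""
    return 1 if check_serial(serial, weight) else 0


if __name__ == "__main__":
    W = 0x164F  # the author's reported ebx for name dahuilang
    print(hex(check_serial("004200015922", W)))   # the author's pair: bit 22 set
    print(check_serial("004200015923", W))        # wrong tail: rejected
    print(check_serial("000006711003", W))        # tail correct, but edi = 1000 has bit 22 clear
```

The third sample in the usage block is the case the author warns about: a correct mod-997 tail is not enough, the adjusted 9-digit value must also have bit 22 set, which is exactly the "third hex digit is 4..7 or C..F" condition stated above.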
Crack complete.
Welcome to visit my homepage: http://programhunter.myetang.com
- Title: It has been a long time since I posted an article here, so here is one today. Comments welcome. (18K characters)
- Author: 程式猎人
- Time: 2001-3-28 20:47:43
- Link: http://bbs.pediy.com