凌晨2:30分,总算有空安定下来写这篇教程了。 以前破过不少杀毒、加密及注册软件,但还是第一次写教程,表达可能不是很好,多看几遍吧。OK
软件:LeapFTP.EXE (这是一个上传网页的程序)版本:2.7.0.550
程序在注册成功后会将注册信息写入注册表的HKEY_CURRENT_USER\Software\LeapWare\Registry\LeapFTP下面,每次启动时都会读取并判断. 这个程序有两种注册码,并且由两段不同的程序段进行判断.
第一种:将用户名运算后与注册码比较,注册码格式 XXXXXX-XXXXXXXXXX X为数字
例:ligang 214065-1079336565 (有效的注册码哦!)
第二种:用户名任意,通过注册码来做文章. 注册码格式 XXXY-XXYX-XYXX-ABCD X为字母,Y为数字,A为XXXY中
各位ASCII之和除以1AH的余数+41H所得的ASCII码字符,B为XXYX中各位ASCII之和除以1AH的余数+41H所得的
ASCII码字符,C为XYXX中各位ASCII之和除以1AH的余数+41H所得的ASCII码字符,D为前三节ASCII之和除以1AH的
余数+41H所得的ASCII码字符.(好烦!!!) 例:ABC9-AB9C-A3CC-VVQG (有效的注册码哦!)
第一种:
破解工具:TRW,HIEW
先进入程序的注册画面填写. ^N 进入TRW设BPX HMEMCPY 然后F5,点OK,被拦下,再F5,拦下后,BD
1 PMODULE
; Caller side of the first registration check (excerpt; the enclosing
; function starts and ends outside this listing).
; The check routine at 0048738C returns a boolean in al; al = 0 takes the
; branch to 00487238.
:004871C0 E803C8FAFF call
004339C8
:004871C5 8B55F4
mov edx, dword ptr [ebp-0C] ; author's note: control arrives here after stepping out through several RETs
:004871C8 8B4DFC
mov ecx, dword ptr [ebp-04]
:004871CB 8BC3
mov eax, ebx
:004871CD E8BA010000 call
0048738C ; the registration check itself (excerpted further down the page)
:004871D2 84C0
test al, al ; al = 0 means the check failed. Author's note: forcing al to 1 passes this once,
:004871D4 7462
je 00487238 ; but after a restart the program still reports unregistered. The excerpt that follows is from inside call 0048738C.
. .
; Inside the check routine 0048738C (excerpt; lines between the shown
; instructions are elided in the original listing, marked by lone dots).
; Two calls to the comparison routine 00404014 are each followed by jne,
; so a mismatch in either part goes to 004874B5; bl is set to 1 only when
; both comparisons matched.
:00487466 E8A9CBF7FF call
00404014 ; compares the first six digits of the code (per the author)
:0048746B 7548
jne 004874B5 ; not equal -> 004874B5, skipping the success flag (listing elided after this line)
.
. :004874AA E865CBF7FF
call 00404014 ; compares the last ten digits of the code (per the author)
:004874AF 7504
jne 004874B5 ; not equal -> 004874B5, skipping the success flag
:004874B1 B301
mov bl, 01 ; bl = 1: both parts matched (presumably the value later returned in al - confirm)
:004874B3 EB02
jmp 004874B7; the listing that follows is the comparison routine 00404014 called above
; String comparison routine at 00404014, as dumped by the disassembler.
; In:   eax = pointer to the first string, edx = pointer to the second.
; Out:  the result is left in the CPU flags; the callers shown on this page
;       branch with jne right after the call, so ZF = 1 means "equal".
; Saves and restores ebx, esi, edi; eax, ecx and edx are overwritten.
; NOTE(review): the dword at [pointer-04] is read as each string's length -
; presumably the Delphi long-string length prefix; confirm against the RTL.
; NOTE(review): both operands are ordinary in-memory strings, so when this
; routine backs a licence check the expected value sits in memory next to
; the user's input (the author's original comments at 0040403D/0040403F make
; exactly this observation). A check that derives the valid code on the
; client and compares it in the clear cannot keep that code secret.
:00404014 53
push ebx
:00404015 56
push esi
:00404016 57
push edi
:00404017 89C6
mov esi, eax
:00404019 89D7
mov edi, edx
:0040401B 39D0
cmp eax, edx
; same pointer: leave with ZF = 1 (equal)
:0040401D 0F848F000000 je 004040B2
:00404023 85F6
test esi, esi
:00404025 7468
je 0040408F
; ^ first pointer is null: handled at 0040408F
:00404027 85FF
test edi, edi
:00404029 746B
je 00404096
; ^ second pointer is null: handled at 00404096
:0040402B 8B46FC
mov eax, dword ptr [esi-04]
:0040402E 8B57FC
mov edx, dword ptr [edi-04]
:00404031 29D0
sub eax, edx
; eax = len1 - len2; kept until the end to decide the result when all
; compared bytes are equal
:00404033 7702
ja 00404037
; len1 > len2 (unsigned): edx already holds the shorter length
:00404035 01C2
add edx, eax
; otherwise edx = len2 + (len1 - len2) = len1, the shorter length
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00404033(C)
|:00404037 52
push edx
; saved: shorter length, needed again for the 0-3 tail bytes
:00404038 C1EA02
shr edx, 02
; edx = number of whole dwords to compare
:0040403B 7426
je 00404063
; main loop: compares up to two dwords per iteration
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00404059(C)
|
:0040403D 8B0E
mov ecx, dword ptr [esi] ; next 4 bytes of the first string (author: inspect memory at esi here; the compare runs in several steps)
:0040403F 8B1F
mov ebx, dword ptr [edi] ; next 4 bytes of the second string (author: inspecting memory at edi shows the other operand in the clear)
:00404041 39D9
cmp ecx, ebx
:00404043 7558
jne 0040409D
:00404045 4A
dec edx
:00404046 7415
je 0040405D
:00404048 8B4E04
mov ecx, dword ptr [esi+04]
:0040404B 8B5F04
mov ebx, dword ptr [edi+04]
:0040404E 39D9
cmp ecx, ebx
:00404050 754B
jne 0040409D
:00404052 83C608
add esi, 00000008
:00404055 83C708
add edi, 00000008
:00404058 4A
dec edx
:00404059 75E2
jne 0040403D
:0040405B EB06
jmp 00404063
; dword count ran out after the first dword of an iteration: step past it
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00404046(C)
|:0040405D 83C604
add esi, 00000004
:00404060 83C704
add edi, 00000004
; tail: compare the remaining 0-3 bytes
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040403B(C), :0040405B(U)|:00404063 5A
pop edx
:00404064 83E203
and edx, 00000003
; edx = shorter length mod 4 = number of tail bytes
:00404067 7422
je 0040408B
:00404069 8B0E
mov ecx, dword ptr [esi]
:0040406B 8B1F
mov ebx, dword ptr [edi]
:0040406D 38D9
cmp cl, bl
:0040406F 7541
jne 004040B2
:00404071 4A
dec edx
:00404072 7417
je 0040408B
:00404074 38FD
cmp ch, bh
:00404076 753A
jne 004040B2
:00404078 4A
dec edx
:00404079 7410
je 0040408B
; third tail byte: isolate bits 16-23 of both dwords and compare them
:0040407B 81E30000FF00 and ebx, 00FF0000
:00404081 81E10000FF00 and ecx, 00FF0000
:00404087 39D9
cmp ecx, ebx
:00404089 7527
jne 004040B2
; every compared byte matched: the flags now come from the length
; difference still held in eax (ZF = 1 when it is zero)
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404067(C), :00404072(C), :00404079(C)|
:0040408B 01C0
add eax, eax
:0040408D EB23
jmp 004040B2
; first pointer null (eax is 0 on this path): flags from 0 - len2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00404025(C)
|:0040408F 8B57FC
mov edx, dword ptr [edi-04]
:00404092 29D0
sub eax, edx
:00404094 EB1C
jmp 004040B2
; second pointer null (edx is 0 on this path): flags from len1 - 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00404029(C)
|:00404096 8B46FC
mov eax, dword ptr [esi-04]
:00404099 29D0
sub eax, edx
:0040409B EB15
jmp 004040B2
; a dword differed: discard the saved length, then re-compare byte by byte
; so the flags reflect the first differing byte
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404043(C), :00404050(C)|:0040409D 5A
pop edx
:0040409E 38D9
cmp cl, bl
:004040A0 7510
jne 004040B2
:004040A2 38FD
cmp ch, bh
:004040A4 750C
jne 004040B2
:004040A6 C1E910
shr ecx, 10
:004040A9 C1EB10
shr ebx, 10
; upper halves shifted down (10h = 16 bits) to reach bytes 3 and 4
:004040AC 38D9
cmp cl, bl
:004040AE 7502
jne 004040B2
:004040B0 38FD
cmp ch, bh
; common exit: pop leaves the flags untouched, so the result set above
; reaches the caller
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040401D(C), :0040406F(C), :00404076(C), :00404089(C), :0040408D(U)
|:00404094(U), :0040409B(U), :004040A0(C), :004040A4(C), :004040AE(C)|
:004040B2 5F
pop edi
:004040B3 5E
pop esi
:004040B4 5B
pop ebx:004040B5 C3
ret
;程序判断比较部分返回
第二种:
:00487562 83F813
; Second check (code-only format), excerpt; the function's prologue and
; several stretches are elided in the original listing (lone dots).
; [ebp-04] is reloaded before every byte access and indexed as the code
; string. Every failed test jumps to 0048768B, which bypasses the write of
; the success flag at 00487687.
; NOTE(review): in the visible lines the four check characters are a plain
; sum-mod-1Ah over the code's own characters; no secret value and no
; user-name input take part, so the code validates itself.
cmp eax, 00000013 ; length must be 13h = 19 characters (eax presumably holds the code length, set before this excerpt)
:00487565 0F8520010000 jne 0048768B
:0048756B 8B45FC
mov eax, dword ptr [ebp-04]
:0048756E 8078042D
cmp byte ptr [eax+04], 2D ; offset 04h must be '-' (2Dh)
:00487572 0F8513010000 jne 0048768B
:00487578 8B45FC
mov eax, dword ptr [ebp-04]
:0048757B 8078092D
cmp byte ptr [eax+09], 2D ; offset 09h must be '-'
:0048757F 0F8506010000 jne 0048768B
:00487585 8B45FC
mov eax, dword ptr [ebp-04]
:00487588 80780E2D
cmp byte ptr [eax+0E], 2D ; offset 0Eh must be '-'
:0048758C 0F85F9000000 jne 0048768B
. .
; NOTE(review): the four instructions at 004875AE-004875B5 appear twice
; below with identical addresses - evidently a paste duplicate in the
; listing, not repeated code.
:004875AE 85C0
test eax, eax
:004875B0 7516
jne 004875C8
:004875B2 8B45FC
mov eax, dword ptr [ebp-04]
:004875B5 8A4418FF
mov al, byte ptr [eax+ebx-01]
:004875AE 85C0
test eax, eax
:004875B0 7516
jne 004875C8
:004875B2 8B45FC
mov eax, dword ptr [ebp-04]
:004875B5 8A4418FF
mov al, byte ptr [eax+ebx-01]
; al = character at 1-based index ebx of the code
:004875B9 E84EFFFFFF call
0048750C ; letter test (author's label); al = 0 on return rejects the code
:004875BE 84C0
test al, al
:004875C0 0F84C5000000 je 0048768B
:004875C6 EB22
jmp 004875EA .
.
:004875D9 8A4418FF
mov al, byte ptr [eax+ebx-01]
:004875DD E83EFFFFFF call
00487520 ; digit test (author's label); al = 0 on return rejects the code
:004875E2 84C0
test al, al
:004875E4 0F84A1000000 je 0048768B
. .
; Check characters: each is (sum mod 1Ah) + 41h, compared with the byte at
; offsets 0Fh..12h of the code. cdq sign-extends eax into edx for idiv.
:00487632 8BC6
mov eax, esi ; esi = sum of the ASCII codes of group 1 (per the author; accumulated in elided code)
:00487634 BB1A000000 mov ebx,
0000001A
:00487639 99
cdq:0048763A F7FB
idiv ebx
:0048763C 83C241
add edx, 00000041 ; remainder + 41h
:0048763F 8B45FC
mov eax, dword ptr [ebp-04]
:00487642 3A500F
cmp dl, byte ptr [eax+0F] ; must equal check character A (offset 0Fh)
:00487645 7544
jne 0048768B
:00487647 8BC7
mov eax, edi ; edi = sum of the ASCII codes of group 2 (per the author)
:00487649 BB1A000000 mov ebx,
0000001A
:0048764E 99
cdq:0048764F F7FB
idiv ebx
:00487651 83C241
add edx, 00000041
:00487654 8B45FC
mov eax, dword ptr [ebp-04]
:00487657 3A5010
cmp dl, byte ptr [eax+10] ; must equal check character B (offset 10h)
:0048765A 752F
jne 0048768B
:0048765C 8B45F4
mov eax, dword ptr [ebp-0C] ; [ebp-0C] = sum of the ASCII codes of group 3 (per the author)
:0048765F BB1A000000 mov ebx,
0000001A
:00487664 99
cdq:00487665 F7FB
idiv ebx
:00487667 83C241
add edx, 00000041
:0048766A 8B45FC
mov eax, dword ptr [ebp-04]
:0048766D 3A5011
cmp dl, byte ptr [eax+11] ; must equal check character C (offset 11h)
:00487670 7519
jne 0048768B
:00487672 8BC1
mov eax, ecx ; ecx = combined sum of groups 1-3 (accumulated earlier, per the author)
:00487674 B91A000000 mov ecx,
0000001A
:00487679 99
cdq:0048767A F7F9
idiv ecx
:0048767C 83C241
add edx, 00000041
:0048767F 8B45FC
mov eax, dword ptr [ebp-04]
:00487682 3A5012
cmp dl, byte ptr [eax+12] ; must equal check character D (offset 12h)
:00487685 7504
jne 0048768B
:00487687 C645FB01
mov [ebp-05], 01 ; success flag = 1 (a byte store, per the opcode C6). Author's note: character order inside a group can be arbitrary
; common exit, reached on success and on every failure above
; NOTE(review): the pops followed by the store to fs:[eax] with eax = 0 look
; like the restore of the previous exception-handler link (Delphi
; try/finally epilogue) - confirm against the elided prologue.
:0048768B 33C0
xor eax, eax
:0048768D 5A
pop edx
:0048768E 59
pop ecx
:0048768F 59
pop ecx
:00487690 648910
mov dword ptr fs:[eax], edx
:00487693 68A8764800 push
004876A8
:00487698 8D45FC
lea eax, dword ptr [ebp-04]
:0048769B E8E4C5F7FF call
00403C84
:004876A0 C3
ret
可以看出,第二种注册码完全可以手工算出来:校验位 A、B、C、D 只取决于注册码前三节自身的 ASCII 之和,既不含密钥,也不与用户名绑定。哎,我打字太慢了,现在8:00整了.
- 标 题:转载一篇破解教程(LeapFTP) (10千字)
- 作 者:duba.126.com
- 时 间:2001-3-29 12:30:58
- 链 接:http://bbs.pediy.com