LeapFTP 2.7.0.550

标题：转载一篇破解教程（LeapFTP) (10千字)
作者：duba.126.com
时间：2001-3-29 12:30:58
链接：http://bbs.pediy.com

凌晨2：30分，总算有空安定下来写这篇教程了。以前破过不少杀毒、加密及注册软件，但还是第一次写教程，表达可能不是很好，多看几偏吧。OK
软件：LeapFTP.EXE (这是一个上传网页的程序)版本：2.7.0.550
程序在注册成功后会将其写入注册表的HKEY_CURRENT_USER\Software\LeapWare\Registry\LeapFTP 下面,
每次启动时都回读取判断. 这个程序有两种注册码,并且由两段不同的程序段进行判断.
第一种:将用户名运算后与注册码比较,注册码格式 XXXXXX-XXXXXXXXXX X为数字
列:ligang 214065-1079336565 (有效的注册码哦!)
第二种:用户名任意,通过注册码来做文章. 注册码格式 XXXY-XXYX-XYXX-ABCD X为字母,Y为数字,A为XXXY中
各位ASCII之和除以1AH的余数+41H所得的ASCII码字符,B为XXYX中各位ASCII之和除以1AH的余数+41H所得的
ASCII码字符,C为XYXX中各位ASCII之和除以1AH的余数+41H所得的ASCII码字符,D为前三节ASCII之和除以1AH的
余数+41H所得的ASCII码字符.(好烦!!!) 列：ABC9-AB9C-A3CC-VVQG (有效的注册码哦!)第一种:破解工具：TRW,HIEW
先进入程序的注册画面添写. ^N 进入TRW设BPX HMEMCPY 然后F5,点OK,被拦下,再F5,拦下后,BD 1 PMODULE
:004871C0 E803C8FAFF call 004339C8
:004871C5 8B55F4 mov edx, dword ptr [ebp-0C] ;按F10从几处RET返回后到次
:004871C8 8B4DFC mov ecx, dword ptr [ebp-04]
:004871CB 8BC3 mov eax, ebx
:004871CD E8BA010000 call 0048738C ;!!!!追进
:004871D2 84C0 test al, al ;若AL=0就完了,将其改1可成功,但从启任然
:004871D4 7462 je 00487238 ;为UNREGSETR;call 0048738C 的进入点
. .
:00487466 E8A9CBF7FF call 00404014 ;判断前六位
:0048746B 7548 jne 004874B5 ;决不能转 . .
. :004874AA E865CBF7FF call 00404014 ;判断后10位
:004874AF 7504 jne 004874B5 ;决不能转
:004874B1 B301 mov bl, 01 ;呵,呵,可爱的1
:004874B3 EB02 jmp 004874B7;程序判断比较部分
:00404014 53 push ebx
:00404015 56 push esi
:00404016 57 push edi
:00404017 89C6 mov esi, eax
:00404019 89D7 mov edi, edx
:0040401B 39D0 cmp eax, edx
:0040401D 0F848F000000 je 004040B2
:00404023 85F6 test esi, esi
:00404025 7468 je 0040408F
:00404027 85FF test edi, edi
:00404029 746B je 00404096
:0040402B 8B46FC mov eax, dword ptr [esi-04]
:0040402E 8B57FC mov edx, dword ptr [edi-04]
:00404031 29D0 sub eax, edx
:00404033 7702 ja 00404037
:00404035 01C2 add edx, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00404033(C)
|:00404037 52 push edx
:00404038 C1EA02 shr edx, 02
:0040403B 7426 je 00404063
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00404059(C)
|
:0040403D 8B0E mov ecx, dword ptr [esi] ;下D ESI并将此处设断(因不是一次比较完)
:0040403F 8B1F mov ebx, dword ptr [edi] ;下D EDI 看见了甚麽???
:00404041 39D9 cmp ecx, ebx
:00404043 7558 jne 0040409D
:00404045 4A dec edx
:00404046 7415 je 0040405D
:00404048 8B4E04 mov ecx, dword ptr [esi+04]
:0040404B 8B5F04 mov ebx, dword ptr [edi+04]
:0040404E 39D9 cmp ecx, ebx
:00404050 754B jne 0040409D
:00404052 83C608 add esi, 00000008
:00404055 83C708 add edi, 00000008
:00404058 4A dec edx
:00404059 75E2 jne 0040403D
:0040405B EB06 jmp 00404063
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00404046(C)
|:0040405D 83C604 add esi, 00000004
:00404060 83C704 add edi, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040403B(C), :0040405B(U)|:00404063 5A pop edx
:00404064 83E203 and edx, 00000003
:00404067 7422 je 0040408B
:00404069 8B0E mov ecx, dword ptr [esi]
:0040406B 8B1F mov ebx, dword ptr [edi]
:0040406D 38D9 cmp cl, bl
:0040406F 7541 jne 004040B2
:00404071 4A dec edx
:00404072 7417 je 0040408B
:00404074 38FD cmp ch, bh
:00404076 753A jne 004040B2
:00404078 4A dec edx
:00404079 7410 je 0040408B
:0040407B 81E30000FF00 and ebx, 00FF0000
:00404081 81E10000FF00 and ecx, 00FF0000
:00404087 39D9 cmp ecx, ebx
:00404089 7527 jne 004040B2
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404067(C), :00404072(C), :00404079(C)|
:0040408B 01C0 add eax, eax
:0040408D EB23 jmp 004040B2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00404025(C)
|:0040408F 8B57FC mov edx, dword ptr [edi-04]
:00404092 29D0 sub eax, edx
:00404094 EB1C jmp 004040B2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00404029(C)
|:00404096 8B46FC mov eax, dword ptr [esi-04]
:00404099 29D0 sub eax, edx
:0040409B EB15 jmp 004040B2
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404043(C), :00404050(C)|:0040409D 5A pop edx
:0040409E 38D9 cmp cl, bl
:004040A0 7510 jne 004040B2
:004040A2 38FD cmp ch, bh
:004040A4 750C jne 004040B2
:004040A6 C1E910 shr ecx, 10
:004040A9 C1EB10 shr ebx, 10
:004040AC 38D9 cmp cl, bl
:004040AE 7502 jne 004040B2
:004040B0 38FD cmp ch, bh
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040401D(C), :0040406F(C), :00404076(C), :00404089(C), :0040408D(U)
|:00404094(U), :0040409B(U), :004040A0(C), :004040A4(C), :004040AE(C)|
:004040B2 5F pop edi
:004040B3 5E pop esi
:004040B4 5B pop ebx:004040B5 C3 ret
;程序判断比较部分返回第二种::00487562 83F813 cmp eax, 00000013 ;比较是19字符个吗
:00487565 0F8520010000 jne 0048768B
:0048756B 8B45FC mov eax, dword ptr [ebp-04]
:0048756E 8078042D cmp byte ptr [eax+04], 2D ;判断有无"-"
:00487572 0F8513010000 jne 0048768B
:00487578 8B45FC mov eax, dword ptr [ebp-04]
:0048757B 8078092D cmp byte ptr [eax+09], 2D ;同上
:0048757F 0F8506010000 jne 0048768B
:00487585 8B45FC mov eax, dword ptr [ebp-04]
:00487588 80780E2D cmp byte ptr [eax+0E], 2D ;同上
:0048758C 0F85F9000000 jne 0048768B . .
:004875AE 85C0 test eax, eax
:004875B0 7516 jne 004875C8
:004875B2 8B45FC mov eax, dword ptr [ebp-04]
:004875B5 8A4418FF mov al, byte ptr [eax+ebx-01]
:004875AE 85C0 test eax, eax
:004875B0 7516 jne 004875C8
:004875B2 8B45FC mov eax, dword ptr [ebp-04]
:004875B5 8A4418FF mov al, byte ptr [eax+ebx-01]
:004875B9 E84EFFFFFF call 0048750C ;对字符的判断
:004875BE 84C0 test al, al
:004875C0 0F84C5000000 je 0048768B
:004875C6 EB22 jmp 004875EA . .
:004875D9 8A4418FF mov al, byte ptr [eax+ebx-01]
:004875DD E83EFFFFFF call 00487520 ;对数字的判断
:004875E2 84C0 test al, al
:004875E4 0F84A1000000 je 0048768B . .
:00487632 8BC6 mov eax, esi ; ESI中是第一节区ASCII之和
:00487634 BB1A000000 mov ebx, 0000001A
:00487639 99 cdq:0048763A F7FB idiv ebx
:0048763C 83C241 add edx, 00000041 ;余数+41H
:0048763F 8B45FC mov eax, dword ptr [ebp-04]
:00487642 3A500F cmp dl, byte ptr [eax+0F] ;比较 A
:00487645 7544 jne 0048768B
:00487647 8BC7 mov eax, edi ;EDI中是第二节区ASCII之和
:00487649 BB1A000000 mov ebx, 0000001A
:0048764E 99 cdq:0048764F F7FB idiv ebx
:00487651 83C241 add edx, 00000041
:00487654 8B45FC mov eax, dword ptr [ebp-04]
:00487657 3A5010 cmp dl, byte ptr [eax+10] ;比较 B
:0048765A 752F jne 0048768B
:0048765C 8B45F4 mov eax, dword ptr [ebp-0C] ;[EBP-0C]中是第三节区ASCII之和
:0048765F BB1A000000 mov ebx, 0000001A
:00487664 99 cdq:00487665 F7FB idiv ebx
:00487667 83C241 add edx, 00000041
:0048766A 8B45FC mov eax, dword ptr [ebp-04]
:0048766D 3A5011 cmp dl, byte ptr [eax+11] ;比较 C
:00487670 7519 jne 0048768B
:00487672 8BC1 mov eax, ecx ;ECX中是第一.二.三节区ASCII之和(前面以累加)
:00487674 B91A000000 mov ecx, 0000001A
:00487679 99 cdq:0048767A F7F9 idiv ecx
:0048767C 83C241 add edx, 00000041
:0048767F 8B45FC mov eax, dword ptr [ebp-04]
:00487682 3A5012 cmp dl, byte ptr [eax+12] ;比较 D
:00487685 7504 jne 0048768B
:00487687 C645FB01 mov [ebp-05], 01 ;呵,呵,就是它了;可以看出每一节区的字符顺序可任意
:0048768B 33C0 xor eax, eax
:0048768D 5A pop edx
:0048768E 59 pop ecx
:0048768F 59 pop ecx
:00487690 648910 mov dword ptr fs:[eax], edx
:00487693 68A8764800 push 004876A8
:00487698 8D45FC lea eax, dword ptr [ebp-04]
:0048769B E8E4C5F7FF call 00403C84
:004876A0 C3 ret可以看出第二种手工都可以算出注册码哎,我打字太慢了,现在8:00整了.