使用工具:SoftICE 4.05,W32Dasm白金版
说明:2001年光盘的模拟考试必须先进行注册,该光盘允许安装4台机器,获取注册号需要通过拨打电话16898173,然后输入一个14位长的数字,我听过周围的好几个人说电话注册很费劲也很麻烦,经常为了一个注册需要打好几次信息台电话,花了不少电话费,50块钱一张光盘就够贵的了,竟然还要通过信息台再挣一次钱,真是可恨,因此绝对有必要破解它。其实找出注册码的方法很多,也很容易,用SmartCheck就可以轻松搞定。
用SoftICE的破解过程:
设定好SoftICE,出现输入注册号的对话框后,输入一个12位的注册号,bpx hmemcpy或bpx rtcinputbox,按确定后,会被拦截回来,一步一步跟踪,就会找到真正的注册号。
用SmartCheck的破解过程:
设定好SmartCheck后,运行软件,出现输入注册号的对话框后,输入一个12位的注册号,按确定,当然肯定是错误,按退出,查找SmartCheck记录,就会找到注册号。
注册码的生成过程:
* Possible StringData Ref from Code Obj ->"cc:\jsjdog"
|
:0059350D 6898EE4100 push 0041EE98
...
* Reference To: MSVBVM50.__vbaFileOpen, Ord:0000h
|
:0059351E FF15CCD35D00 Call dword ptr
[005DD3CC]
* Reference To: MSVBVM50.rtcEndOfFile, Ord:023Bh
|
:00593524 8B35DCD35D00 mov esi, dword
ptr [005DD3DC]
:0059352A 6A01
push 00000001
:0059352C FFD6
call esi
:0059352E 6685C0
test ax, ax
:00593531 6A01
push 00000001
:00593533 750C
jne 00593541
:00593535 8D45A4
lea eax, dword ptr [ebp-5C]
:00593538 50
push eax
* Reference To: MSVBVM50.__vbaLineInputVar, Ord:0000h
|
:00593539 FF15A4D25D00 Call dword ptr
[005DD2A4]
:0059353F EBE9
jmp 0059352A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00593533(C)
|
* Reference To: MSVBVM50.__vbaFileClose, Ord:0000h
|
:00593541 FF1538D35D00 Call dword ptr
[005DD338]
:00593547 8D4D84
lea ecx, dword ptr [ebp-7C]
:0059354A 8D55A4
lea edx, dword ptr [ebp-5C] ====> 行输入内容地址
:0059354D 51
push ecx
:0059354E 6A04
push 00000004
:00593550 8D8574FFFFFF lea eax, dword
ptr [ebp+FFFFFF74]
:00593556 52
push edx
:00593557 50
push eax
:00593558 C7458C05000000 mov [ebp-74], 00000005
:0059355F C7458402000000 mov [ebp-7C], 00000002
* Reference To: MSVBVM50.rtcMidCharVar, Ord:0278h
|
:00593566 FF1530D35D00 Call dword ptr
[005DD330]
:0059356C 8D8D74FFFFFF lea ecx, dword
ptr [ebp+FFFFFF74]
:00593572 51
push ecx
* Reference To: MSVBVM50.__vbaR8Var, Ord:0000h
|
:00593573 FF1504D45D00 Call dword ptr
[005DD404]
:00593579 DD5DB4
fstp qword ptr [ebp-4C]
:0059357C 8D9574FFFFFF lea edx, dword
ptr [ebp+FFFFFF74]
:00593582 8D4584
lea eax, dword ptr [ebp-7C]
:00593585 52
push edx
:00593586 50
push eax
:00593587 6A02
push 00000002
* Reference To: MSVBVM50.__vbaFreeVarList, Ord:0000h
|
:00593589 FF1598D25D00 Call dword ptr
[005DD298]
:0059358F 83C40C
add esp, 0000000C
上面这段程序是打开c:\jsjdog文件,用行读入方式读取文件,从第4个字符开始取5个字符,并转成单精度格式,用VB程序表示如下:
Open "c:\jsjdos" For Input As #1
Do While Not EOF(1)
Line Input #1, DogCode$
Loop
Close #1
VeriCode=Csng(Mid(DogCode$, 4, 5))
:00593592 8D95D4FEFFFF lea edx, dword
ptr [ebp+FFFFFED4]
:00593598 8D4D84
lea ecx, dword ptr [ebp-7C]
* Possible StringData Ref from Code Obj ->"cc:\Msdos"
|
:0059359B C785DCFEFFFFC4EE4100 mov dword ptr [ebp+FFFFFEDC], 0041EEC4
:005935A5 C785D4FEFFFF08000000 mov dword ptr [ebp+FFFFFED4], 00000008
* Reference To: MSVBVM50.__vbaVarDup, Ord:0000h
|
:005935AF FF1538D45D00 Call dword ptr
[005DD438]
:005935B5 8D4D84
lea ecx, dword ptr [ebp-7C]
:005935B8 53
push ebx
:005935B9 51
push ecx
* Reference To: MSVBVM50.rtcDir, Ord:0285h
|
:005935BA FF15C0D35D00 Call dword ptr
[005DD3C0]
:005935C0 8BD0
mov edx, eax
:005935C2 8D4DA0
lea ecx, dword ptr [ebp-60]
:005935C5 FFD7
call edi
:005935C7 50
push eax
:005935C8 6818584100 push 00415818
* Reference To: MSVBVM50.__vbaStrCmp, Ord:0000h
|
:005935CD FF1548D35D00 Call dword ptr
[005DD348]
:005935D3 8BF0
mov esi, eax
:005935D5 8D4DA0
lea ecx, dword ptr [ebp-60]
:005935D8 F7DE
neg esi
:005935DA 1BF6
sbb esi, esi
:005935DC F7DE
neg esi
:005935DE F7DE
neg esi
* Reference To: MSVBVM50.__vbaFreeStr, Ord:0000h
|
:005935E0 FF1580D45D00 Call dword ptr
[005DD480]
:005935E6 8D4D84
lea ecx, dword ptr [ebp-7C]
* Reference To: MSVBVM50.__vbaFreeVar, Ord:0000h
|
:005935E9 FF157CD25D00 Call dword ptr
[005DD27C]
:005935EF 663BF3
cmp si, bx ====> 是否存在"c:\Msdos"
:005935F2 743C
je 00593630 ====> 不存在,则转
* Possible StringData Ref from Code Obj ->"cc:\Msdos"
|
:005935F4 68C4EE4100 push 0041EEC4
:005935F9 6A01
push 00000001
:005935FB 6AFF
push FFFFFFFF
:005935FD 6A01
push 00000001
* Reference To: MSVBVM50.__vbaFileOpen, Ord:0000h
|
:005935FF FF15CCD35D00 Call dword ptr
[005DD3CC]
:00593605 8D55CC
lea edx, dword ptr [ebp-34]
:00593608 6A01
push 00000001
:0059360A 52
push edx
* Reference To: MSVBVM50.__vbaLineInputVar, Ord:0000h
|
:0059360B FF15A4D25D00 Call dword ptr
[005DD2A4]
:00593611 6A01
push 00000001
* Reference To: MSVBVM50.__vbaFileClose, Ord:0000h
|
:00593613 FF1538D35D00 Call dword ptr
[005DD338]
:00593619 6A07
push 00000007 ====> 属性值为7,即系统、只读、隐含
* Possible StringData Ref from Code Obj ->"cc:\msdos"
|
:0059361B 6800584100 push 00415800
* Reference To: MSVBVM50.rtcSetFileAttr, Ord:0244h
|
:00593620 FF1588D45D00 Call dword ptr
[005DD488]
:00593626 BB0A000000 mov ebx,
0000000A
:0059362B E999080000 jmp 00593EC9
上面这段程序是检测C盘是否有msdos这个文件(其实这个文件的内容就是注册码),如果有则打开这个文件并读取内容,VB程序可能如下:
A$="c:\Msdos"
B$=Dir("c:\Msdos")
If A$=B$ Then
Open B$ For Input As #1
Line Input #1, RegCode1$
Close #1
SetAttr B$, vbReadOnly+vbHidden+vbSystem
Else
进入输入软件序列号和注册码对话框
End If
:00593EC9 DD45B4
fld qword ptr [ebp-4C]
* Reference To: MSVBVM50.__vbaFpI4, Ord:0000h
|
:00593ECC 8B3544D45D00 mov esi, dword
ptr [005DD444]
:00593ED2 FFD6
call esi
:00593ED4 99
cdq
:00593ED5 B905000000 mov ecx,
00000005
:00593EDA F7F9
idiv ecx
:00593EDC 83FA04
cmp edx, 00000004
:00593EDF 0F8768280000 ja 0059674D
:00593EE5 FF249594695900 jmp dword ptr [4*edx+00596994]
====> 转到593EEC、594661、594DD6、5955D6、595DD6
:00593EEC DD45B4
fld qword ptr [ebp-4C]
:00593EEF FFD6
call esi
* Possible StringData Ref from Code Obj ->"4412345"
|
:00593EF1 6868EF4100 push 0041EF68
:00593EF6 8BD8
mov ebx, eax
* Reference To: MSVBVM50.__vbaI4Str, Ord:0000h
|
:00593EF8 FF15ECD35D00 Call dword ptr
[005DD3EC] ====> 转为字符格式
:00593EFE 33D8
xor ebx, eax ====>
与412345异或
:00593F00 53
push ebx
* Reference To: MSVBVM50.__vbaStrI4, Ord:0000h
|
:00593F01 FF1574D25D00 Call dword ptr
[005DD274]
:00593F07 8BD0
mov edx, eax
:00593F09 8D4DA0
lea ecx, dword ptr [ebp-60]
:00593F0C FFD7
call edi
:00593F0E DD0528354000 fld qword ptr
[00403528] ====> [00403528]值为99999
:00593F14 DC65B4
fsub qword ptr [ebp-4C] ====> 99999-VeriCode
:00593F17 50
push eax
:00593F18 DFE0
fstsw ax
:00593F1A A80D
test al, 0D
:00593F1C 0F85862A0000 jne 005969A8
:00593F22 FFD6
call esi
* Possible StringData Ref from Code Obj ->"2238745"
|
:00593F24 687CEF4100 push 0041EF7C
:00593F29 8BD8
mov ebx, eax
* Reference To: MSVBVM50.__vbaI4Str, Ord:0000h
|
:00593F2B FF15ECD35D00 Call dword ptr
[005DD3EC]
:00593F31 33D8
xor ebx, eax ====>
与238745异或
:00593F33 53
push ebx
* Reference To: MSVBVM50.__vbaStrI4, Ord:0000h
|
:00593F34 FF1574D25D00 Call dword ptr
[005DD274]
:00593F3A 8BD0
mov edx, eax
:00593F3C 8D4D9C
lea ecx, dword ptr [ebp-64]
:00593F3F FFD7
call edi
* Reference To: MSVBVM50.__vbaStrCat, Ord:0000h
|
:00593F41 8B1DC0D25D00 mov ebx, dword
ptr [005DD2C0]
:00593F47 50
push eax
:00593F48 FFD3
call ebx
====> 两个结果进行合并
:00593F4A 8D5584
lea edx, dword ptr [ebp-7C]
:00593F4D 89856CFFFFFF mov dword ptr
[ebp+FFFFFF6C], eax
:00593F53 52
push edx
:00593F54 8D45CC
lea eax, dword ptr [ebp-34]
:00593F57 6A02
push 00000002
:00593F59 8D8D74FFFFFF lea ecx, dword
ptr [ebp+FFFFFF74]
:00593F5F 50
push eax
:00593F60 51
push ecx
:00593F61 C78564FFFFFF08800000 mov dword ptr [ebp+FFFFFF64], 00008008
:00593F6B C7458C0C000000 mov [ebp-74], 0000000C
:00593F72 C7458402000000 mov [ebp-7C], 00000002
* Reference To: MSVBVM50.rtcMidCharVar, Ord:0278h
|
:00593F79 FF1530D35D00 Call dword ptr
[005DD330] ====> 从第2个字符开始读取12(0Ch)个注册码字符
:00593F7F 8D9564FFFFFF lea edx, dword
ptr [ebp+FFFFFF64] ====> 刚才读取的字符地址
:00593F85 8D8574FFFFFF lea eax, dword
ptr [ebp+FFFFFF74] ====> 两次异或运算的结果地址
:00593F8B 52
push edx
:00593F8C 50
push eax
* Reference To: MSVBVM50.__vbaVarTstEq, Ord:0000h
|
:00593F8D FF154CD35D00 Call dword ptr
[005DD34C] ====> 字符串比较
上面共两段程序,第一段程序是求检测码与5的模,根据模的值进行不同的运算,第二段程序是模为0时的运算过程,另外4个运算过程与此相似,这里就不再说了。VB程序可能如下:
TestCode = Cint(VeriCode) Mod 5
Select Case TestCode
Case 0
RegCode2$=(Cstr(VerCode) Xor Cstr(412345))+(Cstr(99999-VerCode)
Xor Cstr(238745))
RegCode1$=Mid(RegCode1$, 2, 12)
If RegCode1$ = RegCode2$ Then
MsgBox "注册成功!", vbOnly
GoTo 程序正常运行处
Else
MsgBox "注册失败!", vbOnly
End
End If
Case 1
RegCode2$=(Cstr(VerCode) Xor Cstr(235678))+(Cstr(99999-VerCode)
Xor Cstr(338762))
RegCode1$=Mid(RegCode1$, 2, 12)
If RegCode1$ = RegCode2$ Then
MsgBox "注册成功!", vbOnly
GoTo 程序正常运行处
Else
MsgBox "注册失败!", vbOnly
End
End If
Case 2
RegCode2$=(Cstr(VerCode) Xor Cstr(897363))+(Cstr(99999-VerCode)
Xor Cstr(283954))
RegCode1$=Mid(RegCode1$, 2, 12)
If RegCode1$ = RegCode2$ Then
MsgBox "注册成功!", vbOnly
GoTo 程序正常运行处
Else
MsgBox "注册失败!", vbOnly
End
End If
Case 3
RegCode2$=(Cstr(VerCode) Xor Cstr(236738))+(Cstr(99999-VerCode)
Xor Cstr(458902))
RegCode1$=Mid(RegCode1$, 2, 12)
If RegCode1$ = RegCode2$ Then
MsgBox "注册成功!", vbOnly
GoTo 程序正常运行处
Else
MsgBox "注册失败!", vbOnly
End
End If
Case 4
RegCode2$=(Cstr(VerCode) Xor Cstr(763218))+(Cstr(99999-VerCode)
Xor Cstr(238958))
RegCode1$=Mid(RegCode1$, 2, 12)
If RegCode1$ = RegCode2$ Then
MsgBox "注册成功!", vbOnly
GoTo 程序正常运行处
Else
MsgBox "注册失败!", vbOnly
End
End If
End Select
因此这个程序的注册机不难编写,因为软件序列号即最后5位数字是可见的
设最后5位数字为abcde,
则注册码的前6位为:固定数字1 xor abcde
则注册码的后6位为:固定数字2 xor (99999-abcde)
这样,共12位注册码,注册机已经做好并测试通过
- 标 题:辽宁省职称计算机考试2001年光盘的破解和注册机的制作 (13千字)
- 作 者:robot
- 时 间:2001-5-4 13:50:32
- 链 接:http://bbs.pediy.com