加密精灵V2.2是一个文件加密工具,破解它可以用两种方法:爆破和注册算法。好,我们来看看怎样破它:
1、爆破:
用W32DASM反汇编主程序,在串式参考中查找“这个软件注册给”,双击它,会找到下面的代码:
* Reference To: GDI32.GetObjectA, Ord:014Fh
|
:00418E90 FF1578804300 Call dword ptr
[00438078]
:00418E96 A178F74300 mov eax,
dword ptr [0043F778] <=====取回注册标志
:00418E9B 85C0
test eax, eax
<=====是否是0
:00418E9D 7420
je 00418EBF
<=====是则没有注册,跳到未注册的代码处
:00418E9F 682CF34300 push 0043F32C
<=====注册成功
:00418EA4 8D542434 lea
edx, dword ptr [esp+34]
* Possible StringData Ref from Data Obj ->"这个软件注册给: %s"
|
:00418EA8 68D0C84300 push 0043C8D0
:00418EAD 52
push edx
* Reference To: USER32.wsprintfA, Ord:02ACh
|
:00418EAE FF1520834300 Call dword ptr
[00438320]
:00418EB4 83C40C
add esp, 0000000C
:00418EB7 8D442430 lea
eax, dword ptr [esp+30]
:00418EBB 33C9
xor ecx, ecx
:00418EBD EB0A
jmp 00418EC9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418E9D(C)
|
* Possible StringData Ref from Data Obj ->"您的注册是对我们最大的支持和鼓励"
|
:00418EBF B8ACC84300 mov eax,
0043C8AC
* Possible Reference to Dialog: DialogID_00A1, CONTROL_ID:00FF, ""
看到上面的代码了吗?所以我们必须把注册标志改为不为零的数字,通常是改为1,我的改法是:
:00418E96 A178F74300 mov eax,
dword ptr [0043F778] <=====改为mov word ptr
:00418E9B 85C0
test eax, eax
<=====[0043F778],1刚好九个字节
:00418E9D 7420
je 00418EBF
2、注册算法:
这个软件是根据注册名来算出注册码的,注册码一共有16位(16个字符),程序会自动生成密码表,密码表的形式为:
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz
然后通过注册名算出各个注册码在密码表中的位置.好,我们先下中断,BPX HMEMCPY,中断后用pmodule返回到主程序:
:0040151F 6A1E
push 0000001E <=====返回到这里
:00401521 6864EA4300 push 0043EA64
:00401526 6815040000 push 00000415
:0040152B 53
push ebx
:0040152C FFD6
call esi
:0040152E 50
push eax
:0040152F FFD7
call edi
:00401531 6A02
push 00000002
:00401533 6A00
push 00000000
:00401535 E836780100 call 00418D70
:0040153A 6A00
push 00000000
:0040153C 6864EA4300 push 0043EA64
<=====这里是我们输入的注册名和注册码
:00401541 682CF34300 push 0043F32C
<=====
:00401546 E895730200 call 004288E0
<=====计算和判断注册码的CALL,如果不正确则EAX=1,所以要F8进入
:0040154B 83C414
add esp, 00000014
:0040154E F7D8
neg eax
:00401550 1BC0
sbb eax, eax
:00401552 40
inc eax
:00401553 A378F74300 mov dword
ptr [0043F778], eax
:00401558 0F849C000000 je 004015FA
<====如果注册码不正确,则跳
:0040155E BF2CF34300 mov edi,
0043F32C
:00401563 83C9FF
or ecx, FFFFFFFF
:00401566 33C0
xor eax, eax
:00401568 F2
repnz
:00401569 AE
scasb
:0040156A F7D1
not ecx
:0040156C 51
push ecx
:0040156D 682CF34300 push 0043F32C
* Possible StringData Ref from Data Obj ->"UserName"
|
:00401572 68D0B04300 push 0043B0D0
* Possible StringData Ref from Data Obj ->"Setings"
|
:00401577 68C8B04300 push 0043B0C8
:0040157C E8BF030000 call 00401940
:00401581 8BC8
mov ecx, eax
:00401583 E8A8B10000 call 0040C730
:00401588 BF64EA4300 mov edi,
0043EA64
:0040158D 83C9FF
or ecx, FFFFFFFF
:00401590 33C0
xor eax, eax
:00401592 F2
repnz
:00401593 AE
scasb
:00401594 F7D1
not ecx
:00401596 51
push ecx
:00401597 6864EA4300 push 0043EA64
* Possible StringData Ref from Data Obj ->"RegisterNumber"
进入CALL后,一直按F10,来到下面的地方:
:004288FA E871000000 call 00428970
<====调用算法的CALL,F8进入
:004288FF 83C408
add esp, 00000008
:00428902 85C0
test eax, eax
:00428904 744D
je 00428953
:00428906 53
push ebx
:00428907 56
push esi
:00428908 8D74240C lea
esi, dword ptr [esp+0C]
:0042890C 8BC7
mov eax, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428930(C)
|
:0042890E 8A10
mov dl, byte ptr [eax] <====我们输入的假注册码
:00428910 8A1E
mov bl, byte ptr [esi] <====真正的注册码,用D ESI就可以看到真正的注册码
:00428912 8ACA
mov cl, dl
:00428914 3AD3
cmp dl, bl <====比较注册码
:00428916 751E
jne 00428936
:00428918 84C9
test cl, cl
:0042891A 7416
je 00428932
:0042891C 8A5001
mov dl, byte ptr [eax+01]
:0042891F 8A5E01
mov bl, byte ptr [esi+01]
:00428922 8ACA
mov cl, dl
:00428924 3AD3
cmp dl, bl
:00428926 750E
jne 00428936
:00428928 83C002
add eax, 00000002
:0042892B 83C602
add esi, 00000002
:0042892E 84C9
test cl, cl
:00428930 75DC
jne 0042890E
下面是注册算法:
:004289E1 8B442458 mov
eax, dword ptr [esp+58] <===取注册名,ESI初始值=注册名长度
:004289E5 33D2
xor edx, edx
:004289E7 BF3E000000 mov edi,
0000003E
:004289EC 0FBE0C06 movsx
ecx, byte ptr [esi+eax] <==取注册名+注册名字符位置
:004289F0 03CD
add ecx, ebp <===ECX+B2770FBE
:004289F2 8BC1
mov eax, ecx <===EAX=ECX;下面DIV之后EAX=商,EDX=余数
:004289F4 F7F7
div edi <==EAX/3E
:004289F6 83F93D
cmp ecx, 0000003D <==比较ECX是否大于3D
:004289F9 8BFA
mov edi, edx
:004289FB 7615
jbe 00428A12 <==不大于则跳
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428A10(C)
|
:004289FD B885104208 mov eax,
08421085
:00428A02 F7E1
mul ecx
:00428A04 2BCA
sub ecx, edx
:00428A06 D1E9
shr ecx, 1
:00428A08 03CA
add ecx, edx
:00428A0A C1E905
shr ecx, 05
:00428A0D 83F93D
cmp ecx, 0000003D
:00428A10 77EB
ja 004289FD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004289FB(C)
|
:00428A12 03CF
add ecx, edi
:00428A14 83F93D
cmp ecx, 0000003D
:00428A17 761F
jbe 00428A38
:00428A19 8BC1
mov eax, ecx
:00428A1B 33D2
xor edx, edx
:00428A1D BF3E000000 mov edi,
0000003E
:00428A22 F7F7
div edi
:00428A24 B885104208 mov eax,
08421085
:00428A29 8BFA
mov edi, edx
:00428A2B F7E1
mul ecx
:00428A2D 2BCA
sub ecx, edx
:00428A2F D1E9
shr ecx, 1
:00428A31 03CA
add ecx, edx
:00428A33 C1E905
shr ecx, 05
:00428A36 03CF
add ecx, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428A17(C)
|
:00428A38 8B54245C mov
edx, dword ptr [esp+5C]
:00428A3C 8A4C0C14 mov
cl, byte ptr [esp+ecx+14] <===从密码表中取位置为ECX的注册码
:00428A40 8B442410 mov
eax, dword ptr [esp+10]
:00428A44 880C13
mov byte ptr [ebx+edx], cl <====保存注册码
:00428A47 43
inc ebx
:00428A48 46
inc esi
:00428A49 3BF0
cmp esi, eax
:00428A4B 7C02
jl 00428A4F
:00428A4D 33F6
xor esi, esi <=====清0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428A4B(C)
|
:00428A4F 45
inc ebp
:00428A50 83FB10
cmp ebx, 00000010 <====够16位了吗?
:00428A53 7C8C
jl 004289E1 <====不够继续运算
:00428A55 8B44245C mov
eax, dword ptr [esp+5C]
:00428A59 C70598FB430010000000 mov dword ptr [0043FB98], 00000010
:00428A63 5D
pop ebp
:00428A64 C6040300 mov
byte ptr [ebx+eax], 00
:00428A68 5B
pop ebx
:00428A69 5F
pop edi
:00428A6A B801000000 mov eax,
00000001
:00428A6F 5E
pop esi
:00428A70 83C444
add esp, 00000044
:00428A73 C3
ret
写注册机不是小弟的长项,希望哪位朋友写一个注册机给大家用好了,呵呵
- 标 题:加密精灵V2.2破解过程 (9千字)
- 作 者:crackjack[BCG]
- 时 间:2001-10-28 1:40:52
- 链 接:http://bbs.pediy.com