首先介绍一下破解对象-----vis_ddr.dll,此乃winamp的一个插件,可以让winamp实现跳舞毯的功能,这里破解的是它的v1.11版。没有注册前,不能使用跳舞毯,还有一个特殊效果也用不上。注册之后就没有这些限制了。好了,废话少说,请看我的破解过程。先声明我是菜鸟一个,而且对汇编语言很不熟悉,分析的过程中,有很多地方是我自己在猜测那条语句是干什么的,至于猜得正不正确还请高手们指教,我不想误人子弟。:)
先运行winamp,找到此插件的配置窗口,然后点击注册。哈哈,标准的注册窗口,用户名加注册码。先随便试了一下,有错误提示。本来可以用w32dsm黄金加强版反编译分析的,无奈我的汇编太差劲,只好作罢,用trw追吧。下中断 bpx hmemcpy,返回到程序中,随便输入一些假的注册信息,然后点确定,被trw断下,敲入pmodule,一回车,咦???怎么直接回到程序的界面了啊。搞不懂怎么回事,不管它,再来一次,这次不打pmodule了,我直接按F12总可以了吧,按了11下就回到程序了,好,下次就只要按10下了。重新来一次,按10下F12后,小心地按F10,N次后,来到如下的程序段:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10003740(C)
|
* Reference To: USER32.GetDlgItemTextA, Ord:0104h
|
:10003769 8B35D0B10010 mov esi, dword
ptr [1000B1D0]
:1000376F 53
push ebx
:10003770 8B5C2430 mov
ebx, dword ptr [esp+30]
:10003774 6A64
push 00000064
:10003776 6830F40010 push 1000F430
:1000377B 68FB030000 push 000003FB
:10003780 53
push ebx
:10003781 FFD6
call esi <--取注册码长度放入EAX中
:10003783 8D4C240C lea
ecx, dword ptr [esp+0C] <--D EDX可看假码
:10003787 6A20
push 00000020
:10003789 51
push ecx
:1000378A 68FA030000 push 000003FA
:1000378F 53
push ebx
:10003790 FFD6
call esi
:10003792 8D54240C lea
edx, dword ptr [esp+0C]
:10003796 52
push edx
:10003797 6830F40010 push 1000F430
<--此处D 0287F430可看用户名
:1000379C E8EFF7FFFF call 10002F90
<--这里有一个经典的对比,所以这个CALL嫌疑非常大,进去看看。*********************
:100037A1 83C408
add esp, 00000008
:100037A4 85C0
test eax, eax
:100037A6 0F84A3000000 je 1000384F
:100037AC 8D442430 lea
eax, dword ptr [esp+30]
:100037B0 50
push eax
* Possible StringData Ref from Data Obj ->"Software\WinampDDR"
|
:100037B1 68F0D90010 push 1000D9F0
:100037B6 6801000080 push 80000001
* Reference To: ADVAPI32.RegCreateKeyA, Ord:015Eh
|
:100037BB FF1508B00010 Call dword ptr
[1000B008]
:100037C1 8B542430 mov
edx, dword ptr [esp+30]
:100037C5 85D2
test edx, edx
:100037C7 7452
je 1000381B
:100037C9 BF30F40010 mov edi,
1000F430
:100037CE 83C9FF
or ecx, FFFFFFFF
:100037D1 33C0
xor eax, eax
* Reference To: ADVAPI32.RegSetValueExA, Ord:0186h
|
:100037D3 8B3504B00010 mov esi, dword
ptr [1000B004]
:100037D9 F2
repnz
:100037DA AE
scasb
:100037DB F7D1
not ecx
:100037DD 51
push ecx
:100037DE 6830F40010 push 1000F430
:100037E3 6A01
push 00000001
:100037E5 50
push eax
* Possible StringData Ref from Data Obj ->"User"
|
:100037E6 68E0D90010 push 1000D9E0
:100037EB 52
push edx
:100037EC FFD6
call esi
:100037EE 8D7C240C lea
edi, dword ptr [esp+0C]
:100037F2 83C9FF
or ecx, FFFFFFFF
:100037F5 33C0
xor eax, eax
:100037F7 8B542430 mov
edx, dword ptr [esp+30]
:100037FB F2
repnz
:100037FC AE
scasb
:100037FD F7D1
not ecx
:100037FF 51
push ecx
:10003800 8D4C2410 lea
ecx, dword ptr [esp+10]
:10003804 51
push ecx
:10003805 6A01
push 00000001
:10003807 50
push eax
* Possible StringData Ref from Data Obj ->"RegCode"
|
:10003808 68E8D90010 push 1000D9E8
:1000380D 52
push edx
:1000380E FFD6
call esi
:10003810 8B442430 mov
eax, dword ptr [esp+30]
:10003814 50
push eax
* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:10003815 FF150CB00010 Call dword ptr
[1000B00C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100037C7(C)
|
:1000381B 6A40
push 00000040
* Possible StringData Ref from Data Obj ->"Register OK"
|
:1000381D 6880E00010 push 1000E080
* Possible StringData Ref from Data Obj ->"Thanks for registering WinampDDR!"
|
:10003822 685CE00010 push 1000E05C
:10003827 53
push ebx
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:10003828 FF15A4B10010 Call dword ptr
[1000B1A4]
:1000382E 6A01
push 00000001
:10003830 53
push ebx
:10003831 C70594F4001001000000 mov dword ptr [1000F494], 00000001
* Reference To: USER32.EndDialog, Ord:00B9h
|
:1000383B FF15E4B10010 Call dword ptr
[1000B1E4]
:10003841 5B
pop ebx
:10003842 5F
pop edi
:10003843 B801000000 mov eax,
00000001
:10003848 5E
pop esi
:10003849 83C420
add esp, 00000020
:1000384C C21000
ret 0010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100037A6(C)
|
:1000384F 6A10
push 00000010
* Possible StringData Ref from Data Obj ->"Register failed"
|
:10003851 684CE00010 push 1000E04C
* Possible StringData Ref from Data Obj ->"Registration code invalid!"
|
:10003856 6830E00010 push 1000E030
:1000385B 53
push ebx
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:1000385C FF15A4B10010 Call dword ptr
[1000B1A4]
:10003862 6A01
push 00000001
:10003864 53
push ebx
* Reference To: USER32.EndDialog, Ord:00B9h
|
:10003865 FF15E4B10010 Call dword ptr
[1000B1E4]
:1000386B 5B
pop ebx
:1000386C 5F
pop edi
:1000386D B801000000 mov eax,
00000001
:10003872 5E
pop esi
:10003873 83C420
add esp, 00000020
:10003876 C21000
ret 0010
呵呵,上面这一大段看不太懂,只知道它根据注册信息的正确与否来决定:要么显示注册成功的画面并在注册表里面记下相关信息,要么直接显示注册失败的画面。不管它了,先进那个可疑CALL看看,如下:
这里接上面的**********************
* Referenced by a CALL at Addresses:
|:100010D8 , :1000379C
|
:10002F90 83EC28
sub esp, 00000028
:10002F93 55
push ebp
:10002F94 8B6C2430 mov
ebp, dword ptr [esp+30]
:10002F98 85ED
test ebp, ebp<--看用户名是否为空
:10002F9A 57
push edi
:10002F9B 0F8429010000 je 100030CA
:10002FA1 8B542438 mov
edx, dword ptr [esp+38]
:10002FA5 85D2
test edx, edx<--看注册码是否为空
:10002FA7 0F841D010000 je 100030CA
:10002FAD 8BFD
mov edi, ebp
:10002FAF 83C9FF
or ecx, FFFFFFFF
:10002FB2 33C0
xor eax, eax
:10002FB4 F2
repnz
:10002FB5 AE
scasb
:10002FB6 F7D1
not ecx
:10002FB8 49
dec ecx
:10002FB9 0F840B010000 je 100030CA
:10002FBF 8BFA
mov edi, edx
:10002FC1 83C9FF
or ecx, FFFFFFFF
:10002FC4 F2
repnz
:10002FC5 AE
scasb
:10002FC6 F7D1
not ecx
:10002FC8 49
dec ecx
:10002FC9 0F84FB000000 je 100030CA
:10002FCF 53
push ebx
:10002FD0 32DB
xor bl, bl
:10002FD2 B908000000 mov ecx,
00000008
:10002FD7 8D7C2411 lea
edi, dword ptr [esp+11]
:10002FDB 885C2410 mov
byte ptr [esp+10], bl
:10002FDF 33D2
xor edx, edx
:10002FE1 F3
repz
:10002FE2 AB
stosd
:10002FE3 8BFD
mov edi, ebp
:10002FE5 83C9FF
or ecx, FFFFFFFF
:10002FE8 F2
repnz
:10002FE9 AE
scasb
:10002FEA F7D1
not ecx
:10002FEC 49
dec ecx
:10002FED 56
push esi
:10002FEE 85C9
test ecx, ecx
:10002FF0 894C243C mov
dword ptr [esp+3C], ecx
:10002FF4 7E0A
jle 10003000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10002FFE(C)
|
:10002FF6 8A042A
mov al, byte ptr [edx+ebp]
:10002FF9 32D8
xor bl, al
:10002FFB 42
inc edx
:10002FFC 3BD1
cmp edx, ecx
:10002FFE 7CF6
jl 10002FF6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10002FF4(C)
|
:10003000 33F6
xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10003073(U)
|
:10003002 83FE08
cmp esi, 00000008
:10003005 7C07
jl 1000300E
:10003007 8D0409
lea eax, dword ptr [ecx+ecx]
:1000300A 3BF0
cmp esi, eax
:1000300C 7D67
jge 10003075
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10003005(C)
|
:1000300E 8BFD
mov edi, ebp
:10003010 83C9FF
or ecx, FFFFFFFF
:10003013 33C0
xor eax, eax
:10003015 F2
repnz
:10003016 AE
scasb
:10003017 8BC6
mov eax, esi
:10003019 99
cdq
:1000301A F7D1
not ecx
:1000301C 2BC2
sub eax, edx
:1000301E 49
dec ecx
:1000301F D1F8
sar eax, 1
:10003021 33D2
xor edx, edx
:10003023 F7F1
div ecx
:10003025 83FE01
cmp esi, 00000001
:10003028 8BFA
mov edi, edx
:1000302A 7E05
jle 10003031
:1000302C 8D46FF
lea eax, dword ptr [esi-01]
:1000302F EB02
jmp 10003033
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000302A(C)
|
:10003031 33C0
xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000302F(U)
|
:10003033 8A4C0414 mov
cl, byte ptr [esp+eax+14]
:10003037 32CB
xor cl, bl
:10003039 80F18D
xor cl, 8D
:1000303C 8AD9
mov bl, cl
:1000303E 885C2410 mov
byte ptr [esp+10], bl
:10003042 8B542410 mov
edx, dword ptr [esp+10]
:10003046 52
push edx
:10003047 E8F4FEFFFF call 10002F40
:1000304C 8B4C2440 mov
ecx, dword ptr [esp+40]
:10003050 88443418 mov
byte ptr [esp+esi+18], al
:10003054 2BCF
sub ecx, edi
:10003056 8A5429FF mov
dl, byte ptr [ecx+ebp-01]
:1000305A 32D0
xor dl, al
:1000305C 80F2D8
xor dl, D8
:1000305F 52
push edx
:10003060 E8DBFEFFFF call 10002F40
:10003065 8B4C2444 mov
ecx, dword ptr [esp+44]
:10003069 83C408
add esp, 00000008
:1000306C 88443415 mov
byte ptr [esp+esi+15], al
:10003070 83C602
add esi, 00000002
:10003073 EB8D
jmp 10003002
这上面一大段又看不懂了,如果哪位大哥看懂了的话,还请和我说说它的算法,让我彻底弄懂一下,先谢谢了!
下面开始将错误的注册码和正确的注册码进行比较:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000300C(C)
|
:10003075 8B742440 mov
esi, dword ptr [esp+40]这里是假码
:10003079 8D442414 lea
eax, dword ptr [esp+14]这里是真码
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000309F(C)
|
:1000307D 8A10
mov dl, byte ptr [eax]
:1000307F 8A1E
mov bl, byte ptr [esi]
:10003081 8ACA
mov cl, dl
:10003083 3AD3
cmp dl, bl
:10003085 752D
jne 100030B4
:10003087 84C9
test cl, cl
:10003089 7416
je 100030A1
:1000308B 8A5001
mov dl, byte ptr [eax+01]
:1000308E 8A5E01
mov bl, byte ptr [esi+01]
:10003091 8ACA
mov cl, dl
:10003093 3AD3
cmp dl, bl
:10003095 751D
jne 100030B4
:10003097 83C002
add eax, 00000002
:1000309A 83C602
add esi, 00000002
:1000309D 84C9
test cl, cl
:1000309F 75DC
jne 1000307D前两位正确的话,继续比较后面的,挺有意思的:)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10003089(C)
|
:100030A1 33C0
xor eax, eax
:100030A3 33C9
xor ecx, ecx
:100030A5 85C0
test eax, eax
:100030A7 5E
pop esi
:100030A8 5B
pop ebx
:100030A9 0F94C1
sete cl
:100030AC 5F
pop edi
:100030AD 8BC1
mov eax, ecx
:100030AF 5D
pop ebp
:100030B0 83C428
add esp, 00000028
:100030B3 C3
ret
大概就这么些吧,最后整理一下我的注册信息:
注册名:Turkey
注册码:GHFwZETtIJRP
哈哈,可以收工了,比较简单,对于我来说,实在是个练手的好东东。因为半个月前,我还只会爆破它,而且爆破得不完全,这下终于搞定了,好开心啊,真是没有白来看雪的论坛,真心希望它能越办越好,越办越火。
哦,忘了写软件的下载地址了,加上:
http://turkey.363.net/palplaza/download/ddr.zip
- 标 题:菜鸟破解vis_ddr v1.11 (14千字)
- 作 者:turkey99
- 时 间:2001-12-8 0:16:44
- 链 接:http://bbs.pediy.com