SeaMoon Pic Hunter 1.2 Crack Notes
Author: CoolWolF[SCD]
Date: 2002-4-3
Tools: OllyDbg 1.05a and Registry Shot 1.52b under Windows 2000
Software home page: http://www.seamoontech.com
Difficulty: medium-low
Description: Visits and analyses the structure of the web site or page you specify, then quickly downloads the images on it (GIF, JPEG and so on) to the local machine.
=================================================================
The following text is purely for reference and exchange among reverse-engineering enthusiasts; please respect the rights of the software author.
=================================================================
A nice tool, especially for an image hoarder like me ^o^ OK, enough talk, let's get to work!
Run the program and a registration dialog pops up, telling you that unregistered it will search at most 49 pictures. Enter the user name CoolWolF and the code 1212; after confirming, it asks you to restart the program so it can verify whether the registration succeeded. So the program must store the registration information we entered in the registry or in some file and check it at startup. From experience, the registry is the more likely place.
A Registry Shot comparison confirms it: the information we entered is stored under \Software\SeaMoonTech\SeaMoon Pic Hunter\V1.2\ as two values, RegUserName and RegCode.
Load PicHunter.exe in OllyDbg, press Ctrl+N, and hit Enter on the "ADVAPI32.RegQueryValueExA" line to list every address that calls this API. Choose "Set breakpoint on every command" from the context menu, then close that window and return to the main view.
Press F9 to run; the program breaks at:
0045EED7 |. 8B35 10C04600   MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegQuer>; ADVAPI32.RegQueryValueExA
0045EEDD |. 51              PUSH ECX                                 ; /pBufSize
0045EEDE |. 8D4D EC         LEA ECX,DWORD PTR SS:[EBP-14]            ; |
0045EEE1 |. 57              PUSH EDI                                 ; |Buffer
0045EEE2 |. 51              PUSH ECX                                 ; |pValueType
0045EEE3 |. 57              PUSH EDI                                 ; |Reserved
0045EEE4 |. 897D FC         MOV DWORD PTR SS:[EBP-4],EDI             ; |
0045EEE7 |. FF75 10         PUSH DWORD PTR SS:[EBP+10]               ; |ValueName
0045EEEA |. 50              PUSH EAX                                 ; |hKey
0045EEEB |. FFD6            CALL ESI                                 ; \RegQueryValueExA
Stepping down with F8 for a while shows nothing useful to us, so press F9 to keep searching. After the 19th hit we arrive at:
0045EED7 |. 8B35 10C04600   MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegQuer>; ADVAPI32.RegQueryValueExA
0045EEDD |. 51              PUSH ECX                                 ; /pBufSize
0045EEDE |. 8D4D EC         LEA ECX,DWORD PTR SS:[EBP-14]            ; |
0045EEE1 |. 57              PUSH EDI                                 ; |Buffer
0045EEE2 |. 51              PUSH ECX                                 ; |pValueType
0045EEE3 |. 57              PUSH EDI                                 ; |Reserved
0045EEE4 |. 897D FC         MOV DWORD PTR SS:[EBP-4],EDI             ; |
0045EEE7 |. FF75 10         PUSH DWORD PTR SS:[EBP+10]               ; |ValueName = "RegCode"
0045EEEA |. 50              PUSH EAX                                 ; |hKey
0045EEEB |. FFD6            CALL ESI                                 ; \RegQueryValueExA
Ha, this is the spot we want!
Step slowly with F8 until:
00406605  . C68424 5801000> MOV BYTE PTR SS:[ESP+158],4
At this point look at the lower-right pane: it holds our user name and the fake code we entered. Continue:
0040660D  . 50              PUSH EAX
0040660E  . 8D4C24 14       LEA ECX,DWORD PTR SS:[ESP+14]
00406612  . E8 6CEC0300     CALL PicHunte.00445283
00406617  . 8D4C24 24       LEA ECX,DWORD PTR SS:[ESP+24]
0040661B  . C68424 5801000> MOV BYTE PTR SS:[ESP+158],2
00406623  . E8 22EB0300     CALL PicHunte.0044514A
00406628  . 51              PUSH ECX
00406629  . 8D4424 14       LEA EAX,DWORD PTR SS:[ESP+14]
0040662D  . 8BCC            MOV ECX,ESP
0040662F  . 896424 1C       MOV DWORD PTR SS:[ESP+1C],ESP
00406633  . 50              PUSH EAX
00406634  . E8 86E80300     CALL PicHunte.00444EBF
00406639  . 51              PUSH ECX
0040663A  . 8D5424 1C       LEA EDX,DWORD PTR SS:[ESP+1C]
0040663E  . 8BCC            MOV ECX,ESP
00406640  . 896424 28       MOV DWORD PTR SS:[ESP+28],ESP
00406644  . 52              PUSH EDX
00406645  . C68424 6401000> MOV BYTE PTR SS:[ESP+164],5
0040664D  . E8 6DE80300     CALL PicHunte.00444EBF   // key call
Step into it (I went in on a hunch).
After following it with F7:
00406E60 /$ 6A FF           PUSH -1
00406E62 |. 68 B0714600     PUSH PicHunte.004671B0
00406E67 |. 64:A1 00000000  MOV EAX,DWORD PTR FS:[0]
00406E6D |. 50              PUSH EAX
00406E6E |. 64:8925 000000> MOV DWORD PTR FS:[0],ESP
00406E75 |. 81EC D0000000   SUB ESP,D0
00406E7B |. C78424 D800000> MOV DWORD PTR SS:[ESP+D8],0
00406E86 |. 8B8424 E000000> MOV EAX,DWORD PTR SS:[ESP+E0]
00406E8D |. 68 B0864800     PUSH PicHunte.004886B0
00406E92 |. 50              PUSH EAX
00406E93 |. E8 AF7F0200     CALL PicHunte.0042EE47
00406E98 |. 83C4 08         ADD ESP,8
00406E9B |. 85C0            TEST EAX,EAX
00406E9D |. 0F84 31010000   JE PicHunte.00406FD4
00406EA3 |. 8B8C24 E400000> MOV ECX,DWORD PTR SS:[ESP+E4]
00406EAA |. 68 B0864800     PUSH PicHunte.004886B0
00406EAF |. 51              PUSH ECX
00406EB0 |. E8 927F0200     CALL PicHunte.0042EE47
00406EB5 |. 83C4 08         ADD ESP,8
00406EB8 |. 85C0            TEST EAX,EAX
00406EBA |. 0F84 14010000   JE PicHunte.00406FD4
00406EC0 |. 8B9424 E000000> MOV EDX,DWORD PTR SS:[ESP+E0]
00406EC7 |. 53              PUSH EBX
00406EC8 |. 56              PUSH ESI
00406EC9 |. B0 6F           MOV AL,6F                              ; 'o'
00406ECB |. 8B72 F8         MOV ESI,DWORD PTR DS:[EDX-8]           ; string length (MFC CString keeps it 8 bytes before the data)
00406ECE |. 33C9            XOR ECX,ECX
00406ED0 |. 85F6            TEST ESI,ESI
00406ED2 |. C64424 08 73    MOV BYTE PTR SS:[ESP+8],73             ; 's'
00406ED7 |. C64424 09 65    MOV BYTE PTR SS:[ESP+9],65             ; 'e'
00406EDC |. C64424 0A 61    MOV BYTE PTR SS:[ESP+A],61             ; 'a'
00406EE1 |. C64424 0B 6D    MOV BYTE PTR SS:[ESP+B],6D             ; 'm'
00406EE6 |. 884424 0C       MOV BYTE PTR SS:[ESP+C],AL             ; 'o'
00406EEA |. 884424 0D       MOV BYTE PTR SS:[ESP+D],AL             ; 'o'
00406EEE |. C64424 0E 6E    MOV BYTE PTR SS:[ESP+E],6E             ; 'n'
00406EF3 |. C64424 0F 00    MOV BYTE PTR SS:[ESP+F],0              ; NUL: the stack string "seamoon"
00406EF8 |. 7E 3E           JLE SHORT PicHunte.00406F38            // computation loop
00406EFA |. 55              PUSH EBP
00406EFB |. 57              PUSH EDI                               ; PicHunte.00488938
00406EFC |. 8D7C34 17       LEA EDI,DWORD PTR SS:[ESP+ESI+17]
00406F00 |> 8B8424 F000000> MOV EAX,DWORD PTR SS:[ESP+F0]
00406F07 |. BD 07000000     MOV EBP,7
00406F0C |. 8A1C01          MOV BL,BYTE PTR DS:[ECX+EAX]
00406F0F |. 8BC1            MOV EAX,ECX
00406F11 |. 99              CDQ
00406F12 |. F7FD            IDIV EBP
00406F14 |. 0FBEC3          MOVSX EAX,BL
00406F17 |. BB 09000000     MOV EBX,9
00406F1C |. 0FBE5414 10     MOVSX EDX,BYTE PTR SS:[ESP+EDX+10]
00406F21 |. 03D6            ADD EDX,ESI
00406F23 |. 8D144A          LEA EDX,DWORD PTR DS:[EDX+ECX*2]
00406F26 |. 03C2            ADD EAX,EDX
00406F28 |. 99              CDQ
00406F29 |. F7FB            IDIV EBX
00406F2B |. 80C2 30         ADD DL,30
00406F2E |. 41              INC ECX
00406F2F |. 8817            MOV BYTE PTR DS:[EDI],DL
00406F31 |. 4F              DEC EDI
00406F32 |. 3BCE            CMP ECX,ESI
00406F34 |.^7C CA           JL SHORT PicHunte.00406F00
00406F36 |. 5F              POP EDI
00406F37 |. 5D              POP EBP
00406F38 |> 8D46 4D         LEA EAX,DWORD PTR DS:[ESI+4D]
00406F3B |. B9 09000000     MOV ECX,9
00406F40 |. 99              CDQ
00406F41 |. F7F9            IDIV ECX
00406F43 |. 8B8424 EC00000> MOV EAX,DWORD PTR SS:[ESP+EC]
00406F4A |. 80C2 30         ADD DL,30
00406F4D |. 885434 10       MOV BYTE PTR SS:[ESP+ESI+10],DL
00406F51 |. C64434 11 00    MOV BYTE PTR SS:[ESP+ESI+11],0
00406F56 |. 8D7424 10       LEA ESI,DWORD PTR SS:[ESP+10]          // the code generated from the user name
00406F5A |> 8A10            MOV DL,BYTE PTR DS:[EAX]               // the entered (fake) code into EAX
00406F5C |. 8A1E            MOV BL,BYTE PTR DS:[ESI]               // the real code into ESI
00406F5E |. 8ACA            MOV CL,DL
00406F60 |. 3AD3            CMP DL,BL                              // compare the first byte of the real and fake codes
00406F62 |. 75 1E           JNZ SHORT PicHunte.00406F82            // any mismatch and it's over
00406F64 |. 84C9            TEST CL,CL
......
Set a breakpoint at 00406F5C and you can see the registration code held in ESI. I still haven't fully understood the whole computation, so I didn't dare add comments to it above; I'd welcome pointers from the experts.
Result: user name CoolWolF[SCD], registration code 77245502320260
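The routine at 00406E60 can in fact be reconstructed completely from the listing above. What follows is an added example, not code from the original post or from SeaMoonTech: a C keygen written from the disassembly. The reading it rests on: [ESP+E0] and [ESP+E4] are the user name and the entered code (MFC CStrings, so [EDX-8] is the string length); the bytes 73 65 61 6D 6F 6F 6E 00 stored at 00406ED2..00406EF3 spell the stack string "seamoon"; the two calls to 0042EE47 against 004886B0 that bail to 00406FD4 on a zero result are assumed to be empty-string checks. The loop at 00406F00 computes, for each character i of the name, v = name[i] + "seamoon"[i % 7] + len + 2*i (IDIV by 7, ADD EDX,ESI, LEA [EDX+ECX*2]) and stores '0' + v % 9 (IDIV by 9, ADD DL,30) into the output buffer from its last position backwards (DEC EDI). After the loop, '0' + (len + 0x4D) % 9 is appended as a trailing check digit, the buffer is NUL-terminated, and from 00406F5A it is compared byte by byte with the entered code. The names pichunter_keygen, pichunter_check and SALT are mine; the value produced for CoolWolF[SCD] matches the code reported above.

```c
/*
 * Added example, not from the original post: keygen reconstructed from
 * the routine at PicHunter.exe 00406E60 (assumptions listed in the text).
 */
#include <stdio.h>
#include <string.h>

/* Stack string built byte by byte at 00406ED2..00406EF3: "seamoon\0" */
static const char SALT[] = "seamoon";

/*
 * Reproduces 00406EC9..00406F51. out must hold at least len + 2 bytes.
 * Returns the number of characters written (len + 1), or 0 for an empty
 * name (the routine leaves via 00406E9D) or a too-small buffer.
 */
size_t pichunter_keygen(const char *name, char *out, size_t outsz)
{
    size_t len = strlen(name);              /* ESI = [EDX-8], the CString length */
    if (len == 0 || outsz < len + 2)
        return 0;

    /*
     * Loop 00406F00..00406F34. name[i] is sign-extended (MOVSX), so the
     * signed char cast keeps high-bit characters behaving like the original;
     * C's % truncates toward zero exactly as IDIV does. The buffer is filled
     * from the last slot backwards (LEA EDI,[ESP+ESI+17] ... DEC EDI).
     */
    for (size_t i = 0; i < len; i++) {
        int v = (signed char)name[i]         /* MOVSX EAX,BL            */
              + SALT[i % 7]                  /* MOVSX EDX,[ESP+EDX+10]  */
              + (int)len                     /* ADD EDX,ESI             */
              + 2 * (int)i;                  /* LEA EDX,[EDX+ECX*2]     */
        out[len - 1 - i] = (char)('0' + v % 9);   /* IDIV EBX(9); ADD DL,30 */
    }

    /* 00406F38..00406F51: check digit '0' + (len + 0x4D) % 9, then NUL */
    out[len] = (char)('0' + ((int)len + 0x4D) % 9);
    out[len + 1] = '\0';
    return len + 1;
}

/* Mirrors the byte-wise compare that starts at 00406F5A. */
int pichunter_check(const char *name, const char *code)
{
    char expect[256];
    if (!pichunter_keygen(name, expect, sizeof expect))
        return 0;
    return strcmp(expect, code) == 0;
}

int main(int argc, char **argv)
{
    char code[256];
    const char *name = argc > 1 ? argv[1] : "CoolWolF[SCD]";
    if (!pichunter_keygen(name, code, sizeof code)) {
        fprintf(stderr, "user name must be 1..254 characters\n");
        return 1;
    }
    printf("%s -> %s\n", name, code);
    return 0;
}
```

Build with any C compiler (cc keygen.c -o keygen) and pass the user name as the first argument; with no argument it prints the code for CoolWolF[SCD]. The generated code is always one character longer than the name, which is why the 13-character name above yields a 14-digit code.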
Done.
--------------------------------------------------------------------------------------------------------
- Title: SeaMoon Pic Hunter 1.2 Crack Notes (8K characters)
- Author: CoolWolF[BCG]
- Time: 2002-4-3 13:04:01
- Link: http://bbs.pediy.com