Software: CoverXP Pro V1.44.050
Function: a tool for making CD covers (AutoRun)
Download: www.coverxp.com
Tools: DeDe, SoftICE
Protection: anti-SoftICE
Online verification (???, that is what the serial-number dialog says, but it seems to do nothing: once you have the registration code you get the full version). After a wrong serial number it stalls for a while. An online check? A bluff? (It uses a Timer control, which you can see in DeDe.)
Checking the main executable with FI showed it is written in Delphi, so I loaded it into DeDe.
In the class information, the class handling serial-number entry is TSerialform; the related procedure is fserial.
Looking at TSerialform, the event handler for the Register button is bt_checkClick. Disassembled:

00508428 8B15406B5200   mov edx, [$526B40]
0050842E 803A00         cmp byte ptr [edx], $00
00508431 7507           jnz 0050843A
00508433 33D2           xor edx, edx
00508435 E81AEEFFFF     call 00507254        ; the key call: set a breakpoint on it in SoftICE
0050843A C3             ret
After loading in SoftICE and stepping into that call, you reach this area:

00507281 CALL 00521098            ; checks for \\.\SICE
00507286 TEST AL,AL
00507288 JNZ 0050729A             ; must not jump
0050728A MOV EAX,[005269BC]
0050728F MOV EAX,[EAX]
00507291 CALL 005210D4            ; checks for \\.\NTICE
00507296 TEST AL,AL
00507298 JZ 005072B0              ; must jump
0050729A MOV EAX,[005269BC]
0050729F MOV EAX,[EAX]
005072A1 MOV EDX,05
005072A6 CALL 005211CC            ; SoftICE detected: reboots the machine
005072AB CALL 00404650
005072B0 MOV EAX,00529B84         ; the jump lands here, continue...
005072B5 CALL 004047C4
005072BA MOV EAX,[00527234]
005072BF MOV BYTE [EAX],00
005072C2 OR EBX,BYTE -01
005072C5 MOV DWORD [EBP-1C],FFFFFFFF
005072CC CMP BYTE [EBP-05],00
A long stretch omitted............
00507354 CALL 00404A84            ; get the user-name length
00507359 MOV [EBP-18],EAX         ; [EBP-18] = length
0050735C CMP DWORD [EBP-18],BYTE +05   ; length must be at least 5
00507360 JL NEAR 0050752D         ; shorter names bail out here
00507366 MOV EAX,[00526B40]
0050736B MOV BYTE [EAX],00
0050736E MOV ESI,40               ; start processing the user name: ESI = 0x40
00507373 MOV EAX,ESI
00507375 ADD EAX,EAX
00507377 ADD EAX,BYTE +03
0050737A MOV [EBP-1C],EAX         ; [EBP-1C] = ESI*2+3 = 0x83
0050737D MOV EAX,[EBP-0C]         ; user name
00507380 MOV EDX,[EBP-18]
00507383 MOVZX EAX,BYTE [EAX+EDX-04]   ; fourth character from the end
00507388 MOV [EBP-20],EAX
0050738B MOV EBX,[EBP-20]
0050738E IMUL EBX,[EBP-1C]        ; EBX = that character * 0x83
00507392 MOV EAX,[EBP-18]
00507395 TEST EAX,EAX
00507397 JNG NEAR 00507420
0050739D MOV [EBP-2C],EAX         ; loop count = user-name length
005073A0 MOV ECX,01               ; ECX = character index, 1-based
005073A5 MOV EAX,ECX              ; loop start
005073A7 MOV EDI,03
005073AC CDQ
005073AD IDIV EDI
005073AF MOV EDI,EDX              ; EDI = ECX mod 3
005073B1 MOV EAX,EDI
005073B3 SHL EAX,02
005073B6 ADD EBX,EAX              ; EBX += (ECX mod 3)*4
005073B8 LEA EAX,[ECX+10]
005073BB PUSH EAX
005073BC MOV EAX,[EBP-20]
005073BF POP EDX
005073C0 PUSH ECX
005073C1 MOV ECX,EDX
005073C3 CDQ
005073C4 IDIV ECX
005073C6 POP ECX
005073C7 MOV [EBP-24],EDX         ; [EBP-24] = [EBP-20] mod (ECX+16)
005073CA SUB EDI,BYTE +01         ; three-way branch on ECX mod 3
005073CD JC 005073D6              ; 0
005073CF JZ 005073ED              ; 1
005073D1 DEC EDI
005073D2 JZ 00507404              ; 2
005073D4 JMP SHORT 0050741A
005073D6 MOV EAX,[EBP-0C]
005073D9 MOVZX EAX,BYTE [EAX+ECX-01]   ; current character
005073DE IMUL DWORD [EBP-24]
005073E1 XOR EAX,AA
005073E6 ADD ESI,EAX
005073E8 SUB EBX,BYTE +06
005073EB JMP SHORT 0050741A
005073ED MOV EAX,[EBP-0C]
005073F0 MOVZX EAX,BYTE [EAX+ECX-01]
005073F5 IMUL DWORD [EBP-24]
005073F8 XOR EAX,CC
005073FD ADD ESI,EAX
005073FF SUB EBX,BYTE +06
00507402 JMP SHORT 0050741A
00507404 MOV EAX,[EBP-0C]
00507407 MOVZX EAX,BYTE [EAX+ECX-01]
0050740C IMUL DWORD [EBP-24]
0050740F XOR EAX,BYTE +1C
00507412 ADD ESI,EAX
00507414 LEA EAX,[EBX+04]
00507417 MOV [EBP-1C],EAX         ; [EBP-1C] = EBX+4
0050741A INC ECX
0050741B DEC DWORD [EBP-2C]       ; loop counter minus 1
0050741E JNZ 005073A5             ; back to loop start
00507420 CMP ESI,2710             ; first pass done; the second pass follows...
00507426 JNG 00507439
00507428 SUB ESI,2710             ; while ESI > 10000: ESI -= 10000, [EBP-1C] += EBX
0050742E ADD [EBP-1C],EBX
00507431 CMP ESI,2710
00507437 JG 00507428
00507439 MOV EAX,ESI
0050743B MOV ECX,09
00507440 CDQ
00507441 IDIV ECX
00507443 MOV EDI,EDX
00507445 INC EDI
00507446 IMUL EDI,[EBP-18]        ; EDI = (ESI mod 9 + 1) * length
0050744A CMP EDI,BYTE +64
0050744D JNG 0050745E
0050744F SUB EDI,BYTE +64         ; while EDI > 100: EDI -= 100, EBX *= [EBP-1C]
00507452 MOV EAX,[EBP-1C]
00507455 IMUL EBX
00507457 MOV EBX,EAX
00507459 CMP EDI,BYTE +64
0050745C JG 0050744F              ; second pass done. Too lazy to write the algorithm out; for a keygen you can use the disassembly directly
0050745E LEA EDX,[EBP-30]
00507461 MOV EAX,EBX
00507463 CALL 0040934C            ; step in to see what it computes. Again, for a keygen just copy it
00507468 MOV EAX,[EBP-30]
0050746B PUSH EAX
0050746C LEA EDX,[EBP-34]
0050746F MOV EAX,[EBP-1C]
00507472 CALL 0040934C
00507477 MOV EDX,[EBP-34]
0050747A LEA EAX,[EBP-14]
0050747D POP ECX
0050747E CALL 00404AD0
00507483 LEA EDX,[EBP-38]
00507486 MOV EAX,ESI
00507488 CALL 0040934C            ; this produces the last four digits of the registration code
0050748D MOV EAX,[EBP-38]
00507490 PUSH EAX
00507491 LEA EDX,[EBP-3C]
00507494 MOV EAX,EDI
00507496 CALL 0040934C            ; this produces the first four digits (may be fewer than four)
0050749B MOV EDX,[EBP-3C]
0050749E LEA EAX,[EBP-14]
005074A1 POP ECX
A short stretch omitted here......
00507537 MOV EAX,[EBP-10]         ; the registration code you typed
0050753A MOV EDX,[EBP-14]         ; the real registration code
0050753D CALL 00404BD0            ; a classic
00507542 JNZ NEAR 005077D9        ; not equal, so jump...
AirHolder,09/28/02.
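The two hashing passes from the listing above, re-implemented in Python so each line can be checked against the disassembly. This is an added example, not the author's code and not CoverXP's. Variables are named after the registers and stack slots they mirror (esi, ebx, edi, [EBP-1C] as v1c, [EBP-18] as the length), and 32-bit signed wrap is emulated because the IMUL EBX loop at 00507452 can overflow. The following are assumptions, not things the page states: the name is treated as Latin-1 bytes, the RTL call 0040934C is taken to be IntToStr (the author's annotations imply a decimal string), and the sample name "ABCDE" is constructed test input. Only the two pieces the author identifies are labelled (IntToStr(EDI) as the leading part, IntToStr(ESI) as the trailing part); the stretch the author elided between 005074A1 and 00507537 decides how the pieces are joined into the final code, so that part is deliberately not reconstructed.

```python
# Re-implementation of the two hashing passes in the CoverXP listing.
# Register-style names mirror the disassembly; the final string assembly
# (partly elided on the page) is NOT reproduced here.

MASK32 = 0xFFFFFFFF


def s32(x):
    """Truncate to a signed 32-bit value, as the x86 registers do."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def idiv_rem(a, b):
    """Remainder of CDQ/IDIV: the sign follows the dividend, like C's %."""
    r = abs(a) % abs(b)
    return -r if a < 0 else r


def coverxp_hash(name):
    """Return (esi, edi, ebx, v1c) after both passes for a user name.

    Returns None when the name is shorter than 5 characters, matching
    CMP [EBP-18],5 / JL at 0050735C. Assumption: name is Latin-1.
    """
    data = name.encode("latin-1")
    length = len(data)                      # [EBP-18]
    if length < 5:
        return None

    esi = 0x40                              # MOV ESI,40
    v1c = s32(esi * 2 + 3)                  # [EBP-1C] = 0x83
    c4 = data[length - 4]                   # MOVZX EAX,BYTE [EAX+EDX-04] -> [EBP-20]
    ebx = s32(c4 * v1c)                     # IMUL EBX,[EBP-1C]

    for i in range(1, length + 1):          # ECX runs 1..length
        sel = idiv_rem(i, 3)                # EDI = ECX mod 3
        ebx = s32(ebx + sel * 4)            # SHL EAX,2 ; ADD EBX,EAX
        m = idiv_rem(c4, i + 0x10)          # [EBP-24] = c4 mod (ECX+16)
        ch = data[i - 1]                    # MOVZX EAX,BYTE [EAX+ECX-01]
        prod = s32(ch * m)                  # IMUL DWORD [EBP-24], low half
        if sel == 0:                        # 005073D6
            esi = s32(esi + (prod ^ 0xAA))
            ebx = s32(ebx - 6)
        elif sel == 1:                      # 005073ED
            esi = s32(esi + (prod ^ 0xCC))
            ebx = s32(ebx - 6)
        else:                               # 00507404
            esi = s32(esi + (prod ^ 0x1C))
            v1c = s32(ebx + 4)              # LEA EAX,[EBX+04] ; MOV [EBP-1C],EAX

    # 00507420: fold ESI down below 10000, adding EBX to [EBP-1C] each round
    while esi > 0x2710:
        esi -= 0x2710
        v1c = s32(v1c + ebx)

    # 00507439: EDI = (ESI mod 9 + 1) * length, folded below 100 with EBX *= [EBP-1C]
    edi = s32((idiv_rem(esi, 9) + 1) * length)
    while edi > 0x64:
        edi -= 0x64
        ebx = s32(v1c * ebx)

    return esi, edi, ebx, v1c


def serial_parts(name):
    """The two pieces the author labels: IntToStr(EDI) as the leading part
    (up to four digits) and IntToStr(ESI) as the trailing part.
    Assumption: 0040934C is IntToStr. How they are joined with the
    IntToStr([EBP-1C]) / IntToStr(EBX) strings is elided on the page.
    """
    h = coverxp_hash(name)
    if h is None:
        return None
    esi, edi, _ebx, _v1c = h
    return str(edi), str(esi)


if __name__ == "__main__":
    print(coverxp_hash("ABCDE"), serial_parts("ABCDE"))
```

Stepping a real name through SoftICE and comparing ESI/EDI/EBX/[EBP-1C] at 0050745E against this function is the quickest way to confirm the translation before spending time on the elided stretch.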
- Title: CoverXP: my turn to add one too, heh (5,000 characters)
- Author: AirHolder
- Date: 2002-9-29 13:26:01
- Link: http://bbs.pediy.com