目标软件: mIRC 6.01
软件简介: 呵呵,根本就不需要由我来介绍这款大名鼎鼎的软件了吧?:)
软件性质: 共享软件,免费试用30天。
使用工具: W32Dasm中文版(GOLD)、TRW2000。
:004C3C13
6837D75600 push 0056D737
<====序列号入栈。
:004C3C18 6850D35600
push 0056D350 <====用户名入栈。
:004C3C1D E88FFBFFFF
call 004C37B1 <====关键CALL。
:004C3C22
85C0 test
eax, eax <====测试EAX。
:004C3C24 0F84B7000000
je 004C3CE1 <====不跳注册成功。
.............................................................................................
*
Reference To: USER32.EndDialog, Ord:0000h
|
:004C3C97
E84EB30800 Call 0054EFEA
:004C3C9C
6A00 push
00000000
:004C3C9E 6A00
push 00000000
*
Possible Reference to String Resource ID=01912: "Registration"
|
:004C3CA0 6878070000
push 00000778
:004C3CA5 E80D8AF6FF
call 0042C6B7
:004C3CAA 50
push eax
:004C3CAB 6A00
push 00000000
*
Possible Reference to String Resource ID=01911: "Your registration has
been entered successfully."
|
:004C3CAD 6877070000
push 00000777
:004C3CB2 E8008AF6FF
call 0042C6B7
:004C3CB7 50
push eax
:004C3CB8 FF7508
push [ebp+08]
*
Reference To: USER32.MessageBoxA, Ord:0000h
|
:004C3CBB
E8F2B40800 Call 0054F1B2
:004C3CC0
6A00 push
00000000
.............................................................................................
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C3C24(C)
|
.............................................................................................
*
Possible Reference to String Resource ID=01912: "Registration"
|
:004C3D18 6878070000
push 00000778
:004C3D1D E89589F6FF
call 0042C6B7
:004C3D22 50
push eax
:004C3D23 6A00
push 00000000
*
Possible Reference to String Resource ID=01913: "The registration name and
number you have entered do not mat"
|
:004C3D25
6879070000 push 00000779
:004C3D2A
E88889F6FF call 0042C6B7
进入 4C3C1D 处的关键 CALL,直到:
:004C38CB
E8EEFDFFFF call 004C36BE
<====测试你输入的序列号。
:004C38D0 85C0
test eax, eax
:004C38D2 7407
je 004C38DB
<====跳走就会 Game Over !
所以进入 4C38CB 处 CALL 的目标 004C36BE 看看(参数由调用方先压序列号再压用户名,所以函数内 [ebp+08]=用户名,[ebp+0C]=序列号):
* Referenced
by a CALL at Addresses:
|:004C3839 , :004C38CB
|
:004C36BE
55 push
ebp
:004C36BF 8BEC
mov ebp, esp
:004C36C1 83C4F4
add esp, FFFFFFF4
:004C36C4 53
push ebx
:004C36C5 56
push
esi
:004C36C6 57
push edi
:004C36C7 8B750C
mov esi, dword ptr [ebp+0C]
:004C36CA FF7508
push [ebp+08]
:004C36CD E84ECA0700
call 00540120 <====获得用户名长度(strlen 类函数,结果在 EAX)。
:004C36D2 59
pop ecx <====cdecl 清栈:弹掉刚压入的参数(等价于 add esp,4),ECX 的值本身无用。
:004C36D3
83F805 cmp eax,
00000005<====和 5 比较。
:004C36D6 7307
jnb 004C36DF <====用户名长度 ≥ 5(jnb 为无符号比较)才进行下一步,否则 EAX 清零失败返回。
:004C36D8 33C0
xor eax, eax
:004C36DA E9C9000000
jmp 004C37A8 <====否则
Game Over !
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004C36D6(C)
|
:004C36DF
6A2D push
0000002D
:004C36E1 56
push esi
:004C36E2 E899C90700
call 00540080 <====在序列号中查找字符 '-'(00540080 等价于 strchr(serial,'-'):返回指向第一个 '-' 的指针,找不到返回 0)。
:004C36E7 83C408
add esp, 00000008
:004C36EA 8BD8
mov ebx, eax
:004C36EC 85DB
test ebx, ebx
:004C36EE
7507 jne
004C36F7 <====找到了 '-'(返回值非 0,已存入 EBX)就进行下一步的计算。
:004C36F0 33C0
xor eax, eax
:004C36F2 E9B1000000
jmp 004C37A8 <====否则
Game Over !
由于不知道序列号的正确形式是什么,所以进入 4C36E2 处 CALL 的目标 00540080(参数:push esi=序列号,push 2D='-'):
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:00540220(U), :00540225(U)
|
:00540080
55 push
ebp
:00540081 8BEC
mov ebp, esp
:00540083 53
push ebx
<====保存 EBX(被调用者需保护的寄存器),并不是压入用户名;参数早已在栈上:[ebp+08]=待搜索的字符串(这里是序列号),[ebp+0C]=要找的字符。
:00540084 8B5508
mov edx, dword ptr [ebp+08]
:00540087 8BCA
mov ecx, edx
:00540089 8A450C
mov al, byte ptr
[ebp+0C] <====“-”送入AL。
:0054008C FC
cld
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005400B9(C)
|
:0054008D
8A1A mov
bl, byte ptr [edx] <====取当前 4 字节组的第 1 个字节送入 BL(循环被展开 4 次,每轮 EDX 推进 4,见 005400B4;下面的"第二/三/四位"都是指组内偏移)。
:0054008F 3AC3
cmp al, bl
<====和 AL 比较。
:00540091 742C
je 005400BF
<====等于就返回该字符的地址(EAX=EDX+组内偏移)。
:00540093 84DB
test bl, bl
<====测试 BL。
:00540095 7424
je 005400BB
<====遇到字符串结尾 NUL 仍未找到则返回 0。
:00540097 8A5A01
mov bl, byte ptr [edx+01] <====序列号第二
位送入BL。
:0054009A 3AC3
cmp al, bl
<====和 AL 比较。
:0054009C 7425
je 005400C3
<====等于就成功
返回。
:0054009E 84DB
test bl, bl
<====测试 BL。
:005400A0 7419
je 005400BB
<====已比较完则
返回。
:005400A2 8A5A02
mov bl, byte ptr [edx+02] <====序列号第三
位送入BL。
:005400A5 3AC3
cmp al, bl
<====和 AL 比较。
:005400A7
741F je 005400C8
<====等于就成功
返回。
:005400A9 84DB
test bl, bl
<====测试 BL。
:005400AB 740E
je 005400BB
<====已比较完则
返回。
:005400AD 8A5A03
mov bl, byte ptr [edx+03] <====序列号第四
位送入BL。
:005400B0 3AC3
cmp al, bl
<====和 AL 比较。
:005400B2
7419 je 005400CD
<====等于就成功
返回。
:005400B4 83C204
add edx, 00000004
:005400B7
84DB test
bl, bl
:005400B9 75D2
jne 0054008D <====没比较完就
向上循环。
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00540095(C),
:005400A0(C), :005400AB(C)
|
:005400BB 33C0
xor eax, eax
:005400BD EB11
jmp 005400D0
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00540091(C)
|
:005400BF
8BC2 mov
eax, edx
:005400C1 EB0D
jmp 005400D0
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0054009C(C)
|
:005400C3
8D4201 lea eax,
dword ptr [edx+01]
:005400C6 EB08
jmp 005400D0
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005400A7(C)
|
:005400C8
8D4202 lea eax,
dword ptr [edx+02]
:005400CB EB03
jmp 005400D0
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005400B2(C)
|
:005400CD
8D4203 lea eax,
dword ptr [edx+03]
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005400BD(U),
:005400C1(U), :005400C6(U), :005400CB(U)
|
:005400D0 5B
pop ebx
:005400D1 5D
pop
ebp
:005400D2 C3
ret
这下知道序列号的形式了:)!00540080 其实就是 strchr:序列号中必须至少含有一个 '-'。后面 4C36F7 处在第一个 '-' 的位置临时写入 0 把字符串切成两段(4C3704 再改回 2D),并要求 '-' 后面不能为空(4C3708),所以序列号形式为"数字-数字"。于是重新输入序列号(随便输):765-4321,然后继续:
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C36EE(C)
|
:004C36F7
C60300 mov byte
ptr [ebx], 00
:004C36FA 56
push esi
<====第一个“-”前的
数字入栈。
:004C36FB E874580800 call
00548F74 <====将 '-' 前的十进制字符串转换为整数(atoi 类函数,如 765 -> EAX=0x2FD=765,见下文调试结果),结果存入 [ebp-04]。
:004C3700 59
pop ecx
:004C3701 8945FC
mov dword ptr [ebp-04],
eax
:004C3704 C6032D
mov byte ptr [ebx], 2D
:004C3707 43
inc ebx
:004C3708 803B00
cmp byte ptr [ebx], 00
:004C370B
7507 jne
004C3714
:004C370D 33C0
xor eax, eax
:004C370F E994000000
jmp 004C37A8
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C370B(C)
|
:004C3714
53 push
ebx <====第一个“-”后
的数字入栈。
:004C3715
E85A580800 call 00548F74
<====同样转换为整数,结果存入 [ebp-08]。
:004C371A 59
pop ecx
:004C371B 8945F8
mov dword ptr [ebp-08], eax
:004C371E
FF7508 push [ebp+08]
<====用户名入栈。
:004C3721 E8FAC90700
call 00540120
<====获得其位数。
:004C3726 59
pop ecx
:004C3727 8945F4
mov dword ptr [ebp-0C],
eax
:004C372A 33C0
xor eax, eax
:004C372C 33DB
xor ebx, ebx
:004C372E BA03000000
mov edx, 00000003
:004C3733 8B4D08
mov ecx, dword ptr
[ebp+08]
:004C3736 83C103
add ecx, 00000003
:004C3739 3B55F4
cmp edx, dword ptr [ebp-0C]
:004C373C 7D1C
jge 004C375A
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C3758(C)
|
:004C373E
0FB631 movzx esi,
byte ptr [ecx] <====逐字节取用户名(ECX=[ebp+08]+3,即从用户名第 4 个字符即下标 3 开始,直到长度 [ebp-0C]),注意这里取的是用户名而不是序列号。
:004C3741 0FAF34852CC45500 imul esi,
dword ptr [4*eax+0055C42C] <====乘以 0055C42C 处 DWORD 常数表的第 EAX 项,EAX 在 0..0x26 之间循环(见 4C374C),乘积累加到 EBX。
:004C3749 03DE
add ebx, esi
:004C374B 40
inc eax
:004C374C
83F826 cmp eax,
00000026
:004C374F 7E02
jle 004C3753
:004C3751 33C0
xor eax, eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C374F(C)
|
:004C3753
42 inc
edx
:004C3754 41
inc ecx
:004C3755 3B55F4
cmp edx, dword ptr [ebp-0C]
:004C3758 7CE4
jl 004C373E
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C373C(C)
|
:004C375A
3B5DFC cmp ebx,
dword ptr [ebp-04] <====关键比较(1):EBX 为上面循环对用户名算出的校验和,与序列号 '-' 前的数字比较。
:004C375D 7404
je 004C3763
<====等于就进入
下一步比较。
:004C375F 33C0
xor eax, eax
:004C3761 EB45
jmp 004C37A8
<====否则返回。
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C375D(C)
|
:004C3763
33C0 xor
eax, eax
:004C3765 33DB
xor ebx, ebx
:004C3767 BA03000000
mov edx, 00000003
:004C376C 8B4D08
mov ecx, dword ptr [ebp+08]
:004C376F
83C103 add ecx,
00000003
:004C3772 3B55F4
cmp edx, dword ptr [ebp-0C]
:004C3775 7D23
jge 004C379A
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C3798(C)
|
:004C3777
0FB631 movzx esi,
byte ptr [ecx]
:004C377A 0FB679FF
movzx edi, byte ptr [ecx-01]
:004C377E 0FAFF7
imul esi, edi
:004C3781 0FAF34852CC45500
imul esi, dword ptr [4*eax+0055C42C]
:004C3789 03DE
add ebx,
esi
:004C378B 40
inc eax
:004C378C 83F826
cmp eax, 00000026
:004C378F 7E02
jle 004C3793
:004C3791 33C0
xor eax, eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C378F(C)
|
:004C3793
42 inc
edx
:004C3794 41
inc ecx
:004C3795 3B55F4
cmp edx, dword ptr [ebp-0C]
:004C3798 7CDD
jl 004C3777
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C3775(C)
|
:004C379A
3B5DF8 cmp ebx,
dword ptr [ebp-08] <====关键比较(2):第二个循环的校验和(name[i]*name[i-1]*table[k] 累加)与序列号 '-' 后的数字比较。
:004C379D 7404
je 004C37A3
<====等于就可
成功返回。
:004C379F 33C0
xor eax, eax
:004C37A1
EB05 jmp
004C37A8 <====否则出错。
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C379D(C)
|
:004C37A3
B801000000 mov eax, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004C36DA(U),
:004C36F2(U), :004C370F(U), :004C3761(U), :004C37A1(U)
|
:004C37A8 5F
pop edi
:004C37A9
5E pop
esi
:004C37AA 5B
pop ebx
:004C37AB 8BE5
mov esp, ebp
:004C37AD 5D
pop ebp
:004C37AE C20800
ret 0008
终于到了最后的 BOSS 战了^_^!用 TRW 2000 依次在上面两处关键比较处下断点,获得正确的序列号:
在 4C375A 处下断点,成功断下来之后,下:
?
EBX
DEC = 3436
HEX = d6c
D EBP-04
0177:008DF0C0
FD 02 00 00 E0 F0 8D 00-3E 38 4C 00 D0 3C 57 00 ?..囵?>8L.?W.
0177:008DF0D0
D4 3D 57 00 00 F1 8D 00-70 81 00 00 4C F1 8D 00 ?W..駦.p?.L駦.
0177:008DF0E0
F8 F0 8D 00 22 3C 4C 00-50 D3 56 00 37 D7 56 00 ?"<L.P覸.7譜.
0177:008DF0F0
00 F1 8D 00 70 81 00 00-18 F1 8D 00 13 36 F6 BF .駦.p?..駦..6隹
?
02FD
DEC = 765
HEX = 2fd
从新填入序列号:3436-4321,然后在 4C379A 处下断点,成功断下来之后,下:
?
EBX
DEC = 371733
HEX = 5ac15
D EBP-08
0177:008DF0BC
E1 10 00 00 6C 0D 00 00-E0 F0 8D 00 3E 38 4C 00 ?..l...囵?>8L.
0177:008DF0CC
D0 3C 57 00 D4 3D 57 00-00 F1 8D 00 70 81 00 00 ?W.?W..駦.p?.
0177:008DF0DC
4C F1 8D 00 F8 F0 8D 00-22 3C 4C 00 50 D3 56 00 L駦.?"<L.P覸.
0177:008DF0EC
37 D7 56 00 00 F1 8D 00-70 81 00 00 18 F1 8D 00 7譜..駦.p?..駦.
?
10E1
DEC = 4321
HEX = 10e1
最后小节:mIRC 先检查序列号的形式(用户名长度 ≥ 5,序列号必须含 '-' 且前后两段都是十进制数),然后只根据用户名做两轮加权求和,再把两个结果分别与序列号的两段比较,相等即注册成功。整个校验只依赖用户名,比较也只是明文的 cmp/je,所以既可以直接改跳转,也可以像上面那样在两处比较下断点直接读出任意用户名对应的序列号。
注册之后,注册信息保存在注册表:HKEY_CURRENT_USER\Software\mIRC\License 子键中。
整理:
用户名:fengma
序列号:3436-371733
15:02
2002-08-11
风马