Target: 财智老板通 3.04 registered edition (module name MoneyBos)
Software URL: http://www.moneywise.com.cn/downcenter.htm
Tools: OllyDbg 1.09, W32Dasm Gold Edition, basic assembly knowledge, and a cracker's mindset
Purpose: technical research; if anyone has a better approach, please point it out
For ease of explanation, assume the following codes:
User code: 1-505-5171
Registration code entered (a dummy, to trace the check): 87654321 (its digits are written X(1) X(2) X(3) X(4) X(5) X(6) X(7) X(8))
I. Finding the error message.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0062BAFC(C)
|
:0062BB65 68E8030000              push 000003E8

* Reference To: kernel32.Sleep, Ord:0000h
|
:0062BB6A E891C3DDFF              Call 00407F00
:0062BB6F FF8380030000            inc dword ptr [ebx+00000380]
:0062BB75 B930000000              mov ecx, 00000030
:0062BB7A 33D2                    xor edx, edx

* Possible StringData Ref from Code Obj ->"您所输入的注册码不正确,请检查您的输入是否正确"
                                        ->"!"
(The string reads: "The registration code you entered is incorrect, please check your input!")

It is reached by the jump at 0062BAFC, so look there:

:0062BAF2 8B45FC                  mov eax, dword ptr [ebp-04]
:0062BAF5 E88E90FBFF              call 005E4B88                 ; =========> key CALL (1)
:0062BAFA 84C0                    test al, al
:0062BAFC 7467                    je 0062BB65                   ; =========> one jump and you are dead. Patching this JE to JNE makes the program report success, but it is not actually registered.
:0062BAFE A148886800              mov eax, dword ptr [00688848]
II. Load the program in OllyDbg, set a breakpoint at 0062BAF5 with F2, run with F9, and step into key CALL (1) with F7.
-------------------------------------------
Key CALL (1)
005E4B88  /$ 55             PUSH EBP
005E4B89  |. 8BEC           MOV EBP,ESP
005E4B8B  |. 6A 00          PUSH 0
005E4B8D  |. 6A 00          PUSH 0
005E4B8F  |. 6A 00          PUSH 0
005E4B91  |. 53             PUSH EBX
005E4B92  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX       ; EAX = the entered registration code
005E4B95  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
005E4B98  |. E8 4BF8E1FF    CALL MoneyBos.004043E8
005E4B9D  |. 33C0           XOR EAX,EAX
005E4B9F  |. 55             PUSH EBP
005E4BA0  |. 68 314C5E00    PUSH MoneyBos.005E4C31
005E4BA5  |. 64:FF30        PUSH DWORD PTR FS:[EAX]
005E4BA8  |. 64:8920        MOV DWORD PTR FS:[EAX],ESP
005E4BAB  |. 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
005E4BAE  |. E8 29FFFFFF    CALL MoneyBos.005E4ADC             ; fetch the user code
005E4BB3  |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]       ; here EAX = 1-505-5171
005E4BB6  |. 8D55 F8        LEA EDX,DWORD PTR SS:[EBP-8]
005E4BB9  |. E8 3EFFFFFF    CALL MoneyBos.005E4AFC             ; derive the intermediate code 5-187-9773 from the user code
005E4BBE  |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]       ; here EAX = 5-187-9773
005E4BC1  |. E8 6AFCFFFF    CALL MoneyBos.005E4830             ; key CALL (2): run the intermediate code 5-187-9773 through it, result in EAX
005E4BC6  |. 8BD8           MOV EBX,EAX                        ; keep that result in EBX
005E4BC8  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
005E4BCB  |. E8 60FCFFFF    CALL MoneyBos.005E4830             ; =========> key CALL (2): run the entered (dummy) code 87654321 through it, result in EAX
005E4BD0  |. 05 31D40000    ADD EAX,0D431                      ; add 54321 to EAX
005E4BD5  |. 3BC3           CMP EAX,EBX                        ; compare EAX with EBX
005E4BD7  |. 75 15          JNE SHORT MoneyBos.005E4BEE        ; not equal: jump to the failure path
005E4BD9  |. 3D 31D40000    CMP EAX,0D431                      ; compare EAX with 54321
005E4BDE  |. 74 04          JE SHORT MoneyBos.005E4BE4         ; equal to 54321 means key CALL (2) returned 0 for the entered code: fail
005E4BE0  |. 33D8           XOR EBX,EAX                        ; EBX == EAX here, so this gives 0 and ZF = 1
005E4BE2  |. 74 04          JZ SHORT MoneyBos.005E4BE8         ; ... and the jump to AL = 1 (success) is taken
005E4BE4  |> 33C0           XOR EAX,EAX
005E4BE6  |. EB 02          JMP SHORT MoneyBos.005E4BEA
005E4BE8  |> B0 01          MOV AL,1
005E4BEA  |> 8BD8           MOV EBX,EAX
005E4BEC  |. EB 28          JMP SHORT MoneyBos.005E4C16
005E4BEE  |> 3D 39300000    CMP EAX,3039                       ; failure path: a few fixed values are rejected outright ...
005E4BF3  |. 74 19          JE SHORT MoneyBos.005E4C0E
005E4BF5  |. 3D 31D40000    CMP EAX,0D431
005E4BFA  |. 74 12          JE SHORT MoneyBos.005E4C0E
005E4BFC  |. 3D 3A300000    CMP EAX,303A
005E4C01  |. 74 0B          JE SHORT MoneyBos.005E4C0E
005E4C03  |. 3D 3B300000    CMP EAX,303B
005E4C08  |. 74 04          JE SHORT MoneyBos.005E4C0E
005E4C0A  |. 33D8           XOR EBX,EAX                        ; ... otherwise AL = 1 only if EBX == EAX, which cannot hold on this path, so it returns 0
005E4C0C  |. 74 04          JE SHORT MoneyBos.005E4C12
005E4C0E  |> 33C0           XOR EAX,EAX
005E4C10  |. EB 02          JMP SHORT MoneyBos.005E4C14
005E4C12  |> B0 01          MOV AL,1
005E4C14  |> 8BD8           MOV EBX,EAX
005E4C16  |> 33C0           XOR EAX,EAX
005E4C18  |. 5A             POP EDX
005E4C19  |. 59             POP ECX
005E4C1A  |. 59             POP ECX
005E4C1B  |. 64:8910        MOV DWORD PTR FS:[EAX],EDX
005E4C1E  |. 68 384C5E00    PUSH MoneyBos.005E4C38
005E4C23  |> 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
005E4C26  |. BA 03000000    MOV EDX,3
005E4C2B  |. E8 98F3E1FF    CALL MoneyBos.00403FC8
005E4C30  \. C3             RETN
To patch the check, change the JNE at
005E4BD7   75 15          JNE SHORT MoneyBos.005E4BEE
to JE (byte 75 -> 74), and change the JZ at
005E4BE2   74 04          JZ SHORT MoneyBos.005E4BE8
to JNZ (byte 74 -> 75); the program then reports registration success.
Caveat: the CMP EAX,0D431 at 005E4BD9 is still in the way. If the entered code fails the digit check inside key CALL (2) (not eight digits, or the last two digits do not match the first six), that call returns 0, EAX is exactly 54321, and the patched path still returns 0. So even after the patch the entered code has to be eight digits whose check pair is valid. A genuine code keeps working: with the patched JE, the equal case jumps to 005E4BEE, where XOR EBX,EAX gives zero and the JE at 005E4C0C sets AL to 1.
----------------------------------------
Key CALL (2)
005E4830  /$ 55             PUSH EBP
005E4831  |. 8BEC           MOV EBP,ESP
005E4833  |. 83C4 F8        ADD ESP,-8
005E4836  |. 53             PUSH EBX
005E4837  |. 56             PUSH ESI
005E4838  |. 33D2           XOR EDX,EDX
005E483A  |. 8955 F8        MOV DWORD PTR SS:[EBP-8],EDX
005E483D  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX       ; EAX = the code string to check
005E4840  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
005E4843  |. E8 A0FBE1FF    CALL MoneyBos.004043E8
005E4848  |. 33C0           XOR EAX,EAX
005E484A  |. 55             PUSH EBP
005E484B  |. 68 0A495E00    PUSH MoneyBos.005E490A
005E4850  |. 64:FF30        PUSH DWORD PTR FS:[EAX]
005E4853  |. 64:8920        MOV DWORD PTR FS:[EAX],ESP
005E4856  |. 8B55 FC        MOV EDX,DWORD PTR SS:[EBP-4]
005E4859  |. B8 24495E00    MOV EAX,MoneyBos.005E4924
005E485E  |. E8 BDFCE1FF    CALL MoneyBos.00404520
005E4863  |. 85C0           TEST EAX,EAX
005E4865  |. 76 1F          JBE SHORT MoneyBos.005E4886
005E4867  |> 8D55 FC        /LEA EDX,DWORD PTR SS:[EBP-4]      ; this loop strips the "-" characters; so the user code and the registration code share the same format
005E486A  |. B9 01000000    |MOV ECX,1
005E486F  |. 92             |XCHG EAX,EDX
005E4870  |. E8 07FCE1FF    |CALL MoneyBos.0040447C
005E4875  |. 8B55 FC        |MOV EDX,DWORD PTR SS:[EBP-4]
005E4878  |. B8 24495E00    |MOV EAX,MoneyBos.005E4924
005E487D  |. E8 9EFCE1FF    |CALL MoneyBos.00404520
005E4882  |. 85C0           |TEST EAX,EAX
005E4884  |.^77 E1          \JA SHORT MoneyBos.005E4867
005E4886  |> 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
005E4889  |. E8 A6F9E1FF    CALL MoneyBos.00404234
005E488E  |. 83F8 08        CMP EAX,8                          ; the stripped code must be exactly 8 characters long
005E4891  |. 74 04          JE SHORT MoneyBos.005E4897
005E4893  |. 33DB           XOR EBX,EBX                        ; otherwise the result is 0
005E4895  |. EB 58          JMP SHORT MoneyBos.005E48EF
005E4897  |> 8D55 F8        LEA EDX,DWORD PTR SS:[EBP-8]
005E489A  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
005E489D  |. E8 4653E2FF    CALL MoneyBos.00409BE8
005E48A2  |. 33C9           XOR ECX,ECX
005E48A4  |. 33F6           XOR ESI,ESI
005E48A6  |. B8 06000000    MOV EAX,6                          ; core registration computation (1)
-----------------------------------------------------------------------
005E48AB  |> 8B55 F8        /MOV EDX,DWORD PTR SS:[EBP-8]       ; EDX = the string with "-" removed
005E48AE  |. 0FB65402 FF    |MOVZX EDX,BYTE PTR DS:[EDX+EAX-1]  ; take characters 6 down to 1 in turn (1-based index in EAX)
005E48B3  |. 83EA 30        |SUB EDX,30                         ; ASCII digit -> value
005E48B6  |. 03F2           |ADD ESI,EDX                        ; ESI += digit
005E48B8  |. 03C9           |ADD ECX,ECX                        ; ECX *= 2 ...
005E48BA  |. 8D0C89         |LEA ECX,DWORD PTR DS:[ECX+ECX*4]   ; ... then *= 5, i.e. ECX *= 10
005E48BD  |. 03D1           |ADD EDX,ECX                        ; EDX = ECX*10 + digit
005E48BF  |. 8BCA           |MOV ECX,EDX
005E48C1  |. 48             |DEC EAX
005E48C2  |. 85C0           |TEST EAX,EAX
005E48C4  |.^75 E5          \JNZ SHORT MoneyBos.005E48AB        ; results are left in ECX and ESI
-----------------------------------------------------------------------
The loop above computes:
Equation A: ESI = X(1)+X(2)+X(3)+X(4)+X(5)+X(6)
Equation B: ECX = [[[[X(6)*10+X(5)]*10+X(4)]*10+X(3)]*10+X(2)]*10+X(1),
which is the same as ECX = X(6)*100000+X(5)*10000+X(4)*1000+X(3)*100+X(2)*10+X(1)
In other words, the first six digits are read as a decimal number in reversed order (high and low ends swapped): 5-187-9773 gives 797815, and 87654321 gives 345678.
005E48C6  |. 33D2           XOR EDX,EDX
005E48C8  |. B8 08000000    MOV EAX,8                          ; core registration computation (2)
-----------------------------------------------------------------------
005E48CD  |> 03D2           /ADD EDX,EDX                        ; EDX *= 2 ...
005E48CF  |. 8D1492         |LEA EDX,DWORD PTR DS:[EDX+EDX*4]   ; ... then *= 5, i.e. EDX *= 10
005E48D2  |. 8B5D F8        |MOV EBX,DWORD PTR SS:[EBP-8]
005E48D5  |. 0FB65C03 FF    |MOVZX EBX,BYTE PTR DS:[EBX+EAX-1]  ; characters 8 then 7
005E48DA  |. 83EB 30        |SUB EBX,30                         ; ASCII digit -> value
005E48DD  |. 03D3           |ADD EDX,EBX
005E48DF  |. 48             |DEC EAX
005E48E0  |. 83F8 06        |CMP EAX,6
005E48E3  |.^75 E8          \JNZ SHORT MoneyBos.005E48CD        ; result is left in EDX
-----------------------------------------------------------------------
The loop above computes:
Equation C: EDX = X(8)*10+X(7)
005E48E5  |. 3BF2           CMP ESI,EDX                        ; compare the results ESI (equation A) and EDX (equation C)
005E48E7  |. 74 04          JE SHORT MoneyBos.005E48ED         ; if they differ, fall through to the failure path
005E48E9  |. 33DB           XOR EBX,EBX                        ; result 0
005E48EB  |. EB 02          JMP SHORT MoneyBos.005E48EF
005E48ED  |> 8BD9           MOV EBX,ECX                        ; otherwise the result is ECX (equation B), passed on in EBX
005E48EF  |> 33C0           XOR EAX,EAX
005E48F1  |. 5A             POP EDX
005E48F2  |. 59             POP ECX
005E48F3  |. 59             POP ECX
005E48F4  |. 64:8910        MOV DWORD PTR FS:[EAX],EDX
005E48F7  |. 68 11495E00    PUSH MoneyBos.005E4911
005E48FC  |> 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]
005E48FF  |. BA 02000000    MOV EDX,2
005E4904  |. E8 BFF6E1FF    CALL MoneyBos.00403FC8
005E4909  \. C3             RETN
005E490A   .^E9 11F1E1FF    JMP MoneyBos.00403A20
005E490F   .^EB EB          JMP SHORT MoneyBos.005E48FC
005E4911   . 8BC3           MOV EAX,EBX                        ; the return value comes from EBX
005E4913   . 5E             POP ESI
005E4914   . 5B             POP EBX
005E4915   . 59             POP ECX
005E4916   . 59             POP ECX
005E4917   . 5D             POP EBP
005E4918   . C3             RETN
------------------------------------------
From the analysis above, registration succeeds only when:
1. Equation A and equation C give the same result (the sum of the first six digits equals X(8)*10+X(7)); otherwise key CALL (2) returns 0 and key CALL (1) fails at 005E4BD9.
2. The entered code run through equation B, plus 54321, equals the intermediate code (derived from the user code) run through equation B.
So the registration code has two parts: the first six digits are part one, the last two digits are part two, and part two is computed from part one.
My registration code is therefore:
Part one: running 5-187-9773 through equation B gives 797815 ==> 797815-54321 = 743494; reversing that back through equation B gives 494347.
Part two: the digits of 494347 add up to 31, so digit 7 is 1 and digit 8 is 3.
Summary:
User code: 1-505-5171
Registration code: 4-943-4713
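The two checks and the derivation above, as an added Python model; this is not code from the page or from the program. It follows the listings of key CALL (2) and key CALL (1) and equations A, B and C, and generalizes the worked example to any intermediate code. The step from user code to intermediate code (CALL 005E4AFC) is not shown on the page, so keygen() takes the intermediate code as input, the string seen in EAX at 005E4BBE. The constant 0xD431 and the d-ddd-dddd layout come from the listing; the function names are mine.

```python
# Added example (not the program's code): a Python model of key CALL (2) at
# 005E4830 and key CALL (1) at 005E4B88, plus a keygen built from equations
# A, B and C of the write-up. Function names are my own; the constant 0xD431
# and the d-ddd-dddd layout are taken from the listing.

MAGIC = 0xD431  # 54321, added to f(entered) at 005E4BD0


def equations(code: str) -> tuple[int, int, int]:
    """Equations A, B and C for an 8-character code with the dashes already
    removed. Returns (ESI, ECX, EDX):
      A: ESI = X(1)+...+X(6)
      B: ECX = X(6)*100000 + X(5)*10000 + ... + X(2)*10 + X(1)
      C: EDX = X(8)*10 + X(7)
    """
    x = [ord(c) - 0x30 for c in code]     # SUB reg,30: ASCII digit -> value
    esi = ecx = 0
    for i in range(6, 0, -1):             # first loop: EAX counts 6 down to 1
        esi += x[i - 1]
        ecx = ecx * 10 + x[i - 1]         # ADD ECX,ECX; LEA ECX,[ECX+ECX*4]; ADD EDX,ECX
    edx = 0
    for i in range(8, 6, -1):             # second loop: EAX counts 8 down to 7
        edx = edx * 10 + x[i - 1]
    return esi, ecx, edx


def key_call_2(code: str) -> int:
    """CALL 005E4830: strip '-', require 8 characters, return equation B
    when A == C and 0 otherwise (EBX = 0 at 005E4893 / 005E48E9)."""
    s = code.replace("-", "")
    if len(s) != 8 or not s.isdigit():    # the listing only checks the length;
        return 0                          # rejecting non-digits is my addition
    esi, ecx, edx = equations(s)
    return ecx if esi == edx else 0


def key_call_1(intermediate: str, entered: str) -> bool:
    """CALL 005E4B88: AL = 1 only when f(entered) + 54321 == f(intermediate)
    and f(entered) was not 0 (the CMP EAX,0D431 at 005E4BD9)."""
    ebx = key_call_2(intermediate)
    eax = key_call_2(entered) + MAGIC
    return eax == ebx and eax != MAGIC


def format_code(digits8: str) -> str:
    """Lay an 8-digit string out as d-ddd-dddd, the way the program shows codes."""
    return f"{digits8[0]}-{digits8[1:4]}-{digits8[4:]}"


def keygen(intermediate: str) -> str:
    """Derive the registration code from the intermediate code:
    part one: the six digits whose equation-B value is f(intermediate) - 54321
              (equation B reads the digits reversed, so reverse them back);
    part two: X(7) = units and X(8) = tens of part one's digit sum, so that
              equation C equals equation A."""
    target = key_call_2(intermediate) - MAGIC
    if not 1 <= target <= 999999:
        raise ValueError("intermediate code fails key CALL (2) or its value is out of range")
    part1 = f"{target:06d}"[::-1]
    total = sum(int(c) for c in part1)    # at most 54, so two digits suffice
    part2 = f"{total % 10}{total // 10}"
    code = format_code(part1 + part2)
    assert key_call_1(intermediate, code)  # self-check against the model of key CALL (1)
    return code


if __name__ == "__main__":
    print(keygen("5-187-9773"))  # the worked example above: 4-943-4713
```

Running it reproduces the hand derivation: equations("51879773") gives (37, 797815, 37), so the intermediate code itself passes key CALL (2), while the dummy 87654321 gives (33, 345678, 12) and is rejected before the 54321 comparison is ever reached. The range check in keygen() covers the one case the formula cannot serve: an intermediate code whose equation-B value is below 54322 has no six-digit part one.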
III. Writing a keygen
I will write a keygen when I have time. Below is the CALL that generates the intermediate registration code; my time really is limited, so could someone take a look at how it derives the intermediate code from the user code?
The CALL that derives the intermediate code from the user code
---------------------------------------
005E472C  /$ 55             PUSH EBP
005E472D  |. 8BEC           MOV EBP,ESP
005E472F  |. 33C9           XOR ECX,ECX
005E4731  |. 51             PUSH ECX
005E4732  |. 51             PUSH ECX
005E4733  |. 51             PUSH ECX
005E4734  |. 51             PUSH ECX
005E4735  |. 51             PUSH ECX
005E4736  |. 53             PUSH EBX
005E4737  |. 56             PUSH ESI
005E4738  |. 57             PUSH EDI
005E4739  |. 8955 F8        MOV DWORD PTR SS:[EBP-8],EDX       ; EDX = where the result string is stored
005E473C  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX       ; EAX = the input integer
005E473F  |. 33C0           XOR EAX,EAX
005E4741  |. 55             PUSH EBP
005E4742  |. 68 16485E00    PUSH MoneyBos.005E4816
005E4747  |. 64:FF30        PUSH DWORD PTR FS:[EAX]
005E474A  |. 64:8920        MOV DWORD PTR FS:[EAX],ESP
005E474D  |. 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
005E4750  |. E8 4FF8E1FF    CALL MoneyBos.00403FA4
005E4755  |. 33FF           XOR EDI,EDI                        ; EDI = 0 (running digit sum)
005E4757  |. BB 06000000    MOV EBX,6                          ; six iterations
005E475C  |> 8B45 FC        /MOV EAX,DWORD PTR SS:[EBP-4]
005E475F  |. B9 0A000000    |MOV ECX,0A
005E4764  |. 33D2           |XOR EDX,EDX
005E4766  |. F7F1           |DIV ECX                           ; EDX = EAX mod 10 (lowest decimal digit), EAX = EAX div 10
005E4768  |. 8BF2           |MOV ESI,EDX
005E476A  |. 03FE           |ADD EDI,ESI                       ; EDI += digit
005E476C  |. 8D45 F0        |LEA EAX,DWORD PTR SS:[EBP-10]
005E476F  |. 8D56 30        |LEA EDX,DWORD PTR DS:[ESI+30]     ; digit -> ASCII character
005E4772  |. E8 D5F9E1FF    |CALL MoneyBos.0040414C
005E4777  |. 8B55 F0        |MOV EDX,DWORD PTR SS:[EBP-10]
005E477A  |. 8D45 F4        |LEA EAX,DWORD PTR SS:[EBP-C]
005E477D  |. E8 BAFAE1FF    |CALL MoneyBos.0040423C            ; append the character to the result string
005E4782  |. 8B45 FC        |MOV EAX,DWORD PTR SS:[EBP-4]
005E4785  |. B9 0A000000    |MOV ECX,0A
005E478A  |. 33D2           |XOR EDX,EDX
005E478C  |. F7F1           |DIV ECX
005E478E  |. 8945 FC        |MOV DWORD PTR SS:[EBP-4],EAX      ; input = input div 10
005E4791  |. 4B             |DEC EBX
005E4792  |.^75 C8          \JNZ SHORT MoneyBos.005E475C
005E4794  |. BB 02000000    MOV EBX,2                          ; two iterations
005E4799  |> 8BC7           /MOV EAX,EDI                       ; ======> the code below produces the digits of the intermediate code one by one (here: the digits of the sum in EDI)
005E479B  |. B9 0A000000    |MOV ECX,0A
005E47A0  |. 33D2           |XOR EDX,EDX
005E47A2  |. F7F1           |DIV ECX
005E47A4  |. 8BF2           |MOV ESI,EDX                       ; ESI = EDI mod 10
005E47A6  |. 8D45 EC        |LEA EAX,DWORD PTR SS:[EBP-14]
005E47A9  |. 8D56 30        |LEA EDX,DWORD PTR DS:[ESI+30]
005E47AC  |. E8 9BF9E1FF    |CALL MoneyBos.0040414C
005E47B1  |. 8B55 EC        |MOV EDX,DWORD PTR SS:[EBP-14]
005E47B4  |. 8D45 F4        |LEA EAX,DWORD PTR SS:[EBP-C]
005E47B7  |. E8 80FAE1FF    |CALL MoneyBos.0040423C            ; ======> one more digit is appended every time this is passed; see the CALL below
005E47BC  |. 8BC7           |MOV EAX,EDI
005E47BE  |. B9 0A000000    |MOV ECX,0A
005E47C3  |. 33D2           |XOR EDX,EDX
005E47C5  |. F7F1           |DIV ECX
005E47C7  |. 8BF8           |MOV EDI,EAX                       ; EDI = EDI div 10
005E47C9  |. 4B             |DEC EBX
005E47CA  |.^75 CD          \JNZ SHORT MoneyBos.005E4799
005E47CC  |. 8D55 F4        LEA EDX,DWORD PTR SS:[EBP-C]
005E47CF  |. B9 05000000    MOV ECX,5
005E47D4  |. B8 2C485E00    MOV EAX,MoneyBos.005E482C
005E47D9  |. E8 E6FCE1FF    CALL MoneyBos.004044C4
005E47DE  |. 8D55 F4        LEA EDX,DWORD PTR SS:[EBP-C]
005E47E1  |. B9 02000000    MOV ECX,2
005E47E6  |. B8 2C485E00    MOV EAX,MoneyBos.005E482C
005E47EB  |. E8 D4FCE1FF    CALL MoneyBos.004044C4
005E47F0  |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
005E47F3  |. 8B55 F4        MOV EDX,DWORD PTR SS:[EBP-C]
005E47F6  |. E8 FDF7E1FF    CALL MoneyBos.00403FF8             ; store the result string at the address passed in EDX
005E47FB  |. 33C0           XOR EAX,EAX
005E47FD  |. 5A             POP EDX
005E47FE  |. 59             POP ECX
005E47FF  |. 59             POP ECX
005E4800  |. 64:8910        MOV DWORD PTR FS:[EAX],EDX
005E4803  |. 68 1D485E00    PUSH MoneyBos.005E481D
005E4808  |> 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
005E480B  |. BA 03000000    MOV EDX,3
005E4810  |. E8 B3F7E1FF    CALL MoneyBos.00403FC8
005E4815  \. C3             RETN
--------------------------------------------------------
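The routine above, as an added Python model of how I read the listing; it is not the program's code. What the listing shows is how the intermediate code string is built from the integer the caller passes in EAX: the six lowest decimal digits of that integer, least significant first, followed by the two digits of their sum (units, then tens), with "-" inserted at positions 5 and 2. How CALL 005E4AFC derives that integer from the user code is not on the page, so build_intermediate_code() takes the integer as its argument. Assumption: CALL 004044C4 inserts the string at 005E482C, taken to be "-", into the result at the 1-based position in ECX; that is the only reading that yields the d-ddd-dddd layout seen in the debugger.

```python
# Added example (not the program's code): a Python model of CALL 005E472C as
# read from the listing. Input: the integer in EAX. Output: the string the
# routine stores through EDX. Assumption: 004044C4 is an insert routine and
# 005E482C points to "-".

def build_intermediate_code(value: int) -> str:
    """Model of 005E472C: EAX = value; returns the resulting code string."""
    if value < 0:
        raise ValueError("DIV ECX is an unsigned division; value must be >= 0")
    out = []               # the string at [EBP-C], grown by CALL 0040423C
    total = 0              # EDI, the running digit sum
    v = value              # [EBP-4]
    for _ in range(6):     # EBX = 6: loop 005E475C .. 005E4792
        d = v % 10         # DIV ECX with ECX = 0A: remainder in EDX -> ESI
        total += d         # ADD EDI,ESI
        out.append(chr(0x30 + d))    # LEA EDX,[ESI+30], then appended
        v //= 10           # quotient written back to [EBP-4]
    for _ in range(2):     # EBX = 2: loop 005E4799 .. 005E47CA, digits of the sum
        out.append(chr(0x30 + total % 10))
        total //= 10
    out.insert(5 - 1, "-")   # CALL 004044C4 with ECX = 5 (assumed: insert "-")
    out.insert(2 - 1, "-")   # CALL 004044C4 with ECX = 2
    return "".join(out)


def low_six_digits_value(intermediate: str) -> int:
    """Undo the first loop: the reversed first six digits of the intermediate
    code are the six lowest decimal digits of the integer that produced it.
    This is also exactly equation B of key CALL (2) applied to that code."""
    s = intermediate.replace("-", "")
    return int(s[:6][::-1])


if __name__ == "__main__":
    print(build_intermediate_code(797815))      # 5-187-9773, the code seen at 005E4BBE
    print(low_six_digits_value("5-187-9773"))   # 797815
```

Two things follow from this reading. First, the check pair the routine appends is the digit sum written units-first, so every intermediate code satisfies equation A == equation C by construction and passes key CALL (2). Second, for user code 1-505-5171 the integer handed to this routine must be congruent to 797815 modulo 1000000; passing the user code's own digits as the number 15055171 would give 1-715-5091 instead, so CALL 005E4AFC must transform the user code before calling here. That transformation is the part still to be traced.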
0040423C   $ 85D2           TEST EDX,EDX
0040423E   . 74 3F          JE SHORT MoneyBos.0040427F
00404240   . 8B08           MOV ECX,DWORD PTR DS:[EAX]
00404242   . 85C9           TEST ECX,ECX
00404244   .^0F84 AEFDFFFF  JE MoneyBos.00403FF8
0040424A   . 53             PUSH EBX
0040424B   . 56             PUSH ESI
0040424C   . 57             PUSH EDI
0040424D   . 89C3           MOV EBX,EAX
0040424F   . 89D6           MOV ESI,EDX
00404251   . 8B79 FC        MOV EDI,DWORD PTR DS:[ECX-4]       ; length of the destination string (stored just before the characters)
00404254   . 8B56 FC        MOV EDX,DWORD PTR DS:[ESI-4]       ; length of the string being appended
00404257   . 01FA           ADD EDX,EDI                        ; new total length
00404259   . 39CE           CMP ESI,ECX
0040425B   . 74 17          JE SHORT MoneyBos.00404274
0040425D   . E8 06030000    CALL MoneyBos.00404568
00404262   . 89F0           MOV EAX,ESI
00404264   . 8B4E FC        MOV ECX,DWORD PTR DS:[ESI-4]
00404267   > 8B13           MOV EDX,DWORD PTR DS:[EBX]
00404269   . 01FA           ADD EDX,EDI
0040426B   . E8 38E8FFFF    CALL MoneyBos.00402AA8             ; ======> this is where the character is added: copy it to the end of the grown string; see the CALL below
00404270   . 5F             POP EDI
-----------------------------------------------------
-------------------------------------
(A plain memory copy of ECX bytes from EAX to EDX, forwards, or backwards when the destination lies above the source.)
00402AA8  /$ 56             PUSH ESI
00402AA9  |. 57             PUSH EDI
00402AAA  |. 89C6           MOV ESI,EAX                        ; source
00402AAC  |. 89D7           MOV EDI,EDX                        ; destination
00402AAE  |. 89C8           MOV EAX,ECX                        ; byte count
00402AB0  |. 39F7           CMP EDI,ESI
00402AB2  |. 77 13          JA SHORT MoneyBos.00402AC7         ; destination above source: copy backwards
00402AB4  |. 74 2F          JE SHORT MoneyBos.00402AE5         ; same address: nothing to do
00402AB6  |. C1F9 02        SAR ECX,2
00402AB9  |. 78 2A          JS SHORT MoneyBos.00402AE5
00402ABB  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00402ABD  |. 89C1           MOV ECX,EAX
00402ABF  |. 83E1 03        AND ECX,3                          ; remaining 0..3 bytes
00402AC2  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00402AC4  |. 5F             POP EDI
00402AC5  |. 5E             POP ESI
00402AC6  |. C3             RETN
00402AC7  |> 8D740E FC      LEA ESI,DWORD PTR DS:[ESI+ECX-4]
00402ACB  |. 8D7C0F FC      LEA EDI,DWORD PTR DS:[EDI+ECX-4]
00402ACF  |. C1F9 02        SAR ECX,2
00402AD2  |. 78 11          JS SHORT MoneyBos.00402AE5
00402AD4  |. FD             STD
00402AD5  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00402AD7  |. 89C1           MOV ECX,EAX
00402AD9  |. 83E1 03        AND ECX,3
00402ADC  |. 83C6 03        ADD ESI,3
00402ADF  |. 83C7 03        ADD EDI,3
00402AE2  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00402AE4  |. FC             CLD
00402AE5  |> 5F             POP EDI
00402AE6  |. 5E             POP ESI
00402AE7  \. C3             RETN