下载地址:
http://www.etoolssoft.com/files/ebmen.exe
软件大小:
908 KB
软件语言: 英文
软件类别: 国产软件 / 共享版 / 书签工具
应用平台: Win9x/NT/2000/XP
加入时间:
2002-08-27 18:03:23
下载次数: 888
推荐等级: ***
开 发 商: http://www.etoolssoft.com/
【软件简介】:一个本地和Internet书签管理软件。主要的功能和特点:1、对Internet书签及磁盘文件进行分类管理,提供方便快速的书签查找功能。2、方便的修改更新,可使用拖放方式来调整书签分类,及书签的摆放。3、支持文件及Internet浏览器的拖放,可直接将文件和URL拖放到eBookmark中,免去手工输入的麻烦。4、可对书签按分类加锁,防止他人查看你的私人书签。5、后台自动对Internet书签进行有效性验证,免除手工验证速度慢、耗时多的麻烦。6、可方便的将原有的书签导入到eBookmark中。7、内建数百个常用的分类书签可供使用,也可方便的修改更新。
【软件限制】:30天试用。
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、PEiD、W32Dasm 9.0白金版
—————————————————————————————————
【过 程】:
有朋友说找到的注册码成功注册重启后却又变回未注册,我试了试,果然这个东东私下里还偷偷去连接网络检验!
fxyang兄说:“用注册码注册成功后,在防火墙中禁止它访问网络,即不要它进行网络校验,就不会提示错误。”
谢谢fxyang!我也做了完美爆破,解决了网络校验的问题,连网后也不会变回未注册了!
ebm.exe
用侦测工具没查出壳。Delphi 编写。
用户名:fly01
至少5位
试炼码:1234567890ABCDEF
要16 位
—————————————————————————————————
软件对用户名和注册码限制的要求:
:004A4BDC
E81FA5F9FF call 0043F100
:004A4BE1
8B45D8 mov eax,
dword ptr [ebp-28]
:004A4BE4 8D55F4
lea edx, dword ptr [ebp-0C]
:004A4BE7 E8703BF6FF
call 0040875C
:004A4BEC 8B45F4
mov eax, dword ptr [ebp-0C]
====>EAX=fly01
用户名
:004A4BEF
E874F2F5FF call 00403E68
====>取 用户名 的位数
:004A4BF4
83F805 cmp eax,
00000005
====>小于5位?
:004A4BF7
7D2D jge
004A4C26
====>不跳则OVER!
:004A4BF9
6A00 push
00000000
:004A4BFB 8D55D4
lea edx, dword ptr [ebp-2C]
*
Possible StringData Ref from Code Obj ->"SC_UNameLess5"
|
:004A4BFE B8644D4A00
mov eax, 004A4D64
:004A4C03 E8E0DE0000
call 004B2AE8
:004A4C08 8B45D4
mov eax, dword ptr [ebp-2C]
:004A4C0B
E81CF4F5FF call 0040402C
:004A4C10
50 push
eax
:004A4C11 8B45FC
mov eax, dword ptr [ebp-04]
:004A4C14 E8BF05FAFF
call 004451D8
:004A4C19 B102
mov cl, 02
:004A4C1B 5A
pop edx
:004A4C1C
E8FFDE0000 call 004B2B20
:004A4C21
E9F8000000 jmp 004A4D1E
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A4BF7(C)
|
:004A4C26
8D45DF lea eax,
dword ptr [ebp-21]
:004A4C29 33C9
xor ecx, ecx
:004A4C2B BA11000000
mov edx, 00000011
:004A4C30 E803DFF5FF
call 00402B38
:004A4C35 8D55F8
lea edx, dword ptr [ebp-08]
:004A4C38
8B45FC mov eax,
dword ptr [ebp-04]
:004A4C3B 8B80D8020000
mov eax, dword ptr [eax+000002D8]
:004A4C41 E8BAA4F9FF
call 0043F100
:004A4C46 8B45F8
mov eax, dword ptr [ebp-08]
====>EAX=1234567890ABCDEF 试炼码
:004A4C49
E81AF2F5FF call 00403E68
====>取 试炼码 位数
:004A4C4E
83F810 cmp eax,
00000010
====>小于16位?
:004A4C51
0F8CC7000000 jl 004A4D1E
====>跳则OVER!
:004A4C57
BA01000000 mov edx, 00000001
:004A4C5C
8D45DF lea eax,
dword ptr [ebp-21]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A4C6D(C)
|
:004A4C5F
8B4DF8 mov ecx,
dword ptr [ebp-08]
:004A4C62 8A4C11FF
mov cl, byte ptr [ecx+edx-01]
:004A4C66 8808
mov byte ptr [eax], cl
:004A4C68
42 inc
edx
:004A4C69 40
inc eax
:004A4C6A 83FA11
cmp edx, 00000011
:004A4C6D 75F0
jne 004A4C5F
:004A4C6F B201
mov dl, 01
:004A4C71
A180304500 mov eax, dword ptr
[00453080]
:004A4C76 E871E5FAFF call
004531EC
:004A4C7B 8945F0
mov dword ptr [ebp-10], eax
:004A4C7E 33C0
xor eax, eax
:004A4C80 55
push ebp
:004A4C81
68EF4C4A00 push 004A4CEF
:004A4C86
64FF30 push dword
ptr fs:[eax]
:004A4C89 648920
mov dword ptr fs:[eax], esp
:004A4C8C BA02000080
mov edx, 80000002
:004A4C91 8B45F0
mov eax, dword ptr [ebp-10]
:004A4C94
E82FE6FAFF call 004532C8
:004A4C99
B101 mov
cl, 01
====>下面把注册信息保存到注册表里。重启时比较!
* Possible StringData Ref
from Code Obj ->"\software\Rockboy\eBookmark"
|
:004A4C9B BA7C4D4A00
mov edx, 004A4D7C
:004A4CA0 8B45F0
mov eax, dword ptr [ebp-10]
:004A4CA3 E864E7FAFF
call 0045340C
:004A4CA8 8B4DF4
mov ecx, dword ptr
[ebp-0C]
* Possible
StringData Ref from Code Obj ->"UserName"
|
:004A4CAB BAA04D4A00
mov edx, 004A4DA0
:004A4CB0 8B45F0
mov eax, dword ptr [ebp-10]
:004A4CB3 E8A0ECFAFF
call 00453958
:004A4CB8 B101
mov cl, 01
*
Possible StringData Ref from Code Obj ->"\software\Rockboy\eBookmark\"
|
:004A4CBA BAB44D4A00
mov edx, 004A4DB4
:004A4CBF 8B45F0
mov eax, dword ptr [ebp-10]
:004A4CC2
E845E7FAFF call 0045340C
:004A4CC7
6A11 push
00000011
:004A4CC9 8D4DDF
lea ecx, dword ptr [ebp-21]
*
Possible StringData Ref from Code Obj ->"UserData"
====>注册码保存的地方!
:004A4CCC
BADC4D4A00 mov edx, 004A4DDC
:004A4CD1
8B45F0 mov eax,
dword ptr [ebp-10]
:004A4CD4 E8EFEDFAFF
call 00453AC8
:004A4CD9 33C0
xor eax, eax
:004A4CDB 5A
pop edx
:004A4CDC 59
pop
ecx
:004A4CDD 59
pop ecx
:004A4CDE 648910
mov dword ptr fs:[eax], edx
*
Possible StringData Ref from Code Obj ->""
|
:004A4CE1 68F64C4A00
push 004A4CF6
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A4CF4(U)
|
:004A4CE6
8B45F0 mov eax,
dword ptr [ebp-10]
:004A4CE9 E8AEE1F5FF
call 00402E9C
:004A4CEE C3
ret
:004A4D19
E802DE0000 call 004B2B20
====>要求重启确认注册
—————————————————————————————————
软件重启时的检验注册码。因为注册信息保存在注册表里,可在TRW装入程序后下bpx regqueryvalueexa do"dd*(esp+8)"断点,不断地按F5,程序会不断的被中断,约有30次左右,直至在TRW里看到"UserData"
2 次时就可暂停断点,再按F12返回程序领空了。F10走,不久就会来到下面的地方。也可以直接在反汇编代码里查找"UserData",也能找到核心的。各取顺手的方法吧。呵呵,我喜欢用第二种方法,方便。
*
Referenced by a CALL at Address:
|:004BD385
|
:004BCB28 55
push ebp
:004BCB29
8BEC mov
ebp, esp
:004BCB2B 83C4D0
add esp, FFFFFFD0
:004BCB2E 33C0
xor eax, eax
:004BCB30 8945F8
mov dword ptr [ebp-08], eax
:004BCB33
33C0 xor
eax, eax
:004BCB35 55
push ebp
:004BCB36 68F9CB4B00
push 004BCBF9
:004BCB3B 64FF30
push dword ptr fs:[eax]
:004BCB3E 648920
mov dword ptr fs:[eax],
esp
:004BCB41 C645FF00 mov
[ebp-01], 00
:004BCB45 B201
mov dl, 01
:004BCB47 A180304500
mov eax, dword ptr [00453080]
:004BCB4C E89B66F9FF
call 004531EC
:004BCB51 8945F4
mov dword ptr [ebp-0C],
eax
:004BCB54 33C0
xor eax, eax
:004BCB56 55
push ebp
:004BCB57 68DCCB4B00
push 004BCBDC
:004BCB5C 64FF30
push dword ptr fs:[eax]
:004BCB5F
648920 mov dword
ptr fs:[eax], esp
:004BCB62 BA02000080
mov edx, 80000002
:004BCB67 8B45F4
mov eax, dword ptr [ebp-0C]
:004BCB6A E85967F9FF
call 004532C8
:004BCB6F B101
mov cl, 01
*
Possible StringData Ref from Code Obj ->"\software\Rockboy\eBookmark"
====>取注册信息
:004BCB71
BA10CC4B00 mov edx, 004BCC10
:004BCB76
8B45F4 mov eax,
dword ptr [ebp-0C]
:004BCB79 E88E68F9FF
call 0045340C
:004BCB7E 84C0
test al, al
:004BCB80 7444
je 004BCBC6
====>跳则OVER!
:004BCB82 8D4DF8 lea ecx, dword ptr [ebp-08]
*
Possible StringData Ref from Code Obj ->"UserName"
|
:004BCB85 BA34CC4B00
mov edx, 004BCC34
:004BCB8A 8B45F4
mov eax, dword ptr [ebp-0C]
:004BCB8D E8F26DF9FF
call 00453984
:004BCB92 6A11
push 00000011
:004BCB94
8D4DE3 lea ecx,
dword ptr [ebp-1D]
*
Possible StringData Ref from Code Obj ->"UserData"
|
:004BCB97 BA48CC4B00
mov edx, 004BCC48
:004BCB9C 8B45F4
mov eax, dword ptr [ebp-0C]
:004BCB9F E8386FF9FF
call 00453ADC
:004BCBA4 8D55D2
lea edx, dword ptr
[ebp-2E]
:004BCBA7 8B45F8
mov eax, dword ptr [ebp-08]
====>EAX=fly01
用户名
:004BCBAA
E84D86FFFF call 004B51FC
====>算法CALL!进入!
:004BCBAF
84C0 test
al, al
:004BCBB1 7413
je 004BCBC6
====>跳则OVER!
:004BCBB3
8D55E3 lea edx,
dword ptr [ebp-1D]
====>EDX=1234567890ABCDEF
试炼码!
:004BCBB6
8D45D2 lea eax,
dword ptr [ebp-2E]
====>EAX=22cM19ZWIWWCDDcZ
注册码!
:004BCBB9
E826C5F4FF call 004090E4
====>比较CALL!
:004BCBBE
85C0 test
eax, eax
:004BCBC0 7504
jne 004BCBC6
====>跳则OVER!
:004BCBC2
C645FF01 mov [ebp-01],
01
====>置1则OK!
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BCB80(C),
:004BCBB1(C), :004BCBC0(C)
|
:004BCBC6 33C0
xor eax, eax
====>清0则OVER!
:004BCBC8
5A pop
edx
:004BCBC9 59
pop ecx
:004BCBCA 59
pop ecx
:004BCBCB 648910
mov dword ptr fs:[eax], edx
:004BCBCE
68E3CB4B00 push 004BCBE3
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BCBE1(U)
|
:004BCBD3
8B45F4 mov eax,
dword ptr [ebp-0C]
:004BCBD6 E8C162F4FF
call 00402E9C
:004BCBDB C3
ret
:004BCBDC
E91B6AF4FF jmp 004035FC
:004BCBE1
EBF0 jmp
004BCBD3
:004BCBE3 33C0
xor eax, eax
:004BCBE5 5A
pop edx
:004BCBE6 59
pop ecx
:004BCBE7 59
pop
ecx
:004BCBE8 648910
mov dword ptr fs:[eax], edx
:004BCBEB 6800CC4B00
push 004BCC00
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BCBFE(U)
|
:004BCBF0
8D45F8 lea eax,
dword ptr [ebp-08]
:004BCBF3 E8F06FF4FF
call 00403BE8
:004BCBF8 C3
ret
:004BCBF9
E9FE69F4FF jmp 004035FC
:004BCBFE
EBF0 jmp
004BCBF0
:004BCC00 8A45FF
mov al, byte ptr [ebp-01]
====>注册标志位的值
入 AL!爆破点!这次我选这儿完美爆破!
:004BCC03
8BE5 mov
esp, ebp
:004BCC05 5D
pop ebp
:004BCC06 C3
ret
—————————————————————————————————
进入算法CALL:4BCBAA call 004B51FC
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B52C6(C)
|
:004B52CD
8A443EFF mov al, byte ptr
[esi+edi-01]
1、 ====>AL=66
依次取用户名fly01字符的HEX值
…… ……省 略……
……共16次。用户名不够16位则循环取数。
:004B52D1
8801 mov
byte ptr [ecx], al
====>[ecx]=AL
:004B52D3 47 inc edi
* Possible StringData
Ref from Code Obj ->"k($j3dAd18L;0gfj"
|
:004B52D4 B868534B00
mov eax, 004B5368
====>EAX=k($j3dAd18L;0gfj
:004B52D9
8A4418FF mov al, byte ptr
[eax+ebx-01]
1、 ====>AL=6B
依次取k($j3dAd18L;0gfj字符的HEX值
…… ……省 略…… ……共16次
:004B52DD
3001 xor
byte ptr [ecx], al
====>依次进行 异或
运算!
1、
====>[ecx]=66 XOR 6B=0D
2、
====>[ecx]=6C XOR 28=44 即:字符D
3、
====>[ecx]=79 XOR 24=5D
4、
====>[ecx]=30 XOR 6A=5A 即:字符Z
5、
====>[ecx]=31 XOR 33=02
6、
====>[ecx]=66 XOR 64=02
7、 ====>[ecx]=6C
XOR 41=2D
8、 ====>[ecx]=79 XOR
64=1D
9、 ====>[ecx]=30 XOR 31=01
10、 ====>[ecx]=31 XOR 38=09
11、
====>[ecx]=66 XOR 4C=2A
12、 ====>[ecx]=6C
XOR 3B=57 即:字符W
13、 ====>[ecx]=79
XOR 30=49 即:字符I
14、 ====>[ecx]=30
XOR 67=57 即:字符W
15、 ====>[ecx]=31
XOR 66=57 即:字符W
16、 ====>[ecx]=66
XOR 6A=0C
:004B52DF
80397A cmp byte
ptr [ecx], 7A
====>结果 和 7A比较。小于7A就跳下去。否则就进行下面的运算!
:004B52E2
7611 jbe
004B52F5
:004B52E4 33C0
xor eax, eax
:004B52E6 8A01
mov al, byte ptr [ecx]
:004B52E8 51
push ecx
:004B52E9
B97A000000 mov ecx, 0000007A
:004B52EE
33D2 xor
edx, edx
:004B52F0 F7F1
div ecx
:004B52F2 59
pop ecx
:004B52F3 8811
mov byte ptr [ecx], dl
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B52E2(C)
|
:004B52F5
803930 cmp byte
ptr [ecx], 30
====>结果 和 30比较。大于30就跳下去。否则就进行下面的运算!
:004B52F8
7303 jnb
004B52FD
:004B52FA 800130
add byte ptr [ecx], 30
1、 ====>[ecx]=0D
+ 30=3D
5、 ====>[ecx]=02 + 30=32
即:字符2
6、 ====>[ecx]=02 + 30=32
即:字符2
7、 ====>[ecx]=2D + 30=5D
8、 ====>[ecx]=1D + 30=4D 即:字符M
9、 ====>[ecx]=01 + 30=31 即:字符1
10、 ====>[ecx]=09 + 30=39 即:字符9
11、 ====>[ecx]=2A + 30=5A 即:字符Z
16、 ====>[ecx]=0C + 30=3C
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B52F8(C)
|
:004B52FD
8A01 mov
al, byte ptr [ecx]
:004B52FF 3C39
cmp al, 39
:004B5301 7607
jbe 004B530A
:004B5303 3C41
cmp al, 41
====>结果 和 41比较。大于41就跳下去。否则就进行下面的运算!
:004B5305
7303 jnb
004B530A
:004B5307 800107
add byte ptr [ecx], 07
1、 ====>[ecx]=3D
+ 07=44 即:字符D
16、 ====>[ecx]=3C
+ 07=43 即:字符C
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B5301(C),
:004B5305(C)
|
:004B530A 8A01
mov al, byte ptr [ecx]
:004B530C 3C5A
cmp al, 5A
:004B530E
7607 jbe
004B5317
:004B5310 3C61
cmp al, 61
====>结果 和 61比较。大于61就跳下去。否则就进行下面的运算!
:004B5312
7303 jnb
004B5317
:004B5314 800106
add byte ptr [ecx], 06
3、 ====>[ecx]=5D
+ 06=63 即:字符c
7、 ====>[ecx]=5D
+ 06=63 即:字符c
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B530E(C),
:004B5312(C)
|
:004B5317 43
inc ebx
====>EBX依次增1
:004B5318
41 inc
ecx
:004B5319 83FB11
cmp ebx, 00000011
:004B531C 75A5
jne 004B52C3
====>循环16次!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
循环结束后[ECX]内存中的值:
0074FD8B
44 44 63 5A 32 32 63 4D 31 39 5A 57 49 57 57 43 DDcZ22cM19ZWIWWC
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:004B531E
BE01000000 mov esi, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B5341(C)
|
:004B5323
8A55DB mov dl, byte
ptr [ebp-25]
:004B5326 BB01000000
mov ebx, 00000001
:004B532B 8D45DC
lea eax, dword ptr [ebp-24]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B5338(C)
|
:004B532E
8A08 mov
cl, byte ptr [eax]
:004B5330 8848FF
mov byte ptr [eax-01], cl
:004B5333 43
inc ebx
:004B5334 40
inc
eax
:004B5335 83FB10
cmp ebx, 00000010
:004B5338 75F4
jne 004B532E
:004B533A 8855EA
mov byte ptr [ebp-16], dl
:004B533D
46 inc
esi
:004B533E 83FE05
cmp esi, 00000005
:004B5341 75E0
jne 004B5323
====>上面进行4*16次的循环!
呵呵,如此大动干戈的循环取数只是把DDcZ22cM19ZWIWWC的前4位DDcZ移动到字符串的最后!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
循环结束后[EAX]内存中的值:
0074FD8B
32 32 63 4D 31 39 5A 57 49 57 57 43 44 44 63 5A 22cM19ZWIWWCDDcZ
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:004B5343
C645EB00 mov [ebp-15],
00
:004B5347 8D55DB
lea edx, dword ptr [ebp-25]
====>EDX=22cM19ZWIWWCDDcZ
:004B534A
8B45F0 mov eax,
dword ptr [ebp-10]
:004B534D E8B23CF5FF
call 00409004
====>EAX=22cM19ZWIWWCDDcZ
:004B5352 B301 mov bl, 01
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B523B(C), :004B5252(C),
:004B5266(C), :004B5274(C), :004B52A6(C)
|
:004B5354 8BC3
mov eax, ebx
:004B5356
5F pop
edi
:004B5357 5E
pop esi
:004B5358 5B
pop ebx
:004B5359 8BE5
mov esp, ebp
:004B535B 5D
pop ebp
:004B535C
C3 ret
—————————————————————————————————
【算 法 总 结】:
算法很简单呀。循环取用户名的字符
依次和 程序自给的k($j3dAd18L;0gfj进行异或运算!
所得结果若:>7A则和7A求模,<30则加上30,<41则加上7,<61则加上6。即把结果转换成数字或字母。
最后把所得字符串的前4位移到末尾,即是注册码了!
从保护设计上看,固定的异或串和整个变换都放在客户端程序里,算出的正确注册码还会以明文留在内存中再与输入比较,所以这种校验的强度完全取决于代码不被人读懂。
—————————————————————————————————
【完 美 爆 破】:
004BCC00
8A45FF mov al, byte
ptr [ebp-01]
改为: 8B4501
mov al, 01
呵呵,和上面的004BCBC2
mov [ebp-01], 01处相映成趣! 呵呵,让AL永远为1,岂有不OK的?
这样也就不怕网络校验了!
—————————————————————————————————
【KeyMake之{57th}内存注册机】:
中断地址:4BCBB9
中断次数:1
第一字节:E8
指令长度:5
内存方式:EAX
注意:用户名至少5位!注册码16位!
—————————————————————————————————
【注册信息保存】:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Rockboy\eBookmark]
"UserName"="fly01"
"UserData"=hex:32,32,63,4d,31,39,5a,57,49,57,57,43,44,44,63,5a,00
—————————————————————————————————
【整 理】:
用户名:fly01
注册码:22cM19ZWIWWCDDcZ
—————————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-4-13 22:22