eBookmark V1.8.1 Build 94 　

标题：eBookmark V1.8.1 Build 94
作者：fly
时间：2003/04/14 02:37pm
链接：http://bbs.pediy.com

下载地址： http://www.etoolssoft.com/files/ebmen.exe
软件大小： 908 KB
软件语言：英文
软件类别：国产软件 / 共享版 / 书签工具
应用平台： Win9x/NT/2000/XP
加入时间： 2002-08-27 18:03:23
下载次数： 888
推荐等级： ***
开发商： http://www.etoolssoft.com/

【软件简介】：一个本地和Internet书签管理软件。主要的功能和特点：1、对Internet书签及磁盘文件进行分类管理，提供方便快速的书签查找功能。2、方便的修改更新，可使用拖放方式来调整书签分类，及书签的摆放。3、支持文件及Internet浏览器的拖放，可直接将文件和URL拖放到eBookmark中，免去手工输入的麻烦。4、可对书签按分类加锁，防止他人查看你的私人书签。5、后台自动对Internet书签进行有效性验证，免除手工验证速度慢、耗时多的麻烦。6、可方便的将原有的书签中导入到eBookmark中。7、内建数百个常用的分类书签可供使用，也可方便的修改更新。

【软件限制】：30天试用。

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、PEiD、W32Dasm 9.0白金版

—————————————————————————————————
【过程】：

有朋友说找到的注册码成功注册重启后却又变回未注册，我试了试，果然这个东东私下里还偷偷去连接网络检验！
fxyang兄说：“用注册码注册成功后,在防火墙中禁止它访问网络,即不要它进行网络效验,就不会提示错误。”
谢谢fxyang！我也做了完美爆破，解决了网络校验的问题，连网后也不会变回未注册了！

ebm.exe 用侦测工具没查出壳。Delphi 编写。

用户名：fly01 至少5位
试炼码：1234567890ABCDEF 要16 位
—————————————————————————————————
软件对用户名和注册码限制的要求：

:004A4BDC E81FA5F9FF call 0043F100
:004A4BE1 8B45D8 mov eax, dword ptr [ebp-28]
:004A4BE4 8D55F4 lea edx, dword ptr [ebp-0C]
:004A4BE7 E8703BF6FF call 0040875C
:004A4BEC 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=fly01 用户名

:004A4BEF E874F2F5FF call 00403E68
====>取用户名的位数

:004A4BF4 83F805 cmp eax, 00000005
====>小于5位？

:004A4BF7 7D2D jge 004A4C26
====>不跳则OVER！

:004A4BF9 6A00 push 00000000
:004A4BFB 8D55D4 lea edx, dword ptr [ebp-2C]

* Possible StringData Ref from Code Obj ->"SC_UNameLess5"
|
:004A4BFE B8644D4A00 mov eax, 004A4D64
:004A4C03 E8E0DE0000 call 004B2AE8
:004A4C08 8B45D4 mov eax, dword ptr [ebp-2C]
:004A4C0B E81CF4F5FF call 0040402C
:004A4C10 50 push eax
:004A4C11 8B45FC mov eax, dword ptr [ebp-04]
:004A4C14 E8BF05FAFF call 004451D8
:004A4C19 B102 mov cl, 02
:004A4C1B 5A pop edx
:004A4C1C E8FFDE0000 call 004B2B20
:004A4C21 E9F8000000 jmp 004A4D1E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A4BF7(C)
|
:004A4C26 8D45DF lea eax, dword ptr [ebp-21]
:004A4C29 33C9 xor ecx, ecx
:004A4C2B BA11000000 mov edx, 00000011
:004A4C30 E803DFF5FF call 00402B38
:004A4C35 8D55F8 lea edx, dword ptr [ebp-08]
:004A4C38 8B45FC mov eax, dword ptr [ebp-04]
:004A4C3B 8B80D8020000 mov eax, dword ptr [eax+000002D8]
:004A4C41 E8BAA4F9FF call 0043F100
:004A4C46 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=1234567890ABCDEF 试炼码

:004A4C49 E81AF2F5FF call 00403E68
====>取试炼码位数

:004A4C4E 83F810 cmp eax, 00000010
====>小于16位？

:004A4C51 0F8CC7000000 jl 004A4D1E
====>跳则OVER！

:004A4C57 BA01000000 mov edx, 00000001
:004A4C5C 8D45DF lea eax, dword ptr [ebp-21]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A4C6D(C)
|
:004A4C5F 8B4DF8 mov ecx, dword ptr [ebp-08]
:004A4C62 8A4C11FF mov cl, byte ptr [ecx+edx-01]
:004A4C66 8808 mov byte ptr [eax], cl
:004A4C68 42 inc edx
:004A4C69 40 inc eax
:004A4C6A 83FA11 cmp edx, 00000011
:004A4C6D 75F0 jne 004A4C5F
:004A4C6F B201 mov dl, 01
:004A4C71 A180304500 mov eax, dword ptr [00453080]
:004A4C76 E871E5FAFF call 004531EC
:004A4C7B 8945F0 mov dword ptr [ebp-10], eax
:004A4C7E 33C0 xor eax, eax
:004A4C80 55 push ebp
:004A4C81 68EF4C4A00 push 004A4CEF
:004A4C86 64FF30 push dword ptr fs:[eax]
:004A4C89 648920 mov dword ptr fs:[eax], esp
:004A4C8C BA02000080 mov edx, 80000002
:004A4C91 8B45F0 mov eax, dword ptr [ebp-10]
:004A4C94 E82FE6FAFF call 004532C8
:004A4C99 B101 mov cl, 01

====>下面把注册信息保存到注册表里。重启时比较！
* Possible StringData Ref from Code Obj ->"\software\Rockboy\eBookmark"
|
:004A4C9B BA7C4D4A00 mov edx, 004A4D7C
:004A4CA0 8B45F0 mov eax, dword ptr [ebp-10]
:004A4CA3 E864E7FAFF call 0045340C
:004A4CA8 8B4DF4 mov ecx, dword ptr [ebp-0C]

* Possible StringData Ref from Code Obj ->"UserName"
|
:004A4CAB BAA04D4A00 mov edx, 004A4DA0
:004A4CB0 8B45F0 mov eax, dword ptr [ebp-10]
:004A4CB3 E8A0ECFAFF call 00453958
:004A4CB8 B101 mov cl, 01

* Possible StringData Ref from Code Obj ->"\software\Rockboy\eBookmark\"
|
:004A4CBA BAB44D4A00 mov edx, 004A4DB4
:004A4CBF 8B45F0 mov eax, dword ptr [ebp-10]
:004A4CC2 E845E7FAFF call 0045340C
:004A4CC7 6A11 push 00000011
:004A4CC9 8D4DDF lea ecx, dword ptr [ebp-21]

* Possible StringData Ref from Code Obj ->"UserData"
====>注册码保存的地方！

:004A4CCC BADC4D4A00 mov edx, 004A4DDC
:004A4CD1 8B45F0 mov eax, dword ptr [ebp-10]
:004A4CD4 E8EFEDFAFF call 00453AC8
:004A4CD9 33C0 xor eax, eax
:004A4CDB 5A pop edx
:004A4CDC 59 pop ecx
:004A4CDD 59 pop ecx
:004A4CDE 648910 mov dword ptr fs:[eax], edx

* Possible StringData Ref from Code Obj ->""
|
:004A4CE1 68F64C4A00 push 004A4CF6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A4CF4(U)
|
:004A4CE6 8B45F0 mov eax, dword ptr [ebp-10]
:004A4CE9 E8AEE1F5FF call 00402E9C
:004A4CEE C3 ret

:004A4D19 E802DE0000 call 004B2B20
====>要求重启确认注册

—————————————————————————————————
软件重启时的检验注册码。因为注册信息保存在注册表里，可在TRW装入程序后下bpx regqueryvalueexa do"dd*(esp+8)"断点，不断地按F5，程序会不断的被中断，约有30次左右，直至在TRW里看到"UserData" 2 次时就可暂停断点，再按F12返回程序领空了。F10走，不久就会来到下面的地方。也可以直接在反汇编代码里查找"UserData"，也能找到核心的。各取顺手的方法吧。呵呵，我喜欢用第二种方法，方便。

* Referenced by a CALL at Address:
|:004BD385
|
:004BCB28 55 push ebp
:004BCB29 8BEC mov ebp, esp
:004BCB2B 83C4D0 add esp, FFFFFFD0
:004BCB2E 33C0 xor eax, eax
:004BCB30 8945F8 mov dword ptr [ebp-08], eax
:004BCB33 33C0 xor eax, eax
:004BCB35 55 push ebp
:004BCB36 68F9CB4B00 push 004BCBF9
:004BCB3B 64FF30 push dword ptr fs:[eax]
:004BCB3E 648920 mov dword ptr fs:[eax], esp
:004BCB41 C645FF00 mov [ebp-01], 00
:004BCB45 B201 mov dl, 01
:004BCB47 A180304500 mov eax, dword ptr [00453080]
:004BCB4C E89B66F9FF call 004531EC
:004BCB51 8945F4 mov dword ptr [ebp-0C], eax
:004BCB54 33C0 xor eax, eax
:004BCB56 55 push ebp
:004BCB57 68DCCB4B00 push 004BCBDC
:004BCB5C 64FF30 push dword ptr fs:[eax]
:004BCB5F 648920 mov dword ptr fs:[eax], esp
:004BCB62 BA02000080 mov edx, 80000002
:004BCB67 8B45F4 mov eax, dword ptr [ebp-0C]
:004BCB6A E85967F9FF call 004532C8
:004BCB6F B101 mov cl, 01

* Possible StringData Ref from Code Obj ->"\software\Rockboy\eBookmark"
====>取注册信息

:004BCB71 BA10CC4B00 mov edx, 004BCC10
:004BCB76 8B45F4 mov eax, dword ptr [ebp-0C]
:004BCB79 E88E68F9FF call 0045340C
:004BCB7E 84C0 test al, al
:004BCB80 7444 je 004BCBC6
====>跳则OVER！

:004BCB82 8D4DF8 lea ecx, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"UserName"
|
:004BCB85 BA34CC4B00 mov edx, 004BCC34
:004BCB8A 8B45F4 mov eax, dword ptr [ebp-0C]
:004BCB8D E8F26DF9FF call 00453984
:004BCB92 6A11 push 00000011
:004BCB94 8D4DE3 lea ecx, dword ptr [ebp-1D]

* Possible StringData Ref from Code Obj ->"UserData"
|
:004BCB97 BA48CC4B00 mov edx, 004BCC48
:004BCB9C 8B45F4 mov eax, dword ptr [ebp-0C]
:004BCB9F E8386FF9FF call 00453ADC
:004BCBA4 8D55D2 lea edx, dword ptr [ebp-2E]
:004BCBA7 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=fly01 用户名

:004BCBAA E84D86FFFF call 004B51FC
====>算法CALL！进入！

:004BCBAF 84C0 test al, al
:004BCBB1 7413 je 004BCBC6
====>跳则OVER！

:004BCBB3 8D55E3 lea edx, dword ptr [ebp-1D]
====>EDX=1234567890ABCDEF 试炼码!

:004BCBB6 8D45D2 lea eax, dword ptr [ebp-2E]
====>EAX=22cM19ZWIWWCDDcZ 注册码!

:004BCBB9 E826C5F4FF call 004090E4
====>比较CALL！

:004BCBBE 85C0 test eax, eax
:004BCBC0 7504 jne 004BCBC6
====>跳则OVER！

:004BCBC2 C645FF01 mov [ebp-01], 01
====>置1则OK！

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BCB80(C), :004BCBB1(C), :004BCBC0(C)
|
:004BCBC6 33C0 xor eax, eax
====>清0则OVER！

:004BCBC8 5A pop edx
:004BCBC9 59 pop ecx
:004BCBCA 59 pop ecx
:004BCBCB 648910 mov dword ptr fs:[eax], edx
:004BCBCE 68E3CB4B00 push 004BCBE3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BCBE1(U)
|
:004BCBD3 8B45F4 mov eax, dword ptr [ebp-0C]
:004BCBD6 E8C162F4FF call 00402E9C
:004BCBDB C3 ret

:004BCBDC E91B6AF4FF jmp 004035FC
:004BCBE1 EBF0 jmp 004BCBD3
:004BCBE3 33C0 xor eax, eax
:004BCBE5 5A pop edx
:004BCBE6 59 pop ecx
:004BCBE7 59 pop ecx
:004BCBE8 648910 mov dword ptr fs:[eax], edx
:004BCBEB 6800CC4B00 push 004BCC00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BCBFE(U)
|
:004BCBF0 8D45F8 lea eax, dword ptr [ebp-08]
:004BCBF3 E8F06FF4FF call 00403BE8
:004BCBF8 C3 ret

:004BCBF9 E9FE69F4FF jmp 004035FC
:004BCBFE EBF0 jmp 004BCBF0
:004BCC00 8A45FF mov al, byte ptr [ebp-01]
====>注册标志位的值入 AL！爆破点！这次我选这儿完美爆破！

:004BCC03 8BE5 mov esp, ebp
:004BCC05 5D pop ebp
:004BCC06 C3 ret

—————————————————————————————————
进入算法CALL：4BCBAA call 004B51FC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B52C6(C)
|
:004B52CD 8A443EFF mov al, byte ptr [esi+edi-01]
1、 ====>AL=66 依次取用户名fly01字符的HEX值
…… ……省略…… ……共16次。用户名不够16位则循环取数。

:004B52D1 8801 mov byte ptr [ecx], al
====>[ecx]=AL

:004B52D3 47 inc edi

* Possible StringData Ref from Code Obj ->"k($j3dAd18L;0gfj"
|
:004B52D4 B868534B00 mov eax, 004B5368
====>EAX=k($j3dAd18L;0gfj

:004B52D9 8A4418FF mov al, byte ptr [eax+ebx-01]
1、 ====>AL=6B 依次取k($j3dAd18L;0gfj字符的HEX值
…… ……省略…… ……共16次

:004B52DD 3001 xor byte ptr [ecx], al
====>依次进行异或运算！

1、 ====>[ecx]=66 XOR 6B=0D
2、 ====>[ecx]=6C XOR 28=44 即：字符D
3、 ====>[ecx]=79 XOR 24=5D
4、 ====>[ecx]=30 XOR 6A=5A 即：字符Z
5、 ====>[ecx]=31 XOR 33=02
6、 ====>[ecx]=66 XOR 64=02
7、 ====>[ecx]=6C XOR 41=2D
8、 ====>[ecx]=79 XOR 64=1D
9、 ====>[ecx]=30 XOR 31=01
10、 ====>[ecx]=31 XOR 38=09
11、 ====>[ecx]=66 XOR 4C=2A
12、 ====>[ecx]=6C XOR 3B=57 即：字符W
13、 ====>[ecx]=79 XOR 30=49 即：字符I
14、 ====>[ecx]=30 XOR 67=57 即：字符W
15、 ====>[ecx]=31 XOR 66=57 即：字符W
16、 ====>[ecx]=66 XOR 6A=0C

:004B52DF 80397A cmp byte ptr [ecx], 7A
====>结果和 7A比较。小于7A就跳下去。否则就进行下面的运算！

:004B52E2 7611 jbe 004B52F5
:004B52E4 33C0 xor eax, eax
:004B52E6 8A01 mov al, byte ptr [ecx]
:004B52E8 51 push ecx
:004B52E9 B97A000000 mov ecx, 0000007A
:004B52EE 33D2 xor edx, edx
:004B52F0 F7F1 div ecx
:004B52F2 59 pop ecx
:004B52F3 8811 mov byte ptr [ecx], dl

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B52E2(C)
|
:004B52F5 803930 cmp byte ptr [ecx], 30
====>结果和 30比较。大于30就跳下去。否则就进行下面的运算！

:004B52F8 7303 jnb 004B52FD
:004B52FA 800130 add byte ptr [ecx], 30
1、 ====>[ecx]=0D + 30=3D
5、 ====>[ecx]=02 + 30=32 即：字符2
6、 ====>[ecx]=02 + 30=32 即：字符2
7、 ====>[ecx]=2D + 30=5D
8、 ====>[ecx]=1D + 30=4D 即：字符M
9、 ====>[ecx]=01 + 30=31 即：字符1
10、 ====>[ecx]=09 + 30=39 即：字符9
11、 ====>[ecx]=2A + 30=5A 即：字符Z
16、 ====>[ecx]=0C + 30=3C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B52F8(C)
|
:004B52FD 8A01 mov al, byte ptr [ecx]
:004B52FF 3C39 cmp al, 39
:004B5301 7607 jbe 004B530A
:004B5303 3C41 cmp al, 41
====>结果和 41比较。大于41就跳下去。否则就进行下面的运算！

:004B5305 7303 jnb 004B530A
:004B5307 800107 add byte ptr [ecx], 07
1、 ====>[ecx]=3D + 07=44 即：字符D
16、 ====>[ecx]=3C + 07=43 即：字符C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B5301(C), :004B5305(C)
|
:004B530A 8A01 mov al, byte ptr [ecx]
:004B530C 3C5A cmp al, 5A
:004B530E 7607 jbe 004B5317
:004B5310 3C61 cmp al, 61
====>结果和 61比较。大于61就跳下去。否则就进行下面的运算！

:004B5312 7303 jnb 004B5317
:004B5314 800106 add byte ptr [ecx], 06
3、 ====>[ecx]=5D + 06=63 即：字符c
7、 ====>[ecx]=5D + 06=63 即：字符c

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B530E(C), :004B5312(C)
|
:004B5317 43 inc ebx
====>EBX依次增1

:004B5318 41 inc ecx
:004B5319 83FB11 cmp ebx, 00000011
:004B531C 75A5 jne 004B52C3
====>循环16次！
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
循环结束后[ECX]内存中的值：

0074FD8B 44 44 63 5A 32 32 63 4D 31 39 5A 57 49 57 57 43 DDcZ22cM19ZWIWWC
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:004B531E BE01000000 mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B5341(C)
|
:004B5323 8A55DB mov dl, byte ptr [ebp-25]
:004B5326 BB01000000 mov ebx, 00000001
:004B532B 8D45DC lea eax, dword ptr [ebp-24]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B5338(C)
|
:004B532E 8A08 mov cl, byte ptr [eax]
:004B5330 8848FF mov byte ptr [eax-01], cl
:004B5333 43 inc ebx
:004B5334 40 inc eax
:004B5335 83FB10 cmp ebx, 00000010
:004B5338 75F4 jne 004B532E
:004B533A 8855EA mov byte ptr [ebp-16], dl
:004B533D 46 inc esi
:004B533E 83FE05 cmp esi, 00000005
:004B5341 75E0 jne 004B5323
====>上面进行4*16次的循环!
呵呵，如此大动干戈的循环取数只是把DDcZ22cM19ZWIWWC的前4位DDcZ移动到字符串的最后!

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
循环结束后[EAX]内存中的值：

0074FD8B 32 32 63 4D 31 39 5A 57 49 57 57 43 44 44 63 5A 22cM19ZWIWWCDDcZ
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:004B5343 C645EB00 mov [ebp-15], 00
:004B5347 8D55DB lea edx, dword ptr [ebp-25]
====>EDX=22cM19ZWIWWCDDcZ

:004B534A 8B45F0 mov eax, dword ptr [ebp-10]
:004B534D E8B23CF5FF call 00409004
====>EAX=22cM19ZWIWWCDDcZ

:004B5352 B301 mov bl, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B523B(C), :004B5252(C), :004B5266(C), :004B5274(C), :004B52A6(C)
|
:004B5354 8BC3 mov eax, ebx
:004B5356 5F pop edi
:004B5357 5E pop esi
:004B5358 5B pop ebx
:004B5359 8BE5 mov esp, ebp
:004B535B 5D pop ebp
:004B535C C3 ret

—————————————————————————————————
【算法总结】：

算法很简单呀。循环取用户名的字符依次和程序自给的k($j3dAd18L;0gfj进行异或运算！

所得结果若：>7A则和7A求模，<30则加上30，<41则加上7，<61则加上6。即把结果转换成数字或字母。

最后把所得字符串的前4位移到末尾，既是注册码了！

—————————————————————————————————
【完美爆破】：

004BCC00 8A45FF mov al, byte ptr [ebp-01]
改为： 8B4501 mov al, 01

呵呵，和上面的004BCBC2 mov [ebp-01], 01处相映成趣! 呵呵，让AL永远为1，岂有不OK的？
这样也就不怕网络校验了！

—————————————————————————————————
【KeyMake之{57th}内存注册机】：

中断地址：4BCBB9
中断次数：1
第一字节：E8
指令长度：5

内存方式：EAX

注意：用户名至少5位！注册码16位！

—————————————————————————————————
【注册信息保存】：

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Rockboy\eBookmark]
"UserName"="fly01"
"UserData"=hex:32,32,63,4d,31,39,5a,57,49,57,57,43,44,44,63,5a,00

—————————————————————————————————
【整理】：

用户名：fly01
注册码：22cM19ZWIWWCDDcZ

—————————————————————————————————

Cracked By 巢水工作坊——fly【OCN】

2003-4-13 22:22