〖软件大小〗:812 KB
〖软件语言〗:英文
〖软件类别〗:国外软件 / 共享版 / 键盘鼠标
〖运行环境〗:Win95/98/NT
〖加入时间〗:2003-07-05 08:08:22
〖下载地址〗:http://count.skycn.com/softdown.php?id=12770&url=http://on165-http.skycn.net:8080/down/cmdbar.zip
〖软件评级〗:☆☆☆☆
【软件介绍】:
这是一个用键盘控制Windows的命令行的软件,在Windows 95, Windows 98 和Windows NT操作系统中均可使用。用户可通过键盘执行大多数命令,比如复制、删除、显示文件列表、轻松地启动喜爱的程序、链接万维网、快速进入并搜寻喜爱的文件夹,等等。CMDbar支持使用方便的文件管理窗口、多命令别名、喜爱的文件、文件夹、程序、文件过滤和许多内置的命令。CMDbar也可以存储和运行用户编的小程序。
〖破解工具〗:OllyDbgV1.09,WdasmV10.0,Windows自带计算器
〖作者声明〗:初学破解,仅作学习交流之用,失误之处敬请大侠赐教.
【简要过程】:
任意填入注册信息
Name:ShenGe[BCG]
Company:HOME
Postal:没有,所以没填
Number of licences:8888
Registration:12345678
再接再厉,算作节日献礼,放上一个老外的软件的破解过程。
无壳,VC编写,用Wdasm反汇编,然后用串式参考,定位到中断点,用OD载入分析:
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00402364(C)
|
:0040236F 834DFCFF or
dword ptr [ebp-04], FFFFFFFF
:00402373 8D465C lea
eax, dword ptr [esi+5C]
:00402376 8D4F04 lea
ecx, dword ptr [edi+04]
:00402379 50
push eax
:0040237A E8A7FF0100 call
00422326
:0040237F 8D4660 lea
eax, dword ptr [esi+60]
<===[eax]="ShenGe[BCG]"
:00402382 8BCF
mov ecx, edi
:00402384 50
push eax
:00402385 E89CFF0100 call
00422326
:0040238A 8D466C lea
eax, dword ptr [esi+6C]
:0040238D 8D4F08 lea
ecx, dword ptr [edi+08]
:00402390 50
push eax
:00402391 E890FF0100 call
00422326
:00402396 8B4664 mov
eax, dword ptr [esi+64]
<===eax=22B8,Licences值8888的16进制
:00402399 89470C mov
dword ptr [edi+0C], eax
:0040239C A178694300 mov eax,
dword ptr [00436978]
:004023A1 8945F0 mov
dword ptr [ebp-10], eax
:004023A4 895DFC mov
dword ptr [ebp-04], ebx
:004023A7 8945EC mov
dword ptr [ebp-14], eax
:004023AA 53
push ebx
:004023AB 8D4DEC lea
ecx, dword ptr [ebp-14]
:004023AE C645FC02 mov
[ebp-04], 02
:004023B2 E85A020200 call
00422611
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:004023B7 FF7668 push
[esi+68]
<===[esi+68]中为假码"12345678"
:004023BA 8D5E68 lea
ebx, dword ptr [esi+68]
:004023BD 8BCF
mov ecx, edi
<===[ecx]="ShenGe[BCG]"
:004023BF E8F0490000 call
00406DB4
<===上面紧跟着就是一个判断和长跳转,此处当然要跟进了!①
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:004023C4 84C0
test al, al
:004023C6 747C
je 00402444
:004023C8 8BCB
mov ecx, ebx
:004023CA E8E8010200 call
004225B7
:004023CF 6A00
push 00000000
:004023D1 8BCE
mov ecx, esi
:004023D3 E812EB0100 call
00420EEA
:004023D8 E89C470200 call
00426B79
:004023DD 8B4004 mov
eax, dword ptr [eax+04]
:004023E0 8D98E4000000 lea ebx, dword
ptr [eax+000000E4]
:004023E6 8D4704 lea
eax, dword ptr [edi+04]
:004023E9 50
push eax
:004023EA 8D4B04 lea
ecx, dword ptr [ebx+04]
:004023ED E834FF0100 call
00422326
:004023F2 57
push edi
:004023F3 8BCB
mov ecx, ebx
:004023F5 E82CFF0100 call
00422326
:004023FA 8D4708 lea
eax, dword ptr [edi+08]
:004023FD 8D4B08 lea
ecx, dword ptr [ebx+08]
:00402400 50
push eax
:00402401 E820FF0100 call
00422326
:00402406 8B470C mov
eax, dword ptr [edi+0C]
:00402409 89430C mov
dword ptr [ebx+0C], eax
:0040240C E868470200 call
00426B79
:00402411 8B4004 mov
eax, dword ptr [eax+04]
:00402414 8D5668 lea
edx, dword ptr [esi+68]
:00402417 52
push edx
:00402418 8BC8
mov ecx, eax
:0040241A E84D580000 call
00407C6C
* Possible Reference to String
Resource ID=00275: "The registration number is accepted. Thank you for register"
|
:0040241F 6813010000 push
00000113
:00402424 8D4DF0 lea
ecx, dword ptr [ebp-10]
:00402427 E8E5010200 call
00422611
<===可以收工了!
* Possible Ref to Menu: MenuID_0079,
Item: "Exit"
|
:0040242C 6A40
push 00000040
:0040242E 8BCE
mov ecx, esi
:00402430 FF75EC push
[ebp-14]
:00402433 FF75F0 push
[ebp-10]
:00402436 E853E30100 call
0042078E
:0040243B 8BCE
mov ecx, esi
:0040243D E86AC70100 call
0041EBAC
:00402442 EB1C
jmp 00402460
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004023C6(C)
|
* Possible Reference to String
Resource ID=00276: "The registration number is not valid. Make sure you have en"
|
:00402444 6814010000 push
00000114
:00402449 8D4DF0 lea
ecx, dword ptr [ebp-10]
:0040244C E8C0010200 call
00422611
<===Bad Boy!
:00402451 6A10
push 00000010
:00402453 8BCE
mov ecx, esi
:00402455 FF75EC push
[ebp-14]
:00402458 FF75F0 push
[ebp-10]
:0040245B E82EE30100 call
0042078E
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00402442(U)
|
:00402460 85FF
test edi, edi
:00402462 740E
je 00402472
:00402464 8BCF
mov ecx, edi
:00402466 E88A470000 call
00406BF5
:0040246B 57
push edi
:0040246C E876FB0100 call
00421FE7
:00402471 59
pop ecx
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00402462(C)
|
:00402472 8D4DEC lea
ecx, dword ptr [ebp-14]
:00402475 C645FC01 mov
[ebp-04], 01
:00402479 E8FFFD0100 call
0042227D
:0040247E 834DFCFF or
dword ptr [ebp-04], FFFFFFFF
:00402482 8D4DF0 lea
ecx, dword ptr [ebp-10]
:00402485 E8F3FD0100 call
0042227D
:0040248A 5F
pop edi
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0040234B(C)
|
:0040248B 8B4DF4 mov
ecx, dword ptr [ebp-0C]
:0040248E 5E
pop esi
:0040248F 5B
pop ebx
:00402490 64890D00000000 mov dword ptr fs:[00000000],
ecx
:00402497 C9
leave
:00402498 C3
ret
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
①跟进这个Call看看都有些什么:
:00406DB4 B8AC9B4200
mov eax, 00429BAC
:00406DB9 E8BE870000 call
0040F57C
:00406DBE 51
push ecx
:00406DBF A178694300 mov eax,
dword ptr [00436978]
:00406DC4 53
push ebx
:00406DC5 56
push esi
:00406DC6 8BF1
mov esi, ecx
:00406DC8 8945F0 mov
dword ptr [ebp-10], eax
:00406DCB FF7508 push
[ebp+08]
:00406DCE 8365FC00 and
dword ptr [ebp-04], 00000000
:00406DD2 8D4D08 lea
ecx, dword ptr [ebp+08]
:00406DD5 E8CDB40100 call
004222A7
:00406DDA 8D4D08 lea
ecx, dword ptr [ebp+08]
:00406DDD C645FC01 mov
[ebp-04], 01
:00406DE1 E8805A0100 call
0041C866
<===取假码,eax="12345678"
:00406DE6 8D4D08 lea
ecx, dword ptr [ebp+08]
:00406DE9 E82C5A0100 call
0041C81A
:00406DEE 8D4D08 lea
ecx, dword ptr [ebp+08]
:00406DF1 E8C1B70100 call
004225B7
:00406DF6 8D45F0 lea
eax, dword ptr [ebp-10]
:00406DF9 8BCE
mov ecx, esi
:00406DFB 50
push eax
:00406DFC E836FFFFFF call
00406D37
<====此Call后ecx="4032ffffde7003e9",不用说,当然也要跟进了!②
:00406E01 84C0
test al, al
:00406E03 743C
je 00406E41
:00406E05 8D4DF0 lea
ecx, dword ptr [ebp-10]
:00406E08 E8AAB70100 call
004225B7
<===这个Call是将字串中的小写字符转换成大写
:00406E0D 8B4508 mov
eax, dword ptr [ebp+08]
<===eax="12345678",假码
:00406E10 8B48F8 mov
ecx, dword ptr [eax-08]
<===ecx=8,假码位数
:00406E13 83F908 cmp
ecx, 00000008
<===注册码必须为8位(第1次机会)
:00406E16 7517
jne 00406E2F
:00406E18 51
push ecx
:00406E19 FF75F0 push
[ebp-10]
<===[ebp-10]中为"4032FFFFDE7003E9"
:00406E1C 50
push eax
<===eax="12345678",假码
:00406E1D E8AE920000 call
004100D0
<===猜想是比对的Call,如果你愿意就跟进去看看吧!我是懒得跟了!猜想正确的注册码为"4032FFFF"
:00406E22 8BD8
mov ebx, eax
:00406E24 83C40C add
esp, 0000000C
:00406E27 F7DB
neg ebx
:00406E29 1ADB
sbb bl, bl
:00406E2B FEC3
inc bl
:00406E2D EB14
jmp 00406E43
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00406E16(C)
|
--------------------------------------------------------------
这里开始是第2次机会
:00406E2F 50
push eax
<===假码
:00406E30 FF75F0 push
[ebp-10]
<===真码,后面就不用我多说了吧!
:00406E33 E8688B0000 call
0040F9A0
:00406E38 59
pop ecx
:00406E39 85C0
test eax, eax
:00406E3B 59
pop ecx
:00406E3C 0F94C3 sete
bl
:00406E3F EB02
jmp 00406E43
--------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406E03(C)
|
:00406E41 32DB
xor bl, bl
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00406E2D(U), :00406E3F(U)
|
:00406E43 8065FC00 and
byte ptr [ebp-04], 00
:00406E47 8D4D08 lea
ecx, dword ptr [ebp+08]
:00406E4A E82EB40100 call
0042227D
:00406E4F 834DFCFF or
dword ptr [ebp-04], FFFFFFFF
:00406E53 8D4DF0 lea
ecx, dword ptr [ebp-10]
:00406E56 E822B40100 call
0042227D
:00406E5B 8B4DF4 mov
ecx, dword ptr [ebp-0C]
:00406E5E 8AC3
mov al, bl
:00406E60 5E
pop esi
:00406E61 5B
pop ebx
:00406E62 64890D00000000 mov dword ptr fs:[00000000],
ecx
:00406E69 C9
leave
:00406E6A C20400 ret
0004
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
② 看来算法就在这个Call当中了:
* Referenced by a CALL at Addresses:
|:00406DFC , :00407D35
|
:00406D37 55
push ebp
:00406D38 8BEC
mov ebp, esp
:00406D3A 51
push ecx
:00406D3B 53
push ebx
:00406D3C 56
push esi
:00406D3D 8BF1
mov esi, ecx
:00406D3F 57
push edi
:00406D40 56
push esi
<===[esi]="ShenGe[BCG]",用户名
:00406D41 E827010000 call
00406E6D
<===这个Call的作用是将字串中的小写字符转换成大写,过滤掉其中的其它字符(即只取A~Z之间的字符参与运算),然后累加取和的低位值(Hex),如我的为"SHENGE[BCG]"---53+48+45+4E+47+45+42+43+47=286
:00406D46 8945FC mov
dword ptr [ebp-04], eax
<===eax=286
:00406D49 8D4604 lea
eax, dword ptr [esi+04]
:00406D4C 50
push eax
<===[eax]="HOME"
:00406D4D 8BCE
mov ecx, esi
:00406D4F E819010000 call
00406E6D
<===同上
:00406D54 8BF8
mov edi, eax
<===eax=129
:00406D56 8D4608 lea
eax, dword ptr [esi+08]
:00406D59 50
push eax
:00406D5A 8BCE
mov ecx, esi
<===[ecx]="ShenGe[BCG]"
:00406D5C E80C010000 call
00406E6D
:00406D61 8B4D08 mov
ecx, dword ptr [ebp+08]
:00406D64 8BD8
mov ebx, eax
<===ebx=3E8,好像是定值!
:00406D66 E89DB40100 call
00422208
:00406D6B B8E8030000 mov eax,
000003E8
:00406D70 3945FC cmp
dword ptr [ebp-04], eax
:00406D73 750C
jne 00406D81
:00406D75 3BF8
cmp edi, eax
:00406D77 7508
jne 00406D81
:00406D79 3BD8
cmp ebx, eax
:00406D7B 7504
jne 00406D81
:00406D7D 32C0
xor al, al
:00406D7F EB2C
jmp 00406DAD
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00406D73(C), :00406D77(C), :00406D7B(C)
|
:00406D81 8B4610 mov
eax, dword ptr [esi+10]
<===eax=3E8,定值
:00406D84 8B760C mov
esi, dword ptr [esi+0C]
<===esi=22B8-->8888的16进制值
:00406D87 2BFE
sub edi, esi
<===edi=129-22B8=FFFFDE71
:00406D89 2B75FC sub
esi, dword ptr [ebp-04]
<===esi=22B8-286=2032
:00406D8C 8D0C18 lea
ecx, dword ptr [eax+ebx]
<===ecx=3E8+1=03E9
:00406D8F 2BF8
sub edi, eax
<===edi=FFFFDE71-1=FFFFDE70
:00406D91 51
push ecx
<===入栈参数1
:00406D92 57
push edi
<===入栈参数2
:00406D93 8D8406FF1F0000 lea eax, dword
ptr [esi+eax+00001FFF]
<===eax=2032+1+1FFF=4032
:00406D9A 50
push eax
<===入栈参数3
* Possible StringData Ref from
Data Obj ->"%04x%04x%04x"
|
:00406D9B 6870624300 push
00436270
:00406DA0 FF7508 push
[ebp+08]
:00406DA3 E8165A0100 call
0041C7BE
<===看见上面的"%04x%04x%04x"了吗?这个Call是将上面压入栈的3个参数连接起来并转化成字串形式,返回值在ecx中,我的为"4032ffffde7003e9"
:00406DA8 83C414 add
esp, 00000014
:00406DAB B001
mov al, 01
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00406D7F(U)
|
:00406DAD 5F
pop edi
:00406DAE 5E
pop esi
:00406DAF 5B
pop ebx
:00406DB0 C9
leave
:00406DB1 C20400 ret
0004
【总结】:
至此我们基本上清楚了这个软件的算法:
求出用户名和Company的各字符16进制累加和(小写转换成大写,特殊字符不参与运算,即只有A~Z之间的字符参与运算)取其低位值设为a和b,用户填入的Licences的16进制值设为c,则注册码为将(b-c-1)与(c-a)的值和"03E9"连接起来组成的字串或者取字串的前8位,即有两个。(呵呵,实在不知该怎么描述,不明白的话就看上面的代码吧!)
软件将注册信息保存在注册表的"HKEY_CURRENT_USER\Software\Rovensky Software\CMDbar\General"下
给出一个可用注册码:
Name:ShenGe[BCG]
Company:HOME
Postal:
Number of licences:8888
Registration:4032FFFF或4032FFFFDE7003E9
Cracked By ShenGe[BCG] 2003.8.1