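It looks like imitating Fravia's style isn't very popular ^_^, so let's be more traditional and do one in Simplified Chinese!
[Software name]: CHM浏览器 (CHM Browser) V1.3
[Size]: 510 KB
[Language]: Simplified Chinese
[Category]: Chinese software / Shareware / Browsing utility
[Platform]: Win9x/NT/2000/XP
[Date added]: 2003-07-31 17:26:26
[Description]:
CHM浏览器 can decompile any type of file out of a compiled Windows HTML Help file (*.chm). It handles a CHM file much like a ZIP file: you can run or view the files inside a CHM the same way you would view a ZIP file in Winzip, and you can double-click a file's icon to view an HTML or image file.
[Author]: cyclotron[BCG]
[Tools]: Ollydbg V1.09
[Cracking process]:
Load CHMunpacker in Ollydbg.
Enter a user name and a trial code:
User name: cyclotron[BCG]
Trial code: 78787878 (anything will do)
Press Ctrl+N and search the imported functions for GetWindowText. Right-click it and choose "view call tree", then set a breakpoint on every call. Go back to the dialog and click OK. Ollydbg breaks; then clear all the breakpoints.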
00405A87 PUSH ECX
00405A88 PUSH 3E9
00405A8D MOV ECX,ESI
00405A8F CALL CHMUNPAC.00422761
00405A94 MOV EDX,DWORD PTR SS:[ESP+C]
00405A98 PUSH CHMUNPAC.0044C930
; /Arg2 = 0044C930
00405A9D PUSH EDX
; |Arg1
00405A9E CALL CHMUNPAC.0040EC26
; \CHMUNPAC.0040EC26
00405AA3 ADD ESP,8
00405AA6 TEST EAX,EAX
; was a user name entered?
00405AA8 JNZ SHORT CHMUNPAC.00405AB6
; if not, jump away
00405AAA PUSH EBX
00405AAB PUSH EBX
00405AAC PUSH CHMUNPAC.0044A594
00405AB1 JMP CHMUNPAC.00405BF1
00405AB6 MOV EAX,DWORD PTR SS:[ESP+8]
00405ABA PUSH CHMUNPAC.0044C930
; /Arg2 = 0044C930
00405ABF PUSH EAX
; |Arg1
00405AC0 CALL CHMUNPAC.0040EC26
; \CHMUNPAC.0040EC26
00405AC5 ADD ESP,8
00405AC8 TEST EAX,EAX
; was a registration code entered?
00405ACA JNZ SHORT CHMUNPAC.00405AD8
00405ACC PUSH EBX
00405ACD PUSH EBX
00405ACE PUSH CHMUNPAC.0044A584
00405AD3 JMP CHMUNPAC.00405BF1
00405AD8 PUSH CHMUNPAC.0044A580
00405ADD LEA ECX,DWORD PTR SS:[ESP+C]
00405AE1 CALL CHMUNPAC.0041CAE2
00405AE6 PUSH CHMUNPAC.0044A580
00405AEB LEA ECX,DWORD PTR SS:[ESP+C]
00405AEF CALL CHMUNPAC.0041CA43
00405AF4 MOV EAX,DWORD PTR SS:[ESP+8]
00405AF8 CMP DWORD PTR DS:[EAX-8],10
; the registration code must be 16 characters long
00405AFC JE SHORT CHMUNPAC.00405B0A
00405AFE PUSH EBX
00405AFF PUSH EBX
00405B00 PUSH CHMUNPAC.0044A570
00405B05 JMP CHMUNPAC.00405BF1
00405B0A PUSH CHMUNPAC.0044A55C
; /Arg2 = 0044A55C ASCII "eLRYdMs7IhHiObJg"
; blacklist
00405B0F PUSH EAX
; |Arg1
00405B10 CALL CHMUNPAC.0040EC26
; \CHMUNPAC.0040EC26
00405B15 ADD ESP,8
00405B18 TEST EAX,EAX
00405B1A JE CHMUNPAC.00405BEA
00405B20 MOV ECX,DWORD PTR SS:[ESP+8]
00405B24 PUSH CHMUNPAC.0044A548
; /Arg2 = 0044A548 ASCII "FkZQYRjGoBNcgJVU"
; another blacklist entry
00405B29 PUSH ECX
; |Arg1
00405B2A CALL CHMUNPAC.0040EC26
; \CHMUNPAC.0040EC26
00405B2F ADD ESP,8
00405B32 TEST EAX,EAX
00405B34 JE CHMUNPAC.00405BEA
00405B3A LEA EDX,DWORD PTR SS:[ESP+10]
00405B3E PUSH EDI
00405B3F PUSH EDX
; /pHandle
00405B40 PUSH CHMUNPAC.0044A52C
; |Subkey = "Software\YBSoft\CHMUnpacker"
00405B45 PUSH 80000002
; |hKey = HKEY_LOCAL_MACHINE
00405B4A CALL DWORD PTR DS:[<&ADVAPI32.RegCreateKeyA>>
; \RegCreateKeyA
00405B50 MOV EAX,DWORD PTR SS:[ESP+C]
00405B54 LEA ECX,DWORD PTR SS:[ESP+C]
00405B58 MOV EAX,DWORD PTR DS:[EAX-8]
00405B5B PUSH EAX
00405B5C PUSH 1
00405B5E CALL CHMUNPAC.0041FCD0
00405B63 MOV ECX,DWORD PTR SS:[ESP+18]
; |
00405B67 MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegSetValue>
; |
00405B6D PUSH EAX
; |Buffer
00405B6E PUSH 1
; |ValueType = REG_SZ
00405B70 PUSH EBX
; |Reserved
00405B71 PUSH CHMUNPAC.0044A280
; |ValueName = "Version"
00405B76 PUSH ECX
; |hKey
00405B77 CALL EDI
; \RegSetValueExA
; write the registration information to the registry
00405B79 MOV EDX,DWORD PTR SS:[ESP+10]
00405B7D LEA ECX,DWORD PTR SS:[ESP+10]
00405B81 MOV EAX,DWORD PTR DS:[EDX-8]
00405B84 PUSH EAX
00405B85 PUSH 1
00405B87 CALL CHMUNPAC.0041FCD0
00405B8C PUSH EAX
00405B8D MOV EAX,DWORD PTR SS:[ESP+1C]
00405B91 PUSH 1
00405B93 PUSH EBX
00405B94 PUSH CHMUNPAC.0044A524
; ASCII "User"
00405B99 PUSH EAX
00405B9A CALL EDI
00405B9C MOV ECX,DWORD PTR SS:[ESP+14]
00405BA0 PUSH ECX
; /hKey
00405BA1 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKey>]
; \RegCloseKey
00405BA7 MOV ECX,ESI
00405BA9 CALL CHMUNPAC.0042068F
00405BAE PUSH EBX
; /Arg3
00405BAF PUSH EBX
; |Arg2
00405BB0 PUSH CHMUNPAC.0044A4EC
; |Arg1 = 0044A4EC
00405BB5 CALL CHMUNPAC.00429791
; \CHMUNPAC.00429791
00405BBA LEA ECX,DWORD PTR SS:[ESP+C]
00405BBE MOV BYTE PTR SS:[ESP+20],BL
00405BC2 CALL CHMUNPAC.0041F8A0
00405BC7 LEA ECX,DWORD PTR SS:[ESP+10]
00405BCB MOV DWORD PTR SS:[ESP+20],-1
00405BD3 CALL CHMUNPAC.0041F8A0
00405BD8 POP EDI
00405BD9 POP ESI
00405BDA POP EBX
00405BDB MOV ECX,DWORD PTR SS:[ESP+C]
00405BDF MOV DWORD PTR FS:[0],ECX
00405BE6 ADD ESP,18
00405BE9 RETN
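The check is performed at restart.
Load the program again and search for the string "version"; that is where your registration information is stored. The useful breakpoint is 401F32.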
00401F22 LEA EDX,DWORD PTR SS:[ESP+38]
00401F26 PUSH ECX
; /pBufSize
00401F27 MOV ECX,DWORD PTR SS:[ESP+C]
; |
00401F2B LEA EAX,DWORD PTR SS:[ESP+14]
; |
00401F2F PUSH EDX
; |Buffer
00401F30 PUSH EAX
; |pValueType
00401F31 PUSH EDI
; |Reserved
00401F32 PUSH CHMUNPAC.0044A280
; |ValueName = "Version"
00401F37 PUSH ECX
; |hKey
00401F38 MOV DWORD PTR SS:[ESP+24],0FF
; |
00401F40 CALL DWORD PTR DS:[<&ADVAPI32.RegQueryValueE>
; \RegQueryValueExA
00401F46 TEST EAX,EAX
00401F48 JNZ SHORT CHMUNPAC.00401F9C
00401F4A MOV EDX,DWORD PTR SS:[ESP+8]
00401F4E PUSH EDX
; /hKey
00401F4F CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKey>]
; \RegCloseKey
00401F55 LEA EDX,DWORD PTR SS:[ESP+39]
; edx points to the second character of the registration code
00401F59 MOV AL,BYTE PTR DS:[EDX-1]
; odd-position character of the trial code goes into al
00401F5C CMP AL,61
; less than 61h? (not a lowercase letter)
00401F5E JL SHORT CHMUNPAC.00401F64
; if so, jump
00401F60 SUB AL,3D
; al=al-3Dh
00401F62 JMP SHORT CHMUNPAC.00401F6E
00401F64 CMP AL,41
; less than 41h? (not an uppercase letter)
00401F66 JL SHORT CHMUNPAC.00401F6C
; if so, jump
00401F68 SUB AL,37
; al=al-37h
00401F6A JMP SHORT CHMUNPAC.00401F6E
00401F6C SUB AL,30
; al=al-30h (must be a digit)
00401F6E MOV CL,AL
; cl=al
00401F70 MOV AL,BYTE PTR DS:[EDX]
; even-position character of the trial code goes into al
00401F72 CMP AL,61
; \
00401F74 JL SHORT CHMUNPAC.00401F7A
; |
00401F76 SUB AL,3D
; |
00401F78 JMP SHORT CHMUNPAC.00401F84
; |
00401F7A CMP AL,41
; | same as above
00401F7C JL SHORT CHMUNPAC.00401F82
; |
00401F7E SUB AL,37
; |
00401F80 JMP SHORT CHMUNPAC.00401F84
; |
00401F82 SUB AL,30
; /
00401F84 MOVSX EAX,AL
; eax=al, result for the even-position character
00401F87 MOVSX ECX,CL
; ecx=cl, result for the odd-position character
00401F8A ADD EAX,ECX
; eax=eax+ecx
00401F8C CMP EAX,3D
; equal to 3Dh?
00401F8F JNZ SHORT CHMUNPAC.00401F9C
; if not equal, fail
00401F91 INC EDI
; edi++
00401F92 ADD EDX,2
; edx+=2
00401F95 CMP EDI,8
; edi equal to 8?
00401F98 JL SHORT CHMUNPAC.00401F59
; if not, go back and continue the loop
00401F9A JMP SHORT CHMUNPAC.00402012
; GoodBoy!
00401F9C PUSH 0
00401F9E LEA ECX,DWORD PTR SS:[ESP+3C]
00401FA2 CALL CHMUNPAC.00404960
00401FA7 LEA ECX,DWORD PTR SS:[ESP+38]
00401FAB MOV BYTE PTR SS:[ESP+150],2
00401FB3 CALL CHMUNPAC.004203A5
; NAG
00401FB8 CMP EAX,2
00401FBB JNZ SHORT CHMUNPAC.00401FC5
00401FBD MOV ECX,DWORD PTR DS:[ESI+1C]
00401FC0 MOV EDX,DWORD PTR DS:[ECX]
00401FC2 CALL DWORD PTR DS:[EDX+58]
00401FC5 LEA ECX,DWORD PTR SS:[ESP+10C]
00401FCC MOV BYTE PTR SS:[ESP+150],5
00401FD4 CALL CHMUNPAC.0042F38E
00401FD9 LEA ECX,DWORD PTR SS:[ESP+D0]
00401FE0 MOV BYTE PTR SS:[ESP+150],4
00401FE8 CALL CHMUNPAC.0042F328
00401FED LEA ECX,DWORD PTR SS:[ESP+94]
00401FF4 MOV BYTE PTR SS:[ESP+150],3
00401FFC CALL CHMUNPAC.0041D3D1
00402001 LEA ECX,DWORD PTR SS:[ESP+38]
00402005 MOV BYTE PTR SS:[ESP+150],1
0040200D CALL CHMUNPAC.0041FFDB
00402012 MOV ECX,ESI
00402014 CALL CHMUNPAC.004023F0
; entry point for the registered version
00402019 LEA ECX,DWORD PTR SS:[ESP+14]
0040201D MOV DWORD PTR SS:[ESP+150],-1
00402028 CALL CHMUNPAC.0043355F
0040202D MOV ECX,DWORD PTR SS:[ESP+148]
00402034 POP EDI
00402035 MOV EAX,1
0040203A POP ESI
0040203B MOV DWORD PTR FS:[0],ECX
00402042 ADD ESP,14C
00402048 RETN
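[Summary]:
The algorithm is very simple, so I won't write a keygen (being lazy once in a while ^_^)
A registration code made up at random: eLeLeLeLeLeLeLeL
cyclotron[BCG]
2003.8.1
Written specially to commemorate the 76th anniversary of the founding of the Chinese People's Liberation Army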
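
The start-up check from the second listing, transcribed to C as an added example (not code from the original post or from the program's author), to show what the check does and does not depend on. The function names are made up here, the comparison routine at 0040EC26 is assumed to behave like strcmp, and the length guard is added so the C code never reads past the string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two hard-coded strings compared at 00405B10 and 00405B2A. */
static const char *const BLACKLIST[] = { "eLRYdMs7IhHiObJg", "FkZQYRjGoBNcgJVU" };

/* Character mapping at 00401F5C..00401F6C. JL is a signed compare,
   so the byte is treated as a signed 8-bit value, as AL is. */
static int8_t decode_char(char c)
{
    int8_t al = (int8_t)c;
    if (al >= 0x61) return (int8_t)(al - 0x3D);   /* 61h and above */
    if (al >= 0x41) return (int8_t)(al - 0x37);   /* 41h..60h */
    return (int8_t)(al - 0x30);                   /* everything else */
}

/* Loop at 00401F59..00401F98: eight pairs, each must sum to 3Dh.
   There is no user-name parameter because the listing never uses one. */
int startup_check(const char *code)
{
    if (strlen(code) != 16) return 0;             /* guard added for this example */
    for (int i = 0; i < 8; i++)
        if (decode_char(code[2 * i]) + decode_char(code[2 * i + 1]) != 0x3D)
            return 0;
    return 1;
}

/* Dialog-side rejection: exact match against the blacklist (strcmp assumed). */
int is_blacklisted(const char *code)
{
    for (size_t i = 0; i < sizeof BLACKLIST / sizeof BLACKLIST[0]; i++)
        if (strcmp(code, BLACKLIST[i]) == 0) return 1;
    return 0;
}

int main(void)
{
    /* Inputs are the strings that appear in the post plus one constructed value. */
    const char *samples[] = { "eLeLeLeLeLeLeLeL", "eLRYdMs7IhHiObJg",
                              "FkZQYRjGoBNcgJVU", "7878787878787878" };
    for (size_t i = 0; i < 4; i++)
        printf("%s  arithmetic=%d  blacklisted=%d\n", samples[i],
               startup_check(samples[i]), is_blacklisted(samples[i]));
    return 0;
}
```

Nothing in the check depends on the user name or on a secret held by the vendor, so a code that passes is valid for every user and the hard-coded blacklist is the only means of revocation. A licence check that verifies a vendor signature over the user name does not have this weakness.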