QMolView (http://members.lycos.co.uk/qmolview/), 45-day trial limit.
Steps:
1. Check for a packer. It does not appear to be packed; the program is written in Delphi.
2. Load it in OllyDbg.
Enter User Name, Company and Authorization Code.
A dialog pops up with the message: Bad Registration Code
Dump the current memory into the CPU window, search memory for "Bad Registration Code" and look up its references. That leads to the following code:
...........................
The registration code must be 24 characters. I entered User Name: yzez; Company: [DFCG][BCG][FCG]; trial code: 123456789009876543211234
006886BF CALL QMolview.00438DEC
006886C4 LEA EAX,DWORD PTR SS:[EBP-4]
006886C7 MOV ECX,7 **************** ECX = 7: delete the first 7 characters of the trial code, keeping the remaining 17!
006886CC MOV EDX,1
006886D1 CALL QMolview.00404388
006886D6 LEA EAX,DWORD PTR SS:[EBP-4]
006886D9 MOV ECX,1
006886DE MOV EDX,6 ********************* Then delete character 6 of those 17, leaving 16!
006886E3 CALL QMolview.00404388
006886E8 LEA EAX,DWORD PTR SS:[EBP-4]
006886EB MOV ECX,1
006886F0 MOV EDX,0B ******************* Then delete character 0Bh, i.e. 11, of what is left, leaving 15.
***** For the example above: dropping the first seven gives 89009876543211234; dropping characters 6 and 11 ('8' and '2') gives 890097654311234
006886F5 CALL QMolview.00404388
006886FA MOV EAX,DWORD PTR SS:[EBP-4] ******* the resulting string is loaded into EAX
006886FD PUSH EAX
006886FE LEA EDX,DWORD PTR SS:[EBP-8]
00688701 MOV EAX,DWORD PTR DS:[EBX+2EC] ***** user name into EAX
00688707 CALL QMolview.00438DEC
0068870C MOV EAX,DWORD PTR SS:[EBP-8]
0068870F PUSH EAX <-------- push Company
00688710 LEA EDX,DWORD PTR SS:[EBP-C]
00688713 MOV EAX,DWORD PTR DS:[EBX+2E4]
00688719 CALL QMolview.00438DEC <-------- computes a value from the user name and company; mine is 1811037398D1FC9
0068871E MOV EDX,DWORD PTR SS:[EBP-C]
00688721 MOV EAX,DWORD PTR DS:[EBX+2F8]
00688727 POP ECX
00688728 CALL QMolview.00687C2C <---------- the key comparison
0068872D TEST AL,AL <-------- AL=0: registration fails; AL=1: registration succeeds!
0068872F JE SHORT QMolview.00688759 <----------- if this jump is taken you get the bad-code message!!!
00688731 MOV EAX,EBX
00688733 CALL QMolview.004556CC <-------- housekeeping before successful registration?
00688738 PUSH 0 ; /Arg1 = 00000000
0068873A MOV CX,WORD PTR DS:[6887B8] ; |
00688741 MOV DL,2 ; |
00688743 MOV EAX,QMolview.006887C4 ; |ASCII "Thank you for purchase QMolView."
00688748 |. E8 B387DDFF CALL QMolview.00460F00 ; QMolview.00460F00
0068874D |. C783 34020000 >MOV DWORD PTR DS:[EBX+234],1
00688757 |. EB 30 JMP SHORT QMolview.00688789
00688759 |> 6A 00 PUSH 0 ; /Arg1 = 00000000
0068875B |. 66:8B0D B88768>MOV CX,WORD PTR DS:[6887B8] ; |
00688762 |. B2 02 MOV DL,2 ; |
00688764 |. B8 F0876800 MOV EAX,QMolview.006887F0 ; |ASCII "Bad Registration Code"
00688769 |. E8 9287DDFF CALL QMolview.00460F00 ; QMolview.00460F00
0068876E |. 33D2 XOR EDX,EDX
=====================================================================================
The key comparison CALL:
00687C2C /$ 55 PUSH EBP
00687C2D |. 8BEC MOV EBP,ESP
00687C2F |. 83C4 F0 ADD ESP,-10
00687C32 |. 53 PUSH EBX
00687C33 |. 33DB XOR EBX,EBX
00687C35 |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
00687C38 |. 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
00687C3B |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
00687C3E |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
00687C41 |. 8BD8 MOV EBX,EAX
00687C43 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00687C46 |. E8 A9C6D7FF CALL QMolview.004042F4
00687C4B |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00687C4E |. E8 A1C6D7FF CALL QMolview.004042F4
00687C53 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00687C56 |. E8 99C6D7FF CALL QMolview.004042F4
00687C5B |. 33C0 XOR EAX,EAX
00687C5D |. 55 PUSH EBP
00687C5E |. 68 167D6800 PUSH QMolview.00687D16
00687C63 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00687C66 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00687C69 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00687C6C |. E8 CFC4D7FF CALL QMolview.00404140
00687C71 |. 3B43 3C CMP EAX,DWORD PTR DS:[EBX+3C]
00687C74 |. 7F 19 JG SHORT QMolview.00687C8F
00687C76 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00687C79 |. E8 C2C4D7FF CALL QMolview.00404140
00687C7E |. 3B43 40 CMP EAX,DWORD PTR DS:[EBX+40]
00687C81 |. 7C 0C JL SHORT QMolview.00687C8F
00687C83 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00687C86 |. E8 B5C4D7FF CALL QMolview.00404140
00687C8B |. 85C0 TEST EAX,EAX
00687C8D |. 75 04 JNZ SHORT QMolview.00687C93
00687C8F |> 33DB XOR EBX,EBX
00687C91 |. EB 60 JMP SHORT QMolview.00687CF3
00687C93 |> 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00687C96 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00687C99 |. E8 E61CD8FF CALL QMolview.00409984
00687C9E |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
00687CA1 |. 8D45 08 LEA EAX,DWORD PTR SS:[EBP+8]
00687CA4 |. E8 9FC2D7FF CALL QMolview.00403F48
00687CA9 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00687CAC |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00687CAF |. 8BC3 MOV EAX,EBX
00687CB1 |. E8 4EFCFFFF CALL QMolview.00687904
00687CB6 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00687CB9 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
00687CBC |. E8 3B1DD8FF CALL QMolview.004099FC ******** this CALL does the comparison. Comparing what? The trimmed trial code from above against the value computed
**** from the user name and company; if they are equal EAX is 1, otherwise 0
00687CC1 |. 85C0 TEST EAX,EAX ********** if EAX is 0 the jump is taken, and taking the jump means failure
00687CC3 |. 74 04 JE SHORT QMolview.00687CC9
00687CC5 |. 33DB XOR EBX,EBX
00687CC7 |. EB 2A JMP SHORT QMolview.00687CF3
00687CC9 |> 8D43 38 LEA EAX,DWORD PTR DS:[EBX+38]
00687CCC |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00687CCF |. E8 30C2D7FF CALL QMolview.00403F04
00687CD4 |. 8D43 44 LEA EAX,DWORD PTR DS:[EBX+44]
00687CD7 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00687CDA |. E8 25C2D7FF CALL QMolview.00403F04
00687CDF |. 8D43 4C LEA EAX,DWORD PTR DS:[EBX+4C]
00687CE2 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
00687CE5 |. E8 1AC2D7FF CALL QMolview.00403F04
00687CEA |. 8BC3 MOV EAX,EBX
00687CEC |. E8 9B010000 CALL QMolview.00687E8C
00687CF1 |. B3 01 MOV BL,1
00687CF3 |> 33C0 XOR EAX,EAX
00687CF5 |. 5A POP EDX
00687CF6 |. 59 POP ECX
00687CF7 |. 59 POP ECX
00687CF8 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00687CFB |. 68 1D7D6800 PUSH QMolview.00687D1D
00687D00 |> 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00687D03 |. BA 04000000 MOV EDX,4
00687D08 |. E8 C7C1D7FF CALL QMolview.00403ED4
00687D0D |. 8D45 08 LEA EAX,DWORD PTR SS:[EBP+8]
00687D10 |. E8 9BC1D7FF CALL QMolview.00403EB0
00687D15 . C3 RETN
00687D16 .^E9 8DBBD7FF JMP QMolview.004038A8
So the key to this program's registration code is finding the value computed from the user name and company. Once you have that value, substitute it for the last 17 characters of the trial code,
inserting any digit or character after its 5th and 10th characters.
A working registration: User Name: yzez;
Company: [DFCG][BCG][FCG],
Registration code: 1234567181108373980D1FC9
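The trimming the check applies, modelled in Python as an added example (not code from the post or from QMolView): it assumes the routine at 00404388 behaves like Delphi's Delete with EAX = string, EDX = index and ECX = count, which is what the register values in the listing imply, and it probes which positions of the 24-character field the comparison never examines.

```python
# Model of the normalization QMolView applies to the entered code before comparing it
# (reconstructed from the listing above; an assumption, not the program's own source).

def delphi_delete(s: str, index: int, count: int) -> str:
    """Delphi System.Delete semantics: 1-based Index, removes up to Count characters.
    Out-of-range Index or non-positive Count leaves the string unchanged."""
    if index < 1 or index > len(s) or count <= 0:
        return s
    return s[:index - 1] + s[index - 1 + count:]

def normalize_code(entered: str) -> str:
    """The three calls at 006886D1, 006886E3 and 006886F5:
    Delete(S, 1, 7); Delete(S, 6, 1); Delete(S, 11, 1)."""
    s = delphi_delete(entered, 1, 7)
    s = delphi_delete(s, 6, 1)
    s = delphi_delete(s, 11, 1)
    return s

def check_registration(entered: str, expected: str) -> bool:
    """Plain equality on the trimmed string, which is all the check at 00687CBC amounts to.
    Note: in the listing, JE at 00687CC3 goes to 00687CC9, the branch that ends in MOV BL,1,
    so that compare routine signals a match by returning 0; a bool is returned here instead."""
    return normalize_code(entered) == expected

def ignored_positions(length: int = 24) -> list:
    """1-based positions of the entered field that never reach the comparison,
    found by normalizing a probe string of distinct marker characters."""
    probe = [chr(0x100 + i) for i in range(length)]
    kept = set(normalize_code("".join(probe)))
    return [i + 1 for i, ch in enumerate(probe) if ch not in kept]

if __name__ == "__main__":
    # Values taken from the post: the trial code and the working code it lists.
    print(normalize_code("123456789009876543211234"))   # 890097654311234
    print(normalize_code("1234567181108373980D1FC9"))  # 1811037398D1FC9
    # Only 15 of the 24 characters are ever compared; the rest are filler.
    print(ignored_positions())                          # [1, 2, 3, 4, 5, 6, 7, 13, 19]
```

Because 9 of the 24 positions are discarded before a plain string compare, the field's effective length is 15, and the per-user value appears verbatim in every valid code.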