【下载页面】http://www.92down.com/soft/7878.htm
【软件名称】同益起名大师 3.33
【软件分类】国产软件 / 授权未知 / 测字算命
【适用平台】Win9x/Me/NT/2000/XP
【文件大小】6529KB
【软件介绍】是一个专业的起名测名软件,可以说是最优秀、最专业的,绝对100%精品(注:自吹而已)。它有个人起名、公司行号命名、商标楼号命名、姓名八卦、吉号选择、姓名分析、名称分析、号码吉凶分析等及参考名字查询、成语查询、偏旁查字等多种活字典辞典功能。是姓名学爱好者及研究人员的得力工具,让您真正放心、方便、快捷地为您的公司商行或亲朋好友起个好名。
—————————————————————————————————
【破文作者】moon
【作者声明】:只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
【调试环境】:WinXP、flyODBG、PEiD
—————————————————————————————————
【准备工作】:
手动更改注册表项目HKEY_LOCAL_MACHINE\SOFTWARE\GoodSoft\GoodName中的:
1. Appid改为注册框中的申请码,注册按十进制写。
2. FName改为要起名的姓,如"朱"。
3. Serial改为一个32位的码,如"12345678901234567890123456789012"。
手动更改注册表项目HKEY_LOCAL_MACHINE\SOFTWARE\GoodSoft\GoodName\License中的:
1. RegMod改为fb。一个标志。
2. RegSeq改为2。一个标志。
3. Value改为"AC2A706C25768C57",这是与“朱”相对应的值。怎么得到的?这是强暴了同益起名大师3.29版后,它帮我算出来的。
—————————————————————————————————
【破解过程】:
用peid查壳,是:
UltraProtect 1.x -> RISCO Software Inc.
这就是ACProtect的壳。因为脱壳暂时没有搞定,所以今采取带壳跟踪的方法。下:
bp RegQueryValueExA
bp RegSetValueExA
这是它的穴位,可以拦截所有对注册表有关注册信息的读写操作,第一次读取注册信息是启动以后,在00576477开始的程序段上:
00576746 call GoodName.004F601C 关键比较
0057674B mov byte ptr ds:[583F48],al al要等于1才行
是关键比较。在此中断后,把al改为1即可突破启动段的注册验证。相关操作已做成OD的脚本文件,加载后只需运行此文件,即可突破其启动的验证段:
var addrQ
gpa "RegQueryValueExA", "advapi32.dll"
mov addrQ,$RESULT
bp addrQ
eob Break0
run
Break0:
cmp edx,0057695c
je lbl0
cmp eip,addrQ
jne end0:
run
lbl0:
cob
bc addrQ
bp 0057674B
run
bc 0057674B
inc eax //用此命令把al置1
bp addrQ
run
end0:
run
ret
当然这样还不能使用这个软件,在点击“注册”、“个人起名”、“开始分析”等按钮以后还有不同的验证段,并且验证段是有壳的,还有待于进一步的研究。
--------------------------------------------------------------------------
【附:启动以后的验证段】
00576477 mov edx,GoodName.0057695C ; ASCII "Appid"
0057647C mov eax,dword ptr ss:[ebp-14]
0057647F call GoodName.0043D870
00576484 mov dword ptr ss:[ebp-8],eax
00576487 lea ecx,dword ptr ss:[ebp-C]
0057648A mov edx,GoodName.0057696C ; ASCII "Serial"
0057648F mov eax,dword ptr ss:[ebp-14]
00576492 call GoodName.0043D7E4
00576497 lea ecx,dword ptr ss:[ebp-10]
0057649A mov edx,GoodName.0057697C ; ASCII "FName"
0057649F mov eax,dword ptr ss:[ebp-14]
005764A2 call GoodName.0043D7E4
005764A7 lea edx,dword ptr ss:[ebp-18]
005764AA mov eax,dword ptr ss:[ebp-10]
005764AD call GoodName.00409070
005764B2 mov edx,dword ptr ss:[ebp-18]
005764B5 lea eax,dword ptr ss:[ebp-10]
005764B8 call GoodName.004047A8
005764BD xor ecx,ecx
005764BF mov edx,GoodName.0057698C ; ASCII "License"
005764C4 mov eax,dword ptr ss:[ebp-14]
005764C7 call GoodName.0043D43C
005764CC test al,al
005764CE jnz short GoodName.005764E2
005764D0 xor eax,eax
005764D2 pop edx
005764D3 pop ecx
005764D4 pop ecx
005764D5 mov dword ptr fs:[eax],edx
005764D8 call GoodName.00404194
005764DD jmp GoodName.005768A8
005764E2 mov edx,GoodName.0057699C ; ASCII "RegSeq"
005764E7 mov eax,dword ptr ss:[ebp-14]
005764EA call GoodName.0043D870
005764EF mov word ptr ds:[583F4E],ax
005764F5 cmp word ptr ds:[583F4E],2
005764FD jnz short GoodName.00576508
005764FF mov byte ptr ds:[583F49],0
00576506 jmp short GoodName.0057650F
00576508 mov byte ptr ds:[583F49],1
0057650F mov edx,GoodName.005769AC ; ASCII "RegMod"
00576514 mov eax,dword ptr ss:[ebp-14]
00576517 call GoodName.0043D870
0057651C mov word ptr ds:[583F4E],ax
00576522 lea edx,dword ptr ss:[ebp-1C]
00576525 mov eax,dword ptr ss:[ebp-10]
00576528 call GoodName.00409070
0057652D mov eax,dword ptr ss:[ebp-1C]
00576530 call GoodName.004049D0
00576535 dec eax
00576536 jle short GoodName.00576577
00576538 lea ecx,dword ptr ss:[ebp-28]
0057653B mov edx,GoodName.005769BC ; ASCII "Value"
00576540 mov eax,dword ptr ss:[ebp-14]
00576543 call GoodName.0043D7E4
00576548 mov eax,dword ptr ss:[ebp-28]
0057654B lea edx,dword ptr ss:[ebp-24]
0057654E call GoodName.00409070
00576553 mov eax,dword ptr ss:[ebp-24]
00576556 lea ecx,dword ptr ss:[ebp-20]
00576559 mov edx,GoodName.005769CC ; ASCII "CFE37613C6ACB1"
0057655E call GoodName.004F53A4
00576563 mov edx,dword ptr ss:[ebp-20]
00576566 mov eax,dword ptr ss:[ebp-10]
00576569 call GoodName.00404B1C 注册表中的姓和根据Value算出的姓比较
0057656E je short GoodName.00576577
00576570 mov dword ptr ss:[ebp-8],4D
00576577 lea ecx,dword ptr ss:[ebp-38]
0057657A mov edx,GoodName.005769E4 ; ASCII "Value1"
0057657F mov eax,dword ptr ss:[ebp-14]
00576582 call GoodName.0043D7E4
00576587 mov eax,dword ptr ss:[ebp-38]
0057658A lea edx,dword ptr ss:[ebp-34]
0057658D call GoodName.00409070
00576592 mov eax,dword ptr ss:[ebp-34]
00576595 lea ecx,dword ptr ss:[ebp-30]
00576598 mov edx,GoodName.005769CC ; ASCII "CFE37613C6ACB1"
0057659D call GoodName.004F53A4
005765A2 mov eax,dword ptr ss:[ebp-30]
005765A5 lea edx,dword ptr ss:[ebp-2C]
005765A8 call GoodName.00409070
005765AD mov eax,dword ptr ss:[ebp-2C]
005765B0 push eax
005765B1 lea edx,dword ptr ss:[ebp-3C]
005765B4 mov eax,dword ptr ss:[ebp-10]
005765B7 call GoodName.00409070
005765BC mov edx,dword ptr ss:[ebp-3C]
005765BF lea eax,dword ptr ss:[ebp-10]
005765C2 pop ecx
005765C3 call GoodName.00404A1C
005765C8 xor eax,eax
005765CA pop edx
005765CB pop ecx
005765CC pop ecx
005765CD mov dword ptr fs:[eax],edx
005765D0 jmp short GoodName.005765E3
005765D2 jmp GoodName.00403D38
005765D7 xor eax,eax
005765D9 call GoodName.005192A4
005765DE call GoodName.00404164
005765E3 cmp dword ptr ss:[ebp-8],4D
005765E7 jnz short GoodName.0057661C
005765E9 mov eax,dword ptr ss:[ebp-4]
005765EC mov eax,dword ptr ds:[eax+340]
005765F2 xor edx,edx
005765F4 call GoodName.0046A608
005765F9 mov al,byte ptr ss:[ebp-8]
005765FC call GoodName.005192A4
00576601 mov eax,dword ptr ss:[ebp-4]
00576604 mov eax,dword ptr ds:[eax+3B8]
0057660A mov edx,dword ptr ss:[ebp-8]
0057660D call GoodName.00521864
00576612 mov eax,dword ptr ds:[583F30]
00576617 call GoodName.00403884
0057661C cmp word ptr ds:[583F4E],0FB
00576625 jnz GoodName.005767F2
0057662B lea edx,dword ptr ss:[ebp-40]
0057662E mov eax,dword ptr ss:[ebp-C]
00576631 call GoodName.00409070 复制注册码
00576636 mov eax,dword ptr ss:[ebp-40]
00576639 call GoodName.004049D0 查注册码位数
0057663E cmp eax,15
00576641 jle GoodName.005767F2
00576647 lea eax,dword ptr ss:[ebp-48]
0057664A push eax
0057664B lea edx,dword ptr ss:[ebp-50]
0057664E mov eax,dword ptr ss:[ebp-8]
00576651 call GoodName.0040942C
00576656 mov eax,dword ptr ss:[ebp-50]
00576659 lea edx,dword ptr ss:[ebp-4C]
0057665C call GoodName.00409070 复制申请码
00576661 lea eax,dword ptr ss:[ebp-4C]
00576664 mov edx,GoodName.005769F4 ; ASCII " "
00576669 call GoodName.004049D8 申请码后加空格
0057666E mov eax,dword ptr ss:[ebp-4C]
00576671 mov ecx,8
00576676 mov edx,1
0057667B call GoodName.00404C30 取前8位
00576680 lea eax,dword ptr ss:[ebp-48]
00576683 mov edx,dword ptr ss:[ebp-10]
00576686 call GoodName.004049D8 申请码加上姓
0057668B mov eax,dword ptr ss:[ebp-48]
0057668E lea edx,dword ptr ss:[ebp-44]
00576691 call GoodName.004E0E1C
00576696 mov edx,dword ptr ss:[ebp-44]
00576699 mov eax,GoodName.00583F50
0057669E call GoodName.00404764
005766A3 lea edx,dword ptr ss:[ebp-58]
005766A6 mov eax,dword ptr ss:[ebp-C]
005766A9 call GoodName.00514ADC
005766AE mov eax,dword ptr ss:[ebp-58]
005766B1 lea edx,dword ptr ss:[ebp-54]
005766B4 call GoodName.004E0E1C
005766B9 mov edx,dword ptr ss:[ebp-54]
005766BC mov eax,GoodName.00583F54
005766C1 call GoodName.00404764
005766C6 lea edx,dword ptr ss:[ebp-68]
005766C9 mov eax,dword ptr ds:[583F50]
005766CE call GoodName.004F5F24
005766D3 lea eax,dword ptr ss:[ebp-68]
005766D6 lea edx,dword ptr ss:[ebp-10]
005766D9 call GoodName.004F5F98
005766DE lea eax,dword ptr ss:[ebp-70]
005766E1 push eax
005766E2 lea edx,dword ptr ss:[ebp-74]
005766E5 mov eax,dword ptr ds:[583F54]
005766EA call GoodName.004E0E1C
005766EF mov eax,dword ptr ss:[ebp-74]
005766F2 mov ecx,10
005766F7 mov edx,1
005766FC call GoodName.00404C30
00576701 mov eax,dword ptr ss:[ebp-70]
00576704 lea ecx,dword ptr ss:[ebp-6C]
00576707 mov edx,dword ptr ss:[ebp-10]
0057670A call GoodName.004F548C
0057670F mov eax,dword ptr ss:[ebp-6C]
00576712 lea edx,dword ptr ss:[ebp-68]
00576715 call GoodName.004F5F24
0057671A lea eax,dword ptr ss:[ebp-68]
0057671D push eax
0057671E lea edx,dword ptr ss:[ebp-88]
00576724 mov eax,dword ptr ds:[583F50]
00576729 call GoodName.004F96A0
0057672E mov eax,dword ptr ss:[ebp-88]
00576734 lea edx,dword ptr ss:[ebp-84]
0057673A call GoodName.004F5F24
0057673F lea eax,dword ptr ss:[ebp-84]
00576745 pop edx
00576746 call GoodName.004F601C 关键比较
0057674B mov byte ptr ds:[583F48],al al要等于1才行
00576750 cmp byte ptr ds:[583F48],0
00576757 je short GoodName.00576769
00576759 mov eax,dword ptr ss:[ebp-4]
0057675C mov eax,dword ptr ds:[eax+44C]
00576762 mov dl,1
00576764 call GoodName.0046A4EC
00576769 cmp byte ptr ds:[583F48],0
00576770 je short GoodName.00576784
00576772 mov eax,dword ptr ss:[ebp-4]
00576775 mov eax,dword ptr ds:[eax+340]
0057677B xor edx,edx
0057677D call GoodName.0046A608
00576782 jmp short GoodName.005767B7
00576784 mov eax,dword ptr ss:[ebp-4]
00576787 mov eax,dword ptr ds:[eax+340]
0057678D xor edx,edx
0057678F call GoodName.0046A608
00576794 mov al,byte ptr ss:[ebp-8]
00576797 call GoodName.005192A4
0057679C mov eax,dword ptr ss:[ebp-4]
0057679F mov eax,dword ptr ds:[eax+3B8]
005767A5 mov edx,dword ptr ss:[ebp-8]
005767A8 call GoodName.00521864
005767AD mov eax,dword ptr ds:[583F30]
005767B2 call GoodName.00403884
005767B7 cmp dword ptr ss:[ebp-8],63
005767BB jle short GoodName.005767F9
005767BD lea eax,dword ptr ss:[ebp-90]
005767C3 call GoodName.005115F8
005767C8 mov eax,dword ptr ss:[ebp-90]
005767CE lea edx,dword ptr ss:[ebp-8C]
005767D4 call GoodName.00409070
005767D9 mov eax,dword ptr ss:[ebp-8C]
005767DF call GoodName.00409598
005767E4 cmp eax,dword ptr ss:[ebp-8]
005767E7 je short GoodName.005767F9
005767E9 mov byte ptr ds:[583F48],0
005767F0 jmp short GoodName.005767F9
005767F2 mov byte ptr ds:[583F48],0
005767F9 cmp dword ptr ss:[ebp-8],64
005767FD jge short GoodName.00576806
005767FF mov byte ptr ds:[583F48],0
00576806 mov eax,dword ptr ss:[ebp-14]
00576809 call GoodName.0043D3A4
0057680E xor eax,eax
00576810 pop edx
00576811 pop ecx
00576812 pop ecx
00576813 mov dword ptr fs:[eax],edx
00576816 push GoodName.0057682B
0057681B mov eax,dword ptr ss:[ebp-14]
0057681E call GoodName.00403884
00576823 retn