• 标 题:【原创】中华通讯录 pj教程
  • 作 者:cracklover
  • 时 间:2004-11-27,09:53
  • 链 接:http://bbs.pediy.com

【破解作者】 cracklover
【作者邮箱】 cracklover@126.com
【使用工具】 DeDe3.5  OD1.1  MasmV8
【破解平台】 Win2000
【软件名称】 中华通讯录V4.7Build

【软件简介】 中华通讯录是一款实用的通讯录软件,软件界面采用WINXP风格,
功能完善,最多能够容纳十万条通讯记录,新版本增加了QQ助聊功能,通过它
可以向网友连续发送信息,非常方便快捷。启动时需要输入密码,使其它人不
能看到你的通讯资料,让你的信息更安全。查询栏让你很快找到你的联系人。
支持增加分类,添加,删除信息。

【软件大小】 871
【加壳方式】 UPX1.08
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
根据注册错误提示,很容易找到如下代码,以下代码是从DEDE中拷贝出的代码:

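// Routine at 005263F4 (DeDe listing). Calls the check routine at 00522F74 and,
// depending on the boolean it returns in AL, either calls 00522D10 (success path)
// or shows the "registration code incorrect" message via ShowMessage.
// Register operands that had lost their ", " separator in the paste are restored.
005263F4   53                     push    ebx
005263F5   8BD8                   mov     ebx, eax        // keep incoming EAX (DeDe labels it FrmMain in the callee)
005263F7   8BC3                   mov     eax, ebx

* Reference to : TFrmMain.Proc_00522F74()
|
005263F9   E876CBFFFF             call    00522F74        // registration-code check, listed below
005263FE   84C0                   test    al, al          // AL = result of the check (0 = rejected)
00526400   7409                   jz      0052640B        // rejected: go to the error message
00526402   8BC3                   mov     eax, ebx

* Reference to : TFrmMain.Proc_00522D10()
|
00526404   E807C9FFFF             call    00522D10        // per the author: shows "registration succeeded"
00526409   5B                     pop     ebx
0052640A   C3                     ret


* Possible String Reference to: '注册码不正确,无法注册'
|
0052640B   B820645200             mov     eax, $00526420  // address of the error string named above

* Reference to: dialogs.ShowMessage(AnsiString);
|
00526410   E89B85F3FF             call    0045E9B0
00526415   5B                     pop     ebx
00526416   C3                     ret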


#########################################################################################

call    00522F74的内容:

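// Check routine at 00522F74 (DeDe listing). In: EAX = form instance (stored at [ebp-$04]).
// Out: AL = 1 if the text in Edit2 converts to (sum of the bytes of the Edit1 text
// + $00127EFC + $0064E49E), else 0. On success the Edit1 text and the byte sum are
// also stored in the globals at $0054A5E4 / $0054A5E8.
// Locals: [ebp-$08] Edit1 text, [ebp-$0C] running sum, [ebp-$10] one-character
// substring, [ebp-$14] Edit2 text.
// The expected value depends only on the Edit1 text and two constants embedded in
// the binary, and the comparison happens entirely on the client.
// Register operands that had lost their ", " separator in the paste are restored.
00522F74   55                     push    ebp
00522F75   8BEC                   mov     ebp, esp
00522F77   33C9                   xor     ecx, ecx
00522F79   51                     push    ecx             // five zeroed local slots: [ebp-$04]..[ebp-$14]
00522F7A   51                     push    ecx
00522F7B   51                     push    ecx
00522F7C   51                     push    ecx
00522F7D   51                     push    ecx
00522F7E   53                     push    ebx
00522F7F   56                     push    esi
00522F80   8945FC                 mov     [ebp-$04], eax  // save the form instance
00522F83   33C0                   xor     eax, eax
00522F85   55                     push    ebp
00522F86   6850305200             push    $00523050       // handler stub (jumps to @HandleFinally)

***** TRY
|
00522F8B   64FF30                 push    dword ptr fs:[eax]  // link the new exception frame at fs:[0]
00522F8E   648920                 mov     fs:[eax], esp
00522F91   33C0                   xor     eax, eax
00522F93   8945F4                 mov     [ebp-$0C], eax  // sum = 0
00522F96   8D55F8                 lea     edx, [ebp-$08]

* Reference to FrmMain
|
00522F99   8B45FC                 mov     eax, [ebp-$04]

* Reference to control TFrmMain.Edit1 : TsuiEdit
|
00522F9C   8B8020040000           mov     eax, [eax+$0420]

* Reference to: controls.TControl.GetText(TControl):TCaption;
|
00522FA2   E8A937F1FF             call    00436750        // [ebp-$08] = Edit1 text (the "machine code", per the author)
00522FA7   8B45F8                 mov     eax, [ebp-$08]

* Reference to: system.@LStrLen:Integer;
|
00522FAA   E88D11EEFF             call    0040413C
00522FAF   8BD8                   mov     ebx, eax        // EBX = characters left to process
00522FB1   85DB                   test    ebx, ebx
00522FB3   7E2E                   jle     00522FE3        // empty text: skip the loop, sum stays 0
00522FB5   BE01000000             mov     esi, $00000001  // ESI = 1-based character index
00522FBA   8D45F0                 lea     eax, [ebp-$10]  // loop head: destination for the substring
00522FBD   50                     push    eax
00522FBE   B901000000             mov     ecx, $00000001  // copy length = 1
00522FC3   8BD6                   mov     edx, esi        // copy start = current index
00522FC5   8B45F8                 mov     eax, [ebp-$08]

* Reference to: system.@LStrCopy;
|
00522FC8   E87713EEFF             call    00404344
00522FCD   8B45F0                 mov     eax, [ebp-$10]

* Reference to: system.@LStrToPChar;  // the expected value is accumulated below
|
00522FD0   E82B13EEFF             call    00404300
00522FD5   8A00                   mov     al, byte ptr [eax]  // AL = current character of the Edit1 text
00522FD7   25FF000000             and     eax, $000000FF  // clear the upper 24 bits
00522FDC   0145F4                 add     [ebp-$0C], eax  // sum += character value
00522FDF   46                     inc     esi             // next index
00522FE0   4B                     dec     ebx             // one fewer character left
00522FE1   75D7                   jnz     00522FBA        // loop until every character is summed
00522FE3   8D55EC                 lea     edx, [ebp-$14]

* Reference to FrmMain
|
00522FE6   8B45FC                 mov     eax, [ebp-$04]

* Reference to control TFrmMain.Edit2 : TsuiEdit
|
00522FE9   8B8024040000           mov     eax, [eax+$0424]

* Reference to: controls.TControl.GetText(TControl):TCaption;
|
00522FEF   E85C37F1FF             call    00436750
00522FF4   8B45EC                 mov     eax, [ebp-$14]  // EAX -> the code the user typed into Edit2

* Reference to: Unit_00408D30.Proc_0040A088
|
00522FF7   E88C70EEFF             call    0040A088        // per the author: EAX = numeric value of the typed code (callee not shown)

* Reference to FrmMain
|
00522FFC   8B55F4                 mov     edx, [ebp-$0C]  // EDX = byte sum computed above
00522FFF   81C2FC7E1200           add     edx, $00127EFC  // EDX += 127EFCh
00523005   81C29EE46400           add     edx, $0064E49E  // EDX += 64E49Eh
0052300B   3BC2                   cmp     eax, edx        // typed value == expected value?
0052300D   7519                   jnz     00523028        // mismatch: result = 0
0052300F   B301                   mov     bl, $01         // match: result = 1
00523011   B8E4A55400             mov     eax, $0054A5E4
00523016   8B55F8                 mov     edx, [ebp-$08]

* Reference to: system.@LStrAsg;
|
00523019   E8F20EEEFF             call    00403F10        // global string at $0054A5E4 := Edit1 text

* Reference to FrmMain
|
0052301E   8B45F4                 mov     eax, [ebp-$0C]

* Reference to GlobalVar_0054A5E8
|
00523021   A3E8A55400             mov     dword ptr [$0054A5E8], eax  // global at $0054A5E8 := byte sum
00523026   EB02                   jmp     0052302A
00523028   33DB                   xor     ebx, ebx        // mismatch path: result = 0
0052302A   33C0                   xor     eax, eax
0052302C   5A                     pop     edx             // previous fs:[0] entry
0052302D   59                     pop     ecx             // discard handler address
0052302E   59                     pop     ecx             // discard saved EBP
0052302F   648910                 mov     fs:[eax], edx   // unlink the exception frame

****** FINALLY
|

* DeDe printed a "Possible String Reference" here, but $00523057 is the address of
| the epilogue after ****** END below; the quoted text was only those code bytes
| rendered as characters.
|
00523032   6857305200             push    $00523057       // address the ret at 0052304F returns to
00523037   8D45EC                 lea     eax, [ebp-$14]

* Reference to: system.@LStrClr(String;String);
|
0052303A   E87D0EEEFF             call    00403EBC        // release the Edit2 text
0052303F   8D45F0                 lea     eax, [ebp-$10]

* Reference to: system.@LStrClr(String;String);
|
00523042   E8750EEEFF             call    00403EBC        // release the one-character substring
00523047   8D45F8                 lea     eax, [ebp-$08]

* Reference to: system.@LStrClr(String;String);
|
0052304A   E86D0EEEFF             call    00403EBC        // release the Edit1 text
0052304F   C3                     ret                     // continues at 00523057 (pushed at 00523032)


* Reference to: system.@HandleFinally;
|
00523050   E95F08EEFF             jmp     004038B4        // handler stub installed at 00522F86
00523055   EBE0                   jmp     00523037        // re-enters the cleanup code above

****** END
|
00523057   8BC3                   mov     eax, ebx        // return value: AL = BL (1 = accepted, 0 = rejected)
00523059   5E                     pop     esi
0052305A   5B                     pop     ebx
0052305B   8BE5                   mov     esp, ebp
0052305D   5D                     pop     ebp
0052305E   C3                     ret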
--------------------------------------------------------------------------------

下面是计算注册码的Masm子程序:
说明:
lpstr1是机器码的地址,lpstr2是指计算出的注册码的地址,count是机器码长度


; Process - sum the bytes of a buffer, add the two constants used by the
; check routine listed above, and write the result as a decimal string.
;   lpstr1 : address of the input bytes (the machine code)
;   lpstr2 : address of the output buffer for the decimal string
;   count  : number of input bytes; must be non-zero, because the loop
;            decrements before it tests
; All general registers are preserved (pushad/popad). The stack copies of
; lpstr1 and count are overwritten.
Process  proc  lpstr1:DWORD,lpstr2:DWORD,count:DWORD
  pushad
    mov  edi,lpstr2
    mov  esi,lpstr1               ; esi -> next input byte
    xor  edx,edx                  ; edx = running sum
  next_byte:
    movzx eax,byte ptr [esi]      ; eax = current byte, zero-extended
    inc  esi
    add  edx,eax
    dec  count
    jnz  next_byte
    add  edx,127EFCh              ; same two constants as at 00522FFF / 00523005
    add  edx,64E49Eh
    mov  lpstr1,edx               ; reuse the lpstr1 slot to hold the numeric result
    invoke udw2str,lpstr1,lpstr2  ; convert the DWORD to a decimal string at lpstr2
  popad
  ret
Process endp

破解总结:
此软件的机器码其实就是硬盘序列号,所以,我们也可以不通过运行软件得到机器码,而直接
在注册机里得到硬盘序列号,再计算出注册码。
要是有人要注册机的asm源码及资源文件请EMAIL  ME:cracklover@126.com。

【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!