• 标 题:贯通词典破解过程
  • 作 者:Pr0Zel
  • 时 间:2004-12-20,22:02
  • 链 接:http://bbs.pediy.com

这是我写的第一篇破解的文章,也是我第一次成功地破解软件(成功破解是指能写出注册机),若有错的话请大家提出来,指导一下我这只菜鸟 ;)

目标:贯通词典V2.1  
简介:一个日语字典 
原因:自己正在自学日语,听说这个词典还算可以,就下载下来试试,发现是要注册的

先用PEID看看
UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
嗯,是用UPX加壳,用upx -d就可以解壳了,手动解壳也可
解壳后是1.23MB的
OK了,用C32ASM反汇编吧
::004E65A7::  BA 01000000              MOV EDX,1
::004E65AC::  59                       POP ECX
::004E65AD::  E8 4EE6F1FF              CALL 00404C00
::004E65B2::  8B45 E4                  MOV EAX,[EBP-1C]
::004E65B5::  E8 E6E5F1FF              CALL 00404BA0
::004E65BA::  8D55 E8                  LEA EDX,[EBP-18]
::004E65BD::  E8 BAE2FFFF              CALL 004E487C
::004E65C2::  8B55 E8                  MOV EDX,[EBP-18]
::004E65C5::  B8 64F64E00              MOV EAX,4EF664
::004E65CA::  E8 65E1F1FF              CALL 00404734
::004E65CF::  8D4D D8                  LEA ECX,[EBP-28]
::004E65D2::  BA E46E4E00              MOV EDX,4E6EE4                              \->: yasha
::004E65D7::  A1 64F64E00              MOV EAX,[4EF664]
::004E65DC::  E8 13E1FFFF              CALL 004E46F4        ->关键:注册码生成过程
::004E65E1::  8B45 D8                  MOV EAX,[EBP-28] 
::004E65E4::  8D55 F4                  LEA EDX,[EBP-C]
::004E65E7::  E8 F8E1FFFF              CALL 004E47E4 
::004E65EC::  C705 3CF64E00 705E4E00   MOV DWORD PTR [4EF63C],4E5E70 
::004E65F6::  8D45 D4                  LEA EAX,[EBP-2C]
::004E65F9::  BA 6CF64E00              MOV EDX,4EF66C          
::004E65FE::  B9 80000000              MOV ECX,80       

进去4E46F4里面看看是怎样生成注册码的吧
::004E46F4::  55                       PUSH EBP                                \:BYCALL CallBy:004E65DC,
::004E46F5::  8BEC                     MOV EBP,ESP                             
::004E46F7::  83C4 E8                  ADD ESP,-18                             
::004E46FA::  53                       PUSH EBX                                
::004E46FB::  56                       PUSH ESI                                
::004E46FC::  57                       PUSH EDI                                
::004E46FD::  33DB                     XOR EBX,EBX                             
::004E46FF::  895D E8                  MOV [EBP-18],EBX                        
::004E4702::  895D F0                  MOV [EBP-10],EBX                        
::004E4705::  895D EC                  MOV [EBP-14],EBX                        
::004E4708::  894D F4                  MOV [EBP-C],ECX                         
::004E470B::  8955 F8                  MOV [EBP-8],EDX                         
::004E470E::  8945 FC                  MOV [EBP-4],EAX                         
::004E4711::  8B45 FC                  MOV EAX,[EBP-4]                         
::004E4714::  E8 7704F2FF              CALL 00404B90                           \:JMPUP
::004E4719::  8B45 F8                  MOV EAX,[EBP-8]                         
::004E471C::  E8 6F04F2FF              CALL 00404B90                           \:JMPUP
::004E4721::  33C0                     XOR EAX,EAX                             
::004E4723::  55                       PUSH EBP                                
::004E4724::  68 D3474E00              PUSH 4E47D3                                 
::004E4729::  64:FF30                  PUSH DWORD PTR FS:[EAX]                 
::004E472C::  64:8920                  MOV FS:[EAX],ESP                        
::004E472F::  8B45 FC                  MOV EAX,[EBP-4]                     把序列号送入EAX
::004E4732::  E8 7102F2FF              CALL 004049A8                       序列号ASCII码的位数(9个)
::004E4737::  50                       PUSH EAX                            EAX入栈
::004E4738::  8B45 F8                  MOV EAX,[EBP-8]                  字符串"yasha"送到EAX里
::004E473B::  E8 6802F2FF              CALL 004049A8                      "yasha"ASCII码的位数(5个)
::004E4740::  5A                       POP EDX                            栈的数据弹到EDX里 (EDX==9 EAX==5)
::004E4741::  92                       XCHG EAX,EDX                      交换EAX与EDX   (EDX==5 EAX==9)
::004E4742::  8BCA                     MOV ECX,EDX                       EDX数据送入ECX (ECX=EDX=5) 
::004E4744::  99                       CDQ                                               
::004E4745::  F7F9                     IDIV ECX                        ECX执行除法 (EAX==1 EDX==4)
::004E4747::  8BF8                     MOV EDI,EAX                         EAX数据送到EDI里
::004E4749::  66:85FF                  TEST DI,DI                                  
::004E474C::  7C 11                    JL SHORT 004E475F                       
::004E474E::  47                       INC EDI                                           EDI++
::004E474F::  8D45 F0                  LEA EAX,[EBP-10]                         
::004E4752::  8B55 F8                  MOV EDX,[EBP-8]                       "yasha"送入EDX
::004E4755::  E8 5602F2FF              CALL 004049B0                         把"yasha"累加,变成"yashayasha"
::004E475A::  66:FFCF                  DEC DI                                         
::004E475D::  75 F0                    JNZ SHORT 004E474F                      
::004E475F::  8B45 FC                  MOV EAX,[EBP-4]                      序列号送到EAX
::004E4762::  E8 4102F2FF              CALL 004049A8                        得到序列号长度(9)
::004E4767::  8BF8                     MOV EDI,EAX                                  
::004E4769::  66:85FF                  TEST DI,DI                                    
::004E476C::  7E 32                    JLE SHORT 004E47A0                      
::004E476E::  66:BE 0100               MOV SI,1                                    
::004E4772::  0FBFC6                   MOVSX EAX,SI                             
::004E4775::  8B55 FC                  MOV EDX,[EBP-4]                      序列号送到EDX
::004E4778::  8A5C02 FF                MOV BL,[EDX+EAX-1]                 序列号的第一个字符送到BL   
::004E477C::  8B55 F0                  MOV EDX,[EBP-10]                    字符串"yashayasha"送到EDX
::004E477F::  8A4402 FF                MOV AL,[EDX+EAX-1]                 字符串"yashayasha"第一个字符送去AL
::004E4783::  32D8                     XOR BL,AL                           异或BL与AL,结果送回BL 
::004E4785::  8D45 E8                  LEA EAX,[EBP-18]                          
::004E4788::  8BD3                     MOV EDX,EBX                                
::004E478A::  E8 3101F2FF              CALL 004048C0                           \:JMPUP
::004E478F::  8B55 E8                  MOV EDX,[EBP-18]                        
::004E4792::  8D45 EC                  LEA EAX,[EBP-14]                        
::004E4795::  E8 1602F2FF              CALL 004049B0                           \:JMPUP
::004E479A::  46                       INC ESI                                 
::004E479B::  66:FFCF                  DEC DI                                  
::004E479E::  75 D2                    JNZ SHORT 004E4772                      \:JMPUP
::004E47A0::  8B45 F4                  MOV EAX,[EBP-C]                         \:BYJMP JmpBy:004E476C,
::004E47A3::  8B55 EC                  MOV EDX,[EBP-14]                        
::004E47A6::  E8 89FFF1FF              CALL 00404734                           \:JMPUP
::004E47AB::  33C0                     XOR EAX,EAX                             
::004E47AD::  5A                       POP EDX                                 
::004E47AE::  59                       POP ECX                                 
::004E47AF::  59                       POP ECX                                 
::004E47B0::  64:8910                  MOV FS:[EAX],EDX                        
::004E47B3::  68 DA474E00              PUSH 4E47DA                                 
::004E47B8::  8D45 E8                  LEA EAX,[EBP-18]                        \:BYJMP JmpBy:004E47D8,
::004E47BB::  BA 03000000              MOV EDX,3                               
::004E47C0::  E8 3FFFF1FF              CALL 00404704                           \:JMPUP
::004E47C5::  8D45 F8                  LEA EAX,[EBP-8]                         
::004E47C8::  BA 02000000              MOV EDX,2                               
::004E47CD::  E8 32FFF1FF              CALL 00404704                           \:JMPUP
::004E47D2::  C3                       RETN                                    
::004E47D3::  E9 30F9F1FF              JMP 00404108                            \:JMPUP
::004E47D8::  EB DE                    JMP SHORT 004E47B8                      \:JMPUP
::004E47DA::  5F                       POP EDI                                 
::004E47DB::  5E                       POP ESI                                 
::004E47DC::  5B                       POP EBX                                 
::004E47DD::  8BE5                     MOV ESP,EBP                             
::004E47DF::  5D                       POP EBP                                 
::004E47E0::  C3                       RETN      

经过这个CALL以后,因为我的序列号是8C0D-DB4C(9个字符),循环只跑9次,所以只用到"yashayasha"的前9个字符"yashayash";逐字节异或后的字符串就是A"C,L=#G+
最后一步还要留意这个CALL:
::004E6603::  E8 50E3F1FF              CALL 00404958
它把异或后的字符串转为ASCII码的十进制值, A"C,L=#G+的十进制ASCII码值就是65 34 67 44 76 61 35 71 43 把空格去掉,就是653467447661357143,这就是注册码了(每个异或结果是0~255的一个字节,对应1~3位十进制数,所以注册码的总长度不是固定的),开始写注册机吧
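void CRegDlg::OnButton1()
{
    // Key generator for the registration dialog.
    // Reads the request code from m_CS1 (expected in the 9-character
    // "XXXX-XXXX" form), XORs each byte with the byte at the same index of
    // the constant "yashayasha", and appends the decimal value of every
    // result to m_CS2 — the same scheme as the target's routine at 004E46F4.
    // Side effects: updates the dialog controls via UpdateData; shows a
    // message box when the request code has the wrong length.
    const CString ori = "yashayasha";
    UpdateData(true);
    m_CS2 = "";

    const int stlen = m_CS1.GetLength();
    if (stlen != 9) {
        MessageBox("申请注册码是XXXX-XXXX的型式的");
    } else {
        char buff[20];   // _itoa of a value 0..255 needs at most 4 bytes
        for (int tmp = 0; tmp < stlen; tmp++) {
            // Go through unsigned char: the target XORs raw bytes
            // (MOV BL,[..] / XOR BL,AL), so a sign-extended char >= 0x80
            // would otherwise yield a negative, wrong value here.
            const int cst  = static_cast<unsigned char>(m_CS1.GetAt(tmp));
            const int cst2 = static_cast<unsigned char>(ori.GetAt(tmp));
            const int res  = cst ^ cst2;   // 0..255 -> 1 to 3 decimal digits
            _itoa(res, buff, 10);
            m_CS2 = m_CS2 + buff;
        }
    }
    UpdateData(false);
}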

完成,收工.
另外一个: 序列号是根据C盘序列号算出来的,但我始终搞不清是如何算出来的,请高手帮我看看吧
有不对的地方请提出来,谢谢.

另:因为里面生成注册码的过程有ASCII码十进制值的生成过程,编了个小软件,希望对大家有用 :)附件:ToASCII.rar
另加:
后来发现注册申请码是由C盘的序列号生成的,如我的C盘序列号是8c0ddb4c.
那么申请序列号就是8C0D-DB4C(即卷序列号转大写十六进制后在第4位后插入一个'-')。也就是说,申请码本身不含任何秘密,注册码只是它与写死在程序里的"yasha"重复串逐字节异或的结果,拿到申请码就能直接算出注册码,所以重新写了一个注册机:
直接执行MakeAll()就可以生成注册码的了
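void CKeyGunDlg::GetHDDSN()
{
    // Builds the "request code" the target derives from the C: volume
    // serial number: the serial as 8 upper-case hex digits with a dash
    // after the fourth ("8c0ddb4c" -> "8C0D-DB4C"), stored into m_CS1.
    // On failure m_CS1 is left empty instead of being built from an
    // uninitialised DWORD.
    DWORD Volum = 0;
    // Only the serial number is wanted, so the volume-name and file-system
    // buffers are NULL with size 0; the return value must be checked.
    if (!GetVolumeInformation("C:\\", NULL, 0, &Volum, NULL, NULL, NULL, 0)) {
        m_CS1 = "";
        return;
    }

    CString ss;
    // CString's method is Format (capital F). "%08lX" zero-pads to 8
    // upper-case digits so the dash always lands after the 4th character.
    // NOTE(review): the zero padding is assumed from the XXXX-XXXX form the
    // target expects; confirm against the target for serials with leading
    // zeros.
    ss.Format("%08lX", Volum);
    ss.Insert(4, '-');
    m_CS1 = ss;
}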

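void CKeyGunDlg::MakeAll()
{
    // One-shot key generator: fetches the request code from the C: volume
    // serial (GetHDDSN -> m_CS1), XORs each byte with the byte at the same
    // index of "yashayasha" and concatenates the decimal values into m_CS2,
    // which is the registration code the target accepts (see 004E46F4).
    // Side effects: updates the dialog controls via UpdateData.
    const CString ori = "yashayasha";
    GetHDDSN();
    m_CS2 = "";

    const int stlen = m_CS1.GetLength();
    // The XOR key has only 10 characters and the request code is expected
    // in the 9-character XXXX-XXXX form; refuse anything that would index
    // past the key (or an empty code when GetHDDSN failed).
    if (stlen == 0 || stlen > ori.GetLength()) {
        UpdateData(false);
        return;
    }

    // _itoa of a value 0..255 needs up to 4 bytes ("255" + NUL); the
    // former char buff[2] overflowed the stack on any two-digit result.
    char buff[20];
    for (int tmp = 0; tmp < stlen; tmp++) {
        // Unsigned-char cast: the target XORs raw bytes (XOR BL,AL), so a
        // sign-extended char >= 0x80 must not become a negative value.
        const int cst  = static_cast<unsigned char>(m_CS1.GetAt(tmp));
        const int cst2 = static_cast<unsigned char>(ori.GetAt(tmp));
        const int res  = cst ^ cst2;   // 0..255 -> 1 to 3 decimal digits
        _itoa(res, buff, 10);
        m_CS2 = m_CS2 + buff;          // after the loop m_CS2 is the registration code
    }
    UpdateData(false);
}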