【破文标题】易通电脑助手2005 V1.3.0 一劳永逸的自注册破解方法
【破文作者】蓝色の夢
【作者邮箱】yhz-163@163.com
【作者主页】http://www.pediy.com
【破解工具】OD,W32Dasm,ASPackDie
【破解平台】XP SP2
【软件名称】易通电脑助手2005 V1.3.0
【软件大小】5144K
【原版下载】http://www.etongsoft.net
【保护方式】壳,注册码
【破解声明】就在前三天接连破解了易通文件夹锁和易通电脑锁,二话不说索性干掉最后一个!
===================================================================================
【破解过程】
【分析过程】
前两次发表的“易通*** 一劳永逸的自注册破解方法”已经将算法和破解思路完全分析透彻,这次既然都是一样的就简单提供一下汇编代码,具体分析和破解过程见前两篇文章。
===================================================================================
; ---------------------------------------------------------------------------
; chelper.0047B060 - entry of the registration routine (author's label).
; OllyDbg dump, 32-bit x86, Intel syntax; columns are address, bytes, instruction.
; The excerpt stops at 0047B194, before the end of the routine.
; Visible flow:
;   1. fetch a value through [ebx+44C]; if call 00404668 returns 0, take the
;      message path at 0047B0A5
;   2. fetch four values through [ebx+450], [ebx+488], [ebx+48C], [ebx+490],
;      push them, then call 00404728 with eax = &[ebp-4], edx = 4
;   3. call 0047689C with eax = [ebp-4], edx = [ebp-28]; al == 0 -> 0047B192
; NOTE(review): callee names are not shown in the dump; the roles given below
; come from the author's notes and from how the results are used.
; ---------------------------------------------------------------------------
0047B060 55 push ebp ; entry of the registration routine (author's label)
0047B061 8BEC mov ebp,esp
0047B063 B9 07000000 mov ecx,7 ; 7 iterations x 2 pushes = 14 zeroed dword locals
0047B068 6A 00 push 0
0047B06A 6A 00 push 0
0047B06C 49 dec ecx
0047B06D ^ 75 F9 jnz short chelper.0047B068
0047B06F 53 push ebx
0047B070 8BD8 mov ebx,eax ; keep the incoming eax in ebx; all [ebx+...] reads below use it
0047B072 33C0 xor eax,eax
; link a new exception-registration record (handler 0047B218) at fs:[0]
0047B074 55 push ebp
0047B075 68 18B24700 push chelper.0047B218
0047B07A 64:FF30 push dword ptr fs:[eax]
0047B07D 64:8920 mov dword ptr fs:[eax],esp
0047B080 8D55 F4 lea edx,dword ptr ss:[ebp-C]
0047B083 8B83 4C040000 mov eax,dword ptr ds:[ebx+44C]
0047B089 E8 2EDFFBFF call chelper.00438FBC ; result written to [ebp-C]; the same field is read again at 0047B13A as the registration name
0047B08E 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0047B091 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0047B094 E8 CBD5F8FF call chelper.00408664
0047B099 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0047B09C E8 C795F8FF call chelper.00404668
0047B0A1 85C0 test eax,eax
0047B0A3 75 41 jnz short chelper.0047B0E6 ; non-zero result -> continue with the key fields
; zero result: message path. NOTE(review): 10h matches the Win32 MB_ICONERROR
; flag value - presumably a message-box call; confirm.
0047B0A5 6A 10 push 10
0047B0A7 8D55 F0 lea edx,dword ptr ss:[ebp-10]
0047B0AA B8 2CB24700 mov eax,chelper.0047B22C
0047B0AF E8 C4B3FFFF call chelper.00476478
0047B0B4 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0047B0B7 E8 A497F8FF call chelper.00404860
0047B0BC 50 push eax
0047B0BD 8D55 EC lea edx,dword ptr ss:[ebp-14]
0047B0C0 B8 44B24700 mov eax,chelper.0047B244
0047B0C5 E8 AEB3FFFF call chelper.00476478
0047B0CA 8B45 EC mov eax,dword ptr ss:[ebp-14]
0047B0CD E8 8E97F8FF call chelper.00404860
0047B0D2 8BD0 mov edx,eax
0047B0D4 A1 68D94700 mov eax,dword ptr ds:[47D968]
0047B0D9 8B00 mov eax,dword ptr ds:[eax]
0047B0DB 59 pop ecx
0047B0DC E8 9FDEFDFF call chelper.00458F80
0047B0E1 E9 E8000000 jmp chelper.0047B1CE
; collect the four groups of the entered key.
; NOTE(review): the author's notes name ebp-38/-3C/-40/-44, but the
; instructions read [ebp-18]/[ebp-1C]/[ebp-20]/[ebp-24]; the offsets in the
; notes look carried over from an earlier write-up - confirm.
0047B0E6 8D55 E8 lea edx,dword ptr ss:[ebp-18]
0047B0E9 8B83 50040000 mov eax,dword ptr ds:[ebx+450]
0047B0EF E8 C8DEFBFF call chelper.00438FBC
0047B0F4 FF75 E8 push dword ptr ss:[ebp-18] ; first key group (author's note: ebp-38=11111)
0047B0F7 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
0047B0FA 8B83 88040000 mov eax,dword ptr ds:[ebx+488] ; author's observed value: eax=5
0047B100 E8 B7DEFBFF call chelper.00438FBC
0047B105 FF75 E4 push dword ptr ss:[ebp-1C] ; second key group (author's note: ebp-3C=22222)
0047B108 8D55 E0 lea edx,dword ptr ss:[ebp-20]
0047B10B 8B83 8C040000 mov eax,dword ptr ds:[ebx+48C] ; author's observed value: eax=5
0047B111 E8 A6DEFBFF call chelper.00438FBC
0047B116 FF75 E0 push dword ptr ss:[ebp-20] ; third key group (author's note: ebp-40=33333)
0047B119 8D55 DC lea edx,dword ptr ss:[ebp-24]
0047B11C 8B83 90040000 mov eax,dword ptr ds:[ebx+490] ; author's observed value: eax=5
0047B122 E8 95DEFBFF call chelper.00438FBC
0047B127 FF75 DC push dword ptr ss:[ebp-24] ; fourth key group (author's note: ebp-44=44444)
0047B12A 8D45 FC lea eax,dword ptr ss:[ebp-4]
0047B12D BA 04000000 mov edx,4 ; edx=4, equal to the number of groups pushed above
0047B132 E8 F195F8FF call chelper.00404728 ; presumably joins the four pushed groups into [ebp-4] - confirm
0047B137 8D55 D8 lea edx,dword ptr ss:[ebp-28]
0047B13A 8B83 4C040000 mov eax,dword ptr ds:[ebx+44C]
0047B140 E8 77DEFBFF call chelper.00438FBC
0047B145 8B55 D8 mov edx,dword ptr ss:[ebp-28] ; edx = registration name
0047B148 8B45 FC mov eax,dword ptr ss:[ebp-4] ; eax = the entered (test) registration code
0047B14B E8 4CB7FFFF call chelper.0047689C ; algorithm call(1) (author's label): validation routine
0047B150 84C0 test al,al ; check the returned flag; the accept/reject decision is this single byte
0047B152 74 3E je short chelper.0047B192 ; author's note: the key branch - taken means registration fails (not the focus of this write-up)
; al != 0: message path. NOTE(review): 40h matches the Win32
; MB_ICONINFORMATION flag value - presumably the success message; confirm.
0047B154 6A 40 push 40
0047B156 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
0047B159 B8 2CB24700 mov eax,chelper.0047B22C
0047B15E E8 15B3FFFF call chelper.00476478
0047B163 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
0047B166 E8 F596F8FF call chelper.00404860
0047B16B 50 push eax
0047B16C 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0047B16F B8 64B24700 mov eax,chelper.0047B264
0047B174 E8 FFB2FFFF call chelper.00476478
0047B179 8B45 D0 mov eax,dword ptr ss:[ebp-30]
0047B17C E8 DF96F8FF call chelper.00404860
0047B181 8BD0 mov edx,eax
0047B183 A1 68D94700 mov eax,dword ptr ds:[47D968]
0047B188 8B00 mov eax,dword ptr ds:[eax]
0047B18A 59 pop ecx
0047B18B E8 F0DDFDFF call chelper.00458F80
0047B190 EB 3C jmp short chelper.0047B1CE
; al == 0: second message path with flag 10h; the excerpt ends here
0047B192 6A 10 push 10
0047B194 8D55 CC lea edx,dword ptr ss:[ebp-34]
========================================================================
算法Call(1)
; ---------------------------------------------------------------------------
; chelper.0047689C - validation routine, algorithm call(1) in the author's
; labelling; reached from 0047B14B with eax = entered code, edx = name.
; NOTE(review): the dump starts one byte early, at 0047689B. The call target
; is 0047689C, where the bytes 55 8B EC decode as
;     push ebp
;     mov  ebp,esp
; so the first two lines below are a misaligned decode, not real instructions.
; The excerpt is elided after 0047697D.
; ---------------------------------------------------------------------------
0047689B 0055 8B add byte ptr ss:[ebp-75],dl ; start of algorithm call(1) (author's label); misaligned decode, see header
0047689E EC in al,dx
0047689F 33C9 xor ecx,ecx
; seven pushes of ecx (= 0) reserve seven zeroed dword locals
004768A1 51 push ecx
004768A2 51 push ecx
004768A3 51 push ecx
004768A4 51 push ecx
004768A5 51 push ecx
004768A6 51 push ecx
004768A7 51 push ecx
004768A8 53 push ebx
004768A9 56 push esi
004768AA 57 push edi
004768AB 8BFA mov edi,edx ; edi = incoming edx (registration name at the call site)
004768AD 8BF0 mov esi,eax ; esi = incoming eax (entered code at the call site)
004768AF 33C0 xor eax,eax
; link a new exception-registration record (handler 00476A2A) at fs:[0]
004768B1 55 push ebp
004768B2 68 2A6A4700 push chelper.00476A2A
004768B7 64:FF30 push dword ptr fs:[eax]
004768BA 64:8920 mov dword ptr fs:[eax],esp
004768BD C645 FF 00 mov byte ptr ss:[ebp-1],0 ; presumably the result flag, defaulting to 0 - confirm against the elided tail
; Five repetitions of one pattern: call 00475F30 with a constant address in
; eax; when it returns al != 0, call 00458EDC on the object at [[47D968]].
; NOTE(review): the purpose of these checks is not visible in the excerpt.
004768C1 B8 285D4700 mov eax,chelper.00475D28
004768C6 E8 65F6FFFF call chelper.00475F30
004768CB 84C0 test al,al
004768CD 74 0C je short chelper.004768DB
004768CF A1 68D94700 mov eax,dword ptr ds:[47D968]
004768D4 8B00 mov eax,dword ptr ds:[eax]
004768D6 E8 0126FEFF call chelper.00458EDC
004768DB B8 F4574700 mov eax,chelper.004757F4
004768E0 E8 4BF6FFFF call chelper.00475F30
004768E5 84C0 test al,al
004768E7 74 0C je short chelper.004768F5
004768E9 A1 68D94700 mov eax,dword ptr ds:[47D968]
004768EE 8B00 mov eax,dword ptr ds:[eax]
004768F0 E8 E725FEFF call chelper.00458EDC
004768F5 B8 08594700 mov eax,chelper.00475908
004768FA E8 31F6FFFF call chelper.00475F30
004768FF 84C0 test al,al
00476901 74 0C je short chelper.0047690F
00476903 A1 68D94700 mov eax,dword ptr ds:[47D968]
00476908 8B00 mov eax,dword ptr ds:[eax]
0047690A E8 CD25FEFF call chelper.00458EDC
0047690F B8 405A4700 mov eax,chelper.00475A40
00476914 E8 17F6FFFF call chelper.00475F30
00476919 84C0 test al,al
0047691B 74 0C je short chelper.00476929
0047691D A1 68D94700 mov eax,dword ptr ds:[47D968]
00476922 8B00 mov eax,dword ptr ds:[eax]
00476924 E8 B325FEFF call chelper.00458EDC
00476929 B8 C05B4700 mov eax,chelper.00475BC0
0047692E E8 FDF5FFFF call chelper.00475F30
00476933 84C0 test al,al
00476935 74 0C je short chelper.00476943
00476937 A1 68D94700 mov eax,dword ptr ds:[47D968]
0047693C 8B00 mov eax,dword ptr ds:[eax]
0047693E E8 9925FEFF call chelper.00458EDC ; author's label: algorithm call(2) - derives the machine code from the disk serial. NOTE(review): the same target is called in the four blocks above; the label may be carried over from an earlier write-up - confirm
00476943 803D A8EC4700 0>cmp byte ptr ds:[47ECA8],0
0047694A 0F85 BF000000 jnz chelper.00476A0F ; global byte at 47ECA8 non-zero -> skip the check below
00476950 8D4D F4 lea ecx,dword ptr ss:[ebp-C] ; ecx = &[ebp-C], read back after the call
00476953 8BD7 mov edx,edi ; edi = registration name
00476955 A1 A4EC4700 mov eax,dword ptr ds:[47ECA4]
0047695A E8 69FCFFFF call chelper.004765C8 ; algorithm call(4) (author's label): the registration algorithm
0047695F 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; eax = value produced by the call above; author's note: EDX holds the valid registration code at this point
00476962 8BD6 mov edx,esi ; edx = entered code saved at 004768AD; marked by the author as the key instruction (see the summary below)
00476964 E8 43DEF8FF call chelper.004047AC ; author's note: yields the real code via algorithm call(2). NOTE(review): the jnz below consumes this call's flags, so it looks like a comparison of eax with edx - confirm
00476969 0F85 A0000000 jnz chelper.00476A0F ; mismatch -> same exit as the 47ECA8 check
; Match path. The expected code exists in cleartext in this process and is
; compared locally; nothing outside the client takes part in the decision.
0047696F B2 01 mov dl,1
00476971 A1 D0D74500 mov eax,dword ptr ds:[45D7D0]
00476976 E8 556FFEFF call chelper.0045D8D0
0047697B 8BD8 mov ebx,eax
0047697D BA 00000080 mov edx,80000000 ; 80000000h equals the Win32 HKEY_CLASSES_ROOT value, consistent with the HKLM\SOFTWARE\Classes path in the summary - presumably the start of the registry write; confirm
..........
017E7419 C3 retn ; end of algorithm call(1) (author's label). NOTE(review): this address lies outside the 0047xxxx range of the routine - possibly pasted from another session; confirm
=========================================================================
【破解总结】
晕倒,易通果然牛,所有软件全部使用一模一样的注册方法,显然不必细说了(前提是你看了我之前的那两篇文章)。
用 W32Dasm 打开脱壳后的 chelper.exe 定位到 00476962 将 8BD6 mov edx,esi 改为 8BF2 mov esi,edx,然后覆盖原文件,运行软件随意输入用户名与注册码,即可成功注册。
再回来验证一下,将原文件覆盖回去,运行软件发现仍然是注册版。只要保留修改后的 chelper.exe 文件就可以不用OD跟码,一劳永逸的让程序自己注册了。
真的不想再说什么了,这篇破文还是抄袭自己的,目的依然是为菜鸟们提供简单的破解方法,技术含量超级低,希望cracker们留我口气,下回一定发表新的破解!!
另附:本文的注册码存放于注册表的以下位置(依机器码不同而不同):
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SVS6YPYHR1QCA\tgdy: "[DPVSF.'^ %' %]^PNDT"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SVS6YPYHR1QCA\bdre: "耐辽"