【破文标题】资料收集管理专家(DataCollector) 版本: V1.50
【破文作者】inbreak
【破解工具】OD,W32Dasm,ASPackDie
【破解平台】XP SP2
【软件名称】资料收集管理专家(DataCollector)
【软件大小】1.41MB
【原版下载】http://www.delphidak.com/
【保护方式】壳,注册码
【编写语言】DELPHI
【破解感言】没想到超新大菜鸟有一天也能写一篇破文。汗!
===================================================================================
【破解声明】只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
===================================================================================
【破解过程】
运行软件后出现提示,跟着是一个注册提示窗口,随便输入以下信息,
注册名:inbreak
注册人:随便,注册码与此值无关
注册码:789789789789
点注册,出现有错误提示。
然后用 W32Dasm 反编译找一个错误提示的内容,很容易就找到地址:
005038AA |. /75 2C jnz short 005038D8 ; 关键跳,不跳就失败!
那么我们再向前看
0050384C /. 55 push ebp ;在这里下断点吧
0050384D |. 8BEC mov ebp, esp
0050384F |. 33C9 xor ecx, ecx
00503851 |. 51 push ecx
00503852 |. 51 push ecx
00503853 |. 51 push ecx
00503854 |. 51 push ecx
00503855 |. 53 push ebx
00503856 |. 56 push esi
00503857 |. 8BD8 mov ebx, eax
00503859 |. 33C0 xor eax, eax
0050385B |. 55 push ebp
0050385C |. 68 63395000 push 00503963
00503861 |. 64:FF30 push dword ptr fs:[eax]
00503864 |. 64:8920 mov dword ptr fs:[eax], esp
00503867 |. 8D55 F8 lea edx, dword ptr [ebp-8]
0050386A |. 8B83 18030000 mov eax, dword ptr [ebx+318]
00503870 |. E8 C3A3F4FF call 0044DC38 ; 得到假注册码 789789789
00503875 |. 8B45 F8 mov eax, dword ptr [ebp-8]
00503878 |. 50 push eax
00503879 |. 8D55 F4 lea edx, dword ptr [ebp-C]
0050387C |. 8B83 14030000 mov eax, dword ptr [ebx+314]
00503882 |. E8 B1A3F4FF call 0044DC38
00503887 |. 8B45 F4 mov eax, dword ptr [ebp-C] ; 注册人:KAKAKAKA
0050388A |. 50 push eax
0050388B |. 8D55 F0 lea edx, dword ptr [ebp-10]
0050388E |. 8B83 10030000 mov eax, dword ptr [ebx+310]
00503894 |. E8 9FA3F4FF call 0044DC38
00503899 |. 8B55 F0 mov edx, dword ptr [ebp-10] ; 注册名:inbreak
0050389C |. 8B83 2C030000 mov eax, dword ptr [ebx+32C]
005038A2 |. 59 pop ecx
005038A3 |. E8 8CF0FFFF call 00502934 ; 关键CALL
005038A8 |. 84C0 test al, al
005038AA |. 75 2C jnz short 005038D8 ; 关键跳,不跳就失败!
--------------------------
F7跟进 005038A3 |. E8 8CF0FFFF call 00502934 ; 关键CALL
00502934 /$ 55 push ebp
00502935 |. 8BEC mov ebp, esp
00502937 |. 83C4 F0 add esp, -10
0050293A |. 53 push ebx
0050293B |. 33DB xor ebx, ebx
0050293D |. 895D F0 mov dword ptr [ebp-10], ebx
00502940 |. 895D F4 mov dword ptr [ebp-C], ebx
00502943 |. 894D F8 mov dword ptr [ebp-8], ecx
00502946 |. 8955 FC mov dword ptr [ebp-4], edx
00502949 |. 8BD8 mov ebx, eax
0050294B |. 8B45 FC mov eax, dword ptr [ebp-4]
0050294E |. E8 5D28F0FF call 004051B0
00502953 |. 8B45 F8 mov eax, dword ptr [ebp-8]
00502956 |. E8 5528F0FF call 004051B0
0050295B |. 8B45 08 mov eax, dword ptr [ebp+8]
0050295E |. E8 4D28F0FF call 004051B0
00502963 |. 33C0 xor eax, eax
00502965 |. 55 push ebp
00502966 |. 68 1E2A5000 push 00502A1E
0050296B |. 64:FF30 push dword ptr fs:[eax]
0050296E |. 64:8920 mov dword ptr fs:[eax], esp
00502971 |. 8B45 FC mov eax, dword ptr [ebp-4]
00502974 |. E8 4F26F0FF call 00404FC8
00502979 |. 3B43 4C cmp eax, dword ptr [ebx+4C]
0050297C |. 7F 19 jg short 00502997
0050297E |. 8B45 FC mov eax, dword ptr [ebp-4]
00502981 |. E8 4226F0FF call 00404FC8
00502986 |. 3B43 50 cmp eax, dword ptr [ebx+50]
00502989 |. 7C 0C jl short 00502997
0050298B |. 8B45 08 mov eax, dword ptr [ebp+8]
0050298E |. E8 3526F0FF call 00404FC8
00502993 |. 85C0 test eax, eax
00502995 |. 75 04 jnz short 0050299B
00502997 |> 33DB xor ebx, ebx
00502999 |. EB 60 jmp short 005029FB
0050299B |> 8D55 F4 lea edx, dword ptr [ebp-C]
0050299E |. 8B45 08 mov eax, dword ptr [ebp+8]
005029A1 |. E8 926BF0FF call 00409538
005029A6 |. 8B55 F4 mov edx, dword ptr [ebp-C]
005029A9 |. 8D45 08 lea eax, dword ptr [ebp+8]
005029AC |. E8 F723F0FF call 00404DA8
005029B1 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
005029B4 |. 8B55 FC mov edx, dword ptr [ebp-4]
005029B7 |. 8BC3 mov eax, ebx
005029B9 |. E8 46FBFFFF call 00502504 ; 关键CALL
这里再用 F7 跟进
00502504 /$ 55 push ebp
00502505 |. 8BEC mov ebp, esp
00502507 |. 51 push ecx
00502508 |. B9 04000000 mov ecx, 4
0050250D |> 6A 00 /push 0
0050250F |. 6A 00 |push 0
00502511 |. 49 |dec ecx
00502512 |.^ 75 F9 \jnz short 0050250D
00502514 |. 874D FC xchg dword ptr [ebp-4], ecx
00502517 |. 53 push ebx
00502518 |. 56 push esi
00502519 |. 57 push edi
0050251A |. 8BF9 mov edi, ecx
0050251C |. 8955 FC mov dword ptr [ebp-4], edx
0050251F |. 8BF0 mov esi, eax
00502521 |. 8B45 FC mov eax, dword ptr [ebp-4]
00502524 |. E8 872CF0FF call 004051B0
00502529 |. 33C0 xor eax, eax
0050252B |. 55 push ebp
0050252C |. 68 A4265000 push 005026A4
00502531 |. 64:FF30 push dword ptr fs:[eax]
00502534 |. 64:8920 mov dword ptr fs:[eax], esp
00502537 |. 8D55 DC lea edx, dword ptr [ebp-24]
0050253A |. 8BC6 mov eax, esi
0050253C |. E8 070F0000 call 00503448 ; 得到的机器码
00502541 |. 8B45 DC mov eax, dword ptr [ebp-24]
00502544 |. 8D55 EC lea edx, dword ptr [ebp-14]
00502547 |. E8 3C72F0FF call 00409788
0050254C |. 837D EC 00 cmp dword ptr [ebp-14], 0
00502550 |. 75 0D jnz short 0050255F
00502552 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00502555 |. 8B55 FC mov edx, dword ptr [ebp-4]
00502558 |. E8 4B28F0FF call 00404DA8
0050255D |. EB 5D jmp short 005025BC
0050255F |> 8B45 EC mov eax, dword ptr [ebp-14]
00502562 |. E8 612AF0FF call 00404FC8
00502567 |. 8BD8 mov ebx, eax
00502569 |. 8D45 E8 lea eax, dword ptr [ebp-18]
0050256C |. 50 push eax
0050256D |. 8BCB mov ecx, ebx
0050256F |. D1F9 sar ecx, 1
00502571 |. 79 03 jns short 00502576
00502573 |. 83D1 00 adc ecx, 0
00502576 |> BA 01000000 mov edx, 1
0050257B |. 8B45 EC mov eax, dword ptr [ebp-14]
0050257E |. E8 9D2CF0FF call 00405220
00502583 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00502586 |. 50 push eax
00502587 |. 8BC3 mov eax, ebx
00502589 |. D1F8 sar eax, 1
0050258B |. 79 03 jns short 00502590
0050258D |. 83D0 00 adc eax, 0
00502590 |> 8BCB mov ecx, ebx
00502592 |. 2BC8 sub ecx, eax
00502594 |. 8BD3 mov edx, ebx
00502596 |. D1FA sar edx, 1
00502598 |. 79 03 jns short 0050259D
0050259A |. 83D2 00 adc edx, 0
0050259D |> 42 inc edx
0050259E |. 8B45 EC mov eax, dword ptr [ebp-14]
005025A1 |. E8 7A2CF0FF call 00405220
005025A6 |. FF75 E8 push dword ptr [ebp-18] ;假设一变量 s1 = 机器码前六位
005025A9 |. FF75 FC push dword ptr [ebp-4] ;假设一变量 s = 注册名
005025AC |. FF75 E4 push dword ptr [ebp-1C] ;假设一变量 s2 = 机器码后六位
005025AF |. 8D45 E0 lea eax, dword ptr [ebp-20]
005025B2 |. BA 03000000 mov edx, 3
005025B7 |. E8 CC2AF0FF call 00405088 ;s = s1 + s + s2
005025BC |> C745 F0 00000>mov dword ptr [ebp-10], 0
005025C3 |. C745 F4 00000>mov dword ptr [ebp-C], 0
005025CA |. 8B45 FC mov eax, dword ptr [ebp-4]
005025CD |. E8 F629F0FF call 00404FC8
005025D2 |. 3B46 4C cmp eax, dword ptr [esi+4C]
005025D5 |. 7F 0D jg short 005025E4
005025D7 |. 8B45 FC mov eax, dword ptr [ebp-4]
005025DA |. E8 E929F0FF call 00404FC8
005025DF |. 3B46 50 cmp eax, dword ptr [esi+50]
005025E2 |. 7D 0C jge short 005025F0
005025E4 |> 8BC7 mov eax, edi
005025E6 |. E8 2527F0FF call 00404D10
005025EB |. E9 91000000 jmp 00502681
005025F0 |> 8B45 E0 mov eax, dword ptr [ebp-20]
005025F3 |. E8 D029F0FF call 00404FC8
005025F8 |. 8BD8 mov ebx, eax
005025FA |. EB 37 jmp short 00502633
005025FC |> 8B45 F0 /mov eax, dword ptr [ebp-10] ; 假设一个变量 A,初始时 A=0
005025FF |. 8B55 F4 |mov edx, dword ptr [ebp-C] ; 假设一个变量 B,初始时 B=0
00502602 |. 0346 68 |add eax, dword ptr [esi+68] ; A = A + 0xA934C0AF
00502605 |. 1356 6C |adc edx, dword ptr [esi+6C] ; 带进位加法
00502608 |. 52 |push edx
00502609 |. 50 |push eax
0050260A |. 8B45 E0 |mov eax, dword ptr [ebp-20]
0050260D |. 0FB64418 FF |movzx eax, byte ptr [eax+ebx-1] ; 假设一个变量 c = 从后向前逐一取 s 字符串各字符的 ASCII 值
00502612 |. 50 |push eax
00502613 |. B8 59040000 |mov eax, 459 ; 假设一个变量 D = 0x459
00502618 |. 5A |pop edx ; EDX=之前EAX得到的字符ASCII值
00502619 |. 8BCA |mov ecx, edx
0050261B |. 33D2 |xor edx, edx
0050261D |. F7F1 |div ecx ; D div C ; 这里我们取 D 的余数,即 D = D mod C
0050261F |. 8BC2 |mov eax, edx
00502621 |. 33D2 |xor edx, edx
00502623 |. 290424 |sub dword ptr [esp], eax ; A = A - D
00502626 |. 195424 04 |sbb dword ptr [esp+4], edx
0050262A |. 58 |pop eax
0050262B |. 5A |pop edx
0050262C |. 8945 F0 |mov dword ptr [ebp-10], eax
0050262F |. 8955 F4 |mov dword ptr [ebp-C], edx
00502632 |. 4B |dec ebx
00502633 |> 8B45 E0 mov eax, dword ptr [ebp-20]
00502636 |. E8 8D29F0FF |call 00404FC8
0050263B |. 3BD8 |cmp ebx, eax
0050263D |. 7F 04 |jg short 00502643
0050263F |. 85DB |test ebx, ebx
00502641 |.^ 7F B9 \jg short 005025FC
00502643 |> 8B5E 60 mov ebx, dword ptr [esi+60]
00502646 |. 85DB test ebx, ebx
00502648 |. 7F 11 jg short 0050265B
0050264A |. FF75 F4 push dword ptr [ebp-C] ; /Arg2
0050264D |. FF75 F0 push dword ptr [ebp-10] ; |Arg1
00502650 |. 8BD7 mov edx, edi ; |
00502652 |. 33C0 xor eax, eax ; |
00502654 |. E8 AF74F0FF call 00409B08 ; \unpacked.00409B08
00502659 |. EB 26 jmp short 00502681
0050265B |> FF75 F4 push dword ptr [ebp-C] ; /Arg2 这里保存关B最后的值
0050265E |. FF75 F0 push dword ptr [ebp-10] ; |Arg1 这里保存着A最后的值
00502661 |. 8BD7 mov edx, edi ; |
00502663 |. 8BC3 mov eax, ebx ; |
00502665 |. E8 9E74F0FF call 00409B08 ; \E = 将 B 的十六进制后 4 位字符串 + A 的十六进制字符串
最后的 E 字符串就是注册码了;
注册名:inbreak
注册人:随便,注册码与此值无关
校验码:01A3F2DAC4C0
注册码:03193C80C9A7
【算法分析】
1,首先将注册名放在机器码的中间连接成一个新的字符串S;
2,将S字符串由后逐一取ASCII值;
3,....
懒,不想描述了,
下面放上DELPHI注册机源码吧:
// Recomputes the serial the application expects from the values typed into
// the form: Edit1 = the registration name, Edit2 = the 12-character machine
// code; the result is written to Edit3.
// Security note (educational): the serial is a deterministic function of two
// user-visible inputs and three fixed constants only -- there is no secret and
// no signature anywhere in the computation, which is why it can be rebuilt
// from the binary. A scheme that should resist this must bind the licence to a
// secret that never ships with the program (e.g. a vendor-held signing key).
procedure TForm1.Button1Click(Sender: TObject);
const
// Low dword of the 64-bit accumulator step (see the add at 00502602 in the listing).
X = $A934C0Af ;
// High dword of the same step -- the adc at 00502605 reads it from [esi+6C];
// NOTE(review): the listing does not show the value, it is taken from the author.
Y = $2E ;
// Dividend of the per-character remainder step (mov eax,459 at 00502613).
Z = $459 ;
var
s,s1,s2:ShortString;
i:SmallInt;
a,a1,b,c,d :DWORD;
begin
// s  = registration name as typed.
s:=Edit1.Text;
// s1 = first six characters of the machine code, s2 = the next six.
s1:=Copy(Edit2.Text,1,6);
s2:=Copy(Edit2.Text,7,6);
// The name is embedded between the two halves of the machine code.
s:=s1+s+s2;
a:=0 ; b:=0 ; C:= 0; D := 0; a1:=0;
// Walk the combined string from its last character to its first.
for i := Length(s) downto 1 do begin
a1:=a;
// a:b together emulate a 64-bit add of Y:X; a wrapping below its previous
// value (a < a1) means a carry into the high dword b.
a:= a + X;
if a<a1 then
b:= b+ y +1
else
b:=b + y;
// c = ASCII value of the current character; d = Z mod c; low dword -= d.
c:=Ord(s[i]);
D:= Z mod C;
A:=A - D;
end;
// Serial = low 4 hex digits of b followed by 8 hex digits of a.
Edit3.Text :=Format('%s%s',[IntToHex(b,4),IntToHex(A,8)]);
end;
===================================================================================
【版权声明】: 转载请注明作者并保持文章的完整, 谢谢!
2006-12-17