初學者(23) (7千字)
軟體名稱:Animated Email Magic
最新版本:2.0 Release D
檔案大小:7463KB
使用平臺:Win95/98/NT
軟體簡介:
在郵件中加上動畫,讓MAIL更加生動活潑。
安裝完,執行,發現要線上註冊,差點兒uninstall,突然發現是30天DEMO,乾脆把時鐘向前調,
再次執行,彈出個對話方塊,顯示出本機程式碼並要求輸入註冊碼.嘿嘿,這就好辦了....
設斷點bpx hmemcpy,找到了計算和比較的地方,看下面
========================================================================
以下是計算部分
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E94B(C)
|
:0044E930 8B550C
mov edx, dword ptr [ebp+0C]
:0044E933 8B0C82
mov ecx, dword ptr [edx+4*eax]<-----取內部的資料
:0044E936 8BD3
mov edx, ebx
:0044E938 D3E2
shl edx, cl
:0044E93A 85F2
test edx, esi<--ESI存放的是十六進位制的輸入碼與1D7EA925的異或結果
:0044E93C 7409
je 0044E947
:0044E93E 8BC8
mov ecx, eax
:0044E940 8BD3
mov edx, ebx
:0044E942 D3E2
shl edx, cl
:0044E944 0955FC
or dword ptr [ebp-04], edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044E93C(C)
|
:0044E947 40
inc eax
:0044E948 83F820
cmp eax, 00000020 <-----32個資料
:0044E94B 7CE3
jl 0044E930
:0044E94D 8B45FC
mov eax, dword ptr [ebp-04]
:0044E950 5E
pop esi
:0044E951 5B
pop ebx
:0044E952 59
pop ecx
:0044E953 5D
pop ebp
:0044E954 C3
ret
32個內部資料
4 1A 6 15
8 A 18 C
1 F 7 B
0 2 0 10
1B 1E 12 1F
11 1D 13 14
17 9 E 19
16 1C 5 3
由我輸入的註冊碼87654321計算後得到3615A6A1
然後軟體會將其與另一個碼E992DC7F(估計與本機程式碼391-8716-031有關)比較
=================
* Referenced by a CALL at Addresses:
|:0044EF73 , :0044F615
|
:0044EFF3 55
push ebp
:0044EFF4 8BEC
mov ebp, esp
:0044EFF6 53
push ebx
:0044EFF7 56
push esi
:0044EFF8 8B5D08
mov ebx, dword ptr [ebp+08]
:0044EFFB 8B750C
mov esi, dword ptr [ebp+0C]
:0044EFFE FF35009F5000 push dword ptr
[00509F00]
:0044F004 68809E5000 push 00509E80
:0044F009 56
push esi
:0044F00A E809F9FFFF call 0044E918
:0044F00F 83C40C
add esp, 0000000C
:0044F012 3B4341
cmp eax, dword ptr [ebx+41]<---3615A6A1與E992DC7F比較
:0044F015 0F94C0
sete al <----若輸入的註冊碼正確設標誌
:0044F018 83E001
and eax, 00000001
:0044F01B 5E
pop esi
:0044F01C 5B
pop ebx
:0044F01D 5D
pop ebp
:0044F01E C3
ret
==============
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044F238(C)
|
:0044F60A 53
push ebx
:0044F60B E879F3FFFF call 0044E989
:0044F610 59
pop ecx
:0044F611 8BD8
mov ebx, eax
:0044F613 53
push ebx
:0044F614 56
push esi
:0044F615 E8D9F9FFFF call 0044EFF3
:0044F61A 83C408
add esp, 00000008
:0044F61D 84C0
test al, al
:0044F61F 753D
jne 0044F65E <----查註冊標誌,若為"1"轉
:0044F621 8B06
mov eax, dword ptr [esi]
:0044F623 6A00
push 00000000
* Possible StringData Ref from Data Obj ->"Error"
|
:0044F625 68BAA35000 push 0050A3BA
* Possible StringData Ref from Data Obj ->"Key is invalid"
|
:0044F62A 68ABA35000 push 0050A3AB
:0044F62F FF700C
push [eax+0C]
:0044F632 FF7068
push [eax+68]
:0044F635 E88F9C0700 call 004C92C9
:0044F63A 83C414
add esp, 00000014
:0044F63D 33C0
xor eax, eax
:0044F63F 50
push eax
:0044F640 6A02
push 00000002
:0044F642 8D55F8
lea edx, dword ptr [ebp-08]
:0044F645 52
push edx
:0044F646 E811950A00 call 004F8B5C
:0044F64B 83C408
add esp, 00000008
:0044F64E 58
pop eax
:0044F64F 8B55C4
mov edx, dword ptr [ebp-3C]
:0044F652 64891500000000 mov dword ptr fs:[00000000],
edx
:0044F659 E9D8010000 jmp 0044F836
若將jne 0044F65E 改為jmp 0044F65E 註冊後會有"註冊成功"提示,但退出後重新啟動又會有註冊提示.
在跟蹤第二段程式碼時發現在軟體啟動時也會走這段程式,並找到了呼叫處
==================
* Reference To: USER32.ClientToScreen, Ord:0000h
|
:00447524 E8612C0B00 Call 004FA18A
:00447529 8D45D8
lea eax, dword ptr [ebp-28]
:0044752C 50
push eax
:0044752D 53
push ebx
:0044752E E8F4F90700 call 004C6F27
:00447533 83C408
add esp, 00000008
:00447536 56
push esi
:00447537 8D75D8
lea esi, dword ptr [ebp-28]
:0044753A 8D7DE8
lea edi, dword ptr [ebp-18]
:0044753D B904000000 mov ecx,
00000004
:00447542 F3
repz
:00447543 A5
movsd
:00447544 5E
pop esi
:00447545 8B4510
mov eax, dword ptr [ebp+10]
:00447548 3B45E8
cmp eax, dword ptr [ebp-18]
:0044754B 7C18
jl 00447565
:0044754D 8B5510
mov edx, dword ptr [ebp+10]
:00447550 3B55F0
cmp edx, dword ptr [ebp-10]
:00447553 7D10
jge 00447565
:00447555 8B4D14
mov ecx, dword ptr [ebp+14]
:00447558 3B4DEC
cmp ecx, dword ptr [ebp-14]
:0044755B 7C08
jl 00447565
:0044755D 8B4514
mov eax, dword ptr [ebp+14]
:00447560 3B45F4
cmp eax, dword ptr [ebp-0C]
:00447563 7C04
jl 00447569
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044754B(C), :00447553(C), :0044755B(C)
|
:00447565 33C0
xor eax, eax
:00447567 EB05
jmp 0044756E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00447563(C)
|
:00447569 B801000000 mov eax,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00447567(U)
|
:0044756E 84C0
test al, al
:00447570 7409
je 0044757B <----未註冊轉
:00447572 53
push ebx
:00447573 E809D90700 call 004C4E81
:00447578 59
pop ecx
:00447579 EB41
jmp 004475BC
將je 0044757B 改為兩個nop,軟體將不會過期了(但不知是否有功能限制,因為在提示軟體註冊成功時同時
顯示說是full function了)
由於註冊碼計算都是與或指令,不太好算,想有空時編個程式算.
相關文章
- 初學者(7) (4千字)2000-05-05
- 初學者(22) (7千字)2000-08-09
- 初學者(8) (4千字)2000-05-07
- 初學者(9) (3千字)2000-05-07
- 初學者(10) (8千字)2000-05-14
- 初學者(11) (2千字)2000-05-18
- 初學者(12) (1千字)2000-06-09
- 初學者(13) (2千字)2000-06-09
- 初學者(14) (5千字)2000-06-10
- 初學者(15) (3千字)2000-07-04
- 初學者(16) (2千字)2000-07-04
- 初學者(17) (1千字)2000-07-04
- 初學者(18) (2千字)2000-07-05
- 初學者(19) (4千字)2000-07-10
- 初學者(20) (3千字)2000-07-15
- 初學者(20) (1千字)2000-08-08
- 初學者(26) (9千字)2000-08-17
- 初學者(27) (1千字)2000-08-25
- 演算法分析:
<獻給初學者> 之二 (7千字)2002-06-07演算法
- 給初學者,因為我就是個初學者(1) (3千字)2000-05-03
- 給初學者,因為我就是個初學者(2) (1千字)2000-05-03
- 給初學者,因為我就是個初學者(4) (1千字)2000-05-03
- 初學者請看! (2千字)2000-12-28
- 初學者作品(6) (1千字)2000-05-04
- 初學者請進,看far.exe的註冊碼! (7千字)2001-04-24
- Oracle初學者問題7(轉)2007-08-06Oracle
- Internet Maniac ver 1.2b 破解過程(適合初學者)
(7千字)2000-09-13
- 一篇破解教程-----面向初學者 (15千字)2001-04-01
- 貼個教學,初學者請進! (11千字)2001-04-20
- 飛馬魔法桌布V3.0註冊演算法(適合初學者) (7千字)2001-11-25演算法
- 破解badcat21---真正的初學者 (5千字)2001-05-19
- 寫給Git初學者的7個建議2013-10-31Git
- 演算法分析: <獻給初學者>
之一 (4千字)2002-06-06演算法
- 演算法分析: <獻給初學者>
之四 (9千字)2002-06-06演算法
- 獻給初學者(高手也看看) 破解 Cpukiller 2.0 (1千字)2000-09-17
- 初學者指南2017-09-09
- 初學者 (轉)2007-10-31
- 手動脫掉Asprotect的殼,(給初學者的) (9千字)2002-01-24