初學者(26) (9千字)
Icon Clock
Version
5.0
The shareware version of Icon Clock will only run 30 days. There are now
two options for registering Icon Clock. The Standard Registration costs
just $10.00. The Deluxe Registration is $20.00.
* Possible StringData Ref from Data Obj ->"clock"
安裝後,輸入使用者名稱:LiuTong
註冊碼:987654321(註冊碼要求9位)
開始時,按常用方法設bpx hmemcpy斷點
找到了輸入的註冊碼"987654321"的地址****:********
設斷點bpm ****:********
但未發現比較指令.
因此猜測軟體將使用者名稱和註冊碼存到某個地方,當下次啟動時比較.
追蹤過程中發現軟體在登錄檔中存了幾個資料:
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Icinst/lday<---當前日期
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Icinst/lhr<---當前時間
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Icinst/sday<---安裝日期
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Icinst/smonth<---安裝月
改用斷點bpx GetPrivateProfileStringA
很快便找到了使用者名稱和輸入碼,並分別用bpm設了兩個斷點
於是找到下面的程式
; Excerpt of the registration check (disassembler listing, 32-bit x86, Intel
; operand order). The routine starts before 00401B8B and continues past the
; end of the excerpt.
; Per the author's annotations, [esp+08] points at the entered code and
; [esp+0C] at the user name. The dword at [ptr-08] is compared as a length,
; which looks like a length field stored ahead of the character data
; (TODO confirm against the string class in use).
; dword [00432218] is a status variable: it is set to 2 here and overwritten
; with edi whenever one of the digit checks that follow fails. edi is loaded
; outside this excerpt.
; 00422976 is not shown; ecx = eax just before the call suggests a thiscall
; method -- TODO confirm.
:00401B8B 68D4E14200 push 0042E1D4
:00401B90 52
push edx
:00401B91 8BC8
mov ecx, eax
:00401B93 E8DE0D0200 call 00422976
; eax = pointer to the entered code
:00401B98 8B442408 mov
eax, dword ptr [esp+08]
:00401B9C BE02000000 mov esi,
00000002
; status = 2 before any check runs
:00401BA1 893518224300 mov dword ptr
[00432218], esi
; entered code must be exactly 9 characters, otherwise leave via 00401E9C
:00401BA7 8378F809 cmp
dword ptr [eax-08], 00000009
:00401BAB 0F85EB020000 jne 00401E9C
; eax = pointer to the user name
:00401BB1 8B44240C mov
eax, dword ptr [esp+0C]
; user name must be at least 4 characters (signed compare), otherwise 00401E9C
:00401BB5 8378F804 cmp
dword ptr [eax-08], 00000004
:00401BB9 0F8CDD020000 jl 00401E9C
; Digit checks driven by the FIRST character of the user name.
; eax still holds the user-name pointer loaded at 00401BB1.
; 0040B870 takes that character as its single stack argument (the caller pops
; 4 bytes afterwards); its body is not shown -- presumably it seeds the
; generator that 0040B880 steps. TODO confirm.
; Pattern of every check in this group:
;   value = call 0040B880           ; masked to 0..7FFFh by that routine
;   edx   = value mod 9             ; cdq + idiv leave the remainder in edx
;   edx  += 30h                     ; ASCII digit '0'..'8'
;   compare with one character of the entered code
; A mismatch does not branch to a failure path; it only stores edi into the
; status dword [00432218], and the following checks still execute.
:00401BBF 0FBE08
movsx ecx, byte ptr [eax]
:00401BC2 51
push ecx
:00401BC3 E8A89C0000 call 0040B870
:00401BC8 83C404
add esp, 00000004
; 1st generator output after seeding -> expected character at code offset 6
:00401BCB E8B09C0000 call 0040B880<--計算Call
:00401BD0 99
cdq
:00401BD1 B909000000 mov ecx,
00000009
:00401BD6 F7F9
idiv ecx
:00401BD8 8B442408 mov
eax, dword ptr [esp+08]
:00401BDC 0FBE4806 movsx
ecx, byte ptr [eax+06]<--輸入碼第7位
:00401BE0 83C230
add edx, 00000030 <--註冊碼第7位
:00401BE3 3BD1
cmp edx, ecx
:00401BE5 7406
je 00401BED
; mismatch: record failure in the status dword
:00401BE7 893D18224300 mov dword ptr
[00432218], edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401BE5(C)
|
; 2nd generator output -> expected character at code offset 3
:00401BED E88E9C0000 call 0040B880
:00401BF2 99
cdq
:00401BF3 B909000000 mov ecx,
00000009
:00401BF8 F7F9
idiv ecx
:00401BFA 8B442408 mov
eax, dword ptr [esp+08]
:00401BFE 0FBE4803 movsx
ecx, byte ptr [eax+03]<--輸入碼第4位
:00401C02 83C230
add edx, 00000030<--註冊碼第4位
:00401C05 3BD1
cmp edx, ecx
:00401C07 7406
je 00401C0F
; mismatch: record failure in the status dword
:00401C09 893D18224300 mov dword ptr
[00432218], edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401C07(C)
|
; 3rd generator output -> expected character at code offset 0
:00401C0F E86C9C0000 call 0040B880
:00401C14 99
cdq
:00401C15 B909000000 mov ecx,
00000009
:00401C1A F7F9
idiv ecx
:00401C1C 8B442408 mov
eax, dword ptr [esp+08]
:00401C20 0FBE08
movsx ecx, byte ptr [eax]<--輸入碼第1位
:00401C23 83C230
add edx, 00000030<--註冊碼第1位
:00401C26 3BD1
cmp edx, ecx
:00401C28 7406
je 00401C30
; mismatch: record failure in the status dword
:00401C2A 893D18224300 mov dword ptr
[00432218], edi
; Digit checks driven by the SECOND character of the user name ([esp+0C]+1).
; Same pattern as the preceding group: the character is passed to 0040B870
; (body not shown; presumably re-seeds the generator -- TODO confirm), then
; three successive results of 0040B880 are reduced mod 9, converted to an
; ASCII digit with +30h and compared with code offsets 7, 4 and 1.
; A mismatch only stores edi into the status dword [00432218].
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401C28(C)
|
; edx = pointer to the user name, eax = its second character (sign-extended)
:00401C30 8B54240C mov
edx, dword ptr [esp+0C]
:00401C34 0FBE4201 movsx
eax, byte ptr [edx+01]
:00401C38 50
push eax
:00401C39 E8329C0000 call 0040B870
:00401C3E 83C404
add esp, 00000004
; 1st generator output after seeding -> expected character at code offset 7
:00401C41 E83A9C0000 call 0040B880
:00401C46 99
cdq
:00401C47 B909000000 mov ecx,
00000009
:00401C4C F7F9
idiv ecx
:00401C4E 8B442408 mov
eax, dword ptr [esp+08]
:00401C52 0FBE4807 movsx
ecx, byte ptr [eax+07]<--輸入碼第8位
:00401C56 83C230
add edx, 00000030<--註冊碼第8位
:00401C59 3BD1
cmp edx, ecx
:00401C5B 7406
je 00401C63
; mismatch: record failure in the status dword
:00401C5D 893D18224300 mov dword ptr
[00432218], edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401C5B(C)
|
; 2nd generator output -> expected character at code offset 4
:00401C63 E8189C0000 call 0040B880
:00401C68 99
cdq
:00401C69 B909000000 mov ecx,
00000009
:00401C6E F7F9
idiv ecx
:00401C70 8B442408 mov
eax, dword ptr [esp+08]
:00401C74 0FBE4804 movsx
ecx, byte ptr [eax+04]<--輸入碼第5位
:00401C78 83C230
add edx, 00000030<--註冊碼第5位
:00401C7B 3BD1
cmp edx, ecx
:00401C7D 7406
je 00401C85
; mismatch: record failure in the status dword
:00401C7F 893D18224300 mov dword ptr
[00432218], edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401C7D(C)
|
; 3rd generator output -> expected character at code offset 1
:00401C85 E8F69B0000 call 0040B880
:00401C8A 99
cdq
:00401C8B B909000000 mov ecx,
00000009
:00401C90 F7F9
idiv ecx
:00401C92 8B442408 mov
eax, dword ptr [esp+08]
:00401C96 0FBE4801 movsx
ecx, byte ptr [eax+01]<--輸入碼第2位
:00401C9A 83C230
add edx, 00000030<--註冊碼第2位
:00401C9D 3BD1
cmp edx, ecx
:00401C9F 7406
je 00401CA7
; mismatch: record failure in the status dword
:00401CA1 893D18224300 mov dword ptr
[00432218], edi
; Digit checks driven by the THIRD character of the user name ([esp+0C]+2).
; Same pattern as the two preceding groups: the character is passed to
; 0040B870 (body not shown; presumably re-seeds the generator -- TODO confirm),
; then three successive results of 0040B880 are reduced mod 9, converted to an
; ASCII digit with +30h and compared with code offsets 8, 5 and 2.
; A mismatch only stores edi into the status dword [00432218].
; The excerpt stops after 00401D18; the call-reference list for 0040B880 shows
; nine further call sites (00401D44 .. 00401E80) that are not reproduced here.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401C9F(C)
|
; edx = pointer to the user name, eax = its third character (sign-extended)
:00401CA7 8B54240C mov
edx, dword ptr [esp+0C]
:00401CAB 0FBE4202 movsx
eax, byte ptr [edx+02]
:00401CAF 50
push eax
:00401CB0 E8BB9B0000 call 0040B870
:00401CB5 83C404
add esp, 00000004
; 1st generator output after seeding -> expected character at code offset 8
:00401CB8 E8C39B0000 call 0040B880
:00401CBD 99
cdq
:00401CBE B909000000 mov ecx,
00000009
:00401CC3 F7F9
idiv ecx
:00401CC5 8B442408 mov
eax, dword ptr [esp+08]
:00401CC9 0FBE4808 movsx
ecx, byte ptr [eax+08]<--輸入碼第9位
:00401CCD 83C230
add edx, 00000030<--註冊碼第9位
:00401CD0 3BD1
cmp edx, ecx
:00401CD2 7406
je 00401CDA
; mismatch: record failure in the status dword
:00401CD4 893D18224300 mov dword ptr
[00432218], edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401CD2(C)
|
; 2nd generator output -> expected character at code offset 5
:00401CDA E8A19B0000 call 0040B880
:00401CDF 99
cdq
:00401CE0 B909000000 mov ecx,
00000009
:00401CE5 F7F9
idiv ecx
:00401CE7 8B442408 mov
eax, dword ptr [esp+08]
:00401CEB 0FBE4805 movsx
ecx, byte ptr [eax+05]<--輸入碼第6位
:00401CEF 83C230
add edx, 00000030<--註冊碼第6位
:00401CF2 3BD1
cmp edx, ecx
:00401CF4 7406
je 00401CFC
; mismatch: record failure in the status dword
:00401CF6 893D18224300 mov dword ptr
[00432218], edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401CF4(C)
|
; 3rd generator output -> expected character at code offset 2
:00401CFC E87F9B0000 call 0040B880
:00401D01 99
cdq
:00401D02 B909000000 mov ecx,
00000009
:00401D07 F7F9
idiv ecx
:00401D09 8B442408 mov
eax, dword ptr [esp+08]
:00401D0D 0FBE4802 movsx
ecx, byte ptr [eax+02]<--輸入碼第3位
:00401D11 83C230
add edx, 00000030<--註冊碼第3位
:00401D14 3BD1
cmp edx, ecx
:00401D16 7406
je 00401D1E
; mismatch: record failure in the status dword
:00401D18 893D18224300 mov dword ptr
[00432218], edi
計算Call見下:
; Generator step routine (the author's "計算Call"), referenced from 18 call
; sites in the registration check.
; In:   no register or stack arguments are read.
; Out:  eax = (new_state >> 16) & 7FFFh, i.e. a value in 0..32767.
; Clob: ecx, edx, flags (plus whatever 0040F380 clobbers).
; The state is the dword at offset 14h of the structure whose address
; 0040F380 returns in eax (not shown; presumably per-thread runtime data --
; TODO confirm). The update is a linear congruential step:
;     new_state = state * 214013 + 2531011   (mod 2^32)
; The multiplier is built from lea/shl/add/sub instead of imul. These
; constants and the >>16 & 7FFFh output match the classic Microsoft C runtime
; rand(), which suggests library code rather than a custom algorithm.
; NOTE(review): a generator of this kind is fully predictable from its seed,
; so a licence check built on it holds no secret; verifying a vendor-signed
; licence blob against an embedded public key is the usual stronger design.
* Referenced by a CALL at Addresses:
|:00401BCB , :00401BED , :00401C0F , :00401C41 , :00401C63
|:00401C85 , :00401CB8 , :00401CDA , :00401CFC , :00401D44
|:00401D68 , :00401D8A , :00401DBD , :00401DDF , :00401E01
|:00401E39 , :00401E5E , :00401E80
|
; eax = address of the structure holding the generator state
:0040B880 E8FB3A0000 call 0040F380
; ecx = current state
:0040B885 8B4814
mov ecx, dword ptr [eax+14]
; edx = 3 * state
:0040B888 8D1449
lea edx, dword ptr [ecx+2*ecx]
; edx = state + 4 * (3 * state) = 13 * state
:0040B88B 8D1491
lea edx, dword ptr [ecx+4*edx]
; edx = 208 * state
:0040B88E C1E204
shl edx, 04
; edx = 209 * state
:0040B891 03D1
add edx, ecx
; edx = 53504 * state
:0040B893 C1E208
shl edx, 08
; edx = 53503 * state
:0040B896 2BD1
sub edx, ecx
; ecx = state + 4 * (53503 * state) + 269EC3h = 214013 * state + 2531011
:0040B898 8D8C91C39E2600 lea ecx, dword ptr
[ecx+4*edx+00269EC3]
; store the new state back
:0040B89F 894814
mov dword ptr [eax+14], ecx
:0040B8A2 8BC1
mov eax, ecx
; return bits 16..30 of the new state
:0040B8A4 C1E810
shr eax, 10
:0040B8A7 25FF7F0000 and eax,
00007FFF
:0040B8AC C3
ret
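實際計算中,軟體使用使用者名稱的第一個字母計算出第7,4,1位註冊碼,
使用使用者名稱的第二個字母計算出第8,5,2位註冊碼,
使用使用者名稱的第三個字母計算出第9,6,3位註冊碼.
也就是說,九位註冊碼完全由使用者名稱的前三個字元決定,比對又全部在本機完成,程式裡沒有任何秘密值,所以這種方案無法抵抗逆向分析.較穩健的做法是由廠商用私鑰簽署授權資料,程式端只內建公鑰做驗證.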
整理:
使用者名稱:LiuTong
註冊碼:441752736