KeyGhost V3.2 破解實錄
作者:liangs
E-mail:liang_s@263.net
軟體名稱:KeyGhost V3.2
下載地址:http://sunhy.126.com
使用的工具
W32Dasm V8.93 超級中文版
Trw2000 ver1.22
首先連按兩次ALT+F12叫出KeyGhost,在註冊框中輸入:liangs-787878。為什麼是'liangs-787878'
而不是'liangs787878',下面你就知道了。然後下bpx hmemcpy,中斷後,首先bd *,去掉所有中斷,
再按18次F12。
* Possible StringData Ref from Code Obj ->"請合法使用軟體"
|
:00475580 B888564700 mov eax,
00475688
:00475585 E842ADFDFF call 004502CC
:0047558A 837DFC00 cmp
dword ptr [ebp-04], 00000000 <---我們停在這;
:0047558E 0F8499000000 je 0047562D
:00475594 8D85FCFEFFFF lea eax, dword
ptr [ebp+FFFFFEFC]
:0047559A 8B55FC
mov edx, dword ptr [ebp-04] <---此處edx=liangs-787878;
:0047559D B9FF000000 mov ecx,
000000FF
:004755A2 E881E8F8FF call 00403E28
:004755A7 8D85FCFEFFFF lea eax, dword
ptr [ebp+FFFFFEFC]
:004755AD E8CAC2FFFF call 0047187C
<---判斷輸入的註冊碼的合法性,此處按F8跟入;
:004755B2 84C0
test al, al
:004755B4 7477
je 0047562D <---註冊碼錯誤就跳走;
:004755B6 B201
mov dl, 01
:004755B8 8B8340030000 mov eax, dword
ptr [ebx+00000340]
:004755BE E8F570FBFF call 0042C6B8
:004755C3 33D2
xor edx, edx
:004755C5 8B8318030000 mov eax, dword
ptr [ebx+00000318]
:004755CB E8E870FBFF call 0042C6B8
:004755D0 B201
mov dl, 01
:004755D2 8B8340040000 mov eax, dword
ptr [ebx+00000440]
:004755D8 8B08
mov ecx, dword ptr [eax]
:004755DA FF515C
call [ecx+5C]
:004755DD C605D1BA470001 mov byte ptr [0047BAD1],
01
* Possible StringData Ref from Code Obj ->"Code"
|
:004755E4 68A0564700 push 004756A0
:004755E9 8D95E8FEFFFF lea edx, dword
ptr [ebp+FFFFFEE8]
:004755EF 8B45FC
mov eax, dword ptr [ebp-04]
:004755F2 E84595FEFF call 0045EB3C
:004755F7 8B95E8FEFFFF mov edx, dword
ptr [ebp+FFFFFEE8]
:004755FD 8D85ECFEFFFF lea eax, dword
ptr [ebp+FFFFFEEC]
:00475603 E8A4F9F8FF call 00404FAC
:00475608 8D85ECFEFFFF lea eax, dword
ptr [ebp+FFFFFEEC]
:0047560E 50
push eax
* Possible StringData Ref from Code Obj ->"Software\Sun\Keyghost3xx"
|
:0047560F B9B0564700 mov ecx,
004756B0
:00475614 B202
mov dl, 02
:00475616 8B8310030000 mov eax, dword
ptr [ebx+00000310]
:0047561C E85F21FEFF call 00457780
* Possible StringData Ref from Code Obj ->"註冊成功!謝謝您的支援!"
|
:00475621 B8D4564700 mov eax,
004756D4 <---註冊碼正確跳到此處;
:00475626 E885A9FDFF call 0044FFB0
:0047562B EB0A
jmp 00475637
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047558E(C), :004755B4(C)
|
* Possible StringData Ref from Code Obj ->"請購買本軟體!見右側註冊說明!"
|
:0047562D B8F8564700 mov eax,
004756F8 <---註冊碼錯誤跳到此處;
:00475632 E879A9FDFF call 0044FFB0
---------------------------------------------------------------------------
跟入 call 0047187C 中:此Call用來判斷輸入的註冊碼的合法性
* Referenced by a CALL at Addresses:
|:004755AD , :00475979
|
:0047187C 55
push ebp
:0047187D 8BEC
mov ebp, esp
:0047187F 81C4ECFCFFFF add esp, FFFFFCEC
:00471885 53
push ebx
:00471886 56
push esi
:00471887 57
push edi
:00471888 33D2
xor edx, edx
:0047188A 8995F0FCFFFF mov dword ptr
[ebp+FFFFFCF0], edx
:00471890 8995ECFCFFFF mov dword ptr
[ebp+FFFFFCEC], edx
:00471896 8995F8FCFFFF mov dword ptr
[ebp+FFFFFCF8], edx
:0047189C 8995F4FCFFFF mov dword ptr
[ebp+FFFFFCF4], edx
:004718A2 8BF0
mov esi, eax
:004718A4 8DBDFFFEFFFF lea edi, dword
ptr [ebp+FFFFFEFF]
:004718AA 33C9
xor ecx, ecx
:004718AC 8A0E
mov cl, byte ptr [esi]
:004718AE 41
inc ecx
:004718AF F3
repz
:004718B0 A4
movsb
:004718B1 33C0
xor eax, eax
:004718B3 55
push ebp
:004718B4 68DE194700 push 004719DE
:004718B9 64FF30
push dword ptr fs:[eax]
:004718BC 648920
mov dword ptr fs:[eax], esp
:004718BF C645FF00 mov
[ebp-01], 00
:004718C3 8D85F4FCFFFF lea eax, dword
ptr [ebp+FFFFFCF4]
:004718C9 8D95FFFEFFFF lea edx, dword
ptr [ebp+FFFFFEFF]
:004718CF E81C25F9FF call 00403DF0
:004718D4 8B85F4FCFFFF mov eax, dword
ptr [ebp+FFFFFCF4]
:004718DA 8D95F8FCFFFF lea edx, dword
ptr [ebp+FFFFFCF8]
:004718E0 E82374F9FF call 00408D08
:004718E5 8B95F8FCFFFF mov edx, dword
ptr [ebp+FFFFFCF8]
:004718EB 8D85FFFEFFFF lea eax, dword
ptr [ebp+FFFFFEFF]
:004718F1 B9FF000000 mov ecx,
000000FF
:004718F6 E82D25F9FF call 00403E28
:004718FB 33DB
xor ebx, ebx
:004718FD C685FFFDFFFF00 mov byte ptr [ebp+FFFFFDFF],
00
:00471904 C685FFFCFFFF00 mov byte ptr [ebp+FFFFFCFF],
00
:0047190B 8D95FFFEFFFF lea edx, dword
ptr [ebp+FFFFFEFF]
:00471911 B8F0194700 mov eax,
004719F0
:00471916 E80511F9FF call 00402A20
<---判斷輸入的註冊號是否是xxxx-yyyy的形式;
按F8跟入可知。
:0047191B 8BF0
mov esi, eax
:0047191D 85F6
test esi, esi
:0047191F 0F8E9B000000 jle 004719C0
<---ESI 是上面那個 call 的回傳值,註冊號若不是xxxx-yyyy的形式(ESI<=0)則跳走;
這裡千萬不能跳,不然就OVER了。:-)
:00471925 8D85FFFDFFFF lea eax, dword
ptr [ebp+FFFFFDFF]
:0047192B 50
push eax
:0047192C 8BCE
mov ecx, esi
:0047192E 49
dec ecx
:0047192F BA01000000 mov edx,
00000001
:00471934 8D85FFFEFFFF lea eax, dword
ptr [ebp+FFFFFEFF]
:0047193A E8250FF9FF call 00402864
:0047193F 8D85FFFCFFFF lea eax, dword
ptr [ebp+FFFFFCFF]
:00471945 50
push eax
:00471946 33C9
xor ecx, ecx
:00471948 8A8DFFFEFFFF mov cl, byte
ptr [ebp+FFFFFEFF]
:0047194E 2BCE
sub ecx, esi
:00471950 8D5601
lea edx, dword ptr [esi+01]
:00471953 8D85FFFEFFFF lea eax, dword
ptr [ebp+FFFFFEFF]
:00471959 E8060FF9FF call 00402864
:0047195E 33D2
xor edx, edx
:00471960 8A95FFFDFFFF mov dl, byte
ptr [ebp+FFFFFDFF]
:00471966 85D2
test edx, edx
:00471968 7E16
jle 00471980
:0047196A 8D8500FEFFFF lea eax, dword
ptr [ebp+FFFFFE00]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047197E(C)
|
:00471970 33C9
xor ecx, ecx
:00471972 8A08
mov cl, byte ptr [eax]
:00471974 03D9
add ebx, ecx
:00471976 81C3A41D0F00 add ebx, 000F1DA4
:0047197C 40
inc eax
:0047197D 4A
dec edx
:0047197E 75F0
jne 00471970
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471968(C)
|
:00471980 8D85F0FCFFFF lea eax, dword
ptr [ebp+FFFFFCF0]
:00471986 8D95FFFCFFFF lea edx, dword
ptr [ebp+FFFFFCFF]
:0047198C E85F24F9FF call 00403DF0
:00471991 8B85F0FCFFFF mov eax, dword
ptr [ebp+FFFFFCF0]
:00471997 50
push eax
:00471998 8D95ECFCFFFF lea edx, dword
ptr [ebp+FFFFFCEC]
:0047199E 8BC3
mov eax, ebx
:004719A0 E8E374F9FF call 00408E88
<---用xxxx算出正確的註冊碼(EAX=EBX,即上面迴圈累加出來的數值);
執行完這條 call 以及緊接著的 mov edx, dword ptr [ebp+FFFFFCEC] 後,EDX中就是
正確的註冊碼,我的是:5944406
:004719A5 8B95ECFCFFFF mov edx, dword
ptr [ebp+FFFFFCEC]
:004719AB 58
pop eax
:004719AC E8AB25F9FF call 00403F5C
<---判斷yyyy與上面用xxxx算出的
註冊碼是否相等;
:004719B1 750D
jne 004719C0
<---不等就跳走;
:004719B3 80BD00FFFFFF61 cmp byte ptr [ebp+FFFFFF00],
61
:004719BA 7204
jb 004719C0
:004719BC C645FF01 mov
[ebp-01], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047191F(C), :004719B1(C), :004719BA(C)
|
:004719C0 33C0
xor eax, eax <---可愛的EAX標誌被置0,就OVER了
:004719C2 5A
pop edx
:004719C3 59
pop ecx
:004719C4 59
pop ecx
:004719C5 648910
mov dword ptr fs:[eax], edx
:004719C8 68E5194700 push 004719E5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004719E3(U)
|
:004719CD 8D85ECFCFFFF lea eax, dword
ptr [ebp+FFFFFCEC]
:004719D3 BA04000000 mov edx,
00000004
:004719D8 E81322F9FF call 00403BF0
:004719DD C3
ret
--------------------------------------------------------------------------------
由 call 00402A20 跟入:此Call判斷註冊碼是否為xxxx-yyyy的形式.
:00402A20 53
push ebx
:00402A21 56
push esi
:00402A22 57
push edi
:00402A23 89C6
mov esi, eax
:00402A25 89D7
mov edi, edx
:00402A27 31C9
xor ecx, ecx
:00402A29 8A0F
mov cl, byte ptr [edi]
:00402A2B 47
inc edi
:00402A2C 57
push edi
:00402A2D 31D2
xor edx, edx
:00402A2F 8A16
mov dl, byte ptr [esi]
:00402A31 46
inc esi
:00402A32 4A
dec edx
:00402A33 781B
js 00402A50
:00402A35 8A06
mov al, byte ptr [esi] <---將AL賦值'2D',也就是符號'-';
:00402A37 46
inc esi
:00402A38 29D1
sub ecx, edx
:00402A3A 7E14
jle 00402A50
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402A4E(U)
|
:00402A3C F2
repnz
:00402A3D AE
scasb <---迴圈依次取輸入的註冊碼與AL中的'-'比較
:00402A3E 7510
jne 00402A50 <---註冊碼中沒有'-'符就跳走;
:00402A40 89CB
mov ebx, ecx
:00402A42 56
push esi
:00402A43 57
push edi
:00402A44 89D1
mov ecx, edx
:00402A46 F3
repz
:00402A47 A6
cmpsb
:00402A48 5F
pop edi
:00402A49 5E
pop esi
:00402A4A 7409
je 00402A55
:00402A4C 89D9
mov ecx, ebx
:00402A4E EBEC
jmp 00402A3C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402A33(C), :00402A3A(C), :00402A3E(C)
|
:00402A50 5A
pop edx
:00402A51 31C0
xor eax, eax
:00402A53 EB05
jmp 00402A5A
整理一下我的註冊碼為:liangs-5944406