初學者-Winzip8.0

Winzip V8.0

輸入
使用者名稱: Liu Tong
註冊碼: 87654321
設斷點bpx hmemcpy
點OK鍵,被中斷後按F12鍵9次(第10次出錯)
便按F10便用D命令找輸入的註冊碼(如D ESI, D EDI....)
如找到註冊碼的地址****:********,設斷點bpx ****:********
CTRL+D返回Winzip,再次被中斷後注意找,下面的程式,若不是繼續按CTRL+D

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004692F8(C), :00469318(C)
|
:004692EC 0AC0 or al, al
:004692EE 742E je 0046931E
:004692F0 8A06 mov al, byte ptr [esi]<----此處用D ESI命令可看到輸入碼
:004692F2 46 inc esi
:004692F3 8A27 mov ah, byte ptr [edi]<----此處用D EDI命令可看到註冊碼
:004692F5 47 inc edi
:004692F6 38C4 cmp ah, al
:004692F8 74F2 je 004692EC
:004692FA 2C41 sub al, 41
:004692FC 3C1A cmp al, 1A
:004692FE 1AC9 sbb cl, cl
:00469300 80E120 and cl, 20
:00469303 02C1 add al, cl
:00469305 0441 add al, 41
:00469307 86E0 xchg al, ah
:00469309 2C41 sub al, 41
:0046930B 3C1A cmp al, 1A
:0046930D 1AC9 sbb cl, cl
:0046930F 80E120 and cl, 20
:00469312 02C1 add al, cl
:00469314 0441 add al, 41
:00469316 38E0 cmp al, ah
:00469318 74D2 je 004692EC
:0046931A 1AC0 sbb al, al
:0046931C 1CFF sbb al, FF

下面是找註冊碼生成的過程:
通常,註冊碼是由使用者名稱(或使用者名稱加公司名)計算出來的.
因此,設斷點bpx ********(********是使用者名稱儲存的地址)
會找到兩段程式(軟體的註冊碼是由兩個4位碼組合成的):
第一段程式生成後4位碼:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B6C(U)
|
:00407B5A 84D2 test dl, dl
:00407B5C 7410 je 00407B6E
:00407B5E 660FB6D2 movzx dx, dl
:00407B62 0FAFD7 imul edx, edi
:00407B65 03DA add ebx, edx
:00407B67 8A5601 mov dl, byte ptr [esi+01]
:00407B6A 47 inc edi
:00407B6B 46 inc esi
:00407B6C EBEC jmp 00407B5A

第二段程式生成前4位碼:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407B97(U)
|
:00407B7C 84C9 test cl, cl
:00407B7E 7419 je 00407B99
:00407B80 660FB6C9 movzx cx, cl
:00407B84 6821100000 push 00001021
:00407B89 51 push ecx
:00407B8A 50 push eax
:00407B8B E829000000 call 00407BB9
:00407B90 8A4E01 mov cl, byte ptr [esi+01]
:00407B93 83C40C add esp, 0000000C
:00407B96 46 inc esi
:00407B97 EBE3 jmp 00407B7C
======================================================================
* Referenced by a CALL at Addresses:
|:00407B8B , :00407C75
|
:00407BB9 55 push ebp
:00407BBA 8BEC mov ebp, esp
:00407BBC 8B4508 mov eax, dword ptr [ebp+08]
:00407BBF 56 push esi
:00407BC0 33C9 xor ecx, ecx

* Possible Ref to Menu: RBUTTONMENU1, Item: "Delete..."
|

* Possible Reference to String Resource ID=00008: "Delete files from %s"
|
:00407BC2 6A08 push 00000008
:00407BC4 8A6D0C mov ch, byte ptr [ebp+0C]
:00407BC7 5A pop edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407BDF(C)
|
:00407BC8 8BF0 mov esi, eax
:00407BCA 33F1 xor esi, ecx
:00407BCC 66F7C60080 test si, 8000
:00407BD1 7407 je 00407BDA
:00407BD3 03C0 add eax, eax
:00407BD5 334510 xor eax, dword ptr [ebp+10]
:00407BD8 EB02 jmp 00407BDC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407BD1(C)
|
:00407BDA D1E0 shl eax, 1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407BD8(U)
|
:00407BDC D1E1 shl ecx, 1
:00407BDE 4A dec edx
:00407BDF 75E7 jne 00407BC8
:00407BE1 5E pop esi
:00407BE2 5D pop ebp
:00407BE3 C3 ret

初學者-Winzip8.0

相關文章