《漂葉網咖管理系統4.0》破解心得： (9千字)

軟體名稱：漂葉網咖管理系統
版　　本：4.0
下載地址：http://go4.163.com/~piaoyes/
破解工具：softice for win95
破解過程：（第一次寫心得，亂遭遭的，各位別笑）
執行該軟體，註冊，隨便輸入網咖名稱：abcd及註冊碼：123456，按^D啟用softice，下中斷bpx hmemcpy，按F5返回，點註冊，立即被中斷，再bc *，按12次F12和幾次F10後，來到這裡：
016F:00517733 MOV EAX,[EBP+FFFFFDF8]
016F:00517739 LEA EDX,[EBP+FFFFFDFC]
016F:0051773F CALL 004096D4
016F:00517744 MOV EAX,[EBP+FFFFFDFC]
016F:0051774A MOV ECX,09
016F:0051774F MOV EDX,0A
016F:00517754 CALL 00404134
016F:00517759 LEA EAX,[EBP-28]
016F:0051775C PUSH EAX
016F:0051775D LEA EDX,[EBP+FFFFFDF0]
016F:00517763 MOV EAX,[EBP-04]
016F:00517766 MOV EAX,[EAX+0314]
016F:0051776C CALL 00433E30
016F:00517771 MOV EAX,[EBP+FFFFFDF0]
016F:00517777 LEA EDX,[EBP+FFFFFDF4]
016F:0051777D CALL 004096D4
016F:00517782 MOV EAX,[EBP+FFFFFDF4]
016F:00517788 MOV ECX,08
016F:0051778D MOV EDX,01
016F:00517792 CALL 00404134
016F:00517797 LEA EDX,[EBP-08]
016F:0051779A MOV EAX,[EBP-34]
016F:0051779D CALL 00402C88
016F:005177A2 CMP DWORD [EBP-08],BYTE +00　　；檢查註冊碼的格式是否合格
016F:005177A6 JZ 005177C2　　　　　　　　　；是則跳過去

016F:005177A8 PUSH BYTE +00
016F:005177AA MOV CX,[00517E68]
016F:005177B1 XOR EDX,EDX
016F:005177B3 MOV EAX,00517E74
016F:005177B8 CALL 00457674　　　　　　　　　；顯示錯誤資訊
016F:005177BD JMP 00517D86
結果由於輸入的註冊碼格式不合而跳不過去，經分析它要求的格式是這樣的：XXXXXXXX-XXXXXXXXX（其中的X為數字），於是重新輸入註冊碼：12345678-987654321便可跳過這步，來到
016F:005177C2 MOV EAX,[EBP-34]
016F:005177C5 CALL 00409984
016F:005177CA MOV EBX,EAX
016F:005177CC MOV EAX,EBX
016F:005177CE MOV ECX,B5
016F:005177D3 CDQ
016F:005177D4 IDIV ECX
016F:005177D6 IMUL EAX,EAX,C4
016F:005177DC XOR EAX,025DAFF2
016F:005177E1 CDQ
016F:005177E2 XOR EAX,EDX
016F:005177E4 SUB EAX,EDX
016F:005177E6 ADD EAX,08392AF4
016F:005177EB MOV EBX,EAX
016F:005177ED LEA EAX,[EBP-0C]
016F:005177F0 PUSH EAX
016F:005177F1 LEA EDX,[EBP+FFFFFDEC]
016F:005177F7 MOV EAX,EBX
016F:005177F9 CALL 00409954
016F:005177FE MOV EAX,[EBP+FFFFFDEC]
016F:00517804 MOV ECX,08
016F:00517809 MOV EDX,01
016F:0051780E CALL 00404134
016F:00517813 LEA EAX,[EBP-10]
016F:00517816 MOV EDX,00517E94
016F:0051781B CALL 00403D44
016F:00517820 LEA EAX,[EBP-14]
016F:00517823 CALL 00403CAC
016F:00517828 MOV EBX,01
016F:0051782D LEA EAX,[EBP+FFFFFDE8]
016F:00517833 MOV EDX,[EBP-10]
016F:00517836 MOVZX EDX,BYTE [EDX+EBX-01]
016F:0051783B SUB EDX,BYTE +31
016F:0051783E MOV ECX,[EBP-0C]
016F:00517841 MOV DL,[ECX+EDX]
016F:00517844 CALL 00403E54
016F:00517849 MOV EDX,[EBP+FFFFFDE8]
016F:0051784F LEA EAX,[EBP-14]
016F:00517852 CALL 00403F34
016F:00517857 INC EBX
016F:00517858 CMP EBX,BYTE +09
016F:0051785B JNZ 0051782D
016F:0051785D MOV EAX,[EBP-14]
016F:00517860 MOV EDX,[EBP-28]
016F:00517863 CALL 0040403C　　　　　　　；在此處下中斷，這個CALL是檢查註冊碼的前8位與後9位之間的某種聯絡。
中斷後，下命令d eax可見到“97641521”的字樣，d edx則見到的是假註冊碼的前8位（即“12345678”），顯然，如果註冊碼的前8位不是“97641521”的話，下一句就跳不過去而出錯。
016F:00517868 JZ 00517884
016F:0051786A PUSH BYTE +00
016F:0051786C MOV CX,[00517E68]
016F:00517873 XOR EDX,EDX
016F:00517875 MOV EAX,00517EA8
016F:0051787A CALL 00457674　　　　　　　　；顯示錯誤資訊
016F:0051787F JMP 00517D86
重新輸入註冊碼：97641521-987654321，則可來到
016F:00517884 LEA EDX,[EBP+FFFFFDE4]
016F:0051788A MOV EAX,[EBP-04]
016F:0051788D MOV EAX,[EAX+0304]
016F:00517893 CALL 00433E30
016F:00517898 MOV EAX,[EBP+FFFFFDE4]
016F:0051789E LEA EDX,[EBP-18]
016F:005178A1 CALL 004096D4
016F:005178A6 LEA EAX,[EBP-1C]
016F:005178A9 MOV EDX,00517EC8
016F:005178AE CALL 00403D44
016F:005178B3 MOV EAX,[00522408]
016F:005178B8 PUSH EAX
016F:005178B9 LEA EDX,[EBP+FFFFFDDC]
016F:005178BF MOV EAX,[EBP-04]
016F:005178C2 MOV EAX,[EAX+0314]
016F:005178C8 CALL 00433E30
016F:005178CD MOV EAX,[EBP+FFFFFDDC]
016F:005178D3 LEA EDX,[EBP+FFFFFDE0]
016F:005178D9 CALL 004096D4
016F:005178DE MOV EAX,[EBP+FFFFFDE0]
016F:005178E4 MOV ECX,03
016F:005178E9 MOV EDX,0A
016F:005178EE CALL 00404134
016F:005178F3 MOV ESI,01
016F:005178F8 MOV EDI,005556B5
016F:005178FD MOV EAX,[EBP-18]
016F:00517900 CALL 00403F2C
016F:00517905 MOV ECX,EAX
016F:00517907 TEST ECX,ECX
016F:00517909 JNG 00517932
016F:0051790B MOV EBX,01
016F:00517910 MOV EAX,[EBP-18]
016F:00517913 MOVZX EAX,BYTE [EAX+EBX-01]
016F:00517918 IMUL ESI
016F:0051791A ADD EAX,0F48
016F:0051791F CDQ
016F:00517920 XOR EAX,EDX
016F:00517922 SUB EAX,EDX
016F:00517924 MOV ESI,000F4240
016F:00517929 CDQ
016F:0051792A IDIV ESI
016F:0051792C MOV ESI,EDX
016F:0051792E INC EBX
016F:0051792F DEC ECX
016F:00517930 JNZ 00517910
016F:00517932 MOV EAX,[EBP-1C]
016F:00517935 CALL 00403F2C
016F:0051793A MOV ECX,EAX
016F:0051793C SUB ECX,BYTE +02
016F:0051793F JL 00517969
016F:00517941 INC ECX
016F:00517942 MOV EBX,02
016F:00517947 MOV EAX,[EBP-1C]
016F:0051794A MOVZX EAX,BYTE [EAX+EBX-01]
016F:0051794F IMUL ESI
016F:00517951 ADD EAX,0F83
016F:00517956 CDQ
016F:00517957 XOR EAX,EDX
016F:00517959 SUB EAX,EDX
016F:0051795B MOV ESI,000F4240
016F:00517960 CDQ
016F:00517961 IDIV ESI
016F:00517963 MOV ESI,EDX
016F:00517965 INC EBX
016F:00517966 DEC ECX
016F:00517967 JNZ 00517947
016F:00517969 MOV EAX,[EBP-18]
016F:0051796C CALL 00403F2C
016F:00517971 MOV EBX,EAX
016F:00517973 MOV EAX,[EBP-1C]
016F:00517976 CALL 00403F2C
016F:0051797B ADD EBX,EAX
016F:0051797D MOV EAX,EBX
016F:0051797F ADD EDI,ESI
016F:00517981 IMUL EDI
016F:00517983 CDQ
016F:00517984 XOR EAX,EDX
016F:00517986 SUB EAX,EDX
016F:00517988 ADD EAX,00A35B08
016F:0051798D MOV ESI,EAX
016F:0051798F LEA EAX,[EBP+FFFFFDD8]
016F:00517995 PUSH EAX
016F:00517996 LEA EDX,[EBP+FFFFFDD4]
016F:0051799C MOV EAX,ESI
016F:0051799E CALL 00409954
016F:005179A3 MOV EAX,[EBP+FFFFFDD4]
016F:005179A9 MOV ECX,06
016F:005179AE MOV EDX,01
016F:005179B3 CALL 00404134
016F:005179B8 MOV ECX,[EBP+FFFFFDD8]
016F:005179BE MOV EDX,[00522408]
016F:005179C4 MOV EDX,[EDX]
016F:005179C6 LEA EAX,[EBP-2C]
016F:005179C9 CALL 00403F78
016F:005179CE LEA EAX,[EBP+FFFFFDCC]
016F:005179D4 PUSH EAX
016F:005179D5 LEA EDX,[EBP+FFFFFDC8]
016F:005179DB MOV EAX,ESI
016F:005179DD CALL 00409954
016F:005179E2 MOV EAX,[EBP+FFFFFDC8]
016F:005179E8 MOV ECX,06
016F:005179ED MOV EDX,01
016F:005179F2 CALL 00404134
016F:005179F7 MOV ECX,[EBP+FFFFFDCC]
016F:005179FD MOV EDX,[00522408]
016F:00517A03 MOV EDX,[EDX]
016F:00517A05 LEA EAX,[EBP+FFFFFDD0]
016F:00517A0B CALL 00403F78
016F:00517A10 MOV EAX,[EBP+FFFFFDD0]
016F:00517A16 CALL 00409984
016F:00517A1B MOV ESI,EAX
016F:00517A1D MOV EAX,ESI
016F:00517A1F MOV ECX,B5
016F:00517A24 CDQ
016F:00517A25 IDIV ECX
016F:00517A27 IMUL EAX,EAX,C4
016F:00517A2D XOR EAX,025DAFF2
016F:00517A32 CDQ
016F:00517A33 XOR EAX,EDX
016F:00517A35 SUB EAX,EDX
016F:00517A37 ADD EAX,08392AF4
016F:00517A3C MOV ESI,EAX
016F:00517A3E LEA EAX,[EBP-18]
016F:00517A41 PUSH EAX
016F:00517A42 LEA EDX,[EBP+FFFFFDC4]
016F:00517A48 MOV EAX,ESI
016F:00517A4A CALL 00409954
016F:00517A4F MOV EAX,[EBP+FFFFFDC4]
016F:00517A55 MOV ECX,08
016F:00517A5A MOV EDX,01
016F:00517A5F CALL 00404134
016F:00517A64 LEA EAX,[EBP-1C]
016F:00517A67 MOV EDX,00517E94
016F:00517A6C CALL 00403D44
016F:00517A71 LEA EAX,[EBP-24]
016F:00517A74 CALL 00403CAC
016F:00517A79 MOV EBX,01
016F:00517A7E LEA EAX,[EBP+FFFFFDC0]
016F:00517A84 MOV EDX,[EBP-1C]
016F:00517A87 MOVZX EDX,BYTE [EDX+EBX-01]
016F:00517A8C SUB EDX,BYTE +31
016F:00517A8F MOV ECX,[EBP-18]
016F:00517A92 MOV DL,[ECX+EDX]
016F:00517A95 CALL 00403E54
016F:00517A9A MOV EDX,[EBP+FFFFFDC0]
016F:00517AA0 LEA EAX,[EBP-24]
016F:00517AA3 CALL 00403F34
016F:00517AA8 INC EBX
016F:00517AA9 CMP EBX,BYTE +09
016F:00517AAC JNZ 00517A7E
016F:00517AAE PUSH DWORD [EBP-24]
016F:00517AB1 PUSH DWORD 00517EDC
016F:00517AB6 PUSH DWORD [EBP-2C]
016F:00517AB9 LEA EAX,[EBP-20]
016F:00517ABC MOV EDX,03
016F:00517AC1 CALL 00403FEC
016F:00517AC6 LEA EAX,[EBP+FFFFFDBC]
016F:00517ACC PUSH EAX
016F:00517ACD LEA EDX,[EBP+FFFFFDB4]
016F:00517AD3 MOV EAX,[EBP-04]
016F:00517AD6 MOV EAX,[EAX+0314]
016F:00517ADC CALL 00433E30
016F:00517AE1 MOV EAX,[EBP+FFFFFDB4]
016F:00517AE7 LEA EDX,[EBP+FFFFFDB8]
016F:00517AED CALL 004096D4
016F:00517AF2 MOV EAX,[EBP+FFFFFDB8]
016F:00517AF8 MOV ECX,12
016F:00517AFD MOV EDX,01
016F:00517B02 CALL 00404134
016F:00517B07 MOV EDX,[EBP+FFFFFDBC]
016F:00517B0D MOV EAX,[EBP-20]
016F:00517B10 CALL 0040403C　　　　　　　　；在此處下中斷，再d eax即可見到真的註冊碼，至此破解完畢。

《漂葉網咖管理系統4.0》破解心得： (9千字)

相關文章