chm幫助編輯器v2.6 註冊碼破解詳談之二*解碼篇* (11千字)
目標軟體:chm幫助編輯器v2.6
破 解 人:TAE!
保護方式:序列號
破解方式:分析出註冊碼
軟體介紹:此軟體的作者似乎處境相當困難,此篇的目的在於學習,
請支援一下其作者,註冊吧!
下載地址:http://kshii.51.net/
序言:其實這個軟體的註冊碼計算與比較部分相當簡單,關鍵在於破解方法!
如果用常規的方法,即輸入註冊碼、設斷點、按註冊,那就會什麼反應都沒有,
那就換個方法吧!
軟體的試用次數用完以後,會跳出一個Nag視窗,提示已經過期。想想看,軟體怎麼知道
我們有沒有註冊呢?肯定是讀取了存放在某處的一個註冊標誌!就從這裡入手,如何?
在軟體彈出Nag時,切到TRW下執行命令Pmodule,然後回到程式按確定,就會再次回到TRW
(Pmodule真是個很好用的命令)。接著向上檢視程式碼,發現有兩個地方可以跳過Nag:
:0047A276 E8BDFDFFFF call
0047A038 //*很關鍵的地方*
:0047A27B A1E0B84800 mov eax,
dword ptr [0048B8E0]
:0047A280 8B80CC060000 mov eax, dword
ptr [eax+000006CC]
:0047A286 81780CF4010000 cmp dword ptr [eax+0C],
000001F4
:0047A28D 0F845A010000 je 0047A3ED
//檢查是否已經註冊.(第一個)
:0047A293 6800010000 push
00000100
:0047A298 8D85F7FEFFFF lea eax, dword
ptr [ebp+FFFFFEF7]
:0047A29E 50
push eax
* Possible StringData Ref from Data Obj ->""
|
:0047A29F 6828A44700 push
0047A428
* Possible StringData Ref from Data Obj ->"PWes"
//win.ini中的字元
|
:0047A2A4 68F8A44700 push
0047A4F8
* Possible StringData Ref from Data Obj ->"AgeSet" //win.ini中的字元
|
:0047A2A9 6834A44700 push
0047A434
:0047A2AE E8E5C7F8FF call
00406A98
:0047A2B3 8D45FC
lea eax, dword ptr [ebp-04]
:0047A2B6 8D95F7FEFFFF lea edx, dword
ptr [ebp+FFFFFEF7]
:0047A2BC B901010000 mov ecx,
00000101
:0047A2C1 E85E9BF8FF call
00403E24
:0047A2C6 8D45F8
lea eax, dword ptr [ebp-08]
:0047A2C9 50
push eax
:0047A2CA B901000000 mov ecx,
00000001
:0047A2CF BA01000000 mov edx,
00000001
:0047A2D4 8B45FC
mov eax, dword ptr [ebp-04]
:0047A2D7 E8A09DF8FF call
0040407C
* Possible StringData Ref from Data Obj ->"1234567890!@#$%^-*()QWERTYUIOPASDFGHJKLZXCVBNM"
->"qwertyuiopasdfghjklzxcvbnm"
|
:0047A2DC BA44A44700 mov edx,
0047A444
:0047A2E1 8B45F8
mov eax, dword ptr [ebp-08]
:0047A2E4 E8779EF8FF call
00404160
:0047A2E9 8BD8
mov ebx, eax
:0047A2EB 83FB3E
cmp ebx, 0000003E
:0047A2EE 7E5D
jle 0047A34D //檢查使用次數(第二個)
:0047A2F0 6A30
push 00000030
* Possible StringData Ref from Data Obj ->"軟體過期"
|
:0047A2F2 6808A54700 push
0047A508
* Possible StringData Ref from Data Obj ->"您的試用期限已過,若有繼續使用本軟體,請您註冊."
|
:0047A2F7 6814A54700 push
0047A514
進入那個call 0047A038:
:0047A038 53
push ebx
:0047A039 8BD8
mov ebx, eax
:0047A03B 8B83BC060000 mov eax, dword
ptr [ebx+000006BC]
:0047A041 8B4070
mov eax, dword ptr [eax+70]
:0047A044 E80BFEFFFF call
00479E54 //*計算比較註冊碼*
:0047A049 84C0
test al, al
:0047A04B 743A
je 0047A087
:0047A04D 8B83BC060000 mov eax, dword
ptr [ebx+000006BC]
:0047A053 8B4070
mov eax, dword ptr [eax+70]
:0047A056 E8DD9FF8FF call
00404038
:0047A05B 50
push eax
進入call 00479E54:
:00479E54 55
push ebp
:00479E55 8BEC
mov ebp, esp
:00479E57 33C9
xor ecx, ecx
:00479E59 51
push ecx
:00479E5A 51
push ecx
:00479E5B 51
push ecx
:00479E5C 51
push ecx
:00479E5D 51
push ecx
:00479E5E 51
push ecx
:00479E5F 51
push ecx
:00479E60 51
push ecx
:00479E61 53
push ebx
:00479E62 56
push esi
:00479E63 8945FC
mov dword ptr [ebp-04], eax
:00479E66 8B45FC
mov eax, dword ptr [ebp-04]
:00479E69 E8BAA1F8FF call
00404028
:00479E6E 33C0
xor eax, eax
:00479E70 55
push ebp
* Possible StringData Ref from Data Obj ->"朊[迕"
|
:00479E71 68EC9F4700 push
00479FEC
:00479E76 64FF30
push dword ptr fs:[eax]
:00479E79 648920
mov dword ptr fs:[eax], esp
:00479E7C 33DB
xor ebx, ebx
:00479E7E 8B45FC
mov eax, dword ptr [ebp-04]
:00479E81 E8EE9FF8FF call
00403E74 //檢查Win.ini中是否有一個Pset=XXX(存放註冊碼的地方)
:00479E86 83F80D
cmp eax, 0000000D //比較註冊碼的位數是否為13位,我們在這裡設斷點.
:00479E89 0F8542010000 jne 00479FD1
//EAX(註冊碼的位數)不等於13就跳走,等於13則繼續檢查
所以在win.ini中加入這樣一句Pset=1234567890abc,再次執行程式,此時會被中斷,繼續按F10
走到這裡
* Possible StringData Ref from Data Obj ->"Ee"
|
:00479EA8 BA04A04700 mov edx,
0047A004
:00479EAD E8D2A0F8FF call
00403F84 //檢查第一個和第二個字元是不是Ee
:00479EB2 0F8519010000 jne 00479FD1
//不是就跳
:00479EB8 8D45F0
lea eax, dword ptr [ebp-10]
:00479EBB 50
push eax
:00479EBC B901000000 mov ecx,
00000001
:00479EC1 BA03000000 mov edx,
00000003
:00479EC6 8B45FC
mov eax, dword ptr [ebp-04]
:00479EC9 E8AEA1F8FF call
0040407C
:00479ECE 8B45F0
mov eax, dword ptr [ebp-10]
* Possible StringData Ref from Data Obj ->"@"
|
:00479ED1 BA10A04700 mov edx,
0047A010
:00479ED6 E8A9A0F8FF call
00403F84 //檢查第三個字元是不是@
:00479EDB 0F85F0000000 jne 00479FD1
//不是就跳
:00479EE1 8D45EC
lea eax, dword ptr [ebp-14]
:00479EE4 50
push eax
:00479EE5 B901000000 mov ecx,
00000001
:00479EEA BA0A000000 mov edx,
0000000A
:00479EEF 8B45FC
mov eax, dword ptr [ebp-04]
:00479EF2 E885A1F8FF call
0040407C
:00479EF7 8B45EC
mov eax, dword ptr [ebp-14]
* Possible StringData Ref from Data Obj ->"%"
|
:00479EFA BA1CA04700 mov edx,
0047A01C
:00479EFF E880A0F8FF call
00403F84 //檢查倒數第四個字元是不是%
:00479F04 0F85C7000000 jne 00479FD1
:00479F0A 8D45E8
lea eax, dword ptr [ebp-18]
:00479F0D 50
push eax
:00479F0E B901000000 mov ecx,
00000001
:00479F13 BA0B000000 mov edx,
0000000B
:00479F18 8B45FC
mov eax, dword ptr [ebp-04]
:00479F1B E85CA1F8FF call
0040407C
:00479F20 8B45E8
mov eax, dword ptr [ebp-18]
* Possible StringData Ref from Data Obj ->"("
|
:00479F23 BA28A04700 mov edx,
0047A028
:00479F28 E857A0F8FF call
00403F84 //檢查倒數第三個字元是不是(
:00479F2D 0F859E000000 jne 00479FD1
:00479F33 8D45E4
lea eax, dword ptr [ebp-1C]
:00479F36 50
push eax
:00479F37 B901000000 mov ecx,
00000001
:00479F3C BA0D000000 mov edx,
0000000D
:00479F41 8B45FC
mov eax, dword ptr [ebp-04]
:00479F44 E833A1F8FF call
0040407C
:00479F49 8B45E4
mov eax, dword ptr [ebp-1C]
* Possible StringData Ref from Data Obj ->")"
|
:00479F4C BA34A04700 mov edx,
0047A034
:00479F51 E82EA0F8FF call
00403F84 //檢查倒數第一個字元是不是)
:00479F56 7579
jne 00479FD1
:00479F58 8D45E0
lea eax, dword ptr [ebp-20]
:00479F5B 50
push eax
:00479F5C B906000000 mov ecx,
00000006
:00479F61 BA04000000 mov edx,
00000004
:00479F66 8B45FC
mov eax, dword ptr [ebp-04]
:00479F69 E80EA1F8FF call
0040407C
:00479F6E 8B45E0
mov eax, dword ptr [ebp-20]
:00479F71 E8C2A0F8FF call
00404038
:00479F76 8BF0
mov esi, eax
:00479F78 8D55F8
lea edx, dword ptr [ebp-08]
:00479F7B A1E0B84800 mov eax,
dword ptr [0048B8E0]
:00479F80 8B80C0060000 mov eax, dword
ptr [eax+000006C0]
:00479F86 E83567FBFF call
004306C0
:00479F8B 8B45F8
mov eax, dword ptr [ebp-08]
:00479F8E E8A5A0F8FF call
00404038
:00479F93 8BC8
mov ecx, eax
:00479F95 8A16
mov dl, byte ptr [esi]
:00479F97 8A4107
mov al, byte ptr [ecx+07]
:00479F9A 3AC2
cmp al, dl
\
:00479F9C 7533
jne 00479FD1
\
:00479F9E 8A5601
mov dl, byte ptr [esi+01] \
:00479FA1 8A4104
mov al, byte ptr [ecx+04] \
:00479FA4 3AC2
cmp al, dl
\
:00479FA6 7529
jne 00479FD1
\
:00479FA8 8A5602
mov dl, byte ptr [esi+02] \
:00479FAB 8A01
mov al, byte ptr [ecx] \
:00479FAD 3AC2
cmp al, dl
\
:00479FAF 7520
jne 00479FD1
|檢查其它六位數.經過跟蹤發現
:00479FB1 8A5603
mov dl, byte ptr [esi+03] /其它這六位數,必須都在它給的
:00479FB4 8A4109
mov al, byte ptr [ecx+09] / ID中,只是排列順序不同.
:00479FB7 3AC2
cmp al, dl
/ 至於是如何排列的,自己研究吧
:00479FB9 7516
jne 00479FD1
/ 很簡單的.
:00479FBB 8A5604
mov dl, byte ptr [esi+04] /
:00479FBE 8A4102
mov al, byte ptr [ecx+02] /
:00479FC1 3AC2
cmp al, dl
/
:00479FC3 750C
jne 00479FD1
/
:00479FC5 8A5605
mov dl, byte ptr [esi+05] /
:00479FC8 8A4106
mov al, byte ptr [ecx+06] /
:00479FCB 3AC2
cmp al, dl /
:00479FCD 7502
jne 00479FD1
:00479FCF B301
mov bl, 01 <------------看到希望了
我的ID:Nsd5JLy!jt
註冊碼:Ee@!JNtdy%(b)
自己跟一跟,很簡單的,只是切入的方法不同而已。
後記:這篇主要著重在方法上,若你想寫出序號產生器,就自己分析吧!
這個軟體的註冊方式很特別,我破解的方法也很特別,
所以說破解軟體一定不能輕易放棄,要從不同的地方入手,多想想辦法,一定會有收穫的!