windows優化大師 v1.0.2.7 (10千字)

軟體名稱:windows優化大師 v1.0.2.7
註冊方式:name+phone+serial+prc-serrial
軟體功能:登錄檔修改軟體
作者:魯錦
作者主頁:http://lamb.shangdu.net
作者郵箱:mailoflujin@163.net
破解者:happyhackwang
郵箱:happyhackwang@263.net
OICQ:4696993(不線上^^)
註冊方式:Patch(誰想寫序號產生器,自己寫吧!演算法見後)
工具:Trw,w32dasm,my head,ultraedit(to write this article),ProcDump

首先感謝劉濤濤,Ru Feng,DingBoy,看雪他們的為CRACK所做的貢獻
首先要對這個程式進行脫殼,用ProcDump Dump(full)可以脫下來(trw中pnewsec->procdump,不要rebuild PE)
原來的檔案大小為:413K
脫殼後的檔案大小為:0.99M
它是用ASPack 1.083壓縮的,也可以用ProcDump直接脫殼

下面是反彙編的結果,配合softice,可以很容易破解

:004B30B7 E8500EF5FF call 00403F0C
:004B30BC 741D je 004B30DB   ;這個判斷總是能夠跳轉,所以不用Patch
:004B30BE 6A10 push 00000010

* Possible StringData Ref from Code Obj ->"Windows優化大師"
|
:004B30C0 B988324B00 mov ecx, 004B3288

* Possible StringData Ref from Code Obj ->"錯誤！註冊失敗。"
|
:004B30C5 BA8C334B00 mov edx, 004B338C
......
:004B30EF E80C55F5FF call 00408600   ;關鍵的call
:004B30F4 8D907D590200 lea edx, dword ptr [eax+0002597D]
:004B30FA 8B0DD0CB4D00 mov ecx, dword ptr [004DCBD0]
:004B3100 0301 add eax, dword ptr [ecx]
:004B3102 33D0 xor edx, eax
:004B3104 8BC2 mov eax, edx
:004B3106 3BD8 cmp ebx, eax   ;名字與註冊碼分別算出來的數相比較
:004B3108 741D je 004B3127   ;(b2708)change to jmp,Patch的地方
:004B310A 6A10 push 00000010

* Possible StringData Ref from Code Obj ->"Windows優化大師"
|
:004B310C B988324B00 mov ecx, 004B3288

* Possible StringData Ref from Code Obj ->"錯誤！註冊失敗。"
|
:004B3111 BA8C334B00 mov edx, 004B338C
......
* Possible StringData Ref from Code Obj ->"註冊成功。感謝您使用國產軟體---您忠實的朋友“?
->"辰酢?
|
:004B31DA BAD8334B00 mov edx, 004B33D8

Patch:
004B3104 8BC2 mov eax, edx
   8BC3            mov eax,ebx

現在看一下注冊碼的演算法
:004B30EF E80C55F5FF call 00408600   ;關鍵的計算語句,追進去
:004B30F4 8D907D590200 lea edx, dword ptr [eax+0002597D]   ;出口引數eax是用你輸
:004B30FA 8B0DD0CB4D00 mov ecx, dword ptr [004DCBD0]       ;入的註冊碼計算出來
:004B3100 0301 add eax, dword ptr [ecx]       ;[ecx]=FD9C 預定義的
:004B3102 33D0 xor edx, eax               ;eax=eax && edx
:004B3104 8BC2 mov eax, edx               ;出口ebx是真正註冊碼
:004B3106 3BD8 cmp ebx, eax               ;的校驗和,這裡進行比較
:004B3108 741D je 004B3127

edx=eax+2597D;
eax+=FD9C;
eax=edx&&eax;

:00408622 E8A5A6FFFF call 00402CCC   ;關鍵

追進來可以看到:
:00402CD6 31C0 xor eax, eax   ;初始化累加器
:00402CD8 31DB xor ebx, ebx
......
:00402CDF 8A1E mov bl, byte ptr [esi]   ;esi是你輸入的註冊碼的位置
:00402CE1 46 inc esi
:00402CE2 80FB20 cmp bl, 20   ;空格
:00402CE5 74F8 je 00402CDF
:00402CE7 B500 mov ch, 00
:00402CE9 80FB2D cmp bl, 2D   ;-
:00402CEC 7469 je 00402D57
:00402CEE 80FB2B cmp bl, 2B   ;+
:00402CF1 7466 je 00402D59
:00402CF3 80FB24 cmp bl, 24   ;$
:00402CF6 7466 je 00402D5E
:00402CF8 80FB78 cmp bl, 78   ;x
:00402CFB 7461 je 00402D5E
:00402CFD 80FB58 cmp bl, 58   ;X
:00402D00 745C je 00402D5E
:00402D02 80FB30 cmp bl, 30   ;0
:00402D05 7513 jne 00402D1A
:00402D07 8A1E mov bl, byte ptr [esi]
:00402D09 46 inc esi
:00402D0A 80FB78 cmp bl, 78
:00402D0D 744F je 00402D5E
:00402D0F 80FB58 cmp bl, 58
:00402D12 744A je 00402D5E
:00402D14 84DB test bl, bl
:00402D16 7420 je 00402D38
:00402D18 EB04 jmp 00402D1E

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402D05(C), :00402D5C(U)
|
:00402D1A 84DB test bl, bl
:00402D1C 7434 je 00402D52

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402D18(U), :00402D36(C)
|
:00402D1E 80EB30 sub bl, 30   ;是數字的話進行變換
:00402D21 80FB09 cmp bl, 09   ;數字的ASCII碼值在30~39之間,數字在0~9之間
:00402D24 772C ja 00402D52
:00402D26 39F8 cmp eax, edi   ;eax累加和,初始化為0,edi初始化為CCCCCCC
:00402D28 7728 ja 00402D52
:00402D2A 8D0480 lea eax, dword ptr [eax+4*eax]   ;eax=eax*5
:00402D2D 01C0 add eax, eax               ;eax=eax*2
:00402D2F 01D8 add eax, ebx               ;eax=eax+ebx
:00402D31 8A1E mov bl, byte ptr [esi]       ;取下一個字元
:00402D33 46 inc esi
:00402D34 84DB test bl, bl
:00402D36 75E6 jne 00402D1E

註冊碼校驗和的演算法總結如下
int j =getlength(serial);
int x=0;
for (int i=0;i<j;i++)
{
  char ch=serial[i];
  _ebx=atoi(ch);
  x*=10;
  x+=_ebx;//_ebx is the number that you input
}
x+=FD9C;
_edx=x+2597D;
x=x&&_edx;
return x;

而ebx中的數是怎麼算出來的?我們看看:

:004B3034 BE01000000 mov esi, 00000001   ;esi=1,位元組偏移量

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3059(C)
|
:004B3039 8B45F8 mov eax, dword ptr [ebp-08]   ;取得字串的地址(字串1)
:004B303C 0FB64430FF movzx eax, byte ptr [eax+esi-01]   ;取每一個字元
:004B3041 F7EB imul ebx   ;乘,ebx初始化為1
:004B3043 05770F0000 add eax, 00000F77   ;與
:004B3048 99 cdq   ;edx清零
:004B3049 33C2 xor eax, edx   ;eax與edx異或,此時edx=0,所以eax不變
:004B304B 2BC2 sub eax, edx   ;eax=eax-edx,eax不變
:004B304D BB40420F00 mov ebx, 000F4240   ;ebx=F4240
:004B3052 99 cdq   ;edx清零
:004B3053 F7FB idiv ebx   ;除
:004B3055 8BDA mov ebx, edx   ;ebx=edx
:004B3057 46 inc esi   ;增量
:004B3058 49 dec ecx   ;計數器
:004B3059 75DE jne 004B3039   ;迴圈
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3032(C)
|
:004B305B 8B45F4 mov eax, dword ptr [ebp-0C]   ;eax是電話號碼的偏移地址(字串2)
:004B305E E8990DF5FF call 00403DFC   ;取得這個字串的長度
:004B3063 8BC8 mov ecx, eax
:004B3065 83E902 sub ecx, 00000002
:004B3068 7C2B jl 004B3095
:004B306A 41 inc ecx   ;到這裡ecx是真正字串的長度減去1,做計數器
:004B306B BE02000000 mov esi, 00000002   ;

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3093(C)
|
:004B3070 8B45F4 mov eax, dword ptr [ebp-0C]   ;eax是字串的地址
:004B3073 0FB64430FF movzx eax, byte ptr [eax+esi-01]   ;從第二個字元開始取
:004B3078 F7EB imul ebx   ;乘
:004B307A 8B15D0CB4D00 mov edx, dword ptr [004DCBD0]   ;
:004B3080 0302 add eax, dword ptr [edx]   ;[edx]=FD9C,固定的,是預定義的
:004B3082 99 cdq   ;edx清零
:004B3083 33C2 xor eax, edx   ;
:004B3085 2BC2 sub eax, edx   ;eax不變
:004B3087 BB40420F00 mov ebx, 000F4240   ;ebx=F4240
:004B308C 99 cdq   ;edx清零
:004B308D F7FB idiv ebx   ;除
:004B308F 8BDA mov ebx, edx   ;ebx=edx
:004B3091 46 inc esi   ;偏移增量
:004B3092 49 dec ecx   ;計數器
:004B3093 75DB jne 004B3070   ;迴圈

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3068(C)
|
:004B3095 8D837D590200 lea eax, dword ptr [ebx+0002597D]   ;eax=ebx+2597D
:004B309B 8B15D0CB4D00 mov edx, dword ptr [004DCBD0]       ;
:004B30A1 031A add ebx, dword ptr [edx]       ;[edx]依然是FD9C
:004B30A3 33C3 xor eax, ebx           ;異或
:004B30A5 8BD8 mov ebx, eax   ;ebx的數算出來了!



這裡的字串有區別:
字串1是wanghlLamb1111111lily
~~~~~~ ~~~~~~~
名字電話號碼
字串2是1111111lily
字串1=名字+Lamb+電話號碼+lily           (Lamb,魯錦的英文名,lily,可能是他的女朋友的名字)
字串2=電話號碼+lily

注:1:註冊碼必須是數字,不信你就可以試一試
2:註冊申請碼是由電話號碼決定的,與其他的兩項無關
3:在windows\system下面有個檔案kernel32.ini,是這個軟體建立的,是註冊與否的標誌!
這個檔案一刪除,就變成非註冊版了,請看:

註冊成功下面就是
* Possible StringData Ref from Code Obj ->"\System\Kernel32.ini"
|
:004B3143 BACC324B00 mov edx, 004B32CC
:004B3148 E8B70CF5FF call 00403E04
:004B314D 8B4DE8 mov ecx, dword ptr [ebp-18]
:004B3150 B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"OE"
|
:004B3152 A100494500 mov eax, dword ptr [00454900]
:004B3157 E84C18FAFF call 004549A8
:004B315C 8BF0 mov esi, eax
:004B315E 8D55E8 lea edx, dword ptr [ebp-18]
:004B3161 8BC3 mov eax, ebx
:004B3163 E8F453F5FF call 0040855C
:004B3168 8B45E8 mov eax, dword ptr [ebp-18]
:004B316B 50 push eax

* Possible StringData Ref from Code Obj ->"MaxFileCache"
|
:004B316C B9A8334B00 mov ecx, 004B33A8

* Possible StringData Ref from Code Obj ->"vcache"
......

********************************世間本無事,庸人自擾耳*************************************

windows優化大師 v1.0.2.7 (10千字)

相關文章