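Add/Remove 4Good 2 registration code: tracing walkthrough, slightly more involved --- [BCG] beginner tutorial
Author: CrackerABC[BCG]
Author's homepage: http://crackerabc.longcity.net
This program is a typical example of having to step into a CALL to reach the calculation subroutine. Let's begin.
1. First, enter arbitrary registration information: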
Name:sunfeng
Code: 31415926
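2. Start TRW2000, click OK, bring it up with Ctrl+N, then set bpx hmemcpy.
3. Press F5 to return to the program, then click Register; TRW2000 breaks in. Enter BD * to disable all breakpoints.
4. Start pressing F12, 23 times in total (the 24th press produces the error). Now watch carefully:
0167:004018D5 PUSH DWORD FF ///// this is where you are after pressing F10 the first time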
0167:004018DA MOV ECX,[EBP-10]
0167:004018DD PUSH DWORD 00408460
0167:004018E2 ADD ECX,01A0
0167:004018E8 CALL `MFC40!ord_00000D36`
0167:004018ED PUSH DWORD 00408360
0167:004018F2 LEA ECX,[EBP-18]
0167:004018F5 CALL `MFC40!ord_000001E3`
0167:004018FA MOV DWORD [EBP-04],00
0167:00401901 MOV EAX,[EAX]
0167:00401903 PUSH DWORD 004085A4
0167:00401908 PUSH EAX
0167:00401909 CALL `MSVCRT40!_mbscmp`
0167:0040190F MOV DWORD [EBP-04],FFFFFFFF
0167:00401916 ADD ESP,BYTE +08
0167:00401919 CMP EAX,BYTE +01
0167:0040191C MOV EAX,[EBP-14]
0167:0040191F SBB [EBP-14],EAX
0167:00401922 NEG DWORD [EBP-14]
0167:00401925 CALL 00401A33
0167:0040192A CMP DWORD [EBP-14],BYTE +00
0167:0040192E JZ 00401949
0167:00401930 PUSH BYTE +01
0167:00401932 MOV ECX,[EBP-10]
0167:00401935 CALL `MFC40!ord_00000910`
0167:0040193A MOV EAX,[EBP-0C]
0167:0040193D POP EDI
0167:0040193E MOV [FS:00],EAX
0167:00401944 POP ESI
0167:00401945 MOV ESP,EBP
0167:00401947 POP EBP
0167:00401948 RET
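0167:00401949 CALL 00401620 //// press F8 to step in here; this is the entry point of the calculation subroutine
0167:0040194E TEST EAX,EAX //// this is the classic combination.
0167:00401950 JZ NEAR 004019F8 ///
0167:00401956 LEA EAX,[EBP-18]
Below is the code that was stepped into: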
0167:00401620 MOV EAX,[FS:00]
0167:00401626 PUSH EBP
0167:00401627 MOV EBP,ESP
0167:00401629 PUSH BYTE -01
0167:0040162B PUSH DWORD 004017A5
0167:00401630 MOV ECX,FFFFFFFF
0167:00401635 PUSH EAX
0167:00401636 MOV [FS:00],ESP
0167:0040163D SUB ESP,BYTE +0C
0167:00401640 SUB EAX,EAX
0167:00401642 PUSH EDI
0167:00401643 MOV EDI,00408360
0167:00401648 REPNE SCASB
0167:0040164A NOT ECX
0167:0040164C DEC ECX
0167:0040164D CMP ECX,BYTE +06
0167:00401650 JNC 00401663
0167:00401652 XOR EAX,EAX
0167:00401654 MOV ECX,[EBP-0C]
0167:00401657 POP EDI
0167:00401658 MOV [FS:00],ECX
0167:0040165F MOV ESP,EBP
0167:00401661 POP EBP
0167:00401662 RET
0167:00401663 MOV EDI,00408360
0167:00401668 MOV ECX,FFFFFFFF
0167:0040166D SUB EAX,EAX
0167:0040166F REPNE SCASB
0167:00401671 NOT ECX
0167:00401673 SUB EDX,EDX
0167:00401675 LEA EAX,[ECX-01]
0167:00401678 MOV ECX,0C
0167:0040167D DIV ECX
0167:0040167F MOV EAX,[0040835C]
0167:00401684 LEA ECX,[EBP-10] //// D ECX shows 87ae2401my69; this is not the real registration code. Right next to it
//// is the thank-you-for-registering message, which is there to mislead.
0167:00401687 MOV AL,[EAX+EDX]
0167:0040168A PUSH EAX
0167:0040168B PUSH DWORD 0040859C
0167:00401690 CALL `MFC40!ord_000001E3`
0167:00401695 PUSH EAX
0167:00401696 LEA ECX,[EBP-14]
0167:00401699 MOV DWORD [EBP-04],00
0167:004016A0 PUSH ECX
0167:004016A1 CALL `MFC40!ord_00000332`
0167:004016A6 MOV BYTE [EBP-04],02
0167:004016AA CALL 0040179D
0167:004016AF MOV EDI,00408360
0167:004016B4 MOV ECX,FFFFFFFF
0167:004016B9 MOV DWORD [EBP-10],00
0167:004016C0 SUB EAX,EAX
0167:004016C2 REPNE SCASB
0167:004016C4 NOT ECX
0167:004016C6 DEC ECX
0167:004016C7 JZ 00401741
0167:004016C9 TEST BYTE [EBP-10],01
0167:004016CD JNZ 00401728
0167:004016CF MOV EAX,[EBP-10]
0167:004016D2 MOV AL,[EAX+00408360]
0167:004016D8 CMP AL,7F
0167:004016DA JG NEAR 00401773
0167:004016E0 CMP AL,20
0167:004016E2 JL NEAR 00401784
0167:004016E8 CBW
0167:004016EA MOV CL,02
0167:004016EC IDIV CL
0167:004016EE ADD AL,20
0167:004016F0 CMP AL,5A
0167:004016F2 JNG 004016FA
0167:004016F4 CMP AL,61
0167:004016F6 JNL 004016FA
0167:004016F8 ADD AL,06
0167:004016FA CMP AL,39
0167:004016FC JNG 00401704
0167:004016FE CMP AL,41
0167:00401700 JNL 00401704
0167:00401702 ADD AL,08
0167:00401704 PUSH EAX
0167:00401705 LEA ECX,[EBP-18]
0167:00401708 LEA EAX,[EBP-14]
0167:0040170B PUSH EAX
0167:0040170C PUSH ECX
0167:0040170D CALL `MFC40!ord_00000332`
0167:00401712 PUSH EAX
0167:00401713 LEA ECX,[EBP-14]
0167:00401716 MOV BYTE [EBP-04],03
0167:0040171A CALL `MFC40!ord_000002F8`
0167:0040171F MOV BYTE [EBP-04],02 //// this point is reached repeatedly; D ECX shows the registration code one character at a time, ending as 6582-1YWRS
0167:00401723 CALL 00401795
0167:00401728 MOV EDI,00408360
0167:0040172D MOV ECX,FFFFFFFF
0167:00401732 INC DWORD [EBP-10]
0167:00401735 SUB EAX,EAX
0167:00401737 REPNE SCASB
0167:00401739 NOT ECX
0167:0040173B DEC ECX
0167:0040173C CMP ECX,[EBP-10]
0167:0040173F JA 004016C9
0167:00401741 PUSH DWORD 00408460
0167:00401746 MOV EAX,[EBP-14]
0167:00401749 PUSH EAX
0167:0040174A CALL `MSVCRT40!_mbscmp`
0167:00401750 ADD ESP,BYTE +08
0167:00401753 MOV ECX,[EBP-10]
0167:00401756 MOV DWORD [EBP-04],FFFFFFFF
0167:0040175D CMP EAX,BYTE +01
0167:00401760 SBB [EBP-10],ECX
0167:00401763 NEG DWORD [EBP-10]
0167:00401766 CALL 004017AF
0167:0040176B MOV EAX,[EBP-10]
0167:0040176E JMP 00401654
0167:00401773 MOV DWORD [EBP-04],FFFFFFFF
0167:0040177A CALL 004017AF
0167:0040177F JMP 00401652
0167:00401784 MOV DWORD [EBP-04],FFFFFFFF
0167:0040178B CALL 004017AF
0167:00401790 JMP 00401652
0167:00401795 LEA ECX,[EBP-18]
0167:00401798 JMP `MFC40!ord_000002C2`
0167:0040179D LEA ECX,[EBP-10]
0167:004017A0 JMP `MFC40!ord_000002C2`
0167:004017A5 MOV EAX,00406E70
0167:004017AA JMP `MSVCRT40!__CxxFrameHandler`
0167:004017AF LEA ECX,[EBP-14]
0167:004017B2 JMP `MFC40!ord_000002C2`
0167:004017B7 INT3
0167:004017B8 INT3
0167:004017B9 INT3
0167:004017BA INT3
0167:004017BB INT3
0167:004017BC INT3
0167:004017BD INT3
0167:004017BE INT3
0167:004017BF INT3
0167:004017C0 PUSH EBX
0167:004017C1 PUSH ESI
0167:004017C2 PUSH EDI
0167:004017C3 MOV EBX,ECX
0167:004017C5 CALL `MFC40!ord_0000104D`
0167:004017CA MOV ECX,EBX
0167:004017CC CALL 004014A0
0167:004017D1 CALL 004015A0
0167:004017D6 TEST EAX,EAX
0167:004017D8 JZ NEAR 00401867
0167:004017DE PUSH DWORD 00408674
0167:004017E3 LEA ECX,[EBX+60]
0167:004017E6 CALL `MFC40!ord_00001574`
0167:004017EB PUSH DWORD 004085C8
0167:004017F0 LEA ECX,[EBX+E0]
0167:004017F6 LEA EDI,[EBX+01E0]
0167:004017FC CALL `MFC40!ord_00001574`
0167:00401801 PUSH DWORD 004085BC
0167:00401806 LEA ECX,[EBX+A0]
0167:0040180C LEA ESI,[EBX+01A0]
0167:00401812 CALL `MFC40!ord_00001574`
0167:00401817 PUSH DWORD 00408360
0167:0040181C MOV ECX,EDI
0167:0040181E CALL `MFC40!ord_00001574`
0167:00401823 PUSH DWORD 00408460
0167:00401828 MOV ECX,ESI
0167:0040182A CALL `MFC40!ord_00001574`
0167:0040182F PUSH DWORD 004085B8
0167:00401834 LEA ECX,[EBX+0120]
0167:0040183A CALL `MFC40!ord_00001574`
0167:0040183F PUSH BYTE +00
0167:00401841 MOV ECX,EDI
0167:00401843 CALL `MFC40!ord_0000090D`
0167:00401848 PUSH BYTE +00
0167:0040184A MOV ECX,ESI
0167:0040184C CALL `MFC40!ord_0000090D`
0167:00401851 PUSH BYTE +00
0167:00401853 LEA ECX,[EBX+0160]
0167:00401859 CALL `MFC40!ord_0000090D`
0167:0040185E MOV EAX,01
0167:00401863 POP EDI
0167:00401864 POP ESI
0167:00401865 POP EBX
0167:00401866 RET
0167:00401867 PUSH DWORD 004085A4
0167:0040186C LEA ECX,[EBX+01E0]
0167:00401872 CALL `MFC40!ord_00001574`
0167:00401877 PUSH DWORD 004085A4
0167:0040187C LEA ECX,[EBX+01A0]
0167:00401882 CALL `MFC40!ord_00001574`
0167:00401887 MOV EAX,[00408358]
0167:0040188C LEA ECX,[EBX+60]
0167:0040188F PUSH EAX
0167:00401890 CALL `MFC40!ord_00001574`
0167:00401895 MOV EAX,01
0167:0040189A POP EDI
0167:0040189B POP ESI
0167:0040189C POP EBX
0167:0040189D RET
0167:0040189E INT3
0167:0040189F INT3
0167:004018A0 MOV EAX,[FS:00]
0167:004018A6 PUSH EBP
0167:004018A7 MOV EBP,ESP
0167:004018A9 PUSH BYTE -01
0167:004018AB PUSH DWORD 00401A29
0167:004018B0 PUSH EAX
0167:004018B1 MOV [FS:00],ESP
0167:004018B8 SUB ESP,BYTE +0C
0167:004018BB MOV [EBP-10],ECX
0167:004018BE PUSH ESI
0167:004018BF PUSH EDI
0167:004018C0 ADD ECX,01E0
0167:004018C6 PUSH DWORD FF
0167:004018CB PUSH DWORD 00408360
0167:004018D0 CALL `MFC40!ord_00000D36`
0167:004018D5 PUSH DWORD FF
0167:004018DA MOV ECX,[EBP-10]
0167:004018DD PUSH DWORD 00408460
0167:004018E2 ADD ECX,01A0
0167:004018E8 CALL `MFC40!ord_00000D36`
0167:004018ED PUSH DWORD 00408360
0167:004018F2 LEA ECX,[EBP-18]
0167:004018F5 CALL `MFC40!ord_000001E3`
0167:004018FA MOV DWORD [EBP-04],00
0167:00401901 MOV EAX,[EAX]
0167:00401903 PUSH DWORD 004085A4
0167:00401908 PUSH EAX
0167:00401909 CALL `MSVCRT40!_mbscmp`
0167:0040190F MOV DWORD [EBP-04],FFFFFFFF
0167:00401916 ADD ESP,BYTE +08
0167:00401919 CMP EAX,BYTE +01
0167:0040191C MOV EAX,[EBP-14]
0167:0040191F SBB [EBP-14],EAX
0167:00401922 NEG DWORD [EBP-14]
0167:00401925 CALL 00401A33
0167:0040192A CMP DWORD [EBP-14],BYTE +00
0167:0040192E JZ 00401949
0167:00401930 PUSH BYTE +01
0167:00401932 MOV ECX,[EBP-10]
0167:00401935 CALL `MFC40!ord_00000910`
0167:0040193A MOV EAX,[EBP-0C]
0167:0040193D POP EDI
0167:0040193E MOV [FS:00],EAX
0167:00401944 POP ESI
0167:00401945 MOV ESP,EBP
0167:00401947 POP EBP
0167:00401948 RET
0167:00401949 CALL 00401620
0167:0040194E TEST EAX,EAX
0167:00401950 JZ NEAR 004019F8
0167:00401956 LEA EAX,[EBP-18]
0167:00401959 LEA ECX,[EBP-14]
0167:0040195C MOV DWORD [EBP-18],00
0167:00401963 MOV DWORD [EBP-14],00
0167:0040196A PUSH EAX
0167:0040196B PUSH ECX
0167:0040196C PUSH BYTE +00
0167:0040196E PUSH DWORD 000F003F
0167:00401973 PUSH BYTE +00
0167:00401975 PUSH BYTE +00
0167:00401977 PUSH BYTE +00
0167:00401979 PUSH DWORD 0040857C
0167:0040197E PUSH DWORD 80000002
0167:00401983 CALL `ADVAPI32!RegCreateKeyExA`
0167:00401989 MOV EDI,EAX
0167:0040198B TEST EDI,EDI
0167:0040198D JNZ 004019BC
0167:0040198F PUSH DWORD 0200
0167:00401994 MOV EAX,[EBP-14]
0167:00401997 PUSH DWORD 00408360
0167:0040199C PUSH BYTE +03
0167:0040199E PUSH BYTE +00
0167:004019A0 PUSH DWORD 00408578
0167:004019A5 PUSH EAX
0167:004019A6 CALL `ADVAPI32!RegSetValueExA`
0167:004019AC MOV EDI,EAX
0167:004019AE MOV EAX,[EBP-14]
0167:004019B1 PUSH EAX
0167:004019B2 CALL `ADVAPI32!RegCloseKey`
0167:004019B8 TEST EDI,EDI
0167:004019BA JZ 004019CF
0167:004019BC PUSH BYTE +00
0167:004019BE PUSH BYTE +00
0167:004019C0 PUSH DWORD 0040886C
0167:004019C5 CALL `MFC40!ord_00000425`
0167:004019CA JMP 00401930
0167:004019CF CMP DWORD [EBP-10],BYTE +00
0167:004019D3 MOV EAX,00
0167:004019D8 JZ 004019E0
0167:004019DA MOV EAX,[EBP-10]
0167:004019DD MOV EAX,[EAX+20]
0167:004019E0 PUSH BYTE +00
0167:004019E2 PUSH DWORD 0040885C
0167:004019E7 PUSH DWORD 004087DC
0167:004019EC PUSH EAX
0167:004019ED CALL `USER32!MessageBoxA`
0167:004019F3 JMP 00401930
0167:004019F8 PUSH BYTE -01
0167:004019FA CALL `USER32!MessageBeep`
0167:00401A00 CMP DWORD [EBP-10],BYTE +00
0167:00401A04 MOV EAX,00
0167:00401A09 JZ 00401A11
0167:00401A0B MOV EAX,[EBP-10]
0167:00401A0E MOV EAX,[EAX+20]
0167:00401A11 PUSH BYTE +30
0167:00401A13 PUSH DWORD 004087C8
0167:00401A18 PUSH DWORD 00408688
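0167:00401A1D PUSH EAX /// the instructions that follow pop up the error dialog.
If you do not trace carefully, you will end up with a similar-looking registration code, 87ae2401my69, which is actually fake.
That's it. Work out for yourself which places need to be stepped into. Class dismissed.
<------End------->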