貼個教學,初學者請進! (11千字)
星期天在家無聊,很久沒有動過軟體了,就隨便找了個LeapFTP的軟體來實踐一下Debug.(我菜,當然不敢找那
些厲害的軟體下手。不然被搞的灰頭土臉的就慘,一天都不會有好心情...扯遠了還是回到程式中來)
Leap2.7程式下載地址:http://download.sohu.com/disk2/it/new/update/0212/lftp271.exe
作者:MachoMan[CCG]
註冊名:[CCG] (China Cracking Group)
註冊碼:CCG1-CC2A-C1GD-UPVE
後附序號產生器
工具 :
soft ice 4.05
dasm32
步驟:
我先在註冊名處輸入'CCG'
然後輸入假註冊碼'31415926'(Sunbird 的老辦法)
再用ice 中的bpx hmemcpy下斷點。再用F12進入程式空間。然後用
bd hmemcpy 遮蔽掉這個斷點
在ice下用 S 30:0 L ffffffff '31415926' 命令查詢我的註冊碼的位置
30:80607e02 30 31 34 31 35 39 32 36-00 00 00 00 00 00 00 00 31415926.............
接下來要做的就是對這個記憶體位置下斷點
bpm 30: 80607e02(不同機器是可能不同的)
然後你就會在下面的位置004875D2發現偽註冊碼被判斷,就是關鍵所在了。
* Referenced by a CALL at Addresses:
|:0048721F , :00487D85
|
:004875AC 55
push ebp
:004875AD 8BEC
mov ebp, esp
:004875AF 83C4F4
add esp, FFFFFFF4
:004875B2 53
push ebx
:004875B3 56
push esi
:004875B4 57
push edi
:004875B5 8955FC
mov dword ptr [ebp-04], edx
:004875B8 8B45FC
mov eax, dword ptr [ebp-04]
:004875BB E8F8CAF7FF call
004040B8
:004875C0 33C0
xor eax, eax
:004875C2 55
push ebp
:004875C3 6819774800 push
00487719
:004875C8 64FF30
push dword ptr fs:[eax]
:004875CB 648920
mov dword ptr fs:[eax], esp
:004875CE C645FB00
mov [ebp-05], 00
:004875D2 8B45FC
mov eax, dword ptr [ebp-04]//你可以發現註冊碼在[ebp-04]的地方'31415926'
:004875D5 E82AC9F7FF call
00403F04//這個函式是判斷註冊碼的個數
:004875DA 83F813
cmp eax, 00000013;註冊碼是0x13(16進位制)=19個字元
:004875DD 0F8520010000 jne 00487703;不是就洗白
:004875E3 8B45FC
mov eax, dword ptr [ebp-04]
:004875E6 8078042D
cmp byte ptr [eax+04], 2D;第5個字元為0x2D對應ASCII '-'
:004875EA 0F8513010000 jne 00487703;不是就洗白
:004875F0 8B45FC
mov eax, dword ptr [ebp-04]
:004875F3 8078092D
cmp byte ptr [eax+09], 2D;第10個字元為0x2D對應ASCII '-'
:004875F7 0F8506010000 jne 00487703;不是就洗白
:004875FD 8B45FC
mov eax, dword ptr [ebp-04]
:00487600 80780E2D
cmp byte ptr [eax+0E], 2D;第15個字元為0x2D對應ASCII '-'
:00487604 0F85F9000000 jne 00487703;不是就洗白,要想註冊就不能洗白!在這裡可以知道註冊碼的
;結構該是'****-****-****-****'這樣的結構*代表一個字元
:0048760A 33F6
xor esi, esi
:0048760C 33FF
xor edi, edi
:0048760E 33C0
xor eax, eax
:00487610 8945F4
mov dword ptr [ebp-0C], eax
:00487613 BB01000000 mov ebx,
00000001
/******************************************************************************************/
//這下面從487618開始就是一個迴圈,它把你輸入的註冊碼進行判斷是否符合要求,其要求是第一組註冊碼
//的最後一個字元為數字,其餘的3個為字元,第二組的倒數第2個為數字,其他三個為字元。第三組的倒數第
//3個為數字,其他三個為字元。如果符合其要求,則把前三組註冊碼分組求和,然後把這個3個和數,及3個
//和數的總和分別做一個這樣的運算 (X+0x41)/0x1a+0x4-5-->最後一組的4個字元,可以知道註冊碼跟使用者名稱
//無關
圖示如下
****-****-****-****
sum1 sum2 sum3||||
||||____________________(sum1+sum2+sum3+0x41)/0x1a+0x41
|||
|||____________________(sum3+0x41)/0x1a+0x41
||
||_____________________
(sum2+0x41)/0x1a+0x41
|
|_______________________(sum1+0x41)/0x1a+0x41
/******************************************************************************************/
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048769E(C)
|
:00487618 8BC3
mov eax, ebx
:0048761A 2503000080 and eax,
80000003
:0048761F 7905
jns 00487626
:00487621 48
dec eax
:00487622 83C8FC
or eax, FFFFFFFC
:00487625 40
inc eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048761F(C)
|
:00487626 85C0
test eax, eax
:00487628 7516
jne 00487640
:0048762A 8B45FC
mov eax, dword ptr [ebp-04]
:0048762D 8A4418FF
mov al, byte ptr [eax+ebx-01]
:00487631 E84EFFFFFF call
00487584//這個呼叫作用是把你的註冊碼的一個字元進行識別。要求
//其必須其必須是一個數字,在'0'-'9'之間
//
:00487636 84C0
test al, al //判斷返回值符合要求嗎?如果不是,al是置0的
:00487638 0F84C5000000 je 00487703//判斷返回值
:0048763E EB22
jmp 00487662//不能跳
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487628(C)
|
:00487640 8BC3
mov eax, ebx
:00487642 B905000000 mov ecx,
00000005
:00487647 99
cdq
:00487648 F7F9
idiv ecx
:0048764A 85D2
test edx, edx
:0048764C 7414
je 00487662
:0048764E 8B45FC
mov eax, dword ptr [ebp-04]
:00487651 8A4418FF
mov al, byte ptr [eax+ebx-01]
:00487655 E83EFFFFFF call
00487598//這個呼叫的作用是把你的註冊碼的一個字元進行識別。要求
//其必須是字元,而且其必須在'A'-'Z'之間,你可以根據地址找到
:0048765A 84C0
test al, al//判斷返回值
:0048765C 0F84A1000000 je 00487703//不能跳!
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048763E(U), :0048764C(C)
|
:00487662 8B45FC
mov eax, dword ptr [ebp-04]
:00487665 8A4418FF
mov al, byte ptr [eax+ebx-01]
:00487669 3C2D
cmp al, 2D //判斷是字元'-'嗎?
:0048766B 742D
je 0048769A//字元不參與計算,跳過迴圈
:0048766D 83FB05
cmp ebx, 00000005//
:00487670 7D0C
jge 0048767E
:00487672 8B55FC
mov edx, dword ptr [ebp-04]
:00487675 25FF000000 and eax,
000000FF
:0048767A 03F0
add esi, eax//esi 中放第一組註冊碼的和
:0048767C EB1C
jmp 0048769A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487670(C)
|
:0048767E 83FB0A
cmp ebx, 0000000A
:00487681 7D0C
jge 0048768F
:00487683 8B55FC
mov edx, dword ptr [ebp-04]//[ebp-04]
:00487686 25FF000000 and eax,
000000FF
:0048768B 03F8
add edi, eax//edi第二組註冊碼的和
:0048768D EB0B
jmp 0048769A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487681(C)
|
:0048768F 8B55FC
mov edx, dword ptr [ebp-04]
:00487692 25FF000000 and eax,
000000FF
:00487697 0145F4
add dword ptr [ebp-0C], eax//[ebp-0c]中放第三組註冊碼的和
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048766B(C), :0048767C(U), :0048768D(U)
|
:0048769A 43
inc ebx
:0048769B 83FB0F
cmp ebx, 0000000F//迴圈完了嗎?
:0048769E 0F8574FFFFFF jne 00487618//如果沒完繼續
:004876A4 8D0C37
lea ecx, dword ptr [edi+esi]//這下邊的就是生成註冊碼的最後4個字元
:004876A7 034DF4
add ecx, dword ptr [ebp-0C]
:004876AA 8BC6
mov eax, esi
:004876AC BB1A000000 mov ebx,
0000001A
:004876B1 99
cdq
:004876B2 F7FB
idiv ebx
:004876B4 83C241
add edx, 00000041
:004876B7 8B45FC
mov eax, dword ptr [ebp-04]
:004876BA 3A500F
cmp dl, byte ptr [eax+0F]
:004876BD 7544
jne 00487703
:004876BF 8BC7
mov eax, edi
:004876C1 BB1A000000 mov ebx,
0000001A
:004876C6 99
cdq
:004876C7 F7FB
idiv ebx
:004876C9 83C241
add edx, 00000041
:004876CC 8B45FC
mov eax, dword ptr [ebp-04]
:004876CF 3A5010
cmp dl, byte ptr [eax+10]
:004876D2 752F
jne 00487703
:004876D4 8B45F4
mov eax, dword ptr [ebp-0C]
:004876D7 BB1A000000 mov ebx,
0000001A
:004876DC 99
cdq
:004876DD F7FB
idiv ebx
:004876DF 83C241
add edx, 00000041
:004876E2 8B45FC
mov eax, dword ptr [ebp-04]
:004876E5 3A5011
cmp dl, byte ptr [eax+11]
:004876E8 7519
jne 00487703
:004876EA 8BC1
mov eax, ecx
:004876EC B91A000000 mov ecx,
0000001A
:004876F1 99
cdq
:004876F2 F7F9
idiv ecx
:004876F4 83C241
add edx, 00000041
:004876F7 8B45FC
mov eax, dword ptr [ebp-04]
:004876FA 3A5012
cmp dl, byte ptr [eax+12]
:004876FD 7504
jne 00487703
:004876FF C645FB01
mov [ebp-05], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004875DD(C), :004875EA(C), :004875F7(C), :00487604(C), :00487638(C)
|:0048765C(C), :004876BD(C), :004876D2(C), :004876E8(C), :004876FD(C)
|
:00487703 33C0
xor eax, eax
:00487705 5A
pop edx
:00487706 59
pop ecx
:00487707 59
pop ecx
:00487708 648910
mov dword ptr fs:[eax], edx
:0048770B 6820774800 push
00487720
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048771E(U)
|
:00487710 8D45FC
lea eax, dword ptr [ebp-04]
:00487713 E86CC5F7FF call
00403C84
:00487718 C3
ret
/*****************************************************************************************/
//判斷數字(ASCII)呼叫
Referenced by a CALL at Address:
|:00487631
|
:00487584 8BD0
mov edx, eax
:00487586 80FA2F
cmp dl, 2F
:00487589 7608
jbe 00487593
:0048758B 80FA3A
cmp dl, 3A
:0048758E 7303
jnb 00487593
:00487590 B001
mov al, 01
:00487592 C3
/****************************************************************************************/
//字元判斷呼叫
* Referenced by a CALL at Address:
|:00487655
|
:00487598 8BD0
mov edx, eax
:0048759A 80FA40
cmp dl, 40
:0048759D 7608
jbe 004875A7
:0048759F 80FA5B
cmp dl, 5B
:004875A2 7303
jnb 004875A7
:004875A4 B001
mov al, 01
:004875A6 C3
ret
//轉摘請保持完整 AllRight Reserved By: [CCG]