遼寧省職稱計算機考試2001年光碟的破解和序號產生器的製作 (13千字)
使用工具:SoftICE 4.05,W32Dasm白金版
說明:2001年光碟的模擬考試必須先進行註冊,該光碟允許安裝4臺機器,獲取註冊號需要透過撥打電話16898173,然後輸入一個14位長的數字,我聽過周圍的好幾個人說電話註冊很費勁也很麻煩,經常為了一個註冊需要打好幾次資訊臺電話,花了不少電話費,50塊錢一張光碟就夠貴的了,竟然還要透過資訊臺再掙一次錢,真是可恨,因此絕對有必要破解它。其實找出註冊碼的方法很多,也很容易,用SmartCheck就可以輕鬆搞定。
用SoftICE的破解過程:
設定好SoftICE,出現輸入註冊號的對話方塊後,輸入一個12位的註冊號,bpx hmemcpy或bpx rtcinputbox,按確定後,會被攔截回來,一步一步跟蹤,就會找到真正的註冊號。
用SmartCheck的破解過程:
設定好SmartCheck後,執行軟體,出現輸入註冊號的對話方塊後,輸入一個12位的註冊號,按確定,當然肯定是錯誤,按退出,查詢SmartCheck記錄,就會找到註冊號。
註冊碼的生成過程:
* Possible StringData Ref from Code Obj ->"cc:\jsjdog"
|
:0059350D 6898EE4100 push 0041EE98
...
* Reference To: MSVBVM50.__vbaFileOpen, Ord:0000h
|
:0059351E FF15CCD35D00 Call dword ptr
[005DD3CC]
* Reference To: MSVBVM50.rtcEndOfFile, Ord:023Bh
|
:00593524 8B35DCD35D00 mov esi, dword
ptr [005DD3DC]
:0059352A 6A01
push 00000001
:0059352C FFD6
call esi
:0059352E 6685C0
test ax, ax
:00593531 6A01
push 00000001
:00593533 750C
jne 00593541
:00593535 8D45A4
lea eax, dword ptr [ebp-5C]
:00593538 50
push eax
* Reference To: MSVBVM50.__vbaLineInputVar, Ord:0000h
|
:00593539 FF15A4D25D00 Call dword ptr
[005DD2A4]
:0059353F EBE9
jmp 0059352A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00593533(C)
|
* Reference To: MSVBVM50.__vbaFileClose, Ord:0000h
|
:00593541 FF1538D35D00 Call dword ptr
[005DD338]
:00593547 8D4D84
lea ecx, dword ptr [ebp-7C]
:0059354A 8D55A4
lea edx, dword ptr [ebp-5C] ====> 行輸入內容地址
:0059354D 51
push ecx
:0059354E 6A04
push 00000004
:00593550 8D8574FFFFFF lea eax, dword
ptr [ebp+FFFFFF74]
:00593556 52
push edx
:00593557 50
push eax
:00593558 C7458C05000000 mov [ebp-74], 00000005
:0059355F C7458402000000 mov [ebp-7C], 00000002
* Reference To: MSVBVM50.rtcMidCharVar, Ord:0278h
|
:00593566 FF1530D35D00 Call dword ptr
[005DD330]
:0059356C 8D8D74FFFFFF lea ecx, dword
ptr [ebp+FFFFFF74]
:00593572 51
push ecx
* Reference To: MSVBVM50.__vbaR8Var, Ord:0000h
|
:00593573 FF1504D45D00 Call dword ptr
[005DD404]
:00593579 DD5DB4
fstp qword ptr [ebp-4C]
:0059357C 8D9574FFFFFF lea edx, dword
ptr [ebp+FFFFFF74]
:00593582 8D4584
lea eax, dword ptr [ebp-7C]
:00593585 52
push edx
:00593586 50
push eax
:00593587 6A02
push 00000002
* Reference To: MSVBVM50.__vbaFreeVarList, Ord:0000h
|
:00593589 FF1598D25D00 Call dword ptr
[005DD298]
:0059358F 83C40C
add esp, 0000000C
上面這段程式是開啟c:\jsjdog檔案,用行讀入方式讀取檔案,從第4個字元開始取5個字元,並轉成單精度格式,用VB程式表示如下:
Open "c:\jsjdos" For Input As #1
Do While Not EOF(1)
Line Input #1, DogCode$
Loop
Close #1
VeriCode=Csng(Mid(DogCode$, 4, 5))
:00593592 8D95D4FEFFFF lea edx, dword
ptr [ebp+FFFFFED4]
:00593598 8D4D84
lea ecx, dword ptr [ebp-7C]
* Possible StringData Ref from Code Obj ->"cc:\Msdos"
|
:0059359B C785DCFEFFFFC4EE4100 mov dword ptr [ebp+FFFFFEDC], 0041EEC4
:005935A5 C785D4FEFFFF08000000 mov dword ptr [ebp+FFFFFED4], 00000008
* Reference To: MSVBVM50.__vbaVarDup, Ord:0000h
|
:005935AF FF1538D45D00 Call dword ptr
[005DD438]
:005935B5 8D4D84
lea ecx, dword ptr [ebp-7C]
:005935B8 53
push ebx
:005935B9 51
push ecx
* Reference To: MSVBVM50.rtcDir, Ord:0285h
|
:005935BA FF15C0D35D00 Call dword ptr
[005DD3C0]
:005935C0 8BD0
mov edx, eax
:005935C2 8D4DA0
lea ecx, dword ptr [ebp-60]
:005935C5 FFD7
call edi
:005935C7 50
push eax
:005935C8 6818584100 push 00415818
* Reference To: MSVBVM50.__vbaStrCmp, Ord:0000h
|
:005935CD FF1548D35D00 Call dword ptr
[005DD348]
:005935D3 8BF0
mov esi, eax
:005935D5 8D4DA0
lea ecx, dword ptr [ebp-60]
:005935D8 F7DE
neg esi
:005935DA 1BF6
sbb esi, esi
:005935DC F7DE
neg esi
:005935DE F7DE
neg esi
* Reference To: MSVBVM50.__vbaFreeStr, Ord:0000h
|
:005935E0 FF1580D45D00 Call dword ptr
[005DD480]
:005935E6 8D4D84
lea ecx, dword ptr [ebp-7C]
* Reference To: MSVBVM50.__vbaFreeVar, Ord:0000h
|
:005935E9 FF157CD25D00 Call dword ptr
[005DD27C]
:005935EF 663BF3
cmp si, bx ====> 是否存在"c:\Msdos"
:005935F2 743C
je 00593630 ====> 不存在,則轉
* Possible StringData Ref from Code Obj ->"cc:\Msdos"
|
:005935F4 68C4EE4100 push 0041EEC4
:005935F9 6A01
push 00000001
:005935FB 6AFF
push FFFFFFFF
:005935FD 6A01
push 00000001
* Reference To: MSVBVM50.__vbaFileOpen, Ord:0000h
|
:005935FF FF15CCD35D00 Call dword ptr
[005DD3CC]
:00593605 8D55CC
lea edx, dword ptr [ebp-34]
:00593608 6A01
push 00000001
:0059360A 52
push edx
* Reference To: MSVBVM50.__vbaLineInputVar, Ord:0000h
|
:0059360B FF15A4D25D00 Call dword ptr
[005DD2A4]
:00593611 6A01
push 00000001
* Reference To: MSVBVM50.__vbaFileClose, Ord:0000h
|
:00593613 FF1538D35D00 Call dword ptr
[005DD338]
:00593619 6A07
push 00000007 ====> 屬性值為7,即系統、只讀、隱含
* Possible StringData Ref from Code Obj ->"cc:\msdos"
|
:0059361B 6800584100 push 00415800
* Reference To: MSVBVM50.rtcSetFileAttr, Ord:0244h
|
:00593620 FF1588D45D00 Call dword ptr
[005DD488]
:00593626 BB0A000000 mov ebx,
0000000A
:0059362B E999080000 jmp 00593EC9
上面這段程式是檢測C盤是否有msdos這個檔案(其實這個檔案的內容就是註冊碼),如果有則開啟這個檔案並讀取內容,VB程式可能如下:
A$="c:\Msdos"
B$=Dir("c:\Msdos")
If A$=B$ Then
Open B$ For Input As #1
Line Input #1, RegCode1$
Close #1
SetAttr B$, vbReadOnly+vbHidden+vbSystem
Else
進入輸入軟體序列號和註冊碼對話方塊
End If
:00593EC9 DD45B4
fld qword ptr [ebp-4C]
* Reference To: MSVBVM50.__vbaFpI4, Ord:0000h
|
:00593ECC 8B3544D45D00 mov esi, dword
ptr [005DD444]
:00593ED2 FFD6
call esi
:00593ED4 99
cdq
:00593ED5 B905000000 mov ecx,
00000005
:00593EDA F7F9
idiv ecx
:00593EDC 83FA04
cmp edx, 00000004
:00593EDF 0F8768280000 ja 0059674D
:00593EE5 FF249594695900 jmp dword ptr [4*edx+00596994]
====> 轉到593EEC、594661、594DD6、5955D6、595DD6
:00593EEC DD45B4
fld qword ptr [ebp-4C]
:00593EEF FFD6
call esi
* Possible StringData Ref from Code Obj ->"4412345"
|
:00593EF1 6868EF4100 push 0041EF68
:00593EF6 8BD8
mov ebx, eax
* Reference To: MSVBVM50.__vbaI4Str, Ord:0000h
|
:00593EF8 FF15ECD35D00 Call dword ptr
[005DD3EC] ====> 轉為字元格式
:00593EFE 33D8
xor ebx, eax ====>
與412345異或
:00593F00 53
push ebx
* Reference To: MSVBVM50.__vbaStrI4, Ord:0000h
|
:00593F01 FF1574D25D00 Call dword ptr
[005DD274]
:00593F07 8BD0
mov edx, eax
:00593F09 8D4DA0
lea ecx, dword ptr [ebp-60]
:00593F0C FFD7
call edi
:00593F0E DD0528354000 fld qword ptr
[00403528] ====> [00403528]值為99999
:00593F14 DC65B4
fsub qword ptr [ebp-4C] ====> 99999-VeriCode
:00593F17 50
push eax
:00593F18 DFE0
fstsw ax
:00593F1A A80D
test al, 0D
:00593F1C 0F85862A0000 jne 005969A8
:00593F22 FFD6
call esi
* Possible StringData Ref from Code Obj ->"2238745"
|
:00593F24 687CEF4100 push 0041EF7C
:00593F29 8BD8
mov ebx, eax
* Reference To: MSVBVM50.__vbaI4Str, Ord:0000h
|
:00593F2B FF15ECD35D00 Call dword ptr
[005DD3EC]
:00593F31 33D8
xor ebx, eax ====>
與238745異或
:00593F33 53
push ebx
* Reference To: MSVBVM50.__vbaStrI4, Ord:0000h
|
:00593F34 FF1574D25D00 Call dword ptr
[005DD274]
:00593F3A 8BD0
mov edx, eax
:00593F3C 8D4D9C
lea ecx, dword ptr [ebp-64]
:00593F3F FFD7
call edi
* Reference To: MSVBVM50.__vbaStrCat, Ord:0000h
|
:00593F41 8B1DC0D25D00 mov ebx, dword
ptr [005DD2C0]
:00593F47 50
push eax
:00593F48 FFD3
call ebx
====> 兩個結果進行合併
:00593F4A 8D5584
lea edx, dword ptr [ebp-7C]
:00593F4D 89856CFFFFFF mov dword ptr
[ebp+FFFFFF6C], eax
:00593F53 52
push edx
:00593F54 8D45CC
lea eax, dword ptr [ebp-34]
:00593F57 6A02
push 00000002
:00593F59 8D8D74FFFFFF lea ecx, dword
ptr [ebp+FFFFFF74]
:00593F5F 50
push eax
:00593F60 51
push ecx
:00593F61 C78564FFFFFF08800000 mov dword ptr [ebp+FFFFFF64], 00008008
:00593F6B C7458C0C000000 mov [ebp-74], 0000000C
:00593F72 C7458402000000 mov [ebp-7C], 00000002
* Reference To: MSVBVM50.rtcMidCharVar, Ord:0278h
|
:00593F79 FF1530D35D00 Call dword ptr
[005DD330] ====> 從第2個字元開始讀取12(0Ch)個註冊碼字元
:00593F7F 8D9564FFFFFF lea edx, dword
ptr [ebp+FFFFFF64] ====> 剛才讀取的字元地址
:00593F85 8D8574FFFFFF lea eax, dword
ptr [ebp+FFFFFF74] ====> 兩次異或運算的結果地址
:00593F8B 52
push edx
:00593F8C 50
push eax
* Reference To: MSVBVM50.__vbaVarTstEq, Ord:0000h
|
:00593F8D FF154CD35D00 Call dword ptr
[005DD34C] ====> 字串比較
上面共兩段程式,第一段程式是求檢測碼與5的模,根據模的值進行不同的運算,第二段程式是模為0時的運算過程,另外4個運算過程與此相似,這裡就不再說了。VB程式可能如下:
TestCode = Cint(VeriCode) Mod 5
Select Case TestCode
Case 0
RegCode2$=(Cstr(VerCode) Xor Cstr(412345))+(Cstr(99999-VerCode)
Xor Cstr(238745))
RegCode1$=Mid(RegCode1$, 2, 12)
If RegCode1$ = RegCode2$ Then
MsgBox "註冊成功!", vbOnly
GoTo 程式正常執行處
Else
MsgBox "註冊失敗!", vbOnly
End
End If
Case 1
RegCode2$=(Cstr(VerCode) Xor Cstr(235678))+(Cstr(99999-VerCode)
Xor Cstr(338762))
RegCode1$=Mid(RegCode1$, 2, 12)
If RegCode1$ = RegCode2$ Then
MsgBox "註冊成功!", vbOnly
GoTo 程式正常執行處
Else
MsgBox "註冊失敗!", vbOnly
End
End If
Case 2
RegCode2$=(Cstr(VerCode) Xor Cstr(897363))+(Cstr(99999-VerCode)
Xor Cstr(283954))
RegCode1$=Mid(RegCode1$, 2, 12)
If RegCode1$ = RegCode2$ Then
MsgBox "註冊成功!", vbOnly
GoTo 程式正常執行處
Else
MsgBox "註冊失敗!", vbOnly
End
End If
Case 3
RegCode2$=(Cstr(VerCode) Xor Cstr(236738))+(Cstr(99999-VerCode)
Xor Cstr(458902))
RegCode1$=Mid(RegCode1$, 2, 12)
If RegCode1$ = RegCode2$ Then
MsgBox "註冊成功!", vbOnly
GoTo 程式正常執行處
Else
MsgBox "註冊失敗!", vbOnly
End
End If
Case 4
RegCode2$=(Cstr(VerCode) Xor Cstr(763218))+(Cstr(99999-VerCode)
Xor Cstr(238958))
RegCode1$=Mid(RegCode1$, 2, 12)
If RegCode1$ = RegCode2$ Then
MsgBox "註冊成功!", vbOnly
GoTo 程式正常執行處
Else
MsgBox "註冊失敗!", vbOnly
End
End If
End Select
因此這個程式的序號產生器不難編寫,因為軟體序列號即最後5位數字是可見的
設最後5位數字為abcde,
則註冊碼的前6位為:固定數字1 xor abcde
則註冊碼的後6位為:固定數字2 xor (99999-abcde)
這樣,共12位註冊碼,序號產生器已經做好並測試透過
相關文章
- 一個CrackMe的破解以及序號產生器的製作
(4千字)2001-08-16
- MP3 explorer 破解和序號產生器的製作2015-11-15
- 製作mIRC6.02序號產生器(給別人寫的初學者序號產生器教材) (14千字)2015-11-15
- EditPlus 2.01b 序號產生器的製作 (22千字)2001-09-10
- IrfanView 序號產生器分析(初級版)
(13千字)2015-11-15View
- AlgoLab PtVector的破解及序號產生器的編寫 (17千字)2001-05-04Go
- 如何製作VB程式記憶體序號產生器--國內某軟體的序號產生器(隱去軟體資訊)
(14千字)2002-08-04記憶體
- xplorer2之破解和序號產生器2004-12-05
- winzip的通用序號產生器 (2千字)2001-12-10
- UltraEdit-32 8.10.1.0的破解及序號產生器的生成 (15千字)2001-05-15
- winzip序號產生器 (1千字)2001-04-12
- NetTalk破解與序號產生器(高手勿進) (10千字)2001-09-20
- 貼彩虹狗破解工具的序號產生器 (727字)2001-07-01
- Kalua Cocktails 1.1完全破解,內附彙編序號產生器(用序號產生器編寫器,並有它的使用教程)
(22千字)2002-02-27AI
- 序號產生器制分析: (1千字)2001-11-19
- 破解accoustica
2.21(帶序號產生器)----讓高手見笑了:) (11千字)2002-03-31
- Resource
Builder 1.1.0 完全破解~~附彙編序號產生器 (10千字)2015-11-15UI
- 《淺談利用RSA演算法防止非法序號產生器的製作》2004-05-20演算法
- supercapture3.0的版序號產生器!
(4千字)2002-04-23APT
- 用KEYMAKE製作記憶體序號產生器特殊一例
(11千字)2015-11-15記憶體
- 網頁加密器(HTMLEncryptor1.1)破解及序號產生器 (1千字)2001-04-22網頁加密HTML
- 文書處理大師 3.0 破解~~~附序號產生器 (17千字)2002-03-24
- 3DAxy貪吃蛇 AxySnake 破解與序號產生器 (21千字)2015-11-153D
- 社群遊戲伴侶
V1.0註冊碼的計算,序號產生器 (30千字)2003-05-09遊戲
- 續未完成破解,寫出它的序號產生器,3k。。。 (8千字)2001-07-09
- 用DeDe破解 e族百變桌面 V5.1+用DEIPHI5寫序號產生器
(13千字)2002-04-18
- 讓他變成自己的序號產生器!財智家庭理財2001加強版(v3.2)的破解 (7千字)2001-11-05
- 010
Editorv1.3破解(序號產生器)2004-05-17
- EmEditor V3.29和它的序號產生器 (12千字)2015-11-15
- 《DesktopX v1.0》PJ 記錄 + 序號產生器原始碼 (13千字)2015-11-15原始碼
- 序號產生器寫作教學。奉賢給想加入CCG和BCG的朋友。 (11千字)2001-10-21
- 序號產生器合集2024-03-17
- SWF探索者XP 1.2(swfexplorer)破解+分析+序號產生器
(18千字)2002-04-14
- KEYGENNING4NEWBIES #7破解過程+序號產生器 (6千字)2001-08-21
- 用“破解除錯”的方法修改序號產生器(SDK)功能――獻給自由的FCG和所有Cracker (23千字)2015-11-15除錯
- 美萍安全衛士V8.45序號產生器制作分析過程,及序號產生器! (11千字)2001-10-28
- Gif2Swf Ver 2.1 TC20序號產生器 && MASM32序號產生器 (4千字)2001-12-10ASM
- hellfire2000破解過程及序號產生器的編寫(上) (4千字)2001-01-19