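Cracking the 2001 Liaoning Province Professional-Title Computer Exam CD and Writing a Keygen
Tools used: SoftICE 4.05, W32Dasm (Platinum edition)
Note: the mock exam on the 2001 CD must be registered before it can be used. The CD may be installed on 4 machines. To obtain a registration number you have to call 16898173 and then enter a 14-digit number. Several people around me have told me that registering by phone is tedious and troublesome: a single registration often takes several calls to the information line and runs up a sizeable phone bill. At 50 yuan the CD is expensive enough already, and making money a second time through the information line is really hateful, so cracking it is absolutely necessary. In fact there are many ways to find the registration code and it is easy; SmartCheck handles it without effort.
Cracking it with SoftICE:
Set up SoftICE. When the dialog asking for the registration number appears, enter a 12-digit registration number, set bpx hmemcpy or bpx rtcinputbox, and press OK. SoftICE breaks in; trace step by step and you will find the real registration number.
Cracking it with SmartCheck:
Set up SmartCheck and run the software. When the dialog asking for the registration number appears, enter a 12-digit registration number and press OK. It will of course be rejected; press Exit, look through the SmartCheck log, and you will find the registration number.
How the registration code is generated: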
* Possible StringData Ref from Code Obj ->"cc:\jsjdog"
|
:0059350D 6898EE4100           push 0041EE98
...
* Reference To: MSVBVM50.__vbaFileOpen, Ord:0000h
|
:0059351E FF15CCD35D00         Call dword ptr [005DD3CC]
* Reference To: MSVBVM50.rtcEndOfFile, Ord:023Bh
|
:00593524 8B35DCD35D00         mov esi, dword ptr [005DD3DC]
:0059352A 6A01                 push 00000001
:0059352C FFD6                 call esi
:0059352E 6685C0               test ax, ax
:00593531 6A01                 push 00000001
:00593533 750C                 jne 00593541
:00593535 8D45A4               lea eax, dword ptr [ebp-5C]
:00593538 50                   push eax
* Reference To: MSVBVM50.__vbaLineInputVar, Ord:0000h
|
:00593539 FF15A4D25D00         Call dword ptr [005DD2A4]
:0059353F EBE9                 jmp 0059352A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00593533(C)
|
* Reference To: MSVBVM50.__vbaFileClose, Ord:0000h
|
:00593541 FF1538D35D00         Call dword ptr [005DD338]
:00593547 8D4D84               lea ecx, dword ptr [ebp-7C]
:0059354A 8D55A4               lea edx, dword ptr [ebp-5C] ====> address of the line that was read
:0059354D 51                   push ecx
:0059354E 6A04                 push 00000004
:00593550 8D8574FFFFFF         lea eax, dword ptr [ebp+FFFFFF74]
:00593556 52                   push edx
:00593557 50                   push eax
:00593558 C7458C05000000       mov [ebp-74], 00000005
:0059355F C7458402000000       mov [ebp-7C], 00000002
* Reference To: MSVBVM50.rtcMidCharVar, Ord:0278h
|
:00593566 FF1530D35D00         Call dword ptr [005DD330]
:0059356C 8D8D74FFFFFF         lea ecx, dword ptr [ebp+FFFFFF74]
:00593572 51                   push ecx
* Reference To: MSVBVM50.__vbaR8Var, Ord:0000h
|
:00593573 FF1504D45D00         Call dword ptr [005DD404]
:00593579 DD5DB4               fstp qword ptr [ebp-4C]
:0059357C 8D9574FFFFFF         lea edx, dword ptr [ebp+FFFFFF74]
:00593582 8D4584               lea eax, dword ptr [ebp-7C]
:00593585 52                   push edx
:00593586 50                   push eax
:00593587 6A02                 push 00000002
* Reference To: MSVBVM50.__vbaFreeVarList, Ord:0000h
|
:00593589 FF1598D25D00         Call dword ptr [005DD298]
:0059358F 83C40C               add esp, 0000000C
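The code above opens the file c:\jsjdog, reads it line by line, takes 5 characters starting at the 4th character and converts them to single-precision format. Expressed in VB:
Open "c:\jsjdog" For Input As #1
' Read to the end of the file; DogCode$ ends up holding the last line
Do While Not EOF(1)
    Line Input #1, DogCode$
Loop
Close #1
' 5 characters starting at position 4 form the check code
VeriCode = CSng(Mid(DogCode$, 4, 5))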
:00593592 8D95D4FEFFFF         lea edx, dword ptr [ebp+FFFFFED4]
:00593598 8D4D84               lea ecx, dword ptr [ebp-7C]
* Possible StringData Ref from Code Obj ->"cc:\Msdos"
|
:0059359B C785DCFEFFFFC4EE4100 mov dword ptr [ebp+FFFFFEDC], 0041EEC4
:005935A5 C785D4FEFFFF08000000 mov dword ptr [ebp+FFFFFED4], 00000008
* Reference To: MSVBVM50.__vbaVarDup, Ord:0000h
|
:005935AF FF1538D45D00         Call dword ptr [005DD438]
:005935B5 8D4D84               lea ecx, dword ptr [ebp-7C]
:005935B8 53                   push ebx
:005935B9 51                   push ecx
* Reference To: MSVBVM50.rtcDir, Ord:0285h
|
:005935BA FF15C0D35D00         Call dword ptr [005DD3C0]
:005935C0 8BD0                 mov edx, eax
:005935C2 8D4DA0               lea ecx, dword ptr [ebp-60]
:005935C5 FFD7                 call edi
:005935C7 50                   push eax
:005935C8 6818584100           push 00415818
* Reference To: MSVBVM50.__vbaStrCmp, Ord:0000h
|
:005935CD FF1548D35D00         Call dword ptr [005DD348]
:005935D3 8BF0                 mov esi, eax
:005935D5 8D4DA0               lea ecx, dword ptr [ebp-60]
:005935D8 F7DE                 neg esi
:005935DA 1BF6                 sbb esi, esi
:005935DC F7DE                 neg esi
:005935DE F7DE                 neg esi
* Reference To: MSVBVM50.__vbaFreeStr, Ord:0000h
|
:005935E0 FF1580D45D00         Call dword ptr [005DD480]
:005935E6 8D4D84               lea ecx, dword ptr [ebp-7C]
* Reference To: MSVBVM50.__vbaFreeVar, Ord:0000h
|
:005935E9 FF157CD25D00         Call dword ptr [005DD27C]
:005935EF 663BF3               cmp si, bx ====> does "c:\Msdos" exist?
:005935F2 743C                 je 00593630 ====> if it does not exist, jump
* Possible StringData Ref from Code Obj ->"cc:\Msdos"
|
:005935F4 68C4EE4100           push 0041EEC4
:005935F9 6A01                 push 00000001
:005935FB 6AFF                 push FFFFFFFF
:005935FD 6A01                 push 00000001
* Reference To: MSVBVM50.__vbaFileOpen, Ord:0000h
|
:005935FF FF15CCD35D00         Call dword ptr [005DD3CC]
:00593605 8D55CC               lea edx, dword ptr [ebp-34]
:00593608 6A01                 push 00000001
:0059360A 52                   push edx
* Reference To: MSVBVM50.__vbaLineInputVar, Ord:0000h
|
:0059360B FF15A4D25D00         Call dword ptr [005DD2A4]
:00593611 6A01                 push 00000001
* Reference To: MSVBVM50.__vbaFileClose, Ord:0000h
|
:00593613 FF1538D35D00         Call dword ptr [005DD338]
:00593619 6A07                 push 00000007 ====> attribute value 7, i.e. system, read-only, hidden
* Possible StringData Ref from Code Obj ->"cc:\msdos"
|
:0059361B 6800584100           push 00415800
* Reference To: MSVBVM50.rtcSetFileAttr, Ord:0244h
|
:00593620 FF1588D45D00         Call dword ptr [005DD488]
:00593626 BB0A000000           mov ebx, 0000000A
:0059362B E999080000           jmp 00593EC9
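The code above checks whether the file msdos exists on drive C (the content of this file is in fact the registration code). If it does, the file is opened and its content is read. The VB code is probably as follows:
MsdosFile$ = "c:\Msdos"
' Dir returns an empty string when the file does not exist
If Dir(MsdosFile$) <> "" Then
    Open MsdosFile$ For Input As #1
    Line Input #1, RegCode1$
    Close #1
    ' 7 = read-only + hidden + system
    SetAttr MsdosFile$, vbReadOnly + vbHidden + vbSystem
Else
    ' Show the dialog that asks for the software serial number and registration code
End If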
:00593EC9 DD45B4               fld qword ptr [ebp-4C]
* Reference To: MSVBVM50.__vbaFpI4, Ord:0000h
|
:00593ECC 8B3544D45D00         mov esi, dword ptr [005DD444]
:00593ED2 FFD6                 call esi
:00593ED4 99                   cdq
:00593ED5 B905000000           mov ecx, 00000005
:00593EDA F7F9                 idiv ecx
:00593EDC 83FA04               cmp edx, 00000004
:00593EDF 0F8768280000         ja 0059674D
:00593EE5 FF249594695900       jmp dword ptr [4*edx+00596994] ====> jumps to 593EEC, 594661, 594DD6, 5955D6, 595DD6
:00593EEC DD45B4               fld qword ptr [ebp-4C]
:00593EEF FFD6                 call esi
* Possible StringData Ref from Code Obj ->"4412345"
|
:00593EF1 6868EF4100           push 0041EF68
:00593EF6 8BD8                 mov ebx, eax
* Reference To: MSVBVM50.__vbaI4Str, Ord:0000h
|
:00593EF8 FF15ECD35D00         Call dword ptr [005DD3EC] ====> convert to character format
:00593EFE 33D8                 xor ebx, eax ====> XOR with 412345
:00593F00 53                   push ebx
* Reference To: MSVBVM50.__vbaStrI4, Ord:0000h
|
:00593F01 FF1574D25D00         Call dword ptr [005DD274]
:00593F07 8BD0                 mov edx, eax
:00593F09 8D4DA0               lea ecx, dword ptr [ebp-60]
:00593F0C FFD7                 call edi
:00593F0E DD0528354000         fld qword ptr [00403528] ====> the value at [00403528] is 99999
:00593F14 DC65B4               fsub qword ptr [ebp-4C] ====> 99999-VeriCode
:00593F17 50                   push eax
:00593F18 DFE0                 fstsw ax
:00593F1A A80D                 test al, 0D
:00593F1C 0F85862A0000         jne 005969A8
:00593F22 FFD6                 call esi
* Possible StringData Ref from Code Obj ->"2238745"
|
:00593F24 687CEF4100           push 0041EF7C
:00593F29 8BD8                 mov ebx, eax
* Reference To: MSVBVM50.__vbaI4Str, Ord:0000h
|
:00593F2B FF15ECD35D00         Call dword ptr [005DD3EC]
:00593F31 33D8                 xor ebx, eax ====> XOR with 238745
:00593F33 53                   push ebx
* Reference To: MSVBVM50.__vbaStrI4, Ord:0000h
|
:00593F34 FF1574D25D00         Call dword ptr [005DD274]
:00593F3A 8BD0                 mov edx, eax
:00593F3C 8D4D9C               lea ecx, dword ptr [ebp-64]
:00593F3F FFD7                 call edi
* Reference To: MSVBVM50.__vbaStrCat, Ord:0000h
|
:00593F41 8B1DC0D25D00         mov ebx, dword ptr [005DD2C0]
:00593F47 50                   push eax
:00593F48 FFD3                 call ebx ====> concatenate the two results
:00593F4A 8D5584               lea edx, dword ptr [ebp-7C]
:00593F4D 89856CFFFFFF         mov dword ptr [ebp+FFFFFF6C], eax
:00593F53 52                   push edx
:00593F54 8D45CC               lea eax, dword ptr [ebp-34]
:00593F57 6A02                 push 00000002
:00593F59 8D8D74FFFFFF         lea ecx, dword ptr [ebp+FFFFFF74]
:00593F5F 50                   push eax
:00593F60 51                   push ecx
:00593F61 C78564FFFFFF08800000 mov dword ptr [ebp+FFFFFF64], 00008008
:00593F6B C7458C0C000000       mov [ebp-74], 0000000C
:00593F72 C7458402000000       mov [ebp-7C], 00000002
* Reference To: MSVBVM50.rtcMidCharVar, Ord:0278h
|
:00593F79 FF1530D35D00         Call dword ptr [005DD330] ====> read 12 (0Ch) registration-code characters starting from the 2nd character
:00593F7F 8D9564FFFFFF         lea edx, dword ptr [ebp+FFFFFF64] ====> address of the characters just read
:00593F85 8D8574FFFFFF         lea eax, dword ptr [ebp+FFFFFF74] ====> address of the result of the two XOR operations
:00593F8B 52                   push edx
:00593F8C 50                   push eax
* Reference To: MSVBVM50.__vbaVarTstEq, Ord:0000h
|
:00593F8D FF154CD35D00         Call dword ptr [005DD34C] ====> string comparison
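The listing above consists of two pieces of code. The first takes the check code modulo 5 and performs a different calculation depending on the remainder. The second is the calculation for a remainder of 0; the other four are similar and are not repeated here. The VB code is probably as follows:
' CLng rather than CInt: the check code can exceed 32767 (the binary calls __vbaFpI4)
TestCode = CLng(VeriCode) Mod 5
Select Case TestCode
Case 0
    ' Integer XOR, each result converted to a string, then concatenated (__vbaStrCat)
    RegCode2$ = CStr(CLng(VeriCode) Xor CLng("412345")) & CStr(CLng(99999 - VeriCode) Xor CLng("238745"))
    RegCode1$ = Mid(RegCode1$, 2, 12)
    If RegCode1$ = RegCode2$ Then
        MsgBox "註冊成功!", vbOKOnly ' "Registration succeeded!"
        GoTo NormalExecution ' placeholder label: normal program execution continues here
    Else
        MsgBox "註冊失敗!", vbOKOnly ' "Registration failed!"
        End
    End If
Case 1
    RegCode2$ = CStr(CLng(VeriCode) Xor CLng("235678")) & CStr(CLng(99999 - VeriCode) Xor CLng("338762"))
    RegCode1$ = Mid(RegCode1$, 2, 12)
    If RegCode1$ = RegCode2$ Then
        MsgBox "註冊成功!", vbOKOnly ' "Registration succeeded!"
        GoTo NormalExecution
    Else
        MsgBox "註冊失敗!", vbOKOnly ' "Registration failed!"
        End
    End If
Case 2
    RegCode2$ = CStr(CLng(VeriCode) Xor CLng("897363")) & CStr(CLng(99999 - VeriCode) Xor CLng("283954"))
    RegCode1$ = Mid(RegCode1$, 2, 12)
    If RegCode1$ = RegCode2$ Then
        MsgBox "註冊成功!", vbOKOnly ' "Registration succeeded!"
        GoTo NormalExecution
    Else
        MsgBox "註冊失敗!", vbOKOnly ' "Registration failed!"
        End
    End If
Case 3
    RegCode2$ = CStr(CLng(VeriCode) Xor CLng("236738")) & CStr(CLng(99999 - VeriCode) Xor CLng("458902"))
    RegCode1$ = Mid(RegCode1$, 2, 12)
    If RegCode1$ = RegCode2$ Then
        MsgBox "註冊成功!", vbOKOnly ' "Registration succeeded!"
        GoTo NormalExecution
    Else
        MsgBox "註冊失敗!", vbOKOnly ' "Registration failed!"
        End
    End If
Case 4
    RegCode2$ = CStr(CLng(VeriCode) Xor CLng("763218")) & CStr(CLng(99999 - VeriCode) Xor CLng("238958"))
    RegCode1$ = Mid(RegCode1$, 2, 12)
    If RegCode1$ = RegCode2$ Then
        MsgBox "註冊成功!", vbOKOnly ' "Registration succeeded!"
        GoTo NormalExecution
    Else
        MsgBox "註冊失敗!", vbOKOnly ' "Registration failed!"
        End
    End If
End Select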
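A keygen for this program is therefore not hard to write, because the software serial number, that is, its last 5 digits, is visible.
Let the last 5 digits be abcde.
Then the first 6 digits of the registration code are: fixed number 1 xor abcde
and the last 6 digits of the registration code are: fixed number 2 xor (99999-abcde)
This gives a 12-digit registration code in total. The keygen has been written and has passed testing.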