VirTime HTMLock V1.4.0 破解之暴力篇 (7千字)
VirTime HTMLock V1.4.0 破解之暴力篇
作 者:PaulYoung
時 間:2001.05.05 凌晨
軟體簡介:幫助您建立基於 JavaScript 的密碼保護頁面
DOWNLOAD: http://www.inhua.com/down/htl.zip
破解工具:RegMon,TRW 2000 V1.03,HIEW V6.55
**************************************************************************************************************
今天下載了一個 VirTime HTMLock V1.4.0 ,本來想搞定它的註冊碼,可惜自己彙編水平有限,且現在已是夜深人靜了,無奈何,先暴力解決它,哪位大蝦有興趣再算算它的註冊碼吧。
(注:這個軟體註冊碼採用了實時檢驗模式,註冊碼不正確則 OK 鍵禁用。)
一、用 RegMon 監視,執行軟體,發覺它讀取如下兩個登錄檔鍵值:
HKLM\SOFTWARE\VirTime\HTL1.4.0\UserName SUCCESS "NOBODY"
(使用者名稱)
HKLM\SOFTWARE\VirTime\HTL1.4.0\RegKey SUCCESS "NOKEY"
(註冊碼)
我猜它是在啟動時讀取這兩個鍵值,並檢驗其正確與否,以此判斷是否為註冊版。後經我反彙編分析,證實了我的猜測(分析過程略)。
二、開啟 REGEDIT ,把這兩個鍵值分別改為 "PaulYoung" and "78787878"
三、用 TRW 2000 LOAD 此軟體,F10 單步分析,如下:
//******************** Program Entry Point ********
:004630EC 55
push ebp
:004630ED 8BEC
mov ebp, esp
:004630EF 83C4F4
add esp, FFFFFFF4
:004630F2 B8642F4600 mov eax,
00462F64
:004630F7 E8042FFAFF call 00406000
:004630FC A138574600 mov eax,
dword ptr [00465738]
:00463101 8B00
mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"HTMLock"
|
:00463103 BA6C314600 mov edx,
0046316C
:00463108 E81B18FEFF call 00444928
:0046310D E896DEFFFF call 00460FA8
//好面善哦,F8 跟進看一看
:00463112 84C0
test al, al
:00463114 7446
je 0046315C
***************
* Referenced by a CALL at Address:
|:0046310D
|
:00460FA8 55
push ebp
:00460FA9 8BEC
mov ebp, esp
:00460FAB 6A00
push 00000000
:00460FAD 6A00
push 00000000
:00460FAF 6A00
push 00000000
...
F10直到
...
:0046102A B9C8104600 mov ecx,
004610C8
:0046102F 8B15E8684600 mov edx, dword
ptr [004668E8]
:00461035 E85E2CFAFF call 00403C98
:0046103A C605F068460000 mov byte ptr [004668F0],
00
:00461041 C6050869460000 mov byte ptr [00466908],
00
:00461048 E87FFDFFFF call 00460DCC
:0046104D 8B15F4684600 mov edx, dword
ptr [004668F4]
:00461053 A1F8684600 mov eax,
dword ptr [004668F8]
:00461058 E827EBFFFF call 0045FB84
//D EAX=假註冊碼(F8 跟進看一看)
********
* Referenced by a CALL at Addresses:
|:004609C3 , :00460A3F , :00460C82 , :00461058
|
:0045FB84 55
push ebp
:0045FB85 8BEC
mov ebp, esp
:0045FB87 83C4F8
add esp, FFFFFFF8
:0045FB8A 53
push ebx
:0045FB8B 56
push esi
:0045FB8C 33C9
xor ecx, ecx
:0045FB8E 894DF8
mov dword ptr [ebp-08], ecx
:0045FB91 8BDA
mov ebx, edx
:0045FB93 8BF0
mov esi, eax
:0045FB95 33C0
xor eax, eax
:0045FB97 55
push ebp
:0045FB98 681EFC4500 push 0045FC1E
:0045FB9D 64FF30
push dword ptr fs:[eax]
:0045FBA0 648920
mov dword ptr fs:[eax], esp
:0045FBA3 C645FF00 mov
[ebp-01], 00
:0045FBA7 8BC3
mov eax, ebx
:0045FBA9 E89E40FAFF call 00403C4C
:0045FBAE 83F802
cmp eax, 00000002
:0045FBB1 7C55
jl 0045FC08
:0045FBB3 8BC6
mov eax, esi
:0045FBB5 E89240FAFF call 00403C4C
:0045FBBA 83F824
cmp eax, 00000024 //註冊碼長度是否達到 36 位(0x24 = 36;下一條 jl 表示不足 36 位即判定失敗)
:0045FBBD 7C49
jl 0045FC08 //9090 NOP 掉(@ Offset
0005EFBDh)
:0045FBBF 33DB
xor ebx, ebx
:0045FBC1 8BC6
mov eax, esi
:0045FBC3 E88440FAFF call 00403C4C
:0045FBC8 83E802
sub eax, 00000002
:0045FBCB 85C0
test eax, eax
:0045FBCD 7E0F
jle 0045FBDE
:0045FBCF BA01000000 mov edx,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045FBDC(C)
|
:0045FBD4 8A4C16FF mov
cl, byte ptr [esi+edx-01]
:0045FBD8 02D9
add bl, cl
:0045FBDA 42
inc edx
:0045FBDB 48
dec eax
:0045FBDC 75F6
jne 0045FBD4 (跟蹤時要下 r fl z ,否則不能跟下去)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045FBCD(C)
|
:0045FBDE 33C0
xor eax, eax
:0045FBE0 8AC3
mov al, bl
:0045FBE2 33D2
xor edx, edx
:0045FBE4 52
push edx
:0045FBE5 50
push eax
:0045FBE6 8D45F8
lea eax, dword ptr [ebp-08]
:0045FBE9 E85AFEFFFF call 0045FA48
:0045FBEE 8B45F8
mov eax, dword ptr [ebp-08]
:0045FBF1 8A400E
mov al, byte ptr [eax+0E]
:0045FBF4 3A4622
cmp al, byte ptr [esi+22] //比較第35位(比較是否為 "i" )
:0045FBF7 750F
jne 0045FC08 //750F改為740F (@ Offset 0005EFF7h)
:0045FBF9 8B45F8
mov eax, dword ptr [ebp-08]
:0045FBFC 8A400F
mov al, byte ptr [eax+0F]
:0045FBFF 3A4623
cmp al, byte ptr [esi+23] //比較第36位(比較是否為"D" )
:0045FC02 7504
jne 0045FC08 //7504改為7404 (@ Offset
5F002h)
:0045FC04 C645FF01 mov
[ebp-01], 01 //程式走到這裡就可以註冊成功了
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045FBB1(C), :0045FBBD(C), :0045FBF7(C), :0045FC02(C)
|
:0045FC08 33C0
xor eax, eax
:0045FC0A 5A
pop edx
*****
:0046312E E8BDDAFFFF call 00460BF0
:00463133 84C0
test al, al
:00463135 7514
jne 0046314B
:00463137 8B1570554600 mov edx, dword
ptr [00465570]
:0046313D 8B12
mov edx, dword ptr [edx]
:0046313F A170554600 mov eax,
dword ptr [00465570]
:00463144 8B00
mov eax, dword ptr [eax]
:00463146 E885F7FFFF call 004628D0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463135(C)
|
:0046314B A138574600 mov eax,
dword ptr [00465738]
:00463150 8B00
mov eax, dword ptr [eax]
:00463152 E8351CFEFF call 00444D8C
//彈出軟體執行介面
"This program is registered to PaulYoung.Thank you for useing this program."
YEAH!!!!!!!! zzzzZZZZZZZZ(你幹什麼?我想睡覺!!!!!:D )
由於小弟學習 Crack 沒幾天,且這個軟體我還未使用過,如有錯誤之處,望各位大俠指出,多謝多謝!!
**************************************************************************************************************
歡迎光臨我的網路小屋:
"Cracker 初體驗"
http://paulyoung.yeah.net