最近很忙,剛寫了一篇Uedit32 8.0破解過程(高手莫入)! (12千字)
Uedit32 8.0 破解過程
工具:
Sice4.5 W32dasm
如見採用key檔案保護方式,用bpx createfilea do " d esp->4 "下斷點,看到打
開的是檔案Uedit32.reg時下斷點bpx readfile.跟蹤讀寫的資料到下面程式。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00468D47(C)
|
:00468D57 E8AAAA0500 call 004C3806
:00468D5C 8B7004
mov esi, dword ptr [eax+04]
:00468D5F E8A2AA0500 call 004C3806
:00468D64 8B4004
mov eax, dword ptr [eax+04]
:00468D67 05E8030000 add eax,
000003E8 // eax指向輸入的使用者名稱
:00468D6C 50
push eax // 下斷點bpx eax
:00468D6D E80E910200 call 00491E80
:00468D72 59
pop ecx
:00468D73 C68430E803000020 mov byte ptr [eax+esi+000003E8],
20
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00468CA2(C), :00468CFB(C)
|
:00468D7B 8D4DE4
lea ecx, dword ptr [ebp-1C]
:00468D7E 885DFC
mov byte ptr [ebp-04], bl
:00468D81 E8942E0400 call 004ABC1A
:00468D86 834DFCFF or
dword ptr [ebp-04], FFFFFFFF
:00468D8A 8D4D10
lea ecx, dword ptr [ebp+10]
:00468D8D E8391D0400 call 004AAACB
:00468D92 33C0
xor eax, eax
:00468D94 EB12
jmp 00468DA8
按F5執行攔到後按F12從函式中返回
* Possible Reference to String Resource ID=00006: "Load Macro"
|
:00413847 6A06
push 00000006
:00413849 8065BF00 and
byte ptr [ebp-41], 00
:0041384D 80A547FFFFFF00 and byte ptr [ebp+FFFFFF47],
00
:00413854 59
pop ecx
:00413855 8D8570FFFFFF lea eax, dword
ptr [ebp+FFFFFF70]
:0041385B 50
push eax
:0041385C 8DBD70FFFFFF lea edi, dword
ptr [ebp+FFFFFF70]
:00413862 FF750C
push [ebp+0C]
:00413865 C68537FFFFFF30 mov byte ptr [ebp+FFFFFF37],
30
:0041386C F3
repz
:0041386D A5
movsd
:0041386E 80658700 and
byte ptr [ebp-79], 00
:00413872 C68577FFFFFF30 mov byte ptr [ebp+FFFFFF77],
30
:00413879 C6857CFFFFFF30 mov byte ptr [ebp+FFFFFF7C],
30
:00413880 C6458630 mov
[ebp-7A], 30
:00413884 C6853CFFFFFF30 mov byte ptr [ebp+FFFFFF3C],
30
:0041388B C68546FFFFFF30 mov byte ptr [ebp+FFFFFF46],
30
:00413892 E8A9FD0700 call 00493640
:00413897 59
pop ecx // 返回到這裡
:00413898 59
pop ecx
:00413899 5E
pop esi
:0041389A 85C0
test eax, eax
:0041389C 7523
jne 004138C1 //一定不等,跳轉
:0041389E 8D8570FFFFFF lea eax, dword
ptr [ebp+FFFFFF70]
:004138A4 50
push eax
:004138A5 FF750C
push [ebp+0C]
:004138A8 E893FD0700 call 00493640
:004138AD 59
pop ecx
:004138AE 85C0
test eax, eax
:004138B0 59
pop ecx
:004138B1 7554
jne 00413907
:004138B3 FF750C
push [ebp+0C]
:004138B6 E8C5E50700 call 00491E80
:004138BB 83F80C
cmp eax, 0000000C
:004138BE 59
pop ecx
:004138BF 7446
je 00413907
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041389C(C)
|
:004138C1 8D45B0
lea eax, dword ptr [ebp-50] //比較的值,不知是什麼
:004138C4 50
push eax
:004138C5 8D8570FFFFFF lea eax, dword
ptr [ebp+FFFFFF70] //輸入的註冊碼
:004138CB 50
push eax
:004138CC E86FFD0700 call 00493640
//作比較
:004138D1 59
pop ecx
:004138D2 85C0
test eax, eax //eax=1,比較不等
:004138D4 59
pop ecx
:004138D5 7429
je 00413900 //步跳轉
:004138D7 8D8530FFFFFF lea eax, dword
ptr [ebp+FFFFFF30] //真正的註冊碼
:004138DD 50
push eax
:004138DE 8D8570FFFFFF lea eax, dword
ptr [ebp+FFFFFF70] //輸入的註冊碼
:004138E4 50
push eax
:004138E5 E856FD0700 call 00493640
//比較
:004138EA 59
pop ecx
:004138EB 85C0
test eax, eax //如果相等eax=0
:004138ED 59
pop ecx
:004138EE 7410
je 00413900 //跳轉就OK了!
:004138F0 C705C04E500001000000 mov dword ptr [00504EC0], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00413659(C), :00413662(C), :0041367A(C)
|
:004138FA 33C0
xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041390A(U)
|
:004138FC 5F
pop edi
:004138FD 5B
pop ebx
:004138FE C9
leave
:004138FF C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004138D5(C), :004138EE(C)
|
:00413900 8325C04E500000 and dword ptr [00504EC0],
00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004138B1(C), :004138BF(C)
|
:00413907 6A01
push 00000001
:00413909 58
pop eax
:0041390A EBF0
jmp 004138FC
我的使用者名稱和註冊碼是:
Ultra Edit8.0 Name: floatsnow Sn: M2V3R-Q0N1J-08Z8W-G9B30
程式退出時對註冊碼的其中三位進行比較,下斷點bpx deletefilea攔住後
按F12返回主程式向上找跳轉。程式如下:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00468EAB(C)
|
:00468EB4 66813DF88E5000D007 cmp word ptr [00508EF8], 07D0
:00468EBD 0F8656010000 jbe 00469019
:00468EC3 66833DFA8E500001 cmp word ptr [00508EFA],
0001
:00468ECB 0F8648010000 jbe 00469019
:00468ED1 68D84D5000 push 00504DD8
:00468ED6 8D4DE4
lea ecx, dword ptr [ebp-1C]
:00468ED9 E862190400 call 004AA840
:00468EDE FF75E4
push [ebp-1C]
:00468EE1 895DFC
mov dword ptr [ebp-04], ebx
:00468EE4 E8978F0200 call 00491E80
:00468EE9 A1BC4E5000 mov eax,
dword ptr [00504EBC]
:00468EEE FF35CC4D5000 push dword ptr
[00504DCC]
:00468EF4 8945F0
mov dword ptr [ebp-10], eax
:00468EF7 E8848F0200 call 00491E80
:00468EFC 59
pop ecx
:00468EFD 83F80F
cmp eax, 0000000F
:00468F00 59
pop ecx
:00468F01 0F8206010000 jb 0046900D
:00468F07 391D9C8E5000 cmp dword ptr
[00508E9C], ebx
:00468F0D 0F85FA000000 jne 0046900D
:00468F13 391DA08E5000 cmp dword ptr
[00508EA0], ebx
:00468F19 0F84EE000000 je 0046900D
:00468F1F 0FB645F0 movzx
eax, byte ptr [ebp-10]
* Possible Reference to String Resource ID=00025: "Dos Command"
|
:00468F23 6A19
push 00000019
:00468F25 8B3DCC4D5000 mov edi, dword
ptr [00504DCC]
:00468F2B 99
cdq
:00468F2C 59
pop ecx
:00468F2D F7F9
idiv ecx
:00468F2F 0FBE4716 movsx
eax, byte ptr [edi+16] //取註冊碼最後一位
:00468F33 83C241
add edx, 00000041
:00468F36 3BC2
cmp eax, edx //和真正的值進行比較
:00468F38 7530
jne 00468F6A //不等就跳,刪除檔案
:00468F3A 0FB645F0 movzx
eax, byte ptr [ebp-10]
* Possible Reference to String Resource ID=00009: "
This copy of UltraEdit-32 is licensed to :
"
|
:00468F3E 6A09
push 00000009
:00468F40 99
cdq
:00468F41 59
pop ecx
:00468F42 F7F9
idiv ecx
:00468F44 0FBE4707 movsx
eax, byte ptr [edi+07] //取註冊碼第7位
:00468F48 83C230
add edx, 00000030
:00468F4B 3BC2
cmp eax, edx //比較
:00468F4D 751B
jne 00468F6A //不等跳到刪除檔案
:00468F4F 0FB645F0 movzx
eax, byte ptr [ebp-10]
:00468F53 8A4F0C
mov cl, byte ptr [edi+0C] //取註冊碼第12位
* Possible Reference to String Resource ID=00013: "Mod: "
|
:00468F56 6A0D
push 0000000D
:00468F58 99
cdq
:00468F59 5F
pop edi
:00468F5A F7FF
idiv edi
:00468F5C 0FBEC1
movsx eax, cl //註冊碼第12位給eax
:00468F5F 83C241
add edx, 00000041
:00468F62 3BC2
cmp eax, edx //比較
:00468F64 0F84A3000000 je 0046900D
//不等繼續執行,刪除檔案
//相等則跳轉
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00468F38(C), :00468F4D(C)
|
:00468F6A 891DA08E5000 mov dword ptr
[00508EA0], ebx
:00468F70 E891A80500 call 004C3806
:00468F75 8B4004
mov eax, dword ptr [eax+04]
:00468F78 8D4DF0
lea ecx, dword ptr [ebp-10]
:00468F7B FFB08C000000 push dword ptr
[eax+0000008C]
:00468F81 E8B31B0400 call 004AAB39
:00468F86 8B45F0
mov eax, dword ptr [ebp-10]
:00468F89 8D4DF0
lea ecx, dword ptr [ebp-10]
:00468F8C C645FC01 mov
[ebp-04], 01
:00468F90 8B40F8
mov eax, dword ptr [eax-08]
:00468F93 83C0FD
add eax, FFFFFFFD
:00468F96 50
push eax
:00468F97 8D45E0
lea eax, dword ptr [ebp-20]
:00468F9A 50
push eax
:00468F9B E8309B0300 call 004A2AD0
* Possible StringData Ref from Data Obj ->"REG"
|
:00468FA0 68E0B24F00 push 004FB2E0
:00468FA5 50
push eax
:00468FA6 8D45DC
lea eax, dword ptr [ebp-24]
:00468FA9 C645FC02 mov
[ebp-04], 02
:00468FAD 50
push eax
:00468FAE E8611D0400 call 004AAD14
:00468FB3 50
push eax
:00468FB4 8D4DF0
lea ecx, dword ptr [ebp-10]
:00468FB7 C645FC03 mov
[ebp-04], 03
:00468FBB E8F81B0400 call 004AABB8
:00468FC0 8D4DDC
lea ecx, dword ptr [ebp-24]
:00468FC3 C645FC02 mov
[ebp-04], 02
:00468FC7 E8FF1A0400 call 004AAACB
:00468FCC 8D4DE0
lea ecx, dword ptr [ebp-20]
:00468FCF C645FC01 mov
[ebp-04], 01
:00468FD3 E8F31A0400 call 004AAACB
* Possible Reference to Dialog: DialogID_0080
|
* Possible Reference to Dialog: DialogID_006E, CONTROL_ID:0080, "Details for
registration can be found in"
|
* Possible Reference to String Resource ID=00128: "Lines containing find string:"
|
:00468FD8 6880000000 push 00000080
:00468FDD FF75F0
push [ebp-10]
* Reference To: KERNEL32.SetFileAttributesA, Ord:0268h
|
:00468FE0 FF1544434D00 Call dword ptr
[004D4344]
:00468FE6 FF75F0
push [ebp-10]
* Reference To: KERNEL32.DeleteFileA, Ord:0057h
// 呼叫deletefilea刪除檔案Uedit32.reg
:00468FE9 FF1520434D00 Call dword ptr
[004D4320]
:00468FEF A1D48E5000 mov eax,
dword ptr [00508ED4]
:00468FF4 8D4DF0
lea ecx, dword ptr [ebp-10]
:00468FF7 83C0D2
add eax, FFFFFFD2
:00468FFA 885DFC
mov byte ptr [ebp-04], bl
:00468FFD A3E08E5000 mov dword
ptr [00508EE0], eax
:00469002 899E820D0000 mov dword ptr
[esi+00000D82], ebx
:00469008 E8BE1A0400 call 004AAACB
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00468F01(C), :00468F0D(C), :00468F19(C), :00468F64(C)
|
:0046900D 834DFCFF or
dword ptr [ebp-04], FFFFFFFF
:00469011 8D4DE4
lea ecx, dword ptr [ebp-1C]
:00469014 E8B21A0400 call 004AAACB
破解完成,整理註冊碼為:
Ultra Edit8.0 Name: floatsnow Sn: M2V3R-Q0N1J-E8Z8W-G9B3A
千萬不要用我的呀!!!!!!!