UltraEdit-32 8.10.1.0的破解及序號產生器的生成
1、這個軟體的序號產生器網上早就有了,我寫這篇教程主要是用來交流。希望起到拋磚引玉的功效^O^
2、下載:http://www.ultraedit.com/
3、破解必備工具:TRW2000或者SoftICE,W32Dasm,大腦:)
4、因為這個程式沒有加殼,所以有1M多。未註冊版好像有個時間限制,Hmmm我對去除時間限制不感興趣,我要的是序號產生器。這個程式註冊後會在主程式目錄下生成一個與主程式同名的*.reg的檔案。Ok, Let's go!
5、先在Help選單下找到Register UltraEdit-32,點選會彈出一個對話方塊。填入你的大名,還有註冊碼。我用,CoolBob,12345-54321-67890-09876。為什麼知道註冊碼是這個格式呢,因為我跟蹤過。你也可以在記憶體中看到這個格式。這裡就不羅嗦了。填好後,點選OK按鈕。呼啦一下,那個目錄下多出來一個檔案,這個檔名跟主程式的名字一樣,副檔名為reg。嘿嘿,這個時候可以猜想這個檔案就是它的keyfile,程式啟動的時候肯定會去檢驗的,下什麼斷點呢?試試Bpx
readfile do "d esp-100",用Symbol Loader裝載UltraEdit-32。按幾次F5你會在SoftICE的資料視窗看到C:\Program
Files\UltraEdit\UEDIT32.reg字樣,這個時候就要小心跟蹤了,F12跳出來。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00468949(C)
|
:00468925 8A8C3579FDFFFF mov cl, byte ptr
[ebp+esi-00000287]
:0046892C 8A843578FDFFFF mov al, byte ptr
[ebp+esi-00000288]
:00468933 FEC9
dec cl
:00468935 FEC8
dec al
:00468937 888C357CFEFFFF mov byte ptr [ebp+esi-00000184],
cl
:0046893E 8884357DFEFFFF mov byte ptr [ebp+esi-00000183],
al
:00468945 46
inc esi
:00468946 46
inc esi
:00468947 3BF7
cmp esi, edi
:00468949 7EDA
jle 00468925
:0046894B 8D857CFEFFFF lea eax, dword
ptr [ebp+FFFFFE7C]
在這裡把UEDIT32.reg裡的資料解碼,現在下d eax呵呵,看到什麼了?
接下來就簡單了,bpr 上面的那段資料。再F5讓SoftICE盡情狂奔,一步一步跟到這裡
:004136AE 0FBE740DAF movsx esi,
byte ptr [ebp+ecx-51]
:004136B3 0FBE7C0DB1 movsx edi,
byte ptr [ebp+ecx-4F]
:004136B8 46
inc esi
:004136B9 0FAFF7
imul esi, edi
:004136BC 03F1
add esi, ecx
:004136BE 0175FC
add dword ptr [ebp-04], esi
:004136C1 41
inc ecx
:004136C2 3BC8
cmp ecx, eax
:004136C4 7CE8
jl 004136AE
把你的名字經過一番運算,後儲存在ebp-04這個地方,看看ebp-04上面來頭,下Bpm ebp-04.接下來的運算還真變態,看看吧
:004136C6 33FF
xor edi, edi
:004136C8 8955F8
mov dword ptr [ebp-08], edx
:004136CB 8D45B0
lea eax, dword ptr [ebp-50]
:004136CE 33C9
xor ecx, ecx
:004136D0 2945F8
sub dword ptr [ebp-08], eax
:004136D3 897D10
mov dword ptr [ebp+10], edi
:004136D6 891D8C3E5000 mov dword ptr
[00503E8C], ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004137C9(C)
|
:004136DC 8B45F8
mov eax, dword ptr [ebp-08]
:004136DF 8D740DB0 lea
esi, dword ptr [ebp+ecx-50]
:004136E3 03C6
add eax, esi
:004136E5 83F83C
cmp eax, 0000003C
:004136E8 7D42
jge 0041372C
:004136EA 8BC1
mov eax, ecx
* Possible Reference to Dialog: DialogID_0604, CONTROL_ID:0004, "Replace All"
|
* Possible Reference to String Resource ID=00004: "*.MAC"
|
:004136EC 6A04
push 00000004//注意這些數字
:004136EE 99
cdq
:004136EF 5F
pop edi
:004136F0 F7FF
idiv edi
:004136F2 8BC1
mov eax, ecx
* Possible Reference to Dialog: DialogID_0605, CONTROL_ID:0020, ""
|
* Possible Reference to String Resource ID=00032: "
Any changes will be lost and the file deleted!"
|
:004136F4 6A20
push 00000020//注意這些數字
:004136F6 5B
pop ebx
* Possible Reference to String Resource ID=00059: "Select File to Compare"
|
:004136F7 6A3B
push 0000003B//注意這些數字
:004136F9 8BFA
mov edi, edx
:004136FB 99
cdq
:004136FC F7FB
idiv ebx
:004136FE 8BC2
mov eax, edx
:00413700 99
cdq
:00413701 2BC2
sub eax, edx
:00413703 8B14BD00A04F00 mov edx, dword ptr
[4*edi+004FA000]//CRC
:0041370A D1F8
sar eax, 1
:0041370C 5F
pop edi
:0041370D 0FB60402 movzx
eax, byte ptr [edx+eax]//取一些資料來
:00413711 8AD1
mov dl, cl
:00413713 0255FC
add dl, byte ptr [ebp-04]
:00413716 0FB6D2
movzx edx, dl
:00413719 33C2
xor eax, edx
:0041371B 99
cdq
:0041371C F7FF
idiv edi
:0041371E 8B7D10
mov edi, dword ptr [ebp+10]
:00413721 8A4415B0 mov
al, byte ptr [ebp+edx-50]
:00413725 02C1
add al, cl
:00413727 324601
xor al, byte ptr [esi+01]
:0041372A 8806
mov byte ptr [esi], al//儲存al的值,後面有用
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004136E8(C)
|
:0041372C 83FF3C
cmp edi, 0000003C
:0041372F 7D71
jge 004137A2
:00413731 8BC1
mov eax, ecx
* Possible Reference to String Resource ID=00005: "ULTRAEDT.MAC"
|
:00413733 6A05
push 00000005//注意這些數字,無非就是整除、求餘
:00413735 99
cdq
:00413736 5B
pop ebx
:00413737 F7FB
idiv ebx
:00413739 8BDA
mov ebx, edx
:0041373B 85DB
test ebx, ebx//ebx=0,dl=esi%1a+0x41
:0041373D 895DF0
mov dword ptr [ebp-10], ebx
:00413740 740A
je 0041374C
:00413742 83FB02
cmp ebx, 00000002//和ebx=0一樣的運算
:00413745 7405
je 0041374C
:00413747 83FB04
cmp ebx, 00000004//和ebx=0一樣的運算
:0041374A 751A
jne 00413766
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00413740(C), :00413745(C)
|
:0041374C 0FB606
movzx eax, byte ptr [esi]
* Possible Reference to String Resource ID=00026: "Run Windows Program"
|
:0041374F 6A1A
push 0000001A
:00413751 99
cdq
:00413752 5B
pop ebx
:00413753 F7FB
idiv ebx
:00413755 8B5DF0
mov ebx, dword ptr [ebp-10]
:00413758 80C241
add dl, 41
:0041375B 88943D30FFFFFF mov byte ptr [ebp+edi-000000D0],
dl//這裡存放註冊碼
:00413762 47
inc edi
:00413763 897D10
mov dword ptr [ebp+10], edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041374A(C)
|
:00413766 83FF3C
cmp edi, 0000003C
:00413769 7D37
jge 004137A2
:0041376B 83FB01
cmp ebx, 00000001//ebx=1,3時,dl=esi%0xa+0x30
:0041376E 7405
je 00413775
:00413770 83FB03
cmp ebx, 00000003
:00413773 7517
jne 0041378C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041376E(C)
|
:00413775 0FB606
movzx eax, byte ptr [esi]
* Possible Reference to String Resource ID=00010: "
Thank you for supporting Shareware."
|
:00413778 6A0A
push 0000000A
:0041377A 99
cdq
:0041377B 5E
pop esi
:0041377C F7FE
idiv esi
:0041377E 80C230
add dl, 30
:00413781 88943D30FFFFFF mov byte ptr [ebp+edi-000000D0],
dl//這裡存放註冊碼
:00413788 47
inc edi
:00413789 897D10
mov dword ptr [ebp+10], edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413773(C)
|
:0041378C 83FF3C
cmp edi, 0000003C
:0041378F 7D11
jge 004137A2
:00413791 83FB04
cmp ebx, 00000004
:00413794 750C
jne 004137A2
:00413796 C6843D30FFFFFF2D mov byte ptr [ebp+edi-000000D0],
2D//插入‘-’
:0041379E 47
inc edi
:0041379F 897D10
mov dword ptr [ebp+10], edi
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041372F(C), :00413769(C), :0041378F(C), :00413794(C)
|
:004137A2 85C9
test ecx, ecx
:004137A4 7E1F
jle 004137C5
:004137A6 3B4DF4
cmp ecx, dword ptr [ebp-0C]//ebp-0C裡儲存的是name的位數
:004137A9 7D1A
jge 004137C5
:004137AB 3B7DF4
cmp edi, dword ptr [ebp-0C]
:004137AE 7D15
jge 004137C5
:004137B0 8B4508
mov eax, dword ptr [ebp+08]
:004137B3 0FBE5401FF movsx edx,
byte ptr [ecx+eax-01]//這裡要注意
:004137B8 0FBE0407 movsx
eax, byte ptr [edi+eax]//把你的名字再次運算
:004137BC 0FAFD0
imul edx, eax
:004137BF 01158C3E5000 add dword ptr
[00503E8C], edx//儲存在這裡
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004137A4(C), :004137A9(C), :004137AE(C)
|
:004137C5 41
inc ecx
:004137C6 83F93C
cmp ecx, 0000003C
:004137C9 0F8C0DFFFFFF jl 004136DC
很明顯上面是一個巢狀迴圈,我第一次在這裡找到了一個註冊碼,然後急忙bd*離開SoftICE;到程式中一註冊關閉程式驗證,沒有提示框,並且help選單的about裡也顯示註冊成功,呵呵,這麼快就搞定了?當我關掉程式後,發現那個UEDIT.reg被刪除了,昏~,程式中肯定還有其他的地方比較註冊碼,並且呼叫Deletefilea等api來刪掉檔案,很好的突破口!用剛才的註冊碼再註冊一次,跑到SoftICE裡下,Bpx
Deletefilea.然後關掉程式
Hmmm,又來到SoftICE裡,F12跳出來,向上找找看,有沒有運算比較跳躍的地方,這裡很嗆眼
:00468B64 A18C3E5000 mov eax,
dword ptr [00503E8C]//這個00503E8C還記得嗎?
:00468B69 FF35983D5000 push dword ptr
[00503D98]
:00468B6F 8945F0
mov dword ptr [ebp-10], eax
:00468B72 E8F98E0200 call 00491A70
:00468B77 59
pop ecx
:00468B78 83F80F
cmp eax, 0000000F
:00468B7B 59
pop ecx
:00468B7C 0F8206010000 jb 00468C88
:00468B82 391D6C7E5000 cmp dword ptr
[00507E6C], ebx
:00468B88 0F85FA000000 jne 00468C88
:00468B8E 391D707E5000 cmp dword ptr
[00507E70], ebx
:00468B94 0F84EE000000 je 00468C88
:00468B9A 0FB645F0 movzx
eax, byte ptr [ebp-10]//取出的是上面第二次name運算值
* Possible Reference to String Resource ID=00025: "Dos Command"
|
:00468B9E 6A19
push 00000019//這裡就很嗆眼
:00468BA0 8B3D983D5000 mov edi, dword
ptr [00503D98]
:00468BA6 99
cdq
:00468BA7 59
pop ecx
:00468BA8 F7F9
idiv ecx
:00468BAA 0FBE4716 movsx
eax, byte ptr [edi+16]//我們輸入註冊碼的第23位
:00468BAE 83C241
add edx, 00000041
:00468BB1 3BC2
cmp eax, edx
:00468BB3 7530
jne 00468BE5
:00468BB5 0FB645F0 movzx
eax, byte ptr [ebp-10]
* Possible Reference to String Resource ID=00009: "
This copy of UltraEdit-32 is licensed to :
"
|
:00468BB9 6A09
push 00000009//還有
:00468BBB 99
cdq
:00468BBC 59
pop ecx
:00468BBD F7F9
idiv ecx
:00468BBF 0FBE4707 movsx
eax, byte ptr [edi+07]//我們輸入註冊碼的第8位
:00468BC3 83C230
add edx, 00000030
:00468BC6 3BC2
cmp eax, edx
:00468BC8 751B
jne 00468BE5
:00468BCA 0FB645F0 movzx
eax, byte ptr [ebp-10]
:00468BCE 8A4F0C
mov cl, byte ptr [edi+0C]//我們輸入註冊碼的第13位
* Possible Reference to String Resource ID=00013: "Mod: "
|
:00468BD1 6A0D
push 0000000D//第三個
:00468BD3 99
cdq
:00468BD4 5F
pop edi
:00468BD5 F7FF
idiv edi
:00468BD7 0FBEC1
movsx eax, cl
:00468BDA 83C241
add edx, 00000041
:00468BDD 3BC2
cmp eax, edx
:00468BDF 0F84A3000000 je 00468C88
總算搞明白了,呵呵,就是把
:004137BF 01158C3E5000 add dword ptr
[00503E8C], edx//儲存在這裡
這裡儲存的數值取出來經過三次運算:1、edi%0x19+0x41與byte ptr [edi+16]比較
2、eax%0x9+0x30與byte ptr [edi+07]比較
3、eax%0xD+0x41與byte ptr [edi+0C]比較
有一個不相等,嘿嘿,就把那個*.reg刪掉!
到這裡序號產生器應該不難做了:)
6、序號產生器
----------------start here----------------------
#include <stdio.h>
/*
 * Console program: reads a name from stdin and prints a 23-character,
 * dash-separated code computed from it (see the banner string below).
 *
 * NOTE(review) memory-safety and portability issues in this listing:
 *  - scanf("%s") has no field width, so input of 60 or more non-blank
 *    characters writes past name[60]; its return value is not checked,
 *    so a failed read leaves name[] uninitialized before strlen().
 *  - code[] has 23 elements but code[23] is written as the terminator,
 *    one byte past the end; the printed string needs 24 bytes.
 *  - strlen() and getch() are called with only <stdio.h> included;
 *    getch() is not standard C.
 *  - main() relies on implicit int and has no return statement; nm is
 *    never used.
 *  - Plain char signedness is implementation-defined, so results for
 *    input bytes >= 0x80 can differ between compilers.
 */
main()
{ int i,n,nm=0;
int j=0;
int k=0;                /* next write position in code[] */
int ebp_04=0;int ebp_08=0;  /* two accumulators over name[], each masked to 8 bits below */
int esi;
char code[23];          /* valid indices 0..22; see the out-of-bounds write near the end */
char name[60];          /* input buffer, later reused in place as a work buffer */
/* Four 16-byte constant tables; the main loop picks one by i%4 and indexes it with i/2 (0..9). */
unsigned char a0[]={0x2f,0,0xde,0,0x43,0,0xa5,0,0xd8,0,0xef,0,0x8e,0,0x66,0};
unsigned char a1[]={0x38,0,0x8f,0,0x65,0,0x5a,0,0xd3,0,0x1f,0,0x78,0,0x6f,0};
unsigned char a2[]={0,0x1f,0,0xcb,0,0x98,0,0xf3,0,0x10,0,0xf1,0,0xa5,0,0x2f};
unsigned char a3[]={0,0x73,0,0x34,0,0x77,0,0x33,0,0xfe,0,0xe0,0,0x73,0,0x78};
printf("UltraEdit-32 8.10.1.0 keymaker by CoolBob[CCG],written at 2001-5-15\n");
printf("\nyour name(at least 6 numbers and not exceed 60):");
/* Unbounded read: nothing limits the input to the 60 bytes of name[].
   %s also stops at the first whitespace, so a name containing a space is cut short. */
scanf("%s",name);
n=strlen(name);
/* First accumulator: sum of name[i-1]*name[j], where j runs one ahead of i
   and takes an extra step whenever i%5==4. Both indices stay below n. */
for (i=1,j=2;(i<n)&&(j<n);i++,j++){
if((i%5==4)&&(i>0)) j++;
ebp_08=ebp_08+name[i-1]*name[j];};
ebp_08=ebp_08&0x00ff;   /* keep only the low byte */
/* Second accumulator: the last iteration (i == n-2) reads name[n], the NUL terminator. */
for (i=0;i<n-1;i++) {
ebp_04=ebp_04+(name[i]+1)*name[i+2]+i;
};
ebp_04=ebp_04&0x00ff;   /* keep only the low byte */
name[strlen(name)]=0;   /* no effect: this position already holds the terminator */
/* Fill the rest of name[] (indices n+1 .. 0x3b) with each index's own value,
   so the table-driven reads below never touch uninitialized bytes. */
for (i=strlen(name)+1;i<0x3c;i++){name[i]=i;};
/* Main loop, 20 rounds. The four branches differ only in the table used.
   Each round: derive an index 0..0x3a into name[], combine that byte with i
   and name[i+1], store the result back into name[i] (truncated to char), then
   map the untruncated int to 'A'..'Z' when i%5 is 0, 2 or 4 and to '0'..'9'
   otherwise. NOTE(review): if esi is negative (possible when plain char is
   signed), % yields a negative remainder and the mapped character falls
   outside those ranges. */
for (i=0;i<20;i++){
if(i%4==0){
esi=(a0[i/2]^((i+ebp_04)&0x00ff))%0x3b;
esi=name[esi]+i;
esi=esi^name[i+1];
name[i]=esi;
if ((i%5==0)||(i%5==2)||(i%5==4)) esi=esi%0x1a+0x41;
else esi=esi%0xa+0x30;
};
if(i%4==1){
esi=(a1[i/2]^((i+ebp_04)&0x00ff))%0x3b;
esi=name[esi]+i;
esi=esi^name[i+1];
name[i]=esi;
if ((i%5==0)||(i%5==2)||(i%5==4)) esi=esi%0x1a+0x41;
else esi=esi%0xa+0x30;
};
if(i%4==2){
esi=(a2[i/2]^((i+ebp_04)&0x00ff))%0x3b;
esi=name[esi]+i;
esi=esi^name[i+1];
name[i]=esi;
if ((i%5==0)||(i%5==2)||(i%5==4)) esi=esi%0x1a+0x41;
else esi=esi%0xa+0x30;
};
if(i%4==3){
esi=(a3[i/2]^((i+ebp_04)&0x00ff))%0x3b;
esi=name[esi]+i;
esi=esi^name[i+1];
name[i]=esi;
if ((i%5==0)||(i%5==2)||(i%5==4)) esi=esi%0x1a+0x41;
else esi=esi%0xa+0x30;
};
/* A '-' goes in before rounds 5, 10 and 15, so k ends at 23 (20 characters + 3 dashes). */
if((i%5==0)&&(i>0)) {code[k++]='-';} code[k++]=esi;
};
/* Three positions are then overwritten with values derived from the first accumulator. */
code[22]=ebp_08%0x19+0x41;
code[7]=ebp_08%0x9+0x30;
code[12]=ebp_08%0xd+0x41;
/* Out-of-bounds write: code[] is char[23], so index 23 is one past the last element. */
code[23]=0;
printf("code is: %s",code);
printf("\nPress any key to exit!\n");
getch();                /* non-standard console call, not declared by <stdio.h> */
}
-----------------end here-------------------------