UltraEdit-32 8.10.1.0的破解及序號產生器的生成 (15千字)

UltraEdit-32 8.10.1.0的破解及序號產生器的生成
1、這個軟體的序號產生器網上早就有了，我寫這篇教程主要是用來交流。希望起到拋磚引玉的功效^O^
2、下載：http://www.ultraedit.com/
3、破解必備工具：TRW2000或者SoftICE，W32Dasm，大腦:)
4、因為這個程式沒有加殼，所以有1M多。未註冊版好像有個時間限制，Hmmm我對去除時間限制不感興趣，我要的是序號產生器。這個程式註冊後會在主程式目錄下生成一個與主程式同名的×.reg的檔案。Ok，Let's go!
5、先在Help選單下找到Register UltraEdit-32，點選會彈出一個對話方塊。填入你的大名，還有註冊碼。我用，CoolBob，12345－54321-67890-09876。為什麼知道註冊碼是這個格式呢，因為我跟蹤過。你也可以在記憶體中看到這個格式。這裡就不羅嗦了。填好後，點選OK按鈕。呼啦一下，那個目錄下多出來一個檔案，這個檔名跟主程式的名字一樣，副檔名為reg。嘿嘿，這個時候可以猜想這個檔案就是它的keyfile，程式啟動的時候肯定會去檢驗的，下什麼斷點呢？試試Bpx readfile do "d esp-100",用Symbol Loader裝載UltraEdit-32。按幾次F5你會在SoftICE的資料視窗看到C:\Program Files\UltraEdit\UEDIT32.reg字樣，這個時候就要小心跟蹤了，F12跳出來。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00468949(C)
|
:00468925 8A8C3579FDFFFF mov cl, byte ptr [ebp+esi-00000287]
:0046892C 8A843578FDFFFF mov al, byte ptr [ebp+esi-00000288]
:00468933 FEC9 dec cl
:00468935 FEC8 dec al
:00468937 888C357CFEFFFF mov byte ptr [ebp+esi-00000184], cl
:0046893E 8884357DFEFFFF mov byte ptr [ebp+esi-00000183], al
:00468945 46 inc esi
:00468946 46 inc esi
:00468947 3BF7 cmp esi, edi
:00468949 7EDA jle 00468925
:0046894B 8D857CFEFFFF lea eax, dword ptr [ebp+FFFFFE7C]
在這裡把UEDIT32.reg裡的資料解碼，現在下d eax呵呵，看到什麼了？
接下來就簡單了，bpr 上面的那段資料。再F5讓SoftICE盡情狂奔，一步一步跟到這裡
:004136AE 0FBE740DAF movsx esi, byte ptr [ebp+ecx-51]
:004136B3 0FBE7C0DB1 movsx edi, byte ptr [ebp+ecx-4F]
:004136B8 46 inc esi
:004136B9 0FAFF7 imul esi, edi
:004136BC 03F1 add esi, ecx
:004136BE 0175FC add dword ptr [ebp-04], esi
:004136C1 41 inc ecx
:004136C2 3BC8 cmp ecx, eax
:004136C4 7CE8 jl 004136AE
把你的名字經過一番運算，後儲存在ebp－04這個地方，看看ebp-04上面來頭，下Bpm ebp-04.接下來的運算還真變態，看看吧
:004136C6 33FF xor edi, edi
:004136C8 8955F8 mov dword ptr [ebp-08], edx
:004136CB 8D45B0 lea eax, dword ptr [ebp-50]
:004136CE 33C9 xor ecx, ecx
:004136D0 2945F8 sub dword ptr [ebp-08], eax
:004136D3 897D10 mov dword ptr [ebp+10], edi
:004136D6 891D8C3E5000 mov dword ptr [00503E8C], ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004137C9(C)
|
:004136DC 8B45F8 mov eax, dword ptr [ebp-08]
:004136DF 8D740DB0 lea esi, dword ptr [ebp+ecx-50]
:004136E3 03C6 add eax, esi
:004136E5 83F83C cmp eax, 0000003C
:004136E8 7D42 jge 0041372C
:004136EA 8BC1 mov eax, ecx

* Possible Reference to Dialog: DialogID_0604, CONTROL_ID:0004, "Replace All"
|

* Possible Reference to String Resource ID=00004: "*.MAC"
|
:004136EC 6A04 push 00000004//注意這些數字
:004136EE 99 cdq
:004136EF 5F pop edi
:004136F0 F7FF idiv edi
:004136F2 8BC1 mov eax, ecx

* Possible Reference to Dialog: DialogID_0605, CONTROL_ID:0020, ""
|

* Possible Reference to String Resource ID=00032: "

Any changes will be lost and the file deleted!"
|
:004136F4 6A20 push 00000020//注意這些數字
:004136F6 5B pop ebx

* Possible Reference to String Resource ID=00059: "Select File to Compare"
|
:004136F7 6A3B push 0000003B//注意這些數字
:004136F9 8BFA mov edi, edx
:004136FB 99 cdq
:004136FC F7FB idiv ebx
:004136FE 8BC2 mov eax, edx
:00413700 99 cdq
:00413701 2BC2 sub eax, edx
:00413703 8B14BD00A04F00 mov edx, dword ptr [4*edi+004FA000]//CRC
:0041370A D1F8 sar eax, 1
:0041370C 5F pop edi
:0041370D 0FB60402 movzx eax, byte ptr [edx+eax]//取一些資料來
:00413711 8AD1 mov dl, cl
:00413713 0255FC add dl, byte ptr [ebp-04]
:00413716 0FB6D2 movzx edx, dl
:00413719 33C2 xor eax, edx
:0041371B 99 cdq
:0041371C F7FF idiv edi
:0041371E 8B7D10 mov edi, dword ptr [ebp+10]
:00413721 8A4415B0 mov al, byte ptr [ebp+edx-50]
:00413725 02C1 add al, cl
:00413727 324601 xor al, byte ptr [esi+01]
:0041372A 8806 mov byte ptr [esi], al//儲存al的值，後面有用

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004136E8(C)
|
:0041372C 83FF3C cmp edi, 0000003C
:0041372F 7D71 jge 004137A2
:00413731 8BC1 mov eax, ecx

* Possible Reference to String Resource ID=00005: "ULTRAEDT.MAC"
|
:00413733 6A05 push 00000005//注意這些數字，無非就是整除、求餘
:00413735 99 cdq
:00413736 5B pop ebx
:00413737 F7FB idiv ebx
:00413739 8BDA mov ebx, edx
:0041373B 85DB test ebx, ebx//ebx=0,dl=esi%1a+0x41
:0041373D 895DF0 mov dword ptr [ebp-10], ebx
:00413740 740A je 0041374C
:00413742 83FB02 cmp ebx, 00000002//和ebx＝0一樣的運算
:00413745 7405 je 0041374C
:00413747 83FB04 cmp ebx, 00000004//和ebx＝0一樣的運算
:0041374A 751A jne 00413766

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00413740(C), :00413745(C)
|
:0041374C 0FB606 movzx eax, byte ptr [esi]

* Possible Reference to String Resource ID=00026: "Run Windows Program"
|
:0041374F 6A1A push 0000001A
:00413751 99 cdq
:00413752 5B pop ebx
:00413753 F7FB idiv ebx
:00413755 8B5DF0 mov ebx, dword ptr [ebp-10]
:00413758 80C241 add dl, 41
:0041375B 88943D30FFFFFF mov byte ptr [ebp+edi-000000D0], dl//這裡存放註冊碼
:00413762 47 inc edi
:00413763 897D10 mov dword ptr [ebp+10], edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041374A(C)
|
:00413766 83FF3C cmp edi, 0000003C
:00413769 7D37 jge 004137A2
:0041376B 83FB01 cmp ebx, 00000001//ebx=1,3時，dl＝esi%0xa+0x30
:0041376E 7405 je 00413775
:00413770 83FB03 cmp ebx, 00000003
:00413773 7517 jne 0041378C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041376E(C)
|
:00413775 0FB606 movzx eax, byte ptr [esi]

* Possible Reference to String Resource ID=00010: "

Thank you for supporting Shareware."
|
:00413778 6A0A push 0000000A
:0041377A 99 cdq
:0041377B 5E pop esi
:0041377C F7FE idiv esi
:0041377E 80C230 add dl, 30
:00413781 88943D30FFFFFF mov byte ptr [ebp+edi-000000D0], dl//這裡存放註冊碼
:00413788 47 inc edi
:00413789 897D10 mov dword ptr [ebp+10], edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413773(C)
|
:0041378C 83FF3C cmp edi, 0000003C
:0041378F 7D11 jge 004137A2
:00413791 83FB04 cmp ebx, 00000004
:00413794 750C jne 004137A2
:00413796 C6843D30FFFFFF2D mov byte ptr [ebp+edi-000000D0], 2D//插入‘－’
:0041379E 47 inc edi
:0041379F 897D10 mov dword ptr [ebp+10], edi

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041372F(C), :00413769(C), :0041378F(C), :00413794(C)
|
:004137A2 85C9 test ecx, ecx
:004137A4 7E1F jle 004137C5
:004137A6 3B4DF4 cmp ecx, dword ptr [ebp-0C]//ebp-0C裡儲存的是name的位數
:004137A9 7D1A jge 004137C5
:004137AB 3B7DF4 cmp edi, dword ptr [ebp-0C]
:004137AE 7D15 jge 004137C5
:004137B0 8B4508 mov eax, dword ptr [ebp+08]
:004137B3 0FBE5401FF movsx edx, byte ptr [ecx+eax-01]//這裡要注意
:004137B8 0FBE0407 movsx eax, byte ptr [edi+eax]//把你的名字再次運算
:004137BC 0FAFD0 imul edx, eax
:004137BF 01158C3E5000 add dword ptr [00503E8C], edx//儲存在這裡

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004137A4(C), :004137A9(C), :004137AE(C)
|
:004137C5 41 inc ecx
:004137C6 83F93C cmp ecx, 0000003C
:004137C9 0F8C0DFFFFFF jl 004136DC
很明顯上面是一個巢狀迴圈，我第一次在這裡找到了一個註冊碼，然後急忙bd*離開SoftICE；到程式中一註冊關閉程式驗證，沒有提示框，並且help選單的about裡也顯示註冊成功，呵呵，這麼快就搞定了？當我關掉程式後，發現那個UEDIT.reg被刪除了，昏～，程式中肯定還有其他的地方比較註冊碼，並且呼叫Deletefilea等api來刪掉檔案，很好的突破口！用剛才的註冊碼再註冊一次，跑到SoftICE裡下，Bpx Deletefilea.然後關掉程式
Hmmm，又來到SoftICE裡，F12跳出來，向上找找看，有沒有運算比較跳躍的地方，這裡很嗆眼

:00468B64 A18C3E5000 mov eax, dword ptr [00503E8C]//這個00503E8C還記得嗎？
:00468B69 FF35983D5000 push dword ptr [00503D98]
:00468B6F 8945F0 mov dword ptr [ebp-10], eax
:00468B72 E8F98E0200 call 00491A70
:00468B77 59 pop ecx
:00468B78 83F80F cmp eax, 0000000F
:00468B7B 59 pop ecx
:00468B7C 0F8206010000 jb 00468C88
:00468B82 391D6C7E5000 cmp dword ptr [00507E6C], ebx
:00468B88 0F85FA000000 jne 00468C88
:00468B8E 391D707E5000 cmp dword ptr [00507E70], ebx
:00468B94 0F84EE000000 je 00468C88
:00468B9A 0FB645F0 movzx eax, byte ptr [ebp-10]//取出的是上面第二次name運算值

* Possible Reference to String Resource ID=00025: "Dos Command"
|
:00468B9E 6A19 push 00000019//這裡就很嗆眼
:00468BA0 8B3D983D5000 mov edi, dword ptr [00503D98]
:00468BA6 99 cdq
:00468BA7 59 pop ecx
:00468BA8 F7F9 idiv ecx
:00468BAA 0FBE4716 movsx eax, byte ptr [edi+16]//我們輸入註冊碼的第23位
:00468BAE 83C241 add edx, 00000041
:00468BB1 3BC2 cmp eax, edx
:00468BB3 7530 jne 00468BE5
:00468BB5 0FB645F0 movzx eax, byte ptr [ebp-10]

* Possible Reference to String Resource ID=00009: "

This copy of UltraEdit-32 is licensed to :

"
|
:00468BB9 6A09 push 00000009//還有
:00468BBB 99 cdq
:00468BBC 59 pop ecx
:00468BBD F7F9 idiv ecx
:00468BBF 0FBE4707 movsx eax, byte ptr [edi+07]//我們輸入註冊碼的第8位
:00468BC3 83C230 add edx, 00000030
:00468BC6 3BC2 cmp eax, edx
:00468BC8 751B jne 00468BE5
:00468BCA 0FB645F0 movzx eax, byte ptr [ebp-10]
:00468BCE 8A4F0C mov cl, byte ptr [edi+0C]//我們輸入註冊碼的第13位

* Possible Reference to String Resource ID=00013: "Mod: "
|
:00468BD1 6A0D push 0000000D//第三個
:00468BD3 99 cdq
:00468BD4 5F pop edi
:00468BD5 F7FF idiv edi
:00468BD7 0FBEC1 movsx eax, cl
:00468BDA 83C241 add edx, 00000041
:00468BDD 3BC2 cmp eax, edx
:00468BDF 0F84A3000000 je 00468C88
總算搞明白了，呵呵，就是把
:004137BF 01158C3E5000 add dword ptr [00503E8C], edx//儲存在這裡
這裡儲存的數值取出來經過三次運算：1、edi%0x19+0x41與byte ptr [edi+16]比較
2、eax%0x9+0x30與byte ptr [edi+07]比較
                3、eax%0xD+0x41與byte ptr [edi+0C]比較
有一個不相等，嘿嘿，就把那個×.reg刪掉！
到這裡序號產生器應該不難做了:)
6、序號產生器
－－－－－－－－－－－－－－－－start here－－－－－－－－－－－－－－－－－－－－－－
#include <stdio.h>
main()
{ int i,n,nm=0;
int j=0;
int k=0;
int ebp_04=0;int ebp_08=0;
int esi;
char code[23];
char name[60];
unsigned char a0[]={0x2f,0,0xde,0,0x43,0,0xa5,0,0xd8,0,0xef,0,0x8e,0,0x66,0};
unsigned char a1[]={0x38,0,0x8f,0,0x65,0,0x5a,0,0xd3,0,0x1f,0,0x78,0,0x6f,0};
unsigned char a2[]={0,0x1f,0,0xcb,0,0x98,0,0xf3,0,0x10,0,0xf1,0,0xa5,0,0x2f};
unsigned char a3[]={0,0x73,0,0x34,0,0x77,0,0x33,0,0xfe,0,0xe0,0,0x73,0,0x78};
printf("UltraEdit-32 8.10.1.0 keymaker by CoolBob[CCG],written at 2001-5-15\n");
printf("\nyour name(at least 6 numbers and not exceed 60):");
scanf("%s",name);
n=strlen(name);
for (i=1,j=2;(i<n)&&(j<n);i++,j++){
if((i%5==4)&&(i>0)) j++;
ebp_08=ebp_08+name[i-1]*name[j];};
ebp_08=ebp_08&0x00ff;
for (i=0;i<n-1;i++) {
ebp_04=ebp_04+(name[i]+1)*name[i+2]+i;
};
ebp_04=ebp_04&0x00ff;
name[strlen(name)]=0;
for (i=strlen(name)+1;i<0x3c;i++){name[i]=i;};
for (i=0;i<20;i++){
if(i%4==0){
esi=(a0[i/2]^((i+ebp_04)&0x00ff))%0x3b;
esi=name[esi]+i;
esi=esi^name[i+1];
name[i]=esi;
if ((i%5==0)||(i%5==2)||(i%5==4)) esi=esi%0x1a+0x41;
    else esi=esi%0xa+0x30;
    };
if(i%4==1){
esi=(a1[i/2]^((i+ebp_04)&0x00ff))%0x3b;
esi=name[esi]+i;
esi=esi^name[i+1];
name[i]=esi;
if ((i%5==0)||(i%5==2)||(i%5==4)) esi=esi%0x1a+0x41;
    else esi=esi%0xa+0x30;
    };
if(i%4==2){
esi=(a2[i/2]^((i+ebp_04)&0x00ff))%0x3b;
esi=name[esi]+i;
esi=esi^name[i+1];
name[i]=esi;
if ((i%5==0)||(i%5==2)||(i%5==4)) esi=esi%0x1a+0x41;
    else esi=esi%0xa+0x30;
    };
if(i%4==3){
esi=(a3[i/2]^((i+ebp_04)&0x00ff))%0x3b;
esi=name[esi]+i;
esi=esi^name[i+1];
name[i]=esi;
if ((i%5==0)||(i%5==2)||(i%5==4)) esi=esi%0x1a+0x41;
    else esi=esi%0xa+0x30;
    };

if((i%5==0)&&(i>0)) {code[k++]='-';} code[k++]=esi;

};
code[22]=ebp_08%0x19+0x41;
code[7]=ebp_08%0x9+0x30;
code[12]=ebp_08%0xd+0x41;
code[23]=0;
printf("code is: %s",code);
printf("\nPress any key to exit!\n");
getch();
}

－－－－－－－－－－－－－－－－－end here－－－－－－－－－－－－－－－－－－－－－－－－－

UltraEdit-32 8.10.1.0的破解及序號產生器的生成 (15千字)

相關文章