An alternative registration-code crack of 《 ACDSEE 2.3 》
Target: ACDSEE 2.3
I use it on my own machine, and although I had a registration code, it was not one I had cracked myself, which never sat right with me. So I rolled up my sleeves and did it myself: self-reliance, and want for nothing!
Author: RATARICE[BCG]
Tool: TRW2000 1.2
Procedure:
1. Run the program and fill in the registration fields:
name: RATARICE[BCG]
code: 987654321
2. Start TRW; CTRL+N, bpx hmemcpy, CTRL+N.
3. Click "OK". TRW breaks in. Enter bd * (disable the breakpoints) and pmodule (return to the program's own module). The code there is as follows:
015F:00407AA4 LEA EDX,[ESP+7C]
015F:00407AA8 PUSH DWORD 01F5
015F:00407AAD PUSH EDX
015F:00407AAE PUSH DWORD 82
015F:00407AB3 PUSH ESI
015F:00407AB4 CALL EDI
015F:00407AB6 LEA EAX,[ESP+7C]
015F:00407ABA LEA ECX,[ESP+3C]
015F:00407ABE PUSH EAX
015F:00407ABF PUSH ECX
015F:00407AC0 CALL 004072F0 ----------------------> key CALL
015F:00407AC5 ADD ESP,BYTE +08
015F:00407AC8 TEST EAX,EAX
015F:00407ACA JNG 00407B37 ----------------------> key jump (taken when the CALL returned 0, i.e. registration failed)
Trace into the CALL above. We arrive at:
015F:004072F0 PUSH ESI
015F:004072F1 MOV ESI,[ESP+08]
015F:004072F5 PUSH ESI
015F:004072F6 MOV DWORD [004BE040],00
015F:00407300 CALL 00407330 ----------------------> possibly a length check
015F:00407305 ADD ESP,BYTE +04
015F:00407308 TEST EAX,EAX
015F:0040730A JNZ 0040730E ----------------------> this jump must be taken
015F:0040730C POP ESI
015F:0040730D RET
015F:0040730E MOV EAX,[ESP+0C]
015F:00407312 PUSH EAX
015F:00407313 PUSH ESI
015F:00407314 PUSH DWORD 004BE450
015F:00407319 CALL 00442F10 ----------------------> key CALL, trace in!
015F:0040731E ADD ESP,BYTE +0C
015F:00407321 NEG EAX
015F:00407323 SBB EAX,EAX
015F:00407325 POP ESI
015F:00407326 NEG EAX ----------------------> NEG/SBB/NEG normalizes the result to 0 (fail) or 1 (pass)
015F:00407328 MOV [004BE040],EAX ----------------------> and stores it in the global flag that was cleared at 004072F6
015F:0040732D RET
After tracing in, we reach the following:
015F:00442F10 MOV ECX,[ESP+08]
015F:00442F14 SUB ESP,84
015F:00442F1A LEA EAX,[ESP+00]
015F:00442F1E PUSH EBX
015F:00442F1F PUSH ESI
015F:00442F20 PUSH EDI
015F:00442F21 PUSH EAX
015F:00442F22 PUSH ECX
015F:00442F23 CALL 00443600
015F:00442F28 LEA EDI,[ESP+14]
015F:00442F2C OR ECX,BYTE -01
015F:00442F2F XOR EAX,EAX
015F:00442F31 ADD ESP,BYTE +08
015F:00442F34 REPNE SCASB
015F:00442F36 NOT ECX
015F:00442F38 DEC ECX ----------------------> ECX = length of the name
015F:00442F39 MOV EAX,2AAAAAAB
015F:00442F3E MOV ESI,ECX
015F:00442F40 IMUL ESI
015F:00442F42 MOV EAX,EDX
015F:00442F44 SHR EAX,1F
015F:00442F47 LEA EDI,[EDX+EAX+01] ----------------------> EDI = length/6 + 1 (the 2AAAAAAB multiply is a divide by 6); this is the step used by the loop below
015F:00442F4B XOR EDX,EDX
015F:00442F4D TEST ESI,ESI
015F:00442F4F JNG 00442F62 ----------------------> an empty name skips the loop
015F:00442F51 XOR EAX,EAX
015F:00442F53 MOV CL,[ESP+EAX+0C] ------
015F:00442F57 ADD EAX,EDI              |
015F:00442F59 MOV [ESP+EDX+38],CL      |----------------> processes the name: copies every EDI-th character starting from the first. With EDI = length/6 + 1 that is every other character for names of 6 to 11 characters, i.e. the odd positions!!!
015F:00442F5D INC EDX                  |
015F:00442F5E CMP EAX,ESI              |
015F:00442F60 JL 00442F53        ------
015F:00442F62 MOV EAX,[ESP+9C]
015F:00442F69 MOV ECX,[ESP+94]
015F:00442F70 MOV BYTE [ESP+EDX+38],00
015F:00442F75 LEA EDX,[ESP+64]
015F:00442F79 PUSH BYTE +29
015F:00442F7B PUSH EDX
015F:00442F7C PUSH EAX
015F:00442F7D PUSH ECX
015F:00442F7E CALL 00442FE0 -----------------------------> processes the registration code (not understood)
015F:00442F83 ADD ESP,BYTE +10
015F:00442F86 LEA ESI,[ESP+64] -------------------------> the processed registration code
(visible with d esi!)
015F:00442F8A LEA EAX,[ESP+38] -------------------------> the processed name
(visible with d eax!)
015F:00442F8E MOV DL,[EAX]         ------
015F:00442F90 MOV BL,[ESI]              |
015F:00442F92 MOV CL,DL                 |
015F:00442F94 CMP DL,BL                 |
015F:00442F96 JNZ 00442FC7              |
015F:00442F98 TEST CL,CL                |
015F:00442F9A JZ 00442FB2               |
015F:00442F9C MOV DL,[EAX+01]           |
015F:00442F9F MOV BL,[ESI+01]           |----------------------> compares the processed registration code with the processed name, two bytes per iteration;
015F:00442FA2 MOV CL,DL                 |                        if they are identical it's a success!!!
015F:00442FA4 CMP DL,BL                 |
015F:00442FA6 JNZ 00442FC7              |
015F:00442FA8 ADD EAX,BYTE +02          |
015F:00442FAB ADD ESI,BYTE +02          |
015F:00442FAE TEST CL,CL                |
015F:00442FB0 JNZ 00442F8E              |
015F:00442FB2 XOR EAX,EAX               |
015F:00442FB4 XOR ECX,ECX               |
015F:00442FB6 TEST EAX,EAX              |
015F:00442FB8 SETZ CL                   |----------------------> match path: EAX = 0, so SETZ gives CL = 1 and the function returns 1
015F:00442FBB MOV EAX,ECX          ------
015F:00442FBD POP EDI
015F:00442FBE POP ESI
015F:00442FBF POP EBX
015F:00442FC0 ADD ESP,84
015F:00442FC6 RET
015F:00442FC7 SBB EAX,EAX ----------------------> mismatch path: EAX ends up non-zero (SBB/SBB gives -1 or 1), so SETZ below leaves CL = 0 and the function returns 0
015F:00442FC9 POP EDI
015F:00442FCA SBB EAX,BYTE -01
015F:00442FCD XOR ECX,ECX
015F:00442FCF TEST EAX,EAX
015F:00442FD1 SETZ CL
015F:00442FD4 POP ESI
015F:00442FD5 MOV EAX,ECX
015F:00442FD7 POP EBX
015F:00442FD8 ADD ESP,84
015F:00442FDE RET
By now I basically understand how it works, but my ability is limited and I cannot make sense of the encryption algorithm it applies to the registration code,
so I settled for second best: the way it processes the name could not be simpler! So making the processed name
equal to the processed registration code is perfectly doable!
The d esi above shows the processed registration code; mine is "A DA" (A, space, D, A), so the odd positions of the name just have to be
those characters! I entered "AB CDEA" (AB, space, CDEA)!
Click "OK" again, and it reports successful registration!
Finally:
Could some expert tell me the encryption algorithm for its registration code??? (The more detail the better.)
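The trick above rests on two pieces of the listing: the name transform at 00442F39..00442F70 and the byte compare at 00442F8E. The Python below is an added example, not code from the original write-up and not ACDSee's own code; it re-implements those two pieces as the listing shows them and adds a helper, forge_name, that builds a name whose transform equals a given processed registration code (the string read out with d esi). The processing of the registration code itself (CALL 00442FE0) is not reproduced, because the write-up does not recover it. The listing also implies two things the write-up does not state: the step is length/6 + 1 (the 2AAAAAAB multiply is the compiler's divide by 6), so "odd positions" is only right for names of 6 to 11 characters and names shorter than 6 pass through unchanged; and the transform never yields more than 6 characters, so a processed code longer than that can be matched by no name at all. The sample names in the block are constructed from the write-up's own values.

```python
# Added example (not from the original write-up and not ACDSee's code):
# a re-implementation of the name transform at 00442F39..00442F70 and of
# the byte compare at 00442F8E, recovered from the listing, plus a helper
# that forges a name for a given processed registration code.
# The transform applied to the registration code (CALL 00442FE0) is NOT
# reproduced: the write-up does not recover it, so the processed code is
# whatever `d esi` shows in the debugger and is passed in as a string.

MAGIC = 0x2AAAAAAB  # MOV EAX,2AAAAAAB: the compiler idiom for a signed divide by 6


def stride_for(length: int) -> int:
    """EDI = high dword of (len * 2AAAAAAB) + its sign bit + 1.

    length is a strlen, so it is non-negative; for any such 32-bit value
    this equals len // 6 + 1: step 1 for 0..5 characters, 2 for 6..11,
    3 for 12..17, and so on.
    """
    edx = ((length & 0xFFFFFFFF) * MAGIC) >> 32   # IMUL ESI -> EDX:EAX, keep EDX
    sign = (edx >> 31) & 1                         # MOV EAX,EDX / SHR EAX,1F
    return (edx + sign + 1) & 0xFFFFFFFF           # LEA EDI,[EDX+EAX+01]


def transform_name(name: str) -> str:
    """The loop at 00442F51..00442F60: out = name[0], name[EDI], name[2*EDI], ...

    It is a do-while loop, so the first character is always taken; it stops
    once the index is no longer below the length (CMP EAX,ESI / JL).
    """
    n = len(name)
    if n <= 0:                 # TEST ESI,ESI / JNG 00442F62: empty name -> empty output
        return ""
    step = stride_for(n)
    out = []
    i = 0
    while True:
        out.append(name[i])    # MOV CL,[ESP+EAX+0C] / MOV [ESP+EDX+38],CL
        i += step              # ADD EAX,EDI
        if i >= n:             # CMP EAX,ESI / JL 00442F53
            break
    return "".join(out)


def registration_ok(name: str, processed_code: str) -> int:
    """The compare loop at 00442F8E: byte-for-byte equality of the processed
    name and the processed code; returns 1 (SETZ CL) on a match, else 0."""
    return 1 if transform_name(name) == processed_code else 0


def forge_name(processed_code: str, filler: str = "X"):
    """Build a name whose transform is exactly processed_code, which is what
    the write-up does by hand ('AB CDEA' -> 'A DA').

    Target character j is placed at index j*s and the gaps are padded with
    filler. The total length must be self-consistent with the step it
    produces: (k-1)*s < length <= k*s so that exactly k characters are
    picked, and stride_for(length) == s. The transform never yields more
    than 6 characters (length / (length//6 + 1) < 6), so a longer processed
    code has no matching name and None is returned.
    """
    k = len(processed_code)
    if k == 0 or len(filler) != 1:
        return None
    for s in range(1, 8):                       # no s > 7 can be consistent for k <= 6
        for length in range((k - 1) * s + 1, k * s + 1):
            if stride_for(length) == s:
                chars = [filler] * length
                for j, ch in enumerate(processed_code):
                    chars[j * s] = ch
                return "".join(chars)
    return None


if __name__ == "__main__":
    # Constructed sample inputs: the author's real name and forged name from the text.
    print(transform_name("RATARICE[BCG]"))       # 13 characters, step 3
    print(transform_name("AB CDEA"), registration_ok("AB CDEA", "A DA"))
    print(forge_name("A DA"), forge_name("ABCDEF"), forge_name("ABCDEFG"))
```

Read the processed code from d esi, pass it to forge_name and type the result into the name field. For a processed code of five characters or fewer the name can simply be the processed code itself, since names shorter than six characters pass through the transform unchanged; the write-up's seven-character "AB CDEA" works too, because at that length the step is 2.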