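Software name: 電子郵件地址搜尋器 (E-mail Address Searcher)
Description: Software that collects e-mail addresses. All e-mail addresses collected with it are valid.
Download: http://www.csdn.net/cnshare/soft/7/7589.html
Cracking difficulty: Very easy (suitable for beginners to practise on)
Cracker: Edea[BCG] QQ:3849036
First, analyse the program with Fi: it is not packed and is written in Delphi.
Disassemble it with WDASM and launch the program while the disassembly runs (heh, mainly to save time). Enter the registration code 9876543210 and a "註冊碼錯誤" ("registration code error") dialog pops up.
In the disassembled code we find this section: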
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047DF33(C)
|
:0047DF87 8B55F0                  mov edx, dword ptr [ebp-10]
:0047DF8A 8D45F8                  lea eax, dword ptr [ebp-08]
:0047DF8D E8B25BF8FF              call 00403B44
:0047DF92 8D55E8                  lea edx, dword ptr [ebp-18]
:0047DF95 8B83DC020000            mov eax, dword ptr [ebx+000002DC]
:0047DF9B E8981CFBFF              call 0042FC38
:0047DFA0 8B45E8                  mov eax, dword ptr [ebp-18]
:0047DFA3 8D55EC                  lea edx, dword ptr [ebp-14]
:0047DFA6 E871A2F8FF              call 0040821C
:0047DFAB 8B55EC                  mov edx, dword ptr [ebp-14]
:0047DFAE 8B45F8                  mov eax, dword ptr [ebp-08]
:0047DFB1 E8865EF8FF              call 00403E3C
:0047DFB6 7536                    jne 0047DFEE ------> if this jump is taken, registration fails
* Possible StringData Ref from Code Obj ->"註冊成功"
|
:0047DFB8 B854E04700              mov eax, 0047E054
:0047DFBD E87699FDFF              call 00457938
:0047DFC2 8B45F8                  mov eax, dword ptr [ebp-08]
:0047DFC5 50                      push eax
:0047DFC6 8D45E4                  lea eax, dword ptr [ebp-1C]
:0047DFC9 E8FEA7FEFF              call 004687CC
:0047DFCE 8B45E4                  mov eax, dword ptr [ebp-1C]
* Possible StringData Ref from Code Obj ->"RegistNo"
|
:0047DFD1 B968E04700              mov ecx, 0047E068
* Possible StringData Ref from Code Obj ->"Regist"
|
:0047DFD6 BA7CE04700              mov edx, 0047E07C
:0047DFDB E8DCA4FEFF              call 004684BC
* Possible StringData Ref from Code Obj ->"已經註冊"
|
:0047DFE0 BA8CE04700              mov edx, 0047E08C
:0047DFE5 8BC3                    mov eax, ebx
:0047DFE7 E87C1CFBFF              call 0042FC68
:0047DFEC EB18                    jmp 0047E006
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047DFB6(C)
|
* Possible StringData Ref from Code Obj ->"註冊碼錯誤!"
|
:0047DFEE B8A0E04700              mov eax, 0047E0A0
:0047DFF3 E84099FDFF              call 00457938
:0047DFF8 8B83DC020000            mov eax, dword ptr [ebx+000002DC]
:0047DFFE 8B10                    mov edx, dword ptr [eax]
:0047E000 FF92B0000000            call dword ptr [edx+000000B0]
*********************************************************************************************
Now open TRW2000 and set a breakpoint with bpx 0047DF87. Enter any registration code again (9876543210) and click Register. The breakpoint hits and we land here:
0177:0047DF87 MOV EDX,[EBP-10] ------> here we see the program load "AXAMBGWH" into EDX, very suspicious (yours may not be AXAMBGWH)
0177:0047DF8A LEA EAX,[EBP-08]
0177:0047DF8D CALL 00403B44
0177:0047DF92 LEA EDX,[EBP-18]
0177:0047DF95 MOV EAX,[EBX+02DC]
0177:0047DF9B CALL 0042FC38
0177:0047DFA0 MOV EAX,[EBP-18] ------> 9876543210 => EAX
0177:0047DFA3 LEA EDX,[EBP-14]
0177:0047DFA6 CALL 0040821C
0177:0047DFAB MOV EDX,[EBP-14] ------> 9876543210 => EDX
0177:0047DFAE MOV EAX,[EBP-08] ------> AXAMBGWH => EAX
0177:0047DFB1 CALL 00403E3C ------> step into this call
0177:0047DFB6 JNZ 0047DFEE ------> registration fails if this jump is taken
0177:0047DFB8 MOV EAX,0047E054
0177:0047DFBD CALL 00457938
0177:0047DFC2 MOV EAX,[EBP-08]
0177:0047DFC5 PUSH EAX
Call from 0047DFB1:
0177:00403E39 LEA EAX,[EAX+00]
0177:00403E3C PUSH EBX
0177:00403E3D PUSH ESI
0177:00403E3E PUSH EDI
0177:00403E3F MOV ESI,EAX
0177:00403E41 MOV EDI,EDX
0177:00403E43 CMP EAX,EDX ------> here we see the program compare AXAMBGWH with my fake registration code; heh, I don't need to spell out the rest
0177:00403E45 JZ NEAR 00403EDA
0177:00403E4B TEST ESI,ESI
0177:00403E4D JZ 00403EB7
0177:00403E4F TEST EDI,EDI
0177:00403E51 JZ 00403EBE
0177:00403E53 MOV EAX,[ESI-04]
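My registration code: AXAMBGWH
This program's registration code is computed from the local installation number, so yours will almost certainly differ from mine.
After successful registration, a file named System.sch appears in the program's directory and stores your registration code.
Heh, I hadn't cracked any software for a week, so I grabbed one at random to practise on.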
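
The design weakness the trace exposes, as an added example (not code from this write-up or from the program): a check that derives the valid code locally and string-compares it, next to one that only verifies a vendor signature over the installation number. The derivation function, the install ID format and the demo key (two Mersenne primes, unpadded textbook RSA) are assumptions made for illustration.

```python
import hashlib

# Constructed demo key from two Mersenne primes: NOT secure, it only keeps
# the example self-contained. Real code would use a vetted crypto library,
# a properly generated key pair and a padded signature scheme.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                   # public half, shipped in the client
D = pow(E, -1, (P - 1) * (Q - 1))     # private half, stays with the vendor


def weak_expected_code(install_id: str) -> str:
    """Hypothetical client-side derivation of an 8-letter code."""
    digest = hashlib.sha256(install_id.encode()).digest()
    return "".join(chr(ord("A") + b % 26) for b in digest[:8])


def weak_check(install_id: str, entered: str) -> bool:
    # The valid code is computed locally and compared as a string, so it is
    # present in process memory on every attempt, right or wrong.
    return weak_expected_code(install_id) == entered


def _digest_int(install_id: str) -> int:
    return int.from_bytes(hashlib.sha256(install_id.encode()).digest(), "big")


def vendor_issue(install_id: str) -> int:
    """Runs only on the vendor side, where D lives."""
    return pow(_digest_int(install_id), D, N)


def signed_check(install_id: str, license_value: int) -> bool:
    # The client holds only (N, E): it can verify a licence value but has
    # nothing from which the valid value could be read or recomputed.
    if not 0 < license_value < N:
        return False
    return pow(license_value, E, N) == _digest_int(install_id)


if __name__ == "__main__":
    iid = "INSTALL-0001"                         # constructed install ID
    print(weak_check(iid, "9876543210"))         # False
    print(signed_check(iid, vendor_issue(iid)))  # True
```

Signature verification keeps the valid value out of client memory; the verification branch itself still needs separate integrity protection.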