入門習作2:HOSTMONITOR 1.31 執行自校驗及註冊破解過程 (11千字)
入門習作2:HOSTMONITOR 1.31 執行自校驗及註冊破解過程
程式名稱:HOSTMONITOR 1.31
保護方式:註冊碼、執行時程式碼自校驗
破解過程如下:
一、啟動程式後,進入licence 的註冊視窗
任意輸入使用者名稱及註冊碼,點選確定後出現“Sorry, but Name or Registration number is wrong !”畫面,
用pwdasm32反彙編主程式hostmonitor.exe後,查詢上面的字串,發現下列程式碼
段與註冊有關:
:004CA33C 8B45E8
mov eax, dword ptr [ebp-18]
:004CA33F E86C81FFFF call 004C24B0
-->判斷使用者名稱是否在HACKER
:004CA344 84C0
test al, al 名單中
:004CA346 7441
je 004CA389 -->不是則跳轉4CA389處驗證
使用者名稱及註冊碼有效性***
(*修改為 EB41
jmp 004ca389 *)
* Possible StringData Ref from Code Obj ->"Sorry, but your registration name
"
->"("
|
:004CA348 68ECA54C00 push 004CA5EC
:004CA34D 8D55E0
lea edx, dword ptr [ebp-20]
:004CA350 8B06
mov eax, dword ptr [esi]
:004CA352 8B80E4020000 mov eax, dword
ptr [eax+000002E4]
:004CA358 E84FF4F6FF call 004397AC
:004CA35D FF75E0
push [ebp-20]
* Possible StringData Ref from Code Obj ->") found in "black list".
"
|
:004CA360 6818A64C00 push 004CA618
* Possible StringData Ref from Code Obj ->"Should you have any questions, "
->"please don`t
hesitate to let us "
->"know.
"
|
:004CA365 6840A64C00 push 004CA640
* Possible StringData Ref from Code Obj ->"E-Mail: line1@ks-soft.net; line2@ks-soft.net"
|
:004CA36A 6890A64C00 push 004CA690
:004CA36F 8D45E4
lea eax, dword ptr [ebp-1C]
:004CA372 BA05000000 mov edx,
00000005
:004CA377 E8EC9EF3FF call 00404268
:004CA37C 8B45E4
mov eax, dword ptr [ebp-1C]
:004CA37F E8FC69F9FF call 00460D80
:004CA384 E9F7010000 jmp 004CA580
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004CA346(C)
|
:004CA389 8D55DC
lea edx, dword ptr [ebp-24]
:004CA38C 8B06
mov eax, dword ptr [esi]
:004CA38E 8B80E4020000 mov eax, dword
ptr [eax+000002E4]
:004CA394 E813F4F6FF call 004397AC
-->計算字串長度
:004CA399 837DDC00 cmp
dword ptr [ebp-24], 00000000
:004CA39D 0F84C9010000 je 004CA56C
-->使用者名稱長度是否為0
(跳轉則註冊失敗)
:004CA3A3 8D55D8
lea edx, dword ptr [ebp-28]
:004CA3A6 8B06
mov eax, dword ptr [esi]
:004CA3A8 8B80E8020000 mov eax, dword
ptr [eax+000002E8]
:004CA3AE E8F9F3F6FF call 004397AC
:004CA3B3 837DD800 cmp
dword ptr [ebp-28], 00000000
:004CA3B7 0F84AF010000 je 004CA56C
-->註冊碼長度是否為0
(跳轉則註冊失敗)
:004CA3BD 8D55D4
lea edx, dword ptr [ebp-2C]
:004CA3C0 8B06
mov eax, dword ptr [esi]
:004CA3C2 8B80E4020000 mov eax, dword
ptr [eax+000002E4]
:004CA3C8 E8DFF3F6FF call 004397AC
:004CA3CD 8B45D4
mov eax, dword ptr [ebp-2C]
:004CA3D0 E8C7D6FFFF call 004C7A9C
-->使用者名稱轉換為字串1
:004CA3D5 8BF8
mov edi, eax
:004CA3D7 8D55D0
lea edx, dword ptr [ebp-30]
:004CA3DA 8B06
mov eax, dword ptr [esi]
:004CA3DC 8B80E8020000 mov eax, dword
ptr [eax+000002E8]
:004CA3E2 E8C5F3F6FF call 004397AC
:004CA3E7 8B45D0
mov eax, dword ptr [ebp-30]
:004CA3EA E8C9D7FFFF call 004C7BB8
-->註冊碼轉換為字串2
:004CA3EF 663BF8
cmp di, ax
:004CA3F2 0F8574010000 jne 004CA56C
-->註冊碼為字母或長度
為1,則跳轉至註冊失敗
:004CA3F8 A1344E5400 mov eax,
dword ptr [00544E34]
:004CA3FD BAFF010000 mov edx,
000001FF
:004CA402 E87DD6FFFF call 004C7A84
-->計算字串1累加和
:004CA407 8BF8
mov edi, eax
:004CA409 A1C44C5400 mov eax,
dword ptr [00544CC4]
:004CA40E BAFF010000 mov edx,
000001FF
:004CA413 E86CD6FFFF call 004C7A84
-->計算字串2累加和
:004CA418 3BF8
cmp edi, eax
:004CA41A 0F854C010000 jne 004CA56C
-->是否相等? ***
不相等,則跳轉至註冊失敗;
相等,繼續則註冊OK!
(*修改為 909090909090 nop(6個)*)
:004CA420 8D55CC
lea edx, dword ptr [ebp-34]
:004CA423 8B06
mov eax, dword ptr [esi]
:004CA425 8B80E4020000 mov eax, dword
ptr [eax+000002E4]
:004CA42B E87CF3F6FF call 004397AC
:004CA430 8B55CC
mov edx, dword ptr [ebp-34]
:004CA433 A16C505400 mov eax,
dword ptr [0054506C]
:004CA438 E83F9BF3FF call 00403F7C
:004CA43D 8D55C8
lea edx, dword ptr [ebp-38]
:004CA440 8B06
mov eax, dword ptr [esi]
:004CA442 8B80E8020000 mov eax, dword
ptr [eax+000002E8]
:004CA448 E85FF3F6FF call 004397AC
:004CA44D 8B55C8
mov edx, dword ptr [ebp-38]
:004CA450 A1244D5400 mov eax,
dword ptr [00544D24]
:004CA455 E8229BF3FF call 00403F7C
:004CA45A 8BC3
mov eax, ebx
:004CA45C E89BF9FFFF call 004C9DFC
* Possible StringData Ref from Code Obj ->"Thank You for registering"
|
:004CA461 B8C8A64C00 mov eax,
004CA6C8
:004CA466 E81569F9FF call 00460D80
:004CA46B B201
mov dl, 01
:004CA46D A11CB84100 mov eax,
dword ptr [0041B81C]
:004CA472 E81115F5FF call 0041B988
:004CA477 8BD8
mov ebx, eax
:004CA479 B101
mov cl, 01
.
.
.
.
(略) .
.
.
:004CA56A EB14
jmp 004CA580
* Possible StringData Ref from Code Obj ->"Sorry, but Name or Registration "
->"number is
wrong !"
|
:004CA56C B8DCA74C00 mov eax,
004CA7DC
:004CA571 E80A68F9FF call 00460D80
:004CA576 A1E44B5400 mov eax,
dword ptr [00544BE4]
:004CA57B 8B55FC
mov edx, dword ptr [ebp-04]
:004CA57E 8910
mov dword ptr [eax], edx
從以上程式段可看出,只要用ULTRAEDIT等工具將***處作相應修改即可任意註冊。
(*註冊碼不能為字母、註冊碼長度不能為1)
二、註冊成功後,重新執行程式,出現啟動畫面,顯示“self test”後,出現提示
“Program was corrupted !”畫面,只有退出程式。
再在pwdasm32反彙編檔案中查詢以上字串,相關程式如下:
:0053E19A 8B55E8
mov edx, dword ptr [ebp-18]
:0053E19D A1944C5400 mov eax,
dword ptr [00544C94]
:0053E1A2 8B00
mov eax, dword ptr [eax]
:0053E1A4 8B80D0020000 mov eax, dword
ptr [eax+000002D0]
:0053E1AA 8B8008020000 mov eax, dword
ptr [eax+00000208]
:0053E1B0 8B08
mov ecx, dword ptr [eax]
:0053E1B2 FF5134
call [ecx+34] -->提示“self test"
:0053E1B5 E89A45F8FF call 004C2754
-->程式程式碼校驗
:0053E1BA 8B15244C5400 mov edx, dword
ptr [00544C24]
:0053E1C0 3B82B4000000 cmp eax, dword
ptr [edx+000000B4]
:0053E1C6 740F
je 0053E1D7 -->比較校驗結果:***
不符,則提示出錯資訊;
相符,則跳轉程式正常初始化。
(*修改為 EB0f
jmp 0053e1d7 *)
* Possible StringData Ref from Code Obj ->"Program was corrupted !"
|
:0053E1C8 B81CEA5300 mov eax,
0053EA1C
:0053E1CD E8AE2BF2FF call 00460D80
:0053E1D2 E996070000 jmp 0053E96D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0053E1C6(C)
|
:0053E1D7 68E4E95300 push 0053E9E4
:0053E1DC E82FD4ECFF call 0040B610
:0053E1E1 83C4F8
add esp, FFFFFFF8
:0053E1E4 DD1C24
fstp qword ptr [esp]
:0053E1E7 9B
wait
:0053E1E8 8D45DC
lea eax, dword ptr [ebp-24]
:0053E1EB E834E0ECFF call 0040C224
:0053E1F0 FF75DC
push [ebp-24]
* Possible StringData Ref from Code Obj ->"] App Init .."
|
-->程式初始化
:0053E1F3 683CEA5300 push 0053EA3C
:0053E1F8 8D45E0
lea eax, dword ptr [ebp-20]
:0053E1FB BA03000000 mov edx,
00000003
:0053E200 E86360ECFF call 00404268
將上段程式***處作相應修改,程式即可正常執行
三、發現程式啟動時,在下列程式段進行註冊比較:(查詢4C7A84時發現)
:0053C7C6 8B45F4
mov eax, dword ptr [ebp-0C]
:0053C7C9 E8CEB2F8FF call 004C7A9C
:0053C7CE 8B45F0
mov eax, dword ptr [ebp-10]
:0053C7D1 E8E2B3F8FF call 004C7BB8
:0053C7D6 A1344E5400 mov eax,
dword ptr [00544E34]
:0053C7DB BAFF010000 mov edx,
000001FF
:0053C7E0 E89FB2F8FF call 004C7A84
-->計算使用者名稱字串1累加和
:0053C7E5 8BF0
mov esi, eax
:0053C7E7 A1C44C5400 mov eax,
dword ptr [00544CC4]
:0053C7EC BAFF010000 mov edx,
000001FF
:0053C7F1 E88EB2F8FF call 004C7A84
-->計算註冊碼字串2累加和
:0053C7F6 3BF0
cmp esi, eax
:0053C7F8 751C
jne 0053C816 -->比較是否相等? ***
不相等在license視窗顯示
“Unregistration"
相等則在license視窗顯示
註冊資訊。
(*修改為 9090
nop(2個) *)
:0053C7FA A16C505400 mov eax,
dword ptr [0054506C]
:0053C7FF 8B55F4
mov edx, dword ptr [ebp-0C]
:0053C802 E87577ECFF call 00403F7C
:0053C807 A1244D5400 mov eax,
dword ptr [00544D24]
:0053C80C 8B55F0
mov edx, dword ptr [ebp-10]
:0053C80F E86877ECFF call 00403F7C
:0053C814 EB2D
jmp 0053C843
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0053C7F8(C)
|
:0053C816 A1344E5400 mov eax,
dword ptr [00544E34]
:0053C81B 33C9
xor ecx, ecx
:0053C81D BA00020000 mov edx,
00000200
:0053C822 E89565ECFF call 00402DBC
從以上程式段可看出,只要將***處作相應修改即可。
錯誤之處請指正,謝謝!! <Crack123>