CCproxy最新版破解,有個小小的玩笑 (17千字)
目標軟體:CCProxy 4.11
保護方式:註冊碼
破解人:TAE![CCG][BCG][FCG]
破解方式:算註冊碼
執行軟體發現程式自動生成一個機器碼,需要讓使用者輸入序列號和註冊碼,你可以隨便輸入
一些,我輸入的是:
序列號:12345678
註冊碼:78787878
進入TRW設定斷點 bpx hmemcpy,回到程式點註冊,這時被TRW攔住,按兩次F5,為什麼?因為第
三次按F5,錯誤提示就出來了,其實系統使用了三次USER32.GetWindowTextA函式分別讀取機
器碼,序列號和註冊碼,那麼我們當然要在系統讀取機器碼和序列號之後進行跟蹤嘍,按過兩
次F5之後,便是程式第三次呼叫USER32.GetWindowTextA來讀取註冊碼了,這時候, 我們被中
斷在系統函式hmemcpy的附近,那麼我們要回到程式中呀,所以下命令pmodule,這時來到了下
面這裡:
* Reference To: USER32.GetWindowTextA, Ord:015Eh //其實你也可以直接下這個斷點的
^^^^^^^^^^^^^^^^^^^^^^
:0042C9DD FF15FC434300 Call dword ptr
[004343FC]
:0042C9E3 8B4D10
mov ecx, dword ptr [ebp+10] //應該回到了這裡
:0042C9E6 6AFF
push FFFFFFFF
:0042C9E8 E8BCC7FFFF call 004291A9
:0042C9ED EB0B
jmp 0042C9FA
:0042C9EF 8B4510
mov eax, dword ptr [ebp+10]
:0042C9F2 FF30
push dword ptr [eax]
:0042C9F4 56
push esi
:0042C9F5 E8EEF1FFFF call 0042BBE8
:0042C9FA 5F
pop edi
:0042C9FB 5E
pop esi
:0042C9FC 5D
pop ebp
:0042C9FD C20C00
ret 000C
一直跟著它走,來到這裡:
:00405944 8B8620020000 mov eax, dword
ptr [esi+00000220]
* Reference To: KERNEL32.WritePrivateProfileStringA, Ord:02E5h
|
:0040594A 8B1D18424300 mov ebx, dword
ptr [00434218]
:00405950 8D7E5C
lea edi, dword ptr [esi+5C]
:00405953 57
push edi //edi是檔名,也就是CCProxy.ini
:00405954 50
push eax
* Possible StringData Ref from Data Obj ->"RegCode"
|
:00405955 68B0014400 push 004401B0
* Possible StringData Ref from Data Obj ->"System"
|
:0040595A 68D8024400 push 004402D8
:0040595F FFD3
call ebx //這裡是呼叫WritePrivateProfileStringA,
:00405961 8B8624020000 mov eax, dword
ptr [esi+00000224]
:00405967 57
push edi //edi是檔名,也就是CCProxy.ini
:00405968 50
push eax
* Possible StringData Ref from Data Obj ->"UserName"
|
:00405969 681C024400 push 0044021C
* Possible StringData Ref from Data Obj ->"System"
|
:0040596E 68D8024400 push 004402D8
:00405973 FFD3
call ebx //這裡是呼叫WritePrivateProfileStringA,
:00405975 8B862C020000 mov eax, dword
ptr [esi+0000022C]
:0040597B 57
push edi //edi是檔名,也就是CCProxy.ini
:0040597C 50
push eax
* Possible StringData Ref from Data Obj ->"SerialCode"
|
:0040597D 68C0014400 push 004401C0
* Possible StringData Ref from Data Obj ->"System"
|
:00405982 68D8024400 push 004402D8
:00405987 FFD3
call ebx //這裡是呼叫WritePrivateProfileStringA,
經過跟蹤不難發現,上面一段程式是將序列號,註冊碼寫入檔案CCProxy.ini中
格式是這樣的:
=====================
[System]
Setup=1
RegCode=78787878
UserName=
SerialCode=12345678
=====================
跟蹤到這裡我就發現這個程式很奇怪,一般來說程式註冊的過程應該是這樣的,
即判斷註冊碼的合法性,如果正確那麼寫入登錄檔或者是檔案中,錯誤的話應該
不寫入的,而這個程式還沒有判斷正誤就將註冊資訊寫入了檔案,奇怪!另外如
你仔細觀察機器碼,你會發現每次註冊,機器碼都會改變,奇怪!可能會有陷阱!
無論如何我們還是繼續跟蹤吧!
:00405989 E8F2D4FFFF call 00402E80
//這裡要進入喲,因為下面就是關鍵的跳轉了
:0040598E F7D8
neg eax
:00405990 1BC0
sbb eax, eax
:00405992 40
inc eax
:00405993 A3BC034400 mov dword
ptr [004403BC], eax
:00405998 A1240E4400 mov eax,
dword ptr [00440E24]
:0040599D 8944240C mov
dword ptr [esp+0C], eax
:004059A1 BB00000000 mov ebx,
00000000
:004059A6 895C241C mov
dword ptr [esp+1C], ebx
:004059AA 747D
je 00405A29 //關鍵的跳轉.
:004059AC 8D4C2410 lea
ecx, dword ptr [esp+10]
* Possible Reference to String Resource ID=00128: "CCProxy v4.11(evaluation
version only for 5 clients)"
|
:004059B0 6880000000 push 00000080
:004059B5 51
push ecx
:004059B6 E885D6FFFF call 00403040
:004059BB 83C408
add esp, 00000008
:004059BE 50
push eax
:004059BF 8D4C2410 lea
ecx, dword ptr [esp+10]
:004059C3 C644242001 mov [esp+20],
01
:004059C8 E8AB340200 call 00428E78
:004059CD 8D4C2410 lea
ecx, dword ptr [esp+10]
:004059D1 885C241C mov
byte ptr [esp+1C], bl
:004059D5 E865330200 call 00428D3F
:004059DA E8833A0200 call 00429462
:004059DF 3BC3
cmp eax, ebx
:004059E1 7409
je 004059EC
:004059E3 8B10
mov edx, dword ptr [eax]
:004059E5 8BC8
mov ecx, eax
:004059E7 FF5274
call [edx+74]
:004059EA EB02
jmp 004059EE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004059E1(C)
|
:004059EC 33C0
xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004059EA(U)
|
:004059EE 8B4C240C mov
ecx, dword ptr [esp+0C]
:004059F2 51
push ecx
:004059F3 8BC8
mov ecx, eax
:004059F5 E85C2E0200 call 00428856
:004059FA 8D542410 lea
edx, dword ptr [esp+10]
* Possible Reference to String Resource ID=00126: "Register failed!"
|
:004059FE 6A7E
push 0000007E
:00405A00 52
push edx
:00405A01 E83AD6FFFF call 00403040
:00405A06 83C408
add esp, 00000008
:00405A09 50
push eax
:00405A0A 8D4C2410 lea
ecx, dword ptr [esp+10]
:00405A0E C644242002 mov [esp+20],
02
:00405A13 E860340200 call 00428E78
:00405A18 8D4C2410 lea
ecx, dword ptr [esp+10]
:00405A1C 885C241C mov
byte ptr [esp+1C], bl
:00405A20 E81A330200 call 00428D3F
:00405A25 53
push ebx
:00405A26 53
push ebx
:00405A27 EB79
jmp 00405AA2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004059AA(C)
|
:00405A29 8D4C2410 lea
ecx, dword ptr [esp+10]
* Possible Reference to String Resource ID=00127: "CCProxy v4.11"
|
:00405A2D 6A7F
push 0000007F
:00405A2F 51
push ecx
:00405A30 E80BD6FFFF call 00403040
:00405A35 83C408
add esp, 00000008
:00405A38 50
push eax
:00405A39 8D4C2410 lea
ecx, dword ptr [esp+10]
:00405A3D C644242003 mov [esp+20],
03
:00405A42 E831340200 call 00428E78
:00405A47 8D4C2410 lea
ecx, dword ptr [esp+10]
:00405A4B 885C241C mov
byte ptr [esp+1C], bl
:00405A4F E8EB320200 call 00428D3F
:00405A54 E8093A0200 call 00429462
:00405A59 3BC3
cmp eax, ebx
:00405A5B 7409
je 00405A66
:00405A5D 8B10
mov edx, dword ptr [eax]
:00405A5F 8BC8
mov ecx, eax
:00405A61 FF5274
call [edx+74]
:00405A64 EB02
jmp 00405A68
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405A5B(C)
|
:00405A66 33C0
xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405A64(U)
|
:00405A68 8B4C240C mov
ecx, dword ptr [esp+0C]
:00405A6C 51
push ecx
:00405A6D 8BC8
mov ecx, eax
:00405A6F E8E22D0200 call 00428856
:00405A74 8D542410 lea
edx, dword ptr [esp+10]
* Possible Reference to String Resource ID=00125: "Register successfully!"
|
:00405A78 6A7D
push 0000007D
:00405A7A 52
push edx
:00405A7B E8C0D5FFFF call 00403040
:00405A80 83C408
add esp, 00000008
:00405A83 50
push eax
:00405A84 8D4C2410 lea
ecx, dword ptr [esp+10]
:00405A88 C644242004 mov [esp+20],
04
:00405A8D E8E6330200 call 00428E78
:00405A92 8D4C2410 lea
ecx, dword ptr [esp+10]
:00405A96 885C241C mov
byte ptr [esp+1C], bl
:00405A9A E8A0320200 call 00428D3F
:00405A9F 53
push ebx
:00405AA0 6A40
push 00000040
現在我們就進入call 00402E80吧!
* Referenced by a CALL at Addresses:
|:00403F41 , :004048C5 , :0040539A , :00405989
|
:00402E80 64A100000000 mov eax, dword
ptr fs:[00000000]
:00402E86 6AFF
push FFFFFFFF
:00402E88 6831184300 push 00431831
:00402E8D 50
push eax
:00402E8E B80C100000 mov eax,
0000100C
:00402E93 64892500000000 mov dword ptr fs:[00000000],
esp
:00402E9A E8113A0100 call 004168B0
:00402E9F A1240E4400 mov eax,
dword ptr [00440E24]
:00402EA4 56
push esi
:00402EA5 57
push edi
:00402EA6 89442408 mov
dword ptr [esp+08], eax
:00402EAA C784241C10000000000000 mov dword ptr [esp+0000101C], 00000000
:00402EB5 E890AF0200 call 0042DE4A
:00402EBA 8B4004
mov eax, dword ptr [eax+04]
:00402EBD 8B888C000000 mov ecx, dword
ptr [eax+0000008C]
:00402EC3 51
push ecx
:00402EC4 8D4C240C lea
ecx, dword ptr [esp+0C]
:00402EC8 E8FB5F0200 call 00428EC8
:00402ECD 6A2E
push 0000002E
:00402ECF 8D4C240C lea
ecx, dword ptr [esp+0C]
:00402ED3 E8B1070200 call 00423689
:00402ED8 8D542410 lea
edx, dword ptr [esp+10]
:00402EDC 50
push eax
:00402EDD 52
push edx
:00402EDE 8D4C2410 lea
ecx, dword ptr [esp+10]
:00402EE2 E82A070200 call 00423611
:00402EE7 50
push eax
:00402EE8 8D4C240C lea
ecx, dword ptr [esp+0C]
:00402EEC C684242010000001 mov byte ptr [esp+00001020],
01
:00402EF4 E87F5F0200 call 00428E78
:00402EF9 8D4C2410 lea
ecx, dword ptr [esp+10]
:00402EFD C684241C10000000 mov byte ptr [esp+0000101C],
00
:00402F05 E8355E0200 call 00428D3F
:00402F0A A1240E4400 mov eax,
dword ptr [00440E24]
:00402F0F 8944240C mov
dword ptr [esp+0C], eax
:00402F13 8B4C2408 mov
ecx, dword ptr [esp+08]
:00402F17 8D54240C lea
edx, dword ptr [esp+0C]
:00402F1B 51
push ecx
* Possible StringData Ref from Data Obj ->"%s.ini"
|
:00402F1C 68CC014400 push 004401CC
:00402F21 52
push edx
:00402F22 C684242810000002 mov byte ptr [esp+00001028],
02
:00402F2A E8BD0A0200 call 004239EC
:00402F2F 8B442418 mov
eax, dword ptr [esp+18]
:00402F33 83C40C
add esp, 0000000C
* Reference To: KERNEL32.GetPrivateProfileStringA, Ord:013Ah
|
:00402F36 8B3520424300 mov esi, dword
ptr [00434220]
:00402F3C 8D8C2414080000 lea ecx, dword ptr
[esp+00000814]
:00402F43 50
push eax
:00402F44 6800040000 push 00000400
:00402F49 51
push ecx
:00402F4A 68802C4400 push 00442C80
* Possible StringData Ref from Data Obj ->"SerialCode"
|
:00402F4F 68C0014400 push 004401C0
* Possible StringData Ref from Data Obj ->"system"
|
:00402F54 68B8014400 push 004401B8
:00402F59 FFD6
call esi
:00402F5B 8B54240C mov
edx, dword ptr [esp+0C]
:00402F5F 8D842414040000 lea eax, dword ptr
[esp+00000414]
:00402F66 52
push edx
:00402F67 6800040000 push 00000400
:00402F6C 50
push eax
:00402F6D 68802C4400 push 00442C80
* Possible StringData Ref from Data Obj ->"RegCode"
|
:00402F72 68B0014400 push 004401B0
* Possible StringData Ref from Data Obj ->"system"
|
:00402F77 68B8014400 push 004401B8
:00402F7C FFD6
call esi
:00402F7E 8D4C2410 lea
ecx, dword ptr [esp+10]
:00402F82 51
push ecx
:00402F83 E8B8FEFFFF call 00402E40
//這個就是生成機器碼的地方!
上面是從檔案CCproxy.ini中讀取資料,併產生機器碼,
我係統生成的機器碼是"080808082808",(後來發現是個假的)
繼續跟蹤,一直來到這裡:
:00402FCC 52
push edx //這個是機器碼"080808082808"
:00402FCD 50
push eax //這個是你輸入的註冊碼"78787878"
:00402FCE E83DFBFFFF call 00402B10
//算註冊碼的call
:00402FD3 8D8C2400000000 lea ecx, dword ptr
[esp]
:00402FDA 6A0C
push 0000000C
:00402FDC 8D9424240C0000 lea edx, dword ptr
[esp+00000C24]
:00402FE3 52
push edx
:00402FE4 52
push edx
:00402FE5 E886380100 call 00416870
進入call 00402B10 然後一直按F10,一直來到這裡:
程式會根據"microserver0"和"ccproxy20010"還有你的序列號來生成註冊碼.
:00402B8E 8B442434 mov
eax, dword ptr [esp+34]
:00402B92 0FBE0408 movsx
eax, byte ptr [eax+ecx];將microserver0的字元依次傳給eax
:00402B96 0FBE140B movsx
edx, byte ptr [ebx+ecx];將ccproxy20010的字元依次傳給edx
:00402B9A 03C2
add eax, edx ;相加給eax
:00402B9C BD3E000000 mov ebp,
0000003E ;"3E"給ebp
:00402BA1 0FBE140F movsx
edx, byte ptr [edi+ecx];將序列號的字元依次傳給edx
:00402BA5 03C2
add eax, edx ;相加給eax
:00402BA7 0FBE11
movsx edx, byte ptr [ecx] ;將機器碼的字元依次傳給edx
:00402BAA 03C2
add eax, edx ;再相加給eax
:00402BAC 99
cdq
:00402BAD F7FD
idiv ebp
;最後的和除以ebp,也就是"3E"餘數給dl
:00402BAF 83FA1A
cmp edx, 0000001A ;大於"1A"嗎?
:00402BB2 7D05
jge 00402BB9 ;大於就跳
:00402BB4 80C261
add dl, 61 ;小於就加上61
:00402BB7 EB0D
jmp 00402BC6 ;跳到00402bc6處
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402BB2(C)
|
:00402BB9 83FA34
cmp edx, 00000034 ;大於"34"嗎?
:00402BBC 7D05
jge 00402BC3 ;大於就跳
:00402BBE 80C227
add dl, 27 ;小於就加上"27"
:00402BC1 EB03
jmp 00402BC6 ;跳到00402bc6處
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402BBC(C)
| |
:00402BC3 80EA04
sub dl, 04 ;上面如果小於就到了這裡,減去"4"
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402BB7(U), :00402BC1(U)
|
:00402BC6 8B442438 mov
eax, dword ptr [esp+38]
:00402BCA 88140E
mov byte ptr [esi+ecx], dl ;儲存註冊碼!
:00402BCD 41
inc ecx
;指向下一個機器碼的字元
:00402BCE 48
dec eax
;計數器
:00402BCF 89442438 mov
dword ptr [esp+38], eax
:00402BD3 75B9
jne 00402B8E ;形成迴圈
上面就是形成註冊碼的過程.
:00402BD5 5F
pop edi //到了這裡你可以用d esp+38來檢視註冊碼
:00402BD6 5E
pop esi
:00402BD7 5D
pop ebp
:00402BD8 5B
pop ebx
:00402BD9 83C420
add esp, 00000020
:00402BDC C3
ret
用這個註冊碼註冊,顯示註冊成功,可是再次執行軟體,還是未註冊版,那麼我們將斷點設在
生產註冊碼後的地方,也就是00402BD5這裡,重新執行程式,第一次中斷,下命令檢視註冊碼顯示
的就是剛才程式生產的假註冊碼,下命令 g,再次被中斷,這時再次檢視註冊碼,這個就是真的注
冊碼了,只不過你不能在註冊對話方塊輸入,只能在檔案中修改,呵呵,就這樣吧!