CuteFTP最新版V4.2.4 線上註冊的破解 (10千字)
CuteFTP最新版V4.2.4 線上註冊的破解
破解者:moonlite[BCG][FCG]
目標:
CuteFTP最新版V4.2.4
應用平臺:Win9X/ME/WinNT/2K
下載:http://www.globalscape.com/
大小:1694k
軟體用途: 當然是最cool的FTP客戶端軟體了,不用再多說了吧。
工具:TRW1.22,W32dasm, filemon,
regmon, Winhex
保護: 每次啟動都彈出註冊窗,提示上網註冊; 30 天試用期;動態CRC校驗。
【前言】: xy2000[BCG]老兄推薦的軟體,就拿它練練手吧.
我很喜歡這個軟體的原因有三:
㈠. 沒加殼;㈡. 沒有反除錯;
㈢. CRC的出錯資訊中體現了對crack們的尊重:請看
┼――――――――――――――――――――――――――――――――
CuteFTP consistency check failed. This means that you are probably using a corrupted version. This may caused by a virus.
Please, do a virus scan, reinstall CuteFTP and try to start it again.
――――――――――――――――――――――――――――――――――┼
它不象有些軟體,你一除錯,它就說 "Hmm...Debug yourself".
===>好,開始工作吧!◆
★(第一部分)找註冊碼
1)啟動cutftp32.exe,提示線上註冊nag視窗彈出。分析它的註冊資訊一定存放在登錄檔中,或有keyfile保護。
2)分別啟動filemon和regmon分析:
發現以下可疑點→
AUTONAME.DAT, COMMANDS.DAT-------->呼叫到的檔案
QueryValueEx HKLM\Software\GlobalSCAPE Inc.\CuteFTP\Key2
NOTFOUND
QueryValueEx HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductId
SUCCESS "80123-026-6304672-53376"
CloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
SUCCESS
OpenKey HKCR\Rl
NOTFOUND ※※※※
OpenKey HKLM\Software\GlobalSCAPE Inc.\CuteFTP SUCCESS
hKey: 0xC2A0E050
QueryValueEx HKLM\Software\GlobalSCAPE
Inc.\CuteFTP\Key1
NOTFOUND
3)我嘗試了建Key1 和 Key2兩個鍵值,沒有發現效果。就在HKCR\下建了個Rl\1,
隨便輸入字串 "23232323232323".
[HKEY_LOCAL_MACHINE\Software\GlobalSCAPE
Inc.\CuteFTP]下建"RegUserName"="moonLite[BCG]"
4)再次執行cutftp32.exe,線上註冊視窗彈出。喚出TRW,點選按鈕
"Contiue Trial" 並Ctrl+D 啟用TRW。程式來到--->
* Reference To: USER32.GetMessageA,
Ord:012Ah
|
:004DD7E4 FF1594D75100
Call dword ptr [0051D794]
:004DD7EA 85C0
test eax, eax<-------------------------游標在這!
:004DD7EC 7426
je 004DD814
:004DD7EE 817E346A030000
cmp dword ptr [esi+34], 0000036A
:004DD7F5 741A
je 004DD811
:004DD7F7 8B06
mov eax, dword
ptr [esi]
:004DD7F9 57
push edi
:004DD7FA 8BCE
mov ecx, esi
:004DD7FC FF5058
call [eax+58]
:004DD7FF 85C0
test eax, eax
:004DD801 750E
jne 004DD811
:004DD803 57
push edi
開始按F12+F10,
記錄下來可疑的跳轉:4D8249,43B873.
:0043B849 68F4235500
push 005523F4
:0043B84E 8BCB
mov ecx, ebx
:0043B850 E82CB70B00
call 004F6F81
:0043B855 8983DC000000
mov dword ptr [ebx+000000DC], eax
:0043B85B B801000000
mov eax, 00000001
:0043B860 898344060000
mov dword ptr [ebx+00000644], eax
:0043B866 898380060000
mov dword ptr [ebx+00000680], eax
:0043B86C E8FF4F0500
call 00490870------------------------->進入
:0043B871 85C0
test eax, eax-------------------------|這裡,讓eax=1 可以跳過nag!
:0043B873 753D
jne 0043B8B2
:0043B875 33F6
xor esi, esi
:0043B877 8BCB
mov ecx, ebx
:0043B879 56
push esi
* Possible
StringData Ref from Data Obj ->"TSUninstaller"
|
:0043B87A 68DC465500
push 005546DC
* Possible StringData Ref from Data Obj ->"CtFPRgsraeoe"
|
:0043B87F 68F4235500
push 005523F4
:0043B884 E85B890A00
call 004E41E4
:0043B889 89B380060000
mov dword ptr [ebx+00000680], esi
:0043B88F
6A01 push
00000001
:0043B891 8BCB
mov ecx, ebx
:0043B893 89B388060000
mov dword ptr [ebx+00000688], esi
:0043B899 E812130000
call 0043CBB0
:0043B89E 8BCB
mov ecx, ebx
:0043B8A0 E87B0A0000 call 0043C320-------------------------|線上註冊視窗
:0043B8A5 85C0
test eax, eax
:0043B8A7 751E
jne 0043B8C7
:0043B8A9 56
push esi
可見,0043B86C的CALL
有問題,得進去看看!
5)
* Referenced by a CALL at Addresses:
|:004013FA , :004300A8 , :004346DB , :0043B86C , :0044045B
|:004459D9 , :004476A3 , :00457F8F , :0047D15E ,
:0047D8FE
|:0048B82F , :0048C470 , :00491F79 , :004ACB68
|
:00490870 64A100000000 mov
eax, dword ptr fs:[00000000]
* Possible Reference to String Resource
ID=00255: "No entry for the current site found. Do you wish to create o"
|
:00490876 6AFF
push FFFFFFFF
:00490878 68D34F5100
push 00514FD3
:0049087D 50
push eax
:0049087E B81C180000 mov
eax, 0000181C
:00490883 64892500000000
mov dword ptr fs:[00000000], esp
:0049088A E801130300
call 004C1B90
:0049088F 53
push ebx
:00490890
8D8424680C0000 lea eax, dword ptr [esp+00000C68]
:00490897 56
push esi
:00490898 50
push eax
:00490899 E882F9FFFF
call 00490220
:0049089E 83C404
add esp, 00000004
:004908A1
85C0 test
eax, eax
:004908A3 7517
jne 004908BC
:004908A5 5E
pop esi
:004908A6 5B
pop ebx
:004908A7
8B8C241C180000 mov ecx, dword ptr [esp+0000181C]
:004908AE 64890D00000000 mov dword ptr
fs:[00000000], ecx
:004908B5 81C428180000
add esp, 00001828
:004908BB C3
ret
-->不斷按F10,會來到:
:004908E7 83C40C
add esp, 0000000C
:004908EA 85C0
test eax, eax
:004908EC 5F
pop edi
:004908ED
0F857A020000 jne 00490B6D
:004908F3
8A84249C040000 mov al, byte ptr [esp+0000049C]---------------|從“23232323232323”取一個字元
:004908FA 84C0
test al, al
:004908FC 0F84C1020000
je 00490BC3
:00490902 8D8C249C040000
lea ecx, dword ptr [esp+0000049C]---------------|ecx指向“23232323232323”字串
:00490909 8D542418 lea
edx, dword ptr [esp+18]
:0049090D 51
push ecx
:0049090E 52
push edx
:0049090F
C7442420FFFFFF7F mov [esp+20], 7FFFFFFF
:00490917
E824690200 call 004B7240--------------->注意到緊跟的判斷,得追進去
:0049091C 83C408
add esp, 00000008
:0049091F 6685C0
test ax, ax---------------|ax不為0,就能成功了!
:00490922 7519
jne 0049093D---------------|不跳轉則失敗!
:00490924 5E
pop esi
:00490925 33C0
xor eax, eax---------------|eax為註冊標誌
:00490927
5B
pop ebx
:00490928 8B8C241C180000 mov ecx,
dword ptr [esp+0000181C]
:0049092F 64890D00000000
mov dword ptr fs:[00000000], ecx
:00490936 81C428180000
add esp, 00001828
:0049093C C3
ret
--------------------
* Referenced by a CALL at Addresses:
|:00490917 , :00490BA2
, :004915A6
|
:004B7240 83EC20
sub esp, 00000020--------------------------------------------|
:004B7243 83C9FF
or ecx, FFFFFFFF
|
:004B7246 33C0
xor eax, eax
|
:004B7248 56
push esi
|
:004B7249
8B74242C mov esi, dword
ptr [esp+2C]/指向從“23232323232323”字串 |計算字串長度
:004B724D 57
push edi
|
:004B724E 8BFE
mov edi, esi
|
:004B7250 F2
repnz
|
:004B7251 AE
scasb
|
:004B7252 F7D1
not ecx
|
:004B7254 49
dec ecx -----------------------------------------------------|
:004B7255 83F90E
cmp ecx, 0000000E--------------------|長度不是14位,就不帶玩了!
:004B7258 7573
jne 004B72CD-------------------------|不要在此跳啊!
:004B725A 56
push esi
:004B725B E863E10000
call 004C53C3
............
接著走到
:004B728C
C644242800 mov [esp+28], 00
:004B7291 E86A20FEFF call 00499300
:004B7296 8D442438
lea eax, dword ptr [esp+38]-------------------|下 d eax 看看
* Possible
Reference to String Resource ID=00014: "Paste Url"
|
:004B729A 6A0E
push 0000000E
:004B729C 8D4C242C
lea ecx, dword ptr [esp+2C]-------------------|下 d
ecx 可以看到精彩部分啊!
============================================================================
0030:0071DAE4 41 32 32 32 32 32 32 32-32 32 32 32 32 32 00 C2 A2222222222222.?
0030:0071DAF4 32 33 32 33 32 33 32 33-32 33 32 33 32 33 00 00 23232323232323..
============================================================================
:004B72A0 50
push eax
:004B72A1 51
push ecx
:004B72A2 E879C90000
call 004C3C20-------------------|關鍵的比較部分!(不想列出了,否則篇幅太長了)
:004B72A7 83C42C
add esp, 0000002C
:004B72AA 85C0
test eax, eax-------------------|eax=0 就對了!eax=1,則失敗
:004B72AC 7510
jne 004B72BE--------------------|eax=1,則做失敗跳轉
:004B72AE 8B54242C
mov edx, dword ptr [esp+2C]
:004B72B2 660DFFFF or ax,
FFFF
:004B72B6 893A
mov dword ptr [edx], edi
:004B72B8 5F
pop edi
:004B72B9 5E
pop esi
:004B72BA 83C420
add esp, 00000020
:004B72BD C3
ret
▲試著將[HKEY_CLASSES_ROOT\Rl]\1 的鍵值改為"A2222222222222",重新執行程式--哇!
nag 視窗沒有了!!但是在about視窗中是
Licensed to: UNVERIFIED - moonLite [BCG], 難道還要上網驗證嗎?
6)果然,上網後啟動程式,它會自動與它的伺服器連線並驗證,返回 “moonLite[BCG] & A2222222222222” not accepted....真厲害!
從上面的比對可以看出,本地檢查是拿輸入去和記憶體中現成的字串比較,正確的值直接暴露在除錯器裡,所以本地這一關擋不住;真正起作用的是伺服器端的驗證。
――>看來只有爆破了。
〓 待續 〓