加密精靈V2.2破解過程 (9千字)
加密精靈V2.2是一個檔案加密工具,破解它可以用兩種方法:爆破和註冊演算法。好,我們來看看怎樣破它:
1、爆破:
用W32DASM反彙編主程式,在串式參考中查詢“這個軟體註冊給”,雙擊它,會找到下面的程式碼:
* Reference To: GDI32.GetObjectA, Ord:014Fh
|
:00418E90 FF1578804300 Call dword ptr
[00438078]
:00418E96 A178F74300 mov eax,
dword ptr [0043F778] <=====取回註冊標誌
:00418E9B 85C0
test eax, eax
<=====是否是0
:00418E9D 7420
je 00418EBF
<=====是則沒有註冊,跳到未註冊的程式碼處
:00418E9F 682CF34300 push 0043F32C
<=====註冊成功
:00418EA4 8D542434 lea
edx, dword ptr [esp+34]
* Possible StringData Ref from Data Obj ->"這個軟體註冊給: %s"
|
:00418EA8 68D0C84300 push 0043C8D0
:00418EAD 52
push edx
* Reference To: USER32.wsprintfA, Ord:02ACh
|
:00418EAE FF1520834300 Call dword ptr
[00438320]
:00418EB4 83C40C
add esp, 0000000C
:00418EB7 8D442430 lea
eax, dword ptr [esp+30]
:00418EBB 33C9
xor ecx, ecx
:00418EBD EB0A
jmp 00418EC9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418E9D(C)
|
* Possible StringData Ref from Data Obj ->"您的註冊是對我們最大的支援和鼓勵"
|
:00418EBF B8ACC84300 mov eax,
0043C8AC
* Possible Reference to Dialog: DialogID_00A1, CONTROL_ID:00FF, ""
看到上面的程式碼了嗎?所以我們必須把註冊標誌改為不為零的數字,通常是改為1,我的改法是:
:00418E96 A178F74300 mov eax,
dword ptr [0043F778] <=====改為mov word ptr
:00418E9B 85C0
test eax, eax
<=====[0043F778],1剛好九個位元組
:00418E9D 7420
je 00418EBF
2、註冊演算法:
這個軟體是根據註冊名來算出註冊碼的,註冊碼一共有16位,程式會自動生成密碼表,密碼表的形式為:
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz
然後透過註冊名算出各個註冊碼在密碼表中的位置.好,我們先下中斷,BPX HMEMCPY,中斷後用pmodule返回到主程式:
:0040151F 6A1E
push 0000001E <=====返回到這裡
:00401521 6864EA4300 push 0043EA64
:00401526 6815040000 push 00000415
:0040152B 53
push ebx
:0040152C FFD6
call esi
:0040152E 50
push eax
:0040152F FFD7
call edi
:00401531 6A02
push 00000002
:00401533 6A00
push 00000000
:00401535 E836780100 call 00418D70
:0040153A 6A00
push 00000000
:0040153C 6864EA4300 push 0043EA64
<=====這裡是我們輸入的註冊名和註冊碼
:00401541 682CF34300 push 0043F32C
<=====
:00401546 E895730200 call 004288E0
<=====計算和判斷註冊碼的CALL,如果不正確則EAX=1,所以要F8進入
:0040154B 83C414
add esp, 00000014
:0040154E F7D8
neg eax
:00401550 1BC0
sbb eax, eax
:00401552 40
inc eax
:00401553 A378F74300 mov dword
ptr [0043F778], eax
:00401558 0F849C000000 je 004015FA
<====如果註冊碼不正確,則跳
:0040155E BF2CF34300 mov edi,
0043F32C
:00401563 83C9FF
or ecx, FFFFFFFF
:00401566 33C0
xor eax, eax
:00401568 F2
repnz
:00401569 AE
scasb
:0040156A F7D1
not ecx
:0040156C 51
push ecx
:0040156D 682CF34300 push 0043F32C
* Possible StringData Ref from Data Obj ->"UserName"
|
:00401572 68D0B04300 push 0043B0D0
* Possible StringData Ref from Data Obj ->"Setings"
|
:00401577 68C8B04300 push 0043B0C8
:0040157C E8BF030000 call 00401940
:00401581 8BC8
mov ecx, eax
:00401583 E8A8B10000 call 0040C730
:00401588 BF64EA4300 mov edi,
0043EA64
:0040158D 83C9FF
or ecx, FFFFFFFF
:00401590 33C0
xor eax, eax
:00401592 F2
repnz
:00401593 AE
scasb
:00401594 F7D1
not ecx
:00401596 51
push ecx
:00401597 6864EA4300 push 0043EA64
* Possible StringData Ref from Data Obj ->"RegisterNumber"
進入CALL後,一直按F10,來到下面的地方:
:004288FA E871000000 call 00428970
<====呼叫演算法的CALL,F8進入
:004288FF 83C408
add esp, 00000008
:00428902 85C0
test eax, eax
:00428904 744D
je 00428953
:00428906 53
push ebx
:00428907 56
push esi
:00428908 8D74240C lea
esi, dword ptr [esp+0C]
:0042890C 8BC7
mov eax, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428930(C)
|
:0042890E 8A10
mov dl, byte ptr [eax] <====我們輸入的假註冊碼
:00428910 8A1E
mov bl, byte ptr [esi] <====真正的註冊碼,用D ESI就可以看到真正的註冊碼
:00428912 8ACA
mov cl, dl
:00428914 3AD3
cmp dl, bl <====比較註冊碼
:00428916 751E
jne 00428936
:00428918 84C9
test cl, cl
:0042891A 7416
je 00428932
:0042891C 8A5001
mov dl, byte ptr [eax+01]
:0042891F 8A5E01
mov bl, byte ptr [esi+01]
:00428922 8ACA
mov cl, dl
:00428924 3AD3
cmp dl, bl
:00428926 750E
jne 00428936
:00428928 83C002
add eax, 00000002
:0042892B 83C602
add esi, 00000002
:0042892E 84C9
test cl, cl
:00428930 75DC
jne 0042890E
下面是註冊演算法:
:004289E1 8B442458 mov
eax, dword ptr [esp+58] <===取註冊名,ESI初始值=註冊名長度
:004289E5 33D2
xor edx, edx
:004289E7 BF3E000000 mov edi,
0000003E
:004289EC 0FBE0C06 movsx
ecx, byte ptr [esi+eax] <==取註冊名+註冊名字元位置
:004289F0 03CD
add ecx, ebp <===ECX+B2770FBE
:004289F2 8BC1
mov eax, ecx <+==EAX=ECX EAX=商 EDX=餘數
:004289F4 F7F7
div edi <==EAX/3E
:004289F6 83F93D
cmp ecx, 0000003D <==;比較CL是否大於3D
:004289F9 8BFA
mov edi, edx
:004289FB 7615
jbe 00428A12 不大於則跳
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428A10(C)
|
:004289FD B885104208 mov eax,
08421085
:00428A02 F7E1
mul ecx
:00428A04 2BCA
sub ecx, edx
:00428A06 D1E9
shr ecx, 1
:00428A08 03CA
add ecx, edx
:00428A0A C1E905
shr ecx, 05
:00428A0D 83F93D
cmp ecx, 0000003D
:00428A10 77EB
ja 004289FD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004289FB(C)
|
:00428A12 03CF
add ecx, edi
:00428A14 83F93D
cmp ecx, 0000003D
:00428A17 761F
jbe 00428A38
:00428A19 8BC1
mov eax, ecx
:00428A1B 33D2
xor edx, edx
:00428A1D BF3E000000 mov edi,
0000003E
:00428A22 F7F7
div edi
:00428A24 B885104208 mov eax,
08421085
:00428A29 8BFA
mov edi, edx
:00428A2B F7E1
mul ecx
:00428A2D 2BCA
sub ecx, edx
:00428A2F D1E9
shr ecx, 1
:00428A31 03CA
add ecx, edx
:00428A33 C1E905
shr ecx, 05
:00428A36 03CF
add ecx, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428A17(C)
|
:00428A38 8B54245C mov
edx, dword ptr [esp+5C]
:00428A3C 8A4C0C14 mov
cl, byte ptr [esp+ecx+14] <===從密碼表中取位置為ECX的註冊碼
:00428A40 8B442410 mov
eax, dword ptr [esp+10]
:00428A44 880C13
mov byte ptr [ebx+edx], cl <====儲存註冊碼
:00428A47 43
inc ebx
:00428A48 46
inc esi
:00428A49 3BF0
cmp esi, eax
:00428A4B 7C02
jl 00428A4F
:00428A4D 33F6
xor esi, esi <=====清0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428A4B(C)
|
:00428A4F 45
inc ebp
:00428A50 83FB10
cmp ebx, 00000010 <====夠16位了嗎?
:00428A53 7C8C
jl 004289E1 <====不夠繼續運算
:00428A55 8B44245C mov
eax, dword ptr [esp+5C]
:00428A59 C70598FB430010000000 mov dword ptr [0043FB98], 00000010
:00428A63 5D
pop ebp
:00428A64 C6040300 mov
byte ptr [ebx+eax], 00
:00428A68 5B
pop ebx
:00428A69 5F
pop edi
:00428A6A B801000000 mov eax,
00000001
:00428A6F 5E
pop esi
:00428A70 83C444
add esp, 00000044
:00428A73 C3
ret
寫序號產生器不是小弟的長項,希望哪位朋友寫一個序號產生器給大家用好了,呵呵