加密精靈V2.2破解過程 (9千字)
加密精靈V2.2是一個檔案加密工具,破解它可以用兩種方法:爆破和註冊演算法。好,我們來看看怎樣破它:
1、爆破:
用W32DASM反彙編主程式,在串式參考中查詢“這個軟體註冊給”,雙擊它,會找到下面的程式碼:
* Reference To: GDI32.GetObjectA, Ord:014Fh
|
:00418E90 FF1578804300 Call dword ptr
[00438078]
:00418E96 A178F74300 mov eax,
dword ptr [0043F778] <=====取回註冊標誌
:00418E9B 85C0
test eax, eax
<=====是否是0
:00418E9D 7420
je 00418EBF
<=====是則沒有註冊,跳到未註冊的程式碼處
:00418E9F 682CF34300 push 0043F32C
<=====註冊成功
:00418EA4 8D542434 lea
edx, dword ptr [esp+34]
* Possible StringData Ref from Data Obj ->"這個軟體註冊給: %s"
|
:00418EA8 68D0C84300 push 0043C8D0
:00418EAD 52
push edx
* Reference To: USER32.wsprintfA, Ord:02ACh
|
:00418EAE FF1520834300 Call dword ptr
[00438320]
:00418EB4 83C40C
add esp, 0000000C
:00418EB7 8D442430 lea
eax, dword ptr [esp+30]
:00418EBB 33C9
xor ecx, ecx
:00418EBD EB0A
jmp 00418EC9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418E9D(C)
|
* Possible StringData Ref from Data Obj ->"您的註冊是對我們最大的支援和鼓勵"
|
:00418EBF B8ACC84300 mov eax,
0043C8AC
* Possible Reference to Dialog: DialogID_00A1, CONTROL_ID:00FF, ""
看到上面的程式碼了嗎?所以我們必須把註冊標誌改為不為零的數字,通常是改為1,我的改法是:
:00418E96 A178F74300 mov eax,
dword ptr [0043F778] <=====改為mov word ptr
:00418E9B 85C0
test eax, eax
<=====[0043F778],1剛好九個位元組
:00418E9D 7420
je 00418EBF
2、註冊演算法:
這個軟體是根據註冊名來算出註冊碼的,註冊碼一共有16位,程式會自動生成密碼錶,密碼錶的形式為:
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz
然後透過註冊名算出各個註冊碼在密碼錶中的位置.好,我們先下中斷,BPX HMEMCPY,中斷後用pmodule返回到主程式:
:0040151F 6A1E
push 0000001E <=====返回到這裡
:00401521 6864EA4300 push 0043EA64
:00401526 6815040000 push 00000415
:0040152B 53
push ebx
:0040152C FFD6
call esi
:0040152E 50
push eax
:0040152F FFD7
call edi
:00401531 6A02
push 00000002
:00401533 6A00
push 00000000
:00401535 E836780100 call 00418D70
:0040153A 6A00
push 00000000
:0040153C 6864EA4300 push 0043EA64
<=====這裡是我們輸入的註冊名和註冊碼
:00401541 682CF34300 push 0043F32C
<=====
:00401546 E895730200 call 004288E0
<=====計算和判斷註冊碼的CALL,如果不正確則EAX=1,所以要F8進入
:0040154B 83C414
add esp, 00000014
:0040154E F7D8
neg eax
:00401550 1BC0
sbb eax, eax
:00401552 40
inc eax
:00401553 A378F74300 mov dword
ptr [0043F778], eax
:00401558 0F849C000000 je 004015FA
<====如果註冊碼不正確,則跳
:0040155E BF2CF34300 mov edi,
0043F32C
:00401563 83C9FF
or ecx, FFFFFFFF
:00401566 33C0
xor eax, eax
:00401568 F2
repnz
:00401569 AE
scasb
:0040156A F7D1
not ecx
:0040156C 51
push ecx
:0040156D 682CF34300 push 0043F32C
* Possible StringData Ref from Data Obj ->"UserName"
|
:00401572 68D0B04300 push 0043B0D0
* Possible StringData Ref from Data Obj ->"Setings"
|
:00401577 68C8B04300 push 0043B0C8
:0040157C E8BF030000 call 00401940
:00401581 8BC8
mov ecx, eax
:00401583 E8A8B10000 call 0040C730
:00401588 BF64EA4300 mov edi,
0043EA64
:0040158D 83C9FF
or ecx, FFFFFFFF
:00401590 33C0
xor eax, eax
:00401592 F2
repnz
:00401593 AE
scasb
:00401594 F7D1
not ecx
:00401596 51
push ecx
:00401597 6864EA4300 push 0043EA64
* Possible StringData Ref from Data Obj ->"RegisterNumber"
進入CALL後,一直按F10,來到下面的地方:
:004288FA E871000000 call 00428970
<====呼叫演算法的CALL,F8進入
:004288FF 83C408
add esp, 00000008
:00428902 85C0
test eax, eax
:00428904 744D
je 00428953
:00428906 53
push ebx
:00428907 56
push esi
:00428908 8D74240C lea
esi, dword ptr [esp+0C]
:0042890C 8BC7
mov eax, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428930(C)
|
:0042890E 8A10
mov dl, byte ptr [eax] <====我們輸入的假註冊碼
:00428910 8A1E
mov bl, byte ptr [esi] <====真正的註冊碼,用D ESI就可以看到真正的註冊碼
:00428912 8ACA
mov cl, dl
:00428914 3AD3
cmp dl, bl <====比較註冊碼
:00428916 751E
jne 00428936
:00428918 84C9
test cl, cl
:0042891A 7416
je 00428932
:0042891C 8A5001
mov dl, byte ptr [eax+01]
:0042891F 8A5E01
mov bl, byte ptr [esi+01]
:00428922 8ACA
mov cl, dl
:00428924 3AD3
cmp dl, bl
:00428926 750E
jne 00428936
:00428928 83C002
add eax, 00000002
:0042892B 83C602
add esi, 00000002
:0042892E 84C9
test cl, cl
:00428930 75DC
jne 0042890E
下面是註冊演算法:
:004289E1 8B442458 mov
eax, dword ptr [esp+58] <===取註冊名,ESI初始值=註冊名長度
:004289E5 33D2
xor edx, edx
:004289E7 BF3E000000 mov edi,
0000003E
:004289EC 0FBE0C06 movsx
ecx, byte ptr [esi+eax] <==取註冊名+註冊名字元位置
:004289F0 03CD
add ecx, ebp <===ECX+B2770FBE
:004289F2 8BC1
mov eax, ecx <+==EAX=ECX EAX=商 EDX=餘數
:004289F4 F7F7
div edi <==EAX/3E
:004289F6 83F93D
cmp ecx, 0000003D <==;比較CL是否大於3D
:004289F9 8BFA
mov edi, edx
:004289FB 7615
jbe 00428A12 不大於則跳
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428A10(C)
|
:004289FD B885104208 mov eax,
08421085
:00428A02 F7E1
mul ecx
:00428A04 2BCA
sub ecx, edx
:00428A06 D1E9
shr ecx, 1
:00428A08 03CA
add ecx, edx
:00428A0A C1E905
shr ecx, 05
:00428A0D 83F93D
cmp ecx, 0000003D
:00428A10 77EB
ja 004289FD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004289FB(C)
|
:00428A12 03CF
add ecx, edi
:00428A14 83F93D
cmp ecx, 0000003D
:00428A17 761F
jbe 00428A38
:00428A19 8BC1
mov eax, ecx
:00428A1B 33D2
xor edx, edx
:00428A1D BF3E000000 mov edi,
0000003E
:00428A22 F7F7
div edi
:00428A24 B885104208 mov eax,
08421085
:00428A29 8BFA
mov edi, edx
:00428A2B F7E1
mul ecx
:00428A2D 2BCA
sub ecx, edx
:00428A2F D1E9
shr ecx, 1
:00428A31 03CA
add ecx, edx
:00428A33 C1E905
shr ecx, 05
:00428A36 03CF
add ecx, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428A17(C)
|
:00428A38 8B54245C mov
edx, dword ptr [esp+5C]
:00428A3C 8A4C0C14 mov
cl, byte ptr [esp+ecx+14] <===從密碼錶中取位置為ECX的註冊碼
:00428A40 8B442410 mov
eax, dword ptr [esp+10]
:00428A44 880C13
mov byte ptr [ebx+edx], cl <====儲存註冊碼
:00428A47 43
inc ebx
:00428A48 46
inc esi
:00428A49 3BF0
cmp esi, eax
:00428A4B 7C02
jl 00428A4F
:00428A4D 33F6
xor esi, esi <=====清0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00428A4B(C)
|
:00428A4F 45
inc ebp
:00428A50 83FB10
cmp ebx, 00000010 <====夠16位了嗎?
:00428A53 7C8C
jl 004289E1 <====不夠繼續運算
:00428A55 8B44245C mov
eax, dword ptr [esp+5C]
:00428A59 C70598FB430010000000 mov dword ptr [0043FB98], 00000010
:00428A63 5D
pop ebp
:00428A64 C6040300 mov
byte ptr [ebx+eax], 00
:00428A68 5B
pop ebx
:00428A69 5F
pop edi
:00428A6A B801000000 mov eax,
00000001
:00428A6F 5E
pop esi
:00428A70 83C444
add esp, 00000044
:00428A73 C3
ret
寫序號產生器不是小弟的長項,希望哪位朋友寫一個序號產生器給大家用好了,呵呵