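Cracking 盲打之友 V2.5 (including the registration algorithm)
Cracking process for 盲打之友 V2.5
Tools: trw2000
Hview
W32dasm 8.93 Gold Chinese edition
Cracked by: crackjack[BCG]
Limits of the unregistered version: 1. You can only practise for 2 minutes. 2. It can only be run three times; after the third run you must restart the system to keep using it.
As before, we register it in two ways: patching and a keygen.
1. Patching:
Disassemble the program with W32DASM and look in the string references for "軟體註冊失敗!請重新註冊!" ("Software registration failed! Please register again!"). Double-click it and you land on the following code: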
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00469C5C(C)
|
* Possible StringData Ref from Code Obj ->"軟體註冊失敗!請重新註冊!"
|
:00469C9B B89C9D4600    mov eax, 00469D9C
:00469CA0 E8EB22FEFF    call 0044BF90
:00469CA5 EB0A          jmp 00469CB1
The listing shows that this code is reached by a jump from address 00469C5C, so let's look at the code around that address:
:00469C4A E8A559FFFF    call 0045F5F4
:00469C4F 8B55F4        mov edx, dword ptr [ebp-0C]
:00469C52 8B45F8        mov eax, dword ptr [ebp-08]
:00469C55 E8BA57FFFF    call 0045F414  <===== compute and compare the registration code
:00469C5A 84C0          test al, al
:00469C5C 743D          je 00469C9B  <===== jump to the registration-failure path
:00469C5E 8B45FC        mov eax, dword ptr [ebp-04]
:00469C61 E8B656FFFF    call 0045F31C  <===== try to write the registration code to the registry
:00469C66 84C0          test al, al
:00469C68 7425          je 00469C8F  <===== jump if that fails
* Possible StringData Ref from Code Obj ->"恭喜!恭喜!軟體註冊成功!"  <===== registration succeeded
|
:00469C6A B8049D4600    mov eax, 00469D04
:00469C6F E81C23FEFF    call 0044BF90
:00469C74 33D2          xor edx, edx
:00469C76 8B8620040000  mov eax, dword ptr [esi+00000420]
:00469C7C E84716FCFF    call 0042B2C8
So the call at 00469C55 is the key CALL. Step into it with F8 and see where it assigns a value to al:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045F448(C), :0045F45C(C), :0045F4E9(C), :0045F4EE(C), :0045F535(C)
|:0045F53A(C)
|
:0045F561 33C0          xor eax, eax
:0045F563 5A            pop edx
:0045F564 59            pop ecx
:0045F565 59            pop ecx
:0045F566 648910        mov dword ptr fs:[eax], edx
:0045F569 687EF54500    push 0045F57E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F57C(U)
|
:0045F56E 8D45F0        lea eax, dword ptr [ebp-10]
:0045F571 E89A43FAFF    call 00403910
:0045F576 C3            ret
:0045F577 E9543EFAFF    jmp 004033D0
:0045F57C EBF0          jmp 0045F56E
:0045F57E 8A45F7        mov al, byte ptr [ebp-09]  <===== load the flag; if the registration code is wrong, al=0, so we change this to mov al,01; NOP
:0045F581 5F            pop edi
:0045F582 5E            pop esi
:0045F583 5B            pop ebx
:0045F584 8BE5          mov esp, ebp
:0045F586 5D            pop ebp
:0045F587 C3            ret
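Six addresses jump to this code, and all six do so when the registration code is wrong or the program is unregistered, so changing the code at address 0045F57E is all that is needed.
If you are interested in the registration algorithm, read on:
2. Registration algorithm:
The registration code has the form 123456-7890ab-cdefgh-ijklmn. The routine takes the odd-position characters of the code (if we enter the code above, the characters taken are 13579acegikm) and computes the even-position characters from them.
Step into the CALL at 00469C55 with F8: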
:0045F414 55            push ebp
:0045F415 8BEC          mov ebp, esp
:0045F417 83C4E4        add esp, FFFFFFE4
:0045F41A 53            push ebx
:0045F41B 56            push esi
:0045F41C 57            push edi
:0045F41D 33C9          xor ecx, ecx
:0045F41F 894DF0        mov dword ptr [ebp-10], ecx
:0045F422 8955F8        mov dword ptr [ebp-08], edx
:0045F425 8945FC        mov dword ptr [ebp-04], eax
:0045F428 33C0          xor eax, eax
:0045F42A 55            push ebp
:0045F42B 6877F54500    push 0045F577
:0045F430 64FF30        push dword ptr fs:[eax]
:0045F433 648920        mov dword ptr fs:[eax], esp
:0045F436 C645F700      mov [ebp-09], 00
:0045F43A 8B45FC        mov eax, dword ptr [ebp-04]
:0045F43D E84A47FAFF    call 00403B8C  <===== get the length of the odd-position characters; EAX = length
:0045F442 3B05B0EC4600  cmp eax, dword ptr [0046ECB0]  <===== compare with 0C
:0045F448 0F8513010000  jne 0045F561  <===== if not equal, jump to registration failure
:0045F44E 8B45F8        mov eax, dword ptr [ebp-08]
:0045F451 E83647FAFF    call 00403B8C  <===== get the length of the even-position characters; EAX = length
:0045F456 3B05B0EC4600  cmp eax, dword ptr [0046ECB0]  <===== compare with 0C
:0045F45C 0F85FF000000  jne 0045F561  <===== if not equal, jump to registration failure
:0045F462 33FF          xor edi, edi
:0045F464 A1B4EC4600    mov eax, dword ptr [0046ECB4]  <===== fetch the coefficient 5945H
:0045F469 8945EC        mov dword ptr [ebp-14], eax  <===== save it for the computation
:0045F46C A1BCEC4600    mov eax, dword ptr [0046ECBC]  <===== fetch the coefficient F3B4H
:0045F471 8945E8        mov dword ptr [ebp-18], eax  <===== save it for the computation
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F40E(C)
|
:0045F474 8B45FC        mov eax, dword ptr [ebp-04]
:0045F477 E81047FAFF    call 00403B8C
:0045F47C 85C0          test eax, eax
:0045F47E 7C16          jl 0045F496
:0045F480 40            inc eax
:0045F481 8945E4        mov dword ptr [ebp-1C], eax
:0045F484 33F6          xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:  <===== this loop sums the odd-position characters; the sum is the coefficient for computing the first even-position character, and the result is left in EDI
|:0045F494(C)
|
:0045F486 8B45FC        mov eax, dword ptr [ebp-04]
:0045F489 0FB64430FF    movzx eax, byte ptr [eax+esi-01]  <===== fetch an odd-position character
:0045F48E 03F8          add edi, eax  <===== accumulate
:0045F490 46            inc esi
:0045F491 FF4DE4        dec [ebp-1C]
:0045F494 75F0          jne 0045F486  <===== keep adding until all are summed
* Referenced by a (U)nconditional or (C)onditional Jump at Address:  <===== the code that computes the even-position characters
|:0045F47E(C)
|
:0045F496 A1B8EC4600    mov eax, dword ptr [0046ECB8]  <===== fetch the coefficient C499H
:0045F49B 2145EC        and dword ptr [ebp-14], eax  <===== AND it into the saved 5945H (call the result R1)
:0045F49E 8D45F0        lea eax, dword ptr [ebp-10]
:0045F4A1 8B15B0EC4600  mov edx, dword ptr [0046ECB0]
:0045F4A7 E8104AFAFF    call 00403EBC
:0045F4AC A1C0EC4600    mov eax, dword ptr [0046ECC0]  <===== fetch the coefficient 5908H
:0045F4B1 2145E8        and dword ptr [ebp-18], eax  <===== AND it into the saved F3B4H (call the result R2)
:0045F4B4 A1B0EC4600    mov eax, dword ptr [0046ECB0]
:0045F4B9 85C0          test eax, eax
:0045F4BB 0F8E91000000  jle 0045F552
:0045F4C1 8945E4        mov dword ptr [ebp-1C], eax
:0045F4C4 BE01000000    mov esi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F54C(C)
|
:0045F4C9 8B45FC        mov eax, dword ptr [ebp-04]
:0045F4CC 33DB          xor ebx, ebx
:0045F4CE 8A5C30FF      mov bl, byte ptr [eax+esi-01]  <===== fetch a character of the code
:0045F4D2 83FB30        cmp ebx, 00000030  <===== is it a digit?
:0045F4D5 7C05          jl 0045F4DC  <===== if not, go on to the next check
:0045F4D7 83FB39        cmp ebx, 00000039
:0045F4DA 7E14          jle 0045F4F0  <===== if so, jump to the computation
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F4D5(C)
|
:0045F4DC 83FB41        cmp ebx, 00000041
:0045F4DF 7C05          jl 0045F4E6  <===== is it an uppercase letter?
:0045F4E1 83FB5A        cmp ebx, 0000005A
:0045F4E4 7E0A          jle 0045F4F0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F4DF(C)
|
:0045F4E6 83FB61        cmp ebx, 00000061  <===== is it a lowercase letter?
:0045F4E9 7C76          jl 0045F561
:0045F4EB 83FB7A        cmp ebx, 0000007A
:0045F4EE 7F71          jg 0045F561  <===== if it is none of these, registration fails
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:  <===== the registration-code computation starts here
|:0045F4DA(C), :0045F4E4(C)
|
:0045F4F0 8B45FC        mov eax, dword ptr [ebp-04]  <===== fetch the odd-position character (N)
:0045F4F3 0FB64430FF    movzx eax, byte ptr [eax+esi-01]  <===== EAX = that character
:0045F4F8 8BD0          mov edx, eax  <===== EDX = EAX
:0045F4FA 03D7          add edx, edi  <===== EDX = EAX + EDI
:0045F4FC 0FAF55EC      imul edx, dword ptr [ebp-14]  <===== EDX = EDX * R1
:0045F500 8B4DFC        mov ecx, dword ptr [ebp-04]
:0045F503 0FB60C31      movzx ecx, byte ptr [ecx+esi]  <===== fetch character N+1 (ECX)
:0045F507 33F9          xor edi, ecx  <===== EDI = EDI XOR ECX
:0045F509 0FAF7DE8      imul edi, dword ptr [ebp-18]  <===== EDI = EDI * R2
:0045F50D 03D7          add edx, edi  <===== EDX = EDX + EDI
:0045F50F 8BFA          mov edi, edx  <===== EDI = EDX
:0045F511 C1EF08        shr edi, 08  <===== shift EDI right by 8 bits; this result is also the coefficient for the next character
:0045F514 8B55FC        mov edx, dword ptr [ebp-04]
:0045F517 8BD8          mov ebx, eax  <===== EBX = N
:0045F519 33DF          xor ebx, edi  <===== EBX = EBX XOR EDI
:0045F51B 83E37F        and ebx, 0000007F  <===== EBX = EBX AND 7F (BL is taken as the corresponding even-position character)
:0045F51E 83FB30        cmp ebx, 00000030  <===== is the result a digit?
:0045F521 7C05          jl 0045F528
:0045F523 83FB39        cmp ebx, 00000039
:0045F526 7E14          jle 0045F53C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F521(C)
|
:0045F528 83FB41        cmp ebx, 00000041  <===== is the result an uppercase letter?
:0045F52B 7C05          jl 0045F532
:0045F52D 83FB5A        cmp ebx, 0000005A
:0045F530 7E0A          jle 0045F53C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F52B(C)
|
:0045F532 83FB61        cmp ebx, 00000061  <===== is the result a lowercase letter?
:0045F535 7C2A          jl 0045F561
:0045F537 83FB7A        cmp ebx, 0000007A
:0045F53A 7F25          jg 0045F561  <===== if it is none of these, registration fails
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045F526(C), :0045F530(C)
|
:0045F53C 8D45F0        lea eax, dword ptr [ebp-10]
:0045F53F E81848FAFF    call 00403D5C
:0045F544 885C30FF      mov byte ptr [eax+esi-01], bl  <===== store the result
:0045F548 46            inc esi
:0045F549 FF4DE4        dec [ebp-1C]  <===== finished computing?
:0045F54C 0F8577FFFFFF  jne 0045F4C9  <===== if not, keep computing
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F4BB(C)
|
:0045F552 8B45F0        mov eax, dword ptr [ebp-10]  <===== load the computed even-position characters
:0045F555 8B55F8        mov edx, dword ptr [ebp-08]  <===== load the even-position characters of the dummy code that was entered
:0045F558 E83F47FAFF    call 00403C9C  <===== compare the two
:0045F55D 0F9445F7      sete byte ptr [ebp-09]  <===== set the registration flag from the comparison result
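That makes the registration algorithm clear. I can't put a keygen together right away: for this program one can't be made with the alternative keygen-maker tools, and the only way is to write a program that enumerates its registration codes. Give me a few days and I'll publish my keygen.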