『凌雲郵神』 註冊碼破解 (非明碼比較的哦 ^_^)
作者:PaulYoung ( 屬於 China Cracking Group )
軟體:凌雲郵神 ( http://fang_public.myetang.com/Dewnload/LYMail.zip 267
KB )
簡介:支援國內絕大多數郵件伺服器,支援附件傳送,可傳送無限個附件;支援SMTP身份驗證;速度奇快。可以設定優先順序。本軟體區別於其他郵件群發軟體的最大特點就是在收信地址正確的情況下只須傳送次郵件的時間即可發完全部郵件,極大地縮短了上網時間。
加密:一機一碼,非明碼比較
工具:SoftICE 4.05 334
日期:2001.11.05
************************************************************************************************
最近對爆破和明碼比較的軟體完全失去破解的興趣了,記憶體序號產生器也玩到膩了,專心搞一些非明碼破解和加強對加密演算法的研究。下面這個軟體,是一個非明碼比較的軟體,比較簡單,細心一點不難破解。如果哪位朋友有一些非明碼比較的軟體,歡迎向我推薦,最好幾百
KB 就好了,還有,DOS 和 VB 就免了,小生怕怕 :) 呵……忘了告訴大家怎麼聯絡我,My E-mail: paulyoung@21cn.com
, QQ:65827779 ,不要寄病毒來哦!
為了節約時間,相信大家也非常容易就找到它的關鍵所在,另外為了敘述,下面的數字均是十進位制。
演算法驗證就在下面了……
* Referenced by a CALL at Addresses:
|:0046F40F , :0046F915 , :004704BF , :00470961
// WOO...四處地方驗證註冊碼
|
:0046F208 55
push ebp
:0046F209 8BEC
mov ebp, esp
:0046F20B 33C9
xor ecx, ecx
:0046F20D 51
push ecx
:0046F20E 51
push ecx
:0046F20F 51
push ecx
:0046F210 51
push ecx
:0046F211 51
push ecx
:0046F212 51
push ecx
:0046F213 51
push ecx
:0046F214 53
push ebx
:0046F215 33C0
xor eax, eax
:0046F217 55
push ebp
:0046F218 68F8F24600 push 0046F2F8
:0046F21D 64FF30
push dword ptr fs:[eax]
:0046F220 648920
mov dword ptr fs:[eax], esp
:0046F223 C645FF00 mov
[ebp-01], 00
:0046F227 8D45F8
lea eax, dword ptr [ebp-08]
:0046F22A E811FEFFFF call 0046F040
:0046F22F B201
mov dl, 01
:0046F231 A160F84400 mov eax,
dword ptr [0044F860]
:0046F236 E82507FEFF call 0044F960
:0046F23B 8BD8
mov ebx, eax
:0046F23D BA02000080 mov edx,
80000002
:0046F242 8BC3
mov eax, ebx
:0046F244 E8B707FEFF call 0044FA00
:0046F249 8D55EC
lea edx, dword ptr [ebp-14]
:0046F24C A16C364700 mov eax,
dword ptr [0047366C]
:0046F251 8B00
mov eax, dword ptr [eax]
:0046F253 E8D8A2FDFF call 00449530
:0046F258 8B4DEC
mov ecx, dword ptr [ebp-14]
:0046F25B 8D45F0
lea eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"SOFTWARE\"
|
:0046F25E BA10F34600 mov edx,
0046F310
:0046F263 E8004BF9FF call 00403D68
:0046F268 8B55F0
mov edx, dword ptr [ebp-10]
:0046F26B 8BC3
mov eax, ebx
:0046F26D E8820CFEFF call 0044FEF4
:0046F272 84C0
test al, al
:0046F274 743A
je 0046F2B0
:0046F276 8D55E4
lea edx, dword ptr [ebp-1C]
:0046F279 A16C364700 mov eax,
dword ptr [0047366C]
:0046F27E 8B00
mov eax, dword ptr [eax]
:0046F280 E8ABA2FDFF call 00449530
:0046F285 8B4DE4
mov ecx, dword ptr [ebp-1C]
:0046F288 8D45E8
lea eax, dword ptr [ebp-18]
* Possible StringData Ref from Code Obj ->"SOFTWARE\"
|
:0046F28B BA10F34600 mov edx,
0046F310
:0046F290 E8D34AF9FF call 00403D68
:0046F295 8B55E8
mov edx, dword ptr [ebp-18]
:0046F298 B101
mov cl, 01
:0046F29A 8BC3
mov eax, ebx
:0046F29C E89F08FEFF call 0044FB40
:0046F2A1 8D4DF4
lea ecx, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"RegSN"
|
:0046F2A4 BA24F34600 mov edx,
0046F324
:0046F2A9 8BC3
mov eax, ebx
:0046F2AB E8580AFEFF call 0044FD08
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046F274(C)
|
:0046F2B0 8BC3
mov eax, ebx
:0046F2B2 E81907FEFF call 0044F9D0
:0046F2B7 837DF400 cmp
dword ptr [ebp-0C], 00000000
:0046F2BB 7420
je 0046F2DD
:0046F2BD 8B45F8
mov eax, dword ptr [ebp-08]
:0046F2C0 E88BFEFFFF call 0046F150
:0046F2C5 8BD8
mov ebx, eax //注意,eax的值變為 2547 了,並儲存到ebx
:0046F2C7 8B45F4
mov eax, dword ptr [ebp-0C]
:0046F2CA E89990F9FF call 00408368
:0046F2CF 03D8
add ebx, eax //來到這裡,eax 就是你輸入的註冊碼,ebx 的值為
2547 ,eax + ebx ,結果儲存到 ebx
:0046F2D1 81FBBAAA9404 cmp ebx, 0494AABA
//ebx 與 0494AABA 的值比較
:0046F2D7 7504
jne 0046F2DD //不等則跳
:0046F2D9 C645FF01 mov
[ebp-01], 01 //不跳你就成功了!
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046F2BB(C), :0046F2D7(C)
|
:0046F2DD 33C0
xor eax, eax //註冊碼不正確,跳到此 eax 清0,完蛋!
:0046F2DF 5A
pop edx
:0046F2E0 59
pop ecx
:0046F2E1 59
pop ecx
:0046F2E2 648910
mov dword ptr fs:[eax], edx
:0046F2E5 68FFF24600 push 0046F2FF
我們重點分析 0046F2D1 這處關鍵的比較:
ebx = 輸入的註冊碼 + 2547 的和,而 0494AABA 的值是 76851898 ,兩者相等則成功,那麼,那真正的註冊碼就是 76851898-2547=76849351
:)
我的軟體序號是:1D6D-17E5 ,註冊碼是:76849351 ,填入後,“註冊完成”!再重啟,WA...軟體的註冊按鈕也不見了,成功了!!!!
註冊碼跟公司名和電話號碼無關。
可惜小弟水平有限,彙編學得不精,尚未發現軟體序號跟註冊碼之間的關係,2547 這個值是怎麼來的呢??懇請大俠出手,指點小弟一二,不勝感激。