菜鳥破解vis_ddr v1.11 (14千字)
首先介紹一下破解物件-----vis_ddr.dll ,此乃winamp的一個外掛,可以讓winamp實現跳舞毯的功能,這裡破解的是它的v1.11版。沒有註冊前,不能使用跳舞毯,還有一個特殊效果也用不上。註冊之後就沒有這些限制了。好了,廢話少說,請看我的破解過程。先宣告我是菜鳥一個,而且對組合語言很不熟悉,分析的過程中,有很多地方是我自己在猜測那條語句是幹什麼的,至於猜的正不正確還請高手們指教,我不想誤人子弟。:)
先執行winamp,找到此外掛的配置視窗,然後點選註冊。哈哈,標準的註冊視窗,使用者名稱加註冊碼。先隨便試了一下,有錯誤提示,本來可以用w32dsm黃金加強版反編譯分析的,無奈我的彙編太差勁,只好作罷,用trw追吧。下中斷bpx hmemcpy,返回到程式中,隨便輸入一些假的註冊資訊,然後點確定,被trw斷下,敲入pmodule,一回車,疑???怎麼直接回到程式的介面了啊。搞不懂怎麼回事,不管它,再來一次,這次不打pmodule了,我直接按F12總可以了吧,按了11下就回到程式了,好,下次就只要按10下了。重新來一次,按10下F12後,小心的按F10,N次後,來到如下的程式段:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10003740(C)
|
* Reference To: USER32.GetDlgItemTextA, Ord:0104h
|
:10003769 8B35D0B10010 mov esi, dword
ptr [1000B1D0]
:1000376F 53
push ebx
:10003770 8B5C2430 mov
ebx, dword ptr [esp+30]
:10003774 6A64
push 00000064
:10003776 6830F40010 push 1000F430
:1000377B 68FB030000 push 000003FB
:10003780 53
push ebx
:10003781 FFD6
call esi <--取註冊碼長度放入EAX中
:10003783 8D4C240C lea
ecx, dword ptr [esp+0C] <--D EDX可看假碼
:10003787 6A20
push 00000020
:10003789 51
push ecx
:1000378A 68FA030000 push 000003FA
:1000378F 53
push ebx
:10003790 FFD6
call esi
:10003792 8D54240C lea
edx, dword ptr [esp+0C]
:10003796 52
push edx
:10003797 6830F40010 push 1000F430
<--此處D 0287F430可看使用者名稱
:1000379C E8EFF7FFFF call 10002F90
<--這裡有一個經典的對比,所以這個CALL嫌疑非常大,進去看看。*********************
:100037A1 83C408
add esp, 00000008
:100037A4 85C0
test eax, eax
:100037A6 0F84A3000000 je 1000384F
:100037AC 8D442430 lea
eax, dword ptr [esp+30]
:100037B0 50
push eax
* Possible StringData Ref from Data Obj ->"Software\WinampDDR"
|
:100037B1 68F0D90010 push 1000D9F0
:100037B6 6801000080 push 80000001
* Reference To: ADVAPI32.RegCreateKeyA, Ord:015Eh
|
:100037BB FF1508B00010 Call dword ptr
[1000B008]
:100037C1 8B542430 mov
edx, dword ptr [esp+30]
:100037C5 85D2
test edx, edx
:100037C7 7452
je 1000381B
:100037C9 BF30F40010 mov edi,
1000F430
:100037CE 83C9FF
or ecx, FFFFFFFF
:100037D1 33C0
xor eax, eax
* Reference To: ADVAPI32.RegSetValueExA, Ord:0186h
|
:100037D3 8B3504B00010 mov esi, dword
ptr [1000B004]
:100037D9 F2
repnz
:100037DA AE
scasb
:100037DB F7D1
not ecx
:100037DD 51
push ecx
:100037DE 6830F40010 push 1000F430
:100037E3 6A01
push 00000001
:100037E5 50
push eax
* Possible StringData Ref from Data Obj ->"User"
|
:100037E6 68E0D90010 push 1000D9E0
:100037EB 52
push edx
:100037EC FFD6
call esi
:100037EE 8D7C240C lea
edi, dword ptr [esp+0C]
:100037F2 83C9FF
or ecx, FFFFFFFF
:100037F5 33C0
xor eax, eax
:100037F7 8B542430 mov
edx, dword ptr [esp+30]
:100037FB F2
repnz
:100037FC AE
scasb
:100037FD F7D1
not ecx
:100037FF 51
push ecx
:10003800 8D4C2410 lea
ecx, dword ptr [esp+10]
:10003804 51
push ecx
:10003805 6A01
push 00000001
:10003807 50
push eax
* Possible StringData Ref from Data Obj ->"RegCode"
|
:10003808 68E8D90010 push 1000D9E8
:1000380D 52
push edx
:1000380E FFD6
call esi
:10003810 8B442430 mov
eax, dword ptr [esp+30]
:10003814 50
push eax
* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:10003815 FF150CB00010 Call dword ptr
[1000B00C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100037C7(C)
|
:1000381B 6A40
push 00000040
* Possible StringData Ref from Data Obj ->"Register OK"
|
:1000381D 6880E00010 push 1000E080
* Possible StringData Ref from Data Obj ->"Thanks for registering WinampDDR!"
|
:10003822 685CE00010 push 1000E05C
:10003827 53
push ebx
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:10003828 FF15A4B10010 Call dword ptr
[1000B1A4]
:1000382E 6A01
push 00000001
:10003830 53
push ebx
:10003831 C70594F4001001000000 mov dword ptr [1000F494], 00000001
* Reference To: USER32.EndDialog, Ord:00B9h
|
:1000383B FF15E4B10010 Call dword ptr
[1000B1E4]
:10003841 5B
pop ebx
:10003842 5F
pop edi
:10003843 B801000000 mov eax,
00000001
:10003848 5E
pop esi
:10003849 83C420
add esp, 00000020
:1000384C C21000
ret 0010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100037A6(C)
|
:1000384F 6A10
push 00000010
* Possible StringData Ref from Data Obj ->"Register failed"
|
:10003851 684CE00010 push 1000E04C
* Possible StringData Ref from Data Obj ->"Registration code invalid!"
|
:10003856 6830E00010 push 1000E030
:1000385B 53
push ebx
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:1000385C FF15A4B10010 Call dword ptr
[1000B1A4]
:10003862 6A01
push 00000001
:10003864 53
push ebx
* Reference To: USER32.EndDialog, Ord:00B9h
|
:10003865 FF15E4B10010 Call dword ptr
[1000B1E4]
:1000386B 5B
pop ebx
:1000386C 5F
pop edi
:1000386D B801000000 mov eax,
00000001
:10003872 5E
pop esi
:10003873 83C420
add esp, 00000020
:10003876 C21000
ret 0010
呵呵,上面這一大段,看不太懂,只知道是根據註冊資訊的正確與否來決定是顯示註冊成功的畫面並在登錄檔裡面記下相關資訊還是直接顯示註冊失敗的畫面,不管它了,先進那個可疑CALL看看,如下:
這裡接上面的**********************
* Referenced by a CALL at Addresses:
|:100010D8 , :1000379C
|
:10002F90 83EC28
sub esp, 00000028
:10002F93 55
push ebp
:10002F94 8B6C2430 mov
ebp, dword ptr [esp+30]
:10002F98 85ED
test ebp, ebp<--看使用者名稱是否為空
:10002F9A 57
push edi
:10002F9B 0F8429010000 je 100030CA
:10002FA1 8B542438 mov
edx, dword ptr [esp+38]
:10002FA5 85D2
test edx, edx<--看註冊碼是否為空
:10002FA7 0F841D010000 je 100030CA
:10002FAD 8BFD
mov edi, ebp
:10002FAF 83C9FF
or ecx, FFFFFFFF
:10002FB2 33C0
xor eax, eax
:10002FB4 F2
repnz
:10002FB5 AE
scasb
:10002FB6 F7D1
not ecx
:10002FB8 49
dec ecx
:10002FB9 0F840B010000 je 100030CA
:10002FBF 8BFA
mov edi, edx
:10002FC1 83C9FF
or ecx, FFFFFFFF
:10002FC4 F2
repnz
:10002FC5 AE
scasb
:10002FC6 F7D1
not ecx
:10002FC8 49
dec ecx
:10002FC9 0F84FB000000 je 100030CA
:10002FCF 53
push ebx
:10002FD0 32DB
xor bl, bl
:10002FD2 B908000000 mov ecx,
00000008
:10002FD7 8D7C2411 lea
edi, dword ptr [esp+11]
:10002FDB 885C2410 mov
byte ptr [esp+10], bl
:10002FDF 33D2
xor edx, edx
:10002FE1 F3
repz
:10002FE2 AB
stosd
:10002FE3 8BFD
mov edi, ebp
:10002FE5 83C9FF
or ecx, FFFFFFFF
:10002FE8 F2
repnz
:10002FE9 AE
scasb
:10002FEA F7D1
not ecx
:10002FEC 49
dec ecx
:10002FED 56
push esi
:10002FEE 85C9
test ecx, ecx
:10002FF0 894C243C mov
dword ptr [esp+3C], ecx
:10002FF4 7E0A
jle 10003000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10002FFE(C)
|
:10002FF6 8A042A
mov al, byte ptr [edx+ebp]
:10002FF9 32D8
xor bl, al
:10002FFB 42
inc edx
:10002FFC 3BD1
cmp edx, ecx
:10002FFE 7CF6
jl 10002FF6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10002FF4(C)
|
:10003000 33F6
xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10003073(U)
|
:10003002 83FE08
cmp esi, 00000008
:10003005 7C07
jl 1000300E
:10003007 8D0409
lea eax, dword ptr [ecx+ecx]
:1000300A 3BF0
cmp esi, eax
:1000300C 7D67
jge 10003075
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10003005(C)
|
:1000300E 8BFD
mov edi, ebp
:10003010 83C9FF
or ecx, FFFFFFFF
:10003013 33C0
xor eax, eax
:10003015 F2
repnz
:10003016 AE
scasb
:10003017 8BC6
mov eax, esi
:10003019 99
cdq
:1000301A F7D1
not ecx
:1000301C 2BC2
sub eax, edx
:1000301E 49
dec ecx
:1000301F D1F8
sar eax, 1
:10003021 33D2
xor edx, edx
:10003023 F7F1
div ecx
:10003025 83FE01
cmp esi, 00000001
:10003028 8BFA
mov edi, edx
:1000302A 7E05
jle 10003031
:1000302C 8D46FF
lea eax, dword ptr [esi-01]
:1000302F EB02
jmp 10003033
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000302A(C)
|
:10003031 33C0
xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000302F(U)
|
:10003033 8A4C0414 mov
cl, byte ptr [esp+eax+14]
:10003037 32CB
xor cl, bl
:10003039 80F18D
xor cl, 8D
:1000303C 8AD9
mov bl, cl
:1000303E 885C2410 mov
byte ptr [esp+10], bl
:10003042 8B542410 mov
edx, dword ptr [esp+10]
:10003046 52
push edx
:10003047 E8F4FEFFFF call 10002F40
:1000304C 8B4C2440 mov
ecx, dword ptr [esp+40]
:10003050 88443418 mov
byte ptr [esp+esi+18], al
:10003054 2BCF
sub ecx, edi
:10003056 8A5429FF mov
dl, byte ptr [ecx+ebp-01]
:1000305A 32D0
xor dl, al
:1000305C 80F2D8
xor dl, D8
:1000305F 52
push edx
:10003060 E8DBFEFFFF call 10002F40
:10003065 8B4C2444 mov
ecx, dword ptr [esp+44]
:10003069 83C408
add esp, 00000008
:1000306C 88443415 mov
byte ptr [esp+esi+15], al
:10003070 83C602
add esi, 00000002
:10003073 EB8D
jmp 10003002
這上面一大段又看不懂了,如果哪位大哥看懂了的話,還請和我說說它的演算法,讓我徹底弄懂一下,先謝謝了!
下面開始將錯誤的註冊碼和正確的註冊碼進行比較:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000300C(C)
|
:10003075 8B742440 mov
esi, dword ptr [esp+40]這裡是假碼
:10003079 8D442414 lea
eax, dword ptr [esp+14]這裡是真碼
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000309F(C)
|
:1000307D 8A10
mov dl, byte ptr [eax]
:1000307F 8A1E
mov bl, byte ptr [esi]
:10003081 8ACA
mov cl, dl
:10003083 3AD3
cmp dl, bl
:10003085 752D
jne 100030B4
:10003087 84C9
test cl, cl
:10003089 7416
je 100030A1
:1000308B 8A5001
mov dl, byte ptr [eax+01]
:1000308E 8A5E01
mov bl, byte ptr [esi+01]
:10003091 8ACA
mov cl, dl
:10003093 3AD3
cmp dl, bl
:10003095 751D
jne 100030B4
:10003097 83C002
add eax, 00000002
:1000309A 83C602
add esi, 00000002
:1000309D 84C9
test cl, cl
:1000309F 75DC
jne 1000307D前兩位正確的話,繼續比較後面的,挺有意思的:)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10003089(C)
|
:100030A1 33C0
xor eax, eax
:100030A3 33C9
xor ecx, ecx
:100030A5 85C0
test eax, eax
:100030A7 5E
pop esi
:100030A8 5B
pop ebx
:100030A9 0F94C1
sete cl
:100030AC 5F
pop edi
:100030AD 8BC1
mov eax, ecx
:100030AF 5D
pop ebp
:100030B0 83C428
add esp, 00000028
:100030B3 C3
ret
大概就這麼些吧,最後整理一下我的註冊資訊:
註冊名:Turkey
註冊碼:GHFwZETtIJRP
哈哈,可以收工了,比較簡單,對於我來說,實在是個練手的好東東。因為半個月前,我還只會爆破它,且爆破的不完全,這下終於搞定了,好開心啊,真是沒有白來看雪的論壇,真心希望它能越辦越好,越辦越火。
哦,忘了寫軟體的下載地址了,加上:
http://turkey.363.net/palplaza/download/ddr.zip