小弟的一篇湊數的破解文章,是小弟解決的第一個密碼學軟體!(爆破哈!) (14千字)
破解軟體:一個加密檔案的軟體,電腦愛好者上曾經有過介紹
破解人:powerboy
軟體保護介紹:軟體屬於註冊碼保護但是特別的是註冊碼比較是在網上進行的認證,所以進行註冊碼破解顯然是不可能,只能爆破.
首先,檢視軟體是否加殼(可能是作者對自己軟體的保護很有信心所以連殼都沒加,VC編譯)
然後,進入軟體進行一次註冊,輸入:
NAME:powerboy
SN:1234567890123456(軟體告訴你了註冊碼要16位)並且有很多提示.
查詢有關的註冊提示,很有幫助.
首先看到"註冊失敗"有門看看!
:00418226 E8C5820000
Call 004204F0
:0041822B 6A01
push 00000001
:0041822D 8D4E64
lea ecx, dword ptr [esi+64]
:00418230
5F
pop edi
:00418231 50
push eax
:00418232 897DFC
mov dword ptr [ebp-04], edi
* Reference
To: MFC42.Ordinal:035A, Ord:035Ah
|
:00418235 E8D0800000 Call
0042030A
:0041823A 834DFCFF
or dword ptr [ebp-04], FFFFFFFF
:0041823E 8D4DF0
lea ecx, dword ptr [ebp-10]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00418241 E80C7E0000
Call 00420052
:00418246 8BCE
mov ecx, esi
:00418248 E840020000
call 0041848D----------->這裡是個關鍵的CALL(要跟進去看看一會你就知道了)
:0041824D 85C0
test eax, eax
:0041824F 752F
jne 00418280------------>既然不跳是錯誤,那跳呢!!!!
:00418251
50
push eax
:00418252 50
push eax
* Possible StringData Ref from Data Obj
->"註冊失敗"
|
:00418253 68201F4300
push 00431F20
* Reference
To: MFC42.Ordinal:04B0, Ord:04B0h
|
:00418258 E8CB800000 Call
00420328
:0041825D E9DA000000
jmp 0041833C
* Referenced by a (U)nconditional or (C)onditional Jump
at Addresses:
|:004181E9(C), :004181EE(C)
:00418262 6A00
push 00000000
:00418264
6A00 push
00000000
* Possible StringData Ref from Data Obj ->"註冊碼型別錯誤"
|
:00418266 68101F4300
push 00431F10
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00418185(U), :00418196(U)
|
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:0041826B E8B8800000
Call 00420328
:00418270 8D8E14010000
lea ecx, dword ptr [esi+00000114]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00418170(U)
|
* Reference
To: MFC42.Ordinal:175D, Ord:175Dh
|
:00418276 E8ED7F0000 Call
00420268
:0041827B E9BC000000
jmp 0041833C
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:0041824F(C)
|
:00418280 8BCE
mov ecx, esi------------------------->跳到這裡了,向下看看!
:00418282 E8E2060000 call
00418969
:00418287 85C0
test eax, eax
:00418289 0F84AD000000
je 0041833C
:0041828F 8BCE
mov ecx, esi
:00418291 E884040000
call 0041871A
:00418296 85C0
test eax, eax
:00418298 0F849E000000 je 0041833C
:0041829E 89BBC8080000 mov dword ptr
[ebx+000008C8], edi
:004182A4 8DBEA4020000
lea edi, dword ptr [esi+000002A4]
:004182AA 57
push edi
:004182AB
8D45F0 lea eax,
dword ptr [ebp-10]
* Possible StringData Ref from Data Obj ->"*****
- " 軟體的名稱啊!
|
:004182AE
68CC104300 push 004310CC
:004182B3 50
push eax
* Reference To: MFC42.Ordinal:039E, Ord:039Eh
|
:004182B4 E857800000
Call 00420310
:004182B9 FF30
push dword ptr [eax]
:004182BB
8BCB mov
ecx, ebx
:004182BD C745FC02000000 mov [ebp-04],
00000002
* Reference To: MFC42.Ordinal:1837, Ord:1837h
|
:004182C4 E8B77F0000
Call 00420280
:004182C9 834DFCFF
or dword ptr [ebp-04], FFFFFFFF
:004182CD 8D4DF0
lea ecx, dword ptr [ebp-10]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004182D0 E87D7D0000
Call 00420052
* Possible Reference to Dialog: DialogID_0092,
CONTROL_ID:03E9, ""
|
:004182D5
68E9030000 push 000003E9
:004182DA FF7320
push [ebx+20]
* Reference To: USER32.KillTimer, Ord:0195h
|
:004182DD FF1520584200
Call dword ptr [00425820]
:004182E3 57
push edi
:004182E4
8D45E4 lea eax,
dword ptr [ebp-1C]
* Possible StringData Ref from Data Obj ->"恭喜你 "--------------------->看到這個了嗎!軟體替你說了^_^
|
==========================================================================
跟入上面的關鍵CALL........
* Referenced by a CALL at Address:
|:00418248
|
:0041848D B87C3D4200
mov eax, 00423D7C
* Reference To: MSVCRT._EH_prolog, Ord:0042h
|
:00418492 E8A9820000
Call 00420740
:00418497 81EC80000000
sub esp, 00000080
:0041849D 53
push ebx
:0041849E
56
push esi
:0041849F 57
push edi
:004184A0 6A40
push 00000040
* Possible StringData
Ref from Data Obj ->"使用者註冊通知"
|
:004184A2
6828224300 push 00432228
:004184A7 8BD9
mov ebx, ecx
* Possible StringData Ref from Data Obj ->"親愛的使用者! 3.0以上版本必須進行網上啟用,
請稍"
->"等片刻既可完成整個註冊驗證過程."
|
:004184A9
68D8214300 push 004321D8
* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:004184AE E8AF7D0000
Call 00420262
:004184B3 E8B29FFEFF
call 0040246A
:004184B8 8BF8
mov edi, eax
* Possible StringData Ref from
Data Obj ->"\"
|
:004184BA 6844014300
push 00430144
:004184BF 8D87D43A0000
lea eax, dword ptr [edi+00003AD4]
:004184C5
50
push eax
:004184C6 8D45E0
lea eax, dword ptr [ebp-20]
:004184C9 50
push eax
* Reference
To: MFC42.Ordinal:039C, Ord:039Ch
|
:004184CA E82F7E0000 Call
004202FE
:004184CF 8365FC00
and dword ptr [ebp-04], 00000000
:004184D3 8D4B60
lea ecx, dword ptr [ebx+60]
:004184D6
51
push ecx
:004184D7 50
push eax
:004184D8 8D45E4
lea eax, dword ptr [ebp-1C]
:004184DB
50
push eax
* Reference To: MFC42.Ordinal:039A, Ord:039Ah
|
:004184DC E8177E0000
Call 004202F8
* Possible StringData Ref from Data Obj
->".dat"
|
:004184E1 BED0214300
mov esi, 004321D0
:004184E6 C645FC01
mov [ebp-04], 01
:004184EA
56
push esi
:004184EB 50
push eax
:004184EC 8D45EC
lea eax, dword ptr [ebp-14]
:004184EF
50
push eax
* Reference To: MFC42.Ordinal:039C, Ord:039Ch
|
:004184F0 E8097E0000
Call 004202FE
:004184F5 8D4DE4
lea ecx, dword ptr [ebp-1C]
:004184F8 C645FC04
mov [ebp-04], 04
*
Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004184FC E8517B0000 Call
00420052
:00418501 8D4DE0
lea ecx, dword ptr [ebp-20]
:00418504 C645FC03
mov [ebp-04], 03
* Reference
To: MFC42.Ordinal:0320, Ord:0320h
|
:00418508 E8457B0000 Call
00420052
:0041850D 8D4360
lea eax, dword ptr [ebx+60]
:00418510 50
push eax
:00418511
8D45DC lea eax,
dword ptr [ebp-24]
* Possible
StringData Ref from Data Obj ->"http://www.wjmshome.com/register/" 看到了嗎!要上網去效驗的啊!
|
:00418514 68AC214300
push 004321AC
:00418519 50
push eax
* Reference To: MFC42.Ordinal:039E, Ord:039Eh
|
:0041851A E8F17D0000
Call 00420310
:0041851F 56
push esi
:00418520 50
push eax
:00418521 8D45E8
lea eax, dword ptr [ebp-18]
:00418524 C645FC05
mov [ebp-04], 05
:00418528 50
push eax
* Reference To: MFC42.Ordinal:039C,
Ord:039Ch
|
:00418529 E8D07D0000
Call 004202FE
:0041852E 8D4DDC
lea ecx, dword ptr [ebp-24]
:00418531 C645FC07
mov [ebp-04], 07
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00418535 E8187B0000
Call 00420052
:0041853A 8BCF
mov ecx, edi
:0041853C E89D27FFFF
call 0040ACDE
:00418541 51
push ecx
:00418542 8D45EC
lea eax, dword ptr [ebp-14]
:00418545 8BCC
mov ecx, esp
:00418547 8965D8
mov dword ptr [ebp-28], esp
:0041854A 50
push eax
* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:0041854B E81E7D0000
Call 0042026E
:00418550 51
push ecx
:00418551 8D45E8
lea eax, dword ptr [ebp-18]
:00418554 8BCC
mov ecx, esp
:00418556 8965D4
mov dword ptr [ebp-2C], esp
:00418559 50
push eax
:0041855A
C645FC08 mov [ebp-04],
08
* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:0041855E E80B7D0000
Call 0042026E
:00418563 8BCF
mov ecx, edi
:00418565 C645FC07
mov [ebp-04], 07
:00418569
E8E025FFFF call 0040AB4E
:0041856E 33F6
xor esi, esi
:00418570 3BC6
cmp eax, esi
:00418572 7511
jne 00418585
:00418574 56
push esi
:00418575 56
push esi
* Possible StringData Ref from Data Obj ->"無法接入Internet註冊資料,請與開發商聯絡"
|
:00418576 6880214300
push 00432180
* Reference To: MFC42.Ordinal:04B0,
Ord:04B0h
|
:0041857B E8A87D0000
Call 00420328
:00418580 E93B010000
jmp 004186C0
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00418572(C)
|
:00418585 8D4DC4
lea ecx, dword ptr [ebp-3C]
* Reference To: MFC42.Ordinal:0162,
Ord:0162h
|
:00418588 E8417D0000
Call 004202CE
:0041858D 56
push esi
:0041858E 6800800000 push
00008000
:00418593 FF75EC
push [ebp-14]
:00418596 8D4DC4
lea ecx, dword ptr [ebp-3C]
:00418599 C645FC09
mov [ebp-04], 09
*
Reference To: MFC42.Ordinal:1442, Ord:1442h
|
:0041859D E81A7D0000 Call
004202BC
:004185A2 85C0
test eax, eax
:004185A4 7511
jne 004185B7
:004185A6 56
push esi
:004185A7
56
push esi
* Possible StringData Ref from Data Obj ->"無法讀取已經下載的Internet註冊資料"
|
:004185A8 685C214300
push 0043215C
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00418639(U), :00418693(U)
|
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:004185AD E8767D0000
Call 00420328
:004185B2 E9FD000000
jmp 004186B4
看到了嗎!輸入註冊碼之後,不是在本地比較,而是在網上比較那可怎麼辦啊!不如我們還一種思路,既然是在網上比較那麼怎麼才能
說明是否正確呢!一定有標誌!在找找看!
註冊在網上比較,如果錯誤一定提示所以在關鍵字元中找找有沒有關於註冊碼的提示!哈!!!!!!!
看到下面了嗎
==================================================================================
:0041867F E8CE790000 Call
00420052
:00418684 807DF300
cmp byte ptr [ebp-0D], 00---------->為0則跳,一定要跳
:00418688 740E
je 00418698
:0041868A 33F6
xor esi, esi
:0041868C 56
push esi
:0041868D 56
push esi
* Possible
StringData Ref from Data Obj ->"註冊碼輸入錯誤"
|
:0041868E 6828214300 push
00432128
:00418693 E915FFFFFF
jmp 004185AD
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00418688(C)
|
:00418698 807DC201
cmp byte ptr [ebp-3E], 01---------->如果返回的值是1就正確
:0041869C 754B
jne 004186E9----------------------->不相等則跳
:0041869E 6A40
push 00000040
* Possible StringData Ref from Data Obj ->"感謝您的註冊"
|
:004186A0 6818214300
push 00432118
* Possible StringData Ref from Data Obj ->"你已是*******的正式註冊使用者並可免費註冊以後的"
->"所有版本,
如果公開註冊碼將會被取消註冊使用者資?
->"?"
|
:004186A5
68B8204300 push 004320B8
==================================================================================
到這裡我們知道我們找到的關鍵CALL該返回什麼,有知道在哪裡返回---改啊!還等什麼啊!
爆破之後你會發現,軟體重啟之後就已經註冊成功了,沒有重啟效驗看來作者對他的註冊碼保護方式很有信心啊!
註冊名和註冊碼的變形值儲存在登錄檔裡:
小弟對密碼學不是很懂但是軟體是一個用RSA為檔案加密的軟體所以小弟猜這個變型是RSA的(沒有驗證啊)
註冊碼和使用者名稱沒有關係,但是儲存在JIM.DAT中的我們輸入的註冊碼和儲存在登錄檔裡的變型之後的數值有關啊!
HKEY_CURRENT_USER\Software\檔案密使\Register
RegisterName="powerboy"
RegisterCodeSanLieZhi=fc 01 c9 5b eb f6 14 68
5e b0 70 82 5b 77 4b 56
註冊碼儲存在JIM.DAT裡看這個檔案的最下面,是我們輸入的註冊碼.
到這裡應該清楚了,原來軟體註冊成功之後只是把JIM.DAT裡的註冊碼與登錄檔裡的註冊碼變形進行比較.
所以註冊碼和使用者名稱無關,註冊成功就是把我們輸入的註冊碼變形儲存在登錄檔裡.
相關文章
- 請看小弟KeyFile保護的破解 (7千字)2001-02-01
- 哪位是真正的大師?幫小弟解決這個問題,不勝感激2007-06-18
- ES6總結篇(一)小弟的第一滴血,希望大家多多包涵哈2020-03-14
- 小弟為共享軟體作者製作的管理軟體註冊的動態連結庫 (轉)2007-12-05
- 分析破解某個軟體公司出的理財東東!
(14千字)2015-11-15
- 高手請幫忙看看小弟寫的這個web service:2004-04-29Web
- 加入[BCG]的第一篇破解文章ZTZ-IE網路瀏覽器1.5破解!!也是本人第一次寫破解文章! (4千字)2001-06-29瀏覽器
- 兩個月的破解回顧以及7個軟體的破解! (3千字)2000-12-28
- 小弟想做個交友的網站,各位大哥給點意見,2006-10-13網站
- 各位新年快樂,小弟在這裡奉上B-Jigsaw6.02的破解給大家拜年!
(21千字)2001-01-24
- 一個超容易破解的軟體! (5千字)2001-01-21
- 我的第一個破解軟體,試驗成功!2013-12-26
- 個位大哥,小弟一直想成為軟體開發精英,請指點呀!2005-03-05
- 小弟請求各位師兄大哥一個面試遇到的問題2007-09-04面試
- 一個典型的時間限制軟體的破解 (4千字)2001-01-29
- 本人寫的第一篇破解文章(cleanPC) (902字)2000-08-16
- 一篇文章搞定密碼學基礎2017-12-13密碼學
- 小弟請教一個在英國的project的問題 請大俠們指教2004-11-11Project
- 軟體即數學的意思是?2012-10-29
- 一篇關於密碼學的入門級破解例項-BiSHoP's
CrackMe4 (30千字)2002-11-09密碼學
- Tmaster6.0 破解(我的第一篇灌水) (4千字)2001-10-04AST
- WinImage密碼的另一種破解――WinHex破解法 (2千字)2001-07-12密碼
- 同學翻譯的一篇FlexLm文章 (9千字)2003-03-31Flex
- 破解OICQ的密碼演算法 (6千字)2001-06-25密碼演算法
- 懂ibatis的大俠幫小弟看看錯在哪了2007-01-21BAT
- 密碼管理軟體。 (2千字)2001-03-12密碼
- 破解一個CCG的軟體,改半位元組! (6千字)2002-01-27
- 一個非常簡單易懂的WIFI密碼爆破python指令碼2017-01-18WiFi密碼Python指令碼
- 如何破解掉vt4.0的軟體狗(一種醫藥用影像分析軟體) 不錯的文章
(7千字)2015-11-15
- 快手、B站、鬥魚、虎牙的遊戲直播:一場騰訊四小弟的PK2020-03-26遊戲
- zip密碼爆破:fcrackzip2024-03-28密碼
- 一個菜鳥對密碼學的理解 (4千字)2015-11-15密碼學
- 我的第一篇增加PE檔案功能的文章,獻醜了。 (4千字)2015-11-15
- 求助關於EJB的部署問題(小弟是初學者,請各位大哥看一下)2005-09-05
- 這是我今天破出來的第一個軟體,呵呵,平安夜的早晨很冷的 (9千字)2001-12-24
- 發一篇C#.NET的破解文章,請各位指點指點:)
(12千字)2015-11-15C#
- 小弟在struts+hibernate的開發中遇到難題。求救!!2004-06-03
- 小弟求救伺服器-客戶端程式2006-07-10伺服器客戶端