工會圖書管理系統 V1.0

簡單演算法――工會圖書管理系統 V1.0

軟體大小：496K
下載頁面：http://www.wtybook.com/GHOSTAR

【軟體簡介】：圖書管理

【軟體限制】：必須註冊，否則無法使用

【作者宣告】：初學Crack，只是感興趣，沒有其它目的。失誤之處敬請諸位大俠賜教！

【破解工具】：TRW2000娃娃修改版、FI2.5、CasprGui、W32Dasm8.93黃金版

―――――――――――――――――――――――――――――――――
【過程】：

GhBook.exe是ASPROTECT 1.1殼，用CasprGui脫之。485K->1.21M。DELPHI編寫。

反彙編，查詢關鍵提示："對不起, 此軟體已被鎖定!"在4FC7AB。
向上分析，很容易就找到關鍵點了。

啟用驗證程式碼：21291120 （程式自給）
啟用程式碼-光碟號：1357-0 （試煉碼）

―――――――――――――――――――――――――――――――――
* Possible StringData Ref from Data Obj ->"您的啟用驗證號碼:"
|
:004FC648 BA90C74F00 mov edx, 004FC790
:004FC64D E8267AF0FF call 00404078
:004FC652 8B55F4 mov edx, dword ptr [ebp-0C]
:004FC655 8B83E8020000 mov eax, dword ptr [ebx+000002E8]
:004FC65B E87873F3FF call 004339D8
:004FC660 33C0 xor eax, eax
:004FC662 55 push ebp
:004FC663 6829C74F00 push 004FC729
:004FC668 64FF30 push dword ptr fs:[eax]
:004FC66B 648920 mov dword ptr fs:[eax], esp
:004FC66E 8BC3 mov eax, ebx
:004FC670 8B10 mov edx, dword ptr [eax]
:004FC672 FF92D8000000 call dword ptr [edx+000000D8]
:004FC678 48 dec eax
:004FC679 7559 jne 004FC6D4
:004FC67B 8D55EC lea edx, dword ptr [ebp-14]
:004FC67E 8B83D4020000 mov eax, dword ptr [ebx+000002D4]
:004FC684 E81F73F3FF call 004339A8
:004FC689 8B45EC mov eax, dword ptr [ebp-14]
:004FC68C E8FFFAFFFF call 004FC190
:004FC691 84C0 test al, al
:004FC693 740E je 004FC6A3
:004FC695 8D55FC lea edx, dword ptr [ebp-04]
:004FC698 8B83D4020000 mov eax, dword ptr [ebx+000002D4]
:004FC69E E80573F3FF call 004339A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC693(C)
|
:004FC6A3 8D55E8 lea edx, dword ptr [ebp-18]
:004FC6A6 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:004FC6AC E8F772F3FF call 004339A8
:004FC6B1 8B45E8 mov eax, dword ptr [ebp-18]
:004FC6B4 E8D7FAFFFF call 004FC190
:004FC6B9 84C0 test al, al
:004FC6BB 740E je 004FC6CB
:004FC6BD 8D55F8 lea edx, dword ptr [ebp-08]
:004FC6C0 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:004FC6C6 E8DD72F3FF call 004339A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC6BB(C)
|
:004FC6CB 8BC3 mov eax, ebx
:004FC6CD E8762CF5FF call 0044F348
:004FC6D2 EB13 jmp 004FC6E7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC679(C)
|
:004FC6D4 A120EB4F00 mov eax, dword ptr [004FEB20]
:004FC6D9 8B00 mov eax, dword ptr [eax]
:004FC6DB E8AC63F5FF call 00452A8C
:004FC6E0 8BC3 mov eax, ebx
:004FC6E2 E8612CF5FF call 0044F348

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC6D2(U)
|
:004FC6E7 8B55F8 mov edx, dword ptr [ebp-08]
====>EDX=0 光碟號

:004FC6EA 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=1357 啟用程式碼

:004FC6ED E8BEFBFFFF call 004FC2B0
====>關鍵CALL！進入！

:004FC6F2 84C0 test al, al
:004FC6F4 7424 je 004FC71A
====>跳則OVER！

:004FC6F6 B89CFA4F00 mov eax, 004FFA9C
:004FC6FB 8B55FC mov edx, dword ptr [ebp-04]
:004FC6FE E8FD76F0FF call 00403E00
:004FC703 B8A0FA4F00 mov eax, 004FFAA0
:004FC708 8B55F8 mov edx, dword ptr [ebp-08]
:004FC70B E8F076F0FF call 00403E00
:004FC710 33C0 xor eax, eax
:004FC712 5A pop edx
:004FC713 59 pop ecx
:004FC714 59 pop ecx
:004FC715 648910 mov dword ptr fs:[eax], edx
:004FC718 EB1E jmp 004FC738
====>呵呵，跳向勝利！

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC6F4(C)
|
:004FC71A E885000000 call 004FC7A4
:004FC71F 33C0 xor eax, eax
:004FC721 5A pop edx
:004FC722 59 pop ecx
:004FC723 59 pop ecx
:004FC724 648910 mov dword ptr fs:[eax], edx
:004FC727 EB0F jmp 004FC738
:004FC729 E9C26DF0FF jmp 004034F0
:004FC72E E871000000 call 004FC7A4

* Referenced by a CALL at Addresses:
|:004FC71A , :004FC72E
|
:004FC7A4 6A10 push 00000010
:004FC7A6 68C4C74F00 push 004FC7C4

* Possible StringData Ref from Data Obj ->"對不起, 此軟體已被鎖定!"
====>BAD BOY！

:004FC7AB 68CCC74F00 push 004FC7CC

―――――――――――――――――――――――――――――――――
F8進入演算法CALL：4FC6ED call 004FC2B0

* Referenced by a CALL at Addresses:
|:004FC5B2 , :004FC6ED
|
:004FC2B0 55 push ebp
:004FC2B1 8BEC mov ebp, esp
:004FC2B3 83C4F0 add esp, FFFFFFF0
:004FC2B6 53 push ebx
:004FC2B7 56 push esi
:004FC2B8 33C9 xor ecx, ecx
:004FC2BA 894DF4 mov dword ptr [ebp-0C], ecx
:004FC2BD 894DF0 mov dword ptr [ebp-10], ecx
:004FC2C0 8955F8 mov dword ptr [ebp-08], edx
:004FC2C3 8945FC mov dword ptr [ebp-04], eax
:004FC2C6 8B45FC mov eax, dword ptr [ebp-04]
:004FC2C9 E8127FF0FF call 004041E0
:004FC2CE 8B45F8 mov eax, dword ptr [ebp-08]
:004FC2D1 E80A7FF0FF call 004041E0
:004FC2D6 33C0 xor eax, eax
:004FC2D8 55 push ebp
:004FC2D9 6857C34F00 push 004FC357
:004FC2DE 64FF30 push dword ptr fs:[eax]
:004FC2E1 648920 mov dword ptr fs:[eax], esp
:004FC2E4 8B45FC mov eax, dword ptr [ebp-04]
:004FC2E7 E884DAF0FF call 00409D70
====>把1357轉化16進位制值

:004FC2EC 8BC8 mov ecx, eax
1、 ====>EAX=54D（H）=1357（D）

:004FC2EE 8BC1 mov eax, ecx
:004FC2F0 2DBF020000 sub eax, 000002BF
2、 ====>EAX=54D-2BF=28E

:004FC2F5 B903000000 mov ecx, 00000003
====>3 入 ECX

:004FC2FA 99 cdq
:004FC2FB F7F9 idiv ecx
3、 ====>EAX=54D/3=DA

:004FC2FD 8BD8 mov ebx, eax
====>EBX=EAX=DA

:004FC2FF 81EB87000000 sub ebx, 00000087
4、 ====>EBX=DA-87=53

:004FC305 D1FB sar ebx, 1
5、 ====>EBX=53 右移1位=29

:004FC307 7903 jns 004FC30C
:004FC309 83D300 adc ebx, 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC307(C)
|
:004FC30C 8B45F8 mov eax, dword ptr [ebp-08]
====>0入EAX，即光碟號

:004FC30F E85CDAF0FF call 00409D70
====>轉化成16進位制值

:004FC314 8BF0 mov esi, eax
====>ESX=EAX=0

:004FC316 8D55F4 lea edx, dword ptr [ebp-0C]
:004FC319 8BC3 mov eax, ebx
====>EAX=EBX=29

:004FC31B 2BC6 sub eax, esi
6、 ====>EBX=29-0=29
即上面對輸入的1357運算後得出的29減去光碟號的16進位制值！

:004FC31D E8AED9F0FF call 00409CD0
====>把29轉化成10進位制值：41

:004FC322 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=41

:004FC325 50 push eax
:004FC326 8D45F0 lea eax, dword ptr [ebp-10]
:004FC329 E80AFFFFFF call 004FC238
:004FC32E 8B55F0 mov edx, dword ptr [ebp-10]
====>EDX=21291120 即：我的啟用驗證程式碼

:004FC331 58 pop eax
:004FC332 E8057EF0FF call 0040413C
====>比較CALL！進入！

:004FC337 0F94C0 sete al
====>設定標誌位！

:004FC33A 8BD8 mov ebx, eax
:004FC33C 33C0 xor eax, eax
:004FC33E 5A pop edx
:004FC33F 59 pop ecx
:004FC340 59 pop ecx
:004FC341 648910 mov dword ptr fs:[eax], edx
:004FC344 685EC34F00 push 004FC35E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FC35C(U)
|
:004FC349 8D45F0 lea eax, dword ptr [ebp-10]
:004FC34C BA04000000 mov edx, 00000004
:004FC351 E87A7AF0FF call 00403DD0
:004FC356 C3 ret

―――――――――――――――――――――――――――――――――
F8進入比較CALL：4FC332 call 0040413C

* Referenced by a CALL at Addresses:
|:00413C97 , :00418AAB , :00419F4B , :0041F3DD , :00420728
…… …… 省略 …… ……

:0040413C 53 push ebx
:0040413D 56 push esi
:0040413E 57 push edi
:0040413F 89C6 mov esi, eax
:00404141 89D7 mov edi, edx
:00404143 39D0 cmp eax, edx
====>EAX=41
====>EDX=21291120
上面運算的最後結果與啟用驗證程式碼比較，相同則OK！

:00404145 0F848F000000 je 004041DA
:0040414B 85F6 test esi, esi
:0040414D 7468 je 004041B7
:0040414F 85FF test edi, edi
:00404151 746B je 004041BE
:00404153 8B46FC mov eax, dword ptr [esi-04]
:00404156 8B57FC mov edx, dword ptr [edi-04]
:00404159 29D0 sub eax, edx
:0040415B 7702 ja 0040415F

―――――――――――――――――――――――――――――――――
【算法總結】：

演算法不復雜，簡單求逆即可算出相應的註冊碼。

設：啟用驗證程式碼為S、啟用程式碼為K1、光碟號為K2、對K1運算的結果為KK

1、 KK-K2 = S 成功的條件！
我把K2固定為0（呵呵，省點事），所以KK-0=144E070（H）=21291120（D）

2、逆反第5步的右移1位：144E070*2=289C0E0

3、逆反第4步：289C0E0+87=289C167

4、逆反第3步：289C167*3=79D4435

5、逆反第2步：79D4435+2BF=79D46F4

6、逆反第1步：79D46F4的10進位制值=127747828

呵呵，至此，求出我的啟用程式碼 K1=127747828

―――――――――――――――――――――――――――――――――
【註冊資訊儲存】：

REGEDIT4

[HKEY_CURRENT_USER\Software\GHOStar\Main]
"F1"="127747828"
"F2"="0"

―――――――――――――――――――――――――――――――――
【整理】：

啟用驗證程式碼：21291120
啟用程式碼-光碟號：127747828-0

―――――――――――――――――――――――――――――――――

Cracked By 巢水工作坊――fly【OCN】

19:50 03-3-7

工會圖書管理系統 V1.0

相關文章