貫通詞典破解過程

看雪資料發表於2004-12-20

這是我寫的第一篇破解的文章,也是我第一次成功地破解軟體(成功破解是指能寫出序號產生器),若有錯的話請大家提出來,指導一下我這隻菜鳥 ;)

目標:貫通詞典V2.1  
簡介:一個日語字典 
原因:自己正在自學日語,聽說這個詞典還算可以,就下載下來試試,發現是要註冊的

先用PEID看看
UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
嗯,是用UPX加殼,殼沒有被修改過的話直接用 upx -d 就可以脫殼;手動脫殼也可以。
脫殼後的檔案大小是1.23MB。
OK了,用C32ASM反彙編吧
::004E65A7::  BA 01000000              MOV EDX,1
::004E65AC::  59                       POP ECX
::004E65AD::  E8 4EE6F1FF              CALL 00404C00
::004E65B2::  8B45 E4                  MOV EAX,[EBP-1C]
::004E65B5::  E8 E6E5F1FF              CALL 00404BA0
::004E65BA::  8D55 E8                  LEA EDX,[EBP-18]
::004E65BD::  E8 BAE2FFFF              CALL 004E487C
::004E65C2::  8B55 E8                  MOV EDX,[EBP-18]
::004E65C5::  B8 64F64E00              MOV EAX,4EF664
::004E65CA::  E8 65E1F1FF              CALL 00404734
::004E65CF::  8D4D D8                  LEA ECX,[EBP-28]
::004E65D2::  BA E46E4E00              MOV EDX,4E6EE4                              \->: yasha
::004E65D7::  A1 64F64E00              MOV EAX,[4EF664]
::004E65DC::  E8 13E1FFFF              CALL 004E46F4        ->關鍵:註冊碼生成過程
::004E65E1::  8B45 D8                  MOV EAX,[EBP-28] 
::004E65E4::  8D55 F4                  LEA EDX,[EBP-C]
::004E65E7::  E8 F8E1FFFF              CALL 004E47E4 
::004E65EC::  C705 3CF64E00 705E4E00   MOV DWORD PTR [4EF63C],4E5E70 
::004E65F6::  8D45 D4                  LEA EAX,[EBP-2C]
::004E65F9::  BA 6CF64E00              MOV EDX,4EF66C          
::004E65FE::  B9 80000000              MOV ECX,80       

進去4E46F4裡面看看是怎樣生成註冊碼的吧
::004E46F4::  55                       PUSH EBP                                \:BYCALL CallBy:004E65DC,  entry: EAX = request code (string), EDX = "yasha", ECX = address that receives the result (see the caller at 004E65CF-004E65DC)
::004E46F5::  8BEC                     MOV EBP,ESP                             
::004E46F7::  83C4 E8                  ADD ESP,-18                             0x18 bytes of locals: three string temporaries ([EBP-18],[EBP-14],[EBP-10]) plus the three saved arguments
::004E46FA::  53                       PUSH EBX                                
::004E46FB::  56                       PUSH ESI                                
::004E46FC::  57                       PUSH EDI                                
::004E46FD::  33DB                     XOR EBX,EBX                             
::004E46FF::  895D E8                  MOV [EBP-18],EBX                        [EBP-18] = 0  (temp filled at 004E478A)
::004E4702::  895D F0                  MOV [EBP-10],EBX                        [EBP-10] = 0  (the repeated key, built at 004E4755)
::004E4705::  895D EC                  MOV [EBP-14],EBX                        [EBP-14] = 0  (the accumulated XOR result, built at 004E4795)
::004E4708::  894D F4                  MOV [EBP-C],ECX                         save the result-destination pointer
::004E470B::  8955 F8                  MOV [EBP-8],EDX                         save the key string "yasha"
::004E470E::  8945 FC                  MOV [EBP-4],EAX                         save the request code
::004E4711::  8B45 FC                  MOV EAX,[EBP-4]                         
::004E4714::  E8 7704F2FF              CALL 00404B90                           \:JMPUP  called once per string argument; not traced here (presumably a reference-count bump on the Delphi string -- verify)
::004E4719::  8B45 F8                  MOV EAX,[EBP-8]                         
::004E471C::  E8 6F04F2FF              CALL 00404B90                           \:JMPUP
::004E4721::  33C0                     XOR EAX,EAX                             
::004E4723::  55                       PUSH EBP                                
::004E4724::  68 D3474E00              PUSH 4E47D3                             handler address (see 004E47D3)
::004E4729::  64:FF30                  PUSH DWORD PTR FS:[EAX]                 
::004E472C::  64:8920                  MOV FS:[EAX],ESP                        link a new exception record into the FS:[0] chain; unlinked again at 004E47B0
::004E472F::  8B45 FC                  MOV EAX,[EBP-4]                         EAX = request code
::004E4732::  E8 7102F2FF              CALL 004049A8                           EAX = its length in characters (9 for XXXX-XXXX)
::004E4737::  50                       PUSH EAX                                save the length
::004E4738::  8B45 F8                  MOV EAX,[EBP-8]                         EAX = "yasha"
::004E473B::  E8 6802F2FF              CALL 004049A8                           EAX = length of "yasha" (5)
::004E4740::  5A                       POP EDX                                 EDX = request length  (EDX==9, EAX==5)
::004E4741::  92                       XCHG EAX,EDX                            swap  (EAX==9, EDX==5)
::004E4742::  8BCA                     MOV ECX,EDX                             ECX = key length (5)
::004E4744::  99                       CDQ                                     sign-extend EAX into EDX:EAX for the signed divide
::004E4745::  F7F9                     IDIV ECX                                EAX = 9 / 5 = 1, EDX = 9 mod 5 = 4 (the remainder is not used)
::004E4747::  8BF8                     MOV EDI,EAX                             EDI = quotient
::004E4749::  66:85FF                  TEST DI,DI                              
::004E474C::  7C 11                    JL SHORT 004E475F                       skip the key expansion if the quotient is negative (not taken for a non-negative length)
::004E474E::  47                       INC EDI                                 EDI = quotient + 1 = number of copies of "yasha" to concatenate
::004E474F::  8D45 F0                  LEA EAX,[EBP-10]                        destination: the repeated key
::004E4752::  8B55 F8                  MOV EDX,[EBP-8]                         EDX = "yasha"
::004E4755::  E8 5602F2FF              CALL 004049B0                           append "yasha" to [EBP-10]; after the loop it is "yashayasha" for a 9-character code
::004E475A::  66:FFCF                  DEC DI                                  
::004E475D::  75 F0                    JNZ SHORT 004E474F                      repeat len/5+1 times, so the key is always at least as long as the request code
::004E475F::  8B45 FC                  MOV EAX,[EBP-4]                         EAX = request code
::004E4762::  E8 4102F2FF              CALL 004049A8                           EAX = its length (9)
::004E4767::  8BF8                     MOV EDI,EAX                             EDI = loop counter
::004E4769::  66:85FF                  TEST DI,DI                              
::004E476C::  7E 32                    JLE SHORT 004E47A0                      empty request code: skip straight to storing the (empty) result
::004E476E::  66:BE 0100               MOV SI,1                                SI = 1-based character index
::004E4772::  0FBFC6                   MOVSX EAX,SI                            
::004E4775::  8B55 FC                  MOV EDX,[EBP-4]                         EDX = request code
::004E4778::  8A5C02 FF                MOV BL,[EDX+EAX-1]                      BL = request[i]
::004E477C::  8B55 F0                  MOV EDX,[EBP-10]                        EDX = "yashayasha"
::004E477F::  8A4402 FF                MOV AL,[EDX+EAX-1]                      AL = key[i]
::004E4783::  32D8                     XOR BL,AL                               BL = request[i] XOR key[i]  -- this is the whole "algorithm"; the key is a constant stored in the binary
::004E4785::  8D45 E8                  LEA EAX,[EBP-18]                        
::004E4788::  8BD3                     MOV EDX,EBX                             
::004E478A::  E8 3101F2FF              CALL 004048C0                           \:JMPUP  presumably turns the byte in BL into a one-character string in [EBP-18] (inferred from the append just below; not traced)
::004E478F::  8B55 E8                  MOV EDX,[EBP-18]                        
::004E4792::  8D45 EC                  LEA EAX,[EBP-14]                        
::004E4795::  E8 1602F2FF              CALL 004049B0                           \:JMPUP  append that character to the result string [EBP-14] (same routine as at 004E4755)
::004E479A::  46                       INC ESI                                 next character
::004E479B::  66:FFCF                  DEC DI                                  
::004E479E::  75 D2                    JNZ SHORT 004E4772                      \:JMPUP  loop over every character of the request code
::004E47A0::  8B45 F4                  MOV EAX,[EBP-C]                         \:BYJMP JmpBy:004E476C,  EAX = result-destination pointer
::004E47A3::  8B55 EC                  MOV EDX,[EBP-14]                        EDX = the XORed string
::004E47A6::  E8 89FFF1FF              CALL 00404734                           \:JMPUP  presumably stores it into the caller's slot (the caller uses the same routine at 004E65C5 to store the request code)
::004E47AB::  33C0                     XOR EAX,EAX                             
::004E47AD::  5A                       POP EDX                                 
::004E47AE::  59                       POP ECX                                 
::004E47AF::  59                       POP ECX                                 
::004E47B0::  64:8910                  MOV FS:[EAX],EDX                        restore the previous FS:[0] record (undoes 004E472C)
::004E47B3::  68 DA474E00              PUSH 4E47DA                             return address for the RETN at 004E47D2: the epilogue below
::004E47B8::  8D45 E8                  LEA EAX,[EBP-18]                        \:BYJMP JmpBy:004E47D8,  cleanup; also reached from the exception path via 004E47D8
::004E47BB::  BA 03000000              MOV EDX,3                               
::004E47C0::  E8 3FFFF1FF              CALL 00404704                           \:JMPUP  presumably releases the 3 consecutive string temporaries at [EBP-18],[EBP-14],[EBP-10] (count in EDX; routine not traced)
::004E47C5::  8D45 F8                  LEA EAX,[EBP-8]                         
::004E47C8::  BA 02000000              MOV EDX,2                               
::004E47CD::  E8 32FFF1FF              CALL 00404704                           \:JMPUP  same for the 2 string arguments at [EBP-8],[EBP-4]
::004E47D2::  C3                       RETN                                    "returns" to 4E47DA pushed above
::004E47D3::  E9 30F9F1FF              JMP 00404108                            \:JMPUP  exception handler registered at 004E4724
::004E47D8::  EB DE                    JMP SHORT 004E47B8                      \:JMPUP  exception path re-enters the cleanup
::004E47DA::  5F                       POP EDI                                 
::004E47DB::  5E                       POP ESI                                 
::004E47DC::  5B                       POP EBX                                 
::004E47DD::  8BE5                     MOV ESP,EBP                             
::004E47DF::  5D                       POP EBP                                 
::004E47E0::  C3                       RETN      

經過這個CALL以後,序列號會逐字元與 "yashayasha" 的前9個字元(也就是 "yashayash")異或;我的序列號是8C0D-DB4C,異或後得到的字串就是 A"C,L=#G+
最後一步還要留意這個CALL:
::004E6603::  E8 50E3F1FF              CALL 00404958
它把異或後字串的每個字元轉成其ASCII碼的十進位制值,再直接相連(中間沒有分隔符): A"C,L=#G+ 各字元的ASCII碼分別是 65 34 67 44 76 61 35 71 43,去掉空格就是 653467447661357143,這就是註冊碼了。開始寫序號產生器吧。
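// Five-byte key the program XORs the request code against. CALL 004E46F4
// concatenates len/5+1 copies of it, so byte i of the request code is
// always paired with kXorKey[i % 5].
static const char kXorKey[] = "yasha";
static const int kXorKeyLen = 5;

// Length of a request code in the XXXX-XXXX form the dialog accepts.
static const int kRequestLen = 9;

// Append the unsigned decimal digits of v to out (no terminator) and
// return how many were written. In this keygen v is always 0..255, so
// at most three digits come out. Written by hand instead of with _itoa
// so the routine is portable and, being unsigned, can never emit a '-'.
static int PutDecimal(unsigned v, char* out)
{
    char digits[10];   // enough for any 32-bit unsigned value
    int n = 0;
    do {
        digits[n++] = static_cast<char>('0' + v % 10);
        v /= 10;
    } while (v != 0);
    // digits[] holds the number low-order digit first; copy it out reversed.
    for (int i = 0; i < n; ++i) {
        out[i] = digits[n - 1 - i];
    }
    return n;
}

// Reproduce the registration-code routine at 004E46F4: XOR every byte of
// request[0..len) with the repeating key "yasha" and write the decimal
// value of each result into out, concatenated with no separator
// ('A' -> "65"). Bytes are handled as unsigned 0..255, so a character
// above 0x7F can no longer turn into a negative number the way the old
// signed char -> int -> _itoa path produced (real request codes are plain
// ASCII; how the target program itself renders such bytes was not checked).
// outCap is the size of out; the result needs at most 3*len+1 bytes.
// Returns false and stores "" (when outCap > 0) if len is negative or out
// is too small; otherwise writes a NUL-terminated string and returns true.
static bool MakeRegCode(const char* request, int len, char* out, int outCap)
{
    if (len < 0 || outCap < 3 * len + 1) {
        if (outCap > 0) {
            out[0] = '\0';
        }
        return false;
    }
    int pos = 0;
    for (int i = 0; i < len; ++i) {
        const unsigned mixed =
            static_cast<unsigned char>(request[i]) ^
            static_cast<unsigned char>(kXorKey[i % kXorKeyLen]);
        pos += PutDecimal(mixed, out + pos);
    }
    out[pos] = '\0';
    return true;
}

// Button handler: turn the request code typed into m_CS1 into the
// registration code in m_CS2, or complain if it is not 9 characters
// (XXXX-XXXX). Only the length is checked, as before; a 9-character
// string of any content is accepted.
void CRegDlg::OnButton1() 
{
    // TODO: Add your control notification handler code here
    UpdateData(true);
    m_CS2 = "";
    const int len = m_CS1.GetLength();
    if (len != kRequestLen) {
        MessageBox("申請註冊碼是XXXX-XXXX的型式的");
    } else {
        char code[3 * kRequestLen + 1];
        const char* request = m_CS1;   // CString -> LPCTSTR, as strlen(m_CS1) relied on
        MakeRegCode(request, len, code, sizeof code);
        m_CS2 = code;
    }
    UpdateData(false);
}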

完成,收工。順帶一提,這個保護之所以能輕易寫出序號產生器,是因為驗證用的固定密鑰 "yasha" 和整個演算法都放在客戶端程式裡,逆向出來就能照樣重算;要擋住這類攻擊,需要改用客戶端無法偽造的驗證方式(例如由私鑰簽發、程式裡只放公鑰來驗證的註冊碼)。
另外一個問題:申請用的序列號是根據C盤的卷序列號算出來的,但我始終搞不清楚具體的演算法,請高手幫我看看吧。
有不對的地方請提出來,謝謝.
