Installshield5.0反編譯破解軟體安裝序列號一例 (14千字)
工具:ISDCC v2.10(Modified)
破解者:smartsl
時間:2002-10-21
軟體:XXXXXX管理系統
2000
首先,在安裝目錄找到一個setup.ins檔案,用原版的isdcc21.exe反編譯出錯,提示
!!!!Unknown
opcode (0x168) at (0xD0D)
幸好這個isdcc的作者提供有原始碼,找到decode.c裡面有這行:
if (decodeTable[opcode] == NULL)
error("\n!!!!Unknown
opcode (0x%x) at (0x%x)\n", opcode, tell(fd));
再看看decodetable.h這個檔案,裡面很多類似下面的定義:
static char* rawDecodeTable[][4] = {
......
{(char*) 0x0068, "PlaceWindow",
(char*) 4, (char*) (*parseSystemFunction)},
......
};
搜尋一下發現沒有0x0168的定義,不管它,加上一行,後面的引數個數只好慢慢試,直到不出錯為止,試出來應該是3個引數。
同樣,需要再加一個0x0167的定義,引數個數也是3。
這樣,就可以正常反編譯了。
因為不知道這兩個函式名,暫時定為:
{(char*) 0x0168, "UnknowFunction_1", (char*) 3, (char*) (*parseSystemFunction)},
{(char*) 0x0167, "UnknowFunction_2", (char*) 3, (char*) (*parseSystemFunction)},
反編譯後大體瀏覽一下,很多lNumberXX、lStringXX的臨時變數,因為這個基本是按順序執行的,而這個軟體安裝出現license提示後馬上就要輸入序號,否則彈出提示框,不向下繼續安裝。所以在前面就能找到如下關鍵點:
004E58:015D: SilentReadData(string1, "szName",
1, pString2, lNumber3);
004E71:015D: SilentReadData(string1,
"szCompany", 1, pString3, lNumber3);
004E8D:015D:
SilentReadData(string1, "szSerial", 1, pString4, lNumber3);
這段在function1()裡面,function1()在function103()裡面,如下:
// ------------- FUNCTION function103 --------------
function function103()
number lNumber0;
string lString0;
string lString1;
begin
002872:0013:
string4 = "";
00287A:0013: string5 = "";
002882:0013: lString0 = "";
00288A:0013:
lString1 = "";
002892:00B5:
function1(lString0, lString1, string4, string5, string6);
0028A9:0021:
lNumber0 = LAST_RESULT;
0028B1:012F:
return(lNumber0);
0028B8:00B8: return;
end;
function103()又在function89()裡面,這回發現找到地方了,下面列出關鍵的一段:
這段完整的程式是:
// ------------- FUNCTION function89 --------------
function function89()
number
lNumber0;
number lNumber1;
number lNumber2;
number lNumber3;
number lNumber4;
number lNumber5;
number lNumber6;
number lNumber7;
number
lNumber8;
number lNumber9;
string lString0;
string lString1;
string lString2;
string lString3;
string lString4;
string lString5;
string
lString6;
string lString7;
string lString8;
string lString9;
begin
001143:0021: lNumber5
= 0;
label17: //Ref: 001181 0011BA
001151:00B5:
function100();
001159:0021:
lNumber0 = LAST_RESULT;
001161:0128: lNumber8
= lNumber0 = 12;
001173:0022: if (lNumber8 = 0)
then
goto label18;
endif;
001181:002C: goto
label17;
label18: //Ref: 001173 001275
00118A:00B5:
function101();
;顯示"license.txt"
001192:0021:
lNumber0 = LAST_RESULT;
00119A:0128:
lNumber8 = lNumber0 = 12;
0011AC:0022:
if (lNumber8 = 0) then
goto label19;
endif;
0011BA:002C:
goto label17;
label19: //Ref: 0011AC
0011C3:0021:
number49 = 0;
0011CD:0021:
number42 = 0;
label20: //Ref: 0012C2 00132C 0013DA
00161C 001682
0011DB:0022: if (number42
= 0) then
goto label21;
endif;
0011E9:002A:
MessageBox("\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff!",
-65534);
label21: //Ref: 0011DB
00120E:0128:
lNumber8 = number49 > 3;
001220:0022:
if (lNumber8 = 0) then
goto label22;
endif;
00122E:012F:
return(-1);
label22: //Ref: 001220
00123B:00B5:
function103();
001243:0021:
lNumber0 = LAST_RESULT;
00124B:0128: lNumber8
= lNumber0 = 12;
00125D:0022: if (lNumber8 = 0)
then
goto label23;
;按"繼續"按鈕就跳
endif;
00126B:0021:
number42 = 1;
001275:002C: goto label18;
label23: //Ref: 00125D
00127E:0119:
number49 = number49 + 1;
00128B:002F: StrLength(string6);
;序列號長度
001290:0021: lNumber8 = LAST_RESULT;
001298:0128:
lNumber8 = lNumber8 != 14;
;長度不是14位
0012AA:0022:
if (lNumber8 = 0) then
goto label24;
;為假則跳(長度就是14位)
endif;
0012B8:0021:
number42 = 1;
0012C2:002C:
goto label20;
label24: //Ref: 0012AA
0012CB:007A:
GetByte(lNumber8, string6, 0);
;取序列號第1位
0012D8:0128: lNumber8 = lNumber8
!= 56; ;56='8'
0012EA:007A: GetByte(lNumber9, string6, 1);
;取序列號第2位
0012F7:0128:
lNumber9 = lNumber9 != 45;
;45='-'
001309:0126:
lNumber8 = lNumber8 || lNumber9;
001314:0022:
if (lNumber8 = 0) then
goto label25;
;為假則跳(不用解釋了:))
endif;
001322:0021:
number42 = 1;
00132C:002C:
goto label20;
label25: //Ref: 001314
001335:0021:
number38 = 0;
;迴圈變數初始化(i=0;)
label26: //Ref: 001413
001343:0128: lNumber8 = number38 <= 11;
;12位的迴圈(i<12;)
001355:0022: if (lNumber8 = 0) then
goto
label28;
;迴圈結束,跳出
endif;
001363:0119: lNumber8 = number38
+ 2;
001370:007A: GetByte(lNumber8, string6, lNumber8);
;serial[i+2]
00137B:0128:
lNumber8 = lNumber8 < 48;
;<'0'
00138D:0119:
lNumber9 = number38 + 2;
00139A:007A: GetByte(lNumber9,
string6, lNumber9); ;serial[i+2]
0013A5:0128:
lNumber9 = lNumber9 > 57;
;>'9'
0013B7:0126:
lNumber8 = lNumber8 || lNumber9;
0013C2:0022:
if (lNumber8 = 0) then
goto label27;
;檢查是數字就跳
endif;
0013D0:0021:
number42 = 1;
0013DA:002C:
goto label20;
;####################################
; GetByte(lOutput,&str,i);
label27: //Ref: 0013C2
; SetByte(&str,i,lInput);
0013E3:0119: lNumber8 = number38 + 2;
;####################################
0013F0:007A: GetByte(lNumber8, string6, lNumber8);
0013FB:007B: SetByte(string15, number38, lNumber8);
;serial後面12位-->string15
001406:0119:
number38 = number38 + 1;
;迴圈變數遞增(i++;)
001413:002C:
goto label26;
label28: //Ref: 001355
00141C:007B:
SetByte(string15, 12, 0);
;<---序列號全是數字就到這裡,string15[12]='\0';
00142B:0021:
number39 = 0;
001435:0021:
number38 = 0;
label29: //Ref: 0014C3
001443:0128:
lNumber8 = number38 <= 5;
;迴圈開始
001455:0022:
if (lNumber8 = 0) then
goto label30;
;迴圈結束
endif;
001463:007A:
GetByte(lNumber8, string15, number38);
;
00146E:007B: SetByte(string12, number39,
lNumber8); ;string12是string15的前3個奇數位
001479:0119: lNumber8 = number39 + 3;
001486:0119:
lNumber9 = number38 + 1;
001493:007A:
GetByte(lNumber9, string15, lNumber9);
00149E:007B:
SetByte(string13, lNumber8, lNumber9); ;string13從第4位起是string15的前3個偶數位
0014A9:0119: number39 = number39 + 1;
0014B6:0119:
number38 = number38 + 2;
0014C3:002C:
goto label29;
;迴圈繼續
label30: //Ref: 001455
0014CC:007A: GetByte(lNumber8, string15, 11);
0014D9:007B: SetByte(string12, 3, lNumber8);
0014E6:007A:
GetByte(lNumber8, string15, 9);
0014F3:007B:
SetByte(string12, 4, lNumber8);
001500:007A:
GetByte(lNumber8, string15, 8);
00150D:007B:
SetByte(string12, 5, lNumber8); ;設定string12的4、5、6位為string15的第12、10、9位
00151A:007A: GetByte(lNumber8, string15, 6);
001527:007B: SetByte(string13, 0, lNumber8);
001534:007A:
GetByte(lNumber8, string15, 10);
001541:007B:
SetByte(string13, 1, lNumber8);
00154E:007A:
GetByte(lNumber8, string15, 7);
00155B:007B:
SetByte(string13, 2, lNumber8);
;設定string13的1、2、3位為string15的第7、11、8位
001568:0021:
number38 = 0;
label31: //Ref: 00163F
001576:0128:
lNumber8 = number38 <= 5;
;迴圈開始
001588:0022:
if (lNumber8 = 0) then
goto label33;
;迴圈結束
endif;
001596:007A:
GetByte(number46, string12, number38);
0015A1:011A:
number43 = number46 - 48;
0015AE:007A:
GetByte(number47, string13, number38);
0015B9:011A:
number44 = number47 - 48;
0015C6:0167:
UnknowFunction_2(lNumber8, string10, number43); ;???
0015D1:011B: lNumber8 = lNumber8 * 10;
0015DE:0119:
lNumber8 = lNumber8 + number38;
0015E9:0167:
UnknowFunction_2(number45, string11, lNumber8); ;???
0015F4:0128: lNumber8 = number45 != number44;
001604:0022: if (lNumber8 = 0) then
goto
label32;
;相等就跳
endif;
001612:0021: number42 = 1;
00161C:002C: goto label20;
;不滿足條件,返回
label32: //Ref: 001604
001625:0119:
number48 = number45 + 48;
001632:0119: number38
= number38 + 1;
00163F:002C: goto label31;
;迴圈繼續
label33: //Ref: 001588 0016BB 0017A6
001648:0021:
number42 = 0;
001652:00B5:
function104();
;<---
00165A:0021:
lNumber0 = LAST_RESULT;
001662:0128: lNumber8
= lNumber0 = 12;
001674:0022: if (lNumber8 = 0)
then
goto label34;
endif;
001682:002C: goto
label20;
label34: //Ref: 001674 001734 00176D
00168B:00B5: function105();
001693:0021:
lNumber0 = LAST_RESULT;
00169B:0128:
lNumber8 = lNumber0 = 12;
0016AD:0022:
if (lNumber8 = 0) then
goto label35;
endif;
0016BB:002C:
goto label33;
label35: //Ref: 0016AD
0016C4:0128:
lNumber8 = lNumber0 = 12;
0016D6:0023:
StrCompare(string9, "Custom");
0016E4:0128:
lNumber9 = LAST_RESULT != 0;
0016F6:0127:
lNumber8 = lNumber8 && lNumber9;
001701:0023:
StrCompare(string9, "");
001709:0128: lNumber9
= LAST_RESULT != 0;
00171B:0127: lNumber8 = lNumber8
&& lNumber9;
001726:0022: if (lNumber8
= 0) then
goto label36;
endif;
001734:002C:
goto label34;
label36: //Ref: 001726
00173D:00B5:
function106();
001745:0021: lNumber0
= LAST_RESULT;
00174D:0128: lNumber8 = lNumber0
= 12;
00175F:0022: if (lNumber8 = 0) then
goto label37;
endif;
00176D:002C: goto label34;
label37: //Ref: 00175F
001776:00B5:
function107();
00177E:0021: lNumber0 = LAST_RESULT;
001786:0128: lNumber8 = lNumber0 = 12;
001798:0022:
if (lNumber8 = 0) then
goto label38;
endif;
0017A6:002C:
goto label33;
label38: //Ref: 001798
0017AF:012F: return(0);
0017B8:00B8:
return;
end;
其中function101()是顯示"license.txt"的,這個進去看看就知道:
// ------------- FUNCTION function101 --------------
function function101()
number lNumber0;
string lString0;
string lString1;
string lString2;
string lString3;
begin
00278F:0125:
lString3 = SUPPORTDIR ^ "license.txt";
0027A5:0013:
lString0 = "";
0027AD:0013:
lString1 = "";
0027B5:0013: lString2 = "";
0027BD:00B5: function27(lString0, lString1, lString2,
lString3);
0027D1:0021: lNumber0 = LAST_RESULT;
0027D9:012F: return(lNumber0);
0027E0:00B8:
return;
end;
其他的我的註釋就寫得很清楚了
最後有一個關鍵迴圈比較的地方用到了這個未知函式,因為跟上面反覆用到的兩個GetByte()和SetByte()很像,所以就猜測著去作.用到了一個變數string11,在全部反編譯裡面搜尋發現,僅這一次呼叫,初始化處在前面開頭:
000DC5:0021: number40 = 0;
000DCF:0021: number38
= 0;
label2: //Ref: 000E96
000DDD:0128: number52
= number38 <= 9;
000DEF:0022: if (number52 = 0) then
goto label5;
endif;
000DFD:0119:
number40 = number40 + 1;
000E0A:0021: number39 = 0;
label3: //Ref: 000E80
000E18:0128: number52 = number39
<= 9;
000E2A:0022: if (number52 = 0) then
goto label4;
endif;
000E38:011B:
number52 = number38 * 10;
000E45:0119: number52 = number52
+ number39;
000E50:0119: number53 = number40 + number39;
000E5B:0123: number53 = number53 % 10;
000E68:0168:
UnknowFunction_1(string11, number52, number53);
000E73:0119:
number39 = number39 + 1;
000E80:002C: goto label3;
label4: //Ref: 000E2A
000E89:0119: number38 = number38
+ 1;
000E96:002C: goto label2;
這些演算法都很簡單,仔細看就行.
最後附上我做的序號產生器主要原始碼,可以結合起來分析:
#define MAXINPUTLEN 12
char szFormat[] = "8-%s";
char serial[MAXINPUTLEN+1],s1[MAXINPUTLEN+1]="123456789012";
int t1[6]={0,2,4,11,9,8},t2[6]={6,10,7,1,3,5},MagicTable[10]={6,2,9,5,1,4,1,3,8,7};
int i,x,y;
for(i=0;i<6;i++)
{
//x=t3[i];//DEBUG
x=rand()%10;
y=MagicTable[x]*10+i;
s1[t1[i]]=48+x;
s1[t2[i]]=48+(y/10+y%10+1)%10;
}
sprintf(serial,szFormat,s1);
最後,我們可以認為
UnknowFunction_1()
===> SetByte()
UnknowFunction_2() ===>
GetByte()
於是可以在decodetable.h裡面加上這兩行
{(char*) 0x0167, "GetByte__",
(char*) 3, (char*) (*parseSystemFunction)},
{(char*) 0x0168, "SetByte__",
(char*) 3, (char*) (*parseSystemFunction)},
這就是前面那個ISDCC v2.10(Modified)的來源,加上"__"是為了跟原有的函式區別開來,我現在反正不知道區別是什麼.
-=over=-
相關文章
- 反編譯之安裝Apktool2018-10-25編譯APK
- abbyy finereader14序列號 附安裝教程2020-10-12
- IDA Pro for Mac(靜態反編譯軟體)2022-07-12Mac編譯
- IDA Pro for Mac 靜態反編譯軟體2022-06-18Mac編譯
- Go開發者之如何破解安裝GoLand編譯器?2018-11-24GoLand編譯
- Photoshop CC 2018 軟體安裝包+破解教程2023-11-01
- PhpStorm 2023 啟用序列號最新+PhpStorm 2023 破解安裝包v2023.32023-12-13PHPORM
- 在Ubuntu 18.04上編譯安裝pppoe客戶端軟體2020-03-24Ubuntu編譯客戶端
- c#寫的軟體如何防止被反編譯2024-04-12C#編譯
- 軟體推薦-Java反編譯軟體-jd-gui(附下載地址)2018-10-10Java編譯GUI
- 編譯安裝zabbix2019-06-01編譯
- 安裝編譯ffmpeg2024-06-29編譯
- Griffin編譯安裝2024-05-24編譯
- 編譯安裝nmon2022-12-20編譯
- swoole 編譯安裝2022-06-23編譯
- apache編譯安裝2022-07-18Apache編譯
- Java編譯與反編譯2021-03-20Java編譯
- 軟體序列號查詢軟體:Serial Box for Mac2024-01-12Mac
- 龍芯麒麟原始碼編譯MySQL生成軟體包進行安裝2023-01-13原始碼編譯MySql
- 安卓逆向之Luac解密反編譯2018-08-03安卓解密編譯
- ffmpeg安裝之linux編譯安裝2021-06-01Linux編譯
- pdf編輯軟體Acrobat Pro DC 2023中文破解版(附安裝教程)2024-01-03BAT
- Multisim14--軟體簡介及安裝教程(內含安裝包)2024-05-04
- httpd編譯安裝php2018-10-17httpd編譯PHP
- Shell編譯安裝nginx2020-06-14編譯Nginx
- Linux 編譯安裝 Python2024-05-29Linux編譯Python
- Linux編譯安裝Nginx2021-09-09Linux編譯Nginx
- centos PHP 編譯安裝2021-03-16CentOSPHP編譯
- 開源編譯工具和編譯軟體2020-12-25編譯
- python pyinstaller打包的exe 反編譯問題記錄 破解加密2024-06-21Python編譯加密
- 【軟體】Mac parallels desktop 13破解下載及安裝方法2018-03-03MacParallel
- android 反編譯2024-10-04Android編譯
- mac軟體安裝-SnapGene 5 for Mac 全新啟用版,DNA序列分析軟體2023-09-19Mac
- Android Apk反編譯系列教程(一)如何反編譯APK2019-04-14AndroidAPK編譯
- Serial Box for mac(Mac軟體序列號大全)2022-07-12Mac
- Mac軟體序列號大全:Serial Box for mac2022-05-22Mac
- PHP Linux安裝擴充套件(編譯安裝)2024-06-18PHPLinux套件編譯
- 【MySQL安裝】Linux下安裝MySQL(預編譯)2021-01-05MySqlLinux編譯
- Xopsed的編譯與安裝2019-01-30編譯