爆破MD5加密程式――驅動之加 1.21 [VB]

看雪資料發表於2015-11-15

爆破MD5加密程式――驅動之加 1.21 [VB]
 
 
 
下載頁面:  http://xj.onlinedown.net/soft/17117.htm 
軟體大小:  2.93 MB
軟體語言:  多國語言
軟體類別:  共享版/備份工具
執行環境:  Win9x/Me/NT/2000/XP
加入時間:  2003-8-13 10:41:12
下載次數:  988
軟體評級:  ****

【軟體簡介】:是一款驅動之家的驅動精靈的克隆版本。1、更專業的驅動備份功能:能夠檢測使用者計算機系統中的硬體裝置,將全部或任意部分硬體的驅動程式提取備份出來,並能夠將備份出來的驅動程式做成Zip壓縮檔案或自解壓檔案。速度敏捷,這份工作快到只需30秒就能全部完成。透過驅動備份功能,大家可以完全免去重新安裝系統後驅動程式丟失的煩惱,多臺同配置機器也不再需要那數不勝數的驅動光碟了。此外,軟體還支援區域網備份功能。2、更專業驅動還原功能:完全免去了新手不會安裝驅動程式的煩惱,在重新安裝系統後再也不需要一個一個手動安裝驅動,只需點選一下按鈕就能將您備份出來的驅動程式自動安裝到系統上,乾淨利落。3、備份系統桌面的功能。4、備份檔案加密的功能。5、3721上網助手模組。

【軟體限制】:NAG、15天試用

【作者宣告】:初學Crack,只是感興趣,沒有其它目的。失誤之處敬請諸位大俠賜教!

【破解工具】:Ollydbg1.09、PEiD、AspackDie、W32Dasm 9.0白金版、RegMon

――――――――――――――――――――――――――――――――― 
【過    程】:
          
         
程式的前6位註冊碼是作者預置的,MD5值是:BB4E92EC6FBA2F7B93CF192D7CB9368DB,所以就只好爆破啦。只要作者保證已註冊使用者的金鑰不洩露,恐怕是很難得到完整的註冊碼。程式在註冊和啟動時皆驗證註冊碼。

Driver Backup Plus.exe 是ASPack v2.12殼,用AspackDie脫之。136K->520K。VB 6.0編寫。

姓  名:fly
試煉碼:135724689012
―――――――――――――――――――――――――――――――――
一、註冊時的驗證   下斷 MSVBVM60.rtcLeftCharVar 就行了。


:00443374 8B957CFFFFFF            mov edxdword ptr [ebp+FFFFFF7C]
                                  ====>EDX=fly                     使用者名稱

…… …… 省 略 …… ……

:004433D8 8B957CFFFFFF            mov edxdword ptr [ebp+FFFFFF7C]
                                  ====>EDX=13572468901234567890    試煉碼


* Reference To: MSVBVM60.rtcLeftCharVar, Ord:0269h
                                  |
:0044342E FF15E8114000            Call dword ptr [004011E8]
                                  ====>取 試煉碼 前6位:135724

…… …… 省 略 …… ……

:00443465 FF512C                  call [ecx+2C]
                                  ====>計算135724的MD5值=4DDCB6075647F0A96811CF0ACB291A93

…… …… 省 略 …… ……

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044346C(C)
|
:00443480 8B957CFFFFFF            mov edxdword ptr [ebp+FFFFFF7C]
                                  ====>EDX=4DDCB6075647F0A96811CF0ACB291A93

:00443486 52                      push edx

* Possible StringData Ref from Code Obj ->"BB4E92EC6FBA2F7B93CF192D7CB9368DB"
                                  |
:00443487 68E4904000              push 004090E4

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
                                  |
:0044348C FF15E8104000            Call dword ptr [004010E8]
                                  ====>比較CALL!①  作者預置了用MD5加密的前6位註冊碼!

:00443492 8BF8                    mov edieax
:00443494 8D8D7CFFFFFF            lea ecxdword ptr [ebp+FFFFFF7C]
:0044349A F7DF                    neg edi
:0044349C 1BFF                    sbb ediedi
:0044349E F7DF                    neg edi
:004434A0 F7DF                    neg edi

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
                                  |
:004434A2 FF1528124000            Call dword ptr [00401228]
:004434A8 663BFE                  cmp disi
:004434AB 0F8534080000            jne 00443CE5
                                  ====>跳則OVER!  爆破點 ① 也可以從上面改

…… …… 省 略 …… ……

:004434C2 FF512C                  call [ecx+2C]
                                  ====>計算fly的MD5值=AF17BC3B4A86A96A0F053A7E5F7C18BA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004434C9(C)
|
:004434DD 8B957CFFFFFF            mov edxdword ptr [ebp+FFFFFF7C]
                                  ====>EDX=AF17BC3B4A86A96A0F053A7E5F7C18BA

…… …… 省 略 …… ……

:00443533 FFD3                    call ebx
                                  ====>取試煉碼135724689012的第7位至第10位:6890

…… …… 省 略 …… ……

:0044356F FFD3                    call ebx
                                  ====>取AF17BC3B4A86A96A0F053A7E5F7C18BA的第16至19位:A0F0

:00443571 8D8D54FFFFFF            lea ecxdword ptr [ebp+FFFFFF54]
:00443577 8D9534FFFFFF            lea edxdword ptr [ebp+FFFFFF34]
:0044357D 51                      push ecx
:0044357E 52                      push edx

* Reference To: MSVBVM60.__vbaVarTstNe, Ord:0000h
                                  |
:0044357F FF15B8114000            Call dword ptr [004011B8]
                                  ====>比較CALL!②

:00443585 668985E0FEFFFF          mov word ptr [ebp+FFFFFEE0], ax
:0044358C 8D8534FFFFFF            lea eaxdword ptr [ebp+FFFFFF34]
:00443592 8D8D54FFFFFF            lea ecxdword ptr [ebp+FFFFFF54]
:00443598 50                      push eax
:00443599 8D9544FFFFFF            lea edxdword ptr [ebp+FFFFFF44]
:0044359F 51                      push ecx
:004435A0 8D8564FFFFFF            lea eaxdword ptr [ebp+FFFFFF64]
:004435A6 52                      push edx
:004435A7 50                      push eax
:004435A8 57                      push edi

* Reference To: MSVBVM60.__vbaFreeVarList, Ord:0000h
                                  |
:004435A9 8B3D34104000            mov edidword ptr [00401034]
:004435AF FFD7                    call edi
:004435B1 83C414                  add esp, 00000014
:004435B4 6639B5E0FEFFFF          cmp word ptr [ebp+FFFFFEE0], si
:004435BB 0F8524070000            jne 00443CE5
                                  ====>跳則OVER!爆破點 ②

:004435C1 8D9514FFFFFF            lea edxdword ptr [ebp+FFFFFF14]
:004435C7 6A08                    push 00000008
:004435C9 8D8564FFFFFF            lea eaxdword ptr [ebp+FFFFFF64]
:004435CF 8D4DA4                  lea ecxdword ptr [ebp-5C]
:004435D2 52                      push edx
:004435D3 50                      push eax
:004435D4 898D1CFFFFFF            mov dword ptr [ebp+FFFFFF1C], ecx
:004435DA C78514FFFFFF08400000    mov dword ptr [ebp+FFFFFF14], 00004008

* Reference To: MSVBVM60.rtcRightCharVar, Ord:026Bh
                                  |
:004435E4 FF1500124000            Call dword ptr [00401200]
                                  ====>取AF17BC3B4A86A96A0F053A7E5F7C18BA的最後8位:5F7C18BA

…… …… 省 略 …… ……

:00443619 FF522C                  call [edx+2C]
                                  ====>計算5F7C18BA的MD5值=3B300D0A6C82BE9E41C9D78365E9E442

…… …… 省 略 …… ……

:00443634 8B9578FFFFFF            mov edxdword ptr [ebp+FFFFFF78]
                                  ====>EDX=3B300D0A6C82BE9E41C9D78365E9E442

…… …… 省 略 …… ……

* Reference To: MSVBVM60.rtcRightCharVar, Ord:026Bh
                                  |
:00443684 FF1500124000            Call dword ptr [00401200]
                                  ====>取試煉碼135724689012的最後2位字元:12

…… …… 省 略 …… ……

:004436C5 FFD3                    call ebx
                                  ====>取3B300D0A6C82BE9E41C9D78365E9E442的23、24位:83

:004436C7 8D8D64FFFFFF            lea ecxdword ptr [ebp+FFFFFF64]
:004436CD 8D9544FFFFFF            lea edxdword ptr [ebp+FFFFFF44]
:004436D3 51                      push ecx
:004436D4 52                      push edx

* Reference To: MSVBVM60.__vbaVarTstNe, Ord:0000h
                                  |
:004436D5 FF15B8114000            Call dword ptr [004011B8]
                                  ====>比較CALL!③

:004436DB 668985E0FEFFFF          mov word ptr [ebp+FFFFFEE0], ax
:004436E2 8D8544FFFFFF            lea eaxdword ptr [ebp+FFFFFF44]
:004436E8 8D8D64FFFFFF            lea ecxdword ptr [ebp+FFFFFF64]
:004436EE 50                      push eax
:004436EF 8D9554FFFFFF            lea edxdword ptr [ebp+FFFFFF54]
:004436F5 51                      push ecx
:004436F6 52                      push edx
:004436F7 6A03                    push 00000003
:004436F9 FFD7                    call edi
:004436FB 83C410                  add esp, 00000010
:004436FE 6639B5E0FEFFFF          cmp word ptr [ebp+FFFFFEE0], si
:00443705 0F85DA050000            jne 00443CE5
                                  ====>跳則OVER!爆破點 ③

…… …… 省 略 …… ……


* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h
                                  |
:00443A49 FF1590104000            Call dword ptr [00401090]
                                  ====>呵呵,勝利女神!


――――――――――――――――――――
二、程式重啟後又變回未註冊了,呵呵,啟動時還有驗證呀。           
用RegMon知道程式把註冊碼儲存在登錄檔中,所以在反彙編程式碼裡搜尋sserialnumber下斷。


* Possible StringData Ref from Code Obj ->"sserialnumber"
                                  |
:00435A87 68188F4000              push 00408F18
:00435A8C 8D954CFFFFFF            lea edxdword ptr [ebp+FFFFFF4C]
:00435A92 52                      push edx

* Reference To: MSVBVM60.__vbaStrToAnsi, Ord:0000h
                                  |
:00435A93 FF15D0114000            Call dword ptr [004011D0]

…… …… 省 略 …… ……


* Reference To: MSVBVM60.rtcLeftCharVar, Ord:0269h
                                  |
:00435FCB FF15E8114000            Call dword ptr [004011E8]
                                  ====>取 試煉碼 前6位:135724

…… …… 省 略 …… ……

:0043608D FF512C                  call [ecx+2C]
                                  ====>計算135724的MD5值=4DDCB6075647F0A96811CF0ACB291A93

…… …… 省 略 …… ……

:004360CE 8B955CFFFFFF            mov edxdword ptr [ebp+FFFFFF5C]
                                  ====>EDX=4DDCB6075647F0A96811CF0ACB291A93

:004360D4 52                      push edx

* Possible StringData Ref from Code Obj ->"BB4E92EC6FBA2F7B93CF192D7CB9368DB"
                                  |
:004360D5 68E4904000              push 004090E4
                                  ====>004090E4=BB4E92EC6FBA2F7B93CF192D7CB9368DB

* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
                                  |
:004360DA FF15E8104000            Call dword ptr [004010E8]
                                  ====>比較CALL! ④

:004360E0 F7D8                    neg eax
:004360E2 1BC0                    sbb eaxeax
:004360E4 F7D8                    neg eax
:004360E6 F7D8                    neg eax
:004360E8 6689858CFEFFFF          mov word ptr [ebp+FFFFFE8C], ax
:004360EF 8D8D5CFFFFFF            lea ecxdword ptr [ebp+FFFFFF5C]

* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
                                  |
:004360F5 FF1528124000            Call dword ptr [00401228]
:004360FB 0FBF858CFEFFFF          movsx eaxword ptr [ebp+FFFFFE8C]
:00436102 85C0                    test eaxeax
:00436104 0F8480010000            je 0043628A
                                  ====>不跳則OVER! 爆破點 ④

…… …… 省 略 …… ……

:00436332 8BD0                    mov edxeax
                                  ====>EDX=fly                     使用者名稱

:00436334 8D8D58FFFFFF            lea ecxdword ptr [ebp+FFFFFF58]

* Reference To: MSVBVM60.__vbaStrMove, Ord:0000h
                                  |
:0043633A FF15F0114000            Call dword ptr [004011F0]
:00436340 8D8D54FFFFFF            lea ecxdword ptr [ebp+FFFFFF54]
:00436346 51                      push ecx
:00436347 8D9558FFFFFF            lea edxdword ptr [ebp+FFFFFF58]
:0043634D 52                      push edx
:0043634E 8B8594FEFFFF            mov eaxdword ptr [ebp+FFFFFE94]
:00436354 8B08                    mov ecxdword ptr [eax]
:00436356 8B9594FEFFFF            mov edxdword ptr [ebp+FFFFFE94]
:0043635C 52                      push edx
:0043635D FF512C                  call [ecx+2C]
                                  ====>計算fly的MD5值=AF17BC3B4A86A96A0F053A7E5F7C18BA

…… …… 省 略 …… ……

* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
                                  |
:0043644A FF15C8104000            Call dword ptr [004010C8]
                                  ====>取試煉碼135724689012的第7位至第10位:6890

…… …… 省 略 …… ……

* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
                                  |
:004364A1 FF15C8104000            Call dword ptr [004010C8]
                                  ====>取AF17BC3B4A86A96A0F053A7E5F7C18BA的第16至19位:A0F0

:004364A7 8D8D20FFFFFF            lea ecxdword ptr [ebp+FFFFFF20]
:004364AD 51                      push ecx
:004364AE 8D9500FFFFFF            lea edxdword ptr [ebp+FFFFFF00]
:004364B4 52                      push edx

* Reference To: MSVBVM60.__vbaVarTstNe, Ord:0000h
                                  |
:004364B5 FF15B8114000            Call dword ptr [004011B8]
                                  ====>比較CALL! ⑤

…… …… 省 略 …… ……

:004364FC 85C9                    test ecxecx
                                  ====> 爆破點  ⑤

:004364FE 0F8480010000            je 00436684
                                  ====>不跳則OVER!

…… …… 省 略 …… ……

* Reference To: MSVBVM60.rtcRightCharVar, Ord:026Bh
                                  |
:004366AE FF1500124000            Call dword ptr [00401200]
                                  ====>取AF17BC3B4A86A96A0F053A7E5F7C18BA的最後8位:5F7C18BA

…… …… 省 略 …… ……

:00436723 FF522C                  call [edx+2C]
                                  ====>計算5F7C18BA的MD5值=3B300D0A6C82BE9E41C9D78365E9E442

…… …… 省 略 …… ……

* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
                                  |
:00436803 FF15C8104000            Call dword ptr [004010C8]
                                  ====>取試煉碼135724689012的最後2位字元:12

…… …… 省 略 …… ……

* Reference To: MSVBVM60.rtcMidCharVar, Ord:0278h
                                  |
:0043685A FF15C8104000            Call dword ptr [004010C8]
                                  ====>取3B300D0A6C82BE9E41C9D78365E9E442的23、24位:83

:00436860 8D8520FFFFFF            lea eaxdword ptr [ebp+FFFFFF20]
:00436866 50                      push eax
:00436867 8D8D00FFFFFF            lea ecxdword ptr [ebp+FFFFFF00]
:0043686D 51                      push ecx

* Reference To: MSVBVM60.__vbaVarTstNe, Ord:0000h
                                  |
:0043686E FF15B8114000            Call dword ptr [004011B8]
                                  ====>比較CALL! ⑥
…… …… 省 略 …… ……

:004368B5 85C0                    test eaxeax
                                  ====> 爆破點  ⑥

:004368B7 0F8480010000            je 00436A3D
                                  ====>不跳則OVER!

…… …… 省 略 …… ……

:00436996 FF91B0020000            call dword ptr [ecx+000002B0]
                                  ====>要求註冊的NAG!

:00436A14 E893FAFCFF              call 004064AC
                                  ====>刪除登錄檔中的使用者名稱



―――――――――――――――――――――――――――――――――
【算 法  總 結】:


1、前6位註冊碼是作者預置的,MD5值是:BB4E92EC6FBA2F7B93CF192D7CB9368DB
   呵呵,窮舉?爆破?付款?等待金鑰洩露?恐怕只有這幾種辦法啦  

2、計算使用者名稱fly的MD5值=AF17BC3B4A86A96A0F053A7E5F7C18BA  
   取其第16位至19位: A0F0 作為註冊碼的 第7、8、9、10位    

3、取 AF17BC3B4A86A96A0F053A7E5F7C18BA 的最後8位:5F7C18BA
   計算 5F7C18BA 的 MD5值=3B300D0A6C82BE9E41C9D78365E9E442
   取其第23、24位: 83 作為註冊碼最後2位


――――――――――――――――――――――――――――――――― 
【完 美  爆 破】:



1、00443480 8B957CFFFFFF            mov edxdword ptr [ebp+FFFFFF7C]
      改為:BAE490400090            mov edx, 004090E4

2、004435BB 0F8524070000            jne 00443CE5
      改為:909090909090            NOP

3、00443705 0F85DA050000            jne 00443CE5
      改為:909090909090            NOP掉  

4、004360CE 8B955CFFFFFF            mov edxdword ptr [ebp+FFFFFF5C]
      改為:BAE490400090            mov edx, 004090E4

5、004364FC 85C9                    test ecxecx
      改為:33C9                    xor  ecxecx

6、004368B5 85C0                    test eaxeax
      改為:33C0                    xor  eaxeax

           

――――――――――――――――――――――――――――――――― 
【註冊資訊儲存】:


REGEDIT4

[HKEY_LOCAL_MACHINESoftwaredriver backup plus]
"firsttime"="9-24-2003"
"endtrialtime"="10-9-2003"
"lastvalid"="B7264EE8114E63CE5002DDDFEE7A8245"
"serialnumber"="135724A0F083"
"username"="fly"


―――――――――――――――――――――――――――――――――
    
                                
         ,     _/ 
        /| _.-~/            _     ,        青春都一餉
       ( /~   /              ~-._ |
       `\  _/                   ~ )          忍把浮名 
   _-~~~-.)  )__/;;,.          _  //'
  /'_,   --~    ~~~-  ,;;___(  (.-~~~-.        換了破解輕狂
 `~ _( ,_..-- (     ,;'' /    ~--   /._` 
  /~~//'   /' `~         ) /--.._, )_  `~
  "  `~"  "      `"      /~'`    `\~~   
                         "     "   "~'  ""

    

               Cracked By 巢水工作坊――fly [OCN][FCG]

                       2003-09-24  23:50

相關文章