Tutor13  How to crack Drag And View v4.50

作者:dREAMtHEATER
E-mail:dreamtheater@263.net
寫作日期: 16/17th, Oct 1999

軟體背景資料

執行平臺: Win9X/NT
檔名稱: dv95.exe
程式型別: 檔案格式瀏覽器
下載地點: http://www.canyonsw.com
檔案大小: 1,970KB

使用的工具

SoftIce V4.0--Win9X Debugger
W32Dasm V8.93--Win9X Dissembler
RegSnap V2.51--Registry Analyzing Tool
Registry Studio V1.01--Enhanced Registry Editor

保護型別
Serials(*) Nag Screens(*) Keyfiles( ) Crippled( ) Packed( ) CD-Checks( )

難易程度
Easy(X) Medium( ) Hard( ) Pro( )

----------=======宣告========----------

未經作者同意，不得修改、引用原文，一切權利保留。
本教程只供教學用，其他一切用途皆被禁止。

----------=======軟體介紹========----------

超強的瀏覽,編輯程式,支援拖放功能，支援各種文字、圖形，甚至資料庫的瀏覽。可取代
ACDsee,UltraEdit等。
它所支援的檔案型別如下：
- Word, Works, WordPerfect, Ami Pro,
Q&AWrite, 純文字、二進位制檔案等型別文件。
- Excel, Lotus, Quattro等電子表格
- FoxPro, Clipper, dBase資料庫
- 播放動態GIF檔案
- 播放MIDI, WAV和RMI聲音檔案
- 播放AVI動畫
- 大量最新的Internet檔案格式
- 使用Active X控制顯示Web頁面
- 大量的圖形檔案

註冊後能夠支援下列格式：
PowerPoint PPT
Autocad DXF
Micrografx Designer DRW
Computer Graphics Metafiles CGM
Encapsulated Postscript Files EPS
HPGL
Lotus PIC
WordPerfect Graphics WPG

----摘自該軟體的漢化說明（作者：張楚權）

----------=======軟體的保護系統========-------

該軟體可以免費試用三十天，六十天後必須註冊,時間寫在
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{34ee9750-9350-11d1-8fee-004095e2400c}預設鍵
值中，註冊後在登錄檔： HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{34ee9750-9350-11d1-
8fee-004095e2400c}\InprocServer32 這個子鍵下寫入預設鍵值：“ole32.DLL”，如果是重新獲得
30天試用期，將在:
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{34ee9750-9350-11d1-8fee-004095e2400c}下寫入
一個DWORD值 “Extension=0x00000001(1)”。可見，該程式並不是將真正的註冊碼寫入登錄檔，而
是以“ole32.DLL”和“Extension=0x00000001(1)”為標誌。

----------========正文========----------

如何計算註冊碼

執行程式，還好！沒有討厭的nag出現，直接到選單中尋找註冊項，沒有！難道是過期後才提
示註冊？對！將系統時間往後調，關閉視窗，準備重新執行。就在我按下視窗的關閉按紐後，哇！
Nag出現了，原來它躲在這裡！點選上面的"Enter Code" button,進入註冊視窗，輸入1234567890。
在SoftIce中設斷點"bpx hmemcpy" ,Ctrl-D,回到註冊視窗，press "OK" button,BOOM!你又立
即回到SoftIce中,"bc *",取消所有斷點，Press F12數次，直到下面的程式碼出現：

:00402B15 6A0F push 0000000F
:00402B17 50 push eax

* Possible Reference to Dialog: DialogID_0083, CONTROL_ID:01F9, ""
|
:00402B18 68F9010000 push 000001F9
:00402B1D 56 push esi

* Reference To: USER32.GetDlgItemTextA, Ord:00F5h <==程式呼叫"GetDlgItemTextA"來獲取
你輸入的code，在SI中你也可以設定
這個斷點，但請記住，在你不知道程
序呼叫什麼函式之前，"hmemcpy"應
是你的首選，它的命中率為99.9% ，
這會節省你的時間，但需要你有較
多的經驗。
|
:00402B1E FF1570BD4400 Call dword ptr [0044BD70]
:00402B24 FF35EC5A4400 push dword ptr [00445AEC]
:00402B2A 8D45EC lea eax, dword ptr [ebp-14] <==eax指向輸入的code
:00402B2D 50 push eax
:00402B2E 56 push esi
:00402B2F E83C000000 call 00402B70 <==code check
:00402B34 83C40C add esp, 0000000C
:00402B37 85C0 test eax, eax
:00402B39 7417 je 00402B52 <==good/bad boy
:00402B3B 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"Thank You"
|
:00402B3D 6808134400 push 00441308

* Possible StringData Ref from Data Obj ->"Program is registered"
|
:00402B42 68F0124400 push 004412F0
:00402B47 56 push esi

* Reference To: USER32.MessageBoxA, Ord:0195h
|
:00402B48 FF1574BD4400 Call dword ptr [0044BD74]

為了瞭解程式如何進行註冊碼計算的，我們需要trace into "call 00402B70",因此在
:00402B70處設斷點，重新回到註冊視窗，填入fake code,這回你進入了下面的這段程式碼：

* Referenced by a CALL at Address:
|:00402B2F
|
:00402B70 55 push ebp
:00402B71 8BEC mov ebp, esp
:00402B73 56 push esi
:00402B74 57 push edi
:00402B75 8B7D0C mov edi, dword ptr [ebp+0C]
:00402B78 57 push edi <==eax point to code you type into

* Reference To: KERNEL32.lstrlenA, Ord:02A1h
|
:00402B79 FF1508BA4400 Call dword ptr [0044BA08] <==獲取你輸入code的字串
長度
:00402B7F 83F80E cmp eax, 0000000E
:00402B82 7550 jne 00402BD4 <==not equal to 14 ,bad boy
:00402B84 57 push edi
:00402B85 33F6 xor esi, esi

* Reference To: USER32.CharUpperA, Ord:002Bh
|
:00402B87 FF1564BD4400 Call dword ptr [0044BD64] <==將輸入的code中的小寫字
母變成大寫。
:00402B8D 33C9 xor ecx, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402BAF(C)
|
:00402B8F 8A0439 mov al, byte ptr [ecx+edi]---------+
:00402B92 3C41 cmp al, 41 |
:00402B94 0FBEC0 movsx eax, al |
:00402B97 7C06 jl 00402B9F |
:00402B99 8D7406BF lea esi, dword ptr [esi+eax-41] |
:00402B9D EB04 jmp 00402BA3 |
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |
|:00402B97(C) |
| |
:00402B9F 8D7406D0 lea esi, dword ptr [esi+eax-30] |
|---real serial
* Referenced by a (U)nconditional or (C)onditional Jump at Address: | check
|:00402B9D(U) |
| |
:00402BA3 83FE09 cmp esi, 00000009 |
:00402BA6 7E03 jle 00402BAB |
:00402BA8 83EE09 sub esi, 00000009 |
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |
|:00402BA6(C) |
| |
:00402BAB 41 inc ecx |
:00402BAC 83F90E cmp ecx, 0000000E |
:00402BAF 7CDE jl 00402B8F -----------------------+
:00402BB1 83FE04 cmp esi, 00000004
:00402BB4 750F jne 00402BC5 〈== if eax=4, you'll recover more 30
days to evaluate it
:00402BB6 FF7510 push [ebp+10]
:00402BB9 FF7508 push [ebp+08]
:00402BBC E8A3000000 call 00402C64 <==寫登錄檔
:00402BC1 59 pop ecx
:00402BC2 59 pop ecx
:00402BC3 EB3D jmp 00402C02

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402BB4(C)
|
:00402BC5 8B4510 mov eax, dword ptr [ebp+10] <==eax=5
:00402BC8 3BF0 cmp esi, eax
:00402BCA 7508 jne 00402BD4 <==good/bad boy
:00402BCC 48 dec eax
:00402BCD 7425 je 00402BF4
:00402BCF 83E804 sub eax, 00000004
:00402BD2 7419 je 00402BED

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402B82(C), :00402BCA(C)
|
:00402BD4 6A10 push 00000010

* Possible StringData Ref from Data Obj ->"Invalid Code"
|
:00402BD6 6888134400 push 00441388

* Possible StringData Ref from Data Obj ->"Sorry, Invalid Code!"
|
:00402BDB 6870134400 push 00441370
:00402BE0 FF7508 push [ebp+08]

* Reference To: USER32.MessageBoxA, Ord:0195h
|
:00402BE3 FF1574BD4400 Call dword ptr [0044BD74]
:00402BE9 33C0 xor eax, eax
:00402BEB EB15 jmp 00402C02

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402BD2(C)
|

* Possible StringData Ref from Data Obj ->"{34ee9750-9350-11d1-8fee-004095e2400c}"
|
:00402BED 6890114400 push 00441190
:00402BF2 EB05 jmp 00402BF9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402BCD(C)
|

* Possible StringData Ref from Data Obj ->"{6ea280e0-9350-11d1-8fee-004095e2400c}"
|
:00402BF4 68E0114400 push 004411E0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402BF2(U)
|
:00402BF9 E808000000 call 00402C06 <==寫登錄檔
:00402BFE 59 pop ecx
:00402BFF 6A01 push 00000001
:00402C01 58 pop eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402BC3(U), :00402BEB(U)
|
:00402C02 5F pop edi
:00402C03 5E pop esi
:00402C04 5D pop ebp
:00402C05 C3 ret

從:00402B8F到:00402BAC計算註冊碼，你能看懂嗎？其中，edi指向code字串的首地址，
我們可以將我們輸入的code看作一個字串陣列(假設為reg(I))，按順序取字串的每一位，共進
行十四次迴圈，每次將該位字元的ACSII碼值與0x41（字元“A”）相比，若小於則將碼值減去0x30(
字元“0”)，所得值加上esi(初始值為零）再賦給esi;若大於等於，則減去0x41,其他步驟同前。每
次迴圈的最後將esi與9比較，大於9則令esi=esi-9。
迴圈計算結束，所得esi值若等於4，你將重新獲得30天試用期，等於5，你就是註冊使用者了
，等於其他數，程式就認為你輸入了無效的註冊碼。
為了便於理解，我將上面計算註冊碼的部分翻譯成BASIC語言（注：48,65代表"0","A"十進
制ASCII值）：

esi=0
for i=1 to 14
a=asc(reg(i))-65
if a<0 then
esi=esi+asc(reg(i))-48
else
esi=esi+asc(reg(i))-65
end if
if esi>9 then
esi=esi-9
end if
next i
if esi=5 then goto goodbay
else
if esi=4 then goto more30days
end if
end if
goto badboy

經過上面的講述你能獨立算出正確的註冊碼嗎？可以看出，有無數個14位字元組成的字串
符合上述條件。最簡單、直接的推算，可以寫出50000000000000,5jjjjjjjjjjjjj,11111111111111
.......你能類推嗎？

If you have any questions,please free drop me at dreamtheater@263.net

dREAMtHEATER

Tutor13 How to crack Drag And View v4.50

相關文章