An unfinished crack (SubmitWolf Enterprise V4.02 CN build: 003 Script: 1.000)
Published by 看雪 (Pediy) on 2015-11-15
Overview of the software:
~~~~~~~~~~~~~~
SubmitWolf is an automated submission wizard for promoting Internet sites; within a few minutes it can submit a URL to hundreds of search engines and link directories.

Protection method:
~~~~~~~~
A simple name/code scheme. In the unregistered version most sites are unavailable, and a URL can only be submitted to a handful of selected sites.

Cracking process:
~~~~~~~~
(First pass)
Start TRW2000 and click OK; TRW2000 is now hidden in the taskbar. Run SubmitWolf, click "Register" and fill in:
    Registration name: iloveeagle
    Serial number:     10101010
CTRL-N into TRW2000, set a breakpoint with bpx getdlgitemtexta, CTRL-N again and click "OK". The program breaks at:

* Reference To: USER32.GetDlgItemTextA, Ord:0104h
|
:00418588 8B355C514300   mov esi, dword ptr [0043515C]
:0041858E 8D44240C       lea eax, dword ptr [esp+0C]       <--- address of the registration code
:00418592 6A50           push 00000050
:00418594 50             push eax
:00418595 6814040000     push 00000414
:0041859A 53             push ebx
:0041859B FFD6           call esi                          <--- fetch the registration code

We break inside this CALL; press F12 to reach the RET, then F10 to return to the next instruction. Then clear all breakpoints (BC *) and F10 all the way down.

:0041859D 8D8C248C000000 lea ecx, dword ptr [esp+0000008C] ; address of name
:004185A4 6A50           push 00000050
:004185A6 51             push ecx
* Possible Reference to Dialog: DialogID_0098, CONTROL_ID:0405, ""
|
:004185A7 6805040000     push 00000405
:004185AC 53             push ebx
:004185AD FFD6           call esi                          <--- fetch the name
:004185AF 8D54240C       lea edx, dword ptr [esp+0C]
:004185B3 6A52           push 00000052
:004185B5 52             push edx
:004185B6 E8254F0100     call 0042D4E0                     <--- if the code contains the character "R", returns the
:004185BB 83C408         add esp, 00000008                      address of that "R"; otherwise returns 0. This is the
:004185BE 85C0           test eax, eax                          case of the second form of registration code.
:004185C0 7475           je 00418637
:004185C2 8D7C240C       lea edi, dword ptr [esp+0C]       ---| This block swaps name and code in memory.
:004185C6 83C9FF         or ecx, FFFFFFFF                     | It runs when the registration code is of
:004185C9 33C0           xor eax, eax                         | the second form. (***)
:004185CB 8D54240C       lea edx, dword ptr [esp+0C]         |
:004185CF F2             repnz                               |
:004185D0 AE             scasb                               |
:004185D1 F7D1           not ecx                             |
:004185D3 2BF9           sub edi, ecx                        |
:004185D5 8BC1           mov eax, ecx                        |
:004185D7 8BF7           mov esi, edi                        |
:004185D9 BF60E64300     mov edi, 0043E660                   |
:004185DE C1E902         shr ecx, 02                         |
:004185E1 F3             repz                                |
:004185E2 A5             movsd                               |
:004185E3 8BC8           mov ecx, eax                        |
:004185E5 33C0           xor eax, eax                        |
:004185E7 83E103         and ecx, 00000003                   |
:004185EA F3             repz                                |
:004185EB A4             movsb                               |
:004185EC 8DBC248C000000 lea edi, dword ptr [esp+0000008C]   |
:004185F3 83C9FF         or ecx, FFFFFFFF                    |
:004185F6 F2             repnz                               |
:004185F7 AE             scasb                               |
:004185F8 F7D1           not ecx                             |
:004185FA 2BF9           sub edi, ecx                        |
:004185FC 8BC1           mov eax, ecx                        |
:004185FE 8BF7           mov esi, edi                        |
:00418600 8BFA           mov edi, edx                        |
:00418602 8D94248C000000 lea edx, dword ptr [esp+0000008C]   |
:00418609 C1E902         shr ecx, 02                         |
:0041860C F3             repz                                |
:0041860D A5             movsd                               |
:0041860E 8BC8           mov ecx, eax                        |
:00418610 33C0           xor eax, eax                        |
:00418612 83E103         and ecx, 00000003                   |
:00418615 F3             repz                                |
:00418616 A4             movsb                               |
:00418617 BF60E64300     mov edi, 0043E660                   |
:0041861C 83C9FF         or ecx, FFFFFFFF                    |
:0041861F F2             repnz                               |
:00418620 AE             scasb                               |
:00418621 F7D1           not ecx                             |
:00418623 2BF9           sub edi, ecx                        |
:00418625 8BC1           mov eax, ecx                        |
:00418627 8BF7           mov esi, edi                        |
:00418629 8BFA           mov edi, edx                        |
:0041862B C1E902         shr ecx, 02                         |
:0041862E F3             repz                                |
:0041862F A5             movsd                               |
:00418630 8BC8           mov ecx, eax                        |
:00418632 83E103         and ecx, 00000003                   |
:00418635 F3             repz                                |
:00418636 A4             movsb                            ---|

At :004185C0, neither direction of the jump looks like it is about to show a dialog box, so we simply F10 along with it and see what happens. We arrive at :00418637.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004185C0(C)
|
:00418637 8D8C248C000000 lea ecx, dword ptr [esp+0000008C]
:0041863E 51             push ecx
:0041863F E83CDBFFFF     call 00416180                     <--- validity check on the first and last characters of name
:00418644 8D542410       lea edx, dword ptr [esp+10]
:00418648 52             push edx
:00418649 E832DBFFFF     call 00416180                     <--- validity check on the first and last characters of code
:0041864E 8D442414       lea eax, dword ptr [esp+14]
:00418652 8D8C2494000000 lea ecx, dword ptr [esp+00000094]
:00418659 50             push eax
:0041865A 51             push ecx
:0041865B E890090000     call 00418FF0                     <--- returns 0 when the code is wrong. Important: F8 into it.
* Reference To: USER32.LoadStringA, Ord:01ABh
|
:00418660 8B35A8514300   mov esi, dword ptr [004351A8]
:00418666 83C410         add esp, 00000010
:00418669 85C0           test eax, eax
:0041866B 0F85AE000000   jne 0041871F                      <--- this is the crux!

Arriving here, look at eax: its value is 0. The program will not take the jump, and the instructions that follow are about to display an error dialog. We immediately understand: for registration to succeed, eax must be non-zero. The focus is now entirely on the CALL at :0041865B.

:00418671 8B1550624400   mov edx, dword ptr [00446250]     ; below: the MessageBoxA
:00418677 68D00F0000     push 00000FD0
:0041867C 6860E64300     push 0043E660
* Possible Reference to String Resource ID=01459: " ??鬣H"
|
:00418681 68B3050000     push 000005B3
:00418686 52             push edx
:00418687 FFD6           call esi
:00418689 A150624400     mov eax, dword ptr [00446250]
:0041868E 68D00F0000     push 00000FD0
:00418693 6800D44300     push 0043D400
* Possible Reference to String Resource ID=01460: "H"
|
:00418698 68B4050000     push 000005B4
:0041869D 50             push eax
:0041869E FFD6           call esi
:004186A0 6A30           push 00000030
:004186A2 6800D44300     push 0043D400
:004186A7 6860E64300     push 0043E660
:004186AC 53             push ebx
* Reference To: USER32.MessageBoxA, Ord:01BEh

(Second pass)
CTRL-N back to the program and re-enter the registration information. This time I typed 191919 as the CODE (to make memory searches easier I type a different CODE every time; a small trick). CTRL-N into TRW2000, double-click on :0041859D to set a breakpoint. CTRL-N back to the program and click "OK". Clear all breakpoints (BC *), then F10 until
    :0041865B E890090000     call 00418FF0
and F8 into it. Then F10 all the way down.
Below is the content of call 00418FF0:

:00418FF0 83EC70         sub esp, 00000070
:00418FF3 53             push ebx
:00418FF4 8B5C2478       mov ebx, dword ptr [esp+78]       ; [ebx] -> code
:00418FF8 56             push esi
:00418FF9 57             push edi
:00418FFA 85DB           test ebx, ebx
:00418FFC 7436           je 00419034
:00418FFE 6A52           push 00000052                     <-- "R"                          ---| Executed when the
:00419000 53             push ebx                                                             | registration code is
:00419001 E8DA440100     call 0042D4E0                     <-- returns the address of "R" in code | of the second form.
:00419006 83C408         add esp, 00000008                                                    | (***)
:00419009 85C0           test eax, eax                                                        |
:0041900B 7427           je 00419034                                                          |
:0041900D 8BBC2484000000 mov edi, dword ptr [esp+00000084] ; [edi] -> name                    |
:00419014 85FF           test edi, edi                                                        |
:00419016 0F84ED010000   je 00419209                                                          |
:0041901C 6A40           push 00000040                                                        |
:0041901E 57             push edi                                                             |
:0041901F E8BC440100     call 0042D4E0                     <-- returns the address of "@" in name |
:00419024 83C408         add esp, 00000008                                                    |
:00419027 85C0           test eax, eax                                                        |
:00419029 7410           je 0041903B                                                          |
:0041902B 8BFB           mov edi, ebx                                                         |
* Possible StringData Ref from Data Obj ->"EPAK"                                              |
|                                                                                             |
:0041902D BB44824300     mov ebx, 00438244                                                    |
:00419032 EB07           jmp 0041903B                                                      ---|
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00418FFC(C), :0041900B(C)
|
:00419034 8BBC2484000000 mov edi, dword ptr [esp+00000084] ; [edi] -> code
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00419029(C), :00419032(U)
|
:0041903B 85FF           test edi, edi
:0041903D 0F84C6010000   je 00419209
:00419043 85DB           test ebx, ebx
:00419045 0F84BE010000   je 00419209
* Possible Ref to Menu: MenuID_0064, Item: ""
|
:0041904B 6A02           push 00000002
* Possible StringData Ref from Data Obj ->"PY"
|
:0041904D 685C824300     push 0043825C
:00419052 57             push edi
:00419053 E898450100     call 0042D5F0                     <--- compares whether the first two characters of code are "PY";
:00419058 83C40C         add esp, 0000000C                      returns 0 if equal, non-zero otherwise ............(1)
:0041905B 85C0           test eax, eax
:0041905D 7418           je 00419077
* Possible Ref to Menu: MenuID_0064, Item: ""
|
:0041905F 6A02           push 00000002
* Possible StringData Ref from Data Obj ->"EY"
|
:00419061 6858824300     push 00438258
:00419066 57             push edi
:00419067 E884450100     call 0042D5F0                     <--- compares whether the first two characters of code are "EY";
:0041906C 83C40C         add esp, 0000000C                      returns 0 if equal, non-zero otherwise ............(2)
:0041906F 85C0           test eax, eax
:00419071 0F8592010000   jne 00419209
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041905D(C)
|
* Possible Ref to Menu: MenuID_0064, Item: ""
|
:00419077 6A02           push 00000002
* Possible StringData Ref from Data Obj ->"EY"
|
:00419079 6858824300     push 00438258
:0041907E 57             push edi
:0041907F E86C450100     call 0042D5F0                     <--- same as above ................................(3)
:00419084 F7D8           neg eax
:00419086 1BC0           sbb eax, eax
:00419088 6A2D           push 0000002D
:0041908A 40             inc eax
:0041908B 57             push edi
:0041908C A304BC4300     mov dword ptr [0043BC04], eax
:00419091 E81A470100     call 0042D7B0                     <--- returns the position of "-" in code ............(4)
:00419096 83C414         add esp, 00000014
:00419099 85C0           test eax, eax
:0041909B 0F8468010000   je 00419209                       <--- no "-": dead
:004190A1 83C9FF         or ecx, FFFFFFFF
:004190A4 33C0           xor eax, eax
:004190A6 F2             repnz
:004190A7 AE             scasb
:004190A8 F7D1           not ecx
:004190AA 2BF9           sub edi, ecx
:004190AC 8D542414       lea edx, dword ptr [esp+14]
:004190B0 8BC1           mov eax, ecx
:004190B2 8BF7           mov esi, edi
:004190B4 8BFA           mov edi, edx
:004190B6 6A2D           push 0000002D
:004190B8 C1E902         shr ecx, 02
:004190BB F3             repz
:004190BC A5             movsd
:004190BD 8BC8           mov ecx, eax
:004190BF 83E103         and ecx, 00000003
:004190C2 F3             repz
:004190C3 A4             movsb
:004190C4 8D4C2418       lea ecx, dword ptr [esp+18]
:004190C8 51             push ecx
:004190C9 E8E2460100     call 0042D7B0                     <--- same as above ................................(5)
:004190CE 8BF8           mov edi, eax
:004190D0 83C408         add esp, 00000008
:004190D3 85FF           test edi, edi
:004190D5 0F842E010000   je 00419209
:004190DB C60700         mov byte ptr [edi], 00

(Third pass)
Here I have skipped a long computation. In fact, on the second pass we never get this far; instead we quickly jump to :00419209, return eax=0, and land on failure. From the second pass we saw that the first two characters of the code must be "PY" or "EY" and that one character must be "-". Start over once more, this time entering name: QQQ / code: EY2000-121212. After entering
    :0041865B E890090000     call 00418FF0
just keep pressing F10. Suddenly, look below: a familiar figure comes into view. That gives you one correct registration combination. If you want to write a keygen, study the omitted part carefully.

:004191BA 8D442448       lea eax, dword ptr [esp+48]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004191E0(C)
|
:004191BE 8A10           mov dl, byte ptr [eax]            <--- comparison of the real code against the typed one!!! ..(6)
:004191C0 8A1E           mov bl, byte ptr [esi]
:004191C2 8ACA           mov cl, dl
:004191C4 3AD3           cmp dl, bl
:004191C6 752C           jne 004191F4
:004191C8 84C9           test cl, cl
:004191CA 7416           je 004191E2
:004191CC 8A5001         mov dl, byte ptr [eax+01]
:004191CF 8A5E01         mov bl, byte ptr [esi+01]
:004191D2 8ACA           mov cl, dl
:004191D4 3AD3           cmp dl, bl
:004191D6 751C           jne 004191F4
:004191D8 83C002         add eax, 00000002
:004191DB 83C602         add esi, 00000002
:004191DE 84C9           test cl, cl
:004191E0 75DC           jne 004191BE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:   <--- jumping here means success
|:004191CA(C)
|
:004191E2 33C0           xor eax, eax
:004191E4 33C9           xor ecx, ecx
:004191E6 85C0           test eax, eax
:004191E8 0F94C1         sete cl
:004191EB 5F             pop edi
:004191EC 5E             pop esi
:004191ED 8BC1           mov eax, ecx
:004191EF 5B             pop ebx
:004191F0 83C470         add esp, 00000070
:004191F3 C3             ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: <--- jumping here could in principle succeed,
|:004191C6(C), :004191D6(C)                                                but both of those jumps are jnz, so
|                                                                          landing here is dead as well!
:004191F4 1BC0           sbb eax, eax
:004191F6 5F             pop edi
:004191F7 83D8FF         sbb eax, FFFFFFFF
:004191FA 33C9           xor ecx, ecx
:004191FC 85C0           test eax, eax
:004191FE 0F94C1         sete cl
:00419201 5E             pop esi
:00419202 8BC1           mov eax, ecx
:00419204 5B             pop ebx
:00419205 83C470         add esp, 00000070
:00419208 C3             ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: <--- jumping here means failure.
|:00419016(C), :0041903D(C), :00419045(C), :00419071(C), :0041909B(C)
|:004190D5(C)
|
:00419209 5F             pop edi
:0041920A 5E             pop esi
:0041920B 33C0           xor eax, eax
:0041920D 5B             pop ebx
:0041920E 83C470         add esp, 00000070
:00419211 C3             ret

Is that the end of it? No. We should study the two code segments marked (***). The first, after finding that the CODE contains "R", swaps the memory addresses of NAME and CODE; the second checks whether NAME contains the character "@". See the summary below:

Summary:
This program has two types of registration code:
1. One form looks like: Name: QQQ / code: EY2000-121212
   Here the digits between "EY" and "-" are arbitrary. The digits after "-" are computed from Name and the characters before "-" (including EY). "EY" may also be "PY". Of course there may be nothing at all between "EY" and "-"; registering that way still shows the success screen. But when updating over the network an error occurs, and the list for choosing update components does not even appear. When I registered with the code above, the component list did appear, and after I picked components it asked me for an email address. That is where I got stuck: how would I know which email addresses are registered on its server? I am not a hacker.
2. The other form looks like: Name: anything@anything / code: EYR2002-121212
   This form of registration code is independent of NAME. The code must contain "R", and its first two characters must be "EY" or "PY". The digits after "-" are computed from the string "EPAK" and the characters before "-" (including "EY" or "PY"). The "@" in NAME is mandatory; the author very likely wants you to enter an email address. This type of code is probably related to the Engine Pack update.
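The following is an added example, written by the editor and not part of the original post or of SubmitWolf, that renders the listing above into C so the control flow is easier to follow: the (***) swap block at :004185C2, the prologue of the routine at :00418FF0 up to the point where the author's omitted computation begins (:004190DB), and the final byte-compare loop at :004191BE. It assumes that 0042D4E0 and 0042D7B0 behave like strchr, that 0042D5F0 behaves like strncmp (the page only states that it returns 0 on equality), and it models the static scratch buffer at 0043E660 as a local array. The omitted derivation of the digits after "-" is not on the page and is not modelled; prepare_inputs stops exactly where the listing stops.

```c
#include <stddef.h>
#include <string.h>

#define BUF 0x52   /* GetDlgItemTextA is called with cbMax 0x50 / 0x52 in the listing */

/* idiom: or ecx,-1 ; xor eax,eax ; repnz scasb ; not ecx  ->  strlen(s)+1 (NUL included) */
static size_t scasb_len(const char *s) { return strlen(s) + 1; }

/* idiom: shr ecx,2 ; rep movsd ; and ecx,3 ; rep movsb  ->  memcpy in dwords, then bytes */
static void movs_copy(char *dst, const char *src, size_t n)
{
    size_t dwords = n >> 2;
    memcpy(dst, src, dwords * 4);
    memcpy(dst + dwords * 4, src + dwords * 4, n & 3);
}

/* (***) block at :004185C2..:00418636: exchange the two dialog buffers through
   the scratch buffer at 0043E660 (modelled here as a local array). */
void swap_name_code(char *name, char *code)
{
    char scratch[BUF];
    movs_copy(scratch, code, scasb_len(code));    /* :004185C2..:004185EB */
    movs_copy(code, name, scasb_len(name));       /* :004185EC..:00418616 */
    movs_copy(name, scratch, scasb_len(scratch)); /* :00418617..:00418636 */
}

/* What :00418FF0 has established by the time it reaches the omitted computation. */
struct key_inputs {
    const char *name;     /* the real name, or "EPAK" for the second code form */
    char prefix[BUF];     /* the code up to (not including) its '-'            */
    const char *suffix;   /* the characters after '-' that must match the derivation */
    int ey_flag;          /* [0043BC04]: 1 when the prefix starts with "EY"     */
};

/* Assumption: the caller has already swapped the buffers when code contains 'R',
   so name/code are passed here as the user typed them. Returns 0 where control
   would reach :00419209 (failure), 1 otherwise. */
int prepare_inputs(const char *name, const char *code, struct key_inputs *out)
{
    const char *key_name = name, *key_code = code;
    if (code && strchr(code, 'R')) {                 /* :00418FFE..:0041900B  */
        if (!name) return 0;                         /* :00419016             */
        if (strchr(name, '@')) {                     /* :0041901F..:00419029  */
            key_code = code; key_name = "EPAK";      /* :0041902B..:0041902D  */
        } else {
            key_code = name; key_name = code;        /* roles stay swapped at :0041903B */
        }
    }
    if (!key_code || !key_name) return 0;            /* :0041903D, :00419045  */
    if (strncmp(key_code, "PY", 2) != 0 &&
        strncmp(key_code, "EY", 2) != 0) return 0;   /* (1), (2)              */
    out->ey_flag = strncmp(key_code, "EY", 2) == 0;  /* (3): neg/sbb/inc      */
    const char *dash = strchr(key_code, '-');        /* (4)                   */
    if (!dash) return 0;                             /* :0041909B             */
    movs_copy(out->prefix, key_code, scasb_len(key_code)); /* copy to [esp+14] */
    out->prefix[dash - key_code] = '\0';             /* (5) then :004190DB    */
    out->suffix = dash + 1;
    out->name = key_name;
    return 1;
}

/* Loop at :004191BE..:004191E0: two bytes per iteration; reaching :004191E2
   yields 1 (registered), :004191F4 yields 0. */
int codes_match(const char *expected, const char *typed)
{
    for (;;) {
        if (expected[0] != typed[0]) return 0;
        if (expected[0] == '\0') return 1;
        if (expected[1] != typed[1]) return 0;
        if (expected[1] == '\0') return 1;
        expected += 2; typed += 2;
    }
}
```

Reading it this way makes the structural weakness the author exploited obvious: the program derives the expected suffix into a stack buffer and then compares it byte for byte against the user's input, so the correct value is sitting in memory next to the wrong one at the moment of the compare. A check that compared a hash of the typed suffix against a stored hash would never materialise the valid code in memory; that is the mitigation a defender would take from this listing.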