==================================================================================
【Author】深海游侠【CZG】【OCN】
【Author e-mail】shenhaiyouxia@163.com
==================================================================================
【Software】ACCESS密码查看器 3.0 (Access Password Viewer 3.0)
【Download】http://sccnc.onlinedown.net/soft/28800.htm
【Restriction】Feature-limited until registered
【Purpose】Pure interest. If I have slipped up anywhere, please point it out! :)
【Description】
A tool for recovering a forgotten Access database password. It supports Access 97/2000/XP, shows Access 2000 passwords of up to 20 characters, and handles Chinese passwords.
==================================================================================
【Platform】Win 9X
【Tools】OllyDbg, PEiD, W32DASM, an ASCII lookup table
【Unpacking】None needed (no packer)
==================================================================================
【Cracking process】
First check for a packer: PEiD reports Borland Delphi 6.0 - 7.0, no packer. Next load the program in W32DASM, locate the string "注册码错误" (wrong registration code), trace back to the last conditional jump that leads to it and set a breakpoint a little above it. The program breaks as expected:
016F:004BDA54 8B8300030000 MOV EAX,[EBX+0300]
016F:004BDA5A E8B13DF8FF CALL 00441810
016F:004BDA5F 837DFC00 CMP DWORD [EBP-04],BYTE +00 //was a registration code entered at all? (an empty Delphi string is a nil pointer)
016F:004BDA63 751E JNZ 004BDA83
016F:004BDA65 6A30 PUSH BYTE +30
016F:004BDA67 68DCDB4B00 PUSH DWORD 004BDBDC
016F:004BDA6C 68E4DB4B00 PUSH DWORD 004BDBE4
016F:004BDA71 8BC3 MOV EAX,EBX
016F:004BDA73 E878A5F8FF CALL 00447FF0
016F:004BDA78 50 PUSH EAX
016F:004BDA79 E8969BF4FF CALL `USER32!MessageBoxA` //"You did not enter a registration code!"
016F:004BDA7E E919010000 JMP 004BDB9C
016F:004BDA83 8D55F8 LEA EDX,[EBP-08]
016F:004BDA86 8B8300030000 MOV EAX,[EBX+0300]
016F:004BDA8C E87F3DF8FF CALL 00441810
016F:004BDA91 8B45F8 MOV EAX,[EBP-08] //EAX = the code we typed (the fake code)
016F:004BDA94 50 PUSH EAX //saved on the stack; it will be needed for the comparison later
016F:004BDA95 8D55F0 LEA EDX,[EBP-10]
016F:004BDA98 8B83F8020000 MOV EAX,[EBX+02F8]
016F:004BDA9E E86D3DF8FF CALL 00441810
016F:004BDAA3 8B55F0 MOV EDX,[EBP-10] //EDX = machine code, so the computation is about to start
016F:004BDAA6 8D4DF4 LEA ECX,[EBP-0C]
016F:004BDAA9 8BC3 MOV EAX,EBX
016F:004BDAAB E8C4010000 CALL 004BDC74 //no doubt about it, the key CALL: step into it!
016F:004BDAB0 8B55F4 MOV EDX,[EBP-0C] //EDX = the real code
016F:004BDAB3 58 POP EAX //EAX = the fake code, popped back off the stack
016F:004BDAB4 E8D76EF4FF CALL 00404990 //string compare of fake code and real code
016F:004BDAB9 0F85C4000000 JNZ NEAR 004BDB83 //the key comparison: not equal -> error message
016F:004BDABF B201 MOV DL,01
016F:004BDAC1 A1B4314900 MOV EAX,[004931B4]
016F:004BDAC6 E8E957FDFF CALL 004932B4
016F:004BDACB 8BF0 MOV ESI,EAX
016F:004BDACD BA02000080 MOV EDX,80000002 //80000002h = HKEY_LOCAL_MACHINE; the block below saves the registration data listed in section 4
016F:004BDAD2 8BC6 MOV EAX,ESI
016F:004BDAD4 E87B58FDFF CALL 00493354
016F:004BDAD9 B101 MOV CL,01
016F:004BDADB BA08DC4B00 MOV EDX,004BDC08
016F:004BDAE0 8BC6 MOV EAX,ESI
016F:004BDAE2 E8AD59FDFF CALL 00493494
016F:004BDAE7 B901000000 MOV ECX,01
016F:004BDAEC BA28DC4B00 MOV EDX,004BDC28
016F:004BDAF1 8BC6 MOV EAX,ESI
016F:004BDAF3 E83C5BFDFF CALL 00493634 //writes the integer 1 (cf. apreg in section 4)
016F:004BDAF8 8D55EC LEA EDX,[EBP-14]
016F:004BDAFB 8B8300030000 MOV EAX,[EBX+0300]
016F:004BDB01 E80A3DF8FF CALL 00441810
016F:004BDB06 8B4DEC MOV ECX,[EBP-14]
016F:004BDB09 BA38DC4B00 MOV EDX,004BDC38
016F:004BDB0E 8BC6 MOV EAX,ESI
016F:004BDB10 E8F35AFDFF CALL 00493608 //writes the code we entered (cf. sn in section 4)
016F:004BDB15 8D55E8 LEA EDX,[EBP-18]
016F:004BDB18 8B83F8020000 MOV EAX,[EBX+02F8]
016F:004BDB1E E8ED3CF8FF CALL 00441810
016F:004BDB23 8B4DE8 MOV ECX,[EBP-18]
016F:004BDB26 BA44DC4B00 MOV EDX,004BDC44
016F:004BDB2B 8BC6 MOV EAX,ESI
016F:004BDB2D E8D65AFDFF CALL 00493608 //writes the machine code (cf. cpuid in section 4)
016F:004BDB32 8BC6 MOV EAX,ESI
016F:004BDB34 E8EB57FDFF CALL 00493324
016F:004BDB39 8BC6 MOV EAX,ESI
016F:004BDB3B E8F85BF4FF CALL 00403738
016F:004BDB40 6A00 PUSH BYTE +00
016F:004BDB42 B94CDC4B00 MOV ECX,004BDC4C
016F:004BDB47 BA54DC4B00 MOV EDX,004BDC54
016F:004BDB4C A1B81A4C00 MOV EAX,[004C1AB8]
016F:004BDB51 8B00 MOV EAX,[EAX]
016F:004BDB53 E8A04AFAFF CALL 004625F8
016F:004BDB58 A1201C4C00 MOV EAX,[004C1C20]
016F:004BDB5D 8B00 MOV EAX,[EAX]
016F:004BDB5F 8B8030030000 MOV EAX,[EAX+0330]
016F:004BDB65 33D2 XOR EDX,EDX
016F:004BDB67 E8F058F9FF CALL 0045345C
016F:004BDB6C A1201C4C00 MOV EAX,[004C1C20]
016F:004BDB71 8B00 MOV EAX,[EAX]
016F:004BDB73 C6806C03000001 MOV BYTE [EAX+036C],01
016F:004BDB7A 8BC3 MOV EAX,EBX
016F:004BDB7C E8CB12FAFF CALL 0045EE4C //registration-success CALL
016F:004BDB81 EB19 JMP SHORT 004BDB9C
016F:004BDB83 6A30 PUSH BYTE +30
016F:004BDB85 68DCDB4B00 PUSH DWORD 004BDBDC
016F:004BDB8A 6868DC4B00 PUSH DWORD 004BDC68
016F:004BDB8F 8BC3 MOV EAX,EBX
016F:004BDB91 E85AA4F8FF CALL 00447FF0
016F:004BDB96 50 PUSH EAX
016F:004BDB97 E8789AF4FF CALL `USER32!MessageBoxA` //shows the error message box
016F:004BDB9C 33C0 XOR EAX,EAX
016F:004BDB9E 5A POP EDX
016F:004BDB9F 59 POP ECX
016F:004BDBA0 59 POP ECX
016F:004BDBA1 648910 MOV [FS:EAX],EDX
016F:004BDBA4 68D3DB4B00 PUSH DWORD 004BDBD3
016F:004BDBA9 8D45E8 LEA EAX,[EBP-18]
016F:004BDBAC BA03000000 MOV EDX,03
016F:004BDBB1 E8F269F4FF CALL 004045A8
016F:004BDBB6 8D45F4 LEA EAX,[EBP-0C]
016F:004BDBB9 E8C669F4FF CALL 00404584
016F:004BDBBE 8D45F8 LEA EAX,[EBP-08]
016F:004BDBC1 BA02000000 MOV EDX,02
016F:004BDBC6 E8DD69F4FF CALL 004045A8
016F:004BDBCB C3 RET
Stepping into the key CALL (OllyDbg listing of the routine at 004BDC74):
004BDAAB E8C4010000 CALL 004BDC74
|
004BDC74 /$ 55 PUSH EBP
004BDC75 |. 8BEC MOV EBP,ESP
004BDC77 |. 51 PUSH ECX
004BDC78 |. B9 06000000 MOV ECX,6
004BDC7D |> 6A 00 /PUSH 0
004BDC7F |. 6A 00 |PUSH 0
004BDC81 |. 49 |DEC ECX
004BDC82 |.^ 75 F9 \JNZ SHORT ACCESSPA.004BDC7D
004BDC84 |. 51 PUSH ECX
004BDC85 |. 874D FC XCHG DWORD PTR SS:[EBP-4],ECX
004BDC88 |. 53 PUSH EBX
004BDC89 |. 56 PUSH ESI
004BDC8A |. 57 PUSH EDI
004BDC8B |. 8BF9 MOV EDI,ECX
004BDC8D |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004BDC90 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //EAX = machine code
004BDC93 |. E8 9C6DF4FF CALL ACCESSPA.00404A34
004BDC98 |. 33C0 XOR EAX,EAX
004BDC9A |. 55 PUSH EBP
004BDC9B |. 68 3FDE4B00 PUSH ACCESSPA.004BDE3F
004BDCA0 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004BDCA3 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004BDCA6 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004BDCA9 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004BDCAC |. E8 6B69F4FF CALL ACCESSPA.0040461C
004BDCB1 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004BDCB4 |. E8 CB68F4FF CALL ACCESSPA.00404584
004BDCB9 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] //EAX = machine code; everything above is setup before the computation, skipped for lack of time
004BDCBC |. E8 8B6BF4FF CALL ACCESSPA.0040484C //string length
004BDCC1 |. 8BF0 MOV ESI,EAX //ESI = length of the machine code = number of loop passes
004BDCC3 |. 85F6 TEST ESI,ESI
004BDCC5 |. 0F8E 4F010000 JLE ACCESSPA.004BDE1A //empty machine code: skip the loop entirely
004BDCCB |. BB 01000000 MOV EBX,1 //EBX = 1, the (1-based) character index
004BDCD0 |> 8D45 EC /LEA EAX,DWORD PTR SS:[EBP-14]
004BDCD3 |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8] //EDX = machine code (not the fake code: [EBP-8] is a copy of the EDX argument made above)
004BDCD6 |. 8A541A FF |MOV DL,BYTE PTR DS:[EDX+EBX-1] //take one character of the machine code; the n-th pass takes the n-th character
004BDCDA |. E8 856AF4FF |CALL ACCESSPA.00404764
004BDCDF |. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
004BDCE2 |. 8D55 F0 |LEA EDX,DWORD PTR SS:[EBP-10]
004BDCE5 |. E8 2AADF4FF |CALL ACCESSPA.00408A14
004BDCEA |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10] //EAX = that character's ASCII code, as a string
004BDCED |. BA 58DE4B00 |MOV EDX,ACCESSPA.004BDE58 //is it 32h, i.e. the character '2'?
004BDCF2 |. E8 996CF4FF |CALL ACCESSPA.00404990
004BDCF7 |. 75 12 |JNZ SHORT ACCESSPA.004BDD0B
004BDCF9 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
004BDCFC |. BA 64DE4B00 |MOV EDX,ACCESSPA.004BDE64 //if so, append the constant at 004BDE64 to the result: ASCII 4Ch, ★ the character 'L'
004BDD01 |. E8 4E6BF4FF |CALL ACCESSPA.00404854
004BDD06 |. E9 07010000 |JMP ACCESSPA.004BDE12
004BDD0B |> 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] //not '2': come here
004BDD0E |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
004BDD11 |. 8A541A FF |MOV DL,BYTE PTR DS:[EDX+EBX-1] //take the same character again
004BDD15 |. E8 4A6AF4FF |CALL ACCESSPA.00404764
004BDD1A |. 8B45 E4 |MOV EAX,DWORD PTR SS:[EBP-1C]
004BDD1D |. 8D55 E8 |LEA EDX,DWORD PTR SS:[EBP-18]
004BDD20 |. E8 EFACF4FF |CALL ACCESSPA.00408A14
004BDD25 |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
004BDD28 |. BA 70DE4B00 |MOV EDX,ACCESSPA.004BDE70 //is it 34h, i.e. the character '4'?
004BDD2D |. E8 5E6CF4FF |CALL ACCESSPA.00404990
004BDD32 |. 75 12 |JNZ SHORT ACCESSPA.004BDD46
004BDD34 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
004BDD37 |. BA 7CDE4B00 |MOV EDX,ACCESSPA.004BDE7C
004BDD3C |. E8 136BF4FF |CALL ACCESSPA.00404854 //if so, append ASCII 4Fh, ★ the character 'O'
004BDD41 |. E9 CC000000 |JMP ACCESSPA.004BDE12
004BDD46 |> 8D45 DC |LEA EAX,DWORD PTR SS:[EBP-24] //not '4': come here
004BDD49 |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
004BDD4C |. 8A541A FF |MOV DL,BYTE PTR DS:[EDX+EBX-1] //take it again
004BDD50 |. E8 0F6AF4FF |CALL ACCESSPA.00404764
004BDD55 |. 8B45 DC |MOV EAX,DWORD PTR SS:[EBP-24]
004BDD58 |. 8D55 E0 |LEA EDX,DWORD PTR SS:[EBP-20]
004BDD5B |. E8 B4ACF4FF |CALL ACCESSPA.00408A14
004BDD60 |. 8B45 E0 |MOV EAX,DWORD PTR SS:[EBP-20]
004BDD63 |. BA 88DE4B00 |MOV EDX,ACCESSPA.004BDE88 //is it 36h, i.e. the character '6'?
004BDD68 |. E8 236CF4FF |CALL ACCESSPA.00404990
004BDD6D |. 75 12 |JNZ SHORT ACCESSPA.004BDD81
004BDD6F |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
004BDD72 |. BA 94DE4B00 |MOV EDX,ACCESSPA.004BDE94 //if so, append ASCII 56h, ★ the character 'V'
004BDD77 |. E8 D86AF4FF |CALL ACCESSPA.00404854
004BDD7C |. E9 91000000 |JMP ACCESSPA.004BDE12
004BDD81 |> 8D45 D4 |LEA EAX,DWORD PTR SS:[EBP-2C] //not '6': come here
004BDD84 |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
004BDD87 |. 8A541A FF |MOV DL,BYTE PTR DS:[EDX+EBX-1] //take it again
004BDD8B |. E8 D469F4FF |CALL ACCESSPA.00404764
004BDD90 |. 8B45 D4 |MOV EAX,DWORD PTR SS:[EBP-2C]
004BDD93 |. 8D55 D8 |LEA EDX,DWORD PTR SS:[EBP-28]
004BDD96 |. E8 79ACF4FF |CALL ACCESSPA.00408A14
004BDD9B |. 8B45 D8 |MOV EAX,DWORD PTR SS:[EBP-28]
004BDD9E |. BA A0DE4B00 |MOV EDX,ACCESSPA.004BDEA0 //is it 38h, i.e. the character '8'?
004BDDA3 |. E8 E86BF4FF |CALL ACCESSPA.00404990
004BDDA8 |. 75 0F |JNZ SHORT ACCESSPA.004BDDB9
004BDDAA |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
004BDDAD |. BA ACDE4B00 |MOV EDX,ACCESSPA.004BDEAC //if so, append ASCII 45h, ★ the character 'E'
004BDDB2 |. E8 9D6AF4FF |CALL ACCESSPA.00404854
004BDDB7 |. EB 59 |JMP SHORT ACCESSPA.004BDE12
004BDDB9 |> 8D45 CC |LEA EAX,DWORD PTR SS:[EBP-34] //not '8': come here
004BDDBC |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
004BDDBF |. 8A541A FF |MOV DL,BYTE PTR DS:[EDX+EBX-1] //take it again
004BDDC3 |. E8 9C69F4FF |CALL ACCESSPA.00404764
004BDDC8 |. 8B45 CC |MOV EAX,DWORD PTR SS:[EBP-34]
004BDDCB |. 8D55 D0 |LEA EDX,DWORD PTR SS:[EBP-30]
004BDDCE |. E8 41ACF4FF |CALL ACCESSPA.00408A14
004BDDD3 |. 8B45 D0 |MOV EAX,DWORD PTR SS:[EBP-30]
004BDDD6 |. BA B8DE4B00 |MOV EDX,ACCESSPA.004BDEB8 //is it 30h, i.e. the character '0'?
004BDDDB |. E8 B06BF4FF |CALL ACCESSPA.00404990
004BDDE0 |. 75 0F |JNZ SHORT ACCESSPA.004BDDF1
004BDDE2 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
004BDDE5 |. BA C4DE4B00 |MOV EDX,ACCESSPA.004BDEC4 //if so, append ASCII 55h, ★ the character 'U'
004BDDEA |. E8 656AF4FF |CALL ACCESSPA.00404854
004BDDEF |. EB 21 |JMP SHORT ACCESSPA.004BDE12
004BDDF1 |> 8D45 C8 |LEA EAX,DWORD PTR SS:[EBP-38] //none of the above: come here
004BDDF4 |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8] //so the character was none of the five table entries
004BDDF7 |. 0FB6541A FF |MOVZX EDX,BYTE PTR DS:[EDX+EBX-1] //take the byte again, zero-extended
004BDDFC |. 83C2 21 |ADD EDX,21 //EDX = EDX + 21h
004BDDFF |. 83E2 7F |AND EDX,7F //EDX = EDX and 7Fh (keep the low 7 bits)
004BDE02 |. E8 5D69F4FF |CALL ACCESSPA.00404764 //turn the resulting byte into a one-character string
004BDE07 |. 8B55 C8 |MOV EDX,DWORD PTR SS:[EBP-38]
004BDE0A |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
004BDE0D |. E8 426AF4FF |CALL ACCESSPA.00404854 //append that character to the result
004BDE12 |> 43 |INC EBX //index + 1
004BDE13 |. 4E |DEC ESI //one character fewer to go
004BDE14 |.^ 0F85 B6FEFFFF \JNZ ACCESSPA.004BDCD0 //loop until every character has been processed
004BDE1A |> 8BC7 MOV EAX,EDI //EDI = the output string passed in ECX
004BDE1C |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] //EDX = the result of the computation above, i.e. the real code; a memory keygen can pick it up here as well
004BDE1F |. E8 B467F4FF CALL ACCESSPA.004045D8
004BDE24 |. 33C0 XOR EAX,EAX
004BDE26 |. 5A POP EDX
004BDE27 |. 59 POP ECX
004BDE28 |. 59 POP ECX
004BDE29 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004BDE2C |. 68 46DE4B00 PUSH ACCESSPA.004BDE46
004BDE31 |> 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
004BDE34 |. BA 0E000000 MOV EDX,0E
004BDE39 |. E8 6A67F4FF CALL ACCESSPA.004045A8
004BDE3E \. C3 RETN
004BDE3F .^ E9 8860F4FF JMP ACCESSPA.00403ECC
004BDE44 .^ EB EB JMP SHORT ACCESSPA.004BDE31
004BDE46 . 5F POP EDI
004BDE47 . 5E POP ESI
004BDE48 . 5B POP EBX
004BDE49 . 8BE5 MOV ESP,EBP
004BDE4B . 5D POP EBP
004BDE4C . C3 RETN
2. Summary
1> The registration code has the same number of characters as the machine code.
2> Each character of the registration code is derived from the machine-code character in the same position.
3> The fixed substitutions are:
machine code  0 2 4 6 8
reg. code     U L O V E
Any other machine-code character M is transformed on its ASCII value (hex):
SN = (M + 21h) and 7Fh
and the result is taken as an ASCII character.
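The transform recovered above, re-implemented in Python as an added example (editor's code, not the author's and not the program's) to check the analysis against the machine-code/registration-code pair recorded in section 4 (58981375 -> VEZERTXV). It folds the five compare-and-append branches into one lookup table and keeps the fallback formula. One caveat the listing does not spell out: for the all-digit machine codes this program issues, the fallback always lands in the letters 'Q'..'Z', but for any input byte of 5Fh or above the AND 7Fh mask wraps the result into a control character.

```python
# Added example: re-implementation of the registration transform recovered
# from the routine at 004BDC74. Not the program's own code; the expected pair
# (machine code 58981375 -> registration code VEZERTXV) is taken from the
# registry dump in section 4 of the write-up.

# Fixed substitutions performed by the five compare-and-append branches
# (004BDCED .. 004BDDE5): '2'->L, '4'->O, '6'->V, '8'->E, '0'->U.
TABLE = {"2": "L", "4": "O", "6": "V", "8": "E", "0": "U"}


def transform_char(c: str) -> str:
    """One pass of the loop 004BDCD0..004BDE12 for a single machine-code byte."""
    if c in TABLE:
        return TABLE[c]
    # Fallback branch at 004BDDF1: MOVZX the byte, ADD 21h, AND 7Fh, then turn
    # the byte back into a one-character string and append it. The mask keeps
    # only 7 bits, so input bytes >= 0x5F wrap into control characters; the
    # digit-only machine codes seen here always map into 'Q'..'Z'.
    return chr((ord(c) + 0x21) & 0x7F)


def registration_code(machine_code: str) -> str:
    """CALL 004BDC74: build the real code character by character.

    The loop runs once per byte (ESI = length, EBX = 1-based index), so the
    output is exactly as long as the input. An empty machine code takes the
    JLE 004BDE1A exit and yields an empty string.
    """
    return "".join(transform_char(c) for c in machine_code)


def check_registration(machine_code: str, entered: str) -> bool:
    """Mirrors the caller at 004BDA5F..004BDAB9: an empty entry is rejected
    first (CMP [EBP-4],0), otherwise the real code is computed from the
    machine code and compared with the typed code (string compare at
    00404990). The compare is exact, so case matters."""
    if not entered:
        return False
    return registration_code(machine_code) == entered


if __name__ == "__main__":
    # Values from the registry dump in section 4.
    machine = "58981375"
    print(registration_code(machine))               # VEZERTXV
    print(check_registration(machine, "VEZERTXV"))  # True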
3. Memory keygen (the POP EAX right after the key CALL; EDX holds the real code there)
Break address: 4BDAB3
Break count: 1
First byte: 58
Byte length: 1
Register: EDX (memory mode)
4. Where the registration data is saved:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ap\apreg: 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ap\sn: "VEZERTXV"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ap\cpuid: "58981375"
Machine code: 58981375
Registration code: VEZERTXV
5. Remarks:
The registration scheme of this program is very simple, but for a beginner learning to analyse algorithms it is a good exercise. After all, only hands-on practice makes you improve quickly!
If you have learned something from this article, then my goal has been reached.
I will not write a keygen: we only learn cracking for the sake of the technique, and I hope everyone respects the author's work.
==================================================================================
【Statement】This write-up is for internal study only! If you repost it, please keep it complete!
==================================================================================