Software: 半仙算命 V2006 build 12.10
Tools: OllyDbg (OD), PEiD
Download: http://u.163.com/SNQf1
Extraction code: dicw1ac5
A very newbie-level crack; experienced crackers, please skip this.
First check the packer: it is ASPack 2.12. Unpack it (the unpacking tool is available on the forum).
After unpacking, open the program in OD and press F9 to run it. Right-click and choose "Ultra String Reference" from the popup menu to search for ASCII strings with the plugin.
In the window that pops up, find "本软件已注册" (this software is registered). Double-click it to land at 00555393 and set a breakpoint at 00555380 (I wanted to look at the CALL above it, so I set mine at 0055536F). Switch to the program's window, click Register, and enter a confirmation code and a registration code; I entered 111111111 as the confirmation code and aaaaaaaaa as the registration code. Click Register and OD breaks.
005552DB |. 8B95 6CFFFFFF mov edx, dword ptr [ebp-94]
005552E1 |. 8BC7 mov eax, edi
005552E3 |. E8 282CEFFF call 00447F10
005552E8 |. 8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
005552EE |. 8B83 04030000 mov eax, dword ptr [ebx+304]
005552F4 |. E8 E72BEFFF call 00447EE0
005552F9 |. 83BD 64FFFFFF>cmp dword ptr [ebp-9C], 0
00555300 74 1A je short 0055531C
00555302 |. 8D95 60FFFFFF lea edx, dword ptr [ebp-A0]
00555308 |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0055530E |. E8 CD2BEFFF call 00447EE0
00555313 |. 83BD 60FFFFFF>cmp dword ptr [ebp-A0], 0
0055531A |. 75 0F jnz short 0055532B
0055531C |> B8 40555500 mov eax, 00555540 ; registration information not completely filled in
00555321 |. E8 46B9EEFF call 00440C6C
00555326 |. E9 54010000 jmp 0055547F
0055532B |> 8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
00555331 |. 8B83 04030000 mov eax, dword ptr [ebx+304]
00555337 |. E8 A42BEFFF call 00447EE0
0055533C |. 8B85 5CFFFFFF mov eax, dword ptr [ebp-A4]
00555342 |. 50 push eax ------------- the fake registration code aaaaaaaa shows up here
00555343 |. 8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
00555349 |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0055534F |. E8 8C2BEFFF call 00447EE0
00555354 |. 8B85 54FFFFFF mov eax, dword ptr [ebp-AC]
0055535A |. E8 2143EBFF call 00409680 --------------------- 11111111 shows up here
0055535F |. B9 84100000 mov ecx, 1084
00555364 |. 99 cdq
00555365 |. F7F9 idiv ecx
00555367 |. 8BC2 mov eax, edx
00555369 |. 8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
0055536F |. E8 B0FDFFFF call 00555124 --------------------- this CALL should be the registration-code algorithm; I set my breakpoint here
00555374 |. 8B95 58FFFFFF mov edx, dword ptr [ebp-A8] ------- EDX now holds the real registration code 73122657
0055537A |. 58 pop eax
0055537B |. E8 00FAEAFF call 00404D80 ----- compares the real and fake codes; change the hex in EAX to 00C9B69C and registration succeeds
00555380 |. 0F85 DF000000 jnz 00555465 ------- to patch it, change the JNZ to JZ
00555386 |. A1 6C1D5700 mov eax, dword ptr [571D6C]
0055538B |. 8B00 mov eax, dword ptr [eax]
0055538D |. 8B80 D4040000 mov eax, dword ptr [eax+4D4]
00555393 |. BA 60555500 mov edx, 00555560 ; this software is registered
00555398 |. E8 732BEFFF call 00447F10
0055539D |. 8D95 50FFFFFF lea edx, dword ptr [ebp-B0]
005553A3 |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
005553A9 |. E8 322BEFFF call 00447EE0
005553AE |. 8B8D 50FFFFFF mov ecx, dword ptr [ebp-B0]
005553B4 |. BA 78555500 mov edx, 00555578 ; ssbxr
005553B9 |. 8BC6 mov eax, esi
005553BB |. E8 3093F2FF call 0047E6F0
005553C0 |. 8D85 4CFFFFFF lea eax, dword ptr [ebp-B4]
005553C6 |. B9 88555500 mov ecx, 00555588 ; \c401l.dll
005553CB |. 8B55 FC mov edx, dword ptr [ebp-4]
005553CE |. E8 B5F8EAFF call 00404C88
005553D3 |. 8B8D 4CFFFFFF mov ecx, dword ptr [ebp-B4]
005553D9 |. B2 01 mov dl, 1
005553DB |. A1 00D44700 mov eax, dword ptr [47D400]
005553E0 |. E8 CB80F2FF call 0047D4B0
005553E5 |. 8BF0 mov esi, eax
005553E7 |. 8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
005553ED |. 8B83 04030000 mov eax, dword ptr [ebx+304]
005553F3 |. E8 E82AEFFF call 00447EE0
005553F8 |. 8B85 48FFFFFF mov eax, dword ptr [ebp-B8]
005553FE |. 50 push eax
005553FF |. B9 9C555500 mov ecx, 0055559C ; dd
00555404 |. BA A8555500 mov edx, 005555A8 ; syssetup
00555409 |. 8BC6 mov eax, esi
0055540B |. 8B38 mov edi, dword ptr [eax]
0055540D |. FF57 04 call dword ptr [edi+4]
00555410 |. 8D95 44FFFFFF lea edx, dword ptr [ebp-BC]
00555416 |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0055541C |. E8 BF2AEFFF call 00447EE0
00555421 |. 8B85 44FFFFFF mov eax, dword ptr [ebp-BC]
00555427 |. 50 push eax
00555428 |. B9 BC555500 mov ecx, 005555BC ; zc
0055542D |. BA A8555500 mov edx, 005555A8 ; syssetup
00555432 |. 8BC6 mov eax, esi
00555434 |. 8B30 mov esi, dword ptr [eax]
00555436 |. FF56 04 call dword ptr [esi+4]
00555439 |. 8D85 40FFFFFF lea eax, dword ptr [ebp-C0]
0055543F |. B9 88555500 mov ecx, 00555588 ; \c401l.dll
00555444 |. 8B55 FC mov edx, dword ptr [ebp-4]
00555447 |. E8 3CF8EAFF call 00404C88
0055544C |. 8B85 40FFFFFF mov eax, dword ptr [ebp-C0]
00555452 |. BA 02000000 mov edx, 2
00555457 |. E8 5045EBFF call 004099AC
0055545C |. 8BC3 mov eax, ebx
I cracked this one a while ago; it was so simple that I didn't post it. I'm posting it now mainly so beginners have something to practice on.
However, I don't know where the software stores the registration code; I had meant to delete it and crack it again. If anyone knows where the registration is saved, please share it with everyone. Thanks.
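As an added example (not from the post), here is a small Python parser for the OllyDbg listing format pasted above: it decodes each relative branch from its opcode bytes and checks the decoded target against the operand OllyDbg printed, which confirms that the whole "registered / not registered" decision above rests on the single conditional jump at 00555380 and that its fall-through path is the one that reaches the "this software is registered" string. The sample lines are copied from the listing above; the function names and the regular expression are assumptions of this example.

```python
import re

# Constructed sample in the post's OllyDbg listing format (rel8 and rel32 branches, one comment).
LISTING = """\
00555300 74 1A je short 0055531C
0055531A |. 75 0F jnz short 0055532B
0055537B |. E8 00FAEAFF call 00404D80
00555380 |. 0F85 DF000000 jnz 00555465
00555393 |. BA 60555500 mov edx, 00555560 ; this software is registered
"""

LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+(?:\|[.>]\s*)?"    # address, optional OllyDbg flow marker
    r"(?P<bytes>[0-9A-F]+(?: [0-9A-F]+)*)>?\s*"   # opcode bytes, '>' is sometimes glued on
    r"(?P<asm>[a-z][^;]*?)\s*(?:;\s*(?P<comment>.*))?$"
)

def parse_listing(text):
    """One dict per instruction: address, opcode bytes, mnemonic, operands, comment."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a listing line
        mnemonic, _, operands = m["asm"].partition(" ")
        insns.append({"addr": int(m["addr"], 16),
                      "bytes": bytes.fromhex(m["bytes"].replace(" ", "")),
                      "mnemonic": mnemonic, "operands": operands.strip(),
                      "comment": m["comment"] or ""})
    return insns

def branch_target(insn):
    """Decode rel8 (short Jcc/jmp) and rel32 (call/jmp/near Jcc) targets; None otherwise."""
    code, nxt = insn["bytes"], insn["addr"] + len(insn["bytes"])  # target is relative to next insn
    if len(code) == 2 and (0x70 <= code[0] <= 0x7F or code[0] == 0xEB):   # rel8
        return nxt + int.from_bytes(code[1:], "little", signed=True)
    if len(code) == 5 and code[0] in (0xE8, 0xE9):                         # call/jmp rel32
        return nxt + int.from_bytes(code[1:], "little", signed=True)
    if len(code) == 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:     # near Jcc rel32
        return nxt + int.from_bytes(code[2:], "little", signed=True)
    return None

def conditional_jumps(insns):
    """(address, mnemonic, decoded target, agrees with OllyDbg's printed operand) per Jcc."""
    return [(i["addr"], i["mnemonic"], branch_target(i),
             branch_target(i) == int(i["operands"].split()[-1], 16))
            for i in insns if i["mnemonic"].startswith("j") and i["mnemonic"] != "jmp"]
```

Every decoded target agrees with the listing, and the only conditional jump between the compare call and the "registered" string is the JNZ at 00555380, which is why a single byte decides the outcome.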