【Crack author】 落魄浪子
【Tools used】 FlyOD1.1 (modified build)
【Platform】 Win9x/NT/2000/XP
【Software】 AutoCAD七天超级速成法2.0版 (AutoCAD Seven-Day Super Crash Course, version 2.0)
【Download】 http://www.shxian.com, or search for it online
【Packer】 ASPack 2.1 -> Alexey Solodovnikov [Overlay]
【Statement】 I am just a newbie; I picked up a few insights and want to share them with everyone :)
--------------------------------------------------------------------------------
【Cracking process】
Seven days to turn you into a CAD engineer? If it were really that impressive, China's "tofu-dreg" construction projects would be springing up everywhere: an engineer every seven days.
Terrifying! I think at most you would pick up a little of the basics.
Never mind whether the software is good or bad; on to the main topic. I did not unpack the program, because after unpacking the overlay (appended data) would also have to be repaired (Fly has an article on repairing the appended data of VB函数速查, the VB function quick reference tool). I used PEiD to find the OEP and then used the debugger's G (go to address) to jump straight to the OEP.
0048C850 55 push ebp program OEP
0048C851 8BEC mov ebp,esp
0048C853 83C4 F4 add esp,-0C
0048C856 53 push ebx
0048C857 B8 F8C54800 mov eax,AUTOCAD?0048C5F8
0048C85C E8 2BA2F7FF call AUTOCAD?00406A8C
Search for the strings UserName and Password and set breakpoints on them. Analysis shows they are read from the registry, so I created these two values in the registry myself.
0048C232 B8 E0C24800 mov eax,AUTOCAD?0048C2E0 ; ASCII "\Software\Ada99\eBook workshop\Security\%s"
0048C237 E8 48D2F7FF call AUTOCAD?00409484
0048C23C 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0048C23F B1 01 mov cl,1
0048C241 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C244 E8 DFB7FEFF call AUTOCAD?00477A28
0048C249 84C0 test al,al
0048C24B 74 34 je short AUTOCAD?0048C281
0048C24D 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
0048C250 BA 14C34800 mov edx,AUTOCAD?0048C314 ; ASCII "UserName"
0048C255 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C258 E8 93B9FEFF call AUTOCAD?00477BF0
0048C25D 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
0048C260 8BC3 mov eax,ebx
0048C262 E8 857AF7FF call AUTOCAD?00403CEC
0048C267 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0048C26A BA 28C34800 mov edx,AUTOCAD?0048C328 ; ASCII "Password"
0048C26F 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C272 E8 79B9FEFF call AUTOCAD?00477BF0
After the program starts, click the last item in the table of contents and a dialog pops up asking for a username and password. Because the two values have already been created in the registry, the debugger breaks at the call below:
0048C244 E8 DFB7FEFF call AUTOCAD?00477A28 breaks here
0048C249 84C0 test al,al
0048C24B 74 34 je short AUTOCAD?0048C281
0048C24D 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
0048C250 BA 14C34800 mov edx,AUTOCAD?0048C314 ; ASCII "UserName"
0048C255 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C258 E8 93B9FEFF call AUTOCAD?00477BF0
0048C25D 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
0048C260 8BC3 mov eax,ebx
0048C262 E8 857AF7FF call AUTOCAD?00403CEC
0048C267 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0048C26A BA 28C34800 mov edx,AUTOCAD?0048C328 ; ASCII "Password"
After stepping through with F8 we arrive at the following:
0048BE8F 8B45 EC mov eax,dword ptr ss:[ebp-14] username
0048BE92 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
0048BE95 8B15 54E54800 mov edx,dword ptr ds:[48E554] ; AUTOCAD?0048FC18
0048BE9B 8B12 mov edx,dword ptr ds:[edx] ASCII "autocad688387F9FF" denote it S1
0048BE9D E8 DE9EFFFF call AUTOCAD?00485D80 key CALL, step into it
-------------------------------------------------------------------
00485D80 55 push ebp after stepping in we land here
00485D81 8BEC mov ebp,esp
00485D83 83C4 D0 add esp,-30
00485D86 53 push ebx
---------------------code skipped--------------------------------------
00485DAE 8B45 F8 mov eax,dword ptr ss:[ebp-8] S1 into EAX
00485DB1 E8 16E3F7FF call AUTOCAD?004040CC
00485DB6 33C0 xor eax,eax
00485DB8 55 push ebp
00485DB9 68 745F4800 push AUTOCAD?00485F74
00485DBE 64:FF30 push dword ptr fs:[eax]
00485DC1 64:8920 mov dword ptr fs:[eax],esp
00485DC4 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00485DC7 8B55 FC mov edx,dword ptr ss:[ebp-4] username into EDX
00485DCA E8 61DFF7FF call AUTOCAD?00403D30
00485DCF 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00485DD2 8B55 F8 mov edx,dword ptr ss:[ebp-8]
00485DD5 E8 56DFF7FF call AUTOCAD?00403D30
00485DDA 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00485DDD BA 8C5F4800 mov edx,AUTOCAD?00485F8C ; ASCII "i love ada"
00485DE2 E8 05DFF7FF call AUTOCAD?00403CEC
00485DE7 837D E8 00 cmp dword ptr ss:[ebp-18],0 check whether the username is empty
00485DEB 0F84 4E010000 je AUTOCAD?00485F3F
00485DF1 837D E4 00 cmp dword ptr ss:[ebp-1C],0 check whether S1 is empty
00485DF5 0F84 44010000 je AUTOCAD?00485F3F
00485DFB 8B45 E4 mov eax,dword ptr ss:[ebp-1C] S1 into EAX
00485DFE E8 15E1F7FF call AUTOCAD?00403F18 get the length of S1
00485E03 8945 F0 mov dword ptr ss:[ebp-10],eax
00485E06 33FF xor edi,edi
00485E08 BB 80000000 mov ebx,80 0x80 into EBX, denote it B1
00485E0D 8B45 E8 mov eax,dword ptr ss:[ebp-18] username into EAX, denote it S2
00485E10 E8 03E1F7FF call AUTOCAD?00403F18 get the length of the username
00485E15 8BF0 mov esi,eax
00485E17 83FE 01 cmp esi,1
00485E1A 7C 7E jl short AUTOCAD?00485E9A
00485E1C 8B45 E8 mov eax,dword ptr ss:[ebp-18] S2 into EAX
00485E1F 0FB64430 FF movzx eax,byte ptr ds:[eax+esi-1] take one character of S2, from right to left, denote it N1
00485E24 03C3 add eax,ebx N1 plus C1, result denoted N2 (on the first pass EBX = B1)
00485E26 B9 FF000000 mov ecx,0FF 0xFF into ECX, denote it B2
00485E2B 99 cdq
00485E2C F7F9 idiv ecx N2 divided by B2, remainder denoted N3
00485E2E 8BDA mov ebx,edx
00485E30 3B7D F0 cmp edi,dword ptr ss:[ebp-10] [EBP-10] is the length of S1
00485E33 7D 03 jge short AUTOCAD?00485E38 has all of S1 been consumed?
00485E35 47 inc edi counter + 1
00485E36 EB 05 jmp short AUTOCAD?00485E3D
00485E38 BF 01000000 mov edi,1 if exhausted, reset the counter to 1
00485E3D 8B45 E4 mov eax,dword ptr ss:[ebp-1C] S1 into EAX
00485E40 0FB64438 FF movzx eax,byte ptr ds:[eax+edi-1] take one character of S1, from left to right, denote it D1
00485E45 33D8 xor ebx,eax N3 XOR D1, result denoted C1
00485E47 8BC6 mov eax,esi username length into EAX
00485E49 25 01000080 and eax,80000001
00485E4E 79 05 jns short AUTOCAD?00485E55
00485E50 48 dec eax
00485E51 83C8 FE or eax,FFFFFFFE
00485E54 40 inc eax
00485E55 85C0 test eax,eax
00485E57 75 27 jnz short AUTOCAD?00485E80
00485E59 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00485E5C 50 push eax
00485E5D 895D D8 mov dword ptr ss:[ebp-28],ebx
00485E60 C645 DC 00 mov byte ptr ss:[ebp-24],0
00485E64 8D55 D8 lea edx,dword ptr ss:[ebp-28]
00485E67 33C9 xor ecx,ecx
00485E69 B8 A05F4800 mov eax,AUTOCAD?00485FA0 ; ASCII "%1.2x"
00485E6E E8 1136F8FF call AUTOCAD?00409484
00485E73 8B55 E0 mov edx,dword ptr ss:[ebp-20]
00485E76 8D45 EC lea eax,dword ptr ss:[ebp-14]
00485E79 E8 A2E0F7FF call AUTOCAD?00403F20
00485E7E EB 15 jmp short AUTOCAD?00485E95
-------------------------------------------------------------------------
00485E95 4E dec esi username length minus one
00485E96 85F6 test esi,esi
00485E98 ^ 75 82 jnz short AUTOCAD?00485E1C finished? if not, continue.
00485E9A 8D45 EC lea eax,dword ptr ss:[ebp-14] the final computed result, denote it H1
00485E9D BA B05F4800 mov edx,AUTOCAD?00485FB0 ; ASCII "12345678"
00485EA2 E8 79E0F7FF call AUTOCAD?00403F20
00485EA7 8B45 EC mov eax,dword ptr ss:[ebp-14] H1 concatenated with ASCII "12345678", denote it H2
00485EAA E8 69E0F7FF call AUTOCAD?00403F18 get the length of H2
00485EAF 83F8 07 cmp eax,7
00485EB2 7E 16 jle short AUTOCAD?00485ECA
00485EB4 8D45 EC lea eax,dword ptr ss:[ebp-14] H2 into EAX
00485EB7 50 push eax
00485EB8 B9 07000000 mov ecx,7
00485EBD BA 01000000 mov edx,1
00485EC2 8B45 EC mov eax,dword ptr ss:[ebp-14]
00485EC5 E8 56E2F7FF call AUTOCAD?00404120
00485ECA 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00485ECD E8 C6DDF7FF call AUTOCAD?00403C98
00485ED2 8B45 EC mov eax,dword ptr ss:[ebp-14] username into EAX
00485ED5 E8 3EE0F7FF call AUTOCAD?00403F18
00485EDA 8BF0 mov esi,eax
00485EDC 83FE 01 cmp esi,1
00485EDF 7C 53 jl short AUTOCAD?00485F34
00485EE1 8B45 EC mov eax,dword ptr ss:[ebp-14] the first seven characters of H2 into EAX, denote it H3
00485EE4 0FB64430 FF movzx eax,byte ptr ds:[eax+esi-1] take one character of H3, from right to left, denote it G1
00485EE9 03C3 add eax,ebx G1 plus C1, denote it G2
00485EEB B9 FF000000 mov ecx,0FF
00485EF0 99 cdq
00485EF1 F7F9 idiv ecx G2 divided by 0xFF, remainder denoted G3
00485EF3 8BDA mov ebx,edx G3 into EBX
00485EF5 83FF 01 cmp edi,1
00485EF8 7D 03 jge short AUTOCAD?00485EFD
00485EFA 4F dec edi
00485EFB EB 03 jmp short AUTOCAD?00485F00
00485EFD 8B7D F0 mov edi,dword ptr ss:[ebp-10] S1 length into EDI
00485F00 8B45 E4 mov eax,dword ptr ss:[ebp-1C] S1 into EAX
00485F03 0FB64438 FF movzx eax,byte ptr ds:[eax+edi-1] take one character of S1, from right to left, denote it F1
00485F08 33D8 xor ebx,eax G3 XOR F1, result denoted C2
00485F0A 8D45 D0 lea eax,dword ptr ss:[ebp-30]
00485F0D 50 push eax
00485F0E 895D D8 mov dword ptr ss:[ebp-28],ebx
00485F11 C645 DC 00 mov byte ptr ss:[ebp-24],0
00485F15 8D55 D8 lea edx,dword ptr ss:[ebp-28]
00485F18 33C9 xor ecx,ecx
00485F1A B8 A05F4800 mov eax,AUTOCAD?00485FA0 ; ASCII "%1.2x"
00485F1F E8 6035F8FF call AUTOCAD?00409484
00485F24 8B55 D0 mov edx,dword ptr ss:[ebp-30]
00485F27 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00485F2A E8 F1DFF7FF call AUTOCAD?00403F20
00485F2F 4E dec esi
00485F30 85F6 test esi,esi
00485F32 ^ 75 AD jnz short AUTOCAD?00485EE1 all seven characters processed? if not, continue
00485F34 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00485F37 8B55 E8 mov edx,dword ptr ss:[ebp-18] computed result into EDX
00485F3A E8 ADDDF7FF call AUTOCAD?00403CEC a memory keygen can be made here
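The six instructions at 00485E47-00485E57 (mov eax,esi / and eax,80000001 / jns / dec eax / or eax,FFFFFFFE / inc eax / test eax,eax / jnz) are how a 32-bit compiler typically renders a signed "x mod 2": the result is nonzero exactly when ESI is odd, so odd character positions (ESI counted down from the username length) take the jump to 00485E80, which the listing above does not show, and even positions fall through to the "%1.2x" formatting. The following C program is an added example, not code from the write-up or from the program being analysed; it emulates that instruction sequence step by step and checks it against C's signed remainder, including negative values, which is what the sign-bit handling is for.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Emulates 00485E47..00485E55 instruction by instruction and returns the value
 * left in EAX before "test eax,eax", i.e. what "jnz 00485E80" decides on.
 * Constructed illustration; the addresses refer to the listing in the write-up. */
static int32_t emulate_and_80000001_idiom(int32_t esi)
{
    uint32_t eax = (uint32_t)esi;   /* mov eax,esi */
    eax &= 0x80000001u;             /* and eax,80000001 : keep only the sign bit and bit 0 */
    if ((int32_t)eax < 0) {         /* jns not taken: the value was negative */
        eax -= 1;                   /* dec eax */
        eax |= 0xFFFFFFFEu;         /* or eax,FFFFFFFE */
        eax += 1;                   /* inc eax */
    }
    return (int32_t)eax;            /* test eax,eax ; jnz -> nonzero means "odd" */
}

/* The signed remainder the compiler was expressing (C's % truncates toward zero,
 * so -3 % 2 == -1, which is why the negative path above yields -1 for odd values). */
static int32_t reference_mod2(int32_t x)
{
    return x % 2;
}

/* True when the "jnz 00485E80" at 00485E57 is taken for this ESI value. */
static bool jnz_00485E80_taken(int32_t esi)
{
    return emulate_and_80000001_idiom(esi) != 0;
}

/* Sweep a range plus the extreme values and confirm the idiom equals x % 2 everywhere. */
static bool idiom_matches_mod2(void)
{
    const int32_t samples[] = { 0, 1, 2, 3, 7, 17, -1, -2, -3,
                                INT32_MIN, INT32_MIN + 1, INT32_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (emulate_and_80000001_idiom(samples[i]) != reference_mod2(samples[i]))
            return false;
    for (int32_t v = -1000; v <= 1000; v++)
        if (emulate_and_80000001_idiom(v) != reference_mod2(v))
            return false;
    return true;
}

int main(void)
{
    printf("idiom == x %% 2 on all sampled values: %s\n",
           idiom_matches_mod2() ? "yes" : "no");
    /* Walk a constructed 5-character username the way the loop does: ESI from 5 down to 1. */
    for (int32_t esi = 5; esi >= 1; esi--)
        printf("esi=%d -> %s\n", esi,
               jnz_00485E80_taken(esi) ? "jnz taken (00485E80)"
                                       : "falls through (\"%1.2x\" append)");
    return 0;
}
```

For the positive loop counter the sequence reduces to "esi AND 1"; the dec/or/inc tail exists only so that negative inputs give the signed remainder (-1 or 0) instead of a raw bit mask, which is how you recognise a signed mod-by-power-of-two in Borland-style output without stepping through it each time.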
--------------------------------------------------------------------------------
【Summary】
The algorithm is fairly simple; the VB keygen is attached below.
' VB6 keygen as posted; A1 is the constant string S1 found in the program.
Dim A1, A2, A5, A6, A7, A8, A9, A11, A12, A13, A14, A15, A16, A17, A18, A19, A20, A21, A22
Dim A3 As String
Dim A4 As Variant
Dim A10 As Variant
A1 = "autocad688387F9FF"
If Text1.Text = "" Then
    MsgBox "^0^对不起!请输入你的用户名。^0^", , "AutoCAD七天超级速成2.0注册机"
    Exit Sub
End If
' A3: the username as a hex string of its byte values (two hex digits per character)
For A2 = 1 To Len(Text1.Text)
    A3 = A3 & Hex(Asc(Mid(Text1.Text, A2, 1)))
Next A2
' A8: S1 as a hex string of its byte values
For A7 = 1 To Len(A1)
    A8 = A8 & Hex(Asc(Mid(A1, A7, 1)))
Next A7
A6 = Len(A3) + 1
A9 = Len(A8)
A7 = 128    ' B1 = 0x80, the initial value of EBX
' First loop (00485E1C-00485E98): walk the username from right to left,
' C1 = ((N1 + C1) Mod 255) Xor D1, with D1 cycling through S1 from the left
For A5 = 1 To Len(A3) / 2
    A6 = A6 - 2
    A9 = A9 - 1
    A4 = CLng("&H" & Mid(A3, A6, 2))
    If A4 < 0 Then A4 = A4 + 65536
    A10 = CLng("&H" & Mid(A8, Len(A8) - A9, 2))
    A9 = A9 - 1
    If A10 < 0 Then A10 = A10 + 65536
    A7 = ((A4 + A7) Mod 255) Xor A10
    A12 = A5 And &H80000001    ' same mask as "and eax,80000001" in the program: tests the low bit
    If A12 = 0 Then
        A11 = A11 & Hex(A7)
    Else
        A11 = A11 & Hex(Asc(Mid(Hex(A7), 1, 1))) & Hex(Asc(Mid(Hex(A7), 2, 1)))
    End If
Next A5
A13 = Mid(A11, Len(A11) - 1, 2)
If A13 < 0 Then A13 = A13 + 65536
A13 = CLng("&H" & A13)
A11 = A11 & "3132333435363738"    ' ASCII "12345678" as hex bytes (H2 = H1 & "12345678")
A14 = Len(Mid(A11, 1, 14)) + 1    ' only the first seven characters of H2 (H3) are used
' Second loop (00485EE1-00485F32): seven rounds over H3 from right to left,
' C2 = ((G1 + C) Mod 255) Xor F1, emitted as two hex digits per round
For A15 = 1 To 7
    A14 = A14 - 2
    If Len(Text1.Text) = 1 Then
        If Mid(A8, 1, 2) < 0 Then Mid(A8, 1, 2) = Mid(A8, 1, 2) + 65536
        A17 = CLng("&H" & Mid(A8, 1, 2))
    Else
        If Mid(A8, Len(A8) - 1, 2) < 0 Then Mid(A8, Len(A8) - 1, 2) = Mid(A8, Len(A8) - 1, 2) + 65536
        A17 = CLng("&H" & Mid(A8, Len(A8) - 1, 2))
    End If
    A20 = Mid(Mid(A11, 1, 14), A14, 2)
    If A20 < 0 Then A20 = A20 + 65536
    A16 = CLng("&H" & A20)
    A18 = ((A16 + A13) Mod 255) Xor A17
    A13 = A18
    If Len(Hex(A18)) = 1 Then
        A19 = A19 & 0 & Hex(A18)
    Else
        A19 = A19 & Hex(A18)
    End If
Next A15
Text2.Text = A19
This keygen was tested on WinXP SP2 with VB6. My VB is only just good enough to get by; experts, please don't laugh.
--------------------------------------------------------------------------------
【Copyright notice】 This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!