windows魔法助手 注册分析
【破解作者】 微笑刺客
【作者邮箱】 yuqli@yeah.net
【使用工具】 PEID v0.93 OllyDbg v1.10 fly修改版
【破解平台】 Win2K
【软件名称】 windows魔法助手 V2.95
【下载地址】 http://www.softreg.com.cn/shareware_view.aspx?id=/8C10F1E1-47C9-4AC8-A42F-7F47C83F5A39/
【编写语言】 Borland Delphi
【软件介绍】 和windows优化大师 差不多,不管是界面还是一些基本功能都非常相似~~
【破解声明】 学习破解
【破解过程】 PeID查壳,ASPack 2.12 -> Alexey Solodovnikov,用ASPackDie v1.41轻松搞定,默认另存为UnPacked.exe,再查Borland Delphi
4.0 - 5.0,Dede查的注册按钮事件地址004A913C ,OD载入在004A913C下断,F9运行
注册->输入"12345-12345-12345-12345-12345" 点注册认证 断下
004A913C 55 push ebp //断在这里
004A913D 8BEC mov ebp, esp
004A913F 33C9 xor ecx, ecx
004A9141 51 push ecx
004A9142 51 push ecx
004A9143 51 push ecx
004A9144 51 push ecx
004A9145 51 push ecx
004A9146 51 push ecx
004A9147 51 push ecx
004A9148 51 push ecx
004A9149 53 push ebx
004A914A 8BD8 mov ebx, eax
004A914C 33C0 xor eax, eax
004A914E 55 push ebp
* Possible String Reference to: '殪?胗[?]?
|
004A914F 6847934A00 push $004A9347
***** TRY
|
004A9154 64FF30 push dword ptr fs:[eax]
004A9157 648920 mov fs:[eax], esp
004A915A 8D55F8 lea edx, [ebp-$08]
* Reference to control fetkey1 : N.A.
|
004A915D 8B830C030000 mov eax, [ebx+$030C]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
| ~~~~~~~~~~
004A9163 E84CC1F9FF call 004452B4 // 看“~~~~~” 知道了吧 函数是取字符串
004A9168 FF75F8 push dword ptr [ebp-$08]
004A916B 685C934A00 push $004A935C
004A9170 8D55F4 lea edx, [ebp-$0C]
* Reference to control fetkey2 : N.A.
|
004A9173 8B8310030000 mov eax, [ebx+$0310]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004A9179 E836C1F9FF call 004452B4 //同上
004A917E FF75F4 push dword ptr [ebp-$0C]
004A9181 685C934A00 push $004A935C
004A9186 8D55F0 lea edx, [ebp-$10]
* Reference to control fetkey3 : N.A.
|
004A9189 8B8314030000 mov eax, [ebx+$0314]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004A918F E820C1F9FF call 004452B4 //同上
004A9194 FF75F0 push dword ptr [ebp-$10]
004A9197 685C934A00 push $004A935C
004A919C 8D55EC lea edx, [ebp-$14]
* Reference to control fetkey4 : N.A.
|
004A919F 8B8318030000 mov eax, [ebx+$0318]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004A91A5 E80AC1F9FF call 004452B4
004A91AA FF75EC push dword ptr [ebp-$14]
004A91AD 685C934A00 push $004A935C
004A91B2 8D55E8 lea edx, [ebp-$18]
* Reference to control fetkey5 : N.A.
|
004A91B5 8B831C030000 mov eax, [ebx+$031C]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004A91BB E8F4C0F9FF call 004452B4 //和上面是同一个函数
004A91C0 FF75E8 push dword ptr [ebp-$18]
004A91C3 8D45FC lea eax, [ebp-$04]
004A91C6 BA09000000 mov edx, $00000009
* Reference to: System.@LStrCatN; //看函数名知道什么意思了
|
004A91CB E8D4B8F5FF call 00404AA4 //连接 12345-12345-12345-12345-12345
004A91D0 8B45FC mov eax, [ebp-$04]
|
004A91D3 E89C280A00 call 0054BA74 //关键 进入
004A91D8 84C0 test al, al
004A91DA 0F8420010000 jz 004A9300
* Possible String Reference to: '注册成功--感谢您对本软件的支持!'
|
004A91E0 B968934A00 mov ecx, $004A9368
004A91E5 BA01000000 mov edx, $00000001
004A91EA B801000000 mov eax, $00000001
|
004A91EF E8C4F70900 call 005489B8
004A91F4 B201 mov dl, $01
004A91F6 A160B04600 mov eax, dword ptr [$0046B060]
* Reference to: Registry.TRegistry.Create(TRegistry;boolean);overload;
|
004A91FB E8601FFCFF call 0046B160
004A9200 8BD8 mov ebx, eax
004A9202 BA02000080 mov edx, $80000002
004A9207 8BC3 mov eax, ebx
* Reference to: Registry.TRegistry.SetRootKey(TRegistry;HKEY);
|
004A9209 E8F21FFCFF call 0046B200
004A920E B101 mov cl, $01
* Possible String Reference to: '\software\GZNSoft' //写入注册表 注册成功进去看看
|
004A9210 BA94934A00 mov edx, $004A9394
004A9215 8BC3 mov eax, ebx
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
0054BA74 55 push ebp
0054BA75 8BEC mov ebp, esp
0054BA77 83C4F0 add esp, -$10
0054BA7A 53 push ebx
0054BA7B 56 push esi
0054BA7C 57 push edi
0054BA7D 33D2 xor edx, edx
0054BA7F 8955F0 mov [ebp-$10], edx
0054BA82 8955F4 mov [ebp-$0C], edx
0054BA85 8945FC mov [ebp-$04], eax //所有字符连接一起
0054BA88 8B45FC mov eax, [ebp-$04]
省略一部分`~~
0054BABE E8218FEBFF call 004049E4
0054BAC3 83F81D cmp eax, +$1D
0054BAC6 0F8508030000 jnz 0054BDD4
0054BACC 8D45F4 lea eax, [ebp-$0C]
0054BACF 8B55FC mov edx, [ebp-$04]
* Reference to: System.@LStrLAsg(void;void;void;void);
|
================================================================
0054BAD2 E8ED8CEBFF call 004047C4
0054BAD7 8B45F4 mov eax, [ebp-$0C] //连接后注册码12345-12345-12345-12345-12345 记为SN[N] N=29
0054BADA 0FB64018 movzx eax, byte ptr [eax+$18] //sn[24]=5
0054BADE 8B55F4 mov edx, [ebp-$0C]
0054BAE1 0FB6521C movzx edx, byte ptr [edx+$1C] //sn[28] =1
0054BAE5 2BC2 sub eax, edx //2数相减
0054BAE7 99 cdq
0054BAE8 33C2 xor eax, edx
0054BAEA 2BC2 sub eax, edx //相当于 取绝对值
0054BAEC 8BD8 mov ebx, eax
0054BAEE 83C330 add ebx, +$30
0054BAF1 83FB39 cmp ebx, +$39
0054BAF4 7E08 jle 0054BAFE
0054BAF6 83FB41 cmp ebx, +$41
0054BAF9 7D03 jnl 0054BAFE
0054BAFB 83C307 add ebx, +$07
0054BAFE 8D45F4 lea eax, [ebp-$0C]
|
0054BB01 E82E91EBFF call 00404C34 //相减结果bl=>字符
0054BB06 885802 mov [eax+$02], bl //bl =>sn[2],'4'->'3'
软件作者就是利用上面的这段代码来计算注册码
所以下面的一样计算 简单
========================================
0054BB09 8B45F4 mov eax, [ebp-$0C] //新sn=12445-12345-12345-12345-12345
0054BB0C 0FB64012 movzx eax, byte ptr [eax+$12] //sn[18]
0054BB10 8B55F4 mov edx, [ebp-$0C]
0054BB13 0FB65216 movzx edx, byte ptr [edx+$16] //sn[22]
0054BB17 2BC2 sub eax, edx //sn[18]-sn[22]
0054BB19 99 cdq
0054BB1A 33C2 xor eax, edx
0054BB1C 2BC2 sub eax, edx
0054BB1E 8BD8 mov ebx, eax //和上面的一样 绝对值 所以下面就不再多说了
0054BB20 83C330 add ebx, +$30
0054BB23 83FB39 cmp ebx, +$39
0054BB26 7E08 jle 0054BB30
0054BB28 83FB41 cmp ebx, +$41
0054BB2B 7D03 jnl 0054BB30
0054BB2D 83C307 add ebx, +$07
0054BB30 8D45F4 lea eax, [ebp-$0C]
|
0054BB33 E8FC90EBFF call 00404C34
0054BB38 885808 mov [eax+$08], bl // bl相减结果=>sn[8]
0054BB3B 8B45F4 mov eax, [ebp-$0C] // 新sn=12445-12445-12345-12345-12345
0054BB3E 0FB6400C movzx eax, byte ptr [eax+$0C] //sn[12]
0054BB42 8B55F4 mov edx, [ebp-$0C]
0054BB45 0FB65210 movzx edx, byte ptr [edx+$10] //sn[16]
0054BB49 2BC2 sub eax, edx //sn[12]-sn[16]
0054BB4B 99 cdq
0054BB4C 33C2 xor eax, edx
0054BB4E 2BC2 sub eax, edx
........
........
|
0054BB65 E8CA90EBFF call 00404C34
0054BB6A 88580E mov [eax+$0E], bl // bl相减结果=>sn[14]
0054BB6D 8B45F4 mov eax, [ebp-$0C] //新sn=12445-12445-12445-12345-12345
0054BB70 0FB64006 movzx eax, byte ptr [eax+$06] //sn[6]
0054BB74 8B55F4 mov edx, [ebp-$0C]
0054BB77 0FB6520A movzx edx, byte ptr [edx+$0A] //sn[10]
0054BB7B 2BC2 sub eax, edx //sn[6]-sn[10]
0054BB7D 99 cdq
.........
...........
0054BB97 E89890EBFF call 00404C34
0054BB9C 885814 mov [eax+$14], bl // bl相减结果=>sn[20]
0054BB9F 8B45F4 mov eax, [ebp-$0C] // 新sn=12445-12445-12445-12445-12345
0054BBA2 0FB600 movzx eax, byte ptr [eax] //sn[0]
0054BBA5 8B55F4 mov edx, [ebp-$0C]
0054BBA8 0FB65204 movzx edx, byte ptr [edx+$04] //sn[4]
0054BBAC 2BC2 sub eax, edx //sn[0]-sn[4]
0054BBAE 99 cdq
0054BBAF 33C2 xor eax, edx
......
......
0054BBC8 E86790EBFF call 00404C34
0054BBCD 88581A mov [eax+$1A], bl // bl相减结果=>sn[26]
0054BBD0 8B45F4 mov eax, [ebp-$0C] // 新sn=12445-12445-12445-12445-12445
0054BBD3 0FB64008 movzx eax, byte ptr [eax+$08] //sn[8]
0054BBD7 8B55F4 mov edx, [ebp-$0C]
0054BBDA 0FB6520A movzx edx, byte ptr [edx+$0A] //sn[10]
0054BBDE 2BC2 sub eax, edx //sn[8]-sn[10]
0054BBE0 99 cdq
.......
.......
0054BBFA E83590EBFF call 00404C34
0054BBFF 885801 mov [eax+$01], bl // bl相减结果=>sn[1]
0054BC02 8B45F4 mov eax, [ebp-$0C] // 新sn=11445-12445-12445-12445-12445
0054BC05 0FB64014 movzx eax, byte ptr [eax+$14] //sn[20]
0054BC09 8B55F4 mov edx, [ebp-$0C]
0054BC0C 0FB65216 movzx edx, byte ptr [edx+$16] //sn[22]
0054BC10 2BC2 sub eax, edx //sn[20]-sn[22]
0054BC12 99 cdq
.........
........
0054BC2C E80390EBFF call 00404C34
0054BC31 885807 mov [eax+$07], bl // bl相减结果=>sn[7]
0054BC34 8B45F4 mov eax, [ebp-$0C] // 新sn=11445-11445-12445-12445-12445
0054BC37 0FB6400E movzx eax, byte ptr [eax+$0E] //sn[14]
0054BC3B 8B55F4 mov edx, [ebp-$0C]
0054BC3E 0FB65210 movzx edx, byte ptr [edx+$10] //sn[16]
0054BC42 2BC2 sub eax, edx //sn[14]-sn[16]
0054BC44 99 cdq
.........
.........
0054BC5E E8D18FEBFF call 00404C34
0054BC63 88580D mov [eax+$0D], bl //bl相减结果=>sn[13]
0054BC66 8B45F4 mov eax, [ebp-$0C] // 新sn=11445-11445-11445-12445-12445
0054BC69 0FB64002 movzx eax, byte ptr [eax+$02] //sn[2]
0054BC6D 8B55F4 mov edx, [ebp-$0C]
0054BC70 0FB65204 movzx edx, byte ptr [edx+$04] //sn[4]
0054BC74 2BC2 sub eax, edx //sn[2]-sn[4]
0054BC76 99 cdq
00.........
...........
|
0054BC90 E89F8FEBFF call 00404C34
0054BC95 885813 mov [eax+$13], bl //bl相减结果=>sn[19]
0054BC98 8B45F4 mov eax, [ebp-$0C] // 新sn=11445-11445-11445-11445-12445
0054BC9B 0FB6401A movzx eax, byte ptr [eax+$1A] //sn[26]
0054BC9F 8B55F4 mov edx, [ebp-$0C]
0054BCA2 0FB6521C movzx edx, byte ptr [edx+$1C] //sn[28]
0054BCA6 2BC2 sub eax, edx //sn[26]-sn[28]
0054BCA8 99 cdq
..........
.........
0054BCC2 E86D8FEBFF call 00404C34
0054BCC7 885819 mov [eax+$19], bl //bl相减结果=>sn[25]
0054BCCA 8B45F4 mov eax, [ebp-$0C] // 新sn=11445-11445-11445-11445-11445
0054BCCD 0FB64013 movzx eax, byte ptr [eax+$13] //sn[19]
0054BCD1 8B55F4 mov edx, [ebp-$0C]
0054BCD4 0FB65212 movzx edx, byte ptr [edx+$12] //sn[18]
0054BCD8 2BC2 sub eax, edx //sn[19]-sn[18]
........
........
0054BCF4 E83B8FEBFF call 00404C34
0054BCF9 885803 mov [eax+$03], bl //bl相减结果=>sn[3]
0054BCFC 8B45F4 mov eax, [ebp-$0C] //新sn=11405-11445-11445-11445-11445
0054BCFF 0FB64018 movzx eax, byte ptr [eax+$18] //sn[24]
0054BD03 8B55F4 mov edx, [ebp-$0C]
0054BD06 0FB65219 movzx edx, byte ptr [edx+$19] //sn[25]
0054BD0A 2BC2 sub eax, edx //sn[24]-sn[25]
...........
...........
0054BD26 E8098FEBFF call 00404C34
0054BD2B 885809 mov [eax+$09], bl //bl相减结果=>sn[9]
0054BD2E 8B45F4 mov eax, [ebp-$0C] //新sn=11405-11405-11445-11445-11445
0054BD31 0FB64006 movzx eax, byte ptr [eax+$06] //sn[6]
0054BD35 8B55F4 mov edx, [ebp-$0C]
0054BD38 0FB65207 movzx edx, byte ptr [edx+$07] //sn[7]
0054BD3C 2BC2 sub eax, edx //sn[6]-sn[7]
.........
.........
0054BD58 E8D78EEBFF call 00404C34
0054BD5D 88580F mov [eax+$0F], bl //bl相减结果=>sn[15]
0054BD60 8B45F4 mov eax, [ebp-$0C] //新sn=11405-11405-11405-11445-11445
0054BD63 0FB6400C movzx eax, byte ptr [eax+$0C] //sn[12]
0054BD67 8B55F4 mov edx, [ebp-$0C]
0054BD6A 0FB6520D movzx edx, byte ptr [edx+$0D] //sn[13]
0054BD6E 2BC2 sub eax, edx //sn[12]-sn[13]
...........
..........
0054BD8A E8A58EEBFF call 00404C34
0054BD8F 885815 mov [eax+$15], bl //bl相减结果=>sn[21]
0054BD92 8B45F4 mov eax, [ebp-$0C] //新sn=11405-11405-11405-11405-11445
0054BD95 0FB600 movzx eax, byte ptr [eax] //sn[0]
0054BD98 8B55F4 mov edx, [ebp-$0C]
0054BD9B 0FB65201 movzx edx, byte ptr [edx+$01] //sn[1]
0054BD9F 2BC2 sub eax, edx //sn[0]-sn[1]
.........
.........
0054BDBB E8748EEBFF call 00404C34
0054BDC0 88581B mov [eax+$1B], bl //bl相减结果=>sn[27]
0054BDC3 8B45F4 mov eax, [ebp-$0C] //新sn=11405-11405-11405-11405-11405
0054BDC6 8B55FC mov edx, [ebp-$04] //原sn=12345-12345-12345-12345-12345
* Reference to: System.@LStrCmp; //比较函数
|
0054BDC9 E85A8DEBFF call 00404B28
0054BDCE 7504 jnz 0054BDD4 不相等就完了`~~
0054BDD0 C645FB01 mov byte ptr [ebp-$05], $01
0054BDD4 33C0 xor eax, eax
*************************************
『算法总结』:
先把输入的注册码连接起来
然后经过一系列的相减运算就完事~~
过程比较复杂一点,但是不难,跟一下就完了
可以编写内存注册机
中断地址 0054BDC6
中断次数 1
第一个字节 8B
指令长度 3
内存方式 EAX
象我这般菜鸟 可以去下载来练练
by 微笑刺客~~