Algorithm analysis of a restart-validation program
It's already an old version and the author hasn't updated it; I played with it yesterday, so I'm posting it for everyone to have a look!
This is a program with restart validation (you have to restart it for the registration to be checked); it's the first time I've successfully cracked this kind of software.
EZ Extract Resource 1.86 algorithm analysis
[Cracked by] ihhvqu[OCN][CZG][PYG]
[Author's e-mail] ihhvqu@tom.com
[Author's homepage] http://www.chinaocn.net
[Tools used] flyod, RegSnap
[Platform] WinXP SP2
[Software] EZ Extract Resource 1.86
[Download] http://www.skycn.com/soft/398.html
[Description] Extracts all kinds of resources from local files: icons, cursors, bitmaps, JPG, GIF, Wave, AVI, MIDI, animated cursors and so on; resources it does not yet recognise can also be extracted for the user to process. It can search a whole directory and extract resources from .exe, .dll, .ocx, .cpl and similar files. The extracted resources can be browsed and played directly, or viewed in hexadecimal. Convenient file management, operated much like Explorer. Multi-language support. If you are a developer or do graphic design work, this program is ideal for you; with it you can directly use, or redesign, existing resource files for your own use.
[Size] installer 482 KB
[Packer] none
[Disclaimer] I'm just a little newbie who picked up a bit of insight and wants to share it with everyone :)
--------------------------------------------------------------------------------
[Cracking notes]
A check with PEiD 0.93 says Microsoft Visual C++ 6.0, no packer; it is the restart-validation type.
0012FA5C 0044D44D /CALL 到 MessageBoxA 来自 ExtractR.0044D447
0012FA60 004A0196 |hOwner = 004A0196 ('EZ Extract Resource 1.86 [unr...',class='Afx:400000:b:10011:6:20f031f')
0012FA64 0012FC38 |Text = "请重新运行本程序以检测注册码是否正确。"
0012FA68 00B20EB0 |Title = "EZ Extract Resource"
0012FA6C 00000030 \Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
The registration information is saved at
HKEY_USERS\S-1-5-21-1292428093-2111687655-1343024091-500\Software\SeaMoonTech\EZ Extract Resource\RegInfo\RegCode
Thinking about it: what I had entered was
User name: ihhvqu
Registration code: 1314k
but looking at where it is saved in the registry, it had become
RegUserName: ihhvqu
RegCode: 3536m
It's easy to see that the registration code is transformed before it is written to the registry. This is simple; by entering codes repeatedly I found
entering 1 becomes 3
entering 2 becomes 4
entering a becomes d
entering b becomes e
entering A becomes D
entering B becomes E
I could have guessed it: before writing, 2 is added to the ASCII value of each character of the registration code.
Then I traced the program, and after tracing for a long time I still couldn't make sense of it. Later I discovered that when registering, this program writes more than just the two fields RegUserName and RegCode to the registry:
there are also three more fields under Settings, namely SearchID1, SearchID2 and SearchID3. Entering different registration codes changes these three fields; SearchID2
is the original form of the code we entered, while SearchID1 and SearchID3 are transformed versions. So let's trace everything that happens after the Register button is pressed.......
But on reflection, SearchID1 and SearchID3 are there to fool you, deliberately made complicated. If you don't believe me, read on.
Reload in OD:
bp RegOpenKeyExA brings us here easily:
*************************************************************************************************
Segment 1:
0040F3B6 68 A4594800 push ExtractR.004859A4
0040F3BB 68 44074800 push ExtractR.00480744 ; ASCII "RegUserName"
0040F3C0 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040F3C4 68 3C074800 push ExtractR.0048073C ; ASCII "RegInfo"
0040F3C9 51 push ecx ; about to read the value RegInfo\RegUserName (the registered user name, mine is ihhvqu)
0040F3CA 8BCE mov ecx,esi
0040F3CC E8 95C40400 call ExtractR.0045B866
0040F3D1 8DBE D0000000 lea edi,dword ptr ds:[esi+D0]
0040F3D7 50 push eax
0040F3D8 8BCF mov ecx,edi
0040F3DA C78424 D0010000>mov dword ptr ss:[esp+1D0],1
0040F3E5 E8 C73E0300 call ExtractR.004432B1 ; registered name (+/-0C), result stored in ecx
0040F3EA 8D4C24 10 lea ecx,dword ptr ss:[esp+10] ; store the offset address in ecx
0040F3EE 89AC24 CC010000 mov dword ptr ss:[esp+1CC],ebp
0040F3F5 E8 7E3D0300 call ExtractR.00443178 ; checks a few things, something about A and an address; have to go in and look
0040F3FA A1 F0364800 mov eax,dword ptr ds:[4836F0]
0040F3FF 894424 1C mov dword ptr ss:[esp+1C],eax
0040F403 C78424 CC010000>mov dword ptr ss:[esp+1CC],2
0040F40E 894424 20 mov dword ptr ss:[esp+20],eax
0040F412 894424 18 mov dword ptr ss:[esp+18],eax
0040F416 894424 24 mov dword ptr ss:[esp+24],eax
******************************************************************************************
Segment 2:
0040F41A 68 A4594800 push ExtractR.004859A4
0040F41F 68 28074800 push ExtractR.00480728 ; ASCII "SearchID1"
0040F424 8D5424 18 lea edx,dword ptr ss:[esp+18]
0040F428 BB 05000000 mov ebx,5
0040F42D 68 B8064800 push ExtractR.004806B8 ; ASCII "Settings"
0040F432 52 push edx ; about to read the value Settings\SearchID1 (which is j3020)
0040F433 8BCE mov ecx,esi
0040F435 889C24 DC010000 mov byte ptr ss:[esp+1DC],bl
0040F43C E8 25C40400 call ExtractR.0045B866 ; look at this one carefully
0040F441 50 push eax
0040F442 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
0040F446 C68424 D0010000>mov byte ptr ss:[esp+1D0],6
0040F44E E8 5E3E0300 call ExtractR.004432B1 ; j3020 (+/-0C) and A
0040F453 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040F457 889C24 CC010000 mov byte ptr ss:[esp+1CC],bl
0040F45E E8 153D0300 call ExtractR.00443178 ; checks a few things, something about A and an address; have to go in and look
0040F463 51 push ecx
0040F464 8D4424 24 lea eax,dword ptr ss:[esp+24]
0040F468 8BCC mov ecx,esp
0040F46A 896424 18 mov dword ptr ss:[esp+18],esp
0040F46E 50 push eax
0040F46F E8 793A0300 call ExtractR.00442EED ; checks whether there are any characters? returns 1 if so, [eax-c]
0040F474 51 push ecx
0040F475 C68424 D4010000>mov byte ptr ss:[esp+1D4],7
0040F47D 8BCC mov ecx,esp
0040F47F 896424 18 mov dword ptr ss:[esp+18],esp
0040F483 57 push edi
0040F484 E8 643A0300 call ExtractR.00442EED ; ?
0040F489 8BCE mov ecx,esi
0040F48B 889C24 D4010000 mov byte ptr ss:[esp+1D4],bl
0040F492 E8 490A0000 call ExtractR.0040FEE0 ; must step in, this is key CALL2
****************************************************************************************
Segment 3:
0040F497 68 A4594800 push ExtractR.004859A4
0040F49C 68 10074800 push ExtractR.00480710 ; ASCII "SearchID3"
0040F4A1 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040F4A5 68 B8064800 push ExtractR.004806B8 ; ASCII "Settings"
0040F4AA 51 push ecx
0040F4AB 8BCE mov ecx,esi
0040F4AD 8986 E0000000 mov dword ptr ds:[esi+E0],eax
0040F4B3 E8 AEC30400 call ExtractR.0045B866 ; about to read the value Settings\SearchID3 (which is l5242)
0040F4B8 50 push eax
0040F4B9 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040F4BD C68424 D0010000>mov byte ptr ss:[esp+1D0],8
0040F4C5 E8 E73D0300 call ExtractR.004432B1 ; l5242 (+/-0C) and A
0040F4CA 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040F4CE 889C24 CC010000 mov byte ptr ss:[esp+1CC],bl
0040F4D5 E8 9E3C0300 call ExtractR.00443178 ; checks a few things, something about A and an address; have to go in and look
0040F4DA 51 push ecx
0040F4DB 8D5424 28 lea edx,dword ptr ss:[esp+28]
0040F4DF 8BCC mov ecx,esp
0040F4E1 896424 18 mov dword ptr ss:[esp+18],esp
0040F4E5 52 push edx
0040F4E6 E8 023A0300 call ExtractR.00442EED ; ????????
0040F4EB 51 push ecx
0040F4EC C68424 D4010000>mov byte ptr ss:[esp+1D4],9
0040F4F4 8BCC mov ecx,esp
0040F4F6 896424 18 mov dword ptr ss:[esp+18],esp
0040F4FA 57 push edi
0040F4FB E8 ED390300 call ExtractR.00442EED ; ??????????????
0040F500 8BCE mov ecx,esi ; here we see ihhvqu, l5242
0040F502 889C24 D4010000 mov byte ptr ss:[esp+1D4],bl
0040F509 E8 D2090000 call ExtractR.0040FEE0 ; must step in, key CALL2, the same as the one above
0040F50E 8BCE mov ecx,esi
0040F510 8986 E0000000 mov dword ptr ds:[esi+E0],eax
0040F516 E8 950D0000 call ExtractR.004102B0
******************************************************************************************
Segment 4:
0040F51B 68 A4594800 push ExtractR.004859A4
0040F520 68 34074800 push ExtractR.00480734 ; ASCII "RegCode"
0040F525 8D4424 18 lea eax,dword ptr ss:[esp+18]
0040F529 68 3C074800 push ExtractR.0048073C ; ASCII "RegInfo"
0040F52E 50 push eax
0040F52F 8BCE mov ecx,esi
0040F531 E8 30C30400 call ExtractR.0045B866 ; about to read the value RegInfo\RegCode (the transformed registration code, mine is 3536m)
0040F536 50 push eax
0040F537 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040F53B C68424 D0010000>mov byte ptr ss:[esp+1D0],0A
0040F543 E8 693D0300 call ExtractR.004432B1 ; 3536m (+/-0C) and A
0040F548 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040F54C 889C24 CC010000 mov byte ptr ss:[esp+1CC],bl
0040F553 E8 203C0300 call ExtractR.00443178 ; checks a few things, something about A and an address; have to go in and look; could also be the key call
0040F558 51 push ecx
0040F559 8D5424 20 lea edx,dword ptr ss:[esp+20]
0040F55D 8BCC mov ecx,esp
0040F55F 896424 18 mov dword ptr ss:[esp+18],esp
0040F563 52 push edx
0040F564 E8 84390300 call ExtractR.00442EED ;??????????
0040F569 51 push ecx
0040F56A C68424 D4010000>mov byte ptr ss:[esp+1D4],0B
0040F572 8BCC mov ecx,esp
0040F574 896424 18 mov dword ptr ss:[esp+18],esp
0040F578 57 push edi
0040F579 E8 6F390300 call ExtractR.00442EED
0040F57E 8BCE mov ecx,esi
0040F580 889C24 D4010000 mov byte ptr ss:[esp+1D4],bl
0040F587 E8 54090000 call ExtractR.0040FEE0 ; must step in, key CALL2, same as above, but entering here is a decoy
0040F58C 8986 E0000000 mov dword ptr ds:[esi+E0],eax
*******************************************************************************************************
Segment 5:
0040F592 68 A4594800 push ExtractR.004859A4
0040F597 68 1C074800 push ExtractR.0048071C ; ASCII "SearchID2"
0040F59C 8D4424 1C lea eax,dword ptr ss:[esp+1C]
0040F5A0 68 B8064800 push ExtractR.004806B8 ; ASCII "Settings"
0040F5A5 50 push eax
0040F5A6 8BCE mov ecx,esi
0040F5A8 E8 B9C20400 call ExtractR.0045B866
0040F5AD 50 push eax ; about to read the value Settings\SearchID2 (the registration code we entered)
0040F5AE 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040F5B2 C68424 D0010000>mov byte ptr ss:[esp+1D0],0C
0040F5BA E8 F23C0300 call ExtractR.004432B1 ; 1314k (+/-0C) and A
0040F5BF 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040F5C3 889C24 CC010000 mov byte ptr ss:[esp+1CC],bl
0040F5CA E8 A93B0300 call ExtractR.00443178 ;
0040F5CF 51 push ecx
0040F5D0 8D5424 1C lea edx,dword ptr ss:[esp+1C]
0040F5D4 8BCC mov ecx,esp
0040F5D6 896424 14 mov dword ptr ss:[esp+14],esp
0040F5DA 52 push edx
0040F5DB E8 0D390300 call ExtractR.00442EED
0040F5E0 51 push ecx
0040F5E1 C68424 D4010000>mov byte ptr ss:[esp+1D4],0D
0040F5E9 8BCC mov ecx,esp
0040F5EB 896424 34 mov dword ptr ss:[esp+34],esp
0040F5EF 57 push edi
0040F5F0 E8 F8380300 call ExtractR.00442EED
0040F5F5 8BCE mov ecx,esi
0040F5F7 889C24 D4010000 mov byte ptr ss:[esp+1D4],bl
0040F5FE E8 DD080000 call ExtractR.0040FEE0 ; must step in, key CALL2, same as above
*************************************************************************
0040F603 BF 04000000 mov edi,4
0040F608 8986 E0000000 mov dword ptr ds:[esi+E0],eax
0040F60E 89BE D8000000 mov dword ptr ds:[esi+D8],edi
0040F614 FF15 E0824600 call dword ptr ds:[<&KERNEL32.GetSy>; kernel32.GetSystemDefaultLangID
0040F61A 6A 68 push 68
0040F61C E8 72050300 call ExtractR.0043FB93
0040F621 83C4 04 add esp,4
0040F624 894424 2C mov dword ptr ss:[esp+2C],eax
0040F628 85C0 test eax,eax
0040F62A C68424 CC010000>mov byte ptr ss:[esp+1CC],0E
0040F632 74 1D je short ExtractR.0040F651
0040F634 68 A0A84600 push ExtractR.0046A8A0
0040F639 68 D0944600 push ExtractR.004694D0
0040F63E 68 C8A24600 push ExtractR.0046A2C8
0040F643 68 80000000 push 80
0040F648 8BC8 mov ecx,eax
0040F64A E8 14B00300 call ExtractR.0044A663
0040F64F EB 02 jmp short ExtractR.0040F653
0040F651 33C0 xor eax,eax
0040F653 50 push eax
0040F654 8BCE mov ecx,esi
0040F656 889C24 D0010000 mov byte ptr ss:[esp+1D0],bl
0040F65D E8 86370400 call ExtractR.00452DE8
0040F662 8D8C24 9C000000 lea ecx,dword ptr ss:[esp+9C]
0040F669 E8 46C50400 call ExtractR.0045BBB4
0040F66E 8D8424 9C000000 lea eax,dword ptr ss:[esp+9C]
0040F675 8BCE mov ecx,esi
0040F677 50 push eax
0040F678 C68424 D0010000>mov byte ptr ss:[esp+1D0],0F
0040F680 E8 DCC40400 call ExtractR.0045BB61
0040F685 8D8C24 9C000000 lea ecx,dword ptr ss:[esp+9C]
0040F68C 51 push ecx
0040F68D 8BCE mov ecx,esi
0040F68F E8 FBC80400 call ExtractR.0045BF8F ; the window appears here
0040F694 85C0 test eax,eax
0040F696 75 5D jnz short ExtractR.0040F6F5
0040F698 8D8C24 9C000000 lea ecx,dword ptr ss:[esp+9C]
0040F69F 889C24 CC010000 mov byte ptr ss:[esp+1CC],bl
0040F6A6 E8 64C50400 call ExtractR.0045BC0F
0040F6AB 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
0040F6AF C68424 CC010000>mov byte ptr ss:[esp+1CC],4
0040F6B7 E8 BC3A0300 call ExtractR.00443178
0040F6BC 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040F6C0 C68424 CC010000>mov byte ptr ss:[esp+1CC],3
0040F6C8 E8 AB3A0300 call ExtractR.00443178
0040F6CD 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040F6D1 C68424 CC010000>mov byte ptr ss:[esp+1CC],2
0040F6D9 E8 9A3A0300 call ExtractR.00443178
0040F6DE 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040F6E2 89AC24 CC010000 mov dword ptr ss:[esp+1CC],ebp
0040F6E9 E8 8A3A0300 call ExtractR.00443178
0040F6EE 33C0 xor eax,eax
0040F6F0 E9 04010000 jmp ExtractR.0040F7F9
0040F6F5 8B4E 1C mov ecx,dword ptr ds:[esi+1C]
0040F6F8 53 push ebx
0040F6F9 E8 D7510300 call ExtractR.004448D5
0040F6FE 8B46 1C mov eax,dword ptr ds:[esi+1C]
0040F701 8B50 1C mov edx,dword ptr ds:[eax+1C]
0040F704 52 push edx
0040F705 FF15 24864600 call dword ptr ds:[<&USER32.UpdateW>; USER32.UpdateWindow
0040F70B 68 3C0E4800 push ExtractR.00480E3C ; ASCII "EZ Extract Resource 1.86"
0040F710 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0040F714 E8 CD3A0300 call ExtractR.004431E6 ; key call
0040F719 A1 286B4800 mov eax,dword ptr ds:[486B28]
0040F71E C68424 CC010000>mov byte ptr ss:[esp+1CC],10
0040F726 85C0 test eax,eax
0040F728 75 0E jnz short ExtractR.0040F738 ; if it doesn't jump, unregistered
0040F72A 68 2C0E4800 push ExtractR.00480E2C ; ASCII " [unregistered]"
0040F72F 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0040F733 E8 1C3E0300 call ExtractR.00443554
0040F738 8B4424 28 mov eax,dword ptr ss:[esp+28]
0040F73C 8B4E 1C mov ecx,dword ptr ds:[esi+1C]
0040F73F 50 push eax
0040F740 E8 66500300 call ExtractR.004447AB
0040F745 68 200E4800 push ExtractR.00480E20 ; ASCII "help.chm"
0040F74A E8 1CE80100 call ExtractR.0042DF6B
0040F74F 83C4 04 add esp,4
0040F752 8BCE mov ecx,esi
0040F754 8986 8C000000 mov dword ptr ds:[esi+8C],eax
0040F75A E8 71030000 call ExtractR.0040FAD0
0040F75F 8BB6 68020000 mov esi,dword ptr ds:[esi+268]
0040F765 8B0D 646A4800 mov ecx,dword ptr ds:[486A64]
0040F76B 56 push esi
0040F76C E8 CFBDFFFF call ExtractR.0040B540
0040F771 A1 286B4800 mov eax,dword ptr ds:[486B28]
0040F776 85C0 test eax,eax
0040F778 75 13 jnz short ExtractR.0040F78D
0040F77A 393D 206B4800 cmp dword ptr ds:[486B20],edi
0040F780 7C 0B jl short ExtractR.0040F78D
0040F782 8B0D 646A4800 mov ecx,dword ptr ds:[486A64]
0040F788 E8 F3CDFFFF call ExtractR.0040C580
0040F78D 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
0040F791 C68424 CC010000>mov byte ptr ss:[esp+1CC],0F
0040F799 E8 DA390300 call ExtractR.00443178
0040F79E 8D8C24 9C000000 lea ecx,dword ptr ss:[esp+9C]
0040F7A5 889C24 CC010000 mov byte ptr ss:[esp+1CC],bl
0040F7AC E8 5EC40400 call ExtractR.0045BC0F
0040F7B1 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
0040F7B5 C68424 CC010000>mov byte ptr ss:[esp+1CC],4
0040F7BD E8 B6390300 call ExtractR.00443178
0040F7C2 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040F7C6 C68424 CC010000>mov byte ptr ss:[esp+1CC],3
0040F7CE E8 A5390300 call ExtractR.00443178
0040F7D3 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0040F7D7 C68424 CC010000>mov byte ptr ss:[esp+1CC],2
0040F7DF E8 94390300 call ExtractR.00443178
0040F7E4 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040F7E8 89AC24 CC010000 mov dword ptr ss:[esp+1CC],ebp
0040F7EF E8 84390300 call ExtractR.00443178
0040F7F4 B8 01000000 mov eax,1
0040F7F9 8B8C24 C4010000 mov ecx,dword ptr ss:[esp+1C4]
0040F800 5F pop edi
0040F801 5E pop esi
0040F802 5D pop ebp
0040F803 64:890D 0000000>mov dword ptr fs:[0],ecx
0040F80A 5B pop ebx
0040F80B 81C4 C0010000 add esp,1C0
0040F811 C3 retn
***************************************************************************************************
Code of segment kkk (the 0045B866 routine called above):
0045B866 B8 D0654600 mov eax,ExtractR.004665D0
0045B86B E8 2830FDFF call ExtractR.0042E898 ; ?????
0045B870 B8 0C100000 mov eax,100C
0045B875 E8 C62AFDFF call ExtractR.0042E340 ; ????????
0045B87A 57 push edi
0045B87B 33FF xor edi,edi
0045B87D 3979 7C cmp dword ptr ds:[ecx+7C],edi
0045B880 897D EC mov dword ptr ss:[ebp-14],edi
0045B883 0F84 A0000000 je ExtractR.0045B929
0045B889 FF75 0C push dword ptr ss:[ebp+C]
0045B88C E8 23FFFFFF call ExtractR.0045B7B4
0045B891 3BC7 cmp eax,edi
0045B893 8945 F0 mov dword ptr ss:[ebp-10],eax
0045B896 75 08 jnz short ExtractR.0045B8A0
0045B898 FF75 14 push dword ptr ss:[ebp+14]
0045B89B E9 BD000000 jmp ExtractR.0045B95D
0045B8A0 8B0D F0364800 mov ecx,dword ptr ds:[4836F0] ; ExtractR.00483704
0045B8A6 53 push ebx ;
0045B8A7 56 push esi
0045B8A8 894D 0C mov dword ptr ss:[ebp+C],ecx
0045B8AB 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
0045B8AE 8B35 34804600 mov esi,dword ptr ds:[<&ADVAPI32.Reg>; ADVAPI32.RegQueryValueExA (this function fetches the key's value)
0045B8B4 51 push ecx
0045B8B5 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0045B8B8 57 push edi
0045B8B9 51 push ecx
0045B8BA 57 push edi
0045B8BB 897D FC mov dword ptr ss:[ebp-4],edi
0045B8BE FF75 10 push dword ptr ss:[ebp+10]
0045B8C1 50 push eax
0045B8C2 FFD6 call esi
0045B8C4 8BD8 mov ebx,eax
0045B8C6 3BDF cmp ebx,edi
0045B8C8 75 29 jnz short ExtractR.0045B8F3
0045B8CA 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0045B8CD 8D4D 0C lea ecx,dword ptr ss:[ebp+C]
0045B8D0 50 push eax
0045B8D1 FF75 E8 push dword ptr ss:[ebp-18]
0045B8D4 E8 CF7CFEFF call ExtractR.004435A8
0045B8D9 50 push eax
0045B8DA 8D45 EC lea eax,dword ptr ss:[ebp-14]
0045B8DD 50 push eax
0045B8DE 57 push edi
0045B8DF FF75 10 push dword ptr ss:[ebp+10]
0045B8E2 FF75 F0 push dword ptr ss:[ebp-10]
0045B8E5 FFD6 call esi
0045B8E7 6A FF push -1
0045B8E9 8D4D 0C lea ecx,dword ptr ss:[ebp+C]
0045B8EC 8BD8 mov ebx,eax
0045B8EE E8 047DFEFF call ExtractR.004435F7 ; fetch the registered name into ecx (the first read gets ihhvqu; the second and third get l5242)
0045B8F3 FF75 F0 push dword ptr ss:[ebp-10]
0045B8F6 FF15 00804600 call dword ptr ds:[<&ADVAPI32.RegClo>; ADVAPI32.RegCloseKey
0045B8FC 5E pop esi
0045B8FD 3BDF cmp ebx,edi
0045B8FF 5B pop ebx
0045B900 75 0E jnz short ExtractR.0045B910
0045B902 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
0045B905 8D45 0C lea eax,dword ptr ss:[ebp+C]
0045B908 50 push eax
0045B909 E8 DF75FEFF call ExtractR.00442EED ; ???
0045B90E EB 0B jmp short ExtractR.0045B91B
0045B910 FF75 14 push dword ptr ss:[ebp+14]
0045B913 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
0045B916 E8 CB78FEFF call ExtractR.004431E6
0045B91B 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF
0045B91F 8D4D 0C lea ecx,dword ptr ss:[ebp+C]
0045B922 E8 5178FEFF call ExtractR.00443178 ; ???
0045B927 EB 3C jmp short ExtractR.0045B965
0045B929 397D 14 cmp dword ptr ss:[ebp+14],edi
0045B92C 75 07 jnz short ExtractR.0045B935
0045B92E C745 14 888C480>mov dword ptr ss:[ebp+14],ExtractR.0>
0045B935 FFB1 90000000 push dword ptr ds:[ecx+90]
0045B93B 8D85 E8EFFFFF lea eax,dword ptr ss:[ebp-1018]
0045B941 68 00100000 push 1000
0045B946 50 push eax
0045B947 FF75 14 push dword ptr ss:[ebp+14]
0045B94A FF75 10 push dword ptr ss:[ebp+10]
0045B94D FF75 0C push dword ptr ss:[ebp+C]
0045B950 FF15 C4824600 call dword ptr ds:[<&KERNEL32.GetPri>; kernel32.GetPrivateProfileStringA
0045B956 8D85 E8EFFFFF lea eax,dword ptr ss:[ebp-1018]
0045B95C 50 push eax
0045B95D 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
0045B960 E8 8178FEFF call ExtractR.004431E6
0045B965 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
0045B968 8B45 08 mov eax,dword ptr ss:[ebp+8]
0045B96B 5F pop edi
0045B96C 64:890D 0000000>mov dword ptr fs:[0],ecx
0045B973 C9 leave
0045B974 C2 1000 retn 10
**********************************************************************************************
Key CALL2, 0040F5FE E8 DD080000 call ExtractR.0040FEE0; F7 into it and we arrive at:
**********************************************************************************************
0040FEE0 6A FF push -1
0040FEE2 68 F0454600 push ExtractR.004645F0
0040FEE7 64:A1 00000000 mov eax,dword ptr fs:[0]
0040FEED 50 push eax
0040FEEE 64:8925 0000000>mov dword ptr fs:[0],esp
0040FEF5 81EC D0000000 sub esp,0D0
0040FEFB 56 push esi
0040FEFC 8BF1 mov esi,ecx
0040FEFE B8 01000000 mov eax,1 ; set eax's initial value
0040FF03 68 A4594800 push ExtractR.004859A4
0040FF08 898424 E0000000 mov dword ptr ss:[esp+E0],eax
0040FF0F 8986 D4000000 mov dword ptr ds:[esi+D4],eax
0040FF15 8B8424 E8000000 mov eax,dword ptr ss:[esp+E8] ; registered name into eax
0040FF1C 50 push eax
0040FF1D E8 48DD0100 call ExtractR.0042DC6A ; is the user name empty?
0040FF22 83C4 08 add esp,8
0040FF25 85C0 test eax,eax
0040FF27 0F84 A9010000 je ExtractR.004100D6 ; jump if empty
0040FF2D 8B8C24 E8000000 mov ecx,dword ptr ss:[esp+E8] ; registration code into ecx
0040FF34 68 A4594800 push ExtractR.004859A4
0040FF39 51 push ecx
0040FF3A E8 2BDD0100 call ExtractR.0042DC6A ; is the registration code empty?
0040FF3F 83C4 08 add esp,8
0040FF42 85C0 test eax,eax
0040FF44 0F84 8C010000 je ExtractR.004100D6 ; jump if empty
0040FF4A 68 740F4800 push ExtractR.00480F74 ; ASCII "ttdown" blacklist
0040FF4F 8D8C24 E8000000 lea ecx,dword ptr ss:[esp+E8]
0040FF56 E8 4BCC0200 call ExtractR.0043CBA6
0040FF5B 83F8 FF cmp eax,-1
0040FF5E 75 6E jnz short ExtractR.0040FFCE
0040FF60 68 6C0F4800 push ExtractR.00480F6C ; ASCII "crsky"
0040FF65 8D8C24 E8000000 lea ecx,dword ptr ss:[esp+E8]
0040FF6C E8 35CC0200 call ExtractR.0043CBA6
0040FF71 83F8 FF cmp eax,-1
0040FF74 75 58 jnz short ExtractR.0040FFCE
0040FF76 68 640F4800 push ExtractR.00480F64 ; ASCII ".com"
0040FF7B 8D8C24 E8000000 lea ecx,dword ptr ss:[esp+E8]
0040FF82 E8 1FCC0200 call ExtractR.0043CBA6
0040FF87 83F8 FF cmp eax,-1
0040FF8A 75 42 jnz short ExtractR.0040FFCE
0040FF8C 68 5C0F4800 push ExtractR.00480F5C ; ASCII "jetdown"
0040FF91 8D8C24 E8000000 lea ecx,dword ptr ss:[esp+E8]
0040FF98 E8 09CC0200 call ExtractR.0043CBA6
0040FF9D 83F8 FF cmp eax,-1
0040FFA0 75 2C jnz short ExtractR.0040FFCE
0040FFA2 68 540F4800 push ExtractR.00480F54 ; ASCII ".org"
0040FFA7 8D8C24 E8000000 lea ecx,dword ptr ss:[esp+E8]
0040FFAE E8 F3CB0200 call ExtractR.0043CBA6
0040FFB3 83F8 FF cmp eax,-1
0040FFB6 75 16 jnz short ExtractR.0040FFCE
0040FFB8 68 480F4800 push ExtractR.00480F48
0040FFBD 8D8C24 E8000000 lea ecx,dword ptr ss:[esp+E8]
0040FFC4 E8 DDCB0200 call ExtractR.0043CBA6
0040FFC9 83F8 FF cmp eax,-1
0040FFCC 74 0A je short ExtractR.0040FFD8 ; it jumps here
0040FFCE C786 D4000000 0>mov dword ptr ds:[esi+D4],0
0040FFD8 8B9424 E4000000 mov edx,dword ptr ss:[esp+E4] ; registered name into edx
0040FFDF 33C9 xor ecx,ecx ; clear ecx
0040FFE1 53 push ebx
0040FFE2 C64424 08 68 mov byte ptr ss:[esp+8],68 ; 68, i.e. the character h
0040FFE7 8B72 F8 mov esi,dword ptr ds:[edx-8]
0040FFEA C64424 09 75 mov byte ptr ss:[esp+9],75 ; 75, i.e. the character u
0040FFEF 85F6 test esi,esi
0040FFF1 C64424 0A 79 mov byte ptr ss:[esp+A],79 ; 79, i.e. the character y
0040FFF6 C64424 0B 64 mov byte ptr ss:[esp+B],64 ; 64, i.e. the character d
0040FFFB C64424 0C 6F mov byte ptr ss:[esp+C],6F ; 6F, i.e. the character o
00410000 C64424 0D 6E mov byte ptr ss:[esp+D],6E ; 6E, i.e. the character n
00410005 C64424 0E 67 mov byte ptr ss:[esp+E],67 ; 67, i.e. the character g
0041000A C64424 0F 00 mov byte ptr ss:[esp+F],0
0041000F 7E 3F jle short ExtractR.00410050
00410011 55 push ebp
00410012 57 push edi
00410013 8D7C34 17 lea edi,dword ptr ss:[esp+esi+17]
00410017 8B8424 F0000000 mov eax,dword ptr ss:[esp+F0] ; the core: move the user name ihhvqu into eax
0041001E BD 07000000 mov ebp,7
00410023 8A1C01 mov bl,byte ptr ds:[ecx+eax] ; fetch the user name into bl one character at a time, 1-69 2-68
00410026 8BC1 mov eax,ecx
00410028 99 cdq ; doubleword sign-extension, sets edx to 0
00410029 F7FD idiv ebp
0041002B 0FBEC3 movsx eax,bl ; ASCII value of the user name character into eax
0041002E 8BD9 mov ebx,ecx ; ecx seems to be the counter
00410030 0FBE5414 10 movsx edx,byte ptr ss:[esp+edx+10] ; fetch characters one at a time from "huydong" into EDX
00410035 03DA add ebx,edx ; ebx = character position + that character's ASCII code
00410037 03C3 add eax,ebx ; after the first pass eax = d1
00410039 BB 09000000 mov ebx,9 ; ebx = 9
0041003E 03C6 add eax,esi ; the sum above + the user name length
00410040 99 cdq ; edx set to 0
00410041 F7FB idiv ebx ; divide the value above by 9; where does the 9 come from? it was assigned above
00410043 80C2 30 add dl,30 ; remainder + 30; after the division the remainder is kept in edx. It took me a long time to understand this part
00410046 41 inc ecx ; ecx+1, ready to take the next character
00410047 8817 mov byte ptr ds:[edi],dl ; store the value of dl at [edi]
00410049 4F dec edi
0041004A 3BCE cmp ecx,esi ; all characters taken?
0041004C ^ 7C C9 jl short ExtractR.00410017 ; loop back up
0041004E 5F pop edi
0041004F 5D pop ebp
00410050 8D46 4D lea eax,dword ptr ds:[esi+4D] ; esi=6, 6+4D into eax
00410053 B9 09000000 mov ecx,9 ; assign
00410058 99 cdq
00410059 F7F9 idiv ecx ; eax/9
0041005B 8B8424 EC000000 mov eax,dword ptr ss:[esp+EC] ; fake code into eax
00410062 80C2 30 add dl,30 ; dl = dl+30
00410065 885434 10 mov byte ptr ss:[esp+esi+10],dl
00410069 C64434 11 00 mov byte ptr ss:[esp+esi+11],0
0041006E 8D7424 10 lea esi,dword ptr ss:[esp+10] ; real code into esi
00410072 8A10 mov dl,byte ptr ds:[eax] ; eax holds the fake code
00410074 8A1E mov bl,byte ptr ds:[esi] ; esi holds the real code
00410076 8ACA mov cl,dl
00410078 3AD3 cmp dl,bl ; compare the real and fake codes
0041007A 75 1E jnz short ExtractR.0041009A ; jump if not equal, and then it's over...
0041007C 84C9 test cl,cl
0041007E 74 16 je short ExtractR.00410096
00410080 8A50 01 mov dl,byte ptr ds:[eax+1]
00410083 8A5E 01 mov bl,byte ptr ds:[esi+1]
00410086 8ACA mov cl,dl
00410088 3AD3 cmp dl,bl
0041008A 75 0E jnz short ExtractR.0041009A
0041008C 83C0 02 add eax,2
0041008F 83C6 02 add esi,2
00410092 84C9 test cl,cl
00410094 ^ 75 DC jnz short ExtractR.00410072
00410096 33C0 xor eax,eax
00410098 EB 05 jmp short ExtractR.0041009F
0041009A 1BC0 sbb eax,eax
0041009C 83D8 FF sbb eax,-1
0041009F 85C0 test eax,eax
004100A1 5B pop ebx
004100A2 C68424 DC000000>mov byte ptr ss:[esp+DC],0
004100AA 8D8C24 E4000000 lea ecx,dword ptr ss:[esp+E4]
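As an added example (not code from the original post), here is the key routine at 0040FEE0 reimplemented in Python straight from the disassembly above, together with the +2 registry transform from the earlier section, so the reading can be checked against the page's own values (user name ihhvqu, code 4028382, stored code 1314k -> 3536m). It also shows the design weakness: the code depends only on the user name, a 7-byte constant and a mod-9 reduction, and the registry transform is trivially reversible. The sixth blacklist string at 00480F48 is not visible in the dump and is left out.

```python
# Added example, not code from the original post: a Python reading of the key
# routine at 0040FEE0 and of the registry transform, reconstructed from the
# disassembly above so the analysis can be checked against the page's own values.

SALT = b"huydong"    # the 7 bytes the routine builds on the stack at [esp+8..esp+E]
LEN_BIAS = 0x4D      # `lea eax,[esi+4D]`: bias added to the name length for the last char
MODULUS = 9          # `mov ebx,9` / `mov ecx,9`
# substrings searched for in the user name (0040FF4A..0040FFC9); the sixth
# string at 00480F48 is not shown in the dump, so it is omitted here
BLACKLIST = (b"ttdown", b"crsky", b".com", b"jetdown", b".org")


def idiv_rem(dividend: int, divisor: int) -> int:
    """Remainder the way cdq/idiv leaves it in edx: the sign follows the dividend.
    Python's % differs only for negative dividends, which can occur because the
    routine loads the name and salt bytes with movsx (signed)."""
    rem = abs(dividend) % divisor
    return -rem if dividend < 0 else rem


def movsx(byte: int) -> int:
    """movsx of one byte: values 0x80..0xFF become negative."""
    return byte - 0x100 if byte >= 0x80 else byte


def real_code(username: bytes) -> bytes:
    """The buffer at [esp+10] that the routine compares the entered code against."""
    n = len(username)                  # esi: length taken from the CString header
    out = bytearray()
    for i, ch in enumerate(username):  # ecx counts 0..n-1
        v = movsx(ch) + i + movsx(SALT[i % 7]) + n      # char + index + salt[i%7] + len
        out.append((idiv_rem(v, MODULUS) + 0x30) & 0xFF)  # `add dl,30`
    # `mov [edi],dl` / `dec edi`: digits are stored from the high end downward,
    # so they appear in the buffer in reverse order of the user name.
    out.reverse()
    # last character: (len + 0x4D) % 9 + '0'
    out.append((idiv_rem(n + LEN_BIAS, MODULUS) + 0x30) & 0xFF)
    return bytes(out)


def name_is_blacklisted(username: bytes) -> bool:
    """The substring checks at 0040FF4A..0040FFC9 that clear the flag at [esi+D4]."""
    return any(bad in username for bad in BLACKLIST)


def check_code(username: bytes, entered: bytes) -> bool:
    """What the routine decides: empty fields fail (0040FF27/0040FF44); otherwise
    the byte-for-byte comparison at 00410072..00410094 must match up to the NUL."""
    if not username or not entered:
        return False
    return entered == real_code(username)


def registry_encode(code: str) -> str:
    """Transform applied before RegCode is written: each character's ASCII value
    + 2, as observed on the page with 1314k -> 3536m. Subtracting 2 undoes it,
    so the stored value hides nothing."""
    return "".join(chr(ord(c) + 2) for c in code)


def registry_decode(stored: str) -> str:
    return "".join(chr(ord(c) - 2) for c in stored)


if __name__ == "__main__":
    name = b"ihhvqu"
    print(name.decode(), "->", real_code(name).decode())  # 4028382, as in the post
    print("1314k is stored as", registry_encode("1314k"))  # 3536m
```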
--------------------------------------------------------------------------------
[Summary]
Please don't assume this is a plaintext comparison; this kind of software is actually hard, and I spent a whole day on it yesterday.
Some may ask: there are several places that enter 0040FEE0, so why not enter at an earlier one instead of in segment 5? At first I thought every segment had to be entered and the pieces joined together to make the registration code, but then I thought about it: the values of SearchID1 and SearchID3 in the registry are computed from the fake code, so if they were used in the calculation again, how could the real code possibly come out? It can only be computed from the value of SearchID2, so I stepped in when SearchID2 was read and found the key point!! (Actually I stepped into them one by one, found it, and only then worked this out.)
A working registration code:
User name: ihhvqu
Registration code: 4028382
I wanted to write a keygen, but I'm too excited, so I'm posting the article first and will write the keygen in a couple of days..
I have many more crack write-ups that find registration codes, but I won't post them because they are all the same. This one is different; it was very hard for me....
--------------------------------------------------------------------------------
[Copyright] This article is purely for technical exchange; when reposting please credit the author and keep the article intact. Thank you!
ihhvqu 2005-11-7