[Original] Registering Easy Autorun Creator V2.0
Posted: 2006-1-22 09:36
【Author】 rdsnow[BCG][PYG][D.4s]
【Author homepage】 http://rdsnow.ys168.com
【E-mail】 rdsnow@163.com
【Author QQ】 83757177
【Article title】 Registering Easy Autorun Creator V2.0
【Software name】 Easy Autorun Creator2.0
【Download URL】 http://www.aw-software.com/
----------------------------------------------------------------------------------------
【Protection】 Serial number
【Tools】 ODbyDYK v1.10[05.09]
【Limitation】 Feature-limited
【Platform】 Microsoft Windows XP Professional
【Platform version】 5.1.2600 Service Pack 2, build 2600
----------------------------------------------------------------------------------------
【About the software】
* Automatic CD menu creation
* Template support
* Autorun wizard
* Easy-to-use interface
* Disk compatibility with Windows XP, Me, 98, NT, 2003
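【About this article】
I saw that a Chinese-localized build of this program was available for download, so I grabbed one. Scanned with PEiD 0.94: no packer (the localizer may have unpacked it); compiled with Borland Delphi 6.0 - 7.0. The algorithm is fairly simple, so experts can skip this.
----------------------------------------------------------------------------------------
【Cracking process】
Because the program shows an error dialog, set a breakpoint with Bp MessageBoxA and single-step back into the program's own code; the place where the comparison happens is then easy to find. It is a typical plaintext comparison.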
0050708B . 68 F6735000 PUSH Easy_Aut.005073F6
00507090 . 64:FF30 PUSH DWORD PTR FS:[EAX]
00507093 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00507096 . 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00507099 . 8B83 1C030000 MOV EAX,DWORD PTR DS:[EBX+31C]
0050709F . E8 CCC8F5FF CALL Easy_Aut.00463970 ; get Email
005070A4 . 837D F0 00 CMP DWORD PTR SS:[EBP-10],0
005070A8 . 0F84 F0020000 JE Easy_Aut.0050739E ; jump if nothing was entered
005070AE . 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
005070B1 . 8B83 1C030000 MOV EAX,DWORD PTR DS:[EBX+31C]
005070B7 . E8 B4C8F5FF CALL Easy_Aut.00463970 ; get Email
005070BC . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
005070BF . BA 0C745000 MOV EDX,Easy_Aut.0050740C ; ASCII "inf@hot.com" (blacklist)
005070C4 . E8 23D7EFFF CALL Easy_Aut.004047EC
005070C9 . 0F84 CF020000 JE Easy_Aut.0050739E
005070CF . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
005070D2 . 8B83 1C030000 MOV EAX,DWORD PTR DS:[EBX+31C]
005070D8 . E8 93C8F5FF CALL Easy_Aut.00463970 ; get Email
005070DD . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
005070E0 . BA 20745000 MOV EDX,Easy_Aut.00507420 ; ASCII "TEAM DVT" (blacklist)
0050718A . E8 5DD6EFFF CALL Easy_Aut.004047EC
0050718F . 0F84 09020000 JE Easy_Aut.0050739E
…………………… ; twenty-odd more blacklist entries omitted
00507195 . 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00507198 . BA AC745000 MOV EDX,Easy_Aut.005074AC ; ASCII "AW Software" (blacklist)
0050719D . E8 D6D2EFFF CALL Easy_Aut.00404478
005071A2 . 8B0D B8345100 MOV ECX,DWORD PTR DS:[5134B8] ; Easy_Aut.00516134
005071A8 . 8B09 MOV ECX,DWORD PTR DS:[ECX]
005071AA . B2 01 MOV DL,1
005071AC . A1 C8284C00 MOV EAX,DWORD PTR DS:[4C28C8]
005071B1 . E8 12A1FBFF CALL Easy_Aut.004C12C8
005071B6 . 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
005071B9 . 8B0D 70134C00 MOV ECX,DWORD PTR DS:[4C1370] ; Easy_Aut.004C13BC
005071BF . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
005071C2 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005071C5 . E8 E29EFBFF CALL Easy_Aut.004C10AC
005071CA . 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
005071CD . 8B83 20030000 MOV EAX,DWORD PTR DS:[EBX+320]
005071D3 . E8 98C7F5FF CALL Easy_Aut.00463970 ; get the entered (fake) serial
005071D8 . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
005071DB . 50 PUSH EAX
005071DC . 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
005071DF . 8B83 1C030000 MOV EAX,DWORD PTR DS:[EBX+31C]
005071E5 . E8 86C7F5FF CALL Easy_Aut.00463970 ; get Email
005071EA . 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
005071ED . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
005071F0 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
005071F3 . 8B30 MOV ESI,DWORD PTR DS:[EAX]
005071F5 . FF56 54 CALL DWORD PTR DS:[ESI+54] ; compute the real serial
005071F8 . 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
005071FB . 58 POP EAX
005071FC . E8 EBD5EFFF CALL Easy_Aut.004047EC ; compare the real serial with the entered one
00507201 . 0F85 C1000000 JNZ Easy_Aut.005072C8
00507207 . B8 C0745000 MOV EAX,Easy_Aut.005074C0
0050720C . E8 9BFBF2FF CALL Easy_Aut.00436DAC
Step into
005071F5 . FF56 54 CALL DWORD PTR DS:[ESI+54] ; compute the real serial
which leads to the routine that computes the registration code
004C120C /. 55 PUSH EBP
004C120D |. 8BEC MOV EBP,ESP
004C120F |. 6A 00 PUSH 0
004C1211 |. 53 PUSH EBX
004C1212 |. 56 PUSH ESI
……………………
004C124F |. 8BD0 MOV EDX,EAX
004C1251 |. 8BC7 MOV EAX,EDI
004C1253 |. 59 POP ECX
004C1254 |. 8B30 MOV ESI,DWORD PTR DS:[EAX]
004C1256 |. FF56 4C CALL DWORD PTR DS:[ESI+4C] ; preprocess the Email
004C1259 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004C125C |. 8B03 MOV EAX,DWORD PTR DS:[EBX]
004C125E |. E8 C5F7FFFF CALL Easy_Aut.004C0A28 ; base64-encode the preprocessing result
004C1263 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004C1266 |. 8BC3 MOV EAX,EBX
……………………
004C1272 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004C1275 |. 68 8A124C00 PUSH Easy_Aut.004C128A
004C127A |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004C127D |. E8 5E31F4FF CALL Easy_Aut.004043E0
004C1282 \. C3 RETN
Step into
004C1256 |. FF56 4C CALL DWORD PTR DS:[ESI+4C] ; preprocess the Email
to look at the preprocessing used for the registration code
004C2D34 /. 55 PUSH EBP
004C2D35 |. 8BEC MOV EBP,ESP
004C2D37 |. 83C4 F0 ADD ESP,-10
004C2D3A |. 53 PUSH EBX
004C2D3B |. 56 PUSH ESI
004C2D3C |. 57 PUSH EDI
004C2D3D |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
004C2D40 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004C2D43 |. 8078 30 00 CMP BYTE PTR DS:[EAX+30],0
004C2D47 |. 75 16 JNZ SHORT Easy_Aut.004C2D5F
004C2D49 |. B9 D82D4C00 MOV ECX,Easy_Aut.004C2DD8 ; ASCII "Cipher not initialized"
004C2D4E |. B2 01 MOV DL,1
004C2D50 |. A1 B40D4C00 MOV EAX,DWORD PTR DS:[4C0DB4]
004C2D55 |. E8 5E9BF4FF CALL Easy_Aut.0040C8B8
004C2D5A |. E8 1910F4FF CALL Easy_Aut.00403D78
004C2D5F |> 33C9 XOR ECX,ECX
004C2D61 |. 33D2 XOR EDX,EDX
004C2D63 |. 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
004C2D66 |. 4B DEC EBX
004C2D67 |. 85DB TEST EBX,EBX
004C2D69 |. 72 5A JB SHORT Easy_Aut.004C2DC5
004C2D6B |. 43 INC EBX
004C2D6C |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
004C2D6F |. C745 F4 0000> MOV DWORD PTR SS:[EBP-C],0
004C2D76 |> 41 / INC ECX
004C2D77 |. 81E1 FF000000 | AND ECX,0FF
004C2D7D |. 0FB67408 34 | MOVZX ESI,BYTE PTR DS:[EAX+ECX+34] ; load SBox[i]
004C2D82 |. 8D1416 | LEA EDX,DWORD PTR DS:[ESI+EDX] ; n = ( n + SBox[i] ) & 0xFF
004C2D85 |. 81E2 FF000000 | AND EDX,0FF
004C2D8B |. 8A5C10 34 | MOV BL,BYTE PTR DS:[EAX+EDX+34] ; load SBox[n]
004C2D8F |. 885C08 34 | MOV BYTE PTR DS:[EAX+ECX+34],BL ; SBox[i] = SBox[n]
004C2D93 |. 8BDE | MOV EBX,ESI
004C2D95 |. 885C10 34 | MOV BYTE PTR DS:[EAX+EDX+34],BL ; SBox[n] = SBox[i], i.e. swap SBox[i] and SBox[n]
004C2D99 |. 33DB | XOR EBX,EBX
004C2D9B |. 8A5C08 34 | MOV BL,BYTE PTR DS:[EAX+ECX+34]
004C2D9F |. 03F3 | ADD ESI,EBX ; K = ( SBox[n] + SBox[i] ) & 0xFF
004C2DA1 |. 81E6 FF000000 | AND ESI,0FF
004C2DA7 |. 8B5D FC | MOV EBX,DWORD PTR SS:[EBP-4]
004C2DAA |. 8B7D F4 | MOV EDI,DWORD PTR SS:[EBP-C]
004C2DAD |. 8A1C3B | MOV BL,BYTE PTR DS:[EBX+EDI] ; load Email[i]
004C2DB0 |. 325C30 34 | XOR BL,BYTE PTR DS:[EAX+ESI+34] ; Email[i] Xor SBox[K]
004C2DB4 |. 8B75 F8 | MOV ESI,DWORD PTR SS:[EBP-8]
004C2DB7 |. 8B7D F4 | MOV EDI,DWORD PTR SS:[EBP-C]
004C2DBA |. 881C3E | MOV BYTE PTR DS:[ESI+EDI],BL ; store the result
004C2DBD |. FF45 F4 | INC DWORD PTR SS:[EBP-C]
004C2DC0 |. FF4D F0 | DEC DWORD PTR SS:[EBP-10]
004C2DC3 |.^ 75 B1 \ JNZ SHORT Easy_Aut.004C2D76
004C2DC5 |> 5F POP EDI
004C2DC6 |. 5E POP ESI
004C2DC7 |. 5B POP EBX
004C2DC8 |. 8BE5 MOV ESP,EBP
004C2DCA |. 5D POP EBP
004C2DCB \. C2 0400 RETN 4
----------------------------------------------------------------------------------------
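【Cracking notes】
The registration code is computed in two steps.
1. First, the entered Email address is preprocessed.
The code that pre-transforms the Email is short. The encryption works roughly as follows: define a byte table SBox[513] and a byte variable n. SBox[513] is pre-filled with data, and the data in SBox is transformed while the Email is being processed.
* i loops starting from 1; each iteration reads SBox[i] and adds it to n
* swap SBox[i] and SBox[n]
* compute the sum of SBox[i] and SBox[n]
* use that sum as an index into the SBox table
* XOR the looked-up value with Email[i] and replace Email[i] with the result
* once every character of the Email has been replaced, the replaced Email is the preprocessing result
2. Encode the preprocessing result with standard Base64 to obtain the real serial.
【Keygen source】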
void CKeygenDlg::OnChangeEdit1( )
{
// TODO: If this is a RICHEDIT control, the control will not
// send this notification unless you override the CDialog::OnInitDialog()
// function and call CRichEditCtrl().SetEventMask()
// with the ENM_CHANGE flag ORed into the mask.
// TODO: Add your control notification handler code here
// SBox[513] copied from memory
unsigned char SBox[513]={
0xA9,0x8A,0xEC,0x2B,0x4E,0x74,0x69,0xA6,0x88,0x99,0x2A,0x0A,0xCF,0x83,0x22,0xA3,
0xC1,0x6E,0xB0,0x5B,0xB3,0x38,0xE3,0x47,0x85,0x1C,0xB2,0xDC,0x6B,0x92,0xAB,0xF6,
0x2E,0x01,0x1F,0x18,0x17,0x8F,0x10,0xD3,0x53,0xDF,0xBF,0x90,0x7A,0x11,0xC2,0xB9,
0x02,0x5D,0x40,0xED,0x52,0x66,0x4D,0xA0,0xD1,0xE7,0x3F,0x7F,0xE0,0x7E,0x70,0xCB,
0x48,0x39,0x50,0xBA,0x1B,0x7D,0x4F,0x9B,0x57,0x72,0x9D,0x1E,0x9A,0x0F,0x29,0x59,
0x26,0xD9,0x77,0xC5,0xA1,0xFB,0x35,0xD2,0x4C,0x58,0x9E,0xBC,0xA2,0x79,0xD5,0xDD,
0xA7,0x65,0x96,0x84,0xE8,0xC6,0xBB,0x3B,0xF0,0x55,0x04,0x24,0xEF,0x43,0x75,0x23,
0x4A,0xEA,0xC7,0xC0,0xE9,0x00,0x08,0x4B,0x6C,0xDB,0x1A,0xFC,0xC3,0xE2,0x0E,0xAE,
0x1D,0xF9,0x2C,0xB8,0xB7,0x89,0xFA,0xAD,0x68,0xFE,0x8D,0x91,0x21,0x93,0xD4,0x46,
0x7C,0x87,0x19,0xB6,0x98,0xB5,0x2F,0xBE,0x56,0x16,0x03,0x80,0x0C,0x5A,0x49,0x6D,
0x95,0x28,0x0B,0x78,0xC9,0x97,0x61,0xCD,0x06,0x9C,0x13,0x45,0x41,0x6F,0xD8,0x5C,
0x62,0x5F,0x12,0x32,0x94,0xFF,0x73,0x8E,0xF7,0x60,0x0D,0x5E,0x09,0x64,0x30,0x37,
0xA5,0x82,0x54,0x36,0xB4,0x8B,0xD7,0x9F,0x81,0x2D,0x71,0x76,0x15,0x8C,0xDE,0xDA,
0xC8,0x33,0xE1,0x3A,0xD0,0xEB,0x3D,0xF4,0xF8,0x14,0x25,0x6A,0x3C,0x86,0xEE,0x07,
0x51,0x63,0x7B,0x20,0xE5,0xC4,0xE6,0xF3,0x34,0xFD,0xAF,0xAC,0xF1,0x67,0xCC,0xA8,
0xB1,0xCA,0xD6,0x42,0x27,0x44,0x3E,0xCE,0xBD,0x05,0xF2,0xE4,0xAA,0xF5,0xA4,0x31,
0xA9,0x8A,0xEC,0x2B,0x4E,0x74,0x69,0xA6,0x88,0x99,0x2A,0x0A,0xCF,0x83,0x22,0xA3,
0xC1,0x6E,0xB0,0x5B,0xB3,0x38,0xE3,0x47,0x85,0x1C,0xB2,0xDC,0x6B,0x92,0xAB,0xF6,
0x2E,0x01,0x1F,0x18,0x17,0x8F,0x10,0xD3,0x53,0xDF,0xBF,0x90,0x7A,0x11,0xC2,0xB9,
0x02,0x5D,0x40,0xED,0x52,0x66,0x4D,0xA0,0xD1,0xE7,0x3F,0x7F,0xE0,0x7E,0x70,0xCB,
0x48,0x39,0x50,0xBA,0x1B,0x7D,0x4F,0x9B,0x57,0x72,0x9D,0x1E,0x9A,0x0F,0x29,0x59,
0x26,0xD9,0x77,0xC5,0xA1,0xFB,0x35,0xD2,0x4C,0x58,0x9E,0xBC,0xA2,0x79,0xD5,0xDD,
0xA7,0x65,0x96,0x84,0xE8,0xC6,0xBB,0x3B,0xF0,0x55,0x04,0x24,0xEF,0x43,0x75,0x23,
0x4A,0xEA,0xC7,0xC0,0xE9,0x00,0x08,0x4B,0x6C,0xDB,0x1A,0xFC,0xC3,0xE2,0x0E,0xAE,
0x1D,0xF9,0x2C,0xB8,0xB7,0x89,0xFA,0xAD,0x68,0xFE,0x8D,0x91,0x21,0x93,0xD4,0x46,
0x7C,0x87,0x19,0xB6,0x98,0xB5,0x2F,0xBE,0x56,0x16,0x03,0x80,0x0C,0x5A,0x49,0x6D,
0x95,0x28,0x0B,0x78,0xC9,0x97,0x61,0xCD,0x06,0x9C,0x13,0x45,0x41,0x6F,0xD8,0x5C,
0x62,0x5F,0x12,0x32,0x94,0xFF,0x73,0x8E,0xF7,0x60,0x0D,0x5E,0x09,0x64,0x30,0x37,
0xA5,0x82,0x54,0x36,0xB4,0x8B,0xD7,0x9F,0x81,0x2D,0x71,0x76,0x15,0x8C,0xDE,0xDA,
0xC8,0x33,0xE1,0x3A,0xD0,0xEB,0x3D,0xF4,0xF8,0x14,0x25,0x6A,0x3C,0x86,0xEE,0x07,
0x51,0x63,0x7B,0x20,0xE5,0xC4,0xE6,0xF3,0x34,0xFD,0xAF,0xAC,0xF1,0x67,0xCC,0xA8,
0xB1,0xCA,0xD6,0x42,0x27,0x44,0x3E,0xCE,0xBD,0x05,0xF2,0xE4,0xAA,0xF5,0xA4,0x31,
0x26 } ;
int i , j , EmailLength ;
unsigned char n = 0 , k = 0 ;
char Email[256] , SerialNummber[512] ;
UpdateData (true) ;
EmailLength = m_Edit1.GetLength () ;
strcpy ( Email , m_Edit1 ) ;
// preprocessing
for ( i = 0 ; i < EmailLength ; i++ ) {
j = i + 1 ;
n += SBox [j] ;
k = SBox [j] ;
SBox[j] = SBox[n] ;
SBox[n] = k ;
k = SBox[j] + SBox[n] ;
Email[i] ^= SBox[k] ;
}
// base64 encoding (base64_encode is a helper that is not shown in this post)
memset ( SerialNummber , 0 , 512 ) ;
base64_encode( Email , EmailLength , SerialNummber ) ;
m_Edit2 = SerialNummber ;
UpdateData (false) ;
}
----------------------------------------------------------------------------------------
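【Cracking statement】 I'm just a little newbie who picked up a few insights and would like to share them with everyone :)
【Copyright notice】 This article is purely for technical exchange. If you repost it, please credit the author and keep the article intact. Thanks!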
----------------------------------------------------------------------------------------
Article written 2006-1-5 18:10:17
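The preprocessing loop at 004C2D76 (increment i, add SBox[i] to n, swap, index the table with the sum, XOR the byte) has the same steps as the output stage of the RC4 stream cipher. The block below is an added example, not code from the post or from the analysed program: it implements textbook RC4 with the output stage written in the post's notation and checks it against a published RC4 test vector. The key schedule and the key "Key" are the textbook ones, not values taken from this program.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <numeric>
#include <string>
#include <utility>

// Added example: textbook RC4, not code from the post or the analysed binary.
struct Rc4 {
    std::array<uint8_t, 256> S{};
    uint8_t i = 0, n = 0;  // n is the post's "n" (called j in RC4 descriptions)

    // Key schedule (KSA). The post only shows the already-initialised table.
    explicit Rc4(const std::string& key) {
        std::iota(S.begin(), S.end(), 0);
        if (key.empty()) return;  // nothing to mix in
        uint8_t j = 0;
        for (int k = 0; k < 256; ++k) {
            j = static_cast<uint8_t>(j + S[k] + static_cast<uint8_t>(key[k % key.size()]));
            std::swap(S[k], S[j]);
        }
    }

    // Output stage (PRGA): the same steps as the loop at 004C2D76.
    std::string crypt(const std::string& in) {
        std::string out(in);
        for (char& c : out) {
            i = static_cast<uint8_t>(i + 1);               // INC ECX / AND ECX,0FF
            n = static_cast<uint8_t>(n + S[i]);            // n = (n + SBox[i]) & 0xFF
            std::swap(S[i], S[n]);                         // swap SBox[i] and SBox[n]
            uint8_t k = static_cast<uint8_t>(S[i] + S[n]); // K = (SBox[i] + SBox[n]) & 0xFF
            c = static_cast<char>(c ^ S[k]);               // byte Xor SBox[K]
        }
        return out;
    }
};

std::string to_hex(const std::string& s) {
    static const char* digits = "0123456789ABCDEF";
    std::string h;
    for (unsigned char c : s) { h += digits[c >> 4]; h += digits[c & 15]; }
    return h;
}

// Published RC4 test vector: key "Key", plaintext "Plaintext".
std::string rc4_vector() { return to_hex(Rc4("Key").crypt("Plaintext")); }

int main() {
    std::printf("%s\n", rc4_vector().c_str());
    return 0;
}
```

Recognising the loop as RC4 output generation matters when assessing such a scheme: the cipher state ships inside the binary and the result is compared in plaintext on the client, so the check depends on no secret the user lacks.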