Cracking Windows XPlan!
Group: Universe Forever Cracker Organise [UFCO] (万物永恒破解组织)
'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
First, unpack the program. After disassembling the unpacked main executable in W32Dasm I could not get at the success message
"Registration code correct, please restart...."
from the disassembly, so I opened the file in UltraEdit and overwrote that string with "11111...". Only after that does the string show up when the program is disassembled in OllyDbg!
Once the string is listed, double-click it to land on the code that references it, then scroll up to find the following code:
'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
The following is the entire registration-code computation:
'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
00562DCC /. 55 PUSH EBP
00562DCD |. 8BEC MOV EBP,ESP
00562DCF |. B9 08000000 MOV ECX,8
00562DD4 |> 6A 00 /PUSH 0
00562DD6 |. 6A 00 |PUSH 0
00562DD8 |. 49 |DEC ECX
00562DD9 |.^75 F9 \JNZ SHORT unpacked.00562DD4
00562DDB |. 53 PUSH EBX
00562DDC |. 8BD8 MOV EBX,EAX
00562DDE |. 33C0 XOR EAX,EAX
00562DE0 |. 55 PUSH EBP
00562DE1 |. 68 0D305600 PUSH unpacked.0056300D
00562DE6 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00562DE9 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00562DEC |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00562DEF |. 8B83 34030000 MOV EAX,DWORD PTR DS:[EBX+334]
00562DF5 |. E8 4E27EFFF CALL unpacked.00455548
00562DFA |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00562DFD |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00562E00 |. 8B83 38030000 MOV EAX,DWORD PTR DS:[EBX+338]
00562E06 |. E8 3D27EFFF CALL unpacked.00455548
00562E0B |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
00562E0E |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00562E11 |. 8B83 3C030000 MOV EAX,DWORD PTR DS:[EBX+33C]
00562E17 |. E8 2C27EFFF CALL unpacked.00455548
00562E1C |. FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00562E1F |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00562E22 |. 8B83 40030000 MOV EAX,DWORD PTR DS:[EBX+340]
00562E28 |. E8 1B27EFFF CALL unpacked.00455548
00562E2D |. FF75 EC PUSH DWORD PTR SS:[EBP-14]
00562E30 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00562E33 |. BA 04000000 MOV EDX,4
00562E38 |. E8 3B23EAFF CALL unpacked.00405178
00562E3D |. 6A 01 PUSH 1
00562E3F |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00562E42 |. 50 PUSH EAX
00562E43 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00562E46 |. 8B83 30030000 MOV EAX,DWORD PTR DS:[EBX+330]
00562E4C |. E8 F726EFFF CALL unpacked.00455548
00562E51 |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00562E54 |. 50 PUSH EAX
00562E55 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
00562E58 |. 8B83 2C030000 MOV EAX,DWORD PTR DS:[EBX+32C]
00562E5E |. E8 E526EFFF CALL unpacked.00455548
00562E63 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00562E66 |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00562E69 |. 5A POP EDX
00562E6A |. E8 75C20500 CALL unpacked.005BF0E4
00562E6F |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00562E72 |. B9 09000000 MOV ECX,9
00562E77 |. 66:BA 9803 MOV DX,398
00562E7B |. E8 6CC30500 CALL unpacked.005BF1EC
00562E80 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00562E83 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] EAX (loaded from [EBP-18] just above) now holds the registration code
00562E86 |. E8 7123EAFF CALL unpacked.004051FC compare the codes
Follow the call at 00562E86 (CALL unpacked.004051FC); its prologue is the compiler's string-compare helper (it matches Delphi's @LStrCmp):
004051FC /$ 53 PUSH EBX
004051FD |. 56 PUSH ESI save ESI
004051FE |. 57 PUSH EDI save EDI
004051FF |. 89C6 MOV ESI,EAX ESI = EAX, the real registration code computed by the program
00405201 |. 89D7 MOV EDI,EDX EDI = EDX, the registration code we entered
00405203 |. 39D0 CMP EAX,EDX compare the two (this first CMP only checks whether both are the same string pointer; the byte-by-byte comparison follows it)
'\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Now build a memory keygen:
At 00562E83 the registration code is in EAX,
so the memory keygen entry is:
Break address: 00562E83
Break count: 1
First byte: 8B
Instruction length: 3 (the instruction at that address, 8B 55 FC, is three bytes long)
Under "save the following registration code" choose: memory mode
Then choose register EAX
Finally, for "insert character at the end" enter #; when the keygen runs, everything before the # is the registration code!
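As an added example (not part of the original post, and not the code of any keygen tool), here is a small Python parser for OllyDbg listings pasted in the format above. It derives the two fields the memory-keygen dialog asks for, the first byte and the instruction length, from the listing bytes themselves, and it decodes the relative CALL/JNZ displacements to check that the target addresses printed in the listing are consistent, which catches transcription errors in a pasted dump. The embedded LISTING is a constructed excerpt copied in the shape of the listing above; the mapping of the fields to a Keymake-style dialog is an assumption, since the post does not name the tool.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the shape of the OllyDbg listing above
# (address, flow marker, opcode bytes, disassembly).
LISTING = r"""
00562DCF |. B9 08000000 MOV ECX,8
00562DD4 |> 6A 00 /PUSH 0
00562DD9 |.^75 F9 \JNZ SHORT unpacked.00562DD4
00562DE6 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00562DF5 |. E8 4E27EFFF CALL unpacked.00455548
00562E80 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00562E83 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00562E86 |. E8 7123EAFF CALL unpacked.004051FC
"""

MARKERS = "/|\\.$>^"   # OllyDbg flow markers that can be glued to a byte or a mnemonic
HEX_GROUP = re.compile(r"^(?:[0-9A-F]{2})+(?::(?:[0-9A-F]{2})+)*$")  # "8B45", "08000000", "64:FF30"


@dataclass
class Insn:
    addr: int
    raw: bytes        # encoded instruction bytes
    text: str         # disassembly as printed

    @property
    def length(self) -> int:
        return len(self.raw)


def parse_line(line: str) -> Optional[Insn]:
    """Parse one OllyDbg listing line; returns None for lines that are not instructions.
    Limitation: a mnemonic that is itself even-length hex (e.g. FADD) would be read as bytes."""
    toks = line.split()
    if not toks or not re.fullmatch(r"[0-9A-F]{8}", toks[0]):
        return None
    raw = bytearray()
    i = 1
    while i < len(toks):
        t = toks[i].lstrip(MARKERS)
        if t == "":                      # a bare marker such as "|." or "/$"
            i += 1
            continue
        if not HEX_GROUP.match(t):       # first non-hex token starts the disassembly
            break
        raw += bytes.fromhex(t.replace(":", ""))
        i += 1
    if not raw or i >= len(toks):
        return None
    text = " ".join(toks[i:]).lstrip(MARKERS)   # "\JNZ SHORT ..." -> "JNZ SHORT ..."
    return Insn(int(toks[0], 16), bytes(raw), text)


def parse_listing(listing: str) -> dict:
    return {ins.addr: ins for ins in map(parse_line, listing.splitlines()) if ins}


def keymake_entry(listing: str, addr: int, register: str = "EAX") -> dict:
    """Fields a Keymake-style memory keygen asks for at a breakpoint address (assumed layout).
    The first byte is what the tool replaces with INT3 (CC); the length is the full
    encoded size of that instruction, taken from the listing bytes."""
    ins = parse_listing(listing)[addr]
    return {
        "break_addr": f"{addr:08X}",
        "first_byte": f"{ins.raw[0]:02X}",
        "insn_length": ins.length,
        "register": register,
        "insn": ins.text,
    }


def branch_target(ins: Insn) -> Optional[int]:
    """Decode the destination of a relative CALL/JMP/Jcc; None for anything else."""
    op = ins.raw
    next_ip = ins.addr + ins.length     # x86 relative displacements count from the next instruction
    if len(op) == 5 and op[0] in (0xE8, 0xE9):                      # CALL rel32 / JMP rel32
        return (next_ip + int.from_bytes(op[1:], "little", signed=True)) & 0xFFFFFFFF
    if len(op) == 2 and (0x70 <= op[0] <= 0x7F or op[0] == 0xEB):   # Jcc rel8 / JMP SHORT rel8
        return (next_ip + int.from_bytes(op[1:], "little", signed=True)) & 0xFFFFFFFF
    return None


def verify_branches(listing: str) -> list:
    """Cross-check every decoded branch against the target printed in the disassembly
    text (e.g. 'unpacked.004051FC'); returns (addr, decoded, printed) for each mismatch."""
    bad = []
    for ins in parse_listing(listing).values():
        decoded = branch_target(ins)
        m = re.search(r"\.([0-9A-F]{8})\b", ins.text)
        if decoded is None or not m:
            continue
        printed = int(m.group(1), 16)
        if decoded != printed:
            bad.append((ins.addr, decoded, printed))
    return bad


if __name__ == "__main__":
    print(keymake_entry(LISTING, 0x00562E83))
    print("branch mismatches:", verify_branches(LISTING))
```

Run on the excerpt, keymake_entry reports first byte 8B and length 3 for 00562E83, and verify_branches comes back empty because E8 7123EAFF from 00562E86 really does resolve to 004051FC and 75 F9 from 00562DD9 to 00562DD4.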
Resulting registration code:
Name : ufco
Code : 011624104111055224565934
Date: 2006-1-15