【Title】: ××× Purchase-Sales-Inventory Management Software v9.52, cracking notes
【Software size】: 3.62M
【Download】: http://www.minicn.com
【Packer】: ASPack 2.X -> Alexey Solodovnikov
【Protection】: registration code
【Language】: DELPHI
【Tools】: Ollydbg_by_cao_cong, PEiD 0.93, the generic unpacker fs
--------------------------------------------------------------------------------
【Detailed process】
First run the software to get a basic idea of what it does.
Check the packer with PEiD: ASPack 2.X -> Alexey Solodovnikov. Unpack it with fs.
The unpacked program is 5.03M, and PEiD identifies it as Delphi.
Run the program and open the registration dialog. It has three fields: the serial number is already filled in, and the user name and registration code have to be entered. Strangely, nothing can be typed into the registration code field; I do not know why. After entering a user name and clicking OK, the program reports that the registration has been saved and that the code will be verified on the next start. Close the program: there are no extra files in the program directory, so the registration data is clearly stored in the registry. Opening the registry editor shows:
HKEY_LOCAL_MACHINE\SOFTWARE\Minicn
Two values in total: code, name
Change them to:
Code:12345678
Name:jinkows
This confirms the earlier guess: the registration data is stored in the registry.
Load the main program into OD. Since the program reads the registry, set breakpoints with BPX RegQueryValueExA; there are 8 call sites in total. At this point it is not yet known which of them read the registration data, so break on all of them.
Run with F9. After several presses of F9 the stack window shows ValueName="Name"; one more F9 shows ValueName="Code", at which point we break at
0048285F E8 AC4DF8FF CALL <JMP.&advapi32.RegQueryValueExA> ; we land here
Then single-step with F8:
00482864 85C0 TEST EAX,EAX
00482866 74 24 JE SHORT Minicn.0048288C
00482868 8975 F4 MOV DWORD PTR SS:[EBP-C],ESI
0048286B C645 F8 0B MOV BYTE PTR SS:[EBP-8],0B
0048286F 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00482872 50 PUSH EAX
00482873 6A 00 PUSH 0
00482875 8B0D 0C897200 MOV ECX,DWORD PTR DS:[72890C] ; Minicn.0041A028
0048287B B2 01 MOV DL,1
0048287D A1 A41F4800 MOV EAX,DWORD PTR DS:[481FA4]
00482882 E8 35BCF8FF CALL Minicn.0040E4BC
00482887 E8 FC1BF8FF CALL Minicn.00404488
0048288C 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C]
0048288F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00482892 E8 B1F8FFFF CALL Minicn.00482148 ; reads the registry value; you can see it reading Code, the trial code 12345678
00482897 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0048289A 8802 MOV BYTE PTR DS:[EDX],AL
0048289C 8BC3 MOV EAX,EBX
0048289E 5F POP EDI
0048289F 5E POP ESI
004828A0 5B POP EBX
004828A1 8BE5 MOV ESP,EBP
004828A3 5D POP EBP
004828A4 C2 0800 RET 8
----------------------------------------------------------------------------------------------------
0048273A 50 PUSH EAX
0048273B 8B07 MOV EAX,DWORD PTR DS:[EDI]
0048273D E8 5628F8FF CALL Minicn.00404F98
00482742 8BC8 MOV ECX,EAX
00482744 8BD5 MOV EDX,EBP
00482746 8BC6 MOV EAX,ESI
00482748 E8 E7000000 CALL Minicn.00482834 ; reads the value from the registry
0048274D 803C24 01 CMP BYTE PTR SS:[ESP],1 ; the RET 8 above returns here
00482751 74 06 JE SHORT Minicn.00482759
00482753 803C24 02 CMP BYTE PTR SS:[ESP],2
00482757 75 17 JNZ SHORT Minicn.00482770
00482759 8B07 MOV EAX,DWORD PTR DS:[EDI]
0048275B E8 3828F8FF CALL Minicn.00404F98 ; checks whether the trial code is empty
00482760 E8 BB81F8FF CALL Minicn.0040A920 ; gets the length of the trial code
00482765 8BD0 MOV EDX,EAX
00482767 8BC7 MOV EAX,EDI
00482769 E8 B629F8FF CALL Minicn.00405124
0048276E EB 10 JMP SHORT Minicn.00482780
00482770 8BC5 MOV EAX,EBP
00482772 E8 61F9FFFF CALL Minicn.004820D8
00482777 EB 07 JMP SHORT Minicn.00482780
00482779 8BC7 MOV EAX,EDI
0048277B E8 6823F8FF CALL Minicn.00404AE8
00482780 5A POP EDX
00482781 5D POP EBP
00482782 5F POP EDI
00482783 5E POP ESI
00482784 5B POP EBX
00482785 C3 RET
--------------------------------------------------------------------------------------------------------------
00629A0D 8BEC MOV EBP,ESP
00629A0F 6A 00 PUSH 0
00629A11 6A 00 PUSH 0
00629A13 6A 00 PUSH 0
00629A15 53 PUSH EBX
00629A16 56 PUSH ESI
00629A17 8BF2 MOV ESI,EDX
00629A19 8BD8 MOV EBX,EAX
00629A1B 33C0 XOR EAX,EAX
00629A1D 55 PUSH EBP
00629A1E 68 D29A6200 PUSH Minicn.00629AD2
00629A23 64:FF30 PUSH DWORD PTR FS:[EAX]
00629A26 64:8920 MOV DWORD PTR FS:[EAX],ESP
00629A29 B2 01 MOV DL,1
00629A2B A1 04204800 MOV EAX,DWORD PTR DS:[482004]
00629A30 E8 3B87E5FF CALL Minicn.00482170
00629A35 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00629A38 33C0 XOR EAX,EAX
00629A3A 55 PUSH EBP
00629A3B 68 B09A6200 PUSH Minicn.00629AB0
00629A40 64:FF30 PUSH DWORD PTR FS:[EAX]
00629A43 64:8920 MOV DWORD PTR FS:[EAX],ESP
00629A46 BA 02000080 MOV EDX,80000002
00629A4B 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00629A4E E8 F987E5FF CALL Minicn.0048224C
00629A53 33C9 XOR ECX,ECX
00629A55 BA E89A6200 MOV EDX,Minicn.00629AE8 ; \software\minicn
00629A5A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00629A5D E8 2E89E5FF CALL Minicn.00482390
00629A62 84C0 TEST AL,AL
00629A64 74 34 JE SHORT Minicn.00629A9A
00629A66 8D4D F8 LEA ECX,DWORD PTR SS:[EBP-8]
00629A69 BA 049B6200 MOV EDX,Minicn.00629B04 ; name
00629A6E 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00629A71 E8 9A8CE5FF CALL Minicn.00482710 ; reads the user name and its length from the registry
00629A76 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00629A79 8BC6 MOV EAX,ESI
00629A7B E8 BCB0DDFF CALL Minicn.00404B3C
00629A80 8D4D F4 LEA ECX,DWORD PTR SS:[EBP-C]
00629A83 BA 149B6200 MOV EDX,Minicn.00629B14 ; code
00629A88 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00629A8B E8 808CE5FF CALL Minicn.00482710 ; reads the registration code and its length from the registry
00629A90 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; the RET above returns here
00629A93 8BC3 MOV EAX,EBX
00629A95 E8 A2B0DDFF CALL Minicn.00404B3C
00629A9A 33C0 XOR EAX,EAX
00629A9C 5A POP EDX
00629A9D 59 POP ECX
00629A9E 59 POP ECX
00629A9F 64:8910 MOV DWORD PTR FS:[EAX],EDX
00629AA2 68 B79A6200 PUSH Minicn.00629AB7
00629AA7 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; ASCII "P H"
00629AAA E8 49A1DDFF CALL Minicn.00403BF8
00629AAF C3 RET
00629AB0 ^ E9 D7A8DDFF JMP Minicn.0040438C
00629AB5 ^ EB F0 JMP SHORT Minicn.00629AA7
00629AB7 33C0 XOR EAX,EAX
00629AB9 5A POP EDX
00629ABA 59 POP ECX
00629ABB 59 POP ECX
00629ABC 64:8910 MOV DWORD PTR FS:[EAX],EDX
00629ABF 68 D99A6200 PUSH Minicn.00629AD9
00629AC4 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] ; eax = entered registration code
00629AC7 BA 02000000 MOV EDX,2
00629ACC E8 3BB0DDFF CALL Minicn.00404B0C
00629AD1 C3 RET
00629AD2 ^ E9 B5A8DDFF JMP Minicn.0040438C
00629AD7 ^ EB EB JMP SHORT Minicn.00629AC4
00629AD9 5E POP ESI
00629ADA 5B POP EBX
00629ADB 8BE5 MOV ESP,EBP
00629ADD 5D POP EBP
00629ADE C3 RET
--------------------------------------------------------------------------------------------------------------
0070E78D 53 PUSH EBX
0070E78E 8BD8 MOV EBX,EAX
0070E790 33C0 XOR EAX,EAX
0070E792 55 PUSH EBP
0070E793 68 7DE87000 PUSH Minicn.0070E87D
0070E798 64:FF30 PUSH DWORD PTR FS:[EAX]
0070E79B 64:8920 MOV DWORD PTR FS:[EAX],ESP
0070E79E A1 98847200 MOV EAX,DWORD PTR DS:[728498]
0070E7A3 8B00 MOV EAX,DWORD PTR DS:[EAX]
0070E7A5 E8 827CF3FF CALL Minicn.0064642C
0070E7AA 8B15 347E7200 MOV EDX,DWORD PTR DS:[727E34] ; Minicn.0072B6A4
0070E7B0 8902 MOV DWORD PTR DS:[EDX],EAX
0070E7B2 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0070E7B5 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0070E7B8 E8 4FB2F1FF CALL Minicn.00629A0C
0070E7BD 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4] ; the RET above returns here
0070E7C0 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; EDX = entered user name
0070E7C3 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; EAX = entered registration code
0070E7C6 E8 25B0F1FF CALL Minicn.006297F0 ; the key routine, step into it
0070E7CB 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0070E7CE BA 94E87000 MOV EDX,Minicn.0070E894 ; t
0070E7D3 E8 0C67CFFF CALL Minicn.00404EE4 ; ECX='T'
0070E7D8 A1 D4847200 MOV EAX,DWORD PTR DS:[7284D4]
0070E7DD 0F9400 SETE BYTE PTR DS:[EAX]
0070E7E0 A1 D4847200 MOV EAX,DWORD PTR DS:[7284D4]
0070E7E5 8038 00 CMP BYTE PTR DS:[EAX],0
0070E7E8 74 11 JE SHORT Minicn.0070E7FB
0070E7EA A1 98847200 MOV EAX,DWORD PTR DS:[728498]
0070E7EF 8B00 MOV EAX,DWORD PTR DS:[EAX]
0070E7F1 BA 02000000 MOV EDX,2
0070E7F6 E8 5197F3FF CALL Minicn.00647F4C ; checks for updates
0070E7FB E8 54B3F1FF CALL Minicn.00629B54
----------------------------------------------------------------------------------------------------------
Pressing F7 at 0070E7C6 steps into:
006297F2 EC IN AL,DX ; I/O command (the listing starts one byte into the function: 006297F0 is PUSH EBP / MOV EBP,ESP, and the trailing EC byte is shown here as IN AL,DX)
006297F3 6A 00 PUSH 0
006297F5 6A 00 PUSH 0
006297F7 6A 00 PUSH 0
006297F9 6A 00 PUSH 0
006297FB 6A 00 PUSH 0
006297FD 53 PUSH EBX
006297FE 8BD9 MOV EBX,ECX
00629800 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX ; save the user name
00629803 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; save the registration code
00629806 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00629809 E8 7AB7DDFF CALL Minicn.00404F88 ; is the input empty?
0062980E 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00629811 E8 72B7DDFF CALL Minicn.00404F88
00629816 33C0 XOR EAX,EAX
00629818 55 PUSH EBP
00629819 68 87986200 PUSH Minicn.00629887
0062981E 64:FF30 PUSH DWORD PTR FS:[EAX]
00629821 64:8920 MOV DWORD PTR FS:[EAX],ESP
00629824 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00629827 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0062982A E8 E9FDFFFF >>CALL Minicn.00629618 ; MD5 hashing, step in, #1
0062982F 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00629832 E8 25FDFFFF >>CALL Minicn.0062955C ; step in; generates the serial number shown in the registration dialog, #2
00629837 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; EAX = serial number
0062983A 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0062983D 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; EDX = user name
00629840 E8 A3FEFFFF >>CALL Minicn.006296E8 ; key routine, #3
00629845 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; EAX = MD5(real registration code + "这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!")
00629848 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; EDX = MD5(entered registration code + "这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!")
0062984B E8 94B6DDFF CALL Minicn.00404EE4 ; compare
00629850 75 0E JNZ SHORT Minicn.00629860 ; if EAX != EDX it is all over
00629852 8BC3 MOV EAX,EBX
00629854 BA 9C986200 MOV EDX,Minicn.0062989C ; t
00629859 E8 DEB2DDFF CALL Minicn.00404B3C ; assigns "T"
0062985E EB 0C JMP SHORT Minicn.0062986C
00629860 8BC3 MOV EAX,EBX
00629862 BA A8986200 MOV EDX,Minicn.006298A8 ; f
00629867 E8 D0B2DDFF CALL Minicn.00404B3C
0062986C 33C0 XOR EAX,EAX
0062986E 5A POP EDX
0062986F 59 POP ECX
00629870 59 POP ECX
00629871 64:8910 MOV DWORD PTR FS:[EAX],EDX
00629874 68 8E986200 PUSH Minicn.0062988E
00629879 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0062987C BA 05000000 MOV EDX,5
00629881 E8 86B2DDFF CALL Minicn.00404B0C ; are the 5 values non-empty?
00629886 C3 RET
---------------------------------------------------------------------------------------------------
------------------------------------------ #1 start ---------------------------------------------------
Stepping into 0062982A above lands here:
00629617 0055 8B ADD BYTE PTR SS:[EBP-75],DL
0062961A EC IN AL,DX ; I/O command (the disassembly is out of sync by one byte: the function really starts at 00629618 with PUSH EBP / MOV EBP,ESP)
0062961B 83C4 E8 ADD ESP,-18
0062961E 53 PUSH EBX
0062961F 33C9 XOR ECX,ECX
00629621 894D E8 MOV DWORD PTR SS:[EBP-18],ECX
00629624 8BDA MOV EBX,EDX
00629626 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; save the serial number
00629629 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0062962C E8 57B9DDFF CALL Minicn.00404F88
00629631 33C0 XOR EAX,EAX
00629633 55 PUSH EBP
00629634 68 82966200 PUSH Minicn.00629682
00629639 64:FF30 PUSH DWORD PTR FS:[EAX]
0062963C 64:8920 MOV DWORD PTR FS:[EAX],ESP
0062963F 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00629642 B9 98966200 MOV ECX,Minicn.00629698 ; 这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!
00629647 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0062964A E8 9DB7DDFF CALL Minicn.00404DEC ; concatenates the entered registration code with the string "这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!"
0062964F 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00629652 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00629655 E8 B27BF6FF CALL Minicn.0059120C ; MD5(entered registration code + "这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!")
0062965A 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0062965D 8BD3 MOV EDX,EBX
0062965F E8 1C7CF6FF CALL Minicn.00591280 ; upper case to lower case
00629664 33C0 XOR EAX,EAX
00629666 5A POP EDX
00629667 59 POP ECX
00629668 59 POP ECX
00629669 64:8910 MOV DWORD PTR FS:[EAX],EDX
0062966C 68 89966200 PUSH Minicn.00629689
00629671 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00629674 E8 6FB4DDFF CALL Minicn.00404AE8 ; is it empty?
00629679 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0062967C E8 67B4DDFF CALL Minicn.00404AE8
00629681 C3 RET
00629682 ^ E9 05ADDDFF JMP Minicn.0040438C
00629687 ^ EB E8 JMP SHORT Minicn.00629671
00629689 5B POP EBX
0062968A 8BE5 MOV ESP,EBP
0062968C 5D POP EBP
0062968D C3 RET
------------------------------------------ #1 end -----------------------------------------------------
---------------------------------------------------------------------------------------------------
------------------------------------------ #2 start ---------------------------------------------------
Stepping into 00629832 above lands here:
0062955C 55 PUSH EBP
0062955D 8BEC MOV EBP,ESP
0062955F 83C4 E8 ADD ESP,-18
00629562 53 PUSH EBX
00629563 33D2 XOR EDX,EDX
00629565 8955 E8 MOV DWORD PTR SS:[EBP-18],EDX
00629568 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
0062956B 8BD8 MOV EBX,EAX
0062956D 33C0 XOR EAX,EAX
0062956F 55 PUSH EBP
00629570 68 CE956200 PUSH Minicn.006295CE
00629575 64:FF30 PUSH DWORD PTR FS:[EAX]
00629578 64:8920 MOV DWORD PTR FS:[EAX],ESP
0062957B 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0062957E E8 C1FEFFFF CALL Minicn.00629444 ; gets the hard-disk serial number (on my machine "5JVFSBG2")
00629583 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00629586 BA E4956200 MOV EDX,Minicn.006295E4 ; you find the thing,but don't tell anyone,thank you!
0062958B E8 18B8DDFF CALL Minicn.00404DA8
00629590 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00629593 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00629596 E8 717CF6FF CALL Minicn.0059120C ; MD5("5JVFSBG2You find the thing,but don't tell anyone,thank you!")=31a7015cd3f3554f62c6105f381db0f2
0062959B 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0062959E 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
006295A1 E8 DA7CF6FF CALL Minicn.00591280 ; upper case to lower case
006295A6 8BD3 MOV EDX,EBX
006295A8 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
006295AB E8 ECFEFFFF CALL Minicn.0062949C ; algorithm 1: computes an 8-digit pure-numeric string, the serial number shown in the registration dialog (mine is "66708803")
006295B0 33C0 XOR EAX,EAX
006295B2 5A POP EDX
006295B3 59 POP ECX
006295B4 59 POP ECX
006295B5 64:8910 MOV DWORD PTR FS:[EAX],EDX
006295B8 68 D5956200 PUSH Minicn.006295D5
006295BD 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
006295C0 E8 23B5DDFF CALL Minicn.00404AE8
006295C5 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
006295C8 E8 1BB5DDFF CALL Minicn.00404AE8
006295CD C3 RET
006295CE ^ E9 B9ADDDFF JMP Minicn.0040438C
006295D3 ^ EB E8 JMP SHORT Minicn.006295BD
006295D5 5B POP EBX
006295D6 8BE5 MOV ESP,EBP
006295D8 5D POP EBP
006295D9 C3 RET
------------------------------------------ #2 end -----------------------------------------------------
---------------------------------------------------------------------------------------------------
------------------------------------------ #3 start ---------------------------------------------------
Stepping into 00629840 above lands here:
006296EA EC IN AL,DX ; I/O command (again one byte into the function: 006296E8 is PUSH EBP / MOV EBP,ESP)
006296EB 83C4 DC ADD ESP,-24
006296EE 53 PUSH EBX
006296EF 33DB XOR EBX,EBX
006296F1 895D DC MOV DWORD PTR SS:[EBP-24],EBX
006296F4 895D E0 MOV DWORD PTR SS:[EBP-20],EBX
006296F7 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
006296FA 8BD9 MOV EBX,ECX
006296FC 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX ; save the user name
006296FF 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; save the serial number
00629702 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00629705 E8 7EB8DDFF CALL Minicn.00404F88 ; EDX+=1
0062970A 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0062970D E8 76B8DDFF CALL Minicn.00404F88
00629712 33C0 XOR EAX,EAX
00629714 55 PUSH EBP
00629715 68 8B976200 PUSH Minicn.0062978B
0062971A 64:FF30 PUSH DWORD PTR FS:[EAX]
0062971D 64:8920 MOV DWORD PTR FS:[EAX],ESP
00629720 FF75 FC PUSH DWORD PTR SS:[EBP-4]
00629723 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00629726 68 A0976200 PUSH Minicn.006297A0 ; 这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!
0062972B 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0062972E BA 03000000 MOV EDX,3
00629733 E8 28B7DDFF CALL Minicn.00404E60
00629738 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
0062973B 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0062973E E8 C97AF6FF CALL Minicn.0059120C ; MD5(user name + serial number + "这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!")
00629743 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00629746 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00629749 E8 327BF6FF CALL Minicn.00591280 ; upper case to lower case
0062974E 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
00629751 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00629754 E8 43FDFFFF CALL Minicn.0062949C ; algorithm 1: computes an 8-digit pure-numeric string, which is the real registration code
00629759 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0062975C 8BD3 MOV EDX,EBX
0062975E E8 B5FEFFFF CALL Minicn.00629618 ; MD5(real registration code + "这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!")
00629763 33C0 XOR EAX,EAX
00629765 5A POP EDX
00629766 59 POP ECX
00629767 59 POP ECX
00629768 64:8910 MOV DWORD PTR FS:[EAX],EDX
0062976B 68 92976200 PUSH Minicn.00629792
00629770 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00629773 BA 02000000 MOV EDX,2
00629778 E8 8FB3DDFF CALL Minicn.00404B0C
0062977D 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00629780 BA 03000000 MOV EDX,3
00629785 E8 82B3DDFF CALL Minicn.00404B0C ; the three basic values can be seen here: user name, serial number, registration code
0062978A C3 RET
------------------------------------------ #3 end -----------------------------------------------------
At this point the real registration code can be read at 00629754. Note that
0062984B E8 94B6DDFF CALL Minicn.00404EE4
does not compare the registration codes themselves but their MD5-hashed values.
One piece of the analysis above is still missing: "algorithm 1" at 0062949C. Let us look at it now:
------------------------------------------ algorithm 1 start ---------------------------------------------------
0062949C 55 PUSH EBP
0062949D 8BEC MOV EBP,ESP
0062949F 6A 00 PUSH 0
006294A1 6A 00 PUSH 0
006294A3 6A 00 PUSH 0
006294A5 53 PUSH EBX
006294A6 56 PUSH ESI
006294A7 57 PUSH EDI
006294A8 8BFA MOV EDI,EDX
006294AA 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
006294AD 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
006294B0 E8 D3BADDFF CALL Minicn.00404F88
006294B5 33C0 XOR EAX,EAX
006294B7 55 PUSH EBP
006294B8 68 4D956200 PUSH Minicn.0062954D
006294BD 64:FF30 PUSH DWORD PTR FS:[EAX]
006294C0 64:8920 MOV DWORD PTR FS:[EAX],ESP
006294C3 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8] ; EAX = the string to be computed
006294C6 BA 08000000 MOV EDX,8 ; EDX = 8, the string length
006294CB E8 54BCDDFF CALL Minicn.00405124
006294D0 BB 01000000 MOV EBX,1 ; EBX = 1, incremented by 1 each iteration
006294D5 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
006294D8 0FB67418 FF MOVZX ESI,BYTE PTR DS:[EAX+EBX-1] ; ASCII code of the character 1 before the current position
006294DD 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
006294E0 0FB64418 07 MOVZX EAX,BYTE PTR DS:[EAX+EBX+7] ; ASCII code of the character 7 after the current position
006294E5 03F0 ADD ESI,EAX ; accumulate
006294E7 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
006294EA 0FB64418 0F MOVZX EAX,BYTE PTR DS:[EAX+EBX+F] ; ASCII code of the character 15 after the current position
006294EF 03F0 ADD ESI,EAX
006294F1 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
006294F4 0FB64418 17 MOVZX EAX,BYTE PTR DS:[EAX+EBX+17] ; ASCII code of the character 23 after the current position
006294F9 03F0 ADD ESI,EAX ; accumulate
006294FB 8BC6 MOV EAX,ESI
006294FD B9 0A000000 MOV ECX,0A ; ECX = 0x0A
00629502 99 CDQ
00629503 F7F9 IDIV ECX ; ESI / ECX
00629505 8BF2 MOV ESI,EDX ; the remainder goes into ESI
00629507 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0062950A 8BC6 MOV EAX,ESI
0062950C E8 7B09DEFF CALL Minicn.00409E8C ; the character for the remainder
00629511 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00629514 E8 D7BADDFF CALL Minicn.00404FF0
00629519 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0062951C 8A12 MOV DL,BYTE PTR DS:[EDX]
0062951E 885418 FF MOV BYTE PTR DS:[EAX+EBX-1],DL
00629522 43 INC EBX ; EBX += 1
00629523 83FB 09 CMP EBX,9 ; EBX == 9?
00629526 ^ 75 AD JNZ SHORT Minicn.006294D5 ; loop back while less than 9
00629528 8BC7 MOV EAX,EDI ; EAX = the computed string
0062952A 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0062952D E8 0AB6DDFF CALL Minicn.00404B3C
00629532 33C0 XOR EAX,EAX
00629534 5A POP EDX
00629535 59 POP ECX
00629536 59 POP ECX
00629537 64:8910 MOV DWORD PTR FS:[EAX],EDX
0062953A 68 54956200 PUSH Minicn.00629554
0062953F 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00629542 BA 03000000 MOV EDX,3
00629547 E8 C0B5DDFF CALL Minicn.00404B0C
0062954C C3 RET
------------------------------------------ algorithm 1 end -----------------------------------------------------
【Algorithm summary】
Algorithm 1: 0062949C
(1) Input: a 32-character hexadecimal string;
(2) Let m_Edit1 be the string from (1); then (CString-style pseudocode)
for (i = 1; i < 9; i++)
{
    temp = int(m_Edit1.GetAt(i-1)) + int(m_Edit1.GetAt(i+7)) + int(m_Edit1.GetAt(i+15)) +
           int(m_Edit1.GetAt(i+23));
    temp %= 0x0A;
    temp += 0x30;
    m_Edit2.Insert(i-1, char(temp));
}
m_Edit2 is the result.
【Cracking summary】
The following walks through the scheme using my own machine as the example:
1. First obtain the hard-disk serial number: 5JVFSBG2
2. MD5 followed by algorithm 1 gives the "serial number" shown in the registration dialog:
MD5("5JVFSBG2You find the thing,but don't tell anyone,thank you!")=31a7015cd3f3554f62c6105f381db0f2
algorithm 1 (0062949C) applied to 31a7015cd3f3554f62c6105f381db0f2 = 66708803
3. Concatenate the "serial number", the user name and the string "这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!" (roughly: "this is a pure-numeric 8-character string; someone took it apart with a keygen! no more registration codes from now on!") -- I find this part rather funny --
then apply MD5 and algorithm 1 to obtain the registration code:
MD5(66708803jinkows这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!)
=43619acca37823e94c6f65be5367e23b
algorithm 1 (0062949C) applied to 43619acca37823e94c6f65be5367e23b = 42722195
4. Concatenate the computed registration code with "这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!" and take its MD5;
concatenate the entered (fake) registration code with the same string and take its MD5;
compare the two results. If they are equal, the registration is accepted.
MD5(42722195这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!)
=745c87927116a74d2cfee00c26e5bb9e
MD5(12345678这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!)
=652ca177f7808292ef094f06704f3828
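As an added example (not code from the write-up or from the product), here is algorithm 1 from the algorithm summary above in Python, checked against the two digest-to-digits steps of the cracking summary, plus the shape of the final comparison at 0062984B. It takes the 32-character hex digest as input, as the routine at 0062949C does; the MD5 of the Chinese salt string is not checked against the page's values because the binary's byte encoding is not stated, so UTF-8 is an assumption used only for the equality check.

```python
import hashlib
import hmac

# Added example, not the product's code. "Algorithm 1" (0062949C) as
# reconstructed in the write-up: fold a 32-char hex MD5 digest into 8 decimal
# digits. All names here are our own.

DIGEST_LEN = 32
OUT_LEN = 8
# Salt string embedded in the binary, quoted verbatim from the write-up.
SALT = "这是一个纯数字的8个字符长度的串,被人家用注册机搞掉了!以后不再使用注册码了!"


def algorithm1(hex_digest: str) -> str:
    """Mirror of the loop at 006294D5..00629526.

    For output position j (0..7) the routine adds the ASCII codes of the
    characters at offsets j, j+8, j+16 and j+24 (one from each 8-char quarter
    of the digest), divides by 0x0A and keeps the remainder as the digit.
    """
    if len(hex_digest) != DIGEST_LEN:
        raise ValueError("algorithm 1 expects a 32-character hex digest")
    digest = hex_digest.lower()  # the binary lowercases the digest first (00591280)
    digits = []
    for j in range(OUT_LEN):
        total = sum(ord(digest[j + 8 * k]) for k in range(4))
        digits.append(chr(ord("0") + total % 10))
    return "".join(digits)


def hashed_compare(entered_code: str, real_code: str, salt: str = SALT) -> bool:
    """Shape of the final check at 0062984B: MD5(entered+salt) vs MD5(real+salt).

    The Delphi binary hashes the bytes of its ANSI code page; UTF-8 is assumed
    here, so the digests are only compared with each other, never with the
    page's reported values. Because the salt is a constant inside the binary,
    the check (MD5 collisions aside) accepts exactly the codes equal to
    real_code: hashing adds no strength over a plain string comparison.
    """
    entered = hashlib.md5((entered_code + salt).encode("utf-8")).hexdigest()
    real = hashlib.md5((real_code + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(entered, real)


# Digests reported in the write-up for disk serial 5JVFSBG2 and user name jinkows.
SERIAL_DIGEST = "31a7015cd3f3554f62c6105f381db0f2"
CODE_DIGEST = "43619acca37823e94c6f65be5367e23b"

if __name__ == "__main__":
    serial = algorithm1(SERIAL_DIGEST)  # 66708803, the "serial number" in the dialog
    code = algorithm1(CODE_DIGEST)      # 42722195, the code the check expects
    print(serial, code, hashed_compare("12345678", code))  # the trial code is rejected
```

Note that the whole chain is a deterministic function of the disk serial, the user name and two constants stored in the binary, and the code space is only 10^8 values; that, not the MD5 step, is what decides the scheme's strength.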
--------------------------------------------------------------------------------
【Copyright notice】: This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!
31 May 2006 13:14:01