GhostView 4.2 简单破解

GhostView 4.2 简单破解

RoBa 活跃值
2004-8-16 00:17

GhostView 4.2 破解

一直在搞我的黑白棋,很久没有破解,手都生了。:) 我在研究黑白棋编程时找到一堆PS格式的资料,于是下了这个东东来阅读,没想到还要注册。启动时有时会出现NAG窗口,当时忙得没顾上,现在被编程搞晕了想放一放,所以就瞄上它了。根据我的经验,这种国外的看上去比较古老的软件(尽管这是2004年的新版)一般都不太难破。我们来看一看:

无壳,VC7,胡乱输入用户名和前后两段序列号,记下错误信息,用W32DASM反一下,很容易来到下面:

* Possible Reference to Dialog: DialogID_08E8, CONTROL_ID:08EB, ""
                                  |
:0044C101 68EB080000              push 000008EB
:0044C106 8B4D08                  mov ecx, dword ptr [ebp+08]
:0044C109 51                      push ecx

* Reference To: USER32.GetDlgItemInt, Ord:0112h
                                  |
:0044C10A FF15705C4A00            Call dword ptr [004A5C70]		;得到前面一段序列号
:0044C110 8945FC                  mov dword ptr [ebp-04], eax		;放在[EBP-4]
:0044C113 6A00                    push 00000000
:0044C115 6A00                    push 00000000

* Possible Reference to Dialog: DialogID_08E8, CONTROL_ID:08EC, ""
                                  |
:0044C117 68EC080000              push 000008EC
:0044C11C 8B5508                  mov edx, dword ptr [ebp+08]
:0044C11F 52                      push edx

* Reference To: USER32.GetDlgItemInt, Ord:0112h
                                  |
:0044C120 FF15705C4A00            Call dword ptr [004A5C70]		;得到后面一段序列号
:0044C126 8985F4FEFFFF            mov dword ptr [ebp+FFFFFEF4], eax	;放在[EBP+FFFFFEF4]
:0044C12C 6800010000              push 00000100
:0044C131 8D85F8FEFFFF            lea eax, dword ptr [ebp+FFFFFEF8]
:0044C137 50                      push eax

* Possible Reference to Dialog: DialogID_08E8, CONTROL_ID:08EA, ""
                                  |
:0044C138 68EA080000              push 000008EA
:0044C13D 8B4D08                  mov ecx, dword ptr [ebp+08]
:0044C140 51                      push ecx

* Reference To: USER32.GetDlgItemTextA, Ord:0113h
                                  |
:0044C141 FF151C5D4A00            Call dword ptr [004A5D1C]		;得到用户名
:0044C147 837DFC00                cmp dword ptr [ebp-04], 00000000	
:0044C14B 7470                    je 0044C1BD				;用户名不能为空
:0044C14D 8B55FC                  mov edx, dword ptr [ebp-04]		;前段序列号作CALL的参数
:0044C150 52                      push edx
:0044C151 E8B44EFBFF              call 0040100A				;关键CALL,跟进
:0044C156 83C404                  add esp, 00000004
:0044C159 3985F4FEFFFF            cmp dword ptr [ebp+FFFFFEF4], eax	;返回值与输入的后段序列号比较
:0044C15F 755C                    jne 0044C1BD				;不等就完蛋了

.................略

:0044C1BD 68FF000000              push 000000FF
:0044C1C2 8D85F0FDFFFF            lea eax, dword ptr [ebp+FFFFFDF0]
:0044C1C8 50                      push eax

* Possible Reference to String Resource ID=00864: "Invalid Registration Name or Number"
                                  |
:0044C1C9 6860030000              push 00000360
:0044C1CE E8FA58FBFF              call 00401ACD
:0044C1D3 83C40C                  add esp, 0000000C
:0044C1D6 6A30                    push 00000030

* Possible StringData Ref from Data Obj ->"GSview"
                                  |
:0044C1D8 68802E4800              push 00482E80
:0044C1DD 8D8DF0FDFFFF            lea ecx, dword ptr [ebp+FFFFFDF0]
:0044C1E3 51                      push ecx
:0044C1E4 8B5508                  mov edx, dword ptr [ebp+08]
:0044C1E7 52                      push edx

* Reference To: USER32.MessageBoxA, Ord:01DEh
                                  |
:0044C1E8 FF15505D4A00            Call dword ptr [004A5D50]	;死翘翘了:D

进入关键的CALL,

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040100A(U)
|
;-----------------------------------------------------------------------
; sub_004253A0  --  unsigned int check(unsigned int sn)   (cdecl: one dword
;        argument, caller removes it with add esp,4 at 0044C156)
; In:    [ebp+08] = sn, the first serial number read by GetDlgItemInt at
;        0044C10A. The caller's cmp at 0044C147 tests this value (stored at
;        0044C110), so sn != 0 on entry. The user-name text fetched at
;        0044C141 is never passed in here.
; Out:   eax = 16-bit result; the caller compares it with the second serial
;        number at 0044C159.
; Locals: [ebp-14] constant 0x8408
;         [ebp-10] working copy of sn, shifted right once per iteration
;         [ebp-0C] loop counter, 0 .. 0x1F (32 iterations)
;         [ebp-08] accumulator, starts at 0
;         [ebp-04] low bit of the accumulator, saved before the shift
; Clobb: eax, ecx, edx, flags
; Per iteration:  bit = acc & 1; acc = (acc >> 1) + ((sn & 1) << 15);
;                 if (bit) acc ^= 0x8408;  sn >>= 1;
; 0x8408 is the bit-reflected CRC-16-CCITT polynomial, so this is a
; bit-serial LFSR/CRC-style 16-bit checksum of sn. The result depends on
; sn alone -- nothing binds the registration to the licensee name.
;-----------------------------------------------------------------------
:004253A0 55                      push ebp
:004253A1 8BEC                    mov ebp, esp
:004253A3 83EC14                  sub esp, 00000014
:004253A6 C745EC08840000          mov [ebp-14], 00008408	; constant 0x8408 (reflected CRC-16-CCITT polynomial)
:004253AD 8B4508                  mov eax, dword ptr [ebp+08]	; argument: first serial number (sn)
:004253B0 8945F0                  mov dword ptr [ebp-10], eax	; working copy of sn
:004253B3 C745F800000000          mov [ebp-08], 00000000	; accumulator = 0
:004253BA C745F400000000          mov [ebp-0C], 00000000	; loop counter = 0
:004253C1 EB09                    jmp 004253CC			; enter the loop at its condition check

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00425405(U)
|
:004253C3 8B4DF4                  mov ecx, dword ptr [ebp-0C]	; [ebp-0C] is the loop counter
:004253C6 83C101                  add ecx, 00000001
:004253C9 894DF4                  mov dword ptr [ebp-0C], ecx	; counter++

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004253C1(U)
|
:004253CC 837DF420                cmp dword ptr [ebp-0C], 00000020
:004253D0 7335                    jnb 00425407			; unsigned counter >= 0x20 (32) -> leave loop; 32 iterations total
:004253D2 8B55F8                  mov edx, dword ptr [ebp-08]	; core step begins: edx = acc
:004253D5 83E201                  and edx, 00000001		; bit = acc & 1
:004253D8 8955FC                  mov dword ptr [ebp-04], edx	; save the bit that is about to be shifted out
:004253DB 8B45F8                  mov eax, dword ptr [ebp-08]
:004253DE D1E8                    shr eax, 1			; acc >> 1
:004253E0 8B4DF0                  mov ecx, dword ptr [ebp-10]
:004253E3 83E101                  and ecx, 00000001		; sn & 1 (next input bit, LSB first)
:004253E6 C1E10F                  shl ecx, 0F			; ... placed at bit 15
:004253E9 03C1                    add eax, ecx			; acc = (acc >> 1) + (bit << 15); add acts as OR, acc never exceeds 16 bits
:004253EB 8945F8                  mov dword ptr [ebp-08], eax
:004253EE 837DFC01                cmp dword ptr [ebp-04], 00000001	; was the shifted-out bit 1?
:004253F2 7509                    jne 004253FD			; no -> skip the feedback XOR
:004253F4 8B55F8                  mov edx, dword ptr [ebp-08]
:004253F7 3355EC                  xor edx, dword ptr [ebp-14]	; acc ^= 0x8408 (LFSR/CRC feedback)
:004253FA 8955F8                  mov dword ptr [ebp-08], edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004253F2(C)
|
:004253FD 8B45F0                  mov eax, dword ptr [ebp-10]
:00425400 D1E8                    shr eax, 1			; sn >>= 1, consume the input bit
:00425402 8945F0                  mov dword ptr [ebp-10], eax	; core step ends
:00425405 EBBC                    jmp 004253C3			; back to counter++

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004253D0(C)
|
:00425407 8B45F8                  mov eax, dword ptr [ebp-08]	; return the accumulator in eax
:0042540A 8BE5                    mov esp, ebp
:0042540C 5D                      pop ebp
:0042540D C3                      ret
发信人: morgan (morgan), 信区: computer
标  题: GSView 4.6的破解过程(原创)
发信站: 共青森林 BBS 站 (Mon Mar 22 15:51:42 2004) , 站内信件

    GSView是一个PostScript浏览器,它可支持PS、PDF、EPS等多种不同类型的PostScript
文档,我们在浏览PostScript文档时所需的搜索、打印、缩放、转换成文本文件、抽取插图
等功能都不在其话下。同时GSView还具有占用磁盘空间少、启动速度快、对系统资源影响小
等优点,实为广大用户在查看PostScript文档时的最佳选择。
    应同事的要求,前几天我破解了GSView32 4.6版,得到它的注册码。现将分析过程简单
介绍如下:
    用W32Dasm反汇编,根据出错信息来到这里:
0044C141  |. FF15 1C5D4A00  CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgIt
emTextA
0044C147  |. 837D FC 00     CMP DWORD PTR temp2,0
0044C14B  |. 74 70          JE SHORT gsview32.0044C1BD
0044C14D  |. 8B55 FC        MOV EDX,DWORD PTR temp2
0044C150  |. 52             PUSH EDX
0044C151  |. E8 B44EFBFF    CALL gsview32.0040100A   

经过跟踪来到这里,这个函数是注册码的计算过程:
这个函数共用到5个堆栈地址,它们的含义分别为:
SS:[EBP-14]->33800 (常数)
SS:[EBP-10]->787878787        ;我输入的注册码
SS:[EBP-C]->计数器(<32)
SS:[EBP-8]->temp1                 ;经计算后的返回值
SS:[EBP-4]->temp2

下面是我跟踪2遍后的注解:
; sub_004253A0 -- unsigned int check(unsigned int sn), cdecl, one dword argument.
; Stack slots (see the table above): [EBP-14] constant 0x8408; [EBP-10] working
; copy of sn; [EBP-C] loop counter; [EBP-8] temp1, the accumulator/result;
; [EBP-4] temp2, the accumulator bit shifted out in the current step.
; Each of the 32 iterations does: temp2 = temp1 & 1;
;   temp1 = (temp1 >> 1) + ((sn & 1) << 15); if (temp2) temp1 ^= 0x8408; sn >>= 1.
; 0x8408 is the bit-reflected CRC-16-CCITT polynomial, so the result is a
; CRC-style 16-bit checksum of sn; the user name plays no part.
; The ";EAX=..., ECX=..." annotations below are values observed by the author
; while single-stepping, not specification.
004253A0  PUSH EBP
004253A1  MOV EBP,ESP
004253A3  SUB ESP,14
004253A6  MOV DWORD PTR SS:[EBP-14],8408     ;constant 0x8408
004253AD  MOV EAX,DWORD PTR SS:[EBP+8]       ;argument: first serial number (sn)
004253B0  MOV DWORD PTR SS:[EBP-10],EAX      ;working copy of sn
004253B3  MOV DWORD PTR SS:[EBP-8],0         ;temp1 = 0
004253BA  MOV DWORD PTR SS:[EBP-C],0         ;counter = 0
004253C1  JMP SHORT gsview32.004253CC        ;enter loop at the condition check
004253C3  /MOV ECX,DWORD PTR SS:[EBP-C]         ;ECX=0000 0000
004253C6  |ADD ECX,1                         ;ECX=0000 0001  (counter++)
004253C9  |MOV DWORD PTR SS:[EBP-C],ECX         ;SS:[EBP-C] = ECX

/***************** for(counter=0;counter < 32;counter++) ************/

004253CC   CMP DWORD PTR SS:[EBP-C],20       
004253D0  |JNB SHORT gsview32.00425407         ;leave the loop when counter >= 0x20 (unsigned compare)
004253D2  |MOV EDX,DWORD PTR SS:[EBP-8]         ;EDX = 0000 0000
004253D5  |AND EDX,1                         ;EDX = 0000 0001
004253D8  |MOV DWORD PTR SS:[EBP-4],EDX         ;SS:[EBP-4] = 0000 0000

/************************** temp2 = temp1 & 1; ****************************/

004253DB  |MOV EAX,DWORD PTR SS:[EBP-8]         ;EAX = 0000 8000
004253DE  |SHR EAX,1                         ;EAX = 0000 4000,0000 6000
004253E0  |MOV ECX,DWORD PTR SS:[EBP-10] ;ECX=787878787,393939393,196969696
004253E3  |AND ECX,1                         ;ECX=0000 0001,0000 0001
004253E6  |SHL ECX,0F                         ;ECX=0000 8000,0000 8000
004253E9  |ADD EAX,ECX                         ;EAX=0000 8000,0000 C000 (add acts as OR: temp1 stays within 16 bits)
004253EB  |MOV DWORD PTR SS:[EBP-8],EAX         ;SS:[EBP-8] = EAX

/******************** temp1 = (temp1>>1) + ((sn & 1) << 0xf)   *************/

004253EE  |CMP DWORD PTR SS:[EBP-4],1         ;if(temp2 == 1)   -- tests [EBP-4], the saved bit
004253F2  |JNZ SHORT gsview32.004253FD         ;temp2 == 0 -> skip the XOR
004253F4  |MOV EDX,DWORD PTR SS:[EBP-8]         ;EDX = 2497
004253F7  |XOR EDX,DWORD PTR SS:[EBP-14] ;SS:[EBP-14] = 0000 8408
004253FA  |MOV DWORD PTR SS:[EBP-8],EDX         ;EDX = 36297

/********************* temp1 = temp1 ^ CONST; *****************************/

004253FD  |MOV EAX,DWORD PTR SS:[EBP-10] ;EAX=787878787,393939393,196969696
00425400  |SHR EAX,1                         ;EAX=393939393,196969696,98484848  (sn >>= 1)
00425402  |MOV DWORD PTR SS:[EBP-10],EAX ;SS:[EBP-10] = EAX
00425405  \JMP SHORT gsview32.004253C3        ;back to counter++
00425407  MOV EAX,DWORD PTR SS:[EBP-8]       ;return temp1 in EAX
0042540A  MOV ESP,EBP
0042540C  POP EBP
0042540D  RETN

下面是根据汇编逆向出的VC计算过程:
m_serial1和m_serial2是两个EDIT控件,m_serial1对应输入的数字,
m_serial2是计算后的结果。整个计算过程与用户名无关。

// Reconstructed from the disassembly of sub_004253A0 above: computes the value
// that the registration dialog compares with the second serial number.
// m_serial1 is the EDIT control holding the first number (input);
// m_serial2 is the EDIT control that receives the computed result.
// The user name is not an input to this calculation.
void CGsView32Dlg::OnCalculate()
{
        UpdateData(true);                       // pull the EDIT contents into m_serial1
        const int CNT = 0x8408;                 // bit-reflected CRC-16-CCITT polynomial
        unsigned int sn=787878787, counter=0, temp1=0, temp2=0;   // sn's initial value is overwritten below
        sn = atoi(m_serial1);                   // atoi reports neither overflow nor non-numeric input; presumably relies on CString's LPCTSTR conversion
        // 32 bit-serial steps, one per bit of sn, LSB first
        for(counter = 0; counter < 32; counter++ )
        {
                temp2 = temp1 & 1;                          // bit shifted out in this step
                temp1 = (temp1 >> 1) + ((sn & 1) << 0xf);  // shift right, feed the next input bit at bit 15 (+ acts as OR: temp1 stays within 16 bits)
                if(temp2 == 1)
                {
                        temp1 ^= CNT;                       // LFSR/CRC-style feedback
                }
                sn >>= 1;
        }
        // temp1 is always below 0x10000, so "%d" on an unsigned prints the intended value
        m_serial2.Format("%d",temp1);
        UpdateData(false);                      // push the result back to the EDIT control
}
需要注册机的可联系我:acesong#tom.com
下面是一个注册码:
m_serial1=19771215
m_serial2=39294
2004-8-16 00:36
会crack就是好:D
2004-8-16 21:24