我按照飘云大哥的方法注册成功,具体如下:
【破文标题】星空电影院V2.01破解分析
【软件名称】星空电影院V2.01
【下载地址】http://www3.skycn.com/soft/20221.html
【破解工具】PEiD、W32Dasm10.0汉化版、OD
【保护方式】序列号
【破解步骤】先用PEiD 0.92侦测,发现为Borland Delphi 6.0 - 7.0编写,未加壳;试着运行软件:我的机器码为:CF4F35B4 输入伪码:87654321,点"确定注册"出现"您输入的注册码87654321不正确,请和作者联系"的错误窗口,呵呵!这是关键!接下来W32DASM出场,在"串式参考"中找到:
; W32Dasm dead listing (32-bit x86, Intel operand order) of part of the registration handler.
; Visible flow: fetch the entered code, show the "invalid" message when it is empty or longer
; than 8 characters, derive an integer from the machine-code prefix, convert the entered code
; with the same routine (00408B8C), and branch to 004B94B4 only when
; (entered value - derived value) equals the dword at [0054A3C8].
; Helper roles below (00446F78, 00404474, 004046D4, 004044C0, 004307D0) are the author's
; reading or inferred from how their results are used; their bodies are not in this listing.
; NOTE(review): as far as this listing shows, the whole decision is this one local comparison;
; none of its operands comes from outside the running program.
:004B93C2 8D55F0 lea edx, dword ptr [ebp-10]
:004B93C5 8B45FC mov eax, dword ptr [ebp-04]
:004B93C8 8B8038030000 mov eax, dword ptr [eax+00000338]
:004B93CE E8A5DBF8FF call 00446F78
:004B93D3 837DF000 cmp dword ptr [ebp-10], 00000000 ;entered code empty? ([ebp-10] was filled by the call above)
:004B93D7 741E je 004B93F7 ;empty -> "invalid code" message at 004B93F7
:004B93D9 8D55EC lea edx, dword ptr [ebp-14]
:004B93DC 8B45FC mov eax, dword ptr [ebp-04]
:004B93DF 8B8038030000 mov eax, dword ptr [eax+00000338]
:004B93E5 E88EDBF8FF call 00446F78
:004B93EA 8B45EC mov eax, dword ptr [ebp-14]
:004B93ED E882B0F4FF call 00404474
:004B93F2 83F808 cmp eax, 00000008 ;more than 8 characters? (eax = length, per the author)
:004B93F5 7E0F jle 004B9406 ;<= 8 (signed) continues at 004B9406; otherwise falls into the "invalid" message
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B93D7(C)
|
* Possible StringData Ref from Code Obj ->" 您输入的注册码无效,请重新输入。
★★找到这里,向上看★★
|
:004B93F7 B860964B00 mov eax, 004B9660
:004B93FC E8CF73F7FF call 004307D0
:004B9401 E9BA010000 jmp 004B95C0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B93F5(C)
|
:004B9406 8D45E4 lea eax, dword ptr [ebp-1C] ;reached when the length check passes
:004B9409 50 push eax
:004B940A 8D55E0 lea edx, dword ptr [ebp-20]
:004B940D 8B45FC mov eax, dword ptr [ebp-04]
:004B9410 8B803C030000 mov eax, dword ptr [eax+0000033C]
:004B9416 E85DDBF8FF call 00446F78 ;fetch the machine-code text (author's reading)
:004B941B 8B45E0 mov eax, dword ptr [ebp-20]
:004B941E B906000000 mov ecx, 00000006
:004B9423 BA01000000 mov edx, 00000001
:004B9428 E8A7B2F4FF call 004046D4 ;take the first 6 characters of the machine code (edx=1, ecx=6),
;the author's value is CF4F35; result goes to [ebp-1C], whose address was pushed at 004B9409
:004B942D 8B4DE4 mov ecx, dword ptr [ebp-1C]
:004B9430 8D45E8 lea eax, dword ptr [ebp-18]
:004B9433 BA8C964B00 mov edx, 004B968C
:004B9438 E883B0F4FF call 004044C0
;NOTE(review): 004044C0 presumably builds [ebp-18] from the constant at 004B968C and the 6-character prefix - confirm
:004B943D 8B45E8 mov eax, dword ptr [ebp-18]
:004B9440 E847F7F4FF call 00408B8C
:004B9445 8BF0 mov esi, eax ;esi = integer derived from the machine-code prefix
:004B9447 33C0 xor eax, eax
;eax = 0, so the next four instructions link a new exception-registration record at fs:[0] (handler address 004B9577)
:004B9449 55 push ebp
:004B944A 6877954B00 push 004B9577
:004B944F 64FF30 push dword ptr fs:[eax]
:004B9452 648920 mov dword ptr fs:[eax], esp
:004B9455 8D55DC lea edx, dword ptr [ebp-24]
:004B9458 8B45FC mov eax, dword ptr [ebp-04]
:004B945B 8B8038030000 mov eax, dword ptr [eax+00000338]
:004B9461 E812DBF8FF call 00446F78
:004B9466 8B45DC mov eax, dword ptr [ebp-24] ;eax = entered test serial (the author used 87654321)
:004B9469 E81EF7F4FF call 00408B8C ;key call #1: string -> integer, listed further down as 00408B8C
:004B946E 8BD8 mov ebx, eax
:004B9470 8BC3 mov eax, ebx
:004B9472 2BC6 sub eax, esi ;eax = value of the entered serial - value derived from the machine-code prefix
:004B9474 3B05C8A35400 cmp eax, dword ptr [0054A3C8] ;compare the difference with the dword at [0054A3C8]
:004B947A 7438 je 004B94B4 ;taken when the difference equals that dword (not literally zero); the author identifies 004B94B4 as the success path (not shown)
* Possible StringData Ref from Code Obj ->" 您输入的注册码 "
|
:004B947C 6898964B00 push 004B9698
:004B9481 8D55D4 lea edx, dword ptr [ebp-2C]
:004B9484 8B45FC mov eax, dword ptr [ebp-04]
:004B9487 8B8038030000 mov eax, dword ptr [eax+00000338]
:004B948D E8E6DAF8FF call 00446F78
:004B9492 FF75D4 push [ebp-2C]
* Possible StringData Ref from Code Obj ->" 不正确,请与作者联系。"
|
:004B9495 68B4964B00 push 004B96B4
:004B949A 8D45D8 lea eax, dword ptr [ebp-28]
:004B949D BA03000000 mov edx, 00000003
:004B94A2 E88DB0F4FF call 00404534
;NOTE(review): three values were pushed and edx = 3, so 00404534 presumably joins them into [ebp-28] for the error dialog - confirm
:004B94A7 8B45D8 mov eax, dword ptr [ebp-28]
:004B94AA E82173F7FF call 004307D0
:004B94AF E9B9000000 jmp 004B956D
(省略部分代码)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B9549(U)
|
;NOTE(review): 004B953B-004B9549 look like compiler-generated exception clean-up stubs - confirm
:004B953B 8B45F8 mov eax, dword ptr [ebp-08]
:004B953E E8819EF4FF call 004033C4
:004B9543 C3 ret
:004B9544 E9CFA5F4FF jmp 00403B18
:004B9549 EBF0 jmp 004B953B
;the listing stops while arguments are still being set up; the string referenced below is the success message
:004B954B 6A00 push 00000000
:004B954D 668B0D2C964B00 mov cx, word ptr [004B962C]
:004B9554 B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"注册成功。谢谢你支持正版软件!
请关闭软件重新"启动[星空电影院]"
********************************************************************************************
跟进关键CALL1:
; 00408B8C (OllyDbg listing): string-to-integer wrapper, called twice by the handler above.
; In:  eax = string pointer (kept in ebx)
; Out: eax = value returned by 00402DEC (kept in esi across the optional error call)
; Reserves 12 bytes of stack; the first dword receives the status that 00402DEC stores
; through edx. A non-zero status leads to the call to 00408388 with a two-field record
; {ebx, 0B} - presumably a conversion-error report; confirm.
00408B8C /$ 53 push ebx
00408B8D |. 56 push esi
00408B8E |. 83C4 F4 add esp,-0C
00408B91 |. 8BD8 mov ebx,eax
00408B93 |. 8BD4 mov edx,esp ;edx = address of the status dword at [esp]
00408B95 |. 8BC3 mov eax,ebx
00408B97 |. E8 50A2FFFF call 星空电影.00402DEC ;key call #2: the actual parser, listed below
00408B9C |. 8BF0 mov esi,eax ;esi = parsed value
00408B9E |. 833C24 00 cmp dword ptr ss:[esp],0 ;status written by 00402DEC
00408BA2 |. 74 19 je short 星空电影.00408BBD ;0 -> skip the error call
00408BA4 |. 895C24 04 mov dword ptr ss:[esp+4],ebx ;record field 1: the input string pointer
00408BA8 |. C64424 08 0B mov byte ptr ss:[esp+8],0B ;record field 2: the byte 0B (meaning not shown here)
00408BAD |. 8D5424 04 lea edx,dword ptr ss:[esp+4]
00408BB1 |. A1 FCA65400 mov eax,dword ptr ds:[54A6FC]
00408BB6 |. 33C9 xor ecx,ecx
00408BB8 |. E8 CBF7FFFF call 星空电影.00408388
00408BBD |> 8BC6 mov eax,esi ;return the parsed value
00408BBF |. 83C4 0C add esp,0C
00408BC2 |. 5E pop esi
00408BC3 |. 5B pop ebx
00408BC4 \. C3 retn
********************************************************************************************
跟进关键CALL2:
; 00402DEC (OllyDbg listing, partly omitted): parses the text at eax into a 32-bit integer.
; In:  eax = string pointer, edx = address of a dword that receives a status
; Out: eax = accumulated value; [edx] = esi on exit (0 on the path through 00402EB4)
; Saves ebx/esi/edi and the original eax on the stack.
; Visible behaviour: leading spaces are skipped; "-", "+", "$", "x", "X" and a leading "0"
; branch to special handling (mostly in the omitted part); decimal digits are accumulated
; as eax = eax*10 + digit, guarded by a range check against 0x0CCCCCCC.
00402DEC /$ 53 push ebx
00402DED |. 56 push esi
00402DEE |. 57 push edi
00402DEF |. 89C6 mov esi,eax ;esi = pointer to the input string (the author's test input is 87654321)
00402DF1 |. 50 push eax
00402DF2 |. 85C0 test eax,eax ;null string pointer?
00402DF4 |. 74 6C je short 星空电影.00402E62 ;null -> 00402E62 (in the omitted part)
00402DF6 |. 31C0 xor eax,eax
00402DF8 |. 31DB xor ebx,ebx
00402DFA |. BF CCCCCC0C mov edi,0CCCCCCC ;edi = 0x0CCCCCCC, the limit compared against eax at 00402E46
00402DFF |> 8A1E /mov bl,byte ptr ds:[esi] ;bl = next character
00402E01 |. 46 |inc esi ;advance the string pointer
00402E02 |. 80FB 20 |cmp bl,20 ;space (0x20)?
00402E05 |.^ 74 F8 \je short 星空电影.00402DFF
00402E07 |. B5 00 mov ch,0
00402E09 |. 80FB 2D cmp bl,2D ;"-" ?
00402E0C |. 74 62 je short 星空电影.00402E70
00402E0E |. 80FB 2B cmp bl,2B ;"+" ?
00402E11 |. 74 5F je short 星空电影.00402E72
00402E13 |> 80FB 24 cmp bl,24 ;"$" ?
00402E16 |. 74 5F je short 星空电影.00402E77
00402E18 |. 80FB 78 cmp bl,78 ;"x" ?
00402E1B |. 74 5A je short 星空电影.00402E77
00402E1D |. 80FB 58 cmp bl,58 ;"X" ?
00402E20 |. 74 55 je short 星空电影.00402E77
00402E22 |. 80FB 30 cmp bl,30 ;"0" ?
00402E25 |. 75 13 jnz short 星空电影.00402E3A ;not "0" -> 00402E3A, which falls into the decimal-digit loop below (not a failure exit)
;NOTE(review): the next line is the author's conclusion. The visible code does not show these
;characters being rejected: spaces are skipped by the loop at 00402DFF, and the targets
;00402E70/00402E72/00402E77 lie in the omitted part of the listing.
此处可以分析出:注册码不能为:空格 - + $ x X 0中任何一个
00402E27 |. 8A1E mov bl,byte ptr ds:[esi] ;character following a leading "0"
00402E29 |. 46 inc esi
00402E2A |. 80FB 78 cmp bl,78
00402E2D |. 74 48 je short 星空电影.00402E77
00402E2F |. 80FB 58 cmp bl,58
00402E32 |. 74 43 je short 星空电影.00402E77
00402E34 |. 84DB test bl,bl
00402E36 |. 74 20 je short 星空电影.00402E58 ;string was just "0" -> finish with eax = 0
00402E38 |. EB 04 jmp short 星空电影.00402E3E
00402E3A |> 84DB test bl,bl ;end of string before any digit?
00402E3C |. 74 2D je short 星空电影.00402E6B ;yes -> 00402E6B (not shown; the range and digit checks below also go there)
00402E3E |> 80EB 30 /sub bl,30 ;bl = character - "0"
00402E41 |. 80FB 09 |cmp bl,9 ;above 9 (unsigned) -> not a decimal digit
00402E44 |. 77 25 |ja short 星空电影.00402E6B
00402E46 |. 39F8 |cmp eax,edi ;accumulator already above 0x0CCCCCCC?
00402E48 |. 77 21 |ja short 星空电影.00402E6B ;yes -> multiplying by 10 would leave the signed 32-bit range
00402E4A |. 8D0480 |lea eax,dword ptr ds:[eax+eax*4] ;eax = eax * 5
00402E4D |. 01C0 |add eax,eax ;eax = eax * 2, i.e. 10 * the previous accumulator
00402E4F |. 01D8 |add eax,ebx ;add the digit value (upper bytes of ebx were cleared at 00402DF8)
00402E51 |. 8A1E |mov bl,byte ptr ds:[esi]
00402E53 |. 46 |inc esi
00402E54 |. 84DB |test bl,bl ;end of string?
00402E56 |.^ 75 E6 \jnz short 星空电影.00402E3E ;no -> next digit
00402E58 |> FECD dec ch ;ch is 0 on the visible path, so the je below is not taken; NOTE(review): presumably a sign flag set in the omitted code - confirm
00402E5A |. 74 09 je short 星空电影.00402E65
00402E5C |. 85C0 test eax,eax ;sign test on the parsed value; the author's run is shown on the next line
(EAX=5397FB1,即87654321)
00402E5E |. 7D 54 jge short 星空电影.00402EB4 ;non-negative -> normal exit
00402E60 |. EB 09 jmp short 星空电影.00402E6B
(省略部分代码)
00402EB4 |> 59 pop ecx ;discard the eax copy pushed at 00402DF1
00402EB5 |. 31F6 xor esi,esi ;status = 0 on this path
00402EB7 |> 8932 mov dword ptr ds:[edx],esi ;store the status through the caller's pointer
00402EB9 |. 5F pop edi
00402EBA |. 5E pop esi
00402EBB |. 5B pop ebx
00402EBC \. C3 retn
算出注册码进行注册,提示注册成功。但是不管看哪个电影时都会提示“请注册,支持正版,谢谢”。
看来还有功能限制,这是怎么回事,难道是注册算法有问题??请斑竹赐教。