Post #26 (LV4, RANK:50)
Key control point for the online activation code:
005891EE 837D F0 00 cmp dword ptr ss:[ebp-10], 0 ; //!!!! cmp dword ptr ss:[ebp-10], 0 > cmp *, 2
005891F2 75 54 jnz short 00589248 ; //!!!!!!! jump pass the good boy. jnz short 00589248> nop
nop out that jnz and it goes straight to congratulations!
so cool
The cmp instruction returns 2 onto the stack, because my activation code was wrong in the first place anyway, heh.
No hard feelings. Key code of the online activation:
005891E7 |. 8B00 mov eax, dword ptr ds:[eax] ; //edit checking routine
005891E9 |. E8 36D1EDFF call 00466324 ; //call 00466324> nop!! maybe a key compare call
005891EE 837D F0 00 cmp dword ptr ss:[ebp-10], 0 ; //!!!! cmp dword ptr ss:[ebp-10], 0 > cmp *, 2
005891F2 75 54 jnz short 00589248 ; //!!!!!!! jump pass the good boy. jnz short 00589248> nop
005891F4 6A 24 push 24
005891F6 |. 8D55 D0 lea edx, dword ptr ss:[ebp-30]
005891F9 |. A1 889B6400 mov eax, dword ptr ds:[649B88]
005891FE |. E8 09E0E7FF call 0040720C
00589203 |. 8B45 D0 mov eax, dword ptr ss:[ebp-30] ; //!!!! mov "congratulations!" to eax
00589206 |. E8 59BBE7FF call 00404D64
0058920B |. 50 push eax
0058920C |. 8D55 CC lea edx, dword ptr ss:[ebp-34]
0058920F |. A1 E89D6400 mov eax, dword ptr ds:[649DE8]
00589214 |. E8 F3DFE7FF call 0040720C
00589219 |. 8B45 CC mov eax, dword ptr ss:[ebp-34]
0058921C |. E8 43BBE7FF call 00404D64
00589221 |. 8BD0 mov edx, eax
00589223 |. A1 249D6400 mov eax, dword ptr ds:[649D24]
00589228 |. 8B00 mov eax, dword ptr ds:[eax]
0058922A |. 59 pop ecx ; //!!! pop congratulations
0058922B |. E8 94D4EDFF call 004666C4
00589230 |. 8B55 FC mov edx, dword ptr ss:[ebp-4]
00589233 |. 8982 00030000 mov dword ptr ds:[edx+300], eax
00589239 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
0058923C |. C780 07020000>mov dword ptr ds:[eax+207], 1
00589246 |. EB 2F jmp short 00589277
00589248 |> 6A 10 push 10
0058924A |. 8D55 C8 lea edx, dword ptr ss:[ebp-38]
0058924D |. A1 E4996400 mov eax, dword ptr ds:[6499E4]
00589252 |. E8 B5DFE7FF call 0040720C
00589257 |. 8B45 C8 mov eax, dword ptr ss:[ebp-38]
0058925A |. E8 05BBE7FF call 00404D64
0058925F |. 50 push eax
00589260 |. 8B45 EC mov eax, dword ptr ss:[ebp-14]
00589263 |. E8 FCBAE7FF call 00404D64
00589268 |. 8BD0 mov edx, eax
0058926A |. A1 249D6400 mov eax, dword ptr ds:[649D24]
0058926F |. 8B00 mov eax, dword ptr ds:[eax]
00589271 |. 59 pop ecx
00589272 |. E8 4DD4EDFF call 004666C4
Post #27 (LV4, RANK:50)
Online-activation message return code:
0059EDF8 /$ 55 push ebp ; //case switch
0059EDF9 |. 8BEC mov ebp, esp
0059EDFB |. 83C4 F8 add esp, -8
0059EDFE |. 8845 FF mov byte ptr ss:[ebp-1], al
0059EE01 |. 33C0 xor eax, eax
0059EE03 |. 8A45 FF mov al, byte ptr ss:[ebp-1]
0059EE06 |. 83F8 07 cmp eax, 7 ; Switch (cases 1..7)
0059EE09 |. 77 66 ja short 0059EE71
0059EE0B |. FF2485 12EE59>jmp dword ptr ds:[eax*4+59EE12]
0059EE12 |. 71EE5900 dd FlashDig.0059EE71 ; Switch table used at 0059EE0B
0059EE16 |. 32EE5900 dd FlashDig.0059EE32
0059EE1A |. 3BEE5900 dd FlashDig.0059EE3B
0059EE1E |. 44EE5900 dd FlashDig.0059EE44
0059EE22 |. 4DEE5900 dd FlashDig.0059EE4D
0059EE26 |. 56EE5900 dd FlashDig.0059EE56
0059EE2A |. 5FEE5900 dd FlashDig.0059EE5F
0059EE2E |. 68EE5900 dd FlashDig.0059EE68
0059EE32 |> C745 F8 01000>mov dword ptr ss:[ebp-8], 1 ; Case 1 of switch 0059EE06
0059EE39 |. EB 3B jmp short 0059EE76
0059EE3B |> C745 F8 04000>mov dword ptr ss:[ebp-8], 4 ; Case 2 of switch 0059EE06
0059EE42 |. EB 32 jmp short 0059EE76
0059EE44 |> C745 F8 08000>mov dword ptr ss:[ebp-8], 8 ; Case 3 of switch 0059EE06
0059EE4B |. EB 29 jmp short 0059EE76
0059EE4D |> C745 F8 10000>mov dword ptr ss:[ebp-8], 10 ; Case 4 of switch 0059EE06
0059EE54 |. EB 20 jmp short 0059EE76
0059EE56 |> C745 F8 10000>mov dword ptr ss:[ebp-8], 10 ; Case 5 of switch 0059EE06
0059EE5D |. EB 17 jmp short 0059EE76
0059EE5F |> C745 F8 18000>mov dword ptr ss:[ebp-8], 18 ; Case 6 of switch 0059EE06
0059EE66 |. EB 0E jmp short 0059EE76
0059EE68 |> C745 F8 20000>mov dword ptr ss:[ebp-8], 20 ; Case 7 of switch 0059EE06
0059EE6F |. EB 05 jmp short 0059EE76
0059EE71 |> 33C0 xor eax, eax ; Default case of switch 0059EE06
0059EE73 |. 8945 F8 mov dword ptr ss:[ebp-8], eax
0059EE76 |> 8B45 F8 mov eax, dword ptr ss:[ebp-8]
0059EE79 |. 59 pop ecx
0059EE7A |. 59 pop ecx
0059EE7B |. 5D pop ebp
0059EE7C \. C3 retn
Note that cmp eax,7: there are 7 kinds of message to return in total. If you want to skip it in one step, just do movzx eax,7 and combine it with that jnz that jumps past the success message. That way you've fooled the online activation all by yourself.
Post #28 (LV4, RANK:50)
Code that controls all handles:
0043BEEC /. 55 push ebp ; //!!! all mighty control
0043BEED |. 8BEC mov ebp, esp
0043BEEF |. 51 push ecx
0043BEF0 |. A1 E0E76300 mov eax, dword ptr ds:[63E7E0]
0043BEF5 |. 8B55 08 mov edx, dword ptr ss:[ebp+8]
0043BEF8 |. 8990 44010000 mov dword ptr ds:[eax+144], edx
0043BEFE |. A1 E0E76300 mov eax, dword ptr ds:[63E7E0]
0043BF03 |. 8B80 51010000 mov eax, dword ptr ds:[eax+151]
0043BF09 |. 50 push eax ; /NewValue
0043BF0A |. 6A FC push -4 ; |Index = GWL_WNDPROC
0043BF0C |. 8B45 08 mov eax, dword ptr ss:[ebp+8] ; |
0043BF0F |. 50 push eax ; |hWnd
0043BF10 |. E8 BFD1FCFF call <jmp.&user32.SetWindowLongA> ; \SetWindowLongA
0043BF15 |. 6A F0 push -10 ; /Index = GWL_STYLE
0043BF17 |. 8B45 08 mov eax, dword ptr ss:[ebp+8] ; |
0043BF1A |. 50 push eax ; |hWnd
0043BF1B |. E8 6CCFFCFF call <jmp.&user32.GetWindowLongA> ; \GetWindowLongA
0043BF20 A9 00000040 test eax, 40000000
0043BF25 74 1E je short 0043BF45
0043BF27 |. 6A F4 push -0C ; /Index = GWL_ID
0043BF29 |. 8B45 08 mov eax, dword ptr ss:[ebp+8] ; |
0043BF2C |. 50 push eax ; |hWnd
0043BF2D |. E8 5ACFFCFF call <jmp.&user32.GetWindowLongA> ; \GetWindowLongA
0043BF32 85C0 test eax, eax ; //test eax, eax > nop
0043BF34 75 0F jnz short 0043BF45 ; //jnz short 0043BF45
0043BF36 |. 8B45 08 mov eax, dword ptr ss:[ebp+8]
0043BF39 |. 50 push eax ; /NewValue
0043BF3A |. 6A F4 push -0C ; |Index = GWL_ID
0043BF3C |. 8B45 08 mov eax, dword ptr ss:[ebp+8] ; |
0043BF3F |. 50 push eax ; |hWnd
0043BF40 |. E8 8FD1FCFF call <jmp.&user32.SetWindowLongA> ; \SetWindowLongA
0043BF45 |> A1 E0E76300 mov eax, dword ptr ds:[63E7E0]
0043BF4A |. 50 push eax ; /hData => NULL
0043BF4B |. 0FB705 5EA764>movzx eax, word ptr ds:[64A75E] ; |
0043BF52 |. 50 push eax ; |Property
0043BF53 |. 8B45 08 mov eax, dword ptr ss:[ebp+8] ; |
0043BF56 |. 50 push eax ; |hWnd
0043BF57 |. E8 40D1FCFF call <jmp.&user32.SetPropA> ; \SetPropA
0043BF5C |. A1 E0E76300 mov eax, dword ptr ds:[63E7E0]
0043BF61 |. 50 push eax ; /hData => NULL
0043BF62 |. 0FB705 5CA764>movzx eax, word ptr ds:[64A75C] ; |
0043BF69 |. 50 push eax ; |Property
0043BF6A |. 8B45 08 mov eax, dword ptr ss:[ebp+8] ; |
0043BF6D |. 50 push eax ; |hWnd
0043BF6E |. E8 29D1FCFF call <jmp.&user32.SetPropA> ; \SetPropA
0043BF73 |. FF75 14 push dword ptr ss:[ebp+14]
0043BF76 |. FF75 10 push dword ptr ss:[ebp+10]
0043BF79 |. FF75 0C push dword ptr ss:[ebp+C]
0043BF7C |. FF75 08 push dword ptr ss:[ebp+8]
0043BF7F |. 8B05 E0E76300 mov eax, dword ptr ds:[63E7E0]
0043BF85 |. C705 E0E76300>mov dword ptr ds:[63E7E0], 0
0043BF8F |. FF90 51010000 call dword ptr ds:[eax+151]
0043BF95 |. 8945 FC mov dword ptr ss:[ebp-4], eax
0043BF98 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
0043BF9B |. 59 pop ecx
0043BF9C |. 5D pop ebp
0043BF9D \. C2 1000 retn 10 ; //user32.77d48734
Post #29 (LV4, RANK:50)
String loading (master) code:
0040720C /$ 55 push ebp ; //load cong string
0040720D |. 8BEC mov ebp, esp
0040720F |. 81C4 F8FBFFFF add esp, -408
00407215 |. 8955 F8 mov dword ptr ss:[ebp-8], edx
00407218 |. 8945 FC mov dword ptr ss:[ebp-4], eax
0040721B |. 837D FC 00 cmp dword ptr ss:[ebp-4], 0
0040721F |. 74 51 je short 00407272
00407221 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00407224 |. 8178 04 00000>cmp dword ptr ds:[eax+4], 10000 ; UNICODE "=::=::\"
0040722B |. 7D 37 jge short 00407264
0040722D |. 68 00040000 push 400
00407232 |. 8D85 F8FBFFFF lea eax, dword ptr ss:[ebp-408]
00407238 |. 50 push eax
00407239 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
0040723C |. 8B40 04 mov eax, dword ptr ds:[eax+4]
0040723F |. 50 push eax
00407240 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00407243 |. 8B00 mov eax, dword ptr ds:[eax]
00407245 |. 8B00 mov eax, dword ptr ds:[eax]
00407247 |. E8 E4F8FFFF call 00406B30
0040724C |. 50 push eax ; |hInst
0040724D |. E8 6EA1FFFF call <jmp.&user32.LoadStringA> ; \LoadStringA
00407252 |. 8BC8 mov ecx, eax
00407254 |. 8D95 F8FBFFFF lea edx, dword ptr ss:[ebp-408] ; // !!!! flashdigger is activated
0040725A |. 8B45 F8 mov eax, dword ptr ss:[ebp-8]
0040725D |. E8 62D7FFFF call 004049C4
00407262 |. EB 0E jmp short 00407272
00407264 |> 8B45 F8 mov eax, dword ptr ss:[ebp-8]
00407267 |. 8B55 FC mov edx, dword ptr ss:[ebp-4]
0040726A |. 8B52 04 mov edx, dword ptr ds:[edx+4]
0040726D |. E8 4AD8FFFF call 00404ABC
00407272 |> 8BE5 mov esp, ebp
00407274 |. 5D pop ebp
00407275 \. C3 retn
Post #30 (LV4, RANK:50)
That's all I'll post for now.
The author of the classic The Art of Assembly Language Programming put it this way:
the best way to learn assembly language is to REVERSE an application.
It was on the strength of that one sentence that I started learning assembly and cracking. Before that I had learned C++, but never used it.
I spent nearly 20 days studying FlashDigger's disassembled code. Besides learning assembly, I also got a feel for program design principles and how a program's structure is put together.
FlashDigger's architecture is very well done; it is written in Delphi 6.
Post #31 (LV4, RANK:50)
This code (possibly) decides the value returned in ss:[ebp-5]:
004048DC /$ 8B10 mov edx, dword ptr ds:[eax] ; //compare
004048DE 85D2 test edx, edx ; //!!! KEY key test edx, edx
004048E0 74 1C je short 004048FE ; //je > jne
004048E2 |. C700 00000000 mov dword ptr ds:[eax], 0
004048E8 |. 8B4A F8 mov ecx, dword ptr ds:[edx-8]
004048EB |. 49 dec ecx
004048EC |. 7C 10 jl short 004048FE
004048EE |. F0:FF4A F8 lock dec dword ptr ds:[edx-8]
004048F2 |. 75 0A jnz short 004048FE
004048F4 |. 50 push eax
004048F5 |. 8D42 F8 lea eax, dword ptr ds:[edx-8]
004048F8 |. E8 BBE6FFFF call 00402FB8
004048FD |. 58 pop eax
004048FE \> C3 retn
Post #32 (LV4, RANK:50)
The activation window is created starting from this code:
00588C74 . 55 push ebp ; //reg window created
00588C75 . 8BEC mov ebp, esp
00588C77 . 83C4 F0 add esp, -10
00588C7A . 33C9 xor ecx, ecx
00588C7C . 894D F0 mov dword ptr ss:[ebp-10], ecx
00588C7F . 8955 F4 mov dword ptr ss:[ebp-C], edx
00588C82 . 8945 FC mov dword ptr ss:[ebp-4], eax
00588C85 . 33C0 xor eax, eax
00588C87 . 55 push ebp
00588C88 . 68 258D5800 push 00588D25
00588C8D . 64:FF30 push dword ptr fs:[eax]
00588C90 . 64:8920 mov dword ptr fs:[eax], esp
00588C93 . E9 01000000 jmp 00588C99
00588C98 19 db 19
00588C99 >- E9 62232800 jmp 0080B000
00588C9E DC db DC
00588C9F DF db DF
00588CA0 67 db 67 ; CHAR 'g'
00588CA1 C1 db C1
00588CA2 5D db 5D ; CHAR ']'
00588CA3 85 db 85
00588CA4 8D db 8D
00588CA5 79 db 79 ; CHAR 'y'
00588CA6 F7 db F7
00588CA7 2D db 2D ; CHAR '-'
00588CA8 9C db 9C
00588CA9 CD db CD
00588CAA 15 db 15
00588CAB 8B db 8B
Post #33 (LV4, RANK:50)
Code executed by the activate button:
00588EB8 /. 55 push ebp ; //btn_AClick
00588EB9 |. 8BEC mov ebp, esp
00588EBB |. 33C9 xor ecx, ecx
00588EBD |. 51 push ecx
00588EBE |. 51 push ecx
00588EBF |. 51 push ecx
00588EC0 |. 51 push ecx
00588EC1 |. 51 push ecx
00588EC2 |. 51 push ecx
00588EC3 |. 51 push ecx
00588EC4 |. 53 push ebx
00588EC5 |. 8955 F4 mov dword ptr ss:[ebp-C], edx
00588EC8 |. 8945 FC mov dword ptr ss:[ebp-4], eax
00588ECB |. 33C0 xor eax, eax
00588ECD |. 55 push ebp
00588ECE |. 68 1B905800 push 0058901B
00588ED3 |. 64:FF30 push dword ptr fs:[eax]
00588ED6 |. 64:8920 mov dword ptr fs:[eax], esp
00588ED9 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588EDC |. 8B90 F0020000 mov edx, dword ptr ds:[eax+2F0]
00588EE2 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588EE5 |. E8 06040000 call 005892F0
00588EEA |. 33D2 xor edx, edx
00588EEC |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588EEF |. 8B80 A4020000 mov eax, dword ptr ds:[eax+2A4]
00588EF5 |. 8B08 mov ecx, dword ptr ds:[eax]
00588EF7 |. FF51 5C call dword ptr ds:[ecx+5C]
00588EFA |. 33D2 xor edx, edx
00588EFC |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588EFF |. 8B80 E0020000 mov eax, dword ptr ds:[eax+2E0]
00588F05 |. 8B08 mov ecx, dword ptr ds:[eax]
00588F07 |. FF51 5C call dword ptr ds:[ecx+5C]
00588F0A |. 33D2 xor edx, edx
00588F0C |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588F0F |. 8B80 D8020000 mov eax, dword ptr ds:[eax+2D8] ; //e-code
00588F15 |. 8B08 mov ecx, dword ptr ds:[eax]
00588F17 |. FF51 5C call dword ptr ds:[ecx+5C]
00588F1A |. B2 01 mov dl, 1
00588F1C |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588F1F |. 8B80 E4020000 mov eax, dword ptr ds:[eax+2E4]
00588F25 |. E8 666AEBFF call 0043F990
00588F2A |. 68 30905800 push 00589030 ; ASCII "HWID="
00588F2F |. 8D55 EC lea edx, dword ptr ss:[ebp-14]
00588F32 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588F35 |. 8B80 E0020000 mov eax, dword ptr ds:[eax+2E0]
00588F3B |. E8 046CEBFF call 0043FB44
00588F40 |. 8B45 EC mov eax, dword ptr ss:[ebp-14]
00588F43 |. 8D55 F0 lea edx, dword ptr ss:[ebp-10]
00588F46 |. E8 7DFEFFFF call 00588DC8 ; ////edit checking routine
00588F4B |. FF75 F0 push dword ptr ss:[ebp-10]
00588F4E |. 68 40905800 push 00589040 ; ASCII "&ACODE="
00588F53 |. 8D55 E4 lea edx, dword ptr ss:[ebp-1C]
00588F56 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588F59 |. 8B80 D8020000 mov eax, dword ptr ds:[eax+2D8]
00588F5F |. E8 E06BEBFF call 0043FB44
00588F64 |. 8B45 E4 mov eax, dword ptr ss:[ebp-1C]
00588F67 |. 8D55 E8 lea edx, dword ptr ss:[ebp-18]
00588F6A |. E8 59FEFFFF call 00588DC8 ; //E_code controller
00588F6F |. FF75 E8 push dword ptr ss:[ebp-18]
00588F72 |. 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00588F75 |. BA 04000000 mov edx, 4
00588F7A |. E8 E1BCE7FF call 00404C60
00588F7F |. 8B45 FC mov eax, dword ptr ss:[ebp-4] ; //end of e_code control
00588F82 |. 8B80 F4020000 mov eax, dword ptr ds:[eax+2F4]
00588F88 |. 8B55 FC mov edx, dword ptr ss:[ebp-4]
00588F8B |. 8B92 FC020000 mov edx, dword ptr ds:[edx+2FC]
00588F91 |. 8990 D2400000 mov dword ptr ds:[eax+40D2], edx
00588F97 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588F9A |. 8B80 FC020000 mov eax, dword ptr ds:[eax+2FC]
00588FA0 |. E8 7BFDE8FF call 00418D20
00588FA5 |. 8B45 F8 mov eax, dword ptr ss:[ebp-8] ; // codes catched
00588FA8 |. E8 F3BBE7FF call 00404BA0
00588FAD |. 50 push eax
00588FAE |. 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00588FB1 |. E8 BABDE7FF call 00404D70
00588FB6 |. 8BD0 mov edx, eax
00588FB8 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588FBB |. 8B80 FC020000 mov eax, dword ptr ds:[eax+2FC]
00588FC1 |. 59 pop ecx
00588FC2 |. 8B18 mov ebx, dword ptr ds:[eax]
00588FC4 |. FF53 08 call dword ptr ds:[ebx+8]
00588FC7 |. 33D2 xor edx, edx
00588FC9 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588FCC |. 8B80 FC020000 mov eax, dword ptr ds:[eax+2FC]
00588FD2 |. E8 09F7E8FF call 004186E0 ; //compare catched codes
00588FD7 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588FDA |. 8B80 F4020000 mov eax, dword ptr ds:[eax+2F4]
00588FE0 |. E8 BFDFFFFF call 00586FA4 ; //http activation
00588FE5 33C0 xor eax, eax ; //xor eax, eax,> nop
00588FE7 |. 5A pop edx
00588FE8 |. 59 pop ecx
00588FE9 |. 59 pop ecx
00588FEA |. 64:8910 mov dword ptr fs:[eax], edx
00588FED |. 68 22905800 push 00589022
00588FF2 |> 8D45 E4 lea eax, dword ptr ss:[ebp-1C]
00588FF5 |. E8 E2B8E7FF call 004048DC
00588FFA |. 8D45 E8 lea eax, dword ptr ss:[ebp-18]
00588FFD |. E8 DAB8E7FF call 004048DC
00589002 |. 8D45 EC lea eax, dword ptr ss:[ebp-14]
00589005 |. E8 D2B8E7FF call 004048DC
0058900A |. 8D45 F0 lea eax, dword ptr ss:[ebp-10]
0058900D |. E8 CAB8E7FF call 004048DC
00589012 |. 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00589015 |. E8 C2B8E7FF call 004048DC ; //on activation course
0058901A \. C3 retn
Post #34 (LV4, RANK:50)
Activation-code input sub-window and activation-code matching code:
00588DC8 /$ 55 push ebp ; //E_Code Control
00588DC9 |. 8BEC mov ebp, esp
00588DCB |. 83C4 E8 add esp, -18
00588DCE |. 33C9 xor ecx, ecx
00588DD0 |. 894D E8 mov dword ptr ss:[ebp-18], ecx
00588DD3 |. 894D EC mov dword ptr ss:[ebp-14], ecx
00588DD6 |. 8955 F8 mov dword ptr ss:[ebp-8], edx
00588DD9 |. 8945 FC mov dword ptr ss:[ebp-4], eax
00588DDC |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588DDF |. E8 70BFE7FF call 00404D54
00588DE4 |. 33C0 xor eax, eax
00588DE6 |. 55 push ebp
00588DE7 |. 68 9F8E5800 push 00588E9F
00588DEC |. 64:FF30 push dword ptr fs:[eax]
00588DEF |. 64:8920 mov dword ptr fs:[eax], esp
00588DF2 |. 8B45 F8 mov eax, dword ptr ss:[ebp-8]
00588DF5 |. E8 E2BAE7FF call 004048DC
00588DFA |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588DFD |. E8 9EBDE7FF call 00404BA0
00588E02 |. 85C0 test eax, eax ; //test eax, eax, eax retned 0D
00588E04 7E 76 jle short 00588E7C ; //???? jle short 00588E7C
00588E06 |. 8945 F0 mov dword ptr ss:[ebp-10], eax
00588E09 |. C745 F4 01000>mov dword ptr ss:[ebp-C], 1
00588E10 |> 8B45 FC /mov eax, dword ptr ss:[ebp-4] ; //!! algorithm
00588E13 |. 8B55 F4 |mov edx, dword ptr ss:[ebp-C]
00588E16 |. 8A4410 FF |mov al, byte ptr ds:[eax+edx-1]
00588E1A |. 04 E0 |add al, 0E0
00588E1C |. 2C 10 |sub al, 10
00588E1E |. 72 06 |jb short 00588E26
00588E20 |. 04 B0 |add al, 0B0
00588E22 |. 2C 80 |sub al, 80
00588E24 |. 73 2E |jnb short 00588E54
00588E26 |> 8B45 F8 |mov eax, dword ptr ss:[ebp-8]
00588E29 |. FF30 |push dword ptr ds:[eax]
00588E2B |. 68 B48E5800 |push 00588EB4
00588E30 |. 8D55 EC |lea edx, dword ptr ss:[ebp-14]
00588E33 |. 8B45 FC |mov eax, dword ptr ss:[ebp-4]
00588E36 |. 8B4D F4 |mov ecx, dword ptr ss:[ebp-C]
00588E39 |. 8A4408 FF |mov al, byte ptr ds:[eax+ecx-1]
00588E3D |. E8 52FFFFFF |call 00588D94
00588E42 |. FF75 EC |push dword ptr ss:[ebp-14]
00588E45 |. 8B45 F8 |mov eax, dword ptr ss:[ebp-8]
00588E48 |. BA 03000000 |mov edx, 3
00588E4D |. E8 0EBEE7FF |call 00404C60
00588E52 |. EB 20 |jmp short 00588E74
00588E54 |> 8D45 E8 |lea eax, dword ptr ss:[ebp-18]
00588E57 |. 8B55 FC |mov edx, dword ptr ss:[ebp-4]
00588E5A |. 8B4D F4 |mov ecx, dword ptr ss:[ebp-C]
00588E5D |. 8A540A FF |mov dl, byte ptr ds:[edx+ecx-1]
00588E61 |. E8 46BCE7FF |call 00404AAC
00588E66 |. 8B55 E8 |mov edx, dword ptr ss:[ebp-18]
00588E69 |. 8B45 F8 |mov eax, dword ptr ss:[ebp-8]
00588E6C |. E8 37BDE7FF |call 00404BA8
00588E71 |. 8B45 F8 |mov eax, dword ptr ss:[ebp-8]
00588E74 |> FF45 F4 |inc dword ptr ss:[ebp-C]
00588E77 |. FF4D F0 |dec dword ptr ss:[ebp-10]
00588E7A |.^ 75 94 \jnz short 00588E10
00588E7C |> 33C0 xor eax, eax
00588E7E |. 5A pop edx
00588E7F |. 59 pop ecx
00588E80 |. 59 pop ecx
00588E81 |. 64:8910 mov dword ptr fs:[eax], edx
00588E84 |. 68 A68E5800 push 00588EA6
00588E89 |> 8D45 E8 lea eax, dword ptr ss:[ebp-18]
00588E8C |. BA 02000000 mov edx, 2
00588E91 |. E8 6ABAE7FF call 00404900
00588E96 |. 8D45 FC lea eax, dword ptr ss:[ebp-4]
00588E99 |. E8 3EBAE7FF call 004048DC
00588E9E \. C3 retn ; //!!! calc routine 1
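An added example (the editor's code, not from this post and not FlashDigger's own source) that re-implements the loop at 00588E10..00588E7A in Python, and the caller at 00588F2A..00588F7A from post #33 that concatenates "HWID=" and "&ACODE=" around it. The same listing is posted again in #48 and #50, so this one block covers all three. The two add/sub/jb pairs at 00588E1A..00588E24 are read here as the pattern the Delphi compiler emits for a set-range membership test; rather than solving the arithmetic by hand, the helper runs the exact instruction sequence over all 256 byte values and reports which intervals take the escape branch. Two things are assumed because the page does not show them: the string constant pushed at 00588E2B is "%", and call 00588D94 renders the byte as two upper-case hex digits.

```python
"""Editor's re-implementation of the 00588DC8 loop and its caller.
Assumptions (not visible on the page): constant at 00588EB4 is "%",
and 00588D94 emits the byte as two upper-case hex digits."""


def escape_branch_taken(al: int) -> bool:
    """Run 00588E1A..00588E24 on one byte value (0..255).
    `add al,E0 ; sub al,10 ; jb 00588E26`  -> borrow means escape.
    `add al,B0 ; sub al,80 ; jnb 00588E54` -> no borrow means append as-is,
    so a borrow here falls through to the escape block as well."""
    t = (al + 0xE0) & 0xFF
    if t < 0x10:                 # sub al,10 sets CF -> jb taken
        return True
    t = (t - 0x10) & 0xFF
    t = (t + 0xB0) & 0xFF
    return t < 0x80              # sub al,80 sets CF -> jnb not taken


def recover_ranges():
    """Brute-force the bytes that take the escape branch and fold them into
    inclusive [lo, hi] intervals: this is the set the compiler encoded."""
    ranges, start = [], None
    for b in range(256):
        hit = escape_branch_taken(b)
        if hit and start is None:
            start = b
        if not hit and start is not None:
            ranges.append((start, b - 1))
            start = None
    if start is not None:
        ranges.append((start, 255))
    return ranges


ESCAPE_PREFIX = b"%"   # assumption for the constant pushed at 00588E2B


def encode_param(value: bytes) -> bytes:
    """Mirror the loop body: an escaped byte becomes prefix + 2 hex digits
    (the 3-part concat at 00588E4D); every other byte is appended unchanged
    (00588E61 builds a one-char string, 00588E6C concatenates it)."""
    out = bytearray()
    for b in value:
        if escape_branch_taken(b):
            out += ESCAPE_PREFIX + b"%02X" % b
        else:
            out.append(b)
    return bytes(out)


def build_activation_query(hwid: bytes, acode: bytes) -> bytes:
    """The 4-part concat at 00588F72..00588F7A in the button handler:
    "HWID=" + enc(hwid edit) + "&ACODE=" + enc(acode edit)."""
    return b"HWID=" + encode_param(hwid) + b"&ACODE=" + encode_param(acode)


if __name__ == "__main__":
    print(recover_ranges())                       # which bytes get escaped
    print(build_activation_query(b"51E68C75-EA0F", b"1234-6789-2345-7890-D154"))
```

Running it shows the escape set is exactly [$20..$2F] and [$80..$FF], which is why the dash in the hardware ID shows up as %2D in the request the program sends; the routine is a parameter encoder for the HTTP activation request rather than a key comparison, which is worth knowing before putting a breakpoint on it.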
Post #35 (LV4, RANK:50)
Activation-code input and license-file retrieval control code:
00589F14 /$ 55 push ebp ; //e_code enter
00589F15 |. 8BEC mov ebp, esp
00589F17 |. 83C4 C8 add esp, -38
00589F1A |. 8955 F8 mov dword ptr ss:[ebp-8], edx
00589F1D |. 8945 FC mov dword ptr ss:[ebp-4], eax
00589F20 |. 8B45 F8 mov eax, dword ptr ss:[ebp-8]
00589F23 |. E8 2CAEE7FF call 00404D54
00589F28 |. 33C0 xor eax, eax
00589F2A |. 55 push ebp
00589F2B |. 68 F79F5800 push 00589FF7
00589F30 |. 64:FF30 push dword ptr fs:[eax]
00589F33 |. 64:8920 mov dword ptr fs:[eax], esp
00589F36 |. 8D55 CB lea edx, dword ptr ss:[ebp-35]
00589F39 |. 8B45 F8 mov eax, dword ptr ss:[ebp-8]
00589F3C |. E8 CFF6FEFF call 00579610
00589F41 |. 66:837D DF 01 cmp word ptr ss:[ebp-21], 1
00589F46 |. 75 18 jnz short 00589F60
00589F48 |. 0FB74D E1 movzx ecx, word ptr ss:[ebp-1F]
00589F4C |. 8B55 E3 mov edx, dword ptr ss:[ebp-1D]
00589F4F |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00589F52 |. E8 19010000 call 0058A070
00589F57 |. C645 F7 01 mov byte ptr ss:[ebp-9], 1
00589F5B |. E9 81000000 jmp 00589FE1
00589F60 |> 83CA FF or edx, FFFFFFFF
00589F63 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00589F66 |. 8B80 A8020000 mov eax, dword ptr ds:[eax+2A8]
00589F6C |. E8 87BDEAFF call 00435CF8
00589F71 |. 83CA FF or edx, FFFFFFFF
00589F74 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00589F77 |. 8B80 D4020000 mov eax, dword ptr ds:[eax+2D4]
00589F7D |. E8 76BDEAFF call 00435CF8
00589F82 |. 83CA FF or edx, FFFFFFFF
00589F85 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00589F88 |. 8B80 B4020000 mov eax, dword ptr ds:[eax+2B4]
00589F8E |. E8 65BDEAFF call 00435CF8
00589F93 |. 83CA FF or edx, FFFFFFFF
00589F96 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00589F99 |. 8B80 C0020000 mov eax, dword ptr ds:[eax+2C0]
00589F9F |. E8 54BDEAFF call 00435CF8
00589FA4 |. 83CA FF or edx, FFFFFFFF
00589FA7 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00589FAA |. 8B80 C4020000 mov eax, dword ptr ds:[eax+2C4]
00589FB0 |. E8 43BDEAFF call 00435CF8
00589FB5 |. 33D2 xor edx, edx
00589FB7 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00589FBA |. 8B80 CC020000 mov eax, dword ptr ds:[eax+2CC]
00589FC0 |. E8 33BDEAFF call 00435CF8
00589FC5 |. 6A 10 push 10
00589FC7 |. B9 08A05800 mov ecx, 0058A008 ; ASCII "Error"
00589FCC |. BA 10A05800 mov edx, 0058A010 ; ASCII "Improper File Format",CR,LF,"Please use Sound Uncompressor to decode it",CR,LF,"into uncompressed WAV format"
00589FD1 |. A1 249D6400 mov eax, dword ptr ds:[649D24]
00589FD6 |. 8B00 mov eax, dword ptr ds:[eax]
00589FD8 |. E8 E7C6EDFF call 004666C4
00589FDD |. C645 F7 00 mov byte ptr ss:[ebp-9], 0
00589FE1 |> 33C0 xor eax, eax
00589FE3 |. 5A pop edx
00589FE4 |. 59 pop ecx
00589FE5 |. 59 pop ecx
00589FE6 |. 64:8910 mov dword ptr fs:[eax], edx
00589FE9 |. 68 FE9F5800 push 00589FFE
00589FEE |> 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00589FF1 |. E8 E6A8E7FF call 004048DC
00589FF6 \. C3 retn
Post #36 (LV4, RANK:50)
Message code after a fully successful registration:
0061C543 . E8 1C15FDFF call 005EDA64
0061C548 . E8 4B7DDEFF call 00404298
0061C54D > 837D FC 00 cmp dword ptr ss:[ebp-4], 0 ; // cmp dword ptr ss:[ebp-4], 0
0061C551 90 nop ; // orginally a jump past the good boy, jb short 0061C599
0061C552 90 nop
0061C553 . A1 189D6400 mov eax, dword ptr ds:[649D18]
0061C558 . 8B55 FC mov edx, dword ptr ss:[ebp-4]
0061C55B . E8 D083DEFF call 00404930
0061C560 . 8B0D 189D6400 mov ecx, dword ptr ds:[649D18] ; FlashDig.0064B3AC
0061C566 . 8B09 mov ecx, dword ptr ds:[ecx]
0061C568 . A1 98996400 mov eax, dword ptr ds:[649998]
0061C56D . BA ACC56100 mov edx, 0061C5AC ; ASCII "Registered to",CR,LF,CR,LF
0061C572 . E8 7586DEFF call 00404BEC
0061C577 . EB 05 jmp short 0061C57E
0061C579 . E8 FA14FDFF call 005EDA78
0061C57E > 33C0 xor eax, eax
0061C580 . 5A pop edx
Post #37 (LV4, RANK:50)
OK, the main code has all been posted.
Lena says: since activated/registered and unactivated/unregistered are two different states, the code corresponding to them should also be different.
We can try attacking directly from the unactivated/unregistered message strings such as "unregistered", "trial" and so on, because those strings are certainly loaded right at the start and only disappear after activation/registration. Find the instruction that pushes the negative message onto the stack, then find the code that invokes that push, usually a call, then look further up for the condition, and you may well find the simplest crack.
Today I'll try starting from "trial version".
Because this program evidently has a double-check routine; otherwise the situation of online verification succeeding while the program still remains unactivated wouldn't arise.
Post #38 (LV4, RANK:50)
The activate-button control code I posted at the very beginning is also right; you just need to skip the first round of activation-code comparison. Last night I watched part 8 of Lena's tutorials and only then went back over the comparison code, and found a more direct control point: those two cmp instructions, which also seem closer to the program's control mechanism itself. Heh.
I studied math, so I like to be meticulous.
Post #39 (LV4, RANK:50)
If the posted code is awkward to work with, I have uploaded the comments; import them with the LabelMaster plugin. I've also uploaded the breakpoint list; import it with the Breakpoint Manager plugin, and you can get started conveniently.
comments list:
http://www.live-share.com/files/180869/flashdigger_comments1.txt.html
breakpoints list:
http://www.live-share.com/files/180870/flashdigger_breakpoints.obp.html
****
enjoy
Post #40 (LV2, RANK:10)
Mm, worth learning from. I support you; let's improve together!
Post #41 (LV2, RANK:10)
Studying!!!!!!!!!!
Post #42 (LV4, RANK:50)
No new progress these two days, heh; I guess I've hit a bottleneck.
Not enough skill, sigh...
Post #43 (LV4, RANK:50)
sorry
Post #44 (LV2, RANK:10)
Really looking forward to it; let me learn from it.
Post #45 (LV2, RANK:10)
Still following~~~
Post #46 (LV4, RANK:50)
ok, the main limitation of the demo version is
the delete tag/frame restriction.
Friends who are interested, let's remove this restriction together. Sigh. It really confirms what +ORC said:
some software written for commercial purposes only hastily adds its restrictions at the final stage of development, and some demo versions differ hardly at all from the registered/activated version in functionality. Moreover such restrictions are almost always copied from old methods, and the code is never very long. Keep it up!
let's digger into FlashDigger
Post #47 (LV2, RANK:10)
Needs to be digested slowly.
Post #48 (LV4, RANK:50)
Today I killed the activation popup that appears when executing delete tag/frame.
And I found the call to the activation dialog; it's just one instruction, call 588700, at address 63824b.
Wherever the activation dialog is called, nop out this call, or change the condition, and that's it.
Almost there, almost there......
As they sing in Pirates of the Caribbean:
Yao a, yao a, the pirate life of mine
The next section is the basic comparison code, including case conversion and working out the range the input must satisfy:
00588DC8 /$ 55 push ebp
00588DC9 |. 8BEC mov ebp, esp
00588DCB |. 83C4 E8 add esp, -18
00588DCE |. 33C9 xor ecx, ecx
00588DD0 |. 894D E8 mov dword ptr ss:[ebp-18], ecx
00588DD3 |. 894D EC mov dword ptr ss:[ebp-14], ecx
00588DD6 |. 8955 F8 mov dword ptr ss:[ebp-8], edx
00588DD9 |. 8945 FC mov dword ptr ss:[ebp-4], eax
00588DDC |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588DDF |. E8 70BFE7FF call 00404D54
00588DE4 |. 33C0 xor eax, eax
00588DE6 |. 55 push ebp
00588DE7 |. 68 9F8E5800 push 00588E9F
00588DEC |. 64:FF30 push dword ptr fs:[eax]
00588DEF |. 64:8920 mov dword ptr fs:[eax], esp
00588DF2 |. 8B45 F8 mov eax, dword ptr ss:[ebp-8]
00588DF5 |. E8 E2BAE7FF call 004048DC
00588DFA |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588DFD |. E8 9EBDE7FF call 00404BA0
00588E02 |. 85C0 test eax, eax
00588E04 |. 7E 76 jle short 00588E7C
00588E06 |. 8945 F0 mov dword ptr ss:[ebp-10], eax
00588E09 |. C745 F4 01000>mov dword ptr ss:[ebp-C], 1
00588E10 |> 8B45 FC /mov eax, dword ptr ss:[ebp-4]
00588E13 |. 8B55 F4 |mov edx, dword ptr ss:[ebp-C]
00588E16 |. 8A4410 FF |mov al, byte ptr ds:[eax+edx-1]
00588E1A |. 04 E0 |add al, 0E0
00588E1C |. 2C 10 |sub al, 10
00588E1E |. 72 06 |jb short 00588E26
00588E20 |. 04 B0 |add al, 0B0
00588E22 |. 2C 80 |sub al, 80
00588E24 |. 73 2E |jnb short 00588E54
00588E26 |> 8B45 F8 |mov eax, dword ptr ss:[ebp-8]
00588E29 |. FF30 |push dword ptr ds:[eax]
00588E2B |. 68 B48E5800 |push 00588EB4
00588E30 |. 8D55 EC |lea edx, dword ptr ss:[ebp-14]
00588E33 |. 8B45 FC |mov eax, dword ptr ss:[ebp-4]
00588E36 |. 8B4D F4 |mov ecx, dword ptr ss:[ebp-C]
00588E39 |. 8A4408 FF |mov al, byte ptr ds:[eax+ecx-1]
00588E3D |. E8 52FFFFFF |call 00588D94
00588E42 |. FF75 EC |push dword ptr ss:[ebp-14]
00588E45 |. 8B45 F8 |mov eax, dword ptr ss:[ebp-8]
00588E48 |. BA 03000000 |mov edx, 3
00588E4D |. E8 0EBEE7FF |call 00404C60
00588E52 |. EB 20 |jmp short 00588E74
00588E54 |> 8D45 E8 |lea eax, dword ptr ss:[ebp-18]
00588E57 |. 8B55 FC |mov edx, dword ptr ss:[ebp-4]
00588E5A |. 8B4D F4 |mov ecx, dword ptr ss:[ebp-C]
00588E5D |. 8A540A FF |mov dl, byte ptr ds:[edx+ecx-1]
00588E61 |. E8 46BCE7FF |call 00404AAC
00588E66 |. 8B55 E8 |mov edx, dword ptr ss:[ebp-18]
00588E69 |. 8B45 F8 |mov eax, dword ptr ss:[ebp-8]
00588E6C |. E8 37BDE7FF |call 00404BA8
00588E71 |. 8B45 F8 |mov eax, dword ptr ss:[ebp-8]
00588E74 |> FF45 F4 |inc dword ptr ss:[ebp-C]
00588E77 |. FF4D F0 |dec dword ptr ss:[ebp-10]
00588E7A |.^ 75 94 \jnz short 00588E10
00588E7C |> 33C0 xor eax, eax
00588E7E |. 5A pop edx
00588E7F |. 59 pop ecx
00588E80 |. 59 pop ecx
00588E81 |. 64:8910 mov dword ptr fs:[eax], edx
00588E84 |. 68 A68E5800 push 00588EA6
00588E89 |> 8D45 E8 lea eax, dword ptr ss:[ebp-18]
00588E8C |. BA 02000000 mov edx, 2
00588E91 |. E8 6ABAE7FF call 00404900
00588E96 |. 8D45 FC lea eax, dword ptr ss:[ebp-4]
00588E99 |. E8 3EBAE7FF call 004048DC
00588E9E \. C3 retn
Post #49 (LV4, RANK:50)
I posted a question on ARTeam, "how to trace hidden codes", heh, and got the reply: look deeper into the code for comparison.
New discovery today, heh, which also shows my understanding of assembly has improved.
Forgive me for pasting the code in again.
005893D8 /$ 55 push ebp ; //!!!!!!!!! start comparing
005893D9 |. 8BEC mov ebp, esp
005893DB |. 83C4 E8 add esp, -18
005893DE |. 33D2 xor edx, edx
005893E0 |. 8955 E8 mov dword ptr ss:[ebp-18], edx
005893E3 |. 8955 EC mov dword ptr ss:[ebp-14], edx
005893E6 |. 8945 FC mov dword ptr ss:[ebp-4], eax ; //code to stack
005893E9 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
005893EC |. E8 63B9E7FF call 00404D54
005893F1 |. 33C0 xor eax, eax ; //clear a_code
005893F3 |. 55 push ebp
005893F4 |. 68 04955800 push 00589504 ; // push : jmp 004041F0
005893F9 |. 64:FF30 push dword ptr fs:[eax] ; //set up code seg
005893FC |. 64:8920 mov dword ptr fs:[eax], esp
005893FF |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00589402 |. E8 99B7E7FF call 00404BA0 ; //test whether input is null and then truncate at 18h
00589407 |. 83F8 18 cmp eax, 18 ; //compare length
0058940A |. 0F9445 FB sete byte ptr ss:[ebp-5]
0058940E |. 807D FB 00 cmp byte ptr ss:[ebp-5], 0 ; //!!! retn 1 if aCode is 18h
00589412 |. 74 5B je short 0058946F
00589414 |. C745 F4 01000>mov dword ptr ss:[ebp-C], 1
0058941B |> 837D F4 05 /cmp dword ptr ss:[ebp-C], 5 ; // inner loop test 1st 4 chars
0058941F |. 74 12 |je short 00589433
00589421 |. 837D F4 0A |cmp dword ptr ss:[ebp-C], 0A ; //inner loop test 1st 10 chars
00589425 |. 74 0C |je short 00589433
00589427 |. 837D F4 0F |cmp dword ptr ss:[ebp-C], 0F ; // inner loop test 1st 15 chars
0058942B |. 74 06 |je short 00589433
0058942D |. 837D F4 14 |cmp dword ptr ss:[ebp-C], 14 ; //inner loop test 1st 20 chars
00589431 |. 75 11 |jnz short 00589444
00589433 |> 8B45 FC |mov eax, dword ptr ss:[ebp-4]
00589436 |. 8B55 F4 |mov edx, dword ptr ss:[ebp-C]
00589439 |. 807C10 FF 2D |cmp byte ptr ds:[eax+edx-1], 2D
0058943E |. 0F9445 FB |sete byte ptr ss:[ebp-5]
00589442 |. EB 1C |jmp short 00589460
00589444 |> 8B45 FC |mov eax, dword ptr ss:[ebp-4]
00589447 |. 8B55 F4 |mov edx, dword ptr ss:[ebp-C] ; //ss:[ebp-c]=ecode
0058944A |. 8A4410 FF |mov al, byte ptr ds:[eax+edx-1]
0058944E |. 25 FF000000 |and eax, 0FF ; // take only word al
00589453 |. 0FA305 9C8264>|bt dword ptr ds:[64829C], eax ; //bit test comand
0058945A |. 0F92C0 |setb al
0058945D |. 8845 FB |mov byte ptr ss:[ebp-5], al
00589460 |> 807D FB 00 |cmp byte ptr ss:[ebp-5], 0
00589464 |. 74 09 |je short 0058946F
00589466 |. FF45 F4 |inc dword ptr ss:[ebp-C]
00589469 |. 837D F4 19 |cmp dword ptr ss:[ebp-C], 19
0058946D |.^ 75 AC \jnz short 0058941B
0058946F |> 807D FB 00 cmp byte ptr ss:[ebp-5], 0 ; //retn 1 to stack if e_code is INcorrect, cmp byte ptr ss:[ebp-5], 0
00589473 |. 74 6C je short 005894E1 ; //je, past 1st 20 being moved to stack
00589475 |. 66:C745 F2 00>mov word ptr ss:[ebp-E], 0
0058947B |. 8D45 EC lea eax, dword ptr ss:[ebp-14]
0058947E |. 50 push eax
0058947F |. B9 14000000 mov ecx, 14 ; //test the ist 20 char
00589484 |. BA 01000000 mov edx, 1
00589489 |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
0058948C |. E8 17B9E7FF call 00404DA8 ; //test again
00589491 |. 8B45 EC mov eax, dword ptr ss:[ebp-14]
00589494 |. E8 07B7E7FF call 00404BA0
00589499 |. 50 push eax
0058949A |. 8D45 EC lea eax, dword ptr ss:[ebp-14]
0058949D |. E8 CEB8E7FF call 00404D70
005894A2 |. 8D4D F2 lea ecx, dword ptr ss:[ebp-E]
005894A5 |. 5A pop edx ; // pop up ecode
005894A6 |. E8 BDFEFFFF call 00589368 ; //move 1st 20 chars onto stack
005894AB |. 8D4D EC lea ecx, dword ptr ss:[ebp-14]
005894AE |. 0FB745 F2 movzx eax, word ptr ss:[ebp-E] ; //last 4 chars
005894B2 |. BA 04000000 mov edx, 4
005894B7 |. E8 8819E8FF call 0040AE44
005894BC |. 8D45 E8 lea eax, dword ptr ss:[ebp-18]
005894BF |. 50 push eax
005894C0 |. B9 04000000 mov ecx, 4
005894C5 |. BA 15000000 mov edx, 15
005894CA |. 8B45 FC mov eax, dword ptr ss:[ebp-4] ; //returned here after calculation
005894CD |. E8 D6B8E7FF call 00404DA8
005894D2 |. 8B55 E8 mov edx, dword ptr ss:[ebp-18]
005894D5 |. 8B45 EC mov eax, dword ptr ss:[ebp-14]
005894D8 |. E8 D3B7E7FF call 00404CB0 ; //compare last 4
005894DD |. 0F9445 FB sete byte ptr ss:[ebp-5] ; //may control activate button, sete byte ptr ss:[ebp-5]
005894E1 |> 33C0 xor eax, eax ; //xor eax, eax
005894E3 |. 5A pop edx
005894E4 |. 59 pop ecx
005894E5 |. 59 pop ecx
005894E6 |. 64:8910 mov dword ptr fs:[eax], edx
005894E9 |. 68 0B955800 push 0058950B
005894EE |> 8D45 E8 lea eax, dword ptr ss:[ebp-18]
005894F1 |. BA 02000000 mov edx, 2
005894F6 |. E8 05B4E7FF call 00404900
005894FB |. 8D45 FC lea eax, dword ptr ss:[ebp-4]
005894FE |. E8 D9B3E7FF call 004048DC ; //compare to follow
00589503 \. C3 retn
So the registration code should be of the form:
1234-6789-2345-7890-D154
like this. The comments are written clearly, so we newbies can share the joy of assembly.
This:
00589439 |. 807C10 FF 2D |cmp byte ptr ds:[eax+edx-1], 2D
determines that at positions 5, a, f and 14 a '-', i.e. a dash, must appear; adding that here.
Post #50 (LV4, RANK:50)
OK
The hard work has finally borne fruit again: heh, my hardware ID is 51E68C75-EA0F
Activation code entered: 1234-6789-2345-7890-D154
The Activate button enables itself automatically; after verification an "internal activation error" appears. I guess these activation codes have been put on a black list.
I checked the code's comparisons against the input one by one; all of them pass.
Returns of the key activation-code comparisons:
1. Length comparison: length=18h
0058940E |. 807D FB 00 cmp byte ptr ss:[ebp-5], 0 ; //!!! ss:[ebp-5] is retned 1 if aCode length is 18h
2. Format and last-four comparison:
0058946F |> \807D FB 00 cmp byte ptr ss:[ebp-5], 0 ; //!!! ss:[ebp-5] is retned 0 if e_code form unmatch
3. Explicit comparison code for the last 4 characters; grab it directly here:
00404CB7 |. 39D0 cmp eax, edx
Note: grab it during the activation-code comparison, otherwise it won't be this one.
This code sits at:
005894D8 |. E8 D3B7E7FF call 00404CB0 ; //compare last 4
This activation code enables the original program's activate button, which shows that this code is correct.
It first compares the input format, which should be:
***-****-****-****-****
then compares the first 20 inputs one by one; I didn't seem to see any encrypted comparison:
00588DC8 /$ 55 push ebp ; //!!! E_Code Control
00588DC9 |. 8BEC mov ebp, esp
00588DCB |. 83C4 E8 add esp, -18
00588DCE |. 33C9 xor ecx, ecx
00588DD0 |. 894D E8 mov dword ptr ss:[ebp-18], ecx
00588DD3 |. 894D EC mov dword ptr ss:[ebp-14], ecx
00588DD6 |. 8955 F8 mov dword ptr ss:[ebp-8], edx
00588DD9 |. 8945 FC mov dword ptr ss:[ebp-4], eax
00588DDC |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588DDF |. E8 70BFE7FF call 00404D54
00588DE4 |. 33C0 xor eax, eax ; // clear
00588DE6 |. 55 push ebp
00588DE7 |. 68 9F8E5800 push 00588E9F
00588DEC |. 64:FF30 push dword ptr fs:[eax]
00588DEF |. 64:8920 mov dword ptr fs:[eax], esp
00588DF2 |. 8B45 F8 mov eax, dword ptr ss:[ebp-8]
00588DF5 |. E8 E2BAE7FF call 004048DC
00588DFA |. 8B45 FC mov eax, dword ptr ss:[ebp-4]
00588DFD |. E8 9EBDE7FF call 00404BA0 ; //get length
00588E02 |. 85C0 test eax, eax ; //test length
00588E04 |. 7E 76 jle short 00588E7C ; //???? jle short 00588E7C
00588E06 |. 8945 F0 mov dword ptr ss:[ebp-10], eax
00588E09 |. C745 F4 01000>mov dword ptr ss:[ebp-C], 1
00588E10 |> 8B45 FC /mov eax, dword ptr ss:[ebp-4] ; //code temp
00588E13 |. 8B55 F4 |mov edx, dword ptr ss:[ebp-C] ; // ss:[ebp-C]=1
00588E16 |. 8A4410 FF |mov al, byte ptr ds:[eax+edx-1]
00588E1A |. 04 E0 |add al, 0E0
00588E1C |. 2C 10 |sub al, 10
00588E1E |. 72 06 |jb short 00588E26
00588E20 |. 04 B0 |add al, 0B0
00588E22 |. 2C 80 |sub al, 80
00588E24 |. 73 2E |jnb short 00588E54 ; //!!!!!!!
00588E26 |> 8B45 F8 |mov eax, dword ptr ss:[ebp-8]
00588E29 |. FF30 |push dword ptr ds:[eax]
00588E2B |. 68 B48E5800 |push 00588EB4
00588E30 |. 8D55 EC |lea edx, dword ptr ss:[ebp-14]
00588E33 |. 8B45 FC |mov eax, dword ptr ss:[ebp-4]
00588E36 |. 8B4D F4 |mov ecx, dword ptr ss:[ebp-C]
00588E39 |. 8A4408 FF |mov al, byte ptr ds:[eax+ecx-1]
00588E3D |. E8 52FFFFFF |call 00588D94
00588E42 |. FF75 EC |push dword ptr ss:[ebp-14]
00588E45 |. 8B45 F8 |mov eax, dword ptr ss:[ebp-8]
00588E48 |. BA 03000000 |mov edx, 3
00588E4D |. E8 0EBEE7FF |call 00404C60
00588E52 |. EB 20 |jmp short 00588E74 ; // unconditional
00588E54 |> 8D45 E8 |lea eax, dword ptr ss:[ebp-18]
00588E57 |. 8B55 FC |mov edx, dword ptr ss:[ebp-4]
00588E5A |. 8B4D F4 |mov ecx, dword ptr ss:[ebp-C]
00588E5D |. 8A540A FF |mov dl, byte ptr ds:[edx+ecx-1]
00588E61 |. E8 46BCE7FF |call 00404AAC
00588E66 |. 8B55 E8 |mov edx, dword ptr ss:[ebp-18]
00588E69 |. 8B45 F8 |mov eax, dword ptr ss:[ebp-8]
00588E6C |. E8 37BDE7FF |call 00404BA8 ; //!!!! // move acode to stack
00588E71 |. 8B45 F8 |mov eax, dword ptr ss:[ebp-8]
00588E74 |> FF45 F4 |inc dword ptr ss:[ebp-C]
00588E77 |. FF4D F0 |dec dword ptr ss:[ebp-10]
00588E7A |.^ 75 94 \jnz short 00588E10
00588E7C |> 33C0 xor eax, eax
00588E7E |. 5A pop edx
00588E7F |. 59 pop ecx
00588E80 |. 59 pop ecx
00588E81 |. 64:8910 mov dword ptr fs:[eax], edx
00588E84 |. 68 A68E5800 push 00588EA6
00588E89 |> 8D45 E8 lea eax, dword ptr ss:[ebp-18]
00588E8C |. BA 02000000 mov edx, 2
00588E91 |. E8 6ABAE7FF call 00404900
00588E96 |. 8D45 FC lea eax, dword ptr ss:[ebp-4]
00588E99 |. E8 3EBAE7FF call 004048DC
00588E9E \. C3 retn ; //!!! calc routine 1, to 588ea6
This code performs the case conversion and masking of the activation code; it is also the routine that checks the hardware ID.
It looks like these are basically the 4 major comparisons, all posted in the previous posts.
The last four characters; mine are:
D154, note that they are case-sensitive.
*******
That's Lena's idea:
Guide the application to the goodboy
Give it a try.
Time to celebrate.
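An added example (the editor's code, not from posts #49/#50 and not FlashDigger's own source) that re-implements the activation-code check traced at 005893D8..005894DD in Python, step by step against the listing: length 18h, dashes at 1-based positions 5/0A/0F/14, every other position bit-tested against the 256-bit character table, then the first 20 characters fed to call 00589368, the resulting 16-bit value rendered as 4 hex digits (read here as Delphi IntToHex(value, 4), an assumption) and compared with characters 21..24. Two things are not on the page and are assumed: the contents of the table at 64829C, modelled as digits plus upper-case hex letters because that is what the working code on the page uses, and the algorithm behind 00589368, which is passed in as a function so the real one can be dropped in once it is traced. The stand-in checksum below is constructed for the demonstration only.

```python
"""Editor's re-implementation of the format/tail check at 005893D8.
Assumed (not on the page): the character table contents and the
algorithm of call 00589368."""

CODE_LENGTH = 0x18                     # cmp eax, 18 at 00589407
DASH_POSITIONS = (5, 0x0A, 0x0F, 0x14)  # 1-based; cmp [ebp-C], 5/0A/0F/14
BODY_LENGTH = 0x14                     # Copy(code, 1, 14h) at 0058947F..0058948C
TAIL_START = 0x15                      # Copy(code, 15h, 4) at 005894C0..005894CD


def delphi_char_set(chars: str) -> bytes:
    """Build a 32-byte Delphi 'set of Char': bit n is set iff chr(n) is a member.
    This is the layout `bt dword ptr [64829C], eax` indexes at 00589453."""
    table = bytearray(32)
    for ch in chars.encode("latin-1"):
        table[ch >> 3] |= 1 << (ch & 7)
    return bytes(table)


def bit_test(table: bytes, n: int) -> bool:
    """Emulate `bt [table], eax ; setb al` for 0 <= n < 256."""
    return bool((table[n >> 3] >> (n & 7)) & 1)


# Assumption: table contents are not printed on the page.
ASSUMED_CHARSET = delphi_char_set("0123456789ABCDEF")


def format_ok(code: bytes, charset: bytes = ASSUMED_CHARSET) -> bool:
    """Loop at 0058941B..0058946D. [ebp-5] stays 1 only while every
    position passes; the first failure jumps to 0058946F and then 005894E1."""
    if len(code) != CODE_LENGTH:       # sete [ebp-5] after cmp eax,18 ; je 0058946F
        return False
    for i in range(1, 0x19):           # [ebp-C] counts 1..18h, exits when it reaches 19h
        ch = code[i - 1]               # byte ptr [eax+edx-1]
        if i in DASH_POSITIONS:
            ok = ch == 0x2D            # cmp byte ptr [eax+edx-1], 2D ; sete
        else:
            ok = bit_test(charset, ch)  # and eax,0FF ; bt [64829C],eax ; setb
        if not ok:
            return False
    return True


def tail_matches(code: bytes, checksum16) -> bool:
    """005894AB..005894DD: value from 00589368 over the first 20 characters,
    formatted as 4 upper-case hex digits, compared (case-sensitively, via
    00404CB0) with characters 21..24."""
    body = code[:BODY_LENGTH]
    expected = b"%04X" % (checksum16(body) & 0xFFFF)   # word ptr [ebp-E]
    return code[TAIL_START - 1:TAIL_START - 1 + 4] == expected


def check_activation_code(code: str, checksum16, charset: bytes = ASSUMED_CHARSET) -> bool:
    """The whole routine: [ebp-5] ends up 1 only if both stages pass."""
    raw = code.encode("latin-1")
    return format_ok(raw, charset) and tail_matches(raw, checksum16)


def demo_checksum16(body: bytes) -> int:
    """Constructed stand-in for call 00589368 (real algorithm not on the page):
    a 16-bit sum of the body bytes. Replace with the traced routine."""
    return sum(body) & 0xFFFF


if __name__ == "__main__":
    sample = "1234-6789-2345-7890-D154"          # the code from post #49
    print(format_ok(sample.encode()))             # format gate passes
    print(check_activation_code(sample, demo_checksum16))   # tail differs under the stand-in
```

With the stand-in checksum the page's sample code passes the format gate but not the tail compare; once the real 00589368 is traced, swapping it in for demo_checksum16 turns this validator into a keygen for the client-side stage, which is exactly the stage the "internal activation error" in post #50 shows is not the last word.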