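软件发布快车 2005 cracking tutorial
Platform: Win98
Tools: OllyDbg, W32Dasm
Restriction: the unregistered version can only be used 15 times
Note: analyze it only under Win98. Under XP, exceptions occur frequently during analysis, because the program has anti-tracing.
This program only checks the registration code after it is restarted. PE-Scan 3.31 shows that it is packed with UPX. I unpacked it with the generic unpacker made by dREAMtHEATER; unfortunately, the unpacked program does not run. We then disassemble the unpacked program with W32Dasm, and searching the string references we find: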
:004F0665 E8C6B9F7FF call 0046C030
:004F066A B101 mov cl, 01
* Possible StringData Ref from Data Obj ->"\SOFTWARE\ExeSoft\ExePCar"-----> the registration code you enter is stored at this location in the registry
|
:004F066C BAFC064F00 mov edx, 004F06FC
:004F0671 8BC6 mov eax, esi
:004F0673 E820BAF7FF call 0046C098
:004F0678 8B4DFC mov ecx, dword ptr [ebp-04]
* Possible StringData Ref from Data Obj ->"Cache32" ----> this is the key name of the string
|
:004F067B BA20074F00 mov edx, 004F0720
:004F0680 8BC6 mov eax, esi
:004F0682 E88DBDF7FF call 0046C414
:004F0687 8BC6 mov eax, esi
:004F0689 E872B9F7FF call 0046C000
:004F068E 8BC6 mov eax, esi
:004F0690 E82334F1FF call 00403AB8
:004F0695 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"谢谢"
|
:004F0697 6828074F00 push 004F0728
* Possible StringData Ref from Data Obj ->"感谢您的注册,请重新启动程序。"
|
:004F069C 6830074F00 push 004F0730
:004F06A1 8BC3 mov eax, ebx
:004F06A3 E8D8E9F5FF call 0044F080
:004F06A8 50 push eax
_____________________________________________________________________
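The program checks the registration code several times while it is in use. Here we only need to set a breakpoint at 004F0DDD and then click "About" (“关于”) to break on it, which brings us here: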
_______________________________________________________________________
|
:004F0DCE 8B1580984F00 mov edx, dword ptr [004F9880]
:004F0DD4 8B12 mov edx, dword ptr [edx]
:004F0DD6 A180984F00 mov eax, dword ptr [004F9880]
:004F0DDB 8B00 mov eax, dword ptr [eax]
:004F0DDD E8A6460000 call 004F5488 -----> this is the call to the registration algorithm; step into it
:004F0DE2 84C0 test al, al
:004F0DE4 7410 je 004F0DF6
* Possible StringData Ref from Data Obj ->"非常感谢您的注册。"
|
:004F0DE6 BA640E4F00 mov edx, 004F0E64
:004F0DEB 8B8300030000 mov eax, dword ptr [ebx+00000300]
_________________________________________________________________________
* Referenced by a CALL at Addresses:
|:004F0DDD , :004F2820 , :004F38A7 , :004F3BDB , :004F55D7
|:004F563B , :004F567A , :004F5786
|
:004F5488 55 push ebp
:004F5489 8BEC mov ebp, esp
:004F548B 33C9 xor ecx, ecx
:004F548D 51 push ecx
:004F548E 51 push ecx
:004F548F 51 push ecx
:004F5490 51 push ecx
:004F5491 51 push ecx
:004F5492 53 push ebx
:004F5493 56 push esi
:004F5494 57 push edi
:004F5495 8BD8 mov ebx, eax
:004F5497 33C0 xor eax, eax
:004F5499 55 push ebp
:004F549A 689A554F00 push 004F559A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F546E(C)
|
:004F549F 64FF30 push dword ptr fs:[eax]
:004F54A2 648920 mov dword ptr fs:[eax], esp
:004F54A5 C645FF00 mov [ebp-01], 00
:004F54A9 33C0 xor eax, eax
:004F54AB 55 push ebp
:004F54AC 6875554F00 push 004F5575
:004F54B1 64FF30 push dword ptr fs:[eax]
:004F54B4 648920 mov dword ptr fs:[eax], esp
:004F54B7 8B83B4040000 mov eax, dword ptr [ebx+000004B4]
:004F54BD E89EF6F0FF call 00404B60
:004F54C2 83F808 cmp eax, 00000008 --> checks whether the length of the registration code equals 8; if not, registration fails
:004F54C5 0F85A0000000 jne 004F556B
:004F54CB 8D45F8 lea eax, dword ptr [ebp-08]
:004F54CE 50 push eax
:004F54CF 8B83B4040000 mov eax, dword ptr [ebx+000004B4]
:004F54D5 B902000000 mov ecx, 00000002
:004F54DA BA01000000 mov edx, 00000001
:004F54DF E8D4F8F0FF call 00404DB8
:004F54E4 8B45F8 mov eax, dword ptr [ebp-08]
* Possible StringData Ref from Data Obj ->"42" ---> the first two characters of the registration code
|
:004F54E7 BAB4554F00 mov edx, 004F55B4
:004F54EC E8B3F7F0FF call 00404CA4 --> this call checks whether the first two characters of the registration code are 42; if not, it fails
:004F54F1 7578 jne 004F556B
:004F54F3 8D45F4 lea eax, dword ptr [ebp-0C]
:004F54F6 50 push eax
:004F54F7 8B83B4040000 mov eax, dword ptr [ebx+000004B4]
:004F54FD B902000000 mov ecx, 00000002
:004F5502 BA03000000 mov edx, 00000003
:004F5507 E8ACF8F0FF call 00404DB8
:004F550C 8B45F4 mov eax, dword ptr [ebp-0C]
:004F550F E8083FF1FF call 0040941C ----> this is the call that compares characters 3 and 4
:004F5514 8BF0 mov esi, eax
:004F5516 03F6 add esi, esi
:004F5518 8D45F0 lea eax, dword ptr [ebp-10]
:004F551B 50 push eax
:004F551C 8B83B4040000 mov eax, dword ptr [ebx+000004B4]
:004F5522 B902000000 mov ecx, 00000002
:004F5527 BA05000000 mov edx, 00000005
:004F552C E887F8F0FF call 00404DB8
:004F5531 8B45F0 mov eax, dword ptr [ebp-10]
:004F5534 E8E33EF1FF call 0040941C --------> this is the call that compares characters 5 and 6 (the algorithm is the same as above, so characters 5 and 6 are both 0)
:004F5539 3BF0 cmp esi, eax
:004F553B 752E jne 004F556B
:004F553D 8D45EC lea eax, dword ptr [ebp-14]
:004F5540 8B93B4040000 mov edx, dword ptr [ebx+000004B4]
:004F5546 8A5206 mov dl, byte ptr [edx+06]
:004F5549 E83AF5F0FF call 00404A88
:004F554E 8B45EC mov eax, dword ptr [ebp-14]
:004F5551 E8C63EF1FF call 0040941C
:004F5556 83F808 cmp eax, 00000008 -----> checks whether the seventh character is 8
:004F5559 7510 jne 004F556B
:004F555B 8B83B4040000 mov eax, dword ptr [ebx+000004B4]
:004F5561 80780745 cmp byte ptr [eax+07], 45 -----> checks whether the ASCII code of the eighth character of the registration code is 45 (E)
:004F5565 7504 jne 004F556B
:004F5567 C645FF01 mov [ebp-01], 01
____________________________________________________________________________
* Referenced by a CALL at Addresses:
|:00413245 , :00413287 , :0046DBE8 , :0046DC07 , :0046F403
|:0046F837 , :0046F854 , :0046F872 , :0046F890 , :0047853A
|:00479B99 , :00479BB7 , :0047AF0E , :004CCFB8 , :004CD005
|:004D0061 , :004D0A6C , :004D374B , :004F3912 , :004F3963
|:004F441D , :004F444D , :004F4476 , :004F4F81 , :004F550F
|:004F5534 , :004F5551
|
:0040941C 53 push ebx
:0040941D 56 push esi
:0040941E 83C4F4 add esp, FFFFFFF4
:00409421 8BD8 mov ebx, eax
:00409423 8BD4 mov edx, esp
:00409425 8BC3 mov eax, ebx
:00409427 E8389FFFFF call 00403364 -----> the comparison of characters 3 and 4; step into it
:0040942C 8BF0 mov esi, eax
:0040942E 833C2400 cmp dword ptr [esp], 00000000
:00409432 7419 je 0040944D
:00409434 895C2404 mov dword ptr [esp+04], ebx
:00409438 C64424080B mov [esp+08], 0B
:0040943D 8D542404 lea edx, dword ptr [esp+04]
:00409441 A108954F00 mov eax, dword ptr [004F9508]
:00409446 33C9 xor ecx, ecx
:00409448 E88FF8FFFF call 00408CDC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409432(C)
|
:0040944D 8BC6 mov eax, esi
:0040944F 83C40C add esp, 0000000C
:00409452 5E pop esi
:00409453 5B pop ebx
:00409454 C3 ret
_________________________________________________
* Referenced by a CALL at Addresses:
|:00409427 , :0040945E
|
:00403364 53 push ebx
:00403365 56 push esi
:00403366 57 push edi
:00403367 89C6 mov esi, eax
:00403369 50 push eax
:0040336A 85C0 test eax, eax
:0040336C 746C je 004033DA
:0040336E 31C0 xor eax, eax
:00403370 31DB xor ebx, ebx
:00403372 BFCCCCCC0C mov edi, 0CCCCCCC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040337D(C)
|
:00403377 8A1E mov bl, byte ptr [esi]
:00403379 46 inc esi
:0040337A 80FB20 cmp bl, 20
:0040337D 74F8 je 00403377
:0040337F B500 mov ch, 00
:00403381 80FB2D cmp bl, 2D
:00403384 7462 je 004033E8
:00403386 80FB2B cmp bl, 2B
:00403389 745F je 004033EA
:0040338B 80FB24 cmp bl, 24
:0040338E 745F je 004033EF
:00403390 80FB78 cmp bl, 78
:00403393 745A je 004033EF
:00403395 80FB58 cmp bl, 58
:00403398 7455 je 004033EF
:0040339A 80FB30 cmp bl, 30 ----> checks whether the 3rd character is 0
:0040339D 7513 jne 004033B2
:0040339F 8A1E mov bl, byte ptr [esi]
:004033A1 46 inc esi
:004033A2 80FB78 cmp bl, 78
:004033A5 7448 je 004033EF
:004033A7 80FB58 cmp bl, 58
:004033AA 7443 je 004033EF
:004033AC 84DB test bl, bl ----> checks whether the 4th character is 0
:004033AE 7420 je 004033D0
:004033B0 EB04 jmp 004033B6
_______________________________________________________________________
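The registration code has 9 characters; the last one is dropped before the comparison, so it can be filled in with anything.
The registration code is 4200008E*
The author of the software claims that the 3000 version he is about to release will be impossible for anyone to crack, haha.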
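
The accept/reject logic of the routine at 004F5488, written out as an added Python model (not code from the program or from the original post). It follows the instructions shown in the listing, including the `add esi, esi` / `cmp esi, eax` pair, and reports which check rejects a value; `to_int`, `first_failed_check` and `is_registered` are names made up for this example, and the number conversion is simplified to decimal digits only.

```python
# Added illustration, not the program's code: the accept/reject logic of the
# routine at 004F5488, following the instructions shown in the listing.

def to_int(field):
    """Decimal-only stand-in for the conversion call at 0040941C.
    Assumption: anything that is not plain ASCII digits counts as a failure."""
    if field.isascii() and field.isdigit():
        return int(field)
    return None

def first_failed_check(code):
    """Return the name of the first check that rejects `code`, or None.
    `code` is the 8-character value the routine reads from [ebx+4B4]."""
    if len(code) != 8:                       # cmp eax, 00000008
        return "length"
    if code[0:2] != "42":                    # compared against the string "42"
        return "prefix"
    mid = to_int(code[2:4])                  # characters 3 and 4
    tail = to_int(code[4:6])                 # characters 5 and 6
    seventh = to_int(code[6])                # byte ptr [edx+06]
    if mid is None or tail is None or seventh is None:
        return "not-numeric"
    if mid + mid != tail:                    # add esi, esi / cmp esi, eax
        return "pair-relation"
    if seventh != 8:                         # cmp eax, 00000008
        return "seventh"
    if ord(code[7]) != 0x45:                 # cmp byte ptr [eax+07], 45
        return "eighth"
    return None

def is_registered(code):
    """True when every check passes (the routine sets [ebp-01] to 01)."""
    return first_failed_check(code) is None
```

The function takes only the code itself: in the lines shown, no user name or machine value enters the comparison, so a value that passes on one installation passes on every installation.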