[Old post] [Original] A newbie cracks 黑客字典II (Hacker Dictionary II, Chinese version)

Posted: 2008-4-1 00:32
I am a newbie who has only just started learning cracking.
Software: 黑客字典II Chinese version
Disassembled it with W32Dasm, searched for the string “注册名或者注册码不正确” (“registration name or registration code incorrect”), and arrived at:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D00(C)
|
* Possible StringData Ref from Data Obj ->"注册名或注册码不正确!"
|
:00401DE5 68C0704300 push 004370C0
:00401DEA 8D8C24EC000000 lea ecx, dword ptr [esp+000000EC]
:00401DF1 E87A010000 call 00401F70
:00401DF6 C78424B401000002000000 mov dword ptr [esp+000001B4], 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401DE3(U)
|
:00401E01 8D8C2444010000 lea ecx, dword ptr [esp+00000144]
:00401E08 E8CCEB0100 call 004209D9
:00401E0D 8D8C24E8000000 lea ecx, dword ptr [esp+000000E8]
:00401E14 C78424B4010000FFFFFFFF mov dword ptr [esp+000001B4], FFFFFFFF
:00401E1F E843AE0100 call 0041CC67
Continuing downward, we arrive at:
00401CAC > 55 PUSH EBP
00401CAD . 8D8C24 EC00000>LEA ECX,DWORD PTR SS:[ESP+EC]
00401CB4 . 889C34 4C01000>MOV BYTE PTR SS:[ESP+ESI+14C],BL
00401CBB . E8 F0010000 CALL UltraDic.00401EB0 ; key CALL, the algorithm lives here; my assembly basics are weak, so I did not step into it
00401CC0 . 899C24 B401000>MOV DWORD PTR SS:[ESP+1B4],EBX
00401CC7 . 8DB424 8400000>LEA ESI,DWORD PTR SS:[ESP+84] ; the entered (fake) code
00401CCE . 8D8424 4801000>LEA EAX,DWORD PTR SS:[ESP+148] ; the real code; this address could be used to build a memory keygen
00401CD5 > 8A10 MOV DL,BYTE PTR DS:[EAX]
00401CD7 . 8ACA MOV CL,DL
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401CF7(U)
|
:00401CFE 3BC3 cmp eax, ebx
:00401D00 0F85DF000000 jne 00401DE5 ; key jump, one jump and it dies!! patch point
:00401D06 6801100000 push 00001001
* Possible StringData Ref from Data Obj ->"C:\regbanyet.dat"
|
:00401D0B 68F4704300 push 004370F4
:00401D10 8D4C2418 lea ecx, dword ptr [esp+18]
:00401D14 E88FEF0100 call 00420CA8
:00401D19 8D7C2420 lea edi, dword ptr [esp+20]
:00401D1D 83C9FF or ecx, FFFFFFFF
:00401D20 33C0 xor eax, eax
:00401D22 B20D mov dl, 0D
:00401D24 F2 repnz
:00401D25 AE scasb
:00401D26 F7D1 not ecx
:00401D28 49 dec ecx
:00401D29 8DBC2484000000 lea edi, dword ptr [esp+00000084]
:00401D30 C68424B401000001 mov byte ptr [esp+000001B4], 01
:00401D38 88540C20 mov byte ptr [esp+ecx+20], dl
:00401D3C 41 inc ecx
:00401D3D C6440C200A mov [esp+ecx+20], 0A
:00401D42 885C0C21 mov byte ptr [esp+ecx+21], bl
:00401D46 83C9FF or ecx, FFFFFFFF
:00401D49 F2 repnz
:00401D4A AE scasb
:00401D4B F7D1 not ecx
:00401D4D 49 dec ecx
:00401D4E 8D7C2420 lea edi, dword ptr [esp+20]
:00401D52 88940C84000000 mov byte ptr [esp+ecx+00000084], dl
:00401D59 41 inc ecx
:00401D5A C6840C840000000A mov byte ptr [esp+ecx+00000084], 0A
:00401D62 889C0C85000000 mov byte ptr [esp+ecx+00000085], bl
:00401D69 83C9FF or ecx, FFFFFFFF
:00401D6C F2 repnz
:00401D6D AE scasb
:00401D6E F7D1 not ecx
:00401D70 49 dec ecx
:00401D71 8D442420 lea eax, dword ptr [esp+20]
:00401D75 51 push ecx
:00401D76 50 push eax
:00401D77 8D4C2418 lea ecx, dword ptr [esp+18]
:00401D7B E8DCF10100 call 00420F5C
:00401D80 8DBC2484000000 lea edi, dword ptr [esp+00000084]
:00401D87 83C9FF or ecx, FFFFFFFF
:00401D8A 33C0 xor eax, eax
:00401D8C F2 repnz
:00401D8D AE scasb
:00401D8E F7D1 not ecx
:00401D90 49 dec ecx
:00401D91 51 push ecx
:00401D92 8D8C2488000000 lea ecx, dword ptr [esp+00000088]
:00401D99 51 push ecx
:00401D9A 8D4C2418 lea ecx, dword ptr [esp+18]
:00401D9E E8B9F10100 call 00420F5C
:00401DA3 6A03 push 00000003
* Possible StringData Ref from Data Obj ->"C:\regbanyet.dat"
|
:00401DA5 68F4704300 push 004370F4 ; registration succeeded: a regbanyet.dat registration file is created in C:\
* Reference To: KERNEL32.SetFileAttributesA, Ord:0268h
|
:00401DAA FF158CB24200 Call dword ptr [0042B28C]
Alternative crack: I looked at the regbanyet.dat file generated in C:\ and found that it contains nothing but the username and registration code that were entered. That made me wonder: if I create a regbanyet.dat file myself and put it in C:\, will the program register? The answer is yes. Skipping the crack entirely, I created regbanyet.dat directly in C:\, restarted the software, and, heh, the software displayed “Registered to (the username written in the regbanyet.dat file)”.
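The weakness the post ends on is that the program trusts whatever two lines it finds in the registration file, so the file carries no proof that the code was ever issued for that name. The example below is added here and is not code from the original post or from the program being analysed. It reproduces the two-line CRLF layout the listing builds (name, CRLF, code, CRLF), puts a validator that merely parses the file beside one that requires the code to be a MAC of the name, and shows that only the second rejects a hand-written file. The file name, the secret, and all sample names and codes are constructed for the demonstration.

```python
import hmac
import hashlib
import os
import tempfile

# Constructed layout matching the post's listing: "<name>\r\n<code>\r\n".
# Every function here is an added illustration, not the analysed program's code.


def write_keyfile(path: str, name: str, code: str) -> None:
    """Write the two-line registration file in the observed CRLF layout."""
    with open(path, "wb") as f:
        f.write(name.encode("utf-8") + b"\r\n" + code.encode("utf-8") + b"\r\n")


def parse_keyfile(path: str):
    """Return (name, code) from a two-line file, or None if it is missing or malformed."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        lines = f.read().split(b"\r\n")
    if len(lines) < 2:
        return None
    try:
        return lines[0].decode("utf-8"), lines[1].decode("utf-8")
    except UnicodeDecodeError:
        return None


def weak_is_registered(path: str):
    """The pattern the post describes: any well-formed file is trusted as-is.
    Returns the name the file claims, or None."""
    parsed = parse_keyfile(path)
    return parsed[0] if parsed else None


# Hypothetical secret for the hardened check. In a shipped client this key would
# live inside the binary, so it is only as secret as the binary itself (see note).
_KEYFILE_SECRET = b"constructed-demo-secret-not-a-real-key"


def issue_code(name: str) -> str:
    """What a legitimate issuer would hand out for this name: HMAC-SHA256(name)."""
    return hmac.new(_KEYFILE_SECRET, name.encode("utf-8"), hashlib.sha256).hexdigest()


def strong_is_registered(path: str):
    """Accept the file only if its code is the MAC of the name it claims.
    Uses a constant-time comparison so the check leaks nothing via timing."""
    parsed = parse_keyfile(path)
    if not parsed:
        return None
    name, code = parsed
    expected = issue_code(name).encode("utf-8")
    if not hmac.compare_digest(expected, code.encode("utf-8")):
        return None
    return name


def demo():
    """Run both validators over a hand-written file and a genuinely issued one."""
    with tempfile.TemporaryDirectory() as d:
        forged = os.path.join(d, "regbanyet.dat")      # constructed forged file
        write_keyfile(forged, "anyone", "anything")
        genuine = os.path.join(d, "genuine.dat")       # constructed genuine file
        write_keyfile(genuine, "alice", issue_code("alice"))
        renamed = os.path.join(d, "renamed.dat")       # valid code, different name
        write_keyfile(renamed, "bob", issue_code("alice"))
        return {
            "weak_forged": weak_is_registered(forged),
            "strong_forged": strong_is_registered(forged),
            "weak_genuine": weak_is_registered(genuine),
            "strong_genuine": strong_is_registered(genuine),
            "strong_renamed": strong_is_registered(renamed),
        }


if __name__ == "__main__":
    print(demo())
```

A symmetric MAC is used here only because it needs nothing beyond the standard library; since the verifying key ships inside the client, anyone who extracts it can issue codes. The same structure with an asymmetric signature (the client holds only a public key and the issuer keeps the private key) closes that gap, and binding the name into the signed data is what stops the rename case above.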