Ability score: (LV2, RANK:10)
Post #2
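Heh, you clearly didn't trace through it carefully. After disassembling it you can see two registration codes, and of course they are on the blacklist. That is the interesting thing about this software: it stores the registration code in the registry, and the verification algorithm that runs at restart ignores the blacklist, so you can write these two registration codes straight into the registry and it will definitely register.
That said, the algorithm is also very simple:
A1A2.......A16,
transform each Ai: if Ai>=0x61(a), Ai-0x3D;
if Ai>=0x41(A), Ai-0x37;
otherwise Ai-0x30;
giving B1B2.....B16;
if B1+B2=0x3D.........B15+B16=0x3D, registration succeeds.
Nowadays everyone is playing with packers and nobody works on algorithms anymore. I feel like I'm getting rustier and rustier.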
Ability score: (LV7, RANK:100)
Post #3
Thanks! Thanks for the pointers, big brother~~~~~~~~~~~~
Ability score: (LV4, RANK:50)
Post #4
Use UE to change the blacklist to anything else, then register with a blacklisted code and it will succeed.
Ability score: (LV9, RANK:690)
Post #5
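I posted this before; since someone asked for it, here it is again :)
【Software name】: CHM Browser (CHM浏览器) V1.3
【Software size】: 510 KB
【Software language】: Simplified Chinese
【Software category】: Chinese software / Shareware / Browsing aids
【Platform】: Win9x/NT/2000/XP
【Date added】: 2003-07-31 17:26:26
【Software description】:
CHM Browser can decompile files of any type out of compiled Windows HTML Help files (*.chm). It handles CHM files just like ZIP files. You can run or view the files inside a CHM the same way you would use Winzip to view a ZIP file. You can view HTML files or image files by double-clicking the file's icon.
【Author】: cyclotron[BCG][DFCG][FCG][OCN]
【Tools】: Ollydbg V1.09
【Cracking process】:
Load CHMunpacker in Ollydbg.
Enter a user name and a trial code:
User name: cyclotron[BCG]
Trial code: 78787878 (anything will do)
Press Ctrl+N and search the imports for GetWindowText. Right-click and choose "view call tree", then set a breakpoint on every call. Go back to the dialog and click OK. Ollydbg breaks; then clear all breakpoints.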
00405A87 PUSH ECX
00405A88 PUSH 3E9
00405A8D MOV ECX,ESI
00405A8F CALL CHMUNPAC.00422761
00405A94 MOV EDX,DWORD PTR SS:[ESP+C]
00405A98 PUSH CHMUNPAC.0044C930 ; /Arg2 = 0044C930
00405A9D PUSH EDX ; |Arg1
00405A9E CALL CHMUNPAC.0040EC26 ; \CHMUNPAC.0040EC26
00405AA3 ADD ESP,8
00405AA6 TEST EAX,EAX ; was a user name entered?
00405AA8 JNZ SHORT CHMUNPAC.00405AB6 ; if not, jump away
00405AAA PUSH EBX
00405AAB PUSH EBX
00405AAC PUSH CHMUNPAC.0044A594
00405AB1 JMP CHMUNPAC.00405BF1
00405AB6 MOV EAX,DWORD PTR SS:[ESP+8]
00405ABA PUSH CHMUNPAC.0044C930 ; /Arg2 = 0044C930
00405ABF PUSH EAX ; |Arg1
00405AC0 CALL CHMUNPAC.0040EC26 ; \CHMUNPAC.0040EC26
00405AC5 ADD ESP,8
00405AC8 TEST EAX,EAX ; was a registration code entered?
00405ACA JNZ SHORT CHMUNPAC.00405AD8
00405ACC PUSH EBX
00405ACD PUSH EBX
00405ACE PUSH CHMUNPAC.0044A584
00405AD3 JMP CHMUNPAC.00405BF1
00405AD8 PUSH CHMUNPAC.0044A580
00405ADD LEA ECX,DWORD PTR SS:[ESP+C]
00405AE1 CALL CHMUNPAC.0041CAE2
00405AE6 PUSH CHMUNPAC.0044A580
00405AEB LEA ECX,DWORD PTR SS:[ESP+C]
00405AEF CALL CHMUNPAC.0041CA43
00405AF4 MOV EAX,DWORD PTR SS:[ESP+8]
00405AF8 CMP DWORD PTR DS:[EAX-8],10 ; registration code length must be 16 characters
00405AFC JE SHORT CHMUNPAC.00405B0A
00405AFE PUSH EBX
00405AFF PUSH EBX
00405B00 PUSH CHMUNPAC.0044A570
00405B05 JMP CHMUNPAC.00405BF1
00405B0A PUSH CHMUNPAC.0044A55C ; /Arg2 = 0044A55C ASCII
; "eLRYdMs7IhHiObJg"
; blacklist
00405B0F PUSH EAX ; |Arg1
00405B10 CALL CHMUNPAC.0040EC26 ; \CHMUNPAC.0040EC26
00405B15 ADD ESP,8
00405B18 TEST EAX,EAX
00405B1A JE CHMUNPAC.00405BEA
00405B20 MOV ECX,DWORD PTR SS:[ESP+8]
00405B24 PUSH CHMUNPAC.0044A548 ; /Arg2 = 0044A548 ASCII
; "FkZQYRjGoBNcgJVU"
; another blacklist
00405B29 PUSH ECX ; |Arg1
00405B2A CALL CHMUNPAC.0040EC26 ; \CHMUNPAC.0040EC26
00405B2F ADD ESP,8
00405B32 TEST EAX,EAX
00405B34 JE CHMUNPAC.00405BEA
00405B3A LEA EDX,DWORD PTR SS:[ESP+10]
00405B3E PUSH EDI
00405B3F PUSH EDX ; /pHandle
00405B40 PUSH CHMUNPAC.0044A52C ; |Subkey = ; "Software\YBSoft\CHMUnpacker"
00405B45 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00405B4A CALL DWORD PTR DS:[<&ADVAPI32.RegCreateKeyA>>; \RegCreateKeyA
00405B50 MOV EAX,DWORD PTR SS:[ESP+C]
00405B54 LEA ECX,DWORD PTR SS:[ESP+C]
00405B58 MOV EAX,DWORD PTR DS:[EAX-8]
00405B5B PUSH EAX
00405B5C PUSH 1
00405B5E CALL CHMUNPAC.0041FCD0
00405B63 MOV ECX,DWORD PTR SS:[ESP+18] ; |
00405B67 MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegSetValue>; |
00405B6D PUSH EAX ; |Buffer
00405B6E PUSH 1 ; |ValueType = REG_SZ
00405B70 PUSH EBX ; |Reserved
00405B71 PUSH CHMUNPAC.0044A280 ; |ValueName = "Version"
00405B76 PUSH ECX ; |hKey
00405B77 CALL EDI ; \RegSetValueExA
; write the registration info to the registry
00405B79 MOV EDX,DWORD PTR SS:[ESP+10]
00405B7D LEA ECX,DWORD PTR SS:[ESP+10]
00405B81 MOV EAX,DWORD PTR DS:[EDX-8]
00405B84 PUSH EAX
00405B85 PUSH 1
00405B87 CALL CHMUNPAC.0041FCD0
00405B8C PUSH EAX
00405B8D MOV EAX,DWORD PTR SS:[ESP+1C]
00405B91 PUSH 1
00405B93 PUSH EBX
00405B94 PUSH CHMUNPAC.0044A524 ; ASCII "User"
00405B99 PUSH EAX
00405B9A CALL EDI
00405B9C MOV ECX,DWORD PTR SS:[ESP+14]
00405BA0 PUSH ECX ; /hKey
00405BA1 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKey>] ; \RegCloseKey
00405BA7 MOV ECX,ESI
00405BA9 CALL CHMUNPAC.0042068F
00405BAE PUSH EBX ; /Arg3
00405BAF PUSH EBX ; |Arg2
00405BB0 PUSH CHMUNPAC.0044A4EC ; |Arg1 = 0044A4EC
00405BB5 CALL CHMUNPAC.00429791 ; \CHMUNPAC.00429791
00405BBA LEA ECX,DWORD PTR SS:[ESP+C]
00405BBE MOV BYTE PTR SS:[ESP+20],BL
00405BC2 CALL CHMUNPAC.0041F8A0
00405BC7 LEA ECX,DWORD PTR SS:[ESP+10]
00405BCB MOV DWORD PTR SS:[ESP+20],-1
00405BD3 CALL CHMUNPAC.0041F8A0
00405BD8 POP EDI
00405BD9 POP ESI
00405BDA POP EBX
00405BDB MOV ECX,DWORD PTR SS:[ESP+C]
00405BDF MOV DWORD PTR FS:[0],ECX
00405BE6 ADD ESP,18
00405BE9 RETN
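Verification at restart.
Load it again and search for the string "version"; that is where your registration info is stored. The useful breakpoint is 401F32.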
00401F22 LEA EDX,DWORD PTR SS:[ESP+38]
00401F26 PUSH ECX ; /pBufSize
00401F27 MOV ECX,DWORD PTR SS:[ESP+C] ; |
00401F2B LEA EAX,DWORD PTR SS:[ESP+14] ; |
00401F2F PUSH EDX ; |Buffer
00401F30 PUSH EAX ; |pValueType
00401F31 PUSH EDI ; |Reserved
00401F32 PUSH CHMUNPAC.0044A280 ; |ValueName = "Version"
00401F37 PUSH ECX ; |hKey
00401F38 MOV DWORD PTR SS:[ESP+24],0FF ; |
00401F40 CALL DWORD PTR DS:[<&ADVAPI32.RegQueryValueE>; \RegQueryValueExA
00401F46 TEST EAX,EAX
00401F48 JNZ SHORT CHMUNPAC.00401F9C
00401F4A MOV EDX,DWORD PTR SS:[ESP+8]
00401F4E PUSH EDX ; /hKey
00401F4F CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKey>] ; \RegCloseKey
00401F55 LEA EDX,DWORD PTR SS:[ESP+39] ; edx points to the 2nd character of the registration code
00401F59 MOV AL,BYTE PTR DS:[EDX-1] ; odd-position character of the trial code -> al
00401F5C CMP AL,61 ; less than 61h? (not a lowercase letter)
00401F5E JL SHORT CHMUNPAC.00401F64 ; jump if so
00401F60 SUB AL,3D ; al=al-3Dh
00401F62 JMP SHORT CHMUNPAC.00401F6E
00401F64 CMP AL,41 ; less than 41h? (not an uppercase letter)
00401F66 JL SHORT CHMUNPAC.00401F6C ; jump if so
00401F68 SUB AL,37 ; al=al-37h
00401F6A JMP SHORT CHMUNPAC.00401F6E
00401F6C SUB AL,30 ; al=al-30h (must be a digit)
00401F6E MOV CL,AL ; cl=al
00401F70 MOV AL,BYTE PTR DS:[EDX] ; even-position character of the trial code -> al
00401F72 CMP AL,61 ; \
00401F74 JL SHORT CHMUNPAC.00401F7A ; |
00401F76 SUB AL,3D ; |
00401F78 JMP SHORT CHMUNPAC.00401F84 ; |
00401F7A CMP AL,41 ; |same as above
00401F7C JL SHORT CHMUNPAC.00401F82 ; |
00401F7E SUB AL,37 ; |
00401F80 JMP SHORT CHMUNPAC.00401F84 ; |
00401F82 SUB AL,30 ; /
00401F84 MOVSX EAX,AL ; eax=al, result for the even position
00401F87 MOVSX ECX,CL ; ecx=cl, result for the odd position
00401F8A ADD EAX,ECX ; eax=eax+ecx
00401F8C CMP EAX,3D ; equal to 3Dh?
00401F8F JNZ SHORT CHMUNPAC.00401F9C ; fail if not equal
00401F91 INC EDI ; edi++
00401F92 ADD EDX,2 ; edx+=2
00401F95 CMP EDI,8 ; edi equal to 8?
00401F98 JL SHORT CHMUNPAC.00401F59 ; if not, go back and continue the loop
00401F9A JMP SHORT CHMUNPAC.00402012 ; GoodBoy!
00401F9C PUSH 0
00401F9E LEA ECX,DWORD PTR SS:[ESP+3C]
00401FA2 CALL CHMUNPAC.00404960
00401FA7 LEA ECX,DWORD PTR SS:[ESP+38]
00401FAB MOV BYTE PTR SS:[ESP+150],2
00401FB3 CALL CHMUNPAC.004203A5 ; NAG
00401FB8 CMP EAX,2
00401FBB JNZ SHORT CHMUNPAC.00401FC5
00401FBD MOV ECX,DWORD PTR DS:[ESI+1C]
00401FC0 MOV EDX,DWORD PTR DS:[ECX]
00401FC2 CALL DWORD PTR DS:[EDX+58]
00401FC5 LEA ECX,DWORD PTR SS:[ESP+10C]
00401FCC MOV BYTE PTR SS:[ESP+150],5
00401FD4 CALL CHMUNPAC.0042F38E
00401FD9 LEA ECX,DWORD PTR SS:[ESP+D0]
00401FE0 MOV BYTE PTR SS:[ESP+150],4
00401FE8 CALL CHMUNPAC.0042F328
00401FED LEA ECX,DWORD PTR SS:[ESP+94]
00401FF4 MOV BYTE PTR SS:[ESP+150],3
00401FFC CALL CHMUNPAC.0041D3D1
00402001 LEA ECX,DWORD PTR SS:[ESP+38]
00402005 MOV BYTE PTR SS:[ESP+150],1
0040200D CALL CHMUNPAC.0041FFDB
00402012 MOV ECX,ESI
00402014 CALL CHMUNPAC.004023F0 ; entry point of the registered version
00402019 LEA ECX,DWORD PTR SS:[ESP+14]
0040201D MOV DWORD PTR SS:[ESP+150],-1
00402028 CALL CHMUNPAC.0043355F
0040202D MOV ECX,DWORD PTR SS:[ESP+148]
00402034 POP EDI
00402035 MOV EAX,1
0040203A POP ESI
0040203B MOV DWORD PTR FS:[0],ECX
00402042 ADD ESP,14C
00402048 RETN
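【Summary】:
The algorithm is very simple, so I won't write a keygen (being lazy once in a while ^_^)
A registration code made up at random: eLeLeLeLeLeLeLeL
【Keygen】: cyclotron[BCG][DFCG][FCG][OCN]
2003.8.1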
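Added example, not part of the original thread and not the program's own code: a C model of the two checks described in posts 2 and 5, showing why a blacklist enforced only in the entry dialog does nothing unless the startup path that grants the license applies the same revocation list. All function names are hypothetical; the two blacklist strings, the character transform and the 0x3D pair rule come from the listing above.

```c
#include <stdio.h>
#include <string.h>

/* Revoked codes as they appear in the listing (0044A55C and 0044A548). */
static const char *const REVOKED[] = { "eLRYdMs7IhHiObJg", "FkZQYRjGoBNcgJVU" };

/* Character transform from 00401F59..00401F6C. */
static int decode_char(char ch)
{
    int c = (signed char)ch;          /* the listing uses signed JL compares */
    if (c >= 0x61) return c - 0x3D;
    if (c >= 0x41) return c - 0x37;
    return c - 0x30;
}

/* Pair rule from 00401F84..00401F98: each of the 8 pairs must sum to 0x3D. */
int pair_rule_ok(const char *code)
{
    if (strlen(code) != 16) return 0; /* model simplification: fixed length */
    for (size_t i = 0; i < 16; i += 2)
        if (decode_char(code[i]) + decode_char(code[i + 1]) != 0x3D)
            return 0;
    return 1;
}

int is_revoked(const char *code)
{
    for (size_t i = 0; i < sizeof REVOKED / sizeof REVOKED[0]; i++)
        if (strcmp(code, REVOKED[i]) == 0) return 1;
    return 0;
}

/* Entry dialog as described: length 16 and not blacklisted, then stored. */
int entry_accepts(const char *code) { return strlen(code) == 16 && !is_revoked(code); }

/* Startup check as described: pair rule only, blacklist never consulted. */
int startup_as_described(const char *stored) { return pair_rule_ok(stored); }

/* Consistent enforcement: revocation applied on the path that grants the license. */
int startup_with_revocation(const char *stored)
{ return pair_rule_ok(stored) && !is_revoked(stored); }

int main(void)
{
    const char *k = REVOKED[0];
    printf("entry=%d startup_as_described=%d startup_with_revocation=%d\n",
           entry_accepts(k), startup_as_described(k), startup_with_revocation(k));
    return 0;
}
```

The pair rule is not bound to the user name and is fully recoverable from the client binary, so a revocation list only has value alongside a check whose secret is not shipped in the client, such as verifying a vendor signature over the user name.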