
Broadband Web Server (ADSLWebServer) V1.2


Author: 巧巧读书  Source: 巧巧读书  June 27, 2008

Keywords: Internet café, Internet café networking, Internet café server setup

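  【Software restriction】: feature-limited

  【Author's statement】: I am new to cracking and do this purely out of interest, with no other purpose. Please point out any mistakes!

  【Tools】: TRW2000 (娃娃 modified edition), Ollydbg 1.09, W32Dasm 9.0 Platinum edition

  —————————————————————————————————

  【Process】:

  The algorithms in the "搜易" software series are in fact all much the same; it is just that most of its commercial software is released as incomplete versions.

  This is very simple stuff. I wrote it up only because a friend wanted my notes; it has little value.

  adslwebserverV12.exe is not packed. It is written in Borland Delphi 6.0.

  Serial number: 204706460

  Trial code: 13572468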

  —————————————————————————————————

  Looking at the prompts the software's author provides, it is easy to find the following location:

  * Possible StringData Ref from Code Obj ->"00000000"
  |
  :004B3AB2 BAE03B4B00      mov edx, 004B3BE0
  :004B3AB7 E8B40DF5FF      call 00404870
  :004B3ABC 8D4DF4          lea ecx, dword ptr [ebp-0C]

  * Possible StringData Ref from Code Obj ->"请输入您的软件注册码"
  |
  :004B3ABF BAF43B4B00      mov edx, 004B3BF4

  * Possible StringData Ref from Code Obj ->"登记注册"
  |
  :004B3AC4 B8143C4B00      mov eax, 004B3C14
  :004B3AC9 E80A8FF8FF      call 0043C9D8
  :004B3ACE 3C01            cmp al, 01
  :004B3AD0 0F85D5000000    jne 004B3BAB
  :004B3AD6 8D55E0          lea edx, dword ptr [ebp-20]
  :004B3AD9 8B45F4          mov eax, dword ptr [ebp-0C]
  ====>EAX=13572468 (the trial code)
  :004B3ADC E8CB51F5FF      call 00408CAC
  :004B3AE1 8B45E0          mov eax, dword ptr [ebp-20]
  :004B3AE4 E89754F5FF      call 00408F80
  ====>Converts the trial code 13572468 to its hexadecimal value
  :004B3AE9 8945F8          mov dword ptr [ebp-08], eax
  ====>[ebp-08]=00CF1974(H)=13572468(D)
  :004B3AEC 8955FC          mov dword ptr [ebp-04], edx
  :004B3AEF 6A00            push 00000000
  :004B3AF1 6A45            push 00000045
  :004B3AF3 8B45F8          mov eax, dword ptr [ebp-08]
  :004B3AF6 8B55FC          mov edx, dword ptr [ebp-04]
  :004B3AF9 E8BA1CF5FF      call 004057B8
  ====>Divides by 45 (hex) in here
  ====>EAX=00CF1974 / 45=0003005E
  :004B3AFE 8945F8          mov dword ptr [ebp-08], eax
  :004B3B01 8955FC          mov dword ptr [ebp-04], edx
  :004B3B04 8B45F8          mov eax, dword ptr [ebp-08]
  :004B3B07 8B55FC          mov edx, dword ptr [ebp-04]
  :004B3B0A 2D983D0100      sub eax, 00013D98
  ====>EAX=0003005E - 00013D98=0001C2C6
  :004B3B0F 83DA00          sbb edx, 00000000
  :004B3B12 8945F8          mov dword ptr [ebp-08], eax
  ====>[ebp-08]=EAX=0001C2C6
  :004B3B15 8955FC          mov dword ptr [ebp-04], edx
  :004B3B18 8D45E4          lea eax, dword ptr [ebp-1C]
  :004B3B1B E8A4DDFFFF      call 004B18C4
  ====>Gets CPUID =00000F13
  :004B3B20 8B4DE4          mov ecx, dword ptr [ebp-1C]
  :004B3B23 8BC1            mov eax, ecx
  :004B3B25 99              cdq
  :004B3B26 3B55FC          cmp edx, dword ptr [ebp-04]
  :004B3B29 756B            jne 004B3B96
  :004B3B2B 3B45F8          cmp eax, dword ptr [ebp-08]
  ====>The comparison! If equal, OK! ^O^ ^O^
  ====>EAX=00000F13
  ====>[ebp-08]=0001C2C6
  :004B3B2E 7566            jne 004B3B96
  ====>If this jumps, it is OVER!
  :004B3B30 33D2            xor edx, edx
  :004B3B32 8B83C4030000    mov eax, dword ptr [ebx+000003C4]
  :004B3B38 8B08            mov ecx, dword ptr [eax]
  :004B3B3A FF5164          call [ecx+64]
  :004B3B3D B201            mov dl, 01
  :004B3B3F 8B8304030000    mov eax, dword ptr [ebx+00000304]
  :004B3B45 8B08            mov ecx, dword ptr [eax]
  :004B3B47 FF5164          call [ecx+64]

  * Possible StringData Ref from Code Obj ->"已注册登记版本"
  |
  :004B3B4A BA283C4B00      mov edx, 004B3C28
  :004B3B4F 8B83C0030000    mov eax, dword ptr [ebx+000003C0]
  :004B3B55 E846F8F8FF      call 004433A0
  :004B3B5A 8B837C030000    mov eax, dword ptr [ebx+0000037C]
  :004B3B60 C7400C09000000  mov [eax+0C], 00000009
  :004B3B67 33D2            xor edx, edx
  :004B3B69 8B83CC030000    mov eax, dword ptr [ebx+000003CC]
  :004B3B6F E82CF8F8FF      call 004433A0
  :004B3B74 8B83EC030000    mov eax, dword ptr [ebx+000003EC]
  :004B3B7A E831E2FCFF      call 00481DB0
  :004B3B7F 6A00            push 00000000
  :004B3B81 668B0D383C4B00  mov cx, word ptr [004B3C38]
  :004B3B88 B202            mov dl, 02

  * Possible StringData Ref from Code Obj ->"软件登记注册成功"
  :004B3B8A B8443C4B00      mov eax, 004B3C44
  :004B3B8F E8288DF8FF      call 0043C8BC
  ====>Heh, the goddess of victory!
  :004B3B94 EB15            jmp 004B3BAB

  * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  |:004B3B29(C), :004B3B2E(C)
  |
  :004B3B96 6A00            push 00000000
  :004B3B98 668B0D383C4B00  mov cx, word ptr [004B3C38]
  :004B3B9F B201            mov dl, 01

  * Possible StringData Ref from Code Obj ->"软件注册号错误"
  :004B3BA1 B8603C4B00      mov eax, 004B3C60
  :004B3BA6 E8118DF8FF      call 0043C8BC
  ====>BAD BOY!

  Is there any need to work out the inverse to get the registration code? NO! The author has in fact already computed the registration code for us! ^O^ ^O^

  —————————————————————————————————

  The following was intercepted at program startup:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:004B1AEB(C)
  |
  :004B1B20 8B45FC          mov eax, dword ptr [ebp-04]
  :004B1B23 8B80C4030000    mov eax, dword ptr [eax+000003C4]
  :004B1B29 8B10            mov edx, dword ptr [eax]
  :004B1B2B FF5250          call [edx+50]
  :004B1B2E 3C01            cmp al, 01
  :004B1B30 0F8596000000    jne 004B1BCC
  :004B1B36 8D45DC          lea eax, dword ptr [ebp-24]
  :004B1B39 E886FDFFFF      call 004B18C4
  ====>Gets CPUID
  :004B1B3E 8B45DC          mov eax, dword ptr [ebp-24]
  ====>EAX=0F13 CPUID
  :004B1B41 99              cdq
  :004B1B42 8945F0          mov dword ptr [ebp-10], eax
  :004B1B45 8955F4          mov dword ptr [ebp-0C], edx
  :004B1B48 8B45F0          mov eax, dword ptr [ebp-10]
  :004B1B4B 8B55F4          mov edx, dword ptr [ebp-0C]
  :004B1B4E 05983D0100      add eax, 00013D98
  ====>EAX=0F13 + 00013D98=00014CAB
  :004B1B53 83D200          adc edx, 00000000
  :004B1B56 8945F0          mov dword ptr [ebp-10], eax
  :004B1B59 8955F4          mov dword ptr [ebp-0C], edx
  :004B1B5C 6A00            push 00000000
  :004B1B5E 6A45            push 00000045
  :004B1B60 8B45F0          mov eax, dword ptr [ebp-10]
  :004B1B63 8B55F4          mov edx, dword ptr [ebp-0C]
  :004B1B66 E8293CF5FF      call 00405794
  ====>Multiplies by 45 (hex) in here; the decimal value of the result is in fact the registration code!
  ====>EAX=00014CAB * 45=0059AA17(H)=5876247(D)
  :004B1B6B 8945F0          mov dword ptr [ebp-10], eax
  :004B1B6E 8955F4          mov dword ptr [ebp-0C], edx
  :004B1B71 8B45F0          mov eax, dword ptr [ebp-10]
  :004B1B74 8B55F4          mov edx, dword ptr [ebp-0C]
  :004B1B77 2D636B0000      sub eax, 00006B63
  ====>EAX=0059AA17 - 00006B63=00593EB4
  :004B1B7C 83DA00          sbb edx, 00000000
  :004B1B7F 8945F0          mov dword ptr [ebp-10], eax
  :004B1B82 8955F4          mov dword ptr [ebp-0C], edx
  :004B1B85 6A00            push 00000000
  :004B1B87 6A23            push 00000023
  :004B1B89 8B45F0          mov eax, dword ptr [ebp-10]
  :004B1B8C 8B55F4          mov edx, dword ptr [ebp-0C]
  :004B1B8F E8003CF5FF      call 00405794
  ====>Multiplies again by 23 (hex) in here; the decimal value of the result is in fact the serial number!
  ====>EAX=00593EB4 * 23=0C33929C
  :004B1B94 8945F0          mov dword ptr [ebp-10], eax
  ====>[ebp-10]=0C33929C(H)=204706460(D), the serial number

  —————————————————————————————————

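  【Algorithm summary】:

  Divide the hexadecimal value of the serial number by 23 (hex), then add 00006B63; the decimal value of the result is the registration code.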
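
  The design lesson from the trace, as an added example that is not part of the original article or of the product: the client computes the expected code itself from a value it also displays, so the whole generator ships with the program, whereas a signed license leaves only a verifier in the client. The names `vendor_sign`, `client_verify` and the `license-v1:` prefix are hypothetical, and the key is a constructed demo key built from two Mersenne primes (textbook RSA, for illustration only).

```python
import hashlib

# Scheme traced on this page; constants come from the disassembly above.
def weak_check(code: int, cpuid: int) -> bool:
    # 004B3AF9: integer divide by 0x45; 004B3B0A: subtract 0x13D98;
    # 004B3B2B: compare with the value the client reads from CPUID.
    return code // 0x45 - 0x13D98 == cpuid

# Hardened sketch (hypothetical names): the vendor signs the machine ID and
# the shipped client holds only the public half (N, E), so reading the
# client's code yields a verifier, not a generator.
# Constructed demo key: two Mersenne primes keep the example deterministic
# and offline. This is textbook RSA for illustration; a product would use a
# vetted library (for example Ed25519 or RSA-PSS) with generated keys.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
_D = pow(E, -1, (P - 1) * (Q - 1))  # vendor-side secret, never shipped

def _digest(machine_id: int) -> int:
    data = b"license-v1:%d" % machine_id
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def vendor_sign(machine_id: int) -> int:
    """Runs only on the vendor's side."""
    return pow(_digest(machine_id), _D, N)

def client_verify(machine_id: int, license_code: int) -> bool:
    """Runs in the shipped client; needs no secret."""
    if not 0 < license_code < N:
        return False
    return pow(license_code, E, N) == _digest(machine_id)

if __name__ == "__main__":
    cpuid = 0x0F13  # value shown in the trace
    print(weak_check(5876247, cpuid), weak_check(13572468, cpuid))
    lic = vendor_sign(cpuid)
    print(client_verify(cpuid, lic), client_verify(cpuid + 1, lic))
```

  Any purely local verifier still ends in a conditional branch, so the single-instruction patch listed further down this page is a separate problem that signing alone does not address.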

  —————————————————————————————————

  【C++ KeyGen】:

  #include <iostream>
  using namespace std;

  int main()
  {
      unsigned long int m, s;   // m: serial number entered, s: registration code

      cout<<"\n\n★★★★宽带Web服务器(ADSLWebServer) V1.2 KeyGen{13th}★★★★\n\n\n\n";
      cout<<"请输入序列号:";
      cin >>m;

      // Algorithm summary above: serial / 23h + 6B63h
      s=m/0X23+0X6B63;

      cout<<"\n呵呵,注册码:"<<s<<endl;
      cout<<"\n\n\nCracked By 巢水工作坊——fly [OCN][FCG] 2003-06-17 01:30 COMPILE";
      cout<<"\n\n\n * * * 按回车退出!* * *";cin.get();cin.get();
      return 0;
  }

  —————————————————————————————————

  【Perfect patch】

  004B3B2E 7566 jne 004B3B96

  Change to: 9090 (NOP it out)

  —————————————————————————————————

  【KeyMake {94th} memory keygen】:

  Breakpoint address: 004B1B6B
  Break count: 1
  First byte: 89
  Instruction length: 3
  Register mode: EAX
  Decimal value

  —————————————————————————————————

  【Where the registration information is stored】:

  REGEDIT4

  [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{1AE69D60-73D0-11D4-BD52-38A480C50000}]

  "231114271"="231114271"

  —————————————————————————————————

  【Summary】:

  Serial number: 204706460

  Registration code: 5876247

  ————————————————————————————————
