扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、W32Dasm 9.0白金版
—————————————————————————————————
【过 程】:
其实“搜易”系列软件的算法都是差不多的,只是其商业软件大部分放出来的是不完全版本。
很简单的东西,因为有朋友要笔记,所以写了一下,没有什么价值。
adslwebserverV12.exe 无壳。Borland Delphi6.0 编写。
序列号:204706460
试炼码:13572468
—————————————————————————————————
查看作者给的提示,很容易就找到下面的地方:
* Possible StringData Ref from Code Obj ->"00000000"
|
:004B3AB2 BAE03B4B00 mov edx, 004B3BE0
:004B3AB7 E8B40DF5FF call 00404870
:004B3ABC 8D4DF4 lea ecx, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"请输入您的软件注册码"
|
:004B3ABF BAF43B4B00 mov edx, 004B3BF4
* Possible StringData Ref from Code Obj ->"登记注册"
|
:004B3AC4 B8143C4B00 mov eax, 004B3C14
:004B3AC9 E80A8FF8FF call 0043C9D8
:004B3ACE 3C01 cmp al, 01
:004B3AD0 0F85D5000000 jne 004B3BAB
:004B3AD6 8D55E0 lea edx, dword ptr [ebp-20]
:004B3AD9 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=13572468 试炼码
:004B3ADC E8CB51F5FF call 00408CAC
:004B3AE1 8B45E0 mov eax, dword ptr [ebp-20]
:004B3AE4 E89754F5FF call 00408F80
====>取试炼码13572468的16进制值
:004B3AE9 8945F8 mov dword ptr [ebp-08], eax
====>[ebp-08]=00CF1974(H)=13572468(D)
:004B3AEC 8955FC mov dword ptr [ebp-04], edx
:004B3AEF 6A00 push 00000000
:004B3AF1 6A45 push 00000045
:004B3AF3 8B45F8 mov eax, dword ptr [ebp-08]
:004B3AF6 8B55FC mov edx, dword ptr [ebp-04]
:004B3AF9 E8BA1CF5FF call 004057B8
====>这里面除以45
====>EAX=00CF1974 / 45=0003005E
:004B3AFE 8945F8 mov dword ptr [ebp-08], eax
:004B3B01 8955FC mov dword ptr [ebp-04], edx
:004B3B04 8B45F8 mov eax, dword ptr [ebp-08]
:004B3B07 8B55FC mov edx, dword ptr [ebp-04]
:004B3B0A 2D983D0100 sub eax, 00013D98
====>EAX=0003005E - 00013D98=0001C2C6
:004B3B0F 83DA00 sbb edx, 00000000
:004B3B12 8945F8 mov dword ptr [ebp-08], eax
====>[ebp-08]=EAX=0001C2C6
:004B3B15 8955FC mov dword ptr [ebp-04], edx
:004B3B18 8D45E4 lea eax, dword ptr [ebp-1C]
:004B3B1B E8A4DDFFFF call 004B18C4
====>取CPUID =00000F13
:004B3B20 8B4DE4 mov ecx, dword ptr [ebp-1C]
:004B3B23 8BC1 mov eax, ecx
:004B3B25 99 cdq
:004B3B26 3B55FC cmp edx, dword ptr [ebp-04]
:004B3B29 756B jne 004B3B96
:004B3B2B 3B45F8 cmp eax, dword ptr [ebp-08]
====>比较了!相等则OK! ^O^ ^O^
====>EAX=00000F13
====>[ebp-08]=0001C2C6
:004B3B2E 7566 jne 004B3B96
====>跳则OVER!
:004B3B30 33D2 xor edx, edx
:004B3B32 8B83C4030000 mov eax, dword ptr [ebx+000003C4]
:004B3B38 8B08 mov ecx, dword ptr [eax]
:004B3B3A FF5164 call [ecx+64]
:004B3B3D B201 mov dl, 01
:004B3B3F 8B8304030000 mov eax, dword ptr [ebx+00000304]
:004B3B45 8B08 mov ecx, dword ptr [eax]
:004B3B47 FF5164 call [ecx+64]
* Possible StringData Ref from Code Obj ->"已注册登记版本"
|
:004B3B4A BA283C4B00 mov edx, 004B3C28
:004B3B4F 8B83C0030000 mov eax, dword ptr [ebx+000003C0]
:004B3B55 E846F8F8FF call 004433A0
:004B3B5A 8B837C030000 mov eax, dword ptr [ebx+0000037C]
:004B3B60 C7400C09000000 mov [eax+0C], 00000009
:004B3B67 33D2 xor edx, edx
:004B3B69 8B83CC030000 mov eax, dword ptr [ebx+000003CC]
:004B3B6F E82CF8F8FF call 004433A0
:004B3B74 8B83EC030000 mov eax, dword ptr [ebx+000003EC]
:004B3B7A E831E2FCFF call 00481DB0
:004B3B7F 6A00 push 00000000
:004B3B81 668B0D383C4B00 mov cx, word ptr [004B3C38]
:004B3B88 B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"软件登记注册成功"
:004B3B8A B8443C4B00 mov eax, 004B3C44
:004B3B8F E8288DF8FF call 0043C8BC
====>呵呵,胜利女神!
:004B3B94 EB15 jmp 004B3BAB
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B3B29(C), :004B3B2E(C)
|
:004B3B96 6A00 push 00000000
:004B3B98 668B0D383C4B00 mov cx, word ptr [004B3C38]
:004B3B9F B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"软件注册号错误"
:004B3BA1 B8603C4B00 mov eax, 004B3C60
:004B3BA6 E8118DF8FF call 0043C8BC
====>BAD BOY!
是否需要简单求逆注册码?NO!其实作者已经帮我们把注册码算好了! ^O^ ^O^
—————————————————————————————————
下面是程序启动时拦截的:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B1AEB(C)
|
:004B1B20 8B45FC mov eax, dword ptr [ebp-04]
:004B1B23 8B80C4030000 mov eax, dword ptr [eax+000003C4]
:004B1B29 8B10 mov edx, dword ptr [eax]
:004B1B2B FF5250 call [edx+50]
:004B1B2E 3C01 cmp al, 01
:004B1B30 0F8596000000 jne 004B1BCC
:004B1B36 8D45DC lea eax, dword ptr [ebp-24]
:004B1B39 E886FDFFFF call 004B18C4
====>取CPUID
:004B1B3E 8B45DC mov eax, dword ptr [ebp-24]
====>EAX=0F13 CPUID
:004B1B41 99 cdq
:004B1B42 8945F0 mov dword ptr [ebp-10], eax
:004B1B45 8955F4 mov dword ptr [ebp-0C], edx
:004B1B48 8B45F0 mov eax, dword ptr [ebp-10]
:004B1B4B 8B55F4 mov edx, dword ptr [ebp-0C]
:004B1B4E 05983D0100 add eax, 00013D98
====>EAX=0F13 + 00013D98=00014CAB
:004B1B53 83D200 adc edx, 00000000
:004B1B56 8945F0 mov dword ptr [ebp-10], eax
:004B1B59 8955F4 mov dword ptr [ebp-0C], edx
:004B1B5C 6A00 push 00000000
:004B1B5E 6A45 push 00000045
:004B1B60 8B45F0 mov eax, dword ptr [ebp-10]
:004B1B63 8B55F4 mov edx, dword ptr [ebp-0C]
:004B1B66 E8293CF5FF call 00405794
====>这里面乘以45,所得结果的10进制值其实就是注册码!
====>EAX=00014CAB * 45=0059AA17(H)=5876247(D)
:004B1B6B 8945F0 mov dword ptr [ebp-10], eax
:004B1B6E 8955F4 mov dword ptr [ebp-0C], edx
:004B1B71 8B45F0 mov eax, dword ptr [ebp-10]
:004B1B74 8B55F4 mov edx, dword ptr [ebp-0C]
:004B1B77 2D636B0000 sub eax, 00006B63
====>EAX=0059AA17 - 00006B63=00593EB4
:004B1B7C 83DA00 sbb edx, 00000000
:004B1B7F 8945F0 mov dword ptr [ebp-10], eax
:004B1B82 8955F4 mov dword ptr [ebp-0C], edx
:004B1B85 6A00 push 00000000
:004B1B87 6A23 push 00000023
:004B1B89 8B45F0 mov eax, dword ptr [ebp-10]
:004B1B8C 8B55F4 mov edx, dword ptr [ebp-0C]
:004B1B8F E8003CF5FF call 00405794
====>这里面再乘以23,所得结果的10进制值其实就是序列号!
====>EAX=00593EB4 * 23=0C33929C
:004B1B94 8945F0 mov dword ptr [ebp-10], eax
====>[ebp-10]=0C33929C(H)=204706460(D) 序列号
—————————————————————————————————
【算 法 总 结】:
序列号的16进制值除以23,再加上00006B63,所得结果的10进制值就是注册码
—————————————————————————————————
【C++ KeyGen】:
#include<iostream.h>
void main()
{
unsigned long int m,s;
cout<<"\n\n★★★★宽带Web服务器(ADSLWebServer) V1.2 KeyGen{13th}★★★★\n\n\n\n";
cout<<"请输入序列号:";
cin >>m;
s=m/0X23+0X6B63;
cout<<"\n呵呵,注册码:"<<s<<endl;
cout<<"\n\n\nCracked By 巢水工作坊——fly [OCN][FCG] 2003-06-17 01:30 COMPILE";
cout<<"\n\n\n * * * 按回车退出!* * *";cin.get();cin.get();
}
—————————————————————————————————
【完 美 爆 破】
004B3B2E 7566 jne 004B3B96
改为: 9090 NOP掉
—————————————————————————————————
【KeyMake之{94th}内存注册机】:
中断地址:004B1B6B
中断次数:1
第一字节:89
指令长度:3
寄存器方式:EAX
10进制值
—————————————————————————————————
【注册信息保存】:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{1AE69D60-73D0-11D4-BD52-38A480C50000}]
"231114271"="231114271"
—————————————————————————————————
【整 理】:
序列号:204706460
注册码:5876247
————————————————————————————————
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。
现场直击|2021世界人工智能大会
直击5G创新地带,就在2021MWC上海
5G已至 转型当时——服务提供商如何把握转型的绝佳时机
寻找自己的Flag
华为开发者大会2020(Cloud)- 科技行者