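Download URL: http://www.etoolssoft.com/files/ebmen.exe
Size: 908 KB
Language: English
Category: Chinese-made software / Shareware / Bookmark tools
Platform: Win9x/NT/2000/XP
Date added: 2002-08-27 18:03:23
Downloads: 888
Rating: ***
Developer: http://www.etoolssoft.com/
[Software description]: A bookmark manager for local files and the Internet. Main features:
1. Organizes Internet bookmarks and disk files into categories and provides fast, convenient bookmark search.
2. Easy editing and updating; drag and drop can be used to rearrange bookmark categories and the placement of bookmarks.
3. Supports drag and drop from files and Internet browsers: files and URLs can be dragged straight into eBookmark, saving manual entry.
4. Bookmarks can be locked per category to keep others from viewing your private bookmarks.
5. Validates Internet bookmarks automatically in the background, avoiding slow, time-consuming manual checks.
6. Existing bookmarks can easily be imported into eBookmark.
7. Includes several hundred commonly used categorized bookmarks, which can also be easily edited and updated.
[Limitation]: 30-day trial.
[Author's statement]: I am new to cracking and do this purely out of interest, with no other purpose. If I have made mistakes, I would appreciate corrections from the experts!
[Tools]: TRW2000 (Wawa modified edition), Ollydbg 1.09, PEiD, W32Dasm 9.0 Platinum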
—————————————————————————————————
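[Process]:
A friend said that a registration code he found registered successfully, but after a restart the program went back to unregistered. I tried it and, sure enough, this thing quietly connects to the network to verify the registration!
fxyang said: "After registering successfully with the code, block its network access in the firewall, i.e. do not let it perform the online verification, and it will not report an error."
Thanks, fxyang! I also made a complete patch that solves the online verification problem, so it no longer reverts to unregistered when connected to the network!
ebm.exe: the detection tools found no packer. Written in Delphi.
User name: fly01 (at least 5 characters)
Trial code: 1234567890ABCDEF (must be 16 characters)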
—————————————————————————————————
The program's requirements for the user name and registration code:
:004A4BDC E81FA5F9FF call 0043F100
:004A4BE1 8B45D8 mov eax, dword ptr [ebp-28]
:004A4BE4 8D55F4 lea edx, dword ptr [ebp-0C]
:004A4BE7 E8703BF6FF call 0040875C
:004A4BEC 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=fly01 (user name)
:004A4BEF E874F2F5FF call 00403E68
====>Get the length of the user name
:004A4BF4 83F805 cmp eax, 00000005
====>Fewer than 5 characters?
:004A4BF7 7D2D jge 004A4C26
====>If this does not jump, it's OVER!
:004A4BF9 6A00 push 00000000
:004A4BFB 8D55D4 lea edx, dword ptr [ebp-2C]
* Possible StringData Ref from Code Obj ->"SC_UNameLess5"
|
:004A4BFE B8644D4A00 mov eax, 004A4D64
:004A4C03 E8E0DE0000 call 004B2AE8
:004A4C08 8B45D4 mov eax, dword ptr [ebp-2C]
:004A4C0B E81CF4F5FF call 0040402C
:004A4C10 50 push eax
:004A4C11 8B45FC mov eax, dword ptr [ebp-04]
:004A4C14 E8BF05FAFF call 004451D8
:004A4C19 B102 mov cl, 02
:004A4C1B 5A pop edx
:004A4C1C E8FFDE0000 call 004B2B20
:004A4C21 E9F8000000 jmp 004A4D1E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A4BF7(C)
|
:004A4C26 8D45DF lea eax, dword ptr [ebp-21]
:004A4C29 33C9 xor ecx, ecx
:004A4C2B BA11000000 mov edx, 00000011
:004A4C30 E803DFF5FF call 00402B38
:004A4C35 8D55F8 lea edx, dword ptr [ebp-08]
:004A4C38 8B45FC mov eax, dword ptr [ebp-04]
:004A4C3B 8B80D8020000 mov eax, dword ptr [eax+000002D8]
:004A4C41 E8BAA4F9FF call 0043F100
:004A4C46 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=1234567890ABCDEF (trial code)
:004A4C49 E81AF2F5FF call 00403E68
====>Get the length of the trial code
:004A4C4E 83F810 cmp eax, 00000010
====>Fewer than 16 characters?
:004A4C51 0F8CC7000000 jl 004A4D1E
====>If this jumps, it's OVER!
:004A4C57 BA01000000 mov edx, 00000001
:004A4C5C 8D45DF lea eax, dword ptr [ebp-21]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A4C6D(C)
|
:004A4C5F 8B4DF8 mov ecx, dword ptr [ebp-08]
:004A4C62 8A4C11FF mov cl, byte ptr [ecx+edx-01]
:004A4C66 8808 mov byte ptr [eax], cl
:004A4C68 42 inc edx
:004A4C69 40 inc eax
:004A4C6A 83FA11 cmp edx, 00000011
:004A4C6D 75F0 jne 004A4C5F
:004A4C6F B201 mov dl, 01
:004A4C71 A180304500 mov eax, dword ptr [00453080]
:004A4C76 E871E5FAFF call 004531EC
:004A4C7B 8945F0 mov dword ptr [ebp-10], eax
:004A4C7E 33C0 xor eax, eax
:004A4C80 55 push ebp
:004A4C81 68EF4C4A00 push 004A4CEF
:004A4C86 64FF30 push dword ptr fs:[eax]
:004A4C89 648920 mov dword ptr fs:[eax], esp
:004A4C8C BA02000080 mov edx, 80000002
:004A4C91 8B45F0 mov eax, dword ptr [ebp-10]
:004A4C94 E82FE6FAFF call 004532C8
:004A4C99 B101 mov cl, 01
====>Next, the registration info is saved to the registry. It is compared on restart!
* Possible StringData Ref from Code Obj ->"\software\Rockboy\eBookmark"
|
:004A4C9B BA7C4D4A00 mov edx, 004A4D7C
:004A4CA0 8B45F0 mov eax, dword ptr [ebp-10]
:004A4CA3 E864E7FAFF call 0045340C
:004A4CA8 8B4DF4 mov ecx, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"UserName"
|
:004A4CAB BAA04D4A00 mov edx, 004A4DA0
:004A4CB0 8B45F0 mov eax, dword ptr [ebp-10]
:004A4CB3 E8A0ECFAFF call 00453958
:004A4CB8 B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"\software\Rockboy\eBookmark\"
|
:004A4CBA BAB44D4A00 mov edx, 004A4DB4
:004A4CBF 8B45F0 mov eax, dword ptr [ebp-10]
:004A4CC2 E845E7FAFF call 0045340C
:004A4CC7 6A11 push 00000011
:004A4CC9 8D4DDF lea ecx, dword ptr [ebp-21]
* Possible StringData Ref from Code Obj ->"UserData"
====>Where the registration code is stored!
:004A4CCC BADC4D4A00 mov edx, 004A4DDC
:004A4CD1 8B45F0 mov eax, dword ptr [ebp-10]
:004A4CD4 E8EFEDFAFF call 00453AC8
:004A4CD9 33C0 xor eax, eax
:004A4CDB 5A pop edx
:004A4CDC 59 pop ecx
:004A4CDD 59 pop ecx
:004A4CDE 648910 mov dword ptr fs:[eax], edx
* Possible StringData Ref from Code Obj ->""
|
:004A4CE1 68F64C4A00 push 004A4CF6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A4CF4(U)
|
:004A4CE6 8B45F0 mov eax, dword ptr [ebp-10]
:004A4CE9 E8AEE1F5FF call 00402E9C
:004A4CEE C3 ret
:004A4D19 E802DE0000 call 004B2B20
====>Asks for a restart to confirm the registration
—————————————————————————————————
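The registration check at program restart. Because the registration info is stored in the registry, after loading the program in TRW you can set the breakpoint bpx regqueryvalueexa do"dd*(esp+8)" and keep pressing F5. The program breaks again and again, about 30 times, until you have seen "UserData" twice in TRW; then you can disable the breakpoint and press F12 to return to the program's own code. Step with F10 and you soon arrive at the code below. You can also search the disassembly directly for "UserData", which leads to the core routine as well. Use whichever method you find handier. I prefer the second one; it is convenient.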
* Referenced by a CALL at Address:
|:004BD385
|
:004BCB28 55 push ebp
:004BCB29 8BEC mov ebp, esp
:004BCB2B 83C4D0 add esp, FFFFFFD0
:004BCB2E 33C0 xor eax, eax
:004BCB30 8945F8 mov dword ptr [ebp-08], eax
:004BCB33 33C0 xor eax, eax
:004BCB35 55 push ebp
:004BCB36 68F9CB4B00 push 004BCBF9
:004BCB3B 64FF30 push dword ptr fs:[eax]
:004BCB3E 648920 mov dword ptr fs:[eax], esp
:004BCB41 C645FF00 mov [ebp-01], 00
:004BCB45 B201 mov dl, 01
:004BCB47 A180304500 mov eax, dword ptr [00453080]
:004BCB4C E89B66F9FF call 004531EC
:004BCB51 8945F4 mov dword ptr [ebp-0C], eax
:004BCB54 33C0 xor eax, eax
:004BCB56 55 push ebp
:004BCB57 68DCCB4B00 push 004BCBDC
:004BCB5C 64FF30 push dword ptr fs:[eax]
:004BCB5F 648920 mov dword ptr fs:[eax], esp
:004BCB62 BA02000080 mov edx, 80000002
:004BCB67 8B45F4 mov eax, dword ptr [ebp-0C]
:004BCB6A E85967F9FF call 004532C8
:004BCB6F B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"\software\Rockboy\eBookmark"
====>Read the registration info
:004BCB71 BA10CC4B00 mov edx, 004BCC10
:004BCB76 8B45F4 mov eax, dword ptr [ebp-0C]
:004BCB79 E88E68F9FF call 0045340C
:004BCB7E 84C0 test al, al
:004BCB80 7444 je 004BCBC6
====>If this jumps, it's OVER!
:004BCB82 8D4DF8 lea ecx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"UserName"
|
:004BCB85 BA34CC4B00 mov edx, 004BCC34
:004BCB8A 8B45F4 mov eax, dword ptr [ebp-0C]
:004BCB8D E8F26DF9FF call 00453984
:004BCB92 6A11 push 00000011
:004BCB94 8D4DE3 lea ecx, dword ptr [ebp-1D]
* Possible StringData Ref from Code Obj ->"UserData"
|
:004BCB97 BA48CC4B00 mov edx, 004BCC48
:004BCB9C 8B45F4 mov eax, dword ptr [ebp-0C]
:004BCB9F E8386FF9FF call 00453ADC
:004BCBA4 8D55D2 lea edx, dword ptr [ebp-2E]
:004BCBA7 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=fly01 (user name)
:004BCBAA E84D86FFFF call 004B51FC
====>The algorithm CALL! Step into it!
:004BCBAF 84C0 test al, al
:004BCBB1 7413 je 004BCBC6
====>If this jumps, it's OVER!
:004BCBB3 8D55E3 lea edx, dword ptr [ebp-1D]
====>EDX=1234567890ABCDEF (trial code)!
:004BCBB6 8D45D2 lea eax, dword ptr [ebp-2E]
====>EAX=22cM19ZWIWWCDDcZ (registration code)!
:004BCBB9 E826C5F4FF call 004090E4
====>The comparison CALL!
:004BCBBE 85C0 test eax, eax
:004BCBC0 7504 jne 004BCBC6
====>If this jumps, it's OVER!
:004BCBC2 C645FF01 mov [ebp-01], 01
====>Set to 1 means OK!
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BCB80(C), :004BCBB1(C), :004BCBC0(C)
|
:004BCBC6 33C0 xor eax, eax
====>Cleared to 0 means OVER!
:004BCBC8 5A pop edx
:004BCBC9 59 pop ecx
:004BCBCA 59 pop ecx
:004BCBCB 648910 mov dword ptr fs:[eax], edx
:004BCBCE 68E3CB4B00 push 004BCBE3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BCBE1(U)
|
:004BCBD3 8B45F4 mov eax, dword ptr [ebp-0C]
:004BCBD6 E8C162F4FF call 00402E9C
:004BCBDB C3 ret
:004BCBDC E91B6AF4FF jmp 004035FC
:004BCBE1 EBF0 jmp 004BCBD3
:004BCBE3 33C0 xor eax, eax
:004BCBE5 5A pop edx
:004BCBE6 59 pop ecx
:004BCBE7 59 pop ecx
:004BCBE8 648910 mov dword ptr fs:[eax], edx
:004BCBEB 6800CC4B00 push 004BCC00
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BCBFE(U)
|
:004BCBF0 8D45F8 lea eax, dword ptr [ebp-08]
:004BCBF3 E8F06FF4FF call 00403BE8
:004BCBF8 C3 ret
:004BCBF9 E9FE69F4FF jmp 004035FC
:004BCBFE EBF0 jmp 004BCBF0
:004BCC00 8A45FF mov al, byte ptr [ebp-01]
====>The value of the registration flag is loaded into AL! The patch point! This time I chose this spot for the complete patch!
:004BCC03 8BE5 mov esp, ebp
:004BCC05 5D pop ebp
:004BCC06 C3 ret
—————————————————————————————————
Stepping into the algorithm CALL: 4BCBAA call 004B51FC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B52C6(C)
|
:004B52CD 8A443EFF mov al, byte ptr [esi+edi-01]
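1. ====>AL=66 Takes the hex value of each character of the user name fly01 in turn
…… ……omitted…… ……16 times in total. If the user name is shorter than 16 characters, its characters are taken cyclically.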
:004B52D1 8801 mov byte ptr [ecx], al
====>[ecx]=AL
:004B52D3 47 inc edi
* Possible StringData Ref from Code Obj ->"k($j3dAd18L;0gfj"
|
:004B52D4 B868534B00 mov eax, 004B5368
====>EAX=k($j3dAd18L;0gfj
:004B52D9 8A4418FF mov al, byte ptr [eax+ebx-01]
1. ====>AL=6B Takes the hex value of each character of k($j3dAd18L;0gfj in turn
…… ……omitted…… ……16 times in total
:004B52DD 3001 xor byte ptr [ecx], al
====>XORs them in turn!
1. ====>[ecx]=66 XOR 6B=0D
2. ====>[ecx]=6C XOR 28=44 i.e. character D
3. ====>[ecx]=79 XOR 24=5D
4. ====>[ecx]=30 XOR 6A=5A i.e. character Z
5. ====>[ecx]=31 XOR 33=02
6. ====>[ecx]=66 XOR 64=02
7. ====>[ecx]=6C XOR 41=2D
8. ====>[ecx]=79 XOR 64=1D
9. ====>[ecx]=30 XOR 31=01
10. ====>[ecx]=31 XOR 38=09
11. ====>[ecx]=66 XOR 4C=2A
12. ====>[ecx]=6C XOR 3B=57 i.e. character W
13. ====>[ecx]=79 XOR 30=49 i.e. character I
14. ====>[ecx]=30 XOR 67=57 i.e. character W
15. ====>[ecx]=31 XOR 66=57 i.e. character W
16. ====>[ecx]=66 XOR 6A=0C
:004B52DF 80397A cmp byte ptr [ecx], 7A
====>Compare the result with 7A. If it is less than 7A, jump ahead. Otherwise perform the operation below!
:004B52E2 7611 jbe 004B52F5
:004B52E4 33C0 xor eax, eax
:004B52E6 8A01 mov al, byte ptr [ecx]
:004B52E8 51 push ecx
:004B52E9 B97A000000 mov ecx, 0000007A
:004B52EE 33D2 xor edx, edx
:004B52F0 F7F1 div ecx
:004B52F2 59 pop ecx
:004B52F3 8811 mov byte ptr [ecx], dl
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B52E2(C)
|
:004B52F5 803930 cmp byte ptr [ecx], 30
====>Compare the result with 30. If it is greater than 30, jump ahead. Otherwise perform the operation below!
:004B52F8 7303 jnb 004B52FD
:004B52FA 800130 add byte ptr [ecx], 30
1. ====>[ecx]=0D + 30=3D
5. ====>[ecx]=02 + 30=32 i.e. character 2
6. ====>[ecx]=02 + 30=32 i.e. character 2
7. ====>[ecx]=2D + 30=5D
8. ====>[ecx]=1D + 30=4D i.e. character M
9. ====>[ecx]=01 + 30=31 i.e. character 1
10. ====>[ecx]=09 + 30=39 i.e. character 9
11. ====>[ecx]=2A + 30=5A i.e. character Z
16. ====>[ecx]=0C + 30=3C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B52F8(C)
|
:004B52FD 8A01 mov al, byte ptr [ecx]
:004B52FF 3C39 cmp al, 39
:004B5301 7607 jbe 004B530A
:004B5303 3C41 cmp al, 41
====>Compare the result with 41. If it is greater than 41, jump ahead. Otherwise perform the operation below!
:004B5305 7303 jnb 004B530A
:004B5307 800107 add byte ptr [ecx], 07
1. ====>[ecx]=3D + 07=44 i.e. character D
16. ====>[ecx]=3C + 07=43 i.e. character C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B5301(C), :004B5305(C)
|
:004B530A 8A01 mov al, byte ptr [ecx]
:004B530C 3C5A cmp al, 5A
:004B530E 7607 jbe 004B5317
:004B5310 3C61 cmp al, 61
====>Compare the result with 61. If it is greater than 61, jump ahead. Otherwise perform the operation below!
:004B5312 7303 jnb 004B5317
:004B5314 800106 add byte ptr [ecx], 06
3. ====>[ecx]=5D + 06=63 i.e. character c
7. ====>[ecx]=5D + 06=63 i.e. character c
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B530E(C), :004B5312(C)
|
:004B5317 43 inc ebx
====>EBX is incremented by 1 each time
:004B5318 41 inc ecx
:004B5319 83FB11 cmp ebx, 00000011
:004B531C 75A5 jne 004B52C3
====>Loops 16 times!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
Memory at [ECX] after the loop ends:
0074FD8B 44 44 63 5A 32 32 63 4D 31 39 5A 57 49 57 57 43 DDcZ22cM19ZWIWWC
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:004B531E BE01000000 mov esi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B5341(C)
|
:004B5323 8A55DB mov dl, byte ptr [ebp-25]
:004B5326 BB01000000 mov ebx, 00000001
:004B532B 8D45DC lea eax, dword ptr [ebp-24]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B5338(C)
|
:004B532E 8A08 mov cl, byte ptr [eax]
:004B5330 8848FF mov byte ptr [eax-01], cl
:004B5333 43 inc ebx
:004B5334 40 inc eax
:004B5335 83FB10 cmp ebx, 00000010
:004B5338 75F4 jne 004B532E
:004B533A 8855EA mov byte ptr [ebp-16], dl
:004B533D 46 inc esi
:004B533E 83FE05 cmp esi, 00000005
:004B5341 75E0 jne 004B5323
====>The code above loops 4*16 times!
Heh, all this elaborate looping merely moves the first 4 characters, DDcZ, of DDcZ22cM19ZWIWWC to the end of the string!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
Memory at [EAX] after the loop ends:
0074FD8B 32 32 63 4D 31 39 5A 57 49 57 57 43 44 44 63 5A 22cM19ZWIWWCDDcZ
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:004B5343 C645EB00 mov [ebp-15], 00
:004B5347 8D55DB lea edx, dword ptr [ebp-25]
====>EDX=22cM19ZWIWWCDDcZ
:004B534A 8B45F0 mov eax, dword ptr [ebp-10]
:004B534D E8B23CF5FF call 00409004
====>EAX=22cM19ZWIWWCDDcZ
:004B5352 B301 mov bl, 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B523B(C), :004B5252(C), :004B5266(C), :004B5274(C), :004B52A6(C)
|
:004B5354 8BC3 mov eax, ebx
:004B5356 5F pop edi
:004B5357 5E pop esi
:004B5358 5B pop ebx
:004B5359 8BE5 mov esp, ebp
:004B535B 5D pop ebp
:004B535C C3 ret
—————————————————————————————————
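[Algorithm summary]:
The algorithm is very simple. It takes the characters of the user name cyclically and XORs them, one by one, with the program's built-in string k($j3dAd18L;0gfj!
For each result: if >7A, take it modulo 7A; if <30, add 30; if <41, add 7; if <61, add 6. In other words, the result is converted into a digit or a letter.
Finally, the first 4 characters of the resulting string are moved to the end, and that is the registration code!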
—————————————————————————————————
[Complete patch]:
004BCC00 8A45FF mov al, byte ptr [ebp-01]
Change to: 8B4501 mov al, 01
Heh, a nice counterpart to 004BCBC2 mov [ebp-01], 01 above! With AL always 1, how could it not be OK?
This way the online verification is no longer a worry!
—————————————————————————————————
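[KeyMake {57th} memory keygen]:
Break address: 4BCBB9
Break count: 1
First byte: E8
Instruction length: 5
Memory mode: EAX
Note: the user name must be at least 5 characters! The registration code is 16 characters!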
—————————————————————————————————
[Where the registration info is stored]:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Rockboy\eBookmark]
"UserName"="fly01"
"UserData"=hex:32,32,63,4d,31,39,5a,57,49,57,57,43,44,44,63,5a,00
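As an added example (not part of the original post): a small Python parser for the REGEDIT4 export above, which shows that UserData is simply the 16-character code in ASCII plus a NUL terminator, 17 bytes in all, matching the push 00000011 before the registry write. The function names parse_reg4 and audit_registration are hypothetical, and the sample input is the export copied from this page.

```python
import re

# The REGEDIT4 export shown on this page, embedded so the example runs offline.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Rockboy\eBookmark]
"UserName"="fly01"
"UserData"=hex:32,32,63,4d,31,39,5a,57,49,57,57,43,44,44,63,5a,00
'''

def parse_reg4(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: value}}.

    Supports string, dword: and hex: (REG_BINARY) values, including the
    ",\\" line continuation regedit emits for long binary data.
    """
    text = re.sub(r',\\\r?\n[ \t]*', ',', text)      # join continued hex lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue                                  # header, blank, comment
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
        elif raw.startswith('dword:'):
            current[name] = int(raw[6:], 16)
        elif raw.startswith('hex:'):
            body = raw[4:].strip(',')
            current[name] = bytes(int(b, 16) for b in body.split(',')) if body else b''
    return keys

def audit_registration(text, key_path=r'HKEY_LOCAL_MACHINE\Software\Rockboy\eBookmark'):
    """Return (user_name, decoded_code, raw_length, is_plaintext) for the key."""
    values = parse_reg4(text)[key_path]
    data = values['UserData']
    body = data.rstrip(b'\x00')
    # Printable ASCII only means the code is stored in the clear.
    plaintext = bool(body) and all(0x20 <= b < 0x7f for b in body)
    code = body.decode('ascii') if plaintext else body.hex()
    return values['UserName'], code, len(data), plaintext

if __name__ == '__main__':
    print(audit_registration(SAMPLE_REG))
```

Because the value lives unprotected under HKEY_LOCAL_MACHINE, the stored registration state can be read or copied by anything able to export that key.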
—————————————————————————————————
[Summary]:
User name: fly01
Registration code: 22cM19ZWIWWCDDcZ
—————————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-4-13 22:22