Software description: helps you create JavaScript-based password-protected pages
DOWNLOAD: http://www.inhua.com/down/htl.zip
Cracking tools: RegMon, TRW 2000 V1.03
**************************************************************************************************************
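In Essence Collection 3, paulyoung wrote a brute-force walkthrough for this program. Here is a gentler, more graceful approach, with some interesting findings along the way. Veterans and beginners alike may want to take a look.
1. Monitor with RegMon and run the software. It reads the following two registry values:
HKLM\SOFTWARE\VirTime\HTL1.4.0\UserName SUCCESS "NOBODY" (user name)
HKLM\SOFTWARE\VirTime\HTL1.4.0\RegKey SUCCESS "NOKEY" (registration code)
I suspected that it reads these two values at startup and checks whether they are correct in order to decide whether it is the registered version. My later disassembly analysis confirmed this guess (analysis omitted).
2. Open REGEDIT and change these two values to "killer" and "6789543267895432678954326789543267895432" respectively.
3. Search for the string in TRW, then set a bpm breakpoint and trace from there.
4. The code analysis is as follows: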
//******************** Program Entry Point ********
:004630EC 55 push ebp
:004630ED 8BEC mov ebp, esp
:004630EF 83C4F4 add esp, FFFFFFF4
:004630F2 B8642F4600 mov eax, 00462F64
:004630F7 E8042FFAFF call 00406000
:004630FC A138574600 mov eax, dword ptr [00465738]
:00463101 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"HTMLock"
|
:00463103 BA6C314600 mov edx, 0046316C
:00463108 E81B18FEFF call 00444928
:0046310D E896DEFFFF call 00460FA8 //press F8 to step in and take a look
:00463112 84C0 test al, al
:00463114 7446 je 0046315C
***************
* Referenced by a CALL at Address:
|:0046310D
|
:00460FA8 55 push ebp
:00460FA9 8BEC mov ebp, esp
:00460FAB 6A00 push 00000000
:00460FAD 6A00 push 00000000
:00460FAF 6A00 push 00000000
...
Press F10 until
...
:0046102A B9C8104600 mov ecx, 004610C8
:0046102F 8B15E8684600 mov edx, dword ptr [004668E8]
:00461035 E85E2CFAFF call 00403C98
:0046103A C605F068460000 mov byte ptr [004668F0], 00
:00461041 C6050869460000 mov byte ptr [00466908], 00
:00461048 E87FFDFFFF call 00460DCC
:0046104D 8B15F4684600 mov edx, dword ptr [004668F4]
:00461053 A1F8684600 mov eax, dword ptr [004668F8]
:00461058 E827EBFFFF call 0045FB84 //D EAX = the fake registration code, D EDX = the fake registration name
(press F8 to step in and take a look)
********
* Referenced by a CALL at Addresses:
|:004609C3 , :00460A3F , :00460C82 , :00461058
|
:0045FB84 55 push ebp
:0045FB85 8BEC mov ebp, esp
:0045FB87 83C4F8 add esp, FFFFFFF8
:0045FB8A 53 push ebx
:0045FB8B 56 push esi
:0045FB8C 33C9 xor ecx, ecx
:0045FB8E 894DF8 mov dword ptr [ebp-08], ecx
:0045FB91 8BDA mov ebx, edx
:0045FB93 8BF0 mov esi, eax
:0045FB95 33C0 xor eax, eax
:0045FB97 55 push ebp
:0045FB98 681EFC4500 push 0045FC1E
:0045FB9D 64FF30 push dword ptr fs:[eax]
:0045FBA0 648920 mov dword ptr fs:[eax], esp
:0045FBA3 C645FF00 mov [ebp-01], 00
:0045FBA7 8BC3 mov eax, ebx
:0045FBA9 E89E40FAFF call 00403C4C
:0045FBAE 83F802 cmp eax, 00000002 //is the name shorter than 2 characters?
:0045FBB1 7C55 jl 0045FC08 //if so, jump to "unregistered"
:0045FBB3 8BC6 mov eax, esi
:0045FBB5 E89240FAFF call 00403C4C
:0045FBBA 83F824 cmp eax, 00000024 //is the registration code shorter than 36 characters?
:0045FBBD 7C49 jl 0045FC08 //if so, jump to "unregistered"
:0045FBBF 33DB xor ebx, ebx
:0045FBC1 8BC6 mov eax, esi
:0045FBC3 E88440FAFF call 00403C4C
:0045FBC8 83E802 sub eax, 00000002
:0045FBCB 85C0 test eax, eax
:0045FBCD 7E0F jle 0045FBDE
:0045FBCF BA01000000 mov edx, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045FBDC(C)
|
:0045FBD4 8A4C16FF mov cl, byte ptr [esi+edx-01] //this loop adds up every character of the registration code except the last two
:0045FBD8 02D9 add bl, cl //the last two digits of the sum are stored in bl
:0045FBDA 42 inc edx //at this point my sum is 7F
:0045FBDB 48 dec eax
:0045FBDC 75F6 jne 0045FBD4 //end of the summing loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045FBCD(C)
|
:0045FBDE 33C0 xor eax, eax
:0045FBE0 8AC3 mov al, bl
:0045FBE2 33D2 xor edx, edx
:0045FBE4 52 push edx
:0045FBE5 50 push eax
:0045FBE6 8D45F8 lea eax, dword ptr [ebp-08]
:0045FBE9 E85AFEFFFF call 0045FA48
:0045FBEE 8B45F8 mov eax, dword ptr [ebp-08]
:0045FBF1 8A400E mov al, byte ptr [eax+0E]
:0045FBF4 3A4622 cmp al, byte ptr [esi+22] //compare character 35 (is it "e"?)
:0045FBF7 750F jne 0045FC08 //if not equal, jump to "unregistered"
:0045FBF9 8B45F8 mov eax, dword ptr [ebp-08]
:0045FBFC 8A400F mov al, byte ptr [eax+0F]
:0045FBFF 3A4623 cmp al, byte ptr [esi+23] //compare character 36 (is it "o"?)
:0045FC02 7504 jne 0045FC08 //if not equal, jump to "unregistered"
:0045FC04 C645FF01 mov [ebp-01], 01 //if execution reaches here, registration succeeds
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0045FBB1(C), :0045FBBD(C), :0045FBF7(C), :0045FC02(C)
|
:0045FC08 33C0 xor eax, eax
:0045FC0A 5A pop edx
*****
:0046312E E8BDDAFFFF call 00460BF0
:00463133 84C0 test al, al
:00463135 7514 jne 0046314B
:00463137 8B1570554600 mov edx, dword ptr [00465570]
:0046313D 8B12 mov edx, dword ptr [edx]
:0046313F A170554600 mov eax, dword ptr [00465570]
:00463144 8B00 mov eax, dword ptr [eax]
:00463146 E885F7FFFF call 004628D0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463135(C)
|
:0046314B A138574600 mov eax, dword ptr [00465738]
:00463150 8B00 mov eax, dword ptr [eax]
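:00463152 E8351CFEFF call 00444D8C //shows the program's main window
So changing regkey to 6789543267895432678954326789543267eo5432 should do it, right?
But after running it, the program is still unregistered. The comparison has now become:
:0045FBF4 3A4622 cmp al, byte ptr [esi+22] //compare character 35 (is it "M"?)
:0045FBF7 750F jne 0045FC08 //if not equal, jump to "unregistered"
:0045FBF9 8B45F8 mov eax, dword ptr [ebp-08]
:0045FBFC 8A400F mov al, byte ptr [eax+0F]
:0045FBFF 3A4623 cmp al, byte ptr [esi+23] //compare character 36 (is it "u"?)
:0045FC02 7504 jne 0045FC08 //if not equal, jump to "unregistered"
:0045FC04 C645FF01 mov [ebp-01], 01 //if execution reaches here, registration succeeds
It turns out that the sum of the registration code held in bl is used as an index to pick letters out of the string "HACKERYouMUSTDie" (haha, how scary; is some trap being set here?), and those letters are compared with characters 35 and 36 of the registration code. But it is actually very simple: keep the sum of the registration code at 7F and make characters 35 and 36 e and o, and registration succeeds. As follows: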
regname:killer
regkey: 6789543267895432678954326789543267eoMP5432
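and the program shows as registered to killer.
Haha, so easy!!
But when I run it to encrypt a file, a dialog pops up: "Your file exceeds 4 KB, please register your software." Sob, it cannot be used. Did I celebrate too soon? Am I the one who MUST Die?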
Can u help me ?
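
The check traced above only length-checks the name and keeps 8 bits of state about the code, so the key is not bound to the user at all. As an added example (not from the original post or from the program), this Python code shows a name-bound keyed check and why an additive checksum cannot stand in for it. `VENDOR_KEY` and all function names are assumptions; HMAC is used because it is in the standard library, whereas a shipped client should hold only the public half of an asymmetric signature key.

```python
import hashlib
import hmac

# Constructed placeholder secret; nothing here comes from the program on the page.
VENDOR_KEY = b"constructed-demo-secret"
KEY_LEN = 36  # same minimum length the original check enforces (cmp eax, 24h)


def sum8(text: str) -> int:
    """8-bit additive checksum, the kind of value the loop at 0045FBD4 leaves in bl."""
    return sum(text.encode("utf-8")) & 0xFF


def issue_license(name: str) -> str:
    """Vendor side: derive the key from the registered name (HMAC-SHA256, truncated)."""
    mac = hmac.new(VENDOR_KEY, name.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:KEY_LEN]


def verify_license(name: str, key: str) -> bool:
    """Accept only the key issued for exactly this name; compare in constant time."""
    expected = issue_license(name).encode("ascii")
    return hmac.compare_digest(expected, key.encode("utf-8"))


def swap_first_unequal_pair(key: str) -> str:
    """Swap the first two adjacent characters that differ (a sum-preserving edit)."""
    for i in range(len(key) - 1):
        if key[i] != key[i + 1]:
            return key[:i] + key[i + 1] + key[i] + key[i + 2:]
    return key


if __name__ == "__main__":
    good = issue_license("killer")  # "killer" is the name used in the post
    edited = swap_first_unequal_pair(good)
    print("issued key accepted:       ", verify_license("killer", good))
    print("checksum unchanged by edit:", sum8(edited) == sum8(good))
    print("edited key accepted:       ", verify_license("killer", edited))
    print("key reused for other name: ", verify_license("someone-else", good))
```

The edited key has the same 8-bit sum as the issued one yet fails the keyed check, and the issued key fails for any other name.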