eBook Edit Pro 3.21 算法分析 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → eBook Edit Pro 3.21 算法分析

eBook Edit Pro 3.21 算法分析 时间：2004/10/15 0:55:00来源：本站整理作者：蓝点我要评论(2): 　

eBook Edit Pro 3.21破解手记
***************************************************
软件名称：eBook Edit Pro 3.21
下载地址：http://www.eBookEdit.com
大小：2.383MB(脱壳后)
加密方式：注册码
使用工具：TRW2000中文1.23注册版，fi2.5,keymake1.73,AspackDie 1.41
pj日期：2003年3月10日
***************************************************

软件说明：一个编辑eBook的软件，十分好用!指定一个含有网页文件的文件夹，它就会把它做成一个exe可执行文件的E书。

PJ说明：
我也是新手，学习破解还不到两个星期，不足之处，请大家批评指正！
本文件中提到的主文件，即用于制作E书的主运行程序ebookedit.exe
本文件中提到的exe文件，即制作为成品的E书文件

这个软件的注册方式很特别! 在主文件运行过程中，注册部分只有输入用户名和注册码，但除了保存这个信息在注册表的HKEY_CURRENT_USER\Software\Cybershare\Registration位置外(错的也保存)，并不做任何检验注册码是否正确的动作。而真正的注册码检验部分是在生成的exe文件中，呵呵，很有意思吧! 如果在主文件当中输入的注册码不正确，那么生成的exe文件在运行的时候，会出现一个未注册的信息。由于exe文件可以脱离原生成程序运行，所以，我们可以判断出来，主文件在生成exe文件的过程中，已经将输入的用户名和注册码信息放入exe文件里了，那么exe文件一运行，就会将这部分信息提取出来，进行注册码正确检验。
得出的结论：要想得真正的注册码，不是研究主文件，而是研究生成的exe文件(找出这个关键，我费了2个小时)

1、先试用一下软件，运行出现欢迎画片，只有一个授权给：和注册键：，分别输入newlaos和78787878(学前辈的试用码)，然后按正常步骤生成一个exe文件(不要太大)，这里假设为crack.exe文件。

2、用fi2.5一看，exe文件加了一个aspack2.1的壳，用TRW2000可以手动脱壳，自动脱壳我选择了AspackDie 1.41(脱壳过程中，它会发现一个附加信息，选择“是”)，生成unpack.exe文件。

3、用TRW2000载入unpack.exe文件，按F10步进(因为按F12一下就出现了未注册信息)，来到下面代码段：
......
...... |
:0047C7DC A1D8F04000 mov eax, dword ptr [0040F0D8]
:0047C7E1 E8B260F9FF call 00412898
:0047C7E6 A3D40A4800 mov dword ptr [00480AD4], eax
:0047C7EB 33C0 xor eax, eax
:0047C7ED 55 push ebp
:0047C7EE 6859C84700 push 0047C859
:0047C7F3 64FF30 push dword ptr fs:[eax]
:0047C7F6 648920 mov dword ptr fs:[eax], esp
:0047C7F9 A10CE84700 mov eax, dword ptr [0047E80C]
:0047C7FE 8B00 mov eax, dword ptr [eax]
:0047C800 E8F7DBFCFF call 0044A3FC
:0047C805 A10CE84700 mov eax, dword ptr [0047E80C]
:0047C80A 8B00 mov eax, dword ptr [eax]
:0047C80C C6404B00 mov [eax+4B], 00
:0047C810 A1F0E64700 mov eax, dword ptr [0047E6F0]
:0047C815 8B15D40A4800 mov edx, dword ptr [00480AD4]
:0047C81B 8910 mov dword ptr [eax], edx
:0047C81D 8B0D34E64700 mov ecx, dword ptr [0047E634]
:0047C823 A10CE84700 mov eax, dword ptr [0047E80C]
:0047C828 8B00 mov eax, dword ptr [eax]

* Possible StringData Ref from Code Obj ->"?C"
|
:0047C82A 8B15F0964700 mov edx, dword ptr [004796F0]
:0047C830 E8DFDBFCFF call 0044A414 <===因为一过这里就出现了未注册信息，所以F8进入(后面很多是这种情况)
:0047C835 A10CE84700 mov eax, dword ptr [0047E80C]
:0047C83A 8B00 mov eax, dword ptr [eax]
:0047C83C E853DCFCFF call 0044A494
:0047C841 33C0 xor eax, eax
:0047C843 5A pop edx
:0047C844 59 pop ecx
:0047C845 59 pop ecx
:0047C846 648910 mov dword ptr fs:[eax], edx
:0047C849 6860C84700 push 0047C860

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047C85E(U)
|
:0047C84E A1D40A4800 mov eax, dword ptr [00480AD4]
:0047C853 E86866F8FF call 00402EC0
:0047C858 C3 ret
......
......

_______________________________F8来到下面代码段_______________________________________________

:0044A414 55 push ebp
:0044A415 8BEC mov ebp, esp
:0044A417 51 push ecx
:0044A418 53 push ebx
:0044A419 56 push esi
:0044A41A 57 push edi
:0044A41B 894DFC mov dword ptr [ebp-04], ecx
:0044A41E 8BDA mov ebx, edx
:0044A420 8BF0 mov esi, eax
:0044A422 8BC3 mov eax, ebx
:0044A424 FF50F4 call [eax-0C]
:0044A427 8BD8 mov ebx, eax
:0044A429 8B45FC mov eax, dword ptr [ebp-04]
:0044A42C 8918 mov dword ptr [eax], ebx
:0044A42E 33C0 xor eax, eax
:0044A430 55 push ebp
:0044A431 6852A44400 push 0044A452
:0044A436 64FF30 push dword ptr fs:[eax]
:0044A439 648920 mov dword ptr fs:[eax], esp
:0044A43C 8BCE mov ecx, esi
:0044A43E 83CAFF or edx, FFFFFFFF
:0044A441 8BC3 mov eax, ebx
:0044A443 8B38 mov edi, dword ptr [eax]
:0044A445 FF572C call [edi+2C] <===因为一过这里就出现了未注册信息，所以F8再进入
:0044A448 33C0 xor eax, eax
:0044A44A 5A pop edx
:0044A44B 59 pop ecx
:0044A44C 59 pop ecx
:0044A44D 648910 mov dword ptr fs:[eax], edx
:0044A450 EB16 jmp 0044A468
:0044A452 E9158FFBFF jmp 0040336C
:0044A457 8B45FC mov eax, dword ptr [ebp-04]
:0044A45A 33D2 xor edx, edx
:0044A45C 8910 mov dword ptr [eax], edx
:0044A45E E81192FBFF call 00403674
:0044A463 E86092FBFF call 004036C8
......
......

_______________________________F8来到下面代码段_______________________________________________

:0047C448 53 push ebx
:0047C449 56 push esi
:0047C44A 84D2 test dl, dl
:0047C44C 7408 je 0047C456 <===不跳
:0047C44E 83C4F0 add esp, FFFFFFF0
:0047C451 E8AA6DF8FF call 00403200

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047C44C(C)
|
:0047C456 8BDA mov ebx, edx
:0047C458 8BF0 mov esi, eax
:0047C45A 33D2 xor edx, edx
:0047C45C 8BC6 mov eax, esi
:0047C45E E80571FCFF call 00443568
:0047C463 8BC6 mov eax, esi
:0047C465 84DB test bl, bl
:0047C467 740F je 0047C478 <===不跳
:0047C469 E8EA6DF8FF call 00403258 <===因为一过这里就出现了未注册信息，所以F8第三次进入(不要晕!胜利就在前方)
:0047C46E 648F0500000000 pop dword ptr fs:[00000000]
:0047C475 83C40C add esp, 0000000C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047C467(C)
|
:0047C478 8BC6 mov eax, esi
:0047C47A 5E pop esi
:0047C47B 5B pop ebx
:0047C47C C3 ret
......
......

_______________________________F8来到下面代码段_______________________________________________
:00403258 50 push eax
:00403259 8B10 mov edx, dword ptr [eax]
:0040325B FF52E4 call [edx-1C]
:0040325E 58 pop eax
:0040325F C3 ret
......

_______________________________程序进到402EA5_______________________________________________
:00402EA5 648F0500000000 pop dword ptr fs:[00000000]
:00402EAC 83C40C add esp, 0000000C
:00402EAF C3 ret
......

_______________________________程序进到47AA21_______________________________________________
:0047AA21 89832C030000 mov dword ptr [ebx+0000032C], eax
:0047AA27 33C0 xor eax, eax
:0047AA29 898330030000 mov dword ptr [ebx+00000330], eax
:0047AA2F 8BCB mov ecx, ebx
:0047AA31 B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"?C"
|
:0047AA33 A194614700 mov eax, dword ptr [00476194]
:0047AA38 E82B8BFCFF call 00443568
:0047AA3D 8BF0 mov esi, eax
:0047AA3F 89B338030000 mov dword ptr [ebx+00000338], esi
:0047AA45 8BC6 mov eax, esi
:0047AA47 E844C8FCFF call 00447290
:0047AA4C 8B8338030000 mov eax, dword ptr [ebx+00000338]
:0047AA52 8998EC020000 mov dword ptr [eax+000002EC], ebx

* Possible StringData Ref from Code Obj ->"U嬱j"
|
:0047AA58 C780E8020000A8C14700 mov dword ptr [ebx+000002E8], 0047C1A8
:0047AA62 E8F1B1FFFF call 00475C58
:0047AA67 833DCC0A480000 cmp dword ptr [00480ACC], 00000000
:0047AA6E 740D je 0047AA7D
:0047AA70 8B15CC0A4800 mov edx, dword ptr [00480ACC]
:0047AA76 8BC3 mov eax, ebx
:0047AA78 E893FDFFFF call 0047A810 <===因为一过这里就出现了未注册信息，所以F8第四次进入(呵呵!)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047AA6E(C)
|
:0047AA7D A1F4E74700 mov eax, dword ptr [0047E7F4]
:0047AA82 C60000 mov byte ptr [eax], 00
:0047AA85 8BC3 mov eax, ebx
:0047AA87 E860140000 call 0047BEEC
:0047AA8C A1F4E74700 mov eax, dword ptr [0047E7F4]
:0047AA91 C60001 mov byte ptr [eax], 01
:0047AA94 8BC3 mov eax, ebx
:0047AA96 E849140000 call 0047BEE4
:0047AA9B 8BC3 mov eax, ebx
:0047AA9D E832160000 call 0047C0D4
:0047AAA2 A1CC0A4800 mov eax, dword ptr [00480ACC]
......
......

_______________________________F8来到下面代码段_______________________________________________

:0047A810 55 push ebp
:0047A811 8BEC mov ebp, esp
:0047A813 83C4E8 add esp, FFFFFFE8
:0047A816 53 push ebx
:0047A817 56 push esi
:0047A818 57 push edi
:0047A819 33C9 xor ecx, ecx
:0047A81B 894DEC mov dword ptr [ebp-14], ecx
:0047A81E 894DE8 mov dword ptr [ebp-18], ecx
:0047A821 8BDA mov ebx, edx
:0047A823 8BF0 mov esi, eax
:0047A825 33C0 xor eax, eax
:0047A827 55 push ebp
:0047A828 684AA94700 push 0047A94A
:0047A82D 64FF30 push dword ptr fs:[eax]
:0047A830 648920 mov dword ptr fs:[eax], esp
:0047A833 8BC3 mov eax, ebx
:0047A835 E8F27DF9FF call 0041262C
:0047A83A 8BD0 mov edx, eax
:0047A83C 83EA10 sub edx, 00000010
:0047A83F 33C9 xor ecx, ecx
:0047A841 8BC3 mov eax, ebx
:0047A843 8B38 mov edi, dword ptr [eax]
:0047A845 FF570C call [edi+0C]
:0047A848 8D55F0 lea edx, dword ptr [ebp-10]
:0047A84B B910000000 mov ecx, 00000010
:0047A850 8BC3 mov eax, ebx
:0047A852 8B38 mov edi, dword ptr [eax]
:0047A854 FF5704 call [edi+04]
:0047A857 8B7DFC mov edi, dword ptr [ebp-04]
:0047A85A 81FF97130000 cmp edi, 00001397
:0047A860 7440 je 0047A8A2 <===跳转了，不然就进看下面:-)
:0047A862 6A00 push 00000000
:0047A864 8D4DE8 lea ecx, dword ptr [ebp-18]
:0047A867 33D2 xor edx, edx
:0047A869 8BC7 mov eax, edi
:0047A86B E8C0E0F8FF call 00408930
:0047A870 8B4DE8 mov ecx, dword ptr [ebp-18]
:0047A873 8D45EC lea eax, dword ptr [ebp-14]

* Possible StringData Ref from Code Obj ->"这本 eBook 具有一个错误的签名. "
->"这个程序将被终止.
签名: "
|
:0047A876 BA60A94700 mov edx, 0047A960
:0047A87B E8F095F8FF call 00403E70
:0047A880 8B45EC mov eax, dword ptr [ebp-14]
:0047A883 668B0DB4A94700 mov cx, word ptr [0047A9B4]
:0047A88A B201 mov dl, 01
:0047A88C E8D337FDFF call 0044E064
:0047A891 A10CE84700 mov eax, dword ptr [0047E80C]
:0047A896 8B00 mov eax, dword ptr [eax]
:0047A898 E8ABFCFCFF call 0044A548
:0047A89D E98D000000 jmp 0047A92F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047A860(C)
|
:0047A8A2 8BC3 mov eax, ebx <===程序跳到这里，继续往下走
:0047A8A4 E8837DF9FF call 0041262C
:0047A8A9 8BF8 mov edi, eax
:0047A8AB 2B7DF0 sub edi, dword ptr [ebp-10]
:0047A8AE 89BE1C030000 mov dword ptr [esi+0000031C], edi
:0047A8B4 33C9 xor ecx, ecx
:0047A8B6 8BD7 mov edx, edi
:0047A8B8 8BC3 mov eax, ebx
:0047A8BA 8B38 mov edi, dword ptr [eax]
:0047A8BC FF570C call [edi+0C]
:0047A8BF 8BD3 mov edx, ebx
:0047A8C1 8BC6 mov eax, esi
:0047A8C3 E858030000 call 0047AC20
:0047A8C8 8BD3 mov edx, ebx
:0047A8CA 8BC6 mov eax, esi
:0047A8CC E807F5FFFF call 00479DD8 <===因为一过这里就出现了未注册信息，所以F8第五次进入(555555~~~~还要进)
:0047A8D1 8BD3 mov edx, ebx
:0047A8D3 8BC6 mov eax, esi
:0047A8D5 E816FAFFFF call 0047A2F0
:0047A8DA 8BD3 mov edx, ebx
:0047A8DC 8BC6 mov eax, esi
:0047A8DE E8C9F5FFFF call 00479EAC
:0047A8E3 80BE6C03000000 cmp byte ptr [esi+0000036C], 00
:0047A8EA 7509 jne 0047A8F5
:0047A8EC 8BD3 mov edx, ebx
:0047A8EE 8BC6 mov eax, esi
:0047A8F0 E83BFAFFFF call 0047A330
......
......

_______________________________F8来到下面代码段_______________________________________________

:00479DD8 55 push ebp
:00479DD9 8BEC mov ebp, esp
:00479DDB 51 push ecx
:00479DDC 53 push ebx
:00479DDD 56 push esi
:00479DDE 8BF2 mov esi, edx
:00479DE0 8BD8 mov ebx, eax
:00479DE2 8D9320030000 lea edx, dword ptr [ebx+00000320]
:00479DE8 8BC6 mov eax, esi
:00479DEA E83DE5FFFF call 0047832C
:00479DEF 8D9324030000 lea edx, dword ptr [ebx+00000324]
:00479DF5 8BC6 mov eax, esi
:00479DF7 E830E5FFFF call 0047832C
:00479DFC 8D9328030000 lea edx, dword ptr [ebx+00000328]
:00479E02 8BC6 mov eax, esi
:00479E04 E823E5FFFF call 0047832C
:00479E09 6A00 push 00000000
:00479E0B 8B9324030000 mov edx, dword ptr [ebx+00000324]
:00479E11 8B8320030000 mov eax, dword ptr [ebx+00000320]

* Possible StringData Ref from Code Obj ->"~TurnIde@$IntoProfit$w/eBook$!>>YouC@n$ucceed!"
->"<<"
|
:00479E17 B9789E4700 mov ecx, 00479E78
:00479E1C E83BE2FFFF call 0047805C <===算法CALL了，最后一次F8进入，看个究竟
:00479E21 84C0 test al, al
:00479E23 7544 jne 00479E69 <===关键跳转(终于到了)，爆破只针对每个exe文件，所以没多大意思
:00479E25 8BCB mov ecx, ebx
:00479E27 B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"?C"
|
:00479E29 A1B4744700 mov eax, dword ptr [004774B4]
:00479E2E E83597FCFF call 00443568
:00479E33 8945FC mov dword ptr [ebp-04], eax
:00479E36 33C0 xor eax, eax
:00479E38 55 push ebp
:00479E39 68629E4700 push 00479E62
:00479E3E 64FF30 push dword ptr fs:[eax]
:00479E41 648920 mov dword ptr fs:[eax], esp
:00479E44 8B45FC mov eax, dword ptr [ebp-04]
:00479E47 E88CD8FFFF call 004776D8
:00479E4C 33C0 xor eax, eax
:00479E4E 5A pop edx
:00479E4F 59 pop ecx
:00479E50 59 pop ecx
:00479E51 648910 mov dword ptr fs:[eax], edx
:00479E54 68699E4700 push 00479E69

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00479E67(U)
|
:00479E59 8B45FC mov eax, dword ptr [ebp-04]
:00479E5C E85F90F8FF call 00402EC0
:00479E61 C3 ret

:00479E62 E9B997F8FF jmp 00403620
:00479E67 EBF0 jmp 00479E59

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00479E23(C)
|
:00479E69 5E pop esi
:00479E6A 5B pop ebx
:00479E6B 59 pop ecx
:00479E6C 5D pop ebp
:00479E6D C3 ret

_______________________________F8来到下面代码段_______________________________________________

:0047805C 55 push ebp <===此处下D EAX发现EAX=newlaos，下D EDX发现EDX＝78787878
:0047805D 8BEC mov ebp, esp
:0047805F 81C4FCFEFFFF add esp, FFFFFEFC
:00478065 53 push ebx
:00478066 56 push esi
:00478067 57 push edi
:00478068 33DB xor ebx, ebx
:0047806A 895DFC mov dword ptr [ebp-04], ebx
:0047806D 8BF9 mov edi, ecx
:0047806F 8BF2 mov esi, edx
:00478071 8BD8 mov ebx, eax
:00478073 8B4508 mov eax, dword ptr [ebp+08]
:00478076 E85DBFF8FF call 00403FD8
:0047807B 33C0 xor eax, eax
:0047807D 55 push ebp
:0047807E 68D7804700 push 004780D7
:00478083 64FF30 push dword ptr fs:[eax]
:00478086 648920 mov dword ptr fs:[eax], esp
:00478089 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC]
:0047808F 50 push eax
:00478090 8B4D08 mov ecx, dword ptr [ebp+08]
:00478093 8BD7 mov edx, edi
:00478095 8BC3 mov eax, ebx
:00478097 E810FEFFFF call 00477EAC　　<===此CALL算出与用户名相对应的注册码
:0047809C 8D95FCFEFFFF lea edx, dword ptr [ebp+FFFFFEFC]　
:004780A2 8D45FC lea eax, dword ptr [ebp-04]　<===此处下D EAX发现注册码，但位置不正确
:004780A5 E81EBDF8FF call 00403DC8
:004780AA 8B45FC mov eax, dword ptr [ebp-04]　<===此处将真码放入EAX
:004780AD 8BD6 mov edx, esi　　　　<===将假码78787878放入EDX，在这下命令D EAX可以看见注册码
:004780AF E880BEF8FF call 00403F34　　　　
:004780B4 0F94C0 sete al
:004780B7 8BD8 mov ebx, eax
:004780B9 33C0 xor eax, eax
:004780BB 5A pop edx
:004780BC 59 pop ecx
:004780BD 59 pop ecx
:004780BE 648910 mov dword ptr fs:[eax], edx
:004780C1 68DE804700 push 004780DE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004780DC(U)
|
:004780C6 8D45FC lea eax, dword ptr [ebp-04]
:004780C9 E8D6BAF8FF call 00403BA4
:004780CE 8D4508 lea eax, dword ptr [ebp+08]
:004780D1 E8CEBAF8FF call 00403BA4
:004780D6 C3 ret

4、制作内存注册机：(keymake 1.73)
一、选择F8 → 另类注册机！
程序名称：crack.exe
添加数据：
　　中断地址：004780AD
中断次数：1
第一字节：8B
指令长度：2
　　保存下列信息为注册码 → 内存方式 → 寄存器 → EAX
二、选择内存方式：内存地址 → BF693C → 点生成，就有你乐的了(这一句是学老师的;)
三、内存注册机的使用：由于是针对生成的exe文件，如果要用注册机，就必须将exe文件改名为在制作注册机时定义的程序名称（本例制作出的注册机，使用时就应把exe文件改名为crack.exe），否则不能完成找注册码的工作。找到注册码，只取前面16字符就可以了！

5、我的注册信息
受权给：newlaos
注册键：EDwKZK84BuzRTYQ2

文章评论

查看所有2条评论>>

热门文章 去除winrar注册框方法