【Software limitation】: feature-limited
【Author's note】: I'm a beginner at cracking, just interested, with no other purpose. Where I've slipped up, I'd welcome correction from the experts!
【Cracking tools】: TRW2000 (Wawa modified edition), OllyDbg 1.09, PEiD, AspackDie, W32Dasm 9.0 Platinum edition
—————————————————————————————————
【Process】:
The spot where the program compares the registration code is easy to find, but the algorithm took some effort. I guessed that the program quietly finishes the computation at start-up, so I went looking for traces and, sure enough, caught the fox by its tail. ^O^ ^O^ Ah well, I've been a bit busy lately and haven't been writing notes; I'll probably write even fewer from now on, nothing to be done about it.
FlashPlayer.exe is packed with ASPack 2.12; unpack it with AspackDie (566K -> 2.28M). Written in Delphi.
Authentication code (derived from this machine's hardware): E12561A3DC225AA7CB125C9DDC11789
Trial code (dummy input): 13572468
—————————————————————————————————
:004C2C4B E8441BF4FF call 00404794
:004C2C50 C6838904000000 mov byte ptr [ebx+00000489], 00
:004C2C57 8D83BC040000 lea eax, dword ptr [ebx+000004BC]
:004C2C5D E8DE1AF4FF call 00404740
:004C2C62 8D55E4 lea edx, dword ptr [ebp-1C]
:004C2C65 8BC3 mov eax, ebx
:004C2C67 E820310000 call 004C5D8C
:004C2C6C 8B55E4 mov edx, dword ptr [ebp-1C]
:004C2C6F 8D4DE8 lea ecx, dword ptr [ebp-18]
:004C2C72 8BC3 mov eax, ebx
:004C2C74 E89F6E0000 call 004C9B18
====>Key CALL! Step in! This is where the authentication code is produced.
:004C2C79 8B55E8 mov edx, dword ptr [ebp-18]
====>EDX=E12561A3DC225AA7CB125C9DDC11789  the authentication code
:004C2C7C 8D8390040000 lea eax, dword ptr [ebx+00000490]
:004C2C82 E80D1BF4FF call 00404794
:004C2C87 8D4DE0 lea ecx, dword ptr [ebp-20]
:004C2C8A 8B9390040000 mov edx, dword ptr [ebx+00000490]
:004C2C90 8BC3 mov eax, ebx
:004C2C92 E821710000 call 004C9DB8
====>Algorithm CALL! Step in!
:004C2C97 8B55E0 mov edx, dword ptr [ebp-20]
====>EDX=413D3F3C282F3FCC473025140C0163E  the registration code
:004C2C9A 8D8394040000 lea eax, dword ptr [ebx+00000494]
:004C2CA0 E8EF1AF4FF call 00404794
:004C2CA5 C6838A04000000 mov byte ptr [ebx+0000048A], 00
:004C2CAC C6838B04000000 mov byte ptr [ebx+0000048B], 00
:004C2CB3 C6838C04000000 mov byte ptr [ebx+0000048C], 00
:004C2CBA C683C104000000 mov byte ptr [ebx+000004C1], 00
:004C2CC1 C6838804000000 mov byte ptr [ebx+00000488], 00
:004C2CC8 8BC3 mov eax, ebx
:004C2CCA E879360000 call 004C6348
====>Reads the program's run-time settings from the registry and checks whether it is already registered
:004C2CCF 80BB9804000000 cmp byte ptr [ebx+00000498], 00
:004C2CD6 7529 jne 004C2D01
:004C2CD8 8D55DC lea edx, dword ptr [ebp-24]
:004C2CDB A194034D00 mov eax, dword ptr [004D0394]
:004C2CE0 E8ABF8F8FF call 00452590
:004C2CE5 8D45DC lea eax, dword ptr [ebp-24]
* Possible StringData Ref from Code Obj ->" [未注册版本]"   (" [Unregistered version]")
|
:004C2CE8 BA84324C00 mov edx, 004C3284
:004C2CED E8161DF4FF call 00404A08
:004C2CF2 8B55DC mov edx, dword ptr [ebp-24]
:004C2CF5 A194034D00 mov eax, dword ptr [004D0394]
:004C2CFA E8C1F8F8FF call 004525C0
:004C2CFF EB27 jmp 004C2D28
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C2CD6(C)
|
:004C2D01 8D55D8 lea edx, dword ptr [ebp-28]
:004C2D04 A194034D00 mov eax, dword ptr [004D0394]
:004C2D09 E882F8F8FF call 00452590
:004C2D0E 8D45D8 lea eax, dword ptr [ebp-28]
* Possible StringData Ref from Code Obj ->" [注册版本]"   (" [Registered version]")
|
:004C2D11 BA9C324C00 mov edx, 004C329C
:004C2D16 E8ED1CF4FF call 00404A08
—————————————————————————————————
Step into the key CALL: 004C2C74 call 004C9B18
* Referenced by a CALL at Address:
|:004C2C74
…… …… omitted …… ……  this stretch seems to detect which Windows version is running
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004C9B65(C), :004C9B74(C), :004C9B83(C), :004C9B92(C)
|
:004C9BA3 33C0 xor eax, eax
:004C9BA5 55 push ebp
:004C9BA6 68C89B4C00 push 004C9BC8
:004C9BAB 64FF30 push dword ptr fs:[eax]
:004C9BAE 648920 mov dword ptr fs:[eax], esp
:004C9BB1 8D45F4 lea eax, dword ptr [ebp-0C]
:004C9BB4 BA71EC0F00 mov edx, 000FEC71
:004C9BB9 E87AADF3FF call 00404938
====>Reads the BIOS ID string of my own machine (my "BMW" ^O^). 000FEC71 is the linear address F000:EC71 in the legacy BIOS ROM area, where an Award BIOS keeps its ID string; on Windows 9x that ROM is mapped into every process's first megabyte, so the program can simply copy the string from there. The try/except frame installed at 004C9BA5 (handler 004C9BC8) catches the fault on systems where the read is not allowed, in which case the fixed string "SnowSky781026" is used instead.
====>07/11/2002-P4X266E-8233A-6A6LWSNGC-00
:004C9BBE 33C0 xor eax, eax
:004C9BC0 5A pop edx
:004C9BC1 59 pop ecx
:004C9BC2 59 pop ecx
:004C9BC3 648910 mov dword ptr fs:[eax], edx
:004C9BC6 EB29 jmp 004C9BF1
====>jump down (normal path; 004C9BC8 below is the exception-handler path)
:004C9BC8 E93FA2F3FF jmp 00403E0C
:004C9BCD 8D45F4 lea eax, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"SnowSky781026"
|
:004C9BD0 BA649D4C00 mov edx, 004C9D64
:004C9BD5 E8FEABF3FF call 004047D8
:004C9BDA E895A5F3FF call 00404174
:004C9BDF EB10 jmp 004C9BF1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C9BA1(C)
* Possible StringData Ref from Code Obj ->"SnowSky781026"
|
:004C9BE1 BA649D4C00 mov edx, 004C9D64
:004C9BE6 8D45F4 lea eax, dword ptr [ebp-0C]
:004C9BE9 8B4DFC mov ecx, dword ptr [ebp-04]
:004C9BEC E85BAEF3FF call 00404A4C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004C9BC6(U), :004C9BDF(U)
|
:004C9BF1 837DF400 cmp dword ptr [ebp-0C], 00000000
====>[ebp-0C]=07/11/2002-P4X266E-8233A-6A6LWSNGC-00  (if this came back empty, the fixed string "SnowSky781026" is substituted at 004C9BFA)
:004C9BF5 750D jne 004C9C04
:004C9BF7 8D45F4 lea eax, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"SnowSky781026"
|
:004C9BFA BA649D4C00 mov edx, 004C9D64
:004C9BFF E8D4ABF3FF call 004047D8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C9BF5(C)
|
:004C9C04 A0749D4C00 mov al, byte ptr [004C9D74]
:004C9C09 50 push eax
:004C9C0A 8D45F0 lea eax, dword ptr [ebp-10]
:004C9C0D 50 push eax
:004C9C0E 33C9 xor ecx, ecx
:004C9C10 BA809D4C00 mov edx, 004C9D80
:004C9C15 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=07/11/2002-P4X266E-8233A-6A6LWSNGC-00
:004C9C18 E85344F4FF call 0040E070
====>StringReplace-style call (pattern in EDX, empty replacement in ECX, flags in AL): this first pass deletes the "/" characters
:004C9C1D 8B55F0 mov edx, dword ptr [ebp-10]
====>EDX=07112002-P4X266E-8233A-6A6LWSNGC-00
:004C9C20 8D45F4 lea eax, dword ptr [ebp-0C]
:004C9C23 E8B0ABF3FF call 004047D8
:004C9C28 A0749D4C00 mov al, byte ptr [004C9D74]
:004C9C2D 50 push eax
:004C9C2E 8D45EC lea eax, dword ptr [ebp-14]
:004C9C31 50 push eax
:004C9C32 33C9 xor ecx, ecx
:004C9C34 BA8C9D4C00 mov edx, 004C9D8C
:004C9C39 8B45F4 mov eax, dword ptr [ebp-0C]
:004C9C3C E82F44F4FF call 0040E070
:004C9C41 8B55EC mov edx, dword ptr [ebp-14]
:004C9C44 8D45F4 lea eax, dword ptr [ebp-0C]
:004C9C47 E88CABF3FF call 004047D8
:004C9C4C A0749D4C00 mov al, byte ptr [004C9D74]
:004C9C51 50 push eax
:004C9C52 8D45E8 lea eax, dword ptr [ebp-18]
:004C9C55 50 push eax
:004C9C56 33C9 xor ecx, ecx
:004C9C58 BA989D4C00 mov edx, 004C9D98
:004C9C5D 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=07112002-P4X266E-8233A-6A6LWSNGC-00
:004C9C60 E80B44F4FF call 0040E070
====>Another replacement pass; after this one the "-" characters are gone as well, leaving only letters and digits
:004C9C65 8B55E8 mov edx, dword ptr [ebp-18]
====>EDX=07112002P4X266E8233A6A6LWSNGC00
:004C9C68 8D45F4 lea eax, dword ptr [ebp-0C]
:004C9C6B E868ABF3FF call 004047D8
:004C9C70 A0749D4C00 mov al, byte ptr [004C9D74]
:004C9C75 50 push eax
:004C9C76 8D45E4 lea eax, dword ptr [ebp-1C]
:004C9C79 50 push eax
:004C9C7A 33C9 xor ecx, ecx
:004C9C7C BAA49D4C00 mov edx, 004C9DA4
:004C9C81 8B45F4 mov eax, dword ptr [ebp-0C]
:004C9C84 E8E743F4FF call 0040E070
:004C9C89 8B55E4 mov edx, dword ptr [ebp-1C]
:004C9C8C 8D45F4 lea eax, dword ptr [ebp-0C]
:004C9C8F E844ABF3FF call 004047D8
:004C9C94 8B4DF8 mov ecx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"1978"
|
:004C9C97 BAB09D4C00 mov edx, 004C9DB0
====>EDX=004C9DB0="1978"
:004C9C9C 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=07112002P4X266E8233A6A6LWSNGC00
:004C9C9F E8FC89FFFF call 004C26A0
====>Runs the loop computation (routine 004C26A0, shown below) over the cleaned motherboard string with the key "1978" to produce a new string
:004C9CA4 8B45F8 mov eax, dword ptr [ebp-08]
:004C9CA7 50 push eax
:004C9CA8 8B45F8 mov eax, dword ptr [ebp-08]
:004C9CAB 8B00 mov eax, dword ptr [eax]
====>EAX=0809799DF6187196F0709DC2CC3251A1E12561A3DC225AA7CB125C9DDC11789F
:004C9CAD E84EADF3FF call 00404A00
====>length of the string above
:004C9CB2 8BD8 mov ebx, eax
====>EBX=40
:004C9CB4 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=07112002P4X266E8233A6A6LWSNGC00
:004C9CB7 E844ADF3FF call 00404A00
====>length of the string above: EAX=1F
:004C9CBC 2BD8 sub ebx, eax
====>EBX=40 - 1F=21(H)=33(D)
:004C9CBE 53 push ebx
:004C9CBF 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=07112002P4X266E8233A6A6LWSNGC00
:004C9CC2 E839ADF3FF call 00404A00
====>length of the string above
:004C9CC7 8BC8 mov ecx, eax
====>ECX=1F(H)=31(D)
:004C9CC9 8B45F8 mov eax, dword ptr [ebp-08]
:004C9CCC 8B00 mov eax, dword ptr [eax]
====>EAX=0809799DF6187196F0709DC2CC3251A1E12561A3DC225AA7CB125C9DDC11789F
:004C9CCE 5A pop edx
====>EDX=21(H)=33(D)
:004C9CCF E88CAFF3FF call 00404C60
====>Copy 31 characters of the string above starting at position 33 (1-based), i.e. the tail of the 64-character string minus its final "F"
====>E12561A3DC225AA7CB125C9DDC11789  this is the authentication code
:004C9CD4 33C0 xor eax, eax
:004C9CD6 5A pop edx
:004C9CD7 59 pop ecx
:004C9CD8 59 pop ecx
:004C9CD9 648910 mov dword ptr fs:[eax], edx
:004C9CDC 68FE9C4C00 push 004C9CFE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C9CFC(U)
|
:004C9CE1 8D45E4 lea eax, dword ptr [ebp-1C]
:004C9CE4 BA05000000 mov edx, 00000005
:004C9CE9 E876AAF3FF call 00404764
:004C9CEE 8D45FC lea eax, dword ptr [ebp-04]
:004C9CF1 E84AAAF3FF call 00404740
:004C9CF6 C3 ret
—————————————————————————————————
Step into the algorithm CALL: 4C2C92 call 004C9DB8
* Referenced by a CALL at Address:
|:004C2C92
|
:004C9DB8 55 push ebp
:004C9DB9 8BEC mov ebp, esp
:004C9DBB 6A00 push 00000000
:004C9DBD 6A00 push 00000000
:004C9DBF 6A00 push 00000000
:004C9DC1 6A00 push 00000000
:004C9DC3 6A00 push 00000000
:004C9DC5 6A00 push 00000000
:004C9DC7 53 push ebx
:004C9DC8 8BD9 mov ebx, ecx
:004C9DCA 8955FC mov dword ptr [ebp-04], edx
:004C9DCD 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=E12561A3DC225AA7CB125C9DDC11789
:004C9DD0 E81BAEF3FF call 00404BF0
:004C9DD5 33C0 xor eax, eax
........................
............
:004C9E6F 8B55E8 mov edx, dword ptr [ebp-18]
:004C9E72 8D45FC lea eax, dword ptr [ebp-04]
:004C9E75 E85EA9F3FF call 004047D8
:004C9E7A 8D4DF8 lea ecx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"1978"
|
:004C9E7D BA449F4C00 mov edx, 004C9F44
====>EDX=004C9F44="1978"  heh, probably the author's year of birth
:004C9E82 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=E12561A3DC225AA7CB125C9DDC11789
:004C9E85 E81688FFFF call 004C26A0
====>Runs the loop computation over the authentication code above with the key "1978" to produce a new string
:004C9E8A 8D45F8 lea eax, dword ptr [ebp-08]
====>EAX=087C94F11F64ACDA364BB7DE296F89FD0D619AFC177DF9047085F1147D85848A
:004C9E8D 50 push eax
:004C9E8E 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=E12561A3DC225AA7CB125C9DDC11789
:004C9E91 E86AABF3FF call 00404A00
====>length of the string above
:004C9E96 8BC8 mov ecx, eax
====>ECX=1F
:004C9E98 BA01000000 mov edx, 00000001
:004C9E9D 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=087C94F11F64ACDA364BB7DE296F89FD0D619AFC177DF9047085F1147D85848A
:004C9EA0 E8BBADF3FF call 00404C60
====>Take the first 31 characters of the string above for the next step
====>087C94F11F64ACDA364BB7DE296F89F
:004C9EA5 8D4DFC lea ecx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"ILOVEYOU"
|
:004C9EA8 BA549F4C00 mov edx, 004C9F54
====>EDX=ILOVEYOU  the author's a decent sort, no cursing ^O^ ^O^
:004C9EAD 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=087C94F11F64ACDA364BB7DE296F89F
:004C9EB0 E8EB87FFFF call 004C26A0
====>Runs the loop computation over the string above with the key "ILOVEYOU" to produce a new string
====>same computation as at 004C9E85
:004C9EB5 53 push ebx
:004C9EB6 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=0871E552C3B9B4B5B3ADBFBAB8BC59D2413D3F3C282F3FCC473025140C0163E6
:004C9EB9 E842ABF3FF call 00404A00
====>length of the string above
:004C9EBE 8BD8 mov ebx, eax
====>EBX=40
:004C9EC0 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=087C94F11F64ACDA364BB7DE296F89F
:004C9EC3 E838ABF3FF call 00404A00
====>length of the string above
:004C9EC8 2BD8 sub ebx, eax
====>EBX=40 - 1F=21(H)=33(D)
:004C9ECA 53 push ebx
:004C9ECB 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=087C94F11F64ACDA364BB7DE296F89F
:004C9ECE E82DABF3FF call 00404A00
====>length of the string above yet again; sigh, so many times
:004C9ED3 8BC8 mov ecx, eax
====>ECX=1F(H)=31(D)
:004C9ED5 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=0871E552C3B9B4B5B3ADBFBAB8BC59D2413D3F3C282F3FCC473025140C0163E6
:004C9ED8 5A pop edx
:004C9ED9 E882ADF3FF call 00404C60
====>Copy 31 characters of the string above starting at position 33 (1-based)
====>413D3F3C282F3FCC473025140C0163E  this is the registration code
:004C9EDE 33C0 xor eax, eax
:004C9EE0 5A pop edx
:004C9EE1 59 pop ecx
:004C9EE2 59 pop ecx
:004C9EE3 648910 mov dword ptr fs:[eax], edx
:004C9EE6 68009F4C00 push 004C9F00
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C9EFE(U)
|
:004C9EEB 8D45E8 lea eax, dword ptr [ebp-18]
:004C9EEE BA06000000 mov edx, 00000006
:004C9EF3 E86CA8F3FF call 00404764
:004C9EF8 C3 ret
—————————————————————————————————
Step into 004C9E85 call 004C26A0
The calls to 004C26A0 at 4C9C9F and 4C9EB0 follow the same computation, so I haven't recorded their data in detail.
:004C26A0 55 push ebp
:004C26A1 8BEC mov ebp, esp
:004C26A3 83C4DC add esp, FFFFFFDC
:004C26A6 53 push ebx
:004C26A7 56 push esi
:004C26A8 57 push edi
...............
.........
:004C26E9 8D45F8 lea eax, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"Snowsky781026"
|
:004C26EC BAD4274C00 mov edx, 004C27D4
:004C26F1 E8E220F4FF call 004047D8
====>the conditional jump at 004C26E7 skips this assignment; it appears to be a built-in key used when the caller passes an empty one
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C26E7(C)
|
:004C26F6 33F6 xor esi, esi
:004C26F8 BB08000000 mov ebx, 00000008
====>EBX=8  initial value of the running state
:004C26FD 8D45EC lea eax, dword ptr [ebp-14]
:004C2700 50 push eax
:004C2701 895DE0 mov dword ptr [ebp-20], ebx
:004C2704 C645E400 mov [ebp-1C], 00
:004C2708 8D55E0 lea edx, dword ptr [ebp-20]
:004C270B 33C9 xor ecx, ecx
* Possible StringData Ref from Code Obj ->"%1.2x"
|
:004C270D B8EC274C00 mov eax, 004C27EC
:004C2712 E8A576F4FF call 00409DBC
====>Format("%1.2x") turns the value in EBX into two upper-case hex digits; the initial 8 becomes the leading "08" of the result, and the same sequence from 004C275A onwards appends two more digits on every loop iteration
:004C2717 8B45FC mov eax, dword ptr [ebp-04]
:004C271A E8E122F4FF call 00404A00
:004C271F 8BF8 mov edi, eax
:004C2721 85FF test edi, edi
:004C2723 7E60 jle 004C2785
:004C2725 C745E801000000 mov [ebp-18], 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C2783(C)
|
:004C272C 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=E12561A3DC225AA7CB125C9DDC11789  authentication code
:004C272F 8B55E8 mov edx, dword ptr [ebp-18]
====>EDX=[ebp-18]  loop counter (1-based character position)
:004C2732 0FB64410FF movzx eax, byte ptr [eax+edx-01]
====>Takes the characters of E12561A3DC225AA7CB125C9DDC11789 one by one as their ASCII values
:004C2737 03C3 add eax, ebx
1. ====>EAX=45 + 08=4D
2. ====>EAX=31 + 7C=AD
3. ====>EAX=32 + 94=C6
4. ====>EAX=35 + F1=126
…… …… omitted …… ……
31. ====>EAX=39 + 84=BD
:004C2739 B9FF000000 mov ecx, 000000FF
====>ECX=FF  (the modulus is 255, not 256, so a sum of exactly FF wraps to 0)
:004C273E 99 cdq
:004C273F F7F9 idiv ecx
1. ====>EDX=4D % FF=4D
2. ====>EDX=AD % FF=AD
3. ====>EDX=C6 % FF=C6
4. ====>EDX=126 % FF=27
…… …… omitted …… ……
31. ====>EDX=BD % FF=BD
:004C2741 8BDA mov ebx, edx
:004C2743 3B75F0 cmp esi, dword ptr [ebp-10]
====>Check whether all 4 key characters have been used ([ebp-10] holds the key length)
:004C2746 7D03 jge 004C274B
====>Once all 4 are used, reset the index to 1: the characters of "1978" below are cycled
:004C2748 46 inc esi
:004C2749 EB05 jmp 004C2750
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C2746(C)
|
:004C274B BE01000000 mov esi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C2749(U)
|
:004C2750 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=1978
:004C2753 0FB64430FF movzx eax, byte ptr [eax+esi-01]
====>Takes the characters of "1978" one by one as their ASCII values, cycling
:004C2758 33D8 xor ebx, eax
1. ====>EBX=4D XOR 31=7C
2. ====>EBX=AD XOR 39=94
3. ====>EBX=C6 XOR 37=F1
4. ====>EBX=27 XOR 38=1F
…… …… omitted …… ……
31. ====>EBX=BD XOR 37=8A
:004C275A 8D45DC lea eax, dword ptr [ebp-24]
:004C275D 50 push eax
:004C275E 895DE0 mov dword ptr [ebp-20], ebx
:004C2761 C645E400 mov [ebp-1C], 00
:004C2765 8D55E0 lea edx, dword ptr [ebp-20]
:004C2768 33C9 xor ecx, ecx
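Putting the three routines together, here is a keygen that reproduces them. This is an added example, not the author's code and not anything from the program; the function names are mine. It assumes that the replacement passes at 004C9C18..004C9C84 strip every character that is not a letter or digit (the page only shows "/" and "-" being removed), that 004C26A0 falls back to "Snowsky781026" when given an empty key (the page shows the assignment being skipped but not the condition), and that the final check is a plain string compare of the typed code against the computed one. The hash routine is written for any input and key length, not just the 31-character strings and the two keys seen above.

```python
import re

# Constants recovered from the disassembly.
DEFAULT_KEY = "Snowsky781026"    # string at 004C27D4; assumed fallback for an empty key
KEY_1978 = "1978"                # strings at 004C9DB0 / 004C9F44
KEY_LOVE = "ILOVEYOU"            # string at 004C9F54
BIOS_FALLBACK = "SnowSky781026"  # string at 004C9D64, used when the BIOS string is empty


def snowsky_hash(data: str, key: str) -> str:
    """Re-implementation of the routine at 004C26A0.

    The state starts at 8 and is emitted with "%1.2x" before the loop (hence
    the leading "08").  For every character c of data:
        state = (state + ord(c)) mod 0xFF      ; add / cdq / idiv 0FFh
        state ^= ord(key[i])                   ; key index cycles 1..len(key)
    and each new state is appended as two upper-case hex digits.
    The modulus is 255, not 256: a running sum of exactly 0xFF wraps to 0.
    """
    if not key:
        key = DEFAULT_KEY               # assumption, see lead-in
    state = 8                           # mov ebx, 8
    out = [f"{state:02X}"]              # Format("%1.2x", [ebx])
    ki = 0                              # esi
    for ch in data:
        state = (state + ord(ch)) % 0xFF
        ki = 1 if ki >= len(key) else ki + 1  # cmp esi,len / jge -> mov esi,1 / else inc esi
        state ^= ord(key[ki - 1])             # movzx eax, byte [key+esi-1] / xor ebx, eax
        out.append(f"{state:02X}")
    return "".join(out)


def delphi_copy(s: str, start: int, count: int) -> str:
    """Delphi Copy(S, Index, Count) with a 1-based index (the call at 00404C60)."""
    return s[start - 1:start - 1 + count]


def clean_bios_string(bios_id: str) -> str:
    """The replacement passes: assumed to remove every non-alphanumeric character."""
    return re.sub(r"[^0-9A-Za-z]", "", bios_id)


def auth_code(bios_id: str) -> str:
    """Routine 004C9B18: the hardware-derived authentication code."""
    cleaned = clean_bios_string(bios_id or BIOS_FALLBACK)
    h = snowsky_hash(cleaned, KEY_1978)
    # mov ebx, len(h); sub ebx, len(cleaned); Copy(h, ebx, len(cleaned))
    return delphi_copy(h, len(h) - len(cleaned), len(cleaned))


def reg_code(auth: str) -> str:
    """Routine 004C9DB8: the registration code matching a given authentication code."""
    h1 = snowsky_hash(auth, KEY_1978)
    head = delphi_copy(h1, 1, len(auth))              # first 31 characters (004C9EA0)
    h2 = snowsky_hash(head, KEY_LOVE)
    return delphi_copy(h2, len(h2) - len(head), len(head))  # 004C9ED9


def is_registered(bios_id: str, typed_code: str) -> bool:
    """The program's final check, assumed to be a plain string compare."""
    return typed_code == reg_code(auth_code(bios_id))


if __name__ == "__main__":
    # Constructed input: the BIOS ID string the write-up records for the author's machine.
    bios = "07/11/2002-P4X266E-8233A-6A6LWSNGC-00"
    a = auth_code(bios)
    print("auth code:", a)
    print("reg  code:", reg_code(a))
    print("trial code 13572468 accepted?", is_registered(bios, "13572468"))
```

Run it as-is and the two printed codes are exactly the values recorded at 004C2C79 and 004C2C97. The practical lesson for anyone designing such a scheme: every input to the "machine-bound" code (the BIOS string read, the keys "1978" and "ILOVEYOU", the custom mix function) lives inside the shipped binary, so the binding adds no secrecy at all; a scheme that must survive the client being disassembled needs a secret that is never in the client, such as a signature over the hardware identifier issued by the vendor's server.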