Tutor8 How to crack LockDown 2000 3.0 Build 3.0.1.28 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → Tutor8 How to crack LockDown 2000 3.0 Build 3.0.1.28

Tutor8 How to crack LockDown 2000 3.0 Build 3.0.1.28 时间：2004/10/15 1:03:00来源：本站整理作者：蓝点我要评论(0): 　软件背景资料

运行平台: Win9X/NT
文件名称: Lockdown2000.exe
程序类型: 杀毒工具
下载地点: http://lockdown2000.com\download.html
文件大小: 2,046KB

使用的工具

SoftIce V3.25--Win9X Debugger
W32Dasm V8.93--Win9X Dissembler
Hex WorkShop v2.54--Hex Editor
RegSnap V2.51--Registry Tracer

难易程度

Easy(X) Medium( ) Hard( ) Pro( )

----------=======声明========----------

未经作者同意，不得修改、引用原文，一切权利保留。
本教程只供教学用，其他一切用途皆被禁止。

----------=======软件介绍========----------

简单地说，它是一个查杀网上流行黑客程序的共享软件（还是先防防我的cracking吧,^O^)他
的查杀速度我可不敢恭维，另外启动极慢，反正我是不会用的。

----------=======软件的保护机制========-------

第一次运行时间记录在windows目录\AJBALSE.INI中
注册时，不需要name,程序自动产生一个Product Serial,我的是：6WD-Q2D3-6F67-2,为了证
实这个码是不是随机产生的，我曾将该软件反安装，为了保险，并将安装时在windows目录里生成的
文件、注册表键值均统统删掉，然后再次安装，看看Product Serial变没变，结果还是
6WD-Q2D3-6F67-2，但我估计他的产生有可能根据windows安装时你输入的个人信息。如果你感兴趣
，在你的机器上安装此软件，看看是否与我的Product Serial一样。
注册后，注册信息保存在注册表的
HKEY_LOCAL_MACHINE\Software\Harbor Telco\LockDown 2000 v3.0\3.0.1.1\Register

----------========正文========----------

Part1 Snippet out code

在注册窗口中，输入任意的code,我输入:12121212
在SoftIce中设断点bpx hmemcpy do "p ret;",Ctrl-D,回到注册窗口，press "OK" button,
重新回到SoftIce中,"bc *",取消所有断点，Press F12数次，程序停在：

:004C5132 E8CDDCF6FF call 00432E04
:004C5137 8B55F8 mov edx, dword ptr [ebp-08] <==回到这里，edx指向我
们输入的code的首地址
:004C513A 58 pop eax
:004C513B E8FCEEF3FF call 0040403C <==计算注册码
:004C5140 7504 jne 004C5146 <==注册不成功，jump to 004c5146
:004C5142 B301 mov bl, 01 <==注册成功，bl=1
:004C5144 EB02 jmp 004C5148

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C5140(C)
|
:004C5146 33DB xor ebx, ebx <==ebx=0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C5144(U)
|
:004C5148 84DB test bl, bl
:004C514A 7523 jne 004C516F <==注册成功，则bl=1，jump to 004C516F
:004C514C 6A00 push 00000000
:004C514E 668B0D7C524C00 mov cx, word ptr [004C527C]
:004C5155 33D2 xor edx, edx

* Possible StringData Ref from Code Obj ->"The unlock code you have entered "
->"is invalid for this machine, please "
->"re-type the number or contact "
->"Harbor Telco to receive a new "
->"registration number."
|
:004C5157 B888524C00 mov eax, 004C5288
:004C515C E80F14F9FF call 00456570
:004C5161 8B86CC020000 mov eax, dword ptr [esi+000002CC]
:004C5167 8B10 mov edx, dword ptr [eax]
:004C5169 FF92B4000000 call dword ptr [edx+000000B4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C514A(C)
|
:004C516F 84DB test bl, bl <==再一次检查bl是否为1
:004C5171 0F84D9000000 je 004C5250 〈==不等于0，显示注册成功
:004C5177 8D55F8 lea edx, dword ptr [ebp-08]
:004C517A 8B86CC020000 mov eax, dword ptr [esi+000002CC]
:004C5180 E87FDCF6FF call 00432E04
:004C5185 8B45F8 mov eax, dword ptr [ebp-08]
:004C5188 E8F7E5FDFF call 004A3784
:004C518D 6A00 push 00000000
:004C518F 668B0D7C524C00 mov cx, word ptr [004C527C]
:004C5196 B202 mov dl, 02

* Possible StringData Ref from Code Obj ->"Thank you for registering LockDown "
->"2000!"
|
:004C5198 B828534C00 mov eax, 004C5328
:004C519D E8CE13F9FF call 00456570
:004C51A2 A120EC4C00 mov eax, dword ptr [004CEC20]
:004C51A7 8B00 mov eax, dword ptr [eax]
:004C51A9 80784700 cmp byte ptr [eax+47], 00
:004C51AD 750E jne 004C51BD
:004C51AF A120EC4C00 mov eax, dword ptr [004CEC20]

为了找到注册码, 让我们trace into call 0040403C

:0040403C 53 push ebx
:0040403D 56 push esi
:0040403E 57 push edi
:0040403F 89C6 mov esi, eax <==令esi指向real code的首地址
:00404041 89D7 mov edi, edx <==令edi指向fake code的首地址
:00404043 39D0 cmp eax, edx
:00404045 0F848F000000 je 004040DA
:0040404B 85F6 test esi, esi
:0040404D 7468 je 004040B7
:0040404F 85FF test edi, edi
:00404051 746B je 004040BE
:00404053 8B46FC mov eax, dword ptr [esi-04]
:00404056 8B57FC mov edx, dword ptr [edi-04]
:00404059 29D0 sub eax, edx
:0040405B 7702 ja 0040405F
:0040405D 01C2 add edx, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040405B(C)
|
:0040405F 52 push edx
:00404060 C1EA02 shr edx, 02
:00404063 7426 je 0040408B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404081(C)
|
:00404065 8B0E mov ecx, dword ptr [esi] 〈==real code前四位字符的
ASCII码值赋给ecx
:00404067 8B1F mov ebx, dword ptr [edi] <==fake code前四位字符的
ASCII码值赋给ecx
:00404069 39D9 cmp ecx, ebx <==比较real与fake的前四位字符
:0040406B 7558 jne 004040C5
:0040406D 4A dec edx
:0040406E 7415 je 00404085 <==jump to 00404085
:00404070 8B4E04 mov ecx, dword ptr [esi+04]
:00404073 8B5F04 mov ebx, dword ptr [edi+04]
:00404076 39D9 cmp ecx, ebx
:00404078 754B jne 004040C5
:0040407A 83C608 add esi, 00000008
:0040407D 83C708 add edi, 00000008
:00404080 4A dec edx
:00404081 75E2 jne 00404065
:00404083 EB06 jmp 0040408B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040406E(C)
|
:00404085 83C604 add esi, 00000004 <==esi=esi+4
:00404088 83C704 add edi, 00000004 <==edi=edi+4

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404063(C), :00404083(U)
|
:0040408B 5A pop edx
:0040408C 83E203 and edx, 00000003
:0040408F 7422 je 004040B3
:00404091 8B0E mov ecx, dword ptr [esi] <==从real code第五位取四位
字符的ASCII码赋给ecx
:00404093 8B1F mov ebx, dword ptr [edi] 〈==从fake code第五位取四位
字符的ASCII码赋给ecx
:00404095 38D9 cmp cl, bl <==比较fake与real的第五位字符的ASCII
码值
:00404097 7541 jne 004040DA
:00404099 4A dec edx
:0040409A 7417 je 004040B3
:0040409C 38FD cmp ch, bh 〈==比较fake与real的第六位字符的ASCII
码值
:0040409E 753A jne 004040DA
:004040A0 4A dec edx
:004040A1 7410 je 004040B3 〈==jump to 004040B3
:004040A3 81E30000FF00 and ebx, 00FF0000
:004040A9 81E10000FF00 and ecx, 00FF0000
:004040AF 39D9 cmp ecx, ebx
:004040B1 7527 jne 004040DA

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040408F(C), :0040409A(C), :004040A1(C)
|
:004040B3 01C0 add eax, eax
:004040B5 EB23 jmp 004040DA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040404D(C)
|
:004040B7 8B57FC mov edx, dword ptr [edi-04]
:004040BA 29D0 sub eax, edx
:004040BC EB1C jmp 004040DA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404051(C)
|
:004040BE 8B46FC mov eax, dword ptr [esi-04]
:004040C1 29D0 sub eax, edx
:004040C3 EB15 jmp 004040DA

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040406B(C), :00404078(C)
|
:004040C5 5A pop edx
:004040C6 38D9 cmp cl, bl
:004040C8 7510 jne 004040DA
:004040CA 38FD cmp ch, bh
:004040CC 750C jne 004040DA
:004040CE C1E910 shr ecx, 10
:004040D1 C1EB10 shr ebx, 10
:004040D4 38D9 cmp cl, bl
:004040D6 7502 jne 004040DA
:004040D8 38FD cmp ch, bh

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00404045(C), :00404097(C), :0040409E(C), :004040B1(C), :004040B5(U)
|:004040BC(U), :004040C3(U), :004040C8(C), :004040CC(C), :004040D6(C)
|
:004040DA 5F pop edi
:004040DB 5E pop esi
:004040DC 5B pop ebx
:004040DD C3 ret

有注释的部分为填入的code正确时程序的执行过程，其实在0040403F处,我们在SoftIce中下
命令“d eax”，即可在数据窗口看到real code,做注释的目的使你更清楚程序是如何检验你输入的
code的正确性。
我的code:7ERE55

Part2 快速破解法

线索
当我从该软件公司的主页下载此程序时，对方告之试用版只能查黑客程序而不能杀掉。

在W32Dasm中，反汇编LockDown2000.exe，用鼠标点击工具栏中的“String Data References
”,调出程序参考的字符串，你会看到程序参考的字符串量非常大，你需要有耐心，一点点找，当你
发现下面的这部分：

"tcp is the only protocol supported "
"tcp"
"test.txt"
"text/html"
"TextHeight"
"Thank you for registering LockDown "
"The trial period on this demo "
"The unlock code you have entered "
"time to live expired"
"To enable LockDown 2000 trojan " 〈==这一行
"Too many levels of remote in path"
"Too many levels of symbolic links"
"Too many open files"
"Too many processes"
"Too many references: can't splice"
"Too many users"
"too much data availaible"

用鼠标双击这一行，主窗口将显示与此字符串相关的程序代码部分；

:004C5617 E83CE2FDFF call 004A3858
:004C561C 84C0 test al, al
:004C561E 751A jne 004C563A <==

* Possible StringData Ref from Code Obj ->"To enable LockDown 2000 trojan "
->"removal and repair features, you "
->"must first purchase a license "
->"for this computer."
|
:004C5620 B858564C00 mov eax, 004C5658
:004C5625 E83E10F9FF call 00456668
:004C562A A11CEB4C00 mov eax, dword ptr [004CEB1C]
:004C562F 8B00 mov eax, dword ptr [eax]

从004C5617至004C561E ，又是经典的call/test/conditional jump,让我们进入那个call看
看，用鼠标单击 004C5617这一行，这使窗口高亮显示这一行代码，再用鼠标点击工具栏中的“
Execute Call”，窗口将显示下面这部分代码：

* Referenced by a CALL at Addresses:
|:004A457F , :004A46A6 , :004A4B70 , :004A507F , :004B78F5
|:004BD0A1 , :004BE69C , :004C3F12 , :004C5617 , :004C5773
|
:004A3858 55 push ebp
:004A3859 8BEC mov ebp, esp
:004A385B 6A00 push 00000000
:004A385D 6A00 push 00000000
:004A385F 53 push ebx
:004A3860 33C0 xor eax, eax
:004A3862 55 push ebp
:004A3863 68E9384A00 push 004A38E9
:004A3868 64FF30 push dword ptr fs:[eax]
:004A386B 648920 mov dword ptr fs:[eax], esp
:004A386E B201 mov dl, 01
:004A3870 A15C974700 mov eax, dword ptr [0047975C]
:004A3875 E82260FDFF call 0047989C
:004A387A 8BD8 mov ebx, eax
:004A387C BA02000080 mov edx, 80000002
:004A3881 8BC3 mov eax, ebx
:004A3883 E8AC60FDFF call 00479934
:004A3888 B101 mov cl, 01

* Possible StringData Ref from Code Obj ->"Software\Harbor Telco\LockDown "
->"2000 v3.0\3.0.1.1"
|
:004A388A BA00394A00 mov edx, 004A3900
:004A388F 8BC3 mov eax, ebx
:004A3891 E80261FDFF call 00479998
:004A3896 8D4DFC lea ecx, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"Register"
|
:004A3899 BA3C394A00 mov edx, 004A393C
:004A389E 8BC3 mov eax, ebx
:004A38A0 E8EB64FDFF call 00479D90
:004A38A5 8BC3 mov eax, ebx
:004A38A7 E85860FDFF call 00479904
:004A38AC 8BC3 mov eax, ebx
:004A38AE E869F7F5FF call 0040301C
:004A38B3 8D45F8 lea eax, dword ptr [ebp-08]
:004A38B6 E89DFBFFFF call 004A3458
:004A38BB 8B55F8 mov edx, dword ptr [ebp-08]
:004A38BE 8B45FC mov eax, dword ptr [ebp-04]
:004A38C1 E87607F6FF call 0040403C
:004A38C6 7504 jne 004A38CC
:004A38C8 B301 mov bl, 01
:004A38CA EB02 jmp 004A38CE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A38C6(C)
|
:004A38CC 33DB xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A38CA(U)
|
:004A38CE 33C0 xor eax, eax
:004A38D0 5A pop edx
:004A38D1 59 pop ecx
:004A38D2 59 pop ecx
:004A38D3 648910 mov dword ptr fs:[eax], edx
:004A38D6 68F0384A00 push 004A38F0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A38EE(U)
|
:004A38DB 8D45F8 lea eax, dword ptr [ebp-08]
:004A38DE BA02000000 mov edx, 00000002
:004A38E3 E8EC03F6FF call 00403CD4
:004A38E8 C3 ret

看到了吗？这部分代码从注册表的
HKEY_LOCAL_MACHINE\Software\Harbor Telco\LockDown 2000 v3.0\3.0.1.1\Register
获取注册信息，若存在，检验正确性，一切OK,让返回值al=1。另外，你还会看到，此段代码被10个
call参考，那就说明程序从10个不同方面检查你是否注册。
我没有再仔细分析这段代码，为了让所有参考此部分代码的call都认为程序已注册，最简单的
方法：在004A3858处，按顺序修改代码为 (1)mov al, 01 (2)ret
修改后，重新执行程序，bingo!程序百分之百注册！

----------=======The Patch========----------

在文件LockDown2000.exe的offset:0xA2C58处，修改558BEC为B001C3

文章评论

查看所有0条评论>>

热门文章 去除winrar注册框方法