万能五笔2002分析笔记
-
万能五笔2002这个软件好像已经有人分析了,不过我没看到!我是昨天下午从作者主页下载的,拿回来后就开始分析了,如果一定要说我是抄回来的我也没办法! (不过下面的东西绝对是我自己在家花了一晚时间整理的,绝对没有抄袭!!!)
第一次做这么详细的分析,可能有很多地方错误,请大哥哥\大姐姐指正和支持!
【下载页面】
http://www.tt98.com/wnwb2002/wnwb_rjxz.htm
【软件大小】:1556K
【软件限制】:试用200次...还有就是不知道了!呵呵...
【作者声明】:只是个人兴趣,读者看后所做出的一切事情与我无关,我也不负责,希望读者能三思再后行!
【破解工具】:w32Dasm TRW2K PEid
—————————————————————————————————
【过 程】:先用w32Dasm反它,根据参考很快就找到关键!下断bpx 40EB98 F5返回,输入假的注册码7878787878787878 一定要大于16位,按OK拦下来到下面:
:0040EB98 8B742474 mov esi, dword ptr [esp+74]
* Reference To: USER32.GetDlgItemTextA, Ord:0104h
|
:0040EB9C 8B3D40524200 mov edi, dword ptr [00425240]
:0040EBA2 8D4C243C lea ecx, dword ptr [esp+3C]
:0040EBA6 6A32 push 00000032
:0040EBA8 51 push ecx
:0040EBA9 68F7030000 push 000003F7
:0040EBAE 56 push esi
:0040EBAF FFD7 call edi
:0040EBB1 8D542428 lea edx, dword ptr [esp+28]
:0040EBB5 6A11 push 00000011
:0040EBB7 52 push edx
:0040EBB8 68F8030000 push 000003F8
:0040EBBD 56 push esi
:0040EBBE FFD7 call edi
:0040EBC0 6A04 push 00000004
:0040EBC2 56 push esi
* Reference To: USER32.ShowWindow, Ord:026Ah
|
:0040EBC3 FF15E8514200 Call dword ptr [004251E8]
:0040EBC9 8D7C243C lea edi, dword ptr [esp+3C] \\取得发布网站的名称
:0040EBCD 83C9FF or ecx, FFFFFFFF
:0040EBD0 33C0 xor eax, eax
:0040EBD2 F2 repnz \\这个是什么用的就不清楚了!
:0040EBD3 AE scasb \\这个是什么用的就不清楚了!
:0040EBD4 F7D1 not ecx \\取反
:0040EBD6 49 dec ecx \\减一
:0040EBD7 83F904 cmp ecx, 00000004 \\?!比较发布网站是否小于4个字节,我真搞不懂,那个筐里的东西是灰色的根本填不了东西可,就是小于四个字节也不关我事啊!!晕哦...
:0040EBDA 7342 jnb 0040EC1E \\小于就不跳,死掉!不小于就跳到下面!
:0040EBDC A1F08F4300 mov eax, dword ptr [00438FF0]
:0040EBE1 6A10 push 00000010
:0040EBE3 85C0 test eax, eax
* Possible StringData Ref from Data Obj ->"Error"
|
:0040EBE5 6800804200 push 00428000
:0040EBEA 7519 jne 0040EC05
* Possible StringData Ref from Data Obj ->"发布网站名不能小于4个字节!"
|
:0040EBEC 686CA74200 push 0042A76C
:0040EBF1 56 push esi
--------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040EBDA(C)
|
:0040EC1E 8D7C2428 lea edi, dword ptr [esp+28] \\从0040EBDA跳到这里!EDI里是我输入的注册码!
:0040EC22 83C9FF or ecx, FFFFFFFF
:0040EC25 33C0 xor eax, eax
:0040EC27 F2 repnz \\?????????
:0040EC28 AE scasb \\?????????
:0040EC29 F7D1 not ecx \\取反
:0040EC2B 49 dec ecx \\减一
:0040EC2C 83F910 cmp ecx, 00000010 \\比较注册码是否大于16位!不明白的是怎么取得注册码的位数的!可能是我太菜了...
:0040EC2F 7442 je 0040EC73 \\大于就跳到下面,否则就死掉!
:0040EC31 A1F08F4300 mov eax, dword ptr [00438FF0]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040EC91(C)
|
:0040EC36 85C0 test eax, eax
:0040EC38 6A10 push 00000010
* Possible StringData Ref from Data Obj ->"Error"
|
:0040EC3A 6800804200 push 00428000
:0040EC3F 7519 jne 0040EC5A
* Possible StringData Ref from Data Obj ->"解码失败!"
|
:0040EC41 6844A74200 push 0042A744
:0040EC46 56 push esi
------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040EC2F(C)
|
:0040EC73 8D442428 lea eax, dword ptr [esp+28] \\从0040EC2F跳到这里!EAX装的是我输入的注册码!
:0040EC77 6800994300 push 00439900 \\这里是机器码压入堆栈!
:0040EC7C 8D4C2440 lea ecx, dword ptr [esp+40] \\ECX装的是发布网站WWW.TT98.COM!
:0040EC80 50 push eax \\我输入的注册码压栈
:0040EC81 51 push ecx \\www.TT98.COM压栈
:0040EC82 E8D925FFFF call 00401260 \\关键CALL F8追进去!好眼熟啊,经典比较!!
:0040EC87 83C40C add esp, 0000000C
:0040EC8A 85C0 test eax, eax \\注册码是否正确
:0040EC8C A1F08F4300 mov eax, dword ptr [00438FF0]
:0040EC91 74A3 je 0040EC36 \\不正确就跳回去死掉!!!
:0040EC93 85C0 test eax, eax
:0040EC95 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"Success"
|
:0040EC97 68909F4200 push 00429F90
:0040EC9C 7507 jne 0040ECA5
* Possible StringData Ref from Data Obj ->"解码成功,感谢您对国产共享软件的支持!"
|
:0040EC9E 6810A74200 push 0042A710
:0040ECA3 EB05 jmp 0040ECAA
------------------------------------------------------------------
上面F8到这里:
:00401260 83EC14 sub esp, 00000014
:00401263 53 push ebx
:00401264 55 push ebp
:00401265 8B6C2420 mov ebp, dword ptr [esp+20] \\这里是www.TT98.com
:00401269 56 push esi
:0040126A 57 push edi
:0040126B C644242000 mov [esp+20], 00
* Possible StringData Ref from Data Obj ->"www.TT98.net"
|
:00401270 BE40794200 mov esi, 00427940 \\这里是www.TT98.net
:00401275 8BC5 mov eax, ebp \\这里是www.TT98.com
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401299(C)
|
:00401277 8A10 mov dl, byte ptr [eax] \\把www.TT98.com的第一个字符的ASCII码放入EDX的低位!
:00401279 8A1E mov bl, byte ptr [esi] \\把www.TT98.net的第一个字符的ASCII码放入EBX的低位!
:0040127B 8ACA mov cl, dl
:0040127D 3AD3 cmp dl, bl \\比较
:0040127F 751E jne 0040129F \\不等于就跳下去死
:00401281 84C9 test cl, cl \\是否为零
:00401283 7416 je 0040129B \\是就跳下去死
:00401285 8A5001 mov dl, byte ptr [eax+01] \\把www.TT98.com的第二个字符的ASCII码放入EDX的低位!
:00401288 8A5E01 mov bl, byte ptr [esi+01] \\把www.TT98.net的第二个字符的ASCII码放入EBX的低位!
:0040128B 8ACA mov cl, dl
:0040128D 3AD3 cmp dl, bl \\比较
:0040128F 750E jne 0040129F \\不等于就跳下去死
:00401291 83C002 add eax, 00000002 \\EAX加二之后就变成w.TT98.com
:00401294 83C602 add esi, 00000002 \\ESI加二之后就变成w.TT98.net
:00401297 84C9 test cl, cl \\是否取完
:00401299 75DC jne 00401277 \\没有取完就跳上去继续↑
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401283(C)
|
:0040129B 33C0 xor eax, eax \\清零
:0040129D EB05 jmp 004012A4 \\跳去死!
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040127F(C), :0040128F(C)
|
:0040129F 1BC0 sbb eax, eax
:004012A1 83D8FF sbb eax, FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040129D(U)
|
:004012A4 85C0 test eax, eax
:004012A6 750D jne 004012B5 \\这里不跳的话就死得好惨...
:004012A8 5F pop edi
:004012A9 5E pop esi
:004012AA 5D pop ebp
:004012AB B801000000 mov eax, 00000001
:004012B0 5B pop ebx
:004012B1 83C414 add esp, 00000014
:004012B4 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012A6(C)
|
:004012B5 8BFD mov edi, ebp \\这里是发布网站的名称www.TT98.com
:004012B7 83C9FF or ecx, FFFFFFFF
:004012BA 33C0 xor eax, eax
:004012BC F2 repnz
:004012BD AE scasb
:004012BE F7D1 not ecx
:004012C0 49 dec ecx
:004012C1 83F904 cmp ecx, 00000004 \\发布网站得名称是否大于四个字节!它是怎么取得发布网站的字节的我搞不懂,可能是我太菜了吧!
:004012C4 0F82C0000000 jb 0040138A \\不大于就跳去死掉!
:004012CA 8B5C242C mov ebx, dword ptr [esp+2C] \\我输入的注册码
:004012CE 83C9FF or ecx, FFFFFFFF
:004012D1 8BFB mov edi, ebx \\我输入的注册码
:004012D3 F2 repnz
:004012D4 AE scasb
:004012D5 F7D1 not ecx
:004012D7 49 dec ecx
:004012D8 83F910 cmp ecx, 00000010 \\比较注册码是否大于16位!它是怎么取得我输入注册码的字节的我搞不懂,可能是我太菜了吧!
:004012DB 0F85A9000000 jne 0040138A \\不大于得话就跳去死!
:004012E1 8B542430 mov edx, dword ptr [esp+30]
:004012E5 83C9FF or ecx, FFFFFFFF
:004012E8 8BFA mov edi, edx
...........
.........
:00401332 83E103 and ecx, 00000003
:00401335 F3 repz
:00401336 A4 movsb
:00401337 8D4C2410 lea ecx, dword ptr [esp+10]
:0040133B 51 push ecx \\这个不知道是什么.可能是C盘或者是密匙!
:0040133C 50 push eax \\这里是两个机器码连在一起,也是注册标志!
:0040133D 52 push edx \\这里是机器码
:0040133E E8ADFEFFFF call 004011F0 \\这个CALL就是注册算法!
\\想知道算法的话就追进去!
\\我追了一会儿,头晕了就没追了!
\\其实是我的汇编太差,看得不太明白!
\\但有一些地方还是看得懂的,一会总结分析!
:00401343 83C40C add esp, 0000000C
:00401346 8D742410 lea esi, dword ptr [esp+10] \\这里就是真的注册码了!
:0040134A 8BC3 mov eax, ebx \\我输入的假注册码!下面是比较!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040136E(C)
|
:0040134C 8A10 mov dl, byte ptr [eax] \\假码的第一位的ASCII码放入EDX的低位!
:0040134E 8A1E mov bl, byte ptr [esi] \\真码的第一位的ASCII码放入EBX的低位!
:00401350 8ACA mov cl, dl \\CL=DL
:00401352 3AD3 cmp dl, bl \\比较
:00401354 751E jne 00401374 \\不等于就跳去死!
:00401356 84C9 test cl, cl \\注册码第一位是否为零!
:00401358 7416 je 00401370 \\是零的话就跳去死!
:0040135A 8A5001 mov dl, byte ptr [eax+01] \\假码的第二位的ASCII码放入EDX的低位!
:0040135D 8A5E01 mov bl, byte ptr [esi+01] \\真码的第二位的ASCII码放入EBX的低位!
:00401360 8ACA mov cl, dl \\CL=DL
:00401362 3AD3 cmp dl, bl \\比较第二位是否相等!
:00401364 750E jne 00401374 \\不相等就跳去死!
:00401366 83C002 add eax, 00000002 \\假码加二(这里和上面00401291道理相同)
:00401369 83C602 add esi, 00000002 \\真码加二(这里和上面00401292道理相同)
:0040136C 84C9 test cl, cl \\注册码第二位是否为零!
:0040136E 75DC jne 0040134C \\不为零的话就跳回去继续比较!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401358(C)
|
:00401370 33C0 xor eax, eax \\清零
:00401372 EB05 jmp 00401379 \\跳去死!
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401354(C), :00401364(C)
|
:00401374 1BC0 sbb eax, eax
:00401376 83D8FF sbb eax, FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401372(U)
|
:00401379 85C0 test eax, eax
:0040137B 750D jne 0040138A
:0040137D 5F pop edi
:0040137E 5E pop esi
:0040137F 5D pop ebp
:00401380 B801000000 mov eax, 00000001
:00401385 5B pop ebx
:00401386 83C414 add esp, 00000014
:00401389 C3 ret
-----------------------------------------------------------------------
内存注册机:
中断地址:40134A
中断次数:1
第一字节:8B
指令长度:2
内存方式:寄存器 ESI
注册码是XXXX-XXXXXX-XXXXX形式的!
-----------------------------------------------------------------------
注册信息保存在同目录下的wnb.ini文件的最下面那一行serialno=XXXX-XXXXXX-XXXX
把这一行删掉就又变成未注册版本了!
------------------------------------------------------------------------
我曾经追进:
:0040133E E8ADFEFFFF call 004011F0
后发现程序是把机器码(我的机器码是527901190)的ASCII的和X与某个数Y运算后得出一个数Z的十进制就十注册码的前面部分!再把Z这个数的十进制乘以二就十后面部分,中间部分是怎么来的我就真的搞不懂了!唉........
我的机器码的ASCII和是1D2再与某个数运算后得出CFC
CFC转为十进制是3324
我的注册码是3324-594401-6648
整个分析就到此结束了!谢谢您的观赏!
相关视频
相关阅读 Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么
- 文章评论
-
热门文章
去除winrar注册框方法
最新文章
比特币病毒怎么破解 比去除winrar注册框方法
华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据人气排行 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程
查看所有0条评论>>