Tools used: SoftICE 4.05, W32Dasm Platinum edition
Notes: the mock exam on the 2001 CD must be registered before use. The CD allows installation on 4 machines; to obtain a registration number you have to call 16898173 and then enter a 14-digit number. I have heard several people around me say that registering by phone is laborious and troublesome; they often had to call the information line several times for a single registration and spent quite a bit on phone charges. 50 yuan for a CD is expensive enough, and then they make money a second time through the information line, which is really hateful, so it is absolutely necessary to crack it. In fact there are many ways to find the registration code, and they are easy; with SmartCheck it can be done effortlessly.
Cracking with SoftICE:
Set up SoftICE. When the dialog asking for the registration number appears, enter a 12-digit registration number, set bpx hmemcpy or bpx rtcinputbox, and press OK. SoftICE will break; trace step by step and you will find the real registration number.
Cracking with SmartCheck:
Set up SmartCheck and run the program. When the dialog asking for the registration number appears, enter a 12-digit registration number and press OK; it will of course be rejected. Press Exit, look through the SmartCheck log, and you will find the registration number.
How the registration code is generated:
* Possible StringData Ref from Code Obj ->"cc:\jsjdog"
|
:0059350D 6898EE4100 push 0041EE98
...
* Reference To: MSVBVM50.__vbaFileOpen, Ord:0000h
|
:0059351E FF15CCD35D00 Call dword ptr [005DD3CC]
* Reference To: MSVBVM50.rtcEndOfFile, Ord:023Bh
|
:00593524 8B35DCD35D00 mov esi, dword ptr [005DD3DC]
:0059352A 6A01 push 00000001
:0059352C FFD6 call esi
:0059352E 6685C0 test ax, ax
:00593531 6A01 push 00000001
:00593533 750C jne 00593541
:00593535 8D45A4 lea eax, dword ptr [ebp-5C]
:00593538 50 push eax
* Reference To: MSVBVM50.__vbaLineInputVar, Ord:0000h
|
:00593539 FF15A4D25D00 Call dword ptr [005DD2A4]
:0059353F EBE9 jmp 0059352A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00593533(C)
|
* Reference To: MSVBVM50.__vbaFileClose, Ord:0000h
|
:00593541 FF1538D35D00 Call dword ptr [005DD338]
:00593547 8D4D84 lea ecx, dword ptr [ebp-7C]
:0059354A 8D55A4 lea edx, dword ptr [ebp-5C] ====> address of the Line Input buffer
:0059354D 51 push ecx
:0059354E 6A04 push 00000004
:00593550 8D8574FFFFFF lea eax, dword ptr [ebp+FFFFFF74]
:00593556 52 push edx
:00593557 50 push eax
:00593558 C7458C05000000 mov [ebp-74], 00000005
:0059355F C7458402000000 mov [ebp-7C], 00000002
* Reference To: MSVBVM50.rtcMidCharVar, Ord:0278h
|
:00593566 FF1530D35D00 Call dword ptr [005DD330]
:0059356C 8D8D74FFFFFF lea ecx, dword ptr [ebp+FFFFFF74]
:00593572 51 push ecx
* Reference To: MSVBVM50.__vbaR8Var, Ord:0000h
|
:00593573 FF1504D45D00 Call dword ptr [005DD404]
:00593579 DD5DB4 fstp qword ptr [ebp-4C]
:0059357C 8D9574FFFFFF lea edx, dword ptr [ebp+FFFFFF74]
:00593582 8D4584 lea eax, dword ptr [ebp-7C]
:00593585 52 push edx
:00593586 50 push eax
:00593587 6A02 push 00000002
* Reference To: MSVBVM50.__vbaFreeVarList, Ord:0000h
|
:00593589 FF1598D25D00 Call dword ptr [005DD298]
:0059358F 83C40C add esp, 0000000C
The code above opens the file c:\jsjdog, reads it line by line, takes 5 characters starting at the 4th character, and converts them to single-precision. Expressed in VB:
' read c:\jsjdog to its last line; VeriCode is 5 characters starting at position 4
Open "c:\jsjdog" For Input As #1
Do While Not EOF(1)
    Line Input #1, DogCode$
Loop
Close #1
VeriCode = CSng(Mid(DogCode$, 4, 5))
:00593592 8D95D4FEFFFF lea edx, dword ptr [ebp+FFFFFED4]
:00593598 8D4D84 lea ecx, dword ptr [ebp-7C]
* Possible StringData Ref from Code Obj ->"cc:\Msdos"
|
:0059359B C785DCFEFFFFC4EE4100 mov dword ptr [ebp+FFFFFEDC], 0041EEC4
:005935A5 C785D4FEFFFF08000000 mov dword ptr [ebp+FFFFFED4], 00000008
* Reference To: MSVBVM50.__vbaVarDup, Ord:0000h
|
:005935AF FF1538D45D00 Call dword ptr [005DD438]
:005935B5 8D4D84 lea ecx, dword ptr [ebp-7C]
:005935B8 53 push ebx
:005935B9 51 push ecx
* Reference To: MSVBVM50.rtcDir, Ord:0285h
|
:005935BA FF15C0D35D00 Call dword ptr [005DD3C0]
:005935C0 8BD0 mov edx, eax
:005935C2 8D4DA0 lea ecx, dword ptr [ebp-60]
:005935C5 FFD7 call edi
:005935C7 50 push eax
:005935C8 6818584100 push 00415818
* Reference To: MSVBVM50.__vbaStrCmp, Ord:0000h
|
:005935CD FF1548D35D00 Call dword ptr [005DD348]
:005935D3 8BF0 mov esi, eax
:005935D5 8D4DA0 lea ecx, dword ptr [ebp-60]
:005935D8 F7DE neg esi
:005935DA 1BF6 sbb esi, esi
:005935DC F7DE neg esi
:005935DE F7DE neg esi
* Reference To: MSVBVM50.__vbaFreeStr, Ord:0000h
|
:005935E0 FF1580D45D00 Call dword ptr [005DD480]
:005935E6 8D4D84 lea ecx, dword ptr [ebp-7C]
* Reference To: MSVBVM50.__vbaFreeVar, Ord:0000h
|
:005935E9 FF157CD25D00 Call dword ptr [005DD27C]
:005935EF 663BF3 cmp si, bx ====> does "c:\Msdos" exist?
:005935F2 743C je 00593630 ====> jump if it does not exist
* Possible StringData Ref from Code Obj ->"cc:\Msdos"
|
:005935F4 68C4EE4100 push 0041EEC4
:005935F9 6A01 push 00000001
:005935FB 6AFF push FFFFFFFF
:005935FD 6A01 push 00000001
* Reference To: MSVBVM50.__vbaFileOpen, Ord:0000h
|
:005935FF FF15CCD35D00 Call dword ptr [005DD3CC]
:00593605 8D55CC lea edx, dword ptr [ebp-34]
:00593608 6A01 push 00000001
:0059360A 52 push edx
* Reference To: MSVBVM50.__vbaLineInputVar, Ord:0000h
|
:0059360B FF15A4D25D00 Call dword ptr [005DD2A4]
:00593611 6A01 push 00000001
* Reference To: MSVBVM50.__vbaFileClose, Ord:0000h
|
:00593613 FF1538D35D00 Call dword ptr [005DD338]
:00593619 6A07 push 00000007 ====> attribute value 7, i.e. system + read-only + hidden
* Possible StringData Ref from Code Obj ->"cc:\msdos"
|
:0059361B 6800584100 push 00415800
* Reference To: MSVBVM50.rtcSetFileAttr, Ord:0244h
|
:00593620 FF1588D45D00 Call dword ptr [005DD488]
:00593626 BB0A000000 mov ebx, 0000000A
:0059362B E999080000 jmp 00593EC9
The code above checks whether the file msdos exists on drive C (the content of this file is in fact the registration code); if it exists, the file is opened and its content read. The VB might be as follows:
A$ = "c:\Msdos"
B$ = Dir(A$)                  ' Dir returns "" when the file does not exist
If B$ <> "" Then
    Open A$ For Input As #1
    Line Input #1, RegCode1$
    Close #1
    SetAttr A$, vbReadOnly + vbHidden + vbSystem
Else
    ' show the dialog for entering the software serial number and registration code
End If
:00593EC9 DD45B4 fld qword ptr [ebp-4C]
* Reference To: MSVBVM50.__vbaFpI4, Ord:0000h
|
:00593ECC 8B3544D45D00 mov esi, dword ptr [005DD444]
:00593ED2 FFD6 call esi
:00593ED4 99 cdq
:00593ED5 B905000000 mov ecx, 00000005
:00593EDA F7F9 idiv ecx
:00593EDC 83FA04 cmp edx, 00000004
:00593EDF 0F8768280000 ja 0059674D
:00593EE5 FF249594695900 jmp dword ptr [4*edx+00596994] ====> jumps to 593EEC, 594661, 594DD6, 5955D6, 595DD6
:00593EEC DD45B4 fld qword ptr [ebp-4C]
:00593EEF FFD6 call esi
* Possible StringData Ref from Code Obj ->"4412345"
|
:00593EF1 6868EF4100 push 0041EF68
:00593EF6 8BD8 mov ebx, eax
* Reference To: MSVBVM50.__vbaI4Str, Ord:0000h
|
:00593EF8 FF15ECD35D00 Call dword ptr [005DD3EC] ====> string conversion (__vbaI4Str: string to long)
:00593EFE 33D8 xor ebx, eax ====> xor with 412345
:00593F00 53 push ebx
* Reference To: MSVBVM50.__vbaStrI4, Ord:0000h
|
:00593F01 FF1574D25D00 Call dword ptr [005DD274]
:00593F07 8BD0 mov edx, eax
:00593F09 8D4DA0 lea ecx, dword ptr [ebp-60]
:00593F0C FFD7 call edi
:00593F0E DD0528354000 fld qword ptr [00403528] ====> [00403528] holds 99999
:00593F14 DC65B4 fsub qword ptr [ebp-4C] ====> 99999 - VeriCode
:00593F17 50 push eax
:00593F18 DFE0 fstsw ax
:00593F1A A80D test al, 0D
:00593F1C 0F85862A0000 jne 005969A8
:00593F22 FFD6 call esi
* Possible StringData Ref from Code Obj ->"2238745"
|
:00593F24 687CEF4100 push 0041EF7C
:00593F29 8BD8 mov ebx, eax
* Reference To: MSVBVM50.__vbaI4Str, Ord:0000h
|
:00593F2B FF15ECD35D00 Call dword ptr [005DD3EC]
:00593F31 33D8 xor ebx, eax ====> xor with 238745
:00593F33 53 push ebx
* Reference To: MSVBVM50.__vbaStrI4, Ord:0000h
|
:00593F34 FF1574D25D00 Call dword ptr [005DD274]
:00593F3A 8BD0 mov edx, eax
:00593F3C 8D4D9C lea ecx, dword ptr [ebp-64]
:00593F3F FFD7 call edi
* Reference To: MSVBVM50.__vbaStrCat, Ord:0000h
|
:00593F41 8B1DC0D25D00 mov ebx, dword ptr [005DD2C0]
:00593F47 50 push eax
:00593F48 FFD3 call ebx ====> concatenate the two results
:00593F4A 8D5584 lea edx, dword ptr [ebp-7C]
:00593F4D 89856CFFFFFF mov dword ptr [ebp+FFFFFF6C], eax
:00593F53 52 push edx
:00593F54 8D45CC lea eax, dword ptr [ebp-34]
:00593F57 6A02 push 00000002
:00593F59 8D8D74FFFFFF lea ecx, dword ptr [ebp+FFFFFF74]
:00593F5F 50 push eax
:00593F60 51 push ecx
:00593F61 C78564FFFFFF08800000 mov dword ptr [ebp+FFFFFF64], 00008008
:00593F6B C7458C0C000000 mov [ebp-74], 0000000C
:00593F72 C7458402000000 mov [ebp-7C], 00000002
* Reference To: MSVBVM50.rtcMidCharVar, Ord:0278h
|
:00593F79 FF1530D35D00 Call dword ptr [005DD330] ====> take 12 (0Ch) registration-code characters starting at the 2nd
:00593F7F 8D9564FFFFFF lea edx, dword ptr [ebp+FFFFFF64] ====> address of the characters just read
:00593F85 8D8574FFFFFF lea eax, dword ptr [ebp+FFFFFF74] ====> address of the result of the two xor operations
:00593F8B 52 push edx
:00593F8C 50 push eax
* Reference To: MSVBVM50.__vbaVarTstEq, Ord:0000h
|
:00593F8D FF154CD35D00 Call dword ptr [005DD34C] ====> string comparison
The above are two pieces of code. The first takes the check code modulo 5 and performs a different computation depending on the remainder; the second is the computation for a remainder of 0. The other 4 computations are similar and are not shown here. The VB might be as follows:
' __vbaFpI4 converts the double to a long, so CLng rather than CInt (VeriCode can exceed 32767)
TestCode = CLng(VeriCode) Mod 5
' Xor is numeric; each result is converted back to a string and the two strings are concatenated
Select Case TestCode
    Case 0
        RegCode2$ = CStr(CLng(VeriCode) Xor 412345) & CStr(CLng(99999 - VeriCode) Xor 238745)
    Case 1
        RegCode2$ = CStr(CLng(VeriCode) Xor 235678) & CStr(CLng(99999 - VeriCode) Xor 338762)
    Case 2
        RegCode2$ = CStr(CLng(VeriCode) Xor 897363) & CStr(CLng(99999 - VeriCode) Xor 283954)
    Case 3
        RegCode2$ = CStr(CLng(VeriCode) Xor 236738) & CStr(CLng(99999 - VeriCode) Xor 458902)
    Case 4
        RegCode2$ = CStr(CLng(VeriCode) Xor 763218) & CStr(CLng(99999 - VeriCode) Xor 238958)
End Select
RegCode1$ = Mid(RegCode1$, 2, 12)
If RegCode1$ = RegCode2$ Then
    MsgBox "注册成功!", vbOKOnly
    ' continue to the point where the program runs normally
Else
    MsgBox "注册失败!", vbOKOnly
    End
End If
So a keygen for this program is not hard to write, because the software serial number, i.e. the last 5 digits, is visible.
Let the last 5 digits be abcde;
then the first 6 digits of the registration code are: fixed number 1 xor abcde
and the last 6 digits of the registration code are: fixed number 2 xor (99999-abcde)
That gives the 12-digit registration code. The keygen has been written and tested.