2003-12-11, 07:51 PM | #1 |
Honorary Member
|
Cracking LeapFTP 2.7.3.600

Target: LeapFTP 2.7.3.600
Official homepage: http://www.leapware.com/download.html
Description: FTP download software.
Download: ftp://ftp.leapware.com/pub/lftp273.exe
Tools used: W32Dasm, Ollydbg, the built-in Windows calculator

fi2.5 reports that this program is not packed. In W32Dasm, find the "感謝註冊" ("thanks for registering") string:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487B6C(C)
|
:00487B7C 8B83F0020000            mov eax, dword ptr [ebx+000002F0]
:00487B82 50                      push eax
:00487B83 8D55F4                  lea edx, dword ptr [ebp-0C]
:00487B86 8B83D0020000            mov eax, dword ptr [ebx+000002D0]
:00487B8C E833C0FAFF              call 00433BC4
:00487B91 8B55F4                  mov edx, dword ptr [ebp-0C]
:00487B94 8B4DFC                  mov ecx, dword ptr [ebp-04]
:00487B97 8BC3                    mov eax, ebx
:00487B99 E8BA010000              call 00487D58  //the serial is computed inside this call
:00487B9E 84C0                    test al, al  //test AL
:00487BA0 7462                    je 00487C04  //if it is 0, it's game over

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487B7A(C)
|
:00487BA2 8D55F0                  lea edx, dword ptr [ebp-10]
:00487BA5 8B83E4020000            mov eax, dword ptr [ebx+000002E4]
:00487BAB E814C0FAFF              call 00433BC4
:00487BB0 8B45F0                  mov eax, dword ptr [ebp-10]
:00487BB3 50                      push eax
:00487BB4 8D55EC                  lea edx, dword ptr [ebp-14]
:00487BB7 8B83D0020000            mov eax, dword ptr [ebx+000002D0]
:00487BBD E802C0FAFF              call 00433BC4
:00487BC2 8B4DEC                  mov ecx, dword ptr [ebp-14]
:00487BC5 8B93EC020000            mov edx, dword ptr [ebx+000002EC]
:00487BCB 8BC3                    mov eax, ebx
:00487BCD E8AE040000              call 00488080

* Possible StringData Ref from Code Obj ->"感謝你的註冊!"
|
:00487BD2 B8507C4800              mov eax, 00487C50
:00487BD7 E8542FFDFF              call 0045AB30
:00487BDC C7833402000001000000    mov dword ptr [ebx+00000234], 00000001
:00487BE6 8D55E8                  lea edx, dword ptr [ebp-18]
:00487BE9 8B83D0020000            mov eax, dword ptr [ebx+000002D0]
:00487BEF E8D0BFFAFF              call 00433BC4
:00487BF4 8B55E8                  mov edx, dword ptr [ebp-18]
:00487BF7 8D83E8020000            lea eax, dword ptr [ebx+000002E8]
:00487BFD E846C1F7FF              call 00403D48
:00487C02 EB15                    jmp 00487C19

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487BA0(C)
|
:00487C04 6A00                    push 00000000
:00487C06 668B0D6C7C4800          mov cx, word ptr [00487C6C]
:00487C0D B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"你輸入的許可密匙是不正確的. 要確保準確, "
                                  ->"你應該直接總你的購買驗證 E-Mail "
                                  ->"中複製並貼上序列號. 如果你繼續操作後碰到麻煩, "
                                  ->"請聯繫support@leapware.com."
|
:00487C0F B8787C4800              mov eax, 00487C78
:00487C14 E81F2EFDFF              call 0045AA38

****************************************************************

Load LeapFTP.exe in Ollydbg, run it, and enter:
User name: henhao
Serial: 78787878 (anything will do)

In Ollydbg, press F2 to set a breakpoint at 00487B99, then click the program's "OK" button to register!
The program stops at 00487B99; press F7 to step in. I'm a newbie, and once inside I felt my head slowly starting to swell~~~~~

00487D58 /$ 55             PUSH EBP
00487D59 |. 8BEC           MOV EBP,ESP
00487D5B |. 83C4 DC        ADD ESP,-24
00487D5E |. 53             PUSH EBX
00487D5F |. 33DB           XOR EBX,EBX
00487D61 |. 895D DC        MOV DWORD PTR SS:[EBP-24],EBX
00487D64 |. 895D E0        MOV DWORD PTR SS:[EBP-20],EBX
00487D67 |. 895D EC        MOV DWORD PTR SS:[EBP-14],EBX
00487D6A |. 894D F8        MOV DWORD PTR SS:[EBP-8],ECX
00487D6D |. 8955 FC        MOV DWORD PTR SS:[EBP-4],EDX
00487D70 |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
00487D73 |. E8 B0C3F7FF    CALL LeapFTP.00404128
00487D78 |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
00487D7B |. E8 A8C3F7FF    CALL LeapFTP.00404128
00487D80 |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
00487D83 |. E8 A0C3F7FF    CALL LeapFTP.00404128
00487D88 |. 33C0           XOR EAX,EAX
00487D8A |. 55             PUSH EBP
00487D8B |. 68 BB7E4800    PUSH LeapFTP.00487EBB
00487D90 |. 64:FF30        PUSH DWORD PTR FS:[EAX]
00487D93 |. 64:8920        MOV DWORD PTR FS:[EAX],ESP
00487D96 |. 33C0           XOR EAX,EAX
00487D98 |. 8945 F0        MOV DWORD PTR SS:[EBP-10],EAX
00487D9B |. 8945 F4        MOV DWORD PTR SS:[EBP-C],EAX
00487D9E |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
00487DA1 |. E8 CEC1F7FF    CALL LeapFTP.00403F74  //compute the length of the name
00487DA6 |. 8BD0           MOV EDX,EAX  //length into edx
00487DA8 |. 85D2           TEST EDX,EDX  //test whether the name length is 0
00487DAA |. 7E 33          JLE SHORT LeapFTP.00487DDF  //jump if 0
00487DAC |. B8 01000000    MOV EAX,1
===================Calculation starts======================
00487DB1 |> 8B4D FC        /MOV ECX,DWORD PTR SS:[EBP-4]  //fetch the name
00487DB4 |. 0FB64C01 FF    |MOVZX ECX,BYTE PTR DS:[ECX+EAX-1]  //fetch the ASCII value of the name string one character at a time; taking the first iteration as an example, the character "h", ASCII value 68
00487DB9 |. 0FAFC8         |IMUL ECX,EAX  //ECX*EAX: multiply by the current position (here the first), then multiply by the integer 10. That is 68*1*10=680 (if the current character of the name were at the second position, it would be 68*2*10)
00487DBC |. 8BD9           |MOV EBX,ECX  //result of ECX*EAX goes into ebx
00487DBE |. C1E1 04        |SHL ECX,4  //
00487DC1 |. 2BCB           |SUB ECX,EBX  //subtraction ecx-ebx
00487DC3 |. 894D E8        |MOV DWORD PTR SS:[EBP-18],ECX  //result goes into ecx
00487DC6 |. DB45 E8        |FILD DWORD PTR SS:[EBP-18]  //load the result, as decimal, into st(0)
00487DC9 |. DC45 F0        |FADD QWORD PTR SS:[EBP-10]  //accumulate, then load into ST(0)
00487DCC |. 8D0C80         |LEA ECX,DWORD PTR DS:[EAX+EAX*4]  //compute eax+eax*4; for example, for the first character of the name this is 1+1*4, for the second character it is 2+2*4, and so on
00487DCF |. 894D E4        |MOV DWORD PTR SS:[EBP-1C],ECX  //result goes into ecx
00487DD2 |. DB45 E4        |FILD DWORD PTR SS:[EBP-1C]  //load the value of ecx, as decimal, into st(0)
00487DD5 |. DEC1           |FADDP ST(1),ST  //ST(0) and ST(1) are added here
00487DD7 |. DD5D F0        |FSTP QWORD PTR SS:[EBP-10]  //store, and pop the stack once
00487DDA |. 9B             |WAIT
00487DDB |. 40             |INC EAX  //counter plus 1
00487DDC |. 4A             |DEC EDX
00487DDD |.^75 D2          \JNZ SHORT LeapFTP.00487DB1  //loop according to the number of ASCII characters in the name

The name I entered: henhao
h 68*1*10-68*1+(1+1*4)=61D
e 65*2*10-65*2+(2+2*4)=BE0
n 6E*3*10-6E*3+(3+3*4)=1365
h 68*4*10-68*4+(4+4*4)=1874
a 61*5*10-65*5+(5+5*4)=1c84
o 6F*6*10-6F*6+(6+6*4)=2724
+ --------------------------------
=817E, converted to decimal = 33150
====================================================================
00487DDF |> 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]  //fetch the value for eax: 214065 (a BIOS-like serial group)
00487DE2 |. E8 BD0FF8FF    CALL LeapFTP.00408DA4  //convert to hexadecimal
00487DE7 |. 8945 E8        MOV DWORD PTR SS:[EBP-18],EAX  //sent to eax
00487DEA |. DB45 E8        FILD DWORD PTR SS:[EBP-18]  //load
00487DED |. DD45 F0        FLD QWORD PTR SS:[EBP-10]  //load the result of the loop above (33150)
00487DF0 |. DC4D F0        FMUL QWORD PTR SS:[EBP-10]  //[EBP-10]*[EBP-10], that is 33150*33150
00487DF3 |. DEC1           FADDP ST(1),ST  //st(0)+st(1)
00487DF5 |. DD5D F0        FSTP QWORD PTR SS:[EBP-10]  //store, then pop the stack once more

The calculation here:
33150*33150+214065=1099136565
====================================================================
00487DF8 |. 9B             WAIT
00487DF9 |. DD45 F0        FLD QWORD PTR SS:[EBP-10]
00487DFC |. 83C4 F4        ADD ESP,-0C
00487DFF |. DB3C24         FSTP TBYTE PTR SS:[ESP]  ; |
00487E02 |. 9B             WAIT  ; |
00487E03 |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]  ; |
00487E06 |. E8 C51EF8FF    CALL LeapFTP.00409CD0  ; \LeapFTP.00409CD0
00487E0B |. 8D45 E0        LEA EAX,DWORD PTR SS:[EBP-20]
00487E0E |. 50             PUSH EAX
00487E0F |. 8B55 F8        MOV EDX,DWORD PTR SS:[EBP-8]
00487E12 |. B8 D47E4800    MOV EAX,LeapFTP.00487ED4
00487E17 |. E8 44C4F7FF    CALL LeapFTP.00404260  //here the serial is processed into the form 214065-XXXXXXXXXXXX
00487E1C |. 8BC8           MOV ECX,EAX
00487E1E |. 49             DEC ECX
00487E1F |. BA 01000000    MOV EDX,1
00487E24 |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
00487E27 |. E8 50C3F7FF    CALL LeapFTP.0040417C
00487E2C |. 8B45 E0        MOV EAX,DWORD PTR SS:[EBP-20]
00487E2F |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
00487E32 |. E8 4DC2F7FF    CALL LeapFTP.00404084
00487E37 |. 75 48          JNZ SHORT LeapFTP.00487E81
00487E39 |. 8D45 DC        LEA EAX,DWORD PTR SS:[EBP-24]
00487E3C |. 50             PUSH EAX
00487E3D |. 8B55 F8        MOV EDX,DWORD PTR SS:[EBP-8]
00487E40 |. B8 D47E4800    MOV EAX,LeapFTP.00487ED4
00487E45 |. E8 16C4F7FF    CALL LeapFTP.00404260
00487E4A |. 50             PUSH EAX
00487E4B |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
00487E4E |. E8 21C1F7FF    CALL LeapFTP.00403F74
00487E53 |. 5A             POP EDX
00487E54 |. 2BC2           SUB EAX,EDX
00487E56 |. 50             PUSH EAX
00487E57 |. 8B55 F8        MOV EDX,DWORD PTR SS:[EBP-8]
00487E5A |. B8 D47E4800    MOV EAX,LeapFTP.00487ED4
00487E5F |. E8 FCC3F7FF    CALL LeapFTP.00404260
00487E64 |. 8BD0           MOV EDX,EAX
00487E66 |. 42             INC EDX
00487E67 |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
00487E6A |. 59             POP ECX
00487E6B |. E8 0CC3F7FF    CALL LeapFTP.0040417C
00487E70 |. 8B45 DC        MOV EAX,DWORD PTR SS:[EBP-24]
00487E73 |. 8B55 EC        MOV EDX,DWORD PTR SS:[EBP-14]
00487E76 |. E8 09C2F7FF    CALL LeapFTP.00404084
00487E7B |. 75 04          JNZ SHORT LeapFTP.00487E81
00487E7D |. B3 01          MOV BL,1
00487E7F |. EB 02          JMP SHORT LeapFTP.00487E83
00487E81 |> 33DB           XOR EBX,EBX
00487E83 |> 33C0           XOR EAX,EAX
00487E85 |. 5A             POP EDX
00487E86 |. 59             POP ECX
00487E87 |. 59             POP ECX
00487E88 |. 64:8910        MOV DWORD PTR FS:[EAX],EDX
00487E8B |. 68 C27E4800    PUSH LeapFTP.00487EC2
00487E90 |> 8D45 DC        LEA EAX,DWORD PTR SS:[EBP-24]
00487E93 |. BA 02000000    MOV EDX,2
00487E98 |. E8 7BBEF7FF    CALL LeapFTP.00403D18
00487E9D |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
00487EA0 |. E8 4FBEF7FF    CALL LeapFTP.00403CF4
00487EA5 |. 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]
00487EA8 |. BA 02000000    MOV EDX,2
00487EAD |. E8 66BEF7FF    CALL LeapFTP.00403D18
00487EB2 |. 8D45 08        LEA EAX,DWORD PTR SS:[EBP+8]
00487EB5 |. E8 3ABEF7FF    CALL LeapFTP.00403CF4
00487EBA \. C3             RETN
00487EBB .^E9 CCB8F7FF     JMP LeapFTP.0040378C
00487EC0 .^EB CE           JMP SHORT LeapFTP.00487E90
00487EC2 . 8BC3            MOV EAX,EBX
00487EC4 . 5B              POP EBX
00487EC5 . 8BE5            MOV ESP,EBP
00487EC7 . 5D              POP EBP
00487EC8 . C2 0400         RETN 4  //return
---------------------------------------------------------------------
From the name I entered, henhao, the calculation gives my serial: 214065-1099136565
---------------------------------------------------------------------
[Where the registration info is stored]:
HKEY_CURRENT_USER\Software\LeapWare\Registry\LeapFTP
UserKey 214065-1099136565
UserName henhao
Delete this and you can register again!
----------------------------------------------------------------------
I would like to learn how to make keygens. Could some teacher show me how to make a keygen for this with keymake? Thanks!!!
This is the first cracking write-up I have written; corrections are welcome!!!
----------------------------------------------------------------------
好好學習 2003.05.09