2004-01-10, 10:50 PM  #1
Honorary Member
A crack of a program that combines a registration code with a keyfile (mainland-developed software; identifying details withheld)
Cracking a certain domestic program
Software name: xxxxxx (identifying string withheld)

Cracking procedure:
1. Check with PEiD: the program is packed with ASPack 2.000 -> Alexey Solodovnikov. Unpacked easily with AspackDie V1.3E.
2. Load it into kWdsm for analysis.
3. Build a memory keygen with Keymake 1.73.

////////////////////////////////////////////////////////////////////////////////////////
:00583320 55                      push ebp
:00583321 8BEC                    mov ebp, esp
:00583323 33C9                    xor ecx, ecx
:00583325 51                      push ecx
:00583326 51                      push ecx
:00583327 51                      push ecx
:00583328 51                      push ecx
:00583329 51                      push ecx
:0058332A 53                      push ebx
:0058332B 56                      push esi
:0058332C 8BD8                    mov ebx, eax
:0058332E 33C0                    xor eax, eax
:00583330 55                      push ebp
:00583331 6880345800              push 00583480
:00583336 64FF30                  push dword ptr fs:[eax]
:00583339 648920                  mov dword ptr fs:[eax], esp
:0058333C 8D45F0                  lea eax, dword ptr [ebp-10]
:0058333F E8E44D0000              call 00588128
:00583344 8D45F0                  lea eax, dword ptr [ebp-10]
:00583347 BA98345800              mov edx, 00583498
:0058334C E8970DE8FF              call 004040E8
:00583351 8B4DF0                  mov ecx, dword ptr [ebp-10]
:00583354 B201                    mov dl, 01
:00583356 A19CB44700              mov eax, dword ptr [0047B49C]
:0058335B E88C82EFFF              call 0047B5EC
:00583360 A35C2C5A00              mov dword ptr [005A2C5C], eax
:00583365 68AC345800              push 005834AC
:0058336A 8D45FC                  lea eax, dword ptr [ebp-04]
:0058336D 50                      push eax
:0058336E B9BC345800              mov ecx, 005834BC
:00583373 BACC345800              mov edx, 005834CC
:00583378 A15C2C5A00              mov eax, dword ptr [005A2C5C]
:0058337D 8B30                    mov esi, dword ptr [eax]
:0058337F FF16                    call dword ptr [esi]
:00583381 68DC345800              push 005834DC
:00583386 8D45EC                  lea eax, dword ptr [ebp-14]
:00583389 50                      push eax
:0058338A B9BC345800              mov ecx, 005834BC
:0058338F BACC345800              mov edx, 005834CC
:00583394 A15C2C5A00              mov eax, dword ptr [005A2C5C]
:00583399 8B30                    mov esi, dword ptr [eax]
:0058339B FF16                    call dword ptr [esi]
:0058339D 8B45EC                  mov eax, dword ptr [ebp-14]
:005833A0 8D55F8                  lea edx, dword ptr [ebp-08]
:005833A3 E880500000              call 00588428
:005833A8 68E8345800              push 005834E8
:005833AD 8D45F4                  lea eax, dword ptr [ebp-0C]
:005833B0 50                      push eax
:005833B1 B9F8345800              mov ecx, 005834F8
:005833B6 BACC345800              mov edx, 005834CC
:005833BB A15C2C5A00              mov eax, dword ptr [005A2C5C]
:005833C0 8B30                    mov esi, dword ptr [eax]
:005833C2 FF16                    call dword ptr [esi]
:005833C4 8B45F8                  mov eax, dword ptr [ebp-08]
:005833C7 8B55F4                  mov edx, dword ptr [ebp-0C]
:005833CA E8210EE8FF              call 004041F0
:005833CF 7570                    jne 00583441
:005833D1 8B45FC                  mov eax, dword ptr [ebp-04]
:005833D4 E8CF430000              call 005877A8      // haha, checks whether the name is on the blacklist
:005833D9 84C0                    test al, al
:005833DB 7564                    jne 00583441
:005833DD E876400000              call 00587458      // checks whether a correct reg.dat exists
:005833E2 84C0                    test al, al
:005833E4 745B                    je 00583441
:005833E6 33D2                    xor edx, edx
:005833E8 8B83D4020000            mov eax, dword ptr [ebx+000002D4]
:005833EE 8B08                    mov ecx, dword ptr [eax]
:005833F0 FF515C                  call [ecx+5C]
:005833F3 33D2                    xor edx, edx
:005833F5 8B83EC020000            mov eax, dword ptr [ebx+000002EC]
:005833FB 8B08                    mov ecx, dword ptr [eax]
:005833FD FF515C                  call [ecx+5C]
:00583400 8B55FC                  mov edx, dword ptr [ebp-04]
:00583403 8B83E0020000            mov eax, dword ptr [ebx+000002E0]
:00583409 E89659EBFF              call 00438DA4
:0058340E 8B15B8FC5900            mov edx, dword ptr [0059FCB8]
:00583414 8B12                    mov edx, dword ptr [edx]
:00583416 8B83F0020000            mov eax, dword ptr [ebx+000002F0]
:0058341C E88359EBFF              call 00438DA4
:00583421 8B55F4                  mov edx, dword ptr [ebp-0C]
:00583424 8B83E4020000            mov eax, dword ptr [ebx+000002E4]
:0058342A E87559EBFF              call 00438DA4

* Possible StringData Ref from Code Obj ->"Registered!"
                                  |
:0058342F BA08355800              mov edx, 00583508
:00583434 8B83FC020000            mov eax, dword ptr [ebx+000002FC]
:0058343A E86559EBFF              call 00438DA4
:0058343F EB1A                    jmp 0058345B
////////////////////////////////////////////////////////////////////////////////////////
:0058357C 8D55F4                  lea edx, dword ptr [ebp-0C]
:0058357F 8B83E0020000            mov eax, dword ptr [ebx+000002E0]
:00583585 E8EA57EBFF              call 00438D74
:0058358A 8B45F4                  mov eax, dword ptr [ebp-0C]
:0058358D E816420000              call 005877A8      // haha, checks whether the name is on the blacklist
                                                     // "fish,fish[BCG],lllufh,yyq,TianXin,hsxy,fpx[CCG],hehacool,TangKaiYu[BCG],Edea[BCG],"
:00583592 84C0                    test al, al
:00583594 0F8530010000            jne 005836CA
:0058359A 8D55F0                  lea edx, dword ptr [ebp-10]
:0058359D 8B83E4020000            mov eax, dword ptr [ebx+000002E4]
:005835A3 E8CC57EBFF              call 00438D74
:005835A8 8B45F0                  mov eax, dword ptr [ebp-10]
:005835AB 50                      push eax
:005835AC 8D55E8                  lea edx, dword ptr [ebp-18]
:005835AF 8B83E0020000            mov eax, dword ptr [ebx+000002E0]
:005835B5 E8BA57EBFF              call 00438D74
:005835BA 8B45E8                  mov eax, dword ptr [ebp-18]
:005835BD 8D55EC                  lea edx, dword ptr [ebp-14]
:005835C0 E8634E0000              call 00588428
:005835C5 8B55EC                  mov edx, dword ptr [ebp-14]      // EDX = the real registration code
:005835C8 58                      pop eax
:005835C9 E8220CE8FF              call 004041F0                    // set the breakpoint here
:005835CE 0F85F6000000            jne 005836CA
:005835D4 8D45E4                  lea eax, dword ptr [ebp-1C]
:005835D7 E84C4B0000              call 00588128
:005835DC 8D45E4                  lea eax, dword ptr [ebp-1C]
////////////////////////////////////////////////////////////////////////////////////////
:005874F7 B9F0755800              mov ecx, 005875F0
:005874FC BACC755800              mov edx, 005875CC
:00587501 A1982C5A00              mov eax, dword ptr [005A2C98]
:00587506 8B18                    mov ebx, dword ptr [eax]
:00587508 FF13                    call dword ptr [ebx]
:0058750A 8D45E0                  lea eax, dword ptr [ebp-20]
:0058750D 8B4DF0                  mov ecx, dword ptr [ebp-10]
:00587510 8B55F8                  mov edx, dword ptr [ebp-08]
:00587513 E814CCE7FF              call 0040412C
:00587518 8B45E0                  mov eax, dword ptr [ebp-20]      // the registration name and code are concatenated here
:0058751B E8C0CBE7FF              call 004040E0
:00587520 8BD8                    mov ebx, eax
:00587522 8B45FC                  mov eax, dword ptr [ebp-04]
:00587525 E81A22E8FF              call 00409744                    // the concatenated name+code string is
:0058752A 84C0                    test al, al                      // compared with the contents of reg.dat
:0058752C 740A                    je 00587538
:0058752E 8B45FC                  mov eax, dword ptr [ebp-04]
////////////////////////////////////////////////////////////////////////////////////////

Registration only truly succeeds when the registration name and the obtained registration code are concatenated and stored as the contents of the text file reg.dat in the installation directory. (I used to think that a successful registration was enough, but after running for a while the program showed the unregistered version; that is the secret here. The algorithm analysis had already been done by someone else, but it did not mention how this registration file is produced, so it ultimately failed.)

reg.dat contents = username string + registration code string

Make a memory keygen with Keymake V1.73:
////////////////////////////////////////////////////////////////////////////////////////
Break address   Break count   Instruction   Length
005835C9        1             E8            5
Memory mode     Register      EDX
////////////////////////////////////////////////////////////////////////////////////////

Done.

lajiaolz