Cracking a book-management program (suitable for beginners)
[Title]: Cracking a book-management program (suitable for beginners)
[Author]: willjhw
[Author e-mail]: 466684954@qq.com
[Software]: 悠仕书架
[Packer]: none
[Language]: Borland C++
[Tools]: 52pojie OllyDbg (吾爱破解OD), PEiD, VC6.0
[OS]: Windows XP
[Software description]: 悠仕书架 is a product aimed at individual users who love reading; it makes it easy to manage the books in one's collection.
[Author's statement]: I was bored recently and a friend gave me a program to play with. This is purely out of interest, and I hope everyone still supports legitimate software. I'm a newbie and much of the analysis is inadequate, so I ask the experts to correct me.
---------------------------------------------------------------------------------------------------------------------------------
[Preface]: Cracking this program is not for commercial use; I just want to exercise my reverse-engineering skills.
[Detailed process]: First, check for a packer. As the screenshot below shows, there is no packer, hehe...
Running the program, I found it asks for registration through a message box, so I set a breakpoint on MessageBoxA (bp MessageBoxA). It broke there, and from that I located the key code. Here is the code:

00415698/.55 push ebp
00415699|.8BEC mov ebp, esp
0041569B|.83C4 98 add esp, -68
0041569E|.53 push ebx
0041569F|.56 push esi
004156A0|.57 push edi
004156A1|.8BD8 mov ebx, eax
004156A3|.8D75 9C lea esi, dword ptr
004156A6|.B8 D08D5D00 mov eax, 005D8DD0
004156AB|.E8 A4911900 call 005AE854
004156B0|.66:C746 10 08>mov word ptr , 8
004156B6|.33D2 xor edx, edx
004156B8|.8955 FC mov dword ptr , edx
004156BB|.8D55 FC lea edx, dword ptr
004156BE|.FF46 1C inc dword ptr
004156C1|.8B83 F4020000 mov eax, dword ptr
004156C7|.E8 94A21600 call 0057F960
004156CC|.837D FC 00 cmp dword ptr , 0
004156D0|.74 08 je short 004156DA
004156D2|.8B4D FC mov ecx, dword ptr
004156D5|.8B41 FC mov eax, dword ptr
004156D8|.EB 02 jmp short 004156DC
004156DA|>33C0 xor eax, eax
004156DC|>48 dec eax
004156DD|.0F8C 8A000000 jl 0041576D
004156E3|.33D2 xor edx, edx
004156E5|.8955 F8 mov dword ptr , edx
004156E8|.8D55 F8 lea edx, dword ptr
004156EB|.FF46 1C inc dword ptr
004156EE|.8B83 F8020000 mov eax, dword ptr
004156F4|.E8 67A21600 call 0057F960
004156F9|.837D F8 00 cmp dword ptr , 0
004156FD|.74 08 je short 00415707
004156FF|.8B4D F8 mov ecx, dword ptr
00415702|.8B41 FC mov eax, dword ptr
00415705|.EB 02 jmp short 00415709
00415707|>33C0 xor eax, eax
00415709|>48 dec eax
0041570A|.0F9CC2 setl dl
0041570D|.83E2 01 and edx, 1
00415710|.8D45 F8 lea eax, dword ptr
00415713|.52 push edx ; /Arg1
00415714|.BA 02000000 mov edx, 2 ; |
00415719|.FF4E 1C dec dword ptr ; |
0041571C|.E8 3B311A00 call 005B885C ; \usbsp.005B885C
00415721|.59 pop ecx
00415722|.85C9 test ecx, ecx
00415724|.75 47 jnz short 0041576D
00415726|.33C0 xor eax, eax
00415728|.8945 F4 mov dword ptr , eax
0041572B|.8D55 F4 lea edx, dword ptr
0041572E|.FF46 1C inc dword ptr
00415731|.8B83 04030000 mov eax, dword ptr
00415737|.E8 24A21600 call 0057F960
0041573C|.837D F4 00 cmp dword ptr , 0
00415740|.74 08 je short 0041574A
00415742|.8B55 F4 mov edx, dword ptr
00415745|.8B4A FC mov ecx, dword ptr
00415748|.EB 02 jmp short 0041574C
0041574A|>33C9 xor ecx, ecx
0041574C|>49 dec ecx
0041574D|.BA 02000000 mov edx, 2
00415752|.0F9CC0 setl al
00415755|.83E0 01 and eax, 1
00415758|.50 push eax ; /Arg1
00415759|.8D45 F4 lea eax, dword ptr ; |
0041575C|.FF4E 1C dec dword ptr ; |
0041575F|.E8 F8301A00 call 005B885C ; \usbsp.005B885C
00415764|.59 pop ecx
00415765|.85C9 test ecx, ecx
00415767|.75 04 jnz short 0041576D
00415769|.33C0 xor eax, eax
0041576B|.EB 05 jmp short 00415772
0041576D|>B8 01000000 mov eax, 1
00415772|>50 push eax ; /Arg1
00415773|.FF4E 1C dec dword ptr ; |
00415776|.8D45 FC lea eax, dword ptr ; |
00415779|.BA 02000000 mov edx, 2 ; |
0041577E|.E8 D9301A00 call 005B885C ; \usbsp.005B885C
00415783|.59 pop ecx
00415784|.84C9 test cl, cl
00415786|.74 1D je short 004157A5
00415788|.A1 00035E00 mov eax, dword ptr
0041578D|.6A 00 push 0
0041578F|.B9 E88B5D00 mov ecx, 005D8BE8
00415794|.BA CE8B5D00 mov edx, 005D8BCE
00415799|.8B00 mov eax, dword ptr
0041579B|.E8 F42F1A00 call 005B8794
004157A0|.E9 6A030000 jmp 00415B0F
004157A5|>66:C746 10 20>mov word ptr , 20
004157AB|.33D2 xor edx, edx
004157AD|.8955 F0 mov dword ptr , edx
004157B0|.8D55 F0 lea edx, dword ptr
004157B3|.FF46 1C inc dword ptr
004157B6|.8B83 F8020000 mov eax, dword ptr
004157BC|.E8 9FA11600 call 0057F960
004157C1|.8D45 F0 lea eax, dword ptr
004157C4|.8B00 mov eax, dword ptr
004157C6|.E8 59821100 call 0052DA24
004157CB|.8BF8 mov edi, eax
004157CD|.FF4E 1C dec dword ptr
004157D0|.8D45 F0 lea eax, dword ptr
004157D3|.BA 02000000 mov edx, 2
004157D8|.E8 7F301A00 call 005B885C
004157DD|.66:C746 10 14>mov word ptr , 14
004157E3|.66:C746 10 2C>mov word ptr , 2C
004157E9|.33C9 xor ecx, ecx
004157EB|.894D EC mov dword ptr , ecx
004157EE|.8D55 EC lea edx, dword ptr
004157F1|.FF46 1C inc dword ptr
004157F4|.8B83 04030000 mov eax, dword ptr
004157FA|.E8 61A11600 call 0057F960
004157FF|.8D45 EC lea eax, dword ptr
00415802|.8B00 mov eax, dword ptr
00415804|.E8 1B821100 call 0052DA24
00415809|.8945 98 mov dword ptr , eax
0041580C|.FF4E 1C dec dword ptr
0041580F|.8D45 EC lea eax, dword ptr
00415812|.BA 02000000 mov edx, 2
00415817|.E8 40301A00 call 005B885C
0041581C|.66:C746 10 14>mov word ptr , 14
There is nothing much to say about the part above: it only checks whether the username, the registration seed and the registration code are empty, and jumps away if any of them is. The key part is below.

00415822|.B9 9F860100 mov ecx, 1869F
00415827|.2BCF sub ecx, edi
00415829|.8BC1 mov eax, ecx
0041582B|.03C0 add eax, eax
0041582D|.8D0480 lea eax, dword ptr
00415830|.83C0 21 add eax, 21
00415833|.3B45 98 cmp eax, dword ptr
00415836|.0F85 B5020000 jnz 00415AF1
The jnz above is the key jump; just change it to jz and registration succeeds. Now let's analyze this simple algorithm and then write a simple keygen.

00415822|.B9 9F860100 mov ecx, 1869F ; ecx = 0x1869F
00415827|.2BCF sub ecx, edi ; ecx = ecx - edi (edi is the registration seed)
00415829|.8BC1 mov eax, ecx ; eax = ecx
0041582B|.03C0 add eax, eax ; eax = eax + eax
0041582D|.8D0480 lea eax, dword ptr ; eax = eax + eax * 4
00415830|.83C0 21 add eax, 21 ; eax = eax + 0x21
00415833|.3B45 98 cmp eax, dword ptr ; compares the entered registration code with the computed value
00415836|.0F85 B5020000 jnz 00415AF1
Below is a simple keygen I wrote in C:

#include <stdio.h>

int main(void)
{
    char Name[64];              /* username buffer (the original declared a single char, which scanf overflowed) */
    int Code1, Code2, Temp;

    printf("请输入用户名:");
    scanf("%63s", Name);        /* width limit keeps the read inside the buffer; the name is not used in the calculation */
    printf("请输入注册种子:");
    scanf("%d", &Code1);

    /* mirror the instruction sequence at 00415822 */
    Temp = 0x1869f - Code1;     /* mov ecx, 1869F ; sub ecx, edi */
    Temp = Temp + Temp;         /* add eax, eax */
    Temp = Temp + Temp * 4;     /* lea eax, [eax+eax*4] */
    Temp = Temp + 0x21;         /* add eax, 21 */
    Code2 = Temp;

    printf("\n注册码是%d\n", Code2);
    return 0;
}
As for the software, download it yourselves; it is all over the net. I won't attach it, to save everyone their 52pojie coins. Some places are still not analyzed properly; I'll refine it later. This is enough to register and use it successfully.

Reply: Good stuff, must support it; bookmarked for later.

Reply: How can you spot the key jump so quickly?

Reply to sewolf1207's post:
Because I tried it: if I change it and step through, registration succeeds; if I don't change it and step through, it fails. It is about the same as an ordinary CrackMe; what matters is the breakpoints and finding the right key code.

Reply to wjlan's post:
Thanks for the support.

Reply: Nice. For a practice program like this it would be better to give everyone a download link.

Reply to Hmily's post:
Thanks for thinking so highly of me, boss hmily.

Reply:
> willJ posted on 2011-11-27 18:25
> Reply to Hmily's post:
> Thanks for thinking so highly of me, boss hmily.
willJ, you're awesome; please provide a download.

Reply: To me this is digest-worthy.