[Article title]: Cracking a book-management program (suitable for beginners)
[Author]: willjhw
[Software]: 悠仕书架
[Packer]: none
[Language]: Borland C++
[Operating system]: Windows XP
[Software description]: 悠仕书架 is a product aimed at individual users who love reading; it lets users conveniently manage the books in their collection.
[Author's statement]: I was bored recently and a friend gave me a piece of software to play with. This is purely out of interest; I hope everyone still supports legitimate software. I'm a newbie and a lot of this analysis falls short, so I'd appreciate guidance from the experts.
---------------------------------------------------------------------------------------------------------------------------------
[Preface]: Cracking this software is not for commercial use; I just wanted to exercise my reverse-engineering skills.
[Detailed process]:
First, check for a packer. As the picture below shows, there is none, hehe…
Run the program: it demands registration and pops up a message box, so I set a breakpoint on MessageBoxA (bp MessageBoxA). It broke, and from there I located the key code. Here it is:
00415698 /. 55 push ebp
00415699 |. 8BEC mov ebp, esp
0041569B |. 83C4 98 add esp, -68
0041569E |. 53 push ebx
0041569F |. 56 push esi
004156A0 |. 57 push edi
004156A1 |. 8BD8 mov ebx, eax
004156A3 |. 8D75 9C lea esi, dword ptr [ebp-64]
004156A6 |. B8 D08D5D00 mov eax, 005D8DD0
004156AB |. E8 A4911900 call 005AE854
004156B0 |. 66:C746 10 08>mov word ptr [esi+10], 8
004156B6 |. 33D2 xor edx, edx
004156B8 |. 8955 FC mov dword ptr [ebp-4], edx
004156BB |. 8D55 FC lea edx, dword ptr [ebp-4]
004156BE |. FF46 1C inc dword ptr [esi+1C]
004156C1 |. 8B83 F4020000 mov eax, dword ptr [ebx+2F4]
004156C7 |. E8 94A21600 call 0057F960
004156CC |. 837D FC 00 cmp dword ptr [ebp-4], 0
004156D0 |. 74 08 je short 004156DA
004156D2 |. 8B4D FC mov ecx, dword ptr [ebp-4]
004156D5 |. 8B41 FC mov eax, dword ptr [ecx-4]
004156D8 |. EB 02 jmp short 004156DC
004156DA |> 33C0 xor eax, eax
004156DC |> 48 dec eax
004156DD |. 0F8C 8A000000 jl 0041576D
004156E3 |. 33D2 xor edx, edx
004156E5 |. 8955 F8 mov dword ptr [ebp-8], edx
004156E8 |. 8D55 F8 lea edx, dword ptr [ebp-8]
004156EB |. FF46 1C inc dword ptr [esi+1C]
004156EE |. 8B83 F8020000 mov eax, dword ptr [ebx+2F8]
004156F4 |. E8 67A21600 call 0057F960
004156F9 |. 837D F8 00 cmp dword ptr [ebp-8], 0
004156FD |. 74 08 je short 00415707
004156FF |. 8B4D F8 mov ecx, dword ptr [ebp-8]
00415702 |. 8B41 FC mov eax, dword ptr [ecx-4]
00415705 |. EB 02 jmp short 00415709
00415707 |> 33C0 xor eax, eax
00415709 |> 48 dec eax
0041570A |. 0F9CC2 setl dl
0041570D |. 83E2 01 and edx, 1
00415710 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00415713 |. 52 push edx ; /Arg1
00415714 |. BA 02000000 mov edx, 2 ; |
00415719 |. FF4E 1C dec dword ptr [esi+1C] ; |
0041571C |. E8 3B311A00 call 005B885C ; \usbsp.005B885C
00415721 |. 59 pop ecx
00415722 |. 85C9 test ecx, ecx
00415724 |. 75 47 jnz short 0041576D
00415726 |. 33C0 xor eax, eax
00415728 |. 8945 F4 mov dword ptr [ebp-C], eax
0041572B |. 8D55 F4 lea edx, dword ptr [ebp-C]
0041572E |. FF46 1C inc dword ptr [esi+1C]
00415731 |. 8B83 04030000 mov eax, dword ptr [ebx+304]
00415737 |. E8 24A21600 call 0057F960
0041573C |. 837D F4 00 cmp dword ptr [ebp-C], 0
00415740 |. 74 08 je short 0041574A
00415742 |. 8B55 F4 mov edx, dword ptr [ebp-C]
00415745 |. 8B4A FC mov ecx, dword ptr [edx-4]
00415748 |. EB 02 jmp short 0041574C
0041574A |> 33C9 xor ecx, ecx
0041574C |> 49 dec ecx
0041574D |. BA 02000000 mov edx, 2
00415752 |. 0F9CC0 setl al
00415755 |. 83E0 01 and eax, 1
00415758 |. 50 push eax ; /Arg1
00415759 |. 8D45 F4 lea eax, dword ptr [ebp-C] ; |
0041575C |. FF4E 1C dec dword ptr [esi+1C] ; |
0041575F |. E8 F8301A00 call 005B885C ; \usbsp.005B885C
00415764 |. 59 pop ecx
00415765 |. 85C9 test ecx, ecx
00415767 |. 75 04 jnz short 0041576D
00415769 |. 33C0 xor eax, eax
0041576B |. EB 05 jmp short 00415772
0041576D |> B8 01000000 mov eax, 1
00415772 |> 50 push eax ; /Arg1
00415773 |. FF4E 1C dec dword ptr [esi+1C] ; |
00415776 |. 8D45 FC lea eax, dword ptr [ebp-4] ; |
00415779 |. BA 02000000 mov edx, 2 ; |
0041577E |. E8 D9301A00 call 005B885C ; \usbsp.005B885C
00415783 |. 59 pop ecx
00415784 |. 84C9 test cl, cl
00415786 |. 74 1D je short 004157A5
00415788 |. A1 00035E00 mov eax, dword ptr [5E0300]
0041578D |. 6A 00 push 0
0041578F |. B9 E88B5D00 mov ecx, 005D8BE8
00415794 |. BA CE8B5D00 mov edx, 005D8BCE
00415799 |. 8B00 mov eax, dword ptr [eax]
0041579B |. E8 F42F1A00 call 005B8794
004157A0 |. E9 6A030000 jmp 00415B0F
004157A5 |> 66:C746 10 20>mov word ptr [esi+10], 20
004157AB |. 33D2 xor edx, edx
004157AD |. 8955 F0 mov dword ptr [ebp-10], edx
004157B0 |. 8D55 F0 lea edx, dword ptr [ebp-10]
004157B3 |. FF46 1C inc dword ptr [esi+1C]
004157B6 |. 8B83 F8020000 mov eax, dword ptr [ebx+2F8]
004157BC |. E8 9FA11600 call 0057F960
004157C1 |. 8D45 F0 lea eax, dword ptr [ebp-10]
004157C4 |. 8B00 mov eax, dword ptr [eax]
004157C6 |. E8 59821100 call 0052DA24
004157CB |. 8BF8 mov edi, eax
004157CD |. FF4E 1C dec dword ptr [esi+1C]
004157D0 |. 8D45 F0 lea eax, dword ptr [ebp-10]
004157D3 |. BA 02000000 mov edx, 2
004157D8 |. E8 7F301A00 call 005B885C
004157DD |. 66:C746 10 14>mov word ptr [esi+10], 14
004157E3 |. 66:C746 10 2C>mov word ptr [esi+10], 2C
004157E9 |. 33C9 xor ecx, ecx
004157EB |. 894D EC mov dword ptr [ebp-14], ecx
004157EE |. 8D55 EC lea edx, dword ptr [ebp-14]
004157F1 |. FF46 1C inc dword ptr [esi+1C]
004157F4 |. 8B83 04030000 mov eax, dword ptr [ebx+304]
004157FA |. E8 61A11600 call 0057F960
004157FF |. 8D45 EC lea eax, dword ptr [ebp-14]
00415802 |. 8B00 mov eax, dword ptr [eax]
00415804 |. E8 1B821100 call 0052DA24
00415809 |. 8945 98 mov dword ptr [ebp-68], eax
0041580C |. FF4E 1C dec dword ptr [esi+1C]
0041580F |. 8D45 EC lea eax, dword ptr [ebp-14]
00415812 |. BA 02000000 mov edx, 2
00415817 |. E8 40301A00 call 005B885C
0041581C |. 66:C746 10 14>mov word ptr [esi+10], 14
There is really nothing to say about the code above: it just checks whether the user name, the registration seed and the registration code are empty, and jumps away if any of them is. The key part is what follows.
00415822 |. B9 9F860100 mov ecx, 1869F
00415827 |. 2BCF sub ecx, edi
00415829 |. 8BC1 mov eax, ecx
0041582B |. 03C0 add eax, eax
0041582D |. 8D0480 lea eax, dword ptr [eax+eax*4]
00415830 |. 83C0 21 add eax, 21
00415833 |. 3B45 98 cmp eax, dword ptr [ebp-68]
00415836 |. 0F85 B5020000 jnz 00415AF1
The instruction above is the key jump; just change it to jz and registration succeeds. Okay, let's analyze this simple algorithm and then write a simple keygen.
00415822 |. B9 9F860100 mov ecx, 1869F ; ecx = 0x1869F
00415827 |. 2BCF sub ecx, edi ; ecx = ecx - edi (edi is the registration seed)
00415829 |. 8BC1 mov eax, ecx ; eax = ecx
0041582B |. 03C0 add eax, eax ; eax = eax + eax
0041582D |. 8D0480 lea eax, dword ptr [eax+eax*4] ; eax = eax + eax * 4
00415830 |. 83C0 21 add eax, 21 ; eax = eax + 0x21
00415833 |. 3B45 98 cmp eax, dword ptr [ebp-68] ; compare the entered registration code with the computed value
00415836 |. 0F85 B5020000 jnz 00415AF1 ; not equal: registration fails
Below is a simple keygen I wrote in C; the code is as follows:
#include <stdio.h>

/* Keygen for the algorithm recovered above:
 *   code = ((0x1869F - seed) * 2) * 5 + 0x21
 * The program only checks that the user name is non-empty;
 * it does not take part in the calculation, so it is read but unused. */
int main(void)
{
    char Name[100];
    int Code1, Code2, Temp;

    printf("请输入用户名:");                 /* prompt: enter the user name */
    if (scanf("%99s", Name) != 1)          /* bounded read so Name cannot overflow */
        return 1;
    printf("请输入注册种子:");               /* prompt: enter the registration seed */
    if (scanf("%d", &Code1) != 1)
        return 1;

    Temp = 0x1869f - Code1;                /* mov ecx, 1869F ; sub ecx, edi */
    Temp = Temp + Temp;                    /* add eax, eax */
    Temp = Temp + Temp * 4;                /* lea eax, [eax+eax*4] */
    Temp = Temp + 0x21;                    /* add eax, 21 */
    Code2 = Temp;

    printf("\n注册码是%d\n", Code2);        /* output: the registration code */
    return 0;
}
You can download the software yourselves; there are plenty of copies online, so I won't attach it and cost everyone their 吾爱破解 coins. Some parts of the analysis are still not thorough; I'll refine it later. Registered this way, the program can be used successfully.