This post was last edited by FenR on 2011-12-28 20:36
Hello everyone, I'm Fenr. Today I bring you a serial-tracing tutorial for 易我数据恢复向导 (EaseUS Data Recovery Wizard) V2.1.0.
Let's get straight into it to save time.
Packer check: Microsoft Visual C++ 6.0
Load it in OD (OllyDbg). Don't bother searching for strings; they can't be found. Just run it and try to register. Message: 您输入的注册码与注册名不相匹配,请重新输入 (the registration code you entered does not match the registration name; please re-enter).
Press F12 to pause, then Alt+K to view the call stack.
调用堆栈: 主线程
地址 堆栈 函数过程 / 参数 调用来自 结构
0012EB50 779CEA56 ? user32.MessageBoxExA user32.779CEA51 0012EB4C
0012EB54 00010980 hOwner = 00010980 ('注册易我数据恢
0012EB58 006A9A50 Text = "您输入的注册码与注册名不相
0012EB5C 006A9AA0 Title = "错误"
0012EB60 00000010 Style = MB_OK|MB_ICONHAND|MB_APPLM
0012EB64 00000000 LanguageID = 0 (LANG_NEUTRAL)
0012EB6C 5F45C91C ? user32.MessageBoxA MFC42.5F45C916 0012EB68
0012EB70 00010980 hOwner = 00010980 ('注册易我数据恢
0012EB74 006A9A50 Text = "您输入的注册码与注册名不相
0012EB78 006A9AA0 Title = "错误"
0012EB7C 00000010 Style = MB_OK|MB_ICONHAND|MB_APPLM
0012EB84 0044154B ? <jmp.&MFC42.#4224> DRW.00441546    (right-click > Show call)
All of the above are key locations. If you were tracing in detail you could click into each one and analyze it; here we click into the last one and take a look.
00441546 |. E8 EBA50300 call <jmp.&MFC42.#4224>    we land here
0044154B |. C645 FC 00 mov byte ptr ss:[ebp-0x4],0x0
0044154F |. 8D4D F0 lea ecx,[local.4]
00441552 |. E8 13A20300 call <jmp.&MFC42.#800>
00441557 |. C745 FC FFFFF>mov [local.1],-0x1
0044155E |. 8D4D EC lea ecx,[local.5]
00441561 |. E8 04A20300 call <jmp.&MFC42.#800>
00441566 |. E9 A1000000 jmp DRW.0044160C
0044156B |> 68 F4EF0000 push 0xEFF4
00441570 |. 8D4D F0 lea ecx,[local.4]
00441573 |. E8 70A50300 call <jmp.&MFC42.#4160>
00441578 |. 68 62EF0000 push 0xEF62
0044157D |. 8D4D EC lea ecx,[local.5]
00441580 |. E8 63A50300 call <jmp.&MFC42.#4160>
Scroll up to find the start of the function, set a breakpoint there with F2, and run with F9.
004414B6 /. 55 push ebp    function start; F2 breakpoint, F9 run
004414B7 |. 8BEC mov ebp,esp
004414B9 |. 6A FF push -0x1
004414BB |. 68 37074800 push DRW.00480737 ; SE 处理程序安装
004414C0 |. 64:A1 0000000>mov eax,dword ptr fs:[0]
004414C6 |. 50 push eax
004414C7 |. 64:8925 00000>mov dword ptr fs:[0],esp
004414CE |. 83EC 20 sub esp,0x20
004414D1 |. 894D E0 mov [local.8],ecx
004414D4 |. 6A 01 push 0x1
004414D6 |. 8B4D E0 mov ecx,[local.8]
004414D9 |. E8 C2A20300 call <jmp.&MFC42.#6334>
004414DE |. 8D4D EC lea ecx,[local.5]
004414E1 |. E8 9CA20300 call <jmp.&MFC42.#540>
004414E6 |. C745 FC 00000>mov [local.1],0x0
Try registering again so the breakpoint triggers, then step through with F8 and see.
0044150C |. E8 7F4B0300 call DRW.00476090    key call, F7 to step into
00441511 |. 85C0 test eax,eax
00441513 |. 75 56 jnz XDRW.0044156B    key jump
-- ---------------------
0012EB80 006A99B0 ASCII "11111-11111-11111-11111-11111"    our fake code appears
004760A5 |. E8 57F7FFFF call DRW.00475801    F7 to step into
00475801 /$ 55 push ebp    after stepping into the call with F7 we arrive here
00475802 |. 8BEC mov ebp,esp
00475804 |. 81EC AC0A0000 sub esp,0xAAC
0047580A |. C785 78FBFFFF>mov [local.290],0x950B4B61
00475814 |. 66:C785 7CFBF>mov word ptr ss:[ebp-0x484],0xFA41
0047581D |. 66:C785 7EFBF>mov word ptr ss:[ebp-0x482],0x4DC2
00475826 |. C685 80FBFFFF>mov byte ptr ss:[ebp-0x480],0xAD
0047582D |. C685 81FBFFFF>mov byte ptr ss:[ebp-0x47F],0x7E
00475834 |. C685 82FBFFFF>mov byte ptr ss:[ebp-0x47E],0x63
0047583B |. C685 83FBFFFF>mov byte ptr ss:[ebp-0x47D],0xCF
00475842 |. C685 84FBFFFF>mov byte ptr ss:[ebp-0x47C],0x62
00475849 |. C685 85FBFFFF>mov byte ptr ss:[ebp-0x47B],0x11
00475850 |. C685 86FBFFFF>mov byte ptr ss:[ebp-0x47A],0xB2
00475857 |. C685 87FBFFFF>mov byte ptr ss:[ebp-0x479],0x11
0047585E |. C785 88FBFFFF>mov [local.286],0x90E7EED0
00475868 |. 66:C785 8CFBF>mov word ptr ss:[ebp-0x474],0x3005
00475871 |. 66:C785 8EFBF>mov word ptr ss:[ebp-0x472],0x4A09
0047587A |. C685 90FBFFFF>mov byte ptr ss:[ebp-0x470],0x9D
Heh, look familiar? This is the algorithm's computation, which produces the correct registration code. Step over it with F8.
00475A5C |. 837D 0C 00 cmp [arg.2],0x0    the fake code appears in the stack
00475A6C |. 50 push eax ; /s = "吾爱破解论坛"
00475A6D |. E8 F0660000 call <jmp.&MSVCRT.strlen> ; \strlen
The registration name shows up.
00475B1F |.^\EB AE \jmp XDRW.00475ACF
00475B21 |> 68 00020000 push 0x200 ; /n = 200 (512.)
The upward jump goes to the failure branch, so we set a breakpoint on the next line and run to it.
00475CA4 |> \8D85 54F7FFFF lea eax,[local.555]
00475CAA |. 50 push eax ; /s
There it is.
堆栈地址=0012E2C8, (ASCII "11111011-440a8cad-51c5603e-99d0db15-cd6d05fd-")
eax=00000004
跳转来自 00475C67
The real registration code has been traced. Let's copy it and try registering.
Registration License:11111011-440A8CAD-51C5603E-99D0DB15-CD6D05FD
The register button is gone; registration succeeded.
That's the end of the tutorial. I hope it gives you some ideas after reading. Bye.
吾爱破解论坛 (52pojie) - Fenr
Cracking tutorial, posted in the video section - thread URL: http://www.52pojie.cn/thread-126397-1-1.html