TurboLaunch 5.1.2 汉化版 追码!练习用!TurboLaunch 5.1.2 汉化版 追码!
程序:百度上面直接找的TurboLaunch 5.1.2 汉化版
使用工具:PEID,OD
调试系统:XP
先PEID查壳(其实一般汉化过后的东西基本上都去掉了外壳,可以直接OD),我们先直接运行程序提示需要注册,如果输入错误的注册码会提示“输入的用户名与注册码不正确。你必须正确的输入注册确认信上的用户名与注册码。请重试。”
用OD载入
00541BE0 > $ 55 push ebp ; OllyDbg breaks here on load: the module entry point (listing is truncated by the author after 00541C00)
00541BE1 . 8BEC mov ebp, esp
00541BE3 . 83C4 F0 add esp, -10 ; 16 bytes of locals
00541BE6 . 53 push ebx ; ebx is preserved; it is used below as a global object pointer
00541BE7 . B8 C0155400 mov eax, 005415C0 ; constant passed in eax — the register-argument convention (eax, then edx) seen throughout this listing
00541BEC . E8 4F56ECFF call 00407240
00541BF1 . 8B1D 00795400 mov ebx, dword ptr [547900] ; TurboLau.00549DD8 — ebx = pointer loaded from a global
00541BF7 . 8B03 mov eax, dword ptr [ebx] ; eax = *ebx, passed as the eax argument
00541BF9 . E8 0A0CF9FF call 004D2808
00541BFE . 8B03 mov eax, dword ptr [ebx]
00541C00 . BA 481C5400 mov edx, 00541C48 ; ASCII "TurboLaunch" — second register argument of the call that follows (not shown)
用OD带的插件查找字符串(输入的用户名与注册码不正确。你必须正确的输入注册确认信上的用户名与注册码。请重试。)可以找到
0052A2C0 |. BA D4A35200 mov edx, 0052A3D4 ; 输入的用户名与注册码不正确。你必须正确的输入注册确认信上的用户名与注册码。请重试。
向上回追:
0052A1E5 |. A1 1C7A5400 mov eax, dword ptr [547A1C] ; eax = **[547A1C]: the object whose string fields 0053B43C reads at +164/+168 (the name/code form)
0052A1EA |. 8B00 mov eax, dword ptr [eax]
0052A1EC |. E8 4B120100 call 0053B43C ; key CALL — step in. Returns al != 0 when the entered code matches the one derived from the name
0052A1F1 |. 84C0 test al, al
0052A1F3 |. 0F84 C0000000 je 0052A2B9 ; al == 0 -> 0052A2B9, just ahead of the failure-message load at 0052A2C0
0052A1F9 |. 33D2 xor edx, edx ; success path continues here (fragment; the enclosing routine starts and ends outside this listing)
0052A1FB |. 8B83 00030000 mov eax, dword ptr [ebx+300]
0053B43C /$ 8B90 68010000 mov edx, dword ptr [eax+168] ; edx = string field at +168: the entered code (it is what 00540C6C compares its derived string against, 00540DA2)
0053B442 |. 8B80 64010000 mov eax, dword ptr [eax+164] ; eax = string field at +164: the registration name (the only input to the derivation)
0053B448 |. E8 1F580000 call 00540C6C ; key routine — step in: derives the expected code from eax and compares it with edx
0053B44D \. C3 retn ; returns 00540C6C's result unchanged (caller tests al)
注意到右边已经有你的注册名和注册码了,继续
00540C6C /$ 55 push ebp ; ---- check_code(eax = name string, edx = entered code string) -> bl = 1 on match (see 00540DA7); continues past this listing ----
00540C6D |. 8BEC mov ebp, esp
00540C6F |. 83C4 9C add esp, -64 ; 0x64 bytes of locals: string temporaries at [ebp-64..-54], a 0x41-byte buffer at [ebp-4E], ch at [ebp-D], result at [ebp-C], args at [ebp-8]/[ebp-4]
00540C72 |. 53 push ebx ; ebx/esi/edi preserved. Roles: edi = position i, esi = inner pass count, ebx = table index / result flag
00540C73 |. 56 push esi
00540C74 |. 57 push edi
00540C75 |. 33C9 xor ecx, ecx
00540C77 |. 894D A0 mov dword ptr [ebp-60], ecx ; zero the string temporaries (presumably so the cleanup at 00540E46 can release them safely — not shown)
00540C7A |. 894D 9C mov dword ptr [ebp-64], ecx
00540C7D |. 894D A8 mov dword ptr [ebp-58], ecx
00540C80 |. 894D A4 mov dword ptr [ebp-5C], ecx
00540C83 |. 894D AC mov dword ptr [ebp-54], ecx
00540C86 |. 894D F4 mov dword ptr [ebp-C], ecx ; [ebp-C] = result string being built
00540C89 |. 8955 F8 mov dword ptr [ebp-8], edx ; [ebp-8] = entered code (edx arg) — what the derived string is compared against at 00540DA2
00540C8C |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = name (eax arg) — the only input to the derivation
00540C8F |. 8B45 FC mov eax, dword ptr [ebp-4]
00540C92 |. E8 3D44ECFF call 004050D4 ; called once per string argument; purpose not visible here (presumably reference-count bookkeeping)
00540C97 |. 8B45 F8 mov eax, dword ptr [ebp-8]
00540C9A |. E8 3544ECFF call 004050D4
00540C9F |. 33C0 xor eax, eax
00540CA1 |. 55 push ebp ; link a new record into the fs:[0] exception chain; 00540E46 is its handler/cleanup address (not shown)
00540CA2 |. 68 460E5400 push 00540E46
00540CA7 |. 64:FF30 push dword ptr fs:[eax]
00540CAA |. 64:8920 mov dword ptr fs:[eax], esp
00540CAD |. 8B45 FC mov eax, dword ptr [ebp-4]
00540CB0 |. E8 2F42ECFF call 00404EE4 ; 00404EE4(name): its result is used later as a divisor (00540D15) and a byte count (00540CE1), so it behaves as a string length
00540CB5 |. 85C0 test eax, eax
00540CB7 |. 74 0C je short 00540CC5 ; empty name -> fail
00540CB9 |. 8B45 F8 mov eax, dword ptr [ebp-8]
00540CBC |. E8 2342ECFF call 00404EE4
00540CC1 |. 85C0 test eax, eax
00540CC3 |. 75 07 jnz short 00540CCC ; both non-empty -> derive
00540CC5 |> 33DB xor ebx, ebx ; fail: bl = 0, skip to the epilogue at 00540E1E (not shown). This check is also what keeps the idiv at 00540D15 from dividing by zero
00540CC7 |. E9 52010000 jmp 00540E1E
00540CCC |> 8D45 B2 lea eax, dword ptr [ebp-4E] ; copy name into the 0x41-byte buffer at [ebp-4E] (matches the 0x40 limit passed below)
00540CCF |. 8B55 FC mov edx, dword ptr [ebp-4]
00540CD2 |. E8 B155F1FF call 00456288
00540CD7 |. 6A 00 push 0 ; 0053F9E0(eax = buffer, edx = 0x40, ecx = len(name), 0) — result goes to the global *[547B44]
00540CD9 |. 8B45 FC mov eax, dword ptr [ebp-4]
00540CDC |. E8 0342ECFF call 00404EE4
00540CE1 |. 8BC8 mov ecx, eax
00540CE3 |. 8D45 B2 lea eax, dword ptr [ebp-4E]
00540CE6 |. BA 40000000 mov edx, 40
00540CEB |. E8 F0ECFFFF call 0053F9E0
00540CF0 |. 8B15 447B5400 mov edx, dword ptr [547B44] ; TurboLau.00542008
00540CF6 |. 8902 mov dword ptr [edx], eax ; the global is not read again in this listing; it does not influence the code derived below
00540CF8 |. 8D45 F4 lea eax, dword ptr [ebp-C] ; result := '' (00404C24, presumably a string clear; the slot is already zero)
00540CFB |. E8 243FECFF call 00404C24
00540D00 |. BF 01000000 mov edi, 1 ; for i = 1 .. 18 (loop closes at 00540D96 when edi reaches 0x13)
00540D05 |> 8B45 FC /mov eax, dword ptr [ebp-4]
00540D08 |. E8 D741ECFF |call 00404EE4 ; ecx = len(name)
00540D0D |. 50 |push eax
00540D0E |. 8BC7 |mov eax, edi
00540D10 |. 48 |dec eax ; eax = i - 1
00540D11 |. 5A |pop edx
00540D12 |. 8BCA |mov ecx, edx
00540D14 |. 99 |cdq
00540D15 |. F7F9 |idiv ecx ; edx = (i - 1) mod len(name) — wraps around for names shorter than 18
00540D17 |. 8B45 FC |mov eax, dword ptr [ebp-4]
00540D1A |. 8A0410 |mov al, byte ptr [eax+edx] ; ch = name[(i - 1) mod len]
00540D1D |. 8845 F3 |mov byte ptr [ebp-D], al
00540D20 |. 33DB |xor ebx, ebx
00540D22 |. BE 13000000 |mov esi, 13 ; inner pass count = 19 - i (>= 1 for every i in 1..18, so the inner loop always runs)
00540D27 |. 2BF7 |sub esi, edi
00540D29 |. 85F6 |test esi, esi
00540D2B |. 7E 1C |jle short 00540D49
00540D2D |> B8 21000000 |/mov eax, 21 ; each pass: ebx = 004034E8(0x21) + 1 + (0xFF - ch)
00540D32 |. E8 B127ECFF ||call 004034E8
00540D37 |. 8BD8 ||mov ebx, eax ; NOTE: ebx is overwritten, not accumulated — only the last pass's return value survives. Earlier passes matter only if 004034E8 keeps state (0x21 = 33 is the alphabet size below, which looks like a ranged-random call; not verified here)
00540D39 |. 43 ||inc ebx
00540D3A |. 8A45 F3 ||mov al, byte ptr [ebp-D]
00540D3D |. 34 FF ||xor al, 0FF
00540D3F |. 25 FF000000 ||and eax, 0FF ; (0xFF - ch) as an unsigned byte
00540D44 |. 03D8 ||add ebx, eax
00540D46 |. 4E ||dec esi
00540D47 |.^ 75 E4 |\jnz short 00540D2D
00540D49 |> 83FB 21 |cmp ebx, 21 ; reduce: while ebx > 33: ebx -= 33. ebx >= 1 on entry, so the result is 1..33
00540D4C |. 7E 08 |jle short 00540D56
00540D4E |> 83EB 21 |/sub ebx, 21
00540D51 |. 83FB 21 ||cmp ebx, 21
00540D54 |.^ 7F F8 |\jg short 00540D4E
00540D56 |> 8D45 AC |lea eax, dword ptr [ebp-54]
00540D59 |. BA 600E5400 |mov edx, 00540E60 ; ASCII "GF2DSA38HJKL7M4NZXCV5BY9UPT6R1EWQ40I1CP7Z7GOEPQLZ" — only its first 33 characters are reachable (ebx is 1..33)
00540D5E |. 8A541A FF |mov dl, byte ptr [edx+ebx-1] ; dl = table[ebx - 1] (1-based index)
00540D62 |. E8 A540ECFF |call 00404E0C ; [ebp-54] := one-character string dl
00540D67 |. 8B55 AC |mov edx, dword ptr [ebp-54]
00540D6A |. 8D45 F4 |lea eax, dword ptr [ebp-C]
00540D6D |. E8 7A41ECFF |call 00404EEC ; result += [ebp-54]
00540D72 |. 8BC7 |mov eax, edi
00540D74 |. B9 06000000 |mov ecx, 6
00540D79 |. 99 |cdq
00540D7A |. F7F9 |idiv ecx ; edx = i mod 6
00540D7C |. 85D2 |test edx, edx
00540D7E |. 75 12 |jnz short 00540D92 ; after positions 6 and 12 (i mod 6 == 0 and i < 18) append the string at 00540E9C
00540D80 |. 83FF 12 |cmp edi, 12
00540D83 |. 7D 0D |jge short 00540D92
00540D85 |. 8D45 F4 |lea eax, dword ptr [ebp-C]
00540D88 |. BA 9C0E5400 |mov edx, 00540E9C ; contents not shown in this listing; the final code has "-" at those two positions, so presumably "-"
00540D8D |. E8 5A41ECFF |call 00404EEC ; result += separator
00540D92 |> 47 |inc edi
00540D93 |. 83FF 13 |cmp edi, 13
00540D96 |.^ 0F85 69FFFFFF \jnz 00540D05 ; next i. Result: 18 table characters in three groups of six; the routine continues after the author's note below
上面这一段循环就是由注册名推算注册码的算法:对 i = 1..18,取 ch = 注册名[(i-1) mod 注册名长度];以 0x21 为参数调用 (19-i) 次 004034E8,用最后一次的返回值 + 1 + (0xFF - ch) 作 ebx,再反复减 33 折到 1..33;取字符表 "GF2DSA38HJKL7M4NZXCV5BY9UPT6R1EWQ40I1CP7Z7GOEPQLZ" 的第 ebx 个字符追加到结果;i 为 6、12 时再追加 00540E9C 处的分隔串(从最终结果看应为 "-")。注意:0053F9E0 的返回值只写进全局变量,不参与注册码的计算;004034E8 每次调用都会覆盖 ebx,所以前面几次调用只有在它内部保存状态(例如随机数种子)时才有意义。
00540D9C |. 8B45 F4 mov eax, dword ptr [ebp-C] ; the derived code is complete here (the author read it off the stack: see the dump below)
00540D9F |. 8B55 F8 mov edx, dword ptr [ebp-8] ; entered code
00540DA2 |. E8 8942ECFF call 00405030 ; compare derived vs. entered; the flags it leaves are captured by the next instruction
00540DA7 |. 0F94C3 sete bl ; bl = 1 on match — the routine's result (the caller tests al after 0053B43C returns; the move to al happens outside this listing)
00540DAA |. 84DB test bl, bl
00540DAC |. 75 50 jnz short 00540DFE ; match -> 00540DFE (not shown)
00540DAE |. 8D45 A4 lea eax, dword ptr [ebp-5C] ; mismatch path starts here; listing truncated by the author
00540DB1 |. 8D55 B2 lea edx, dword ptr [ebp-4E]
堆栈 ss:[0012F118]=00CCD1C8, (ASCII "PLBCBT-22P51B-141NTG")
eax=00000003
上面就是正确的注册码!
有兴趣的朋友可以分析一下算法!!我对这个不是很在行!!
老鸟请飞过!!爆破的办法我就不写了,自己实验吧!
最后:
注册名:zeknight
注册码:PLBCBT-22P51B-141NTG