Software protection overview: the software uses a registration-code scheme, but unusually the code is verified online rather than locally, so working out a valid registration code is clearly not feasible; the only option is patching (爆破).
First, check whether the software is packed (perhaps the author was so confident in the protection that no packer was used at all; compiled with VC).
Then go into the software and attempt one registration, entering:
NAME: powerboy
SN: 1234567890123456 (the software tells you the code must be 16 characters) and it gives plenty of hints.
Searching the registration-related string references is very helpful.
First, "注册失败" (registration failed) looks like a way in; let's look!
:00418226 E8C5820000 Call 004204F0
:0041822B 6A01 push 00000001
:0041822D 8D4E64 lea ecx, dword ptr [esi+64]
:00418230 5F pop edi
:00418231 50 push eax
:00418232 897DFC mov dword ptr [ebp-04], edi
* Reference To: MFC42.Ordinal:035A, Ord:035Ah
|
:00418235 E8D0800000 Call 0042030A
:0041823A 834DFCFF or dword ptr [ebp-04], FFFFFFFF
:0041823E 8D4DF0 lea ecx, dword ptr [ebp-10]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00418241 E80C7E0000 Call 00420052
:00418246 8BCE mov ecx, esi
:00418248 E840020000 call 0041848D----------->this is the key CALL (step into it and you will see shortly)
:0041824D 85C0 test eax, eax
:0041824F 752F jne 00418280------------>not jumping means failure, so what if it does jump!!!!
:00418251 50 push eax
:00418252 50 push eax
* Possible StringData Ref from Data Obj ->"注册失败"
|
:00418253 68201F4300 push 00431F20
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:00418258 E8CB800000 Call 00420328
:0041825D E9DA000000 jmp 0041833C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004181E9(C), :004181EE(C)
:00418262 6A00 push 00000000
:00418264 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"注册码类型错误"
|
:00418266 68101F4300 push 00431F10
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00418185(U), :00418196(U)
|
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:0041826B E8B8800000 Call 00420328
:00418270 8D8E14010000 lea ecx, dword ptr [esi+00000114]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418170(U)
|
* Reference To: MFC42.Ordinal:175D, Ord:175Dh
|
:00418276 E8ED7F0000 Call 00420268
:0041827B E9BC000000 jmp 0041833C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041824F(C)
|
:00418280 8BCE mov ecx, esi------------------------->we jumped here; look further down!
:00418282 E8E2060000 call 00418969
:00418287 85C0 test eax, eax
:00418289 0F84AD000000 je 0041833C
:0041828F 8BCE mov ecx, esi
:00418291 E884040000 call 0041871A
:00418296 85C0 test eax, eax
:00418298 0F849E000000 je 0041833C
:0041829E 89BBC8080000 mov dword ptr [ebx+000008C8], edi
:004182A4 8DBEA4020000 lea edi, dword ptr [esi+000002A4]
:004182AA 57 push edi
:004182AB 8D45F0 lea eax, dword ptr [ebp-10]
* Possible StringData Ref from Data Obj ->"***** - " the software's name!
|
:004182AE 68CC104300 push 004310CC
:004182B3 50 push eax
* Reference To: MFC42.Ordinal:039E, Ord:039Eh
|
:004182B4 E857800000 Call 00420310
:004182B9 FF30 push dword ptr [eax]
:004182BB 8BCB mov ecx, ebx
:004182BD C745FC02000000 mov [ebp-04], 00000002
* Reference To: MFC42.Ordinal:1837, Ord:1837h
|
:004182C4 E8B77F0000 Call 00420280
:004182C9 834DFCFF or dword ptr [ebp-04], FFFFFFFF
:004182CD 8D4DF0 lea ecx, dword ptr [ebp-10]
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004182D0 E87D7D0000 Call 00420052
* Possible Reference to Dialog: DialogID_0092, CONTROL_ID:03E9, ""
|
:004182D5 68E9030000 push 000003E9
:004182DA FF7320 push [ebx+20]
* Reference To: USER32.KillTimer, Ord:0195h
|
:004182DD FF1520584200 Call dword ptr [00425820]
:004182E3 57 push edi
:004182E4 8D45E4 lea eax, dword ptr [ebp-1C]
* Possible StringData Ref from Data Obj ->"恭喜你 "--------------------->see this? "Congratulations": the software says it for you ^_^
|
==========================================================================
Step into the key CALL above........
* Referenced by a CALL at Address:
|:00418248
|
:0041848D B87C3D4200 mov eax, 00423D7C
* Reference To: MSVCRT._EH_prolog, Ord:0042h
|
:00418492 E8A9820000 Call 00420740
:00418497 81EC80000000 sub esp, 00000080
:0041849D 53 push ebx
:0041849E 56 push esi
:0041849F 57 push edi
:004184A0 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"用户注册通知"
|
:004184A2 6828224300 push 00432228
:004184A7 8BD9 mov ebx, ecx
* Possible StringData Ref from Data Obj ->"亲爱的用户! 3.0以上版本必须进行网上激活,
请稍"
->"等片刻既可完成整个注册验证过程."
|
:004184A9 68D8214300 push 004321D8
* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:004184AE E8AF7D0000 Call 00420262
:004184B3 E8B29FFEFF call 0040246A
:004184B8 8BF8 mov edi, eax
* Possible StringData Ref from Data Obj ->"\"
|
:004184BA 6844014300 push 00430144
:004184BF 8D87D43A0000 lea eax, dword ptr [edi+00003AD4]
:004184C5 50 push eax
:004184C6 8D45E0 lea eax, dword ptr [ebp-20]
:004184C9 50 push eax
* Reference To: MFC42.Ordinal:039C, Ord:039Ch
|
:004184CA E82F7E0000 Call 004202FE
:004184CF 8365FC00 and dword ptr [ebp-04], 00000000
:004184D3 8D4B60 lea ecx, dword ptr [ebx+60]
:004184D6 51 push ecx
:004184D7 50 push eax
:004184D8 8D45E4 lea eax, dword ptr [ebp-1C]
:004184DB 50 push eax
* Reference To: MFC42.Ordinal:039A, Ord:039Ah
|
:004184DC E8177E0000 Call 004202F8
* Possible StringData Ref from Data Obj ->".dat"
|
:004184E1 BED0214300 mov esi, 004321D0
:004184E6 C645FC01 mov [ebp-04], 01
:004184EA 56 push esi
:004184EB 50 push eax
:004184EC 8D45EC lea eax, dword ptr [ebp-14]
:004184EF 50 push eax
* Reference To: MFC42.Ordinal:039C, Ord:039Ch
|
:004184F0 E8097E0000 Call 004202FE
:004184F5 8D4DE4 lea ecx, dword ptr [ebp-1C]
:004184F8 C645FC04 mov [ebp-04], 04
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:004184FC E8517B0000 Call 00420052
:00418501 8D4DE0 lea ecx, dword ptr [ebp-20]
:00418504 C645FC03 mov [ebp-04], 03
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00418508 E8457B0000 Call 00420052
:0041850D 8D4360 lea eax, dword ptr [ebx+60]
:00418510 50 push eax
:00418511 8D45DC lea eax, dword ptr [ebp-24]
* Possible StringData Ref from Data Obj ->"http://www.wjmshome.com/register/" see that? it goes online to verify!
|
:00418514 68AC214300 push 004321AC
:00418519 50 push eax
* Reference To: MFC42.Ordinal:039E, Ord:039Eh
|
:0041851A E8F17D0000 Call 00420310
:0041851F 56 push esi
:00418520 50 push eax
:00418521 8D45E8 lea eax, dword ptr [ebp-18]
:00418524 C645FC05 mov [ebp-04], 05
:00418528 50 push eax
* Reference To: MFC42.Ordinal:039C, Ord:039Ch
|
:00418529 E8D07D0000 Call 004202FE
:0041852E 8D4DDC lea ecx, dword ptr [ebp-24]
:00418531 C645FC07 mov [ebp-04], 07
* Reference To: MFC42.Ordinal:0320, Ord:0320h
|
:00418535 E8187B0000 Call 00420052
:0041853A 8BCF mov ecx, edi
:0041853C E89D27FFFF call 0040ACDE
:00418541 51 push ecx
:00418542 8D45EC lea eax, dword ptr [ebp-14]
:00418545 8BCC mov ecx, esp
:00418547 8965D8 mov dword ptr [ebp-28], esp
:0041854A 50 push eax
* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:0041854B E81E7D0000 Call 0042026E
:00418550 51 push ecx
:00418551 8D45E8 lea eax, dword ptr [ebp-18]
:00418554 8BCC mov ecx, esp
:00418556 8965D4 mov dword ptr [ebp-2C], esp
:00418559 50 push eax
:0041855A C645FC08 mov [ebp-04], 08
* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:0041855E E80B7D0000 Call 0042026E
:00418563 8BCF mov ecx, edi
:00418565 C645FC07 mov [ebp-04], 07
:00418569 E8E025FFFF call 0040AB4E
:0041856E 33F6 xor esi, esi
:00418570 3BC6 cmp eax, esi
:00418572 7511 jne 00418585
:00418574 56 push esi
:00418575 56 push esi
* Possible StringData Ref from Data Obj ->"无法接入Internet注册数据,请与开发商联系"
|
:00418576 6880214300 push 00432180
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:0041857B E8A87D0000 Call 00420328
:00418580 E93B010000 jmp 004186C0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418572(C)
|
:00418585 8D4DC4 lea ecx, dword ptr [ebp-3C]
* Reference To: MFC42.Ordinal:0162, Ord:0162h
|
:00418588 E8417D0000 Call 004202CE
:0041858D 56 push esi
:0041858E 6800800000 push 00008000
:00418593 FF75EC push [ebp-14]
:00418596 8D4DC4 lea ecx, dword ptr [ebp-3C]
:00418599 C645FC09 mov [ebp-04], 09
* Reference To: MFC42.Ordinal:1442, Ord:1442h
|
:0041859D E81A7D0000 Call 004202BC
:004185A2 85C0 test eax, eax
:004185A4 7511 jne 004185B7
:004185A6 56 push esi
:004185A7 56 push esi
* Possible StringData Ref from Data Obj ->"无法读取已经下载的Internet注册数据"
|
:004185A8 685C214300 push 0043215C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00418639(U), :00418693(U)
|
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:004185AD E8767D0000 Call 00420328
:004185B2 E9FD000000 jmp 004186B4
See that? After the registration code is entered it is not compared locally but online. What now? Let's try a different approach: since the comparison happens online, how does the program learn whether the result was correct? There must be a flag! Let's look for it.
The comparison is online, so a wrong code must produce an error message; search the string references for anything about the registration code. Ha!!!!!!!
See below:
==================================================================================
:0041867F E8CE790000 Call 00420052
:00418684 807DF300 cmp byte ptr [ebp-0D], 00---------->jumps if zero; it must jump
:00418688 740E je 00418698
:0041868A 33F6 xor esi, esi
:0041868C 56 push esi
:0041868D 56 push esi
* Possible StringData Ref from Data Obj ->"注册码输入错误"
|
:0041868E 6828214300 push 00432128
:00418693 E915FFFFFF jmp 004185AD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418688(C)
|
:00418698 807DC201 cmp byte ptr [ebp-3E], 01---------->if the returned value is 1, the code is correct
:0041869C 754B jne 004186E9----------------------->jumps if not equal
:0041869E 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"感谢您的注册"
|
:004186A0 6818214300 push 00432118
* Possible StringData Ref from Data Obj ->"你已是*******的正式注册用户并可免费注册以后的"
->"所有版本,
如果公开注册码将会被取消注册用户资?
->"?"
|
:004186A5 68B8204300 push 004320B8
==================================================================================
At this point we know what the key CALL should return and where it returns it, so patch it! What are you waiting for?
After patching you will find that the software is already registered when it restarts; there is no re-verification on restart. It seems the author was very confident in this registration-code protection scheme!
The registration name and a transformed value of the registration code are stored in the registry:
I don't know much about cryptography, but since the software is an RSA file-encryption tool, I guess this transform is RSA (not verified).
The registration code has no relationship to the user name, but the code we entered, saved in JIM.DAT, is related to the transformed value saved in the registry!
HKEY_CURRENT_USER\Software\文件密使\Register
RegisterName="powerboy"
RegisterCodeSanLieZhi=fc 01 c9 5b eb f6 14 68 5e b0 70 82 5b 77 4b 56
The registration code is saved in JIM.DAT; look at the bottom of that file and you will see the code we entered.
That makes it clear: after a successful registration, the software merely compares the code in JIM.DAT with the transformed code in the registry.
So the code is independent of the user name, and "successful registration" just means the transformed copy of the code we entered is saved in the registry.
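To make the weakness of that stored-state check concrete, here is an added model (not the software's own code): the code in JIM.DAT and the transformed value in the registry are both derived from the user's own input, so the startup comparison verifies nothing that originates with the vendor. The transform itself is unknown (the author guesses RSA); SHA-256 is an assumed stand-in, and the audit function is a constructed defender's check of which stored fields the comparison actually depends on.

```python
import hashlib


def transform(code: str) -> bytes:
    """Assumed stand-in for the software's unknown transform (page guesses RSA);
    only a deterministic mapping of the code is needed for the model."""
    return hashlib.sha256(code.encode("utf-8")).digest()[:16]


def register(name: str, code: str) -> dict:
    """Client-side state the software persists once registration 'succeeds':
    the typed code in JIM.DAT, the name and the transformed code in the registry."""
    if len(code) != 16:
        raise ValueError("registration code must be 16 characters")
    return {
        "JIM.DAT": code,
        "RegisterName": name,
        "RegisterCodeSanLieZhi": transform(code),
    }


def startup_check(state: dict) -> bool:
    """The comparison the page describes: JIM.DAT code vs. registry transform.
    RegisterName is never read, matching the observation that name and code are unrelated."""
    return transform(state["JIM.DAT"]) == state["RegisterCodeSanLieZhi"]


def audit_binding(state: dict) -> dict:
    """Defender's audit: perturb each stored field and report whether the check's
    outcome changes. Every field that matters here is user-writable state, so the
    check binds the licence to nothing outside the user's own machine."""
    base = startup_check(state)
    sensitivity = {}
    for field, value in state.items():
        changed = dict(state)
        changed[field] = b"\x00" * 16 if isinstance(value, bytes) else value + "x"
        sensitivity[field] = startup_check(changed) != base
    return sensitivity
```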