浪漫情书3.1破解手记--算法分析
作者:newlaos[CCG][DFCG]
软件名称:浪漫情书3.1
最新版本:未知
文件大小:883KB
软件授权:共享软件
使用平台:Win9x/Me/2000/XP
发布公司:http://go3.163.com/pyeditor/ http://pyeditor.k12.net.cn/
软件简介:“浪漫情书”的3.1版本。这一版本的“浪漫情书”中拥有许多方便快捷的功能,如:
1、快速的“自动写情书”功能;
2、强大的“拼音码查找情话”功能;
3、体贴的“情书精灵”功能;
4、多种风格的“Email情书功能”;
5、方便的“鼠标拖放式维护情话库”功能……
加密方式:ASPACK+注册码
功能限制:功能限制
PJ工具:TRW20001.23注册版,W32Dasm8.93黄金版,FI2.5
PJ日期:2003-04-17
作者newlaos申明:只是学习,请不用于商业用途或是将本文方法制作的注册机任意传播,造成后果,本人一概不负。
一、解决程序自校验代码部分:
1、用FI2.5查壳,发现加了ASPACK的壳,版本很老,用TRW2000进行手动脱壳,也可以用PE-scan3.31脱壳! 生成UNPACK.exe文件。可一运行程序就报被病毒感染后,退出! 说明此程序有自校验代码。先解决掉它。
2、用W32Dasm黄金修正版本进行静态反汇编,找到"文件读写错误,由于某些原因(例如:被病毒感染)
",双击来到下面代码段。
3、动态跟踪调试。请出国宝TRW2000,下断点BPX 004972E8(关键就在这,见下面动态代码分析)。这下好了,可以动态跟踪调试了。
.......
.......
:004972E8 E871E1F6FF call 0040545E
:004972ED A14C7B4A00 mov eax, dword ptr [004A7B4C]
:004972F2 C60000 mov byte ptr [eax], 00
:004972F5 BA01000000 mov edx, 00000001
:004972FA 8D85B4FEFFFF lea eax, dword ptr [ebp+FFFFFEB4]
:00497300 E8C8E3F6FF call 004056CD
:00497305 E89AB4F6FF call 004027A4
:0049730A 8D85B4FEFFFF lea eax, dword ptr [ebp+FFFFFEB4]
:00497310 E827E2F6FF call 0040553C
:00497315 E88AB4F6FF call 004027A4
:0049731A 3DD0050500 cmp eax, 000505D0 <===EAX为实际运行文件大小,505D0(329168)******改这一行了
:0049731F 7F17 jg 00497338 <===如果文件大于这个数就说明出错了,把上面一行改为1M就可了(因为脱壳后的文件,中有820KB)。
:00497321 8D85B4FEFFFF lea eax, dword ptr [ebp+FFFFFEB4]
:00497327 E810E2F6FF call 0040553C
:0049732C E873B4F6FF call 004027A4
:00497331 3D18FA0400 cmp eax, 0004FA18 <===EAX为实际运行文件大小,4FA18(326168)
:00497336 7D3D jge 00497375 <===如果文件小于这个数也出错。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049731F(C)
|
:00497338 8D85B0FEFFFF lea eax, dword ptr [ebp+FFFFFEB0]
:0049733E 8B8E98060000 mov ecx, dword ptr [esi+00000698]
* Possible StringData Ref from Code Obj ->"文件读写错误,由于某些原因(例如:被病毒感染)
"
->"改变了loveletter31.exe文件,为了保证您的电脑安"
->"
全,程式将会自动退出!
建议您访问下址重新下载"
->"“浪漫情书”软件:
"
|
:00497344 BAA4734900 mov edx, 004973A4
:00497349 E88EC9F6FF call 00403CDC
.......
.......
-------------------------------------------------------------------------------------------
二、解决软件注册部分注册全面分析:
1、用W32Dasm黄金修正版本进行静态反汇编,找到"注册成功!请重新启动浪漫情书……",双击来到下面代码段。
2、动态跟踪调试。请出国宝TRW2000,下断点BPX 00488FE5(往往断点设在关键跳转前面一些的地方)。
.......
.......
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00489017(C)
|
:00488FE5 8B45F4 mov eax, dword ptr [ebp-0C]
:00488FE8 8A4418FF mov al, byte ptr [eax+ebx-01]
:00488FEC 3C30 cmp al, 30
:00488FEE 7225 jb 00489015
:00488FF0 8B55F4 mov edx, dword ptr [ebp-0C]
:00488FF3 3C39 cmp al, 39
:00488FF5 771E ja 00489015
:00488FF7 8D45EC lea eax, dword ptr [ebp-14]
:00488FFA 50 push eax
:00488FFB B901000000 mov ecx, 00000001
:00489000 8BD3 mov edx, ebx
:00489002 8B45F4 mov eax, dword ptr [ebp-0C]
:00489005 E88AAEF7FF call 00403E94
:0048900A 8B55EC mov edx, dword ptr [ebp-14]
:0048900D 8D45F8 lea eax, dword ptr [ebp-08]
:00489010 E883ACF7FF call 00403C98
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00488FEE(C), :00488FF5(C)
|
:00489015 43 inc ebx
:00489016 4E dec esi
:00489017 75CC jne 00488FE5 <===向上跳的循环,主要功能是依次验证输入的注册码是不是全为数字
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488FE0(C)
|
:00489019 8D55F0 lea edx, dword ptr [ebp-10]
:0048901C 8B45FC mov eax, dword ptr [ebp-04]
:0048901F 8B80E0020000 mov eax, dword ptr [eax+000002E0]
:00489025 E8065CFAFF call 0042EC30
:0048902A 8B45F0 mov eax, dword ptr [ebp-10] <===EAX=newlaos
:0048902D 8D55EC lea edx, dword ptr [ebp-14]
:00489030 E83BFEFFFF call 00488E70 <===关键算法CALL了,F8跟进
:00489035 8B45EC mov eax, dword ptr [ebp-14] <===呵呵,真正的注册码
:00489038 8B55F8 mov edx, dword ptr [ebp-08] <===此处为假码78787878,在这可以用KEYMAKE制作内存注册机
:0048903B E860ADF7FF call 00403DA0 <===这里的CALL,主功是将EAX和EDX进行对比
:00489040 0F8556010000 jne 0048919C <===呵呵,关键跳转
* Possible StringData Ref from Code Obj ->"注册成功!请重新启动浪漫情书……"
|
:00489046 B834924800 mov eax, 00489234
:0048904B E8008AFCFF call 00451A50
:00489050 33C0 xor eax, eax
:00489052 55 push ebp
:00489053 682C914800 push 0048912C
:00489058 64FF30 push dword ptr fs:[eax]
:0048905B 648920 mov dword ptr fs:[eax], esp
:0048905E 8D55E8 lea edx, dword ptr [ebp-18]
:00489061 A1B47A4A00 mov eax, dword ptr [004A7AB4]
:00489066 8B00 mov eax, dword ptr [eax]
:00489068 E80F27FCFF call 0044B77C
.......
此处删除一段注册信息保存代码
.......
:00489190 E8BB88FCFF call 00451A50
:00489195 E8E2A3F7FF call 0040357C
:0048919A EB0A jmp 004891A6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00489040(C) <===从这里得知关键跳转在哪里!
|
* Possible StringData Ref from Code Obj ->"用户名或注册码有误!"
|
:0048919C B898924800 mov eax, 00489298
:004891A1 E8AA88FCFF call 00451A50
.......
.......
-----00489030 call 00488E70 关键算法CALL了,F8跟进,来到下列代码段------------------
:00488E70 55 push ebp
:00488E71 8BEC mov ebp, esp
:00488E73 83C4F8 add esp, FFFFFFF8
:00488E76 53 push ebx
:00488E77 56 push esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488E34(C)
|
:00488E78 57 push edi
:00488E79 33C9 xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488E0A(C)
|
:00488E7B 894DF8 mov dword ptr [ebp-08], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488E08(C)
|
:00488E7E 8BF2 mov esi, edx
:00488E80 8945FC mov dword ptr [ebp-04], eax
:00488E83 8B45FC mov eax, dword ptr [ebp-04]
:00488E86 E8B9AFF7FF call 00403E44
:00488E8B 33C0 xor eax, eax
:00488E8D 55 push ebp
:00488E8E 68118F4800 push 00488F11
:00488E93 64FF30 push dword ptr fs:[eax]
:00488E96 648920 mov dword ptr fs:[eax], esp
:00488E99 33DB xor ebx, ebx
:00488E9B 8D55F8 lea edx, dword ptr [ebp-08]
:00488E9E A1E4784A00 mov eax, dword ptr [004A78E4]
:00488EA3 8B00 mov eax, dword ptr [eax]
:00488EA5 E8D2D70000 call 0049667C
:00488EAA 8B55F8 mov edx, dword ptr [ebp-08] <===EDX=502713(机器码)
:00488EAD 8D45FC lea eax, dword ptr [ebp-04]
:00488EB0 8B4DFC mov ecx, dword ptr [ebp-04] <===ECX=newlaos
:00488EB3 E824AEF7FF call 00403CDC <===这个CALL的作用,将两者合为502713newlaos
:00488EB8 8B45FC mov eax, dword ptr [ebp-04]
:00488EBB E8D0ADF7FF call 00403C90 <===计算502713newlaos的长度为D(14位长)
:00488EC0 8BD0 mov edx, eax
:00488EC2 85D2 test edx, edx
:00488EC4 7C17 jl 00488EDD
:00488EC6 42 inc edx
:00488EC7 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488EDB(C)
|
:00488EC9 8B4DFC mov ecx, dword ptr [ebp-04]
:00488ECC 0FB64C01FF movzx ecx, byte ptr [ecx+eax-01]<===依次取出上面那个合串的字符的ASC值
:00488ED1 8D7803 lea edi, dword ptr [eax+03] <===EAX也是依次递增
:00488ED4 0FAFCF imul ecx, edi <===ASC值与EDI相乘
:00488ED7 03D9 add ebx, ecx <===将相乘的结果累加
:00488ED9 40 inc eax
:00488EDA 4A dec edx
:00488EDB 75EC jne 00488EC9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488EC4(C)
|
:00488EDD 8BC3 mov eax, ebx <===最后的总和为2E76
:00488EDF 99 cdq
:00488EE0 33C2 xor eax, edx
:00488EE2 2BC2 sub eax, edx
:00488EE4 69C0C9430000 imul eax, 000043C9 <===2E76与系统给定值相乘,EAX=C4D5CA6
:00488EEA 05BBEF9505 add eax, 0595EFBB <===再此值相加EAX=C4D5CA6+0595EFBB=11E34C61(将此值转为10进制,就是我们所要的注册码了XXXXXXXXX
:00488EEF 8BD6 mov edx, esi
:00488EF1 E80AF0F7FF call 00407F00
:00488EF6 33C0 xor eax, eax
:00488EF8 5A pop edx
:00488EF9 59 pop ecx
:00488EFA 59 pop ecx
:00488EFB 648910 mov dword ptr fs:[eax], edx
:00488EFE 68188F4800 push 00488F18
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00488F16(U)
|
:00488F03 8D45F8 lea eax, dword ptr [ebp-08]
:00488F06 BA02000000 mov edx, 00000002
:00488F0B E828ABF7FF call 00403A38
:00488F10 C3 ret
:00488F11 E9BEA5F7FF jmp 004034D4
:00488F16 EBEB jmp 00488F03
:00488F18 5F pop edi
:00488F19 5E pop esi
:00488F1A 5B pop ebx
:00488F1B 59 pop ecx
:00488F1C 59 pop ecx
:00488F1D 5D pop ebp
:00488F1E C3 ret
-----------------------------------------------------------------------
3、算法分析:---类型:f(机器码,注册名)=注册码---
a、将机器码合为一个字符串,依次取出每个字符的ASC码值乘以(它所在的位置+3),最后再把这些值加起来。
b、相加得到的总和,再乘以43C9,再加上0595EFBB,最后得出的结果转为10进制,就是注册码了。
4、用KEYMAKE 1.73制作内存注册机
一、选择F8 → 另类注册机!
程序名称:LoveLetter3.exe
添加数据:
中断地址:00489038
中断次数:1
第一字节:8B
指令长度:3
保存下列信息为注册码 → 内存方式 → 寄存器 → EAX
二、选择内存方式:内存方式 → EAX → 点生成,就有你乐的了!
5、--------------VB编译的注册机-----------------
Private Sub Command1_Click()
Dim i As Integer
Dim h As Integer
Dim nlen1 As Integer
Dim nlen2 As Integer
Dim nlen3 As Integer
Dim sumtmp As Long
Dim sam As Long
Dim str1 As String
Dim str2 As String
Dim str3 As String
Dim strtmp As String
str1 = Text1.Text
str2 = Text3.Text
str3 = str1 + str2
nlen1 = Len(str1)
nlen2 = Len(str2)
nlen3 = Len(str3)
If nlen1 <> 0 And nlen2 <> 0 Then
h = 1 '注册名为中文的判断
For i = 1 To nlen3
sumtmp = Asc(Mid(str3, i, 1))
If Abs(sumtmp) <> sumtmp Then
h = 2
Else
sam = sam + sumtmp * (i + 3)
End If
Next i
sam = sam * 17353 + 93712315
If h <> 2 Then
Text2.Text = sam
Else
h = MsgBox("请核对机器码和必须是英文的注册名", 0, "出错了")
End If
Else
h = MsgBox("你还没有输入机器码或注册名,请核对后重新输入", 0, "出错了!")
End If
End Sub
6、注册信息保存在文件"浪漫情书31\System\配置.ini":
[注册]
用户名=newlaos[CCG][DFCG]
注册码=XXXXXXXXX <===(为维护作者利益=>隐)
相关视频
相关阅读 Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么
热门文章 去除winrar注册框方法
最新文章
比特币病毒怎么破解 比去除winrar注册框方法
华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据
人气排行 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程
查看所有0条评论>>