这个软件早就升级到1.9了,且到1.9是免费的,贴这个破解过程似乎没有太大的意义了,但我想应该可以用来学习一下,也想在精华5在充个数。:)
破解者:HMILY[CCG]
软件名称:光盘卫士 v1.5
破解说明:这个软件是用aspack v2.00压缩的,脱壳后汇编找以下内容:
:0047212A E8C173FFFF call 004694F0 ->重点,跟进去
:0047212F 84C0 test al, al ->测试al=0吗?
:00472131 0F84BE000000 je 004721F5 ->相等则跳,跳就 game over
* Possible StringData Ref from Code Obj ->"user"
|
:00472137 6884224700 push 00472284
:0047213C 8D55F0 lea edx, dword ptr [ebp-10]
:0047213F 8B83E8020000 mov eax, dword ptr [ebx+000002E8]
:00472145 E87276FBFF call 004297BC
:0047214A 8B55F0 mov edx, dword ptr [ebp-10]
:0047214D 8D4DF4 lea ecx, dword ptr [ebp-0C]
:00472150 A14C984700 mov eax, dword ptr [0047984C]
:00472155 8B00 mov eax, dword ptr [eax]
:00472157 E820330000 call 0047547C
:0047215C 8B45F4 mov eax, dword ptr [ebp-0C]
:0047215F 50 push eax
:00472160 A14C984700 mov eax, dword ptr [0047984C]
:00472165 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"software\microsoft\windows\currentversion\syst"
->"em\Qu\cdsafe" ->向注册表中加入注册信息,用户名和
| 注册码都是加过密的,把sn删除又是未注册版
:00472167 B994224700 mov ecx, 00472294
:0047216C BA02000080 mov edx, 80000002
:00472171 E816300000 call 0047518C
:00472176 68D8224700 push 004722D8
:0047217B 8D55E8 lea edx, dword ptr [ebp-18]
:0047217E 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:00472184 E83376FBFF call 004297BC
:00472189 8B55E8 mov edx, dword ptr [ebp-18]
:0047218C 8D4DEC lea ecx, dword ptr [ebp-14]
:0047218F A14C984700 mov eax, dword ptr [0047984C]
:00472194 8B00 mov eax, dword ptr [eax]
:00472196 E8E1320000 call 0047547C
:0047219B 8B45EC mov eax, dword ptr [ebp-14]
:0047219E 50 push eax
:0047219F A14C984700 mov eax, dword ptr [0047984C]
:004721A4 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"software\microsoft\windows\currentversion\syst"
->"em\Qu\cdsafe"
|
:004721A6 B994224700 mov ecx, 00472294
:004721AB BA02000080 mov edx, 80000002
:004721B0 E8D72F0000 call 0047518C
:004721B5 A14C984700 mov eax, dword ptr [0047984C]
:004721BA 8B00 mov eax, dword ptr [eax]
:004721BC C7808C030000FFFFFFFF mov dword ptr [ebx+0000038C], FFFFFFFF
:004721C6 A174974700 mov eax, dword ptr [00479774]
:004721CB 8B00 mov eax, dword ptr [eax]
:004721CD 8B80D4020000 mov eax, dword ptr [eax+000002D4]
* Possible StringData Ref from Code Obj ->"感谢您的使用本软件"
|
:004721D3 BAE4224700 mov edx, 004722E4
:004721D8 E80F76FBFF call 004297EC
:004721DD A174974700 mov eax, dword ptr [00479774]
:004721E2 8B00 mov eax, dword ptr [eax]
:004721E4 8B10 mov edx, dword ptr [eax]
:004721E6 FF92D8000000 call dword ptr [edx+000000D8]
:004721EC 8BC3 mov eax, ebx
:004721EE E82D1FFDFF call 00444120
:004721F3 EB3D jmp 00472232
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00472131(C)
|
:004721F5 A174974700 mov eax, dword ptr [00479774]
:004721FA 8B00 mov eax, dword ptr [eax]
:004721FC 8B80E4020000 mov eax, dword ptr [eax+000002E4]
* Possible StringData Ref from Code Obj ->"错误"
|
:00472202 BA00234700 mov edx, 00472300
:00472207 E8E075FBFF call 004297EC
:0047220C A174974700 mov eax, dword ptr [00479774]
:00472211 8B00 mov eax, dword ptr [eax]
:00472213 8B80D4020000 mov eax, dword ptr [eax+000002D4]
* Possible StringData Ref from Code Obj ->"注册码不正确"
|
:00472219 BA10234700 mov edx, 00472310
:0047221E E8C975FBFF call 004297EC
:00472223 A174974700 mov eax, dword ptr [00479774]
:00472228 8B00 mov eax, dword ptr [eax]
:0047222A 8B10 mov edx, dword ptr [eax]
:0047222C FF92D8000000 call dword ptr [edx+000000D8]
=======================================================================
* Referenced by a CALL at Addresses:
|:0047212A , :00475A09
|
:004694F0 55 push ebp ->跟进上面那个call来到这里
:004694F1 8BEC mov ebp, esp ->暴力破解改这里558BEC->改为B001C3
:004694F3 83C4F8 add esp, FFFFFFF8
:004694F6 53 push ebx
:004694F7 56 push esi
:004694F8 33DB xor ebx, ebx
:004694FA 895DF8 mov dword ptr [ebp-08], ebx
:004694FD 894DFC mov dword ptr [ebp-04], ecx
:00469500 8BF2 mov esi, edx
:00469502 8BD8 mov ebx, eax
:00469504 8B45FC mov eax, dword ptr [ebp-04]
:00469507 E8D8A9F9FF call 00403EE4
:0046950C 8B4508 mov eax, dword ptr [ebp+08]
:0046950F E8D0A9F9FF call 00403EE4
:00469514 33C0 xor eax, eax
:00469516 55 push ebp
:00469517 6877954600 push 00469577
:0046951C 64FF30 push dword ptr fs:[eax]
:0046951F 648920 mov dword ptr fs:[eax], esp
:00469522 837DFC00 cmp dword ptr [ebp-04], 00000000
:00469526 7504 jne 0046952C
:00469528 33DB xor ebx, ebx
:0046952A EB28 jmp 00469554
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00469526(C)
|
:0046952C 85F6 test esi, esi
:0046952E 7504 jne 00469534
:00469530 33DB xor ebx, ebx
:00469532 EB20 jmp 00469554
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046952E(C)
|
:00469534 8D45F8 lea eax, dword ptr [ebp-08]
:00469537 50 push eax
:00469538 8B4DFC mov ecx, dword ptr [ebp-04]
:0046953B 8BD6 mov edx, esi
:0046953D 8BC3 mov eax, ebx
:0046953F E880FEFFFF call 004693C4 ->注册码的计算,跟进去看看
:00469544 8B55F8 mov edx, dword ptr [ebp-08]
:00469547 8B4508 mov eax, dword ptr [ebp+08]
:0046954A E8F1A8F9FF call 00403E40
:0046954F 0F94C0 sete al
:00469552 8BD8 mov ebx, eax
======================================================================
* Referenced by a CALL at Addresses:
|:0046932E , :0046938F , :0046953F
|
:004693C4 55 push ebp ->跟进注册码计算call来到这里
:004693C5 8BEC mov ebp, esp
:004693C7 6A00 push 00000000
:004693C9 6A00 push 00000000
:004693CB 6A00 push 00000000
:004693CD 6A00 push 00000000
:004693CF 6A00 push 00000000
:004693D1 53 push ebx
:004693D2 56 push esi
:004693D3 894DFC mov dword ptr [ebp-04], ecx
:004693D6 8BF2 mov esi, edx
:004693D8 8B45FC mov eax, dword ptr [ebp-04]
:004693DB E804ABF9FF call 00403EE4
:004693E0 33C0 xor eax, eax
:004693E2 55 push ebp
:004693E3 68C2944600 push 004694C2
:004693E8 64FF30 push dword ptr fs:[eax]
:004693EB 648920 mov dword ptr fs:[eax], esp
:004693EE 8D45F8 lea eax, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"Error"
|
:004693F1 BADC944600 mov edx, 004694DC
:004693F6 E84DA7F9FF call 00403B48
:004693FB 85F6 test esi, esi
:004693FD 0F8499000000 je 0046949C
:00469403 837DFC00 cmp dword ptr [ebp-04], 00000000
:00469407 0F848F000000 je 0046949C
:0046940D 8B45FC mov eax, dword ptr [ebp-04]
:00469410 E81BA9F9FF call 00403D30 ->取注册名位数
:00469415 8BD8 mov ebx, eax ->将位数传给ebx
:00469417 0FAFDE imul ebx, esi ->esi=25F5是一个基数,ebx=位数*0x25F5
:0046941A 8B45FC mov eax, dword ptr [ebp-04]
:0046941D 0FB600 movzx eax, byte ptr [eax] ->注册名第一位
:00469420 69C09A020000 imul eax, 0000029A ->eax=eax*0x29A
:00469426 03D8 add ebx, eax ->ebx=eax+ebx得到注册码第一部分
:00469428 8D55F4 lea edx, dword ptr [ebp-0C]
:0046942B 8BC3 mov eax, ebx
:0046942D E81AECF9FF call 0040804C
:00469432 8B55F4 mov edx, dword ptr [ebp-0C]
:00469435 8D45F8 lea eax, dword ptr [ebp-08]
:00469438 B9EC944600 mov ecx, 004694EC
:0046943D E83AA9F9FF call 00403D7C
:00469442 8B45FC mov eax, dword ptr [ebp-04] ->注册名传给eax
:00469445 0FB600 movzx eax, byte ptr [eax] ->取注册名第一位传给eax
:00469448 F7EE imul esi ->eax=第一位*基数(0x25F5)
:0046944A 6BD87B imul ebx, eax, 0000007B ->ebx=eax*0x7B
:0046944D FF75F8 push [ebp-08]
:00469450 8D55F0 lea edx, dword ptr [ebp-10]
:00469453 8BC3 mov eax, ebx
:00469455 E8F2EBF9FF call 0040804C
:0046945A FF75F0 push [ebp-10]
:0046945D 68EC944600 push 004694EC
:00469462 8D45F8 lea eax, dword ptr [ebp-08]
:00469465 BA03000000 mov edx, 00000003
:0046946A E881A9F9FF call 00403DF0
:0046946F 8B45FC mov eax, dword ptr [ebp-04]
:00469472 E8B9A8F9FF call 00403D30
:00469477 8B55FC mov edx, dword ptr [ebp-04] ->注册名传给eax
:0046947A 0FB612 movzx edx, byte ptr [edx] ->取注册名第一位传给edx
:0046947D F7EA imul edx ->eax=注册名位数*edx
:0046947F 69D8D5190000 imul ebx, eax, 000019D5 ->ebx=eax*0x19D5
:00469485 03DE add ebx, esi ->ebx=ebx+0x25F5
:00469487 8D55EC lea edx, dword ptr [ebp-14]
:0046948A 8BC3 mov eax, ebx
:0046948C E8BBEBF9FF call 0040804C
:00469491 8B55EC mov edx, dword ptr [ebp-14]
:00469494 8D45F8 lea eax, dword ptr [ebp-08]
:00469497 E89CA8F9FF call 00403D38
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004693FD(C), :00469407(C)
|
:0046949C 8B4508 mov eax, dword ptr [ebp+08]
:0046949F 8B55F8 mov edx, dword ptr [ebp-08]
:004694A2 E85DA6F9FF call 00403B04
:004694A7 33C0 xor eax, eax
:004694A9 5A pop edx
:004694AA 59 pop ecx
:004694AB 59 pop ecx
:004694AC 648910 mov dword ptr fs:[eax], edx
:004694AF 68C9944600 push 004694C9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004694C7(U)
|
:004694B4 8D45EC lea eax, dword ptr [ebp-14]
:004694B7 BA05000000 mov edx, 00000005
:004694BC E813A6F9FF call 00403AD4
:004694C1 C3 ret
===================================================================
总结:分析出了这个软件注册码的计算,怎么能少得了注册机呢!
TC v2.0下调试通过。
#include <stdio.h>
#include <string.h>
int main(void)
{
unsigned long a,b,c,d,x;
unsigned char name[60],*p=name;
strat:printf("CDsafe v1.5 keygen by HMILY[CCG][BCG]\n");
printf("My QQ: 5289322 E-mail: gyyxll@ynmail.com\n");
printf("********************************\n");
printf("Please enter your name = ");
gets(name);
a=strlen(name);
if(*p=='\0'){ printf("Your user name is empty !!! please re-input\n");goto strat;}
x=name[0];
b=a*0x25F5+x*0x29A;
c=x*0x25F5*0x7B;
d=a*x*0x19D5+0x25F5;
printf("Your register code is = %ld-%ld-%ld\n",b,c,d);
设为首页
加入收藏
总编信箱
投稿或申请专栏请先 [登 陆]
