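2004-10-15 Author: 蓝点
Download page: http://www.skycn.com/soft/10315.html
Size: 378 KB
Language: Simplified Chinese
Category: Chinese-made software / Shareware / Miscellaneous tools
Platform: Win9x/NT/2000/XP
Date added: 2003-01-05 09:01:25
Downloads: 383
Rating: ***
Developer: http://www.380000.com/
[Software description]: 《暴风共享软件管理器I》 is a professional shareware management tool that helps you manage your shareware products conveniently. Using its "interface-style DLL automatic registration-code generation system", it can automatically compute registration codes with the algorithm you supply; it can plot charts of revenue, profit and sales volume for each product; and it uses an order-based management style suited to how shareware is sold in China. 《暴风共享软件管理器I》 is sure to become a good helper for managing your shareware.
[Limitation]: 30-day trial.
[Author's statement]: I am new to cracking and do this purely out of interest, with no other purpose. Corrections from more experienced readers are welcome!
[Tools]: TRW2000 (娃娃 modified build), Ollydbg1.09, PEiD, W32Dasm 10 (modified build)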
—————————————————————————————————
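[Process]:
暴风共享软件管理器I.exe is not packed. It is written in Visual C++ 6.0.
Heh, after finishing the analysis I saw newlaos's write-up on 《奇门遁甲演义V6.3》 and noticed that the algorithm is very similar. Checking the developer of that software: oh, it is the same company, "sharing" one registration algorithm. It looks like sibling products such as 函数图像大师 and 鼠到擒来 are much the same.
Although the registration code is long, the basic flow of the algorithm is the same for every group: the parameters are varied to produce the other groups of the code, so I have recorded the algorithm for the first group only.
User name: fly
Trial code: 12345-67890-ABCDE-FGHIJ-KLMNO
Disassemble it and look at the references; the core below is easy to find.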
—————————————————————————————————
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C13(C)
|
:00408C21 8D44242C lea eax, dword ptr [esp+2C]
:00408C25 6A1E push 0000001E
:00408C27 50 push eax
:00408C28 8D8E0C010000 lea ecx, dword ptr [esi+0000010C]
:00408C2E E88D350000 call 0040C1C0
:00408C33 8D4C240C lea ecx, dword ptr [esp+0C]
:00408C37 6A1E push 0000001E
:00408C39 51 push ecx
:00408C3A 8D8E1C010000 lea ecx, dword ptr [esi+0000011C]
:00408C40 E87B350000 call 0040C1C0
:00408C45 8D7C242C lea edi, dword ptr [esp+2C]
:00408C49 83C9FF or ecx, FFFFFFFF
:00408C4C 33C0 xor eax, eax
:00408C4E F2 repnz
:00408C4F AE scasb
:00408C50 F7D1 not ecx
:00408C52 49 dec ecx
:00408C53 7511 jne 00408C66
====>Was a user name entered?
:00408C55 6A10 push 00000010
* Possible StringData Ref from Data Obj ->"错误"
|
:00408C57 680CC24200 push 0042C20C
* Possible StringData Ref from Data Obj ->"没有用户名!"
|
:00408C5C 68F0C34200 push 0042C3F0
:00408C61 E983000000 jmp 00408CE9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C53(C)
|
:00408C66 8D7C240C lea edi, dword ptr [esp+0C]
:00408C6A 83C9FF or ecx, FFFFFFFF
:00408C6D 33C0 xor eax, eax
:00408C6F F2 repnz
:00408C70 AE scasb
:00408C71 F7D1 not ecx
:00408C73 49 dec ecx
:00408C74 7512 jne 00408C88
====>Was a registration code entered?
:00408C76 8B460C mov eax, dword ptr [esi+0C]
:00408C79 6A10 push 00000010
* Possible StringData Ref from Data Obj ->"错误"
|
:00408C7B 680CC24200 push 0042C20C
* Possible StringData Ref from Data Obj ->"没有注册码!"
|
:00408C80 68E0C34200 push 0042C3E0
:00408C85 50 push eax
:00408C86 EB65 jmp 00408CED
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C74(C)
|
:00408C88 8B8E08010000 mov ecx, dword ptr [esi+00000108]
:00408C8E E8DD84FFFF call 00401170
:00408C93 84C0 test al, al
:00408C95 7412 je 00408CA9
====>Already registered? Heh, rather amusing.
:00408C97 8B4E0C mov ecx, dword ptr [esi+0C]
:00408C9A 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"你已经注册过了。"
|
:00408C9C 6898C34200 push 0042C398
* Possible StringData Ref from Data Obj ->"你已经注册过了。"
|
:00408CA1 6898C34200 push 0042C398
:00408CA6 51 push ecx
:00408CA7 EB44 jmp 00408CED
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C95(C)
|
:00408CA9 8B8E08010000 mov ecx, dword ptr [esi+00000108]
:00408CAF 8D54240C lea edx, dword ptr [esp+0C]
====>EDX=12345-67890-ABCDE-FGHIJ-KLMNO
:00408CB3 8D44242C lea eax, dword ptr [esp+2C]
====>EAX=fly (the user name)
:00408CB7 52 push edx
:00408CB8 50 push eax
:00408CB9 E88286FFFF call 00401340
:00408CBE 8B8E08010000 mov ecx, dword ptr [esi+00000108]
:00408CC4 E8A784FFFF call 00401170
====>The key CALL! Step into it!
:00408CC9 84C0 test al, al
:00408CCB 6A40 push 00000040
:00408CCD 7410 je 00408CDF
====>If this jump is taken, it's OVER!
:00408CCF 8B4E0C mov ecx, dword ptr [esi+0C]
* Possible StringData Ref from Data Obj ->"成功"
====>Heh, the goddess of victory!
:00408CD2 68D8C34200 push 0042C3D8
* Possible StringData Ref from Data Obj ->"注册将在重启后生效!"
|
:00408CD7 68C0C34200 push 0042C3C0
:00408CDC 51 push ecx
:00408CDD EB0E jmp 00408CED
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408CCD(C)
|
* Possible StringData Ref from Data Obj ->"失败"
|
:00408CDF 68B8C34200 push 0042C3B8
* Possible StringData Ref from Data Obj ->"非法注册码"
====>BAD BOY!
:00408CE4 68ACC34200 push 0042C3AC
—————————————————————————————————
Stepping into the key CALL: 408CC4 call 00401170
* Referenced by a CALL at Addresses:
|:00403D92 , :00408B93 , :00408C8E , :00408CC4
...... ......omitted...... ......
:00401223 8A4C2425 mov cl, byte ptr [esp+25]
:00401227 B02D mov al, 2D
====>AL=2D, i.e. the character -
:00401229 3AC8 cmp cl, al
====>Is the 6th character of the registration code a - ?
:0040122B 7572 jne 0040129F
:0040122D 3844242B cmp byte ptr [esp+2B], al
====>Is the 12th character of the registration code a - ?
:00401231 756C jne 0040129F
:00401233 38442431 cmp byte ptr [esp+31], al
====>Is the 18th character of the registration code a - ?
:00401237 7566 jne 0040129F
:00401239 38442437 cmp byte ptr [esp+37], al
====>Is the 24th character of the registration code a - ?
:0040123D 7560 jne 0040129F
:0040123F 33FF xor edi, edi
:00401241 8D742422 lea esi, dword ptr [esp+22]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401294(C)
|
:00401245 8D4C2418 lea ecx, dword ptr [esp+18]
:00401249 8D542440 lea edx, dword ptr [esp+40]
====>EDX=fly
:0040124D 51 push ecx
:0040124E 57 push edi
:0040124F 52 push edx
:00401250 8BCD mov ecx, ebp
:00401252 E859000000 call 004012B0
====>The algorithm CALL! Step into it!
====>What follows is a character-by-character comparison! A single mismatch and it's OVER!
:00401257 8A46FE mov al, byte ptr [esi-02]
====>[esi-02]=12345
:0040125A 8A4C2418 mov cl, byte ptr [esp+18]
====>[esp+18]=1E9TT
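Pass 1 of the outer loop yields: 1E9TT
Pass 2 of the outer loop yields: 5GDGG
Pass 3 of the outer loop yields: 72WW8
Pass 4 of the outer loop yields: 72WR9
Pass 5 of the outer loop yields: 11MGG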
:0040125E 3AC1 cmp al, cl
:00401260 753D jne 0040129F
:00401262 8A4EFF mov cl, byte ptr [esi-01]
:00401265 8A442419 mov al, byte ptr [esp+19]
:00401269 3AC8 cmp cl, al
:0040126B 7532 jne 0040129F
:0040126D 8A16 mov dl, byte ptr [esi]
:0040126F 8A44241A mov al, byte ptr [esp+1A]
:00401273 3AD0 cmp dl, al
:00401275 7528 jne 0040129F
:00401277 8A4601 mov al, byte ptr [esi+01]
:0040127A 8A4C241B mov cl, byte ptr [esp+1B]
:0040127E 3AC1 cmp al, cl
:00401280 751D jne 0040129F
:00401282 8A4E02 mov cl, byte ptr [esi+02]
:00401285 8A44241C mov al, byte ptr [esp+1C]
:00401289 3AC8 cmp cl, al
:0040128B 7512 jne 0040129F
:0040128D 47 inc edi
:0040128E 83C606 add esi, 00000006
:00401291 83FF05 cmp edi, 00000005
:00401294 7CAF jl 00401245
:00401296 5F pop edi
:00401297 5E pop esi
:00401298 B001 mov al, 01
====>AL set to 1 means OK!
:0040129A 5D pop ebp
:0040129B 83C454 add esp, 00000054
:0040129E C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401221(C), :0040122B(C), :00401231(C), :00401237(C), :0040123D(C)
|:00401260(C), :0040126B(C), :00401275(C), :00401280(C), :0040128B(C)
|
:0040129F 5F pop edi
:004012A0 5E pop esi
:004012A1 32C0 xor al, al
====>AL cleared to 0 means OVER!
:004012A3 5D pop ebp
:004012A4 83C454 add esp, 00000054
:004012A7 C3 ret
—————————————————————————————————
Stepping into the algorithm CALL: 401252 call 004012B0
* Referenced by a CALL at Address:
|:00401252
|
:004012B0 8B4C2408 mov ecx, dword ptr [esp+08]
:004012B4 8B542404 mov edx, dword ptr [esp+04]
====>EDX=fly
:004012B8 03D1 add edx, ecx
:004012BA 83EC0C sub esp, 0000000C
:004012BD B801000000 mov eax, 00000001
:004012C2 8A0A mov cl, byte ptr [edx]
====>CL=66
:004012C4 56 push esi
:004012C5 84C9 test cl, cl
:004012C7 7413 je 004012DC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012DA(C)
|
:004012C9 0FBEC9 movsx ecx, cl
1. ====>ECX=CL=66
2. ====>ECX=6C
3. ====>ECX=79
:004012CC 8BF1 mov esi, ecx
:004012CE 0FAFF1 imul esi, ecx
1. ====>ESI=66 * 66=28A4
2. ====>ESI=6C * 6C=2D90
3. ====>ESI=79 * 79=3931
:004012D1 8A4A01 mov cl, byte ptr [edx+01]
1. ====>CL=6C
:004012D4 0FAFC6 imul eax, esi
1. ====>EAX=01 * 28A4=28A4
2. ====>EAX=28A4 * 2D90=073BB040
3. ====>EAX=073BB040 * 3931=ACAAFC40
:004012D7 42 inc edx
:004012D8 84C9 test cl, cl
:004012DA 75ED jne 004012C9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012C7(C)
|
:004012DC 8B74241C mov esi, dword ptr [esp+1C]
:004012E0 33C9 xor ecx, ecx
:004012E2 8BD6 mov edx, esi
:004012E4 6A24 push 00000024
:004012E6 3517108519 xor eax, 19851017
====>EAX=ACAAFC40 XOR 19851017=B52FEC57
:004012EB 890A mov dword ptr [edx], ecx
:004012ED 66894A04 mov word ptr [edx+04], cx
:004012F1 8D4C2408 lea ecx, dword ptr [esp+08]
:004012F5 51 push ecx
:004012F6 50 push eax
:004012F7 E8C70B0200 call 00421EC3
====>Yet another sub-computation CALL! Step into it!
:004012FC 8D542410 lea edx, dword ptr [esp+10]
====>EDX=1e9ttnb
:00401300 52 push edx
* Possible StringData Ref from Data Obj ->"%.5s"
|
:00401301 681CC14200 push 0042C11C
:00401306 56 push esi
:00401307 E8BC730100 call 004186C8
====>This CALL keeps only the first 5 characters of the string obtained above!
====>ESI=1e9tt
:0040130C 83C418 add esp, 00000018
:0040130F 33C9 xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040132F(C)
|
:00401311 8A0431 mov al, byte ptr [ecx+esi]
:00401314 3C61 cmp al, 61
:00401316 7C0B jl 00401323
:00401318 3C7A cmp al, 7A
:0040131A 7F07 jg 00401323
:0040131C 2C20 sub al, 20
:0040131E 880431 mov byte ptr [ecx+esi], al
:00401321 EB08 jmp 0040132B
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401316(C), :0040131A(C)
|
:00401323 84C0 test al, al
:00401325 7504 jne 0040132B
:00401327 C6043130 mov byte ptr [ecx+esi], 30
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401321(U), :00401325(C)
|
:0040132B 41 inc ecx
:0040132C 83F905 cmp ecx, 00000005
:0040132F 7CE0 jl 00401311
====>This small loop converts the lowercase letters in 1e9tt to uppercase!
====>ESI=1e9tt is converted to 1E9TT
:00401331 5E pop esi
:00401332 83C40C add esp, 0000000C
:00401335 C20C00 ret 000C
—————————————————————————————————
Stepping into the sub-computation CALL: 004012F7 call 00421EC3
Then stepping in again: 00421EE0 call 00421E67
* Referenced by a CALL at Addresses:
|:00421E5A , :00421EE0
|
:00421E67 55 push ebp
:00421E68 8BEC mov ebp, esp
:00421E6A 837D1400 cmp dword ptr [ebp+14], 00000000
:00421E6E 8B4D0C mov ecx, dword ptr [ebp+0C]
:00421E71 53 push ebx
:00421E72 56 push esi
:00421E73 57 push edi
:00421E74 740B je 00421E81
:00421E76 8B7508 mov esi, dword ptr [ebp+08]
:00421E79 C6012D mov byte ptr [ecx], 2D
:00421E7C 41 inc ecx
:00421E7D F7DE neg esi
:00421E7F EB03 jmp 00421E84
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421E74(C)
|
:00421E81 8B7508 mov esi, dword ptr [ebp+08]
====>ESI=B52FEC57
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421E7F(U)
|
:00421E84 8BF9 mov edi, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421EAA(C)
|
:00421E86 8BC6 mov eax, esi
:00421E88 33D2 xor edx, edx
:00421E8A F77510 div [ebp+10]
====>[ebp+10]=24
1. ====>EDX=B52FEC57 % 24=0B
2. ====>EDX=0508713B % 24=17
3. ====>EDX=0023CA41 % 24=1D
4. ====>EDX=0000FE81 % 24=1D
5. ====>EDX=00000711 % 24=09
6. ====>EDX=00000032 % 24=0E
7. ====>EDX=00000001 % 24=01
:00421E8D 8BC6 mov eax, esi
:00421E8F 8BDA mov ebx, edx
:00421E91 33D2 xor edx, edx
:00421E93 F77510 div [ebp+10]
1. ====>EAX=B52FEC57 / 24=0508713B
2. ====>EAX=0508713B / 24=0023CA41
3. ====>EAX=0023CA41 / 24=0000FE81
4. ====>EAX=0000FE81 / 24=00000711
5. ====>EAX=00000711 / 24=00000032
6. ====>EAX=00000032 / 24=00000001
7. ====>EAX=00000001 / 24=00000000
:00421E96 83FB09 cmp ebx, 00000009
:00421E99 8BF0 mov esi, eax
====>ESI=EAX
:00421E9B 7605 jbe 00421EA2
:00421E9D 80C357 add bl, 57
1. ====>BL=0B + 57=62, i.e. the character b
2. ====>BL=17 + 57=6E, i.e. the character n
3. ====>BL=1D + 57=74, i.e. the character t
4. ====>BL=1D + 57=74, i.e. the character t
6. ====>BL=0E + 57=65, i.e. the character e
:00421EA0 EB03 jmp 00421EA5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421E9B(C)
|
:00421EA2 80C330 add bl, 30
5. ====>BL=09 + 30=39, i.e. the character 9
7. ====>BL=01 + 30=31, i.e. the character 1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421EA0(U)
|
:00421EA5 8819 mov byte ptr [ecx], bl
====>BL is stored at [ecx]
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
Memory at [ECX] after the loop finishes:
006DEE3C 62 6E 74 74 39 65 31 bntt9e1
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00421EA7 41 inc ecx
:00421EA8 85F6 test esi, esi
:00421EAA 77DA ja 00421E86
====>Loop!
:00421EAC 802100 and byte ptr [ecx], 00
:00421EAF 49 dec ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421EBC(C)
|
:00421EB0 8A17 mov dl, byte ptr [edi]
:00421EB2 8A01 mov al, byte ptr [ecx]
:00421EB4 8811 mov byte ptr [ecx], dl
:00421EB6 8807 mov byte ptr [edi], al
:00421EB8 49 dec ecx
:00421EB9 47 inc edi
:00421EBA 3BF9 cmp edi, ecx
:00421EBC 72F2 jb 00421EB0
====>This small loop reverses bntt9e1 into: 1e9ttnb
:00421EBE 5F pop edi
:00421EBF 5E pop esi
:00421EC0 5B pop ebx
:00421EC1 5D pop ebp
:00421EC2 C3 ret
—————————————————————————————————
[Perfect patch]:
Heh, the perfect patch is simple.
004012A1 32C0 xor al, al
Change it to: B001 mov al, 01 and that's it! It mirrors the instruction at 401298 nicely.
—————————————————————————————————
[Where the registration data is stored]:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\SsmI]
"User Name"=hex:66,6c,79,00,4c,ef,6d,00,80,ef,6d,00,18,02,00,00,37,01,00,00,17,\
03,00,00,fd,01,00,00,8f,03
"Register Code"=hex:31,45,39,54,54,2d,35,47,44,47,47,2d,37,32,57,57,38,2d,37,\
32,57,52,39,2d,31,31,4d,47,47,00
—————————————————————————————————
[Summary]:
User name: fly
Registration code: 1E9TT-5GDGG-72WW8-72WR9-11MGG
—————————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-10-10 21:21
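The registry export in the section on where the registration data is stored can be decoded offline to see exactly what the program persists. The following is an added example, not part of the original post: it parses the REGEDIT4 text, shows that both values are 30-byte (0x1E) buffers matching the `push 0000001E` length in the listing, that the code is stored in clear text, and that "User Name" carries leftover bytes after its terminator whose first two dwords fall in the same 006DExxx range as the address 006DEE3C in the trace. The function names are illustrative choices.

```python
import re
import struct

# The export from the write-up, embedded verbatim.
REG_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\SsmI]
"User Name"=hex:66,6c,79,00,4c,ef,6d,00,80,ef,6d,00,18,02,00,00,37,01,00,00,17,\
03,00,00,fd,01,00,00,8f,03
"Register Code"=hex:31,45,39,54,54,2d,35,47,44,47,47,2d,37,32,57,57,38,2d,37,\
32,57,52,39,2d,31,31,4d,47,47,00
'''

def parse_hex_values(text):
    """Return {value name: bytes} for every "name"=hex:... entry."""
    joined = re.sub(r"\\\r?\n\s*", "", text)  # undo backslash line continuations
    values = {}
    for name, body in re.findall(r'^"([^"]+)"=hex:([0-9a-fA-F,]*)$', joined, re.M):
        values[name] = bytes(int(b, 16) for b in body.split(",") if b)
    return values

def split_c_string(raw):
    """Split a fixed-size buffer into its C string and the bytes after the NUL."""
    end = raw.find(b"\x00")
    if end < 0:
        return raw.decode("ascii", "replace"), b""
    return raw[:end].decode("ascii", "replace"), raw[end + 1:]

def residue_dwords(tail, string_len):
    """Read the residue as little-endian dwords, aligned to the buffer start."""
    skip = (-(string_len + 1)) % 4      # bytes up to the next dword boundary
    usable = tail[skip:]
    count = len(usable) // 4
    return list(struct.unpack("<%dI" % count, usable[:count * 4]))

def audit(text):
    """Summarise each stored value: size, string, and any non-zero residue."""
    report = {}
    for name, raw in parse_hex_values(text).items():
        string, tail = split_c_string(raw)
        dirty = any(tail)               # non-zero bytes after the terminator
        report[name] = {
            "size": len(raw),
            "string": string,
            "residue": tail if dirty else b"",
            "dwords": residue_dwords(tail, len(string)) if dirty else [],
        }
    return report

if __name__ == "__main__":
    for name, info in audit(REG_EXPORT).items():
        print(name, info["size"], repr(info["string"]),
              [hex(d) for d in info["dwords"]])
```
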
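Subject: 暴风共享软件管理器I V1.0 - partial keygen source!
Posted by: HMILYBCG
Time: 2003/04/11 06:12pm
Details:
Heh, once again I'm riding on fly's coattails: building on his analysis, I did the further analysis that was needed (the things you have to know to write a keygen).
If you want to become a real cracker, you have to write a keygen after working out the algorithm.
Heh, of course I'm not saying that I am a qualified cracker myself; there is far too much for a cracker to learn. But at the very least, being able to write a keygen is a qualitative leap.
So I am posting only part of the source; I can't let you be lazy.
If anyone needs the keygen, send me an e-mail: gyyxll@21cn.com
The following is part of the CB source: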
while(b<=a)
{
e=name[b];
f=e*e;
g=g*f;b++;
}
h=g^0x19851017;
while(h>0)
{
i=h%0x24;
h=h/0x24;
if(i<=9) i=i+0x30;
else i=i+0x57;
key_1=key_1+char(i);
}
c=key_1.Length();
while(c>=1)
{
e_1=key_1[c];
if(e_1>0x60) e_1=e_1-0x20;
else e_1=e_1;c--;
key_11=key_11+char(e_1);
}
c=1;
while(c<=5)
{
e_1=key_11[c];
key_111=key_111+char(e_1);c++;
}
CEdit->Text=key_111;