Software overview:
~~~~~~~~~~~~~~~~~~
SubmitWolf is an automatic submission wizard for promoting Internet sites: within a few minutes it can submit a URL to hundreds of search engines and link directories.
Protection scheme:
~~~~~~~~~~~~~~~~~~
A simple name/code check. In the unregistered version most sites are unavailable, and a URL can only be submitted to a handful of selected sites.
Cracking process:
~~~~~~~~~~~~~~~~~
(First pass) Start TRW2000 and press OK; TRW2000 now sits hidden in the TaskBar. Run SubmitWolf, press "Register" and fill in:
Registration name: iloveeagle
Serial number:     10101010
CTRL-N into TRW2000, set the breakpoint bpx getdlgitemtexta, CTRL-N back to the program and press "OK". The program breaks at:
* Reference To: USER32.GetDlgItemTextA, Ord:0104h
|
:00418588 8B355C514300 mov esi, dword ptr [0043515C]
:0041858E 8D44240C lea eax, dword ptr [esp+0C]<--- address of the code buffer
:00418592 6A50 push 00000050
:00418594 50 push eax
:00418595 6814040000 push 00000414
:0041859A 53 push ebx
:0041859B FFD6 call esi<---------- GetDlgItemTextA fetches the code
We are stopped inside this CALL. F12 runs to its RET, and one more F10 returns to the instruction after the call. Then clear all breakpoints:
bc *
and keep pressing F10 down the listing.
:0041859D 8D8C248C000000 lea ecx, dword ptr [esp+0000008C] ; address of the name buffer
:004185A4 6A50 push 00000050
:004185A6 51 push ecx
* Possible Reference to Dialog: DialogID_0098, CONTROL_ID:0405, ""
|
:004185A7 6805040000 push 00000405
:004185AC 53 push ebx
:004185AD FFD6 call esi<----------------- GetDlgItemTextA fetches the name
:004185AF 8D54240C lea edx, dword ptr [esp+0C]
:004185B3 6A52 push 00000052
:004185B5 52 push edx
:004185B6 E8254F0100 call 0042D4E0<--------- if the code contains the character "R", returns the address of
:004185BB 83C408 add esp, 00000008           that "R"; otherwise returns 0 (a strchr-like routine, judging by
:004185BE 85C0 test eax, eax                 its two arguments). A hit means the second form of registration code.
:004185C0 7475 je 00418637
:004185C2 8D7C240C lea edi, dword ptr [esp+0C]---| This block swaps the memory positions of name and code.
:004185C6 83C9FF or ecx, FFFFFFFF                | It runs only when the code is of the second form. (***)
:004185C9 33C0 xor eax, eax                      | Each copy is an inlined strlen (repnz scasb) plus rep movsd / rep movsb.
:004185CB 8D54240C lea edx, dword ptr [esp+0C] |
:004185CF F2 repnz |
:004185D0 AE scasb |
:004185D1 F7D1 not ecx |
:004185D3 2BF9 sub edi, ecx |
:004185D5 8BC1 mov eax, ecx |
:004185D7 8BF7 mov esi, edi |
:004185D9 BF60E64300 mov edi, 0043E660 |
:004185DE C1E902 shr ecx, 02 |
:004185E1 F3 repz |
:004185E2 A5 movsd |
:004185E3 8BC8 mov ecx, eax |
:004185E5 33C0 xor eax, eax |
:004185E7 83E103 and ecx, 00000003 |
:004185EA F3 repz |
:004185EB A4 movsb |
:004185EC 8DBC248C000000 lea edi, dword ptr [esp+0000008C]
:004185F3 83C9FF or ecx, FFFFFFFF |
:004185F6 F2 repnz |
:004185F7 AE scasb |
:004185F8 F7D1 not ecx |
:004185FA 2BF9 sub edi, ecx |
:004185FC 8BC1 mov eax, ecx |
:004185FE 8BF7 mov esi, edi |
:00418600 8BFA mov edi, edx |
:00418602 8D94248C000000 lea edx, dword ptr [esp+0000008C]
:00418609 C1E902 shr ecx, 02 |
:0041860C F3 repz |
:0041860D A5 movsd |
:0041860E 8BC8 mov ecx, eax |
:00418610 33C0 xor eax, eax |
:00418612 83E103 and ecx, 00000003 |
:00418615 F3 repz |
:00418616 A4 movsb |
:00418617 BF60E64300 mov edi, 0043E660 |
:0041861C 83C9FF or ecx, FFFFFFFF |
:0041861F F2 repnz |
:00418620 AE scasb |
:00418621 F7D1 not ecx |
:00418623 2BF9 sub edi, ecx |
:00418625 8BC1 mov eax, ecx |
:00418627 8BF7 mov esi, edi |
:00418629 8BFA mov edi, edx |
:0041862B C1E902 shr ecx, 02 |
:0041862E F3 repz |
:0041862F A5 movsd |
:00418630 8BC8 mov ecx, eax |
:00418632 83E103 and ecx, 00000003 |
:00418635 F3 repz |
:00418636 A4 movsb-------------------------| end of the swap: code -> 0043E660, name -> code slot, 0043E660 -> name slot
At 004185C0, look at both directions of the jump: neither looks like it is about to put up a dialog box. So follow it with F10 first and see what comes of it. We arrive at 00418637.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004185C0(C)
|
:00418637 8D8C248C000000 lea ecx, dword ptr [esp+0000008C]
:0041863E 51 push ecx
:0041863F E83CDBFFFF call 00416180<------------- validity check on the first and last character of the name
:00418644 8D542410 lea edx, dword ptr [esp+10]
:00418648 52 push edx
:00418649 E832DBFFFF call 00416180<------------- validity check on the first and last character of the code
:0041864E 8D442414 lea eax, dword ptr [esp+14]
:00418652 8D8C2494000000 lea ecx, dword ptr [esp+00000094]
:00418659 50 push eax
:0041865A 51 push ecx
:0041865B E890090000 call 00418FF0<--------- returns 0 if the code is wrong. Important: F8 into it.
* Reference To: USER32.LoadStringA, Ord:01ABh
|
:00418660 8B35A8514300 mov esi, dword ptr [004351A8]
:00418666 83C410 add esp, 00000010
:00418669 85C0 test eax, eax
:0041866B 0F85AE000000 jne 0041871F<--------- this is the crux!
Stop here and look at eax: it is 0. The jump is not taken, and the instructions that follow put up an error dialog. It is immediately clear that for registration to succeed eax must be non-zero, so all attention turns to the CALL at 0041865B.
:00418671 8B1550624400 mov edx, dword ptr [00446250] ; error path: two LoadStringA calls load resource 1459 (text) into 0043E660 and 1460 (caption) into 0043D400, then MessageBoxA below shows them with MB_ICONEXCLAMATION (0x30).
:00418677 68D00F0000 push 00000FD0
:0041867C 6860E64300 push 0043E660
* Possible Reference to String Resource ID=01459: (string text not recoverable from the listing)
|
:00418681 68B3050000 push 000005B3
:00418686 52 push edx
:00418687 FFD6 call esi
:00418689 A150624400 mov eax, dword ptr [00446250]
:0041868E 68D00F0000 push 00000FD0
:00418693 6800D44300 push 0043D400
* Possible Reference to String Resource ID=01460: (string text not recoverable from the listing)
|
:00418698 68B4050000 push 000005B4
:0041869D 50 push eax
:0041869E FFD6 call esi
:004186A0 6A30 push 00000030
:004186A2 6800D44300 push 0043D400
:004186A7 6860E64300 push 0043E660
:004186AC 53 push ebx
* Reference To: USER32.MessageBoxA, Ord:01BEh
(Second pass) CTRL-N back to the program and enter the registration information again. This time I used 191919 as the CODE (to make memory searches easier I enter a different CODE on every pass; a small trick). CTRL-N into TRW2000 and double-click at 0041859D to set a breakpoint. CTRL-N back to the program and press "OK". Clear all breakpoints (bc *) and F10 until:
:0041865B E890090000 call 00418FF0
F8 into it, then keep pressing F10.
Below is the body of call 00418FF0:
:00418FF0 83EC70 sub esp, 00000070
:00418FF3 53 push ebx
:00418FF4 8B5C2478 mov ebx, dword ptr [esp+78] ; ebx = first argument: the name, or the code once the caller has swapped them
:00418FF8 56 push esi
:00418FF9 57 push edi
:00418FFA 85DB test ebx, ebx
:00418FFC 7436 je 00419034
:00418FFE 6A52 push 00000052<-- "R" ----------------------------------| Executed when the code
:00419000 53 push ebx                                                 | is of the second
:00419001 E8DA440100 call 0042D4E0<-- returns the address of "R" in the code. | form. (***)
:00419006 83C408 add esp, 00000008                                    |
:00419009 85C0 test eax, eax |
:0041900B 7427 je 00419034 |
:0041900D 8BBC2484000000 mov edi, dword ptr [esp+00000084] ; [edi] -> name (second argument) |
:00419014 85FF test edi, edi |
:00419016 0F84ED010000 je 00419209 |
:0041901C 6A40 push 00000040 |
:0041901E 57 push edi |
:0041901F E8BC440100 call 0042D4E0<-- returns the address of "@" in the name. |
:00419024 83C408 add esp, 00000008 |
:00419027 85C0 test eax, eax |
:00419029 7410 je 0041903B |
:0041902B 8BFB mov edi, ebx |
|
* Possible StringData Ref from Data Obj ->"EPAK" |
| |
:0041902D BB44824300 mov ebx, 00438244 |
:00419032 EB07 jmp 0041903B-----------------------------------|
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00418FFC(C), :0041900B(C)
|
:00419034 8BBC2484000000 mov edi, dword ptr [esp+00000084] ; [edi] -> code (second argument)
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00419029(C), :00419032(U)
|
:0041903B 85FF test edi, edi
:0041903D 0F84C6010000 je 00419209
:00419043 85DB test ebx, ebx
:00419045 0F84BE010000 je 00419209
* Possible Ref to Menu: MenuID_0064, Item: ""
|
:0041904B 6A02 push 00000002
* Possible StringData Ref from Data Obj ->"PY"
|
:0041904D 685C824300 push 0043825C
:00419052 57 push edi
:00419053 E898450100 call 0042D5F0<------ compares the first two characters of the code with "PY";
:00419058 83C40C add esp, 0000000C        returns 0 if equal, non-zero otherwise ...................(1)
:0041905B 85C0 test eax, eax
:0041905D 7418 je 00419077
* Possible Ref to Menu: MenuID_0064, Item: ""
|
:0041905F 6A02 push 00000002
* Possible StringData Ref from Data Obj ->"EY"
|
:00419061 6858824300 push 00438258
:00419066 57 push edi
:00419067 E884450100 call 0042D5F0<------ compares the first two characters of the code with "EY";
:0041906C 83C40C add esp, 0000000C        returns 0 if equal, non-zero otherwise ...................(2)
:0041906F 85C0 test eax, eax
:00419071 0F8592010000 jne 00419209
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041905D(C)
|
* Possible Ref to Menu: MenuID_0064, Item: ""
|
:00419077 6A02 push 00000002
* Possible StringData Ref from Data Obj ->"EY"
|
:00419079 6858824300 push 00438258
:0041907E 57 push edi
:0041907F E86C450100 call 0042D5F0<---- same as above ....................................(3)
:00419084 F7D8 neg eax
:00419086 1BC0 sbb eax, eax
:00419088 6A2D push 0000002D
:0041908A 40 inc eax
:0041908B 57 push edi
:0041908C A304BC4300 mov dword ptr [0043BC04], eax ; neg / sbb / inc turn the strncmp result into 1 if the prefix is "EY", 0 if "PY"; stored in a global flag
:00419091 E81A470100 call 0042D7B0<----------------- returns the position of "-" in the code .........(4)
:00419096 83C414 add esp, 00000014
:00419099 85C0 test eax, eax
:0041909B 0F8468010000 je 00419209<------ no "-": fail
:004190A1 83C9FF or ecx, FFFFFFFF ; inlined strlen + strcpy: copy the code into the local buffer at [esp+14]
:004190A4 33C0 xor eax, eax
:004190A6 F2 repnz
:004190A7 AE scasb
:004190A8 F7D1 not ecx
:004190AA 2BF9 sub edi, ecx
:004190AC 8D542414 lea edx, dword ptr [esp+14]
:004190B0 8BC1 mov eax, ecx
:004190B2 8BF7 mov esi, edi
:004190B4 8BFA mov edi, edx
:004190B6 6A2D push 0000002D
:004190B8 C1E902 shr ecx, 02
:004190BB F3 repz
:004190BC A5 movsd
:004190BD 8BC8 mov ecx, eax
:004190BF 83E103 and ecx, 00000003
:004190C2 F3 repz
:004190C3 A4 movsb
:004190C4 8D4C2418 lea ecx, dword ptr [esp+18]
:004190C8 51 push ecx
:004190C9 E8E2460100 call 0042D7B0<-------------------- same as above, on the local copy ......(5)
:004190CE 8BF8 mov edi, eax
:004190D0 83C408 add esp, 00000008
:004190D3 85FF test edi, edi
:004190D5 0F842E010000 je 00419209
:004190DB C60700 mov byte ptr [edi], 00 ; terminate the copy at "-": the local buffer now holds only the part before "-"
:004191BA 8D442448 lea eax, dword ptr [esp+48]
(Third pass) I have omitted a lengthy computation here. In fact, on the second pass we never reach this point; instead we quickly jump to 00419209, return eax=0 and land in the failure path. What the second pass showed is that the first two characters of the code must be "PY" or "EY" and that one character must be "-". So start over, this time with name: QQQ / code: EY2000-121212. After entering
:0041865B E890090000 call 00418FF0
just keep pressing F10. Suddenly, look below, and a very familiar string comes into view. That gives you a correct name/code combination. If you want to write a keygen, study the omitted part carefully.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004191E0(C)
|
:004191BE 8A10 mov dl, byte ptr [eax]<-------- comparison of the real and the entered code!! ...........(6)
:004191C0 8A1E mov bl, byte ptr [esi]
:004191C2 8ACA mov cl, dl
:004191C4 3AD3 cmp dl, bl
:004191C6 752C jne 004191F4
:004191C8 84C9 test cl, cl
:004191CA 7416 je 004191E2
:004191CC 8A5001 mov dl, byte ptr [eax+01]
:004191CF 8A5E01 mov bl, byte ptr [esi+01]
:004191D2 8ACA mov cl, dl
:004191D4 3AD3 cmp dl, bl
:004191D6 751C jne 004191F4
:004191D8 83C002 add eax, 00000002
:004191DB 83C602 add esi, 00000002
:004191DE 84C9 test cl, cl
:004191E0 75DC jne 004191BE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:<--- reaching here means success
|:004191CA(C)
|
:004191E2 33C0 xor eax, eax
:004191E4 33C9 xor ecx, ecx
:004191E6 85C0 test eax, eax
:004191E8 0F94C1 sete cl
:004191EB 5F pop edi
:004191EC 5E pop esi
:004191ED 8BC1 mov eax, ecx
:004191EF 5B pop ebx
:004191F0 83C470 add esp, 00000070
:004191F3 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:<-- at first glance this could be a success exit too,
|:004191C6(C), :004191D6(C)                                             but both jumps that lead here are jne (a mismatch), so
|                                                                       landing here is failure as well: sbb eax,eax / sbb eax,-1
|                                                                       leave +1 or -1 in eax, and sete cl then yields 0.
:004191F4 1BC0 sbb eax, eax
:004191F6 5F pop edi
:004191F7 83D8FF sbb eax, FFFFFFFF
:004191FA 33C9 xor ecx, ecx
:004191FC 85C0 test eax, eax
:004191FE 0F94C1 sete cl
:00419201 5E pop esi
:00419202 8BC1 mov eax, ecx
:00419204 5B pop ebx
:00419205 83C470 add esp, 00000070
:00419208 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:<--- reaching here means failure.
|:00419016(C), :0041903D(C), :00419045(C), :00419071(C), :0041909B(C)
|:004190D5(C)
|
:00419209 5F pop edi
:0041920A 5E pop esi
:0041920B 33C0 xor eax, eax
:0041920D 5B pop ebx
:0041920E 83C470 add esp, 00000070
:00419211 C3 ret
Are we done? Not yet. We should look at the two blocks marked (***). The first, after finding an "R" in the CODE, swaps the memory positions of NAME and CODE; the second checks whether the NAME contains the character "@". See the summary below:
Summary:
This program accepts two kinds of registration code:
1. One form looks like:
Name:QQQ/code:EY2000-121212
Here the digits between "EY" and "-" are arbitrary. The digits after "-" are computed from the Name and from the characters before "-" (including the "EY"). "EY" may also be "PY". There may also be nothing at all between "EY" and "-"; registering that way still shows the success screen, but the online update then fails and the list of upgrade components does not even appear. With the code above the component list does appear; after choosing components it asks me for an email address, and that is where I got stuck: how am I supposed to know which email addresses are registered on its server? I'm not a hacker.
2. The other form looks like:
Name:anything@anything/code:EYR2002-121212
This form is independent of the NAME. The code must contain an "R", and its first two characters must again be "EY" or "PY". The digits after "-" are computed from the string "EPAK" and the characters before "-" (including the "EY" or "PY"). The "@" in the NAME is required; the author probably wants you to enter an email address there. This form of code is perhaps tied to upgrading the Engine Pack.
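To make the two flows above concrete, here is a C model of everything the two listings actually show: the caller's name/code swap on "R", the argument roles inside 00418FF0, the "@" test, the PY/EY prefix gate, the flag written to 0043BC04, the split at "-", and the two-bytes-per-step compare loop with its 1/0 return convention. This is an added example, not code from the article or from SubmitWolf. The routine that derives the digits after "-" is exactly the part the article omits, so it is passed in as a function, and the demo_derive stand-in is invented for the demo (lengths of its inputs) and is not the real algorithm. The calls at 0042D4E0 / 0042D5F0 / 0042D7B0 are modelled as strchr / strncmp / strchr from the way they are called (the listing does not name them), and it is an assumption that the compare at 004191BE pits the derived digits against the digits the user typed after "-".

```c
#include <stdio.h>
#include <string.h>

/* The routine that derives the digits after '-' is the part elided above, so the caller supplies it. */
typedef void (*suffix_fn)(const char *key_src, const char *head, char *out, size_t outlen);

static char g_scratch[0x50];   /* stands in for the buffer at 0043E660 */
int g_prefix_is_EY;            /* stands in for the flag at 0043BC04 */

/* or ecx,-1 / repnz scasb / not ecx / sub edi,ecx / shr ecx,2 / rep movsd / and ecx,3 / rep movsb
 * is an inlined strlen + strcpy: whole dwords first, then the leftover bytes (count includes the NUL). */
static void inlined_strcpy(char *dst, const char *src)
{
    size_t n = strlen(src) + 1, i = 0;
    for (; i + 4 <= n; i += 4)
        memcpy(dst + i, src + i, 4);   /* rep movsd */
    for (; i < n; i++)
        dst[i] = src[i];               /* rep movsb */
}

/* 004185C2..00418636: when the code contains 'R', exchange the two dialog buffers through the
 * global scratch buffer (code -> scratch, name -> code slot, scratch -> name slot). */
static void swap_if_second_form(char *name, char *code)
{
    if (strchr(code, 'R') == NULL)
        return;
    inlined_strcpy(g_scratch, code);
    inlined_strcpy(code, name);
    inlined_strcpy(name, g_scratch);
}

/* 004191BE..00419211: two bytes per iteration.  The exit at 004191E2 returns 1; the exit at
 * 004191F4 returns 0 because sbb eax,eax / sbb eax,-1 leave +1 or -1 in eax, so sete cl gives 0. */
static int compare_loop(const char *a, const char *b)
{
    for (;;) {
        if (a[0] != b[0]) return 0;
        if (a[0] == '\0') return 1;
        if (a[1] != b[1]) return 0;
        if (a[1] == '\0') return 1;
        a += 2; b += 2;
    }
}

/* 00418FF0: arg1 is the first dialog buffer (the name, or the code once the caller swapped them),
 * arg2 the second.  0042D4E0 / 0042D5F0 / 0042D7B0 are modelled as strchr / strncmp / strchr. */
static int check_code(const char *arg1, const char *arg2, suffix_fn derive)
{
    const char *key_src, *code, *dash;   /* ebx (name or "EPAK"), edi, and the '-' */
    char head[0x50], expect[0x50];

    if (arg1 == NULL) return 0;
    if (strchr(arg1, 'R') != NULL) {                   /* 00419001: second form */
        if (arg2 == NULL) return 0;
        if (strchr(arg2, '@') != NULL) {               /* 0041901F */
            code = arg1;
            key_src = "EPAK";
        } else {                                       /* 00419029 falls through, roles unchanged */
            code = arg2;
            key_src = arg1;
        }
    } else {                                           /* 00419034 */
        code = arg2;
        key_src = arg1;
    }
    if (code == NULL || key_src == NULL) return 0;
    if (strncmp(code, "PY", 2) != 0 && strncmp(code, "EY", 2) != 0) return 0;   /* (1), (2) */
    g_prefix_is_EY = (strncmp(code, "EY", 2) == 0);    /* (3): neg / sbb / inc */
    dash = strchr(code, '-');                          /* (4) */
    if (dash == NULL || strlen(code) >= sizeof head) return 0;
    inlined_strcpy(head, code);                        /* copy into the local buffer at [esp+14] */
    head[dash - code] = '\0';                          /* (5), then mov byte ptr [edi],00 */
    derive(key_src, head, expect, sizeof expect);      /* the elided computation */
    return compare_loop(expect, dash + 1);             /* (6); assumed: derived digits vs. entered digits */
}

/* Caller side (0041859D..0041865B): two 0x50-byte dialog buffers, the swap, then 00418FF0(name slot, code slot). */
static int validate(const char *name_in, const char *code_in, suffix_fn derive)
{
    char name[0x50], code[0x50];
    if (strlen(name_in) >= sizeof name || strlen(code_in) >= sizeof code) return 0;
    strcpy(name, name_in); strcpy(code, code_in);
    swap_if_second_form(name, code);
    return check_code(name, code, derive);
}

/* Constructed stand-in for the elided routine, NOT SubmitWolf's algorithm: lengths of key_src and head. */
static void demo_derive(const char *key_src, const char *head, char *out, size_t outlen)
{
    snprintf(out, outlen, "%u%u", (unsigned)strlen(key_src), (unsigned)strlen(head));
}

int main(void)
{
    printf("QQQ / EY2000-36  -> %d\n", validate("QQQ", "EY2000-36", demo_derive));   /* 1 */
    printf("a@b / PYR2002-47 -> %d\n", validate("a@b", "PYR2002-47", demo_derive));  /* 1 */
    printf("QQQ / EYR2002-47 -> %d\n", validate("QQQ", "EYR2002-47", demo_derive));  /* 0 */
    return 0;
}
```

Compile with any C compiler and the three lines print 1, 1, 0. Note what the third case shows: with the stand-in derive the second-form code without an "@" in the name does not fail on an explicit "@" check, but because the fall-through at 00419029 leaves edi pointing at the second argument (the name, after the caller's swap), so the PY/EY prefix test runs against "QQQ" and goes to 00419209.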