Protection scheme: registration code
Functional limitation: unregistered nag message
Cracking tools: TRW2000 1.23 registered version, W32Dasm 8.93 Gold Edition, FI 2.5
Crack date: 2003-04-09
Author's (newlaos) statement: this is for study only. Please do not use it commercially or freely distribute keygens made with the method in this article; I accept no responsibility for any consequences.
1. First check the main file "32bc.exe" with FI 2.5: it is not packed. The program was written in VC++ 6.0.
2. Statically disassemble 32bc.exe with W32Dasm 8.93 Gold Edition, then use String Data References to find "Thank you for registering " and double-click it to reach the code section below.
3. Then trace dynamically with TRW2000 1.23 registered version, setting a breakpoint with BPX 0040B3A8 (breaking a little before the registration success/failure decision is the usual way to find the key part).
First enter the name: newlaos
Fake code: 78787878
.......
.......
:0040B3A8 E870F70100 call 0042AB1D <=== ECX=7 (length of the registration name), EDX=newlaos, EAX=1 (a registration name was entered)
:0040B3AD A144CE4400 mov eax, dword ptr [0044CE44]
:0040B3B2 6A01 push 00000001
:0040B3B4 683CA74400 push 0044A73C
:0040B3B9 50 push eax
:0040B3BA E8B11A0000 call 0040CE70
:0040B3BF 83C40C add esp, 0000000C
:0040B3C2 33DB xor ebx, ebx
:0040B3C4 83F801 cmp eax, 00000001
:0040B3C7 746A je 0040B433 <=== I take the jump
.......
(an unrelated stretch of code omitted here)
.......
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B3C7(C)
|
:0040B433 6A51 push 00000051 <=== jumps to here
:0040B435 68E8A64400 push 0044A6E8
* Possible Reference to Dialog: DialogID_0093, CONTROL_ID:03F1, ""
|
:0040B43A 68F1030000 push 000003F1
:0040B43F B988A64400 mov ecx, 0044A688
:0040B444 E8D4F60100 call 0042AB1D
:0040B449 8B0D44CE4400 mov ecx, dword ptr [0044CE44]
:0040B44F 6A01 push 00000001
:0040B451 68E8A64400 push 0044A6E8
:0040B456 51 push ecx
:0040B457 E8A41A0000 call 0040CF00
:0040B45C 83C40C add esp, 0000000C
:0040B45F 83F801 cmp eax, 00000001
:0040B462 746A je 0040B4CE <=== heh, I jump again
.......
(an unrelated stretch of code omitted here)
.......
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B462(C)
|
:0040B4CE 53 push ebx <=== jumps to here
:0040B4CF 6A01 push 00000001
:0040B4D1 E8EAE6FFFF call 00409BC0
:0040B4D6 83C408 add esp, 00000008
:0040B4D9 B908000000 mov ecx, 00000008
:0040B4DE 33C0 xor eax, eax
:0040B4E0 BF90A74400 mov edi, 0044A790
:0040B4E5 F3 repz
:0040B4E6 AB stosd
:0040B4E7 6A20 push 00000020
:0040B4E9 6890A74400 push 0044A790
* Possible Reference to Dialog: DialogID_0093, CONTROL_ID:03EF, ""
|
:0040B4EE 68EF030000 push 000003EF
:0040B4F3 B988A64400 mov ecx, 0044A688
:0040B4F8 E820F60100 call 0042AB1D <=== EAX=8; issuing the command S 0 FFFFFFFF '78787878' here shows it is already in the program's data area
:0040B4FD B940000000 mov ecx, 00000040
:0040B502 33C0 xor eax, eax
:0040B504 BF4CB54400 mov edi, 0044B54C
:0040B509 684CB54400 push 0044B54C
* Possible StringData Ref from Data Obj ->"32bit Convert It"
:0040B50E 6890DD4300 push 0043DD90
:0040B513 683CA74400 push 0044A73C
:0040B518 F3 repz
:0040B519 AB stosd
:0040B51A E8D1E9FFFF call 00409EF0 <=== the key CALL; step into it with F8
:0040B51F 684CB54400 push 0044B54C
:0040B524 E887E9FFFF call 00409EB0
:0040B529 6890A74400 push 0044A790
:0040B52E E87DE9FFFF call 00409EB0
:0040B533 BF4CB54400 mov edi, 0044B54C <=== heh, EDI=303533373D36 (the real registration code)
:0040B538 83C9FF or ecx, FFFFFFFF <=== a memory keygen can be made here with KEYMAKE
:0040B53B 33C0 xor eax, eax
:0040B53D 83C414 add esp, 00000014
:0040B540 F2 repnz
:0040B541 AE scasb
:0040B542 F7D1 not ecx
:0040B544 49 dec ecx
:0040B545 BF4CB54400 mov edi, 0044B54C
:0040B54A BE90A74400 mov esi, 0044A790
:0040B54F 33D2 xor edx, edx
:0040B551 F3 repz
:0040B552 A6 cmpsb
:0040B553 0F85B2000000 jne 0040B60B <=== first key jump; if it is taken, it's over
:0040B559 BF4CB54400 mov edi, 0044B54C
:0040B55E 83C9FF or ecx, FFFFFFFF
:0040B561 F2 repnz
:0040B562 AE scasb
:0040B563 F7D1 not ecx
:0040B565 49 dec ecx
:0040B566 BF90A74400 mov edi, 0044A790
:0040B56B 8BD1 mov edx, ecx
:0040B56D 83C9FF or ecx, FFFFFFFF
:0040B570 F2 repnz
:0040B571 AE scasb
:0040B572 F7D1 not ecx
:0040B574 49 dec ecx
:0040B575 3BCA cmp ecx, edx
:0040B577 0F858E000000 jne 0040B60B <=== second key jump; if it is taken, it's over
:0040B57D BF90A74400 mov edi, 0044A790
:0040B582 83C9FF or ecx, FFFFFFFF
:0040B585 F2 repnz
:0040B586 AE scasb
.......
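The stretch from 0040B4D9 to 0040B577 is nothing but VC++ 6.0's inlined string intrinsics: "mov ecx,N / xor eax,eax / rep stosd" is a memset to zero, "or ecx,-1 / xor eax,eax / repnz scasb / not ecx / dec ecx" is strlen, and "repz cmpsb" with ECX preloaded to the first string's length is a memcmp of that many bytes, followed by an explicit length compare. Being able to read these idioms on sight is what lets an analyst skip straight to the two jne's. The C below is an added example written for this page, not the author's code and not code from the program being traced; it models the semantics of each idiom (including ECX counting and the ZF left over from "xor edx,edx") on ordinary C buffers, and the strings it compares are constructed placeholders, not the program's real or entered codes. It also shows why the compare is done in two halves: "repz cmpsb" only examines strlen(real) bytes, so an entered string that merely extends the expected one passes the first jne and is only caught by the length check at 0040B577.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* 0040B4D9..0040B4E6: mov ecx,8 / xor eax,eax / mov edi,buf / rep stosd
 * Zeroes ECX dwords (8 dwords = 32 bytes; the later ecx=0x40 zeroes 256). */
static void idiom_zero_dwords(uint32_t *edi, unsigned ecx)
{
    uint32_t eax = 0;                 /* xor eax, eax */
    while (ecx != 0) {                /* rep stosd */
        *edi++ = eax;
        ecx--;
    }
}

/* 0040B533..0040B544: or ecx,-1 / xor eax,eax / repnz scasb / not ecx / dec ecx
 * ECX starts at 0xFFFFFFFF and drops once per byte scanned including the
 * terminating NUL, so ~ECX - 1 is the string length. */
static size_t idiom_strlen(const char *s)
{
    uint32_t ecx = 0xFFFFFFFFu;       /* or ecx, FFFFFFFF */
    const unsigned char al = 0;       /* xor eax, eax */
    const unsigned char *edi = (const unsigned char *)s;
    while (ecx != 0) {                /* repnz scasb */
        ecx--;
        if (*edi++ == al) break;
    }
    ecx = ~ecx;                       /* not ecx */
    ecx--;                            /* dec ecx */
    return ecx;
}

/* 0040B545..0040B553: mov edi,real / mov esi,entered / xor edx,edx / repz cmpsb
 * Compares at most ECX bytes and stops at the first mismatch. Returns the ZF
 * the following jne sees; xor edx,edx left ZF=1, so ECX==0 compares as equal. */
static int idiom_prefix_equal(const char *real, const char *entered, size_t ecx)
{
    const unsigned char *edi = (const unsigned char *)real;
    const unsigned char *esi = (const unsigned char *)entered;
    int zf = 1;                       /* xor edx, edx sets ZF */
    while (ecx != 0) {                /* repz cmpsb */
        ecx--;
        zf = (*esi++ == *edi++);
        if (!zf) break;
    }
    return zf;
}

/* Mirrors the control flow 0040B533..0040B577 on two NUL-terminated buffers.
 * Returns 0 if both checks pass, 1 if the jne at 0040B553 fires,
 * 2 if the jne at 0040B577 fires. */
static int registration_compare_path(const char *real, const char *entered)
{
    size_t ecx = idiom_strlen(real);                 /* 0040B533..0040B544 */
    if (!idiom_prefix_equal(real, entered, ecx))     /* 0040B545..0040B553 */
        return 1;
    size_t edx = idiom_strlen(real);                 /* 0040B559..0040B56B */
    size_t ecx2 = idiom_strlen(entered);             /* 0040B566..0040B574 */
    if (ecx2 != edx)                                 /* 0040B575..0040B577 */
        return 2;
    return 0;
}

int main(void)
{
    /* Constructed placeholder values; not the program's actual codes. */
    uint32_t entered_buf[8];
    idiom_zero_dwords(entered_buf, 8);               /* the 32-byte input buffer */
    strcpy((char *)entered_buf, "ABCDEFG");
    const char *real = "ABCDEF";
    printf("path = %d (expect 2: prefix matched, length differs)\n",
           registration_compare_path(real, (const char *)entered_buf));
    return 0;
}
```

The two-stage compare is equivalent to a full strcmp-for-equality, but knowing which half rejects an input tells you which of the two jne's you are looking at when single-stepping.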