[Software limitation]: 30-day trial
[Author's note]: I am a beginner at cracking and do this purely out of interest, with no other purpose. Please point out any mistakes I have made!
[Tools used]: TRW2000 (Wawa modified edition), OllyDbg 1.09, FI 2.5, W32Dasm 9.0 Platinum Edition
—————————————————————————————————
[Process]:
Checking 英宇职介管理V5.exe with FI 2.5 shows it is packed with Softsentry 2.11; surprising that anyone still packs with V2.11 these days. There is a dedicated unpacker for Softsentry 2.11, Crkss211.com, and once the program is unpacked all restrictions are gone. I will keep this write-up fairly brief, since the algorithms in Softsentry-packed programs are all much the same; see my earlier analysis notes for the details. What is different about this program is that it uses both the user name and the company name in the calculation.
Serial number: 95065   User name: fly   Company name: [OCN][FCG]   Trial code: ABCDEFGH-12345678-KLMNOPQ
—————————————————————————————————
Set the breakpoint bpx getdlgitemtexta; this breakpoint generally works well on Softsentry-packed programs.
After it breaks, return to the program and trace carefully; you will arrive at the following:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721ABD(C)
|
:00721B55 8B3D44BC7200 mov edi, dword ptr [0072BC44] ====>EDI=YYG-YYZJ- this is String 1
:00721B5B B9FFFFFFFF mov ecx, FFFFFFFF
:00721B60 2BC0 sub eax, eax
:00721B62 F2 repnz
:00721B63 AE scasb
:00721B64 F7D1 not ecx
:00721B66 49 dec ecx ====>get the length, ECX=9
:00721B67 6649 dec cx
:00721B69 6683F9FF cmp cx, FFFF
:00721B6D 7426 je 00721B95
:00721B6F 6685C9 test cx, cx
:00721B72 7C1B jl 00721B8F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721B8D(C)
|
:00721B74 8B1544BC7200 mov edx, dword ptr [0072BC44] ====>EDX=YYG-YYZJ-
:00721B7A 0FBFC1 movsx eax, cx
:00721B7D 8A1402 mov dl, byte ptr [edx+eax] ====>DL=takes the characters of YYG-YYZJ- one at a time in reverse order
:00721B80 80FA3F cmp dl, 3F ====>3F is '?', a wildcard position that is skipped
:00721B83 7406 je 00721B8B
:00721B85 3854041C cmp byte ptr [esp+eax+1C], dl ====>compares character by character whether the first 9 characters of the trial code are YYG-YYZJ-
:00721B89 7504 jne 00721B8F ====>if it jumps, it's OVER! This can be NOPed out to make debugging easier ^O^ ^O^
(1) ====>So the first 9 characters of the registration code are fixed: YYG-YYZJ-

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721B83(C)
|
:00721B8B 6649 dec cx
:00721B8D 79E5 jns 00721B74 ====>loop of comparisons!

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00721B72(C), :00721B89(C)
|
:00721B8F 6683F9FF cmp cx, FFFF
:00721B93 7505 jne 00721B9A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721B6D(C)
|
:00721B95 BD01000000 mov ebp, 00000001 ====>EBP=1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721B93(C)
|
:00721B9A 8B3DCCBB7200 mov edi, dword ptr [0072BBCC] ====>EDI=-1002002 this is String 2
:00721BA0 B9FFFFFFFF mov ecx, FFFFFFFF
:00721BA5 2BC0 sub eax, eax
:00721BA7 F2 repnz
:00721BA8 AE scasb
:00721BA9 F7D1 not ecx
:00721BAB 49 dec ecx ====>get the length, ECX=8
:00721BAC 8D7C241C lea edi, dword ptr [esp+1C] ====>EDI=ABCDEFGH-12345678-KLMNOPQ the trial code
:00721BB0 668BD1 mov dx, cx ====>DX=CX=8
:00721BB3 2BC0 sub eax, eax
:00721BB5 B9FFFFFFFF mov ecx, FFFFFFFF
:00721BBA F2 repnz
:00721BBB AE scasb
:00721BBC F7D1 not ecx
:00721BBE 49 dec ecx ====>get the length, ECX=19
:00721BBF 662BCA sub cx, dx ====>CX=19 - 8=11
:00721BC2 6685C9 test cx, cx
:00721BC5 7E2F jle 00721BF6
:00721BC7 6633F6 xor si, si
:00721BCA 6685D2 test dx, dx
:00721BCD 7E21 jle 00721BF0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721BEE(C)
|
:00721BCF A1CCBB7200 mov eax, dword ptr [0072BBCC]
:00721BD4 0FBFFE movsx edi, si
:00721BD7 8A0438 mov al, byte ptr [eax+edi] ====>AL=takes the characters of -1002002 one at a time in reverse order
:00721BDA 3C3F cmp al, 3F
:00721BDC 740B je 00721BE9
:00721BDE 0FBFD9 movsx ebx, cx
:00721BE1 03DF add ebx, edi
:00721BE3 38441C1C cmp byte ptr [esp+ebx+1C], al ====>compares character by character whether the last 8 characters of the trial code are -1002002
:00721BE7 7507 jne 00721BF0 ====>if it jumps, it's OVER! This can be NOPed out to make debugging easier ^O^ ^O^
(2) ====>So the last 8 characters of the registration code are fixed: -1002002

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721BDC(C)
|
:00721BE9 6646 inc si
:00721BEB 663BD6 cmp dx, si
:00721BEE 7FDF jg 00721BCF ====>loop of comparisons!

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00721BCD(C), :00721BE7(C)
|
:00721BF0 663BD6 cmp dx, si
:00721BF3 7501 jne 00721BF6
:00721BF5 45 inc ebp ====>EBP=1 + 1=2

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00721BC5(C), :00721BF3(C)
|
:00721BF6 83FD02 cmp ebp, 00000002 ====>have both comparisons passed?
:00721BF9 740A je 00721C05 ====>jump down
:00721BFB BDFEFFFFFF mov ebp, FFFFFFFE
:00721C00 E900010000 jmp 00721D05

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721BF9(C)
|
:00721C05 8B3D44BC7200 mov edi, dword ptr [0072BC44]
:00721C0B B9FFFFFFFF mov ecx, FFFFFFFF
:00721C10 2BC0 sub eax, eax
:00721C12 F2 repnz
:00721C13 AE scasb
:00721C14 F7D1 not ecx
:00721C16 2BC0 sub eax, eax
:00721C18 8D740C1B lea esi, dword ptr [esp+ecx+1B]
:00721C1C 8BFE mov edi, esi
:00721C1E B9FFFFFFFF mov ecx, FFFFFFFF
:00721C23 F2 repnz
:00721C24 AE scasb
:00721C25 F7D1 not ecx
:00721C27 8B3DCCBB7200 mov edi, dword ptr [0072BBCC]
:00721C2D 2BC0 sub eax, eax
:00721C2F 8D51FF lea edx, dword ptr [ecx-01]
:00721C32 B9FFFFFFFF mov ecx, FFFFFFFF
:00721C37 F2 repnz
:00721C38 AE scasb
:00721C39 F7D1 not ecx
:00721C3B 49 dec ecx
:00721C3C 8BC6 mov eax, esi
:00721C3E 2BC1 sub eax, ecx
:00721C40 8BCE mov ecx, esi
:00721C42 C6041000 mov byte ptr [eax+edx], 00
:00721C46 E8C54D0000 call 00726A10 ====>tests whether the middle part of the trial code, 12345678, is numeric
:00721C4B 85C0 test eax, eax
:00721C4D 750A jne 00721C59 ====>if it is, jump down
:00721C4F BDFDFFFFFF mov ebp, FFFFFFFD
:00721C54 E9AC000000 jmp 00721D05

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721C4D(C)
|
:00721C59 BAE8807200 mov edx, 007280E8 ====>EDX=0604
:00721C5E 8BCE mov ecx, esi ====>ECX=12345678 the middle 8 characters of the trial code
:00721C60 BDFCFFFFFF mov ebp, FFFFFFFC
:00721C65 E8F64D0000 call 00726A60 ====>converts 12345678 to its hex value=00BC614E
:00721C6A 66833D38BC720001 cmp word ptr [0072BC38], 0001
:00721C72 8BF0 mov esi, eax ====>ESI=00BC614E(H)=12345678(D)
:00721C74 7559 jne 00721CCF ====>jump down
:00721C76 668B3D3EBC7200 mov di, word ptr [0072BC3E]
:00721C7D 8B15C0BB7200 mov edx, dword ptr [0072BBC0]
:00721C83 66C1EF08 shr di, 08
:00721C87 668B0D3EBC7200 mov cx, word ptr [0072BC3E]
:00721C8E 6681E1FF00 and cx, 00FF
:00721C93 E8F8FAFFFF call 00721790
:00721C98 03F0 add esi, eax
:00721C9A 6685FF test di, di
:00721C9D 750A jne 00721CA9
:00721C9F 8B15C4BB7200 mov edx, dword ptr [0072BBC4]
:00721CA5 8BCF mov ecx, edi
:00721CA7 EB0B jmp 00721CB4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721C9D(C)
|
:00721CA9 668BCF mov cx, di
:00721CAC 8B15C4BB7200 mov edx, dword ptr [0072BBC4]
:00721CB2 6641 inc cx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721CA7(U)
|
:00721CB4 E8D7FAFFFF call 00721790
:00721CB9 8BC8 mov ecx, eax
:00721CBB 85C9 test ecx, ecx
:00721CBD 7507 jne 00721CC6
:00721CBF BDFBFFFFFF mov ebp, FFFFFFFB
:00721CC4 EB36 jmp 00721CFC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721CBD(C)
|
:00721CC6 8BC6 mov eax, esi
:00721CC8 99 cdq
:00721CC9 F7F9 idiv ecx
:00721CCB 8BEA mov ebp, edx
:00721CCD EB2D jmp 00721CFC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721C74(C)
|
:00721CCF 66833D38BC720002 cmp word ptr [0072BC38], 0002
:00721CD7 7523 jne 00721CFC
:00721CD9 668B153EBC7200 mov dx, word ptr [0072BC3E] ====>DX=3221 this appears to be a fixed value
:00721CE0 A1C4BB7200 mov eax, dword ptr [0072BBC4] ====>EAX=[OCN][FCG] the company name
:00721CE5 50 push eax
:00721CE6 8B0DC0BB7200 mov ecx, dword ptr [0072BBC0] ====>ECX=fly the user name
:00721CEC 51 push ecx
:00721CED 8B0DD4B97200 mov ecx, dword ptr [0072B9D4] ====>ECX=00017359(H)=95065(D) the serial number
:00721CF3 E828FBFFFF call 00721820 ====>key CALL! Step into it! Computes on the user name, company name and serial number
:00721CF8 8BE8 mov ebp, eax ====>EBP=EAX=0002B750(H)=178000(D) the result of the calculation
:00721CFA 2BEE sub ebp, esi ====>EBP=0002B750 - 00BC614E=FF465602 ====>this is really just checking whether the middle part of the registration code equals the result computed above!
(3) ====>So the middle part of my registration code is 178000

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00721CC4(U), :00721CCD(U), :00721CD7(C)
|
:00721CFC 85ED test ebp, ebp
:00721CFE 7429 je 00721D29
...... omitted ......
:00721E74 FF15B0C57200 call dword ptr [0072C5B0] ====>BAD BOY!
—————————————————————————————————
Step into the key CALL: 00721CF3 call 00721820
* Referenced by a CALL at Address:
|:00721CF3
|
:00721820 53 push ebx
:00721821 56 push esi
:00721822 57 push edi
:00721823 8BD9 mov ebx, ecx
:00721825 668BCA mov cx, dx ====>CX=DX=3221
:00721828 668BFA mov di, dx ====>DI=DX=3221
:0072182B 8B542410 mov edx, dword ptr [esp+10] ====>EDX=fly
:0072182F 6681E1FF00 and cx, 00FF ====>CX=3221 AND FF=21
:00721834 66C1EF08 shr di, 08 ====>DI=3221 SHR 08=32
:00721838 E853FFFFFF call 00721790 ====>key CALL! Step into it! Computes on the user name fly
:0072183D 668BCF mov cx, di
:00721840 8BF0 mov esi, eax
:00721842 6685C9 test cx, cx
:00721845 7517 jne 0072185E
:00721847 8B542414 mov edx, dword ptr [esp+14]
:0072184B E840FFFFFF call 00721790
:00721850 8D0C33 lea ecx, dword ptr [ebx+esi]
:00721853 5F pop edi
:00721854 0FAFC8 imul ecx, eax
:00721857 8BC1 mov eax, ecx
:00721859 5E pop esi
:0072185A 5B pop ebx
:0072185B C20800 ret 0008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721845(C)
|
:0072185E 6641 inc cx
:00721860 8B542414 mov edx, dword ptr [esp+14] ====>EDX=[OCN][FCG]
:00721864 E827FFFFFF call 00721790 ====>computes on the company name [OCN][FCG]!
:00721869 03C6 add eax, esi ====>adds the results for the user name and the company name ====>EAX=00006760 + 0000DC97=000143F7
:0072186B 5F pop edi
:0072186C 03C3 add eax, ebx ====>EBX=00017359(H)=95065(D), i.e. the serial number ====>EAX=000143F7 + 00017359=0002B750
:0072186E 5E pop esi
:0072186F 5B pop ebx
:00721870 C20800 ret 0008
—————————————————————————————————
Step into 0072184B call 00721790. Since the calculation flow is the same for the user name and the company name, only the data for the user name is recorded here.
* Referenced by a CALL at Addresses:
|:00721838 , :0072184B , :00721864 , :00721C93 , :00721CB4
|
:00721790 53 push ebx
:00721791 56 push esi
:00721792 668BD9 mov bx, cx ====>BX=21
:00721795 57 push edi
:00721796 55 push ebp
:00721797 8BF2 mov esi, edx
:00721799 85F6 test esi, esi ====>ESI=fly
:0072179B 7475 je 00721812
:0072179D 803E00 cmp byte ptr [esi], 00
:007217A0 7470 je 00721812
:007217A2 8BFE mov edi, esi
:007217A4 B9FFFFFFFF mov ecx, FFFFFFFF
:007217A9 2BC0 sub eax, eax
:007217AB F2 repnz
:007217AC AE scasb
:007217AD F7D1 not ecx
:007217AF 49 dec ecx ====>get the length of fly, ECX=3
:007217B0 6685DB test bx, bx
:007217B3 7444 je 007217F9
:007217B5 6683FB01 cmp bx, 0001
:007217B9 743E je 007217F9
:007217BB 0FB7FB movzx edi, bx
:007217BE 8BC7 mov eax, edi ====>EAX=21
:007217C0 99 cdq
:007217C1 F7F9 idiv ecx ====>EDX=21 % 3=0
:007217C3 0FBE0416 movsx eax, byte ptr [esi+edx] ====>EAX=66, the character of fly selected by the remainder EDX=0, i.e. the first one
:007217C7 0FAFC2 imul eax, edx ====>EAX=66 * 0=0
:007217CA 0FAFC7 imul eax, edi ====>EAX=0 * 21=0
:007217CD 03C1 add eax, ecx ====>EAX=0 + 3=3
:007217CF 33D2 xor edx, edx
:007217D1 85C9 test ecx, ecx
:007217D3 7E19 jle 007217EE
:007217D5 8BD9 mov ebx, ecx ====>EBX=ECX=3
:007217D7 2BDF sub ebx, edi ====>EBX=3 - 21=FFFFFFE2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:007217EC(C)
|
:007217D9 0FBE3C16 movsx edi, byte ptr [esi+edx] ====>EDI=takes the HEX value of each character of fly in turn: 66, 6C, 79
:007217DD 8BEB mov ebp, ebx ====>EBP=EBX=FFFFFFE2
:007217DF 2BEA sub ebp, edx
   1. ====>EBP=FFFFFFE2 - 0=FFFFFFE2
   2. ====>EBP=FFFFFFE2 - 1=FFFFFFE1
   3. ====>EBP=FFFFFFE2 - 2=FFFFFFE0
:007217E1 42 inc edx ====>EDX increases by 1 each iteration
:007217E2 83C56F add ebp, 0000006F
   1. ====>EBP=FFFFFFE2 + 6F=51
   2. ====>EBP=FFFFFFE1 + 6F=50
   3. ====>EBP=FFFFFFE0 + 6F=4F
:007217E5 0FAFFD imul edi, ebp
   1. ====>EDI=00000066 * 51=00002046
   2. ====>EDI=0000006C * 50=000021C0
   3. ====>EDI=00000079 * 4F=00002557
:007217E8 03C7 add eax, edi
   1. ====>EAX=00000003 + 00002046=00002049
   2. ====>EAX=00002049 + 000021C0=00004209
   3. ====>EAX=00004209 + 00002557=00006760
:007217EA 3BCA cmp ecx, edx
:007217EC 7FEB jg 007217D9 ====>continue the loop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:007217D3(C)
|
:007217EE 85C0 test eax, eax ====>result for the user name fly: EAX=00006760; result for [OCN][FCG]: EAX=0000DC97
:007217F0 7D25 jge 00721817
:007217F2 F7D8 neg eax
:007217F4 5D pop ebp
:007217F5 5F pop edi
:007217F6 5E pop esi
:007217F7 5B pop ebx
:007217F8 C3 ret
—————————————————————————————————
[Algorithm summary]:
1. The first 9 characters of the registration code are fixed: YYG-YYZJ-
2. The last 8 characters of the registration code are fixed: -1002002
3. The middle part of the registration code is computed from the user name, company name and serial number.
—————————————————————————————————
[Where the registration information is stored]:
1. REGEDIT4 [HKEY_CLASSES_ROOT\{1N1AXAvCav}] @="NUQ=&!!9!(Q!!!#!!#!\"G!T5Q.4)U!!!!!!\"=R1!!>`^:75=N76F;3CUR.TAQN-$!N-4!Q-D!Q-A!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!!!!!!!!N!!!!(A!!!.-(\"1!'!\"]!!!!A!!A!:A-!!!)!!!!!!!!!!+(`<1&G<(E!7U^$;4FV<2E.(81!!!!!!!!!!!!!!!!!!!!!!!!!!"
2. REGEDIT4 [HKEY_CLASSES_ROOT\SystemAppIDs] @="B!A!!!!!!!!\"\\-XJ';E>04W*638V\\-5YR16B\">E.B>HU!"
3. The file access.ctl under C:\WINDOWS\SYSTEM.
—————————————————————————————————
[Summary]:
Serial number: 95065   User name: fly   Company name: [OCN][FCG]   Registration code: YYG-YYZJ-178000-1002002