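[Beginner Tutorial] RegEditer V3.1: A Simple Analysis
RegEditer V3.1 http://www.skycn.com/soft/6873.html
Only Game! The software's protection is simple; experts can skip this one~~ beginners can treat it as practice.
Just set the universal breakpoint when registering. The algorithm is fairly simple, so I won't write much about it here.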
004DA481|.E8 0E1AF7FF CALL RegEdite.0044BE94
004DA486|.8B45 FC MOV EAX,DWORD PTR SS: ;execution returns here after the universal breakpoint hits
004DA489|.E8 2678FCFF CALL RegEdite.004A1CB4
004DA48E|.84C0 TEST AL,AL
004DA490|.0F84 80000000 JE RegEdite.004DA516
004DA496|.8D55 F8 LEA EDX,DWORD PTR SS:
004DA499|.8B83 F4020000 MOV EAX,DWORD PTR DS:
004DA49F|.E8 F019F7FF CALL RegEdite.0044BE94
004DA4A4|.8B45 F8 MOV EAX,DWORD PTR SS:
004DA4A7|.50 PUSH EAX
004DA4A8|.8D55 F4 LEA EDX,DWORD PTR SS:
004DA4AB|.8B83 04030000 MOV EAX,DWORD PTR DS:
004DA4B1|.E8 DE19F7FF CALL RegEdite.0044BE94
004DA4B6|.8B55 F4 MOV EDX,DWORD PTR SS:
004DA4B9|.A1 60E24E00 MOV EAX,DWORD PTR DS:
004DA4BE|.8B00 MOV EAX,DWORD PTR DS:
004DA4C0|.59 POP ECX
004DA4C1|.E8 3E720000 CALL RegEdite.004E1704 ;saves the registration info to the registry here
004DA4C6|.84C0 TEST AL,AL
004DA4C8|.74 27 JE SHORT RegEdite.004DA4F1
004DA4CA|.C783 4C020000>MOV DWORD PTR DS:,1
004DA4D4|.66:B8 F100 MOV AX,0F1
004DA4D8|.E8 D78DFCFF CALL RegEdite.004A32B4
004DA4DD|.8BD0 MOV EDX,EAX
004DA4DF|.8D45 F0 LEA EAX,DWORD PTR SS:
004DA4E2|.E8 11A0F2FF CALL RegEdite.004044F8
004DA4E7|.8B45 F0 MOV EAX,DWORD PTR SS:
004DA4EA|.E8 C923FCFF CALL RegEdite.0049C8B8 ;this CALL pops up the registration-success message
004DA4EF|.EB 40 JMP SHORT RegEdite.004DA531
The algorithm CALL is as follows:
004A1CB4 $55 PUSH EBP
004A1CB5 .8BEC MOV EBP,ESP
004A1CB7 .33C9 XOR ECX,ECX
004A1CB9 .51 PUSH ECX
004A1CBA .51 PUSH ECX
004A1CBB .51 PUSH ECX
004A1CBC .51 PUSH ECX
004A1CBD .51 PUSH ECX
004A1CBE .53 PUSH EBX
004A1CBF .56 PUSH ESI
004A1CC0 .57 PUSH EDI
004A1CC1 .8945 FC MOV DWORD PTR SS:,EAX
004A1CC4 .8B45 FC MOV EAX,DWORD PTR SS:
004A1CC7 .E8 DC2AF6FF CALL RegEdite.004047A8
004A1CCC .33C0 XOR EAX,EAX
004A1CCE .55 PUSH EBP
004A1CCF .68 271E4A00 PUSH RegEdite.004A1E27
004A1CD4 .64:FF30 PUSH DWORD PTR FS:
004A1CD7 .64:8920 MOV DWORD PTR FS:,ESP
004A1CDA .33DB XOR EBX,EBX
004A1CDC .33C0 XOR EAX,EAX
004A1CDE .55 PUSH EBP
004A1CDF .68 001E4A00 PUSH RegEdite.004A1E00
004A1CE4 .64:FF30 PUSH DWORD PTR FS:
004A1CE7 .64:8920 MOV DWORD PTR FS:,ESP
004A1CEA .8B45 FC MOV EAX,DWORD PTR SS:
004A1CED .E8 CE28F6FF CALL RegEdite.004045C0
004A1CF2 .83F8 16 CMP EAX,16
004A1CF5 .74 0D JE SHORT RegEdite.004A1D04 ;registration code length is 22 characters
004A1CF7 .33C0 XOR EAX,EAX
004A1CF9 .5A POP EDX
004A1CFA .59 POP ECX
004A1CFB .59 POP ECX
004A1CFC .64:8910 MOV DWORD PTR FS:,EDX
004A1CFF .E9 08010000 JMP RegEdite.004A1E0C
004A1D04 >8D45 F0 LEA EAX,DWORD PTR SS:
004A1D07 .E8 FC25F6FF CALL RegEdite.00404308
004A1D0C .8D45 F0 LEA EAX,DWORD PTR SS:
004A1D0F .BA 401E4A00 MOV EDX,RegEdite.004A1E40 ;K
004A1D14 .E8 AF28F6FF CALL RegEdite.004045C8
004A1D19 .8D45 F0 LEA EAX,DWORD PTR SS:
004A1D1C .BA 4C1E4A00 MOV EDX,RegEdite.004A1E4C ;G
004A1D21 .E8 A228F6FF CALL RegEdite.004045C8
004A1D26 .8D45 F0 LEA EAX,DWORD PTR SS:
004A1D29 .BA 581E4A00 MOV EDX,RegEdite.004A1E58 ;L
004A1D2E .E8 9528F6FF CALL RegEdite.004045C8
004A1D33 .8D45 F0 LEA EAX,DWORD PTR SS:
004A1D36 .BA 641E4A00 MOV EDX,RegEdite.004A1E64 ;-
004A1D3B .E8 8828F6FF CALL RegEdite.004045C8
004A1D40 .8B45 F0 MOV EAX,DWORD PTR SS:
004A1D43 .E8 702AF6FF CALL RegEdite.004047B8
004A1D48 .50 PUSH EAX
004A1D49 .8B45 FC MOV EAX,DWORD PTR SS:
004A1D4C .E8 672AF6FF CALL RegEdite.004047B8
004A1D51 .8BF0 MOV ESI,EAX
004A1D53 .8BC6 MOV EAX,ESI
004A1D55 .5A POP EDX
004A1D56 .E8 8D76F6FF CALL RegEdite.004093E8 ;first four characters of the registration code must be "KGL-"
004A1D5B .8BF8 MOV EDI,EAX
004A1D5D .3BFE CMP EDI,ESI
004A1D5F .74 0D JE SHORT RegEdite.004A1D6E
004A1D61 .33C0 XOR EAX,EAX
004A1D63 .5A POP EDX
004A1D64 .59 POP ECX
004A1D65 .59 POP ECX
004A1D66 .64:8910 MOV DWORD PTR FS:,EDX
004A1D69 .E9 9E000000 JMP RegEdite.004A1E0C
004A1D6E >8B45 FC MOV EAX,DWORD PTR SS:
004A1D71 .8078 03 2D CMP BYTE PTR DS:,2D
004A1D75 .75 12 JNZ SHORT RegEdite.004A1D89 ;4th character must be "-"
004A1D77 .8B45 FC MOV EAX,DWORD PTR SS:
004A1D7A .8078 0A 2D CMP BYTE PTR DS:,2D
004A1D7E .75 09 JNZ SHORT RegEdite.004A1D89 ;11th character must be "-"
004A1D80 .8B45 FC MOV EAX,DWORD PTR SS:
004A1D83 .8078 0F 2D CMP BYTE PTR DS:,2D
004A1D87 .74 0A JE SHORT RegEdite.004A1D93 ;16th character must be "-"
004A1D89 >33C0 XOR EAX,EAX
004A1D8B .5A POP EDX
004A1D8C .59 POP ECX
004A1D8D .59 POP ECX
004A1D8E .64:8910 MOV DWORD PTR FS:,EDX
004A1D91 .EB 79 JMP SHORT RegEdite.004A1E0C
004A1D93 >8D45 F8 LEA EAX,DWORD PTR SS:
004A1D96 .50 PUSH EAX
004A1D97 .B9 06000000 MOV ECX,6
004A1D9C .BA 05000000 MOV EDX,5
004A1DA1 .8B45 FC MOV EAX,DWORD PTR SS:
004A1DA4 .E8 6F2AF6FF CALL RegEdite.00404818
004A1DA9 .8D45 F4 LEA EAX,DWORD PTR SS:
004A1DAC .50 PUSH EAX
004A1DAD .B9 04000000 MOV ECX,4
004A1DB2 .BA 0C000000 MOV EDX,0C
004A1DB7 .8B45 FC MOV EAX,DWORD PTR SS:
004A1DBA .E8 592AF6FF CALL RegEdite.00404818
004A1DBF .8D45 EC LEA EAX,DWORD PTR SS:
004A1DC2 .50 PUSH EAX
004A1DC3 .B9 06000000 MOV ECX,6
004A1DC8 .BA 11000000 MOV EDX,11
004A1DCD .8B45 FC MOV EAX,DWORD PTR SS:
004A1DD0 .E8 432AF6FF CALL RegEdite.00404818
004A1DD5 .8D4D F0 LEA ECX,DWORD PTR SS:
004A1DD8 .8B55 F4 MOV EDX,DWORD PTR SS:
004A1DDB .8B45 F8 MOV EAX,DWORD PTR SS:
004A1DDE .E8 95FBFFFF CALL RegEdite.004A1978 ;algorithm CALL
004A1DE3 .8B45 EC MOV EAX,DWORD PTR SS: ;last 6 characters of the KEY
004A1DE6 .8B55 F0 MOV EDX,DWORD PTR SS: ;result computed from the middle 10 characters
004A1DE9 .E8 1629F6FF CALL RegEdite.00404704 ;compare
004A1DEE .75 04 JNZ SHORT RegEdite.004A1DF4 ;does not jump if equal // to patch, NOP this out
004A1DF0 .B3 01 MOV BL,1
004A1DF2 .EB 02 JMP SHORT RegEdite.004A1DF6
004A1DF4 >33DB XOR EBX,EBX
004A1DF6 >33C0 XOR EAX,EAX
004A1DF8 .5A POP EDX
004A1DF9 .59 POP ECX
004A1DFA .59 POP ECX
004A1DFB .64:8910 MOV DWORD PTR FS:,EDX
004A1DFE .EB 0C JMP SHORT RegEdite.004A1E0C
004A1E00 .^ E9 771CF6FF JMP RegEdite.00403A7C
004A1E05 .33DB XOR EBX,EBX
004A1E07 .E8 D81FF6FF CALL RegEdite.00403DE4
004A1E0C >33C0 XOR EAX,EAX
004A1E0E .5A POP EDX
004A1E0F .59 POP ECX
004A1E10 .59 POP ECX
004A1E11 .64:8910 MOV DWORD PTR FS:,EDX
004A1E14 .68 2E1E4A00 PUSH RegEdite.004A1E2E
004A1E19 >8D45 EC LEA EAX,DWORD PTR SS:
004A1E1C .BA 05000000 MOV EDX,5
004A1E21 .E8 0625F6FF CALL RegEdite.0040432C
004A1E26 .C3 RETN
The patch point for the check at restart is here:
004DC78C .B1 01 MOV CL,1
004DC78E .BA B0CA4D00 MOV EDX,RegEdite.004DCAB0 ;Software\Kugle\RegEditer
004DC793 .E8 4C7FF9FF CALL RegEdite.004746E4
004DC798 .84C0 TEST AL,AL
004DC79A .74 4D JE SHORT RegEdite.004DC7E9 ;checks whether this registry key is empty
004DC79C .8D4D E4 LEA ECX,DWORD PTR SS:
004DC79F .8B83 31060000 MOV EAX,DWORD PTR DS:
004DC7A5 .BA D4CA4D00 MOV EDX,RegEdite.004DCAD4 ;AuthorizationCode
004DC7AA .E8 D180F9FF CALL RegEdite.00474880
004DC7AF .8B55 E4 MOV EDX,DWORD PTR SS:
004DC7B2 .8D83 56060000 LEA EAX,DWORD PTR DS:
004DC7B8 .E8 9F7BF2FF CALL RegEdite.0040435C
004DC7BD .8D4D E0 LEA ECX,DWORD PTR SS:
004DC7C0 .8B83 31060000 MOV EAX,DWORD PTR DS:
004DC7C6 .BA F0CA4D00 MOV EDX,RegEdite.004DCAF0 ;UserName
004DC7CB .E8 B080F9FF CALL RegEdite.00474880
004DC7D0 .8B55 E0 MOV EDX,DWORD PTR SS:
004DC7D3 .8D83 7F060000 LEA EAX,DWORD PTR DS:
004DC7D9 .E8 7E7BF2FF CALL RegEdite.0040435C
004DC7DE .8B83 31060000 MOV EAX,DWORD PTR DS:
004DC7E4 .E8 677EF9FF CALL RegEdite.00474650
004DC7E9 >8B83 56060000 MOV EAX,DWORD PTR DS:
004DC7EF .E8 C054FCFF CALL RegEdite.004A1CB4 ;the algorithm CALL's comparison
004DC7F4 .84C0 TEST AL,AL
004DC7F6 .74 46 JE SHORT RegEdite.004DC83E ;if it jumps, the check fails
004DC7F8 .8D45 DC LEA EAX,DWORD PTR SS:
004DC7FB .50 PUSH EAX
004DC7FC .66:B8 0100 MOV AX,1
004DC800 .E8 AF6AFCFF CALL RegEdite.004A32B4
004DC805 .8945 D4 MOV DWORD PTR SS:,EAX ; |
004DC808 .C645 D8 06 MOV BYTE PTR SS:,6 ; |
004DC80C .8D55 D4 LEA EDX,DWORD PTR SS: ; |
004DC80F .33C9 XOR ECX,ECX ; |
004DC811 .B8 04CB4D00 MOV EAX,RegEdite.004DCB04 ; |Kugle RegEditer %s
004DC816 .E8 B9D1F2FF CALL RegEdite.004099D4 ; \RegEdite.004099D4
004DC81B .8B55 DC MOV EDX,DWORD PTR SS:
004DC81E .A1 F0054F00 MOV EAX,DWORD PTR DS:
004DC823 .E8 9CF6F6FF CALL RegEdite.0044BEC4
004DC828 .C683 7E060000>MOV BYTE PTR DS:,1
004DC82F .8B83 6C030000 MOV EAX,DWORD PTR DS:
004DC835 .33D2 XOR EDX,EDX
004DC837 .E8 341AF8FF CALL RegEdite.0045E270
004DC83C .EB 44 JMP SHORT RegEdite.004DC882
Or step into the algorithm CALL and patch there:
004A1DDE .E8 95FBFFFF CALL RegEdite.004A1978 ;algorithm CALL
004A1DE3 .8B45 EC MOV EAX,DWORD PTR SS:
004A1DE6 .8B55 F0 MOV EDX,DWORD PTR SS:
004A1DE9 .E8 1629F6FF CALL RegEdite.00404704
004A1DEE .75 04 JNZ SHORT RegEdite.004A1DF4 ;or NOP this out
004A1DF0 .B3 01 MOV BL,1
004A1DF2 .EB 02 JMP SHORT RegEdite.004A1DF6
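Here is one KEY: KGL-999999-Nisy-OBPDFA
A brief description of the algorithm:
The first four characters must be "KGL-";
The 4th, 11th and 16th characters must be "-";
The last six characters of the KEY are derived from the middle ten characters, "999999Nisy", by a certain computation;
The software compares the computed result with the last six characters saved in the registry; if they are equal, it runs as the registered version.
Short on time, so this is just a quick write-up. Anyone interested can analyze it further. Happy New Year, everyone~~
Learned something~~~~~~~~~~~~~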
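Thanks for sharing
Saved, will digest it.
Let me study this first and have a look
Studying, thanks!!!!
I'm here to learn, thanks
Study, study; digest, digest
Studying, thanks!!!!
Learned something
Thanks for providing this
Not bad, learned something..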
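The key layout summarized in the first post, written out as a structural check (an added example, not part of the original thread and not the program's code). It assumes the three substring calls take a 1-based start index and a count, which matches the key quoted in the post; the transform at 004A1978 is not shown on the page and is not reproduced here.

```python
from typing import NamedTuple, Optional

KEY_LEN = 0x16                  # CMP EAX,16 in the listing: 22 characters
PREFIX = "KGL-"                 # built from the "K", "G", "L", "-" constants
DASH_POSITIONS = (4, 11, 16)    # 1-based positions compared against 2D ('-')


class KeyFields(NamedTuple):
    part_a: str   # 6 characters copied from position 5
    part_b: str   # 4 characters copied from position 0x0C
    check: str    # 6 characters copied from position 0x11


def copy_1based(s: str, index: int, count: int) -> str:
    """Substring with a 1-based start index (assumed semantics of the copy calls)."""
    return s[index - 1:index - 1 + count]


def structure_error(key: str) -> Optional[str]:
    """Return the first structural check the key fails, or None if it passes all."""
    if len(key) != KEY_LEN:
        return "length is not 22"
    if not key.startswith(PREFIX):
        return 'prefix is not "KGL-"'
    for pos in DASH_POSITIONS:
        if key[pos - 1] != "-":
            return f'character {pos} is not "-"'
    return None


def split_key(key: str) -> Optional[KeyFields]:
    """Split a structurally valid key into the three fields the listing extracts."""
    if structure_error(key) is not None:
        return None
    return KeyFields(copy_1based(key, 5, 6),
                     copy_1based(key, 0x0C, 4),
                     copy_1based(key, 0x11, 6))


if __name__ == "__main__":
    sample = "KGL-999999-Nisy-OBPDFA"      # the key quoted in the post
    print(split_key(sample))
    # Constructed malformed inputs, one per failing check
    for bad in ("KGL-999999-Nisy-OBPDF", "KGX-999999-Nisy-OBPDFA",
                "KGL-999999_Nisy-OBPDFA"):
        print(repr(bad), "->", structure_error(bad))
```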