神奇注册表 V1.81
软件名称:神奇注册表 V1.81
下载地址:
http://www.skycn.com/soft/2998.html
首先查壳:PECompact 1.68 - 1.84 -> Jeremy Collake
脱壳后运行程序,输入注册信息(用户名:xinldy,注册码:19831030),程序提示需要重新启动。
用Ollydbg载入——查找字符串
发现可疑的地方:
mgwin.ini
username
reg
由此可知,程序把注册信息写入 ini 文件,重新启动时再读取并验证(即 ini 文件重启验证)。
下断点:
bp GetPrivateProfileStringA
用 Ollydbg 载入后运行,断点命中 14 次后按 Alt+F9 返回到程序代码,来到:
00420C56 > \33C0 xor eax, eax
00420C58 >A3 7C314800 mov dword ptr , eax
00420C5D .68 F4C04700 push 0047C0F4 ;ASCII "mgwin.ini"
00420C62 .8D8424 880000>lea eax, dword ptr
00420C69 .6A 14 push 14
00420C6B .50 push eax
00420C6C .68 60304800 push 00483060
00420C71 .68 E8C04700 push 0047C0E8 ;ASCII "UserName"
00420C76 .68 E4C04700 push 0047C0E4 ;ASCII "REG"
00420C7B .C68424 201700>mov byte ptr , 3
00420C83 .FFD5 call ebp
00420C85 .68 F4C04700 push 0047C0F4 ;ASCII "mgwin.ini"
00420C8A .8D4C24 60 lea ecx, dword ptr
00420C8E .6A 14 push 14
00420C90 .51 push ecx
00420C91 .68 60304800 push 00483060
00420C96 .68 E8E14700 push 0047E1E8 ;ASCII "RegCode"
00420C9B .68 E4C04700 push 0047C0E4 ;ASCII "REG"
00420CA0 .8BF8 mov edi, eax
00420CA2 .FFD5 call ebp
00420CA4 .8B4C24 28 mov ecx, dword ptr ;123.004830B8
00420CA8 .8D5424 5C lea edx, dword ptr
00420CAC .8D8424 840000>lea eax, dword ptr
00420CB3 .52 push edx
00420CB4 .50 push eax
00420CB5 .E8 46080000 call 00421500
00420CBA .85C0 test eax, eax
00420CBC .74 0F je short 00420CCD
00420CBE .83FF 04 cmp edi, 4
00420CC1 .C705 A0314800>mov dword ptr , 1
00420CCB .73 06 jnb short 00420CD3
00420CCD >891D A0314800 mov dword ptr , ebx
00420CD3 >8D4C24 5C lea ecx, dword ptr
00420CD7 .51 push ecx
00420CD8 .8B4C24 2C mov ecx, dword ptr
00420CDC .E8 7F0B0000 call 00421860 关键call
00420CE1 .85C0 test eax, eax
00420CE3 .0F85 77010000 jnz 00420E60 必须跳!!
00420CE9 .53 push ebx
00420CEA .8D8C24 200600>lea ecx, dword ptr
00420CF1 .891D A0314800 mov dword ptr , ebx
00420CF7 .E8 B4880000 call 004295B0
00420CFC .8D8C24 1C0600>lea ecx, dword ptr
00420D03 .C68424 081700>mov byte ptr , 8
00420D0B .E8 23AE0200 call 0044BB33 出现注册框
在00420CDC下好断点——取消掉以前断点——重新运行
进入00420CDC .E8 7F0B0000 call 00421860中
代码如下:
0042185F 90 nop
00421860/$B8 FC2A0000 mov eax, 2AFC
00421865|.E8 968E0100 call 0043A700
0042186A|.66:A1 4CCD470>mov ax, word ptr
00421870|.53 push ebx
00421871|.56 push esi
00421872|.57 push edi
00421873|.66:894424 0Emov word ptr , ax
00421878|.B9 26020000 mov ecx, 226
0042187D|.33C0 xor eax, eax
0042187F|.8DBC24 D81900>lea edi, dword ptr
00421886|.F3:AB rep stos dword ptr es:
00421888|.B9 26020000 mov ecx, 226
0042188D|.8D7C24 10 lea edi, dword ptr
00421891|.F3:AB rep stos dword ptr es:
00421893|.B9 26020000 mov ecx, 226
00421898|.8DBC24 A80800>lea edi, dword ptr
0042189F|.F3:AB rep stos dword ptr es:
004218A1|.B9 26020000 mov ecx, 226
004218A6|.8DBC24 401100>lea edi, dword ptr
004218AD|.F3:AB rep stos dword ptr es:
004218AF|.B9 26020000 mov ecx, 226
004218B4|.8DBC24 702200>lea edi, dword ptr
004218BB|.F3:AB rep stos dword ptr es:
004218BD|.83C9 FF or ecx, FFFFFFFF
004218C0|.BF 88F84700 mov edi, 0047F888 注册码出现ASCII "T309RW36,UKLGRP16,67KAOZ6R,96GZDSPH,FSHR0WIC,VSURZCU4,RWDTLYSC,ES14BUSQ,O3ZAK3CE,CCXTT49W,T2UXPCHA,G16ZC0Y9,4OU4N1WW,11X0C6N1,RY9N9FT8,Y7S5A0AF,9KFTZHUX,LHUOBUO1,30JQWLHW,MKBBH5AG,2R0JI7UV,F7WYPZGX,016HSYOT,AXP91IDA,VGGXTFR5,DUBGFKDW,GU0"...
004218C5|.F2:AE repne scas byte ptr es:
004218C7|.F7D1 not ecx
004218C9|.2BF9 sub edi, ecx
004218CB|.8D9424 D81900>lea edx, dword ptr
004218D2|.8BC1 mov eax, ecx
004218D4|.8BF7 mov esi, edi
004218D6|.C1E9 02 shr ecx, 2
004218D9|.8BFA mov edi, edx
004218DB|.8D5424 10 lea edx, dword ptr
004218DF|.F3:A5 rep movs dword ptr es:, dword p>
004218E1|.8BC8 mov ecx, eax
004218E3|.33C0 xor eax, eax
004218E5|.83E1 03 and ecx, 3
004218E8|.F3:A4 rep movs byte ptr es:, byte ptr>
004218EA|.BF A8F04700 mov edi, 0047F0A8 注册码出现ASCII "NB7DA55K,E0A8X5UP,31GHWNAF,I951DRH9,J8VE3CZA,QADVGEWK,4IT2ND2N,2XEWRWHZ,UZ9CTGRZ,N9ATBLHX,IWG8KZ4E,I4S4SMGL,V330S8D8,PFGSGNE6,GRKA7N1T,BM5USQL5,2IA05Y0O,VDQARR1Z,RDDAI03G,GIL03S6A,F9HRWLJN,GTQT21PG,BVB3G8XR,G1X0U5C4,EY6URGHD,WCR9C82K,WKO"...
004218EF|.83C9 FF or ecx, FFFFFFFF
004218F2|.F2:AE repne scas byte ptr es:
004218F4|.F7D1 not ecx
004218F6|.2BF9 sub edi, ecx
004218F8|.8BC1 mov eax, ecx
004218FA|.8BF7 mov esi, edi
004218FC|.8BFA mov edi, edx
004218FE|.8D9424 A80800>lea edx, dword ptr
00421905|.C1E9 02 shr ecx, 2
00421908|.F3:A5 rep movs dword ptr es:, dword p>
0042190A|.8BC8 mov ecx, eax
0042190C|.33C0 xor eax, eax
0042190E|.83E1 03 and ecx, 3
00421911|.F3:A4 rep movs byte ptr es:, byte ptr>
00421913|.BF C8E84700 mov edi, 0047E8C8 注册码出现
ASCII "2U0G2RE0,XPOYL7RZ,P886PB9T,M0JEZGLJ,GFRAMAX1,NIH6T7KZ,A9RS82OT,R3EIEMLM,Z0T54K95,HJXQSF8X,ZE2ZSL7N,Q50VDAX7,FBCK22JF,JAU517SF,66YTY0VH,7XFETFG3,HCVDVIRG,Q414CO0U,AR30AFIH,FTJ3BRVY,MR7MBE5E,X68F1RSC,4K1EQ53D,6EXJKZJS,E56SHQ6Z,WRN1V1ZB,FO8"...
00421918|.83C9 FF or ecx, FFFFFFFF
0042191B|.F2:AE repne scas byte ptr es:
0042191D|.F7D1 not ecx
0042191F|.2BF9 sub edi, ecx
00421921|.8BC1 mov eax, ecx
00421923|.8BF7 mov esi, edi
00421925|.8BFA mov edi, edx
00421927|.8D9424 401100>lea edx, dword ptr
0042192E|.C1E9 02 shr ecx, 2
00421931|.F3:A5 rep movs dword ptr es:, dword p>
00421933|.8BC8 mov ecx, eax
00421935|.33C0 xor eax, eax
00421937|.83E1 03 and ecx, 3
0042193A|.F3:A4 rep movs byte ptr es:, byte ptr>
0042193C|.BF 9CE54700 mov edi, 0047E59C 注册码出现 ASCII "ZZVRZBLE,F7K02B3Q,WJK5EQEB,9ZHJLM1L,DAAPBIAK,JLUH4SCT,TO9QA2VL,SVBUPL9Z,NP0AJ4AU,OA8ZUI5G,4M19V7B7,YB24V2ZZ,VH3SOH59,BP0RQ0GR,GNDMKNPN,K7JS46XA,6WCXNIZI,WF69FS2Q,5JFXFGLM,HHWXL6Q1,9C4TPSIH,JCHVQWAZ,V47N0ONQ,8SY0HUB4,2V6NFQUO,4H2JKES9,YSQ"...
00421941|.83C9 FF or ecx, FFFFFFFF
00421944|.F2:AE repne scas byte ptr es:
00421946|.F7D1 not ecx
00421948|.2BF9 sub edi, ecx
0042194A|.8BC1 mov eax, ecx
0042194C|.8BF7 mov esi, edi
0042194E|.8BFA mov edi, edx
00421950|.C1E9 02 shr ecx, 2
00421953|.F3:A5 rep movs dword ptr es:, dword p>
00421955|.8BC8 mov ecx, eax
00421957|.83E1 03 and ecx, 3
0042195A|.F3:A4 rep movs byte ptr es:, byte ptr>
0042195C|.BF 28E34700 mov edi, 0047E328 注册码出现 ASCII "1288221711427,222902289010920,120922289000222,01082028001271201,010822290111922,02290029002190271210500,002907159210020,220781181250002,210807082212,2229022990220211,90190119128,201701189072112,212781187251702010,0207072590108,0207222872"...
00421961|.83C9 FF or ecx, FFFFFFFF
00421964|.33C0 xor eax, eax
00421966|.8D9424 702200>lea edx, dword ptr
0042196D|.F2:AE repne scas byte ptr es:
0042196F|.F7D1 not ecx
00421971|.2BF9 sub edi, ecx
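如果不是明码比较怎么办?
这里提供一种修改方法:来到 call 00421860 这个函数的尾部(尾部的 add esp, 2AFC 与入口处的 mov eax, 2AFC 相对应),注意它的两个出口。
00421B74 处的出口用 xor eax, eax 返回 0(校验失败),00421B82 处的出口用 mov eax, 1 返回 1(校验通过);调用方在 00420CE1 只用 test eax, eax 判断返回值是否非零。
把 xor eax, eax 换成同为 2 字节的 mov al, 1 之后,两个出口都返回非零值。mov al, 1 只改写 EAX 的低 8 位,之所以够用,是因为调用方只判断"非零"。
这也说明整个注册校验最终只取决于这一个返回值;修改保存后程序照常运行,看起来也没有对自身代码做完整性校验。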
修改前:
00421B74|> \5F pop edi
00421B75|.5E pop esi
00421B76|.33C0 xor eax, eax 罪魁祸首
00421B78|.5B pop ebx
00421B79|.81C4 FC2A0000 add esp, 2AFC
00421B7F|.C2 0400 retn 4
00421B82|>5F pop edi
00421B83|.5E pop esi
00421B84|.B8 01000000 mov eax, 1
00421B89|.5B pop ebx
00421B8A|.81C4 FC2A0000 add esp, 2AFC
00421B90\.C2 0400 retn 4
00421B93 90 nop
修改后:
00421B74|> \5F pop edi
00421B75|.5E pop esi
00421B76 B0 01 mov al, 1
00421B78 5B pop ebx
00421B79 81C4 FC2A0000 add esp, 2AFC
00421B7F C2 0400 retn 4
00421B82|>5F pop edi
00421B83|.5E pop esi
00421B84|.B8 01000000 mov eax, 1
00421B89|.5B pop ebx
00421B8A|.81C4 FC2A0000 add esp, 2AFC
00421B90\.C2 0400 retn 4
然后保存——运行一切正常!
注册文件保存在C:\WINDOWS\mgwin.ini中
[ 本帖最后由 xinldy 于 2008-8-8 12:30 编辑 ]
回复:不错,学习了。
回复:软件有点老了,可是不知为什么会有这么多的注册码!注册码均可用!
回复:有个注册码库吧。
回复:受益匪浅,成长不忘教导恩。
回复:学习了,先谢谢楼主。
回复:收获很大,谢谢你的教程。
回复:试下可以不先。
回复:谢谢分享,认真学习!
回复:分析出来的都是明码呀,哈哈,厉害,学习。