Collectify 1.75.1585 Restart-Verification Patching Notes (Registry)
[Write-up title] Collectify 1.75.1585 cracking notes [Author] 野猫III
[Tools] The usual: PEiD, W32DASM, UC32, OD
[Platform] Windows XP SP2
[Software] Collectify 1.75.1585
[Size] 22,953KB
[Original download] http://www6.skycn.com/soft/16113.html
[Protection] Time limit, registration code
[Description] An information management program. You can create any data catalog you want: photos, drawings, web pages, office documents, video, phone numbers, addresses, schedules and so on. Very convenient to use.
[Statement] I am just a newbie who happened to pick up a little insight and want to share it with everyone :)
------------------------------------------------------------------------
1. Install the program with an arbitrary serial number. PEiD reports no packer; the program is a Microsoft Visual C++ 6.0 executable.
2. Load the program in OD and run it up to registration, which gives the error message "This is an invalid key." After clicking OK, go back to OD and search the string references: nothing useful turns up.
What is left is a dumb method: set a breakpoint on every candidate call one by one... Look:
1) In OD enter the command-line breakpoint bpx d; after confirming, the intermodular calls window (R) opens.
2) Right-click and set a breakpoint on every call, then return to the program. Each time OD breaks, remove that breakpoint, until the program runs freely:
0045710A .E8 7FFB0000 CALL MyStuff.?PreTranslateMessage@CWinTh>;JMP to MFC42.#5289
// Only one place is found, excellent!
3) Now click OK in the Collectify 1.75 registration window to confirm registration. OD breaks the program at:
00427E9B .E8 74E30300 CALL MyStuff.??0CString@@QAE@XZ ;JMP to MFC42.#540 //F2, F9
00427EA0 .8365 FC 00 AND DWORD PTR SS:,0
00427EA4 .8D4D E8 LEA ECX,DWORD PTR SS:
00427EA7 .E8 68E30300 CALL MyStuff.??0CString@@QAE@XZ ;JMP to MFC42.#540 //F2, F9
00427EAC .8D4D EC LEA ECX,DWORD PTR SS:
00427EAF .C645 FC 01 MOV BYTE PTR SS:,1
00427EB3 .E8 5CE30300 CALL MyStuff.??0CString@@QAE@XZ ;JMP to MFC42.#540 //F2, F9
00427EB8 .8D4D F0 LEA ECX,DWORD PTR SS:
00427EBB .C645 FC 02 MOV BYTE PTR SS:,2
00427EBF .E8 50E30300 CALL MyStuff.??0CString@@QAE@XZ ;JMP to MFC42.#540 //F2, F9
00427EC4 .8D45 E4 LEA EAX,DWORD PTR SS:
00427EC7 .8D8E E4000000LEA ECX,DWORD PTR DS:
00427ECD .50 PUSH EAX
00427ECE .C645 FC 03 MOV BYTE PTR SS:,3
00427ED2 .E8 21E40300 CALL MyStuff.?GetWindowTextA@CWnd>;JMP to MFC42.#3874 //F2, F9
00427ED7 .8D45 E8 LEA EAX,DWORD PTR SS:
00427EDA .8D8E 24010000LEA ECX,DWORD PTR DS:
00427EE0 .50 PUSH EAX
00427EE1 .E8 12E40300 CALL MyStuff.?GetWindowTextA@CWnd>;JMP to MFC42.#3874 //F2, F9
00427EE6 .8D45 EC LEA EAX,DWORD PTR SS:
00427EE9 .8D8E 64010000LEA ECX,DWORD PTR DS:
00427EEF .50 PUSH EAX
00427EF0 .E8 03E40300 CALL MyStuff.?GetWindowTextA@CWnd>;JMP to MFC42.#3874
// By this point we can see the second group of the trial code we typed in. Reopen the intermodular calls window (R), right-click and delete all breakpoints. Single-step from here.
00427EF5 .8D45 F0 LEA EAX,DWORD PTR SS:
00427EF8 .8D8E A4010000LEA ECX,DWORD PTR DS:
00427EFE .50 PUSH EAX
00427EFF .E8 F4E30300 CALL MyStuff.?GetWindowTextA@CWnd>;JMP to MFC42.#3874
00427F04 .8D86 EC010000LEA EAX,DWORD PTR DS: ;the call fetches the fourth group of the trial code
00427F0A .8D4E 64 LEA ECX,DWORD PTR DS:
00427F0D .50 PUSH EAX
00427F0E .E8 E5E30300 CALL MyStuff.?GetWindowTextA@CWnd>;JMP to MFC42.#3874
00427F13 .8D86 F0010000LEA EAX,DWORD PTR DS: ;the call fetches the user name
00427F19 .8D8E A4000000LEA ECX,DWORD PTR DS:
00427F1F .50 PUSH EAX
00427F20 .E8 D3E30300 CALL MyStuff.?GetWindowTextA@CWnd>;JMP to MFC42.#3874
00427F25 .FF75 F0 PUSH DWORD PTR SS: ;the call fetches the company name
00427F28 .8DBE E8010000LEA EDI,DWORD PTR DS:
00427F2E .FF75 EC PUSH DWORD PTR SS:
00427F31 .FF75 E8 PUSH DWORD PTR SS:
00427F34 .FF75 E4 PUSH DWORD PTR SS:
00427F37 .68 98EB4900 PUSH MyStuff.0049EB98 ;ASCII "%s-%s-%s-%s"
00427F3C .57 PUSH EDI
00427F3D .E8 B0E30300 CALL MyStuff.?Format@CString@@QAA>;JMP to MFC42.#2818
00427F42 .FF37 PUSH DWORD PTR DS:
00427F44 .FF96 E4010000CALL DWORD PTR DS:
00427F4A .83C4 1C ADD ESP,1C ;the call produces a code
00427F4D .84C0 TEST AL,AL ;compare!
00427F4F 75 17 JNZ SHORT MyStuff.00427F68 ;jump if not zero, otherwise OVER! So this is the program's key jump!
00427F51 .6A FF PUSH -1
00427F53 .6A 02 PUSH 2
00427F55 .68 63660000 PUSH 6663
00427F5A .68 90650000 PUSH 6590
00427F5F .8BCE MOV ECX,ESI
00427F61 .E8 0A23FEFF CALL MyStuff.?xMessageBox@?$BaseW>;OVER!
00427F66 .EB 1C JMP SHORT MyStuff.00427F84 ;skips the registration-succeeded operations below
00427F68 >8BCE MOV ECX,ESI ;a correct registration code jumps here~~~
00427F6A .E8 51010000 CALL MyStuff.?SetSerialNumber@CRe>
00427F6F .8BCE MOV ECX,ESI
00427F71 .E8 75010000 CALL MyStuff.?SetName@CRegCheckWa>
00427F76 .8BCE MOV ECX,ESI
00427F78 .E8 99010000 CALL MyStuff.?SetCompany@CRegChec>
00427F7D .8BCE MOV ECX,ESI
00427F7F .E8 CAE40300 CALL MyStuff.?OnOK@CDialog@@MAEXX>;JMP to MFC42.#4853
00427F84 >8D4D F0 LEA ECX,DWORD PTR SS: ;the failure path jumps here~~
00427F87 .C645 FC 02 MOV BYTE PTR SS:,2
00427F8B .E8 5AE20300 CALL MyStuff.??1CString@@QAE@XZ ;JMP to MFC42.#800
00427F90 .8D4D EC LEA ECX,DWORD PTR SS:
00427F93 .C645 FC 01 MOV BYTE PTR SS:,1
00427F97 .E8 4EE20300 CALL MyStuff.??1CString@@QAE@XZ ;JMP to MFC42.#800
00427F9C .8065 FC 00 AND BYTE PTR SS:,0
00427FA0 .8D4D E8 LEA ECX,DWORD PTR SS:
00427FA3 .E8 42E20300 CALL MyStuff.??1CString@@QAE@XZ ;JMP to MFC42.#800
00427FA8 .834D FC FF OR DWORD PTR SS:,FFFFFFFF
00427FAC .8D4D E4 LEA ECX,DWORD PTR SS:
00427FAF .E8 36E20300 CALL MyStuff.??1CString@@QAE@XZ ;JMP to MFC42.#800
00427FB4 .8B4D F4 MOV ECX,DWORD PTR SS:
00427FB7 .5F POP EDI
00427FB8 .5E POP ESI
00427FB9 .64:890D 000000>MOV DWORD PTR FS:,ECX
00427FC0 .C9 LEAVE
00427FC1 .C3 RETN ;start over
00427FC2 > .81EC 08010000SUB ESP,108
00427FC8 .53 PUSH EBX ;blind patching is a waste of effort~~~ read on from here...
00427FC9 .55 PUSH EBP
00427FCA .56 PUSH ESI
00427FCB .57 PUSH EDI
00427FCC .8BF1 MOV ESI,ECX
00427FCE .E8 53E20300 CALL MyStuff.?OnInitDialog@CDialo>;JMP to MFC42.#4710
00427FD3 .8B3D 3C4E4700MOV EDI,DWORD PTR DS:[<&USER32.Se>;USER32.SendMessageA
00427FD9 .33ED XOR EBP,EBP
00427FDB .55 PUSH EBP ; /lParam => 0
00427FDC .BB C5000000 MOV EBX,0C5 ; |
00427FE1 .6A 0E PUSH 0E ; |wParam = E
00427FE3 .53 PUSH EBX ; |Message => EM_LIMITTEXT
00427FE4 .FFB6 C4010000PUSH DWORD PTR DS: ; |hWnd
00427FEA .FFD7 CALL EDI ; \SendMessageA
00427FEC .55 PUSH EBP ; /lParam => 0
00427FED .6A 02 PUSH 2 ; |wParam = 2
00427FEF .53 PUSH EBX ; |Message => EM_LIMITTEXT
00427FF0 .FFB6 04010000PUSH DWORD PTR DS: ; |hWnd
00427FF6 .FFD7 CALL EDI ; \SendMessageA
00427FF8 .55 PUSH EBP ; /lParam => 0
00427FF9 .6A 04 PUSH 4 ; |wParam = 4
00427FFB .53 PUSH EBX ; |Message => EM_LIMITTEXT
00427FFC .FFB6 44010000PUSH DWORD PTR DS: ; |hWnd
00428002 .FFD7 CALL EDI ; \SendMessageA
00428004 .55 PUSH EBP ; /lParam => 0
00428005 .6A 02 PUSH 2 ; |wParam = 2
00428007 .53 PUSH EBX ; |Message => EM_LIMITTEXT
00428008 .FFB6 84010000PUSH DWORD PTR DS: ; |hWnd
0042800E .FFD7 CALL EDI ; \SendMessageA
00428010 .BF 81000000 MOV EDI,81
00428015 .8D4424 10 LEA EAX,DWORD PTR SS:
00428019 .57 PUSH EDI ; /n => 81 (129.)
0042801A .55 PUSH EBP ; |c => 00
0042801B .50 PUSH EAX ; |s
0042801C .E8 D5EF0300 CALL MyStuff._memset ; \_memset
00428021 .57 PUSH EDI ; /n
00428022 .8D8424 A400000>LEA EAX,DWORD PTR SS: ; |
00428029 .55 PUSH EBP ; |c
0042802A .50 PUSH EAX ; |s
0042802B .E8 C6EF0300 CALL MyStuff._memset ; \_memset
00428030 .83C4 18 ADD ESP,18
00428033 .E8 18E20300 CALL MyStuff.?AfxGetModuleState@@>;JMP to MFC42.#1168
00428038 .8B40 0C MOV EAX,DWORD PTR DS:
0042803B .8B3D E4544700MOV EDI,DWORD PTR DS:[<&utils.?Ge>;utils.?GetAppRegistryString@CRegistryIO@@SAHPAUHINSTANCE__@@PBD11PADI1_N@Z
00428041 .6A 01 PUSH 1
00428043 .68 BCEB4900 PUSH MyStuff.0049EBBC ;ASCII "HKEY_LOCAL_MACHINE\SOFTWARE\Collectify"
00428048 .8D4C24 18 LEA ECX,DWORD PTR SS: ;this key should be where the program saves the registration code after a successful registration
0042804C .68 80000000 PUSH 80
00428051 .BD 202C4A00 MOV EBP,MyStuff.004A2C20
00428056 .51 PUSH ECX
00428057 .55 PUSH EBP
00428058 .BB B4EB4900 MOV EBX,MyStuff.0049EBB4 ;ASCII "MyStuff"
0042805D .68 ACEB4900 PUSH MyStuff.0049EBAC ;ASCII "User"
00428062 .53 PUSH EBX ;user name~~~
00428063 .50 PUSH EAX
00428064 .FFD7 CALL EDI ;<&utils.?GetAppRegistryString@CRegistryIO@@SAHPAUHINSTANCE__@@PBD11PADI1_N@Z>
00428066 .83C4 20 ADD ESP,20
00428069 .E8 E2E10300 CALL MyStuff.?AfxGetModuleState@@>;JMP to MFC42.#1168
0042806E .8B40 0C MOV EAX,DWORD PTR DS:
00428071 .6A 01 PUSH 1
00428073 .68 BCEB4900 PUSH MyStuff.0049EBBC ;ASCII "HKEY_LOCAL_MACHINE\SOFTWARE\Collectify"
00428078 .8D8C24 9C00000>LEA ECX,DWORD PTR SS:
0042807F .68 80000000 PUSH 80
00428084 .51 PUSH ECX
00428085 .55 PUSH EBP
00428086 .68 A4EB4900 PUSH MyStuff.0049EBA4 ;ASCII "Company"
0042808B .53 PUSH EBX ;company~~~
0042808C .50 PUSH EAX
0042808D .FFD7 CALL EDI
0042808F .83C4 20 ADD ESP,20
00428092 .8D4424 10 LEA EAX,DWORD PTR SS:
00428096 .8D4E 64 LEA ECX,DWORD PTR DS:
00428099 .50 PUSH EAX
0042809A .E8 99E10300 CALL MyStuff.?SetWindowTextA@CWnd>;JMP to MFC42.#6199
0042809F .8D8424 9400000>LEA EAX,DWORD PTR SS:
004280A6 .8D8E A4000000LEA ECX,DWORD PTR DS:
004280AC .50 PUSH EAX
004280AD .E8 86E10300 CALL MyStuff.?SetWindowTextA@CWnd>;JMP to MFC42.#6199
004280B2 .6A 01 PUSH 1
004280B4 .58 POP EAX
004280B5 .5F POP EDI
004280B6 .5E POP ESI
004280B7 .5D POP EBP
004280B8 .5B POP EBX
004280B9 .81C4 08010000ADD ESP,108
004280BF .C3 RETN
004280C0 >/$56 PUSH ESI
004280C1|.8BB1 E8010000MOV ESI,DWORD PTR DS:
004280C7|.E8 84E10300 CALL MyStuff.?AfxGetModuleState@@>;JMP to MFC42.#1168
004280CC|.8B40 0C MOV EAX,DWORD PTR DS:
004280CF|.68 BCEB4900 PUSH MyStuff.0049EBBC ;ASCII "HKEY_LOCAL_MACHINE\SOFTWARE\Collectify"
004280D4|.56 PUSH ESI
004280D5|.68 E4EB4900 PUSH MyStuff.0049EBE4 ;ASCII "RegNumber"
004280DA|.68 B4EB4900 PUSH MyStuff.0049EBB4 ;ASCII "MyStuff"
004280DF|.50 PUSH EAX ;registration code~~~
004280E0|.FF15 E8544700CALL DWORD PTR DS:[<&utils.?SetAp>;utils.?SetAppRegistryString@CRegistryIO@@SA_NPAUHINSTANCE__@@PBD111@Z
004280E6|.83C4 14 ADD ESP,14
004280E9|.5E POP ESI
004280EA\.C3 RETN
004280EB >/$56 PUSH ESI
004280EC|.8BB1 EC010000MOV ESI,DWORD PTR DS:
004280F2|.E8 59E10300 CALL MyStuff.?AfxGetModuleState@@>;JMP to MFC42.#1168
004280F7|.8B40 0C MOV EAX,DWORD PTR DS:
004280FA|.68 BCEB4900 PUSH MyStuff.0049EBBC ;ASCII "HKEY_LOCAL_MACHINE\SOFTWARE\Collectify"
004280FF|.56 PUSH ESI
00428100|.68 ACEB4900 PUSH MyStuff.0049EBAC ;ASCII "User"
00428105|.68 B4EB4900 PUSH MyStuff.0049EBB4 ;ASCII "MyStuff"
0042810A|.50 PUSH EAX
0042810B|.FF15 E8544700CALL DWORD PTR DS:[<&utils.?SetAp>;utils.?SetAppRegistryString@CRegistryIO@@SA_NPAUHINSTANCE__@@PBD111@Z
00428111|.83C4 14 ADD ESP,14
00428114|.5E POP ESI
00428115\.C3 RETN
00428116 >/$56 PUSH ESI
00428117|.8BB1 F0010000MOV ESI,DWORD PTR DS:
0042811D|.E8 2EE10300 CALL MyStuff.?AfxGetModuleState@@>;JMP to MFC42.#1168
00428122|.8B40 0C MOV EAX,DWORD PTR DS:
00428125|.68 BCEB4900 PUSH MyStuff.0049EBBC ;ASCII "HKEY_LOCAL_MACHINE\SOFTWARE\Collectify"
0042812A|.56 PUSH ESI
0042812B|.68 A4EB4900 PUSH MyStuff.0049EBA4 ;ASCII "Company"
00428130|.68 B4EB4900 PUSH MyStuff.0049EBB4 ;ASCII "MyStuff"
00428135|.50 PUSH EAX
00428136|.FF15 E8544700CALL DWORD PTR DS:[<&utils.?SetAp>;utils.?SetAppRegistryString@CRegistryIO@@SA_NPAUHINSTANCE__@@PBD111@Z
0042813C|.83C4 14 ADD ESP,14
0042813F|.5E POP ESI
00428140\.C3 RETN
In summary, the key jump is:
00427F4F /75 17 JNZ SHORT MyStuff.00427F68 //change the jnz to jmp and save the result as CrMyStuff.exe.
After patching, registration succeeds, but the program shows no prompt; it writes the registration info to the registry and goes straight into the main interface.
4) Close OD and run CrMyStuff.exe: the program still asks for registration, which proves it re-verifies on restart.
Analysis: when the program restarts it must read and verify the RegNumber entry of the registration info in the registry, so that is where we can start.
Open the registry: under HKEY_LOCAL_MACHINE\SOFTWARE\Collectify\MyStuff we can see that the program stores its registration info here.
The first item it checks is RegNumber. Load the modified CrMyStuff.exe in OD, right-click, Search for, All referenced text strings.
Search for the strings matching the User registry entry and set a breakpoint on each; the results are:
文本字串参考位于 CrMyStuf:.text, 条目 279
地址=004280D5
反汇编=PUSH CrMyStuf.0049EBE4
文本字串=ASCII "RegNumber"
文本字串参考位于 CrMyStuf:.text, 条目 667
地址=0045689C
反汇编=PUSH CrMyStuf.0049EBE4
文本字串=ASCII "RegNumber"
Two reads in total. Press F9 to run; the program breaks at:
0045689C|.68 E4EB4900 PUSH CrMyStuf.0049EBE4 ;ASCII "RegNumber" //here
004568A1|.68 B4EB4900 PUSH CrMyStuf.0049EBB4 ;ASCII "MyStuff"
004568A6|.53 PUSH EBX
004568A7|.FFD7 CALL EDI ;<&utils.?GetAppRegistryString@CRegistryIO@@SAHPAUHINSTANCE__@@PBD11PADI1_N@Z>
004568A9|.83C4 2C ADD ESP,2C
004568AC|.3BC3 CMP EAX,EBX
004568AE|.74 10 JE SHORT CrMyStuf.004568C0 //Is there a registration-code entry? If not, OVER!
004568B0|.8D45 AC LEA EAX,DWORD PTR SS:
004568B3|.50 PUSH EAX
004568B4|.FF55 08 CALL DWORD PTR SS:
004568B7|.3AC3 CMP AL,BL
004568B9|.59 POP ECX
004568BA|.0F85 1C020000 JNZ CrMyStuf.00456ADC//Is the code correct? Not equal means registration succeeded; equal means OVER!
//In summary, once the program is modified it goes straight into the main interface. The registration info can also be seen in the About box.
Bin!
Lesson: for software that verifies on restart, we can patch it at the point where it verifies the registration info during restart.
Request: the first three groups of the code keep showing up in this program, and I suspect they are the real code. Could everyone help look for its registration code? Thanks!
-----------------------------------------------------------------------
[Copyright notice] This write-up is purely for technical exchange. When reposting, please credit the author and keep the article intact, thanks!
For the crack demo, please download it from 龙族; I will not upload it everywhere! Once the cat is accepted into the members group I will decide what to do next. http://www.chinadforce.com/viewthread.php?tid=556037&extra=page%3D1
[This post was last edited by 野猫III on 2006-7-7 00:44]
Impressive...
Brother Cat is quite skilled; my own level still needs work! Learning, learning.
Brother Cat really is good.
Learning; Brother Cat keeps getting better.
Brother, you have made a lot of progress~~
Support~
Thanks for sharing~~
Impressive, respect......
Heh~~~ you brothers flatter me. Thanks for the support~~~ let's improve together~
Learning!
Learning, thanks, but I am not a 龙族 member so I cannot download it. Could the mods provide a download?