成功助理5.2 (Success Assistant 5.2): tracing the registration code and patching the software to register itself
Username: 皈依我佛   Registration code: I4O0sLj/98zfYEL9
1. Load the program in OD (OllyDbg), press F9 to run, click Register, and enter the username 皈依我佛 with the fake code 1111111122222222.
The fake code must be exactly 16 characters, because the software compares the length of the registration code before doing anything else.
2. Set the breakpoint (on MessageBoxA, the API that shows the error dialog):
3. Click the Register button and the program breaks. Press ALT-F9 to return to user code; you land at 00850C32, and the CALL just above it is the one that shows the "registration code is wrong" dialog:
00850C24 .8B45 FC MOV EAX,DWORD PTR SS:
00850C27 .E8 C85DC4FF CALL 004969F4
00850C2C .50 PUSH EAX ; |hOwner
00850C2D .E8 EE7CBBFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA  the "registration code is wrong" dialog
00850C32 >33C0 XOR EAX,EAX
00850C34 .5A POP EDX
00850C35 .59 POP ECX
00850C36 .59 POP ECX
4. Scroll up to the start of the function and set an F2 breakpoint there:
0085068C .55 PUSH EBP // start of the Register button's event handler
0085068D .8BEC MOV EBP,ESP
0085068F .B9 08000000 MOV ECX,8
00850694 >6A 00 PUSH 0
00850696 .6A 00 PUSH 0
00850698 .49 DEC ECX
00850699 .^ 75 F9 JNZ SHORT 00850694
0085069B .51 PUSH ECX
0085069C .53 PUSH EBX
----------------------------------------------------------------------------------------------------------------
5. Press F9 to run, click "OK", then click "Complete registration"; the program breaks at the new breakpoint. Single-step (F8) until you reach:
0085075A .55 PUSH EBP
0085075B .68 060C8500 PUSH 00850C06
00850760 .64:FF30 PUSH DWORD PTR FS:
00850763 .64:8920 MOV DWORD PTR FS:,ESP
00850766 .8B45 F8 MOV EAX,DWORD PTR SS:
00850769 .E8 4A4BBBFF CALL 004052B8
0085076E .83F8 03 CMP EAX,3 /// checks that the username is longer than 3 characters
00850771 .0F8E 85040000 JLE 00850BFC
00850777 .8B45 F4 MOV EAX,DWORD PTR SS:
0085077A .E8 394BBBFF CALL 004052B8
0085077F .83F8 10 CMP EAX,10
00850782 .0F85 74040000 JNZ 00850BFC //// checks that the registration code is 16 characters
00850788 .8D4D DC LEA ECX,DWORD PTR SS:
0085078B .8B55 F4 MOV EDX,DWORD PTR SS: // fake code (the one we typed)
0085078E .8B45 F8 MOV EAX,DWORD PTR SS:
00850791 .E8 1ACBD2FF CALL 0057D2B0 // algorithm CALL, step into it
00850796 .8B55 DC MOV EDX,DWORD PTR SS: // real code
00850799 8B45 DC MOV EAX,DWORD PTR SS: // originally the fake code; change the operand to EBP-24 (shown here already patched, bytes 8B45 DC)
0085079C .E8 634CBBFF CALL 00405404 // compare CALL
008507A1 .0F85 55040000 JNZ 00850BFC // the real code is now compared with itself, so the outcome needs no explanation
008507A7 .A1 00938A00 MOV EAX,DWORD PTR DS:
008507AC .8B00 MOV EAX,DWORD PTR DS:
008507AE .8B80 40030000 MOV EAX,DWORD PTR DS:
008507B4 .BA B80C8500 MOV EDX,00850CB8
008507B9 .E8 06B6D2FF CALL 0057BDC4
008507BE .84C0 TEST AL,AL
008507C0 .0F84 36040000 JE 00850BFC
008507C6 .A1 00938A00 MOV EAX,DWORD PTR DS:
008507CB .8B00 MOV EAX,DWORD PTR DS:
008507CD .8B80 40030000 MOV EAX,DWORD PTR DS:
008507D3 .E8 B0BAC8FF CALL 004DC288
008507D8 .8D4D D8 LEA ECX,DWORD PTR SS:
008507DB .8B15 D8968A00 MOV EDX,DWORD PTR DS:
008507E1 .8B12 MOV EDX,DWORD PTR DS:
008507E3 .8B45 F8 MOV EAX,DWORD PTR SS:
008507E6 .E8 ED8BD2FF CALL 005793D8
008507EB .8B45 D8 MOV EAX,DWORD PTR SS:
008507EE .50 PUSH EAX
008507EF .A1 00938A00 MOV EAX,DWORD PTR DS:
008507F4 .8B00 MOV EAX,DWORD PTR DS:
008507F6 .8B80 40030000 MOV EAX,DWORD PTR DS:
008507FC .BA D80C8500 MOV EDX,00850CD8 ;
00850801 .E8 C2A2C8FF CALL 004DAAC8
00850806 .5A POP EDX
00850807 .8B08 MOV ECX,DWORD PTR DS:
00850809 .FF91 B0000000 CALL DWORD PTR DS: ;SuccessP.004D18DC
0085080F .8D4D D4 LEA ECX,DWORD PTR SS:
00850812 .8B15 D8968A00 MOV EDX,DWORD PTR DS: ;SuccessP.008A6790
00850818 .8B12 MOV EDX,DWORD PTR DS:
0085081A .8B45 F4 MOV EAX,DWORD PTR SS: // change EBP-C to EBP-24 here too, so the real code (not the typed one) gets saved
0085081D .E8 B68BD2FF CALL 005793D8 // CALL that writes the registration code to the file
00850822 .8B45 D4 MOV EAX,DWORD PTR SS:
00850825 .50 PUSH EAX
6. Stepping into the algorithm CALL, we arrive at:
0057D8B8 .E8 2371E8FF CALL 004049E0
0057D8BD >8B45 F8 MOV EAX,DWORD PTR SS:
0057D8C0 .E8 F379E8FF CALL 004052B8
0057D8C5 .83F8 10 CMP EAX,10
0057D8C8 .74 0A JE SHORT 0057D8D4 // jumps if the fake code is 16 characters
0057D8CA .8B45 F4 MOV EAX,DWORD PTR SS:
0057D8CD .E8 1677E8FF CALL 00404FE8
0057D8D2 .EB 22 JMP SHORT 0057D8F6
0057D8D4 >8B45 F4 MOV EAX,DWORD PTR SS:
0057D8D7 .8B55 D8 MOV EDX,DWORD PTR SS: // real code into EDX: the registration code for 皈依我佛 (ASCII "I4O0sLj/98zfYEL9")
0057D8DA .E8 5D77E8FF CALL 0040503C
0057D8DF .8B45 F4 MOV EAX,DWORD PTR SS:
0057D8E2 .8B00 MOV EAX,DWORD PTR DS: // real code into EAX
0057D8E4 .8B55 F8 MOV EDX,DWORD PTR SS: // fake code into EDX
0057D8E7 .E8 187BE8FF CALL 00405404 // compare CALL
0057D8EC .74 08 JE SHORT 0057D8F6 // must jump
0057D8EE .8B45 F4 MOV EAX,DWORD PTR SS:
0057D8F1 .E8 F276E8FF CALL 00404FE8
0057D8F6 >33C0 XOR EAX,EAX
Stack SS:=0950EF8C, (ASCII "I4O0sLj/98zfYEL9")

Hmm. Not bad, learning..
Bumping for you, bro!!!
Brilliant, learning from this.
What does 00850796 mean? A plaintext comparison?
Nice, +1
Nice, learning..
Learning first, thanks OP. It would be even better if OP could also post the download link for the software.
Learning first, thanks OP.
Learned something!! Bump!!
All I can find are articles; on 看雪 (Pediy) and 吾爱破解 (52pojie) it is also just articles. It would be great if someone made a video of this, but I have never been able to find one. Frustrating!