【破文标题】卡易售一**生成器重启验证完美爆破
【破文作者】hackhd
【作者邮箱】hackhd*163.com
【作者主页】www.910y.cn
【破解工具】OllyDbg
【破解平台】WINDOWS XP
【软件名称】一**生成器
【软件大小】780KB
【原版下载】http://www.cardesales.com/download/YktMakeTools.exe
【保护方式】注册机制
【软件简介】一**生成器是由杭州易购科技开发的服务于一**模块的卡号生成工具,保证生成的卡号和密码安全有效。该生成器具有以下优势:1.脱离网站后台生成卡号密码,更快、更安全有效;2.针对卡易售系统一**模块开发,符合后台使用系统;3.可面值不同生成不同类型的一**; 4.可填写批次编码,让每次生成的卡都可区别;5.生成数量无限制;6.多种密码组合方式;7.配合相应操作方式,杜绝重复卡的发生;
【破解声明】为了生活我们历尽奔波
------------------------------------------------------------------------
【破解过程】OD载入后,查找字符串
00497BA6 mov eax, 00497CF8 注册成功!
记下这个地址00497BA6 我们直接跳到这里
004979B5 |. 8BF0 mov esi, eax
004979B7 |. 85F6 test esi, esi
004979B9 |. 7E 57 jle short 00497A12
在这个jle上面下F2断点都可以,修改jle让它跳转成功,跳过注册不能成功的地方
004979BB |. BB 01000000 mov ebx, 1
004979C0 |> 8D4D E4 /lea ecx, dword ptr [ebp-1C]
004979C3 |. 8BD3 |mov edx, ebx
004979C5 |. B8 01000000 |mov eax, 1
004979CA |. E8 C1FAFFFF |call 00497490
004979CF |. 8B45 E4 |mov eax, dword ptr [ebp-1C]
004979D2 |. 50 |push eax
004979D3 |. 8D45 E0 |lea eax, dword ptr [ebp-20]
004979D6 |. 50 |push eax
004979D7 |. 8D55 DC |lea edx, dword ptr [ebp-24]
004979DA |. 8B87 00030000 |mov eax, dword ptr [edi+300]
004979E0 |. E8 C7D5FAFF |call 00444FAC
004979E5 |. 8B45 DC |mov eax, dword ptr [ebp-24]
004979E8 |. B9 01000000 |mov ecx, 1
004979ED |. 8BD3 |mov edx, ebx
004979EF |. E8 78D4F6FF |call 00404E6C
004979F4 |. 8B55 E0 |mov edx, dword ptr [ebp-20]
004979F7 |. 58 |pop eax
004979F8 |. E8 5BD3F6FF |call 00404D58
004979FD |. 74 0F |je short 00497A0E
004979FF |. B8 B87C4900 |mov eax, 00497CB8 ; 注册码不正确!
00497A04 |. E8 4B69F9FF |call 0042E354
00497A09 |. E9 1D020000 |jmp 00497C2B
00497A0E |> 43 |inc ebx
00497A0F |. 4E |dec esi
00497A10 |.^ 75 AE \jnz short 004979C0
00497A12 |> 8D55 D8 lea edx, dword ptr [ebp-28]
00497A15 |. 8B87 04030000 mov eax, dword ptr [edi+304]
00497A1B |. E8 8CD5FAFF call 00444FAC
00497A20 |. 8B45 D8 mov eax, dword ptr [ebp-28]
00497A23 |. E8 E4D1F6FF call 00404C0C
00497A28 |. 8BF0 mov esi, eax
00497A2A |. 85F6 test esi, esi
00497A2C |. 7E 57 jle short 00497A85
在这个jle上面下F2断点,修改jle让它跳转成功,跳过注册不能成功的地方
00497A2E |. BB 01000000 mov ebx, 1
00497A33 |> 8D4D D4 /lea ecx, dword ptr [ebp-2C]
00497A36 |. 8BD3 |mov edx, ebx
00497A38 |. B8 02000000 |mov eax, 2
00497A3D |. E8 4EFAFFFF |call 00497490
00497A42 |. 8B45 D4 |mov eax, dword ptr [ebp-2C]
00497A45 |. 50 |push eax
00497A46 |. 8D45 D0 |lea eax, dword ptr [ebp-30]
00497A49 |. 50 |push eax
00497A4A |. 8D55 CC |lea edx, dword ptr [ebp-34]
00497A4D |. 8B87 04030000 |mov eax, dword ptr [edi+304]
00497A53 |. E8 54D5FAFF |call 00444FAC
00497A58 |. 8B45 CC |mov eax, dword ptr [ebp-34]
00497A5B |. B9 01000000 |mov ecx, 1
00497A60 |. 8BD3 |mov edx, ebx
00497A62 |. E8 05D4F6FF |call 00404E6C
00497A67 |. 8B55 D0 |mov edx, dword ptr [ebp-30]
00497A6A |. 58 |pop eax
00497A6B |. E8 E8D2F6FF |call 00404D58
00497A70 |. 74 0F |je short 00497A81
00497A72 |. B8 B87C4900 |mov eax, 00497CB8 ; 注册码不正确!
00497A77 |. E8 D868F9FF |call 0042E354
00497A7C |. E9 AA010000 |jmp 00497C2B
00497A81 |> 43 |inc ebx
00497A82 |. 4E |dec esi
00497A83 |.^ 75 AE \jnz short 00497A33
00497A85 |> 8D55 C8 lea edx, dword ptr [ebp-38]
00497A88 |. 8B87 08030000 mov eax, dword ptr [edi+308]
00497A8E |. E8 19D5FAFF call 00444FAC
00497A93 |. 8B45 C8 mov eax, dword ptr [ebp-38]
00497A96 |. E8 71D1F6FF call 00404C0C
00497A9B |. 8BF0 mov esi, eax
00497A9D |. 85F6 test esi, esi
00497A9F |. 7E 57 jle short 00497AF8
在这个jle上面下F2断点都可以,修改jle让它跳转成功,跳过注册不能成功的地方
00497AA1 |. BB 01000000 mov ebx, 1
00497AA6 |> 8D4D C4 /lea ecx, dword ptr [ebp-3C]
00497AA9 |. 8BD3 |mov edx, ebx
00497AAB |. B8 03000000 |mov eax, 3
00497AB0 |. E8 DBF9FFFF |call 00497490
00497AB5 |. 8B45 C4 |mov eax, dword ptr [ebp-3C]
00497AB8 |. 50 |push eax
00497AB9 |. 8D45 C0 |lea eax, dword ptr [ebp-40]
00497ABC |. 50 |push eax
00497ABD |. 8D55 BC |lea edx, dword ptr [ebp-44]
00497AC0 |. 8B87 08030000 |mov eax, dword ptr [edi+308]
00497AC6 |. E8 E1D4FAFF |call 00444FAC
00497ACB |. 8B45 BC |mov eax, dword ptr [ebp-44]
00497ACE |. B9 01000000 |mov ecx, 1
00497AD3 |. 8BD3 |mov edx, ebx
00497AD5 |. E8 92D3F6FF |call 00404E6C
00497ADA |. 8B55 C0 |mov edx, dword ptr [ebp-40]
00497ADD |. 58 |pop eax
00497ADE |. E8 75D2F6FF |call 00404D58
00497AE3 |. 74 0F |je short 00497AF4
00497AE5 |. B8 B87C4900 |mov eax, 00497CB8 ; 注册码不正确!
00497AEA |. E8 6568F9FF |call 0042E354
00497AEF |. E9 37010000 |jmp 00497C2B
00497AF4 |> 43 |inc ebx
00497AF5 |. 4E |dec esi
00497AF6 |.^ 75 AE \jnz short 00497AA6
00497AF8 |> 8D55 B8 lea edx, dword ptr [ebp-48]
00497AFB |. 8B87 0C030000 mov eax, dword ptr [edi+30C]
00497B01 |. E8 A6D4FAFF call 00444FAC
00497B06 |. 8B45 B8 mov eax, dword ptr [ebp-48]
00497B09 |. E8 FED0F6FF call 00404C0C
00497B0E |. 8BF0 mov esi, eax
00497B10 |. 85F6 test esi, esi
00497B12 |. 7E 57 jle short 00497B6B
在这个jle上面下F2断点都可以,修改jle让它跳转成功,跳过注册不能成功的地方
00497B14 |. BB 01000000 mov ebx, 1
00497B19 |> 8D4D B4 /lea ecx, dword ptr [ebp-4C]
00497B1C |. 8BD3 |mov edx, ebx
00497B1E |. B8 04000000 |mov eax, 4
00497B23 |. E8 68F9FFFF |call 00497490
00497B28 |. 8B45 B4 |mov eax, dword ptr [ebp-4C]
00497B2B |. 50 |push eax
00497B2C |. 8D45 B0 |lea eax, dword ptr [ebp-50]
00497B2F |. 50 |push eax
00497B30 |. 8D55 AC |lea edx, dword ptr [ebp-54]
00497B33 |. 8B87 0C030000 |mov eax, dword ptr [edi+30C]
00497B39 |. E8 6ED4FAFF |call 00444FAC
00497B3E |. 8B45 AC |mov eax, dword ptr [ebp-54]
00497B41 |. B9 01000000 |mov ecx, 1
00497B46 |. 8BD3 |mov edx, ebx
00497B48 |. E8 1FD3F6FF |call 00404E6C
00497B4D |. 8B55 B0 |mov edx, dword ptr [ebp-50]
00497B50 |. 58 |pop eax
00497B51 |. E8 02D2F6FF |call 00404D58
00497B56 |. 74 0F |je short 00497B67
00497B58 |. B8 B87C4900 |mov eax, 00497CB8 ; 注册码不正确!
00497B5D |. E8 F267F9FF |call 0042E354
00497B62 |. E9 C4000000 |jmp 00497C2B
00497B67 |> 43 |inc ebx
00497B68 |. 4E |dec esi
00497B69 |.^ 75 AE \jnz short 00497B19
00497B6B |> B2 01 mov dl, 1
00497B6D |. A1 E04C4300 mov eax, dword ptr [434CE0]
00497B72 |. E8 69D2F9FF call 00434DE0
00497B77 |. 8BD8 mov ebx, eax
00497B79 |. BA 02000080 mov edx, 80000002
00497B7E |. 8BC3 mov eax, ebx
00497B80 |. E8 FBD2F9FF call 00434E80
00497B85 |. B1 01 mov cl, 1
00497B87 |. BA D07C4900 mov edx, 00497CD0 ; software
00497B8C |. 8BC3 mov eax, ebx
00497B8E |. E8 51D3F9FF call 00434EE4
00497B93 |. 84C0 test al, al
00497B95 |. 74 0F je short 00497BA6
00497B97 |. 8B4D FC mov ecx, dword ptr [ebp-4]
00497B9A |. BA E47C4900 mov edx, 00497CE4 ; easygoing
00497B9F |. 8BC3 mov eax, ebx
00497BA1 |. E8 DAD4F9FF call 00435080
00497BA6 |> B8 F87C4900 mov eax, 00497CF8 ; 注册成功!
修改这几处后,选择 另存为
现在打开程序,随便输入注册码6666-6666-6666-6666就可以注册成功了。但是当程序关掉后,再打开又要注册,每次打开都要注册一次,太麻烦,有重启验证。
首先通过分析和观察,注册码不是写在文件里的,那么就可能是在注册表里。我尝试性地在注册表里搜索6666666,找到了,
证明重启验证是读取的注册表值判断的。再一个当程序走到
00497B97 |. 8B4D FC mov ecx, dword ptr [ebp-4]
00497B9A |. BA E47C4900 mov edx, 00497CE4 ; easygoing
走到这里,可以发现在向注册表写入注册码
00497B9F |. 8BC3 mov eax, ebx
00497BA1 |. E8 DAD4F9FF call 00435080
00497BA6 |> B8 F87C4900 mov eax, 00497CF8 ; 注册成功!
既然是读取注册表,那么再重新载入按Ctrl+N键来到
0049E230 .idata 输入 advapi32.RegQueryValueExA
点击键查看调用树 在所有调用这个函数的地址上按F2下断一共6个
按F9,当第三次停下来的时候,一直按F8
一直到来到这里
004989BF |. /74 0F je short 004989D0
004989C1 |. |8D4D FC lea ecx, dword ptr [ebp-4]
004989C4 |. |BA 248C4900 mov edx, 00498C24 ; easygoing
004989C9 |. |8BC3 mov eax, ebx
004989CB |. |E8 DCC6F9FF call 004350AC
004989D0 |> \8BC3 mov eax, ebx
004989D2 |. E8 79C4F9FF call 00434E50
004989D7 |. B2 01 mov dl, 1
004989D9 |. 8BC3 mov eax, ebx
004989DB |. 8B08 mov ecx, dword ptr [eax]
004989DD |. FF51 FC call dword ptr [ecx-4]
004989E0 |. BB 01000000 mov ebx, 1
004989E5 |> 8D4D F0 /lea ecx, dword ptr [ebp-10]
004989E8 |. 8BD3 |mov edx, ebx
004989EA |. B8 01000000 |mov eax, 1
004989EF |. E8 C8FBFFFF |call 004985BC
004989F4 |. 8B45 F0 |mov eax, dword ptr [ebp-10]
004989F7 |. 50 |push eax
004989F8 |. 8D45 EC |lea eax, dword ptr [ebp-14]
004989FB |. 50 |push eax
004989FC |. B9 01000000 |mov ecx, 1
00498A01 |. 8BD3 |mov edx, ebx
00498A03 |. 8B45 FC |mov eax, dword ptr [ebp-4]
00498A06 |. E8 61C4F6FF |call 00404E6C
00498A0B |. 8B55 EC |mov edx, dword ptr [ebp-14]
00498A0E |. 58 |pop eax
00498A0F |. E8 44C3F6FF |call 00404D58
00498A14 |. 74 39 |je short 00498A4F ‘跳转要成功要不然到了JMP就完蛋了,可以自行修改
00498A16 |. 33D2 |xor edx, edx
00498A18 |. 8B86 B0030000 |mov eax, dword ptr [esi+3B0]
00498A1E |. E8 4DE8FBFF |call 00457270
00498A23 |. 33D2 |xor edx, edx
00498A25 |. 8B86 3C030000 |mov eax, dword ptr [esi+33C]
00498A2B |. 8B08 |mov ecx, dword ptr [eax]
00498A2D |. FF51 64 |call dword ptr [ecx+64]
00498A30 |. 33D2 |xor edx, edx
00498A32 |. 8B86 38030000 |mov eax, dword ptr [esi+338]
00498A38 |. 8B08 |mov ecx, dword ptr [eax]
00498A3A |. FF51 64 |call dword ptr [ecx+64]
00498A3D |. 33D2 |xor edx, edx
00498A3F |. 8B86 54030000 |mov eax, dword ptr [esi+354]
00498A45 |. 8B08 |mov ecx, dword ptr [eax]
00498A47 |. FF51 64 |call dword ptr [ecx+64]
00498A4A |. E9 72010000 |jmp 00498BC1
00498A4F |> 43 |inc ebx
00498A50 |. 83FB 06 |cmp ebx, 6
00498A53 |.^ 75 90 \jnz short 004989E5 走到这里有一个回跳向上,因为注册码一段有5位,这里是验证第一段的5位注册码的正确,会回跳5次,5次后,JNZ会向上跳转失败程序走到第二段注册码的验证代码
和第一段一样,一直到四段走完,每一段的那个JE跳转都要修改得让它成功,方法很多,懒人就改JMP吧
这就是程序启动向注册表读取注册码时验证的地方,一共有四段,因为注册填的时候是按四段填的,
所以这里也是一段一段的验证的
当这四处修改完另存为后,再打开程序就发现软件注册的菜单没了
------------------------------------------------------------------------
【破解总结】每次到了夜深人静的时候我总是睡不着 我怀疑是不是只有我明天没有变的更好
未来会怎样究竟有谁会知道 幸福是否只是一种传说我永远都找不到
总的来说很简单!主要目的是看看我的OD还能用不,没想到还能用,嘿嘿。真神奇
------------------------------------------------------------------------
【版权声明】
打死也不承认
[ 本帖最后由 hackhd 于 2008-8-30 22:04 编辑 ]