【破文标题】Asterisk Recovery Genie追码+算法+注册分析BY傻人有傻福
【破文作者】傻人有傻福
【作者邮箱】
【作者主页】
【破解工具】PEID+DEDE+OD
【破解平台】WINDOWS XP
【软件名称】Asterisk Recovery Genie
【软件大小】822K
【原版下载】http://www.onlinedown.net/soft/63077.htm
【保护方式】注册码+重启验证
【软件简介】是一款密码恢复软件,在你忘记密码的时候他很有用的.包括自动显示ie浏览器里form中的*字符等,支持多语言密码。
【破解声明】只为讨论、学习与分享破解技术,勿用于非法用途,请多多支持软件开发者!
------------------------------------------------------------------------
强烈建议大家先看下我写的破解总结
【破解过程】 拿到软件先查壳:Delphi程序,无壳。DEDE出手,查得注册事件地址在0048AAF4。OD载入,在0048AAF4下断,代码如下:(只选取比较有用的代码)
0048AB1C |. 8B45 F8 mov eax,[local.2] ; 取用户名
0048AB1F |. 8D55 FC lea edx,[local.1]
0048AB22 |. E8 F1D4F7FF call Asterisk.00408018
0048AB27 |. 8B45 FC mov eax,[local.1]
0048AB2A |. E8 3598F7FF call Asterisk.00404364
0048AB2F |. 85C0 test eax,eax ; 判断是否输入用户名
0048AB31 |. 75 1A jnz short Asterisk.0048AB4D
0048AB33 |. B8 ECAB4800 mov eax,Asterisk.0048ABEC ; ASCII "Please input regname!"
0048AB38 |. E8 27EEF9FF call Asterisk.00429964
0048AB3D |. 8B83 0C030000 mov eax,dword ptr ds:[ebx+30C]
0048AB43 |. 8B10 mov edx,dword ptr ds:[eax]
0048AB45 |. FF92 C4000000 call dword ptr ds:[edx+C4]
0048AB4B |. EB 5D jmp short Asterisk.0048ABAA
0048AB4D |> 8D55 F0 lea edx,[local.4]
0048AB50 |. 8B83 14030000 mov eax,dword ptr ds:[ebx+314]
0048AB56 |. E8 C1B6FBFF call Asterisk.0044621C
0048AB5B |. 8B45 F0 mov eax,[local.4] ; 取注册码
0048AB5E |. 8D55 F4 lea edx,[local.3]
0048AB61 |. E8 B2D4F7FF call Asterisk.00408018
0048AB66 |. 8B45 F4 mov eax,[local.3]
0048AB69 |. E8 F697F7FF call Asterisk.00404364
0048AB6E |. 85C0 test eax,eax ; 判断是否输入注册码
0048AB70 |. 75 1A jnz short Asterisk.0048AB8C
0048AB72 |. B8 0CAC4800 mov eax,Asterisk.0048AC0C ; ASCII "Please input regcode!"
0048AB77 |. E8 E8EDF9FF call Asterisk.00429964
0048AB7C |. 8B83 14030000 mov eax,dword ptr ds:[ebx+314]
0048AB82 |. 8B10 mov edx,dword ptr ds:[eax]
0048AB84 |. FF92 C4000000 call dword ptr ds:[edx+C4]
0048AB8A |. EB 1E jmp short Asterisk.0048ABAA
0048AB8C |> 8BC3 mov eax,ebx
0048AB8E |. E8 31FEFFFF call Asterisk.0048A9C4 ; 关键CALL
0048AB93 |. 84C0 test al,al
0048AB95 |. 74 09 je short Asterisk.0048ABA0
0048AB97 |. 8BC3 mov eax,ebx
0048AB99 |. E8 0AFDFFFF call Asterisk.0048A8A8
0048AB9E |. EB 0A jmp short Asterisk.0048ABAA
0048ABA0 |> B8 2CAC4800 mov eax,Asterisk.0048AC2C ; ASCII "Regcode error!"
------------------------------------------------------------------------------------------------------
我们跟进上面的关键CALL来看看:(也是选取了比较有用的部分)
0048A9EE |. 8B45 F8 mov eax,[local.2] ; 取假码
0048A9F1 |. 8D55 FC lea edx,[local.1]
0048A9F4 |. E8 1FD6F7FF call Asterisk.00408018
0048A9F9 |. 8B45 FC mov eax,[local.1] ; 取假码
0048A9FC |. 50 push eax
0048A9FD |. 8D55 EC lea edx,[local.5]
0048AA00 |. 8B86 0C030000 mov eax,dword ptr ds:[esi+30C]
0048AA06 |. E8 11B8FBFF call Asterisk.0044621C
0048AA0B |. 8B45 EC mov eax,[local.5] ; 取用户名
0048AA0E |. 8D55 F0 lea edx,[local.4]
0048AA11 |. E8 02D6F7FF call Asterisk.00408018
0048AA16 |. 8B55 F0 mov edx,[local.4] ; 取用户名
0048AA19 |. 8D4D F4 lea ecx,[local.3]
0048AA1C |. 8BC6 mov eax,esi
0048AA1E |. E8 91FCFFFF call Asterisk.0048A6B4 ; 算法CALL
0048AA23 |. 8B55 F4 mov edx,[local.3] ; 出现真码
0048AA26 |. 58 pop eax
0048AA27 |. E8 849AF7FF call Asterisk.004044B0 ; 可以做内存注册机的地方
0048AA2C |. 75 1C jnz short Asterisk.0048AA4A
0048AA2E |. B3 01 mov bl,1
0048AA30 |. 8BC6 mov eax,esi
0048AA32 |. E8 71FEFFFF call Asterisk.0048A8A8
0048AA37 |. B8 98AA4800 mov eax,Asterisk.0048AA98 ; ASCII "Register success!"
-----------------------------------------------------------------------------------------------------
我们再来看看算法CALL吧:(这次是比较完整的)
; Routine 0048A6B4: builds the expected registration code from the user name.
; In (as loaded by the caller at 0048AA16-0048AA1E): edx = user name string,
;     ecx = address of the variable that receives the result, eax = caller's esi.
; The helper routines called here (00404364, 0040436C, 004045C4, 00408394, ...) are not
; shown on this page; the roles given below follow the page author's annotations and the
; way the arguments are passed - TODO confirm against the binary.
; NOTE(review): as far as this listing shows, the only inputs are the user name and a
; constant string stored in the executable, and the caller compares the result with the
; entered code at 0048AA27, so the check relies on nothing secret.
0048A6B4 /$ 55 push ebp ; standard frame setup
0048A6B5 |. 8BEC mov ebp,esp
0048A6B7 |. 51 push ecx ; incoming ecx is parked in the slot addressed as [local.1]
0048A6B8 |. B9 04000000 mov ecx,4
0048A6BD |> 6A 00 /push 0
0048A6BF |. 6A 00 |push 0
0048A6C1 |. 49 |dec ecx
0048A6C2 |.^ 75 F9 \jnz short Asterisk.0048A6BD ; 4 passes x 2 pushes: eight zeroed dwords for locals
0048A6C4 |. 51 push ecx ; ecx is 0 after the loop: a ninth zeroed dword
0048A6C5 |. 874D FC xchg [local.1],ecx ; ecx = parked incoming value, [local.1] = 0
0048A6C8 |. 53 push ebx ; save the registers this routine overwrites
0048A6C9 |. 56 push esi
0048A6CA |. 57 push edi
0048A6CB |. 8BF9 mov edi,ecx ; edi = address of the caller's result variable
0048A6CD |. 8955 FC mov [local.1],edx ; [local.1] = user name
0048A6D0 |. 8B45 FC mov eax,[local.1]
0048A6D3 |. E8 7C9EF7FF call Asterisk.00404554 ; helper not shown; receives the user name in eax
0048A6D8 |. 33C0 xor eax,eax ; eax = 0 so fs:[eax] addresses fs:[0]
0048A6DA |. 55 push ebp
0048A6DB |. 68 75A84800 push Asterisk.0048A875 ; handler address for the exception frame
0048A6E0 |. 64:FF30 push dword ptr fs:[eax] ; previous handler link
0048A6E3 |. 64:8920 mov dword ptr fs:[eax],esp ; install the new exception frame
0048A6E6 |. 8BC7 mov eax,edi
0048A6E8 |. E8 B799F7FF call Asterisk.004040A4 ; helper not shown; presumably empties the result string - TODO confirm
0048A6ED |. 8B45 FC mov eax,[local.1]
0048A6F0 |. E8 6F9CF7FF call Asterisk.00404364 ; length of the user name (per the author's notes on this helper)
0048A6F5 |. 8BF0 mov esi,eax ; esi = characters left to process
0048A6F7 |. 85F6 test esi,esi
0048A6F9 |. 7E 26 jle short Asterisk.0048A721 ; nothing to do for an empty name
0048A6FB |. BB 01000000 mov ebx,1 ; ebx = 1-based character index
0048A700 |> 8D4D EC /lea ecx,[local.5] ; ecx = where the helper stores its text output
0048A703 |. 8B45 FC |mov eax,[local.1]
0048A706 |. 0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx-1] ; eax = current character of the user name
0048A70B |. 33D2 |xor edx,edx
0048A70D |. E8 82DCF7FF |call Asterisk.00408394 ; helper not shown; turns the character value into text (the author's example gives 50 for P)
0048A712 |. 8B55 EC |mov edx,[local.5]
0048A715 |. 8D45 F8 |lea eax,[local.2]
0048A718 |. E8 4F9CF7FF |call Asterisk.0040436C ; helper not shown; appends [local.5] to [local.2]
0048A71D |. 43 |inc ebx
0048A71E |. 4E |dec esi
0048A71F |.^ 75 DF \jnz short Asterisk.0048A700 ; repeat for every character
0048A721 |> 8B45 F8 mov eax,[local.2] ; [local.2] = the user name's ASCII codes joined into one string
0048A724 |. E8 3B9CF7FF call Asterisk.00404364 ; length of the ASCII-code string
0048A729 |. 8BF0 mov esi,eax ; esi = characters left to copy
0048A72B |. 85F6 test esi,esi
0048A72D |. 7E 2C jle short Asterisk.0048A75B
0048A72F |. BB 01000000 mov ebx,1 ; ebx = distance from the end of the string
0048A734 |> 8B45 F8 /mov eax,[local.2]
0048A737 |. E8 289CF7FF |call Asterisk.00404364 ; length of the ASCII-code string again
0048A73C |. 2BC3 |sub eax,ebx ; eax = length - ebx: offset counted back from the end
0048A73E |. 8B55 F8 |mov edx,[local.2]
0048A741 |. 8A1402 |mov dl,byte ptr ds:[edx+eax] ; dl = character at that offset
0048A744 |. 8D45 E8 |lea eax,[local.6]
0048A747 |. E8 409BF7FF |call Asterisk.0040428C ; helper not shown; presumably makes a one-character string in [local.6] - TODO confirm
0048A74C |. 8B55 E8 |mov edx,[local.6]
0048A74F |. 8D45 F4 |lea eax,[local.3]
0048A752 |. E8 159CF7FF |call Asterisk.0040436C ; append it to [local.3]
0048A757 |. 43 |inc ebx
0048A758 |. 4E |dec esi
0048A759 |.^ 75 D9 \jnz short Asterisk.0048A734
0048A75B |> 8D45 F8 lea eax,[local.2]
0048A75E |. 50 push eax ; destination of the substring: [local.2]
0048A75F |. B9 04000000 mov ecx,4 ; count = 4
0048A764 |. BA 01000000 mov edx,1 ; start position = 1
0048A769 |. 8B45 F4 mov eax,[local.3] ; [local.3] = ASCII-code string in reversed order
0048A76C |. E8 539EF7FF call Asterisk.004045C4 ; helper not shown; substring(source eax, start edx, count ecx) per the author's notes
0048A771 |. 8D45 F4 lea eax,[local.3]
0048A774 |. 50 push eax ; destination of the substring: [local.3] itself
0048A775 |. B9 04000000 mov ecx,4 ; count = 4
0048A77A |. BA 05000000 mov edx,5 ; start position = 5
0048A77F |. 8B45 F4 mov eax,[local.3]
0048A782 |. E8 3D9EF7FF call Asterisk.004045C4
0048A787 |. 8B45 F8 mov eax,[local.2] ; [local.2] = first 4 characters
0048A78A |. E8 D59BF7FF call Asterisk.00404364
0048A78F |. 83F8 04 cmp eax,4
0048A792 |. 7D 2F jge short Asterisk.0048A7C3 ; already 4 characters: no padding
0048A794 |. 8B45 F8 mov eax,[local.2]
0048A797 |. E8 C89BF7FF call Asterisk.00404364
0048A79C |. 8BD8 mov ebx,eax ; ebx = current length, used as the loop counter
0048A79E |. 83FB 03 cmp ebx,3
0048A7A1 |. 7F 20 jg short Asterisk.0048A7C3
0048A7A3 |> 8D4D E4 /lea ecx,[local.7]
0048A7A6 |. 8BC3 |mov eax,ebx
0048A7A8 |. C1E0 02 |shl eax,2 ; eax = ebx * 4
0048A7AB |. 33D2 |xor edx,edx
0048A7AD |. E8 E2DBF7FF |call Asterisk.00408394 ; same number-to-text helper as in the first loop
0048A7B2 |. 8B55 E4 |mov edx,[local.7]
0048A7B5 |. 8D45 F8 |lea eax,[local.2]
0048A7B8 |. E8 AF9BF7FF |call Asterisk.0040436C ; append the padding text to [local.2]
0048A7BD |. 43 |inc ebx
0048A7BE |. 83FB 04 |cmp ebx,4
0048A7C1 |.^ 75 E0 \jnz short Asterisk.0048A7A3 ; one pass for each counter value up to 3
0048A7C3 |> 8B45 F4 mov eax,[local.3] ; [local.3] = the next 4 characters
0048A7C6 |. E8 999BF7FF call Asterisk.00404364
0048A7CB |. 83F8 04 cmp eax,4
0048A7CE |. 7D 2F jge short Asterisk.0048A7FF ; already 4 characters: no padding
0048A7D0 |. 8B45 F4 mov eax,[local.3]
0048A7D3 |. E8 8C9BF7FF call Asterisk.00404364
0048A7D8 |. 8BD8 mov ebx,eax ; ebx = current length, used as the loop counter
0048A7DA |. 83FB 03 cmp ebx,3
0048A7DD |. 7F 20 jg short Asterisk.0048A7FF
0048A7DF |> 8D4D E0 /lea ecx,[local.8]
0048A7E2 |. 8BC3 |mov eax,ebx
0048A7E4 |. C1E0 02 |shl eax,2 ; eax = ebx * 4
0048A7E7 |. 33D2 |xor edx,edx
0048A7E9 |. E8 A6DBF7FF |call Asterisk.00408394
0048A7EE |. 8B55 E0 |mov edx,[local.8]
0048A7F1 |. 8D45 F4 |lea eax,[local.3]
0048A7F4 |. E8 739BF7FF |call Asterisk.0040436C ; append the padding text to [local.3]
0048A7F9 |. 43 |inc ebx
0048A7FA |. 83FB 04 |cmp ebx,4
0048A7FD |.^ 75 E0 \jnz short Asterisk.0048A7DF
0048A7FF |> 8D45 F0 lea eax,[local.4]
0048A802 |. BA 8CA84800 mov edx,Asterisk.0048A88C ; ASCII "Astris58ef88e"
0048A807 |. E8 3099F7FF call Asterisk.0040413C ; helper not shown; presumably assigns the constant to [local.4] - TODO confirm
0048A80C |. 8D45 DC lea eax,[local.9]
0048A80F |. 50 push eax ; destination of the substring: [local.9]
0048A810 |. B9 04000000 mov ecx,4 ; count = 4
0048A815 |. BA 01000000 mov edx,1 ; start position = 1
0048A81A |. 8B45 F0 mov eax,[local.4] ; the constant string loaded above
0048A81D |. E8 A29DF7FF call Asterisk.004045C4
0048A822 |. FF75 DC push [local.9] ; piece 1: first 4 characters of the constant
0048A825 |. 68 A4A84800 push Asterisk.0048A8A4 ; piece 2: string at 0048A8A4 (content not shown; the author's example implies "-")
0048A82A |. FF75 F8 push [local.2] ; piece 3: first 4 characters of the reversed ASCII-code string
0048A82D |. 8D45 D8 lea eax,[local.10]
0048A830 |. 50 push eax ; destination of the substring: [local.10]
0048A831 |. B9 05000000 mov ecx,5 ; count = 5
0048A836 |. BA 05000000 mov edx,5 ; start position = 5
0048A83B |. 8B45 F0 mov eax,[local.4] ; the same constant string
0048A83E |. E8 819DF7FF call Asterisk.004045C4
0048A843 |. FF75 D8 push [local.10] ; piece 4: the next 5 characters of the constant
0048A846 |. 68 A4A84800 push Asterisk.0048A8A4 ; piece 5: the same string at 0048A8A4
0048A84B |. FF75 F4 push [local.3] ; piece 6: the next 4 characters of the reversed ASCII-code string
0048A84E |. 8BC7 mov eax,edi ; eax = address of the caller's result variable
0048A850 |. BA 06000000 mov edx,6 ; number of pieces pushed above
0048A855 |. E8 CA9BF7FF call Asterisk.00404424 ; helper not shown; joins the 6 pieces into the result, per the author's summary
0048A85A |. 33C0 xor eax,eax
0048A85C |. 5A pop edx ; edx = previous handler link saved at 0048A6E0
0048A85D |. 59 pop ecx
0048A85E |. 59 pop ecx
0048A85F |. 64:8910 mov dword ptr fs:[eax],edx ; remove this routine's exception frame
0048A862 |. 68 7CA84800 push Asterisk.0048A87C ; address the retn below continues at
0048A867 |> 8D45 D8 lea eax,[local.10]
0048A86A |. BA 0A000000 mov edx,0A ; count 0A = the ten locals from [local.10] upward
0048A86F |. E8 5498F7FF call Asterisk.004040C8 ; helper not shown; presumably releases the temporary strings - TODO confirm
0048A874 \. C3 retn ; continues at 0048A87C pushed above; the code there is not shown
------------------------------------------------------------------------------------------------------
算法总结:先把用户名的每个字符转成十六进制的ASCII码,并把它们连成一串。比如用户名是PYGPYG,P的ASCII值是十六进制50,Y是59,G是47,所以PYGPYG先变成505947505947。然后把这串字符串颠倒,变成749805749505,再与软件内置的字符串进行拼接。拼接的方法是:内置字符串Astris58ef88e分别取前4位Astr和接着的5位is58e;用户名ASCII串颠倒后先取前4位,再取接着的4位,拼接成Astr-7498is58e-0574这种形式。
本以为算法都出来了应该就解决了,可是有了一些意外。软件重新启动后提示注册码不合法请重新购买,真是有点好笑啊,算法都解决了怎么还有问题呢?我们接着来分析一下,软件重新启动后提示注册码不合法,这证明软件在启动时读取了注册码,那这个注册码放在哪里呢?先来看最一般的情况,软件是放在注册表中吗?我们在注册表中搜索一下刚才的注册码,找到了,键名为Pass。好,我们OD载入查找一下这个Pass。
我们找到2处,一处是0048A933,这里是存注册码的地方,另一处是0048BFC6,这里就是软件启动时读取的位置了,我们来看一下这部分的代码:(选取比较有用的地方)
0048C0EC . E8 D384F7FF call Asterisk.004045C4
0048C0F1 . 8B45 C8 mov eax,dword ptr ss:[ebp-38] ; 取用户名前2位
0048C0F4 . BA 9CC34800 mov edx,Asterisk.0048C39C ; ASCII "As"
0048C0F9 . E8 B283F7FF call Asterisk.004044B0
0048C0FE 75 4C jnz short Asterisk.0048C14C ; 比较用户名前两位是不是As
0048C100 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C103 . 8B80 90030000 mov eax,dword ptr ds:[eax+390]
0048C109 . E8 5682F7FF call Asterisk.00404364 ; 取用户名位数
0048C10E . 83F8 04 cmp eax,4 ; 比较用户名是否为4位
0048C111 75 39 jnz short Asterisk.0048C14C
0048C113 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C116 . C680 8C030000 00 mov byte ptr ds:[eax+38C],0
0048C11D . BA A8C34800 mov edx,Asterisk.0048C3A8 ; ASCII "Asterisk Recovery Genie V1.20"
0048C122 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C125 . E8 22A1FBFF call Asterisk.0044624C
0048C12A . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C12D . 8B80 58030000 mov eax,dword ptr ds:[eax+358]
0048C133 . 33D2 xor edx,edx
0048C135 . E8 1672FCFF call Asterisk.00453350
0048C13A . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C13D . 8B80 54030000 mov eax,dword ptr ds:[eax+354]
0048C143 . 33D2 xor edx,edx
0048C145 . E8 C2C8FCFF call Asterisk.00458A0C
0048C14A . EB 3F jmp short Asterisk.0048C18B
0048C14C > 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C14F . C680 8C030000 01 mov byte ptr ds:[eax+38C],1
0048C156 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C159 . 8B80 1C030000 mov eax,dword ptr ds:[eax+31C]
0048C15F . 33D2 xor edx,edx
0048C161 . E8 E26EFCFF call Asterisk.00453048
0048C166 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C169 . 8B80 2C030000 mov eax,dword ptr ds:[eax+32C]
0048C16F . 33D2 xor edx,edx
0048C171 . E8 D26EFCFF call Asterisk.00453048
0048C176 . 6A 00 push 0 ; /Arg1 = 00000000
0048C178 . 66:8B0D C8C34800 mov cx,word ptr ds:[48C3C8] ; |
0048C17F . B2 03 mov dl,3 ; |
0048C181 . B8 D4C34800 mov eax,Asterisk.0048C3D4 ; |ASCII "RegCode is invalid,You must buy it again!"
0048C186 . E8 E1D6F9FF call Asterisk.0042986C ; \Asterisk.0042986C
0048C18B > 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C18E . 80B8 8C030000 00 cmp byte ptr ds:[eax+38C],0
0048C195 . 0F84 EE000000 je Asterisk.0048C289
0048C19B . DD45 E0 fld qword ptr ss:[ebp-20]
0048C19E . DC65 E8 fsub qword ptr ss:[ebp-18]
0048C1A1 . DD5D D8 fstp qword ptr ss:[ebp-28]
0048C1A4 . 9B wait
0048C1A5 . D905 00C44800 fld dword ptr ds:[48C400]
0048C1AB . DC65 D8 fsub qword ptr ss:[ebp-28]
0048C1AE . E8 C968F7FF call Asterisk.00402A7C
0048C1B3 . 8BD8 mov ebx,eax
0048C1B5 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C1B8 . 8998 98030000 mov dword ptr ds:[eax+398],ebx
0048C1BE . 85DB test ebx,ebx
0048C1C0 . 7D 0B jge short Asterisk.0048C1CD
0048C1C2 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C1C5 . 33D2 xor edx,edx
0048C1C7 . 8990 98030000 mov dword ptr ds:[eax+398],edx
0048C1CD > 68 0CC44800 push Asterisk.0048C40C ; ASCII "Asterisk Recovery Genie V1.20 (No register, "
0048C1D2 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C1D5 . DB80 98030000 fild dword ptr ds:[eax+398]
0048C1DB . 83C4 F4 add esp,-0C
0048C1DE . DB3C24 fstp tbyte ptr ss:[esp] ; |
0048C1E1 . 9B wait ; |
0048C1E2 . 8D45 C0 lea eax,dword ptr ss:[ebp-40] ; |
0048C1E5 . E8 2AD5F7FF call Asterisk.00409714 ; \Asterisk.00409714
0048C1EA . FF75 C0 push dword ptr ss:[ebp-40]
0048C1ED . 68 44C44800 push Asterisk.0048C444 ; ASCII " days left)"
0048C1F2 . 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
0048C1F5 . BA 03000000 mov edx,3
0048C1FA . E8 2582F7FF call Asterisk.00404424
0048C1FF . 8B55 C4 mov edx,dword ptr ss:[ebp-3C]
0048C202 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C205 . E8 42A0FBFF call Asterisk.0044624C
0048C20A . DD45 D8 fld qword ptr ss:[ebp-28]
0048C20D . D81D 00C44800 fcomp dword ptr ds:[48C400]
0048C213 . DFE0 fstsw ax
0048C215 . 9E sahf
0048C216 . 77 0E ja short Asterisk.0048C226
0048C218 . DD45 D8 fld qword ptr ss:[ebp-28]
0048C21B . D81D 50C44800 fcomp dword ptr ds:[48C450]
0048C221 . DFE0 fstsw ax
0048C223 . 9E sahf
0048C224 . 73 63 jnb short Asterisk.0048C289
0048C226 > 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C229 . 8B80 1C030000 mov eax,dword ptr ds:[eax+31C]
0048C22F . 33D2 xor edx,edx
0048C231 . E8 126EFCFF call Asterisk.00453048
0048C236 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C239 . 8B80 2C030000 mov eax,dword ptr ds:[eax+32C]
0048C23F . 33D2 xor edx,edx
0048C241 . E8 026EFCFF call Asterisk.00453048
0048C246 . 6A 24 push 24
0048C248 . 68 54C44800 push Asterisk.0048C454 ; ASCII "Thank you for trying Asterisk Recovery Genie 10 days"
0048C24D . 68 8CC44800 push Asterisk.0048C48C ; ASCII "Your trial period has expired,Would you like to buy Asterisk Recovery Genie?"
0048C252 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C255 . E8 BE08FCFF call Asterisk.0044CB18
0048C25A . 50 push eax ; |hOwner
0048C25B . E8 E4A6F7FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0048C260 . 83F8 06 cmp eax,6
0048C263 . 75 24 jnz short Asterisk.0048C289
0048C265 . 6A 05 push 5
0048C267 . 68 DCC44800 push Asterisk.0048C4DC
0048C26C . 68 DCC44800 push Asterisk.0048C4DC
0048C271 . 68 E0C44800 push Asterisk.0048C4E0 ; ASCII "https://www.qwerks.com/order/buynow.asp?ProductID=7725"
0048C276 . 68 18C54800 push Asterisk.0048C518 ; ASCII "open"
0048C27B . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C27E . E8 9508FCFF call Asterisk.0044CB18
0048C283 . 50 push eax ; |hWnd
0048C284 . E8 2FC4F9FF call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA
0048C289 > 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0048C28C . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C28F . E8 20040000 call Asterisk.0048C6B4
0048C294 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C297 . 8B80 1C030000 mov eax,dword ptr ds:[eax+31C]
0048C29D . 8078 6A 00 cmp byte ptr ds:[eax+6A],0
0048C2A1 . 74 0B je short Asterisk.0048C2AE
0048C2A3 . 8B55 F8 mov edx,dword ptr ss:[ebp-8]
0048C2A6 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0048C2A9 . E8 4EF9FFFF call Asterisk.0048BBFC
0048C2AE > 33C0 xor eax,eax
0048C2B0 . 5A pop edx
0048C2B1 . 59 pop ecx
0048C2B2 . 59 pop ecx
0048C2B3 . 64:8910 mov dword ptr fs:[eax],edx
0048C2B6 . 68 D8C24800 push Asterisk.0048C2D8
0048C2BB > 8D45 C0 lea eax,dword ptr ss:[ebp-40]
0048C2BE . BA 06000000 mov edx,6
0048C2C3 . E8 007EF7FF call Asterisk.004040C8
0048C2C8 . 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0048C2CB . E8 D47DF7FF call Asterisk.004040A4
0048C2D0 . C3 retn
0048C2D1 .^ E9 4E77F7FF jmp Asterisk.00403A24
0048C2D6 .^ EB E3 jmp short Asterisk.0048C2BB
0048C2D8 . 5F pop edi
0048C2D9 . 5E pop esi
0048C2DA . 5B pop ebx
0048C2DB . 8BE5 mov esp,ebp
0048C2DD . 5D pop ebp
0048C2DE . C3 retn
-------------------------------------------------------------------------------------------------------
大家看明白了吧,软件要求用户名前2位一定要是As,用户名位数一定要是4位,只要符合这两点,再加上已经弄清算法的注册码就可以了。我们从代码上可以看出用户名这部分符合条件的话就可以跳过像:软件还有10天试用,还剩多少天啊,注册码不合法,这些乱七八糟的东西,软件界面也变成了Asterisk Recovery Genie V1.20而不是Asterisk Recovery Genie V1.20 (No register)的了,打开软件看下ABOUT 也已经提示注册给我们了。这样我们就既解决了一个软件,又学习了破解,好高兴啊!
------------------------------------------------------------------------
【破解总结】 这个软件我觉得真的是教科书版的软件,它的追码,算法,重启验证都很基础,很适合我等菜鸟学习,我强烈建议看我的破文之前先自己拿这个软件练习一下,这个软件真的是学习破解的经典试练品,只有自己动手了才能学好破解,光看的话是很难看懂的,希望大家能自己动手先弄一下。
最后感谢PYG带领我走进破解学习的大门,欢迎大家有空来PYG看看!
------------------------------------------------------------------------
【版权声明】破文版权归我,转载版权归你。欢迎转载,转载请注明出处,不用注明作者了,我水平比较菜,怕丢人*^_^*
[ 本帖最后由 傻人有傻福 于 2007-12-30 13:46 编辑 ] |