RegEditer V3.1
http://www.skycn.com/soft/6873.html
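Only Game! The software's protection is simple; experts can skip this one~~ beginners can treat it as practice.
When registering, setting the universal breakpoint is enough. The algorithm is fairly simple, so I won't write much about it here.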
004DA481 |. E8 0E1AF7FF CALL RegEdite.0044BE94
004DA486 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; returns here after the universal breakpoint is hit
004DA489 |. E8 2678FCFF CALL RegEdite.004A1CB4
004DA48E |. 84C0 TEST AL,AL
004DA490 |. 0F84 80000000 JE RegEdite.004DA516
004DA496 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004DA499 |. 8B83 F4020000 MOV EAX,DWORD PTR DS:[EBX+2F4]
004DA49F |. E8 F019F7FF CALL RegEdite.0044BE94
004DA4A4 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004DA4A7 |. 50 PUSH EAX
004DA4A8 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004DA4AB |. 8B83 04030000 MOV EAX,DWORD PTR DS:[EBX+304]
004DA4B1 |. E8 DE19F7FF CALL RegEdite.0044BE94
004DA4B6 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004DA4B9 |. A1 60E24E00 MOV EAX,DWORD PTR DS:[4EE260]
004DA4BE |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004DA4C0 |. 59 POP ECX
004DA4C1 |. E8 3E720000 CALL RegEdite.004E1704 ; saves the registration info to the registry here
004DA4C6 |. 84C0 TEST AL,AL
004DA4C8 |. 74 27 JE SHORT RegEdite.004DA4F1
004DA4CA |. C783 4C020000>MOV DWORD PTR DS:[EBX+24C],1
004DA4D4 |. 66:B8 F100 MOV AX,0F1
004DA4D8 |. E8 D78DFCFF CALL RegEdite.004A32B4
004DA4DD |. 8BD0 MOV EDX,EAX
004DA4DF |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004DA4E2 |. E8 11A0F2FF CALL RegEdite.004044F8
004DA4E7 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004DA4EA |. E8 C923FCFF CALL RegEdite.0049C8B8 ; this CALL pops up the registration-success message
004DA4EF |. EB 40 JMP SHORT RegEdite.004DA531
The algorithm CALL is as follows:
004A1CB4 $ 55 PUSH EBP
004A1CB5 . 8BEC MOV EBP,ESP
004A1CB7 . 33C9 XOR ECX,ECX
004A1CB9 . 51 PUSH ECX
004A1CBA . 51 PUSH ECX
004A1CBB . 51 PUSH ECX
004A1CBC . 51 PUSH ECX
004A1CBD . 51 PUSH ECX
004A1CBE . 53 PUSH EBX
004A1CBF . 56 PUSH ESI
004A1CC0 . 57 PUSH EDI
004A1CC1 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004A1CC4 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004A1CC7 . E8 DC2AF6FF CALL RegEdite.004047A8
004A1CCC . 33C0 XOR EAX,EAX
004A1CCE . 55 PUSH EBP
004A1CCF . 68 271E4A00 PUSH RegEdite.004A1E27
004A1CD4 . 64:FF30 PUSH DWORD PTR FS:[EAX]
004A1CD7 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
004A1CDA . 33DB XOR EBX,EBX
004A1CDC . 33C0 XOR EAX,EAX
004A1CDE . 55 PUSH EBP
004A1CDF . 68 001E4A00 PUSH RegEdite.004A1E00
004A1CE4 . 64:FF30 PUSH DWORD PTR FS:[EAX]
004A1CE7 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
004A1CEA . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004A1CED . E8 CE28F6FF CALL RegEdite.004045C0
004A1CF2 . 83F8 16 CMP EAX,16
004A1CF5 . 74 0D JE SHORT RegEdite.004A1D04 ; the registration code is 22 characters long
004A1CF7 . 33C0 XOR EAX,EAX
004A1CF9 . 5A POP EDX
004A1CFA . 59 POP ECX
004A1CFB . 59 POP ECX
004A1CFC . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004A1CFF . E9 08010000 JMP RegEdite.004A1E0C
004A1D04 > 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004A1D07 . E8 FC25F6FF CALL RegEdite.00404308
004A1D0C . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004A1D0F . BA 401E4A00 MOV EDX,RegEdite.004A1E40 ; K
004A1D14 . E8 AF28F6FF CALL RegEdite.004045C8
004A1D19 . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004A1D1C . BA 4C1E4A00 MOV EDX,RegEdite.004A1E4C ; G
004A1D21 . E8 A228F6FF CALL RegEdite.004045C8
004A1D26 . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004A1D29 . BA 581E4A00 MOV EDX,RegEdite.004A1E58 ; L
004A1D2E . E8 9528F6FF CALL RegEdite.004045C8
004A1D33 . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004A1D36 . BA 641E4A00 MOV EDX,RegEdite.004A1E64 ; -
004A1D3B . E8 8828F6FF CALL RegEdite.004045C8
004A1D40 . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004A1D43 . E8 702AF6FF CALL RegEdite.004047B8
004A1D48 . 50 PUSH EAX
004A1D49 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004A1D4C . E8 672AF6FF CALL RegEdite.004047B8
004A1D51 . 8BF0 MOV ESI,EAX
004A1D53 . 8BC6 MOV EAX,ESI
004A1D55 . 5A POP EDX
004A1D56 . E8 8D76F6FF CALL RegEdite.004093E8 ; the first four characters of the registration code must be "KGL-"
004A1D5B . 8BF8 MOV EDI,EAX
004A1D5D . 3BFE CMP EDI,ESI
004A1D5F . 74 0D JE SHORT RegEdite.004A1D6E
004A1D61 . 33C0 XOR EAX,EAX
004A1D63 . 5A POP EDX
004A1D64 . 59 POP ECX
004A1D65 . 59 POP ECX
004A1D66 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004A1D69 . E9 9E000000 JMP RegEdite.004A1E0C
004A1D6E > 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004A1D71 . 8078 03 2D CMP BYTE PTR DS:[EAX+3],2D
004A1D75 . 75 12 JNZ SHORT RegEdite.004A1D89 ; the 4th character must be "-"
004A1D77 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004A1D7A . 8078 0A 2D CMP BYTE PTR DS:[EAX+A],2D
004A1D7E . 75 09 JNZ SHORT RegEdite.004A1D89 ; the 11th character must be "-"
004A1D80 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004A1D83 . 8078 0F 2D CMP BYTE PTR DS:[EAX+F],2D
004A1D87 . 74 0A JE SHORT RegEdite.004A1D93 ; the 16th character must be "-"
004A1D89 > 33C0 XOR EAX,EAX
004A1D8B . 5A POP EDX
004A1D8C . 59 POP ECX
004A1D8D . 59 POP ECX
004A1D8E . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004A1D91 . EB 79 JMP SHORT RegEdite.004A1E0C
004A1D93 > 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004A1D96 . 50 PUSH EAX
004A1D97 . B9 06000000 MOV ECX,6
004A1D9C . BA 05000000 MOV EDX,5
004A1DA1 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004A1DA4 . E8 6F2AF6FF CALL RegEdite.00404818
004A1DA9 . 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004A1DAC . 50 PUSH EAX
004A1DAD . B9 04000000 MOV ECX,4
004A1DB2 . BA 0C000000 MOV EDX,0C
004A1DB7 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004A1DBA . E8 592AF6FF CALL RegEdite.00404818
004A1DBF . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004A1DC2 . 50 PUSH EAX
004A1DC3 . B9 06000000 MOV ECX,6
004A1DC8 . BA 11000000 MOV EDX,11
004A1DCD . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004A1DD0 . E8 432AF6FF CALL RegEdite.00404818
004A1DD5 . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
004A1DD8 . 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004A1DDB . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004A1DDE . E8 95FBFFFF CALL RegEdite.004A1978 ; algorithm CALL
004A1DE3 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; last 6 characters of the KEY
004A1DE6 . 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10] ; result computed from the middle 10 characters
004A1DE9 . E8 1629F6FF CALL RegEdite.00404704 ; compare
004A1DEE . 75 04 JNZ SHORT RegEdite.004A1DF4 ; no jump if equal // for a brute-force patch, this can be NOPed
004A1DF0 . B3 01 MOV BL,1
004A1DF2 . EB 02 JMP SHORT RegEdite.004A1DF6
004A1DF4 > 33DB XOR EBX,EBX
004A1DF6 > 33C0 XOR EAX,EAX
004A1DF8 . 5A POP EDX
004A1DF9 . 59 POP ECX
004A1DFA . 59 POP ECX
004A1DFB . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004A1DFE . EB 0C JMP SHORT RegEdite.004A1E0C
004A1E00 .^ E9 771CF6FF JMP RegEdite.00403A7C
004A1E05 . 33DB XOR EBX,EBX
004A1E07 . E8 D81FF6FF CALL RegEdite.00403DE4
004A1E0C > 33C0 XOR EAX,EAX
004A1E0E . 5A POP EDX
004A1E0F . 59 POP ECX
004A1E10 . 59 POP ECX
004A1E11 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004A1E14 . 68 2E1E4A00 PUSH RegEdite.004A1E2E
004A1E19 > 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004A1E1C . BA 05000000 MOV EDX,5
004A1E21 . E8 0625F6FF CALL RegEdite.0040432C
004A1E26 . C3 RETN
The patch point for the check at restart is here:
004DC78C . B1 01 MOV CL,1
004DC78E . BA B0CA4D00 MOV EDX,RegEdite.004DCAB0 ; Software\Kugle\RegEditer
004DC793 . E8 4C7FF9FF CALL RegEdite.004746E4
004DC798 . 84C0 TEST AL,AL
004DC79A . 74 4D JE SHORT RegEdite.004DC7E9 ; checks whether this registry key is empty
004DC79C . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
004DC79F . 8B83 31060000 MOV EAX,DWORD PTR DS:[EBX+631]
004DC7A5 . BA D4CA4D00 MOV EDX,RegEdite.004DCAD4 ; AuthorizationCode
004DC7AA . E8 D180F9FF CALL RegEdite.00474880
004DC7AF . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
004DC7B2 . 8D83 56060000 LEA EAX,DWORD PTR DS:[EBX+656]
004DC7B8 . E8 9F7BF2FF CALL RegEdite.0040435C
004DC7BD . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004DC7C0 . 8B83 31060000 MOV EAX,DWORD PTR DS:[EBX+631]
004DC7C6 . BA F0CA4D00 MOV EDX,RegEdite.004DCAF0 ; UserName
004DC7CB . E8 B080F9FF CALL RegEdite.00474880
004DC7D0 . 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
004DC7D3 . 8D83 7F060000 LEA EAX,DWORD PTR DS:[EBX+67F]
004DC7D9 . E8 7E7BF2FF CALL RegEdite.0040435C
004DC7DE . 8B83 31060000 MOV EAX,DWORD PTR DS:[EBX+631]
004DC7E4 . E8 677EF9FF CALL RegEdite.00474650
004DC7E9 > 8B83 56060000 MOV EAX,DWORD PTR DS:[EBX+656]
004DC7EF . E8 C054FCFF CALL RegEdite.004A1CB4 ; comparison via the algorithm CALL
004DC7F4 . 84C0 TEST AL,AL
004DC7F6 . 74 46 JE SHORT RegEdite.004DC83E ; if it jumps, registration fails
004DC7F8 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004DC7FB . 50 PUSH EAX
004DC7FC . 66:B8 0100 MOV AX,1
004DC800 . E8 AF6AFCFF CALL RegEdite.004A32B4
004DC805 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX ; |
004DC808 . C645 D8 06 MOV BYTE PTR SS:[EBP-28],6 ; |
004DC80C . 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C] ; |
004DC80F . 33C9 XOR ECX,ECX ; |
004DC811 . B8 04CB4D00 MOV EAX,RegEdite.004DCB04 ; |Kugle RegEditer %s
004DC816 . E8 B9D1F2FF CALL RegEdite.004099D4 ; \RegEdite.004099D4
004DC81B . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
004DC81E . A1 F0054F00 MOV EAX,DWORD PTR DS:[4F05F0]
004DC823 . E8 9CF6F6FF CALL RegEdite.0044BEC4
004DC828 . C683 7E060000>MOV BYTE PTR DS:[EBX+67E],1
004DC82F . 8B83 6C030000 MOV EAX,DWORD PTR DS:[EBX+36C]
004DC835 . 33D2 XOR EDX,EDX
004DC837 . E8 341AF8FF CALL RegEdite.0045E270
004DC83C . EB 44 JMP SHORT RegEdite.004DC882
Or step into the algorithm CALL and patch there:
004A1DDE . E8 95FBFFFF CALL RegEdite.004A1978 ; algorithm CALL
004A1DE3 . 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004A1DE6 . 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
004A1DE9 . E8 1629F6FF CALL RegEdite.00404704
004A1DEE . 75 04 JNZ SHORT RegEdite.004A1DF4 ; or NOP this
004A1DF0 . B3 01 MOV BL,1
004A1DF2 . EB 02 JMP SHORT RegEdite.004A1DF6
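Here is one KEY: KGL-999999-Nisy-OBPDFA
A brief description of the algorithm:
The first four characters must be "KGL-";
The 4th, 11th and 16th characters must be "-";
The last six characters of the KEY are derived from the middle ten characters "999999Nisy" through a certain computation;
The software compares the computed result with the last six characters saved in the registry; if they are equal, it is the registered version.
Short on time, so this is just a quick write-up. Anyone interested can analyze it themselves. Happy New Year, everyone~~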
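The structural checks in the listing at 004A1CB4, restated in Python as an added example (not part of the original post and not code from the program). The names split_key, KeyFields and delphi_copy are hypothetical, and it assumes the helper at 004A1978's caller, 00404818, is a 1-based substring copy (index in EDX, count in ECX), which matches the post's "999999Nisy" reading. The derivation inside 004A1978 is not shown on the page and is not reproduced.

```python
# Added example: only the layout checks visible in the listing at 004A1CB4.
from typing import NamedTuple, Optional

KEY_LEN = 0x16                  # CMP EAX,16 at 004A1CF2
PREFIX = "KGL-"                 # assembled from "K","G","L","-" at 004A1D0F..004A1D3B
DASH_OFFSETS = (0x3, 0xA, 0xF)  # CMP BYTE PTR DS:[EAX+3 / +A / +F],2D (0-based offsets)


class KeyFields(NamedTuple):
    part_a: str   # ECX=6, EDX=5    -> [EBP-8], first input to 004A1978
    part_b: str   # ECX=4, EDX=0C   -> [EBP-C], second input to 004A1978
    check: str    # ECX=6, EDX=11   -> [EBP-14], compared at 004A1DE9


def delphi_copy(s: str, index: int, count: int) -> str:
    """Assumed behaviour of 00404818: substring copy with a 1-based index."""
    return s[index - 1:index - 1 + count]


def split_key(key: str) -> Optional[KeyFields]:
    """Return the fields the routine extracts, or None where it exits early."""
    if len(key) != KEY_LEN:                       # 004A1CF2
        return None
    if not key.startswith(PREFIX):                # 004A1D56 / 004A1D5D
        return None
    if any(key[off] != "-" for off in DASH_OFFSETS):  # 004A1D71..004A1D87
        return None
    return KeyFields(
        delphi_copy(key, 0x5, 6),
        delphi_copy(key, 0xC, 4),
        delphi_copy(key, 0x11, 6),
    )


if __name__ == "__main__":
    # The sample key is the one quoted in the post.
    print(split_key("KGL-999999-Nisy-OBPDFA"))
```

The post counts positions from 1 (4th, 11th, 16th) while the CMP instructions use 0-based offsets (3, 0A, 0F); the two descriptions refer to the same bytes.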