软件名称:神奇注册表 V1.81
下载地址:
http://www.skycn.com/soft/2998.html
首先查壳PECompact 1.68 - 1.84 -> Jeremy Collake
脱掉壳后——运行——输入注册码——用户名:xinldy 注册码:19831030——提示重新启动
用Ollydbg载入——查找字符串
发现可疑的地方:
mgwin.ini
username
reg
可知为ini文件重启验证
下断点:
bp GetPrivateProfileStringA
Ollydbg载入后运行14次后alt+f9来到:
00420C56 > \33C0 xor eax, eax
00420C58 > A3 7C314800 mov dword ptr [48317C], eax
00420C5D . 68 F4C04700 push 0047C0F4 ; ASCII "mgwin.ini"
00420C62 . 8D8424 880000>lea eax, dword ptr [esp+88]
00420C69 . 6A 14 push 14
00420C6B . 50 push eax
00420C6C . 68 60304800 push 00483060
00420C71 . 68 E8C04700 push 0047C0E8 ; ASCII "UserName"
00420C76 . 68 E4C04700 push 0047C0E4 ; ASCII "REG"
00420C7B . C68424 201700>mov byte ptr [esp+1720], 3
00420C83 . FFD5 call ebp
00420C85 . 68 F4C04700 push 0047C0F4 ; ASCII "mgwin.ini"
00420C8A . 8D4C24 60 lea ecx, dword ptr [esp+60]
00420C8E . 6A 14 push 14
00420C90 . 51 push ecx
00420C91 . 68 60304800 push 00483060
00420C96 . 68 E8E14700 push 0047E1E8 ; ASCII "RegCode"
00420C9B . 68 E4C04700 push 0047C0E4 ; ASCII "REG"
00420CA0 . 8BF8 mov edi, eax
00420CA2 . FFD5 call ebp
00420CA4 . 8B4C24 28 mov ecx, dword ptr [esp+28] ; 123.004830B8
00420CA8 . 8D5424 5C lea edx, dword ptr [esp+5C]
00420CAC . 8D8424 840000>lea eax, dword ptr [esp+84]
00420CB3 . 52 push edx
00420CB4 . 50 push eax
00420CB5 . E8 46080000 call 00421500
00420CBA . 85C0 test eax, eax
00420CBC . 74 0F je short 00420CCD
00420CBE . 83FF 04 cmp edi, 4
00420CC1 . C705 A0314800>mov dword ptr [4831A0], 1
00420CCB . 73 06 jnb short 00420CD3
00420CCD > 891D A0314800 mov dword ptr [4831A0], ebx
00420CD3 > 8D4C24 5C lea ecx, dword ptr [esp+5C]
00420CD7 . 51 push ecx
00420CD8 . 8B4C24 2C mov ecx, dword ptr [esp+2C]
00420CDC . E8 7F0B0000 call 00421860 关键call
00420CE1 . 85C0 test eax, eax
00420CE3 . 0F85 77010000 jnz 00420E60 必须跳!!
00420CE9 . 53 push ebx
00420CEA . 8D8C24 200600>lea ecx, dword ptr [esp+620]
00420CF1 . 891D A0314800 mov dword ptr [4831A0], ebx
00420CF7 . E8 B4880000 call 004295B0
00420CFC . 8D8C24 1C0600>lea ecx, dword ptr [esp+61C]
00420D03 . C68424 081700>mov byte ptr [esp+1708], 8
00420D0B . E8 23AE0200 call 0044BB33 出现注册框
在00420CDC下好断点——取消掉以前断点——重新运行
进入00420CDC . E8 7F0B0000 call 00421860中
代码如下:
0042185F 90 nop
00421860 /$ B8 FC2A0000 mov eax, 2AFC
00421865 |. E8 968E0100 call 0043A700
0042186A |. 66:A1 4CCD470>mov ax, word ptr [47CD4C]
00421870 |. 53 push ebx
00421871 |. 56 push esi
00421872 |. 57 push edi
00421873 |. 66:894424 0E mov word ptr [esp+E], ax
00421878 |. B9 26020000 mov ecx, 226
0042187D |. 33C0 xor eax, eax
0042187F |. 8DBC24 D81900>lea edi, dword ptr [esp+19D8]
00421886 |. F3:AB rep stos dword ptr es:[edi]
00421888 |. B9 26020000 mov ecx, 226
0042188D |. 8D7C24 10 lea edi, dword ptr [esp+10]
00421891 |. F3:AB rep stos dword ptr es:[edi]
00421893 |. B9 26020000 mov ecx, 226
00421898 |. 8DBC24 A80800>lea edi, dword ptr [esp+8A8]
0042189F |. F3:AB rep stos dword ptr es:[edi]
004218A1 |. B9 26020000 mov ecx, 226
004218A6 |. 8DBC24 401100>lea edi, dword ptr [esp+1140]
004218AD |. F3:AB rep stos dword ptr es:[edi]
004218AF |. B9 26020000 mov ecx, 226
004218B4 |. 8DBC24 702200>lea edi, dword ptr [esp+2270]
004218BB |. F3:AB rep stos dword ptr es:[edi]
004218BD |. 83C9 FF or ecx, FFFFFFFF
004218C0 |. BF 88F84700 mov edi, 0047F888 注册码出现ASCII "T309RW36,UKLGRP16,67KAOZ6R,96GZDSPH,FSHR0WIC,VSURZCU4,RWDTLYSC,ES14BUSQ,O3ZAK3CE,CCXTT49W,T2UXPCHA,G16ZC0Y9,4OU4N1WW,11X0C6N1,RY9N9FT8,Y7S5A0AF,9KFTZHUX,LHUOBUO1,30JQWLHW,MKBBH5AG,2R0JI7UV,F7WYPZGX,016HSYOT,AXP91IDA,VGGXTFR5,DUBGFKDW,GU0"...
004218C5 |. F2:AE repne scas byte ptr es:[edi]
004218C7 |. F7D1 not ecx
004218C9 |. 2BF9 sub edi, ecx
004218CB |. 8D9424 D81900>lea edx, dword ptr [esp+19D8]
004218D2 |. 8BC1 mov eax, ecx
004218D4 |. 8BF7 mov esi, edi
004218D6 |. C1E9 02 shr ecx, 2
004218D9 |. 8BFA mov edi, edx
004218DB |. 8D5424 10 lea edx, dword ptr [esp+10]
004218DF |. F3:A5 rep movs dword ptr es:[edi], dword p>
004218E1 |. 8BC8 mov ecx, eax
004218E3 |. 33C0 xor eax, eax
004218E5 |. 83E1 03 and ecx, 3
004218E8 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
004218EA |. BF A8F04700 mov edi, 0047F0A8 注册码出现ASCII "NB7DA55K,E0A8X5UP,31GHWNAF,I951DRH9,J8VE3CZA,QADVGEWK,4IT2ND2N,2XEWRWHZ,UZ9CTGRZ,N9ATBLHX,IWG8KZ4E,I4S4SMGL,V330S8D8,PFGSGNE6,GRKA7N1T,BM5USQL5,2IA05Y0O,VDQARR1Z,RDDAI03G,GIL03S6A,F9HRWLJN,GTQT21PG,BVB3G8XR,G1X0U5C4,EY6URGHD,WCR9C82K,WKO"...
004218EF |. 83C9 FF or ecx, FFFFFFFF
004218F2 |. F2:AE repne scas byte ptr es:[edi]
004218F4 |. F7D1 not ecx
004218F6 |. 2BF9 sub edi, ecx
004218F8 |. 8BC1 mov eax, ecx
004218FA |. 8BF7 mov esi, edi
004218FC |. 8BFA mov edi, edx
004218FE |. 8D9424 A80800>lea edx, dword ptr [esp+8A8]
00421905 |. C1E9 02 shr ecx, 2
00421908 |. F3:A5 rep movs dword ptr es:[edi], dword p>
0042190A |. 8BC8 mov ecx, eax
0042190C |. 33C0 xor eax, eax
0042190E |. 83E1 03 and ecx, 3
00421911 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
00421913 |. BF C8E84700 mov edi, 0047E8C8 注册码出现
ASCII "2U0G2RE0,XPOYL7RZ,P886PB9T,M0JEZGLJ,GFRAMAX1,NIH6T7KZ,A9RS82OT,R3EIEMLM,Z0T54K95,HJXQSF8X,ZE2ZSL7N,Q50VDAX7,FBCK22JF,JAU517SF,66YTY0VH,7XFETFG3,HCVDVIRG,Q414CO0U,AR30AFIH,FTJ3BRVY,MR7MBE5E,X68F1RSC,4K1EQ53D,6EXJKZJS,E56SHQ6Z,WRN1V1ZB,FO8"...
00421918 |. 83C9 FF or ecx, FFFFFFFF
0042191B |. F2:AE repne scas byte ptr es:[edi]
0042191D |. F7D1 not ecx
0042191F |. 2BF9 sub edi, ecx
00421921 |. 8BC1 mov eax, ecx
00421923 |. 8BF7 mov esi, edi
00421925 |. 8BFA mov edi, edx
00421927 |. 8D9424 401100>lea edx, dword ptr [esp+1140]
0042192E |. C1E9 02 shr ecx, 2
00421931 |. F3:A5 rep movs dword ptr es:[edi], dword p>
00421933 |. 8BC8 mov ecx, eax
00421935 |. 33C0 xor eax, eax
00421937 |. 83E1 03 and ecx, 3
0042193A |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
0042193C |. BF 9CE54700 mov edi, 0047E59C 注册码出现 ASCII "ZZVRZBLE,F7K02B3Q,WJK5EQEB,9ZHJLM1L,DAAPBIAK,JLUH4SCT,TO9QA2VL,SVBUPL9Z,NP0AJ4AU,OA8ZUI5G,4M19V7B7,YB24V2ZZ,VH3SOH59,BP0RQ0GR,GNDMKNPN,K7JS46XA,6WCXNIZI,WF69FS2Q,5JFXFGLM,HHWXL6Q1,9C4TPSIH,JCHVQWAZ,V47N0ONQ,8SY0HUB4,2V6NFQUO,4H2JKES9,YSQ"...
00421941 |. 83C9 FF or ecx, FFFFFFFF
00421944 |. F2:AE repne scas byte ptr es:[edi]
00421946 |. F7D1 not ecx
00421948 |. 2BF9 sub edi, ecx
0042194A |. 8BC1 mov eax, ecx
0042194C |. 8BF7 mov esi, edi
0042194E |. 8BFA mov edi, edx
00421950 |. C1E9 02 shr ecx, 2
00421953 |. F3:A5 rep movs dword ptr es:[edi], dword p>
00421955 |. 8BC8 mov ecx, eax
00421957 |. 83E1 03 and ecx, 3
0042195A |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
0042195C |. BF 28E34700 mov edi, 0047E328 注册码出现 ASCII "1288221711427,222902289010920,120922289000222,01082028001271201,010822290111922,02290029002190271210500,002907159210020,220781181250002,210807082212,2229022990220211,90190119128,201701189072112,212781187251702010,0207072590108,0207222872"...
00421961 |. 83C9 FF or ecx, FFFFFFFF
00421964 |. 33C0 xor eax, eax
00421966 |. 8D9424 702200>lea edx, dword ptr [esp+2270]
0042196D |. F2:AE repne scas byte ptr es:[edi]
0042196F |. F7D1 not ecx
00421971 |. 2BF9 sub edi, ecx
如果不是明码比较怎么办?
这里提供一种修改方法:
来到尾部此时注意代码!
修改前:
00421B74 |> \5F pop edi
00421B75 |. 5E pop esi
00421B76 |. 33C0 xor eax, eax 罪魁祸首
00421B78 |. 5B pop ebx
00421B79 |. 81C4 FC2A0000 add esp, 2AFC
00421B7F |. C2 0400 retn 4
00421B82 |> 5F pop edi
00421B83 |. 5E pop esi
00421B84 |. B8 01000000 mov eax, 1
00421B89 |. 5B pop ebx
00421B8A |. 81C4 FC2A0000 add esp, 2AFC
00421B90 \. C2 0400 retn 4
00421B93 90 nop
修改后:
00421B74 |> \5F pop edi
00421B75 |. 5E pop esi
00421B76 B0 01 mov al, 1
00421B78 5B pop ebx
00421B79 81C4 FC2A0000 add esp, 2AFC
00421B7F C2 0400 retn 4
00421B82 |> 5F pop edi
00421B83 |. 5E pop esi
00421B84 |. B8 01000000 mov eax, 1
00421B89 |. 5B pop ebx
00421B8A |. 81C4 FC2A0000 add esp, 2AFC
00421B90 \. C2 0400 retn 4
然后保存——运行一切正常!
注册文件保存在C:\WINDOWS\mgwin.ini中