【Title】Cracking notes for Collectify 1.75.1585
【Author】野猫III[D.4s]
【Tools】The usual ones: PEiD, W32DASM, UC32, OD
【Platform】Windows XP SP2
【Software】Collectify 1.75.1585
【Size】22,953KB
【Download】http://www6.skycn.com/soft/16113.html
【Protection】Time limit, registration key
【Description】An information-management program: you can build catalogues of any kind of material you want, such as photos, drawings, web pages, office documents, videos, phone numbers, addresses and schedules. Very convenient to use.
【Note】I am just a small newbie who has picked up a few insights and wants to share them with everyone :)
------------------------------------------------------------------------
1. Install the program with an arbitrary serial number. PEiD shows no packer; the program is a Microsoft Visual C++ 6.0 [Debug] program.
2. Load the program in OD, run it up to the registration step and get the error message "This is an invalid key." After clicking OK, return to OD and look for a string reference to it; nothing turns up.
The clumsy method I fall back on is to set a breakpoint on every call in the intermodular call list... look:
1) In OD, enter the command-line breakpoint bpx d; after confirming, the intermodular calls window opens.
2) Right-click and set a breakpoint on every call, then return to the program. Each time OD breaks, remove that breakpoint, until the program runs normally:
0045710A . E8 7FFB0000 CALL MyStuff.?PreTranslateMessage@CWinTh>; JMP to MFC42.#5289
// Only one place is left. Excellent!
3) Next, click OK in the Collectify 1.75 registration window to confirm registration. OD breaks in the program:
00427E9B . E8 74E30300 CALL MyStuff.??0CString@@QAE@XZ ; JMP to MFC42.#540 //F2,F9
00427EA0 . 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00427EA4 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00427EA7 . E8 68E30300 CALL MyStuff.??0CString@@QAE@XZ ; JMP to MFC42.#540 //F2,F9
00427EAC . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
00427EAF . C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00427EB3 . E8 5CE30300 CALL MyStuff.??0CString@@QAE@XZ ; JMP to MFC42.#540 //F2,F9
00427EB8 . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00427EBB . C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00427EBF . E8 50E30300 CALL MyStuff.??0CString@@QAE@XZ ; JMP to MFC42.#540 //F2,F9
00427EC4 . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00427EC7 . 8D8E E4000000 LEA ECX,DWORD PTR DS:[ESI+E4]
00427ECD . 50 PUSH EAX
00427ECE . C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
00427ED2 . E8 21E40300 CALL MyStuff.?GetWindowTextA@CWnd>; JMP to MFC42.#3874 //F2,F9
00427ED7 . 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00427EDA . 8D8E 24010000 LEA ECX,DWORD PTR DS:[ESI+124]
00427EE0 . 50 PUSH EAX
00427EE1 . E8 12E40300 CALL MyStuff.?GetWindowTextA@CWnd>; JMP to MFC42.#3874 //F2,F9
00427EE6 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00427EE9 . 8D8E 64010000 LEA ECX,DWORD PTR DS:[ESI+164]
00427EEF . 50 PUSH EAX
00427EF0 . E8 03E40300 CALL MyStuff.?GetWindowTextA@CWnd>; JMP to MFC42.#3874
// By this point we can see the second trial code we typed in. Reopen the intermodular calls window, right-click and delete all breakpoints. Single-step from here.
00427EF5 . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00427EF8 . 8D8E A4010000 LEA ECX,DWORD PTR DS:[ESI+1A4]
00427EFE . 50 PUSH EAX
00427EFF . E8 F4E30300 CALL MyStuff.?GetWindowTextA@CWnd>; JMP to MFC42.#3874
00427F04 . 8D86 EC010000 LEA EAX,DWORD PTR DS:[ESI+1EC] ; the Call fetches the fourth trial code
00427F0A . 8D4E 64 LEA ECX,DWORD PTR DS:[ESI+64]
00427F0D . 50 PUSH EAX
00427F0E . E8 E5E30300 CALL MyStuff.?GetWindowTextA@CWnd>; JMP to MFC42.#3874
00427F13 . 8D86 F0010000 LEA EAX,DWORD PTR DS:[ESI+1F0] ; the Call fetches the user name
00427F19 . 8D8E A4000000 LEA ECX,DWORD PTR DS:[ESI+A4]
00427F1F . 50 PUSH EAX
00427F20 . E8 D3E30300 CALL MyStuff.?GetWindowTextA@CWnd>; JMP to MFC42.#3874
00427F25 . FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; the Call fetches the company name
00427F28 . 8DBE E8010000 LEA EDI,DWORD PTR DS:[ESI+1E8]
00427F2E . FF75 EC PUSH DWORD PTR SS:[EBP-14]
00427F31 . FF75 E8 PUSH DWORD PTR SS:[EBP-18]
00427F34 . FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
00427F37 . 68 98EB4900 PUSH MyStuff.0049EB98 ; ASCII "%s-%s-%s-%s"
00427F3C . 57 PUSH EDI
00427F3D . E8 B0E30300 CALL MyStuff.?Format@CString@@QAA>; JMP to MFC42.#2818
00427F42 . FF37 PUSH DWORD PTR DS:[EDI]
00427F44 . FF96 E4010000 CALL DWORD PTR DS:[ESI+1E4]
00427F4A . 83C4 1C ADD ESP,1C ; the Call produces a code
00427F4D . 84C0 TEST AL,AL ; compare!
00427F4F 75 17 JNZ SHORT MyStuff.00427F68 ; jump if not equal! Otherwise it's OVER!~ So this is the program's key jump!
00427F51 . 6A FF PUSH -1
00427F53 . 6A 02 PUSH 2
00427F55 . 68 63660000 PUSH 6663
00427F5A . 68 90650000 PUSH 6590
00427F5F . 8BCE MOV ECX,ESI
00427F61 . E8 0A23FEFF CALL MyStuff.?xMessageBox@?$BaseW>; OVER!
00427F66 . EB 1C JMP SHORT MyStuff.00427F84 ; skips the successful-registration operations below.
00427F68 > 8BCE MOV ECX,ESI ; with a correct key we jump here~~~
00427F6A . E8 51010000 CALL MyStuff.?SetSerialNumber@CRe>
00427F6F . 8BCE MOV ECX,ESI
00427F71 . E8 75010000 CALL MyStuff.?SetName@CRegCheckWa>
00427F76 . 8BCE MOV ECX,ESI
00427F78 . E8 99010000 CALL MyStuff.?SetCompany@CRegChec>
00427F7D . 8BCE MOV ECX,ESI
00427F7F . E8 CAE40300 CALL MyStuff.?OnOK@CDialog@@MAEXX>; JMP to MFC42.#4853
00427F84 > 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10] ; jump lands here~~
00427F87 . C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00427F8B . E8 5AE20300 CALL MyStuff.??1CString@@QAE@XZ ; JMP to MFC42.#800
00427F90 . 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
00427F93 . C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00427F97 . E8 4EE20300 CALL MyStuff.??1CString@@QAE@XZ ; JMP to MFC42.#800
00427F9C . 8065 FC 00 AND BYTE PTR SS:[EBP-4],0
00427FA0 . 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00427FA3 . E8 42E20300 CALL MyStuff.??1CString@@QAE@XZ ; JMP to MFC42.#800
00427FA8 . 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
00427FAC . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00427FAF . E8 36E20300 CALL MyStuff.??1CString@@QAE@XZ ; JMP to MFC42.#800
00427FB4 . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00427FB7 . 5F POP EDI
00427FB8 . 5E POP ESI
00427FB9 . 64:890D 000000>MOV DWORD PTR FS:[0],ECX
00427FC0 . C9 LEAVE
00427FC1 . C3 RETN ; start over
00427FC2 > . 81EC 08010000 SUB ESP,108
00427FC8 . 53 PUSH EBX ; blind cracking is wasted effort~~~ please read on from here...
00427FC9 . 55 PUSH EBP
00427FCA . 56 PUSH ESI
00427FCB . 57 PUSH EDI
00427FCC . 8BF1 MOV ESI,ECX
00427FCE . E8 53E20300 CALL MyStuff.?OnInitDialog@CDialo>; JMP to MFC42.#4710
00427FD3 . 8B3D 3C4E4700 MOV EDI,DWORD PTR DS:[<&USER32.Se>; USER32.SendMessageA
00427FD9 . 33ED XOR EBP,EBP
00427FDB . 55 PUSH EBP ; /lParam => 0
00427FDC . BB C5000000 MOV EBX,0C5 ; |
00427FE1 . 6A 0E PUSH 0E ; |wParam = E
00427FE3 . 53 PUSH EBX ; |Message => EM_LIMITTEXT
00427FE4 . FFB6 C4010000 PUSH DWORD PTR DS:[ESI+1C4] ; |hWnd
00427FEA . FFD7 CALL EDI ; \SendMessageA
00427FEC . 55 PUSH EBP ; /lParam => 0
00427FED . 6A 02 PUSH 2 ; |wParam = 2
00427FEF . 53 PUSH EBX ; |Message => EM_LIMITTEXT
00427FF0 . FFB6 04010000 PUSH DWORD PTR DS:[ESI+104] ; |hWnd
00427FF6 . FFD7 CALL EDI ; \SendMessageA
00427FF8 . 55 PUSH EBP ; /lParam => 0
00427FF9 . 6A 04 PUSH 4 ; |wParam = 4
00427FFB . 53 PUSH EBX ; |Message => EM_LIMITTEXT
00427FFC . FFB6 44010000 PUSH DWORD PTR DS:[ESI+144] ; |hWnd
00428002 . FFD7 CALL EDI ; \SendMessageA
00428004 . 55 PUSH EBP ; /lParam => 0
00428005 . 6A 02 PUSH 2 ; |wParam = 2
00428007 . 53 PUSH EBX ; |Message => EM_LIMITTEXT
00428008 . FFB6 84010000 PUSH DWORD PTR DS:[ESI+184] ; |hWnd
0042800E . FFD7 CALL EDI ; \SendMessageA
00428010 . BF 81000000 MOV EDI,81
00428015 . 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
00428019 . 57 PUSH EDI ; /n => 81 (129.)
0042801A . 55 PUSH EBP ; |c => 00
0042801B . 50 PUSH EAX ; |s
0042801C . E8 D5EF0300 CALL MyStuff._memset ; \_memset
00428021 . 57 PUSH EDI ; /n
00428022 . 8D8424 A400000>LEA EAX,DWORD PTR SS:[ESP+A4] ; |
00428029 . 55 PUSH EBP ; |c
0042802A . 50 PUSH EAX ; |s
0042802B . E8 C6EF0300 CALL MyStuff._memset ; \_memset
00428030 . 83C4 18 ADD ESP,18
00428033 . E8 18E20300 CALL MyStuff.?AfxGetModuleState@@>; JMP to MFC42.#1168
00428038 . 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
0042803B . 8B3D E4544700 MOV EDI,DWORD PTR DS:[<&utils.?Ge>; utils.?GetAppRegistryString@CRegistryIO@@SAHPAUHINSTANCE__@@PBD11PADI1_N@Z
00428041 . 6A 01 PUSH 1
00428043 . 68 BCEB4900 PUSH MyStuff.0049EBBC ; ASCII "HKEY_LOCAL_MACHINE\SOFTWARE\Collectify"
00428048 . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18] ; this key should be where the program stores the registration info after a successful registration.
0042804C . 68 80000000 PUSH 80
00428051 . BD 202C4A00 MOV EBP,MyStuff.004A2C20
00428056 . 51 PUSH ECX
00428057 . 55 PUSH EBP
00428058 . BB B4EB4900 MOV EBX,MyStuff.0049EBB4 ; ASCII "MyStuff"
0042805D . 68 ACEB4900 PUSH MyStuff.0049EBAC ; ASCII "User"
00428062 . 53 PUSH EBX ; user name~~~
00428063 . 50 PUSH EAX
00428064 . FFD7 CALL EDI ; <&utils.?GetAppRegistryString@CRegistryIO@@SAHPAUHINSTANCE__@@PBD11PADI1_N@Z>
00428066 . 83C4 20 ADD ESP,20
00428069 . E8 E2E10300 CALL MyStuff.?AfxGetModuleState@@>; JMP to MFC42.#1168
0042806E . 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
00428071 . 6A 01 PUSH 1
00428073 . 68 BCEB4900 PUSH MyStuff.0049EBBC ; ASCII "HKEY_LOCAL_MACHINE\SOFTWARE\Collectify"
00428078 . 8D8C24 9C00000>LEA ECX,DWORD PTR SS:[ESP+9C]
0042807F . 68 80000000 PUSH 80
00428084 . 51 PUSH ECX
00428085 . 55 PUSH EBP
00428086 . 68 A4EB4900 PUSH MyStuff.0049EBA4 ; ASCII "Company"
0042808B . 53 PUSH EBX ; company~~~
0042808C . 50 PUSH EAX
0042808D . FFD7 CALL EDI
0042808F . 83C4 20 ADD ESP,20
00428092 . 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
00428096 . 8D4E 64 LEA ECX,DWORD PTR DS:[ESI+64]
00428099 . 50 PUSH EAX
0042809A . E8 99E10300 CALL MyStuff.?SetWindowTextA@CWnd>; JMP to MFC42.#6199
0042809F . 8D8424 9400000>LEA EAX,DWORD PTR SS:[ESP+94]
004280A6 . 8D8E A4000000 LEA ECX,DWORD PTR DS:[ESI+A4]
004280AC . 50 PUSH EAX
004280AD . E8 86E10300 CALL MyStuff.?SetWindowTextA@CWnd>; JMP to MFC42.#6199
004280B2 . 6A 01 PUSH 1
004280B4 . 58 POP EAX
004280B5 . 5F POP EDI
004280B6 . 5E POP ESI
004280B7 . 5D POP EBP
004280B8 . 5B POP EBX
004280B9 . 81C4 08010000 ADD ESP,108
004280BF . C3 RETN
004280C0 >/$ 56 PUSH ESI
004280C1 |. 8BB1 E8010000 MOV ESI,DWORD PTR DS:[ECX+1E8]
004280C7 |. E8 84E10300 CALL MyStuff.?AfxGetModuleState@@>; JMP to MFC42.#1168
004280CC |. 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
004280CF |. 68 BCEB4900 PUSH MyStuff.0049EBBC ; ASCII "HKEY_LOCAL_MACHINE\SOFTWARE\Collectify"
004280D4 |. 56 PUSH ESI
004280D5 |. 68 E4EB4900 PUSH MyStuff.0049EBE4 ; ASCII "RegNumber"
004280DA |. 68 B4EB4900 PUSH MyStuff.0049EBB4 ; ASCII "MyStuff"
004280DF |. 50 PUSH EAX ; registration key~~~
004280E0 |. FF15 E8544700 CALL DWORD PTR DS:[<&utils.?SetAp>; utils.?SetAppRegistryString@CRegistryIO@@SA_NPAUHINSTANCE__@@PBD111@Z
004280E6 |. 83C4 14 ADD ESP,14
004280E9 |. 5E POP ESI
004280EA \. C3 RETN
004280EB >/$ 56 PUSH ESI
004280EC |. 8BB1 EC010000 MOV ESI,DWORD PTR DS:[ECX+1EC]
004280F2 |. E8 59E10300 CALL MyStuff.?AfxGetModuleState@@>; JMP to MFC42.#1168
004280F7 |. 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
004280FA |. 68 BCEB4900 PUSH MyStuff.0049EBBC ; ASCII "HKEY_LOCAL_MACHINE\SOFTWARE\Collectify"
004280FF |. 56 PUSH ESI
00428100 |. 68 ACEB4900 PUSH MyStuff.0049EBAC ; ASCII "User"
00428105 |. 68 B4EB4900 PUSH MyStuff.0049EBB4 ; ASCII "MyStuff"
0042810A |. 50 PUSH EAX
0042810B |. FF15 E8544700 CALL DWORD PTR DS:[<&utils.?SetAp>; utils.?SetAppRegistryString@CRegistryIO@@SA_NPAUHINSTANCE__@@PBD111@Z
00428111 |. 83C4 14 ADD ESP,14
00428114 |. 5E POP ESI
00428115 \. C3 RETN
00428116 >/$ 56 PUSH ESI
00428117 |. 8BB1 F0010000 MOV ESI,DWORD PTR DS:[ECX+1F0]
0042811D |. E8 2EE10300 CALL MyStuff.?AfxGetModuleState@@>; JMP to MFC42.#1168
00428122 |. 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
00428125 |. 68 BCEB4900 PUSH MyStuff.0049EBBC ; ASCII "HKEY_LOCAL_MACHINE\SOFTWARE\Collectify"
0042812A |. 56 PUSH ESI
0042812B |. 68 A4EB4900 PUSH MyStuff.0049EBA4 ; ASCII "Company"
00428130 |. 68 B4EB4900 PUSH MyStuff.0049EBB4 ; ASCII "MyStuff"
00428135 |. 50 PUSH EAX
00428136 |. FF15 E8544700 CALL DWORD PTR DS:[<&utils.?SetAp>; utils.?SetAppRegistryString@CRegistryIO@@SA_NPAUHINSTANCE__@@PBD111@Z
0042813C |. 83C4 14 ADD ESP,14
0042813F |. 5E POP ESI
00428140 \. C3 RETN
In summary, the key jump is:
00427F4F /75 17 JNZ SHORT MyStuff.00427F68 // change the jnz to jmp and save as CrMyStuff.exe.
After this brute patch, registration succeeds, but the program gives no message: it writes the registration info to the registry and goes straight to the main window.
4) Close OD and run CrMyStuff.exe; the program still asks for registration, which proves it re-verifies on restart.
On analysis, when the program restarts it must read and verify the RegNumber entry of the registration info in the registry, so we can approach the crack from there.
Open the registry: under HKEY_LOCAL_MACHINE\SOFTWARE\Collectify\MyStuff we can see where the program saves the registration info.
The first item it checks is RegNumber. Load the modified CrMyStuff.exe into OD, right-click and search all referenced text strings.
Search for the strings matching the User registry entry and set a breakpoint on each; the results are as follows:
Text string references in CrMyStuf:.text, item 279
Address=004280D5
Disassembly=PUSH CrMyStuf.0049EBE4
Text string=ASCII "RegNumber"
Text string references in CrMyStuf:.text, item 667
Address=0045689C
Disassembly=PUSH CrMyStuf.0049EBE4
Text string=ASCII "RegNumber"
Two reads in total. Press F9 to run; the program breaks at:
0045689C |. 68 E4EB4900 PUSH CrMyStuf.0049EBE4 ; ASCII "RegNumber" // here
004568A1 |. 68 B4EB4900 PUSH CrMyStuf.0049EBB4 ; ASCII "MyStuff"
004568A6 |. 53 PUSH EBX
004568A7 |. FFD7 CALL EDI ; <&utils.?GetAppRegistryString@CRegistryIO@@SAHPAUHINSTANCE__@@PBD11PADI1_N@Z>
004568A9 |. 83C4 2C ADD ESP,2C
004568AC |. 3BC3 CMP EAX,EBX
004568AE |. 74 10 JE SHORT CrMyStuf.004568C0 // is there a registration-key entry? If not, OVER!
004568B0 |. 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
004568B3 |. 50 PUSH EAX
004568B4 |. FF55 08 CALL DWORD PTR SS:[EBP+8]
004568B7 |. 3AC3 CMP AL,BL
004568B9 |. 59 POP ECX
004568BA |. 0F85 1C020000 JNZ CrMyStuf.00456ADC // is the key correct? Not equal means registration succeeded; equal means OVER!
// In summary, once the program is modified it goes straight to the main window. The registration info can also be seen in the About box.
Bin!
Lesson: for software that re-verifies on restart, we can brute-patch the point where it re-checks the registration info during that restart verification.
Question: with this program I keep seeing the first three groups of the code appear, and I suspect they are the real key; please have a look for its registration key, thanks!
-----------------------------------------------------------------------
【Copyright】This writeup is purely for technical exchange; when reposting please credit the author and keep the article intact, thanks!
For the crack demos, please download from 龙族; I won't upload them one by one! Once the Cat has been admitted to the [PYG] member group I will make other plans. http://www.chinadforce.com/viewthread.php?tid=556037&extra=page%3D1
[ This post was last edited by 野猫III on 2006-7-7 00:44 ]