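【Software name】Specialized medical software (commercial and expensive; the exact name is omitted to avoid unnecessary trouble)
【Download URL】http://
【Platform】Win9x/NT/2000/XP
【Protection】HASP dongle + serial number
【Statement】This crack was done purely out of interest, with no other purpose. Corrections of any mistakes are welcome!
【Tools】w32dasm, flyODBG, hiew, trw2000
【Software description】It installs without the dongle but reports an error when run. With the dongle installed, it asks for a serial number; without one it cannot be used.
========================================================================================
【Analysis】The software's use of the dongle is poor and it is easy to defeat.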
………………
0043475D . 52 push edx
0043475E . 50 push eax
0043475F . 6A 01 push 1
00434761 . 68 76160000 push 1676
00434766 . E8 95FFFEFF call STEREO.00424700 ; reads the dongle ... detailed analysis not written up.
0043476B . 83C4 10 add esp,10
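0043476E . 66:85C0 test ax,ax ; comparison: checks whether a dongle is present.
00434771 . 0F85 FA020000 jnz STEREO.00434A71 ; if this jump is taken, the error path runs. Analysis shows that no data from the dongle is used; it is only a simple check, so patching the branch is enough.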
00434777 . 8D45 C8 lea eax,dword ptr ss:[ebp-38]
0043477A . 50 push eax ; /Arg1
0043477B . E8 80FEFEFF call STEREO.00424600 ; \STEREO.00424600
………………
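Another way to deal with the HASP dongle is to emulate it with HASP_Emul_PreProfessional, which worked when tested. This tool seems to be available on 天天下载; 白菜乐园 used to have it, but later it could no longer be found there. Foreign cracking sites also have it. It really is good. With the dongle problem solved, the next thing to deal with is the serial number.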
004440E0 . 56 push esi
004440E1 . 57 push edi
004440E2 . 8D41 60 lea eax,dword ptr ds:[ecx+60]
004440E5 . 8BF1 mov esi,ecx
004440E7 . 8B7C24 0C mov edi,dword ptr ss:[esp+C]
004440EB . 50 push eax
004440EC . 68 16070000 push 716
004440F1 . 57 push edi
004440F2 . E8 41540000 call <jmp.&MFC40.#2072>
004440F7 . 8D4E 64 lea ecx,dword ptr ds:[esi+64] ; ECX = the entered user name
004440FA . 51 push ecx
004440FB . 68 17070000 push 717
00444100 . 57 push edi
00444101 . E8 32540000 call <jmp.&MFC40.#2072>
00444106 . 8D46 68 lea eax,dword ptr ds:[esi+68] ; EAX = organization name; after execution ECX = organization name
00444109 . 83C6 6C add esi,6C
0044410C . 50 push eax
0044410D . 68 83070000 push 783
00444112 . 57 push edi
00444113 . E8 20540000 call <jmp.&MFC40.#2072>
00444118 . 56 push esi ; ECX = serial number
00444119 . 6A 6D push 6D
0044411B . 57 push edi
0044411C . E8 17540000 call <jmp.&MFC40.#2072>
00444121 . 5F pop edi
00444122 . 5E pop esi
00444123 . C2 0400 retn 4
……
004443BA |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
004443BD |. 8B08 MOV ECX,DWORD PTR DS:[EAX] ; user name
004443BF |. 8B79 F8 MOV EDI,DWORD PTR DS:[ECX-8] ; organization name
004443C2 |. 7E 05 JLE SHORT STEREO.004443C9
004443C4 |. BE 64000000 MOV ESI,64
004443C9 |> 83FF 64 CMP EDI,64
004443CC |. 7E 05 JLE SHORT STEREO.004443D3
004443CE |. BF 64000000 MOV EDI,64
004443D3 |> 3BF7 CMP ESI,EDI
004443D5 |. 8BC6 MOV EAX,ESI
004443D7 |. 7F 02 JG SHORT STEREO.004443DB
004443D9 |. 8BC7 MOV EAX,EDI
004443DB |> 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
004443DE |. 33C0 XOR EAX,EAX
004443E0 |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
004443E3 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
004443E6 |. 3945 E8 CMP DWORD PTR SS:[EBP-18],EAX
004443E9 |. 0F8E 85000000 JLE STEREO.00444474
004443EF |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004443F2 |. 03C0 ADD EAX,EAX
004443F4 |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
004443F7 |> 8B45 F0 /MOV EAX,DWORD PTR SS:[EBP-10] ; core part
004443FA |. 85F6 |TEST ESI,ESI
004443FC |. 8BD8 |MOV EBX,EAX
004443FE |. 75 04 |JNZ SHORT STEREO.00444404
00444400 |. 33C0 |XOR EAX,EAX
00444402 |. EB 0B |JMP SHORT STEREO.0044440F
00444404 |> 3B75 F0 |CMP ESI,DWORD PTR SS:[EBP-10]
00444407 |. 7D 06 |JGE SHORT STEREO.0044440F
00444409 |> 2BC6 |/SUB EAX,ESI
0044440B |. 3BF0 ||CMP ESI,EAX
0044440D |.^7C FA |\JL SHORT STEREO.00444409
0044440F |> 85FF |TEST EDI,EDI
00444411 |. 75 04 |JNZ SHORT STEREO.00444417
00444413 |. 33DB |XOR EBX,EBX
00444415 |. EB 0B |JMP SHORT STEREO.00444422
00444417 |> 397D F0 |CMP DWORD PTR SS:[EBP-10],EDI
0044441A |. 7E 06 |JLE SHORT STEREO.00444422
0044441C |> 2BDF |/SUB EBX,EDI
0044441E |. 3BDF ||CMP EBX,EDI
00444420 |.^7F FA |\JG SHORT STEREO.0044441C
00444422 |> 3BF0 |CMP ESI,EAX
00444424 |. 7F 0B |JG SHORT STEREO.00444431
00444426 |. 6A 00 |PUSH 0
00444428 |. 8D85 A4FEFFFF |LEA EAX,DWORD PTR SS:[EBP-15C]
0044442E |. 50 |PUSH EAX
0044442F |. EB 10 |JMP SHORT STEREO.00444441
00444431 |> 8B4D D8 |MOV ECX,DWORD PTR SS:[EBP-28]
00444434 |. 8B11 |MOV EDX,DWORD PTR DS:[ECX]
00444436 |. 8D8D A4FEFFFF |LEA ECX,DWORD PTR SS:[EBP-15C]
0044443C |. 8A0402 |MOV AL,BYTE PTR DS:[EDX+EAX]
0044443F |. 50 |PUSH EAX
00444440 |. 51 |PUSH ECX
00444441 |> E8 CA67FFFF |CALL STEREO.0043AC10
00444446 |. 83C4 08 |ADD ESP,8
00444449 |. 3BDF |CMP EBX,EDI
0044444B |. 7C 04 |JL SHORT STEREO.00444451
0044444D |. 6A 00 |PUSH 0
0044444F |. EB 09 |JMP SHORT STEREO.0044445A
00444451 |> 8B45 DC |MOV EAX,DWORD PTR SS:[EBP-24]
00444454 |. 8B08 |MOV ECX,DWORD PTR DS:[EAX]
00444456 |. 8A1419 |MOV DL,BYTE PTR DS:[ECX+EBX]
00444459 |. 52 |PUSH EDX
0044445A |> 8D85 A4FEFFFF |LEA EAX,DWORD PTR SS:[EBP-15C]
00444460 |. 50 |PUSH EAX
00444461 |. E8 AA67FFFF |CALL STEREO.0043AC10
00444466 |. 83C4 08 |ADD ESP,8
00444469 |. FF45 F0 |INC DWORD PTR SS:[EBP-10]
0044446C |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10]
0044446F |. 3B45 E8 |CMP EAX,DWORD PTR SS:[EBP-18]
00444472 |.^7C 83 \JL SHORT STEREO.004443F7
00444474 |> BB 10000000 MOV EBX,10
00444479 |> BE 01000000 /MOV ESI,1 ; core part
0044447E |. 8ACB |MOV CL,BL
00444480 |. D3E6 |SHL ESI,CL
00444482 |. 6A FF |PUSH -1
00444484 |. 8BC6 |MOV EAX,ESI
00444486 |. 25 00010000 |AND EAX,100
0044448B |. 8D8D A4FEFFFF |LEA ECX,DWORD PTR SS:[EBP-15C]
00444491 |. C1E8 08 |SHR EAX,8
00444494 |. 50 |PUSH EAX
00444495 |. 51 |PUSH ECX
00444496 |. E8 0567FFFF |CALL STEREO.0043ABA0
0044449B |. 83C4 0C |ADD ESP,0C
0044449E |. 8D8D A4FEFFFF |LEA ECX,DWORD PTR SS:[EBP-15C]
004444A4 |. 6A FF |PUSH -1
004444A6 |. 6A 00 |PUSH 0
004444A8 |. 51 |PUSH ECX
004444A9 |. E8 F266FFFF |CALL STEREO.0043ABA0
004444AE |. 83C4 0C |ADD ESP,0C
004444B1 |. 8B45 D0 |MOV EAX,DWORD PTR SS:[EBP-30]
004444B4 |. 23C6 |AND EAX,ESI
004444B6 |. 8D8D A4FEFFFF |LEA ECX,DWORD PTR SS:[EBP-15C]
004444BC |. 6A FF |PUSH -1
004444BE |. 83F8 01 |CMP EAX,1
004444C1 |. 1BC0 |SBB EAX,EAX
004444C3 |. 43 |INC EBX
004444C4 |. 40 |INC EAX
004444C5 |. 50 |PUSH EAX
004444C6 |. 51 |PUSH ECX
004444C7 |. E8 D466FFFF |CALL STEREO.0043ABA0
004444CC |. 83C4 0C |ADD ESP,0C
004444CF |. 8D8D A4FEFFFF |LEA ECX,DWORD PTR SS:[EBP-15C]
004444D5 |. 6A FF |PUSH -1
004444D7 |. 6A 00 |PUSH 0
004444D9 |. 51 |PUSH ECX
004444DA |. E8 C166FFFF |CALL STEREO.0043ABA0
004444DF |. 83C4 0C |ADD ESP,0C
004444E2 |. 83FB 20 |CMP EBX,20
004444E5 |.^7C 92 \JL SHORT STEREO.00444479
004444E7 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
004444EA |. 8D8D A4FEFFFF LEA ECX,DWORD PTR SS:[EBP-15C]
004444F0 |. 83C0 10 ADD EAX,10
004444F3 |. 50 PUSH EAX
004444F4 |. 51 PUSH ECX
004444F5 |. 68 B71DC104 PUSH 4C11DB7
004444FA |. E8 5167FFFF CALL STEREO.0043AC50
004444FF |. 83C4 0C ADD ESP,0C
00444502 |. 8BF0 MOV ESI,EAX
00444504 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00444507 |. E8 0E500000 CALL <JMP.&MFC40.#486>
0044450C |. 56 PUSH ESI
0044450D |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00444510 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00444514 |. 68 04674500 PUSH STEREO.00456704 ; ASCII "%08X"
00444519 |. 51 PUSH ECX
0044451A |. E8 27510000 CALL <JMP.&MFC40.#2471>
0044451F |. 83C4 0C ADD ESP,0C
00444522 |. 8B75 EC MOV ESI,DWORD PTR SS:[EBP-14]
00444525 |. 83C6 68 ADD ESI,68
00444528 |. 8BCE MOV ECX,ESI
0044452A |. E8 BF540000 CALL <JMP.&MFC40.#3697>
0044452F |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
00444531 |. 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
00444534 |. 50 PUSH EAX ; /s2 the entered registration code
00444535 |. 51 PUSH ECX ; |s1 the correct registration code
00444536 |. FF15 309F4500 CALL DWORD PTR DS:[<&MSVCRT40._mbscmp>] ; \_mbscmp
0044453C |. 83C4 08 ADD ESP,8
0044453F |. 85C0 TEST EAX,EAX
00444541 |. 74 45 JE SHORT STEREO.00444588 ; if this jump is taken, it is OK
========================================================================================
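【Summary】Sorry, this is only a half-finished write-up. Because time was short, the actual algorithm was not analyzed carefully; I stopped once I had found the registration code, and will study it more closely when I have time. I only crack protected medical software and hope to exchange more with others in the same field.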
========================================================================================
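The listing at 0043476E to 00434771 reduces the dongle call to a single flag test, which is why the author notes that no dongle data is used. The C code below is an added example (not from the original post or the vendor) contrasting that presence-only gate with a design where the dongle's output is needed to decode program data. `dongle_t`, `dongle_crypt` and the table are hypothetical stand-ins, and the xorshift keystream is a toy in place of a real on-device cipher.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical software model of a dongle (not the HASP API): a presence
   flag plus a secret that never leaves the device. */
typedef struct { int present; uint32_t secret; } dongle_t;

/* Toy keyed keystream (xorshift32) standing in for an on-device
   encode/decode service; a real design uses the vendor's cipher. */
int dongle_crypt(const dongle_t *d, uint8_t *buf, size_t n) {
    if (!d->present) return -1;
    uint32_t s = d->secret;
    for (size_t i = 0; i < n; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        buf[i] ^= (uint8_t)s;
    }
    return 0;
}

/* Weak pattern from the listing: the call result is reduced to one flag,
   so a forced branch (modelled by force_ok) lets the program continue. */
int weak_gate(const dongle_t *d, int force_ok) {
    return force_ok || d->present;
}

/* Constructed sample: data the program cannot work without. At build time
   only the sealed (encrypted) form would be shipped. */
static const uint8_t PLAIN_TABLE[8] = {10, 20, 30, 40, 50, 60, 70, 80};
void seal_table(const dongle_t *vendor, uint8_t out[8]) {
    memcpy(out, PLAIN_TABLE, 8);
    dongle_crypt(vendor, out, 8);
}

/* Hardened pattern: the dongle's output is an input to the computation.
   Ignoring the return value leaves table[] as unusable ciphertext. */
int load_table(const dongle_t *d, const uint8_t sealed[8], uint8_t table[8]) {
    memcpy(table, sealed, 8);
    return dongle_crypt(d, table, 8);
}

int main(void) {
    dongle_t real = {1, 1u}, none = {0, 0u};
    uint8_t sealed[8], t[8];
    seal_table(&real, sealed);
    load_table(&none, sealed, t);   /* status ignored: forced branch */
    return memcmp(t, PLAIN_TABLE, 8) == 0;  /* 0: table stayed unusable */
}
```

The same reasoning applies to the serial check at 00444536: any value the client computes and then compares locally is visible at the comparison, so the secret has to stay off the client.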
【Copyright】All rights reserved by 中国自由破解联盟
05-2-26