【Title】: [Original] A muddled but successful crack (the keygen does not work too well)
【Author】: zhouxl
【Author email】: 214201887@qq.com
【Software name】: Andrénalin.1.exe
【Software size】: 9.50 KB
【Written in】: Microsoft Visual Basic 5.0 / 6.0
【Tools used】: OLLYICE, keymake
【Author's statement】: Just out of interest, no other purpose. If I have made mistakes, please correct me!
--------------------------------------------------------------------------------
【Detailed process】
This is my first article, so I am a bit nervous... let's just get started; my hands are shaking, haha.
First, of course, check for a packer.
Then run the program and enter '123456'; it replies "Leider Falsch ! Schau noch mal genau nach ..."
Load it in OllyICE, right-click -> Search for -> All referenced text strings -> find "Leider Falsch ! Schau noch mal genau nach ...", right at the bottom.
Double-click it to land here (the code is not long, so I pasted a bigger chunk):
00401CD1 . 8BEC mov ebp, esp
00401CD3 . 83EC 0C sub esp, 0C
00401CD6 . 68 16104000 push <jmp.&MSVBVM50.__vbaExceptHandle>; SE handler installation
00401CDB . 64:A1 0000000>mov eax, dword ptr fs:[0]
00401CE1 . 50 push eax
00401CE2 . 64:8925 00000>mov dword ptr fs:[0], esp
00401CE9 . 81EC BC000000 sub esp, 0BC
00401CEF . 53 push ebx
00401CF0 . 56 push esi
00401CF1 . 57 push edi
00401CF2 . 8B7D 08 mov edi, dword ptr [ebp+8]
00401CF5 . 8BC7 mov eax, edi
00401CF7 . 83E7 FE and edi, FFFFFFFE
00401CFA . 8965 F4 mov dword ptr [ebp-C], esp
00401CFD . 83E0 01 and eax, 1
00401D00 . 8B1F mov ebx, dword ptr [edi]
00401D02 . C745 F8 00104>mov dword ptr [ebp-8], 00401000
00401D09 . 57 push edi
00401D0A . 8945 FC mov dword ptr [ebp-4], eax
00401D0D . 897D 08 mov dword ptr [ebp+8], edi
00401D10 . FF53 04 call dword ptr [ebx+4]
00401D13 . 33F6 xor esi, esi
00401D15 . 57 push edi
00401D16 . 8975 DC mov dword ptr [ebp-24], esi
00401D19 . 8975 D8 mov dword ptr [ebp-28], esi
00401D1C . 8975 D4 mov dword ptr [ebp-2C], esi
00401D1F . 8975 C4 mov dword ptr [ebp-3C], esi
00401D22 . 8975 B4 mov dword ptr [ebp-4C], esi
00401D25 . 8975 A4 mov dword ptr [ebp-5C], esi
00401D28 . 8975 94 mov dword ptr [ebp-6C], esi
00401D2B . 8975 84 mov dword ptr [ebp-7C], esi
00401D2E . 89B5 74FFFFFF mov dword ptr [ebp-8C], esi
00401D34 . 89B5 44FFFFFF mov dword ptr [ebp-BC], esi
00401D3A . FF93 00030000 call dword ptr [ebx+300]
00401D40 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00401D43 . 50 push eax
00401D44 . 51 push ecx
00401D45 . FF15 EC304000 call dword ptr [<&MSVBVM50.__vbaObjSe>; MSVBVM50.__vbaObjSet
---->4. Press F2 to set a breakpoint here, click Restart, run, then step with F8
00401D4B . 8BF8 mov edi, eax
00401D4D . 8D45 D8 lea eax, dword ptr [ebp-28]
00401D50 . 50 push eax
00401D51 . 57 push edi
00401D52 . 8B17 mov edx, dword ptr [edi]
00401D54 . FF92 A0000000 call dword ptr [edx+A0]
00401D5A . 3BC6 cmp eax, esi
00401D5C . 7D 12 jge short 00401D70
00401D5E . 68 A0000000 push 0A0
00401D63 . 68 401A4000 push 00401A40
00401D68 . 57 push edi
00401D69 . 50 push eax
00401D6A . FF15 E4304000 call dword ptr [<&MSVBVM50.__vbaHresu>; MSVBVM50.__vbaHresultCheckObj
00401D70 > 8B4D D8 mov ecx, dword ptr [ebp-28]
------------>5. Here you can see the fake serial you entered
00401D73 . 51 push ecx
00401D74 . 68 541A4000 push 00401A54 ; UNICODE "SynTaX 2oo1"
-------->6. Real serial, I see you! Now follow into the CALL below
00401D79 . FF15 08314000 call dword ptr [<&MSVBVM50.__vbaStrCm>; MSVBVM50.__vbaStrCmp
7403F8F6 > FF7424 08 push dword ptr [esp+8]
7403F8FA FF7424 08 push dword ptr [esp+8]
7403F8FE 6A 00 push 0
7403F900 E8 5E3CFEFF call __vbaStrComp
----->7. Keep following in
7403F905 0FBFC0 movsx eax, ax
7403F908 C2 0800 retn 8
74023563 > 55 push ebp
74023564 8BEC mov ebp, esp
74023566 53 push ebx
74023567 56 push esi
74023568 57 push edi
74023569 837D 10 00 cmp dword ptr [ebp+10], 0
7402356D BE 00000000 mov esi, 0
74023572 74 06 je short 7402357A
74023574 8B45 10 mov eax, dword ptr [ebp+10]
74023577 8B70 FC mov esi, dword ptr [eax-4]
7402357A 837D 0C 00 cmp dword ptr [ebp+C], 0
7402357E BF 00000000 mov edi, 0
74023583 74 06 je short 7402358B
74023585 8B4D 0C mov ecx, dword ptr [ebp+C] ; Andréna.00401A54
-------->8. Press F8 until here; now the memory keygen can be written
74023588 8B79 FC mov edi, dword ptr [ecx-4]
00401D7F . 8BF8 mov edi, eax
00401D81 . 8D4D D8 lea ecx, dword ptr [ebp-28]
00401D84 . F7DF neg edi
00401D86 . 1BFF sbb edi, edi
00401D88 . 47 inc edi
00401D89 . F7DF neg edi
00401D8B . FF15 5C314000 call dword ptr [<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
00401D91 . 8D4D D4 lea ecx, dword ptr [ebp-2C]
00401D94 . FF15 60314000 call dword ptr [<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
00401D9A . 66:3BFE cmp di, si
00401D9D 0F84 A0000000 je 00401E43
---------->3. This is where the jump comes from; at this point I had no idea what to do next.
--------- >I only knew the fake serial was somewhere above, so I set a breakpoint at 401D45
00401DA3 . FF15 2C314000 call dword ptr [<&MSVBVM50.#534>] ; MSVBVM50.rtcBeep
00401DA9 . 8B3D 48314000 mov edi, dword ptr [<&MSVBVM50.__vba>; MSVBVM50.__vbaVarDup
00401DAF . B9 04000280 mov ecx, 80020004
00401DB4 . 894D 9C mov dword ptr [ebp-64], ecx
00401DB7 . B8 0A000000 mov eax, 0A
00401DBC . 894D AC mov dword ptr [ebp-54], ecx
00401DBF . BB 08000000 mov ebx, 8
00401DC4 . 8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
00401DCA . 8D4D B4 lea ecx, dword ptr [ebp-4C]
00401DCD . 8945 94 mov dword ptr [ebp-6C], eax
00401DD0 . 8945 A4 mov dword ptr [ebp-5C], eax
00401DD3 . C785 7CFFFFFF>mov dword ptr [ebp-84], 00401AC4 ; UNICODE "SuCCESFul !"
00401DDD . 899D 74FFFFFF mov dword ptr [ebp-8C], ebx
00401DE3 . FFD7 call edi ; <&MSVBVM50.__vbaVarDup>
00401DE5 . 8D55 84 lea edx, dword ptr [ebp-7C]
00401DE8 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00401DEB . C745 8C 701A4>mov dword ptr [ebp-74], 00401A70 ; UNICODE "RiCHtiG ! ...nun weiter zu CrackMe 2 !"
00401DF2 . 895D 84 mov dword ptr [ebp-7C], ebx
00401DF5 . FFD7 call edi
00401DF7 . 8D55 94 lea edx, dword ptr [ebp-6C]
00401DFA . 8D45 A4 lea eax, dword ptr [ebp-5C]
00401DFD . 52 push edx
00401DFE . 8D4D B4 lea ecx, dword ptr [ebp-4C]
00401E01 . 50 push eax
00401E02 . 51 push ecx
00401E03 . 8D55 C4 lea edx, dword ptr [ebp-3C]
00401E06 . 6A 30 push 30
00401E08 . 52 push edx
00401E09 . FF15 F0304000 call dword ptr [<&MSVBVM50.#595>] ; MSVBVM50.rtcMsgBox
00401E0F . 8D95 44FFFFFF lea edx, dword ptr [ebp-BC]
00401E15 . 8D4D DC lea ecx, dword ptr [ebp-24]
00401E18 . 8985 4CFFFFFF mov dword ptr [ebp-B4], eax
00401E1E . C785 44FFFFFF>mov dword ptr [ebp-BC], 3
00401E28 . FF15 D0304000 call dword ptr [<&MSVBVM50.__vbaVarMo>; MSVBVM50.__vbaVarMove
00401E2E . 8D45 94 lea eax, dword ptr [ebp-6C]
00401E31 . 8D4D A4 lea ecx, dword ptr [ebp-5C]
00401E34 . 50 push eax
00401E35 . 8D55 B4 lea edx, dword ptr [ebp-4C]
00401E38 . 51 push ecx
00401E39 . 8D45 C4 lea eax, dword ptr [ebp-3C]
00401E3C . 52 push edx
00401E3D . 50 push eax
00401E3E . E9 95000000 jmp 00401ED8
00401E43 > 8B3D 48314000 mov edi, dword ptr [<&MSVBVM50.__vba>; MSVBVM50.__vbaVarDup
--->2. Click this line and you can see where it was jumped from
00401E49 . B9 04000280 mov ecx, 80020004
00401E4E . 894D 9C mov dword ptr [ebp-64], ecx
00401E51 . B8 0A000000 mov eax, 0A
00401E56 . 894D AC mov dword ptr [ebp-54], ecx
00401E59 . BB 08000000 mov ebx, 8
00401E5E . 8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
00401E64 . 8D4D B4 lea ecx, dword ptr [ebp-4C]
00401E67 . 8945 94 mov dword ptr [ebp-6C], eax
00401E6A . 8945 A4 mov dword ptr [ebp-5C], eax
00401E6D . C785 7CFFFFFF>mov dword ptr [ebp-84], 00401B44 ; UNICODE "leider NeiN !"
00401E77 . 899D 74FFFFFF mov dword ptr [ebp-8C], ebx
00401E7D . FFD7 call edi ; <&MSVBVM50.__vbaVarDup>
00401E7F . 8D55 84 lea edx, dword ptr [ebp-7C]
00401E82 . 8D4D C4 lea ecx, dword ptr [ebp-3C]
00401E85 . C745 8C E01A4>mov dword ptr [ebp-74], 00401AE0 ; UNICODE "Leider Falsch ! Schau noch mal genau nach ..."
----------------->1. After double-clicking we stop here; we look upward for the jump.
00401E8C . 895D 84 mov dword ptr [ebp-7C], ebx
------------------------------------------------------------------------
Memory keygen
I only learned this this morning, and I still cannot produce a perfect one.
I will write out the whole process:
First find the program name: click Browse and pick it.
Click Add. The break address here must be '74023588', not '74023585'; I only learned from 小糊涂神's reply this morning
that you should enter the address of the next instruction.
Break count: 1
First byte: 8B
Instruction length: 1 (it seems not to matter what you put here)
Memory mode (because the serial is in memory, not in ECX; ECX only holds the address)
Tick "wide string" (if the string is ASCII leave it unticked, if it is UNICODE tick it; I believe that is how it works)
As shown in the figure:
Click Modify.
Click Generate, and it is done.
A question for the experts here: after my memory keygen was finished it shows some extra characters; it should say "SynTaX 2oo1" but it shows "SynTaX 2oo11408084"
Figure:
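An added example, not part of the original post or of the crackme or keymake: a small Python model of what the breakpoint at 74023588 reads (ECX as pointer, byte length at [ecx-4], UTF-16 text) and of what the je at 00401D9D decides after the neg/sbb/inc/neg sequence. The byte offsets it produces are sample values from a constructed buffer, not the binary's own addresses.

```python
import struct

# Added example (not the crackme's or keymake's code). It models how
# __vbaStrComp reads its BSTR operands (byte length at [ptr-4], UTF-16LE
# text at [ptr]) and how neg/sbb/inc/neg at 00401D84..00401D89 turns EAX
# into the value that cmp di, si / je 00401E43 tests.

def build_string_table(strings):
    """Lay out BSTRs as a VB5 binary stores them: 4-byte byte-length prefix,
    UTF-16LE characters, two-byte terminator. Returns the memory image and
    the pointer to each string's characters (what ECX holds at 74023585)."""
    mem, ptrs = bytearray(), []
    for s in strings:
        data = s.encode("utf-16-le")
        mem += struct.pack("<I", len(data))
        ptrs.append(len(mem))
        mem += data + b"\x00\x00"
    return bytes(mem), ptrs

def read_bstr(mem, ptr):
    """Read a BSTR by its length prefix, i.e. the [ecx-4] load at 74023588.
    A NULL pointer is an empty string (the cmp/je pairs at 74023569/7402357A)."""
    if ptr == 0:
        return ""
    nbytes = struct.unpack_from("<I", mem, ptr - 4)[0]
    return mem[ptr:ptr + nbytes].decode("utf-16-le")

def vba_str_comp(mem, lhs_ptr, rhs_ptr):
    """Simplified binary compare (the 'push 0' mode): 0 if equal, else -1 or 1."""
    a, b = read_bstr(mem, lhs_ptr), read_bstr(mem, rhs_ptr)
    return 0 if a == b else (-1 if a < b else 1)

def after_call_flag(eax):
    """neg edi; sbb edi, edi; inc edi; neg edi, with EDI = EAX as 32-bit values."""
    edi = eax & 0xFFFFFFFF
    cf = 1 if edi else 0                  # neg sets CF when the operand is nonzero
    edi = (-edi) & 0xFFFFFFFF
    edi = (edi - edi - cf) & 0xFFFFFFFF   # sbb edi, edi -> 0 - CF
    edi = (edi + 1) & 0xFFFFFFFF
    return (-edi) & 0xFFFFFFFF            # 0xFFFFFFFF if EAX was 0, else 0

def check_serial(mem, user_ptr, const_ptr):
    """cmp di, si (SI = 0); je 00401E43 is the 'Leider Falsch' branch."""
    edi = after_call_flag(vba_str_comp(mem, user_ptr, const_ptr))
    if (edi & 0xFFFF) == 0:
        return "Leider Falsch ! Schau noch mal genau nach ..."
    return "RiCHtiG ! ...nun weiter zu CrackMe 2 !"
```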
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally posted on the Pediy (看雪) forum; when reposting please credit the author and keep the article intact. Thank you!
2007年08月07日 23:27:09