【破解作者】 cracklover
【作者邮箱】 [email]cracklover@126.com[/email]
【使用工具】 DeDe3.5 OD1.1 MasmV8
【破解平台】 Win2000
【软件名称】 中华通讯录V4.7Build
【软件简介】 中华通讯录是一款实用的通讯录软件,软件界面采用WINXP风格,
功能完善,最多能够容纳十万条通讯记录,新版本增加了QQ助聊功能,通过它
可以向网友连续发送信息,非常方便快捷。启动时需要输入密码,使其它人不
能看到你的通讯资料,让你的信息更安全。查询栏让你很快找到你的联系人。
支持增加分类,添加,删除信息。
【软件大小】 871
【加壳方式】 UPX1.08
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
根据注册错误提示,很容易找到如下代码,以下代码是从DEDE中拷贝出的代码:
005263F4 53 push ebx
005263F5 8BD8 mov ebx, eax
005263F7 8BC3 mov eax, ebx
* Reference to : TFrmMain.Proc_00522F74()
|
005263F9 E876CBFFFF call 00522F74 //注册码验证CALL,追入!
005263FE 84C0 test al, al //AL为比较标志
00526400 7409 jz 0052640B //关键跳转,跳则OVER!
00526402 8BC3 mov eax, ebx
* Reference to : TFrmMain.Proc_00522D10()
|
00526404 E807C9FFFF call 00522D10 //显示注册成功的CALL
00526409 5B pop ebx
0052640A C3 ret
* Possible String Reference to: '注册码不正确,无法注册'
|
0052640B B820645200 mov eax, $00526420
* Reference to: dialogs.ShowMessage(AnsiString);
|
00526410 E89B85F3FF call 0045E9B0
00526415 5B pop ebx
00526416 C3 ret
#########################################################################################
call 00522F74的内容:
00522F74 55 push ebp
00522F75 8BEC mov ebp, esp
00522F77 33C9 xor ecx, ecx
00522F79 51 push ecx
00522F7A 51 push ecx
00522F7B 51 push ecx
00522F7C 51 push ecx
00522F7D 51 push ecx
00522F7E 53 push ebx
00522F7F 56 push esi
00522F80 8945FC mov [ebp-$04], eax
00522F83 33C0 xor eax, eax
00522F85 55 push ebp
00522F86 6850305200 push $00523050
***** TRY
|
00522F8B 64FF30 push dword ptr fs:[eax]
00522F8E 648920 mov fs:[eax], esp
00522F91 33C0 xor eax, eax
00522F93 8945F4 mov [ebp-$0C], eax
00522F96 8D55F8 lea edx, [ebp-$08]
* Reference to FrmMain
|
00522F99 8B45FC mov eax, [ebp-$04]
* Reference to control TFrmMain.Edit1 : TsuiEdit
|
00522F9C 8B8020040000 mov eax, [eax+$0420]
* Reference to: controls.TControl.GetText(TControl):TCaption;
|
00522FA2 E8A937F1FF call 00436750
00522FA7 8B45F8 mov eax, [ebp-$08]
* Reference to: system.@LStrLen:Integer;
|
00522FAA E88D11EEFF call 0040413C
00522FAF 8BD8 mov ebx, eax
00522FB1 85DB test ebx, ebx
00522FB3 7E2E jle 00522FE3
00522FB5 BE01000000 mov esi, $00000001
00522FBA 8D45F0 lea eax, [ebp-$10]
00522FBD 50 push eax
00522FBE B901000000 mov ecx, $00000001
00522FC3 8BD6 mov edx, esi
00522FC5 8B45F8 mov eax, [ebp-$08]
* Reference to: system.@LStrCopy;
|
00522FC8 E87713EEFF call 00404344
00522FCD 8B45F0 mov eax, [ebp-$10]
* Reference to: system.@LStrToPChar; //以下是注册码的生成过程!
|
00522FD0 E82B13EEFF call 00404300
00522FD5 8A00 mov al, byte ptr [eax] //机器码逐位入AL
00522FD7 25FF000000 and eax, $000000FF //其他清零
00522FDC 0145F4 add [ebp-$0C], eax //将值累加到[EBP-C]
00522FDF 46 inc esi //ESI=ESI+1
00522FE0 4B dec ebx //EBX=EBX-1
00522FE1 75D7 jnz 00522FBA //处理完?未完继续!
00522FE3 8D55EC lea edx, [ebp-$14]
* Reference to FrmMain
|
00522FE6 8B45FC mov eax, [ebp-$04]
* Reference to control TFrmMain.Edit2 : TsuiEdit
|
00522FE9 8B8024040000 mov eax, [eax+$0424]
* Reference to: controls.TControl.GetText(TControl):TCaption;
|
00522FEF E85C37F1FF call 00436750
00522FF4 8B45EC mov eax, [ebp-$14] //eax指向我们输入的假码
* Reference to: Unit_00408D30.Proc_0040A088
|
00522FF7 E88C70EEFF call 0040A088 //eax=假码的十六进制值
* Reference to FrmMain
|
00522FFC 8B55F4 mov edx, [ebp-$0C] //刚才计算的累加值入EDX
00522FFF 81C2FC7E1200 add edx, $00127EFC //EDX=EDX+127EFCh
00523005 81C29EE46400 add edx, $0064E49E //EDX=EDX+64E49Eh
0052300B 3BC2 cmp eax, edx //eax=edx?
0052300D 7519 jnz 00523028 //不相等则跳,OVER!
0052300F B301 mov bl, $01 //到此我们可写出注册机了!
00523011 B8E4A55400 mov eax, $0054A5E4
00523016 8B55F8 mov edx, [ebp-$08]
* Reference to: system.@LStrAsg;
|
00523019 E8F20EEEFF call 00403F10
* Reference to FrmMain
|
0052301E 8B45F4 mov eax, [ebp-$0C]
* Reference to GlobalVar_0054A5E8
|
00523021 A3E8A55400 mov dword ptr [$0054A5E8], eax
00523026 EB02 jmp 0052302A
00523028 33DB xor ebx, ebx
0052302A 33C0 xor eax, eax
0052302C 5A pop edx
0052302D 59 pop ecx
0052302E 59 pop ecx
0052302F 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '?^[?]?U??栌VW3?M?M?M????
| UhC1R'
|
00523032 6857305200 push $00523057
00523037 8D45EC lea eax, [ebp-$14]
* Reference to: system.@LStrClr(String;String);
|
0052303A E87D0EEEFF call 00403EBC
0052303F 8D45F0 lea eax, [ebp-$10]
* Reference to: system.@LStrClr(String;String);
|
00523042 E8750EEEFF call 00403EBC
00523047 8D45F8 lea eax, [ebp-$08]
* Reference to: system.@LStrClr(String;String);
|
0052304A E86D0EEEFF call 00403EBC
0052304F C3 ret
* Reference to: system.@HandleFinally;
|
00523050 E95F08EEFF jmp 004038B4
00523055 EBE0 jmp 00523037
****** END
|
00523057 8BC3 mov eax, ebx
00523059 5E pop esi
0052305A 5B pop ebx
0052305B 8BE5 mov esp, ebp
0052305D 5D pop ebp
0052305E C3 ret
--------------------------------------------------------------------------------
下面是计算注册码的Masm子程序:
说明:
lpstr1是机器码的地址,lpstr2是指计算出的注册码的地址,count是机器码长度
Process proc lpstr1:DWORD,lpstr2:DWORD,count:DWORD
pushad
mov esi,lpstr1
mov edi,lpstr2
xor eax,eax
xor edx,edx
@@:
mov al,[esi]
add edx,eax
inc esi
dec count
jnz @B
add edx,127EFCh
add edx,64E49Eh
mov lpstr1,edx
invoke udw2str,lpstr1,lpstr2 ;将十六进制数转化为十进制的字符串
popad
ret
Process endp
破解总结:
此软件的机器码其实就是硬盘序列号,所以,我们也可以不通过运行软件得到机器码,而直接
在注册机里得到硬盘序列号,再计算出注册码。
要是有人要注册机的asm源码及资源文件请EMAIL ME:cracklover@126.com。
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
