Download page: http://www.380000.com/download/show.asp?id=sdql
Software category: image tools
Platform: Win98/ME/2000/XP
Size: 80KB
License: shareware
Registration: serial number / registration code
Release date: 2002-12-1
【Software description】: 鼠到擒来 V3.1 is an image tool that extracts icons and bitmaps from files and can also process images.
【Restrictions】: nag screen, limited functionality.
【Author's note】: I am a beginner at cracking and am doing this purely out of interest, with no other purpose. Please correct me where I have gone wrong!
【Tools used】: TRW2000 (娃娃 modified build), OllyDbg 1.09, PE-Scan, UnAspack, W32Dasm 10 (modified build)
————————————————————————————————— 【Process】:
鼠到擒来.exe is packed with ASPack 1.07; unpack it with UnAspack. 76K -> 372K. Written in VC++ 6.0. Hehe, only 76K after packing, really compact. I admire the author's skill!
The program checks the registration on restart. The registration info is saved in sign.ini in the program's directory, so searching the disassembly for "sign.ini" leads straight to the core routine below. 鼠到擒来's registration-code algorithm is much the same as its sibling programs', with a few changes, and the code jumps back and forth a lot to throw us crackers off.
Serial: 922836698    Trial code: 123456-7890ABC
—————————————————————————————————
* Referenced by a CALL at Addresses:
|:00401FE7   , :00406831   
|
:00406C20 A0A45A4100       mov al, byte ptr [00415AA4]
:00406C25 81EC94010000     sub esp, 00000194
:00406C2B 84C0             test al, al
:00406C2D 56               push esi
:00406C2E 0F8511010000     jne 00406D45

* Possible StringData Ref from Data Obj ->"rb"
|
:00406C34 68D8404100       push 004140D8

* Possible StringData Ref from Data Obj ->"sign.ini"    ====> where the registration info is stored!
|
:00406C39 6888434100       push 00414388
:00406C3E E857190000       call 0040859A
:00406C43 8BF0             mov esi, eax
:00406C45 83C408           add esp, 00000008
:00406C48 85F6             test esi, esi
:00406C4A 7511             jne 00406C5D
:00406C4C C605A45A410001   mov byte ptr [00415AA4], 01
:00406C53 32C0             xor al, al
:00406C55 5E               pop esi
:00406C56 81C494010000     add esp, 00000194
:00406C5C C3               ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406C4A(C)
|
:00406C5D 56               push esi
:00406C5E 8D442408         lea eax, dword ptr [esp+08]
:00406C62 68C9000000       push 000000C9
:00406C67 50               push eax
:00406C68 E8DD170000       call 0040844A
:00406C6D 56               push esi
:00406C6E E881170000       call 004083F4
:00406C73 8D4C2414         lea ecx, dword ptr [esp+14]    ====> ECX=123456-7890ABC

* Possible Reference to Dialog: 
|
:00406C77 6830444100       push 00414430
:00406C7C 51               push ecx
:00406C7D E87E190000       call 00408600    ====> Hehe, lots of arithmetic inside. Step in? ^*^
:00406C82 83C418           add esp, 00000018
:00406C85 85C0             test eax, eax
:00406C87 7511             jne 00406C9A
:00406C89 C605A45A410001   mov byte ptr [00415AA4], 01
:00406C90 32C0             xor al, al
:00406C92 5E               pop esi
:00406C93 81C494010000     add esp, 00000194
:00406C99 C3               ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406C87(C)
|
:00406C9A 57               push edi
:00406C9B 8D542408         lea edx, dword ptr [esp+08]

* Possible Reference to Dialog: 
|
:00406C9F 6830444100       push 00414430
:00406CA4 52               push edx
:00406CA5 E856190000       call 00408600    ====> Hehe, lots of arithmetic inside. Step in? ^*^
:00406CAA 8BF8             mov edi, eax
:00406CAC 83C9FF           or ecx, FFFFFFFF
:00406CAF 47               inc edi
:00406CB0 33C0             xor eax, eax
:00406CB2 F2               repnz
:00406CB3 AE               scasb
:00406CB4 F7D1             not ecx
:00406CB6 2BF9             sub edi, ecx
:00406CB8 8D942440010000   lea edx, dword ptr [esp+00000140]
:00406CBF 8BC1             mov eax, ecx
:00406CC1 8BF7             mov esi, edi
:00406CC3 8BFA             mov edi, edx

* Possible Reference to Dialog: 
|
:00406CC5 6830444100       push 00414430
:00406CCA C1E902           shr ecx, 02
:00406CCD F3               repz
:00406CCE A5               movsd
:00406CCF 8BC8             mov ecx, eax
:00406CD1 83E103           and ecx, 00000003
:00406CD4 F3               repz
:00406CD5 A4               movsb
:00406CD6 8D4C2414         lea ecx, dword ptr [esp+14]
:00406CDA 51               push ecx
:00406CDB E820190000       call 00408600
:00406CE0 8BF8             mov edi, eax
:00406CE2 83C9FF           or ecx, FFFFFFFF
:00406CE5 33C0             xor eax, eax
:00406CE7 8D542418         lea edx, dword ptr [esp+18]
:00406CEB F2               repnz
:00406CEC AE               scasb
:00406CED F7D1             not ecx
:00406CEF 49               dec ecx
:00406CF0 8D7C2418         lea edi, dword ptr [esp+18]
:00406CF4 2BD1             sub edx, ecx
:00406CF6 83C9FF           or ecx, FFFFFFFF
:00406CF9 F2               repnz
:00406CFA AE               scasb
:00406CFB F7D1             not ecx
:00406CFD 49               dec ecx
:00406CFE 8D7C2418         lea edi, dword ptr [esp+18]
:00406D02 88040A           mov byte ptr [edx+ecx], al
:00406D05 83C9FF           or ecx, FFFFFFFF
:00406D08 F2               repnz
:00406D09 AE               scasb
:00406D0A F7D1             not ecx
:00406D0C 2BF9             sub edi, ecx
:00406D0E 8D9424E4000000   lea edx, dword ptr [esp+000000E4]
:00406D15 8BC1             mov eax, ecx
:00406D17 8BF7             mov esi, edi
:00406D19 8BFA             mov edi, edx
:00406D1B 8D9424E4000000   lea edx, dword ptr [esp+000000E4]
:00406D22 C1E902           shr ecx, 02
:00406D25 F3               repz
:00406D26 A5               movsd
:00406D27 8BC8             mov ecx, eax
:00406D29 83E103           and ecx, 00000003
:00406D2C F3               repz
:00406D2D A4               movsb
:00406D2E 8D8C2448010000   lea ecx, dword ptr [esp+00000148]
:00406D35 51               push ecx
:00406D36 52               push edx
:00406D37 E824FCFFFF       call 00406960    ====> The key CALL! Step in! ^-^ ^-^
:00406D3C 83C418           add esp, 00000018
:00406D3F A2A55A4100       mov byte ptr [00415AA5], al    ====> registration flag stored into [00415AA5]
:00406D44 5F               pop edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406C2E(C)
|
:00406D45 A0A55A4100       mov al, byte ptr [00415AA5]
:00406D4A C605A45A410001   mov byte ptr [00415AA4], 01
:00406D51 5E               pop esi
:00406D52 81C494010000     add esp, 00000194
:00406D58 C3               ret
————————————————————————————————— Enter the key CALL at 406D37: call 00406960
* Referenced by a CALL at Address:
|:00406D37   
|
:00406960 83EC18           sub esp, 00000018
:00406963 53               push ebx
:00406964 56               push esi
:00406965 57               push edi
:00406966 E8C5FFFFFF       call 00406930    ====> reads the hard-disk serial and derives the software serial from it!
:0040696B 8BF8             mov edi, eax    ====> EDI=EAX=37015EDA
:0040696D 8D44240C         lea eax, dword ptr [esp+0C]
:00406971 81F717108519     xor edi, 19851017    ====> EDI=37015EDA XOR 19851017=2E844ECD. Hehe, the computed 2E844ECD is the key parameter; the CALL below turns it into the first half of the registration code!
:00406977 6A24             push 00000024
:00406979 50               push eax
:0040697A 57               push edi
:0040697B E8FFA70000       call 0041117F    ====> first computation CALL! Step in!
:00406980 8B442434         mov eax, dword ptr [esp+34]    ====> EAX=[esp+34]=123456, the first half of the trial code
:00406984 83C40C           add esp, 0000000C
:00406987 8D74240C         lea esi, dword ptr [esp+0C]    ====> ESI=[esp+0C]=cwn64t, the first half of the registration code

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004069AD(C)
|    ====> below is the byte-by-byte comparison! one mismatch and it's over!
:0040698B 8A10             mov dl, byte ptr [eax]
:0040698D 8A1E             mov bl, byte ptr [esi]
:0040698F 8ACA             mov cl, dl
:00406991 3AD3             cmp dl, bl
:00406993 751E             jne 004069B3    ====> jump = over!
:00406995 84C9             test cl, cl
:00406997 7416             je 004069AF
:00406999 8A5001           mov dl, byte ptr [eax+01]
:0040699C 8A5E01           mov bl, byte ptr [esi+01]
:0040699F 8ACA             mov cl, dl
:004069A1 3AD3             cmp dl, bl
:004069A3 750E             jne 004069B3    ====> jump = over!
:004069A5 83C002           add eax, 00000002
:004069A8 83C602           add esi, 00000002
:004069AB 84C9             test cl, cl
:004069AD 75DC             jne 0040698B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406997(C)
|
:004069AF 33C0             xor eax, eax
:004069B1 EB05             jmp 004069B8

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406993(C), :004069A3(C)
|
:004069B3 1BC0             sbb eax, eax
:004069B5 83D8FF           sbb eax, FFFFFFFF    ====> patch point 1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004069B1(U)
|
:004069B8 85C0             test eax, eax
:004069BA 756B             jne 00406A27    ====> must not jump!
:004069BC B801000000       mov eax, 00000001    ====> set to 1 = OK!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004069CA(C)
|
:004069C1 8BC8             mov ecx, eax
:004069C3 0FAFF9           imul edi, ecx    ====> EDI=2E844ECD*1*2*3*4*5*6*7*8*9=9A541B80
:004069C6 40               inc eax
:004069C7 83F80A           cmp eax, 0000000A
:004069CA 7CF5             jl 004069C1    ====> 9 multiplications in a loop! gives 9A541B80 as the parameter for the second half of the code!
:004069CC 8D542418         lea edx, dword ptr [esp+18]
:004069D0 6A24             push 00000024
:004069D2 52               push edx
:004069D3 57               push edi
:004069D4 E8A6A70000       call 0041117F    ====> second computation CALL! same flow as for the first half, only the parameter is now 9A541B80!
:004069D9 8B442438         mov eax, dword ptr [esp+38]    ====> EAX=7890ABC, the second half of the trial code
:004069DD 83C40C           add esp, 0000000C
:004069E0 8D742418         lea esi, dword ptr [esp+18]    ====> ESI=16tjm2o, the second half of the registration code

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406A06(C)
|    ====> below is the byte-by-byte comparison! one mismatch and it's over!
:004069E4 8A10             mov dl, byte ptr [eax]
:004069E6 8A1E             mov bl, byte ptr [esi]
:004069E8 8ACA             mov cl, dl
:004069EA 3AD3             cmp dl, bl
:004069EC 7528             jne 00406A16    ====> jump = over!
:004069EE 84C9             test cl, cl
:004069F0 7416             je 00406A08
:004069F2 8A5001           mov dl, byte ptr [eax+01]
:004069F5 8A5E01           mov bl, byte ptr [esi+01]
:004069F8 8ACA             mov cl, dl
:004069FA 3AD3             cmp dl, bl
:004069FC 7518             jne 00406A16    ====> jump = over!
:004069FE 83C002           add eax, 00000002
:00406A01 83C602           add esi, 00000002
:00406A04 84C9             test cl, cl
:00406A06 75DC             jne 004069E4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004069F0(C)
|
:00406A08 33C0             xor eax, eax
:00406A0A 5F               pop edi
:00406A0B 85C0             test eax, eax
:00406A0D 5E               pop esi
:00406A0E 5B               pop ebx
:00406A0F 0F94C0           sete al    ====> set to 1 = OK!
:00406A12 83C418           add esp, 00000018
:00406A15 C3               ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004069EC(C), :004069FC(C)
|
:00406A16 1BC0             sbb eax, eax
:00406A18 5F               pop edi
:00406A19 83D8FF           sbb eax, FFFFFFFF    ====> patch point 2
:00406A1C 5E               pop esi
:00406A1D 85C0             test eax, eax
:00406A1F 0F94C0           sete al
:00406A22 5B               pop ebx
:00406A23 83C418           add esp, 00000018
:00406A26 C3               ret
————————————————————————————————— Enter 406966 call 00406930 to see how the software serial is derived!
* Referenced by a CALL at Addresses:
|:004063D6   , :00406966   
|
:00406930 51               push ecx
:00406931 6A00             push 00000000
:00406933 6A00             push 00000000
:00406935 6A00             push 00000000
:00406937 8D44240C         lea eax, dword ptr [esp+0C]
:0040693B 6A00             push 00000000
:0040693D 50               push eax
:0040693E 6A00             push 00000000
:00406940 6A00             push 00000000

* Possible StringData Ref from Data Obj ->"C:\"
|
:00406942 68F8434100       push 004143F8

* Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
|
:00406947 FF1514214100     Call dword ptr [00412114]    ====> reads the hard-disk serial. Hehe: GetVolumeInformationA
:0040694D 8B442400         mov eax, dword ptr [esp]    ====> EAX=211C1E09 is my hard-disk serial!
:00406951 35D3401D16       xor eax, 161D40D3    ====> EAX=211C1E09 XOR 161D40D3=37015EDA(H)=922836698(D)
:00406956 99               cdq
:00406957 33C2             xor eax, edx
:00406959 2BC2             sub eax, edx
:0040695B 59               pop ecx
:0040695C C3               ret
————————————————————————————————— Enter the computation CALL at 40697B: call 0041117F. Both rounds follow the same flow, so I only recorded the data for the first half!
Then enter 0041119C: call 00411123
* Referenced by a CALL at Addresses:
|:00411116   , :0041119C   
|
:00411123 55               push ebp
:00411124 8BEC             mov ebp, esp
:00411126 837D1400         cmp dword ptr [ebp+14], 00000000
:0041112A 8B4D0C           mov ecx, dword ptr [ebp+0C]
:0041112D 53               push ebx
:0041112E 56               push esi
:0041112F 57               push edi
:00411130 740B             je 0041113D
:00411132 8B7508           mov esi, dword ptr [ebp+08]
:00411135 C6012D           mov byte ptr [ecx], 2D
:00411138 41               inc ecx
:00411139 F7DE             neg esi
:0041113B EB03             jmp 00411140

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411130(C)
|
:0041113D 8B7508           mov esi, dword ptr [ebp+08]    ====> ESI=2E844ECD

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041113B(U)
|
:00411140 8BF9             mov edi, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411166(C)
|
:00411142 8BC6             mov eax, esi
:00411144 33D2             xor edx, edx
:00411146 F77510           div [ebp+10]    ====> [ebp+10]=24
    1. ====> EDX=2E844ECD % 24=1D
    2. ====> EDX=014AC94C % 24=04
    3. ====> EDX=00093042 % 24=06
    4. ====> EDX=00004157 % 24=17
    5. ====> EDX=000001D0 % 24=20
    6. ====> EDX=0000000C % 24=0C
:00411149 8BC6             mov eax, esi
:0041114B 8BDA             mov ebx, edx
:0041114D 33D2             xor edx, edx
:0041114F F77510           div [ebp+10]
    1. ====> EAX=2E844ECD / 24=014AC94C
    2. ====> EAX=014AC94C / 24=00093042
    3. ====> EAX=00093042 / 24=00004157
    4. ====> EAX=00004157 / 24=000001D0
    5. ====> EAX=000001D0 / 24=0000000C
    6. ====> EAX=0000000C / 24=00000000
:00411152 83FB09           cmp ebx, 00000009
:00411155 8BF0             mov esi, eax    ====> ESI=EAX: keep going with the quotient until it reaches 0!
:00411157 7605             jbe 0041115E
:00411159 80C357           add bl, 57
    1. ====> BL=1D + 57=74, i.e. the character 't'
    4. ====> BL=17 + 57=6E, i.e. the character 'n'
    5. ====> BL=20 + 57=77, i.e. the character 'w'
    6. ====> BL=0C + 57=63, i.e. the character 'c'
:0041115C EB03             jmp 00411161

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411157(C)
|
:0041115E 80C330           add bl, 30
    2. ====> BL=04 + 30=34, i.e. the character '4'
    3. ====> BL=06 + 30=36, i.e. the character '6'

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041115C(U)
|
:00411161 8819             mov byte ptr [ecx], bl    ====> BL stored at [ecx]
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
Memory at [ECX] after the loop ends:
0068F528 74 34 36 6E 77 63    t46nwc
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00411163 41               inc ecx
:00411164 85F6             test esi, esi
:00411166 77DA             ja 00411142    ====> loop!
:00411168 802100           and byte ptr [ecx], 00
:0041116B 49               dec ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411178(C)
|
:0041116C 8A17             mov dl, byte ptr [edi]
:0041116E 8A01             mov al, byte ptr [ecx]
:00411170 8811             mov byte ptr [ecx], dl
:00411172 8807             mov byte ptr [edi], al
:00411174 49               dec ecx
:00411175 47               inc edi
:00411176 3BF9             cmp edi, ecx
:00411178 72F2             jb 0041116C    ====> this small loop reverses t46nwc into cwn64t
:0041117A 5F               pop edi
:0041117B 5E               pop esi
:0041117C 5B               pop ebx
:0041117D 5D               pop ebp
:0041117E C3               ret
————————————————————————————————— 【Algorithm summary】:
1. Read the hard-disk serial: 211C1E09 XOR 161D40D3 = 37015EDA. This is the software serial.
2. Software serial 37015EDA XOR 19851017 = 2E844ECD. Repeatedly divide 2E844ECD by 24H (36) until the quotient is 0. If a remainder is 9 or less (the jbe at 00411157), add 30H to make a decimal digit; otherwise add 57H to make a lowercase letter. Then reverse the resulting string.
This gives the first half of the registration code: cwn64t
3. Take the same 2E844ECD and multiply it by 1*2*3*4*5*6*7*8*9 in a 32-bit register = 9A541B80. Repeatedly divide 9A541B80 by 24H until the quotient is 0, converting each remainder the same way (9 or less: add 30H for a digit; otherwise add 57H for a lowercase letter), then reverse the string.
This gives the second half of the registration code: 16tjm2o
So my registration code is: cwn64t-16tjm2o
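The summary above, together with the base-36 conversion routine traced at 00411123, can be checked end to end with the following Python, added here as an illustration; it is not code from the write-up nor from HMILYBCG's keygen post below. It uses only the constants visible in the disassembly (161D40D3, 19851017, radix 24H and the 1..9 multiplication loop); the function names are this example's own. From a defender's point of view it makes the weakness of the scheme concrete: the only "secret" is two fixed XOR constants read straight out of the binary, the encoding is the C runtime's reversible base-36 itoa, and the serial is a pure function of the volume serial, so every intermediate value quoted in the trace falls out of a few lines of arithmetic.

```python
# Added example: re-implementation of the registration scheme exactly as the
# write-up traces it, so the quoted intermediate values can be verified.
# Constants are the ones in the disassembly; function names are this example's own.

MASK32 = 0xFFFFFFFF
SERIAL_XOR = 0x161D40D3   # xor eax, 161D40D3 at 00406951
KEY_XOR = 0x19851017      # xor edi, 19851017 at 00406971
RADIX = 0x24              # push 00000024 before each call 0041117F (base 36)


def to_radix(value: int, radix: int = RADIX) -> str:
    """Mirror of the loop at 00411142..00411178.

    Repeated unsigned division; a remainder of 9 or less becomes '0'+r (add bl,30),
    anything larger becomes 0x57+r, i.e. 'a'..'z' for 10..35 (add bl,57).
    Digits come out least-significant first and are then reversed in place,
    which is why t46nwc ends up as cwn64t.
    """
    if value < 0 or value > MASK32 or not 2 <= radix <= 36:
        raise ValueError("value must be an unsigned 32-bit integer, radix 2..36")
    digits = []
    while True:                       # do-while: body runs at least once (ja at 00411166)
        value, r = divmod(value, radix)
        digits.append(chr(r + 0x30) if r <= 9 else chr(r + 0x57))
        if value == 0:
            break
    return "".join(reversed(digits))


def software_serial(volume_serial: int) -> int:
    """00406930: volume serial from GetVolumeInformationA("C:\\"), xor 161D40D3, abs().

    cdq / xor eax,edx / sub eax,edx at 00406956 is the compiler's idiom for abs()
    on a signed 32-bit value, so a result with the top bit set is negated.
    """
    v = (volume_serial ^ SERIAL_XOR) & MASK32
    if v & 0x80000000:
        v = (-v) & MASK32
    return v


def registration_code(serial: int) -> str:
    """00406960: the 'xxxxxx-yyyyyyy' string the program expects for a serial."""
    first_param = (serial ^ KEY_XOR) & MASK32          # xor edi, 19851017
    second_param = first_param
    for i in range(1, 10):                             # imul loop at 004069C1: *1*2*...*9
        second_param = (second_param * i) & MASK32     # 32-bit register, so it wraps
    return f"{to_radix(first_param)}-{to_radix(second_param)}"


def is_valid(serial: int, candidate: str) -> bool:
    """What the two strcmp-style loops at 0040698B and 004069E4 decide."""
    return candidate == registration_code(serial)


if __name__ == "__main__":
    # Values quoted in the write-up: the author's volume serial and trial input.
    vol = 0x211C1E09
    s = software_serial(vol)
    print(f"volume serial {vol:08X} -> software serial {s:08X} = {s}")
    print("registration code:", registration_code(s))
    print("trial code accepted?", is_valid(s, "123456-7890ABC"))
```

Running it reproduces the trace: 211C1E09 becomes 37015EDA (922836698), the first half encodes to cwn64t, the 32-bit product 9A541B80 encodes to 16tjm2o, and the trial code 123456-7890ABC is rejected. The `& MASK32` after each multiplication is what keeps the Python result equal to the `imul edi, ecx` register value; without it the second half would be computed on an unbounded integer and diverge from the program.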
————————————————————————————————— 【Perfect patch】:
1. At 004069B5: 83D8FF sbb eax, FFFFFFFF  -> change to 33C090 xor eax, eax plus one NOP
2. At 00406A19: 83D8FF sbb eax, FFFFFFFF  -> change to 33C090 xor eax, eax plus one NOP
————————————————————————————————— 【Where the registration info is saved】:
In sign.ini in the program's directory: cwn64t-16tjm2o
————————————————————————————————— 【Summary】:
Serial: 922836698    Registration code: cwn64t-16tjm2o
—————————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-10-11 15:51
Title: 鼠到擒来 V3.1 keygen    Posted by: HMILYBCG    Time: 2003/04/12 10:20am    Details:
Hehe, fly did the analysis again, and I'll write the keygen!!
Keygen source follows; debugged under C++ Builder 6.0 on Win98 SE!
//---------------------------------------------------------------------------
// C++ Builder VCL handler: MEdit holds the decimal software serial, CEdit gets the code.
// The comparisons inside the loops were lost when the page was extracted (text between
// '<' and '>' was stripped) and are restored here from the algorithm summary above.
void __fastcall Tform1::OKBtnClick(TObject *Sender)
{
    String key_1, key_11, key_2, key_22;
    __int64 Ma;
    int a, b, c = 1, d, b_1;
    unsigned long e = 0, f = 0, g = 0;
    if (MEdit->Text != "")
    {
        Ma = StrToInt64(MEdit->Text);
        // first half: (serial XOR 19851017) in base 36, digits least-significant first
        e = Ma ^ 0x19851017;
        while (e > 0)
        {
            a = e % 0x24;
            e = e / 0x24;
            if (a <= 9) key_1 = key_1 + char(a + 0x30);   // '0'..'9'
            else        key_1 = key_1 + char(a + 0x57);   // 'a'..'z'
        }
        b = key_1.Length();              // reverse key_1 into key_11 (1-based indexing)
        while (b >= 1)
        {
            f = key_1[b];
            b--;
            key_11 = key_11 + char(f);
        }
        // second half: same value times 1*2*...*9 (32-bit wraparound), encoded the same way
        e = Ma ^ 0x19851017;
        while (c < 10)
        {
            e = e * c;
            c++;
        }
        while (e > 0)
        {
            d = e % 0x24;
            e = e / 0x24;
            if (d <= 9) key_2 = key_2 + char(d + 0x30);
            else        key_2 = key_2 + char(d + 0x57);
        }
        b_1 = key_2.Length();
        while (b_1 >= 1)
        {
            g = key_2[b_1];
            b_1--;
            key_22 = key_22 + char(g);
        }
        CEdit->Text = CEdit->Text + key_11 + "-" + key_22;
    }
}
//---------------------------------------------------------------------------