Mview破解手记

mView是查看操作系统不能显示的光盘目录（ISO格式）。支持后缀名为FCD和VCD未压缩虚拟光驱的境像文件和标准的ISO境像文件。适用于WIN95/WIN98/WINNT/WIN2000。它可以让您象资源管理器一样的操作被隐藏的文件和目录。能快速的读取文件和目录，支持多种访问方式。它可以隐藏未压缩虚拟光驱的境像文件中的目录，当您插入虚拟光驱后不可见，但可以正常的运行和在（MS-DOS下）访问。可保护您的数据。当然最实用的功能就是查看加密的光盘的内容，有一个ISOBuster软件虽然可以查看内容，但是运行加密光盘上的文件时，必须复制到硬盘上，而此软件就没有这个必要，可以通过双击文件在光盘上直接运行加密光盘上的文件，界面也类似于ISOBuster，非常好用。（一）用FI侦测Mview.exe是用Aspack1.07加的壳，用UnAspack脱壳，另存为Mview1.exe。（二）运行一遍，发现注册出错的信息为"The registration code error"。（三）用W32Dasm打开Mview1.exe。串式参考，反复双击发现有两处调用，而"Thank you for register mView，Good luck!"估计为注册成功的信息，反复双击发现只有一处调用。（四）分析:00403B1E 68C0B44400              push 0044B4C0:00403B23 53                      push ebx:00403B24 E8E4A40200              call 0042E00D:00403B29 E83D000000              call 00403B6B＊＊＊＊关键CALL:00403B2E 813D7009450095260000    cmp dword ptr [00450970], 00002695＊＊＊＊判断:00403B38 5F                      pop edi:00403B39 5B                      pop ebx:00403B3A 6AFF                    push FFFFFFFF:00403B3C 7509                    jne 00403B47＊＊＊＊不跳就死，一跳就出成功信息:00403B3E 6A10                    push 00000010* Possible Reference to String Resource ID=61719: The registration code error!"                                  |＊＊＊＊注册失败:00403B40 6817F10000              push 0000F117:00403B45 EB1D                    jmp 00403B64* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00403B3C(C)|:00403B47 6A40                    push 00000040* Possible Reference to String Resource ID=61720: Thank you for register mView, Good luck!"                                  |＊＊＊＊注册成功信息:00403B49 6818F10000              push 0000F118:00403B4E E874530200              call 00428EC7:00403B53 8BCE                    mov ecx, esi:00403B55 E855D40100              call 00420FAF:00403B5A 5E                      pop esi:00403B5B C3                      ret（五）用UltraEdit修改，将403B3C处改为强制跳转。（六）运行Mview1.exe，注册，显示成功。以为至此已破解完成，不料重新运行后还是未注册版本。只好从头来过，经过分析，发现程序将注册名和注册码保存在注册表中（HKCU\Software\yANmVIEW\mView\OPTION），重新运行程序时（其实在注册时也是一样），程序读取注册表，再进行判断。没办法，只好用TRW2000跟踪分析。（七）运行TRW2000，再运行Mview1.exe，进入注册窗口，填写注册码，不按"OK"按纽，按Ctrl+N进入TRW2000环境，下万能中断（bpx hmemcpy），F5执行，按"OK"按纽，被截取，单步执行进行分析。具体的代码太多，不列出了。发现程序主要进行以下几步：先判断注册名和注册码是否为空，之后将注册名和注册码写入注册表，接下来就到了上面列出的那部分代码，按F8追进CALL 403B6B，代码如下：:00403B6B B8209E4300              mov eax, 00439E20:00403B70 E8DBD30000              call 00410F50:00403B75 83EC0C                  sub esp, 0000000C:00403B78 A1F0BD4400              mov eax, dword ptr [0044BDF0]:00403B7D 53                      push ebx:00403B7E 56                      push esi:00403B7F 57                      push edi:00403B80 8945F0                  mov dword ptr [ebp-10], eax:00403B83 33DB                    xor ebx, ebx:00403B85 8945EC                  mov dword ptr [ebp-14], eax:00403B88 895DFC                  mov dword ptr [ebp-04], ebx:00403B8B 53                      push ebx* Possible StringData Ref from Data Obj ->"OPTION"                                  |:00403B8C BFD4B34400              mov edi, 0044B3D4* Possible StringData Ref from Data Obj ->"REGNAME"＊＊＊＊以下代码从注册表中读取注册名                                  |:00403B91 68A8B44400              push 0044B4A8:00403B96 8D45E8                  lea eax, dword ptr [ebp-18]:00403B99 BE90FE4400              mov esi, 0044FE90:00403B9E 57                      push edi:00403B9F 50                      push eax:00403BA0 8BCE                    mov ecx, esi:00403BA2 C645FC01                mov [ebp-04], 01:00403BA6 E85C230300              call 00435F07:00403BAB 50                      push eax:00403BAC 8D4DF0                  lea ecx, dword ptr [ebp-10]:00403BAF C645FC02                mov [ebp-04], 02:00403BB3 E80AE00100              call 00421BC2:00403BB8 8D4DE8                  lea ecx, dword ptr [ebp-18]:00403BBB C645FC01                mov [ebp-04], 01:00403BBF E8C5DE0100              call 00421A89:00403BC4 53                      push ebx* Possible StringData Ref from Data Obj ->"REGCODE"＊＊＊＊以下代码从注册表中读取输入的注册码                                  |:00403BC5 68C0B44400              push 0044B4C0:00403BCA 8D45E8                  lea eax, dword ptr [ebp-18]:00403BCD 57                      push edi:00403BCE 50                      push eax:00403BCF 8BCE                    mov ecx, esi:00403BD1 E831230300              call 00435F07:00403BD6 50                      push eax:00403BD7 8D4DEC                  lea ecx, dword ptr [ebp-14]:00403BDA C645FC03                mov [ebp-04], 03:00403BDE E8DFDF0100              call 00421BC2:00403BE3 8D4DE8                  lea ecx, dword ptr [ebp-18]:00403BE6 C645FC01                mov [ebp-04], 01:00403BEA E89ADE0100              call 00421A89:00403BEF 8B45F0                  mov eax, dword ptr [ebp-10]＊＊＊＊EAX得到姓名地址13E4610:00403BF2 3958F8                  cmp dword ptr [eax-08], ebx＊＊＊＊判断姓名是否为空（长度为0）:00403BF5 7476                    je 00403C6D＊＊＊＊为0转403C6D，出错:00403BF7 8B45EC                  mov eax, dword ptr [ebp-14]＊＊＊＊EAX得到注册码地址13E4660:00403BFA 3958F8                  cmp dword ptr [eax-08], ebx＊＊＊＊判断注册码是否为空:00403BFD 746E                    je 00403C6D＊＊＊＊为0转403C6D，出错* Possible StringData Ref from Data Obj ->"                                                  |:00403BFF 68C8B44400              push 0044B4C8:00403C04 8D4DF0                  lea ecx, dword ptr [ebp-10]＊＊＊＊ECX为存放姓名地址的单元地址:00403C07 E87FE10100              call 00421D8B:00403C0C FF75EC                  push [ebp-14]＊＊＊＊将存放注册码的地址压栈:00403C0F E85FD90000              call 00411573＊＊＊＊关键，此处将注册码的10进制数转换为16进制数:00403C14 8BF0                    mov esi, eax＊＊＊＊将换算过来的16进制数保存到ESI中，用于后面计算:00403C16 59                      pop ecx:00403C17 3BF3                    cmp esi, ebx＊＊＊＊判断注册码是否为0，为0则错误:00403C19 7452                    je 00403C6D* Possible Reference to Dialog: DialogID_0088, CONTROL_ID:0007, &(&N)"                                  |:00403C1B 6A07                    push 00000007:00403C1D 5F                      pop edi给EDI赋值为7，用于后面参与运算时计数用* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00403C51(C)|:00403C1E 8B45F0                  mov eax, dword ptr [ebp-10]＊＊＊＊程序核心开始，EAX为姓名地址:00403C21 0FBE0407                movsx eax, byte ptr [edi+eax]＊＊＊＊al得到当前指向姓名的字符:00403C25 50                      push eax＊＊＊＊注意：不管你输入几位，程序都将运算8次，:00403C26 E895D80000              call 004114C0＊＊＊＊不足位用20（空格）代替。下面一段主要用于:00403C2B 85C0                    test eax, eax＊＊＊＊将小写字母转换为大写字母:00403C2D 8B45F0                  mov eax, dword ptr [ebp-10]:00403C30 59                      pop ecx:00403C31 8A0407                  mov al, byte ptr [edi+eax]:00403C34 7402                    je 00403C38:00403C36 2C20                    sub al, 20* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00403C34(C)|:00403C38 0FB6C0                  movzx eax, al＊＊＊＊得到转换后的数据（指小写转大写）:00403C3B 2BF0                    sub esi, eax＊＊＊＊前面的ESI减EAX，也就是减去字母的ASCII码:00403C3D 6A09                    push 00000009:00403C3F 8BC6                    mov eax, esi＊＊＊＊EAX为ESI:00403C41 33D2                    xor edx, edx＊＊＊＊EDX置0:00403C43 59                      pop ecx＊＊＊＊ECX赋值为9:00403C44 F7F1                    div ecx＊＊＊＊将EDX:EAX除9:00403C46 85D2                    test edx, edx＊＊＊＊判断是否除尽:00403C48 7509                    jne 00403C53＊＊＊＊没有除尽则转向出错:00403C4A 8BC6                    mov eax, esi:00403C4C F7F1                    div ecx:00403C4E 4F                      dec edi＊＊＊＊计数器减1:00403C4F 8BF0                    mov esi, eax＊＊＊＊ESI得到除9的商:00403C51 79CB                    jns 00403C1E＊＊＊＊继续循环做直至EDI为0* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00403C48(C)|:00403C53 F7DE                    neg esi＊＊＊＊如果ESI为0则，取补码后CF＝0，否则CF＝1，导致下面出错:00403C55 1BF6                    sbb esi, esi＊＊＊＊如果CF＝1，则ESI＝FFFFFFFF，否则ESI＝0:00403C57 6A01                    push 00000001＊＊＊＊而ESI＝FFFFFFFF则导致450970单元为2695，注册不成功:00403C59 6681E682F4              and si, F482:00403C5E 81C613320000            add esi, 00003213＊＊＊＊强行修改处:00403C64 893570094500            mov dword ptr [00450970], esi＊＊＊＊修改地址单位数据:00403C6A 5E                      pop esi:00403C6B EB02                    jmp 00403C6F* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:|:00403BF5(C), :00403BFD(C), :00403C19(C)|:00403C6D 33F6                    xor esi, esi＊＊＊＊ESI置0* Referenced by a (U)nconditional or (C)onditional Jump at Address:|:00403C6B(U)|:00403C6F 8D4DEC                  lea ecx, dword ptr [ebp-14]:00403C72 885DFC                  mov byte ptr [ebp-04], bl:00403C75 E80FDE0100              call 00421A89:00403C7A 834DFCFF                or dword ptr [ebp-04], FFFFFFFF:00403C7E 8D4DF0                  lea ecx, dword ptr [ebp-10]:00403C81 E803DE0100              call 00421A89:00403C86 8B4DF4                  mov ecx, dword ptr [ebp-0C]:00403C89 8BC6                    mov eax, esi:00403C8B 5F                      pop edi:00403C8C 5E                      pop esi:00403C8D 5B                      pop ebx:00403C8E 64890D00000000          mov dword ptr fs:[00000000], ecx:00403C95 C9                      leave:00403C96 C3                      ret由于代码非常长，而且没有直接出现注册码，所以没办法了，只好进行爆破。由于注册成功与否，主要是看地址00450970处的数据是否为2695（见403B2E），而修改此地址内容的代码在403C64，但直接改此句不方便，而上一句对要放入此地址的ESI处理，所以改上一句，将与ESI运算的3213随便改一个数据，保存。（八）运行修改后的Mview1.exe，发现不再出现那个讨厌的要求注册的窗口，通过关于菜单的注册也是不论输入什么东西都可以成功。至此，破解完成。附记（2001.10.14凌晨1时）：由于强行破解存在一个问题，就是提示框内仍认为你是未注册的，所以始终觉得不是很舒服，再次分析源代码，终于发现注册码的算法。具体说明见代码注释。根据分析可以发现注册码的算法如下：将注册名的ASCII码排序如下：A、B、C、D、E、F、G、H，如果不够8位，则后面补20（即空格）。计算注册码的方法：((((((A*9+B)*9+C)*9+D)*9+E)*9+F)*9+G)*9+H。最后就是编写一个注册机了，由于用VB最方便，就用它了。