X-FREE crack
Source: Internet Published: java截取字符串 Editor: 程序博客网 Time: 2024/05/17 05:17
Writing up the brute-force (patch) method first; I'll look at the actual algorithm when I have time.
1. The registration information is stored in the registry. In OD (OllyDbg), press Ctrl+N to locate the RegQueryValueExA function, look up the references to that imported function, set a breakpoint on every reference, and press F9 to run.
This is the area of interest:
```
0042A7E3 . BA 06F36800 mov edx, 0068F306 ; ASCII "RegistryCode"
0042A7E8 . 8D85 78FCFFFF lea eax, dword ptr [ebp-388]
0042A7EE . E8 99D02100 call 0064788C
0042A7F3 . FF85 3CFAFFFF inc dword ptr [ebp-5C4]
0042A7F9 . 8B10 mov edx, dword ptr [eax]
0042A7FB . 33C0 xor eax, eax
0042A7FD . 8985 74FCFFFF mov dword ptr [ebp-38C], eax
0042A803 . 8D8D 74FCFFFF lea ecx, dword ptr [ebp-38C]
0042A809 . FF85 3CFAFFFF inc dword ptr [ebp-5C4]
0042A80F . 8B85 98F9FFFF mov eax, dword ptr [ebp-668]
0042A815 . E8 068C1600 call 00593420
0042A81A . 8D95 74FCFFFF lea edx, dword ptr [ebp-38C]
0042A820 . 8B45 FC mov eax, dword ptr [ebp-4]
0042A823 . 05 BC0A0000 add eax, 0ABC
0042A828 . E8 2BD32100 call 00647B58
0042A82D . FF8D 3CFAFFFF dec dword ptr [ebp-5C4]
0042A833 . 8D85 74FCFFFF lea eax, dword ptr [ebp-38C]
0042A839 . BA 02000000 mov edx, 2
0042A83E . E8 E5D22100 call 00647B28
0042A843 . FF8D 3CFAFFFF dec dword ptr [ebp-5C4]
0042A849 . 8D85 78FCFFFF lea eax, dword ptr [ebp-388]
0042A84F . BA 02000000 mov edx, 2
0042A854 . E8 CFD22100 call 00647B28
0042A859 . 66:C785 30FAF>mov word ptr [ebp-5D0], 38C
0042A862 . BA 13F36800 mov edx, 0068F313 ; ASCII "UserName"
0042A867 . 8D85 70FCFFFF lea eax, dword ptr [ebp-390]
0042A86D . E8 1AD02100 call 0064788C
0042A872 . FF85 3CFAFFFF inc dword ptr [ebp-5C4]
0042A878 . 8B10 mov edx, dword ptr [eax]
0042A87A . 33C0 xor eax, eax
0042A87C . 8985 6CFCFFFF mov dword ptr [ebp-394], eax
0042A882 . 8D8D 6CFCFFFF lea ecx, dword ptr [ebp-394]
0042A888 . FF85 3CFAFFFF inc dword ptr [ebp-5C4]
0042A88E . 8B85 98F9FFFF mov eax, dword ptr [ebp-668]
0042A894 . E8 878B1600 call 00593420
0042A899 . 8D95 6CFCFFFF lea edx, dword ptr [ebp-394]
0042A89F . 8B45 FC mov eax, dword ptr [ebp-4]
0042A8A2 . 05 C00A0000 add eax, 0AC0
0042A8A7 . E8 ACD22100 call 00647B58
0042A8AC . FF8D 3CFAFFFF dec dword ptr [ebp-5C4]
0042A8B2 . 8D85 6CFCFFFF lea eax, dword ptr [ebp-394]
0042A8B8 . BA 02000000 mov edx, 2
0042A8BD . E8 66D22100 call 00647B28
0042A8C2 . FF8D 3CFAFFFF dec dword ptr [ebp-5C4]
0042A8C8 . 8D85 70FCFFFF lea eax, dword ptr [ebp-390]
0042A8CE . BA 02000000 mov edx, 2
0042A8D3 . E8 50D22100 call 00647B28
0042A8D8 . 66:C785 30FAF>mov word ptr [ebp-5D0], 398
0042A8E1 . BA 1CF36800 mov edx, 0068F31C ; ASCII "EMail"
0042A8E6 . 8D85 68FCFFFF lea eax, dword ptr [ebp-398]
0042A8EC . E8 9BCF2100 call 0064788C
0042A8F1 . FF85 3CFAFFFF inc dword ptr [ebp-5C4]
0042A8F7 . 8B10 mov edx, dword ptr [eax]
0042A8F9 . 33C0 xor eax, eax
0042A8FB . 8985 64FCFFFF mov dword ptr [ebp-39C], eax
0042A901 . 8D8D 64FCFFFF lea ecx, dword ptr [ebp-39C]
0042A907 . FF85 3CFAFFFF inc dword ptr [ebp-5C4]
0042A90D . 8B85 98F9FFFF mov eax, dword ptr [ebp-668]
0042A913 . E8 088B1600 call 00593420
0042A918 . 8D95 64FCFFFF lea edx, dword ptr [ebp-39C]
0042A91E . 8B45 FC mov eax, dword ptr [ebp-4]
0042A921 . 05 C40A0000 add eax, 0AC4
0042A926 . E8 2DD22100 call 00647B58
0042A92B . FF8D 3CFAFFFF dec dword ptr [ebp-5C4]
0042A931 . 8D85 64FCFFFF lea eax, dword ptr [ebp-39C]
0042A937 . BA 02000000 mov edx, 2
0042A93C . E8 E7D12100 call 00647B28
0042A941 . FF8D 3CFAFFFF dec dword ptr [ebp-5C4]
0042A947 . 8D85 68FCFFFF lea eax, dword ptr [ebp-398]
```
(Preliminary understanding: in the code above, the program reads the registration information out of the registry into variables; the code further down validates it.)
After the call at 0042A83E completes, edx holds the fake registration code that was entered. Right-click the edx register (mine was 00FB09D8) and choose "Follow in Dump"; then, in the lower-left dump window, right-click → Breakpoint → Memory, on access.
Execution enters call 00598390; after it returns you land here:
```
0042B418 . E8 73CF1600 call 00598390
0042B41D . 85C0 test eax, eax
0042B41F . 8D85 ECFBFFFF lea eax, dword ptr [ebp-414]
0042B425 . 0F94C1 sete cl
0042B428 . 83E1 01 and ecx, 1
0042B42B . BA 02000000 mov edx, 2
0042B430 . 51 push ecx ; /Arg1
0042B431 . FF8D 3CFAFFFF dec dword ptr [ebp-5C4] ; |
0042B437 . E8 ECC62100 call 00647B28 ; /CppIDE.00647B28
0042B43C . 59 pop ecx
0042B43D . 84C9 test cl, cl
0042B43F 0F84 91000000 je 0042B4D6 ; changing this je to jnz gives the brute-force crack
0042B445 . 83BD F0FBFFFF>cmp dword ptr [ebp-410], 0
0042B44C . 74 0B je short 0042B459
0042B44E . 8B85 F0FBFFFF mov eax, dword ptr [ebp-410]
```
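To make the two listings above easier to read, here is a small parser for OllyDbg-style disassembly dumps. It is an added example and not part of the original post: it pulls out the string constants OllyDbg annotates next to immediates (in this post, the registry value names RegistryCode, UserName and EMail) and reports each `test`/`cmp` whose result feeds a conditional jump within the next few instructions, which is exactly the "result of the check decides control flow" pattern the post zooms in on at 0042B43D/0042B43F. The sample input is a constructed excerpt copied from the post's own listing; the parser assumes OllyDbg's line layout (address, optional `.` marker, uppercase opcode bytes possibly cut off with `>`, lowercase mnemonic and operands, then an optional `;` comment).

```python
"""Parse OllyDbg-style disassembly lines and summarise string references and
flag-driven branches. Added example; not code from the original post."""
import re

# Constructed sample: lines copied from the post's listing (comments shortened).
SAMPLE_LISTING = """\
0042A7E3 . BA 06F36800 mov edx, 0068F306 ; ASCII "RegistryCode"
0042A7E8 . 8D85 78FCFFFF lea eax, dword ptr [ebp-388]
0042A859 . 66:C785 30FAF>mov word ptr [ebp-5D0], 38C
0042A862 . BA 13F36800 mov edx, 0068F313 ; ASCII "UserName"
0042A8E1 . BA 1CF36800 mov edx, 0068F31C ; ASCII "EMail"
0042B418 . E8 73CF1600 call 00598390
0042B41D . 85C0 test eax, eax
0042B425 . 0F94C1 sete cl
0042B428 . 83E1 01 and ecx, 1
0042B43D . 84C9 test cl, cl
0042B43F 0F84 91000000 je 0042B4D6 ; branch taken when the check result is zero
0042B445 . 83BD F0FBFFFF>cmp dword ptr [ebp-410], 0
0042B44C . 74 0B je short 0042B459
"""

HEX_TOKEN = re.compile(r"^[0-9A-F:]+$")          # opcode bytes are uppercase hex, e.g. 66:C785
ADDR_TOKEN = re.compile(r"^[0-9A-F]{8}$")        # 32-bit address at the start of each line
ASCII_REF = re.compile(r'ASCII "([^"]*)"')       # OllyDbg's annotation for string immediates


def parse_line(line):
    """Split one listing line into address, mnemonic, operands and comment.
    Returns None for lines that do not look like OllyDbg code lines."""
    code, _, comment = line.partition(";")
    # '>' marks truncated opcode bytes and may be glued to the mnemonic, so treat
    # it as a separator together with whitespace.
    tokens = re.split(r"[\s>]+", code.strip())
    if len(tokens) < 2 or not ADDR_TOKEN.match(tokens[0]):
        return None
    i = 1
    if tokens[i] == ".":              # OllyDbg's "analysed" marker
        i += 1
    while i < len(tokens) and HEX_TOKEN.match(tokens[i]):
        i += 1                        # skip opcode bytes; mnemonics are lowercase
    if i >= len(tokens):
        return None
    return {
        "addr": tokens[0],
        "mnemonic": tokens[i],
        "operands": " ".join(tokens[i + 1:]),
        "comment": comment.strip(),
    }


def parse_listing(text):
    """Parse every recognisable line of a pasted listing, in order."""
    return [ins for ins in (parse_line(l) for l in text.splitlines()) if ins]


def string_references(insns):
    """(address, string) pairs for every ASCII annotation in the listing."""
    refs = []
    for ins in insns:
        m = ASCII_REF.search(ins["comment"])
        if m:
            refs.append((ins["addr"], m.group(1)))
    return refs


def flag_checks(insns, window=3):
    """Each test/cmp followed within `window` instructions by a conditional jump:
    these are the points where a computed result decides control flow."""
    found = []
    for idx, ins in enumerate(insns):
        if ins["mnemonic"] not in ("test", "cmp"):
            continue
        for nxt in insns[idx + 1: idx + 1 + window]:
            if nxt["mnemonic"].startswith("j") and nxt["mnemonic"] != "jmp":
                found.append({"check": ins["addr"], "branch": nxt["addr"],
                              "jump": nxt["mnemonic"], "target": nxt["operands"]})
                break
    return found


if __name__ == "__main__":
    insns = parse_listing(SAMPLE_LISTING)
    for addr, s in string_references(insns):
        print(f"{addr}: string {s!r}")
    for c in flag_checks(insns):
        print(f"{c['check']}: {c['jump']} at {c['branch']} -> {c['target']}")
```

Note that `test eax, eax` at 0042B41D is not reported: its result is folded into `cl` by `sete` and only reaches a branch at 0042B43F via the second `test cl, cl`, which the window-based scan does report. A wider `window` (or tracking `sete`/`setne` explicitly) would link the two.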