Instant-killing a registration-code-protected program: the whole process
This program uses a registration-code scheme. After reinstalling the system I had to register it again, which was a hassle, so I rolled up my sleeves and did it myself...
Running the trial pops up a registration dialog showing a machine code; enter the registration code and you are done.
Trial registration: entered the registration code 51crack and clicked OK; the program simply exited without any message.
Load the program in OD, press F9 to let it run, and locate the code that pops up the dialog:
05392B98 |. 8D4C24 3C lea ecx,dword ptr ss:[esp+0x3C]
05392B9C |. E8 3FE70000 call HM.004122E0
05392BA1 |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18]
05392BA5 |. 8D4C24 38 lea ecx,dword ptr ss:[esp+0x38]
05392BA9 |. 50 push eax
05392BAA |. C68424 AC0000>mov byte ptr ss:[esp+0xAC],0x3
05392BB2 |. E8 39E80000 call HM.004123F0 ; pops up the registration window
05392BB7 |. 8D4C24 38 lea ecx,dword ptr ss:[esp+0x38]
05392BBB |. E8 620D0100 call <jmp.&MFC42.#CDialog::DoModal_2514>
05392BC0 |. 83F8 01 cmp eax,0x1
05392BC3 |. 75 63 jnz short HM.05392C28 ; was the OK button clicked?
05392BC5 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
05392BC9 |. 51 push ecx
05392BCA |. 8D4C24 3C lea ecx,dword ptr ss:[esp+0x3C]
05392BCE |. E8 FDE70000 call HM.004123D0 ; registration algorithm
05392BD3 |. 8B4424 14 mov eax,dword ptr ss:[esp+0x14]
05392BD7 |. 8D5424 1C lea edx,dword ptr ss:[esp+0x1C]
05392BDB |. 52 push edx
05392BDC |. 68 54C04100 push HM.0041C054 ; |format = "%ld"
05392BE1 |. 50 push eax ; |s
05392BE2 |. FF15 F0744100 call dword ptr ds:[<&MSVCRT.sscanf>] ; \sscanf
05392BE8 |. 8B4424 28 mov eax,dword ptr ss:[esp+0x28]
05392BEC |. 83C4 0C add esp,0xC
05392BEF |. 3BC6 cmp eax,esi
05392BF1 |. 75 25 jnz short HM.05392C18
05392BF3 |. 8D4C24 28 lea ecx,dword ptr ss:[esp+0x28]
05392BF7 |. 6A 04 push 0x4 ; /BufSize = 4
05392BF9 |. 51 push ecx ; |Buffer
05392BFA |. 6A 04 push 0x4 ; |ValueType = REG_DWORD
05392BFC |. 55 push ebp ; |Reserved
05392BFD |. 68 58C04100 push HM.0041C058 ; |ValueName = "HMCode"
05392C02 |. 57 push edi ; |hKey
05392C03 |. 897424 40 mov dword ptr ss:[esp+0x40],esi ; |
05392C07 |. FF15 90704100 call dword ptr ds:[<&ADVAPI32.RegSetValu>; \RegSetValueExA
It is obvious at a glance that the program keeps its registration state in the registry, which makes things very simple: one could go straight for the registry. Reading the listing in order: once DoModal returns 1 (OK clicked), the call to 004123D0 fills in the string at [esp+0x14], sscanf parses that string with "%ld" into [esp+0x1C], and the result is compared against esi at 05392BEF. On a mismatch the jnz at 05392BF1 takes the failure path, which fits what happened with 51crack (%ld reads the leading "51" and stops at the first letter, so 51 is what gets compared). On a match, esi itself is written as the REG_DWORD value HMCode under the key handle in edi (the mov dword ptr [esp+0x40],esi fills the 4-byte buffer), so the registration code is a plain decimal number and what lands in the registry is the expected value, not the typed text. Here I will take an even more direct approach. Just above the code that pops up the registration dialog is the key code:
05392B2E |> \8D4C24 28 lea ecx,dword ptr ss:[esp+0x28]
05392B32 |. 8D5424 10 lea edx,dword ptr ss:[esp+0x10]
05392B36 |. 51 push ecx ; /pDisposition
05392B37 |. 52 push edx ; |pHandle
05392B38 |. 55 push ebp ; |pSecurity
05392B39 |. 68 3F000F00 push 0xF003F ; |Access = KEY_ALL_ACCESS
05392B3E |. 55 push ebp ; |Options
05392B3F |. 55 push ebp ; |Class
05392B40 |. 55 push ebp ; |Reserved
05392B41 |. 68 64C04100 push HM.0041C064 ; |Subkey = "Software\HM2004"
05392B46 |. 68 02000080 push 0x80000002 ; |hKey = HKEY_LOCAL_MACHINE
05392B4B |. 896C24 34 mov dword ptr ss:[esp+0x34],ebp ; |
05392B4F |. FF15 88704100 call dword ptr ds:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA
05392B55 |. 3BC5 cmp eax,ebp
05392B57 |. 0F85 68010000 jnz HM.05392CC5
05392B5D |. 8B7C24 10 mov edi,dword ptr ss:[esp+0x10]
05392B61 |> 8D4424 1C lea eax,dword ptr ss:[esp+0x1C]
05392B65 |. 8D4C24 2C lea ecx,dword ptr ss:[esp+0x2C]
05392B69 |. 50 push eax ; /pBufSize
05392B6A |. 8D5424 18 lea edx,dword ptr ss:[esp+0x18] ; |
05392B6E |. 51 push ecx ; |Buffer
05392B6F |. 52 push edx ; |pValueType
05392B70 |. 55 push ebp ; |Reserved
05392B71 |. 68 58C04100 push HM.0041C058 ; |ValueName = "HMCode"
05392B76 |. 57 push edi ; |hKey
05392B77 |. 897C24 38 mov dword ptr ss:[esp+0x38],edi ; |
05392B7B |. 33DB xor ebx,ebx ; |
05392B7D |. 896C24 2C mov dword ptr ss:[esp+0x2C],ebp ; |
05392B81 |. C74424 34 040>mov dword ptr ss:[esp+0x34],0x4 ; |
05392B89 |. FF15 8C704100 call dword ptr ds:[<&ADVAPI32.RegQueryVa>; \RegQueryValueExA
05392B8F |. 3BC5 cmp eax,ebp
05392B91 0F84 1D010000 je HM.05392CB4 ; the key point of the crack: patch this instruction
05392B97 |. 55 push ebp
05392B98 |. 8D4C24 3C lea ecx,dword ptr ss:[esp+0x3C]
05392B9C |. E8 3FE70000 call HM.004122E0
05392BA1 |. 8D4424 18 lea eax,dword ptr ss:[esp+0x18]
05392BA5 |. 8D4C24 38 lea ecx,dword ptr ss:[esp+0x38]
05392BA9 |. 50 push eax
05392BAA |. C68424 AC0000>mov byte ptr ss:[esp+0xAC],0x3
05392BB2 |. E8 39E80000 call HM.004123F0 ; pops up the registration window
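Putting the two listings together, here is the check as reconstructed from them, as an added example (my own Python model, not code from the program or from the original post). It assumes a dict standing in for the key HKLM\Software\HM2004, that esi holds the code the program derives from the machine code (computed by code not shown above), and that the 05392CB4 path taken when HMCode already exists does not re-check the stored value, which is what the one-instruction patch working implies.

```python
import re

REG_DWORD = 4  # ValueType pushed at 05392BFA


def c_sscanf_ld(text):
    """Mimic sscanf(text, "%ld", &v): skip leading whitespace, accept an
    optional sign and decimal digits, stop at the first non-digit.
    Returns (converted_count, value); value is None when nothing converted."""
    m = re.match(r"\s*([+-]?\d+)", text)
    if not m:
        return 0, None
    return 1, int(m.group(1))


def check_registration(registry, expected_code, user_input):
    """Model of 05392B61 .. 05392C07 (constructed, not the program's code).

    registry      - dict standing in for the key HKLM\\Software\\HM2004
    expected_code - the value in esi (computed earlier from the machine code)
    user_input    - text typed into the dialog, or None if OK was not clicked
    Returns 'registered', 'cancelled' or 'rejected'.
    """
    # RegQueryValueExA(hKey, "HMCode", ...) returns 0 -> je 05392CB4:
    # the dialog is skipped. Assumption: that path does not re-check the value.
    if "HMCode" in registry:
        return "registered"
    # CDialog::DoModal() != 1 -> jnz 05392C28
    if user_input is None:
        return "cancelled"
    # sscanf(text, "%ld", &value); cmp eax, esi; jnz 05392C18
    count, value = c_sscanf_ld(user_input)
    # On a failed conversion the binary compares whatever stale dword sits at
    # [esp+0x1C]; that case is not on the page and is treated as a rejection.
    if count != 1 or value != expected_code:
        return "rejected"
    # RegSetValueExA(hKey, "HMCode", 0, REG_DWORD, &esi, 4): the expected
    # value itself is stored, not the typed text.
    registry["HMCode"] = (REG_DWORD, expected_code & 0xFFFFFFFF)
    return "registered"
```

The model makes the weak point visible: the dialog is only reached when the HMCode query fails, so the existence of the value, not its content, is what the je at 05392B91 decides on.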
Having found the key code right before the registration window is popped up, a single-instruction patch is all it takes: turning the je at 05392B91 into an unconditional jmp to 05392CB4 sends the program down the "HMCode present" path whether or not the value exists, so the registration prompt never appears again and the program can be used directly. Green and eco-friendly!!! One caveat: the key is opened with RegCreateKeyExA under HKEY_LOCAL_MACHINE with KEY_ALL_ACCESS, and a non-zero return there (for example insufficient rights to HKLM) jumps to 05392CC5 before the patched instruction is ever reached, so the patch only helps when that call succeeds.
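The patch itself, as an added example (not from the original post): a script that decodes the je at 05392B91 from the bytes shown in the listing, converts it into an unconditional jump to the same target and checks the result. The addresses and bytes are the ones above; the instruction encodings are standard x86 and carry no assumption about the program.

```python
import struct

# x86 encodings used here:
#   0F 84 rel32 : je  near, 6 bytes
#   E9 rel32    : jmp near, 5 bytes
#   90          : nop
# rel32 is signed and relative to the address of the following instruction.

JE_ADDR = 0x05392B91                       # address from the OD listing
JE_BYTES = bytes.fromhex("0F841D010000")   # "0F84 1D010000" as shown by OD


def branch_target(addr, insn):
    """Destination of a near je/jmp with a rel32 operand at address addr,
    or None if insn is neither."""
    if insn[:2] == b"\x0f\x84" and len(insn) == 6:
        rel = struct.unpack("<i", insn[2:6])[0]
        return addr + 6 + rel
    if insn[:1] == b"\xe9" and len(insn) == 5:
        rel = struct.unpack("<i", insn[1:5])[0]
        return addr + 5 + rel
    return None


def je_to_jmp(addr, insn):
    """Rewrite a 6-byte `je rel32` as `nop; jmp rel32` (still 6 bytes).
    The nop moves the jmp one byte later and the jmp is one byte shorter,
    so the following-instruction address, and hence rel32, is unchanged:
    only the two opcode bytes 0F 84 become 90 E9."""
    if insn[:2] != b"\x0f\x84" or len(insn) != 6:
        raise ValueError("not a je rel32")
    patched = b"\x90\xe9" + insn[2:6]
    # the jmp now sits at addr+1; it must land exactly where the je did
    assert branch_target(addr + 1, patched[1:]) == branch_target(addr, insn)
    return patched


def je_to_jmp_alt(addr, insn):
    """Alternative layout `jmp rel32; nop`: the jmp keeps the je's address,
    so the displacement has to be recomputed against addr+5."""
    target = branch_target(addr, insn)
    if target is None:
        raise ValueError("not a je rel32")
    rel = target - (addr + 5)
    return b"\xe9" + struct.pack("<i", rel) + b"\x90"
```

In OD the same effect is obtained by assembling jmp 05392CB4 over the je and saving the change with "Copy to executable"; the script only shows why the two-byte 90 E9 rewrite leaves the displacement 1D010000 untouched, which is handy when patching with a hex editor that knows the file offset.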

