软件名称:HotkeyMaster 下载地址:http://www.core-project.com/hotkeymaster/HotkeyMaster.exe 软件介绍:如软件名.今天在ROR论坛看到有网友原创了该软件的使用教程,喈软件如痴的我自然不肯放过.下载回来后发现确实顺手,可需要注册----不爽. 使用工具:FI,W32DASM,OllyDbg 破解过程: 1.使用FI查看软件是否加壳和所使用的编程语言 2.万幸,软件并未加壳 3.运行W32DASM,查找软件注册失败后提示的出错信息. 启动OllyDbg,F3载入Hotkey Master.利用我们在W32DASM中分析找到的关键CALL-004144C1设断. 或者点击鼠标右键"Search for"->"All referenced text strings"查找"The key you entered is not correct."向上查找同样可以找到断点 :004144C1 E83FE7FFFF call 00412C05 ----嗯,就是你了!!!进入分析!! :004144C6 83C410 add esp, 00000010 :004144C9 3BC7 cmp eax, edi :004144CB 7545 jne 00414512 :004144CD 8D85E0FEFFFF lea eax, dword ptr [ebp+FFFFFEE0] :004144D3 50 push eax :004144D4 FF35949E4200 push dword ptr [00429E94] :004144DA FF35809E4200 push dword ptr [00429E80] :004144E0 E835BCFFFF call 0041011A :004144E5 8D45E0 lea eax, dword ptr [ebp-20] :004144E8 50 push eax :004144E9 FF35989E4200 push dword ptr [00429E98] :004144EF FF35809E4200 push dword ptr [00429E80] :004144F5 E820BCFFFF call 0041011A :004144FA 83C418 add esp, 00000018 :004144FD C605F8B4430001 mov byte ptr [0043B4F8], 01 :00414504 56 push esi :00414505 FF35749E4200 push dword ptr [00429E74] * Possible StringData Ref from Data Obj ->"Thank you for registering Hotkey ----注册成功信息 ->"Master." | :0041450B 68849F4200 push 00429F84 :00414510 EB0C jmp 0041451E * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004144CB(C) | :00414512 56 push esi :00414513 FF35749E4200 push dword ptr [00429E74] * Possible StringData Ref from Data Obj ->"The key you entered is not correct." ----这里是出错信息,向上查找关键CALL和跳转 | :00414519 68609F4200 push 00429F60 . . . . (略) . . . . 00412C05 /$ 55 PUSH EBP ----进入004144C1时停在这里 00412C06 |. 8BEC MOV EBP,ESP 00412C08 |. 51 PUSH ECX 00412C09 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] 00412C0C |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0 00412C10 |. E8 BB230000 CALL Hotkey_M.00414FD0 00412C15 |. 33D2 XOR EDX,EDX 00412C17 |. 59 POP ECX 00412C18 |. 85C0 TEST EAX,EAX 00412C1A |. 7E 2E JLE SHORT Hotkey_M.00412C4A 00412C1C |. 53 PUSH EBX 00412C1D |. 56 PUSH ESI 00412C1E |. 57 PUSH EDI 00412C1F |. 8D70 0E LEA ESI,DWORD PTR DS:[EAX+E] EAX=用户名长度 SO ESI=EAX+Eh 00412C22 |> 8B4D 08 /MOV ECX,DWORD PTR SS:[EBP+8] ----从这里开始是注 册算法 00412C25 |. 0FBE0C0A |MOVSX ECX,BYTE PTR DS:[EDX+ECX] ----依次计算用户名 的各个字节ASCII 00412C29 |. 8D79 0B |LEA EDI,DWORD PTR DS:[ECX+B] ----EDI=用户名长度+Bh 00412C2C |. 8D59 03 |LEA EBX,DWORD PTR DS:[ECX+3] ----EBX=用户名长度+3h 00412C2F |. 0FAFFB |IMUL EDI,EBX ----EDI*EBX的值放在 EDI 00412C32 |. 0FAFF9 |IMUL EDI,ECX ----EDI*ECX的值放在 EDI 00412C35 |. 0FAFFE |IMUL EDI,ESI ----EDI*ESI的值放在 EDI 00412C38 |. 8D48 05 |LEA ECX,DWORD PTR DS:[EAX+5] 00412C3B |. 0FAFF9 |IMUL EDI,ECX ----EDI*ECX的值放在 EDI 00412C3E |. 017D FC |ADD DWORD PTR SS:[EBP-4],EDI 00412C41 |. 42 |INC EDX ----EDX+1 00412C42 |. 46 |INC ESI ----ESI+1 00412C43 |. 3BD0 |CMP EDX,EAX ----算完了没有?没有 !那就继续从00412C25开始 00412C45 |.^7C DB \JL SHORT Hotkey_M.00412C22 ----循环计算 00412C47 |. 5F POP EDI 00412C48 |. 5E POP ESI 00412C49 |. 5B POP EBX 00412C4A |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ----这里保存真注册码的十六 进制 00412C4D |. C9 LEAVE 00412C4E \. C3 RETN 4.总结 注册码通过用户名计算,将依次计算的结果相加再转换为十进制: 用户名=N 注册码=S 用户名长度=X 我们假设用户名为wolflh S1=((N1+3h)*(N1+Bh)*N1*(X+5h))*(X+5h) S2=((N1+3h)*(N1+Bh)*N1*(X+5h+1))*(X+5h) S3=((N1+3h)*(N1+Bh)*N1*(X+5h+2))*(X+5h) S4=((N1+3h)*(N1+Bh)*N1*(X+5h+3))*(X+5h) S5=((N1+3h)*(N1+Bh)*N1*(X+5h+4))*(X+5h) S6=((N1+3h)*(N1+Bh)*N1*(X+5h+5))*(X+5h) S=S1+S2+S3+S4+S5+S6 软件注册成功后会在[HKEY_CURRENT_USER\Software\Mario Knok\Hotkey Master]下添加两个键值 Registered Name"="wolflh" Registered Key"="2151786450" 删除这两个键值,又变成未注册版. 恕小子我刚加入"风飘雪",很少写过破文.对汇编知识和语言的谁知几乎为零,所以大部分算法都是自己乱猜的.分析如有错误,欢迎指出.
