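Defeating a Registration-Code-Protected Program in Seconds: The Full Process

This software uses a registration code. After reinstalling my system I had to register it all over again, which is a hassle, so I decided to deal with it myself...

Running the trial software pops up a registration dialog showing a machine code; entering the registration code is all it takes.

Test registration: enter the registration code 51crack and click OK. The program exits without any message.

Load the program in OD, press F9 to run it, and locate the code that pops up the dialog: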

05392B98  |.  8D4C24 3C     lea ecx,dword ptr ss:[esp+0x3C]
05392B9C  |.  E8 3FE70000   call HM.004122E0
05392BA1  |.  8D4424 18     lea eax,dword ptr ss:[esp+0x18]
05392BA5  |.  8D4C24 38     lea ecx,dword ptr ss:[esp+0x38]
05392BA9  |.  50            push eax
05392BAA  |.  C68424 AC0000>mov byte ptr ss:[esp+0xAC],0x3
05392BB2  |.  E8 39E80000   call HM.004123F0                         ;  show the registration window
05392BB7  |.  8D4C24 38     lea ecx,dword ptr ss:[esp+0x38]
05392BBB  |.  E8 620D0100   call <jmp.&MFC42.#CDialog::DoModal_2514>
05392BC0  |.  83F8 01       cmp eax,0x1
05392BC3  |.  75 63         jnz short HM.05392C28                    ;  was the OK button clicked?
05392BC5  |.  8D4C24 14     lea ecx,dword ptr ss:[esp+0x14]
05392BC9  |.  51            push ecx
05392BCA  |.  8D4C24 3C     lea ecx,dword ptr ss:[esp+0x3C]
05392BCE  |.  E8 FDE70000   call HM.004123D0                         ;  registration algorithm
05392BD3  |.  8B4424 14     mov eax,dword ptr ss:[esp+0x14]
05392BD7  |.  8D5424 1C     lea edx,dword ptr ss:[esp+0x1C]
05392BDB  |.  52            push edx
05392BDC  |.  68 54C04100   push HM.0041C054                         ; |format = "%ld"
05392BE1  |.  50            push eax                                 ; |s
05392BE2  |.  FF15 F0744100 call dword ptr ds:[<&MSVCRT.sscanf>]     ; \sscanf
05392BE8  |.  8B4424 28     mov eax,dword ptr ss:[esp+0x28]
05392BEC  |.  83C4 0C       add esp,0xC
05392BEF  |.  3BC6          cmp eax,esi
05392BF1  |.  75 25         jnz short HM.05392C18
05392BF3  |.  8D4C24 28     lea ecx,dword ptr ss:[esp+0x28]
05392BF7  |.  6A 04         push 0x4                                 ; /BufSize = 4
05392BF9  |.  51            push ecx                                 ; |Buffer
05392BFA  |.  6A 04         push 0x4                                 ; |ValueType = REG_DWORD
05392BFC  |.  55            push ebp                                 ; |Reserved
05392BFD  |.  68 58C04100   push HM.0041C058                         ; |ValueName = "HMCode"
05392C02  |.  57            push edi                                 ; |hKey
05392C03  |.  897424 40     mov dword ptr ss:[esp+0x40],esi          ; |
05392C07  |.  FF15 90704100 call dword ptr ds:[<&ADVAPI32.RegSetValu>; \RegSetValueExA

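It is obvious at a glance that the software stores its registration code in the registry, which makes things very simple: the registry itself could be the target. Here I take an even more direct approach and look for the key code just above the point where the registration dialog is shown: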

05392B2E  |> \8D4C24 28     lea ecx,dword ptr ss:[esp+0x28]
05392B32  |.  8D5424 10     lea edx,dword ptr ss:[esp+0x10]
05392B36  |.  51            push ecx                                 ; /pDisposition
05392B37  |.  52            push edx                                 ; |pHandle
05392B38  |.  55            push ebp                                 ; |pSecurity
05392B39  |.  68 3F000F00   push 0xF003F                             ; |Access = KEY_ALL_ACCESS
05392B3E  |.  55            push ebp                                 ; |Options
05392B3F  |.  55            push ebp                                 ; |Class
05392B40  |.  55            push ebp                                 ; |Reserved
05392B41  |.  68 64C04100   push HM.0041C064                         ; |Subkey = "Software\HM2004"
05392B46  |.  68 02000080   push 0x80000002                          ; |hKey = HKEY_LOCAL_MACHINE
05392B4B  |.  896C24 34     mov dword ptr ss:[esp+0x34],ebp          ; |
05392B4F  |.  FF15 88704100 call dword ptr ds:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA
05392B55  |.  3BC5          cmp eax,ebp
05392B57  |.  0F85 68010000 jnz HM.05392CC5
05392B5D  |.  8B7C24 10     mov edi,dword ptr ss:[esp+0x10]
05392B61  |>  8D4424 1C     lea eax,dword ptr ss:[esp+0x1C]
05392B65  |.  8D4C24 2C     lea ecx,dword ptr ss:[esp+0x2C]
05392B69  |.  50            push eax                                 ; /pBufSize
05392B6A  |.  8D5424 18     lea edx,dword ptr ss:[esp+0x18]          ; |
05392B6E  |.  51            push ecx                                 ; |Buffer
05392B6F  |.  52            push edx                                 ; |pValueType
05392B70  |.  55            push ebp                                 ; |Reserved
05392B71  |.  68 58C04100   push HM.0041C058                         ; |ValueName = "HMCode"
05392B76  |.  57            push edi                                 ; |hKey
05392B77  |.  897C24 38     mov dword ptr ss:[esp+0x38],edi          ; |
05392B7B  |.  33DB          xor ebx,ebx                              ; |
05392B7D  |.  896C24 2C     mov dword ptr ss:[esp+0x2C],ebp          ; |
05392B81  |.  C74424 34 040>mov dword ptr ss:[esp+0x34],0x4          ; |
05392B89  |.  FF15 8C704100 call dword ptr ds:[<&ADVAPI32.RegQueryVa>; \RegQueryValueExA
05392B8F  |.  3BC5          cmp eax,ebp
05392B91      0F84 1D010000 je HM.05392CB4  // key point of the crack: modify the code here
05392B97  |.  55            push ebp
05392B98  |.  8D4C24 3C     lea ecx,dword ptr ss:[esp+0x3C]
05392B9C  |.  E8 3FE70000   call HM.004122E0
05392BA1  |.  8D4424 18     lea eax,dword ptr ss:[esp+0x18]
05392BA5  |.  8D4C24 38     lea ecx,dword ptr ss:[esp+0x38]
05392BA9  |.  50            push eax
05392BAA  |.  C68424 AC0000>mov byte ptr ss:[esp+0xAC],0x3
05392BB2  |.  E8 39E80000   call HM.004123F0                         ;  show the registration window

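With the key code that pops up the registration window located, changing a single instruction is enough: the program no longer shows the registration prompt and can be used directly. Clean and green!!!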
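
Seen from the vendor's side, the start-up listing above branches only on whether RegQueryValueExA succeeded, as far as the visible lines show. The following added example (not from the original post or from the software; the registry value is modelled as a struct, and `expected_code` is a hypothetical placeholder for the routine at HM.004123D0, which the page does not show) contrasts that presence-only test with re-deriving the code from the machine code on every start.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the REG_DWORD value "HMCode" under HKLM\Software\HM2004. */
typedef struct { bool present; uint32_t value; } stored_code;

/* Hypothetical placeholder derivation: the real routine (HM.004123D0)
   is not shown on the page, so a simple string hash stands in for it. */
static uint32_t expected_code(const char *machine_code) {
    uint32_t h = 0;
    for (const char *p = machine_code; *p; ++p)
        h = h * 31u + (unsigned char)*p;
    return h;
}

/* Pattern visible in the listing: a successful read alone skips the dialog. */
static bool check_presence_only(const stored_code *s) {
    return s->present;
}

/* Hardened: the stored value must match this machine's code on every start. */
static bool check_revalidate(const stored_code *s, const char *machine_code) {
    return s->present && s->value == expected_code(machine_code);
}

int main(void) {
    /* Constructed sample data: machine codes and stored values are made up. */
    const char *this_pc = "A1B2", *other_pc = "C3D4";
    const stored_code cases[] = {
        { false, 0 },                        /* never registered            */
        { true, 12345u },                    /* arbitrary value present     */
        { true, expected_code(other_pc) },   /* copied from another machine */
        { true, expected_code(this_pc) },    /* genuine registration        */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; ++i)
        printf("case %zu: presence_only=%d revalidate=%d\n", i,
               check_presence_only(&cases[i]),
               check_revalidate(&cases[i], this_pc));
    return 0;
}
```

Re-validation only closes the stored-value route; a local comparison still ends in a conditional branch, so resisting the binary patch described above requires validation outside the client, such as server-side activation.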
