自己把CHMFactory注册

继续没工作……

在csdn论坛上有人推销自己的程序:CHMFactory ,说句实话真的不怎么样……还是QUICKCHM好!

差归差但是要注册,脱壳后反汇编看一下:很简单……直接爆破,注册成功。重启程序后却恢复成老样子,看来作者有所防范。只好老老实实看汇编代码

用OllyDbg打开程序,下断点 bp GetDlgItemTextA ,一阵ALT+F9,看见一个CALL 竟然带这两个参数,一个是序列号,另一个是我输入的错误注册码……哭,竟然作者这样写……

code:

;Author's note: two parameters - the generated serial number and the registration code entered by the user.
;NOTE(review): operand separators were lost when this listing was extracted; e.g. "xor eaxeax"
;(bytes 33C0) reads "xor eax, eax". The opcode bytes in the second column are intact.
;Overview, as far as this listing shows: the string at the first stack argument is copied into a
;zeroed 0x800-byte local buffer, a 62-character table is built, and one table character per input
;byte is written to the buffer addressed by the second stack argument. The routine ends with
;"ret 0008", i.e. the callee removes both arguments.
;NOTE(review): inside this routine the second argument is only written to, never read, so it
;behaves as an output buffer here - confirm against the two call sites.
* Referenced by a CALL at Addresses:
|:0040CD63   , :0040D390   
|
;Reserve 0x808 bytes of locals and zero the 0x800-byte buffer (0x200 dwords via rep stosd).
;edx (taken before the pushes) and edi (taken after them) both address that buffer.
:00426370 81EC08080000            sub esp, 00000808
:00426376 B900020000              mov ecx, 00000200
:0042637B 33C0                    xor eaxeax
:0042637D 8D542408                lea edxdword ptr [esp+08]
:00426381 53                      push ebx
:00426382 56                      push esi
:00426383 57                      push edi
:00426384 8D7C2414                lea edidword ptr [esp+14]
:00426388 F3                      repz
:00426389 AB                      stosd
;edi = first stack argument; the or/repnz scasb/not sequence leaves ecx = its length including the NUL.
:0042638A 8BBC2418080000          mov edidword ptr [esp+00000818]
:00426391 83C9FF                  or ecx, FFFFFFFF
:00426394 F2                      repnz
:00426395 AE                      scasb
:00426396 F7D1                    not ecx
:00426398 2BF9                    sub ediecx
;0x3F is pushed here as the argument of the call at 004263AE.
:0042639A 6A3F                    push 0000003F
;Copy ecx bytes (dwords first, then the 0-3 remaining bytes) from the argument into the local buffer.
;NOTE(review): the copy length comes from the source string alone; no check against the 0x800-byte
;destination is visible in this routine - presumably the caller bounds the string; confirm.
:0042639C 8BC1                    mov eaxecx
:0042639E 8BF7                    mov esiedi
:004263A0 8BFA                    mov ediedx
:004263A2 C1E902                  shr ecx, 02
:004263A5 F3                      repz
:004263A6 A5                      movsd
:004263A7 8BC8                    mov ecxeax
:004263A9 83E103                  and ecx, 00000003
:004263AC F3                      repz
:004263AD A4                      movsb

;NOTE(review): the disassembler labels this import RectVisible, but the usage (one argument 0x3F,
;result kept in ebx and used as the table pointer) looks like an allocation; ordinal 0337h (823)
;of MFC42 is commonly operator new - confirm.
* Reference To: MFC42.RectVisible, Ord:0337h
                                  |
:004263AE E87F8EFFFF              Call 0041F232
:004263B3 8BD8                    mov ebxeax
:004263B5 83C404                  add esp, 00000004
;A zero result skips straight to the epilogue at 0042649A (ebp has not been pushed yet on that path).
:004263B8 85DB                    test ebxebx
:004263BA 0F84DA000000            je 0042649A
:004263C0 33C0                    xor eaxeax

;Build the table: "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
;Indices 0x00-0x09: index + 0x30.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004263CE(C)
|
:004263C2 8AC8                    mov clal
:004263C4 80C130                  add cl, 30
:004263C7 880C03                  mov byte ptr [ebx+eax], cl
:004263CA 40                      inc eax
:004263CB 83F80A                  cmp eax, 0000000A
:004263CE 7CF2                    jl 004263C2
:004263D0 B80A000000              mov eax, 0000000A

;Indices 0x0A-0x23: index + 0x37.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004263E1(C)
|
:004263D5 8AD0                    mov dlal
:004263D7 80C237                  add dl, 37
:004263DA 881403                  mov byte ptr [ebx+eax], dl
:004263DD 40                      inc eax
:004263DE 83F824                  cmp eax, 00000024
:004263E1 7CF2                    jl 004263D5
:004263E3 B824000000              mov eax, 00000024

;Indices 0x24-0x3D: index + 0x3D; the table is then NUL-terminated at index 0x3E.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004263F4(C)
|
:004263E8 8AC8                    mov clal
:004263EA 80C13D                  add cl, 3D
:004263ED 880C03                  mov byte ptr [ebx+eax], cl
:004263F0 40                      inc eax
:004263F1 83F83E                  cmp eax, 0000003E
:004263F4 7CF2                    jl 004263E8
:004263F6 C6040300                mov byte ptr [ebx+eax], 00
;Measure the copied string in the local buffer; after "dec ecx" ecx = length without the NUL.
;ebp is saved and then zeroed to serve as the accumulator of the first loop.
:004263FA 8D7C2414                lea edidword ptr [esp+14]
:004263FE 83C9FF                  or ecx, FFFFFFFF
:00426401 33C0                    xor eaxeax
:00426403 F2                      repnz
:00426404 AE                      scasb
:00426405 F7D1                    not ecx
:00426407 55                      push ebp
:00426408 49                      dec ecx
:00426409 33ED                    xor ebpebp
:0042640B 85C9                    test ecxecx
:0042640D 7E2E                    jle 0042643D

;esi starts at 5 and the saved pointer is (buffer - 5), so [eax+esi] walks the buffer from its
;first byte while esi doubles as the per-character multiplier.
* Possible Reference to Dialog: DialogID_008F, CONTROL_ID:0005, ""
                                  |
:0042640F BE05000000              mov esi, 00000005        ;esi=5, used rather loosely...
:00426414 8D442418                lea eaxdword ptr [esp+18]
:00426418 2BC6                    sub eaxesi
:0042641A 89442410                mov dword ptr [esp+10], eax
:0042641E EB04                    jmp 00426424

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042643B(C)
|
:00426420 8B442410                mov eaxdword ptr [esp+10]

;The key part starts here!
;Compute EBP
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042641E(U)
|
:00426424 0FBE0430                movsx eaxbyte ptr [eax+esi]        ;first character
:00426428 0FAFC6                  imul eaxesi        ;*5
:0042642B 99                      cdq        ;edx:eax <-- eax
:0042642C BF3E000000              mov edi, 0000003E
:00426431 F7FF                    idiv edi        ;eax mod 3e
:00426433 03EA                    add ebpedx        ;ebp = ebp (initially 0) + edx
:00426435 46                      inc esi
:00426436 8D56FB                  lea edxdword ptr [esi-05]        ;next character
:00426439 3BD1                    cmp edxecx
:0042643B 7CE3                    jl 00426420

;eax is zeroed so that, when the length is not positive, the terminator below lands at offset 0.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042640D(C)
|
:0042643D 33C0                    xor eaxeax
:0042643F 85C9                    test ecxecx
:00426441 7E42                    jle 00426485

;Same (buffer - 5) / esi = 5 setup as the first loop; the length is stored twice:
;[esp+10] is the down-counter, [esp+14] keeps the length for the terminator write.
* Possible Reference to Dialog: DialogID_008F, CONTROL_ID:0005, ""
                                  |
:00426443 BE05000000              mov esi, 00000005
:00426448 8D7C2418                lea edidword ptr [esp+18]
:0042644C 2BFE                    sub ediesi
:0042644E 894C2410                mov dword ptr [esp+10], ecx
:00426452 894C2414                mov dword ptr [esp+14], ecx
;Registration code generation
;NOTE(review): each derived character is stored through the pointer loaded from [esp+00000820]
;(the second stack argument); no bound on that destination is visible in this routine.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042647F(C)
|
:00426456 0FBE043E                movsx eaxbyte ptr [esi+edi]        ;very similar to the loop above...
:0042645A 0FAFC6                  imul eaxesi
:0042645D 03C5                    add eaxebp        ;add the EBP computed above
:0042645F B93E000000              mov ecx, 0000003E
:00426464 99                      cdq
:00426465 F7F9                    idiv ecx
:00426467 8B842420080000          mov eaxdword ptr [esp+00000820]
:0042646E 46                      inc esi
:0042646F 8A141A                  mov dlbyte ptr [edx+ebx]        ;table lookup; the first character of the registration code appears
:00426472 885430FA                mov byte ptr [eax+esi-06], dl        ;DL holds the real registration-code character.
:00426476 8B442410                mov eaxdword ptr [esp+10]
:0042647A 48                      dec eax
:0042647B 89442410                mov dword ptr [esp+10], eax
:0042647F 75D5                    jne 00426456
:00426481 8B442414                mov eaxdword ptr [esp+14]

;NUL-terminate the output at offset eax (the saved length, or 0 on the short path) and pass the
;table pointer in ebx to the call below.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00426441(C)
|
:00426485 8B8C2420080000          mov ecxdword ptr [esp+00000820]
:0042648C 53                      push ebx
:0042648D C6040800                mov byte ptr [eax+ecx], 00

;NOTE(review): labelled RectVisible again; taking the table pointer as its only argument, this is
;presumably the matching release of the table (ordinal 0339h = 825) - confirm.
* Reference To: MFC42.RectVisible, Ord:0339h
                                  |
:00426491 E8D68CFFFF              Call 0041F16C
:00426496 83C404                  add esp, 00000004
:00426499 5D                      pop ebp

;Common epilogue: restore edi/esi/ebx, drop the 0x808 bytes of locals, return popping 8 bytes of arguments.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004263BA(C)
|
:0042649A 5F                      pop edi
:0042649B 5E                      pop esi
:0042649C 5B                      pop ebx
:0042649D 81C408080000            add esp, 00000808
:004264A3 C20800                  ret 0008

最后在堆栈里写着明码注册号,早知道不看算法了(玩笑)。
简单的程序就会有简单的算法:

#include <stdio.h>

/*
 * Outline of the check routine from the listing above, written as C-like
 * pseudo-code. The author states right after this block that it is left
 * non-compilable on purpose, so read it as a sketch of the structure only.
 *
 * Structure shown here: a first pass over the serial string accumulates
 * `basenum`; a second pass uses each serial character together with
 * `basenum` to pick one character from the fixed `key` table.
 *
 * Design note for anyone building a licence check: everything this scheme
 * needs (the table, the arithmetic, the serial) lives in the client binary,
 * and the expected code is produced in the clear before the comparison, so
 * the check keeps no secret from whoever runs the program. Schemes that
 * verify a signature made with a private key that never ships with the
 * product do not have this property.
 */
int fun(char *myser,*my pass)
{
    /* fixed lookup table: digits, upper-case letters, lower-case letters */
    char *key = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    char *val
    int i,basenum;

    /* pass 1: fold every serial character, weighted by (i + 5), into basenum */
    for (i=0;i< lstrlen(myser) ;i++ )
    {
        basenum = basenum + (*(myser + i) * (i + 5)) % 3;
    }

    /* pass 2: one output character per serial character, taken from key */
    for (i=0;i< lstrlen(myser) ;i++ )
    {
        *(val+i) = *(key + (*(myser + i) * (i + 5) + basenum) % 3
    }
    
    return *val;
}

这个注册程序是不能编译出来的(因为错误太多,呵呵,故意的)。大家都要混口饭吃,我现在正在深切地体会混不到饭吃的艰苦……
