

(出处:飓风网络)

LeapFTP 2.7.3.600
日期:2004年10月15日 作者:蓝点 人气: 查看:[大字体 中字体 小字体]
破解目标:LeapFTP 2.7.3.600
官方主页:http://www.leapware.com/download.html
软件简介:ftp下載軟件。
下载地址:ftp://ftp.leapware.com/pub/lftp273.exe

使用工具:W32Dasm、Ollydbg、Windows 自带的计算器

這個程序用fi2.5檢測無殼,用W32Dasm,找到“感謝註冊”:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487B6C(C)
|
:00487B7C 8B83F0020000            mov eax, dword ptr [ebx+000002F0]
:00487B82 50                      push eax
:00487B83 8D55F4                  lea edx, dword ptr [ebp-0C]
:00487B86 8B83D0020000            mov eax, dword ptr [ebx+000002D0]
:00487B8C E833C0FAFF              call 00433BC4
:00487B91 8B55F4                  mov edx, dword ptr [ebp-0C]
:00487B94 8B4DFC                  mov ecx, dword ptr [ebp-04]
:00487B97 8BC3                    mov eax, ebx
:00487B99 E8BA010000              call 00487D58  //註冊碼就在裏靣算出
:00487B9E 84C0                    test al, al    //測試AL
:00487BA0 7462                    je 00487C04    //為0就去死

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487B7A(C)
|
:00487BA2 8D55F0                  lea edx, dword ptr [ebp-10]
:00487BA5 8B83E4020000            mov eax, dword ptr [ebx+000002E4]
:00487BAB E814C0FAFF              call 00433BC4
:00487BB0 8B45F0                  mov eax, dword ptr [ebp-10]
:00487BB3 50                      push eax
:00487BB4 8D55EC                  lea edx, dword ptr [ebp-14]
:00487BB7 8B83D0020000            mov eax, dword ptr [ebx+000002D0]
:00487BBD E802C0FAFF              call 00433BC4
:00487BC2 8B4DEC                  mov ecx, dword ptr [ebp-14]
:00487BC5 8B93EC020000            mov edx, dword ptr [ebx+000002EC]
:00487BCB 8BC3                    mov eax, ebx
:00487BCD E8AE040000              call 00488080

* Possible StringData Ref from Code Obj ->"感谢你的注册!"
                                  |
:00487BD2 B8507C4800              mov eax, 00487C50
:00487BD7 E8542FFDFF              call 0045AB30
:00487BDC C7833402000001000000    mov dword ptr [ebx+00000234], 00000001
:00487BE6 8D55E8                  lea edx, dword ptr [ebp-18]
:00487BE9 8B83D0020000            mov eax, dword ptr [ebx+000002D0]
:00487BEF E8D0BFFAFF              call 00433BC4
:00487BF4 8B55E8                  mov edx, dword ptr [ebp-18]
:00487BF7 8D83E8020000            lea eax, dword ptr [ebx+000002E8]
:00487BFD E846C1F7FF              call 00403D48
:00487C02 EB15                    jmp 00487C19

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487BA0(C)
|
:00487C04 6A00                    push 00000000
:00487C06 668B0D6C7C4800          mov cx, word ptr [00487C6C]
:00487C0D B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"你输入的许可密匙是不正确的. 要确保准确, "
                                        ->"你应该直接总你的购买确认 E-Mail "
                                        ->"中复制并粘贴序列号. 如果你继续操作后碰到麻烦, "
                                        ->"请联系support@leapware.com."
                                  |
:00487C0F B8787C4800              mov eax, 00487C78
:00487C14 E81F2EFDFF              call 0045AA38

****************************************************************


用Ollydbg加載LeapFTP.exe,運行,填上用戶名:henhao 註冊碼:78787878(隨便亂填)
在Ollydbg裏面00487B99処F2下斷,點軟件的"確定"註冊!
程序停在00487B99処,F7進去,我是個菜鳥,進去后,就感到頭開始慢慢的變大~~~~~


00487D58  /$ 55            PUSH EBP
00487D59  |. 8BEC          MOV EBP,ESP
00487D5B  |. 83C4 DC        ADD ESP,-24
00487D5E  |. 53            PUSH EBX
00487D5F  |. 33DB          XOR EBX,EBX
00487D61  |. 895D DC        MOV DWORD PTR SS:[EBP-24],EBX
00487D64  |. 895D E0        MOV DWORD PTR SS:[EBP-20],EBX
00487D67  |. 895D EC        MOV DWORD PTR SS:[EBP-14],EBX
00487D6A  |. 894D F8        MOV DWORD PTR SS:[EBP-8],ECX
00487D6D  |. 8955 FC        MOV DWORD PTR SS:[EBP-4],EDX
00487D70  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
00487D73  |. E8 B0C3F7FF    CALL LeapFTP.00404128
00487D78  |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
00487D7B  |. E8 A8C3F7FF    CALL LeapFTP.00404128
00487D80  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
00487D83  |. E8 A0C3F7FF    CALL LeapFTP.00404128
00487D88  |. 33C0          XOR EAX,EAX
00487D8A  |. 55            PUSH EBP
00487D8B  |. 68 BB7E4800    PUSH LeapFTP.00487EBB
00487D90  |. 64:FF30        PUSH DWORD PTR FS:[EAX]
00487D93  |. 64:8920        MOV DWORD PTR FS:[EAX],ESP
00487D96  |. 33C0          XOR EAX,EAX
00487D98  |. 8945 F0        MOV DWORD PTR SS:[EBP-10],EAX
00487D9B  |. 8945 F4        MOV DWORD PTR SS:[EBP-C],EAX
00487D9E  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
00487DA1  |. E8 CEC1F7FF    CALL LeapFTP.00403F74              //計算註冊名位數
00487DA6  |. 8BD0          MOV EDX,EAX                        //位數edx
00487DA8  |. 85D2          TEST EDX,EDX                        //測試註冊名是否為0
00487DAA  |. 7E 33          JLE SHORT LeapFTP.00487DDF          //為0就跳
00487DAC  |. B8 01000000    MOV EAX,1  
===================開始計算======================                  
00487DB1  |> 8B4D FC        /MOV ECX,DWORD PTR SS:[EBP-4]      //取註冊名
00487DB4  |. 0FB64C01 FF    |MOVZX ECX,BYTE PTR DS:[ECX+EAX-1]  //逐位取注册名字符的 ASCII 值,这里以第一次计算为例,字符"h",ASCII 值 68
00487DB9  |. 0FAFC8        |IMUL ECX,EAX                      //ECX*EAX 乘以儅前位數,儅前是第一位,再乘以整數10。就是68*1*10=680,(若儅前註冊名的ASCII是第二位數,就是68*2*10)
00487DBC  |. 8BD9          |MOV EBX,ECX                        //ECX*EAX計算結果入ebx
00487DBE  |. C1E1 04        |SHL ECX,4                          //
00487DC1  |. 2BCB          |SUB ECX,EBX                        //減法ecx-ebx
00487DC3  |. 894D E8        |MOV DWORD PTR SS:[EBP-18],ECX      //計算結果入ecx
00487DC6  |. DB45 E8        |FILD DWORD PTR SS:[EBP-18]        //將計算結果十進製裝到st(0)
00487DC9  |. DC45 F0        |FADD QWORD PTR SS:[EBP-10]        //纍加以後裝到ST(0)
00487DCC  |. 8D0C80        |LEA ECX,DWORD PTR DS:[EAX+EAX*4]  //計算eax+eax*4,比如儅前是註冊名ASCII第一位數,計算方式就是:1+1*4,如果儅前是註冊名ASCII第二位,計算方式為:2+2*4,以此類推
00487DCF  |. 894D E4        |MOV DWORD PTR SS:[EBP-1C],ECX //結果入ecx
00487DD2  |. DB45 E4        |FILD DWORD PTR SS:[EBP-1C]        //將ecx的值十進製裝入st(0)
00487DD5  |. DEC1          |FADDP ST(1),ST                    //ST(0),ST(1)在這裏纍加
00487DD7  |. DD5D F0        |FSTP QWORD PTR SS:[EBP-10]        //保存,執行一次出棧
00487DDA  |. 9B            |WAIT
00487DDB  |. 40            |INC EAX  計數器加1
00487DDC  |. 4A            |DEC EDX
00487DDD  |.^75 D2          \JNZ SHORT LeapFTP.00487DB1        //根據註冊名ASCII個數循環

  我輸入的註冊名:henhao
  h 68*1*10-68*1+(1+1*4)=61D  
  e 65*2*10-65*2+(2+2*4)=BE0
  n 6E*3*10-6E*3+(3+3*4)=1365
  h 68*4*10-68*4+(4+4*4)=1874
  a 61*5*10-61*5+(5+5*4)=1c84
  o 6F*6*10-6F*6+(6+6*4)=2724
                        +
--------------------------------
                        =817E 十進製轉換=33150  
====================================================================
00487DDF  |> 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]      //取eax的值214065(一組固定註冊碼)
00487DE2  |. E8 BD0FF8FF    CALL LeapFTP.00408DA4              //轉換成16進製
00487DE7  |. 8945 E8        MOV DWORD PTR SS:[EBP-18],EAX      //送到eax
00487DEA  |. DB45 E8        FILD DWORD PTR SS:[EBP-18]        //裝入
00487DED  |. DD45 F0        FLD QWORD PTR SS:[EBP-10]          //裝入上靣循環計算的結果(33150)
00487DF0  |. DC4D F0        FMUL QWORD PTR SS:[EBP-10]        //[EBP-10]*[EBP-10]就是33150*33150
00487DF3  |. DEC1          FADDP ST(1),ST //st(0)+st(1)
00487DF5  |. DD5D F0        FSTP QWORD PTR SS:[EBP-10]        //裝入,然後再執行一次出棧

這裏的算法:
  33150*33150+214065=1099136565

====================================================================
00487DF8  |. 9B            WAIT
00487DF9  |. DD45 F0        FLD QWORD PTR SS:[EBP-10]
00487DFC  |. 83C4 F4        ADD ESP,-0C
00487DFF  |. DB3C24        FSTP TBYTE PTR SS:[ESP]                  ; |
00487E02  |. 9B            WAIT                                    ; |
00487E03  |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]            ; |
00487E06  |. E8 C51EF8FF    CALL LeapFTP.00409CD0                    ; \LeapFTP.00409CD0
00487E0B  |. 8D45 E0        LEA EAX,DWORD PTR SS:[EBP-20]
00487E0E  |. 50            PUSH EAX
00487E0F  |. 8B55 F8        MOV EDX,DWORD PTR SS:[EBP-8]
00487E12  |. B8 D47E4800    MOV EAX,LeapFTP.00487ED4
00487E17  |. E8 44C4F7FF    CALL LeapFTP.00404260              //這裏処理註冊碼為214065-XXXXXXXXXXXX形式
00487E1C  |. 8BC8          MOV ECX,EAX
00487E1E  |. 49            DEC ECX
00487E1F  |. BA 01000000    MOV EDX,1
00487E24  |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
00487E27  |. E8 50C3F7FF    CALL LeapFTP.0040417C
............
.........
00487EB2  |. 8D45 08        LEA EAX,DWORD PTR SS:[EBP+8]
00487EB5  |. E8 3ABEF7FF    CALL LeapFTP.00403CF4
00487EBA  \. C3            RETN
00487EBB  .^E9 CCB8F7FF    JMP LeapFTP.0040378C
00487EC0  .^EB CE          JMP SHORT LeapFTP.00487E90
00487EC2  . 8BC3          MOV EAX,EBX
00487EC4  . 5B            POP EBX
00487EC5  . 8BE5          MOV ESP,EBP
00487EC7  . 5D            POP EBP
00487EC8  . C2 0400        RETN 4                  //返囘

---------------------------------------------------------------------
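通過我輸入的註冊名henhao經過計算就得到了我的註冊碼:214065-1099136565
從上面的流程看,整個校驗都在本地程序內完成,註冊碼後半段只是由用戶名和前綴數字經固定算術得出,其中不含任何只有廠商才掌握的秘密;從防護設計的角度,授權校驗應改用非對稱簽名(程序內只保留公鑰)或服務端驗證,才不會被這類靜態加動態分析直接還原。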
---------------------------------------------------------------------

【注册信息保存】:
HKEY_CURRENT_USER\Software\LeapWare\Registry\LeapFTP
UserKey    214065-1099136565
UserName  henhao
刪除這個,可以重新註冊!

----------------------------------------------------------------------
我想學習註冊機的製作,哪位老師能不能教教我這個怎麽用keymake製作註冊機,謝謝!!!
第一次寫的破文,望指正!!!
----------------------------------------------------------------------

                                                    好好學習