|
|
KeyGhost V3.2 破解实录
作者:liangs
E-mail:liang_s@263.net
软件名称:KeyGhost V3.2
下载地址:http://sunhy.126.com
使用的工具
W32Dasm V8.93 超级中文版
Trw2000 ver1.22
首先连按两次ALT+F12呼出KeyGhost,在注册框中输入:liangs-787878,为什么是'liangs-787878'
而不是'liangs787878',下面你就知道了。然后下bpx hmemcpy,中断后,首先bd *,去掉所有中断,
再按18次F12。
* Possible StringData Ref from Code Obj ->"请合法使用软件"
|
:00475580 B888564700 mov eax, 00475688
:00475585 E842ADFDFF call 004502CC
:0047558A 837DFC00 cmp dword ptr [ebp-04], 00000000 <---我们停在这;
:0047558E 0F8499000000 je 0047562D
:00475594 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC]
:0047559A 8B55FC mov edx, dword ptr [ebp-04] <---此处edx=liangs-787878;
:0047559D B9FF000000 mov ecx, 000000FF
:004755A2 E881E8F8FF call 00403E28
:004755A7 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC]
:004755AD E8CAC2FFFF call 0047187C <---判断输入的注册码的合法性,此处按F8跟入;
:004755B2 84C0 test al, al
:004755B4 7477 je 0047562D <---注册码错误就跳走;
:004755B6 B201 mov dl, 01
:004755B8 8B8340030000 mov eax, dword ptr [ebx+00000340]
:004755BE E8F570FBFF call 0042C6B8
:004755C3 33D2 xor edx, edx
:004755C5 8B8318030000 mov eax, dword ptr [ebx+00000318]
:004755CB E8E870FBFF call 0042C6B8
:004755D0 B201 mov dl, 01
:004755D2 8B8340040000 mov eax, dword ptr [ebx+00000440]
:004755D8 8B08 mov ecx, dword ptr [eax]
:004755DA FF515C call [ecx+5C]
:004755DD C605D1BA470001 mov byte ptr [0047BAD1], 01
* Possible StringData Ref from Code Obj ->"Code"
|
:004755E4 68A0564700 push 004756A0
:004755E9 8D95E8FEFFFF lea edx, dword ptr [ebp+FFFFFEE8]
:004755EF 8B45FC mov eax, dword ptr [ebp-04]
:004755F2 E84595FEFF call 0045EB3C
:004755F7 8B95E8FEFFFF mov edx, dword ptr [ebp+FFFFFEE8]
:004755FD 8D85ECFEFFFF lea eax, dword ptr [ebp+FFFFFEEC]
:00475603 E8A4F9F8FF call 00404FAC
:00475608 8D85ECFEFFFF lea eax, dword ptr [ebp+FFFFFEEC]
:0047560E 50 push eax
* Possible StringData Ref from Code Obj ->"Software\Sun\Keyghost3xx"
|
:0047560F B9B0564700 mov ecx, 004756B0
:00475614 B202 mov dl, 02
:00475616 8B8310030000 mov eax, dword ptr [ebx+00000310]
:0047561C E85F21FEFF call 00457780
* Possible StringData Ref from Code Obj ->"注册成功!谢谢您的支持!"
|
:00475621 B8D4564700 mov eax, 004756D4 <---注册码正确跳到此处;
:00475626 E885A9FDFF call 0044FFB0
:0047562B EB0A jmp 00475637
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047558E(C), :004755B4(C)
|
* Possible StringData Ref from Code Obj ->"请购买本软件!见右侧注册说明!"
|
:0047562D B8F8564700 mov eax, 004756F8 <---注册码错误跳到此处;
:00475632 E879A9FDFF call 0044FFB0
---------------------------------------------------------------------------
跟入 call 0047187C 中:此Call用来判断输入的注册码的合法性
* Referenced by a CALL at Addresses:
|:004755AD , :00475979
|
:0047187C 55 push ebp
:0047187D 8BEC mov ebp, esp
:0047187F 81C4ECFCFFFF add esp, FFFFFCEC
:00471885 53 push ebx
:00471886 56 push esi
:00471887 57 push edi
:00471888 33D2 xor edx, edx
:0047188A 8995F0FCFFFF mov dword ptr [ebp+FFFFFCF0], edx
:00471890 8995ECFCFFFF mov dword ptr [ebp+FFFFFCEC], edx
:00471896 8995F8FCFFFF mov dword ptr [ebp+FFFFFCF8], edx
:0047189C 8995F4FCFFFF mov dword ptr [ebp+FFFFFCF4], edx
:004718A2 8BF0 mov esi, eax
:004718A4 8DBDFFFEFFFF lea edi, dword ptr [ebp+FFFFFEFF]
:004718AA 33C9 xor ecx, ecx
:004718AC 8A0E mov cl, byte ptr [esi]
:004718AE 41 inc ecx
:004718AF F3 repz
:004718B0 A4 movsb
:004718B1 33C0 xor eax, eax
:004718B3 55 push ebp
:004718B4 68DE194700 push 004719DE
:004718B9 64FF30 push dword ptr fs:[eax]
:004718BC 648920 mov dword ptr fs:[eax], esp
:004718BF C645FF00 mov [ebp-01], 00
:004718C3 8D85F4FCFFFF lea eax, dword ptr [ebp+FFFFFCF4]
:004718C9 8D95FFFEFFFF lea edx, dword ptr [ebp+FFFFFEFF]
:004718CF E81C25F9FF call 00403DF0
:004718D4 8B85F4FCFFFF mov eax, dword ptr [ebp+FFFFFCF4]
:004718DA 8D95F8FCFFFF lea edx, dword ptr [ebp+FFFFFCF8]
:004718E0 E82374F9FF call 00408D08
:004718E5 8B95F8FCFFFF mov edx, dword ptr [ebp+FFFFFCF8]
:004718EB 8D85FFFEFFFF lea eax, dword ptr [ebp+FFFFFEFF]
:004718F1 B9FF000000 mov ecx, 000000FF
:004718F6 E82D25F9FF call 00403E28
:004718FB 33DB xor ebx, ebx
:004718FD C685FFFDFFFF00 mov byte ptr [ebp+FFFFFDFF], 00
:00471904 C685FFFCFFFF00 mov byte ptr [ebp+FFFFFCFF], 00
:0047190B 8D95FFFEFFFF lea edx, dword ptr [ebp+FFFFFEFF]
:00471911 B8F0194700 mov eax, 004719F0
:00471916 E80511F9FF call 00402A20 <---判断输入的注册号是否是xxxx-yyyy的形式;
按F8跟入可知。
:0047191B 8BF0 mov esi, eax
:0047191D 85F6 test esi, esi
:0047191F 0F8E9B000000 jle 004719C0 <---注册号若不是xxxx-yyyy的形式则跳
这里千万不能跳,不然就OVER了。:-)
:00471925 8D85FFFDFFFF lea eax, dword ptr [ebp+FFFFFDFF]
:0047192B 50 push eax
:0047192C 8BCE mov ecx, esi
:0047192E 49 dec ecx
:0047192F BA01000000 mov edx, 00000001
:00471934 8D85FFFEFFFF lea eax, dword ptr [ebp+FFFFFEFF]
:0047193A E8250FF9FF call 00402864
:0047193F 8D85FFFCFFFF lea eax, dword ptr [ebp+FFFFFCFF]
:00471945 50 push eax
:00471946 33C9 xor ecx, ecx
:00471948 8A8DFFFEFFFF mov cl, byte ptr [ebp+FFFFFEFF]
:0047194E 2BCE sub ecx, esi
:00471950 8D5601 lea edx, dword ptr [esi+01]
:00471953 8D85FFFEFFFF lea eax, dword ptr [ebp+FFFFFEFF]
:00471959 E8060FF9FF call 00402864
:0047195E 33D2 xor edx, edx
:00471960 8A95FFFDFFFF mov dl, byte ptr [ebp+FFFFFDFF]
:00471966 85D2 test edx, edx
:00471968 7E16 jle 00471980
:0047196A 8D8500FEFFFF lea eax, dword ptr [ebp+FFFFFE00]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047197E(C)
|
:00471970 33C9 xor ecx, ecx
:00471972 8A08 mov cl, byte ptr [eax]
:00471974 03D9 add ebx, ecx
:00471976 81C3A41D0F00 add ebx, 000F1DA4
:0047197C 40 inc eax
:0047197D 4A dec edx
:0047197E 75F0 jne 00471970
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471968(C)
|
:00471980 8D85F0FCFFFF lea eax, dword ptr [ebp+FFFFFCF0]
:00471986 8D95FFFCFFFF lea edx, dword ptr [ebp+FFFFFCFF]
:0047198C E85F24F9FF call 00403DF0
:00471991 8B85F0FCFFFF mov eax, dword ptr [ebp+FFFFFCF0]
:00471997 50 push eax
:00471998 8D95ECFCFFFF lea edx, dword ptr [ebp+FFFFFCEC]
:0047199E 8BC3 mov eax, ebx
:004719A0 E8E374F9FF call 00408E88 <---用xxxx算出正确的注册码;
执行完上面这条语句后,EDX中就是
正确的注册码,我的是:5944406
:004719A5 8B95ECFCFFFF mov edx, dword ptr [ebp+FFFFFCEC]
:004719AB 58 pop eax
:004719AC E8AB25F9FF call 00403F5C <---判断yyyy与上面用xxxx算出的
注册码是否相等;
:004719B1 750D jne 004719C0 <---不等就跳走;
:004719B3 80BD00FFFFFF61 cmp byte ptr [ebp+FFFFFF00], 61
:004719BA 7204 jb 004719C0
:004719BC C645FF01 mov [ebp-01], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047191F(C), :004719B1(C), :004719BA(C)
|
:004719C0 33C0 xor eax, eax <---可爱的EAX标志被置0,就OVER了
:004719C2 5A pop edx
:004719C3 59 pop ecx
:004719C4 59 pop ecx
:004719C5 648910 mov dword ptr fs:[eax], edx
:004719C8 68E5194700 push 004719E5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004719E3(U)
|
:004719CD 8D85ECFCFFFF lea eax, dword ptr [ebp+FFFFFCEC]
:004719D3 BA04000000 mov edx, 00000004
:004719D8 E81322F9FF call 00403BF0
:004719DD C3 ret
--------------------------------------------------------------------------------
由 call 00402A20 跟入:此Call判断注册码是否为xxxx-yyyy的形式.
:00402A20 53 push ebx
:00402A21 56 push esi
:00402A22 57 push edi
:00402A23 89C6 mov esi, eax
:00402A25 89D7 mov edi, edx
:00402A27 31C9 xor ecx, ecx
:00402A29 8A0F mov cl, byte ptr [edi]
:00402A2B 47 inc edi
:00402A2C 57 push edi
:00402A2D 31D2 xor edx, edx
:00402A2F 8A16 mov dl, byte ptr [esi]
:00402A31 46 inc esi
:00402A32 4A dec edx
:00402A33 781B js 00402A50
:00402A35 8A06 mov al, byte ptr [esi] <---将AL赋值'2D',也就是符号'-';
:00402A37 46 inc esi
:00402A38 29D1 sub ecx, edx
:00402A3A 7E14 jle 00402A50
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402A4E(U)
|
:00402A3C F2 repnz
:00402A3D AE scasb <---循环依次取输入的注册码与AL中的'-'比较
:00402A3E 7510 jne 00402A50 <---注册码中没有'-'符就跳走;
:00402A40 89CB mov ebx, ecx
:00402A42 56 push esi
:00402A43 57 push edi
:00402A44 89D1 mov ecx, edx
:00402A46 F3 repz
:00402A47 A6 cmpsb
:00402A48 5F pop edi
:00402A49 5E pop esi
:00402A4A 7409 je 00402A55
:00402A4C 89D9 mov ecx, ebx
:00402A4E EBEC jmp 00402A3C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402A33(C), :00402A3A(C), :00402A3E(C)
|
:00402A50 5A pop edx
:00402A51 31C0 xor eax, eax
:00402A53 EB05 jmp 00402A5A
整理一下我的注册码为:liangs-5944406 |
|