C-Free 4.1 Professional registration code crack - xiufeng_wang's column - CSDN Blog
Source: 百度文库  Editor: 神马文学网  Date: 2024/06/05 14:47:23
When you run the C-Free main program and click the "About" menu, it shows as unregistered. Once the trial period has expired, a dialog asking you to register pops up at startup, and features such as debugging are disabled.

Choose the "Register" menu, enter a user name, an email address and a (wrong) registration code, and click OK; the program then asks to be restarted to verify them.

After the restart, the user name and email entered earlier are loaded automatically, which shows that they were saved to the registry. The registration code was saved to the registry as well, but because it was wrong the program now asks for it again.

Open the registry and look under HKEY_CURRENT_USER\Software\C-Free\4 for the following values:

Email
RegistryCode
UserName

This shows that the program reads and writes these registry values at startup. Load the program in OLLYICE and set an API breakpoint on the function RegQueryValueExA. Run it, and execution breaks at 005218E4:

005218E4  /$  55             PUSH EBP
005218E5  |.  8BEC           MOV EBP,ESP
005218E7  |.  83C4 F0        ADD ESP,-10
005218EA  |.  53             PUSH EBX
005218EB  |.  56             PUSH ESI
005218EC  |.  57             PUSH EDI
005218ED  |.  8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]          ; the entered registration code
005218F0  |.  8B4D 0C        MOV ECX,DWORD PTR SS:[EBP+C]
005218F3  |.  8B55 14        MOV EDX,DWORD PTR SS:[EBP+14]
005218F6  |.  807C08 FF 00   CMP BYTE PTR DS:[EAX+ECX-1],0         ; registration code length
005218FB  |.  75 03          JNZ SHORT CppIDE.00521900
005218FD  |.  FF4D 0C        DEC DWORD PTR SS:[EBP+C]
00521900      837D 10 00     CMP DWORD PTR SS:[EBP+10],0
00521904      75 4C          JNZ SHORT CppIDE.00521952
00521906      837D 0C 03     CMP DWORD PTR SS:[EBP+C],3
0052190A  |.  7D 07          JGE SHORT CppIDE.00521913
0052190C  |.  33C0           XOR EAX,EAX
0052190E  |.  E9 19010000    JMP CppIDE.00521A2C
00521913  |>  33D2           XOR EDX,EDX
00521915  |.  8B4D 0C        MOV ECX,DWORD PTR SS:[EBP+C]
00521918  |.  0FBE4C08 FE    MOVSX ECX,BYTE PTR DS:[EAX+ECX-2]
0052191D  |.  83F9 3D        CMP ECX,3D
00521920  |.  75 07          JNZ SHORT CppIDE.00521929
00521922  |.  BA 02000000    MOV EDX,2
00521927  |.  EB 12          JMP SHORT CppIDE.0052193B
00521929  |>  8B4D 0C        MOV ECX,DWORD PTR SS:[EBP+C]
0052192C  |.  0FBE4408 FF    MOVSX EAX,BYTE PTR DS:[EAX+ECX-1]
00521931  |.  83F8 3D        CMP EAX,3D
00521934  |.  75 05          JNZ SHORT CppIDE.0052193B
00521936  |.  BA 01000000    MOV EDX,1
0052193B  |>  8B45 0C        MOV EAX,DWORD PTR SS:[EBP+C]
0052193E  |.  85C0           TEST EAX,EAX
00521940  |.  79 03          JNS SHORT CppIDE.00521945
00521942  |.  83C0 03        ADD EAX,3
00521945  |>  C1F8 02        SAR EAX,2
00521948  |.  8D0440         LEA EAX,DWORD PTR DS:[EAX+EAX*2]
0052194B  |.  2BC2           SUB EAX,EDX
0052194D  |.  E9 DA000000    JMP CppIDE.00521A2C
00521952  |>  85D2           TEST EDX,EDX
00521954  |.  75 09          JNZ SHORT CppIDE.0052195F
00521956  |.  C745 FC 03456> MOV DWORD PTR SS:[EBP-4],CppIDE.006E4503
0052195D  |.  EB 03          JMP SHORT CppIDE.00521962
0052195F  |>  8955 FC        MOV DWORD PTR SS:[EBP-4],EDX
00521962  |>  33D2           XOR EDX,EDX
00521964  |.  8955 F4        MOV DWORD PTR SS:[EBP-C],EDX
00521967  |.  8BD0           MOV EDX,EAX
00521969  |.  8B45 10        MOV EAX,DWORD PTR SS:[EBP+10]
0052196C  |.  8945 F0        MOV DWORD PTR SS:[EBP-10],EAX         ; location where the converted registration code is stored
0052196F  |.  E9 A2000000    JMP CppIDE.00521A16
00521974  |>  3C 7B          /CMP AL,7B
00521976  |.  0F83 AA000000  |JNB CppIDE.00521A26
0052197C  |.  C745 F8 03000> |MOV DWORD PTR SS:[EBP-8],3
00521983  |.  33DB           |XOR EBX,EBX
00521985  |.  33C0           |XOR EAX,EAX
00521987  |>  C1E3 06        |/SHL EBX,6
0052198A  |.  8A0A           ||MOV CL,BYTE PTR DS:[EDX]
0052198C  |.  80F9 3D        ||CMP CL,3D
0052198F  |.  75 15          ||JNZ SHORT CppIDE.005219A6
00521991  |.  81E1 FF000000  ||AND ECX,0FF
00521997  |.  0FBE89 88446E> ||MOVSX ECX,BYTE PTR DS:[ECX+6E4488]
0052199E  |.  0BD9           ||OR EBX,ECX
005219A0  |.  48             ||DEC EAX
005219A1  |.  8945 F8        ||MOV DWORD PTR SS:[EBP-8],EAX
005219A4  |.  EB 22          ||JMP SHORT CppIDE.005219C8
005219A6  |>  837D 0C 00     ||CMP DWORD PTR SS:[EBP+C],0
005219AA  |.  7E 16          ||JLE SHORT CppIDE.005219C2
005219AC  |.  803A 7B        ||CMP BYTE PTR DS:[EDX],7B
005219AF  |.  73 11          ||JNB SHORT CppIDE.005219C2
005219B1  |.  33C9           ||XOR ECX,ECX
005219B3  |.  8A0A           ||MOV CL,BYTE PTR DS:[EDX]
005219B5  |.  0FBE89 88446E> ||MOVSX ECX,BYTE PTR DS:[ECX+6E4488]  ; 6E4488 holds the substitution table for registration code characters; the table shows which characters are permitted in the entered code
005219BC  |.  0BD9           ||OR EBX,ECX                          ; OR the substituted value into EBX
005219BE  |.  42             ||INC EDX
005219BF  |.  FF4D 0C        ||DEC DWORD PTR SS:[EBP+C]
005219C2  |>  40             ||INC EAX
005219C3  |.  83F8 04        ||CMP EAX,4                           ; the registration code length must be a multiple of 4; characters are processed in groups of four, substituted first and then combined
005219C6  |.^ 7C BF          |\JL SHORT CppIDE.00521987
005219C8  |>  837D F8 01     |CMP DWORD PTR SS:[EBP-8],1
005219CC  |.  75 03          |JNZ SHORT CppIDE.005219D1
005219CE  |.  C1E3 06        |SHL EBX,6
005219D1  |>  81E3 FFFFFF00  |AND EBX,0FFFFFF
005219D7  |.  33C0           |XOR EAX,EAX
005219D9  |.  3B45 F8        |CMP EAX,DWORD PTR SS:[EBP-8]
005219DC  |.  7D 38          |JGE SHORT CppIDE.00521A16
005219DE  |>  B9 02000000    |/MOV ECX,2
005219E3  |.  8BF3           ||MOV ESI,EBX                         ; the combined value produced by the step above
005219E5  |.  2BC8           ||SUB ECX,EAX
005219E7  |.  8B7D F4        ||MOV EDI,DWORD PTR SS:[EBP-C]
005219EA  |.  C1E1 03        ||SHL ECX,3
005219ED  |.  D3FE           ||SAR ESI,CL
005219EF  |.  8BCE           ||MOV ECX,ESI
005219F1  |.  8B75 FC        ||MOV ESI,DWORD PTR SS:[EBP-4]        ; ESI holds the XOR table, whose value is B8 BB C4 EA, used for the cyclic XOR operation
005219F4  |.  80E1 FF        ||AND CL,0FF
005219F7  |.  320C3E         ||XOR CL,BYTE PTR DS:[ESI+EDI]        ; XOR with the value from the XOR table
005219FA  |.  8B75 F0        ||MOV ESI,DWORD PTR SS:[EBP-10]       ; save the XOR result
005219FD  |.  880E           ||MOV BYTE PTR DS:[ESI],CL
005219FF  |.  FF45 F4        ||INC DWORD PTR SS:[EBP-C]
00521A02  |.  FF45 F0        ||INC DWORD PTR SS:[EBP-10]
00521A05  |.  837D F4 04     ||CMP DWORD PTR SS:[EBP-C],4
00521A09  |.  75 05          ||JNZ SHORT CppIDE.00521A10
00521A0B  |.  33C9           ||XOR ECX,ECX
00521A0D  |.  894D F4        ||MOV DWORD PTR SS:[EBP-C],ECX
00521A10  |>  40             ||INC EAX
00521A11  |.  3B45 F8        ||CMP EAX,DWORD PTR SS:[EBP-8]        ; three operations per round
00521A14  |.^ 7C C8          |\JL SHORT CppIDE.005219DE
00521A16  |>  8A02           MOV AL,BYTE PTR DS:[EDX]
00521A18  |.  3C 3D          |CMP AL,3D
00521A1A  |.  74 0A          |JE SHORT CppIDE.00521A26
00521A1C  |.  837D 0C 00     |CMP DWORD PTR SS:[EBP+C],0           ; is the converted registration code length > 0? Converted length = registration code length / 4 * 3
00521A20  |.^ 0F8F 4EFFFFFF  \JG CppIDE.00521974
00521A26  |>  8B45 F0        MOV EAX,DWORD PTR SS:[EBP-10]
00521A29  |.  2B45 10        SUB EAX,DWORD PTR SS:[EBP+10]
00521A2C  |>  5F             POP EDI
00521A2D  |.  5E             POP ESI
00521A2E  |.  5B             POP EBX
00521A2F  |.  8BE5           MOV ESP,EBP
00521A31  |.  5D             POP EBP
00521A32  \.  C3             RETN

This is the core of the registration code verification. The breakpoint is hit twice; the second hit is the important one, so do not run past it. Run to 00521A32, then single-step to:

0042F10E  .  E8 69962100     CALL CppIDE.0064877C                  ; reads in the user name and email entered earlier
0042F113  .  FF85 E8F9FFFF   INC DWORD PTR SS:[EBP-618]
0042F119  .  8B10            MOV EDX,DWORD PTR DS:[EAX]
0042F11B  .  8B85 ACFBFFFF   MOV EAX,DWORD PTR SS:[EBP-454]
0042F121  .  E8 F2CC1700     CALL CppIDE.005ABE18                  ; compares the result of the verification algorithm above with the concatenated email and user name string, by length and by content
0042F126  .  85C0            TEST EAX,EAX                          ; tests for success, i.e. whether the value is 0; on failure the program asks for registration at every startup

How can you tell whether the characters of the entered registration code are valid? Watch the result at this point in real time:

005219FA  |.  8B75 F0        ||MOV ESI,DWORD PTR SS:[EBP-10]       ; save the XOR result

Inspect it with d ESI. The result must consist of characters permitted by the substitution table above; otherwise the string length will be wrong during the startup check. If a character is not printable, adjust the corresponding character of the RegistryCode registry value.

Once everything passes, the converted string can be used to replace the UserName and Email registry values. Here is one result of mine: cf@1u40iUNi^cfp7jp

UserName can be set to: UNi^cfp7jp
Email can be set to: cf@1u40i

This article is from a CSDN blog; please cite the source when reposting: http://blog.csdn.net/xiufeng_wang/archive/2010/01/15/5192729.aspx