iTime 破解实录

日期:2003年6月9日 作者:CoolBob[CCG] 人气: 500

iTime 破解实录
iTime International Version
http://www.touchstone.de

一个可以同步你的电脑时钟的程序,在2000下不需要了。小弟还是比较喜欢用98作为破解平台,经常泡在SoftICE里面一转就是好几个小时。时钟经常不灵,最近在网上闲逛发现这个程序可以同步时钟,就抓了一个回来。居然还要注册,不然时间到了就不让用。我现在是一看到Register就会条件反射:),还是写个注册机出来吧。OK,Let's go!

1、工具:DeDe v2.50,TRW2000 or SoftICE,TC2.0 or asm(你喜欢的编译器)
2、用DeDe打开iTime.exe,在DeDe中点击Procedures按钮,找到options(unit name)那一项双击,在右边的窗口中找到mnuRegisterClick这一项,再双击,WOW!

来到这里你已经成功一半啦!^*^(这么简单?)

* Reference to: controls.TControl.GetText(TControl):System.String;
|
004078B4  E80F0C0300            call    004384C8
004078B9  8D45F8                lea    eax, [ebp-$08] <--d *eax 看到你输入的名字

|
004078BC  E827670500            call    0045DFE8
004078C1  8BF0                  mov    esi, eax
004078C3  83FE32                cmp    esi, +$32
004078C6  7E04                  jle    004078CC
004078C8  B232                  mov    dl, $32
004078CA  EB02                  jmp    004078CE
004078CC  8BD6                  mov    edx, esi
004078CE  889528FFFFFF          mov    [ebp+$FFFFFF28], dl
004078D4  33C0                  xor    eax, eax
004078D6  8A8528FFFFFF          mov    al, byte ptr [ebp+$FFFFFF28]
004078DC  50                    push    eax
004078DD  837DF800              cmp    dword ptr [ebp-$08], +$00
004078E1  7405                  jz      004078E8
004078E3  8B4DF8                mov    ecx, [ebp-$08]
004078E6  EB05                  jmp    004078ED
004078E8  B9C8AF4600            mov    ecx, $0046AFC8
004078ED  51                    push    ecx
004078EE  8D8529FFFFFF          lea    eax, [ebp+$FFFFFF29]
004078F4  50                    push    eax

* Reference to: _strncpy()
|
004078F5  E86C1C0600            call    00469566
004078FA  83C40C                add    esp, +$0C
004078FD  FF4DD4                dec    dword ptr [ebp-$2C]
00407900  8D45F8                lea    eax, [ebp-$08]
00407903  BA02000000            mov    edx, $00000002

|
00407908  E8DF650500            call    0045DEEC
0040790D  8D9528FFFFFF          lea    edx, [ebp+$FFFFFF28]
00407913  8D855CFFFFFF          lea    eax, [ebp+$FFFFFF5C]

|
00407919  E8C2B9FFFF            call    004032E0
0040791E  66C745C82C00          mov    word ptr [ebp-$38], $002C
00407924  33C9                  xor    ecx, ecx
00407926  894DF4                mov    [ebp-$0C], ecx
00407929  8D55F4                lea    edx, [ebp-$0C]
0040792C  FF45D4                inc    dword ptr [ebp-$2C]
0040792F  8B45B4                mov    eax, [ebp-$4C]

* Reference to control btnDel : TResButton
|
00407932  8B80EC010000          mov    eax, [eax+$01EC]

* Reference to: controls.TControl.GetText(TControl):System.String;
|
00407938  E88B0B0300            call    004384C8
0040793D  8D45F4                lea    eax, [ebp-$0C] <--d *eax 看到你输入的密码

|
00407940  E8A3660500            call    0045DFE8

为了更快地找到关键比对核心,可以下 bpr 或 bpm 等断点。当你看到这段代码:

0167:0040CA38  PUSH    EBP
0167:0040CA39  MOV      EBP,ESP
0167:0040CA3B  ADD      ESP,BYTE -1C
0167:0040CA3E  MOV      [EBP-0C],ECX
0167:0040CA41  MOV      [EBP-08],EDX
0167:0040CA44  MOV      [EBP-04],EAX
0167:0040CA47  MOV      BYTE [EBP-16],00
0167:0040CA4B  LEA      EAX,[EBP-16]
0167:0040CA4E  MOV      EDX,0040CB90
0167:0040CA53  MOV      CL,09
0167:0040CA55  CALL    0045B014
0167:0040CA5A  LEA      EAX,[EBP-1C]
0167:0040CA5D  MOV      EDX,[EBP-08]
0167:0040CA60  SHR      EDX,1C
0167:0040CA63  AND      EDX,BYTE +0F
0167:0040CA66  MOV      DL,[EDX+0046EE4C]
0167:0040CA6C  MOV      [EAX+01],DL
0167:0040CA6F  MOV      BYTE [EAX],01
0167:0040CA72  LEA      EDX,[EBP-1C]
0167:0040CA75  LEA      EAX,[EBP-16]
0167:0040CA78  MOV      CL,09
0167:0040CA7A  CALL    0045B014
0167:0040CA7F  LEA      EAX,[EBP-1C]
0167:0040CA82  MOV      EDX,[EBP-08]
0167:0040CA85  SHR      EDX,18
0167:0040CA88  AND      EDX,BYTE +0F
0167:0040CA8B  MOV      DL,[EDX+0046EE4C]
0167:0040CA91  MOV      [EAX+01],DL
0167:0040CA94  MOV      BYTE [EAX],01
0167:0040CA97  LEA      EDX,[EBP-1C]
0167:0040CA9A  LEA      EAX,[EBP-16]
0167:0040CA9D  MOV      CL,09
0167:0040CA9F  CALL    0045B014
0167:0040CAA4  LEA      EAX,[EBP-1C]
0167:0040CAA7  MOV      EDX,[EBP-08]
0167:0040CAAA  SHR      EDX,14
0167:0040CAAD  AND      EDX,BYTE +0F
0167:0040CAB0  MOV      DL,[EDX+0046EE4C]
0167:0040CAB6  MOV      [EAX+01],DL
0167:0040CAB9  MOV      BYTE [EAX],01
0167:0040CABC  LEA      EDX,[EBP-1C]
0167:0040CABF  LEA      EAX,[EBP-16]
0167:0040CAC2  MOV      CL,09
0167:0040CAC4  CALL    0045B014
0167:0040CAC9  LEA      EAX,[EBP-1C]
0167:0040CACC  MOV      EDX,[EBP-08]
0167:0040CACF  SHR      EDX,10
0167:0040CAD2  AND      EDX,BYTE +0F
0167:0040CAD5  MOV      DL,[EDX+0046EE4C]
0167:0040CADB  MOV      [EAX+01],DL
0167:0040CADE  MOV      BYTE [EAX],01
0167:0040CAE1  LEA      EDX,[EBP-1C]
0167:0040CAE4  LEA      EAX,[EBP-16]
0167:0040CAE7  MOV      CL,09
0167:0040CAE9  CALL    0045B014
0167:0040CAEE  LEA      EAX,[EBP-1C]
0167:0040CAF1  MOV      EDX,[EBP-08]
0167:0040CAF4  SHR      EDX,0C
0167:0040CAF7  AND      EDX,BYTE +0F
0167:0040CAFA  MOV      DL,[EDX+0046EE4C]
0167:0040CB00  MOV      [EAX+01],DL
0167:0040CB03  MOV      BYTE [EAX],01
0167:0040CB06  LEA      EDX,[EBP-1C]
0167:0040CB09  LEA      EAX,[EBP-16]
0167:0040CB0C  MOV      CL,09
0167:0040CB0E  CALL    0045B014
0167:0040CB13  LEA      EAX,[EBP-1C]
0167:0040CB16  MOV      EDX,[EBP-08]
0167:0040CB19  SHR      EDX,08
0167:0040CB1C  AND      EDX,BYTE +0F
0167:0040CB1F  MOV      DL,[EDX+0046EE4C]
0167:0040CB25  MOV      [EAX+01],DL
0167:0040CB28  MOV      BYTE [EAX],01
0167:0040CB2B  LEA      EDX,[EBP-1C]
0167:0040CB2E  LEA      EAX,[EBP-16]
0167:0040CB31  MOV      CL,09
0167:0040CB33  CALL    0045B014
0167:0040CB38  LEA      EAX,[EBP-1C]
0167:0040CB3B  MOV      EDX,[EBP-08]
0167:0040CB3E  SHR      EDX,04
0167:0040CB41  AND      EDX,BYTE +0F
0167:0040CB44  MOV      DL,[EDX+0046EE4C]
0167:0040CB4A  MOV      [EAX+01],DL
0167:0040CB4D  MOV      BYTE [EAX],01
0167:0040CB50  LEA      EDX,[EBP-1C]
0167:0040CB53  LEA      EAX,[EBP-16]
0167:0040CB56  MOV      CL,09
0167:0040CB58  CALL    0045B014
0167:0040CB5D  LEA      EAX,[EBP-1C]
0167:0040CB60  MOV      EDX,[EBP-08]
0167:0040CB63  AND      EDX,BYTE +0F
0167:0040CB66  MOV      DL,[EDX+0046EE4C]
0167:0040CB6C  MOV      [EAX+01],DL
0167:0040CB6F  MOV      BYTE [EAX],01
0167:0040CB72  LEA      EDX,[EBP-1C]
0167:0040CB75  LEA      EAX,[EBP-16]
0167:0040CB78  MOV      CL,09
0167:0040CB7A  CALL    0045B014
0167:0040CB7F  MOV      EAX,[EBP-0C]
0167:0040CB82  LEA      EDX,[EBP-16]
0167:0040CB85  MOV      CL,09
0167:0040CB87  CALL    0045B060
0167:0040CB8C  MOV      ESP,EBP
0167:0040CB8E  POP      EBP
0167:0040CB8F  RET

其实就是把一个4字节的十六进制数转换为字符串。比如它第一次是把一个0x426B2FA9转换为$426B2FA9,

第二次把0x6FB73A24转换为$6FB73A24.

-----------------------------------------
0167:0040CBBF  MOV      AL,[EBP-4D]
0167:0040CBC2  INC      EAX
0167:0040CBC3  CMP      EAX,BYTE +32
0167:0040CBC6  JG      0040CBDC
0167:0040CBC8  MOV      [EBP-10],EAX
0167:0040CBCB  MOV      EAX,[EBP-10]
0167:0040CBCE  MOV      BYTE [EBP+EAX-4D],2A
0167:0040CBD3  INC      DWORD [EBP-10]
0167:0040CBD6  CMP      DWORD [EBP-10],BYTE +33
0167:0040CBDA  JNZ      0040CBCB
0167:0040CBDC  LEA      EAX,[EBP+FFFFFF6C]
0167:0040CBE2  MOV      [EBP-0C],EAX
0167:0040CBE5  LEA      ECX,[EBP+FFFFFF60]
0167:0040CBEB  MOV      EAX,[EBP-04]
0167:0040CBEE  MOV      EDX,[EAX+0224]
0167:0040CBF4  MOV      EAX,[EBP-04]
0167:0040CBF7  CALL    0040CA38

这段代码就是把name不足50个字符的地方全部用'*'填满。然后再把上面的两个字符串分别加在你的名字前后,像下面那样:

    $426B2FA9CoolBob*******************************************    $6FB73A24

|------------------一共71个字符------------------|

下面就要小心跟踪了,来到这里:

0167:0040C9E3  MOV      [EBP-08],EDX
0167:0040C9E6  MOV      [EBP-04],EAX
0167:0040C9E9  MOV      BYTE [EBP-15],00
0167:0040C9ED  MOV      EAX,[EBP-08]    <---EAX初始化为0xABCDEF
0167:0040C9F0  SHR      EAX,08
0167:0040C9F3  AND      EAX,00FFFFFF
0167:0040C9F8  MOV      [EBP-10],EAX
0167:0040C9FB  XOR      EAX,EAX
0167:0040C9FD  MOV      AL,[EBP-15]
0167:0040CA00  MOVZX    EAX,BYTE [EBP+EAX-5C] <---这里也就是刚才那个71个字符了
0167:0040CA05  XOR      EAX,[EBP-08]
0167:0040CA08  AND      EAX,FF
0167:0040CA0D  MOV      EAX,[EAX*4+0046EA44]  <----在TRW2000下把这段数据用                                                  <----w 46EA44 fe*4+46EA44 c:\data.bin抓下来
                          <----后面作注册机少不了这个。
0167:0040CA14  MOV      [EBP-14],EAX
0167:0040CA17  MOV      EAX,[EBP-10]
0167:0040CA1A  XOR      EAX,[EBP-14]
0167:0040CA1D  MOV      [EBP-08],EAX
0167:0040CA20  INC      BYTE [EBP-15]
0167:0040CA23  CMP      BYTE [EBP-15],47
0167:0040CA27  JNZ      0040C9ED          <----循环0x47次,也就是71次

这里算出来的EAX就是注册码的原型了,只是要把EAX包含的十六进制数转换为字符串输出即可!

----------------------------
0167:0040CE14  MOV      CL,[EAX+0375]
0167:0040CE1A  LEA      EDX,[EBP-42]
0167:0040CE1D  MOV      EAX,[EBP-04]
0167:0040CE20  CALL    0040CB94
0167:0040CE25  LEA      EAX,[EBP-50]     <-----d EAX (real code)
0167:0040CE28  LEA      EDX,[EBP-0E]    <-----d edx (our  code)
0167:0040CE2B  XOR      ECX,ECX
0167:0040CE2D  MOV      CL,[EAX]
0167:0040CE2F  INC      ECX
0167:0040CE30  CALL    0045B114    <-----比较是否相等
0167:0040CE35  SETZ    [EBP-0F]    <-----相等的话置注册成功标志1到[EBP-0F]
0167:0040CE39  CMP      BYTE [EBP-0F],00
0167:0040CE3D  JNZ      0040CE85    <-----if jump good boy:)
0167:0040CE3F  MOV      EAX,[EBP-04]
0167:0040CE42  MOV      BYTE [EAX+0375],01
0167:0040CE49  LEA      EAX,[EBP-50]
0167:0040CE4C  PUSH    EAX
0167:0040CE4D  MOV      EAX,[EBP-04]
0167:0040CE50  MOV      CL,[EAX+0375]
0167:0040CE56  LEA      EDX,[EBP-42]
0167:0040CE59  MOV      EAX,[EBP-04]
0167:0040CE5C  CALL    0040CB94
0167:0040CE61  LEA      EAX,[EBP-50]
0167:0040CE64  LEA      EDX,[EBP-0E]
0167:0040CE67  XOR      ECX,ECX
0167:0040CE69  MOV      CL,[EAX]
0167:0040CE6B  INC      ECX
0167:0040CE6C  CALL    0045B114
0167:0040CE71  SETZ    [EBP-0F]
0167:0040CE75  CMP      BYTE [EBP-0F],01
0167:0040CE79  JNZ      0040CE85
0167:0040CE7B  MOV      EAX,[EBP-04]
0167:0040CE7E  MOV      BYTE [EAX+0375],01
0167:0040CE85  MOV      AL,[EBP-0F]
0167:0040CE88  POP      EDI
0167:0040CE89  POP      ESI
0167:0040CE8A  MOV      ESP,EBP
0167:0040CE8C  POP      EBP
0167:0040CE8D  RET

该程序注册正确后,会在其目录下生成一个叫iTime.key的文件。

3、在作注册机前的准备:

我们要对那个TRW2000抓下来的data.bin进行一番处理。可以编个小程序来处理:

//------------------------------------Start here--------------------------------------
#include <stdio.h>
/*
 * Converts the raw table dumped to c:\data.bin into C source text:
 * reads 0xFE consecutive 4-byte values and writes each as a "0xHEX,"
 * literal to c:\x.bin (a newline after entries 0, 6, 12, ...), echoing
 * every value to stdout as well.
 *
 * NOTE(review): as written this does not compile — fopen() assigns to
 * `fp`, which is never declared, while fread() reads from `fp1`.
 * Neither fopen() result is checked and neither handle is fclose()d.
 * clrscr() is Turbo C's conio.h routine; it is not declared by <stdio.h>.
 * Assumes sizeof(unsigned long) == 4 (true on TC 2.0): fread() fills
 * only 4 bytes of each element, so on an LP64 target the upper half of
 * each buffer[i] would be left uninitialised before printing.
 */
main(){
FILE *fp1,*fp2;
unsigned long buffer[0xfe];             /* 0xFE = 254 entries, matching the loop below */
int i;
clrscr();
fp=fopen("c:\\data.bin","rb+");          /* NOTE(review): `fp` is undeclared; fp1 is the handle read below */
fp2=fopen("c:\\x.bin","w+");
for(i=0;i<0xfe;i++)
{fread(&buffer[i],4,1,fp1);             /* item count returned by fread() is ignored */
printf("0x%lX,",buffer[i]);
fprintf(fp2,"0x%lX,",buffer[i]);
if (i%6==0) fprintf(fp2,"\n");          /* line break after index 0 and every sixth entry */
}
}
//------------------------------------Cut here----------------------------------------

上面这个程序就是把data.bin里面的二进制数据转换成4字节的长整数。

4、注册机

//-------------------start here------------------
#include <stdio.h>
#include <string.h>
/*
 * Keymaker reconstructed from the loop at 0040C9ED above.
 *
 * Input layout (sns, 71 bytes = 0x47, the loop count at 0040CA23):
 *   string1: Pascal short string, length byte 0x09 then "$426B2FA9"
 *   sns[10]: length byte of the name, then the name itself, padded
 *            with '*' up to index 60 when the name is shorter than 50
 *   string2: Pascal short string, length byte 0x09 then "$6FB73A24"
 *
 * Per byte the state is updated as
 *   state = ((state >> 8) & 0x00FFFFFF) ^ data[(byte ^ state) & 0xFF]
 * starting from 0xABCDEF — a table-driven, reflected CRC-32 update.
 * data[] is the table dumped from 0046EE4C/0046EA44; data[128] is
 * 0xEDB88320, the reflected CRC-32 polynomial, which is why the page
 * footer calls this "standard CRC-32". Only the initial value differs
 * from the usual 0xFFFFFFFF and there is no final inversion.
 *
 * NOTE(review): data[] holds 254 entries (0x0 .. 0xC30C8EA1, 0xFE as
 * in the dump tool), but j ranges over 0..255, so j == 254 or 255
 * reads past the end of the array (undefined behaviour). scanf("%s")
 * has no width limit, so a name of 50 or more characters overruns
 * name[50], and the sns[] layout above assumes strlen(name) <= 50.
 * `code` is declared but never used. clrscr()/getch() are Turbo C
 * conio.h routines, not declared by the headers included above.
 *
 * Design note: a code that is a plain CRC of the user name carries no
 * secret, so anyone holding the table and the layout can regenerate it;
 * a keyed MAC, or better a signature verified with an embedded public
 * key, would be the appropriate construction for a licence check.
 */
main()
{
char string1[]={0x9,0x24,0x34,0x32,0x36,0x42,0x32,0x46,0x41,0x39};   /* 0x09, "$426B2FA9" */
char string2[]={0x9,0x24,0x36,0x46,0x42,0x37,0x33,0x41,0x32,0x34};   /* 0x09, "$6FB73A24" */
char name[50];
char code[8];                                   /* unused */
char sns[71];                                   /* the 71-byte buffer the CRC loop walks */
unsigned long data[]={0x0,
0x77073096,0xEE0E612C,0x990951BA,0x76DC419,0x706AF48F,0xE963A535,
0x9E6495A3,0xEDB8832,0x79DCB8A4,0xE0D5E91E,0x97D2D988,0x9B64C2B,
0x7EB17CBD,0xE7B82D07,0x90BF1D91,0x1DB71064,0x6AB020F2,0xF3B97148,
0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0xF4D4B551,0x83D385C7,0x136C9856,
0x646BA8C0,0xFD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0xFA0F3D63,
0x8D080DF5,0x3B6E20C8,0x4C69105E,0xD56041E4,0xA2677172,0x3C03E4D1,
0x4B04D447,0xD20D85FD,0xA50AB56B,0x35B5A8FA,0x42B2986C,0xDBBBC9D6,
0xACBCF940,0x32D86CE3,0x45DF5C75,0xDCD60DCF,0xABD13D59,0x26D930AC,
0x51DE003A,0xC8D75180,0xBFD06116,0x21B4F4B5,0x56B3C423,0xCFBA9599,
0xB8BDA50F,0x2802B89E,0x5F058808,0xC60CD9B2,0xB10BE924,0x2F6F7C87,
0x58684C11,0xC1611DAB,0xB6662D3D,0x76DC4190,0x1DB7106,0x98D220BC,
0xEFD5102A,0x71B18589,0x6B6B51F,0x9FBFE4A5,0xE8B8D433,0x7807C9A2,
0xF00F934,0x9609A88E,0xE10E9818,0x7F6A0DBB,0x86D3D2D,0x91646C97,
0xE6635C01,0x6B6B51F4,0x1C6C6162,0x856530D8,0xF262004E,0x6C0695ED,
0x1B01A57B,0x8208F4C1,0xF50FC457,0x65B0D9C6,0x12B7E950,0x8BBEB8EA,
0xFCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0xFBD44C65,0x4DB26158,
0x3AB551CE,0xA3BC0074,0xD4BB30E2,0x4ADFA541,0x3DD895D7,0xA4D1C46D,
0xD3D6F4FB,0x4369E96A,0x346ED9FC,0xAD678846,0xDA60B8D0,0x44042D73,
0x33031DE5,0xAA0A4C5F,0xDD0D7CC9,0x5005713C,0x270241AA,0xBE0B1010,
0xC90C2086,0x5768B525,0x206F85B3,0xB966D409,0xCE61E49F,0x5EDEF90E,
0x29D9C998,0xB0D09822,0xC7D7A8B4,0x59B33D17,0x2EB40D81,0xB7BD5C3B,
0xC0BA6CAD,0xEDB88320,0x9ABFB3B6,0x3B6E20C,0x74B1D29A,0xEAD54739,
0x9DD277AF,0x4DB2615,0x73DC1683,0xE3630B12,0x94643B84,0xD6D6A3E,
0x7A6A5AA8,0xE40ECF0B,0x9309FF9D,0xA00AE27,0x7D079EB1,0xF00F9344,
0x8708A3D2,0x1E01F268,0x6906C2FE,0xF762575D,0x806567CB,0x196C3671,
0x6E6B06E7,0xFED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,0xF9B9DF6F,
0x8EBEEFF9,0x17B7BE43,0x60B08ED5,0xD6D6A3E8,0xA1D1937E,0x38D8C2C4,
0x4FDFF252,0xD1BB67F1,0xA6BC5767,0x3FB506DD,0x48B2364B,0xD80D2BDA,
0xAF0A1B4C,0x36034AF6,0x41047A60,0xDF60EFC3,0xA867DF55,0x316E8EEF,
0x4669BE79,0xCB61B38C,0xBC66831A,0x256FD2A0,0x5268E236,0xCC0C7795,
0xBB0B4703,0x220216B9,0x5505262F,0xC5BA3BBE,0xB2BD0B28,0x2BB45A92,
0x5CB36A04,0xC2D7FFA7,0xB5D0CF31,0x2CD99E8B,0x5BDEAE1D,0x9B64C2B0,
0xEC63F226,0x756AA39C,0x26D930A,0x9C0906A9,0xEB0E363F,0x72076785,
0x5005713,0x95BF4A82,0xE2B87A14,0x7BB12BAE,0xCB61B38,0x92D28E9B,
0xE5D5BE0D,0x7CDCEFB7,0xBDBDF21,0x86D3D2D4,0xF1D4E242,0x68DDB3F8,
0x1FDA836E,0x81BE16CD,0xF6B9265B,0x6FB077E1,0x18B74777,0x88085AE6,
0xFF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0xF862AE69,0x616BFFD3,
0x166CCF45,0xA00AE278,0xD70DD2EE,0x4E048354,0x3903B3C2,0xA7672661,
0xD06016F7,0x4969474D,0x3E6E77DB,0xAED16A4A,0xD9D65ADC,0x40DF0B66,
0x37D83BF0,0xA9BCAE53,0xDEBB9EC5,0x47B2CF7F,0x30B5FFE9,0xBDBDF21C,
0xCABAC28A,0x53B39330,0x24B4A3A6,0xBAD03605,0xCDD70693,0x54DE5729,
0x23D967BF,0xB3667A2E,0xC4614AB8,0x5D681B02,0x2A6F2B94,0xB40BBE37,
0xC30C8EA1};                                    /* 254 entries in total; see NOTE(review) above */
int i,j;unsigned long ebp=0xABCDEF,eax;         /* ebp mirrors [EBP-08], the running state; initial value per 0040C9ED */
clrscr();
printf("iTime (International Version) Keymaker by CoolBob[CCG]\n");
printf("written at 2001.4.25\n");
printf("name: ");
scanf("%s",name);printf("\n");                  /* NOTE(review): unbounded read into name[50] */
for(i=0;i<10;i++)sns[i]=string1[i];             /* sns[0..9]  = short string "$426B2FA9" */
sns[10]=strlen(name);                           /* length byte of the name short string */
for(i=11;i<strlen(name)+11;i++)sns[i]=name[i-11];   /* sns[11..] = name; overruns sns if strlen(name) > 50 */
if (strlen(name)<50) {for(i=strlen(name)+11;i<61;i++) sns[i]='*';};   /* pad with '*' up to index 60 */
for(i=61;i<71;i++) sns[i]=string2[i-61];        /* sns[61..70] = short string "$6FB73A24" */
for(i=0;i<0x47;i++)                             /* 0x47 = 71 bytes, as at 0040CA23 */
{
eax=ebp;
eax=(eax>>8)&0x00FFFFFF;                        /* SHR EAX,08 / AND EAX,00FFFFFF */
j=(sns[i]^ebp)&0xFF;                            /* table index: (byte ^ state) & 0xFF; may reach 254/255 */
ebp=eax^data[j];                                /* state = (state >> 8) ^ table[index] */
}
printf("code: %lX\n\n",ebp);                    /* final state, printed as upper-case hex */
printf("Hmm,OK,that's your code!!enjoy yourself! Contact me at CoolBob@21cn.com :-)\n");
printf("press any key to exit!!");
getch();
}
//--------------------cut here---------------------
written by CoolBob[CCG]
2001.4.26
(CIH??)
CopyRight reserved by China Cracker Group
标准的crc32算法 (空)
Contributors: FHL