reg number in EDI</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B397B
MOV EDX, EDI
<- <B><FONT COLOR="#993366">EDX now holds fake reg number</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B397D
MOV ECX, FFFFFFFF <- <B><FONT COLOR="#993366">Setting
up for a count</FONT></B></FONT></FONT>
<P><FONT COLOR="#993300">Note: anytime you see FFFFFFFF being put into
ECX, you are most likely at the start of a routine that determines the
length of some string or number.</FONT>
<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B3982
XOR AL, AL
<- <B><FONT COLOR="#993366">Zero out AL</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B3984
CLD <- <B><FONT COLOR="#993366">CLear
the Direction flag for a string operation</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B3985
REPNZ SCASB
<- <B><FONT COLOR="#993366">While not 0, scan string byte</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B3987
NOT ECX
<- <B><FONT COLOR="#993366">ECX = length of string + 1</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B3989
MOV EDI, EDX
<- <B><FONT COLOR="#993366">EDI holds fake reg number</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B398B
MOV AL, [EBP+0C]</FONT></FONT>
<P>Ahhh...AL now holds 2D. So. The program IS going to check for a '-'
in the reg number.
<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B398E
REPNZ SCASB
<- <B><FONT COLOR="#993366">While not 0, scan string byte</FONT></B></FONT></FONT>
<P>You DID put a '-' in your registration number, didn't you? If not, then
please do so and then return to this point.
<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B3990
JNZ 004B3998 <- <B><FONT COLOR="#993366">No
'-' found? Then jump, bad cracker!</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B3992
LEA EAX, [EDI-01] <- <B><FONT COLOR="#993366">Fake
reg number from '-' to end of</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>
<- <B><FONT COLOR="#993366">number in EAX</FONT></B></FONT></FONT>
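<P>The two REPNZ SCASB loops traced above are the compiler's inlined strlen and strchr. The C below is an added example for this essay, not code from the essay or from mIRC: it simulates the ECX/EDI/AL/ZF semantics of REPNZ SCASB (register names as in the trace) so you can confirm why NOT ECX yields length+1 and why LEA EAX,[EDI-01] lands on the '-'. The sample reg number is the one the essay uses.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal register file for the instructions in the trace (constructed for this example). */
struct regs {
    uint32_t ecx;       /* repeat count */
    const char *edi;    /* scan pointer (DF clear, so it moves forward) */
    unsigned char al;   /* byte being searched for */
    int zf;             /* zero flag after the last compare */
};

/* REPNZ SCASB: compare AL with [EDI], advance EDI, decrement ECX,
 * stop when ECX reaches 0 or the compare set ZF. */
static void repnz_scasb(struct regs *r)
{
    while (r->ecx != 0) {
        r->zf = ((unsigned char)*r->edi == r->al);
        r->edi++;
        r->ecx--;
        if (r->zf)
            break;
    }
}

/* :004B397D..:004B3987 -- ECX=FFFFFFFF, AL=0, REPNZ SCASB, NOT ECX.
 * ECX ends at 0xFFFFFFFF - (len+1), so NOT ECX == len + 1 (the NUL is counted). */
uint32_t idiom_strlen_plus_one(const char *s)
{
    struct regs r = { 0xFFFFFFFFu, s, 0, 0 };
    repnz_scasb(&r);
    return ~r.ecx;
}

/* :004B398B..:004B3992 -- ECX=len+1, AL='-', REPNZ SCASB.
 * A hit leaves EDI one past the match, hence LEA EAX,[EDI-01];
 * no hit exhausts the count with ZF clear, which is what the JNZ tests.
 * Returns the offset of the '-' or -1 when the JNZ would be taken. */
long idiom_find_dash(const char *s)
{
    struct regs r = { idiom_strlen_plus_one(s), s, '-', 0 };
    repnz_scasb(&r);
    return r.zf ? (long)(r.edi - 1 - s) : -1L;
}
```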
<P><B>F8</B> until you return from the call.
<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E53C
ADD ESP, 08</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E53F
MOV EBX, EAX <- <B><FONT COLOR="#993366">Fake
reg number from '-' to end of number</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>
<- <B><FONT COLOR="#993366">in EBX</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E541
TEST EBX, EBX <- <B><FONT COLOR="#993366">IS there
a number in EBX?</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E543
JNZ 0048E54C <- <B><FONT COLOR="#993366">If
not 0 there is!</FONT></B></FONT></FONT>
<P>At this point the program jumps to :0048E54C if there is a '-' in the
fake registration number.
<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E54C MOV BYTE
PTR [EBX], 00 <- <B><FONT COLOR="#993366">Zero out the '-' in the fake
number</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E54F PUSH
ESI</FONT></FONT>
<P>If you type <B>d ESI</B> you'll see your fake number without the '-'.
<P>:0048E550 CALL 004B8D5C
<P><B>F8</B> into this call.
<BR><B>F8</B> until:
<P>:004B8D66 MOV AL, [EDX]
<P>This puts the first number in your fake reg number into AL.
<BR><B>F8</B> until:
<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B8DA0
CMP AL, 30 <- <B><FONT COLOR="#993366">Is
it a '0'?</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B8DA2
JL 004B8DA8</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B8DA4
CMP AL, 39 <- <B><FONT COLOR="#993366">Is
it a '9'?</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:004B8DA6
JLE 004B8D90</FONT></FONT>
<P>What this routine does is check whether the reg number character
in AL is an ASCII digit, i.e. between '0' (30h) and '9' (39h).
<BR>
<BR><B>F8</B> through the checking until you reach:
<P>:0048E56A CALL 004B8D5C
<P>At this point, in case you didn't notice, the program put the '-' back
in the fake reg number.
<BR><B>F8</B> into this call until you return (well, you CAN hit <B>F10</B>
if you really want to).
<BR><B>F8</B> until you reach the next call:
<P>:0048E577 CALL 004B39C8
<P>Notice that just before this call the program pushes EAX, which holds
the name that you entered.
<BR><B>F8</B> into this call.
<BR>
<BR>If you study this routine, you'll see that it again seems to count
the number of characters in your name.
<P><B>F10</B> until you return from the call.
<BR>Now, <B>F8</B> until you reach:
<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E594
MOVZX ESI, BYTE PTR [ECX]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E597
IMUL ESI, [EAX*4+004CCB30]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E59F
ADD EBX, ESI</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E5A1
INC EAX</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E5A2
CMP EAX, 26</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E5A5
JLE 0048E5A9</FONT></FONT>
<P>Hmm...looks like a calculation routine to me!
<BR><B>F8</B> until the conditional jump at :0048E5AE no longer jumps:
<P>:0048E5AE JL 0048E594
<P>Next, you'll see a CMP instruction:
<P>:0048E5B0 CMP EBX, [EBP-04]
<P>If you check what EBP-04 holds, you'll find the hex value of the
first part of your fake reg number. To get it (if you really don't want
to look at the upper-right corner just above your data window in Softice),
type <B>d EBP-04</B>. See the first bytes in the data window? (Example:
1617:00034567 FD 02 00 00 00 00......). Take the bytes you
find there (in my case they are FD 02) and reverse them, since the value is
stored little-endian: 02FD. If you type <B>? 02FD</B> (or whatever your
bytes were), you'll see that it is the
first part of your fake registration number (before the '-').
<BR>
<BR>If you now type <B>? EBX</B> you'll see what the program is looking
for. Write this number down.
<BR>
<BR>Disable your breakpoints (type <B>bd *</B>) and set a new one at that
CMP instruction.
<BR><B>BPX 015F:0048E5B0</B> (the 015F is the Code Segment. It might be
different on your computer).
<BR>
<BR>Now, type <B>X</B> to return to the program. Oops...back in Softice.
Type <B>X</B> again to return to the program. Put in your name and the
value that you wrote down (that EBX held at :0048E5B0). After that number,
put a '-' and whatever other numbers that you want. Ready?
<P>Click on "Register!"
<BR>Ok. We're back in Softice at the CMP EBX, [EBP-04] instruction:
<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E5B0 CMP EBX,
[EBP-04] <- <B><FONT COLOR="#993366">Are they the same? (they
SHOULD be, now)</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:0048E5B3 JZ 0048E5B9
<- <B><FONT COLOR="#993366">Yes? Then jump.</FONT></B></FONT></FONT>
<P><B>F8</B> until the conditional jump at 0048E5EE no longer jumps:
<P>:0048E5EE JL 0048E5CD
<P>Note that the whole routine that you just traced through calculates
the second part of the REAL registration number.
<BR><B>F8</B> past this JL 0048E5B9 instruction.
<P>:0048E5F0 CMP EBX, [EBP-08]
<P>Could it be? Yes, it is! If you look at the value at EBP-08, you'll
see that it is the second part of your fake number. What, then, does EBX
hold?
<BR>Type <B>? EBX</B>
<BR>
<BR>Well, what do you know! The REAL second part of the registration number.
<BR>Write this number down (the decimal part of it without the leading
zeros).
<BR>Clear your breakpoints (type <B>bc *</B>).
<BR>Type <B>X</B> to go back to the program.
<BR>Enter your name, as usual.
<BR>
<BR>Now, enter the first number that you wrote down + '-' + the second
number that you wrote down (in my case it is 3559-259043).
<BR>
<BR>Click on "Register!"
<BR>Ahhh...the smell of success!
<BR>
<BR>Program cracked.
<BR>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">The 'Crack'</FONT> </FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"> </FONT>
<BR>None.
<BR>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">Final Notes</FONT> </FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#333333"> </FONT></FONT>
<BR>With this essay, you now have enough information to create a key generator
for mIRC (providing, that is, that you know how to program in one of the
various programming languages)...
<BR>
<BR>As a final note: in this program there are a number of "easter eggs"
that can be reached from the "About" screen. I'll give you two of them:
click on the programmer's nose (yes, his pic is there) and you'll hear
it squeak...The next "easter egg": right click on the "About" screen. If
you look carefully, you'll see a bouncing dot above the 'I' in mIRC. Now
it's up to you to find the rest...*grin*
<BR>
<BR>
<BR><FONT FACE="Arial,Helvetica">My thanks and gratitude go to:</FONT>
<BR><FONT FACE="Arial,Helvetica"> </FONT>
<BR><FONT FACE="Arial,Helvetica">Fravia+ for providing possibly the greatest
source of Reverse Engineering</FONT>
<BR><FONT FACE="Arial,Helvetica">knowledge on the Web.</FONT>
<BR><FONT FACE="Arial,Helvetica"> </FONT>
<BR><FONT FACE="Arial,Helvetica">+ORC for showing me the light at the end
of the tunnel.</FONT>
<BR>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#0000FF"><FONT SIZE=+2>Ob Duh</FONT></FONT> </CENTER>
</TD>
</TR>
</TABLE>
<I><FONT FACE="Arial,Helvetica"> </FONT></I>
<BR><FONT FACE="Arial,Helvetica"> </FONT>
<BR><I><FONT FACE="Arial,Helvetica">Do I really have to remind you all
that buying and NOT stealing the software you use will ensure that these
software houses continue to produce even *better* software for
us to use and, more importantly, continue offering even more challenges
to breaking their often weak protection systems?</FONT></I>
<BR><FONT FACE="Arial,Helvetica"> </FONT>
<BR><I><FONT FACE="Arial,Helvetica">If you're looking for cracks or serial
numbers on these pages then you're wasting your time; try searching elsewhere
on the Web under Warez, Cracks etc.</FONT></I>
<P><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Essay by: <A HREF="mailto:KLee8084@snet.net">KLee8084</A></FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Page Created: 11th August
1998</FONT></FONT>
</BODY>
</HTML>