来源:http://bbs.pediy.com/showthread.php?p=1253653
一. 工具:
1. uncompyle2
2. IDA Pro 6.1
3. WingIDE 5.0本身
二. 工具安装
1. 安装Python2.7
2. 安装WinIDE 5.0
3. 解压uncompyle2,进入解压目录,执行命令python setup.py install
三. 破解过程
1. 直接拷贝C:\Wing IDE 5.0\bin\2.7\src.zip到C:\crack,解压。
2. cd C:\Python27\Scripts,运行python uncompyle2 --py -o . c:\crack\src,反编译所有的pyo文件。
3. 启动WingIDE 5.0,选择”Obtain or extend a trial license”,获得个10天的试用。
点击help-->Enter License…,弹出的对话框中选择”Install and activate a permant license”,
随便输几个啥,我这里输入”FFFF”,提示如下图:
哈,说的很明白了。
4. 找License ID的规律
用WingIDE打开c:\crack\src\process\wingctl.py,搜索字符串”Invalid license id”,定位到这串代码
代码:
if self.__fRadioActivate.get_active():id = self.__fLicenseIDEntry.get_text()errs, lic = abstract.ValidateAndNormalizeLicenseID(id)if len(errs) == 0 and id[0] == 'T':errs.append(_('You cannot enter a trial license id here'))if len(errs) > 0:msg = _('Invalid license id: %s. Please check and correct it. Errors found were:\n\n%s') % (id, '\n'.join(errs))buttons = [dialogs.CButtonSpec(_('_OK'), None, wgtk.STOCK_OK)]dlg = messages.CMessageDialog(self.fSingletons, _('Invalid License ID'), msg, [], buttons)dlg.RunAsModal(self)return True
右键点击ValidateAndNormalizeLicenseID,选Go to Definition,到
代码:
def ValidateAndNormalizeLicenseID(id):errs, id2 = __ValidateAndNormalize(id)if len(id2) > 0 and id2[0] not in kLicenseUseCodes:errs.append(_('Invalid first character: Should be one of %s') % str(kLicenseUseCodes))if len(id2) > 1 and id2[1] != kLicenseProdCode:cur_product = 'Wing IDE %s' % config.kProductlic_product = kLicenseProdForCode.get(id2[1], None)if lic_product is None:lic_product = _('an unknown product')else:lic_product = 'Wing IDE %s' % config.k_ProductNames[lic_product]errs.append(_('Your license is for %s, but you are currently running %s. Please download the correct product from http://wingware.com/downloads or upgrade your license at https://wingware.com/store/upgrade') % (lic_product, cur_product))if len(errs) > 0:check_code = id.strip().upper().replace('-', '')if len(check_code) == 16:looks_like_11 = Truefor c in check_code:if c not in '0123456789ABCDEF':looks_like_11 = Falseif looks_like_11:errs = [_('You cannot activate using a Wing IDE 1.1 license: Please use a trial license or upgrade your license at http://wingware.com/store/upgrade')]if len(errs) > 0:return (errs, None)else:return ([], id2)
我们首先看看__ValidateAndNormalize在干些啥,转到定义,
代码:
def __ValidateAndNormalize(code):"""Remove hyphens and extra space/chars in a license id or activationrequest, and validate it as within the realm of possibility. Returnserrs, value."""errs = []code = code.strip().upper()code2 = ''badchars = ''for c in code:if c in ('-', ' ', '\t'):passelif c not in textutils.BASE30:code2 += cif badchars.find(c) == -1:badchars += celse:code2 += cif len(badchars) > 0:errs.append(_('Contains invalid characters: %s') % badchars)if len(code2) != 20:errs.append(_('Wrong length (should contain 20 non-hyphen characters)'))if len(errs) > 0:return (errs, code2)else:return ([], AddHyphens(code2))
程序定义的BASE30 = '123456789ABCDEFGHJKLMNPQRTVWXY',
这个定义是在C:\crack\src\wingutils\ textutils.py中。
现在返回ValidateAndNormalizeLicenseID函数,从第二行知道License ID的首字符必须是
kLicenseUseCodes中的一个kLicenseUseCodes = ['T', 'N', 'E', 'C', '1', '3', '6'],前面说过,’T’表示trial license
第四行告诉我们,License ID的第二个字符必须是kLicenseProdCode中的一个
这个kLicenseProdCode定义如下
代码:
kLicenseProdCodes = {config.kProd101: '1',config.kProdPersonal: 'L',config.kProdProfessional: 'N',config.kProdEnterprise: 'E'}
kLicenseProdCode = kLicenseProdCodes[config.kProductCode]
好了,总结一下:
License ID 必须有20个字符且每个字符必须是'123456789ABCDEFGHJKLMNPQRTVWXY'中的;
字符必须首字母必须是['T', 'N', 'E', 'C', '1', '3', '6']中的一个,但是我们不会用’T’;
第二个字符必须是['1','L','N','E']中的一个 。
那现在随便搞个”CN123-12345-12345-12345”输入:
Continue,哈,出来了这个,选择输入激活码
先不管,直接Continue,看看啥反应
哦,又是需要20个字符,并且必须是”AXX”开头,好吧,好戏要上场了。
5. 找Activation Code
还是在c:\crack\src\process\wingctl.py查找字符串” Invalid activation key”,来到这:
代码:
def __PageTwoContinue(self):if self.__fRadioDirect.get_active():self.__StartActivation()return Trueif self.__fRadioManual.get_active():act = self.__fManualEntry.get_text()errs, act = abstract.ValidateAndNormalizeActivation(act)if len(errs) > 0:title = _('Invalid License ID')msg = _('Invalid activation key: %s. Please check and correct it. Errors found were:\n\n%s') % (self.__fManualEntry.get_text(), '\n'.join(errs))self.__ErrorDlg(title, msg)return Trueactbase = os.path.normpath(fileutils.join(config.kUserWingDir, 'license.pending'))
代码:
def ValidateAndNormalizeActivation(id):errs, id2 = __ValidateAndNormalize(id)if id2[:3] != kActivationPrefix:errs.append(_("Invalid prefix: Should be '%s'") % kActivationPrefix)if len(errs) > 0:return (errs, None)else:return ([], id2)
激活码前三个字符必须是kActivationPrefix ,这个kActivationPrefix = 'AXX'。
好了,我们随便输个”AXX23-12345-12345-12345”,这个当然是错误的。
在c:\crack\src\process\wingctl.py查找字符串” Invalid activation key”的下一处出现的地方,来到:
代码:
self.fLicense['activation'] = acterr, info = self.fLicMgr._ValidateLicenseDict(self.fLicense, None)if err != abstract.kLicenseOK:msg = _('Invalid activation key: %s. Please check and correct it.') % self.__fManualEntry.get_text()errs.append('Current activation -- failed:')errs.extend([ ' ' + t for t in self.fLicMgr._StatusToErrString((err, info)) ])if len(errs) > 0:msg += _(' Validation errors were:\n\n%s') % '\n'.join(errs)title = _('Invalid License ID')
我们先看看self.fLicMgr是个啥东西,转到定义:
代码:
class CObtainLicenseDialog(dialogs.CGenericDialog):"""Dialog used to obtain a new license"""kCharWidth = 60def __init__(self, singletons, lic = None):self.fSingletons = singletonsself.fLicMgr = singletons.fLicMgrself.fLicense = lic
代码:
def _ObtainLicense(self):"""Prompt user to obtain a license, or quit if they don't get one"""if self._fPromptForSaveDialog or not wgtk.kQt and wgtk.gdk.pointer_is_grabbed():returnif self.__fObtainLicenseDialog is not None:self.__fObtainLicenseDialog.Show()returnself.__fObtainLicenseDialog = CObtainLicenseDialog(self.fSingletons)
初始化CObtainLicenseDialog的参数是类CWingLicenseManager的成员,转到定义
代码:
class CWingLicenseManager(abstract.CLicenseManager):""" Specialization of the generic license manager for use in Wing IDE """def __init__(self, singletons):""" Constructor """abstract.CLicenseManager.__init__(self)self.fSingletons = singletonsself._fExpiringLicenseCheck = Falseself.__fObtainLicenseDialog = Noneself._fPromptForSaveDialog = False
代码:
def CreateLicMgr(self):""" Create license manager. Mucking with this code is a violation ofyour software license and a generally sleazy thing to do to a bunch ofguys trying to make a living by creating some decent tools for you. Soplease don't do it. """ lic_mgr = process.wingctl.CWingLicenseManager(self)self.fLicMgr = lic_mgrself.emit('changed', self)
那么看看CWingLicenseManager的基类是啥?是abstract.py文件中的CLicenseManager,
这个类中有_ValidateLicenseDict()函数的定义。好了,转到这个函数去看看:
代码:
def _ValidateLicenseDict(self, lic, filename):""" Check license for internal integrity and expiration """lic['daysleft'] = _('expired')for key in kRequiredLicenseFields:if not lic.has_key(key):return (kLicenseCorrupt, _('Missing a required line %s') % key)err, msg = self._ValidatePlatform(lic['license'], lic['os'])if err != None:return (err, msg)err, msg = self._ValidateProduct(lic['product'])if err != None:return (err, msg)err, msg = self._ValidateVersion(lic['version'])if err != None:return (err, msg)try:lichash = CreateActivationRequest(lic)act30 = lic['activation']if lichash[2] not in 'X34':hasher = sha.new()hasher.update(lichash)hasher.update(lic['license'])digest = hasher.hexdigest().upper()lichash = lichash[:3] + textutils.SHAToBase30(digest)errs, lichash = ValidateAndNormalizeRequest(lichash)act = act30.replace('-', '')[3:]hexact = textutils.BaseConvert(act, textutils.BASE30, textutils.BASE16)while len(hexact) < 20:hexact = '0' + hexactconfig._locale_valid = 0valid = control.validate(lichash, lic['os'], lic['version'][:lic['version'].find('.')], hexact)valid = config._locale_validexcept:valid = 0if not valid:return (kLicenseCorrupt, _('Invalid license activation'))daysleft = self._GetTermDaysLeft(lic)if daysleft == -1:lic['daysleft'] = _('unlimited')else:if daysleft == -2:return (kLicenseCorrupt, _('Invalid date or termdays in file'))if daysleft == 0:return (kLicenseExpired, None)if daysleft > 12 and lic['license'][0] == 'T':return (kLicenseCorrupt, _('Invalid date or termdays in file'))if daysleft > 190 and lic['license'][0] != 'T':return (kLicenseCorrupt, _('Invalid date or termdays in file'))lic['daysleft'] = str(daysleft) + _(' days left')errs = hostinfo.IDMatch(lic['hostinfo'])if len(errs) > 0:return (kLicenseHostMismatch, None)if filename is not None:err, info = self.__CheckUserCount(lic, filename)else:err = kLicenseOKinfo = []return (err, info)
将lichash的前三个字符附加在前面的到新的lichash。
最初的lichash是CreateActivationRequest得到的,
这其实就是在要我们输入激活码那个对话框中显示的Request Code=’ RW518-Q2NNM-13PRE-JQ3JR’。
lic[‘license’]其实就是输入的License ID。
通过看ValidateAndNormalizeRequest的代码,可知lichash的前三个字符分别是:
’R’代表这个是Request code;’W’表示是Windows;’5’表示是5.*版本。
关键就在这句
代码:
valid = control.validate(lichash, lic['os'], lic['version'][:lic['version'].find('.')], hexact)
代码:
if sys.platform[:5] in ('win32', 'darwi') or sys.platform[:5] == 'linux' and os.uname()[4] not in ('ppc', 'ppc64', 'arm7l'):import ctlutil as control
else:try:import pycontrolcontrol = pycontrolexcept ImportError:dirname = os.path.dirname(__file__).replace('.zip', '')control = LoadFromDat(fileutils.join(dirname, 'pycontrol.dat'), 'pycontrol')
反编译后的哑名函数不多,就5个,挨个看。看到sub_10001410这函数的时候,猛然发现有个”_locale_valid”
代码:
.text:10001410 sub_10001410 proc near ; DATA XREF: .data:100030A8o
.text:10001410
.text:10001410 var_110 = dword ptr -110h
.text:10001410 var_10C = dword ptr -10Ch
.text:10001410 var_108 = dword ptr -108h
.text:10001410 var_104 = dword ptr -104h
.text:10001410 var_100 = byte ptr -100h
.text:10001410 arg_4 = dword ptr 8
.text:10001410
.text:10001410 sub esp, 110h
.text:10001416 cmp dword_100030E0, 0
.text:1000141D jnz short loc_10001432
.text:1000141F push offset aConfig ; "config"
.text:10001424 call ds:PyImport_ImportModule
.text:1000142A add esp, 4
.text:1000142D mov dword_100030E0, eax
.text:10001432
.text:10001432 loc_10001432: ; CODE XREF: sub_10001410+Dj
.text:10001432 push esi
.text:10001433 mov esi, ds:PyInt_FromLong
.text:10001439 push edi
.text:1000143A push 0
.text:1000143C call esi ; PyInt_FromLong
.text:1000143E mov edi, ds:PyObject_SetAttrString
.text:10001444 push eax
.text:10001445 mov eax, dword_100030E0
.text:1000144A push offset a_locale_valid ; "_locale_valid"
.text:1000144F push eax
.text:10001450 call edi ; PyObject_SetAttrString
.text:10001452 lea ecx, [esp+128h+var_108]
代码:
.text:10001489 mov ecx, [esp+118h+var_10C]
.text:1000148D lea eax, [esp+118h+var_100]
.text:10001491 push eax ; char *
.text:10001492 mov eax, [esp+11Ch+var_104]
.text:10001496 push ecx ; int
.text:10001497 mov ecx, [esp+120h+var_110]
.text:1000149B call sub_10001020 ; 计算真正的activation key
.text:100014A0 add esp, 8
.text:100014A3 test eax, eax
.text:100014A5 jnz short loc_100014FC
.text:100014A7 mov edx, [esp+118h+var_108] ; 得到输入的activation key的地址
.text:100014AB lea ecx, [esp+118h+var_100] ; 得到计算的Activation Key的地址
.text:100014AF nop
.text:100014B0
.text:100014B0 loc_100014B0: ; CODE XREF: sub_10001410+BAj
.text:100014B0 mov al, [ecx]
.text:100014B2 cmp al, [edx] ; 我的妈呀,明文比较呀,这是要发啊~~~
.text:100014B4 jnz short loc_100014D0
.text:100014B6 test al, al
.text:100014B8 jz short loc_100014CC
.text:100014BA mov al, [ecx+1]
.text:100014BD cmp al, [edx+1]
.text:100014C0 jnz short loc_100014D0
.text:100014C2 add ecx, 2
.text:100014C5 add edx, 2
.text:100014C8 test al, al
.text:100014CA jnz short loc_100014B0
输入假的激活码” AXX23-12345-12345-12345”。F8单步过lea ecx,[esp+118h+var_100],
内存窗口里转到ecx的地址,得到的是:
“55DF6297CE47296C1916”,这是真正的激活码的sha值,现在要做的就是把这sha转换到BASE30,
然后前面附加”AXX”就行了。新建一个py文件,转换代码如下:
代码:
realcode='55DF6297CE47296C1916' act30=BaseConvert(realcode,BASE16,BASE30) while len(act30) < 17:act30 = '1' + act30
act30=”1X8TBXQFVWRYLBDKB”
所以激活码是AXX1X8TBXQFVWRYLBDKB
6.注册机的制作
进入sub_10001020,算法非常简单,不多说了,直接上注册机
CalcActivationCode.rar .
注册机是个python源代码文件,没有使用任何附加库,直接可以跑
使用时,编辑下RequestCode就行了
看下效果吧
