AA制费用分摊 1.21 simple MD5 algorithm analysis (super simple!)
【Title】AA制费用分摊 1.21 simple MD5 algorithm analysis (super simple!)【Author】playboyjin[火鸟]
【Author's e-mail】[email protected]
【Author's homepage】http://group301.ttsite.com
【Tools】PEID OD
【Platform】WINXP
【Software name】AA制费用分摊 1.21
【Software size】244K
【Original download】http://www.newhua.com/soft/49919.htm
【Protection】No packer
【Software description】AA制费用分摊 is a portable ("green") application, mainly used to split expenses after group activities. It includes bookkeeping, settings, expense queries and similar functions.
【Disclaimer】I am a genuine newbie just starting to learn cracking; this is for study and exchange only, with no other purpose.
------------------------------------------------------------------------
【Process】1. The packer check shows Microsoft Visual C++ 6.0, heh~~
Searching for strings easily brings you to the following:
004081E0 .6A FF PUSH -1
004081E2 .68 49F94100 PUSH FeeAVG.0041F949 ;SE handler installation
004081E7 .64:A1 0000000>MOV EAX,DWORD PTR FS:
004081ED .50 PUSH EAX
004081EE .64:8925 00000>MOV DWORD PTR FS:,ESP
004081F5 .81EC E8000000 SUB ESP,0E8
004081FB .53 PUSH EBX
004081FC .55 PUSH EBP
004081FD .8BE9 MOV EBP,ECX
004081FF .56 PUSH ESI
00408200 .57 PUSH EDI
00408201 .8D4C24 14 LEA ECX,DWORD PTR SS:
00408205 .E8 56590100 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040820A .8D4C24 10 LEA ECX,DWORD PTR SS:
0040820E .C78424 000100>MOV DWORD PTR SS:,0
00408219 .E8 42590100 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040821E .8D4424 14 LEA EAX,DWORD PTR SS:
00408222 .8BCD MOV ECX,EBP
00408224 .50 PUSH EAX
00408225 .68 0C040000 PUSH 40C
0040822A .C68424 080100>MOV BYTE PTR SS:,1
00408232 .E8 0B5C0100 CALL <JMP.&MFC42.#3097_?GetDlgItemTextA@>
00408237 .8D4C24 10 LEA ECX,DWORD PTR SS: ;get the machine code 3CB84E02
0040823B .51 PUSH ECX
0040823C .68 10040000 PUSH 410
00408241 .8BCD MOV ECX,EBP
00408243 .E8 FA5B0100 CALL <JMP.&MFC42.#3097_?GetDlgItemTextA@>;get the fake (entered) code
00408248 .B9 10000000 MOV ECX,10
0040824D .33C0 XOR EAX,EAX
0040824F .8D7C24 31 LEA EDI,DWORD PTR SS:
00408253 .C64424 30 00MOV BYTE PTR SS:,0
00408258 .F3:AB REP STOS DWORD PTR ES:
0040825A .8D4C24 28 LEA ECX,DWORD PTR SS:
0040825E .8DB5 90000000 LEA ESI,DWORD PTR SS:
00408264 .E8 F7580100 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
00408269 .8D4C24 1C LEA ECX,DWORD PTR SS:
0040826D .C68424 000100>MOV BYTE PTR SS:,2
00408275 .E8 E6580100 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040827A .8D5424 14 LEA EDX,DWORD PTR SS:
0040827E .8D4424 20 LEA EAX,DWORD PTR SS:
00408282 .52 PUSH EDX
00408283 .B3 03 MOV BL,3
00408285 .68 24A74200 PUSH FeeAVG.0042A724 ;good
0040828A .50 PUSH EAX
0040828B .889C24 0C0100>MOV BYTE PTR SS:,BL
00408292 .E8 7D590100 CALL <JMP.&MFC42.#926_??H@YG?AVCString@@>
00408297 .68 1CA74200 PUSH FeeAVG.0042A71C ;8866
0040829C .8D4C24 1C LEA ECX,DWORD PTR SS:
004082A0 .50 PUSH EAX
004082A1 .51 PUSH ECX
004082A2 .C68424 0C0100>MOV BYTE PTR SS:,4
004082AA .E8 4D590100 CALL <JMP.&MFC42.#924_??H@YG?AVCString@@>
004082AF .50 PUSH EAX
004082B0 .8D4C24 2C LEA ECX,DWORD PTR SS:
004082B4 .C68424 040100>MOV BYTE PTR SS:,5
004082BC .E8 05590100 CALL <JMP.&MFC42.#858_??4CString@@QAEABV>
004082C1 .8D4C24 18 LEA ECX,DWORD PTR SS:
004082C5 .C68424 000100>MOV BYTE PTR SS:,4
004082CD .E8 64580100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004082D2 .8D4C24 20 LEA ECX,DWORD PTR SS:
004082D6 .889C24 000100>MOV BYTE PTR SS:,BL
004082DD .E8 54580100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004082E2 .8B16 MOV EDX,DWORD PTR DS:
004082E4 .8BCE MOV ECX,ESI
004082E6 .FF52 0C CALL DWORD PTR DS:
004082E9 .8B4424 28 MOV EAX,DWORD PTR SS: ;machine code concatenated with the strings above: GooD+3CB84E02+8866
004082ED .8B16 MOV EDX,DWORD PTR DS:
004082EF .8B48 F8 MOV ECX,DWORD PTR DS:
004082F2 .51 PUSH ECX
004082F3 .50 PUSH EAX ;push the string above onto the stack, ready for the computation that follows~~
004082F4 .8BCE MOV ECX,ESI
004082F6 .FF52 04 CALL DWORD PTR DS:
004082F9 .8B06 MOV EAX,DWORD PTR DS:
004082FB .8D4C24 30 LEA ECX,DWORD PTR SS:
004082FF .51 PUSH ECX
00408300 .8BCE MOV ECX,ESI
00408302 .FF50 08 CALL DWORD PTR DS:
00408305 .C64424 74 00MOV BYTE PTR SS:,0
0040830A .B9 20000000 MOV ECX,20
0040830F .33C0 XOR EAX,EAX
00408311 .8D7C24 75 LEA EDI,DWORD PTR SS:
00408315 .8D5424 74 LEA EDX,DWORD PTR SS:
00408319 .F3:AB REP STOS DWORD PTR ES:
0040831B .52 PUSH EDX
0040831C .8D4424 34 LEA EAX,DWORD PTR SS:
00408320 .6A 10 PUSH 10
00408322 .50 PUSH EAX
00408323 .E8 48FEFFFF CALL FeeAVG.00408170 ;algorithm CALL, press F7 to step in
00408328 .8B5424 1C MOV EDX,DWORD PTR SS: ;fake code
0040832C .8D8C24 800000>LEA ECX,DWORD PTR SS: ;real code
00408333 .51 PUSH ECX ; /s2
00408334 .52 PUSH EDX ; |s1
00408335 .FF15 E4264200 CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; \_mbscmp
0040833B .83C4 14 ADD ESP,14
0040833E .85C0 TEST EAX,EAX
00408340 0F85 02010000 JNZ FeeAVG.00408448 ;key jump, patch point
00408346 .8D4424 14 LEA EAX,DWORD PTR SS:
0040834A .8D4C24 24 LEA ECX,DWORD PTR SS:
0040834E .50 PUSH EAX
0040834F .68 00A74200 PUSH FeeAVG.0042A700 ;update regsoft set rname ='
00408354 .51 PUSH ECX
00408355 .E8 BA580100 CALL <JMP.&MFC42.#926_??H@YG?AVCString@@>
0040835A .68 F4A64200 PUSH FeeAVG.0042A6F4 ;', rpwd='
0040835F .8D5424 30 LEA EDX,DWORD PTR SS:
00408363 .50 PUSH EAX
00408364 .52 PUSH EDX
00408365 .C68424 0C0100>MOV BYTE PTR SS:,6
0040836D .E8 8A580100 CALL <JMP.&MFC42.#924_??H@YG?AVCString@@>
00408372 .8D4C24 10 LEA ECX,DWORD PTR SS:
00408376 .8D5424 18 LEA EDX,DWORD PTR SS:
0040837A .51 PUSH ECX
0040837B .50 PUSH EAX
0040837C .52 PUSH EDX
0040837D .C68424 0C0100>MOV BYTE PTR SS:,7
00408385 .E8 6C580100 CALL <JMP.&MFC42.#922_??H@YG?AVCString@@>
0040838A .68 E4A64200 PUSH FeeAVG.0042A6E4 ;'where id =1
0040838F .50 PUSH EAX
00408390 .8D4424 28 LEA EAX,DWORD PTR SS:
00408394 .C68424 080100>MOV BYTE PTR SS:,8
0040839C .50 PUSH EAX
0040839D .E8 5A580100 CALL <JMP.&MFC42.#924_??H@YG?AVCString@@>
004083A2 .50 PUSH EAX
004083A3 .8D4C24 20 LEA ECX,DWORD PTR SS:
004083A7 .C68424 040100>MOV BYTE PTR SS:,9
004083AF .E8 12580100 CALL <JMP.&MFC42.#858_??4CString@@QAEABV>
004083B4 .8D4C24 20 LEA ECX,DWORD PTR SS:
004083B8 .C68424 000100>MOV BYTE PTR SS:,8
004083C0 .E8 71570100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004083C5 .8D4C24 18 LEA ECX,DWORD PTR SS:
004083C9 .C68424 000100>MOV BYTE PTR SS:,7
004083D1 .E8 60570100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004083D6 .8D4C24 2C LEA ECX,DWORD PTR SS:
004083DA .C68424 000100>MOV BYTE PTR SS:,6
004083E2 .E8 4F570100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004083E7 .8D4C24 24 LEA ECX,DWORD PTR SS:
004083EB .889C24 000100>MOV BYTE PTR SS:,BL
004083F2 .E8 3F570100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004083F7 .6A 01 PUSH 1
004083F9 .6A 00 PUSH 0
004083FB .8D4C24 24 LEA ECX,DWORD PTR SS:
004083FF .E8 FCA5FFFF CALL FeeAVG.00402A00
00408404 .51 PUSH ECX
00408405 .8BCC MOV ECX,ESP
00408407 .896424 38 MOV DWORD PTR SS:,ESP
0040840B .50 PUSH EAX
0040840C .E8 CFC3FFFF CALL FeeAVG.004047E0
00408411 .8D4C24 30 LEA ECX,DWORD PTR SS:
00408415 .889C24 0C0100>MOV BYTE PTR SS:,BL
0040841C .51 PUSH ECX
0040841D .8D8D F0000000 LEA ECX,DWORD PTR SS:
00408423 .E8 E8C2FFFF CALL FeeAVG.00404710
00408428 .8BC8 MOV ECX,EAX
0040842A .E8 A1C6FFFF CALL FeeAVG.00404AD0
0040842F .8B4424 24 MOV EAX,DWORD PTR SS:
00408433 .85C0 TEST EAX,EAX
00408435 .74 06 JE SHORT FeeAVG.0040843D
00408437 .8B10 MOV EDX,DWORD PTR DS:
00408439 .50 PUSH EAX
0040843A .FF52 08 CALL DWORD PTR DS:
0040843D >6A 00 PUSH 0
0040843F .6A 00 PUSH 0
00408441 .68 C4A64200 PUSH FeeAVG.0042A6C4 ;谢谢您的使用,你的软件已注册! (Thank you for using it, your software is registered!)
00408446 .EB 09 JMP SHORT FeeAVG.00408451
00408448 >6A 00 PUSH 0
0040844A .6A 00 PUSH 0
0040844C .68 ACA64200 PUSH FeeAVG.0042A6AC ;注册码错误,请重新注册! (Registration code is wrong, please register again!)
00408451 >E8 AC570100 CALL <JMP.&MFC42.#1200_?AfxMessageBox@@Y>
00408456 .8D4C24 1C LEA ECX,DWORD PTR SS:
0040845A .C68424 000100>MOV BYTE PTR SS:,2
00408462 .E8 CF560100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00408467 .8D4C24 28 LEA ECX,DWORD PTR SS:
0040846B .C68424 000100>MOV BYTE PTR SS:,1
00408473 .E8 BE560100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
----------------------------------------------------------------------
Algorithm CALL:
------------------------------------
00408170/$8B4424 08 MOV EAX,DWORD PTR SS:
00408174|.53 PUSH EBX
00408175|.8B5C24 08 MOV EBX,DWORD PTR SS:
00408179|.55 PUSH EBP
0040817A|.8B6C24 14 MOV EBP,DWORD PTR SS:
0040817E|.85C0 TEST EAX,EAX
00408180|.C645 00 00 MOV BYTE PTR SS:,0
00408184|.7E 4D JLE SHORT FeeAVG.004081D3
00408186|.56 PUSH ESI
00408187|.57 PUSH EDI
00408188|.894424 1C MOV DWORD PTR SS:,EAX
0040818C|>8A0B /MOV CL,BYTE PTR DS:
0040818E|.8D4424 14 |LEA EAX,DWORD PTR SS: //loop
00408192|.50 |PUSH EAX
00408193|.51 |PUSH ECX
00408194|.E8 A7FFFFFF |CALL FeeAVG.00408140 ;MD5 result converted to uppercase
00408199|.8D7C24 1C |LEA EDI,DWORD PTR SS:
0040819D|.83C9 FF |OR ECX,FFFFFFFF
004081A0|.33C0 |XOR EAX,EAX
004081A2|.83C4 08 |ADD ESP,8
004081A5|.F2:AE |REPNE SCAS BYTE PTR ES:
004081A7|.F7D1 |NOT ECX
004081A9|.2BF9 |SUB EDI,ECX
004081AB|.8BF7 |MOV ESI,EDI
004081AD|.8BD1 |MOV EDX,ECX
004081AF|.8BFD |MOV EDI,EBP
004081B1|.83C9 FF |OR ECX,FFFFFFFF
004081B4|.F2:AE |REPNE SCAS BYTE PTR ES:
004081B6|.8BCA |MOV ECX,EDX
004081B8|.4F |DEC EDI
004081B9|.C1E9 02 |SHR ECX,2
004081BC|.F3:A5 |REP MOVS DWORD PTR ES:,DWORD PTR D>
004081BE|.8B4424 1C |MOV EAX,DWORD PTR SS:
004081C2|.8BCA |MOV ECX,EDX
004081C4|.83E1 03 |AND ECX,3
004081C7|.43 |INC EBX
004081C8|.48 |DEC EAX
004081C9|.F3:A4 |REP MOVS BYTE PTR ES:,BYTE PTR DS:>
004081CB|.894424 1C |MOV DWORD PTR SS:,EAX
004081CF|.^ 75 BB \JNZ SHORT FeeAVG.0040818C
004081D1|.5F POP EDI
004081D2|.5E POP ESI
004081D3|>5D POP EBP
004081D4|.5B POP EBX
004081D5\.C3 RETN
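As an added example (not the program's own code and not from the post's author), the following C reconstruction of the loop at 00408170 shows what the REPNE SCAS / REP MOVS sequence and the call at 00408140 amount to: each digest byte is rendered as two uppercase hex characters and appended to the output buffer. The digest bytes below are a constructed sample, not a real MD5 of the machine code shown in the listing.

```c
#include <stdio.h>
#include <string.h>

/* Reconstruction of the routine at 00408170: walk `len` digest bytes, render
 * each as two uppercase hex characters (what the call at 00408140 does) and
 * append the pair to `out` the way the REPNE SCAS (strlen) / REP MOVS (strcpy)
 * sequence does. `out` needs room for 2*len + 1 bytes and is cleared first,
 * matching MOV BYTE PTR [EBP],0. Returns `out`. */
char *digest_to_upper_hex(const unsigned char *digest, int len, char *out)
{
    out[0] = '\0';                          /* MOV BYTE PTR SS:[EBP],0 */
    if (len <= 0)                           /* TEST EAX,EAX / JLE */
        return out;
    for (int i = 0; i < len; i++) {         /* loop body 0040818C..004081CF */
        char pair[3];
        sprintf(pair, "%02X", digest[i]);   /* CALL 00408140: byte -> "XX" */
        strcpy(out + strlen(out), pair);    /* REPNE SCAS + REP MOVS */
    }
    return out;
}

/* Constructed 16-byte sample standing in for an MD5 digest (assumption). */
static const unsigned char sample_digest[16] = {
    0x00, 0x1f, 0xab, 0xff, 0x10, 0x2e, 0xc3, 0x7d,
    0x80, 0x9a, 0x05, 0x4b, 0xde, 0x61, 0xf2, 0x0c
};

int main(void)
{
    char code[33];
    /* The caller at 00408335 then compares this against the entered code with
     * _mbscmp, which is case-sensitive, so a lowercase hex string never matches. */
    puts(digest_to_upper_hex(sample_digest, 16, code));
    return 0;
}
```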
------------------------------------------------------------------------
【Summary】This software is well suited to people just starting with algorithm analysis (like me): the registration code is simply the result of an MD5 computation, nothing more. The algorithm is very simple, and the software has no restart verification either~~
Experts, please don't laugh at me, this is my level~~^_^ Consider it a reference for algorithm beginners...
------------------------------------------------------------------------
【Copyright】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thank you! Heaven rewards diligence!
Not bad, not bad.
A very good cryptographic algorithm write-up; marked as featured to encourage.
Is "good" uppercase or lowercase?
That wasn't expressed clearly.
Learning from the OP!!!!
00408194|.E8 A7FFFFFF |CALL FeeAVG.00408140 ;MD5 result converted to uppercase
How do you know that the line above is "MD5 result converted to uppercase"???
MD5 result converted to uppercase
BD60D7B5FBE1252E58A0CAC3DA84727A
How is it converted to uppercase??
[ This post was last edited by qq500com on 2007-3-14 22:10 ] Originally posted by qq500com on 2007-3-14 18:17:
Learning from the OP!!!!
00408194|.E8 A7FFFFFF |CALL FeeAVG.00408140 ;MD5 result converted to uppercase
How do you know that the line above is "MD5 result converted to uppercase"???
It should be "proven by the facts" :lol:
Also, which one is the algorithm CALL?
[ This post was last edited by 极速暴龙 on 2007-3-14 18:51 ] 00408323 .E8 48FEFFFF CALL FeeAVG.00408170 ;algorithm CALL, press F7 to step in
00408328 .8B5424 1C MOV EDX,DWORD PTR SS: ;fake code
0040832C .8D8C24 800000>LEA ECX,DWORD PTR SS: ;real code
00408333 .51 PUSH ECX ; /s2
00408334 .52 PUSH EDX ; |s1
00408335 .FF15 E4264200 CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; \_mbscmp
There are two CALLs above; how do you know it is the first one? Is there some technique you could share? I really want to learn algorithms,
but when I see so much code I just can't tell which the key CALL is.
[ This post was last edited by qq500com on 2007-3-14 21:59 ]
"good" is lowercase in the string; it is converted later, when it is combined with the machine code. As for which one is the algorithm CALL: the best, and also the dumbest, method is to check them one by one :lol: :lol: But once you have done enough analysis you develop a feel for it. :$
Thanks!!!!
Is that how it works????
[ This post was last edited by qq500com on 2007-3-14 22:42 ]
Learning, learning..
MD5 uppercase
MD5 lowercase
Neither registers successfully???