图片吸血鬼 ("Picture Vampire") V1.30 Algorithm Analysis
【Title】图片吸血鬼 V1.30 algorithm analysis 【Author】lzq1973
【Author e-mail】[email protected]
【Author homepage】
【Tools】OD, PEiD, C32Asm
【Platform】WIN98, WIN2000
【Software】图片吸血鬼 V1.30
【Size】1181 KB
【Original download】http://www4.skycn.com/soft/17808.html
【Protection】No packer
【Description】 图片吸血鬼 is shareware that downloads images from websites; it can grab every image on a site. Features: 1. choose the image formats to download (e.g. jpg, gif or swf); 2. set the image size to download yourself; 3. accurate searching that also finds the images on sub-pages.
【Cracker's note】I'm just a little bird; this is purely for study, and I'm happy to share it with everyone!
------------------------------------------------------------------------
【Cracking process】
PEiD identifies it as Borland Delphi 6.0 - 7.0 with no packer. Secretly pleased; half the work is already done. Load it in OD and break here:
004F2F7B .55 push ebp
004F2F7C .68 75304F00 push DOWN.004F3075
004F2F81 .64:FF30 push dword ptr fs:
004F2F84 .64:8920 mov dword ptr fs:,esp
004F2F87 .B2 01 mov dl,1
004F2F89 .A1 A0B94300 mov eax,dword ptr ds:
004F2F8E .E8 0D8BF4FF call DOWN.0043BAA0
004F2F93 .8945 F0 mov dword ptr ss:,eax
004F2F96 .BA 02000080 mov edx,80000002
004F2F9B .8B45 F0 mov eax,dword ptr ss:
004F2F9E .E8 9D8BF4FF call DOWN.0043BB40
004F2FA3 .8D45 EC lea eax,dword ptr ss:
004F2FA6 .BA 48324F00 mov edx,DOWN.004F3248 ;ASCII "Software\zy\Pic" (registry key holding the registration info)
004F2FAB .E8 741BF1FF call DOWN.00404B24
004F2FB0 .B1 01 mov cl,1
004F2FB2 .8B55 EC mov edx,dword ptr ss:
004F2FB5 .8B45 F0 mov eax,dword ptr ss:
004F2FB8 .E8 E78BF4FF call DOWN.0043BBA4
004F2FBD .84C0 test al,al
004F2FBF .0F84 92000000je DOWN.004F3057
004F2FC5 .8D4D C0 lea ecx,dword ptr ss:
004F2FC8 .BA 60324F00 mov edx,DOWN.004F3260 ;ASCII "Name"
004F2FCD .8B45 F0 mov eax,dword ptr ss:
004F2FD0 .E8 978DF4FF call DOWN.0043BD6C
004F2FD5 .8B55 C0 mov edx,dword ptr ss: ;user name
004F2FD8 .8B45 FC mov eax,dword ptr ss:
004F2FDB .05 F4030000 add eax,3F4
004F2FE0 .E8 FB1AF1FF call DOWN.00404AE0
004F2FE5 .8D4D BC lea ecx,dword ptr ss:
004F2FE8 .BA 70324F00 mov edx,DOWN.004F3270 ;ASCII "Pass"
004F2FED .8B45 F0 mov eax,dword ptr ss:
004F2FF0 .E8 778DF4FF call DOWN.0043BD6C
004F2FF5 .8B55 BC mov edx,dword ptr ss: ;entered (fake) code
004F2FF8 .8B45 FC mov eax,dword ptr ss:
004F2FFB .05 F8030000 add eax,3F8
004F3000 .E8 DB1AF1FF call DOWN.00404AE0
004F3005 .33C0 xor eax,eax
004F3007 .55 push ebp
004F3008 .68 2E304F00 push DOWN.004F302E
004F300D .64:FF30 push dword ptr fs:
004F3010 .64:8920 mov dword ptr fs:,esp
004F3013 .BA 80324F00 mov edx,DOWN.004F3280 ;ASCII "Date"
004F3018 .8B45 F0 mov eax,dword ptr ss:
004F301B .E8 348EF4FF call DOWN.0043BE54
004F3020 .DD5D E0 fstp qword ptr ss:
004F3023 .9B wait
004F3024 .33C0 xor eax,eax
004F3026 .5A pop edx
004F3027 .59 pop ecx
004F3028 .59 pop ecx
004F3029 .64:8910 mov dword ptr fs:,edx
004F302C .EB 29 jmp short DOWN.004F3057
004F302E .^ E9 2511F1FF jmp DOWN.00404158
004F3033 .FF75 DC push dword ptr ss: ; /Arg2
004F3036 .FF75 D8 push dword ptr ss: ; |Arg1
004F3039 .BA 80324F00 mov edx,DOWN.004F3280 ; |ASCII "Date"
004F303E .8B45 F0 mov eax,dword ptr ss: ; |
004F3041 .E8 FA8DF4FF call DOWN.0043BE40 ; \DOWN.0043BE40
004F3046 .8B45 D8 mov eax,dword ptr ss:
004F3049 .8945 E0 mov dword ptr ss:,eax
004F304C .8B45 DC mov eax,dword ptr ss:
004F304F .8945 E4 mov dword ptr ss:,eax
004F3052 .E8 6914F1FF call DOWN.004044C0
004F3057 >8B45 F0 mov eax,dword ptr ss:
004F305A .E8 B18AF4FF call DOWN.0043BB10
004F305F .33C0 xor eax,eax
004F3061 .5A pop edx
004F3062 .59 pop ecx
004F3063 .59 pop ecx
004F3064 .64:8910 mov dword ptr fs:,edx
004F3067 .68 7C304F00 push DOWN.004F307C
004F306C >8B45 F0 mov eax,dword ptr ss:
004F306F .E8 040CF1FF call DOWN.00403C78
004F3074 .C3 retn
004F3075 .^ E9 9213F1FF jmp DOWN.0040440C
004F307A .^ EB F0 jmp short DOWN.004F306C
004F307C .8D4D B8 lea ecx,dword ptr ss:
004F307F .8B45 FC mov eax,dword ptr ss:
004F3082 .8B90 F4030000mov edx,dword ptr ds: ;user name
004F3088 .A1 DC864F00 mov eax,dword ptr ds:
004F308D .8B00 mov eax,dword ptr ds:
004F308F .E8 4CDEFFFF call DOWN.004F0EE0 ;registration algorithm
004F3094 .8B55 B8 mov edx,dword ptr ss: ;real registration code (ASCII "Pic4-3373ei8es-9313")
004F3097 .8B45 FC mov eax,dword ptr ss:
004F309A .8B80 F8030000mov eax,dword ptr ds: ;entered (fake) code
004F30A0 .E8 F31DF1FF call DOWN.00404E98
004F30A5 .75 25 jnz short DOWN.004F30CC
004F30A7 .8B45 FC mov eax,dword ptr ss:
004F30AA .C680 EC030000 >mov byte ptr ds:,0
004F30B1 .8B55 F4 mov edx,dword ptr ss:
004F30B4 .8B45 FC mov eax,dword ptr ss:
004F30B7 .E8 2064F7FF call DOWN.004694DC
004F30BC .8B45 FC mov eax,dword ptr ss:
004F30BF .8B80 68030000mov eax,dword ptr ds:
004F30C5 .33D2 xor edx,edx
004F30C7 .E8 F886F8FF call DOWN.0047B7C4
004F30CC >8B45 FC mov eax,dword ptr ss:
004F30CF .80B8 EC030000 >cmp byte ptr ds:,0
004F30D6 .0F84 BE000000je DOWN.004F319A
004F30DC .DD45 D8 fld qword ptr ss:
004F30DF .DC65 E0 fsub qword ptr ss:
004F30E2 .DD5D D0 fstp qword ptr ss:
004F30E5 .9B wait
004F30E6 .D905 88324F00fld dword ptr ds:
004F30EC .DC65 D0 fsub qword ptr ss:
004F30EF .E8 D0FBF0FF call DOWN.00402CC4
004F30F4 .8BD8 mov ebx,eax
004F30F6 .8B45 FC mov eax,dword ptr ss:
004F30F9 .8998 FC030000mov dword ptr ds:,ebx
004F30FF .85DB test ebx,ebx
004F3101 .7D 0B jge short DOWN.004F310E
004F3103 .8B45 FC mov eax,dword ptr ss:
004F3106 .33D2 xor edx,edx
004F3108 .8990 FC030000mov dword ptr ds:,edx
004F310E >FF75 F4 push dword ptr ss:
004F3111 .68 94324F00 push DOWN.004F3294 ; \-> "(未注册版 还剩" ("(unregistered version, remaining")
004F3116 .8B45 FC mov eax,dword ptr ss:
004F3119 .DB80 FC030000fild dword ptr ds:
004F311F .83C4 F4 add esp,-0C
004F3122 .DB3C24 fstp tbyte ptr ss: ; |
004F3125 .9B wait ; |
004F3126 .8D45 B0 lea eax,dword ptr ss: ; |
004F3129 .E8 E67AF1FF call DOWN.0040AC14 ; \DOWN.0040AC14
004F312E .FF75 B0 push dword ptr ss:
004F3131 .68 B0324F00 push DOWN.004F32B0 ;\-> "天)" ("days)")
004F3136 .8D45 B4 lea eax,dword ptr ss:
004F3139 .BA 04000000 mov edx,4
004F313E .E8 C91CF1FF call DOWN.00404E0C
004F3143 .8B55 B4 mov edx,dword ptr ss:
004F3146 .8B45 FC mov eax,dword ptr ss:
004F3149 .E8 8E63F7FF call DOWN.004694DC
004F314E .DD45 D0 fld qword ptr ss:
004F3151 .D81D 88324F00fcomp dword ptr ds:
004F3157 .DFE0 fstsw ax
004F3159 .9E sahf
At this point the registration code has appeared, but we are not done yet, so let's keep reading!
------------- Follow 004F308F E8 4CDEFFFF call DOWN.004F0EE0 into the routine and arrive here --------------
004F0EE0 /$55 push ebp
004F0EE1 |.8BEC mov ebp,esp
004F0EE3 |.51 push ecx
004F0EE4 |.B9 04000000 mov ecx,4
004F0EE9 |>6A 00 /push 0 ;/4 times (i.e. not empty)
004F0EEB |.6A 00 |push 0 ;|
004F0EED |.49 |dec ecx ;|decrement
004F0EEE |.^ 75 F9 \jnz short DOWN.004F0EE9 ;\loop
004F0EF0 |.51 push ecx
004F0EF1 |.874D FC xchg dword ptr ss:,ecx
004F0EF4 |.53 push ebx
004F0EF5 |.56 push esi
004F0EF6 |.57 push edi
004F0EF7 |.8BF9 mov edi,ecx
004F0EF9 |.8955 FC mov dword ptr ss:,edx ;user name
004F0EFC |.8B45 FC mov eax,dword ptr ss:
004F0EFF |.E8 3840F1FF call DOWN.00404F3C
004F0F04 |.33C0 xor eax,eax
004F0F06 |.55 push ebp
004F0F07 |.68 A1104F00 push DOWN.004F10A1
004F0F0C |.64:FF30 push dword ptr fs:
004F0F0F |.64:8920 mov dword ptr fs:,esp
004F0F12 |.8BC7 mov eax,edi
004F0F14 |.E8 733BF1FF call DOWN.00404A8C
004F0F19 |.8B45 FC mov eax,dword ptr ss:
004F0F1C |.E8 2B3EF1FF call DOWN.00404D4C
004F0F21 |.8BF0 mov esi,eax
004F0F23 |.85F6 test esi,esi
004F0F25 |.7E 26 jle short DOWN.004F0F4D
004F0F27 |.BB 01000000 mov ebx,1
004F0F2C |>8D4D EC /lea ecx,dword ptr ss: ;/convert the user name to hex
004F0F2F |.8B45 FC |mov eax,dword ptr ss: ;|user name
004F0F32 |.0FB64418 FF |movzx eax,byte ptr ds: ;|take one character at a time
004F0F37 |.33D2 |xor edx,edx ;|
004F0F39 |.E8 C285F1FF |call DOWN.00409500 ;|
004F0F3E |.8B55 EC |mov edx,dword ptr ss: ;|convert to hex
004F0F41 |.8D45 F8 |lea eax,dword ptr ss: ;|
004F0F44 |.E8 0B3EF1FF |call DOWN.00404D54 ;|
004F0F49 |.43 |inc ebx ;|
004F0F4A |.4E |dec esi ;|
004F0F4B |.^ 75 DF \jnz short DOWN.004F0F2C ;\loop
004F0F4D |>8B45 F8 mov eax,dword ptr ss: ;converted result (ASCII "6C7A7131393733")
004F0F50 |.E8 F73DF1FF call DOWN.00404D4C
004F0F55 |.8BF0 mov esi,eax
004F0F57 |.85F6 test esi,esi
004F0F59 |.7E 2C jle short DOWN.004F0F87
004F0F5B |.BB 01000000 mov ebx,1
004F0F60 |>8B45 F8 /mov eax,dword ptr ss: ;/reverse the hex-converted user name (ASCII "6C7A7131393733")
004F0F63 |.E8 E43DF1FF |call DOWN.00404D4C ;|
004F0F68 |.2BC3 |sub eax,ebx ;|index of the character to take
004F0F6A |.8B55 F8 |mov edx,dword ptr ss: ;|
004F0F6D |.8A1402 |mov dl,byte ptr ds: ;|
004F0F70 |.8D45 E8 |lea eax,dword ptr ss: ;|
004F0F73 |.E8 FC3CF1FF |call DOWN.00404C74 ;|
004F0F78 |.8B55 E8 |mov edx,dword ptr ss: ;|
004F0F7B |.8D45 F4 |lea eax,dword ptr ss: ;|
004F0F7E |.E8 D13DF1FF |call DOWN.00404D54 ;|
004F0F83 |.43 |inc ebx ;|
004F0F84 |.4E |dec esi ;|
004F0F85 |.^ 75 D9 \jnz short DOWN.004F0F60 ;\loop
004F0F87 |>8D45 F8 lea eax,dword ptr ss:
004F0F8A |.50 push eax
004F0F8B |.B9 04000000 mov ecx,4 ;/take 4 characters
004F0F90 |.BA 01000000 mov edx,1 ;|starting at position 1
004F0F95 |.8B45 F4 mov eax,dword ptr ss: ;\reversed string into EAX, i.e. ASCII "3373931317A7C6"
004F0F98 |.E8 0F40F1FF call DOWN.00404FAC
004F0F9D |.8D45 F4 lea eax,dword ptr ss:
004F0FA0 |.50 push eax
004F0FA1 |.B9 04000000 mov ecx,4 ;/take 4 characters
004F0FA6 |.BA 05000000 mov edx,5 ;|starting at position 5
004F0FAB |.8B45 F4 mov eax,dword ptr ss: ;\reversed string into EAX, i.e. ASCII "3373931317A7C6"
004F0FAE |.E8 F93FF1FF call DOWN.00404FAC
004F0FB3 |.8B45 F8 mov eax,dword ptr ss: ;characters 1~4 (ASCII "3373")
004F0FB6 |.E8 913DF1FF call DOWN.00404D4C
004F0FBB |.83F8 04 cmp eax,4 ;is the length 4?
004F0FBE |.7D 2F jge short DOWN.004F0FEF ;jump if it is 4 (or more)
004F0FC0 |.8B45 F8 mov eax,dword ptr ss:
004F0FC3 |.E8 843DF1FF call DOWN.00404D4C
004F0FC8 |.8BD8 mov ebx,eax
004F0FCA |.83FB 03 cmp ebx,3
004F0FCD |.7F 20 jg short DOWN.004F0FEF
004F0FCF |>8D4D E4 /lea ecx,dword ptr ss:
004F0FD2 |.8BC3 |mov eax,ebx
004F0FD4 |.C1E0 02 |shl eax,2
004F0FD7 |.33D2 |xor edx,edx
004F0FD9 |.E8 2285F1FF |call DOWN.00409500
004F0FDE |.8B55 E4 |mov edx,dword ptr ss:
004F0FE1 |.8D45 F8 |lea eax,dword ptr ss:
004F0FE4 |.E8 6B3DF1FF |call DOWN.00404D54
004F0FE9 |.43 |inc ebx
004F0FEA |.83FB 04 |cmp ebx,4
004F0FED |.^ 75 E0 \jnz short DOWN.004F0FCF
004F0FEF |>8B45 F4 mov eax,dword ptr ss: ;characters 5~8, i.e. ASCII "9313"
004F0FF2 |.E8 553DF1FF call DOWN.00404D4C
004F0FF7 |.83F8 04 cmp eax,4 ;is the length 4?
004F0FFA |.7D 2F jge short DOWN.004F102B ;jump if it is 4 (or more)
004F0FFC |.8B45 F4 mov eax,dword ptr ss:
004F0FFF |.E8 483DF1FF call DOWN.00404D4C
004F1004 |.8BD8 mov ebx,eax
004F1006 |.83FB 03 cmp ebx,3
004F1009 |.7F 20 jg short DOWN.004F102B
004F100B |>8D4D E0 /lea ecx,dword ptr ss:
004F100E |.8BC3 |mov eax,ebx
004F1010 |.C1E0 02 |shl eax,2
004F1013 |.33D2 |xor edx,edx
004F1015 |.E8 E684F1FF |call DOWN.00409500
004F101A |.8B55 E0 |mov edx,dword ptr ss:
004F101D |.8D45 F4 |lea eax,dword ptr ss:
004F1020 |.E8 2F3DF1FF |call DOWN.00404D54
004F1025 |.43 |inc ebx
004F1026 |.83FB 04 |cmp ebx,4
004F1029 |.^ 75 E0 \jnz short DOWN.004F100B
004F102B |>8D45 F0 lea eax,dword ptr ss:
004F102E |.BA B8104F00 mov edx,DOWN.004F10B8 ;constant (ASCII "Pic4ei8espr")
004F1033 |.E8 EC3AF1FF call DOWN.00404B24
004F1038 |.8D45 DC lea eax,dword ptr ss:
004F103B |.50 push eax
004F103C |.B9 04000000 mov ecx,4 ;/take 4 characters
004F1041 |.BA 01000000 mov edx,1 ;|starting at position 1
004F1046 |.8B45 F0 mov eax,dword ptr ss: ;|string to slice (ASCII "Pic4ei8espr")
004F1049 |.E8 5E3FF1FF call DOWN.00404FAC ;|
004F104E |.FF75 DC push dword ptr ss: ;\push (ASCII "Pic4")
004F1051 |.68 CC104F00 push DOWN.004F10CC
004F1056 |.FF75 F8 push dword ptr ss: ;push (ASCII "3373")
004F1059 |.8D45 D8 lea eax,dword ptr ss:
004F105C |.50 push eax
004F105D |.B9 05000000 mov ecx,5 ;/take 5 characters
004F1062 |.BA 05000000 mov edx,5 ;|starting at position 5
004F1067 |.8B45 F0 mov eax,dword ptr ss: ;|string to slice (ASCII "Pic4ei8espr")
004F106A |.E8 3D3FF1FF call DOWN.00404FAC ;|
004F106F |.FF75 D8 push dword ptr ss: ;\push (ASCII "ei8es")
004F1072 |.68 CC104F00 push DOWN.004F10CC
004F1077 |.FF75 F4 push dword ptr ss: ;push (ASCII "9313")
004F107A |.8BC7 mov eax,edi
004F107C |.BA 06000000 mov edx,6
004F1081 |.E8 863DF1FF call DOWN.00404E0C ;concatenate the registration code
004F1086 |.33C0 xor eax,eax ;DOWN.004F1086
004F1088 |.5A pop edx
004F1089 |.59 pop ecx
004F108A |.59 pop ecx
004F108B |.64:8910 mov dword ptr fs:,edx
004F108E |.68 A8104F00 push DOWN.004F10A8
004F1093 |>8D45 D8 lea eax,dword ptr ss:
004F1096 |.BA 0A000000 mov edx,0A
004F109B |.E8 103AF1FF call DOWN.00404AB0
004F10A0 \.C3 retn
004F10A1 .^ E9 6633F1FF jmp DOWN.0040440C
004F10A6 .^ EB EB jmp short DOWN.004F1093
004F10A8 .5F pop edi
004F10A9 .5E pop esi
004F10AA .5B pop ebx
004F10AB .8BE5 mov esp,ebp
004F10AD .5D pop ebp
004F10AE .C3 retn
Let's stop here! That is as far as this little bird can get.
------------------------------------------------------------------------
【Algorithm summary】
The algorithm is actually quite simple: convert the user name (ideally longer than 4 characters; the program calls it the machine code) to hex, then reverse it, and take characters 1~4 (the front half of the middle part of the registration code) and characters 5~8 (the third part of the registration code); then take characters 1~4 of the constant "Pic4ei8espr" (the first part of the registration code) and characters 5~9 (the back half of the middle part); parts 1, 2 and 3 are separated by "-". For example (note the case):
Machine code: lzq1973
Registration code: Pic4-D574ei8es-9505
or
Machine code: lzq1973
Registration code: Pic4-D574ei8es-A534
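As an added example that is not code from the original post, here is the derivation described above written out in Python, reproducing the values the trace shows for lzq1973. Two points are my own reading rather than the author's: names whose reversed hex string is shorter than 8 characters are padded by the loop at 004F0FCF (append IntToHex(4*i, 0) until the part is 4 characters long), and non-ASCII names are assumed to be GBK byte strings, which agrees with the key for 中国人 in the .REG fragment later in the post.

```python
# Constructed reference implementation of the key check analysed above.
CONSTANT = "Pic4ei8espr"          # string at 004F10B8
SEPARATOR = "-"                   # string at 004F10CC, as seen in the final key


def _pad_to_four(part: str) -> str:
    # Reading of the loop at 004F0FCF: while the part is shorter than 4 characters,
    # append IntToHex(4 * len, 0), so "" -> "048C" and "16" -> "168C".
    n = len(part)
    while n < 4:
        part += f"{4 * n:X}"
        n += 1
    return part


def derive_key(name: str, encoding: str = "gbk") -> str:
    # Loop at 004F0F2C: every byte of the name becomes IntToHex(byte, 0), e.g. 'l' -> "6C".
    # Delphi strings here are byte strings; GBK for non-ASCII names is an assumption.
    hexed = "".join(f"{b:X}" for b in name.encode(encoding))
    # Loop at 004F0F60: reverse the hex string character by character.
    reversed_hex = hexed[::-1]
    # Copy(reversed, 1, 4) and Copy(reversed, 5, 4) at 004F0F8B and 004F0FA1.
    part1 = _pad_to_four(reversed_hex[0:4])
    part2 = _pad_to_four(reversed_hex[4:8])
    # Copy(CONSTANT, 1, 4) = "Pic4", Copy(CONSTANT, 5, 5) = "ei8es"; concatenation at 004F1081.
    return CONSTANT[0:4] + SEPARATOR + part1 + CONSTANT[4:9] + SEPARATOR + part2


def check_key(name: str, entered: str) -> bool:
    # The compare at 004F30A0 is a plain, case-sensitive string comparison: the entered
    # code is accepted only if it equals the derived one byte for byte.
    return derive_key(name) == entered
```

Because the code is a fixed function of the visible name and a hard-coded constant, anyone who has read this routine once can validate or produce codes offline; that is the weakness the analysis exposes.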
The registration info is saved under HKEY_LOCAL_MACHINE\Software\zy\Pic; delete it to play with the program again. Save the part below as a .REG file and import it to complete registration.
REGEDIT4
"Date"=hex:00,00,00,00,60,ec,e2,40
"Name"="中国人"
"Pass"="Pic4-BC8Cei8es-AF9B"
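The "Date" value in the .REG fragment above is a REG_BINARY holding the 8-byte double the program stores with fstp at 004F3020, i.e. a Delphi TDateTime (days since 1899-12-30). As an added example that is not part of the original post, this Python decodes that value and mirrors the remaining-days computation at 004F30DC; the trial length held at 004F3288 is not shown on the page, so it is a parameter here, and the rounding helper at 00402CC4 is assumed to truncate.

```python
import struct
from datetime import datetime, timedelta

DELPHI_EPOCH = datetime(1899, 12, 30)   # TDateTime 0.0

# Constructed input: the "Date" line from the .REG fragment in the analysis.
REG_DATE_LINE = '"Date"=hex:00,00,00,00,60,ec,e2,40'


def parse_reg_hex(line: str) -> bytes:
    # A REGEDIT4 "Name"=hex:aa,bb,... line is a comma-separated list of bytes.
    _, sep, value = line.partition("=hex:")
    if not sep:
        raise ValueError("not a hex: value")
    return bytes(int(tok, 16) for tok in value.strip().split(","))


def tdatetime_from_reg(line: str) -> float:
    # The 8 bytes are the little-endian IEEE-754 double written by fstp qword ptr.
    raw = parse_reg_hex(line)
    if len(raw) != 8:
        raise ValueError("TDateTime needs exactly 8 bytes")
    return struct.unpack("<d", raw)[0]


def tdatetime_to_datetime(value: float) -> datetime:
    # Integer part counts days from 1899-12-30; the fraction is the time of day.
    return DELPHI_EPOCH + timedelta(days=value)


def days_left(stored: float, now: float, trial_days: float) -> int:
    # 004F30DC..004F3108: trial_days - (now - stored), converted to an integer
    # (assumed truncation) and clamped at 0 when it goes negative.
    remaining = int(trial_days - (now - stored))
    return max(remaining, 0)
```

The value in the fragment decodes to TDateTime 38755.0, i.e. 2006-02-07, which is the date the trial counter is measured from.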
Simple, isn't it? No need for a keygen; everyone can just grab an ASCII and base conversion tool.
------------------------------------------------------------------------
【Copyright】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thank you! Thank you!
A good article for us newbies to learn from. Awesome!
Support! Learned something~~
I recall it verifies on restart?
Hehe!
The algorithm is fairly simple!! Too hard. Don't get it.
Still need to study hard. Learned something. I never really knew how to use this software..... Great!!
So many experts here~~~ Boss, this is an incomplete algorithm analysis.