文件批量复制工具 2.0注册算法浅析
【文章标题】: 文件批量复制工具 2.0注册算法浅析
【文章作者】: 蚊香/magic659117852
【作者邮箱】: [email protected]
【作者主页】: http://www.xpi386.com
【软件大小】: 803KB
【下载地址】: http://www.newhua.com/soft/70381.htm
【保护方式】: 注册码
【编写语言】: Borland Delphi
【使用工具】: PEiD OllyDBG
【操作平台】: D版XP-SP2
【软件介绍】: 可以一次性将多个文件复制到多个目录下的工具。
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
0048AA18/.55 push ebp ;通过查找字符串在此下断
; Body of the registration handler that starts at 0048AA18 (its first instruction, push ebp,
; is on the preceding line). It fetches the entered code, passes it to the validator at
; 0048B170, and shows either the success or the failure message box.
; The page extraction dropped the memory operands ("dword ptr , ecx"); the bracketed
; operands in the comments below are decoded from the opcode bytes printed on each line.
0048AA19|.8BEC mov ebp, esp ;F9 to run, then enter 123456789012 as a trial registration code
0048AA1B|.81C4 E0FEFFFF add esp, -120 ;reserve 0x120 bytes of locals
0048AA21|.53 push ebx
0048AA22|.56 push esi
0048AA23|.57 push edi
0048AA24|.33C9 xor ecx, ecx
0048AA26|.898D E0FEFFFF mov dword ptr , ecx ;[ebp-120] = 0 (six dword locals are zeroed here)
0048AA2C|.898D E4FEFFFF mov dword ptr , ecx ;[ebp-11C] = 0
0048AA32|.898D E8FEFFFF mov dword ptr , ecx ;[ebp-118] = 0
0048AA38|.898D ECFEFFFF mov dword ptr , ecx ;[ebp-114] = 0
0048AA3E|.898D F0FEFFFF mov dword ptr , ecx ;[ebp-110] = 0
0048AA44|.898D F4FEFFFF mov dword ptr , ecx ;[ebp-10C] = 0
0048AA4A|.8BD8 mov ebx, eax ;keep the incoming eax; it is the base of [ebx+2FC] below (presumably the form object - confirm)
0048AA4C|.33C0 xor eax, eax
0048AA4E|.55 push ebp
0048AA4F|.68 E1AB4800 push 0048ABE1 ;handler address for the exception frame
0048AA54|.64:FF30 push dword ptr fs: ;fs:[eax] with eax = 0: previous exception frame
0048AA57|.64:8920 mov dword ptr fs:, esp ;fs:[eax] = esp: install the new frame
0048AA5A|.8D95 F4FEFFFF lea edx, dword ptr ;edx = &[ebp-10C], receives the result
0048AA60|.8B83 FC020000 mov eax, dword ptr ;eax = [ebx+2FC]
0048AA66|.E8 E5F9FCFF call 0045A450 ;author's note: "trial code length"; the local filled here is what the validator receives next, so presumably this fetches the entered text - confirm
0048AA6B|.8B85 F4FEFFFF mov eax, dword ptr ;eax = [ebp-10C]
0048AA71|.E8 FA060000 call 0048B170 ;validation routine; the author steps into it with F7
0048AA76|.84C0 test al, al ;NOTE(review): the whole licence decision is this one byte returned in al
0048AA78|.0F84 DF000000 je 0048AB5D ;key jump (author's note): taken => registration fails
0048AA7E|.A1 F0E34800 mov eax, dword ptr ;eax = [0048E3F0]
0048AA83|.C600 01 mov byte ptr , 1 ;byte [eax] = 1; presumably a global "registered" flag - confirm
0048AA86|.8D95 F0FEFFFF lea edx, dword ptr ;edx = &[ebp-110]
0048AA8C|.8B83 FC020000 mov eax, dword ptr ;eax = [ebx+2FC]
0048AA92|.E8 B9F9FCFF call 0045A450 ;same call as at 0048AA66, result into [ebp-110]
0048AA97|.8B95 F0FEFFFF mov edx, dword ptr ;edx = [ebp-110]
0048AA9D|.A1 18E44800 mov eax, dword ptr ;eax = [0048E418]
0048AAA2|.E8 8195F7FF call 00404028 ;presumably copies the entered code into a global string - confirm
0048AAA7|.68 05010000 push 105 ; /BufSize = 105 (261.)
0048AAAC|.8D85 FBFEFFFF lea eax, dword ptr ; | [ebp-105]
0048AAB2|.50 push eax ; |Buffer
0048AAB3|.E8 7CBAF7FF call <jmp.&kernel32.GetSystemDirector>; \GetSystemDirectoryA
0048AAB8|.8D85 ECFEFFFF lea eax, dword ptr ;eax = &[ebp-114]
0048AABE|.8D95 FBFEFFFF lea edx, dword ptr ;edx = &[ebp-105], the buffer filled above
0048AAC4|.B9 05010000 mov ecx, 105
0048AAC9|.E8 7697F7FF call 00404244 ;presumably converts the buffer into a string held in [ebp-114] - confirm
0048AACE|.8D85 ECFEFFFF lea eax, dword ptr ;eax = &[ebp-114]
0048AAD4|.BA F8AB4800 mov edx, 0048ABF8 ;\supercopy.ini
0048AAD9|.E8 BE97F7FF call 0040429C ;where the registration code is saved: C:\WINDOWS\system32
\SuperCopy.ini
0048AADE|.8B8D ECFEFFFF mov ecx, dword ptr ;ecx = [ebp-114], the full INI path
0048AAE4|.B2 01 mov dl, 1
0048AAE6|.A1 FC554300 mov eax, dword ptr ;eax = [004355FC]
0048AAEB|.E8 BCABFAFF call 004356AC ;presumably constructs an INI-file object for that path - confirm
0048AAF0|.8BF0 mov esi, eax ;esi = returned object
0048AAF2|.8D95 E8FEFFFF lea edx, dword ptr ;edx = &[ebp-118]
0048AAF8|.8B83 FC020000 mov eax, dword ptr ;eax = [ebx+2FC]
0048AAFE|.E8 4DF9FCFF call 0045A450 ;same call as at 0048AA66, result into [ebp-118]
0048AB03|.8B85 E8FEFFFF mov eax, dword ptr ;eax = [ebp-118]
0048AB09|.50 push eax ;stack argument: the entered code
0048AB0A|.B9 10AC4800 mov ecx, 0048AC10 ;key
0048AB0F|.BA 1CAC4800 mov edx, 0048AC1C ;regcode
0048AB14|.8BC6 mov eax, esi
0048AB16|.8B38 mov edi, dword ptr ;edi = [eax], the object's method table
0048AB18|.FF57 04 call dword ptr ;call [edi+4]; presumably writes the code under "regcode"/"key" - confirm. NOTE(review): the accepted code is stored as entered
0048AB1B|.8BC6 mov eax, esi
0048AB1D|.E8 9E86F7FF call 004031C0 ;presumably releases the object in esi - confirm
0048AB22|.6A 40 push 40 ;first MessageBoxA argument pushed, i.e. its style value
0048AB24|.8D95 E4FEFFFF lea edx, dword ptr ;edx = &[ebp-11C]
0048AB2A|.A1 A4E64800 mov eax, dword ptr ;eax = [0048E6A4]
0048AB2F|.8B00 mov eax, dword ptr ;eax = [eax]
0048AB31|.E8 B6F2FEFF call 00479DEC ;fills [ebp-11C]; used as the box caption below
0048AB36|.8B85 E4FEFFFF mov eax, dword ptr ;eax = [ebp-11C]
0048AB3C|.E8 5399F7FF call 00404494
0048AB41|.50 push eax
0048AB42|.68 24AC4800 push 0048AC24 ;"注册成功!" (string text; in English: "Registration succeeded!")
0048AB47|.8BC3 mov eax, ebx
0048AB49|.E8 2261FDFF call 00460C70
0048AB4E|.50 push eax ; |hOwner
0048AB4F|.E8 28C1F7FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0048AB54|.8BC3 mov eax, ebx
0048AB56|.E8 3DC0FEFF call 00476B98
0048AB5B|.EB 40 jmp short 0048AB9D ;skip the failure branch
0048AB5D|>6A 40 push 40 ;failure branch, target of the je at 0048AA78
0048AB5F|.8D95 E0FEFFFF lea edx, dword ptr ;edx = &[ebp-120]
0048AB65|.A1 A4E64800 mov eax, dword ptr ;eax = [0048E6A4]
0048AB6A|.8B00 mov eax, dword ptr ;eax = [eax]
0048AB6C|.E8 7BF2FEFF call 00479DEC
0048AB71|.8B85 E0FEFFFF mov eax, dword ptr ;eax = [ebp-120]
0048AB77|.E8 1899F7FF call 00404494
0048AB7C|.50 push eax
0048AB7D|.68 30AC4800 push 0048AC30 ;"注册码错误,请重新输入!" (string text; in English: "Wrong registration code, please enter it again!")
0048AB82|.8BC3 mov eax, ebx
0048AB84|.E8 E760FDFF call 00460C70
0048AB89|.50 push eax ; |hOwner
0048AB8A|.E8 EDC0F7FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0048AB8F|.8B83 FC020000 mov eax, dword ptr ;eax = [ebx+2FC]
0048AB95|.8B10 mov edx, dword ptr ;edx = [eax]
0048AB97|.FF92 C4000000 call dword ptr ;call [edx+C4] on the object at [ebx+2FC]
0048AB9D|>33C0 xor eax, eax ;common exit: remove the exception frame
0048AB9F|.5A pop edx
0048ABA0|.59 pop ecx
0048ABA1|.59 pop ecx
0048ABA2|.64:8910 mov dword ptr fs:, edx ;fs:[eax] = edx with eax = 0: restore the previous frame
0048ABA5|.68 E8AB4800 push 0048ABE8 ;address the retn at 0048ABE0 will continue at
0048ABAA|>8D85 E0FEFFFF lea eax, dword ptr ;eax = &[ebp-120]; local cleanup starts here
0048ABB0|.BA 02000000 mov edx, 2
0048ABB5|.E8 3E94F7FF call 00403FF8 ;presumably releases 2 string locals starting at [ebp-120] - confirm
0048ABBA|.8D85 E8FEFFFF lea eax, dword ptr ;eax = &[ebp-118]
0048ABC0|.E8 0F94F7FF call 00403FD4
0048ABC5|.8D85 ECFEFFFF lea eax, dword ptr ;eax = &[ebp-114]
0048ABCB|.E8 0494F7FF call 00403FD4
0048ABD0|.8D85 F0FEFFFF lea eax, dword ptr ;eax = &[ebp-110]
0048ABD6|.BA 02000000 mov edx, 2
0048ABDB|.E8 1894F7FF call 00403FF8
0048ABE0\.C3 retn ;continues at 0048ABE8, pushed at 0048ABA5
0048ABE1 .^ E9 6E8DF7FF jmp 00403954 ;address registered at 0048AA4F as the frame's handler
0048ABE6 .^ EB C2 jmp short 0048ABAA ;back to the local cleanup
0048ABE8 .5F pop edi ;epilogue: restore saved registers
0048ABE9 .5E pop esi
0048ABEA >5B pop ebx
0048ABEB .8BE5 mov esp, ebp
0048ABED .5D pop ebp
0048ABEE .C3 retn
进入算法CALL 0048AA71
0048B170 55 push ebp ;直接在此赋1给AL后返回可实现爆破
; Body of the validation routine that starts at 0048B170 (its first instruction, push ebp,
; is on the preceding line). Input: eax = the entered code. Result: al = 1 when the code
; is accepted, 0 otherwise (ebx is copied to eax at 0048B1E2).
; The page extraction dropped the memory operands; the bracketed operands in the comments
; below are decoded from the opcode bytes printed on each line.
; NOTE(review): the check only compares characters 9-12 with a fixed substitution of
; characters 5-8. Nothing visible here ties the code to a user name, a machine or a
; vendor-held secret, so the rule is fully recoverable from the client binary; verifying
; a vendor signature over user-specific data would not have that property.
0048B171 8BEC mov ebp, esp
0048B173 51 push ecx ;reserves the one dword local at [ebp-4]
0048B174|.53 push ebx
0048B175|.8945 FC mov dword ptr , eax ;[ebp-4] = the entered code
0048B178|.8B45 FC mov eax, dword ptr ;eax = [ebp-4]
0048B17B|.E8 0493F7FF call 00404484 ;presumably takes a reference on the string - confirm
0048B180|.33C0 xor eax, eax
0048B182|.55 push ebp
0048B183|.68 DBB14800 push 0048B1DB ;handler address for the exception frame
0048B188|.64:FF30 push dword ptr fs: ;fs:[eax] with eax = 0: previous exception frame
0048B18B|.64:8920 mov dword ptr fs:, esp ;fs:[eax] = esp: install the new frame
0048B18E|.8B45 FC mov eax, dword ptr ;eax = [ebp-4]
0048B191|.E8 FE90F7FF call 00404294 ;length of the registration code
0048B196|.83F8 0C cmp eax, 0C ;must be 12 characters
0048B199|.74 04 je short 0048B19F
0048B19B|.33DB xor ebx, ebx ;wrong length: result = 0
0048B19D|.EB 26 jmp short 0048B1C5
0048B19F|>BB 05000000 mov ebx, 5 ;EBX=5
0048B1A4|>8B45 FC /mov eax, dword ptr ;eax = [ebp-4]
0048B1A7|.8A4418 FF |mov al, byte ptr ;al = [eax+ebx-1]: takes characters 5-8 of the trial code in turn
0048B1AB|.E8 60FFFFFF |call 0048B110 ;table lookup
0048B1B0|.8B55 FC |mov edx, dword ptr ;edx = [ebp-4]
0048B1B3|.3A441A 03 |cmp al, byte ptr ;compares with [edx+ebx+3]: each looked-up value against characters 9-12 of the trial code in turn
0048B1B7|.74 04 |je short 0048B1BD ;equal => continue; any mismatch falls through to the failure path
0048B1B9|.33DB |xor ebx, ebx
0048B1BB|.EB 08 |jmp short 0048B1C5
0048B1BD 43 |inc ebx
0048B1BE 83FB 09 |cmp ebx, 9
0048B1C1 ^ 75 E1 \jnz short 0048B1A4 ;loops 4 times (ebx = 5..8)
0048B1C3 B3 01 mov bl, 1 ;key assignment: bl = 1 marks the code as accepted
0048B1C5 33C0 xor eax, eax ;common exit: remove the exception frame
0048B1C7 5A pop edx
0048B1C8 59 pop ecx
0048B1C9 59 pop ecx
0048B1CA|.64:8910 mov dword ptr fs:, edx ;fs:[eax] = edx with eax = 0: restore the previous frame
0048B1CD|.68 E2B14800 push 0048B1E2 ;address the retn at 0048B1DA will continue at
0048B1D2|>8D45 FC lea eax, dword ptr ;eax = &[ebp-4]
0048B1D5 E8 FA8DF7FF call 00403FD4 ;presumably releases the string local - confirm
0048B1DA C3 retn ;continues at 0048B1E2, pushed at 0048B1CD
0048B1DB ^ E9 7487F7FF jmp 00403954 ;address registered at 0048B183 as the frame's handler
0048B1E0 ^ EB F0 jmp short 0048B1D2 ;back to the local cleanup
0048B1E2 8BC3 mov eax, ebx ;key hand-off: the result in ebx becomes the return value in eax
0048B1E4 5B pop ebx
0048B1E5 59 pop ecx
0048B1E6 5D pop ebp
0048B1E7 C3 retn
0048B1AB处表内容为:
0048B14C|> \B0 38 mov al, 38 ;Case 30 ('0') of switch 0048B115
; Remaining cases of the switch at 0048B115 inside the lookup routine called from 0048B1AB.
; Each case loads the substitute ASCII digit into al and returns; the case for '0'
; (mov al, 38) is on the preceding line.
0048B14E|.C3 retn
0048B14F|>B0 36 mov al, 36 ;Case 31 ('1') of switch 0048B115 -> returns '6'
0048B151|.C3 retn
0048B152|>B0 34 mov al, 34 ;Case 32 ('2') of switch 0048B115 -> returns '4'
0048B154|.C3 retn
0048B155|>B0 30 mov al, 30 ;Case 33 ('3') of switch 0048B115 -> returns '0'
0048B157|.C3 retn
0048B158|>B0 35 mov al, 35 ;Case 34 ('4') of switch 0048B115 -> returns '5'
0048B15A|.C3 retn
0048B15B|>B0 32 mov al, 32 ;Case 35 ('5') of switch 0048B115 -> returns '2'
0048B15D|.C3 retn
0048B15E|>B0 39 mov al, 39 ;Case 36 ('6') of switch 0048B115 -> returns '9'
0048B160|.C3 retn
0048B161|>B0 31 mov al, 31 ;Case 37 ('7') of switch 0048B115 -> returns '1'
0048B163|.C3 retn
0048B164|>B0 33 mov al, 33 ;Case 38 ('8') of switch 0048B115 -> returns '3'
0048B166|.C3 retn
0048B167|>B0 37 mov al, 37 ;Case 39 ('9') of switch 0048B115 -> returns '7'
0048B169|.C3 retn
--------------------------------------------------------------------------------
【算法总结】
注册码12位,前4位任意。
5-8位根据以下规则转换成另一个数字:
0 → 8
1 → 6
2 → 4
3 → 0
4 → 5
5 → 2
6 → 9
7 → 1
8 → 3
9 → 7
转换后的5-8位分别依次与9-12位比较,均相等则注册成功(例如:123456782913)。
注册码保存到C:\WINDOWS\system32\SuperCopy.ini
算号器源码(VB Code):
' Click handler that reproduces the rule described in the summary above: it takes a random
' 8-digit number, maps its digits 5-8 through the fixed substitution table and appends
' the four mapped digits, then shows the 12-digit result in Text1.
' X1, i, temp and sn are not declared in this procedure, so they are implicit variables.
' NOTE(review): the procedure needs nothing beyond the fixed table - no user name, machine
' value or secret - which is the weakness of the scheme being analysed.
Private Sub Command1_Click()
Randomize
' Int(Rnd * 90000000) + 10000000 always yields an 8-digit value (10000000..99999999)
X1 = Int(Rnd * 90000000) + 10000000
Text1.Text = X1
' Walk over digits 5-8 of the 8-digit value
For i = 5 To 8
temp = Mid(Text1.Text, i, 1)
' Same digit mapping as the table listed in the summary (0->8, 1->6, ... 9->7)
Select Case temp
Case 0
sn = sn & 8
Case 1
sn = sn & 6
Case 2
sn = sn & 4
Case 3
sn = sn & 0
Case 4
sn = sn & 5
Case 5
sn = sn & 2
Case 6
sn = sn & 9
Case 7
sn = sn & 1
Case 8
sn = sn & 3
Case 9
sn = sn & 7
End Select
Next
' 8 random digits followed by the 4 mapped digits
Text1.Text = X1 & sn
End Sub
VB6.0精简版测试通过~~~~~~~
--------------------------------------------------------------------------------
【版权声明】: 本文 蚊香 原创, 转载请注明作者并保持文章的完整, 谢谢!
2008年08月06日 上午 10:12:22 写的不错,学习了。 写的不错,学习了。 不错啊,,学习了一下啊 这个写的不错,挺详细,支持一下