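【Title】QuickSave (速存) 1.0: simple algorithm analysis (floating point)
【Author】WildCatIII[D.4s][PYG]
【Date】2006-08-18
【Author's home page】龙族: Www.ChinaDforce.CoM  飘云阁: HttP://Www.ChinAPYG.CoM
【Tools】PEiD, W32DASM, UC32, OD
【Platform】Windows XP SP2
【Software name】速存 (QuickSave) 1.0
【Software size】2021KB
【Original download】http://www.onlinedown.net/soft/24526.htm
【Protection】Registration code
【Software description】QuickSave is a small utility for quickly saving material found online. It is simple to operate, flexible to configure and very practical, a capable helper for anyone collecting material from the web. With QuickSave running, you no longer have to copy (Ctrl-C) and paste (Ctrl-V) over and over while gathering material: just drag the selected content into a QuickSave material box (a small window similar to the one in NetAnts) and it is saved automatically to the directory you configured beforehand. QuickSave generates file names automatically and records the source URL of each item, and up to 9 material boxes can be set up at once to hold material on different subjects, which is what sets it apart from similar software. The copy of QuickSave I use now has 6 material boxes: hardware, software, VB, mobile phones, essays and other, and it is very convenient to use. The material boxes sit on top of other windows and can be dragged anywhere, so they do not get in the way of browsing. Web material is one drag away, and collecting it becomes easier.
【Statement】I am just a rookie who has picked up a few insights and would like to share them with everyone :)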
------------------------------------------------------------------------
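1. Inspection shows a Microsoft Visual Basic 5.0 / 6.0 program.
2. Load it in OD and open the registration window. Registering gives an error message, but a string search does not find it.
Set an API breakpoint with bp rtcMsgBox; on confirming the registration the program breaks at: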
73472F29 > 55 PUSH EBP
73472F2A 8BEC MOV EBP,ESP
73472F2C 83EC 4C SUB ESP,4C
73472F2F 8B4D 14 MOV ECX,DWORD PTR SS:[EBP+14]
Remove the breakpoint and look at the helpful hint in the stack window:
0012EFF0 00410343 RETURN to QuickSav.00410343 from MSVBVM60.rtcMsgBox
// Right-click and choose Follow in Disassembler.
0012EFF4 0012F0F0
0012EFF8 00000030
++++++
0041033D . FF15 80104000 CALL DWORD PTR DS:[<&MSVBVM60.#595>] ; MSVBVM60.rtcMsgBox
00410343 . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74] // We land here; the call above shows the registration error message.
-=-= Start over and analyse from the following...
0041006D . FF15 2C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVarList
00410073 . 83C4 20 ADD ESP,20 ; take the length of the trial code
00410076 . C745 FC 07000>MOV DWORD PTR SS:[EBP-4],7
0041007D . 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24] ; trial code
00410080 . 51 PUSH ECX
00410081 . 68 CC754000 PUSH QuickSav.004075CC
00410086 . FF15 C0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
0041008C . 85C0 TEST EAX,EAX ; was a trial code entered?
0041008E . 0F85 0F010000 JNZ QuickSav.004101A3 ; nothing entered, fail!
~~~ intermediate code omitted ~~~
004101A3 > \C745 FC 0A000>MOV DWORD PTR SS:[EBP-4],0A
004101AA . 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
004101AD . 52 PUSH EDX
004101AE . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
004101B1 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
004101B3 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004101B6 . 52 PUSH EDX
004101B7 . FF91 4C070000 CALL DWORD PTR DS:[ECX+74C] ; algorithm call, step in with F7!
004101BD . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] ; trial code
004101C0 . 50 PUSH EAX
004101C1 . 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28] ; [EBP-28] = real code
004101C4 . 51 PUSH ECX
004101C5 . FF15 C0104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>; MSVBVM60.__vbaStrCmp
004101CB . F7D8 NEG EAX ; the call above does the comparison and returns the flag.
004101CD . 1BC0 SBB EAX,EAX
004101CF . 40 INC EAX
004101D0 . F7D8 NEG EAX
004101D2 . 66:8985 F8FEF>MOV WORD PTR SS:[EBP-108],AX
004101D9 . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
004101DC . FF15 F8114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>; MSVBVM60.__vbaFreeStr
004101E2 . 0FBF95 F8FEFF>MOVSX EDX,WORD PTR SS:[EBP-108]
004101E9 . 85D2 TEST EDX,EDX
004101EB . 0F84 D1000000 JE QuickSav.004102C2 ; key jump: if taken, registration fails.
+++++
Stepping into the algorithm call brings us to:
00405204 . /E9 27E50000 JMP QuickSav.00413730 // follow it!
+++
00413730 > \55 PUSH EBP
00413731 . 8BEC MOV EBP,ESP
00413733 . 83EC 18 SUB ESP,18
00413736 . 68 06254000 PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation
0041373B . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00413741 . 50 PUSH EAX
00413742 . 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00413749 . B8 90000000 MOV EAX,90
0041374E . E8 ADEDFEFF CALL <JMP.&MSVBVM60.__vbaChkstk>
00413753 . 53 PUSH EBX
00413754 . 56 PUSH ESI
00413755 . 57 PUSH EDI
00413756 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00413759 . C745 EC A01C4000 MOV DWORD PTR SS:[EBP-14],QuickSav.00401CA0 ; >
00413760 . C745 F0 00000000 MOV DWORD PTR SS:[EBP-10],0
00413767 . C745 F4 00000000 MOV DWORD PTR SS:[EBP-C],0
0041376E . C745 FC 01000000 MOV DWORD PTR SS:[EBP-4],1
00413775 . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00413778 . C700 00000000 MOV DWORD PTR DS:[EAX],0
0041377E . C745 FC 02000000 MOV DWORD PTR SS:[EBP-4],2
00413785 . 6A 01 PUSH 1
00413787 . FF15 7C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaOnError>] ; MSVBVM60.__vbaOnError
0041378D . C745 FC 03000000 MOV DWORD PTR SS:[EBP-4],3
00413794 . 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
00413797 . 51 PUSH ECX
00413798 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0041379B . 8B02 MOV EAX,DWORD PTR DS:[EDX]
0041379D . 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
004137A0 . 51 PUSH ECX
004137A1 . FF90 FC060000 CALL DWORD PTR DS:[EAX+6FC]
004137A7 . 8985 78FFFFFF MOV DWORD PTR SS:[EBP-88],EAX
004137AD . 83BD 78FFFFFF 00 CMP DWORD PTR SS:[EBP-88],0
004137B4 . 7D 23 JGE SHORT QuickSav.004137D9
004137B6 . 68 FC060000 PUSH 6FC
004137BB . 68 D8634000 PUSH QuickSav.004063D8
004137C0 . 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004137C3 . 52 PUSH EDX
004137C4 . 8B85 78FFFFFF MOV EAX,DWORD PTR SS:[EBP-88]
004137CA . 50 PUSH EAX
004137CB . FF15 68104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresultCheckOb>; MSVBVM60.__vbaHresultCheckObj
004137D1 . 8985 5CFFFFFF MOV DWORD PTR SS:[EBP-A4],EAX
004137D7 . EB 0A JMP SHORT QuickSav.004137E3
004137D9 > C785 5CFFFFFF 000>MOV DWORD PTR SS:[EBP-A4],0
004137E3 > 8B4D CC MOV ECX,DWORD PTR SS:[EBP-34] ; machine code
004137E6 . 898D 60FFFFFF MOV DWORD PTR SS:[EBP-A0],ECX
004137EC . C745 CC 00000000 MOV DWORD PTR SS:[EBP-34],0
004137F3 . 8B95 60FFFFFF MOV EDX,DWORD PTR SS:[EBP-A0]
004137F9 . 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
004137FC . FF15 CC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00413802 . C745 FC 04000000 MOV DWORD PTR SS:[EBP-4],4
00413809 . 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
0041380C . 52 PUSH EDX
0041380D . FF15 78114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaI4Str>] ; MSVBVM60.__vbaI4Str
00413813 . 8985 58FFFFFF MOV DWORD PTR SS:[EBP-A8],EAX ; converted to a HEX value
00413819 . DB85 58FFFFFF FILD DWORD PTR SS:[EBP-A8]
0041381F . DD9D 50FFFFFF FSTP QWORD PTR SS:[EBP-B0]
00413825 . DD85 50FFFFFF FLD QWORD PTR SS:[EBP-B0]
0041382B . 833D 00C04100 00 CMP DWORD PTR DS:[41C000],0
00413832 . 75 08 JNZ SHORT QuickSav.0041383C
00413834 . DC35 101D4000 FDIV QWORD PTR DS:[401D10] ; divide by the constant 7
0041383A . EB 11 JMP SHORT QuickSav.0041384D
0041383C > FF35 141D4000 PUSH DWORD PTR DS:[401D14]
00413842 . FF35 101D4000 PUSH DWORD PTR DS:[401D10]
00413848 . E8 D7ECFEFF CALL <JMP.&MSVBVM60._adj_fdiv_m64>
0041384D > DC0D 081D4000 FMUL QWORD PTR DS:[401D08] ; multiply the result by the constant 3
00413853 . DC05 001D4000 FADD QWORD PTR DS:[401D00] ; then add the constant 12345
00413859 . DFE0 FSTSW AX
0041385B . A8 0D TEST AL,0D
0041385D . 0F85 3C010000 JNZ QuickSav.0041399F
00413863 . FF15 B4114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFpI4>] ; MSVBVM60.__vbaFpI4
00413869 . 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX ; converted to a hexadecimal value, placed in EAX
0041386C . C745 FC 05000000 MOV DWORD PTR SS:[EBP-4],5
00413873 . 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
00413876 . 50 PUSH EAX
00413877 . FF15 18104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI4>] ; MSVBVM60.__vbaStrI4
0041387D . 8BD0 MOV EDX,EAX ; its value is moved to EDX
0041387F . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00413882 . FF15 CC114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00413888 . C745 FC 06000000 MOV DWORD PTR SS:[EBP-4],6
0041388F . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00413892 . 894D 94 MOV DWORD PTR SS:[EBP-6C],ECX
00413895 . C745 8C 08400000 MOV DWORD PTR SS:[EBP-74],4008
0041389C . 6A 05 PUSH 5
0041389E . 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
004138A1 . 52 PUSH EDX
004138A2 . 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
004138A5 . 50 PUSH EAX
004138A6 . FF15 D8114000 CALL DWORD PTR DS:[<&MSVBVM60.#619>] ; MSVBVM60.rtcRightCharVar
004138AC . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004138AF . 894D 84 MOV DWORD PTR SS:[EBP-7C],ECX
004138B2 . C785 7CFFFFFF 084>MOV DWORD PTR SS:[EBP-84],4008
004138BC . 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
004138BF . 52 PUSH EDX
004138C0 . FF15 24104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBstr>]; MSVBVM60.__vbaLenBstr
004138C6 . 83E8 05 SUB EAX,5 ; length minus 5
004138C9 . 0F80 D5000000 JO QuickSav.004139A4
004138CF . 50 PUSH EAX
004138D0 . 8D85 7CFFFFFF LEA EAX,DWORD PTR SS:[EBP-84]
004138D6 . 50 PUSH EAX
004138D7 . 8D4D AC LEA ECX,DWORD PTR SS:[EBP-54]
004138DA . 51 PUSH ECX
004138DB . FF15 C0114000 CALL DWORD PTR DS:[<&MSVBVM60.#617>] ; MSVBVM60.rtcLeftCharVar
004138E1 . 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44] ; take the rightmost 4 characters
004138E4 . 52 PUSH EDX
004138E5 . 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
004138E8 . 50 PUSH EAX
004138E9 . 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
004138EC . 51 PUSH ECX
004138ED . FF15 2C114000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
004138F3 . 50 PUSH EAX
004138F4 . FF15 20104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVarMove>] ; MSVBVM60.__vbaStrVarMove
004138FA . 8BD0 MOV EDX,EAX ; right 4 & left 5: that is the registration code!
' -----------------------------------------------------------------
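' Let CodeA be a double-precision floating-point value and CodeB a long integer.
' 1. Take machine code / 7 * 3 + 12345 and call it CodeA.
' 2. Round CodeA to the nearest integer and call the result CodeB.
' 3. Move the left 5 characters of CodeB behind its right four characters; that is the real code.
' Here is one registration code pair for reference.
' -1542372548
' 04461-6610
' -----------------------------------------------------------------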
VB KeyGen source for the algorithm:
Private Sub Command1_Click()
    ' Variables can be declared below.
    Dim CodeA As Double
    Dim CodeB As Long
    Dim LenCodeB As Integer
    Dim CodeC As String
    Dim A, B As String
    If Text1.Text = "" Then
        ' Message shown: "Invalid input, please enter it again!"
        Text2.Text = "输入有误,请重新输入!"
    Else ' The above checks the registration input and shows the prompt.
        CodeA = Val(Text1.Text)
        CodeA = CodeA / 7
        CodeA = CodeA * 3
        CodeA = CodeA + 12345
        CodeB = Round(CodeA, 0)
        CodeC = Str(CodeB)
        LenCodeB = 0
        LenCodeB = Len(CodeC)
        A = Left(CodeC, 5)
        LenCodeB = LenCodeB - 5
        B = Right(CodeC, LenCodeB)
        Text2.Text = B + A
        ' Put the algorithm source in the blank area above and that is all.
    End If
End Sub
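【Copyright notice】This article is purely for technical exchange. If you repost it, please credit the author and keep the article intact. Thank you!
[ Last edited by 野猫III on 2006-8-18 22:40 ]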
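Added example, not part of the original post: the NEG / SBB / INC / NEG sequence at 004101CB-004101D0 converts the integer that __vbaStrCmp leaves in EAX into a VB Boolean (-1 for True, 0 for False), which the JE at 004101EB then tests. The C model below steps through the same instructions; the function names are made up for this illustration and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* NEG r32: r = 0 - r; the carry flag is set whenever the operand was non-zero. */
static uint32_t neg32(uint32_t v, int *cf)
{
    *cf = (v != 0);
    return 0u - v;
}

/* Model of 004101CB..004101D2 (hypothetical helper name).
 * Input: the value __vbaStrCmp left in EAX (0 means the strings are equal).
 * Output: the 16-bit value stored at [EBP-108]. */
int16_t vb_bool_from_strcmp(int32_t strcmp_result)
{
    int cf;
    uint32_t eax = (uint32_t)strcmp_result;

    eax = neg32(eax, &cf);          /* NEG EAX      -> CF = (EAX != 0)     */
    eax = cf ? 0xFFFFFFFFu : 0u;    /* SBB EAX,EAX  -> EAX = -CF           */
    eax += 1u;                      /* INC EAX      -> 1 if equal, else 0  */
    eax = neg32(eax, &cf);          /* NEG EAX      -> -1 if equal, else 0 */
    return (int16_t)(uint16_t)eax;  /* MOV WORD PTR [EBP-108],AX           */
}

/* Model of 004101E2..004101EB: MOVSX EDX,word / TEST EDX,EDX / JE.
 * Returns 1 when the JE to 004102C2 (the failure path) is taken. */
int failure_jump_taken(int32_t strcmp_result)
{
    int32_t edx = vb_bool_from_strcmp(strcmp_result);  /* sign-extended */
    return edx == 0;
}

int main(void)
{
    /* Constructed sample inputs: strings equal, greater, less. */
    const int32_t samples[] = { 0, 1, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("StrCmp=%2d  Boolean=%2d  JE taken=%d\n", (int)samples[i],
               (int)vb_bool_from_strcmp(samples[i]),
               failure_jump_taken(samples[i]));
    return 0;
}
```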