XXXX专家 X.0 简单算法分析
【破解日期】 2006年11月10日
【破解作者】 冷血书生
【作者邮箱】 meiyou
【作者主页】 hxxp://www.126sohu.com
【使用工具】 OD
【破解平台】 Win9x/NT/2000/XP
【软件名称】 XXXX专家 X.0
【下载地址】 略
【软件简介】 XXXX专家 X.0
【软件大小】 710KB
【加壳方式】 无
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
; OllyDbg listing excerpt: 32-bit x86 code calling the Visual Basic 6 runtime (MSVBVM60).
; The memory operands after "ss:" / "ds:" are missing from this listing, so the
; individual stack slots cannot be identified from the text alone.
; This part trims the identification code, releases temporaries, then splits a string.
; NOTE(review): esi is loaded before this excerpt; it is called right after each runtime
; call with ecx/edx pointing at two slots - presumably __vbaVarMove, confirm.
004DA467 mov eax,dword ptr ss: ; author's note: identification code
004DA46A lea ecx,dword ptr ss:
004DA470 mov dword ptr ss:,eax
004DA476 lea eax,dword ptr ss:
004DA47C push eax
004DA47D push ecx
004DA47E mov dword ptr ss:,edi
004DA481 mov dword ptr ss:,8 ; presumably a Variant type tag (8 = VT_BSTR, string) - confirm
004DA48B call dword ptr ds:[<&MSVBVM60.#520>]; MSVBVM60.rtcTrimVar (VB Trim)
004DA491 lea edx,dword ptr ss:
004DA497 lea ecx,dword ptr ss:
004DA49A call esi
004DA49C lea edx,dword ptr ss:
004DA49F lea eax,dword ptr ss:
004DA4A2 push edx
004DA4A3 push eax
004DA4A4 push 2 ; number of object slots passed to the free call
004DA4A6 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObjList
004DA4AC add esp,0C ; caller removes the three pushed dwords
004DA4AF lea ecx,dword ptr ss:
004DA4B5 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVar
004DA4BB lea edx,dword ptr ss:
004DA4C1 lea ecx,dword ptr ss:
004DA4C7 mov dword ptr ss:,cardpro.00> ; address truncated in the listing; presumably a string constant in the program image - confirm
004DA4D1 mov dword ptr ss:,8
004DA4DB call dword ptr ds:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarDup
004DA4E1 push edi
004DA4E2 lea ecx,dword ptr ss:
004DA4E8 push -1 ; presumably the Limit argument of Split (-1 = no limit) - confirm
004DA4EA lea edx,dword ptr ss:
004DA4ED push ecx
004DA4EE lea eax,dword ptr ss:
004DA4F1 push edx
004DA4F2 push eax
004DA4F3 call dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrVarVal
004DA4F9 lea ecx,dword ptr ss:
004DA4FF push eax ; value returned by __vbaStrVarVal
004DA500 push ecx
004DA501 call dword ptr ds:[<&MSVBVM60.#711>]; MSVBVM60.rtcSplit (VB Split)
004DA507 lea edx,dword ptr ss:
004DA50D lea ecx,dword ptr ss:
004DA510 call esi
004DA512 lea ecx,dword ptr ss:
004DA515 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeStr
004DA51B lea ecx,dword ptr ss:
004DA521 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVar
; Two indirect calls on an object reference, each followed by a result check that
; routes negative results to __vbaHresultCheckObj, then a second Trim and cleanup.
; The indirect call targets ("call dword ptr ds:") are missing from this listing.
004DA527 mov edx,dword ptr ds:
004DA529 push ebx
004DA52A call dword ptr ds: ; indirect call, target operand missing from the listing
004DA530 push eax
004DA531 lea eax,dword ptr ss:
004DA534 push eax
004DA535 call dword ptr ds:[<&MSVBVM60.__vbaOb>; MSVBVM60.__vbaObjSet
004DA53B mov ebx,eax ; keep the value returned by __vbaObjSet for the call below
004DA53D lea edx,dword ptr ss:
004DA540 push edx
004DA541 push 2
004DA543 mov ecx,dword ptr ds:
004DA545 push ebx
004DA546 call dword ptr ds:
004DA549 cmp eax,edi ; NOTE(review): edi presumably holds 0 here, making this a "result < 0" test - confirm
004DA54B fclex
004DA54D jge short cardpro.004DA55E ; result not below edi: skip the error path
004DA54F push 40
004DA551 push cardpro.0040ABFC
004DA556 push ebx
004DA557 push eax
004DA558 call dword ptr ds:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj
004DA55E mov eax,dword ptr ss:
004DA561 lea edx,dword ptr ss:
004DA564 push edx
004DA565 push eax
004DA566 mov ecx,dword ptr ds:
004DA568 mov ebx,eax
004DA56A call dword ptr ds:
004DA570 cmp eax,edi ; same result check as at 004DA549
004DA572 fclex
004DA574 jge short cardpro.004DA588
004DA576 push 0A0
004DA57B push cardpro.0040ABEC
004DA580 push ebx
004DA581 push eax
004DA582 call dword ptr ds:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj
004DA588 mov eax,dword ptr ss: ;
004DA58B lea ecx,dword ptr ss:
004DA591 mov dword ptr ss:,eax
004DA597 lea eax,dword ptr ss:
004DA59D mov ebx,8 ; ebx = 8 from here on; stored two lines before the Trim call (presumably VT_BSTR tag - confirm)
004DA5A2 push eax
004DA5A3 push ecx
004DA5A4 mov dword ptr ss:,edi
004DA5A7 mov dword ptr ss:,ebx
004DA5AD call dword ptr ds:[<&MSVBVM60.#520>]; MSVBVM60.rtcTrimVar (VB Trim)
004DA5B3 lea edx,dword ptr ss:
004DA5B9 lea ecx,dword ptr ss:
004DA5BC call esi ; esi is set before this excerpt; presumably __vbaVarMove - confirm
004DA5BE lea edx,dword ptr ss:
004DA5C1 lea eax,dword ptr ss:
004DA5C4 push edx
004DA5C5 mov edi,2 ; edi = 2 from here on; used as the count for the free call below
004DA5CA push eax
004DA5CB push edi
004DA5CC call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObjList
004DA5D2 add esp,0C ; caller removes the three pushed dwords
004DA5D5 lea ecx,dword ptr ss:
004DA5DB call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVar
; Passes a 16-byte value on the stack to the program's own routine at 004C5650,
; indexes into a Variant, divides by a constant and takes a substring with Mid.
; Memory operands are missing from this listing, so slot identities are not recoverable here.
004DA5E1 mov edx,dword ptr ss:
004DA5E4 mov eax,dword ptr ss:
004DA5E7 sub esp,10 ; reserve 16 bytes on the stack (the size of a Variant - presumably passed by value, confirm)
004DA5EA mov ecx,esp
004DA5EC mov dword ptr ds:,edx
004DA5EE mov edx,dword ptr ss:
004DA5F1 mov dword ptr ds:,eax
004DA5F4 mov eax,dword ptr ss:
004DA5F7 mov dword ptr ds:,edx
004DA5FA mov dword ptr ds:,eax
004DA5FD lea ecx,dword ptr ss:
004DA603 push ecx
004DA604 call cardpro.004C5650 ; routine inside the program itself; its body is not part of this listing
004DA609 lea edx,dword ptr ss:
004DA60F lea ecx,dword ptr ss:
004DA612 call esi ; esi is set before this excerpt; presumably __vbaVarMove - confirm
004DA614 sub esp,10 ; second 16-byte stack argument
004DA617 mov ecx,edi ; edi was set to 2 at 004DA5C5
004DA619 mov edx,esp
004DA61B mov dword ptr ss:,ecx
004DA621 mov eax,1
004DA626 push 1
004DA628 mov dword ptr ds:,ecx
004DA62A mov ecx,dword ptr ss:
004DA630 mov dword ptr ss:,eax
004DA636 mov dword ptr ds:,ecx
004DA639 lea ecx,dword ptr ss:
004DA63C push ecx
004DA63D mov dword ptr ds:,eax
004DA640 mov eax,dword ptr ss:
004DA646 mov dword ptr ds:,eax ;
004DA649 lea edx,dword ptr ss:
004DA64F push edx
004DA650 call dword ptr ds:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarIndexLoad
004DA656 add esp,1C ; 0x1C = the 16 reserved bytes plus the three pushed dwords
004DA659 lea eax,dword ptr ss:
004DA65F lea ecx,dword ptr ss:
004DA665 lea edx,dword ptr ss:
004DA66B push eax
004DA66C push ecx
004DA66D push edx
004DA66E mov dword ptr ss:,4 ; constant 4; per the author's summary characters 2-5 are taken, so presumably the Mid length - confirm
004DA678 mov dword ptr ss:,edi
004DA67E mov dword ptr ss:,5 ; constant 5; the divisor according to the author's note below
004DA688 mov dword ptr ss:,edi
004DA68E call dword ptr ds:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarDiv - author's note: middle part of the identification code divided by 5
004DA694 mov edx,eax
004DA696 lea ecx,dword ptr ss:
004DA69C call esi
004DA69E lea eax,dword ptr ss:
004DA6A4 lea ecx,dword ptr ss:
004DA6AA push eax
004DA6AB push edi ; edi = 2; presumably the Mid start position - confirm
004DA6AC lea edx,dword ptr ss:
004DA6B2 push ecx
004DA6B3 push edx
004DA6B4 call dword ptr ds:[<&MSVBVM60.#632>]; MSVBVM60.rtcMidCharVar (VB Mid)
; Builds the value that the entered registration code is later compared with:
; two Left() calls, three calls through ebx and three concatenations, then cleanup.
; Design observation: everything here runs on the client and the result is held as an
; ordinary Variant, so the expected value is readable in process memory (see the
; author's note at 004DA797).
004DA6BA mov dword ptr ss:,65 ; author's note: fixed constant (0x65 = 101 decimal)
004DA6C4 lea eax,dword ptr ss: ;
004DA6C7 push 3
004DA6C9 lea ecx,dword ptr ss:
004DA6CF mov dword ptr ss:,ebx
004DA6D5 mov ebx,dword ptr ds:[<&MSVBVM60.#617>; MSVBVM60.rtcLeftCharVar (VB Left)
004DA6DB push eax ; author's note: characters are taken from the left
004DA6DC push ecx
004DA6DD mov dword ptr ss:,edi
004DA6E3 mov dword ptr ss:,cardpro.00> ; address truncated in the listing
004DA6ED call ebx ; author's note: take the first character of the user name
004DA6EF lea edx,dword ptr ss: ;
004DA6F2 push 4
004DA6F4 lea eax,dword ptr ss:
004DA6FA push edx
004DA6FB push eax
004DA6FC mov dword ptr ss:,8
004DA706 mov dword ptr ss:,edi
004DA70C call ebx
; NOTE(review): the import name on the next line is truncated ("MSVBVM60.__vb") and the
; author's note replaced the debugger annotation; given the products described in the
; notes below it is presumably __vbaVarMul - confirm.
004DA70E mov ebx,dword ptr ds:[<&MSVBVM60.__vb>; author's note: take the first and second characters of the user name
004DA714 lea ecx,dword ptr ss:
004DA71A lea edx,dword ptr ss:
004DA720 push ecx
004DA721 lea eax,dword ptr ss:
004DA727 push edx
004DA728 push eax
004DA729 mov dword ptr ss:,edi
004DA72F mov dword ptr ss:,edi
004DA735 call ebx ; author's note: fixed constant 101 * A
004DA737 mov edi,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaVarCat (Variant concatenation)
004DA73D lea ecx,dword ptr ss:
004DA743 push eax
004DA744 lea edx,dword ptr ss:
004DA74A push ecx
004DA74B push edx
004DA74C call edi
004DA74E push eax
004DA74F lea eax,dword ptr ss:
004DA755 lea ecx,dword ptr ss:
004DA75B push eax
004DA75C lea edx,dword ptr ss:
004DA762 push ecx
004DA763 push edx
004DA764 call ebx ; author's note: 8 * (first character of the user name)D
004DA766 push eax
004DA767 lea eax,dword ptr ss:
004DA76D push eax
004DA76E call edi
004DA770 lea ecx,dword ptr ss:
004DA776 push eax
004DA777 lea edx,dword ptr ss:
004DA77D push ecx
004DA77E lea eax,dword ptr ss:
004DA784 push edx
004DA785 push eax
004DA786 call ebx ; author's note: first four characters of 2 * (first and second characters of the user name)D
004DA788 lea ecx,dword ptr ss:
004DA78E push eax
004DA78F push ecx
004DA790 call edi
004DA792 mov edx,eax
004DA794 lea ecx,dword ptr ss:
004DA797 call esi ; author's note: do not assume the value is hidden - stepping into this call shows it in plaintext
004DA799 lea edx,dword ptr ss:
004DA79F lea eax,dword ptr ss:
004DA7A5 push edx
004DA7A6 lea ecx,dword ptr ss:
004DA7AC push eax
004DA7AD lea edx,dword ptr ss:
004DA7B3 push ecx
004DA7B4 lea eax,dword ptr ss:
004DA7BA push edx
004DA7BB lea ecx,dword ptr ss:
004DA7C1 push eax
004DA7C2 lea edx,dword ptr ss:
004DA7C8 push ecx
004DA7C9 lea eax,dword ptr ss:
004DA7CF push edx
004DA7D0 push eax
004DA7D1 push 8 ; number of temporaries handed to the free call
004DA7D3 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVarList
004DA7D9 add esp,24 ; 0x24 = nine pushed dwords (eight addresses plus the count)
; Three-way dispatch on a 16-bit value, followed by the value-2 path (object calls
; with result checks) and, at 004DA8DA, the value-1 path that compares two Variants.
; Design observation: the outcome of the check depends on a single conditional branch
; over a value computed locally; no server-side or cryptographic verification is
; visible in this listing.
004DA7DC mov ecx,dword ptr ss:
004DA7DF movsx eax,word ptr ds: ; load a signed 16-bit selector
004DA7E2 sub eax,0
004DA7E5 je cardpro.004DAB50 ; selector == 0
004DA7EB dec eax
004DA7EC je cardpro.004DA8DA ; selector == 1: the comparison path below
004DA7F2 dec eax
004DA7F3 jnz cardpro.004DAD2A ; any value other than 0, 1, 2
; selector == 2 falls through to here
004DA7F9 mov eax,dword ptr ds:
004DA7FE test eax,eax
004DA800 jnz short cardpro.004DA816 ; loaded value is non-zero: skip the __vbaNew2 call
004DA802 mov ebx,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaNew2
004DA808 push cardpro.004E1740
004DA80D push cardpro.0040B3DC
004DA812 call ebx
004DA814 jmp short cardpro.004DA81C
004DA816 mov ebx,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaNew2 (ebx is loaded on both paths for the later calls)
004DA81C mov edx,dword ptr ss:
004DA81F mov esi,dword ptr ds:
004DA825 lea eax,dword ptr ss:
004DA828 push edx
004DA829 mov edi,dword ptr ds:
004DA82B push eax
004DA82C call dword ptr ds:[<&MSVBVM60.__vbaOb>; MSVBVM60.__vbaObjSetAddref
004DA832 push eax
004DA833 push esi
004DA834 call dword ptr ds: ; indirect call, target operand missing from the listing
004DA837 test eax,eax
004DA839 fclex
004DA83B jge short cardpro.004DA850 ; non-negative result: skip the error call
004DA83D mov edi,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaHresultCheckObj
004DA843 push 10
004DA845 push cardpro.0040B3CC
004DA84A push esi
004DA84B push eax
004DA84C call edi
004DA84E jmp short cardpro.004DA856
004DA850 mov edi,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaHresultCheckObj (edi is loaded on both paths)
004DA856 lea ecx,dword ptr ss:
004DA859 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObj
004DA85F mov eax,dword ptr ds:
004DA864 test eax,eax
004DA866 jnz short cardpro.004DA874
004DA868 push cardpro.004E1010
004DA86D push cardpro.0040DBB0
004DA872 call ebx ; ebx = __vbaNew2, reached only when the loaded value is zero
004DA874 mov esi,dword ptr ds:
004DA87A push -1
004DA87C push esi
004DA87D mov ecx,dword ptr ds:
004DA87F call dword ptr ds:
004DA885 test eax,eax
004DA887 fclex
004DA889 jge short cardpro.004DA899
004DA88B push 94
004DA890 push cardpro.00409DCC
004DA895 push esi
004DA896 push eax
004DA897 call edi ; edi = __vbaHresultCheckObj, reached only on a negative result
004DA899 mov eax,dword ptr ds:
004DA89E test eax,eax
004DA8A0 jnz short cardpro.004DA8AE
004DA8A2 push cardpro.004E1010
004DA8A7 push cardpro.0040DBB0
004DA8AC call ebx
004DA8AE mov esi,dword ptr ds:
004DA8B4 push esi
004DA8B5 mov edx,dword ptr ds:
004DA8B7 call dword ptr ds:
004DA8BD test eax,eax
004DA8BF fclex
004DA8C1 jge cardpro.004DAD2A
004DA8C7 push 2A8
004DA8CC push cardpro.00409DCC
004DA8D1 push esi
004DA8D2 push eax
004DA8D3 call edi
004DA8D5 jmp cardpro.004DAD2A
; selector == 1 path (target of the jump at 004DA7EC)
004DA8DA lea eax,dword ptr ss:
004DA8DD lea ecx,dword ptr ss:
004DA8E0 push eax
004DA8E1 push ecx
004DA8E2 call dword ptr ds:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarTstNe (tests two Variants for inequality)
004DA8E8 test ax,ax
004DA8EB je cardpro.004DA9E9 ; author's note: patch point - taken when the inequality test returns 0
004DA8F1 lea edx,dword ptr ss:
004DA8F7 push 0D ; the listing ends here; the call that consumes this argument is not shown
////////////////////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////////////////
算法总结:
1) 识别码中间部分/5,取其第2–5位,记为A
2) 固定字符串101*A = B
3) 8*(用户名第一位)D = C
4) 2*(用户名第一位和第二位)D的前四位 = D
5) "B" - "CD" = 注册码
--------------------------------------------------------------------------------
【破解总结】
复习看题目看得眼好花,不小心又捡了软东西~~~~
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢! ;P 支持冷血兄弟