****家庭理财 (Home Finance): analysis of a very simple MD5 algorithm
【Author】: tzl
【Author e-mail】: none
【Software name】: ***家庭理财
【Software size】: 1224KB
【Download】: http://www.newhua.com/soft/52975.htm
【Packer】: none
【Protection】: registration code
【Language】: Microsoft Visual C++ 7.0
【Tools】: OD, PEiD
【Platform】: XP SP2
【Software description】:
***家庭理财 is a handy helper for personal, family and small-business finance management: it lets you easily see how much a customer has spent, how much was earned, how much cash is on hand and how much is in savings, and it quickly meets the customer's various statistical needs!
The algorithm is very simple and suitable for beginners to study; I am sharing it here so that we beginners can progress together.
1. Packer check: none.
2. From the string references we can set a breakpoint here and start the analysis. The test input was:
Registration name: tigerisme
Region: ***
E-mail: [email protected]
Registration date: 20061121
Password: 123456789
00452EBC .55 push ebp
00452EBD .56 push esi
00452EBE .8BF1 mov esi, ecx
00452EC0 .57 push edi
00452EC1 .8D4C24 20 lea ecx, dword ptr
00452EC5 .E8 308A0000 call <jmp.&MFC42.#540>
00452ECA .8D4C24 14 lea ecx, dword ptr
00452ECE .C78424 240100>mov dword ptr , 0
00452ED9 .E8 1C8A0000 call <jmp.&MFC42.#540>
00452EDE .8D4C24 1C lea ecx, dword ptr
00452EE2 .C68424 240100>mov byte ptr , 1
00452EEA .E8 0B8A0000 call <jmp.&MFC42.#540>
00452EEF .8D4C24 10 lea ecx, dword ptr
00452EF3 .C68424 240100>mov byte ptr , 2
00452EFB .E8 FA890000 call <jmp.&MFC42.#540>
00452F00 .8D4C24 18 lea ecx, dword ptr
00452F04 .C68424 240100>mov byte ptr , 3
00452F0C .E8 E9890000 call <jmp.&MFC42.#540>
00452F11 .8D4424 20 lea eax, dword ptr
00452F15 .8BCE mov ecx, esi
00452F17 .50 push eax
00452F18 .68 2B040000 push 42B
00452F1D .C68424 2C0100>mov byte ptr , 4
00452F25 .E8 4A8B0000 call <jmp.&MFC42.#3097>
00452F2A .8D4C24 14 lea ecx, dword ptr ;ecx=tigerisme
00452F2E .51 push ecx
00452F2F .68 2D040000 push 42D
00452F34 .8BCE mov ecx, esi
00452F36 .E8 398B0000 call <jmp.&MFC42.#3097>
00452F3B .8D5424 1C lea edx, dword ptr ;[email protected]
00452F3F .8BCE mov ecx, esi
00452F41 .52 push edx
00452F42 .68 2E040000 push 42E
00452F47 .E8 288B0000 call <jmp.&MFC42.#3097>
00452F4C .8D4424 10 lea eax, dword ptr
00452F50 .8BCE mov ecx, esi
00452F52 .50 push eax
00452F53 .68 2F040000 push 42F
00452F58 .E8 178B0000 call <jmp.&MFC42.#3097>
00452F5D .8D4C24 18 lea ecx, dword ptr ;ecx=20061121
00452F61 .51 push ecx
00452F62 .68 30040000 push 430
00452F67 .8BCE mov ecx, esi
00452F69 .E8 068B0000 call <jmp.&MFC42.#3097>
00452F6E .8B5424 20 mov edx, dword ptr
00452F72 .8B3D 84894600 mov edi, dword ptr [<&MSVCRT._mbscmp>] ; msvcrt._mbscmp
00452F78 .68 80E24700 push 0047E280 ; /s2 = ""
00452F7D .52 push edx ; |s1
00452F7E .FFD7 call edi ; \_mbscmp
00452F80 .83C4 08 add esp, 8
00452F83 .85C0 test eax, eax
00452F85 .74 4C je short 00452FD3 ; check whether the registration field is empty
00452F87 .8B4424 14 mov eax, dword ptr ; "[email protected]" into eax
00452F8B .68 80E24700 push 0047E280
00452F90 .50 push eax
00452F91 .FFD7 call edi
00452F93 .83C4 08 add esp, 8
00452F96 .85C0 test eax, eax
00452F98 .74 39 je short 00452FD3 ; check whether the registration field is empty
00452F9A .8B4C24 1C mov ecx, dword ptr
00452F9E .68 80E24700 push 0047E280
00452FA3 .51 push ecx
00452FA4 .FFD7 call edi
00452FA6 .83C4 08 add esp, 8
00452FA9 .85C0 test eax, eax
00452FAB .74 26 je short 00452FD3 ; check whether the registration field is empty
00452FAD .8B5424 10 mov edx, dword ptr
00452FB1 .68 80E24700 push 0047E280
00452FB6 .52 push edx
00452FB7 .FFD7 call edi
00452FB9 .83C4 08 add esp, 8
00452FBC .85C0 test eax, eax
00452FBE .74 13 je short 00452FD3 ; check whether the registration field is empty
00452FC0 .8B4424 18 mov eax, dword ptr
00452FC4 .68 80E24700 push 0047E280
00452FC9 .50 push eax
00452FCA .FFD7 call edi
00452FCC .83C4 08 add esp, 8
00452FCF .85C0 test eax, eax
00452FD1 .75 10 jnz short 00452FE3 ; check whether the registration field is empty; if it is not empty, take the normal jump
00452FD3 >6A 00 push 0
00452FD5 .6A 00 push 0
00452FD7 .68 38DF4700 push 0047DF38 ; "Dear customer! After you register on the website on the right, fill in the user name, e-mail, region, registration date and the password you received correctly and you can register!"
00452FDC .8BCE mov ecx, esi
00452FDE .E8 AD890000 call <jmp.&MFC42.#4224>
00452FE3 >8D4C24 10 lea ecx, dword ptr
00452FE7 .E8 68890000 call <jmp.&MFC42.#6282>
00452FEC .8D4C24 10 lea ecx, dword ptr
00452FF0 .E8 59890000 call <jmp.&MFC42.#6283>
00452FF5 .8D4C24 14 lea ecx, dword ptr
00452FF9 .E8 56890000 call <jmp.&MFC42.#6282>
00452FFE .8D4C24 14 lea ecx, dword ptr
00453002 .E8 47890000 call <jmp.&MFC42.#6283>
00453007 .B9 10000000 mov ecx, 10
0045300C .33C0 xor eax, eax
0045300E .8D7C24 55 lea edi, dword ptr
00453012 .C64424 54 00mov byte ptr , 0
00453017 .F3:AB rep stos dword ptr es:
00453019 .8D4C24 2C lea ecx, dword ptr
0045301D .8D6E 60 lea ebp, dword ptr
00453020 .E8 D5880000 call <jmp.&MFC42.#540>
00453025 .8D4C24 24 lea ecx, dword ptr
00453029 .C68424 240100>mov byte ptr , 5
00453031 .E8 C4880000 call <jmp.&MFC42.#540>
00453036 .8D4C24 10 lea ecx, dword ptr
0045303A .68 30DF4700 push 0047DF30 ; "fuck", used when computing the registration code; using this as the joining string is really twisted!
0045303F .8D5424 2C lea edx, dword ptr
00453043 .B3 06 mov bl, 6
00453045 .51 push ecx
00453046 .52 push edx
00453047 .889C24 300100>mov byte ptr , bl
0045304E .E8 8D8A0000 call <jmp.&MFC42.#924>
00453053 .8D4C24 14 lea ecx, dword ptr
00453057 .8D5424 34 lea edx, dword ptr
0045305B .51 push ecx
0045305C .50 push eax
0045305D .52 push edx
0045305E .C68424 300100>mov byte ptr , 7
00453066 .E8 37890000 call <jmp.&MFC42.#922>
0045306B .50 push eax
0045306C .8D4C24 30 lea ecx, dword ptr
00453070 .C68424 280100>mov byte ptr , 8
00453078 .E8 F5880000 call <jmp.&MFC42.#858>
0045307D .8D4C24 34 lea ecx, dword ptr
00453081 .C68424 240100>mov byte ptr , 7
00453089 .E8 3C880000 call <jmp.&MFC42.#800>
0045308E .8D4C24 28 lea ecx, dword ptr
00453092 .889C24 240100>mov byte ptr , bl
00453099 .E8 2C880000 call <jmp.&MFC42.#800>
0045309E .8B45 00 mov eax, dword ptr
004530A1 .8BCD mov ecx, ebp
004530A3 .FF50 0C call dword ptr ; this call concatenates the registration date, "fuck" and the registration e-mail
004530A6 .8B4424 2C mov eax, dword ptr ; the concatenated string is "[email protected]"
004530AA .8B55 00 mov edx, dword ptr
004530AD .8B48 F8 mov ecx, dword ptr
004530B0 .51 push ecx
004530B1 .50 push eax
004530B2 .8BCD mov ecx, ebp
004530B4 .FF52 04 call dword ptr
004530B7 .8B45 00 mov eax, dword ptr
004530BA .8D4C24 54 lea ecx, dword ptr
004530BE .51 push ecx
004530BF .8BCD mov ecx, ebp
004530C1 .FF50 08 call dword ptr
004530C4 .B9 20000000 mov ecx, 20
004530C9 .33C0 xor eax, eax
004530CB .8DBC24 990000>lea edi, dword ptr
004530D2 .C68424 980000>mov byte ptr , 0
004530DA .8D9424 980000>lea edx, dword ptr
004530E1 .F3:AB rep stos dword ptr es:
004530E3 .52 push edx
004530E4 .8D4424 58 lea eax, dword ptr
004530E8 .6A 10 push 10
004530EA .50 push eax
004530EB .E8 40FDFFFF call 00452E30 ; MD5 computation, i.e. MD5([email protected]); step into it if you are interested
004530F0 .8B5424 24 mov edx, dword ptr
004530F4 .8D8C24 A40000>lea ecx, dword ptr
004530FB .51 push ecx ; /the MD5 result "B3EE0D943618B2EB238E9D6F35BCF746" is in ecx
004530FC .52 push edx ; |edx = trial code "123456789"
004530FD .FF15 84894600 call dword ptr [<&MSVCRT._mbscmp>] ; \_mbscmp
00453103 .83C4 14 add esp, 14
00453106 .85C0 test eax, eax
00453108 .0F85 F0020000 jnz 004533FE ; key jump, the patch point
0045310E .8D4424 20 lea eax, dword ptr
00453112 .8D4C24 30 lea ecx, dword ptr
**********************************************************************************************
Algorithm summary:
The software's algorithm is very simple: registration code = MD5(registration date + fuck + registration e-mail), taken as 32 uppercase hex characters. The author is really twisted: a simple algorithm, yet with a perverse joining string thrown in.
Special note: this article only records some cracking insights and ideas; it is purely my personal study of the program, with no other purpose.

Studying, bookmarked!! Support!!!!

Support!!!! Another nice toy to play with! Thanks!

I just followed the poster's approach and studied it, haha. I really admire the poster here. Also, the software has been updated, but it only changed that fixed string fuck to goodsoft. Haha, but that is enough to invalidate keygens based on the old algorithm; the author pulled a small trick.

Nice stuff, it deserves everyone's support.
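To make the weakness of this scheme concrete, here is a Python reconstruction of the check read out of the listing above. It is an added example, not code from the original post or from the software itself. The sample record (region and e-mail) is constructed, because the e-mail on the page is redacted; the joining string is a parameter so the example also covers the later build that a reply reports swapped "fuck" for "goodsoft".

```python
import hashlib
import hmac

# Constructed sample registration record. The e-mail on the page is
# redacted, so this address is made up; the name and date are the page's.
SAMPLE_FIELDS = {
    "name": "tigerisme",
    "region": "example-region",
    "email": "user@example.com",
    "date": "20061121",
}

# Fixed joining string pushed at 0045303A in the listing. A reply on the
# page reports that a later build changed it to "goodsoft"; it is a
# parameter below so both builds can be modelled.
DEFAULT_SEP = "fuck"


def expected_code(date, email, sep=DEFAULT_SEP):
    """Derivation read from the listing: MD5(date + sep + email), rendered
    as 32 uppercase hex characters. The binary hashes the MBCS bytes of
    the string; for ASCII input UTF-8 yields the same bytes."""
    material = (date + sep + email).encode("utf-8")
    return hashlib.md5(material).hexdigest().upper()


def validate_registration(fields, password, sep=DEFAULT_SEP):
    """Mirror of the checks between 00452F6E and 00453108: every field
    must be non-empty, then the typed password must equal the derived
    code. hmac.compare_digest stands in for the original _mbscmp."""
    for key in ("name", "region", "email", "date"):
        if not fields.get(key):
            return False
    if not password:
        return False
    derived = expected_code(fields["date"], fields["email"], sep)
    return hmac.compare_digest(derived.encode("utf-8"), password.encode("utf-8"))


def old_code_survives_rebuild(fields, old_sep=DEFAULT_SEP, new_sep="goodsoft"):
    """Check the reply's observation: a code derived for the old build is
    rejected by a build that only swapped the joining string."""
    old_code = expected_code(fields["date"], fields["email"], old_sep)
    return validate_registration(fields, old_code, new_sep)


if __name__ == "__main__":
    code = expected_code(SAMPLE_FIELDS["date"], SAMPLE_FIELDS["email"])
    print("derived code:", code)
    print("trial code 123456789 accepted:", validate_registration(SAMPLE_FIELDS, "123456789"))
    print("derived code accepted:", validate_registration(SAMPLE_FIELDS, code))
    print("old code accepted by goodsoft build:", old_code_survives_rebuild(SAMPLE_FIELDS))
```

Run it and the derived code is accepted while the trial code from the post is rejected, exactly as at 00453108. Every input to the derivation is typed by the user and the only other ingredient is a constant stored in the executable, so the check carries no secret: whoever has the binary has everything needed to produce a valid code, and swapping the constant, as the later build did, only changes which constant has to be read out. A check that holds up needs material that is not in the client, for instance a license blob signed by the vendor and verified with an embedded public key, which the client can verify but cannot produce.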