【Title】AA制费用分摊 1.21 simple MD5 algorithm analysis (super simple!)
【Author】playboyjin[火鸟]
【Author e-mail】[email protected]
【Author homepage】http://group301.ttsite.com
【Tools】PEiD, OD
【Platform】WinXP
【Software】AA制费用分摊 1.21
【Size】244K
【Original download】http://www.newhua.com/soft/49919.htm
【Protection】no packer
【Description】AA制费用分摊 (a shared-expense splitting tool) is a green (portable) program, mainly used to split costs after group activities. It includes bookkeeping, program settings and expense queries.
【Disclaimer】I am a genuine newbie just starting to learn cracking; this is for learning and exchange only, with no other purpose.
------------------------------------------------------------------------
【Process】1. Packer check shows Microsoft Visual C++ 6.0, heh~~
Searching the string references easily leads here:
004081E0 . 6A FF PUSH -1
004081E2 . 68 49F94100 PUSH FeeAVG.0041F949 ; SE handler installation
004081E7 . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
004081ED . 50 PUSH EAX
004081EE . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
004081F5 . 81EC E8000000 SUB ESP,0E8
004081FB . 53 PUSH EBX
004081FC . 55 PUSH EBP
004081FD . 8BE9 MOV EBP,ECX
004081FF . 56 PUSH ESI
00408200 . 57 PUSH EDI
00408201 . 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00408205 . E8 56590100 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040820A . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
0040820E . C78424 000100>MOV DWORD PTR SS:[ESP+100],0
00408219 . E8 42590100 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040821E . 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
00408222 . 8BCD MOV ECX,EBP
00408224 . 50 PUSH EAX
00408225 . 68 0C040000 PUSH 40C
0040822A . C68424 080100>MOV BYTE PTR SS:[ESP+108],1
00408232 . E8 0B5C0100 CALL <JMP.&MFC42.#3097_?GetDlgItemTextA@>
00408237 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10] ; get the machine code 3CB84E02
0040823B . 51 PUSH ECX
0040823C . 68 10040000 PUSH 410
00408241 . 8BCD MOV ECX,EBP
00408243 . E8 FA5B0100 CALL <JMP.&MFC42.#3097_?GetDlgItemTextA@>; get the entered (fake) code
00408248 . B9 10000000 MOV ECX,10
0040824D . 33C0 XOR EAX,EAX
0040824F . 8D7C24 31 LEA EDI,DWORD PTR SS:[ESP+31]
00408253 . C64424 30 00 MOV BYTE PTR SS:[ESP+30],0
00408258 . F3:AB REP STOS DWORD PTR ES:[EDI]
0040825A . 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
0040825E . 8DB5 90000000 LEA ESI,DWORD PTR SS:[EBP+90]
00408264 . E8 F7580100 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
00408269 . 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
0040826D . C68424 000100>MOV BYTE PTR SS:[ESP+100],2
00408275 . E8 E6580100 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040827A . 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14]
0040827E . 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
00408282 . 52 PUSH EDX
00408283 . B3 03 MOV BL,3
00408285 . 68 24A74200 PUSH FeeAVG.0042A724 ; good
0040828A . 50 PUSH EAX
0040828B . 889C24 0C0100>MOV BYTE PTR SS:[ESP+10C],BL
00408292 . E8 7D590100 CALL <JMP.&MFC42.#926_??H@YG?AVCString@@>
00408297 . 68 1CA74200 PUSH FeeAVG.0042A71C ; 8866
0040829C . 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
004082A0 . 50 PUSH EAX
004082A1 . 51 PUSH ECX
004082A2 . C68424 0C0100>MOV BYTE PTR SS:[ESP+10C],4
004082AA . E8 4D590100 CALL <JMP.&MFC42.#924_??H@YG?AVCString@@>
004082AF . 50 PUSH EAX
004082B0 . 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
004082B4 . C68424 040100>MOV BYTE PTR SS:[ESP+104],5
004082BC . E8 05590100 CALL <JMP.&MFC42.#858_??4CString@@QAEABV>
004082C1 . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
004082C5 . C68424 000100>MOV BYTE PTR SS:[ESP+100],4
004082CD . E8 64580100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004082D2 . 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
004082D6 . 889C24 000100>MOV BYTE PTR SS:[ESP+100],BL
004082DD . E8 54580100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004082E2 . 8B16 MOV EDX,DWORD PTR DS:[ESI]
004082E4 . 8BCE MOV ECX,ESI
004082E6 . FF52 0C CALL DWORD PTR DS:[EDX+C]
004082E9 . 8B4424 28 MOV EAX,DWORD PTR SS:[ESP+28] ; machine code joined with the strings above: GooD+3CB84E02+8866
004082ED . 8B16 MOV EDX,DWORD PTR DS:[ESI]
004082EF . 8B48 F8 MOV ECX,DWORD PTR DS:[EAX-8]
004082F2 . 51 PUSH ECX
004082F3 . 50 PUSH EAX ; push the string above, ready for the computation that follows~~
004082F4 . 8BCE MOV ECX,ESI
004082F6 . FF52 04 CALL DWORD PTR DS:[EDX+4]
004082F9 . 8B06 MOV EAX,DWORD PTR DS:[ESI]
004082FB . 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
004082FF . 51 PUSH ECX
00408300 . 8BCE MOV ECX,ESI
00408302 . FF50 08 CALL DWORD PTR DS:[EAX+8]
00408305 . C64424 74 00 MOV BYTE PTR SS:[ESP+74],0
0040830A . B9 20000000 MOV ECX,20
0040830F . 33C0 XOR EAX,EAX
00408311 . 8D7C24 75 LEA EDI,DWORD PTR SS:[ESP+75]
00408315 . 8D5424 74 LEA EDX,DWORD PTR SS:[ESP+74]
00408319 . F3:AB REP STOS DWORD PTR ES:[EDI]
0040831B . 52 PUSH EDX
0040831C . 8D4424 34 LEA EAX,DWORD PTR SS:[ESP+34]
00408320 . 6A 10 PUSH 10
00408322 . 50 PUSH EAX
00408323 . E8 48FEFFFF CALL FeeAVG.00408170 ; algorithm CALL, F7 to step into
00408328 . 8B5424 1C MOV EDX,DWORD PTR SS:[ESP+1C] ; entered (fake) code
0040832C . 8D8C24 800000>LEA ECX,DWORD PTR SS:[ESP+80] ; real code
00408333 . 51 PUSH ECX ; /s2
00408334 . 52 PUSH EDX ; |s1
00408335 . FF15 E4264200 CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; \_mbscmp
0040833B . 83C4 14 ADD ESP,14
0040833E . 85C0 TEST EAX,EAX
00408340 0F85 02010000 JNZ FeeAVG.00408448 ; key jump, patch point
00408346 . 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
0040834A . 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
0040834E . 50 PUSH EAX
0040834F . 68 00A74200 PUSH FeeAVG.0042A700 ; update regsoft set rname ='
00408354 . 51 PUSH ECX
00408355 . E8 BA580100 CALL <JMP.&MFC42.#926_??H@YG?AVCString@@>
0040835A . 68 F4A64200 PUSH FeeAVG.0042A6F4 ; ', rpwd='
0040835F . 8D5424 30 LEA EDX,DWORD PTR SS:[ESP+30]
00408363 . 50 PUSH EAX
00408364 . 52 PUSH EDX
00408365 . C68424 0C0100>MOV BYTE PTR SS:[ESP+10C],6
0040836D . E8 8A580100 CALL <JMP.&MFC42.#924_??H@YG?AVCString@@>
00408372 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
00408376 . 8D5424 18 LEA EDX,DWORD PTR SS:[ESP+18]
0040837A . 51 PUSH ECX
0040837B . 50 PUSH EAX
0040837C . 52 PUSH EDX
0040837D . C68424 0C0100>MOV BYTE PTR SS:[ESP+10C],7
00408385 . E8 6C580100 CALL <JMP.&MFC42.#922_??H@YG?AVCString@@>
0040838A . 68 E4A64200 PUSH FeeAVG.0042A6E4 ; ' where id =1
0040838F . 50 PUSH EAX
00408390 . 8D4424 28 LEA EAX,DWORD PTR SS:[ESP+28]
00408394 . C68424 080100>MOV BYTE PTR SS:[ESP+108],8
0040839C . 50 PUSH EAX
0040839D . E8 5A580100 CALL <JMP.&MFC42.#924_??H@YG?AVCString@@>
004083A2 . 50 PUSH EAX
004083A3 . 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
004083A7 . C68424 040100>MOV BYTE PTR SS:[ESP+104],9
004083AF . E8 12580100 CALL <JMP.&MFC42.#858_??4CString@@QAEABV>
004083B4 . 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
004083B8 . C68424 000100>MOV BYTE PTR SS:[ESP+100],8
004083C0 . E8 71570100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004083C5 . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
004083C9 . C68424 000100>MOV BYTE PTR SS:[ESP+100],7
004083D1 . E8 60570100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004083D6 . 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
004083DA . C68424 000100>MOV BYTE PTR SS:[ESP+100],6
004083E2 . E8 4F570100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004083E7 . 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
004083EB . 889C24 000100>MOV BYTE PTR SS:[ESP+100],BL
004083F2 . E8 3F570100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004083F7 . 6A 01 PUSH 1
004083F9 . 6A 00 PUSH 0
004083FB . 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24]
004083FF . E8 FCA5FFFF CALL FeeAVG.00402A00
00408404 . 51 PUSH ECX
00408405 . 8BCC MOV ECX,ESP
00408407 . 896424 38 MOV DWORD PTR SS:[ESP+38],ESP
0040840B . 50 PUSH EAX
0040840C . E8 CFC3FFFF CALL FeeAVG.004047E0
00408411 . 8D4C24 30 LEA ECX,DWORD PTR SS:[ESP+30]
00408415 . 889C24 0C0100>MOV BYTE PTR SS:[ESP+10C],BL
0040841C . 51 PUSH ECX
0040841D . 8D8D F0000000 LEA ECX,DWORD PTR SS:[EBP+F0]
00408423 . E8 E8C2FFFF CALL FeeAVG.00404710
00408428 . 8BC8 MOV ECX,EAX
0040842A . E8 A1C6FFFF CALL FeeAVG.00404AD0
0040842F . 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
00408433 . 85C0 TEST EAX,EAX
00408435 . 74 06 JE SHORT FeeAVG.0040843D
00408437 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
00408439 . 50 PUSH EAX
0040843A . FF52 08 CALL DWORD PTR DS:[EDX+8]
0040843D > 6A 00 PUSH 0
0040843F . 6A 00 PUSH 0
00408441 . 68 C4A64200 PUSH FeeAVG.0042A6C4 ; 谢谢您的使用,你的软件已注册! (Thank you for using it, your software is now registered!)
00408446 . EB 09 JMP SHORT FeeAVG.00408451
00408448 > 6A 00 PUSH 0
0040844A . 6A 00 PUSH 0
0040844C . 68 ACA64200 PUSH FeeAVG.0042A6AC ; 注册码错误,请重新注册! (Wrong registration code, please register again!)
00408451 > E8 AC570100 CALL <JMP.&MFC42.#1200_?AfxMessageBox@@Y>
00408456 . 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
0040845A . C68424 000100>MOV BYTE PTR SS:[ESP+100],2
00408462 . E8 CF560100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00408467 . 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
0040846B . C68424 000100>MOV BYTE PTR SS:[ESP+100],1
00408473 . E8 BE560100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
----------------------------------------------------------------------
Algorithm CALL:
------------------------------------
00408170 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
00408174 |. 53 PUSH EBX
00408175 |. 8B5C24 08 MOV EBX,DWORD PTR SS:[ESP+8]
00408179 |. 55 PUSH EBP
0040817A |. 8B6C24 14 MOV EBP,DWORD PTR SS:[ESP+14]
0040817E |. 85C0 TEST EAX,EAX
00408180 |. C645 00 00 MOV BYTE PTR SS:[EBP],0
00408184 |. 7E 4D JLE SHORT FeeAVG.004081D3
00408186 |. 56 PUSH ESI
00408187 |. 57 PUSH EDI
00408188 |. 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
0040818C |> 8A0B /MOV CL,BYTE PTR DS:[EBX]
0040818E |. 8D4424 14 |LEA EAX,DWORD PTR SS:[ESP+14] // loop
00408192 |. 50 |PUSH EAX
00408193 |. 51 |PUSH ECX
00408194 |. E8 A7FFFFFF |CALL FeeAVG.00408140 ; MD5 result converted to uppercase
00408199 |. 8D7C24 1C |LEA EDI,DWORD PTR SS:[ESP+1C]
0040819D |. 83C9 FF |OR ECX,FFFFFFFF
004081A0 |. 33C0 |XOR EAX,EAX
004081A2 |. 83C4 08 |ADD ESP,8
004081A5 |. F2:AE |REPNE SCAS BYTE PTR ES:[EDI]
004081A7 |. F7D1 |NOT ECX
004081A9 |. 2BF9 |SUB EDI,ECX
004081AB |. 8BF7 |MOV ESI,EDI
004081AD |. 8BD1 |MOV EDX,ECX
004081AF |. 8BFD |MOV EDI,EBP
004081B1 |. 83C9 FF |OR ECX,FFFFFFFF
004081B4 |. F2:AE |REPNE SCAS BYTE PTR ES:[EDI]
004081B6 |. 8BCA |MOV ECX,EDX
004081B8 |. 4F |DEC EDI
004081B9 |. C1E9 02 |SHR ECX,2
004081BC |. F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWORD PTR D>
004081BE |. 8B4424 1C |MOV EAX,DWORD PTR SS:[ESP+1C]
004081C2 |. 8BCA |MOV ECX,EDX
004081C4 |. 83E1 03 |AND ECX,3
004081C7 |. 43 |INC EBX
004081C8 |. 48 |DEC EAX
004081C9 |. F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:>
004081CB |. 894424 1C |MOV DWORD PTR SS:[ESP+1C],EAX
004081CF |.^ 75 BB \JNZ SHORT FeeAVG.0040818C
004081D1 |. 5F POP EDI
004081D2 |. 5E POP ESI
004081D3 |> 5D POP EBP
004081D4 |. 5B POP EBX
004081D5 \. C3 RETN
------------------------------------------------------------------------
【Summary】This program is well suited to people just starting to learn algorithm analysis (like me): the registration code is simply the result of an MD5 computation, nothing else. The algorithm is very simple, and the software does not re-verify on restart~~
Experts, please don't laugh at me, this is the level I'm at~~^_^ Take it as a beginner's reference for algorithm analysis....
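As an added illustration (not code from the writeup or from the program), the scheme the listing reverses in Python, beside a vendor-side keyed variant that does not share its weakness. PREFIX, SUFFIX and VENDOR_KEY are constructed placeholders, deliberately not the constants in the listing; the machine code 3CB84E02 used in the comments is the one the author's annotations show.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the two string constants the program wraps around
# the machine code; deliberately not the values shown in the listing above.
PREFIX = "PRE"
SUFFIX = "1234"


def hex_upper(digest: bytes) -> str:
    """Models the loop at 00408170: each digest byte is assumed to become
    two uppercase hex characters appended to the output buffer."""
    out = ""
    for b in digest:
        out += "%02X" % b
    return out


def weak_expected_code(machine_code: str) -> str:
    """The reversed scheme: uppercase-hex MD5(PREFIX + machine_code + SUFFIX).
    Every input to this function ships inside the client binary."""
    data = (PREFIX + machine_code + SUFFIX).encode("ascii")
    return hex_upper(hashlib.md5(data).digest())


def weak_check(machine_code: str, entered: str) -> bool:
    # Equivalent of the _mbscmp at 00408335: plain string equality.
    return entered == weak_expected_code(machine_code)


def forge_from_binary(machine_code: str) -> str:
    # Whoever reads the constants out of the binary, as the writeup did,
    # can produce a code the client accepts: that is the whole weakness.
    return weak_expected_code(machine_code)


# Hardened variant (not from the page): the vendor holds a secret key, issues
# codes and validates them; the client embeds no secret that could be mined.
VENDOR_KEY = os.urandom(32)   # constructed; lives only on the vendor side


def vendor_issue(machine_code: str, key: bytes = VENDOR_KEY) -> str:
    return hmac.new(key, machine_code.encode("ascii"), "sha256").hexdigest().upper()


def vendor_validate(machine_code: str, code: str, key: bytes = VENDOR_KEY) -> bool:
    # compare_digest does not leak how many leading characters matched.
    return hmac.compare_digest(vendor_issue(machine_code, key), code)
```

The first scheme is accepted for any code built from the binary's own constants; the keyed scheme rejects that same forgery because the key never left the vendor.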
------------------------------------------------------------------------
【Copyright】This writeup is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you! Heaven rewards the diligent!