【Title】手机号码助手 (Phone Number Assistant) V1.0: Finding the Serial
【Author】lzq1973[PYG][CZG][OCN][DFCG]
【Author E-mail】[email protected]
【Author Homepage】http://my.winzheng.com/?455397
【Tools】OD (OllyDbg), PEiD
【Platform】WinXP
【Software】手机号码助手 (Phone Number Assistant)
【Size】1190KB
【Original Download】http://www.sharebank.com.cn/soft/SoftView_20262.htm
【Protection】SN (serial number)
【Description】 手机号码助手 is a number-generation, sorting and logging tool designed for producing the number ranges needed for large-scale SMS bulk sending and the logs such campaigns generate. With it you can easily pick out the high-value numbers from the vast sea of mobile numbers, and the logs produced during bulk sending can be generated with ease to satisfy corporate customers, saving you time and money and making your SMS advertising more effective.
【Disclaimer】I'm just a little bird; this is purely for learning, and I'm happy to share it with everyone!
------------------------------------------------------------------------
【Process】1. PEiD identifies it as "Borland Delphi 6.0 - 7.0", no packer; secretly delighted;
2. Run the program, open the registration dialog and try to register: it shows "注册错误" (registration error), so this is a direct-comparison type;
3. Load it in OD, use the plugin to find the related string (mentioned above), set a breakpoint there, press F9 to run, and it breaks here:
005654B8 . 55 push ebp
005654B9 . 8BEC mov ebp, esp
005654BB . 83C4 D8 add esp, -28
005654BE . 53 push ebx
005654BF . 33C9 xor ecx, ecx
005654C1 . 894D E0 mov [ebp-20], ecx
005654C4 . 894D E4 mov [ebp-1C], ecx
005654C7 . 894D E8 mov [ebp-18], ecx
005654CA . 894D F0 mov [ebp-10], ecx
005654CD . 894D EC mov [ebp-14], ecx
005654D0 . 8BD8 mov ebx, eax
005654D2 . 33C0 xor eax, eax
005654D4 . 55 push ebp
005654D5 . 68 F2565600 push 005656F2
005654DA . 64:FF30 push dword ptr fs:[eax]
005654DD . 64:8920 mov fs:[eax], esp
005654E0 . 33C9 xor ecx, ecx
005654E2 . B2 01 mov dl, 1
005654E4 . A1 20355500 mov eax, [553520]
005654E9 . E8 7A4DF0FF call 0046A268
005654EE . 8945 F8 mov [ebp-8], eax
005654F1 . 33C0 xor eax, eax
005654F3 . 55 push ebp
005654F4 . 68 C8565600 push 005656C8
005654F9 . 64:FF30 push dword ptr fs:[eax]
005654FC . 64:8920 mov fs:[eax], esp
005654FF . 8B45 F8 mov eax, [ebp-8]
00565502 . 8B10 mov edx, [eax]
00565504 . FF92 EC000000 call [edx+EC]
0056550A . 48 dec eax
0056550B . 0F85 A1010000 jnz 005656B2
00565511 . 8D55 F0 lea edx, [ebp-10]
00565514 . 8B45 F8 mov eax, [ebp-8]
00565517 . 8B80 04030000 mov eax, [eax+304]
0056551D . E8 46BFEEFF call 00451468
00565522 . 8B45 F0 mov eax, [ebp-10]
00565525 . 50 push eax
00565526 . 8D55 EC lea edx, [ebp-14]
00565529 . 8B45 F8 mov eax, [ebp-8]
0056552C . 8B80 FC020000 mov eax, [eax+2FC]
00565532 . E8 31BFEEFF call 00451468
00565537 . 8B4D EC mov ecx, [ebp-14]
0056553A . 8B83 60030000 mov eax, [ebx+360]
00565540 . BA 83850C00 mov edx, 0C8583 ; this constant matters: the algorithm below uses it
00565545 . E8 124CFAFF call 0050A15C ; key call
0056554A . 84C0 test al, al
0056554C . 0F84 4D010000 je 0056569F
00565552 . B8 00020000 mov eax, 200
00565557 . E8 7839EAFF call 00408ED4
0056555C . 8945 FC mov [ebp-4], eax
0056555F . 8B45 FC mov eax, [ebp-4]
00565562 . 33C9 xor ecx, ecx
00565564 . BA 00020000 mov edx, 200
00565569 . E8 1ADCE9FF call 00403188
0056556E . 33C0 xor eax, eax
00565570 . 55 push ebp
00565571 . 68 98565600 push 00565698
00565576 . 64:FF30 push dword ptr fs:[eax]
00565579 . 64:8920 mov fs:[eax], esp
0056557C . 8B4D FC mov ecx, [ebp-4]
0056557F . BA 02000000 mov edx, 2
00565584 . B8 01000000 mov eax, 1
00565589 . E8 CAE3FEFF call 00553958
0056558E . 8B45 FC mov eax, [ebp-4]
00565591 . C640 78 C7 mov byte ptr [eax+78], 0C7
00565595 . 8B4D FC mov ecx, [ebp-4]
00565598 . BA 02000000 mov edx, 2
0056559D . B8 01000000 mov eax, 1
005655A2 . E8 D1E4FEFF call 00553A78
005655A7 . B2 01 mov dl, 1
005655A9 . A1 34B14300 mov eax, [43B134]
005655AE . E8 ED5CEDFF call 0043B2A0
005655B3 . 8945 F4 mov [ebp-C], eax
005655B6 . 33C0 xor eax, eax
005655B8 . 55 push ebp
005655B9 . 68 3C565600 push 0056563C
005655BE . 64:FF30 push dword ptr fs:[eax]
005655C1 . 64:8920 mov fs:[eax], esp
005655C4 . BA 02000080 mov edx, 80000002
005655C9 . 8B45 F4 mov eax, [ebp-C]
005655CC . E8 AB5DEDFF call 0043B37C
005655D1 . B1 01 mov cl, 1
005655D3 . BA 08575600 mov edx, 00565708 ; \software\splog (where the registration info is stored; irrelevant once registration has succeeded)
005655D8 . 8B45 F4 mov eax, [ebp-C]
005655DB . E8 045EEDFF call 0043B3E4
005655E0 . 84C0 test al, al
005655E2 . 74 42 je short 00565626
005655E4 . 8D55 E8 lea edx, [ebp-18]
005655E7 . 8B45 F8 mov eax, [ebp-8]
005655EA . 8B80 FC020000 mov eax, [eax+2FC]
005655F0 . E8 73BEEEFF call 00451468
005655F5 . 8B4D E8 mov ecx, [ebp-18]
005655F8 . BA 20575600 mov edx, 00565720 ; hsn
005655FD . 8B45 F4 mov eax, [ebp-C]
00565600 . E8 3361EDFF call 0043B738
00565605 . 8D55 E4 lea edx, [ebp-1C]
00565608 . 8B45 F8 mov eax, [ebp-8]
0056560B . 8B80 04030000 mov eax, [eax+304]
00565611 . E8 52BEEEFF call 00451468
00565616 . 8B4D E4 mov ecx, [ebp-1C]
00565619 . BA 2C575600 mov edx, 0056572C ; sn
0056561E . 8B45 F4 mov eax, [ebp-C]
00565621 . E8 1261EDFF call 0043B738
00565626 > 33C0 xor eax, eax
00565628 . 5A pop edx
00565629 . 59 pop ecx
0056562A . 59 pop ecx
0056562B . 64:8910 mov fs:[eax], edx
0056562E . 68 43565600 push 00565643
00565633 > 8B45 F4 mov eax, [ebp-C]
00565636 . E8 C5E3E9FF call 00403A00
0056563B . C3 retn
0056563C .^ E9 53EBE9FF jmp 00404194
00565641 .^ EB F0 jmp short 00565633
00565643 . 8D45 E0 lea eax, [ebp-20]
00565646 . 50 push eax ; /Arg1
00565647 . B8 38575600 mov eax, 00565738 ; |手机号码助手v1.0(注册版) ("v1.0 (registered edition)")
0056564C . 8945 D8 mov [ebp-28], eax ; |
0056564F . C645 DC 0B mov byte ptr [ebp-24], 0B ; |
00565653 . 8D55 D8 lea edx, [ebp-28] ; |
00565656 . 33C9 xor ecx, ecx ; |
00565658 . B8 5C575600 mov eax, 0056575C ; |%s
0056565D . E8 A64EEAFF call 0040A508 ; \Log.0040A508
00565662 . 8B55 E0 mov edx, [ebp-20]
00565665 . A1 9CED5600 mov eax, [56ED9C]
0056566A . E8 29BEEEFF call 00451498
0056566F . 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00565671 . 68 60575600 push 00565760 ; |成功 ("Success")
00565676 . 68 68575600 push 00565768 ; |注册成功 ("Registration successful")
0056567B . 6A 00 push 0 ; |hOwner = NULL
0056567D . E8 4A23EAFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00565682 . 33C0 xor eax, eax
00565684 . 5A pop edx
00565685 . 59 pop ecx
00565686 . 59 pop ecx
00565687 . 64:8910 mov fs:[eax], edx
0056568A . 68 B2565600 push 005656B2
0056568F > 8B45 FC mov eax, [ebp-4]
00565692 . E8 51D1E9FF call 004027E8
00565697 . C3 retn
00565698 .^ E9 F7EAE9FF jmp 00404194
0056569D .^ EB F0 jmp short 0056568F
0056569F > 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
005656A1 . 68 74575600 push 00565774 ; |错误 ("Error")
005656A6 . 68 7C575600 push 0056577C ; |注册失败 ("Registration failed")
005656AB . 6A 00 push 0 ; |hOwner = NULL
005656AD . E8 1A23EAFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
005656B2 > 33C0 xor eax, eax
005656B4 . 5A pop edx
005656B5 . 59 pop ecx
005656B6 . 59 pop ecx
005656B7 . 64:8910 mov fs:[eax], edx
005656BA . 68 CF565600 push 005656CF
005656BF > 8B45 F8 mov eax, [ebp-8]
005656C2 . E8 39E3E9FF call 00403A00
005656C7 . C3 retn
005656C8 .^ E9 C7EAE9FF jmp 00404194
005656CD .^ EB F0 jmp short 005656BF
005656CF . 33C0 xor eax, eax
005656D1 . 5A pop edx
005656D2 . 59 pop ecx
005656D3 . 59 pop ecx
005656D4 . 64:8910 mov fs:[eax], edx
005656D7 . 68 F9565600 push 005656F9
005656DC > 8D45 E0 lea eax, [ebp-20]
005656DF . E8 E8F0E9FF call 004047CC
005656E4 . 8D45 E4 lea eax, [ebp-1C]
005656E7 . BA 04000000 mov edx, 4
005656EC . E8 FFF0E9FF call 004047F0
005656F1 . C3 retn
005656F2 .^ E9 9DEAE9FF jmp 00404194
005656F7 .^ EB E3 jmp short 005656DC
005656F9 . 5B pop ebx
005656FA . 8BE5 mov esp, ebp
005656FC . 5D pop ebp
005656FD . C3 retn
===== Press F7 to step into 00565545 . E8 124CFAFF call 0050A15C ==============
0050A15C /$ 55 push ebp
0050A15D |. 8BEC mov ebp, esp
0050A15F |. 83C4 F8 add esp, -8
0050A162 |. 53 push ebx
0050A163 |. 56 push esi
0050A164 |. 33DB xor ebx, ebx
0050A166 |. 895D F8 mov [ebp-8], ebx
0050A169 |. 894D FC mov [ebp-4], ecx
0050A16C |. 8BF2 mov esi, edx
0050A16E |. 8BD8 mov ebx, eax
0050A170 |. 8B45 FC mov eax, [ebp-4]
0050A173 |. E8 14ABEFFF call 00404C8C
0050A178 |. 8B45 08 mov eax, [ebp+8]
0050A17B |. E8 0CABEFFF call 00404C8C
0050A180 |. 33C0 xor eax, eax
0050A182 |. 55 push ebp
0050A183 |. 68 DFA15000 push 0050A1DF
0050A188 |. 64:FF30 push dword ptr fs:[eax]
0050A18B |. 64:8920 mov fs:[eax], esp
0050A18E |. 837D FC 00 cmp dword ptr [ebp-4], 0
0050A192 |. 74 26 je short 0050A1BA
0050A194 |. 85F6 test esi, esi
0050A196 |. 74 22 je short 0050A1BA
0050A198 |. 8D45 F8 lea eax, [ebp-8]
0050A19B |. 50 push eax
0050A19C |. 8B4D FC mov ecx, [ebp-4]
0050A19F |. 8BD6 mov edx, esi
0050A1A1 |. 8BC3 mov eax, ebx
0050A1A3 |. E8 A4FEFFFF call 0050A04C ; algorithm core
0050A1A8 |. 8B55 F8 mov edx, [ebp-8] ; (ASCII "11541834--515122352-8227171")
0050A1AB |. 8B45 08 mov eax, [ebp+8]
0050A1AE |. E8 35AAEFFF call 00404BE8 ; memory keygen point: the correct serial is in EDX
0050A1B3 |. 0F94C0 sete al
0050A1B6 |. 8BD8 mov ebx, eax
0050A1B8 |. EB 02 jmp short 0050A1BC
0050A1BA |> 33DB xor ebx, ebx
0050A1BC |> 33C0 xor eax, eax
0050A1BE |. 5A pop edx
0050A1BF |. 59 pop ecx
0050A1C0 |. 59 pop ecx
0050A1C1 |. 64:8910 mov fs:[eax], edx
0050A1C4 |. 68 E6A15000 push 0050A1E6
0050A1C9 |> 8D45 F8 lea eax, [ebp-8]
0050A1CC |. BA 02000000 mov edx, 2
0050A1D1 |. E8 1AA6EFFF call 004047F0
0050A1D6 |. 8D45 08 lea eax, [ebp+8]
0050A1D9 |. E8 EEA5EFFF call 004047CC
0050A1DE \. C3 retn
0050A1DF .^ E9 B09FEFFF jmp 00404194
0050A1E4 .^ EB E3 jmp short 0050A1C9
0050A1E6 . 8BC3 mov eax, ebx
0050A1E8 . 5E pop esi
0050A1E9 . 5B pop ebx
0050A1EA . 59 pop ecx
0050A1EB . 59 pop ecx
0050A1EC . 5D pop ebp
0050A1ED . C2 0400 retn 4
============ Press F7 here to step into 0050A1A3 |. E8 A4FEFFFF call 0050A04C =======================
0050A04C /$ 55 push ebp
0050A04D |. 8BEC mov ebp, esp
0050A04F |. 6A 00 push 0
0050A051 |. 6A 00 push 0
0050A053 |. 6A 00 push 0
0050A055 |. 6A 00 push 0
0050A057 |. 53 push ebx
0050A058 |. 56 push esi
0050A059 |. 57 push edi
0050A05A |. 894D FC mov [ebp-4], ecx
0050A05D |. 8BFA mov edi, edx
0050A05F |. 8B5D 08 mov ebx, [ebp+8]
0050A062 |. 8B45 FC mov eax, [ebp-4] ; (ASCII "PF2B27K2119S5A")
0050A065 |. E8 22ACEFFF call 00404C8C
0050A06A |. 33C0 xor eax, eax
0050A06C |. 55 push ebp
0050A06D |. 68 3EA15000 push 0050A13E
0050A072 |. 64:FF30 push dword ptr fs:[eax]
0050A075 |. 64:8920 mov fs:[eax], esp
0050A078 |. 85FF test edi, edi
0050A07A |. 0F84 97000000 je 0050A117
0050A080 |. 837D FC 00 cmp dword ptr [ebp-4], 0
0050A084 |. 0F84 8D000000 je 0050A117
0050A08A |. 8B45 FC mov eax, [ebp-4]
0050A08D |. E8 0AAAEFFF call 00404A9C ; get hardware ID length
0050A092 |. 8BF0 mov esi, eax
0050A094 |. 0FAFF7 imul esi, edi ; ESI = ESI×EDI = 0xE×0xC8583 = AF4D2A; 0xE (14) is the hardware ID length
0050A097 |. 8B45 FC mov eax, [ebp-4]
0050A09A |. 0FB600 movzx eax, byte ptr [eax] ; first character into EAX
0050A09D |. 69C0 9A020000 imul eax, eax, 29A ; EAX = 50×29A = D020
0050A0A3 |. 03F0 add esi, eax ; ESI = ESI+EAX = B01D4A
0050A0A5 |. 8D55 F8 lea edx, [ebp-8]
0050A0A8 |. 8BC6 mov eax, esi
0050A0AA |. E8 59F6EFFF call 00409708 ; convert to decimal string
0050A0AF |. 8B55 F8 mov edx, [ebp-8] ; (ASCII "11541834")
0050A0B2 |. 8BC3 mov eax, ebx
0050A0B4 |. B9 58A15000 mov ecx, 0050A158 ; -
0050A0B9 |. E8 2AAAEFFF call 00404AE8
0050A0BE |. 8B45 FC mov eax, [ebp-4]
0050A0C1 |. 0FB600 movzx eax, byte ptr [eax] ; first character into EAX
0050A0C4 |. F7EF imul edi ; EAX = EDI×50 = 3E9B8F0 (EDI=C8583)
0050A0C6 |. 6BF0 7B imul esi, eax, 7B ; ESI = EAX×7B = E14BDB50 (low 32 bits)
0050A0C9 |. FF33 push dword ptr [ebx]
0050A0CB |. 8D55 F4 lea edx, [ebp-C]
0050A0CE |. 8BC6 mov eax, esi
0050A0D0 |. E8 33F6EFFF call 00409708
0050A0D5 |. FF75 F4 push dword ptr [ebp-C] ; (ASCII "-515122352")
0050A0D8 |. 68 58A15000 push 0050A158 ; -
0050A0DD |. 8BC3 mov eax, ebx
0050A0DF |. BA 03000000 mov edx, 3
0050A0E4 |. E8 73AAEFFF call 00404B5C
0050A0E9 |. 8B45 FC mov eax, [ebp-4] ; (ASCII "PF2B27K2119S5A")
0050A0EC |. E8 ABA9EFFF call 00404A9C ; get hardware ID length
0050A0F1 |. 8B55 FC mov edx, [ebp-4]
0050A0F4 |. 0FB612 movzx edx, byte ptr [edx] ; first character of the hardware ID
0050A0F7 |. F7EA imul edx ; EAX = 50×E = 460
0050A0F9 |. 69F0 D5190000 imul esi, eax, 19D5 ; ESI = EAX×19D5 = 7103E0
0050A0FF |. 03F7 add esi, edi ; ESI = ESI+EDI = 7D8963
0050A101 |. 8D55 F0 lea edx, [ebp-10]
0050A104 |. 8BC6 mov eax, esi
0050A106 |. E8 FDF5EFFF call 00409708 ; convert to decimal string
0050A10B |. 8B55 F0 mov edx, [ebp-10] ; (ASCII "8227171")
0050A10E |. 8BC3 mov eax, ebx
0050A110 |. E8 8FA9EFFF call 00404AA4
0050A115 |. EB 0C jmp short 0050A123
0050A117 |> 8BD3 mov edx, ebx
0050A119 |. A1 08B95600 mov eax, [56B908]
0050A11E |. E8 95C9EFFF call 00406AB8
0050A123 |> 33C0 xor eax, eax
0050A125 |. 5A pop edx
0050A126 |. 59 pop ecx
0050A127 |. 59 pop ecx
0050A128 |. 64:8910 mov fs:[eax], edx
0050A12B |. 68 45A15000 push 0050A145
0050A130 |> 8D45 F0 lea eax, [ebp-10]
0050A133 |. BA 04000000 mov edx, 4
0050A138 |. E8 B3A6EFFF call 004047F0
0050A13D \. C3 retn
0050A13E .^ E9 51A0EFFF jmp 00404194
0050A143 .^ EB EB jmp short 0050A130
0050A145 . 5F pop edi
0050A146 . 5E pop esi
0050A147 . 5B pop ebx
0050A148 . 8BE5 mov esp, ebp
0050A14A . 5D pop ebp
0050A14B . C2 0400 retn 4
------------------------------------------------------------------------
【Summary】
The registration code consists of three parts separated by "-", built as follows:
1. Let D be the length of the hardware ID and Y the hex value of its first character;
2. Let the constants C8583, 29A, 7B and 19D5 be E, F, G and H respectively;
3. First part: A = D×E + Y×F, converted to decimal → K1;
4. Second part: B = E×Y×G, converted to decimal → K2 (the product is kept as a signed 32-bit integer, which is why the trace shows -515122352 rather than the full product);
5. Third part: C = D×Y×H + E, converted to decimal → K3;
6. Registration code K = K1-K2-K3
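To check the summary above against the values OllyDbg displayed, here is an added Python example (not code from the original post or from the program itself). It recomputes the three parts for the hardware ID "PF2B27K2119S5A" seen in the trace using the four constants from the disassembly; the function and variable names are my own. It also emulates Delphi's signed 32-bit Integer, which is what turns the second part into -515122352 and produces the doubled "--" in the final string. From a defensive point of view the property worth noting is that the routine reads only the string length and the first byte of the hardware ID, so the check cannot tell apart any two IDs that share those two values; a licence check made of a few hardcoded multiplications followed by a plain string comparison offers no real protection once the binary is in the user's hands.

```python
# Added example (not from the original post): reproduces the three-part
# serial derivation summarised in the writeup and checks it against the
# values OllyDbg showed for the sample hardware ID "PF2B27K2119S5A".
#
# The constants are the ones visible in the disassembly; the sample
# hardware ID and the expected output come from the debugger comments.

E = 0xC8583   # loaded into EDX at 00565540
F = 0x29A     # imul at 0050A09D
G = 0x7B      # imul at 0050A0C6
H = 0x19D5    # imul at 0050A0F9


def to_int32(value: int) -> int:
    """Emulate Delphi's Integer: wrap the value to signed 32 bits.

    The second part overflows 32 bits (EAX*7B = E14BDB50 in the trace) and
    IntToStr prints that register as a negative number, hence "-515122352".
    """
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def derive_parts(hardware_id: str) -> tuple:
    """Return (K1, K2, K3) as the routine at 0050A04C computes them."""
    if not hardware_id:
        raise ValueError("an empty hardware ID takes the error branch at 0050A117")
    d = len(hardware_id)            # call 00404A9C: string length (D)
    y = ord(hardware_id[0])         # movzx eax, byte ptr [eax]: first character (Y)
    k1 = to_int32(d * E + y * F)    # 0050A094 .. 0050A0A3
    k2 = to_int32(y * E * G)        # 0050A0C4 .. 0050A0C6, wraps to a negative value
    k3 = to_int32(d * y * H + E)    # 0050A0F7 .. 0050A0FF
    return k1, k2, k3


def derive_serial(hardware_id: str) -> str:
    """Join the parts with "-" exactly as the string concatenation calls do.

    Because K2 is already negative for this sample, the result contains "--".
    """
    k1, k2, k3 = derive_parts(hardware_id)
    return f"{k1}-{k2}-{k3}"


def same_key_class(a: str, b: str) -> bool:
    """True when the routine cannot distinguish a from b.

    Only the length and the first byte feed the arithmetic, so every other
    character of the hardware ID is ignored by the check.
    """
    return (len(a), a[:1]) == (len(b), b[:1])


if __name__ == "__main__":
    sample = "PF2B27K2119S5A"          # hardware ID shown in the OllyDbg trace
    print(derive_parts(sample))         # (11541834, -515122352, 8227171)
    print(derive_serial(sample))        # 11541834--515122352-8227171
    # Constructed second ID: same length and first byte, different elsewhere.
    print(same_key_class(sample, "P0000000000000"))   # True
```

Running the script reproduces the three intermediate strings the trace shows ("11541834", "-515122352", "8227171") and the final comparison value, which confirms the summary's formulas once the signed 32-bit wrap of the second part is taken into account.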
------------------------------------------------------------------------
【Copyright】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thanks!