- UID
- 5592
注册时间2005-12-21
阅读权限40
最后登录1970-1-1
独步武林
 
TA的每日心情 | 慵懒
2019-1-18 17:27 |
|---|
签到天数: 30 天 [LV.5]常住居民I
|
【破文标题】小巧名片王 2.0 解码分析
【破文作者】lzq1973[PYG][CZG][OCN][DFCG]
【作者邮箱】[email protected]
【作者主页】http://my.winzheng.com/?455397
【破解工具】OD、PEiD、C32Asm
【破解平台】WinXP
【软件名称】小巧名片王 2.0
【软件大小】2.45M
【原版下载】http://www.sharebank.com.cn/soft/SoftView_21252.htm
【保护方式】SN
【软件简介】 名片本身是联系信息,各种各样的联系信息毫无疑问是您非常宝贵的无形资产。小巧名片王主要是为了管理您长期积累下来的众多名片而设计,当然也可以用来管理您的其他联系信息。
本软件具有价格低廉,操作简单,查找方便,管理容易,界面直观优美,功能强大,程序小巧的优点
【破解声明】俺是只小小鸟,纯为学习,愿与大家分享!
------------------------------------------------------------------------
【破解过程】1、运行程序,得知是重启验证型的,记住相关提示信息;
2、PEiD侦之Borland Delphi 6.0 - 7.0;
3、OD载入,在这里下断,来到
0058EE59 . E8 D6DEFFFF call 0058CD34 ; 关键算法
0058EE5E . 8B55 A8 mov edx, [ebp-58] ; (ASCII "MPW4-145356ei8-3593")
0058EE61 . A1 40D45A00 mov eax, [5AD440]
0058EE66 . 8B00 mov eax, [eax]
0058EE68 . 8B80 54040000 mov eax, [eax+454] ; 假码
0058EE6E . E8 3D5EE7FF call 00404CB0 ; 进去真假码比较·[这里可做内存注册器(EDX)]
0058EE73 . 74 44 je short 0058EEB9 ; 相等就跳
0058EE75 . 8D4D A4 lea ecx, [ebp-5C]
0058EE78 . A1 40D45A00 mov eax, [5AD440]
0058EE7D . 8B00 mov eax, [eax]
0058EE7F . 8B90 50040000 mov edx, [eax+450]
0058EE85 . A1 7CD15A00 mov eax, [5AD17C]
0058EE8A . 8B00 mov eax, [eax]
0058EE8C . E8 A3DEFFFF call 0058CD34 ; 关键算法
0058EE91 . 8D45 A4 lea eax, [ebp-5C]
0058EE94 . BA 00F25800 mov edx, 0058F200 ; -sql
0058EE99 . E8 CE5CE7FF call 00404B6C ; 拼接
0058EE9E . 8B55 A4 mov edx, [ebp-5C] ; 拼接后的 (ASCII "MPW4-145356ei8-3593-SQL")
0058EEA1 . A1 40D45A00 mov eax, [5AD440]
0058EEA6 . 8B00 mov eax, [eax]
0058EEA8 . 8B80 54040000 mov eax, [eax+454]
0058EEAE . E8 FD5DE7FF call 00404CB0
0058EEB3 . 0F85 A0000000 jnz 0058EF59 ; 不等就跳
0058EEB9 > A1 40D45A00 mov eax, [5AD440]
0058EEBE . 8B00 mov eax, [eax]
0058EEC0 . C680 4C040000>mov byte ptr [eax+44C], 0
0058EEC7 . 81FB C8000000 cmp ebx, 0C8
0058EECD . 0F8C DC000000 jl 0058EFAF ; 相等就跳
0058EED3 . A1 40D45A00 mov eax, [5AD440]
0058EED8 . 8B00 mov eax, [eax]
0058EEDA . 80B8 10040000>cmp byte ptr [eax+410], 0
0058EEE1 . 75 42 jnz short 0058EF25
0058EEE3 . 8D45 A0 lea eax, [ebp-60]
0058EEE6 . 50 push eax
0058EEE7 . A1 40D45A00 mov eax, [5AD440]
0058EEEC . 8B00 mov eax, [eax]
0058EEEE . 8B80 54040000 mov eax, [eax+454]
0058EEF4 . B9 03000000 mov ecx, 3
0058EEF9 . BA 15000000 mov edx, 15
0058EEFE . E8 C15EE7FF call 00404DC4
========= 0058EE8C . E8 A3DEFFFF call 0058CD34 ===========
0058CD34 /$ 55 push ebp ; 来到这里
0058CD35 |. 8BEC mov ebp, esp
0058CD37 |. 51 push ecx
0058CD38 |. B9 04000000 mov ecx, 4
0058CD3D |> 6A 00 /push 0
0058CD3F |. 6A 00 |push 0
0058CD41 |. 49 |dec ecx
0058CD42 |.^ 75 F9 \jnz short 0058CD3D
0058CD44 |. 51 push ecx
0058CD45 |. 874D FC xchg [ebp-4], ecx
0058CD48 |. 53 push ebx
0058CD49 |. 56 push esi
0058CD4A |. 57 push edi
0058CD4B |. 8BF9 mov edi, ecx
0058CD4D |. 8955 FC mov [ebp-4], edx ; (ASCII "PF2B27K2119S5A")
0058CD50 |. 8B45 FC mov eax, [ebp-4]
0058CD53 |. E8 FC7FE7FF call 00404D54
0058CD58 |. 33C0 xor eax, eax
0058CD5A |. 55 push ebp
0058CD5B |. 68 F5CE5800 push 0058CEF5
0058CD60 |. 64:FF30 push dword ptr fs:[eax]
0058CD63 |. 64:8920 mov fs:[eax], esp
0058CD66 |. 8BC7 mov eax, edi
0058CD68 |. E8 377BE7FF call 004048A4
0058CD6D |. 8B45 FC mov eax, [ebp-4] ; (ASCII "PF2B27K2119S5A")
0058CD70 |. E8 EF7DE7FF call 00404B64
0058CD75 |. 8BF0 mov esi, eax
0058CD77 |. 85F6 test esi, esi
0058CD79 |. 7E 26 jle short 0058CDA1
0058CD7B |. BB 01000000 mov ebx, 1
0058CD80 |> 8D4D EC /lea ecx, [ebp-14] ; / 字符串转为16进制(指机器码)
0058CD83 |. 8B45 FC |mov eax, [ebp-4]
0058CD86 |. 0FB64418 FF |movzx eax, byte ptr [eax+ebx-1]
0058CD8B |. 33D2 |xor edx, edx
0058CD8D |. E8 1ED0E7FF |call 00409DB0
0058CD92 |. 8B55 EC |mov edx, [ebp-14]
0058CD95 |. 8D45 F8 |lea eax, [ebp-8]
0058CD98 |. E8 CF7DE7FF |call 00404B6C
0058CD9D |. 43 |inc ebx
0058CD9E |. 4E |dec esi
0058CD9F |.^ 75 DF \jnz short 0058CD80 ; \ 循环
0058CDA1 |> 8B45 F8 mov eax, [ebp-8] ; (ASCII "5046324232374B32313139533541")
0058CDA4 |. E8 BB7DE7FF call 00404B64
0058CDA9 |. 8BF0 mov esi, eax
0058CDAB |. 85F6 test esi, esi
0058CDAD |. 7E 2C jle short 0058CDDB
0058CDAF |. BB 01000000 mov ebx, 1
0058CDB4 |> 8B45 F8 /mov eax, [ebp-8] ; / 翻转之
0058CDB7 |. E8 A87DE7FF |call 00404B64
0058CDBC |. 2BC3 |sub eax, ebx
0058CDBE |. 8B55 F8 |mov edx, [ebp-8]
0058CDC1 |. 8A1402 |mov dl, [edx+eax]
0058CDC4 |. 8D45 E8 |lea eax, [ebp-18]
0058CDC7 |. E8 C07CE7FF |call 00404A8C
0058CDCC |. 8B55 E8 |mov edx, [ebp-18]
0058CDCF |. 8D45 F4 |lea eax, [ebp-C]
0058CDD2 |. E8 957DE7FF |call 00404B6C
0058CDD7 |. 43 |inc ebx
0058CDD8 |. 4E |dec esi
0058CDD9 |.^ 75 D9 \jnz short 0058CDB4 ; \ 循环
0058CDDB |> 8D45 F8 lea eax, [ebp-8]
0058CDDE |. 50 push eax
0058CDDF |. B9 04000000 mov ecx, 4 ; 长度4
0058CDE4 |. BA 01000000 mov edx, 1 ; 从第一位开始
0058CDE9 |. 8B45 F4 mov eax, [ebp-C] ; 翻转后的 (ASCII "14533593131323B4732324236405")
0058CDEC |. E8 D37FE7FF call 00404DC4
0058CDF1 |. 8D45 F4 lea eax, [ebp-C]
0058CDF4 |. 50 push eax
0058CDF5 |. B9 04000000 mov ecx, 4 ; 长度4
0058CDFA |. BA 05000000 mov edx, 5 ; 从第五位开始
0058CDFF |. 8B45 F4 mov eax, [ebp-C]
0058CE02 |. E8 BD7FE7FF call 00404DC4
0058CE07 |. 8B45 F8 mov eax, [ebp-8] ; 前4位 (ASCII "1453")
0058CE0A |. E8 557DE7FF call 00404B64
0058CE0F |. 83F8 04 cmp eax, 4
0058CE12 |. 7D 2F jge short 0058CE43
0058CE14 |. 8B45 F8 mov eax, [ebp-8]
0058CE17 |. E8 487DE7FF call 00404B64
0058CE1C |. 8BD8 mov ebx, eax
0058CE1E |. 83FB 03 cmp ebx, 3
0058CE21 |. 7F 20 jg short 0058CE43
0058CE23 |> 8D4D E4 /lea ecx, [ebp-1C]
0058CE26 |. 8BC3 |mov eax, ebx
0058CE28 |. C1E0 02 |shl eax, 2
0058CE2B |. 33D2 |xor edx, edx
0058CE2D |. E8 7ECFE7FF |call 00409DB0
0058CE32 |. 8B55 E4 |mov edx, [ebp-1C]
0058CE35 |. 8D45 F8 |lea eax, [ebp-8]
0058CE38 |. E8 2F7DE7FF |call 00404B6C
0058CE3D |. 43 |inc ebx
0058CE3E |. 83FB 04 |cmp ebx, 4
0058CE41 |.^ 75 E0 \jnz short 0058CE23
0058CE43 |> 8B45 F4 mov eax, [ebp-C] ; 第5~8位 (ASCII "3593")
0058CE46 |. E8 197DE7FF call 00404B64
0058CE4B |. 83F8 04 cmp eax, 4
0058CE4E |. 7D 2F jge short 0058CE7F
0058CE50 |. 8B45 F4 mov eax, [ebp-C]
0058CE53 |. E8 0C7DE7FF call 00404B64
0058CE58 |. 8BD8 mov ebx, eax
0058CE5A |. 83FB 03 cmp ebx, 3
0058CE5D |. 7F 20 jg short 0058CE7F
0058CE5F |> 8D4D E0 /lea ecx, [ebp-20]
0058CE62 |. 8BC3 |mov eax, ebx
0058CE64 |. C1E0 02 |shl eax, 2
0058CE67 |. 33D2 |xor edx, edx
0058CE69 |. E8 42CFE7FF |call 00409DB0
0058CE6E |. 8B55 E0 |mov edx, [ebp-20]
0058CE71 |. 8D45 F4 |lea eax, [ebp-C]
0058CE74 |. E8 F37CE7FF |call 00404B6C
0058CE79 |. 43 |inc ebx
0058CE7A |. 83FB 04 |cmp ebx, 4
0058CE7D |.^ 75 E0 \jnz short 0058CE5F
0058CE7F |> 8D45 F0 lea eax, [ebp-10]
0058CE82 |. BA 0CCF5800 mov edx, 0058CF0C ; 常量 (ASCII "MPW456ei878")
0058CE87 |. E8 B07AE7FF call 0040493C
0058CE8C |. 8D45 DC lea eax, [ebp-24]
0058CE8F |. 50 push eax
0058CE90 |. B9 04000000 mov ecx, 4 ; 长度4
0058CE95 |. BA 01000000 mov edx, 1 ; 从第一位开始
0058CE9A |. 8B45 F0 mov eax, [ebp-10]
0058CE9D |. E8 227FE7FF call 00404DC4 ; 取常量的前4位
0058CEA2 |. FF75 DC push dword ptr [ebp-24] ; (ASCII "MPW4")
0058CEA5 |. 68 20CF5800 push 0058CF20 ; -
0058CEAA |. FF75 F8 push dword ptr [ebp-8] ; (ASCII "1453")
0058CEAD |. 8D45 D8 lea eax, [ebp-28]
0058CEB0 |. 50 push eax
0058CEB1 |. B9 05000000 mov ecx, 5 ; 长度5
0058CEB6 |. BA 05000000 mov edx, 5 ; 从第五位开始
0058CEBB |. 8B45 F0 mov eax, [ebp-10]
0058CEBE |. E8 017FE7FF call 00404DC4
0058CEC3 |. FF75 D8 push dword ptr [ebp-28] ; 第5~9位 (ASCII "56ei8")
0058CEC6 |. 68 20CF5800 push 0058CF20 ; -
0058CECB |. FF75 F4 push dword ptr [ebp-C] ; (ASCII "3593")
0058CECE |. 8BC7 mov eax, edi
0058CED0 |. BA 06000000 mov edx, 6
0058CED5 |. E8 4A7DE7FF call 00404C24
0058CEDA |. 33C0 xor eax, eax
0058CEDC |. 5A pop edx
0058CEDD |. 59 pop ecx
0058CEDE |. 59 pop ecx
0058CEDF |. 64:8910 mov fs:[eax], edx
0058CEE2 |. 68 FCCE5800 push 0058CEFC
0058CEE7 |> 8D45 D8 lea eax, [ebp-28]
0058CEEA |. BA 0A000000 mov edx, 0A
0058CEEF |. E8 D479E7FF call 004048C8
0058CEF4 \. C3 retn
0058CEF5 .^ E9 CE72E7FF jmp 004041C8
0058CEFA .^ EB EB jmp short 0058CEE7
0058CEFC . 5F pop edi
0058CEFD . 5E pop esi
0058CEFE . 5B pop ebx
0058CEFF . 8BE5 mov esp, ebp
0058CF01 . 5D pop ebp
0058CF02 . C3 retn
------------------------------------------------------------------------
【破解总结】明码比较的,算法也简单,还是分析下。
1、令机器码为A;
2、将字符串A转为16进制,令其为B;
3、将B翻转后为C;
4、取C的前4位为C1、第5~8位为C2;
5、取常量D(即MPW456ei878)的前4位为D1、第5~9位为D2;
6、注册码K=D1-C1+D2-C2 (这里的“-”为分隔符,“+”为连接符),如我这里的是MPW4-145356ei8-3593
7、注册码K8也可是这样的,K8=K-SQL (这里的“-”为分隔符),如MPW4-145356ei8-3593-SQL
注册信息保存处:
[HKEY_LOCAL_MACHINE\SOFTWARE\vt\mpw]
"Date"=hex:00,00,00,00,e0,23,e3,40
"Name"="PF2B27K2119S5A"
"Pass"="MPW4-145356ei8-3593-SQL"
------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者信息并保持文章的完整, 谢谢! |
|
IP卡
发表于 2007-4-28 16:04:40
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2007-4-29 16:22:51
发表于 2007-5-1 21:55:07
发表于 2007-5-21 11:13:39
发表于 2007-5-22 15:23:08