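【Write-up title】壁纸雷达 (Wallpaper Radar) v2007b.11: algorithm analysis + keygen source
【Author】狼孩
【Tools】PEiD 0.94 + flyODBG
【Platform】A genuinely pirated copy of XP SP2
【Software name】壁纸雷达 v2007b.11
【Software size】1.59MB
【Original download】http://shareware.skycn.com/soft/2874.htm
【Software description】壁纸雷达 is a compact wallpaper utility. Its most prominent feature is that it downloads the newest and coolest wallpapers from the Internet every day and sets them as your desktop without you noticing.
【Statement】For technical exchange only, with no other purpose. If there are mistakes, corrections from the experts are welcome!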
------------------------------------------------------------------------------------------
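【Cracking process】
wallrada.exe is the main program of 壁纸雷达, and wrmain.exe is its settings program (which contains the registration module). Run wrmain.exe, find the registration module and click Register: a message is shown. Heh, that makes things easy. So, without further ado: load wrmain.exe into PEiD to check for a packer → not packed, Borland Delphi 6.0 - 7.0. Then immediately load wrmain.exe in flyODBG and use the "Ultra String Reference" plugin by the expert 罗聪 to "Find ASCII", which turns up the following strings:
Ultra String Reference
Address Disassembly Text string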
004D3671 MOV ECX,wrmain.004D36C8 favorite.exe
004D3684 PUSH wrmain.004D36D8 Open
004D37BC MOV EDX,wrmain.004D3980 恭喜您,注册成功! 感谢您的支持!!!
004D3882 PUSH wrmain.004D39AC .
004D38E0 MOV EDX,wrmain.004D39B8 已注册 - 壁纸雷达感谢您的支持!
004D38FC MOV EDX,wrmain.004D39D8 注册码不正确, 请查实.
004D3930 MOV EDX,wrmain.004D39D8 注册码不正确, 请查实.
Double-click the entry at 004D38FC to arrive at:
004D38FC |. BA D8394D00 MOV EDX,wrmain.004D39D8 ; 注册码不正确, 请查实.
// We arrive here!
Looking upward, the whole registration calculation can be seen. Good, set a breakpoint at the start of the algorithm:
004D36E0 /. 55 PUSH EBP // set a breakpoint here
004D36E1 |. 8BEC MOV EBP,ESP
004D36E3 |. 81C4 E8FEFFFF ADD ESP,-118
Then press F9 to run, click "软件注册" (Software Registration), enter an e-mail address in the E-mail box and click Submit, then enter a fake code in the registration code box, as follows:
E-mail: [email protected]
Registration code: 123456789012
Click Register, and OD breaks immediately.
004D36E0 /. 55 PUSH EBP // breaks here; single-step with F8
004D36E1 |. 8BEC MOV EBP,ESP
004D36E3 |. 81C4 E8FEFFFF ADD ESP,-118
004D36E9 |. 53 PUSH EBX
004D36EA |. 56 PUSH ESI
004D36EB |. 57 PUSH EDI
004D36EC |. 33C9 XOR ECX,ECX
004D36EE |. 898D F0FEFFFF MOV DWORD PTR SS:[EBP-110],ECX
004D36F4 |. 898D ECFEFFFF MOV DWORD PTR SS:[EBP-114],ECX
004D36FA |. 898D E8FEFFFF MOV DWORD PTR SS:[EBP-118],ECX
004D3700 |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
004D3703 |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
004D3706 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004D3709 |. 33C0 XOR EAX,EAX
004D370B |. 55 PUSH EBP
004D370C |. 68 6F394D00 PUSH wrmain.004D396F
004D3711 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004D3714 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004D3717 |. 66:BE 4F04 MOV SI,44F
004D371B |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004D371E |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004D3721 |. 8B80 68030000 MOV EAX,DWORD PTR DS:[EAX+368]
004D3727 |. E8 8CDCF6FF CALL wrmain.004413B8
004D372C |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004D372F |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004D3732 |. E8 B956F3FF CALL wrmain.00408DF0
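004D3737 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] // pass the fake code to EAX
004D373A |. E8 35E7FFFF CALL wrmain.004D1E74 // check whether the registration code is empty
004D373F |. 84C0 TEST AL,AL
004D3741 |. 74 08 JE SHORT wrmain.004D374B // jump if it is not empty; if it does not jump, it's over
004D3743 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004D3746 |. E8 8D11F3FF CALL wrmain.004048D8
004D374B |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] // the jump lands here; pass the fake code to EAX
004D374E |. E8 3D14F3FF CALL wrmain.00404B90 // determine the length of the registration code
004D3753 |. 83F8 0B CMP EAX,0B // compare the registration code length with hex B
004D3756 |. 0F8E C4010000 JLE wrmain.004D3920
// jump if less than or equal; jumping means it's over, i.e. the registration code must be longer than 11 characters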
004D375C |. 33DB XOR EBX,EBX
004D375E |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004D3761 |. E8 2A14F3FF CALL wrmain.00404B90
004D3766 |. 8BD0 MOV EDX,EAX
004D3768 |. 85D2 TEST EDX,EDX
004D376A |. 7E 25 JLE SHORT wrmain.004D3791 // if the length is zero, it's over
004D376C |. B8 01000000 MOV EAX,1 // move 1 into EAX, i.e. EAX=1
004D3771 |> 8B4D F8 /MOV ECX,DWORD PTR SS:[EBP-8] // put the fake code in ECX
004D3774 |. 0FB64C01 FF |MOVZX ECX,BYTE PTR DS:[ECX+EAX-1]
// take the characters of the fake code one by one, in order, into ECX
004D3779 |. 0FB7FE |MOVZX EDI,SI // load the fixed hex value 044F into EDI
004D377C |. C1EF 08 |SHR EDI,8 // logical shift right of EDI by 8 bits
004D377F |. 33CF |XOR ECX,EDI // XOR ECX with EDI, result in ECX
004D3781 |. BF 12000000 |MOV EDI,12 // assign hex 12 to EDI
004D3786 |. 2BF8 |SUB EDI,EAX // subtract EAX from EDI, result in EDI
004D3788 |. 0FAFCF |IMUL ECX,EDI // multiply ECX by EDI, result in ECX
004D378B |. 03D9 |ADD EBX,ECX
// add ECX to EBX, result in EBX; this sums up the calculation result of every character
004D378D |. 40 |INC EAX // increment EAX
004D378E |. 4A |DEC EDX // decrement EDX
004D378F |.^ 75 E0 \JNZ SHORT wrmain.004D3771
// keep looping while characters of the registration code remain
004D3791 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] // pass the fake code to EAX
004D3794 |. 0FB640 05 MOVZX EAX,BYTE PTR DS:[EAX+5]
// take the sixth character of the fake code into EAX
004D3798 |. 6BC0 13 IMUL EAX,EAX,13
// multiply EAX by hex 13, result in EAX
004D379B |. 50 PUSH EAX // push EAX
004D379C |. 8BC3 MOV EAX,EBX // copy EBX into EAX
004D379E |. 5A POP EDX // pop into EDX
004D379F |. 8BCA MOV ECX,EDX // copy EDX into ECX
004D37A1 |. 99 CDQ
004D37A2 |. F7F9 IDIV ECX // divide EAX by ECX; quotient in EAX, remainder in EDX
004D37A4 |. 85D2 TEST EDX,EDX
004D37A6 0F85 40010000 JNZ wrmain.004D38EC
// jump if EDX is non-zero; jumping means it's over. This is the legendary key jump. The algorithm analysis ends here; what follows is not annotated!
004D37AC |. 6A 00 PUSH 0
004D37AE |. A1 EC754D00 MOV EAX,DWORD PTR DS:[4D75EC]
004D37B3 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004D37B5 |. E8 CE15F3FF CALL wrmain.00404D88
004D37BA |. 8BC8 MOV ECX,EAX
004D37BC |. BA 80394D00 MOV EDX,wrmain.004D3980 ; 恭喜您,注册成功! 感谢您的支持!!!
004D37C1 |. A1 D0784D00 MOV EAX,DWORD PTR DS:[4D78D0]
004D37C6 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004D37C8 |. E8 6FDDF8FF CALL wrmain.0046153C
004D37CD |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004D37D0 |. 8B80 68030000 MOV EAX,DWORD PTR DS:[EAX+368]
004D37D6 |. B2 01 MOV DL,1
004D37D8 |. E8 0FE3F5FF CALL wrmain.00431AEC
004D37DD |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004D37E0 |. 8B80 34030000 MOV EAX,DWORD PTR DS:[EAX+334]
004D37E6 |. 33D2 XOR EDX,EDX
004D37E8 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004D37EA |. FF51 64 CALL NEAR DWORD PTR DS:[ECX+64]
004D37ED |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004D37F0 |. 8B80 1C040000 MOV EAX,DWORD PTR DS:[EAX+41C]
004D37F6 |. B2 01 MOV DL,1
004D37F8 |. E8 EFE2F5FF CALL wrmain.00431AEC
004D37FD |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004D3800 |. 8B80 B8030000 MOV EAX,DWORD PTR DS:[EAX+3B8]
004D3806 |. B2 01 MOV DL,1
004D3808 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004D380A |. FF51 64 CALL NEAR DWORD PTR DS:[ECX+64]
004D380D |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004D3810 |. 8B80 10040000 MOV EAX,DWORD PTR DS:[EAX+410]
004D3816 |. B2 01 MOV DL,1
004D3818 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004D381A |. FF51 64 CALL NEAR DWORD PTR DS:[ECX+64]
004D381D |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004D3820 |. 8B80 DC030000 MOV EAX,DWORD PTR DS:[EAX+3DC]
004D3826 |. 33D2 XOR EDX,EDX
004D3828 |. E8 BBDBF6FF CALL wrmain.004413E8
004D382D |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004D3830 |. 8B80 0C040000 MOV EAX,DWORD PTR DS:[EAX+40C]
004D3836 |. 33D2 XOR EDX,EDX
004D3838 |. E8 ABDBF6FF CALL wrmain.004413E8
004D383D |. 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C]
004D3843 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004D3846 |. B9 FF000000 MOV ECX,0FF
004D384B |. E8 1C13F3FF CALL wrmain.00404B6C
004D3850 |. 8D95 F4FEFFFF LEA EDX,DWORD PTR SS:[EBP-10C]
004D3856 |. A1 9C794D00 MOV EAX,DWORD PTR DS:[4D799C]
004D385B |. 05 E0000000 ADD EAX,0E0
004D3860 |. B1 10 MOV CL,10
004D3862 |. E8 71F7F2FF CALL wrmain.00402FD8
004D3867 |. 8D8D ECFEFFFF LEA ECX,DWORD PTR SS:[EBP-114]
004D386D |. BA 0A000000 MOV EDX,0A
004D3872 |. A1 24A04D00 MOV EAX,DWORD PTR DS:[4DA024]
004D3877 |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
004D3879 |. FF53 0C CALL NEAR DWORD PTR DS:[EBX+C]
004D387C |. FFB5 ECFEFFFF PUSH DWORD PTR SS:[EBP-114]
004D3882 |. 68 AC394D00 PUSH wrmain.004D39AC ; .
004D3887 |. 8D95 E8FEFFFF LEA EDX,DWORD PTR SS:[EBP-118]
004D388D |. A1 9C794D00 MOV EAX,DWORD PTR DS:[4D799C]
004D3892 |. 8B80 F4000000 MOV EAX,DWORD PTR DS:[EAX+F4]
004D3898 |. E8 E356F3FF CALL wrmain.00408F80
004D389D |. FFB5 E8FEFFFF PUSH DWORD PTR SS:[EBP-118]
004D38A3 |. 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
004D38A9 |. BA 03000000 MOV EDX,3
004D38AE |. E8 9D13F3FF CALL wrmain.00404C50
004D38B3 |. 8B95 F0FEFFFF MOV EDX,DWORD PTR SS:[EBP-110]
004D38B9 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004D38BC |. 8B80 F0020000 MOV EAX,DWORD PTR DS:[EAX+2F0]
004D38C2 |. E8 85C6FDFF CALL wrmain.004AFF4C
004D38C7 |. A1 14764D00 MOV EAX,DWORD PTR DS:[4D7614]
004D38CC |. C600 01 MOV BYTE PTR DS:[EAX],1
004D38CF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004D38D2 |. E8 ADE4FFFF CALL wrmain.004D1D84
004D38D7 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004D38DA |. 8B80 68030000 MOV EAX,DWORD PTR DS:[EAX+368]
004D38E0 |. BA B8394D00 MOV EDX,wrmain.004D39B8 ; 已注册 - 壁纸雷达感谢您的支持!
004D38E5 |. E8 FEDAF6FF CALL wrmain.004413E8
004D38EA |. EB 55 JMP SHORT wrmain.004D3941
004D38EC |> 6A 00 PUSH 0
004D38EE |. A1 EC754D00 MOV EAX,DWORD PTR DS:[4D75EC]
004D38F3 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004D38F5 |. E8 8E14F3FF CALL wrmain.00404D88
004D38FA |. 8BC8 MOV ECX,EAX
004D38FC |. BA D8394D00 MOV EDX,wrmain.004D39D8 ; 注册码不正确, 请查实.
004D3901 |. A1 D0784D00 MOV EAX,DWORD PTR DS:[4D78D0]
004D3906 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004D3908 |. E8 2FDCF8FF CALL wrmain.0046153C