【破文标题】算法分析入门第十三课
【破文作者】飘云
【作者主页】https://www.chinapyg.com
【破解平台】winxp
【破解工具】PEiD0.93、DEDE、OD
【作者邮箱】[email protected]
【软件名称】更名王2005 2.0.0.0
【软件大小】458KB
【原版下载】http://hn.onlinedown.net/soft/37519.htm
【软件简介】在这里我谢谢各位网友的支持,各位网龄有多大呢?是否有自己的主页呢?不知你们遇见没有,有很多位置都不能大小写混用,自己的
主页在本地用的很好,可是一上传却总是不能用,特别是如果有大量的图片更麻烦,一旦既有大小写,而HTML中却都是小写,用手写又太麻烦了,怎
么办呢?嘻嘻,试一试它吧。请注意,可以乱改名字,现在有历史恢复功能了。一位网友将本地硬盘的文件更改以后文件都不能用了,将需要更
改的文件更改,特别是后缀为EXE;BAT;COM的文件切记切记......建议用800*600的小字体,不然屏幕将一团糟的。
【破解过程】由于这里主要讨论算法分析,脱壳、找关键点没有写,相信大家通过前面的学习已经知道怎么做了,具体请看 视频教学区录像
输入试探信息:
用户名:piaoyun
许可证:007001010003003013031 [注:由上面的用户名自动生成]
注册码:123456789
OD下断来到关键处:
00506F9C push ebp
00506F9D mov ebp,esp
00506F9F mov ecx,5
00506FA4 /push 0
00506FA6 |push 0
00506FA8 |dec ecx
00506FA9 \jnz short unpack.00506FA4
00506FAB push ecx
00506FAC push ebx
00506FAD push esi
00506FAE mov esi,eax
00506FB0 xor eax,eax
00506FB2 push ebp
00506FB3 push unpack.0050720B
00506FB8 push dword ptr fs:[eax]
00506FBB mov dword ptr fs:[eax],esp
00506FBE mov dl,1
00506FC0 mov eax,dword ptr ds:[426714]
00506FC5 call unpack.00426814
00506FCA mov ebx,eax
00506FCC lea edx,dword ptr ss:[ebp-8]
00506FCF mov eax,dword ptr ds:[esi+348]
00506FD5 call unpack.004B33A0
00506FDA mov eax,dword ptr ss:[ebp-8] ; 假码
00506FDD lea edx,dword ptr ss:[ebp-4]
00506FE0 call unpack.00408740
00506FE5 cmp dword ptr ss:[ebp-4],0 ; 是否输入假码
00506FE9 je unpack.00507157
00506FEF lea edx,dword ptr ss:[ebp-10]
00506FF2 mov eax,dword ptr ds:[esi+344]
00506FF8 call unpack.004B33A0
00506FFD mov eax,dword ptr ss:[ebp-10] ; 许可证号
00507000 lea edx,dword ptr ss:[ebp-C]
00507003 call unpack.00408740
00507008 cmp dword ptr ss:[ebp-C],0 ; 是否生成
0050700C je unpack.00507157
00507012 lea edx,dword ptr ss:[ebp-14]
00507015 mov eax,dword ptr ds:[esi+348]
0050701B call unpack.004B33A0
00507020 mov eax,dword ptr ss:[ebp-14]
00507023 push eax
00507024 lea eax,dword ptr ss:[ebp-18]
00507027 push eax
00507028 lea edx,dword ptr ss:[ebp-20]
0050702B mov eax,dword ptr ds:[esi+344]
00507031 call unpack.004B33A0
00507036 mov eax,dword ptr ss:[ebp-20]
00507039 lea edx,dword ptr ss:[ebp-1C]
0050703C call unpack.00408740
00507041 mov edx,dword ptr ss:[ebp-1C]
00507044 mov eax,dword ptr ds:[50DDE8]
00507049 mov eax,dword ptr ds:[eax]
0050704B mov cx,1F4
0050704F call unpack.00506B5C ;算法call,跟进!
00507054 mov edx,dword ptr ss:[ebp-18]
00507057 pop eax
00507058 call unpack.0040472C ;★经典代码★
0050705D jnz unpack.005070F5 ;爆破点
00507063 mov eax,dword ptr ds:[50DDE8]
00507068 mov eax,dword ptr ds:[eax]
0050706A mov byte ptr ds:[eax+64],1
0050706E mov edx,80000000
00507073 mov eax,ebx
00507075 call unpack.004268B4 ;下面开始向注册表写信息
0050707A mov cl,1
0050707C mov edx,unpack.00507220 ; ASCII "\whkldzz"
00507081 mov eax,ebx
00507083 call unpack.00426918
00507088 lea edx,dword ptr ss:[ebp-24]
0050708B mov eax,dword ptr ds:[esi+340]
00507091 call unpack.004B33A0
00507096 mov ecx,dword ptr ss:[ebp-24]
00507099 mov edx,unpack.00507234 ; ASCII "Username"
0050709E mov eax,ebx
005070A0 call unpack.00426C6C
005070A5 lea edx,dword ptr ss:[ebp-28]
005070A8 mov eax,dword ptr ds:[esi+344]
005070AE call unpack.004B33A0
005070B3 mov ecx,dword ptr ss:[ebp-28]
005070B6 mov edx,unpack.00507248 ; ASCII "license"
005070BB mov eax,ebx
005070BD call unpack.00426C6C
005070C2 lea edx,dword ptr ss:[ebp-2C]
005070C5 mov eax,dword ptr ds:[esi+348]
005070CB call unpack.004B33A0
005070D0 mov ecx,dword ptr ss:[ebp-2C]
005070D3 mov edx,unpack.00507258 ; ASCII "regno"
.
.
.省略部分代码
.
.
005071E8 mov edx,2
005071ED call unpack.00404344
005071F2 lea eax,dword ptr ss:[ebp-C]
005071F5 call unpack.00404320
005071FA lea eax,dword ptr ss:[ebp-8]
005071FD call unpack.00404320
00507202 lea eax,dword ptr ss:[ebp-4]
00507205 call unpack.00404320
0050720A retn
***********************call 00506B5C:*********************
00506B5C push ebp
00506B5D mov ebp,esp
00506B5F add esp,-0C
00506B62 push ebx
00506B63 push esi
00506B64 push edi
00506B65 xor ebx,ebx
00506B67 mov dword ptr ss:[ebp-4],ebx
00506B6A mov esi,ecx ; ecx=1F4
00506B6C mov dword ptr ss:[ebp-8],edx ; 许可证号
00506B6F xor eax,eax ; eax清零
00506B71 push ebp
00506B72 push unpack.00506BF9
00506B77 push dword ptr fs:[eax]
00506B7A mov dword ptr fs:[eax],esp
00506B7D mov eax,dword ptr ss:[ebp-8]
00506B80 call unpack.004045E0 ; 许可证长度
00506B85 mov edx,eax
00506B87 lea eax,dword ptr ss:[ebp-4]
00506B8A call unpack.0040496C
00506B8F mov eax,dword ptr ss:[ebp-8]
00506B92 call unpack.004045E0
00506B97 test al,al
00506B99 jbe short unpack.00506BD8
00506B9B mov byte ptr ss:[ebp-9],al ; 长度送到[EBP-9]
00506B9E mov bl,1 ; 初始化bl=1
00506BA0 /lea eax,dword ptr ss:[ebp-4>
00506BA3 |call unpack.00404838
00506BA8 |movzx edi,bl
00506BAB |mov edx,dword ptr ss:[ebp-8>; 许可证
00506BAE |movzx edx,byte ptr ds:[edx+>; 逐位取ascii送到edx
00506BB3 |movzx ecx,si ; 只取低16位si(初值01F4,之后每轮累加)
00506BB6 |shr ecx,8 ; 右移8位
00506BB9 |xor dl,cl ; 异或上面的ascii
00506BBB |mov byte ptr ds:[eax+edi-1]>; 结果保存到[EAX+EDI-1]
00506BBF |mov eax,dword ptr ss:[ebp-8>
00506BC2 |movzx eax,byte ptr ds:[eax+>; 再次取ascii (下面累加作为下次esi的值)
00506BC7 |add si,ax ; si=si+ax
00506BCA |add si,32 ; si=si+32
00506BCE |add si,32 ; si=si+32
00506BD2 |inc ebx
00506BD3 |dec byte ptr ss:[ebp-9] ; 循环条件为: 许可证长度
00506BD6 \jnz short unpack.00506BA0
00506BD8 mov eax,dword ptr ss:[ebp+8]
00506BDB mov edx,dword ptr ss:[ebp-4]
00506BDE call unpack.00404374
00506BE3 xor eax,eax
00506BE5 pop edx
00506BE6 pop ecx
00506BE7 pop ecx
00506BE8 mov dword ptr fs:[eax],edx
00506BEB push unpack.00506C00
00506BF0 lea eax,dword ptr ss:[ebp-4]
00506BF3 call unpack.00404320
00506BF8 retn
上面意思就是说:
每次循环得到的异或结果(dl,即写入[eax+edi-1]的那个字节)转换成字符然后连接起来就是注册码了~
【算法总结】
要学会自己总结哦!!
【注册机】
内存注册机不用说了吧!
贴上一段VB源码:
' Rebuilds the registration string from the licence text, mirroring the routine
' at 00506B5C above: seed a=1F4; for each licence character append the byte
' (a \ 256) Xor Asc(char), then advance a by the character, +32 and +32 again.
Dim xkz, reg, a                       ' i, b, c are used undeclared below (Variant; no Option Explicit is shown)
xkz = Text2.Text                      ' licence string typed into Text2
a = &H1F4                             ' seed; matches mov cx,1F4 at 0050704B
If Len(xkz) <> 0 Then
For i = 1 To Len(xkz)
b = Asc(Mid(xkz, i, 1))               ' i-th licence character as a number (movzx edx at 00506BAE)
c = a \ (2 ^ 8)                       ' a \ 256 stands for shr ecx,8 at 00506BB6. NOTE(review): the disassembly shifts si (16-bit); this line does not truncate a to 16 bits, so both only agree while a <= &HFFFF - not reached for licences of the length shown, confirm for longer ones
c = c Xor b                           ' xor dl,cl at 00506BB9; c may be a non-printable code, the routine stores the raw byte as well
a = a + b                             ' add si,ax  (00506BC7)
a = a + &H32                          ' add si,32  (00506BCA)
a = a + &H32                          ' add si,32  (00506BCE, done twice in the original too)
reg = reg & Chr(c)                    ' append as one character; reg starts Empty, so the first & yields a plain string
Next
Text3 = reg                           ' result shown in Text3
Else
Text3 = "请输入许可证号!"
End If
附:注册信息保存在 HKEY_CLASSES_ROOT\whkldzz(对应上面 0050706E 处的 edx=80000000 与 00507220 处的 "\whkldzz" 字符串,从 00507075 开始写入),删除该键又可以继续研究
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!