【Title】图片吸血鬼 (Picture Vampire) V1.30 algorithm analysis
【Author】lzq1973[PYG][CZG]
【Author e-mail】[email protected]
【Author homepage】
【Tools】OD, PEiD, C32Asm
【Platform】WIN98, WIN2000
【Software】图片吸血鬼 V1.30
【Size】1181 KB
【Original download】http://www4.skycn.com/soft/17808.html
【Protection】no packer
【Description】图片吸血鬼 is a shareware tool that downloads pictures from a website; it can pull down every picture on the site. Features: 1. choose the picture formats to download (such as jpg, gif or swf); 2. set the size of the pictures to download yourself; 3. accurate searching: it can find the pictures on sub-pages as well.
【Statement】I am just a little bird, doing this purely to learn, and happy to share with everyone!
------------------------------------------------------------------------
【Cracking process】
PEiD reports Borland Delphi 6.0 - 7.0 with no packer. Quietly pleased: that is half the job done. Load it in OD and it breaks here:
004F2F7B . 55 push ebp
004F2F7C . 68 75304F00 push DOWN.004F3075
004F2F81 . 64:FF30 push dword ptr fs:[eax]
004F2F84 . 64:8920 mov dword ptr fs:[eax],esp
004F2F87 . B2 01 mov dl,1
004F2F89 . A1 A0B94300 mov eax,dword ptr ds:[43B9A0]
004F2F8E . E8 0D8BF4FF call DOWN.0043BAA0
004F2F93 . 8945 F0 mov dword ptr ss:[ebp-10],eax
004F2F96 . BA 02000080 mov edx,80000002
004F2F9B . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004F2F9E . E8 9D8BF4FF call DOWN.0043BB40
004F2FA3 . 8D45 EC lea eax,dword ptr ss:[ebp-14]
004F2FA6 . BA 48324F00 mov edx,DOWN.004F3248 ; ASCII "Software\zy\Pic" [where the registration info is stored]
004F2FAB . E8 741BF1FF call DOWN.00404B24
004F2FB0 . B1 01 mov cl,1
004F2FB2 . 8B55 EC mov edx,dword ptr ss:[ebp-14]
004F2FB5 . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004F2FB8 . E8 E78BF4FF call DOWN.0043BBA4
004F2FBD . 84C0 test al,al
004F2FBF . 0F84 92000000 je DOWN.004F3057
004F2FC5 . 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
004F2FC8 . BA 60324F00 mov edx,DOWN.004F3260 ; ASCII "Name"
004F2FCD . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004F2FD0 . E8 978DF4FF call DOWN.0043BD6C
004F2FD5 . 8B55 C0 mov edx,dword ptr ss:[ebp-40] ; username
004F2FD8 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F2FDB . 05 F4030000 add eax,3F4
004F2FE0 . E8 FB1AF1FF call DOWN.00404AE0
004F2FE5 . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004F2FE8 . BA 70324F00 mov edx,DOWN.004F3270 ; ASCII "Pass"
004F2FED . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004F2FF0 . E8 778DF4FF call DOWN.0043BD6C
004F2FF5 . 8B55 BC mov edx,dword ptr ss:[ebp-44] ; the entered (fake) serial
004F2FF8 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F2FFB . 05 F8030000 add eax,3F8
004F3000 . E8 DB1AF1FF call DOWN.00404AE0
004F3005 . 33C0 xor eax,eax
004F3007 . 55 push ebp
004F3008 . 68 2E304F00 push DOWN.004F302E
004F300D . 64:FF30 push dword ptr fs:[eax]
004F3010 . 64:8920 mov dword ptr fs:[eax],esp
004F3013 . BA 80324F00 mov edx,DOWN.004F3280 ; ASCII "Date"
004F3018 . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004F301B . E8 348EF4FF call DOWN.0043BE54
004F3020 . DD5D E0 fstp qword ptr ss:[ebp-20]
004F3023 . 9B wait
004F3024 . 33C0 xor eax,eax
004F3026 . 5A pop edx
004F3027 . 59 pop ecx
004F3028 . 59 pop ecx
004F3029 . 64:8910 mov dword ptr fs:[eax],edx
004F302C . EB 29 jmp short DOWN.004F3057
004F302E .^ E9 2511F1FF jmp DOWN.00404158
004F3033 . FF75 DC push dword ptr ss:[ebp-24] ; /Arg2
004F3036 . FF75 D8 push dword ptr ss:[ebp-28] ; |Arg1
004F3039 . BA 80324F00 mov edx,DOWN.004F3280 ; |ASCII "Date"
004F303E . 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; |
004F3041 . E8 FA8DF4FF call DOWN.0043BE40 ; \DOWN.0043BE40
004F3046 . 8B45 D8 mov eax,dword ptr ss:[ebp-28]
004F3049 . 8945 E0 mov dword ptr ss:[ebp-20],eax
004F304C . 8B45 DC mov eax,dword ptr ss:[ebp-24]
004F304F . 8945 E4 mov dword ptr ss:[ebp-1C],eax
004F3052 . E8 6914F1FF call DOWN.004044C0
004F3057 > 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004F305A . E8 B18AF4FF call DOWN.0043BB10
004F305F . 33C0 xor eax,eax
004F3061 . 5A pop edx
004F3062 . 59 pop ecx
004F3063 . 59 pop ecx
004F3064 . 64:8910 mov dword ptr fs:[eax],edx
004F3067 . 68 7C304F00 push DOWN.004F307C
004F306C > 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004F306F . E8 040CF1FF call DOWN.00403C78
004F3074 . C3 retn
004F3075 .^ E9 9213F1FF jmp DOWN.0040440C
004F307A .^ EB F0 jmp short DOWN.004F306C
004F307C . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
004F307F . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F3082 . 8B90 F4030000 mov edx,dword ptr ds:[eax+3F4] ; username
004F3088 . A1 DC864F00 mov eax,dword ptr ds:[4F86DC]
004F308D . 8B00 mov eax,dword ptr ds:[eax]
004F308F . E8 4CDEFFFF call DOWN.004F0EE0 ; registration algorithm
004F3094 . 8B55 B8 mov edx,dword ptr ss:[ebp-48] ; registration code (ASCII "Pic4-3373ei8es-9313")
004F3097 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F309A . 8B80 F8030000 mov eax,dword ptr ds:[eax+3F8] ; the entered (fake) serial
004F30A0 . E8 F31DF1FF call DOWN.00404E98
004F30A5 . 75 25 jnz short DOWN.004F30CC
004F30A7 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F30AA . C680 EC030000 >mov byte ptr ds:[eax+3EC],0
004F30B1 . 8B55 F4 mov edx,dword ptr ss:[ebp-C]
004F30B4 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F30B7 . E8 2064F7FF call DOWN.004694DC
004F30BC . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F30BF . 8B80 68030000 mov eax,dword ptr ds:[eax+368]
004F30C5 . 33D2 xor edx,edx
004F30C7 . E8 F886F8FF call DOWN.0047B7C4
004F30CC > 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F30CF . 80B8 EC030000 >cmp byte ptr ds:[eax+3EC],0
004F30D6 . 0F84 BE000000 je DOWN.004F319A
004F30DC . DD45 D8 fld qword ptr ss:[ebp-28]
004F30DF . DC65 E0 fsub qword ptr ss:[ebp-20]
004F30E2 . DD5D D0 fstp qword ptr ss:[ebp-30]
004F30E5 . 9B wait
004F30E6 . D905 88324F00 fld dword ptr ds:[4F3288]
004F30EC . DC65 D0 fsub qword ptr ss:[ebp-30]
004F30EF . E8 D0FBF0FF call DOWN.00402CC4
004F30F4 . 8BD8 mov ebx,eax
004F30F6 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F30F9 . 8998 FC030000 mov dword ptr ds:[eax+3FC],ebx
004F30FF . 85DB test ebx,ebx
004F3101 . 7D 0B jge short DOWN.004F310E
004F3103 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F3106 . 33D2 xor edx,edx
004F3108 . 8990 FC030000 mov dword ptr ds:[eax+3FC],edx
004F310E > FF75 F4 push dword ptr ss:[ebp-C]
004F3111 . 68 94324F00 push DOWN.004F3294 ; \->: (未注册版 还剩
004F3116 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F3119 . DB80 FC030000 fild dword ptr ds:[eax+3FC]
004F311F . 83C4 F4 add esp,-0C
004F3122 . DB3C24 fstp tbyte ptr ss:[esp] ; |
004F3125 . 9B wait ; |
004F3126 . 8D45 B0 lea eax,dword ptr ss:[ebp-50] ; |
004F3129 . E8 E67AF1FF call DOWN.0040AC14 ; \DOWN.0040AC14
004F312E . FF75 B0 push dword ptr ss:[ebp-50]
004F3131 . 68 B0324F00 push DOWN.004F32B0 ; \->: 天)
004F3136 . 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
004F3139 . BA 04000000 mov edx,4
004F313E . E8 C91CF1FF call DOWN.00404E0C
004F3143 . 8B55 B4 mov edx,dword ptr ss:[ebp-4C]
004F3146 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F3149 . E8 8E63F7FF call DOWN.004694DC
004F314E . DD45 D0 fld qword ptr ss:[ebp-30]
004F3151 . D81D 88324F00 fcomp dword ptr ds:[4F3288]
004F3157 . DFE0 fstsw ax
004F3159 . 9E sahf
At this point the registration code has already appeared, but the job is not finished yet, so let's keep going!
-------------Follow 004F308F E8 4CDEFFFF call DOWN.004F0EE0 and arrive here--------------
004F0EE0 /$ 55 push ebp
004F0EE1 |. 8BEC mov ebp,esp
004F0EE3 |. 51 push ecx
004F0EE4 |. B9 04000000 mov ecx,4
004F0EE9 |> 6A 00 /push 0 ; /4 (i.e. non-empty)
004F0EEB |. 6A 00 |push 0 ; |
004F0EED |. 49 |dec ecx ; |decrement
004F0EEE |.^ 75 F9 \jnz short DOWN.004F0EE9 ; \loop
004F0EF0 |. 51 push ecx
004F0EF1 |. 874D FC xchg dword ptr ss:[ebp-4],ecx
004F0EF4 |. 53 push ebx
004F0EF5 |. 56 push esi
004F0EF6 |. 57 push edi
004F0EF7 |. 8BF9 mov edi,ecx
004F0EF9 |. 8955 FC mov dword ptr ss:[ebp-4],edx ; username
004F0EFC |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F0EFF |. E8 3840F1FF call DOWN.00404F3C
004F0F04 |. 33C0 xor eax,eax
004F0F06 |. 55 push ebp
004F0F07 |. 68 A1104F00 push DOWN.004F10A1
004F0F0C |. 64:FF30 push dword ptr fs:[eax]
004F0F0F |. 64:8920 mov dword ptr fs:[eax],esp
004F0F12 |. 8BC7 mov eax,edi
004F0F14 |. E8 733BF1FF call DOWN.00404A8C
004F0F19 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004F0F1C |. E8 2B3EF1FF call DOWN.00404D4C
004F0F21 |. 8BF0 mov esi,eax
004F0F23 |. 85F6 test esi,esi
004F0F25 |. 7E 26 jle short DOWN.004F0F4D
004F0F27 |. BB 01000000 mov ebx,1
004F0F2C |> 8D4D EC /lea ecx,dword ptr ss:[ebp-14] ; /convert the username to hex
004F0F2F |. 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; |username
004F0F32 |. 0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx-1] ; one byte at a time
004F0F37 |. 33D2 |xor edx,edx ; |
004F0F39 |. E8 C285F1FF |call DOWN.00409500 ; |
004F0F3E |. 8B55 EC |mov edx,dword ptr ss:[ebp-14] ; |converted to hex
004F0F41 |. 8D45 F8 |lea eax,dword ptr ss:[ebp-8] ; |
004F0F44 |. E8 0B3EF1FF |call DOWN.00404D54 ; |
004F0F49 |. 43 |inc ebx ; |
004F0F4A |. 4E |dec esi ; |
004F0F4B |.^ 75 DF \jnz short DOWN.004F0F2C ; \loop
004F0F4D |> 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; after conversion (ASCII "6C7A7131393733")
004F0F50 |. E8 F73DF1FF call DOWN.00404D4C
004F0F55 |. 8BF0 mov esi,eax
004F0F57 |. 85F6 test esi,esi
004F0F59 |. 7E 2C jle short DOWN.004F0F87
004F0F5B |. BB 01000000 mov ebx,1
004F0F60 |> 8B45 F8 /mov eax,dword ptr ss:[ebp-8] ; /reverse the hex string made from the username (i.e. ASCII "6C7A7131393733")
004F0F63 |. E8 E43DF1FF |call DOWN.00404D4C ; |
004F0F68 |. 2BC3 |sub eax,ebx ; |which character to take
004F0F6A |. 8B55 F8 |mov edx,dword ptr ss:[ebp-8] ; |
004F0F6D |. 8A1402 |mov dl,byte ptr ds:[edx+eax] ; |
004F0F70 |. 8D45 E8 |lea eax,dword ptr ss:[ebp-18] ; |
004F0F73 |. E8 FC3CF1FF |call DOWN.00404C74 ; |
004F0F78 |. 8B55 E8 |mov edx,dword ptr ss:[ebp-18] ; |
004F0F7B |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C] ; |
004F0F7E |. E8 D13DF1FF |call DOWN.00404D54 ; |
004F0F83 |. 43 |inc ebx ; |
004F0F84 |. 4E |dec esi ; |
004F0F85 |.^ 75 D9 \jnz short DOWN.004F0F60 ; \loop
004F0F87 |> 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004F0F8A |. 50 push eax
004F0F8B |. B9 04000000 mov ecx,4 ; /take 4 characters
004F0F90 |. BA 01000000 mov edx,1 ; |starting at position 1
004F0F95 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; \the reversed string goes into EAX, i.e. ASCII "3373931317A7C6"
004F0F98 |. E8 0F40F1FF call DOWN.00404FAC
004F0F9D |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004F0FA0 |. 50 push eax
004F0FA1 |. B9 04000000 mov ecx,4 ; /take 4 characters
004F0FA6 |. BA 05000000 mov edx,5 ; |starting at position 5
004F0FAB |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; \the reversed string goes into EAX, i.e. ASCII "3373931317A7C6"
004F0FAE |. E8 F93FF1FF call DOWN.00404FAC
004F0FB3 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; characters 1-4 (ASCII "3373")
004F0FB6 |. E8 913DF1FF call DOWN.00404D4C
004F0FBB |. 83F8 04 cmp eax,4 ; is the length 4?
004F0FBE |. 7D 2F jge short DOWN.004F0FEF ; jump if it is 4
004F0FC0 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004F0FC3 |. E8 843DF1FF call DOWN.00404D4C
004F0FC8 |. 8BD8 mov ebx,eax
004F0FCA |. 83FB 03 cmp ebx,3
004F0FCD |. 7F 20 jg short DOWN.004F0FEF
004F0FCF |> 8D4D E4 /lea ecx,dword ptr ss:[ebp-1C]
004F0FD2 |. 8BC3 |mov eax,ebx
004F0FD4 |. C1E0 02 |shl eax,2
004F0FD7 |. 33D2 |xor edx,edx
004F0FD9 |. E8 2285F1FF |call DOWN.00409500
004F0FDE |. 8B55 E4 |mov edx,dword ptr ss:[ebp-1C]
004F0FE1 |. 8D45 F8 |lea eax,dword ptr ss:[ebp-8]
004F0FE4 |. E8 6B3DF1FF |call DOWN.00404D54
004F0FE9 |. 43 |inc ebx
004F0FEA |. 83FB 04 |cmp ebx,4
004F0FED |.^ 75 E0 \jnz short DOWN.004F0FCF
004F0FEF |> 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; characters 5-8, i.e. ASCII "9313"
004F0FF2 |. E8 553DF1FF call DOWN.00404D4C
004F0FF7 |. 83F8 04 cmp eax,4 ; is the length 4?
004F0FFA |. 7D 2F jge short DOWN.004F102B ; jump if it is 4
004F0FFC |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004F0FFF |. E8 483DF1FF call DOWN.00404D4C
004F1004 |. 8BD8 mov ebx,eax
004F1006 |. 83FB 03 cmp ebx,3
004F1009 |. 7F 20 jg short DOWN.004F102B
004F100B |> 8D4D E0 /lea ecx,dword ptr ss:[ebp-20]
004F100E |. 8BC3 |mov eax,ebx
004F1010 |. C1E0 02 |shl eax,2
004F1013 |. 33D2 |xor edx,edx
004F1015 |. E8 E684F1FF |call DOWN.00409500
004F101A |. 8B55 E0 |mov edx,dword ptr ss:[ebp-20]
004F101D |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
004F1020 |. E8 2F3DF1FF |call DOWN.00404D54
004F1025 |. 43 |inc ebx
004F1026 |. 83FB 04 |cmp ebx,4
004F1029 |.^ 75 E0 \jnz short DOWN.004F100B
004F102B |> 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004F102E |. BA B8104F00 mov edx,DOWN.004F10B8 ; constant (ASCII "Pic4ei8espr")
004F1033 |. E8 EC3AF1FF call DOWN.00404B24
004F1038 |. 8D45 DC lea eax,dword ptr ss:[ebp-24]
004F103B |. 50 push eax
004F103C |. B9 04000000 mov ecx,4 ; /take 4 characters
004F1041 |. BA 01000000 mov edx,1 ; |starting at position 1
004F1046 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; |string to cut from (ASCII "Pic4ei8espr")
004F1049 |. E8 5E3FF1FF call DOWN.00404FAC ; |
004F104E |. FF75 DC push dword ptr ss:[ebp-24] ; \push (ASCII "Pic4")
004F1051 |. 68 CC104F00 push DOWN.004F10CC
004F1056 |. FF75 F8 push dword ptr ss:[ebp-8] ; push (ASCII "3373")
004F1059 |. 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004F105C |. 50 push eax
004F105D |. B9 05000000 mov ecx,5 ; /take 5 characters
004F1062 |. BA 05000000 mov edx,5 ; |starting at position 5
004F1067 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; |string to cut from (ASCII "Pic4ei8espr")
004F106A |. E8 3D3FF1FF call DOWN.00404FAC ; |
004F106F |. FF75 D8 push dword ptr ss:[ebp-28] ; \push (ASCII "ei8es")
004F1072 |. 68 CC104F00 push DOWN.004F10CC
004F1077 |. FF75 F4 push dword ptr ss:[ebp-C] ; push (ASCII "9313")
004F107A |. 8BC7 mov eax,edi
004F107C |. BA 06000000 mov edx,6
004F1081 |. E8 863DF1FF call DOWN.00404E0C ; concatenate the registration code
004F1086 |. 33C0 xor eax,eax ; DOWN.004F1086
004F1088 |. 5A pop edx
004F1089 |. 59 pop ecx
004F108A |. 59 pop ecx
004F108B |. 64:8910 mov dword ptr fs:[eax],edx
004F108E |. 68 A8104F00 push DOWN.004F10A8
004F1093 |> 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004F1096 |. BA 0A000000 mov edx,0A
004F109B |. E8 103AF1FF call DOWN.00404AB0
004F10A0 \. C3 retn
004F10A1 .^ E9 6633F1FF jmp DOWN.0040440C
004F10A6 .^ EB EB jmp short DOWN.004F1093
004F10A8 . 5F pop edi
004F10A9 . 5E pop esi
004F10AA . 5B pop ebx
004F10AB . 8BE5 mov esp,ebp
004F10AD . 5D pop ebp
004F10AE . C3 retn
That's it! This little bird can only get this far.
------------------------------------------------------------------------
【Algorithm summary】
The algorithm is actually quite simple: convert the username (ideally longer than 4 characters; the program calls it the machine code) to hex, then reverse it; take characters 1-4 (the first half of the middle part of the registration code) and characters 5-8 (the third part). Then take characters 1-4 of the constant "Pic4ei8espr" (the first part) and characters 5-9 (the second half of the middle part). Parts 1, 2 and 3 are separated by "-". For example (note the case):
Machine code: lzq1973[PYG]
Registration code: Pic4-D574ei8es-9505
or
Machine code: lzq1973[CZG]
Registration code: Pic4-D574ei8es-A534
The registration info is stored under HKEY_LOCAL_MACHINE\Software\zy\Pic; delete it and you can play with it again~. Save the part below as a .REG file and import it to complete the registration.
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\zy\Pic]
"Date"=hex:00,00,00,00,60,ec,e2,40
"Name"="中国人"
"Pass"="Pic4-BC8Cei8es-AF9B"
Simple, isn't it? No need for a keygen; an ASCII and base conversion tool is all you need.
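The check reconstructed as runnable Python, as an added example for this write-up and not the program's own source: the function names, the GBK code page for the name bytes (which the "中国人" .reg entry above implies) and the reading of the short-name padding loops at 004F0FCF/004F100B are my assumptions. It shows why a scheme like this is no protection: the serial is a fixed function of the name and one hard-coded constant, with nothing secret involved.

```python
CONSTANT = "Pic4ei8espr"      # the string at 004F10B8
ANSI_CODEPAGE = "gbk"         # assumption: Chinese-Windows ANSI code page;
                              # the "中国人" .reg entry matches byte-wise GBK


def hex_reversed(name: bytes) -> str:
    """Loop at 004F0F2C: every byte becomes upper-case hex; the loop at
    004F0F60 then reverses the whole string character by character."""
    # Assumption: DOWN.00409500 is IntToHex(value, 0), so a byte below 0x10
    # would give a single digit. Printable names never hit that case.
    return "".join(f"{b:X}" for b in name)[::-1]


def pad_to_four(part: str) -> str:
    """Loops at 004F0FCF / 004F100B: while the piece is shorter than 4
    characters, IntToHex(len * 4) is appended (0, 4, 8, C)."""
    n = len(part)
    while n < 4:
        part += f"{n * 4:X}"
        n += 1
    return part


def expected_serial(name: str) -> str:
    """What the program derives from the Name it reads out of
    HKLM\\Software\\zy\\Pic, i.e. the value it compares against Pass."""
    rev = hex_reversed(name.encode(ANSI_CODEPAGE))
    mid1 = pad_to_four(rev[0:4])   # Copy(rev, 1, 4) at 004F0F98
    third = pad_to_four(rev[4:8])  # Copy(rev, 5, 4) at 004F0FAE
    first = CONSTANT[0:4]          # Copy(const, 1, 4) -> "Pic4"
    mid2 = CONSTANT[4:9]           # Copy(const, 5, 5) -> "ei8es"
    # Concatenation at 004F1081, with "-" (004F10CC) pushed twice
    return f"{first}-{mid1}{mid2}-{third}"


def serial_is_valid(name: str, serial: str) -> bool:
    """The comparison at 004F30A0: plain, case-sensitive string equality."""
    return serial == expected_serial(name)


if __name__ == "__main__":
    # Constructed sample names; the first four are the ones the write-up shows
    for n in ("lzq1973", "lzq1973[PYG]", "lzq1973[CZG]", "中国人", "a"):
        print(f"{n!r:16} -> {expected_serial(n)}")
```

The last name exercises the padding branch, which the summary above skips because it only matters for names shorter than four characters.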
------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!