**** Home Finance: analysis of a very simple MD5 algorithm
【Author】: tzl
【Author email】: none
【Software name】: *** Home Finance
【Software size】: 1224KB
【Download URL】: http://www.newhua.com/soft/52975.htm
【Packer】: none
【Protection】: registration code
【Language】: Microsoft Visual C++ 7.0
【Tools】: OD PEID
【Platform】: XP SP2
【Software description】:
*** Home Finance is a handy assistant for personal, household and small-business finances. It lets the customer easily see how much has been spent, how much has been earned, how much cash is on hand and how much is in savings, and it quickly covers all kinds of statistical needs!
The algorithm is very simple and well suited for beginners to learn from; I am sharing it here so that we newcomers can improve together.
1. Packer check: none.
2. Based on the string references, we can set a breakpoint here and start the analysis:
Registration name: tigerisme
Region: ***
Email: [email protected]
Registration date: 20061121
Password: 123456789
00452EBC . 55 push ebp
00452EBD . 56 push esi
00452EBE . 8BF1 mov esi, ecx
00452EC0 . 57 push edi
00452EC1 . 8D4C24 20 lea ecx, dword ptr [esp+20]
00452EC5 . E8 308A0000 call <jmp.&MFC42.#540>
00452ECA . 8D4C24 14 lea ecx, dword ptr [esp+14]
00452ECE . C78424 240100>mov dword ptr [esp+124], 0
00452ED9 . E8 1C8A0000 call <jmp.&MFC42.#540>
00452EDE . 8D4C24 1C lea ecx, dword ptr [esp+1C]
00452EE2 . C68424 240100>mov byte ptr [esp+124], 1
00452EEA . E8 0B8A0000 call <jmp.&MFC42.#540>
00452EEF . 8D4C24 10 lea ecx, dword ptr [esp+10]
00452EF3 . C68424 240100>mov byte ptr [esp+124], 2
00452EFB . E8 FA890000 call <jmp.&MFC42.#540>
00452F00 . 8D4C24 18 lea ecx, dword ptr [esp+18]
00452F04 . C68424 240100>mov byte ptr [esp+124], 3
00452F0C . E8 E9890000 call <jmp.&MFC42.#540>
00452F11 . 8D4424 20 lea eax, dword ptr [esp+20]
00452F15 . 8BCE mov ecx, esi
00452F17 . 50 push eax
00452F18 . 68 2B040000 push 42B
00452F1D . C68424 2C0100>mov byte ptr [esp+12C], 4
00452F25 . E8 4A8B0000 call <jmp.&MFC42.#3097>
00452F2A . 8D4C24 14 lea ecx, dword ptr [esp+14] ; ecx=tigerisme
00452F2E . 51 push ecx
00452F2F . 68 2D040000 push 42D
00452F34 . 8BCE mov ecx, esi
00452F36 . E8 398B0000 call <jmp.&MFC42.#3097>
00452F3B . 8D5424 1C lea edx, dword ptr [esp+1C] ; [email protected]
00452F3F . 8BCE mov ecx, esi
00452F41 . 52 push edx
00452F42 . 68 2E040000 push 42E
00452F47 . E8 288B0000 call <jmp.&MFC42.#3097>
00452F4C . 8D4424 10 lea eax, dword ptr [esp+10]
00452F50 . 8BCE mov ecx, esi
00452F52 . 50 push eax
00452F53 . 68 2F040000 push 42F
00452F58 . E8 178B0000 call <jmp.&MFC42.#3097>
00452F5D . 8D4C24 18 lea ecx, dword ptr [esp+18] ; ecx=20061121
00452F61 . 51 push ecx
00452F62 . 68 30040000 push 430
00452F67 . 8BCE mov ecx, esi
00452F69 . E8 068B0000 call <jmp.&MFC42.#3097>
00452F6E . 8B5424 20 mov edx, dword ptr [esp+20]
00452F72 . 8B3D 84894600 mov edi, dword ptr [<&MSVCRT._mbscmp>; msvcrt._mbscmp
00452F78 . 68 80E24700 push 0047E280 ; /s2 = ""
00452F7D . 52 push edx ; |s1
00452F7E . FFD7 call edi ; \_mbscmp
00452F80 . 83C4 08 add esp, 8
00452F83 . 85C0 test eax, eax
00452F85 . 74 4C je short 00452FD3 ; check whether the registration info is empty
00452F87 . 8B4424 14 mov eax, dword ptr [esp+14] ; "[email protected]" into eax
00452F8B . 68 80E24700 push 0047E280
00452F90 . 50 push eax
00452F91 . FFD7 call edi
00452F93 . 83C4 08 add esp, 8
00452F96 . 85C0 test eax, eax
00452F98 . 74 39 je short 00452FD3 ; check whether the registration info is empty
00452F9A . 8B4C24 1C mov ecx, dword ptr [esp+1C]
00452F9E . 68 80E24700 push 0047E280
00452FA3 . 51 push ecx
00452FA4 . FFD7 call edi
00452FA6 . 83C4 08 add esp, 8
00452FA9 . 85C0 test eax, eax
00452FAB . 74 26 je short 00452FD3 ; check whether the registration info is empty
00452FAD . 8B5424 10 mov edx, dword ptr [esp+10]
00452FB1 . 68 80E24700 push 0047E280
00452FB6 . 52 push edx
00452FB7 . FFD7 call edi
00452FB9 . 83C4 08 add esp, 8
00452FBC . 85C0 test eax, eax
00452FBE . 74 13 je short 00452FD3 ; check whether the registration info is empty
00452FC0 . 8B4424 18 mov eax, dword ptr [esp+18]
00452FC4 . 68 80E24700 push 0047E280
00452FC9 . 50 push eax
00452FCA . FFD7 call edi
00452FCC . 83C4 08 add esp, 8
00452FCF . 85C0 test eax, eax
00452FD1 . 75 10 jnz short 00452FE3 ; check whether the registration info is empty; if it is not empty, take the normal jump
00452FD3 > 6A 00 push 0
00452FD5 . 6A 00 push 0
00452FD7 . 68 38DF4700 push 0047DF38 ; "尊敬的客户!你需要在右边的网站上注册后,正确的填写用户、邮箱、地区、注册日期和取得的密码就可以注册啦!" (Dear customer! After registering on the website on the right, fill in the user name, email, region, registration date and the password you received correctly, and you can register!)
00452FDC . 8BCE mov ecx, esi
00452FDE . E8 AD890000 call <jmp.&MFC42.#4224>
00452FE3 > 8D4C24 10 lea ecx, dword ptr [esp+10]
00452FE7 . E8 68890000 call <jmp.&MFC42.#6282>
00452FEC . 8D4C24 10 lea ecx, dword ptr [esp+10]
00452FF0 . E8 59890000 call <jmp.&MFC42.#6283>
00452FF5 . 8D4C24 14 lea ecx, dword ptr [esp+14]
00452FF9 . E8 56890000 call <jmp.&MFC42.#6282>
00452FFE . 8D4C24 14 lea ecx, dword ptr [esp+14]
00453002 . E8 47890000 call <jmp.&MFC42.#6283>
00453007 . B9 10000000 mov ecx, 10
0045300C . 33C0 xor eax, eax
0045300E . 8D7C24 55 lea edi, dword ptr [esp+55]
00453012 . C64424 54 00 mov byte ptr [esp+54], 0
00453017 . F3:AB rep stos dword ptr es:[edi]
00453019 . 8D4C24 2C lea ecx, dword ptr [esp+2C]
0045301D . 8D6E 60 lea ebp, dword ptr [esi+60]
00453020 . E8 D5880000 call <jmp.&MFC42.#540>
00453025 . 8D4C24 24 lea ecx, dword ptr [esp+24]
00453029 . C68424 240100>mov byte ptr [esp+124], 5
00453031 . E8 C4880000 call <jmp.&MFC42.#540>
00453036 . 8D4C24 10 lea ecx, dword ptr [esp+10]
0045303A . 68 30DF4700 push 0047DF30 ; "fuck", used when computing the registration code; using this as the joining string is really twisted!
0045303F . 8D5424 2C lea edx, dword ptr [esp+2C]
00453043 . B3 06 mov bl, 6
00453045 . 51 push ecx
00453046 . 52 push edx
00453047 . 889C24 300100>mov byte ptr [esp+130], bl
0045304E . E8 8D8A0000 call <jmp.&MFC42.#924>
00453053 . 8D4C24 14 lea ecx, dword ptr [esp+14]
00453057 . 8D5424 34 lea edx, dword ptr [esp+34]
0045305B . 51 push ecx
0045305C . 50 push eax
0045305D . 52 push edx
0045305E . C68424 300100>mov byte ptr [esp+130], 7
00453066 . E8 37890000 call <jmp.&MFC42.#922>
0045306B . 50 push eax
0045306C . 8D4C24 30 lea ecx, dword ptr [esp+30]
00453070 . C68424 280100>mov byte ptr [esp+128], 8
00453078 . E8 F5880000 call <jmp.&MFC42.#858>
0045307D . 8D4C24 34 lea ecx, dword ptr [esp+34]
00453081 . C68424 240100>mov byte ptr [esp+124], 7
00453089 . E8 3C880000 call <jmp.&MFC42.#800>
0045308E . 8D4C24 28 lea ecx, dword ptr [esp+28]
00453092 . 889C24 240100>mov byte ptr [esp+124], bl
00453099 . E8 2C880000 call <jmp.&MFC42.#800>
0045309E . 8B45 00 mov eax, dword ptr [ebp]
004530A1 . 8BCD mov ecx, ebp
004530A3 . FF50 0C call dword ptr [eax+C] ; this call concatenates the registration date, "fuck" and the registration email
004530A6 . 8B4424 2C mov eax, dword ptr [esp+2C] ; the concatenated string is "[email protected]"
004530AA . 8B55 00 mov edx, dword ptr [ebp]
004530AD . 8B48 F8 mov ecx, dword ptr [eax-8]
004530B0 . 51 push ecx
004530B1 . 50 push eax
004530B2 . 8BCD mov ecx, ebp
004530B4 . FF52 04 call dword ptr [edx+4]
004530B7 . 8B45 00 mov eax, dword ptr [ebp]
004530BA . 8D4C24 54 lea ecx, dword ptr [esp+54]
004530BE . 51 push ecx
004530BF . 8BCD mov ecx, ebp
004530C1 . FF50 08 call dword ptr [eax+8]
004530C4 . B9 20000000 mov ecx, 20
004530C9 . 33C0 xor eax, eax
004530CB . 8DBC24 990000>lea edi, dword ptr [esp+99]
004530D2 . C68424 980000>mov byte ptr [esp+98], 0
004530DA . 8D9424 980000>lea edx, dword ptr [esp+98]
004530E1 . F3:AB rep stos dword ptr es:[edi]
004530E3 . 52 push edx
004530E4 . 8D4424 58 lea eax, dword ptr [esp+58]
004530E8 . 6A 10 push 10
004530EA . 50 push eax
004530EB . E8 40FDFFFF call 00452E30 ; MD5 computation, i.e. MD5([email protected]); step into it if you are interested
004530F0 . 8B5424 24 mov edx, dword ptr [esp+24]
004530F4 . 8D8C24 A40000>lea ecx, dword ptr [esp+A4]
004530FB . 51 push ecx ; /the MD5 result is "B3EE0D943618B2EB238E9D6F35BCF746", held in ecx
004530FC . 52 push edx ; |edx = the trial code "123456789"
004530FD . FF15 84894600 call dword ptr [<&MSVCRT._mbscmp>] ; \_mbscmp
00453103 . 83C4 14 add esp, 14
00453106 . 85C0 test eax, eax
00453108 . 0F85 F0020000 jnz 004533FE ; key jump, patch point
0045310E . 8D4424 20 lea eax, dword ptr [esp+20]
00453112 . 8D4C24 30 lea ecx, dword ptr [esp+30]
**********************************************************************************************
Algorithm summary:
The algorithm the software uses is very simple: registration code = MD5(registration date + fuck + registration email), taken as the 32-character uppercase hex digest. The software's author really is twisted: the algorithm is simple, yet they add a twisted joining string on top of it.
Special note: this article is only some cracking notes and ideas, purely my personal study of the program, with no other purpose.