算法分析——批量更名专家V1.5 Build 1111
下载地址: http://www.skycn.com/soft/7412.html
软件大小: 888 KB
软件语言: 简体中文
软件类别: 国产软件 / 免费版 / 文件更名
应用平台: Win9x/NT/2000/XP
加入时间: 2002-11-11 14:32:01
下载次数: 12853
推荐等级: ***
开 发 商: http://zigsoft.yeah.net
【软件简介】:
批量更名专家是一款优秀的批量文件改名工具,更名速度极快。简明的资源管理器界面,上手极为方便。提供批量修改文件属性和日期,修改扩展名,修改大小写,可以插入,删除,替换,独特的序数改名功能,直接编辑文件名,根据MP3文件的Id3信息改名等。
【软件限制】:30天试用。
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请各大侠赐教!
【破解工具】:TRW2000娃娃修改版、FI2.5、AspackDie、RegMon、W32Dasm8.93黄金版
—————————————————————————————
【过 程】:
呵呵,这个软件简单,很多朋友都已经解过了。在 天空 溜达,看见它的个头不大,索性DOWN下来练练手。
找注册码挺简单,但是要细细的分析算法可就需要耐心与毅力了。
唉,菜鸟分析算法真难呀!算法虽简单却转来绕去,让我头大。
填入试炼信息。
用户名:flysky12(不能少于8位)
试炼码:13572468
—————————————————————————————
软件需要重启验证注册码,因此软件肯定把注册码保存在注册表或其它文件中。用RegMon监测,在注册表中发现了它留下的“尾巴”。
呵呵,发现了"RWCode"的键名,老方法,在反汇编代码里搜索RWCode,简简单单我们就找到了核心:4B8E92。于是,首先在TRW里下BPX 4B8E92,然后重新载入程序。F5,程序被拦下!
—————————————————————————————
1、用户名不能少于8位
:004B979C
E81FA8F4FF call 00403FC0
:004B97A1
83F808 cmp eax,
00000008
====>比较用户名是否少于8位?
:004B97A4
7D1D jge
004B97C3
====>少于8位则不跳,直接OVER!
:004B97A6
6A00 push
00000000
* Possible
StringData Ref from Code Obj ->"警告框"
|
:004B97A8 B930994B00 mov
ecx, 004B9930
* Possible
StringData Ref from Code Obj ->"用户名太短或者注册号不对!"
|
:004B97AD BA38994B00
mov edx, 004B9938
—————————————————————————————
2、开始追踪!
*
Possible StringData Ref from Code Obj ->"RWCode"
====>注册信息存放位置!
:004B8E92
BA28904B00 mov edx, 004B9028
====>我们拦在这儿!
F10走,多加注意!经过一个RET,很快的我们就来到了核心!
……
……
:004B8EF0 8D55F0
lea edx, dword ptr [ebp-10]
:004B8EF3 8B45FC
mov eax, dword ptr [ebp-04]
====>D EAX=我们输入的试炼信息
:004B8EF6 E845FDFFFF
call 004B8C40
====>算法CALL!F8进入!
:004B8EFB
8B45F0 mov eax,
dword ptr [ebp-10]
:004B8EFE 8B55F8
mov edx, dword ptr [ebp-08]
:004B8F01 E8CAB1F4FF
call 004040D0
====>比较CALL!F8进入!
:004B8F06
0F85AB000000 jne 004B8FB7
====>跳则OVER!
:004B8F0C B201
mov dl, 01
:004B8FA7 8B45F4 mov eax, dword ptr [ebp-0C]
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B8EE0(C),
:004B8EEA(C), :004B8F06(C)
|
:004B8FB7 33C0
xor eax, eax
—————————————————————————————
3、F8进入算法CALL:004B8EF6
call 004B8C40
注:下面的“1、2、3……”是指循环的次序,最好自己跟踪一下,很容易晕头的。呵呵,让我难受。关键结果下面我都标上 ******** 的记号!
*
Referenced by a CALL at Address:
|:004B8EF6
|
:004B8C40 55
push ebp
:004B8C41
8BEC mov
ebp, esp
:004B8C43 B904000000 mov
ecx, 00000004
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004B8C4D(C)
|
:004B8C48
6A00 push
00000000
:004B8C4A 6A00
push 00000000
:004B8C4C 49
dec ecx
:004B8C4D 75F9
jne 004B8C48
:004B8C4F
51 push
ecx
:004B8C50 53
push ebx
:004B8C51 56
push esi
:004B8C52 57
push edi
:004B8C53 8955F8
mov dword ptr [ebp-08],
edx
:004B8C56 8945FC
mov dword ptr [ebp-04], eax
:004B8C59 8B45FC
mov eax, dword ptr [ebp-04]
====>用户名入EAX
:004B8C5C E813B5F4FF
call 00404174
:004B8C61 33C0
xor eax, eax
:004B8C63 55
push ebp
:004B8C64
68DC8D4B00 push 004B8DDC
:004B8C69
64FF30 push dword
ptr fs:[eax]
:004B8C6C 648920
mov dword ptr fs:[eax], esp
:004B8C6F B201
mov dl, 01
*
Possible StringData Ref from Code Obj ->"|"A"
|
:004B8C71 A1F8034100
mov eax, dword ptr [004103F8]
:004B8C76 E849A3F4FF
call 00402FC4
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8C02(C)
|
:004B8C7B
8945EC mov dword
ptr [ebp-14], eax
:004B8C7E 33C0
xor eax, eax
:004B8C80 55
push ebp
:004B8C81 689A8D4B00
push 004B8D9A
:004B8C86 64FF30
push dword ptr fs:[eax]
:004B8C89
648920 mov dword
ptr fs:[eax], esp
:004B8C8C 8D45F4
lea eax, dword ptr [ebp-0C]
:004B8C8F 8B55FC
mov edx, dword ptr [ebp-04]
:004B8C92
E841B1F4FF call 00403DD8
:004B8C97
8B45F4 mov eax,
dword ptr [ebp-0C]
:004B8C9A E821B3F4FF
call 00403FC0
====>取用户名位数。
:004B8C9F
8BF0 mov
esi, eax
====>?EAX=8,入ESI
:004B8CA1
8B45F4 mov eax,
dword ptr [ebp-0C]
:004B8CA4 E817B3F4FF
call 00403FC0
:004B8CA9 8BD8
mov ebx, eax
:004B8CAB 85DB
test ebx, ebx
====>?EBX=8,用户名位数
:004B8CAD 0F8EA0000000
jle 004B8D53
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D4D(C)
注册码算法的循环开始了!要细心看了!作者真不怕麻烦,我都快追晕了。^-^
:004B8CB3
8BC3 mov
eax, ebx
====>EAX是循环的次数,依次递减。
:004B8CB5
2501000080 and eax, 80000001
====>保留eax的符号位和最后一位。如果eax是奇数,那它的最后一位就是1,下面的test eax, eax结果不为0,就会在004B8CC3处跳走;偶数则不跳。
:004B8CBA
7905 jns
004B8CC1
:004B8CBC 48
dec eax
:004B8CBD 83C8FE
or eax, FFFFFFFE
:004B8CC0 40
inc eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CBA(C)
|
:004B8CC1
85C0 test
eax, eax
:004B8CC3 752E
jne 004B8CF3
====>是否是判断奇、偶数的?分别跳转?
:004B8CC5
8B45F4 mov eax,
dword ptr [ebp-0C]
====>D EAX=flysky12
:004B8CC8
0FB64418FF movzx eax, byte ptr
[eax+ebx-01]
EBX=8 取第8位 ====>1、?EAX=32 即2的HEX值
EBX=6 取第6位 ====>3、?EAX=79 即y的HEX值
EBX=4 取第4位 ====>5、?EAX=73 即s的HEX值
EBX=2 取第2位 ====>7、?EAX=6C 即l的HEX值
:004B8CCD
8BD6 mov
edx, esi
====>8入EDX
:004B8CCF 2BD3
sub edx,
ebx
====>1、EDX=8-8=0
====>3、EDX=8-6=2
====>5、EDX=8-4=4
====>7、EDX=8-2=6
:004B8CD1
8B4DF4 mov ecx,
dword ptr [ebp-0C]
====>D ECX=flysky12
:004B8CD4
0FB65411FF movzx edx, byte ptr
[ecx+edx-01]
从第0位取字符 ====>1、EDX=0, 即从第0位取字符
从第2位取字符 ====>3、EDX=6C,即l的HEX值
从第4位取字符 ====>5、EDX=73,即s的HEX值
从第6位取字符 ====>7、EDX=79,即y的HEX值
:004B8CD9
F7EA imul
edx
====>1、EAX=32*0=0
====>3、EAX=79*6C=330C
====>5、EAX=73*73=33A9
====>7、EAX=6C*79=330C
:004B8CDB
83E003 and eax,
00000003
====>1、EAX=0&3=0(分别进行“与”运算)
====>3、EAX=330C&3=0
====>5、EAX=33A9&3=1
====>7、EAX=330C&3=0
:004B8CDE
8D55E8 lea edx,
dword ptr [ebp-18]
:004B8CE1 E87E04F5FF
call 00409164
====>此CALL把以上所得值转化为十进制值
:004B8CE6
8B55E8 mov edx,
dword ptr [ebp-18]
====>结果入EDX
====>1、EDX=0
********
====>3、EDX=0
********
====>5、EDX=1
********
====>7、EDX=0
********
:004B8CE9
8B45EC mov eax,
dword ptr [ebp-14]
:004B8CEC 8B08
mov ecx, dword ptr [eax]
:004B8CEE FF5134
call [ecx+34]
:004B8CF1 EB57 jmp 004B8D4A
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CC3(C)
|
:004B8CF3
8BC3 mov
eax, ebx
====>2、7入EAX
====>4、5入EAX
====>6、3入EAX
====>8、1入EAX
:004B8CF5
B903000000 mov ecx, 00000003
====>3入ECX
:004B8CFA 99
cdq
:004B8CFB
F7F9 idiv
ecx
====>2、EAX=7/3=2余1
====>4、EAX=5/3=1余2
====>6、EAX=3/3=1余0
====>8、EAX=1/3
:004B8CFD
85D2 test
edx, edx
:004B8CFF 752B
jne 004B8D2C
====>EDX=0则不跳!即不可整除就跳!
:004B8D01
8B45F4 mov eax,
dword ptr [ebp-0C]
====>EAX=flysky12
:004B8D04
0FB64418FF movzx eax, byte ptr
[eax+ebx-01]
EBX=3 取第3位 ====>6、EAX=79,即y的HEX值
:004B8D09
8BD6 mov
edx, esi
:004B8D0B 2BD3
sub edx, ebx
====>6、EDX=8-3=5
:004B8D0D
8B4DF4 mov ecx,
dword ptr [ebp-0C]
====>D ECX=flysky12
:004B8D10
0FB65411FF movzx edx, byte ptr
[ecx+edx-01]
EDX=5 取第5位 ====>6、D EDX=6B,即k的HEX值
:004B8D15 03C2
add eax, edx
====>6、EAX=79+6B=E4
:004B8D17
8D55E4 lea edx,
dword ptr [ebp-1C]
:004B8D1A E84504F5FF
call 00409164
====>此CALL把以上所得值转化为十进制值
:004B8D1F
8B55E4 mov edx,
dword ptr [ebp-1C]
====>6、EDX=228,即E4的Decimal值
********
:004B8D22
8B45EC mov eax,
dword ptr [ebp-14]
:004B8D25 8B08
mov ecx, dword ptr [eax]
:004B8D27 FF5134
call [ecx+34]
:004B8D2A
EB1E jmp
004B8D4A
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CFF(C)
|
:004B8D2C
8B45F4 mov eax,
dword ptr [ebp-0C]
====>EAX=flysky12
:004B8D2F
0FB64418FF movzx eax, byte ptr
[eax+ebx-01]
EBX=7 ====>2、EAX=31,即第7位的字符
EBX=5 ====>4、EAX=6B,即第5位的字符
EBX=1 ====>8、EAX=66,即第1位的字符
:004B8D34
83C005 add eax,
00000005
====>2、EAX=31+5=36
====>4、EAX=6B+5=70
====>8、EAX=66+5=6B
:004B8D37
8D55E0 lea edx,
dword ptr [ebp-20]
:004B8D3A E82504F5FF
call 00409164
====>此CALL把以上所得值转化为十进制值
:004B8D3F
8B55E0 mov edx,
dword ptr [ebp-20]
====>2、EDX= 54,即36的Decimal值
********
====>4、EDX=112,即70的Decimal值
********
====>8、EDX=107,即6B的Decimal值
********
:004B8D42
8B45EC mov eax,
dword ptr [ebp-14]
:004B8D45 8B08
mov ecx, dword ptr [eax]
:004B8D47 FF5134
call [ecx+34]
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B8CF1(U),
:004B8D2A(U)
|
:004B8D4A 4B
dec ebx
====>EBX依次减一
====>1、EBX=7
====>2、EBX=6
…… ……
:004B8D4B
85DB test
ebx, ebx
:004B8D4D 0F8F60FFFFFF jg
004B8CB3
====>没取完?继续循环!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CAD(C)
|
:004B8D53
8B45EC mov eax,
dword ptr [ebp-14]
:004B8D56 8B10
mov edx, dword ptr [eax]
:004B8D58 FF5214
call [edx+14]
:004B8D5B
8BF0 mov
esi, eax
:004B8D5D 4E
dec esi
:004B8D5E 85F6
test esi, esi
:004B8D60 7C22
jl 004B8D84
:004B8D62
46 inc
esi
:004B8D63 33DB
xor ebx, ebx
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D82(C)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
下面循环代码的作用是把上面8次循环所得的结果,按照8、7、6、5、4、3、2、1的倒序方式连接起来,所得到的最后结果存入[EBP-10]处!这就是咱们“千辛万苦”追踪的真码!
:004B8D65
8D4DDC lea ecx,
dword ptr [ebp-24]
:004B8D68 8BD3
mov edx, ebx
:004B8D6A 8B45EC
mov eax, dword ptr [ebp-14]
:004B8D6D
8B38 mov
edi, dword ptr [eax]
:004B8D6F FF570C
call [edi+0C]
:004B8D72 8B55DC
mov edx, dword ptr [ebp-24]
:004B8D75 8D45F0
lea eax, dword ptr
[ebp-10]
:004B8D78 8B4DF0
mov ecx, dword ptr [ebp-10]
:004B8D7B E88CB2F4FF
call 0040400C
:004B8D80 43
inc ebx
:004B8D81
4E dec
esi
:004B8D82 75E1
jne 004B8D65
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D60(C)
|
:004B8D84
33C0 xor
eax, eax
:004B8D86 5A
pop edx
:004B8D87 59
pop ecx
:004B8D88 59
pop ecx
:004B8D89
648910 mov dword
ptr fs:[eax], edx
:004B8D8C 68A18D4B00
push 004B8DA1
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D9F(U)
|
:004B8D91
8B45EC mov eax,
dword ptr [ebp-14]
:004B8D94 E85BA2F4FF
call 00402FF4
:004B8D99 C3
ret
—————————————————————————————
4、F8进入比较CALL:004B8F01 call 004040D0
:004040D0
53 push
ebx
:004040D1 56
push esi
:004040D2 57
push edi
:004040D3 89C6
mov esi, eax
:004040D5 89D7
mov edi,
edx
:004040D7 39D0
cmp eax, edx
====>D EAX=真码!!
====>D EDX=试炼码
:004040D9 0F848F000000 je 0040416E
—————————————————————————————
【KeyMake之内存注册机】:
中断地址:4B8F01
中断次数:1
第一字节:E8
指令长度:5
中断地址:4040D7
中断次数:1
第一字节:39
指令长度:2
内存方式:EAX
—————————————————————————————
【注册信息保存】:
[HKEY_LOCAL_MACHINE\Software\zigsoft\rw1.5\setup]
"RWUser"="flysky12"
"RWCode"="107022811120540"
—————————————————————————————
【整 理】:
用户名:flysky12
注册码:107022811120540
—————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-2-7 23:00