商务精灵 V2.0

标题：商务精灵 V2.0
作者：mwd
时间： 2003/04/21 01:32pm
链接：http://bbs.pediy.com

（1）破解：mwd[DFCG]
（2）目的:找出算法 ,作出注册机。
（3）练习程序: **精灵 V2.0
（4）难度：简单，明码。
（4）下载：http://www.skycn.com/soft/8146.html
（5）工具:Ollydbg,PW32Dasm.PEiD，pe-scan。
（6）开始：PEiD检查程序带ASPack 2.12 -> Alexey Solodovnikov的壳，pe-scan脱壳，
PW32Dasm载入程序找到相关信息，OLL载入程序过程如下：输入注册信息：注册名；DFCG
注册码：121212。

================================================================================
:004EAF2F E86897F5FF call 0044469C-----------------此处下断
:004EAF34 8B45FC mov eax, dword ptr [ebp-04]---假码送入EAX
:004EAF37 E8909AF1FF call 004049CC
:004EAF3C 85C0 test eax, eax-----------------注册码是否为空
:004EAF3E 741E je 004EAF5E-------------------不是空继续
:004EAF40 8BC3 mov eax, ebx
:004EAF42 E8C5FCFFFF call 004EAC0C------------------关键CALL--此处进入
:004EAF47 84C0 test al, al-------------------测试0或1
:004EAF49 7409 je 004EAF54-------------------为0则跳--不能跳
:004EAF4B 8BC3 mov eax, ebx
:004EAF4D E896FAFFFF call 004EA9E8
:004EAF52 EB0A jmp 004EAF5E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004EAF49(C)
|

* Possible StringData Ref from Data Obj ->"注册码错误,请与作者联系!"
********************************************************************************
关键CALL-进入：F8走到以下：

004EAC31 E8 669AF5FF CALL 1.0044469C
004EAC36 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]------假码送EAX
004EAC39 50 PUSH EAX--------------------------入栈
004EAC3A 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004EAC3D 8B86 FC020000 MOV EAX,DWORD PTR DS:[ESI+2FC]
004EAC43 E8 549AF5FF CALL 1.0044469C
004EAC48 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]-------注册名送入edx
004EAC4B 8D4D F8 LEA ECX,DWORD PTR SS:[EBP-8]
004EAC50 E8 C3000000 CALL 1.004EAD18----------------------算法call-进入
004EAC55 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]-----真码送入EDX
004EAC58 58 POP EAX--------------------------假码出栈
004EAC59 E8 B29EF1FF CALL 1.00404B10------------------比较
004EAC5E 75 3A JNZ SHORT 1.004EAC9A-------------不等则玩完~！！！！

********************************************************************************
算法call-进入：

004EAD18 55 PUSH EBP
004EAD19 8BEC MOV EBP,ESP
004EAD1B 51 PUSH ECX
004EAD1C B9 04000000 MOV ECX,4------------------------ECX置4
004EAD21 6A 00 PUSH 0
004EAD23 6A 00 PUSH 0
004EAD25 49 DEC ECX--------------------------再减1
004EAD26 ^75 F9 JNZ SHORT 1.004EAD21-------------跳~直到ECX为0
004EAD28 51 PUSH ECX-------------------------入栈
004EAD29 874D FC XCHG DWORD PTR SS:[EBP-4],ECX----相互交换
004EAD2C 53 PUSH EBX
004EAD2D 56 PUSH ESI
004EAD2E 57 PUSH EDI
004EAD2F 8BF9 MOV EDI,ECX---------------------交换后送入EDI
004EAD31 8955 FC MOV DWORD PTR SS:[EBP-4],EDX----注册名送[EBP-4]
004EAD34 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]----再送入EAX
004EAD37 E8 789EF1FF CALL 1.00404BB4
004EAD3C 33C0 XOR EAX,EAX-----------------------EAX清0
004EAD3E 55 PUSH EBP
004EAD3F 68 D9AE4E00 PUSH 1.004EAED9
004EAD44 64:FF30 PUSH DWORD PTR FS:[EAX]
004EAD47 64:8920 MOV DWORD PTR FS:[EAX],ESP
004EAD4A 8BC7 MOV EAX,EDI
004EAD4C E8 C399F1FF CALL 1.00404714
004EAD51 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]------注册名送EAX
004EAD54 E8 739CF1FF CALL 1.004049CC
004EAD59 8BF0 MOV ESI,EAX-----------------------计数ESI=注册名位数
004EAD5B 85F6 TEST ESI,ESI----------------------测试0或1
004EAD5D 7E 26 JLE SHORT 1.004EAD85--------------继续
004EAD5F BB 01000000 MOV EBX,1--------------------------EBX=1
004EAD64 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
004EAD67 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]--------注册名送EAX
004EAD6A 0FB64418 FF MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]---依次取注册名的字符
第1位：44(D)
2: 46(F)
3: 43(C)
4: 47(G)
004EAD6F 33D2 XOR EDX,EDX--------------------EDX清0
004EAD71 E8 3AE4F1FF CALL 1.004091B0
004EAD76 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]--将取出的注册名十六进制依次送入EDX 004EAD79 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004EAD7C E8 539CF1FF CALL 1.004049D4
004EAD81 43 INC EBX--------------------------加1
004EAD82 4E DEC ESI-------------------------减1
004EAD83 ^75 DF JNZ SHORT 1.004EAD64------------直到为0，否则向上循环
004EAD85 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]-----注册名(44464347)送EAX
004EAD88 E8 3F9CF1FF CALL 1.004049CC
004EAD8D 8BF0 MOV ESI,EAX-------------------ESI=注册名十六进制(44464347)的位数=8
004EAD8F 85F6 TEST ESI,ESI-----------------------测试0或1
004EAD91 7E 2C JLE SHORT 1.004EADBF---------------继续
004EAD93 BB 01000000 MOV EBX,1--------------------------置EBX为1
004EAD98 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]-------6D7764送入EAX
004EAD9B E8 2C9CF1FF CALL 1.004049CC
004EADA0 2BC3 SUB EAX,EBX------------------------EAX=EAX-EBX
004EADA2 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]--------44464347送入EDX
004EADA5 8A1402 MOV DL,BYTE PTR DS:[EDX+EAX]--------倒取44464347的字依次送入DL
004EADA8 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004EADAB E8 449BF1FF CALL 1.004048F4
004EADB0 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
004EADB3 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004EADB6 E8 199CF1FF CALL 1.004049D4
004EADBB 43 INC EBX----------------------------加1
004EADBC 4E DEC ESI----------------------------减1
004EADBD ^75 D9 JNZ SHORT 1.004EAD98---------------直到为0，否则向上循环
004EADBF 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004EADC2 50 PUSH EAX
004EADC3 B9 04000000 MOV ECX,4--------------------------ECX=4
004EADC8 BA 01000000 MOV EDX,1--------------------------EDX=1
004EADCD 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]-------将倒取的值74346444送入EAX
004EADD0 E8 4F9EF1FF CALL 1.00404C24
004EADD5 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004EADD8 50 PUSH EAX
004EADD9 B9 04000000 MOV ECX,4--------------------------ECX=4
004EADDE BA 05000000 MOV EDX,5--------------------------EDX=5
004EADE3 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]-------74346444送入EAX
004EADE6 E8 399EF1FF CALL 1.00404C24
004EADEB 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]-------取前四位7434送EAX
004EADEE E8 D99BF1FF CALL 1.004049CC
004EADF3 83F8 04 CMP EAX,4--------------------------比较是否为4
004EADF6 7D 2F JGE SHORT 1.004EAE27---------------是则跳
004EADF8 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004EADFB E8 CC9BF1FF CALL 1.004049CC
004EAE00 8BD8 MOV EBX,EAX
004EAE02 83FB 03 CMP EBX,3
004EAE05 7F 20 JG SHORT 1.004EAE27
004EAE07 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
004EAE0A 8BC3 MOV EAX,EBX
004EAE0C C1E0 02 SHL EAX,2
004EAE0F 33D2 XOR EDX,EDX
004EAE11 E8 9AE3F1FF CALL 1.004091B0
004EAE16 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
004EAE19 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004EAE1C E8 B39BF1FF CALL 1.004049D4
004EAE21 43 INC EBX
004EAE22 83FB 04 CMP EBX,4
004EAE25 ^75 E0 JNZ SHORT 1.004EAE07
004EAE27 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]--------取后四位6444
004EAE2A E8 9D9BF1FF CALL 1.004049CC
004EAE2F 83F8 04 CMP EAX,4---------------------------比较是否为4
004EAE32 7D 2F JGE SHORT 1.004EAE63----------------不是继续
004EAE34 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]--------后四位6444送EAX
004EAE37 E8 909BF1FF CALL 1.004049CC
004EAE3C 8BD8 MOV EBX,EAX-------------------------EBX=EAX
004EAE3E 83FB 03 CMP EBX,3---------------------------比较
004EAE41 7F 20 JG SHORT 1.004EAE63-----------------小于继续
004EAE43 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004EAE46 8BC3 MOV EAX,EBX-------------------------EAX=EBX
004EAE48 C1E0 02 SHL EAX,2---------------------------逻辑左移2位
004EAE4B 33D2 XOR EDX,EDX-------------------------EDX清0
004EAE4D E8 5EE3F1FF CALL 1.004091B0
004EAE52 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
004EAE55 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004EAE58 E8 779BF1FF CALL 1.004049D4
004EAE5D 43 INC EBX-----------------------------加1
004EAE5E 83FB 04 CMP EBX,4---------------------------与4比较
004EAE61 ^75 E0 JNZ SHORT 1.004EAE43----------------小于则循环，相等继续
004EAE63 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004EAE66 BA F0AE4E00 MOV EDX,1.004EAEF0-------------------字符串ddf22444送入EDX
004EAE6B E8 3C99F1FF CALL 1.004047AC
004EAE70 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004EAE73 50 PUSH EAX
004EAE74 B9 04000000 MOV ECX,4---------------------------置ECX为4
004EAE79 BA 01000000 MOV EDX,1---------------------------置EDX为1
004EAE7E 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]-------ddf22444送入EAX
004EAE81 E8 9E9DF1FF CALL 1.00404C24
004EAE86 FF75 DC PUSH DWORD PTR SS:[EBP-24]----------ddf22444取前四位ddf2入栈
004EAE89 68 04AF4E00 PUSH 1.004EAF04
004EAE8E FF75 F8 PUSH DWORD PTR SS:[EBP-8]-----------7434入栈
004EAE91 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004EAE94 50 PUSH EAX
004EAE95 B9 05000000 MOV ECX,5---------------------------ECX=5
004EAE9A BA 05000000 MOV EDX,5---------------------------EDX=5
004EAE9F 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]-----ddf22444送入EAX
004EAEA2 E8 7D9DF1FF CALL 1.00404C24
004EAEA7 FF75 D8 PUSH DWORD PTR SS:[EBP-28]-----ddf22444取后四位2444入栈
004EAEAA 68 04AF4E00 PUSH 1.004EAF04
004EAEAF FF75 F4 PUSH DWORD PTR SS:[EBP-C]--------6444入栈
004EAEB2 8BC7 MOV EAX,EDI
004EAEB4 BA 06000000 MOV EDX,6
004EAEB9 E8 CE9BF1FF CALL 1.00404A8C
004EAEBE 33C0 XOR EAX,EAX
004EAEC0 5A POP EDX
004EAEC1 59 POP ECX
004EAEC2 59 POP ECX
004EAEC3 64:8910 MOV DWORD PTR FS:[EAX],EDX
004EAEC6 68 E0AE4E00 PUSH 1.004EAEE0
004EAECB 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004EAECE BA 0A000000 MOV EDX,0A
004EAED3 E8 6098F1FF CALL 1.00404738
004EAED8 C3 RETN
004EAED9 ^E9 FA90F1FF JMP 1.00403FD8
004EAEDE ^EB EB JMP SHORT 1.004EAECB
004EAEE0 5F POP EDI
004EAEE1 5E POP ESI
004EAEE2 5B POP EBX
004EAEE3 8BE5 MOV ESP,EBP
004EAEE5 5D POP EBP
004EAEE6 C3 RETN
------------------------------------------------------------------------------- 整理：注册名：DFCG
注册码：ddf2-74342444-6444
注册码分为三组，是由注册名的十六进制数值倒取数值，再与固定的一组字符串交叉组成。
注册机就不放上了~~！！！！
--------------------------------mwd[DFCG]---------------------------------------