来电宝 1.2A

标题：来电宝 1.2A
作者： mwd
时间：2003/04/21 01:37pm
链接：http://bbs.pediy.com

软件名称: 来电宝
最新版本: 1.2A
--------------------------------------------------------------------------------
（1）破解：mwd[DFCG]
（2）目的:找出算法，追出注册码。
（3）练习程序:来电宝 1.2A
（4）下载：http://5235.cn/web/huui/Data/LaiDianBao.exe
（5）工具:Ollydbg,PW32Dasm.
（6）开始：PW32Dasm载入程序找到相关信息，OLL载入程序过程如下：

********************************************************************************
:00401F90 E86F570100 Call 00417704----------------断点
:00401F95 8D55F0 lea edx, dword ptr [ebp-10]-将[ebp-10]的地址送EDX
:00401F98 FF32 push dword ptr [edx]--------用户名_l?Pc<SlKtKlS<cP?l_T入栈
:00401F9A FF75B0 push [ebp-50]
:00401F9D E83E0D0000 call 00402CE0--------关键CALL--算法：进入
:00401FA2 83C40C add esp, 0000000C-----------ESP=ESP+0C
:00401FA5 FF4DD8 dec [ebp-28]------------------减1
:00401FA8 8D45F0 lea eax, dword ptr [ebp-10]
:00401FAB BA02000000 mov edx, 00000002-------------置EDX为2
:00401FB0 E8B7150000 call 0040356C
:00401FB5 8D55F8 lea edx, dword ptr [ebp-08]
:00401FB8 8D45FC lea eax, dword ptr [ebp-04]
:00401FBB E8F0150000 call 004035B
:00401FC0 85C0 test eax, eax---------------测试0或1
:00401FC2 7576 jne 0040203A----------为1则跳，不能跳，~！！！
:00401FC4 FF75FC push [ebp-04] 改7576为7476即可爆破~！！
:00401FC7 FF75B0 push [ebp-50]
:00401FCA E8E10D0000 call 00402DB0
:00401FCF 83C408 add esp, 00000008
:00401FD2 66C745CC4400 mov [ebp-34], 0044

* Possible StringData Ref from Data Obj ->"注册成功! 感谢您使用长联科技产品."
|
:00401FD8 BA8EA34100 mov edx, 0041A38E
:00401FDD 8D45EC lea eax, dword ptr [ebp-14]
:00401FE0 E8B7140000 call 0040349C
:00401FE5 FF45D8 inc [ebp-28]
:00401FE8 8D55EC lea edx, dword ptr [ebp-14]
:00401FEB 8B45B8 mov eax, dword ptr [ebp-48]
:00401FEE 050C030000 add eax, 0000030C
:00401FF3 E8A4150000 call 0040359C
:00401FF8 FF4DD8 dec [ebp-28]
:00401FFB 8D45EC lea eax, dword ptr [ebp-14]
:00401FFE BA02000000 mov edx, 00000002
:00402003 E864150000 call 0040356C
:00402008 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"来电宝"
|
:0040200A 68B0A34100 push 0041A3B0
:0040200F 8B45B8 mov eax, dword ptr [ebp-48]
:00402012 050C030000 add eax, 0000030C
:00402017 E8ECF7FFFF call 00401808
:0040201C 50 push eax
:0040201D 8B45B8 mov eax, dword ptr [ebp-48]

* Reference To: VCL50.Controls::TWinControl::GetHandle(void()), Ord:0000h
|
:00402020 E88B560100 Call 004176B0
:00402025 50 push eax
:00402026 E8EF570100 call 0041781A
:0040202B 6A01 push 00000001
:0040202D FF75B8 push [ebp-48]
:00402030 E837F8FFFF call 0040186C
:00402035 83C408 add esp, 00000008
:00402038 EB59 jmp 00402093

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401FC2(C)
|
:0040203A 66C745CC5000 mov [ebp-34], 0050

* Possible StringData Ref from Data Obj ->"您的注册码有误! 注册失败."
|
********************************************************************************
算法CALL: 00401F9D E83E0D0000 call 00402CE0

00402CE0 /$ 55 PUSH EBP
00402CE1 |. 8BEC MOV EBP,ESP
00402CE3 |. 83C4 CC ADD ESP,-34
00402CE6 |. B8 90AD4100 MOV EAX,LaiDianB.0041AD90
00402CEB |. E8 FC060000 CALL LaiDianB.004033EC
00402CF0 |. C745 F4 010000>MOV DWORD PTR SS:[EBP-C],1
00402CF7 |. 8D55 0C LEA EDX,DWORD PTR SS:[EBP+C]
00402CFA |. 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]
00402CFD |. E8 D2070000 CALL LaiDianB.004034D4
00402D02 |. FF45 F4 INC DWORD PTR SS:[EBP-C]
00402D05 |. 66:C745 E8 080>MOV WORD PTR SS:[EBP-18],8
00402D0B |. 66:C745 E8 140>MOV WORD PTR SS:[EBP-18],14
00402D11 |. BA 67AC4100 MOV EDX,LaiDianB.0041AC67----- EDX=字符串"ABCDEFGHIGKLMNOPQRST"
00402D16 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00402D19 |. E8 7E070000 CALL LaiDianB.0040349C
00402D1E |. FF45 F4 INC DWORD PTR SS:[EBP-C]
00402D21 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00402D24 |. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00402D27 |. E8 70080000 CALL LaiDianB.0040359C
00402D2C |. FF4D F4 DEC DWORD PTR SS:[EBP-C]
00402D2F |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00402D32 |. BA 02000000 MOV EDX,2
00402D37 |. E8 30080000 CALL LaiDianB.0040356C
00402D3C |. 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]
00402D3F |. E8 C4EAFFFF CALL LaiDianB.00401808
00402D44 |. 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX-用户名(_l?Pc<SlKtKlS<cP?l_T)送入[EBP-2C]
00402D47 |. 66:C745 E8 080>MOV WORD PTR SS:[EBP-18],8
00402D4D |. 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
00402D50 |. E8 B3EAFFFF CALL LaiDianB.00401808
00402D55 |. 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX--取字符串"ABCDEFGHIGKLMNOPQRST"
00402D58 |. 33D2 XOR EDX,EDX--------------------EDX清0
00402D5A |. 8955 CC MOV DWORD PTR SS:[EBP-34],EDX--置[EBP-34]为0
00402D5D |. EB 24 JMP SHORT LaiDianB.00402D83--------跳~！
00402D5F |> 8B4D CC /MOV ECX,DWORD PTR SS:[EBP-34]
00402D62 |. 8B45 D4 |MOV EAX,DWORD PTR SS:[EBP-2C]---用户名(_l?Pc<SlKtKlS<cP?l_T)送入EAX
00402D65 |. 0FBE0408 |MOVSX EAX,BYTE PTR DS:[EAX+ECX]--依次取用户名的字符：_l?Pc<SlKtKlS<cP?l_T
00402D69 |. F76D CC |IMUL DWORD PTR SS:[EBP-34]--------乘法运算
00402D6C |. B9 21000000 |MOV ECX,21-------------------------取21
00402D71 |. 99 |CDQ----------------------------把EAX中的字的符号扩展到EDX中去
00402D72 |. F7F9 |IDIV ECX--------------------------除法运算
00402D74 |. 80C2 3C |ADD DL,3C
第1位:DL=DL(0)+3C=3C(<) 11：DL=DL(18)+3C=54(T)
2:DL=DL(9)+3C=45(E) 12：DL=DL(0)+3C=3C(<)
3:DL=DL(1B)+3C=57(W) 13：DL=DL(6)+3C=42(B)
4,DL=DL(9)+3C=45(E) 14：DL=DL(15)+3C=51(Q)
5,DL=DL(0)+3C=3C(<) 15，DL=DL(0)+3C=3C(<)
6,DL=DL(3)+3C=3F(?) 16，DL=DL(0C)+3C=48(H)
7,DL=DL(3)+3C=3F(?) 17，DL=DL(12)+3C=4E(N)
8,DL=DL(1E)+3C=5A(Z) 18，DL=DL(15)+3C=51(Q)
9,DL=DL(6)+3C= 42(B) 19，DL=DL(1B)+3C=57(W)
10,DL=DL(15)+3C=51(Q) 20，DL=DL(0C)+3C=48(H)
00402D77 |. 8B45 D0 |MOV EAX,DWORD PTR SS:[EBP-30]----字符串"ABCDEFGHIGKLMNOPQRST"送EAX
00402D7A |. 8B4D CC |MOV ECX,DWORD PTR SS:[EBP-34]
00402D7D |. 881408 |MOV BYTE PTR DS:[EAX+ECX],DL-将DL的Char值依次替换到"ABCDEFGHIGKLMNOPQRST"
替换以后的字符串就是注册码~！！！！
00402D80 |. FF45 CC |INC DWORD PTR SS:[EBP-34]----加1
00402D83 |> 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]-----堆栈地址送入EAX
00402D86 |. E8 31FFFFFF |CALL LaiDianB.00402CBC
00402D8B |. 3B45 CC |CMP EAX,DWORD PTR SS:[EBP-34]---与字符串的位数比较
00402D8E |.^7F CF \JG SHORT LaiDianB.00402D5F-----不等向上循环
00402D90 |. FF4D F4 DEC DWORD PTR SS:[EBP-C]
00402D93 |. 8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]