算法浅探——ChangeFolderColor
V2.0
下载地址: http://yafeisoft.nease.net/download/clfolder_11.zip
软件大小:
923 KB
软件语言: 英文
软件类别: 国外软件 / 共享版 / 系统设置
应用平台: Win9x/NT/2000/XP
加入时间:
2003-05
下载次数: 983
推荐等级: ***
开 发 商: http://yafeisoft.diy.163.com/
【软件简介】:可以帮你改变文件夹的颜色,让你可以很快的找到你要用的文件夹,增加你的工作效率,也让你的电脑变得五彩缤纷喔。
【软件限制】:15天试用、NAG、功能限制
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、PEiD、AspackDie、W32Dasm 9.0白金版
—————————————————————————————————
【过 程】:
clfolder.exe 是ASPack 2.12 壳,用AspackDie脱之。336K->836K。
Delphi 编写。
这次作者也升级了注册码的算法呀!程序有点复杂,重启验证,注册信息保存在注册表里,所以在反汇编代码里查找“RegisterCode”,可以找到2处,有一处是保存试炼码的,可以把断点下在另一处,这样就能跟踪到核心了。以前的版本验证流程还算比较清楚,这次就不同了,作者设计了不少限制,呵呵,一不小心就OVER了!有兴趣的朋友自己试试,会有收获的。^O^ ^O^ ^O^ ^O^
用户名:fly
试炼码:Z2CDE678F255(需要12位,并且有诸多限制!)
—————————————————————————————————
*
Referenced by a CALL at Address:
|:004850DA
|
:00484D24 55
push ebp
:00484D25
8BEC mov
ebp, esp
:00484D27 B904000000 mov
ecx, 00000004
* Referenced by a (U)nconditional or
(C)onditional Jump at Address:
|:00484D31(C)
|
:00484D2C 6A00
push 00000000
:00484D2E
6A00 push
00000000
:00484D30 49
dec ecx
:00484D31 75F9
jne 00484D2C
:00484D33 51
push ecx
:00484D34 8945FC
mov dword ptr [ebp-04],
eax
:00484D37 33C0
xor eax, eax
:00484D39 55
push ebp
:00484D3A 686F4E4800
push 00484E6F
:00484D3F 64FF30
push dword ptr fs:[eax]
:00484D42
648920 mov dword
ptr fs:[eax], esp
* Possible StringData Ref from
Code Obj ->"Software\Yafei\ColorFolder\"
|
:00484D45 B9844E4800
mov ecx, 00484E84
:00484D4A B201
mov dl, 01
:00484D4C A164784300
mov eax, dword ptr [00437864]
:00484D51 E8AA32FBFF
call 00438000
:00484D56 8945F0
mov dword ptr [ebp-10],
eax
:00484D59 33C0
xor eax, eax
:00484D5B 55
push ebp
:00484D5C 68D04D4800
push 00484DD0
:00484D61 64FF30
push dword ptr fs:[eax]
:00484D64
648920 mov dword
ptr fs:[eax], esp
* Possible StringData Ref from
Code Obj ->"Guest"
|
:00484D67
68A84E4800 push 00484EA8
:00484D6C
8D45F8 lea eax,
dword ptr [ebp-08]
:00484D6F 50
push eax
* Possible StringData
Ref from Code Obj ->"Name"
|
:00484D70
B9B84E4800 mov ecx, 00484EB8
:00484D75
33D2 xor
edx, edx
:00484D77 8B45F0
mov eax, dword ptr [ebp-10]
:00484D7A E81533FBFF
call 00438094
*
Possible StringData Ref from Code Obj ->"101010101010"
|
:00484D7F 68C84E4800
push 00484EC8
:00484D84 8D45F4
lea eax, dword ptr [ebp-0C]
:00484D87 50
push
eax
* Possible StringData Ref from Code Obj ->"RegisterCode"
|
:00484D88 B9E04E4800
mov ecx, 00484EE0
====>可以把断点下在这!!
:00484D8D
33D2 xor
edx, edx
:00484D8F 8B45F0
mov eax, dword ptr [ebp-10]
:00484D92 E8FD32FBFF
call 00438094
:00484D97 8D55EC
lea edx, dword ptr [ebp-14]
:00484D9A
8B45F4 mov eax,
dword ptr [ebp-0C]
====>EAX=Z2CDE678F255 (试炼码，即上面刚用 call 00438094 从注册表读出的 RegisterCode，读不到时默认值为 101010101010)
:00484D9D E8CE33F8FF
call 00408170
:00484DA2 8B55EC
mov edx, dword ptr [ebp-14]
:00484DA5
8D45F4 lea eax,
dword ptr [ebp-0C]
:00484DA8 E88BF3F7FF
call 00404138
:00484DAD B854BC4800
mov eax, 0048BC54
:00484DB2 8B55F8
mov edx, dword ptr [ebp-08]
====>EDX=fly
用户名
:00484DB5 E83AF3F7FF
call 004040F4
:00484DBA 33C0
xor eax, eax
:00484DBC
5A pop
edx
:00484DBD 59
pop ecx
:00484DBE 59
pop ecx
:00484DBF 648910
mov dword ptr fs:[eax], edx
:00484DC2
68D74D4800 push 00484DD7
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00484DD5(U)
|
:00484DC7
8B45F0 mov eax,
dword ptr [ebp-10]
:00484DCA E8BDE4F7FF
call 0040328C
:00484DCF C3
ret
====>呵呵,这里直接走到00484DD7处! (00484DC2 先 push 了 00484DD7，00484DCF 的 ret 就把它当返回地址用——这是 Delphi try..finally 收尾的惯用写法，finally 块跑完直接接着 00484DD7 往下执行)
:00484DD0
E94BECF7FF jmp 00403A20
:00484DD5
EBF0 jmp
00484DC7
:00484DD7 8D55E8
lea edx, dword ptr [ebp-18]
:00484DDA 8B45F4
mov eax, dword ptr [ebp-0C]
:00484DDD
E8E21F0000 call 00486DC4
====>关键CALL!进入!
:00484DE2
8B45E8 mov eax,
dword ptr [ebp-18]
:00484DE5 50
push eax
:00484DE6 8D55E4
lea edx, dword ptr [ebp-1C]
:00484DE9 B895E40300
mov eax, 0003E495
:00484DEE
E8F536F8FF call 004084E8
:00484DF3
8D45E4 lea eax,
dword ptr [ebp-1C]
* Possible StringData Ref from
Code Obj ->"Yafeisoft"
|
:00484DF6
BAF84E4800 mov edx, 00484EF8
:00484DFB
E868F5F7FF call 00404368
:00484E00
8B55E4 mov edx,
dword ptr [ebp-1C]
:00484E03 58
pop eax
:00484E04 E8A3F6F7FF
call 004044AC
:00484E09 751F
jne 00484E2A
====>跳则OVER!爆破点①!
:00484E0B
8D55E0 lea edx,
dword ptr [ebp-20]
:00484E0E B895E40300
mov eax, 0003E495
:00484E13 E8D036F8FF
call 004084E8
:00484E18 8B55E0
mov edx, dword ptr [ebp-20]
:00484E1B 8B45FC
mov eax, dword ptr
[ebp-04]
* Possible StringData Ref from Code Obj
->"Yafeisoft"
|
:00484E1E
B9F84E4800 mov ecx, 00484EF8
:00484E23
E884F5F7FF call 004043AC
:00484E28
EB1D jmp
00484E47
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00484E09(C)
|
:00484E2A 8D55DC
lea edx, dword ptr [ebp-24]
:00484E2D
B89CB90300 mov eax, 0003B99C
:00484E32
E8B136F8FF call 004084E8
:00484E37
8B55DC mov edx,
dword ptr [ebp-24]
:00484E3A 8B45FC
mov eax, dword ptr [ebp-04]
*
Possible StringData Ref from Code Obj ->"Yafeisoft"
|
:00484E3D B9F84E4800
mov ecx, 00484EF8
:00484E42 E865F5F7FF
call 004043AC
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:00484E28(U)
|
:00484E47
33C0 xor
eax, eax
:00484E49 5A
pop edx
:00484E4A 59
pop ecx
:00484E4B 59
pop ecx
:00484E4C
648910 mov dword
ptr fs:[eax], edx
:00484E4F 68764E4800
push 00484E76
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00484E74(U)
|
:00484E54 8D45DC
lea eax, dword ptr [ebp-24]
:00484E57
BA05000000 mov edx, 00000005
:00484E5C
E863F2F7FF call 004040C4
:00484E61
8D45F4 lea eax,
dword ptr [ebp-0C]
:00484E64 BA02000000
mov edx, 00000002
:00484E69 E856F2F7FF
call 004040C4
:00484E6E C3
ret
—————————————————————————————————
进入关键CALL:00484DDD
call 00486DC4
* Referenced by a CALL at
Address:
|:00484DDD
|
:00486DC4 55
push ebp
:00486DC5 8BEC
mov ebp, esp
:00486DC7
B909000000 mov ecx, 00000009
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486DD1(C)
|
:00486DCC
6A00 push
00000000
:00486DCE 6A00
push 00000000
:00486DD0 49
dec ecx
:00486DD1 75F9
jne 00486DCC
:00486DD3
53 push
ebx
:00486DD4 56
push esi
:00486DD5 57
push edi
:00486DD6 8955F8
mov dword ptr [ebp-08], edx
:00486DD9
8945FC mov dword
ptr [ebp-04], eax
:00486DDC 8B45FC
mov eax, dword ptr [ebp-04]
:00486DDF E86CD7F7FF
call 00404550
:00486DE4 33C0
xor eax, eax
:00486DE6
55 push
ebp
:00486DE7 6857754800 push
00487557
:00486DEC 64FF30
push dword ptr fs:[eax]
:00486DEF 648920
mov dword ptr fs:[eax], esp
:00486DF2
B301 mov
bl, 01
:00486DF4 8D45F4
lea eax, dword ptr [ebp-0C]
:00486DF7 8B55FC
mov edx, dword ptr [ebp-04]
:00486DFA E839D3F7FF
call 00404138
:00486DFF 8B45F4
mov eax, dword ptr
[ebp-0C]
====>EAX=Z2CDE678F255
试炼码
:00486E02 E859D5F7FF
call 00404360
====>取 试炼码 的位数
:00486E07 83F80C
cmp eax, 0000000C
====>是否12位?
:00486E0A 7422
je 00486E2E
====>不跳则OVER!
:00486E0C
8D55C8 lea edx,
dword ptr [ebp-38]
:00486E0F B89CB90300
mov eax, 0003B99C
:00486E14 E8CF16F8FF
call 004084E8
:00486E19 8B55C8
mov edx, dword ptr [ebp-38]
:00486E1C 8B45F8
mov eax, dword ptr
[ebp-08]
* Possible StringData Ref from Code Obj
->"Yafeisoft"
|
:00486E1F
B970754800 mov ecx, 00487570
:00486E24
E883D5F7FF call 004043AC
:00486E29
E906070000 jmp 00487534
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486E0A(C)
|
:00486E2E
8D45F0 lea eax,
dword ptr [ebp-10]
:00486E31 50
push eax
:00486E32 B901000000
mov ecx, 00000001
:00486E37 BA01000000
mov edx, 00000001
:00486E3C 8B45F4
mov eax, dword ptr [ebp-0C]
:00486E3F
E87CD7F7FF call 004045C0
:00486E44
8D45EC lea eax,
dword ptr [ebp-14]
:00486E47 50
push eax
:00486E48 B901000000
mov ecx, 00000001
:00486E4D BA02000000
mov edx, 00000002
:00486E52 8B45F4
mov eax, dword ptr [ebp-0C]
:00486E55
E866D7F7FF call 004045C0
:00486E5A
8D45E8 lea eax,
dword ptr [ebp-18]
:00486E5D 50
push eax
:00486E5E B901000000
mov ecx, 00000001
:00486E63 BA03000000
mov edx, 00000003
:00486E68 8B45F4
mov eax, dword ptr [ebp-0C]
:00486E6B
E850D7F7FF call 004045C0
:00486E70
8D45E4 lea eax,
dword ptr [ebp-1C]
:00486E73 50
push eax
:00486E74 B901000000
mov ecx, 00000001
:00486E79 BA04000000
mov edx, 00000004
:00486E7E 8B45F4
mov eax, dword ptr [ebp-0C]
:00486E81
E83AD7F7FF call 004045C0
:00486E86
8D45E0 lea eax,
dword ptr [ebp-20]
:00486E89 50
push eax
:00486E8A B901000000
mov ecx, 00000001
:00486E8F BA05000000
mov edx, 00000005
:00486E94 8B45F4
mov eax, dword ptr [ebp-0C]
:00486E97
E824D7F7FF call 004045C0
:00486E9C
8D45DC lea eax,
dword ptr [ebp-24]
:00486E9F 50
push eax
:00486EA0 B901000000
mov ecx, 00000001
:00486EA5 BA06000000
mov edx, 00000006
:00486EAA 8B45F4
mov eax, dword ptr [ebp-0C]
:00486EAD
E80ED7F7FF call 004045C0
:00486EB2
8D45D8 lea eax,
dword ptr [ebp-28]
:00486EB5 50
push eax
:00486EB6 B901000000
mov ecx, 00000001
:00486EBB BA07000000
mov edx, 00000007
:00486EC0 8B45F4
mov eax, dword ptr [ebp-0C]
:00486EC3
E8F8D6F7FF call 004045C0
:00486EC8
8D45D4 lea eax,
dword ptr [ebp-2C]
:00486ECB 50
push eax
:00486ECC B901000000
mov ecx, 00000001
:00486ED1 BA08000000
mov edx, 00000008
:00486ED6 8B45F4
mov eax, dword ptr [ebp-0C]
:00486ED9
E8E2D6F7FF call 004045C0
:00486EDE
8D45D0 lea eax,
dword ptr [ebp-30]
:00486EE1 50
push eax
:00486EE2 B901000000
mov ecx, 00000001
:00486EE7 BA09000000
mov edx, 00000009
:00486EEC 8B45F4
mov eax, dword ptr [ebp-0C]
:00486EEF
E8CCD6F7FF call 004045C0
:00486EF4
8D45CC lea eax,
dword ptr [ebp-34]
:00486EF7 50
push eax
:00486EF8 B903000000
mov ecx, 00000003
:00486EFD BA0A000000
mov edx, 0000000A
:00486F02 8B45F4
mov eax, dword ptr [ebp-0C]
:00486F05
E8B6D6F7FF call 004045C0
:00486F0A
33C0 xor
eax, eax
:00486F0C 55
push ebp
:00486F0D 685B6F4800
push 00486F5B
:00486F12 64FF30
push dword ptr fs:[eax]
:00486F15 648920
mov dword ptr fs:[eax],
esp
:00486F18 8B45CC
mov eax, dword ptr [ebp-34]
====>EAX=255
试炼码的最后3位!
:00486F1B E80417F8FF
call 00408624
====>call 00408624 把字符串"255"转成整数 255(=0FFh) 呵呵,我后来改的。
:00486F20
3DFF000000 cmp eax, 000000FF
====>与FF比较 所以注册码最后3位应是255
:00486F25
742A je 00486F51
====>不跳则OVER!
…… …… 省 略 …… ……
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486F25(C)
|
:00486F51
33C0 xor
eax, eax
:00486F53 5A
pop edx
:00486F54 59
pop ecx
:00486F55 59
pop ecx
:00486F56
648910 mov dword
ptr fs:[eax], edx
:00486F59 EB31
jmp 00486F8C
…… …… 省 略 …… ……
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486F59(U)
|
:00486F8C
8B45F0 mov eax,
dword ptr [ebp-10]
:00486F8F 0FB600
movzx eax, byte ptr [eax]
====>EAX=5A 试炼码的第1位字符Z的HEX值!
:00486F92
83C0BF add eax,
FFFFFFBF
====>add eax,0FFFFFFBFh 即减去 41h：EAX = 5Ah - 41h = 19h
:00486F95
83F819 cmp eax,
00000019
====>结果和19比较!
:00486F98
0F8754050000 ja 004874F2
====>跳则OVER! 注意 ja 是无符号比较：第一位小于 'A'(41h) 时减法回绕成很大的无符号数，同样会被拒绝，所以第一位只能是 'A'..'Z' 的大写字母。这样下面查表跳转的下标被限制在 0..19h，不会越界。
:00486F9E
FF2485A56F4800 jmp dword ptr [4*eax+00486FA5]
====>按 EAX(0..19h) 查表跳向 26 个不同分支判断注册码(每个首字母一个分支)! 从下面 00486BD4 处的调用引用可以看到，26 个分支最终都调用同一个校验 CALL 00486BD4，推测只是传入的位序不同；本文只跟 Z 这一个分支。
…… …… 省 略 …… ……
:004874C8
8B45D0 mov eax,
dword ptr [ebp-30]
:004874CB 50
push eax
:004874CC 8B45EC
mov eax, dword ptr [ebp-14]
:004874CF 50
push
eax
:004874D0 8B45DC
mov eax, dword ptr [ebp-24]
:004874D3 50
push eax
:004874D4 8B45D8
mov eax, dword ptr [ebp-28]
:004874D7
50 push
eax
:004874D8 8B45D4
mov eax, dword ptr [ebp-2C]
:004874DB 50
push eax
:004874DC 8B4DE0
mov ecx, dword ptr [ebp-20]
:004874DF
8B55E4 mov edx,
dword ptr [ebp-1C]
:004874E2 8B45E8
mov eax, dword ptr [ebp-18]
:004874E5 E8EAF6FFFF
call 00486BD4
====>关键CALL!进入!
:004874EA 84C0
test al, al
:004874EC
7506 jne
004874F4
====>不跳则OVER!
:004874EE
33DB xor
ebx, ebx
:004874F0 EB02
jmp 004874F4
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00486F98(C)
|
:004874F2 33DB
xor ebx, ebx
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00487031(C),
:00487039(U), :00487062(C), :0048706A(U), :00487093(C)
|:0048709B(U), :004870C4(C),
:004870CC(U), :004870F5(C), :004870FD(U)
|:00487126(C), :0048712E(U), :00487157(C),
:0048715F(U), :00487188(C)
|:00487190(U), :004871B9(C), :004871C1(U), :004871EA(C),
:004871F2(U)
|:0048721B(C), :00487223(U), :0048724C(C), :00487254(U), :0048727D(C)
|:00487285(U),
:004872AE(C), :004872B6(U), :004872DF(C), :004872E7(U)
|:00487310(C), :00487318(U),
:00487341(C), :00487349(U), :00487372(C)
|:0048737A(U), :004873A3(C), :004873AB(U),
:004873D4(C), :004873DC(U)
|:00487405(C), :0048740D(U), :00487436(C), :0048743E(U),
:00487467(C)
|:0048746F(U), :00487498(C), :0048749C(U), :004874C2(C), :004874C6(U)
|:004874EC(C),
:004874F0(U)
|
:004874F4 84DB
test bl, bl
:004874F6 741F
je 00487517
====>跳则OVER!
:004874F8 8D55BC
lea edx, dword ptr
[ebp-44]
:004874FB B895E40300 mov
eax, 0003E495
:00487500 E8E30FF8FF
call 004084E8
:00487505 8B55BC
mov edx, dword ptr [ebp-44]
:00487508 8B45F8
mov eax, dword ptr [ebp-08]
*
Possible StringData Ref from Code Obj ->"Yafeisoft"
|
:0048750B B970754800
mov ecx, 00487570
:00487510 E897CEF7FF
call 004043AC
:00487515 EB1D
jmp 00487534
—————————————————————————————————
进入关键CALL:004874E5
call 00486BD4
* Referenced by a
CALL at Addresses:
|:0048702A , :0048705B , :0048708C
, :004870BD , :004870EE
|:0048711F , :00487150
, :00487181 , :004871B2 , :004871E3
|:00487214
, :00487245 , :00487276 , :004872A7 , :004872D8
|:00487309
, :0048733A , :0048736B , :0048739C , :004873CD
|:004873FE , :0048742F , :00487460 , :00487491
, :004874BB
|:004874E5
|
:00486BD4 55
push ebp
:00486BD5 8BEC
mov ebp,
esp
:00486BD7 51
push ecx
:00486BD8 B907000000
mov ecx, 00000007
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:00486BE2(C)
|
:00486BDD
6A00 push
00000000
:00486BDF 6A00
push 00000000
:00486BE1 49
dec ecx
:00486BE2 75F9
jne 00486BDD
:00486BE4
874DFC xchg dword
ptr [ebp-04], ecx
:00486BE7 53
push ebx
:00486BE8 56
push esi
:00486BE9 57
push edi
:00486BEA
894DF4 mov dword
ptr [ebp-0C], ecx
:00486BED 8955F8
mov dword ptr [ebp-08], edx
:00486BF0 8945FC
mov dword ptr [ebp-04], eax
:00486BF3
8B45FC mov eax,
dword ptr [ebp-04]
:00486BF6 E855D9F7FF
call 00404550
:00486BFB 8B45F8
mov eax, dword ptr [ebp-08]
:00486BFE E84DD9F7FF
call 00404550
:00486C03 8B45F4
mov eax, dword ptr
[ebp-0C]
:00486C06 E845D9F7FF call
00404550
:00486C0B 8B4518
mov eax, dword ptr [ebp+18]
:00486C0E E83DD9F7FF
call 00404550
:00486C13 8B4514
mov eax, dword ptr [ebp+14]
:00486C16
E835D9F7FF call 00404550
:00486C1B
8B4510 mov eax,
dword ptr [ebp+10]
:00486C1E E82DD9F7FF
call 00404550
:00486C23 8B450C
mov eax, dword ptr [ebp+0C]
:00486C26 E825D9F7FF
call 00404550
:00486C2B 8B4508
mov eax, dword ptr
[ebp+08]
:00486C2E E81DD9F7FF call
00404550
:00486C33 33C0
xor eax, eax
:00486C35 55
push ebp
:00486C36 68B06D4800
push 00486DB0
:00486C3B 64FF30
push dword ptr fs:[eax]
:00486C3E
648920 mov dword
ptr fs:[eax], esp
:00486C41 8B45FC
mov eax, dword ptr [ebp-04]
:00486C44 8A00
mov al, byte ptr [eax]
====>AL=43h 试炼码Z2CDE678F255的第3位'C'!(mov al,... 只取一个字节)
:00486C46
3C41 cmp
al, 41
====>只检查不小于41h('A')，没有上限——小写字母等大于 'Z' 的字符也能通过
:00486C48
721B jb 00486C65
====>跳则OVER!
:00486C4A
8B45F8 mov eax,
dword ptr [ebp-08]
:00486C4D 8A00
mov al, byte ptr [eax]
====>EAX=44 试炼码Z2CDE678F255的第4位D!
:00486C4F 3C41
cmp al, 41
====>不能小于41
:00486C51 7212
jb 00486C65
====>跳则OVER!
:00486C53
8B45F4 mov eax,
dword ptr [ebp-0C]
:00486C56 8A00
mov al, byte ptr [eax]
====>EAX=45 试炼码的第5位E的HEX值!
:00486C58
3C41 cmp
al, 41
====>不能小于41
:00486C5A
7209 jb 00486C65
====>跳则OVER!
:00486C5C
8B4518 mov eax,
dword ptr [ebp+18]
:00486C5F 8A00
mov al, byte ptr [eax]
====>EAX=46 试炼码的第9位F的HEX值!
:00486C61
3C41 cmp
al, 41
====>不能小于41
:00486C63
7307 jnb
00486C6C
====>不跳则OVER!
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00486C48(C),
:00486C51(C), :00486C5A(C)
|
:00486C65 33DB
xor ebx, ebx
====>清0则OVER!
:00486C67 E90F010000 jmp 00486D7B
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486C63(C)
|
:00486C6C
33D2 xor
edx, edx
:00486C6E 55
push ebp
:00486C6F 68666D4800
push 00486D66
:00486C74 64FF32
push dword ptr fs:[edx]
:00486C77 648922
mov dword ptr fs:[edx],
esp
:00486C7A 8B4514
mov eax, dword ptr [ebp+14]
:00486C7D E8A219F8FF
call 00408624
:00486C82 8BD8
mov ebx, eax
:00486C84 8B4510
mov eax, dword ptr
[ebp+10]
:00486C87 E89819F8FF call
00408624
:00486C8C 8BF0
mov esi, eax
====>ESI=6
试炼码Z2CDE678F255的第6位!
:00486C8E 8B450C
mov eax, dword ptr
[ebp+0C]
:00486C91 E88E19F8FF call
00408624
:00486C96 8BF8
mov edi, eax
====>EDI=7
试炼码的第7位!
:00486C98
8B4508 mov eax,
dword ptr [ebp+08]
:00486C9B E88419F8FF
call 00408624
:00486CA0 8945E0
mov dword ptr [ebp-20], eax
====>[ebp-20]=EAX=8 试炼码的第8位!
:00486CA3
8D55F0 lea edx,
dword ptr [ebp-10]
:00486CA6 8B45FC
mov eax, dword ptr [ebp-04]
:00486CA9 0FB600
movzx eax, byte ptr [eax]
====>EAX=43 试炼码的第3位C的HEX值!
:00486CAC
E83718F8FF call 004084E8
====>call 004084E8 把整数 43h 转成10进制字符串"67"
:00486CB1
8D55EC lea edx,
dword ptr [ebp-14]
:00486CB4 8B45F8
mov eax, dword ptr [ebp-08]
:00486CB7 0FB600
movzx eax, byte ptr [eax]
====>EAX=44 试炼码的第4位D的HEX值!
:00486CBA
E82918F8FF call 004084E8
====>取44的10进制值=68
:00486CBF
8D55E8 lea edx,
dword ptr [ebp-18]
:00486CC2 8B45F4
mov eax, dword ptr [ebp-0C]
:00486CC5 0FB600
movzx eax, byte ptr [eax]
====>EAX=45 试炼码的第5位E的HEX值!
:00486CC8
E81B18F8FF call 004084E8
====>取45的10进制值=69
:00486CCD
8D55E4 lea edx,
dword ptr [ebp-1C]
:00486CD0 8B4518
mov eax, dword ptr [ebp+18]
:00486CD3 0FB600
movzx eax, byte ptr [eax]
====>EAX=46 试炼码的第9位F的HEX值!
:00486CD6
E80D18F8FF call 004084E8
====>取46的10进制值=70
:00486CDB
8D45D0 lea eax,
dword ptr [ebp-30]
:00486CDE 8B55F0
mov edx, dword ptr [ebp-10]
====>EDX=67
:00486CE1 8A5201
mov dl, byte ptr [edx+01]
====>DL=37h 即字符串"67"的第2个字符'7'(注意取的是第2个字符而不是末位——ASCII码≥100 变成三位数时两者不同)
:00486CE4
E89FD5F7FF call 00404288
:00486CE9
8B45D0 mov eax,
dword ptr [ebp-30]
:00486CEC E83319F8FF
call 00408624
:00486CF1 8945DC
mov dword ptr [ebp-24], eax
====>[ebp-24]=EAX=7
:00486CF4 8D45CC
lea eax, dword ptr
[ebp-34]
:00486CF7 8B55EC
mov edx, dword ptr [ebp-14]
====>EDX=68
:00486CFA
8A5201 mov dl, byte
ptr [edx+01]
====>DL=38
即:68的后一位字符
:00486CFD E886D5F7FF
call 00404288
:00486D02 8B45CC
mov eax, dword ptr [ebp-34]
:00486D05
E81A19F8FF call 00408624
:00486D0A
8945D8 mov dword
ptr [ebp-28], eax
====>[ebp-28]=EAX=8
:00486D0D
8D45C8 lea eax,
dword ptr [ebp-38]
:00486D10 8B55E8
mov edx, dword ptr [ebp-18]
====>EDX=69
:00486D13 8A5201
mov dl, byte ptr [edx+01]
====>DL=39 即:69的后一位字符
:00486D16
E86DD5F7FF call 00404288
:00486D1B
8B45C8 mov eax,
dword ptr [ebp-38]
:00486D1E E80119F8FF
call 00408624
:00486D23 8945D4
mov dword ptr [ebp-2C], eax
====>[ebp-2C]=EAX=9
:00486D26 8D45C4
lea eax, dword ptr
[ebp-3C]
:00486D29 8B55E4
mov edx, dword ptr [ebp-1C]
====>EDX=70
:00486D2C
8A5201 mov dl, byte
ptr [edx+01]
====>DL=30
即:70的后一位字符
:00486D2F E854D5F7FF
call 00404288
:00486D34 8B45C4
mov eax, dword ptr [ebp-3C]
:00486D37
E8E818F8FF call 00408624
:00486D3C
3B5DDC cmp ebx,
dword ptr [ebp-24]
====>EBX=2 试炼码的第2位(call 00408624 转成整数)
====>[ebp-24]=7 第3位字符ASCII码的10进制字符串的第2个字符(两位数时即末位)
====>所以注册码的第2位应是7
:00486D3F
750F jne
00486D50
====>跳则OVER!
:00486D41
3B75D8 cmp esi,
dword ptr [ebp-28]
====>ESI=6 试炼码的第6位
====>[ebp-28]=8 第4位字符ASCII码的10进制字符串的第2个字符(两位数时即末位)
====>所以注册码的第6位应是8
:00486D44
750A jne
00486D50
====>跳则OVER!
:00486D46
3B7DD4 cmp edi,
dword ptr [ebp-2C]
====>EDI=7 试炼码的第7位
====>[ebp-2C]=9 第5位字符ASCII码的10进制字符串的第2个字符(两位数时即末位)
====>所以注册码的第7位应是9
:00486D49
7505 jne
00486D50
====>跳则OVER!
:00486D4B
3B45E0 cmp eax,
dword ptr [ebp-20]
====>EAX=0 第9位字符ASCII码的10进制字符串的第2个字符(两位数时即末位)
====>[ebp-20]=8 试炼码的第8位
====>所以注册码的第8位应是0
:00486D4E
740C je 00486D5C
====>不跳则OVER!
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00486D3F(C),
:00486D44(C), :00486D49(C)
|
:00486D50 33DB
xor ebx, ebx
:00486D52 33C0
xor eax, eax
:00486D54
5A pop
edx
:00486D55 59
pop ecx
:00486D56 59
pop ecx
:00486D57 648910
mov dword ptr fs:[eax], edx
:00486D5A
EB1F jmp
00486D7B
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00486D4E(C)
|
:00486D5C 33C0
xor eax, eax
:00486D5E 5A
pop edx
:00486D5F
59 pop
ecx
:00486D60 59
pop ecx
:00486D61 648910
mov dword ptr fs:[eax], edx
:00486D64 EB13
jmp 00486D79
:00486D66
E901CAF7FF jmp 0040376C
:00486D6B
33DB xor
ebx, ebx
:00486D6D E862CDF7FF call
00403AD4
:00486D72 EB07
jmp 00486D7B
:00486D74 E85BCDF7FF
call 00403AD4
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:00486D64(U)
|
:00486D79
B301 mov
bl, 01
====>置1则OK!
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00486C67(U),
:00486D5A(U), :00486D72(U)
|
:00486D7B 33C0
xor eax, eax
:00486D7D 5A
pop edx
:00486D7E
59 pop
ecx
:00486D7F 59
pop ecx
:00486D80 648910
mov dword ptr fs:[eax], edx
:00486D83 68B76D4800
push 00486DB7
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486DB5(U)
|
:00486D88
8D45C4 lea eax,
dword ptr [ebp-3C]
:00486D8B BA04000000
mov edx, 00000004
:00486D90 E82FD3F7FF
call 004040C4
:00486D95 8D45E4
lea eax, dword ptr [ebp-1C]
:00486D98 BA07000000
mov edx, 00000007
:00486D9D
E822D3F7FF call 004040C4
:00486DA2
8D4508 lea eax,
dword ptr [ebp+08]
:00486DA5 BA05000000
mov edx, 00000005
:00486DAA E815D3F7FF
call 004040C4
:00486DAF C3
ret
:00486DB0
E96BCCF7FF jmp 00403A20
:00486DB5
EBD1 jmp
00486D88
:00486DB7 8BC3
mov eax, ebx
====>EBX值入EAX!!
:00486DB9
5F pop
edi
:00486DBA 5E
pop esi
:00486DBB 5B
pop ebx
:00486DBC 8BE5
mov esp, ebp
:00486DBE 5D
pop ebp
:00486DBF
C21400 ret 0014
—————————————————————————————————
程序的2个功能限制处:
*
Possible StringData Ref from Code Obj ->"Yafeisoft"
|
:00485DA6 BAD85F4800
mov edx, 00485FD8
:00485DAB E8B8E5F7FF
call 00404368
:00485DB0 8B55F0
mov edx, dword ptr [ebp-10]
:00485DB3 A15CBC4800
mov eax, dword ptr [0048BC5C]
:00485DB8
E8EFE6F7FF call 004044AC
:00485DBD
740F je 00485DCE
====>应跳!爆破点②!
*
Possible StringData Ref from Code Obj ->"Sorry, Only Registered version
"
->"can
use this function."
|
:00485DBF
B8EC5F4800 mov eax, 00485FEC
:00485DC4
E877B6FAFF call 00431440
:00485DC9
E98A010000 jmp 00485F58
…… …… 省 略 …… ……
* Possible StringData Ref from Code Obj ->"Yafeisoft"
|
:00486771 BA9C694800
mov edx, 0048699C
:00486776 E8EDDBF7FF
call 00404368
:0048677B 8B55F0
mov edx, dword ptr [ebp-10]
:0048677E
A15CBC4800 mov eax, dword ptr
[0048BC5C]
:00486783 E824DDF7FF call
004044AC
:00486788 740F
je 00486799
====>应跳!爆破点③!
*
Possible StringData Ref from Code Obj ->"Sorry, Only Registered version
"
->"can
use this function."
|
:0048678A
B8B0694800 mov eax, 004869B0
:0048678F
E8ACACFAFF call 00431440
:00486794
E98C010000 jmp 00486925
—————————————————————————————————
【算 法 总 结】:
1、注册码与用户名无关(从跟踪看，用户名只是被存进 0048BC54，校验 CALL 00486DC4 只拿注册码做参数，没有用到它)，所以一组有效注册码对任何用户名都有效，完全没有按用户绑定。需要12位。
试炼码:Z2CDE678F255
当然这个试炼码是调试了数十次而不断修改得到的。
2、注册码最后3位固定为255
3、注册码第一位应是大写字母('A'..'Z')，并且根据第一位字符的ASCII码减去41h后的值(0..19h)查表跳向不同的位置进行不同判断的运算!我选择第1位是Z,下面的其它注册码情况根据这个分支进行求逆的!(注意:下面第6~9条只对首位为 Z 的分支成立;00486BD4 有 26 处调用点,其它首字母的分支很可能以别的位序传参,对应的规则会不同。)
4、注册码第3、4、5、9位字符的ASCII码不能小于41h('A')，没有上限检查(小写字母也能过)。然后分别把这几位字符的ASCII码转成10进制字符串。
5、注册码第2、6、7、8位应是数字。
6、注册码的第2位应等于注册码自身第3位字符ASCII码10进制字符串的第2个字符(ASCII码在65~99之间时即末位)。
7、注册码的第6位应等于注册码自身第4位字符ASCII码10进制字符串的第2个字符。
8、注册码的第7位应等于注册码自身第5位字符ASCII码10进制字符串的第2个字符。
9、注册码的第8位应等于注册码自身第9位字符ASCII码10进制字符串的第2个字符。
至此可以求逆出一组可用的注册码:Z7CDE890F255
当然,注册码的组合是很多很多的…… 只要你愿意找 ^O^ ^O^ ^O^ ^O^
—————————————————————————————————
【完 美 爆 破】:
呵呵,这个东东的完美爆破不太好做呀!
如果仅仅从算法校验里改很容易非法操作的。哪位大侠搞定了请指教!
未注册版本有15天的试用期、NAG、还有2个功能限制。所以我取点巧,从下面几处改,改完后发现没有注册提示了,功能也和注册版本一样了,勉强算是一个完美爆破吧。^v^ ^v^
1、00484E09 751F
jne 00484E2A
改为: 90 90 (两个 NOP，与原来的 75 1F 等长，不用移动后面的代码)
去除时间限制和NAG
2、00485DBD 740F
je 00485DCE
改为: EB0F (与原 74 0F 等长)
jmp 00485DCE 去除功能限制
3、00486788 740F
je 00486799
改为:
EB0F jmp 00486799
去除功能限制
—————————————————————————————————
【注册信息保存】:
REGEDIT4
[HKEY_CURRENT_USER\Software\Yafei\ColorFolder]
"Name"="fly"
"RegisterCode"="Z7CDE890F255"
—————————————————————————————————
【整 理】:
Registration
Name:fly
Registration Code:Z7CDE890F255 或者:Z0FLY699Y255 …… 很 多
……
—————————————————————————————————
, _/
/| _.-~/ \_
, 青春都一饷
( /~
/ \~-._ |\
`\\ _/ \
~\ ) 忍把浮名
_-~~~-.) )__/;;,.
\_ //'
/'_,\ --~
\ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//'
/' `~\ ) /--.._, )_ `~
"
`~" " `" /~'`\
`\\~~\
" " "~'
""
Cracked By 巢水工作坊——fly [OCN][FCG]
2003-05-07 22:00