Software size: 1059 KB
Software language: English
Software category: Foreign software / Shareware / Desktop tools
Platform: Win9x/NT/2000/XP
Date added: 2003-05-19 08:59:25
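Cracking tools: Pescan 3.31, OllyDbg 1.09, Wdasm 8.93
Author's statement: I am new to cracking; this is for study and exchange only, and I welcome corrections from the experts for any mistakes.
Software download: http://count.skycn.com/softdown.php?id=11962&url=http://on165-http.skycn.net:8080/down/phelper21cn.exe
Software description:
The sticky notes make it easy to store temporary or other information, as conveniently as everyday paper notes. Note editing supports formatting, so you can set the font size, color and so on; in practice each note is a small WordPad, and each note can have its own timed reminder. The program can synchronize with an astronomical clock automatically or manually, so that your system clock is always at its most accurate. It can also replace the Windows taskbar clock display and change its color, displayed content and so on, making the Windows clock display fully customizable. The trial version enables all features but can only be used for 30 days. After the 30 days expire, please purchase a registration or uninstall the program.
Pescan shows the file is packed with ASPack 2.12. After unpacking (419K-->1232K), disassemble it and search the string references, which quickly leads to the key point. Load it in OD (OllyDbg) and enter an arbitrary user name, ShenGe, and registration code, 12345678.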
004D9460 PUSH DWORD PTR FS:[EAX]
004D9463 MOV DWORD PTR FS:[EAX], ESP
004D9466 LEA EDX, [LOCAL.1]
004D9469 MOV EAX, DWORD PTR DS:[EBX+308]
004D946F CALL 1.0044765C    <---get the fake code
004D9474 MOV EAX, [LOCAL.1]    <---EAX="12345678"
004D9477 PUSH EAX
004D9478 LEA EDX, [LOCAL.2]
004D947B MOV EAX, DWORD PTR DS:[EBX+304]
004D9481 CALL 1.0044765C    <---get the user name
004D9486 MOV EDX, [LOCAL.2]    <---EDX="ShenGe"
004D9489 MOV EAX, DWORD PTR DS:[4E036C]
004D948E MOV EAX, DWORD PTR DS:[EAX]
004D9490 MOV ECX, 1.004D95A8
004D9495 CALL 1.004B4884    <---the key call, step into it!
004D949A TEST AL, AL
004D949C JNZ SHORT 1.004D94A8    <---the key jump
004D949E MOV EAX, 1.004D95B8
004D94A3 CALL 1.00440850    <---registration failed
004D94A8 MOV EAX, DWORD PTR DS:[4E036C]
004D94AD MOV EAX, DWORD PTR DS:[EAX]
004D94AF MOV EDX, DWORD PTR DS:[EAX+5C]
004D94B2 MOV EAX, DWORD PTR DS:[EBX+308]
004D94B8 CALL 1.0044768C
004D94BD MOV EAX, DWORD PTR DS:[4E036C]
004D94C2 MOV EAX, DWORD PTR DS:[EAX]
004D94C4 MOV EDX, DWORD PTR DS:[EAX+48]
004D94C7 MOV EAX, DWORD PTR DS:[EBX+304]
004D94CD CALL 1.0044768C
004D94D2 MOV EAX, DWORD PTR DS:[4E036C]
004D94D7 MOV EAX, DWORD PTR DS:[EAX]
004D94D9 CALL 1.004B4538
004D94DE LEA EDX, [LOCAL.3]
004D94E1 CALL 1.00408EBC
004D94E6 MOV EDX, [LOCAL.3]
004D94E9 MOV EAX, DWORD PTR DS:[EBX+300]
004D94EF CALL 1.0044768C
004D94F4 MOV EAX, DWORD PTR DS:[4E036C]
004D94F9 MOV EAX, DWORD PTR DS:[EAX]
004D94FB CALL 1.004B4578
004D9500 TEST AL, AL
004D9502 JE SHORT 1.004D9522
004D9504 MOV EDX, 1.004D95CC
004D9509 MOV EAX, EBX
004D950B CALL 1.0044768C    <---registration succeeded!
004D9510 MOV EDX, 1.004D95E0
Stepping into that key call shows the following code:
004B4884 PUSH EBP
004B4885 MOV EBP, ESP
004B4887 ADD ESP, -10
004B488A PUSH EBX
004B488B XOR EBX, EBX
004B488D MOV [LOCAL.4], EBX
004B4890 MOV [LOCAL.3], EBX
004B4893 MOV [LOCAL.2], ECX
004B4896 MOV [LOCAL.1], EDX
004B4899 MOV EBX, EAX
004B489B MOV EAX, [LOCAL.1]
004B489E CALL 1.00404B0C
004B48A3 MOV EAX, [LOCAL.2]
004B48A6 CALL 1.00404B0C
004B48AB MOV EAX, [ARG.1]
004B48AE CALL 1.00404B0C
004B48B3 XOR EAX, EAX
004B48B5 PUSH EBP
004B48B6 PUSH 1.004B496E
004B48BB PUSH DWORD PTR FS:[EAX]
004B48BE MOV DWORD PTR FS:[EAX], ESP
004B48C1 MOV EAX, [LOCAL.1]    <---EAX="ShenGe"
004B48C4 CALL 1.00404924    <---get the user name length
004B48C9 CMP EAX, DWORD PTR DS:[EBX+4C]    <---the user name length must not be greater than 25
004B48CC JG SHORT 1.004B48E7
004B48CE MOV EAX, [LOCAL.1]
004B48D1 CALL 1.00404924
004B48D6 CMP EAX, DWORD PTR DS:[EBX+50]    <---the user name length must not be less than 3
004B48D9 JL SHORT 1.004B48E7
004B48DB MOV EAX, [ARG.1]    <---EAX="12345678"
004B48DE CALL 1.00404924
004B48E3 TEST EAX, EAX    <---check whether a registration code was entered
004B48E5 JNZ SHORT 1.004B48EB
004B48E7 XOR EBX, EBX
004B48E9 JMP SHORT 1.004B494B
004B48EB LEA EDX, [LOCAL.3]
004B48EE MOV EAX, [ARG.1]
004B48F1 CALL 1.00408A1C
004B48F6 MOV EDX, [LOCAL.3]
004B48F9 LEA EAX, [ARG.1]
004B48FC CALL 1.00404704
004B4901 LEA ECX, [LOCAL.4]
004B4904 MOV EDX, [LOCAL.1]    <---EDX="ShenGe"
004B4907 MOV EAX, EBX
004B4909 CALL 1.004B4580    <---the call that computes the registration code; step in and take a look!
004B490E MOV EAX, [LOCAL.4]    <---EAX="000079CBD764", the real code
004B4911 MOV EDX, [ARG.1]    <---EDX="12345678", the fake code
004B4914 CALL 1.00408A94    <---registration code comparison
004B4919 TEST EAX, EAX
004B491B JE SHORT 1.004B4921
004B491D XOR EBX, EBX
004B491F JMP SHORT 1.004B494B
004B4921 LEA EAX, DWORD PTR DS:[EBX+48]
004B4924 MOV EDX, [LOCAL.1]
004B4927 CALL 1.004046C0
004B492C LEA EAX, DWORD PTR DS:[EBX+54]
004B492F MOV EDX, [LOCAL.2]
004B4932 CALL 1.004046C0
004B4937 LEA EAX, DWORD PTR DS:[EBX+5C]
004B493A MOV EDX, [ARG.1]
004B493D CALL 1.004046C0
004B4942 MOV EAX, EBX
004B4944 CALL 1.004B4AFC
004B4949 MOV BL, 1
004B494B XOR EAX, EAX    <---EAX=0; a wrong registration code jumps here
004B494D POP EDX
004B494E POP ECX
004B494F POP ECX
004B4950 MOV DWORD PTR FS:[EAX], EDX
004B4953 PUSH 1.004B4975
004B4958 LEA EAX, [LOCAL.4]
004B495B MOV EDX, 4
004B4960 CALL 1.00404690
004B4965 LEA EAX, [ARG.1]
004B4968 CALL 1.0040466C
004B496D RETN
Now we step into the call that computes the registration code:
004B45A8 PUSH DWORD PTR FS:[EAX]
004B45AB MOV DWORD PTR FS:[EAX], ESP
-------------------------------------------
004B45AE MOV EAX, [LOCAL.1]
004B45B1 CALL 1.00404924
004B45B6 CMP EAX, DWORD PTR DS:[ESI+4C]
004B45B9 JG SHORT 1.004B45C8
004B45BB MOV EAX, [LOCAL.1]
004B45BE CALL 1.00404924
004B45C3 CMP EAX, DWORD PTR DS:[ESI+50]
004B45C6 JGE SHORT 1.004B45D4
-------------------------------------------
For this section see the earlier comments: it checks whether the user name length is greater than 3 and less than 25.
004B45C8 MOV EAX, EDI
004B45CA CALL 1.0040466C
004B45CF JMP 1.004B4673
004B45D4 MOV EAX, [LOCAL.1]    <---EAX="ShenGe"
004B45D7 CALL 1.00404924    <---get the user name length
004B45DC MOV EBX, EAX    <---EBX=6
004B45DE JMP SHORT 1.004B4611
---------------------------------------------
004B45E0 /MOV EAX, [LOCAL.1]    <---EAX="ShenGe"
004B45E3 |MOV AL, BYTE PTR DS:[EAX+EBX-1]    <---take each character of the user name in turn for the calculation below, working from last to first
004B45E7 |AND EAX, 0FF    <---keep the low 2 digits, EAX=65<-----e
         |                                               47<-----G
         |                                               6E<-----n
         |                                               65<-----e
         |                                               68<-----h
         |                                               53<-----S
004B45EC |XOR EDX, EDX
004B45EE |PUSH EDX
004B45EF |PUSH EAX
004B45F0 |MOV EAX, DWORD PTR DS:[ESI+68]    <---EAX=3A2015E0, the machine code in hex form
004B45F3 |MOV EDX, DWORD PTR DS:[ESI+6C]
004B45F6 |CALL 1.00405744    <---this call divides the machine code by the character value; the return value is the remainder, in EAX
         |                       3A2015E0 mod 65=14
         |                       3A2015E0 mod 47=2B
         |                       3A2015E0 mod 6E=28
         |                       3A2015E0 mod 65=14
         |                       3A2015E0 mod 68=8
         |                       3A2015E0 mod 53=4
004B45FB |PUSH EDX
004B45FC |PUSH EAX
004B45FD |LEA EAX, [LOCAL.7]
004B4600 |CALL 1.00408EEC    <---format the remainder above as a decimal value
004B4605 |MOV EDX, [LOCAL.7]    <---EDX=20 <-----14
         |                              43 <-----2B
         |                              40 <-----28
         |                              20 <-----14
         |                              8 <-----8
         |                              4 <-----4
004B4608 |LEA EAX, [LOCAL.3]
004B460B |CALL 1.0040492C    <---this call concatenates the formatted values above
004B4610 |DEC EBX
004B4611 |MOV EAX, [LOCAL.1]    <---the jump above lands here, EAX="ShenGe"
004B4614 |CALL 1.00404924    <---get the user name length into EAX
004B4619 |SUB EAX, 6    <---EAX=EAX-6; this shows that if the user name is longer than 6, only the last 7 characters take part in the calculation
004B461C |CMP EBX, EAX
004B461E |JL SHORT 1.004B4624
004B4620 |TEST EBX, EBX    <---check whether the whole user name has been consumed
004B4622 \JG SHORT 1.004B45E0
---------------------------------------
004B4624 LEA EDX, [LOCAL.2]
004B4627 MOV EAX, [LOCAL.3]    <---EAX=2043402084, the concatenated value
004B462A CALL 1.00405850    <---convert Dec to Hex
004B462F MOV [LOCAL.6], EAX    <---low part, EAX=79CBD764
004B4632 MOV [LOCAL.5], EDX    <---high part, EDX=00000000
004B4635 MOV EBX, DWORD PTR DS:[ESI+60]    <---ESI=C, the registration code is 12 digits
004B4638 TEST EBX, EBX
004B463A JG SHORT 1.004B464D
004B463C PUSH [LOCAL.5]
004B463F PUSH [LOCAL.6]
004B4642 MOV EDX, EDI
004B4644 XOR EAX, EAX
004B4646 CALL 1.00408F5C
004B464B JMP SHORT 1.004B4673
004B464D PUSH [LOCAL.5]    <---part 1, 79CB764
004B4650 PUSH [LOCAL.6]    <---part 2, 00000000
004B4653 MOV EDX, EDI
004B4655 MOV EAX, EBX    <---EAX=C
004B4657 CALL 1.00408F5C    <---join the high and low parts and take the last 12 digits
004B465C MOV EAX, DWORD PTR DS:[EDI]    <---EAX=000079CBD764, the correct registration code
004B465E CALL 1.00404924
004B4663 MOV ECX, EAX
004B4665 SUB ECX, DWORD PTR DS:[ESI+60]
004B4668 MOV EDX, DWORD PTR DS:[ESI+60]
004B466B INC EDX
004B466C MOV EAX, EDI
004B466E CALL 1.00404BBC
004B4673 XOR EAX, EAX
004B4675 POP EDX
004B4676 POP ECX
004B4677 POP ECX
004B4678 MOV DWORD PTR FS:[EAX], EDX
004B467B PUSH 1.004B46A0
004B4680 LEA EAX, [LOCAL.7]
004B4683 CALL 1.0040466C
004B4688 LEA EAX, [LOCAL.3]
004B468B CALL 1.0040466C
004B4690 LEA EAX, [LOCAL.1]
004B4693 CALL 1.0040466C
004B4698 RETN
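Cracking this program is not hard; it just took me some time to write out the complete algorithm, especially the hexadecimal conversion part. I traced it several times, and I do not know whether the description above is right for the hexadecimal conversion of large numbers! Corrections from experts are welcome!
The registration codes I obtained are: user name: ShenGe, registration code: 000079CBD764
or user name: Flyhorse, registration code: 126CD348178C
Crack By ShenGe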