TouchPro V4.5.0.

标题：Ollydbg——TouchPro V4.5.0.
作者：fly
时间：2003/08/25 02:50am
链接：http://bbs.pediy.com

Ollydbg——TouchPro V4.5.0.0

下载页面： http://www.skycn.com/soft/2827.html
软件大小： 282 KB
软件语言：英文
软件类别：国外软件 / 共享版 / 文件管理
应用平台： Win9x/NT/2000/XP
加入时间： 2003-08-15 17:11:57
下载次数： 1652
推荐等级： ****
开发商： http://www.jddesign.co.uk/

【软件简介】：Windows下文件的时间属性有三种：创建时间，修改时间，访问时间。在一些特殊情况下我们要修改日期属性。TouchPro就是一款运行于Windows下的时间属性修改工具。Touch安装后集成于资源管理器，不占用任何资源，支持多级目录与隐藏文件的日期属性批量修改。选中文件或目录后单击鼠标右键菜单中的 “TouchPro”即可按你指定的时间格式快速将创建时间，修改时间，访问时间设置为你指定时间或当前时间。

【软件限制】：功能限制

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、PEiD、W32Dasm 9.0白金版

—————————————————————————————————
【过程】：

TouchPro.dll 无壳。 Visual C++ 编写。

用户名：fly [FCG] （要有空格）
试炼码：13572468
—————————————————————————————————
这个东东用OD调试有点麻烦。安装完程序后会提示是否注册，选是则弹出注册框，运行Ollydbg，附加上D:\WINDOWS\System32\MsiExec.exe这个进程，然后ALT+E打开可执行模块，选择TouchPro模块, 双击“D:\Program Files\JD Design\TouchPro\TouchPro.dll”，呵呵，终于进入目标程序领空了！其实在98下用TRW下万能断点最方便了。感谢 fxyang 兄的协助！

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100011B4(C)
|
:1000127B 833D4C53011000 cmp dword ptr [1001534C], 00000000
:10001282 7568 jne 100012EC
:10001284 8B35284E0110 mov esi, dword ptr [10014E28]
:1000128A 6A64 push 00000064
:1000128C 8D8560FEFFFF lea eax, dword ptr [ebp+FFFFFE60]
:10001292 50 push eax
:10001293 6835040000 push 00000435
:10001298 FF7570 push [ebp+70]
:1000129B FFD6 call esi
:1000129D 6A64 push 00000064
:1000129F 8D8598FDFFFF lea eax, dword ptr [ebp+FFFFFD98]
:100012A5 50 push eax
:100012A6 6832040000 push 00000432
:100012AB FF7570 push [ebp+70]
:100012AE FFD6 call esi
:100012B0 68D4020110 push 100102D4
:100012B5 8D8598FDFFFF lea eax, dword ptr [ebp+FFFFFD98]
:100012BB 50 push eax
:100012BC 8D8560FEFFFF lea eax, dword ptr [ebp+FFFFFE60]
:100012C2 50 push eax
:100012C3 E844040000 call 1000170C
====>关键CALL！进入！

:100012C8 83C40C add esp, 0000000C
:100012CB 84C0 test al, al
:100012CD 741D je 100012EC
====>跳则OVER！

:100012CF 8D8598FDFFFF lea eax, dword ptr [ebp+FFFFFD98]
:100012D5 50 push eax
:100012D6 8D8560FEFFFF lea eax, dword ptr [ebp+FFFFFE60]
:100012DC 50 push eax
:100012DD E839070000 call 10001A1B
====>保存注册信息！

:100012E2 0FB6C0 movzx eax, al
:100012E5 59 pop ecx
:100012E6 59 pop ecx
:100012E7 A34C530110 mov dword ptr [1001534C], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:100011BB(C), :10001282(C), :100012CD(C)
|
:100012EC 57 push edi
:100012ED FF7570 push [ebp+70]

* Reference To: USER32.EndDialog, Ord:00C6h
|
:100012F0 FF1528020110 Call dword ptr [10010228]
:100012F6 E961FFFFFF jmp 1000125C

…… ……省略…… ……

* Possible Reference to String Resource ID=00025: "Your registration details are correct.Thank you for regist"

:10004916 6A19 push 00000019
:10004918 57 push edi
:10004919 E8F7EEFFFF call 10003815
====>呵呵，胜利女神！

—————————————————————————————————
进入关键CALL：100012C3 call 1000170C

* Referenced by a CALL at Addresses:
|:100012C3 , :1000204B
|
:1000170C 55 push ebp
:1000170D 8BEC mov ebp, esp
:1000170F 81ECD4000000 sub esp, 000000D4
:10001715 53 push ebx
:10001716 FF7508 push [ebp+08]
:10001719 8D852CFFFFFF lea eax, dword ptr [ebp+FFFFFF2C]
:1000171F 50 push eax
:10001720 32DB xor bl, bl
:10001722 FF15F84D0110 call dword ptr [10014DF8]

* Possible Reference to String Resource ID=00032: "Enter the number of seconds to offset the existing timestamp"
|
:10001728 6A20 push 00000020
:1000172A FF7508 push [ebp+08]
:1000172D E8D95C0000 call 1000740B
====>进入用户名检测CALL 检测Name中是否有空格

:10001732 85C0 test eax, eax
:10001734 59 pop ecx
:10001735 59 pop ecx
:10001736 7468 je 100017A0
====>没有空格则跳则OVER！

:10001738 56 push esi
:10001739 FF7510 push [ebp+10]
:1000173C 8D852CFFFFFF lea eax, dword ptr [ebp+FFFFFF2C]
====>EAX=fly [FCG] Name

:10001742 50 push eax
:10001743 8D45F4 lea eax, dword ptr [ebp-0C]
:10001746 50 push eax
:10001747 E8ABFEFFFF call 100015F7
====>算法CALL！进入！

:1000174C 8B450C mov eax, dword ptr [ebp+0C]
====>EAX=13572468 试炼码

:1000174F 83C40C add esp, 0000000C
:10001752 33F6 xor esi, esi
:10001754 EB3B jmp 10001791

====>下面其实就是每2位比较注册码！
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001797(C)
|
:10001756 83FE0C cmp esi, 0000000C
:10001759 7341 jnb 1000179C
:1000175B 6683F939 cmp cx, 0039
:1000175F 8A08 mov cl, byte ptr [eax]
:10001761 7705 ja 10001768
====>大于39则跳下去-37

:10001763 80E930 sub cl, 30
====>是数字则HEX值减30

:10001766 EB03 jmp 1000176B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001761(C)
|
:10001768 80E937 sub cl, 37
====>大于39则-37

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001766(U)
|
:1000176B C0E104 shl cl, 04
====>结果左移4位

:1000176E 40 inc eax
:1000176F 40 inc eax
:10001770 668B10 mov dx, word ptr [eax]
:10001773 6685D2 test dx, dx
:10001776 7410 je 10001788
:10001778 6683FA39 cmp dx, 0039
:1000177C 7705 ja 10001783
:1000177E 80EA30 sub dl, 30
:10001781 EB03 jmp 10001786

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000177C(C)
|
:10001783 80EA37 sub dl, 37

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001781(U)
|
:10001786 0ACA or cl, dl
====>试炼码第1、2位结果OR

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001776(C)
|
:10001788 40 inc eax
:10001789 40 inc eax
:1000178A 384C35F4 cmp byte ptr [ebp+esi-0C], cl
====>上面运算的结果逐位和注册码比较！

:1000178E 7509 jne 10001799
====>跳则OVER！

:10001790 46 inc esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001754(U)
|
:10001791 668B08 mov cx, word ptr [eax]
:10001794 6685C9 test cx, cx
:10001797 75BD jne 10001756
====>循环

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000178E(C)
|
:10001799 83FE0C cmp esi, 0000000C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001759(C)
|
:1000179C 0F94C3 sete bl
====>置1则OK！

:1000179F 5E pop esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001736(C)
|
:100017A0 8AC3 mov al, bl
:100017A2 5B pop ebx
:100017A3 C9 leave
:100017A4 C3 ret

—————————————————————————————————
进入算法CALL：10001747 call 100015F7

* Referenced by a CALL at Address:
|:10001747
|
:100015F7 55 push ebp
:100015F8 8D6C2494 lea ebp, dword ptr [esp-6C]
:100015FC 81ECC8000000 sub esp, 000000C8
:10001602 56 push esi
:10001603 8B7578 mov esi, dword ptr [ebp+78]
:10001606 56 push esi
:10001607 8D45A4 lea eax, dword ptr [ebp-5C]
:1000160A 50 push eax
:1000160B FF15F84D0110 call dword ptr [10014DF8]
:10001611 C7457800FC0000 mov [ebp+78], 0000FC00
====>[ebp+78]=0000FC00

:10001618 EB0A jmp 10001624

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000162A(C)
|
:1000161A 0FB7C0 movzx eax, ax
====>逐位取用户名字符HEX值

:1000161D 014578 add dword ptr [ebp+78], eax
====>循环与0000FC00累加最后要用到这个值！
====>[ebp+78]=FEF3

:10001620 46 inc esi
:10001621 46 inc esi
:10001622 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001618(U)
|
:10001624 668B06 mov ax, word ptr [esi]
:10001627 6685C0 test ax, ax
:1000162A 75EE jne 1000161A
====>循环

:1000162C 53 push ebx
:1000162D 6810050110 push 10010510
:10001632 8D45A4 lea eax, dword ptr [ebp-5C]
:10001635 50 push eax
:10001636 FF15F44D0110 call dword ptr [10014DF4]
====>连接用户名与123456789012

:1000163C 8B4574 mov eax, dword ptr [ebp+74]
====>EAX=fly [FCG]123456789012

:1000163F 8A5DB0 mov bl, byte ptr [ebp-50]
====>取第7位 C

:10001642 885802 mov byte ptr [eax+02], bl
:10001645 8A5DB6 mov bl, byte ptr [ebp-4A]
====>取第10位 1

:10001648 885803 mov byte ptr [eax+03], bl
:1000164B 8A5DA4 mov bl, byte ptr [ebp-5C]
====>取第1位 f

:1000164E 8B757C mov esi, dword ptr [ebp+7C]
====>ESI=TouchPropertyPage 固定参数！

:10001651 885804 mov byte ptr [eax+04], bl
:10001654 8A5DB2 mov bl, byte ptr [ebp-4E]
====>取第8位 G

:10001657 885805 mov byte ptr [eax+05], bl
:1000165A 8A5DAA mov bl, byte ptr [ebp-56]
====>取第4位空格

:1000165D 8A4DB4 mov cl, byte ptr [ebp-4C]
====>取第9位 ]

:10001660 8A55B8 mov dl, byte ptr [ebp-48]
====>取第11位 2

:10001663 885806 mov byte ptr [eax+06], bl
:10001666 8A5DA6 mov bl, byte ptr [ebp-5A]
====>取第2位 l

:10001669 885807 mov byte ptr [eax+07], bl
:1000166C 8A5DAE mov bl, byte ptr [ebp-52]
====>取第6位 F

:1000166F 885808 mov byte ptr [eax+08], bl
:10001672 8A5DBA mov bl, byte ptr [ebp-46]
====>取第12位 3

:10001675 8808 mov byte ptr [eax], cl
====>用第9位]替换[eax]的第1位 30（H）

:10001677 885809 mov byte ptr [eax+09], bl
:1000167A 8A5DAC mov bl, byte ptr [ebp-54]
====>取第5位 [

:1000167D 88580A mov byte ptr [eax+0A], bl
:10001680 8A5DA8 mov bl, byte ptr [ebp-58]
====>取第3位 y

:10001683 88580B mov byte ptr [eax+0B], bl
:10001686 885001 mov byte ptr [eax+01], dl
====>用第11位2替换[eax]的第2位 F5（H）

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
fly [FCG]123456789012 变化为：

008EF504 5D 32 43 31 66 47 20 6C 46 33 5B 79 ]2C1fG lF3[y
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:10001689 8A1E mov bl, byte ptr [esi]
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[ESI]的值：是固定参数 TouchPropertyPage

100102D4 54 00 6F 00 75 00 63 00 68 00 50 00 72 00 6F 00 T.o.u.c.h.P.r.o.
100102E4 70 00 65 00 72 00 74 00 79 00 50 00 61 00 67 00 p.e.r.t.y.P.a.g.
100102F4 65 00 e.
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

====>下面是把5D 32 43 31 66 47 20 6C 46 33 5B 79和固定参数54 6F 75 63 68 50 72 6F 70 65 72 74逐位异或
:1000168B 32D9 xor bl, cl
====>BL=54 XOR 5D=09

:1000168D 8818 mov byte ptr [eax], bl
:1000168F 8A4E02 mov cl, byte ptr [esi+02]
:10001692 32CA xor cl, dl
====>CL=6F XOR 32=5D

:10001694 884801 mov byte ptr [eax+01], cl
:10001697 8A4E04 mov cl, byte ptr [esi+04]
:1000169A 324DB0 xor cl, byte ptr [ebp-50]
====>CL=75 XOR 43=36

:1000169D 5B pop ebx
:1000169E 884802 mov byte ptr [eax+02], cl
:100016A1 8A4E06 mov cl, byte ptr [esi+06]
:100016A4 324DB6 xor cl, byte ptr [ebp-4A]
====>CL=63 XOR 31=52

:100016A7 884803 mov byte ptr [eax+03], cl
:100016AA 8A4E08 mov cl, byte ptr [esi+08]
:100016AD 324DA4 xor cl, byte ptr [ebp-5C]
====>CL=68 XOR 66=0E

:100016B0 884804 mov byte ptr [eax+04], cl
:100016B3 8A4E0A mov cl, byte ptr [esi+0A]
:100016B6 324DB2 xor cl, byte ptr [ebp-4E]
====>CL=50 XOR 47=17

:100016B9 884805 mov byte ptr [eax+05], cl
:100016BC 8A4E0C mov cl, byte ptr [esi+0C]
:100016BF 324DAA xor cl, byte ptr [ebp-56]
====>CL=72 XOR 20=52

:100016C2 884806 mov byte ptr [eax+06], cl
:100016C5 8A4E0E mov cl, byte ptr [esi+0E]
:100016C8 324DA6 xor cl, byte ptr [ebp-5A]
====>CL=6F XOR 6C=03

:100016CB 884807 mov byte ptr [eax+07], cl
:100016CE 8A4E10 mov cl, byte ptr [esi+10]
:100016D1 324DAE xor cl, byte ptr [ebp-52]
====>CL=70 XOR 46=36

:100016D4 884808 mov byte ptr [eax+08], cl
:100016D7 8A4E12 mov cl, byte ptr [esi+12]
:100016DA 324DBA xor cl, byte ptr [ebp-46]
====>CL=65 XOR 33=56

:100016DD 884809 mov byte ptr [eax+09], cl
:100016E0 8A4E14 mov cl, byte ptr [esi+14]
:100016E3 324DAC xor cl, byte ptr [ebp-54]
====>CL=72 XOR 5B=29

:100016E6 88480A mov byte ptr [eax+0A], cl
:100016E9 8A4E16 mov cl, byte ptr [esi+16]
:100016EC 324DA8 xor cl, byte ptr [ebp-58]
====>CL=74 XOR 79=0D

:100016EF 33F6 xor esi, esi
:100016F1 88480B mov byte ptr [eax+0B], cl

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
异或的结果：

008EF504 09 5D 36 52 0E 17 52 03 36 56 29 0D .]6RR6V).
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001704(C)
|
:100016F4 8BCE mov ecx, esi
:100016F6 B201 mov dl, 01
:100016F8 D2E2 shl dl, cl
:100016FA 225578 and dl, byte ptr [ebp+78]
====>DL=01、02、04、08分别 AND F3
====>F3即是用户名HEX值和FC00累加=FEF3的低位

:100016FD 301406 xor byte ptr [esi+eax], dl
====>分别与前4位 09 5D 36 52 异或
①、 ====>[esi+eax]=09 XOR 01=08
②、 ====>[esi+eax]=5D XOR 02=5F
③、 ====>[esi+eax]=36 XOR 00=36
④、 ====>[esi+eax]=52 XOR 00=52

:10001700 46 inc esi
:10001701 83FE04 cmp esi, 00000004
:10001704 7CEE jl 100016F4
====>循环4次

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[EAX]的值替换成：这就是Name运算的结果！其HEX值就是注册码！

008EF504 08 5F 36 52 0E 17 52 03 36 56 29 0D _6RR6V).
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:10001706 5E pop esi
:10001707 83C56C add ebp, 0000006C
:1000170A C9 leave
:1000170B C3 ret

—————————————————————————————————
进入用户名检测CALL：:1000172D call 1000740B

* Referenced by a CALL at Address:
|:1000172D
|
:1000740B 8B442404 mov eax, dword ptr [esp+04]
====>EAX=fly [FCG] Name

:1000740F 668B542408 mov dx, word ptr [esp+08]
====>DX=20 即：空格

:10007414 EB07 jmp 1000741D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10007423(C)
|
:10007416 663BCA cmp cx, dx
====>比较用户名中是否有空格？

:10007419 7411 je 1000742C
:1000741B 40 inc eax
:1000741C 40 inc eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10007414(U)
|
:1000741D 668B08 mov cx, word ptr [eax]
:10007420 6685C9 test cx, cx
:10007423 75F1 jne 10007416
:10007425 663BCA cmp cx, dx
====>比较用户名中是否有空格？

:10007428 7402 je 1000742C
:1000742A 33C0 xor eax, eax
====>如果到这儿清0就OVER了！

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10007419(C), :10007428(C)
|
:1000742C C3 ret

—————————————————————————————————
【算法总结】：

1、用户名须有空格 fly [FCG]

2、Name字符的HEX值逐位和FC00累加，=FEF3，取低位F3后面用

3、连接用户名和123456789012 fly [FCG]123456789012

4、对上面字符串的顺序重新排列：fly [FCG]123456789012==>]2C1fG lF3[y

5、]2C1fG lF3[y 和固定参数 TouchPropertyPage 的前面12位字符HEX值逐位异或
得出：09 5D 36 52 0E 17 52 03 36 56 29 0D

6、用01、02、04、08分别 AND F3 （第2步所得的值），分别异或上面所得结果的前4位09 5D 36 52

7、最后得出注册码：085F36520E1752033656290D

—————————————————————————————————
【注册信息保存】：

REGEDIT4

[HKEY_CURRENT_USER\Software\JD Design\TouchPro]
"RegNumber"=hex:30,38,35,46,33,36,35,32,30,45,31,37,35,32,30,33,33,36,35,36,32,\
39,30,44
"User"=hex:66,6c,79,20,5b,46,43,47,5d

—————————————————————————————————
【整理】：

Registartion Name：fly [FCG]
Registartion Code：085F36520E1752033656290D

—————————————————————————————————

, _/
/| _.-~/ \_ , 青春都一饷
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""

Cracked By 巢水工作坊——fly [OCN][FCG]

2003-8-24 18:43