软件名称:盗文高手(DownFiles)
软件版本:Ver1.3
软件功能:
您是否常常因自己好不容易从网上查找的宝贵资料不知放到哪里而急得直抓头发吗?您是否常常把宝贵的时间浪费在复制、粘贴的重复工作上了呢?盗文高手(DownFiles)就是为了解决这些问题而写的,本软件可使您一次点击就能取得想要的文章,并且通过树型目录管理,及智能化的自动整理文章,使您即节省时间又能把抓取的文章管理得井井有条。
未注册版启动时有30秒延迟
破解工具:W32Dasm、OllyDbg
破解过程:
W32Dasm反汇编
:0051C7B5 648920 mov dword ptr fs:[eax], esp
:0051C7B8 8D55F8 lea edx, dword ptr [ebp-08]
:0051C7BB 8B83F8020000 mov eax, dword ptr [ebx+000002F8]
:0051C7C1 E81E40F5FF call 004707E4
:0051C7C6 8B45F8 mov eax, dword ptr [ebp-08]
:0051C7C9 50 push eax
:0051C7CA 8D55F4 lea edx, dword ptr [ebp-0C]
:0051C7CD 8B8314030000 mov eax, dword ptr [ebx+00000314]
:0051C7D3 E80C40F5FF call 004707E4
:0051C7D8 8B55F4 mov edx, dword ptr [ebp-0C] |机器码504848328369
:0051C7DB 8BC6 mov eax, esi |
:0051C7DD 59 pop ecx
:0051C7DE E88167F7FF call 00492F64 |关键Call进入
:0051C7E3 84C0 test al, al
:0051C7E5 0F84CE000000 je 0051C8B9 |出错跳转
:0051C7EB B201 mov dl, 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0051C77E(C)
|
:0051C7ED A1105D4400 mov eax, dword ptr [00445D10]
:0051C7F2 E81996F2FF call 00445E10
:0051C7F7 8945FC mov dword ptr [ebp-04], eax
:0051C7FA BA01000080 mov edx, 80000001
:0051C7FF 8B45FC mov eax, dword ptr [ebp-04]
:0051C802 E8A996F2FF call 00445EB0
:0051C807 33C0 xor eax, eax
:0051C809 55 push ebp
:0051C80A 68B2C85100 push 0051C8B2
:0051C80F 64FF30 push dword ptr fs:[eax]
:0051C812 648920 mov dword ptr fs:[eax], esp
:0051C815 B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"SOFTWAREDownFiles"
|
:0051C817 BAF4C85100 mov edx, 0051C8F4
:0051C81C 8B45FC mov eax, dword ptr [ebp-04]
:0051C81F E8F096F2FF call 00445F14
* Possible StringData Ref from Code Obj ->"myK"
|
:0051C824 BA10C95100 mov edx, 0051C910
:0051C829 8B45FC mov eax, dword ptr [ebp-04]
:0051C82C E81F9AF2FF call 00446250
:0051C831 84C0 test al, al
:0051C833 751E jne 0051C853
:0051C835 8D55F0 lea edx, dword ptr [ebp-10]
:0051C838 8B83F8020000 mov eax, dword ptr [ebx+000002F8]
:0051C83E E8A13FF5FF call 004707E4
:0051C843 8B4DF0 mov ecx, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"myK"
|
:0051C846 BA10C95100 mov edx, 0051C910
:0051C84B 8B45FC mov eax, dword ptr [ebp-04]
:0051C84E E87D98F2FF call 004460D0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0051C833(C)
|
* Possible StringData Ref from Code Obj ->"myN"
|
:0051C853 BA1CC95100 mov edx, 0051C91C
:0051C858 8B45FC mov eax, dword ptr [ebp-04]
:0051C85B E8F099F2FF call 00446250
:0051C860 84C0 test al, al
:0051C862 751E jne 0051C882
:0051C864 8D55EC lea edx, dword ptr [ebp-14]
:0051C867 8B83FC020000 mov eax, dword ptr [ebx+000002FC]
:0051C86D E8723FF5FF call 004707E4
:0051C872 8B4DEC mov ecx, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->"myN"
|
:0051C875 BA1CC95100 mov edx, 0051C91C
:0051C87A 8B45FC mov eax, dword ptr [ebp-04]
:0051C87D E84E98F2FF call 004460D0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0051C862(C)
|
:0051C882 8B45FC mov eax, dword ptr [ebp-04]
:0051C885 E8F695F2FF call 00445E80
:0051C88A 33C0 xor eax, eax
:0051C88C 5A pop edx
:0051C88D 59 pop ecx
:0051C88E 59 pop ecx
:0051C88F 648910 mov dword ptr fs:[eax], edx
:0051C892 68C3C85100 push 0051C8C3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0051C8B7(U)
|
:0051C897 8B45FC mov eax, dword ptr [ebp-04]
:0051C89A E8B96DEEFF call 00403658
:0051C89F A1BCBF5400 mov eax, dword ptr [0054BFBC]
:0051C8A4 C60001 mov byte ptr [eax], 01
* Possible StringData Ref from Code Obj ->"谢谢您注册本软件,您注册成功了!"
|
:0051C8A7 B828C95100 mov eax, 0051C928
:0051C8AC E8C3E5F1FF call 0043AE74
:0051C8B1 C3 ret
:0051C8B2 E93575EEFF jmp 00403DEC
:0051C8B7 EBDE jmp 0051C897
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0051C7E5(C)
|
* Possible StringData Ref from Code Obj ->"注册码错误!"
|
:0051C8B9 B850C95100 mov eax, 0051C950
:0051C8BE E8B1E5F1FF call 0043AE74
:0051C8C3 33C0 xor eax, eax
:0051C8C5 5A pop edx
:0051C8C6 59 pop ecx
:0051C8C7 59 pop ecx
:0051C8C8 648910 mov dword ptr fs:[eax], edx
:0051C8CB 68E5C85100 push 0051C8E5
注册算法:(OllyDbg动态跟踪)
00492F64 /$ 55 PUSH EBP
00492F65 |. 8BEC MOV EBP,ESP
00492F67 |. 51 PUSH ECX
00492F68 |. B9 04000000 MOV ECX,4
00492F6D |> 6A 00 PUSH 0
00492F6F |. 6A 00 PUSH 0
00492F71 |. 49 DEC ECX
00492F72 |.^75 F9 JNZ SHORT DownFile.00492F6D
00492F74 |. 51 PUSH ECX
00492F75 |. 874D FC XCHG DWORD PTR SS:[EBP-4],ECX
00492F78 |. 53 PUSH EBX
00492F79 |. 56 PUSH ESI
00492F7A |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
00492F7D |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
00492F80 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00492F83 |. E8 741AF7FF CALL DownFile.004049FC
00492F88 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00492F8B |. E8 6C1AF7FF CALL DownFile.004049FC
00492F90 |. 33C0 XOR EAX,EAX
00492F92 |. 55 PUSH EBP
00492F93 |. 68 C2304900 PUSH DownFile.004930C2
00492F98 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00492F9B |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00492F9E |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00492FA1 |. E8 A615F7FF CALL DownFile.0040454C
00492FA6 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00492FA9 |. E8 5E18F7FF CALL DownFile.0040480C
00492FAE |. 8BF0 MOV ESI,EAX
00492FB0 |. 85F6 TEST ESI,ESI
00492FB2 |. 7E 39 JLE SHORT DownFile.00492FED
00492FB4 |. BB 01000000 MOV EBX,1
00492FB9 |> 8BC3 MOV EAX,EBX
00492FBB |. 25 01000080 AND EAX,80000001
00492FC0 |. 79 05 JNS SHORT DownFile.00492FC7
00492FC2 |. 48 DEC EAX
00492FC3 |. 83C8 FE OR EAX,FFFFFFFE
00492FC6 |. 40 INC EAX
00492FC7 |> 85C0 TEST EAX,EAX
00492FC9 |. 75 1E JNZ SHORT DownFile.00492FE9
00492FCB |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00492FCE |. 50 PUSH EAX
00492FCF |. B9 01000000 MOV ECX,1
00492FD4 |. 8BD3 MOV EDX,EBX
00492FD6 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00492FD9 |. E8 92F4FAFF CALL DownFile.00442470
00492FDE |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
00492FE1 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00492FE4 |. E8 2B18F7FF CALL DownFile.00404814
00492FE9 |> 43 INC EBX
00492FEA |. 4E DEC ESI
00492FEB |.^75 CC JNZ SHORT DownFile.00492FB9
00492FED |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00492FF0 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
00492FF3 |. E8 EC15F7FF CALL DownFile.004045E4
00492FF8 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00492FFB |. E8 4C15F7FF CALL DownFile.0040454C
00493000 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
以上代码用来取机器码的偶数位组成新的数字串504848328369→088239
00493003 |. BA 02000000 MOV EDX,2
00493008 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049300B |. E8 6CF3FAFF CALL DownFile.0044237C |取首2位(08)
00493010 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] |
00493013 |. E8 9463F7FF CALL DownFile.004093AC |0*A+8=8
00493018 |. 8BD0 MOV EDX,EAX |EDX=EAX=8
0049301A |. C1E0 03 SHL EAX,3 |EAX=EAX SHL 3=40
0049301D |. 2BC2 SUB EAX,EDX |EAX=EAX-EDX=38
0049301F |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14] |
00493022 |. E8 4962F7FF CALL DownFile.00409270 |十六进制到十进制"56"
00493027 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14] |
0049302A |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] |
0049302D |. E8 E217F7FF CALL DownFile.00404814 |
00493032 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20] |
00493035 |. BA 02000000 MOV EDX,2 |
0049303A |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] |
0049303D |. E8 AAF3FAFF CALL DownFile.004423EC |取最后2位(39)
00493042 |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] |
00493045 |. E8 6263F7FF CALL DownFile.004093AC |3*A+9=27
0049304A |. C1E0 03 SHL EAX,3 |EAX=EAX SHL 3=138
0049304D |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C] |
00493050 |. E8 1B62F7FF CALL DownFile.00409270 |十六进制到十进制"312"
00493055 |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] |EDX=312
00493058 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] |
0049305B |. E8 B417F7FF CALL DownFile.00404814 |
00493060 |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28] |
00493063 |. 50 PUSH EAX |
00493064 |. B9 02000000 MOV ECX,2 |
00493069 |. BA 03000000 MOV EDX,3 |
0049306E |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] |
00493071 |. E8 FAF3FAFF CALL DownFile.00442470 |取中间2位(82)
00493076 |. 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28] |
00493079 |. E8 2E63F7FF CALL DownFile.004093AC |8*A+2=52
0049307E |. 8D0440 LEA EAX,DWORD PTR DS:[EAX+EAX*2] |52*3=F6
00493081 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24] |
00493084 |. E8 E761F7FF CALL DownFile.00409270 |十六进制到十进制"246"
00493089 |. 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
0049308C |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0049308F |. E8 8017F7FF CALL DownFile.00404814
00493094 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] |真注册码56312246
00493097 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] |假注册码
0049309A |. E8 B918F7FF CALL DownFile.00404958
0049309F |. 75 04 JNZ SHORT DownFile.004930A5
004930A1 |. B3 01 MOV BL,1
004930A3 |. EB 02 JMP SHORT DownFile.004930A7
004930A5 |> 33DB XOR EBX,EBX
004930A7 |> 33C0 XOR EAX,EAX
004930A9 |. 5A POP EDX
004930AA |. 59 POP ECX
004930AB |. 59 POP ECX
004930AC |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004930AF |. 68 C9304900 PUSH DownFile.004930C9
004930B4 |> 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004930B7 |. BA 0A000000 MOV EDX,A
004930BC |. E8 AF14F7FF CALL DownFile.00404570
004930C1 . C3 RETN
004930C2 .^E9 250DF7FF JMP DownFile.00403DEC
004930C7 .^EB EB JMP SHORT DownFile.004930B4
004930C9 . 8BC3 MOV EAX,EBX
004930CB . 5E POP ESI
004930CC . 5B POP EBX
004930CD . 8BE5 MOV ESP,EBP
004930CF . 5D POP EBP
004930D0 . C3 RETN
注册算法:
1、取机器码(12位长度)的偶数位构成新的数字(6位长度)
504848328369→088239
2、取新数字首2位乘7
08:08*7 =56
3、取新数字末2位乘8
39:39*8=312
4、取新数字中间2位,乘3
82:82*3=246
5、将结果连接起来构成新数字56312246就是注册码。