【破文作者】 YuanQiao[BCG][]
【文章题目】 IE收藏夹管理小精灵
【下载地址】 http://www.nanhoo.com/pro/favorite/favoriteSetup.exe
----------------------------------------------------------------------------------------------
【破解工具】 PEiD, OllyDbg
【破解难度】 +++初级+++
【破解平台】 WinXP SP2
----------------------------------------------------------------------------------------------
【破解过程】
用PEiD检测显示《Borland Delphi 6.0 - 7.0》无壳。
运行软件,注册无提示。
用OLLYDBG载入之后,使用字符串参考。
看到一些字符:
\\.\PhysicalDrive0
regCode
regUser
通过下面计算后,说明找的断点是正确的。
004EB0C4 /. 55 PUSH EBP
004EB0C5 |. 8BEC MOV EBP,ESP
004EB0C7 |. 33C9 XOR ECX,ECX
004EB0C9 |. 51 PUSH ECX
004EB0CA |. 51 PUSH ECX
004EB0CB |. 51 PUSH ECX
004EB0CC |. 51 PUSH ECX
004EB0CD |. 33C0 XOR EAX,EAX
004EB0CF |. 55 PUSH EBP
004EB0D0 |. 68 35B14E00 PUSH Favorite.004EB135
004EB0D5 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004EB0D8 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004EB0DB |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004EB0DE |. E8 592BFFFF CALL Favorite.004DDC3C ; 计算机器码(如有兴趣可以进去看一看)
004EB0E3 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004EB0E6 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004EB0E9 |. E8 AE33FFFF CALL Favorite.004DE49C ; 计算真注册码的MD5值
004EB0EE |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; 把真注册码的MD5值给EAX
004EB0F1 |. 50 PUSH EAX
004EB0F2 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004EB0F5 |. B8 48B14E00 MOV EAX,Favorite.004EB148 ; ASCII "regCode"
004EB0FA |. E8 D131FFFF CALL Favorite.004DE2D0 ; 计算假注册码的MD5值
004EB0FF |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; 把假注册码的MD5值给EAX
004EB102 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004EB105 |. E8 D6E0F1FF CALL Favorite.004091E0
004EB10A |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004EB10D |. 58 POP EAX
004EB10E |. E8 1D9BF1FF CALL Favorite.00404C30 ; 比较两个MD5值是否相等
004EB113 74 05 JE SHORT Favorite.004EB11A ; 这个就是爆破口
004EB115 |. E8 9EDDFFFF CALL Favorite.004E8EB8
004EB11A |> 33C0 XOR EAX,EAX
004EB11C |. 5A POP EDX
004EB11D |. 59 POP ECX
004EB11E |. 59 POP ECX
004EB11F |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004EB122 |. 68 3CB14E00 PUSH Favorite.004EB13C
004EB127 |> 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004EB12A |. BA 04000000 MOV EDX,4
004EB12F |. E8 1497F1FF CALL Favorite.00404848
004EB134 \. C3 RETN
计算机器码
---------004EB0DE |. E8 592BFFFF CALL Favorite.004DDC3C ---------
004DDC3C /$ 55 PUSH EBP
004DDC3D |. 8BEC MOV EBP,ESP
004DDC3F |. 33C9 XOR ECX,ECX
004DDC41 |. 51 PUSH ECX
004DDC42 |. 51 PUSH ECX
004DDC43 |. 51 PUSH ECX
004DDC44 |. 51 PUSH ECX
004DDC45 |. 51 PUSH ECX
004DDC46 |. 51 PUSH ECX
004DDC47 |. 51 PUSH ECX
004DDC48 |. 53 PUSH EBX
004DDC49 |. 8BD8 MOV EBX,EAX
004DDC4B |. 33C0 XOR EAX,EAX
004DDC4D |. 55 PUSH EBP
004DDC4E |. 68 F2DC4D00 PUSH Favorite.004DDCF2
004DDC53 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004DDC56 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004DDC59 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004DDC5C |. E8 FF000000 CALL Favorite.004DDD60 ; 取硬盘物理序列号
004DDC61 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004DDC64 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004DDC67 |. E8 74B5F2FF CALL Favorite.004091E0
004DDC6C |. 837D EC 00 CMP DWORD PTR SS:[EBP-14],0 ; 判断是否取到硬盘物理序列号
004DDC70 |. 75 08 JNZ SHORT Favorite.004DDC7A
004DDC72 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004DDC75 |. E8 16030000 CALL Favorite.004DDF90 ; 取C盘逻辑序列号
004DDC7A |> 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004DDC7D |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004DDC80 |. E8 5BB5F2FF CALL Favorite.004091E0
004DDC85 |. 837D E8 00 CMP DWORD PTR SS:[EBP-18],0 ; 判断是否取到C盘逻辑序列号
004DDC89 |. 75 35 JNZ SHORT Favorite.004DDCC0
004DDC8B |. 33C0 XOR EAX,EAX
004DDC8D |. E8 B2C2F2FF CALL Favorite.00409F44
004DDC92 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
004DDC95 |. 8955 F4 MOV DWORD PTR SS:[EBP-C],EDX
004DDC98 |. 68 08DD4D00 PUSH Favorite.004DDD08 ; ASCII "h0u0"
004DDC9D |. FF75 F4 PUSH DWORD PTR SS:[EBP-C] ; /Arg2
004DDCA0 |. FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; |Arg1
004DDCA3 |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C] ; |
004DDCA6 |. E8 11BAF2FF CALL Favorite.004096BC ; \Favorite.004096BC
004DDCAB |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
004DDCAE |. 68 18DD4D00 PUSH Favorite.004DDD18 ; ASCII "a9g5"
004DDCB3 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004DDCB6 |. BA 03000000 MOV EDX,3
004DDCBB |. E8 E46EF2FF CALL Favorite.00404BA4
004DDCC0 |> 8BC3 MOV EAX,EBX
004DDCC2 |. B9 28DD4D00 MOV ECX,Favorite.004DDD28 ; ASCII "21"
004DDCC7 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004DDCCA |. E8 616EF2FF CALL Favorite.00404B30 ; 取到的序列号后加上21
004DDCCF |. 33C0 XOR EAX,EAX
004DDCD1 |. 5A POP EDX
004DDCD2 |. 59 POP ECX
004DDCD3 |. 59 POP ECX
004DDCD4 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004DDCD7 |. 68 F9DC4D00 PUSH Favorite.004DDCF9
004DDCDC |> 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004DDCDF |. BA 03000000 MOV EDX,3
004DDCE4 |. E8 5F6BF2FF CALL Favorite.00404848
004DDCE9 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004DDCEC |. E8 336BF2FF CALL Favorite.00404824
004DDCF1 \. C3 RETN
计算真注册码的MD5值
---------004EB0E9 |. E8 AE33FFFF CALL Favorite.004DE49C------------
004DE49C /$ 55 PUSH EBP
004DE49D |. 8BEC MOV EBP,ESP
004DE49F |. 83C4 B8 ADD ESP,-48
004DE4A2 |. 53 PUSH EBX
004DE4A3 |. 56 PUSH ESI
004DE4A4 |. 57 PUSH EDI
004DE4A5 |. 33C9 XOR ECX,ECX
004DE4A7 |. 894D B8 MOV DWORD PTR SS:[EBP-48],ECX
004DE4AA |. 894D CC MOV DWORD PTR SS:[EBP-34],ECX
004DE4AD |. 894D D0 MOV DWORD PTR SS:[EBP-30],ECX
004DE4B0 |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
004DE4B3 |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
004DE4B6 |. 894D D8 MOV DWORD PTR SS:[EBP-28],ECX
004DE4B9 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
004DE4BC |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004DE4BF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004DE4C2 |. E8 0D68F2FF CALL Favorite.00404CD4
004DE4C7 |. 33C0 XOR EAX,EAX
004DE4C9 |. 55 PUSH EBP
004DE4CA |. 68 C5E64D00 PUSH Favorite.004DE6C5
004DE4CF |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004DE4D2 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004DE4D5 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004DE4D8 |. 8B15 74ED4E00 MOV EDX,DWORD PTR DS:[4EED74] ; 取一固定字符串
004DE4DE |. E8 D963F2FF CALL Favorite.004048BC
004DE4E3 |. 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
004DE4E6 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; 取机器码
004DE4E9 |. E8 CAAAF2FF CALL Favorite.00408FB8 ; 大写字母转换为小写字母
004DE4EE |. 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30]
004DE4F1 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004DE4F4 |. E8 C363F2FF CALL Favorite.004048BC
004DE4F9 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004DE4FC |. E8 2363F2FF CALL Favorite.00404824
004DE501 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004DE504 |. E8 DB65F2FF CALL Favorite.00404AE4 ; 计算机器码位数
004DE509 |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX ; 机器码位数给[EBP-20]
004DE50C |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004DE50F |. E8 D065F2FF CALL Favorite.00404AE4 ; 计算固定字符串位数
004DE514 |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX ; 固定字符串位数给[EBP-24]
004DE517 |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
004DE51A |. 85C0 TEST EAX,EAX
004DE51C |. 0F8E F5000000 JLE Favorite.004DE617 ; 判断机器位数是否为空
004DE522 |. 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
004DE525 |. BB 01000000 MOV EBX,1
004DE52A |> 33F6 /XOR ESI,ESI
004DE52C |. 33C0 |XOR EAX,EAX
004DE52E |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX
004DE531 |. 83FB 01 |CMP EBX,1
004DE534 |. 75 05 |JNZ SHORT Favorite.004DE53B
004DE536 |. 8B75 E0 |MOV ESI,DWORD PTR SS:[EBP-20]
004DE539 |. EB 01 |JMP SHORT Favorite.004DE53C
004DE53B |> 4E |DEC ESI
004DE53C |> 3B5D E0 |CMP EBX,DWORD PTR SS:[EBP-20]
004DE53F |. 75 09 |JNZ SHORT Favorite.004DE54A
004DE541 |. C745 E4 01000>|MOV DWORD PTR SS:[EBP-1C],1
004DE548 |. EB 03 |JMP SHORT Favorite.004DE54D
004DE54A |> FF45 E4 |INC DWORD PTR SS:[EBP-1C]
004DE54D |> 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004DE550 |. 8A4418 FF |MOV AL,BYTE PTR DS:[EAX+EBX-1] ; 顺序取机器码位数的ASCII值
004DE554 |. E8 EFF9FFFF |CALL Favorite.004DDF48
004DE559 |. 8BF8 |MOV EDI,EAX
004DE55B |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004DE55E |. 8A4430 FF |MOV AL,BYTE PTR DS:[EAX+ESI-1]
004DE562 |. E8 E1F9FFFF |CALL Favorite.004DDF48
004DE567 |. 8945 EC |MOV DWORD PTR SS:[EBP-14],EAX
004DE56A |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004DE56D |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
004DE570 |. 8A4410 FF |MOV AL,BYTE PTR DS:[EAX+EDX-1]
004DE574 |. E8 CFF9FFFF |CALL Favorite.004DDF48
004DE579 |. 8945 E8 |MOV DWORD PTR SS:[EBP-18],EAX
004DE57C |. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
004DE57F |. 03C7 |ADD EAX,EDI
004DE581 |. 0345 E8 |ADD EAX,DWORD PTR SS:[EBP-18]
004DE584 |. 99 |CDQ
004DE585 |. F77D E0 |IDIV DWORD PTR SS:[EBP-20]
004DE588 |. 8BF2 |MOV ESI,EDX
004DE58A |. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
004DE58D |. 03C7 |ADD EAX,EDI
004DE58F |. 0345 E8 |ADD EAX,DWORD PTR SS:[EBP-18]
004DE592 |. 8BD3 |MOV EDX,EBX
004DE594 |. C1E2 02 |SHL EDX,2
004DE597 |. 4A |DEC EDX
004DE598 |. 0FAFD3 |IMUL EDX,EBX
004DE59B |. 03C2 |ADD EAX,EDX
004DE59D |. 85C0 |TEST EAX,EAX
004DE59F |. 79 03 |JNS SHORT Favorite.004DE5A4
004DE5A1 |. 83C0 07 |ADD EAX,7
004DE5A4 |> C1F8 03 |SAR EAX,3
004DE5A7 |. 03F0 |ADD ESI,EAX
004DE5A9 |. 3B75 DC |CMP ESI,DWORD PTR SS:[EBP-24] ; 比较是否小于0X55
004DE5AC |. 7E 14 |JLE SHORT Favorite.004DE5C2 ; 小于则跳
004DE5AE |. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
004DE5B1 |. 03C7 |ADD EAX,EDI
004DE5B3 |. 0345 E8 |ADD EAX,DWORD PTR SS:[EBP-18]
004DE5B6 |. 03C3 |ADD EAX,EBX
004DE5B8 |. B9 FF000000 |MOV ECX,0FF
004DE5BD |. 99 |CDQ
004DE5BE |. F7F9 |IDIV ECX
004DE5C0 |. 8BF0 |MOV ESI,EAX
004DE5C2 |> 85F6 |TEST ESI,ESI
004DE5C4 |. 7F 15 |JG SHORT Favorite.004DE5DB
004DE5C6 |. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
004DE5C9 |. 03C7 |ADD EAX,EDI
004DE5CB |. 0345 E8 |ADD EAX,DWORD PTR SS:[EBP-18]
004DE5CE |. 03C3 |ADD EAX,EBX
004DE5D0 |. B9 07000000 |MOV ECX,7
004DE5D5 |. 99 |CDQ
004DE5D6 |. F7F9 |IDIV ECX
004DE5D8 |. 8BF0 |MOV ESI,EAX
004DE5DA |. 46 |INC ESI
004DE5DB |> 3B75 DC |CMP ESI,DWORD PTR SS:[EBP-24] ; 比较是否小于0X55
004DE5DE |. 7E 13 |JLE SHORT Favorite.004DE5F3 ; 小于则跳
004DE5E0 |. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
004DE5E3 |. 03C7 |ADD EAX,EDI
004DE5E5 |. 0345 E8 |ADD EAX,DWORD PTR SS:[EBP-18]
004DE5E8 |. B9 FF000000 |MOV ECX,0FF
004DE5ED |. 99 |CDQ
004DE5EE |. F7F9 |IDIV ECX
004DE5F0 |. 8BF0 |MOV ESI,EAX
004DE5F2 |. 46 |INC ESI
004DE5F3 |> 8D45 CC |LEA EAX,DWORD PTR SS:[EBP-34]
004DE5F6 |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C]
004DE5F9 |. 8A5432 FF |MOV DL,BYTE PTR DS:[EDX+ESI-1] ; 取固定字符串对应位的值(取完之后的字符串就是真注册码的一半)
004DE5FD |. E8 0A64F2FF |CALL Favorite.00404A0C
004DE602 |. 8B55 CC |MOV EDX,DWORD PTR SS:[EBP-34]
004DE605 |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10]
004DE608 |. E8 DF64F2FF |CALL Favorite.00404AEC
004DE60D |. 43 |INC EBX
004DE60E |. FF4D D4 |DEC DWORD PTR SS:[EBP-2C]
004DE611 |.^ 0F85 13FFFFFF \JNZ Favorite.004DE52A
004DE617 |> 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
004DE61A |. A1 78ED4E00 MOV EAX,DWORD PTR DS:[4EED78]
004DE61F |. E8 F8F4FFFF CALL Favorite.004DDB1C ; 计算字符串的MD5值
004DE624 |. 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
004DE627 |. 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
004DE62A |. E8 61F5FFFF CALL Favorite.004DDB90
004DE62F |. 837D E0 02 CMP DWORD PTR SS:[EBP-20],2 ; 判断机器码位数是否小于等于2
004DE633 |. 7E 1F JLE SHORT Favorite.004DE654 ; 小于等于2,则以05补充。
004DE635 |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004DE638 |. 50 PUSH EAX
004DE639 |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
004DE63C |. B9 0D000000 MOV ECX,0D
004DE641 |. 99 CDQ
004DE642 |. F7F9 IDIV ECX
004DE644 |. 42 INC EDX ; 机器码位数与0D求余+1
004DE645 |. B9 01000000 MOV ECX,1 ; 这里是在MD5值中所取几个值的初值
004DE64A |. 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28] ; 把上面计算的MD5值给EAX
004DE64D |. E8 F266F2FF CALL Favorite.00404D44 ; 取机器码位数与0D求余+1在计算的MD5值中位数对应的值
004DE652 |. EB 0D JMP SHORT Favorite.004DE661
004DE654 |> 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004DE657 |. BA DCE64D00 MOV EDX,Favorite.004DE6DC ; ASCII "05"
004DE65C |. E8 5B62F2FF CALL Favorite.004048BC
004DE661 |> 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
004DE664 |. 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
004DE667 |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
004DE66A |. E8 C164F2FF CALL Favorite.00404B30
004DE66F |. 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48]
004DE672 |. 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
004DE675 |. E8 A2F4FFFF CALL Favorite.004DDB1C ; 这里显示真注册码。(把它进行MD5计算)
004DE67A |. 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
004DE67D |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004DE680 |. E8 0BF5FFFF CALL Favorite.004DDB90
004DE685 |. 33C0 XOR EAX,EAX
004DE687 |. 5A POP EDX
004DE688 |. 59 POP ECX
004DE689 |. 59 POP ECX
004DE68A |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004DE68D |. 68 CCE64D00 PUSH Favorite.004DE6CC
004DE692 |> 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
004DE695 |. E8 8A61F2FF CALL Favorite.00404824
004DE69A |. 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
004DE69D |. BA 02000000 MOV EDX,2
004DE6A2 |. E8 A161F2FF CALL Favorite.00404848
004DE6A7 |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004DE6AA |. E8 7561F2FF CALL Favorite.00404824
004DE6AF |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004DE6B2 |. BA 02000000 MOV EDX,2
004DE6B7 |. E8 8C61F2FF CALL Favorite.00404848
004DE6BC |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004DE6BF |. E8 6061F2FF CALL Favorite.00404824
004DE6C4 \. C3 RETN
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
计算字符串的MD5值
----------004DE61F |. E8 F8F4FFFF CALL Favorite.004DDB1C----------
004DDB1C /$ 55 PUSH EBP
004DDB1D |. 8BEC MOV EBP,ESP
004DDB1F |. 83C4 A4 ADD ESP,-5C
004DDB22 |. 53 PUSH EBX
004DDB23 |. 8BDA MOV EBX,EDX
004DDB25 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004DDB28 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004DDB2B |. E8 A471F2FF CALL Favorite.00404CD4
004DDB30 |. 33C0 XOR EAX,EAX
004DDB32 |. 55 PUSH EBP
004DDB33 |. 68 82DB4D00 PUSH Favorite.004DDB82
004DDB38 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004DDB3B |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004DDB3E |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
004DDB41 |. E8 AEFEFFFF CALL Favorite.004DD9F4 ; 初始MD5值
004DDB46 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; 取MD5要计算的字符串到EAX
004DDB49 |. E8 966FF2FF CALL Favorite.00404AE4
004DDB4E |. 50 PUSH EAX
004DDB4F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004DDB52 |. E8 8D71F2FF CALL Favorite.00404CE4
004DDB57 |. 8BD0 MOV EDX,EAX
004DDB59 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
004DDB5C |. 59 POP ECX
004DDB5D |. E8 C6FEFFFF CALL Favorite.004DDA28
004DDB62 |. 8BD3 MOV EDX,EBX
004DDB64 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
004DDB67 |. E8 3CFFFFFF CALL Favorite.004DDAA8
004DDB6C |. 33C0 XOR EAX,EAX
004DDB6E |. 5A POP EDX
004DDB6F |. 59 POP ECX
004DDB70 |. 59 POP ECX
004DDB71 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004DDB74 |. 68 89DB4D00 PUSH Favorite.004DDB89
004DDB79 |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004DDB7C |. E8 A36CF2FF CALL Favorite.00404824
004DDB81 \. C3 RETN
初始MD5值
------004DDB41 |. E8 AEFEFFFF CALL Favorite.004DD9F4----------
004DD9F4 /$ C700 01234567 MOV DWORD PTR DS:[EAX],67452301 ; 跟进来到这里!看到下面的常数,标准的MD5算法
004DD9FA |. C740 04 89ABC>MOV DWORD PTR DS:[EAX+4],EFCDAB89
004DDA01 |. C740 08 FEDCB>MOV DWORD PTR DS:[EAX+8],98BADCFE
004DDA08 |. C740 0C 76543>MOV DWORD PTR DS:[EAX+C],10325476
004DDA0F |. 33D2 XOR EDX,EDX
004DDA11 |. 8950 10 MOV DWORD PTR DS:[EAX+10],EDX
004DDA14 |. 33D2 XOR EDX,EDX
004DDA16 |. 8950 14 MOV DWORD PTR DS:[EAX+14],EDX
004DDA19 |. 83C0 18 ADD EAX,18
004DDA1C |. BA 40000000 MOV EDX,40
004DDA21 |. E8 D6A1F2FF CALL Favorite.00407BFC
004DDA26 \. C3 RETN
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
程序用到两个固定字符为:
yhn234jukimlpo3982bgtvfr21decxsz34aweq这个进行MD5计算后为:09c8b1c09c1b914bab8cdaf685fb9c96
askdfjk2asd3fjlasdp43lmkoijnh32ubgyvftr3dcxzsaewq10928374653940348023klnlx34cn834efkn
----------------------------------------------------------------------------------------------
【算法总结】
根据上面算法分析总结C程序算法为:
=============================================
#include "Stdio.h"
#include "Conio.h"
#include "Ctype.h"
int main(void)
{static char char1[]={"09c8b1c09c1b914bab8cdaf685fb9c96"};
static char char2[30];
static char char4[]={"askdfjk2asd3fjlasdp43lmkoijnh32ubgyvftr3dcxzsaewq10928374653940348023klnlx34cn834efkn"};
long char3[30],char5[30];
int i,temp;
scanf("%s",char2);
temp=strlen(char2);
for (i=0;i<temp;i++)
{char2[i]=tolower(char2[i]);
if (char2[i]>=0x30&&char2[i]<=0x39)
{if (i==0)
{if (char2[0]>=0x30&&char2[0]<=0x39)
char3[i]=(char2[i]-0x30+0x1a)+0x1b+(char2[0]-0x30+0x1a);
if (char2[0]>=0x61&&char2[0]<=0x7a)
char3[i]=(char2[i]-0x30+0x1a)+0x1b+(char2[0]-0x30);
}
else
{if (char2[0]>=0x30&&char2[0]<=0x39)
char3[i]=(char2[i]-0x30+0x1a)+(char2[0]-0x30+0x1a);
if (char2[0]>=0x61&&char2[0]<=0x7a)
char3[i]=(char2[i]-0x30+0x1a)+(char2[0]-0x30);
}
}
if (char2[i]>=0x61&&char2[i]<=0x7a)
{if (i==0)
{if (char2[0]>=0x30&&char2[0]<=0x39)
{char3[i]=(char2[i]-0x30)+0x1b+(char2[0]-0x30+0x1a);
}
if (char2[0]>=0x61&&char2[0]<=0x7a)
{char3[i]=(char2[i]-0x30)+0x1b+(char2[0]-0x30);
}
}
else
{if (char2[0]>=0x30&&char2[0]<=0x39)
char3[i]=(char2[i]-0x30)+(char2[0]-0x30+0x1a);
if (char2[0]>=0x61&&char2[0]<=0x7a)
char3[i]=(char2[i]-0x30)+(char2[0]-0x30);
}
}
char5[i]=((((i+1)*(i+1)*0x4-(i+1))+char3[i])>>0x3)+char3[i]%temp;
if (char5[i]>0x55)
char5[i]=(char3[i]+(i+1))/7+1;
printf("%c",char4[char5[i]-1]);
}
printf("%c",char1[temp%0xd]);
getch();
return 0;
}
由于刚刚学习编程,设计不好,还请指教。
注册信息在注册表中
[HKEY_LOCAL_MACHINE\SOFTWARE\Favorite]
"regCode"="1677bf79d55d8432a06d90f4836cd033"
"regUser"="THANKYOU"
机器码为:0000000000000021
注册码为:o3jdljgdq534ssss8
机器码为:h0u09992126464a9g521
注册码为:vjkpgras90nllldapall0
----------------------------------------------------------------------------------------------
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
----------------------------------------------------------------------------------------------
文章写于2005-11-7 22:19:15