【破文标题】IE终极加速简单算法分析
【破文作者】wuhanqi[CR][ICY][48PG]
【作者邮箱】wuhanqi@qq.com
【作者主页】http://www.edisk.org/?wuhanqi
【软件名称】IE终极加速 v3.0 汉化版
【破解声明】菜鸟一个,还需多多学习
------------------------------------------------------------------------
【破解过程】一、脱壳 工具简单搞定
二、通过bp MessageBoxA这个断点 很快找到这里:
0049946C . 55 push ebp
0049946D . 8BEC mov ebp, esp
0049946F . B9 0A000000 mov ecx, 0A
00499474 > 6A 00 push 0
00499476 . 6A 00 push 0
00499478 . 49 dec ecx
00499479 .^ 75 F9 jnz short 00499474
0049947B . 51 push ecx
0049947C . 53 push ebx
0049947D . 56 push esi
0049947E . 57 push edi
0049947F . 8945 FC mov dword ptr [ebp-4], eax
00499482 . 33C0 xor eax, eax
00499484 . 55 push ebp
00499485 . 68 75984900 push 00499875
0049948A . 64:FF30 push dword ptr fs:[eax]
0049948D . 64:8920 mov dword ptr fs:[eax], esp
00499490 . 8D55 E4 lea edx, dword ptr [ebp-1C]
00499493 . 8B45 FC mov eax, dword ptr [ebp-4]
00499496 . 8B80 00030000 mov eax, dword ptr [eax+300]
0049949C . E8 A385FAFF call 00441A44
004994A1 . 8B45 E4 mov eax, dword ptr [ebp-1C]
004994A4 . E8 87B5F6FF call 00404A30
004994A9 . 05 57040000 add eax, 457
004994AE . 8D55 E8 lea edx, dword ptr [ebp-18]
004994B1 . E8 06FBF6FF call 00408FBC
004994B6 . 8D55 E0 lea edx, dword ptr [ebp-20]
004994B9 . 8B45 FC mov eax, dword ptr [ebp-4]
004994BC . 8B80 00030000 mov eax, dword ptr [eax+300]
004994C2 . E8 7D85FAFF call 00441A44
004994C7 . 8B45 E0 mov eax, dword ptr [ebp-20]
004994CA . BA 8C984900 mov edx, 0049988C ; ASCII "DiSTiNCT"
004994CF . E8 A0B6F6FF call 00404B74
004994D4 . 0F84 EA020000 je 004997C4
004994DA . 8D55 DC lea edx, dword ptr [ebp-24]
004994DD . 8B45 FC mov eax, dword ptr [ebp-4]
004994E0 . 8B80 00030000 mov eax, dword ptr [eax+300]
004994E6 . E8 5985FAFF call 00441A44
004994EB . 8B45 DC mov eax, dword ptr [ebp-24]
004994EE . BA A0984900 mov edx, 004998A0 ; ASCII "Team iNSaNE"
004994F3 . E8 7CB6F6FF call 00404B74
004994F8 . 0F84 C6020000 je 004997C4
004994FE . 8D55 D8 lea edx, dword ptr [ebp-28]
00499501 . 8B45 FC mov eax, dword ptr [ebp-4]
00499504 . 8B80 00030000 mov eax, dword ptr [eax+300]
0049950A . E8 3585FAFF call 00441A44
0049950F . 8B45 D8 mov eax, dword ptr [ebp-28]
00499512 . BA B4984900 mov edx, 004998B4 ; ASCII "TNT!2000"
00499517 . E8 58B6F6FF call 00404B74
0049951C . 0F84 A2020000 je 004997C4
00499522 . 8D55 D4 lea edx, dword ptr [ebp-2C]
00499525 . 8B45 FC mov eax, dword ptr [ebp-4]
00499528 . 8B80 00030000 mov eax, dword ptr [eax+300]
0049952E . E8 1185FAFF call 00441A44
00499533 . 8B45 D4 mov eax, dword ptr [ebp-2C]
00499536 . BA C8984900 mov edx, 004998C8 ; ASCII "-=Demian/TNT!=-"
0049953B . E8 34B6F6FF call 00404B74
00499540 . 0F84 7E020000 je 004997C4
00499546 . 8D55 D0 lea edx, dword ptr [ebp-30]
00499549 . 8B45 FC mov eax, dword ptr [ebp-4]
0049954C . 8B80 00030000 mov eax, dword ptr [eax+300]
00499552 . E8 ED84FAFF call 00441A44
00499557 . 8B45 D0 mov eax, dword ptr [ebp-30]
0049955A . BA E0984900 mov edx, 004998E0 ; ASCII "-=Demian/TNT!=- "
0049955F . E8 10B6F6FF call 00404B74
00499564 . 0F84 5A020000 je 004997C4
0049956A . 8D55 CC lea edx, dword ptr [ebp-34]
0049956D . 8B45 FC mov eax, dword ptr [ebp-4]
00499570 . 8B80 00030000 mov eax, dword ptr [eax+300]
00499576 . E8 C984FAFF call 00441A44
0049957B . 8B45 CC mov eax, dword ptr [ebp-34]
0049957E . BA FC984900 mov edx, 004998FC ; ASCII "DiSTiNCT "
00499583 . E8 ECB5F6FF call 00404B74
00499588 . 0F84 36020000 je 004997C4
0049958E . 8D55 C8 lea edx, dword ptr [ebp-38]
00499591 . 8B45 FC mov eax, dword ptr [ebp-4]
00499594 . 8B80 00030000 mov eax, dword ptr [eax+300]
0049959A . E8 A584FAFF call 00441A44
0049959F . 8B45 C8 mov eax, dword ptr [ebp-38]
004995A2 . BA 10994900 mov edx, 00499910 ; ASCII "TMG"
004995A7 . E8 C8B5F6FF call 00404B74
004995AC . 0F84 12020000 je 004997C4 ; 以上都是黑名单
004995B2 . 68 1C994900 push 0049991C ; 固定值C
004995B7 . 8B45 FC mov eax, dword ptr [ebp-4]
004995BA . FFB0 2C030000 push dword ptr [eax+32C] ; 固定字符 MW
004995C0 . 68 28994900 push 00499928 ; 固定字符20
004995C5 . FF75 E8 push dword ptr [ebp-18] ; 固定字符1118
004995C8 . 68 34994900 push 00499934
004995CD . 8D55 C0 lea edx, dword ptr [ebp-40]
004995D0 . 8B45 FC mov eax, dword ptr [ebp-4]
004995D3 . 8B80 00030000 mov eax, dword ptr [eax+300]
004995D9 . E8 6684FAFF call 00441A44
004995DE . 8B45 C0 mov eax, dword ptr [ebp-40]
004995E1 . 8D55 C4 lea edx, dword ptr [ebp-3C]
004995E4 . E8 E3FDFFFF call 004993CC ; 关键CALL 跟进 算出的结果设为A
004995E9 . FF75 C4 push dword ptr [ebp-3C]
004995EC . 8D45 EC lea eax, dword ptr [ebp-14]
004995EF . BA 06000000 mov edx, 6
004995F4 . E8 F7B4F6FF call 00404AF0 ; 将A与固定值串起来 CMW201118-A
004995F9 . 8D45 E8 lea eax, dword ptr [ebp-18]
004995FC . BA 40994900 mov edx, 00499940 ; ASCII "\System32\spool\drivers\w32x86\2\riched20.dll SetActiveEditControlFont, Arial, 30"
00499601 . E8 0AB2F6FF call 00404810
00499606 . 8D55 BC lea edx, dword ptr [ebp-44]
00499609 . 8B45 FC mov eax, dword ptr [ebp-4]
0049960C . 8B80 04030000 mov eax, dword ptr [eax+304]
00499612 . E8 2D84FAFF call 00441A44
00499617 . 8B55 BC mov edx, dword ptr [ebp-44]
0049961A . 8B45 EC mov eax, dword ptr [ebp-14]
0049961D . E8 4AB7F6FF call 00404D6C
00499622 . 85C0 test eax, eax
00499624 . 0F84 9A010000 je 004997C4
0049962A . 8B45 FC mov eax, dword ptr [ebp-4]
0049962D . 8B80 04030000 mov eax, dword ptr [eax+304]
00499633 . 33D2 xor edx, edx
00499635 . E8 3A84FAFF call 00441A74
0049963A . 8D45 EC lea eax, dword ptr [ebp-14]
0049963D . E8 36B1F6FF call 00404778
00499642 . 6A 00 push 0
00499644 . 68 94994900 push 00499994 ; ASCII "Registration Success!"
00499649 . 68 AC994900 push 004999AC ; ASCII " Thank you for your support.",CR,"We will work even harder and",CR,"notify you future releases."
0049964E . 8B45 FC mov eax, dword ptr [ebp-4]
00499651 . E8 B6EAFAFF call 0044810C
00499656 . 50 push eax ; |hOwner
00499657 . E8 C0E0F6FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0049965C . 8B45 FC mov eax, dword ptr [ebp-4]
0049965F . C680 31030000>mov byte ptr [eax+331], 0
00499666 . B2 01 mov dl, 1
00499668 . A1 48DD4600 mov eax, dword ptr [46DD48]
0049966D . E8 D647FDFF call 0046DE48
00499672 . 8945 F8 mov dword ptr [ebp-8], eax
00499675 . 33C0 xor eax, eax
00499677 . 55 push ebp
00499678 . 68 79974900 push 00499779
0049967D . 64:FF30 push dword ptr fs:[eax]
00499680 . 64:8920 mov dword ptr fs:[eax], esp
00499683 . BA 01000080 mov edx, 80000001
…… …… …… 省略 N行代码 …… …… ……
004997E4 . 8D45 EC lea eax, dword ptr [ebp-14]
004997E7 . BA 03000000 mov edx, 3
004997EC . E8 C3B5F6FF call 00404DB4
004997F1 . 8D45 EC lea eax, dword ptr [ebp-14]
004997F4 . BA 709A4900 mov edx, 00499A70 ; ASCII "$%^"
004997F9 . E8 12B0F6FF call 00404810
004997FE . 6A 00 push 0
00499800 . 68 749A4900 push 00499A74 ; ASCII "Invalid Registration Code"
00499805 . 68 909A4900 push 00499A90 ; ASCII "Please make sure the registration",CR,"code and the registration name are",CR,"correct."
0049980A . 8B45 FC mov eax, dword ptr [ebp-4]
0049980D . E8 FAE8FAFF call 0044810C
00499812 . 50 push eax ; |hOwner
00499813 . E8 04DFF6FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00499818 > 33C0 xor eax, eax
0049981A . 5A pop edx
0049981B . 59 pop ecx
0049981C . 59 pop ecx
0049981D . 64:8910 mov dword ptr fs:[eax], edx
00499820 . 68 7C984900 push 0049987C
00499825 > 8D45 AC lea eax, dword ptr [ebp-54]
00499828 . E8 4BAFF6FF call 00404778
0049982D . 8D45 B0 lea eax, dword ptr [ebp-50]
00499830 . E8 43AFF6FF call 00404778
00499835 . 8D45 B4 lea eax, dword ptr [ebp-4C]
00499838 . E8 3BAFF6FF call 00404778
0049983D . 8D45 B8 lea eax, dword ptr [ebp-48]
00499840 . E8 33AFF6FF call 00404778
00499845 . 8D45 BC lea eax, dword ptr [ebp-44]
00499848 . BA 02000000 mov edx, 2
0049984D . E8 4AAFF6FF call 0040479C
00499852 . 8D45 C4 lea eax, dword ptr [ebp-3C]
00499855 . E8 1EAFF6FF call 00404778
0049985A . 8D45 C8 lea eax, dword ptr [ebp-38]
0049985D . BA 08000000 mov edx, 8
00499862 . E8 35AFF6FF call 0040479C
00499867 . 8D45 E8 lea eax, dword ptr [ebp-18]
0049986A . BA 02000000 mov edx, 2
0049986F . E8 28AFF6FF call 0040479C
00499874 . C3 retn
00499875 .- E9 26A9F6FF jmp 004041A0
0049987A .^ EB A9 jmp short 00499825
0049987C . 5F pop edi
0049987D . 5E pop esi
0049987E . 5B pop ebx
0049987F . 8BE5 mov esp, ebp
00499881 . 5D pop ebp
00499882 . C3 retn
--------------------------------------------------
跟进004995E4 . E8 E3FDFFFF call 004993CC 来到
--------------------------------------------------
004993CC /$ 55 push ebp
004993CD |. 8BEC mov ebp, esp
004993CF |. 83C4 F0 add esp, -10
004993D2 |. 53 push ebx
004993D3 |. 56 push esi
004993D4 |. 57 push edi
004993D5 |. 33C9 xor ecx, ecx
004993D7 |. 894D F0 mov dword ptr [ebp-10], ecx
004993DA |. 894D F4 mov dword ptr [ebp-C], ecx
004993DD |. 8955 F8 mov dword ptr [ebp-8], edx
004993E0 |. 8945 FC mov dword ptr [ebp-4], eax
004993E3 |. 8B45 FC mov eax, dword ptr [ebp-4]
004993E6 |. E8 2DB8F6FF call 00404C18
004993EB |. 33C0 xor eax, eax
004993ED |. 55 push ebp
004993EE |. 68 5B944900 push 0049945B
004993F3 |. 64:FF30 push dword ptr fs:[eax]
004993F6 |. 64:8920 mov dword ptr fs:[eax], esp
004993F9 |. 8B45 FC mov eax, dword ptr [ebp-4] ; 用户名到EAX
004993FC |. E8 2FB6F6FF call 00404A30 ; 计算用户名位数
00499401 |. 8BD8 mov ebx, eax ; EAX到EBX
00499403 |. 85DB test ebx, ebx
00499405 |. 7E 26 jle short 0049942D
00499407 |. BF 01000000 mov edi, 1
0049940C |> 8B45 FC /mov eax, dword ptr [ebp-4]
0049940F |. 0FB67438 FF |movzx esi, byte ptr [eax+edi-1] ; 逐位取用户名ASCII码,到ESI
00499414 |. 8D55 F0 |lea edx, dword ptr [ebp-10]
00499417 |. 8BC6 |mov eax, esi ; ESI到EAX
00499419 |. E8 26FFFFFF |call 00499344 ; 保存在堆栈地址12F3AC
0049941E |. 8B55 F0 |mov edx, dword ptr [ebp-10] ; ASCII码到EDX
00499421 |. 8D45 F4 |lea eax, dword ptr [ebp-C]
00499424 |. E8 0FB6F6FF |call 00404A38 ; 把ASCII码串在之前的ASCII码之后
00499429 |. 47 |inc edi ; EDI+1
0049942A |. 4B |dec ebx ; EBX-1
0049942B |.^ 75 DF \jnz short 0049940C
0049942D |> 8B45 F8 mov eax, dword ptr [ebp-8]
00499430 |. 8B55 F4 mov edx, dword ptr [ebp-C]
00499433 |. E8 94B3F6FF call 004047CC
00499438 |. 33C0 xor eax, eax
0049943A |. 5A pop edx
0049943B |. 59 pop ecx
0049943C |. 59 pop ecx
0049943D |. 64:8910 mov dword ptr fs:[eax], edx
00499440 |. 68 62944900 push 00499462
00499445 |> 8D45 F0 lea eax, dword ptr [ebp-10]
00499448 |. BA 02000000 mov edx, 2
0049944D |. E8 4AB3F6FF call 0040479C
00499452 |. 8D45 FC lea eax, dword ptr [ebp-4]
00499455 |. E8 1EB3F6FF call 00404778
0049945A \. C3 retn
0049945B .- E9 40ADF6FF jmp 004041A0
00499460 .^ EB E3 jmp short 00499445
00499462 . 5F pop edi
00499463 . 5E pop esi
00499464 . 5B pop ebx
00499465 . 8BE5 mov esp, ebp
00499467 . 5D pop ebp
00499468 . C3 retn
------------------------------------------------------------------------
【破解总结】
算法超级简单
逐位取用户名ASCII码 再首尾串起来 结果设为A
与固定值 CMW201118 串起来 格式为 CMW201118-A 即为真码
E语言注册机源码:
.版本 2
.局部变量 name, 文本型
.局部变量 len, 整数型
.局部变量 sn, 文本型
.局部变量 i, 整数型
.局部变量 C, 文本型
.局部变量 sum, 文本型
name = 编辑框1.内容
len = 取文本长度 (name)
.计次循环首 (len, i)
C = 取十六进制文本 (取代码 (name, i))
sum = sum + C
.计次循环尾 ()
sn = “CMW201118” + “-” + sum
编辑框2.内容 = sn
------------------------------------------------------------------------
【版权声明】原创破文 仍需学习