菜鸟找算法还真给蒙出来了

标题：菜鸟找算法还真给蒙出来了
作者：小小网虫
时间：2010-09-08 20:46:47
链接：http://bbs.pediy.com/showthread.php?t=120060

初学破解，前几天都是弄弄暴破追追注册码什么的，总看那些大牛的算法分析很是膜拜。。。
今天终于下定决心研究研究算法（去网上找了一个目标软件小点代码好看的^_^），哈哈还没想到自己不太懂汇编代码，还能蒙出算法。

说说咱菜鸟的方法，那肯定是先查找字符串了，发现有错误提示信息（注册码错误的提示框），嘿嘿有这个就好办了，超级字符串查找找到错误信息后双击错误信息来到汇编代码窗口，看HEX数据左边有一条粗黑线往上找到头就在那里 00475E3C 下断点，以下是一些要看的代码。90% 看不懂==!

目标程序下载地址：http://www.duote.com/soft/21382.html

-----------这里是断点的位置---------------------------

引用:

00475E3C  /.  55            PUSH EBP
00475E3D  |.  8BEC          MOV EBP,ESP
00475E3F  |.  83C4 F8       ADD ESP,-8
00475E42  |.  53            PUSH EBX
00475E43  |.  56            PUSH ESI
00475E44  |.  33C9          XOR ECX,ECX
00475E46  |.  894D F8       MOV DWORD PTR SS:[EBP-8],ECX
00475E49  |.  8BD8          MOV EBX,EAX
00475E4B  |.  33C0          XOR EAX,EAX
00475E4D  |.  55            PUSH EBP
00475E4E  |.  68 405F4700   PUSH QQTelesc.00475F40
00475E53  |.  64:FF30       PUSH DWORD PTR FS:[EAX]
00475E56  |.  64:8920       MOV DWORD PTR FS:[EAX],ESP
00475E59  |.  A1 C8DC4E00   MOV EAX,DWORD PTR DS:[4EDCC8]
00475E5E  |.  8B48 0C       MOV ECX,DWORD PTR DS:[EAX+C]
00475E61  |.  B2 01         MOV DL,1
00475E63  |.  A1 08304700   MOV EAX,DWORD PTR DS:[473008]
00475E68  |.  E8 4BD2FFFF   CALL QQTelesc.004730B8
00475E6D  |.  8945 FC       MOV DWORD PTR SS:[EBP-4],EAX             ;  T0G
00475E70  |.  33C0          XOR EAX,EAX                              ;  eax 0
00475E72  |.  55            PUSH EBP
00475E73  |.  68 235F4700   PUSH QQTelesc.00475F23
00475E78  |.  64:FF30       PUSH DWORD PTR FS:[EAX]
00475E7B  |.  64:8920       MOV DWORD PTR FS:[EAX],ESP
00475E7E  |.  8D55 F8       LEA EDX,DWORD PTR SS:[EBP-8]
00475E81  |.  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
00475E87  |.  E8 3834FDFF   CALL QQTelesc.004492C4
00475E8C  |.  8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]             ;  假注册码
00475E8F  |.  50            PUSH EAX                                 ;  假注册码入栈
00475E90  |.  B9 585F4700   MOV ECX,QQTelesc.00475F58                ;  注册码
00475E95  |.  BA 685F4700   MOV EDX,QQTelesc.00475F68                ;  信息
00475E9A  |.  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]             ;  SS:[EBP-4] T0G
00475E9D  |.  8B30          MOV ESI,DWORD PTR DS:[EAX]
00475E9F  |.  FF56 04       CALL DWORD PTR DS:[ESI+4]
00475EA2  |.  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00475EA5  |.  8B10          MOV EDX,DWORD PTR DS:[EAX]
00475EA7  |.  FF52 54       CALL DWORD PTR DS:[EDX+54]
00475EAA  |.  A1 C8DC4E00   MOV EAX,DWORD PTR DS:[4EDCC8]
00475EAF  |.  E8 74F8FFFF   CALL QQTelesc.00475728                   ; F7进去找了半天这是才是关键(菜鸟笨啊)
00475EB4  |.  84C0          TEST AL,AL
00475EB6  |.  74 1A         JE SHORT QQTelesc.00475ED2
00475EB8  |.  B9 785F4700   MOV ECX,QQTelesc.00475F78                ;  提示
00475EBD  |.  33D2          XOR EDX,EDX
00475EBF  |.  B8 885F4700   MOV EAX,QQTelesc.00475F88                ;  注册成功！
00475EC4  |.  E8 ABF0FFFF   CALL QQTelesc.00474F74
00475EC9  |.  8BC3          MOV EAX,EBX
00475ECB  |.  E8 400EFFFF   CALL QQTelesc.00466D10
00475ED0  |.  EB 3B         JMP SHORT QQTelesc.00475F0D
00475ED2  |>  6A 00         PUSH 0
00475ED4  |.  B9 585F4700   MOV ECX,QQTelesc.00475F58                ;  注册码
00475ED9  |.  BA 685F4700   MOV EDX,QQTelesc.00475F68                ;  信息
00475EDE  |.  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00475EE1  |.  8B30          MOV ESI,DWORD PTR DS:[EAX]
00475EE3  |.  FF56 04       CALL DWORD PTR DS:[ESI+4]
00475EE6  |.  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00475EE9  |.  8B10          MOV EDX,DWORD PTR DS:[EAX]
00475EEB  |.  FF52 54       CALL DWORD PTR DS:[EDX+54]
00475EEE  |.  B9 785F4700   MOV ECX,QQTelesc.00475F78                ;  提示
00475EF3  |.  33D2          XOR EDX,EDX
00475EF5  |.  B8 9C5F4700   MOV EAX,QQTelesc.00475F9C                ;  注册失败，请填写正确的注册码！
00475EFA  |.  E8 75F0FFFF   CALL QQTelesc.00474F74
00475EFF  |.  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
00475F05  |.  8B10          MOV EDX,DWORD PTR DS:[EAX]
00475F07  |.  FF92 C0000000 CALL DWORD PTR DS:[EDX+C0]
00475F0D  |>  33C0          XOR EAX,EAX
00475F0F  |.  5A            POP EDX
00475F10  |.  59            POP ECX
00475F11  |.  59            POP ECX
00475F12  |.  64:8910       MOV DWORD PTR FS:[EAX],EDX
00475F15  |.  68 2A5F4700   PUSH QQTelesc.00475F2A
00475F1A  |>  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00475F1D  |.  E8 BAD8F8FF   CALL QQTelesc.004037DC
00475F22  \.  C3            RETN

-----------第一次Call到这里来---------------------------

引用:

00475728  /$  55            PUSH EBP
00475729  |.  8BEC          MOV EBP,ESP
0047572B  |.  6A 00         PUSH 0
0047572D  |.  6A 00         PUSH 0
0047572F  |.  6A 00         PUSH 0
00475731  |.  53            PUSH EBX
00475732  |.  56            PUSH ESI
00475733  |.  57            PUSH EDI
00475734  |.  8BD8          MOV EBX,EAX
00475736  |.  33C0          XOR EAX,EAX
00475738  |.  55            PUSH EBP
00475739  |.  68 B7574700   PUSH QQTelesc.004757B7
0047573E  |.  64:FF30       PUSH DWORD PTR FS:[EAX]
00475741  |.  64:8920       MOV DWORD PTR FS:[EAX],ESP
00475744  |.  8B4B 0C       MOV ECX,DWORD PTR DS:[EBX+C]
00475747  |.  B2 01         MOV DL,1
00475749  |.  A1 08304700   MOV EAX,DWORD PTR DS:[473008]
0047574E  |.  E8 65D9FFFF   CALL QQTelesc.004730B8
00475753  |.  8BF0          MOV ESI,EAX
00475755  |.  6A 00         PUSH 0
00475757  |.  8D45 FC       LEA EAX,DWORD PTR SS:[EBP-4]
0047575A  |.  50            PUSH EAX
0047575B  |.  B9 D0574700   MOV ECX,QQTelesc.004757D0                ;  注册码
00475760  |.  BA E0574700   MOV EDX,QQTelesc.004757E0                ;  信息
00475765  |.  8BC6          MOV EAX,ESI
00475767  |.  8B38          MOV EDI,DWORD PTR DS:[EAX]
00475769  |.  FF17          CALL DWORD PTR DS:[EDI]
0047576B  |.  8BC6          MOV EAX,ESI
0047576D  |.  E8 6AE0F8FF   CALL QQTelesc.004037DC
00475772  |.  8D55 F4       LEA EDX,DWORD PTR SS:[EBP-C]
00475775  |.  8BC3          MOV EAX,EBX
00475777  |.  E8 B4FEFFFF   CALL QQTelesc.00475630
0047577C  |.  8B45 F4       MOV EAX,DWORD PTR SS:[EBP-C]             ;  QQWYJ9VMF4Z15 机器码
0047577F  |.  E8 E0F3FFFF   CALL QQTelesc.00474B64
00475784  |.  8D55 F8       LEA EDX,DWORD PTR SS:[EBP-8]
00475787  |.  E8 B436F9FF   CALL QQTelesc.00408E40                   ;  F7进去把机器码转换为注册码
0047578C  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]             ;  219105 这里是上面call计算后的真实注册码
0047578F  |.  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]             ;  假码
00475792  |.  E8 CDF1F8FF   CALL QQTelesc.00404964
00475797  |.  0F94C0        SETE AL
0047579A  |.  8BD8          MOV EBX,EAX
0047579C  |.  33C0          XOR EAX,EAX
0047579E  |.  5A            POP EDX
0047579F  |.  59            POP ECX
004757A0  |.  59            POP ECX
004757A1  |.  64:8910       MOV DWORD PTR FS:[EAX],EDX
004757A4  |.  68 BE574700   PUSH QQTelesc.004757BE
004757A9  |>  8D45 F4       LEA EAX,DWORD PTR SS:[EBP-C]
004757AC  |.  BA 03000000   MOV EDX,3
004757B1  |.  E8 D6EDF8FF   CALL QQTelesc.0040458C
004757B6  \.  C3            RETN

-----------第二次Call到这里来---------------------------

引用:

00474B64  /$  55            PUSH EBP
00474B65  |.  8BEC          MOV EBP,ESP
00474B67  |.  83C4 F8       ADD ESP,-8
00474B6A  |.  53            PUSH EBX
00474B6B  |.  56            PUSH ESI
00474B6C  |.  57            PUSH EDI
00474B6D  |.  8945 FC       MOV DWORD PTR SS:[EBP-4],EAX             ;  机器码
00474B70  |.  8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]
00474B73  |.  E8 90FEF8FF   CALL QQTelesc.00404A08
00474B78  |.  33C0          XOR EAX,EAX
00474B7A  |.  55            PUSH EBP
00474B7B  |.  68 EA4B4700   PUSH QQTelesc.00474BEA
00474B80  |.  64:FF30       PUSH DWORD PTR FS:[EAX]
00474B83  |.  64:8920       MOV DWORD PTR FS:[EAX],ESP
00474B86  |.  BB 01000000   MOV EBX,1
00474B8B  |.  BE 02000000   MOV ESI,2
00474B90  |.  33FF          XOR EDI,EDI
00474B92  |.  33C0          XOR EAX,EAX
00474B94  |.  8945 F8       MOV DWORD PTR SS:[EBP-8],EAX
00474B97  |.  EB 0D         JMP SHORT QQTelesc.00474BA6
00474B99  |>  8B45 FC       /MOV EAX,DWORD PTR SS:[EBP-4]            ;  机器码
00474B9C  |.  0FB64418 FF   |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]       ;  取机器码第n位奇数位
00474BA1  |.  03F8          |ADD EDI,EAX                             ;  edi=edi+eax(取的那位)
00474BA3  |.  83C3 02       |ADD EBX,2                               ;  ebx加2
00474BA6  |>  8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]            ;  机器码
00474BA9  |.  E8 72FCF8FF   |CALL QQTelesc.00404820
00474BAE  |.  3BD8          |CMP EBX,EAX
00474BB0  |.^ 7E E7         \JLE SHORT QQTelesc.00474B99
00474BB2  |.  EB 0E         JMP SHORT QQTelesc.00474BC2
00474BB4  |>  8B45 FC       /MOV EAX,DWORD PTR SS:[EBP-4]            ;  机器码
00474BB7  |.  0FB64430 FF   |MOVZX EAX,BYTE PTR DS:[EAX+ESI-1]       ;  取机器码第n位偶数位
00474BBC  |.  0145 F8       |ADD DWORD PTR SS:[EBP-8],EAX            ;  ebp-8 = ebp-8 +eax(取的那位)
00474BBF  |.  83C6 02       |ADD ESI,2                               ;  esi加2
00474BC2  |>  8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]            ;  机器码
00474BC5  |.  E8 56FCF8FF   |CALL QQTelesc.00404820
00474BCA  |.  3BF0          |CMP ESI,EAX
00474BCC  |.^ 7E E6         \JLE SHORT QQTelesc.00474BB4
00474BCE  |.  8BDF          MOV EBX,EDI
00474BD0  |.  0FAF5D F8     IMUL EBX,DWORD PTR SS:[EBP-8]            ;  偶数和与奇数和相乘结果就是注册码
00474BD4  |.  33C0          XOR EAX,EAX
00474BD6  |.  5A            POP EDX
00474BD7  |.  59            POP ECX
00474BD8  |.  59            POP ECX
00474BD9  |.  64:8910       MOV DWORD PTR FS:[EAX],EDX
00474BDC  |.  68 F14B4700   PUSH QQTelesc.00474BF1
00474BE1  |>  8D45 FC       LEA EAX,DWORD PTR SS:[EBP-4]
00474BE4  |.  E8 7FF9F8FF   CALL QQTelesc.00404568
00474BE9  \.  C3            RETN

-----------以下是注册机生成代码---------------------------

引用:

    a="" '你的机器码
    For i=1 To Len(a) Step 2
      b=b+Asc(Mid(a,i,1))
      c=c+Asc(Mid(a,i+1,1))
    Next
    d=b*c

    d就是注册码啦。。。。

注册机.rar
-----------------------------------------------------------

菜鸟第一次写文章大家见笑了啊。。。。