注册你的Fast Browser4.01
URL:http://www.qwerks.com/download/2617/fbps.zip
用FILEINFO检测发现主程序是加了PECompact v1.40.2-5壳,用冲击波检测发现主程序的入口是502EC8(嘿嘿,感谢DBOY写的好东东),然后用TRW脱壳。
:004DB4CD 8D55F8
lea edx, dword ptr [ebp-08] <----装入用户名
:004DB4D0 8B83F8020000 mov eax, dword
ptr [ebx+000002F8]
:004DB4D6 E80D9CF5FF call 004350E8
\
:004DB4DB 837DF800 cmp
dword ptr [ebp-08], 00000000 |检测是否输入了用户名
:004DB4DF 751A
jne 004DB4FB
/
:004DB4E1 6A00
push 00000000
:004DB4E3 668B0D8CB64D00 mov cx, word ptr
[004DB68C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DB479(C)
|
:004DB4EA B202
mov dl, 02
* Possible StringData Ref from Code Obj ->"Please input your user name."
|
:004DB4EC B898B64D00 mov eax,
004DB698
:004DB4F1 E8D601F8FF call 0045B6CC
:004DB4F6 E933010000 jmp 004DB62E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DB4DF(C)
|
:004DB4FB A1F0635000 mov eax,
dword ptr [005063F0]
:004DB500 803800
cmp byte ptr [eax], 00
:004DB503 751C
jne 004DB521
:004DB505 B811000000 mov eax,
00000011
:004DB50A E85DBEFCFF call 004A736C
\
:004DB50F 84C0
test al, al |联上INTERNET吗?
:004DB511 741A
je 004DB52D /没有,去死吧,把741a改成9090
:004DB513 B810000000 mov eax,
00000010
:004DB518 E84FBEFCFF call 004A736C
\
:004DB51D 84C0
test al, al |联上INTERNET吗?
:004DB51F 740C
je 004DB52D /没有,去死吧,把740c改成9090
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004DB503(C)
|
:004DB521 8BC3
mov eax, ebx
:004DB523 E818FDFFFF call 004DB240
call(1)<---比对注册码的call,进去看看
:004DB528 E901010000 jmp 004DB62E
<---跳到出错信息“错误的注册信息”
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004DB511(C), :004DB51F(C)
|
:004DB52D 8D45FC
lea eax, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"Connect to the Internet now so "
->"the program
can
check your registration "
->"information
online."
|
:004DB530 BAC0B64D00 mov edx,
004DB6C0
_________________________________________________________________________________________
call(1)
:004D4A48 55
push ebp <----我们停在这里
:004D4A49 8BEC
mov ebp, esp
:004D4A4B 83C4F4
add esp, FFFFFFF4
:004D4A4E 53
push ebx
:004D4A4F 33C9
xor ecx, ecx
:004D4A51 894DF4
mov dword ptr [ebp-0C], ecx
:004D4A54 8955F8
mov dword ptr [ebp-08], edx
:004D4A57 8945FC
mov dword ptr [ebp-04], eax
:004D4A5A 8B45FC
mov eax, dword ptr [ebp-04]
:004D4A5D E842F7F2FF call 004041A4
:004D4A62 8B45F8
mov eax, dword ptr [ebp-08]
:004D4A65 E83AF7F2FF call 004041A4
:004D4A6A 33C0
xor eax, eax
:004D4A6C 55
push ebp
:004D4A6D 680F4B4D00 push 004D4B0F
:004D4A72 64FF30
push dword ptr fs:[eax]
:004D4A75 648920
mov dword ptr fs:[eax], esp
:004D4A78 837DFC00 cmp
dword ptr [ebp-04], 00000000
:004D4A7C 741E
je 004D4A9C
:004D4A7E 837DF800 cmp
dword ptr [ebp-08], 00000000
:004D4A82 7418
je 004D4A9C
:004D4A84 8D55F4
lea edx, dword ptr [ebp-0C]
:004D4A87 8B45FC
mov eax, dword ptr [ebp-04]
:004D4A8A E8D1FEFFFF call 004D4960
<----算法,进去看看
:004D4A8F 8B55F4
mov edx, dword ptr [ebp-0C] <----真码
:004D4A92 8B45F8
mov eax, dword ptr [ebp-08] <----假码(我们输入的)
:004D4A95 E866F6F2FF call 00404100
call(2) <----关键比对
:004D4A9A 7404
je 004D4AA0
<----相等,注册成功
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004D4A7C(C), :004D4A82(C)
|
:004D4A9C 33DB
xor ebx, ebx
:004D4A9E EB02
jmp 004D4AA2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D4A9A(C)
|
:004D4AA0 B301
mov bl, 01
_______________________________________________________________________________________
call(2)(注意:下面列出的是004D4960,即上文标注“算法,进去看看”的那个call,而不是上文标为call(2)的比对call 00404100)
:004D4960 55
push ebp <----我们停在这里
:004D4961 8BEC
mov ebp, esp
:004D4963 6A00
push 00000000
:004D4965 6A00
push 00000000
:004D4967 6A00
push 00000000
:004D4969 53
push ebx
:004D496A 56
push esi
:004D496B 57
push edi
:004D496C 8BF2
mov esi, edx
:004D496E 8945FC
mov dword ptr [ebp-04], eax
:004D4971 8B45FC
mov eax, dword ptr [ebp-04]
:004D4974 E82BF8F2FF call 004041A4
:004D4979 33C0
xor eax, eax
:004D497B 55
push ebp
:004D497C 683A4A4D00 push 004D4A3A
:004D4981 64FF30
push dword ptr fs:[eax]
:004D4984 648920
mov dword ptr fs:[eax], esp
:004D4987 8BC6
mov eax, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D4922(C)
|
:004D4989 E8E2F3F2FF call 00403D70
:004D498E 8B45FC
mov eax, dword ptr [ebp-04]
:004D4991 E85AF6F2FF call 00403FF0
<----检测注册名的长度
:004D4996 83F803
cmp eax, 00000003 <----长度不少于3吗?
:004D4999 0F8C80000000 jl 004D4A1F
<----跳,就死拉
:004D499F 803D6C5E500000 cmp byte ptr [00505E6C],
00
:004D49A6 743E
je 004D49E6
:004D49A8 8B45FC
mov eax, dword ptr [ebp-04]
:004D49AB E840F6F2FF call 00403FF0
:004D49B0 8BF8
mov edi, eax
:004D49B2 85FF
test edi, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D494F(C)
|
:004D49B4 7E69
jle 004D4A1F
:004D49B6 BB01000000 mov ebx,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D49E2(C)
|
:004D49BB 8B45FC
mov eax, dword ptr [ebp-04]
:004D49BE 0FB64418FF movzx eax,
byte ptr [eax+ebx-01]<----取注册名第ebx个字符的ASCII码(ebx是从1开始递增的循环下标,edi才是长度计数)
:004D49C3 B90A000000 mov ecx,
0000000A <----赋值
:004D49C8 33D2
xor edx, edx
<----edx清零
:004D49CA F7F1
div ecx
:004D49CC 8BC2
mov eax, edx
<----将余数放入eax(也就是真注册码)
:004D49CE 8D55F8
lea edx, dword ptr [ebp-08]
:004D49D1 E8BA49F3FF call 00409390
:004D49D6 8B55F8
mov edx, dword ptr [ebp-08]
:004D49D9 8BC6
mov eax, esi
:004D49DB E818F6F2FF call 00403FF8
:004D49E0 43
inc ebx
:004D49E1 4F
dec edi
:004D49E2 75D7
jne 004D49BB
<----循环
^_^算法简单吧
Jieao[CCG]
3177117154
004DB511 741a,9090
004DB51F 740c,9090
注册成功后,安装目录中会生成一个xxxx.key文件(我的是8686.key),\安装目录\Search\下会生成一个reg文件,
注册表中会添加HKEY_CURRENT_USER\Software\Sealine\fb\user键
- 标 题:注册你的Fast Browser4.01 (7千字)
- 作 者:jieao
- 时 间:2001-10-6 14:32:00
- 链 接:http://bbs.pediy.com