破解对象:SuperCleaner2.30
破解工具:TRW、W32Dasm、OllyDbg
破解目的:练习一下找算法
下面开工喽:
* Reference To: USER32.GetDlgItemTextA, Ord:0113h
|
:004121EF 8B3D7C024200 mov edi, dword
ptr [0042027C]
:004121F5 6817040000 push 00000417
:004121FA 56
push esi
:004121FB FFD7
call edi
:004121FD 8D542408 lea
edx, dword ptr [esp+08]----- 停在这里
:00412201 6800010000 push 00000100
:00412206 52
push edx
:00412207 68FC030000 push 000003FC
:0041220C 56
push esi
:0041220D FFD7
call edi
:0041220F 8D442408 lea
eax, dword ptr [esp+08]
:00412213 8D8C2408010000 lea ecx, dword ptr
[esp+00000108]
:0041221A 50
push eax
:0041221B 51
push ecx
:0041221C E8BF080000 call 00412AE0------------过这里出错,进去看看
:00412221 83C408
add esp, 00000008
:00412224 85C0
test eax, eax
:00412226 5F
pop edi
:00412227 7443
je 0041226C
:00412229 8D542404 lea
edx, dword ptr [esp+04]
:0041222D 8D842404010000 lea eax, dword ptr
[esp+00000104]
:00412234 52
push edx
:00412235 50
push eax
===============================================
进入0041221C处的call(目标00412AE0;以下列表从00412AF1开始,函数开头部分未贴出):
:00412AF1 B93F000000 mov ecx,
0000003F
:00412AF6 33C0
xor eax, eax
:00412AF8 8D7C2409 lea
edi, dword ptr [esp+09]
:00412AFC 8B94240C010000 mov edx, dword ptr
[esp+0000010C]
:00412B03 F3
repz
:00412B04 AB
stosd
:00412B05 66AB
stosw
:00412B07 8D4C2408 lea
ecx, dword ptr [esp+08]
:00412B0B 33F6
xor esi, esi
:00412B0D 51
push ecx
:00412B0E 52
push edx
:00412B0F AA
stosb
:00412B10 E8AB000000 call 00412BC0----------算法应该在这里吧,接着进
:00412B15 8B8C2418010000 mov ecx, dword ptr
[esp+00000118]-----这里是真码
:00412B1C 8D442410 lea
eax, dword ptr [esp+10]--------这里是假码
:00412B20 50
push eax
:00412B21 51
push ecx
:00412B22 E869FFFFFF call 00412A90
:00412B27 83C410
add esp, 00000010
:00412B2A 85C0
test eax, eax
* Possible Reference to String Resource ID=00001: "蜩屬%s"
|
:00412B2C B801000000 mov eax,
00000001
:00412B31 7502
jne 00412B35
:00412B33 8BC6
mov eax, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412B31(C)
|
:00412B35 5F
pop edi
:00412B36 5E
pop esi
:00412B37 81C400010000 add esp, 00000100
:00412B3D C3
ret
================================================
进入00412B10处的call(目标00412BC0):
:00412BC0 81EC00010000 sub esp, 00000100
:00412BC6 A0808C4200 mov al,
byte ptr [00428C80]
:00412BCB 53
push ebx
:00412BCC 55
push ebp
:00412BCD 56
push esi
:00412BCE 57
push edi
:00412BCF 88442410 mov
byte ptr [esp+10], al
* Possible Reference to String Resource ID=00063: "`氬~剠?+ Netscape 4 剦棚?"
|
:00412BD3 B93F000000 mov ecx,
0000003F
:00412BD8 33C0
xor eax, eax
:00412BDA 8D7C2411 lea
edi, dword ptr [esp+11]
:00412BDE F3
repz
:00412BDF AB
stosd
:00412BE0 66AB
stosw
:00412BE2 AA
stosb
:00412BE3 8BBC2414010000 mov edi, dword ptr
[esp+00000114]----这里是注册名
:00412BEA 57
push edi
* Reference To: KERNEL32.lstrlenA, Ord:039Eh
|
:00412BEB FF1510024200 Call dword ptr
[00420210]
:00412BF1 8BF0
mov esi, eax---ESI=EAX=11(注册名的长度)我输入的是lllufh[BCG]
:00412BF3 33C9
xor ecx, ecx
:00412BF5 33C0
xor eax, eax
:00412BF7 85F6
test esi, esi
:00412BF9 7E13
jle 00412C0E
:00412BFB 8B15F45B4200 mov edx, dword
ptr [00425BF4]---EDX=38
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C0C(C)
|
:00412C01 0FBE1C38 movsx
ebx, byte ptr [eax+edi]--取出注册名第一位的十六进制值
:00412C05 03DA
add ebx, edx---------- |
:00412C07 03CB
add ecx, ebx---------- |计算机
:00412C09 40
inc eax ----------EAX应该是累加器吧 |
:00412C0A 3BC6
cmp eax, esi
:00412C0C 7CF3
jl 00412C01----------依次取出注册名并循环
循环后ECX=5ADh(1453)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412BF9(C)
|
:00412C0E 8B9C2418010000 mov ebx, dword ptr
[esp+00000118]
:00412C15 51
push ecx
* Possible Reference to Dialog:
|
:00412C16 68085C4200 push 00425C08------1453后加“-”
:00412C1B 53
push ebx
* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412C1C FF15FC024200 Call dword ptr
[004202FC]
:00412C22 83C40C
add esp, 0000000C
:00412C25 33C9
xor ecx, ecx
:00412C27 33C0
xor eax, eax
:00412C29 85F6
test esi, esi
:00412C2B 7E14
jle 00412C41
:00412C2D 8B15F85B4200 mov edx, dword
ptr [00425BF8]-EDX=52
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C3F(C)
|
:00412C33 0FBE2C38 movsx
ebp, byte ptr [eax+edi]照样取出注册名第一位的十六进制值
:00412C37 0FAFEA
imul ebp, edx, |
:00412C3A 03CD
add ecx, ebp |计算机
:00412C3C 40
inc eax 应该还是累加器 |
:00412C3D 3BC6
cmp eax, esi
:00412C3F 7CF2
jl 00412C33-----------依次取出注册名并循环
最后得出ECX=D23Ch(53820)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C2B(C)
|
:00412C41 51
push ecx
:00412C42 8D4C2414 lea
ecx, dword ptr [esp+14]
* Possible Reference to Dialog:
|
:00412C46 68085C4200 push 00425C08----------53820后加“-”
:00412C4B 51
push ecx
* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412C4C FF15FC024200 Call dword ptr
[004202FC]
:00412C52 83C40C
add esp, 0000000C
:00412C55 8D542410 lea
edx, dword ptr [esp+10]
:00412C59 52
push edx
:00412C5A 53
push ebx
* Reference To: KERNEL32.lstrcatA, Ord:038Fh
|
:00412C5B FF15F8014200 Call dword ptr
[004201F8]
:00412C61 33C9
xor ecx, ecx
:00412C63 33C0
xor eax, eax
:00412C65 85F6
test esi, esi
:00412C67 7E13
jle 00412C7C
:00412C69 8B15FC5B4200 mov edx, dword
ptr [00425BFC]--------EDX=12
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C7A(C)
|
:00412C6F 0FBE2C38 movsx
ebp, byte ptr [eax+edi]----
:00412C73 03EA
add ebp, edx -------
:00412C75 03CD
add ecx, ebp -------同上最后得出
:00412C77 40
inc eax -------ECX=48Fh(1167)
:00412C78 3BC6
cmp eax, esi -------
:00412C7A 7CF3
jl 00412C6F -------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C67(C)
|
:00412C7C 51
push ecx
:00412C7D 8D442414 lea
eax, dword ptr [esp+14]
* Possible Reference to Dialog:
|
:00412C81 68085C4200 push 00425C08 -----------1167后加“-”
:00412C86 50
push eax
* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412C87 FF15FC024200 Call dword ptr
[004202FC]
:00412C8D 83C40C
add esp, 0000000C
:00412C90 8D4C2410 lea
ecx, dword ptr [esp+10]
:00412C94 51
push ecx
:00412C95 53
push ebx
* Reference To: KERNEL32.lstrcatA, Ord:038Fh
|
:00412C96 FF15F8014200 Call dword ptr
[004201F8]
:00412C9C 33C9
xor ecx, ecx
:00412C9E 33C0
xor eax, eax
:00412CA0 85F6
test esi, esi
:00412CA2 7E14
jle 00412CB8
:00412CA4 8B15005C4200 mov edx, dword
ptr [00425C00]-----EDX=14
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412CB6(C)
|
:00412CAA 0FBE2C38 movsx
ebp, byte ptr [eax+edi]-----
:00412CAE 0FAFEA
imul ebp, edx -----
:00412CB1 03CD
add ecx, ebp -----同上,经计算
:00412CB3 40
inc eax -----ECX=389Ah(14490)
:00412CB4 3BC6
cmp eax, esi ------
:00412CB6 7CF2
jl 00412CAA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412CA2(C)
|
:00412CB8 51
push ecx
:00412CB9 8D542414 lea
edx, dword ptr [esp+14]
* Possible Reference to Dialog:
|
:00412CBD 68045C4200 push 00425C04
:00412CC2 52
push edx
* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412CC3 FF15FC024200 Call dword ptr
[004202FC]
:00412CC9 83C40C
add esp, 0000000C
:00412CCC 8D442410 lea
eax, dword ptr [esp+10]
:00412CD0 50
push eax
:00412CD1 53
push ebx
* Reference To: KERNEL32.lstrcatA, Ord:038Fh
|
:00412CD2 FF15F8014200 Call dword ptr
[004201F8]
:00412CD8 5F
pop edi
:00412CD9 5E
pop esi
:00412CDA 5D
pop ebp
:00412CDB 5B
pop ebx ---------这里就是真码"1453-53820-1167-14490"
:00412CDC 81C400010000 add esp, 00000100
:00412CE2 C3
ret
总结一下:这个软件的算法,应该就是把注册名的各个字符依次取出,取其十六进制值,分别和四个固定的十六进制数字进行运算,并将结果分别转换为十进制,就OK了,呵呵呵!!
这是我第一次写这方面的文章,请各位大侠不要见笑,并加以指点,谢谢
lllufh[BCG]
2002年2月4日2:47分
- 标 题:SuperCleaner2.30破解过程 (11千字)
- 作 者:lllufh
- 时 间:2002-2-4 3:03:45
- 链 接:http://bbs.pediy.com