SuperCleaner2.30

标题：SuperCleaner2.30破解过程 (11千字)
作者：lllufh
时间：2002-2-4 3:03:45
链接：http://bbs.pediy.com

破解对象：SuperCleaner2.30

破解工具：TRW、W32DASM、OLLDYBG

破解目的：练习一下找算法

下面开工喽：

* Reference To: USER32.GetDlgItemTextA, Ord:0113h
|
:004121EF 8B3D7C024200 mov edi, dword ptr [0042027C]
:004121F5 6817040000 push 00000417
:004121FA 56 push esi
:004121FB FFD7 call edi
:004121FD 8D542408 lea edx, dword ptr [esp+08]－－－－－停在这里
:00412201 6800010000 push 00000100
:00412206 52 push edx
:00412207 68FC030000 push 000003FC
:0041220C 56 push esi
:0041220D FFD7 call edi
:0041220F 8D442408 lea eax, dword ptr [esp+08]
:00412213 8D8C2408010000 lea ecx, dword ptr [esp+00000108]
:0041221A 50 push eax
:0041221B 51 push ecx
:0041221C E8BF080000 call 00412AE0－－－－－－－－－－－－过这里出错，进去看看
:00412221 83C408 add esp, 00000008
:00412224 85C0 test eax, eax
:00412226 5F pop edi
:00412227 7443 je 0041226C
:00412229 8D542404 lea edx, dword ptr [esp+04]
:0041222D 8D842404010000 lea eax, dword ptr [esp+00000104]
:00412234 52 push edx
:00412235 50 push eax

＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
进入0041421C：

:00412AF1 B93F000000 mov ecx, 0000003F
:00412AF6 33C0 xor eax, eax
:00412AF8 8D7C2409 lea edi, dword ptr [esp+09]
:00412AFC 8B94240C010000 mov edx, dword ptr [esp+0000010C]
:00412B03 F3 repz
:00412B04 AB stosd
:00412B05 66AB stosw
:00412B07 8D4C2408 lea ecx, dword ptr [esp+08]
:00412B0B 33F6 xor esi, esi
:00412B0D 51 push ecx
:00412B0E 52 push edx
:00412B0F AA stosb
:00412B10 E8AB000000 call 00412BC0－－－－－－－－－－算法应该在这里吧，接着进
:00412B15 8B8C2418010000 mov ecx, dword ptr [esp+00000118]－－－－－这里是真码
:00412B1C 8D442410 lea eax, dword ptr [esp+10]－－－－－－－－这里是假码
:00412B20 50 push eax
:00412B21 51 push ecx
:00412B22 E869FFFFFF call 00412A90
:00412B27 83C410 add esp, 00000010
:00412B2A 85C0 test eax, eax

* Possible Reference to String Resource ID=00001: "蜩屬%s"
|
:00412B2C B801000000 mov eax, 00000001
:00412B31 7502 jne 00412B35
:00412B33 8BC6 mov eax, esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412B31(C)
|
:00412B35 5F pop edi
:00412B36 5E pop esi
:00412B37 81C400010000 add esp, 00000100
:00412B3D C3 ret

＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝

进入00412B10：

:00412BC0 81EC00010000 sub esp, 00000100
:00412BC6 A0808C4200 mov al, byte ptr [00428C80]
:00412BCB 53 push ebx
:00412BCC 55 push ebp
:00412BCD 56 push esi
:00412BCE 57 push edi
:00412BCF 88442410 mov byte ptr [esp+10], al

* Possible Reference to String Resource ID=00063: "`氬~剠?+ Netscape 4 剦棚?"
|
:00412BD3 B93F000000 mov ecx, 0000003F
:00412BD8 33C0 xor eax, eax
:00412BDA 8D7C2411 lea edi, dword ptr [esp+11]
:00412BDE F3 repz
:00412BDF AB stosd
:00412BE0 66AB stosw
:00412BE2 AA stosb
:00412BE3 8BBC2414010000 mov edi, dword ptr [esp+00000114]----这里是注册名
:00412BEA 57 push edi

* Reference To: KERNEL32.lstrlenA, Ord:039Eh
|
:00412BEB FF1510024200 Call dword ptr [00420210]
:00412BF1 8BF0 mov esi, eax---ESI＝EAX＝11(注册名的长度)我输入的是lllufh[BCG]
:00412BF3 33C9 xor ecx, ecx
:00412BF5 33C0 xor eax, eax
:00412BF7 85F6 test esi, esi
:00412BF9 7E13 jle 00412C0E
:00412BFB 8B15F45B4200 mov edx, dword ptr [00425BF4]－－－EDX＝38

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C0C(C)
|
:00412C01 0FBE1C38 movsx ebx, byte ptr [eax+edi]－－取出注册名第一位的十六进制值
:00412C05 03DA add ebx, edx－－－－－－－－－－　　　　　　　　　｜　　　
:00412C07 03CB add ecx, ebx－－－－－－－－－－　　　　　　　　　｜计算机
:00412C09 40 inc eax　　－－－－－－－－－－EAX应该是累加器吧　｜
:00412C0A 3BC6 cmp eax, esi
:00412C0C 7CF3 jl 00412C01－－－－－－－－－－依次取出注册名并循环
　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　循环后ECX＝5ADh（1453）

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412BF9(C)
|
:00412C0E 8B9C2418010000 mov ebx, dword ptr [esp+00000118]
:00412C15 51 push ecx

* Possible Reference to Dialog:
|
:00412C16 68085C4200 push 00425C08－－－－－－1453后加“－”
:00412C1B 53 push ebx

* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412C1C FF15FC024200 Call dword ptr [004202FC]
:00412C22 83C40C add esp, 0000000C
:00412C25 33C9 xor ecx, ecx
:00412C27 33C0 xor eax, eax
:00412C29 85F6 test esi, esi
:00412C2B 7E14 jle 00412C41
:00412C2D 8B15F85B4200 mov edx, dword ptr [00425BF8]－EDX＝52

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C3F(C)
|
:00412C33 0FBE2C38 movsx ebp, byte ptr [eax+edi]照样取出注册名第一位的十六进制值
:00412C37 0FAFEA imul ebp, edx，　　　　　　　　　　　　｜
:00412C3A 03CD add ecx, ebp　　　　　　　　　　　　　｜计算机
:00412C3C 40 inc eax　　　　应该还是累加器　　　　　　　　　　　　　　｜
:00412C3D 3BC6 cmp eax, esi
:00412C3F 7CF2 jl 00412C33－－－－－－－－－－－依次取出注册名并循环
最后得出ECX＝D23Ch（53820）

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C2B(C)
|
:00412C41 51 push ecx
:00412C42 8D4C2414 lea ecx, dword ptr [esp+14]

* Possible Reference to Dialog:
|
:00412C46 68085C4200 push 00425C08－－－－－－－－－－53820后加“－”
:00412C4B 51 push ecx

* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412C4C FF15FC024200 Call dword ptr [004202FC]
:00412C52 83C40C add esp, 0000000C
:00412C55 8D542410 lea edx, dword ptr [esp+10]
:00412C59 52 push edx
:00412C5A 53 push ebx

* Reference To: KERNEL32.lstrcatA, Ord:038Fh
|
:00412C5B FF15F8014200 Call dword ptr [004201F8]
:00412C61 33C9 xor ecx, ecx
:00412C63 33C0 xor eax, eax
:00412C65 85F6 test esi, esi
:00412C67 7E13 jle 00412C7C
:00412C69 8B15FC5B4200 mov edx, dword ptr [00425BFC]--------EDX=12

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C7A(C)
|
:00412C6F 0FBE2C38 movsx ebp, byte ptr [eax+edi]－－－－
:00412C73 03EA add ebp, edx　　　　　－－－－－－－
:00412C75 03CD add ecx, ebp　　　　　－－－－－－－同上最后得出
:00412C77 40 inc eax　　　　　　　－－－－－－－ECX＝48Fh（1167）
:00412C78 3BC6 cmp eax, esi　　　　　－－－－－－－
:00412C7A 7CF3 jl 00412C6F　　　　　－－－－－－－

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C67(C)
|
:00412C7C 51 push ecx
:00412C7D 8D442414 lea eax, dword ptr [esp+14]

* Possible Reference to Dialog:
|
:00412C81 68085C4200 push 00425C08　－－－－－－－－－－－1167后加“－”
:00412C86 50 push eax

* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412C87 FF15FC024200 Call dword ptr [004202FC]
:00412C8D 83C40C add esp, 0000000C
:00412C90 8D4C2410 lea ecx, dword ptr [esp+10]
:00412C94 51 push ecx
:00412C95 53 push ebx

* Reference To: KERNEL32.lstrcatA, Ord:038Fh
|
:00412C96 FF15F8014200 Call dword ptr [004201F8]
:00412C9C 33C9 xor ecx, ecx
:00412C9E 33C0 xor eax, eax
:00412CA0 85F6 test esi, esi
:00412CA2 7E14 jle 00412CB8
:00412CA4 8B15005C4200 mov edx, dword ptr [00425C00]－－－－－EDX＝14

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412CB6(C)
|
:00412CAA 0FBE2C38 movsx ebp, byte ptr [eax+edi]－－－－－
:00412CAE 0FAFEA imul ebp, edx　　　　　　　　－－－－－
:00412CB1 03CD add ecx, ebp　　　　　　　　－－－－－同上，经计算
:00412CB3 40 inc eax　　　　　　　　　　　－－－－－ECX＝389Ah（14490）
:00412CB4 3BC6 cmp eax, esi　　　　　　　　－－－－－－
:00412CB6 7CF2 jl 00412CAA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412CA2(C)
|
:00412CB8 51 push ecx
:00412CB9 8D542414 lea edx, dword ptr [esp+14]

* Possible Reference to Dialog:
|
:00412CBD 68045C4200 push 00425C04
:00412CC2 52 push edx

* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412CC3 FF15FC024200 Call dword ptr [004202FC]
:00412CC9 83C40C add esp, 0000000C
:00412CCC 8D442410 lea eax, dword ptr [esp+10]
:00412CD0 50 push eax
:00412CD1 53 push ebx

* Reference To: KERNEL32.lstrcatA, Ord:038Fh
|
:00412CD2 FF15F8014200 Call dword ptr [004201F8]
:00412CD8 5F pop edi
:00412CD9 5E pop esi
:00412CDA 5D pop ebp
:00412CDB 5B pop ebx ---------这里就是真码"1453-53820-1167-14490"
:00412CDC 81C400010000 add esp, 00000100
:00412CE2 C3 ret

总结一下：这个软件的算法，应该就是把注册名，依次提出并转换成十六进制并分别和四个固定的十六进数字　　　　　进行运算，并将结果分别转换为十进制，就OK了，呵呵呵！！

这是我第一次写这方面的文章，请各位大侠不要见笑，并加以指点，谢谢

　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　lllufh[BCG]
2002年2月4日2:47分