简单算法——搜索引擎工厂(Search Engine Builder)V1.595
软件大小:
604 KB
软件语言: 英文
软件类别: 国产软件 / 共享版 / 网页辅助
应用平台: Win9x/NT/2000/XP
加入时间:
2002-12-28 09:32:11
下载次数: 3492
推荐等级: ***
开 发 商: http://www.seamoontech.com/
【软件简介】:
为你的网站自动生成一个站内搜索引擎。很多人访问您的网站只是为了得到其中一部分信息而不想全部浏览完毕您的网站。如果让您的客户一页页的寻找这小部分信息,无疑一部分客户会失去耐心而转向别处。Cool Search Maker 就是为了解决这个问题而产生的。它快速的索引整个网站并自动生成一个高效的搜索引擎,这是一个HTML文件,把它加入到您的网站上即可。使用 Cool Search Maker 生成搜索引擎,您所须做的只是点几下鼠标而已。有了它,您不必耗费大量的时间亲自去写繁杂的搜索代码了。Cool Search Maker还有许多附加的特性如:自定义模板用来生成漂亮的搜索页面,自定义搜索结果的输出格式,为本地文本文件生成搜索引擎以便于查询。
【软件限制】:NAG、功能限制。
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、FI2.5、W32Dasm黄金版
—————————————————————————————
【过程】:
SearchMaker.exe是VC++6.0编写。无壳。反汇编方便了。^-^
程序要求重启验证注册码。程序把试炼码写入了注册表,启动时进行比较。
TRW调试时当然可下断点:BPX
Regqueryvalueexa do"dd*(esp+8)"
只是装入后必须按很多下F5键,烦人。
于是想起以前破过的FlashGet、EZ Extract Resource等等同种验证方式(重启验证),学习了许多大侠的经验,想起了一点小办法。
在反汇编代码里查找“RegCode”,一般会有2处,那么其中的1处就是核心了。省我按几十次F5键了。呵呵
OK,查到了。直接BPX
40DC92,重启时拦下!
Let's Go!
--------------------------------------------------------
*
Possible StringData Ref from Data Obj ->"RegUserName"
|
:0040DC4C 682C194600
push 0046192C
:0040DC51 8D542418
lea edx, dword ptr [esp+18]
:0040DC55 B305
mov bl, 05
*
Possible StringData Ref from Data Obj ->"RegInfo"
|
:0040DC57 6824194600
push 00461924
:0040DC5C 52
push edx
:0040DC5D 8BCE
mov ecx, esi
:0040DC5F
889C247C050000 mov byte ptr [esp+0000057C],
bl
:0040DC66 E807920300 call
00446E72
:0040DC6B 50
push eax
:0040DC6C 8D4C2418
lea ecx, dword ptr [esp+18]
:0040DC70 C684247005000006
mov byte ptr [esp+00000570], 06
:0040DC78 E8387A0200
call 004356B5
:0040DC7D 8D4C2410
lea ecx, dword ptr [esp+10]
:0040DC81
889C246C050000 mov byte ptr [esp+0000056C],
bl
:0040DC88 E8EF780200 call
0043557C
:0040DC8D 68145C4600 push
00465C14
* Possible
StringData Ref from Data Obj ->"RegCode"
|
:0040DC92 681C194600
push 0046191C
====>中断在这!
:0040DC97 8D442428 lea eax, dword ptr [esp+28]
* Possible
StringData Ref from Data Obj ->"RegInfo"
|
:0040DC9B 6824194600
push 00461924
:0040DCA0 50
push eax
:0040DCA1 8BCE
mov ecx, esi
:0040DCA3 E8CA910300
call 00446E72
:0040DCA8 50
push
eax
:0040DCA9 8D4C241C lea
ecx, dword ptr [esp+1C]
:0040DCAD C684247005000007 mov
byte ptr [esp+00000570], 07
:0040DCB5 E8FB790200
call 004356B5
:0040DCBA 8D4C2420
lea ecx, dword ptr [esp+20]
:0040DCBE 889C246C050000
mov byte ptr [esp+0000056C], bl
:0040DCC5
E8B2780200 call 0043557C
:0040DCCA
51 push
ecx
:0040DCCB 8D54241C lea
edx, dword ptr [esp+1C]
:0040DCCF 8BCC
mov ecx, esp
:0040DCD1 89642414
mov dword ptr [esp+14], esp
:0040DCD5 52
push
edx
:0040DCD6 E816760200 call
004352F1
:0040DCDB 51
push ecx
:0040DCDC 8D44241C
lea eax, dword ptr [esp+1C]
:0040DCE0 8BCC
mov ecx, esp
:0040DCE2
89642424 mov dword ptr
[esp+24], esp
:0040DCE6 50
push eax
:0040DCE7 C684247805000008
mov byte ptr [esp+00000578], 08
:0040DCEF E8FD750200
call 004352F1
:0040DCF4 8BCE
mov ecx, esi
:0040DCF6
889C2474050000 mov byte ptr [esp+00000574],
bl
:0040DCFD E86E160000 call
0040F370
:0040DD02 33FF
xor edi, edi
:0040DD04 3BC7
cmp eax, edi
:0040DD06 7408
je 0040DD10
:0040DD08
89AECC010000 mov dword ptr [esi+000001CC],
ebp
:0040DD0E EB52
jmp 0040DD62
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040DD06(C)
|
:0040DD10
39AEC0000000 cmp dword ptr [esi+000000C0],
ebp
:0040DD16 7444
je 0040DD5C
:0040DD18 51
push ecx
:0040DD19 8D54241C
lea edx, dword ptr [esp+1C]
:0040DD1D
8BCC mov
ecx, esp
:0040DD1F 89642420
mov dword ptr [esp+20], esp
:0040DD23 52
push edx
:0040DD24 E8C8750200
call 004352F1
:0040DD29 51
push
ecx
:0040DD2A 8D44241C lea
eax, dword ptr [esp+1C]
:0040DD2E 8BCC
mov ecx, esp
:0040DD30 89642418
mov dword ptr [esp+18], esp
:0040DD34 50
push
eax
:0040DD35 C684247805000009 mov byte ptr [esp+00000578],
09
:0040DD3D E8AF750200 call
004352F1
:0040DD42 8BCE
mov ecx, esi
:0040DD44 889C2474050000
mov byte ptr [esp+00000574], bl
:0040DD4B
E8C0070000 call 0040E510
====>核心CALL!
:0040DD50
3BC7 cmp
eax, edi
:0040DD52 7408
je 0040DD5C
====>不能跳!
:0040DD54
89AECC010000 mov dword ptr [esi+000001CC],
ebp
:0040DD5A EB06
jmp 0040DD62
--------------------------------------------------------
F8进入关键CALL。40DD4B
call 0040E510
*
Referenced by a CALL at Address:
|:0040DD4B
看看下面吧,藏了几个黑名单:"ttdown"、"crsky"、".com"、"jetdown",这些都是破解网站,喜欢用自己的站名来做软件的注册名,统统禁杀了!
这些黑名单使我想起EZ Extract Resource的黑名单,几乎差不多,后来一看:这2个软件是一个公司开发的(http://www.seamoontech.com/),怪不得如此相象。
:0040E510
6AFF push
FFFFFFFF
:0040E512 6870B64400 push
0044B670
:0040E517 64A100000000 mov
eax, dword ptr fs:[00000000]
:0040E51D 50
push eax
:0040E51E 64892500000000
mov dword ptr fs:[00000000], esp
:0040E525
81ECD4000000 sub esp, 000000D4
:0040E52B
53 push
ebx
:0040E52C 56
push esi
:0040E52D 8BF1
mov esi, ecx
:0040E52F B801000000
mov eax, 00000001
:0040E534 68145C4600
push 00465C14
:0040E539 898424E8000000
mov dword ptr [esp+000000E8], eax
:0040E540
8986D0010000 mov dword ptr [esi+000001D0],
eax
:0040E546 8B8424F0000000 mov eax, dword
ptr [esp+000000F0]
:0040E54D 50
push eax
:0040E54E E842620100
call 00424795
:0040E553 83C408
add esp, 00000008
:0040E556 85C0
test eax, eax
====>测试用户名是否为空
:0040E558
0F8477010000 je 0040E6D5
====>不能跳!
:0040E55E
8B8C24F0000000 mov ecx, dword ptr [esp+000000F0]
:0040E565
68145C4600 push 00465C14
:0040E56A
51 push
ecx
:0040E56B E825620100
call 00424795
:0040E570 83C408
add esp, 00000008
:0040E573
85C0 test
eax, eax
====>测试注册码是否为空
:0040E575
0F845A010000 je 0040E6D5
====>不能跳!
*
Possible StringData Ref from Data Obj ->"ttdown"
====>黑名单!
|
:0040E57B 683C1A4600
push 00461A3C
:0040E580 8D8C24F0000000
lea ecx, dword ptr [esp+000000F0]
:0040E587 E846440200
call 004329D2
:0040E58C 33DB
xor ebx,
ebx
:0040E58E 83F8FF
cmp eax, FFFFFFFF
:0040E591 7542
jne 0040E5D5
====>不能跳!
*
Possible StringData Ref from Data Obj ->"crsky"
====>黑名单!
|
:0040E593 68341A4600
push 00461A34
:0040E598 8D8C24F0000000
lea ecx, dword ptr [esp+000000F0]
:0040E59F E82E440200
call 004329D2
:0040E5A4 83F8FF
cmp eax, FFFFFFFF
:0040E5A7
752C jne
0040E5D5
====>不能跳!
*
Possible StringData Ref from Data Obj ->".com"
====>黑名单!
:0040E5A9 682C1A4600
push 00461A2C
:0040E5AE 8D8C24F0000000
lea ecx, dword ptr [esp+000000F0]
:0040E5B5 E818440200
call 004329D2
:0040E5BA 83F8FF
cmp eax, FFFFFFFF
:0040E5BD
7516 jne
0040E5D5
====>不能跳!
*
Possible StringData Ref from Data Obj ->"jetdown"
====>黑名单!
|
:0040E5BF 68241A4600
push 00461A24
:0040E5C4 8D8C24F0000000
lea ecx, dword ptr [esp+000000F0]
:0040E5CB E802440200
call 004329D2
:0040E5D0 83F8FF
cmp eax, FFFFFFFF
:0040E5D3
7406 je 0040E5DB
====>应跳!
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040E591(C),
:0040E5A7(C), :0040E5BD(C)
|
:0040E5D5 899ED0010000
mov dword ptr [esi+000001D0], ebx
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E5D3(C)
|
:0040E5DB
55 push
ebp
:0040E5DC 8BAC24F0000000 mov ebp, dword
ptr [esp+000000F0]
用户名送eax
:0040E5E3
B165 mov
cl, 65
:0040E5E5 B061
mov al, 61
:0040E5E7 8B75F8
mov esi, dword ptr [ebp-08]
====>用户名长度送esi
====>?
ESI=3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===>下面这段代码是从[esp+10]依次处放入“searmake”字符串
:0040E5EA
884C240D mov byte ptr [esp+0D],
cl
:0040E5EE 884C2413 mov
byte ptr [esp+13], cl
:0040E5F2 33C9
xor ecx, ecx
:0040E5F4 3BF3
cmp esi, ebx
:0040E5F6 C644240C73
mov [esp+0C], 73
:0040E5FB
8844240E mov byte ptr [esp+0E],
al
:0040E5FF C644240F72 mov
[esp+0F], 72
:0040E604 C64424106D
mov [esp+10], 6D
:0040E609 88442411
mov byte ptr [esp+11], al
:0040E60D C64424126B
mov [esp+12], 6B
:0040E612 885C2414
mov byte ptr [esp+14], bl
:0040E616
7E3D jle
0040E655
:0040E618 57
push edi
:0040E619 8D7C341B
lea edi, dword ptr [esp+esi+1B]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E650(C)
====>以下就是运算核心了!
:0040E61D
8A0429 mov al, byte
ptr [ecx+ebp]
====>依次取用户名。
====>1、?AL=66 即f的HEX值
====>2、?AL=6C 即l的HEX值
====>3、?AL=79
即y的HEX值
:0040E620 8BD1
mov edx,
ecx
:0040E622 81E207000080 and edx,
80000007
:0040E628 7905
jns 0040E62F
:0040E62A 4A
dec edx
:0040E62B 83CAF8
or edx, FFFFFFF8
:0040E62E 42
inc edx
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E628(C)
|
:0040E62F
0FBE541410 movsx edx, byte ptr
[esp+edx+10]
====>依次从“searmake”字符串中取字符入EDX
====>1、?EDX=73 即s的HEX值
====>2、?EDX=65 即e的HEX值
====>3、?EDX=61 即a的HEX值
:0040E634 0FBEC0
movsx eax, al
====>1、?EAX=66 即f的HEX值
====>2、?EAX=6C 即l的HEX值
====>3、?EAX=79
即y的HEX值
:0040E637 8BD9
mov ebx,
ecx
====>1、?EBX=0
====>2、?EBX=1
====>3、?EBX=2
:0040E639
03DA add
ebx, edx
====>1、EBX=0+73=73
====>2、EBX=1+65=66
====>3、EBX=2+61=63
:0040E63B
03C3 add
eax, ebx
====>1、EAX=66+73=D9
====>2、EAX=6C+66=D2
====>3、EAX=79+63=DC
:0040E63D
BB09000000 mov ebx, 00000009
====>9送ebx
:0040E642
03C6 add
eax, esi
====>esi是用户名长度
====>1、EAX=D9+3=DC
====>2、EAX=D2+3=D5
====>3、EAX=DC+3=DF
:0040E644
99 cdq
:0040E645
F7FB idiv
ebx
====>EAX依次除以9
====>1、EAX=DC/9=18余4
====>2、EAX=D5/9=17余6
====>3、EAX=DF/9=18余7
:0040E647
80C230 add dl, 30
====>余数入DL,依次加30
====>1、DL=4+30=34
====>2、DL=6+30=36
====>3、DL=7+30=37
:0040E64A 41
inc
ecx
====>ecx依次增1
:0040E64B
8817 mov
byte ptr [edi], dl
====>DL->[edi]
====>循环3次后,D EDI=764
****这是真码的前3个数!!!
:0040E64D
4F dec
edi
:0040E64E 3BCE
cmp ecx, esi
====>比较用户名是否取完
:0040E650 7CCB
jl 0040E61D
====>没有取完,跳上去继续循环
====>共循环3次。
:0040E652
33DB xor
ebx, ebx
:0040E654 5F
pop edi
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E616(C)
|
:0040E655
8D4668 lea eax,
dword ptr [esi+68]
====>?ESI=3
实际上是用户名长度加上68的结果送eax
====>过此
?EAX=6B
:0040E658 B909000000
mov ecx, 00000009
====>9送ecx
:0040E65D
99 cdq
:0040E65E
F7F9 idiv
ecx
====>EAX/9=B余8
====>余数8入DL
:0040E660
8B8424F4000000 mov eax, dword ptr [esp+000000F4]
====>用户输入的假注册码送eax
:0040E667
5D pop
ebp
:0040E668 80C230
add dl, 30
====>DL=8+30=38
****这是真码的最后1个数!!!
:0040E66B
88543414 mov byte ptr [esp+esi+14],
dl
====>DL移入[esp+17]处
:0040E66F
885C3415 mov byte ptr [esp+esi+15],
bl
:0040E673 8D742414 lea
esi, dword ptr [esp+14]
====>真正的注册码送ESI
*****************************************************
至此算法分析完毕。呵呵,追注册码挺快。
但是分析、整理成这篇心得却花了我半天的工夫!
希望能够给如我般的初学者一点用处!!!
*****************************************************
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E695(C)
这里向下是将真假注册码逐位的进行比较,一个经典的组合!
:0040E677
8A10 mov
dl, byte ptr [eax]
====>D EAX=试炼码
:0040E679
8ACA mov
cl, dl
:0040E67B 3A16
cmp dl, byte ptr [esi]
====>D
ESI=真码!!!!
:0040E67D
751C jne
0040E69B
:0040E67F 3ACB
cmp cl, bl
:0040E681 7414
je 0040E697
:0040E683 8A5001
mov dl, byte ptr [eax+01]
:0040E686
8ACA mov
cl, dl
:0040E688 3A5601
cmp dl, byte ptr [esi+01]
:0040E68B 750E
jne 0040E69B
:0040E68D 83C002
add eax, 00000002
:0040E690
83C602 add esi,
00000002
:0040E693 3ACB
cmp cl, bl
:0040E695 75E0
jne 0040E677
—————————————————————————————
【KeyMake之内存注册机】:
中断地址:40E67B
中断次数:1
第一字节:3A
指令长度:2
内存方式:ESI
—————————————————————————————
【注册信息保存】:
[HKEY_CURRENT_USER\Software\SeaMoonTech\SEARCHMAKER\RegInfo]
"RegUserName"="fly"
"RegCode"="7648"
—————————————————————————————
【整理】:
Registration Name:fly
Registration Code:7648
—————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-1-24 17:00