简单算法——热键大师1.13
下载地址:http://windowshelp.myetang.com/
软件大小:680K
【软件简介】:《热键大师》是一款键盘辅助类软件,它除了具备了同类软件的功能外,还能够实现‘热键锁屏’,‘热键粘贴’等功能。
此外本软件采用了低级键盘钩子技术,使到系统资源消耗降到最低。即使你设置了100个(如果有那么多!呵呵),你的系统一点都不会慢下来。有了《热键大师》,让你的鼠标一边凉快去吧!!
【软件限制】:15次使用限制。注册不收费。作者17岁,正在读高二。佩服!
【作者声明】:小弟初学Crack,只是对 crack 感兴趣,没有其它目的。失误之处敬请各大侠赐教!
【破解工具】:TRW2000娃娃修改版、FI2.5、UPXWin、W32Dasm黄金版
—————————————————————————————
【过 程】:
虽然软件是自由注册,但我还是解了它,做破解重要的是不断的练习!
--------------------------------------------------------
一、脱壳
用FI看,热键大师.exe是UPX 1.07壳。用UPXWin脱之,341K->1.17M。Delphi编写。
--------------------------------------------------------
二、反汇编
填好试炼信息:
用户名:fly
注册码:13572468
作者很诚实,关键信息一目了然。^-^
:004B4926
E83116F9FF call 00445F5C
:004B492B
837DFC00 cmp dword ptr
[ebp-04], 00000000
====>没填用户名?
:004B492F 750F jne 004B4940
* Possible
StringData Ref from Code Obj ->"请输入用户名"
|
:004B4931 B8944A4B00
mov eax, 004B4A94
:004B4936 E809A7F8FF
call 0043F044
:004B493B E9FE000000
jmp 004B4A3E
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B492F(C)
|
:004B4940
8D55F8 lea edx,
dword ptr [ebp-08]
:004B4943 8B8370040000
mov eax, dword ptr [ebx+00000470]
:004B4949 E80E16F9FF
call 00445F5C
:004B494E 837DF800
cmp dword ptr [ebp-08], 00000000
====>没填注册码?
:004B4952 750F jne 004B4963
* Possible
StringData Ref from Code Obj ->"请输入注册码"
|
:004B4954 B8AC4A4B00
mov eax, 004B4AAC
:004B4959 E8E6A6F8FF
call 0043F044
:004B495E E9DB000000
jmp 004B4A3E
…………
:004B497E
E8D915F9FF call 00445F5C
:004B4983
8B55EC mov edx,
dword ptr [ebp-14]
:004B4986 8D4DF0
lea ecx, dword ptr [ebp-10]
:004B4989 8BC3
mov eax, ebx
:004B498B
E8B4FEFFFF call 004B4844
====>算法CALL
:004B4990
8B55F0 mov edx,
dword ptr [ebp-10]
:004B4993 58
pop eax
:004B4994 E86F02F5FF
call 00404C08
====>比较CALL
:004B4999
0F8588000000 jne 004B4A27
====>跳则OVER!
*
Possible StringData Ref from Code Obj ->"感谢您对本软件的支持"
====>呵呵,胜利女神!
:004B499F
B8C44A4B00 mov eax, 004B4AC4
:004B49A4
E89BA6F8FF call 0043F044
*
Possible StringData Ref from Code Obj ->"热键大师 v1.13(注册给:"
|
:004B49A9 68E44A4B00
push 004B4AE4
:004B49AE 8D55E4
lea edx, dword ptr [ebp-1C]
:004B49B1 8B836C040000
mov eax, dword ptr [ebx+0000046C]
:004B49B7
E8A015F9FF call 00445F5C
:004B49BC
FF75E4 push [ebp-1C]
:004B49BF
680C4B4B00 push 004B4B0C
:004B49C4
8D45E8 lea eax,
dword ptr [ebp-18]
:004B49C7 BA03000000
mov edx, 00000003
:004B49CC E8B301F5FF
call 00404B84
:004B49D1 8B55E8
mov edx, dword ptr [ebp-18]
:004B49D4 8B8344040000
mov eax, dword ptr [ebx+00000444]
:004B49DA
E8AD15F9FF call 00445F8C
:004B49DF
8D55E0 lea edx,
dword ptr [ebp-20]
:004B49E2 8B836C040000
mov eax, dword ptr [ebx+0000046C]
:004B49E8 E86F15F9FF
call 00445F5C
:004B49ED 8B45E0
mov eax, dword ptr [ebp-20]
:004B49F0
50 push
eax
* Possible StringData
Ref from Code Obj ->"USERNAME"
|
:004B49F1
B9184B4B00 mov ecx, 004B4B18
*
Possible StringData Ref from Code Obj ->"Pro"
|
:004B49F6 BA2C4B4B00
mov edx, 004B4B2C
:004B49FB 8BC3
mov eax, ebx
:004B49FD E896080000
call 004B5298
:004B4A02 8D55DC
lea edx, dword ptr [ebp-24]
:004B4A05
8B8370040000 mov eax, dword ptr [ebx+00000470]
:004B4A0B
E84C15F9FF call 00445F5C
:004B4A10
8B45DC mov eax,
dword ptr [ebp-24]
:004B4A13 50
push eax
*
Possible StringData Ref from Code Obj ->"CODE"
|
:004B4A14 B9384B4B00
mov ecx, 004B4B38
*
Possible StringData Ref from Code Obj ->"Pro"
|
:004B4A19 BA2C4B4B00
mov edx, 004B4B2C
:004B4A1E 8BC3
mov eax, ebx
:004B4A20 E873080000
call 004B5298
:004B4A25 EB17
jmp 004B4A3E
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B4999(C)
|
*
Possible StringData Ref from Code Obj ->"注册码不正确,请重新输入"
====>BAD BOY!
:004B4A27 B8484B4B00 mov eax, 004B4B48
--------------------------------------------------------
F8进入算法CALL:004B498B
call 004B4844
*
Referenced by a CALL at Addresses:
|:004AFCD5 , :004B498B
|
:004B4844
55 push
ebp
:004B4845 8BEC
mov ebp, esp
:004B4847 83C4EC
add esp, FFFFFFEC
:004B484A 53
push ebx
:004B484B 56
push
esi
:004B484C 33DB
xor ebx, ebx
:004B484E 895DEC
mov dword ptr [ebp-14], ebx
:004B4851 895DF4
mov dword ptr [ebp-0C],
ebx
:004B4854 894DF8
mov dword ptr [ebp-08], ecx
:004B4857 8955FC
mov dword ptr [ebp-04], edx
:004B485A 8B45FC
mov eax, dword ptr
[ebp-04]
:004B485D E84A04F5FF call
00404CAC
:004B4862 33C0
xor eax, eax
:004B4864 55
push ebp
:004B4865 68EF484B00
push 004B48EF
:004B486A 64FF30
push dword ptr fs:[eax]
:004B486D
648920 mov dword
ptr fs:[eax], esp
:004B4870 C745F053469103 mov
[ebp-10], 03914653
====>03914653移入[EBP-10]
注意此数!此数应该是作者的幸运数。呵呵。03914653(H)=十进制59852371
:004B4877
8D45F4 lea eax,
dword ptr [ebp-0C]
:004B487A 8B55FC
mov edx, dword ptr [ebp-04]
:004B487D E82200F5FF
call 004048A4
:004B4882 8B45F4
mov eax, dword ptr [ebp-0C]
:004B4885
E83A02F5FF call 00404AC4
====>取用户名长度
:004B488A
8BD8 mov
ebx, eax
:004B488C 85DB
test ebx, ebx
====>? EBX=3(试炼用户名fly的长度)
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:004B481D(C)
|
:004B488E
7E2E jle
004B48BE
:004B4890 BE01000000 mov
esi, 00000001
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004B48BC(C)
|
:004B4895
8D45EC lea eax,
dword ptr [ebp-14]
:004B4898 50
push eax
:004B4899 B901000000
mov ecx, 00000001
:004B489E 8BD6
mov edx, esi
:004B48A0 8B45F4
mov eax, dword ptr
[ebp-0C]
:004B48A3 E87404F5FF call
00404D1C
:004B48A8 8B45EC
mov eax, dword ptr [ebp-14]
====>fly移入EAX(注:从下面AL依次得到66、6C、79来看,此时EAX指向的应是上面call 00404D1C按ESI位置取出的单个字符,而不是整个fly)
:004B48AB
E80C04F5FF call 00404CBC
:004B48B0
8A00 mov
al, byte ptr [eax]
====>依次取用户名的每个字符。
====>1、?AL=66 即f的HEX值
====>2、?AL=6C 即l的HEX值
====>3、?AL=79 即y的HEX值
:004B48B2 25FF000000
and eax, 000000FF
:004B48B7
0145F0 add dword
ptr [ebp-10], eax
====>[EBP-10]的初始值是03914653,依次与用户名字符的HEX值相加!
====>1、03914653+66=39146B9
====>2、 39146B9+6C=3914725
====>3、 3914725+79=391479E
391479E(H)=十进制59852702!这就是真码!!
呵呵,这是分析过的算法中最简单的一个了:从上面的代码看,注册码只是固定常数03914653(H)加上用户名各字节之和,再用十进制表示,既与字符顺序无关,也没有用到任何密钥或机器信息。
:004B48BA
46 inc
esi
:004B48BB 4B
dec ebx
:004B48BC 75D7
jne 004B4895
====>循环
—————————————————————————————
F8进入比较CALL:4B4994 call 00404C08
:00404C08
53 push
ebx
:00404C09 56
push esi
:00404C0A 57
push edi
:00404C0B 89C6
mov esi, eax
:00404C0D 89D7
mov edi,
edx
:00404C0F 39D0
cmp eax, edx
====>D EAX=试炼码!
====>D EDX=真码!!
程序先算出完整的真码放在内存里,再拿它和输入的注册码比较,所以在比较处真码是明文可见的。
:00404C11 0F848F000000 je 00404CA6
—————————————————————————————
【KeyMake之内存注册机】:
中断地址:4B4994
中断次数:1
第一字节:E8
指令长度:5
中断地址:404C0F
中断次数:1
第一字节:39
指令长度:2
内存方式:EDX
—————————————————————————————
【注册信息保存】:
[HKEY_LOCAL_MACHINE\Software\HotKey Master\propertiy]
"Times"="2" 使用次数!
"USERNAME"="fly"
"CODE"="59852702"
—————————————————————————————
【整 理】:
用户名:fly
注册码:59852702
—————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
2003-1-31 14:00