A Shallow Look at the Algorithm: Visual CHM 4.0
Download page: http://www.skycn.com/soft/6376.html
File size: 1570 KB
Language: Simplified Chinese
Category: Chinese software / shareware / setup and authoring tools
Platform: Win9x/NT/2000/XP
Added: 2002-11-18 09:39:16
Downloads: 12464
Rating: ****
Developer: http://cn.geocities.com/vchm2000/
【Description】: A first-rate tool for building CHM files. Visual CHM helps you produce CHM files of a very professional standard with very little effort, and it is WYSIWYG.
【Restriction】: feature-limited
【Author's note】: I am a beginner at cracking; this is purely out of interest and for no other purpose. Corrections of my mistakes from the experts are welcome!
【Tools】: TRW2000 (娃娃 modified build), OllyDbg 1.09, FI 2.5, AspackDie, W32Dasm 8.93 Gold Edition
—————————————————————————————————
【Process】:
Heh, when I first started learning to crack I wanted to merge the Pediy forum digests (看雪论坛精华) 3 and 4 into a single CHM file, which is how I found this program. Visual CHM really is a first-rate authoring tool, but the unregistered version only compiles files with up to 15 nodes. I debugged it several times back then and got nowhere.
Later I learned that the program's author, Mr. 葛泽华, is himself a crack expert! A few days ago I found in the Pediy digests an analysis by heXer/iPB of the 3.10 algorithm, which delighted me, so over the last three days I calmed down and tried cracking 4.0 again, and by sheer luck found a lead!
I am a newbie and much of my analysis is probably wrong; I ask the experts to correct me! Special thanks also to heXer/iPB and Mr. 葛泽华. Mr. Ge, please forgive any offence!
Over the past month I have written up part of the notes I have kept since I started learning to crack and posted all of them on the forum; thanks to the teachers and friends for their interest and help! I may not have much spare time for cracking from now on, so let this write-up be the summary of this period of study. Dawn is breaking in the east, heh, another sleepless night. ~_~~_~
—————————————————————————————————
Vchm.exe is packed with ASPack 2.12; unpack it with AspackDie (407 KB -> 1.28 MB). Then disassemble it for static analysis.
User name: fly[OCN]
(the user name must be 5 to 32 characters long)
Trial code: BCDEFGHIJK (the registration code is 10 characters)
Definitions: 1. the user name fly[OCN] is N0; 2. the string TJYIPJFB obtained by transforming N0 is N1; 3. the string TJYIPJFBFW obtained by transforming N1 is N2; 4. the trial code BCDEFGHIJK is K0; 5. the string LJPJLJXJLJ obtained by transforming K0 is K1; 6. the string RSTUVWXYZJ obtained by transforming K1 is K2. Heh, it makes my head spin too! ~@~
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
1. Transforming the user name N0 into N1
* Possible StringData Ref from Code Obj ->"http://www.vchm.com/ convenient "
                                        ->"CHM editor,WYSIWYG."
|
:004E7684 BA3C8B4E00      mov edx, 004E8B3C
====>EDX=http://www.vchm.com/ convenient CHM editor,WYSIWYG.
:004E7689 E8BAD5F1FF      call 00404C48
:004E768E 8B45FC          mov eax, dword ptr [ebp-04]
:004E7691 0550060000      add eax, 00000650
:004E7696 8B55FC          mov edx, dword ptr [ebp-04]
:004E7699 8B9248060000    mov edx, dword ptr [edx+00000648]
:004E769F E860D5F1FF      call 00404C04

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E764A(C)
|
:004E76A4 8D45E8          lea eax, dword ptr [ebp-18]
:004E76A7 BA788B4E00      mov edx, 004E8B78
:004E76AC E897D5F1FF      call 00404C48
:004E76B1 8B45FC          mov eax, dword ptr [ebp-04]
:004E76B4 8B8050060000    mov eax, dword ptr [eax+00000650]
====>EAX=fly[OCN]
:004E76BA E8C5D7F1FF      call 00404E84
====>get the length of the user name
:004E76BF 8BF8            mov edi, eax
====>EDI=8
:004E76C1 85FF            test edi, edi
:004E76C3 7E66            jle 004E772B
:004E76C5 BE01000000      mov esi, 00000001
====>ESI=1 (the 1-based character position)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7729(C)
|
:004E76CA 8B45FC          mov eax, dword ptr [ebp-04]
:004E76CD 8B8050060000    mov eax, dword ptr [eax+00000650]
====>EAX=fly[OCN]
:004E76D3 8A5C30FF        mov bl, byte ptr [eax+esi-01]
====>take the characters of the user name one at a time (hex values)
1.  ====>BL=66
…… …… omitted …… ……
8.  ====>BL=5D
:004E76D7 8B45EC          mov eax, dword ptr [ebp-14]
====>EAX=http://www.vchm.com/ convenient CHM editor,WYSIWYG.
:004E76DA 8A4430FF        mov al, byte ptr [eax+esi-01]
====>take the character at the same position of http://www.vchm.com/ convenient CHM editor,WYSIWYG.
1.  ====>AL=68
…… …… omitted …… ……
8.  ====>AL=77
:004E76DE 32D8            xor bl, al
1.  ====>BL=66 XOR 68=0E
…… …… omitted …… ……
8.  ====>BL=5D XOR 77=2A
:004E76E0 81E3FF000000    and ebx, 000000FF
:004E76E6 33DE            xor ebx, esi
1.  ====>EBX=0E XOR 01=0F
…… …… omitted …… ……
8.  ====>EBX=2A XOR 08=22
:004E76E8 83FB41          cmp ebx, 00000041
====>is EBX below 41?
:004E76EB 7D0B            jge 004E76F8
====>if it is below, keep adding (below)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E76F6(C)
|
:004E76ED 8D441E16        lea eax, dword ptr [esi+ebx+16]
1.①  ====>EAX=01 + 0F + 16=26
1.②  ====>EAX=01 + 26 + 16=3D
1.③  ====>EAX=01 + 3D + 16=54
…… …… omitted …… ……
8.①  ====>EAX=08 + 22 + 16=40
8.②  ====>EAX=08 + 40 + 16=5E
:004E76F1 8BD8            mov ebx, eax
====>EBX=EAX
:004E76F3 83FB41          cmp ebx, 00000041
====>is EBX below 41?
:004E76F6 7CF5            jl 004E76ED
====>if so, jump back and keep adding until it is no longer below 41

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E76EB(C)
|
:004E76F8 83FB7A          cmp ebx, 0000007A
:004E76FB 7E0F            jle 004E770C
====>if above 7A, subtract (below) until it is no longer above 7A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7705(C)
|
:004E76FD 83EB1B          sub ebx, 0000001B
:004E7700 2BDE            sub ebx, esi
:004E7702 83FB7A          cmp ebx, 0000007A
:004E7705 7FF6            jg 004E76FD
:004E7707 EB03            jmp 004E770C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7714(C)
|
:004E7709 83C304          add ebx, 00000004
…… …… omitted …… ……
8.①  ====>EBX=5E + 04=62

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004E76FB(C), :004E7707(U)
|
:004E770C 83FB61          cmp ebx, 00000061
====>is EBX below 61?
:004E770F 7D05            jge 004E7716
:004E7711 83FB5A          cmp ebx, 0000005A
:004E7714 7FF3            jg 004E7709
====>values from 5B to 60 (the characters between Z and a) are pushed up by 4 until they leave that gap, so the result is always a letter

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E770F(C)
|
:004E7716 8B45FC          mov eax, dword ptr [ebp-04]
:004E7719 0550060000      add eax, 00000650
:004E771E E8B1D9F1FF      call 004050D4
:004E7723 885C30FF        mov byte ptr [eax+esi-01], bl
====>store the result at [eax+esi-01]
1.  ====>BL=54
2.  ====>BL=4A
3.  ====>BL=59
4.  ====>BL=49
5.  ====>BL=70
6.  ====>BL=6A
7.  ====>BL=66
8.  ====>BL=62
When the loop finishes, [eax+esi-01] holds the user name fly[OCN] (N0) transformed by the steps above: TJYIpjfb (N1)
:004E7727 46              inc esi
====>ESI increases by 1 each round
:004E7728 4F              dec edi
====>8 rounds: the length of the user name
:004E7729 759F            jne 004E76CA
====>loop again?
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
…… …… omitted …… ……
* Possible StringData Ref from Code Obj ->"DropZone"
|
:004E7985 BAFC854E00      mov edx, 004E85FC
:004E798A 8B18            mov ebx, dword ptr [eax]
:004E798C FF5310          call [ebx+10]
:004E798F 8BD0            mov edx, eax
:004E7991 A12C154F00      mov eax, dword ptr [004F152C]
:004E7996 8B00            mov eax, dword ptr [eax]
:004E7998 E84726F8FF      call 00469FE4
:004E799D A12C154F00      mov eax, dword ptr [004F152C]
:004E79A2 8B00            mov eax, dword ptr [eax]
:004E79A4 8A5057          mov dl, byte ptr [eax+57]
:004E79A7 8B45FC          mov eax, dword ptr [ebp-04]
:004E79AA 8B80E8050000    mov eax, dword ptr [eax+000005E8]
◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇
2. Transforming the trial code K0 into K1
:004E79B0 E8239CF7FF      call 004615D8
:004E79B5 8B45FC          mov eax, dword ptr [ebp-04]
:004E79B8 056C060000      add eax, 0000066C
:004E79BD BA0A000000      mov edx, 0000000A
:004E79C2 E841D8F1FF      call 00405208
====>keep only the first 10 characters of the trial code
Heh, I only typed 10 characters anyway ^v^ ㊣
:004E79C7 8B45FC          mov eax, dword ptr [ebp-04]
:004E79CA 8B806C060000    mov eax, dword ptr [eax+0000066C]
====>EAX=BCDEFGHIJK
:004E79D0 E8AFD4F1FF      call 00404E84
====>get the length of the trial code
:004E79D5 8BD8            mov ebx, eax
====>EBX=A (10)
:004E79D7 8B45FC          mov eax, dword ptr [ebp-04]
:004E79DA 056C060000      add eax, 0000066C
:004E79DF 8BD3            mov edx, ebx
:004E79E1 E822D8F1FF      call 00405208
:004E79E6 8B45FC          mov eax, dword ptr [ebp-04]
:004E79E9 8B806C060000    mov eax, dword ptr [eax+0000066C]
:004E79EF E890D4F1FF      call 00404E84
:004E79F4 8BF8            mov edi, eax
:004E79F6 85FF            test edi, edi
:004E79F8 7E5C            jle 004E7A56
:004E79FA BE01000000      mov esi, 00000001
====>ESI starts at 1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A54(C)
|
:004E79FF 8B45FC          mov eax, dword ptr [ebp-04]
:004E7A02 8B806C060000    mov eax, dword ptr [eax+0000066C]
====>EAX=BCDEFGHIJK
:004E7A08 33DB            xor ebx, ebx
:004E7A0A 8A5C30FF        mov bl, byte ptr [eax+esi-01]
====>take the characters of BCDEFGHIJK one at a time (hex values)
1.  ====>BL=42
2.  ====>BL=43
3.  ====>BL=44
4.  ====>BL=45
5.  ====>BL=46
6.  ====>BL=47
7.  ====>BL=48
8.  ====>BL=49
9.  ====>BL=4A
10. ====>BL=4B
:004E7A0E 33DE            xor ebx, esi
1.  ====>EBX=42 XOR 01=43
2.  ====>EBX=43 XOR 02=41
3.  ====>EBX=44 XOR 03=47
4.  ====>EBX=45 XOR 04=41
5.  ====>EBX=46 XOR 05=43
6.  ====>EBX=47 XOR 06=41
7.  ====>EBX=48 XOR 07=4F
8.  ====>EBX=49 XOR 08=41
9.  ====>EBX=4A XOR 09=43
10. ====>EBX=4B XOR 0A=41
:004E7A10 83C329          add ebx, 00000029
1.  ====>EBX=43 + 29=6C
2.  ====>EBX=41 + 29=6A
3.  ====>EBX=47 + 29=70
4.  ====>EBX=41 + 29=6A
5.  ====>EBX=43 + 29=6C
6.  ====>EBX=41 + 29=6A
7.  ====>EBX=4F + 29=78
8.  ====>EBX=41 + 29=6A
9.  ====>EBX=43 + 29=6C
10. ====>EBX=41 + 29=6A
====>what follows is the same range folding as at 004E76E8-004E7714 in step 1
:004E7A13 83FB41          cmp ebx, 00000041
:004E7A16 7D0B            jge 004E7A23
====>jump if not below 41

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A21(C)
|
:004E7A18 8D441E16        lea eax, dword ptr [esi+ebx+16]
:004E7A1C 8BD8            mov ebx, eax
:004E7A1E 83FB41          cmp ebx, 00000041
:004E7A21 7CF5            jl 004E7A18

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A16(C)
|
:004E7A23 83FB7A          cmp ebx, 0000007A
:004E7A26 7E0F            jle 004E7A37
====>jump if not above 7A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A30(C)
|
:004E7A28 83EB1B          sub ebx, 0000001B
:004E7A2B 2BDE            sub ebx, esi
:004E7A2D 83FB7A          cmp ebx, 0000007A
:004E7A30 7FF6            jg 004E7A28
:004E7A32 EB03            jmp 004E7A37

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A3F(C)
|
:004E7A34 83C304          add ebx, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004E7A26(C), :004E7A32(U)
|
:004E7A37 83FB61          cmp ebx, 00000061
:004E7A3A 7D05            jge 004E7A41
====>jump if not below 61
:004E7A3C 83FB5A          cmp ebx, 0000005A
:004E7A3F 7FF3            jg 004E7A34

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A3A(C)
|
:004E7A41 8B45FC          mov eax, dword ptr [ebp-04]
:004E7A44 056C060000      add eax, 0000066C
:004E7A49 E886D6F1FF      call 004050D4
:004E7A4E 885C30FF        mov byte ptr [eax+esi-01], bl
====>store the result at [eax+esi-01]
1.  ====>BL=6C
2.  ====>BL=6A
3.  ====>BL=70
4.  ====>BL=6A
5.  ====>BL=6C
6.  ====>BL=6A
7.  ====>BL=78
8.  ====>BL=6A
9.  ====>BL=6C
10. ====>BL=6A
When the loop finishes, [eax+esi-01] holds the trial code BCDEFGHIJK (K0) transformed by the steps above: ljpjljxjlj
:004E7A52 46              inc esi
:004E7A53 4F              dec edi
:004E7A54 75A9            jne 004E79FF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E79F8(C)
|
:004E7A56 8B45FC          mov eax, dword ptr [ebp-04]
:004E7A59 056C060000      add eax, 0000066C
:004E7A5E BA0A000000      mov edx, 0000000A
:004E7A63 E8A0D7F1FF      call 00405208
:004E7A68 8D9524FEFFFF    lea edx, dword ptr [ebp+FFFFFE24]
:004E7A6E 8B45FC          mov eax, dword ptr [ebp-04]
:004E7A71 8B806C060000    mov eax, dword ptr [eax+0000066C]
:004E7A77 E84C16F2FF      call 004090C8
====>this CALL converts ljpjljxjlj to upper case!
:004E7A7C 8B9524FEFFFF    mov edx, dword ptr [ebp+FFFFFE24]
====>EDX=LJPJLJXJLJ (K1)
◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇
:004E7A82 8B45FC          mov eax, dword ptr [ebp-04]
:004E7A85 056C060000      add eax, 0000066C
:004E7A8A E875D1F1FF      call 00404C04
:004E7A8F 8B45FC          mov eax, dword ptr [ebp-04]
:004E7A92 81B8740600005B851C00  cmp dword ptr [eax+00000674], 001C855B
:004E7A9C 0F8EA8000000    jle 004E7B4A
====>if the dword at [eax+674] is not above 1C855B, everything up to 004E7B4A is skipped
:004E7AA2 8B45FC          mov eax, dword ptr [ebp-04]
:004E7AA5 8B806C060000    mov eax, dword ptr [eax+0000066C]
:004E7AAB E8D4D3F1FF      call 00404E84
====>get the length of LJPJLJXJLJ
:004E7AB0 8BF0            mov esi, eax
====>ESI=A (10)
:004E7AB2 8B45FC          mov eax, dword ptr [ebp-04]
:004E7AB5 8B8054060000    mov eax, dword ptr [eax+00000654]
:004E7ABB E8C4D3F1FF      call 00404E84
:004E7AC0 50              push eax
:004E7AC1 8B45FC          mov eax, dword ptr [ebp-04]
:004E7AC4 8B806C060000    mov eax, dword ptr [eax+0000066C]
:004E7ACA E8B5D3F1FF      call 00404E84
:004E7ACF 5A              pop edx
:004E7AD0 E84B7BF4FF      call 0042F620
====>my guess is that this CALL performs a CRC check??!!!
:004E7AD5 48              dec eax
:004E7AD6 83F800          cmp eax, 00000000
:004E7AD9 7C60            jl 004E7B3B
====>the jump is taken only when the CALL returned 0 or less; if the program has been modified or unpacked, it is not taken!
In that case the K1 obtained above is transformed once more into K2, and it is K2 rather than K1 that goes into the comparison. However you try to invert K2, you will never get the right registration code! I was "lost" here for 6 hours! I suppose this is the "redundant code" the author talks about. (In the author's own words: "If you want deeper protection, add some redundant code and let the cracker wander around in that pile until his head spins; then you have achieved your goal.")
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
3. The transformation of K1 into K2 that is there to confuse us crackers. ~Q~~Q~
:004E7ADB 8945E0          mov dword ptr [ebp-20], eax
====>[ebp-20] = return value of the CALL at 004E7AD0 minus 1; the trace shows 9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B39(C)
|
:004E7ADE 8B45FC          mov eax, dword ptr [ebp-04]
:004E7AE1 8B806C060000    mov eax, dword ptr [eax+0000066C]
====>EAX=LJPJLJXJLJ
:004E7AE7 33DB            xor ebx, ebx
:004E7AE9 8A5C30FF        mov bl, byte ptr [eax+esi-01]
====>take the character at [eax+esi-01]; ESI stays at A for the whole loop, so this is always the last character
1.  ====>BL=4A J
2.  ====>BL=4A J
3.  ====>BL=4A J
4.  ====>BL=4A J
5.  ====>BL=4A J
6.  ====>BL=4A J
7.  ====>BL=4A J
8.  ====>BL=4A J
9.  ====>BL=4A J
10. ====>BL=4A J
:004E7AED 33DE            xor ebx, esi
1.  ====>EBX=4A XOR 0A=40
2.  ====>EBX=4A XOR 0A=40
3.  ====>EBX=4A XOR 0A=40
4.  ====>EBX=4A XOR 0A=40
5.  ====>EBX=4A XOR 0A=40
6.  ====>EBX=4A XOR 0A=40
7.  ====>EBX=4A XOR 0A=40
8.  ====>EBX=4A XOR 0A=40
9.  ====>EBX=4A XOR 0A=40
10. ====>EBX=4A XOR 0A=40
:004E7AEF 83FB41          cmp ebx, 00000041
:004E7AF2 7D0B            jge 004E7AFF
====>below 41, so no jump: do the additions below!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7AFD(C)
|
:004E7AF4 83C311          add ebx, 00000011
1.  ====>EBX=40 + 11=51
2.  ====>EBX=40 + 11=51
3.  ====>EBX=40 + 11=51
4.  ====>EBX=40 + 11=51
5.  ====>EBX=40 + 11=51
6.  ====>EBX=40 + 11=51
7.  ====>EBX=40 + 11=51
8.  ====>EBX=40 + 11=51
9.  ====>EBX=40 + 11=51
10. ====>EBX=40 + 11=51
:004E7AF7 035DE0          add ebx, dword ptr [ebp-20]
1.  ====>EBX=51 + 09=5A
2.  ====>EBX=51 + 08=59
3.  ====>EBX=51 + 07=58
4.  ====>EBX=51 + 06=57
5.  ====>EBX=51 + 05=56
6.  ====>EBX=51 + 04=55
7.  ====>EBX=51 + 03=54
8.  ====>EBX=51 + 02=53
9.  ====>EBX=51 + 01=52
10. ====>EBX=51 + 00=51
:004E7AFA 83FB41          cmp ebx, 00000041
:004E7AFD 7CF5            jl 004E7AF4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7AF2(C)
|
:004E7AFF 83FB7A          cmp ebx, 0000007A
:004E7B02 7E10            jle 004E7B14

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B0D(C)
|
:004E7B04 83EB17          sub ebx, 00000017
:004E7B07 2B5DE0          sub ebx, dword ptr [ebp-20]
:004E7B0A 83FB7A          cmp ebx, 0000007A
:004E7B0D 7FF5            jg 004E7B04
:004E7B0F EB03            jmp 004E7B14

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B1C(C)
|
:004E7B11 83EB03          sub ebx, 00000003

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004E7B02(C), :004E7B0F(U)
|
:004E7B14 83FB61          cmp ebx, 00000061
:004E7B17 7D05            jge 004E7B1E
:004E7B19 83FB5A          cmp ebx, 0000005A
:004E7B1C 7FF3            jg 004E7B11

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B17(C)
|
:004E7B1E 8B45FC          mov eax, dword ptr [ebp-04]
:004E7B21 056C060000      add eax, 0000066C
:004E7B26 E8A9D5F1FF      call 004050D4
:004E7B2B 8B55E0          mov edx, dword ptr [ebp-20]
====>[ebp-20] into EDX
1.  ====>EDX=09
2.  ====>EDX=08
3.  ====>EDX=07
4.  ====>EDX=06
5.  ====>EDX=05
6.  ====>EDX=04
7.  ====>EDX=03
8.  ====>EDX=02
9.  ====>EDX=01
10. ====>EDX=00
:004E7B2E 885C10FF        mov byte ptr [eax+edx-01], bl
====>store the result at [eax+edx-01]: the index is EDX, not ESI, so the string is filled from the back towards the front, and the last round (EDX=0) writes to the byte just before the first character
1.  ====>BL=5A  string=LJPJLJXJZJ
2.  ====>BL=59  string=LJPJLJXYZJ
3.  ====>BL=58  string=LJPJLJXYZJ
4.  ====>BL=57  string=LJPJLWXYZJ
5.  ====>BL=56  string=LJPJVWXYZJ
6.  ====>BL=55  string=LJPUVWXYZJ
7.  ====>BL=54  string=LJTUVWXYZJ
8.  ====>BL=53  string=LSTUVWXYZJ
9.  ====>BL=52  string=RSTUVWXYZJ
10. ====>BL=51  memory shows QRSTUVWXYZJ (the Q sits before the first character)
:004E7B32 FF4DE0          dec [ebp-20]
====>[ebp-20] decreases by 1 each round; initial value 9
:004E7B35 837DE0FF        cmp dword ptr [ebp-20], FFFFFFFF
:004E7B39 75A3            jne 004E7ADE
====>loop back? 10 rounds in total!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7AD9(C)
|
:004E7B3B 8B45FC          mov eax, dword ptr [ebp-04]
:004E7B3E 056C060000      add eax, 0000066C
:004E7B43 8BD6            mov edx, esi
:004E7B45 E8BED6F1FF      call 00405208
====>cut the string back to ESI (=A) characters, the same CALL used at 004E79C2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A9C(C)
|
* Reference To: kernel32.GetTickCount, Ord:0000h
|
:004E7B4A E879F9F1FF      Call 004074C8
:004E7B4F 8B55FC          mov edx, dword ptr [ebp-04]
:004E7B52 2B827C060000    sub eax, dword ptr [edx+0000067C]
:004E7B58 3D9E400000      cmp eax, 0000409E
:004E7B5D 730A            jnb 004E7B69
:004E7B5F 8B45FC          mov eax, dword ptr [ebp-04]
:004E7B62 C6804C06000001  mov byte ptr [eax+0000064C], 01
====>if fewer than 409E (16542) milliseconds have passed since the tick count saved at [edx+67C], the flag byte at [eax+64C] is set to 1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B5D(C)
|
:004E7B69 8D9520FEFFFF    lea edx, dword ptr [ebp+FFFFFE20]
:004E7B6F 8B45FC          mov eax, dword ptr [ebp-04]
:004E7B72 8B806C060000    mov eax, dword ptr [eax+0000066C]
:004E7B78 E84B15F2FF      call 004090C8
====>the same upper-casing CALL as at 004E7A77; the string was already cut to 10 characters at 004E7B45
:004E7B7D 8B9520FEFFFF    mov edx, dword ptr [ebp+FFFFFE20]
====>EDX=RSTUVWXYZJ (K2)
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
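The decoy loop above, modelled in Python. This is an added example, not code from Visual CHM: it reproduces the listing at 004E7ADE-004E7B39 to show why K2 cannot be inverted into a code, namely that every round reads the same last character of K1 (ESI never changes inside the loop), fills the buffer from the back, and on the final round (EDX=0) stores one byte before the first character. The round count of 10 is taken from the trace ([ebp-20] starts at 9); what the CALL at 004E7AD0 actually computes is not known from the page and is not modelled.

```python
def decoy_k1_to_k2(k1: str, rounds: int = 10) -> tuple:
    """Model of the loop at 004E7ADE-004E7B39 (added example, not the
    program's code).

    Returns (rewritten string, byte stored one position before the first
    character).  `rounds` is the value the CALL at 004E7AD0 returned in
    the trace (10); it must not exceed len(k1) for this model.
    """
    buf = bytearray(k1.encode("ascii"))
    n = len(buf)                                  # esi: never changes in the loop
    if rounds > n:
        raise ValueError("more rounds than characters: not covered by the trace")
    before_first = None
    for d in range(rounds - 1, -1, -1):           # [ebp-20]: rounds-1 down to 0
        v = buf[n - 1] ^ n                        # mov bl,[eax+esi-1] ; xor ebx,esi
        while v < 0x41:                           # add ebx,11 ; add ebx,[ebp-20]
            v += 0x11 + d
        while v > 0x7A:                           # sub ebx,17 ; sub ebx,[ebp-20]
            v -= 0x17 + d
        while 0x5A < v < 0x61:                    # sub ebx,3
            v -= 3
        if d == 0:
            before_first = v                      # mov [eax+edx-1],bl with EDX=0
        else:
            buf[d - 1] = v                        # index EDX-1, not ESI-1
    return buf.decode("ascii"), before_first


if __name__ == "__main__":
    print(decoy_k1_to_k2("LJPJLJXJLJ"))           # ('RSTUVWXYZJ', 81)
```

The second element of the result is 0x51, the Q that the trace shows in front of RSTUVWXYZJ; because the source character is constant, the output depends only on the length and the round count, not on the entered code.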
:004E7B83 8B45FC          mov eax, dword ptr [ebp-04]
:004E7B86 0558060000      add eax, 00000658
:004E7B8B E874D0F1FF      call 00404C04
:004E7B90 BB01000000      mov ebx, 00000001
:004E7B95 8D45EC          lea eax, dword ptr [ebp-14]
:004E7B98 BA788B4E00      mov edx, 004E8B78
:004E7B9D E8A6D0F1FF      call 00404C48
:004E7BA2 682C010000      push 0000012C
Heh, the steps above can be caught with a breakpoint when the program is restarted. The comparison below is more troublesome: without knowing where to break it is not easy to find. I tried many times and finally tracked it down slowly with TRW. Heh, exhausting! ^Q^~@~

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5400(U)
|
:004E546B 8B45FC          mov eax, dword ptr [ebp-04]
====>EAX=LJPJLJXJLJ (or RSTUVWXYZJ)
:004E546E E811FAF1FF      call 00404E84
====>get the length
:004E5473 83F80B          cmp eax, 0000000B
:004E5476 7F8A            jg 004E5402
====>no jump unless the length is above B!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
4. Transforming N1 from step 1 into the 10-character N2
:004E5478 33DB            xor ebx, ebx
:004E547A 8B8664060000    mov eax, dword ptr [esi+00000664]
====>EAX=TJYIPJFB (the lower-case letters have already been converted to upper case)
:004E5480 E8FFF9F1FF      call 00404E84
:004E5485 8BF8            mov edi, eax
:004E5487 E9BA000000      jmp 004E5546
====>jump down to the length check: a string longer than B characters is shortened by the block at 004E548C, a shorter one is padded to 10 by the block at 004E555E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5554(C)
|
:004E548C 83FF15          cmp edi, 00000015
:004E548F 7D03            jge 004E5494
:004E5491 43              inc ebx
:004E5492 EB15            jmp 004E54A9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E548F(C)
|
:004E5494 8B8664060000    mov eax, dword ptr [esi+00000664]
:004E549A E8E5F9F1FF      call 00404E84
:004E549F B909000000      mov ecx, 00000009
:004E54A4 99              cdq
:004E54A5 F7F9            idiv ecx
:004E54A7 8BDA            mov ebx, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5492(U)
|
:004E54A9 8B8664060000    mov eax, dword ptr [esi+00000664]
:004E54AF E8D0F9F1FF      call 00404E84
:004E54B4 2BC3            sub eax, ebx
:004E54B6 8B9664060000    mov edx, dword ptr [esi+00000664]
:004E54BC 8A4402FF        mov al, byte ptr [edx+eax-01]
:004E54C0 8B9664060000    mov edx, dword ptr [esi+00000664]
:004E54C6 8A541AFF        mov dl, byte ptr [edx+ebx-01]
:004E54CA 32C2            xor al, dl
:004E54CC 25FF000000      and eax, 000000FF
:004E54D1 83C079          add eax, 00000079
:004E54D4 50              push eax
:004E54D5 8D8664060000    lea eax, dword ptr [esi+00000664]
:004E54DB E8F4FBF1FF      call 004050D4
:004E54E0 5A              pop edx
:004E54E1 885418FF        mov byte ptr [eax+ebx-01], dl
:004E54E5 8B8664060000    mov eax, dword ptr [esi+00000664]
:004E54EB 0FB64418FF      movzx eax, byte ptr [eax+ebx-01]
:004E54F0 E89367FFFF      call 004DBC88
:004E54F5 50              push eax
:004E54F6 8D8664060000    lea eax, dword ptr [esi+00000664]
:004E54FC E8D3FBF1FF      call 004050D4
:004E5501 5A              pop edx
:004E5502 885418FF        mov byte ptr [eax+ebx-01], dl
:004E5506 8D8664060000    lea eax, dword ptr [esi+00000664]
:004E550C 50              push eax
:004E550D 8B8664060000    mov eax, dword ptr [esi+00000664]
:004E5513 E86CF9F1FF      call 00404E84
:004E5518 8BC8            mov ecx, eax
:004E551A 2BCB            sub ecx, ebx
:004E551C BA01000000      mov edx, 00000001
:004E5521 8B8664060000    mov eax, dword ptr [esi+00000664]
:004E5527 E8B0FBF1FF      call 004050DC
:004E552C 8B8664060000    mov eax, dword ptr [esi+00000664]
:004E5532 E84DF9F1FF      call 00404E84
:004E5537 8BD0            mov edx, eax
:004E5539 2BD3            sub edx, ebx
:004E553B 8D8664060000    lea eax, dword ptr [esi+00000664]
:004E5541 E8C2FCF1FF      call 00405208
====>the shortening block above is never reached with an 8-character name and was not traced

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5487(U)
|
:004E5546 8B8664060000    mov eax, dword ptr [esi+00000664]
====>EAX=TJYIPJFB
:004E554C E833F9F1FF      call 00404E84
====>get the length
:004E5551 83F80B          cmp eax, 0000000B
:004E5554 0F8F32FFFFFF    jg 004E548C
====>no jump unless the length is above B!
:004E555A 33DB            xor ebx, ebx
:004E555C EB40            jmp 004E559E
====>jump over!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E55BA(C)
|
:004E555E 43              inc ebx
:004E555F 8B8664060000    mov eax, dword ptr [esi+00000664]
====>EAX=TJYIPJFB
:004E5565 8A4418FF        mov al, byte ptr [eax+ebx-01]
====>round k takes the k-th character of N1
1.  ====>AL=54
2.  ====>AL=4A
:004E5569 3455            xor al, 55
1.  ====>AL=54 XOR 55=01
2.  ====>AL=4A XOR 55=1F
:004E556B 25FF000000      and eax, 000000FF
:004E5570 8D5346          lea edx, dword ptr [ebx+46]
1.  ====>EDX=1 + 46=47
2.  ====>EDX=2 + 46=48
:004E5573 33C2            xor eax, edx
1.  ====>AL=01 XOR 47=46
2.  ====>AL=1F XOR 48=57
:004E5575 8845FB          mov byte ptr [ebp-05], al
:004E5578 33C0            xor eax, eax
:004E557A 8A45FB          mov al, byte ptr [ebp-05]
:004E557D E80667FFFF      call 004DBC88
====>a character-to-character CALL that was not traced; for 46 (F) and 57 (W) it returned its input unchanged
:004E5582 8845FB          mov byte ptr [ebp-05], al
:004E5585 8D45F0          lea eax, dword ptr [ebp-10]
:004E5588 8A55FB          mov dl, byte ptr [ebp-05]
:004E558B E800F8F1FF      call 00404D90
:004E5590 8B55F0          mov edx, dword ptr [ebp-10]
:004E5593 8D8664060000    lea eax, dword ptr [esi+00000664]
:004E5599 E8EEF8F1FF      call 00404E8C
====>append the new character to the string

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E555C(U)
|
:004E559E 8B8664060000    mov eax, dword ptr [esi+00000664]
====>the two rounds above turn N1 into TJYIPJFBFW (N2)
:004E55A4 E8DBF8F1FF      call 00404E84
:004E55A9 83F80A          cmp eax, 0000000A
====>10 characters yet?
:004E55AC 7D0E            jge 004E55BC
====>jump if not fewer than 10!
:004E55AE 8B8664060000    mov eax, dword ptr [esi+00000664]
:004E55B4 E8CBF8F1FF      call 00404E84
:004E55B9 48              dec eax
:004E55BA 7FA2            jg 004E555E
====>jump back for another round until there are 10 characters!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣
5. The comparison! N2 computed from the user name is compared character by character with the reverse of K1 computed from the trial code!
Heh, if you have modified or unpacked the original program, the K2 produced by the "redundant code" above takes the place of K1 in this comparison! A very clever "maze"!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E55AC(C)
|
:004E55BC 8D8664060000    lea eax, dword ptr [esi+00000664]
:004E55C2 BA0A000000      mov edx, 0000000A
:004E55C7 E83CFCF1FF      call 00405208
:004E55CC 8D55EC          lea edx, dword ptr [ebp-14]
:004E55CF 8B8664060000    mov eax, dword ptr [esi+00000664]
====>EAX=TJYIPJFBFW
:004E55D5 E8EE3AF2FF      call 004090C8
:004E55DA 8B55EC          mov edx, dword ptr [ebp-14]
====>EDX=TJYIPJFBFW
:004E55DD 8D8664060000    lea eax, dword ptr [esi+00000664]
:004E55E3 E81CF6F1FF      call 00404C04
:004E55E8 8D45FC          lea eax, dword ptr [ebp-04]
:004E55EB 8B9658060000    mov edx, dword ptr [esi+00000658]
====>EDX=LJPJLJXJLJ
:004E55F1 E852F6F1FF      call 00404C48
:004E55F6 C6868006000001  mov byte ptr [esi+00000680], 01
====>the registration flag starts out as 1
:004E55FD BF01000000      mov edi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5637(C)
====>below, N2 (read from the front) and K1 (read from the back) are compared character by character!
:004E5602 80BE8006000000  cmp byte ptr [esi+00000680], 00
:004E5609 741C            je 004E5627
====>once the flag has been cleared it stays cleared for all remaining rounds
:004E560B 8B8664060000    mov eax, dword ptr [esi+00000664]
====>EAX=TJYIPJFBFW
:004E5611 8A4438FF        mov al, byte ptr [eax+edi-01]
====>take TJYIPJFBFW from front to back
:004E5615 BA0B000000      mov edx, 0000000B
:004E561A 2BD7            sub edx, edi
:004E561C 8B4DFC          mov ecx, dword ptr [ebp-04]
====>ECX=LJPJLJXJLJ
:004E561F 8A5411FF        mov dl, byte ptr [ecx+edx-01]
====>take LJPJLJXJLJ from back to front
:004E5623 32C2            xor al, dl
====>XOR the pair: zero means they are equal!
:004E5625 7404            je 004E562B
====>if it does not jump, game over!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5609(C)
|
:004E5627 33C0            xor eax, eax
====>EAX cleared: game over!
:004E5629 EB02            jmp 004E562D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5625(C)
|
:004E562B B001            mov al, 01
====>AL set: OK!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5629(U)
|
:004E562D 888680060000    mov byte ptr [esi+00000680], al
====>AL goes into the registration flag!!!
:004E5633 47              inc edi
:004E5634 83FF0B          cmp edi, 0000000B
:004E5637 75C9            jne 004E5602
:004E5639 EB2A            jmp 004E5665
㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣
—————————————————————————————————
【Algorithm summary】:
Heh, after three days and nights of "painstaking" tracing I finally have a rough picture of the algorithm. Now to invert it!
Definitions:
① the user name fly[OCN] is N0; ② the string TJYIPJFB obtained by transforming N0 is N1; ③ the string TJYIPJFBFW obtained by transforming N1 is N2;
④ the trial code BCDEFGHIJK is K0; ⑤ the string LJPJLJXJLJ obtained by transforming K0 is K1; ⑥ the string RSTUVWXYZJ obtained by transforming K1 is K2.
1. At the end the program compares N2 (TJYIPJFBFW) with the reverse of K1 (LJPJLJXJLJ); if they match, OK!
So the real K1 is the reverse of N2: WFBFJPIYJT
2. Working back to K0:
The code that computes K1:
:004E7A0E 33DE            xor ebx, esi
1.  ====>EBX=42 XOR 01=43
2.  ====>EBX=43 XOR 02=41
3.  ====>EBX=44 XOR 03=47
4.  ====>EBX=45 XOR 04=41
5.  ====>EBX=46 XOR 05=43
6.  ====>EBX=47 XOR 06=41
7.  ====>EBX=48 XOR 07=4F
8.  ====>EBX=49 XOR 08=41
9.  ====>EBX=4A XOR 09=43
10. ====>EBX=4B XOR 0A=41
:004E7A10 83C329          add ebx, 00000029
1.  ====>EBX=43 + 29=6C
2.  ====>EBX=41 + 29=6A
3.  ====>EBX=47 + 29=70
4.  ====>EBX=41 + 29=6A
5.  ====>EBX=43 + 29=6C
6.  ====>EBX=41 + 29=6A
7.  ====>EBX=4F + 29=78
8.  ====>EBX=41 + 29=6A
9.  ====>EBX=43 + 29=6C
10. ====>EBX=41 + 29=6A
My inversion:
First convert WFBFJPIYJT to lower case, wfbfjpiyjt, then undo the two steps on each character's hex value: subtract 29, then XOR with the position. The lower-case form is the one to invert because K1 is only converted to upper case after the transformation (the CALL at 004E7A77), and a lower-case letter lies in 61..7A, where the range-folding loops at 004E7A13-004E7A3F leave the value untouched.
1.  (77-29) XOR 01=4F, i.e. O
2.  (66-29) XOR 02=3F, i.e. ?
3.  (62-29) XOR 03=3A, i.e. :
4.  (66-29) XOR 04=39, i.e. 9
5.  (6A-29) XOR 05=44, i.e. D
6.  (70-29) XOR 06=41, i.e. A
7.  (69-29) XOR 07=47, i.e. G
8.  (79-29) XOR 08=58, i.e. X
9.  (6A-29) XOR 09=48, i.e. H
10. (74-29) XOR 0A=41, i.e. A
Heh, and there is my registration code: O?:9DAGXHA
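The whole check from steps 1, 2, 4 and 5, together with the inversion above, written out in Python as an added example; this is not Visual CHM's code, it is a model built from the listing and checked against the page's own values (fly[OCN], BCDEFGHIJK, O?:9DAGXHA). Where the trace does not settle a detail, the model assumes: N1 is converted to upper case before the padding step (the trace shows TJYIpjfb becoming TJYIPJFB but not where), and N2 is upper-cased again by the CALL at 004E55D5; the untraced CALL 004DBC88 is the identity, as it was for F and W; names longer than 11 characters take the untraced shortening branch at 004E548C and are rejected; the constant string is as printed on the page, though only its first 8 characters were confirmed by the trace. Unlike the hand inversion, `keygen` verifies each candidate character with the forward transform and falls back to a search when the shortcut does not round-trip.

```python
# Added example (not Visual CHM's own code): a model of the registration
# check traced above and its inverse.  See the lead-in for the assumptions
# (upper-casing steps, CALL 004DBC88 treated as identity, names longer than
# 11 characters rejected, constant string as printed on the page).

# String referenced at 004E7684; XORed position by position with the name.
SITE = "http://www.vchm.com/ convenient CHM editor,WYSIWYG."


def fold_into_letters(v: int, i: int) -> int:
    """The three range-folding loops at 004E76E8-004E7714 (repeated at
    004E7A13-004E7A3F).  i is the 1-based position held in ESI."""
    while v < 0x41:                  # below 'A': lea eax,[esi+ebx+16]
        v = i + v + 0x16
    while v > 0x7A:                  # above 'z': sub ebx,1B ; sub ebx,esi
        v = v - 0x1B - i
    while 0x5A < v < 0x61:           # between 'Z' and 'a': add ebx,4
        v += 4
    return v


def name_to_n1(name: str) -> str:
    """Loop at 004E76CA-004E7729: N0 -> N1."""
    out = []
    for i, c in enumerate(name, 1):
        v = (ord(c) ^ ord(SITE[i - 1])) & 0xFF   # xor bl,al ; and ebx,FF
        v ^= i                                    # xor ebx,esi
        out.append(chr(fold_into_letters(v, i)))
    return "".join(out).upper()                   # assumed upper-casing step


def n1_to_n2(n1: str) -> str:
    """Padding loop at 004E555E-004E55BA: append until 10 characters."""
    if len(n1) > 11:
        raise NotImplementedError("shortening branch at 004E548C not traced")
    s = n1
    k = 0
    while len(s) < 10:
        k += 1                                     # inc ebx
        v = (ord(s[k - 1]) ^ 0x55) & 0xFF          # xor al,55 ; and eax,FF
        v ^= k + 0x46                              # lea edx,[ebx+46] ; xor eax,edx
        s += chr(v)                                # CALL 004DBC88 assumed identity
    return s[:10].upper()                          # cut at 004E55C7, upper at 004E55D5


def k1_char(c: str, i: int) -> str:
    """One round of 004E79FF-004E7A54 followed by the upper-casing at 004E7A77."""
    v = (ord(c) ^ i) + 0x29                        # xor ebx,esi ; add ebx,29
    return chr(fold_into_letters(v, i)).upper()


def code_to_k1(code: str) -> str:
    """K0 -> K1; the code is cut to 10 characters first (004E79C2)."""
    return "".join(k1_char(c, i) for i, c in enumerate(code[:10], 1))


def check(name: str, code: str) -> bool:
    """Final loop at 004E5602-004E5637: N2[i] must equal K1[9-i]."""
    if not 5 <= len(name) <= 32 or len(code) != 10:
        return False
    n2 = n1_to_n2(name_to_n1(name))
    k1 = code_to_k1(code)
    return all(n2[i] == k1[9 - i] for i in range(10))


def keygen(name: str) -> str:
    """Build a code whose K1 is the reverse of N2, one position at a time."""
    if not 5 <= len(name) <= 32:
        raise ValueError("user name must be 5 to 32 characters")
    target = n1_to_n2(name_to_n1(name))[::-1]      # the K1 we need
    code = []
    for i, t in enumerate(target, 1):
        # The page's shortcut: lower-case target letter (it passes the
        # folding loops untouched), then undo 'add 29' and 'xor esi'.
        direct = chr(((ord(t.lower()) - 0x29) ^ i) & 0xFF)
        # The folding is many-to-one, so confirm the shortcut with the
        # forward transform and otherwise search printable ASCII.
        for cand in [direct] + [chr(x) for x in range(0x21, 0x7F)]:
            if 0x21 <= ord(cand) <= 0x7E and k1_char(cand, i) == t:
                code.append(cand)
                break
        else:
            raise ValueError(f"position {i}: nothing printable maps to {t!r}")
    result = "".join(code)
    assert check(name, result)
    return result


if __name__ == "__main__":
    print(keygen("fly[OCN]"))                      # O?:9DAGXHA
```

Because `fold_into_letters` is shared by steps 1 and 2 exactly as the two copies in the binary are, a mistake in the model would show up in both N1 and K1; checking `name_to_n1`, `n1_to_n2` and `code_to_k1` separately against the traced values is the quickest way to confirm it.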
—————————————————————————————————
【On patching】:
I have seen patched versions of this program, for example the Team Lz0 release, but when I tried it it did not work well (perhaps my method was wrong). I patched it myself as well: it shows "registered" and the "Compile" menu no longer turns grey, but the functional limits remain! Perhaps the program has a very well hidden CRC check and verification routine.
Heh, I truly admire the author's skill! If anyone has a clean patch, please teach me!
—————————————————————————————————
【Where the registration data is stored】:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\XgSoft\Visual CHM 3.0]
"Email"="fly[OCN]"
"RegisterCode"="O?:9DAGXHA"
—————————————————————————————————
【Summary】:
User name: fly[OCN]
Registration code: O?:9DAGXHA
—————————————————————————————————
Cracked By 巢水工作坊——fly【OCN】
4:30 03-3-13