IEPopupKiller
1.2破解手记--算法分析
作者:newlaos[DFCG]
软件名称:IEPopupKiller
1.2(浏览过滤)
整理日期:2003.3.29(华军网)
最新版本:1.2
文件大小:786KB
软件授权:共享软件
使用平台:Win9x/Me/NT/2000/XP
发布公司:"http://www.wingsofts.com/"
软件简介:当你在网上冲浪的时候,是否被那些弹出的广告所捆扰?IEPopupKiller可以帮你杀掉这些无聊的广告,它独有的智能化查找方式,能将那些无用的弹出窗口杀掉,而保留有用的页面。减少资源浪费,从而加快上网速度。是真正的上网广告防护利器。
加密方式:注册码
功能限制:使用次数30次
PJ工具:TRW20001.23注册版,W32Dasm8.93黄金版,FI2.5
PJ日期:2003-03-31
作者newlaos申明:只是学习,请不用于商业用途或是将本文方法制作的注册机任意传播,造成后果,本人一概不负。
1、先用FI2.5看一下主文件“IEPopupKiller.exe”,没加壳。程序是用VC++6.0编的
2、用W32Dasm8.93黄金版对QuickCD.exe进行静态反汇编,再用串式数据参考,找不到什么经典的句子,怎么办?在软件的安装目录下,发现在\Languages\chinese(simple).ini文件中有:
[IDD_DIALOG_REGISTER]
OK=恭喜你注册成功!感谢你对国产软件的支持!
<===呵呵,原来关键字符是OK呀!
IDC_STATIC_SELECT=你可以选择如下站点之一进行注册。
IDC_STATIC_SERIAL=序列号:
IDC_STATIC_USETIMES=你还可以使用的次数:
IDC_BUTTON_GO=注册
再回到W32Dasm8.93,找到"OK"(这就是注册成功),双击有很两个,经过分析,发现位于00430962的才是关键的部分。
3、再用TRW20001.23注册版进行动态跟踪,下断BPX
004308A0(通常在注册成功与否的前面一些下断,这样,才能找到关键部分),
先输入假码: 78787878
.......
.......
:004308A0
6AFF push
FFFFFFFF
:004308A2 68C0494B00 push
004B49C0
:004308A7 64A100000000 mov
eax, dword ptr fs:[00000000]
:004308AD 50
push eax
:004308AE 64892500000000
mov dword ptr fs:[00000000], esp
:004308B5
83EC14 sub esp,
00000014
:004308B8 A160C44D00 mov
eax, dword ptr [004DC460]
:004308BD 53
push ebx
:004308BE 56
push esi
:004308BF 57
push
edi
:004308C0 8BF1
mov esi, ecx
:004308C2 8944240C
mov dword ptr [esp+0C], eax
:004308C6 8D4C240C
lea ecx, dword ptr [esp+0C]
:004308CA
C744242800000000 mov [esp+28], 00000000
:004308D2
51 push
ecx
:004308D3 8D4E64
lea ecx, dword ptr [esi+64]
:004308D6 E8FED10400
call 0047DAD9 <===EAX=8(输入注册码的长度) ECX=78787878
:004308DB
51 push
ecx
:004308DC 8D542410 lea
edx, dword ptr [esp+10]
:004308E0 8BCC
mov ecx, esp
:004308E2 89642418
mov dword ptr [esp+18], esp
:004308E6 52
push
edx
:004308E7 E85D040500 call
00480D49
:004308EC 8BCE
mov ecx, esi
:004308EE E84308FDFF
call 00401136 <===关键的算法CALL,F8跟进
:004308F3
85C0 test
eax, eax <===要想正确注册,则EAX不能为0
:004308F5 0F84E4000000
je 004309DF <===如果注册码不正确,就从这里跳走,OVER了
:004308FB
8B8680000000 mov eax, dword ptr [esi+00000080]
:00430901
BB01000000 mov ebx, 00000001
:00430906
6A00 push
00000000
:00430908 53
push ebx
:00430909 68CF000000
push 000000CF
:0043090E 50
push eax
*
Reference To: USER32.SendMessageA, Ord:0214h
|
:0043090F
FF15DC774E00 Call dword ptr [004E77DC]
*
Possible StringData Ref from Data Obj ->"IDD_DIALOG_REGISTER"
|
:00430915 6874B14D00
push 004DB174
:0043091A 8D4C2414
lea ecx, dword ptr [esp+14]
:0043091E E81F070500
call 00481042
:00430923 885C2428
mov byte ptr [esp+28],
bl
:00430927 E895130500 call
00481CC1
:0043092C 85C0
test eax, eax
:0043092E 740B
je 0043093B
:00430930 8B10
mov edx, dword ptr [eax]
:00430932
8BC8 mov
ecx, eax
:00430934 FF5274
call [edx+74]
:00430937 8BF8
mov edi, eax
:00430939 EB02
jmp 0043093D
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043092E(C)
|
:0043093B
33FF xor
edi, edi
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00430939(U)
|
:0043093D
E850E80600 call 0049F192
:00430942
8B4C240C mov ecx, dword
ptr [esp+0C]
:00430946 8B4004
mov eax, dword ptr [eax+04]
:00430949 51
push ecx
*
Possible StringData Ref from Data Obj ->"Serial"
|
:0043094A 68DCA84D00
push 004DA8DC
*
Possible StringData Ref from Data Obj ->"Serial"
|
:0043094F 68DCA84D00
push 004DA8DC
:00430954 8BC8
mov ecx, eax
:00430956 E8C0EF0500
call 0048F91B
:0043095B 51
push ecx
:0043095C
8BCC mov
ecx, esp
:0043095E 8964241C
mov dword ptr [esp+1C], esp
*
Possible StringData Ref from Data Obj ->"OK"
<===这是里就是注册成功的信息
|
:00430962 6830B14D00
push 004DB130
:00430967 E8D6060500
call 00481042
:0043096C 51
push
ecx
:0043096D 8D542418 lea
edx, dword ptr [esp+18]
:00430971 8BCC
mov ecx, esp
:00430973 89642424
mov dword ptr [esp+24], esp
:00430977 52
push
edx
:00430978 C644243402 mov
[esp+34], 02
:0043097D E8C7030500
call 00480D49
:00430982 8D44241C
lea eax, dword ptr [esp+1C]
:00430986 8D8F9C0E0000
lea ecx, dword ptr [edi+00000E9C]
:0043098C 50
push eax
:0043098D
885C2434 mov byte ptr [esp+34],
bl
:00430991 E83716FDFF call
00401FCD
:00430996 8B00
mov eax, dword ptr [eax]
:00430998 8BCE
mov ecx, esi
:0043099A 50
push eax
*
Possible Reference to Dialog: DialogID_0090, CONTROL_ID:0419, "Static"
|
:0043099B 6819040000
push 00000419
:004309A0 C644243003
mov [esp+30], 03
:004309A5 E89DF80400
call 00480247
:004309AA 8BC8
mov ecx, eax
:004309AC
E82DFB0400 call 004804DE
:004309B1
8D4C2414 lea ecx, dword
ptr [esp+14]
:004309B5 885C2428
mov byte ptr [esp+28], bl
:004309B9 E816060500
call 00480FD4
:004309BE 6A00
push 00000000
:004309C0 8D8EA0000000
lea ecx, dword ptr [esi+000000A0]
:004309C6
E89AFC0400 call 00480665
:004309CB
8D4C2410 lea ecx, dword
ptr [esp+10]
:004309CF 899F80010000 mov
dword ptr [edi+00000180], ebx
:004309D5 C644242800
mov [esp+28], 00
:004309DA E8F5050500
call 00480FD4
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004308F5(C)
|
:004309DF
8D4C240C lea ecx, dword
ptr [esp+0C]
:004309E3 C7442428FFFFFFFF mov [esp+28],
FFFFFFFF
:004309EB E8E4050500 call
00480FD4
:004309F0 8B4C2420
mov ecx, dword ptr [esp+20]
:004309F4 5F
pop edi
:004309F5 5E
pop esi
:004309F6
64890D00000000 mov dword ptr fs:[00000000],
ecx
:004309FD 5B
pop ebx
:004309FE 83C420
add esp, 00000020
:00430A01 C3
ret
.......
.......
-----004308EE
call 00401136 关键的算法CALL,F8跟进来到下列代码段------------------
要正确注册,则EAX返回时,不能为0
:00430370
6AFF push
FFFFFFFF
:00430372 6820494B00 push
004B4920
:00430377 64A100000000 mov
eax, dword ptr fs:[00000000]
:0043037D 50
push eax
:0043037E 64892500000000
mov dword ptr fs:[00000000], esp
:00430385
83EC1C sub esp,
0000001C
:00430388 53
push ebx
:00430389 55
push ebp
:0043038A 56
push esi
:0043038B
57 push
edi
:0043038C 8D44243C lea
eax, dword ptr [esp+3C]
:00430390 8D4C2414
lea ecx, dword ptr [esp+14]
:00430394 50
push eax
:00430395
C744243800000000 mov [esp+38], 00000000
:0043039D
E8A7090500 call 00480D49
:004303A2
8B742414 mov esi, dword
ptr [esp+14] <===ESI=78787878
:004303A6 8B56F8
mov edx, dword ptr [esi-08] <===EDX=8(输入注册码的码的长度)
:004303A9
83FA0C cmp edx,
0000000C <===看输入的注册码长度是不是C(12位),将假码改为787878787878,重新来
:004303AC 0F85B5010000
jne 00430567 <===跳过去就OVER了
:004303B2
33C9 xor
ecx, ecx <===计数器ECX,初始值化为0
:004303B4 85D2
test edx, edx
:004303B6
7E18 jle
004303D0 <===不跳
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004303CE(C)
|
:004303B8
8A0431 mov al, byte
ptr [ecx+esi]
:004303BB 3C41
cmp al, 41
:004303BD 0F8CA4010000
jl 00430567 <===跳过去就OVER了
:004303C3
3C5A cmp
al, 5A
:004303C5 0F8F9C010000 jg 00430567
<===跳过去就OVER了
:004303CB 41
inc ecx
:004303CC
3BCA cmp
ecx, edx
:004303CE 7CE8
jl 004303B8 <===构成一个小循环,主要功能依次提取注册码的字符,检测是不是位于A-Z(大写)之间,只要一个不对,就OVER!
将假码改为ABCDEFGHIJKL,再重新来
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004303B6(C)
|
*******************
.......
中间部分省略,主要功能是将输入的注册码分成四段,每段三个字符
.......
*******************
:00430492
8D4C2428 lea ecx, dword
ptr [esp+28]
:00430496 885C2434
mov byte ptr [esp+34], bl
:0043049A E8350B0500
call 00480FD4
:0043049F 8B7C241C
mov edi, dword ptr [esp+1C] <===EDI=GHI(第三段)
:004304A3
8B6C2418 mov ebp, dword
ptr [esp+18] <===EBP=JKL(第四段)
:004304A7 8B742420
mov esi, dword ptr [esp+20] <===ESI=DEF(第二段)
:004304AB
8B442424 mov eax, dword
ptr [esp+24] <===EAX=ABC(第一段)
:004304AF 8A1F
mov bl, byte ptr [edi] <===BL=47(是G的ASCII的16进制表示形式)
:004304B1
8A16 mov
dl, byte ptr [esi] <===DL=44(是D的ASCII的16进制表示形式)
:004304B3 8A08
mov cl, byte ptr
[eax] <===CL=41(是A的ASCII的16进制表示形式)
:004304B5 885C2412
mov byte ptr [esp+12], bl
:004304B9
8A5D00 mov bl, byte
ptr [ebp+00] <===BL=4A(是J的ASCII的16进制表示形式)
:004304BC 885C2413
mov byte ptr [esp+13], bl
:004304C0
0FBE5C2412 movsx ebx, byte ptr
[esp+12] <===EBX=47,不变
:004304C5 0FBED2
movsx edx, dl
<===EDX=44
:004304C8 0FBEC9
movsx ecx, cl <===ECX=41
:004304CB
2BD3 sub
edx, ebx
:004304CD 03D1
add edx, ecx
<===EDX=EDX-EBX+ECX=3E
:004304CF 0FBE4C2413
movsx ecx, byte ptr [esp+13] <===ECX=4A
:004304D4
41 inc
ecx <===ECX=4B
:004304D5 3BD1
cmp edx, ecx
<===这里必须相等,这里EDX和ECX怎么相等,见分析
:004304D7 740B
je 004304E4 <===从这里跳走,才能正确注册
*** 这一小段的分析得出n4-n7+n1=n10+1(n1、n4分别对应注册码的位上的值)才能正确注册,现将假码改为ABCDEFAHICKL,重新来。
:004304D9
C644243404 mov [esp+34], 04
:004304DE
8D4C2418 lea ecx, dword
ptr [esp+18]
:004304E2 EB54
jmp 00430538 <===跳过去就OVER了
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004304D7(C)
|
<===假码改为ABCDEFAHICKL后,跳到这里,为说明问题,我们将其分为四段,每段三个字符
:004304E4
8A5701 mov dl, byte
ptr [edi+01]<===取第三段字符AHI的第二个字符(H)DL=48
:004304E7 8A5801
mov bl, byte ptr [eax+01]<===取第一段字符ABC的第二个字符(B)BL=42
:004304EA
8A4E01 mov cl, byte
ptr [esi+01]<===取第二段字符DEF的第二个字符(E)CL=45
:004304ED 0FBEDB
movsx ebx, bl <===EBX=42
:004304F0
0FBED2 movsx edx,
dl <===EDX=48
:004304F3 0FBEC9
movsx ecx, cl <===ECX=45
:004304F6 2BD3
sub edx, ebx
:004304F8
03D1 add
edx, ecx <===EDX=EDX-EBX+ECX
:004304FA 0FBE4D01
movsx ecx, byte ptr [ebp+01] <===取第四段字符CKL的第二个字符(K)CL=4B
:004304FE
41 inc
ecx <===ECX=ECX+1=4C
:004304FF 3BD1
cmp edx, ecx <===这里必须相等,这里EDX和ECX怎么相等,见分析
:00430501
740B je 0043050E
<===从这里跳走,才能正确注册
*** 这一小段的分析得出n8-n2+n5=n11+1(n2、n5分别对应注册码的位上的值)才能正确注册,现将假码改为ABCDBFAHICGL,重新来。
:00430503
C644243404 mov [esp+34], 04
:00430508
8D4C2418 lea ecx, dword
ptr [esp+18]
:0043050C EB2A
jmp 00430538 <===跳过去就OVER了
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430501(C)
|
:0043050E
8A4F02 mov cl, byte
ptr [edi+02]<===取第三段字符AHI的第三个字符(I)CL=49
:00430511 8A5602
mov dl, byte ptr [esi+02]<===取第二段字符DBF的第三个字符(F)DL=46
:00430514
8A4002 mov al, byte
ptr [eax+02]<===取第一段字符ABC的第三个字符(C)AL=43
:00430517 8A5D02
mov bl, byte ptr [ebp+02]<===取第四段字符CGL的第三个字符(L)BL=4C
:0043051A
0FBED2 movsx edx,
dl <===EDX=46
:0043051D 0FBEC9
movsx ecx, cl <===ECX=49
:00430520
2BCA sub
ecx, edx <===ECX=ECX-EDX=3
:00430522 C644243404
mov [esp+34], 04
:00430527 0FBED0
movsx edx, al <===EDX=43
:0043052A
0FBEC3 movsx eax,
bl <===EAX=4C
:0043052D 03CA
add ecx, edx <===ECX=ECX+EDX=46
:0043052F
48 dec
eax <===EAX=4C-1=4B
:00430530 3BC8
cmp ecx, eax <===这里必须相等,这里ECX和EAX怎么相等,见分析
:00430532
8D4C2418 lea ecx, dword
ptr [esp+18]
:00430536 7452
je 0043058A <===这里是个关键的跳转,跳了就成功注册了。
*** 这一小段的分析得出n9-n6+n3=n12-1(n3、n6分别对应注册码的位上的值)才能正确注册,现将假码改为ABCDBCAHICGJ,再点注册,呵呵,成功了
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004304E2(U),
:0043050C(U)
|
:00430538 E8970A0500
call 00480FD4
:0043053D 8D4C241C
lea ecx, dword ptr [esp+1C]
:00430541 C644243403
mov [esp+34], 03
:00430546 E8890A0500
call 00480FD4
:0043054B 8D4C2420
lea ecx, dword ptr [esp+20]
:0043054F
C644243402 mov [esp+34], 02
:00430554
E87B0A0500 call 00480FD4
:00430559
8D4C2424 lea ecx, dword
ptr [esp+24]
:0043055D C644243401
mov [esp+34], 01
:00430562 E86D0A0500
call 00480FD4
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004303AC(C),
:004303BD(C), :004303C5(C)
|
:00430567 8D4C2414
lea ecx, dword ptr [esp+14]
:0043056B C644243400
mov [esp+34], 00
:00430570
E85F0A0500 call 00480FD4
:00430575
8D4C243C lea ecx, dword
ptr [esp+3C]
:00430579 C7442434FFFFFFFF mov [esp+34],
FFFFFFFF
:00430581 E84E0A0500 call
00480FD4
:00430586 33C0
xor eax, eax <===EAX被清0,呵呵,就OVER了
:00430588
EB53 jmp
004305DD
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00430536(C)
|
:0043058A
E8450A0500 call 00480FD4
:0043058F
8D4C241C lea ecx, dword
ptr [esp+1C]
:00430593 C644243403
mov [esp+34], 03
:00430598 E8370A0500
call 00480FD4
:0043059D 8D4C2420
lea ecx, dword ptr [esp+20]
:004305A1 C644243402
mov [esp+34], 02
:004305A6 E8290A0500
call 00480FD4
:004305AB 8D4C2424
lea ecx, dword ptr [esp+24]
:004305AF
C644243401 mov [esp+34], 01
:004305B4
E81B0A0500 call 00480FD4
:004305B9
8D4C2414 lea ecx, dword
ptr [esp+14]
:004305BD C644243400
mov [esp+34], 00
:004305C2 E80D0A0500
call 00480FD4
:004305C7 8D4C243C
lea ecx, dword ptr [esp+3C]
:004305CB C7442434FFFFFFFF
mov [esp+34], FFFFFFFF
:004305D3 E8FC090500
call 00480FD4
:004305D8 B801000000
mov eax, 00000001 <===这里是个关键的赋值,经过这里才能正确注册,向上看
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430588(U)
|
:004305DD
8B4C242C mov ecx, dword
ptr [esp+2C]
:004305E1 5F
pop edi
:004305E2 5E
pop esi
:004305E3 5D
pop ebp
:004305E4
5B pop
ebx
:004305E5 64890D00000000 mov dword ptr
fs:[00000000], ecx
:004305EC 83C428
add esp, 00000028
:004305EF C20400
ret 0004
-----------------------------------------------------------------------
4、算法分析:---类型:对注册码进行数学运算检验---
a、将12位的注册码分成四段,每段三个字符。假设注册码为n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12
b、对上面注册码的要求n4-n7+n1=n10+1 n8-n2+n5=n11+1
n9-n6+n3=n12-1
c、只要上面三要求都满足,就成功注册了。
我找到的几个注册码ABCDBCAHICGJ
EEEEEEEEEDDF
5、注册信息保存在文件setup.ini中:
[Serial]
Uses=J
<===好象是使用次数
Serial=EEEEEEEEEDDF