IEPopupKiller V1.21
软件大小: 789
KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 浏览辅助
应用平台: Win9x/NT/2000/XP
界面预览:
加入时间: 2003-04-03 10:33:55
下载次数: 3297
推荐等级:
联
系 人: support_max@wingsofts.com
开 发 商: http://www.wingsofts.com/
软件介绍:
目前的网上广告查杀方式一般只有两种方式:一种是在IE打开页面之前查杀,
一种是在IE打开之后查杀。前者需要对下载页面文件进行解析,这极大的占用了系
统资源。相当于用户每打开一个页面,需要系统解析两次(IE和查杀软件)。而且
往往是禁止任何窗口弹出,这显然是不合理的。因为有很多站点要弹出一个BBS,这
应该属于有用窗口,而非广告窗口。而后者则也多是将全部弹出窗口关闭。而IEPopupKiller则采用一种智能化的查杀方式,在IE打开页面之后进行查杀,资源占用少,查杀速度快,判断准确。查杀弹出式广告,并保留有用页面,已得到众多用户的共识。是保护大家上网免受广告侵扰的强兵利器!
【作者声明】:本人只是对Crack感兴趣,没有其它目的。
【破解工具】:Ollydbg1.09 中文版、trw2000 v1.23
—————————————————————————————
【过
程】:
这个软件的断点还是不好下,在API中找了几个常用的下了不能被中断,再次用trw2000的
万能断点才能来到软件的领空.还是老办法,用trw2000找到注册码计算的入口后.用Ollydbg
跟踪.输入试验码:
7894561230123456 来到这里是计算的核心:
004308F0
PUSH -1
004308F2 PUSH IEPopupK.004B4C80
004308F7 MOV
EAX, DWORD PTR FS:[0]
004308FD PUSH EAX
004308FE
MOV DWORD PTR FS:[0], ESP
00430905 SUB ESP,
1C
00430908 PUSH EBX
00430909 PUSH EBP
0043090A
PUSH ESI
0043090B PUSH EDI
0043090C
LEA EAX, DWORD PTR SS:[ESP+3C]
00430910 LEA
ECX, DWORD PTR SS:[ESP+14]
00430914 PUSH EAX
00430915
MOV DWORD PTR SS:[ESP+38], 0
0043091D CALL
IEPopupK.00481055
00430922 MOV ESI, DWORD PTR SS:[ESP+14]
; ESI=01226E98,(ASCII "7894561230123456")
00430926
MOV EDX, DWORD PTR DS:[ESI-8] ; EDX=0C
00430929
CMP EDX, 0C
; EDX=0C 注册码的长度是12位
0043092C JNZ
IEPopupK.00430AE7 ;
试验码改为 789456123012
00430932 XOR ECX, ECX
00430934
TEST EDX, EDX
00430936 JLE SHORT IEPopupK.00430950
00430938
MOV AL, BYTE PTR DS:[ECX+ESI] \ AL=DS:[ECX+ESI]=37
('7')
0043093B CMP AL, 41
|
<--注册码的取值范围是5A<注册码>41 即是大写字母
0043093D
JL IEPopupK.00430AE7 |<--试验码再次改为
QWERTYUIOPAS
00430943 CMP AL, 5A
|
00430945 JG
IEPopupK.00430AE7 |
0043094B
INC ECX
|
0043094C CMP
ECX, EDX
|
0043094E JL SHORT IEPopupK.00430938
/
00430950 MOV EAX, DWORD PTR DS:[4DC440]
00430955
MOV DWORD PTR SS:[ESP+24], EAX
00430959 MOV
DWORD PTR SS:[ESP+20], EAX
0043095D MOV DWORD PTR
SS:[ESP+1C], EAX
00430961 MOV DWORD PTR SS:[ESP+18], EAX
00430965
LEA ECX, DWORD PTR SS:[ESP+28]
00430969 PUSH
3
0043096B MOV BL, 5
0043096D PUSH
ECX
0043096E LEA ECX, DWORD PTR SS:[ESP+1C]
00430972
MOV BYTE PTR SS:[ESP+3C], BL ; BL=5
00430976
CALL IEPopupK.004728FF
; <--取注册码的前三位
0043097B PUSH EAX
0043097C
LEA ECX, DWORD PTR SS:[ESP+28]
00430980 MOV
BYTE PTR SS:[ESP+38], 6
00430985 CALL IEPopupK.00481419
0043098A
LEA ECX, DWORD PTR SS:[ESP+28]
0043098E MOV
BYTE PTR SS:[ESP+34], BL ; BL=5
00430992
CALL IEPopupK.004812E0
00430997 PUSH 3
00430999
LEA EDX, DWORD PTR SS:[ESP+2C]
0043099D PUSH
3
0043099F PUSH EDX
004309A0 LEA
ECX, DWORD PTR SS:[ESP+20]
004309A4 CALL IEPopupK.004727ED
; <--取注册码的第二个三位"RTY"
004309A9
PUSH EAX
004309AA LEA ECX, DWORD PTR
SS:[ESP+24]
004309AE MOV BYTE PTR SS:[ESP+38], 7
004309B3
CALL IEPopupK.00481419
004309B8 LEA
ECX, DWORD PTR SS:[ESP+28]
004309BC MOV BYTE PTR SS:[ESP+34],
BL
004309C0 CALL IEPopupK.004812E0
004309C5 PUSH
3
004309C7 LEA EAX, DWORD PTR SS:[ESP+2C]
004309CB
PUSH 6
004309CD PUSH EAX
004309CE
LEA ECX, DWORD PTR SS:[ESP+20]
004309D2 CALL
IEPopupK.004727ED
004309D7 PUSH EAX
004309D8
LEA ECX, DWORD PTR SS:[ESP+20]
004309DC MOV
BYTE PTR SS:[ESP+38], 8
004309E1 CALL IEPopupK.00481419
004309E6
LEA ECX, DWORD PTR SS:[ESP+28]
004309EA MOV
BYTE PTR SS:[ESP+34], BL
004309EE CALL IEPopupK.004812E0
004309F3
LEA ECX, DWORD PTR SS:[ESP+28]
004309F7 PUSH
3
004309F9 PUSH ECX
004309FA LEA
ECX, DWORD PTR SS:[ESP+1C]
004309FE CALL IEPopupK.00472883
00430A03
PUSH EAX
00430A04 LEA ECX, DWORD PTR
SS:[ESP+1C]
00430A08 MOV BYTE PTR SS:[ESP+38], 9
00430A0D
CALL IEPopupK.00481419
00430A12 LEA
ECX, DWORD PTR SS:[ESP+28]
00430A16 MOV BYTE PTR SS:[ESP+34],
BL ; 同上,按三位一组取出
00430A1A CALL IEPopupK.004812E0
00430A1F
MOV EDI, DWORD PTR SS:[ESP+1C] ; EDI<--0134C658,(ASCII
"UIO")
00430A23 MOV EBP, DWORD PTR SS:[ESP+18]
; EBP<--0134C6A8,(ASCII "PAS")
00430A27
MOV ESI, DWORD PTR SS:[ESP+20] ; ESI<--01227668,(ASCII"RTY")
00430A2B
MOV EAX, DWORD PTR SS:[ESP+24] ; EAX<--0134C608,(ASCII"QWE")
00430A2F
MOV BL, BYTE PTR DS:[EDI] ;
BL=DS:[EDI]=55 ('U')
00430A31 MOV DL, BYTE PTR DS:[ESI]
; DL=DS:[ESI]=52 ('R')
00430A33
MOV CL, BYTE PTR DS:[EAX] ; CL=DS:[EAX]=51
('Q')
00430A35 MOV BYTE PTR SS:[ESP+12], BL
; BL=DS:[EDI]=55 ('U')==>SS:[12E732]
00430A39
MOV BL, BYTE PTR SS:[EBP] ;
BL=SS:[EBP]=50 ('P')
00430A3C MOV BYTE PTR SS:[ESP+13],
BL
; BL=SS:[EBP]=50 ('P')==>SS:[12E733]
00430A40
MOVSX EBX, BYTE PTR SS:[ESP+12] ; EBX<--SS:[12E732]=55
('U')
00430A45 MOVSX EDX, DL
; EDX=DL=52 ('R')
00430A48
MOVSX ECX, CL
; ECX=CL=51 ('Q')
00430A4B SUB
EDX, EBX
; EDX=52 ('R')-55 ('U')=FFFFFFFD
00430A4D
ADD EDX, ECX
; EDX==FFFFFFFD+51 ('Q')=4E
00430A4F
MOVSX ECX, BYTE PTR SS:[ESP+13] ; ECX<--SS:[12E733]=50
('P')
00430A54 INC ECX
; ECX+1=51
00430A55
CMP EDX, ECX
; EDX=51 EDX=4E
00430A57 JE
SHORT IEPopupK.00430A64
; <--第一个条件(hex值)--第4位-第7位+第1位-1=第10位.改第10位为4D ('M')继续.
00430A59
MOV BYTE PTR SS:[ESP+34], 4
00430A5E LEA
ECX, DWORD PTR SS:[ESP+18]
00430A62 JMP SHORT IEPopupK.00430AB8
00430A64
MOV DL, BYTE PTR DS:[EDI+1] ; DL=49
('I')
00430A67 MOV BL, BYTE PTR DS:[EAX+1]
; BL=57 ('W')
00430A6A MOV CL, BYTE PTR
DS:[ESI+1] ; CL=54 ('T')
00430A6D MOVSX
EBX, BL
; EBX=57 ('W')
00430A70 MOVSX EDX, DL
;
EDX=49 ('I')
00430A73 MOVSX ECX, CL
; ECX=54 ('T')
00430A76
SUB EDX, EBX
; EDX=49-57=FFFFFFF2
00430A78 ADD
EDX, ECX
; EDX=54+FFFFFFF2=46
00430A7A MOVSX ECX, BYTE
PTR SS:[EBP+1] ; ECX<--41 ('A')
00430A7E
INC ECX
; ECX=41 ('A')+1=42
00430A7F
CMP EDX, ECX
; EDX=46 ECX=42
00430A81 JE
SHORT IEPopupK.00430A8E
; <--第2个条件(hex值)--第8位-第2位+第5位-1=第11位.改第11位为45 ('E')继续.
00430A83
MOV BYTE PTR SS:[ESP+34], 4
00430A88 LEA
ECX, DWORD PTR SS:[ESP+18]
00430A8C JMP SHORT IEPopupK.00430AB8
00430A8E
MOV CL, BYTE PTR DS:[EDI+2] ; CL=4F
('O')
00430A91 MOV DL, BYTE PTR DS:[ESI+2]
; DL=59 ('Y')
00430A94 MOV AL, BYTE PTR
DS:[EAX+2] ; AL=45 ('E')
00430A97 MOV
BL, BYTE PTR SS:[EBP+2] ; BL=53 ('S')
00430A9A
MOVSX EDX, DL
; EDX=59 ('Y')
00430A9D MOVSX ECX,
CL ;
ECX=4F ('O')
00430AA0 SUB ECX, EDX
; ECX=4F-59=FFFFFFF6
00430AA2
MOV BYTE PTR SS:[ESP+34], 4
00430AA7 MOVSX
EDX, AL
; EDX=45 ('E')
00430AAA MOVSX EAX, BL
; EAX=53
('S')
00430AAD ADD ECX, EDX
; ECX=FFFFFFF6+45=3B
00430AAF
DEC EAX
; EAX=53-1
00430AB0
CMP ECX, EAX
; ECX=3B EAX=52
00430AB2 LEA
ECX, DWORD PTR SS:[ESP+18]
00430AB6 JE SHORT IEPopupK.00430B0A
;
<--第3个条件(hex值)--第9位-第6位+第3位+1=第12位.
/ 说明:由于ECX=3B+1=3C < 41 使得到的第12位不是大写字母,所以把第三位的hex值加大
所以第三位改为58
('X') 这样计算出来的第12位等于4F ('O')
; 注册吗改为 QWXRTYUIOMEO 继续
00430AB8
CALL IEPopupK.004812E0
00430ABD LEA ECX, DWORD PTR SS:[ESP+1C]
00430AC1
MOV BYTE PTR SS:[ESP+34], 3
00430AC6 CALL
IEPopupK.004812E0
00430ACB LEA ECX, DWORD PTR SS:[ESP+20]
00430ACF
MOV BYTE PTR SS:[ESP+34], 2
00430AD4 CALL
IEPopupK.004812E0
00430AD9 LEA ECX, DWORD PTR SS:[ESP+24]
00430ADD
MOV BYTE PTR SS:[ESP+34], 1
00430AE2 CALL
IEPopupK.004812E0
00430AE7 LEA ECX, DWORD PTR SS:[ESP+14]
00430AEB
MOV BYTE PTR SS:[ESP+34], 0
00430AF0 CALL
IEPopupK.004812E0
00430AF5 LEA ECX, DWORD PTR SS:[ESP+3C]
00430AF9
MOV DWORD PTR SS:[ESP+34], -1
00430B01 CALL
IEPopupK.004812E0
00430B06 XOR EAX, EAX
<---EAX清0 (赋注册失败的标志)
00430B08
JMP SHORT IEPopupK.00430B5D
00430B0A CALL
IEPopupK.004812E0
00430B0F LEA ECX, DWORD PTR SS:[ESP+1C]
00430B13
MOV BYTE PTR SS:[ESP+34], 3
00430B18 CALL
IEPopupK.004812E0
00430B1D LEA ECX, DWORD PTR SS:[ESP+20]
00430B21
MOV BYTE PTR SS:[ESP+34], 2
00430B26 CALL
IEPopupK.004812E0
00430B2B LEA ECX, DWORD PTR SS:[ESP+24]
00430B2F
MOV BYTE PTR SS:[ESP+34], 1
00430B34 CALL
IEPopupK.004812E0
00430B39 LEA ECX, DWORD PTR SS:[ESP+14]
00430B3D
MOV BYTE PTR SS:[ESP+34], 0
00430B42 CALL
IEPopupK.004812E0
00430B47 LEA ECX, DWORD PTR SS:[ESP+3C]
00430B4B
MOV DWORD PTR SS:[ESP+34], -1
00430B53 CALL
IEPopupK.004812E0
00430B58 MOV EAX, 1
<---EAX=1 (赋注册成功的标志)
00430B5D
MOV ECX, DWORD PTR SS:[ESP+2C]
00430B61 POP
EDI
00430B62 POP ESI
00430B63 POP
EBP
00430B64 POP EBX
00430B65 MOV
DWORD PTR FS:[0], ECX
00430B6C ADD ESP, 28
00430B6F
RETN 4
======================================================
到这里注册码的算法跟踪结束,现在总结一下:
注册码的首要条件:
1.长度是12位
2.必须是大写字母
注册码的计算方法:(hex值)
1.第4位-第7位+第1位-1=第10位
2.第8位-第2位+第5位-1=第11位
3.第9位-第6位+第3位+1=第12位
by fxyang[OCN]
2003.4.16