软件名称: 来电宝
最新版本: 1.2A
--------------------------------------------------------------------------------
(1)破 解:mwd[DFCG]
(2)目 的:找出算法,追出注册码。
(3)练习程序:来电宝 1.2A
(4)下 载:http://5235.cn/web/huui/Data/LaiDianBao.exe
(5)工 具:Ollydbg,PW32Dasm.
(6)开 始:用PW32Dasm载入程序找到相关信息,再用OllyDbg载入程序,过程如下:
********************************************************************************
:00401F90 E86F570100   Call 00417704 ----------------断点
:00401F95 8D55F0       lea edx, dword ptr [ebp-10] ----将[ebp-10]的地址送EDX
:00401F98 FF32         push dword ptr [edx] --------用户名 _l?Pc<SlKtKlS<cP?l_T 入栈
:00401F9A FF75B0       push [ebp-50]
:00401F9D E83E0D0000   call 00402CE0 --------关键CALL(注册码算法),进入分析
:00401FA2 83C40C       add esp, 0000000C -----------ESP=ESP+0C
:00401FA5 FF4DD8       dec [ebp-28] ------------------减1
:00401FA8 8D45F0       lea eax, dword ptr [ebp-10]
:00401FAB BA02000000   mov edx, 00000002 -------------置EDX为2
:00401FB0 E8B7150000   call 0040356C
:00401FB5 8D55F8       lea edx, dword ptr [ebp-08]
:00401FB8 8D45FC       lea eax, dword ptr [ebp-04]
:00401FBB E8F0150000   call 004035B0
:00401FC0 85C0         test eax, eax ---------------测试EAX是否为0
:00401FC2 7576         jne 0040203A ----------EAX非0则跳,不能跳,~!!!
:00401FC4 FF75FC       push [ebp-04]   改7576为7476即可爆破~!!
:00401FC7 FF75B0       push [ebp-50]
:00401FCA E8E10D0000   call 00402DB0
:00401FCF 83C408       add esp, 00000008
:00401FD2 66C745CC4400 mov [ebp-34], 0044
* Possible StringData Ref from Data Obj ->"注册成功! 感谢您使用长联科技产品."
|
:00401FD8 BA8EA34100   mov edx, 0041A38E
:00401FDD 8D45EC       lea eax, dword ptr [ebp-14]
:00401FE0 E8B7140000   call 0040349C
:00401FE5 FF45D8       inc [ebp-28]
:00401FE8 8D55EC       lea edx, dword ptr [ebp-14]
:00401FEB 8B45B8       mov eax, dword ptr [ebp-48]
:00401FEE 050C030000   add eax, 0000030C
:00401FF3 E8A4150000   call 0040359C
:00401FF8 FF4DD8       dec [ebp-28]
:00401FFB 8D45EC       lea eax, dword ptr [ebp-14]
:00401FFE BA02000000   mov edx, 00000002
:00402003 E864150000   call 0040356C
:00402008 6A40         push 00000040
* Possible StringData Ref from Data Obj ->"来电宝"
|
:0040200A 68B0A34100   push 0041A3B0
:0040200F 8B45B8       mov eax, dword ptr [ebp-48]
:00402012 050C030000   add eax, 0000030C
:00402017 E8ECF7FFFF   call 00401808
:0040201C 50           push eax
:0040201D 8B45B8       mov eax, dword ptr [ebp-48]
* Reference To: VCL50.Controls::TWinControl::GetHandle(void()), Ord:0000h
|
:00402020 E88B560100   Call 004176B0
:00402025 50           push eax
:00402026 E8EF570100   call 0041781A
:0040202B 6A01         push 00000001
:0040202D FF75B8       push [ebp-48]
:00402030 E837F8FFFF   call 0040186C
:00402035 83C408       add esp, 00000008
:00402038 EB59         jmp 00402093
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401FC2(C)
|
:0040203A 66C745CC5000 mov [ebp-34], 0050
* Possible StringData Ref from Data Obj ->"您的注册码有误! 注册失败."
|
********************************************************************************
算法CALL:
00401F9D  E83E0D0000       call 00402CE0
00402CE0  /$  55              PUSH EBP
00402CE1  |.  8BEC            MOV EBP,ESP
00402CE3  |.  83C4 CC         ADD ESP,-34
00402CE6  |.  B8 90AD4100     MOV EAX,LaiDianB.0041AD90
00402CEB  |.  E8 FC060000     CALL LaiDianB.004033EC
00402CF0  |.  C745 F4 010000> MOV DWORD PTR SS:[EBP-C],1
00402CF7  |.  8D55 0C         LEA EDX,DWORD PTR SS:[EBP+C]
00402CFA  |.  8D45 0C         LEA EAX,DWORD PTR SS:[EBP+C]
00402CFD  |.  E8 D2070000     CALL LaiDianB.004034D4
00402D02  |.  FF45 F4         INC DWORD PTR SS:[EBP-C]
00402D05  |.  66:C745 E8 080> MOV WORD PTR SS:[EBP-18],8
00402D0B  |.  66:C745 E8 140> MOV WORD PTR SS:[EBP-18],14
00402D11  |.  BA 67AC4100     MOV EDX,LaiDianB.0041AC67 ----- EDX=字符串"ABCDEFGHIGKLMNOPQRST"
00402D16  |.  8D45 FC         LEA EAX,DWORD PTR SS:[EBP-4]
00402D19  |.  E8 7E070000     CALL LaiDianB.0040349C
00402D1E  |.  FF45 F4         INC DWORD PTR SS:[EBP-C]
00402D21  |.  8D55 FC         LEA EDX,DWORD PTR SS:[EBP-4]
00402D24  |.  8B45 10         MOV EAX,DWORD PTR SS:[EBP+10]
00402D27  |.  E8 70080000     CALL LaiDianB.0040359C
00402D2C  |.  FF4D F4         DEC DWORD PTR SS:[EBP-C]
00402D2F  |.  8D45 FC         LEA EAX,DWORD PTR SS:[EBP-4]
00402D32  |.  BA 02000000     MOV EDX,2
00402D37  |.  E8 30080000     CALL LaiDianB.0040356C
00402D3C  |.  8D45 0C         LEA EAX,DWORD PTR SS:[EBP+C]
00402D3F  |.  E8 C4EAFFFF     CALL LaiDianB.00401808
00402D44  |.  8945 D4         MOV DWORD PTR SS:[EBP-2C],EAX ----用户名(_l?Pc<SlKtKlS<cP?l_T)送入[EBP-2C]
00402D47  |.  66:C745 E8 080> MOV WORD PTR SS:[EBP-18],8
00402D4D  |.  8B45 10         MOV EAX,DWORD PTR SS:[EBP+10]
00402D50  |.  E8 B3EAFFFF     CALL LaiDianB.00401808
00402D55  |.  8945 D0         MOV DWORD PTR SS:[EBP-30],EAX ----取字符串"ABCDEFGHIGKLMNOPQRST"
00402D58  |.  33D2            XOR EDX,EDX --------------------EDX清0
00402D5A  |.  8955 CC         MOV DWORD PTR SS:[EBP-34],EDX ----计数器[EBP-34]置0
00402D5D  |.  EB 24           JMP SHORT LaiDianB.00402D83 --------跳到循环条件判断~!
00402D5F  |>  8B4D CC         /MOV ECX,DWORD PTR SS:[EBP-34] ----ECX=计数器(当前字符序号)
00402D62  |.  8B45 D4         |MOV EAX,DWORD PTR SS:[EBP-2C] ---用户名(_l?Pc<SlKtKlS<cP?l_T)送入EAX
00402D65  |.  0FBE0408        |MOVSX EAX,BYTE PTR DS:[EAX+ECX] --依次取用户名的字符:_l?Pc<SlKtKlS<cP?l_T
00402D69  |.  F76D CC         |IMUL DWORD PTR SS:[EBP-34] --------当前字符乘以计数器[EBP-34]
00402D6C  |.  B9 21000000     |MOV ECX,21 -------------------------取21
00402D71  |.  99              |CDQ ----------------------------把EAX的符号位扩展到EDX(为IDIV准备EDX:EAX)
00402D72  |.  F7F9            |IDIV ECX --------------------------除以21,余数留在EDX
00402D74  |.  80C2 3C         |ADD DL,3C --------------------------余数低字节加3C
第1位:DL=DL(0)+3C=3C(<)
第11位:DL=DL(18)+3C=54(T)
第2位:DL=DL(9)+3C=45(E)
第12位:DL=DL(0)+3C=3C(<)
第3位:DL=DL(1B)+3C=57(W)
第13位:DL=DL(6)+3C=42(B)
第4位:DL=DL(9)+3C=45(E)
第14位:DL=DL(15)+3C=51(Q)
第5位:DL=DL(0)+3C=3C(<)
第15位:DL=DL(0)+3C=3C(<)
第6位:DL=DL(3)+3C=3F(?)
第16位:DL=DL(0C)+3C=48(H)
第7位:DL=DL(3)+3C=3F(?)
第17位:DL=DL(12)+3C=4E(N)
第8位:DL=DL(1E)+3C=5A(Z)
第18位:DL=DL(15)+3C=51(Q)
第9位:DL=DL(6)+3C=42(B)
第19位:DL=DL(1B)+3C=57(W)
第10位:DL=DL(15)+3C=51(Q)
第20位:DL=DL(0C)+3C=48(H)
00402D77  |.  8B45 D0         |MOV EAX,DWORD PTR SS:[EBP-30] ----字符串"ABCDEFGHIGKLMNOPQRST"送EAX
00402D7A  |.  8B4D CC         |MOV ECX,DWORD PTR SS:[EBP-34] ----ECX=计数器
00402D7D  |.  881408          |MOV BYTE PTR DS:[EAX+ECX],DL ----将DL对应的字符依次写入"ABCDEFGHIGKLMNOPQRST"的第ECX位
替换以后的字符串就是注册码~!!!!
00402D80  |.  FF45 CC         |INC DWORD PTR SS:[EBP-34] ----计数器加1
00402D83  |>  8D45 0C         LEA EAX,DWORD PTR SS:[EBP+C] -----[EBP+C]的地址送入EAX
00402D86  |.  E8 31FFFFFF     |CALL LaiDianB.00402CBC
00402D8B  |.  3B45 CC         |CMP EAX,DWORD PTR SS:[EBP-34] ---把返回的字符串位数与计数器[EBP-34]比较
00402D8E  |.^ 7F CF           \JG SHORT LaiDianB.00402D5F -----位数大于计数器则向上循环
00402D90  |.  FF4D F4         DEC DWORD PTR SS:[EBP-C]
00402D93  |.  8D45 0C         LEA EAX,DWORD PTR SS:[EBP+C]