算法浅探——Internet Download Accelerator V1.5.1.463
下载页面: http://www.skycn.com/soft/11016.html
软件大小: 1320 KB
软件语言:
英文
软件类别: 国外软件 / 共享版 / 下载工具
应用平台: Win9x/NT/2000/XP
加入时间:
2003-04-25 17:34:54
下载次数: 2900
推荐等级: ****
开 发 商: http://www.one.com.ua/
【软件简介】:Internet Download Accelerator(IDA),支持HTTP及FTP的通讯协议、动态多线程下载、断线续传、排程下载、完成后自动关机、下载完成后写入纪录文件、剪贴簿监控、IE功能整合等等,功能可以跟FlashGet相比。
【软件限制】:30天试用
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、PEiD、Guw32、W32Dasm 9.0白金版
—————————————————————————— ———————
【过程】:
这几天碰到的都是麻烦的东东,哎,我该休息休息了。 ^O^
^O^
不清楚这个程序是否会私下去连网校验,有朋友做的话麻烦验证一下。
ida.exe 是UPX 1.23壳,用Guw32脱之。590K->1.75M。Delphi 编写。
Name :
fly01 (至少5位)
E-mail:fly@263.net
(至少5位)
试炼码:1234567890ABCDEF (需 16位 )
————————————————————————————————
—
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5855(C)
|
:004D5850
6A00 push
00000000
:004D5852 6A00
push 00000000
:004D5854 49
dec ecx
:004D5855 75F9
jne 004D5850
:004D5857
51 push
ecx
:004D5858 53
push ebx
:004D5859 56
push esi
:004D585A 57
push edi
:004D585B 8BD8
mov ebx,
eax
:004D585D 33C0
xor eax, eax
:004D585F 55
push ebp
:004D5860 68175C4D00
push 004D5C17
:004D5865 64FF30
push dword ptr fs:[eax]
:004D5868
648920 mov dword
ptr fs:[eax], esp
:004D586B 8D55F8
lea edx, dword ptr [ebp-08]
:004D586E 8B8318030000
mov eax, dword ptr [ebx+00000318]
:004D5874
E82F16F7FF call 00446EA8
:004D5879
8B55F8 mov edx,
dword ptr [ebp-08]
====>EDX=fly@263.net
E-Mail
:004D587C B88C665200
mov eax, 0052668C
:004D5881
E8AEF1F2FF call 00404A34
:004D5886
8D55F4 lea edx,
dword ptr [ebp-0C]
:004D5889 8B831C030000
mov eax, dword ptr [ebx+0000031C]
:004D588F E81416F7FF
call 00446EA8
:004D5894 8B55F4
mov edx, dword ptr [ebp-0C]
====>EDX=fly01
用户名
:004D5897 B890665200
mov eax, 00526690
:004D589C E893F1F2FF
call 00404A34
:004D58A1 8D55F0
lea edx, dword ptr
[ebp-10]
:004D58A4 8B8320030000 mov
eax, dword ptr [ebx+00000320]
:004D58AA E8F915F7FF
call 00446EA8
:004D58AF 8B55F0
mov edx, dword ptr [ebp-10]
====>EDX=1234567890ABCDEF 试炼码
:004D58B2 B894665200 mov eax, 00526694
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5840(C)
|
:004D58B7
E878F1F2FF call 00404A34
:004D58BC
6A00 push
00000000
:004D58BE 8B0D90665200 mov
ecx, dword ptr [00526690]
:004D58C4 8B158C665200
mov edx, dword ptr [0052668C]
:004D58CA 8BC3
mov eax, ebx
:004D58CC E8EF060000
call 004D5FC0
====>关键CALL!检测你输入的信息是否符合要求!
:004D58D1
8BF0 mov
esi, eax
:004D58D3 85F6
test esi, esi
:004D58D5 7568
jne 004D593F
====>跳则OVER!
:004D58D7 A194665200
mov eax, dword ptr [00526694]
====>EAX=1234567890ABCDEF 试炼码
:004D58DC
E8B7F3F2FF call 00404C98
====>取 试炼码 长度
:004D58E1
83F810 cmp eax,
00000010
====> 注册码是否16位?
:004D58E4
7405 je 004D58EB
:004D58E6
BE4D010000 mov esi, 0000014D
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D58E4(C)
|
:004D58EB
8D55EC lea edx,
dword ptr [ebp-14]
:004D58EE A194665200
mov eax, dword ptr [00526694]
:004D58F3 E83837F3FF
call 00409030
:004D58F8 8B45EC
mov eax, dword ptr [ebp-14]
:004D58FB
E898F3F2FF call 00404C98
:004D5900
8BF8 mov
edi, eax
:004D5902 A194665200 mov
eax, dword ptr [00526694]
:004D5907 E88CF3F2FF
call 00404C98
:004D590C 3BF8
cmp edi, eax
:004D590E 7405
je 004D5915
:004D5910
BE4B010000 mov esi, 0000014B
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D590E(C)
|
:004D5915
8D55E8 lea edx,
dword ptr [ebp-18]
:004D5918 A194665200
mov eax, dword ptr [00526694]
:004D591D E84237F3FF
call 00409064
:004D5922 8B45E8
mov eax, dword ptr [ebp-18]
:004D5925
E86EF3F2FF call 00404C98
:004D592A
8BF8 mov
edi, eax
:004D592C A194665200 mov
eax, dword ptr [00526694]
:004D5931 E862F3F2FF
call 00404C98
:004D5936 3BF8
cmp edi, eax
:004D5938 7405
je 004D593F
:004D593A
BE4C010000 mov esi, 0000014C
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004D58D5(C),
:004D5938(C)
|
:004D593F 85F6
test esi, esi
:004D5941 747F
je 004D59C2
:004D5943 6A00
push 00000000
:004D5945
8D45E4 lea eax,
dword ptr [ebp-1C]
:004D5948 50
push eax
:004D5949 8D45E0
lea eax, dword ptr [ebp-20]
:004D594C 50
push
eax
:004D594D A1E42F5200 mov
eax, dword ptr [00522FE4]
:004D5952 8B00
mov eax, dword ptr [eax]
:004D5954 8B80A0070000
mov eax, dword ptr [eax+000007A0]
*
Possible StringData Ref from Code Obj ->"30820"
|
:004D595A B9305C4D00
mov ecx, 004D5C30
:004D595F B208
mov dl, 08
:004D5961 E8C6B1FDFF
call 004B0B2C
:004D5966 8B45E0
mov eax, dword ptr [ebp-20]
:004D5969
50 push
eax
:004D596A 8D55DC
lea edx, dword ptr [ebp-24]
:004D596D 8BC6
mov eax, esi
:004D596F E8F038F3FF
call 00409264
:004D5974 8B55DC
mov edx, dword ptr
[ebp-24]
:004D5977 33C9
xor ecx, ecx
:004D5979 58
pop eax
:004D597A E865B5F9FF
call 00470EE4
:004D597F 8B45E4
mov eax, dword ptr [ebp-1C]
:004D5982
50 push
eax
:004D5983 6A1E
push 0000001E
:004D5985 68405C4D00
push 004D5C40
:004D598A 68405C4D00
push 004D5C40
:004D598F 8D45D8
lea eax, dword ptr [ebp-28]
:004D5992
50 push
eax
:004D5993 A1E42F5200 mov
eax, dword ptr [00522FE4]
:004D5998 8B00
mov eax, dword ptr [eax]
:004D599A 8B80A0070000
mov eax, dword ptr [eax+000007A0]
*
Possible StringData Ref from Code Obj ->"13053"
|
:004D59A0 B94C5C4D00
mov ecx, 004D5C4C
:004D59A5 B203
mov dl, 03
:004D59A7 E880B1FDFF
call 004B0B2C
:004D59AC 8B4DD8
mov ecx, dword ptr [ebp-28]
:004D59AF
A1E42F5200 mov eax, dword ptr
[00522FE4]
:004D59B4 8B00
mov eax, dword ptr [eax]
:004D59B6 B201
mov dl, 01
:004D59B8 E887E40300
call 00513E44
====>BAD BOY!
:004D59BD E925020000 jmp 004D5BE7
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5941(C)
|
:004D59C2
8B8340030000 mov eax, dword ptr [ebx+00000340]
:004D59C8
50 push
eax
:004D59C9 8D45FC
lea eax, dword ptr [ebp-04]
:004D59CC 50
push eax
:004D59CD 8B0D94665200
mov ecx, dword ptr [00526694]
:004D59D3
8B1590665200 mov edx, dword ptr [00526690]
:004D59D9
A18C665200 mov eax, dword ptr
[0052668C]
:004D59DE E889F6FFFF call
004D506C
====>关键CALL!进入!
:004D59E3
8B45FC mov eax,
dword ptr [ebp-04]
:004D59E6 E8ADF2F2FF
call 00404C98
:004D59EB 85C0
test eax, eax
:004D59ED 0F8E84010000
jle 004D5B77
====>跳则OVER!
:004D59F3 8B0D8C665200 mov ecx, dword ptr [0052668C]
*
Possible StringData Ref from Code Obj ->"Email"
|
:004D59F9 BA5C5C4D00
mov edx, 004D5C5C
:004D59FE 8B8334030000
mov eax, dword ptr [ebx+00000334]
:004D5A04 E8BBA2F9FF
call 0046FCC4
:004D5A09 8B0D90665200
mov ecx, dword ptr [00526690]
*
Possible StringData Ref from Code Obj ->"Name"
|
:004D5A0F BA6C5C4D00
mov edx, 004D5C6C
:004D5A14 8B8334030000
mov eax, dword ptr [ebx+00000334]
:004D5A1A E8A5A2F9FF
call 0046FCC4
:004D5A1F A1A42F5200
mov eax, dword ptr [00522FA4]
:004D5A24
8B1594665200 mov edx, dword ptr [00526694]
:004D5A2A
E805F0F2FF call 00404A34
:004D5A2F
B87D010000 mov eax, 0000017D
:004D5A34
E8AFA7F9FF call 004701E8
:004D5A39
A194665200 mov eax, dword ptr
[00526694]
:004D5A3E E855F2F2FF call
00404C98
:004D5A43 8BF8
mov edi, eax
:004D5A45 85FF
test edi, edi
:004D5A47 7E3C
jle 004D5A85
:004D5A49
BE01000000 mov esi, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5A83(C)
====>把注册信息再经过变化处理后保存!
:004D5A4E A194665200
mov eax, dword ptr [00526694]
:004D5A53
8A4430FF mov al, byte ptr
[eax+esi-01]
:004D5A57 E8A8ABFDFF
call 004B0604
:004D5A5C 50
push eax
:004D5A5D B83F000000
mov eax, 0000003F
:004D5A62 E859A7F9FF
call 004701C0
:004D5A67 8BD0
mov edx, eax
:004D5A69
58 pop
eax
:004D5A6A 32C2
xor al, dl
:004D5A6C E887ABFDFF
call 004B05F8
:004D5A71 50
push eax
:004D5A72 B894665200
mov eax, 00526694
:004D5A77 E86CF4F2FF
call 00404EE8
:004D5A7C 5A
pop
edx
:004D5A7D 885430FF mov
byte ptr [eax+esi-01], dl
:004D5A81 46
inc esi
:004D5A82 4F
dec edi
:004D5A83 75C9
jne 004D5A4E
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5A47(C)
|
:004D5A85
8B0D94665200 mov ecx, dword ptr [00526694]
*
Possible StringData Ref from Code Obj ->"REGKEY"
====>保存注册信息!
:004D5A8B BA7C5C4D00
mov edx, 004D5C7C
:004D5A90
8B8334030000 mov eax, dword ptr [ebx+00000334]
:004D5A96
E829A2F9FF call 0046FCC4
:004D5A9B
8B8334030000 mov eax, dword ptr [ebx+00000334]
:004D5AA1
E88292F9FF call 0046ED28
:004D5AA6
8B45FC mov eax,
dword ptr [ebp-04]
* Possible StringData Ref from
Code Obj ->"RUSREG"
|
:004D5AA9
BA8C5C4D00 mov edx, 004D5C8C
:004D5AAE
E829F3F2FF call 00404DDC
:004D5AB3
752C jne
004D5AE1
:004D5AB5 B99C5C4D00 mov
ecx, 004D5C9C
* Possible StringData Ref from Code
Obj ->"2VGFUR"
|
:004D5ABA
BAA85C4D00 mov edx, 004D5CA8
:004D5ABF
8B8334030000 mov eax, dword ptr [ebx+00000334]
:004D5AC5
E8FAA1F9FF call 0046FCC4
:004D5ACA
6A00 push
00000000
:004D5ACC 668B0DB05C4D00 mov cx,
word ptr [004D5CB0]
:004D5AD3 B202
mov dl, 02
* Possible
StringData Ref from Code Obj ->"严姥攘?抢 信萌岩欣秩? 义镥瘘 "
->"怦?趔黻鲨铐嚯 ?怵屐屙睇?"
====>晕,乱码!(看起来是俄文字符串在中文代码页下显示的结果,未确认)如果最后的结果是23会到这儿!
:004D5AD5 B8BC5C4D00
mov eax, 004D5CBC
:004D5ADA E8E9A2F6FF
call 0043FDC8
:004D5ADF EB7F
jmp 004D5B60
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5AB3(C)
…… …… 省 略 …… ……
:004D5B5B
E8E4E20300 call 00513E44
====>呵呵,胜利女神!
…… …… 省 略 …… ……
:004D5BE2 E85DE20300
call 00513E44
====>BAD BOY!
—— ———————————————————————————————
进入关键CALL:4D59DE call 004D506C
* Referenced
by a CALL at Addresses:
|:004D59DE , :004D9CF4 , :00510186
|
:004D506C 55
push ebp
:004D506D 8BEC
mov ebp, esp
:004D506F 83C4DC
add esp, FFFFFFDC
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5001(C)
|
:004D5072
53 push
ebx
:004D5073 56
push esi
:004D5074 57
push edi
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004D4FFF(C)
|
:004D5075
33DB xor
ebx, ebx
:004D5077 895DDC
mov dword ptr [ebp-24], ebx
:004D507A 894DF4
mov dword ptr [ebp-0C], ecx
:004D507D
8955F8 mov dword
ptr [ebp-08], edx
:004D5080 8945FC
mov dword ptr [ebp-04], eax
:004D5083 8B45FC
mov eax, dword ptr [ebp-04]
:004D5086
E8F5FDF2FF call 00404E80
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5015(C)
|
:004D508B
8B45F8 mov eax,
dword ptr [ebp-08]
:004D508E E8EDFDF2FF
call 00404E80
:004D5093 8B45F4
mov eax, dword ptr [ebp-0C]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5027(C)
|
:004D5096
E8E5FDF2FF call 00404E80
:004D509B
8B450C mov eax,
dword ptr [ebp+0C]
:004D509E E8DDFDF2FF
call 00404E80
:004D50A3 33C0
xor eax, eax
:004D50A5 55
push ebp
:004D50A6 6851534D00
push 004D5351
:004D50AB 64FF30
push dword ptr fs:[eax]
:004D50AE
648920 mov dword
ptr fs:[eax], esp
:004D50B1 8B45F4
mov eax, dword ptr [ebp-0C]
====>EAX=1234567890ABCDEF 试炼码
:004D50B4
E8DFFBF2FF call 00404C98
====>取 试炼码 长度 EAX=10
:004D50B9
83F810 cmp eax,
00000010
====>注册码是否16位?
:004D50BC
0F855C020000 jne 004D531E
====>跳则OVER!
:004D50C2
8B45F8 mov eax,
dword ptr [ebp-08]
====>EAX=fly01
用户名
:004D50C5
E8CEFBF2FF call 00404C98
====>取 用户名 长度 EAX=5
:004D50CA
83F805 cmp eax,
00000005
====> 用户名不能少于5位
:004D50CD
0F8C4B020000 jl 004D531E
====>跳则OVER!
:004D50D3 8B45FC
mov eax, dword ptr
[ebp-04]
====>EAX=fly@263.net
E-Mail
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004D5067(C)
|
:004D50D6 E8BDFBF2FF
call 00404C98
====>取 E-Mail 长度 EAX=B
:004D50DB
83F805 cmp eax,
00000005
====>E-Mail不能少于5位
:004D50DE
0F8C3A020000 jl 004D531E
====>跳则OVER!
:004D50E4 33FF
xor edi,
edi
:004D50E6 33C0
xor eax, eax
:004D50E8 8945E8
mov dword ptr [ebp-18], eax
:004D50EB 8B45F8
mov eax, dword ptr [ebp-08]
====>EAX=fly01
用户名
:004D50EE E8A5FBF2FF
call 00404C98
====>取 用户名 长度 EAX=5
:004D50F3
8B55F8 mov edx,
dword ptr [ebp-08]
:004D50F6 8A4402FF
mov al, byte ptr [edx+eax-01]
====>取
用户名 末位字符的HEX值
:004D50FA E805B5FDFF
call 004B0604
====>关键CALL!取字 符在表中的位置!
:004D50FF 33DB
xor ebx, ebx
:004D5101
8AD8 mov
bl, al
====>BL=01
:004D5103
8B45F8 mov eax,
dword ptr [ebp-08]
====>EAX=fly01
用户名
:004D5106
8A00 mov
al, byte ptr [eax]
====>取 用户名 首位字符的HEX值
:004D5108
E8F7B4FDFF call 004B0604
====>取字符在表中的 位置!
:004D510D
25FF000000 and eax, 000000FF
====>EAX=29
:004D5112
0FAFD8 imul ebx,
eax
====>EBX=01 * 29=29
:004D5115
895DF0 mov dword
ptr [ebp-10], ebx
====>[ebp-10]=EBX=29
:004D5118
8B45F8 mov eax,
dword ptr [ebp-08]
:004D511B E878FBF2FF
call 00404C98
:004D5120 8BF0
mov esi, eax
:004D5122 85F6
test esi, esi
:004D5124
7E21 jle
004D5147
:004D5126 BB01000000 mov
ebx, 00000001
* Referenced by a (U)nconditional or
(C)onditional Jump at Address:
|:004D5145(C)
|
:004D512B 8B45F8
mov eax, dword ptr [ebp-08]
====>EAX=fly01
用户名
:004D512E 8A4418FF
mov al, byte ptr [eax+ebx-01]
====>依次正序取 用户名 字符的HEX 值
:004D5132
E8CDB4FDFF call 004B0604
====>关键CALL!取字符在表中的位置!
:004D5137
25FF000000 and eax, 000000FF
1、 ====>EAX=29
2、 ====>EAX=2F
3、 ====>EAX=3C
4、 ====>EAX=00
5、 ====>EAX=01
:004D513C F76DF0
imul [ebp-10]
1、 ====>EAX=29 * 29=00000691
2、 ====>EAX=2F
* 29=00000787
3、 ====>EAX=3C * 29=0000099C
4、 ====>EAX=00 * 29=00000000
5、 ====>EAX=01
* 29=00000029
:004D513F 03F8
add edi, eax
1、
====>EDI=00000000 + 00000691=00000691
2、
====>EDI=00000692 + 00000787=00000E19
3、 ====>EDI=00000E1B
+ 0000099C=000017B7
4、 ====>EDI=000017BA + 00000000=000017BA
5、 ====>EDI=000017BE + 00000029=000017E7
:004D5141
03FB add
edi, ebx
1、 ====>EDI=00000691 + 1=00000692
2、 ====>EDI=00000E19 + 2=00000E1B
3、 ====>EDI=000017B7
+ 3=000017BA
4、 ====>EDI=000017BA + 4=000017BE
5、 ====>EDI=000017E7 + 5=000017EC
:004D5143
43 inc
ebx
====>EBX 增1
:004D5144
4E dec
esi
:004D5145 75E4
jne 004D512B
====>循环用户名位数次
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5124(C)
|
:004D5147
8D45DC lea eax,
dword ptr [ebp-24]
* Possible StringData Ref from
Code Obj ->"rusreg"
|
:004D514A
B96C534D00 mov ecx, 004D536C
====>ECX=rusreg
:004D514F
8B55F8 mov edx,
dword ptr [ebp-08]
====>EDX=fly01
用户名
:004D5152
E88DFBF2FF call 00404CE4
====>将 用户名 和 rusreg连接起来
:004D5157
8B45DC mov eax,
dword ptr [ebp-24]
====>EAX=fly01rusreg
:004D515A E839FBF2FF
call 00404C98
====>取
fly01rusreg 长度
:004D515F 8BF0
mov esi, eax
====>ESI=EAX=B
:004D5161 85F6
test esi,
esi
:004D5163 7E25
jle 004D518A
:004D5165 BB01000000
mov ebx, 00000001
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004D5188(C)
====>和上面的运算流程一样,因此只记了结果。
:004D516A 8B45DC
mov eax, dword ptr [ebp-24]
====>EAX=fly01rusreg
:004D516D
8A4418FF mov al, byte ptr
[eax+ebx-01]
====>依次正序取fly01rusreg字符的HEX值
:004D5171
E88EB4FDFF call 004B0604
====>关键CALL!取字 符在表中的位置!
:004D5176
25FF000000 and eax, 000000FF
:004D517B
F76DF0 imul [ebp-10]
:004D517E
0345E8 add eax,
dword ptr [ebp-18]
:004D5181 03C3
add eax, ebx
:004D5183 8945E8
mov dword ptr [ebp-18], eax
====>最后结果=[ebp-18]=000047D9
:004D5186
43 inc
ebx
:004D5187 4E
dec esi
:004D5188 75E0
jne 004D516A
====>循环11次
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5163(C)
|
:004D518A
8B450C mov eax,
dword ptr [ebp+0C]
====>EAX=Internet
Download Accelerator
☆☆ ☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆ ☆☆☆
这个参数是固定的:
0174F9C8
49 6E 74 65 72 6E 65 74 20 44 6F 77 6E 6C 6F 61 Internet Downloa
0174F9D8
64 20 41 63 63 65 6C 65 72 61 74 6F 72
d Accelerator
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆ ☆☆☆☆☆☆☆☆☆☆☆☆☆
:004D518D
E806FBF2FF call 00404C98
====>取Internet Download Accelerator长度
:004D5192
8BF0 mov
esi, eax
====>ESI=1D
:004D5194
85F6 test
esi, esi
:004D5196 7E3D
jle 004D51D5
:004D5198 BB01000000
mov ebx, 00000001
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004D51D3(C)
|
:004D519D
8B450C mov eax,
dword ptr [ebp+0C]
:004D51A0 8A4418FF
mov al, byte ptr [eax+ebx-01]
====>依次正序取Internet
Download Accelerator
:004D51A4 E85BB4FDFF
call 004B0604
====>取字符在表中的位置!
:004D51A9 25FF000000
and eax, 000000FF
1、
====>EAX=12
…… …… 省 略 …… ……
29、
====>EAX=35
:004D51AE F76DF0
imul [ebp-10]
1、
====>EAX=12 * 29=000002E2
…… …… 省 略 …… ……
29、
====>EAX=35 * 29=0000087D
:004D51B1 03F8
add edi,
eax
====>EDI=000017EC 是上面对fly01运算的结果
1、 ====>EDI=000017EC + 000002E2=00001ACE
……
…… 省 略 …… ……
29、 ====>EDI=0000CAF6 + 0000087D=0000D373
:004D51B3
03FB add
edi, ebx
1、 ====>EDI=00001ACE + 00000001=00001ACF
…… …… 省 略 …… ……
结果 29 、 ====>EDI=0000D373 +0000001D=0000D390
:004D51B5
8B450C mov eax,
dword ptr [ebp+0C]
====>EAX=Internet
Download Accelerator
:004D51B8 8A4418FF
mov al, byte ptr [eax+ebx-01]
====>依次正序取Internet Download Accelerator
:004D51BC
E843B4FDFF call 004B0604
====>取字符在表中的位置!
:004D51C1
25FF000000 and eax, 000000FF
1、 ====>EAX=12
…… …… 省 略 …… ……
29、
====>EAX=35
:004D51C6 F76DF0
imul [ebp-10]
1、
====>EAX=12 * 29=000002E2
…… …… 省 略 …… ……
29、 ====>EAX=35 * 29=0000087D
:004D51C9
0345E8 add eax,
dword ptr [ebp-18]
====>[ebp-18]=000047D9
是上面对fly01rusreg运算的结果
1、 ====>EAX=000002E2 + 000047D9=00004ABB
…… …… 省 略 …… ……
29、 ====>EAX=0000087D + 0000FAE3=00010360
:004D51CC
03C3 add
eax, ebx
1、 ====>EAX=00004ABB + 00000001=00004ABC
…… …… 省 略 …… ……
结果 29 、 ====>EAX=00010360 + 0000001D=0001037D
:004D51CE
8945E8 mov dword
ptr [ebp-18], eax
:004D51D1 43
inc ebx
====>EBX
增1
:004D51D2 4E
dec esi
:004D51D3 75C8
jne 004D519D
====> 循环29次
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004D5196(C)
|
:004D51D5
81E73F000080 and edi, 8000003F
====>EDI的值是004D51B3处循环的结果
====>EDI=0000D390 AND 8000003F=00000010
:004D51DB
7905 jns
004D51E2
:004D51DD 4F
dec edi
:004D51DE 83CFC0
or edi, FFFFFFC0
:004D51E1 47
inc edi
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D51DB(C)
|
:004D51E2
8B45E8 mov eax,
dword ptr [ebp-18]
====>EAX=0001037D
是004D51CC处循环的结果
:004D51E5 253F000080
and eax, 8000003F
====>EAX=0001037D AND 8000003F=0000003D
:004D51EA
7905 jns
004D51F1
:004D51EC 48
dec eax
:004D51ED 83C8C0
or eax, FFFFFFC0
:004D51F0 40
inc eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D51EA(C)
|
:004D51F1
8945E8 mov dword
ptr [ebp-18], eax
====>[ebp-18]=EAX=0000003D
:004D51F4
8B45FC mov eax,
dword ptr [ebp-04]
====>EAX=fly@263.net
E-Mail
:004D51F7 E89CFAF2FF
call 00404C98
====>取 E-Mail 的长度 EAX=B
:004D51FC
8B55FC mov edx,
dword ptr [ebp-04]
====>EDX=fly@263.net
E-Mail
:004D51FF 8A4402FF
mov al, byte ptr [edx+eax-01]
====>取E-Mail的末位 AL=74
:004D5203
E8FCB3FDFF call 004B0604
====>取字符在表中的位置
:004D5208
33DB xor
ebx, ebx
:004D520A 8AD8
mov bl, al
====>BL=37
:004D520C
8B45FC mov eax,
dword ptr [ebp-04]
====>EAX=fly@263.net
E-Mail
:004D520F 8A00
mov al, byte
ptr [eax]
====>取E-Mail的首位
:004D5211
E8EEB3FDFF call 004B0604
====>取字符在表中的位置
:004D5216
25FF000000 and eax, 000000FF
====>EAX=29
:004D521B
0FAFD8 imul ebx,
eax
====>EBX=37 * 29=000008CF
:004D521E
895DEC mov dword
ptr [ebp-14], ebx
:004D5221 33C0
xor eax, eax
:004D5223 8945E4
mov dword ptr [ebp-1C], eax
:004D5226
8B45FC mov eax,
dword ptr [ebp-04]
====>EAX=fly@263.net
E-Mail
:004D5229 E86AFAF2FF
call 00404C98
====>取 E-Mail 的长度
:004D522E
8BF0 mov
esi, eax
====>ESI=B
:004D5230
85F6 test
esi, esi
:004D5232 7E25
jle 004D5259
:004D5234 BB01000000
mov ebx, 00000001
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004D5257(C)
|
:004D5239
8B45FC mov eax,
dword ptr [ebp-04]
====>EAX=fly@263.net
E-Mail
:004D523C 8A4418FF
mov al, byte ptr [eax+ebx-01]
====>依次正序取 E-Mail 字符的HEX 值
:004D5240
E8BFB3FDFF call 004B0604
====>取字符在表中的位置
:004D5245
25FF000000 and eax, 000000FF
1、 ====>EAX=29
…… … … 省 略 …… ……
11、
====>EAX=37
:004D524A F76DEC
imul [ebp-14]
1、
====>EAX=29 * 000008CF=00016927
…… …… 省 略 …… ……
11、 ====>EAX=37 * 000008CF=0001E479
:004D524D
0345E4 add eax,
dword ptr [ebp-1C]
1、 ====>EAX=00016927 + 00000000=00016927
…… …… 省 略 …… ……
11、 ====>EAX=0001E479 + 000CD5D2=000EBA4B
:004D5250
03C3 add
eax, ebx
1、 ====>EAX=00016927 + 00000001=00016928
…… …… 省 略 …… ……
结果 11、 ====>EAX=000EBA4B + 0000000B=000EBA56
:004D5252
8945E4 mov dword
ptr [ebp-1C], eax
:004D5255 43
inc ebx
:004D5256 4E
dec esi
:004D5257 75E0
jne 004D5239
====>循环E-Mail位数次
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5232(C)
|
:004D5259
8B45E4 mov eax,
dword ptr [ebp-1C]
====>EAX=000EBA56
:004D525C
253F000080 and eax, 8000003F
====>EAX=000EBA56 AND 8000003F=00000016
:004D5261
7905 jns
004D5268
:004D5263 48
dec eax
:004D5264 83C8C0
or eax, FFFFFFC0
:004D5267 40
inc eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5261(C)
|
:004D5268
8945E4 mov dword
ptr [ebp-1C], eax
:004D526B 8B45E4
mov eax, dword ptr [ebp-1C]
:004D526E 03C7
add eax, edi
====>EAX=00000016 + 00000010=00000026
:004D5270
253F000080 and eax, 8000003F
====>EAX=00000026 AND 8000003F=00000026
:004D5275
7905 jns
004D527C
:004D5277 48
dec eax
:004D5278 83C8C0
or eax, FFFFFFC0
:004D527B 40
inc eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5275(C)
|
:004D527C
8945E4 mov dword
ptr [ebp-1C], eax
:004D527F 33C0
xor eax, eax
:004D5281 8945E0
mov dword ptr [ebp-20], eax
:004D5284
8B45F4 mov eax,
dword ptr [ebp-0C]
====>EDX=1234567890ABCDEF
试炼码
:004D5287 E80CFAF2FF
call 00404C98
====>
取 试炼码 长度
:004D528C 8BF0
mov esi, eax
====>ESI=10
:004D528E 85F6
test esi, esi
:004D5290
7E22 jle
004D52B4
:004D5292 BB01000000 mov
ebx, 00000001
* Referenced by a (U)nconditional or
(C)onditional Jump at Address:
|:004D52B2(C)
|
:004D5297 8B45F4
mov eax, dword ptr [ebp-0C]
====>EDX=1234567890ABCDEF 试炼码
:004D529A
8A4418FF mov al, byte ptr
[eax+ebx-01]
====>依次正序取 试炼码 字符的HEX值
:004D529E
E861B3FDFF call 004B0604
====>取字符在表中的 位置
:004D52A3
25FF000000 and eax, 000000FF
1、 ====>EAX=01
…… …… 省 略 …… ……
16、
====>EAX=0F
:004D52A8 0345E0
add eax, dword ptr [ebp-20]
1、 ====>EAX=00000001 + 00000000=00000001
……
…… 省 略 …… ……
16、 ====>EAX=0000000F + 000000E1=000000F0
:004D52AB
03C3 add
eax, ebx
1、 ====>EAX=00000001 + 00000001=00000002
…… …… 省 略 …… ……
结果 16 、 ====>EAX=000000F0 + 00000010=00000100
:004D52AD
8945E0 mov dword
ptr [ebp-20], eax
:004D52B0 43
inc ebx
:004D52B1 4E
dec esi
:004D52B2 75E3
jne 004D5297
====> 循环16次
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5290(C)
|
:004D52B4
8B5DE0 mov ebx,
dword ptr [ebp-20]
====>EBX=00000100
是4D52AB处对试炼码运算的结果
:004D52B7 81E33F000080
and ebx, 8000003F
====>EBX=00000100
AND 8000003F=00000000
:004D52BD 7905
jns 004D52C4
:004D52BF
4B dec
ebx
:004D52C0 83CBC0
or ebx, FFFFFFC0
:004D52C3 43
inc ebx
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004D52BD(C)
|
:004D52C4
8B45E8 mov eax,
dword ptr [ebp-18]
====>EAX=0000003D
是4D51E5处的结果
:004D52C7 0345E4
add eax, dword ptr [ebp-1C]
====>EAX=0000003D + 00000026=00000063
:004D52CA
253F000080 and eax, 8000003F
====>EAX=00000063 AND 8000003F=00000023
:004D52CF
7905 jns
004D52D6
:004D52D1 48
dec eax
:004D52D2 83C8C0
or eax, FFFFFFC0
:004D52D5 40
inc eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D52CF(C)
|
:004D52D6
3BD8 cmp
ebx, eax
====>比较了 !^O^ ^O^ 如果这里相等……
====>EBX=00000000
====>EAX=00000023
:004D52D8 750F
jne 004D52E9
:004D52DA
8B4508 mov eax,
dword ptr [ebp+08]
* Possible StringData Ref from
Code Obj ->"RUSREG"
|
:004D52DD
BA7C534D00 mov edx, 004D537C
:004D52E2
E84DF7F2FF call 00404A34
:004D52E7
EB3D jmp
004D5326
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:004D52D8(C)
|
:004D52E9 8B4508
mov eax, dword ptr [ebp+08]
:004D52EC
E8EFF6F2FF call 004049E0
:004D52F1
037DE4 add edi,
dword ptr [ebp-1C]
====>EDI=00000010
+ 00000026=00000036
:004D52F4 81E73F000080
and edi, 8000003F
====>EDI=00000036 AND 8000003F=00000036
:004D52FA
7905 jns
004D5301
:004D52FC 4F
dec edi
:004D52FD 83CFC0
or edi, FFFFFFC0
:004D5300 47
inc edi
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D52FA(C)
|
:004D5301
3BDF cmp
ebx, edi
====>比较了! 相等 则OK!
====>EBX=00000000
====>EDI=00000036
:004D5303 750F
jne 004D5314
====> 跳则OVER!
:004D5305 8B4508 mov eax, dword ptr [ebp+08]
* Possible StringData Ref from
Code Obj ->"REG"
|
:004D5308
BA8C534D00 mov edx, 004D538C
:004D530D
E822F7F2FF call 00404A34
:004D5312
EB12 jmp
004D5326
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:004D5303(C)
|
:004D5314 8B4508
mov eax, dword ptr [ebp+08]
:004D5317
E8C4F6F2FF call 004049E0
:004D531C
EB08 jmp
004D5326
* Referenced by a (U)nconditional or (C)onditional
Jump at Addresses:
|:004D50BC(C), :004D50CD(C), :004D50DE(C)
|
:004D531E
8B4508 mov eax,
dword ptr [ebp+08]
:004D5321 E8BAF6F2FF
call 004049E0
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:004D52E7(U), :004D5312(U), :004D531C(U)
|
:004D5326
33C0 xor
eax, eax
:004D5328 5A
pop edx
:004D5329 59
pop ecx
:004D532A 59
pop ecx
:004D532B
648910 mov dword
ptr fs:[eax], edx
:004D532E 6858534D00
push 004D5358
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:004D5356(U)
|
:004D5333 8D45DC
lea eax, dword ptr [ebp-24]
:004D5336
E8A5F6F2FF call 004049E0
:004D533B
8D45F4 lea eax,
dword ptr [ebp-0C]
:004D533E BA03000000
mov edx, 00000003
:004D5343 E8BCF6F2FF
call 00404A04
:004D5348 8D450C
lea eax, dword ptr [ebp+0C]
:004D534B E890F6F2FF
call 004049E0
:004D5350 C3
ret
——
———————————————————————————————
进入关键CALL: call 004B0604
因为各个字符的取位置流程是相同的,因此只是记录了用户名的取值。
* Referenced by a CALL at Addresses:
|:004D50FA
, :004D5108 , :004D5132 , :004D5171 , :004D51A4
|:004D51BC , :004D5203 , :004D5211 , :004D5240
, :004D529E
|:004D5A57 , :004D6043 , :004D6057
, :004D6143 , :004D6157
|:004EBB16 , :00510061
, :00510D54 , :00510D7E , :00513A3E
|:00514258
, :00514288 , :00514C09 , :00514C34 , :00519EA5
|:00519ECF
, :00519F09 , :00519F1A
|
:004B0604 33D2
xor edx, edx
:004B0606
EB01 jmp
004B0609
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:004B0618(C)
|
:004B0608 42
inc edx
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0606(U)
|
:004B0609
33C9 xor
ecx, ecx
:004B060B 8ACA
mov cl, dl
:004B060D 3A81FC225200
cmp al, byte ptr [ecx+005222FC]
====>把用户名字符的HEX值与下面这张表中的值比较,取其在表中的位置
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
☆☆☆☆☆☆☆☆☆
[005222FC]内存中有一张表:
005222FC 30
31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 0123456789ABCDEF
0052230C
47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 GHIJKLMNOPQRSTUV
0052231C
57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C WXYZabcdefghijkl
0052232C
6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 40 2E mnopqrstuvwxyz@.
0052233C
88 22 4B 00
?K..
☆☆☆☆☆☆☆
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:004B0613
7405 je 004B061A
:004B0615
80FA40 cmp dl, 40
:004B0618
72EE jb 004B0608
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0613(C)
|
:004B061A
33C0 xor
eax, eax
:004B061C 8AC2
mov al, dl
fly01
====>66、6C、79、30、31分别对应于:29、2F、3C、00
、01
fly01rusreg
====>66、6C、79、30、31、72、75、73、
72、65、67
对应于:29、2F、3C、00、01、35、38、36、35、28、2A
:004B061E 83E03F and
eax, 0000003F
====>EAX AND 0000003F
:004B0621 C3 ret
———————————————————————————
——————
【算法总结】:
1、程序取用户名、用户名+rusreg、Internet Download Accelerator、E-mail 各字符在表中的位置值参与运算,得出:36
2、对试炼码进行同样的取值运算得出00,如果这两者相同则OK!
3、所以我们可以对注册码以此为目的进行求逆。由于最后参与比较的只是 00–3F 范围内的一个值,满足条件的组合有很多,这也说明这种只在本地比较一个 6 位校验值的注册验证强度很低。^O^ ^O^
———————————————————— —————————————
【注册信息保存】:
REGEDIT4
[HKEY_CURRENT_USER\Software\2V G\Internet Download Accelerator]
"Name"="fly01"
"Email"="fly@263.net"
"REGKEY"="Bt6XnYgqvu1b63uX"
———————————————————————————————
——
【整 理】:
Name
: fly01
E-mail:fly@263.net
注册码:fly[OCN][FCG]xyz
简单求逆出一组注册码。 ^O^ ^O^……有很多呀……^O^ ^O^
————————————————— ————————————————
,
_/
/| _.-~/
\_ , 青春都一饷
( /~ / \~-._ |\
`\\ _/
\ ~\ ) 忍把浮名
_-~~~-.)
)__/;;,. \_ //'
/'_,\
--~ \ ~~~- ,;;\___( (.-~~~-.
换了 破解轻狂
`~ _( ,_..--\ ( ,;'' / ~--
/._`\
/~~//' /' `~\ ) /--.._, )_
`~
" `~" " `"
/~'`\ `\\~~\
"
" "~' ""
Cracked By 巢水工作坊——fly [OCN][FCG]
2003-05-09 02:26