Internet Download Accelerator V1.5.1.463　

标题：Internet Download Accelerator V1.5.1.463　
作者：fly
时间：2003/05/09 12:40pm
链接：http://bbs.pediy.com

算法浅探——Internet Download Accelerator V1.5.1.463

下载页面： http://www.skycn.com/soft/11016.html
软件大小： 1320 KB
软件语言：英文
软件类别：国外软件 / 共享版 / 下载工具
应用平台： Win9x/NT/2000/XP
加入时间： 2003-04-25 17:34:54
下载次数： 2900
推荐等级： ****
开发商： http://www.one.com.ua/

【软件简介】：Internet Download Accelerator(IDA)，支持HTTP及FTP的通讯协议、动态多线程下载、断线续传、排程下载、完成后自动关机、下载完成后写入纪录文件、剪贴簿监控、 IE功能整合等等，功能可以跟FlashGet相比。

【软件限制】：30天试用

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、PEiD、Guw32、W3 2Dasm 9.0白金版

—————————————————————————— ———————
【过程】：

这几天碰到的都是麻烦的东东，哎，我该休息休息了。 ^O^ ^O^
不清楚这个程序是否会私下去连网校验，有朋友做的话麻烦验证一下。

ida.exe 是UPX 1.23壳，用Guw32脱之。590K->1.75M。 Delphi 编写。

Name : fly01 （至少5位）
E-mail：fly@263.net （至少5位）
试炼码：1234567890ABCDEF （需 16位）
———————————————————————————————— —
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5855(C)
|
:004D5850 6A00 push 00000000
:004D5852 6A00 push 00000000
:004D5854 49 dec ecx
:004D5855 75F9 jne 004D5850
:004D5857 51 push ecx
:004D5858 53 push ebx
:004D5859 56 push esi
:004D585A 57 push edi
:004D585B 8BD8 mov ebx, eax
:004D585D 33C0 xor eax, eax
:004D585F 55 push ebp
:004D5860 68175C4D00 push 004D5C17
:004D5865 64FF30 push dword ptr fs:[eax]
:004D5868 648920 mov dword ptr fs:[eax], esp
:004D586B 8D55F8 lea edx, dword ptr [ebp-08]
:004D586E 8B8318030000 mov eax, dword ptr [ebx+00000318]
:004D5874 E82F16F7FF call 00446EA8
:004D5879 8B55F8 mov edx, dword ptr [ebp-08]
====>EDX=fly@263.net E-Mail

:004D587C B88C665200 mov eax, 0052668C
:004D5881 E8AEF1F2FF call 00404A34
:004D5886 8D55F4 lea edx, dword ptr [ebp-0C]
:004D5889 8B831C030000 mov eax, dword ptr [ebx+0000031C]
:004D588F E81416F7FF call 00446EA8
:004D5894 8B55F4 mov edx, dword ptr [ebp-0C]
====>EDX=fly01 用户名

:004D5897 B890665200 mov eax, 00526690
:004D589C E893F1F2FF call 00404A34
:004D58A1 8D55F0 lea edx, dword ptr [ebp-10]
:004D58A4 8B8320030000 mov eax, dword ptr [ebx+00000320]
:004D58AA E8F915F7FF call 00446EA8
:004D58AF 8B55F0 mov edx, dword ptr [ebp-10]
====>EDX=1234567890ABCDEF 试炼码

:004D58B2 B894665200 mov eax, 00526694

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5840(C)
|
:004D58B7 E878F1F2FF call 00404A34
:004D58BC 6A00 push 00000000
:004D58BE 8B0D90665200 mov ecx, dword ptr [00526690]
:004D58C4 8B158C665200 mov edx, dword ptr [0052668C]
:004D58CA 8BC3 mov eax, ebx
:004D58CC E8EF060000 call 004D5FC0
====>关键CALL！检测你输入的信息是否符合要求！

:004D58D1 8BF0 mov esi, eax
:004D58D3 85F6 test esi, esi
:004D58D5 7568 jne 004D593F
====>跳则OVER！

:004D58D7 A194665200 mov eax, dword ptr [00526694]
====>EAX=1234567890ABCDEF 试炼码

:004D58DC E8B7F3F2FF call 00404C98
====>取试炼码长度

:004D58E1 83F810 cmp eax, 00000010
====> 注册码是否16位？

:004D58E4 7405 je 004D58EB
:004D58E6 BE4D010000 mov esi, 0000014D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D58E4(C)
|
:004D58EB 8D55EC lea edx, dword ptr [ebp-14]
:004D58EE A194665200 mov eax, dword ptr [00526694]
:004D58F3 E83837F3FF call 00409030
:004D58F8 8B45EC mov eax, dword ptr [ebp-14]
:004D58FB E898F3F2FF call 00404C98
:004D5900 8BF8 mov edi, eax
:004D5902 A194665200 mov eax, dword ptr [00526694]
:004D5907 E88CF3F2FF call 00404C98
:004D590C 3BF8 cmp edi, eax
:004D590E 7405 je 004D5915
:004D5910 BE4B010000 mov esi, 0000014B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D590E(C)
|
:004D5915 8D55E8 lea edx, dword ptr [ebp-18]
:004D5918 A194665200 mov eax, dword ptr [00526694]
:004D591D E84237F3FF call 00409064
:004D5922 8B45E8 mov eax, dword ptr [ebp-18]
:004D5925 E86EF3F2FF call 00404C98
:004D592A 8BF8 mov edi, eax
:004D592C A194665200 mov eax, dword ptr [00526694]
:004D5931 E862F3F2FF call 00404C98
:004D5936 3BF8 cmp edi, eax
:004D5938 7405 je 004D593F
:004D593A BE4C010000 mov esi, 0000014C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004D58D5(C), :004D5938(C)
|
:004D593F 85F6 test esi, esi
:004D5941 747F je 004D59C2
:004D5943 6A00 push 00000000
:004D5945 8D45E4 lea eax, dword ptr [ebp-1C]
:004D5948 50 push eax
:004D5949 8D45E0 lea eax, dword ptr [ebp-20]
:004D594C 50 push eax
:004D594D A1E42F5200 mov eax, dword ptr [00522FE4]
:004D5952 8B00 mov eax, dword ptr [eax]
:004D5954 8B80A0070000 mov eax, dword ptr [eax+000007A0]

* Possible StringData Ref from Code Obj ->"30820"
|
:004D595A B9305C4D00 mov ecx, 004D5C30
:004D595F B208 mov dl, 08
:004D5961 E8C6B1FDFF call 004B0B2C
:004D5966 8B45E0 mov eax, dword ptr [ebp-20]
:004D5969 50 push eax
:004D596A 8D55DC lea edx, dword ptr [ebp-24]
:004D596D 8BC6 mov eax, esi
:004D596F E8F038F3FF call 00409264
:004D5974 8B55DC mov edx, dword ptr [ebp-24]
:004D5977 33C9 xor ecx, ecx
:004D5979 58 pop eax
:004D597A E865B5F9FF call 00470EE4
:004D597F 8B45E4 mov eax, dword ptr [ebp-1C]
:004D5982 50 push eax
:004D5983 6A1E push 0000001E
:004D5985 68405C4D00 push 004D5C40
:004D598A 68405C4D00 push 004D5C40
:004D598F 8D45D8 lea eax, dword ptr [ebp-28]
:004D5992 50 push eax
:004D5993 A1E42F5200 mov eax, dword ptr [00522FE4]
:004D5998 8B00 mov eax, dword ptr [eax]
:004D599A 8B80A0070000 mov eax, dword ptr [eax+000007A0]

* Possible StringData Ref from Code Obj ->"13053"
|
:004D59A0 B94C5C4D00 mov ecx, 004D5C4C
:004D59A5 B203 mov dl, 03
:004D59A7 E880B1FDFF call 004B0B2C
:004D59AC 8B4DD8 mov ecx, dword ptr [ebp-28]
:004D59AF A1E42F5200 mov eax, dword ptr [00522FE4]
:004D59B4 8B00 mov eax, dword ptr [eax]
:004D59B6 B201 mov dl, 01
:004D59B8 E887E40300 call 00513E44
====>BAD BOY！

:004D59BD E925020000 jmp 004D5BE7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5941(C)
|
:004D59C2 8B8340030000 mov eax, dword ptr [ebx+00000340]
:004D59C8 50 push eax
:004D59C9 8D45FC lea eax, dword ptr [ebp-04]
:004D59CC 50 push eax
:004D59CD 8B0D94665200 mov ecx, dword ptr [00526694]
:004D59D3 8B1590665200 mov edx, dword ptr [00526690]
:004D59D9 A18C665200 mov eax, dword ptr [0052668C]
:004D59DE E889F6FFFF call 004D506C
====>关键CALL！进入！

:004D59E3 8B45FC mov eax, dword ptr [ebp-04]
:004D59E6 E8ADF2F2FF call 00404C98
:004D59EB 85C0 test eax, eax
:004D59ED 0F8E84010000 jle 004D5B77
====>跳则OVER！

:004D59F3 8B0D8C665200 mov ecx, dword ptr [0052668C]

* Possible StringData Ref from Code Obj ->"Email"
|
:004D59F9 BA5C5C4D00 mov edx, 004D5C5C
:004D59FE 8B8334030000 mov eax, dword ptr [ebx+00000334]
:004D5A04 E8BBA2F9FF call 0046FCC4
:004D5A09 8B0D90665200 mov ecx, dword ptr [00526690]

* Possible StringData Ref from Code Obj ->"Name"
|
:004D5A0F BA6C5C4D00 mov edx, 004D5C6C
:004D5A14 8B8334030000 mov eax, dword ptr [ebx+00000334]
:004D5A1A E8A5A2F9FF call 0046FCC4
:004D5A1F A1A42F5200 mov eax, dword ptr [00522FA4]
:004D5A24 8B1594665200 mov edx, dword ptr [00526694]
:004D5A2A E805F0F2FF call 00404A34
:004D5A2F B87D010000 mov eax, 0000017D
:004D5A34 E8AFA7F9FF call 004701E8
:004D5A39 A194665200 mov eax, dword ptr [00526694]
:004D5A3E E855F2F2FF call 00404C98
:004D5A43 8BF8 mov edi, eax
:004D5A45 85FF test edi, edi
:004D5A47 7E3C jle 004D5A85
:004D5A49 BE01000000 mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5A83(C)
====>把注册信息再经过变化处理后保存！
:004D5A4E A194665200 mov eax, dword ptr [00526694]
:004D5A53 8A4430FF mov al, byte ptr [eax+esi-01]
:004D5A57 E8A8ABFDFF call 004B0604
:004D5A5C 50 push eax
:004D5A5D B83F000000 mov eax, 0000003F
:004D5A62 E859A7F9FF call 004701C0
:004D5A67 8BD0 mov edx, eax
:004D5A69 58 pop eax
:004D5A6A 32C2 xor al, dl
:004D5A6C E887ABFDFF call 004B05F8
:004D5A71 50 push eax
:004D5A72 B894665200 mov eax, 00526694
:004D5A77 E86CF4F2FF call 00404EE8
:004D5A7C 5A pop edx
:004D5A7D 885430FF mov byte ptr [eax+esi-01], dl
:004D5A81 46 inc esi
:004D5A82 4F dec edi
:004D5A83 75C9 jne 004D5A4E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5A47(C)
|
:004D5A85 8B0D94665200 mov ecx, dword ptr [00526694]

* Possible StringData Ref from Code Obj ->"REGKEY"
====>保存注册信息！

:004D5A8B BA7C5C4D00 mov edx, 004D5C7C
:004D5A90 8B8334030000 mov eax, dword ptr [ebx+00000334]
:004D5A96 E829A2F9FF call 0046FCC4
:004D5A9B 8B8334030000 mov eax, dword ptr [ebx+00000334]
:004D5AA1 E88292F9FF call 0046ED28
:004D5AA6 8B45FC mov eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"RUSREG"
|
:004D5AA9 BA8C5C4D00 mov edx, 004D5C8C
:004D5AAE E829F3F2FF call 00404DDC
:004D5AB3 752C jne 004D5AE1
:004D5AB5 B99C5C4D00 mov ecx, 004D5C9C

* Possible StringData Ref from Code Obj ->"2VGFUR"
|
:004D5ABA BAA85C4D00 mov edx, 004D5CA8
:004D5ABF 8B8334030000 mov eax, dword ptr [ebx+00000334]
:004D5AC5 E8FAA1F9FF call 0046FCC4
:004D5ACA 6A00 push 00000000
:004D5ACC 668B0DB05C4D00 mov cx, word ptr [004D5CB0]
:004D5AD3 B202 mov dl, 02

* Possible StringData Ref from Code Obj ->"严姥攘?抢信萌岩欣秩? 义镥瘘 "
->"怦?趔黻鲨铐嚯 ?怵屐屙睇?"
====>晕，乱码！如果最后的结果是23会到这儿！

:004D5AD5 B8BC5C4D00 mov eax, 004D5CBC
:004D5ADA E8E9A2F6FF call 0043FDC8
:004D5ADF EB7F jmp 004D5B60

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5AB3(C)

…… …… 省略 …… ……

:004D5B5B E8E4E20300 call 00513E44
====>呵呵，胜利女神！

…… …… 省略 …… ……

:004D5BE2 E85DE20300 call 00513E44
====>BAD BOY！

—— ———————————————————————————————
进入关键CALL：4D59DE call 004D506C

* Referenced by a CALL at Addresses:
|:004D59DE , :004D9CF4 , :00510186
|
:004D506C 55 push ebp
:004D506D 8BEC mov ebp, esp
:004D506F 83C4DC add esp, FFFFFFDC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5001(C)
|
:004D5072 53 push ebx
:004D5073 56 push esi
:004D5074 57 push edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D4FFF(C)
|
:004D5075 33DB xor ebx, ebx
:004D5077 895DDC mov dword ptr [ebp-24], ebx
:004D507A 894DF4 mov dword ptr [ebp-0C], ecx
:004D507D 8955F8 mov dword ptr [ebp-08], edx
:004D5080 8945FC mov dword ptr [ebp-04], eax
:004D5083 8B45FC mov eax, dword ptr [ebp-04]
:004D5086 E8F5FDF2FF call 00404E80

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5015(C)
|
:004D508B 8B45F8 mov eax, dword ptr [ebp-08]
:004D508E E8EDFDF2FF call 00404E80
:004D5093 8B45F4 mov eax, dword ptr [ebp-0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5027(C)
|
:004D5096 E8E5FDF2FF call 00404E80
:004D509B 8B450C mov eax, dword ptr [ebp+0C]
:004D509E E8DDFDF2FF call 00404E80
:004D50A3 33C0 xor eax, eax
:004D50A5 55 push ebp
:004D50A6 6851534D00 push 004D5351
:004D50AB 64FF30 push dword ptr fs:[eax]
:004D50AE 648920 mov dword ptr fs:[eax], esp
:004D50B1 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=1234567890ABCDEF 试炼码

:004D50B4 E8DFFBF2FF call 00404C98
====> 取试炼码长度 EAX=5

:004D50B9 83F810 cmp eax, 00000010
====>注册码是否16位？

:004D50BC 0F855C020000 jne 004D531E
====>跳则OVER！

:004D50C2 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=fly01 用户名

:004D50C5 E8CEFBF2FF call 00404C98
====>取用户名长度 EAX=5

:004D50CA 83F805 cmp eax, 00000005
====> 用户名不能少于5位

:004D50CD 0F8C4B020000 jl 004D531E
====>跳则OVER！

:004D50D3 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly@263.net E-Mail

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5067(C)
|
:004D50D6 E8BDFBF2FF call 00404C98
====>取 E-Mail 长度 EAX=5

:004D50DB 83F805 cmp eax, 00000005
====>E-Mail不能少于5位

:004D50DE 0F8C3A020000 jl 004D531E
====>跳则OVER！

:004D50E4 33FF xor edi, edi
:004D50E6 33C0 xor eax, eax
:004D50E8 8945E8 mov dword ptr [ebp-18], eax
:004D50EB 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=fly01 用户名

:004D50EE E8A5FBF2FF call 00404C98
====>取用户名长度 EAX=5

:004D50F3 8B55F8 mov edx, dword ptr [ebp-08]
:004D50F6 8A4402FF mov al, byte ptr [edx+eax-01]
====>取用户名末位字符的HEX值

:004D50FA E805B5FDFF call 004B0604
====>关键CALL！取字符在表中的位置！

:004D50FF 33DB xor ebx, ebx
:004D5101 8AD8 mov bl, al
====>BL=01

:004D5103 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=fly01 用户名

:004D5106 8A00 mov al, byte ptr [eax]
====>取用户名首位字符的HEX值

:004D5108 E8F7B4FDFF call 004B0604
====>取字符在表中的位置！

:004D510D 25FF000000 and eax, 000000FF
====>EAX=29

:004D5112 0FAFD8 imul ebx, eax
====>EBX=01 * 29=29

:004D5115 895DF0 mov dword ptr [ebp-10], ebx
====>[ebp-10]=EBX=29

:004D5118 8B45F8 mov eax, dword ptr [ebp-08]
:004D511B E878FBF2FF call 00404C98
:004D5120 8BF0 mov esi, eax
:004D5122 85F6 test esi, esi
:004D5124 7E21 jle 004D5147
:004D5126 BB01000000 mov ebx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5145(C)
|
:004D512B 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=fly01 用户名

:004D512E 8A4418FF mov al, byte ptr [eax+ebx-01]
====>依次正序取用户名字符的HEX 值

:004D5132 E8CDB4FDFF call 004B0604
====>关键CALL！取字符在表中的位置！

:004D5137 25FF000000 and eax, 000000FF
1、 ====>EAX=29
2、 ====>EAX=2F
3、 ====>EAX=3C
4、 ====>EAX=00
5、 ====>EAX=01

:004D513C F76DF0 imul [ebp-10]
1、 ====>EAX=29 * 29=00000691
2、 ====>EAX=2F * 29=00000787
3、 ====>EAX=3C * 29=0000099C
4、 ====>EAX=00 * 29=00000000
5、 ====>EAX=01 * 29=00000029

:004D513F 03F8 add edi, eax
1、 ====>EDI=00000000 + 00000691=00000691
2、 ====>EDI=00000692 + 00000787=00000E19
3、 ====>EDI=00000E1B + 0000099C=000017B7
4、 ====>EDI=000017BA + 00000000=000017BA
5、 ====>EDI=000017BE + 00000029=000017E7

:004D5141 03FB add edi, ebx
1、 ====>EDI=00000691 + 1=00000692
2、 ====>EDI=00000E19 + 2=00000E1B
3、 ====>EDI=000017B7 + 3=000017BA
4、 ====>EDI=000017BA + 4=000017BE
5、 ====>EDI=000017E7 + 5=000017EC

:004D5143 43 inc ebx
====>EBX 增1

:004D5144 4E dec esi
:004D5145 75E4 jne 004D512B
====>循环用户名位数次

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5124(C)
|
:004D5147 8D45DC lea eax, dword ptr [ebp-24]

* Possible StringData Ref from Code Obj ->"rusreg"
|
:004D514A B96C534D00 mov ecx, 004D536C
====>ECX=rusreg

:004D514F 8B55F8 mov edx, dword ptr [ebp-08]
====>EDX=fly01 用户名

:004D5152 E88DFBF2FF call 00404CE4
====>将用户名和 rusreg连接起来

:004D5157 8B45DC mov eax, dword ptr [ebp-24]
====>EAX=fly01rusreg

:004D515A E839FBF2FF call 00404C98
====>取 fly01rusreg 长度

:004D515F 8BF0 mov esi, eax
====>ESI=EAX=B

:004D5161 85F6 test esi, esi
:004D5163 7E25 jle 004D518A
:004D5165 BB01000000 mov ebx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5188(C)
====>和上面的运算流程一样，因此只记了结果。
:004D516A 8B45DC mov eax, dword ptr [ebp-24]
====>EAX=fly01rusreg

:004D516D 8A4418FF mov al, byte ptr [eax+ebx-01]
====>依次正序取fly01rusreg字符的HEX值

:004D5171 E88EB4FDFF call 004B0604
====>关键CALL！取字符在表中的位置！

:004D5176 25FF000000 and eax, 000000FF
:004D517B F76DF0 imul [ebp-10]
:004D517E 0345E8 add eax, dword ptr [ebp-18]
:004D5181 03C3 add eax, ebx
:004D5183 8945E8 mov dword ptr [ebp-18], eax
====>最后结果=[ebp-18]=000047D9

:004D5186 43 inc ebx
:004D5187 4E dec esi
:004D5188 75E0 jne 004D516A
====>循环11次

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5163(C)
|
:004D518A 8B450C mov eax, dword ptr [ebp+0C]
====>EAX=Internet Download Accelerator
☆☆ ☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆ ☆☆☆
这个参数是固定的：

0174F9C8 49 6E 74 65 72 6E 65 74 20 44 6F 77 6E 6C 6F 61 Internet Downloa
0174F9D8 64 20 41 63 63 65 6C 65 72 61 74 6F 72 d Accelerator
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆ ☆☆☆☆☆☆☆☆☆☆☆☆☆

:004D518D E806FBF2FF call 00404C98
====>取Internet Download Accelerator长度

:004D5192 8BF0 mov esi, eax
====>ESI=1D

:004D5194 85F6 test esi, esi
:004D5196 7E3D jle 004D51D5
:004D5198 BB01000000 mov ebx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D51D3(C)
|
:004D519D 8B450C mov eax, dword ptr [ebp+0C]
:004D51A0 8A4418FF mov al, byte ptr [eax+ebx-01]
====>依次正序取Internet Download Accelerator

:004D51A4 E85BB4FDFF call 004B0604
====>取字符在表中的位置！

:004D51A9 25FF000000 and eax, 000000FF
1、 ====>EAX=12
…… …… 省略 …… ……
29、 ====>EAX=35

:004D51AE F76DF0 imul [ebp-10]
1、 ====>EAX=12 * 29=000002E2
…… …… 省略 …… ……
29、 ====>EAX=35 * 29=0000087D

:004D51B1 03F8 add edi, eax
====>EDI=000017EC 是上面对fly01运算的结果
1、 ====>EDI=000017EC + 000002E2=00001ACE
…… …… 省略 …… ……
29、 ====>EDI=0000CAF6 + 0000087D=0000D373

:004D51B3 03FB add edi, ebx
1、 ====>EDI=00001AEC + 00000001=00001ACF
…… …… 省略 …… ……
结果 29 、 ====>EDI=0000D373 +0000001D=0000D390

:004D51B5 8B450C mov eax, dword ptr [ebp+0C]
====>EAX=Internet Download Accelerator

:004D51B8 8A4418FF mov al, byte ptr [eax+ebx-01]
====>依次正序取Internet Download Accelerator

:004D51BC E843B4FDFF call 004B0604
====>取字符在表中的位置！

:004D51C1 25FF000000 and eax, 000000FF
1、 ====>EAX=12
…… …… 省略 …… ……
29、 ====>EAX=35

:004D51C6 F76DF0 imul [ebp-10]
1、 ====>EAX=12 * 29=000002E2
…… …… 省略 …… ……
29、 ====>EAX=35 * 29=0000087D

:004D51C9 0345E8 add eax, dword ptr [ebp-18]
====>[ebp-18]=000047D9 是上面对fly01rusreg运算的结果
1、 ====>EAX=000002E2 + 000047D9=00004ABB
…… …… 省略 …… ……
29、 ====>EAX=0000087D + 0000FAE3=00010360

:004D51CC 03C3 add eax, ebx
1、 ====>EAX=00004ABB + 00000001=00004ABC
…… …… 省略 …… ……
结果 29 、 ====>EAX=00010360 + 0000001D=0001037D

:004D51CE 8945E8 mov dword ptr [ebp-18], eax
:004D51D1 43 inc ebx
====>EBX 增1

:004D51D2 4E dec esi
:004D51D3 75C8 jne 004D519D
====> 循环29次

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5196(C)
|
:004D51D5 81E73F000080 and edi, 8000003F
====>EDI的值是004D51B3处循环的结果
====>EDI=0000D390 AND 8000003F=00000010

:004D51DB 7905 jns 004D51E2
:004D51DD 4F dec edi
:004D51DE 83CFC0 or edi, FFFFFFC0
:004D51E1 47 inc edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D51DB(C)
|
:004D51E2 8B45E8 mov eax, dword ptr [ebp-18]
====>EAX=0001037D 是004D51CC处循环的结果

:004D51E5 253F000080 and eax, 8000003F
====>EAX=0001037D AND 8000003F=0000003D

:004D51EA 7905 jns 004D51F1
:004D51EC 48 dec eax
:004D51ED 83C8C0 or eax, FFFFFFC0
:004D51F0 40 inc eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D51EA(C)
|
:004D51F1 8945E8 mov dword ptr [ebp-18], eax
====>[ebp-18]=EAX=0000003D

:004D51F4 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly@263.net E-Mail

:004D51F7 E89CFAF2FF call 00404C98
====>取 E-Mail 的长度 EAX=B

:004D51FC 8B55FC mov edx, dword ptr [ebp-04]
====>EDX=fly@263.net E-Mail

:004D51FF 8A4402FF mov al, byte ptr [edx+eax-01]
====>取E-Mail的末位 AL=74

:004D5203 E8FCB3FDFF call 004B0604
====>取字符在表中的位置

:004D5208 33DB xor ebx, ebx
:004D520A 8AD8 mov bl, al
====>BL=37

:004D520C 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly@263.net E-Mail

:004D520F 8A00 mov al, byte ptr [eax]
====>取E-Mail的首位

:004D5211 E8EEB3FDFF call 004B0604
====>取字符在表中的位置

:004D5216 25FF000000 and eax, 000000FF
====>EAX=29

:004D521B 0FAFD8 imul ebx, eax
====>EBX=37 * 29=000008CF

:004D521E 895DEC mov dword ptr [ebp-14], ebx
:004D5221 33C0 xor eax, eax
:004D5223 8945E4 mov dword ptr [ebp-1C], eax
:004D5226 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly@263.net E-Mail

:004D5229 E86AFAF2FF call 00404C98
====>取 E-Mail 的长度

:004D522E 8BF0 mov esi, eax
====>ESI=B

:004D5230 85F6 test esi, esi
:004D5232 7E25 jle 004D5259
:004D5234 BB01000000 mov ebx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5257(C)
|
:004D5239 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly@263.net E-Mail

:004D523C 8A4418FF mov al, byte ptr [eax+ebx-01]
====>依次正序取 E-Mail 字符的HEX 值

:004D5240 E8BFB3FDFF call 004B0604
====>取字符在表中的位置

:004D5245 25FF000000 and eax, 000000FF
1、 ====>EAX=29
…… … … 省略 …… ……
11、 ====>EAX=37

:004D524A F76DEC imul [ebp-14]
1、 ====>EAX=29 * 000008CF=00016927
…… …… 省略 …… ……
11、 ====>EAX=37 * 000008CF=0001E479

:004D524D 0345E4 add eax, dword ptr [ebp-1C]
1、 ====>EAX=00016927 + 00000000=00016927
…… …… 省略 …… ……
11、 ====>EAX=0001E479 + 000CD5D2=000EBA4B

:004D5250 03C3 add eax, ebx
1、 ====>EAX=00016927 + 00000001=00016928
…… …… 省略 …… ……
结果 11、 ====>EAX=000EBA4B + 0000000B=000EBA56

:004D5252 8945E4 mov dword ptr [ebp-1C], eax
:004D5255 43 inc ebx
:004D5256 4E dec esi
:004D5257 75E0 jne 004D5239
====>循环E-Mail位数次

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5232(C)
|
:004D5259 8B45E4 mov eax, dword ptr [ebp-1C]
====>EAX=000EBA56

:004D525C 253F000080 and eax, 8000003F
====>EAX=000EBA56 AND 8000003F=00000016

:004D5261 7905 jns 004D5268
:004D5263 48 dec eax
:004D5264 83C8C0 or eax, FFFFFFC0
:004D5267 40 inc eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5261(C)
|
:004D5268 8945E4 mov dword ptr [ebp-1C], eax
:004D526B 8B45E4 mov eax, dword ptr [ebp-1C]
:004D526E 03C7 add eax, edi
====>EAX=00000016 + 00000010=00000026

:004D5270 253F000080 and eax, 8000003F
====>EAX=00000026 AND 8000003F=00000026

:004D5275 7905 jns 004D527C
:004D5277 48 dec eax
:004D5278 83C8C0 or eax, FFFFFFC0
:004D527B 40 inc eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5275(C)
|
:004D527C 8945E4 mov dword ptr [ebp-1C], eax
:004D527F 33C0 xor eax, eax
:004D5281 8945E0 mov dword ptr [ebp-20], eax
:004D5284 8B45F4 mov eax, dword ptr [ebp-0C]
====>EDX=1234567890ABCDEF 试炼码

:004D5287 E80CFAF2FF call 00404C98
====> 取试炼码长度

:004D528C 8BF0 mov esi, eax
====>ESI=10

:004D528E 85F6 test esi, esi
:004D5290 7E22 jle 004D52B4
:004D5292 BB01000000 mov ebx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D52B2(C)
|
:004D5297 8B45F4 mov eax, dword ptr [ebp-0C]
====>EDX=1234567890ABCDEF 试炼码

:004D529A 8A4418FF mov al, byte ptr [eax+ebx-01]
====>依次正序取试炼码字符的HEX值

:004D529E E861B3FDFF call 004B0604
====>取字符在表中的位置

:004D52A3 25FF000000 and eax, 000000FF
1、 ====>EAX=01
…… …… 省略 …… ……
16、 ====>EAX=0F

:004D52A8 0345E0 add eax, dword ptr [ebp-20]
1、 ====>EAX=00000001 + 00000000=00000001
…… …… 省略 …… ……
16、 ====>EAX=0000000F + 000000E1=000000F0

:004D52AB 03C3 add eax, ebx
1、 ====>EAX=00000001 + 00000001=00000002
…… …… 省略 …… ……
结果 16 、 ====>EAX=000000F0 + 00000010=00000100

:004D52AD 8945E0 mov dword ptr [ebp-20], eax
:004D52B0 43 inc ebx
:004D52B1 4E dec esi
:004D52B2 75E3 jne 004D5297
====> 循环16次

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5290(C)
|
:004D52B4 8B5DE0 mov ebx, dword ptr [ebp-20]
====>EBX=00000100 是4D52AB处对试炼码运算的结果

:004D52B7 81E33F000080 and ebx, 8000003F
====>EBX=00000100 AND 8000003F=00000000

:004D52BD 7905 jns 004D52C4
:004D52BF 4B dec ebx
:004D52C0 83CBC0 or ebx, FFFFFFC0
:004D52C3 43 inc ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D52BD(C)
|
:004D52C4 8B45E8 mov eax, dword ptr [ebp-18]
====>EAX=0000003D 是4D51E5处的结果

:004D52C7 0345E4 add eax, dword ptr [ebp-1C]
====>EAX=0000003D + 00000026=00000063

:004D52CA 253F000080 and eax, 8000003F
====>EAX=00000063 AND 8000003F=00000023

:004D52CF 7905 jns 004D52D6
:004D52D1 48 dec eax
:004D52D2 83C8C0 or eax, FFFFFFC0
:004D52D5 40 inc eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D52CF(C)
|
:004D52D6 3BD8 cmp ebx, eax
====>比较了！^O^ ^O^ 如果这里相等……
====>EBX=00000000
====>EAX=00000023

:004D52D8 750F jne 004D52E9
:004D52DA 8B4508 mov eax, dword ptr [ebp+08]

* Possible StringData Ref from Code Obj ->"RUSREG"
|
:004D52DD BA7C534D00 mov edx, 004D537C
:004D52E2 E84DF7F2FF call 00404A34
:004D52E7 EB3D jmp 004D5326

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D52D8(C)
|
:004D52E9 8B4508 mov eax, dword ptr [ebp+08]
:004D52EC E8EFF6F2FF call 004049E0
:004D52F1 037DE4 add edi, dword ptr [ebp-1C]
====>EDI=00000010 + 00000026=00000036

:004D52F4 81E73F000080 and edi, 8000003F
====>EDI=00000036 AND 8000003F=00000036

:004D52FA 7905 jns 004D5301
:004D52FC 4F dec edi
:004D52FD 83CFC0 or edi, FFFFFFC0
:004D5300 47 inc edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D52FA(C)
|
:004D5301 3BDF cmp ebx, edi
====>比较了！相等则OK！
====>EBX=00000000
====>EAX=00000036

:004D5303 750F jne 004D5314
====> 跳则OVER！

:004D5305 8B4508 mov eax, dword ptr [ebp+08]

* Possible StringData Ref from Code Obj ->"REG"
|
:004D5308 BA8C534D00 mov edx, 004D538C
:004D530D E822F7F2FF call 00404A34
:004D5312 EB12 jmp 004D5326

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5303(C)
|
:004D5314 8B4508 mov eax, dword ptr [ebp+08]
:004D5317 E8C4F6F2FF call 004049E0
:004D531C EB08 jmp 004D5326

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004D50BC(C), :004D50CD(C), :004D50DE(C)
|
:004D531E 8B4508 mov eax, dword ptr [ebp+08]
:004D5321 E8BAF6F2FF call 004049E0

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004D52E7(U), :004D5312(U), :004D531C(U)
|
:004D5326 33C0 xor eax, eax
:004D5328 5A pop edx
:004D5329 59 pop ecx
:004D532A 59 pop ecx
:004D532B 648910 mov dword ptr fs:[eax], edx
:004D532E 6858534D00 push 004D5358

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004D5356(U)
|
:004D5333 8D45DC lea eax, dword ptr [ebp-24]
:004D5336 E8A5F6F2FF call 004049E0
:004D533B 8D45F4 lea eax, dword ptr [ebp-0C]
:004D533E BA03000000 mov edx, 00000003
:004D5343 E8BCF6F2FF call 00404A04
:004D5348 8D450C lea eax, dword ptr [ebp+0C]
:004D534B E890F6F2FF call 004049E0
:004D5350 C3 ret

—— ———————————————————————————————
进入关键CALL： call 004B0604

因为各个字符的取位置流程是相同的，因此只是记录了用户名的取值。

* Referenced by a CALL at Addresses:
|:004D50FA , :004D5108 , :004D5132 , :004D5171 , :004D51A4
|:004D51BC , :004D5203 , :004D5211 , :004D5240 , :004D529E
|:004D5A57 , :004D6043 , :004D6057 , :004D6143 , :004D6157
|:004EBB16 , :00510061 , :00510D54 , :00510D7E , :00513A3E
|:00514258 , :00514288 , :00514C09 , :00514C34 , :00519EA5
|:00519ECF , :00519F09 , :00519F1A
|
:004B0604 33D2 xor edx, edx
:004B0606 EB01 jmp 004B0609

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0618(C)
|
:004B0608 42 inc edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0606(U)
|
:004B0609 33C9 xor ecx, ecx
:004B060B 8ACA mov cl, dl
:004B060D 3A81FC225200 cmp al, byte ptr [ecx+005222FC]
====>把用户名字符的HEX值与下张表中的值比较，
取其所在表中的位置

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆ ☆☆☆☆☆☆☆☆☆
[005222FC]内存中有一张表：

005222FC 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 0123456789ABCDEF
0052230C 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 GHIJKLMNOPQRSTUV
0052231C 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C WXYZabcdefghijkl
0052232C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 40 2E mnopqrstuvwxyz@.
0052233C 88 22 4B 00 ?K..
☆☆☆☆☆☆☆ ☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

< br>:004B0613 7405 je 004B061A
:004B0615 80FA40 cmp dl, 40
:004B0618 72EE jb 004B0608

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B0613(C)
|
:004B061A 33C0 xor eax, eax
:004B061C 8AC2 mov al, dl
fly01
====>66、6C、79、30、31分别对应于：29、2F、3C、00 、01

fly01rusreg
====>66、6C、79、30、31、72、75、73、 72、65、67
对应于：29、2F、3C、00、01、35、38、36、35、28、2A

:004B061E 83E03F and eax, 0000003F
====>EAX AND 0000003F

:004B0621 C3 ret

——————————————————————————— ——————
【算法总结】：

1、程序通过取用户名、用户名+rusreg、Internet Download Accelerator、E-mail
的字符在表中的位置值参与运算，得出：36

2、对试炼码进行同样的取值运算得出00，如果这2者相同则0K！

3、所以我们可以对注册码以此为目的进行求逆。有很多可能的组合。^O^ ^O^

———————————————————— —————————————
【注册信息保存】：

REGEDIT4

[HKEY_CURRENT_USER\Software\2V G\Internet Download Accelerator]

"Name"="fly01"
"Email" ="fly@263.net"
"REGKEY"="Bt6XnYgqvu1b63uX& quot;

——————————————————————————————— ——
【整理】：

Name : fly01
E-mail：fly@263.net
注册码：fly[OCN][FCG]xyz

简单求逆出一组注册码。 ^O^ ^O^……有很多呀……^O^ ^O^

————————————————— ————————————————

, _/
/| _.-~/ \_ , 青春都一饷
( /~ / \~-._ |\
`\\ _/ \ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂
`~ _( ,_..--\ ( ,;'' / ~-- /._`\
/~~//' /' `~\ ) /--.._, )_ `~
" `~" " `" /~'`\ `\\~~\
" " "~' ""

Cracked By 巢水工作坊——fly [OCN][FCG]

2003-05-09 02:26