算法浅探——万年历
V2.4.053
下载页面: http://www.skycn.com/soft/11961.html
软件大小: 241 KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 时钟日历
应用平台: Win9x/NT/2000/XP
加入时间: 2003-05-05 11:11:05
下载次数: 29
推荐等级: ***
【软件简介】:本万年历工作范围1901-2100年,共200年。能显示公历、农历日期,交节气时间,年月日时干支,及简单的占卜等;想知道今天的运气如何? 可以试试………
【软件限制】:20次试用。免费软件。
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、PEiD、AspackDie、W32Dasm 9.0白金版
—————————————————————————————————
【过 程】:
这个小东东的算法实在是有点麻烦,呵呵,跟到中间有点头大眼花了。^O^ ^O^
万年历 V2.4.053.exe 是ASPack 2.12壳,用AspackDie脱之。2410K->708K。 Delphi 编写。
用户名:fly
机器码:c7a5f8d8
试炼码:13572468
—————————————————————————————————
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475C1C(C)
|
:00475C31 8D55F8 lea edx, dword ptr [ebp-08]
:00475C34 8B831C030000 mov eax, dword ptr [ebx+0000031C]
:00475C3A E83924FCFF call 00438078
:00475C3F 837DF800 cmp dword ptr [ebp-08], 00000000
====>没有注册码?
:00475C43 7523 jne 00475C68
:00475C45 8B831C030000 mov eax, dword ptr [ebx+0000031C]
:00475C4B 8B10 mov edx, dword ptr [eax]
:00475C4D FF92C4000000 call dword ptr [edx+000000C4]
* Possible StringData Ref from Code Obj ->"未输入注册码"
|
:00475C53 BA885E4700 mov edx, 00475E88
:00475C58 8B8308030000 mov eax, dword ptr [ebx+00000308]
:00475C5E E84524FCFF call 004380A8
:00475C63 E987010000 jmp 00475DEF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475C43(C)
|
:00475C68 8D55F4 lea edx, dword ptr [ebp-0C]
:00475C6B 8B831C030000 mov eax, dword ptr [ebx+0000031C]
:00475C71 E80224FCFF call 00438078
:00475C76 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=13572468 试炼码
:00475C79 50 push eax
:00475C7A 8D55EC lea edx, dword ptr [ebp-14]
:00475C7D 8B8314030000 mov eax, dword ptr [ebx+00000314]
:00475C83 E8F023FCFF call 00438078
:00475C88 8B45EC mov eax, dword ptr [ebp-14]
====>EAX=c7a5f8d8 机器码
:00475C8B 50 push eax
:00475C8C 8D45F0 lea eax, dword ptr [ebp-10]
:00475C8F 50 push eax
:00475C90 8D55E8 lea edx, dword ptr [ebp-18]
:00475C93 A198C54700 mov eax, dword ptr [0047C598]
:00475C98 8B00 mov eax, dword ptr [eax]
:00475C9A E87D1CFEFF call 0045791C
:00475C9F 8B45E8 mov eax, dword ptr [ebp-18]
:00475CA2 50 push eax
:00475CA3 8D55E4 lea edx, dword ptr [ebp-1C]
:00475CA6 8B8310030000 mov eax, dword ptr [ebx+00000310]
:00475CAC E8C723FCFF call 00438078
:00475CB1 8B45E4 mov eax, dword ptr [ebp-1C]
====>EAX=fly 用户名
* Possible StringData Ref from Code Obj ->"China"
|
:00475CB4 BAA05E4700 mov edx, 00475EA0
====>EDX=China 程序自给的参数
:00475CB9 59 pop ecx
:00475CBA E8E9F2FFFF call 00474FA8
====>关键CALL!进入!
:00475CBF 8B55F0 mov edx, dword ptr [ebp-10]
====>EDX=901e494b 注册码
:00475CC2 58 pop eax
====>EAX=13572468 试炼码
:00475CC3 E89CE7F8FF call 00404464
====>比较CALL!
:00475CC8 742B je 00475CF5
====>不跳则OVER!
:00475CCA 6A30 push 00000030
* Possible StringData Ref from Code Obj ->"警告"
|
:00475CCC 68A85E4700 push 00475EA8
* Possible StringData Ref from Code Obj ->"注册码不符!"
====>BAD BOY!
:00475CD1 68B05E4700 push 00475EB0
:00475CD6 8BC3 mov eax, ebx
:00475CD8 E88F8BFCFF call 0043E86C
:00475CDD 50 push eax
* Reference To: user32.MessageBoxA, Ord:0000h
|
:00475CDE E88D0BF9FF Call 00406870
:00475CE3 B201 mov dl, 01
:00475CE5 8B8330030000 mov eax, dword ptr [ebx+00000330]
:00475CEB E8A822FCFF call 00437F98
:00475CF0 E9FA000000 jmp 00475DEF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475CC8(C)
|
:00475CF5 33C0 xor eax, eax
:00475CF7 E80CF4FFFF call 00475108
:00475CFC 3C02 cmp al, 02
:00475CFE 0F85EB000000 jne 00475DEF
* Possible StringData Ref from Code Obj ->"注册成功"
====>呵呵,胜利女神!
:00475D04 BAC45E4700 mov edx, 00475EC4
:00475D09 8B8308030000 mov eax, dword ptr [ebx+00000308]
:00475D0F E89423FCFF call 004380A8
—————————————————————————————————
进入关键CALL:00475CBA call 00474FA8
* Referenced by a CALL at Addresses:
|:00475606 , :00475CBA
|
:00474FA8 55 push ebp
:00474FA9 8BEC mov ebp, esp
:00474FAB 83C4EC add esp, FFFFFFEC
:00474FAE 53 push ebx
:00474FAF 33DB xor ebx, ebx
:00474FB1 895DEC mov dword ptr [ebp-14], ebx
:00474FB4 895DF0 mov dword ptr [ebp-10], ebx
:00474FB7 894DF4 mov dword ptr [ebp-0C], ecx
:00474FBA 8955F8 mov dword ptr [ebp-08], edx
:00474FBD 8945FC mov dword ptr [ebp-04], eax
====>EAX=fly 用户名
:00474FC0 8B45FC mov eax, dword ptr [ebp-04]
:00474FC3 E840F5F8FF call 00404508
:00474FC8 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=China 程序自给的参数
:00474FCB E838F5F8FF call 00404508
:00474FD0 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=万年历 (1901-2100) 程序自给的参数
:00474FD3 E830F5F8FF call 00404508
:00474FD8 8B450C mov eax, dword ptr [ebp+0C]
====>EAX=c7a5f8d8 机器码
:00474FDB E828F5F8FF call 00404508
:00474FE0 33C0 xor eax, eax
:00474FE2 55 push ebp
:00474FE3 684E504700 push 0047504E
:00474FE8 64FF30 push dword ptr fs:[eax]
:00474FEB 648920 mov dword ptr fs:[eax], esp
:00474FEE FF75FC push [ebp-04]
:00474FF1 FF75F8 push [ebp-08]
:00474FF4 FF75F4 push [ebp-0C]
:00474FF7 FF750C push [ebp+0C]
:00474FFA 8B450C mov eax, dword ptr [ebp+0C]
:00474FFD 50 push eax
:00474FFE 8D45EC lea eax, dword ptr [ebp-14]
:00475001 50 push eax
:00475002 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00475005 8B55F8 mov edx, dword ptr [ebp-08]
:00475008 8B45FC mov eax, dword ptr [ebp-04]
:0047500B E840FDFFFF call 00474D50
====>对上面3组参数进行处理得出最后一组参数
:00475010 FF75EC push [ebp-14]
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
内存中的值是上面得出的参数:
00C148E8 5F 3E 45 51 20 _>EQ
这是最后一组参数!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00475013 8D45F0 lea eax, dword ptr [ebp-10]
:00475016 BA05000000 mov edx, 00000005
:0047501B E8B8F3F8FF call 004043D8
====>把上面5组字符连接起来
:00475020 8B5508 mov edx, dword ptr [ebp+08]
:00475023 8B45F0 mov eax, dword ptr [ebp-10]
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
内存中的值是上面连接的结果:
00C1C280 66 6C 79 43 68 69 6E 61 CD F2 C4 EA C0 FA 20 28 flyChina万年历 (
00C1C290 31 39 30 31 2D 32 31 30 30 29 63 37 61 35 66 38 1901-2100)c7a5f8
00C1C2A0 64 38 5F 3E 45 51 20 d8_>EQ
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00475026 E831000000 call 0047505C
====>算法CALL!进入!
:0047502B 33C0 xor eax, eax
:0047502D 5A pop edx
:0047502E 59 pop ecx
:0047502F 59 pop ecx
:00475030 648910 mov dword ptr fs:[eax], edx
:00475033 6855504700 push 00475055
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475053(U)
|
:00475038 8D45EC lea eax, dword ptr [ebp-14]
:0047503B BA05000000 mov edx, 00000005
:00475040 E837F0F8FF call 0040407C
:00475045 8D450C lea eax, dword ptr [ebp+0C]
:00475048 E80BF0F8FF call 00404058
:0047504D C3 ret
—————————————————————————————————
进入关键CALL:0047500B call 00474D50
* Referenced by a CALL at Address:
|:0047500B
|
:00474D50 55 push ebp
:00474D51 8BEC mov ebp, esp
:00474D53 83C4E8 add esp, FFFFFFE8
:00474D56 53 push ebx
:00474D57 33DB xor ebx, ebx
:00474D59 895DE8 mov dword ptr [ebp-18], ebx
:00474D5C 895DEC mov dword ptr [ebp-14], ebx
:00474D5F 895DF0 mov dword ptr [ebp-10], ebx
:00474D62 894DF4 mov dword ptr [ebp-0C], ecx
:00474D65 8955F8 mov dword ptr [ebp-08], edx
:00474D68 8945FC mov dword ptr [ebp-04], eax
:00474D6B 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly 用户名
:00474D6E E895F7F8FF call 00404508
:00474D73 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=China 程序自给的参数
:00474D76 E88DF7F8FF call 00404508
:00474D7B 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=万年历 (1901-2100) 程序自给的参数
:00474D7E E885F7F8FF call 00404508
:00474D83 8B450C mov eax, dword ptr [ebp+0C]
:00474D86 E87DF7F8FF call 00404508
:00474D8B 33C0 xor eax, eax
:00474D8D 55 push ebp
:00474D8E 680B4E4700 push 00474E0B
:00474D93 64FF30 push dword ptr fs:[eax]
:00474D96 648920 mov dword ptr fs:[eax], esp
:00474D99 33D2 xor edx, edx
:00474D9B 8B450C mov eax, dword ptr [ebp+0C]
:00474D9E E85134F9FF call 004081F4
:00474DA3 8BD0 mov edx, eax
:00474DA5 8D4DF0 lea ecx, dword ptr [ebp-10]
:00474DA8 B81C4E4700 mov eax, 00474E1C
:00474DAD E86E000000 call 00474E20
:00474DB2 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=万年历 (1901-2100) 程序自给的参数
:00474DB5 E85EF7F8FF call 00404518
:00474DBA 8D4DEC lea ecx, dword ptr [ebp-14]
:00474DBD 33D2 xor edx, edx
:00474DBF E85C000000 call 00474E20
====>对 万年历 (1901-2100) 进行运算
:00474DC4 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly 用户名
:00474DC7 E84CF7F8FF call 00404518
:00474DCC 8D4DE8 lea ecx, dword ptr [ebp-18]
:00474DCF 33D2 xor edx, edx
:00474DD1 E84A000000 call 00474E20
====>对 用户名fly 进行运算
:00474DD6 8B45F8 mov eax, dword ptr [ebp-08]
====>EAX=China 程序自给的参数
:00474DD9 E83AF7F8FF call 00404518
:00474DDE 8B4D08 mov ecx, dword ptr [ebp+08]
:00474DE1 33D2 xor edx, edx
:00474DE3 E838000000 call 00474E20
====>对 China 进行运算 得出最后一组参数
:00474DE8 33C0 xor eax, eax
:00474DEA 5A pop edx
:00474DEB 59 pop ecx
:00474DEC 59 pop ecx
:00474DED 648910 mov dword ptr fs:[eax], edx
:00474DF0 68124E4700 push 00474E12
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474E10(U)
|
:00474DF5 8D45E8 lea eax, dword ptr [ebp-18]
:00474DF8 BA06000000 mov edx, 00000006
:00474DFD E87AF2F8FF call 0040407C
:00474E02 8D450C lea eax, dword ptr [ebp+0C]
:00474E05 E84EF2F8FF call 00404058
:00474E0A C3 ret
—————————————————————————————————
进入运算CALL:00474DBF、00474DD1、00474DE3 call 00474E20
说明一下:
1、程序对3组字符的运算处理流程是一致的,因此我只是记录了运算用户名时的数据。
2、[0047DDD0]初始值是0,通过对 “万年历 (1901-2100)” 的运算而成为0002ED18,这个值可以看作是固定值,因为“万年历 (1901-2100)”参数是固定的。如果有朋友跟踪,麻烦印证一下。
3、[0047DDD4]初始值是0,通过 万年历 (1901-2100) 的运算而增至C,这个值也可以看作是固定值。
4、程序在这个基础上对用户名和China运算处理得出最后一组参数,这个是变量,根据用户名的不同而不同!
* Referenced by a CALL at Addresses:
|:00474DAD , :00474DBF , :00474DD1 , :00474DE3
|
:00474E20 55 push ebp
:00474E21 8BEC mov ebp, esp
:00474E23 83C4EC add esp, FFFFFFEC
:00474E26 53 push ebx
:00474E27 56 push esi
:00474E28 57 push edi
:00474E29 33DB xor ebx, ebx
:00474E2B 895DEC mov dword ptr [ebp-14], ebx
:00474E2E 895DF0 mov dword ptr [ebp-10], ebx
:00474E31 894DF8 mov dword ptr [ebp-08], ecx
:00474E34 8BF2 mov esi, edx
:00474E36 8945FC mov dword ptr [ebp-04], eax
:00474E39 33C0 xor eax, eax
:00474E3B 55 push ebp
:00474E3C 685A4F4700 push 00474F5A
:00474E41 64FF30 push dword ptr fs:[eax]
:00474E44 648920 mov dword ptr fs:[eax], esp
:00474E47 8D45F0 lea eax, dword ptr [ebp-10]
:00474E4A 8B55FC mov edx, dword ptr [ebp-04]
:00474E4D E8FEF3F8FF call 00404250
:00474E52 8B45F0 mov eax, dword ptr [ebp-10]
:00474E55 E8BEF4F8FF call 00404318
:00474E5A 8BD8 mov ebx, eax
:00474E5C 85DB test ebx, ebx
:00474E5E 7513 jne 00474E73
:00474E60 8935D0DD4700 mov dword ptr [0047DDD0], esi
:00474E66 6BC664 imul eax, esi, 00000064
:00474E69 A3D4DD4700 mov dword ptr [0047DDD4], eax
:00474E6E E9CC000000 jmp 00474F3F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474E5E(C)
|
:00474E73 8B45F8 mov eax, dword ptr [ebp-08]
:00474E76 E8DDF1F8FF call 00404058
:00474E7B 8BFB mov edi, ebx
:00474E7D 4F dec edi
:00474E7E 85FF test edi, edi
:00474E80 0F8CB9000000 jl 00474F3F
:00474E86 47 inc edi
:00474E87 33F6 xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F39(C)
|
:00474E89 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=fly 用户名
:00474E8C 8A0430 mov al, byte ptr [eax+esi]
====>依次取fly字符的HEX值
:00474E8F 3C20 cmp al, 20
:00474E91 0F82A0000000 jb 00474F37
:00474E97 3C7E cmp al, 7E
:00474E99 0F8798000000 ja 00474F37
:00474E9F 8B15D0DD4700 mov edx, dword ptr [0047DDD0]
1、 ====>EDX=0002ED18 此值是对上个参数处理的结果!
2、 ====>EDX=0005DA73
3、 ====>EDX=000BB502
:00474EA5 81E2FFFFFF1F and edx, 1FFFFFFF
:00474EAB 8B0DD0DD4700 mov ecx, dword ptr [0047DDD0]
:00474EB1 C1E91D shr ecx, 1D
1、 ====>ECX=0002ED18 SHR 1D=00000000
2、 ====>ECX=0005DA73 SHR 1D=00000000
3、 ====>ECX=000BB502 SHR 1D=00000000
:00474EB4 83E131 and ecx, 00000031
:00474EB7 33D1 xor edx, ecx
1、 ====>EDX=0002ED18 XOR 00000000=0002ED18
2、 ====>EDX=0005DA73 XOR 00000000=0005DA73
3、 ====>EDX=000BB502 XOR 00000000=000BB502
:00474EB9 8915D0DD4700 mov dword ptr [0047DDD0], edx
:00474EBF 8845F7 mov byte ptr [ebp-09], al
====>[ebp-09]=AL=依次取fly字符的HEX值
:00474EC2 A1D0DD4700 mov eax, dword ptr [0047DDD0]
:00474EC7 B95F000000 mov ecx, 0000005F
:00474ECC 99 cdq
:00474ECD F7F9 idiv ecx
1、 ====>EAX=0002ED18 / 5F=000007E2
2、 ====>EAX=0005DA73 / 5F=00000FC5
3、 ====>EAX=000BB502 / 5F=00001F8C
:00474ECF 33D2 xor edx, edx
:00474ED1 8A55F7 mov dl, byte ptr [ebp-09]
1、 ====>DL=66 即:f的HEX值
2、 ====>DL=6C 即:l的HEX值
3、 ====>DL=79 即:y的HEX值
:00474ED4 83EA20 sub edx, 00000020
1、 ====>EDX=00000066 - 00000020=00000046
2、 ====>EDX=0000006C - 00000020=0000004C
3、 ====>EDX=00000079 - 00000020=00000059
:00474ED7 2BC2 sub eax, edx
1、 ====>EAX=000007E2 - 00000046=0000079C
2、 ====>EAX=00000FC5 - 0000004C=00000F79
3、 ====>EAX=00001F8C - 00000059=00001F33
:00474ED9 E88A000000 call 00474F68
====>对上面的得数进行处理!进入!
:00474EDE 8BD8 mov ebx, eax
====>对上面的得数处理的结果
1、 ====>EBX=30
2、 ====>EBX=42
3、 ====>EBX=07
:00474EE0 80C320 add bl, 20
1、 ====>BL=30 + 20=50
2、 ====>BL=42 + 20=62
3、 ====>BL=07 + 20=27
:00474EE3 FF05D4DD4700 inc dword ptr [0047DDD4]
====>[0047DDD4]增1
:00474EE9 813DD4DD470079510000 cmp dword ptr [0047DDD4], 00005179
:00474EF3 7C07 jl 00474EFC
:00474EF5 33C0 xor eax, eax
:00474EF7 A3D4DD4700 mov dword ptr [0047DDD4], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474EF3(C)
|
:00474EFC 8A45F7 mov al, byte ptr [ebp-09]
:00474EFF 32C3 xor al, bl
1、 ====>AL=66 XOR 50=36
2、 ====>AL=6C XOR 62=0E
3、 ====>AL=79 XOR 27=5E
:00474F01 25FF000000 and eax, 000000FF
:00474F06 8B15D0DD4700 mov edx, dword ptr [0047DDD0]
1、 ====>EDX=0002ED18
2、 ====>EDX=0005DA73
3、 ====>EDX=000BB502
:00474F0C 0315D0DD4700 add edx, dword ptr [0047DDD0]
1、 ====>EDX=0002ED18 + 0002ED18=0005DA30
2、 ====>EDX=0005DA73 + 0005DA73=000BB4E6
3、 ====>EDX=000BB502 + 000BB502=00176A04
:00474F12 03C2 add eax, edx
1、 ====>EAX=00000036 + 0005DA30=0005DA66
2、 ====>EAX=0000000E + 000BB4E6=000BB4F4
3、 ====>EAX=0000005E + 00176A04=00176A62
:00474F14 0305D4DD4700 add eax, dword ptr [0047DDD4]
1、 ====>EAX=0005DA66 + D=0005DA73
2、 ====>EAX=000BB4F4 + E=000BB502
3、 ====>EAX=00176A62 + F=00176A71
:00474F1A A3D0DD4700 mov dword ptr [0047DDD0], eax
====>[0047DDD0]=EAX
:00474F1F 8D45EC lea eax, dword ptr [ebp-14]
:00474F22 8BD3 mov edx, ebx
:00474F24 E817F3F8FF call 00404240
:00474F29 8B55EC mov edx, dword ptr [ebp-14]
1、 ====>EDX=50
2、 ====>EDX=62
3、 ====>EDX=27
:00474F2C 8B45F8 mov eax, dword ptr [ebp-08]
:00474F2F E8ECF3F8FF call 00404320
:00474F34 8B45F8 mov eax, dword ptr [ebp-08]
====>对用户名循环处理最后[ebp-08]中的值:50 62 27
====>对China循环处理最后[ebp-08]中的值:5F 3E 45 51 20 终于得出最后一个参数了!
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00474E91(C), :00474E99(C)
|
:00474F37 46 inc esi
:00474F38 4F dec edi
:00474F39 0F854AFFFFFF jne 00474E89
====>循环
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00474E6E(U), :00474E80(C)
|
:00474F3F 33C0 xor eax, eax
:00474F41 5A pop edx
:00474F42 59 pop ecx
:00474F43 59 pop ecx
:00474F44 648910 mov dword ptr fs:[eax], edx
:00474F47 68614F4700 push 00474F61
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F5F(U)
|
:00474F4C 8D45EC lea eax, dword ptr [ebp-14]
:00474F4F BA02000000 mov edx, 00000002
:00474F54 E823F1F8FF call 0040407C
:00474F59 C3 ret
—————————————————————————————————
进入处理CALL:00474ED9 call 00474F68
根据不同的大小而分别进行处理!(三个常数 0000251C、000003B6、0000005F 分别是 5F 的 100 倍、10 倍和 1 倍;三段循环减法加上最后对负数补加 5F,效果就是把 EAX 归约到 00000000~0000005E 之间,即对 5F 取余。)
* Referenced by a CALL at Address:
|:00474ED9
|
:00474F68 3D1C250000 cmp eax, 0000251C
:00474F6D 7C0C jl 00474F7B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F79(C)
|
:00474F6F 2D1C250000 sub eax, 0000251C
:00474F74 3D1C250000 cmp eax, 0000251C
:00474F79 7DF4 jge 00474F6F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F6D(C)
|
:00474F7B 3DB6030000 cmp eax, 000003B6
:00474F80 7C0C jl 00474F8E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F8C(C)
|
:00474F82 2DB6030000 sub eax, 000003B6
1、 ====>EAX=0000079C - 000003B6=000003E6
====>EAX=000003E6 - 000003B6=00000030
2、 ====>EAX=00000F79 - 000003B6=00000BC3
…… …… 省 略 …… ……
====>EAX=00000457 - 000003B6=000000A1
3、 ====>EAX=00001F33 - 000003B6=00001B7D
…… …… 省 略 …… ……
====>EAX=00000539 - 000003B6=00000183
:00474F87 3DB6030000 cmp eax, 000003B6
:00474F8C 7DF4 jge 00474F82
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F80(C)
|
:00474F8E 83F85F cmp eax, 0000005F
:00474F91 7C08 jl 00474F9B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F99(C)
|
:00474F93 83E85F sub eax, 0000005F
2、 ====>EAX=000000A1 - 0000005F=00000042
3、 ====>EAX=00000183 - 0000005F=00000124
…… …… 省 略 …… ……
====>EAX=00000066 - 0000005F=00000007
:00474F96 83F85F cmp eax, 0000005F
:00474F99 7DF8 jge 00474F93
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F91(C)
|
:00474F9B 85C0 test eax, eax
:00474F9D 7D07 jge 00474FA6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474FA4(C)
|
:00474F9F 83C05F add eax, 0000005F
:00474FA2 85C0 test eax, eax
:00474FA4 7CF9 jl 00474F9F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474F9D(C)
|
:00474FA6 C3 ret
—————————————————————————————————
进入算法CALL:00475026 call 0047505C
* Referenced by a CALL at Address:
|:00475026
|
:0047505C 55 push ebp
:0047505D 8BEC mov ebp, esp
:0047505F 83C4F4 add esp, FFFFFFF4
:00475062 53 push ebx
:00475063 56 push esi
:00475064 33C9 xor ecx, ecx
:00475066 894DF4 mov dword ptr [ebp-0C], ecx
:00475069 8955F8 mov dword ptr [ebp-08], edx
:0047506C 8945FC mov dword ptr [ebp-04], eax
:0047506F 8B45FC mov eax, dword ptr [ebp-04]
:00475072 E891F4F8FF call 00404508
:00475077 33C0 xor eax, eax
:00475079 55 push ebp
:0047507A 68FB504700 push 004750FB
:0047507F 64FF30 push dword ptr fs:[eax]
:00475082 648920 mov dword ptr fs:[eax], esp
:00475085 33DB xor ebx, ebx
:00475087 8B45FC mov eax, dword ptr [ebp-04]
:0047508A E889F2F8FF call 00404318
====>取连接后字符串的长度
:0047508F 85C0 test eax, eax
====>EAX=27(H)=39(D)
:00475091 7E2C jle 004750BF
:00475093 BE01000000 mov esi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004750BD(C)
|
:00475098 8B55FC mov edx, dword ptr [ebp-04]
:0047509B 8A5432FF mov dl, byte ptr [edx+esi-01]
====>依次取下面内存中的HEX值
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
内存中的值是上面连接的结果:
00C1C280 66 6C 79 43 68 69 6E 61 CD F2 C4 EA C0 FA 20 28 flyChina万年历 (
00C1C290 31 39 30 31 2D 32 31 30 30 29 63 37 61 35 66 38 1901-2100)c7a5f8
00C1C2A0 64 38 5F 3E 45 51 20 d8_>EQ
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:0047509F 32D3 xor dl, bl
1、 ====>DL=66 XOR 00=66
2、 ====>DL=6C XOR 6D=01
3、 ====>DL=79 XOR 52=2B
…… …… 省 略 …… ……
39、 ====>DL=20 XOR 2F=0F
:004750A1 81E2FF000000 and edx, 000000FF
:004750A7 8B14956CBE4700 mov edx, dword ptr [4*edx+0047BE6C]
====>以EDX*4为指针从[0047BE6C]内存中取值
1、 ====>EDX=A4D1C46D
2、 ====>EDX=77073096
3、 ====>EDX=ACBCF940
…… …… 省 略 …… ……
39、 ====>EDX=90BF1D91
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[0047BE6C]内存中有一张表:呵呵,真不小呀。不知道是否是固定值
{:-) :-(
0047BE6C 00 00 00 00 96 30 07 77 2C
61 0E EE BA 51 09 99 ....?w,a詈Q.
0047BE7C 19 C4 6D 07 8F F4 6A
70 35 A5 63 E9 A3 95 64 9E 膍忯jp5椋昫?
0047BE8C 32 88 DB 0E A4 B8
DC 79 1E E9 D5 E0 88 D9 D2 97 2堐じ躽檎鄨僖?
0047BE9C 2B 4C B6 09 BD
7C B1 7E 07 2D B8 E7 91 1D BF 90 +L?絴眫-哥?繍
0047BEAC 64 10 B7 1D
F2 20 B0 6A 48 71 B9 F3 DE 41 BE 84 d??癹Hq贵轆緞
0047BEBC 7D D4 DA
1A EB E4 DD 6D 51 B5 D4 F4 C7 85 D3 83 }在脘輒Q翟羟呌?
0047BECC 56 98
6C 13 C0 A8 6B 64 7A F9 62 FD EC C9 65 8A V榣括kdz鵥蒭?
0047BEDC 4F
5C 01 14 D9 6C 06 63 63 3D 0F FA F5 0D 08 8D O\賚cc=.?
0047BEEC
C8 20 6E 3B 5E 10 69 4C E4 41 60 D5 72 71 67 A2 ?n;^iL銩`誶qg?
0047BEFC
D1 E4 03 3C 47 D4 04 4B FD 85 0D D2 6B B5 0A A5 唁<G?K齾.襨??
0047BF0C
FA A8 B5 35 6C 98 B2 42 D6 C9 BB DB 40 F9 BC AC ?l槻B稚慧@?
0047BF1C
E3 6C D8 32 75 5C DF 45 CF 0D D6 DC 59 3D D1 AB 鉲?u\逧?周Y=勋
0047BF2C
AC 30 D9 26 3A 00 DE 51 80 51 D7 C8 16 61 D0 BF ??:.轖Q兹a锌
0047BF3C
B5 F4 B4 21 23 C4 B3 56 99 95 BA CF 0F A5 BD B8 掉?#某V檿合ソ?
0047BF4C
9E B8 02 28 08 88 05 5F B2 D9 0C C6 24 E9 0B B1 灨(?_操.???
0047BF5C
87 7C 6F 2F 11 4C 68 58 AB 1D 61 C1 3D 2D 66 B6 噟o/LhX?a?-f?
0047BF6C
90 41 DC 76 06 71 DB 01 BC 20 D2 98 2A 10 D5 EF 怉躹q??覙*诊
0047BF7C
89 85 B1 71 1F B5 B6 06 A5 E4 BF 9F 33 D4 B8 E8 墔眖刀ヤ繜3愿?
0047BF8C
A2 C9 07 78 34 F9 00 0F 8E A8 09 96 18 98 0E E1 ⑸x4?帹.???
0047BF9C
BB 0D 6A 7F 2D 3D 6D 08 97 6C 64 91 01 5C 63 E6 ?j-=m條d?\c?
0047BFAC
F4 51 6B 6B 62 61 6C 1C D8 30 65 85 4E 00 62 F2 鬛kkbal?e匩.b?
0047BFBC
ED 95 06 6C 7B A5 01 1B C1 F4 08 82 57 C4 0F F5 頃l{?留俉??
0047BFCC
C6 D9 B0 65 50 E9 B7 12 EA B8 BE 8B 7C 88 B9 FC 瀑癳P榉旮緥|埞?
0047BFDC
DF 1D DD 62 49 2D DA 15 F3 7C D3 8C 65 4C D4 FB ?輇I-?髚訉eL喳
0047BFEC
58 61 B2 4D CE 51 B5 3A 74 00 BC A3 E2 30 BB D4 Xa睲蜵?t.迹?辉
0047BFFC
41 A5 DF 4A D7 95 D8 3D 6D C4 D1 A4 FB F4 D6 D3 AミJ讜?m难糁?
0047C00C
6A E9 69 43 FC D9 6E 34 46 88 67 AD D0 B8 60 DA j閕Cn4F坓竊?
0047C01C
73 2D 04 44 E5 1D 03 33 5F 4C 0A AA C9 7C 0D DD s-D?3_L.|.?
…… …… 省 略 …… ……
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:004750AE C1EB08 shr ebx, 08
1、 ====>EBX=00000000 SHR 8=00000000
2、 ====>EBX=A4D1C46D SHR 8=00A4D1C4
3、 ====>EBX=77A3E152 SHR 8=0077A3E1
…… …… 省 略 …… ……
39、 ====>EBX=A154DA2F SHR 8=00A154DA
:004750B1 81E3FFFFFF00 and ebx, 00FFFFFF
:004750B7 33D3 xor edx, ebx
1、 ====>EDX=A4D1C46D XOR 00000000=A4D1C46D
2、 ====>EDX=77073096 XOR 00A4D1C4=77A3E152
3、 ====>EDX=ACBCF940 XOR 0077A3E1=ACCB5AA1
…… …… 省 略 …… ……
结果 39、 ====>EDX=90BF1D91 XOR 00A154DA=901E494B
:004750B9 8BDA mov ebx, edx
====>EBX=EDX
:004750BB 46 inc esi
:004750BC 48 dec eax
:004750BD 75D9 jne 00475098
====>循环39次
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475091(C)
|
:004750BF 8BC3 mov eax, ebx
====>循环结果:EAX=EBX=901E494B
:004750C1 33D2 xor edx, edx
:004750C3 52 push edx
:004750C4 50 push eax
:004750C5 8D55F4 lea edx, dword ptr [ebp-0C]
:004750C8 B808000000 mov eax, 00000008
:004750CD E8B630F9FF call 00408188
:004750D2 8B45F4 mov eax, dword ptr [ebp-0C]
:004750D5 8B55F8 mov edx, dword ptr [ebp-08]
:004750D8 E85B2CF9FF call 00407D38
====>把901E494B中的大写字母转化为小写字母
====>901E494B->901e494b 这就是注册码了!
:004750DD 33C0 xor eax, eax
:004750DF 5A pop edx
:004750E0 59 pop ecx
:004750E1 59 pop ecx
:004750E2 648910 mov dword ptr fs:[eax], edx
:004750E5 6802514700 push 00475102
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475100(U)
|
:004750EA 8D45F4 lea eax, dword ptr [ebp-0C]
:004750ED E866EFF8FF call 00404058
:004750F2 8D45FC lea eax, dword ptr [ebp-04]
:004750F5 E85EEFF8FF call 00404058
:004750FA C3 ret
—————————————————————————————————
【算 法 总 结】:
1、程序自给2组参数:“万年历 (1901-2100)” 和 “China”
2、对“万年历 (1901-2100)” 、用户名 和 “China”进行处理运算得出最后一组参数:5F 3E 45 51 20
3、连接 用户名 + China + 万年历 (1901-2100) + 机器码 和 最后一组参数:
00C1C280 66 6C 79 43 68 69 6E 61 CD F2 C4 EA C0 FA 20 28 flyChina万年历 (
00C1C290 31 39 30 31 2D 32 31 30 30 29 63 37 61 35 66 38 1901-2100)c7a5f8
00C1C2A0 64 38 5F 3E 45 51 20 d8_>EQ
4、取以上字符的HEX值循环异或运算,以此为指针从[4*edx+0047BE6C]的表中取值进入下一轮循环运算,我不知道[0047BE6C]的表是否是固定参数,如果这张表也是变量的话,那么这个程序也就太麻烦了。真不明白,既然作者大费心机设计了如此麻烦的算法为何最后还用明码比较?完全可以来个变量比较呀,那样的话可能就没有几个人会去分析算法了。
5、循环最后得出901E494B,把里面的大写字母替换成小写字母,得出:901e494b 这就是我用了5个小时跟踪的注册码了!^O^^O^^O^^O^
—————————————————————————————————
【完 美 爆 破】:
00475CC8 742B
je 00475CF5
改为:
EB2B jmp 00475CF5
呵呵,跳过去程序就自动保存好注册信息了!
—————————————————————————————————
【KeyMake之{82th}内存注册机】:
中断地址:00475CC3
中断次数:1
第一字节:E8
指令长度:5
内存方式:EDX
—————————————————————————————————
【注册信息保存】:
REGEDIT4
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Defaultvalue"=dword:00000000
注册成功的标志!
—————————————————————————————————
【整 理】:
用户名:fly
机器码:c7a5f8d8
注册码:901e494b
—————————————————————————————————
, _/
/| _.-~/
\_ , 青春都一饷
( /~ / \~-._
|\
`\\ _/
\ ~\ ) 忍把浮名
_-~~~-.) )__/;;,. \_ //'
/'_,\ --~ \ ~~~- ,;;\___( (.-~~~-.
换了破解轻狂
`~ _( ,_..--\ ( ,;'' /
~-- /._`\
/~~//' /' `~\
) /--.._, )_ `~
" `~" "
`" /~'`\ `\\~~\
"
" "~' ""
Cracked By 巢水工作坊——fly [OCN][FCG]
2003-05-06 22:24