作者:lordor[BCG]
Mail:lordor@sina.com
目的:属技术交流,无其它目的,请不要任意散布或用于商业用途。初学破解,如有不对的地方欢迎批评指出。
工具:softice,w32Dasm,ollydbg,DeDe,Aspackdie1.3
试炼码:
机器码:A21401E1-282
用户名:lordor[BCG]
注册码:654321
来到这里:
00529D98 /. 55 PUSH
EBP
00529D99 |. 8BEC MOV
EBP,ESP
00529D9B |. 6A 00 PUSH
0
00529D9D |. 6A 00 PUSH
0
00529D9F |. 53 PUSH
EBX
00529DA0 |. 8BD8 MOV
EBX,EAX
00529DA2 |. 33C0 XOR
EAX,EAX
00529DA4 |. 55
PUSH EBP
00529DA5 |. 68 D49E5200 PUSH
unpacked.00529ED4
00529DAA |. 64:FF30 PUSH
DWORD PTR FS:[EAX]
00529DAD |. 64:8920 MOV
DWORD PTR FS:[EAX],ESP
00529DB0 |. 8D55 FC
LEA EDX,DWORD PTR SS:[EBP-4]
00529DB3 |. 8B83 E4020000 MOV
EAX,DWORD PTR DS:[EBX+2E4]
00529DB9 |. E8 9A85F0FF CALL
unpacked.00432358
; 取用户名
00529DBE |. 8B55 FC MOV
EDX,DWORD PTR SS:[EBP-4] ;
用户名入edx
00529DC1 |. B8 F0755800 MOV
EAX,unpacked.005875F0
00529DC6 |. E8 F19FEDFF CALL
unpacked.00403DBC
00529DCB |. 8D55 F8 LEA
EDX,DWORD PTR SS:[EBP-8]
00529DCE |. 8B83 E8020000 MOV EAX,DWORD
PTR DS:[EBX+2E8]
00529DD4 |. E8 7F85F0FF CALL
unpacked.00432358
; 取注册码
00529DD9 |. 8B55 F8 MOV
EDX,DWORD PTR SS:[EBP-8] ;
注册码入edx
00529DDC |. B8 F8755800 MOV
EAX,unpacked.005875F8
00529DE1 |. E8 D69FEDFF CALL
unpacked.00403DBC
00529DE6 |. A1 2C985700 MOV EAX,DWORD
PTR DS:[57982C]
00529DEB |. 8B15 F0755800 MOV EDX,DWORD PTR
DS:[5875F0] ;
用户名入edx
00529DF1 |. E8 C69FEDFF CALL
unpacked.00403DBC
00529DF6 |. FF05 14765800 INC DWORD PTR
DS:[587614]
00529DFC |. 833D 14765800>CMP DWORD PTR
DS:[587614],3
00529E03 |. 7E 0F JLE
SHORT unpacked.00529E14
00529E05 |. C783 34020000>MOV DWORD
PTR DS:[EBX+234],2
00529E0F |. E9 A5000000 JMP
unpacked.00529EB9
00529E14 |> A1 049C5700 MOV EAX,DWORD
PTR DS:[579C04]
00529E19 |. 8B00
MOV EAX,DWORD PTR DS:[EAX]
00529E1B |. E8 982E0000
CALL unpacked.0052CCB8
; 关键call,F8进入
00529E20 |. 84C0
TEST AL,AL
; AL 为校验结果标志:非零表示注册码正确,为 0 则下面的 JE 跳到 00529E6B 的失败分支
00529E22 |. /74 47 JE SHORT unpacked.00529E6B
00529E24 |. |A1 949B5700 MOV EAX,DWORD
PTR DS:[579B94]
00529E29 |. |C700 01000000 MOV DWORD PTR
DS:[EAX],1
00529E2F |. |A1 B0995700 MOV EAX,DWORD PTR
DS:[5799B0]
00529E34 |. |C700 01000000 MOV DWORD PTR
DS:[EAX],1
00529E3A |. |8BC3 MOV
EAX,EBX
00529E3C |. |E8 83FEFFFF CALL
unpacked.00529CC4
00529E41 |. |A1 049C5700 MOV EAX,DWORD PTR
DS:[579C04]
00529E46 |. |8B00 MOV
EAX,DWORD PTR DS:[EAX]
00529E48 |. |8B80 08030000 MOV EAX,DWORD PTR
DS:[EAX+308]
00529E4E |. |33D2 XOR
EDX,EDX
00529E50 |. |E8 FF8CF1FF CALL
unpacked.00442B54
00529E55 |. |A1 00765800 MOV EAX,DWORD PTR
DS:[587600]
00529E5A |. |E8 6DDEF2FF CALL
unpacked.00457CCC
00529E5F |. |A1 E8755800 MOV EAX,DWORD PTR
DS:[5875E8]
00529E64 |. |E8 DB38F2FF CALL
unpacked.0044D744
00529E69 |. |EB 4E JMP
SHORT unpacked.00529EB9
00529E6B |> \A1 949B5700 MOV
EAX,DWORD PTR DS:[579B94]
00529E70 |. 33D2
XOR EDX,EDX
00529E72 |. 8910
MOV DWORD PTR DS:[EAX],EDX
------------------------------------
关键call:
0052CCB8 /$ 55 PUSH
EBP
0052CCB9 |. 8BEC MOV
EBP,ESP
0052CCBB |. B9 05000000 MOV ECX,5
0052CCC0
|> 6A 00 /PUSH 0
0052CCC2 |.
6A 00 |PUSH 0
0052CCC4 |. 49
|DEC ECX
0052CCC5 |.^ 75 F9
\JNZ SHORT unpacked.0052CCC0
0052CCC7 |.
53 PUSH EBX
0052CCC8 |.
56 PUSH ESI
0052CCC9 |.
57 PUSH EDI
0052CCCA |.
33C0 XOR EAX,EAX
0052CCCC |.
55 PUSH EBP
0052CCCD |.
68 3BCF5200 PUSH unpacked.0052CF3B
0052CCD2 |.
64:FF30 PUSH DWORD PTR FS:[EAX]
0052CCD5 |.
64:8920 MOV DWORD PTR FS:[EAX],ESP
0052CCD8
|. 8D45 F0 LEA EAX,DWORD PTR
SS:[EBP-10]
0052CCDB |. BA 54CF5200 MOV
EDX,unpacked.0052CF54 ;
ASCII
"sef1sn8y3420dnu2ofps"
0052CCE0 |. E8 1B71EDFF
CALL unpacked.00403E00
0052CCE5 |. 8D45 F4
LEA EAX,DWORD PTR SS:[EBP-C]
0052CCE8 |. E8 7B70EDFF
CALL unpacked.00403D68
0052CCED |. 8B15 309A5700 MOV
EDX,DWORD PTR DS:[579A30] ;
unpacked.005875F0
0052CCF3 |. 8B12
MOV EDX,DWORD PTR DS:[EDX]
; 用户名入edx
0052CCF5 |. 8D45 EC
LEA EAX,DWORD PTR SS:[EBP-14]
0052CCF8 |. 8B0D
703C1301 MOV ECX,DWORD PTR DS:[1133C70] ;
机器码入ecx
0052CCFE |. E8 3173EDFF CALL
unpacked.00404034
; 用户名+机器码接起来,形成串A
0052CD03 |. 8B45 EC
MOV EAX,DWORD PTR SS:[EBP-14] ;
A串入eax
0052CD06 |. E8 DD72EDFF CALL
unpacked.00403FE8
; 取串A的长度(返回值随即被下一条 MOV EAX 覆盖,实际并未使用)
0052CD0B |. A1 703C1301 MOV EAX,DWORD PTR
DS:[1133C70] ; 机器码入eax
0052CD10
|. E8 D372EDFF CALL unpacked.00403FE8
; 取机器码长度,存入esi作为循环次数
0052CD15 |.
8BF0 MOV ESI,EAX
0052CD17 |.
85F6 TEST ESI,ESI
0052CD19 |.
0F8E B0000000 JLE unpacked.0052CDCF
0052CD1F |. BB 01000000
MOV EBX,1
0052CD24 |> 8D45 E8 /LEA
EAX,DWORD PTR SS:[EBP-18]
0052CD27 |. 50
|PUSH EAX
0052CD28 |. B9 01000000 |MOV
ECX,1
0052CD2D |. 8BD3 |MOV
EDX,EBX
0052CD2F |. A1 703C1301 |MOV EAX,DWORD PTR
DS:[1133C70] ; 机器码入eax
0052CD34
|. E8 B774EDFF |CALL unpacked.004041F0
; 从机器码第ebx位开始取1位
0052CD39 |. 8B45 E8
|MOV EAX,DWORD PTR SS:[EBP-18]
0052CD3C |. E8
6B74EDFF |CALL unpacked.004041AC
0052CD41 |. 8BF8
|MOV EDI,EAX
0052CD43 |. A1 309A5700
|MOV EAX,DWORD PTR DS:[579A30]
0052CD48 |. 8B00
|MOV EAX,DWORD PTR DS:[EAX]
; 用户名入eax
0052CD4A |. E8
9972EDFF |CALL unpacked.00403FE8
; 取用户名长度
0052CD4F |. 3BD8
|CMP EBX,EAX
; 用户名长度与计数器ebx比较,ebx已超过用户名长度则转 0052CD76 改从常量串取字符
0052CD51 |. 7F 23
|JG SHORT unpacked.0052CD76
0052CD53 |. 8D45 E4
|LEA EAX,DWORD PTR SS:[EBP-1C]
0052CD56 |. 50
|PUSH EAX
0052CD57 |. A1
309A5700 |MOV EAX,DWORD PTR DS:[579A30]
0052CD5C |. 8B00
|MOV EAX,DWORD PTR DS:[EAX]
; 用户名入eax
0052CD5E |.
B9 01000000 |MOV ECX,1
0052CD63 |. 8BD3
|MOV EDX,EBX
0052CD65 |. E8 8674EDFF
|CALL unpacked.004041F0
; 从用户名第ebx位开始取1位
0052CD6A |. 8B45 E4
|MOV EAX,DWORD PTR SS:[EBP-1C]
0052CD6D |. E8
3A74EDFF |CALL unpacked.004041AC
0052CD72 |. 8BD0
|MOV EDX,EAX
0052CD74 |. EB 1D
|JMP SHORT unpacked.0052CD93
0052CD76 |>
8D45 E0 |LEA EAX,DWORD PTR SS:[EBP-20]
0052CD79
|. 50 |PUSH EAX
0052CD7A
|. B9 01000000 |MOV ECX,1
0052CD7F |. 8BD3
|MOV EDX,EBX
0052CD81 |. 8B45
F0 |MOV EAX,DWORD PTR SS:[EBP-10]
0052CD84 |.
E8 6774EDFF |CALL unpacked.004041F0
0052CD89 |. 8B45
E0 |MOV EAX,DWORD PTR SS:[EBP-20]
0052CD8C |.
E8 1B74EDFF |CALL unpacked.004041AC
0052CD91 |. 8BD0
|MOV EDX,EAX
0052CD93 |>
8A07 |MOV AL,BYTE PTR DS:[EDI]
; 取得的一位机器码入al
0052CD95
|. 8A12 |MOV DL,BYTE PTR DS:[EDX]
; 取得的一位用户名入dl(ebx超过用户名长度时,为常量串 sef1sn8y3420dnu2ofps 的第ebx位)
0052CD97 |. 3C 41
|CMP AL,41
; 机器码是否为字母A
0052CD99 |.
75 02 |JNZ SHORT unpacked.0052CD9D
0052CD9B
|. B0 66 |MOV AL,66
; 如是字母A就用f代替al的值
0052CD9D |> 8BF8
|MOV EDI,EAX
0052CD9F |. 81E7 FF000000 |AND
EDI,0FF
0052CDA5 |. 33C0 |XOR
EAX,EAX
0052CDA7 |. 8AC2 |MOV
AL,DL
; 一位用户名字符入al(eax已清零,相当于零扩展)
0052CDA9 |.
03F8 |ADD EDI,EAX
;
edi与eax相加,即1位机器码与1位用户名相加
0052CDAB |. 03FB
|ADD EDI,EBX
; 再加上计数器ebx(字符位置,从1起)
0052CDAD |. 8D4D DC |LEA
ECX,DWORD PTR SS:[EBP-24]
0052CDB0 |. BA 02000000 |MOV
EDX,2
0052CDB5 |. 8BC7 |MOV
EAX,EDI
0052CDB7 |. E8 ECCDEDFF |CALL unpacked.00409BA8
; 把上面的和转成两位十六进制字符串(edx=2 为位数);以第1位验证:'A'→'f'=0x66=102,'l'=108,102+108+1=211=0xD3,即注册码开头的 D3
0052CDBC |. 8B55 DC
|MOV EDX,DWORD PTR SS:[EBP-24]
0052CDBF |. 8D45 F8
|LEA EAX,DWORD PTR SS:[EBP-8]
0052CDC2 |. E8 2972EDFF
|CALL unpacked.00403FF0
; 接起来形成串B
0052CDC7 |. 43
|INC EBX
0052CDC8 |. 4E
|DEC ESI
0052CDC9 |.^ 0F85 55FFFFFF \JNZ
unpacked.0052CD24
0052CDCF |> \8B45 F8 MOV
EAX,DWORD PTR SS:[EBP-8]
0052CDD2 |. E8 1172EDFF CALL
unpacked.00403FE8
0052CDD7 |. 8D45 FC LEA
EAX,DWORD PTR SS:[EBP-4]
0052CDDA |. 8B55 F8
MOV EDX,DWORD PTR SS:[EBP-8]
0052CDDD |. E8 1E70EDFF CALL
unpacked.00403E00
0052CDE2 |. 8B45 FC MOV
EAX,DWORD PTR SS:[EBP-4]
0052CDE5 |. E8 FE71EDFF CALL
unpacked.00403FE8
0052CDEA |. 8BF0
MOV ESI,EAX
0052CDEC |. 85F6
TEST ESI,ESI
0052CDEE |. 0F8E F6000000 JLE
unpacked.0052CEEA
0052CDF4 |. BB 01000000 MOV
EBX,1
0052CDF9 |> 8B45 FC /MOV EAX,DWORD
PTR SS:[EBP-4] ;
串B入eax
0052CDFC |. 807C18 FF 41 |CMP BYTE PTR
DS:[EAX+EBX-1],41 ; 是否为 A
0052CE01
|. 75 0D |JNZ SHORT
unpacked.0052CE10
0052CE03 |. 8D45 FC |LEA
EAX,DWORD PTR SS:[EBP-4]
0052CE06 |. E8 AD73EDFF |CALL
unpacked.004041B8
0052CE0B |. C64418 FF 4D |MOV BYTE PTR
DS:[EAX+EBX-1],4D ; 用M代替A
0052CE10
|> 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
; 串B入eax
0052CE13 |.
807C18 FF 31 |CMP BYTE PTR DS:[EAX+EBX-1],31
; 是否为 1
0052CE18 |. 75 0D
|JNZ SHORT unpacked.0052CE27
0052CE1A |. 8D45 FC
|LEA EAX,DWORD PTR SS:[EBP-4]
0052CE1D |. E8
9673EDFF |CALL unpacked.004041B8
0052CE22 |. C64418 FF 4F
|MOV BYTE PTR DS:[EAX+EBX-1],4F
0052CE27 |> 8B45 FC
|MOV EAX,DWORD PTR SS:[EBP-4]
; 串B入eax
0052CE2A |. 807C18 FF 32 |CMP
BYTE PTR DS:[EAX+EBX-1],32 ;
是否为 2
0052CE2F |. 75 0D |JNZ
SHORT unpacked.0052CE3E
0052CE31 |. 8D45 FC
|LEA EAX,DWORD PTR SS:[EBP-4]
0052CE34 |. E8 7F73EDFF
|CALL unpacked.004041B8
0052CE39 |. C64418 FF 33 |MOV BYTE
PTR DS:[EAX+EBX-1],33
0052CE3E |> 8B45 FC
|MOV EAX,DWORD PTR SS:[EBP-4] ;
串B入eax
0052CE41 |. 807C18 FF 72 |CMP BYTE PTR
DS:[EAX+EBX-1],72 ; 是否为 r(串B为十六进制串时不会出现 r,此分支实际不会触发)
0052CE46
|. 75 0D |JNZ SHORT
unpacked.0052CE55
0052CE48 |. 8D45 FC |LEA
EAX,DWORD PTR SS:[EBP-4]
0052CE4B |. E8 6873EDFF |CALL
unpacked.004041B8
0052CE50 |. C64418 FF 37 |MOV BYTE PTR
DS:[EAX+EBX-1],37
0052CE55 |> 8B45 FC
|MOV EAX,DWORD PTR SS:[EBP-4] ;
串B入eax
0052CE58 |. 807C18 FF 34 |CMP BYTE PTR
DS:[EAX+EBX-1],34 ; 是否为4
0052CE5D
|. 75 0D |JNZ SHORT
unpacked.0052CE6C
0052CE5F |. 8D45 FC |LEA
EAX,DWORD PTR SS:[EBP-4]
0052CE62 |. E8 5173EDFF |CALL
unpacked.004041B8
0052CE67 |. C64418 FF 4A |MOV BYTE PTR
DS:[EAX+EBX-1],4A
0052CE6C |> 8B45 FC
|MOV EAX,DWORD PTR SS:[EBP-4] ;
串B入eax
0052CE6F |. 807C18 FF 35 |CMP BYTE PTR
DS:[EAX+EBX-1],35 ; 是否为5
0052CE74
|. 75 0D |JNZ SHORT
unpacked.0052CE83
0052CE76 |. 8D45 FC |LEA
EAX,DWORD PTR SS:[EBP-4]
0052CE79 |. E8 3A73EDFF |CALL
unpacked.004041B8
0052CE7E |. C64418 FF 36 |MOV BYTE PTR
DS:[EAX+EBX-1],36
0052CE83 |> 8B45 FC
|MOV EAX,DWORD PTR SS:[EBP-4] ;
串B入eax
0052CE86 |. 807C18 FF 38 |CMP BYTE PTR
DS:[EAX+EBX-1],38 ; 是否为8
0052CE8B
|. 75 0D |JNZ SHORT
unpacked.0052CE9A
0052CE8D |. 8D45 FC |LEA
EAX,DWORD PTR SS:[EBP-4]
0052CE90 |. E8 2373EDFF |CALL
unpacked.004041B8
0052CE95 |. C64418 FF 44 |MOV BYTE PTR
DS:[EAX+EBX-1],44
0052CE9A |> 8B45 FC
|MOV EAX,DWORD PTR SS:[EBP-4] ;
串B入eax
0052CE9D |. 807C18 FF 30 |CMP BYTE PTR
DS:[EAX+EBX-1],30 ; 是否为0
0052CEA2
|. 75 0D |JNZ SHORT
unpacked.0052CEB1
0052CEA4 |. 8D45 FC |LEA
EAX,DWORD PTR SS:[EBP-4]
0052CEA7 |. E8 0C73EDFF |CALL
unpacked.004041B8
0052CEAC |. C64418 FF 4D |MOV BYTE PTR
DS:[EAX+EBX-1],4D
0052CEB1 |> 8B45 FC
|MOV EAX,DWORD PTR SS:[EBP-4] ;
串B入eax
0052CEB4 |. 807C18 FF 45 |CMP BYTE PTR
DS:[EAX+EBX-1],45 ; 是否为 E
0052CEB9
|. 75 0D |JNZ SHORT
unpacked.0052CEC8
0052CEBB |. 8D45 FC |LEA
EAX,DWORD PTR SS:[EBP-4]
0052CEBE |. E8 F572EDFF |CALL
unpacked.004041B8
0052CEC3 |. C64418 FF 44 |MOV BYTE PTR
DS:[EAX+EBX-1],44
0052CEC8 |> 8D45 D8
|LEA EAX,DWORD PTR SS:[EBP-28]
0052CECB |. 8B55 FC
|MOV EDX,DWORD PTR SS:[EBP-4] ;
串B入edx
0052CECE |. 8A541A FF |MOV DL,BYTE
PTR DS:[EDX+EBX-1] ;
取1位串B入dl
0052CED2 |. E8 3970EDFF |CALL
unpacked.00403F10
0052CED7 |. 8B55 D8 |MOV
EDX,DWORD PTR SS:[EBP-28]
0052CEDA |. 8D45 F4
|LEA EAX,DWORD PTR SS:[EBP-C]
0052CEDD |. E8 0E71EDFF
|CALL unpacked.00403FF0
0052CEE2 |. 43
|INC EBX
0052CEE3 |. 4E
|DEC ESI
0052CEE4 |.^ 0F85 0FFFFFFF \JNZ
unpacked.0052CDF9
0052CEEA |> \A1 C09A5700 MOV EAX,DWORD PTR
DS:[579AC0]
0052CEEF |. 8B00
MOV EAX,DWORD PTR DS:[EAX]
; 输入的注册码入eax
0052CEF1 |. 8B55 F4
MOV EDX,DWORD PTR SS:[EBP-C] ;
真码入edx
0052CEF4 |. E8 FF71EDFF CALL
unpacked.004040F8
; 关键比较:输入的注册码与真码做字串比较
0052CEF9 |. /75 23 JNZ
SHORT unpacked.0052CF1E ;
不等则跳
-------------------------------------------
总结 :
算法:先把用户名与机器码连接成串A(其长度被取出后并未使用,循环次数由机器码长度决定)。然后 ebx 从 1 开始遍历机器码的每一位:取机器码第 ebx 位 m,若 m 为字母 'A' 则用 'f'(0x66)代替;取用户名第 ebx 位 u,若 ebx 已超过用户名长度,则改从程序内置常量串 "sef1sn8y3420dnu2ofps" 的第 ebx 位取;计算 m+u+ebx,转成两位十六进制(call 00409BA8,edx=2 为位数),依次接成串B。以本例验证:第 1 位 'A'→'f'=102,'l'=108,102+108+1=211=0xD3,正是注册码开头的 "D3";第 12 位时用户名(11 位)已取完,改用常量串第 12 位 '0'=48,机器码 '2'=50,50+48+12=110=0x6E,置换后得结尾的 "6D"。随后对串B逐位做固定置换:A→M,1→O,2→3,r→7,4→J,5→6,8→D,0→M,E→D,其余不变(串B只含 0-9、A-F,r 的分支实际不会触发),得到真码;最后用字串比较把真码与输入的注册码比较,相等则返回 AL 非零,调用处 00529E20 的 TEST AL,AL / JE 据此决定是否注册成功。
注册信息以明文保存在:
[HKEY_USERS\.DEFAULT\Software\Osb\Demo]
"Name"="lordor[BCG]"
"Pass"="D3M3M69CMJM9M77B79D3MM6D"
几点安全上的说明:注册码完全由用户名、机器码和一个硬编码常量串决定,算法全部在客户端可见,所以注册机就是把上面的步骤照抄一遍;校验结果只依赖 00529E20 处一条 TEST AL,AL / JE,改一个字节即可绕过;调用处的计数器 [587614] 每次加 1,超过 3 次后不再调用关键 call,而是置 [EBX+234]=2 后直接跳到 00529EB9,该计数器只是内存中的一个全局变量;Name/Pass 明文写入注册表,机器码相同的机器上可以直接复制使用。
机器码:A21401E1-282
用户名:lordor[BCG]
注册码:D3M3M69CMJM9M77B79D3MM6D
cracked by lordor[BCG]
03.06.07