中华通讯录算法分析 V3.2
软件名称:中华通讯录
编译版本:v3.2
原文件:http://www.skycn.net/soft/12563.html
软件大小: 1294 KB
软件语言: 简体中文
软件类别: 国产软件 / 共享版 / 信息管理
应用平台: Win9x/NT/2000/XP
开 发 商: http://hebreed.6to23.com/
软件介绍:
中华通讯录是一款实用的通讯录软件,软件界面采用WINXP风格,功能完善,最多能够容纳十
万条通讯记录,启动时需要输入密码,使其它人不能看到你的通讯资料,让你的信息更安全。
查询栏让你很快找到你的联系人。支持增加分类,添加,删除信息。
破解工具:OllyDbg pe-scan w32dasm procdump
破解过程:
用pe-scan侦壳,发现为ASPack 1.07b
用procdump脱壳
用w32dasm反汇编,其关键地方为:
|:00503D7B(U)
|
:00503D35 59 pop ecx
:00503D36 59 pop ecx
:00503D37 648910 mov dword ptr fs:[eax], edx
:00503D3A 68623D5000 push 00503D62
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00503D60(U)
|
:00503D3F 8D45F0 lea eax, dword ptr [ebp-10]
:00503D42 BA02000000 mov edx, 00000002
:00503D47 E8BCFFEFFF call 00403D08
:00503D4C 8D45F8 lea eax, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"TChgPwdFormData"
|
:00503D4F 8B15E4E04F00 mov edx, dword ptr [004FE0E4]
:00503D55 E8460AF0FF call 004047A0
:00503D5A C3 ret
:00503D5B E900FAEFFF jmp 00403760
:00503D60 EBDD jmp 00503D3F
:00503D62 5B pop ebx
:00503D63 8BE5 mov esp, ebp
:00503D65 5D pop ebp
:00503D66 C3 ret
:00503D67 00 BYTE 0
:00503D68 C3 ret
:00503D69 DCC2 fadd st(2), st(0)
:00503D6B EBB8 jmp 00503D25
:00503D6D FC cld
:00503D6E B8C4B3C9B9 mov eax, B9C9B3C4
:00503D73 A6 cmpsb
:00503D74 A3A10000C3 mov dword ptr [C30000A1], eax
:00503D79 DCC2 fadd st(2), st(0)
:00503D7B EBB8 jmp 00503D35
:00503D7D FC cld
:00503D7E B8C4CAA7B0 mov eax, B0A7CAC4
:00503D83 DCA3A1000053 fsub qword ptr [ebx+530000A1]
:00503D89 8BD8 mov ebx, eax
:00503D8B 8BC3 mov eax, ebx
:00503D8D E89ECEFFFF call 00500C30 关键call 分析见下
:00503D92 84C0 test al, al
:00503D94 7409 je 00503D9F 死亡跳转
:00503D96 8BC3 mov eax, ebx
:00503D98 E82FCCFFFF call 005009CC
:00503D9D 5B pop ebx
:00503D9E C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00503D94(C)
|
* Possible StringData Ref from Code Obj ->"注册码不正确,无法注册"
|
:00503D9F B8B43D5000 mov eax, 00503DB4
:00503DA4 E86377F5FF call 0045B50C
:00503DA9 5B pop ebx
:00503DAA C3 ret
关键call 于00503D8D
* Referenced by a CALL at Address:
|:00503D8D
|
:00500C30 55 push ebp
:00500C31 8BEC mov ebp, esp
:00500C33 33C9 xor ecx, ecx
:00500C35 51 push ecx
:00500C36 51 push ecx
:00500C37 51 push ecx
:00500C38 51 push ecx
:00500C39 51 push ecx
:00500C3A 53 push ebx
:00500C3B 56 push esi
:00500C3C 8945FC mov dword ptr [ebp-04], eax
:00500C3F 33C0 xor eax, eax
:00500C41 55 push ebp
:00500C42 680C0D5000 push 00500D0C
:00500C47 64FF30 push dword ptr fs:[eax]
:00500C4A 648920 mov dword ptr fs:[eax], esp
:00500C4D 33C0 xor eax, eax
:00500C4F 8945F4 mov dword ptr [ebp-0C], eax
:00500C52 8D55F8 lea edx, dword ptr [ebp-08]
:00500C55 8B45FC mov eax, dword ptr [ebp-04]
:00500C58 8B8024040000 mov eax, dword ptr [eax+00000424]
:00500C5E E83141F3FF call 00434D94
:00500C63 8B45F8 mov eax, dword ptr [ebp-08]
:00500C66 E8F932F0FF call 00403F64
:00500C6B 8BD8 mov ebx, eax
:00500C6D 85DB test ebx, ebx
:00500C6F 7E2E jle 00500C9F
:00500C71 BE01000000 mov esi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500C9D(C)
|
:00500C76 8D45F0 / lea eax, dword ptr [ebp-10] 算法开始
:00500C79 50 | push eax
:00500C7A B901000000 | mov ecx, 00000001
:00500C7F 8BD6 | mov edx, esi
:00500C81 8B45F8 | mov eax, dword ptr [ebp-08]
:00500C84 E8E334F0FF | call 0040416C
:00500C89 8B45F0 | mov eax, dword ptr [ebp-10]
:00500C8C E89734F0FF | call 00404128
:00500C91 8A00 | mov al, byte ptr [eax]
:00500C93 25FF000000 | and eax, 000000FF eax=name[i]
:00500C98 0145F4 | add dword ptr [ebp-0C], eax 结果保存于ebp-0c
:00500C9B 46 | inc esi
:00500C9C 4B | dec ebx
:00500C9D 75D7 jne 00500C76 循环
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500C6F(C)
|
:00500C9F 8D55EC lea edx, dword ptr [ebp-14]
:00500CA2 8B45FC mov eax, dword ptr [ebp-04]
:00500CA5 8B8028040000 mov eax, dword ptr [eax+00000428]
:00500CAB E8E440F3FF call 00434D94
:00500CB0 8B45EC mov eax, dword ptr [ebp-14]
:00500CB3 E8FC8EF0FF call 00409BB4
:00500CB8 8B55F4 mov edx, dword ptr [ebp-0C] 上面的结果
:00500CBB 81C2FC7E1200 add edx, 00127EFC 结果加1212156(10进制)
:00500CC1 81C29AE46400 add edx, 0064E49A 结果加6612122(10进制)
:00500CC7 3BC2 cmp eax, edx 比较输入的注册码是否相等
:00500CC9 7519 jne 00500CE4 不相等就死
:00500CCB B301 mov bl, 01
:00500CCD B8F44B5200 mov eax, 00524BF4
:00500CD2 8B55F8 mov edx, dword ptr [ebp-08]
:00500CD5 E85E30F0FF call 00403D38
:00500CDA 8B45F4 mov eax, dword ptr [ebp-0C]
:00500CDD A3F84B5200 mov dword ptr [00524BF8], eax
:00500CE2 EB02 jmp 00500CE6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500CC9(C)
|
:00500CE4 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500CE2(U)
|
:00500CE6 33C0 xor eax, eax
:00500CE8 5A pop edx
:00500CE9 59 pop ecx
:00500CEA 59 pop ecx
:00500CEB 648910 mov dword ptr fs:[eax], edx
:00500CEE 68130D5000 push 00500D13
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500D11(U)
|
:00500CF3 8D45EC lea eax, dword ptr [ebp-14]
:00500CF6 E8E92FF0FF call 00403CE4
:00500CFB 8D45F0 lea eax, dword ptr [ebp-10]
:00500CFE E8E12FF0FF call 00403CE4
:00500D03 8D45F8 lea eax, dword ptr [ebp-08]
:00500D06 E8D92FF0FF call 00403CE4
:00500D0B C3 ret
从上面的分析可以看出其注册过程为:
将机器码的ASCII码相加后再加上 1212156 和 6612122
所以 机器码 1652-1cd8
注册码为 7824278
注册机为(VB):
Private Sub Command1_Click()
' Button handler: sums the character code of every character in Text1 into m,
' then writes n plus the two constants found in the analysis above into Text2.
Dim i As Integer
Dim m, n As Single ' in VB6 only n is typed Single here; m takes the default (Variant) type
For i = 1 To Len(Text1.Text)
m = m + Asc(Mid(Text1.Text, i, 1)) ' running sum of the character codes, one 1-character slice per iteration
nexti ' loop terminator as printed on the page (VB spells it "Next i")
n = n + 1212156 + 6612122 ' NOTE(review): n is never assigned from m above, so as written this only adds the two constants to an unset n
Text2.Text = Str(n) ' display the result
End Sub