【破文标题】:A+ Pop Up Blocker 2.1 -- MD5算法分析
【破文作者】:KuNgBiM[DFCG]
【作者邮箱】:gb_1227@163.com
【软件名称】:A+ Pop Up Blocker 2.1
【软件大小】:450 KB
【软件类别】:国外软件 / 共享版 / 浏览辅助
【下载地址】:http://www.amplusnet.com/
【软件简介】:A+ Pop Up Blocker 可以屏蔽网页中的弹出广告窗口,从而提高你的网络浏览速度。
【保护方式】:注册码+试用时间限制
【编译语言】:Microsoft Visual C++ 7.0 [Debug]
【调试环境】:WinXP、PEiD、W32Dasm、Ollydbg
【破解日期】:2005-05-12
【破解目的】:研究算法分析
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
—————————————————————————————————
【破解过程】:
侦测:用PEiD查壳,无壳,Microsoft Visual C++ 7.0 [Debug] 编译。
试探:运行主程序注册,输入Name、Email、Key,确认!程序提示"The registration key is not valid!"
初步下药:使出法宝,用W32Dasm进行静态反汇编,查找"The registration key is not valid!"字符串,结果什么都没找到!(郁闷~)
对症下药:Ollydbg载入主程序,加载完毕后,搜索--->所有的参考文本字符串"The registration key is not valid!",双击来到004042D3,
向上来到 004040E9 处下断,F9运行,输入注册信息:
Name:KuNgBiM
Email:gb_1227@163.com
Key:9876543210
点击确定OD中断在:
004040E0 E8 D8A10100 call PopUpBlo.0041E2BD
004040E5 8B10 mov edx,dword ptr ds:[eax]
004040E7 8BC8 mov ecx,eax
004040E9 FF52 0C call dword ptr ds:[edx+C] //中断,以下均为F8单步跟踪!
004040EC 83C0 10 add eax,10
004040EF 894424 18 mov dword ptr ss:[esp+18],eax
004040F3 8D4424 44 lea eax,dword ptr ss:[esp+44]
004040F7 50 push eax
004040F8 68 20034300 push PopUpBlo.00430320 ; ASCII "idTextName" //指向检测是否输入用户名
004040FD 8BCE mov ecx,esi
004040FF C64424 44 03 mov byte ptr ss:[esp+44],3
00404104 E8 974A0200 call PopUpBlo.00428BA0
00404109 8B4424 44 mov eax,dword ptr ss:[esp+44]
0040410D 8B08 mov ecx,dword ptr ds:[eax]
0040410F 8D5424 24 lea edx,dword ptr ss:[esp+24]
00404113 52 push edx
00404114 6A 00 push 0
00404116 68 B8054300 push PopUpBlo.004305B8 ; UNICODE "value" //已输入用户名标识
0040411B 50 push eax
0040411C FF51 20 call dword ptr ds:[ecx+20]
0040411F 8D4424 24 lea eax,dword ptr ss:[esp+24]
00404123 50 push eax //用户名压栈待取
00404124 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00404128 E8 53F5FFFF call PopUpBlo.00403680
0040412D 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
00404131 51 push ecx
00404132 68 7C024300 push PopUpBlo.0043027C ; ASCII "idTextCompany" //指向检测是否输入用户邮箱
00404137 8BCE mov ecx,esi
00404139 E8 624A0200 call PopUpBlo.00428BA0
0040413E 8B4424 44 mov eax,dword ptr ss:[esp+44]
00404142 8B10 mov edx,dword ptr ds:[eax]
00404144 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00404148 51 push ecx
00404149 6A 00 push 0
0040414B 68 B8054300 push PopUpBlo.004305B8 ; UNICODE "value" //已输入用户邮箱标识
00404150 50 push eax
00404151 FF52 20 call dword ptr ds:[edx+20]
00404154 8D5424 24 lea edx,dword ptr ss:[esp+24]
00404158 52 push edx //用户邮箱压栈待取
00404159 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040415D E8 1EF5FFFF call PopUpBlo.00403680
00404162 8D4424 44 lea eax,dword ptr ss:[esp+44]
00404166 50 push eax
00404167 68 E4014300 push PopUpBlo.004301E4 ; ASCII "idTextKey" //指向检测是否输入注册码
0040416C 8BCE mov ecx,esi
0040416E E8 2D4A0200 call PopUpBlo.00428BA0
00404173 8B4424 44 mov eax,dword ptr ss:[esp+44]
00404177 8B08 mov ecx,dword ptr ds:[eax]
00404179 8D5424 24 lea edx,dword ptr ss:[esp+24]
0040417D 52 push edx
0040417E 6A 00 push 0
00404180 68 B8054300 push PopUpBlo.004305B8 ; UNICODE "value" //已输入注册码标识
00404185 50 push eax
00404186 FF51 20 call dword ptr ds:[ecx+20]
00404189 8D4424 24 lea eax,dword ptr ss:[esp+24]
0040418D 50 push eax //注册码压栈待取
0040418E 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
00404192 E8 E9F4FFFF call PopUpBlo.00403680
00404197 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040419B 51 push ecx
0040419C 8D5424 24 lea edx,dword ptr ss:[esp+24]
004041A0 68 94044300 push PopUpBlo.00430494 ; ASCII "AmplusnetAPlus20" //字符串压栈待取
004041A5 52 push edx
004041A6 E8 15F6FFFF call PopUpBlo.004037C0 //连接字符串与用户名组成新字符串
004041AB 8B6C24 1C mov ebp,dword ptr ss:[esp+1C]
004041AF 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
004041B2 8B00 mov eax,dword ptr ds:[eax] ; ASCII "AmplusnetAPlus20KuNgBiM"
004041B4 83C1 10 add ecx,10
004041B7 51 push ecx
004041B8 50 push eax //新字符串再次压栈
004041B9 8D4424 30 lea eax,dword ptr ss:[esp+30]
004041BD 50 push eax
004041BE C64424 54 04 mov byte ptr ss:[esp+54],4
004041C3 E8 68E3FFFF call PopUpBlo.00402530 //将压栈的新字符串转换为MD5编码,算法CALL跟进!!!
004041C8 8B00 mov eax,dword ptr ds:[eax] ; ASCII "f4d0c4f350a132c8e2bc9451fab178f3"
004041CA 8B7C24 30 mov edi,dword ptr ss:[esp+30]
004041CE 50 push eax //真码入栈,内存注册机
004041CF 57 push edi //假码入栈
004041D0 E8 DCD20000 call PopUpBlo.004114B1 //比较CALL
004041D5 8BD8 mov ebx,eax
004041D7 8B4424 3C mov eax,dword ptr ss:[esp+3C] ; ASCII "f4d0c4f350a132c8e2bc9451fab178f3"
004041DB 83C4 20 add esp,20
004041DE F7DB neg ebx
004041E0 1ADB sbb bl,bl
004041E2 83C0 F0 add eax,-10
004041E5 FEC3 inc bl
004041E7 8D48 0C lea ecx,dword ptr ds:[eax+C]
004041EA 83CA FF or edx,FFFFFFFF
004041ED F0:0FC111 lock xadd dword ptr ds:[ecx],edx
004041F1 4A dec edx
004041F2 85D2 test edx,edx
004041F4 7F 08 jg short PopUpBlo.004041FE
004041F6 8B08 mov ecx,dword ptr ds:[eax]
004041F8 8B11 mov edx,dword ptr ds:[ecx]
004041FA 50 push eax
004041FB FF52 04 call dword ptr ds:[edx+4]
004041FE 8B4424 20 mov eax,dword ptr ss:[esp+20] ; ASCII "AmplusnetAPlus20KuNgBiM"
00404202 83C0 F0 add eax,-10
00404205 C64424 3C 03 mov byte ptr ss:[esp+3C],3
0040420A 8D48 0C lea ecx,dword ptr ds:[eax+C]
0040420D 83CA FF or edx,FFFFFFFF
00404210 F0:0FC111 lock xadd dword ptr ds:[ecx],edx
00404214 4A dec edx
00404215 85D2 test edx,edx
00404217 7F 08 jg short PopUpBlo.00404221
00404219 8B08 mov ecx,dword ptr ds:[eax]
0040421B 8B11 mov edx,dword ptr ds:[ecx]
0040421D 50 push eax
0040421E FF52 04 call dword ptr ds:[edx+4]
00404221 84DB test bl,bl
00404223 > 0F84 A3000000 je PopUpBlo.004042CC //注册验证爆破点!^__^
00404229 51 push ecx
0040422A 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0040422D 896424 24 mov dword ptr ss:[esp+24],esp
00404231 8BDC mov ebx,esp
00404233 50 push eax
00404234 E8 57DBFFFF call PopUpBlo.00401D90
00404239 83C0 10 add eax,10
0040423C 83C4 04 add esp,4
0040423F B9 98E74300 mov ecx,PopUpBlo.0043E798
00404244 8903 mov dword ptr ds:[ebx],eax
00404246 E8 951D0000 call PopUpBlo.00405FE0
0040424B 8B4424 14 mov eax,dword ptr ss:[esp+14]
0040424F 51 push ecx
00404250 83C0 F0 add eax,-10
00404253 896424 24 mov dword ptr ss:[esp+24],esp
00404257 8BDC mov ebx,esp
00404259 50 push eax
0040425A E8 31DBFFFF call PopUpBlo.00401D90
0040425F 83C0 10 add eax,10
00404262 83C4 04 add esp,4
00404265 B9 B8E74300 mov ecx,PopUpBlo.0043E7B8
0040426A 8903 mov dword ptr ds:[ebx],eax
0040426C E8 6F1D0000 call PopUpBlo.00405FE0
00404271 51 push ecx
00404272 8D47 F0 lea eax,dword ptr ds:[edi-10]
00404275 896424 24 mov dword ptr ss:[esp+24],esp
00404279 8BDC mov ebx,esp
0040427B 50 push eax
0040427C E8 0FDBFFFF call PopUpBlo.00401D90
00404281 83C0 10 add eax,10
00404284 83C4 04 add esp,4
00404287 B9 F8E74300 mov ecx,PopUpBlo.0043E7F8
0040428C 8903 mov dword ptr ds:[ebx],eax
0040428E E8 4D1D0000 call PopUpBlo.00405FE0
00404293 6A 40 push 40
00404295 68 50F74200 push PopUpBlo.0042F750 ; ASCII "A+ PopUp Blocker"
0040429A 68 8C054300 push PopUpBlo.0043058C ; ASCII "A+ PopUp Blocker registration successful!"
0040429F 8BCE mov ecx,esi
004042A1 E8 4FCD0100 call PopUpBlo.00420FF5
004042A6 68 8D000000 push 8D
004042AB 8BCE mov ecx,esi
004042AD E8 DF4F0200 call PopUpBlo.00429291
004042B2 6A 01 push 1
004042B4 B9 18E74300 mov ecx,PopUpBlo.0043E718
004042B9 E8 82170000 call PopUpBlo.00405A40
004042BE 6A 01 push 1
004042C0 B9 58E74300 mov ecx,PopUpBlo.0043E758
004042C5 E8 76170000 call PopUpBlo.00405A40
004042CA EB 13 jmp short PopUpBlo.004042DF
004042CC 6A 30 push 30
004042CE 68 50F74200 push PopUpBlo.0042F750 ; ASCII "A+ PopUp Blocker"
004042D3 68 68054300 push PopUpBlo.00430568 ; ASCII "The registration key is not valid!" //字符串
004042D8 8BCE mov ecx,esi
=========================================================================================================
注册信息经过MD5计算后与假码明码比较
经典 MD5(注册信息)=注册码。
=========================================================================================================
=================== 跟进:004041C3 E8 68E3FFFF call PopUpBlo.00402530 ===========================
00402530 6A FF push -1
00402532 68 28CC4200 push PopUpBlo.0042CC28
00402537 64:A1 00000000 mov eax,dword ptr fs:[0]
0040253D 50 push eax
0040253E 64:8925 0000000>mov dword ptr fs:[0],esp
00402545 83EC 64 sub esp,64
00402548 A1 48D64300 mov eax,dword ptr ds:[43D648]
0040254D 53 push ebx
0040254E 8B5C24 7C mov ebx,dword ptr ss:[esp+7C]
00402552 55 push ebp
00402553 56 push esi
00402554 8BB424 88000000 mov esi,dword ptr ss:[esp+88]
0040255B 57 push edi
0040255C 33ED xor ebp,ebp
0040255E 55 push ebp
0040255F 56 push esi
00402560 894424 78 mov dword ptr ss:[esp+78],eax
00402564 53 push ebx
00402565 896C24 1C mov dword ptr ss:[esp+1C],ebp
00402569 E8 83B30100 call PopUpBlo.0041D8F1
0040256E B9 10000000 mov ecx,10
00402573 33C0 xor eax,eax
00402575 8D7C24 18 lea edi,dword ptr ss:[esp+18]
00402579 C74424 14 BCF54>mov dword ptr ss:[esp+14],PopUpBlo.0042F5B>
00402581 F3:AB rep stos dword ptr es:[edi]
00402583 896C24 5C mov dword ptr ss:[esp+5C],ebp
00402587 896C24 58 mov dword ptr ss:[esp+58],ebp
0040258B C74424 60 01234>mov dword ptr ss:[esp+60],67452301
00402593 C74424 64 89ABC>mov dword ptr ss:[esp+64],EFCDAB89
0040259B C74424 68 FEDCB>mov dword ptr ss:[esp+68],98BADCFE
004025A3 C74424 6C 76543>mov dword ptr ss:[esp+6C],10325476
004025AB 56 push esi
004025AC 53 push ebx
004025AD 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
004025B1 89AC24 84000000 mov dword ptr ss:[esp+84],ebp
004025B8 E8 63F3FFFF call PopUpBlo.00401920
004025BD 8BB424 84000000 mov esi,dword ptr ss:[esp+84]
004025C4 56 push esi
004025C5 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
004025C9 E8 22FDFFFF call PopUpBlo.004022F0
004025CE 8B4C24 74 mov ecx,dword ptr ss:[esp+74]
004025D2 5F pop edi
004025D3 8BC6 mov eax,esi
004025D5 5E pop esi
004025D6 5D pop ebp
004025D7 64:890D 0000000>mov dword ptr fs:[0],ecx
004025DE 8B4C24 64 mov ecx,dword ptr ss:[esp+64]
004025E2 5B pop ebx
004025E3 E8 A1E20000 call PopUpBlo.00410889 //调用MD5函数,算法CALL,跟进![标准的MD5]
004025E8 83C4 70 add esp,70
004025EB C3 retn
=================== 跟进 004025E3 E8 A1E20000 call PopUpBlo.00410889 [MD5 算法CALL] ==================
004022F0 6A FF push -1 ; Md5
004022F2 68 08CC4200 push PopUpBlo.0042CC08
004022F7 64:A1 00000000 mov eax,dword ptr fs:[0]
004022FD 50 push eax
004022FE 64:8925 0000000>mov dword ptr fs:[0],esp
00402305 83EC 24 sub esp,24
00402308 A1 48D64300 mov eax,dword ptr ds:[43D648]
0040230D 53 push ebx
0040230E 55 push ebp
0040230F 56 push esi
00402310 57 push edi
00402311 8BF1 mov esi,ecx
00402313 33FF xor edi,edi
00402315 894424 30 mov dword ptr ss:[esp+30],eax
00402319 897C24 18 mov dword ptr ss:[esp+18],edi
0040231D 33C9 xor ecx,ecx
0040231F 8D46 46 lea eax,dword ptr ds:[esi+46]
00402322 8A50 FE mov dl,byte ptr ds:[eax-2]
00402325 88540C 18 mov byte ptr ss:[esp+ecx+18],dl
00402329 8A50 FF mov dl,byte ptr ds:[eax-1]
0040232C 88540C 19 mov byte ptr ss:[esp+ecx+19],dl
00402330 8A10 mov dl,byte ptr ds:[eax]
00402332 88540C 1A mov byte ptr ss:[esp+ecx+1A],dl
00402336 8A50 01 mov dl,byte ptr ds:[eax+1]
00402339 88540C 1B mov byte ptr ss:[esp+ecx+1B],dl
0040233D 83C1 04 add ecx,4
00402340 83C0 04 add eax,4
00402343 83F9 08 cmp ecx,8
00402346 ^ 72 DA jb short PopUpBlo.00402322
00402348 8B4E 44 mov ecx,dword ptr ds:[esi+44]
0040234B C1E9 03 shr ecx,3
0040234E 83E1 3F and ecx,3F
00402351 83F9 38 cmp ecx,38
00402354 B8 38000000 mov eax,38
00402359 72 05 jb short PopUpBlo.00402360
0040235B B8 78000000 mov eax,78
00402360 2BC1 sub eax,ecx
00402362 50 push eax
00402363 68 18C14300 push PopUpBlo.0043C118
00402368 8BCE mov ecx,esi
0040236A E8 B1F5FFFF call PopUpBlo.00401920
0040236F 6A 08 push 8
00402371 8D4424 1C lea eax,dword ptr ss:[esp+1C]
00402375 50 push eax
00402376 8BCE mov ecx,esi
00402378 E8 A3F5FFFF call PopUpBlo.00401920
0040237D 33C9 xor ecx,ecx
0040237F 8D46 4E lea eax,dword ptr ds:[esi+4E]
00402382 8A50 FE mov dl,byte ptr ds:[eax-2]
00402385 88540C 20 mov byte ptr ss:[esp+ecx+20],dl
00402389 8A50 FF mov dl,byte ptr ds:[eax-1]
0040238C 88540C 21 mov byte ptr ss:[esp+ecx+21],dl
00402390 8A10 mov dl,byte ptr ds:[eax]
00402392 88540C 22 mov byte ptr ss:[esp+ecx+22],dl
00402396 8A50 01 mov dl,byte ptr ds:[eax+1]
00402399 88540C 23 mov byte ptr ss:[esp+ecx+23],dl
0040239D 83C1 04 add ecx,4
004023A0 83C0 04 add eax,4
004023A3 83F9 10 cmp ecx,10
004023A6 ^ 72 DA jb short PopUpBlo.00402382
004023A8 E8 10BF0100 call PopUpBlo.0041E2BD
004023AD 8B10 mov edx,dword ptr ds:[eax]
004023AF 8BC8 mov ecx,eax
004023B1 FF52 0C call dword ptr ds:[edx+C]
004023B4 83C0 10 add eax,10
004023B7 894424 14 mov dword ptr ss:[esp+14],eax
004023BB 897C24 3C mov dword ptr ss:[esp+3C],edi
004023BF BB 01000000 mov ebx,1
004023C4 E8 F4BE0100 call PopUpBlo.0041E2BD
004023C9 8B10 mov edx,dword ptr ds:[eax]
004023CB 8BC8 mov ecx,eax
004023CD FF52 0C call dword ptr ds:[edx+C]
004023D0 83C0 10 add eax,10
004023D3 894424 10 mov dword ptr ss:[esp+10],eax
004023D7 8A443C 20 mov al,byte ptr ss:[esp+edi+20]
004023DB 84C0 test al,al
004023DD 885C24 3C mov byte ptr ss:[esp+3C],bl
004023E1 75 41 jnz short PopUpBlo.00402424
004023E3 68 C8F54200 push PopUpBlo.0042F5C8 ; ASCII "00"
004023E8 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
004023EC E8 4FFEFFFF call PopUpBlo.00402240
004023F1 50 push eax
004023F2 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004023F6 C64424 40 02 mov byte ptr ss:[esp+40],2
004023FB E8 70FDFFFF call PopUpBlo.00402170
00402400 8B4424 18 mov eax,dword ptr ss:[esp+18]
00402404 83C0 F0 add eax,-10
00402407 885C24 3C mov byte ptr ss:[esp+3C],bl
0040240B 8D48 0C lea ecx,dword ptr ds:[eax+C]
0040240E 83CA FF or edx,FFFFFFFF
00402411 F0:0FC111 lock xadd dword ptr ds:[ecx],edx
00402415 4A dec edx
00402416 85D2 test edx,edx
00402418 7F 34 jg short PopUpBlo.0040244E
0040241A 8B08 mov ecx,dword ptr ds:[eax]
0040241C 8B11 mov edx,dword ptr ds:[ecx]
0040241E 50 push eax
0040241F FF52 04 call dword ptr ds:[edx+4]
00402422 EB 2A jmp short PopUpBlo.0040244E
00402424 3C 0F cmp al,0F
00402426 77 10 ja short PopUpBlo.00402438
00402428 0FB6C0 movzx eax,al
0040242B 50 push eax
0040242C 68 C4F54200 push PopUpBlo.0042F5C4 ; ASCII "0%x"
00402431 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00402435 51 push ecx
00402436 EB 0E jmp short PopUpBlo.00402446
00402438 0FB6D0 movzx edx,al
0040243B 52 push edx
0040243C 68 C0F54200 push PopUpBlo.0042F5C0 ; ASCII "%x"
00402441 8D4424 18 lea eax,dword ptr ss:[esp+18]
00402445 50 push eax
00402446 E8 D5FDFFFF call PopUpBlo.00402220
0040244B 83C4 0C add esp,0C
0040244E 8B7424 10 mov esi,dword ptr ss:[esp+10]
00402452 8B46 F4 mov eax,dword ptr ds:[esi-C]
00402455 50 push eax
00402456 56 push esi
00402457 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0040245B E8 10FCFFFF call PopUpBlo.00402070
00402460 8D46 F0 lea eax,dword ptr ds:[esi-10]
00402463 C64424 3C 00 mov byte ptr ss:[esp+3C],0
00402468 8D48 0C lea ecx,dword ptr ds:[eax+C]
0040246B 83CA FF or edx,FFFFFFFF
0040246E F0:0FC111 lock xadd dword ptr ds:[ecx],edx
00402472 4A dec edx
00402473 85D2 test edx,edx
00402475 7F 08 jg short PopUpBlo.0040247F
00402477 8B08 mov ecx,dword ptr ds:[eax]
00402479 8B11 mov edx,dword ptr ds:[ecx]
0040247B 50 push eax
0040247C FF52 04 call dword ptr ds:[edx+4]
0040247F 47 inc edi
00402480 83FF 10 cmp edi,10
00402483 ^ 0F8C 3BFFFFFF jl PopUpBlo.004023C4 //向上循环运算16次,产生32位注册码
00402489 8B6C24 14 mov ebp,dword ptr ss:[esp+14] ; ASCII "f4d0c4f350a132c8e2bc9451fab178f3"
0040248D 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
00402490 8B01 mov eax,dword ptr ds:[ecx]
00402492 83C5 F0 add ebp,-10
00402495 FF50 10 call dword ptr ds:[eax+10]
00402498 8B55 0C mov edx,dword ptr ss:[ebp+C]
0040249B 85D2 test edx,edx
0040249D 8D4D 0C lea ecx,dword ptr ss:[ebp+C]
004024A0 7C 0D jl short PopUpBlo.004024AF
004024A2 3B45 00 cmp eax,dword ptr ss:[ebp]
004024A5 75 08 jnz short PopUpBlo.004024AF
004024A7 8BC5 mov eax,ebp
004024A9 F0:0FC119 lock xadd dword ptr ds:[ecx],ebx
004024AD EB 32 jmp short PopUpBlo.004024E1
004024AF 8B4D 04 mov ecx,dword ptr ss:[ebp+4]
004024B2 8B10 mov edx,dword ptr ds:[eax]
004024B4 53 push ebx
004024B5 51 push ecx
004024B6 8BC8 mov ecx,eax
004024B8 FF12 call dword ptr ds:[edx]
004024BA 85C0 test eax,eax
004024BC 75 05 jnz short PopUpBlo.004024C3
004024BE E8 2DF7FFFF call PopUpBlo.00401BF0
004024C3 8B55 04 mov edx,dword ptr ss:[ebp+4]
004024C6 8950 04 mov dword ptr ds:[eax+4],edx
004024C9 8B4D 04 mov ecx,dword ptr ss:[ebp+4]
004024CC 41 inc ecx
004024CD 8BD1 mov edx,ecx
004024CF C1E9 02 shr ecx,2
004024D2 8D75 10 lea esi,dword ptr ss:[ebp+10]
004024D5 8D78 10 lea edi,dword ptr ds:[eax+10]
004024D8 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[>
004024DA 8BCA mov ecx,edx
004024DC 83E1 03 and ecx,3
004024DF F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[es>
004024E1 8B7424 44 mov esi,dword ptr ss:[esp+44]
004024E5 83C0 10 add eax,10
004024E8 8906 mov dword ptr ds:[esi],eax
004024EA C74424 3C FFFFF>mov dword ptr ss:[esp+3C],-1
004024F2 8D45 0C lea eax,dword ptr ss:[ebp+C]
004024F5 83C9 FF or ecx,FFFFFFFF
004024F8 F0:0FC108 lock xadd dword ptr ds:[eax],ecx
004024FC 49 dec ecx
004024FD 85C9 test ecx,ecx
004024FF 7F 09 jg short PopUpBlo.0040250A
00402501 8B4D 00 mov ecx,dword ptr ss:[ebp]
00402504 8B11 mov edx,dword ptr ds:[ecx]
00402506 55 push ebp
00402507 FF52 04 call dword ptr ds:[edx+4]
0040250A 8B4C24 34 mov ecx,dword ptr ss:[esp+34]
0040250E 5F pop edi
0040250F 8BC6 mov eax,esi
00402511 5E pop esi
00402512 5D pop ebp
00402513 64:890D 0000000>mov dword ptr fs:[0],ecx
0040251A 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
0040251E 5B pop ebx
0040251F E8 65E30000 call PopUpBlo.00410889
00402524 83C4 30 add esp,30
00402527 C2 0400 retn 4 //返回
-------------------------------------------------------------------------------------------------------------------------
【算法总结】
注册验证非常简单,MD5(固定字符串"AmplusnetAPlus20"+Name)=Key。(Email在注册码计算中没用到)
=======================
算法注册机代码:
'窗体部分:
Option Explicit
Private Sub Text1_Change()
Set c1 = New clsMD5 '调用算法模块将ID转换成 MD5密钥
sn = c1.Md5_String_Calc("AmplusnetAPlus20" + Text1.Text) 'MD5(固定字符串"AmplusnetAPlus20"+Name)=Key
Text2.Text = LCase(sn) '把转换后的MD5码转换为小写然后输出作为Key
End Sub
'类模块部分:
(略)
上次我写的《土地拍卖竞标助手 专业版 6.31--MD5算法分析》中有VB的MD5模块,自己写写看!
=======================
内存注册机:
中断地址:004041CE
中断次数:1
第一字节:50
指令长度:1
内存方式--->EAX
=======================
注册信息:
Name:KuNgBiM
Email:gb_1227@163.com
Key:f4d0c4f350a132c8e2bc9451fab178f3
Name:KuNgBiM[DFCG]
Email:gb_1227@163.com
Key:5941ab3a6614ae8a624ba817b476ee89
注册信息保存在注册表:HKEY_LOCAL_MACHINE\SOFTWARE\A+PopupBlocker 中。
--------------------------------------------------------------------------
(本文完)
版权所有(C)2005 KuNgBiM[DFCG] Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------
Cracked BY KuNgBiM[DFCG]
2005-05-12
12:09:18 PM