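【Write-up Title】PhotoShrink 2.0 Algorithm Analysis
【Author】tianxj
【Author E-mail】tianxj_2007@126.com
【Author Homepage】WwW.ChiNaPYG.CoM
【Tools】PEiD, OD, DeDe
【Platform】Windows XP sp3
【Software Name】PhotoShrink 2.0
【Software Size】1245KB
【Software Language】English
【Software Category】Foreign software / Image processing
【License】Shareware
【Runtime Environment】Win9x/Me/NT/2000/XP/2003
【Last Updated】2007-5-31
【Original Download】http://www.onlinedown.net/soft/58519.htm
【Protection】Registration code
【Software Description】PhotoShrink is an easy-to-use image optimization tool that resizes image files to suit e-mail or web design and so saves storage space. It is simple to use, supports batch resizing and mouse operation, and can adjust the quality of JPG files.
【Statement】I'm just a little newbie who happened to learn a thing or two and would like to share it with everyone :)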
--------------------------------------------------------------
【Crack Details】
--------------------------------------------------------------
**************************************************************
1. A packer check on photoshrink.exe reports Borland Delphi 6.0 - 7.0
**************************************************************
2. Looking up the button event with DeDe leads quickly to the key code
00506A74 /.  55             push ebp
00506A75 |.  8BEC           mov ebp, esp
00506A77 |.  33C9           xor ecx, ecx
00506A79 |.  51             push ecx
00506A7A |.  51             push ecx
00506A7B |.  51             push ecx
00506A7C |.  51             push ecx
00506A7D |.  51             push ecx
00506A7E |.  51             push ecx
00506A7F |.  53             push ebx
00506A80 |.  8BD8           mov ebx, eax
00506A82 |.  33C0           xor eax, eax
00506A84 |.  55             push ebp
00506A85 |.  68 C86B5000    push 00506BC8
00506A8A |.  64:FF30        push dword ptr fs:[eax]
00506A8D |.  64:8920        mov dword ptr fs:[eax], esp
00506A90 |.  8D55 FC        lea edx, dword ptr [ebp-4]
00506A93 |.  8B83 08030000  mov eax, dword ptr [ebx+308]
00506A99 |.  E8 02DFF3FF    call 004449A0
00506A9E |.  837D FC 00     cmp dword ptr [ebp-4], 0
00506AA2 |.  0F84 E4000000  je 00506B8C                      ; // jump if the e-mail name is empty
00506AA8 |.  8D55 F4        lea edx, dword ptr [ebp-C]
00506AAB |.  8B83 08030000  mov eax, dword ptr [ebx+308]
00506AB1 |.  E8 EADEF3FF    call 004449A0
00506AB6 |.  8B55 F4        mov edx, dword ptr [ebp-C]       ; // e-mail name
00506AB9 |.  8D4D F8        lea ecx, dword ptr [ebp-8]
00506ABC |.  A1 BC185100    mov eax, dword ptr [5118BC]
00506AC1 |.  8B00           mov eax, dword ptr [eax]
00506AC3 |.  E8 8C050000    call 00507054                    ; // algorithm CALL
00506AC8 |.  8B45 F8        mov eax, dword ptr [ebp-8]
00506ACB |.  50             push eax
00506ACC |.  8D55 F0        lea edx, dword ptr [ebp-10]
00506ACF |.  8B83 10030000  mov eax, dword ptr [ebx+310]
00506AD5 |.  E8 C6DEF3FF    call 004449A0
00506ADA |.  8B55 F0        mov edx, dword ptr [ebp-10]      ; // trial code (as entered)
00506ADD |.  58             pop eax                          ; // registration code
00506ADE |.  E8 D9DEEFFF    call 004049BC                    ; // compare CALL
00506AE3 |.  0F85 A3000000  jnz 00506B8C                     ; // key jump
00506AE9 |.  8D55 EC        lea edx, dword ptr [ebp-14]
00506AEC |.  8B83 08030000  mov eax, dword ptr [ebx+308]
00506AF2 |.  E8 A9DEF3FF    call 004449A0
00506AF7 |.  8B55 EC        mov edx, dword ptr [ebp-14]
00506AFA |.  A1 BC185100    mov eax, dword ptr [5118BC]
00506AFF |.  8B00           mov eax, dword ptr [eax]
00506B01 |.  05 28030000    add eax, 328
00506B06 |.  E8 EDDAEFFF    call 004045F8
00506B0B |.  8D55 E8        lea edx, dword ptr [ebp-18]
00506B0E |.  8B83 10030000  mov eax, dword ptr [ebx+310]
00506B14 |.  E8 87DEF3FF    call 004449A0
00506B19 |.  8B55 E8        mov edx, dword ptr [ebp-18]
00506B1C |.  A1 BC185100    mov eax, dword ptr [5118BC]
00506B21 |.  8B00           mov eax, dword ptr [eax]
00506B23 |.  05 2C030000    add eax, 32C
00506B28 |.  E8 CBDAEFFF    call 004045F8
00506B2D |.  A1 BC185100    mov eax, dword ptr [5118BC]
00506B32 |.  8B00           mov eax, dword ptr [eax]
00506B34 |.  C680 24030000>mov byte ptr [eax+324], 1
00506B3B |.  A1 BC185100    mov eax, dword ptr [5118BC]
00506B40 |.  8B00           mov eax, dword ptr [eax]
00506B42 |.  E8 05060000    call 0050714C
00506B47 |.  A1 BC185100    mov eax, dword ptr [5118BC]
00506B4C |.  8B00           mov eax, dword ptr [eax]
00506B4E |.  8B80 F4020000  mov eax, dword ptr [eax+2F4]
00506B54 |.  33D2           xor edx, edx
00506B56 |.  E8 65DDF3FF    call 004448C0
00506B5B |.  A1 BC185100    mov eax, dword ptr [5118BC]
00506B60 |.  8B00           mov eax, dword ptr [eax]
00506B62 |.  8B80 08030000  mov eax, dword ptr [eax+308]
00506B68 |.  BA 08000000    mov edx, 8
00506B6D |.  E8 76D5F3FF    call 004440E8
00506B72 |.  8BC3           mov eax, ebx
00506B74 |.  E8 BB45F4FF    call 0044B134
00506B79 |.  BA D86B5000    mov edx, 00506BD8                ; UNICODE "Thank you for registering PhotoShrink"
00506B7E |.  E8 75B5F8FF    call 004920F8
00506B83 |.  8BC3           mov eax, ebx
00506B85 |.  E8 7EB3F5FF    call 00461F08
00506B8A |.  EB 11          jmp short 00506B9D
00506B8C |>  8BC3           mov eax, ebx
00506B8E |.  E8 A145F4FF    call 0044B134
00506B93 |.  BA 286C5000    mov edx, 00506C28                ; UNICODE "Name and Key do not Match!",LF,LF,"Make sure you've entered your email address and the key correctly and th"
00506B98 |.  E8 CBB5F8FF    call 00492168
00506B9D |>  33C0           xor eax, eax
00506B9F |.  5A             pop edx
00506BA0 |.  59             pop ecx
00506BA1 |.  59             pop ecx
00506BA2 |.  64:8910        mov dword ptr fs:[eax], edx
00506BA5 |.  68 CF6B5000    push 00506BCF
00506BAA |>  8D45 E8        lea eax, dword ptr [ebp-18]
00506BAD |.  BA 04000000    mov edx, 4
00506BB2 |.  E8 11DAEFFF    call 004045C8
00506BB7 |.  8D45 F8        lea eax, dword ptr [ebp-8]
00506BBA |.  E8 E5D9EFFF    call 004045A4
00506BBF |.  8D45 FC        lea eax, dword ptr [ebp-4]
00506BC2 |.  E8 DDD9EFFF    call 004045A4
00506BC7 \.  C3             retn
00506BC8  .^ E9 3FD3EFFF    jmp 00403F0C
00506BCD  .^ EB DB          jmp short 00506BAA
00506BCF  .  5B             pop ebx
00506BD0  .  8BE5           mov esp, ebp
00506BD2  .  5D             pop ebp
00506BD3  .  C3             retn
=====================================
00507054 /$  55             push ebp
00507055 |.  8BEC           mov ebp, esp
00507057 |.  6A 00          push 0
00507059 |.  6A 00          push 0
0050705B |.  6A 00          push 0
0050705D |.  53             push ebx
0050705E |.  56             push esi
0050705F |.  8BF1           mov esi, ecx
00507061 |.  8955 FC        mov dword ptr [ebp-4], edx
00507064 |.  8B45 FC        mov eax, dword ptr [ebp-4]
00507067 |.  E8 F4D9EFFF    call 00404A60
0050706C |.  33C0           xor eax, eax
0050706E |.  55             push ebp
0050706F |.  68 16715000    push 00507116
00507074 |.  64:FF30        push dword ptr fs:[eax]
00507077 |.  64:8920        mov dword ptr fs:[eax], esp
0050707A |.  837D FC 00     cmp dword ptr [ebp-4], 0
0050707E |.  75 09          jnz short 00507089               ; // jump if the e-mail name is not empty
00507080 |.  8BC6           mov eax, esi
00507082 |.  E8 1DD5EFFF    call 004045A4
00507087 |.  EB 72          jmp short 005070FB
00507089 |>  8D4D F8        lea ecx, dword ptr [ebp-8]
0050708C |.  BA 14000000    mov edx, 14
00507091 |.  B8 2C715000    mov eax, 0050712C                ; ASCII "How DARE you crack my software!"
00507096 |.  E8 0DB4F8FF    call 004924A8
0050709B |.  BB 01000000    mov ebx, 1
005070A0 |>  8B45 FC        /mov eax, dword ptr [ebp-4]      ; // e-mail name
005070A3 |.  E8 D0D7EFFF    |call 00404878                   ; // get the length of the e-mail name
005070A8 |.  50             |push eax
005070A9 |.  8BC3           |mov eax, ebx
005070AB |.  48             |dec eax
005070AC |.  5A             |pop edx
005070AD |.  8BCA           |mov ecx, edx
005070AF |.  99             |cdq
005070B0 |.  F7F9           |idiv ecx
005070B2 |.  8B45 FC        |mov eax, dword ptr [ebp-4]      ; // e-mail name
005070B5 |.  8A0410         |mov al, byte ptr [eax+edx]      ; // take e-mail name characters cyclically
005070B8 |.  8B55 F8        |mov edx, dword ptr [ebp-8]      ; // string "How DARE you crack my software!"
005070BB |.  8A541A FF      |mov dl, byte ptr [edx+ebx-1]    ; // take the string "How DARE you crack my software!" one character at a time
005070BF |.  32C2           |xor al, dl                      ; // XOR
005070C1 |.  25 FF000000    |and eax, 0FF
005070C6 |.  8D55 F4        |lea edx, dword ptr [ebp-C]
005070C9 |.  E8 A221F0FF    |call 00409270                   ; // convert EAX to decimal
005070CE |.  8B45 F4        |mov eax, dword ptr [ebp-C]      ; // decimal string
005070D1 |.  E8 A2D7EFFF    |call 00404878
005070D6 |.  8B55 F4        |mov edx, dword ptr [ebp-C]      ; // decimal string
005070D9 |.  8A4402 FF      |mov al, byte ptr [edx+eax-1]    ; // take the rightmost character
005070DD |.  50             |push eax
005070DE |.  8D45 F8        |lea eax, dword ptr [ebp-8]
005070E1 |.  E8 E2D9EFFF    |call 00404AC8
005070E6 |.  5A             |pop edx
005070E7 |.  885418 FF      |mov byte ptr [eax+ebx-1], dl    ; // store
005070EB |.  43             |inc ebx                         ; // counter + 1
005070EC |.  83FB 15        |cmp ebx, 15
005070EF |.^ 75 AF          \jnz short 005070A0              ; // loop
005070F1 |.  8BC6           mov eax, esi
005070F3 |.  8B55 F8        mov edx, dword ptr [ebp-8]       ; // registration code
005070F6 |.  E8 FDD4EFFF    call 004045F8
005070FB |>  33C0           xor eax, eax
005070FD |.  5A             pop edx
005070FE |.  59             pop ecx
005070FF |.  59             pop ecx
00507100 |.  64:8910        mov dword ptr fs:[eax], edx
00507103 |.  68 1D715000    push 0050711D
00507108 |>  8D45 F4        lea eax, dword ptr [ebp-C]
0050710B |.  BA 03000000    mov edx, 3
00507110 |.  E8 B3D4EFFF    call 004045C8
00507115 \.  C3             retn
00507116  .^ E9 F1CDEFFF    jmp 00403F0C
0050711B  .^ EB EB          jmp short 00507108
0050711D  .  5E             pop esi
0050711E  .  5B             pop ebx
0050711F  .  8BE5           mov esp, ebp
00507121  .  5D             pop ebp
00507122  .  C3             retn
【Crack Summary】
--------------------------------------------------------------
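【Algorithm Summary】
The user name (the e-mail address) is XORed character by character with the fixed string "How DARE you crack my software!" to produce the registration code. The loop runs 20 times, cycling through the e-mail characters, and keeps the last decimal digit of each XOR result, so the registration code is 20 digits long.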
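
The weakness summarized above is that the client itself derives the expected code from the e-mail and a string stored in the binary, then compares it with the input. As an added example (not from the original write-up and not PhotoShrink's code), here is a verify-only check in Python in which the client holds only public values; the function names, the "license-v1|" prefix and the demo key are constructed for illustration.

```python
import hashlib

# Constructed demo key: the product of two Mersenne primes, so the block runs
# offline with no dependencies. It is NOT a usable key, and this is textbook
# RSA without padding; a real product uses a vetted library (Ed25519, RSA-PSS).
_P = 2**521 - 1
_Q = 2**607 - 1
N = _P * _Q   # public modulus, shipped inside the client
E = 65537     # public exponent, shipped inside the client
# Private exponent: exists only on the vendor's licensing server.
_D = pow(E, -1, (_P - 1) * (_Q - 1))


def _digest(email: str) -> int:
    """Hash the normalized e-mail to an integer (256 bits, far below N)."""
    norm = email.strip().lower().encode("utf-8")
    return int.from_bytes(hashlib.sha256(b"license-v1|" + norm).digest(), "big")


def vendor_issue_key(email: str) -> str:
    """Vendor side only: sign the e-mail digest with the private exponent."""
    return format(pow(_digest(email), _D, N), "x")


def client_check_key(email: str, key: str) -> bool:
    """Client side: verify with public values only.

    Unlike the routine at 00507054, nothing here can compute the expected
    key, so tracing the check in a debugger does not reveal how to make one.
    """
    try:
        sig = int(key.strip(), 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _digest(email)
```

A signed key does not stop someone from patching the conditional jump after the comparison; it only removes the key-derivation routine from the shipped binary.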
--------------------------------------------------------------
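【Algorithm Keygen】
〖VB Code〗
Private Sub Command1_Click()
    If Len(Text1.Text) = 0 Then
        ' Message text: "Invalid input, please enter it again!"
        Text2.Text = "输入有误,请重新输入!"
    Else
        For I = 1 To 20
            ' Cycle through the e-mail characters
            J = ((I - 1) Mod Len(Text1.Text)) + 1
            X = Asc(Mid(Text1.Text, J, 1)) Xor Asc(Mid("How DARE you crack my software!", I, 1))
            ' Keep only the last decimal digit of the XOR result
            Y = Y & Right(X, 1)
        Next
        Text2.Text = Y
    End If
End Sub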
--------------------------------------------------------------
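Thanks to boss PiaoYun, boss Mao, boss Nisy, and the many predecessors for their tutorials, and to all the forum brothers and sisters who have helped me! Thank you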
--------------------------------------------------------------
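【Copyright Notice】This write-up is a set of study notes, and interest is the source of success. It is intended purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!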