【破文标题】PromoSoft 1.73算法分析
【破文作者】tianxj
【作者邮箱】tianxj_2007@126.com
【作者主页】WwW.ChiNaPYG.CoM
【破解工具】PEiD,OD
【破解平台】Windows XP
【软件名称】PromoSoft 1.73
【软件大小】4223KB
【软件类别】国外软件/网络辅助
【软件授权】共享版
【软件语言】英文
【更新时间】2008-7-7
【原版下载】华军软件园
【保护方式】注册码
【软件简介】一款专为软件发布而开发设计的软件,可快速、大量地将软件自动发布到互联网上的软件下载网站。
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
初学破解与编程,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------
【破解内容】
--------------------------------------------------------------
**************************************************************
一、运行程序,进行注册,输入错误的注册信息进行检测,有提示信息
"registration name or code is incorrect. try again."
**************************************************************
二、用PEiD对PromoSoft查壳,结果显示为 Borland Delphi 6.0 - 7.0,即识别到的是编译器信息,未报告壳
**************************************************************
三、运行OD,打开PromoSoft,右键超级字串参考查找ASCII.
发现"registration name or code is incorrect. try again."
; OllyDbg listing of the routine at 00559018-005592BE, which produces the two registration messages.
; Flow as visible in the listing:
;   1. Two strings are fetched through [EDI+338] and [EDI+334]; if either is empty the check is skipped.
;   2. Loop 00559098-0055913B walks the user name by 1-based index (EBX) and builds a new string at [EBP-8].
;   3. Loop 00559163-0055918B re-reads that string from its last byte to its first, skipping 0x20 bytes.
;   4. 005591A1 compares the entered code with the derived string; 005591A6 selects the message shown.
; NOTE(review): the callees (text fetch, length, compare, append, ...) are not part of this listing; their
;   roles below follow the original author's annotations and the calling pattern - confirm before relying on them.
; NOTE(review): the expected code is a pure function of the user name and is fully materialised in client
;   memory before the comparison, so the check contains no secret.
00559018 /. 55 PUSH EBP
00559019 |. 8BEC MOV EBP,ESP
0055901B |. B9 07000000 MOV ECX,7
00559020 |> 6A 00 /PUSH 0 ; // 7 iterations x 2 pushes: 14 zeroed dwords pushed below EBP
00559022 |. 6A 00 |PUSH 0
00559024 |. 49 |DEC ECX
00559025 |.^ 75 F9 \JNZ SHORT PromoSof.00559020
00559027 |. 51 PUSH ECX
00559028 |. 53 PUSH EBX
00559029 |. 56 PUSH ESI
0055902A |. 57 PUSH EDI
0055902B |. 8BF8 MOV EDI,EAX ; // EDI keeps the object passed in EAX; its fields at +334/+338/+264 are used below
0055902D |. 33C0 XOR EAX,EAX
0055902F |. 55 PUSH EBP
00559030 |. 68 B1925500 PUSH PromoSof.005592B1 ; // handler address for the exception frame
00559035 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00559038 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP ; // EAX is 0 here, so this links the new frame at FS:[0]
0055903B |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0055903E |. 8B87 38030000 MOV EAX,DWORD PTR DS:[EDI+338]
00559044 |. E8 C3BFEFFF CALL PromoSof.0045500C ; // presumably reads the text of the object at [EDI+338] into [EBP-C]
00559049 |. 837D F4 00 CMP DWORD PTR SS:[EBP-C],0
0055904D |. 0F84 09020000 JE PromoSof.0055925C ; // jump if the user name is empty
00559053 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00559056 |. 8B87 34030000 MOV EAX,DWORD PTR DS:[EDI+334]
0055905C |. E8 ABBFEFFF CALL PromoSof.0045500C ; // same callee, this time for the object at [EDI+334]
00559061 |. 837D F0 00 CMP DWORD PTR SS:[EBP-10],0
00559065 |. 0F84 F1010000 JE PromoSof.0055925C ; // jump if the registration code is empty
0055906B |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0055906E |. 8B87 38030000 MOV EAX,DWORD PTR DS:[EDI+338]
00559074 |. E8 93BFEFFF CALL PromoSof.0045500C
00559079 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0055907C |. E8 67BFEAFF CALL PromoSof.00404FE8 ; // presumably clears the string slot at [EBP-8] - confirm
00559081 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; // user name
00559084 |. E8 2FC2EAFF CALL PromoSof.004052B8 ; // get the user-name length
00559089 |. 8BF0 MOV ESI,EAX ; // ESI=EAX=user-name length
0055908B |. 85F6 TEST ESI,ESI
0055908D |. 0F8E AE000000 JLE PromoSof.00559141
00559093 |. BB 01000000 MOV EBX,1 ; //EBX=1
; --- Loop 1: EBX is the 1-based index, ESI the remaining count ---
00559098 |> 895D E8 /MOV DWORD PTR SS:[EBP-18],EBX ; //[EBP-18]=EBX
0055909B |. DB45 E8 |FILD DWORD PTR SS:[EBP-18] ; //ST0=[EBP-18]
0055909E |. D835 C0925500 |FDIV DWORD PTR DS:[5592C0] ; //ST0=ST0/2
005590A4 |. 83C4 F4 |ADD ESP,-0C
005590A7 |. DB3C24 |FSTP TBYTE PTR SS:[ESP] ; |
005590AA |. 9B |WAIT ; |
005590AB |. 8D45 EC |LEA EAX,DWORD PTR SS:[EBP-14] ; |
005590AE |. E8 B537EBFF |CALL PromoSof.0040C868 ; \PromoSof.0040C868
005590B3 |. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14] ; // presumably the text form of EBX/2 - confirm
005590B6 |. 50 |PUSH EAX
005590B7 |. 895D E8 |MOV DWORD PTR SS:[EBP-18],EBX
005590BA |. DB45 E8 |FILD DWORD PTR SS:[EBP-18] ; //ST0=[EBP-18]
005590BD |. D835 C0925500 |FDIV DWORD PTR DS:[5592C0] ; //ST0=ST0/2
005590C3 |. E8 0C9DEAFF |CALL PromoSof.00402DD4 ; // result comes back in EDX:EAX; presumably the integer part of EBX/2
005590C8 |. 8945 DC |MOV DWORD PTR SS:[EBP-24],EAX
005590CB |. 8955 E0 |MOV DWORD PTR SS:[EBP-20],EDX
005590CE |. DF6D DC |FILD QWORD PTR SS:[EBP-24] ; // reload that 64-bit integer onto the FPU stack
005590D1 |. 83C4 F4 |ADD ESP,-0C
005590D4 |. DB3C24 |FSTP TBYTE PTR SS:[ESP] ; |
005590D7 |. 9B |WAIT ; |
005590D8 |. 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] ; |
005590DB |. E8 8837EBFF |CALL PromoSof.0040C868 ; \PromoSof.0040C868
005590E0 |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
005590E3 |. 58 |POP EAX
005590E4 |. E8 1BC3EAFF |CALL PromoSof.00405404 ; // same callee as the final check at 005591A1; here it compares the two strings built above
005590E9 |. 75 33 |JNZ SHORT PromoSof.0055911E ; // not equal -> raw-character branch (odd positions, per the author's summary)
005590EB |. 8D45 D8 |LEA EAX,DWORD PTR SS:[EBP-28]
005590EE |. 50 |PUSH EAX
005590EF |. 8D55 D4 |LEA EDX,DWORD PTR SS:[EBP-2C]
005590F2 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4] ; // user name
005590F5 |. 0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] ; // fetch the ASCII value of the user-name character at index EBX
005590FA |. E8 DD12EBFF |CALL PromoSof.0040A3DC
005590FF |. 8B45 D4 |MOV EAX,DWORD PTR SS:[EBP-2C] ; // decimal string of the ASCII value
00559102 |. B9 02000000 |MOV ECX,2
00559107 |. BA 01000000 |MOV EDX,1
0055910C |. E8 07C4EAFF |CALL PromoSof.00405518
00559111 |. 8B55 D8 |MOV EDX,DWORD PTR SS:[EBP-28] ; // digits 1-2 of that decimal string
00559114 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
00559117 |. E8 A4C1EAFF |CALL PromoSof.004052C0 ; // presumably appends EDX's string to the one at [EBP-8]
0055911C |. EB 1B |JMP SHORT PromoSof.00559139
0055911E |> 8D45 D0 |LEA EAX,DWORD PTR SS:[EBP-30]
00559121 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4] ; // user name
00559124 |. 0FB6541A FF |MOVZX EDX,BYTE PTR DS:[EDX+EBX-1] ; // fetch the ASCII value of the user-name character at index EBX
00559129 |. E8 A2C0EAFF |CALL PromoSof.004051D0 ; // presumably turns that single byte into a one-character string at [EBP-30]
0055912E |. 8B55 D0 |MOV EDX,DWORD PTR SS:[EBP-30]
00559131 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
00559134 |. E8 87C1EAFF |CALL PromoSof.004052C0
00559139 |> 43 |INC EBX ; //EBX=EBX+1
0055913A |. 4E |DEC ESI ; //ESI=ESI-1
0055913B |.^ 0F85 57FFFFFF \JNZ PromoSof.00559098 ; // loop while ESI != 0; odd positions keep the character, even positions take digits 1-2 of its decimal ASCII value
00559141 |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00559144 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; // transformed string
00559147 |. E8 34BFEAFF CALL PromoSof.00405080 ; // presumably stores the transformed string in [EBP-4] - confirm
0055914C |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0055914F |. E8 94BEEAFF CALL PromoSof.00404FE8
00559154 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; // transformed string
00559157 |. E8 5CC1EAFF CALL PromoSof.004052B8 ; // get the transformed string's length
0055915C |. 8BD8 MOV EBX,EAX ; // EBX=EAX=transformed-string length
0055915E |. 83FB 01 CMP EBX,1
00559161 |. 7C 2A JL SHORT PromoSof.0055918D
; --- Loop 2: EBX counts down from the last index to 1 ---
00559163 |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] ; // transformed string
00559166 |. 807C18 FF 20 |CMP BYTE PTR DS:[EAX+EBX-1],20 ; // walking backwards: compare the byte at index EBX with 0x20 (space)
0055916B |. 74 1B |JE SHORT PromoSof.00559188 ; // jump if equal (the space is skipped)
0055916D |. 8D45 CC |LEA EAX,DWORD PTR SS:[EBP-34]
00559170 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4] ; // transformed string
00559173 |. 0FB6541A FF |MOVZX EDX,BYTE PTR DS:[EDX+EBX-1] ; // walking backwards: fetch the byte at index EBX
00559178 |. E8 53C0EAFF |CALL PromoSof.004051D0
0055917D |. 8B55 CC |MOV EDX,DWORD PTR SS:[EBP-34]
00559180 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
00559183 |. E8 38C1EAFF |CALL PromoSof.004052C0
00559188 |> 4B |DEC EBX ; //EBX=EBX-1
00559189 |. 85DB |TEST EBX,EBX
0055918B |.^ 75 D6 \JNZ SHORT PromoSof.00559163 ; // loop while EBX != 0; net effect: spaces removed, string reversed
; --- Final comparison of the entered code against the derived one ---
0055918D |> 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
00559190 |. 8B87 34030000 MOV EAX,DWORD PTR DS:[EDI+334]
00559196 |. E8 71BEEFFF CALL PromoSof.0045500C
0055919B |. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38] ; // code entered by the user
0055919E |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; // expected code derived from the user name
005591A1 |. E8 5EC2EAFF CALL PromoSof.00405404 ; // comparison call
005591A6 |. 0F85 8B000000 JNZ PromoSof.00559237 ; // deciding branch: not equal -> failure message at 00559237
; --- Success path ---
005591AC |. 6A 00 PUSH 0 ; /Arg1 = 00000000
005591AE |. 0FB70D C49255>MOVZX ECX,WORD PTR DS:[5592C4] ; |
005591B5 |. B2 02 MOV DL,2 ; |
005591B7 |. B8 D0925500 MOV EAX,PromoSof.005592D0 ; |registration complete! thank you for registering promosoft.
005591BC |. E8 C751EFFF CALL PromoSof.0044E388 ; \PromoSof.0044E388
005591C1 |. A1 90326100 MOV EAX,DWORD PTR DS:[613290]
005591C6 |. C600 01 MOV BYTE PTR DS:[EAX],1 ; // writes 1 to the byte pointed to by [613290]; presumably a "registered" flag - confirm
005591C9 |. A1 0C3B6100 MOV EAX,DWORD PTR DS:[613B0C]
005591CE |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005591D0 |. E8 2FEB0500 CALL PromoSof.005B7D04
005591D5 |. A1 0C3B6100 MOV EAX,DWORD PTR DS:[613B0C]
005591DA |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005591DC |. E8 1FED0500 CALL PromoSof.005B7F00
005591E1 |. A1 0C3B6100 MOV EAX,DWORD PTR DS:[613B0C]
005591E6 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005591E8 |. 8B90 50040000 MOV EDX,DWORD PTR DS:[EAX+450]
005591EE |. A1 0C3B6100 MOV EAX,DWORD PTR DS:[613B0C]
005591F3 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
005591F5 |. 8B80 4C040000 MOV EAX,DWORD PTR DS:[EAX+44C]
005591FB |. E8 B421F3FF CALL PromoSof.0048B3B4
00559200 |. 8B15 E8376100 MOV EDX,DWORD PTR DS:[6137E8] ; PromoSof.00616840
00559206 |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
00559208 |. 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
0055920B |. B9 14935500 MOV ECX,PromoSof.00559314 ; sites\sites.dat
00559210 |. E8 EFC0EAFF CALL PromoSof.00405304
00559215 |. 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
00559218 |. 33D2 XOR EDX,EDX
0055921A |. E8 19D90A00 CALL PromoSof.00606B38
0055921F |. A1 0C3B6100 MOV EAX,DWORD PTR DS:[613B0C]
00559224 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00559226 |. E8 B56C0400 CALL PromoSof.0059FEE0
0055922B |. C787 64020000>MOV DWORD PTR DS:[EDI+264],1 ; // sets the field at [EDI+264] to 1 on success
00559235 |. EB 25 JMP SHORT PromoSof.0055925C
; --- Failure path ---
00559237 |> 6A 00 PUSH 0 ; /Arg1 = 00000000
00559239 |. 0FB70D C49255>MOVZX ECX,WORD PTR DS:[5592C4] ; |
00559240 |. B2 01 MOV DL,1 ; |
00559242 |. B8 2C935500 MOV EAX,PromoSof.0055932C ; |registration name or code is incorrect. try again.
00559247 |. E8 3C51EFFF CALL PromoSof.0044E388 ; \PromoSof.0044E388
0055924C |. 8B97 38030000 MOV EDX,DWORD PTR DS:[EDI+338]
00559252 |. A1 38656100 MOV EAX,DWORD PTR DS:[616538]
00559257 |. E8 F097F1FF CALL PromoSof.00472A4C
; --- Common exit: unlink the exception frame, then run the cleanup calls on the local string slots ---
0055925C |> 33C0 XOR EAX,EAX
0055925E |. 5A POP EDX
0055925F |. 59 POP ECX
00559260 |. 59 POP ECX
00559261 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX ; // restores the previous frame pointer at FS:[0]
00559264 |. 68 B8925500 PUSH PromoSof.005592B8 ; // the RETN at 005592B0 continues at 005592B8 (register restore)
00559269 |> 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
0055926C |. E8 77BDEAFF CALL PromoSof.00404FE8 ; // presumably releases the temporary string in this slot (same for the calls below) - confirm
00559271 |. 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
00559274 |. E8 6FBDEAFF CALL PromoSof.00404FE8
00559279 |. 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
0055927C |. BA 04000000 MOV EDX,4
00559281 |. E8 86BDEAFF CALL PromoSof.0040500C
00559286 |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00559289 |. E8 5ABDEAFF CALL PromoSof.00404FE8
0055928E |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00559291 |. E8 52BDEAFF CALL PromoSof.00404FE8
00559296 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00559299 |. BA 02000000 MOV EDX,2
0055929E |. E8 69BDEAFF CALL PromoSof.0040500C
005592A3 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
005592A6 |. BA 02000000 MOV EDX,2
005592AB |. E8 5CBDEAFF CALL PromoSof.0040500C
005592B0 \. C3 RETN
005592B1 .^ E9 5EB6EAFF JMP PromoSof.00404914 ; // target of the handler address pushed at 00559030
005592B6 .^ EB B1 JMP SHORT PromoSof.00559269
005592B8 . 5F POP EDI
005592B9 . 5E POP ESI
005592BA . 5B POP EBX
005592BB . 8BE5 MOV ESP,EBP
005592BD . 5D POP EBP
005592BE . C3 RETN
【破解总结】
--------------------------------------------------------------
【算法总结】
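用户名中处于奇数位(从1开始计数)的字符保持原样,处于偶数位的字符替换为其ASCII码十进制表示的前两位,依次相连形成新字符串;将新字符串去掉空格后倒序即为注册码。例如用户名 abcdef 变形后为 a98c10e10,倒序得到 01e01c89a。可见注册码完全由用户名经固定变换得到,不含任何密钥,且正确的注册码在比较前已完整出现在客户端内存中,这是此类注册码保护的根本弱点。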
--------------------------------------------------------------
【算法注册机】
〖VB代码〗
' Click handler: derives a code string from the user name typed in Text1 and
' writes it to Text2. With an empty Text1 it only writes a prompt to Text2.
' Two passes: (1) build an intermediate string M from the name,
' (2) copy M back to front into N while dropping spaces.
' NOTE(review): nothing but the name itself is needed as input, which reflects
' that the check being mirrored contains no secret or vendor-held key.
Private Sub Command1_Click()
' Only N is typed As String on this line; M is a Variant.
Dim M, N As String
' I, J, A and B carry no type clause, so they are Variants as well.
Dim I, J, A, B
If Len(Text1.Text) = 0 Then
Text2.Text = "请输入用户名!"
Else
' Pass 1: one user-name character per iteration, 1-based index I.
For I = 1 To Len(Text1.Text)
' A is the character code of the I-th character.
A = Asc(Mid(Text1.Text, I, 1))
If I Mod 2 = 1 Then
' Odd position: the character itself is appended.
M = M & Chr(A)
Else
' Even position: Left is applied to the number A, so VB converts it to its
' decimal text first; the first two characters of that text are appended.
M = M & Left(A, 2)
End If
Next
' Pass 2: J runs forward while the index Len(M) - J + 1 runs from the last
' character of M to the first, so N receives M in reverse order.
For J = 1 To Len(M)
B = Mid(M, Len(M) - J + 1, 1)
If B = " " Then
' A space contributes nothing (appending "" leaves N unchanged).
N = N & ""
Else
N = N & B
End If
Next
Text2.Text = N
End If
End Sub
〖Delphi代码〗
// Click handler: derives a code string from the user name typed in Edit1 and
// writes it to Edit2. With an empty Edit1 it shows a message box and returns.
// Two passes: (1) build an intermediate string b from the name,
// (2) copy b back to front into d while dropping spaces.
// NOTE(review): nothing but the name itself is needed as input, which reflects
// that the check being mirrored contains no secret or vendor-held key.
procedure TForm1.Button1Click(Sender: TObject);
var
// i, j: loop counters; a: code of the current name character; c: code of the current character of b
i,j,a,c:integer;
// b: intermediate string; d: final result (both are only ever appended to)
b,d:string;
begin
if Length(Edit1.Text)=0 then
begin
ShowMessage('请输入用户名!');
exit;
end;
// Pass 1: one user-name character per iteration, 1-based index i.
for i:=1 to length(edit1.text) do
begin
a:=ord(edit1.text[i]);
if (i mod 2=1) then
// Odd position: the character itself is appended.
b:=b + Chr(a)
else
// Even position: the first two characters of the decimal text of a are appended.
b:=b + copy(inttostr(a),1,2)
end;
// Pass 2: the index length(b)-j+1 runs from the last character of b to the
// first, so d receives b in reverse order.
for j:=1 to length(b) do
begin
c:=ord(b[length(b)-j+1]);
if (c=32) then
// Code 32 is a space: the self-assignment leaves d unchanged, i.e. the space is dropped.
d:=d
else
d:=d + chr(c)
end;
Edit2.Text :=d;
end;
--------------------------------------------------------------
【内存注册机】
中断地址 005591A1
中断次数 1
第一字节 E8
指令长度 5
内存方式-寄存器-EDX
--------------------------------------------------------------
【注册信息】
用户名:abcdef
注册码:01e01c89a
注册信息保存在 reginfo.ini 文件中
--------------------------------------------------------------
感谢飘云老大、猫老大、Nisy老大以及很多前辈们的学习教程以及所有帮助过我的论坛兄弟姐妹们!谢谢
--------------------------------------------------------------
【版权声明】破文是学习的手记,兴趣是成功的源泉;本破文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!