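GreenBrowser 1.0.312 Cracking Notes -- Algorithm Analysis
Author: newlaos[DFCG]
Software name: GreenBrowser 1.0.312 (web browsing)
Listing date: 2003.3.28 (Huajun)
Latest version: 1.0.312
File size: 443KB
License: shareware
Platform: Win9x/Me/NT/2000/XP
Publisher: http://www.websamba.com/morequick
Description: GreenBrowser is an IE-based multi-window browser with many additional features, for example: hotkeys, collector, mouse gestures, mouse drag, pop-up window filtering, search engines, page background colour setting, toolbar skins, proxy server, auto-scroll, auto-save, auto form fill, startup mode...
Protection: registration code
Cracking tools: TRW2000 1.23 (registered version), W32Dasm 8.93 (Gold edition), FI 2.5
Crack date: 2003-04-04
Statement from the author, newlaos: this is for study only. Please do not use it for commercial purposes or freely distribute a keygen built with the method in this article; I accept no responsibility for any consequences.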
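1. First inspect the main file "GreenBrowser.exe" with FI 2.5: it is not packed. The program was built with VC++ 6.0.
2. Statically disassemble GreenBrowser.exe with W32Dasm 8.93 (Gold edition), then use the String Data References list to find "Registration key error!"
Double-click it to reach the code segment below.
3. Then trace dynamically with TRW2000 1.23 (registered version), setting the breakpoint BPX 00412500 (you normally break a little before the point where registration success or failure is decided, so that the key part can be found).
First enter a fake code: 78787878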
.......
.......
:00412500 6AFF push FFFFFFFF
:00412502 68B01E4800 push 00481EB0
:00412507 64A100000000 mov eax, dword ptr fs:[00000000]
:0041250D 50 push eax
:0041250E 64892500000000 mov dword ptr fs:[00000000], esp
:00412515 83EC08 sub esp, 00000008
:00412518 A1B0DC4A00 mov eax, dword ptr [004ADCB0]
:0041251D 55 push ebp
:0041251E 56 push esi
:0041251F 57 push edi
:00412520 8BF1 mov esi, ecx
:00412522 89442410 mov dword ptr [esp+10], eax
:00412526 C744241C00000000 mov [esp+1C], 00000000
:0041252E 8944240C mov dword ptr [esp+0C], eax
:00412532 8D442410 lea eax, dword ptr [esp+10]
:00412536 8D8E98000000 lea ecx, dword ptr [esi+00000098]
:0041253C 50 push eax
:0041253D C644242001 mov [esp+20], 01
:00412542 E8864E0500 call 004673CD <===EAX=8 (length of the machine code) ECX=30084737
:00412547 8D4C240C lea ecx, dword ptr [esp+0C]
:0041254B 51 push ecx
:0041254C 8D4E5C lea ecx, dword ptr [esi+5C]
:0041254F E8794E0500 call 004673CD <===EAX=8 (length of the registration code) ECX=78787878
:00412554 8B54240C mov edx, dword ptr [esp+0C]
:00412558 837AF801 cmp dword ptr [edx-08], 00000001
:0041255C 0F8E8F000000 jle 004125F1 <===if the jump is taken here, no registration code was entered
:00412562 8B442410 mov eax, dword ptr [esp+10]
:00412566 50 push eax
:00412567 E8D2250400 call 00454B3E <===converts the machine code to hexadecimal: 1CB0E81
:0041256C 8B4C2410 mov ecx, dword ptr [esp+10]
:00412570 8BF8 mov edi, eax
:00412572 51 push ecx
:00412573 E8C6250400 call 00454B3E <===converts the registration code to hexadecimal: 4B23526
:00412578 83C408 add esp, 00000008
:0041257B 8BCE mov ecx, esi
:0041257D 8BE8 mov ebp, eax
:0041257F 57 push edi
:00412580 E8AB000000 call 00412630 <===the key CALL: transforms the hexadecimal machine code
:00412585 3BC5 cmp eax, ebp <===EBP=4B23526; EAX is the transformed hexadecimal machine code
:00412587 755D jne 004125E6 <===not equal, so jump to the failure path
* Possible Reference to Dialog: DialogID_0064, CONTROL_ID:04DD, "Register"
|
:00412589 68DD040000 push 000004DD
:0041258E 8BCE mov ecx, esi
:00412590 E80A710500 call 0046969F
:00412595 8BF8 mov edi, eax
:00412597 6A00 push 00000000
:00412599 8BCF mov ecx, edi
:0041259B E87E730500 call 0046991E
* Possible StringData Ref from Data Obj ->"Register Ok"
|
:004125A0 68B4BB4A00 push 004ABBB4 <===registration succeeded
:004125A5 8BCF mov ecx, edi
:004125A7 E814720500 call 004697C0
* Possible Reference to Dialog: DialogID_0064, CONTROL_ID:04DF, "Get Key"
|
:004125AC 68DF040000 push 000004DF
:004125B1 8BCE mov ecx, esi
:004125B3 E8E7700500 call 0046969F
:004125B8 6A00 push 00000000
:004125BA 8BC8 mov ecx, eax
:004125BC E85D730500 call 0046991E
:004125C1 E863920600 call 0047B829
:004125C6 8B4004 mov eax, dword ptr [eax+04]
:004125C9 55 push ebp
* Possible StringData Ref from Data Obj ->"RKey"
|
:004125CA 68C0BB4A00 push 004ABBC0
* Possible StringData Ref from Data Obj ->"Settings"
|
:004125CF 68F0B14A00 push 004AB1F0
:004125D4 8BC8 mov ecx, eax
:004125D6 E8ECF40500 call 00471AC7
:004125DB 6A00 push 00000000
:004125DD 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Thanks for you register, best "
->"support will prepare for you!"
|
:004125DF 6828BD4A00 push 004ABD28 <===thank-you message shown after successful registration
:004125E4 EB14 jmp 004125FA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412587(C)
|
:004125E6 6A00 push 00000000
:004125E8 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Registration key error!"
|
:004125EA 6810BD4A00 push 004ABD10 <===registration code is wrong
:004125EF EB09 jmp 004125FA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041255C(C)
|
:004125F1 6A00 push 00000000
:004125F3 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Please input registration key!"
|
:004125F5 68F0BC4A00 push 004ABCF0 <===please enter a registration code (heh, i.e. nothing was entered)
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004125E4(U), :004125EF(U)
|
:004125FA E88FF30500 call 0047198E
:004125FF 8D4C240C lea ecx, dword ptr [esp+0C]
:00412603 C644241C00 mov [esp+1C], 00
:00412608 E81C7C0500 call 0046A229
:0041260D 8D4C2410 lea ecx, dword ptr [esp+10]
:00412611 C744241CFFFFFFFF mov [esp+1C], FFFFFFFF
:00412619 E80B7C0500 call 0046A229
:0041261E 8B4C2414 mov ecx, dword ptr [esp+14]
:00412622 5F pop edi
:00412623 5E pop esi
:00412624 5D pop ebp
:00412625 64890D00000000 mov dword ptr fs:[00000000], ecx
:0041262C 83C414 add esp, 00000014
:0041262F C3 ret
.......
.......
------00412580 call 00412630: transforms the hexadecimal machine code------------------
:00412630 8B442404 mov eax, dword ptr [esp+04] <===EAX=1CB0E81
:00412634 350B484802 xor eax, 0248480B <===EAX=1CB0E81 XOR 0248480B =383468A
:00412639 054271F900 add eax, 00F97142 <===EAX=383468A + F97142 =47CB7CC
:0041263E 7905 jns 00412645
:00412640 99 cdq
:00412641 33C2 xor eax, edx
:00412643 2BC2 sub eax, edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041263E(C)
|
:00412645 C20400 ret 0004
-----------------------------------------------------------------------------
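4. Algorithm analysis: ---type: f1(machine code) = registration code---
a. Convert both the machine code and the registration code to hexadecimal form.
b. Process the hexadecimal form of the machine code as follows:
machine code 1 = (machine code xor 0248480B) + F97142
c. Compare machine code 1 with registration code 1 (hexadecimal form); if they are equal, registration succeeds.
d. Convert the machine code to hexadecimal, XOR it with 0248480B, then add F97142; the resulting value, converted back to decimal, is the registration code. My machine code is 30084737, so the registration code is 75282380.
5. The registration information is saved in the file GreenBrowser.ini: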
[Settings]
RKey=75282380