批量更名专家V1.5 Build 1111 算法分析 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → 批量更名专家V1.5 Build 1111 算法分析

批量更名专家V1.5 Build 1111 算法分析 时间：2004/10/15 0:53:00来源：本站整理作者：蓝点我要评论(0): 　

算法分析——批量更名专家V1.5 Build 1111

下载地址： http://www.skycn.com/soft/7412.html
软件大小： 888 KB
软件语言：简体中文
软件类别：国产软件 / 免费版 / 文件更名
应用平台： Win9x/NT/2000/XP
加入时间： 2002-11-11 14:32:01
下载次数： 12853
推荐等级： ***
开发商： http://zigsoft.yeah.net

【软件简介】：批量更名专家是一款优秀的批量文件改名工具，更名速度极快。简明的资源管理器界面，上手极为方便。提供批量修改文件属性和日期，修改扩展名，修改大小写，可以插入，删除，替换，独特的序数改名功能，直接编辑文件名，根据MP3文件的Id3信息改名等。

【软件限制】：30天试用。

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请各大侠赐教！

【破解工具】：TRW2000娃娃修改版、FI2.5、AspackDie、RegMon、W32Dasm8.93黄金版

—————————————————————————————
【过程】：

呵呵，这个软件简单，很多朋友都已经解过了。在天空溜达，看见它的个头不大，索性DOWN下来练练手。

找注册码挺简单，但是要细细的分析算法可就需要耐心与毅力了。
唉，菜鸟分析算法真难呀！算法虽简单却转来绕去，让我头大。

填入试炼信息。

用户名：flysky12（不能少于8位）
试炼码：13572468

—————————————————————————————
软件需要重启验证注册码，因此软件肯定把注册码保存在注册表或其它文件中。用RegMon监测，在注册表中发现了它留下的“尾巴”。

呵呵，发现了"RWCode"的键名，老方法，在反汇编代码里搜索RWCode，简简单单我们就找到了核心：4B8E92。于是，首先在TRW里下BPX 4B8E92，然后重新载入程序。F5，程序被拦下！

—————————————————————————————
1、用户名不能少于8位

:004B979C E81FA8F4FF call 00403FC0
:004B97A1 83F808 cmp eax, 00000008
====>比较用户名是否少于8位？

:004B97A4 7D1D jge 004B97C3
====>少于8位则不跳则OVER！
:004B97A6 6A00 push 00000000

* Possible StringData Ref from Code Obj ->"警告框"
|
:004B97A8 B930994B00 mov ecx, 004B9930

* Possible StringData Ref from Code Obj ->"用户名太短或者注册号不对！"
|
:004B97AD BA38994B00 mov edx, 004B9938

—————————————————————————————
2、开始追踪！

* Possible StringData Ref from Code Obj ->"RWCode"
====>注册信息存放位置！
:004B8E92 BA28904B00 mov edx, 004B9028
====>我们拦在这儿！

F10走，多加注意！经过一个RET，很快的我们就来到了核心！

…… ……
:004B8EF0 8D55F0 lea edx, dword ptr [ebp-10]
:004B8EF3 8B45FC mov eax, dword ptr [ebp-04]
====>D EAX=我们输入的试炼信息
:004B8EF6 E845FDFFFF call 004B8C40
====>算法CALL！F8进入！

:004B8EFB 8B45F0 mov eax, dword ptr [ebp-10]
:004B8EFE 8B55F8 mov edx, dword ptr [ebp-08]
:004B8F01 E8CAB1F4FF call 004040D0
====>比较CALL！F8进入！

:004B8F06 0F85AB000000 jne 004B8FB7
====>跳则OVER！
:004B8F0C B201 mov dl, 01

:004B8FA7 8B45F4 mov eax, dword ptr [ebp-0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B8EE0(C), :004B8EEA(C), :004B8F06(C)
|
:004B8FB7 33C0 xor eax, eax

—————————————————————————————
3、F8进入算法CALL：004B8EF6 call 004B8C40
注：下面的“1、2、3……”是指循环的次序，最好自己跟踪一下，很容易晕头的。呵呵，让我难受。关键结果下面我都标上 ******** 的记号！

* Referenced by a CALL at Address:
|:004B8EF6
|
:004B8C40 55 push ebp
:004B8C41 8BEC mov ebp, esp
:004B8C43 B904000000 mov ecx, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8C4D(C)
|
:004B8C48 6A00 push 00000000
:004B8C4A 6A00 push 00000000
:004B8C4C 49 dec ecx
:004B8C4D 75F9 jne 004B8C48
:004B8C4F 51 push ecx
:004B8C50 53 push ebx
:004B8C51 56 push esi
:004B8C52 57 push edi
:004B8C53 8955F8 mov dword ptr [ebp-08], edx
:004B8C56 8945FC mov dword ptr [ebp-04], eax
:004B8C59 8B45FC mov eax, dword ptr [ebp-04]
====>用户名入EAX
:004B8C5C E813B5F4FF call 00404174
:004B8C61 33C0 xor eax, eax
:004B8C63 55 push ebp
:004B8C64 68DC8D4B00 push 004B8DDC
:004B8C69 64FF30 push dword ptr fs:[eax]
:004B8C6C 648920 mov dword ptr fs:[eax], esp
:004B8C6F B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"|"A"
|
:004B8C71 A1F8034100 mov eax, dword ptr [004103F8]
:004B8C76 E849A3F4FF call 00402FC4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8C02(C)
|
:004B8C7B 8945EC mov dword ptr [ebp-14], eax
:004B8C7E 33C0 xor eax, eax
:004B8C80 55 push ebp
:004B8C81 689A8D4B00 push 004B8D9A
:004B8C86 64FF30 push dword ptr fs:[eax]
:004B8C89 648920 mov dword ptr fs:[eax], esp
:004B8C8C 8D45F4 lea eax, dword ptr [ebp-0C]
:004B8C8F 8B55FC mov edx, dword ptr [ebp-04]
:004B8C92 E841B1F4FF call 00403DD8
:004B8C97 8B45F4 mov eax, dword ptr [ebp-0C]
:004B8C9A E821B3F4FF call 00403FC0
====>取用户名位数。
:004B8C9F 8BF0 mov esi, eax
====>？EAX=8，入ESI

:004B8CA1 8B45F4 mov eax, dword ptr [ebp-0C]
:004B8CA4 E817B3F4FF call 00403FC0
:004B8CA9 8BD8 mov ebx, eax
:004B8CAB 85DB test ebx, ebx
====>？EBX=8，用户名位数
:004B8CAD 0F8EA0000000 jle 004B8D53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D4D(C)
注册码算法的循环开始了！要细心看了！作者真不怕麻烦，我都快追晕了。^-^

:004B8CB3 8BC3 mov eax, ebx
====>EAX是循环的次数，依次递减。
:004B8CB5 2501000080 and eax, 80000001
====>保留eax的最后一位,如果eax是奇数那他的最后一位就是1那么在下面
:004B8CBA 7905 jns 004B8CC1
:004B8CBC 48 dec eax
:004B8CBD 83C8FE or eax, FFFFFFFE
:004B8CC0 40 inc eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CBA(C)
|
:004B8CC1 85C0 test eax, eax
:004B8CC3 752E jne 004B8CF3
====>是否是判断奇、偶数的？分别跳转？
:004B8CC5 8B45F4 mov eax, dword ptr [ebp-0C]
====>D EAX=flysky12
:004B8CC8 0FB64418FF movzx eax, byte ptr [eax+ebx-01]

EBX=8 取第8位 ====>1、？EAX=32 即2的HEX值
EBX=6 取第6位 ====>3、？EAX=79 即y的HEX值
EBX=4 取第4位 ====>5、？EAX=73 即s的HEX值
EBX=2 取第2位 ====>7、？EAX=6C 即l的HEX值

:004B8CCD 8BD6 mov edx, esi
====>8入EDX
:004B8CCF 2BD3 sub edx, ebx
====>1、EDX=8-8=0
====>3、EDX=8-6=2
====>5、EDX=8-4=4
====>7、EDX=8-2=6

:004B8CD1 8B4DF4 mov ecx, dword ptr [ebp-0C]
====>D ECX=flysky12
:004B8CD4 0FB65411FF movzx edx, byte ptr [ecx+edx-01]
从第0位取字符 ====>1、EDX=0，即从第0位取字符
从第2位取字符 ====>3、EDX=6C，即l的HEX值
从第4位取字符 ====>5、EDX=73，即s的HEX值
从第6位取字符 ====>7、EAX=79，即y的HEX值

:004B8CD9 F7EA imul edx
====>1、EAX=32*0=0
====>3、EAX=79*6C=330C
====>5、EAX=73*73=33A9
====>7、EAX=6C*79=330C

:004B8CDB 83E003 and eax, 00000003
====>1、EAX=0&3=0(分别进行“与”运算)
====>3、EAX=330C&3=0
====>5、EAX=33A9&3=1
====>7、EAX=330C&3=0

:004B8CDE 8D55E8 lea edx, dword ptr [ebp-18]
:004B8CE1 E87E04F5FF call 00409164
====>此CALL把以上所得值转化为十进制值
:004B8CE6 8B55E8 mov edx, dword ptr [ebp-18]
====>结果入EDX
====>1、EDX=0
********
====>3、EDX=0
********
====>5、EDX=1
********
====>7、EDX=0
********

:004B8CE9 8B45EC mov eax, dword ptr [ebp-14]
:004B8CEC 8B08 mov ecx, dword ptr [eax]
:004B8CEE FF5134 call [ecx+34]

:004B8CF1 EB57 jmp 004B8D4A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CC3(C)
|
:004B8CF3 8BC3 mov eax, ebx
====>2、7入EAX
====>4、5入EAX
====>6、3入EAX
====>8、1入EAX

:004B8CF5 B903000000 mov ecx, 00000003
====>3入ECX
:004B8CFA 99 cdq
:004B8CFB F7F9 idiv ecx
====>2、EAX=7/3=2余1
====>4、EAX=5/3=1余2
====>6、EAX=3/3=1余0
====>8、EAX=1/3

:004B8CFD 85D2 test edx, edx
:004B8CFF 752B jne 004B8D2C
====>EDX=0则不跳！即不可整除就跳！
:004B8D01 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=flysky12
:004B8D04 0FB64418FF movzx eax, byte ptr [eax+ebx-01]
EBX=3 取第3位 ====>6、EAX=79，即y的HEX值

:004B8D09 8BD6 mov edx, esi
:004B8D0B 2BD3 sub edx, ebx
====>6、EDX=8-3=5
:004B8D0D 8B4DF4 mov ecx, dword ptr [ebp-0C]
====>D ECX=flysky12
:004B8D10 0FB65411FF movzx edx, byte ptr [ecx+edx-01]
EDX=5 取第5位 ====>6、D EDX=6B，即k的HEX值
:004B8D15 03C2 add eax, edx
====>6、EAX=79+6B=E4

:004B8D17 8D55E4 lea edx, dword ptr [ebp-1C]
:004B8D1A E84504F5FF call 00409164
====>此CALL把以上所得值转化为十进制值
:004B8D1F 8B55E4 mov edx, dword ptr [ebp-1C]
====>6、EDX=228，即E4的Decimal值
********

:004B8D22 8B45EC mov eax, dword ptr [ebp-14]
:004B8D25 8B08 mov ecx, dword ptr [eax]
:004B8D27 FF5134 call [ecx+34]
:004B8D2A EB1E jmp 004B8D4A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CFF(C)
|
:004B8D2C 8B45F4 mov eax, dword ptr [ebp-0C]
====>EAX=flysky12
:004B8D2F 0FB64418FF movzx eax, byte ptr [eax+ebx-01]
EBX=7 ====>2、EAX=31，即第7位的字符
EBX=5 ====>4、EAX=6B，即第5位的字符
EBX=1 ====>8、EAX=66，即第1位的字符

:004B8D34 83C005 add eax, 00000005
====>2、EAX=31+5=36
====>4、EAX=6B+5=70
====>8、EAX=66+5=6B

:004B8D37 8D55E0 lea edx, dword ptr [ebp-20]
:004B8D3A E82504F5FF call 00409164
====>此CALL把以上所得值转化为十进制值
:004B8D3F 8B55E0 mov edx, dword ptr [ebp-20]
====>2、EDX= 54，即36的Decimal值
********
====>4、EDX=112，即70的Decimal值
********
====>8、EDX=107，即6B的Decimal值
********

:004B8D42 8B45EC mov eax, dword ptr [ebp-14]
:004B8D45 8B08 mov ecx, dword ptr [eax]
:004B8D47 FF5134 call [ecx+34]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B8CF1(U), :004B8D2A(U)
|
:004B8D4A 4B dec ebx
====>EBX依次减一
====>1、EBX=7
====>2、EBX=6
……　　……

:004B8D4B 85DB test ebx, ebx
:004B8D4D 0F8F60FFFFFF jg 004B8CB3
====>没取完？继续循环！
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CAD(C)
|
:004B8D53 8B45EC mov eax, dword ptr [ebp-14]
:004B8D56 8B10 mov edx, dword ptr [eax]
:004B8D58 FF5214 call [edx+14]
:004B8D5B 8BF0 mov esi, eax
:004B8D5D 4E dec esi
:004B8D5E 85F6 test esi, esi
:004B8D60 7C22 jl 004B8D84
:004B8D62 46 inc esi
:004B8D63 33DB xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D82(C)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
下面循环代码的作用是把上面8次循环所得的结果，按照8、7、6、5、4、3、2、1的倒序方式连接起来，所得到的最后结果存入[EBP-10]处！这就是咱们“千辛万苦”追踪的真码！

:004B8D65 8D4DDC lea ecx, dword ptr [ebp-24]
:004B8D68 8BD3 mov edx, ebx
:004B8D6A 8B45EC mov eax, dword ptr [ebp-14]
:004B8D6D 8B38 mov edi, dword ptr [eax]
:004B8D6F FF570C call [edi+0C]
:004B8D72 8B55DC mov edx, dword ptr [ebp-24]
:004B8D75 8D45F0 lea eax, dword ptr [ebp-10]
:004B8D78 8B4DF0 mov ecx, dword ptr [ebp-10]
:004B8D7B E88CB2F4FF call 0040400C
:004B8D80 43 inc ebx
:004B8D81 4E dec esi
:004B8D82 75E1 jne 004B8D65
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D60(C)
|
:004B8D84 33C0 xor eax, eax
:004B8D86 5A pop edx
:004B8D87 59 pop ecx
:004B8D88 59 pop ecx
:004B8D89 648910 mov dword ptr fs:[eax], edx
:004B8D8C 68A18D4B00 push 004B8DA1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D9F(U)
|
:004B8D91 8B45EC mov eax, dword ptr [ebp-14]
:004B8D94 E85BA2F4FF call 00402FF4
:004B8D99 C3 ret
—————————————————————————————

4、F8进入比较CALL：004B8F01 call 004040D0

:004040D0 53 push ebx
:004040D1 56 push esi
:004040D2 57 push edi
:004040D3 89C6 mov esi, eax
:004040D5 89D7 mov edi, edx
:004040D7 39D0 cmp eax, edx
====>D EAX=真码！！
====>D EDX=试炼码

:004040D9 0F848F000000 je 0040416E

—————————————————————————————
【KeyMake之内存注册机】：

中断地址：4B8F01
中断次数：1
第一字节：E8
指令长度：5

中断地址：4040D7
中断次数：1
第一字节：39
指令长度：2

内存方式：EAX

—————————————————————————————
【注册信息保存】：
HKEY_LOCAL_MACHINE\Software\zigsoft\rw1.5\setup]

"RWUser"="flysky12"
"RWCode"="107022811120540"
—————————————————————————————
【整理】：

用户名：flysky12
注册码：107022811120540
—————————————————————————————

Cracked By 巢水工作坊——fly【OCN】

2003-2-7 23:00

文章评论

查看所有0条评论>>

热门文章 去除winrar注册框方法