Visual CHM 4.0 算法分析 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → Visual CHM 4.0 算法分析

Visual CHM 4.0 算法分析 时间：2004/10/15 0:53:00来源：本站整理作者：蓝点我要评论(0): 　

算法浅探！——Visual CHM 4.0

下载页面： http://www.skycn.com/soft/6376.html
软件大小： 1570 KB
软件语言：简体中文
软件类别：国产软件 / 共享版 / 安装制作
应用平台： Win9x/NT/2000/XP
加入时间： 2002-11-18 09:39:16
下载次数： 12464
推荐等级： ****
开发商： http://cn.geocities.com/vchm2000/

【软件简介】：一级棒的制作CHM文件的工具。
Visual CHM 将帮助您非常容易的制作出具有非常专业水准的CHM文件，而且是“所见即所得”。

【软件限制】：功能限制

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、FI2.5、AspackDie、W32Dasm8.93黄金版

—————————————————————————————————
【过程】：

呵呵，记得刚学破解时想把《看雪论坛精华3、4》合并为1个CHM文件，于是找到了这个软件，Visual CHM 的确是一款一级棒的制作软件，但是未注册版只能编译15个节点的文件。当时我调试了好几次均无功而返。

后来得知软件作者葛泽华先生就是一位CRACK高手！前些日从看雪精华里发现 heXer/iPB 老师分析3.10版的算法解文，非常高兴，于是这3天来静下心又重新试试4.0的破解，居然饶幸找到了一点眉目！

我很菜，许多地方分析的有错误，恳请诸位老师指正！另外：特别感谢 heXer/iPB 老师和葛泽华先生。冒犯之处，还请葛先生海涵！

近1个月我把学破解以来所作的笔记整理出来一部分，已经全部放到论坛上了，谢谢老师、朋友们的关心和帮助！以后我或许没有充裕的时间破解了，就以此篇解文作为我这段学习日子的小结吧！东方欲晓了，呵呵，又一个不眠之夜。~_~~_~

—————————————————————————————————
Vchm.exe是ASPack 2.12壳，用AspackDie脱之。407K->1.28M。反汇编，便于静态分析。

用户名：fly[OCN] （用户名长度须在5-32位间）
试炼码：BCDEFGHIJK （注册码10位）

设：1、用户名fly[OCN]为N0；2、对N0进行运算后得出的字符TJYIPJFB为N1；3、对N1运算后得出的字符TJYIPJFBFW为N2；4、试炼码BCDEFGHIJK为K0；5、对K0进行运算后得出的字符LJPJLJXJLJ为K1；6、对K1进行运算后得出的字符RSTUVWXYZJ为K2。呵呵，我也是晕头转向呀！~@~

★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
一、对用户名 N0 进行运算后得出 N1

* Possible StringData Ref from Code Obj ->"http://www.vchm.com/ convenient "
->"CHM editor,WYSIWYG."
|
:004E7684 BA3C8B4E00 mov edx, 004E8B3C
====>EDX=http://www.vchm.com/ convenient CHM editor,WYSIWYG.

:004E7689 E8BAD5F1FF call 00404C48
:004E768E 8B45FC mov eax, dword ptr [ebp-04]
:004E7691 0550060000 add eax, 00000650
:004E7696 8B55FC mov edx, dword ptr [ebp-04]
:004E7699 8B9248060000 mov edx, dword ptr [edx+00000648]
:004E769F E860D5F1FF call 00404C04

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E764A(C)
|
:004E76A4 8D45E8 lea eax, dword ptr [ebp-18]
:004E76A7 BA788B4E00 mov edx, 004E8B78
:004E76AC E897D5F1FF call 00404C48
:004E76B1 8B45FC mov eax, dword ptr [ebp-04]
:004E76B4 8B8050060000 mov eax, dword ptr [eax+00000650]
====>EAX=fly[OCN]

:004E76BA E8C5D7F1FF call 00404E84
====>取用户名长度

:004E76BF 8BF8 mov edi, eax
====>EDI=8

:004E76C1 85FF test edi, edi
:004E76C3 7E66 jle 004E772B
:004E76C5 BE01000000 mov esi, 00000001
====>ESI=1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7729(C)
|
:004E76CA 8B45FC mov eax, dword ptr [ebp-04]
:004E76CD 8B8050060000 mov eax, dword ptr [eax+00000650]
====>EAX=fly[OCN]

:004E76D3 8A5C30FF mov bl, byte ptr [eax+esi-01]
====>依次取用户名字符的HEX值
1、 ====>BL=66

…… …… 省略 …… ……
8、 ====>BL=5D

:004E76D7 8B45EC mov eax, dword ptr [ebp-14]
====>EAX=http://www.vchm.com/ convenient CHM editor,WYSIWYG.

:004E76DA 8A4430FF mov al, byte ptr [eax+esi-01]
====>依次取http://www.vchm.com/ convenient CHM editor,WYSIWYG.
1、 ====>AL=68

…… …… 省略 …… ……
8、 ====>AL=77

:004E76DE 32D8 xor bl, al
1、 ====>BL=66 XOR 68=0E

…… …… 省略 …… ……
8、 ====>BL=5D XOR 77=2A

:004E76E0 81E3FF000000 and ebx, 000000FF
:004E76E6 33DE xor ebx, esi
1、 ====>EBX=0E XOR 01=0F

…… …… 省略 …… ……
8、 ====>EBX=2A XOR 08=22

:004E76E8 83FB41 cmp ebx, 00000041
====>EBX 是否小于41？
:004E76EB 7D0B jge 004E76F8
====>小于则下面相加

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E76F6(C)
|
:004E76ED 8D441E16 lea eax, dword ptr [esi+ebx+16]
1、① ====>EAX=01 + 0F + 16=26
1、② ====>EAX=01 + 26 + 16=3D
1、③ ====>EAX=01 + 3D + 16=54

…… …… 省略 …… ……
8、① ====>EAX=08 + 22 + 16=40
8、② ====>EAX=08 + 40 + 16=5E

:004E76F1 8BD8 mov ebx, eax
====>EBX=EAX

:004E76F3 83FB41 cmp ebx, 00000041
====>EBX 是否小于41？

:004E76F6 7CF5 jl 004E76ED
====>是则跳上去继续相加，直至不小于41

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E76EB(C)
|
:004E76F8 83FB7A cmp ebx, 0000007A
:004E76FB 7E0F jle 004E770C
====>若大于 7A ，则下面相减！

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7705(C)
|
:004E76FD 83EB1B sub ebx, 0000001B
:004E7700 2BDE sub ebx, esi
:004E7702 83FB7A cmp ebx, 0000007A
:004E7705 7FF6 jg 004E76FD
:004E7707 EB03 jmp 004E770C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7714(C)
|
:004E7709 83C304 add ebx, 00000004

…… …… 省略 …… ……
8、① ====>EAX=5E + 04=62

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004E76FB(C), :004E7707(U)
|
:004E770C 83FB61 cmp ebx, 00000061
====>EBX 是否小于61？
:004E770F 7D05 jge 004E7716
:004E7711 83FB5A cmp ebx, 0000005A
:004E7714 7FF3 jg 004E7709

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E770F(C)
|
:004E7716 8B45FC mov eax, dword ptr [ebp-04]
:004E7719 0550060000 add eax, 00000650
:004E771E E8B1D9F1FF call 004050D4
:004E7723 885C30FF mov byte ptr [eax+esi-01], bl
====>结果入 [eax+esi-01] 处
1、 ====>BL=54
2、 ====>BL=4A
3、 ====>BL=59
4、 ====>BL=49
5、 ====>BL=70
6、 ====>BL=6A
7、 ====>BL=66
8、 ====>BL=62
循环结束后[eax+esi-01] 处是fly[OCN](设为N0)经过以上运算转换后的字符：TJYIpjfb（设为N1）

:004E7727 46 inc esi
====>ESI 逐次增1
:004E7728 4F dec edi
====>8次！用户名长度
:004E7729 759F jne 004E76CA
====>继续循环？
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★

…… …… 省略 …… ……

* Possible StringData Ref from Code Obj ->"DropZone"
|
:004E7985 BAFC854E00 mov edx, 004E85FC
:004E798A 8B18 mov ebx, dword ptr [eax]
:004E798C FF5310 call [ebx+10]
:004E798F 8BD0 mov edx, eax
:004E7991 A12C154F00 mov eax, dword ptr [004F152C]
:004E7996 8B00 mov eax, dword ptr [eax]
:004E7998 E84726F8FF call 00469FE4
:004E799D A12C154F00 mov eax, dword ptr [004F152C]
:004E79A2 8B00 mov eax, dword ptr [eax]
:004E79A4 8A5057 mov dl, byte ptr [eax+57]
:004E79A7 8B45FC mov eax, dword ptr [ebp-04]
:004E79AA 8B80E8050000 mov eax, dword ptr [eax+000005E8]

◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇
二、对试炼码 K0 进行运算后得出 K1

:004E79B0 E8239CF7FF call 004615D8
:004E79B5 8B45FC mov eax, dword ptr [ebp-04]
:004E79B8 056C060000 add eax, 0000066C
:004E79BD BA0A000000 mov edx, 0000000A
:004E79C2 E841D8F1FF call 00405208
====>取试炼码码前10位呵呵，我只输入10位 ^v^ ㊣

:004E79C7 8B45FC mov eax, dword ptr [ebp-04]
:004E79CA 8B806C060000 mov eax, dword ptr [eax+0000066C]
====>EAX=BCDEFGHIJK

:004E79D0 E8AFD4F1FF call 00404E84
====>取试炼码位数

:004E79D5 8BD8 mov ebx, eax
====>EBX=A

:004E79D7 8B45FC mov eax, dword ptr [ebp-04]
:004E79DA 056C060000 add eax, 0000066C
:004E79DF 8BD3 mov edx, ebx
:004E79E1 E822D8F1FF call 00405208
:004E79E6 8B45FC mov eax, dword ptr [ebp-04]
:004E79E9 8B806C060000 mov eax, dword ptr [eax+0000066C]
:004E79EF E890D4F1FF call 00404E84
:004E79F4 8BF8 mov edi, eax
:004E79F6 85FF test edi, edi
:004E79F8 7E5C jle 004E7A56
:004E79FA BE01000000 mov esi, 00000001
====>ESI 初始值位为1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A54(C)
|
:004E79FF 8B45FC mov eax, dword ptr [ebp-04]
:004E7A02 8B806C060000 mov eax, dword ptr [eax+0000066C]
====>EAX=BCDEFGHIJK

:004E7A08 33DB xor ebx, ebx
:004E7A0A 8A5C30FF mov bl, byte ptr [eax+esi-01]
====>依次取ABCDEFGHIJ的HEX值
1、 ====>BL=42
2、 ====>BL=43
3、 ====>BL=44
4、 ====>BL=45
5、 ====>BL=46
6、 ====>BL=47
7、 ====>BL=48
8、 ====>BL=49
9、 ====>BL=4A
10、 ====>BL=4B

:004E7A0E 33DE xor ebx, esi
1、 ====>EBX=42 XOR 01=43
2、 ====>EBX=43 XOR 02=41
3、 ====>EBX=44 XOR 03=47
4、 ====>EBX=45 XOR 04=41
5、 ====>EBX=46 XOR 05=43
6、 ====>EBX=47 XOR 06=41
7、 ====>EBX=48 XOR 07=4F
8、 ====>EBX=49 XOR 08=41
9、 ====>EBX=4A XOR 09=43
10、 ====>EBX=4B XOR 0A=41

:004E7A10 83C329 add ebx, 00000029
1、 ====>EBX=43 + 29=6C
2、 ====>EBX=41 + 29=6A
3、 ====>EBX=47 + 29=70
4、 ====>EBX=41 + 29=6A
5、 ====>EBX=43 + 29=6C
6、 ====>EBX=41 + 29=6A
7、 ====>EBX=4F + 29=78
8、 ====>EBX=41 + 29=6A
9、 ====>EBX=43 + 29=6C
10、 ====>EBX=41 + 29=6A

:004E7A13 83FB41 cmp ebx, 00000041
:004E7A16 7D0B jge 004E7A23
====>不小于41则跳

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A21(C)
|
:004E7A18 8D441E16 lea eax, dword ptr [esi+ebx+16]
:004E7A1C 8BD8 mov ebx, eax
:004E7A1E 83FB41 cmp ebx, 00000041
:004E7A21 7CF5 jl 004E7A18

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A16(C)
|
:004E7A23 83FB7A cmp ebx, 0000007A
:004E7A26 7E0F jle 004E7A37
====>不大于7A则跳

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A30(C)
|
:004E7A28 83EB1B sub ebx, 0000001B
:004E7A2B 2BDE sub ebx, esi
:004E7A2D 83FB7A cmp ebx, 0000007A
:004E7A30 7FF6 jg 004E7A28
:004E7A32 EB03 jmp 004E7A37

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A3F(C)
|
:004E7A34 83C304 add ebx, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004E7A26(C), :004E7A32(U)
|
:004E7A37 83FB61 cmp ebx, 00000061
:004E7A3A 7D05 jge 004E7A41
====>不小于61则跳

:004E7A3C 83FB5A cmp ebx, 0000005A
:004E7A3F 7FF3 jg 004E7A34

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A3A(C)
|
:004E7A41 8B45FC mov eax, dword ptr [ebp-04]
:004E7A44 056C060000 add eax, 0000066C
:004E7A49 E886D6F1FF call 004050D4
:004E7A4E 885C30FF mov byte ptr [eax+esi-01], bl
====>结果入 [eax+esi-01] 处
1、 ====>BL=6C
2、 ====>BL=6A
3、 ====>BL=70
4、 ====>BL=6A
5、 ====>BL=6C
6、 ====>BL=6A
7、 ====>BL=78
8、 ====>BL=6A
9、 ====>BL=6C
10、 ====>BL=6A

循环结束后[eax+esi-01] 处是ABCDEFGHIJ(设为K0)经过以上运算转换后的字符：ljpjljxjlj

:004E7A52 46 inc esi
:004E7A53 4F dec edi
:004E7A54 75A9 jne 004E79FF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E79F8(C)
|
:004E7A56 8B45FC mov eax, dword ptr [ebp-04]
:004E7A59 056C060000 add eax, 0000066C
:004E7A5E BA0A000000 mov edx, 0000000A
:004E7A63 E8A0D7F1FF call 00405208
:004E7A68 8D9524FEFFFF lea edx, dword ptr [ebp+FFFFFE24]
:004E7A6E 8B45FC mov eax, dword ptr [ebp-04]
:004E7A71 8B806C060000 mov eax, dword ptr [eax+0000066C]
:004E7A77 E84C16F2FF call 004090C8
====>此CALL把ljpjljxjlj转换成大写字母！

:004E7A7C 8B9524FEFFFF mov edx, dword ptr [ebp+FFFFFE24]
====>EDX=LJPJLJXJLJ （设为K1）
◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇

:004E7A82 8B45FC mov eax, dword ptr [ebp-04]
:004E7A85 056C060000 add eax, 0000066C
:004E7A8A E875D1F1FF call 00404C04
:004E7A8F 8B45FC mov eax, dword ptr [ebp-04]
:004E7A92 81B8740600005B851C00 cmp dword ptr [eax+00000674], 001C855B
:004E7A9C 0F8EA8000000 jle 004E7B4A
:004E7AA2 8B45FC mov eax, dword ptr [ebp-04]
:004E7AA5 8B806C060000 mov eax, dword ptr [eax+0000066C]
:004E7AAB E8D4D3F1FF call 00404E84
====>取LJPJLJXJLJ位数
:004E7AB0 8BF0 mov esi, eax
====>ESI=A

:004E7AB2 8B45FC mov eax, dword ptr [ebp-04]
:004E7AB5 8B8054060000 mov eax, dword ptr [eax+00000654]
:004E7ABB E8C4D3F1FF call 00404E84
:004E7AC0 50 push eax
:004E7AC1 8B45FC mov eax, dword ptr [ebp-04]
:004E7AC4 8B806C060000 mov eax, dword ptr [eax+0000066C]
:004E7ACA E8B5D3F1FF call 00404E84
:004E7ACF 5A pop edx
:004E7AD0 E84B7BF4FF call 0042F620
====>猜测此CALL进行CRC校验？？！！！

:004E7AD5 48 dec eax
:004E7AD6 83F800 cmp eax, 00000000
:004E7AD9 7C60 jl 004E7B3B
====>如果修改了程序或脱壳，则此处不跳！
那么将对上面得出的K1再进行运算，得出K2。呵呵，比较时就用K2代替K1进行比较，无论怎样用K2求逆都无法得出正确的注册码！我在这儿“晕”了6个小时！这也是作者所说的“冗余代码”吧？（再想保护深一点就加入一些冗余代码，让Cracker在这堆代码里转的头晕脑涨，你的目的就达到了。 ——作者原话）

●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
三、下面就是迷惑我们CRACKER的把 K1 转化为 K2 的运算了。~Q~~Q~

:004E7ADB 8945E0 mov dword ptr [ebp-20], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B39(C)
|
:004E7ADE 8B45FC mov eax, dword ptr [ebp-04]
:004E7AE1 8B806C060000 mov eax, dword ptr [eax+0000066C]
====>EAX=LJPJLJXJLJ

:004E7AE7 33DB xor ebx, ebx
:004E7AE9 8A5C30FF mov bl, byte ptr [eax+esi-01]
====>取[eax+esi-01]处的字符值
1、 ====>BL=4A J
2、 ====>BL=4A J
3、 ====>BL=4A J
4、 ====>BL=4A J
5、 ====>BL=4A J
6、 ====>BL=4A J
7、 ====>BL=4A J
8、 ====>BL=4A J
9、 ====>BL=4A J
10、 ====>BL=4A J

:004E7AED 33DE xor ebx, esi
1、 ====>EBX=4A XOR 0A=40
2、 ====>EBX=4A XOR 0A=40
3、 ====>EBX=4A XOR 0A=40
4、 ====>EBX=4A XOR 0A=40
5、 ====>EBX=4A XOR 0A=40
6、 ====>EBX=4A XOR 0A=40
7、 ====>EBX=4A XOR 0A=40
8、 ====>EBX=4A XOR 0A=40
9、 ====>EBX=4A XOR 0A=40
10、 ====>EBX=4A XOR 0A=40

:004E7AEF 83FB41 cmp ebx, 00000041
:004E7AF2 7D0B jge 004E7AFF
====>小于41则不跳！进行下面运算！

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7AFD(C)
|
:004E7AF4 83C311 add ebx, 00000011
1、 ====>EBX=40 + 11=51
2、 ====>EBX=40 + 11=51
3、 ====>EBX=40 + 11=51
4、 ====>EBX=40 + 11=51
5、 ====>EBX=40 + 11=51
6、 ====>EBX=40 + 11=51
7、 ====>EBX=40 + 11=51
8、 ====>EBX=40 + 11=51
9、 ====>EBX=40 + 11=51
10、 ====>EBX=40 + 11=51

:004E7AF7 035DE0 add ebx, dword ptr [ebp-20]
1、 ====>EBX=51 + 09=5A
2、 ====>EBX=51 + 08=59
3、 ====>EBX=51 + 07=58
4、 ====>EBX=51 + 06=57
5、 ====>EBX=51 + 05=56
6、 ====>EBX=51 + 04=55
7、 ====>EBX=51 + 03=54
8、 ====>EBX=51 + 02=53
9、 ====>EBX=51 + 01=52
10、 ====>EBX=51 + 00=51

:004E7AFA 83FB41 cmp ebx, 00000041
:004E7AFD 7CF5 jl 004E7AF4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7AF2(C)
|
:004E7AFF 83FB7A cmp ebx, 0000007A
:004E7B02 7E10 jle 004E7B14

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B0D(C)
|
:004E7B04 83EB17 sub ebx, 00000017
:004E7B07 2B5DE0 sub ebx, dword ptr [ebp-20]
:004E7B0A 83FB7A cmp ebx, 0000007A
:004E7B0D 7FF5 jg 004E7B04
:004E7B0F EB03 jmp 004E7B14

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B1C(C)
|
:004E7B11 83EB03 sub ebx, 00000003

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004E7B02(C), :004E7B0F(U)
|
:004E7B14 83FB61 cmp ebx, 00000061
:004E7B17 7D05 jge 004E7B1E
:004E7B19 83FB5A cmp ebx, 0000005A
:004E7B1C 7FF3 jg 004E7B11

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B17(C)
|
:004E7B1E 8B45FC mov eax, dword ptr [ebp-04]
:004E7B21 056C060000 add eax, 0000066C
:004E7B26 E8A9D5F1FF call 004050D4
:004E7B2B 8B55E0 mov edx, dword ptr [ebp-20]
====>[ebp-20] 入 EDX
1、 ====>EDX=09
2、 ====>EDX=08
3、 ====>EDX=07
4、 ====>EDX=06
5、 ====>EDX=05
6、 ====>EDX=04
7、 ====>EDX=03
8、 ====>EDX=02
9、 ====>EDX=01
10、 ====>EDX=00

:004E7B2E 885C10FF mov byte ptr [eax+edx-01], bl
====>结果入 [eax+esi-01] 处
1、 ====>BL=5A [eax+esi-01]=LJPJLJXJZJ
2、 ====>BL=59 [eax+esi-01]=LJPJLJXYZJ
3、 ====>BL=58 [eax+esi-01]=LJPJLJXYZJ
4、 ====>BL=57 [eax+esi-01]=LJPJLWXYZJ
5、 ====>BL=56 [eax+esi-01]=LJPJVWXYZJ
6、 ====>BL=55 [eax+esi-01]=LJPUVWXYZJ
7、 ====>BL=54 [eax+esi-01]=LJTUVWXYZJ
8、 ====>BL=53 [eax+esi-01]=LSTUVWXYZJ
9、 ====>BL=52 [eax+esi-01]=RSTUVWXYZJ
10、 ====>BL=51 [eax+esi-01]=QRSTUVWXYZJ

:004E7B32 FF4DE0 dec [ebp-20]
====>[ebp-20]逐次减1。初始值9

:004E7B35 837DE0FF cmp dword ptr [ebp-20], FFFFFFFF
:004E7B39 75A3 jne 004E7ADE
====>跳上去继续循环？共10次！

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7AD9(C)
|
:004E7B3B 8B45FC mov eax, dword ptr [ebp-04]
:004E7B3E 056C060000 add eax, 0000066C
:004E7B43 8BD6 mov edx, esi
:004E7B45 E8BED6F1FF call 00405208

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A9C(C)
|

* Reference To: kernel32.GetTickCount, Ord:0000h
|
:004E7B4A E879F9F1FF Call 004074C8
:004E7B4F 8B55FC mov edx, dword ptr [ebp-04]
:004E7B52 2B827C060000 sub eax, dword ptr [edx+0000067C]
:004E7B58 3D9E400000 cmp eax, 0000409E
:004E7B5D 730A jnb 004E7B69
:004E7B5F 8B45FC mov eax, dword ptr [ebp-04]
:004E7B62 C6804C06000001 mov byte ptr [eax+0000064C], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B5D(C)
|
:004E7B69 8D9520FEFFFF lea edx, dword ptr [ebp+FFFFFE20]
:004E7B6F 8B45FC mov eax, dword ptr [ebp-04]
:004E7B72 8B806C060000 mov eax, dword ptr [eax+0000066C]
:004E7B78 E84B15F2FF call 004090C8
====>取后10位

:004E7B7D 8B9520FEFFFF mov edx, dword ptr [ebp+FFFFFE20]
====>EDX=RSTUVWXYZJ （设为K2）
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
:004E7B83 8B45FC mov eax, dword ptr [ebp-04]
:004E7B86 0558060000 add eax, 00000658
:004E7B8B E874D0F1FF call 00404C04
:004E7B90 BB01000000 mov ebx, 00000001
:004E7B95 8D45EC lea eax, dword ptr [ebp-14]
:004E7B98 BA788B4E00 mov edx, 004E8B78
:004E7B9D E8A6D0F1FF call 00404C48
:004E7BA2 682C010000 push 0000012C

呵呵，上面几步运算可以在软件重新启动时中断！而下面的比较则有点麻烦了，先不知道断点的话是不容易找到的。我试了很多次，终于用TRW慢慢找到了。呵呵，殚思极虑呀！^Q^~@~

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5400(U)
|
:004E546B 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=LJPJLJXJLJ(或者：RSTUVWXYZJ)

:004E546E E811FAF1FF call 00404E84
====>取位数

:004E5473 83F80B cmp eax, 0000000B
:004E5476 7F8A jg 004E5402
====>不大于B则不跳！

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
四、对我们第一步求出的 N1 进行运算得出 10位的 N2

:004E5478 33DB xor ebx, ebx
:004E547A 8B8664060000 mov eax, dword ptr [esi+00000664]
====>EAX=TJYIPJFB（其中的小写字母已转换成大写）

:004E5480 E8FFF9F1FF call 00404E84
:004E5485 8BF8 mov edi, eax
:004E5487 E9BA000000 jmp 004E5546
====>跳下去运算补足10位！

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5554(C)
|
:004E548C 83FF15 cmp edi, 00000015
:004E548F 7D03 jge 004E5494
:004E5491 43 inc ebx
:004E5492 EB15 jmp 004E54A9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E548F(C)
|
:004E5494 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E549A E8E5F9F1FF call 00404E84
:004E549F B909000000 mov ecx, 00000009
:004E54A4 99 cdq
:004E54A5 F7F9 idiv ecx
:004E54A7 8BDA mov ebx, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5492(U)
|
:004E54A9 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E54AF E8D0F9F1FF call 00404E84
:004E54B4 2BC3 sub eax, ebx
:004E54B6 8B9664060000 mov edx, dword ptr [esi+00000664]
:004E54BC 8A4402FF mov al, byte ptr [edx+eax-01]
:004E54C0 8B9664060000 mov edx, dword ptr [esi+00000664]
:004E54C6 8A541AFF mov dl, byte ptr [edx+ebx-01]
:004E54CA 32C2 xor al, dl
:004E54CC 25FF000000 and eax, 000000FF
:004E54D1 83C079 add eax, 00000079
:004E54D4 50 push eax
:004E54D5 8D8664060000 lea eax, dword ptr [esi+00000664]
:004E54DB E8F4FBF1FF call 004050D4
:004E54E0 5A pop edx
:004E54E1 885418FF mov byte ptr [eax+ebx-01], dl
:004E54E5 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E54EB 0FB64418FF movzx eax, byte ptr [eax+ebx-01]
:004E54F0 E89367FFFF call 004DBC88
:004E54F5 50 push eax
:004E54F6 8D8664060000 lea eax, dword ptr [esi+00000664]
:004E54FC E8D3FBF1FF call 004050D4
:004E5501 5A pop edx
:004E5502 885418FF mov byte ptr [eax+ebx-01], dl
:004E5506 8D8664060000 lea eax, dword ptr [esi+00000664]
:004E550C 50 push eax
:004E550D 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E5513 E86CF9F1FF call 00404E84
:004E5518 8BC8 mov ecx, eax
:004E551A 2BCB sub ecx, ebx
:004E551C BA01000000 mov edx, 00000001
:004E5521 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E5527 E8B0FBF1FF call 004050DC
:004E552C 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E5532 E84DF9F1FF call 00404E84
:004E5537 8BD0 mov edx, eax
:004E5539 2BD3 sub edx, ebx
:004E553B 8D8664060000 lea eax, dword ptr [esi+00000664]
:004E5541 E8C2FCF1FF call 00405208

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5487(U)
|
:004E5546 8B8664060000 mov eax, dword ptr [esi+00000664]
====>EAX=TJYIPJFB

:004E554C E833F9F1FF call 00404E84
====>取位数
:004E5551 83F80B cmp eax, 0000000B
:004E5554 0F8F32FFFFFF jg 004E548C
====>不大于B则不跳！

:004E555A 33DB xor ebx, ebx
:004E555C EB40 jmp 004E559E
====>跳过去！

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E55BA(C)
|
:004E555E 43 inc ebx
:004E555F 8B8664060000 mov eax, dword ptr [esi+00000664]
====>EAX=TJYIPJFB

:004E5565 8A4418FF mov al, byte ptr [eax+ebx-01]
1、 ====>AL=54
2、 ====>AL=4A

:004E5569 3455 xor al, 55
1、 ====>AL=54 XOR 55=01
2、 ====>AL=4A XOR 55=1F

:004E556B 25FF000000 and eax, 000000FF
:004E5570 8D5346 lea edx, dword ptr [ebx+46]
1、 ====>EDX=1 + 46=47
2、 ====>EDX=2 + 46=48

:004E5573 33C2 xor eax, edx
1、 ====>AL=01 XOR 47=46
2、 ====>AL=1F XOR 48=57

:004E5575 8845FB mov byte ptr [ebp-05], al
:004E5578 33C0 xor eax, eax
:004E557A 8A45FB mov al, byte ptr [ebp-05]
:004E557D E80667FFFF call 004DBC88
:004E5582 8845FB mov byte ptr [ebp-05], al
:004E5585 8D45F0 lea eax, dword ptr [ebp-10]
:004E5588 8A55FB mov dl, byte ptr [ebp-05]
:004E558B E800F8F1FF call 00404D90
:004E5590 8B55F0 mov edx, dword ptr [ebp-10]
:004E5593 8D8664060000 lea eax, dword ptr [esi+00000664]
:004E5599 E8EEF8F1FF call 00404E8C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E555C(U)
|
:004E559E 8B8664060000 mov eax, dword ptr [esi+00000664]
====>上面2次运算把N1转换为TJYIPJFBFW （设为N2）

:004E55A4 E8DBF8F1FF call 00404E84
:004E55A9 83F80A cmp eax, 0000000A
====>是否10位？

:004E55AC 7D0E jge 004E55BC
====>不小于10位则跳！
:004E55AE 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E55B4 E8CBF8F1FF call 00404E84
:004E55B9 48 dec eax
:004E55BA 7FA2 jg 004E555E
====>继续跳上去运算！直至10位！
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣
五、比较了！用注册名求出的 N2 和试炼码求出的 K1进行“倒序”逐位比较！
呵呵，如果你修改或脱壳了原程序，则此处用上面的“冗余代码”得出的K2替代K1进行比较！很高明的“迷魂阵”呀！

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E55AC(C)
|
:004E55BC 8D8664060000 lea eax, dword ptr [esi+00000664]
:004E55C2 BA0A000000 mov edx, 0000000A
:004E55C7 E83CFCF1FF call 00405208
:004E55CC 8D55EC lea edx, dword ptr [ebp-14]
:004E55CF 8B8664060000 mov eax, dword ptr [esi+00000664]
====>EAX=

文章评论

查看所有0条评论>>

热门文章 去除winrar注册框方法