A Brief Look at the Algorithm: Visual CHM 4.0
Download page: http://www.skycn.com/soft/6376.html
Size: 1570 KB
Language: Simplified Chinese
Category: Domestic software / Shareware / Installer creation
Platform: Win9x/NT/2000/XP
Added: 2002-11-18 09:39:16
Downloads: 12464
Rating: ****
Developer: http://cn.geocities.com/vchm2000/
[Description]: A top-notch tool for creating CHM files.
Visual CHM helps you produce professional-quality CHM files very easily, and it is WYSIWYG.
[Limitation]: Feature-limited
[Author's note]: I am a beginner at cracking, doing this purely out of interest, with no other purpose. Where I have slipped up, I ask the experts to correct me!
[Tools]: TRW2000 (娃娃 modified build), OllyDbg 1.09, FI 2.5, AspackDie, W32Dasm 8.93 Gold Edition
—————————————————————————————————
[Process]:
Heh, I remember that when I first started learning to crack I wanted to merge 看雪论坛精华3、4 into a single CHM file, so I found this software. Visual CHM really is a top-notch authoring tool, but the unregistered version can only compile files with 15 nodes. I debugged it several times back then and got nowhere.
Later I learned that the software's author, Mr. 葛泽华, is himself a cracking expert! A few days ago I found heXer/iPB's analysis of the 3.10 algorithm in the PEDIY digest and was very happy, so over these 3 days I settled down and tried cracking 4.0 again, and by luck actually found a few leads!
I am a newbie and there are surely errors in many parts of my analysis; I sincerely ask the masters to correct me! Also: special thanks to heXer/iPB and Mr. 葛泽华. Where I have offended, I ask Mr. 葛 for his forgiveness!
Over the past month I have organized part of the notes I have taken since starting to learn cracking and posted them all to the forum. Thanks to the teachers and friends for their care and help! I may not have much spare time for cracking from now on, so let this write-up serve as a summary of this period of study! Dawn is breaking in the east, heh, another sleepless night. ~_~~_~
—————————————————————————————————
Vchm.exe is packed with ASPack 2.12; unpack it with AspackDie. 407K -> 1.28M. Disassemble it for static analysis.
Username: fly[OCN] (the username must be 5-32 characters long)
Trial code: BCDEFGHIJK (the registration code is 10 characters)
Let:
1、 the username fly[OCN] be N0;
2、 the string TJYIPJFB obtained by transforming N0 be N1;
3、 the string TJYIPJFBFW obtained by transforming N1 be N2;
4、 the trial code BCDEFGHIJK be K0;
5、 the string LJPJLJXJLJ obtained by transforming K0 be K1;
6、 the string RSTUVWXYZJ obtained by transforming K1 be K2.
Heh, even I am getting dizzy! ~@~
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
I. Transforming the username N0 to obtain N1
* Possible StringData Ref from Code Obj ->"http://www.vchm.com/ convenient "
->"CHM editor,WYSIWYG."
|
:004E7684 BA3C8B4E00 mov edx, 004E8B3C
====>EDX=http://www.vchm.com/ convenient CHM editor,WYSIWYG.
:004E7689 E8BAD5F1FF call 00404C48
:004E768E 8B45FC mov eax, dword ptr [ebp-04]
:004E7691 0550060000 add eax, 00000650
:004E7696 8B55FC mov edx, dword ptr [ebp-04]
:004E7699 8B9248060000 mov edx, dword ptr [edx+00000648]
:004E769F E860D5F1FF call 00404C04
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E764A(C)
|
:004E76A4 8D45E8 lea eax, dword ptr [ebp-18]
:004E76A7 BA788B4E00 mov edx, 004E8B78
:004E76AC E897D5F1FF call 00404C48
:004E76B1 8B45FC mov eax, dword ptr [ebp-04]
:004E76B4 8B8050060000 mov eax, dword ptr [eax+00000650]
====>EAX=fly[OCN]
:004E76BA E8C5D7F1FF call 00404E84
====>get the username length
:004E76BF 8BF8 mov edi, eax
====>EDI=8
:004E76C1 85FF test edi, edi
:004E76C3 7E66 jle 004E772B
:004E76C5 BE01000000 mov esi, 00000001
====>ESI=1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7729(C)
|
:004E76CA 8B45FC mov eax, dword ptr [ebp-04]
:004E76CD 8B8050060000 mov eax, dword ptr [eax+00000650]
====>EAX=fly[OCN]
:004E76D3 8A5C30FF mov bl, byte ptr [eax+esi-01]
====>take the hex value of each username character in turn
1、 ====>BL=66
…… …… omitted …… ……
8、 ====>BL=5D
:004E76D7 8B45EC mov eax, dword ptr [ebp-14]
====>EAX=http://www.vchm.com/ convenient CHM editor,WYSIWYG.
:004E76DA 8A4430FF mov al, byte ptr [eax+esi-01]
====>take each character of http://www.vchm.com/ convenient CHM editor,WYSIWYG. in turn
1、 ====>AL=68
…… …… omitted …… ……
8、 ====>AL=77
:004E76DE 32D8 xor bl, al
1、 ====>BL=66 XOR 68=0E
…… …… omitted …… ……
8、 ====>BL=5D XOR 77=2A
:004E76E0 81E3FF000000 and ebx, 000000FF
:004E76E6 33DE xor ebx, esi
1、 ====>EBX=0E XOR 01=0F
…… …… omitted …… ……
8、 ====>EBX=2A XOR 08=22
:004E76E8 83FB41 cmp ebx, 00000041
====>is EBX less than 41?
:004E76EB 7D0B jge 004E76F8
====>if less, add as below
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E76F6(C)
|
:004E76ED 8D441E16 lea eax, dword ptr [esi+ebx+16]
1、① ====>EAX=01 + 0F + 16=26
1、② ====>EAX=01 + 26 + 16=3D
1、③ ====>EAX=01 + 3D + 16=54
…… …… omitted …… ……
8、① ====>EAX=08 + 22 + 16=40
8、② ====>EAX=08 + 40 + 16=5E
:004E76F1 8BD8 mov ebx, eax
====>EBX=EAX
:004E76F3 83FB41 cmp ebx, 00000041
====>is EBX less than 41?
:004E76F6 7CF5 jl 004E76ED
====>if so, jump back up and keep adding until it is no longer less than 41
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E76EB(C)
|
:004E76F8 83FB7A cmp ebx, 0000007A
:004E76FB 7E0F jle 004E770C
====>if greater than 7A, subtract below!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7705(C)
|
:004E76FD 83EB1B sub ebx, 0000001B
:004E7700 2BDE sub ebx, esi
:004E7702 83FB7A cmp ebx, 0000007A
:004E7705 7FF6 jg 004E76FD
:004E7707 EB03 jmp 004E770C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7714(C)
|
:004E7709 83C304 add ebx, 00000004
…… …… omitted …… ……
8、① ====>EAX=5E + 04=62
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004E76FB(C), :004E7707(U)
|
:004E770C 83FB61 cmp ebx, 00000061
====>is EBX less than 61?
:004E770F 7D05 jge 004E7716
:004E7711 83FB5A cmp ebx, 0000005A
:004E7714 7FF3 jg 004E7709
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E770F(C)
|
:004E7716 8B45FC mov eax, dword ptr [ebp-04]
:004E7719 0550060000 add eax, 00000650
:004E771E E8B1D9F1FF call 004050D4
:004E7723 885C30FF mov byte ptr [eax+esi-01], bl
====>result stored at [eax+esi-01]
1、 ====>BL=54
2、 ====>BL=4A
3、 ====>BL=59
4、 ====>BL=49
5、 ====>BL=70
6、 ====>BL=6A
7、 ====>BL=66
8、 ====>BL=62
After the loop ends, [eax+esi-01] holds the string that fly[OCN] (call it N0) becomes after the transform above: TJYIpjfb (call it N1)
:004E7727 46 inc esi
====>ESI increments by 1 each time
:004E7728 4F dec edi
====>8 times! the username length
:004E7729 759F jne 004E76CA
====>continue the loop?
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
…… …… omitted …… ……
* Possible StringData Ref from Code Obj ->"DropZone"
|
:004E7985 BAFC854E00 mov edx, 004E85FC
:004E798A 8B18 mov ebx, dword ptr [eax]
:004E798C FF5310 call [ebx+10]
:004E798F 8BD0 mov edx, eax
:004E7991 A12C154F00 mov eax, dword ptr [004F152C]
:004E7996 8B00 mov eax, dword ptr [eax]
:004E7998 E84726F8FF call 00469FE4
:004E799D A12C154F00 mov eax, dword ptr [004F152C]
:004E79A2 8B00 mov eax, dword ptr [eax]
:004E79A4 8A5057 mov dl, byte ptr [eax+57]
:004E79A7 8B45FC mov eax, dword ptr [ebp-04]
:004E79AA 8B80E8050000 mov eax, dword ptr [eax+000005E8]
◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇
II. Transforming the trial code K0 to obtain K1
:004E79B0 E8239CF7FF call 004615D8
:004E79B5 8B45FC mov eax, dword ptr [ebp-04]
:004E79B8 056C060000 add eax, 0000066C
:004E79BD BA0A000000 mov edx, 0000000A
:004E79C2 E841D8F1FF call 00405208
====>take the first 10 characters of the trial code. Heh, I only entered 10 ^v^ ㊣
:004E79C7 8B45FC mov eax, dword ptr [ebp-04]
:004E79CA 8B806C060000 mov eax, dword ptr [eax+0000066C]
====>EAX=BCDEFGHIJK
:004E79D0 E8AFD4F1FF call 00404E84
====>get the trial code length
:004E79D5 8BD8 mov ebx, eax
====>EBX=A
:004E79D7 8B45FC mov eax, dword ptr [ebp-04]
:004E79DA 056C060000 add eax, 0000066C
:004E79DF 8BD3 mov edx, ebx
:004E79E1 E822D8F1FF call 00405208
:004E79E6 8B45FC mov eax, dword ptr [ebp-04]
:004E79E9 8B806C060000 mov eax, dword ptr [eax+0000066C]
:004E79EF E890D4F1FF call 00404E84
:004E79F4 8BF8 mov edi, eax
:004E79F6 85FF test edi, edi
:004E79F8 7E5C jle 004E7A56
:004E79FA BE01000000 mov esi, 00000001
====>ESI initial value is 1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A54(C)
|
:004E79FF 8B45FC mov eax, dword ptr [ebp-04]
:004E7A02 8B806C060000 mov eax, dword ptr [eax+0000066C]
====>EAX=BCDEFGHIJK
:004E7A08 33DB xor ebx, ebx
:004E7A0A 8A5C30FF mov bl, byte ptr [eax+esi-01]
====>take the hex value of each character of BCDEFGHIJK in turn
1、 ====>BL=42
2、 ====>BL=43
3、 ====>BL=44
4、 ====>BL=45
5、 ====>BL=46
6、 ====>BL=47
7、 ====>BL=48
8、 ====>BL=49
9、 ====>BL=4A
10、 ====>BL=4B
:004E7A0E 33DE xor ebx, esi
1、 ====>EBX=42 XOR 01=43
2、 ====>EBX=43 XOR 02=41
3、 ====>EBX=44 XOR 03=47
4、 ====>EBX=45 XOR 04=41
5、 ====>EBX=46 XOR 05=43
6、 ====>EBX=47 XOR 06=41
7、 ====>EBX=48 XOR 07=4F
8、 ====>EBX=49 XOR 08=41
9、 ====>EBX=4A XOR 09=43
10、 ====>EBX=4B XOR 0A=41
:004E7A10 83C329 add ebx, 00000029
1、 ====>EBX=43 + 29=6C
2、 ====>EBX=41 + 29=6A
3、 ====>EBX=47 + 29=70
4、 ====>EBX=41 + 29=6A
5、 ====>EBX=43 + 29=6C
6、 ====>EBX=41 + 29=6A
7、 ====>EBX=4F + 29=78
8、 ====>EBX=41 + 29=6A
9、 ====>EBX=43 + 29=6C
10、 ====>EBX=41 + 29=6A
:004E7A13 83FB41 cmp ebx, 00000041
:004E7A16 7D0B jge 004E7A23
====>jump if not less than 41
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A21(C)
|
:004E7A18 8D441E16 lea eax, dword ptr [esi+ebx+16]
:004E7A1C 8BD8 mov ebx, eax
:004E7A1E 83FB41 cmp ebx, 00000041
:004E7A21 7CF5 jl 004E7A18
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A16(C)
|
:004E7A23 83FB7A cmp ebx, 0000007A
:004E7A26 7E0F jle 004E7A37
====>jump if not greater than 7A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A30(C)
|
:004E7A28 83EB1B sub ebx, 0000001B
:004E7A2B 2BDE sub ebx, esi
:004E7A2D 83FB7A cmp ebx, 0000007A
:004E7A30 7FF6 jg 004E7A28
:004E7A32 EB03 jmp 004E7A37
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A3F(C)
|
:004E7A34 83C304 add ebx, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004E7A26(C), :004E7A32(U)
|
:004E7A37 83FB61 cmp ebx, 00000061
:004E7A3A 7D05 jge 004E7A41
====>jump if not less than 61
:004E7A3C 83FB5A cmp ebx, 0000005A
:004E7A3F 7FF3 jg 004E7A34
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A3A(C)
|
:004E7A41 8B45FC mov eax, dword ptr [ebp-04]
:004E7A44 056C060000 add eax, 0000066C
:004E7A49 E886D6F1FF call 004050D4
:004E7A4E 885C30FF mov byte ptr [eax+esi-01], bl
====>result stored at [eax+esi-01]
1、 ====>BL=6C
2、 ====>BL=6A
3、 ====>BL=70
4、 ====>BL=6A
5、 ====>BL=6C
6、 ====>BL=6A
7、 ====>BL=78
8、 ====>BL=6A
9、 ====>BL=6C
10、 ====>BL=6A
After the loop ends, [eax+esi-01] holds the string that BCDEFGHIJK (call it K0) becomes after the transform above: ljpjljxjlj
:004E7A52 46 inc esi
:004E7A53 4F dec edi
:004E7A54 75A9 jne 004E79FF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E79F8(C)
|
:004E7A56 8B45FC mov eax, dword ptr [ebp-04]
:004E7A59 056C060000 add eax, 0000066C
:004E7A5E BA0A000000 mov edx, 0000000A
:004E7A63 E8A0D7F1FF call 00405208
:004E7A68 8D9524FEFFFF lea edx, dword ptr [ebp+FFFFFE24]
:004E7A6E 8B45FC mov eax, dword ptr [ebp-04]
:004E7A71 8B806C060000 mov eax, dword ptr [eax+0000066C]
:004E7A77 E84C16F2FF call 004090C8
====>this CALL converts ljpjljxjlj to uppercase!
:004E7A7C 8B9524FEFFFF mov edx, dword ptr [ebp+FFFFFE24]
====>EDX=LJPJLJXJLJ (call it K1)
◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇◇
:004E7A82 8B45FC mov eax, dword ptr [ebp-04]
:004E7A85 056C060000 add eax, 0000066C
:004E7A8A E875D1F1FF call 00404C04
:004E7A8F 8B45FC mov eax, dword ptr [ebp-04]
:004E7A92 81B8740600005B851C00 cmp dword ptr [eax+00000674], 001C855B
:004E7A9C 0F8EA8000000 jle 004E7B4A
:004E7AA2 8B45FC mov eax, dword ptr [ebp-04]
:004E7AA5 8B806C060000 mov eax, dword ptr [eax+0000066C]
:004E7AAB E8D4D3F1FF call 00404E84
====>get the length of LJPJLJXJLJ
:004E7AB0 8BF0 mov esi, eax
====>ESI=A
:004E7AB2 8B45FC mov eax, dword ptr [ebp-04]
:004E7AB5 8B8054060000 mov eax, dword ptr [eax+00000654]
:004E7ABB E8C4D3F1FF call 00404E84
:004E7AC0 50 push eax
:004E7AC1 8B45FC mov eax, dword ptr [ebp-04]
:004E7AC4 8B806C060000 mov eax, dword ptr [eax+0000066C]
:004E7ACA E8B5D3F1FF call 00404E84
:004E7ACF 5A pop edx
:004E7AD0 E84B7BF4FF call 0042F620
====>my guess is that this CALL performs a CRC check??!!!
:004E7AD5 48 dec eax
:004E7AD6 83F800 cmp eax, 00000000
:004E7AD9 7C60 jl 004E7B3B
====>if the program has been modified or unpacked, this does not jump!
In that case the K1 obtained above is transformed again to yield K2. Heh, and at comparison time K2 is used in place of K1, so no matter how you invert K2 you can never get the correct registration code! I was "dizzy" here for 6 hours! This must be what the author calls "redundant code"? ("If you want deeper protection, add some redundant code so the cracker gets dizzy wandering through that pile of code, and your goal is achieved." -- the author's own words)
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
III. Next comes the transform of K1 into K2 that is meant to confuse us crackers. ~Q~~Q~
:004E7ADB 8945E0 mov dword ptr [ebp-20], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B39(C)
|
:004E7ADE 8B45FC mov eax, dword ptr [ebp-04]
:004E7AE1 8B806C060000 mov eax, dword ptr [eax+0000066C]
====>EAX=LJPJLJXJLJ
:004E7AE7 33DB xor ebx, ebx
:004E7AE9 8A5C30FF mov bl, byte ptr [eax+esi-01]
====>take the character value at [eax+esi-01]
1、 ====>BL=4A J
2、 ====>BL=4A J
3、 ====>BL=4A J
4、 ====>BL=4A J
5、 ====>BL=4A J
6、 ====>BL=4A J
7、 ====>BL=4A J
8、 ====>BL=4A J
9、 ====>BL=4A J
10、 ====>BL=4A J
:004E7AED 33DE xor ebx, esi
1、 ====>EBX=4A XOR 0A=40
2、 ====>EBX=4A XOR 0A=40
3、 ====>EBX=4A XOR 0A=40
4、 ====>EBX=4A XOR 0A=40
5、 ====>EBX=4A XOR 0A=40
6、 ====>EBX=4A XOR 0A=40
7、 ====>EBX=4A XOR 0A=40
8、 ====>EBX=4A XOR 0A=40
9、 ====>EBX=4A XOR 0A=40
10、 ====>EBX=4A XOR 0A=40
:004E7AEF 83FB41 cmp ebx, 00000041
:004E7AF2 7D0B jge 004E7AFF
====>less than 41, so no jump! perform the computation below!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7AFD(C)
|
:004E7AF4 83C311 add ebx, 00000011
1、 ====>EBX=40 + 11=51
2、 ====>EBX=40 + 11=51
3、 ====>EBX=40 + 11=51
4、 ====>EBX=40 + 11=51
5、 ====>EBX=40 + 11=51
6、 ====>EBX=40 + 11=51
7、 ====>EBX=40 + 11=51
8、 ====>EBX=40 + 11=51
9、 ====>EBX=40 + 11=51
10、 ====>EBX=40 + 11=51
:004E7AF7 035DE0 add ebx, dword ptr [ebp-20]
1、 ====>EBX=51 + 09=5A
2、 ====>EBX=51 + 08=59
3、 ====>EBX=51 + 07=58
4、 ====>EBX=51 + 06=57
5、 ====>EBX=51 + 05=56
6、 ====>EBX=51 + 04=55
7、 ====>EBX=51 + 03=54
8、 ====>EBX=51 + 02=53
9、 ====>EBX=51 + 01=52
10、 ====>EBX=51 + 00=51
:004E7AFA 83FB41 cmp ebx, 00000041
:004E7AFD 7CF5 jl 004E7AF4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7AF2(C)
|
:004E7AFF 83FB7A cmp ebx, 0000007A
:004E7B02 7E10 jle 004E7B14
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B0D(C)
|
:004E7B04 83EB17 sub ebx, 00000017
:004E7B07 2B5DE0 sub ebx, dword ptr [ebp-20]
:004E7B0A 83FB7A cmp ebx, 0000007A
:004E7B0D 7FF5 jg 004E7B04
:004E7B0F EB03 jmp 004E7B14
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B1C(C)
|
:004E7B11 83EB03 sub ebx, 00000003
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004E7B02(C), :004E7B0F(U)
|
:004E7B14 83FB61 cmp ebx, 00000061
:004E7B17 7D05 jge 004E7B1E
:004E7B19 83FB5A cmp ebx, 0000005A
:004E7B1C 7FF3 jg 004E7B11
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B17(C)
|
:004E7B1E 8B45FC mov eax, dword ptr [ebp-04]
:004E7B21 056C060000 add eax, 0000066C
:004E7B26 E8A9D5F1FF call 004050D4
:004E7B2B 8B55E0 mov edx, dword ptr [ebp-20]
====>[ebp-20] into EDX
1、 ====>EDX=09
2、 ====>EDX=08
3、 ====>EDX=07
4、 ====>EDX=06
5、 ====>EDX=05
6、 ====>EDX=04
7、 ====>EDX=03
8、 ====>EDX=02
9、 ====>EDX=01
10、 ====>EDX=00
:004E7B2E 885C10FF mov byte ptr [eax+edx-01], bl
====>result stored at [eax+edx-01]
1、 ====>BL=5A [eax+esi-01]=LJPJLJXJZJ
2、 ====>BL=59 [eax+esi-01]=LJPJLJXYZJ
3、 ====>BL=58 [eax+esi-01]=LJPJLJXYZJ
4、 ====>BL=57 [eax+esi-01]=LJPJLWXYZJ
5、 ====>BL=56 [eax+esi-01]=LJPJVWXYZJ
6、 ====>BL=55 [eax+esi-01]=LJPUVWXYZJ
7、 ====>BL=54 [eax+esi-01]=LJTUVWXYZJ
8、 ====>BL=53 [eax+esi-01]=LSTUVWXYZJ
9、 ====>BL=52 [eax+esi-01]=RSTUVWXYZJ
10、 ====>BL=51 [eax+esi-01]=QRSTUVWXYZJ
:004E7B32 FF4DE0 dec [ebp-20]
====>[ebp-20] decrements by 1 each time; initial value 9
:004E7B35 837DE0FF cmp dword ptr [ebp-20], FFFFFFFF
:004E7B39 75A3 jne 004E7ADE
====>jump back up to continue the loop? 10 times in total!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7AD9(C)
|
:004E7B3B 8B45FC mov eax, dword ptr [ebp-04]
:004E7B3E 056C060000 add eax, 0000066C
:004E7B43 8BD6 mov edx, esi
:004E7B45 E8BED6F1FF call 00405208
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A9C(C)
|
* Reference To: kernel32.GetTickCount, Ord:0000h
|
:004E7B4A E879F9F1FF Call 004074C8
:004E7B4F 8B55FC mov edx, dword ptr [ebp-04]
:004E7B52 2B827C060000 sub eax, dword ptr [edx+0000067C]
:004E7B58 3D9E400000 cmp eax, 0000409E
:004E7B5D 730A jnb 004E7B69
:004E7B5F 8B45FC mov eax, dword ptr [ebp-04]
:004E7B62 C6804C06000001 mov byte ptr [eax+0000064C], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B5D(C)
|
:004E7B69 8D9520FEFFFF lea edx, dword ptr [ebp+FFFFFE20]
:004E7B6F 8B45FC mov eax, dword ptr [ebp-04]
:004E7B72 8B806C060000 mov eax, dword ptr [eax+0000066C]
:004E7B78 E84B15F2FF call 004090C8
====>take the last 10 characters
:004E7B7D 8B9520FEFFFF mov edx, dword ptr [ebp+FFFFFE20]
====>EDX=RSTUVWXYZJ (call it K2)
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
:004E7B83 8B45FC mov eax, dword ptr [ebp-04]
:004E7B86 0558060000 add eax, 00000658
:004E7B8B E874D0F1FF call 00404C04
:004E7B90 BB01000000 mov ebx, 00000001
:004E7B95 8D45EC lea eax, dword ptr [ebp-14]
:004E7B98 BA788B4E00 mov edx, 004E8B78
:004E7B9D E8A6D0F1FF call 00404C48
:004E7BA2 682C010000 push 0000012C
Heh, the computations above can be broken on when the software restarts! The comparison below is a bit more troublesome: without knowing the breakpoint it is not easy to find. I tried many times and finally tracked it down slowly with TRW. Heh, racked my brains! ^Q^~@~
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5400(U)
|
:004E546B 8B45FC mov eax, dword ptr [ebp-04]
====>EAX=LJPJLJXJLJ (or: RSTUVWXYZJ)
:004E546E E811FAF1FF call 00404E84
====>get the length
:004E5473 83F80B cmp eax, 0000000B
:004E5476 7F8A jg 004E5402
====>no jump if not greater than B!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
IV. Transforming the N1 obtained in step one to produce the 10-character N2
:004E5478 33DB xor ebx, ebx
:004E547A 8B8664060000 mov eax, dword ptr [esi+00000664]
====>EAX=TJYIPJFB (the lowercase letters have already been converted to uppercase)
:004E5480 E8FFF9F1FF call 00404E84
:004E5485 8BF8 mov edi, eax
:004E5487 E9BA000000 jmp 004E5546
====>jump down to compute and pad to 10 characters!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5554(C)
|
:004E548C 83FF15 cmp edi, 00000015
:004E548F 7D03 jge 004E5494
:004E5491 43 inc ebx
:004E5492 EB15 jmp 004E54A9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E548F(C)
|
:004E5494 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E549A E8E5F9F1FF call 00404E84
:004E549F B909000000 mov ecx, 00000009
:004E54A4 99 cdq
:004E54A5 F7F9 idiv ecx
:004E54A7 8BDA mov ebx, edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5492(U)
|
:004E54A9 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E54AF E8D0F9F1FF call 00404E84
:004E54B4 2BC3 sub eax, ebx
:004E54B6 8B9664060000 mov edx, dword ptr [esi+00000664]
:004E54BC 8A4402FF mov al, byte ptr [edx+eax-01]
:004E54C0 8B9664060000 mov edx, dword ptr [esi+00000664]
:004E54C6 8A541AFF mov dl, byte ptr [edx+ebx-01]
:004E54CA 32C2 xor al, dl
:004E54CC 25FF000000 and eax, 000000FF
:004E54D1 83C079 add eax, 00000079
:004E54D4 50 push eax
:004E54D5 8D8664060000 lea eax, dword ptr [esi+00000664]
:004E54DB E8F4FBF1FF call 004050D4
:004E54E0 5A pop edx
:004E54E1 885418FF mov byte ptr [eax+ebx-01], dl
:004E54E5 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E54EB 0FB64418FF movzx eax, byte ptr [eax+ebx-01]
:004E54F0 E89367FFFF call 004DBC88
:004E54F5 50 push eax
:004E54F6 8D8664060000 lea eax, dword ptr [esi+00000664]
:004E54FC E8D3FBF1FF call 004050D4
:004E5501 5A pop edx
:004E5502 885418FF mov byte ptr [eax+ebx-01], dl
:004E5506 8D8664060000 lea eax, dword ptr [esi+00000664]
:004E550C 50 push eax
:004E550D 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E5513 E86CF9F1FF call 00404E84
:004E5518 8BC8 mov ecx, eax
:004E551A 2BCB sub ecx, ebx
:004E551C BA01000000 mov edx, 00000001
:004E5521 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E5527 E8B0FBF1FF call 004050DC
:004E552C 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E5532 E84DF9F1FF call 00404E84
:004E5537 8BD0 mov edx, eax
:004E5539 2BD3 sub edx, ebx
:004E553B 8D8664060000 lea eax, dword ptr [esi+00000664]
:004E5541 E8C2FCF1FF call 00405208
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5487(U)
|
:004E5546 8B8664060000 mov eax, dword ptr [esi+00000664]
====>EAX=TJYIPJFB
:004E554C E833F9F1FF call 00404E84
====>get the length
:004E5551 83F80B cmp eax, 0000000B
:004E5554 0F8F32FFFFFF jg 004E548C
====>no jump if not greater than B!
:004E555A 33DB xor ebx, ebx
:004E555C EB40 jmp 004E559E
====>jump over!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E55BA(C)
|
:004E555E 43 inc ebx
:004E555F 8B8664060000 mov eax, dword ptr [esi+00000664]
====>EAX=TJYIPJFB
:004E5565 8A4418FF mov al, byte ptr [eax+ebx-01]
1、 ====>AL=54
2、 ====>AL=4A
:004E5569 3455 xor al, 55
1、 ====>AL=54 XOR 55=01
2、 ====>AL=4A XOR 55=1F
:004E556B 25FF000000 and eax, 000000FF
:004E5570 8D5346 lea edx, dword ptr [ebx+46]
1、 ====>EDX=1 + 46=47
2、 ====>EDX=2 + 46=48
:004E5573 33C2 xor eax, edx
1、 ====>AL=01 XOR 47=46
2、 ====>AL=1F XOR 48=57
:004E5575 8845FB mov byte ptr [ebp-05], al
:004E5578 33C0 xor eax, eax
:004E557A 8A45FB mov al, byte ptr [ebp-05]
:004E557D E80667FFFF call 004DBC88
:004E5582 8845FB mov byte ptr [ebp-05], al
:004E5585 8D45F0 lea eax, dword ptr [ebp-10]
:004E5588 8A55FB mov dl, byte ptr [ebp-05]
:004E558B E800F8F1FF call 00404D90
:004E5590 8B55F0 mov edx, dword ptr [ebp-10]
:004E5593 8D8664060000 lea eax, dword ptr [esi+00000664]
:004E5599 E8EEF8F1FF call 00404E8C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E555C(U)
|
:004E559E 8B8664060000 mov eax, dword ptr [esi+00000664]
====>the 2 rounds above transform N1 into TJYIPJFBFW (call it N2)
:004E55A4 E8DBF8F1FF call 00404E84
:004E55A9 83F80A cmp eax, 0000000A
====>is it 10 characters?
:004E55AC 7D0E jge 004E55BC
====>jump if not less than 10 characters!
:004E55AE 8B8664060000 mov eax, dword ptr [esi+00000664]
:004E55B4 E8CBF8F1FF call 00404E84
:004E55B9 48 dec eax
:004E55BA 7FA2 jg 004E555E
====>keep jumping back up to compute until it is 10 characters!
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣㊣
V. The comparison! The N2 derived from the registration name and the K1 derived from the trial code are compared character by character in "reverse order"!
Heh, if you modified or unpacked the original program, then here the K2 produced by the "redundant code" above replaces K1 in the comparison! A very clever "maze"!
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E55AC(C)
|
:004E55BC 8D8664060000 lea eax, dword ptr [esi+00000664]
:004E55C2 BA0A000000 mov edx, 0000000A
:004E55C7 E83CFCF1FF call 00405208
:004E55CC 8D55EC lea edx, dword ptr [ebp-14]
:004E55CF 8B8664060000 mov eax, dword ptr [esi+00000664]
====>EAX=