
Windows变脸王 4.4 Cracking Notes -- A Clean Patch

Posted: 2004/10/15 0:57:00  Source: compiled by this site  Author: 蓝点

Software name: Windows变脸王 4.4 (desktop utility)
Compiled: 2003.3.29
Latest version: 4.4
File size: 1357KB
License: shareware
Platform: Win9x/Me/NT/2000/XP
Publisher: http://www.holer.net
Description: Tired of the stock Windows look? Then try Windows变脸王; it makes your Windows stand out from the crowd. Windows变脸王 offers the following functions:
·Change the boot and shutdown screens. Supports BMP and JPG and scales images automatically.
·Replace the system's icons; the icon-theme function swaps every icon in one go.
·IE anti-tampering, plus changing the IE browser background, animated icon, etc.
·Replace mouse cursors as a set, with several very cool built-in cursor themes.
·Change drive and folder icons, tooltip text, colours, etc.
·Change window colours to make your Windows windows colourful.
·Change the OEM logo and the system's user information, such as user name and serial number.
·Permanently transparent desktop text, change its colour, right-align desktop text, arrange it in a circle.
·Blue-screen background and text colours, 3D window effects, startup sound, etc.
Highlights: ·The program does not stay resident in memory; the effects remain even after it is closed.
·It ships with many image and icon resources, so you can use ready-made effects without making your own.
·A powerful restore function, so there is nothing to worry about.
·An intuitive interface that is easy to use, especially suitable for novice computer users.


Protection: ASProtect 1.2 + registration code
Limitation: unregistered nag message
Cracking tools: TRW2000 1.23 registered version (with SuperBPM), W32Dasm 8.93 Gold, FI 2.5, Import REConstructor 1.4.2+, fs0-loader, eXeScope 6.30
Cracked on: 2003-04-02
Author newlaos's note: this is for study only; please do not use it for commercial purposes or distribute keygens made with the method in this article. I take no responsibility for any consequences. My skills are limited: I could only find the patch point, not the key algorithm, so I ask the experts for guidance!

Note: because this software verifies the registration information when the program starts, the steps below assume you have already run the program and entered newlaos[DFCG] and the registration code 7878787878787878 in the registration dialog.
1. First inspect the main file WinBeautician.exe with FI 2.5: it is packed with ASProtect 1.22, so it has to be unpacked manually.
a. Use the fs0_loader entry-point finder to locate the entry point. The tool reports the entry point at 4F7BF8. Good, note it down.
b. Do a first-pass unpack with TRW2000: open SuperBPM, click Erase, load WinBeautician.exe in TRW and type g 4F7BF8. Then use pedump to dump the program as DUMP1.EXE.
c. Run the original packed program. In Import REConstructor v1.4.2+'s Attach to an Active Process window select the WinBeautician.exe process, then enter the RVA, F7BF8 (entry point 4F7BF8 minus the image base 400000), in the OEP field below. Click IAT AutoSearch, then Get Imports, then Auto Trace, then Show Invalid. Right-click an invalid address in the Imported Functions Found window, choose Trace Level1 (disasm), click Show Invalid again, and some entries are repaired. Right-click an invalid address again, choose Trace Level1 (Hook), click Show Invalid, and a few more are repaired. Likewise choose Trace Level1 (Trap Flag) to repair a few more. If a few still remain, right-click those unrepaired addresses once more, choose Plugin Tracer (Asprotect 1.2X Emul), click Show Invalid, and every DLL should now show valid: Yes.
Then click Fix Dump, select DUMP1.EXE (the file you dumped with TRW2000's pedump) to repair it, and the fully unpacked program is written as dump1_.exe. Exit, run it: unpacking succeeded!

2. Disassemble AntiSpam.exe statically with W32Dasm 8.93 Gold and look through the string data references: none of the classic telltale strings. What now? First analyse the file's resources with eXeScope 6.30; under Resources\String Table\8 you can see:
112,这是未注册版,按下确定后会自动连接到洪亮软件网站。请您可以通过注册取消此限制。
120,setting
121,name
122,left
123,right
Then open config.ini in the software's install directory and you can see:
[setting]
name=newlaos
right=7878787878787878 <=== heh, so the registration code lives here
Back in W32Dasm 8.93, find String Resource ID=00123: "right" and double-click it. Ouch, there is a whole pile of references. What to do? Note them all down for later.

3. Now trace dynamically with TRW2000 1.23 registered version. Because the software verifies at program start, set breakpoints on the addresses just noted right from the beginning. Luck was with me: the program broke quickly, and at only one place, 004F0A06, which pins down the key registration-check code.

.......
.......
* Possible Reference to String Resource ID=00123: "right"
|
:004F0A06 B87B000000 mov eax, 0000007B
:004F0A0B E88085F1FF call 00408F90
:004F0A10 8B85B8FEFFFF mov eax, dword ptr [ebp+FFFFFEB8]
:004F0A16 50 push eax
:004F0A17 8D95B4FEFFFF lea edx, dword ptr [ebp+FFFFFEB4]

* Possible Reference to String Resource ID=00120: "setting"
|
:004F0A1D B878000000 mov eax, 00000078
:004F0A22 E86985F1FF call 00408F90
:004F0A27 8B95B4FEFFFF mov edx, dword ptr [ebp+FFFFFEB4]
:004F0A2D 8B45F8 mov eax, dword ptr [ebp-08]
:004F0A30 59 pop ecx
:004F0A31 8B30 mov esi, dword ptr [eax]
:004F0A33 FF16 call dword ptr [esi]
:004F0A35 837DEC00 cmp dword ptr [ebp-14], 00000000
:004F0A39 0F8483000000 je 004F0AC2
:004F0A3F 837DE400 cmp dword ptr [ebp-1C], 00000000
:004F0A43 747D je 004F0AC2
:004F0A45 8D8DB0FEFFFF lea ecx, dword ptr [ebp+FFFFFEB0]

* Possible StringData Ref from Code Obj ->"holer@21cn.com"
|
:004F0A4B BA00124F00 mov edx, 004F1200 <=== EDX = holer@21cn.com
:004F0A50 8B45E4 mov eax, dword ptr [ebp-1C] <=== eax = 7878787878787878
:004F0A53 E830A2FBFF call 004AAC88 <=== the key algorithm CALL, step into it with F8
:004F0A58 8B95B0FEFFFF mov edx, dword ptr [ebp+FFFFFEB0] <=== EDX here is the transformed registration code
:004F0A5E 8B45EC mov eax, dword ptr [ebp-14] <=== EAX = newlaos
:004F0A61 E87E36F1FF call 004040E4 <=== for registration to succeed, EDX above must equal EAX
:004F0A66 755A jne 004F0AC2 <=== the software can be patched here: change 755A to 745A
:004F0A68 8B8378030000 mov eax, dword ptr [ebx+00000378]
:004F0A6E 8B8038020000 mov eax, dword ptr [eax+00000238]
:004F0A74 B201 mov dl, 01
:004F0A76 E83DF5F3FF call 0042FFB8
:004F0A7B 8B8378030000 mov eax, dword ptr [ebx+00000378]
:004F0A81 8B8034020000 mov eax, dword ptr [eax+00000234]
:004F0A87 33D2 xor edx, edx
:004F0A89 E82AF5F3FF call 0042FFB8
:004F0A8E 8B8378030000 mov eax, dword ptr [ebx+00000378]
:004F0A94 8B8024020000 mov eax, dword ptr [eax+00000224]
:004F0A9A B201 mov dl, 01
:004F0A9C E817F5F3FF call 0042FFB8
:004F0AA1 8B8378030000 mov eax, dword ptr [ebx+00000378]
:004F0AA7 8B8068020000 mov eax, dword ptr [eax+00000268]
:004F0AAD 33D2 xor edx, edx
:004F0AAF E804F5F3FF call 0042FFB8
:004F0AB4 8B55E0 mov edx, dword ptr [ebp-20]
:004F0AB7 8B831C030000 mov eax, dword ptr [ebx+0000031C]
:004F0ABD E80EF6F3FF call 004300D0
.......
.......


-------- 004F0A53 call 004AAC88: the key algorithm CALL; F8 into it brings us to the following code --------
Initial values: EDX=holer@21cn.com eax=7878787878
:004AAC88 55 push ebp
:004AAC89 8BEC mov ebp, esp
:004AAC8B 6A00 push 00000000
:004AAC8D 6A00 push 00000000
:004AAC8F 6A00 push 00000000
:004AAC91 6A00 push 00000000
:004AAC93 6A00 push 00000000
:004AAC95 53 push ebx
:004AAC96 56 push esi
:004AAC97 57 push edi
:004AAC98 8BF9 mov edi, ecx
:004AAC9A 8955F8 mov dword ptr [ebp-08], edx
:004AAC9D 8945FC mov dword ptr [ebp-04], eax
:004AACA0 8B45FC mov eax, dword ptr [ebp-04]
:004AACA3 E8E094F5FF call 00404188
:004AACA8 8B45F8 mov eax, dword ptr [ebp-08]
:004AACAB E8D894F5FF call 00404188

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAC74(C)
|
:004AACB0 33C0 xor eax, eax
:004AACB2 55 push ebp
:004AACB3 683EAD4A00 push 004AAD3E
:004AACB8 64FF30 push dword ptr fs:[eax]
:004AACBB 648920 mov dword ptr fs:[eax], esp
:004AACBE 8D45F4 lea eax, dword ptr [ebp-0C]
:004AACC1 E88E90F5FF call 00403D54
:004AACC6 8B45FC mov eax, dword ptr [ebp-04]
:004AACC9 E80693F5FF call 00403FD4
:004AACCE 8BD8 mov ebx, eax
:004AACD0 D1FB sar ebx, 1
:004AACD2 7903 jns 004AACD7
:004AACD4 83D300 adc ebx, 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AACD2(C)
|
:004AACD7 4B dec ebx
:004AACD8 85DB test ebx, ebx
:004AACDA 7C3A jl 004AAD16
:004AACDC 43 inc ebx
:004AACDD 33F6 xor esi, esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAD14(C) <=== the loop starts at this line
|
:004AACDF 8D45F0 lea eax, dword ptr [ebp-10]
:004AACE2 50 push eax
:004AACE3 8BD6 mov edx, esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAC71(C)
|
:004AACE5 03D2 add edx, edx
:004AACE7 42 inc edx

* Possible Reference to String Resource ID=00002: " http://www.holer.net"
|
:004AACE8 B902000000 mov ecx, 00000002
:004AACED 8B45FC mov eax, dword ptr [ebp-04] <=== EAX = 7878787878787878
:004AACF0 E8E794F5FF call 004041DC
:004AACF5 8B45F0 mov eax, dword ptr [ebp-10]
:004AACF8 E89BFEFFFF call 004AAB98
:004AACFD 8BD0 mov edx, eax
:004AACFF 8D45EC lea eax, dword ptr [ebp-14]
:004AAD02 E8F591F5FF call 00403EFC
:004AAD07 8B55EC mov edx, dword ptr [ebp-14]
:004AAD0A 8D45F4 lea eax, dword ptr [ebp-0C]
:004AAD0D E8CA92F5FF call 00403FDC
:004AAD12 46 inc esi
:004AAD13 4B dec ebx
:004AAD14 75C9 jne 004AACDF <=== jumps back up to form a small loop: it takes the entered registration code two digits at a time, each pair being the ASCII value of one character, so in our case it yields xxxxxxxx (78 is the character x); hence the loop runs 8 times

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AACDA(C)
|
:004AAD16 8BCF mov ecx, edi
:004AAD18 8B55F8 mov edx, dword ptr [ebp-08] <=== EDX = holer@21cn.com
:004AAD1B 8B45F4 mov eax, dword ptr [ebp-0C] <=== EAX = xxxxxxxx
:004AAD1E E8E1FCFFFF call 004AAA04 <=== this CALL applies the final transformation to xxxxxxxx; F8 into it
:004AAD23 33C0 xor eax, eax
:004AAD25 5A pop edx
:004AAD26 59 pop ecx
:004AAD27 59 pop ecx
:004AAD28 648910 mov dword ptr fs:[eax], edx
:004AAD2B 6845AD4A00 push 004AAD45
:004AAD30 8D45EC lea eax, dword ptr [ebp-14]
:004AAD33 BA05000000 mov edx, 00000005
:004AAD38 E83B90F5FF call 00403D78
:004AAD45 5F pop edi
:004AAD46 5E pop esi
:004AAD47 5B pop ebx
:004AAD48 8BE5 mov esp, ebp
:004AAD4A 5D pop ebp
:004AAD4B C3 ret



----- 004AAD1E call 004AAA04: this CALL applies the final transformation to xxxxxxxx; F8 into it -----
:004AAA04 55 push ebp
:004AAA05 8BEC mov ebp, esp
:004AAA07 83C4CC add esp, FFFFFFCC
:004AAA0A 53 push ebx
:004AAA0B 56 push esi
:004AAA0C 33DB xor ebx, ebx
:004AAA0E 895DCC mov dword ptr [ebp-34], ebx
:004AAA11 895DD8 mov dword ptr [ebp-28], ebx
:004AAA14 894DF4 mov dword ptr [ebp-0C], ecx
:004AAA17 8955F8 mov dword ptr [ebp-08], edx
:004AAA1A 8945FC mov dword ptr [ebp-04], eax
:004AAA1D 8B45FC mov eax, dword ptr [ebp-04]
:004AAA20 E86397F5FF call 00404188
:004AAA25 8B45F8 mov eax, dword ptr [ebp-08]
:004AAA28 E85B97F5FF call 00404188
:004AAA2D 33C0 xor eax, eax
:004AAA2F 55 push ebp
:004AAA30 687DAB4A00 push 004AAB7D
:004AAA35 64FF30 push dword ptr fs:[eax]
:004AAA38 648920 mov dword ptr fs:[eax], esp
:004AAA3B 8B45F8 mov eax, dword ptr [ebp-08]
:004AAA3E E89195F5FF call 00403FD4
:004AAA43 83F808 cmp eax, 00000008
:004AAA46 7D1C jge 004AAA64
:004AAA48 EB0D jmp 004AAA57

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAA62(C)
|
:004AAA4A 8D45F8 lea eax, dword ptr [ebp-08]
:004AAA4D BA94AB4A00 mov edx, 004AAB94
:004AAA52 E88595F5FF call 00403FDC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAA48(U)
|
:004AAA57 8B45F8 mov eax, dword ptr [ebp-08]
:004AAA5A E87595F5FF call 00403FD4
:004AAA5F 83F808 cmp eax, 00000008
:004AAA62 7CE6 jl 004AAA4A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAA46(C)
|
:004AAA64 33DB xor ebx, ebx
:004AAA66 8D45DC lea eax, dword ptr [ebp-24]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAA76(C)
|
:004AAA69 8B55F8 mov edx, dword ptr [ebp-08]
:004AAA6C 8A141A mov dl, byte ptr [edx+ebx]
:004AAA6F 8810 mov byte ptr [eax], dl
:004AAA71 43 inc ebx
:004AAA72 40 inc eax
:004AAA73 83FB08 cmp ebx, 00000008 <=== loops only 8 times
:004AAA76 75F1 jne 004AAA69 <=== this forms a loop that picks up holer@21 again (only the first 8 characters of holer@21cn.com)
:004AAA78 6A0F push 0000000F
:004AAA7A B980B94F00 mov ecx, 004FB980
:004AAA7F 8D45DC lea eax, dword ptr [ebp-24]
:004AAA82 BA07000000 mov edx, 00000007
:004AAA87 E848FBFFFF call 004AA5D4
:004AAA8C 8D45D8 lea eax, dword ptr [ebp-28]
:004AAA8F E8C092F5FF call 00403D54
:004AAA94 8B45FC mov eax, dword ptr [ebp-04]
:004AAA97 E83895F5FF call 00403FD4
:004AAA9C 85C0 test eax, eax
:004AAA9E 7903 jns 004AAAA3
:004AAAA0 83C007 add eax, 00000007

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAA9E(C)
|
:004AAAA3 C1F803 sar eax, 03
:004AAAA6 48 dec eax
:004AAAA7 85C0 test eax, eax
:004AAAA9 7C7E jl 004AAB29
:004AAAAB 40 inc eax
:004AAAAC 8945D0 mov dword ptr [ebp-30], eax
:004AAAAF C745D400000000 mov [ebp-2C], 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAB0E(C)
|
:004AAAB6 33DB xor ebx, ebx
:004AAAB8 8D45EC lea eax, dword ptr [ebp-14]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAAD0(C)
|
:004AAABB 8B55D4 mov edx, dword ptr [ebp-2C]
:004AAABE C1E203 shl edx, 03
:004AAAC1 03D3 add edx, ebx
:004AAAC3 8B4DFC mov ecx, dword ptr [ebp-04]
:004AAAC6 8A1411 mov dl, byte ptr [ecx+edx]
:004AAAC9 8810 mov byte ptr [eax], dl
:004AAACB 43 inc ebx
:004AAACC 40 inc eax
:004AAACD 83FB08 cmp ebx, 00000008 <=== this shows the loop runs 8 times, i.e. only 16 digits of the registration code are used
:004AAAD0 75E9 jne 004AAABB <=== this forms a loop that picks up xxxxxxxx again
:004AAAD2 8D45E4 lea eax, dword ptr [ebp-1C]
:004AAAD5 50 push eax
:004AAAD6 6A07 push 00000007
:004AAAD8 8D55EC lea edx, dword ptr [ebp-14]
:004AAADB B907000000 mov ecx, 00000007
:004AAAE0 B001 mov al, 01
:004AAAE2 E845FDFFFF call 004AA82C <=== another key CALL; it finally produces the transformed registration code; F8 into it
:004AAAE7 BB08000000 mov ebx, 00000008
:004AAAEC 8D75E4 lea esi, dword ptr [ebp-1C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAB06(C)
|
:004AAAEF 8D45CC lea eax, dword ptr [ebp-34]
:004AAAF2 8A16 mov dl, byte ptr [esi]
:004AAAF4 E80394F5FF call 00403EFC
:004AAAF9 8B55CC mov edx, dword ptr [ebp-34]
:004AAAFC 8D45D8 lea eax, dword ptr [ebp-28]
:004AAAFF E8D894F5FF call 00403FDC
:004AAB04 46 inc esi
:004AAB05 4B dec ebx
:004AAB06 75E7 jne 004AAAEF <=== this forms a loop that picks up the final transformed registration code again
:004AAB08 FF45D4 inc [ebp-2C]
:004AAB0B FF4DD0 dec [ebp-30]
:004AAB0E 75A6 jne 004AAAB6
:004AAB10 EB17 jmp 004AAB29

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAB45(C)
|
:004AAB12 8B45D8 mov eax, dword ptr [ebp-28]
:004AAB15 E8BA94F5FF call 00403FD4
:004AAB1A 8BD0 mov edx, eax
:004AAB1C 8D45D8 lea eax, dword ptr [ebp-28]

* Possible Reference to String Resource ID=00001: " http://www.holer.net/cn/cooperate.htm"
|
:004AAB1F B901000000 mov ecx, 00000001
:004AAB24 E8F396F5FF call 0040421C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004AAAA9(C), :004AAB10(U)
|
:004AAB29 8B45D8 mov eax, dword ptr [ebp-28]
:004AAB2C E8A394F5FF call 00403FD4
:004AAB31 85C0 test eax, eax
:004AAB33 7E12 jle 004AAB47
:004AAB35 8B45D8 mov eax, dword ptr [ebp-28]
:004AAB38 E89794F5FF call 00403FD4
:004AAB3D 8B55D8 mov edx, dword ptr [ebp-28]
:004AAB40 807C02FF00 cmp byte ptr [edx+eax-01], 00
:004AAB45 74CB je 004AAB12

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAB33(C)
|
:004AAB47 8B45F4 mov eax, dword ptr [ebp-0C]
:004AAB4A 8B55D8 mov edx, dword ptr [ebp-28]
:004AAB4D E85692F5FF call 00403DA8
:004AAB52 33C0 xor eax, eax
:004AAB54 5A pop edx
:004AAB55 59 pop ecx
:004AAB56 59 pop ecx
:004AAB57 648910 mov dword ptr fs:[eax], edx
:004AAB5A 6884AB4A00 push 004AAB84

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AAB82(U)
|
:004AAB5F 8D45CC lea eax, dword ptr [ebp-34]
:004AAB62 E8ED91F5FF call 00403D54
:004AAB67 8D45D8 lea eax, dword ptr [ebp-28]
:004AAB6A E8E591F5FF call 00403D54
:004AAB6F 8D45F8 lea eax, dword ptr [ebp-08]

* Possible Reference to String Resource ID=00002: " http://www.holer.net"
|
:004AAB72 BA02000000 mov edx, 00000002
:004AAB77 E8FC91F5FF call 00403D78
:004AAB7C C3 ret


:004AAB7D E96A8CF5FF jmp 004037EC
:004AAB82 EBDB jmp 004AAB5F
:004AAB84 5E pop esi
:004AAB85 5B pop ebx
:004AAB86 8BE5 mov esp, ebp
:004AAB88 5D pop ebp
:004AAB89 C3 ret


--------- 004AAAE2 call 004AA82C: the key CALL that finally produces the transformed registration code; F8 into it ---------

:004AA82C 55 push ebp
:004AA82D 8BEC mov ebp, esp
:004AA82F 83C4E8 add esp, FFFFFFE8
:004AA832 53 push ebx
:004AA833 56 push esi
:004AA834 57 push edi
:004AA835 8BD9 mov ebx, ecx
:004AA837 85DB test ebx, ebx
:004AA839 780A js 004AA845
:004AA83B C1EB02 shr ebx, 02

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA843(C)
|
:004AA83E 8B349A mov esi, dword ptr [edx+4*ebx]
:004AA841 4B dec ebx
:004AA842 56 push esi
:004AA843 79F9 jns 004AA83E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA839(C)
|
:004AA845 8BD4 mov edx, esp
:004AA847 8955FC mov dword ptr [ebp-04], edx
:004AA84A 8BD8 mov ebx, eax
:004AA84C C745F808000000 mov [ebp-08], 00000008
:004AA853 8B45FC mov eax, dword ptr [ebp-04]
:004AA856 8B4D0C mov ecx, dword ptr [ebp+0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA862(C)
|
:004AA859 8A10 mov dl, byte ptr [eax]
:004AA85B 8811 mov byte ptr [ecx], dl
:004AA85D 41 inc ecx
:004AA85E 40 inc eax
:004AA85F FF4DF8 dec [ebp-08]
:004AA862 75F5 jne 004AA859
:004AA864 8B450C mov eax, dword ptr [ebp+0C]
:004AA867 8B5508 mov edx, dword ptr [ebp+08]
:004AA86A E881F9FFFF call 004AA1F0
:004AA86F 84DB test bl, bl
:004AA871 0F85B5000000 jne 004AA92C
:004AA877 C745F810000000 mov [ebp-08], 00000010
:004AA87E C745EC80B94F00 mov [ebp-14], 004FB980

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA8E9(C)
|
:004AA885 B804000000 mov eax, 00000004
:004AA88A 8B550C mov edx, dword ptr [ebp+0C]
:004AA88D 8D75F4 lea esi, dword ptr [ebp-0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA897(C)
|
:004AA890 8A0A mov cl, byte ptr [edx]
:004AA892 880E mov byte ptr [esi], cl
:004AA894 46 inc esi
:004AA895 42 inc edx
:004AA896 48 dec eax
:004AA897 75F7 jne 004AA890
:004AA899 B804000000 mov eax, 00000004
:004AA89E 8B550C mov edx, dword ptr [ebp+0C]
:004AA8A1 83C204 add edx, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA8AB(C)
|
:004AA8A4 8A0A mov cl, byte ptr [edx]
:004AA8A6 884AFC mov byte ptr [edx-04], cl
:004AA8A9 42 inc edx
:004AA8AA 48 dec eax
:004AA8AB 75F7 jne 004AA8A4
:004AA8AD 6A05 push 00000005
:004AA8AF 8D45F0 lea eax, dword ptr [ebp-10]
:004AA8B2 50 push eax
:004AA8B3 6A03 push 00000003
:004AA8B5 8B45EC mov eax, dword ptr [ebp-14]
:004AA8B8 8BC8 mov ecx, eax
:004AA8BA 8B450C mov eax, dword ptr [ebp+0C]
:004AA8BD 8B5508 mov edx, dword ptr [ebp+08]
:004AA8C0 E83FFEFFFF call 004AA704
:004AA8C5 B804000000 mov eax, 00000004
:004AA8CA 8D55F4 lea edx, dword ptr [ebp-0C]
:004AA8CD 8D75F0 lea esi, dword ptr [ebp-10]
:004AA8D0 8B4D0C mov ecx, dword ptr [ebp+0C]
:004AA8D3 83C104 add ecx, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA8E0(C)
|
:004AA8D6 8A1A mov bl, byte ptr [edx]
:004AA8D8 321E xor bl, byte ptr [esi]
:004AA8DA 8819 mov byte ptr [ecx], bl
:004AA8DC 41 inc ecx
:004AA8DD 46 inc esi
:004AA8DE 42 inc edx
:004AA8DF 48 dec eax
:004AA8E0 75F4 jne 004AA8D6
:004AA8E2 8345EC06 add dword ptr [ebp-14], 00000006
:004AA8E6 FF4DF8 dec [ebp-08]
:004AA8E9 759A jne 004AA885
:004AA8EB B804000000 mov eax, 00000004
:004AA8F0 8B550C mov edx, dword ptr [ebp+0C]
:004AA8F3 83C204 add edx, 00000004
:004AA8F6 8D4DF4 lea ecx, dword ptr [ebp-0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA900(C)
|
:004AA8F9 8A1A mov bl, byte ptr [edx]
:004AA8FB 8819 mov byte ptr [ecx], bl
:004AA8FD 41 inc ecx
:004AA8FE 42 inc edx
:004AA8FF 48 dec eax
:004AA900 75F7 jne 004AA8F9
:004AA902 B804000000 mov eax, 00000004
:004AA907 8B550C mov edx, dword ptr [ebp+0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA911(C)
|
:004AA90A 8A0A mov cl, byte ptr [edx]
:004AA90C 884A04 mov byte ptr [edx+04], cl
:004AA90F 42 inc edx
:004AA910 48 dec eax
:004AA911 75F7 jne 004AA90A
:004AA913 B804000000 mov eax, 00000004
:004AA918 8D55F4 lea edx, dword ptr [ebp-0C]
:004AA91B 8B4D0C mov ecx, dword ptr [ebp+0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA925(C)
|
:004AA91E 8A1A mov bl, byte ptr [edx]
:004AA920 8819 mov byte ptr [ecx], bl
:004AA922 41 inc ecx
:004AA923 42 inc edx
:004AA924 48 dec eax
:004AA925 75F7 jne 004AA91E
:004AA927 E9BB000000 jmp 004AA9E7

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA871(C)
|
:004AA92C 80FB01 cmp bl, 01
:004AA92F 0F85B2000000 jne 004AA9E7
:004AA935 C745F8F0FFFFFF mov [ebp-08], FFFFFFF0
:004AA93C BBDAB94F00 mov ebx, 004FB9DA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA9A9(C)
|
:004AA941 B804000000 mov eax, 00000004
:004AA946 8B550C mov edx, dword ptr [ebp+0C]
:004AA949 8D75F4 lea esi, dword ptr [ebp-0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA953(C)
|
:004AA94C 8A0A mov cl, byte ptr [edx]
:004AA94E 880E mov byte ptr [esi], cl
:004AA950 46 inc esi
:004AA951 42 inc edx
:004AA952 48 dec eax
:004AA953 75F7 jne 004AA94C
:004AA955 B804000000 mov eax, 00000004
:004AA95A 8B550C mov edx, dword ptr [ebp+0C]
:004AA95D 83C204 add edx, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA967(C)
|
:004AA960 8A0A mov cl, byte ptr [edx]
:004AA962 884AFC mov byte ptr [edx-04], cl
:004AA965 42 inc edx
:004AA966 48 dec eax
:004AA967 75F7 jne 004AA960
:004AA969 6A05 push 00000005
:004AA96B 8D45F0 lea eax, dword ptr [ebp-10]
:004AA96E 50 push eax
:004AA96F 6A03 push 00000003
:004AA971 8BCB mov ecx, ebx
:004AA973 8B450C mov eax, dword ptr [ebp+0C]
:004AA976 8B5508 mov edx, dword ptr [ebp+08]
:004AA979 E886FDFFFF call 004AA704
:004AA97E B804000000 mov eax, 00000004
:004AA983 8D55F4 lea edx, dword ptr [ebp-0C]
:004AA986 8D75F0 lea esi, dword ptr [ebp-10]
:004AA989 8B4D0C mov ecx, dword ptr [ebp+0C]
:004AA98C 83C104 add ecx, 00000004
:004AA98F 894DE8 mov dword ptr [ebp-18], ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA9A1(C)
|
:004AA992 8A0A mov cl, byte ptr [edx]
:004AA994 320E xor cl, byte ptr [esi]
:004AA996 8B7DE8 mov edi, dword ptr [ebp-18]
:004AA999 880F mov byte ptr [edi], cl
:004AA99B FF45E8 inc [ebp-18]
:004AA99E 46 inc esi
:004AA99F 42 inc edx
:004AA9A0 48 dec eax
:004AA9A1 75EF jne 004AA992
:004AA9A3 83EB06 sub ebx, 00000006
:004AA9A6 FF45F8 inc [ebp-08]
:004AA9A9 7596 jne 004AA941
:004AA9AB B804000000 mov eax, 00000004
:004AA9B0 8B550C mov edx, dword ptr [ebp+0C]
:004AA9B3 83C204 add edx, 00000004
:004AA9B6 8D5DF4 lea ebx, dword ptr [ebp-0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA9C0(C)
|
:004AA9B9 8A0A mov cl, byte ptr [edx]
:004AA9BB 880B mov byte ptr [ebx], cl
:004AA9BD 43 inc ebx
:004AA9BE 42 inc edx
:004AA9BF 48 dec eax
:004AA9C0 75F7 jne 004AA9B9
:004AA9C2 B804000000 mov eax, 00000004
:004AA9C7 8B5D0C mov ebx, dword ptr [ebp+0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA9D1(C)
|
:004AA9CA 8A13 mov dl, byte ptr [ebx]
:004AA9CC 885304 mov byte ptr [ebx+04], dl
:004AA9CF 43 inc ebx
:004AA9D0 48 dec eax
:004AA9D1 75F7 jne 004AA9CA
:004AA9D3 B804000000 mov eax, 00000004
:004AA9D8 8D5DF4 lea ebx, dword ptr [ebp-0C]
:004AA9DB 8B550C mov edx, dword ptr [ebp+0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA9E5(C)
|
:004AA9DE 8A0B mov cl, byte ptr [ebx]
:004AA9E0 880A mov byte ptr [edx], cl
:004AA9E2 42 inc edx
:004AA9E3 43 inc ebx
:004AA9E4 48 dec eax
:004AA9E5 75F7 jne 004AA9DE

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004AA927(U), :004AA92F(C)
|
:004AA9E7 8B450C mov eax, dword ptr [ebp+0C]
:004AA9EA 8B5508 mov edx, dword ptr [ebp+08]
:004AA9ED E882F8FFFF call 004AA274 <=== this CALL finally produces the transformed registration code; F8 into it
:004AA9F2 8B7DDC mov edi, dword ptr [ebp-24]
:004AA9F5 8B75E0 mov esi, dword ptr [ebp-20]
:004AA9F8 8B5DE4 mov ebx, dword ptr [ebp-1C]
:004AA9FB 8BE5 mov esp, ebp
:004AA9FD 5D pop ebp
:004AA9FE C20800 ret 0008




------- 004AA9ED call 004AA274: this CALL finally produces the transformed registration code; F8 into it -------
:004AA274 53 push ebx
:004AA275 56 push esi
:004AA276 57 push edi
:004AA277 83C4F8 add esp, FFFFFFF8
:004AA27A 8BF0 mov esi, eax
:004AA27C 8BC4 mov eax, esp
:004AA27E 33C9 xor ecx, ecx
:004AA280 BA08000000 mov edx, 00000008
:004AA285 E8F689F5FF call 00402C80 <=== clears 8 bytes at memory location 7EF934 to hold the final transformed registration code
:004AA28A 33D2 xor edx, edx <=== counter EDX, initialised to 0
:004AA28C B890984F00 mov eax, 004F9890
<=== a lookup table lives here; its values are not fed into arithmetic directly but are computed into positions, from which the corresponding values of the transformed registration code are picked out.
| 27 07 2F 0F 37 17 3F 1F -26 06 2E 0E 36 16 3E 1E |
| 25 05 2D 0D 35 15 3D 1D -24 04 2C 0C 34 14 3C 1C |
| 23 03 2B 0B 33 13 3B 1B -22 02 2A 0A 32 12 3A 1A |
| 21 01 29 09 31 11 39 19 -20 00 28 08 30 10 38 18 |
*** This table is very cleverly designed (see below for why) ***

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA2DC(C)
|
:004AA291 8A18 mov bl, byte ptr [eax] <=== take the table values one by one into BL
:004AA293 8BCB mov ecx, ebx
:004AA295 80E107 and cl, 07
:004AA298 81E1FF000000 and ecx, 000000FF <=== the table is cleverly designed: every 8 iterations (exactly one pass in which each of the 8 characters of the first-stage transformed registration code is taken once), ECX drops by one (7,6,5,4,3,2,1,0), which implements the transformation of each character of the final registration code (also 8 characters)
:004AA29E 51 push ecx
:004AA29F B907000000 mov ecx, 00000007
:004AA2A4 5F pop edi <=== EDI is successively 7,6,5,4,3,2,1,0 (changes once every 8 iterations)
:004AA2A5 2BCF sub ecx, edi <=== ECX = 7 - EDI = 0,1,2,3,4,5,6,7,8

* Possible Reference to String Resource ID=00001: " http://www.holer.net/cn/cooperate.htm"
|
:004AA2A7 BF01000000 mov edi, 00000001 <=== EDI = 1
:004AA2AC D3E7 shl edi, cl <=== shift EDI left logically by CL bits
:004AA2AE 33C9 xor ecx, ecx <=== clear ECX
:004AA2B0 8ACB mov cl, bl
:004AA2B2 C1E903 shr ecx, 03 <=== the table value shifted right logically by 3 gives the position!
:004AA2B5 0FB60C0E movzx ecx, byte ptr [esi+ecx] <=== ECX is the corresponding value taken from the first-stage transformed registration code (8 characters)
**** The positions read from the first-stage transformed registration code (8 characters) are shown in the table below: ****
| 5 1 6 2 7 3 8 4 - 5 1 6 2 7 3 8 4 | <=== in other words, the first-stage transformed registration code is read through 8 times.
| 5 1 6 2 7 3 8 4 - 5 1 6 2 7 3 8 4 |
| 5 1 6 2 7 3 8 4 - 5 1 6 2 7 3 8 4 |
| 5 1 6 2 7 3 8 4 - 5 1 6 2 7 3 8 4 |
:004AA2B9 23F9 and edi, ecx <=== AND the value fetched into ECX with EDI
:004AA2BB 741A je 004AA2D7
:004AA2BD 8BCA mov ecx, edx
:004AA2BF 83E107 and ecx, 00000007
:004AA2C2 51 push ecx
:004AA2C3 B907000000 mov ecx, 00000007
:004AA2C8 5B pop ebx
:004AA2C9 2BCB sub ecx, ebx
:004AA2CB B301 mov bl, 01
:004AA2CD D2E3 shl bl, cl
:004AA2CF 8BCA mov ecx, edx
:004AA2D1 C1E903 shr ecx, 03
:004AA2D4 081C0C or byte ptr [esp+ecx], bl

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA2BB(C)
|
:004AA2D7 42 inc edx <=== counter EDX = EDX + 1
:004AA2D8 40 inc eax
:004AA2D9 83FA40 cmp edx, 00000040 <=== this sets the loop to 64 iterations (40 is hexadecimal)
:004AA2DC 75B3 jne 004AA291
<=== jumps back up to form a loop that applies the final transformation to the registration code, storing it first at memory location 7EF934
:004AA2DE BA08000000 mov edx, 00000008
:004AA2E3 8BC4 mov eax, esp
:004AA2E5 8BCE mov ecx, esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA2EE(C)
|
:004AA2E7 8A18 mov bl, byte ptr [eax]
:004AA2E9 8819 mov byte ptr [ecx], bl
:004AA2EB 41 inc ecx
:004AA2EC 40 inc eax
:004AA2ED 4A dec edx
:004AA2EE 75F7 jne 004AA2E7
:004AA2F0 59 pop ecx
:004AA2F1 5A pop edx
:004AA2F2 5F pop edi
:004AA2F3 5E pop esi
:004AA2F4 5B pop ebx
:004AA2F5 C3 ret

4. Notes on the algorithm: with my limited ability I could only find the registration code and had no way to work out the algorithm; I ask the experts for guidance (half a day's effort and only a patch to show for it, which is really frustrating).
a. The scheme is f(registration code) = registration name; the registration code must be longer than 16 digits.
b. The registration code goes through two transformations in total and is then compared with the registration name; if they are equal, registration succeeds.

5. The registration information is stored in the file config.ini:
[setting]
name=newlaos[DFCG]
right=1234567890123456

