Software size: 1059 KB
Software language: English
Software category: Foreign software / Shareware / Desktop tools
Platform: Win9x/NT/2000/XP
Interface preview: none
Date added: 2003-05-19 08:59:25
Downloads: 49
Cracking tools: Pescan3.31, OllyDbg1.09, Wdasm8.93
Author's statement: I am a beginner at cracking; this is for study and exchange only, and I ask the experts to point out any mistakes.
Software download: http://count.skycn.com/softdown.php?id=11962&url=http://on165-http.skycn.net:8080/down/phelper21cn.exe

Software description: Sticky notes let you conveniently store temporary information, or information kept for other purposes, just as you would with everyday paper notes. The note editor supports formatting, so you can set the font size, color and so on. It is effectively a small WordPad, and each note can have its own time reminder. The program can synchronize with an astronomical clock automatically or manually, so your system clock is always as accurate as possible. It can also replace the Windows taskbar clock display and change its color, displayed content and so on, making the Windows clock display fully customizable. The trial version has all features enabled but can only be used for 30 days. When the 30 days expire, please purchase a registration or uninstall the program.

Checking with Pescan shows an aspack2.12 packer. After unpacking (419K-->1232K), disassembling and searching the strings, the key point is found very quickly. Load it in OD!

Enter an arbitrary username ShenGe and registration code 12345678.

004D9460  PUSH DWORD PTR FS:[EAX]
004D9463  MOV DWORD PTR FS:[EAX], ESP
004D9466  LEA EDX, [LOCAL.1]
004D9469  MOV EAX, DWORD PTR DS:[EBX+308]
004D946F  CALL 1.0044765C                    <---get the fake code
004D9474  MOV EAX, [LOCAL.1]                 <---EAX="12345678"
004D9477  PUSH EAX
004D9478  LEA EDX, [LOCAL.2]
004D947B  MOV EAX, DWORD PTR DS:[EBX+304]
004D9481  CALL 1.0044765C                    <---get the username
004D9486  MOV EDX, [LOCAL.2]                 <---EDX="ShenGe"
004D9489  MOV EAX, DWORD PTR DS:[4E036C]
004D948E  MOV EAX, DWORD PTR DS:[EAX]
004D9490  MOV ECX, 1.004D95A8
004D9495  CALL 1.004B4884                    <---the key call, step into it!
004D949A  TEST AL, AL
004D949C  JNZ SHORT 1.004D94A8               <---the key jump
004D949E  MOV EAX, 1.004D95B8
004D94A3  CALL 1.00440850                    <---registration failed
004D94A8  MOV EAX, DWORD PTR DS:[4E036C]
004D94AD  MOV EAX, DWORD PTR DS:[EAX]
004D94AF  MOV EDX, DWORD PTR DS:[EAX+5C]
004D94B2  MOV EAX, DWORD PTR DS:[EBX+308]
004D94B8  CALL 1.0044768C
004D94BD  MOV EAX, DWORD PTR DS:[4E036C]
004D94C2  MOV EAX, DWORD PTR DS:[EAX]
004D94C4  MOV EDX, DWORD PTR DS:[EAX+48]
004D94C7  MOV EAX, DWORD PTR DS:[EBX+304]
004D94CD  CALL 1.0044768C
004D94D2  MOV EAX, DWORD PTR DS:[4E036C]
004D94D7  MOV EAX, DWORD PTR DS:[EAX]
004D94D9  CALL 1.004B4538
004D94DE  LEA EDX, [LOCAL.3]
004D94E1  CALL 1.00408EBC
004D94E6  MOV EDX, [LOCAL.3]
004D94E9  MOV EAX, DWORD PTR DS:[EBX+300]
004D94EF  CALL 1.0044768C
004D94F4  MOV EAX, DWORD PTR DS:[4E036C]
004D94F9  MOV EAX, DWORD PTR DS:[EAX]
004D94FB  CALL 1.004B4578
004D9500  TEST AL, AL
004D9502  JE SHORT 1.004D9522
004D9504  MOV EDX, 1.004D95CC
004D9509  MOV EAX, EBX
004D950B  CALL 1.0044768C                    <---registration succeeded!
004D9510  MOV EDX, 1.004D95E0

Stepping into that key call, we see the following code:

004B4884  PUSH EBP
004B4885  MOV EBP, ESP
004B4887  ADD ESP, -10
004B488A  PUSH EBX
004B488B  XOR EBX, EBX
004B488D  MOV [LOCAL.4], EBX
004B4890  MOV [LOCAL.3], EBX
004B4893  MOV [LOCAL.2], ECX
004B4896  MOV [LOCAL.1], EDX
004B4899  MOV EBX, EAX
004B489B  MOV EAX, [LOCAL.1]
004B489E  CALL 1.00404B0C
004B48A3  MOV EAX, [LOCAL.2]
004B48A6  CALL 1.00404B0C
004B48AB  MOV EAX, [ARG.1]
004B48AE  CALL 1.00404B0C
004B48B3  XOR EAX, EAX
004B48B5  PUSH EBP
004B48B6  PUSH 1.004B496E
004B48BB  PUSH DWORD PTR FS:[EAX]
004B48BE  MOV DWORD PTR FS:[EAX], ESP
004B48C1  MOV EAX, [LOCAL.1]                 <---EAX="ShenGe"
004B48C4  CALL 1.00404924                    <---get the username length
004B48C9  CMP EAX, DWORD PTR DS:[EBX+4C]     <---the username length cannot be greater than 25
004B48CC  JG SHORT 1.004B48E7
004B48CE  MOV EAX, [LOCAL.1]
004B48D1  CALL 1.00404924
004B48D6  CMP EAX, DWORD PTR DS:[EBX+50]     <---the username length cannot be less than 3
004B48D9  JL SHORT 1.004B48E7
004B48DB  MOV EAX, [ARG.1]                   <---EAX="12345678"
004B48DE  CALL 1.00404924
004B48E3  TEST EAX, EAX                      <---check whether a registration code was entered
004B48E5  JNZ SHORT 1.004B48EB
004B48E7  XOR EBX, EBX
004B48E9  JMP SHORT 1.004B494B
004B48EB  LEA EDX, [LOCAL.3]
004B48EE  MOV EAX, [ARG.1]
004B48F1  CALL 1.00408A1C
004B48F6  MOV EDX, [LOCAL.3]
004B48F9  LEA EAX, [ARG.1]
004B48FC  CALL 1.00404704
004B4901  LEA ECX, [LOCAL.4]
004B4904  MOV EDX, [LOCAL.1]                 <---EDX="ShenGe"
004B4907  MOV EAX, EBX
004B4909  CALL 1.004B4580                    <---the call that computes the registration code, step in and take a look!
004B490E  MOV EAX, [LOCAL.4]                 <---EAX="000079CBD764", the real code
004B4911  MOV EDX, [ARG.1]                   <---EDX="12345678", the fake code
004B4914  CALL 1.00408A94                    <---registration code comparison
004B4919  TEST EAX, EAX
004B491B  JE SHORT 1.004B4921
004B491D  XOR EBX, EBX
004B491F  JMP SHORT 1.004B494B
004B4921  LEA EAX, DWORD PTR DS:[EBX+48]
004B4924  MOV EDX, [LOCAL.1]
004B4927  CALL 1.004046C0
004B492C  LEA EAX, DWORD PTR DS:[EBX+54]
004B492F  MOV EDX, [LOCAL.2]
004B4932  CALL 1.004046C0
004B4937  LEA EAX, DWORD PTR DS:[EBX+5C]
004B493A  MOV EDX, [ARG.1]
004B493D  CALL 1.004046C0
004B4942  MOV EAX, EBX
004B4944  CALL 1.004B4AFC
004B4949  MOV BL, 1
004B494B  XOR EAX, EAX                       <---EAX=0, execution jumps here when the registration code is wrong
004B494D  POP EDX
004B494E  POP ECX
004B494F  POP ECX
004B4950  MOV DWORD PTR FS:[EAX], EDX
004B4953  PUSH 1.004B4975
004B4958  LEA EAX, [LOCAL.4]
004B495B  MOV EDX, 4
004B4960  CALL 1.00404690
004B4965  LEA EAX, [ARG.1]
004B4968  CALL 1.0040466C
004B496D  RETN

Next we step into the call that computes the registration code:

004B45A8  PUSH DWORD PTR FS:[EAX]
004B45AB  MOV DWORD PTR FS:[EAX], ESP
-------------------------------------------
004B45AE  MOV EAX, [LOCAL.1]
004B45B1  CALL 1.00404924
004B45B6  CMP EAX, DWORD PTR DS:[ESI+4C]
004B45B9  JG SHORT 1.004B45C8
004B45BB  MOV EAX, [LOCAL.1]
004B45BE  CALL 1.00404924
004B45C3  CMP EAX, DWORD PTR DS:[ESI+50]
004B45C6  JGE SHORT 1.004B45D4
-------------------------------------------
For this section see the earlier comments: it checks whether the username length is greater than 3 and less than 25.

004B45C8  MOV EAX, EDI
004B45CA  CALL 1.0040466C
004B45CF  JMP 1.004B4673
004B45D4  MOV EAX, [LOCAL.1]                 <---EAX="ShenGe"
004B45D7  CALL 1.00404924                    <---get the username length
004B45DC  MOV EBX, EAX                       <---EBX=6
004B45DE  JMP SHORT 1.004B4611
---------------------------------------------
004B45E0  /MOV EAX, [LOCAL.1]                <---EAX="ShenGe"
004B45E3  |MOV AL, BYTE PTR DS:[EAX+EBX-1]   <---take each character of the username in turn for the computation below, from last to first
004B45E7  |AND EAX, 0FF                      <---keep the low 2 digits, EAX=65<-----e
                                                                            47<-----G
                                                                            6E<-----n
                                                                            65<-----e
                                                                            68<-----h
                                                                            53<-----S
004B45EC  |XOR EDX, EDX
004B45EE  |PUSH EDX
004B45EF  |PUSH EAX
004B45F0  |MOV EAX, DWORD PTR DS:[ESI+68]    <---EAX=3A2015E0, the machine code in Hex form
004B45F3  |MOV EDX, DWORD PTR DS:[ESI+6C]
004B45F6  |CALL 1.00405744                   <---this call divides the machine code by the character value; the return value is the remainder, in EAX
                                                 3A2015E0 mod 65=14
                                                 3A2015E0 mod 47=2B
                                                 3A2015E0 mod 6E=28
                                                 3A2015E0 mod 65=14
                                                 3A2015E0 mod 68=8
                                                 3A2015E0 mod 53=4
004B45FB  |PUSH EDX
004B45FC  |PUSH EAX
004B45FD  |LEA EAX, [LOCAL.7]
004B4600  |CALL 1.00408EEC                   <---formats the remainder above as a decimal value
004B4605  |MOV EDX, [LOCAL.7]                <---EDX=20 <-----14
                                                     43 <-----2B
                                                     40 <-----28
                                                     20 <-----14
                                                     8  <-----8
                                                     4  <-----4
004B4608  |LEA EAX, [LOCAL.3]
004B460B  |CALL 1.0040492C                   <---this call concatenates the formatted values above
004B4610  |DEC EBX
004B4611  |MOV EAX, [LOCAL.1]                <---the jump above lands here, EAX="ShenGe"
004B4614  |CALL 1.00404924                   <---get the username length into EAX
004B4619  |SUB EAX, 6                        <---EAX=EAX-6; from this we can see that if the username
                                                 is longer than 6, only the last 7 characters are used in the computation
004B461C  |CMP EBX, EAX
004B461E  |JL SHORT 1.004B4624
004B4620  |TEST EBX, EBX                     <---check whether the whole username has been consumed
004B4622  \JG SHORT 1.004B45E0
---------------------------------------
004B4624  LEA EDX, [LOCAL.2]
004B4627  MOV EAX, [LOCAL.3]                 <---EAX=2043402084, the concatenated value
004B462A  CALL 1.00405850                    <---convert Dec to Hex
004B462F  MOV [LOCAL.6], EAX                 <---low part, EAX=79CBD764
004B4632  MOV [LOCAL.5], EDX                 <---high part, EDX=00000000
004B4635  MOV EBX, DWORD PTR DS:[ESI+60]     <---ESI=C, the registration code is 12 digits
004B4638  TEST EBX, EBX
004B463A  JG SHORT 1.004B464D
004B463C  PUSH [LOCAL.5]
004B463F  PUSH [LOCAL.6]
004B4642  MOV EDX, EDI
004B4644  XOR EAX, EAX
004B4646  CALL 1.00408F5C
004B464B  JMP SHORT 1.004B4673
004B464D  PUSH [LOCAL.5]                     <---part 1, 79CB764
004B4650  PUSH [LOCAL.6]                     <---part 2, 00000000
004B4653  MOV EDX, EDI
004B4655  MOV EAX, EBX                       <---EAX=C
004B4657  CALL 1.00408F5C                    <---joins the high and low parts and takes the last 12 digits
004B465C  MOV EAX, DWORD PTR DS:[EDI]        <---EAX=000079CBD764, the correct registration code
004B465E  CALL 1.00404924
004B4663  MOV ECX, EAX
004B4665  SUB ECX, DWORD PTR DS:[ESI+60]
004B4668  MOV EDX, DWORD PTR DS:[ESI+60]
004B466B  INC EDX
004B466C  MOV EAX, EDI
004B466E  CALL 1.00404BBC
004B4673  XOR EAX, EAX
004B4675  POP EDX
004B4676  POP ECX
004B4677  POP ECX
004B4678  MOV DWORD PTR FS:[EAX], EDX
004B467B  PUSH 1.004B46A0
004B4680  LEA EAX, [LOCAL.7]
004B4683  CALL 1.0040466C
004B4688  LEA EAX, [LOCAL.3]
004B468B  CALL 1.0040466C
004B4690  LEA EAX, [LOCAL.1]
004B4693  CALL 1.0040466C
004B4698  RETN

Cracking this software is not hard; it just took me some time to write out the complete algorithm. In particular, I traced the hexadecimal conversion part several times, and for the hexadecimal conversion of large numbers I do not know whether the description above is right! Corrections from experts are welcome!

The registration codes I obtained are:
Username: ShenGe  Registration code: 000079CBD764
or
Username: Flyhorse  Registration code: 126CD348178C