IEPopupKiller 1.2破解手记--算法分析
-
IEPopupKiller 1.2破解手记--算法分析
作者:newlaos[DFCG]
软件名称:IEPopupKiller 1.2(浏览过滤)
整理日期:2003.3.29(华军网)
最新版本:1.2
文件大小:786KB
软件授权:共享软件
使用平台:Win9x/Me/NT/2000/XP
发布公司:"http://www.wingsofts.com/"
软件简介:当你在网上冲浪的时候,是否被那些弹出的广告所捆扰?IEPopupKiller可以帮你杀掉这些无聊的广告,它独有的智能化查找方式,能将那些无用的弹出窗口杀掉,而保留有用的页面。减少资源浪费,从而加快上网速度。是真正的上网广告防护利器。
加密方式:注册码
功能限制:使用次数30次
PJ工具:TRW20001.23注册版,W32Dasm8.93黄金版,FI2.5
PJ日期:2003-03-31
作者newlaos申明:只是学习,请不用于商业用途或是将本文方法制作的注册机任意传播,造成后果,本人一概不负。
1、先用FI2.5看一下主文件“IEPopupKiller.exe”,没加壳。程序是用VC++6.0编的
2、用W32Dasm8.93黄金版对QuickCD.exe进行静态反汇编,再用串式数据参考,找不到什么经典的句子,怎么办?在软件的安装目录下,发现在\Languages\chinese(simple).ini文件中有:
[IDD_DIALOG_REGISTER]
OK=恭喜你注册成功!感谢你对国产软件的支持! <===呵呵,原来关键字符是OK呀!
IDC_STATIC_SELECT=你可以选择如下站点之一进行注册。
IDC_STATIC_SERIAL=序列号:
IDC_STATIC_USETIMES=你还可以使用的次数:
IDC_BUTTON_GO=注册
再回到W32Dasm8.93,找到"OK"(这就是注册成功),双击有很两个,经过分析,发现位于00430962的才是关键的部分。
3、再用TRW20001.23注册版进行动态跟踪,下断BPX 004308A0(通常在注册成功与否的前面一些下断,这样,才能找到关键部分),
先输入假码: 78787878
.......
.......
:004308A0 6AFF push FFFFFFFF
:004308A2 68C0494B00 push 004B49C0
:004308A7 64A100000000 mov eax, dword ptr fs:[00000000]
:004308AD 50 push eax
:004308AE 64892500000000 mov dword ptr fs:[00000000], esp
:004308B5 83EC14 sub esp, 00000014
:004308B8 A160C44D00 mov eax, dword ptr [004DC460]
:004308BD 53 push ebx
:004308BE 56 push esi
:004308BF 57 push edi
:004308C0 8BF1 mov esi, ecx
:004308C2 8944240C mov dword ptr [esp+0C], eax
:004308C6 8D4C240C lea ecx, dword ptr [esp+0C]
:004308CA C744242800000000 mov [esp+28], 00000000
:004308D2 51 push ecx
:004308D3 8D4E64 lea ecx, dword ptr [esi+64]
:004308D6 E8FED10400 call 0047DAD9 <===EAX=8(输入注册码的长度) ECX=78787878
:004308DB 51 push ecx
:004308DC 8D542410 lea edx, dword ptr [esp+10]
:004308E0 8BCC mov ecx, esp
:004308E2 89642418 mov dword ptr [esp+18], esp
:004308E6 52 push edx
:004308E7 E85D040500 call 00480D49
:004308EC 8BCE mov ecx, esi
:004308EE E84308FDFF call 00401136 <===关键的算法CALL,F8跟进
:004308F3 85C0 test eax, eax <===要想正确注册,则EAX不能为0
:004308F5 0F84E4000000 je 004309DF <===如果注册码不正确,就从这里跳走,OVER了
:004308FB 8B8680000000 mov eax, dword ptr [esi+00000080]
:00430901 BB01000000 mov ebx, 00000001
:00430906 6A00 push 00000000
:00430908 53 push ebx
:00430909 68CF000000 push 000000CF
:0043090E 50 push eax
* Reference To: USER32.SendMessageA, Ord:0214h
|
:0043090F FF15DC774E00 Call dword ptr [004E77DC]
* Possible StringData Ref from Data Obj ->"IDD_DIALOG_REGISTER"
|
:00430915 6874B14D00 push 004DB174
:0043091A 8D4C2414 lea ecx, dword ptr [esp+14]
:0043091E E81F070500 call 00481042
:00430923 885C2428 mov byte ptr [esp+28], bl
:00430927 E895130500 call 00481CC1
:0043092C 85C0 test eax, eax
:0043092E 740B je 0043093B
:00430930 8B10 mov edx, dword ptr [eax]
:00430932 8BC8 mov ecx, eax
:00430934 FF5274 call [edx+74]
:00430937 8BF8 mov edi, eax
:00430939 EB02 jmp 0043093D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043092E(C)
|
:0043093B 33FF xor edi, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430939(U)
|
:0043093D E850E80600 call 0049F192
:00430942 8B4C240C mov ecx, dword ptr [esp+0C]
:00430946 8B4004 mov eax, dword ptr [eax+04]
:00430949 51 push ecx
* Possible StringData Ref from Data Obj ->"Serial"
|
:0043094A 68DCA84D00 push 004DA8DC
* Possible StringData Ref from Data Obj ->"Serial"
|
:0043094F 68DCA84D00 push 004DA8DC
:00430954 8BC8 mov ecx, eax
:00430956 E8C0EF0500 call 0048F91B
:0043095B 51 push ecx
:0043095C 8BCC mov ecx, esp
:0043095E 8964241C mov dword ptr [esp+1C], esp
* Possible StringData Ref from Data Obj ->"OK" <===这是里就是注册成功的信息
|
:00430962 6830B14D00 push 004DB130
:00430967 E8D6060500 call 00481042
:0043096C 51 push ecx
:0043096D 8D542418 lea edx, dword ptr [esp+18]
:00430971 8BCC mov ecx, esp
:00430973 89642424 mov dword ptr [esp+24], esp
:00430977 52 push edx
:00430978 C644243402 mov [esp+34], 02
:0043097D E8C7030500 call 00480D49
:00430982 8D44241C lea eax, dword ptr [esp+1C]
:00430986 8D8F9C0E0000 lea ecx, dword ptr [edi+00000E9C]
:0043098C 50 push eax
:0043098D 885C2434 mov byte ptr [esp+34], bl
:00430991 E83716FDFF call 00401FCD
:00430996 8B00 mov eax, dword ptr [eax]
:00430998 8BCE mov ecx, esi
:0043099A 50 push eax
* Possible Reference to Dialog: DialogID_0090, CONTROL_ID:0419, "Static"
|
:0043099B 6819040000 push 00000419
:004309A0 C644243003 mov [esp+30], 03
:004309A5 E89DF80400 call 00480247
:004309AA 8BC8 mov ecx, eax
:004309AC E82DFB0400 call 004804DE
:004309B1 8D4C2414 lea ecx, dword ptr [esp+14]
:004309B5 885C2428 mov byte ptr [esp+28], bl
:004309B9 E816060500 call 00480FD4
:004309BE 6A00 push 00000000
:004309C0 8D8EA0000000 lea ecx, dword ptr [esi+000000A0]
:004309C6 E89AFC0400 call 00480665
:004309CB 8D4C2410 lea ecx, dword ptr [esp+10]
:004309CF 899F80010000 mov dword ptr [edi+00000180], ebx
:004309D5 C644242800 mov [esp+28], 00
:004309DA E8F5050500 call 00480FD4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004308F5(C)
|
:004309DF 8D4C240C lea ecx, dword ptr [esp+0C]
:004309E3 C7442428FFFFFFFF mov [esp+28], FFFFFFFF
:004309EB E8E4050500 call 00480FD4
:004309F0 8B4C2420 mov ecx, dword ptr [esp+20]
:004309F4 5F pop edi
:004309F5 5E pop esi
:004309F6 64890D00000000 mov dword ptr fs:[00000000], ecx
:004309FD 5B pop ebx
:004309FE 83C420 add esp, 00000020
:00430A01 C3 ret
.......
.......
-----004308EE call 00401136 关键的算法CALL,F8跟进来到下列代码段------------------
要正确注册,则EAX返回时,不能为0
:00430370 6AFF push FFFFFFFF
:00430372 6820494B00 push 004B4920
:00430377 64A100000000 mov eax, dword ptr fs:[00000000]
:0043037D 50 push eax
:0043037E 64892500000000 mov dword ptr fs:[00000000], esp
:00430385 83EC1C sub esp, 0000001C
:00430388 53 push ebx
:00430389 55 push ebp
:0043038A 56 push esi
:0043038B 57 push edi
:0043038C 8D44243C lea eax, dword ptr [esp+3C]
:00430390 8D4C2414 lea ecx, dword ptr [esp+14]
:00430394 50 push eax
:00430395 C744243800000000 mov [esp+38], 00000000
:0043039D E8A7090500 call 00480D49
:004303A2 8B742414 mov esi, dword ptr [esp+14] <===ESI=78787878
:004303A6 8B56F8 mov edx, dword ptr [esi-08] <===EDX=8(输入注册码的码的长度)
:004303A9 83FA0C cmp edx, 0000000C <===看输入的注册码长度是不是C(12位),将假码改为787878787878,重新来
:004303AC 0F85B5010000 jne 00430567 <===跳过去就OVER了
:004303B2 33C9 xor ecx, ecx <===计数器ECX,初始值化为0
:004303B4 85D2 test edx, edx
:004303B6 7E18 jle 004303D0 <===不跳
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004303CE(C)
|
:004303B8 8A0431 mov al, byte ptr [ecx+esi]
:004303BB 3C41 cmp al, 41
:004303BD 0F8CA4010000 jl 00430567 <===跳过去就OVER了
:004303C3 3C5A cmp al, 5A
:004303C5 0F8F9C010000 jg 00430567 <===跳过去就OVER了
:004303CB 41 inc ecx
:004303CC 3BCA cmp ecx, edx
:004303CE 7CE8 jl 004303B8 <===构成一个小循环,主要功能依次提取注册码的字符,检测是不是位于A-Z(大写)之间,只要一个不对,就OVER! 将假码改为ABCDEFGHIJKL,再重新来
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004303B6(C)
|
*******************
.......
中间部分省略,主要功能是将输入的注册码分成四段,每段三个字符
.......
*******************
:00430492 8D4C2428 lea ecx, dword ptr [esp+28]
:00430496 885C2434 mov byte ptr [esp+34], bl
:0043049A E8350B0500 call 00480FD4
:0043049F 8B7C241C mov edi, dword ptr [esp+1C] <===EDI=GHI(第三段)
:004304A3 8B6C2418 mov ebp, dword ptr [esp+18] <===EBP=JKL(第四段)
:004304A7 8B742420 mov esi, dword ptr [esp+20] <===ESI=DEF(第二段)
:004304AB 8B442424 mov eax, dword ptr [esp+24] <===EAX=ABC(第一段)
:004304AF 8A1F mov bl, byte ptr [edi] <===BL=47(是G的ASCII的16进制表示形式)
:004304B1 8A16 mov dl, byte ptr [esi] <===DL=44(是D的ASCII的16进制表示形式)
:004304B3 8A08 mov cl, byte ptr [eax] <===CL=41(是A的ASCII的16进制表示形式)
:004304B5 885C2412 mov byte ptr [esp+12], bl
:004304B9 8A5D00 mov bl, byte ptr [ebp+00] <===BL=4A(是J的ASCII的16进制表示形式)
:004304BC 885C2413 mov byte ptr [esp+13], bl
:004304C0 0FBE5C2412 movsx ebx, byte ptr [esp+12] <===EBX=47,不变
:004304C5 0FBED2 movsx edx, dl <===EDX=44
:004304C8 0FBEC9 movsx ecx, cl <===ECX=41
:004304CB 2BD3 sub edx, ebx
:004304CD 03D1 add edx, ecx <===EDX=EDX-EBX+ECX=3E
:004304CF 0FBE4C2413 movsx ecx, byte ptr [esp+13] <===ECX=4A
:004304D4 41 inc ecx <===ECX=4B
:004304D5 3BD1 cmp edx, ecx <===这里必须相等,这里EDX和ECX怎么相等,见分析
:004304D7 740B je 004304E4 <===从这里跳走,才能正确注册
*** 这一小段的分析得出n4-n7+n1=n10+1(n1、n4分别对应注册码的位上的值)才能正确注册,现将假码改为ABCDEFAHICKL,重新来。
:004304D9 C644243404 mov [esp+34], 04
:004304DE 8D4C2418 lea ecx, dword ptr [esp+18]
:004304E2 EB54 jmp 00430538 <===跳过去就OVER了
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004304D7(C)
| <===假码改为ABCDEFAHICKL后,跳到这里,为说明问题,我们将其分为四段,每段三个字符
:004304E4 8A5701 mov dl, byte ptr [edi+01]<===取第三段字符AHI的第二个字符(H)DL=48
:004304E7 8A5801 mov bl, byte ptr [eax+01]<===取第一段字符ABC的第二个字符(B)BL=42
:004304EA 8A4E01 mov cl, byte ptr [esi+01]<===取第二段字符DEF的第二个字符(E)CL=45
:004304ED 0FBEDB movsx ebx, bl <===EBX=42
:004304F0 0FBED2 movsx edx, dl <===EDX=48
:004304F3 0FBEC9 movsx ecx, cl <===ECX=45
:004304F6 2BD3 sub edx, ebx
:004304F8 03D1 add edx, ecx <===EDX=EDX-EBX+ECX
:004304FA 0FBE4D01 movsx ecx, byte ptr [ebp+01] <===取第四段字符CKL的第二个字符(K)CL=4B
:004304FE 41 inc ecx <===ECX=ECX+1=4C
:004304FF 3BD1 cmp edx, ecx <===这里必须相等,这里EDX和ECX怎么相等,见分析
:00430501 740B je 0043050E <===从这里跳走,才能正确注册
*** 这一小段的分析得出n8-n2+n5=n11+1(n2、n5分别对应注册码的位上的值)才能正确注册,现将假码改为ABCDBFAHICGL,重新来。
:00430503 C644243404 mov [esp+34], 04
:00430508 8D4C2418 lea ecx, dword ptr [esp+18]
:0043050C EB2A jmp 00430538 <===跳过去就OVER了
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430501(C)
|
:0043050E 8A4F02 mov cl, byte ptr [edi+02]<===取第三段字符AHI的第三个字符(I)CL=49
:00430511 8A5602 mov dl, byte ptr [esi+02]<===取第二段字符DBF的第三个字符(F)DL=46
:00430514 8A4002 mov al, byte ptr [eax+02]<===取第一段字符ABC的第三个字符(C)AL=43
:00430517 8A5D02 mov bl, byte ptr [ebp+02]<===取第四段字符CGL的第三个字符(L)BL=4C
:0043051A 0FBED2 movsx edx, dl <===EDX=46
:0043051D 0FBEC9 movsx ecx, cl <===ECX=49
:00430520 2BCA sub ecx, edx <===ECX=ECX-EDX=3
:00430522 C644243404 mov [esp+34], 04
:00430527 0FBED0 movsx edx, al <===EDX=43
:0043052A 0FBEC3 movsx eax, bl <===EAX=4C
:0043052D 03CA add ecx, edx <===ECX=ECX+EDX=46
:0043052F 48 dec eax <===EAX=4C-1=4B
:00430530 3BC8 cmp ecx, eax <===这里必须相等,这里ECX和EAX怎么相等,见分析
:00430532 8D4C2418 lea ecx, dword ptr [esp+18]
:00430536 7452 je 0043058A <===这里是个关键的跳转,跳了就成功注册了。
*** 这一小段的分析得出n9-n6+n3=n12-1(n3、n6分别对应注册码的位上的值)才能正确注册,现将假码改为ABCDBCAHICGJ,再点注册,呵呵,成功了
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004304E2(U), :0043050C(U)
|
:00430538 E8970A0500 call 00480FD4
:0043053D 8D4C241C lea ecx, dword ptr [esp+1C]
:00430541 C644243403 mov [esp+34], 03
:00430546 E8890A0500 call 00480FD4
:0043054B 8D4C2420 lea ecx, dword ptr [esp+20]
:0043054F C644243402 mov [esp+34], 02
:00430554 E87B0A0500 call 00480FD4
:00430559 8D4C2424 lea ecx, dword ptr [esp+24]
:0043055D C644243401 mov [esp+34], 01
:00430562 E86D0A0500 call 00480FD4
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004303AC(C), :004303BD(C), :004303C5(C)
|
:00430567 8D4C2414 lea ecx, dword ptr [esp+14]
:0043056B C644243400 mov [esp+34], 00
:00430570 E85F0A0500 call 00480FD4
:00430575 8D4C243C lea ecx, dword ptr [esp+3C]
:00430579 C7442434FFFFFFFF mov [esp+34], FFFFFFFF
:00430581 E84E0A0500 call 00480FD4
:00430586 33C0 xor eax, eax <===EAX被清0,呵呵,就OVER了
:00430588 EB53 jmp 004305DD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430536(C)
|
:0043058A E8450A0500 call 00480FD4
:0043058F 8D4C241C lea ecx, dword ptr [esp+1C]
:00430593 C644243403 mov [esp+34], 03
:00430598 E8370A0500 call 00480FD4
:0043059D 8D4C2420 lea ecx, dword ptr [esp+20]
:004305A1 C644243402 mov [esp+34], 02
:004305A6 E8290A0500 call 00480FD4
:004305AB 8D4C2424 lea ecx, dword ptr [esp+24]
:004305AF C644243401 mov [esp+34], 01
:004305B4 E81B0A0500 call 00480FD4
:004305B9 8D4C2414 lea ecx, dword ptr [esp+14]
:004305BD C644243400 mov [esp+34], 00
:004305C2 E80D0A0500 call 00480FD4
:004305C7 8D4C243C lea ecx, dword ptr [esp+3C]
:004305CB C7442434FFFFFFFF mov [esp+34], FFFFFFFF
:004305D3 E8FC090500 call 00480FD4
:004305D8 B801000000 mov eax, 00000001 <===这里是个关键的赋值,经过这里才能正确注册,向上看
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430588(U)
|
:004305DD 8B4C242C mov ecx, dword ptr [esp+2C]
:004305E1 5F pop edi
:004305E2 5E pop esi
:004305E3 5D pop ebp
:004305E4 5B pop ebx
:004305E5 64890D00000000 mov dword ptr fs:[00000000], ecx
:004305EC 83C428 add esp, 00000028
:004305EF C20400 ret 0004
-----------------------------------------------------------------------
4、算法分析:---类型:对注册码进行数学运算检验---
a、将12位的注册码分成四段,每段三个字符。假设注册码为n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12
b、对上面注册码的要求n4-n7+n1=n10+1 n8-n2+n5=n11+1 n9-n6+n3=n12-1
c、只要上面三要求都满足,就成功注册了。
我找到的几个注册码ABCDBCAHICGJ EEEEEEEEEDDF
5、注册信息保存在文件setup.ini中:
[Serial]
Uses=J <===好象是使用次数
Serial=EEEEEEEEEDDF
相关视频
相关阅读 Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么
- 文章评论
-
热门文章
去除winrar注册框方法
最新文章
比特币病毒怎么破解 比去除winrar注册框方法
华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据人气排行 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程
查看所有0条评论>>