IEPopupKiller 1.2破解手記--演算法分析
標 題:IEPopupKiller 1.2破解手記--演算法分析
發信人:newlaos[DFCG]
時 間:2003/04/02 05:04pm
詳細資訊:
IEPopupKiller 1.2破解手記--演算法分析
作者:newlaos[DFCG]
軟體名稱:IEPopupKiller 1.2(瀏覽過濾)
整理日期:2003.3.29(華軍網)
最新版本:1.2
檔案大小:786KB
軟體授權:共享軟體
使用平臺:Win9x/Me/NT/2000/XP
釋出公司:"http://www.wingsofts.com/"
軟體簡介:當你在網上衝浪的時候,是否被那些彈出的廣告所困擾?IEPopupKiller可以幫你殺掉這些無聊的廣告,它獨有的智慧化查詢方式,能將那些無用的彈出視窗殺掉,而保留有用的頁面。減少資源浪費,從而加快上網速度。是真正的上網廣告防護利器。
加密方式:註冊碼
功能限制:使用次數30次
PJ工具:TRW20001.23註冊版,W32Dasm8.93黃金版,FI2.5
PJ日期:2003-03-31
作者newlaos申明:只是學習,請不用於商業用途或是將本文方法制作的序號產生器任意傳播,造成後果,本人一概不負。
1、先用FI2.5看一下主檔案“IEPopupKiller.exe”,沒加殼。程式是用VC++6.0編的
2、用W32Dasm8.93黃金版對QuickCD.exe進行靜態反彙編,再用串式資料參考,找不到什麼經典的句子,怎麼辦?在軟體的安裝目錄下,發現在\Languages\chinese(simple).ini檔案中有:
[IDD_DIALOG_REGISTER]
OK=恭喜你註冊成功!感謝你對國產軟體的支援!
<===呵呵,原來關鍵字元是OK呀!
IDC_STATIC_SELECT=你可以選擇如下站點之一進行註冊。
IDC_STATIC_SERIAL=序列號:
IDC_STATIC_USETIMES=你還可以使用的次數:
IDC_BUTTON_GO=註冊
再回到W32Dasm8.93,找到"OK"(這就是註冊成功的提示),雙擊後發現有兩處引用,經過分析,發現位於00430962的才是關鍵的部分。
3、再用TRW20001.23註冊版進行動態跟蹤,下斷BPX 004308A0(通常在註冊成功與否的判斷前面一些下斷,這樣才能找到關鍵部分),
先輸入假碼: 78787878
.......
.......
:004308A0 6AFF                    push FFFFFFFF
:004308A2 68C0494B00              push 004B49C0
:004308A7 64A100000000            mov eax, dword ptr fs:[00000000]
:004308AD 50                      push eax
:004308AE 64892500000000          mov dword ptr fs:[00000000], esp
:004308B5 83EC14                  sub esp, 00000014
:004308B8 A160C44D00              mov eax, dword ptr [004DC460]
:004308BD 53                      push ebx
:004308BE 56                      push esi
:004308BF 57                      push edi
:004308C0 8BF1                    mov esi, ecx
:004308C2 8944240C                mov dword ptr [esp+0C], eax
:004308C6 8D4C240C                lea ecx, dword ptr [esp+0C]
:004308CA C744242800000000        mov [esp+28], 00000000
:004308D2 51                      push ecx
:004308D3 8D4E64                  lea ecx, dword ptr [esi+64]
:004308D6 E8FED10400              call 0047DAD9 <===EAX=8(輸入註冊碼的長度) ECX=78787878
:004308DB 51                      push ecx
:004308DC 8D542410                lea edx, dword ptr [esp+10]
:004308E0 8BCC                    mov ecx, esp
:004308E2 89642418                mov dword ptr [esp+18], esp
:004308E6 52                      push edx
:004308E7 E85D040500              call 00480D49
:004308EC 8BCE                    mov ecx, esi
:004308EE E84308FDFF              call 00401136 <===關鍵的演算法CALL,F8跟進
:004308F3 85C0                    test eax, eax <===要想正確註冊,則EAX不能為0
:004308F5 0F84E4000000            je 004309DF <===如果註冊碼不正確,就從這裡跳走,OVER了
:004308FB 8B8680000000            mov eax, dword ptr [esi+00000080]
:00430901 BB01000000              mov ebx, 00000001
:00430906 6A00                    push 00000000
:00430908 53                      push ebx
:00430909 68CF000000              push 000000CF
:0043090E 50                      push eax
* Reference To: USER32.SendMessageA, Ord:0214h
|
:0043090F FF15DC774E00            Call dword ptr [004E77DC]
* Possible StringData Ref from Data Obj ->"IDD_DIALOG_REGISTER"
|
:00430915 6874B14D00              push 004DB174
:0043091A 8D4C2414                lea ecx, dword ptr [esp+14]
:0043091E E81F070500              call 00481042
:00430923 885C2428                mov byte ptr [esp+28], bl
:00430927 E895130500              call 00481CC1
:0043092C 85C0                    test eax, eax
:0043092E 740B                    je 0043093B
:00430930 8B10                    mov edx, dword ptr [eax]
:00430932 8BC8                    mov ecx, eax
:00430934 FF5274                  call [edx+74]
:00430937 8BF8                    mov edi, eax
:00430939 EB02                    jmp 0043093D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043092E(C)
|
:0043093B 33FF                    xor edi, edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430939(U)
|
:0043093D E850E80600              call 0049F192
:00430942 8B4C240C                mov ecx, dword ptr [esp+0C]
:00430946 8B4004                  mov eax, dword ptr [eax+04]
:00430949 51                      push ecx
* Possible StringData Ref from Data Obj ->"Serial"
|
:0043094A 68DCA84D00              push 004DA8DC
* Possible StringData Ref from Data Obj ->"Serial"
|
:0043094F 68DCA84D00              push 004DA8DC
:00430954 8BC8                    mov ecx, eax
:00430956 E8C0EF0500              call 0048F91B
:0043095B 51                      push ecx
:0043095C 8BCC                    mov ecx, esp
:0043095E 8964241C                mov dword ptr [esp+1C], esp
* Possible StringData Ref from Data Obj ->"OK" <===這裡就是註冊成功的資訊
|
:00430962 6830B14D00              push 004DB130
:00430967 E8D6060500              call 00481042
:0043096C 51                      push ecx
:0043096D 8D542418                lea edx, dword ptr [esp+18]
:00430971 8BCC                    mov ecx, esp
:00430973 89642424                mov dword ptr [esp+24], esp
:00430977 52                      push edx
:00430978 C644243402              mov [esp+34], 02
:0043097D E8C7030500              call 00480D49
:00430982 8D44241C                lea eax, dword ptr [esp+1C]
:00430986 8D8F9C0E0000            lea ecx, dword ptr [edi+00000E9C]
:0043098C 50                      push eax
:0043098D 885C2434                mov byte ptr [esp+34], bl
:00430991 E83716FDFF              call 00401FCD
:00430996 8B00                    mov eax, dword ptr [eax]
:00430998 8BCE                    mov ecx, esi
:0043099A 50                      push eax
* Possible Reference to Dialog: DialogID_0090, CONTROL_ID:0419, "Static"
|
:0043099B 6819040000              push 00000419
:004309A0 C644243003              mov [esp+30], 03
:004309A5 E89DF80400              call 00480247
:004309AA 8BC8                    mov ecx, eax
:004309AC E82DFB0400              call 004804DE
:004309B1 8D4C2414                lea ecx, dword ptr [esp+14]
:004309B5 885C2428                mov byte ptr [esp+28], bl
:004309B9 E816060500              call 00480FD4
:004309BE 6A00                    push 00000000
:004309C0 8D8EA0000000            lea ecx, dword ptr [esi+000000A0]
:004309C6 E89AFC0400              call 00480665
:004309CB 8D4C2410                lea ecx, dword ptr [esp+10]
:004309CF 899F80010000            mov dword ptr [edi+00000180], ebx
:004309D5 C644242800              mov [esp+28], 00
:004309DA E8F5050500              call 00480FD4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004308F5(C)
|
:004309DF 8D4C240C                lea ecx, dword ptr [esp+0C]
:004309E3 C7442428FFFFFFFF        mov [esp+28], FFFFFFFF
:004309EB E8E4050500              call 00480FD4
:004309F0 8B4C2420                mov ecx, dword ptr [esp+20]
:004309F4 5F                      pop edi
:004309F5 5E                      pop esi
:004309F6 64890D00000000          mov dword ptr fs:[00000000], ecx
:004309FD 5B                      pop ebx
:004309FE 83C420                  add esp, 00000020
:00430A01 C3                      ret
.......
.......
-----004308EE call 00401136 關鍵的演算法CALL,F8跟進來到下列程式碼段------------------
要正確註冊,則EAX返回時,不能為0
:00430370 6AFF                    push FFFFFFFF
:00430372 6820494B00              push 004B4920
:00430377 64A100000000            mov eax, dword ptr fs:[00000000]
:0043037D 50                      push eax
:0043037E 64892500000000          mov dword ptr fs:[00000000], esp
:00430385 83EC1C                  sub esp, 0000001C
:00430388 53                      push ebx
:00430389 55                      push ebp
:0043038A 56                      push esi
:0043038B 57                      push edi
:0043038C 8D44243C                lea eax, dword ptr [esp+3C]
:00430390 8D4C2414                lea ecx, dword ptr [esp+14]
:00430394 50                      push eax
:00430395 C744243800000000        mov [esp+38], 00000000
:0043039D E8A7090500              call 00480D49
:004303A2 8B742414                mov esi, dword ptr [esp+14] <===ESI=78787878
:004303A6 8B56F8                  mov edx, dword ptr [esi-08] <===EDX=8(輸入註冊碼的長度)
:004303A9 83FA0C                  cmp edx, 0000000C <===看輸入的註冊碼長度是不是C(12位),將假碼改為787878787878,重新來
:004303AC 0F85B5010000            jne 00430567 <===跳過去就OVER了
:004303B2 33C9                    xor ecx, ecx <===計數器ECX,初始化為0
:004303B4 85D2                    test edx, edx
:004303B6 7E18                    jle 004303D0 <===不跳
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004303CE(C)
|
:004303B8 8A0431                  mov al, byte ptr [ecx+esi]
:004303BB 3C41                    cmp al, 41
:004303BD 0F8CA4010000            jl 00430567 <===跳過去就OVER了
:004303C3 3C5A                    cmp al, 5A
:004303C5 0F8F9C010000            jg 00430567 <===跳過去就OVER了
:004303CB 41                      inc ecx
:004303CC 3BCA                    cmp ecx, edx
:004303CE 7CE8                    jl 004303B8 <===構成一個小迴圈,主要功能是依次提取註冊碼的字元,檢測是不是位於A-Z(大寫)之間,只要一個不對,就OVER!
將假碼改為ABCDEFGHIJKL,再重新來
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004303B6(C)
|
*******************
.......
中間部分省略,主要功能是將輸入的註冊碼分成四段,每段三個字元
.......
*******************
:00430492 8D4C2428                lea ecx, dword ptr [esp+28]
:00430496 885C2434                mov byte ptr [esp+34], bl
:0043049A E8350B0500              call 00480FD4
:0043049F 8B7C241C                mov edi, dword ptr [esp+1C] <===EDI=GHI(第三段)
:004304A3 8B6C2418                mov ebp, dword ptr [esp+18] <===EBP=JKL(第四段)
:004304A7 8B742420                mov esi, dword ptr [esp+20] <===ESI=DEF(第二段)
:004304AB 8B442424                mov eax, dword ptr [esp+24] <===EAX=ABC(第一段)
:004304AF 8A1F                    mov bl, byte ptr [edi] <===BL=47(是G的ASCII的16進制表示形式)
:004304B1 8A16                    mov dl, byte ptr [esi] <===DL=44(是D的ASCII的16進制表示形式)
:004304B3 8A08                    mov cl, byte ptr [eax] <===CL=41(是A的ASCII的16進制表示形式)
:004304B5 885C2412                mov byte ptr [esp+12], bl
:004304B9 8A5D00                  mov bl, byte ptr [ebp+00] <===BL=4A(是J的ASCII的16進制表示形式)
:004304BC 885C2413                mov byte ptr [esp+13], bl
:004304C0 0FBE5C2412              movsx ebx, byte ptr [esp+12] <===EBX=47,不變
:004304C5 0FBED2                  movsx edx, dl <===EDX=44
:004304C8 0FBEC9                  movsx ecx, cl <===ECX=41
:004304CB 2BD3                    sub edx, ebx
:004304CD 03D1                    add edx, ecx <===EDX=EDX-EBX+ECX=3E
:004304CF 0FBE4C2413              movsx ecx, byte ptr [esp+13] <===ECX=4A
:004304D4 41                      inc ecx <===ECX=4B
:004304D5 3BD1                    cmp edx, ecx <===這裡必須相等,EDX和ECX怎樣才能相等,見下面的分析
:004304D7 740B                    je 004304E4 <===從這裡跳走,才能正確註冊
*** 這一小段的分析得出n4-n7+n1=n10+1(n1、n4分別對應註冊碼第1位、第4位上的值)才能正確註冊,現將假碼改為ABCDEFAHICKL,重新來。
:004304D9 C644243404              mov [esp+34], 04
:004304DE 8D4C2418                lea ecx, dword ptr [esp+18]
:004304E2 EB54                    jmp 00430538 <===跳過去就OVER了
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004304D7(C)
|
<===假碼改為ABCDEFAHICKL後,跳到這裡。為說明問題,我們將其分為四段,每段三個字元
:004304E4 8A5701                  mov dl, byte ptr [edi+01] <===取第三段字元AHI的第二個字元(H)DL=48
:004304E7 8A5801                  mov bl, byte ptr [eax+01] <===取第一段字元ABC的第二個字元(B)BL=42
:004304EA 8A4E01                  mov cl, byte ptr [esi+01] <===取第二段字元DEF的第二個字元(E)CL=45
:004304ED 0FBEDB                  movsx ebx, bl <===EBX=42
:004304F0 0FBED2                  movsx edx, dl <===EDX=48
:004304F3 0FBEC9                  movsx ecx, cl <===ECX=45
:004304F6 2BD3                    sub edx, ebx
:004304F8 03D1                    add edx, ecx <===EDX=EDX-EBX+ECX
:004304FA 0FBE4D01                movsx ecx, byte ptr [ebp+01] <===取第四段字元CKL的第二個字元(K)CL=4B
:004304FE 41                      inc ecx <===ECX=ECX+1=4C
:004304FF 3BD1                    cmp edx, ecx <===這裡必須相等,EDX和ECX怎樣才能相等,見下面的分析
:00430501 740B                    je 0043050E <===從這裡跳走,才能正確註冊
*** 這一小段的分析得出n8-n2+n5=n11+1(n2、n5分別對應註冊碼第2位、第5位上的值)才能正確註冊,現將假碼改為ABCDBFAHICGL,重新來。
:00430503 C644243404              mov [esp+34], 04
:00430508 8D4C2418                lea ecx, dword ptr [esp+18]
:0043050C EB2A                    jmp 00430538 <===跳過去就OVER了
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430501(C)
|
:0043050E 8A4F02                  mov cl, byte ptr [edi+02] <===取第三段字元AHI的第三個字元(I)CL=49
:00430511 8A5602                  mov dl, byte ptr [esi+02] <===取第二段字元DBF的第三個字元(F)DL=46
:00430514 8A4002                  mov al, byte ptr [eax+02] <===取第一段字元ABC的第三個字元(C)AL=43
:00430517 8A5D02                  mov bl, byte ptr [ebp+02] <===取第四段字元CGL的第三個字元(L)BL=4C
:0043051A 0FBED2                  movsx edx, dl <===EDX=46
:0043051D 0FBEC9                  movsx ecx, cl <===ECX=49
:00430520 2BCA                    sub ecx, edx <===ECX=ECX-EDX=3
:00430522 C644243404              mov [esp+34], 04
:00430527 0FBED0                  movsx edx, al <===EDX=43
:0043052A 0FBEC3                  movsx eax, bl <===EAX=4C
:0043052D 03CA                    add ecx, edx <===ECX=ECX+EDX=46
:0043052F 48                      dec eax <===EAX=4C-1=4B
:00430530 3BC8                    cmp ecx, eax <===這裡必須相等,ECX和EAX怎樣才能相等,見下面的分析
:00430532 8D4C2418                lea ecx, dword ptr [esp+18]
:00430536 7452                    je 0043058A <===這裡是個關鍵的跳轉,跳了就成功註冊了。
*** 這一小段的分析得出n9-n6+n3=n12-1(n3、n6分別對應註冊碼第3位、第6位上的值)才能正確註冊,現將假碼改為ABCDBCAHICGJ,再點註冊,呵呵,成功了
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004304E2(U), :0043050C(U)
|
:00430538 E8970A0500              call 00480FD4
:0043053D 8D4C241C                lea ecx, dword ptr [esp+1C]
:00430541 C644243403              mov [esp+34], 03
:00430546 E8890A0500              call 00480FD4
:0043054B 8D4C2420                lea ecx, dword ptr [esp+20]
:0043054F C644243402              mov [esp+34], 02
:00430554 E87B0A0500              call 00480FD4
:00430559 8D4C2424                lea ecx, dword ptr [esp+24]
:0043055D C644243401              mov [esp+34], 01
:00430562 E86D0A0500              call 00480FD4
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004303AC(C), :004303BD(C), :004303C5(C)
|
:00430567 8D4C2414                lea ecx, dword ptr [esp+14]
:0043056B C644243400              mov [esp+34], 00
:00430570 E85F0A0500              call 00480FD4
:00430575 8D4C243C                lea ecx, dword ptr [esp+3C]
:00430579 C7442434FFFFFFFF        mov [esp+34], FFFFFFFF
:00430581 E84E0A0500              call 00480FD4
:00430586 33C0                    xor eax, eax <===EAX被清0,呵呵,就OVER了
:00430588 EB53                    jmp 004305DD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430536(C)
|
:0043058A E8450A0500              call 00480FD4
:0043058F 8D4C241C                lea ecx, dword ptr [esp+1C]
:00430593 C644243403              mov [esp+34], 03
:00430598 E8370A0500              call 00480FD4
:0043059D 8D4C2420                lea ecx, dword ptr [esp+20]
:004305A1 C644243402              mov [esp+34], 02
:004305A6 E8290A0500              call 00480FD4
:004305AB 8D4C2424                lea ecx, dword ptr [esp+24]
:004305AF C644243401              mov [esp+34], 01
:004305B4 E81B0A0500              call 00480FD4
:004305B9 8D4C2414                lea ecx, dword ptr [esp+14]
:004305BD C644243400              mov [esp+34], 00
:004305C2 E80D0A0500              call 00480FD4
:004305C7 8D4C243C                lea ecx, dword ptr [esp+3C]
:004305CB C7442434FFFFFFFF        mov [esp+34], FFFFFFFF
:004305D3 E8FC090500              call 00480FD4
:004305D8 B801000000              mov eax, 00000001 <===這裡是個關鍵的賦值,經過這裡才能正確註冊,向上看
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00430588(U)
|
:004305DD 8B4C242C                mov ecx, dword ptr [esp+2C]
:004305E1 5F                      pop edi
:004305E2 5E                      pop esi
:004305E3 5D                      pop ebp
:004305E4 5B                      pop ebx
:004305E5 64890D00000000          mov dword ptr fs:[00000000], ecx
:004305EC 83C428                  add esp, 00000028
:004305EF C20400                  ret 0004
-----------------------------------------------------------------------
4、演算法分析:---型別:對註冊碼進行數學運算檢驗---
a、將12位的註冊碼分成四段,每段三個字元。假設註冊碼為n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n11 n12
b、對上面註冊碼的要求: n4-n7+n1=n10+1, n8-n2+n5=n11+1, n9-n6+n3=n12-1
c、只要上面三個要求都滿足,就成功註冊了。整個檢驗只有長度為12、字元在A-Z之間以及這三條線性關係,沒有任何與機器或使用者綁定的資訊,所以任何滿足這三條等式的字串都會被接受,這正是這類純數學校驗的弱點。
我找到的幾個註冊碼: ABCDBCAHICGJ、EEEEEEEEEDDF
5、註冊資訊儲存在檔案setup.ini中:
[Serial]
Uses=J
<===好像是使用次數
Serial=EEEEEEEEEDDF