演算法淺探――EXE檔案捆綁器V1.0
下載頁面:
http://www.yd123.com/cncg/
軟體大小:
278 KB
適用平臺: WIN9x, NT, 2000
【軟體簡介】:將兩個可執行檔案捆綁在一起的軟體,捆綁後的檔案圖示是第一個檔案的圖示。軟體自帶10個系統圖示,也可以從另外的可執行檔案中提取圖示 。
【軟體限制】:30次試用
【作者宣告】:初學Crack,只是感興趣,沒有其它目的。失誤之處敬請諸位大俠賜教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、FI2.5、AspackDie、W32Dasm 10修改版
―――――――――――――――――――――――――――――――――
【過 程】:
exebind.exe是ASPack
2.12殼,用AspackDie脫之。278K->1.22M。Delphi編寫。
軟體重啟驗證。註冊碼儲存在登錄檔中,因此在反彙編程式碼裡查詢regcode,很容易就能找到下面的核心。
序列號:211C1E09
(呵呵,又要用我的硬碟序列號了)
使用者名稱:fly0 (呵呵,至少4位。否則重啟軟體就非法操作了!)
試煉碼:13572468
(註冊碼要8位)
―――――――――――――――――――――――――――――――――
* Referenced by a CALL at Address:
|:00486E3A
|
:004862F8
55 push
ebp
:004862F9 8BEC
mov ebp, esp
:004862FB 6A00
push 00000000
:004862FD 6A00
push 00000000
:004862FF
53 push
ebx
:00486300 33C0
xor eax, eax
:00486302 55
push ebp
:00486303 6828654800
push 00486528
:00486308 64FF30
push dword ptr fs:[eax]
:0048630B
648920 mov dword
ptr fs:[eax], esp
:0048630E C60560BD480001 mov
byte ptr [0048BD60], 01
:00486315 B201
mov dl, 01
:00486317 A140BB4500
mov eax, dword ptr [0045BB40]
:0048631C E81F59FDFF
call 0045BC40
:00486321 A358BD4800
mov dword ptr [0048BD58], eax
:00486326
BA02000080 mov edx, 80000002
:0048632B
A158BD4800 mov eax, dword ptr
[0048BD58]
:00486330 E8AB59FDFF call
0045BCE0
:00486335 33C9
xor ecx, ecx
*
Possible StringData Ref from Code Obj ->"\software\exebind\reg"
|
:00486337 BA40654800
mov edx, 00486540
:0048633C A158BD4800
mov eax, dword ptr [0048BD58]
:00486341 E8DA5AFDFF
call 0045BE20
:00486346 84C0
test al,
al
:00486348 0F84BD010000 je 0048650B
*
Possible StringData Ref from Code Obj ->"user"
|
:0048634E BA60654800
mov edx, 00486560
:00486353 A158BD4800
mov eax, dword ptr [0048BD58]
:00486358 E8235EFDFF
call 0045C180
:0048635D 84C0
test al, al
:0048635F
0F84A2010000 je 00486507
*
Possible StringData Ref from Code Obj ->"regcode"
|
:00486365 BA70654800
mov edx, 00486570
:0048636A A158BD4800
mov eax, dword ptr [0048BD58]
:0048636F E80C5EFDFF
call 0045C180
:00486374 84C0
test al, al
:00486376
0F848B010000 je 00486507
:0048637C
8D4DFC lea ecx,
dword ptr [ebp-04]
*
Possible StringData Ref from Code Obj ->"user"
|
:0048637F BA60654800
mov edx, 00486560
:00486384 A158BD4800
mov eax, dword ptr [0048BD58]
:00486389 E85A5CFDFF
call 0045BFE8
:0048638E 8D4DF8
lea ecx, dword ptr [ebp-08]
*
Possible StringData Ref from Code Obj ->"regcode"
|
:00486391 BA70654800
mov edx, 00486570
:00486396 A158BD4800
mov eax, dword ptr [0048BD58]
:0048639B E8485CFDFF
call 0045BFE8
:004863A0 8B55F8
mov edx, dword ptr [ebp-08]
====>EDX=[ebp-08]=13572468
:004863A3
B85CBD4800 mov eax, 0048BD5C
:004863A8
E81BE1F7FF call 004044C8
:004863AD
837DFC00 cmp dword ptr
[ebp-04], 00000000
====>[ebp-04]=fly0
沒填使用者名稱?
:004863B1
7409 je 004863BC
:004863B3
833D5CBD480000 cmp dword ptr [0048BD5C], 00000000
====>[0048BD5C]=13572468 沒填註冊碼?
:004863BA 7507 jne 004863C3
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004863B1(C)
|
:004863BC
33DB xor
ebx, ebx
:004863BE E94A010000 jmp
0048650D
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004863BA(C)
|
:004863C3
A15CBD4800 mov eax, dword ptr
[0048BD5C]
====>EAX=[0048BD5C]=13572468
:004863C8
E85FE3F7FF call 0040472C
:004863CD
83F808 cmp eax,
00000008
====>註冊碼是否8位?
:004863D0
7407 je 004863D9
:004863D2
33DB xor
ebx, ebx
:004863D4 E934010000 jmp
0048650D
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004863D0(C)
|
:004863D9
33C0 xor
eax, eax
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004863FD(C)
|
:004863DB
33D2 xor
edx, edx
:004863DD 8AD0
mov dl, al
:004863DF 8B0D5CBD4800
mov ecx, dword ptr [0048BD5C]
====>ECX=[0048BD5C]=13572468
:004863E5
8A0C11 mov cl, byte
ptr [ecx+edx]
====>依次取試煉碼字元的HEX值
1、 ====>CL=31
2、 ====>33
:004863E8
8D5801 lea ebx,
dword ptr [eax+01]
====>EBX依次增1
1、 ====>EBX=1
2、 ====>EBX=2
:004863EB
C1E304 shl ebx,
04
1、 ====>EBX=1 SHL 04=10
2、
====>EBX=2 SHL 04=20
3、 ====>EBX=3 SHL 04=30
4、 ====>EBX=4 SHL 04=40
5、
====>EBX=5 SHL 04=50
6、 ====>EBX=6 SHL 04=60
7、 ====>EBX=7 SHL 04=70
8、
====>EBX=8 SHL 04=80
:004863EE
32CB xor
cl, bl
1、 ====>CL=31 XOR 10=21
2、
====>CL=33 XOR 20=13
3、 ====>CL=35 XOR 30=05
4、 ====>CL=37 XOR 40=77
5、
====>CL=32 XOR 50=62
6、 ====>CL=34 XOR 60=54
7、 ====>CL=36 XOR 70=46
8、
====>CL=38 XOR 80=B8
:004863F0
42 inc
edx
:004863F1 8D1452
lea edx, dword ptr [edx+2*edx]
:004863F4 888A7BBD4800
mov byte ptr [edx+0048BD7B], cl
====>CL 入 [edx+0048BD7B]處
0048BD7B
00 00 00 21 00 00 13 00 00 05 00 00 77 00 00 62 ...!......w..b
0048BD8B
00 00 54 00 00 46 00 00 B8 00 00 00 00 00 00 00 ..T..F..?......4
:004863FA
40 inc
eax
====>EAX 依次增1
:004863FB
3C08 cmp
al, 08
:004863FD 75DC
jne 004863DB
====>迴圈8次
:004863FF
8B45FC mov eax,
dword ptr [ebp-04]
====>EAX=fly0
:00486402
E805FBFFFF call 00485F0C
====>關鍵CALL!對使用者名稱和序列號運算得出一組值!
====>下面進行逐位比較,有一處不同就OVER了!
:00486407 A084BD4800
mov al, byte ptr [0048BD84]
====>AL=05
:0048640C
3A05ABBD4800 cmp al, byte ptr [0048BDAB]
====>[0048BDAB]=76 比較第3位!
:00486412
7412 je 00486426
====>不跳則OVER!
:00486414
803D60BD480000 cmp byte ptr [0048BD60], 00
:0048641B
33C0 xor
eax, eax
:0048641D EB02
jmp 00486421
:0048641F B001
mov al, 01
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048641D(U)
|
:00486421
A260BD4800 mov byte ptr [0048BD60],
al
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:00486412(C)
|
:00486426
A08ABD4800 mov al, byte ptr [0048BD8A]
====>[0048BD8A]=62
:0048642B
3A05CBBD4800 cmp al, byte ptr [0048BDCB]
====>[0048BDCB]=18 比較第5位!
:00486431
7412 je 00486445
====>不跳則OVER!
:00486433
803D60BD480000 cmp byte ptr [0048BD60], 00
:0048643A
33C0 xor
eax, eax
:0048643C EB02
jmp 00486440
:0048643E B001
mov al, 01
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048643C(U)
|
:00486440
A260BD4800 mov byte ptr [0048BD60],
al
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:00486431(C)
|
:00486445
A081BD4800 mov al, byte ptr [0048BD81]
====>[0048BD81]=13
:0048644A
3A059BBD4800 cmp al, byte ptr [0048BD9B]
====>[0048BD9B]=73 比較第2位!
:00486450
7412 je 00486464
====>不跳則OVER!
:00486452
803D60BD480000 cmp byte ptr [0048BD60], 00
:00486459
33C0 xor
eax, eax
:0048645B EB02
jmp 0048645F
:0048645D B001
mov al, 01
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048645B(U)
|
:0048645F
A260BD4800 mov byte ptr [0048BD60],
al
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:00486450(C)
|
:00486464
A087BD4800 mov al, byte ptr [0048BD87]
====>[0048BD87]=77
:00486469
3A05BBBD4800 cmp al, byte ptr [0048BDBB]
====>[0048BDBB]=09 比較第4位!
:0048646F
7412 je 00486483
====>不跳則OVER!
:00486471
803D60BD480000 cmp byte ptr [0048BD60], 00
:00486478
33C0 xor
eax, eax
:0048647A EB02
jmp 0048647E
:0048647C B001
mov al, 01
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048647A(U)
|
:0048647E
A260BD4800 mov byte ptr [0048BD60],
al
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:0048646F(C)
|
:00486483
A07EBD4800 mov al, byte ptr [0048BD7E]
====>[0048BD7E]=21
:00486488
3A058BBD4800 cmp al, byte ptr [0048BD8B]
====>[0048BD8B]=48 比較第1位!
:0048648E
7412 je 004864A2
====>不跳則OVER!
:00486490
803D60BD480000 cmp byte ptr [0048BD60], 00
:00486497
33C0 xor
eax, eax
:00486499 EB02
jmp 0048649D
:0048649B B001
mov al, 01
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486499(U)
|
:0048649D
A260BD4800 mov byte ptr [0048BD60],
al
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:0048648E(C)
|
:004864A2
A08DBD4800 mov al, byte ptr [0048BD8D]
====>[0048BD8D]=54
:004864A7
3A05DBBD4800 cmp al, byte ptr [0048BDDB]
====>[0048BDDB]=26 比較第6位!
:004864AD
7412 je 004864C1
====>不跳則OVER!
:004864AF
803D60BD480000 cmp byte ptr [0048BD60], 00
:004864B6
33C0 xor
eax, eax
:004864B8 EB02
jmp 004864BC
:004864BA B001
mov al, 01
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004864B8(U)
|
:004864BC
A260BD4800 mov byte ptr [0048BD60],
al
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:004864AD(C)
|
:004864C1
A093BD4800 mov al, byte ptr [0048BD93]
====>[0048BD93]=B8
:004864C6
3A05FBBD4800 cmp al, byte ptr [0048BDFB]
====>[0048BDFB]=C3 比較第8位!
:004864CC
7412 je 004864E0
====>不跳則OVER!
:004864CE
803D60BD480000 cmp byte ptr [0048BD60], 00
:004864D5
33C0 xor
eax, eax
:004864D7 EB02
jmp 004864DB
:004864D9 B001
mov al, 01
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004864D7(U)
|
:004864DB
A260BD4800 mov byte ptr [0048BD60],
al
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:004864CC(C)
|
:004864E0
A090BD4800 mov al, byte ptr [0048BD90]
====>[0048BD90]=46
:004864E5
3A05EBBD4800 cmp al, byte ptr [0048BDEB]
====>[0048BDEB]=3D 比較第7位!
:004864EB
7412 je 004864FF
====>不跳則OVER!
:004864ED
803D60BD480000 cmp byte ptr [0048BD60], 00
:004864F4
33C0 xor
eax, eax
:004864F6 EB02
jmp 004864FA
:004864F8 B001
mov al, 01
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004864F6(U)
|
:004864FA
A260BD4800 mov byte ptr [0048BD60],
al
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:004864EB(C)
|
:004864FF
8A1D60BD4800 mov bl, byte ptr [0048BD60]
====>BL=[0048BD60]=01 置1就OK了!
:00486505 EB06 jmp 0048650D
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048635F(C), :00486376(C)
|
:00486507
33DB xor
ebx, ebx
:00486509 EB02
jmp 0048650D
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486348(C)
|
:0048650B
33DB xor
ebx, ebx
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:004863BE(U), :004863D4(U),
:00486505(U), :00486509(U)
|
:0048650D 33C0
xor eax, eax
:0048650F 5A
pop edx
:00486510
59 pop
ecx
:00486511 59
pop ecx
:00486512 648910
mov dword ptr fs:[eax], edx
:00486515 682F654800
push 0048652F
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048652D(U)
|
:0048651A
8D45F8 lea eax,
dword ptr [ebp-08]
:0048651D BA02000000
mov edx, 00000002
:00486522 E871DFF7FF
call 00404498
:00486527 C3
ret
:00486528 E96FD9F7FF
jmp 00403E9C
:0048652D EBEB
jmp 0048651A
:0048652F
8BC3 mov
eax, ebx
:00486531 5B
pop ebx
:00486532 59
pop ecx
:00486533 59
pop ecx
:00486534
5D pop
ebp
:00486535 C3
ret
―――――――――――――――――――――――――――――――――
進入關鍵CALL:486402
call 00485F0C
呵呵,很是煩瑣,作者自己是不嫌麻煩的。想寫序號產生器的CRACKER可不輕鬆了。
*
Referenced by a CALL at Address:
|:00486402
|
:00485F0C 55
push ebp
:00485F0D
8BEC mov
ebp, esp
:00485F0F 83C4EC
add esp, FFFFFFEC
:00485F12 53
push ebx
:00485F13 56
push esi
:00485F14
57 push
edi
:00485F15 33D2
xor edx, edx
:00485F17 8955F8
mov dword ptr [ebp-08], edx
:00485F1A 8955F4
mov dword ptr [ebp-0C],
edx
:00485F1D 8945FC
mov dword ptr [ebp-04], eax
:00485F20 8B45FC
mov eax, dword ptr [ebp-04]
:00485F23 E8ECE9F7FF
call 00404914
:00485F28 33C0
xor eax,
eax
:00485F2A 55
push ebp
:00485F2B 6849614800
push 00486149
:00485F30 64FF30
push dword ptr fs:[eax]
:00485F33 648920
mov dword ptr fs:[eax],
esp
:00485F36 8B45FC
mov eax, dword ptr [ebp-04]
====>EAX=fly0
:00485F39
E8EEE7F7FF call 0040472C
====>取 使用者名稱 位數入 AL
:00485F3E
8845F2 mov byte
ptr [ebp-0E], al
====>[ebp-0E]=AL=04
:00485F41
E87AF0FFFF call 00484FC0
====>取硬碟序列號 入 EAX=211C1E09
:00485F46
8D4DF4 lea ecx,
dword ptr [ebp-0C]
:00485F49 BA08000000
mov edx, 00000008
:00485F4E E8112BF8FF
call 00408A64
:00485F53 33C0
xor eax, eax
:00485F55 8A45F2
mov al, byte ptr [ebp-0E]
:00485F58
83C009 add eax,
00000009
====>EAX=04 + 09=0D
:00485F5B
50 push
eax
:00485F5C 8D45F8
lea eax, dword ptr [ebp-08]
:00485F5F B901000000
mov ecx, 00000001
*
Possible StringData Ref from Code Obj ->".3"
|
:00485F64 8B15EC5E4800
mov edx, dword ptr [00485EEC]
:00485F6A E8A9FAF7FF
call 00405A18
:00485F6F 83C404
add esp, 00000004
:00485F72 8A45F2
mov al, byte ptr
[ebp-0E]
:00485F75 48
dec eax
:00485F76 84C0
test al, al
:00485F78 721C
jb 00485F96
:00485F7A
40 inc
eax
:00485F7B B300
mov bl, 00
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485F94(C)
|
:00485F7D
33D2 xor
edx, edx
:00485F7F 8AD3
mov dl, bl
:00485F81 8B4DFC
mov ecx, dword ptr [ebp-04]
:00485F84 8A1411
mov dl, byte ptr [ecx+edx]
:00485F87
33C9 xor
ecx, ecx
:00485F89 8ACB
mov cl, bl
:00485F8B 8B75F8
mov esi, dword ptr [ebp-08]
:00485F8E 88140E
mov byte ptr [esi+ecx],
dl
====>使用者名稱 入 [esi+ecx]處
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[esi+ecx]記憶體中的值:
00C92358
66 6C 79 30 00 00 00 00 00 00 00 00 00 00 00 00 fly0............
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00485F91
43 inc
ebx
:00485F92 FEC8
dec al
:00485F94 75E7
jne 00485F7D
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485F78(C)
|
:00485F96
8A5DF2 mov bl, byte
ptr [ebp-0E]
:00485F99 8A45F2
mov al, byte ptr [ebp-0E]
:00485F9C 0407
add al, 07
====>AL=04 + 07=0B
:00485F9E
2AC3 sub
al, bl
====>AL=0B - 04=07
:00485FA0
7233 jb 00485FD5
:00485FA2
40 inc
eax
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:00485FD3(C)
|
:00485FA3
8BF3 mov
esi, ebx
:00485FA5 81E6FF000000 and
esi, 000000FF
:00485FAB 8BD6
mov edx, esi
:00485FAD 33C9
xor ecx, ecx
:00485FAF 8A4DF2
mov cl, byte ptr [ebp-0E]
:00485FB2
2BD1 sub
edx, ecx
:00485FB4 8B4DF4
mov ecx, dword ptr [ebp-0C]
====>ECX=211C1E09
呵呵,我的硬碟序列號
:00485FB7
8A0C11 mov cl, byte
ptr [ecx+edx]
====>依次取硬碟序列號的字元值
:00485FBA
51 push
ecx
:00485FBB 8B4DF8
mov ecx, dword ptr [ebp-08]
:00485FBE 8D3431
lea esi, dword ptr [ecx+esi]
:00485FC1 59
pop
ecx
:00485FC2 880E
mov byte ptr [esi], cl
:00485FC4 8B4DF4
mov ecx, dword ptr [ebp-0C]
:00485FC7 8A0C11
mov cl, byte ptr
[ecx+edx]
:00485FCA 888A64BD4800 mov
byte ptr [edx+0048BD64], cl
====>硬碟序列號
入 [edx+0048BD64]處
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
[edx+0048BD64]記憶體中的值:
0048BD64
32 31 31 43 31 45 30 39 00 00 00 00 00 00 00 00 211C1E09........
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:00485FD0
43 inc
ebx
:00485FD1 FEC8
dec al
:00485FD3 75CE
jne 00485FA3
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485FA0(C)
|
:00485FD5
33C0 xor
eax, eax
:00485FD7 8A45F2
mov al, byte ptr [ebp-0E]
====>AL=04
:00485FDA
8B55F8 mov edx,
dword ptr [ebp-08]
====>EDX=fly0211C1E09
使用者名稱和序列號連線起來
:00485FDD
C644020900 mov [edx+eax+09], 00
:00485FE2
C645F100 mov [ebp-0F],
00
:00485FE6 8A45F2
mov al, byte ptr [ebp-0E]
:00485FE9 0408
add al, 08
====>AL=04 + 08=0C
:00485FEB
8845EF mov byte
ptr [ebp-11], al
====>AL=0C 入 [ebp-11]
:00485FEE
8A45F2 mov al, byte
ptr [ebp-0E]
:00485FF1 0407
add al, 07
====>AL=04
+ 07=0B
:00485FF3 84C0
test al,
al
:00485FF5 7215
jb 0048600C
:00485FF7 40
inc eax
:00485FF8 B300
mov bl, 00
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048600A(C)
|
:00485FFA
33D2 xor
edx, edx
:00485FFC 8AD3
mov dl, bl
:00485FFE 8B4DF8
mov ecx, dword ptr [ebp-08]
====>ECX=fly0211C1E09
:00486001
8A1411 mov dl, byte
ptr [ecx+edx]
====>依次取上面字元的HEX值,下面累加
:00486004
0055F1 add byte
ptr [ebp-0F], dl
====>[ebp-0F]=0+66+6C+79+30+32+31+31+43+31+45+30+39=31
捨去溢位
:00486007
43 inc
ebx
:00486008 FEC8
dec al
:0048600A 75EE
jne 00485FFA
====>迴圈12次
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485FF5(C)
|
:0048600C
33DB xor
ebx, ebx
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00486117(C)
|
:0048600E
C645F300 mov [ebp-0D],
00
* Referenced by a
(U)nconditional or (C)onditional Jump at Addresses:
|:004860BF(C), :004860C7(C)
|
:00486012
8BFB mov
edi, ebx
:00486014 81E7FF000000 and
edi, 000000FF
:0048601A 8B45F8
mov eax, dword ptr [ebp-08]
====>EAX=fly0211C1E09
:0048601D
8A0438 mov al, byte
ptr [eax+edi]
====>依次取上面字元的HEX值
:00486020
02C3 add
al, bl
====>AL=66 + 00=66
:00486022
8A55F1 mov dl, byte
ptr [ebp-0F]
====>DL=[ebp-0F]=31
:00486025
02D3 add
dl, bl
====>DL=31 + 00=31
:00486027
32C2 xor
al, dl
====>AL=66 XOR 31=57
:00486029
33D2 xor
edx, edx
:0048602B 8A55EF
mov dl, byte ptr [ebp-11]
====>DL=[ebp-11]=0C
:0048602E
2BD7 sub
edx, edi
:00486030 8B4DF8
mov ecx, dword ptr [ebp-08]
====>ECX=fly0211C1E09
:00486033
8A1411 mov dl, byte
ptr [ecx+edx]
====>加1位倒序依次取上面字元的HEX值
====>DL=00
:00486036
02D3 add
dl, bl
====>DL=00 + 00=00
:00486038
8BCB mov
ecx, ebx
:0048603A 660FAFCB
imul cx, bx
:0048603E 02D1
add dl, cl
:00486040 8855F0
mov byte ptr [ebp-10], dl
:00486043
8A55F3 mov dl, byte
ptr [ebp-0D]
:00486046 660FAF55F3
imul dx, word ptr [ebp-0D]
====>DX=00
* F800=00
0076FC3B 00 F8 51 C9 00 58 23 C9 00 50 FD C9 00 68 FC 76 .Q?X#?P.hv
00 5
:0048604B 52
push
edx
:0048604C 8A55F0
mov dl, byte ptr [ebp-10]
:0048604F 59
pop ecx
:00486050 2AD1
sub dl, cl
:00486052
2A55EF sub dl, byte
ptr [ebp-11]
====>DL=00 - 0C=F4
:00486055
32D0 xor
dl, al
====>DL=F4 XOR 57=A3
:00486057
8BC2 mov
eax, edx
:00486059 E8FA000000 call
00486158
:0048605E 8A55F3
mov dl, byte ptr [ebp-0D]
:00486061 660FAFD3
imul dx, bx
:00486065 02C2
add al, dl
:00486067
2A45F3 sub al, byte
ptr [ebp-0D]
:0048606A 32C3
xor al, bl
:0048606C E8C3010000
call 00486234
:00486071 8D9080000000
lea edx, dword ptr [eax+00000080]
:00486077 2A55F3
sub dl, byte ptr [ebp-0D]
:0048607A
8BC3 mov
eax, ebx
:0048607C 660FAF45F3 imul
ax, word ptr [ebp-0D]
:00486081 02C3
add al, bl
:00486083 32D0
xor dl, al
:00486085 8BC2
mov eax, edx
:00486087
E8CC000000 call 00486158
:0048608C
8A55F3 mov dl, byte
ptr [ebp-0D]
:0048608F 660FAF55F3
imul dx, word ptr [ebp-0D]
:00486094 02C2
add al, dl
:00486096 2AC3
sub al, bl
:00486098
32C3 xor
al, bl
:0048609A E895010000 call
00486234
:0048609F 0580000000 add
eax, 00000080
:004860A4 2A45F3
sub al, byte ptr [ebp-0D]
====>DL=A3
- 00=A3
:004860A7 8BD3
mov edx,
ebx
:004860A9 660FAFD3 imul
dx, bx
:004860AD 0255F3
add dl, byte ptr [ebp-0D]
:004860B0 32C2
xor al, dl
:004860B2 FE45F3
inc [ebp-0D]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
下面是對AL的取值範圍進行比較,如果不在此範圍則繼續迴圈直至符合為止!
:004860B5 3C41
cmp al, 41
:004860B7
7204 jb 004860BD
:004860B9
3C5A cmp
al, 5A
:004860BB 7610
jbe 004860CD
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004860B7(C)
|
:004860BD
3C61 cmp
al, 61
:004860BF 0F824DFFFFFF jb 00486012
:004860C5
3C7A cmp
al, 7A
:004860C7 0F8745FFFFFF ja 00486012
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004860BB(C)
|
:004860CD
3C61 cmp
al, 61
:004860CF 7202
jb 004860D3
:004860D1 2C20
sub al, 20
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004860CF(C)
|
:004860D3
8D5301 lea edx,
dword ptr [ebx+01]
:004860D6 C1E204
shl edx, 04
:004860D9 32D0
xor dl, al
:004860DB 8BF3
mov esi, ebx
:004860DD
81E6FF000000 and esi, 000000FF
:004860E3
46 inc
esi
:004860E4 8BC6
mov eax, esi
:004860E6 C1E004
shl eax, 04
:004860E9 88907BBD4800
mov byte ptr [eax+0048BD7B], dl
迴圈結果 ====>DL=①48
②73 ③76 ④09 ⑤18 ⑥26 ⑦3D ⑧C3
:004860EF
33C0 xor
eax, eax
:004860F1 8AC3
mov al, bl
:004860F3 40
inc eax
:004860F4 C1E004
shl eax, 04
:004860F7 8D0476
lea eax, dword ptr [esi+2*esi]
:004860FA
3A907BBD4800 cmp dl, byte ptr [eax+0048BD7B]
:00486100
7511 jne
00486113
:00486102 33C0
xor eax, eax
:00486104 8AC3
mov al, bl
:00486106 83C005
add eax, 00000005
:00486109
8D0480 lea eax,
dword ptr [eax+4*eax]
:0048610C C6807BBD480001
mov byte ptr [eax+0048BD7B], 01
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00486100(C)
|
:00486113
43 inc
ebx
:00486114 80FB08
cmp bl, 08
:00486117 0F85F1FEFFFF
jne 0048600E
====>大迴圈8次,得出8個值!
:0048611D
33C0 xor
eax, eax
:0048611F 5A
pop edx
:00486120 59
pop ecx
:00486121 59
pop ecx
:00486122
648910 mov dword
ptr fs:[eax], edx
:00486125 6850614800
push 00486150
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048614E(U)
|
:0048612A
8D45F4 lea eax,
dword ptr [ebp-0C]
:0048612D E842E3F7FF
call 00404474
:00486132 8D45F8
lea eax, dword ptr [ebp-08]
*
Possible StringData Ref from Code Obj ->".3"
|
:00486135 8B15EC5E4800
mov edx, dword ptr [00485EEC]
:0048613B E8F8F9F7FF
call 00405B38
:00486140 8D45FC
lea eax, dword ptr [ebp-04]
:00486143
E82CE3F7FF call 00404474
:00486148
C3 ret
―――――――――――――――――――――――――――――――――
【求 逆】:
現在我已知道程式首先對試煉碼進行簡單的異或處理得出新的值;設為S1。
然後,程式透過對使用者名稱和序列號的運算再次得出一組值;設為S2
只要S1=S2,則OK!
由於S1只是把試煉碼的每一位與固定值(第n位為 n SHL 4,即10、20……80)做XOR,而XOR運算可逆,所以我們可以透過S2簡單求逆就可得出真正的註冊碼!
這是S1的生成過程:
:004863EE
32CB xor
cl, bl
1、 ====>CL=31 XOR 10=21
2、
====>CL=33 XOR 20=13
3、 ====>CL=35 XOR 30=05
4、 ====>CL=37 XOR 40=77
5、
====>CL=32 XOR 50=62
6、 ====>CL=34 XOR 60=54
7、 ====>CL=36 XOR 70=46
8、
====>CL=38 XOR 80=B8
現在我的S2=①48
②73 ③76 ④09 ⑤18 ⑥26 ⑦3D ⑧C3
所以註冊碼的求逆過程為:
1、 ====>K1=48
XOR 10=58 即:字元X
2、 ====>K2=73
XOR 20=53 即:字元S
3、 ====>K3=76
XOR 30=46 即:字元F
4、 ====>K4=09
XOR 40=49 即:字元I
5、 ====>K5=18
XOR 50=48 即:字元H
6、 ====>K6=26
XOR 60=46 即:字元F
7、 ====>K7=3D
XOR 70=4D 即:字元M
8、 ====>K8=C3
XOR 80=43 即:字元C
所以,我的註冊碼為:XSFIHFMC
另外,再多說一點,如果僅僅是在驗證外的某處爆破的話,會顯示“已註冊”,但是合併後的檔案是會非法操作的。
呵呵,即便如此,卻也比
開山檔案合併器 要“溫柔”的多了。
―――――――――――――――――――――――――――――――――
【註冊資訊儲存】:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\exebind\reg]
"user"="fly0"
"regcode"="XSFIHFMC"
―――――――――――――――――――――――――――――――――
【整 理】:
序列號:211C1E09
使用者名稱:fly0
註冊碼:XSFIHFMC
―――――――――――――――――――――――――――――――――
Cracked By 巢水工作坊――fly【OCN】
2003-04-04 11:01:11