【文章标题】: 文件批量复制工具 2.0注册算法浅析
【文章作者】: 蚊香/magic659117852
【作者邮箱】: [email protected]
【作者主页】: http://www.xpi386.com
【软件大小】: 803KB
【下载地址】: http://www.newhua.com/soft/70381.htm
【保护方式】: 注册码
【编写语言】: Borland Delphi
【使用工具】: PEiD OllyDBG
【操作平台】: D版XP-SP2
【软件介绍】: 可以一次性将多个文件复制到多个目录下的工具。
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】- 0048AA18 /. 55 push ebp ; breakpoint placed here, located via a string search
- 0048AA19 |. 8BEC mov ebp, esp ; run with F9, enter 123456789012 as a trial registration code
- 0048AA1B |. 81C4 E0FEFFFF add esp, -120 ; reserve 0x120 bytes of locals
- 0048AA21 |. 53 push ebx
- 0048AA22 |. 56 push esi
- 0048AA23 |. 57 push edi
- 0048AA24 |. 33C9 xor ecx, ecx ; ecx = 0, used to clear the six locals below
- 0048AA26 |. 898D E0FEFFFF mov dword ptr [ebp-120], ecx
- 0048AA2C |. 898D E4FEFFFF mov dword ptr [ebp-11C], ecx
- 0048AA32 |. 898D E8FEFFFF mov dword ptr [ebp-118], ecx
- 0048AA38 |. 898D ECFEFFFF mov dword ptr [ebp-114], ecx
- 0048AA3E |. 898D F0FEFFFF mov dword ptr [ebp-110], ecx
- 0048AA44 |. 898D F4FEFFFF mov dword ptr [ebp-10C], ecx
- 0048AA4A |. 8BD8 mov ebx, eax ; keep the incoming eax in ebx - presumably the form instance; confirm
- 0048AA4C |. 33C0 xor eax, eax
- 0048AA4E |. 55 push ebp
- 0048AA4F |. 68 E1AB4800 push 0048ABE1 ; handler address for the exception frame
- 0048AA54 |. 64:FF30 push dword ptr fs:[eax] ; previous frame from fs:[0]
- 0048AA57 |. 64:8920 mov dword ptr fs:[eax], esp ; install the new exception frame
- 0048AA5A |. 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C]
- 0048AA60 |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
- 0048AA66 |. E8 E5F9FCFF call 0045A450 ; author's label: trial-code length - NOTE(review): [ebp-10C] is passed on as the string below, so this presumably fetches the entered text; confirm
- 0048AA6B |. 8B85 F4FEFFFF mov eax, dword ptr [ebp-10C]
- 0048AA71 |. E8 FA060000 call 0048B170 ; validation routine; step into it with F7
- 0048AA76 |. 84C0 test al, al ; AL carries the routine's result
- 0048AA78 |. 0F84 DF000000 je 0048AB5D ; key jump: taken means registration fails
- 0048AA7E |. A1 F0E34800 mov eax, dword ptr [48E3F0]
- 0048AA83 |. C600 01 mov byte ptr [eax], 1 ; writes 1 through the pointer at [48E3F0] - presumably the "registered" flag; confirm
- 0048AA86 |. 8D95 F0FEFFFF lea edx, dword ptr [ebp-110]
- 0048AA8C |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
- 0048AA92 |. E8 B9F9FCFF call 0045A450
- 0048AA97 |. 8B95 F0FEFFFF mov edx, dword ptr [ebp-110]
- 0048AA9D |. A1 18E44800 mov eax, dword ptr [48E418]
- 0048AAA2 |. E8 8195F7FF call 00404028
- 0048AAA7 |. 68 05010000 push 105 ; /BufSize = 105 (261.)
- 0048AAAC |. 8D85 FBFEFFFF lea eax, dword ptr [ebp-105] ; |
- 0048AAB2 |. 50 push eax ; |Buffer
- 0048AAB3 |. E8 7CBAF7FF call <jmp.&kernel32.GetSystemDirector>; \GetSystemDirectoryA
- 0048AAB8 |. 8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
- 0048AABE |. 8D95 FBFEFFFF lea edx, dword ptr [ebp-105]
- 0048AAC4 |. B9 05010000 mov ecx, 105
- 0048AAC9 |. E8 7697F7FF call 00404244
- 0048AACE |. 8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
- 0048AAD4 |. BA F8AB4800 mov edx, 0048ABF8 ; \supercopy.ini
- 0048AAD9 |. E8 BE97F7FF call 0040429C ; where the registration code is saved: C:\WINDOWS\system32
- \SuperCopy.ini
- 0048AADE |. 8B8D ECFEFFFF mov ecx, dword ptr [ebp-114]
- 0048AAE4 |. B2 01 mov dl, 1
- 0048AAE6 |. A1 FC554300 mov eax, dword ptr [4355FC]
- 0048AAEB |. E8 BCABFAFF call 004356AC
- 0048AAF0 |. 8BF0 mov esi, eax ; esi = object returned by call 004356AC
- 0048AAF2 |. 8D95 E8FEFFFF lea edx, dword ptr [ebp-118]
- 0048AAF8 |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
- 0048AAFE |. E8 4DF9FCFF call 0045A450
- 0048AB03 |. 8B85 E8FEFFFF mov eax, dword ptr [ebp-118]
- 0048AB09 |. 50 push eax ; value filled in by call 0045A450 above
- 0048AB0A |. B9 10AC4800 mov ecx, 0048AC10 ; key
- 0048AB0F |. BA 1CAC4800 mov edx, 0048AC1C ; regcode
- 0048AB14 |. 8BC6 mov eax, esi
- 0048AB16 |. 8B38 mov edi, dword ptr [eax]
- 0048AB18 |. FF57 04 call dword ptr [edi+4] ; virtual call on the esi object with "regcode", "key" and the pushed value - presumably the INI write; confirm
- 0048AB1B |. 8BC6 mov eax, esi
- 0048AB1D |. E8 9E86F7FF call 004031C0
- 0048AB22 |. 6A 40 push 40 ; first argument pushed for MessageBoxA, i.e. uType = 0x40
- 0048AB24 |. 8D95 E4FEFFFF lea edx, dword ptr [ebp-11C]
- 0048AB2A |. A1 A4E64800 mov eax, dword ptr [48E6A4]
- 0048AB2F |. 8B00 mov eax, dword ptr [eax]
- 0048AB31 |. E8 B6F2FEFF call 00479DEC
- 0048AB36 |. 8B85 E4FEFFFF mov eax, dword ptr [ebp-11C]
- 0048AB3C |. E8 5399F7FF call 00404494
- 0048AB41 |. 50 push eax
- 0048AB42 |. 68 24AC4800 push 0048AC24 ; 注册成功! (program string: "Registration successful!")
- 0048AB47 |. 8BC3 mov eax, ebx
- 0048AB49 |. E8 2261FDFF call 00460C70
- 0048AB4E |. 50 push eax ; |hOwner
- 0048AB4F |. E8 28C1F7FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
- 0048AB54 |. 8BC3 mov eax, ebx
- 0048AB56 |. E8 3DC0FEFF call 00476B98
- 0048AB5B |. EB 40 jmp short 0048AB9D ; skip the failure branch
- 0048AB5D |> 6A 40 push 40 ; failure branch, reached from the je at 0048AA78
- 0048AB5F |. 8D95 E0FEFFFF lea edx, dword ptr [ebp-120]
- 0048AB65 |. A1 A4E64800 mov eax, dword ptr [48E6A4]
- 0048AB6A |. 8B00 mov eax, dword ptr [eax]
- 0048AB6C |. E8 7BF2FEFF call 00479DEC
- 0048AB71 |. 8B85 E0FEFFFF mov eax, dword ptr [ebp-120]
- 0048AB77 |. E8 1899F7FF call 00404494
- 0048AB7C |. 50 push eax
- 0048AB7D |. 68 30AC4800 push 0048AC30 ; 注册码错误,请重新输入! (program string: "Wrong registration code, please enter it again!")
- 0048AB82 |. 8BC3 mov eax, ebx
- 0048AB84 |. E8 E760FDFF call 00460C70
- 0048AB89 |. 50 push eax ; |hOwner
- 0048AB8A |. E8 EDC0F7FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
- 0048AB8F |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
- 0048AB95 |. 8B10 mov edx, dword ptr [eax]
- 0048AB97 |. FF92 C4000000 call dword ptr [edx+C4]
- 0048AB9D |> 33C0 xor eax, eax ; common exit for both branches
- 0048AB9F |. 5A pop edx
- 0048ABA0 |. 59 pop ecx
- 0048ABA1 |. 59 pop ecx
- 0048ABA2 |. 64:8910 mov dword ptr fs:[eax], edx ; restore the previous exception frame
- 0048ABA5 |. 68 E8AB4800 push 0048ABE8 ; the retn at 0048ABE0 continues at 0048ABE8
- 0048ABAA |> 8D85 E0FEFFFF lea eax, dword ptr [ebp-120] ; cleanup of the locals - presumably string finalisation; confirm
- 0048ABB0 |. BA 02000000 mov edx, 2
- 0048ABB5 |. E8 3E94F7FF call 00403FF8
- 0048ABBA |. 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
- 0048ABC0 |. E8 0F94F7FF call 00403FD4
- 0048ABC5 |. 8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
- 0048ABCB |. E8 0494F7FF call 00403FD4
- 0048ABD0 |. 8D85 F0FEFFFF lea eax, dword ptr [ebp-110]
- 0048ABD6 |. BA 02000000 mov edx, 2
- 0048ABDB |. E8 1894F7FF call 00403FF8
- 0048ABE0 \. C3 retn
- 0048ABE1 .^ E9 6E8DF7FF jmp 00403954 ; address pushed as the handler at 0048AA4F
- 0048ABE6 .^ EB C2 jmp short 0048ABAA
- 0048ABE8 . 5F pop edi ; epilogue: restore saved registers and the caller's frame
- 0048ABE9 . 5E pop esi
- 0048ABEA > 5B pop ebx
- 0048ABEB . 8BE5 mov esp, ebp
- 0048ABED . 5D pop ebp
- 0048ABEE . C3 retn
复制代码 进入算法CALL 0048AA71- 0048B170 55 push ebp ; author's note: forcing AL to 1 and returning right here defeats the check - the whole decision is the single byte returned in AL
- 0048B171 8BEC mov ebp, esp
- 0048B173 51 push ecx
- 0048B174 |. 53 push ebx
- 0048B175 |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = the string passed in eax
- 0048B178 |. 8B45 FC mov eax, dword ptr [ebp-4]
- 0048B17B |. E8 0493F7FF call 00404484
- 0048B180 |. 33C0 xor eax, eax
- 0048B182 |. 55 push ebp
- 0048B183 |. 68 DBB14800 push 0048B1DB ; handler address for the exception frame
- 0048B188 |. 64:FF30 push dword ptr fs:[eax]
- 0048B18B |. 64:8920 mov dword ptr fs:[eax], esp ; install the new exception frame
- 0048B18E |. 8B45 FC mov eax, dword ptr [ebp-4]
- 0048B191 |. E8 FE90F7FF call 00404294 ; length of the registration code
- 0048B196 |. 83F8 0C cmp eax, 0C ; must be 12 characters
- 0048B199 |. 74 04 je short 0048B19F
- 0048B19B |. 33DB xor ebx, ebx ; wrong length: result = 0
- 0048B19D |. EB 26 jmp short 0048B1C5
- 0048B19F |> BB 05000000 mov ebx, 5 ; EBX=5
- 0048B1A4 |> 8B45 FC /mov eax, dword ptr [ebp-4]
- 0048B1A7 |. 8A4418 FF |mov al, byte ptr [eax+ebx-1] ; take characters 5-8 of the trial code in turn
- 0048B1AB |. E8 60FFFFFF |call 0048B110 ; table lookup
- 0048B1B0 |. 8B55 FC |mov edx, dword ptr [ebp-4]
- 0048B1B3 |. 3A441A 03 |cmp al, byte ptr [edx+ebx+3] ; compare each looked-up value with characters 9-12 of the trial code
- 0048B1B7 |. 74 04 |je short 0048B1BD ; a match continues; any mismatch goes to the failure path
- 0048B1B9 |. 33DB |xor ebx, ebx ; mismatch: result = 0
- 0048B1BB |. EB 08 |jmp short 0048B1C5
- 0048B1BD 43 |inc ebx
- 0048B1BE 83FB 09 |cmp ebx, 9
- 0048B1C1 ^ 75 E1 \jnz short 0048B1A4 ; the loop runs 4 times
- 0048B1C3 B3 01 mov bl, 1 ; key assignment: BL = 1 after all four comparisons matched
- 0048B1C5 33C0 xor eax, eax
- 0048B1C7 5A pop edx
- 0048B1C8 59 pop ecx
- 0048B1C9 59 pop ecx
- 0048B1CA |. 64:8910 mov dword ptr fs:[eax], edx ; restore the previous exception frame
- 0048B1CD |. 68 E2B14800 push 0048B1E2 ; the retn at 0048B1DA continues at 0048B1E2
- 0048B1D2 |> 8D45 FC lea eax, dword ptr [ebp-4]
- 0048B1D5 E8 FA8DF7FF call 00403FD4
- 0048B1DA C3 retn
- 0048B1DB ^ E9 7487F7FF jmp 00403954 ; address pushed as the handler at 0048B183
- 0048B1E0 ^ EB F0 jmp short 0048B1D2
- 0048B1E2 8BC3 mov eax, ebx ; key hand-off: the result in EBX is returned in EAX
- 0048B1E4 5B pop ebx
- 0048B1E5 59 pop ecx
- 0048B1E6 5D pop ebp
- 0048B1E7 C3 retn
复制代码 0048B1AB处表内容为:- 0048B14C |> \B0 38 mov al, 38 ; Case 30 ('0') of switch 0048B115 - returns '8'
- 0048B14E |. C3 retn
- 0048B14F |> B0 36 mov al, 36 ; Case 31 ('1') of switch 0048B115 - returns '6'
- 0048B151 |. C3 retn
- 0048B152 |> B0 34 mov al, 34 ; Case 32 ('2') of switch 0048B115 - returns '4'
- 0048B154 |. C3 retn
- 0048B155 |> B0 30 mov al, 30 ; Case 33 ('3') of switch 0048B115 - returns '0'
- 0048B157 |. C3 retn
- 0048B158 |> B0 35 mov al, 35 ; Case 34 ('4') of switch 0048B115 - returns '5'
- 0048B15A |. C3 retn
- 0048B15B |> B0 32 mov al, 32 ; Case 35 ('5') of switch 0048B115 - returns '2'
- 0048B15D |. C3 retn
- 0048B15E |> B0 39 mov al, 39 ; Case 36 ('6') of switch 0048B115 - returns '9'
- 0048B160 |. C3 retn
- 0048B161 |> B0 31 mov al, 31 ; Case 37 ('7') of switch 0048B115 - returns '1'
- 0048B163 |. C3 retn
- 0048B164 |> B0 33 mov al, 33 ; Case 38 ('8') of switch 0048B115 - returns '3'
- 0048B166 |. C3 retn
- 0048B167 |> B0 37 mov al, 37 ; Case 39 ('9') of switch 0048B115 - returns '7'
- 0048B169 |. C3 retn
--------------------------------------------------------------------------------
【算法总结】
注册码12位,前4位任意(校验函数 0048B170 只检查长度以及5-8位与9-12位的对应关系,不涉及用户名或机器信息)。
5-8位根据以下规则转换成另一个数字:
0 → 8
1 → 6
2 → 4
3 → 0
4 → 5
5 → 2
6 → 9
7 → 1
8 → 3
9 → 7
转换后的5-8位分别依次与9-12位比较,均相等则注册成功(例如:123456782913)。注册码保存到 C:\WINDOWS\system32\SuperCopy.ini
算号器源码(VB Code):
' Click handler for Command1: writes a 12-character numeric string into Text1.
' The first 8 digits are random; the last 4 are digits 5-8 passed through the
' fixed substitution table in the Select Case below.
' NOTE(review): X1, i, temp and sn are not declared in this Sub - presumably
' implicit Variants (no Option Explicit); confirm against the module header.
' NOTE(review): only the random digits feed the result - no user name, machine
' value or secret enters the computation.
Private Sub Command1_Click()
Randomize ' seed the Rnd generator
X1 = Int(Rnd * 90000000) + 10000000 ' random 8-digit value, 10000000..99999999
Text1.Text = X1 ' stored in the text box so Mid() below can index its digits
For i = 5 To 8 ' Mid() is 1-based: digits 5 through 8 of the 8-digit value
temp = Mid(Text1.Text, i, 1)
' Digit substitution: 0->8 1->6 2->4 3->0 4->5 5->2 6->9 7->1 8->3 9->7
Select Case temp
Case 0
sn = sn & 8
Case 1
sn = sn & 6
Case 2
sn = sn & 4
Case 3
sn = sn & 0
Case 4
sn = sn & 5
Case 5
sn = sn & 2
Case 6
sn = sn & 9
Case 7
sn = sn & 1
Case 8
sn = sn & 3
Case 9
sn = sn & 7
End Select
Next
Text1.Text = X1 & sn ' 8 random digits followed by the 4 substituted digits
End Sub
VB6.0精简版测试通过~~~~~~~
--------------------------------------------------------------------------------
【版权声明】: 本文 蚊香 原创, 转载请注明作者并保持文章的完整, 谢谢!
2008年08月06日 上午 10:12:22 |