- UID
- 3725
注册时间2005-10-14
阅读权限30
最后登录1970-1-1
龙战于野
TA的每日心情 | 无聊
2018-12-10 18:30 |
|---|
签到天数: 70 天 [LV.6]常住居民II
|
【破文标题】Windows 历史记录清理助手 2.0注册算法分析
【破文作者】HBQJXHW[PYG]
【破解工具】OD
【破解平台】WIN2000-SP4
【软件名称】Windows 历史记录清理助手 2.0
【软件大小】391k
【原版下载】http://www.pcsoft.com.cn/Soft/Soft_3618.htm
【保护方式】SN
【软件简介】你是否曾经有过上网的的记录被人查看的经历,是否有过电脑操记录被人偷窥的体验,是否曾经为电脑里一些没用的文件占用磁盘空间而苦恼过? 现在Windows 历史记录清理助手可以帮你解决这些问题. 本软件具有以下的特点: 1.先扫描后清理,让你自己可以选择要清理掉的文件,让你对你清理掉的文件看的明明白白. 2.你可以选择对系统记录文件的清理,还可以选择针对磁盘,选择自己定义要扫描的文件类型,清理掉你想清除的文件.
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享
【破解过程】
------------------------------------------------------------------------
Peid 0.93查壳,无壳(Microsoft Visual C++ 6.0)
运行,输入注册码,有错误提示.
OllyDbg载入,来到:
00413F7C >/$ 55 PUSH EBP ; (初始 cpu 选择)
00413F7D |. 8BEC MOV EBP,ESP
00413F7F |. 6A FF PUSH -1
00413F81 |. 68 40654300 PUSH Windows_.00436540
00413F86 |. 68 AC834100 PUSH Windows_.004183AC ; SE 处理程序安装
右键-->Ultra字符串参考-->查找ASCII-->Ctrl+F-->输入"注册号无效"-->双击来到:0040890C处!
00408890 . 6A FF PUSH -1
00408892 . 68 18004300 PUSH Windows_.00430018 ; SE 处理程序安装
00408897 . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0040889D . 50 PUSH EAX
0040889E . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
004088A5 . 83EC 08 SUB ESP,8
004088A8 . 56 PUSH ESI
004088A9 . 8BF1 MOV ESI,ECX
004088AB . 6A 01 PUSH 1
004088AD . E8 2BD50100 CALL Windows_.00425DDD
004088B2 . A1 5CFD4300 MOV EAX,DWORD PTR DS:[43FD5C]
004088B7 . 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
004088BB . 8D8E 1C010000 LEA ECX,DWORD PTR DS:[ESI+11C]
004088C1 . C74424 14 000>MOV DWORD PTR SS:[ESP+14],0
004088C9 . 51 PUSH ECX
004088CA . 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
004088CE . E8 0DEA0100 CALL Windows_.004272E0
004088D3 . 51 PUSH ECX
004088D4 . 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
004088D8 . 8BCC MOV ECX,ESP
004088DA . 896424 0C MOV DWORD PTR SS:[ESP+C],ESP
004088DE . 52 PUSH EDX
004088DF . E8 38E60100 CALL Windows_.00426F1C
004088E4 . E8 77FEFFFF CALL Windows_.00408760 ; 重要算法CALL进入
004088E9 . 83C4 04 ADD ESP,4
004088EC . 85C0 TEST EAX,EAX
004088EE . 6A 00 PUSH 0
004088F0 . 68 1CF54300 PUSH Windows_.0043F51C ; ngnsss
004088F5 . 74 15 JE SHORT Windows_.0040890C
004088F7 . 68 24F54300 PUSH Windows_.0043F524 ; 注册成功
004088FC . 8BCE MOV ECX,ESI
004088FE . E8 7ECD0100 CALL Windows_.00425681
00408903 . 8BCE MOV ECX,ESI
00408905 . E8 8BB10100 CALL Windows_.00423A95
0040890A . EB 0C JMP SHORT Windows_.00408918
0040890C > 68 10F54300 PUSH Windows_.0043F510 ; 注册号无效
00408911 . 8BCE MOV ECX,ESI
00408913 . E8 69CD0100 CALL Windows_.00425681
00408918 > 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
0040891C . C74424 14 FFF>MOV DWORD PTR SS:[ESP+14],-1
00408924 . E8 7EE80100 CALL Windows_.004271A7
00408929 . 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
0040892D . 5E POP ESI
0040892E . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
00408935 . 83C4 14 ADD ESP,14
00408938 . C3 RETN
------------------CALL Windows_.00408760------------------------ ;这里要重复调用二次
00408760 /$ 6A FF PUSH -1
00408762 |. 68 F8FF4200 PUSH Windows_.0042FFF8 ; SE 处理程序安装
00408767 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0040876D |. 50 PUSH EAX
0040876E |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00408775 |. 83EC 18 SUB ESP,18
00408778 |. 53 PUSH EBX
00408779 |. 8B4C24 2C MOV ECX,DWORD PTR SS:[ESP+2C] ; 注册码给ECX
0040877D |. 33C0 XOR EAX,EAX
0040877F |. 894424 05 MOV DWORD PTR SS:[ESP+5],EAX
00408783 |. 33DB XOR EBX,EBX
00408785 |. 66:894424 09 MOV WORD PTR SS:[ESP+9],AX
0040878A |. 895C24 24 MOV DWORD PTR SS:[ESP+24],EBX
0040878E |. 884424 0B MOV BYTE PTR SS:[ESP+B],AL
00408792 |. 8B41 F8 MOV EAX,DWORD PTR DS:[ECX-8] ; 注册码位数给EAX
00408795 |. 83F8 10 CMP EAX,10 ; 注册码位数是否为16位数
00408798 |. 885C24 04 MOV BYTE PTR SS:[ESP+4],BL
0040879C |. 0F8C C0000000 JL Windows_.00408862
004087A2 |. 56 PUSH ESI
004087A3 |. 68 04010000 PUSH 104
004087A8 |. 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
004087AC |. E8 D8EC0100 CALL Windows_.00427489
004087B1 |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
004087B3 |. 33F6 XOR ESI,ESI
004087B5 |. 895424 10 MOV DWORD PTR SS:[ESP+10],EDX
004087B9 |. 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
004087BC |. 894C24 14 MOV DWORD PTR SS:[ESP+14],ECX
004087C0 |. 8B50 08 MOV EDX,DWORD PTR DS:[EAX+8]
004087C3 |. 895424 18 MOV DWORD PTR SS:[ESP+18],EDX
004087C7 |. 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
004087CA |. 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
004087CE |> 8A4C34 10 /MOV CL,BYTE PTR SS:[ESP+ESI+10]
004087D2 |. 51 |PUSH ECX
004087D3 |. E8 68FFFFFF |CALL Windows_.00408740
004087D8 |. 83C4 04 |ADD ESP,4
004087DB |. 884434 10 |MOV BYTE PTR SS:[ESP+ESI+10],AL
004087DF |. 46 |INC ESI
004087E0 |. 83FE 10 |CMP ESI,10
004087E3 |.^ 7C E9 \JL SHORT Windows_.004087CE
004087E5 |. 33C0 XOR EAX,EAX
004087E7 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
004087EB |. 5E POP ESI
004087EC |> 8A51 01 /MOV DL,BYTE PTR DS:[ECX+1]
004087EF |. 8A19 |MOV BL,BYTE PTR DS:[ECX]
004087F1 |. C0E2 04 |SHL DL,4
004087F4 |. 02D3 |ADD DL,BL
004087F6 |. 83C1 02 |ADD ECX,2
004087F9 |. 885404 04 |MOV BYTE PTR SS:[ESP+EAX+4],DL
004087FD |. 40 |INC EAX
004087FE |. 83F8 08 |CMP EAX,8
00408801 |.^ 7C E9 \JL SHORT Windows_.004087EC
(上面是把注册码每2位数交换例如:1234567890123456交换后的结果为2143658709214365)
00408803 |. 8A4424 07 MOV AL,BYTE PTR SS:[ESP+7]
00408807 |. 8A5C24 04 MOV BL,BYTE PTR SS:[ESP+4]
0040880B |. 8A4C24 0B MOV CL,BYTE PTR SS:[ESP+B]
0040880F |. 8A5424 05 MOV DL,BYTE PTR SS:[ESP+5]
00408813 |. 32C3 XOR AL,BL 异或运算
00408815 |. 8A5C24 06 MOV BL,BYTE PTR SS:[ESP+6]
00408819 |. 32CA XOR CL,DL 异或运算
0040881B |. 8A5424 09 MOV DL,BYTE PTR SS:[ESP+9]
0040881F |. 32D3 XOR DL,BL 异或运算
00408821 |. 8A5C24 08 MOV BL,BYTE PTR SS:[ESP+8]
00408825 |. 325C24 0A XOR BL,BYTE PTR SS:[ESP+A] 异或运算
00408829 |. 3C 39 CMP AL,39 ; 比较AL是否等于0x39
0040882B 75 35 JNZ SHORT Windows_.00408862 ; 爆破口
0040882D |. 80F9 6F CMP CL,6F ; 比较CL是否等于0x6F
00408830 75 30 JNZ SHORT Windows_.00408862 ; 爆破口
00408832 |. 80FA 4F CMP DL,4F ; 比较DL是否等于0x4F
00408835 75 2B JNZ SHORT Windows_.00408862 ; 爆破口
00408837 |. 80FB 1B CMP BL,1B ; 比较BL是否等于0x1B
0040883A 75 26 JNZ SHORT Windows_.00408862
0040883C |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
00408840 |. C74424 24 FFF>MOV DWORD PTR SS:[ESP+24],-1
00408848 |. E8 5AE90100 CALL Windows_.004271A7
0040884D |. B8 01000000 MOV EAX,1
00408852 |. 5B POP EBX
00408853 |. 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
00408857 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0040885E |. 83C4 24 ADD ESP,24
00408861 |. C3 RETN
00408862 |> 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
00408866 |. C74424 24 FFF>MOV DWORD PTR SS:[ESP+24],-1
0040886E |. E8 34E90100 CALL Windows_.004271A7
00408873 |. 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
00408877 |. 33C0 XOR EAX,EAX
00408879 |. 5B POP EBX
0040887A |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
00408881 |. 83C4 24 ADD ESP,24
00408884 \. C3 RETN
---------------------------------------------------------
C程序为:(太冗长,请不要见笑,如有更好的还请教了)
- #include <stdlib.h>
- #include <stdio.h>
- #include <time.h>
- #include <ctype.h>
- int main(void)
- { int num[4];
- static int str[16];
- int i;
- int a,b,c,d;
- time_t t;
- srand((unsigned) time(&t));
- for(i=0; i<4; i++)
- num[i]=rand() % 0x100;
- a=0x39^num[0];
- b=0x6f^num[1];
- c=0x4f^num[2];
- d=0x1b^num[3];
- str[0]=num[0]%0x10;
- str[1]=num[0]/0x10;
- str[2]=num[1]%0x10;
- str[3]=num[1]/0x10;
- str[4]=num[2]%0x10;
- str[5]=num[2]/0x10;
- str[6]=a%0x10;
- str[7]=a/0x10;
- str[8]=num[3]%0x10;
- str[9]=num[3]/0x10;
- str[10]=c%0x10;
- str[11]=c/0x10;
- str[12]=d%0x10;
- str[13]=d/0x10;
- str[14]=b%0x10;
- str[15]=b/0x10;
- printf("\n\n UPPER [ ");
- for (i=0;i<16;i++)
- printf("%x",str[i]);
- printf(" ]");
- getch();
- return 0;
- }
注:输入注册码时字母请输入大写字母。
注册信息保存在注册表中:
[HKEY_LOCAL_MACHINE\SOFTWARE\ngnsss]
"diskcleaner"="1234567890123456"
------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者信息并保持文章的完整, 谢谢! |
|
IP卡
发表于 2006-3-21 20:38:54
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2006-3-22 00:40:53
发表于 2006-3-22 06:48:29
发表于 2006-3-22 20:13:50