RAR Password Recovery 1.1 RC5
***************************
用OD(OllyDbg)... ...
0054334B 61 popad
0054334C - E9 4F71F7FF jmp urpwdr11.004BA4A0
...略
004BA4A0 55 push ebp ++++++++>Dump
004BA4A1 8BEC mov ebp, esp
004BA4A3 83C4 F0 add esp, -10
004BA4A6 53 push ebx
004BA4A7 B8 68A14B00 mov eax, urpwdr11.004BA168
-----------对比--------------------------
004BA49F 0055 8B add byte ptr ss:[ebp-75], dl
004BA4A2 EC in al, dx
004BA4A3 83C4 F0 add esp, -10
004BA4A6 53 push ebx
004BA4A7 B8 68A14B00 mov eax, urpwdr11.004BA168
==============================================================================================
ImportREC.exe 修复成功~~~~
Borland Delphi 6.0 - 7.0
SHA::000B5149::004B5149
===============================================================================================
由于我用的是猫(拨号上网)~~~,:)只好写上下载地址了:
http://as.onlinedown.net/down/rar-password-recovery.exe
(引用页
http://www.onlinedown.net/soft/14677.htm)
------------------------------------------------------------------------------------------------
004B2EA4 68 642F4B00 push urpwdr11.004B2F64 ; ASCII "Registration"
004B2EA9 68 742F4B00 push urpwdr11.004B2F74 ; ASCII "Registration successfull! Please restart the program..."
004B2EAE 8BC3 mov eax, ebx
004B2EB0 E8 4702FAFF call urpwdr11.004530FC
004B2EB5 50 push eax
004B2EB6 E8 C948F5FF call <jmp.&user32.#477>
004B2EBB A1 98F94D00 mov eax, dword ptr ds:[4DF998]
004B2EC0 E8 B360FBFF call urpwdr11.00468F78
004B2EC5 A1 34404D00 mov eax, dword ptr ds:[4D4034]
004B2ECA 8B00 mov eax, dword ptr ds:[eax]
004B2ECC E8 A760FBFF call urpwdr11.00468F78
004B2ED1 A1 00424D00 mov eax, dword ptr ds:[4D4200]
004B2ED6 8B00 mov eax, dword ptr ds:[eax]
004B2ED8 E8 AF98FBFF call urpwdr11.0046C78C
004B2EDD EB 19 jmp short urpwdr11.004B2EF8
004B2EDF 6A 40 push 40
004B2EE1 68 AC2F4B00 push urpwdr11.004B2FAC ; ASCII "Registration failed..."
004B2EE6 68 C42F4B00 push urpwdr11.004B2FC4 ; ASCII "Invalid registration code!"
-----------------------------------------------------------------------------------------------
call <jmp.&user32.#376> ; GetWindowTextA
call <jmp.&advapi32.#492> ; RegQueryValueExA
call <jmp.&advapi32.#493> ; RegQueryValueExW
call <jmp.&advapi32.#505> ; RegSetValueExA
call <jmp.&kernel32.#515> ; InitializeCriticalSection
^^^^^^^^^^^^^^^^^^注意相对应的冬冬^^^^^^^^^^^^^^^^^
004B7B0B 68 E47B4B00 push urpwdr11.004B7BE4 ; ASCII "SoftWare\Intelore\RAR Password Recovery"
------------------------------------------------------------------------------------------------
004B513B C706 01234567 mov dword ptr ds:[esi], 67452301
004B5141 C746 04 89ABCDE>mov dword ptr ds:[esi+4], EFCDAB89
004B5148 C746 08 FEDCBA9>mov dword ptr ds:[esi+8], 98BADCFE
004B514F C746 0C 7654321>mov dword ptr ds:[esi+C], 10325476
004B5156 C746 10 F0E1D2C>mov dword ptr ds:[esi+10], C3D2E1F0
004B515D 837D FC 00 cmp dword ptr ss:[ebp-4], 0
004B5161 76 16 jbe short urpwdr11.004B5179
fengxu 告诉我从0040CEDE 到 0040CEF2 处的4条MOV指令所使用的4个常数(67452301,EFCDAB89,98BADCFE,10325476)便是MD5的标志。很感谢他.
不知道在这个程序中这个MD5是干什么用的:)~~~菜,没办法了.请教大家. (注: 上面004B5156处还初始化了第5个常数C3D2E1F0, 而前面ImportREC那段给出的签名是SHA::000B5149::004B5149, 所以这段初始化也可能是SHA-1而不是MD5, 有待确认.)
-------------------------------------------------------------------------------------------------
爆破
--------------------------------------------------------------------- 模式 H -------------------------
ds:[00D6A531]=4C ('L')
004B6031 8078 01 29 cmp byte ptr ds:[eax+1], 29 <*>
004B6035 74 7E je short urpwdr11.004B60B5
004B6037 B9 01000000 mov ecx, 1
004B603C 8B45 FC mov eax, dword ptr ss:[ebp-4] <===2====|
004B603F 8A40 0A mov al, byte ptr ds:[eax+A]
004B6042 3A440E 09 cmp al, byte ptr ds:[esi+ecx+9]
004B6046 75 56 jnz short urpwdr11.004B609E ======1===>|9E ==>90 (75 56 ==>75 48) -- S --
004B6048 8B45 FC mov eax, dword ptr ss:[ebp-4]
004B604B 8A40 0B mov al, byte ptr ds:[eax+B]
004B604E 3A440E 0A cmp al, byte ptr ds:[esi+ecx+A]
004B6052 75 4A jnz short urpwdr11.004B609E ======1===>|
略... ( 全部验证通过才执行 >=004B6090=< )
004B6090 8BC1 mov eax, ecx
004B6092 BF 13000000 mov edi, 13
004B6097 99 cdq
004B6098 F7FF idiv edi
004B609A 85D2 test edx, edx
004B609C 75 17 jnz short urpwdr11.004B60B5 ----->|
004B609E 83C1 13 add ecx, 13 <=====================1====|
004B60A1 81F9 7B490000 cmp ecx, 497B
004B60A7 ^ 7E 93 jle short urpwdr11.004B603C ======2===>|
004B60A9 8BC3 mov eax, ebx
004B60AB BA 38614B00 mov edx, urpwdr11.004B6138 ; ASCII "&)"
004B60B0 E8 5BE9F4FF call urpwdr11.00404A10
004B60B5 33C0 xor eax, eax <------------------|
------------------------------------------------------------------------------------------------------
00D6AA59 29 <==========标记
查找
004B2E9C cmp byte ptr ds:[eax+1], 29
004B6031 cmp byte ptr ds:[eax+1], 29 <*>
004B64DD cmp byte ptr ds:[eax+1], 29
004B6DC9 cmp byte ptr ds:[eax+1], 29
004B6FBC cmp byte ptr ds:[eax+1], 29
004B7060 cmp byte ptr ds:[eax+1], 29
004B70C0 cmp byte ptr ds:[eax+1], 29
004B7145 cmp byte ptr ds:[eax+1], 29
004B7277 cmp byte ptr ds:[eax+1], 29
004B7958 cmp byte ptr ds:[eax+1], 29
004B7FB5 cmp byte ptr ds:[eax+1], 29
004B93B5 cmp byte ptr ds:[eax+1], 29
--------------------------------------------------------------------
从中找到类似模式 H 的-- S --语句:
ds:[00D6A765]=4C ('L')
004B93C9 /75 55 jnz short urpwdr11.004B9420 |20 ==>12 ( 75 55 ==>75 47 )
ds:[00D6BC81]=54 ('T')
004B64F5 /0F85 05010000 jnz urpwdr11.004B6600 |6600 ==>65F2 ( 0501 ==>F700 )
--------------------------------------------------------------------------------------------------------
mov al, byte ptr ds:[eax+X] {0-18}
00D6A5B3 -- -- -- -- -- 4B 1B 6A 44 21 FE 7E D1 5A 38 99
00D6A5C3 53 70 85 46 C3 B0 B7 3C -- -- -- -- -- -- -- --
---------------------------------------------------------------------------------------------------------
cmp al, byte ptr ds:[esi+ecx+X] {0-18}
004CF4DF -- -- -- -- -- 2A 8A BD 11 C7 22 61 78 AF 09 A6 ====> 一张表
004CF4EF 56 44 BD 7B 87 38 79 7F -- -- -- -- -- -- -- --
--------------------------------------------------------------------------------------------------------
共3处检测~~~~~~~~我就只知道这些了
================================================================================================
我把我知道的都说了,期待大家把它down下来,自己看看,大家讨论讨论,我是一个菜虫,没有高人指点,希望在大家的讨论中长些知识,比如说如何得出算法咯,看看我有没有写错咯:).好久没有豁然开朗的感觉了:)
Crack论坛 的前辈都不来了吗?还是另有一片天地啊?我很想念他们的帖子,感觉是在享受世界的美景.