[原创]A+ Pop Up Blocker 2.1 - MD5算法分析
发表于:
2005-5-12 13:03
[原创]A+ Pop Up Blocker 2.1 - MD5算法分析
【破文标题】:A+ Pop Up Blocker 2.1 -- MD5算法分析
【破文作者】:KuNgBiM[DFCG]
【作者邮箱】:gb_1227@163.com
【软件名称】:A+ Pop Up Blocker 2.1
【软件大小】:450 KB
【软件类别】:国外软件 / 共享版 / 浏览辅助
【下载地址】:http://www.amplusnet.com/
【软件简介】:A+ Pop Up Blocker 可以屏蔽网页中的弹出广告窗口,从而提高你的网络浏览速度。
【保护方式】:注册码+试用时间限制
【编译语言】:Microsoft Visual C++ 7.0 [Debug]
【调试环境】:WinXP、PEiD、W32Dasm、Ollydbg
【破解日期】:2005-05-12
【破解目的】:研究算法分析
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
―――――――――――――――――――――――――――――――――
【破解过程】:
侦测:用PEiD查壳,无壳,Microsoft Visual C++ 7.0 [Debug] 编译。
试探:运行主程序注册,输入Name、Email、Key,确认!程序提示"The registration key is not valid!"
初步下药:使出法宝,用W32Dasm进行静态反汇编,查找"The registration key is not valid!"字符串,结果什么都没找到!(郁闷~)
对症下药:Ollydbg载入主程序,加载完毕后,搜索--->所有的参考文本字符串"The registration key is not valid!",双击来到004042D3,
向上来到 004040E9 处下断,F9运行,输入注册信息:
Name:KuNgBiM
Email:gb_1227@163.com
Key:9876543210
点击确定OD中断在:
; Excerpt from the registration handler; the function begins before 004040E0 (not shown).
; This part creates a local string and reads the "idTextName" input into the local at [esp+10].
; NOTE(review): the data pointer at (object + 0x10) and the counter at header+0xC used further
; down look like ATL/MFC CString bookkeeping — inferred from the pattern, confirm.
004040E0 E8 D8A10100      call PopUpBlo.0041E2BD
004040E5 8B10             mov edx,dword ptr ds:[eax]
004040E7 8BC8             mov ecx,eax
004040E9 FF52 0C          call dword ptr ds:[edx+C]  // breakpoint hits here; everything below was single-stepped with F8
004040EC 83C0 10          add eax,10
004040EF 894424 18        mov dword ptr ss:[esp+18],eax  ; local string slot, later filled with the entered key
; 00428BA0 is called with ecx = esi and the arguments ("idTextName", &out), out = [esp+44].
004040F3 8D4424 44        lea eax,dword ptr ss:[esp+44]
004040F7 50               push eax
004040F8 68 20034300      push PopUpBlo.00430320  ; ASCII "idTextName" // used to check whether a user name was entered
004040FD 8BCE             mov ecx,esi
004040FF C64424 44 03     mov byte ptr ss:[esp+44],3  ; presumably the C++ exception-state byte — TODO confirm
00404104 E8 974A0200      call PopUpBlo.00428BA0
; Call through vtable slot 0x20 of the returned object with (obj, L"value", 0, &result).
; NOTE(review): this argument shape is consistent with COM IHTMLElement::getAttribute,
; which would mean the dialog is HTML-based — confirm.
00404109 8B4424 44        mov eax,dword ptr ss:[esp+44]
0040410D 8B08             mov ecx,dword ptr ds:[eax]
0040410F 8D5424 24        lea edx,dword ptr ss:[esp+24]
00404113 52               push edx
00404114 6A 00            push 0
00404116 68 B8054300      push PopUpBlo.004305B8  ; UNICODE "value" // attribute holding the entered user name
0040411B 50               push eax
0040411C FF51 20          call dword ptr ds:[ecx+20]
; 00403680 receives ecx = local at [esp+10] (esp+14 after the push) and the fetched value.
0040411F 8D4424 24        lea eax,dword ptr ss:[esp+24]
00404123 50               push eax  // user name pushed for later use
00404124 8D4C24 14        lea ecx,dword ptr ss:[esp+14]
00404128 E8 53F5FFFF      call PopUpBlo.00403680
; Reads the second input into the local at [esp+14], using the same three-call sequence as for the name.
; The element id is "idTextCompany"; the author's notes treat this field as the e-mail address.
0040412D 8D4C24 44        lea ecx,dword ptr ss:[esp+44]
00404131 51               push ecx
00404132 68 7C024300      push PopUpBlo.0043027C  ; ASCII "idTextCompany" // used to check whether an e-mail was entered
00404137 8BCE             mov ecx,esi
00404139 E8 624A0200      call PopUpBlo.00428BA0
; Vtable slot 0x20 with (obj, L"value", 0, &result at [esp+24]).
0040413E 8B4424 44        mov eax,dword ptr ss:[esp+44]
00404142 8B10             mov edx,dword ptr ds:[eax]
00404144 8D4C24 24        lea ecx,dword ptr ss:[esp+24]
00404148 51               push ecx
00404149 6A 00            push 0
0040414B 68 B8054300      push PopUpBlo.004305B8  ; UNICODE "value" // attribute holding the entered e-mail
00404150 50               push eax
00404151 FF52 20          call dword ptr ds:[edx+20]
; 00403680 receives ecx = local at [esp+14] (esp+18 after the push) and the fetched value.
00404154 8D5424 24        lea edx,dword ptr ss:[esp+24]
00404158 52               push edx  // e-mail pushed for later use
00404159 8D4C24 18        lea ecx,dword ptr ss:[esp+18]
0040415D E8 1EF5FFFF      call PopUpBlo.00403680
; Reads the "idTextKey" input (the key typed by the user) into the local at [esp+18],
; using the same three-call sequence as for the other two fields.
00404162 8D4424 44        lea eax,dword ptr ss:[esp+44]
00404166 50               push eax
00404167 68 E4014300      push PopUpBlo.004301E4  ; ASCII "idTextKey" // used to check whether a key was entered
0040416C 8BCE             mov ecx,esi
0040416E E8 2D4A0200      call PopUpBlo.00428BA0
; Vtable slot 0x20 with (obj, L"value", 0, &result at [esp+24]).
00404173 8B4424 44        mov eax,dword ptr ss:[esp+44]
00404177 8B08             mov ecx,dword ptr ds:[eax]
00404179 8D5424 24        lea edx,dword ptr ss:[esp+24]
0040417D 52               push edx
0040417E 6A 00            push 0
00404180 68 B8054300      push PopUpBlo.004305B8  ; UNICODE "value" // attribute holding the entered key
00404185 50               push eax
00404186 FF51 20          call dword ptr ds:[ecx+20]
; 00403680 receives ecx = local at [esp+18] (esp+1C after the push) and the fetched value.
00404189 8D4424 24        lea eax,dword ptr ss:[esp+24]
0040418D 50               push eax  // entered key pushed for later use
0040418E 8D4C24 1C        lea ecx,dword ptr ss:[esp+1C]
00404192 E8 E9F4FFFF      call PopUpBlo.00403680
; Core of the check: build "AmplusnetAPlus20" + name, hash it, and compare the hex digest
; with the entered key. The eight dwords pushed here are only cleaned up by the
; `add esp,20` at 004041DB, so the esp-relative offsets below shift with every push.
00404197 8D4C24 10        lea ecx,dword ptr ss:[esp+10]  ; address of the name string local
0040419B 51               push ecx
0040419C 8D5424 24        lea edx,dword ptr ss:[esp+24]  ; temporary that receives the concatenation
004041A0 68 94044300      push PopUpBlo.00430494  ; ASCII "AmplusnetAPlus20" // fixed string pushed for later use
004041A5 52               push edx
004041A6 E8 15F6FFFF      call PopUpBlo.004037C0  // concatenates the fixed string and the user name into a new string
004041AB 8B6C24 1C        mov ebp,dword ptr ss:[esp+1C]  ; ebp = name buffer (the [esp+10] local, three pushes later)
004041AF 8B4D F4          mov ecx,dword ptr ss:[ebp-C]  ; presumably the name length field of the string header — TODO confirm
004041B2 8B00             mov eax,dword ptr ds:[eax]  ; ASCII "AmplusnetAPlus20KuNgBiM"
004041B4 83C1 10          add ecx,10  ; + 0x10 = length of the 16-character fixed prefix
004041B7 51               push ecx
004041B8 50               push eax  // the new string is pushed again
004041B9 8D4424 30        lea eax,dword ptr ss:[esp+30]  ; output string for the digest
004041BD 50               push eax
004041BE C64424 54 04     mov byte ptr ss:[esp+54],4
004041C3 E8 68E3FFFF      call PopUpBlo.00402530  // converts the pushed string to its MD5 hex digest; hashing call, stepped into below
004041C8 8B00             mov eax,dword ptr ds:[eax]  ; ASCII "f4d0c4f350a132c8e2bc9451fab178f3"
004041CA 8B7C24 30        mov edi,dword ptr ss:[esp+30]  ; edi = entered key buffer (the [esp+18] local)
; The expected value is a plaintext string in memory from here on; the decision is a
; plain string comparison performed on the client.
004041CE 50               push eax  // computed (expected) key pushed; the author's "memory keygen" point
004041CF 57               push edi  // entered key pushed
004041D0 E8 DCD20000      call PopUpBlo.004114B1  // comparison call
; Turns the comparison result into a boolean in bl, releases the two temporary strings,
; then branches on bl.
004041D5 8BD8             mov ebx,eax  ; ebx = result of the comparison call
004041D7 8B4424 3C        mov eax,dword ptr ss:[esp+3C]  ; ASCII "f4d0c4f350a132c8e2bc9451fab178f3"
004041DB 83C4 20          add esp,20  ; drops the eight dwords pushed for the three preceding calls
; neg sets CF when ebx != 0; sbb bl,bl gives 0xFF or 0; inc bl gives 0 (mismatch) or 1 (match).
004041DE F7DB             neg ebx
004041E0 1ADB             sbb bl,bl
004041E2 83C0 F0          add eax,-10  ; step back from the character data to the 0x10-byte header
004041E5 FEC3             inc bl
; Release pattern: atomically add -1 to the dword at header+0xC; when the new value is
; not greater than 0, call slot 4 of the vtable of the object stored at [header], passing the header.
004041E7 8D48 0C          lea ecx,dword ptr ds:[eax+C]
004041EA 83CA FF          or edx,FFFFFFFF
004041ED F0:0FC111        lock xadd dword ptr ds:[ecx],edx
004041F1 4A               dec edx
004041F2 85D2             test edx,edx
004041F4 7F 08            jg short PopUpBlo.004041FE
004041F6 8B08             mov ecx,dword ptr ds:[eax]
004041F8 8B11             mov edx,dword ptr ds:[ecx]
004041FA 50               push eax
004041FB FF52 04          call dword ptr ds:[edx+4]
; Same release pattern for the concatenated string.
004041FE 8B4424 20        mov eax,dword ptr ss:[esp+20]  ; ASCII "AmplusnetAPlus20KuNgBiM"
00404202 83C0 F0          add eax,-10
00404205 C64424 3C 03     mov byte ptr ss:[esp+3C],3
0040420A 8D48 0C          lea ecx,dword ptr ds:[eax+C]
0040420D 83CA FF          or edx,FFFFFFFF
00404210 F0:0FC111        lock xadd dword ptr ds:[ecx],edx
00404214 4A               dec edx
00404215 85D2             test edx,edx
00404217 7F 08            jg short PopUpBlo.00404221
00404219 8B08             mov ecx,dword ptr ds:[eax]
0040421B 8B11             mov edx,dword ptr ds:[ecx]
0040421D 50               push eax
0040421E FF52 04          call dword ptr ds:[edx+4]
; The whole registration outcome depends on this one flag test and branch:
; bl == 0 goes to the "not valid" message at 004042CC.
00404221 84DB             test bl,bl
00404223 > 0F84 A3000000  je PopUpBlo.004042CC  // author: the registration check's patch point
; Success path (bl != 0). The same sequence runs three times: reserve a stack slot with
; `push ecx`, call 00401D90 on a string header (buffer - 0x10), write (result + 0x10) into
; the reserved slot, and call 00405FE0 with ecx pointing at a global object.
; NOTE(review): this looks like passing a string copy by value to a setter; the three
; globals presumably hold the name, e-mail and key — confirm against 00405FE0.
00404229 51               push ecx
0040422A 8D45 F0          lea eax,dword ptr ss:[ebp-10]  ; ebp is the name buffer loaded at 004041AB
0040422D 896424 24        mov dword ptr ss:[esp+24],esp
00404231 8BDC             mov ebx,esp  ; ebx = address of the reserved slot
00404233 50               push eax
00404234 E8 57DBFFFF      call PopUpBlo.00401D90
00404239 83C0 10          add eax,10
0040423C 83C4 04          add esp,4
0040423F B9 98E74300      mov ecx,PopUpBlo.0043E798
00404244 8903             mov dword ptr ds:[ebx],eax
00404246 E8 951D0000      call PopUpBlo.00405FE0
0040424B 8B4424 14        mov eax,dword ptr ss:[esp+14]  ; second input field (the author's e-mail)
0040424F 51               push ecx
00404250 83C0 F0          add eax,-10
00404253 896424 24        mov dword ptr ss:[esp+24],esp
00404257 8BDC             mov ebx,esp
00404259 50               push eax
0040425A E8 31DBFFFF      call PopUpBlo.00401D90
0040425F 83C0 10          add eax,10
00404262 83C4 04          add esp,4
00404265 B9 B8E74300      mov ecx,PopUpBlo.0043E7B8
0040426A 8903             mov dword ptr ds:[ebx],eax
0040426C E8 6F1D0000      call PopUpBlo.00405FE0
00404271 51               push ecx
00404272 8D47 F0          lea eax,dword ptr ds:[edi-10]  ; edi is the entered key buffer loaded at 004041CA
00404275 896424 24        mov dword ptr ss:[esp+24],esp
00404279 8BDC             mov ebx,esp
0040427B 50               push eax
0040427C E8 0FDBFFFF      call PopUpBlo.00401D90
00404281 83C0 10          add eax,10
00404284 83C4 04          add esp,4
00404287 B9 F8E74300      mov ecx,PopUpBlo.0043E7F8
0040428C 8903             mov dword ptr ds:[ebx],eax
0040428E E8 4D1D0000      call PopUpBlo.00405FE0
; Success message: (text, caption, 0x40) passed to 00420FF5 with ecx = esi.
; NOTE(review): 0x40 equals MB_ICONINFORMATION if 00420FF5 is a MessageBox wrapper — confirm.
00404293 6A 40            push 40
00404295 68 50F74200      push PopUpBlo.0042F750  ; ASCII "A+ PopUp Blocker"
0040429A 68 8C054300      push PopUpBlo.0043058C  ; ASCII "A+ PopUp Blocker registration successful!"
0040429F 8BCE             mov ecx,esi
004042A1 E8 4FCD0100      call PopUpBlo.00420FF5
004042A6 68 8D000000      push 8D
004042AB 8BCE             mov ecx,esi
004042AD E8 DF4F0200      call PopUpBlo.00429291
; Two more globals receive the argument 1 through 00405A40; their meaning is not visible here.
004042B2 6A 01            push 1
004042B4 B9 18E74300      mov ecx,PopUpBlo.0043E718
004042B9 E8 82170000      call PopUpBlo.00405A40
004042BE 6A 01            push 1
004042C0 B9 58E74300      mov ecx,PopUpBlo.0043E758
004042C5 E8 76170000      call PopUpBlo.00405A40
004042CA EB 13            jmp short PopUpBlo.004042DF  ; skips the failure message
; Failure path, reached from the `je` at 00404223. The arguments (text, caption, 0x30) are set
; up the same way as for the success message; the call itself lies past the end of the excerpt.
; NOTE(review): 0x30 equals MB_ICONEXCLAMATION if the callee is a MessageBox wrapper — confirm.
004042CC 6A 30            push 30
004042CE 68 50F74200      push PopUpBlo.0042F750  ; ASCII "A+ PopUp Blocker"
004042D3 68 68054300      push PopUpBlo.00430568  ; ASCII "The registration key is not valid!" // the string found by the text search
004042D8 8BCE             mov ecx,esi
=========================================================================================================
程序对"固定字符串+用户名"计算MD5,再把得到的32位十六进制字符串(真码)与用户输入的注册码(假码)做明文字符串比较。
即典型的 MD5(注册信息)=注册码 方案:校验完全在客户端完成,正确的注册码会以明文出现在内存中。
=========================================================================================================
===================
跟进:004041C3 E8 68E3FFFF call PopUpBlo.00402530 ===========================
; PopUpBlo.00402530 — hashes a buffer and returns the digest as a string.
; Stack arguments, as pushed by the caller at 004041B7-004041BD: output string, data pointer,
; length. Returns eax = the output string pointer. The 0x70 bytes of frame are removed before
; `retn`; the arguments themselves are left for the caller to clean up.
; The hash context is a local object at [esp+14]: +0x04 64-byte block buffer, +0x44 and +0x48
; two counter dwords, +0x4C four state dwords.
00402530 6A FF            push -1
00402532 68 28CC4200      push PopUpBlo.0042CC28  ; exception handler for the SEH frame
00402537 64:A1 00000000   mov eax,dword ptr fs:[0]
0040253D 50               push eax
0040253E 64:8925 0000000> mov dword ptr fs:[0],esp  ; link the new SEH frame
00402545 83EC 64          sub esp,64
00402548 A1 48D64300      mov eax,dword ptr ds:[43D648]  ; global saved on the stack and re-checked before return
0040254D 53               push ebx
0040254E 8B5C24 7C        mov ebx,dword ptr ss:[esp+7C]  ; ebx = data pointer argument
00402552 55               push ebp
00402553 56               push esi
00402554 8BB424 88000000  mov esi,dword ptr ss:[esp+88]  ; esi = length argument
0040255B 57               push edi
0040255C 33ED             xor ebp,ebp
0040255E 55               push ebp
0040255F 56               push esi
00402560 894424 78        mov dword ptr ss:[esp+78],eax  ; store the [43D648] value just below the SEH frame
00402564 53               push ebx
00402565 896C24 1C        mov dword ptr ss:[esp+1C],ebp
00402569 E8 83B30100      call PopUpBlo.0041D8F1  ; helper taking (data, length, 0); purpose not visible here
; Construct the context: zero the 16-dword block buffer and both counters, then load the state.
0040256E B9 10000000      mov ecx,10
00402573 33C0             xor eax,eax
00402575 8D7C24 18        lea edi,dword ptr ss:[esp+18]
00402579 C74424 14 BCF54> mov dword ptr ss:[esp+14],PopUpBlo.0042F5B>  ; operand truncated by the debugger column; presumably the vtable pointer
00402581 F3:AB            rep stos dword ptr es:[edi]
00402583 896C24 5C        mov dword ptr ss:[esp+5C],ebp
00402587 896C24 58        mov dword ptr ss:[esp+58],ebp
; The four constants are the MD5 initial chaining values A, B, C, D from RFC 1321.
0040258B C74424 60 01234> mov dword ptr ss:[esp+60],67452301
00402593 C74424 64 89ABC> mov dword ptr ss:[esp+64],EFCDAB89
0040259B C74424 68 FEDCB> mov dword ptr ss:[esp+68],98BADCFE
004025A3 C74424 6C 76543> mov dword ptr ss:[esp+6C],10325476
; Feed the input: 00401920 is called with ecx = context and (data, length).
004025AB 56               push esi
004025AC 53               push ebx
004025AD 8D4C24 1C        lea ecx,dword ptr ss:[esp+1C]
004025B1 89AC24 84000000  mov dword ptr ss:[esp+84],ebp
004025B8 E8 63F3FFFF      call PopUpBlo.00401920
; Finish and format: 004022F0 is called with ecx = context and the output string argument.
004025BD 8BB424 84000000  mov esi,dword ptr ss:[esp+84]  ; esi = output string argument
004025C4 56               push esi
004025C5 8D4C24 18        lea ecx,dword ptr ss:[esp+18]
004025C9 E8 22FDFFFF      call PopUpBlo.004022F0
004025CE 8B4C24 74        mov ecx,dword ptr ss:[esp+74]  ; previous SEH frame pointer
004025D2 5F               pop edi
004025D3 8BC6             mov eax,esi  ; return value = output string pointer
004025D5 5E               pop esi
004025D6 5D               pop ebp
004025D7 64:890D 0000000> mov dword ptr fs:[0],ecx  ; unlink the SEH frame
004025DE 8B4C24 64        mov ecx,dword ptr ss:[esp+64]  ; reload the value stored at 00402560
004025E2 5B               pop ebx
; NOTE(review): ecx holds the value read from [43D648] at entry and this call sits directly
; before the return, which matches the MSVC /GS stack-cookie check rather than a hash routine.
; The hashing itself is done by the calls at 004025B8 (00401920) and 004025C9 (004022F0).
004025E3 E8 A1E20000      call PopUpBlo.00410889  // author's note: "calls the MD5 function, the algorithm call, step in [standard MD5]"
004025E8 83C4 70          add esp,70
004025EB C3               retn
===================
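跟进 004025C9 E8 22FDFFFF call PopUpBlo.004022F0 [MD5 收尾并生成十六进制字符串] ==================
(注:下面的代码从 004022F0 开始,对应的是 004025C9 处的调用;004025E3 处的 call PopUpBlo.00410889 以函数入口处保存的 [43D648] 值作为 ecx 参数,且紧挨在返回之前,看起来是编译器的 /GS 栈 cookie 校验,而不是 MD5 运算。)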
; PopUpBlo.004022F0 — finishes the hash and builds the hex string (this excerpt: prologue
; and the copy of the two counter dwords). Called with ecx = hash context and one stack
; argument, the output string; the function ends with `retn 4` at 00402527.
004022F0 6A FF            push -1  ; Md5
004022F2 68 08CC4200      push PopUpBlo.0042CC08  ; exception handler for the SEH frame
004022F7 64:A1 00000000   mov eax,dword ptr fs:[0]
004022FD 50               push eax
004022FE 64:8925 0000000> mov dword ptr fs:[0],esp  ; link the new SEH frame
00402305 83EC 24          sub esp,24
00402308 A1 48D64300      mov eax,dword ptr ds:[43D648]  ; global saved on the stack and re-checked before return
0040230D 53               push ebx
0040230E 55               push ebp
0040230F 56               push esi
00402310 57               push edi
00402311 8BF1             mov esi,ecx  ; esi = hash context
00402313 33FF             xor edi,edi
00402315 894424 30        mov dword ptr ss:[esp+30],eax
00402319 897C24 18        mov dword ptr ss:[esp+18],edi
; Copy 8 bytes from context+0x44 to the local at [esp+18], four bytes per iteration.
; In the MD5 reference design this is the message length in bits — TODO confirm.
0040231D 33C9             xor ecx,ecx
0040231F 8D46 46          lea eax,dword ptr ds:[esi+46]  ; eax-2 = context+0x44
00402322 8A50 FE          mov dl,byte ptr ds:[eax-2]
00402325 88540C 18        mov byte ptr ss:[esp+ecx+18],dl
00402329 8A50 FF          mov dl,byte ptr ds:[eax-1]
0040232C 88540C 19        mov byte ptr ss:[esp+ecx+19],dl
00402330 8A10             mov dl,byte ptr ds:[eax]
00402332 88540C 1A        mov byte ptr ss:[esp+ecx+1A],dl
00402336 8A50 01          mov dl,byte ptr ds:[eax+1]
00402339 88540C 1B        mov byte ptr ss:[esp+ecx+1B],dl
0040233D 83C1 04          add ecx,4
00402340 83C0 04          add eax,4
00402343 83F9 08          cmp ecx,8
00402346 ^ 72 DA          jb short PopUpBlo.00402322
; Padding step. index = ([context+0x44] >> 3) & 0x3F; the pad length is 0x38 - index when
; index < 0x38, otherwise 0x78 - index. That many bytes from the table at 0043C118 are fed to
; 00401920, followed by the 8 bytes saved at [esp+18]. This matches MD5 finalisation in RFC 1321.
00402348 8B4E 44          mov ecx,dword ptr ds:[esi+44]
0040234B C1E9 03          shr ecx,3
0040234E 83E1 3F          and ecx,3F
00402351 83F9 38          cmp ecx,38
00402354 B8 38000000      mov eax,38
00402359 72 05            jb short PopUpBlo.00402360
0040235B B8 78000000      mov eax,78
00402360 2BC1             sub eax,ecx  ; eax = pad length
00402362 50               push eax
00402363 68 18C14300      push PopUpBlo.0043C118  ; padding source; contents not shown on this page
00402368 8BCE             mov ecx,esi
0040236A E8 B1F5FFFF      call PopUpBlo.00401920
0040236F 6A 08            push 8
00402371 8D4424 1C        lea eax,dword ptr ss:[esp+1C]  ; the 8 bytes copied from context+0x44
00402375 50               push eax
00402376 8BCE             mov ecx,esi
00402378 E8 A3F5FFFF      call PopUpBlo.00401920
; Copy 16 bytes from context+0x4C (the four state dwords) to the local at [esp+20],
; four bytes per iteration. After the padding calls these bytes are the digest.
0040237D 33C9             xor ecx,ecx
0040237F 8D46 4E          lea eax,dword ptr ds:[esi+4E]  ; eax-2 = context+0x4C
00402382 8A50 FE          mov dl,byte ptr ds:[eax-2]
00402385 88540C 20        mov byte ptr ss:[esp+ecx+20],dl
00402389 8A50 FF          mov dl,byte ptr ds:[eax-1]
0040238C 88540C 21        mov byte ptr ss:[esp+ecx+21],dl
00402390 8A10             mov dl,byte ptr ds:[eax]
00402392 88540C 22        mov byte ptr ss:[esp+ecx+22],dl
00402396 8A50 01          mov dl,byte ptr ds:[eax+1]
00402399 88540C 23        mov byte ptr ss:[esp+ecx+23],dl
0040239D 83C1 04          add ecx,4
004023A0 83C0 04          add eax,4
004023A3 83F9 10          cmp ecx,10
004023A6 ^ 72 DA          jb short PopUpBlo.00402382
; Hex formatting. An empty result string is created at [esp+14]; then, for edi = 0..15, a
; temporary string at [esp+10] receives two hex digits for digest byte [esp+edi+20] and is
; appended to the result. The three cases ("00", "0%x", "%x") together behave like "%02x",
; so the output is 32 lower-case hex characters.
004023A8 E8 10BF0100      call PopUpBlo.0041E2BD
004023AD 8B10             mov edx,dword ptr ds:[eax]
004023AF 8BC8             mov ecx,eax
004023B1 FF52 0C          call dword ptr ds:[edx+C]
004023B4 83C0 10          add eax,10
004023B7 894424 14        mov dword ptr ss:[esp+14],eax  ; result string
004023BB 897C24 3C        mov dword ptr ss:[esp+3C],edi
004023BF BB 01000000      mov ebx,1
; Loop top: create the per-byte temporary string.
004023C4 E8 F4BE0100      call PopUpBlo.0041E2BD
004023C9 8B10             mov edx,dword ptr ds:[eax]
004023CB 8BC8             mov ecx,eax
004023CD FF52 0C          call dword ptr ds:[edx+C]
004023D0 83C0 10          add eax,10
004023D3 894424 10        mov dword ptr ss:[esp+10],eax  ; temporary string
004023D7 8A443C 20        mov al,byte ptr ss:[esp+edi+20]  ; al = digest byte number edi
004023DB 84C0             test al,al
004023DD 885C24 3C        mov byte ptr ss:[esp+3C],bl
004023E1 75 41            jnz short PopUpBlo.00402424
; Byte == 0: build a string from the literal "00" (00402240), assign it to the temporary
; (00402170), then release the intermediate string.
004023E3 68 C8F54200      push PopUpBlo.0042F5C8  ; ASCII "00"
004023E8 8D4C24 1C        lea ecx,dword ptr ss:[esp+1C]
004023EC E8 4FFEFFFF      call PopUpBlo.00402240
004023F1 50               push eax
004023F2 8D4C24 14        lea ecx,dword ptr ss:[esp+14]
004023F6 C64424 40 02     mov byte ptr ss:[esp+40],2
004023FB E8 70FDFFFF      call PopUpBlo.00402170
00402400 8B4424 18        mov eax,dword ptr ss:[esp+18]
00402404 83C0 F0          add eax,-10
00402407 885C24 3C        mov byte ptr ss:[esp+3C],bl
0040240B 8D48 0C          lea ecx,dword ptr ds:[eax+C]
0040240E 83CA FF          or edx,FFFFFFFF
00402411 F0:0FC111        lock xadd dword ptr ds:[ecx],edx  ; atomic decrement of the counter at header+0xC
00402415 4A               dec edx
00402416 85D2             test edx,edx
00402418 7F 34            jg short PopUpBlo.0040244E
0040241A 8B08             mov ecx,dword ptr ds:[eax]
0040241C 8B11             mov edx,dword ptr ds:[ecx]
0040241E 50               push eax
0040241F FF52 04          call dword ptr ds:[edx+4]
00402422 EB 2A            jmp short PopUpBlo.0040244E
; Byte != 0: values up to 0x0F use "0%x", larger values use "%x"; 00402220 is called with
; (&temporary, format, value) and the caller removes the three arguments.
00402424 3C 0F            cmp al,0F
00402426 77 10            ja short PopUpBlo.00402438
00402428 0FB6C0           movzx eax,al
0040242B 50               push eax
0040242C 68 C4F54200      push PopUpBlo.0042F5C4  ; ASCII "0%x"
00402431 8D4C24 18        lea ecx,dword ptr ss:[esp+18]
00402435 51               push ecx
00402436 EB 0E            jmp short PopUpBlo.00402446
00402438 0FB6D0           movzx edx,al
0040243B 52               push edx
0040243C 68 C0F54200      push PopUpBlo.0042F5C0  ; ASCII "%x"
00402441 8D4424 18        lea eax,dword ptr ss:[esp+18]
00402445 50               push eax
00402446 E8 D5FDFFFF      call PopUpBlo.00402220
0040244B 83C4 0C          add esp,0C
; Append the temporary to the result: 00402070 gets ecx = &result and (buffer, [buffer-0xC]).
0040244E 8B7424 10        mov esi,dword ptr ss:[esp+10]
00402452 8B46 F4          mov eax,dword ptr ds:[esi-C]  ; presumably the length field of the string header — TODO confirm
00402455 50               push eax
00402456 56               push esi
00402457 8D4C24 1C        lea ecx,dword ptr ss:[esp+1C]
0040245B E8 10FCFFFF      call PopUpBlo.00402070
; Release the temporary with the same counter-decrement pattern.
00402460 8D46 F0          lea eax,dword ptr ds:[esi-10]
00402463 C64424 3C 00     mov byte ptr ss:[esp+3C],0
00402468 8D48 0C          lea ecx,dword ptr ds:[eax+C]
0040246B 83CA FF          or edx,FFFFFFFF
0040246E F0:0FC111        lock xadd dword ptr ds:[ecx],edx
00402472 4A               dec edx
00402473 85D2             test edx,edx
00402475 7F 08            jg short PopUpBlo.0040247F
00402477 8B08             mov ecx,dword ptr ds:[eax]
00402479 8B11             mov edx,dword ptr ds:[ecx]
0040247B 50               push eax
0040247C FF52 04          call dword ptr ds:[edx+4]
0040247F 47               inc edi
00402480 83FF 10          cmp edi,10
00402483 ^ 0F8C 3BFFFFFF  jl PopUpBlo.004023C4  // loops back 16 times, producing the 32-character key
; Hands the result string to the caller and tears down the frame. ebp is moved back to the
; string header; either the counter at header+0xC is incremented (shared copy) or a new
; buffer is obtained and [header+4] + 1 bytes are copied. The data pointer is then stored
; through the output argument at [esp+44].
00402489 8B6C24 14        mov ebp,dword ptr ss:[esp+14]  ; ASCII "f4d0c4f350a132c8e2bc9451fab178f3"
0040248D 8B4D F0          mov ecx,dword ptr ss:[ebp-10]  ; object pointer stored at the start of the header
00402490 8B01             mov eax,dword ptr ds:[ecx]
00402492 83C5 F0          add ebp,-10  ; ebp = string header
00402495 FF50 10          call dword ptr ds:[eax+10]
00402498 8B55 0C          mov edx,dword ptr ss:[ebp+C]
0040249B 85D2             test edx,edx
0040249D 8D4D 0C          lea ecx,dword ptr ss:[ebp+C]
004024A0 7C 0D            jl short PopUpBlo.004024AF  ; negative counter: take the copy path
004024A2 3B45 00          cmp eax,dword ptr ss:[ebp]
004024A5 75 08            jnz short PopUpBlo.004024AF  ; different owner object: take the copy path
004024A7 8BC5             mov eax,ebp
004024A9 F0:0FC119        lock xadd dword ptr ds:[ecx],ebx  ; ebx = 1: atomic increment of the counter
004024AD EB 32            jmp short PopUpBlo.004024E1
; Copy path: slot 0 of the object returned above is called with ([header+4], 1);
; a null result leads to 00401BF0.
004024AF 8B4D 04          mov ecx,dword ptr ss:[ebp+4]
004024B2 8B10             mov edx,dword ptr ds:[eax]
004024B4 53               push ebx
004024B5 51               push ecx
004024B6 8BC8             mov ecx,eax
004024B8 FF12             call dword ptr ds:[edx]
004024BA 85C0             test eax,eax
004024BC 75 05            jnz short PopUpBlo.004024C3
004024BE E8 2DF7FFFF      call PopUpBlo.00401BF0
004024C3 8B55 04          mov edx,dword ptr ss:[ebp+4]
004024C6 8950 04          mov dword ptr ds:[eax+4],edx
004024C9 8B4D 04          mov ecx,dword ptr ss:[ebp+4]
004024CC 41               inc ecx  ; one extra byte, presumably the terminating NUL
004024CD 8BD1             mov edx,ecx
004024CF C1E9 02          shr ecx,2
004024D2 8D75 10          lea esi,dword ptr ss:[ebp+10]
004024D5 8D78 10          lea edi,dword ptr ds:[eax+10]
004024D8 F3:A5            rep movs dword ptr es:[edi],dword ptr ds:[>  ; whole dwords first (operand truncated by the debugger column)
004024DA 8BCA             mov ecx,edx
004024DC 83E1 03          and ecx,3
004024DF F3:A4            rep movs byte ptr es:[edi],byte ptr ds:[es>  ; then the remaining 0-3 bytes
004024E1 8B7424 44        mov esi,dword ptr ss:[esp+44]  ; esi = output string argument
004024E5 83C0 10          add eax,10
004024E8 8906             mov dword ptr ds:[esi],eax  ; store the data pointer into the caller's string
004024EA C74424 3C FFFFF> mov dword ptr ss:[esp+3C],-1
; Release the local result string with the counter-decrement pattern.
004024F2 8D45 0C          lea eax,dword ptr ss:[ebp+C]
004024F5 83C9 FF          or ecx,FFFFFFFF
004024F8 F0:0FC108        lock xadd dword ptr ds:[eax],ecx
004024FC 49               dec ecx
004024FD 85C9             test ecx,ecx
004024FF 7F 09            jg short PopUpBlo.0040250A
00402501 8B4D 00          mov ecx,dword ptr ss:[ebp]
00402504 8B11             mov edx,dword ptr ds:[ecx]
00402506 55               push ebp
00402507 FF52 04          call dword ptr ds:[edx+4]
0040250A 8B4C24 34        mov ecx,dword ptr ss:[esp+34]  ; previous SEH frame pointer
0040250E 5F               pop edi
0040250F 8BC6             mov eax,esi  ; return value = output string pointer
00402511 5E               pop esi
00402512 5D               pop ebp
00402513 64:890D 0000000> mov dword ptr fs:[0],ecx  ; unlink the SEH frame
0040251A 8B4C24 24        mov ecx,dword ptr ss:[esp+24]  ; reload the value saved from [43D648] at entry
0040251E 5B               pop ebx
; NOTE(review): ecx = saved [43D648] value, checked right before returning — this matches
; the MSVC /GS stack-cookie check; confirm.
0040251F E8 65E30000      call PopUpBlo.00410889
00402524 83C4 30          add esp,30
00402527 C2 0400          retn 4  // return
-------------------------------------------------------------------------------------------------------------------------
【算法总结】
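注册验证非常简单:Key = MD5(固定字符串"AmplusnetAPlus20"+Name) 的32位小写十六进制串。(Email在注册码计算中没用到)
从保护设计的角度看,这个方案不包含任何秘密:固定字符串以明文存放在程序里,MD5 不带密钥,校验只是在本地做一次字符串比较;更稳妥的做法是由厂商用私钥对注册信息签名,客户端只内置公钥做验签。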
=======================
算法注册机代码:
' Form module:
Option Explicit
Private Sub Text1_Change()
Set c1 = New clsMD5
' Call the hashing class module to turn the input text into its MD5 digest
sn = c1.Md5_String_Calc("AmplusnetAPlus20" + Text1.Text)
' MD5(fixed string "AmplusnetAPlus20" + Name) = Key
Text2.Text = LCase(sn)
' The digest is converted to lower case and shown as the Key
End Sub
'类模块部分:
(略)
上次我写的《土地拍卖竞标助手 专业版 6.31--MD5算法分析》中有VB的MD5模块,自己写写看!
=======================
内存注册机:
中断地址:004041CE
中断次数:1
第一字节:50
指令长度:1
内存方式--->EAX
=======================
注册信息:
Name:KuNgBiM
Email:gb_1227@163.com
Key:f4d0c4f350a132c8e2bc9451fab178f3
Name:KuNgBiM[DFCG]
Email:gb_1227@163.com
Key:5941ab3a6614ae8a624ba817b476ee89
注册信息保存在注册表:HKEY_LOCAL_MACHINE\SOFTWARE\A+PopupBlocker 中。
--------------------------------------------------------------------------
(本文完)
版权所有(C)2005 KuNgBiM[DFCG] Copyright (C) 2005 KuNgBiM[DFCG]--------------------------------------------------------------------------
Cracked BY KuNgBiM[DFCG]
2005-05-12
12:09:18 PM