【破解作者】 yijun
【作者邮箱】 yijun8354@sina.com
【使用工具】 OD,PEID
【破解平台】 WinXP
【软件名称】 隐身专家2.41
【软件简介】 《隐身专家》是一个快速隐藏桌面和任务栏的窗口的程序。如果你正在做一些不想让你的老师、老板...看到的操作,那么这个程序正好适合你。它可以让你只按下鼠标的左右键(或使用快捷键)就快速隐藏桌面上所有的窗口,等合适的时候你再恢复。
【软件大小】 132k
【加壳方式】 无
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
用PEiD查知该软件无壳,由Microsoft Visual C++ 6.0编写;用OD载入后查找关键信息,来到以下关键处:
00406C19 |. 6A 00
push 0
; |c = 00
00406C1B |. 8D85 50FFFFFF
lea eax,
dword ptr ss:[
ebp-B0]
; |
00406C21 |. 50
push eax ; |s
00406C22 |. E8 75970000
call <jmp.&MSVCRT.memset>
; \memset//在此下断
00406C27 |. 83C4 0C
add esp,0C
00406C2A |. 6A 50
push 50
; /n = 50 (80.)
00406C2C |. 6A 00
push 0
; |c = 00
00406C2E |. 8D4D AC
lea ecx,
dword ptr ss:[
ebp-54]
; |
00406C31 |. 51
push ecx ; |s
00406C32 |. E8 65970000
call <jmp.&MSVCRT.memset>
; \memset
00406C37 |. 83C4 0C
add esp,0C
00406C3A |. 6A 50
push 50
; /WideBufSize = 50 (80.)
00406C3C |. 8D95 50FFFFFF
lea edx,
dword ptr ss:[
ebp-B0]
; |
00406C42 |. 52
push edx ; |WideCharBuf
00406C43 |. 6A FF
push -1
; |StringSize = FFFFFFFF (-1.)
00406C45 |. A1 046A4100
mov eax,
dword ptr ds:[416A04]
; |取机器码
00406C4A |. 50
push eax ; |StringToMap => "D9A1-6F81-B1C9-07E9"
00406C4B |. 6A 02
push 2
; |Options = MB_COMPOSITE
00406C4D |. 6A 00
push 0
; |CodePage = CP_ACP
00406C4F |. FF15 DC104100
call dword ptr ds:[<&KERNEL32.MultiByte>
; \测试机器码长度
00406C55 |. 68 FC484100
push HideDrag.004148FC
; /src = "{"
00406C5A |. 8D4D AC
lea ecx,
dword ptr ss:[
ebp-54]
; |
00406C5D |. 51
push ecx ; |dest
00406C5E |. E8 3F970000
call <jmp.&MSVCRT.strcpy>
; \strcpy
00406C63 |. 83C4 08
add esp,8
00406C66 |. C645 AD 00
mov byte ptr ss:[
ebp-53],0
00406C6A |. 8D55 AC
lea edx,
dword ptr ss:[
ebp-54]
00406C6D |. 8955 A8
mov dword ptr ss:[
ebp-58],
edx
00406C70 |. 8B45 A8
mov eax,
dword ptr ss:[
ebp-58]
00406C73 |. 83C0 02
add eax,2
00406C76 |. 8945 A8
mov dword ptr ss:[
ebp-58],
eax
00406C79 |. 6A 4B
push 4B
; /n = 4B (75.)
00406C7B |. 8D8D 50FFFFFF
lea ecx,
dword ptr ss:[
ebp-B0]
; |机器码送ECX
00406C81 |. 51
push ecx ; |src
00406C82 |. 8B55 A8
mov edx,
dword ptr ss:[
ebp-58]
; |
00406C85 |. 52
push edx ; |dest
00406C86 |. E8 FD960000
call <jmp.&MSVCRT.memcpy>
; \memcpy
00406C8B |. 83C4 0C
add esp,0C
00406C8E |. C645 F6 7D
mov byte ptr ss:[
ebp-A],7D
00406C92 |. 68 587D4100
push HideDrag.00417D58
00406C97 |. 8D45 AC
lea eax,
dword ptr ss:[
ebp-54]
00406C9A |. 50
push eax
00406C9B |. FF15 98134100
call dword ptr ds:[<&ole32.CLSIDFromStr>
; ole32.CLSIDFromString
00406CA1 |. 6A 50
push 50
; /n = 50 (80.)
00406CA3 |. 6A 00
push 0
; |c = 00
00406CA5 |. 8D4D AC
lea ecx,
dword ptr ss:[
ebp-54]
; |
00406CA8 |. 51
push ecx ; |s
00406CA9 |. E8 EE960000
call <jmp.&MSVCRT.memset>
; \memset
00406CAE |. 83C4 0C
add esp,0C
00406CB1 |. 6A 50
push 50
; /n = 50 (80.)
00406CB3 |. 6A 00
push 0
; |c = 00
00406CB5 |. 8D95 50FFFFFF
lea edx,
dword ptr ss:[
ebp-B0]
; |
00406CBB |. 52
push edx ; |s
00406CBC |. E8 DB960000
call <jmp.&MSVCRT.memset>
; \memset
00406CC1 |. 83C4 0C
add esp,0C
00406CC4 |. 68 00494100
push HideDrag.00414900
; /src = "{"
00406CC9 |. 8D85 50FFFFFF
lea eax,
dword ptr ss:[
ebp-B0]
; |
00406CCF |. 50
push eax ; |dest
00406CD0 |. E8 CD960000
call <jmp.&MSVCRT.strcpy>
; \strcpy
00406CD5 |. 83C4 08
add esp,8
00406CD8 |. C745 A4 00000000
mov dword ptr ss:[
ebp-5C],0
00406CDF |. EB 09
jmp short HideDrag.00406CEA
00406CE1 |> 8B4D A4 /
mov ecx,
dword ptr ss:[
ebp-5C]
; ****以下是处理输入的4段注册码****
00406CE4 |. 83C1 01 |
add ecx,1
; ECX加1
00406CE7 894D A4
mov dword ptr ss:[
ebp-5C],
ecx ; ECX送[ebp-5C]
00406CEA |> 837D A4 05
cmp dword ptr ss:[
ebp-5C],5
; [ebp-5C]和5比较
00406CEE |. 7D 56 |
jge short HideDrag.00406D46
; 大于等于就跳,最后由这里跳出去
00406CF0 |. 6A 10 |
push 10
; /Count = 10 (16.)
00406CF2 |. 8D55 AC |
lea edx,
dword ptr ss:[
ebp-54]
; |
00406CF5 |. 52 |
push edx ; |Buffer
00406CF6 |. 8B45 A4 |
mov eax,
dword ptr ss:[
ebp-5C]
; |
00406CF9 |. 8B0C85 B8E74100 |
mov ecx,
dword ptr ds:[
eax*4+41E7B8]
; |
00406D00 |. 51 |
push ecx ; |hWnd
00406D01 |. FF15 00134100 |
call dword ptr ds:[<&USER32.GetWindowT>
; \获得该段假码长度送EAX
00406D07 |. 8D55 AC |
lea edx,
dword ptr ss:[
ebp-54]
00406D0A |. 52 |
push edx ; /该段送EDX
00406D0B |. 8D85 50FFFFFF |
lea eax,
dword ptr ss:[
ebp-B0]
; |
00406D11 |. 50 |
push eax ; |EAX压栈
00406D12 |. E8 79960000 |
call <jmp.&MSVCRT.strcat>
; \连接输入注册码CALL
00406D17 |. 83C4 08 |
add esp,8
00406D1A |. 837D A4 04 |
cmp dword ptr ss:[
ebp-5C],4
; [ebp-5C]和4比较
00406D1E |. 7D 14 |
jge short HideDrag.00406D34
; 大于等于就跳,从00406D34跳来
00406D20 |. 68 04494100 |
push HideDrag.00414904
; /送符号“-”
00406D25 |. 8D8D 50FFFFFF |
lea ecx,
dword ptr ss:[
ebp-B0]
; |连接后的送ECX
00406D2B |. 51 |
push ecx ; |ECX压栈
00406D2C |. E8 5F960000 |
call <jmp.&MSVCRT.strcat>
; \再在刚才得到的注册码后面连上“-”
00406D31 |. 83C4 08 |
add esp,8
00406D34 |> 6A 50 |
push 50
; /跳到这里~~
00406D36 |. 6A 00 |
push 0
; |c = 00
00406D38 |. 8D55 AC |
lea edx,
dword ptr ss:[
ebp-54]
; |该段码送EDX
00406D3B |. 52 |
push edx ; |s
00406D3C |. E8 5B960000 |
call <jmp.&MSVCRT.memset>
; \memset
00406D41 |. 83C4 0C |
add esp,0C
00406D44 |.^ EB 9B \jmp short HideDrag.00406CE1
; ****没完就跳回去****
00406D46 |> 68 08494100
push HideDrag.00414908
; /最后跳到这里(从00406CEE跳来)
00406D4B |. 8D85 50FFFFFF
lea eax,
dword ptr ss:[
ebp-B0]
; |
00406D51 |. 50
push eax ; |dest
00406D52 |. E8 39960000
call <jmp.&MSVCRT.strcat>
; \最后连成完送EAX,记为N
00406D57 |. 83C4 08
add esp,8
00406D5A |. 6A 50
push 50
; /n = 50 (80.)
00406D5C |. 6A 00
push 0
; |c = 00
00406D5E |. 8D4D AC
lea ecx,
dword ptr ss:[
ebp-54]
; |
00406D61 |. 51
push ecx ; |s
00406D62 |. E8 35960000
call <jmp.&MSVCRT.memset>
; \memset
00406D67 |. 83C4 0C
add esp,0C
00406D6A |. 6A 50
push 50
; /WideBufSize = 50 (80.)
00406D6C |. 8D55 AC
lea edx,
dword ptr ss:[
ebp-54]
; |
00406D6F |. 52
push edx ; |WideCharBuf
00406D70 |. 6A FF
push -1
; |StringSize = FFFFFFFF (-1.)
00406D72 |. 8D85 50FFFFFF
lea eax,
dword ptr ss:[
ebp-B0]
; |
00406D78 |. 50
push eax ; |StringToMap
00406D79 |. 6A 02
push 2
; |Options = MB_COMPOSITE
00406D7B |. 6A 00
push 0
; |CodePage = CP_ACP
00406D7D |. FF15 DC104100
call dword ptr ds:[<&KERNEL32.MultiByte>
; \MultiByteToWideChar//计算总的位数送EAX
00406D83 |. 68 A0CB4100
push HideDrag.0041CBA0
00406D88 |. 8D4D AC
lea ecx,
dword ptr ss:[
ebp-54]
; 刚才结果送ECX
00406D8B |. 51
push ecx
00406D8C |. FF15 98134100
call dword ptr ds:[<&ole32.CLSIDFromStr>
; 看看
00406D92 |. 8B15 587D4100
mov edx,
dword ptr ds:[417D58]
; [417D58]送EDX
00406D98 81F2 FFE0F505
xor edx,5F5E0FF
; 和5F5E0FF异或送EDX
00406D9E |. 8915 587D4100
mov dword ptr ds:[417D58],
edx ; 再送[417D58]
00406DA4 |. 66:A1 5C7D4100
mov ax,
word ptr ds:[417D5C]
; [417D5C]送AX
00406DAA |. 66:35 0F27
xor ax,270F
; AX和270F异或送AX
00406DAE |. 66:A3 5C7D4100
mov word ptr ds:[417D5C],
ax ; 再送[417D5C]
00406DB4 |. 66:8B0D 5E7D4100
mov cx,
word ptr ds:[417D5E]
; [417D5E]送CX
00406DBB |. 66:81F1 1D23
xor cx,231D
; 再和231D异或送CX
00406DC0 |. 66:890D 5E7D4100
mov word ptr ds:[417D5E],
cx ; 再送[417D5E]
00406DC7 |. 8A15 617D4100
mov dl,
byte ptr ds:[417D61]
; [417D61]送DL
00406DCD |. 80F2 06
xor dl,6
; DL和6取异或
00406DD0 |. 8815 617D4100
mov byte ptr ds:[417D61],
dl ; 再送[417D61]
00406DD6 |. A0 627D4100
mov al,
byte ptr ds:[417D62]
; [417D62]送AL
00406DDB |. 34 09
xor al,9
; AL和9异或
00406DDD |. A2 627D4100
mov byte ptr ds:[417D62],
al ; 在送[417D62]
00406DE2 |. 8A0D 637D4100
mov cl,
byte ptr ds:[417D63]
; [417D63]送CL
00406DE8 |. 80F1 03
xor cl,3
; 和3异或
00406DEB |. 880D 637D4100
mov byte ptr ds:[417D63],
cl ; 再送回去
00406DF1 |. 8A15 647D4100
mov dl,
byte ptr ds:[417D64]
; [417D64]送DL
00406DF7 |. 80F2 01
xor dl,1
; 和1异或
00406DFA |. 8815 647D4100
mov byte ptr ds:[417D64],
dl ; 再送回去
00406E00 |. A0 657D4100
mov al,
byte ptr ds:[417D65]
; [417D65]送AL
00406E05 |. 34 0A
xor al,0A
; 和0A异或
00406E07 |. A2 657D4100
mov byte ptr ds:[417D65],
al ; 再送回去
00406E0C |. 8A0D 667D4100
mov cl,
byte ptr ds:[417D66]
; [417D66]送CL
00406E12 |. 80F1 08
xor cl,8
; 和8异或
00406E15 |. 880D 667D4100
mov byte ptr ds:[417D66],
cl ; 再送回去
00406E1B |. 8A15 677D4100
mov dl,
byte ptr ds:[417D67]
; [417D67]送DL
00406E21 |. 80F2 08
xor dl,8
; 和8异或
00406E24 |. 8815 677D4100
mov byte ptr ds:[417D67],
dl ; 再送回去
00406E2A |. 6A 50
push 50
; /n = 50 (80.)
00406E2C |. 6A 00
push 0
; |c = 00
00406E2E |. 8D45 AC
lea eax,
dword ptr ss:[
ebp-54]
; |//前面计算结果N送EAX
00406E31 |. 50
push eax ; |s
00406E32 |. E8 65950000
call <jmp.&MSVCRT.memset>
; \memset
00406E37 |. 83C4 0C
add esp,0C
00406E3A |. C745 A4 00000000
mov dword ptr ss:[
ebp-5C],0
00406E41 |. EB 09
jmp short HideDrag.00406E4C
00406E43 |> 8B4D A4 /
mov ecx,
dword ptr ss:[
ebp-5C]
; 以下是关键
00406E46 |. 83C1 01 |
add ecx,1
; ECX加一
00406E49 |. 894D A4 |
mov dword ptr ss:[
ebp-5C],
ecx //再送[
ebp-5C]
00406E4C |> 837D A4 04
cmp dword ptr ss:[
ebp-5C],4
; [ebp-5C]和4比较
00406E50 |. 7D 71 |
jge short HideDrag.00406EC3
; 大于等于就跳
00406E52 |. 6A 05 |
push 5
; /Count = 5
00406E54 |. 8D95 50FFFFFF |
lea edx,
dword ptr ss:[
ebp-B0]
; |分段取注册码
00406E5A |. 52 |
push edx ; |Buffer
00406E5B |. 8B45 A4 |
mov eax,
dword ptr ss:[
ebp-5C]
; |
00406E5E |. 8B0C85 B8E74100 |
mov ecx,
dword ptr ds:[
eax*4+41E7B8]
; |[eax*4+41E7B8]送ECX
00406E65 |. 51 |
push ecx ; |hWnd
00406E66 |. FF15 00134100 |
call dword ptr ds:[<&USER32.GetWindowT>
; \测试长度CALL
00406E6C |. 6A 10 |
push 10
; /radix = 10 (16.)
00406E6E |. 6A 00 |
push 0
; |endptr = NULL
00406E70 |. 8D95 50FFFFFF |
lea edx,
dword ptr ss:[
ebp-B0]
; |分段取假码送EDX
00406E76 |. 52 |
push edx ; |s
00406E77 |. FF15 64114100 |
call dword ptr ds:[<&MSVCRT.strtol>]
; \将该段假码值(10进制)当16进值放EAX
00406E7D |. 83C4 0C |
add esp,0C
; ESP+0C送ESP
00406E80 |. 8945 A0 |
mov dword ptr ss:[
ebp-60],
eax
00406E83 |. 6A 10 |
push 10
; /radix = 10 (16.)
00406E85 |. 6A 00 |
push 0
; |endptr = NULL
00406E87 |. 8B45 A4 |
mov eax,
dword ptr ss:[
ebp-5C]
; |//[ebp-5C]送EAX
00406E8A |. 6BC0 05 |
imul eax,
eax,5
; |EAX*5送EAX
00406E8D |. 05 7C404100 |
add eax,HideDrag.0041407C
; |EAX加机器码第一段送EAX
00406E92 |. 50 |
push eax ; |s
00406E93 |. FF15 64114100 |
call dword ptr ds:[<&MSVCRT.strtol>]
; \将该值当16进值放EAX
00406E99 |. 83C4 0C |
add esp,0C
00406E9C 8945 FC
mov dword ptr ss:[
ebp-4],
eax ; EAX送[ebp-4]
00406E9F |. 8B4D FC |
mov ecx,
dword ptr ss:[
ebp-4]
; 再送ECX
00406EA2 |. 81F1 050D0000 |
xor ecx,0D05
; ECX和0D05异或
00406EA8 |. 894D FC |
mov dword ptr ss:[
ebp-4],
ecx ; 再送[ebp-4]
00406EAB |. 8B55 FC |
mov edx,
dword ptr ss:[
ebp-4]
; 再送EDX
00406EAE |. 81CA 050D0000 |
or edx,0D05
; EDX和0D05或
00406EB4 |. 8955 FC |
mov dword ptr ss:[
ebp-4],
edx ; 再送[ebp-4]
00406EB7 |. 8B45 A0 |
mov eax,
dword ptr ss:[
ebp-60]
; [ebp-60]为当前假码段值送EAX
00406EBA |. 3B45 FC |
cmp eax,
dword ptr ss:[
ebp-4]
; 比较[ebp-4]和EAX,在这里可以分段看见真码^-^
00406EBD |. 74 02 |
je short HideDrag.00406EC1
; 必须跳,否则挂~~~
00406EBF |. EB 02 |
jmp short HideDrag.00406EC3
00406EC1 |>^ EB 80 \jmp short HideDrag.00406E43
00406EC3 |> 837D A4 04
cmp dword ptr ss:[
ebp-5C],4
; 如果输入注册码正确,就从00406E50跳来,[ebp-5C]和4比较
00406EC7 |. 7C 66
jl short HideDrag.00406F2F
; 小于就跳
00406EC9 |. 6A 00
push 0
; /Style = MB_OK|MB_APPLMODAL
00406ECB |. 68 0C494100
push HideDrag.0041490C
; |Title = "隐身专家"
00406ED0 |. 68 18494100
push HideDrag.00414918
; |Text = "注册成功,从现在开始您可以获得一年的免费升级"
00406ED5 |. 8B4D 08
mov ecx,
dword ptr ss:[
ebp+8]
; |
00406ED8 |. 51
push ecx ; |hOwner
00406ED9 |. FF15 48124100
call dword ptr ds:[<&USER32.MessageBoxA>
; \MessageBoxA
00406EDF |. 8D95 50FFFFFF
lea edx,
dword ptr ss:[
ebp-B0]
00406EE5 |. 52
push edx ; /src
00406EE6 |. A1 086A4100
mov eax,
dword ptr ds:[416A08]
; |
00406EEB |. 50
push eax ; |dest => 01330000
00406EEC |. E8 B1940000
call <jmp.&MSVCRT.strcpy>
; \strcpy
00406EF1 |. 83C4 08
add esp,8
00406EF4 |. C705 006A4100 010>
mov dword ptr ds:[416A00],1
00406EFE |. 83EC 50
sub esp,50
00406F01 |. B9 14000000
mov ecx,14
00406F06 |. BE D8694100
mov esi,HideDrag.004169D8
00406F0B |. 8BFC
mov edi,
esp
00406F0D |. F3:A5
rep movs dword ptr es:[
edi],
dword ptr d>
00406F0F |. E8 ECEBFFFF
call HideDrag.00405B00
00406F14 |. 83C4 50
add esp,50
00406F17 |. C705 80AF4100 000>
mov dword ptr ds:[41AF80],0
00406F21 |. 6A 01
push 1
; /Result = 1
00406F23 |. 8B4D 08
mov ecx,
dword ptr ss:[
ebp+8]
; |
00406F26 |. 51
push ecx ; |hWnd
00406F27 |. FF15 DC124100
call dword ptr ds:[<&USER32.EndDialog>]
; \EndDialog
00406F2D |. EB 16
jmp short HideDrag.00406F45
00406F2F |> 6A 00
push 0
; /Style = MB_OK|MB_APPLMODAL
00406F31 |. 68 44494100
push HideDrag.00414944
; |Title = "隐身专家"
00406F36 |. 68 50494100
push HideDrag.00414950
; |Text = "序列号不正确,请检查后重新输入!"
00406F3B |. 8B55 08
mov edx,
dword ptr ss:[
ebp+8]
; |
00406F3E |. 52
push edx ; |hOwner //以下就保存注册信息~~~~
00406F3F |. FF15 48124100
call dword ptr ds:[<&USER32.MessageBoxA>
; \MessageBoxA
00406F45 |> EB 32
jmp short HideDrag.00406F79
00406F47 |> C705 80AF4100 000>
mov dword ptr ds:[41AF80],0
--------------------------------------------------------------------------------
【破解总结】
我就不总结了,自己认真看吧^-^
机器码:D9A1-6F81-B1C9-07E9
注册码:DDA5-6F85-BDCD-0FED
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!