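【Crack author】 qhst/老虫子[D.4s][CZG]
【Author homepage】 http://free.aofa.net/www/qhst/index.htm
【Tools used】 od, W32, AspackDie141
【Platform】 Win9x/NT/2000/XP
【Software name】 心理测试小精灵 3.5
【Download URL】 http://www.onlinedown.net/soft/1356.htm
【Software description】 Contains every kind of fun quiz there is. There are several hundred fun quiz questions in categories such as psychology, love, humor, personality, charm, intelligence, emotional intelligence, work, ability and relationships. The new version adds many articles on psychology, in the hope of helping some friends. The question bank can be updated online every month. With this software's magical features you can even secretly find out what is going on in other people's minds! Great fun! You can also use the software to add your own question bank. Highly recommended!
【Software size】 1355KB
【Packer】 ASPack 2.12
【Crack statement】 I'm just a little newbie who has picked up a bit of experience and would like to share it with everyone :)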
--------------------------------------------------------------------------------
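【Crack details】
Checking the packer with PEID shows ASPack 2.12 -> Alexey Solodovnikov. The unpacker tool unpacks it successfully, and the software turns out to be written in Borland Delphi 6.0 - 7.0. Run the software, enter a user name and a fake code, and click Register: a registration-failed message pops up. Disassemble with W32 and search for the string "注册失败" (registration failed); double-clicking it leads to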
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B47A0(C) ---------------------- the jump comes from here
|
:004B4856 A1584C4C00 mov eax, dword ptr [004C4C58]
:004B485B 8B00 mov eax, dword ptr [eax]
* Possible StringData Ref from Code Obj ->"注册失败"
|
:004B485D BA7C494B00 mov edx, 004B497C ------ we arrive here
:004B4862 E889EFF8FF call 004437F0
:004B4867 A1584C4C00 mov eax, dword ptr [004C4C58]
:004B486C 8B00 mov eax, dword ptr [eax]
:004B486E 8B80F4020000 mov eax, dword ptr [eax+000002F4]
======================================================================
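Look upward for the address the jump comes from, 004B47A0. Load the program in OD, set a breakpoint at 4B4744 above it, and enter the user name laochongzi and the fake code 123456789; execution then breaks here.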
004B4744 /. 55 PUSH EBP
004B4745 |. 8BEC MOV EBP,ESP
004B4747 |. 33C9 XOR ECX,ECX
004B4749 |. 51 PUSH ECX
004B474A |. 51 PUSH ECX
004B474B |. 51 PUSH ECX
004B474C |. 51 PUSH ECX
004B474D |. 53 PUSH EBX
004B474E |. 56 PUSH ESI
004B474F |. 57 PUSH EDI
004B4750 |. 8BD8 MOV EBX,EAX
004B4752 |. 33C0 XOR EAX,EAX
004B4754 |. 55 PUSH EBP
004B4755 |. 68 CD484B00 PUSH Unpacked.004B48CD
004B475A |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004B475D |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B4760 |. A1 78514C00 MOV EAX,DWORD PTR DS:[4C5178]
004B4765 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B4767 |. E8 90AC0000 CALL Unpacked.004BF3FC
004B476C |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004B476F |. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004B4775 |. E8 46F0F8FF CALL Unpacked.004437C0
004B477A |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; fetch the user name laochongzi
004B477D |. 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
004B4780 |. 8BC3 MOV EAX,EBX
004B4782 |. E8 49020000 CALL Unpacked.004B49D0 ; algorithm CALL, step into it
004B4787 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004B478A |. 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
004B4790 |. E8 2BF0F8FF CALL Unpacked.004437C0
004B4795 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; fetch the fake code 123456789
004B4798 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ; fetch the real code
004B479B |. E8 F403F5FF CALL Unpacked.00404B94 ; compare; the real code is in EDX, this is the address for the memory keygen
004B47A0 |. 0F85 B0000000 JNZ Unpacked.004B4856 ; not equal, then it's OVER
004B47A6 |. 8B0D 4C4F4C00 MOV ECX,DWORD PTR DS:[4C4F4C] ; Unpacked.004C6E34
004B47AC |. 8B09 MOV ECX,DWORD PTR DS:[ECX]
004B47AE |. B2 01 MOV DL,1
004B47B0 |. A1 94464600 MOV EAX,DWORD PTR DS:[464694]
004B47B5 |. E8 8AFFFAFF CALL Unpacked.00464744
004B47BA |. 8BF0 MOV ESI,EAX
004B47BC |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004B47BF |. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004B47C5 |. E8 F6EFF8FF CALL Unpacked.004437C0
004B47CA |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004B47CD |. 50 PUSH EAX
004B47CE |. B9 E4484B00 MOV ECX,Unpacked.004B48E4 ; ASCII "username"
004B47D3 |. BA F8484B00 MOV EDX,Unpacked.004B48F8 ; ASCII "inifile"
004B47D8 |. 8BC6 MOV EAX,ESI
004B47DA |. 8B38 MOV EDI,DWORD PTR DS:[EAX]
004B47DC |. FF57 04 CALL DWORD PTR DS:[EDI+4]
004B47DF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B47E2 |. 50 PUSH EAX
004B47E3 |. B9 08494B00 MOV ECX,Unpacked.004B4908 ; ASCII "regcode"
004B47E8 |. BA F8484B00 MOV EDX,Unpacked.004B48F8 ; ASCII "inifile"
004B47ED |. 8BC6 MOV EAX,ESI
004B47EF |. 8B38 MOV EDI,DWORD PTR DS:[EAX]
004B47F1 |. FF57 04 CALL DWORD PTR DS:[EDI+4]
004B47F4 |. 8BC6 MOV EAX,ESI
004B47F6 |. E8 51F1F4FF CALL Unpacked.0040394C
004B47FB |. A1 704F4C00 MOV EAX,DWORD PTR DS:[4C4F70]
004B4800 |. C600 01 MOV BYTE PTR DS:[EAX],1
004B4803 |. A1 78514C00 MOV EAX,DWORD PTR DS:[4C5178]
004B4808 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B480A |. BA 18494B00 MOV EDX,Unpacked.004B4918
004B480F |. E8 DCEFF8FF CALL Unpacked.004437F0
004B4814 |. A1 584C4C00 MOV EAX,DWORD PTR DS:[4C4C58]
004B4819 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B481B |. BA 30494B00 MOV EDX,Unpacked.004B4930
004B4820 |. E8 CBEFF8FF CALL Unpacked.004437F0
004B4825 |. A1 584C4C00 MOV EAX,DWORD PTR DS:[4C4C58]
004B482A |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B482C |. 8B80 F4020000 MOV EAX,DWORD PTR DS:[EAX+2F4]
004B4832 |. B9 40494B00 MOV ECX,Unpacked.004B4940
004B4837 |. BA FBFDFFFF MOV EDX,-205
004B483C |. E8 EF5CFBFF CALL Unpacked.0046A530
004B4841 |. A1 584C4C00 MOV EAX,DWORD PTR DS:[4C4C58]
004B4846 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B4848 |. E8 2FB4FAFF CALL Unpacked.0045FC7C
004B484D |. 8BC3 MOV EAX,EBX
004B484F |. E8 80B2FAFF CALL Unpacked.0045FAD4
004B4854 |. EB 39 JMP SHORT Unpacked.004B488F
004B4856 |> A1 584C4C00 MOV EAX,DWORD PTR DS:[4C4C58]
004B485B |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B485D |. BA 7C494B00 MOV EDX,Unpacked.004B497C
004B4862 |. E8 89EFF8FF CALL Unpacked.004437F0
004B4867 |. A1 584C4C00 MOV EAX,DWORD PTR DS:[4C4C58]
004B486C |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B486E |. 8B80 F4020000 MOV EAX,DWORD PTR DS:[EAX+2F4]
004B4874 |. B9 8C494B00 MOV ECX,Unpacked.004B498C
004B4879 |. BA FBFDFFFF MOV EDX,-205
004B487E |. E8 AD5CFBFF CALL Unpacked.0046A530
004B4883 |. A1 584C4C00 MOV EAX,DWORD PTR DS:[4C4C58]
004B4888 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B488A |. E8 EDB3FAFF CALL Unpacked.0045FC7C
004B488F |> FE05 8C6D4C00 INC BYTE PTR DS:[4C6D8C]
004B4895 |. 803D 8C6D4C00>CMP BYTE PTR DS:[4C6D8C],3
004B489C |. 72 0C JB SHORT Unpacked.004B48AA
004B489E |. A1 14504C00 MOV EAX,DWORD PTR DS:[4C5014]
004B48A3 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B48A5 |. E8 4AE9FAFF CALL Unpacked.004631F4
004B48AA |> 33C0 XOR EAX,EAX
004B48AC |. 5A POP EDX
004B48AD |. 59 POP ECX
004B48AE |. 59 POP ECX
004B48AF |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004B48B2 |. 68 D4484B00 PUSH Unpacked.004B48D4
004B48B7 |> 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004B48BA |. BA 03000000 MOV EDX,3
004B48BF |. E8 F8FEF4FF CALL Unpacked.004047BC
004B48C4 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004B48C7 |. E8 CCFEF4FF CALL Unpacked.00404798
004B48CC \. C3 RETN
===================================================================
Inside the algorithm CALL
004B49D0 /$ 55 PUSH EBP
004B49D1 |. 8BEC MOV EBP,ESP
004B49D3 |. 51 PUSH ECX
004B49D4 |. B9 06000000 MOV ECX,6
004B49D9 |> 6A 00 /PUSH 0
004B49DB |. 6A 00 |PUSH 0
004B49DD |. 49 |DEC ECX
004B49DE |.^ 75 F9 \JNZ SHORT Unpacked.004B49D9
004B49E0 |. 51 PUSH ECX
004B49E1 |. 874D FC XCHG DWORD PTR SS:[EBP-4],ECX
004B49E4 |. 53 PUSH EBX
004B49E5 |. 56 PUSH ESI
004B49E6 |. 57 PUSH EDI
004B49E7 |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
004B49EA |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004B49ED |. 8BD8 MOV EBX,EAX
004B49EF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B49F2 |. E8 4102F5FF CALL Unpacked.00404C38
004B49F7 |. 33C0 XOR EAX,EAX
004B49F9 |. 55 PUSH EBP
004B49FA |. 68 A04C4B00 PUSH Unpacked.004B4CA0
004B49FF |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004B4A02 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B4A05 |. 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
004B4A08 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B4A0B |. E8 D843F5FF CALL Unpacked.00408DE8
004B4A10 |. 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28] ; user name into EDX
004B4A13 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004B4A16 |. E8 15FEF4FF CALL Unpacked.00404830
004B4A1B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; user name into EAX
004B4A1E |. E8 2D00F5FF CALL Unpacked.00404A50
004B4A23 |. 8BF8 MOV EDI,EAX ; length of the user name into EDI
004B4A25 |. BE EE8D1E00 MOV ESI,1E8DEE ; ESI=1E8DEE
004B4A2A |. 85FF TEST EDI,EDI
004B4A2C |. 75 15 JNZ SHORT Unpacked.004B4A43
004B4A2E |. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004B4A34 |. BA B84C4B00 MOV EDX,Unpacked.004B4CB8
004B4A39 |. E8 B2EDF8FF CALL Unpacked.004437F0
004B4A3E |. E9 2D020000 JMP Unpacked.004B4C70
004B4A43 |> 83FF 32 CMP EDI,32 ; check whether the user name length is less than 32
004B4A46 |. 7E 1B JLE SHORT Unpacked.004B4A63
004B4A48 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004B4A4B |. 50 PUSH EAX
004B4A4C |. B9 32000000 MOV ECX,32
004B4A51 |. BA 01000000 MOV EDX,1
004B4A56 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B4A59 |. E8 4A02F5FF CALL Unpacked.00404CA8
004B4A5E |. BF 32000000 MOV EDI,32
004B4A63 |> 85FF TEST EDI,EDI
004B4A65 |. 0F8E FA010000 JLE Unpacked.004B4C65
004B4A6B |. 83FF 32 CMP EDI,32 ; check whether the user name length is greater than 32
004B4A6E |. 0F8F F1010000 JG Unpacked.004B4C65
004B4A74 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B4A77 |. 8A18 MOV BL,BYTE PTR DS:[EAX] ; ASCII value of the first character of the user name into BL
004B4A79 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B4A7C |. 8A4438 FF MOV AL,BYTE PTR DS:[EAX+EDI-1] ; ASCII value of the last character into AL
004B4A80 |. 8845 F7 MOV BYTE PTR SS:[EBP-9],AL ; store it on the stack
004B4A83 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004B4A86 |. 33C0 XOR EAX,EAX ; clear EAX
004B4A88 |. 8AC3 MOV AL,BL ; value of the first character into AL=6C
004B4A8A |. E8 7546F5FF CALL Unpacked.00409104
004B4A8F |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004B4A92 |. 33C0 XOR EAX,EAX
004B4A94 |. 8A45 F7 MOV AL,BYTE PTR SS:[EBP-9] ; value of the last character, 69, into AL
004B4A97 |. E8 6846F5FF CALL Unpacked.00409104
004B4A9C |. 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
004B4A9F |. 50 PUSH EAX
004B4AA0 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004B4AA3 |. E8 A8FFF4FF CALL Unpacked.00404A50 ; value of the first character, 6C, converted to decimal 108
004B4AA8 |. 8BD0 MOV EDX,EAX ; EDX=number of digits (3) of the first character's ASCII value in decimal
004B4AAA |. B9 01000000 MOV ECX,1
004B4AAF |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004B4AB2 |. E8 F101F5FF CALL Unpacked.00404CA8
004B4AB7 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004B4ABA |. E8 A946F5FF CALL Unpacked.00409168
004B4ABF |. 8BD8 MOV EBX,EAX
004B4AC1 |. 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
004B4AC4 |. 50 PUSH EAX
004B4AC5 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; value of the last character converted to decimal 105
004B4AC8 |. E8 83FFF4FF CALL Unpacked.00404A50
004B4ACD |. 8BD0 MOV EDX,EAX ; EDX=number of digits (3) of the last character's ASCII value in decimal
004B4ACF |. B9 01000000 MOV ECX,1 ; ECX=1
004B4AD4 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ; 105 into EAX
004B4AD7 |. E8 CC01F5FF CALL Unpacked.00404CA8
004B4ADC |. 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
004B4ADF |. E8 8446F5FF CALL Unpacked.00409168
004B4AE4 |. 33D2 XOR EDX,EDX
004B4AE6 |. 8AD3 MOV DL,BL ; last digit of 108, the value 8, into DL
004B4AE8 |. 69D2 BD070000 IMUL EDX,EDX,7BD ; EDX=8*7BD=3DE8
004B4AEE |. 25 FF000000 AND EAX,0FF ; last digit of 105, the value 5, ANDed with 0FF = 5
004B4AF3 |. 0FAFD0 IMUL EDX,EAX ; 5*3DE8=13588
004B4AF6 |. 8955 E0 MOV DWORD PTR SS:[EBP-20],EDX ; 13588 stored on the stack
004B4AF9 |. 8BC7 MOV EAX,EDI ; user name length A into EAX
004B4AFB |. 84C0 TEST AL,AL
004B4AFD |. 76 3C JBE SHORT Unpacked.004B4B3B
004B4AFF |. 8845 DF MOV BYTE PTR SS:[EBP-21],AL ; value of AL, 0A, stored on the stack
004B4B02 |. B3 01 MOV BL,1 ; BL=1
004B4B04 |> 8BC3 /MOV EAX,EBX ; take each position of the user name in turn
004B4B06 |. 48 |DEC EAX ; subtract 1
004B4B07 |. 2C 05 |SUB AL,5 ; subtract 5, jump if below; Switch (cases 0..31)
004B4B09 |. 72 06 |JB SHORT Unpacked.004B4B11
004B4B0B |. 2C 2D |SUB AL,2D ; subtract 2D, jump if below
004B4B0D |. 72 18 |JB SHORT Unpacked.004B4B27
004B4B0F |. EB 24 |JMP SHORT Unpacked.004B4B35
004B4B11 |> 33C0 |XOR EAX,EAX ; Cases 0,1,2,3,4 of switch 004B4B07
004B4B13 |. 8AC3 |MOV AL,BL
004B4B15 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4] ; user name into EDX
004B4B18 |. 0FB64402 FF |MOVZX EAX,BYTE PTR DS:[EDX+EAX->; take the ASCII value of each user name character in turn, up to the 5th
004B4B1D |. 33D2 |XOR EDX,EDX ; clear EDX
004B4B1F |. 8AD3 |MOV DL,BL ; take the position in turn
004B4B21 |. F7EA |IMUL EDX ; multiply each character's value by its position
004B4B23 |. 03F0 |ADD ESI,EAX ; accumulate on top of 1E8DEE, result kept in ESI
004B4B25 |. EB 0E |JMP SHORT Unpacked.004B4B35
004B4B27 |> 33C0 |XOR EAX,EAX ; clear EAX; Cases 5,6,7,8,9,A,B,C,D,E,F,10,11,12,13,14,15,16,17,18,19,1A,1B,1C,1D,1E,1F,20,21,22,23,24,25,26,27,28,29,2A,2B,2C,2D,2E,2F,30,31 of switch 004B4B07
004B4B29 |. 8AC3 |MOV AL,BL ; position in the user name, from the 6th onward
004B4B2B |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
004B4B2E |. 0FB64402 FF |MOVZX EAX,BYTE PTR DS:[EDX+EAX->; from the 6th character on, take each character's ASCII value in turn
004B4B33 |. 03F0 |ADD ESI,EAX ; add to the value in ESI
004B4B35 |> 43 |INC EBX ; increment the counter; Default case of switch 004B4B07
004B4B36 |. FE4D DF |DEC BYTE PTR SS:[EBP-21] ; user name length minus 1
004B4B39 |.^ 75 C9 \JNZ SHORT Unpacked.004B4B04 ; loop
004B4B3B |> 8BC6 MOV EAX,ESI ; EAX=1E9624, the result computed above
004B4B3D |. 33D2 XOR EDX,EDX
004B4B3F |. 52 PUSH EDX ; /Arg2 => 00000000
004B4B40 |. 50 PUSH EAX ; |Arg1
004B4B41 |. 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34] ; |
004B4B44 |. E8 EB45F5FF CALL Unpacked.00409134 ; \Unpacked.00409134
004B4B49 |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34] ; 1E9624 converted to decimal 2004516, into EAX
004B4B4C |. 50 PUSH EAX ; value of EAX pushed on the stack
004B4B4D |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] ; EAX=13588
004B4B50 |. 33D2 XOR EDX,EDX
004B4B52 |. 52 PUSH EDX ; /Arg2 => 00000000
004B4B53 |. 50 PUSH EAX ; |13588 pushed on the stack
004B4B54 |. 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38] ; |
004B4B57 |. E8 D845F5FF CALL Unpacked.00409134 ; \Unpacked.00409134
004B4B5C |. 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38] ; 13588 converted to decimal = 79240, into EDX
004B4B5F |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004B4B62 |. 59 POP ECX
004B4B63 |. E8 34FFF4FF CALL Unpacked.00404A9C
004B4B68 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] ; 79240 and 2004516 concatenated, into EAX=792402004516
004B4B6B |. E8 E0FEF4FF CALL Unpacked.00404A50
004B4B70 |. 84C0 TEST AL,AL ; AL=C, the number of digits of 792402004516 obtained above
004B4B72 |. 0F86 ED000000 JBE Unpacked.004B4C65
004B4B78 |. 8845 DF MOV BYTE PTR SS:[EBP-21],AL
004B4B7B |. B3 01 MOV BL,1
004B4B7D |> 33C0 /XOR EAX,EAX
004B4B7F |. 8AC3 |MOV AL,BL
004B4B81 |. 8B55 E8 |MOV EDX,DWORD PTR SS:[EBP-18] ; fetch 792402004516
004B4B84 |. 0FB64402 FF |MOVZX EAX,BYTE PTR DS:[EDX+EAX->; take the ASCII value of each digit in turn
004B4B89 |. 83C0 D0 |ADD EAX,-30 ; subtract 30; Switch (cases 30..39)
004B4B8C |. 83F8 09 |CMP EAX,9 ; check whether it is greater than 9
004B4B8F |. 0F87 C6000000 |JA Unpacked.004B4C5B ; jump if above
004B4B95 |. FF2485 9C4B4B>|JMP DWORD PTR DS:[EAX*4+4B4B9C] ; table lookup: jump to the address stored at (digit value after subtracting 30)*4 + 4B4B9C
004B4B9C |. C44B4B00 |DD Unpacked.004B4BC4 ; Switch table used at 004B4B95
004B4BA0 |. D64B4B00 |DD Unpacked.004B4BD6
004B4BA4 |. E54B4B00 |DD Unpacked.004B4BE5
004B4BA8 |. F44B4B00 |DD Unpacked.004B4BF4
004B4BAC |. 034C4B00 |DD Unpacked.004B4C03
004B4BB0 |. 124C4B00 |DD Unpacked.004B4C12
004B4BB4 |. 214C4B00 |DD Unpacked.004B4C21
004B4BB8 |. 304C4B00 |DD Unpacked.004B4C30
004B4BBC |. 3F4C4B00 |DD Unpacked.004B4C3F
004B4BC0 |. 4E4C4B00 |DD Unpacked.004B4C4E
004B4BC4 |> 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] ; Case 30 ('0') of switch 004B4B89
004B4BC7 |. BA DC4C4B00 |MOV EDX,Unpacked.004B4CDC ; 0 maps to 4
004B4BCC |. E8 87FEF4FF |CALL Unpacked.00404A58
004B4BD1 |. E9 85000000 |JMP Unpacked.004B4C5B
004B4BD6 |> 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] ; Case 31 ('1') of switch 004B4B89
004B4BD9 |. BA E84C4B00 |MOV EDX,Unpacked.004B4CE8 ; 1 maps to 0
004B4BDE |. E8 75FEF4FF |CALL Unpacked.00404A58
004B4BE3 |. EB 76 |JMP SHORT Unpacked.004B4C5B
004B4BE5 |> 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] ; Case 32 ('2') of switch 004B4B89
004B4BE8 |. BA F44C4B00 |MOV EDX,Unpacked.004B4CF4 ; 2 maps to 5
004B4BED |. E8 66FEF4FF |CALL Unpacked.00404A58
004B4BF2 |. EB 67 |JMP SHORT Unpacked.004B4C5B
004B4BF4 |> 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] ; Case 33 ('3') of switch 004B4B89
004B4BF7 |. BA 004D4B00 |MOV EDX,Unpacked.004B4D00 ; 3 maps to 9
004B4BFC |. E8 57FEF4FF |CALL Unpacked.00404A58
004B4C01 |. EB 58 |JMP SHORT Unpacked.004B4C5B
004B4C03 |> 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] ; Case 34 ('4') of switch 004B4B89
004B4C06 |. BA 0C4D4B00 |MOV EDX,Unpacked.004B4D0C ; 4 maps to 6
004B4C0B |. E8 48FEF4FF |CALL Unpacked.00404A58
004B4C10 |. EB 49 |JMP SHORT Unpacked.004B4C5B
004B4C12 |> 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] ; Case 35 ('5') of switch 004B4B89
004B4C15 |. BA 184D4B00 |MOV EDX,Unpacked.004B4D18 ; 5 maps to 1
004B4C1A |. E8 39FEF4FF |CALL Unpacked.00404A58
004B4C1F |. EB 3A |JMP SHORT Unpacked.004B4C5B
004B4C21 |> 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] ; Case 36 ('6') of switch 004B4B89
004B4C24 |. BA 244D4B00 |MOV EDX,Unpacked.004B4D24 ; 6 maps to 7
004B4C29 |. E8 2AFEF4FF |CALL Unpacked.00404A58
004B4C2E |. EB 2B |JMP SHORT Unpacked.004B4C5B
004B4C30 |> 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] ; Case 37 ('7') of switch 004B4B89
004B4C33 |. BA 304D4B00 |MOV EDX,Unpacked.004B4D30 ; 7 maps to 3
004B4C38 |. E8 1BFEF4FF |CALL Unpacked.00404A58
004B4C3D |. EB 1C |JMP SHORT Unpacked.004B4C5B
004B4C3F |> 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] ; Case 38 ('8') of switch 004B4B89
004B4C42 |. BA 3C4D4B00 |MOV EDX,Unpacked.004B4D3C ; 8 maps to 8
004B4C47 |. E8 0CFEF4FF |CALL Unpacked.00404A58
004B4C4C |. EB 0D |JMP SHORT Unpacked.004B4C5B
004B4C4E |> 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] ; Case 39 ('9') of switch 004B4B89
004B4C51 |. BA 484D4B00 |MOV EDX,Unpacked.004B4D48 ; 9 maps to 2
004B4C56 |. E8 FDFDF4FF |CALL Unpacked.00404A58
004B4C5B |> 43 |INC EBX ; Default case of switch 004B4B89
004B4C5C |. FE4D DF |DEC BYTE PTR SS:[EBP-21]
004B4C5F |.^ 0F85 18FFFFFF \JNZ Unpacked.004B4B7D
004B4C65 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004B4C68 |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
004B4C6B |. E8 7CFBF4FF CALL Unpacked.004047EC
004B4C70 |> 33C0 XOR EAX,EAX
004B4C72 |. 5A POP EDX
004B4C73 |. 59 POP ECX
004B4C74 |> 59 POP ECX
004B4C75 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004B4C78 |. 68 A74C4B00 PUSH Unpacked.004B4CA7
004B4C7D |> 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
004B4C80 |. BA 05000000 MOV EDX,5
004B4C85 |. E8 32FBF4FF CALL Unpacked.004047BC
004B4C8A |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004B4C8D |. BA 04000000 MOV EDX,4
004B4C92 |. E8 25FBF4FF CALL Unpacked.004047BC
004B4C97 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004B4C9A |. E8 F9FAF4FF CALL Unpacked.00404798
004B4C9F \. C3 RETN
=================================================================================
Data section used by the table lookup:
004B4CD4 . FFFFFFFF DD FFFFFFFF
004B4CD8 . 01000000 DD 00000001
004B4CDC . 34 00 ASCII "4",0
004B4CDE 00 DB 00
004B4CDF 00 DB 00
004B4CE0 . FFFFFFFF DD FFFFFFFF
004B4CE4 . 01000000 DD 00000001
004B4CE8 . 30 00 ASCII "0",0
004B4CEA 00 DB 00
004B4CEB 00 DB 00
004B4CEC . FFFFFFFF DD FFFFFFFF
004B4CF0 . 01000000 DD 00000001
004B4CF4 . 35 00 ASCII "5",0
004B4CF6 00 DB 00
004B4CF7 00 DB 00
004B4CF8 . FFFFFFFF DD FFFFFFFF
004B4CFC . 01000000 DD 00000001
004B4D00 . 39 00 ASCII "9",0
004B4D02 00 DB 00
004B4D03 00 DB 00
004B4D04 . FFFFFFFF DD FFFFFFFF
004B4D08 . 01000000 DD 00000001
004B4D0C . 36 00 ASCII "6",0
004B4D0E 00 DB 00
004B4D0F 00 DB 00
004B4D10 . FFFFFFFF DD FFFFFFFF
004B4D14 . 01000000 DD 00000001
004B4D18 . 31 00 ASCII "1",0
004B4D1A 00 DB 00
004B4D1B 00 DB 00
004B4D1C . FFFFFFFF DD FFFFFFFF
004B4D20 . 01000000 DD 00000001
004B4D24 . 37 00 ASCII "7",0
004B4D26 00 DB 00
004B4D27 00 DB 00
004B4D28 . FFFFFFFF DD FFFFFFFF
004B4D2C . 01000000 DD 00000001
004B4D30 . 33 00 ASCII "3",0
004B4D32 00 DB 00
004B4D33 00 DB 00
004B4D34 . FFFFFFFF DD FFFFFFFF
004B4D38 . 01000000 DD 00000001
004B4D3C . 38 00 ASCII "8",0
004B4D3E 00 DB 00
004B4D3F 00 DB 00
004B4D40 . FFFFFFFF DD FFFFFFFF
004B4D44 . 01000000 DD 00000001
004B4D48 . 32 00 ASCII "2",0
004B4D4A 00 DB 00
004B4D4B 00 DB 00
--------------------------------------------------------------------------------
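【Crack summary】
Algorithm summary: take the ASCII values of the first and last characters of the user name and convert them to decimal numbers. Take the ASCII value of the last digit of the first character's converted number, subtract 30, and multiply the result by 7BD; take the ASCII value of the last digit of the last character's converted number and AND it with 0FF. Multiply the two results together and convert the product to a decimal number, which becomes the first part of the lookup number. Multiply the ASCII value of each of the first five characters of the user name by its position and add the products up; add up the ASCII values of every character from the sixth onward; then add 1E8DEE and convert the result to a decimal number, which becomes the second part of the lookup number. Join the two parts together and run the table lookup:
0->4, 1->0, 2->5, 3->9, 4->6, 5->1, 6->7, 7->3, 8->8, 9->2
Two sets of codes worked out:
laochongzi                          qhst
792402004516 (lookup number)        356582003544 (lookup number)
325645446107 (registration code)    917185449166 (registration code)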
_______________________________________________________________________
【Algorithmic keygen】
Written in Easy Programming Language (易语言)
子程序:_按钮2_被单击
销毁 ()
------------------------------
子程序:_按钮1_被单击
局部容器:变量1 数据类型:整数型
局部容器:变量2 数据类型:整数型
局部容器:变量3 数据类型:整数型
局部容器:变量4 数据类型:整数型
局部容器:变量5 数据类型:整数型
局部容器:变量6 数据类型:整数型
局部容器:变量7 数据类型:整数型
局部容器:变量8 数据类型:整数型
局部容器:变量9 数据类型:整数型
局部容器:变量10 数据类型:整数型
局部容器:变量11 数据类型:整数型
局部容器:变量12 数据类型:文本型
局部容器:变量13 数据类型:文本型
局部容器:变量14 数据类型:文本型
局部容器:变量15 数据类型:文本型
局部容器:变量16 数据类型:整数型
变量1 = 到数值 (取代码 (取文本左边 (编辑框1.内容, 1), ))
变量2 = 到数值 (取代码 (取文本右边 (编辑框1.内容, 1), ))
变量3 = 到数值 (取文本右边 (到文本 (变量1), 1)) × 1981
变量4 = 位与 (到数值 (取文本右边 (到文本 (变量2), 1)), 255) × 变量3
变量5 = 取文本长度 (编辑框1.内容)
变量7 = 5
如果 (变量5 > 5)
计次循环首 (变量7, 变量7)
变量6 = 取代码 (编辑框1.内容, 变量7) × 变量7 + 变量6
计次循环尾 ()
否则
计次循环首 (变量5, 变量5)
变量6 = 取代码 (编辑框1.内容, 变量5) × 变量5 + 变量6
计次循环尾 ()
如果结束
如果真 (变量5 > 5)
变量10 = 变量5 - 5
计次循环首 (变量10, 变量10)
变量8 = 取代码 (取文本右边 (编辑框1.内容, 变量10), 1) + 变量8
计次循环尾 ()
如果真结束
变量9 = 变量6 + 2002414 + 变量8
变量12 = 到文本 (变量4) + 到文本 (变量9)
变量16 = 取文本长度 (变量12)
计次循环首 (变量16, 变量16)
如果 (取代码 (变量12, 变量16) = 48)
变量14 = “4”
否则
如果结束
如果 (取代码 (变量12, 变量16) = 49)
变量14 = “0”
否则
如果结束
如果 (取代码 (变量12, 变量16) = 50)
变量14 = “5”
否则
如果结束
如果 (取代码 (变量12, 变量16) = 51)
变量14 = “9”
否则
如果结束
如果 (取代码 (变量12, 变量16) = 52)
变量14 = “6”
否则
如果结束
如果 (取代码 (变量12, 变量16) = 53)
变量14 = “1”
否则
如果结束
如果 (取代码 (变量12, 变量16) = 54)
变量14 = “7”
否则
如果结束
如果 (取代码 (变量12, 变量16) = 55)
变量14 = “3”
否则
如果结束
如果 (取代码 (变量12, 变量16) = 56)
变量14 = “8”
否则
如果结束
如果 (取代码 (变量12, 变量16) = 57)
变量14 = “2”
否则
如果结束
变量15 = 变量15 + 变量14
计次循环尾 ()
如果 (编辑框1.内容 = “”)
信息框 (“请输入用户名”, 0, )
否则
如果结束
编辑框2.内容 = 到文本 (变量15)
--------------------------------------------------------------------------------
【Memory keygen】
Break address: 4B479B, break count: 1, first byte: E8, length: 5
Memory mode: EDX
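The break at 4B479B works because the program computes the valid code itself and holds it in EDX for the comparison, and the final lookup is a fixed one-to-one digit table. As an added example (not from the original post or the software), the sketch below confirms the table is invertible and contrasts that design with a check that only verifies a vendor signature; the toy RSA key and the names `issue_code` and `verify_code` are assumptions made for illustration.

```python
"""Added example: why a recomputed serial leaks, and a verify-only check."""
import hashlib

# Digit table recovered in the write-up: 0->4, 1->0, 2->5, ... 9->2.
TABLE = dict(zip("0123456789", "4059617382"))


def table_is_bijection(table):
    """A one-to-one digit table adds no secrecy once it has been read."""
    digits = list("0123456789")
    return sorted(table) == digits and sorted(table.values()) == digits


def undo_table(code):
    """Map a finished code back to the pre-lookup number."""
    inverse = {out: src for src, out in TABLE.items()}
    return "".join(inverse[ch] for ch in code)


# Constructed toy key from two Mersenne primes so the block runs offline.
# Primes of this special form and unpadded RSA are NOT safe in practice;
# they stand in for Ed25519 or RSA-PSS from a vetted library.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                      # public part, shipped in the client
_D = pow(E, -1, (_P - 1) * (_Q - 1))       # vendor secret, never shipped


def _digest(username):
    raw = hashlib.sha256(username.encode("utf-8")).digest()
    return int.from_bytes(raw, "big")


def issue_code(username):
    """Vendor side (hypothetical): sign the user name with the private key."""
    return format(pow(_digest(username), _D, N), "x")


def verify_code(username, code):
    """Client side (hypothetical): needs only (N, E), so the expected code
    never exists in client memory and cannot be read at a compare."""
    try:
        sig = int(code, 16)
    except ValueError:
        return False
    return 0 <= sig < N and pow(sig, E, N) == _digest(username)


if __name__ == "__main__":
    print("table invertible:", table_is_bijection(TABLE))
    print("undo:", undo_table("325645446107"))
    licence = issue_code("laochongzi")
    print("valid for laochongzi:", verify_code("laochongzi", licence))
    print("valid for qhst:", verify_code("qhst", licence))
```

A signature check like this can still be patched out at the conditional jump, so it removes the in-memory code and the keygen path but not the need for integrity protection of the binary.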
--------------------------------------------------------------------------------
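【Copyright notice】 This article is purely for technical exchange. If you repost it, please credit the author and keep the article intact. Thank you!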