【软件名称】:图片吸血鬼 1.20
【软件限制】:试用10天
【保护方式】:Aspack 2.12
【破解工具】:Ollydbg
【编程语言】:Delphi 6.0 - 7.0
【下载地址】:http://www.onlinedown.net/soft/32270.htm
【软件简介】:图片吸血鬼是一款从网站上下载图片的共享软件,它可以把网站上的图片都下载下来,特点:1,设定下载图片的格式(如jpg,gif或swf);2,可自己设置下载图片的大小;3,搜索准确度高,可以把下级页面的图片都搜索出来
—————————————————————————————————
【破解过程】:
本文出自:http://www.popbase.net
注册提示重启,搜索注册表找到
[HKEY_LOCAL_MACHINE\SOFTWARE\zy\Pic]
"Date"=hex:00,00,00,00,80,ae,e2,40
"Name"="aqtata"
"Pass"="123456"
OD加载
004FB768 . BA F0B94F00 MOV EDX,Down.004FB9F0 ; ASCII "Pass"
004FB76D . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004FB770 . E8 1705F7FF CALL Down.0046BC8C
004FB775 . 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44]
004FB778 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004FB77B . 05 DC030000 ADD EAX,3DC
004FB780 . E8 4B92F0FF CALL Down.004049D0
004FB785 . 33C0 XOR EAX,EAX
004FB787 . 55 PUSH EBP
004FB788 . 68 AEB74F00 PUSH Down.004FB7AE
004FB78D . 64:FF30 PUSH DWORD PTR FS:[EAX]
004FB790 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
004FB793 . BA 00BA4F00 MOV EDX,Down.004FBA00 ; ASCII "Date"
004FB798 . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004FB79B . E8 D405F7FF CALL Down.0046BD74
004FB7A0 . DD5D E0 FSTP QWORD PTR SS:[EBP-20]
004FB7A3 . 9B WAIT
004FB7A4 . 33C0 XOR EAX,EAX
004FB7A6 . 5A POP EDX
004FB7A7 . 59 POP ECX
004FB7A8 . 59 POP ECX
004FB7A9 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
004FB7AC . EB 29 JMP SHORT Down.004FB7D7
………………
004FB80F . E8 60DCFFFF CALL Down.004F9474 ====>算法
004FB814 . 8B55 B8 MOV EDX,DWORD PTR SS:[EBP-48] ====>真码
004FB817 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004FB81A . 8B80 DC030000 MOV EAX,DWORD PTR DS:[EAX+3DC] ====>假码
004FB820 . E8 5395F0FF CALL Down.00404D78
004FB825 . 75 25 JNZ SHORT Down.004FB84C ====>爆破点,改nop
跟进算法call,下面某些数值因注册名而不同,这里假设为aqtata
004F9474 /$ 55 PUSH EBP
004F9475 |. 8BEC MOV EBP,ESP
004F9477 |. 51 PUSH ECX
004F9478 |. B9 04000000 MOV ECX,4
………………
004F94B7 |. 85F6 TEST ESI,ESI
004F94B9 |. 7E 26 JLE SHORT Down.004F94E1 ====>测试用户名长度,跳了就挂
004F94BB |. BB 01000000 MOV EBX,1
004F94C0 |> 8D4D EC /LEA ECX,DWORD PTR SS:[EBP-14]
004F94C3 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4]
004F94C6 |. 0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] ====>依次取ascii码
004F94CB |. 33D2 |XOR EDX,EDX
004F94CD |. E8 62FDF0FF |CALL Down.00409234 ====>转换成字符
004F94D2 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14] ====>送到edx
004F94D5 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
004F94D8 |. E8 5FB7F0FF |CALL Down.00404C3C ====>连接字符
004F94DD |. 43 |INC EBX
004F94DE |. 4E |DEC ESI
004F94DF |.^75 DF \JNZ SHORT Down.004F94C0
004F94E1 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ====>"617174617461",设为n1
004F94E4 |. E8 4BB7F0FF CALL Down.00404C34
004F94E9 |. 8BF0 MOV ESI,EAX
004F94EB |. 85F6 TEST ESI,ESI
004F94ED |. 7E 2C JLE SHORT Down.004F951B
004F94EF |. BB 01000000 MOV EBX,1
004F94F4 |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8] ====>第2个循环开始
004F94F7 |. E8 38B7F0FF |CALL Down.00404C34
004F94FC |. 2BC3 |SUB EAX,EBX
004F94FE |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
004F9501 |. 8A1402 |MOV DL,BYTE PTR DS:[EDX+EAX]
004F9504 |. 8D45 E8 |LEA EAX,DWORD PTR SS:[EBP-18]
004F9507 |. E8 50B6F0FF |CALL Down.00404B5C
004F950C |. 8B55 E8 |MOV EDX,DWORD PTR SS:[EBP-18]
004F950F |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
004F9512 |. E8 25B7F0FF |CALL Down.00404C3C
004F9517 |. 43 |INC EBX
004F9518 |. 4E |DEC ESI
004F9519 |.^75 D9 \JNZ SHORT Down.004F94F4 ====>就是把n1倒序排列,"164716471716",设n2
004F951B |> 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004F951E |. 50 PUSH EAX
004F951F |. B9 04000000 MOV ECX,4
004F9524 |. BA 01000000 MOV EDX,1
004F9529 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004F952C |. E8 5BB9F0FF CALL Down.00404E8C
004F9531 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004F9534 |. 50 PUSH EAX
004F9535 |. B9 04000000 MOV ECX,4
004F953A |. BA 05000000 MOV EDX,5
004F953F |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004F9542 |. E8 45B9F0FF CALL Down.00404E8C
004F9547 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ====>n2前4位
004F954A |. E8 E5B6F0FF CALL Down.00404C34
004F954F |. 83F8 04 CMP EAX,4
004F9552 |. 7D 2F JGE SHORT Down.004F9583
004F9554 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004F9557 |. E8 D8B6F0FF CALL Down.00404C34
004F955C |. 8BD8 MOV EBX,EAX
004F955E |. 83FB 03 CMP EBX,3
004F9561 |. 7F 20 JG SHORT Down.004F9583
004F9563 |> 8D4D E4 /LEA ECX,DWORD PTR SS:[EBP-1C]
004F9566 |. 8BC3 |MOV EAX,EBX
004F9568 |. C1E0 02 |SHL EAX,2
004F956B |. 33D2 |XOR EDX,EDX
004F956D |. E8 C2FCF0FF |CALL Down.00409234
004F9572 |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
004F9575 |. 8D45 F8 |LEA EAX,DWORD PTR SS:[EBP-8]
004F9578 |. E8 BFB6F0FF |CALL Down.00404C3C
004F957D |. 43 |INC EBX
004F957E |. 83FB 04 |CMP EBX,4
004F9581 |.^75 E0 \JNZ SHORT Down.004F9563
004F9583 |> 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004F9586 |. E8 A9B6F0FF CALL Down.00404C34
004F958B |. 83F8 04 CMP EAX,4
004F958E |. 7D 2F JGE SHORT Down.004F95BF
004F9590 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004F9593 |. E8 9CB6F0FF CALL Down.00404C34
004F9598 |. 8BD8 MOV EBX,EAX
004F959A |. 83FB 03 CMP EBX,3
004F959D |. 7F 20 JG SHORT Down.004F95BF
004F959F |> 8D4D E0 /LEA ECX,DWORD PTR SS:[EBP-20]
004F95A2 |. 8BC3 |MOV EAX,EBX
004F95A4 |. C1E0 02 |SHL EAX,2
004F95A7 |. 33D2 |XOR EDX,EDX
004F95A9 |. E8 86FCF0FF |CALL Down.00409234
004F95AE |. 8B55 E0 |MOV EDX,DWORD PTR SS:[EBP-20]
004F95B1 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
004F95B4 |. E8 83B6F0FF |CALL Down.00404C3C
004F95B9 |. 43 |INC EBX
004F95BA |. 83FB 04 |CMP EBX,4
004F95BD |.^75 E0 \JNZ SHORT Down.004F959F
004F95BF |> 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004F95C2 |. BA 4C964F00 MOV EDX,Down.004F964C ; ASCII "Pic4ei8espr"
004F95C7 |. E8 48B4F0FF CALL Down.00404A14
004F95CC |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004F95CF |. 50 PUSH EAX
004F95D0 |. B9 04000000 MOV ECX,4
004F95D5 |. BA 01000000 MOV EDX,1
004F95DA |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004F95DD |. E8 AAB8F0FF CALL Down.00404E8C
004F95E2 |. FF75 DC PUSH DWORD PTR SS:[EBP-24] ====>"pic4"
004F95E5 |. 68 60964F00 PUSH Down.004F9660
004F95EA |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ====>n2前4位
004F95ED |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004F95F0 |. 50 PUSH EAX
004F95F1 |. B9 05000000 MOV ECX,5
004F95F6 |. BA 05000000 MOV EDX,5
004F95FB |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004F95FE |. E8 89B8F0FF CALL Down.00404E8C
004F9603 |. FF75 D8 PUSH DWORD PTR SS:[EBP-28]
004F9606 |. 68 60964F00 PUSH Down.004F9660
004F960B |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
004F960E |. 8BC7 MOV EAX,EDI
004F9610 |. BA 06000000 MOV EDX,6
004F9615 |. E8 DAB6F0FF CALL Down.00404CF4
004F961A |. 33C0 XOR EAX,EAX
004F961C |. 5A POP EDX
004F961D |. 59 POP ECX
004F961E |. 59 POP ECX
004F961F |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004F9622 |. 68 3C964F00 PUSH Down.004F963C
004F9627 |> 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004F962A |. BA 0A000000 MOV EDX,0A
004F962F |. E8 6CB3F0FF CALL Down.004049A0
004F9634 \. C3 RETN
004F9635 .^E9 E6ACF0FF JMP Down.00404320
004F963A .^EB EB JMP SHORT Down.004F9627
004F963C . 5F POP EDI
004F963D . 5E POP ESI
004F963E . 5B POP EBX
004F963F . 8BE5 MOV ESP,EBP
004F9641 . 5D POP EBP
004F9642 . C3 RETN
不写了,没什么好写的,很简单
1.将注册码的ascii码连接起来,设为n1
2.将n1倒序排列,设为n2
3.注册码的固定式:Pic4-****ei8es-****
从左往右,星号部分依次为n2的1至8位
—————————————————————————————————
【暴 破】:
004FB825 . 75 25 JNZ SHORT Down.004FB84C ====>改nop
—————————————————————————————————
【注册码】:
注册名:aqtata
注册码:Pic4-1647ei8es-1647
—————————————————————————————————
【注册机】:
Private Sub Command1_Click()
Dim yhm As String
yhm = Text1.Text
If Len(yhm) < 4 Then
MsgBox "用户名至少填写4位!", 64
Exit Sub
End If
Dim i As Integer, ss As String
For i = 1 To Len(yhm)
ss = ss & Hex(Asc(Mid(yhm, i, 1)))
Next
yhm = ""
For i = Len(ss) To 1 Step -1
yhm = yhm & Mid(ss, i, 1)
Next
Text2.Text = "Pic4-" & Left(yhm, 4) & "ei8es-" & Mid(yhm, 5, 4)
End Sub
—————————————————————————————————
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
菜鸟表示很有鸭梨
