【Target】ChrisTWEAK 1.50
【Download】http://www.onlinedown.net/soft/45416.htm
【Category】Foreign software / shareware / video tools
【Environment】Win9x/Me/NT/2000/XP/2003
【Protection】User name + serial number
【Tools】WinXP, OllyDbg, PEiD
【Author's note】I am a beginner at cracking and do this purely out of interest, to pass spare time. Corrections from more experienced members are very welcome.
【Software】ChrisTWEAK fine-tunes TV capture cards to improve recording quality.
I. Reconnaissance
PEiD check: UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
Unpacking is omitted here; after unpacking, PEiD reports: Borland Delphi 6.0 - 7.0
KANAL analysis: MD5 + SHA-384 + SHA-512 + TIGER
Enter User Name: wzwgp, Serial Number: 12345678, click "Register": the message "The Serial is not valid" appears.
II. Tracing the algorithm
Load the program in OllyDbg and look at the string references: nothing useful turns up. Instead, search for the hash algorithms' initialization constants, return up the call chain one level at a time, and arrive at the following:
004CA690 /. 55 PUSH EBP ; F2
004CA691 |. 8BEC MOV EBP,ESP
004CA693 |. B9 08000000 MOV ECX,8
004CA698 |> 6A 00 /PUSH 0
004CA69A |. 6A 00 |PUSH 0
004CA69C |. 49 |DEC ECX
004CA69D |.^ 75 F9 \JNZ SHORT ChrisTWE.004CA698 ; reserve 64 bytes of zeroed stack
004CA69F |. 53 PUSH EBX
004CA6A0 |. 56 PUSH ESI
004CA6A1 |. 8BD8 MOV EBX,EAX
004CA6A3 |. 33C0 XOR EAX,EAX
004CA6A5 |. 55 PUSH EBP
004CA6A6 |. 68 D4A84C00 PUSH ChrisTWE.004CA8D4
004CA6AB |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004CA6AE |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004CA6B1 |> E8 56C6F3FF /CALL <JMP.&kernel32.GetTickCount> ; [GetTickCount
004CA6B6 |. 8BF0 |MOV ESI,EAX
004CA6B8 |. 68 E8030000 |PUSH 3E8 ; /Timeout = 1000. ms
004CA6BD |. E8 CE3FF4FF |CALL <JMP.&kernel32.Sleep> ; \Sleep
004CA6C2 |. E8 45C6F3FF |CALL <JMP.&kernel32.GetTickCount> ; [GetTickCount
004CA6C7 |. 81C6 E7030000 |ADD ESI,3E7
004CA6CD |. 3BC6 |CMP EAX,ESI
004CA6CF |.^ 72 E0 \JB SHORT ChrisTWE.004CA6B1
004CA6D1 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004CA6D4 |. 8B83 38030000 MOV EAX,DWORD PTR DS:[EBX+338]
004CA6DA |. E8 A1AEF9FF CALL ChrisTWE.00465580 ; has a user name been entered?
004CA6DF |. 837D F0 00 CMP DWORD PTR SS:[EBP-10],0
004CA6E3 |. 75 1F JNZ SHORT ChrisTWE.004CA704 ; jump if a user name was entered
004CA6E5 |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
004CA6E8 |. BA 10000000 MOV EDX,10
004CA6ED |. B8 ECA84C00 MOV EAX,ChrisTWE.004CA8EC ; dxu0ecub0^q}u0vyu|t0yc0u}`di>
004CA6F2 |. E8 79AFFBFF CALL ChrisTWE.00485670
004CA6F7 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004CA6FA |. E8 0D7AF6FF CALL ChrisTWE.0043210C
004CA6FF |. E9 66010000 JMP ChrisTWE.004CA86A
004CA704 |> 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004CA707 |. 8B83 78030000 MOV EAX,DWORD PTR DS:[EBX+378]
004CA70D |. E8 6EAEF9FF CALL ChrisTWE.00465580 ; has a serial been entered?
004CA712 |. 837D E8 00 CMP DWORD PTR SS:[EBP-18],0
004CA716 |. 75 1F JNZ SHORT ChrisTWE.004CA737 ; jump if a serial was entered
004CA718 |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
004CA71B |. BA 09000000 MOV EDX,9
004CA720 |. B8 14A94C00 MOV EAX,ChrisTWE.004CA914 ; ]al)zl{`he)g|dkl{)o`lem)`z)ldy}p
004CA725 |. E8 46AFFBFF CALL ChrisTWE.00485670
004CA72A |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
004CA72D |. E8 DA79F6FF CALL ChrisTWE.0043210C
004CA732 |. E9 33010000 JMP ChrisTWE.004CA86A
004CA737 |> 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004CA73A |. 8BB3 38030000 MOV ESI,DWORD PTR DS:[EBX+338]
004CA740 |. 8BC6 MOV EAX,ESI
004CA742 |. E8 39AEF9FF CALL ChrisTWE.00465580
004CA747 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] ; user name address into EAX
004CA74A |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
004CA74D |. E8 F6E4F3FF CALL ChrisTWE.00408C48
004CA752 |. 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
004CA755 |. 8BC6 MOV EAX,ESI
004CA757 |. E8 54AEF9FF CALL ChrisTWE.004655B0
004CA75C |. 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
004CA75F |. 8BB3 78030000 MOV ESI,DWORD PTR DS:[EBX+378]
004CA765 |. 8BC6 MOV EAX,ESI
004CA767 |. E8 14AEF9FF CALL ChrisTWE.00465580 ; fetch the entered serial
004CA76C |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004CA76F |. 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
004CA772 |. E8 D1E4F3FF CALL ChrisTWE.00408C48
004CA777 |. 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
004CA77A |. 8BC6 MOV EAX,ESI
004CA77C |. E8 2FAEF9FF CALL ChrisTWE.004655B0
004CA781 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004CA784 |. 8B83 38030000 MOV EAX,DWORD PTR DS:[EBX+338]
004CA78A |. E8 F1ADF9FF CALL ChrisTWE.00465580
004CA78F |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004CA792 |. 8B83 78030000 MOV EAX,DWORD PTR DS:[EBX+378]
004CA798 |. E8 E3ADF9FF CALL ChrisTWE.00465580
004CA79D |. 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
004CA7A0 |. 8B83 38030000 MOV EAX,DWORD PTR DS:[EBX+338]
004CA7A6 |. E8 D5ADF9FF CALL ChrisTWE.00465580
004CA7AB |. 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
004CA7AE |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004CA7B1 |. E8 CEB7FBFF CALL ChrisTWE.00485F84 ; algorithm call, F7 to step in
004CA7B6 |. 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
004CA7B9 |. 50 PUSH EAX
004CA7BA |. B9 05000000 MOV ECX,5
004CA7BF |. BA 01000000 MOV EDX,1
004CA7C4 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; entered serial into EAX
004CA7C7 |. E8 A0A4F3FF CALL ChrisTWE.00404C6C
004CA7CC |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34] ; first 5 characters of the entered serial into EAX
004CA7CF |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; computed result into EDX
004CA7D2 |. E8 79A5F3FF CALL ChrisTWE.00404D50 ; serial check: EAX=1 pass, EAX=0 fail
004CA7D7 |. 48 DEC EAX
004CA7D8 |. 75 71 JNZ SHORT ChrisTWE.004CA84B
004CA7DA |. 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
004CA7DD |. 50 PUSH EAX
004CA7DE |. B9 05000000 MOV ECX,5
004CA7E3 |. BA 06000000 MOV EDX,6
004CA7E8 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004CA7EB |. E8 7CA4F3FF CALL ChrisTWE.00404C6C
004CA7F0 |. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
004CA7F3 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004CA7F6 |. E8 55A5F3FF CALL ChrisTWE.00404D50 ; serial check
004CA7FB |. 83F8 06 CMP EAX,6
004CA7FE |. 75 4B JNZ SHORT ChrisTWE.004CA84B
004CA800 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004CA803 |. E8 04A2F3FF CALL ChrisTWE.00404A0C ; length of the entered serial
004CA808 |. 8BD8 MOV EBX,EAX
004CA80A |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004CA80D |. E8 FAA1F3FF CALL ChrisTWE.00404A0C ; length of the real serial
004CA812 |. 2BD8 SUB EBX,EAX ; difference between the two lengths
004CA814 |. 4B DEC EBX
004CA815 |. 74 34 JE SHORT ChrisTWE.004CA84B
004CA817 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004CA81A |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004CA81D |. E8 36A3F3FF CALL ChrisTWE.00404B58 ; compare the serial once more
004CA822 |. 75 27 JNZ SHORT ChrisTWE.004CA84B
004CA824 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C] ; hash result into EDX
004CA827 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] ; user name address into EAX
004CA82A |. E8 C9B5FBFF CALL ChrisTWE.00485DF8 ; write registration info to the registry
004CA82F |. 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004CA832 |. BA 08000000 MOV EDX,8
004CA837 |. B8 40A94C00 MOV EAX,ChrisTWE.004CA940 ; \`ifc(qg}(ngz(x}zk`i{afo(k`za{\_mic&
004CA83C |. E8 2FAEFBFF CALL ChrisTWE.00485670
004CA841 |. 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
004CA844 |. E8 C378F6FF CALL ChrisTWE.0043210C ; success message "Thank You for purchasing ChrisTWEAK."
004CA849 |. EB 1F JMP SHORT ChrisTWE.004CA86A
004CA84B |> E8 74BCFBFF CALL ChrisTWE.004864C4
004CA850 |. 8D4D C0 LEA ECX,DWORD PTR SS:[EBP-40]
004CA853 |. BA 1C000000 MOV EDX,1C
004CA858 |. B8 70A94C00 MOV EAX,ChrisTWE.004CA970 ; hty<oynu}p<riq~yn<uo<rsh<j}pux2
004CA85D |. E8 0EAEFBFF CALL ChrisTWE.00485670
004CA862 |. 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
004CA865 |. E8 A278F6FF CALL ChrisTWE.0043210C ; failure message "The Serial is not valid"
004CA86A |> 33C0 XOR EAX,EAX
004CA86C |. 5A POP EDX
004CA86D |. 59 POP ECX
004CA86E |. 59 POP ECX
004CA86F |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004CA872 |. 68 DBA84C00 PUSH ChrisTWE.004CA8DB
004CA877 |> 8D45 C0 LEA EAX,DWORD PTR SS:[EBP-40]
004CA87A |. BA 04000000 MOV EDX,4
004CA87F |. E8 EC9EF3FF CALL ChrisTWE.00404770
004CA884 |. 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
004CA887 |. BA 02000000 MOV EDX,2
004CA88C |. E8 DF9EF3FF CALL ChrisTWE.00404770
004CA891 |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004CA894 |. E8 B39EF3FF CALL ChrisTWE.0040474C
004CA899 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004CA89C |. E8 AB9EF3FF CALL ChrisTWE.0040474C
004CA8A1 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004CA8A4 |. BA 02000000 MOV EDX,2
004CA8A9 |. E8 C29EF3FF CALL ChrisTWE.00404770
004CA8AE |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004CA8B1 |. E8 969EF3FF CALL ChrisTWE.0040474C
004CA8B6 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004CA8B9 |. E8 8E9EF3FF CALL ChrisTWE.0040474C
004CA8BE |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004CA8C1 |. E8 869EF3FF CALL ChrisTWE.0040474C
004CA8C6 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004CA8C9 |. BA 03000000 MOV EDX,3
004CA8CE |. E8 9D9EF3FF CALL ChrisTWE.00404770
004CA8D3 \. C3 RETN
Press F7 at 004CA7B1 to step into the algorithm call:
00485F84 55 PUSH EBP
00485F85 8BEC MOV EBP,ESP
00485F87 83C4 C4 ADD ESP,-3C
00485F8A 53 PUSH EBX
00485F8B 56 PUSH ESI
00485F8C 57 PUSH EDI
00485F8D 33C9 XOR ECX,ECX
00485F8F 894D C4 MOV DWORD PTR SS:[EBP-3C],ECX ; ECX=0
00485F92 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
00485F95 894D E0 MOV DWORD PTR SS:[EBP-20],ECX
00485F98 894D D8 MOV DWORD PTR SS:[EBP-28],ECX
00485F9B 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00485F9E 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; EAX = user name address
00485FA1 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; user name into EAX
00485FA4 E8 53ECF7FF CALL ChrisTWE.00404BFC
00485FA9 33C0 XOR EAX,EAX
00485FAB 55 PUSH EBP
00485FAC 68 73614800 PUSH ChrisTWE.00486173
00485FB1 64:FF30 PUSH DWORD PTR FS:[EAX]
00485FB4 64:8920 MOV DWORD PTR FS:[EAX],ESP
00485FB7 E8 500DF8FF CALL <JMP.&kernel32.GetTickCount>
00485FBC 8BD8 MOV EBX,EAX
00485FBE 68 58020000 PUSH 258
00485FC3 E8 C886F8FF CALL <JMP.&kernel32.Sleep>
00485FC8 E8 3F0DF8FF CALL <JMP.&kernel32.GetTickCount>
00485FCD 81C3 57020000 ADD EBX,257
00485FD3 3BC3 CMP EAX,EBX
00485FD5 ^ 72 E0 JB SHORT ChrisTWE.00485FB7
00485FD7 68 8C614800 PUSH ChrisTWE.0048618C ; (ASCII "tweak#")
00485FDC FF75 FC PUSH DWORD PTR SS:[EBP-4] ; [EBP-4]=(ASCII "wzwgp")
00485FDF 68 9C614800 PUSH ChrisTWE.0048619C ; [48619C]=26 (&)
00485FE4 68 A8614800 PUSH ChrisTWE.004861A8 ; (ASCII "pc")
00485FE9 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00485FEC BA 04000000 MOV EDX,4
00485FF1 E8 D6EAF7FF CALL ChrisTWE.00404ACC ; concatenate around the user name (tweak#wzwgp&pc)
00485FF6 33C9 XOR ECX,ECX
00485FF8 B2 01 MOV DL,1
00485FFA A1 40404800 MOV EAX,DWORD PTR DS:[484040]
00485FFF E8 70D2F9FF CALL ChrisTWE.00423274
00486004 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00486007 33C9 XOR ECX,ECX
00486009 B2 01 MOV DL,1
0048600B A1 8C694700 MOV EAX,DWORD PTR DS:[47698C]
00486010 E8 5FD2F9FF CALL ChrisTWE.00423274
00486015 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00486018 33C9 XOR ECX,ECX
0048601A B2 01 MOV DL,1
0048601C A1 CC134800 MOV EAX,DWORD PTR DS:[4813CC]
00486021 E8 4ED2F9FF CALL ChrisTWE.00423274
00486026 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00486029 33C9 XOR ECX,ECX
0048602B B2 01 MOV DL,1
0048602D A1 5C6A4700 MOV EAX,DWORD PTR DS:[476A5C]
00486032 E8 3DD2F9FF CALL ChrisTWE.00423274
00486037 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0048603A 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0048603D 8B10 MOV EDX,DWORD PTR DS:[EAX]
0048603F FF52 40 CALL NEAR DWORD PTR DS:[EDX+40]
00486042 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00486045 8B10 MOV EDX,DWORD PTR DS:[EAX]
00486047 FF52 40 CALL NEAR DWORD PTR DS:[EDX+40]
0048604A 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0048604D 8B10 MOV EDX,DWORD PTR DS:[EAX]
0048604F FF52 40 CALL NEAR DWORD PTR DS:[EDX+40]
00486052 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00486055 8B10 MOV EDX,DWORD PTR DS:[EAX]
00486057 FF52 40 CALL NEAR DWORD PTR DS:[EDX+40]
0048605A 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0048605D 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
00486060 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00486063 8945 C8 MOV DWORD PTR SS:[EBP-38],EAX
00486066 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00486069 8945 CC MOV DWORD PTR SS:[EBP-34],EAX
0048606C 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0048606F 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX
00486072 C745 DC 0400000>MOV DWORD PTR SS:[EBP-24],4
00486079 8D5D C8 LEA EBX,DWORD PTR SS:[EBP-38]
0048607C 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; [EBP-C]=(ASCII "tweak#wzwgp&pc")
0048607F 8B03 MOV EAX,DWORD PTR DS:[EBX]
00486081 E8 9E07FFFF CALL ChrisTWE.00476824 ; length of the user name (data to be hashed)
00486086 8B03 MOV EAX,DWORD PTR DS:[EBX]
00486088 8B10 MOV EDX,DWORD PTR DS:[EAX]
0048608A FF52 38 CALL NEAR DWORD PTR DS:[EDX+38] ; EAX=180, C0, 200, 80
0048608D 85C0 TEST EAX,EAX
0048608F 79 03 JNS SHORT ChrisTWE.00486094
00486091 83C0 07 ADD EAX,7
00486094 C1F8 03 SAR EAX,3 ; EAX=180, C0, 200, 80 SAR 3 = 30, 18, 40, 10
00486097 50 PUSH EAX
00486098 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0048609B B9 01000000 MOV ECX,1
004860A0 8B15 605F4800 MOV EDX,DWORD PTR DS:[485F60] ; ChrisTWE.00485F64
004860A6 E8 85F9F7FF CALL ChrisTWE.00405A30 ; fetch the data to be hashed
004860AB 83C4 04 ADD ESP,4
004860AE 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
004860B1 8B03 MOV EAX,DWORD PTR DS:[EBX]
004860B3 8B08 MOV ECX,DWORD PTR DS:[EAX]
004860B5 FF51 44 CALL NEAR DWORD PTR DS:[ECX+44] ; SHA-384, Tiger, SHA-512, MD5 computation
004860B8 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004860BB E8 8CE6F7FF CALL ChrisTWE.0040474C
004860C0 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] ; 计算结果地址入EAX
004860C3 E8 8CF7F7FF CALL ChrisTWE.00405854 ; length of the hash result
004860C8 8BF0 MOV ESI,EAX ; EAX=30, 18
004860CA 4E DEC ESI ; ESI=30, 18 - 1 = 2F, 17
004860CB 85F6 TEST ESI,ESI
004860CD 7C 26 JL SHORT ChrisTWE.004860F5
004860CF 46 INC ESI
004860D0 33FF XOR EDI,EDI
004860D2 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] ; result address into EAX
004860D5 0FB60438 MOVZX EAX,BYTE PTR DS:[EAX+EDI] ; take the result one byte at a time
004860D9 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004860DC BA 02000000 MOV EDX,2
004860E1 E8 AA2DF8FF CALL ChrisTWE.00408E90 ; save the result byte on the stack
004860E6 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
004860E9 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004860EC E8 23E9F7FF CALL ChrisTWE.00404A14 ; append to the result string
004860F1 47 INC EDI ; EDI = counter
004860F2 4E DEC ESI ; all bytes taken?
004860F3 ^ 75 DD JNZ SHORT ChrisTWE.004860D2 ; not yet, continue
004860F5 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] ; [EBP-C]="tweak#wzwgp&pc"
004860F8 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28] ; result into EDX
004860FB E8 E4E6F7FF CALL ChrisTWE.004047E4 ; result into [EBP-C] as input for the next round
00486100 83C3 04 ADD EBX,4
00486103 FF4D DC DEC DWORD PTR SS:[EBP-24] ; [EBP-24] = round counter
00486106 ^ 0F85 70FFFFFF JNZ ChrisTWE.0048607C ; rounds remaining, jump back to 48607C
0048610C 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0048610F E8 ACD7F7FF CALL ChrisTWE.004038C0
00486114 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00486117 E8 A4D7F7FF CALL ChrisTWE.004038C0
0048611C 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0048611F E8 9CD7F7FF CALL ChrisTWE.004038C0
00486124 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00486127 E8 94D7F7FF CALL ChrisTWE.004038C0
0048612C 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0048612F 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; final result address into EDX
00486132 E8 69E6F7FF CALL ChrisTWE.004047A0 ; move it to the stack
00486137 33C0 XOR EAX,EAX
00486139 5A POP EDX
0048613A 59 POP ECX
0048613B 59 POP ECX
0048613C 64:8910 MOV DWORD PTR FS:[EAX],EDX
0048613F 68 7A614800 PUSH ChrisTWE.0048617A
00486144 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
00486147 E8 00E6F7FF CALL ChrisTWE.0040474C
0048614C 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
0048614F E8 F8E5F7FF CALL ChrisTWE.0040474C
00486154 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00486157 8B15 605F4800 MOV EDX,DWORD PTR DS:[485F60] ; ChrisTWE.00485F64
0048615D E8 DAF8F7FF CALL ChrisTWE.00405A3C
00486162 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00486165 E8 E2E5F7FF CALL ChrisTWE.0040474C
0048616A 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0048616D E8 DAE5F7FF CALL ChrisTWE.0040474C
00486172 C3 RETN
00486173 ^\E9 F0DEF7FF JMP ChrisTWE.00404068
00486178 ^ EB CA JMP SHORT ChrisTWE.00486144
0048617A 5F POP EDI
0048617B 5E POP ESI
0048617C 5B POP EBX
0048617D 8BE5 MOV ESP,EBP
0048617F 5D POP EBP
00486180 C3 RETN ; return to 004CA7B6
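Both routines above open with the same delay loop (004CA6B1 and 00485FB7): sample GetTickCount, Sleep, sample again, and repeat until the second sample has reached start + (delay - 1). Because the compare is `CMP EAX,ESI` / `JB` on two absolute tick values, it misbehaves when `ADD ESI,3E7` wraps past 0xFFFFFFFF: a Sleep that returned early then passes the check on the first iteration. The following is an added example, not code from ChrisTWEAK; it models the loop with an injected 32-bit clock (the `tickClock` type, `honestSleep` and `shortSleep` are constructed for the demonstration) and places the wrap-safe form, which compares the elapsed difference, beside the literal one.

```go
package main

import "fmt"

// tickClock stands in for GetTickCount: a 32-bit millisecond counter that
// wraps to 0 after 2^32 ms (about 49.7 days), like the real one.
type tickClock struct{ now uint32 }

// advance models time passing; uint32 arithmetic gives the wraparound.
func (c *tickClock) advance(ms uint32) { c.now += ms }

// waitAsInBinary mirrors the disassembly literally:
//   ESI = start + (delay-1)   (ADD ESI,3E7; wraps at 2^32)
//   loop while now < ESI      (CMP EAX,ESI / JB, unsigned)
// It returns the number of passes through the loop, capped at maxIter so a
// sleep that never advances the clock cannot hang the example.
func waitAsInBinary(c *tickClock, sleep func(*tickClock, uint32), delay uint32, maxIter int) int {
	iters := 0
	for iters < maxIter {
		iters++
		start := c.now                  // first GetTickCount
		sleep(c, delay)                 // Sleep(delay)
		deadline := start + (delay - 1) // may wrap past 0xFFFFFFFF
		if c.now >= deadline {          // second GetTickCount vs ESI
			return iters
		}
	}
	return iters
}

// waitWrapSafe is the corrected form: compare the elapsed difference
// (unsigned subtraction is wrap-safe) instead of two absolute tick values.
func waitWrapSafe(c *tickClock, sleep func(*tickClock, uint32), delay uint32, maxIter int) int {
	iters := 0
	for iters < maxIter {
		iters++
		start := c.now
		sleep(c, delay)
		if c.now-start >= delay-1 {
			return iters
		}
	}
	return iters
}

// honestSleep advances the clock by the full requested time.
func honestSleep(c *tickClock, ms uint32) { c.advance(ms) }

// shortSleep models a Sleep that returns early (for example a hooked or
// patched Sleep): it advances the clock by only 100 ms whatever was asked.
func shortSleep(c *tickClock, _ uint32) { c.advance(100) }

// demo runs both variants from a constructed start tick with the given sleep
// and returns (iterations of the literal loop, iterations of the safe loop).
func demo(startTick uint32, sleep func(*tickClock, uint32)) (int, int) {
	const delay, limit = 1000, 5
	a := &tickClock{now: startTick}
	b := &tickClock{now: startTick}
	return waitAsInBinary(a, sleep, delay, limit), waitWrapSafe(b, sleep, delay, limit)
}

func main() {
	fmt.Println(demo(1000, honestSleep))      // 1 1: both pass on the first try
	fmt.Println(demo(1000, shortSleep))       // 5 5: both keep looping (hit the cap)
	fmt.Println(demo(0xFFFFFE0B, shortSleep)) // 1 5: the literal loop is fooled by the wrap
}
```

The third case starts 501 ms before the counter wraps: the literal loop's deadline wraps to a small value, so the early-returning sleep is accepted at once, while the difference-based check keeps waiting.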
III. Algorithm summary
1. Concatenate the user name with fixed strings.
Example: wzwgp ---> tweak# + wzwgp + & + pc ---> tweak#wzwgp&pc
2. SHA-384 hash the concatenated string.
Example: tweak#wzwgp&pc
--SHA-384-->
FCF52ED7CCE37C91A0EED14A82FCD58E96D3D1416D1528EC
6E32CEF5A1AAD0BC239AB0980342ED5E5A2188677A0B93FA
3. Tiger-hash the last 32 characters of the SHA-384 output.
Example: 239AB0980342ED5E5A2188677A0B93FA
--TIGER-->
2DCC59CF67FF10D5A679705BDF4AB0EDEB4789917754C4DF
4. SHA-512 hash the Tiger output.
Example: 2DCC59CF67FF10D5A679705BDF4AB0EDEB4789917754C4DF
--SHA-512-->
C9798A3C5D602F0EE146F4ED60EF3AB71D81714FD9C7C93E088604E5EBD71D78
6E80DE042D0DDD4E9D7ADA989994C61298C49008E470653DFDE62EC94C457F41
5. MD5 hash the SHA-512 output; the result is the serial number.
Example: C9798A3C5D602F0EE146F4ED60EF3AB71D81714FD9C7C93E088604E5EBD71D78
6E80DE042D0DDD4E9D7ADA989994C61298C49008E470653DFDE62EC94C457F41
--MD5--> B5AC6D43AC2715DD5D2EA3D4961F3A6C
User name: wzwgp
Serial number: B5AC6D43AC2715DD5D2EA3D4961F3A6C
Registration information is stored under:
HKEY_LOCAL_MACHINE\SOFTWARE\ChrisTWEAK
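The summary above shows why this kind of scheme gives no protection: the serial is a pure function of the user name and of constants compiled into the program, so the routine that verifies a serial is also the routine that generates one, and anyone who has the binary has the generator. The following is an added example, not ChrisTWEAK's code. The first part models that design in simplified form: Go's standard library has no Tiger, so the chain here is SHA-384 -> SHA-512 -> MD5 with placeholder affixes (`demoPrefix`, `demoSuffix`), and it deliberately does not reproduce ChrisTWEAK serials; it does follow the page's convention of re-encoding each digest as uppercase hex before the next round. The second part is the remedy: a license the program can verify but cannot issue, using an Ed25519 signature over the user name, so the shipped binary holds only the public key (`issueLicense`, `verifyLicense` and `demoSigned` are names chosen for this example).

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"strings"
)

// Placeholders for the fixed strings the program concatenates around the
// user name; not the product's own constants.
const (
	demoPrefix = "demo#"
	demoSuffix = "&demo"
)

func hexUpper(b []byte) string { return strings.ToUpper(hex.EncodeToString(b)) }

// isUpperHex reports whether s consists only of 0-9 and A-F.
func isUpperHex(s string) bool {
	for _, r := range s {
		if !(r >= '0' && r <= '9') && !(r >= 'A' && r <= 'F') {
			return false
		}
	}
	return true
}

// chainSerial: each digest is hex-encoded and fed to the next hash, the
// same structure as the page's chain (minus Tiger). Output is 32 hex chars.
func chainSerial(user string) string {
	s := demoPrefix + user + demoSuffix
	d1 := sha512.Sum384([]byte(s))
	s = hexUpper(d1[:]) // 96 hex characters
	d2 := sha512.Sum512([]byte(s))
	s = hexUpper(d2[:]) // 128 hex characters
	d3 := md5.Sum([]byte(s))
	return hexUpper(d3[:])
}

// chainVerify is the check such a program has to ship. It recomputes the
// serial from scratch, so the verifier is the generator: no secret is
// involved that the binary does not already contain.
func chainVerify(user, serial string) bool { return chainSerial(user) == serial }

// issueLicense runs at the vendor: sign the user name with a private key
// that never leaves the vendor. The license is the hex-encoded signature.
func issueLicense(priv ed25519.PrivateKey, user string) string {
	return hexUpper(ed25519.Sign(priv, []byte(user)))
}

// verifyLicense runs in the shipped program, which embeds only the public
// key. Recovering this code from the binary does not let anyone issue licenses.
func verifyLicense(pub ed25519.PublicKey, user, license string) bool {
	sig, err := hex.DecodeString(license)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(user), sig)
}

// demoSigned generates a vendor key pair, issues a license for user and
// returns (valid license accepted, same license for another user accepted,
// license with one altered character accepted).
func demoSigned(user string) (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	lic := issueLicense(priv, user)
	alt := "A"
	if lic[0] == 'A' {
		alt = "B"
	}
	tampered := alt + lic[1:]
	return verifyLicense(pub, user, lic),
		verifyLicense(pub, user+"x", lic),
		verifyLicense(pub, user, tampered)
}

func main() {
	user := "wzwgp"
	serial := chainSerial(user)
	fmt.Println("hash-chain serial:", serial, "accepted:", chainVerify(user, serial))
	ok, otherUser, tampered := demoSigned(user)
	fmt.Println("signed license: valid", ok, "other user", otherUser, "tampered", tampered)
}
```

With the signature scheme the program still binds the license to the user name, as the registry entry above does, but the only thing an analyst can extract from the binary is a public key, which cannot sign anything.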
Mr. Kanxue, if you happen to pass by and see this write-up, I would like to ask a question:
Following your method, is the button address I located correct?
The address is: 004CF00C
What is the likely reason the breakpoint does not trigger?
Thank you!