【Title】 Teleport Pro: a simple analysis of the registration algorithm
【Author】 daxia2002
【Author e-mail】 daxia2002@126.com
【Tools used】 PEiD, OllyDbg, IDA
【Platform】 Win2000/XP
【Software】 Teleport Pro
【Download】 http://www.tenmax.com
【Description】 Teleport Pro is a fully automated, multithreaded, link-following, file-retrieving webspider. It will retrieve all the files you want, and only the files you want, from any part of the Internet.
【Features】
1. Completely download a website, enabling you to browse the site offline at much greater speeds than if you were to browse the site online
2. Create an exact duplicate, or "mirror", of a website, complete with subdirectory structure and all required files
3. Search a website for files of a certain type (and size)
4. Automatically download a list of files from the Internet
5. Explore every website linked from a central website
6. Search a website for keywords
7. Make a list of all pages and files on a website
【Size】 667KB
【Protection】 None.
【Goal】 Study the software's registration algorithm
【Statement】 I am just a beginner; having picked up a little insight, I would like to share it with everyone :)
【Analysis】
Checking with PEiD shows that the main program pro.exe is not packed and was written in Visual C++.
Load it in OllyDbg and run it. Click Help -> Register, and the registration dialog appears. Enter the user name daxia2002 and the registration code 123456789, click OK, and a friendly message pops up: "We're sorry...".
Good. Set a breakpoint with bp MessageBoxA and click the OK button again; it breaks. Note: open the call stack window right at this point. It shows the following:
Call stack
Address  Stack     Procedure / arguments                          Called from        Frame
0012F3F8 004511B3 USER32.MessageBoxA pro.004511AD 0012F52C
0012F3FC 0044027C hOwner = 0044027C ('Register Teleport Pro!',class='#3
0012F400 0048C468 Text = "We're sorry! The registration number you ent
0012F404 009D23F8 Title = "Teleport Pro"
0012F408 00000030 Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0012F530 00451204 Maybe pro.004510FB pro.004511FE 0012F52C
0012F534 0048C468 Arg1 = 0048C468 ASCII "We're sorry! The registration
0012F538 00000000 Arg2 = 00000000
0012F53C 00000000 Arg3 = 00000000
0012F544 0042BD48 pro.004511E2 pro.0042BD43 0012F540
0012F548 0048C468 Arg1 = 0048C468 ASCII "We're sorry! The registration
0012F54C 00000000 Arg2 = 00000000
0012F550 00000000 Arg3 = 00000000
Remember that the stack is last-in, first-out: the oldest call is at the bottom of the window and the current one at the top. So the chain is pro.0042BD43 -> pro.004511E2 (the routine whose call at pro.004511FE ends up in USER32.MessageBoxA). Double-click pro.0042BD43 and we land in the "core":
0042BCB2 . 51 push ecx
0042BCB3 . 53 push ebx
0042BCB4 . 55 push ebp
0042BCB5 . 56 push esi
0042BCB6 . 57 push edi
0042BCB7 . 8BF9 mov edi,ecx
0042BCB9 . 6A 01 push 1
0042BCBB . E8 9CCD0100 call pro.00448A5C
0042BCC0 . 8B87 D9000000 mov eax,dword ptr ds:[edi+D9]
0042BCC6 . 33DB xor ebx,ebx
0042BCC8 . 6A 0A push 0A
0042BCCA . 53 push ebx
0042BCCB . 50 push eax //push the registration code string
0042BCCC . E8 94670000 call pro.00432465 //key call 1
0042BCD1 . 8BF0 mov esi,eax //save the return value in esi
0042BCD3 . A1 A4134900 mov eax,dword ptr ds:[4913A4]
0042BCD8 . 83C4 0C add esp,0C
0042BCDB . 897424 10 mov dword ptr ss:[esp+10],esi
0042BCDF . 3898 CD040000 cmp byte ptr ds:[eax+4CD],bl
0042BCE5 . 0F84 33010000 je pro.0042BE1E
0042BCEB . 3BF3 cmp esi,ebx
0042BCED . BD 64714800 mov ebp,pro.00487164 ; ASCII "User"
0042BCF2 . 74 59 je short pro.0042BD4D
0042BCF4 . FFB7 D5000000 push dword ptr ds:[edi+D5] //push the user name string
0042BCFA . E8 BA090000 call pro.0042C6B9 //key call 2
0042BCFF . 3BF0 cmp esi,eax //the key compare: are the return values of call 1 and call 2 equal?
//a classic scheme: compare F1(code) with F2(name)
0042BD01 . 59 pop ecx
0042BD02 . 75 0F jnz short pro.0042BD13
0042BD04 . 53 push ebx ; /Arg3
0042BD05 . 53 push ebx ; |Arg2
0042BD06 . FF35 447B4800 push dword ptr ds:[487B44] ; |Arg1 = 0048CF40 ASCII "Thank you! Your copy of Teleport Pro is now registered. All limits have been removed."
0042BD0C . E8 D1540200 call pro.004511E2 ; \pro.004511E2
0042BD11 . EB 75 jmp short pro.0042BD88
0042BD13 > 8BBF D5000000 mov edi,dword ptr ds:[edi+D5]
0042BD19 . 395F F8 cmp dword ptr ds:[edi-8],ebx
0042BD1C . 75 0A jnz short pro.0042BD28
0042BD1E . 53 push ebx
0042BD1F . 53 push ebx
0042BD20 . FF35 BC7B4800 push dword ptr ds:[487BBC] ; pro.0048C5D8
0042BD26 . EB 1B jmp short pro.0042BD43
0042BD28 > 57 push edi
0042BD29 . E8 8B090000 call pro.0042C6B9
0042BD2E . 59 pop ecx
0042BD2F . 85C0 test eax,eax
0042BD31 . 53 push ebx
0042BD32 . 53 push ebx
0042BD33 . 75 08 jnz short pro.0042BD3D
0042BD35 . FF35 C07B4800 push dword ptr ds:[487BC0] ; pro.0048C580
0042BD3B . EB 06 jmp short pro.0042BD43
0042BD3D > FF35 C47B4800 push dword ptr ds:[487BC4] ; |Arg1 = 0048C468 ASCII "We're sorry! The registration number you entered appears to be invalid. Please check both your name and the registration code and try entering them again. (Your name must be spelled exactly as you spelled it when you "...
0042BD43 > E8 9A540200 call pro.004511E2 ; \pro.004511E2 //this is where the call stack brought us
0042BD48 . E9 D8000000 jmp pro.0042BE25
0042BD4D > 8B87 D9000000 mov eax,dword ptr ds:[edi+D9]
0042BD53 . BE 34724800 mov esi,pro.00487234 ; ASCII "For Evaluation Only"
0042BD58 . 56 push esi
0042BD59 . 50 push eax ; /Arg1
0042BD5A . E8 ED670000 call pro.0043254C ; \pro.0043254C
0042BD5F . 59 pop ecx
0042BD60 . 85C0 test eax,eax
0042BD62 . 59 pop ecx
0042BD63 . 0F85 B5000000 jnz pro.0042BE1E
0042BD69 . 53 push ebx ; /Arg3
0042BD6A . 53 push ebx ; |Arg2
0042BD6B . FF35 C87B4800 push dword ptr ds:[487BC8] ; |Arg1 = 0048C3CC ASCII "Thank you! This copy of Teleport Pro has been unlocked for your unrestricted evaluation, until November 30, 1997. We hope you enjoy using the program!"
0042BD71 . E8 6C540200 call pro.004511E2 ; \pro.004511E2
0042BD76 . 8B0D A4134900 mov ecx,dword ptr ds:[4913A4] ; pro.00491B10
0042BD7C . 56 push esi ; /Arg3
0042BD7D . 68 48724800 push pro.00487248 ; |Arg2 = 00487248 ASCII "Tempcode"
0042BD82 . 55 push ebp ; |Arg1
0042BD83 . E8 08560200 call pro.00451390 ; \pro.00451390
0042BD88 > A1 A4134900 mov eax,dword ptr ds:[4913A4]
0042BD8D . 8898 CD040000 mov byte ptr ds:[eax+4CD],bl
0042BD93 . A1 A4134900 mov eax,dword ptr ds:[4913A4]
0042BD98 . 8898 CF040000 mov byte ptr ds:[eax+4CF],bl
0042BD9E . A1 A0134900 mov eax,dword ptr ds:[4913A0]
0042BDA3 . 3BC3 cmp eax,ebx
0042BDA5 . 74 06 je short pro.0042BDAD
0042BDA7 . 8898 E40F0000 mov byte ptr ds:[eax+FE4],bl
0042BDAD > FFB7 D5000000 push dword ptr ds:[edi+D5]
0042BDB3 . 8DB7 D5000000 lea esi,dword ptr ds:[edi+D5]
0042BDB9 . 68 5C714800 push pro.0048715C ; ASCII "Name"
0042BDBE . 68 B0724800 push pro.004872B0 ; ASCII "SOFTWARE\Tennyson Maxwell\Teleport Pro"
0042BDC3 . 68 02000080 push 80000002
0042BDC8 . E8 180F0000 call pro.0042CCE5
0042BDCD . FF7424 20 push dword ptr ss:[esp+20] ; |Arg4
0042BDD1 . BB A0724800 mov ebx,pro.004872A0 ; |ASCII "Registration"
0042BDD6 . 53 push ebx ; |Arg3 => 004872A0 ASCII "Registration"
0042BDD7 . 68 B0724800 push pro.004872B0 ; |Arg2 = 004872B0 ASCII "SOFTWARE\Tennyson Maxwell\Teleport Pro"
0042BDDC . 68 02000080 push 80000002 ; |Arg1 = 80000002
0042BDE1 . E8 630F0000 call pro.0042CD49 ; \pro.0042CD49
0042BDE6 . 8B0D A4134900 mov ecx,dword ptr ds:[4913A4] ; pro.00491B10
0042BDEC . 83C4 20 add esp,20
0042BDEF . FF36 push dword ptr ds:[esi] ; /Arg3
0042BDF1 . 68 5C714800 push pro.0048715C ; |Arg2 = 0048715C ASCII "Name"
0042BDF6 . 55 push ebp ; |Arg1
0042BDF7 . E8 94550200 call pro.00451390 ; \pro.00451390
0042BDFC . FF7424 10 push dword ptr ss:[esp+10] ; /Arg3
0042BE00 . 8B0D A4134900 mov ecx,dword ptr ds:[4913A4] ; |pro.00491B10
0042BE06 . 53 push ebx ; |Arg2
0042BE07 . 55 push ebp ; |Arg1
0042BE08 . E8 0E550200 call pro.0045131B ; \pro.0045131B
0042BE0D . A1 A4134900 mov eax,dword ptr ds:[4913A4]
0042BE12 . 56 push esi
0042BE13 . 8D88 09050000 lea ecx,dword ptr ds:[eax+509]
0042BE19 . E8 F8D90100 call pro.00449816
0042BE1E > 8BCF mov ecx,edi
0042BE20 . E8 69A40100 call pro.0044628E
0042BE25 > 5F pop edi
0042BE26 . 5E pop esi
0042BE27 . 5D pop ebp
0042BE28 . 5B pop ebx
0042BE29 . 59 pop ecx
0042BE2A . C3 retn
Step into call pro.00432465, which is:
00432465 /$ 6A 01 push 1
00432467 |. FF7424 10 push dword ptr ss:[esp+10]
0043246B |. FF7424 10 push dword ptr ss:[esp+10]
0043246F |. FF7424 10 push dword ptr ss:[esp+10]
00432473 |. E8 E8FDFFFF call pro.00432260
00432478 |. 83C4 10 add esp,10
0043247B \. C3 retn
Step into call pro.00432260, which is:
00432260 /$ 55 push ebp
00432261 |. 8BEC mov ebp,esp
00432263 |. 83EC 0C sub esp,0C
00432266 |. 53 push ebx
00432267 |. 8365 F8 00 and dword ptr ss:[ebp-8],0
0043226B |. 56 push esi
0043226C |. 57 push edi
0043226D |. 8B7D 08 mov edi,dword ptr ss:[ebp+8]
00432270 |. 8A1F mov bl,byte ptr ds:[edi]
00432272 |. 8D77 01 lea esi,dword ptr ds:[edi+1]
00432275 |. 8975 FC mov dword ptr ss:[ebp-4],esi
00432278 |> 833D ACE64800 01 /cmp dword ptr ds:[48E6AC],1
0043227F |. 7E 0F |jle short pro.00432290
00432281 |. 0FB6C3 |movzx eax,bl
00432284 |. 6A 08 |push 8
00432286 |. 50 |push eax
00432287 |. E8 FA4C0000 |call pro.00436F86
0043228C |. 59 |pop ecx
0043228D |. 59 |pop ecx
0043228E |. EB 0F |jmp short pro.0043229F
00432290 |> 8B0D A0E44800 |mov ecx,dword ptr ds:[48E4A0] ; pro.0048E4AA
00432296 |. 0FB6C3 |movzx eax,bl
00432299 |. 8A0441 |mov al,byte ptr ds:[ecx+eax*2]
0043229C |. 83E0 08 |and eax,8
0043229F |> 85C0 |test eax,eax
004322A1 |. 74 05 |je short pro.004322A8
004322A3 |. 8A1E |mov bl,byte ptr ds:[esi]
004322A5 |. 46 |inc esi
004322A6 |.^ EB D0 \jmp short pro.00432278
004322A8 |> 80FB 2D cmp bl,2D
004322AB |. 8975 FC mov dword ptr ss:[ebp-4],esi
004322AE |. 75 06 jnz short pro.004322B6
004322B0 |. 834D 14 02 or dword ptr ss:[ebp+14],2
004322B4 |. EB 05 jmp short pro.004322BB
004322B6 |> 80FB 2B cmp bl,2B
004322B9 |. 75 06 jnz short pro.004322C1
004322BB |> 8A1E mov bl,byte ptr ds:[esi]
004322BD |. 46 inc esi
004322BE |. 8975 FC mov dword ptr ss:[ebp-4],esi
004322C1 |> 8B45 10 mov eax,dword ptr ss:[ebp+10]
004322C4 |. 85C0 test eax,eax
004322C6 |. 0F8C 89010000 jl pro.00432455
004322CC |. 83F8 01 cmp eax,1
004322CF |. 0F84 80010000 je pro.00432455
004322D5 |. 83F8 24 cmp eax,24
004322D8 |. 0F8F 77010000 jg pro.00432455
004322DE |. 6A 10 push 10
004322E0 |. 85C0 test eax,eax
004322E2 |. 59 pop ecx
004322E3 |. 75 24 jnz short pro.00432309
004322E5 |. 80FB 30 cmp bl,30
004322E8 |. 74 09 je short pro.004322F3
004322EA |. C745 10 0A000000 mov dword ptr ss:[ebp+10],0A
004322F1 |. EB 32 jmp short pro.00432325
004322F3 |> 8A06 mov al,byte ptr ds:[esi]
004322F5 |. 3C 78 cmp al,78
004322F7 |. 74 0D je short pro.00432306
004322F9 |. 3C 58 cmp al,58
004322FB |. 74 09 je short pro.00432306
004322FD |. C745 10 08000000 mov dword ptr ss:[ebp+10],8
00432304 |. EB 1F jmp short pro.00432325
00432306 |> 894D 10 mov dword ptr ss:[ebp+10],ecx
00432309 |> 394D 10 cmp dword ptr ss:[ebp+10],ecx
0043230C |. 75 17 jnz short pro.00432325
0043230E |. 80FB 30 cmp bl,30
00432311 |. 75 12 jnz short pro.00432325
00432313 |. 8A06 mov al,byte ptr ds:[esi]
00432315 |. 3C 78 cmp al,78
00432317 |. 74 04 je short pro.0043231D
00432319 |. 3C 58 cmp al,58
0043231B |. 75 08 jnz short pro.00432325
0043231D |> 8A5E 01 mov bl,byte ptr ds:[esi+1]
00432320 |. 46 inc esi
00432321 |. 46 inc esi
00432322 |. 8975 FC mov dword ptr ss:[ebp-4],esi
00432325 |> 83C8 FF or eax,FFFFFFFF
00432328 |. 33D2 xor edx,edx
0043232A |. F775 10 div dword ptr ss:[ebp+10]
0043232D |. BF 03010000 mov edi,103
00432332 |. 8945 F4 mov dword ptr ss:[ebp-C],eax
00432335 |> 833D ACE64800 01 /cmp dword ptr ds:[48E6AC],1
0043233C |. 0FB6F3 |movzx esi,bl
0043233F |. 7E 0C |jle short pro.0043234D
00432341 |. 6A 04 |push 4
00432343 |. 56 |push esi
00432344 |. E8 3D4C0000 |call pro.00436F86
00432349 |. 59 |pop ecx
0043234A |. 59 |pop ecx
0043234B |. EB 0B |jmp short pro.00432358
0043234D |> A1 A0E44800 |mov eax,dword ptr ds:[48E4A0]
00432352 |. 8A0470 |mov al,byte ptr ds:[eax+esi*2]
00432355 |. 83E0 04 |and eax,4
00432358 |> 85C0 |test eax,eax
0043235A |. 74 08 |je short pro.00432364
0043235C |. 0FBECB |movsx ecx,bl
0043235F |. 83E9 30 |sub ecx,30
00432362 |. EB 32 |jmp short pro.00432396
00432364 |> 833D ACE64800 01 |cmp dword ptr ds:[48E6AC],1
0043236B |. 7E 0B |jle short pro.00432378
0043236D |. 57 |push edi
0043236E |. 56 |push esi
0043236F |. E8 124C0000 |call pro.00436F86
00432374 |. 59 |pop ecx
00432375 |. 59 |pop ecx
00432376 |. EB 0B |jmp short pro.00432383
00432378 |> A1 A0E44800 |mov eax,dword ptr ds:[48E4A0]
0043237D |. 66:8B0470 |mov ax,word ptr ds:[eax+esi*2]
00432381 |. 23C7 |and eax,edi
00432383 |> 85C0 |test eax,eax
00432385 |. 74 4A |je short pro.004323D1
00432387 |. 0FBEC3 |movsx eax,bl
0043238A |. 50 |push eax
0043238B |. E8 EE0F0000 |call pro.0043337E
00432390 |. 59 |pop ecx
00432391 |. 8BC8 |mov ecx,eax
00432393 |. 83E9 37 |sub ecx,37
00432396 |> 3B4D 10 |cmp ecx,dword ptr ss:[ebp+10]
00432399 |. 73 36 |jnb short pro.004323D1
0043239B |. 8B75 F8 |mov esi,dword ptr ss:[ebp-8]
0043239E |. 834D 14 08 |or dword ptr ss:[ebp+14],8
004323A2 |. 3B75 F4 |cmp esi,dword ptr ss:[ebp-C]
004323A5 |. 72 14 |jb short pro.004323BB
004323A7 |. 75 0C |jnz short pro.004323B5
004323A9 |. 83C8 FF |or eax,FFFFFFFF
004323AC |. 33D2 |xor edx,edx
004323AE |. F775 10 |div dword ptr ss:[ebp+10]
004323B1 |. 3BCA |cmp ecx,edx
004323B3 |. 76 06 |jbe short pro.004323BB
004323B5 |> 834D 14 04 |or dword ptr ss:[ebp+14],4
004323B9 |. EB 09 |jmp short pro.004323C4
004323BB |> 0FAF75 10 |imul esi,dword ptr ss:[ebp+10]
004323BF |. 03F1 |add esi,ecx
004323C1 |. 8975 F8 |mov dword ptr ss:[ebp-8],esi
004323C4 |> 8B45 FC |mov eax,dword ptr ss:[ebp-4]
004323C7 |. FF45 FC |inc dword ptr ss:[ebp-4]
004323CA |. 8A18 |mov bl,byte ptr ds:[eax]
004323CC |.^ E9 64FFFFFF \jmp pro.00432335
004323D1 |> 8B45 14 mov eax,dword ptr ss:[ebp+14]
004323D4 |. FF4D FC dec dword ptr ss:[ebp-4]
004323D7 |. 8B5D 0C mov ebx,dword ptr ss:[ebp+C]
004323DA |. A8 08 test al,8
004323DC |. 75 10 jnz short pro.004323EE
004323DE |. 85DB test ebx,ebx
004323E0 |. 74 06 je short pro.004323E8
004323E2 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
004323E5 |. 8945 FC mov dword ptr ss:[ebp-4],eax
004323E8 |> 8365 F8 00 and dword ptr ss:[ebp-8],0
004323EC |. EB 4B jmp short pro.00432439
004323EE |> A8 04 test al,4
004323F0 |. BE FFFFFF7F mov esi,7FFFFFFF
004323F5 |. 75 1B jnz short pro.00432412
004323F7 |. A8 01 test al,1
004323F9 |. 75 3E jnz short pro.00432439
004323FB |. 83E0 02 and eax,2
004323FE |. 74 09 je short pro.00432409
00432400 |. 817D F8 00000080 cmp dword ptr ss:[ebp-8],80000000
00432407 |. 77 09 ja short pro.00432412
00432409 |> 85C0 test eax,eax
0043240B |. 75 2C jnz short pro.00432439
0043240D |. 3975 F8 cmp dword ptr ss:[ebp-8],esi
00432410 |. 76 27 jbe short pro.00432439
00432412 |> E8 BD330000 call pro.004357D4
00432417 |. F645 14 01 test byte ptr ss:[ebp+14],1
0043241B |. C700 22000000 mov dword ptr ds:[eax],22
00432421 |. 74 06 je short pro.00432429
00432423 |. 834D F8 FF or dword ptr ss:[ebp-8],FFFFFFFF
00432427 |. EB 10 jmp short pro.00432439
00432429 |> 8B45 14 mov eax,dword ptr ss:[ebp+14]
0043242C |. 24 02 and al,2
0043242E |. F6D8 neg al
00432430 |. 1BC0 sbb eax,eax
00432432 |. F7D8 neg eax
00432434 |. 03C6 add eax,esi
00432436 |. 8945 F8 mov dword ptr ss:[ebp-8],eax
00432439 |> 85DB test ebx,ebx
0043243B |. 74 05 je short pro.00432442
0043243D |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00432440 |. 8903 mov dword ptr ds:[ebx],eax
00432442 |> F645 14 02 test byte ptr ss:[ebp+14],2
00432446 |. 74 08 je short pro.00432450
00432448 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0043244B |. F7D8 neg eax
0043244D |. 8945 F8 mov dword ptr ss:[ebp-8],eax
00432450 |> 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00432453 |. EB 0B jmp short pro.00432460
00432455 |> 8B45 0C mov eax,dword ptr ss:[ebp+C]
00432458 |. 85C0 test eax,eax
0043245A |. 74 02 je short pro.0043245E
0043245C |. 8938 mov dword ptr ds:[eax],edi
0043245E |> 33C0 xor eax,eax
00432460 |> 5F pop edi
00432461 |. 5E pop esi
00432462 |. 5B pop ebx
00432463 |. C9 leave
00432464 \. C3 retn
That is quite involved. After tracing through it, all that comes back in eax is a hex number. Let IDA take a smarter look:
.text:0042BCB2 ; 〓〓〓〓〓〓〓〓 S U B R O U T I N E 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
.text:0042BCB2
.text:0042BCB2
.text:0042BCB2 sub_42BCB2 proc near ; DATA XREF: .rdata:004717ACo
.text:0042BCB2
.text:0042BCB2 var_4= dword ptr -4
.text:0042BCB2
.text:0042BCB2 51 push ecx
.text:0042BCB3 53 push ebx
.text:0042BCB4 55 push ebp
.text:0042BCB5 56 push esi
.text:0042BCB6 57 push edi
.text:0042BCB7 8B F9 mov edi, ecx
.text:0042BCB9 6A 01 push 1
.text:0042BCBB E8 9C CD 01 00 call sub_448A5C
.text:0042BCC0 8B 87 D9 00 00 00 mov eax, [edi+0D9h]
.text:0042BCC6 33 DB xor ebx, ebx
.text:0042BCC8 6A 0A push 0Ah ; int //base 10
.text:0042BCCA 53 push ebx ; char **
.text:0042BCCB 50 push eax ; char *
.text:0042BCCC E8 94 67 00 00 call _strtoul //so key call 1 is the CRT function _strtoul: it converts the typed registration code to an unsigned long
.text:0042BCD1 8B F0 mov esi, eax
.text:0042BCD3 A1 A4 13 49 00 mov eax, dword_4913A4
.text:0042BCD8 83 C4 0C add esp, 0Ch
.text:0042BCDB 89 74 24 10 mov [esp+14h+var_4], esi
.text:0042BCDF 38 98 CD 04 00 00 cmp [eax+4CDh], bl
.text:0042BCE5 0F 84 33 01 00 00 jz loc_42BE1E
.text:0042BCEB 3B F3 cmp esi, ebx
.text:0042BCED BD 64 71 48 00 mov ebp, offset aUser ; "User"
.text:0042BCF2 74 59 jz short loc_42BD4D
.text:0042BCF4 FF B7 D5 00 00 00 push dword ptr [edi+0D5h]
.text:0042BCFA E8 BA 09 00 00 call sub_42C6B9
.text:0042BCFF 3B F0 cmp esi, eax
.text:0042BD01 59 pop ecx
.text:0042BD02 75 0F jnz short loc_42BD13
.text:0042BD04 53 push ebx
.text:0042BD05 53 push ebx
.text:0042BD06 FF 35 44 7B 48 00 push dword_487B44
.text:0042BD0C E8 D1 54 02 00 call sub_4511E2
.text:0042BD11 EB 75 jmp short loc_42BD88
.text:0042BD13 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:0042BD13
.text:0042BD13 loc_42BD13: ; CODE XREF: sub_42BCB2+50j
.text:0042BD13 8B BF D5 00 00 00 mov edi, [edi+0D5h]
.text:0042BD19 39 5F F8 cmp [edi-8], ebx
.text:0042BD1C 75 0A jnz short loc_42BD28
.text:0042BD1E 53 push ebx
.text:0042BD1F 53 push ebx
.text:0042BD20 FF 35 BC 7B 48 00 push dword_487BBC
.text:0042BD26 EB 1B jmp short loc_42BD43
.text:0042BD28 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:0042BD28
.text:0042BD28 loc_42BD28: ; CODE XREF: sub_42BCB2+6Aj
.text:0042BD28 57 push edi
.text:0042BD29 E8 8B 09 00 00 call sub_42C6B9
.text:0042BD2E 59 pop ecx
.text:0042BD2F 85 C0 test eax, eax
.text:0042BD31 53 push ebx
.text:0042BD32 53 push ebx
.text:0042BD33 75 08 jnz short loc_42BD3D
.text:0042BD35 FF 35 C0 7B 48 00 push dword_487BC0
.text:0042BD3B EB 06 jmp short loc_42BD43
.text:0042BD3D ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:0042BD3D
.text:0042BD3D loc_42BD3D: ; CODE XREF: sub_42BCB2+81j
.text:0042BD3D FF 35 C4 7B 48 00 push dword_487BC4
.text:0042BD43
.text:0042BD43 loc_42BD43: ; CODE XREF: sub_42BCB2+74j
.text:0042BD43 ; sub_42BCB2+89j
.text:0042BD43 E8 9A 54 02 00 call sub_4511E2
.text:0042BD48 E9 D8 00 00 00 jmp loc_42BE25
.text:0042BD4D ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:0042BD4D
.text:0042BD4D loc_42BD4D: ; CODE XREF: sub_42BCB2+40j
.text:0042BD4D 8B 87 D9 00 00 00 mov eax, [edi+0D9h]
.text:0042BD53 BE 34 72 48 00 mov esi, offset aForEvaluationO ; "For Evaluation Only"
.text:0042BD58 56 push esi
.text:0042BD59 50 push eax
.text:0042BD5A E8 ED 67 00 00 call __mbscmp
.text:0042BD5F 59 pop ecx
.text:0042BD60 85 C0 test eax, eax
.text:0042BD62 59 pop ecx
.text:0042BD63 0F 85 B5 00 00 00 jnz loc_42BE1E
.text:0042BD69 53 push ebx
.text:0042BD6A 53 push ebx
.text:0042BD6B FF 35 C8 7B 48 00 push dword_487BC8
.text:0042BD71 E8 6C 54 02 00 call sub_4511E2
.text:0042BD76 8B 0D A4 13 49 00 mov ecx, dword_4913A4
.text:0042BD7C 56 push esi
.text:0042BD7D 68 48 72 48 00 push offset aTempcode ; "Tempcode"
.text:0042BD82 55 push ebp
.text:0042BD83 E8 08 56 02 00 call sub_451390
.text:0042BD88
.text:0042BD88 loc_42BD88: ; CODE XREF: sub_42BCB2+5Fj
.text:0042BD88 A1 A4 13 49 00 mov eax, dword_4913A4
.text:0042BD8D 88 98 CD 04 00 00 mov [eax+4CDh], bl
.text:0042BD93 A1 A4 13 49 00 mov eax, dword_4913A4
.text:0042BD98 88 98 CF 04 00 00 mov [eax+4CFh], bl
.text:0042BD9E A1 A0 13 49 00 mov eax, dword_4913A0
.text:0042BDA3 3B C3 cmp eax, ebx
.text:0042BDA5 74 06 jz short loc_42BDAD
.text:0042BDA7 88 98 E4 0F 00 00 mov [eax+0FE4h], bl
.text:0042BDAD
.text:0042BDAD loc_42BDAD: ; CODE XREF: sub_42BCB2+F3j
.text:0042BDAD FF B7 D5 00 00 00 push dword ptr [edi+0D5h]
.text:0042BDB3 8D B7 D5 00 00 00 lea esi, [edi+0D5h]
.text:0042BDB9 68 5C 71 48 00 push offset aName_1 ; "Name"
.text:0042BDBE 68 B0 72 48 00 push offset aSoftwareTennys ; "SOFTWARE\\Tennyson Maxwell\\Teleport Pro"
.text:0042BDC3 68 02 00 00 80 push 80000002h
.text:0042BDC8 E8 18 0F 00 00 call sub_42CCE5
.text:0042BDCD FF 74 24 20 push [esp+24h+var_4]
.text:0042BDD1 BB A0 72 48 00 mov ebx, offset aRegistration ; "Registration"
.text:0042BDD6 53 push ebx
.text:0042BDD7 68 B0 72 48 00 push offset aSoftwareTennys ; "SOFTWARE\\Tennyson Maxwell\\Teleport Pro"
.text:0042BDDC 68 02 00 00 80 push 80000002h
.text:0042BDE1 E8 63 0F 00 00 call sub_42CD49
.text:0042BDE6 8B 0D A4 13 49 00 mov ecx, dword_4913A4
.text:0042BDEC 83 C4 20 add esp, 20h
.text:0042BDEF FF 36 push dword ptr [esi]
.text:0042BDF1 68 5C 71 48 00 push offset aName_1 ; "Name"
.text:0042BDF6 55 push ebp
.text:0042BDF7 E8 94 55 02 00 call sub_451390
.text:0042BDFC FF 74 24 10 push [esp+14h+var_4]
.text:0042BE00 8B 0D A4 13 49 00 mov ecx, dword_4913A4
.text:0042BE06 53 push ebx
.text:0042BE07 55 push ebp
.text:0042BE08 E8 0E 55 02 00 call sub_45131B
.text:0042BE0D A1 A4 13 49 00 mov eax, dword_4913A4
.text:0042BE12 56 push esi
.text:0042BE13 8D 88 09 05 00 00 lea ecx, [eax+509h]
.text:0042BE19 E8 F8 D9 01 00 call sub_449816
.text:0042BE1E
.text:0042BE1E loc_42BE1E: ; CODE XREF: sub_42BCB2+33j
.text:0042BE1E ; sub_42BCB2+B1j
.text:0042BE1E 8B CF mov ecx, edi
.text:0042BE20 E8 69 A4 01 00 call ?OnOK@CDialog@@MAEXXZ ; CDialog::OnOK(void)
.text:0042BE25
.text:0042BE25 loc_42BE25: ; CODE XREF: sub_42BCB2+96j
.text:0042BE25 5F pop edi
.text:0042BE26 5E pop esi
.text:0042BE27 5D pop ebp
.text:0042BE28 5B pop ebx
.text:0042BE29 59 pop ecx
.text:0042BE2A C3 retn
.text:0042BE2A sub_42BCB2 endp
Now step into call sub_42C6B9:
; 〓〓〓〓〓〓〓〓 S U B R O U T I N E 〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
.text:0042C6B9
.text:0042C6B9
.text:0042C6B9 sub_42C6B9 proc near ; CODE XREF: sub_416EC7+26p
.text:0042C6B9 ; sub_418312+690p
.text:0042C6B9 ; sub_418312+69Cp
.text:0042C6B9 ; sub_42BCB2+48p
.text:0042C6B9 ; sub_42BCB2+77p
.text:0042C6B9
.text:0042C6B9 arg_0= dword ptr 8
.text:0042C6B9
.text:0042C6B9 57 push edi
.text:0042C6BA 8B 7C 24 08 mov edi, [esp+arg_0]
.text:0042C6BE 85 FF test edi, edi
.text:0042C6C0 74 09 jz short loc_42C6CB
.text:0042C6C2 57 push edi ; char * //the user name
.text:0042C6C3 E8 F8 59 00 00 call _strlen //compute the user name length; IDA resolved the call for us
.text:0042C6C8 59 pop ecx
.text:0042C6C9 EB 02 jmp short loc_42C6CD
.text:0042C6CB ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:0042C6CB
.text:0042C6CB loc_42C6CB: ; CODE XREF: sub_42C6B9+7j
.text:0042C6CB 33 C0 xor eax, eax
.text:0042C6CD
.text:0042C6CD loc_42C6CD: ; CODE XREF: sub_42C6B9+10j
.text:0042C6CD 83 F8 05 cmp eax, 5 //the user name must be at least 5 characters long, otherwise return 0
.text:0042C6D0 73 04 jnb short loc_42C6D6
.text:0042C6D2 33 C0 xor eax, eax
.text:0042C6D4 5F pop edi
.text:0042C6D5 C3 retn
.text:0042C6D6 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:0042C6D6 //the core algorithm follows:
.text:0042C6D6 loc_42C6D6: ; CODE XREF: sub_42C6B9+17j
.text:0042C6D6 53 push ebx
.text:0042C6D7 56 push esi
.text:0042C6D8 BE A4 E4 FE 5D mov esi, 5DFEE4A4h //load the constant 5DFEE4A4h into esi
.text:0042C6DD 33 DB xor ebx, ebx
.text:0042C6DF
.text:0042C6DF loc_42C6DF: ; CODE XREF: sub_42C6B9+46j
.text:0042C6DF 85 FF test edi, edi //loop head: NULL check on the name pointer (the length below is recomputed on every iteration)
.text:0042C6E1 74 09 jz short loc_42C6EC
.text:0042C6E3 57 push edi ; char *
.text:0042C6E4 E8 D7 59 00 00 call _strlen //compute the user name length again
.text:0042C6E9 59 pop ecx
.text:0042C6EA EB 02 jmp short loc_42C6EE
.text:0042C6EC ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:0042C6EC
.text:0042C6EC loc_42C6EC: ; CODE XREF: sub_42C6B9+28j
.text:0042C6EC 33 C0 xor eax, eax
.text:0042C6EE
.text:0042C6EE loc_42C6EE: ; CODE XREF: sub_42C6B9+31j
.text:0042C6EE 83 C0 FC add eax, 0FFFFFFFCh //eax = name length - 4
.text:0042C6F1 3B D8 cmp ebx, eax //compare the index ebx (initially 0) with eax
.text:0042C6F3 73 0C jnb short loc_42C701 //unsigned compare: once ebx >= eax, leave the loop via loc_42C701
.text:0042C6F5 33 34 3B xor esi, [ebx+edi] //edi points to the user name: esi = esi xor the dword at name[ebx]
//that dword is the 4 consecutive bytes starting at name[ebx] read little-endian, so the byte at ebx is the lowest and the byte at ebx+3 the highest
.text:0042C6F8 F6 C3 40 test bl, 40h //test bit 6 (40h) of the index, not equality with 40h
.text:0042C6FB 74 01 jz short loc_42C6FE //bit clear: skip the extra inc; bit set: ebx is incremented twice, skipping one window
.text:0042C6FD 43 inc ebx
.text:0042C6FE
.text:0042C6FE loc_42C6FE: ; CODE XREF: sub_42C6B9+42j
.text:0042C6FE 43 inc ebx //ebx += 1
.text:0042C6FF EB DE jmp short loc_42C6DF //loop
.text:0042C701 ; ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
.text:0042C701
.text:0042C701 loc_42C701: ; CODE XREF: sub_42C6B9+3Aj
.text:0042C701 8B C6 mov eax, esi //after the loop, return the accumulated value in eax
.text:0042C703 5E pop esi
.text:0042C704 5B pop ebx
.text:0042C705 5F pop edi
.text:0042C706 C3 retn
.text:0042C706 sub_42C6B9 endp
The key compare is at 0042BCFF cmp esi,eax: are the return values of call 1 and call 2 equal?
A classic scheme: F1(code) is compared with F2(name). F1 is just strtoul, so a registration code typed as a decimal number is mapped to itself, F1(code) = code, and the valid code is simply F2(name) written in decimal (it is a 32-bit compare, and strtoul stops at the first non-digit). On success the listing shows the name and the code being written under HKLM\SOFTWARE\Tennyson Maxwell\Teleport Pro as the "Name" and "Registration" values. A quick keygen written in VB:
Private Sub Command1_Click()
    Dim sn As Long
    Dim uname As String
    Dim tmp As String
    Dim I As Long
    If Len(Text1.Text) < 5 Then
        Text2.Text = "The user name must be at least 5 characters."
        Exit Sub
    End If
    uname = Text1.Text
    sn = &H5DFEE4A4                      ' the seed loaded into esi
    ' I is the 1-based position of the 4-byte window; the binary's ebx is I - 1.
    ' The loop runs while ebx < Len - 4, i.e. while I <= Len - 4.
    I = 1
    Do While I <= Len(uname) - 4
        ' the 4 bytes at positions I..I+3 read as a little-endian dword
        ' (the byte at I is the lowest); Right("0" & Hex(...), 2) keeps
        ' every byte two hex digits wide
        tmp = "&H" & Right("0" & Hex(Asc(Mid(uname, I + 3, 1))), 2) _
                   & Right("0" & Hex(Asc(Mid(uname, I + 2, 1))), 2) _
                   & Right("0" & Hex(Asc(Mid(uname, I + 1, 1))), 2) _
                   & Right("0" & Hex(Asc(Mid(uname, I, 1))), 2)
        sn = sn Xor Val(tmp)
        ' test bl,40h: when bit 6 of ebx is set the binary increments ebx twice,
        ' skipping the next window (only matters for names of 69+ characters)
        If ((I - 1) And &H40) <> 0 Then I = I + 1
        I = I + 1
    Loop
    Text2.Text = CStr(sn)
End Sub
Thanks for your patience in reading to the end.
daxia2002, 2004-7-15
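As an added example (not code from the original post or from Tenmax), here is the same algorithm in Python, written to mirror both routines traced above: strtoul10 follows the digit loop of sub_432260 including its overflow and sign handling, name_hash follows sub_42C6B9 including the test bl,40h skip that a straightforward keygen misses for names of 69 or more characters, and check reproduces the decision made after the compare at 0042BCFF. It assumes the dialog text is ANSI (names are handled as Latin-1 bytes); the result labels returned by check are this example's own names for the branches, not strings from the program.

```python
"""Keygen and verifier mirroring the Teleport Pro registration check traced
above. Added example, not code from the original post or from Tenmax.
Assumptions: names are ANSI text (encoded here as Latin-1 bytes) and the
labels returned by check() are this example's own names for the branches."""

SEED = 0x5DFEE4A4          # mov esi, 5DFEE4A4h in sub_42C6B9
ULONG_MAX = 0xFFFFFFFF


def strtoul10(s: str) -> int:
    """CRT strtoul(s, NULL, 10) as implemented by sub_432260 (key call 1):
    skip leading whitespace, accept one '+'/'-', then decimal digits up to the
    first non-digit. No digits -> 0. Overflow -> ULONG_MAX, and a leading '-'
    negates the result modulo 2**32 after that substitution (the listing
    never clears the sign flag), which is what the MSVC CRT does."""
    i, n = 0, len(s)
    while i < n and s[i] in " \t\n\v\f\r":
        i += 1
    negative = False
    if i < n and s[i] in "+-":
        negative = s[i] == "-"
        i += 1
    value, digits = 0, 0
    while i < n and "0" <= s[i] <= "9":
        value = value * 10 + (ord(s[i]) - ord("0"))
        digits += 1
        i += 1
    if digits == 0:                 # FL_READDIGIT never set -> 0
        return 0
    if value > ULONG_MAX:           # FL_OVERFLOW -> errno = ERANGE, ULONG_MAX
        value = ULONG_MAX
    if negative:                    # test byte ptr [ebp+14],2 / neg eax
        value = (-value) & ULONG_MAX
    return value


def name_hash(name: bytes) -> int:
    """sub_42C6B9 (key call 2): 0 for names shorter than 5 bytes; otherwise
    SEED XORed with every 4-byte little-endian window name[i:i+4], i < len-4.
    Quirk from 'test bl,40h': after a window whose index has bit 6 set
    (i in 64..127, 192..255, ...) the index advances by 2, so one window is
    skipped. A keygen that ignores this is wrong for names of 69+ bytes."""
    n = len(name)
    if n < 5:
        return 0
    h = SEED
    i = 0
    while i < n - 4:                                    # cmp ebx,eax / jnb
        h ^= int.from_bytes(name[i:i + 4], "little")    # xor esi,[ebx+edi]
        if i & 0x40:                                    # test bl,40h
            i += 1                                      # extra inc ebx
        i += 1                                          # inc ebx
    return h


def keygen(name: str) -> str:
    """Valid registration number: F1(code) == F2(name) with F1 = strtoul,
    so the code is F2(name) written in decimal."""
    if len(name) < 5:
        raise ValueError("name must be at least 5 characters")
    return str(name_hash(name.encode("latin-1")))


def check(name: str, code: str) -> str:
    """Decision logic of sub_42BCB2 after the two calls. Labels are this
    example's own; the program shows message boxes instead."""
    parsed = strtoul10(code)
    if parsed == 0:
        # jz short loc_42BD4D: a non-numeric code is compared (__mbscmp)
        # against the fixed string that reaches the temporary-unlock branch
        return "evaluation" if code == "For Evaluation Only" else "ignored"
    if name_hash(name.encode("latin-1")) == parsed:
        return "registered"         # "Thank you! ..." branch
    return "invalid"                # "We're sorry! ..." branch


if __name__ == "__main__":
    for user in ("daxia2002", "A" * 70):
        code = keygen(user)
        print(f"{user[:12]:<12} -> {code:>10}  {check(user, code)}")
```

For daxia2002 the hash is 0x678CC7D1, i.e. the code 1737279441. Because strtoul negates modulo 2**32 after a leading '-', the string "-" followed by 2**32 - 0x678CC7D1 in decimal parses to the same 32-bit value and passes the compare as well; the binary never sees the text of the code, only the number it converts to.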