****家庭理财非常简单算法分析
【文章作者】: tzl
【作者邮箱】: 无
【软件名称】: ***家庭理财
【软件大小】: 1224KB
【下载地址】: http://www.newhua.com/soft/52975.htm
【加壳方式】: 无
【保护方式】: 注册码
【编写语言】: Microsoft Visual C++ 7.0
【使用工具】: OD PEID
【操作平台】: XP SP2
【软件介绍】:
***家庭理财是帮助个人、家庭、小型企业理财的好帮手,能很方便地知道客户消费了多少钱、收入多少钱、现有现金多少、存款多少,能快速满足客户的各种统计需求!
非常简单的算法,适合菜鸟学习,这里与大家分享,菜鸟共同进步。
一、查壳:无壳;
二、根据字符串相关信息,我们可以在这里下断开始分析:
注册名:tigerisme
地区:***
邮箱:tigerisme@126.com
注册日期:20061121
密码:123456789
00452EBC . 55
push ebp
00452EBD . 56
push esi
00452EBE . 8BF1
mov esi,
ecx
00452EC0 . 57
push edi
00452EC1 . 8D4C24 20
lea ecx,
dword ptr [
esp+20]
00452EC5 . E8 308A0000
call <jmp.&MFC42.#540>
00452ECA . 8D4C24 14
lea ecx,
dword ptr [
esp+14]
00452ECE . C78424 240100>
mov dword ptr [
esp+124], 0
00452ED9 . E8 1C8A0000
call <jmp.&MFC42.#540>
00452EDE . 8D4C24 1C
lea ecx,
dword ptr [
esp+1C]
00452EE2 . C68424 240100>
mov byte ptr [
esp+124], 1
00452EEA . E8 0B8A0000
call <jmp.&MFC42.#540>
00452EEF . 8D4C24 10
lea ecx,
dword ptr [
esp+10]
00452EF3 . C68424 240100>
mov byte ptr [
esp+124], 2
00452EFB . E8 FA890000
call <jmp.&MFC42.#540>
00452F00 . 8D4C24 18
lea ecx,
dword ptr [
esp+18]
00452F04 . C68424 240100>
mov byte ptr [
esp+124], 3
00452F0C . E8 E9890000
call <jmp.&MFC42.#540>
00452F11 . 8D4424 20
lea eax,
dword ptr [
esp+20]
00452F15 . 8BCE
mov ecx,
esi
00452F17 . 50
push eax
00452F18 . 68 2B040000
push 42B
00452F1D . C68424 2C0100>
mov byte ptr [
esp+12C], 4
00452F25 . E8 4A8B0000
call <jmp.&MFC42.#3097>
00452F2A . 8D4C24 14
lea ecx,
dword ptr [
esp+14]
; ecx=tigerisme
00452F2E . 51
push ecx
00452F2F . 68 2D040000
push 42D
00452F34 . 8BCE
mov ecx,
esi
00452F36 . E8 398B0000
call <jmp.&MFC42.#3097>
00452F3B . 8D5424 1C
lea edx,
dword ptr [
esp+1C]
; ecx=tigerisme@126.com
00452F3F . 8BCE
mov ecx,
esi
00452F41 . 52
push edx
00452F42 . 68 2E040000
push 42E
00452F47 . E8 288B0000
call <jmp.&MFC42.#3097>
00452F4C . 8D4424 10
lea eax,
dword ptr [
esp+10]
00452F50 . 8BCE
mov ecx,
esi
00452F52 . 50
push eax
00452F53 . 68 2F040000
push 42F
00452F58 . E8 178B0000
call <jmp.&MFC42.#3097>
00452F5D . 8D4C24 18
lea ecx,
dword ptr [
esp+18]
; ecx=20061121
00452F61 . 51
push ecx
00452F62 . 68 30040000
push 430
00452F67 . 8BCE
mov ecx,
esi
00452F69 . E8 068B0000
call <jmp.&MFC42.#3097>
00452F6E . 8B5424 20
mov edx,
dword ptr [
esp+20]
00452F72 . 8B3D 84894600
mov edi,
dword ptr [<&MSVCRT._mbscmp>
; msvcrt._mbscmp
00452F78 . 68 80E24700
push 0047E280
; /s2 = ""
00452F7D . 52
push edx ; |s1
00452F7E . FFD7
call edi ; \_mbscmp
00452F80 . 83C4 08
add esp, 8
00452F83 . 85C0
test eax,
eax
00452F85 . 74 4C
je short 00452FD3
; 检测注册信息是否为空
00452F87 . 8B4424 14
mov eax,
dword ptr [
esp+14]
; “tigerisme@126.com",送eax
00452F8B . 68 80E24700
push 0047E280
00452F90 . 50
push eax
00452F91 . FFD7
call edi
00452F93 . 83C4 08
add esp, 8
00452F96 . 85C0
test eax,
eax
00452F98 . 74 39
je short 00452FD3
; 检测注册信息是否为空
00452F9A . 8B4C24 1C
mov ecx,
dword ptr [
esp+1C]
00452F9E . 68 80E24700
push 0047E280
00452FA3 . 51
push ecx
00452FA4 . FFD7
call edi
00452FA6 . 83C4 08
add esp, 8
00452FA9 . 85C0
test eax,
eax
00452FAB . 74 26
je short 00452FD3
; 检测注册信息是否为空
00452FAD . 8B5424 10
mov edx,
dword ptr [
esp+10]
00452FB1 . 68 80E24700
push 0047E280
00452FB6 . 52
push edx
00452FB7 . FFD7
call edi
00452FB9 . 83C4 08
add esp, 8
00452FBC . 85C0
test eax,
eax
00452FBE . 74 13
je short 00452FD3
; 检测注册信息是否为空
00452FC0 . 8B4424 18
mov eax,
dword ptr [
esp+18]
00452FC4 . 68 80E24700
push 0047E280
00452FC9 . 50
push eax
00452FCA . FFD7
call edi
00452FCC . 83C4 08
add esp, 8
00452FCF . 85C0
test eax,
eax
00452FD1 . 75 10
jnz short 00452FE3
; 检测注册信息是否为空,不为空正常跳转
00452FD3 > 6A 00
push 0
00452FD5 . 6A 00
push 0
00452FD7 . 68 38DF4700
push 0047DF38
; 尊敬的客户!你需要在右边的网站上注册后,正确的填写用户、邮箱、地区、注册日期和取得的密码就可以注册啦!
00452FDC . 8BCE
mov ecx,
esi
00452FDE . E8 AD890000
call <jmp.&MFC42.#4224>
00452FE3 > 8D4C24 10
lea ecx,
dword ptr [
esp+10]
00452FE7 . E8 68890000
call <jmp.&MFC42.#6282>
00452FEC . 8D4C24 10
lea ecx,
dword ptr [
esp+10]
00452FF0 . E8 59890000
call <jmp.&MFC42.#6283>
00452FF5 . 8D4C24 14
lea ecx,
dword ptr [
esp+14]
00452FF9 . E8 56890000
call <jmp.&MFC42.#6282>
00452FFE . 8D4C24 14
lea ecx,
dword ptr [
esp+14]
00453002 . E8 47890000
call <jmp.&MFC42.#6283>
00453007 . B9 10000000
mov ecx, 10
0045300C . 33C0
xor eax,
eax
0045300E . 8D7C24 55
lea edi,
dword ptr [
esp+55]
00453012 . C64424 54 00
mov byte ptr [
esp+54], 0
00453017 . F3:AB
rep stos dword ptr es:[
edi]
00453019 . 8D4C24 2C
lea ecx,
dword ptr [
esp+2C]
0045301D . 8D6E 60
lea ebp,
dword ptr [
esi+60]
00453020 . E8 D5880000
call <jmp.&MFC42.#540>
00453025 . 8D4C24 24
lea ecx,
dword ptr [
esp+24]
00453029 . C68424 240100>
mov byte ptr [
esp+124], 5
00453031 . E8 C4880000
call <jmp.&MFC42.#540>
00453036 . 8D4C24 10
lea ecx,
dword ptr [
esp+10]
0045303A . 68 30DF4700
push 0047DF30
; fuck,计算注册码时用到,用这个连接符真BT!
0045303F . 8D5424 2C
lea edx,
dword ptr [
esp+2C]
00453043 . B3 06
mov bl, 6
00453045 . 51
push ecx
00453046 . 52
push edx
00453047 . 889C24 300100>
mov byte ptr [
esp+130],
bl
0045304E . E8 8D8A0000
call <jmp.&MFC42.#924>
00453053 . 8D4C24 14
lea ecx,
dword ptr [
esp+14]
00453057 . 8D5424 34
lea edx,
dword ptr [
esp+34]
0045305B . 51
push ecx
0045305C . 50
push eax
0045305D . 52
push edx
0045305E . C68424 300100>
mov byte ptr [
esp+130], 7
00453066 . E8 37890000
call <jmp.&MFC42.#922>
0045306B . 50
push eax
0045306C . 8D4C24 30
lea ecx,
dword ptr [
esp+30]
00453070 . C68424 280100>
mov byte ptr [
esp+128], 8
00453078 . E8 F5880000
call <jmp.&MFC42.#858>
0045307D . 8D4C24 34
lea ecx,
dword ptr [
esp+34]
00453081 . C68424 240100>
mov byte ptr [
esp+124], 7
00453089 . E8 3C880000
call <jmp.&MFC42.#800>
0045308E . 8D4C24 28
lea ecx,
dword ptr [
esp+28]
00453092 . 889C24 240100>
mov byte ptr [
esp+124],
bl
00453099 . E8 2C880000
call <jmp.&MFC42.#800>
0045309E . 8B45 00
mov eax,
dword ptr [
ebp]
004530A1 . 8BCD
mov ecx,
ebp
004530A3 . FF50 0C
call dword ptr [
eax+C]
; call运算,将注册日期、fuck及注册邮箱连接起来
004530A6 . 8B4424 2C
mov eax,
dword ptr [
esp+2C]
; 连起来的字符串为"20061121fucktigerisme@126.com"
004530AA . 8B55 00
mov edx,
dword ptr [
ebp]
004530AD . 8B48 F8
mov ecx,
dword ptr [
eax-8]
004530B0 . 51
push ecx
004530B1 . 50
push eax
004530B2 . 8BCD
mov ecx,
ebp
004530B4 . FF52 04
call dword ptr [
edx+4]
004530B7 . 8B45 00
mov eax,
dword ptr [
ebp]
004530BA . 8D4C24 54
lea ecx,
dword ptr [
esp+54]
004530BE . 51
push ecx
004530BF . 8BCD
mov ecx,
ebp
004530C1 . FF50 08
call dword ptr [
eax+8]
004530C4 . B9 20000000
mov ecx, 20
004530C9 . 33C0
xor eax,
eax
004530CB . 8DBC24 990000>
lea edi,
dword ptr [
esp+99]
004530D2 . C68424 980000>
mov byte ptr [
esp+98], 0
004530DA . 8D9424 980000>
lea edx,
dword ptr [
esp+98]
004530E1 . F3:AB
rep stos dword ptr es:[
edi]
004530E3 . 52
push edx
004530E4 . 8D4424 58
lea eax,
dword ptr [
esp+58]
004530E8 . 6A 10
push 10
004530EA . 50
push eax
004530EB . E8 40FDFFFF
call 00452E30
; MD5运算,即MD5(20061121fucktigerisme@126.com),有兴趣可以进去看看
004530F0 . 8B5424 24
mov edx,
dword ptr [
esp+24]
004530F4 . 8D8C24 A40000>
lea ecx,
dword ptr [
esp+A4]
004530FB . 51
push ecx ; /MD5结果为“B3EE0D943618B2EB238E9D6F35BCF746”,放在ecx中
004530FC . 52
push edx ; |edx=试练码“123456789”
004530FD . FF15 84894600
call dword ptr [<&MSVCRT._mbscmp>]
; \_mbscmp
00453103 . 83C4 14
add esp, 14
00453106 . 85C0
test eax,
eax
00453108 . 0F85 F0020000
jnz 004533FE
; 关键跳转,爆破点
0045310E . 8D4424 20
lea eax,
dword ptr [
esp+20]
00453112 . 8D4C24 30
lea ecx,
dword ptr [
esp+30]
**********************************************************************************************
算法总结:
该软件采用的算法非常简单:注册码=MD5(注册日期+fuck+注册邮箱),取32位大写。
从防护角度看,这种方案的弱点在于校验完全在客户端完成:参与运算的只有用户自己填写的信息和一个硬编码的固定字符串,正确结果还会在比较前以明文出现在内存中;更稳妥的做法是由服务端签发授权、客户端只用公钥验签。
特别说明: 本文仅是一些破解的心得和思路,完全是个人对程序的研究,无其他目的。