[原创]PhotoShrink简单算法分析
发表于: 2007-6-21 17:31 4456
【破文标题】PhotoShrink简单算法分析
【破文作者】wuhanqi[CR][ICY][48PG]
【作者邮箱】wuhanqi@qq.com
【作者主页】http://www.edisk.org/?wuhanqi
【破解工具】peid od
【破解平台】XP2
【软件名称】PhotoShrink V2.0
【软件大小】1245 KB
【原版下载】http://www.skycn.com/soft/37035.html
【保护方式】注册码
【软件简介】PhotoShrink是一个使用方便的图形优化工具,可以根据电子邮件或者网页设计的需要对图形文件进行缩放以节省存储空间。它使用简单,支持批量缩放和鼠标操作,可以调整JPG格式文件的质量。
【破解声明】菜鸟一个,还需多多学习
------------------------------------------------------------------------
【破解过程】1.查壳 Peid显示“Borland Delphi 6.0 - 7.0” 无壳
2.用DeDe轻松找到注册按钮地址 00506A74 /. 55 push ebp
3.下断 运行软件 来到:
00506A74 /. 55 push ebp
00506A75 |. 8BEC mov ebp, esp
00506A77 |. 33C9 xor ecx, ecx
00506A79 |. 51 push ecx
00506A7A |. 51 push ecx
00506A7B |. 51 push ecx
00506A7C |. 51 push ecx
00506A7D |. 51 push ecx
00506A7E |. 51 push ecx
00506A7F |. 53 push ebx
00506A80 |. 8BD8 mov ebx, eax
00506A82 |. 33C0 xor eax, eax
00506A84 |. 55 push ebp
00506A85 |. 68 C86B5000 push 00506BC8
00506A8A |. 64:FF30 push dword ptr fs:[eax]
00506A8D |. 64:8920 mov dword ptr fs:[eax], esp
00506A90 |. 8D55 FC lea edx, dword ptr [ebp-4]
00506A93 |. 8B83 08030000 mov eax, dword ptr [ebx+308]
00506A99 |. E8 02DFF3FF call 004449A0
00506A9E |. 837D FC 00 cmp dword ptr [ebp-4], 0 ; 检验是否输入EMAIL
00506AA2 |. 0F84 E4000000 je 00506B8C
00506AA8 |. 8D55 F4 lea edx, dword ptr [ebp-C]
00506AAB |. 8B83 08030000 mov eax, dword ptr [ebx+308]
00506AB1 |. E8 EADEF3FF call 004449A0
00506AB6 |. 8B55 F4 mov edx, dword ptr [ebp-C]
00506AB9 |. 8D4D F8 lea ecx, dword ptr [ebp-8]
00506ABC |. A1 BC185100 mov eax, dword ptr [5118BC]
00506AC1 |. 8B00 mov eax, dword ptr [eax]
00506AC3 |. E8 8C050000 call 00507054 ; 关键CALL 跟进
00506AC8 |. 8B45 F8 mov eax, dword ptr [ebp-8]
00506ACB |. 50 push eax
00506ACC |. 8D55 F0 lea edx, dword ptr [ebp-10]
00506ACF |. 8B83 10030000 mov eax, dword ptr [ebx+310]
00506AD5 |. E8 C6DEF3FF call 004449A0
00506ADA |. 8B55 F0 mov edx, dword ptr [ebp-10]
00506ADD |. 58 pop eax
00506ADE |. E8 D9DEEFFF call 004049BC ; 经典比较 可作内存注册机
00506AE3 |. 0F85 A3000000 jnz 00506B8C ; 爆破点 改为NOP
00506AE9 |. 8D55 EC lea edx, dword ptr [ebp-14]
00506AEC |. 8B83 08030000 mov eax, dword ptr [ebx+308]
00506AF2 |. E8 A9DEF3FF call 004449A0
00506AF7 |. 8B55 EC mov edx, dword ptr [ebp-14]
00506AFA |. A1 BC185100 mov eax, dword ptr [5118BC]
00506AFF |. 8B00 mov eax, dword ptr [eax]
00506B01 |. 05 28030000 add eax, 328
00506B06 |. E8 EDDAEFFF call 004045F8
00506B0B |. 8D55 E8 lea edx, dword ptr [ebp-18]
00506B0E |. 8B83 10030000 mov eax, dword ptr [ebx+310]
00506B14 |. E8 87DEF3FF call 004449A0
00506B19 |. 8B55 E8 mov edx, dword ptr [ebp-18]
00506B1C |. A1 BC185100 mov eax, dword ptr [5118BC]
00506B21 |. 8B00 mov eax, dword ptr [eax]
00506B23 |. 05 2C030000 add eax, 32C
00506B28 |. E8 CBDAEFFF call 004045F8
00506B2D |. A1 BC185100 mov eax, dword ptr [5118BC]
00506B32 |. 8B00 mov eax, dword ptr [eax]
00506B34 |. C680 24030000>mov byte ptr [eax+324], 1
00506B3B |. A1 BC185100 mov eax, dword ptr [5118BC]
00506B40 |. 8B00 mov eax, dword ptr [eax]
00506B42 |. E8 05060000 call 0050714C
00506B47 |. A1 BC185100 mov eax, dword ptr [5118BC]
00506B4C |. 8B00 mov eax, dword ptr [eax]
00506B4E |. 8B80 F4020000 mov eax, dword ptr [eax+2F4]
00506B54 |. 33D2 xor edx, edx
00506B56 |. E8 65DDF3FF call 004448C0
00506B5B |. A1 BC185100 mov eax, dword ptr [5118BC]
00506B60 |. 8B00 mov eax, dword ptr [eax]
00506B62 |. 8B80 08030000 mov eax, dword ptr [eax+308]
00506B68 |. BA 08000000 mov edx, 8
00506B6D |. E8 76D5F3FF call 004440E8
00506B72 |. 8BC3 mov eax, ebx
00506B74 |. E8 BB45F4FF call 0044B134
00506B79 |. BA D86B5000 mov edx, 00506BD8 ; t
00506B7E |. E8 75B5F8FF call 004920F8
00506B83 |. 8BC3 mov eax, ebx
00506B85 |. E8 7EB3F5FF call 00461F08
00506B8A |. EB 11 jmp short 00506B9D
00506B8C |> 8BC3 mov eax, ebx
00506B8E |. E8 A145F4FF call 0044B134
00506B93 |. BA 286C5000 mov edx, 00506C28 ; n
00506B98 |. E8 CBB5F8FF call 00492168
00506B9D |> 33C0 xor eax, eax
00506B9F |. 5A pop edx
00506BA0 |. 59 pop ecx
00506BA1 |. 59 pop ecx
00506BA2 |. 64:8910 mov dword ptr fs:[eax], edx
00506BA5 |. 68 CF6B5000 push 00506BCF
00506BAA |> 8D45 E8 lea eax, dword ptr [ebp-18]
00506BAD |. BA 04000000 mov edx, 4
00506BB2 |. E8 11DAEFFF call 004045C8
00506BB7 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00506BBA |. E8 E5D9EFFF call 004045A4
00506BBF |. 8D45 FC lea eax, dword ptr [ebp-4]
00506BC2 |. E8 DDD9EFFF call 004045A4
00506BC7 \. C3 retn
00506BC8 .^ E9 3FD3EFFF jmp 00403F0C
00506BCD .^ EB DB jmp short 00506BAA
00506BCF . 5B pop ebx
00506BD0 . 8BE5 mov esp, ebp
00506BD2 . 5D pop ebp
00506BD3 . C3 retn
----------------------------------------------------------------------------------------------------
跟进 00506AC3 |. E8 8C050000 call 00507054 来到
----------------------------------------------------------------------------------------------------
00507054 /$ 55 push ebp
00507055 |. 8BEC mov ebp, esp
00507057 |. 6A 00 push 0
00507059 |. 6A 00 push 0
0050705B |. 6A 00 push 0
0050705D |. 53 push ebx
0050705E |. 56 push esi
0050705F |. 8BF1 mov esi, ecx
00507061 |. 8955 FC mov dword ptr [ebp-4], edx
00507064 |. 8B45 FC mov eax, dword ptr [ebp-4]
00507067 |. E8 F4D9EFFF call 00404A60
0050706C |. 33C0 xor eax, eax
0050706E |. 55 push ebp
0050706F |. 68 16715000 push 00507116
00507074 |. 64:FF30 push dword ptr fs:[eax]
00507077 |. 64:8920 mov dword ptr fs:[eax], esp
0050707A |. 837D FC 00 cmp dword ptr [ebp-4], 0
0050707E |. 75 09 jnz short 00507089
00507080 |. 8BC6 mov eax, esi
00507082 |. E8 1DD5EFFF call 004045A4
00507087 |. EB 72 jmp short 005070FB
00507089 |> 8D4D F8 lea ecx, dword ptr [ebp-8]
0050708C |. BA 14000000 mov edx, 14
00507091 |. B8 2C715000 mov eax, 0050712C ; 出现固定值“how dare you crack my software!”
00507096 |. E8 0DB4F8FF call 004924A8
0050709B |. BB 01000000 mov ebx, 1
005070A0 |> 8B45 FC /mov eax, dword ptr [ebp-4] ; 邮箱地址到EAX
005070A3 |. E8 D0D7EFFF |call 00404878 ; 计算邮箱地址位数
005070A8 |. 50 |push eax
005070A9 |. 8BC3 |mov eax, ebx ; EBX到EAX
005070AB |. 48 |dec eax
005070AC |. 5A |pop edx
005070AD |. 8BCA |mov ecx, edx
005070AF |. 99 |cdq
005070B0 |. F7F9 |idiv ecx
005070B2 |. 8B45 FC |mov eax, dword ptr [ebp-4]
005070B5 |. 8A0410 |mov al, byte ptr [eax+edx] ; 逐位取邮箱地址ASCII码
005070B8 |. 8B55 F8 |mov edx, dword ptr [ebp-8] ; 取固定值前20位
005070BB |. 8A541A FF |mov dl, byte ptr [edx+ebx-1] ; 逐位取固定值前20位ASCII码
005070BF |. 32C2 |xor al, dl ; 将邮箱地址ASCII码与固定值ASCII码作异或运算
005070C1 |. 25 FF000000 |and eax, 0FF
005070C6 |. 8D55 F4 |lea edx, dword ptr [ebp-C]
005070C9 |. E8 A221F0FF |call 00409270
005070CE |. 8B45 F4 |mov eax, dword ptr [ebp-C]
005070D1 |. E8 A2D7EFFF |call 00404878
005070D6 |. 8B55 F4 |mov edx, dword ptr [ebp-C] ; 将运算结果送到EAX
005070D9 |. 8A4402 FF |mov al, byte ptr [edx+eax-1] ; 取运算结果个位数
005070DD |. 50 |push eax
005070DE |. 8D45 F8 |lea eax, dword ptr [ebp-8]
005070E1 |. E8 E2D9EFFF |call 00404AC8
005070E6 |. 5A |pop edx ; 固定值出栈
005070E7 |. 885418 FF |mov byte ptr [eax+ebx-1], dl ; 将运算结果的个位数逐位替换固定值
005070EB |. 43 |inc ebx ; EBX+1
005070EC |. 83FB 15 |cmp ebx, 15 ; 比较EBX是否为15h(即固定值前20位是否已处理完)
005070EF |.^ 75 AF \jnz short 005070A0
005070F1 |. 8BC6 mov eax, esi
005070F3 |. 8B55 F8 mov edx, dword ptr [ebp-8]
005070F6 |. E8 FDD4EFFF call 004045F8
005070FB |> 33C0 xor eax, eax
005070FD |. 5A pop edx
005070FE |. 59 pop ecx
005070FF |. 59 pop ecx
00507100 |. 64:8910 mov dword ptr fs:[eax], edx
00507103 |. 68 1D715000 push 0050711D
00507108 |> 8D45 F4 lea eax, dword ptr [ebp-C]
0050710B |. BA 03000000 mov edx, 3
00507110 |. E8 B3D4EFFF call 004045C8
00507115 \. C3 retn
00507116 .^ E9 F1CDEFFF jmp 00403F0C
0050711B .^ EB EB jmp short 00507108
0050711D . 5E pop esi
0050711E . 5B pop ebx
0050711F . 8BE5 mov esp, ebp
00507121 . 5D pop ebp
00507122 . C3 retn
------------------------------------------------------------------------
【破解总结】算法很简单
就是逐位取邮箱地址ASCII码与固定值前20位逐位作异或运算，再取结果的个位数，逐位替换固定值
并且还有明码比较 很容易找到注册码
注:此软件冷血书生前辈发过一篇破文 但内容过于简略 不适合新手 本篇献给新手们
------------------------------------------------------------------------
【版权声明】原创内容 仍需学习