【破文标题】Smart Type Assistant 1.7.0.0 算法分析
【破文作者】tianxj
【作者邮箱】[email]tianxj_2007@126.com[/email]
【作者主页】WwW.ChiNaPYG.CoM
【破解工具】PEiD,OD
【破解平台】Windows XP
【软件名称】Smart Type Assistant 1.7.0.0
【软件大小】512KB
【软件类别】国外软件/鼠标键盘
【软件授权】共享版
【软件语言】英文
【运行环境】Win9x/Me/NT/2000/XP/2003
【更新时间】2009-1-12
【原版下载】华军软件园
【保护方式】注册码
【软件简介】自动辅助你在任何地方的键盘输入,让你的键盘变得“聪明”起来!不同于单纯的字串自动完成和拼写检查工具,它的最大特点是可以在全系统范围内提供服务,随时随地给你带来方便,堪称全能的“键盘助手”!
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------
【破解内容】
--------------------------------------------------------------
**************************************************************
一、运行程序,进行注册,输入错误的注册信息进行检测,有提示信息
**************************************************************
二、用PEiD对sta.exe查壳,为 "什么也没发现"
**************************************************************
三、运行sta.exe出现注册框后,打开OD附加进程,右键—超级字串参考—查找ASCII.
==============================================================
00402203 55 push ebp
00402204 8D6C24 8C lea ebp,dword ptr ss:[esp-74]
00402208 81EC D0000000 sub esp,0D0
0040220E A1 80444500 mov eax,dword ptr ds:[454480]
00402213 33C5 xor eax,ebp
00402215 8945 70 mov dword ptr ss:[ebp+70],eax
00402218 56 push esi
00402219 8B35 94154400 mov esi,dword ptr ds:[<&USER32.GetDlgItemT>; USER32.GetDlgItemTextA
0040221F 57 push edi
00402220 8B7D 7C mov edi,dword ptr ss:[ebp+7C]
00402223 6A 32 push 32
00402225 8D45 D8 lea eax,dword ptr ss:[ebp-28]
00402228 50 push eax
00402229 68 D9D60000 push 0D6D9
0040222E 57 push edi
0040222F FFD6 call esi
00402231 807D D8 00 cmp byte ptr ss:[ebp-28],0
00402235 75 18 jnz short sta.0040224F ; //用户名不为空则跳
00402237 6A 40 push 40
00402239 68 F81D4400 push sta.00441DF8 ; attention!
0040223E 68 E01D4400 push sta.00441DE0 ; please enter your name!
00402243 57 push edi
00402244 FF15 98154400 call dword ptr ds:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
0040224A E9 D4000000 jmp sta.00402323
0040224F 6A 0A push 0A
00402251 8D45 58 lea eax,dword ptr ss:[ebp+58]
00402254 50 push eax
00402255 68 DAD60000 push 0D6DA
0040225A 57 push edi
0040225B FFD6 call esi
0040225D 6A 0A push 0A
0040225F 8D45 40 lea eax,dword ptr ss:[ebp+40]
00402262 50 push eax
00402263 68 DBD60000 push 0D6DB
00402268 57 push edi
00402269 FFD6 call esi
0040226B 6A 0A push 0A
0040226D 8D45 4C lea eax,dword ptr ss:[ebp+4C]
00402270 50 push eax
00402271 68 DCD60000 push 0D6DC
00402276 57 push edi
00402277 FFD6 call esi
00402279 6A 0A push 0A
0040227B 8D45 64 lea eax,dword ptr ss:[ebp+64]
0040227E 50 push eax
0040227F 68 DDD60000 push 0D6DD
00402284 57 push edi
00402285 FFD6 call esi
00402287 8D45 58 lea eax,dword ptr ss:[ebp+58] ; //第1组试炼码
0040228A 50 push eax
0040228B 8D45 0C lea eax,dword ptr ss:[ebp+C]
0040228E 50 push eax
0040228F FF15 EC124400 call dword ptr ds:[<&KERNEL32.lstrcpyA>] ; kernel32.lstrcpyA
00402295 8B35 DC124400 mov esi,dword ptr ds:[<&KERNEL32.lstrcatA>>; kernel32.lstrcatA
0040229B 8D45 40 lea eax,dword ptr ss:[ebp+40] ; //第2组试炼码
0040229E 50 push eax
0040229F 8D45 0C lea eax,dword ptr ss:[ebp+C] ; //第1组试炼码
004022A2 50 push eax
004022A3 FFD6 call esi ; //相连
004022A5 8D45 4C lea eax,dword ptr ss:[ebp+4C] ; //第3组试炼码
004022A8 50 push eax
004022A9 8D45 0C lea eax,dword ptr ss:[ebp+C] ; //第1、2组相连字符串
004022AC 50 push eax
004022AD FFD6 call esi ; //相连
004022AF 8D45 64 lea eax,dword ptr ss:[ebp+64] ; //第4组试炼码
004022B2 50 push eax
004022B3 8D45 0C lea eax,dword ptr ss:[ebp+C] ; //第1、2、3组相连字符串
004022B6 50 push eax
004022B7 FFD6 call esi ; //相连
004022B9 8D45 A4 lea eax,dword ptr ss:[ebp-5C] ; //第1、2、3、4组相连字符串
004022BC 50 push eax
004022BD 8D45 D8 lea eax,dword ptr ss:[ebp-28] ; //用户名
004022C0 68 C81C4400 push sta.00441CC8 ; _sfy@6-lwf$7gh,>
004022C5 50 push eax
004022C6 E8 07FEFFFF call sta.004020D2 ; //算法CALL
004022CB 83C4 0C add esp,0C
004022CE 8D45 0C lea eax,dword ptr ss:[ebp+C] ; //第1、2、3、4组相连字符串
004022D1 50 push eax
004022D2 8D45 A4 lea eax,dword ptr ss:[ebp-5C] ; //真码相连字符串
004022D5 50 push eax
004022D6 FF15 E0124400 call dword ptr ds:[<&KERNEL32.lstrcmpiA>] ; //关键比较
004022DC 6A 40 push 40
004022DE 85C0 test eax,eax
004022E0 75 25 jnz short sta.00402307 ; //关键跳转
004022E2 68 D01D4400 push sta.00441DD0 ; registration
004022E7 68 881D4400 push sta.00441D88 ; registration succeeded. thank you for choosing smart type assistant!
004022EC 57 push edi
004022ED FF15 98154400 call dword ptr ds:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
004022F3 8D45 0C lea eax,dword ptr ss:[ebp+C]
004022F6 50 push eax
004022F7 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004022FA 50 push eax
004022FB E8 A0FEFFFF call sta.004021A0
00402300 59 pop ecx
00402301 33C0 xor eax,eax
00402303 59 pop ecx
00402304 40 inc eax
00402305 EB 1E jmp short sta.00402325
00402307 68 741D4400 push sta.00441D74 ; registration error
0040230C 68 201D4400 push sta.00441D20 ; registration code or user name is invalid. please check all fields and try again!
00402311 57 push edi
00402312 FF15 98154400 call dword ptr ds:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
00402318 68 2C010000 push 12C
0040231D FF15 E4124400 call dword ptr ds:[<&KERNEL32.Sleep>] ; kernel32.Sleep
00402323 33C0 xor eax,eax
00402325 8B4D 70 mov ecx,dword ptr ss:[ebp+70]
00402328 5F pop edi
00402329 33CD xor ecx,ebp
0040232B 5E pop esi
0040232C E8 DB230200 call sta.0042470C
00402331 83C5 74 add ebp,74
00402334 C9 leave
00402335 C3 retn
==============================================================
004020D2 55 push ebp
004020D3 8BEC mov ebp,esp
004020D5 83EC 0C sub esp,0C
004020D8 53 push ebx
004020D9 56 push esi
004020DA FF75 0C push dword ptr ss:[ebp+C] ; //字符串"_Sfy@6-lwF$7gh,>"
004020DD 8B35 E8124400 mov esi,dword ptr ds:[<&KERNEL32.lstrlenA>>; kernel32.lstrlenA
004020E3 FFD6 call esi ; //取字符串"_Sfy@6-lwF$7gh,>"长度
004020E5 FF75 08 push dword ptr ss:[ebp+8] ; //用户名
004020E8 8BD8 mov ebx,eax ; //字符串"_Sfy@6-lwF$7gh,>"长度
004020EA 895D F8 mov dword ptr ss:[ebp-8],ebx ; //字符串"_Sfy@6-lwF$7gh,>"长度
004020ED FFD6 call esi ; //取用户名长度
004020EF 8BF0 mov esi,eax ; //用户名长度
004020F1 8975 F4 mov dword ptr ss:[ebp-C],esi ; //用户名长度
004020F4 85F6 test esi,esi
004020F6 75 08 jnz short sta.00402100 ; //用户名长度不为空则跳
004020F8 8B45 10 mov eax,dword ptr ss:[ebp+10]
004020FB C600 00 mov byte ptr ds:[eax],0
004020FE EB 4E jmp short sta.0040214E
00402100 57 push edi
00402101 FF75 0C push dword ptr ss:[ebp+C] ; //字符串"_Sfy@6-lwF$7gh,>"
00402104 8B7D 10 mov edi,dword ptr ss:[ebp+10]
00402107 57 push edi
00402108 FF15 EC124400 call dword ptr ds:[<&KERNEL32.lstrcpyA>] ; kernel32.lstrcpyA
0040210E 3BF3 cmp esi,ebx
00402110 8975 FC mov dword ptr ss:[ebp-4],esi
00402113 7F 03 jg short sta.00402118 ; //若用户名长度大于16位保存用户名长度,否则保存字符串"_Sfy@6-lwF$7gh,>"长度在[ebp-4]
00402115 895D FC mov dword ptr ss:[ebp-4],ebx
00402118 33F6 xor esi,esi ; //esi=0
0040211A 3975 FC cmp dword ptr ss:[ebp-4],esi
0040211D 7E 2C jle short sta.0040214B ; //[ebp-4]小于等于0则跳
0040211F 8BC6 mov eax,esi ; //eax=esi=0
00402121 99 cdq
00402122 F77D F8 idiv dword ptr ss:[ebp-8] ; //eax/[ebp-8],[ebp-8]为字符串"_Sfy@6-lwF$7gh,>"的长度
00402125 8BC6 mov eax,esi
00402127 6A 19 push 19
00402129 5B pop ebx
0040212A 8D0C3A lea ecx,dword ptr ds:[edx+edi] ; //字符串"_Sfy@6-lwF$7gh,>"
0040212D 99 cdq
0040212E F77D F4 idiv dword ptr ss:[ebp-C] ; //eax/[ebp-C],[ebp-C]为用户名长度
00402131 8B45 08 mov eax,dword ptr ss:[ebp+8] ; //用户名
00402134 0FB60402 movzx eax,byte ptr ds:[edx+eax] ; //逐位取用户名ASCII码
00402138 0FB611 movzx edx,byte ptr ds:[ecx] ; //逐位取字符串"_Sfy@6-lwF$7gh,>"ASCII码
0040213B 33C2 xor eax,edx ; //eax=eax xor edx
0040213D 99 cdq
0040213E F7FB idiv ebx ; //eax/ebx,即eax/19,商送eax,余送edx
00402140 80C2 41 add dl,41 ; //dl=dl+41
00402143 46 inc esi ; //esi=esi+1
00402144 3B75 FC cmp esi,dword ptr ss:[ebp-4] ; //esi与[ebp-4]比较
00402147 8811 mov byte ptr ds:[ecx],dl ; //保存dl
00402149 ^ 7C D4 jl short sta.0040211F ; //循环
0040214B 8BC7 mov eax,edi
0040214D 5F pop edi
0040214E 5E pop esi
0040214F 5B pop ebx
00402150 C9 leave
00402151 C3 retn
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
