
FolderView 2.1


【破文标题】 FolderView 2.1算法分析

【破文作者】 C.zn

【使用工具】 PEiD, WinHex, W32Dasm, OllyDbg

【破解平台】 XP

【软件名称】 FolderView 2.1

【软件大小】 306 KB

    【下载地址】 http://www.southbaypc.com/download/FVSetup.exe

     http://www.southbaypc.com

    【破解声明】 我是一只小菜鸟，偶得一点心得，愿与大家分享！

【破解内容】

    PEiD 查壳，提示无壳，软件编程语言为 Microsoft Visual C++ 6.0。

用 W32Dasm 反汇编程序。

    找到错误提示字符串 "Sorry, you have entered an incorrect registration code." 的引用处：

    ----------------------------------------------------------- :0040C1B9 81C400020000 add esp, 00000200 :0040C1BF C21000 ret 0010

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:0040C164(C), :0040C17D(C)

    |

    :0040C1C2 6A00 push 00000000

    * Possible StringData Ref from Data Obj ->"FolderView"

     |

    :0040C1C4 6874964200 push 00429674

* Possible StringData Ref from Data Obj ->"Sorry, you have entered an incorrect "

     ->"registration code."

     |

    :0040C1C9 6890B84200 push 0042B890 :0040C1CE 56 push esi

* Reference To: USER32.MessageBoxA, Ord:01DEh

     |

    :0040C1CF FF1578624200 Call dword ptr [00426278]

    --------------------------------------------------------------------- 回到OD,设断点后,运行. 点击输入用户名,点确定断在这里.

    0040C173 . E8 D8040000 call FolderVi.0040C650 //重要call这里下断点; 0040C178 . 83C4 08 add esp,8

    0040C17B . 85C0 test eax,eax

    0040C17D 74 43 je short FolderVi.0040C1C2 //跳向错误提示; 0040C17F . 8D5424 04 lea edx,dword ptr ss:[esp+4]

    0040C183 . 8D8424 0401000>lea eax,dword ptr ss:[esp+104]

    0040C18A . 52 push edx

    0040C18B . 50 push eax

    0040C18C . 68 18964200 push FolderVi.00429618 ; ASCII "Software\FolderView\Registration"

    0040C191 . 68 01000080 push 80000001

    0040C196 . E8 15050000 call FolderVi.0040C6B0

    0040C19B . 68 18964200 push FolderVi.00429618 ; ASCII "Software\FolderView\Registration"

    0040C1A0 . 68 01000080 push 80000001

    0040C1A5 . E8 16020000 call FolderVi.0040C3C0

    0040C1AA . 83C4 18 add esp,18

    0040C1AD . 6A 01 push 1 ; /Result = 1 0040C1AF . 56 push esi ; |hWnd 0040C1B0 . FF15 34624200 call dword ptr ds:[<&USER32.EndDialog>] ; \EndDialog 0040C1B6 . 33C0 xor eax,eax

    0040C1B8 . 5E pop esi

    0040C1B9 . 81C4 00020000 add esp,200

    0040C1BF . C2 1000 retn 10

    0040C1C2 > 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL

    0040C1C4 . 68 74964200 push FolderVi.00429674 ; |Title = "FolderView"

    0040C1C9 . 68 90B84200 push FolderVi.0042B890 ; |Text = "Sorry, you have entered an incorrect registration code."

    0040C1CE . 56 push esi ; |hOwner 0040C1CF . FF15 78624200 call dword ptr ds:[<&USER32.MessageBoxA>;

    \MessageBoxA

一路跟进 0040C650 内的调用，来到下面生成注册码的子程序。

以下全部按十六进制值运算。

0040C730 /$ 81EC 00010000 sub esp,100

    0040C736 |. A0 C4DA4300 mov al,byte ptr ds:[43DAC4]

    0040C73B |. 53 push ebx

    0040C73C |. 55 push ebp

    0040C73D |. 56 push esi

    0040C73E |. 57 push edi

    0040C73F |. 884424 10 mov byte ptr ss:[esp+10],al

    0040C743 |. B9 3F000000 mov ecx,3F

    0040C748 |. 33C0 xor eax,eax

    0040C74A |. 8D7C24 11 lea edi,dword ptr ss:[esp+11]

    0040C74E |. F3:AB rep stos dword ptr es:[edi]

    0040C750 |. 66:AB stos word ptr es:[edi]

    0040C752 |. AA stos byte ptr es:[edi]

    0040C753 |. 8BBC24 1401000>mov edi,dword ptr ss:[esp+114]

    0040C75A |. 57 push edi ; /String 0040C75B |. FF15 AC614200 call dword ptr ds:[<&KERNEL32.lstrlenA>>; \lstrlenA 0040C761 |. 8BF0 mov esi,eax

    0040C763 |. 33C9 xor ecx,ecx

    0040C765 |. 33C0 xor eax,eax //eax 计算出的用户

名位数

    0040C767 |. 85F6 test esi,esi //esi 计算出的用户名位数

    0040C769 |. 76 13 jbe short FolderVi.0040C77E //密码为空时,直接跳转

    0040C76B |. 8B15 54B54200 mov edx,dword ptr ds:[42B554] //赋值edx=32 0040C771 |> 0FBE1C38 /movsx ebx,byte ptr ds:[eax+edi] //依次取每位的16进制值

    0040C775 |. 03DA |add ebx,edx //ebx=ebx+edx;每位16进制值+cc

    0040C777 |. 03CB |add ecx,ebx //ecx=ecx+ebx;循环相加,初值为ecx=0

    0040C779 |. 40 |inc eax //eax=eax+1 ;循环计数

    0040C77A |. 3BC6 |cmp eax,esi //eax-esi ;esi=位数

    0040C77C |.^ 72 F3 \jb short FolderVi.0040C771 //小于零就跳回,续计算.

    0040C77E |> 8B9C24 1801000>mov ebx,dword ptr ss:[esp+118]

    0040C785 |. 51 push ecx ; /<%u> 0040C786 |. 68 10B94200 push FolderVi.0042B910 ; |Format = "%u-"

    0040C78B |. 53 push ebx ; |s 0040C78C |. FF15 70624200 call dword ptr ds:[<&USER32.wsprintfA>] ; \wsprintfA 排列注册码 ???-

    0040C792 |. 83C4 0C add esp,0C

    0040C795 |. 33C9 xor ecx,ecx

    0040C797 |. 33C0 xor eax,eax

    0040C799 |. 85F6 test esi,esi //计算出的用户名位数 0040C79B |. 76 14 jbe short FolderVi.0040C7B1 //密码为空时,直接跳.

    0040C79D |. 8B15 58B54200 mov edx,dword ptr ds:[42B558] //赋值edx=28 0040C7A3 |> 0FBE2C38 /movsx ebp,byte ptr ds:[eax+edi] //依次取每位的16进制

    0040C7A7 |. 0FAFEA |imul ebp,edx //ebp*edx ;ebp每位的16进制值;edx28

    0040C7AA |. 03CD |add ecx,ebp //ecx+ebp ;循环相,初值为ecx=0

    0040C7AC |. 40 |inc eax //eax=eax+1 ;循环计

    0040C7AD |. 3BC6 |cmp eax,esi //eax-esi ;esi=

    0040C7AF |.^ 72 F2 \jb short FolderVi.0040C7A3 //小于零就跳回,继续计.

    0040C7B1 |> 51 push ecx ; /<%u> 0040C7B2 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14] ; | 0040C7B6 |. 68 10B94200 push FolderVi.0042B910 ; |Format = "%u-"

    0040C7BB |. 51 push ecx ; |s 0040C7BC |. FF15 70624200 call dword ptr ds:[<&USER32.wsprintfA>] ; \wsprintfA 0040C7C2 |. 83C4 0C add esp,0C

    0040C7C5 |. 8D5424 10 lea edx,dword ptr ss:[esp+10]

    0040C7C9 |. 52 push edx ; /StringToAdd 0040C7CA |. 53 push ebx ; |ConcatString

    0040C7CB |. FF15 C4614200 call dword ptr ds:[<&KERNEL32.lstrcatA>>;

    \lstrcatA //排列注册码 ***-???

    0040C7D1 |. 33C9 xor ecx,ecx

    0040C7D3 |. 33C0 xor eax,eax

    0040C7D5 |. 85F6 test esi,esi //计算出的用户名位

    0040C7D7 |. 76 13 jbe short FolderVi.0040C7EC //密码为空时,直接跳过

    0040C7D9 |. 8B15 5CB54200 mov edx,dword ptr ds:[42B55C] //赋值edx=1E 0040C7DF |> 0FBE2C38 /movsx ebp,byte ptr ds:[eax+edi] //依次取每位的16制值

    0040C7E3 |. 03EA |add ebp,edx //ebp+edx ;ebp为每位的16进制值;edx1E

    0040C7E5 |. 03CD |add ecx,ebp //ecx+ebp ;循环相,初值为ecx=0

    0040C7E7 |. 40 |inc eax //eax=eax+1 ;循环计数

    0040C7E8 |. 3BC6 |cmp eax,esi //eax-esi ;esi=位数

    0040C7EA |.^ 72 F3 \jb short FolderVi.0040C7DF //小于零就跳回,继续计算.

    0040C7EC |> 51 push ecx ; /<%u> 0040C7ED |. 8D4424 14 lea eax,dword ptr ss:[esp+14] ; | 0040C7F1 |. 68 10B94200 push FolderVi.0042B910 ; |Format = "%u-"

    0040C7F6 |. 50 push eax ; |s 0040C7F7 |. FF15 70624200 call dword ptr ds:[<&USER32.wsprintfA>] ; \wsprintfA 0040C7FD |. 83C4 0C add esp,0C

    0040C800 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]

    0040C804 |. 51 push ecx ; /StringToAdd 0040C805 |. 53 push ebx ; |ConcatString

    0040C806 |. FF15 C4614200 call dword ptr ds:[<&KERNEL32.lstrcatA>>; \lstrcatA//排列注册码***-***-???

    0040C80C |. 33C9 xor ecx,ecx

    0040C80E |. 33C0 xor eax,eax

    0040C810 |. 85F6 test esi,esi //计算出的用户名位

    0040C812 |. 76 14 jbe short FolderVi.0040C828 //密码为空时,直接跳过

    0040C814 |. 8B15 60B54200 mov edx,dword ptr ds:[42B560] //赋值edx=B 0040C81A |> 0FBE2C38 /movsx ebp,byte ptr ds:[eax+edi] //依次取每位的16进制值

    0040C81E |. 0FAFEA |imul ebp,edx //ebp*edx ;ebp为每位的16进制值;edxB

    0040C821 |. 03CD |add ecx,ebp //ecx=ecx+ebp ;环相加,初值为ecx=0

    0040C823 |. 40 |inc eax //eax=eax+1 ;环计数

    0040C824 |. 3BC6 |cmp eax,esi //eax-esi ;esi=位数

    0040C826 |.^ 72 F2 \jb short FolderVi.0040C81A //小于零就跳回,续计算.

    0040C828 |> 51 push ecx ; /<%u> 0040C829 |. 8D5424 14 lea edx,dword ptr ss:[esp+14] ; | 0040C82D |. 68 749E4200 push FolderVi.00429E74 ; |Format = "%u"

    0040C832 |. 52 push edx ; |s 0040C833 |. FF15 70624200 call dword ptr ds:[<&USER32.wsprintfA>] ; \wsprintfA 0040C839 |. 83C4 0C add esp,0C

    0040C83C |. 8D4424 10 lea eax,dword ptr ss:[esp+10]

    0040C840 |. 50 push eax ; /StringToAdd 0040C841 |. 53 push ebx ;

|ConcatString

    0040C842 |. FF15 C4614200 call dword ptr ds:[<&KERNEL32.lstrcatA>>; \lstrcatA//

    排列注册码***-***-***-???

    0040C848 |. 5F pop edi 0040C849 |. 5E pop esi 0040C84A |. 5D pop ebp 0040C84B |. 5B pop ebx 0040C84C |. 81C4 00010000 add esp,100 0040C852 \. C3 retn

注册码的形式为：***-***-***-***，即格式串 %u-%u-%u-%u 拼接而成。

假设注册名为 123，共三位：

设字符 1 对应的十六进制值记为 A，

    字符 2 对应的十六进制值记为 B，

    字符 3 对应的十六进制值记为 C。

以下按十六进制值运算，逐次展开循环：

分析：

(32+A)

    (32+B)+(CC+A)

    (32+C)+(CC+B)+(CC+A)=第一段

    3*32+A+B+C...=第一段

28*A

    (28*B)+(28*A)

    (28*C)+(28*B)+(28*A)=第二段

    28*(A+B+C...)=第二段

1E+A

    1E+B+1E+A

    1E+C+1E+B+1E+A=第三段

    1E*3+A+B+C=第三段

b*A

    b*B+b*A

    b*C+b*B+b*A=第四段

    B*(A+B+C...)=第四段

总结：

    第一段=位数*CC+A+B+C...

    第二段=28*(A+B+C...)

    第三段=1E*位数+A+B+C...

    第四段=B*(A+B+C...)

例：用户名为 C.zn，共 4 位。

    各字符的 ASCII 十六进制值：

C=43

    .=2E

    z=7A

    n=6E

    第一段=位数*32+A+B+C...=4*32+43+2E+7A+6E=211 (545) 第二段=28*(A+B+C...)=28*(43+2E+7A+6E)=35E8 (13800) 第三段=1E*位数+A+B+C=1E*4+43+2E+7A+6E=1D1 (465) 第四段=B*(A+B+C...)=B*(43+2E+7A+6E)=ED3 (3795)

用户名!C.zn

    注册号!545-13800-465-3795

关于十六进制的计算和转换，可以使用 WinHex 自带的计算器（很好用）。
