
Visual CHM V4.0

By Lauren Holmes,2014-08-31 12:10

【Software】: Visual CHM V4.0
【Limitation】: feature-limited (the unregistered build only compiles projects of up to 15 nodes)
【Protection】: ASPack 2.12 -> Alexey Solodovnikov
【Tools】: TRW2000 (娃娃 modified build), OllyDbg, W32Dasm
【Language】: Borland Delphi 6.0 - 7.0
【Description】: A first-rate tool for building CHM files. Visual CHM lets you produce professional-looking CHM files very easily, and it is WYSIWYG.
—————————————————————————————————
【Cracking process】:

Heh, I remember that when I was first learning to crack I wanted to merge the 看雪 forum digest 34 into a single CHM file, so I found this software. Visual CHM really is a first-rate authoring tool, but the unregistered version can only compile files with 15 nodes. Back then I debugged it several times and got nowhere. Later I learned that the author, Mr. 葛泽华, is himself a cracking expert! A few days ago I found heXer/iPB's analysis of the 3.10 algorithm in the 看雪 digest and was very pleased, so over the last three days I calmed down and had another go at 4.0, and by luck found a lead!

User name: fly[OCN] (the user name must be between 5 and 32 characters)
Trial code: BCDEFGHIJK (the registration code is 10 characters)

Notation used below:
1. the user name fly[OCN] is N0
2. the string computed from N0, TJYIPJFB, is N1
3. the string computed from N1, TJYIPJFBFW, is N2
4. the trial code BCDEFGHIJK is K0
5. the string computed from K0, LJPJLJXJLJ, is K1
6. the string computed from K1, RSTUVWXYZJ, is K2

Heh, it made my head spin too! ~@~

I. Computing N1 from the user name N0

* Possible StringData Ref from Code Obj ->"http://www.vchm.com/ convenient "
                                        ->"CHM editor,WYSIWYG."
|
:004E7684 BA3C8B4E00        mov edx, 004E8B3C                  ====> EDX = "http://www.vchm.com/ convenient CHM editor,WYSIWYG."
:004E7689 E8BAD5F1FF        call 00404C48
:004E768E 8B45FC            mov eax, dword ptr [ebp-04]
:004E7691 0550060000        add eax, 00000650
:004E7696 8B55FC            mov edx, dword ptr [ebp-04]
:004E7699 8B9248060000      mov edx, dword ptr [edx+00000648]
:004E769F E860D5F1FF        call 00404C04

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E764A(C)
|
:004E76A4 8D45E8            lea eax, dword ptr [ebp-18]
:004E76A7 BA788B4E00        mov edx, 004E8B78
:004E76AC E897D5F1FF        call 00404C48
:004E76B1 8B45FC            mov eax, dword ptr [ebp-04]
:004E76B4 8B8050060000      mov eax, dword ptr [eax+00000650]  ====> EAX = "fly[OCN]"
:004E76BA E8C5D7F1FF        call 00404E84                      ====> length of the user name
:004E76BF 8BF8              mov edi, eax                       ====> EDI = 8
:004E76C1 85FF              test edi, edi
:004E76C3 7E66              jle 004E772B
:004E76C5 BE01000000        mov esi, 00000001                  ====> ESI = 1 (1-based character index)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7729(C)
|
:004E76CA 8B45FC            mov eax, dword ptr [ebp-04]
:004E76CD 8B8050060000      mov eax, dword ptr [eax+00000650]  ====> EAX = "fly[OCN]"
:004E76D3 8A5C30FF          mov bl, byte ptr [eax+esi-01]      ====> take the user-name characters one at a time
                                                                    1 ====> BL = 66 ('f')
                                                                    ...
                                                                    8 ====> BL = 5D (']')
:004E76D7 8B45EC            mov eax, dword ptr [ebp-14]        ====> EAX = "http://www.vchm.com/ convenient CHM editor,WYSIWYG."
:004E76DA 8A4430FF          mov al, byte ptr [eax+esi-01]      ====> take the characters of that constant string one at a time
                                                                    1 ====> AL = 68 ('h')
                                                                    ...
                                                                    8 ====> AL = 77 ('w')
:004E76DE 32D8              xor bl, al                         1 ====> BL = 66 XOR 68 = 0E
                                                                    ...
                                                                    8 ====> BL = 5D XOR 77 = 2A
:004E76E0 81E3FF000000      and ebx, 000000FF
:004E76E6 33DE              xor ebx, esi                       1 ====> EBX = 0E XOR 01 = 0F
                                                                    ...
                                                                    8 ====> EBX = 2A XOR 08 = 22
:004E76E8 83FB41            cmp ebx, 00000041                  ====> is EBX below 41h?
:004E76EB 7D0B              jge 004E76F8                       ====> if it is, fall through and add

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E76F6(C)
|
:004E76ED 8D441E16          lea eax, dword ptr [esi+ebx+16]    1 ====> EAX = 01 + 0F + 16 = 26
                                                                    1 ====> EAX = 01 + 26 + 16 = 3D
                                                                    1 ====> EAX = 01 + 3D + 16 = 54
                                                                    ...
                                                                    8 ====> EAX = 08 + 22 + 16 = 40
                                                                    8 ====> EAX = 08 + 40 + 16 = 5E
:004E76F1 8BD8              mov ebx, eax                       ====> EBX = EAX
:004E76F3 83FB41            cmp ebx, 00000041                  ====> still below 41h?
:004E76F6 7CF5              jl 004E76ED                        ====> if so, go back and add again until EBX is no longer below 41h

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E76EB(C)
|
:004E76F8 83FB7A            cmp ebx, 0000007A
:004E76FB 7E0F              jle 004E770C                       ====> if EBX is above 7Ah, subtract below

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7705(C)
|
:004E76FD 83EB1B            sub ebx, 0000001B
:004E7700 2BDE              sub ebx, esi
:004E7702 83FB7A            cmp ebx, 0000007A
:004E7705 7FF6              jg 004E76FD
:004E7707 EB03              jmp 004E770C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7714(C)
|
:004E7709 83C304            add ebx, 00000004                  ...
                                                                    8 ====> EBX = 5E + 04 = 62

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004E76FB(C), :004E7707(U)
|
:004E770C 83FB61            cmp ebx, 00000061                  ====> is EBX below 61h?
:004E770F 7D05              jge 004E7716
:004E7711 83FB5A            cmp ebx, 0000005A
:004E7714 7FF3              jg 004E7709                        ====> 5Ah < EBX < 61h (the gap between 'Z' and 'a'): add 4 and check again

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E770F(C)
|
:004E7716 8B45FC            mov eax, dword ptr [ebp-04]
:004E7719 0550060000        add eax, 00000650
:004E771E E8B1D9F1FF        call 004050D4
:004E7723 885C30FF          mov byte ptr [eax+esi-01], bl      ====> store the result at [eax+esi-01]
                                                                    1 ====> BL = 54 ('T')
                                                                    2 ====> BL = 4A ('J')
                                                                    3 ====> BL = 59 ('Y')
                                                                    4 ====> BL = 49 ('I')
                                                                    5 ====> BL = 70 ('p')
                                                                    6 ====> BL = 6A ('j')
                                                                    7 ====> BL = 66 ('f')
                                                                    8 ====> BL = 62 ('b')
                                                               After the loop, [eax+esi-01] holds fly[OCN] (N0) transformed by the steps above: TJYIpjfb. Call it N1.
:004E7727 46                inc esi                            ====> ESI increases by 1 each round
:004E7728 4F                dec edi                            ====> EDI counts down from 8, the user-name length
:004E7729 759F              jne 004E76CA                       ====> loop

...

* Possible StringData Ref from Code Obj ->"DropZone"
|
:004E7985 BAFC854E00        mov edx, 004E85FC
:004E798A 8B18              mov ebx, dword ptr [eax]
:004E798C FF5310            call [ebx+10]
:004E798F 8BD0              mov edx, eax
:004E7991 A12C154F00        mov eax, dword ptr [004F152C]
:004E7996 8B00              mov eax, dword ptr [eax]
:004E7998 E84726F8FF        call 00469FE4
:004E799D A12C154F00        mov eax, dword ptr [004F152C]
:004E79A2 8B00              mov eax, dword ptr [eax]
:004E79A4 8A5057            mov dl, byte ptr [eax+57]
:004E79A7 8B45FC            mov eax, dword ptr [ebp-04]
:004E79AA 8B80E8050000      mov eax, dword ptr [eax+000005E8]

II. Computing K1 from the trial code K0

:004E79B0 E8239CF7FF        call 004615D8
:004E79B5 8B45FC            mov eax, dword ptr [ebp-04]
:004E79B8 056C060000        add eax, 0000066C
:004E79BD BA0A000000        mov edx, 0000000A
:004E79C2 E841D8F1FF        call 00405208                      ====> keep only the first 10 characters of the trial code (I entered exactly 10 ^v^)
:004E79C7 8B45FC            mov eax, dword ptr [ebp-04]
:004E79CA 8B806C060000      mov eax, dword ptr [eax+0000066C]  ====> EAX = "BCDEFGHIJK"
:004E79D0 E8AFD4F1FF        call 00404E84                      ====> length of the trial code
:004E79D5 8BD8              mov ebx, eax                       ====> EBX = A
:004E79D7 8B45FC            mov eax, dword ptr [ebp-04]
:004E79DA 056C060000        add eax, 0000066C
:004E79DF 8BD3              mov edx, ebx
:004E79E1 E822D8F1FF        call 00405208
:004E79E6 8B45FC            mov eax, dword ptr [ebp-04]
:004E79E9 8B806C060000      mov eax, dword ptr [eax+0000066C]
:004E79EF E890D4F1FF        call 00404E84
:004E79F4 8BF8              mov edi, eax
:004E79F6 85FF              test edi, edi
:004E79F8 7E5C              jle 004E7A56
:004E79FA BE01000000        mov esi, 00000001                  ====> ESI starts at 1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A54(C)
|
:004E79FF 8B45FC            mov eax, dword ptr [ebp-04]
:004E7A02 8B806C060000      mov eax, dword ptr [eax+0000066C]  ====> EAX = "BCDEFGHIJK"
:004E7A08 33DB              xor ebx, ebx
:004E7A0A 8A5C30FF          mov bl, byte ptr [eax+esi-01]      ====> take the characters of BCDEFGHIJK one at a time
                                                                    1 ====> BL = 42    2 ====> BL = 43    3 ====> BL = 44    4 ====> BL = 45    5 ====> BL = 46
                                                                    6 ====> BL = 47    7 ====> BL = 48    8 ====> BL = 49    9 ====> BL = 4A   10 ====> BL = 4B
:004E7A0E 33DE              xor ebx, esi
                                                                    1 ====> EBX = 42 XOR 01 = 43    2 ====> EBX = 43 XOR 02 = 41    3 ====> EBX = 44 XOR 03 = 47
                                                                    4 ====> EBX = 45 XOR 04 = 41    5 ====> EBX = 46 XOR 05 = 43    6 ====> EBX = 47 XOR 06 = 41
                                                                    7 ====> EBX = 48 XOR 07 = 4F    8 ====> EBX = 49 XOR 08 = 41    9 ====> EBX = 4A XOR 09 = 43
                                                                   10 ====> EBX = 4B XOR 0A = 41
:004E7A10 83C329            add ebx, 00000029
                                                                    1 ====> EBX = 43 + 29 = 6C    2 ====> EBX = 41 + 29 = 6A    3 ====> EBX = 47 + 29 = 70
                                                                    4 ====> EBX = 41 + 29 = 6A    5 ====> EBX = 43 + 29 = 6C    6 ====> EBX = 41 + 29 = 6A
                                                                    7 ====> EBX = 4F + 29 = 78    8 ====> EBX = 41 + 29 = 6A    9 ====> EBX = 43 + 29 = 6C
                                                                   10 ====> EBX = 41 + 29 = 6A
:004E7A13 83FB41            cmp ebx, 00000041
:004E7A16 7D0B              jge 004E7A23                       ====> jump if not below 41h

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A21(C)
|
:004E7A18 8D441E16          lea eax, dword ptr [esi+ebx+16]
:004E7A1C 8BD8              mov ebx, eax
:004E7A1E 83FB41            cmp ebx, 00000041
:004E7A21 7CF5              jl 004E7A18

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A16(C)
|
:004E7A23 83FB7A            cmp ebx, 0000007A
:004E7A26 7E0F              jle 004E7A37                       ====> jump if not above 7Ah

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A30(C)
|
:004E7A28 83EB1B            sub ebx, 0000001B
:004E7A2B 2BDE              sub ebx, esi
:004E7A2D 83FB7A            cmp ebx, 0000007A
:004E7A30 7FF6              jg 004E7A28
:004E7A32 EB03              jmp 004E7A37

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A3F(C)
|
:004E7A34 83C304            add ebx, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004E7A26(C), :004E7A32(U)
|
:004E7A37 83FB61            cmp ebx, 00000061
:004E7A3A 7D05              jge 004E7A41                       ====> jump if not below 61h
:004E7A3C 83FB5A            cmp ebx, 0000005A
:004E7A3F 7FF3              jg 004E7A34

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A3A(C)
|
:004E7A41 8B45FC            mov eax, dword ptr [ebp-04]
:004E7A44 056C060000        add eax, 0000066C
:004E7A49 E886D6F1FF        call 004050D4
:004E7A4E 885C30FF          mov byte ptr [eax+esi-01], bl      ====> store the result at [eax+esi-01]
                                                                    1 ====> BL = 6C    2 ====> BL = 6A    3 ====> BL = 70    4 ====> BL = 6A    5 ====> BL = 6C
                                                                    6 ====> BL = 6A    7 ====> BL = 78    8 ====> BL = 6A    9 ====> BL = 6C   10 ====> BL = 6A
                                                               After the loop, [eax+esi-01] holds BCDEFGHIJK (K0) transformed by the steps above: ljpjljxjlj
:004E7A52 46                inc esi
:004E7A53 4F                dec edi
:004E7A54 75A9              jne 004E79FF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E79F8(C)
|
:004E7A56 8B45FC            mov eax, dword ptr [ebp-04]
:004E7A59 056C060000        add eax, 0000066C
:004E7A5E BA0A000000        mov edx, 0000000A
:004E7A63 E8A0D7F1FF        call 00405208
:004E7A68 8D9524FEFFFF      lea edx, dword ptr [ebp+FFFFFE24]
:004E7A6E 8B45FC            mov eax, dword ptr [ebp-04]
:004E7A71 8B806C060000      mov eax, dword ptr [eax+0000066C]
:004E7A77 E84C16F2FF        call 004090C8                      ====> this CALL converts ljpjljxjlj to upper case!
:004E7A7C 8B9524FEFFFF      mov edx, dword ptr [ebp+FFFFFE24]  ====> EDX = "LJPJLJXJLJ". Call it K1.

:004E7A82 8B45FC            mov eax, dword ptr [ebp-04]
:004E7A85 056C060000        add eax, 0000066C
:004E7A8A E875D1F1FF        call 00404C04
:004E7A8F 8B45FC            mov eax, dword ptr [ebp-04]
:004E7A92 81B8740600005B851C00 cmp dword ptr [eax+00000674], 001C855B
:004E7A9C 0F8EA8000000      jle 004E7B4A
:004E7AA2 8B45FC            mov eax, dword ptr [ebp-04]
:004E7AA5 8B806C060000      mov eax, dword ptr [eax+0000066C]
:004E7AAB E8D4D3F1FF        call 00404E84                      ====> length of LJPJLJXJLJ
:004E7AB0 8BF0              mov esi, eax                       ====> ESI = A
:004E7AB2 8B45FC            mov eax, dword ptr [ebp-04]
:004E7AB5 8B8054060000      mov eax, dword ptr [eax+00000654]
:004E7ABB E8C4D3F1FF        call 00404E84
:004E7AC0 50                push eax
:004E7AC1 8B45FC            mov eax, dword ptr [ebp-04]
:004E7AC4 8B806C060000      mov eax, dword ptr [eax+0000066C]
:004E7ACA E8B5D3F1FF        call 00404E84
:004E7ACF 5A                pop edx
:004E7AD0 E84B7BF4FF        call 0042F620                      ====> I suspect this CALL performs a CRC check!!!
:004E7AD5 48                dec eax
:004E7AD6 83F800            cmp eax, 00000000
:004E7AD9 7C60              jl 004E7B3B                        ====> if the program has been patched or unpacked, this jump is NOT taken!

In that case the K1 computed above is transformed once more into K2, and the final comparison uses K2 instead of K1. No matter how you invert K2 you can never get the right registration code! I was stuck here for six hours! This must be the "redundant code" the author talks about: "if you want deeper protection, add some redundant code; the cracker will get dizzy wandering around in that pile, and your goal is achieved." (the author's own words)

III. The K1 -> K2 transform whose only purpose is to confuse us crackers. ~Q~~Q~

:004E7ADB 8945E0            mov dword ptr [ebp-20], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B39(C)
|
:004E7ADE 8B45FC            mov eax, dword ptr [ebp-04]
:004E7AE1 8B806C060000      mov eax, dword ptr [eax+0000066C]  ====> EAX = "LJPJLJXJLJ"
:004E7AE7 33DB              xor ebx, ebx
:004E7AE9 8A5C30FF          mov bl, byte ptr [eax+esi-01]      ====> ESI stays at A, so every round reads the last character
                                                                    1..10 ====> BL = 4A ('J')
:004E7AED 33DE              xor ebx, esi                       1..10 ====> EBX = 4A XOR 0A = 40
:004E7AEF 83FB41            cmp ebx, 00000041
:004E7AF2 7D0B              jge 004E7AFF                       ====> below 41h, so the jump is not taken and the loop below runs

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7AFD(C)
|
:004E7AF4 83C311            add ebx, 00000011                  1..10 ====> EBX = 40 + 11 = 51
:004E7AF7 035DE0            add ebx, dword ptr [ebp-20]
                                                                    1 ====> EBX = 51 + 09 = 5A    2 ====> EBX = 51 + 08 = 59    3 ====> EBX = 51 + 07 = 58
                                                                    4 ====> EBX = 51 + 06 = 57    5 ====> EBX = 51 + 05 = 56    6 ====> EBX = 51 + 04 = 55
                                                                    7 ====> EBX = 51 + 03 = 54    8 ====> EBX = 51 + 02 = 53    9 ====> EBX = 51 + 01 = 52
                                                                   10 ====> EBX = 51 + 00 = 51
:004E7AFA 83FB41            cmp ebx, 00000041
:004E7AFD 7CF5              jl 004E7AF4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7AF2(C)
|
:004E7AFF 83FB7A            cmp ebx, 0000007A
:004E7B02 7E10              jle 004E7B14

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B0D(C)
|
:004E7B04 83EB17            sub ebx, 00000017
:004E7B07 2B5DE0            sub ebx, dword ptr [ebp-20]
:004E7B0A 83FB7A            cmp ebx, 0000007A
:004E7B0D 7FF5              jg 004E7B04
:004E7B0F EB03              jmp 004E7B14

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B1C(C)
|
:004E7B11 83EB03            sub ebx, 00000003

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004E7B02(C), :004E7B0F(U)
|
:004E7B14 83FB61            cmp ebx, 00000061
:004E7B17 7D05              jge 004E7B1E
:004E7B19 83FB5A            cmp ebx, 0000005A
:004E7B1C 7FF3              jg 004E7B11

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B17(C)
|
:004E7B1E 8B45FC            mov eax, dword ptr [ebp-04]
:004E7B21 056C060000        add eax, 0000066C
:004E7B26 E8A9D5F1FF        call 004050D4
:004E7B2B 8B55E0            mov edx, dword ptr [ebp-20]        ====> EDX = [ebp-20]
                                                                    1 ====> EDX = 09    2 ====> EDX = 08    3 ====> EDX = 07    4 ====> EDX = 06    5 ====> EDX = 05
                                                                    6 ====> EDX = 04    7 ====> EDX = 03    8 ====> EDX = 02    9 ====> EDX = 01   10 ====> EDX = 00
:004E7B2E 885C10FF          mov byte ptr [eax+edx-01], bl      ====> store the result at [eax+edx-01]
                                                                    1 ====> BL = 5A    string = LJPJLJXJZJ
                                                                    2 ====> BL = 59    string = LJPJLJXYZJ
                                                                    3 ====> BL = 58    string = LJPJLJXYZJ
                                                                    4 ====> BL = 57    string = LJPJLWXYZJ
                                                                    5 ====> BL = 56    string = LJPJVWXYZJ
                                                                    6 ====> BL = 55    string = LJPUVWXYZJ
                                                                    7 ====> BL = 54    string = LJTUVWXYZJ
                                                                    8 ====> BL = 53    string = LSTUVWXYZJ
                                                                    9 ====> BL = 52    string = RSTUVWXYZJ
                                                                   10 ====> BL = 51    string = QRSTUVWXYZJ
                                                               Note that in round 10 EDX is 0, so the write goes to [eax-01], one byte before the character data (where Delphi keeps the string's length field); that is why the trace shows an 11-character string here until the SetLength call at 004E7B45 cuts it back to 10.
:004E7B32 FF4DE0            dec [ebp-20]                       ====> [ebp-20] counts down from its initial value 9
:004E7B35 837DE0FF          cmp dword ptr [ebp-20], FFFFFFFF
:004E7B39 75A3              jne 004E7ADE                       ====> loop: 10 rounds in total!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7AD9(C)
|
:004E7B3B 8B45FC            mov eax, dword ptr [ebp-04]
:004E7B3E 056C060000        add eax, 0000066C
:004E7B43 8BD6              mov edx, esi
:004E7B45 E8BED6F1FF        call 00405208                      ====> truncate the string to ESI = 10 characters

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7A9C(C)
|
* Reference To: kernel32.GetTickCount, Ord:0000h
|
:004E7B4A E879F9F1FF        Call 004074C8
:004E7B4F 8B55FC            mov edx, dword ptr [ebp-04]
:004E7B52 2B827C060000      sub eax, dword ptr [edx+0000067C]  ====> ticks elapsed since the value saved at [+67C]
:004E7B58 3D9E400000        cmp eax, 0000409E
:004E7B5D 730A              jnb 004E7B69                       ====> if fewer than 409Eh (16542) ms have passed, the byte at [+64C] is set to 1; what that flag controls is not traced here
:004E7B5F 8B45FC            mov eax, dword ptr [ebp-04]
:004E7B62 C6804C06000001    mov byte ptr [eax+0000064C], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E7B5D(C)
|
:004E7B69 8D9520FEFFFF      lea edx, dword ptr [ebp+FFFFFE20]
:004E7B6F 8B45FC            mov eax, dword ptr [ebp-04]
:004E7B72 8B806C060000      mov eax, dword ptr [eax+0000066C]
:004E7B78 E84B15F2FF        call 004090C8                      ====> same upper-case routine as at 004E7A77
:004E7B7D 8B9520FEFFFF      mov edx, dword ptr [ebp+FFFFFE20]  ====> EDX = "RSTUVWXYZJ". Call it K2.

:004E7B83 8B45FC            mov eax, dword ptr [ebp-04]
:004E7B86 0558060000        add eax, 00000658
:004E7B8B E874D0F1FF        call 00404C04
:004E7B90 BB01000000        mov ebx, 00000001
:004E7B95 8D45EC            lea eax, dword ptr [ebp-14]
:004E7B98 BA788B4E00        mov edx, 004E8B78
:004E7B9D E8A6D0F1FF        call 00404C48
:004E7BA2 682C010000        push 0000012C

Heh, everything above can be caught by breaking when the program restarts. The comparison below is more troublesome: without knowing where to break it is not easy to find. I tried many times and finally tracked it down with TRW. Exhausting! ^Q^~@~

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5400(U)
|
:004E546B 8B45FC            mov eax, dword ptr [ebp-04]        ====> EAX = "LJPJLJXJLJ" (or "RSTUVWXYZJ")
:004E546E E811FAF1FF        call 00404E84                      ====> length
:004E5473 83F80B            cmp eax, 0000000B
:004E5476 7F8A              jg 004E5402                        ====> not taken unless the length exceeds 0Bh

IV. Computing the 10-character N2 from the N1 obtained in step I

:004E5478 33DB              xor ebx, ebx
:004E547A 8B8664060000      mov eax, dword ptr [esi+00000664]  ====> EAX = "TJYIPJFB": the lower-case letters of N1 have already been converted to upper case
:004E5480 E8FFF9F1FF        call 00404E84
:004E5485 8BF8              mov edi, eax
:004E5487 E9BA000000        jmp 004E5546                       ====> jump down to pad the string to 10 characters!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5554(C)
|
:004E548C 83FF15            cmp edi, 00000015
:004E548F 7D03              jge 004E5494
:004E5491 43                inc ebx
:004E5492 EB15              jmp 004E54A9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E548F(C)
|
:004E5494 8B8664060000      mov eax, dword ptr [esi+00000664]
:004E549A E8E5F9F1FF        call 00404E84
:004E549F B909000000        mov ecx, 00000009
:004E54A4 99                cdq
:004E54A5 F7F9              idiv ecx
:004E54A7 8BDA              mov ebx, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5492(U)
|
:004E54A9 8B8664060000      mov eax, dword ptr [esi+00000664]
:004E54AF E8D0F9F1FF        call 00404E84
:004E54B4 2BC3              sub eax, ebx
:004E54B6 8B9664060000      mov edx, dword ptr [esi+00000664]
:004E54BC 8A4402FF          mov al, byte ptr [edx+eax-01]
:004E54C0 8B9664060000      mov edx, dword ptr [esi+00000664]
:004E54C6 8A541AFF          mov dl, byte ptr [edx+ebx-01]
:004E54CA 32C2              xor al, dl
:004E54CC 25FF000000        and eax, 000000FF
:004E54D1 83C079            add eax, 00000079
:004E54D4 50                push eax
:004E54D5 8D8664060000      lea eax, dword ptr [esi+00000664]
:004E54DB E8F4FBF1FF        call 004050D4
:004E54E0 5A                pop edx
:004E54E1 885418FF          mov byte ptr [eax+ebx-01], dl
:004E54E5 8B8664060000      mov eax, dword ptr [esi+00000664]
:004E54EB 0FB64418FF        movzx eax, byte ptr [eax+ebx-01]
:004E54F0 E89367FFFF        call 004DBC88
:004E54F5 50                push eax
:004E54F6 8D8664060000      lea eax, dword ptr [esi+00000664]
:004E54FC E8D3FBF1FF        call 004050D4
:004E5501 5A                pop edx
:004E5502 885418FF          mov byte ptr [eax+ebx-01], dl
:004E5506 8D8664060000      lea eax, dword ptr [esi+00000664]
:004E550C 50                push eax
:004E550D 8B8664060000      mov eax, dword ptr [esi+00000664]
:004E5513 E86CF9F1FF        call 00404E84
:004E5518 8BC8              mov ecx, eax
:004E551A 2BCB              sub ecx, ebx
:004E551C BA01000000        mov edx, 00000001
:004E5521 8B8664060000      mov eax, dword ptr [esi+00000664]
:004E5527 E8B0FBF1FF        call 004050DC
:004E552C 8B8664060000      mov eax, dword ptr [esi+00000664]
:004E5532 E84DF9F1FF        call 00404E84
:004E5537 8BD0              mov edx, eax
:004E5539 2BD3              sub edx, ebx
:004E553B 8D8664060000      lea eax, dword ptr [esi+00000664]
:004E5541 E8C2FCF1FF        call 00405208

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5487(U)
|
:004E5546 8B8664060000      mov eax, dword ptr [esi+00000664]  ====> EAX = "TJYIPJFB"
:004E554C E833F9F1FF        call 00404E84                      ====> length
:004E5551 83F80B            cmp eax, 0000000B
:004E5554 0F8F32FFFFFF      jg 004E548C                        ====> only taken (into the shortening loop above) when the length exceeds 0Bh; 8 does not, so it is not taken
:004E555A 33DB              xor ebx, ebx
:004E555C EB40              jmp 004E559E                       ====> jump ahead

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E55BA(C)
|
:004E555E 43                inc ebx
:004E555F 8B8664060000      mov eax, dword ptr [esi+00000664]  ====> EAX = "TJYIPJFB"
:004E5565 8A4418FF          mov al, byte ptr [eax+ebx-01]      1 ====> AL = 54 ('T')          2 ====> AL = 4A ('J')
:004E5569 3455              xor al, 55                         1 ====> AL = 54 XOR 55 = 01    2 ====> AL = 4A XOR 55 = 1F
:004E556B 25FF000000        and eax, 000000FF
:004E5570 8D5346            lea edx, dword ptr [ebx+46]        1 ====> EDX = 1 + 46 = 47      2 ====> EDX = 2 + 46 = 48
:004E5573 33C2              xor eax, edx                       1 ====> AL = 01 XOR 47 = 46    2 ====> AL = 1F XOR 48 = 57
:004E5575 8845FB            mov byte ptr [ebp-05], al
:004E5578 33C0              xor eax, eax
:004E557A 8A45FB            mov al, byte ptr [ebp-05]
:004E557D E80667FFFF        call 004DBC88                      ====> not analysed here; in both traced rounds it returned its input ('F', 'W') unchanged
:004E5582 8845FB            mov byte ptr [ebp-05], al
:004E5585 8D45F0            lea eax, dword ptr [ebp-10]
:004E5588 8A55FB            mov dl, byte ptr [ebp-05]
:004E558B E800F8F1FF        call 00404D90
:004E5590 8B55F0            mov edx, dword ptr [ebp-10]
:004E5593 8D8664060000      lea eax, dword ptr [esi+00000664]
:004E5599 E8EEF8F1FF        call 00404E8C                      ====> append the new character to the string

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E555C(U)
|
:004E559E 8B8664060000      mov eax, dword ptr [esi+00000664]  ====> after the two rounds above N1 has become TJYIPJFBFW. Call it N2.
:004E55A4 E8DBF8F1FF        call 00404E84
:004E55A9 83F80A            cmp eax, 0000000A                  ====> 10 characters yet?
:004E55AC 7D0E              jge 004E55BC                       ====> if the length is at least 10, jump
:004E55AE 8B8664060000      mov eax, dword ptr [esi+00000664]
:004E55B4 E8CBF8F1FF        call 00404E84
:004E55B9 48                dec eax
:004E55BA 7FA2              jg 004E555E                        ====> otherwise loop back and compute another character, until there are 10

V. The comparison! N2, computed from the user name, is compared character by character with K1, computed from the trial code, read in reverse order.

Heh, if you patched or unpacked the program, the K2 produced by the "redundant code" above is compared here instead of K1. A very clever smokescreen!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E55AC(C)
|
:004E55BC 8D8664060000      lea eax, dword ptr [esi+00000664]
:004E55C2 BA0A000000        mov edx, 0000000A
:004E55C7 E83CFCF1FF        call 00405208
:004E55CC 8D55EC            lea edx, dword ptr [ebp-14]
:004E55CF 8B8664060000      mov eax, dword ptr [esi+00000664]  ====> EAX = "TJYIPJFBFW"
:004E55D5 E8EE3AF2FF        call 004090C8
:004E55DA 8B55EC            mov edx, dword ptr [ebp-14]        ====> EDX = "TJYIPJFBFW"
:004E55DD 8D8664060000      lea eax, dword ptr [esi+00000664]
:004E55E3 E81CF6F1FF        call 00404C04
:004E55E8 8D45FC            lea eax, dword ptr [ebp-04]
:004E55EB 8B9658060000      mov edx, dword ptr [esi+00000658]  ====> EDX = "LJPJLJXJLJ"
:004E55F1 E852F6F1FF        call 00404C48
:004E55F6 C6868006000001    mov byte ptr [esi+00000680], 01
:004E55FD BF01000000        mov edi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5637(C)
|                                                              ====> below, N2 is read front to back and K1 back to front, and they are compared one character at a time
:004E5602 80BE8006000000    cmp byte ptr [esi+00000680], 00
:004E5609 741C              je 004E5627
:004E560B 8B8664060000      mov eax, dword ptr [esi+00000664]  ====> EAX = "TJYIPJFBFW"
:004E5611 8A4438FF          mov al, byte ptr [eax+edi-01]      ====> read TJYIPJFBFW front to back
:004E5615 BA0B000000        mov edx, 0000000B
:004E561A 2BD7              sub edx, edi
:004E561C 8B4DFC            mov ecx, dword ptr [ebp-04]        ====> ECX = "LJPJLJXJLJ"
:004E561F 8A5411FF          mov dl, byte ptr [ecx+edx-01]      ====> read LJPJLJXJLJ back to front
:004E5623 32C2              xor al, dl                         ====> XOR the two characters: are they the same?
:004E5625 7404              je 004E562B                        ====> if the jump is not taken, it's over!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5609(C)
|
:004E5627 33C0              xor eax, eax                       ====> EAX cleared to 0: failure!
:004E5629 EB02              jmp 004E562D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5625(C)
|
:004E562B B001              mov al, 01                         ====> EAX = 1: OK!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E5629(U)
|
:004E562D 888680060000      mov byte ptr [esi+00000680], al    ====> AL goes into the registration flag!!!
:004E5633 47                inc edi
:004E5634 83FF0B            cmp edi, 0000000B
:004E5637 75C9              jne 004E5602
:004E5639 EB2A              jmp 004E5665

—————————————————————————————————
【Algorithm summary】:

Heh, after three days and nights of "painstaking" tracing I finally have the rough flow of the algorithm. Now to invert it.

Recap: 1. the user name fly[OCN] is N0; 2. the string computed from N0, TJYIPJFB, is N1; 3. the string computed from N1, TJYIPJFBFW, is N2; 4. the trial code BCDEFGHIJK is K0; 5. the string computed from K0, LJPJLJXJLJ, is K1; 6. the string computed from K1, RSTUVWXYZJ, is K2.

1. At the end, the software compares N2 (TJYIPJFBFW) with the reverse of K1 (LJPJLJXJLJ); if they match, OK! So the real K1 must be: WFBFJPIYJT

2. Inverting back to K0. The code that computes K1 is:

:004E7A0E 33DE              xor ebx, esi
                                                                    1 ====> EBX = 42 XOR 01 = 43    2 ====> EBX = 43 XOR 02 = 41    3 ====> EBX = 44 XOR 03 = 47
                                                                    4 ====> EBX = 45 XOR 04 = 41    5 ====> EBX = 46 XOR 05 = 43    6 ====> EBX = 47 XOR 06 = 41
                                                                    7 ====> EBX = 48 XOR 07 = 4F    8 ====> EBX = 49 XOR 08 = 41    9 ====> EBX = 4A XOR 09 = 43
                                                                   10 ====> EBX = 4B XOR 0A = 41
:004E7A10 83C329            add ebx, 00000029
                                                                    1 ====> EBX = 43 + 29 = 6C    2 ====> EBX = 41 + 29 = 6A    3 ====> EBX = 47 + 29 = 70
                                                                    4 ====> EBX = 41 + 29 = 6A    5 ====> EBX = 43 + 29 = 6C    6 ====> EBX = 41 + 29 = 6A
                                                                    7 ====> EBX = 4F + 29 = 78    8 ====> EBX = 41 + 29 = 6A    9 ====> EBX = 43 + 29 = 6C
                                                                   10 ====> EBX = 41 + 29 = 6A

My inversion: first convert WFBFJPIYJT to lower case, wfbfjpiyjt, and invert each character from its hex value. (Lower-case targets are chosen because a value that is already in 61h..7Ah passes through the three clamp loops at 004E7A13..004E7A3F unchanged, so subtract 29h and XOR with the position is the exact inverse; the final upper-casing at 004E7A77 then yields the K1 we need.)

1:  77 - 29 = 4E, XOR 01 = 4F : 'O'
2:  66 - 29 = 3D, XOR 02 = 3F : '?'
3:  62 - 29 = 39, XOR 03 = 3A : ':'
4:  66 - 29 = 3D, XOR 04 = 39 : '9'
5:  6A - 29 = 41, XOR 05 = 44 : 'D'
6:  70 - 29 = 47, XOR 06 = 41 : 'A'
7:  69 - 29 = 40, XOR 07 = 47 : 'G'
8:  79 - 29 = 50, XOR 08 = 58 : 'X'
9:  6A - 29 = 41, XOR 09 = 48 : 'H'
10: 74 - 29 = 4B, XOR 0A = 41 : 'A'

Heh, so my registration code is: O?:9DAGXHA

The registration information is stored at:
[HKEY_LOCAL_MACHINE\Software\XgSoft\Visual CHM 3.0]
"Email"="fly[OCN]"
"RegisterCode"="O?:9DAGXHA"
—————————————————————————————————
【Patching】:

I have seen a patched release of this software by Team Lz0, but when I tried it it did not work well; maybe my method was wrong. I also patched it myself: it displays "registered successfully" and the "Compile" menu no longer turns grey, but the functional limit remains! Perhaps the software has a very well hidden CRC check or verification routine. Heh, I really admire the author's skill! If anyone has a clean patching method, please teach me!
—————————————————————————————————
【Registration codes】:
User name: fly[OCN]    Code: O?:9DAGXHA
User name: aqtata      Code: LKJ>:DGMON
————————————————————————————————
