Posted by 网络断魂 on 2008-3-15 02:12
【Author】: 网络断魂
【Software】: 新华字典词典 [V2008 build 02.01]
【Download】: search for it yourself
【Packer】: ASPack 2.12 -> Alexey Solodovnikov
【Protection】: serial number
【Language】: Borland Delphi 6.0 - 7.0
【Tools】: PEiD, OllyDbg
【Platform】: XP SP3
【Software description】: The 新华字典词典 software is a compact, comprehensive and novel desktop reference tool. It collects all of China's national-standard (GB) Chinese characters, all standard words, all standard idioms and an English-Chinese dictionary: comprehensive, authoritative and scientific, an excellent study aid. The Xinhua dictionary covers pinyin, stroke count, radical, lookup method, Wubi code, etymology, compounds, example usage and meanings, in thorough, complete and fine-grained depth. The idiom dictionary includes pinyin, origin and examples. The xiehouyu dictionary includes both the first and the second half of each saying. The English-Chinese dictionary offers both Chinese-English and English-Chinese lookup. The Xinhua, idiom and xiehouyu dictionaries all support fuzzy search: convenient, fast and efficient. The software also bundles a wealth of material, including famous quotations, couplets, celebrated lines, a "devil's dictionary", tongue-twisters, the Thousand Character Classic, the Three Character Classic, the Hundred Family Surnames, Xishi Xianwen, colloquialisms, proverbs and more. A rare and excellent utility.
【Author's note】: A beginner learning algorithms; corrections from the experts are welcome!
1. Unpack with the ESP trick, open the program and try it: enter the verification code and a fake serial, and it reports "******* is not a valid integer value", so the verification code must be numeric.
2. Locate the key function from the string reference:
005444D8 . 55 push ebp
005444D9 . 8BEC mov ebp, esp
005444DB . 81C4 98FEFFFF add esp, -168
005444E1 . 33C9 xor ecx, ecx
005444E3 . 898D 9CFEFFFF mov dword ptr [ebp-164], ecx
005444E9 . 898D 98FEFFFF mov dword ptr [ebp-168], ecx
005444EF . 898D A8FEFFFF mov dword ptr [ebp-158], ecx
005444F5 . 898D A4FEFFFF mov dword ptr [ebp-15C], ecx
005444FB . 898D A0FEFFFF mov dword ptr [ebp-160], ecx
00544501 . 8945 FC mov dword ptr [ebp-4], eax
00544504 . 33C0 xor eax, eax
00544506 . 55 push ebp
00544507 . 68 FF465400 push 005446FF
0054450C . 64:FF30 push dword ptr fs:[eax]
0054450F . 64:8920 mov dword ptr fs:[eax], esp
00544512 . 8D95 A8FEFFFF lea edx, dword ptr [ebp-158]
00544518 . 8B45 FC mov eax, dword ptr [ebp-4]
0054451B . 8B80 70040000 mov eax, dword ptr [eax+470]
00544521 . E8 F630F0FF call 0044761C ; //get the fake serial (123456789)
00544526 . 8B85 A8FEFFFF mov eax, dword ptr [ebp-158] ; //into EAX
0054452C . 50 push eax
0054452D . 8D95 A0FEFFFF lea edx, dword ptr [ebp-160]
00544533 . 8B45 FC mov eax, dword ptr [ebp-4]
00544536 . 8B80 6C040000 mov eax, dword ptr [eax+46C]
0054453C . E8 DB30F0FF call 0044761C ; //get the verification code
00544541 . 8B85 A0FEFFFF mov eax, dword ptr [ebp-160] ; //into EAX
00544547 . E8 7052ECFF call 004097BC ; //convert the string to an integer (shown in hex), result in EAX
0054454C . 03C0 add eax, eax ; //EAX * 2
0054454E . 8D04C0 lea eax, dword ptr [eax+eax*8] ; //EAX * 9 (result 84746B7A = 2222222202)
00544551 . 8D95 A4FEFFFF lea edx, dword ptr [ebp-15C]
00544557 . E8 9CFEFFFF call 005443F8 ; //key CALL, step into it
0054455C . 8B95 A4FEFFFF mov edx, dword ptr [ebp-15C]
00544562 . 58 pop eax
00544563 . E8 840AECFF call 00404FEC ; //key comparison, jump if not equal
00544568 . 0F85 48010000 jnz 005446B6 ; //not equal: jump to registration failure
0054456E . 8D95 98FEFFFF lea edx, dword ptr [ebp-168]
00544574 . A1 94B05400 mov eax, dword ptr [54B094]
00544579 . 8B00 mov eax, dword ptr [eax]
0054457B . E8 BC47F2FF call 00468D3C
00544580 . 8B85 98FEFFFF mov eax, dword ptr [ebp-168]
00544586 . 8D95 9CFEFFFF lea edx, dword ptr [ebp-164]
0054458C . E8 D755ECFF call 00409B68
00544591 . 8D85 9CFEFFFF lea eax, dword ptr [ebp-164]
00544597 . BA 14475400 mov edx, 00544714 ; skins\9.skn
0054459C . E8 0F09ECFF call 00404EB0 ; //save the registration code
005445A1 . 8B95 9CFEFFFF mov edx, dword ptr [ebp-164]
005445A7 . 8D85 ACFEFFFF lea eax, dword ptr [ebp-154]
005445AD . E8 92E9EBFF call 00402F44
005445B2 . BA 01000000 mov edx, 1
005445B7 . 8D85 ACFEFFFF lea eax, dword ptr [ebp-154]
005445BD . E8 36EFEBFF call 004034F8
005445C2 . E8 B5E3EBFF call 0040297C
005445C7 . 33C0 xor eax, eax
005445C9 . 55 push ebp
005445CA . 68 3C465400 push 0054463C
005445CF . 64:FF30 push dword ptr fs:[eax]
005445D2 . 64:8920 mov dword ptr fs:[eax], esp
005445D5 . 6A 00 push 0
005445D7 . 8D55 FB lea edx, dword ptr [ebp-5]
005445DA . B9 01000000 mov ecx, 1
005445DF . 8D85 ACFEFFFF lea eax, dword ptr [ebp-154]
005445E5 . E8 B6EAEBFF call 004030A0
005445EA . E8 8DE3EBFF call 0040297C
005445EF . BA 05000000 mov edx, 5
005445F4 . 8D85 ACFEFFFF lea eax, dword ptr [ebp-154]
005445FA . E8 05EFEBFF call 00403504
005445FF . E8 78E3EBFF call 0040297C
00544604 . 6A 00 push 0
00544606 . 8D55 FB lea edx, dword ptr [ebp-5]
00544609 . B9 01000000 mov ecx, 1
0054460E . 8D85 ACFEFFFF lea eax, dword ptr [ebp-154]
00544614 . E8 87EAEBFF call 004030A0
00544619 . E8 5EE3EBFF call 0040297C
0054461E . 33C0 xor eax, eax
00544620 . 5A pop edx
00544621 . 59 pop ecx
00544622 . 59 pop ecx
00544623 . 64:8910 mov dword ptr fs:[eax], edx
00544626 . 68 43465400 push 00544643
0054462B > 8D85 ACFEFFFF lea eax, dword ptr [ebp-154]
00544631 . E8 8AEAEBFF call 004030C0
00544636 . E8 41E3EBFF call 0040297C
0054463B . C3 retn
0054463C .^ E9 53FEEBFF jmp 00404494
00544641 .^ EB E8 jmp short 0054462B
00544643 . B8 28475400 mov eax, 00544728 ; 软件注册成功!
00544648 . E8 B7C1EFFF call 00440804
0054464D . 8B45 FC mov eax, dword ptr [ebp-4]
00544650 . 8B80 64040000 mov eax, dword ptr [eax+464]
00544656 . BA 40475400 mov edx, 00544740 ; 软件已注册
0054465B . E8 EC2FF0FF call 0044764C
00544660 . 8B45 FC mov eax, dword ptr [ebp-4]
00544663 . 8B90 A8040000 mov edx, dword ptr [eax+4A8]
00544669 . 8B45 FC mov eax, dword ptr [ebp-4]
0054466C . 8B80 C0040000 mov eax, dword ptr [eax+4C0]
00544672 . E8 A5DFF8FF call 004D261C
00544677 . 8B45 FC mov eax, dword ptr [ebp-4]
0054467A . 8B80 C0040000 mov eax, dword ptr [eax+4C0]
00544680 . BA 54475400 mov edx, 00544754 ; 解释
00544685 . E8 DEDFF8FF call 004D2668
0054468A . 8B45 FC mov eax, dword ptr [ebp-4]
0054468D . 8B90 F0020000 mov edx, dword ptr [eax+2F0]
00544693 . 8B45 FC mov eax, dword ptr [ebp-4]
00544696 . 8B80 2C050000 mov eax, dword ptr [eax+52C]
0054469C . E8 9FE3F8FF call 004D2A40
005446A1 . 8B45 FC mov eax, dword ptr [ebp-4]
005446A4 . 8B80 2C050000 mov eax, dword ptr [eax+52C]
005446AA . BA 64475400 mov edx, 00544764 ; content
005446AF . E8 D8E3F8FF call 004D2A8C
005446B4 . EB 0A jmp short 005446C0
005446B6 > B8 74475400 mov eax, 00544774 ; 注册失败,请重试!\n\n注册用户重试失败请与作者联系!
005446BB . E8 44C1EFFF call 00440804
005446C0 > 33C0 xor eax, eax
005446C2 . 5A pop edx
005446C3 . 59 pop ecx
005446C4 . 59 pop ecx
005446C5 . 64:8910 mov dword ptr fs:[eax], edx
005446C8 . 68 06475400 push 00544706
005446CD > 8D85 98FEFFFF lea eax, dword ptr [ebp-168]
005446D3 . BA 02000000 mov edx, 2
005446D8 . E8 3705ECFF call 00404C14
005446DD . 8D85 A0FEFFFF lea eax, dword ptr [ebp-160]
005446E3 . E8 0805ECFF call 00404BF0
005446E8 . 8D85 A4FEFFFF lea eax, dword ptr [ebp-15C]
005446EE . E8 FD04ECFF call 00404BF0
005446F3 . 8D85 A8FEFFFF lea eax, dword ptr [ebp-158]
005446F9 . E8 F204ECFF call 00404BF0
005446FE . C3 retn
005446FF .^ E9 90FDEBFF jmp 00404494
00544704 .^ EB C7 jmp short 005446CD
00544706 . 8BE5 mov esp, ebp
00544708 . 5D pop ebp
00544709 . C3 retn
3. From 00544557 call 005443F8 ; //key CALL, step into it:
005443F8 /$ 55 push ebp
005443F9 |. 8BEC mov ebp, esp
005443FB |. 33C9 xor ecx, ecx
005443FD |. 51 push ecx
005443FE |. 51 push ecx
005443FF |. 51 push ecx
00544400 |. 51 push ecx
00544401 |. 53 push ebx
00544402 |. 56 push esi
00544403 |. 8BF2 mov esi, edx
00544405 |. 8BD8 mov ebx, eax ; //product into EBX
00544407 |. 33C0 xor eax, eax ; //clear EAX
00544409 |. 55 push ebp
0054440A |. 68 C8445400 push 005444C8
0054440F |. 64:FF30 push dword ptr fs:[eax]
00544412 |. 64:8920 mov dword ptr fs:[eax], esp
00544415 |. 81F3 F1250B00 xor ebx, 0B25F1 ; //product XOR 0B25F1
0054441B |. 8BC3 mov eax, ebx ; //result into EAX
0054441D |. 33D2 xor edx, edx ; //clear EDX
0054441F |. 52 push edx
00544420 |. 50 push eax
00544421 |. 8D45 FC lea eax, dword ptr [ebp-4]
00544424 |. E8 5F53ECFF call 00409788 ; //convert to a decimal string (2222935691)
00544429 |. 8B45 FC mov eax, dword ptr [ebp-4] ; //decimal string into EAX
0054442C |. 0FB600 movzx eax, byte ptr [eax] ; //ASCII value of the 1st character into EAX
0054442F |. 8B55 FC mov edx, dword ptr [ebp-4] ; //decimal string into EDX
00544432 |. 0FB652 01 movzx edx, byte ptr [edx+1] ; //ASCII value of the 2nd character into EDX
00544436 |. 03C2 add eax, edx ; //add the two ASCII values
00544438 |. B9 05000000 mov ecx, 5 ; //divisor 5
0054443D |. 99 cdq
0054443E |. F7F9 idiv ecx ; //sum of the ASCII values divided by 5: quotient in EAX, remainder in EDX
00544440 |. 80C2 34 add dl, 34 ; //remainder + 34
00544443 |. 8855 F8 mov byte ptr [ebp-8], dl ; //store the result on the stack at [ebp-8]
00544446 |. 8B45 FC mov eax, dword ptr [ebp-4] ; //decimal string into EAX
00544449 |. 0FB640 02 movzx eax, byte ptr [eax+2] ; //ASCII value of the 3rd character into EAX
0054444D |. 8B55 FC mov edx, dword ptr [ebp-4] ; //十进制字符串送给EDX
00544450 |. 0FB652 03 movzx edx, byte ptr [edx+3] ; //ASCII value of the 4th character into EDX
00544454 |. 03C2 add eax, edx ; //add the ASCII values
00544456 |. B9 05000000 mov ecx, 5 ; //divisor 5
0054445B |. 99 cdq
0054445C |. F7F9 idiv ecx ; //sum of the ASCII values divided by 5: quotient in EAX, remainder in EDX
0054445E |. 8BDA mov ebx, edx ; //remainder into EBX
00544460 |. 80C3 33 add bl, 33 ; //remainder + 33
00544463 |. 885D F9 mov byte ptr [ebp-7], bl ; //store the result on the stack at [ebp-7]
00544466 |. 8D45 F4 lea eax, dword ptr [ebp-C] ; //the block below converts each of the two remainder results into its character and appends it to the decimal string above
00544469 |. 8A55 F8 mov dl, byte ptr [ebp-8]
0054446C |. E8 5F09ECFF call 00404DD0
00544471 |. 8B45 F4 mov eax, dword ptr [ebp-C]
00544474 |. 8D55 FC lea edx, dword ptr [ebp-4]
00544477 |. B9 1B000000 mov ecx, 1B
0054447C |. E8 070DECFF call 00405188
00544481 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00544484 |. 8BD3 mov edx, ebx
00544486 |. E8 4509ECFF call 00404DD0
0054448B |. 8B45 F0 mov eax, dword ptr [ebp-10]
0054448E |. 8D55 FC lea edx, dword ptr [ebp-4]
00544491 |. B9 19000000 mov ecx, 19
00544496 |. E8 ED0CECFF call 00405188
0054449B |. 8BC6 mov eax, esi
0054449D |. 8B55 FC mov edx, dword ptr [ebp-4]
005444A0 |. E8 9F07ECFF call 00404C44
005444A5 |. 33C0 xor eax, eax
005444A7 |. 5A pop edx
005444A8 |. 59 pop ecx
005444A9 |. 59 pop ecx
005444AA |. 64:8910 mov dword ptr fs:[eax], edx
005444AD |. 68 CF445400 push 005444CF
005444B2 |> 8D45 F0 lea eax, dword ptr [ebp-10]
005444B5 |. BA 02000000 mov edx, 2
005444BA |. E8 5507ECFF call 00404C14
005444BF |. 8D45 FC lea eax, dword ptr [ebp-4]
005444C2 |. E8 2907ECFF call 00404BF0
005444C7 \. C3 retn
005444C8 .^ E9 C7FFEBFF jmp 00404494
005444CD .^ EB E3 jmp short 005444B2
005444CF . 5E pop esi
005444D0 . 5B pop ebx
005444D1 . 8BE5 mov esp, ebp
005444D3 . 5D pop ebp
005444D4 . C3 retn
4. Algorithm summary:
The verification code (as an integer) multiplied by 18, call it A;
A XOR 0B25F1, call it B;
(ASCII value of B's 1st digit + ASCII value of its 2nd digit) % 5 + 34 (hex), taken as a character, is the second-to-last character of the registration code, call it C;
(ASCII value of B's 3rd digit + ASCII value of its 4th digit) % 5 + 33 (hex), taken as a character, is the last character of the registration code, call it D;
B + C + D concatenated is the final registration code.
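The check traced above, reimplemented as an added example (the editor's own code, not from the original post or from the software) so the step-4 summary can be verified against the values the author recorded; it also covers the case where B has fewer than four decimal digits, where the compiled code reads the Delphi string's terminating zero byte. Function names, `verify_code` and the assumption of decimal input are the editor's.

```python
# Added example: the serial check reverse engineered above, reimplemented in
# Python so the step-4 summary can be checked against the author's recorded
# values. Function and variable names are the editor's own, not the software's.

MASK32 = 0xFFFFFFFF   # the product is computed in a 32-bit register (EAX)
XOR_KEY = 0x0B25F1    # immediate from `xor ebx, 0B25F1` at 00544415


def _byte_at(s: str, i: int) -> int:
    """Byte the compiled code reads at offset i of the Delphi AnsiString.
    The string is null-terminated, so reading past its end yields 0
    (this happens when B has fewer than four decimal digits)."""
    return ord(s[i]) if i < len(s) else 0


def transform(verify_code: str) -> int:
    """A = code * 18 (add eax,eax; lea eax,[eax+eax*8]), then B = A xor 0B25F1.
    int() stands in for Delphi StrToInt; decimal input is assumed."""
    a = (int(verify_code) * 18) & MASK32
    return a ^ XOR_KEY          # EDX is zeroed before IntToStr, so B is unsigned


def expected_serial(verify_code: str) -> str:
    """Builds B + C + D exactly as the routine at 005443F8 does."""
    b = str(transform(verify_code))
    # C: (1st + 2nd ASCII) mod 5, plus 0x34 -> a digit '4'..'8'
    c = chr((_byte_at(b, 0) + _byte_at(b, 1)) % 5 + 0x34)
    # D: (3rd + 4th ASCII) mod 5, plus 0x33 -> a digit '3'..'7'
    d = chr((_byte_at(b, 2) + _byte_at(b, 3)) % 5 + 0x33)
    # the Insert calls use positions 1B and 19, past the end of B, so they append
    return b + c + d


def check_serial(verify_code: str, serial: str) -> bool:
    """The comparison at 00544563/00544568: plain string equality."""
    return serial == expected_serial(verify_code)


if __name__ == "__main__":
    # values the author recorded for verification code 123456789
    print(transform("123456789"))        # -> 2222935691
    print(expected_serial("123456789"))  # -> 222293569143
```

Because the expected serial is a pure function of the visible verification code and a constant shipped in the binary, the scheme holds no secret; a licence check that survives this kind of tracing has to verify something the binary cannot compute on its own, such as a signature made with a key the vendor keeps.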