[Original] 文件批量复制工具 2.0 (File Batch Copy Tool): a brief analysis of the registration algorithm

蚊香 posted on 2008-8-6 10:41
【Title】: 文件批量复制工具 2.0: a brief analysis of the registration algorithm
【Author】: 蚊香/magic659117852
【Author e-mail】: xpi386com@gmail.com
【Author homepage】: http://www.xpi386.com
【Software size】: 803KB
【Download】: http://www.newhua.com/soft/70381.htm
【Protection】: registration code
【Language】: Borland Delphi
【Tools】: PEiD, OllyDbg
【Platform】: XP SP2 (unofficial copy)
【Software description】: A tool that copies several files into several directories in one go.
【Author's note】: Done purely out of interest, for no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】
0048AA18 /. 55            push ebp                           ; breakpoint set here, found via string search
0048AA19 |. 8BEC          mov ebp, esp                       ; F9 to run, enter 123456789012 as the trial code
0048AA1B |. 81C4 E0FEFFFF add esp, -120
0048AA21 |. 53            push ebx
0048AA22 |. 56            push esi
0048AA23 |. 57            push edi
0048AA24 |. 33C9          xor ecx, ecx
0048AA26 |. 898D E0FEFFFF mov dword ptr [ebp-120], ecx
0048AA2C |. 898D E4FEFFFF mov dword ptr [ebp-11C], ecx
0048AA32 |. 898D E8FEFFFF mov dword ptr [ebp-118], ecx
0048AA38 |. 898D ECFEFFFF mov dword ptr [ebp-114], ecx
0048AA3E |. 898D F0FEFFFF mov dword ptr [ebp-110], ecx
0048AA44 |. 898D F4FEFFFF mov dword ptr [ebp-10C], ecx
0048AA4A |. 8BD8          mov ebx, eax
0048AA4C |. 33C0          xor eax, eax
0048AA4E |. 55            push ebp
0048AA4F |. 68 E1AB4800   push 0048ABE1
0048AA54 |. 64:FF30       push dword ptr fs:[eax]
0048AA57 |. 64:8920       mov dword ptr fs:[eax], esp
0048AA5A |. 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C]
0048AA60 |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0048AA66 |. E8 E5F9FCFF   call 0045A450                      ; trial code length
0048AA6B |. 8B85 F4FEFFFF mov eax, dword ptr [ebp-10C]
0048AA71 |. E8 FA060000   call 0048B170                      ; algorithm CALL, F7 to step in
0048AA76 |. 84C0          test al, al
0048AA78 |. 0F84 DF000000 je 0048AB5D                        ; key jump: if taken, registration fails
0048AA7E |. A1 F0E34800   mov eax, dword ptr [48E3F0]
0048AA83 |. C600 01       mov byte ptr [eax], 1
0048AA86 |. 8D95 F0FEFFFF lea edx, dword ptr [ebp-110]
0048AA8C |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0048AA92 |. E8 B9F9FCFF   call 0045A450
0048AA97 |. 8B95 F0FEFFFF mov edx, dword ptr [ebp-110]
0048AA9D |. A1 18E44800   mov eax, dword ptr [48E418]
0048AAA2 |. E8 8195F7FF   call 00404028
0048AAA7 |. 68 05010000   push 105                           ; /BufSize = 105 (261.)
0048AAAC |. 8D85 FBFEFFFF lea eax, dword ptr [ebp-105]       ; |
0048AAB2 |. 50            push eax                           ; |Buffer
0048AAB3 |. E8 7CBAF7FF   call <jmp.&kernel32.GetSystemDirector> ; \GetSystemDirectoryA
0048AAB8 |. 8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
0048AABE |. 8D95 FBFEFFFF lea edx, dword ptr [ebp-105]
0048AAC4 |. B9 05010000   mov ecx, 105
0048AAC9 |. E8 7697F7FF   call 00404244
0048AACE |. 8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
0048AAD4 |. BA F8AB4800   mov edx, 0048ABF8                  ; \supercopy.ini
0048AAD9 |. E8 BE97F7FF   call 0040429C                      ; registration code is saved to C:\WINDOWS\system32\SuperCopy.ini
0048AADE |. 8B8D ECFEFFFF mov ecx, dword ptr [ebp-114]
0048AAE4 |. B2 01         mov dl, 1
0048AAE6 |. A1 FC554300   mov eax, dword ptr [4355FC]
0048AAEB |. E8 BCABFAFF   call 004356AC
0048AAF0 |. 8BF0          mov esi, eax
0048AAF2 |. 8D95 E8FEFFFF lea edx, dword ptr [ebp-118]
0048AAF8 |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0048AAFE |. E8 4DF9FCFF   call 0045A450
0048AB03 |. 8B85 E8FEFFFF mov eax, dword ptr [ebp-118]
0048AB09 |. 50            push eax
0048AB0A |. B9 10AC4800   mov ecx, 0048AC10                  ; key
0048AB0F |. BA 1CAC4800   mov edx, 0048AC1C                  ; regcode
0048AB14 |. 8BC6          mov eax, esi
0048AB16 |. 8B38          mov edi, dword ptr [eax]
0048AB18 |. FF57 04       call dword ptr [edi+4]
0048AB1B |. 8BC6          mov eax, esi
0048AB1D |. E8 9E86F7FF   call 004031C0
0048AB22 |. 6A 40         push 40
0048AB24 |. 8D95 E4FEFFFF lea edx, dword ptr [ebp-11C]
0048AB2A |. A1 A4E64800   mov eax, dword ptr [48E6A4]
0048AB2F |. 8B00          mov eax, dword ptr [eax]
0048AB31 |. E8 B6F2FEFF   call 00479DEC
0048AB36 |. 8B85 E4FEFFFF mov eax, dword ptr [ebp-11C]
0048AB3C |. E8 5399F7FF   call 00404494
0048AB41 |. 50            push eax
0048AB42 |. 68 24AC4800   push 0048AC24                      ; "Registration successful!"
0048AB47 |. 8BC3          mov eax, ebx
0048AB49 |. E8 2261FDFF   call 00460C70
0048AB4E |. 50            push eax                           ; |hOwner
0048AB4F |. E8 28C1F7FF   call <jmp.&user32.MessageBoxA>     ; \MessageBoxA
0048AB54 |. 8BC3          mov eax, ebx
0048AB56 |. E8 3DC0FEFF   call 00476B98
0048AB5B |. EB 40         jmp short 0048AB9D
0048AB5D |> 6A 40         push 40
0048AB5F |. 8D95 E0FEFFFF lea edx, dword ptr [ebp-120]
0048AB65 |. A1 A4E64800   mov eax, dword ptr [48E6A4]
0048AB6A |. 8B00          mov eax, dword ptr [eax]
0048AB6C |. E8 7BF2FEFF   call 00479DEC
0048AB71 |. 8B85 E0FEFFFF mov eax, dword ptr [ebp-120]
0048AB77 |. E8 1899F7FF   call 00404494
0048AB7C |. 50            push eax
0048AB7D |. 68 30AC4800   push 0048AC30                      ; "Wrong registration code, please re-enter!"
0048AB82 |. 8BC3          mov eax, ebx
0048AB84 |. E8 E760FDFF   call 00460C70
0048AB89 |. 50            push eax                           ; |hOwner
0048AB8A |. E8 EDC0F7FF   call <jmp.&user32.MessageBoxA>     ; \MessageBoxA
0048AB8F |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0048AB95 |. 8B10          mov edx, dword ptr [eax]
0048AB97 |. FF92 C4000000 call dword ptr [edx+C4]
0048AB9D |> 33C0          xor eax, eax
0048AB9F |. 5A            pop edx
0048ABA0 |. 59            pop ecx
0048ABA1 |. 59            pop ecx
0048ABA2 |. 64:8910       mov dword ptr fs:[eax], edx
0048ABA5 |. 68 E8AB4800   push 0048ABE8
0048ABAA |> 8D85 E0FEFFFF lea eax, dword ptr [ebp-120]
0048ABB0 |. BA 02000000   mov edx, 2
0048ABB5 |. E8 3E94F7FF   call 00403FF8
0048ABBA |. 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
0048ABC0 |. E8 0F94F7FF   call 00403FD4
0048ABC5 |. 8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
0048ABCB |. E8 0494F7FF   call 00403FD4
0048ABD0 |. 8D85 F0FEFFFF lea eax, dword ptr [ebp-110]
0048ABD6 |. BA 02000000   mov edx, 2
0048ABDB |. E8 1894F7FF   call 00403FF8
0048ABE0 \. C3            retn
0048ABE1  .^ E9 6E8DF7FF  jmp 00403954
0048ABE6  .^ EB C2        jmp short 0048ABAA
0048ABE8  .  5F           pop edi
0048ABE9  .  5E           pop esi
0048ABEA  >  5B           pop ebx
0048ABEB  .  8BE5         mov esp, ebp
0048ABED  .  5D           pop ebp
0048ABEE  .  C3           retn
Stepping into the algorithm CALL made at 0048AA71:
0048B170     55            push ebp                           ; setting AL to 1 right here and returning would defeat the check (flag patch)
0048B171     8BEC          mov ebp, esp
0048B173     51            push ecx
0048B174 |.  53            push ebx
0048B175 |.  8945 FC       mov dword ptr [ebp-4], eax
0048B178 |.  8B45 FC       mov eax, dword ptr [ebp-4]
0048B17B |.  E8 0493F7FF   call 00404484
0048B180 |.  33C0          xor eax, eax
0048B182 |.  55            push ebp
0048B183 |.  68 DBB14800   push 0048B1DB
0048B188 |.  64:FF30       push dword ptr fs:[eax]
0048B18B |.  64:8920       mov dword ptr fs:[eax], esp
0048B18E |.  8B45 FC       mov eax, dword ptr [ebp-4]
0048B191 |.  E8 FE90F7FF   call 00404294                      ; registration code length
0048B196 |.  83F8 0C       cmp eax, 0C                        ; must be 12 characters
0048B199 |.  74 04         je short 0048B19F
0048B19B |.  33DB          xor ebx, ebx
0048B19D |.  EB 26         jmp short 0048B1C5
0048B19F |>  BB 05000000   mov ebx, 5                         ; EBX = 5
0048B1A4 |>  8B45 FC       /mov eax, dword ptr [ebp-4]
0048B1A7 |.  8A4418 FF     |mov al, byte ptr [eax+ebx-1]      ; take characters 5-8 of the trial code in turn
0048B1AB |.  E8 60FFFFFF   |call 0048B110                     ; table lookup
0048B1B0 |.  8B55 FC       |mov edx, dword ptr [ebp-4]
0048B1B3 |.  3A441A 03     |cmp al, byte ptr [edx+ebx+3]      ; compare each looked-up value with characters 9-12 of the trial code
0048B1B7 |.  74 04         |je short 0048B1BD                 ; any mismatch goes to the failure path
0048B1B9 |.  33DB          |xor ebx, ebx
0048B1BB |.  EB 08         |jmp short 0048B1C5
0048B1BD     43            |inc ebx
0048B1BE     83FB 09       |cmp ebx, 9
0048B1C1    ^ 75 E1        \jnz short 0048B1A4                ; loop 4 times
0048B1C3     B3 01         mov bl, 1                          ; the key assignment
0048B1C5     33C0          xor eax, eax
0048B1C7     5A            pop edx
0048B1C8     59            pop ecx
0048B1C9     59            pop ecx
0048B1CA |.  64:8910       mov dword ptr fs:[eax], edx
0048B1CD |.  68 E2B14800   push 0048B1E2
0048B1D2 |>  8D45 FC       lea eax, dword ptr [ebp-4]
0048B1D5     E8 FA8DF7FF   call 00403FD4
0048B1DA     C3            retn
0048B1DB    ^ E9 7487F7FF  jmp 00403954
0048B1E0    ^ EB F0        jmp short 0048B1D2
0048B1E2     8BC3          mov eax, ebx                       ; the result is passed back here
0048B1E4     5B            pop ebx
0048B1E5     59            pop ecx
0048B1E6     5D            pop ebp
0048B1E7     C3            retn
The table reached through the call at 0048B1AB contains:
0048B14C |> \B0 38  mov al, 38  ; Case 30 ('0') of switch 0048B115
0048B14E |.  C3     retn
0048B14F |>  B0 36  mov al, 36  ; Case 31 ('1') of switch 0048B115
0048B151 |.  C3     retn
0048B152 |>  B0 34  mov al, 34  ; Case 32 ('2') of switch 0048B115
0048B154 |.  C3     retn
0048B155 |>  B0 30  mov al, 30  ; Case 33 ('3') of switch 0048B115
0048B157 |.  C3     retn
0048B158 |>  B0 35  mov al, 35  ; Case 34 ('4') of switch 0048B115
0048B15A |.  C3     retn
0048B15B |>  B0 32  mov al, 32  ; Case 35 ('5') of switch 0048B115
0048B15D |.  C3     retn
0048B15E |>  B0 39  mov al, 39  ; Case 36 ('6') of switch 0048B115
0048B160 |.  C3     retn
0048B161 |>  B0 31  mov al, 31  ; Case 37 ('7') of switch 0048B115
0048B163 |.  C3     retn
0048B164 |>  B0 33  mov al, 33  ; Case 38 ('8') of switch 0048B115
0048B166 |.  C3     retn
0048B167 |>  B0 37  mov al, 37  ; Case 39 ('9') of switch 0048B115
0048B169 |.  C3     retn
--------------------------------------------------------------------------------
【Algorithm summary】
The registration code is 12 characters long; the first 4 are arbitrary.
Characters 5-8 are each converted to another digit by the following rule:
0 → 8
1 → 6
2 → 4
3 → 0
4 → 5
5 → 2
6 → 9
7 → 1
8 → 3
9 → 7
The converted characters 5-8 are compared one by one with characters 9-12; if all four match, registration succeeds. The registration code is saved to C:\WINDOWS\system32\SuperCopy.ini.
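The check routine at 0048B170, re-expressed in Python as an added example (not code from the original post) so the summary above can be verified against the trial input 123456789012; the table has cases only for '0'-'9', so treating any other character in positions 5-8 as a failure is an assumption here:

```python
# Added example: the registration check as decoded from 0048B170.
# Note that the check depends only on the candidate code itself and a fixed
# substitution table inside the binary; there is no secret, user or machine
# binding, which is why the table alone is enough to reproduce it.

# Substitution table from the switch at 0048B115 ('0'..'9' -> replacement digit).
SUBST = str.maketrans("0123456789", "8640529137")


def check_registration(code: str) -> bool:
    """Return True when `code` passes the program's check.

    Mirrors the routine at 0048B170:
      * the length must be exactly 12 (cmp eax, 0C);
      * characters 5..8 (1-based) are each pushed through the table;
      * each result must equal the character four positions later (9..12);
      * characters 1..4 are never read, so anything is accepted there.
    Assumption: the page shows table cases only for '0'..'9', so a non-digit
    in positions 5..8 is treated as a failure here.
    """
    if len(code) != 12:
        return False
    middle = code[4:8]   # 1-based positions 5..8
    tail = code[8:12]    # 1-based positions 9..12
    if any(c not in "0123456789" for c in middle):
        return False
    return middle.translate(SUBST) == tail


if __name__ == "__main__":
    # Constructed inputs: the post's trial code, which must fail, and the same
    # prefix completed by the rule above, which must pass.
    print(check_registration("123456789012"))   # False
    print(check_registration("123456782913"))   # True
```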

Keygen source (VB code):
Private Sub Command1_Click()
    Dim X1 As Long      ' random 8-digit block: positions 1-4 are free, 5-8 feed the table
    Dim i As Integer
    Dim temp As String  ' one character taken from positions 5-8
    Dim sn As String    ' the four looked-up digits that become positions 9-12

    Randomize
    X1 = Int(Rnd * 90000000) + 10000000
    Text1.Text = X1
    sn = ""
    For i = 5 To 8
        temp = Mid(Text1.Text, i, 1)
        ' Same substitution as the switch at 0048B115; Mid returns a String,
        ' so the cases compare against string literals
        Select Case temp
            Case "0": sn = sn & "8"
            Case "1": sn = sn & "6"
            Case "2": sn = sn & "4"
            Case "3": sn = sn & "0"
            Case "4": sn = sn & "5"
            Case "5": sn = sn & "2"
            Case "6": sn = sn & "9"
            Case "7": sn = sn & "1"
            Case "8": sn = sn & "3"
            Case "9": sn = sn & "7"
        End Select
    Next
    ' 8 random digits followed by the 4 derived digits: a 12-character code
    Text1.Text = X1 & sn
End Sub

Tested and working on VB 6.0 Lite~~~~~~~

--------------------------------------------------------------------------------
【Copyright notice】: This article is an original by 蚊香. When reposting, please credit the author and keep the article complete. Thank you!

6 August 2008, 10:12:22 AM


ximo posted on 2008-8-6 10:52
Impressive, 蚊香 keeps getting better and better. Respect.
石头学破解 posted on 2008-8-6 11:02
"0048B170 55 push ebp ; setting AL to 1 right here and returning would defeat the check" - so this is the legendary flag patch.
Tale posted on 2008-8-6 11:07
shaomifeng posted on 2008-8-6 11:45
Very detailed write-up!
Support!
pxf posted on 2008-8-6 12:22
蚊 MM's analysis is very detailed, bumping this one.
小生我菜菜 posted on 2008-8-6 13:24
蚊香 MM's algorithm work is definitely worth studying carefully, support.
[OP] 蚊香 posted on 2008-8-6 13:44
I'm not an MM, I'll have you know~~~~~~~~~~~

This is simple arithmetic, learned from the expert in post #1.

By the way, I compiled the keygen and uploaded it~~~~~~~~~

KG.rar

4 KB, downloads: 26, download cost: 吾爱币 -1 CB

天蓝色 posted on 2008-8-6 15:19
蚊香 is awesome, be my master.
Hmily posted on 2008-8-6 16:23
Welcome 蚊香 to post many more algorithm articles for everyone to learn from~