[Repost] A Simple Algorithm --- Analysis of the Algorithm in the Web Browsing Tool GreenBrowser!

Author:  ShenGe  Reposted from: http://www.cracksoft.org/cgi-bin/topic.cgi?forum=19&topic=4175
--------------------------------------------------------------------------------
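Size:  383 KB
Language:  English
Category:  Chinese-made software / Shareware / Web browsing
Platform:  Win9x/NT/2000/XP
Date added:  2003-06-25 16:03:12
Downloads:  2321
Rating:  ★★★
Description:
   GreenBrowser is an IE-based multi-window browser with many additional features, for example: hotkeys, collector, mouse gestures, mouse drag-and-drop, pop-up filter, search engines, page background colour setting, toolbar skins, proxy server, auto-scroll, auto-save, auto form fill, and startup modes.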

Download: http://count.skycn.com/softdown.php?id=11763&url=http://zztl-http.skycn.net:8080/down/greenbrowsergb.zip

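Cracking tools: Pescan 3.31, OllyDbg 1.09
Author's note: I am new to cracking; this is for study and exchange only, and corrections from more experienced readers are welcome.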

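Cracking this program is very simple. Pescan identifies the packer as ASPack 2.12, so I unpacked it with Pescan's unpack function (382K ---> 1100K) and loaded it into OD.
Enter any user name: ShenGe[BCG], registration code: 1234567890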

..........
00412DBD  CALL    12.0046A8AD
                 <---get the user name
00412DC2  MOV     ECX, DWORD PTR SS:[ESP+8]
                 <---ECX holds the user name I entered, "ShenGe[BCG]"
00412DC6  CMP     DWORD PTR DS:[ECX-8], 1
                 <---check whether a user name was entered
00412DCA  JGE     SHORT 12.00412DDA
00412DCC  PUSH    -1
00412DCE  PUSH    0
00412DD0  PUSH    0EF4F
00412DD5  JMP     12.00412E73
00412DDA  LEA     EDX, DWORD PTR SS:[ESP+4]
00412DDE  LEA     ECX, DWORD PTR DS:[ESI+98]
00412DE4  PUSH    EDX
00412DE5  CALL    12.0046A8AD
                 <---get the entered registration code
00412DEA  MOV     EAX, DWORD PTR SS:[ESP+4]  
                 <---EAX holds the fake code "1234567890"
00412DEE  CMP     DWORD PTR DS:[EAX-8], 1
                 <---check whether a registration code was entered
00412DF2  JLE     SHORT 12.00412E6A
00412DF4  PUSH    ECX
00412DF5  LEA     EDX, DWORD PTR SS:[ESP+8]
00412DF9  MOV     ECX, ESP
00412DFB  MOV     DWORD PTR SS:[ESP+10], ESP
00412DFF  PUSH    EDX
00412E00  CALL    12.0046D47E
                 <---this call writes the registration information to a file
00412E05  CALL    12.00412990
                 <---step into this call!
00412E0A  ADD     ESP, 4
00412E0D  TEST    EAX, EAX
00412E0F  JE      SHORT 12.00412E5F
                 <---key jump! It must not be taken. The code right
                  after it greys out the button!
00412E11  CALL    12.0047ECB0
00412E16  MOV     ECX, DWORD PTR SS:[ESP+8]
00412E1A  MOV     EAX, DWORD PTR DS:[EAX+4]
00412E1D  PUSH    ECX                            
00412E1E  PUSH    12.004AEBD4                    
00412E23  PUSH    12.004AEBC8                   
00412E28  MOV     ECX, EAX                       
00412E2A  CALL    12.00475101                    
00412E2F  CALL    12.0047ECB0
00412E34  MOV     EDX, DWORD PTR SS:[ESP+4]       
00412E38  MOV     EAX, DWORD PTR DS:[EAX+4]
00412E3B  PUSH    EDX                             
00412E3C  PUSH    12.004AEBC0                    
00412E41  PUSH    12.004AEBC8                     
00412E46  MOV     ECX, EAX                        
00412E48  CALL    12.00475101                    
00412E4D  MOV     ECX, ESI
00412E4F  CALL    12.00412BB0
00412E54  PUSH    -1
00412E56  PUSH    0
00412E58  PUSH    0EF52
00412E5D  JMP     SHORT 12.00412E73
00412E5F  PUSH    -1
00412E61  PUSH    0
00412E63  PUSH    0EF50
00412E68  JMP     SHORT 12.00412E73
00412E6A  PUSH    -1
00412E6C  PUSH    0
00412E6E  PUSH    0EF51
00412E73  CALL    12.00474F8B
                 <---wrong registration code!
00412E78  LEA     ECX, DWORD PTR SS:[ESP+8]
00412E7C  MOV     BYTE PTR SS:[ESP+18], 0
...............

Stepping into that key call shows the following code:
00412990 PUSH    -1
00412992 PUSH    12.00485388                             
00412997 MOV     EAX, DWORD PTR FS:[0]
0041299D PUSH    EAX
0041299E MOV     DWORD PTR FS:[0], ESP
004129A5 SUB     ESP, 38
004129A8 PUSH    ESI
004129A9 XOR     ESI, ESI
004129AB LEA     ECX, DWORD PTR SS:[ESP+4C]
004129AF MOV     DWORD PTR SS:[ESP+44], ESI
004129B3 CALL    12.00466730
004129B8 LEA     ECX, DWORD PTR SS:[ESP+4C]
004129BC CALL    12.004666E4
004129C1 MOV     EAX, DWORD PTR SS:[ESP+4C]
004129C5 MOV     EAX, DWORD PTR DS:[EAX-8]
                <---load the length of the registration code into EAX
004129C8 CMP     EAX, 0A
                <---check whether the registration code is 10 characters long
004129CB JE      SHORT 12.004129F0
004129CD LEA     ECX, DWORD PTR SS:[ESP+4C]
004129D1 MOV     DWORD PTR SS:[ESP+44], -1
004129D9 CALL    12.0046D709
004129DE XOR     EAX, EAX
004129E0 POP     ESI                                     
004129E1 MOV     ECX, DWORD PTR SS:[ESP+38]
004129E5 MOV     DWORD PTR FS:[0], ECX
004129EC ADD     ESP, 44
004129EF RETN
004129F0 MOV     EAX, DWORD PTR DS:[4B08B8]
004129F5 PUSH    EBX
004129F6 PUSH    EDI
004129F7 MOV     DWORD PTR SS:[ESP+C], EAX
004129FB MOV     DWORD PTR SS:[ESP+10], EAX
004129FF LEA     ECX, DWORD PTR SS:[ESP+14]
00412A03 PUSH    5
                <---this parameter decides how many characters are taken
00412A05 PUSH    ECX
00412A06 LEA     ECX, DWORD PTR SS:[ESP+5C]
00412A0A MOV     BYTE PTR SS:[ESP+54], 2
00412A0F CALL    12.004662F6
                <---take the first 5 characters of the registration code
00412A14 PUSH    EAX
                <---[EAX]="12345"
00412A15 LEA     ECX, DWORD PTR SS:[ESP+10]
00412A19 MOV     BYTE PTR SS:[ESP+50], 3
00412A1E CALL    12.0046D842
00412A23 LEA     ECX, DWORD PTR SS:[ESP+14]
00412A27 MOV     BYTE PTR SS:[ESP+4C], 2
00412A2C CALL    12.0046D709
00412A31 LEA     EDX, DWORD PTR SS:[ESP+18]
00412A35 PUSH    5
00412A37 PUSH    EDX
00412A38 LEA     ECX, DWORD PTR SS:[ESP+5C]
00412A3C CALL    12.0046627A
                <---take the last 5 characters of the registration code
00412A41 PUSH    EAX
                <---[EAX]="67890"
00412A42 LEA     ECX, DWORD PTR SS:[ESP+14]
00412A46 MOV     BYTE PTR SS:[ESP+50], 4
00412A4B CALL    12.0046D842
00412A50 LEA     ECX, DWORD PTR SS:[ESP+18]
00412A54 MOV     BYTE PTR SS:[ESP+4C], 2
00412A59 CALL    12.0046D709
00412A5E LEA     ECX, DWORD PTR SS:[ESP+C]
00412A62 CALL    12.0046DC4F
00412A67 XOR     EAX, EAX
------------------------------------------
00412A69 MOV     DWORD PTR SS:[ESP+1C], 2
00412A71 MOV     DWORD PTR SS:[ESP+34], EAX
00412A75 MOV     DWORD PTR SS:[ESP+20], 6
00412A7D MOV     DWORD PTR SS:[ESP+38], EAX
00412A81 MOV     DWORD PTR SS:[ESP+24], -7
00412A89 MOV     DWORD PTR SS:[ESP+3C], EAX
00412A8D MOV     DWORD PTR SS:[ESP+28], 4
00412A95 MOV     DWORD PTR SS:[ESP+2C], -1
00412A9D MOV     DWORD PTR SS:[ESP+30], 8
00412AA5 MOV     DWORD PTR SS:[ESP+40], EAX
-------------------------------------------
This block assigns the values 2, 6, -7, 4, -1, 8 to consecutive memory cells at [ESP+1C]
00412AA9 LEA     EDI, DWORD PTR SS:[ESP+1C]
00412AAD /MOV     ECX, DWORD PTR SS:[ESP+C]
00412AB1 |MOV     DL, BYTE PTR DS:[EDI]
                 <---[EDI] holds the first of the values assigned above, DL=02
00412AB3 |MOV     AL, BYTE PTR DS:[ESI+ECX]
                 <---[ESI+ECX] holds the first 5 characters of the registration code, "54321"
                 ESI is the index; on the first pass AL=35
00412AB6 |ADD     AL, DL
                 <---AL=35+2=37
00412AB8 |CMP     AL, 30
00412ABA |MOV     BYTE PTR SS:[ESP+14], AL
                 <---the result is stored in [ESP+14]
--------------------------------------
00412ABE |JGE     SHORT 12.00412AC6
00412AC0 |ADD     AL, 0A
00412AC2 |MOV     BYTE PTR SS:[ESP+14], AL
00412AC6 |CMP     AL, 39
00412AC8 |JLE     SHORT 12.00412AD0
00412ACA |ADD     AL, 0F6
-------------------------------------
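If the result above is less than 30, 0AH is added to it before it is stored in [ESP+14];
if the sum is greater than 39, 0F6H is added to it before it is stored in [ESP+14];
if it lies between 30 and 39 it is stored in [ESP+14] directly.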
00412ACC |MOV     BYTE PTR SS:[ESP+14], AL
00412AD0 |MOV     EDX, DWORD PTR SS:[ESP+14]
00412AD4 |LEA     ECX, DWORD PTR SS:[ESP+C]
00412AD8 |PUSH    EDX
00412AD9 |PUSH    ESI
00412ADA |CALL    12.0046DC61
                 <---Hex--->Char, e.g. "37"--->7
00412ADF |INC     ESI
00412AE0 |ADD     EDI, 4
00412AE3 |CMP     ESI, 5
00412AE6 /JL      SHORT 12.00412AAD
                 <---after the loop finishes, D EAX shows "70660"
00412AE8 LEA     ECX, DWORD PTR SS:[ESP+C]
00412AEC CALL    12.0046DC4F
                <---reverse the string, "70660"--->"06607"
00412AF1 MOV     ESI, DWORD PTR SS:[ESP+10]
                <---[ESP+10] holds the last 5 characters of the registration code, "67890"
00412AF5 MOV     EAX, DWORD PTR SS:[ESP+C]
                <---[ESP+C] holds the reversed string "06607"
--------------------
00412AF9 /MOV     DL, BYTE PTR DS:[EAX]
00412AFB |MOV     BL, BYTE PTR DS:[ESI]
00412AFD |MOV     CL, DL
00412AFF |CMP     DL, BL
00412B01 |JNZ     SHORT 12.00412B21
00412B03 |TEST    CL, CL
00412B05 |JE      SHORT 12.00412B1D
00412B07 |MOV     DL, BYTE PTR DS:[EAX+1]
00412B0A |MOV     BL, BYTE PTR DS:[ESI+1]
00412B0D |MOV     CL, DL
00412B0F |CMP     DL, BL
00412B11 |JNZ     SHORT 12.00412B21
00412B13 |ADD     EAX, 2
00412B16 |ADD     ESI, 2
00412B19 |TEST    CL, CL
00412B1B /JNZ     SHORT 12.00412AF9
--------------------
Heh, this is such a classic that I won't annotate it!
00412B1D XOR     EAX, EAX
                <---EAX=0
00412B1F JMP     SHORT 12.00412B26
00412B21 SBB     EAX, EAX
                <---EAX=FFFFFFFF
00412B23 SBB     EAX, -1
                <---EAX=FFFFFFFF!
00412B26 POP     EDI                                      
00412B27 POP     EBX                                      
00412B28 TEST    EAX, EAX
00412B2A MOV     BYTE PTR SS:[ESP+44], 1
00412B2F LEA     ECX, DWORD PTR SS:[ESP+8]
00412B33 JE      SHORT 12.00412B6B
                <---this jump must be taken!
00412B35 CALL    12.0046D709
00412B3A LEA     ECX, DWORD PTR SS:[ESP+4]
00412B3E MOV     BYTE PTR SS:[ESP+44], 0
00412B43 CALL    12.0046D709
00412B48 LEA     ECX, DWORD PTR SS:[ESP+4C]
00412B4C MOV     DWORD PTR SS:[ESP+44], -1
00412B54 CALL    12.0046D709
00412B59 XOR     EAX, EAX
                <---EAX=0
00412B5B POP     ESI                                      
00412B5C MOV     ECX, DWORD PTR SS:[ESP+38]
00412B60 MOV     DWORD PTR FS:[0], ECX
00412B67 ADD     ESP, 44
00412B6A RETN
00412B6B CALL    12.0046D709
00412B70 LEA     ECX, DWORD PTR SS:[ESP+4]
00412B74 MOV     BYTE PTR SS:[ESP+44], 0
00412B79 CALL    12.0046D709
00412B7E LEA     ECX, DWORD PTR SS:[ESP+4C]
00412B82 MOV     DWORD PTR SS:[ESP+44], -1
00412B8A CALL    12.0046D709
00412B8F MOV     ECX, DWORD PTR SS:[ESP+3C]
00412B93 MOV     EAX, 1
                <---EAX=1, and at this point we are done!
00412B98 POP     ESI                                    
00412B99 MOV     DWORD PTR FS:[0], ECX
00412BA0 ADD     ESP, 44
00412BA3 RETN

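Summary: the registration code is independent of the user name! The registration code must be 10 characters long. If the first 5 characters are abcde, the last 5 can be
derived from them: the hex values of a, b, c, d, e are added to -1, 4, -7, 6, 2 respectively, giving the sums a1, b1, c1,
d1, e1.
if (a1>0x39)  a1=(a1+0xF6)&0xFF;
 else if(a1<0x30) a1=a1+0x0A;
m1=a1;
Continuing in the same way gives the hex values of the last five characters of the registration code.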

Working registration code:
User name: ShenGe[BCG]
Registration code: 1234506607

After a successful registration the program saves the registration information in the GreenBrowser.ini file in the installation folder.

                                                     Cracked By ShenGe[BCG] 
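
The check traced above, written out as a C model. This is an added example, not code from the original post or from GreenBrowser; the names check_code, reverse5 and OFFSETS are assumptions. It makes the design weakness visible: the user name is never an input, and the routine only tests the code against itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-position offsets stored from [ESP+1C] on (00412A69..00412A95).
   The loop only reads the first five; the sixth value (8) is unused. */
static const int8_t OFFSETS[5] = { 2, 6, -7, 4, -1 };

/* Model of the call to 0046DC4F, which the trace shows reversing a string. */
static void reverse5(char *s) {
    for (int i = 0; i < 2; i++) {
        char t = s[i];
        s[i] = s[4 - i];
        s[4 - i] = t;
    }
}

/* Model of the routine at 00412990: returns 1 if the code is accepted.
   Note the signature: there is no user-name parameter at all. */
int check_code(const char *code) {
    char buf[6];
    if (strlen(code) != 10)                 /* CMP EAX, 0A */
        return 0;
    memcpy(buf, code, 5);                   /* first five characters */
    buf[5] = '\0';
    reverse5(buf);                          /* call at 00412A62: "12345" -> "54321" */
    for (int i = 0; i < 5; i++) {
        int8_t al = (int8_t)(buf[i] + OFFSETS[i]);  /* ADD AL, DL */
        if (al < 0x30)                      /* JGE not taken */
            al = (int8_t)(al + 0x0A);
        if (al > 0x39)                      /* JLE not taken */
            al = (int8_t)(al - 10);         /* ADD AL, 0F6 in 8-bit arithmetic */
        buf[i] = (char)al;                  /* call at 00412ADA writes it back */
    }
    reverse5(buf);                          /* call at 00412AEC: "70660" -> "06607" */
    return strcmp(buf, code + 5) == 0;      /* inline compare at 00412AF9 */
}

int main(void) {
    /* The two codes that appear in the write-up. */
    printf("1234567890 -> %d\n", check_code("1234567890"));
    printf("1234506607 -> %d\n", check_code("1234506607"));
    return 0;
}
```

Because the second half is a fixed function of the first half, the scheme carries no secret and no binding to a licensee; a check that is meant to resist this kind of analysis has to verify something the client binary cannot compute on its own, such as a signature over the user name.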
