
[转帖]XXXX专家 X.0 简单算法分析

【破解日期】 2006年11月10日 【破解作者】 冷血书生 【作者邮箱】 meiyou 【作者主页】 hxxp://www.126sohu.com 【使用工具】 OD 【破解平台】 Win9x/NT/2000/XP 【软件名称】 XXXX专家 X.0 【下载地址】 略 【软件简介】 XXXX专家 X.0 【软件大小】 710KB 【加壳方式】 无 【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:) -------------------------------------------------------------------------------- 【破解内容】 CODE:[Copy to clipboard]004DA467 mov eax,dword ptr ss:[ebp-78] ; 识别码 004DA46A lea ecx,dword ptr ss:[ebp-A0] 004DA470 mov dword ptr ss:[ebp-88],eax 004DA476 lea eax,dword ptr ss:[ebp-90] 004DA47C push eax 004DA47D push ecx 004DA47E mov dword ptr ss:[ebp-78],edi 004DA481 mov dword ptr ss:[ebp-90],8 004DA48B call dword ptr ds:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar 004DA491 lea edx,dword ptr ss:[ebp-A0] 004DA497 lea ecx,dword ptr ss:[ebp-74] 004DA49A call esi 004DA49C lea edx,dword ptr ss:[ebp-80] 004DA49F lea eax,dword ptr ss:[ebp-7C] 004DA4A2 push edx 004DA4A3 push eax 004DA4A4 push 2 004DA4A6 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObjList 004DA4AC add esp,0C 004DA4AF lea ecx,dword ptr ss:[ebp-90] 004DA4B5 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVar 004DA4BB lea edx,dword ptr ss:[ebp-160] 004DA4C1 lea ecx,dword ptr ss:[ebp-90] 004DA4C7 mov dword ptr ss:[ebp-158],cardpro.00> 004DA4D1 mov dword ptr ss:[ebp-160],8 004DA4DB call dword ptr ds:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarDup 004DA4E1 push edi 004DA4E2 lea ecx,dword ptr ss:[ebp-90] 004DA4E8 push -1 004DA4EA lea edx,dword ptr ss:[ebp-74] 004DA4ED push ecx 004DA4EE lea eax,dword ptr ss:[ebp-78] 004DA4F1 push edx 004DA4F2 push eax 004DA4F3 call dword ptr ds:[<&MSVBVM60.__vbaSt>; MSVBVM60.__vbaStrVarVal 004DA4F9 lea ecx,dword ptr ss:[ebp-A0] 004DA4FF push eax ; 004DA500 push ecx 004DA501 call dword ptr ds:[<&MSVBVM60.#711>] ; MSVBVM60.rtcSplit 004DA507 lea edx,dword ptr ss:[ebp-A0] 004DA50D lea ecx,dword ptr ss:[ebp-64] 004DA510 call esi 004DA512 lea ecx,dword ptr ss:[ebp-78] 004DA515 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeStr 004DA51B lea ecx,dword ptr ss:[ebp-90] 
004DA521 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVar 004DA527 mov edx,dword ptr ds:[ebx] 004DA529 push ebx 004DA52A call dword ptr ds:[edx+304] 004DA530 push eax 004DA531 lea eax,dword ptr ss:[ebp-7C] 004DA534 push eax 004DA535 call dword ptr ds:[<&MSVBVM60.__vbaOb>; MSVBVM60.__vbaObjSet 004DA53B mov ebx,eax 004DA53D lea edx,dword ptr ss:[ebp-80] 004DA540 push edx 004DA541 push 2 004DA543 mov ecx,dword ptr ds:[ebx] 004DA545 push ebx 004DA546 call dword ptr ds:[ecx+40] 004DA549 cmp eax,edi 004DA54B fclex 004DA54D jge short cardpro.004DA55E 004DA54F push 40 004DA551 push cardpro.0040ABFC 004DA556 push ebx 004DA557 push eax 004DA558 call dword ptr ds:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj 004DA55E mov eax,dword ptr ss:[ebp-80] 004DA561 lea edx,dword ptr ss:[ebp-78] 004DA564 push edx 004DA565 push eax 004DA566 mov ecx,dword ptr ds:[eax] 004DA568 mov ebx,eax 004DA56A call dword ptr ds:[ecx+A0] 004DA570 cmp eax,edi 004DA572 fclex 004DA574 jge short cardpro.004DA588 004DA576 push 0A0 004DA57B push cardpro.0040ABEC 004DA580 push ebx 004DA581 push eax 004DA582 call dword ptr ds:[<&MSVBVM60.__vbaHr>; MSVBVM60.__vbaHresultCheckObj 004DA588 mov eax,dword ptr ss:[ebp-78] ; 004DA58B lea ecx,dword ptr ss:[ebp-A0] 004DA591 mov dword ptr ss:[ebp-88],eax 004DA597 lea eax,dword ptr ss:[ebp-90] 004DA59D mov ebx,8 004DA5A2 push eax 004DA5A3 push ecx 004DA5A4 mov dword ptr ss:[ebp-78],edi 004DA5A7 mov dword ptr ss:[ebp-90],ebx 004DA5AD call dword ptr ds:[<&MSVBVM60.#520>] ; MSVBVM60.rtcTrimVar 004DA5B3 lea edx,dword ptr ss:[ebp-A0] 004DA5B9 lea ecx,dword ptr ss:[ebp-54] 004DA5BC call esi 004DA5BE lea edx,dword ptr ss:[ebp-80] 004DA5C1 lea eax,dword ptr ss:[ebp-7C] 004DA5C4 push edx 004DA5C5 mov edi,2 004DA5CA push eax 004DA5CB push edi 004DA5CC call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObjList 004DA5D2 add esp,0C 004DA5D5 lea ecx,dword ptr ss:[ebp-90] 004DA5DB call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVar 004DA5E1 mov 
edx,dword ptr ss:[ebp-24] 004DA5E4 mov eax,dword ptr ss:[ebp-20] 004DA5E7 sub esp,10 004DA5EA mov ecx,esp 004DA5EC mov dword ptr ds:[ecx],edx 004DA5EE mov edx,dword ptr ss:[ebp-1C] 004DA5F1 mov dword ptr ds:[ecx+4],eax 004DA5F4 mov eax,dword ptr ss:[ebp-18] 004DA5F7 mov dword ptr ds:[ecx+8],edx 004DA5FA mov dword ptr ds:[ecx+C],eax 004DA5FD lea ecx,dword ptr ss:[ebp-90] 004DA603 push ecx 004DA604 call cardpro.004C5650 ; 004DA609 lea edx,dword ptr ss:[ebp-90] 004DA60F lea ecx,dword ptr ss:[ebp-44] 004DA612 call esi 004DA614 sub esp,10 004DA617 mov ecx,edi 004DA619 mov edx,esp 004DA61B mov dword ptr ss:[ebp-160],ecx 004DA621 mov eax,1 004DA626 push 1 004DA628 mov dword ptr ds:[edx],ecx 004DA62A mov ecx,dword ptr ss:[ebp-15C] 004DA630 mov dword ptr ss:[ebp-158],eax 004DA636 mov dword ptr ds:[edx+4],ecx 004DA639 lea ecx,dword ptr ss:[ebp-64] 004DA63C push ecx 004DA63D mov dword ptr ds:[edx+8],eax 004DA640 mov eax,dword ptr ss:[ebp-154] 004DA646 mov dword ptr ds:[edx+C],eax ; 004DA649 lea edx,dword ptr ss:[ebp-90] 004DA64F push edx 004DA650 call dword ptr ds:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarIndexLoad 004DA656 add esp,1C 004DA659 lea eax,dword ptr ss:[ebp-90] 004DA65F lea ecx,dword ptr ss:[ebp-180] 004DA665 lea edx,dword ptr ss:[ebp-A0] 004DA66B push eax 004DA66C push ecx 004DA66D push edx 004DA66E mov dword ptr ss:[ebp-B8],4 004DA678 mov dword ptr ss:[ebp-C0],edi 004DA67E mov dword ptr ss:[ebp-178],5 004DA688 mov dword ptr ss:[ebp-180],edi 004DA68E call dword ptr ds:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarDiv /// 识别码中间部分/5 004DA694 mov edx,eax 004DA696 lea ecx,dword ptr ss:[ebp-B0] 004DA69C call esi 004DA69E lea eax,dword ptr ss:[ebp-C0] 004DA6A4 lea ecx,dword ptr ss:[ebp-B0] 004DA6AA push eax 004DA6AB push edi 004DA6AC lea edx,dword ptr ss:[ebp-D0] 004DA6B2 push ecx 004DA6B3 push edx 004DA6B4 call dword ptr ds:[<&MSVBVM60.#632>] ; MSVBVM60.rtcMidCharVar 004DA6BA mov dword ptr ss:[ebp-198],65 ; 固定字符串 004DA6C4 lea eax,dword ptr ss:[ebp-44] ; 004DA6C7 push 3 004DA6C9 
lea ecx,dword ptr ss:[ebp-100] 004DA6CF mov dword ptr ss:[ebp-1B0],ebx 004DA6D5 mov ebx,dword ptr ds:[<&MSVBVM60.#617>; MSVBVM60.rtcLeftCharVar 004DA6DB push eax ; 从左边开始取 004DA6DC push ecx 004DA6DD mov dword ptr ss:[ebp-1A0],edi 004DA6E3 mov dword ptr ss:[ebp-1A8],cardpro.00> 004DA6ED call ebx ; 取用户名第一位 004DA6EF lea edx,dword ptr ss:[ebp-44] ; 004DA6F2 push 4 004DA6F4 lea eax,dword ptr ss:[ebp-130] 004DA6FA push edx 004DA6FB push eax 004DA6FC mov dword ptr ss:[ebp-1B8],8 004DA706 mov dword ptr ss:[ebp-1C0],edi 004DA70C call ebx 004DA70E mov ebx,dword ptr ds:[<&MSVBVM60.__vb>; 取用户名第一位和第二位 004DA714 lea ecx,dword ptr ss:[ebp-D0] 004DA71A lea edx,dword ptr ss:[ebp-1A0] 004DA720 push ecx 004DA721 lea eax,dword ptr ss:[ebp-E0] 004DA727 push edx 004DA728 push eax 004DA729 mov dword ptr ss:[ebp-1C8],edi 004DA72F mov dword ptr ss:[ebp-1D0],edi 004DA735 call ebx ; 固定字符串101*A 004DA737 mov edi,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaVarCat 004DA73D lea ecx,dword ptr ss:[ebp-1B0] 004DA743 push eax 004DA744 lea edx,dword ptr ss:[ebp-F0] 004DA74A push ecx 004DA74B push edx 004DA74C call edi 004DA74E push eax 004DA74F lea eax,dword ptr ss:[ebp-100] 004DA755 lea ecx,dword ptr ss:[ebp-1C0] 004DA75B push eax 004DA75C lea edx,dword ptr ss:[ebp-110] 004DA762 push ecx 004DA763 push edx 004DA764 call ebx ;8*(用户名第一位)D 004DA766 push eax 004DA767 lea eax,dword ptr ss:[ebp-120] 004DA76D push eax 004DA76E call edi 004DA770 lea ecx,dword ptr ss:[ebp-130] 004DA776 push eax 004DA777 lea edx,dword ptr ss:[ebp-1D0] 004DA77D push ecx 004DA77E lea eax,dword ptr ss:[ebp-140] 004DA784 push edx 004DA785 push eax 004DA786 call ebx ; 2*(用户名第一位和第二位)D的前四位 004DA788 lea ecx,dword ptr ss:[ebp-150] 004DA78E push eax 004DA78F push ecx 004DA790 call edi 004DA792 mov edx,eax 004DA794 lea ecx,dword ptr ss:[ebp-34] 004DA797 call esi ; 不要以为不是明码,其实进去就可以看见了,呵呵 004DA799 lea edx,dword ptr ss:[ebp-120] 004DA79F lea eax,dword ptr ss:[ebp-130] 004DA7A5 push edx 004DA7A6 lea ecx,dword ptr ss:[ebp-F0] 004DA7AC push eax 
004DA7AD lea edx,dword ptr ss:[ebp-100] 004DA7B3 push ecx 004DA7B4 lea eax,dword ptr ss:[ebp-D0] 004DA7BA push edx 004DA7BB lea ecx,dword ptr ss:[ebp-C0] 004DA7C1 push eax 004DA7C2 lea edx,dword ptr ss:[ebp-B0] 004DA7C8 push ecx 004DA7C9 lea eax,dword ptr ss:[ebp-90] 004DA7CF push edx 004DA7D0 push eax 004DA7D1 push 8 004DA7D3 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeVarList 004DA7D9 add esp,24 004DA7DC mov ecx,dword ptr ss:[ebp+C] 004DA7DF movsx eax,word ptr ds:[ecx] 004DA7E2 sub eax,0 004DA7E5 je cardpro.004DAB50 004DA7EB dec eax 004DA7EC je cardpro.004DA8DA 004DA7F2 dec eax 004DA7F3 jnz cardpro.004DAD2A 004DA7F9 mov eax,dword ptr ds:[4E1740] 004DA7FE test eax,eax 004DA800 jnz short cardpro.004DA816 004DA802 mov ebx,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaNew2 004DA808 push cardpro.004E1740 004DA80D push cardpro.0040B3DC 004DA812 call ebx 004DA814 jmp short cardpro.004DA81C 004DA816 mov ebx,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaNew2 004DA81C mov edx,dword ptr ss:[ebp+8] 004DA81F mov esi,dword ptr ds:[4E1740] 004DA825 lea eax,dword ptr ss:[ebp-7C] 004DA828 push edx 004DA829 mov edi,dword ptr ds:[esi] 004DA82B push eax 004DA82C call dword ptr ds:[<&MSVBVM60.__vbaOb>; MSVBVM60.__vbaObjSetAddref 004DA832 push eax 004DA833 push esi 004DA834 call dword ptr ds:[edi+10] 004DA837 test eax,eax 004DA839 fclex 004DA83B jge short cardpro.004DA850 004DA83D mov edi,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaHresultCheckObj 004DA843 push 10 004DA845 push cardpro.0040B3CC 004DA84A push esi 004DA84B push eax 004DA84C call edi 004DA84E jmp short cardpro.004DA856 004DA850 mov edi,dword ptr ds:[<&MSVBVM60.__vb>; MSVBVM60.__vbaHresultCheckObj 004DA856 lea ecx,dword ptr ss:[ebp-7C] 004DA859 call dword ptr ds:[<&MSVBVM60.__vbaFr>; MSVBVM60.__vbaFreeObj 004DA85F mov eax,dword ptr ds:[4E1010] 004DA864 test eax,eax 004DA866 jnz short cardpro.004DA874 004DA868 push cardpro.004E1010 004DA86D push cardpro.0040DBB0 004DA872 call ebx 004DA874 mov esi,dword ptr 
ds:[4E1010] 004DA87A push -1 004DA87C push esi 004DA87D mov ecx,dword ptr ds:[esi] 004DA87F call dword ptr ds:[ecx+94] 004DA885 test eax,eax 004DA887 fclex 004DA889 jge short cardpro.004DA899 004DA88B push 94 004DA890 push cardpro.00409DCC 004DA895 push esi 004DA896 push eax 004DA897 call edi 004DA899 mov eax,dword ptr ds:[4E1010] 004DA89E test eax,eax 004DA8A0 jnz short cardpro.004DA8AE 004DA8A2 push cardpro.004E1010 004DA8A7 push cardpro.0040DBB0 004DA8AC call ebx 004DA8AE mov esi,dword ptr ds:[4E1010] 004DA8B4 push esi 004DA8B5 mov edx,dword ptr ds:[esi] 004DA8B7 call dword ptr ds:[edx+2A8] 004DA8BD test eax,eax 004DA8BF fclex 004DA8C1 jge cardpro.004DAD2A 004DA8C7 push 2A8 004DA8CC push cardpro.00409DCC 004DA8D1 push esi 004DA8D2 push eax 004DA8D3 call edi 004DA8D5 jmp cardpro.004DAD2A 004DA8DA lea eax,dword ptr ss:[ebp-54] 004DA8DD lea ecx,dword ptr ss:[ebp-34] 004DA8E0 push eax 004DA8E1 push ecx 004DA8E2 call dword ptr ds:[<&MSVBVM60.__vbaVa>; MSVBVM60.__vbaVarTstNe 004DA8E8 test ax,ax 004DA8EB je cardpro.004DA9E9 ; 爆破点 004DA8F1 lea edx,dword ptr ss:[ebp-90] 004DA8F7 push 0D //////////////////////////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////////////////////////// 算法总结: 1) 识别码中间部分/5,取其2--5位,记为A 1) 固定字符串101*A = B 2) 8*(用户名第一位)D=C 3) 2*(用户名第一位和第二位)D的前四位=D 4) "B" - "CD" = 注册码
