2005/05/30 | Crack: 小小工具盒 1.2
Category (software cracking and hacking techniques) | Comments (2) | Views (134) | Posted at 11:24
Software: 小小工具盒 (Little Toolbox) 1.2

Download: http://www.shareware.cn/pub/826.html

Description:
A convenient yet powerful little toolbox; with it, your system immediately gains the following features:

1. Quick folder access - no more opening My Computer and drilling down step by step to reach a folder you use all the time. For D:\Picture, for example, you normally have to open My Computer, then drive D, then Picture; tedious.
2. Scheduled shutdown - automatically shut down, restart or log off at a set time or after an interval, so you can walk away with peace of mind.
3. System password lock - lock the computer with a hotkey and refuse others access, for better protection of your computer.
4. Password reveal - show the real contents of passwords that the system displays as "***".
5. Process management - lists every running process with its path and lets you terminate it, helping you find and remove trojans and other unsafe programs; feel like a pro.
6. Windows window management - show, hide, close or quit every window on your system; you decide what the windows do.
7. Quick launch for common software - set up a shortcut menu for the programs you run often, for convenient management.
8. Boss key - quickly hide/show the windows you have chosen (several supported) with a hotkey; nobody notices, so how would the boss know what you were doing, heh heh.
9. Other features - disable/enable the desktop, eject/close the CD-ROM tray, and so on.

Cracked by: wofan[OCN], of the 网眼天下 (Wangyan Tianxia) cracking group

Registration name: wofan
Registration code: 123456
Real registration code: a3UTt2V>13a-9/JW


No packer; compiled with Microsoft Visual C++ 6.0

00404F92 . 8B1D ACA14000 mov ebx,dword ptr ds:[<&USER32.GetWind>; |USER32.GetWindowTextA
00404F98 . 50 push eax ; |hWnd
00404F99 . FFD3 call ebx ; \GetWindowTextA ***returns the length of the registration name wofan, 5, in EAX
00404F9B . 8D85 00FFFFFF lea eax,dword ptr ss:[ebp-100]
00404FA1 . 56 push esi ; /Count => 80 (128.)
00404FA2 . 50 push eax ; |Buffer
00404FA3 . 68 15040000 push 415 ; |/ControlID = 415 (1045.)
00404FA8 . FF75 08 push dword ptr ss:[ebp+8] ; ||hWnd
00404FAB . FFD7 call edi ; |\GetDlgItem
00404FAD . 50 push eax ; |hWnd
00404FAE . FFD3 call ebx ; \GetWindowTextA ***returns the length of the registration code 123456, 6, in EAX
00404FB0 . 8D85 00FFFFFF lea eax,dword ptr ss:[ebp-100] ***registration code: 123456
00404FB6 . 50 push eax
00404FB7 . 8D45 80 lea eax,dword ptr ss:[ebp-80] ***registration name: wofan
00404FBA . 50 push eax
00404FBB . E8 BC040000 call ToolBox.0040547C ***step into (F7) to see the algorithm call****
00404FC0 . 59 pop ecx
00404FC1 . A3 64FC4000 mov dword ptr ds:[40FC64],eax
00404FC6 . 85C0 test eax,eax
00404FC8 . 59 pop ecx
00404FC9 . 0F84 9A000000 je ToolBox.00405069
00404FCF . 8D45 80 lea eax,dword ptr ss:[ebp-80]
00404FD2 . 50 push eax ; /String2
00404FD3 . 68 E4FB4000 push ToolBox.0040FBE4 ; |String1 = ToolBox.0040FBE4
00404FD8 . FF15 18A14000 call dword ptr ds:[<&KERNEL32.lstrcpyA>; \lstrcpyA
00404FDE . 33D2 xor edx,edx
00404FE0 > 8A4415 80 mov al,byte ptr ss:[ebp+edx-80]
00404FE4 . 8D4C15 80 lea ecx,dword ptr ss:[ebp+edx-80]
00404FE8 . 84C0 test al,al
00404FEA . 74 09 je short ToolBox.00404FF5
00404FEC . 2C 02 sub al,2
00404FEE . 42 inc edx
00404FEF . 3BD6 cmp edx,esi
00404FF1 . 8801 mov byte ptr ds:[ecx],al
00404FF3 .^ 7C EB jl short ToolBox.00404FE0
00404FF5 > 33D2 xor edx,edx
00404FF7 > 8A8415 00FFFFFF mov al,byte ptr ss:[ebp+edx-100]
00404FFE . 8D8C15 00FFFFFF lea ecx,dword ptr ss:[ebp+edx-100]
00405005 . 84C0 test al,al
00405007 . 74 09 je short ToolBox.00405012
00405009 . FEC8 dec al
0040500B . 42 inc edx
0040500C . 3BD6 cmp edx,esi
0040500E . 8801 mov byte ptr ds:[ecx],al
00405010 .^ 7C E5 jl short ToolBox.00404FF7
00405012 > 8B35 38A14000 mov esi,dword ptr ds:[<&KERNEL32.Write>; kernel32.WritePrivateProfileStringA
00405018 . BB D4F94000 mov ebx,ToolBox.0040F9D4 ; ASCII "F:\小小工具盒\ToolBox.ini"
0040501D . 8D45 80 lea eax,dword ptr ss:[ebp-80]
00405020 . 53 push ebx ; /FileName => "F:\小小工具盒\ToolBox.ini"
00405021 . 50 push eax ; |String
00405022 . BF E0C04000 mov edi,ToolBox.0040C0E0 ; |ASCII "Set"
00405027 . 68 B0C54000 push ToolBox.0040C5B0 ; |Key = "am"
0040502C . 57 push edi ; |Section => "Set"
0040502D . FFD6 call esi ; \WritePrivateProfileStringA
0040502F . 8D85 00FFFFFF lea eax,dword ptr ss:[ebp-100]
00405035 . 53 push ebx ; /FileName => "F:\小小工具盒\ToolBox.ini"
00405036 . 50 push eax ; |String
00405037 . 68 ACC54000 push ToolBox.0040C5AC ; |Key = "bm"
0040503C . 57 push edi ; |Section => "Set"
0040503D . FFD6 call esi ; \WritePrivateProfileStringA
0040503F . 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00405041 . 68 64C44000 push ToolBox.0040C464 ; |Title = "恭喜"
00405046 . 68 74C64000 push ToolBox.0040C674 ; |Text = "注册成功! 谢谢您的支持!"
0040504B . FF75 08 push dword ptr ss:[ebp+8] ; |hOwner
0040504E . FF15 08A24000 call dword ptr ds:[<&USER32.MessageBox>; \MessageBoxA
00405054 . 6A 01 push 1
00405056 > FF75 08 push dword ptr ss:[ebp+8] ; |hWnd
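The two loops at 00404FDE-00405010 above rewrite the accepted name and code in place before WritePrivateProfileStringA stores them in ToolBox.ini under [Set] as am= and bm=: the name loop runs sub al,2 on every byte and the code loop dec al, both stopping at the first NUL or after ESI = 0x80 bytes. The following Python is an added example, not code from the page or from ToolBox, and its names are ours; it replays both loops and their inverse to show that the stored values are recoverable by anyone who can read the .ini file.

```python
"""
Added example (not the program's code; names are ours): the name/code
transform performed at 00404FDE-00405010 before the values are written to
ToolBox.ini ([Set] am= / bm=), plus its inverse.
"""

BUFFER_LIMIT = 0x80  # ESI, the Count that was passed to GetWindowTextA


def shift_bytes(data: bytes, delta: int) -> bytes:
    """Replay the loop: every byte becomes (byte + delta) mod 256 until a NUL
    byte (test al,al / je) or BUFFER_LIMIT bytes (cmp edx,esi / jl)."""
    out = bytearray()
    for b in data[:BUFFER_LIMIT]:
        if b == 0:
            break
        out.append((b + delta) & 0xFF)  # 8-bit arithmetic in AL
    return bytes(out)


def stored_ini_values(name: str, code: str) -> dict:
    """What the program writes: am = name with each byte - 2, bm = code - 1."""
    return {
        "am": shift_bytes(name.encode("ascii"), -2),
        "bm": shift_bytes(code.encode("ascii"), -1),
    }


def recover_from_ini(values: dict) -> tuple:
    """Undo the two shifts; no secret is involved."""
    return (shift_bytes(values["am"], 2).decode("ascii"),
            shift_bytes(values["bm"], 1).decode("ascii"))


if __name__ == "__main__":
    # name and real code taken from the page
    stored = stored_ini_values("wofan", "a3UTt2V>13a-9/JW")
    for key, raw in stored.items():
        print(f"{key}={raw.decode('latin-1')}")
    print(recover_from_ini(stored))
```

A constant byte shift is a substitution, not encryption: the stored strings leak the accepted name and code to anyone with file access, and a name containing 0x01 or 0x02 would shift to 0xFF or NUL and be truncated by the INI API, which the model above keeps visible as raw bytes.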




***Step into (F7) to see the algorithm call****
……
00405488 |. 33F6 xor esi,esi ****ESI = 0
0040548A |. 57 push edi
0040548B |. 8975 FC mov dword ptr ss:[ebp-4],esi dword ptr ss:[ebp-4]=0
0040548E |. C745 F8 01000000 mov dword ptr ss:[ebp-8],1 dword ptr ss:[ebp-8]=1
00405495 |. E8 360C0000 call ToolBox.004060D0 ****registration name length, 5, into EAX
0040549A |. 83F8 04 cmp eax,4 ****the registration name may not be shorter than 4 characters!!!
0040549D |. 59 pop ecx ****registration name
0040549E |. 8945 F0 mov dword ptr ss:[ebp-10],eax ****save the name length
004054A1 |. 7D 06 jge short ToolBox.004054A9 *****name length 5 > 4; the name must be at least four characters!
004054A3 |. 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
004054A6 |. 8021 00 and byte ptr ds:[ecx],0
004054A9 |> 8A5D 0F mov bl,byte ptr ss:[ebp+F] ***at this point BL=0
004054AC |. 3BC6 cmp eax,esi
004054AE |. 0F8E 15010000 jle ToolBox.004055C9
004054B4 |> 83F8 08 /cmp eax,8 ****name length 5 <= 8, so jump to 004054C1
004054B7 |. 7E 08 |jle short ToolBox.004054C1
004054B9 |. 83FE 05 |cmp esi,5
004054BC |. 7E 03 |jle short ToolBox.004054C1
004054BE |. 8D70 FE |lea esi,dword ptr ds:[eax-2]
004054C1 |> 8D4E 01 |lea ecx,dword ptr ds:[esi+1] ****here ECX=ESI+1=1
004054C4 |. 33D2 |xor edx,edx *****clear EDX
004054C6 |. 3BC8 |cmp ecx,eax
004054C8 |. 8D45 DC |lea eax,dword ptr ss:[ebp-24]
004054CB |. 6A 24 |push 24 ; /Arg3 = 00000024 ****push the number 24
004054CD |. 50 |push eax ; |Arg2
004054CE |. 0FB6043E |movzx eax,byte ptr ds:[esi+edi] ; | ****the usual handling of the name's ASCII codes; first char w (77)
004054D2 |. 0F9CC2 |setl dl ; | *****setl dl: DL=1
004054D5 |. 50 |push eax ; |Arg1
004054D6 |. 8955 EC |mov dword ptr ss:[ebp-14],edx ; | *****"let's look at it"*******: the call yields 62, the first code char's ASCII + 1, so the first code char is a (61) and the second is 3 (33)
004054D9 |. E8 CB0E0000 |call ToolBox.004063A9 ; \ToolBox.004063A9
004054DE |. 83C4 0C |add esp,0C
004054E1 |. 837D EC 00 |cmp dword ptr ss:[ebp-14],0
004054E5 |. 74 1D |je short ToolBox.00405504
004054E7 |. 8D45 D0 |lea eax,dword ptr ss:[ebp-30] ******"3b"
004054EA |. 6A 24 |push 24 ; /Arg3 = 00000024
004054EC |. 50 |push eax ; |Arg2
004054ED |. 0FB6443E 01 |movzx eax,byte ptr ds:[esi+edi+1] ; | ****second char: o (6F)
004054F2 |. 50 |push eax ; |Arg1
004054F3 |. E8 B10E0000 |call ToolBox.004063A9 ; \ToolBox.004063A9 ****handled by the same call; yields the table-lookup inputs for code chars 3 and 4: 3 (33), 3 (33)
********************************************************
wofan

77 div 24=3 -------- remainder B
B>9, so B+57=62 (stored at 0012EF3C)
3<>0
3 div 24=0 -------- remainder 3
3<9, so 3+30=33 (stored at 0012EF3D)
Result: 3b *****the first code char is a, the second is 3



6F div 24=3 -------- remainder 3
3<9, so 3+30=33 (stored at 0012EF3C)
3<>0
3 div 24=0 -------- remainder 3
3<9, so 3+30=33 (stored at 0012EF3D)
0=0, loop ends!
Then the storage positions are swapped, giving 33, which is the table-lookup key!!! Looking up 3's ASCII code 33 in the table gives 57; the third code char is 57-2=55 (U), the fourth 57-3=54 (T)



66 div 24=00000002 r 0000001E
1E>9, so 1E+57=75 *******u ****the 5th code char is t: 75-1=74 (t)
2<>0
2 div 24=00000000 r 00000002
2<9, so 2+30=32 *******2 *****the 6th code char is 2
Then swap positions, giving 2u


61 div 24=00000002 r 00000019
19>9, so 19+57=70 *****p
2<>0
2 div 24=00000000 r 00000002
2<9, so 2+30=32 ******2
Result: 2p, uppercased to 2P for the table lookup; 32 corresponds to 58 in the table, 58-2=56 (V) is the seventh code char; P (50) corresponds to 41 (A), 41-3=3E (>), so the eighth code char is >


6E div 24=00000003 r 00000002
2<9, so 2+30=32 *******2
3<>0
3 div 24=00000000 r 00000003
3<9, so 3+30=33 ********3
Result: 32 ********the ninth code char is 32-1=31 (1), the tenth is 3


*********************************************************
004054F8 |. 83C4 0C |add esp,0C
004054FB |. C745 F4 04000000 |mov dword ptr ss:[ebp-C],4 ******dword ptr ss:[ebp-C]=4 (remember this!!)
00405502 |. EB 07 |jmp short ToolBox.0040550B
00405504 |> C745 F4 02000000 |mov dword ptr ss:[ebp-C],2
0040550B |> 33C0 |xor eax,eax
0040550D |. 3945 F4 |cmp dword ptr ss:[ebp-C],eax
00405510 |. 8945 E8 |mov dword ptr ss:[ebp-18],eax
00405513 |. 0F8E A2000000 |jle ToolBox.004055BB
00405519 |> 83E8 00 |/sub eax,0 ; Switch (cases 0..3)
0040551C |. 74 57 ||je short ToolBox.00405575
0040551E |. 48 ||dec eax
0040551F |. 74 44 ||je short ToolBox.00405565
00405521 |. 48 ||dec eax
00405522 |. 74 22 ||je short ToolBox.00405546
00405524 |. 48 ||dec eax
00405525 |. 75 53 ||jnz short ToolBox.0040557A
00405527 |. 8D45 D0 ||lea eax,dword ptr ss:[ebp-30] ; Case 3 of switch 00405519
0040552A |. 50 ||push eax
0040552B |. E8 04090000 ||call ToolBox.00405E34
00405530 |. 0FBE45 D1 ||movsx eax,byte ptr ss:[ebp-2F]
00405534 |. 6A 01 ||push 1
00405536 |. 50 ||push eax
00405537 |. E8 6DFCFFFF ||call ToolBox.004051A9 *******if code chars 1, 2 and 3 are correct, the table lookup yields 57, the fourth code char's ASCII + 3
0040553C |. 8BD8 ||mov ebx,eax
0040553E |. 83C4 0C ||add esp,0C
00405541 |. 80EB 03 ||sub bl,3 ******subtract 3 to get the 4th code char, 54 (T)
00405544 |. EB 34 ||jmp short ToolBox.0040557A
00405546 |> 8D45 DC ||lea eax,dword ptr ss:[ebp-24] ; Case 2 of switch 00405519 (case 2: third code char)
00405549 |. 50 ||push eax
0040554A |. E8 E5080000 ||call ToolBox.00405E34 ********if code chars 1 and 2 are correct we arrive here; this call is worth a look too: it converts the letter in 3b to uppercase, 3B, for the table lookup********
0040554F |. 0FBE45 DC ||movsx eax,byte ptr ss:[ebp-24]
00405553 |. 6A 01 ||push 1
00405555 |. 50 ||push eax
00405556 |. E8 4EFCFFFF ||call ToolBox.004051A9 *****table lookup; yields 57, the intermediate value for the 3rd code char
0040555B |. 8BD8 ||mov ebx,eax
0040555D |. 83C4 0C ||add esp,0C
00405560 |. 80EB 02 ||sub bl,2 *******BL=BL-2=57-2=55 (U), the third code char!!
00405563 |. EB 15 ||jmp short ToolBox.0040557A
00405565 |> 837D EC 00 ||cmp dword ptr ss:[ebp-14],0 ; Case 1 of switch 00405519 (case 1: second code char)
00405569 |. 74 05 ||je short ToolBox.00405570
0040556B |. 8A5D D0 ||mov bl,byte ptr ss:[ebp-30] ****second code char 3 (33)
0040556E |. EB 0A ||jmp short ToolBox.0040557A
00405570 |> 8A5D DC ||mov bl,byte ptr ss:[ebp-24]
00405573 |. EB 05 ||jmp short ToolBox.0040557A
00405575 |> 8A5D DD ||mov bl,byte ptr ss:[ebp-23] ; Case 0 of switch 00405519 (case 0: first code char) *****byte ptr ss:[ebp-23]=62
00405578 |. FECB ||dec bl *****(62-1=61 (a), the first code char)
0040557A |> 84DB ||test bl,bl ; Default case of switch 00405519 ****test it
0040557C |. 75 19 ||jnz short ToolBox.00405597
0040557E |. 837D F8 00 ||cmp dword ptr ss:[ebp-8],0
00405582 |. 0F94C3 ||sete bl
00405585 |. 4B ||dec ebx
00405586 |. 33C0 ||xor eax,eax
00405588 |. 83E3 E0 ||and ebx,FFFFFFE0
0040558B |. 83C3 61 ||add ebx,61
0040558E |. 3945 F8 ||cmp dword ptr ss:[ebp-8],eax
00405591 |. 0F94C0 ||sete al
00405594 |. 8945 F8 ||mov dword ptr ss:[ebp-8],eax
00405597 |> 8B45 0C ||mov eax,dword ptr ss:[ebp+C] ******BL is nonzero, so we land here; the fake code 123456
0040559A |. 8B4D FC ||mov ecx,dword ptr ss:[ebp-4] ****************************33
0040559D |. FF45 FC ||inc dword ptr ss:[ebp-4]
004055A0 |. 8A0401 ||mov al,byte ptr ds:[ecx+eax] *****first char of the fake code is 1 (31)
004055A3 |. 3AC3 ||cmp al,bl *****compare!! the first real char is a (61)
004055A5 |. 0F85 1F010000 ||jnz ToolBox.004056CA *****if they differ it is definitely over; patch point #1, NOP it!!!******************
004055AB |. 8B45 E8 ||mov eax,dword ptr ss:[ebp-18] ****first pass: EAX=dword ptr ss:[ebp-18]=0
004055AE |. 40 ||inc eax ****EAX=EAX+1=1
004055AF |. 3B45 F4 ||cmp eax,dword ptr ss:[ebp-C] ****see: dword ptr ss:[ebp-C]=4; four code chars are handled per round
004055B2 |. 8945 E8 ||mov dword ptr ss:[ebp-18],eax ****dword ptr ss:[ebp-18]=EAX
004055B5 |.^ 0F8C 5EFFFFFF |\jl ToolBox.00405519
004055BB |> 8B45 F0 |mov eax,dword ptr ss:[ebp-10]
004055BE |. 46 |inc esi ***ESI+2=2
004055BF |. 46 |inc esi
004055C0 |. 3B75 F0 |cmp esi,dword ptr ss:[ebp-10] ***dword ptr ss:[ebp-10] is the name length, 5
004055C3 |.^ 0F8C EBFEFFFF \jl ToolBox.004054B4 ****not finished, jump back up and keep processing!
004055C9 |> 03C0 add eax,eax ****EAX+EAX=5+5=A (the number of code chars, since each name character yields two code characters)
004055CB |. 8BF8 mov edi,eax
004055CD |. 8945 E8 mov dword ptr ss:[ebp-18],eax
004055D0 |. 83FF 10 cmp edi,10 ****compare with 0x10 (are there 16 code chars yet?)
004055D3 |. 0F8D E9000000 jge ToolBox.004056C2 ****not yet, so generation must continue!
004055D9 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004055DC |. 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
004055DF |. 03C1 add eax,ecx
004055E1 |. 8D77 F8 lea esi,dword ptr ds:[edi-8]
004055E4 |. 8945 0C mov dword ptr ss:[ebp+C],eax
004055E7 |> 8BCF /mov ecx,edi
004055E9 |. 8D45 DC |lea eax,dword ptr ss:[ebp-24]
004055EC |. 2B4D E8 |sub ecx,dword ptr ss:[ebp-18]
004055EF |. 6A 24 |push 24 ; /Arg3 = 00000024
004055F1 |. 50 |push eax ; |Arg2
004055F2 |. 8BC1 |mov eax,ecx ; |
004055F4 |. 99 |cdq ; |
004055F5 |. 2BC2 |sub eax,edx ; |
004055F7 |. D1F8 |sar eax,1 ; |
004055F9 |. D1E0 |shl eax,1 ; |
004055FB |. 2BC8 |sub ecx,eax ; |
004055FD |. 8B45 08 |mov eax,dword ptr ss:[ebp+8] ; | ***registration name wofan
00405600 |. 0FB60401 |movzx eax,byte ptr ds:[ecx+eax] ; | ****the name's ASCII codes go into EAX one by one; the first is 77 (w)
00405604 |. 50 |push eax ; |Arg1
00405605 |. E8 9F0D0000 |call ToolBox.004063A9 ; \ToolBox.004063A9 ****worth another look; this call was already analysed, but it is recorded again for completeness************
0040560A |. 83C4 0C |add esp,0C
0040560D |. 83FE 07 |cmp esi,7 ; Switch (cases 0..7) *****cases 0..7: up to 8 code chars can be produced here
00405610 |. 0F87 95000000 |ja ToolBox.004056AB
00405616 |. FF24B5 CE564000 |jmp dword ptr ds:[esi*4+4056CE]
0040561D |> 8A5D DD |mov bl,byte ptr ss:[ebp-23] ; Case 0 of switch 0040560D
00405620 |. 80EB 03 |sub bl,3
00405623 |. E9 83000000 |jmp ToolBox.004056AB
00405628 |> 0FBE45 DC |movsx eax,byte ptr ss:[ebp-24] ; Case 1 of switch 0040560D
0040562C |. 6A 00 |push 0
0040562E |. 50 |push eax
0040562F |. E8 75FBFFFF |call ToolBox.004051A9
00405634 |. 59 |pop ecx
00405635 |. 8AD8 |mov bl,al
00405637 |. 59 |pop ecx
00405638 |. EB 71 |jmp short ToolBox.004056AB
0040563A |> 8A5D DD |mov bl,byte ptr ss:[ebp-23] ; Case 2 of switch 0040560D
0040563D |. FECB |dec bl 10 chars were produced earlier and 6 more are needed, so ESI=2****case 2: 62-1=61 (a), the eleventh char
0040563F |. EB 6A |jmp short ToolBox.004056AB
00405641 |> 8A5D DC |mov bl,byte ptr ss:[ebp-24] ; Case 3 of switch 0040560D
00405644 |. 80EB 06 |sub bl,6 ***************case 3: 33-6=2D (-), the twelfth char
00405647 |. EB 62 |jmp short ToolBox.004056AB
00405649 |> 8D45 DC |lea eax,dword ptr ss:[ebp-24] ; Case 4 of switch 0040560D
0040564C |. 50 |push eax
0040564D |. E8 E2070000 |call ToolBox.00405E34 ****3b uppercased to 3B, ASCII 33 42
00405652 |. 8A5D DD |mov bl,byte ptr ss:[ebp-23] *****BL=42
00405655 |. 59 |pop ecx
00405656 |. 80EB 09 |sub bl,9 *****42-9=39 (9), the thirteenth char
00405659 |. EB 50 |jmp short ToolBox.004056AB
0040565B |> 8A5D DC |mov bl,byte ptr ss:[ebp-24] ; Case 5 of switch 0040560D
0040565E |. 80EB 04 |sub bl,4 *****the o in wofan gives 33, ASCII 33,33 ****33-4=2F (/), the fourteenth char
00405661 |. EB 48 |jmp short ToolBox.004056AB
00405663 |> 0FBE45 DC |movsx eax,byte ptr ss:[ebp-24] ; Case 6 of switch 0040560D
00405667 |. 0FBE4D DD |movsx ecx,byte ptr ss:[ebp-23]
0040566B |. 03C1 |add eax,ecx ****the first char of wofan, w, gives 3b, ASCII 33,62******33+62=95
0040566D |. 99 |cdq
0040566E |. 2BC2 |sub eax,edx
00405670 |. 8BD8 |mov ebx,eax
00405672 |. D1FB |sar ebx,1 ******95 sar 1=4A (J), the fifteenth char
00405674 |. EB 35 |jmp short ToolBox.004056AB
00405676 |> 0FBE45 DC |movsx eax,byte ptr ss:[ebp-24] ; Case 7 of switch 0040560D
0040567A |. 0FBE4D DD |movsx ecx,byte ptr ss:[ebp-23]
0040567E |. 8065 DD 00 |and byte ptr ss:[ebp-23],0
00405682 |. 8D4408 FD |lea eax,dword ptr ds:[eax+ecx-3] *****the second name char gives 33, ASCII 33,33 ******33+33-3=63
00405686 |. 99 |cdq
00405687 |. 2BC2 |sub eax,edx
00405689 |. D1F8 |sar eax,1 ****63 sar 1=31 (1)
0040568B |. 8845 DC |mov byte ptr ss:[ebp-24],al
0040568E |. 8D45 DC |lea eax,dword ptr ss:[ebp-24]
00405691 |. 50 |push eax
00405692 |. E8 9D070000 |call ToolBox.00405E34 *****uppercased, then used as the table-lookup key
00405697 |. 0FBE45 DC |movsx eax,byte ptr ss:[ebp-24]
0040569B |. 6A 01 |push 1
0040569D |. 50 |push eax
0040569E |. E8 06FBFFFF |call ToolBox.004051A9 ******look 31 up in the table, giving the corresponding 59
004056A3 |. 8BD8 |mov ebx,eax
004056A5 |. 83C4 0C |add esp,0C
004056A8 |. 80EB 02 |sub bl,2 *****59-2=57 (W), the sixteenth code char
004056AB |> 8B45 0C |mov eax,dword ptr ss:[ebp+C] ; Default case of switch 0040560D
004056AE |. FF45 0C |inc dword ptr ss:[ebp+C]
004056B1 |. 8A00 |mov al,byte ptr ds:[eax]
004056B3 |. 3AC3 |cmp al,bl
004056B5 |. 75 13 |jnz short ToolBox.004056CA ******patch point #2, NOP it!!!*******
004056B7 |. 47 |inc edi
004056B8 |. 46 |inc esi
004056B9 |. 83FE 08 |cmp esi,8
004056BC |.^ 0F8C 25FFFFFF \jl ToolBox.004055E7
004056C2 |> 6A 01 push 1 ******everything correct, push 1
004056C4 |. 58 pop eax *******pop it into EAX as the registration-success flag!!!
004056C5 |> 5F pop edi
004056C6 |. 5E pop esi
004056C7 |. 5B pop ebx
004056C8 |. C9 leave
004056C9 |. C3 retn

*****Let's look at it*******
……
004063F0 |> \8B75 08 mov esi,dword ptr ss:[ebp+8] ******the name's ASCII code; the first is 77 (w)
004063F3 |> 8BF9 mov edi,ecx
004063F5 |> 8BC6 /mov eax,esi
004063F7 |. 33D2 |xor edx,edx ******EDX = 0
004063F9 |. F775 10 |div dword ptr ss:[ebp+10] ******div dword ptr ss:[ebp+10]=24; after 77 div 24 the quotient EAX=3 and the remainder EDX=B
004063FC |. 8BC6 |mov eax,esi ******EAX=ESI=77
004063FE |. 8BDA |mov ebx,edx ******EBX=EDX=B
00406400 |. 33D2 |xor edx,edx ******EDX cleared again
00406402 |. F775 10 |div dword ptr ss:[ebp+10] *****div once more
00406405 |. 83FB 09 |cmp ebx,9 compare the remainder with 9
00406408 |. 8BF0 |mov esi,eax *****quotient kept in ESI=3
0040640A |. 76 05 |jbe short ToolBox.00406411 if the remainder is <= 9, jump to 00406411 and add 30
0040640C |. 80C3 57 |add bl,57 otherwise add 57
0040640F |. EB 03 |jmp short ToolBox.00406414
00406411 |> 80C3 30 |add bl,30
00406414 |> 8819 |mov byte ptr ds:[ecx],bl store it; ECX holds the memory address 0012EF3C
00406416 |. 41 |inc ecx ECX += 1, moving to the next storage slot!!
00406417 |. 85F6 |test esi,esi is the quotient 0? check whether we are done!!
00406419 |.^ 77 DA \ja short ToolBox.004063F5
**********************************************

wofan
77 div 24=3 -------- remainder B
B>9, so B+57=62 (stored at 0012EF3C)
3<>0
3 div 24=0 -------- remainder 3
3<9, so 3+30=33 (stored at 0012EF3D)
0=0, loop ends!
××××××××××××××××××××××××××
0040641B |. 8021 00 and byte ptr ds:[ecx],0 *****AND it: clear the next slot
0040641E |. 49 dec ecx *****DEC: move the pointer back!
0040641F |> 8A17 mov dl,byte ptr ds:[edi] *****DL=62
00406421 |. 8A01 mov al,byte ptr ds:[ecx] *****AL=33
00406423 |. 8811 mov byte ptr ds:[ecx],dl *****from here on the storage positions are swapped!
00406425 |. 8807 mov byte ptr ds:[edi],al
00406427 |. 49 dec ecx
00406428 |. 47 inc edi
00406429 |. 3BF9 cmp edi,ecx
0040642B |.^ 72 F2 jb short ToolBox.0040641F
0040642D |. 5F pop edi
0040642E |. 5E pop esi
0040642F |. 5B pop ebx
00406430 |. 5D pop ebp
00406431 \. C3 retn



********If code chars 1 and 2 are correct we arrive here; this call is worth a look too: it converts lowercase letters to uppercase, and the uppercase result is used as the table-lookup key********
……
00405E35 |. 8BEC mov ebp,esp
00405E37 |. 51 push ecx
00405E38 |. A1 24FD4000 mov eax,dword ptr ds:[40FD24]
00405E3D |. 53 push ebx
00405E3E |. 33DB xor ebx,ebx
00405E40 |. 3BC3 cmp eax,ebx
00405E42 |. 895D FC mov dword ptr ss:[ebp-4],ebx
00405E45 |. 75 21 jnz short ToolBox.00405E68
00405E47 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
00405E4A |. 8BD0 mov edx,eax
00405E4C |. 3818 cmp byte ptr ds:[eax],bl
00405E4E |. 74 7F je short ToolBox.00405ECF
00405E50 |> 8A0A /mov cl,byte ptr ds:[edx]
00405E52 |. 80F9 61 |cmp cl,61
00405E55 |. 7C 0A |jl short ToolBox.00405E61
00405E57 |. 80F9 7A |cmp cl,7A
00405E5A |. 7F 05 |jg short ToolBox.00405E61
00405E5C |. 80E9 20 |sub cl,20 *********62 (b) is a letter, so we arrive here; 62-20=42 (B) is the uppercasing step.
00405E5F |. 880A |mov byte ptr ds:[edx],cl ******EDX=0012EF3D, the storage area carried over from above! store it!
00405E61 |> 42 |inc edx ****inc EDX: next storage slot
00405E62 |. 381A |cmp byte ptr ds:[edx],bl
00405E64 |.^ 75 EA \jnz short ToolBox.00405E50

00405ED1 \. C3 retn



*********************Table lookup to find the later code chars or the intermediate values!!!!!*********************************

004051A9 /$ 55 push ebp
004051AA |. 8BEC mov ebp,esp
004051AC |. 81EC 20010000 sub esp,120
004051B2 |. 53 push ebx
004051B3 |. 56 push esi
004051B4 |. 57 push edi
004051B5 |. 6A 34 push 34
004051B7 |. 5B pop ebx
004051B8 |. C785 E0FEFFFF 300>mov dword ptr ss:[ebp-120],30 *****starting here, a table is copied onto the stack
004051C2 |. 6A 35 push 35
004051C4 |. C785 E4FEFFFF 310>mov dword ptr ss:[ebp-11C],31
004051CE |. 5F pop edi
004051CF |. C785 E8FEFFFF 320>mov dword ptr ss:[ebp-118],32
004051D9 |. 6A 36 push 36
004051DB |. C785 ECFEFFFF 330>mov dword ptr ss:[ebp-114],33
004051E5 |. 5E pop esi
004051E6 |. 899D F0FEFFFF mov dword ptr ss:[ebp-110],ebx
004051EC |. 6A 37 push 37
004051EE |. 89BD F4FEFFFF mov dword ptr ss:[ebp-10C],edi
004051F4 |. 5A pop edx
004051F5 |. 89B5 F8FEFFFF mov dword ptr ss:[ebp-108],esi
004051FB |. 6A 38 push 38
004051FD |. 8995 FCFEFFFF mov dword ptr ss:[ebp-104],edx
00405203 |. 59 pop ecx
00405204 |. C785 08FFFFFF 610>mov dword ptr ss:[ebp-F8],61
0040520E |. 6A 39 push 39
00405210 |. 898D 00FFFFFF mov dword ptr ss:[ebp-100],ecx
00405216 |. 58 pop eax
00405217 |. C785 0CFFFFFF 620>mov dword ptr ss:[ebp-F4],62
00405221 |. 8985 04FFFFFF mov dword ptr ss:[ebp-FC],eax
00405227 |. C785 10FFFFFF 630>mov dword ptr ss:[ebp-F0],63
00405231 |. C785 14FFFFFF 640>mov dword ptr ss:[ebp-EC],64
0040523B |. C785 18FFFFFF 650>mov dword ptr ss:[ebp-E8],65
00405245 |. C785 1CFFFFFF 660>mov dword ptr ss:[ebp-E4],66
0040524F |. C785 20FFFFFF 670>mov dword ptr ss:[ebp-E0],67
00405259 |. C785 24FFFFFF 680>mov dword ptr ss:[ebp-DC],68
00405263 |. C785 28FFFFFF 690>mov dword ptr ss:[ebp-D8],69
0040526D |. C785 2CFFFFFF 6A0>mov dword ptr ss:[ebp-D4],6A
00405277 |. C785 30FFFFFF 6B0>mov dword ptr ss:[ebp-D0],6B
00405281 |. C785 34FFFFFF 6C0>mov dword ptr ss:[ebp-CC],6C
0040528B |. C785 38FFFFFF 6D0>mov dword ptr ss:[ebp-C8],6D
00405295 |. C785 3CFFFFFF 6E0>mov dword ptr ss:[ebp-C4],6E
0040529F |. C785 40FFFFFF 6F0>mov dword ptr ss:[ebp-C0],6F
004052A9 |. C785 44FFFFFF 700>mov dword ptr ss:[ebp-BC],70
004052B3 |. C785 48FFFFFF 710>mov dword ptr ss:[ebp-B8],71
004052BD |. C785 4CFFFFFF 720>mov dword ptr ss:[ebp-B4],72
004052C7 |. C785 50FFFFFF 730>mov dword ptr ss:[ebp-B0],73
004052D1 |. C785 54FFFFFF 740>mov dword ptr ss:[ebp-AC],74
004052DB |. C785 58FFFFFF 750>mov dword ptr ss:[ebp-A8],75
004052E5 |. C785 5CFFFFFF 760>mov dword ptr ss:[ebp-A4],76
004052EF |. C785 60FFFFFF 770>mov dword ptr ss:[ebp-A0],77
004052F9 |. C785 64FFFFFF 780>mov dword ptr ss:[ebp-9C],78
00405303 |. C785 68FFFFFF 790>mov dword ptr ss:[ebp-98],79
0040530D |. C785 6CFFFFFF 7A0>mov dword ptr ss:[ebp-94],7A
00405317 |. C785 70FFFFFF 300>mov dword ptr ss:[ebp-90],30
00405321 |. C785 74FFFFFF 310>mov dword ptr ss:[ebp-8C],31
0040532B |. C785 78FFFFFF 320>mov dword ptr ss:[ebp-88],32
00405335 |. C785 7CFFFFFF 330>mov dword ptr ss:[ebp-84],33
0040533F |. 895D 80 mov dword ptr ss:[ebp-80],ebx
00405342 |. 897D 84 mov dword ptr ss:[ebp-7C],edi
00405345 |. 8975 88 mov dword ptr ss:[ebp-78],esi
00405348 |. 8955 8C mov dword ptr ss:[ebp-74],edx
0040534B |. 894D 90 mov dword ptr ss:[ebp-70],ecx
0040534E |. 8945 94 mov dword ptr ss:[ebp-6C],eax
00405351 |. C745 98 41000000 mov dword ptr ss:[ebp-68],41
00405358 |. C745 9C 42000000 mov dword ptr ss:[ebp-64],42
0040535F |. C745 A0 43000000 mov dword ptr ss:[ebp-60],43
00405366 |. C745 A4 44000000 mov dword ptr ss:[ebp-5C],44
0040536D |. C745 A8 45000000 mov dword ptr ss:[ebp-58],45
00405374 |. C745 AC 46000000 mov dword ptr ss:[ebp-54],46
0040537B |. C745 B0 47000000 mov dword ptr ss:[ebp-50],47
00405382 |. C745 B4 48000000 mov dword ptr ss:[ebp-4C],48
00405389 |. C745 B8 49000000 mov dword ptr ss:[ebp-48],49
00405390 |. C745 BC 4A000000 mov dword ptr ss:[ebp-44],4A
00405397 |. C745 C0 4B000000 mov dword ptr ss:[ebp-40],4B
0040539E |. C745 C4 4C000000 mov dword ptr ss:[ebp-3C],4C
004053A5 |. C745 C8 4D000000 mov dword ptr ss:[ebp-38],4D
004053AC |. C745 CC 4E000000 mov dword ptr ss:[ebp-34],4E
004053B3 |. C745 D0 4F000000 mov dword ptr ss:[ebp-30],4F
004053BA |. C745 D4 50000000 mov dword ptr ss:[ebp-2C],50
004053C1 |. C745 D8 51000000 mov dword ptr ss:[ebp-28],51
004053C8 |. C745 DC 52000000 mov dword ptr ss:[ebp-24],52
004053CF |. C745 E0 53000000 mov dword ptr ss:[ebp-20],53
004053D6 |. C745 E4 54000000 mov dword ptr ss:[ebp-1C],54
004053DD |. 8B45 0C mov eax,dword ptr ss:[ebp+C]
004053E0 |. 33D2 xor edx,edx
004053E2 |. C745 E8 55000000 mov dword ptr ss:[ebp-18],55
004053E9 |. C745 EC 56000000 mov dword ptr ss:[ebp-14],56
004053F0 |. 8D0CC0 lea ecx,dword ptr ds:[eax+eax*8]
004053F3 |. C745 F0 57000000 mov dword ptr ss:[ebp-10],57
004053FA |. C1E1 04 shl ecx,4
004053FD |. C745 F4 58000000 mov dword ptr ss:[ebp-C],58
00405404 |. C745 F8 59000000 mov dword ptr ss:[ebp-8],59
0040540B |. C745 FC 5A000000 mov dword ptr ss:[ebp-4],5A
00405412 |. 8D8C0D E0FEFFFF lea ecx,dword ptr ss:[ebp+ecx-120]
00405419 |> 8B75 08 /mov esi,dword ptr ss:[ebp+8] ****above is a table; here it is searched for the value being looked up, and its position goes into EDX
0040541C |. 3B31 |cmp esi,dword ptr ds:[ecx]
0040541E |. 74 09 |je short ToolBox.00405429
00405420 |. 42 |inc edx
00405421 |. 83C1 04 |add ecx,4
00405424 |. 83FA 24 |cmp edx,24
00405427 |.^ 7C F0 \jl short ToolBox.00405419
00405429 |> 8D04C0 lea eax,dword ptr ds:[eax+eax*8]
0040542C |. 5F pop edi
0040542D |. C1E0 02 shl eax,2
00405430 |. 2BC2 sub eax,edx *****the entry at the corresponding position in the table is the code's intermediate value
00405432 |. 5E pop esi
00405433 |. 5B pop ebx
00405434 |. 8B8485 6CFFFFFF mov eax,dword ptr ss:[ebp+eax*4-94] ****the intermediate value goes into EAX and is returned
0040543B |. C9 leave
0040543C \. C3 retn
This is the table:
0012EE80 30 00 00 00 31 00 00 00 32 00 00 00 33 00 00 00 0...1...2...3...
0012EE90 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 4...5...6...7...
0012EEA0 38 00 00 00 39 00 00 00 41 00 00 00 42 00 00 00 8...9...A...B...
0012EEB0 43 00 00 00 44 00 00 00 45 00 00 00 46 00 00 00 C...D...E...F...
0012EEC0 47 00 00 00 48 00 00 00 49 00 00 00 4A 00 00 00 G...H...I...J...
0012EED0 4B 00 00 00 4C 00 00 00 4D 00 00 00 4E 00 00 00 K...L...M...N...
0012EEE0 4F 00 00 00 50 00 00 00 51 00 00 00 52 00 00 00 O...P...Q...R...
0012EEF0 53 00 00 00 54 00 00 00 55 00 00 00 56 00 00 00 S...T...U...V...
0012EF00 57 00 00 00 58 00 00 00 59 00 00 00 5A 00 00 00 W...X...Y...Z...
……
The table has 0x24 entries.
For example, looking up 33: it is at position 3 (note: counting from 0!), and 0x24-0x3=0x21
Position 0x21 holds 57.

×××××××××××××××××××××××××××



×××× ****worth another look; this call was already analysed, but it is recorded again for completeness************××××××
……
004063F5 |> /8BC6 /mov eax,esi ***** EAX=77
004063F7 |. |33D2 |xor edx,edx
004063F9 |. |F775 10 |div dword ptr ss:[ebp+10] *****dword ptr ss:[ebp+10]=24
004063FC |. |8BC6 |mov eax,esi
004063FE |. |8BDA |mov ebx,edx
00406400 |. |33D2 |xor edx,edx
00406402 |. |F775 10 |div dword ptr ss:[ebp+10]
00406405 |. |83FB 09 |cmp ebx,9
00406408 |. |8BF0 |mov esi,eax
0040640A |. |76 05 |jbe short ToolBox.00406411
0040640C |. |80C3 57 |add bl,57
0040640F |. |EB 03 |jmp short ToolBox.00406414
00406411 |> |80C3 30 |add bl,30
00406414 |> |8819 |mov byte ptr ds:[ecx],bl
00406416 |. |41 |inc ecx
00406417 |. |85F6 |test esi,esi
00406419 |.^\77 DA \ja short ToolBox.004063F5
0040641B |. 8021 00 and byte ptr ds:[ecx],0
0040641E |. 49 dec ecx
0040641F |> 8A17 mov dl,byte ptr ds:[edi]
00406421 |. 8A01 mov al,byte ptr ds:[ecx]
00406423 |. 8811 mov byte ptr ds:[ecx],dl
00406425 |. 8807 mov byte ptr ds:[edi],al
00406427 |. 49 dec ecx
00406428 |. 47 inc edi
00406429 |. 3BF9 cmp edi,ecx
0040642B |.^ 72 F2 jb short ToolBox.0040641F
0040642D |. 5F pop edi
0040642E |. 5E pop esi
0040642F |. 5B pop ebx
00406430 |. 5D pop ebp
00406431 \. C3 retn

77 div 24=00000003 r 0000000B B+57=62
3 div 24= 00000000 r 00000003 3+30=33
6F div 24=00000003 r 00000003 3+30=33
3 div 24=00000000 r 00000003 3+30=33
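The two helper routines traced above, 004063A9 (the repeated div by 24 with the swap at the end) and 004051A9 (the stack table and its search loop), reimplemented in Python as an added example; this is not code from the page or from ToolBox, and the function and constant names are ours. It reproduces the hand traces for 77, 6F, 66, 61 and 6E and the lookups 33→57, 32→58, 50→41 and 31→59, which is the quickest way to confirm the reading of both routines: 004063A9 behaves like the C runtime's _itoa family with radix 36 (0x30 for digits 0-9, 0x57 = 'a'-10 for 10-35), and because the returned slot is 0x24 minus the found index, the table routine is simply the 36-character alphabet read backwards.

```python
"""
Added example (not ToolBox's code; names are ours): Python mirrors of
ToolBox.004063A9 and ToolBox.004051A9 as reversed above.
"""

RADIX = 0x24  # the constant pushed as Arg3 before every call to 004063A9

TABLES = {
    0: "0123456789abcdefghijklmnopqrstuvwxyz",  # dwords at [ebp-120] .. [ebp-94]
    1: "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ",  # dwords at [ebp-90] .. [ebp-4]
}


def itoa36(value: int) -> str:
    """Mirror of 004063A9: base-36 text of a byte value, e.g. 0x77 -> '3b'."""
    digits = []
    while True:                                  # do/while: at least one digit
        value, rem = divmod(value, RADIX)        # DIV: quotient, remainder
        digits.append(rem + 0x30 if rem <= 9 else rem + 0x57)  # jbe / add 57
        if value == 0:                           # test esi,esi / ja
            break
    # 0040641F..0040642B swaps the buffer end for end, i.e. reverses it
    return "".join(chr(d) for d in reversed(digits))


def table_lookup(ch: str, upper: int) -> str:
    """Mirror of 004051A9 for a character that is in the selected table.

    The loop at 00405419 stops when [ecx] == arg with the index in EDX; the
    result is dword [ebp + (upper*0x24 - EDX)*4 - 0x94], which works out to
    table[35 - EDX] for either table.  A character that is absent leaves
    EDX = 0x24 in the real routine, which then returns whatever lies at that
    offset; this version raises ValueError instead.
    """
    table = TABLES[upper]
    idx = table.index(ch)
    return table[RADIX - 1 - idx]


def trace(name: str) -> list:
    """The author's per-character traces as (char, base-36 string) pairs."""
    return [(c, itoa36(ord(c))) for c in name]


def lookup_minus(ch: str, delta: int) -> str:
    """The 'look up in the uppercase table, then sub bl,N' step seen at
    00405560 (N=2), 00405541 (N=3) and 004056A8 (N=2)."""
    return chr(ord(table_lookup(ch, 1)) - delta)


if __name__ == "__main__":
    for c, s in trace("wofan"):          # name taken from the page
        print(f"{c} (0x{ord(c):02X}) -> {s}")
    print("lookup('3') =", table_lookup("3", 1),
          "-> minus 2:", lookup_minus("3", 2))
```

Recognising 004063A9 as a runtime conversion routine rather than custom logic is what shortens this kind of analysis; the only application-specific part is the radix and the reversed-table lookup.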



Even I'm getting a bit dizzy!!!!
Thanks for reading to the end; if it annoyed you, I really didn't mean to!

As the saying goes: Zhangjiajie to the west, Jiubu River to the east, and I'm right beside Jiuxian Lake!!!


Registration name: wofan
Registration code: a3UTt2V>13a-9/JW

by wofan[OCN][PYG]


