
FolderView 1.71 Cracking Notes -- Preliminary Algorithm Analysis

Time: 2004/10/15 0:57:00 Source: compiled by this site Author: 蓝点

Software name: FolderView 1.71 (system utility)
Listed on: 2003.3.15 (华军网)
Latest version: 1.71
File size: 194KB
Licence: shareware
Platforms: Win9x/Me/2000/XP
Publisher: http://www.southbaypc.com/
Description: a simple, easy-to-use utility that lists every file in a folder in detail by size (bytes), date and name, and exports the list to a plain-text TXT file or prints it.


Protection: registration code
Limitation: 30-day trial
Cracking tools: TRW2000 1.23 registered edition, W32Dasm 8.93 Gold Edition, FI 2.5
Cracking date: 2003-03-26
Author newlaos's statement: this is for study only; please do not use it for commercial purposes or freely distribute keygens made with the method in this article. I take no responsibility for any consequences.

1. First check the main program "FolderView.exe" with FI 2.5: it is not packed.

2. Statically disassemble the main program with W32Dasm 8.93 Gold Edition, then use the string data references to find "Sorry, you have entered an incorrect registration code." (a classic string) and double-click it to reach the code segment below. This quickly locates the part that computes the registration code.

3. Then trace dynamically with TRW2000 1.23 registered edition and set a breakpoint with BPX 004072AC (the breakpoint is usually set a little before the success/failure check, so that the key part can be found). Enter the registration name newlaos and the fake code 78787878.


* Reference To: USER32.GetDlgItemTextA, Ord:0113h
|
:004072AC 8B3D4C124100 mov edi, dword ptr [0041124C]

* Possible Reference to Dialog: DialogID_0067, CONTROL_ID:03EF, ""
|
:004072B2 68EF030000 push 000003EF
:004072B7 56 push esi
:004072B8 FFD7 call edi
:004072BA 8D542408 lea edx, dword ptr [esp+08]
:004072BE 6800010000 push 00000100
:004072C3 52 push edx

* Possible Reference to Dialog: DialogID_0067, CONTROL_ID:03ED, ""
|
:004072C4 68ED030000 push 000003ED
:004072C9 56 push esi
:004072CA FFD7 call edi
:004072CC 8D442408 lea eax, dword ptr [esp+08]
:004072D0 8D8C2408010000 lea ecx, dword ptr [esp+00000108]
:004072D7 50 push eax
:004072D8 51 push ecx
:004072D9 E852030000 call 00407630 <=== the key CALL; press F8 to step into it
:004072DE 83C408 add esp, 00000008
:004072E1 85C0 test eax, eax <=== for a correct registration EAX must not be 0 here
:004072E3 5F pop edi
:004072E4 7443 je 00407329 <=== if it jumps here, it's over
:004072E6 8D542404 lea edx, dword ptr [esp+04]
:004072EA 8D842404010000 lea eax, dword ptr [esp+00000104]
:004072F1 52 push edx
:004072F2 50 push eax

* Possible StringData Ref from Data Obj ->"Software\FolderView\Registration"
|
:004072F3 6818354100 push 00413518
:004072F8 6801000080 push 80000001
:004072FD E86E030000 call 00407670

* Possible StringData Ref from Data Obj ->"Software\FolderView\Registration"
|
:00407302 6818354100 push 00413518
:00407307 6801000080 push 80000001
:0040730C E8CF010000 call 004074E0
:00407311 83C418 add esp, 00000018

* Possible Reference to String Resource ID=00001: "Registered to: %s"
|
:00407314 6A01 push 00000001
:00407316 56 push esi

* Reference To: USER32.EndDialog, Ord:00C6h
|
:00407317 FF1514124100 Call dword ptr [00411214]
:0040731D 33C0 xor eax, eax
:0040731F 5E pop esi
:00407320 81C400020000 add esp, 00000200
:00407326 C21000 ret 0010



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004072E4(C)
|
:00407329 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"FolderView"
|
:0040732B 6874354100 push 00413574

* Possible StringData Ref from Data Obj ->"Sorry, you have entered an incorrect "
->"registration code."
|
:00407330 68083A4100 push 00413A08
:00407335 56 push esi

* Reference To: USER32.MessageBoxA, Ord:01DEh
|
:00407336 FF151C124100 Call dword ptr [0041121C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407241(C)
|
:0040733C 33C0 xor eax, eax
:0040733E 5E pop esi
:0040733F 81C400020000 add esp, 00000200
:00407345 C21000 ret 0010
.......
.......


-------004072D9 call 00407630 --- the key CALL; F8 into it brings us to the following code segment----------------------
Requirement: EAX must not be 0 on return

:00407630 8B4C2404 mov ecx, dword ptr [esp+04]
:00407634 81EC00010000 sub esp, 00000100
:0040763A 8D442400 lea eax, dword ptr [esp]
:0040763E 50 push eax
:0040763F 51 push ecx
:00407640 E8AB000000 call 004076F0 <=== this is the algorithm CALL; F8 into it
:00407645 8B842410010000 mov eax, dword ptr [esp+00000110] <=== EAX=78787878
:0040764C 8D542408 lea edx, dword ptr [esp+08] <=== EDX is the real registration code
:00407650 52 push edx
:00407651 50 push eax
:00407652 E889FFFFFF call 004075E0
:00407657 F7D8 neg eax
:00407659 1BC0 sbb eax, eax
:0040765B F7D8 neg eax
:0040765D 81C410010000 add esp, 00000110
:00407663 C3 ret


------00407640 call 004076F0 the algorithm CALL; F8 into it-----------------------------------------

:004076F0 81EC00010000 sub esp, 00000100
:004076F6 A07C684100 mov al, byte ptr [0041687C]
:004076FB 53 push ebx
:004076FC 55 push ebp
:004076FD 56 push esi
:004076FE 57 push edi
:004076FF 88442410 mov byte ptr [esp+10], al
:00407703 B93F000000 mov ecx, 0000003F
:00407708 33C0 xor eax, eax
:0040770A 8D7C2411 lea edi, dword ptr [esp+11]
:0040770E F3 repz
:0040770F AB stosd
:00407710 66AB stosw
:00407712 AA stosb
:00407713 8BBC2414010000 mov edi, dword ptr [esp+00000114]
:0040771A 57 push edi

* Reference To: KERNEL32.lstrlenA, Ord:03BEh
|
:0040771B FF1568114100 Call dword ptr [00411168]<=== EAX=7 (length of the registration name)
:00407721 8BF0 mov esi, eax
:00407723 33C9 xor ecx, ecx
:00407725 33C0 xor eax, eax <=== EAX is the counter, initialised to 0
:00407727 85F6 test esi, esi
:00407729 7613 jbe 0040773E <=== checks whether a registration name was entered; naturally it does not jump
:0040772B 8B15F8394100 mov edx, dword ptr [004139F8]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040773C(C)
|
:00407731 0FBE1C38 movsx ebx, byte ptr [eax+edi]
:00407735 03DA add ebx, edx
:00407737 03CB add ecx, ebx
<=== ECX is the sum of the ASCII codes of every character of the registration name, plus 32*7 (the name's length), in hexadecimal
:00407739 40 inc eax <=== EAX=EAX+1
:0040773A 3BC6 cmp eax, esi <=== this sets the loop count to 7, the length of the registration name
:0040773C 72F3 jb 00407731

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407729(C)
|
:0040773E 8B9C2418010000 mov ebx, dword ptr [esp+00000118]
:00407745 51 push ecx <=== push the above sum onto the stack; ECX=567 (hex)

* Possible StringData Ref from Data Obj ->"%u-"
|
:00407746 68503A4100 push 00413A50
:0040774B 53 push ebx <=== EBX=1CF

* Reference To: USER32.wsprintfA, Ord:02D5h
|
:0040774C FF150C124100 Call dword ptr [0041120C] <=== I don't know what this CALL does; experts please advise!
************** The CALL above computes the first part of the registration code. **************

:00407752 83C40C add esp, 0000000C
:00407755 33C9 xor ecx, ecx
:00407757 33C0 xor eax, eax <=== EAX is the counter, initialised to 0
:00407759 85F6 test esi, esi <=== ESI=7, the length of the registration name
:0040775B 7614 jbe 00407771 <=== must not jump
:0040775D 8B15FC394100 mov edx, dword ptr [004139FC] <=== EDX=28, a value fixed by the program

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040776F(C)
|
:00407763 0FBE2C38 movsx ebp, byte ptr [eax+edi] <=== take the characters of the registration name in turn
:00407767 0FAFEA imul ebp, edx <=== multiply the character's ASCII code by 28
:0040776A 03CD add ecx, ebp <=== ECX is the sum of all the name's ASCII codes after multiplying by 28
:0040776C 40 inc eax <=== EAX=EAX+1
:0040776D 3BC6 cmp eax, esi <=== this shows the loop runs 7 times, the length of the registration name
:0040776F 72F2 jb 00407763 <=== forms a small loop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040775B(C)
|
:00407771 51 push ecx <=== push the sum from the loop above onto the stack; ECX=76E8 (hex)
:00407772 8D4C2414 lea ecx, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"%u-"
|
:00407776 68503A4100 push 00413A50 <=== this is the format of the registration code
:0040777B 51 push ecx

* Reference To: USER32.wsprintfA, Ord:02D5h
|
:0040777C FF150C124100 Call dword ptr [0041120C]<=== I don't know what this CALL does; experts please advise!
************** The CALL above computes the second part of the registration code. **************

:00407782 83C40C add esp, 0000000C
:00407785 8D542410 lea edx, dword ptr [esp+10]
:00407789 52 push edx
:0040778A 53 push ebx

* Reference To: KERNEL32.lstrcatA, Ord:03AFh
|
:0040778B FF1594114100 Call dword ptr [00411194] <=== concatenate the first and second parts of the registration code
:00407791 33C9 xor ecx, ecx
:00407793 33C0 xor eax, eax
:00407795 85F6 test esi, esi
:00407797 7613 jbe 004077AC
:00407799 8B15003A4100 mov edx, dword ptr [00413A00] <=== EDX=1E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004077AA(C)
|
:0040779F 0FBE2C38 movsx ebp, byte ptr [eax+edi] <=== take the characters of the registration name in turn
:004077A3 03EA add ebp, edx
:004077A5 03CD add ecx, ebp
<=== ECX is the sum of the ASCII codes of every character of the registration name, plus 1E*7 (the name's length), in hexadecimal
:004077A7 40 inc eax
:004077A8 3BC6 cmp eax, esi <=== this sets the loop count to 7, the length of the registration name
:004077AA 72F3 jb 0040779F <=== forms a small loop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407797(C)
|
:004077AC 51 push ecx <=== push the above sum onto the stack; ECX=3CB (hex)
:004077AD 8D442414 lea eax, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"%u-"
|
:004077B1 68503A4100 push 00413A50 <=== this is the format of the registration code
:004077B6 50 push eax

* Reference To: USER32.wsprintfA, Ord:02D5h
|
:004077B7 FF150C124100 Call dword ptr [0041120C]
************** The CALL above computes the third part of the registration code. **************
:004077BD 83C40C add esp, 0000000C
:004077C0 8D4C2410 lea ecx, dword ptr [esp+10]
:004077C4 51 push ecx
:004077C5 53 push ebx

* Reference To: KERNEL32.lstrcatA, Ord:03AFh
|
:004077C6 FF1594114100 Call dword ptr [00411194] <=== concatenate the third part with the two parts before it
:004077CC 33C9 xor ecx, ecx
:004077CE 33C0 xor eax, eax <=== EAX is the counter, initialised to 0
:004077D0 85F6 test esi, esi
:004077D2 7614 jbe 004077E8
:004077D4 8B15043A4100 mov edx, dword ptr [00413A04] <=== EDX=B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004077E6(C)
|
:004077DA 0FBE2C38 movsx ebp, byte ptr [eax+edi] <=== take the characters of the registration name in turn
:004077DE 0FAFEA imul ebp, edx <=== multiply the character's ASCII code by B
:004077E1 03CD add ecx, ebp <=== ECX is the sum of all the name's ASCII codes after multiplying by B
:004077E3 40 inc eax
:004077E4 3BC6 cmp eax, esi
:004077E6 72F2 jb 004077DA <=== forms a small loop here

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004077D2(C)
|
:004077E8 51 push ecx <=== push the sum from the loop above onto the stack; ECX=20B3 (hex)
:004077E9 8D542414 lea edx, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"%u"
|
:004077ED 686C384100 push 0041386C <=== format of the fourth part of the registration code; as it is the final part it differs from the first three
:004077F2 52 push edx

* Reference To: USER32.wsprintfA, Ord:02D5h
|
:004077F3 FF150C124100 Call dword ptr [0041120C]
************** The CALL above computes the fourth part of the registration code. **************
:004077F9 83C40C add esp, 0000000C
:004077FC 8D442410 lea eax, dword ptr [esp+10]
:00407800 50 push eax
:00407801 53 push ebx

* Reference To: KERNEL32.lstrcatA, Ord:03AFh
|
:00407802 FF1594114100 Call dword ptr [00411194]
<=== concatenate the fourth part with the three parts before it, giving the final registration code 1111-30440-971-8371
:00407808 5F pop edi
:00407809 5E pop esi
:0040780A 5D pop ebp
:0040780B 5B pop ebx
:0040780C 81C400010000 add esp, 00000100
:00407812 C3 ret


4. Algorithm analysis: --- type: f(registration name) = registration code ---
The registration name is processed in four ways, each yielding one part of the registration code:
a. Add up the ASCII codes of every character of the name, then add 32*7 (the name's length), in hexadecimal, and format the result with USER32.wsprintfA
b. Multiply the ASCII code of every character of the name by 28, add them up, and format the sum with USER32.wsprintfA
c. Add up the ASCII codes of every character of the name, then add 1E*7 (the name's length), in hexadecimal, and format the result with USER32.wsprintfA
d. Multiply the ASCII code of every character of the name by B, add them up, and format the sum with USER32.wsprintfA
Finally, joining the four parts gives the registration code.
(As I'm a newbie I don't understand what USER32.wsprintfA does; I'd be very grateful if an expert could explain.)
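The four-step derivation in section 4 written out in C, as an added example that is not part of the original article or of FolderView itself: it checks the reconstruction against the trace value for "newlaos" and then shows the weakness of the scheme from a licence-design point of view. It assumes the four constants are the data-section values read in the trace (0x32, 0x28, 0x1E, 0xB), and uses snprintf in place of USER32.wsprintfA, which is the Win32 equivalent of sprintf and here merely turns each unsigned value into decimal text.

```c
#include <stdio.h>
#include <string.h>

/* The four per-part constants read from the data section in the trace
 * ([004139F8], [004139FC], [00413A00], [00413A04]): 0x32, 0x28, 0x1E, 0xB. */
#define ADD1 0x32u
#define MUL2 0x28u
#define ADD3 0x1Eu
#define MUL4 0x0Bu

/* Sum of the name's bytes, sign-extended like the movsx in every loop. */
unsigned int byte_sum(const char *name) {
    unsigned int sum = 0;
    for (size_t i = 0; name[i] != '\0'; i++)
        sum += (unsigned int)(signed char)name[i];
    return sum;
}

/* Reconstructed derivation: four decimal numbers joined by '-'.
 * snprintf("%u") stands in for USER32.wsprintfA("%u-"), which only turns the
 * unsigned value into decimal text; lstrcatA then joins the parts. */
void folderview_code(const char *name, char *out, size_t outlen) {
    unsigned int len = (unsigned int)strlen(name);
    unsigned int sum = byte_sum(name);
    unsigned int p1 = sum + ADD1 * len;  /* loop 1: add 0x32 to each byte  */
    unsigned int p2 = sum * MUL2;        /* loop 2: imul each byte by 0x28 */
    unsigned int p3 = sum + ADD3 * len;  /* loop 3: add 0x1E to each byte  */
    unsigned int p4 = sum * MUL4;        /* loop 4: imul each byte by 0x0B */
    snprintf(out, outlen, "%u-%u-%u-%u", p1, p2, p3, p4);
}

/* Check the reconstruction against a value observed in the trace. */
int code_matches(const char *name, const char *expected) {
    char buf[64];
    folderview_code(name, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Weakness of the scheme: every part depends only on the byte sum and the
 * length, so any permutation of a name yields the identical code. */
int codes_collide(const char *a, const char *b) {
    char ca[64], cb[64];
    folderview_code(a, ca, sizeof ca);
    folderview_code(b, cb, sizeof cb);
    return strcmp(ca, cb) == 0;
}

int main(void) {
    char code[64];
    folderview_code("newlaos", code, sizeof code);
    printf("newlaos -> %s\n", code);                 /* 1111-30440-971-8371 */
    printf("anagram collides: %d\n", codes_collide("newlaos", "soalwen"));
    return 0;
}
```

A check like this is the first thing a reviewer of a licence scheme should run: when the whole code is a function of one byte sum, the four parts carry no more information than that sum, and anagrams of a name validate against each other.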

5. Registration information is saved in the registry:
[HKEY_CURRENT_USER\Software\FolderView\Registration]
"Name"="newlaos"
"Code"="1111-30440-971-8371"

6. Making a memory keygen with KEYMAKE 1.73:
I. Press F8 → alternative keygen!
Program name: FolderView.exe
Add data:
  Break address: 00407650
Break count: 1
First byte: 52
Instruction length: 1
   Save the following as the registration code → memory mode → register → EDX
II. Choose memory mode: memory address → 65E838 → wide characters → click Generate, and good luck!