ColorPicker V2.06算法分析 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → ColorPicker V2.06算法分析

ColorPicker V2.06算法分析 时间：2004/10/15 0:55:00来源：本站整理作者：蓝点我要评论(0)

软件名称：ColorPicker V2.06
软件介绍：小巧的屏幕取色软件，它对程序设计和图形设计非常有用,它能在屏幕上抓取任何你要的颜色，并转成各编程软件的颜色数值。
下载地址：http://www.skycn.com/download.php?id=502&url=http://lnhttp.skycn.net/down/colorpicker206.zip
难度：易
破解工具：AspackDie，TRW2000，Winasm

看见老熊要催作业，马上又要开学了，可能没什么时间了。随便上网拽一个软件破了，嘿，就你了--ColorPicker，算你倒霉。
废话少说开工：
Fi一看是Aspack的壳，AspackDie脱之。Winasm查找字符串"The Registration information is invaild!Please recheck your information."
一查看他的跳转处来到：

:004A0338 8D45DC                 lea eax, dword ptr [ebp-24]
:004A033B 50                     push eax
:004A033C 8B4DF8                 mov ecx, dword ptr [ebp-08]
:004A033F BA2E391E00             mov edx, 001E392E
:004A0344 8B45FC                 mov eax, dword ptr [ebp-04]
:004A0347 E88C020000             call 004A05D8         ********关键处call
:004A034C 8B55DC                 mov edx, dword ptr [ebp-24]
:004A034F 8B45F4                 mov eax, dword ptr [ebp-0C]
:004A0352 E86945F6FF             call 004048C0
:004A0357 0F8541010000           jne 004A049E     〈==跳到出错处

跟进004A0347关键call处：
以下是算法关键处：

:004A0630 BF01000000 mov edi, 00000001 〈==edi这个计数器赋初值

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A0654(C)
|
:004A0635 8B45F8 mov eax, dword ptr [ebp-08] 〈==指向用户名
:004A0638 E83F41F6FF call 0040477C 〈==取用户名长度

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A05D2(C)
|
:004A063D F76DFC                 imul [ebp-04]       〈==用户名长度乘以0x1E392E
:004A0640 03F0                   add esi, eax               〈==结果加上用户名长度
:004A0642 8B45F8                 mov eax, dword ptr [ebp-08]     〈==指向用户名
:004A0645 0FB64438FF             movzx eax, byte ptr [eax+edi-01]   〈==分别取用户名字符的ASCII
:004A064A 69C053200000           imul eax, 00002053 〈==用户名字符ASCII乘以0x2053
:004A0650 03F0                   add esi, eax       〈==esi+eax
:004A0652 47                     inc edi         〈==计数器加一
:004A0653 4B                     dec ebx
:004A0654 75DF                   jne 004A0635   〈==循环

************************记循环后的结果为S1*********************************

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:004A062E(C)
|
:004A0656 8BC6                   mov eax, esi
:004A0658 99                     cdq
:004A0659 33C2                   xor eax, edx
:004A065B 2BC2                   sub eax, edx
:004A065D 8D55F4                 lea edx, dword ptr [ebp-0C]
:004A0660 E81783F6FF             call 0040897C
:004A0665 8D45F4                 lea eax, dword ptr [ebp-0C]
:004A0668 50                     push eax
:004A0669 8B45F4                 mov eax, dword ptr [ebp-0C]
:004A066C E80B41F6FF             call 0040477C
:004A0671 8BD0                   mov edx, eax
:004A0673 83EA0A                 sub edx, 0000000A
:004A0676 B90A000000             mov ecx, 0000000A
:004A067B 8B45F4                 mov eax, dword ptr [ebp-0C]
:004A067E E85143F6FF             call 004049D4
:004A0683 8B45F8                 mov eax, dword ptr [ebp-08]
:004A0686 E8F140F6FF             call 0040477C
:004A068B 8BD8                   mov ebx, eax
:004A068D 85DB                   test ebx, ebx
:004A068F 7E24                   jle 004A06B5
:004A0691 BF01000000             mov edi, 00000001       〈==计数器赋初值

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A06B3(C)
|
:004A0696 8B45F8                 mov eax, dword ptr [ebp-08]   〈==指向用户名
:004A0699 E8DE40F6FF             call 0040477C       〈==取用户名长度
:004A069E 8B55F8                 mov edx, dword ptr [ebp-08]     〈==指向用户名
:004A06A1 0FB6543AFF             movzx edx, byte ptr [edx+edi-01] 〈==分别取用户名字符ASCII
:004A06A6 0FAF55FC               imul edx, dword ptr [ebp-04] 〈==用户名字符ASCII乘以0x1E392E
:004A06AA 6BD253                 imul edx, 00000053       〈==结果再乘以0x53
:004A06AD 03F2                   add esi, edx         〈==结果加上S1
:004A06AF 2BF0                   sub esi, eax         〈==新结果减去用户名长度
:004A06B1 47                     inc edi
:004A06B2 4B                     dec ebx
:004A06B3 75E1                   jne 004A0696     〈==循环

************************记此次运算结果为S2**********************************

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A068F(C)
|
:004A06B5 FF75F4                 push [ebp-0C]
:004A06B8 6880074A00             push 004A0780
:004A06BD 8BC6                   mov eax, esi
:004A06BF 99                     cdq
:004A06C0 33C2                   xor eax, edx
:004A06C2 2BC2                   sub eax, edx
:004A06C4 8D55F0                 lea edx, dword ptr [ebp-10]
:004A06C7 E8B082F6FF             call 0040897C
:004A06CC FF75F0                 push [ebp-10]
:004A06CF 8D45F4                 lea eax, dword ptr [ebp-0C]
:004A06D2 BA03000000             mov edx, 00000003
:004A06D7 E86041F6FF             call 0040483C
:004A06DC 8B45F8                 mov eax, dword ptr [ebp-08]
:004A06DF E89840F6FF             call 0040477C
:004A06E4 8BD8                   mov ebx, eax
:004A06E6 85DB                   test ebx, ebx
:004A06E8 7E2D                   jle 004A0717
:004A06EA BF01000000             mov edi, 00000001           〈==计数器赋初值

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A0715(C)
|
:004A06EF 8B45F8                 mov eax, dword ptr [ebp-08]     〈==指向用户名
:004A06F2 E88540F6FF             call 0040477C                   〈==取用户名长度
:004A06F7 8B55F8                 mov edx, dword ptr [ebp-08]     〈==指向用户名
:004A06FA 0FB6543AFF             movzx edx, byte ptr [edx+edi-01]   〈==分别取用户名字符ASCII
:004A06FF F7EA                   imul edx       〈==用户名字符ASCII乘以用户名长度
:004A0701 69C03B010000           imul eax, 0000013B     〈==结果再乘以0x13B
:004A0707 03F0                   add esi, eax           〈==结果再加上S2
:004A0709 8B45F8                 mov eax, dword ptr [ebp-08]
:004A070C E86B40F6FF             call 0040477C
:004A0711 03F0                   add esi, eax
:004A0713 47                     inc edi
:004A0714 4B                     dec ebx
:004A0715 75D8                   jne 004A06EF     〈==循环

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A06E8(C)
|
:004A0717 0375FC                 add esi, dword ptr [ebp-04]
:004A071A FF75F4                 push [ebp-0C]
:004A071D 6880074A00             push 004A0780
:004A0722 8BC6                   mov eax, esi
:004A0724 99                     cdq
:004A0725 33C2                   xor eax, edx
:004A0727 2BC2                   sub eax, edx
:004A0729 8D55EC                 lea edx, dword ptr [ebp-14]
:004A072C E84B82F6FF             call 0040897C
:004A0731 FF75EC                 push [ebp-14]
:004A0734 8D45F4                 lea eax, dword ptr [ebp-0C]
:004A0737 BA03000000             mov edx, 00000003
:004A073C E8FB40F6FF             call 0040483C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A0612(C), :004A061C(C)
|
:004A0741 8B4508                 mov eax, dword ptr [ebp+08]
:004A0744 8B55F4                 mov edx, dword ptr [ebp-0C]
:004A0747 E8CC3DF6FF             call 00404518
:004A074C 33C0                   xor eax, eax
:004A074E 5A                     pop edx
:004A074F 59                     pop ecx
:004A0750 59                     pop ecx
:004A0751 648910                 mov dword ptr fs:[eax], edx
:004A0754 686E074A00             push 004A076E

用户名：Stoby[DFCG]
注册码：247850853-369708050-364300326

算法小结：

将结果S1、S2、S3分别转化为十进制S1'、S2'、S3'，然后用"-"将S1'、S2'、S3'连接起来成：
S1'-S2'-S3'即为注册码，算法很简单，算法注册机没空写了。后天就要上火车走了，开学后我也会常来逛逛的。