批量更名专家 1.5 算法分析 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → 批量更名专家 1.5 算法分析

批量更名专家 1.5 算法分析 时间：2004/10/15 0:55:00来源：本站整理作者：蓝点我要评论(0): 　　
软件名称：批量更名专家 1.5
整理日期：2002.11.11
最新版本：1.5 Build 1111
文件大小：888KB
软件授权：共享软件
使用平台：Win9x/Me/NT/2000
发布公司：Home Page
软件简介：
　　是一款优秀的批量文件改名工具，更名速度极快。简明的资源管理器界面，上手极为方便。
提供更名前预览功能，提供批量修改文件属性和日期，修改扩展名，修改大小写，可以插入，
删除，替换，独特的序数改名功能，直接编辑文件名，根据MP3文件的Id3信息改名等。
主要工具：TRW2000 W32DASM UPX
用UPX脱壳，注册时需输入8位以上注册名，重启验证。
启动程序输入"nightstar/987654321",退出用W32DASM加载，查找"RWCode"，代码如下

* Possible StringData Ref from Code Obj ->"\Software\zigsoft\rw1.5\setup\"
|
:004B8E32 BAF08F4B00 mov edx, 004B8FF0
:004B8E37 8B45F4 mov eax, dword ptr [ebp-0C]
:004B8E3A E811BDF9FF call 00454B50
:004B8E3F 84C0 test al, al
:004B8E41 747C je 004B8EBF
:004B8E43 33D2 xor edx, edx
:004B8E45 55 push ebp
:004B8E46 686B8E4B00 push 004B8E6B
:004B8E4B 64FF32 push dword ptr fs:[edx]
:004B8E4E 648922 mov dword ptr fs:[edx], esp
:004B8E51 8D4DFC lea ecx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"RWUser"
|
:004B8E54 BA18904B00 mov edx, 004B9018
:004B8E59 8B45F4 mov eax, dword ptr [ebp-0C]
:004B8E5C E897C0F9FF call 00454EF8
:004B8E61 33C0 xor eax, eax
:004B8E63 5A pop edx
:004B8E64 59 pop ecx
:004B8E65 59 pop ecx
:004B8E66 648910 mov dword ptr fs:[eax], edx
:004B8E69 EB16 jmp 004B8E81
:004B8E6B E95CA7F4FF jmp 004035CC
:004B8E70 0100 add dword ptr [eax], eax
:004B8E72 0000 add byte ptr [eax], al
:004B8E74 64 BYTE 064h

:004B8E75 47 inc edi
:004B8E76 45 inc ebp
:004B8E77 007C8E4B add byte ptr [esi+4*ecx+4B], bh
:004B8E7B 00E8 add al, ch
:004B8E7D 7BA9 jpo 004B8E28
:004B8E7F F4 hlt
:004B8E80 FF33 push dword ptr [ebx]
:004B8E82 D25568 rcl byte ptr [ebp+68], cl
:004B8E85 A98E4B0064 test eax, 64004B8E
:004B8E8A FF32 push dword ptr [edx]
:004B8E8C 648922 mov dword ptr fs:[edx], esp
:004B8E8F 8D4DF8 lea ecx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"RWCode"
|
:004B8E92 BA28904B00 mov edx, 004B9028
:004B8E97 8B45F4 mov eax, dword ptr [ebp-0C]
:004B8E9A E859C0F9FF call 00454EF8
:004B8E9F 33C0 xor eax, eax
:004B8EA1 5A pop edx
:004B8EA2 59 pop ecx
:004B8EA3 59 pop ecx
:004B8EA4 648910 mov dword ptr fs:[eax], edx
:004B8EA7 EB BYTE ebh

* Referenced by a CALL at Address:
|:004B4360
|
:004B8EA8 16 push ss
:004B8EA9 E91EA7F4FF jmp 004035CC
:004B8EAE 0100 add dword ptr [eax], eax
:004B8EB0 0000 add byte ptr [eax], al
:004B8EB2 64 BYTE 064h

:004B8EB3 47 inc edi
:004B8EB4 45 inc ebp
:004B8EB5 00BA8E4B00E8 add byte ptr [edx+E8004B8E], bh
:004B8EBB 3DA9F4FF33 cmp eax, 33FFF4A9
:004B8EC0 C05A5959 rcr byte ptr [edx+59], 59
:004B8EC4 648910 mov dword ptr fs:[eax], edx
:004B8EC7 68DC8E4B00 push 004B8EDC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8EDA(U)
|
:004B8ECC 8B45F4 mov eax, dword ptr [ebp-0C]
:004B8ECF E820A1F4FF call 00402FF4
:004B8ED4 C3 ret

:004B8ED5 E97AA8F4FF jmp 00403754
:004B8EDA EBF0 jmp 004B8ECC
:004B8EDC 837DFC00 cmp dword ptr [ebp-04], 00000000 //无name,跳死
:004B8EE0 0F84D1000000 je 004B8FB7
:004B8EE6 837DF800 cmp dword ptr [ebp-08], 00000000 //无注册码,跳死
:004B8EEA 0F84C7000000 je 004B8FB7
:004B8EF0 8D55F0 lea edx, dword ptr [ebp-10]
:004B8EF3 8B45FC mov eax, dword ptr [ebp-04] //将name送入eax,准备
:004B8EF6 E845FDFFFF call 004B8C40 //关键call，计算注册码,进入
:004B8EFB 8B45F0 mov eax, dword ptr [ebp-10]
:004B8EFE 8B55F8 mov edx, dword ptr [ebp-08] //D EAX=真注册码
:004B8F01 E8CAB1F4FF call 004040D0
:004B8F06 0F85AB000000 jne 004B8FB7
下面进入004B8EF6，看看算法
:004B8EF6 E845FDFFFF call 004B8C40 //关键call，计算注册码,进入
设name的长度为x，name按顺序为N1,N2...Nx;，

* Referenced by a CALL at Address:
|:004B8EF6
|
:004B8C40 55 push ebp
:004B8C41 8BEC mov ebp, esp
:004B8C43 B904000000 mov ecx, 00000004
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8C4D(C)
|
:004B8C48 6A00 push 00000000
:004B8C4A 6A00 push 00000000
:004B8C4C 49 dec ecx
:004B8C4D 75F9 jne 004B8C48
:004B8C4F 51 push ecx
:004B8C50 53 push ebx
:004B8C51 56 push esi
:004B8C52 57 push edi
:004B8C53 8955F8 mov dword ptr [ebp-08], edx
:004B8C56 8945FC mov dword ptr [ebp-04], eax
:004B8C59 8B45FC mov eax, dword ptr [ebp-04]
:004B8C5C E813B5F4FF call 00404174
:004B8C61 33C0 xor eax, eax
:004B8C63 55 push ebp
:004B8C64 68DC8D4B00 push 004B8DDC
:004B8C69 64FF30 push dword ptr fs:[eax]
:004B8C6C 648920 mov dword ptr fs:[eax], esp
:004B8C6F B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"|"A"
|
:004B8C71 A1F8034100 mov eax, dword ptr [004103F8]
:004B8C76 E849A3F4FF call 00402FC4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8C02(C)
|
:004B8C7B 8945EC mov dword ptr [ebp-14], eax
:004B8C7E 33C0 xor eax, eax
:004B8C80 55 push ebp
:004B8C81 689A8D4B00 push 004B8D9A
:004B8C86 64FF30 push dword ptr fs:[eax]
:004B8C89 648920 mov dword ptr fs:[eax], esp
:004B8C8C 8D45F4 lea eax, dword ptr [ebp-0C]
:004B8C8F 8B55FC mov edx, dword ptr [ebp-04]
:004B8C92 E841B1F4FF call 00403DD8
:004B8C97 8B45F4 mov eax, dword ptr [ebp-0C]
:004B8C9A E821B3F4FF call 00403FC0
:004B8C9F 8BF0 mov esi, eax
:004B8CA1 8B45F4 mov eax, dword ptr [ebp-0C]
:004B8CA4 E817B3F4FF call 00403FC0
:004B8CA9 8BD8 mov ebx, eax
:004B8CAB 85DB test ebx, ebx
:004B8CAD 0F8EA0000000 jle 004B8D53
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D4D(C)
|
:004B8CB3 8BC3 mov eax, ebx //ebx是计数器，初值是x(x为name的长度)
:004B8CB5 2501000080 and eax, 80000001
:004B8CBA 7905 jns 004B8CC1
:004B8CBC 48 dec eax
:004B8CBD 83C8FE or eax, FFFFFFFE
:004B8CC0 40 inc eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CBA(C)
|
:004B8CC1 85C0 test eax, eax
:004B8CC3 752E jne 004B8CF3 //N是偶数位=0不跳,奇数位=1跳
:004B8CC5 8B45F4 mov eax, dword ptr [ebp-0C] //把NAME的字符串送到EAX
:004B8CC8 0FB64418FF movzx eax, byte ptr [eax+ebx-01]//从最后一位开始,依次
把name字符串的ASCII值送到EAX (..N8,N6,N4,N2在这里计算)
:004B8CCD 8BD6 mov edx, esi //edx=x(x位name的长度)
:004B8CCF 2BD3 sub edx, ebx //edx=x-ebx(第一次等于0,)
:004B8CD1 8B4DF4 mov ecx, dword ptr [ebp-0C]
:004B8CD4 0FB65411FF movzx edx, byte ptr [ecx+edx-01] //依次取x-esi位的
name的ASCII值送到edx，(如果是第一次,取的值是空的edx=0)
:004B8CD9 F7EA imul edx //eax*edx
:004B8CDB 83E003 and eax, 00000003
:004B8CDE 8D55E8 lea edx, dword ptr [ebp-18]
:004B8CE1 E87E04F5FF call 00409164
:004B8CE6 8B55E8 mov edx, dword ptr [ebp-18]
:004B8CE9 8B45EC mov eax, dword ptr [ebp-14]
:004B8CEC 8B08 mov ecx, dword ptr [eax]
:004B8CEE FF5134 call [ecx+34]
:004B8CF1 EB57 jmp 004B8D4A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CC3(C) //N是奇数位的跳到这里
|
:004B8CF3 8BC3 mov eax, ebx //将计数器ebx的值重新赋予eax
:004B8CF5 B903000000 mov ecx, 00000003 //ecx=$3
:004B8CFA 99 cdq
:004B8CFB F7F9 idiv ecx //eax/$3
:004B8CFD 85D2 test edx, edx //有余数跳，N9,N3不跳
:004B8CFF 752B jne 004B8D2C
:004B8D01 8B45F4 mov eax, dword ptr [ebp-0C] eax=name
:004B8D04 0FB64418FF movzx eax, byte ptr [eax+ebx-01]//依次取..N9,N3的值
:004B8D09 8BD6 mov edx, esi
:004B8D0B 2BD3 sub edx, ebx
:004B8D0D 8B4DF4 mov ecx, dword ptr [ebp-0C]
:004B8D10 0FB65411FF movzx edx, byte ptr [ecx+edx-01] //同004B8CD4
:004B8D15 03C2 add eax, edx //eax+edx
:004B8D17 8D55E4 lea edx, dword ptr [ebp-1C]
:004B8D1A E84504F5FF call 00409164
:004B8D1F 8B55E4 mov edx, dword ptr [ebp-1C]
:004B8D22 8B45EC mov eax, dword ptr [ebp-14]
:004B8D25 8B08 mov ecx, dword ptr [eax]
:004B8D27 FF5134 call [ecx+34]
:004B8D2A EB1E jmp 004B8D4A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CFF(C) //剩下的跳到这里
|
:004B8D2C 8B45F4 mov eax, dword ptr [ebp-0C] //..n7,n5,n1
:004B8D2F 0FB64418FF movzx eax, byte ptr [eax+ebx-01] //依次取..N7,N5,N1的值
:004B8D34 83C005 add eax, 00000005 //eax+$5
:004B8D37 8D55E0 lea edx, dword ptr [ebp-20]
:004B8D3A E82504F5FF call 00409164
:004B8D3F 8B55E0 mov edx, dword ptr [ebp-20]
:004B8D42 8B45EC mov eax, dword ptr [ebp-14]
:004B8D45 8B08 mov ecx, dword ptr [eax]
:004B8D47 FF5134 call [ecx+34]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B8CF1(U), :004B8D2A(U)
|
:004B8D4A 4B dec ebx //ebx是计数器,减一
:004B8D4B 85DB test ebx, ebx
:004B8D4D 0F8F60FFFFFF jg 004B8CB3 //取完就跳出循环！
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8CAD(C)
|
:004B8D53 8B45EC mov eax, dword ptr [ebp-14]
:004B8D56 8B10 mov edx, dword ptr [eax]
:004B8D58 FF5214 call [edx+14]
:004B8D5B 8BF0 mov esi, eax
:004B8D5D 4E dec esi
:004B8D5E 85F6 test esi, esi
:004B8D60 7C22 jl 004B8D84
:004B8D62 46 inc esi
:004B8D63 33DB xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D82(C)
|
:004B8D65 8D4DDC lea ecx, dword ptr [ebp-24] //按顺序将sn连接
:004B8D68 8BD3 mov edx, ebx
:004B8D6A 8B45EC mov eax, dword ptr [ebp-14]
:004B8D6D 8B38 mov edi, dword ptr [eax]
:004B8D6F FF570C call [edi+0C]
:004B8D72 8B55DC mov edx, dword ptr [ebp-24]
:004B8D75 8D45F0 lea eax, dword ptr [ebp-10]
:004B8D78 8B4DF0 mov ecx, dword ptr [ebp-10]
:004B8D7B E88CB2F4FF call 0040400C
:004B8D80 43 inc ebx
:004B8D81 4E dec esi
:004B8D82 75E1 jne 004B8D65
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D60(C)
|
:004B8D84 33C0 xor eax, eax //d *ebp-10=注册码
:004B8D86 5A pop edx
:004B8D87 59 pop ecx
:004B8D88 59 pop ecx
:004B8D89 648910 mov dword ptr fs:[eax], edx
:004B8D8C 68A18D4B00 push 004B8DA1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B8D9F(U)
|
:004B8D91 8B45EC mov eax, dword ptr [ebp-14]
:004B8D94 E85BA2F4FF call 00402FF4
:004B8D99 C3 ret
　

N9 N8 N7 N6 N5 N4 N3 N2 N1
72 61 74 73 74 68 67 69 6E
0(N0) 6E(N1) 74+5 67(N3) 74+5 74(N5) 73(N6) 74(N7) 6E+5
72+0 61*6E 79 73*67 79 68*74 67+73 69*74 73
29AE 2E45 2F20 DA 2F94
and 3 and 3 and 3 and 3
114 2 121 1 121 0 218 0 115

最后连接1150218012111212114

总结：
设name的长度为x,第几位为y，第y位的ASCII值为Ny，第(x-y)位的ASCII值为N(x-y)
1.N2,N4,N6,N8,...= Ny*N(x-y) and $3
2.n3,n9...3的倍数 = Ny+N(x-y)
3.N1,N5,N7..= Ny+$5
将上面的值转化为10进制值,按N1,N2,N3..Nx的顺序连起来。

不好意思，写的比较乱。

注册表位置:
HKEY_LOCAL_MACHINE\Software\zigsoft\rw1.5\setup\RWCode

文章评论

查看所有0条评论>>

热门文章 去除winrar注册框方法