【标题】：支票快打 V3.01 算法分析
【关键字】：算法分析,01,V3,01
【来源】：网络

支票快打 V3.01 算法分析

【软件限制】：时间限制、功能限制。

【破解工具】：TRW2000娃娃修改版、FI2.5、UPXWin、W32Dasm8.93黄金版

—————————————————————————————
【过程】：

zpkda.exe是UPX1.2壳，用UPXWin脱壳。W32Dasm反汇编，很慢很慢。
反汇编后保存的文件竟然有63M之巨！

--------------------------------------------------------
TRW2000装入程序。
填好试炼信息。试炼码要9位！

BPX HMEMCPY 点“注册认证”，拦住！
BD，PMODULE返回程序领空。

F12七次，到达核心。

请看：

* Possible StringData Ref from Code Obj ->"CD750327VU9U7LYANG1F1SWXNEGT52K2HY6MJ9I385R4B8"
->"Q16ZA3LI94P7"
|
:006A7CEE BAD07D6A00 mov edx, 006A7DD0
:006A7CF3 E890CBD5FF call 00404888
:006A7CF8 33DB xor ebx, ebx
:006A7CFA 8B45F8 mov eax, dword ptr [ebp-08]
:006A7CFD E8A6CDD5FF call 00404AA8
:006A7D02 8BF0 mov esi, eax
:006A7D04 8B45F4 mov eax, dword ptr [ebp-0C]

:006A7D07 E89CCDD5FF call 00404AA8

:006A7D0C 3BF0 cmp esi, eax
====>? ESI=9即注册码需要9位！

:006A7D0E 7404 je 006A7D14
====>应跳！不跳则OVER！

:006A7D10 C645F300 mov [ebp-0D], 00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006A7D0E(C)
|
:006A7D14 8B45F4 mov eax, dword ptr [ebp-0C]
:006A7D17 E88CCDD5FF call 00404AA8
:006A7D1C 50 push eax
:006A7D1D 8B45F8 mov eax, dword ptr [ebp-08]
:006A7D20 E883CDD5FF call 00404AA8
:006A7D25 5A pop edx
:006A7D26 E819B1D8FF call 00432E44
:006A7D2B 8BF8 mov edi, eax
:006A7D2D 85FF test edi, edi
:006A7D2F 7E40 jle 006A7D71
:006A7D31 BE01000000 mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006A7D6F(C)
|
:006A7D36 8D45E8 lea eax, dword ptr [ebp-18]
:006A7D39 8B55F8 mov edx, dword ptr [ebp-08]
:006A7D3C 8A5432FF mov dl, byte ptr [edx+esi-01]
:006A7D40 E88BCCD5FF call 004049D0
:006A7D45 8B45E8 mov eax, dword ptr [ebp-18]
:006A7D48 E8E71ED6FF call 00409C34
:006A7D4D 03D8 add ebx, eax
:006A7D4F 43 inc ebx
:006A7D50 8BC3 mov eax, ebx
:006A7D52 B93B000000 mov ecx, 0000003B
:006A7D57 99 cdq
:006A7D58 F7F9 idiv ecx

:006A7D5A 8B45EC mov eax, dword ptr [ebp-14]
====>过此行 D EAX=一张表
CD750327VU9U7LYANG1F1SWXNEGT52K2HY6MJ9I385R4B8Q16ZA3LI94P7

:006A7D5D 8A0410 mov al, byte ptr [eax+edx]
====>根据申请码进行运算，
从表中不同位置取数！！

:006A7D60 8B55F4 mov edx, dword ptr [ebp-0C]
====>试炼码移入EDX

====>分9次逐一比较注册码！
你可以？AL=真码。TRW调试时可用R FL Z命令使下面的JE跳转。
共循环9次，分别得出你的真码！！！

:006A7D67 7404 je 006A7D6D
====>应跳！不跳则OVER！
TRW下 R FL Z

:006A7D69 C645F300 mov [ebp-0D], 00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006A7D67(C)
|
:006A7D6D 46 inc esi
:006A7D6E 4F dec edi
:006A7D6F 75C5 jne 006A7D36
====>循环9次！！！

--------------------------------------------------------
* Possible StringData Ref from Code Obj ->"伢E"
|
:006D20C4 A1F0166D00 mov eax, dword ptr [006D16F0]
:006D20C9 E85602DAFF call 00472324
:006D20CE 8B15D4136F00 mov edx, dword ptr [006F13D4]
:006D20D4 8902 mov dword ptr [edx], eax
:006D20D6 A1D4136F00 mov eax, dword ptr [006F13D4]
:006D20DB 8B00 mov eax, dword ptr [eax]
:006D20DD 8B10 mov edx, dword ptr [eax]

:006D20DF FF92E8000000 call dword ptr [edx+000000E8]
====>呵呵，胜利女神！

:006D20E5 A1D4136F00 mov eax, dword ptr [006F13D4]
:006D20EA 8B00 mov eax, dword ptr [eax]
:006D20EC E8B318D3FF call 004039A4
:006D20F1 A1D8136F00 mov eax, dword ptr [006F13D8]
:006D20F6 8B00 mov eax, dword ptr [eax]
:006D20F8 8B80AC000000 mov eax, dword ptr [eax+000000AC]
:006D20FE E839B1DFFF call 004CD23C
:006D2103 A194156F00 mov eax, dword ptr [006F1594]
:006D2108 8B00 mov eax, dword ptr [eax]
:006D210A C780F4030000FFFFFFFF mov dword ptr [ebx+000003F4], FFFFFFFF
:006D2114 A1D8136F00 mov eax, dword ptr [006F13D8]
:006D2119 8B00 mov eax, dword ptr [eax]
:006D211B C6802002000001 mov byte ptr [eax+00000220], 01
:006D2122 8D55A0 lea edx, dword ptr [ebp-60]
:006D2125 8B83F8020000 mov eax, dword ptr [ebx+000002F8]
:006D212B E8A05DD8FF call 00457ED0
:006D2130 8B45A0 mov eax, dword ptr [ebp-60]
:006D2133 8D55A4 lea edx, dword ptr [ebp-5C]
:006D2136 E85575D3FF call 00409690
:006D213B 8B55A4 mov edx, dword ptr [ebp-5C]
:006D213E A1D8136F00 mov eax, dword ptr [006F13D8]
:006D2143 8B00 mov eax, dword ptr [eax]
:006D2145 8B8080010000 mov eax, dword ptr [eax+00000180]
:006D214B 8B08 mov ecx, dword ptr [eax]
:006D214D FF91B0000000 call dword ptr [ecx+000000B0]
:006D2153 A1D8136F00 mov eax, dword ptr [006F13D8]
:006D2158 8B00 mov eax, dword ptr [eax]
:006D215A 8B80AC000000 mov eax, dword ptr [eax+000000AC]
:006D2160 8B10 mov edx, dword ptr [eax]
:006D2162 FF9248020000 call dword ptr [edx+00000248]

* Possible StringData Ref from Code Obj ->"退出"
|
:006D2168 BA48226D00 mov edx, 006D2248
:006D216D 8B8324030000 mov eax, dword ptr [ebx+00000324]
:006D2173 E8885DD8FF call 00457F00
:006D2178 EB19 jmp 006D2193

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006D205E(C)
|
:006D217A 6A00 push 00000000

* Possible StringData Ref from Code Obj ->"注册失败!"
====>BAD BOY！

:006D217C 6850226D00 push 006D2250

* Possible StringData Ref from Code Obj ->"请核对注册码后重新注册!"
|
:006D2181 685C226D00 push 006D225C
:006D2186 8BC3 mov eax, ebx
—————————————————————————————

【爆破】：

1、006A7D0E 7404 je 006A7D14--->改为JMP

2、006A7D67 7404 je 006A7D6D--->改为JMP

—————————————————————————————

【整理】：

单位：fly
申请码：21288-60692-HB61075
认证码：77S2IRB37

英语会话精灵 V2.0 算法分析：【上一篇】
飞跃英语Ⅳ算法分析：【下一篇】

【相关文章】

英语会话精灵 V2.0 算法分析

某电子书注册破解实录算法分析

《我也爱背单词2002+》破解过程算法分析

文晟扫描5. 0 之破解经过算法分析