[转载]ACCESS密码查看器算法分析
文章作者:Genius【破解作者】 Genius
【作者邮箱】 [email]trains1982@163.com[/email]
【作者主页】 [url]http://easysun.3322.net/[/url]
【使用工具】 OD
【破解平台】 Win9x/NT/2000/XP
【软件名称】 ACCESS密码查看器
【软件简介】 “ACCESS密码查看器”的说明
本软件可以查看ACCESS97、ACCESS2000、ACCESS XP数据库的密码。
1.可以查看20位的ACCESS2000,ACCESS XP密码。
2.目前此版本已支持中文密码。
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
00488593 > 8D55 F8 LEA EDX, DWORD PTR SS:[EBP-8]
00488596 . 8B83 00030000 MOV EAX, DWORD PTR DS:[EBX+300]
0048859C . E8 0BDBFAFF CALL accesspa.004360AC ; 取出测试号
004885A1 . 8B45 F8 MOV EAX, DWORD PTR SS:[EBP-8]
004885A4 . 50 PUSH EAX
004885A5 . 8D55 F0 LEA EDX, DWORD PTR SS:[EBP-10]
004885A8 . 8B83 F8020000 MOV EAX, DWORD PTR DS:[EBX+2F8]
004885AE . E8 F9DAFAFF CALL accesspa.004360AC ; 取出机器号
004885B3 . 8B55 F0 MOV EDX, DWORD PTR SS:[EBP-10]
004885B6 . 8D4D F4 LEA ECX, DWORD PTR SS:[EBP-C]
004885B9 . 8BC3 MOV EAX, EBX
004885BB . E8 F0010000 CALL accesspa.004887B0 ;关键call(进入PARTA)
004885C0 . 8B55 F4 MOV EDX, DWORD PTR SS:[EBP-C]
004885C3 . 58 POP EAX
004885C4 . E8 57C3F7FF CALL accesspa.00404920 ;比较call
004885C9 . 0F85 F2000000 JNZ accesspa.004886C1 =======>相等注册成功
004885CF . B2 01 MOV DL, 1
===================写入注册表==================================================================
004885D1 . A1 30984500 MOV EAX, DWORD PTR DS:[459830]
004885D6 . E8 5513FDFF CALL accesspa.00459930
004885DB . 8BF0 MOV ESI, EAX
004885DD . BA 02000080 MOV EDX, 80000002
004885E2 . 8BC6 MOV EAX, ESI
004885E4 . E8 E713FDFF CALL accesspa.004599D0
004885E9 . B1 01 MOV CL, 1
004885EB . BA 44874800 MOV EDX, accesspa.00488744 ; ASCII \"SOFTWARE\\Microsoft\\ap\"
004885F0 . 8BC6 MOV EAX, ESI
004885F2 . E8 1915FDFF CALL accesspa.00459B10
004885F7 . B9 01000000 MOV ECX, 1
004885FC . BA 64874800 MOV EDX, accesspa.00488764 ; ASCII \"apreg\"
00488601 . 8BC6 MOV EAX, ESI
00488603 . E8 A816FDFF CALL accesspa.00459CB0
00488608 . 8D55 EC LEA EDX, DWORD PTR SS:[EBP-14]
0048860B . 8B83 00030000 MOV EAX, DWORD PTR DS:[EBX+300]
00488611 . E8 96DAFAFF CALL accesspa.004360AC
00488616 . 8B4D EC MOV ECX, DWORD PTR SS:[EBP-14]
00488619 . BA 74874800 MOV EDX, accesspa.00488774 ; ASCII \"sn\"
0048861E . 8BC6 MOV EAX, ESI
00488620 . E8 5F16FDFF CALL accesspa.00459C84
00488625 . 8D55 E8 LEA EDX, DWORD PTR SS:[EBP-18]
00488628 . 8B83 F8020000 MOV EAX, DWORD PTR DS:[EBX+2F8]
0048862E . E8 79DAFAFF CALL accesspa.004360AC
00488633 . 8B4D E8 MOV ECX, DWORD PTR SS:[EBP-18]
00488636 . BA 80874800 MOV EDX, accesspa.00488780 ; ASCII \"cpuid\"
0048863B . 8BC6 MOV EAX, ESI
==================================================================================================
-------------------------------------
进入PARTA后
00488807 |. BB 01000000 MOV EBX, 1 ; ebx=1
0048880C |> 8D45 EC /LEA EAX, [LOCAL.5]
0048880F |. 8B55 F8 |MOV EDX, [LOCAL.2]
00488812 |. 8A541A FF |MOV DL, BYTE PTR DS:[EDX+EBX-1] ; 取出机器码的每一位送给dl
00488816 |. E8 D9BEF7FF |CALL accesspa.004046F4
0048881B |. 8B45 EC |MOV EAX, [LOCAL.5]
0048881E |. 8D55 F0 |LEA EDX, [LOCAL.4]
00488821 |. E8 6AFFF7FF |CALL accesspa.00408790 ; 检查是否是数字
00488826 |. 8B45 F0 |MOV EAX, [LOCAL.4]
00488829 |. BA 94894800 |MOV EDX, accesspa.00488994
0048882E |. E8 EDC0F7FF |CALL accesspa.00404920 ; 检查是否是1
00488833 |. 75 12 |JNZ SHORT accesspa.00488847
00488835 |. 8D45 F4 |LEA EAX, [LOCAL.3]
00488838 |. BA A0894800 |MOV EDX, accesspa.004889A0
0048883D |. E8 A2BFF7FF |CALL accesspa.004047E4 ; 如果是1就变成L
00488842 |. E9 07010000 |JMP accesspa.0048894E
00488847 |> 8D45 E4 |LEA EAX, [LOCAL.7]
0048884A |. 8B55 F8 |MOV EDX, [LOCAL.2]
0048884D |. 8A541A FF |MOV DL, BYTE PTR DS:[EDX+EBX-1]
00488851 |. E8 9EBEF7FF |CALL accesspa.004046F4
00488856 |. 8B45 E4 |MOV EAX, [LOCAL.7]
00488859 |. 8D55 E8 |LEA EDX, [LOCAL.6]
0048885C |. E8 2FFFF7FF |CALL accesspa.00408790
00488861 |. 8B45 E8 |MOV EAX, [LOCAL.6]
00488864 |. BA AC894800 |MOV EDX, accesspa.004889AC
00488869 |. E8 B2C0F7FF |CALL accesspa.00404920 ; 检查是否是3
0048886E |. 75 12 |JNZ SHORT accesspa.00488882
00488870 |. 8D45 F4 |LEA EAX, [LOCAL.3]
00488873 |. BA B8894800 |MOV EDX, accesspa.004889B8
00488878 |. E8 67BFF7FF |CALL accesspa.004047E4
0048887D |. E9 CC000000 |JMP accesspa.0048894E ;如果是3就变成O
00488882 |> 8D45 DC |LEA EAX, [LOCAL.9]
00488885 |. 8B55 F8 |MOV EDX, [LOCAL.2]
00488888 |. 8A541A FF |MOV DL, BYTE PTR DS:[EDX+EBX-1]
0048888C |. E8 63BEF7FF |CALL accesspa.004046F4
00488891 |. 8B45 DC |MOV EAX, [LOCAL.9]
00488894 |. 8D55 E0 |LEA EDX, [LOCAL.8]
00488897 |. E8 F4FEF7FF |CALL accesspa.00408790
0048889C |. 8B45 E0 |MOV EAX, [LOCAL.8]
0048889F |. BA C4894800 |MOV EDX, accesspa.004889C4
004888A4 |. E8 77C0F7FF |CALL accesspa.00404920 ; 检查是否是5
004888A9 |. 75 12 |JNZ SHORT accesspa.004888BD
004888AB |. 8D45 F4 |LEA EAX, [LOCAL.3]
004888AE |. BA D0894800 |MOV EDX, accesspa.004889D0
004888B3 |. E8 2CBFF7FF |CALL accesspa.004047E4
004888B8 |. E9 91000000 |JMP accesspa.0048894E ;如果是5就变成V
004888BD |> 8D45 D4 |LEA EAX, [LOCAL.11]
004888C0 |. 8B55 F8 |MOV EDX, [LOCAL.2]
004888C3 |. 8A541A FF |MOV DL, BYTE PTR DS:[EDX+EBX-1]
004888C7 |. E8 28BEF7FF |CALL accesspa.004046F4
004888CC |. 8B45 D4 |MOV EAX, [LOCAL.11]
004888CF |. 8D55 D8 |LEA EDX, [LOCAL.10]
004888D2 |. E8 B9FEF7FF |CALL accesspa.00408790
004888D7 |. 8B45 D8 |MOV EAX, [LOCAL.10]
004888DA |. BA DC894800 |MOV EDX, accesspa.004889DC
004888DF |. E8 3CC0F7FF |CALL accesspa.00404920 ; 检查是否是7
004888E4 |. 75 0F |JNZ SHORT accesspa.004888F5
004888E6 |. 8D45 F4 |LEA EAX, [LOCAL.3]
004888E9 |. BA E8894800 |MOV EDX, accesspa.004889E8
004888EE |. E8 F1BEF7FF |CALL accesspa.004047E4
004888F3 |. EB 59 |JMP SHORT accesspa.0048894E ;如果是7就变成E
004888F5 |> 8D45 CC |LEA EAX, [LOCAL.13]
004888F8 |. 8B55 F8 |MOV EDX, [LOCAL.2]
004888FB |. 8A541A FF |MOV DL, BYTE PTR DS:[EDX+EBX-1]
004888FF |. E8 F0BDF7FF |CALL accesspa.004046F4
00488904 |. 8B45 CC |MOV EAX, [LOCAL.13]
00488907 |. 8D55 D0 |LEA EDX, [LOCAL.12]
0048890A |. E8 81FEF7FF |CALL accesspa.00408790
0048890F |. 8B45 D0 |MOV EAX, [LOCAL.12]
00488912 |. BA F4894800 |MOV EDX, accesspa.004889F4
00488917 |. E8 04C0F7FF |CALL accesspa.00404920 ; 检查是否是9
0048891C |. 75 0F |JNZ SHORT accesspa.0048892D
0048891E |. 8D45 F4 |LEA EAX, [LOCAL.3]
00488921 |. BA 008A4800 |MOV EDX, accesspa.00488A00
00488926 |. E8 B9BEF7FF |CALL accesspa.004047E4 ;如果是9就变成U
0048892B |. EB 21 |JMP SHORT accesspa.0048894E
0048892D |> 8D45 C8 |LEA EAX, [LOCAL.14]
00488930 |. 8B55 F8 |MOV EDX, [LOCAL.2]
00488933 |. 0FB6541A FF |MOVZX EDX, BYTE PTR DS:[EDX+EBX-1]
00488938 |. 83C2 40 |ADD EDX, 40 注意*******
0048893B |. 83E2 7F |AND EDX, 7F 注意*********
0048893E |. E8 B1BDF7FF |CALL accesspa.004046F4 ; 把16位ascii码变成字符
00488943 |. 8B55 C8 |MOV EDX, [LOCAL.14]
00488946 |. 8D45 F4 |LEA EAX, [LOCAL.3]
00488949 |. E8 96BEF7FF |CALL accesspa.004047E4
0048894E |> 43 |INC EBX
0048894F |. 4E |DEC ESI
00488950 |.^ 0F85 B6FEFFFF \\JNZ accesspa.0048880C
00488956 |> 8BC7 MOV EAX, EDI
00488958 |. 8B55 F4 MOV EDX, [LOCAL.3] =============> 保存
--------------------------------------------------------------------------------
【破解总结】
这部分的看起来,很长,它的意思很简单,就是
算法:
如果测试号的数字,是基数加0x40 AND 0X7F,最后变为字符串
如果测试号的数字,是偶数就变成1变成\'L\',3变成\'O\',5变成\'V\',\'7\'变成\'E\',\'9\'变成\'U\',连起来就是\'LOVEU\',作者就满有爱心的嘛,如果谁注册机,就喜欢谁:)
--------------------------------------------------------------------------------
【算法注册机】
附VB注册机
Private Sub Command1_Click()
strtmp = Text1.Text
K = Array(0, &H4C, 0, &H4F, 0, &H56, 0, &H45, 0, &H55)
a = Text1.Text
For i = 1 To Len(a)
If (Val(Mid(a, i, 1)) Mod 2) = 0 Then
b = b & LCase(Chr((Asc(Mid(a, i, 1)) + &H40) And &H7F))
Else
b = b & Chr(K(Val(Mid(a, i, 1))))
End If
Next i
Text2.Text = b
End Sub
--------------------------------------------------------------------------------
页:
[1]