【破文标题】Better File Rename V5.3.1算法逆向+系列注册机源码
【破文作者】Playboysen
【作者邮箱】playboysen@126.com
【破解工具】PEiD,OD
【破解平台】Windows XP
【软件大小】1.6 MB
【软件授权】共享版($19.95)
【软件语言】英文
【原版下载】418K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4m8#2j5X3I4A6j5%4y4H3j5h3y4W2i4K6u0W2L8X3g2@1i4K6u0r3N6$3W2F1k6r3!0%4M7#2)9J5c8V1u0W2N6s2c8W2M7V1k6A6L8r3g2d9k6h3&6S2L8h3g2Q4x3V1k6V1L8%4N6F1L8r3!0S2k6q4)9J5k6h3S2@1L8h3H3`.
【保护方式】注册码
【软件简介】一款WINDOWS资源管理器的扩展外壳, 可以帮助你快速简便地修改文件名和文件修改时间。功能有:强大的命名方式,文字、日期和序列数字的添加、去除、插入和替换;支持数字列表的创建、改变、添加、抽取等;支持文件建立日期、修正日期、EXIF中日期的修改;可以分别处理文件名和扩展名
【破解声明】一点心得,愿与大家分享o(∩_∩)o 版权所有,转载注明作者!
【破解内容】
昨天整理一些试题材料(一二百份文件)需要修改一下文件名,就找了一款别人推荐的文件重命名的软件,很好用,但是不注册每次只能修改10个文件名,害我折腾了半个多小时才弄完,火气——我只不过是想用一次,就仅仅一次,都不给机会!干脆,拉出来练手!
Better File Rename V5.3.1(081103更新),无壳,未注册启动有NAG,功能限制,单一注册码保护方式,有错误提示,OD载入查找字符串无果,怀疑是字符串加密或者软件多数功能并不在主程序中,查看软件根目录有同名dll文件——可疑之处。
踩点完毕,开工。OD载入后运行至出现NAG,下MessageBoxA和MessageBoxW断点(以防万一),随便填写注册码注册后断下,逆跟踪至此:
1000D705 |> \6A 00 push 0 ; 错误对话框
1000D707 |. 68 00820910 push Bfr_1.10098200 ; error
1000D70C |. 68 B4810910 push Bfr_1.100981B4 ; the registration code is not correct.
1000D711 |. 8B8D 94FEFFFF mov ecx,dword ptr ss:[ebp-16C]
1000D717 |. E8 11370600 call Bfr_1.10070E2D
1000D71C |> C645 FC 00 mov byte ptr ss:[ebp-4],0
1000D720 |. 8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-B4]
1000D726 |. E8 5E520600 call Bfr_1.10072989
1000D72B |> C745 FC 09000000 mov dword ptr ss:[ebp-4],9
1000D59B |. C645 FC 01 mov byte ptr ss:[ebp-4],1
1000D59F |. 8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-B4]
1000D5A5 |. E8 FA580600 call Bfr_1.10072EA4 ; 取注册码
1000D5AA |. 8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-B4]
1000D5B0 |. E8 31FC0500 call Bfr_1.1006D1E6
1000D5B5 |. C785 48FFFFFF 00>mov dword ptr ss:[ebp-B8],0
1000D5BF |. EB 0F jmp short Bfr_1.1000D5D0
1000D5C1 |> 8B8D 48FFFFFF /mov ecx,dword ptr ss:[ebp-B8] ; 这一段循环目的是加密所输入的注册码
1000D5C7 |. 83C1 01 |add ecx,1 ; 每循环一次计数器加1
1000D5CA |. 898D 48FFFFFF |mov dword ptr ss:[ebp-B8],ecx
1000D5D0 |> 8B95 4CFFFFFF mov edx,dword ptr ss:[ebp-B4] ; 注册码放入
1000D5D6 |. 8B42 F8 |mov eax,dword ptr ds:[edx-8] ; 注册码长度放入
1000D5D9 |. 8985 9CFEFFFF |mov dword ptr ss:[ebp-164],eax
1000D5DF |. 8B8D 48FFFFFF |mov ecx,dword ptr ss:[ebp-B8] ; 计数器
1000D5E5 |. 3B8D 9CFEFFFF |cmp ecx,dword ptr ss:[ebp-164] ; 比较是否加密完成
1000D5EB |. 7D 3E |jge short Bfr_1.1000D62B
1000D5ED |. 8B95 48FFFFFF |mov edx,dword ptr ss:[ebp-B8] ; 计数器的值放入EDX
1000D5F3 |. 8B85 4CFFFFFF |mov eax,dword ptr ss:[ebp-B4] ; 加密后的注册码放入EAX
1000D5F9 |. 66:8B0C50 |mov cx,word ptr ds:[eax+edx*2] ; 从前到后依次取注册码的每一位
1000D5FD |. 66:898D 98FEFFFF |mov word ptr ss:[ebp-168],cx
1000D604 |. 8B95 98FEFFFF |mov edx,dword ptr ss:[ebp-168] ; 取出的每一位单独放入EDX
1000D60A |. 81E2 FFFF0000 |and edx,0FFFF
1000D610 |. 0395 48FFFFFF |add edx,dword ptr ss:[ebp-B8] ; 取出的注册码的每一位+(其所在的位数-1)
1000D616 |. 52 |push edx
1000D617 |. 8B85 48FFFFFF |mov eax,dword ptr ss:[ebp-B8] ; 计数器的值放入
1000D61D |. 50 |push eax
1000D61E |. 8D8D 4CFFFFFF |lea ecx,dword ptr ss:[ebp-B4]
1000D624 |. E8 B1580600 |call Bfr_1.10072EDA
1000D629 |.^ EB 96 \jmp short Bfr_1.1000D5C1
1000D62B |> 51 push ecx
1000D62C |. 8BCC mov ecx,esp
1000D62E |. 89A5 A0FEFFFF mov dword ptr ss:[ebp-160],esp
1000D634 |. 8D95 4CFFFFFF lea edx,dword ptr ss:[ebp-B4] ; 出现加密后的假码
1000D63A |. 52 push edx
1000D63B |. E8 B6500600 call Bfr_1.100726F6
1000D640 |. 8985 90FEFFFF mov dword ptr ss:[ebp-170],eax
1000D646 |. E8 5549FFFF call Bfr_1.10001FA0 ; 跟踪发现此为关键call
1000D64B |. 83C4 04 add esp,4
1000D64E |. 8985 8CFEFFFF mov dword ptr ss:[ebp-174],eax
1000D654 |. 8B85 8CFEFFFF mov eax,dword ptr ss:[ebp-174]
1000D65A |. 8985 50FFFFFF mov dword ptr ss:[ebp-B0],eax
1000D660 |. 83BD 50FFFFFF 00 cmp dword ptr ss:[ebp-B0],0
1000D667 |. 75 2A jnz short Bfr_1.1000D693 ; 关键跳
1000D669 |. 8D8D 4CFFFFFF lea ecx,dword ptr ss:[ebp-B4]
1000D66F |. 51 push ecx
1000D670 |. 8B8D 94FEFFFF mov ecx,dword ptr ss:[ebp-16C]
1000D676 |. 83C1 5C add ecx,5C
1000D679 |. E8 52540600 call Bfr_1.10072AD0
1000D67E |. 68 21300000 push 3021
1000D683 |. 8B8D 94FEFFFF mov ecx,dword ptr ss:[ebp-16C]
1000D689 |. E8 3A1B0600 call Bfr_1.1006F1C8
1000D68E |. E9 89000000 jmp Bfr_1.1000D71C
1000D693 |> 83BD 50FFFFFF 00 cmp dword ptr ss:[ebp-B0],0
1000D69A |. 7E 69 jle short Bfr_1.1000D705 ; 关键跳
......
1000D705 |> 6A 00 push 0 ; /错误对话框
1000D707 |. 68 00820910 push Bfr_1.10098200 ; |error
1000D70C |. 68 B4810910 push Bfr_1.100981B4 ; |the registration code is not correct.
1000D711 |. 8B8D 94FEFFFF mov ecx,dword ptr ss:[ebp-16C] ; |
1000D717 |. E8 11370600 call Bfr_1.10070E2D ; \Bfr_1.10070E2D
10001FB8 |. 81EC A8000000 sub esp,0A8
10001FBE |. C745 FC 00000000 mov dword ptr ss:[ebp-4],0
10001FC5 |. 68 14830910 push Bfr_1.10098314 ; bgt0exzo5:<ce:ahcj?gink
10001FCA |. 8D4D EC lea ecx,dword ptr ss:[ebp-14]
10001FCD |. E8 800A0700 call Bfr_1.10072A52
10001FD2 |. C645 FC 01 mov byte ptr ss:[ebp-4],1
10001FD6 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
10001FD9 |. 8945 A0 mov dword ptr ss:[ebp-60],eax
10001FDC |. 8B4D A0 mov ecx,dword ptr ss:[ebp-60]
10001FDF |. 51 push ecx
10001FE0 |. 8B55 08 mov edx,dword ptr ss:[ebp+8]
10001FE3 |. 52 push edx
10001FE4 |. E8 10360400 call Bfr_1.100455F9 ; 关键处,F7跟进
10001FE9 |. 83C4 08 add esp,8
10001FEC |. 8945 9C mov dword ptr ss:[ebp-64],eax ; 上面call的返回值放入
10001FEF |. 33C0 xor eax,eax
10001FF1 |. 837D 9C 00 cmp dword ptr ss:[ebp-64],0 ; 其实还是比较上面call的返回值
10001FF5 |. 0F94C0 sete al
10001FF8 |. 25 FF000000 and eax,0FF
10001FFD |. 85C0 test eax,eax
10001FFF |. 0F85 E4000000 jnz Bfr_1.100020E9 ; 如果跳转则提示输入的是v4版本的注册码
10002005 |. 68 FC820910 push Bfr_1.100982FC ; bgv0fxzz5b<be:bbij?gjnk
1000200A |. 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
......
10002048 |. 85D2 test edx,edx
1000204A |. 0F85 99000000 jnz Bfr_1.100020E9 ; 提示V4版本注册码
10002050 |. 68 E4820910 push Bfr_1.100982E4 ; bgt0exzo5;=@b:?ceg?ifnn
10002055 |. 8D4D DC lea ecx,dword ptr ss:[ebp-24]
......
1000208D |. 81E1 FF000000 and ecx,0FF
10002093 |. 85C9 test ecx,ecx
10002095 |. 75 52 jnz short Bfr_1.100020E9 ; 提示V4版本注册码
10002097 |. 68 CC820910 push Bfr_1.100982CC ; bgv0fxzz5@>=a:ceii?lgjj
1000209C |. 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
......
100020D4 |. 25 FF000000 and eax,0FF
100020D9 |. 85C0 test eax,eax
100020DB |. 75 0C jnz short Bfr_1.100020E9 ; 提示V4版本注册码
100020DD |. C785 70FFFFFF 00>mov dword ptr ss:[ebp-90],0
100020E7 |. EB 0A jmp short Bfr_1.100020F3
100020E9 |> C785 70FFFFFF 01>mov dword ptr ss:[ebp-90],1
100020F3 |> 8A8D 70FFFFFF mov cl,byte ptr ss:[ebp-90]
100020F9 |. 884D F0 mov byte ptr ss:[ebp-10],cl
100020FC |. C645 FC 00 mov byte ptr ss:[ebp-4],0
10002100 |. 8D4D EC lea ecx,dword ptr ss:[ebp-14]
10002103 |. E8 81080700 call Bfr_1.10072989
10002108 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
1000210B |. 81E2 FF000000 and edx,0FF
10002111 |. 85D2 test edx,edx
10002113 |. 74 1E je short Bfr_1.10002133 ; 如果没有跳,说明是V4注册码
10002115 |. C745 D0 01000000 mov dword ptr ss:[ebp-30],1
1000211C |. C745 FC FFFFFFFF mov dword ptr ss:[ebp-4],-1
10002123 |. 8D4D 08 lea ecx,dword ptr ss:[ebp+8]
10002126 |. E8 5E080700 call Bfr_1.10072989
1000212B |. 8B45 D0 mov eax,dword ptr ss:[ebp-30]
1000212E |. E9 E3010000 jmp Bfr_1.10002316
10002133 |> 68 B4820910 push Bfr_1.100982B4 ; bgt0exlo5=<ce:ahid?lgjl
10002138 |. 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
1000213B |. E8 12090700 call Bfr_1.10072A52
10002140 |. C645 FC 02 mov byte ptr ss:[ebp-4],2
10002144 |. 8B45 C8 mov eax,dword ptr ss:[ebp-38]
10002147 |. 8945 80 mov dword ptr ss:[ebp-80],eax
1000214A |. 8B4D 80 mov ecx,dword ptr ss:[ebp-80]
1000214D |. 51 push ecx
1000214E |. 8B55 08 mov edx,dword ptr ss:[ebp+8]
10002151 |. 52 push edx
10002152 |. E8 A2340400 call Bfr_1.100455F9 ; 关键,同上
10002157 |. 83C4 08 add esp,8
1000215A |. 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax
10002160 |. 33C0 xor eax,eax
10002162 |. 83BD 7CFFFFFF 00 cmp dword ptr ss:[ebp-84],0
10002169 |. 0F94C0 sete al
1000216C |. 25 FF000000 and eax,0FF
10002171 |. 85C0 test eax,eax
10002173 |. 75 5F jnz short Bfr_1.100021D4
10002175 |. 68 9C820910 push Bfr_1.1009829C ; bgv0fxlz5<<ae:fhhj?lgnk
1000217A |. 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
1000217D |. E8 D0080700 call Bfr_1.10072A52
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
