MouseStar 3.55 Algorithm Analysis
Size: 735KB  Category: foreign software / mouse & keyboard
Downloads: 26721  License: shareware
Language: English  Runs on: Win9x/Me/NT/2000/XP/2003
Rating:  Updated: 2008-1-25 14:51:36
Download: http://www.onlinedown.net/soft/12912.htm
Nisy's algorithm analysis: http://www.unpack.cn/viewthread.php?tid=12352
Hi everyone. A couple of days ago I read an algorithm analysis by Nisy in Yi Suo Yan Yu (《一蓑烟雨》), and at the end Nisy said that algorithm analysis isn't hard. Since I'm learning algorithms right now, I thought I'd grab a soft persimmon to squeeze, so I downloaded the software to give it a try. I assumed it would be simple and never expected to run into a hard nut: the analysis took me three evenings, and the strings went back and forth until my head spun, which is how this write-up came about. It's my first algorithm-analysis article, so please bear with anything that isn't clear.
First, of course, check for a packer: there is none, and it was written in Borland Delphi 4.0 - 5.0. With DeDe and PE Explorer I found the registration routine:
00491BF4/.55 push ebp
Load it in OllyDbg and set a breakpoint there.
Username: qianjiangyue  Serial: 0123456789. It breaks here:
00491BF4/.55 PUSH EBP
00491BF5|.8BEC MOV EBP,ESP
00491BF7|.33C9 XOR ECX,ECX
00491BF9|.51 PUSH ECX
00491BFA|.51 PUSH ECX
00491BFB|.51 PUSH ECX
00491BFC|.51 PUSH ECX
00491BFD|.51 PUSH ECX
00491BFE|.51 PUSH ECX
00491BFF|.53 PUSH EBX
00491C00|.56 PUSH ESI
00491C01|.8BD8 MOV EBX,EAX
00491C03|.33C0 XOR EAX,EAX
00491C05|.55 PUSH EBP
00491C06|.68 301D4900 PUSH MouseSta.00491D30
00491C0B|.64:FF30 PUSH DWORD PTR FS:[EAX]
00491C0E|.64:8920 MOV DWORD PTR FS:[EAX],ESP
00491C11|.8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00491C14|.8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+2FC]
00491C1A|.E8 05A0F9FF CALL MouseSta.0042BC24 ;get the length of the username
00491C1F|.8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00491C22|.8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00491C25|.E8 2E64F7FF CALL MouseSta.00408058
00491C2A|.8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
00491C2D|.A1 98BB4900 MOV EAX,DWORD PTR DS:[49BB98]
00491C32|.8B00 MOV EAX,DWORD PTR DS:[EAX]
00491C34|.8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00491C37|.E8 64560000 CALL MouseSta.004972A0 ;serial algorithm call, step in
00491C3C|.8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00491C3F|.8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
00491C45|.E8 DA9FF9FF CALL MouseSta.0042BC24 ;get the length of the entered (fake) serial
00491C4A 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00491C4D|.8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00491C50|.E8 0364F7FF CALL MouseSta.00408058
00491C55|.8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ;fake serial into eax
00491C58|.8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ;real serial into edx
00491C5B|.E8 4C22F7FF CALL MouseSta.00403EAC ;compare real and fake serials
00491C60|.0F85 8F000000 JNZ MouseSta.00491CF5 ;patch point
00491C66|.A1 98BB4900 MOV EAX,DWORD PTR DS:[49BB98]
Step into 00491C37|.E8 64560000 CALL MouseSta.004972A0, the algorithm call:
004972A0/$55 PUSH EBP
004972A1|.8BEC MOV EBP,ESP
004972A3|.6A 00 PUSH 0
004972A5|.6A 00 PUSH 0
004972A7|.6A 00 PUSH 0
004972A9|.6A 00 PUSH 0
004972AB|.6A 00 PUSH 0
004972AD|.6A 00 PUSH 0
004972AF|.6A 00 PUSH 0
004972B1|.53 PUSH EBX
004972B2|.8BD9 MOV EBX,ECX
004972B4|.8955 FC MOV DWORD PTR SS:[EBP-4],EDX
004972B7|.8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004972BA|.E8 91CCF6FF CALL MouseSta.00403F50
004972BF|.33C0 XOR EAX,EAX
004972C1|.55 PUSH EBP
004972C2|.68 48734900 PUSH MouseSta.00497348
004972C7|.64:FF30 PUSH DWORD PTR FS:[EAX]
004972CA|.64:8920 MOV DWORD PTR FS:[EAX],ESP
004972CD|.8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004972D0|.8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ;username into eax
004972D3|.E8 800DF7FF CALL MouseSta.00408058
004972D8|.8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
004972DB|.8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004972DE|.E8 650BF7FF CALL MouseSta.00407E48 ;convert the username to upper case
004972E3|.8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
004972E6|.8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004972E9|.B9 5C734900 MOV ECX,MouseSta.0049735C ;ASCII "DELPHI2005"
004972EE|.E8 F5CAF6FF CALL MouseSta.00403DE8
004972F3|.8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004972F6|.BA 70734900 MOV EDX,MouseSta.00497370 ;ASCII "MagicUtils2005"
004972FB|.E8 B4C8F6FF CALL MouseSta.00403BB4
00497300|.8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00497303|.BA 88734900 MOV EDX,MouseSta.00497388 ;ASCII "zhiyuan"
00497308|.E8 A7C8F6FF CALL MouseSta.00403BB4
0049730D|.8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00497310|.BA 98734900 MOV EDX,MouseSta.00497398 ;ASCII "3.55"
00497315|.E8 9AC8F6FF CALL MouseSta.00403BB4
0049731A|.8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0049731D|.50 PUSH EAX
0049731E|.53 PUSH EBX
0049731F|.8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00497322|.8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
00497325|.8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00497328|.E8 1F8EFFFF CALL MouseSta.0049014C ;key call, step in
0049732D|.33C0 XOR EAX,EAX
0049732F|.5A POP EDX
00497330|.59 POP ECX
00497331|.59 POP ECX
00497332|.64:8910 MOV DWORD PTR FS:[EAX],EDX
00497335|.68 4F734900 PUSH MouseSta.0049734F
0049733A|>8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0049733D|.BA 07000000 MOV EDX,7
00497342|.E8 F9C7F6FF CALL MouseSta.00403B40
00497347\.C3 RETN
After stepping in we see a few strings, which we note down:
The username converted to upper case: qianjiangyue becomes QIANJIANGYUE
DELPHI2005
MagicUtils2005
zhiyuan
3.55
00497328|.E8 1F8EFFFF CALL MouseSta.0049014C is also a key call, step in:
0049014C/$55 PUSH EBP
0049014D|.8BEC MOV EBP,ESP
0049014F|.83C4 EC ADD ESP,-14
00490152|.53 PUSH EBX
00490153|.33DB XOR EBX,EBX
00490155|.895D EC MOV DWORD PTR SS:[EBP-14],EBX
00490158|.895D F0 MOV DWORD PTR SS:[EBP-10],EBX
0049015B|.894D F4 MOV DWORD PTR SS:[EBP-C],ECX
0049015E|.8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00490161|.8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00490164|.8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00490167|.E8 E43DF7FF CALL MouseSta.00403F50
0049016C|.8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049016F|.E8 DC3DF7FF CALL MouseSta.00403F50
00490174|.8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00490177|.E8 D43DF7FF CALL MouseSta.00403F50
0049017C|.8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0049017F|.E8 CC3DF7FF CALL MouseSta.00403F50
00490184|.33C0 XOR EAX,EAX
00490186|.55 PUSH EBP
00490187|.68 F2014900 PUSH MouseSta.004901F2
0049018C|.64:FF30 PUSH DWORD PTR FS:[EAX]
0049018F|.64:8920 MOV DWORD PTR FS:[EAX],ESP
00490192|.FF75 FC PUSH DWORD PTR SS:[EBP-4]
00490195|.FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00490198|.FF75 F4 PUSH DWORD PTR SS:[EBP-C]
0049019B|.FF75 0C PUSH DWORD PTR SS:[EBP+C]
0049019E|.8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
004901A1|.50 PUSH EAX
004901A2|.8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004901A5|.50 PUSH EAX
004901A6|.8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
004901A9|.8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004901AC|.8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004901AF|.E8 80FDFFFF CALL MouseSta.0048FF34 ;computes an important string, you must step into this call
004901B4|.FF75 EC PUSH DWORD PTR SS:[EBP-14]
004901B7|.8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004901BA|.BA 05000000 MOV EDX,5
004901BF|.E8 983CF7FF CALL MouseSta.00403E5C ;joins the strings seen above, key algorithm call 2
004901C4|.8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004901C7|.8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004901CA|.E8 31000000 CALL MouseSta.00490200 ;serial algorithm call, step in
004901CF|.33C0 XOR EAX,EAX
004901D1|.5A POP EDX
004901D2|.59 POP ECX
004901D3|.59 POP ECX
004901D4|.64:8910 MOV DWORD PTR FS:[EAX],EDX
004901D7|.68 F9014900 PUSH MouseSta.004901F9
004901DC|>8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004901DF|.BA 05000000 MOV EDX,5
004901E4|.E8 5739F7FF CALL MouseSta.00403B40
004901E9|.8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]
004901EC|.E8 2B39F7FF CALL MouseSta.00403B1C
004901F1\.C3 RETN
004901F2 .^ E9 3933F7FF JMP MouseSta.00403530
004901F7 .^ EB E3 JMP SHORT MouseSta.004901DC
004901F9 .5B POP EBX
004901FA .8BE5 MOV ESP,EBP
004901FC .5D POP EBP
004901FD .C2 0800 RETN 8
Now we step into this call: 004901AF|.E8 80FDFFFF CALL MouseSta.0048FF34 ;computes an important string, you must step into this call
0048FF34/$55 PUSH EBP
0048FF35|.8BEC MOV EBP,ESP
0048FF37|.83C4 E8 ADD ESP,-18
0048FF3A|.53 PUSH EBX
0048FF3B|.33DB XOR EBX,EBX
0048FF3D|.895D E8 MOV DWORD PTR SS:[EBP-18],EBX
0048FF40|.895D EC MOV DWORD PTR SS:[EBP-14],EBX
0048FF43|.895D F0 MOV DWORD PTR SS:[EBP-10],EBX
0048FF46|.894D F4 MOV DWORD PTR SS:[EBP-C],ECX
0048FF49|.8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
0048FF4C|.8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0048FF4F|.8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048FF52|.E8 F93FF7FF CALL MouseSta.00403F50
0048FF57|.8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0048FF5A|.E8 F13FF7FF CALL MouseSta.00403F50
0048FF5F|.8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048FF62|.E8 E93FF7FF CALL MouseSta.00403F50
0048FF67|.8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0048FF6A|.E8 E13FF7FF CALL MouseSta.00403F50
0048FF6F|.33C0 XOR EAX,EAX
0048FF71|.55 PUSH EBP
0048FF72|.68 EFFF4800 PUSH MouseSta.0048FFEF
0048FF77|.64:FF30 PUSH DWORD PTR FS:[EAX]
0048FF7A|.64:8920 MOV DWORD PTR FS:[EAX],ESP
0048FF7D|.33D2 XOR EDX,EDX
0048FF7F|.8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0048FF82|.E8 3182F7FF CALL MouseSta.004081B8
0048FF87|.8BD0 MOV EDX,EAX
0048FF89|.8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0048FF8C|.B8 00004900 MOV EAX,MouseSta.00490000
0048FF91|.E8 6E000000 CALL MouseSta.00490004
0048FF96|.8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048FF99|.E8 C23FF7FF CALL MouseSta.00403F60
0048FF9E|.8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0048FFA1|.33D2 XOR EDX,EDX
0048FFA3|.E8 5C000000 CALL MouseSta.00490004
0048FFA8|.8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048FFAB|.E8 B03FF7FF CALL MouseSta.00403F60
0048FFB0|.8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0048FFB3|.33D2 XOR EDX,EDX
0048FFB5|.E8 4A000000 CALL MouseSta.00490004 ;key point one (joins the upper-case username with DELPHI2005 and computes on it)
0048FFBA|.8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0048FFBD|.E8 9E3FF7FF CALL MouseSta.00403F60
0048FFC2|.8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
0048FFC5|.33D2 XOR EDX,EDX
0048FFC7|.E8 38000000 CALL MouseSta.00490004 ;another string computation
0048FFCC|.33C0 XOR EAX,EAX
0048FFCE|.5A POP EDX
0048FFCF|.59 POP ECX
0048FFD0|.59 POP ECX
0048FFD1|.64:8910 MOV DWORD PTR FS:[EAX],EDX
0048FFD4|.68 F6FF4800 PUSH MouseSta.0048FFF6
0048FFD9|>8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
0048FFDC|.BA 06000000 MOV EDX,6
0048FFE1|.E8 5A3BF7FF CALL MouseSta.00403B40
0048FFE6|.8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]
0048FFE9|.E8 2E3BF7FF CALL MouseSta.00403B1C
0048FFEE\.C3 RETN
0048FFEF .^ E9 3C35F7FF JMP MouseSta.00403530
0048FFF4 .^ EB E3 JMP SHORT MouseSta.0048FFD9
0048FFF6 .5B POP EBX
0048FFF7 .8BE5 MOV ESP,EBP
0048FFF9 .5D POP EBP
0048FFFA .C2 0800 RETN 8
Step into 0048FFB5|.E8 4A000000 CALL MouseSta.00490004 ;key point one (joins the upper-case username with DELPHI2005 and computes on it):
00490004|.55 PUSH EBP
00490005|.8BEC MOV EBP,ESP
00490007|.83C4 EC ADD ESP,-14
0049000A|.53 PUSH EBX
0049000B|.56 PUSH ESI
0049000C|.57 PUSH EDI
0049000D|.33DB XOR EBX,EBX
0049000F|.895D EC MOV DWORD PTR SS:[EBP-14],EBX
00490012|.895D F0 MOV DWORD PTR SS:[EBP-10],EBX
00490015|.894D F8 MOV DWORD PTR SS:[EBP-8],ECX
00490018|.8BF2 MOV ESI,EDX
0049001A|.8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0049001D|.33C0 XOR EAX,EAX
0049001F|.55 PUSH EBP
00490020|.68 3E014900 PUSH MouseSta.0049013E
00490025|.64:FF30 PUSH DWORD PTR FS:[EAX]
00490028|.64:8920 MOV DWORD PTR FS:[EAX],ESP
0049002B|.8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0049002E|.8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00490031|.E8 9E3CF7FF CALL MouseSta.00403CD4
00490036|.8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00490039|.E8 5E3DF7FF CALL MouseSta.00403D9C
0049003E|.8BD8 MOV EBX,EAX
00490040|.85DB TEST EBX,EBX
00490042|.75 13 JNZ SHORT MouseSta.00490057
00490044|.8935 10CC4900 MOV DWORD PTR DS:[49CC10],ESI
0049004A|.6BC6 64 IMUL EAX,ESI,64
0049004D|.A3 14CC4900 MOV DWORD PTR DS:[49CC14],EAX
00490052|.E9 CC000000 JMP MouseSta.00490123
00490057|>8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049005A|.E8 BD3AF7FF CALL MouseSta.00403B1C
0049005F|.8BFB MOV EDI,EBX
00490061|.4F DEC EDI
00490062|.85FF TEST EDI,EDI
00490064|.0F8C B9000000 JL MouseSta.00490123 ;below are my notes from the first pass through the loop
0049006A|.47 INC EDI
0049006B|.33F6 XOR ESI,ESI
0049006D|>8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] ;upper-case username + DELPHI2005 into eax
00490070|.8A0430 |MOV AL,BYTE PTR DS:[EAX+ESI] ;take the characters one at a time into AL
00490073|.3C 20 |CMP AL,20 ;compare with 20, jump if below 20
00490075|.0F82 A0000000 |JB MouseSta.0049011B
0049007B|.3C 7E |CMP AL,7E ;compare with 7E, jump if above 7E
0049007D|.0F87 98000000 |JA MouseSta.0049011B
00490083|.8B15 10CC4900 |MOV EDX,DWORD PTR DS:[49CC10] ;fixed value 2C19
00490089|.81E2 FFFFFF1F |AND EDX,1FFFFFFF
0049008F|.8B0D 10CC4900 |MOV ECX,DWORD PTR DS:[49CC10]
00490095|.C1E9 1D |SHR ECX,1D
00490098|.83E1 31 |AND ECX,31
0049009B|.33D1 |XOR EDX,ECX
0049009D|.8915 10CC4900 |MOV DWORD PTR DS:[49CC10],EDX
004900A3|.8845 F7 |MOV BYTE PTR SS:[EBP-9],AL
004900A6|.A1 10CC4900 |MOV EAX,DWORD PTR DS:[49CC10] ;2C19 into eax
004900AB|.B9 5F000000 |MOV ECX,5F ;divisor 5F
004900B0|.99 |CDQ
004900B1|.F7F9 |IDIV ECX ;division, the quotient goes into eax
004900B3|.33D2 |XOR EDX,EDX ;the quotient is 76
004900B5|.8A55 F7 |MOV DL,BYTE PTR SS:[EBP-9] ;first character of the username into DL
004900B8|.83EA 20 |SUB EDX,20 ;hex value of the first username character - 20
004900BB|.2BC2 |SUB EAX,EDX ;quotient - (hex value of the first character - 20)
004900BD|.E8 32FEFFFF |CALL MouseSta.0048FEF4
004900C2|.8BD8 |MOV EBX,EAX
004900C4|.80C3 20 |ADD BL,20 ;!!!! this BL value is what gets picked up at 49010D
004900C7|.FF05 14CC4900 |INC DWORD PTR DS:[49CC14] ;49CC14 (value 7) + 1
004900CD|.813D 14CC4900>|CMP DWORD PTR DS:[49CC14],5179
004900D7|.7C 07 |JL SHORT MouseSta.004900E0
004900D9|.33C0 |XOR EAX,EAX
004900DB|.A3 14CC4900 |MOV DWORD PTR DS:[49CC14],EAX
004900E0|>8A45 F7 |MOV AL,BYTE PTR SS:[EBP-9] ;first character into AL
004900E3|.32C3 |XOR AL,BL ;xor al with bl
004900E5|.25 FF000000 |AND EAX,0FF
004900EA|.8B15 10CC4900 |MOV EDX,DWORD PTR DS:[49CC10] ;2C19 into EDX
004900F0|.0315 10CC4900 |ADD EDX,DWORD PTR DS:[49CC10] ;2C19 + 2C19 = 5832
004900F6|.03C2 |ADD EAX,EDX
004900F8|.0305 14CC4900 |ADD EAX,DWORD PTR DS:[49CC14]
004900FE|.A3 10CC4900 |MOV DWORD PTR DS:[49CC10],EAX
00490103|.8D45 EC |LEA EAX,DWORD PTR SS:[EBP-14]
00490106|.8BD3 |MOV EDX,EBX
00490108|.E8 B73BF7FF |CALL MouseSta.00403CC4
0049010D|.8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
00490110|.8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
00490113|.E8 8C3CF7FF |CALL MouseSta.00403DA4
00490118|.8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
0049011B|>46 |INC ESI ;esi+1
0049011C|.4F |DEC EDI ;edi-1
0049011D|.^ 0F85 4AFFFFFF \JNZ MouseSta.0049006D ;loop
00490123|>33C0 XOR EAX,EAX
00490125|.5A POP EDX
00490126|.59 POP ECX
00490127|.59 POP ECX
00490128|.64:8910 MOV DWORD PTR FS:[EAX],EDX
0049012B|.68 45014900 PUSH MouseSta.00490145
00490130|>8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00490133|.BA 02000000 MOV EDX,2
00490138|.E8 033AF7FF CALL MouseSta.00403B40
0049013D\.C3 RETN
0049013E .^ E9 ED33F7FF JMP MouseSta.00403530
00490143 .^ EB EB JMP SHORT MouseSta.00490130
00490145 .5F POP EDI
00490146 .5E POP ESI
00490147 .5B POP EBX
00490148 .8BE5 MOV ESP,EBP
0049014A .5D POP EBP
0049014B .C3 RETN
What this loop does is:
join the upper-case username with DELPHI2005 and compute on the result.
Step 1: take the fixed value (dividend) 2C19 / (divisor) 5F = (quotient)
Step 2: take the hex value of the first character of the upper-case username - 20
Step 3: (quotient) - (hex value of the first character of the upper-case username - 20) + 20
Step 4: 49CC14 (value 7) + 1 = 8 [incremented by 1 on every iteration]
Step 5: xor the value from step 3 with the hex value of the first character of the upper-case username
Step 6: fixed value (2C19) + fixed value (2C19) = sum (5832)
Step 7: add the results of step 6 and step 5
Step 8: add the results of step 7 and step 4
Step 9: the value from step 8 becomes the fixed value (dividend) of step 1, but the divisor stays the same
Then it loops. My username is QIANJIANGYUE + DELPHI2005 = QIANJIANGYUEDELPHI2005, so it loops 22 times.
Key point: what we mainly need here is the step-8 value computed in the last iteration over username + DELPHI2005,
because this call is invoked twice, and the next time it is invoked we need that step-8 value from the last iteration.
When we single-step to 0048FFC7|.E8 38000000 CALL MouseSta.00490004 and step in, it is the same 00490004 call again.
00490004/$55 PUSH EBP
00490005|.8BEC MOV EBP,ESP
00490007|.83C4 EC ADD ESP,-14
0049000A|.53 PUSH EBX
0049000B|.56 PUSH ESI
0049000C|.57 PUSH EDI
0049000D|.33DB XOR EBX,EBX
0049000F|.895D EC MOV DWORD PTR SS:[EBP-14],EBX
00490012|.895D F0 MOV DWORD PTR SS:[EBP-10],EBX
00490015|.894D F8 MOV DWORD PTR SS:[EBP-8],ECX
00490018|.8BF2 MOV ESI,EDX
0049001A|.8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0049001D|.33C0 XOR EAX,EAX
0049001F|.55 PUSH EBP
00490020|.68 3E014900 PUSH MouseSta.0049013E
00490025|.64:FF30 PUSH DWORD PTR FS:[EAX]
00490028|.64:8920 MOV DWORD PTR FS:[EAX],ESP
0049002B|.8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0049002E|.8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00490031|.E8 9E3CF7FF CALL MouseSta.00403CD4
00490036|.8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00490039|.E8 5E3DF7FF CALL MouseSta.00403D9C
0049003E|.8BD8 MOV EBX,EAX
00490040|.85DB TEST EBX,EBX
00490042|.75 13 JNZ SHORT MouseSta.00490057
00490044|.8935 10CC4900 MOV DWORD PTR DS:[49CC10],ESI
0049004A|.6BC6 64 IMUL EAX,ESI,64
0049004D|.A3 14CC4900 MOV DWORD PTR DS:[49CC14],EAX
00490052|.E9 CC000000 JMP MouseSta.00490123
00490057|>8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049005A|.E8 BD3AF7FF CALL MouseSta.00403B1C
0049005F|.8BFB MOV EDI,EBX
00490061|.4F DEC EDI
00490062|.85FF TEST EDI,EDI
00490064|.0F8C B9000000 JL MouseSta.00490123
0049006A|.47 INC EDI
0049006B|.33F6 XOR ESI,ESI
0049006D|>8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] ;MagicUtils2005 into eax
00490070|.8A0430 |MOV AL,BYTE PTR DS:[EAX+ESI] ;take the characters one at a time into AL
00490073|.3C 20 |CMP AL,20 ;compare with 20, jump if below 20
00490075|.0F82 A0000000 |JB MouseSta.0049011B
0049007B|.3C 7E |CMP AL,7E ;compare with 7E, jump if above 7E
0049007D|.0F87 98000000 |JA MouseSta.0049011B
00490083|.8B15 10CC4900 |MOV EDX,DWORD PTR DS:[49CC10] ;since the previous call was this same routine, the last-iteration value from that call (180FC3D5) is this pass's fixed value
00490089|.81E2 FFFFFF1F |AND EDX,1FFFFFFF
0049008F|.8B0D 10CC4900 |MOV ECX,DWORD PTR DS:[49CC10]
00490095|.C1E9 1D |SHR ECX,1D
00490098|.83E1 31 |AND ECX,31
0049009B|.33D1 |XOR EDX,ECX
0049009D|.8915 10CC4900 |MOV DWORD PTR DS:[49CC10],EDX
004900A3|.8845 F7 |MOV BYTE PTR SS:[EBP-9],AL
004900A6|.A1 10CC4900 |MOV EAX,DWORD PTR DS:[49CC10] ;the last-iteration value from the previous call (180FC3D5) into eax
004900AB|.B9 5F000000 |MOV ECX,5F ;divisor 5F
004900B0|.99 |CDQ
004900B1|.F7F9 |IDIV ECX ;division, the quotient goes into eax
004900B3|.33D2 |XOR EDX,EDX
004900B5|.8A55 F7 |MOV DL,BYTE PTR SS:[EBP-9] ;first character into DL
004900B8|.83EA 20 |SUB EDX,20 ;hex value of the first character - 20
004900BB|.2BC2 |SUB EAX,EDX ;quotient - (hex value of the first character - 20)
004900BD|.E8 32FEFFFF |CALL MouseSta.0048FEF4
004900C2|.8BD8 |MOV EBX,EAX
004900C4|.80C3 20 |ADD BL,20 ;take the BL value when the loop reaches here on the second iteration and convert it to a character; in this outer pass we mainly need the characters BL turns into after each iteration, 14 iterations in total, but we start collecting BL from the second iteration, so 13 values are taken
004900C7|.FF05 14CC4900 |INC DWORD PTR DS:[49CC14] ;49CC14 (previous initial value + iteration count) + 1
004900CD|.813D 14CC4900>|CMP DWORD PTR DS:[49CC14],5179
004900D7|.7C 07 |JL SHORT MouseSta.004900E0
004900D9|.33C0 |XOR EAX,EAX
004900DB|.A3 14CC4900 |MOV DWORD PTR DS:[49CC14],EAX
004900E0|>8A45 F7 |MOV AL,BYTE PTR SS:[EBP-9] ;first character into AL
004900E3|.32C3 |XOR AL,BL ;xor al with bl
004900E5|.25 FF000000 |AND EAX,0FF
004900EA|.8B15 10CC4900 |MOV EDX,DWORD PTR DS:[49CC10] ;last result of the previous call (180FC3D5) into EDX
004900F0|.0315 10CC4900 |ADD EDX,DWORD PTR DS:[49CC10] ;last result of the previous call * 2
004900F6|.03C2 |ADD EAX,EDX
004900F8|.0305 14CC4900 |ADD EAX,DWORD PTR DS:[49CC14]
004900FE|.A3 10CC4900 |MOV DWORD PTR DS:[49CC10],EAX
00490103|.8D45 EC |LEA EAX,DWORD PTR SS:[EBP-14]
00490106|.8BD3 |MOV EDX,EBX
00490108|.E8 B73BF7FF |CALL MouseSta.00403CC4
0049010D|.8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
00490110|.8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
00490113|.E8 8C3CF7FF |CALL MouseSta.00403DA4
00490118|.8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
0049011B|>46 |INC ESI ;esi+1
0049011C|.4F |DEC EDI ;edi-1
0049011D|.^ 0F85 4AFFFFFF \JNZ MouseSta.0049006D ;loop
00490123|>33C0 XOR EAX,EAX
00490125|.5A POP EDX
00490126|.59 POP ECX
00490127|.59 POP ECX
00490128|.64:8910 MOV DWORD PTR FS:[EAX],EDX
0049012B|.68 45014900 PUSH MouseSta.00490145
00490130|>8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00490133|.BA 02000000 MOV EDX,2
00490138|.E8 033AF7FF CALL MouseSta.00403B40
0049013D\.C3 RETN
0049013E .^ E9 ED33F7FF JMP MouseSta.00403530
00490143 .^ EB EB JMP SHORT MouseSta.00490130
00490145 .5F POP EDI
00490146 .5E POP ESI
00490147 .5B POP EBX
00490148 .8BE5 MOV ESP,EBP
0049014A .5D POP EBP
0049014B .C3 RETN
What this loop does is:
compute using the fixed string MagicUtils2005.
004900C4|.80C3 20 |ADD BL,20 ;in this pass we mainly need the BL value at this address converted to a character after each iteration; 14 iterations in total, but we start collecting BL from the second iteration, so 13 values are taken, which gives a 13-character string.
After collecting the string from this call we return to:
004901AF|.E8 80FDFFFF CALL MouseSta.0048FF34 ;computes an important string, you must step into this call
004901B4|.FF75 EC PUSH DWORD PTR SS:[EBP-14]
004901B7|.8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004901BA|.BA 05000000 MOV EDX,5
004901BF|.E8 983CF7FF CALL MouseSta.00403E5C ;joins the strings seen above, key algorithm call 2
004901C4|.8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004901C7|.8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004901CA|.E8 31000000 CALL MouseSta.00490200 ;serial algorithm call, step in
004901CF|.33C0 XOR EAX,EAX
004901D1|.5A POP EDX
004901D2|.59 POP ECX
004901D3|.59 POP ECX
004901D4|.64:8910 MOV DWORD PTR FS:[EAX],EDX
004901D7|.68 F9014900 PUSH MouseSta.004901F9
004901DC|>8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004901DF|.BA 05000000 MOV EDX,5
004901E4|.E8 5739F7FF CALL MouseSta.00403B40
004901E9|.8D45 0C LEA EAX,DWORD PTR SS:[EBP+C]
004901EC|.E8 2B39F7FF CALL MouseSta.00403B1C
004901F1\.C3 RETN
The call below, 004901BF|.E8 983CF7FF CALL MouseSta.00403E5C, joins the strings seen above. After the two computations above, the joined string for my registered username is:
QIANJIANGYUEDELPHI2005MagicUtils2005zhiyuan3.55>n3.-.T+~dv|$, and that is all of it, 61 characters in total.
Next we step into the real serial algorithm call:
004901CA|.E8 31000000 CALL MouseSta.00490200 ;serial algorithm call, step in
00490200/$55 PUSH EBP
00490201|.8BEC MOV EBP,ESP
00490203|.83C4 F4 ADD ESP,-0C
00490206|.53 PUSH EBX
00490207|.56 PUSH ESI
00490208|.33C9 XOR ECX,ECX
0049020A|.894D F4 MOV DWORD PTR SS:[EBP-C],ECX
0049020D|.8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00490210|.8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00490213|.8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00490216|.E8 353DF7FF CALL MouseSta.00403F50
0049021B|.33C0 XOR EAX,EAX
0049021D|.55 PUSH EBP
0049021E|.68 9F024900 PUSH MouseSta.0049029F
00490223|.64:FF30 PUSH DWORD PTR FS:[EAX]
00490226|.64:8920 MOV DWORD PTR FS:[EAX],ESP
00490229|.33DB XOR EBX,EBX
0049022B|.8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049022E|.E8 693BF7FF CALL MouseSta.00403D9C
00490233|.85C0 TEST EAX,EAX
00490235|.7E 2C JLE SHORT MouseSta.00490263
00490237|.BE 01000000 MOV ESI,1
0049023C|>8B55 FC /MOV EDX,DWORD PTR SS:[EBP-4] ;the joined string into edx
0049023F|.8A5432 FF |MOV DL,BYTE PTR DS:[EDX+ESI-1] ;take the characters one at a time into dl
00490243|.32D3 |XOR DL,BL ;xor with BL
00490245|.81E2 FF000000 |AND EDX,0FF
0049024B|.8B1495 74B649>|MOV EDX,DWORD PTR DS:[EDX*4+49B674]
00490252|.C1EB 08 |SHR EBX,8
00490255|.81E3 FFFFFF00 |AND EBX,0FFFFFF
0049025B|.33D3 |XOR EDX,EBX
0049025D|.8BDA |MOV EBX,EDX
0049025F|.46 |INC ESI ;esi+1, ready to take the next character
00490260|.48 |DEC EAX ;eax-1, one fewer character left
00490261|.^ 75 D9 \JNZ SHORT MouseSta.0049023C ;loop [what is finally used for the serial computation is the value in EDX]
00490263|>8BC3 MOV EAX,EBX
00490265|.33D2 XOR EDX,EDX
The edx value this loop ends with is the key value we need for the final serial.
00490267|.52 PUSH EDX ; /Arg2 => 00000000
00490268|.50 PUSH EAX ; |Arg1
00490269|.8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C] ; |
0049026C|.B8 08000000 MOV EAX,8 ; |
00490271|.E8 C67EF7FF CALL MouseSta.0040813C ; \MouseSta.0040813C
00490276|.8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00490279|.8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0049027C|.E8 037CF7FF CALL MouseSta.00407E84 ;the final serial is computed here
Step in:
00407E84/$53 PUSH EBX
00407E85|.56 PUSH ESI
00407E86|.57 PUSH EDI
00407E87|.8BFA MOV EDI,EDX
00407E89|.8BF0 MOV ESI,EAX
00407E8B|.8BC6 MOV EAX,ESI
00407E8D|.E8 0ABFFFFF CALL MouseSta.00403D9C
00407E92|.8BD8 MOV EBX,EAX
00407E94|.8BC7 MOV EAX,EDI
00407E96|.8BD3 MOV EDX,EBX
00407E98|.E8 33C2FFFF CALL MouseSta.004040D0
00407E9D|.8BD6 MOV EDX,ESI
00407E9F|.8B37 MOV ESI,DWORD PTR DS:[EDI]
00407EA1|.85DB TEST EBX,EBX
00407EA3|.74 15 JE SHORT MouseSta.00407EBA
00407EA5|>8A02 /MOV AL,BYTE PTR DS:[EDX] ;take the EDX value computed above one character at a time into al
00407EA7|.3C 41 |CMP AL,41 ;then compare with 41
00407EA9|.72 06 |JB SHORT MouseSta.00407EB1 ;below 41, jump away
00407EAB|.3C 5A |CMP AL,5A ;compare with 5A
00407EAD|.77 02 |JA SHORT MouseSta.00407EB1 ;above 5A, jump away
00407EAF|.04 20 |ADD AL,20 ;add 20
00407EB1|>8806 |MOV BYTE PTR DS:[ESI],AL ;store into [ESI]
00407EB3|.42 |INC EDX ;edx to the next character
00407EB4|.46 |INC ESI ;esi+1, next position
00407EB5|.4B |DEC EBX ;one fewer character
00407EB6|.85DB |TEST EBX,EBX
00407EB8|.^ 75 EB \JNZ SHORT MouseSta.00407EA5 ;loop
00407EBA|>5F POP EDI
00407EBB|.5E POP ESI
00407EBC|.5B POP EBX
00407EBD\.C3 RETN
This section goes through the EDX value computed above character by character and checks whether each one is an upper-case letter; if it is, it is changed to lower case, otherwise it is left alone.
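The instruction sequence at 0049023C..00490261 (xor the byte into the low byte of the running value, one dword table lookup, shift right by 8, xor back) is the table-driven form of CRC-32, so the "key value" is most likely CRC-32 of the joined string with a zero start value and no final inversion. The Python below is an added model of that loop, not code from the post or from MouseStar; it assumes the table at 0049B674 is the standard reflected CRC-32 table (polynomial EDB88320), which an analyst should confirm by dumping the 256 dwords from the binary, and the function names are mine.

```python
import zlib

# Assumption (not stated in the post): the 256-dword table at 0049B674 is the
# standard reflected CRC-32 table for polynomial EDB88320. Dump it and compare.
POLY = 0xEDB88320


def make_table():
    """Build the standard reflected CRC-32 table."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = make_table()


def loop_0049023c(data: bytes, init: int = 0, table=TABLE) -> int:
    """Model of 0049023C..00490261, one line per instruction (hypothetical name).

    init=0 is what XOR EBX,EBX at 00490229 does; init=0xFFFFFFFF is accepted
    only so the table can be checked against the textbook CRC-32 check value.
    """
    ebx = init
    for b in data:                       # MOV DL,BYTE PTR [EDX+ESI-1]
        edx = (b ^ ebx) & 0xFF           # XOR DL,BL / AND EDX,0FF
        edx = table[edx]                 # MOV EDX,[EDX*4+49B674]
        ebx = (ebx >> 8) & 0xFFFFFF      # SHR EBX,8 / AND EBX,0FFFFFF
        ebx = edx ^ ebx                  # XOR EDX,EBX / MOV EBX,EDX
    return ebx                           # MOV EAX,EBX at 00490263


def crc32_raw(data: bytes) -> int:
    """zlib's CRC-32 with initial register 0 and no final inversion."""
    return zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF


def is_standard_crc_table(dumped) -> bool:
    """True if a 256-dword table dumped from the binary is the standard CRC-32 table."""
    return list(dumped) == TABLE
```

If the dumped table is not the standard one, the loop is still a table-driven CRC, just over a different table, and the model must be fed the dumped values instead of TABLE.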
Now let's go over the analysis again:
Step 1: first join the upper-case username with the string DELPHI2005 and compute on it to get a value.
Step 2: then compute with the string MagicUtils2005 and the value obtained above, producing a new 13-character string.
Step 3: then join [upper-case username + DELPHI2005 + MagicUtils2005 + zhiyuan + 3.55> + the string from step 2] together.
Step 4: compute on the long string from step 3; the result goes into EDX.
Step 5: go through the value from step 4 character by character and check whether each one is an upper-case letter; if it is, change it to lower case, otherwise leave it alone.
For my username qianjiangyue the step-4 value is C8C8414E, so my serial is c8c8414e.
Since this is my first real algorithm analysis, some parts may not be explained very clearly, so please bear with me, but I have commented most of it. Friends at my level, with enough hands-on practice you will definitely improve. Patching and sniffing the serial for this software are both fairly easy, but analysing it may be a bit of a hassle for fellow beginners like me; you can download it and try it yourselves.
Such a long algorithm analysis... no energy to read it all..
Oh, algorithm analysis, haha, respect...
Another big shot surfaces
Thanks!!! OP!!!
Too long, saving it to read slowly..