Algorithm analysis of the "52 Final Edition" CrackMe
【Title】: Algorithm analysis of the "52 Final Edition" CrackMe
【Author】: missviola
【Download】: http://www.52pojie.cn/thread-14018-1-1.html
【Protection】: serial number
【Tools】: PEiD, OD
【Author's note】: Just out of interest, no other purpose. Corrections from the experts are welcome wherever I have slipped up!
--------------------------------------------------------------------------------
【Detailed process】
PEiD identifies the target as Borland Delphi 6.0 - 7.0. Load it in OD and set a breakpoint at 45E2EC. Machine code: WD-WXE807415814; entered registration code: 12345678abcdefgh. The analysis follows:
0045E2EC|.55 push ebp
0045E2ED|.68 24E74500 push <->System.@HandleFinally;>
0045E2F2|.64:FF30 push dword ptr fs:
0045E2F5|.64:8920 mov dword ptr fs:, esp
0045E2F8|.FF35 2CA04600 push dword ptr
0045E2FE|.FF35 28A04600 push dword ptr
0045E304|.8D55 F8 lea edx, dword ptr
0045E307|.B8 3CE74500 mov eax, 0045E73C ;nn
0045E30C|.E8 FBC0FAFF call 0040A40C ;get minutes
0045E311|.8B45 F8 mov eax, dword ptr
0045E314|.50 push eax
0045E315|.FF35 2CA04600 push dword ptr
0045E31B|.FF35 28A04600 push dword ptr
0045E321|.8D55 F4 lea edx, dword ptr
0045E324|.B8 48E74500 mov eax, 0045E748 ;hh
0045E329|.E8 DEC0FAFF call 0040A40C ;get hours
0045E32E|.8B55 F4 mov edx, dword ptr
0045E331|.8D45 FC lea eax, dword ptr
0045E334|.59 pop ecx
0045E335 >|.E8 5A5EFAFF call 00404194 ;->System.@LStrCat3;
0045E33A|.833D 24A04600>cmp dword ptr , 3
0045E341|.7C 0C jl short 0045E34F
0045E343|.8BC3 mov eax, ebx
0045E345 >|.E8 EA25FFFF call 00450934 ;->Forms.TCustomForm.Close(TCustomForm);
0045E34A|.E9 E7020000 jmp 0045E636
0045E34F|>8D55 E0 lea edx, dword ptr
0045E352|.A1 20A04600 mov eax, dword ptr
0045E357 >|.8B80 F8020000 mov eax, dword ptr ;*Edit1:TEdit
0045E35D >|.E8 9665FDFF call 004348F8 ;read the machine code
0045E362|.8B45 E0 mov eax, dword ptr
0045E365|.8D55 E4 lea edx, dword ptr
0045E368|.E8 0FFFFFFF call 0045E27C ;MD5 hash
0045E36D|.8B45 E4 mov eax, dword ptr
0045E370|.8D4D E8 lea ecx, dword ptr
0045E373|.BA 04000000 mov edx, 4
0045E378 >|.E8 9FAEFCFF call 0042921C ;take the leftmost 4 chars of the MD5 result
0045E37D|.8B45 E8 mov eax, dword ptr
0045E380|.8D55 EC lea edx, dword ptr
0045E383|.E8 B8F0FFFF call 0045D440 ;follow this call
Follow the call at 45D440 and have a look:
0045D440/$55 push ebp
0045D441|.8BEC mov ebp, esp
0045D443|.83C4 F8 add esp, -8
0045D446|.56 push esi
0045D447|.8955 F8 mov dword ptr , edx
0045D44A|.8945 FC mov dword ptr , eax
0045D44D|.8B45 FC mov eax, dword ptr
0045D450|.E8 E36EFAFF call 00404338
0045D455|.33C0 xor eax, eax
0045D457|.55 push ebp
0045D458|.68 A9D44500 push 0045D4A9
0045D45D|.64:FF30 push dword ptr fs:
0045D460|.64:8920 mov dword ptr fs:, esp
0045D463|.8B45 FC mov eax, dword ptr
0045D466|.E8 DD6CFAFF call 00404148 ;get the string length
0045D46B|.85C0 test eax, eax
0045D46D|.7E 16 jle short 0045D485
0045D46F|.B9 01000000 mov ecx, 1
0045D474|>8B55 FC /mov edx, dword ptr
0045D477|.0FB6540A FF |movzx edx, byte ptr ;take the ASCII value of each of the 4 hash chars in turn
0045D47C|.C1E2 07 |shl edx, 7 ;shift left by 7 bits
0045D47F|.03F2 |add esi, edx ;accumulate
0045D481|.41 |inc ecx
0045D482|.48 |dec eax
0045D483|.^ 75 EF \jnz short 0045D474
0045D485|>8BC6 mov eax, esi
0045D487|.33D2 xor edx, edx
0045D489|.52 push edx
0045D48A|.50 push eax
0045D48B|.8B45 F8 mov eax, dword ptr
0045D48E|.E8 A9AAFAFF call 00407F3C ;convert to a decimal string
0045D493|.33C0 xor eax, eax
0045D495|.5A pop edx
0045D496|.59 pop ecx
0045D497|.59 pop ecx
0045D498|.64:8910 mov dword ptr fs:, edx
0045D49B|.68 B0D44500 push 0045D4B0
0045D4A0|>8D45 FC lea eax, dword ptr
0045D4A3|.E8 E069FAFF call 00403E88
0045D4A8\.C3 retn
0045D4A9 .^ E9 DE63FAFF jmp 0040388C
0045D4AE .^ EB F0 jmp short 0045D4A0
0045D4B0 .5E pop esi
0045D4B1 .59 pop ecx
0045D4B2 .59 pop ecx
0045D4B3 .5D pop ebp
0045D4B4 .C3 retn
0045E388|.8B45 EC mov eax, dword ptr
0045E38B|.8D55 F0 lea edx, dword ptr
0045E38E|.E8 ADF0FFFF call 0045D440
0045E393|.8B45 F0 mov eax, dword ptr
0045E396|.50 push eax
0045E397|.8D55 D0 lea edx, dword ptr
0045E39A >|.8B83 FC020000 mov eax, dword ptr ;*Edit2:TEdit
0045E3A0 >|.E8 5365FDFF call 004348F8 ;->Controls.TControl.GetText(TControl):TCaption;
0045E3A5|.8B45 D0 mov eax, dword ptr
0045E3A8|.8D4D D4 lea ecx, dword ptr
0045E3AB|.BA 04000000 mov edx, 4
0045E3B0 >|.E8 67AEFCFF call 0042921C ;take 4 chars of the registration code
0045E3B5|.8B45 D4 mov eax, dword ptr
0045E3B8|.8D55 D8 lea edx, dword ptr
0045E3BB|.E8 80F0FFFF call 0045D440
0045E3C0|.8B45 D8 mov eax, dword ptr
0045E3C3|.8D55 DC lea edx, dword ptr
0045E3C6|.E8 75F0FFFF call 0045D440
0045E3CB|.8B55 DC mov edx, dword ptr
0045E3CE|.58 pop eax
0045E3CF >|.E8 C05EFAFF call 00404294 ;compare
0045E3D4 0F85 5C020000 jnz 0045E636
0045E3DA|.8D45 C8 lea eax, dword ptr
0045E3DD|.50 push eax
0045E3DE|.8D55 C0 lea edx, dword ptr
0045E3E1|.A1 20A04600 mov eax, dword ptr
0045E3E6 >|.8B80 F8020000 mov eax, dword ptr ;*Edit1:TEdit
0045E3EC >|.E8 0765FDFF call 004348F8 ;->Controls.TControl.GetText(TControl):TCaption;
0045E3F1|.8B45 C0 mov eax, dword ptr
0045E3F4|.8D55 C4 lea edx, dword ptr
0045E3F7|.E8 80FEFFFF call 0045E27C ;MD5 hash
0045E3FC|.8B45 C4 mov eax, dword ptr
0045E3FF|.B9 04000000 mov ecx, 4
0045E404|.BA 06000000 mov edx, 6
0045E409 >|.E8 7EAEFCFF call 0042928C ;take 4 chars of the MD5 result starting at position 6
0045E40E|.8B45 C8 mov eax, dword ptr
0045E411|.8D55 CC lea edx, dword ptr
0045E414|.E8 27F0FFFF call 0045D440
0045E419|.8B45 CC mov eax, dword ptr
0045E41C|.50 push eax
0045E41D|.8D45 B8 lea eax, dword ptr
0045E420|.50 push eax
0045E421|.8D55 B4 lea edx, dword ptr
0045E424 >|.8B83 FC020000 mov eax, dword ptr ;*Edit2:TEdit
0045E42A >|.E8 C964FDFF call 004348F8 ;->Controls.TControl.GetText(TControl):TCaption;
0045E42F|.8B45 B4 mov eax, dword ptr
0045E432|.B9 04000000 mov ecx, 4
0045E437|.BA 06000000 mov edx, 6
0045E43C >|.E8 4BAEFCFF call 0042928C ;take 4 chars of the entered code starting at position 6
0045E441|.8B45 B8 mov eax, dword ptr
0045E444|.8D55 BC lea edx, dword ptr
0045E447|.E8 F4EFFFFF call 0045D440
0045E44C|.8B55 BC mov edx, dword ptr
0045E44F|.58 pop eax
0045E450 >|.E8 3F5EFAFF call 00404294 ;compare
0045E455 0F85 DB010000 jnz 0045E636
0045E45B|.8D45 AC lea eax, dword ptr
0045E45E|.50 push eax
0045E45F|.B9 04000000 mov ecx, 4
0045E464|.BA 04000000 mov edx, 4
0045E469|.B8 54E74500 mov eax, 0045E754 ;chinapyg
0045E46E >|.E8 19AEFCFF call 0042928C ;take 4 chars of ChinaPYG starting at position 4
0045E473|.8B45 AC mov eax, dword ptr
0045E476|.8D55 B0 lea edx, dword ptr
0045E479|.E8 C2EFFFFF call 0045D440
0045E47E|.8B45 B0 mov eax, dword ptr
0045E481|.50 push eax
0045E482|.8D45 A4 lea eax, dword ptr
0045E485|.50 push eax
0045E486|.8D55 A0 lea edx, dword ptr
0045E489 >|.8B83 FC020000 mov eax, dword ptr ;*Edit2:TEdit
0045E48F >|.E8 6464FDFF call 004348F8 ;->Controls.TControl.GetText(TControl):TCaption;
0045E494|.8B45 A0 mov eax, dword ptr
0045E497|.B9 04000000 mov ecx, 4
0045E49C|.BA 0B000000 mov edx, 0B
0045E4A1 >|.E8 E6ADFCFF call 0042928C ;take 4 chars of the entered code starting at position 11
0045E4A6|.8B45 A4 mov eax, dword ptr
0045E4A9|.8D55 A8 lea edx, dword ptr
0045E4AC|.E8 8FEFFFFF call 0045D440
0045E4B1|.8B55 A8 mov edx, dword ptr
0045E4B4|.58 pop eax
0045E4B5 >|.E8 DA5DFAFF call 00404294 ;compare
0045E4BA 0F85 76010000 jnz 0045E636
0045E4C0|.8D55 9C lea edx, dword ptr ;system time (hhmm) read when the crackme was started
0045E4C3|.8B45 FC mov eax, dword ptr
0045E4C6|.E8 75EFFFFF call 0045D440
0045E4CB|.8B45 9C mov eax, dword ptr
0045E4CE|.50 push eax
0045E4CF|.8D45 94 lea eax, dword ptr
0045E4D2|.50 push eax
0045E4D3|.8D55 90 lea edx, dword ptr
0045E4D6 >|.8B83 FC020000 mov eax, dword ptr ;*Edit2:TEdit
0045E4DC >|.E8 1764FDFF call 004348F8 ;->Controls.TControl.GetText(TControl):TCaption;
0045E4E1|.8B45 90 mov eax, dword ptr
0045E4E4|.B9 04000000 mov ecx, 4
0045E4E9|.BA 10000000 mov edx, 10
0045E4EE >|.E8 99ADFCFF call 0042928C ;take 4 chars of the registration code starting at position 16
0045E4F3|.8B45 94 mov eax, dword ptr
0045E4F6|.8D55 98 lea edx, dword ptr
0045E4F9|.E8 42EFFFFF call 0045D440
0045E4FE|.8B55 98 mov edx, dword ptr
0045E501|.58 pop eax
0045E502 >|.E8 8D5DFAFF call 00404294 ;compare
0045E507 0F85 29010000 jnz 0045E636
0045E50D|.8D45 8C lea eax, dword ptr
0045E510|.50 push eax
0045E511|.8D55 88 lea edx, dword ptr
0045E514 >|.8B83 FC020000 mov eax, dword ptr ;*Edit2:TEdit
0045E51A >|.E8 D963FDFF call 004348F8 ;->Controls.TControl.GetText(TControl):TCaption;
0045E51F|.8B45 88 mov eax, dword ptr
0045E522|.B9 01000000 mov ecx, 1
0045E527|.BA 05000000 mov edx, 5
0045E52C >|.E8 5BADFCFF call 0042928C ;take the 5th char of the registration code
0045E531|.8B45 8C mov eax, dword ptr
0045E534|.50 push eax
0045E535|.8D45 84 lea eax, dword ptr
0045E538|.50 push eax
0045E539|.8D55 80 lea edx, dword ptr
0045E53C >|.8B83 FC020000 mov eax, dword ptr ;*Edit2:TEdit
0045E542 >|.E8 B163FDFF call 004348F8 ;->Controls.TControl.GetText(TControl):TCaption;
0045E547|.8B45 80 mov eax, dword ptr
0045E54A|.B9 01000000 mov ecx, 1
0045E54F|.BA 0A000000 mov edx, 0A
0045E554 >|.E8 33ADFCFF call 0042928C ;take the 10th char of the registration code
0045E559|.8B55 84 mov edx, dword ptr
0045E55C|.58 pop eax
0045E55D >|.E8 325DFAFF call 00404294 ;the two must be equal
0045E562 0F85 C8000000 jnz 0045E630
0045E568|.8D85 7CFFFFFF lea eax, dword ptr
0045E56E|.50 push eax
0045E56F|.8D95 78FFFFFF lea edx, dword ptr
0045E575 >|.8B83 FC020000 mov eax, dword ptr ;*Edit2:TEdit
0045E57B >|.E8 7863FDFF call 004348F8 ;->Controls.TControl.GetText(TControl):TCaption;
0045E580|.8B85 78FFFFFF mov eax, dword ptr
0045E586|.B9 01000000 mov ecx, 1
0045E58B|.BA 0A000000 mov edx, 0A
0045E590 >|.E8 F7ACFCFF call 0042928C ;take the 10th char of the registration code
0045E595|.8B85 7CFFFFFF mov eax, dword ptr
0045E59B|.50 push eax
0045E59C|.8D85 74FFFFFF lea eax, dword ptr
0045E5A2|.50 push eax
0045E5A3|.8D95 70FFFFFF lea edx, dword ptr
0045E5A9 >|.8B83 FC020000 mov eax, dword ptr ;*Edit2:TEdit
0045E5AF >|.E8 4463FDFF call 004348F8 ;->Controls.TControl.GetText(TControl):TCaption;
0045E5B4|.8B85 70FFFFFF mov eax, dword ptr
0045E5BA|.B9 01000000 mov ecx, 1
0045E5BF|.BA 0F000000 mov edx, 0F
0045E5C4 >|.E8 C3ACFCFF call 0042928C ;take the 15th char of the registration code
0045E5C9|.8B95 74FFFFFF mov edx, dword ptr
0045E5CF|.58 pop eax
0045E5D0 >|.E8 BF5CFAFF call 00404294 ;the two must be equal
0045E5D5 75 59 jnz short 0045E630
0045E5D7|.8D85 6CFFFFFF lea eax, dword ptr
0045E5DD|.50 push eax
0045E5DE|.8D95 68FFFFFF lea edx, dword ptr
0045E5E4 >|.8B83 FC020000 mov eax, dword ptr ;*Edit2:TEdit
0045E5EA >|.E8 0963FDFF call 004348F8 ;->Controls.TControl.GetText(TControl):TCaption;
0045E5EF|.8B85 68FFFFFF mov eax, dword ptr
0045E5F5|.B9 01000000 mov ecx, 1
0045E5FA|.BA 0F000000 mov edx, 0F
0045E5FF >|.E8 88ACFCFF call 0042928C ;take the 15th char of the registration code
0045E604|.8B85 6CFFFFFF mov eax, dword ptr
0045E60A|.BA 68E74500 mov edx, 0045E768 ;-
0045E60F >|.E8 805CFAFF call 00404294 ;the 15th char must be '-', i.e. chars 5, 10 and 15 must all be '-'
0045E614 75 1A jnz short 0045E630
0045E616 >|.E8 8DB1FAFF call 004097A8 ;->SysUtils.Now:TDateTime; get the current system time
Summary of the algorithm up to this point:
1. Take the machine code and compute its MD5 hash.
2. The registration code has 4 segments: the first two are taken from the MD5 hash, the 3rd is fixed as naPY, and the 4th is the system time (hour and minute) at the moment you started the crackme.
3. The 4 segments are joined with '-' to form the final registration code.
Finally, the keygen source written in Python:
# Ported to Python 3 (the original used the Python 2 md5 module and raw_input);
# the slices and time fields, which were lost in extraction, follow the
# analysis above: 4 chars from the left, 4 chars from position 6, then hhmm.
import hashlib
import time

regcode = input('please input your machine code:')
reghash = hashlib.md5(regcode.encode()).hexdigest()
szhash1 = reghash[0:4]   # leftmost 4 chars of the MD5 hex digest
szhash2 = reghash[5:9]   # 4 chars starting at position 6 (1-based, as Delphi Copy)
now = time.localtime()
uhour = "%02d" % now.tm_hour
uminute = "%02d" % now.tm_min
serial = szhash1 + '-' + szhash2 + '-' + 'naPY' + '-' + uhour + uminute
print('your serial is %s' % serial)
input()
If you register with this computed code within 1 minute, the program judges it as cheating, so wait a while before clicking Register...
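The routine at 0045D440 and the segment checks above, modelled in Python 3 as an added example (this is neither the author's keygen nor the crackme's own source): fold() mirrors 0045D440 as read from the listing, check_serial() replays the comparisons from 0045E388 to 0045E614 in order, and make_serial() builds a code the same way the keygen does. Two assumptions: the accumulator (esi) at 0045D440 starts at zero, and the program's MD5 hex digest is lowercase, as the author's keygen assumes. The example also makes the weakness of the check visible: because 0045D440 only sums character codes, any four characters with the same sum are accepted in place of the expected ones, as collides() demonstrates with the constructed pair naPY / nbOY.

```python
# Added example (not the author's or the crackme's code): a Python 3 model of
# the checks read from the disassembly above, plus a keygen built the same way.
import hashlib
import time


def fold(s: str) -> str:
    """Mirror of the routine at 0045D440: every character code is shifted
    left by 7 (multiplied by 128) and summed; the sum is returned as a
    decimal string by the IntToStr-style call at 0045D48E.
    Assumption: the accumulator (esi) starts at zero."""
    return str(sum(ord(c) << 7 for c in s))


def expected_segments(machine_code: str, hhmm: str) -> list:
    """The four plaintext segments per the algorithm summary above.
    Assumption: the program's MD5 hex digest is lowercase."""
    digest = hashlib.md5(machine_code.encode()).hexdigest()
    return [digest[0:4],   # Copy(md5, 1, 4): leftmost 4 chars
            digest[5:9],   # Copy(md5, 6, 4): 4 chars from position 6
            'naPY',        # Copy('chinaPYG', 4, 4)
            hhmm]          # hour+minute read when the crackme started


def make_serial(machine_code: str, hhmm: str = None) -> str:
    """Same construction as the Python keygen above."""
    if hhmm is None:
        now = time.localtime()
        hhmm = "%02d%02d" % (now.tm_hour, now.tm_min)
    return '-'.join(expected_segments(machine_code, hhmm))


def check_serial(machine_code: str, serial: str, hhmm: str) -> bool:
    """Replays the comparisons from 0045E388 to 0045E614 in order.
    Slice positions follow the 1-based Delphi Copy() calls in the listing."""
    if len(serial) < 19:      # Copy() past the end yields short strings; treat as failure
        return False
    exp = expected_segments(machine_code, hhmm)
    # segment 1: both sides pass through 0045D440 twice
    if fold(fold(exp[0])) != fold(fold(serial[0:4])):
        return False
    # segment 2: Copy(serial, 6, 4), folded once on each side
    if fold(exp[1]) != fold(serial[5:9]):
        return False
    # segment 3: Copy(serial, 11, 4) against 'naPY'
    if fold(exp[2]) != fold(serial[10:14]):
        return False
    # segment 4: Copy(serial, 16, 4) against the start time
    if fold(exp[3]) != fold(serial[15:19]):
        return False
    # chars 5, 10 and 15 must all be '-'
    return serial[4] == serial[9] == serial[14] == '-'


def collides(a: str, b: str) -> bool:
    """True when two different strings are indistinguishable to 0045D440,
    i.e. when their character-code sums are equal."""
    return a != b and fold(a) == fold(b)


if __name__ == '__main__':
    mc = 'WD-WXE807415814'            # machine code quoted in the analysis
    serial = make_serial(mc, '1140')  # constructed start time 11:40
    print(serial, check_serial(mc, serial, '1140'))
    # 'nbOY' has the same code sum as 'naPY', so it passes segment 3 as well
    print(collides('naPY', 'nbOY'))
```

Because every segment is compared only through fold(), the program never compares the strings themselves, which is why the keygen's output is just one of many accepted codes. A check that has to hold up would compare the whole expected string (or a MAC over the machine code) rather than a sum of character codes.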
--------------------------------------------------------------------------------
【Lessons learned】
This CM's algorithm is fairly simple; in OD you can see it is a segment-by-segment plaintext comparison, so both patching and keygenning are easy. Finally, thanks to leafstone for providing the CM for us to practise on, and I hope he doesn't play music in the next CM... - -||||||||
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the 52pojie technical forum; when reposting, please credit the author and keep the article intact. Thanks!
2009-12-05 11:40:37 This deserves an upvote; brother, if you like CMs, let's discuss more when there's time.
Bowing to the master~
Learning from the master.
Learned something``:Dweeqw
Bowing, a real expert
Learned it...
CM, is that chinadrm?
Reply to #8 sdk
It's Crack Me, i.e. "crack me"!:rggrg