Ashampoo Burning Studio v9.21算法分析 by:樊盟 2010.2.7
本帖最后由 樊盟 于 2010-2-7 18:10 编辑Ashampoo Burning Studio v9.21算法分析 by:樊盟 2010.2.7
Ashampoo Burning Studio v9.21
软件下载地址:http://www.crsky.com/soft/4449.html
软件介绍:
CD/DVD刻录工具。提供的功能有: * 创建MP3 CD/DVD * 将电影刻录为DVD/VCD/SVCD * 创建和刻录CD/DVD映像文件 * 保存和加载项目文件 * 擦除CD-RW/DVD+RW/DVD-RW * 从资源管理器中用拖放式操作添加文件 * 支持255个字符的DVD文件名和64个字符的CD文件名 * 自动设置刻录速度及其他选项 * 无需任何插件直接把WAV、MP3、FLAC、WMA和Ogg Vorbis文件刻录为音频CD * 非常方便地复制各种CD/DVD * 已支持的CD和DVD刻录机超过1500种 * 还有更多功能。
随意输入注册信息点击“注册”弹出错误提示:“请输入有效的密钥”。
用F12暂停法回溯来找程序的关键点:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0047DF6B > $E8 FA730000 call 0048536A ;//载入程序后停在这里!
0047DF70 .^ E9 17FEFFFF jmp 0047DD8C
0047DF75/$55 push ebp
0047DF76|.8BEC mov ebp, esp
0047DF78|.56 push esi
0047DF79|.8B75 14 mov esi, dword ptr
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
F9运行,输入试炼信息:123456789012345678901234567890,点击注册弹出错误提示框,此时不要点击确定,F12,Alt+K:
调用堆栈: 主线程
地址 堆栈 函数过程 / 参数 调用来自 结构
00F3D200 77D19418 包含ntdll.KiFastSystemCallRet USER32.77D19416 00F3D234
00F3D204 77D2770A USER32.WaitMessage USER32.77D27705 00F3D234
00F3D238 77D249C4 USER32.77D2757B USER32.77D249BF 00F3D234
00F3D260 77D3A956 USER32.77D2490E USER32.77D3A951 00F3D25C
00F3D520 77D3A2BC USER32.SoftModalMessageBox USER32.77D3A2B7 00F3D51C
00F3D670 77D663FD USER32.77D3A147 USER32.77D663F8 00F3D66C
00F3D6C8 77D50853 USER32.MessageBoxTimeoutW USER32.77D5084E 00F3D6C4
00F3D6E8 77D66579 USER32.MessageBoxExW USER32.77D66574 00F3D6E4
00F3D6EC 00BB057A hOwner = 00BB057A ('注册 Ashampoo
00F3D6F0 01C96CF8 Text = "请输入有效的密钥"
00F3D6F4 01BD4C98 Title = "Ashampoo Burning Studio 9
00F3D6F8 00000030 Style = MB_OK|MB_ICONEXCLAMATION|M
00F3D6FC 00000000 LanguageID = 0 (LANG_NEUTRAL)
00F3D704 004640A9 USER32.MessageBoxW burnings.004640A3 00F3D700 //双击跟随!
00F3D708 00BB057A hOwner = 00BB057A ('注册 Ashampoo
00F3D70C 01C96CF8 Text = "请输入有效的密钥"
00F3D710 01BD4C98 Title = "Ashampoo Burning Studio 9
00F3D714 00000030 Style = MB_OK|MB_ICONEXCLAMATION|M
00F3D750 004642F3 ? burnings.00464061 burnings.004642EE 00F3D74C
00F3D994 00464377 ? burnings.004641D7 burnings.00464372 00F3D7F0
00F3D9A8 00440BD0 burnings.00464334 burnings.00440BCB 00F3D9CC
00F3D9C0 00465FA6 包含burnings.00440BD0 burnings.00465FA3 00F3D9CC
00F3D9D0 004661B3 burnings.00465F63 burnings.004661AE 00F3D9CC
00F3DA00 0046519C burnings.0046609B burnings.00465197 00F3D9FC
00F3DA24 0046BD45 burnings.00465181 burnings.0046BD42 00F3DA20
00F3DA74 0046C74C 可能 burnings.0046BCB5 burnings.0046C746 00F3DA70
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
00464061/$6A 14 push 14 ;//在这里下断点,运行,再点击注册
00464063|.68 384D4E00 push 004E4D38 ;//断下来后,看堆栈提示
00464068|.E8 E7DD0100 call 00481E54
0046406D|.33DB xor ebx, ebx
0046406F|.895D E0 mov dword ptr , ebx
00464072|.8D45 E0 lea eax, dword ptr
00464075|.50 push eax
00464076|.E8 EFE5FFFF call 0046266A
0046407B|.FFB0 80000000 push dword ptr
00464081|.E8 E3DDFFFF call 00461E69
00464086|.8945 DC mov dword ptr , eax
00464089|.895D E4 mov dword ptr , ebx
0046408C|.3BC3 cmp eax, ebx
0046408E|.75 04 jnz short 00464094
00464090|.33C0 xor eax, eax
00464092|.EB 27 jmp short 004640BB
00464094|>895D FC mov dword ptr , ebx
00464097|.FF75 14 push dword ptr ; /Style
0046409A|.FF75 10 push dword ptr ; |Title
0046409D|.FF75 0C push dword ptr ; |Text
004640A0|.FF75 08 push dword ptr ; |hOwner
004640A3|.FF15 80854B00 call dword ptr [<&USER32.MessageB>; \MessageBoxW
004640A9|.8945 E4 mov dword ptr , eax ;//跟随到这里
004640AC|.C745 FC FEFFF>mov dword ptr , -2
004640B3|.E8 0B000000 call 004640C3
004640B8|.8B45 E4 mov eax, dword ptr
004640BB|>E8 D9DD0100 call 00481E99
004640C0\.C3 retn
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
堆栈提示:
00F3D750 004642F3返回到 burnings.004642F3 来自 burnings.00464061//取消断点,在本行上面点击右键,选择反汇编窗口中跟随!
00F3D754 00BB057A
00F3D758 01C96CF8
00F3D75C 01BD4C98UNICODE "Ashampoo Burning Studio 9"
00F3D760 00000030
00F3D764 00F3E2C0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
004641D7/$55 push ebp ;//这里下断点,运行,再点击注册
004641D8|.8DAC24 60FEFF>lea ebp, dword ptr ;//断下来后,看堆栈提示
004641DF|.81EC 20020000 sub esp, 220
004641E5|.A1 442D4F00 mov eax, dword ptr
004641EA|.33C5 xor eax, ebp
…………………………………………………………………………………………………………
004642E8|.FF75 80 push dword ptr
004642EB|.FF75 84 push dword ptr
004642EE|.E8 6EFDFFFF call 00464061
004642F3|.83C4 10 add esp, 10 ;//跟随到此处
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
堆栈提示:
00F3D994 00464377返回到 burnings.00464377 来自 burnings.004641D7//取消断点,在本行上面点击右键,选择反汇编窗口中跟随!
00F3D998 004F6668burnings.004F6668
00F3D99C 01C96CF8
00F3D9A0 00000030
00F3D9A4 00000000
00F3D9A8 00440BD0返回到 burnings.00440BD0 来自 burnings.00464334
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
00464365 .FF7424 0C push dword ptr ;//这里下断点,运行,再点击注册
00464369 .FF7424 0C push dword ptr ;//断下来后,看堆栈提示
0046436D .FF7424 0C push dword ptr
00464371 .51 push ecx
00464372 .E8 60FEFFFF call 004641D7
00464377 .83C4 10 add esp, 10 ;//跟随到此处
0046437A .C2 0C00 retn 0C
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
堆栈提示:
00F3D9A8 00440BD0返回到 burnings.00440BD0 来自 burnings.00464334//取消断点,在本行上面点击右键,选择反汇编窗口中跟随!
00F3D9AC 01C96CF8
00F3D9B0 00000030
00F3D9B4 00000000
00F3D9B8 00F3E150
00F3D9BC 004C9B34burnings.004C9B34
00F3D9C0 00465FA6返回到 burnings.00465FA6
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
00440B90 .56 push esi ;//回溯到这里开始分析
00440B91 .57 push edi
00440B92 .6A 01 push 1
00440B94 .8BF1 mov esi, ecx
00440B96 .E8 3B990200 call 0046A4D6
00440B9B .E8 CA1A0200 call 0046266A
00440BA0 .8B40 04 mov eax, dword ptr
00440BA3 .6A 00 push 0
00440BA5 .8DBE 70010000 lea edi, dword ptr
00440BAB .57 push edi
00440BAC .8BC8 mov ecx, eax
00440BAE .E8 6DDAFFFF call 0043E620 ;//关键CALL!!!
00440BB3 .84C0 test al, al
00440BB5 .75 1C jnz short 00440BD3 ;//关键跳!!!
00440BB7 .6A 00 push 0
00440BB9 .6A 30 push 30
00440BBB .68 C0634C00 push 004C63C0 ;Please enter a valid code
00440BC0 .68 88634C00 push 004C6388 ;CRegisterDlg.EnterValidCode
00440BC5 .E8 C6AAFFFF call 0043B690
00440BCA .50 push eax
00440BCB .E8 64370200 call 00464334
00440BD0 .5F pop edi ;//跟随到此处
00440BD1 .5E pop esi
00440BD2 .C3 retn
00440BD3 >80BE 78010000>cmp byte ptr , 0
00440BDA .74 30 je short 00440C0C
00440BDC .E8 891A0200 call 0046266A
00440BE1 .8B40 04 mov eax, dword ptr
00440BE4 .57 push edi
00440BE5 .8BC8 mov ecx, eax
00440BE7 .E8 84DEFFFF call 0043EA70
00440BEC .84C0 test al, al
00440BEE .75 1C jnz short 00440C0C
00440BF0 .6A 00 push 0
00440BF2 .6A 30 push 30
00440BF4 .68 48634C00 push 004C6348 ;Full version key code required!
00440BF9 .68 0C634C00 push 004C630C ;CRegisterDlg.CodeOk
00440BFE .E8 8DAAFFFF call 0043B690
00440C03 .50 push eax
00440C04 .E8 2B370200 call 00464334
00440C09 .5F pop edi
00440C0A .5E pop esi
00440C0B .C3 retn
00440C0C >6A 00 push 0
00440C0E .6A 40 push 40
00440C10 .68 C0624C00 push 004C62C0 ;The key code was accepted. Thank you!
00440C15 .68 94624C00 push 004C6294 ;CRegisterDlg.CodeOk
00440C1A .E8 71AAFFFF call 0043B690
00440C1F .50 push eax
00440C20 .E8 0F370200 call 00464334
00440C25 .5F pop edi
00440C26 .8BCE mov ecx, esi
00440C28 .5E pop esi
00440C29 .E9 4C440200 jmp 0046507A
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=☆跟进去继续分析☆=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0043E620/$6A FF push -1 ;//跟进来后往下跟踪
0043E622|.68 A0DF4A00 push 004ADFA0
0043E627|.64:A1 0000000>mov eax, dword ptr fs:
0043E62D|.50 push eax
0043E62E|.83EC 1C sub esp, 1C
0043E631|.A1 442D4F00 mov eax, dword ptr
0043E636|.33C4 xor eax, esp
0043E638|.894424 18 mov dword ptr , eax
0043E63C|.53 push ebx
0043E63D|.55 push ebp
0043E63E|.56 push esi
0043E63F|.57 push edi
0043E640|.A1 442D4F00 mov eax, dword ptr
0043E645|.33C4 xor eax, esp
0043E647|.50 push eax
0043E648|.8D4424 30 lea eax, dword ptr
0043E64C|.64:A3 0000000>mov dword ptr fs:, eax
0043E652|.8B4424 40 mov eax, dword ptr
0043E656|.8B00 mov eax, dword ptr
0043E658|.8B5C24 44 mov ebx, dword ptr
0043E65C|.83E8 10 sub eax, 10
0043E65F|.50 push eax
0043E660|.8BE9 mov ebp, ecx
0043E662|.E8 E935FCFF call 00401C50
0043E667|.8D70 10 lea esi, dword ptr
0043E66A|.83C4 04 add esp, 4
0043E66D|.897424 18 mov dword ptr , esi
0043E671|.83BD EC000000>cmp dword ptr , 1
0043E678|.C74424 38 000>mov dword ptr , 0
0043E680|.0F85 4D020000 jnz 0043E8D3 ;***这里感觉程序下面这一段也是一种算法,但是不知道怎样让它不跳转
……………………………………………………………………………………☆省略中间不必要代码☆……………………………………………………………………………………
0043E976|.E8 45080600 call 0049F1C0 ;//算法CALL,跟进去继续分析!
0043E97B|.83C4 14 add esp, 14
0043E97E|.84C0 test al, al
0043E980|.0F84 95000000 je 0043EA1B
0043E986|>56 push esi ;//123456-890ABC-EFGHIJ
0043E987|.E8 B7300200 call 00461A43
0043E98C|.83C4 04 add esp, 4
0043E98F|.8D4424 24 lea eax, dword ptr ;//取试炼码前四位:1234
0043E993|.50 push eax
0043E994|.8D4C24 18 lea ecx, dword ptr
0043E998|.33F6 xor esi, esi
0043E99A|.E8 815DFCFF call 00404720
0043E99F|.8B4C24 14 mov ecx, dword ptr ;//取试炼码前四位:1234
0043E9A3|.8BAD B4000000 mov ebp, dword ptr ;//BRS9
0043E9A9|.51 push ecx
0043E9AA|.55 push ebp
0043E9AB|.E8 9BF80300 call 0047E24B ;//比较字符串,注册码前四位必须是BRS9
0043E9B0|.83C4 08 add esp, 8
0043E9B3|.85C0 test eax, eax
0043E9B5|.8B4424 14 mov eax, dword ptr
0043E9B9|.75 44 jnz short 0043E9FF ;//判断跳转
0043E9BB|.83C0 F0 add eax, -10
0043E9BE|.8D50 0C lea edx, dword ptr
0043E9C1|.83C9 FF or ecx, FFFFFFFF
0043E9C4|.F0:0FC10A lock xadd dword ptr , ecx
0043E9C8|.49 dec ecx
0043E9C9|.85C9 test ecx, ecx
0043E9CB|.7F 0A jg short 0043E9D7
0043E9CD|.8B08 mov ecx, dword ptr
0043E9CF|.8B11 mov edx, dword ptr
0043E9D1|.50 push eax
0043E9D2|.8B42 04 mov eax, dword ptr
0043E9D5|.FFD0 call eax
0043E9D7|>83C7 F0 add edi, -10 ;BRS956-789032-CDE54H
0043E9DA|.C74424 38 FFF>mov dword ptr , -1
0043E9E2|.8D4F 0C lea ecx, dword ptr
0043E9E5|.83CA FF or edx, FFFFFFFF
0043E9E8|.F0:0FC111 lock xadd dword ptr , edx
0043E9EC|.4A dec edx
0043E9ED|.85D2 test edx, edx
0043E9EF|.7F 0A jg short 0043E9FB
0043E9F1|.8B0F mov ecx, dword ptr
0043E9F3|.8B01 mov eax, dword ptr
0043E9F5|.8B50 04 mov edx, dword ptr
0043E9F8|.57 push edi
0043E9F9|.FFD2 call edx
0043E9FB|>B0 01 mov al, 1
0043E9FD|.EB 4B jmp short 0043EA4A
0043E9FF|>83C0 F0 add eax, -10
0043EA02|.8D48 0C lea ecx, dword ptr
0043EA05|.83CA FF or edx, FFFFFFFF
0043EA08|.F0:0FC111 lock xadd dword ptr , edx
0043EA0C|.4A dec edx
0043EA0D|.85D2 test edx, edx
0043EA0F|.7F 0A jg short 0043EA1B
0043EA11|.8B08 mov ecx, dword ptr
0043EA13|.8B11 mov edx, dword ptr
0043EA15|.50 push eax
0043EA16|.8B42 04 mov eax, dword ptr
0043EA19|.FFD0 call eax
0043EA1B|>56 push esi
0043EA1C|.E8 22300200 call 00461A43
0043EA21|.83C7 F0 add edi, -10
0043EA24|.83C4 04 add esp, 4
0043EA27|.C74424 38 FFF>mov dword ptr , -1
0043EA2F|.8D4F 0C lea ecx, dword ptr
0043EA32|.83CA FF or edx, FFFFFFFF
0043EA35|.F0:0FC111 lock xadd dword ptr , edx
0043EA39|.4A dec edx
0043EA3A|.85D2 test edx, edx
0043EA3C|.7F 0A jg short 0043EA48
0043EA3E|.8B0F mov ecx, dword ptr
0043EA40|.57 push edi
0043EA41|>8B01 mov eax, dword ptr
0043EA43|.8B50 04 mov edx, dword ptr
0043EA46|.FFD2 call edx
0043EA48|>32C0 xor al, al ;eax清零
0043EA4A|>8B4C24 30 mov ecx, dword ptr
0043EA4E|.64:890D 00000>mov dword ptr fs:, ecx
0043EA55|.59 pop ecx
0043EA56|.5F pop edi
0043EA57|.5E pop esi
0043EA58|.5D pop ebp
0043EA59|.5B pop ebx
0043EA5A|.8B4C24 18 mov ecx, dword ptr
0043EA5E|.33CC xor ecx, esp
0043EA60|.E8 E6F50300 call 0047E04B
0043EA65|.83C4 28 add esp, 28
0043EA68\.C2 0800 retn 8
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=☆跟进去继续分析☆=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0049F1C0/$83EC 58 sub esp, 58 ;//进来后来到这里,继续分析
0049F1C3|.A1 442D4F00 mov eax, dword ptr
0049F1C8|.33C4 xor eax, esp
0049F1CA|.894424 54 mov dword ptr , eax
0049F1CE|.8B4424 64 mov eax, dword ptr
0049F1D2|.8B5424 6C mov edx, dword ptr
0049F1D6|.8B4C24 68 mov ecx, dword ptr
0049F1DA|.53 push ebx
0049F1DB|.56 push esi ;//试炼码
0049F1DC|.8B7424 64 mov esi, dword ptr
0049F1E0|.894424 14 mov dword ptr , eax
0049F1E4|.8BC6 mov eax, esi
0049F1E6|.57 push edi
0049F1E7|.8B7C24 6C mov edi, dword ptr ;//.$tf>wse453R754/&%!))8<>d9e12bb存入edi
0049F1EB|.895424 14 mov dword ptr , edx
0049F1EF|.894C24 1C mov dword ptr , ecx
0049F1F3|.8D50 01 lea edx, dword ptr
0049F1F6|.33DB xor ebx, ebx
0049F1F8|>8A08 /mov cl, byte ptr
0049F1FA|.83C0 01 |add eax, 1
0049F1FD|.3ACB |cmp cl, bl
0049F1FF|.^ 75 F7 \jnz short 0049F1F8 ;//计算试炼码位数
0049F201|.2BC2 sub eax, edx ;//eax-edx=EAX,结果是试炼码的位数
0049F203|.83F8 14 cmp eax, 14 ;//eax与14H比较,注册码必须是20位
0049F206|.74 14 je short 0049F21C ;//判断跳转
0049F208|>5F pop edi
0049F209|.5E pop esi
0049F20A|.32C0 xor al, al
0049F20C|.5B pop ebx
0049F20D|.8B4C24 54 mov ecx, dword ptr
0049F211|.33CC xor ecx, esp
0049F213|.E8 33EEFDFF call 0047E04B
0049F218|.83C4 58 add esp, 58
0049F21B|.C3 retn
0049F21C|>B0 2D mov al, 2D ;//2D=al,-
0049F21E|.3846 06 cmp byte ptr , al ;//注册码第七位5与2D比较,注册码第七位必须是-
0049F221|.^ 75 E5 jnz short 0049F208 ;//判断跳转
0049F223|.3846 0D cmp byte ptr , al ;//注册码第14位5与2D比较,注册码第14位必须是-
0049F226|.^ 75 E0 jnz short 0049F208 ;//判断跳转
0049F228|.55 push ebp
0049F229|.6A 04 push 4
0049F22B|.8D4424 38 lea eax, dword ptr
0049F22F|.56 push esi ;123456-890ABC-EFGHIJ
0049F230|.50 push eax
0049F231|.E8 0A3C0000 call 004A2E40
0049F236|.6A 01 push 1
0049F238|.8D6E 04 lea ebp, dword ptr ;56-890ABC-EFGHIJ
0049F23B|.8D4C24 20 lea ecx, dword ptr
0049F23F|.55 push ebp ;56-890ABC-EFGHIJ
0049F240|.51 push ecx
0049F241|.E8 FA3B0000 call 004A2E40 ;//提出了第五位注册码5,字符串变为6-890ABC-EFGHIJ
0049F246|.6A 01 push 1
0049F248|.8D56 05 lea edx, dword ptr ;6-890ABC-EFGHIJ
0049F24B|.52 push edx ;6-890ABC-EFGHIJ
0049F24C|.8D4424 4C lea eax, dword ptr
0049F250|.50 push eax
0049F251|.E8 EA3B0000 call 004A2E40 ;//每次跟进去都会提取排在前面的第一位字符,字符串变为890ABC-EFGHIJ
0049F256|.6A 02 push 2
0049F258|.8D4E 07 lea ecx, dword ptr ;890ABC-EFGHIJ
0049F25B|.51 push ecx ;890ABC-EFGHIJ
0049F25C|.8D5424 40 lea edx, dword ptr ;6-890ABC-EFGHIJ
0049F260|.52 push edx
0049F261|.E8 DA3B0000 call 004A2E40 ;//提出注册码第8~9位89
0049F266|.6A 02 push 2 ;//两位,89
0049F268|.8D46 09 lea eax, dword ptr ;0ABC-EFGHIJ
0049F26B|.50 push eax ;0ABC-EFGHIJ
0049F26C|.8D4C24 65 lea ecx, dword ptr
0049F270|.51 push ecx
0049F271|.E8 CA3B0000 call 004A2E40 ;//提出注册码第10~11位0A
0049F276|.6A 02 push 2 ;//两位,0A
0049F278|.8D56 0B lea edx, dword ptr ;BC-EFGHIJ
0049F27B|.52 push edx ;BC-EFGHIJ
0049F27C|.8D4424 68 lea eax, dword ptr ;0A
0049F280|.50 push eax
0049F281|.E8 BA3B0000 call 004A2E40
0049F286|.83C4 48 add esp, 48 ;//34-EFG78J
0049F289|.6A 03 push 3
0049F28B|.8D4E 0E lea ecx, dword ptr ;EFGHIJ
0049F28E|.51 push ecx ;EFGHIJ
0049F28F|.8D5424 37 lea edx, dword ptr ;BC-EFGHIJ
0049F293|.52 push edx
0049F294|.E8 A73B0000 call 004A2E40 ;//提出注册码第15~17位
0049F299|.6A 02 push 2
0049F29B|.8D46 11 lea eax, dword ptr ;//HIJ
0049F29E|.50 push eax
0049F29F|.8D4C24 3A lea ecx, dword ptr
0049F2A3|.51 push ecx
0049F2A4|.E8 973B0000 call 004A2E40
0049F2A9|.6A 01 push 1
0049F2AB|.8D56 13 lea edx, dword ptr
0049F2AE|.52 push edx
0049F2AF|.8D4424 52 lea eax, dword ptr
0049F2B3|.50 push eax
0049F2B4|.E8 873B0000 call 004A2E40
0049F2B9|.6A 07 push 7
0049F2BB|.8D4C24 54 lea ecx, dword ptr
0049F2BF|.51 push ecx
0049F2C0|.8D5424 70 lea edx, dword ptr
0049F2C4|.52 push edx
0049F2C5|.885C24 68 mov byte ptr , bl
0049F2C9|.885C24 41 mov byte ptr , bl ;//60AEFGJ|1234,6+0A+EFG+J+|+1234
0049F2CD|.885C24 58 mov byte ptr , bl
0049F2D1|.885C24 63 mov byte ptr , bl ;7C ('|')
0049F2D5|.885C24 46 mov byte ptr , bl ;60AEFGJ
0049F2D9|.E8 623B0000 call 004A2E40 ;60AEFGJ
0049F2DE|.6A 01 push 1
0049F2E0|.8D4424 44 lea eax, dword ptr
0049F2E4|.50 push eax
0049F2E5|.8D8C24 830000>lea ecx, dword ptr
0049F2EC|.51 push ecx
0049F2ED|.E8 4E3B0000 call 004A2E40
0049F2F2|.6A 02 push 2
0049F2F4|.8D5424 54 lea edx, dword ptr ;89
0049F2F8|.52 push edx
0049F2F9|.8D8424 900000>lea eax, dword ptr
0049F300|.50 push eax
0049F301|.E8 3A3B0000 call 004A2E40
0049F306|.83C4 48 add esp, 48
0049F309|.6A 04 push 4
0049F30B|.8D4C24 38 lea ecx, dword ptr ;1234
0049F30F|.51 push ecx ;1234
0049F310|.8D5424 56 lea edx, dword ptr ;89
0049F314|.52 push edx
0049F315|.E8 263B0000 call 004A2E40
0049F31A|.57 push edi ;".$tf>wse453R754/&%!))8<>d9e12bb"
0049F31B|.8D4424 54 lea eax, dword ptr
0049F31F|.6A 0E push 0E
0049F321|.50 push eax
0049F322|.E8 99020000 call 0049F5C0
0049F327|.57 push edi ;".$tf>wse453R754/&%!))8<>d9e12bb"
0049F328|.8D4C24 60 lea ecx, dword ptr
0049F32C|.6A 0E push 0E
0049F32E|.51 push ecx
0049F32F|.E8 FC010000 call 0049F530 ;//计算真码,计算值为3478
0049F334|.50 push eax
0049F335|.8D5424 64 lea edx, dword ptr
0049F339|.68 24F14C00 push 004CF124 ;%04x
0049F33E|.52 push edx
0049F33F|.E8 AA14FEFF call 004807EE
0049F344|.83C4 30 add esp, 30 ;//3478,这里每次取得值都不一样,换过前四位以后又会不一样!
0049F347|.8D4C24 24 lea ecx, dword ptr ;//BCHI,试炼码的第12~13位是BC,试炼码的第18~19位是HI
0049F34B|.8D4424 3C lea eax, dword ptr ;//3478存入eax
0049F34F|.90 nop ;(initial cpu selection)
0049F350|>8A10 /mov dl, byte ptr
0049F352|.3A11 |cmp dl, byte ptr ;//第一位字符,比较是否对应相等,第二次循环比较第三位字符是否相等
0049F354|.75 1A |jnz short 0049F370 ;//判断跳转
0049F356|.3AD3 |cmp dl, bl
0049F358|.74 12 |je short 0049F36C
0049F35A|.8A50 01 |mov dl, byte ptr
0049F35D|.3A51 01 |cmp dl, byte ptr ;//第二位字符,比较是否对应相等,第二次循环比较第四位字符是否相等
0049F360|.75 0E |jnz short 0049F370 ;//判断跳转
0049F362|.83C0 02 |add eax, 2
0049F365|.83C1 02 |add ecx, 2
0049F368|.3AD3 |cmp dl, bl
0049F36A|.^ 75 E4 \jnz short 0049F350 ;//循环判断四位字符是否相等
0049F36C|>33C0 xor eax, eax
0049F36E|.EB 05 jmp short 0049F375
0049F370|>1BC0 sbb eax, eax
0049F372|.83D8 FF sbb eax, -1
0049F375|>3BC3 cmp eax, ebx
0049F377|.75 5A jnz short 0049F3D3
0049F379|.8B7C24 1C mov edi, dword ptr ;.$tf>wse453R754/&%!))8<>d9e12bb
0049F37D|.3BFB cmp edi, ebx
0049F37F|.74 0F je short 0049F390
0049F381|.6A 04 push 4
0049F383|.56 push esi ;123456-789054-CDEC7H
0049F384|.57 push edi
0049F385|.E8 B63A0000 call 004A2E40
0049F38A|.83C4 0C add esp, 0C
0049F38D|.885F 04 mov byte ptr , bl
0049F390|>8B7424 20 mov esi, dword ptr
0049F394|.3BF3 cmp esi, ebx
0049F396|.74 0F je short 0049F3A7
0049F398|.6A 01 push 1
0049F39A|.55 push ebp ;56-789054-CDEC7HIJ
0049F39B|.56 push esi
0049F39C|.E8 9F3A0000 call 004A2E40
0049F3A1|.83C4 0C add esp, 0C
0049F3A4|.885E 01 mov byte ptr , bl
0049F3A7|>8B7424 18 mov esi, dword ptr
0049F3AB|.3BF3 cmp esi, ebx
0049F3AD|.74 0F je short 0049F3BE
0049F3AF|.8D4424 14 lea eax, dword ptr
0049F3B3|.50 push eax
0049F3B4|.E8 A772FFFF call 00496660
0049F3B9|.83C4 04 add esp, 4
0049F3BC|.8906 mov dword ptr , eax
0049F3BE|>5D pop ebp
0049F3BF|.5F pop edi
0049F3C0|.5E pop esi
0049F3C1|.B0 01 mov al, 1 ; //al置1,注册成功!
0049F3C3|.5B pop ebx
0049F3C4|.8B4C24 54 mov ecx, dword ptr
0049F3C8|.33CC xor ecx, esp
0049F3CA|.E8 7CECFDFF call 0047E04B
0049F3CF|.83C4 58 add esp, 58
0049F3D2|.C3 retn
0049F3D3|>8B4C24 64 mov ecx, dword ptr
0049F3D7|.5D pop ebp
0049F3D8|.5F pop edi
0049F3D9|.5E pop esi
0049F3DA|.5B pop ebx
0049F3DB|.33CC xor ecx, esp
0049F3DD|.32C0 xor al, al ; //al清零,注册失败!
0049F3DF|.E8 67ECFDFF call 0047E04B
0049F3E4|.83C4 58 add esp, 58
0049F3E7\.C3 retn
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=☆跟进去继续分析☆=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0049F530/$8B5424 0C mov edx, dword ptr ;//".$tf>wse453R754/&%!))8<>d9e12bb"存入edx
0049F534|.8BC2 mov eax, edx
0049F536|.56 push esi
0049F537|.8D70 01 lea esi, dword ptr
0049F53A|.8D9B 00000000 lea ebx, dword ptr
0049F540|>8A08 /mov cl, byte ptr ;//逐位取字符串相邻两位
0049F542|.83C0 01 |add eax, 1 ;//eax+1,取下一位
0049F545|.84C9 |test cl, cl
0049F547|.^ 75 F7 \jnz short 0049F540 ;//取完字符串以后退出循环
0049F549|.2BC6 sub eax, esi ;//eax-esi
0049F54B|.83F8 03 cmp eax, 3 ;//eax与3比较
0049F54E|.73 04 jnb short 0049F554 ;//判断跳转
0049F550|.33C0 xor eax, eax
0049F552|.EB 1B jmp short 0049F56F
0049F554|>0FBE42 01 movsx eax, byte ptr ;//$(24)存入eax
0049F558|.0FBE0A movsx ecx, byte ptr ;//.(2E)存入ecx
0049F55B|.0FBE52 02 movsx edx, byte ptr ;//t(74)存入edx
0049F55F|.C1E0 04 shl eax, 4 ;//eax逻辑左移4位=00000240
0049F562|.0BC1 or eax, ecx ;//eax与ecx进行或运算,结果=0000026E
0049F564|.C1E0 10 shl eax, 10 ;//eax逻辑左移10位=026E0000
0049F567|.0BC2 or eax, edx ;//eax与edx进行或运算,结果=026E0074
0049F569|.03C0 add eax, eax ;//eax+eax=04DC00E8
0049F56B|.03C0 add eax, eax ;//eax+eax=09B801D0
0049F56D|.03C0 add eax, eax ;//eax+eax=137003A0
0049F56F|>8B4C24 0C mov ecx, dword ptr ;//0000000E存入ecx
0049F573|.8B5424 08 mov edx, dword ptr ;//00F3D934存入edx
0049F577|.51 push ecx ;//ecx压栈
0049F578|.52 push edx ;//edx压栈
0049F579|.50 push eax ;//eax压栈
0049F57A|.E8 71FEFFFF call 0049F3F0 ;//继续进取分析,返回值:EAX=82890BDE
0049F57F|.8BC8 mov ecx, eax ;//eax存入ecx
0049F581|.C1E8 09 shr eax, 9 ;//eax逻辑右移9位=00414485
0049F584|.25 00F87F00 and eax, 7FF800 ;//eax与7FF800进行与运算,结果=414000
0049F589|.8BD1 mov edx, ecx ;//ecx存入edx
0049F58B|.81E2 80070000 and edx, 780 ;//edx与780进行与运算,结果=00000380
0049F591|.0BC2 or eax, edx ;//eax与edx进行或运算,结果=00414380
0049F593|.8BD1 mov edx, ecx ;//ecx存入edx
0049F595|.8BF1 mov esi, ecx ;//ecx存入esi
0049F597|.C1EA 0B shr edx, 0B ;//edx逻辑右移0B位=105121
0049F59A|.83E6 7F and esi, 7F ;//esi与7F进行与运算,结果=0000005E
0049F59D|.C1E6 09 shl esi, 9 ;//esi逻辑左移9位=0000BC00
0049F5A0|.81E2 FF010000 and edx, 1FF ;//edx与1FF进行与运算,结果=00000121
0049F5A6|.C1E8 07 shr eax, 7 ;//eax逻辑右移7位=00008287
0049F5A9|.0BD6 or edx, esi ;//edx与esi进行或运算,结果=0000BD21
0049F5AB|.0FB7C9 movzx ecx, cx ;//ecx=00000BDE
0049F5AE|.83C4 0C add esp, 0C ;//00F3D8B8+0C=00F3D8C4
0049F5B1|.33C2 xor eax, edx ;//eax与edx进行异或运算=00003FA6
0049F5B3|.33C1 xor eax, ecx ;//eax与ecx进行异或运算=00003478
0049F5B5|.5E pop esi
0049F5B6\.C3 retn ;//eax的值为3478
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=☆跟进去继续分析☆=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
0049F3F0/$56 push esi ;burnings.004B8DF1
0049F3F1|.8B7424 0C mov esi, dword ptr ;esi=00F3F8F0
0049F3F5|.57 push edi
0049F3F6|.8B7C24 0C mov edi, dword ptr ;edi=137003A0
0049F3FA|.0FB7CF movzx ecx, di ;ecx=000003A0
0049F3FD|.C1EF 10 shr edi, 10 ;shr 137003A0,10=00001370
0049F400|.85F6 test esi, esi
0049F402|.75 06 jnz short 0049F40A
0049F404|.5F pop edi
0049F405|.8D46 01 lea eax, dword ptr
0049F408|.5E pop esi
0049F409|.C3 retn
0049F40A|>53 push ebx
0049F40B|.8B5C24 18 mov ebx, dword ptr ;//0E存入ebx
0049F40F|.85DB test ebx, ebx
0049F411|.0F86 05010000 jbe 0049F51C
0049F417|.55 push ebp
0049F418|.EB 06 jmp short 0049F420
0049F41A| 8D9B 00000000 lea ebx, dword ptr
0049F420|>81FB B0150000 /cmp ebx, 15B0
0049F426|.8BC3 |mov eax, ebx ;//0E存入eax
0049F428|.72 05 |jb short 0049F42F
0049F42A|.B8 B0150000 |mov eax, 15B0
0049F42F|>2BD8 |sub ebx, eax ;//ebx-eax=0
0049F431|.83F8 10 |cmp eax, 10 ;//eax与10比较
0049F434|.0F8C A1000000 |jl 0049F4DB
0049F43A|.8BD0 |mov edx, eax
0049F43C|.C1EA 04 |shr edx, 4
0049F43F|.8BEA |mov ebp, edx
0049F441|.F7DD |neg ebp
0049F443|.C1E5 04 |shl ebp, 4
0049F446|.03C5 |add eax, ebp
0049F448|.EB 06 |jmp short 0049F450
0049F44A| 8D9B 00000000 |lea ebx, dword ptr
0049F450|>0FB62E |/movzx ebp, byte ptr
0049F453|.03CD ||add ecx, ebp
0049F455|.0FB66E 01 ||movzx ebp, byte ptr
0049F459|.03F9 ||add edi, ecx
0049F45B|.03CD ||add ecx, ebp
0049F45D|.0FB66E 02 ||movzx ebp, byte ptr
0049F461|.03F9 ||add edi, ecx
0049F463|.03CD ||add ecx, ebp
0049F465|.0FB66E 03 ||movzx ebp, byte ptr
0049F469|.03F9 ||add edi, ecx
0049F46B|.03CD ||add ecx, ebp
0049F46D|.0FB66E 04 ||movzx ebp, byte ptr
0049F471|.03F9 ||add edi, ecx
0049F473|.03CD ||add ecx, ebp
0049F475|.0FB66E 05 ||movzx ebp, byte ptr
0049F479|.03F9 ||add edi, ecx
0049F47B|.03CD ||add ecx, ebp
0049F47D|.0FB66E 06 ||movzx ebp, byte ptr
0049F481|.03F9 ||add edi, ecx
0049F483|.03CD ||add ecx, ebp
0049F485|.0FB66E 07 ||movzx ebp, byte ptr
0049F489|.03F9 ||add edi, ecx
0049F48B|.03CD ||add ecx, ebp
0049F48D|.0FB66E 08 ||movzx ebp, byte ptr
0049F491|.03F9 ||add edi, ecx
0049F493|.03CD ||add ecx, ebp
0049F495|.0FB66E 09 ||movzx ebp, byte ptr
0049F499|.03F9 ||add edi, ecx
0049F49B|.03CD ||add ecx, ebp
0049F49D|.0FB66E 0A ||movzx ebp, byte ptr
0049F4A1|.03F9 ||add edi, ecx
0049F4A3|.03CD ||add ecx, ebp
0049F4A5|.0FB66E 0B ||movzx ebp, byte ptr
0049F4A9|.03F9 ||add edi, ecx
0049F4AB|.03CD ||add ecx, ebp
0049F4AD|.0FB66E 0C ||movzx ebp, byte ptr
0049F4B1|.03F9 ||add edi, ecx
0049F4B3|.03CD ||add ecx, ebp
0049F4B5|.0FB66E 0D ||movzx ebp, byte ptr
0049F4B9|.03F9 ||add edi, ecx
0049F4BB|.03CD ||add ecx, ebp
0049F4BD|.0FB66E 0E ||movzx ebp, byte ptr
0049F4C1|.03F9 ||add edi, ecx
0049F4C3|.03CD ||add ecx, ebp
0049F4C5|.0FB66E 0F ||movzx ebp, byte ptr
0049F4C9|.03F9 ||add edi, ecx
0049F4CB|.03CD ||add ecx, ebp
0049F4CD|.03F9 ||add edi, ecx
0049F4CF|.83C6 10 ||add esi, 10
0049F4D2|.83EA 01 ||sub edx, 1
0049F4D5|.^ 0F85 75FFFFFF |\jnz 0049F450
0049F4DB|>85C0 |test eax, eax
0049F4DD|.74 10 |je short 0049F4EF
0049F4DF|.90 |nop
0049F4E0|>0FB616 |/movzx edx, byte ptr ;下面esi的地址低位放到这里开始计算,EDX=6A,BE,49,EA,A3,4B,B8,6D,F0,6E,92,BF,45,DC
0049F4E3|.03CA ||add ecx, edx ;(3A0+6A=40A,4C8,511,5FB,69E,6E9,7A1,80E,8FE,96C,9FE,ABD,B02,BDE
0049F4E5|.83C6 01 ||add esi, 1 ;计算结果作为下一轮循环计算的数据,↑,F3F8F0+1=F3F8F1,F3F8F2……00F3F8FE
0049F4E8|.03F9 ||add edi, ecx ;1370+40A=177A,1C42,2153,274E,2DEC,34D5,3C76,4484,4D82,56EE,60EC,6BA9,76AB,8289
0049F4EA|.83E8 01 ||sub eax, 1 ;EAX-1,循环计数器,循环14次退出
0049F4ED|.^ 75 F1 |\jnz short 0049F4E0 ;循环,eax=0,edi=00008289
0049F4EF|>B8 71800780 |mov eax, 80078071 ;80078071存入eax
0049F4F4|.F7E1 |mul ecx ;mul EAX,ECX=80078071*00000BDE=000005EF59063CFE,000005EF存入edx,59063CFE存入eax
0049F4F6|.C1EA 0F |shr edx, 0F ;shr 000005EF,0F=00000000
0049F4F9|.69D2 0F00FFFF |imul edx, edx, FFFF000F ;imul 0,0,FFFF000F=0
0049F4FF|.03CA |add ecx, edx ;add 00000BDE,0=00000BDE
0049F501|.B8 71800780 |mov eax, 80078071 ;80078071存入eax
0049F506|.F7E7 |mul edi ;mul EAX,EDI=80078071*00008289=00004148533D1E79,00004148存入edx,533D1E79存入eax
0049F508|.C1EA 0F |shr edx, 0F ;shr 00004148,0F=00000000
0049F50B|.69D2 0F00FFFF |imul edx, edx, FFFF000F ;imul 0,0,FFFF000F=0
0049F511|.03FA |add edi, edx ;add 00008289,00000000=00008289
0049F513|.85DB |test ebx, ebx
0049F515|.^ 0F87 05FFFFFF \ja 0049F420
0049F51B|.5D pop ebp
0049F51C|>8BC7 mov eax, edi ;eax=00008289
0049F51E|.5B pop ebx
0049F51F|.C1E0 10 shl eax, 10 ;shl 00008289,10=82890000
0049F522|.5F pop edi
0049F523|.0BC1 or eax, ecx ;or 82890000,00000BDE=82890BDE
0049F525|.5E pop esi
0049F526\.C3 retn ;返回EAX的值为82890BDE
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
输入试炼码:123456789012345678901234567890
调整试炼码位数为20位,为了便于算法分析,我们让每一个试炼码都用不同的字符,调整后试炼码:1234567890ABCDEFGHIJ,继续调整试炼码:123456-890ABC-EFGHIJ,
继续调整:BRS956-890ABC-EFGHIJ
分析后可用注册信息:BRS956-890A34-EFG78J,注册成功提示:注册密钥有效.谢谢!
算法总结:
1.注册码必须是20位;
2.注册码第七位和第十四位必须是-,也就是说注册码形式必须是:XXXXXXX-XXXXXX-XXXXXX;
3.注册码前四位必须是:BRS9;
4.".$tf>wse453R754/&%!))8<>d9e12bb"这个字符串只用了前三个字符串“.$t”的十六进制($→24,.→2E,t→74)进行计算,算出真注册码的12~13位和18~19位与试炼码;
5.现在所有的算法分析都一步一步写出来了,但由于自己水平有限,还不能用简洁的“公式”写出算法表达式,正在继续努力,还是分析的太少,以后分析的多了,也许可以写的破文可读性
强一些,凑合着看吧,希望有时间的高手能指点指点,让小菜鸟也学习一下^_^
6.软件的注册信息保存在进注册表里,地址太长我就不贴了。 膜拜大牛.. 顶礼膜拜 很詳細的教學.
感謝大大無私的分享. 真詳細~
膜拜之後慢慢看~
感謝您的教學~:)eee 不错,继续努力·· 分析的很详细,加精鼓励! 虽然不是看的很懂,但是谢谢大牛分享。在这里我真的学习到很多,谢谢52pojie 精彩精彩。。。 虽然不是看的很懂,但是谢谢大牛分享
页:
[1]
2