ColorCatcher 3.5 Algorithm Analysis and Algorithmic Keygen
【Title】ColorCatcher 3.5 Algorithm Analysis and Algorithmic Keygen【Author】zaas
【Tools】OllyICE, PEiD v0.94
【Platform】WinXP
【Software】ColorCatcher 3.5
【Updated】2010-4-17 10:50:20
【Category】Foreign software / screen capture
【Language】Simplified Chinese
【Supported platforms】WinXP/2000/2003/Vista
【License】Shareware (paid)
【Size】741KB
【Original download】http://www.newhua.com/soft/81278.htm#down
【Protection】Registration code
【Description】ColorCatcher is a screen color picker that displays captured colors in both RGB and HTML formats.
【Statement】I'm just a little newbie; I picked up a bit of insight and would like to share it with everyone :)
This program derives the registration name from the registration code, which is kind of interesting, like a crackme.
--------------------------------------------------------------
【Cracking details】
--------------------------------------------------------------
**************************************************************
Check the packer with PEiD: Borland Delphi 6.0 - 7.0
**************************************************************
Set a breakpoint on MessageBoxA; once it breaks, return to:
0051772C|.8B45 F8 mov eax, dword ptr
0051772F|.8D55 FC lea edx, dword ptr
00517732|.E8 C119EFFF call 004090F8 ;registration name
00517737|.8B4D FC mov ecx, dword ptr
0051773A|.BA C4775100 mov edx, 005177C4 ;user
0051773F|.33C0 xor eax, eax
00517741|.E8 BEAFF5FF call 00472704 ;write to registry software\bistonesoft\colorcatcher\
00517746|.8D55 F0 lea edx, dword ptr
00517749|.8B83 94030000 mov eax, dword ptr
0051774F|.E8 C89AF3FF call 0045121C ;get the entered (fake) code
00517754|.8B45 F0 mov eax, dword ptr
00517757|.8D55 F4 lea edx, dword ptr
0051775A|.E8 9919EFFF call 004090F8 ;strip spaces before checking
0051775F|.8B4D F4 mov ecx, dword ptr
00517762|.BA D4775100 mov edx, 005177D4 ;no
00517767|.33C0 xor eax, eax
00517769|.E8 96AFF5FF call 00472704 ;write to registry
0051776E|.B8 E0775100 mov eax, 005177E0 ;please restart your color catcher to verify your key!
00517773|.E8 78A5F2FF call 00441CF0 ;"restart to verify" message box
So it verifies on restart. Since we know the values are written to the registry, we could of course set a registry breakpoint, but I'll take a shortcut: the strings "user" and "no" are a giveaway, so a string search gets us there directly:
00518C08|.A1 24F65100 mov eax, dword ptr
00518C0D|.8B00 mov eax, dword ptr
00518C0F|.E8 70A1F5FF call 00472D84 ;key call
00518C14|.84C0 test al, al
00518C16|.75 3D jnz short 00518C55 ;key jump, patch point
00518C18|.8BC3 mov eax, ebx
00518C1A|.E8 F9FDFFFF call 00518A18
00518C1F|.8D45 FC lea eax, dword ptr
00518C22|.50 push eax
00518C23|.A1 24F65100 mov eax, dword ptr
00518C28|.8B00 mov eax, dword ptr
00518C2A|.E8 51A0F5FF call 00472C80
00518C2F|.8945 F4 mov dword ptr , eax
00518C32|.C645 F8 00 mov byte ptr , 0
00518C36|.8D55 F4 lea edx, dword ptr
00518C39|.33C9 xor ecx, ecx
00518C3B|.B8 508D5100 mov eax, 00518D50 ;ASCII "You have %d times left!"
00518C40|.E8 DB15EFFF call 0040A220
00518C45|.8B55 FC mov edx, dword ptr
00518C48|.8B83 9C030000 mov eax, dword ptr
00518C4E|.E8 F985F3FF call 0045124C
00518C53|.EB 07 jmp short 00518C5C
AL = 0 takes the trial path; AL != 0 takes the registered path. Step into the key call:
00472D84/$ 55 push ebp
00472D85|.8BEC mov ebp, esp
00472D87|.6A 00 push 0
00472D89|.6A 00 push 0
00472D8B|.53 push ebx
00472D8C|.33C0 xor eax, eax
00472D8E|.55 push ebp
00472D8F|.68 E22D4700 push 00472DE2
00472D94|.64:FF30 push dword ptr fs:
00472D97|.64:8920 mov dword ptr fs:, esp
00472D9A|.8D4D FC lea ecx, dword ptr
00472D9D|.BA F82D4700 mov edx, 00472DF8 ;no
00472DA2|.33C0 xor eax, eax
00472DA4|.E8 43F8FFFF call 004725EC ;read the fake code from the registry
00472DA9|.8B45 FC mov eax, dword ptr
00472DAC|.50 push eax
00472DAD|.8D4D F8 lea ecx, dword ptr
00472DB0|.BA 042E4700 mov edx, 00472E04 ;user
00472DB5|.33C0 xor eax, eax
00472DB7|.E8 30F8FFFF call 004725EC ;read the registration name from the registry
00472DBC|.8B45 F8 mov eax, dword ptr
00472DBF|.5A pop edx
00472DC0|.E8 83F5FFFF call 00472348 ;key call
00472DC5|.8BD8 mov ebx, eax ;this is where AL's value comes from, passed via EBX; patch point 2
00472DC7|.33C0 xor eax, eax
00472DC9|.5A pop edx
00472DCA|.59 pop ecx
00472DCB|.59 pop ecx
00472DCC|.64:8910 mov dword ptr fs:, edx
00472DCF|.68 E92D4700 push 00472DE9
00472DD4|>8D45 F8 lea eax, dword ptr
00472DD7|.BA 02000000 mov edx, 2
00472DDC|.E8 2F1EF9FF call 00404C10 ;clear the registration strings from the stack
00472DE1\.C3 retn
00472DE2 .^ E9 3117F9FF jmp 00404518
00472DE7 .^ EB EB jmp short 00472DD4
00472DE9 .8BC3 mov eax, ebx ;returned in EAX; patch point 3
00472DEB .5B pop ebx
00472DEC .59 pop ecx
00472DED .59 pop ecx
00472DEE .5D pop ebp
00472DEF .C3 retn
AL's value comes from call 00472348, so keep stepping in:
00472375|.64:FF30 push dword ptr fs:
00472378|.64:8920 mov dword ptr fs:, esp
0047237B|.8D45 FC lea eax, dword ptr
0047237E|.8B15 ECDA5100 mov edx, dword ptr ;ColorCat.004722E4
00472384|.E8 2F2BF9FF call 00404EB8 ;registration name concatenated with the fixed string "76#iE*&$Rn@hjhl"
00472389|.8D4D F4 lea ecx, dword ptr
0047238C|.BA 0F000000 mov edx, 0F ;keep the first 15 characters
00472391|.8B45 FC mov eax, dword ptr
00472394|.E8 27ADFCFF call 0043D0C0
00472399|.8B55 F4 mov edx, dword ptr
0047239C|.8D45 FC lea eax, dword ptr
0047239F|.E8 E028F9FF call 00404C84
004723A4|.8D4D F0 lea ecx, dword ptr
004723A7|.BA F4234700 mov edx, 004723F4 ;fixed string "bistonecolor"
004723AC|.8B45 F8 mov eax, dword ptr ;fake code
004723AF|.E8 50000000 call 00472404 ;algorithm call
004723B4|.8B55 F0 mov edx, dword ptr ;result of the algorithm
004723B7|.8B45 FC mov eax, dword ptr ;registration name
004723BA|.E8 552CF9FF call 00405014 ;compare call
004723BF|.0F94C3 sete bl ;sets BL; patch point 4
004723C2|.33C0 xor eax, eax
004723C4|.5A pop edx
004723C5|.59 pop ecx
004723C6|.59 pop ecx
004723C7|.64:8910 mov dword ptr fs:, edx
004723CA|.68 E4234700 push 004723E4
004723CF|>8D45 F0 lea eax, dword ptr
004723D2|.BA 04000000 mov edx, 4
004723D7|.E8 3428F9FF call 00404C10
004723DC\.C3 retn
004723DD .^ E9 3621F9FF jmp 00404518
004723E2 .^ EB EB jmp short 004723CF
004723E4 .8BC3 mov eax, ebx ;BL is passed to AL; patch point 5
004723E6 .5B pop ebx
004723E7 .8BE5 mov esp, ebp
004723E9 .5D pop ebp
004723EA .C3 retn
The fake code is turned into a string inside the algorithm call and compared with the registration name, so there's no way around it; keep stepping in:
0047243C|.55 push ebp
0047243D|.68 7B254700 push 0047257B
00472442|.64:FF30 push dword ptr fs:
00472445|.64:8920 mov dword ptr fs:, esp
00472448|.8B45 F8 mov eax, dword ptr ;ASCII "BistoneColor"
0047244B|.85C0 test eax, eax
0047244D|.74 05 je short 00472454 ;jump if empty
0047244F|.83E8 04 sub eax, 4 ;length of ASCII "BistoneColor"
00472452|.8B00 mov eax, dword ptr
00472454|>8945 EC mov dword ptr , eax ;if it is 0 we jumped here, and the jnz below is not taken
00472457|.837D EC 00 cmp dword ptr , 0
0047245B|.75 0D jnz short 0047246A
0047245D|.8D45 F8 lea eax, dword ptr
00472460|.BA 94254700 mov edx, 00472594 ;bistonecolor
00472465|.E8 1A28F9FF call 00404C84
0047246A|>33F6 xor esi, esi
0047246C|.8D45 DC lea eax, dword ptr
0047246F|.50 push eax
00472470|.B9 02000000 mov ecx, 2 ;length 2
00472475|.BA 01000000 mov edx, 1
0047247A|.8B45 FC mov eax, dword ptr ;fake code
0047247D|.E8 622CF9FF call 004050E4 ;take the first two characters
00472482|.8B4D DC mov ecx, dword ptr
00472485|.8D45 E0 lea eax, dword ptr
00472488|.BA AC254700 mov edx, 004725AC ;$
0047248D|.E8 722AF9FF call 00404F04 ;"$" + the first two characters
00472492|.8B45 E0 mov eax, dword ptr
00472495|.8D55 E8 lea edx, dword ptr
00472498|.E8 3F71F9FF call 004095DC ;convert the hex string to a number
0047249D|.84C0 test al, al
0047249F|.75 0D jnz short 004724AE ;jump if not zero
004724A1|.8B45 F0 mov eax, dword ptr
004724A4|.E8 4327F9FF call 00404BEC
004724A9|.E9 A5000000 jmp 00472553
004724AE|>BF 03000000 mov edi, 3 ;start from the third character
004724B3|>8D45 D4 /lea eax, dword ptr
004724B6|.50 |push eax
004724B7|.B9 02000000 |mov ecx, 2 ;take two characters
004724BC|.8BD7 |mov edx, edi
004724BE|.8B45 FC |mov eax, dword ptr
004724C1|.E8 1E2CF9FF |call 004050E4
004724C6|.8B4D D4 |mov ecx, dword ptr
004724C9|.8D45 D8 |lea eax, dword ptr
004724CC|.BA AC254700 |mov edx, 004725AC ;$
004724D1|.E8 2E2AF9FF |call 00404F04 ;"$" + two characters
004724D6|.8B45 D8 |mov eax, dword ptr
004724D9|.8D55 E4 |lea edx, dword ptr
004724DC|.E8 FB70F9FF |call 004095DC ;convert the hex string to a number
004724E1|.84C0 |test al, al
004724E3|.75 0A |jnz short 004724EF ;jump if not zero
004724E5|.8B45 F0 |mov eax, dword ptr
004724E8|.E8 FF26F9FF |call 00404BEC
004724ED|.EB 64 |jmp short 00472553
004724EF|>3B75 EC |cmp esi, dword ptr ;has all of ASCII "BistoneColor" been consumed?
004724F2|.7D 03 |jge short 004724F7
004724F4|.46 |inc esi ;not yet, take the next character
004724F5|.EB 05 |jmp short 004724FC
004724F7|>BE 01000000 |mov esi, 1 ;exhausted, start over from the beginning
004724FC|>8B45 F8 |mov eax, dword ptr ;ASCII "BistoneColor"
004724FF|.0FB65C30 FF |movzx ebx, byte ptr ;fetch the character
00472504|.335D E4 |xor ebx, dword ptr ;XOR with the two-digit value taken from the fake code starting at the third character
00472507|.3B5D E8 |cmp ebx, dword ptr ;is the result greater than the value of the preceding two fake-code digits?
0047250A|.7F 0B |jg short 00472517 ;jump if greater
0047250C|.81C3 FF000000 |add ebx, 0FF ;if not greater, add 255
00472512|.2B5D E8 |sub ebx, dword ptr ;subtract the value of the preceding two fake-code digits
00472515|.EB 03 |jmp short 0047251A
00472517|>2B5D E8 |sub ebx, dword ptr ;subtract the value of the preceding two fake-code digits
0047251A|>8D45 D0 |lea eax, dword ptr
0047251D|.8BD3 |mov edx, ebx
0047251F|.E8 B028F9FF |call 00404DD4 ;save
00472524|.8B55 D0 |mov edx, dword ptr
00472527|.8D45 F4 |lea eax, dword ptr
0047252A|.E8 8929F9FF |call 00404EB8 ;(initial cpu selection)
0047252F|.8B45 E4 |mov eax, dword ptr
00472532|.8945 E8 |mov dword ptr , eax
00472535|.83C7 02 |add edi, 2
00472538|.8B45 FC |mov eax, dword ptr
0047253B|.E8 6C29F9FF |call 00404EAC
00472540|.3BF8 |cmp edi, eax ;has the whole fake code been consumed?
00472542|.^ 0F8C 6BFFFFFF \jl 004724B3 ;if not, keep going
00472548|.8B45 F0 mov eax, dword ptr
0047254B|.8B55 F4 mov edx, dword ptr
A registration name shorter than 15 characters is padded to 15 with the fixed string appended after it.
【Algorithm summary】The algorithm derives the registration name from the registration code.
1. Concatenate the registration name with the fixed string "76#iE*&$Rn@hjhl" and keep the first 15 characters; call this A.
2. Starting at the third character of the fake code, take each pair of characters as a hex value, XOR it with the ASCII code of the next character of the fixed string "BistoneColor", subtract the hex value of the preceding pair, and loop over the whole code to get result B.
3. If A == B, registration succeeds.
There are countless patch points.
To invert it, you only need to add the preceding pair's value to each registration-name character's ASCII code and XOR the sum with the ASCII code of the corresponding "BistoneColor" character.
Putting all of the above together, write the VB keygen. The key part of the keygen code is as follows:
'Reference string (doubled so positions 1..15 wrap around like the program does)
Const Index1 = "BistoneColorBistoneColor"
Text2.Text = ""
Dim Code As String
Code = Trim(Text1.Text)
If Text1.Text = "" Then Exit Sub
'Pad the registration name to 15 characters
Code = Left((Code & "76#iE*&$Rn@hjhl"), 15)
Dim Reg(15) As Integer
Randomize
Dim IntNum As Integer
'The first value is chosen at random
Reg(0) = (99 - 1) * Rnd() + 1
Dim Name As Integer
Dim temp As Integer
Dim a As Integer
'Compute the remaining 15 values
For a = 1 To 15
temp = (Reg(a - 1) + Asc(Mid(Code, a, 1)))
If temp > 255 Then temp = temp - 255
Reg(a) = temp Xor (Asc(Mid(Index1, a, 1)))
Next
【Copyright notice】Crack write-ups are study notes, and interest is the wellspring of success; this write-up is purely for technical exchange. When reposting, please credit the author and keep the article intact, thank you!

Nobody has bumped this featured post, so I'll bump it! Haha.......

Reply to zaas's post: very detailed crack, supporting you.

Replying first, then downloading.

Thumbs up, awesome, learning.