Magic Photo Recovery 4.4 registration algorithm analysis
Last Friday I saw this thread, http://www.52pojie.cn/thread-525010-1-1.html . The OP only patched the jump and did not trace the registration code, so with some free time I analysed the registration algorithm.
Running interface
The program is not packed
It is a Delphi program
Use the tool to find the button event
Analyse it with IDR and generate a MAP file for use in OD
Load it into OD for analysis
Registration name: green
Fake code: 1234-5678-5555-8888
The fake code had already been analysed, so rather than starting the test from 12347890000 I went straight to a registration code of similar form
Break at the button event
Single-step through it
006A6198 > .55 push ebp ;_Unit79.TfRegistration.btnRegisterClick
006A6199 .8BEC mov ebp,esp
....
006A61CE .8B80 88030000 mov eax,dword ptr ds:[eax+0x388]
006A61D4 .E8 BF83DFFF call <Magic_Ph._Unit23.TControl.GetText>
006A61D9 .837D F4 00 cmp dword ptr ss:[ebp-0xC],0x0 ;check whether a registration name was entered
006A61DD .75 40 jnz short Magic_Ph.006A621F
006A61DF .6A 40 push 0x40
.......
006A6281 .8B80 8C030000 mov eax,dword ptr ds:[eax+0x38C]
006A6287 .E8 0C83DFFF call <Magic_Ph._Unit23.TControl.GetText> ;get the registration name
006A628C .8B45 EC mov eax,dword ptr ss:[ebp-0x14]
006A628F .50 push eax
006A6290 .8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
006A6293 .8B45 FC mov eax,dword ptr ss:[ebp-0x4] ;ntdll_1.77BBFB0D
006A6296 .8B80 88030000 mov eax,dword ptr ds:[eax+0x388]
006A629C .E8 F782DFFF call <Magic_Ph._Unit23.TControl.GetText> ;get the registration code
006A62A1 .8B45 E8 mov eax,dword ptr ss:[ebp-0x18] ;user32.75350230
006A62A4 .5A pop edx ;Magic_Ph.004A0421
006A62A5 .E8 1A38F7FF call Magic_Ph.00619AC4 ;step into this one
Arrive at this call
00619B5E .E8 490F0000 call Magic_Ph.0061AAAC
Partial code (abridged)
0061AAAC $55 push ebp
0061AAAD .8BEC mov ebp,esp
0061AAAF .83C4 F0 add esp,-0x10
...
0061AAD0 .55 push ebp
0061AAD1 .E8 8AFEFFFF call Magic_Ph.0061A960 ;registration-code check
0061AAD6 .59 pop ecx ;0018E8C4
0061AAD7 .84C0 test al,al
0061AAD9 .75 0A jnz short Magic_Ph.0061AAE5
0061AADB .33C0 xor eax,eax
0061AADD .5A pop edx ;0018E8C4
0061AADE .59 pop ecx ;0018E8C4
0061AADF .59 pop ecx ;0018E8C4
0061AAE0 .64:8910 mov dword ptr fs:[eax],edx
0061AAE3 .EB 67 jmp short Magic_Ph.0061AB4C
0061AAE5 >55 push ebp
0061AAE6 .B8 64AB6100 mov eax,Magic_Ph.0061AB64 ;HOME EDITION version
0061AAEB .E8 10FEFFFF call Magic_Ph.0061A900
0061AAF0 .59 pop ecx ;0018E8C4
0061AAF1 .84C0 test al,al
0061AAF3 .75 2A jnz short Magic_Ph.0061AB1F
0061AAF5 .55 push ebp
0061AAF6 .B8 8CAB6100 mov eax,Magic_Ph.0061AB8C ;OFFICE EDITION version
0061AAFB .E8 00FEFFFF call Magic_Ph.0061A900
0061AB00 .59 pop ecx ;0018E8C4
0061AB01 .84C0 test al,al
0061AB03 .75 1A jnz short Magic_Ph.0061AB1F
0061AB05 .55 push ebp
0061AB06 .B8 B8AB6100 mov eax,Magic_Ph.0061ABB8 ;COMMERCIAL EDITION version
0061AB0B .E8 F0FDFFFF call Magic_Ph.0061A900
0061AB10 .59 pop ecx ;0018E8C4
0061AB11 .84C0 test al,al
0061AB13 .75 0A jnz short Magic_Ph.0061AB1F
0061AB15 .33C0 xor eax,eax
0061AB17 .5A pop edx ;0018E8C4
0061AB18 .59 pop ecx ;0018E8C4
0061AB19 .59 pop ecx ;0018E8C4
0061AB1A .64:8910 mov dword ptr fs:[eax],edx
0061AB1D .EB 2D jmp short Magic_Ph.0061AB4C
0061AB1F >55 push ebp
We can see that this program has three editions
Now let's analyse call Magic_Ph.0061A960 ;registration-code check
The call as a whole checks the registration-code length, takes each character of the code and multiplies it by its position, then sums the products
0061A9AE .8945 E4 mov dword ptr ss:[ebp-0x1C],eax
0061A9B1 >837D E4 13 cmp dword ptr ss:[ebp-0x1C],0x13 ;check registration-code length (19)
0061A9B5 .0F8C B0000000 jl Magic_Ph.0061AA6B
0061A9BB .8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
0061A9BE .50 push eax
0061A9BF .8B45 08 mov eax,dword ptr ss:[ebp+0x8]
0061A9C2 .8B40 FC mov eax,dword ptr ds:[eax-0x4]
0061A9C5 .B9 12000000 mov ecx,0x12 ;take 18 characters, leaving out the final check character
0061A9CA .BA 01000000 mov edx,0x1
0061A9CF .E8 C4E6DEFF call <Magic_Ph.System.@UStrCopy>
0061A9D4 .8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
0061A9D7 .B9 01000000 mov ecx,0x1
0061A9DC .BA 0F000000 mov edx,0xF ;remove the "-"
0061A9E1 .E8 FAE6DEFF call <Magic_Ph.System.@UStrDelete>
0061A9E6 .8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
0061A9E9 .B9 01000000 mov ecx,0x1
0061A9EE .BA 0A000000 mov edx,0xA ;remove the "-"
0061A9F3 .E8 E8E6DEFF call <Magic_Ph.System.@UStrDelete>
0061A9F8 .8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
0061A9FB .B9 01000000 mov ecx,0x1
0061AA00 .BA 05000000 mov edx,0x5 ;remove the "-"
0061AA05 .E8 D6E6DEFF call <Magic_Ph.System.@UStrDelete>
0061AA0A .33C0 xor eax,eax
0061AA0C .8945 F4 mov dword ptr ss:[ebp-0xC],eax
0061AA0F .C745 F8 01000> mov dword ptr ss:[ebp-0x8],0x1
0061AA16 >8B45 F0 mov eax,dword ptr ss:[ebp-0x10] ;Magic_Ph.006799E8
0061AA19 .8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
0061AA1C .0FB74450 FE movzx eax,word ptr ds:[eax+edx*2-0x2] ;fetch the registration code one character at a time
0061AA21 .F76D F8 imul dword ptr ss:[ebp-0x8] ;multiply by the position
0061AA24 .0145 F4 add dword ptr ss:[ebp-0xC],eax ;accumulate
0061AA27 .FF45 F8 inc dword ptr ss:[ebp-0x8]
0061AA2A .837D F8 10 cmp dword ptr ss:[ebp-0x8],0x10
0061AA2E .^ 75 E6 jnz short Magic_Ph.0061AA16
0061AA30 .8D55 EC lea edx,dword ptr ss:[ebp-0x14]
0061AA33 .8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
0061AA36 .E8 9175E0FF call <Magic_Ph._Unit6.IntToStr> ;convert the sum to a string
0061AA3B .8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0061AA3E .8945 E0 mov dword ptr ss:[ebp-0x20],eax
0061AA41 .837D E0 00 cmp dword ptr ss:[ebp-0x20],0x0
0061AA45 .74 0B je short Magic_Ph.0061AA52
0061AA47 .8B45 E0 mov eax,dword ptr ss:[ebp-0x20]
0061AA4A .83E8 04 sub eax,0x4
0061AA4D .8B00 mov eax,dword ptr ds:[eax]
0061AA4F .8945 E0 mov dword ptr ss:[ebp-0x20],eax
0061AA52 >8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0061AA55 .8B55 E0 mov edx,dword ptr ss:[ebp-0x20]
0061AA58 .66:8B4450 FE mov ax,word ptr ds:[eax+edx*2-0x2] ;take the last character of the sum string
0061AA5D .8B55 08 mov edx,dword ptr ss:[ebp+0x8]
0061AA60 .8B52 FC mov edx,dword ptr ds:[edx-0x4]
0061AA63 .66:3B42 24 cmp ax,word ptr ds:[edx+0x24] ;compare with the 19th character
0061AA67 .0F9445 FF sete byte ptr ss:[ebp-0x1] ;set to 1 if equal
Some intermediate values obtained
6510: its last digit, 0, is compared with the last (19th) character of the registration code
Change the registration code to 1234-5678-5555-8880 and run again to get past the last-character check
Once this check is passed we reach the registration-code algorithms for the individual editions
Arrive at
0061AAEB .E8 10FEFFFF call Magic_Ph.0061A900
This is the HOME EDITION algorithm; step further into 0061A925 .E8 A2FCFFFF call Magic_Ph.0061A5CC to analyse it
This call converts the registration name, the edition name and the software name to upper case, with the following result
and then concatenates the strings in order
GREENMAGIC PHOTO RECOVERYHOME EDITION8DE6CF2C-42F3-4709-B8C0-B9BDB0591D4D
It computes the MD5 of this string, then picks characters position by position and converts them; see the detailed comments
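As an added example (not code from the original post or from the program), the following Python reproduces the check pass of call Magic_Ph.0061A960 as reconstructed from the listing above: copy 18 characters, delete positions 15, 10 and 5, sum ord(char)*position over the 15 remaining characters, and compare the last decimal digit of that sum with the 19th character. It lets the two intermediate values the post reports be verified: 6510 for 1234-5678-5555-8880 and the check character 1 for 5061-1513-0720-8881. The function names are my own; the program exposes no such names.

```python
def _weighted_sum(code: str) -> int:
    """Weighted sum computed by the loop at 0061AA16 (reconstruction).

    Mirrors UStrCopy(code, 1, 18) followed by UStrDelete at 1-based
    positions 15, 10 and 5 (in that order, so earlier positions are not
    shifted), then sum += ord(ch) * i for i in 1..15.
    """
    body = code[:18]
    for pos in (15, 10, 5):          # the three '-' separators
        body = body[:pos - 1] + body[pos:]
    return sum(ord(ch) * i for i, ch in enumerate(body, start=1))


def check_char(code: str) -> str:
    """Last character of IntToStr(sum): the value compared at 0061AA63."""
    return str(_weighted_sum(code))[-1]


def passes_length_and_check(code: str) -> bool:
    """The pass/fail result the call returns in AL.

    Codes shorter than 19 characters fail at the jl before the loop;
    otherwise the 19th character must equal the computed check character.
    """
    if len(code) < 19:
        return False
    return code[18] == check_char(code)


if __name__ == "__main__":
    for sample in ("1234-5678-5555-8888", "1234-5678-5555-8880",
                   "5061-1513-0720-8880", "5061-1513-0720-8881"):
        print(sample, _weighted_sum(sample), check_char(sample),
              passes_length_and_check(sample))
```

Because only one decimal digit of a position-weighted sum is compared, this pass is a check digit in the same family as ISBN or Luhn digits: it catches typing errors, and the edition-specific comparison that follows is where the entered code is actually tied to the registration name.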
0061A6EC .E8 A383FFFF call <Magic_Ph._Unit55.TIdHash.HashStringAsHex> ;compute the MD5
0061A6F1 .8B45 A8 mov eax,dword ptr ss:[ebp-0x58]
0061A6F4 .8D55 DC lea edx,dword ptr ss:[ebp-0x24]
0061A6F7 .E8 506CE0FF call <Magic_Ph._Unit6.UpperCase>
0061A6FC .33C0 xor eax,eax
0061A6FE .8945 F4 mov dword ptr ss:[ebp-0xC],eax
0061A701 >837D F4 00 cmp dword ptr ss:[ebp-0xC],0x0
0061A705 .74 0D je short Magic_Ph.0061A714
0061A707 .8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
0061A70A .BA FCA86100 mov edx,Magic_Ph.0061A8FC ;-
0061A70F .E8 5CE7DEFF call <Magic_Ph.System.@UStrCat>
0061A714 >33C0 xor eax,eax
0061A716 .8945 F0 mov dword ptr ss:[ebp-0x10],eax
0061A719 >8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
0061A71C .C1E0 02 shl eax,0x2
0061A71F .40 inc eax
0061A720 .0345 F0 add eax,dword ptr ss:[ebp-0x10]
0061A723 .8B55 DC mov edx,dword ptr ss:[ebp-0x24]
0061A726 .0FB74442 FE movzx eax,word ptr ds:[edx+eax*2-0x2] ;fetch a character of the MD5 string
0061A72B .8D55 EC lea edx,dword ptr ss:[ebp-0x14]
0061A72E .E8 9978E0FF call <Magic_Ph._Unit6.IntToStr> ;character code to decimal string
0061A733 .8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0061A736 .8945 D4 mov dword ptr ss:[ebp-0x2C],eax
0061A739 .837D D4 00 cmp dword ptr ss:[ebp-0x2C],0x0
0061A73D .74 0B je short Magic_Ph.0061A74A
0061A73F .8B45 D4 mov eax,dword ptr ss:[ebp-0x2C]
0061A742 .83E8 04 sub eax,0x4
0061A745 .8B00 mov eax,dword ptr ds:[eax]
0061A747 .8945 D4 mov dword ptr ss:[ebp-0x2C],eax
0061A74A >8D45 A0 lea eax,dword ptr ss:[ebp-0x60]
0061A74D .8B55 EC mov edx,dword ptr ss:[ebp-0x14]
0061A750 .8B4D D4 mov ecx,dword ptr ss:[ebp-0x2C]
0061A753 .66:8B544A FE mov dx,word ptr ds:[edx+ecx*2-0x2] ;take the second digit
0061A758 .E8 27E5DEFF call <Magic_Ph.System.@UStrFromWChar>
0061A75D .8B55 A0 mov edx,dword ptr ss:[ebp-0x60]
0061A760 .8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
0061A763 .E8 08E7DEFF call <Magic_Ph.System.@UStrCat>
0061A768 .FF45 F0 inc dword ptr ss:[ebp-0x10]
0061A76B .837D F0 04 cmp dword ptr ss:[ebp-0x10],0x4
0061A76F .^ 75 A8 jnz short Magic_Ph.0061A719 ;inner loop runs four times
0061A771 .FF45 F4 inc dword ptr ss:[ebp-0xC]
0061A774 .837D F4 03 cmp dword ptr ss:[ebp-0xC],0x3
0061A778 .^ 75 87 jnz short Magic_Ph.0061A701 ;outer loop, appending "-" between groups
0061A77A .8D45 9C lea eax,dword ptr ss:[ebp-0x64]
0061A77D .50 push eax
0061A77E .8B45 08 mov eax,dword ptr ss:[ebp+0x8]
0061A781 .8B40 FC mov eax,dword ptr ds:[eax-0x4]
0061A784 .B9 0E000000 mov ecx,0xE
0061A789 .BA 01000000 mov edx,0x1
0061A78E .E8 05E9DEFF call <Magic_Ph.System.@UStrCopy>
0061A793 .8B55 9C mov edx,dword ptr ss:[ebp-0x64]
0061A796 .8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
0061A799 .E8 C2E8DEFF call <Magic_Ph.System.@UStrEqual> ;compare with the entered registration code
Intermediate values produced during the computation
md5 72833735294F27492B912314F929DD84
Registration code 5061-1513-0720
Only the first 12 digits are compared
Then take these 12 true digits as 5061-1513-0720-8880 and compute the final check character
This gives the true code 5061-1513-0720-8881
The registration-success dialog appears
Analysis complete. The other two editions,
OFFICE EDITION and COMMERCIAL EDITION, use similar algorithms, so I won't take up space with them
Summary: the difficulty is moderate; careful analysis gets you to the key points.
Being a Delphi program, the auxiliary analysis tools are also very capable and save a lot of trouble.
[Cracking statement] This article is for research only, for enthusiasts of cracking techniques to study and discuss; do not use it commercially. If you like the software, please buy a legitimate copy.
Algorithm analyses are all very useful
I'm one of those who didn't understand it
Another one who didn't get it, passing through.
Really didn't understand; does the OP have contact details? I'd like to ask for advice
Don't understand it but it sounds impressive
Thanks for sharing; thread moved to the technical section. I've edited the post to put the code in code boxes so it looks nicer.