Magic Photo Editor Registration Algorithm Analysis
[Software name] Magic Photo Editor
[Software description] Magic Photo Editor is a very simple image editor. With it you can easily place your digital photos onto other attractive backgrounds to make them look nicer. It is shareware with a trial limited to 30 uses. Today I will analyze its registration algorithm.
[Cracking process] First inspect it with PEiD: it is packed with UPX 0.89.6 - 1.02 / 1.05 - 1.24, a simple compression packer that PEiD's unpacking plugin removes directly. Inspecting it again afterwards shows the program was written in Borland Delphi 6.0 - 7.0. Go to the registration page and try to register; a registration prompt appears. Load the program in OllyDbg, search for the ASCII string "Invalid SerialNumber", and double-click that prompt to reach the code. Scan upward from there to find the start of the registration routine; the entry point usually begins by pushing onto the stack. Finally, set a breakpoint at 483208 with F2 and run with F9 for dynamic analysis. Fill in a serial, click register, and the program breaks here.
00483208  6A 00            PUSH 0                               ; breaks here
0048320A  6A 00            PUSH 0
0048320C  49               DEC ECX
0048320D  ^ 75 F9          JNZ SHORT MagicPho.00483208
0048320F  51               PUSH ECX
00483210  53               PUSH EBX
00483211  56               PUSH ESI
00483212  8BD8             MOV EBX,EAX
00483214  33C0             XOR EAX,EAX
00483216  55               PUSH EBP
00483217  68 BE334800      PUSH MagicPho.004833BE
0048321C  64:FF30          PUSH DWORD PTR FS:
0048321F  64:8920          MOV DWORD PTR FS:,ESP
00483222  8B83 00030000    MOV EAX,DWORD PTR DS:
00483228  8B10             MOV EDX,DWORD PTR DS:
0048322A  FF52 50          CALL DWORD PTR DS:
0048322D  3C 01            CMP AL,1
0048322F  0F85 18010000    JNZ MagicPho.0048334D
00483235  8D55 F8          LEA EDX,DWORD PTR SS:
00483238  8BB3 00030000    MOV ESI,DWORD PTR DS:
0048323E  8BC6             MOV EAX,ESI
00483240  E8 7F39FBFF      CALL MagicPho.00436BC4               ; length of the entered (fake) serial goes into EAX
00483245  8B45 F8          MOV EAX,DWORD PTR SS:                ; fake serial goes into EAX
00483248  8D55 FC          LEA EDX,DWORD PTR SS:
0048324B  E8 DC54F8FF      CALL MagicPho.0040872C
00483250  8B55 FC          MOV EDX,DWORD PTR SS:                ; fake serial moved to EDX
00483253  8BC6             MOV EAX,ESI
00483255  E8 9A39FBFF      CALL MagicPho.00436BF4
0048325A  8D55 F4          LEA EDX,DWORD PTR SS:
0048325D  8B83 00030000    MOV EAX,DWORD PTR DS:
00483263  E8 5C39FBFF      CALL MagicPho.00436BC4
00483268  837D F4 00       CMP DWORD PTR SS:,0                  ; check whether the serial is empty
0048326C  0F84 CF000000    JE MagicPho.00483341
00483272  8D55 EC          LEA EDX,DWORD PTR SS:
00483275  8B83 00030000    MOV EAX,DWORD PTR DS:
0048327B  E8 4439FBFF      CALL MagicPho.00436BC4
00483280  8B45 EC          MOV EAX,DWORD PTR SS:
00483283  8D55 F0          LEA EDX,DWORD PTR SS:
00483286  E8 5152F8FF      CALL MagicPho.004084DC               ; convert lowercase to uppercase
0048328B  8B45 F0          MOV EAX,DWORD PTR SS:
0048328E  E8 4DA4FFFF      CALL MagicPho.0047D6E0               ; the algorithm call, step in with F7
00483293  84C0             TEST AL,AL
00483295  0F84 9A000000    JE MagicPho.00483335                 ; flag is zero, registration fails
0048329B  8D55 E8          LEA EDX,DWORD PTR SS:
0048329E  8B83 00030000    MOV EAX,DWORD PTR DS:
004832A4  E8 1B39FBFF      CALL MagicPho.00436BC4
004832A9  8B45 E8          MOV EAX,DWORD PTR SS:
004832AC  E8 D713F8FF      CALL MagicPho.00404688
004832B1  83F8 0B          CMP EAX,0B
004832B4  75 7F            JNZ SHORT MagicPho.00483335          ; the serial must be 11 characters long
004832B6  8D45 E4          LEA EAX,DWORD PTR SS:
004832B9  50               PUSH EAX
004832BA  8D55 DC          LEA EDX,DWORD PTR SS:
004832BD  8B83 00030000    MOV EAX,DWORD PTR DS:
004832C3  E8 FC38FBFF      CALL MagicPho.00436BC4
004832C8  8B45 DC          MOV EAX,DWORD PTR SS:
004832CB  8D55 E0          LEA EDX,DWORD PTR SS:
004832CE  E8 0952F8FF      CALL MagicPho.004084DC
004832D3  8B45 E0          MOV EAX,DWORD PTR SS:
004832D6  B9 01000000      MOV ECX,1
004832DB  BA 0B000000      MOV EDX,0B
004832E0  E8 FB15F8FF      CALL MagicPho.004048E0
004832E5  8B45 E4          MOV EAX,DWORD PTR SS:                ; address of the 11th character goes into EAX
004832E8  BA D4334800      MOV EDX,MagicPho.004833D4            ; u
004832ED  E8 DA14F8FF      CALL MagicPho.004047CC               ; so the 11th character must be u or U
004832F2  75 41            JNZ SHORT MagicPho.00483335
004832F4  8D55 D4          LEA EDX,DWORD PTR SS:
004832F7  8B83 00030000    MOV EAX,DWORD PTR DS:
004832FD  E8 C238FBFF      CALL MagicPho.00436BC4
00483302  8B45 D4          MOV EAX,DWORD PTR SS:
00483305  8D55 D8          LEA EDX,DWORD PTR SS:
00483308  E8 CF51F8FF      CALL MagicPho.004084DC
0048330D  8B55 D8          MOV EDX,DWORD PTR SS:
00483310  B8 E0334800      MOV EAX,MagicPho.004833E0            ; magic.bin
00483315  E8 FEA4FFFF      CALL MagicPho.0047D818               ; write the serial into magic.bin
0048331A  A1 149B4800      MOV EAX,DWORD PTR DS:
0048331F  BA F4334800      MOV EDX,MagicPho.004833F4            ; y
00483324  E8 FB10F8FF      CALL MagicPho.00404424
00483329  B8 00344800      MOV EAX,MagicPho.00483400            ; successfully registered!
0048332E  E8 25D4FAFF      CALL MagicPho.00430758
00483333  EB 22            JMP SHORT MagicPho.00483357
00483335  B8 24344800      MOV EAX,MagicPho.00483424            ; invalid serialnumber!
0048333A  E8 19D4FAFF      CALL MagicPho.00430758
0048333F  EB 16            JMP SHORT MagicPho.00483357
00483341  B8 24344800      MOV EAX,MagicPho.00483424            ; invalid serialnumber!
00483346  E8 0DD4FAFF      CALL MagicPho.00430758
0048334B  EB 0A            JMP SHORT MagicPho.00483357
0048334D  B8 44344800      MOV EAX,MagicPho.00483444            ; ASCII "Already Registered!"
00483352  E8 01D4FAFF      CALL MagicPho.00430758
00483357  A1 5CAD4800      MOV EAX,DWORD PTR DS:
0048335C  E8 C708FDFF      CALL MagicPho.00453C28
00483361  33C0             XOR EAX,EAX
00483363  5A               POP EDX
00483364  59               POP ECX
Step into the call at 48328E with F7 and we arrive here:
0047D6E0  55               PUSH EBP
0047D6E1  8BEC             MOV EBP,ESP
0047D6E3  B9 04000000      MOV ECX,4
0047D6E8  6A 00            PUSH 0
0047D6EA  6A 00            PUSH 0
0047D6EC  49               DEC ECX
0047D6ED  ^ 75 F9          JNZ SHORT MagicPho.0047D6E8
0047D6EF  51               PUSH ECX
0047D6F0  53               PUSH EBX
0047D6F1  8945 FC          MOV DWORD PTR SS:,EAX
0047D6F4  8B45 FC          MOV EAX,DWORD PTR SS:                ; fake serial goes into EAX
0047D6F7  E8 7471F8FF      CALL MagicPho.00404870
0047D6FC  33C0             XOR EAX,EAX
0047D6FE  55               PUSH EBP
0047D6FF  68 09D84700      PUSH MagicPho.0047D809
0047D704  64:FF30          PUSH DWORD PTR FS:
0047D707  64:8920          MOV DWORD PTR FS:,ESP
0047D70A  8D45 F8          LEA EAX,DWORD PTR SS:
0047D70D  E8 B2FDFFFF      CALL MagicPho.0047D4C4
0047D712  8D4D EC          LEA ECX,DWORD PTR SS:
0047D715  33D2             XOR EDX,EDX
0047D717  8B45 F8          MOV EAX,DWORD PTR SS:                ; first ten characters of the machine code go into EAX
0047D71A  E8 1DFBFFFF      CALL MagicPho.0047D23C               ; reorder the machine code to obtain a new machine code S1
I won't step into this one; I'll just give the reordering method by example: suppose the original is 0123456789, then after reordering it becomes 3902645718.
0047D71F  8B55 EC          MOV EDX,DWORD PTR SS:
0047D722  8D45 F8          LEA EAX,DWORD PTR SS:
0047D725  E8 3E6DF8FF      CALL MagicPho.00404468
0047D72A  8D45 FC          LEA EAX,DWORD PTR SS:
0047D72D  50               PUSH EAX
0047D72E  B9 0A000000      MOV ECX,0A
0047D733  BA 01000000      MOV EDX,1
0047D738  8B45 FC          MOV EAX,DWORD PTR SS:                ; fake serial goes into EAX
0047D73B  E8 A071F8FF      CALL MagicPho.004048E0
0047D740  8D4D E8          LEA ECX,DWORD PTR SS:
0047D743  66:BA 0001       MOV DX,100
0047D747  8B45 FC          MOV EAX,DWORD PTR SS:
0047D74A  E8 1DFFFFFF      CALL MagicPho.0047D66C               ; compute a new string from the fake serial; the code reached with F7 is listed further below
0047D74F  8B55 E8          MOV EDX,DWORD PTR SS:
0047D752  8D45 FC          LEA EAX,DWORD PTR SS:
0047D755  E8 0E6DF8FF      CALL MagicPho.00404468
0047D75A  8D4D E4          LEA ECX,DWORD PTR SS:
0047D75D  33D2             XOR EDX,EDX
0047D75F  8B45 FC          MOV EAX,DWORD PTR SS:
0047D762  E8 D5FAFFFF      CALL MagicPho.0047D23C               ; reorder the processed fake serial with the same method as above to obtain S2
0047D767  8B55 E4          MOV EDX,DWORD PTR SS:
0047D76A  8D45 FC          LEA EAX,DWORD PTR SS:
0047D76D  E8 F66CF8FF      CALL MagicPho.00404468
0047D772  8D45 F4          LEA EAX,DWORD PTR SS:
0047D775  50               PUSH EAX
0047D776  B9 04000000      MOV ECX,4
0047D77B  BA 0A000000      MOV EDX,0A
0047D780  8B45 FC          MOV EAX,DWORD PTR SS:
0047D783  E8 5871F8FF      CALL MagicPho.004048E0
0047D788  8D45 F0          LEA EAX,DWORD PTR SS:
0047D78B  50               PUSH EAX
0047D78C  B9 06000000      MOV ECX,6
0047D791  BA 05000000      MOV EDX,5
0047D796  8B45 FC          MOV EAX,DWORD PTR SS:
0047D799  E8 4271F8FF      CALL MagicPho.004048E0
0047D79E  8D45 E0          LEA EAX,DWORD PTR SS:
0047D7A1  50               PUSH EAX
0047D7A2  B9 04000000      MOV ECX,4
0047D7A7  BA 01000000      MOV EDX,1
0047D7AC  8B45 F8          MOV EAX,DWORD PTR SS:
0047D7AF  E8 2C71F8FF      CALL MagicPho.004048E0
0047D7B4  8B55 E0          MOV EDX,DWORD PTR SS:                ; first four characters of S1 go into EDX
0047D7B7  8B45 F4          MOV EAX,DWORD PTR SS:                ; first four characters of S2 go into EAX
0047D7BA  E8 0572F8FF      CALL MagicPho.004049C4               ; compare whether the first four characters of S1 and S2 are the same
0047D7BF  85C0             TEST EAX,EAX
0047D7C1  7F 25            JG SHORT MagicPho.0047D7E8
0047D7C3  8D45 DC          LEA EAX,DWORD PTR SS:
0047D7C6  50               PUSH EAX
0047D7C7  B9 06000000      MOV ECX,6
0047D7CC  BA 05000000      MOV EDX,5
0047D7D1  8B45 F8          MOV EAX,DWORD PTR SS:
0047D7D4  E8 0771F8FF      CALL MagicPho.004048E0
0047D7D9  8B55 DC          MOV EDX,DWORD PTR SS:                ; remaining six characters of S1 go into EDX
0047D7DC  8B45 F0          MOV EAX,DWORD PTR SS:                ; remaining 5 characters of S2 go into EAX
0047D7DF  E8 E071F8FF      CALL MagicPho.004049C4               ; compare whether they are the same
0047D7E4  85C0             TEST EAX,EAX
0047D7E6  7E 04            JLE SHORT MagicPho.0047D7EC          ; if both comparisons above match, set 1, otherwise 0
0047D7E8  B3 01            MOV BL,1
0047D7EA  EB 02            JMP SHORT MagicPho.0047D7EE
0047D7EC  33DB             XOR EBX,EBX
0047D7EE  33C0             XOR EAX,EAX
0047D7F0  5A               POP EDX
0047D7F1  59               POP ECX
0047D7F2  59               POP ECX
0047D7F3  64:8910          MOV DWORD PTR FS:,EDX
0047D7F6  68 10D84700      PUSH MagicPho.0047D810
0047D7FB  8D45 DC          LEA EAX,DWORD PTR SS:
0047D7FE  BA 09000000      MOV EDX,9
0047D803  E8 EC6BF8FF      CALL MagicPho.004043F4
0047D808  C3               RETN
0047D809  ^ E9 EA65F8FF    JMP MagicPho.00403DF8
0047D80E  ^ EB EB          JMP SHORT MagicPho.0047D7FB
0047D810  8BC3             MOV EAX,EBX
0047D812  5B               POP EBX
0047D813  8BE5             MOV ESP,EBP
0047D815  5D               POP EBP
0047D816  C3               RETN
After stepping in with F7, we arrive here:
0047D66F  55               PUSH EBP
0047D670  83C4 F8          ADD ESP,-8
0047D673  8BF9             MOV EDI,ECX
0047D675  8BEA             MOV EBP,EDX
0047D677  890424           MOV DWORD PTR SS:,EAX
0047D67A  8BC7             MOV EAX,EDI
0047D67C  8B1424           MOV EDX,DWORD PTR SS:
0047D67F  E8 A06DF8FF      CALL MagicPho.00404424
0047D684  8BC7             MOV EAX,EDI
0047D686  E8 4D72F8FF      CALL MagicPho.004048D8
0047D68B  8B1424           MOV EDX,DWORD PTR SS:
0047D68E  8A12             MOV DL,BYTE PTR DS:                  ; each character of the fake serial goes into DL
0047D690  8810             MOV BYTE PTR DS:,DL
0047D692  8B0424           MOV EAX,DWORD PTR SS:
0047D695  E8 EE6FF8FF      CALL MagicPho.00404688               ; length of the fake serial goes into EAX
0047D69A  2C 02            SUB AL,2                             ; AL=AL-2
0047D69C  72 3A            JB SHORT MagicPho.0047D6D8
0047D69E  40               INC EAX
0047D69F  884424 04        MOV BYTE PTR SS:,AL
0047D6A3  B3 02            MOV BL,2
0047D6A5  8BC7             MOV EAX,EDI
0047D6A7  E8 2C72F8FF      CALL MagicPho.004048D8
0047D6AC  8BF3             MOV ESI,EBX
0047D6AE  81E6 FF000000    AND ESI,0FF                          ; keep only the low byte (last two hex digits)
0047D6B4  8B1424           MOV EDX,DWORD PTR SS:                ; fake serial goes into EDX
0047D6B7  8A5432 FF        MOV DL,BYTE PTR DS:                  ; each character of the fake serial goes into DL
0047D6BB  0FB7CD           MOVZX ECX,BP                         ; ECX=BP
0047D6BE  C1E9 08          SHR ECX,8                            ; shift ECX right by 8 bits
0047D6C1  32D1             XOR DL,CL                            ; DL=DL Xor CL
0047D6C3  885430 FF        MOV BYTE PTR DS:,DL
0047D6C7  8B07             MOV EAX,DWORD PTR DS:
0047D6C9  0FB64430 FF      MOVZX EAX,BYTE PTR DS:               ; each character of the fake serial goes into EAX
0047D6CE  66:03E8          ADD BP,AX                            ; BP=BP+AX
0047D6D1  43               INC EBX
0047D6D2  FE4C24 04        DEC BYTE PTR SS:
0047D6D6  ^ 75 CD          JNZ SHORT MagicPho.0047D6A5          ; leave the loop when the EBX counter reaches zero
0047D6D8  59               POP ECX
0047D6D9  5A               POP EDX
0047D6DA  5D               POP EBP
0047D6DB  5F               POP EDI
0047D6DC  5E               POP ESI
0047D6DD  5B               POP EBX
This is a loop that processes the first ten characters of the fake serial. It works like this:
starting from the second character, take each character in turn, XOR it with the running sum of the characters before it shifted right by 8 bits, and replace the character at that position with the result; carrying on this way gives the processed string.
There is no plaintext comparison here, but XOR is reversible, so it is easy to write an algorithmic keygen. The reordering is also the same on both sides, so in practice it does not need to be performed at all. Here is the algorithm for the first ten characters of the serial, which I wrote in VB:
Private Sub Command1_Click()
    ' Text1 holds the machine code; the first ten characters of the serial are written to Text2
    b = Text1.Text
    tmp = 256                          ' running sum, starts at 100h just like DX in the program
    c = Mid(b, 1, 1)                   ' the first character is left unchanged
    For i = 2 To Len(b)
        tmpp = Int(tmp \ 256)          ' running sum shifted right by 8 bits
        c = c & Chr(Asc(Mid(b, i, 1)) Xor tmpp)
        tmp = tmp + Asc(Mid(b, i, 1))  ' accumulate the target character, as the program does with its output byte
    Next i
    Text2.Text = c
End Sub
After a successful registration the serial is saved in magic.bin; search for the file and delete it to practice again.
That concludes the crack. The algorithm in this software has no plaintext comparison, which does make cracking harder, but the registration error message makes the algorithm easy to locate, and because the algorithm is both reversible and very simple, a keygen is easily written. This is the point that should be improved.
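As an added example that is not part of the original write-up, the following Python reconstructs what the analysis above describes: the transform at 0047D66C in the forward direction (as the program computes it on the entered serial), the fixed reordering, and the comparison made in 0047D6E0. It then demonstrates the property the conclusion relies on: since each XOR key depends only on bytes that are already known, the transform is a bijection and its inverse is the same loop with the roles of input and output swapped, which is exactly what the VB routine does. The reordering is assumed to be the fixed position permutation implied by the author's single example (0123456789 becomes 3902645718), the machine code used below is a constructed value, and the slicing in the comparison follows the author's reading of the listing rather than a re-trace of the binary.

```python
# Added example, not code from the original page or from Magic Photo Editor.
# Reconstruction of the serial check as described in the analysis above.

# Assumption: 0047D23C is a fixed position permutation; the indices are taken
# from the author's one example, "0123456789" -> "3902645718".
PERM = [3, 9, 0, 2, 6, 4, 5, 7, 1, 8]


def permute(s: str) -> str:
    """Reorder a 10-character string the way 0047D23C is described to."""
    return "".join(s[i] for i in PERM)


def transform(s: str, seed: int = 0x100) -> str:
    """Forward transform as the loop at 0047D6A5 computes it.

    The first character is copied unchanged.  Every later character is XORed
    with (running_sum >> 8); the *output* byte is then added to the 16-bit
    running sum held in BP, which starts at 100h (MOV DX,100 at 0047D743).
    """
    data = s.encode("latin-1")
    out = list(data[:1])
    total = seed
    for b in data[1:]:
        c = b ^ ((total >> 8) & 0xFF)   # MOVZX ECX,BP / SHR ECX,8 / XOR DL,CL
        out.append(c)
        total = (total + c) & 0xFFFF    # ADD BP,AX with the byte just written
    return bytes(out).decode("latin-1")


def invert(target: str, seed: int = 0x100) -> str:
    """Inverse of transform(): the same loop with the running sum fed from the
    target (output) bytes.  This is the loop the page's VB routine implements."""
    data = target.encode("latin-1")
    out = list(data[:1])
    total = seed
    for b in data[1:]:
        out.append(b ^ ((total >> 8) & 0xFF))
        total = (total + b) & 0xFFFF
    return bytes(out).decode("latin-1")


def check_serial(serial: str, machine_code: str) -> bool:
    """Validation as traced at 00483208 / 0047D6E0.

    The input is uppercased first (004084DC), must be 11 characters long
    (CMP EAX,0B), its 11th character must be 'U' (004047CC against "u"), and
    the reordered transform of its first ten characters must equal the
    reordered first ten characters of the machine code, compared as the
    author describes: first four characters, then the rest.
    """
    serial = serial.upper()
    if len(serial) != 11 or serial[10] != "U":
        return False
    s1 = permute(machine_code[:10])
    s2 = permute(transform(serial[:10]))
    return s1[:4] == s2[:4] and s1[4:10] == s2[4:10]


def roundtrip_holds(machine_code: str) -> bool:
    """The weakness in one line: transform(invert(m)) == m for every 10-character m."""
    return transform(invert(machine_code)) == machine_code


if __name__ == "__main__":
    machine = "0123456789"            # constructed sample machine code
    candidate = invert(machine) + "U"
    print("inverse of the transform:", repr(invert(machine)))
    print("check accepts the inverse:", check_serial(candidate, machine))
    print("check rejects the raw machine code:", check_serial(machine + "U", machine))
```

Running the block with the constructed machine code shows that the transform is reversible for any ten-character input, which is the whole of the closing remark: once the check is located, a reversible transform whose accepted value is reproducible on the client gives the generator away. A check that can verify without being able to generate, for instance a digital signature over the machine code verified with a public key embedded in the program, does not have that property.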