好友
阅读权限25
听众
最后登录1970-1-1
|
老万
发表于 2011-8-21 22:13
本帖最后由 老万 于 2011-8-21 22:14 编辑
【文章标题】: Easy File Protector 5.126注册算法分析
【文章作者】: 老万
【下载地址】: http://www.skycn.com/soft/16326.html
【使用工具】: OD PEID
【软件介绍】:Easy File Protector是一个密码保护安全工具,防止别人未经你的许可操作你的文件。你可以选择用户,设定文件/目录及时间段,激活程序。此后,你的系统自动根据当前用户和时间段来取消/激活设置的文件和目录。对文件/目录的保护方式有:禁止删除,禁止改名,禁止读取,禁止修改,禁止执行。你也可以利用通配符来保护有相同扩展名的文件。
【作者声明】: 只是感兴趣,没有其他目的。由于比较简单,大牛飘过。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】:
首先用PEID查壳:Borland Delphi 6.0 - 7.0
试注册,有提示“Registration key is not valid”
用OD载入,很容易就可以发现关键地方,字符串搜索,DEDE找按钮事件,断点什么的都可以。
这里不罗嗦了,直接入题
004A19BC /$ 55 push ebp
004A19BD |. 8BEC mov ebp,esp
004A19BF |. 83C4 F8 add esp,-0x8
004A19C2 |. 53 push ebx
004A19C3 |. 33D2 xor edx,edx
004A19C5 |. 8955 F8 mov [local.2],edx
004A19C8 |. 8945 FC mov [local.1],eax
004A19CB |. 8B45 FC mov eax,[local.1]
004A19CE |. E8 712DF6FF call EFP.00404744
004A19D3 |. 33C0 xor eax,eax
004A19D5 |. 55 push ebp
004A19D6 |. 68 641A4A00 push EFP.004A1A64
004A19DB |. 64:FF30 push dword ptr fs:[eax]
004A19DE |. 64:8920 mov dword ptr fs:[eax],esp
004A19E1 |. 33DB xor ebx,ebx
004A19E3 |. 8D55 F8 lea edx,[local.2]
004A19E6 |. 8B45 FC mov eax,[local.1]
004A19E9 |. E8 326AFEFF call EFP.00488420
004A19EE |. 8B55 F8 mov edx,[local.2]
004A19F1 |. 8D45 FC lea eax,[local.1]
004A19F4 |. E8 3329F6FF call EFP.0040432C
004A19F9 |. 8B45 FC mov eax,[local.1]
004A19FC |. E8 6BFAFEFF call EFP.0049146C ; 关键CALL,F7进入
004A1A01 |. 84C0 test al,al
004A1A03 |. 74 21 je short EFP.004A1A26 ; 关键跳
004A1A05 |. 8B45 FC mov eax,[local.1]
004A1A08 |. E8 B383FFFF call EFP.00499DC0
004A1A0D |. 6A 00 push 0x0
004A1A0F |. 66:8B0D 741A4>mov cx,word ptr ds:[0x4A1A74]
004A1A16 |. B2 02 mov dl,0x2
004A1A18 |. B8 801A4A00 mov eax,EFP.004A1A80 ; Registration key is ok
004A1A1D |. E8 9A06F9FF call EFP.004320BC
004A1A22 |. B3 01 mov bl,0x1
004A1A24 |. EB 23 jmp short EFP.004A1A49
004A1A26 |> 6A 00 push 0x0
004A1A28 |. 66:8B0D 741A4>mov cx,word ptr ds:[0x4A1A74]
004A1A2F |. B2 01 mov dl,0x1
004A1A31 |. B8 A01A4A00 mov eax,EFP.004A1AA0 ; Registration key is not valid
004A1A36 |. E8 8106F9FF call EFP.004320BC
F7进入004A19FC call EFP.0049146C
0049146C /$ 55 push ebp
0049146D |. 8BEC mov ebp,esp
0049146F |. 33C9 xor ecx,ecx
00491471 |. 51 push ecx
00491472 |. 51 push ecx
00491473 |. 51 push ecx
00491474 |. 51 push ecx
00491475 |. 51 push ecx
00491476 |. 51 push ecx
00491477 |. 51 push ecx
00491478 |. 53 push ebx
00491479 |. 56 push esi
0049147A |. 57 push edi
0049147B |. 8945 FC mov [local.1],eax
0049147E |. 8B45 FC mov eax,[local.1]
00491481 |. E8 BE32F7FF call EFP.00404744
00491486 |. 33C0 xor eax,eax
00491488 |. 55 push ebp
00491489 |. 68 B0154900 push EFP.004915B0
0049148E |. 64:FF30 push dword ptr fs:[eax]
00491491 |. 64:8920 mov dword ptr fs:[eax],esp
00491494 |. 33DB xor ebx,ebx
00491496 |. 8D55 EC lea edx,[local.5]
00491499 |. 8B45 FC mov eax,[local.1]
0049149C |. E8 7F6FFFFF call EFP.00488420
004914A1 |. 8B55 EC mov edx,[local.5]
004914A4 |. 8D45 FC lea eax,[local.1]
004914A7 |. E8 802EF7FF call EFP.0040432C
004914AC |. 8B45 FC mov eax,[local.1]
004914AF |. E8 A030F7FF call EFP.00404554
004914B4 |. 83F8 10 cmp eax,0x10 ; 判断注册码是否16位
004914B7 |. 0F85 D0000000 jnz EFP.0049158D
004914BD |. E8 86F6FFFF call EFP.00490B48
004914C2 |. 8D45 E8 lea eax,[local.6]
004914C5 |. 50 push eax
004914C6 |. B9 08000000 mov ecx,0x8
004914CB |. BA 01000000 mov edx,0x1
004914D0 |. 8B45 FC mov eax,[local.1]
004914D3 |. E8 DC32F7FF call EFP.004047B4 ; 从第1位开始取注册码前8位
004914D8 |. 8B4D E8 mov ecx,[local.6]
004914DB |. 8D45 F4 lea eax,[local.3]
004914DE |. BA C8154900 mov edx,EFP.004915C8 ; $
004914E3 |. E8 B830F7FF call EFP.004045A0
004914E8 |. 8D45 E4 lea eax,[local.7]
004914EB |. 50 push eax
004914EC |. B9 08000000 mov ecx,0x8
004914F1 |. BA 09000000 mov edx,0x9
004914F6 |. 8B45 FC mov eax,[local.1]
004914F9 |. E8 B632F7FF call EFP.004047B4 ; 从第9位开始取注册码8位
004914FE |. 8B4D E4 mov ecx,[local.7]
00491501 |. 8D45 F0 lea eax,[local.4]
00491504 |. BA C8154900 mov edx,EFP.004915C8 ; $
00491509 |. E8 9230F7FF call EFP.004045A0
0049150E |. 8D55 F8 lea edx,[local.2]
00491511 |. 8B45 F4 mov eax,[local.3]
00491514 |. E8 C719F7FF call EFP.00402EE0 ; 判断注册码是否由0至9的数字和A到F的字母组成
00491519 |. 837D F8 00 cmp [local.2],0x0
0049151D |. 75 6E jnz short EFP.0049158D
0049151F |. 8D55 F8 lea edx,[local.2]
00491522 |. 8B45 F0 mov eax,[local.4]
00491525 |. E8 B619F7FF call EFP.00402EE0
0049152A |. 837D F8 00 cmp [local.2],0x0
0049152E |. 75 5D jnz short EFP.0049158D
00491530 |. BE 01000000 mov esi,0x1
00491535 |> 33C0 /xor eax,eax
00491537 |. 8945 F8 |mov [local.2],eax
0049153A |. 8B45 FC |mov eax,[local.1]
0049153D |. E8 1230F7FF |call EFP.00404554
00491542 |. 85C0 |test eax,eax
00491544 |. 7E 1E |jle short EFP.00491564
00491546 |. BA 01000000 |mov edx,0x1
0049154B |> B9 D4154900 |/mov ecx,EFP.004915D4 ; 0123456789ABCD胪
00491550 |. 8A4C31 FF ||mov cl,byte ptr ds:[ecx+esi-0x1]
00491554 |. 8B7D FC ||mov edi,[local.1]
00491557 |. 3A4C17 FF ||cmp cl,byte ptr ds:[edi+edx-0x1]
0049155B |. 75 03 ||jnz short EFP.00491560
0049155D |. FF45 F8 ||inc [local.2]
00491560 |> 42 ||inc edx
00491561 |. 48 ||dec eax
00491562 |.^ 75 E7 |\jnz short EFP.0049154B
00491564 |> 837D F8 05 |cmp [local.2],0x5
00491568 |. 7E 09 |jle short EFP.00491573
0049156A |. C745 F8 FFFFF>|mov [local.2],-0x1
00491571 |. EB 06 |jmp short EFP.00491579
00491573 |> 46 |inc esi
00491574 |. 83FE 11 |cmp esi,0x11
00491577 |.^ 75 BC \jnz short EFP.00491535 ; 判断组成注册码的同一数字或字母个数不能超过5
00491579 |> 837D F8 00 cmp [local.2],0x0
0049157D |. 7C 0E jl short EFP.0049158D ; 如果小于就出错
0049157F |. 8B45 FC mov eax,[local.1]
00491582 |. E8 19FDFFFF call EFP.004912A0 ; 算法CALL,F7进入
00491587 |. 84C0 test al,al
00491589 |. 74 02 je short EFP.0049158D
0049158B |. B3 01 mov bl,0x1
0049158D 33C0 xor eax,eax ; 此处可爆破,改为:mov bl,1
0049158F |. 5A pop edx
00491590 |. 59 pop ecx
F7进入00491582 call EFP.004912A0
004912A0 /$ 55 push ebp
004912A1 |. 8BEC mov ebp,esp
004912A3 |. B9 08000000 mov ecx,0x8
004912A8 |> 6A 00 /push 0x0
004912AA |. 6A 00 |push 0x0
004912AC |. 49 |dec ecx
004912AD |.^ 75 F9 \jnz short EFP.004912A8
004912AF |. 53 push ebx
004912B0 |. 56 push esi
004912B1 |. 57 push edi
004912B2 |. 8BF0 mov esi,eax
004912B4 |. 33C0 xor eax,eax
004912B6 |. 55 push ebp
004912B7 |. 68 5B144900 push EFP.0049145B
004912BC |. 64:FF30 push dword ptr fs:[eax]
004912BF |. 64:8920 mov dword ptr fs:[eax],esp
004912C2 |. 33DB xor ebx,ebx
004912C4 |. 8D45 FC lea eax,[local.1]
004912C7 |. 8A16 mov dl,byte ptr ds:[esi] ; 注册码第1位
004912C9 |. E8 AE31F7FF call EFP.0040447C
004912CE |. 8B45 FC mov eax,[local.1]
004912D1 |. E8 4AFFFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
004912D6 |. 8BF8 mov edi,eax
004912D8 |. 8D45 F8 lea eax,[local.2]
004912DB |. 8A56 01 mov dl,byte ptr ds:[esi+0x1] ; 注册码第2位
004912DE |. E8 9931F7FF call EFP.0040447C
004912E3 |. 8B45 F8 mov eax,[local.2]
004912E6 |. E8 35FFFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
004912EB |. 03F8 add edi,eax
004912ED |. 8D45 F4 lea eax,[local.3]
004912F0 |. 8A56 02 mov dl,byte ptr ds:[esi+0x2] ; 注册码第3位
004912F3 |. E8 8431F7FF call EFP.0040447C
004912F8 |. 8B45 F4 mov eax,[local.3]
004912FB |. E8 20FFFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
00491300 |. 03F8 add edi,eax
00491302 |. 8D45 F0 lea eax,[local.4]
00491305 |. 8A56 03 mov dl,byte ptr ds:[esi+0x3] ; 注册码第4位
00491308 |. E8 6F31F7FF call EFP.0040447C
0049130D |. 8B45 F0 mov eax,[local.4]
00491310 |. E8 0BFFFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
00491315 |. 03F8 add edi,eax ; 取商的和
00491317 |. A1 A4464A00 mov eax,dword ptr ds:[0x4A46A4] ; phJ
0049131C |. 3B38 cmp edi,dword ptr ds:[eax] ; 和与8比较
0049131E |. 0F85 1C010000 jnz EFP.00491440
00491324 |. 8D45 EC lea eax,[local.5]
00491327 |. 8A56 04 mov dl,byte ptr ds:[esi+0x4] ; 注册码第5位
0049132A |. E8 4D31F7FF call EFP.0040447C
0049132F |. 8B45 EC mov eax,[local.5]
00491332 |. E8 E9FEFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
00491337 |. 8BF8 mov edi,eax
00491339 |. 8D45 E8 lea eax,[local.6]
0049133C |. 8A56 07 mov dl,byte ptr ds:[esi+0x7] ; 注册码第8位
0049133F |. E8 3831F7FF call EFP.0040447C
00491344 |. 8B45 E8 mov eax,[local.6]
00491347 |. E8 D4FEFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
0049134C |. 03F8 add edi,eax
0049134E |. 8D45 E4 lea eax,[local.7]
00491351 |. 8A56 0A mov dl,byte ptr ds:[esi+0xA] ; 注册码第11位
00491354 |. E8 2331F7FF call EFP.0040447C
00491359 |. 8B45 E4 mov eax,[local.7]
0049135C |. E8 BFFEFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
00491361 |. 03F8 add edi,eax
00491363 |. 8D45 E0 lea eax,[local.8]
00491366 |. 8A56 0D mov dl,byte ptr ds:[esi+0xD] ; 注册码第14位
00491369 |. E8 0E31F7FF call EFP.0040447C
0049136E |. 8B45 E0 mov eax,[local.8]
00491371 |. E8 AAFEFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
00491376 |. 03F8 add edi,eax
00491378 |. A1 D8464A00 mov eax,dword ptr ds:[0x4A46D8] ; thJ
0049137D |. 3B38 cmp edi,dword ptr ds:[eax] ; 和与8比较
0049137F |. 0F85 BB000000 jnz EFP.00491440
00491385 |. 8D45 DC lea eax,[local.9]
00491388 |. 8A16 mov dl,byte ptr ds:[esi] ; 注册码第1位
0049138A |. E8 ED30F7FF call EFP.0040447C
0049138F |. 8B45 DC mov eax,[local.9]
00491392 |. E8 89FEFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
00491397 |. 8BF8 mov edi,eax
00491399 |. 8D45 D8 lea eax,[local.10]
0049139C |. 8A56 01 mov dl,byte ptr ds:[esi+0x1] ; 注册码第2位
0049139F |. E8 D830F7FF call EFP.0040447C
004913A4 |. 8B45 D8 mov eax,[local.10]
004913A7 |. E8 74FEFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
004913AC |. 03F8 add edi,eax
004913AE |. 8D45 D4 lea eax,[local.11]
004913B1 |. 8A56 02 mov dl,byte ptr ds:[esi+0x2] ; 注册码第3位
004913B4 |. E8 C330F7FF call EFP.0040447C
004913B9 |. 8B45 D4 mov eax,[local.11]
004913BC |. E8 5FFEFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
004913C1 |. 03F8 add edi,eax
004913C3 |. 8D45 D0 lea eax,[local.12]
004913C6 |. 8A56 03 mov dl,byte ptr ds:[esi+0x3] ; 注册码第4位
004913C9 |. E8 AE30F7FF call EFP.0040447C
004913CE |. 8B45 D0 mov eax,[local.12]
004913D1 |. E8 4AFEFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
004913D6 |. 03F8 add edi,eax
004913D8 |. A1 A4464A00 mov eax,dword ptr ds:[0x4A46A4] ; phJ
004913DD |. 3B38 cmp edi,dword ptr ds:[eax] ; 和与8比较
004913DF |. 75 5F jnz short EFP.00491440
004913E1 |. 8D45 CC lea eax,[local.13]
004913E4 |. 8A56 06 mov dl,byte ptr ds:[esi+0x6] ; 注册码第7位
004913E7 |. E8 9030F7FF call EFP.0040447C
004913EC |. 8B45 CC mov eax,[local.13]
004913EF |. E8 2CFEFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
004913F4 |. 8BF8 mov edi,eax
004913F6 |. 8D45 C8 lea eax,[local.14]
004913F9 |. 8A56 09 mov dl,byte ptr ds:[esi+0x9] ; 注册码第10位
004913FC |. E8 7B30F7FF call EFP.0040447C
00491401 |. 8B45 C8 mov eax,[local.14]
00491404 |. E8 17FEFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
00491409 |. 03F8 add edi,eax
0049140B |. 8D45 C4 lea eax,[local.15]
0049140E |. 8A56 0C mov dl,byte ptr ds:[esi+0xC] ; 注册码第13位
00491411 |. E8 6630F7FF call EFP.0040447C
00491416 |. 8B45 C4 mov eax,[local.15]
00491419 |. E8 02FEFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
0049141E |. 03F8 add edi,eax
00491420 |. 8D45 C0 lea eax,[local.16]
00491423 |. 8A56 0F mov dl,byte ptr ds:[esi+0xF] ; 注册码第16位
00491426 |. E8 5130F7FF call EFP.0040447C
0049142B |. 8B45 C0 mov eax,[local.16]
0049142E |. E8 EDFDFFFF call EFP.00491220 ; 注册码除以4,商存入EAX
00491433 |. 03F8 add edi,eax
00491435 |. A1 D0434A00 mov eax,dword ptr ds:[0x4A43D0] ; xhJ
0049143A |. 3B38 cmp edi,dword ptr ds:[eax] ; 和与8比较
0049143C |. 75 02 jnz short EFP.00491440
0049143E |. B3 01 mov bl,0x1
00491440 |> 33C0 xor eax,eax ; 此处也可爆破:mov bl,1
00491442 |. 5A pop edx
00491443 |. 59 pop ecx
算法分析:
1.注册码必须是由0到9的数字和a到f的字母组成(大小写不限),并且每个字母或数字在注册码中出现的次数小于5次。
2.注册码必须符合以下条件:
a.注册码第1位除以4的商+注册码第2位除以4的商+注册码第3位除以4的商+注册码第4位除以4的商=8
b.注册码第5位除以4的商+注册码第8位除以4的商+注册码第11位除以4的商+注册码第14位除以4的商=8
c.注册码第7位除以4的商+注册码第10位除以4的商+注册码第13位除以4的商+注册码第16位除以4的商=8
根据以上条件,我推算出2组注册码:45cd919a2ba38819 和55dc828a3ab19928
..........................................................................................................................................................................................................................
【版权声明】: 本文原创于52pojie技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
|
|
|
发表于 2011-8-24 20:36
