[Title]: Analysis of the 52 Final Edition CrackMe (CM) algorithm
[Author]: missviola[LCG]
[Download]: http://www.52pojie.cn/thread-14018-1-1.html
[Protection]: serial number
[Tools]: PEID OD
[Author's statement]: Just out of interest, no other purpose. If I have made mistakes, corrections from the experts are welcome!
--------------------------------------------------------------------------------
[Detailed process]
PEID identifies the compiler as Borland Delphi 6.0 - 7.0. Load it in OD and set a breakpoint at 45E2EC. Machine code: WD-WXE807415814, serial entered:
12345678abcdefgh. The analysis follows:
0045E2EC |. 55 push ebp
0045E2ED |. 68 24E74500 push <->System.@HandleFinally;>
0045E2F2 |. 64:FF30 push dword ptr fs:[eax]
0045E2F5 |. 64:8920 mov dword ptr fs:[eax], esp
0045E2F8 |. FF35 2CA04600 push dword ptr [46A02C]
0045E2FE |. FF35 28A04600 push dword ptr [46A028]
0045E304 |. 8D55 F8 lea edx, dword ptr [ebp-8]
0045E307 |. B8 3CE74500 mov eax, 0045E73C ; nn
0045E30C |. E8 FBC0FAFF call 0040A40C ; get minutes
0045E311 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0045E314 |. 50 push eax
0045E315 |. FF35 2CA04600 push dword ptr [46A02C]
0045E31B |. FF35 28A04600 push dword ptr [46A028]
0045E321 |. 8D55 F4 lea edx, dword ptr [ebp-C]
0045E324 |. B8 48E74500 mov eax, 0045E748 ; hh
0045E329 |. E8 DEC0FAFF call 0040A40C ; get hours
0045E32E |. 8B55 F4 mov edx, dword ptr [ebp-C]
0045E331 |. 8D45 FC lea eax, dword ptr [ebp-4]
0045E334 |. 59 pop ecx
0045E335 >|. E8 5A5EFAFF call 00404194 ; ->System.@LStrCat3;
0045E33A |. 833D 24A04600>cmp dword ptr [46A024], 3
0045E341 |. 7C 0C jl short 0045E34F
0045E343 |. 8BC3 mov eax, ebx
0045E345 >|. E8 EA25FFFF call 00450934 ; ->Forms.TCustomForm.Close(TCustomForm);
0045E34A |. E9 E7020000 jmp 0045E636
0045E34F |> 8D55 E0 lea edx, dword ptr [ebp-20]
0045E352 |. A1 20A04600 mov eax, dword ptr [46A020]
0045E357 >|. 8B80 F8020000 mov eax, dword ptr [eax+2F8] ; *Edit1:TEdit
0045E35D >|. E8 9665FDFF call 004348F8 ; read the machine code
0045E362 |. 8B45 E0 mov eax, dword ptr [ebp-20]
0045E365 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
0045E368 |. E8 0FFFFFFF call 0045E27C ; MD5 computation
0045E36D |. 8B45 E4 mov eax, dword ptr [ebp-1C]
0045E370 |. 8D4D E8 lea ecx, dword ptr [ebp-18]
0045E373 |. BA 04000000 mov edx, 4
0045E378 >|. E8 9FAEFCFF call 0042921C ; take the leftmost 4 chars of the MD5 result
0045E37D |. 8B45 E8 mov eax, dword ptr [ebp-18]
0045E380 |. 8D55 EC lea edx, dword ptr [ebp-14]
0045E383 |. E8 B8F0FFFF call 0045D440 ; follow this call
Follow the call at 45D440 and take a look:
0045D440 /$ 55 push ebp
0045D441 |. 8BEC mov ebp, esp
0045D443 |. 83C4 F8 add esp, -8
0045D446 |. 56 push esi
0045D447 |. 8955 F8 mov dword ptr [ebp-8], edx
0045D44A |. 8945 FC mov dword ptr [ebp-4], eax
0045D44D |. 8B45 FC mov eax, dword ptr [ebp-4]
0045D450 |. E8 E36EFAFF call 00404338
0045D455 |. 33C0 xor eax, eax
0045D457 |. 55 push ebp
0045D458 |. 68 A9D44500 push 0045D4A9
0045D45D |. 64:FF30 push dword ptr fs:[eax]
0045D460 |. 64:8920 mov dword ptr fs:[eax], esp
0045D463 |. 8B45 FC mov eax, dword ptr [ebp-4]
0045D466 |. E8 DD6CFAFF call 00404148 ; get string length
0045D46B |. 85C0 test eax, eax
0045D46D |. 7E 16 jle short 0045D485
0045D46F |. B9 01000000 mov ecx, 1
0045D474 |> 8B55 FC /mov edx, dword ptr [ebp-4]
0045D477 |. 0FB6540A FF |movzx edx, byte ptr [edx+ecx-1] ; take the ASCII value of each of the 4 hash chars in turn
0045D47C |. C1E2 07 |shl edx, 7 ; shift left by 7
0045D47F |. 03F2 |add esi, edx ; accumulate
0045D481 |. 41 |inc ecx
0045D482 |. 48 |dec eax
0045D483 |.^ 75 EF \jnz short 0045D474
0045D485 |> 8BC6 mov eax, esi
0045D487 |. 33D2 xor edx, edx
0045D489 |. 52 push edx
0045D48A |. 50 push eax
0045D48B |. 8B45 F8 mov eax, dword ptr [ebp-8]
0045D48E |. E8 A9AAFAFF call 00407F3C ; convert to a decimal string
0045D493 |. 33C0 xor eax, eax
0045D495 |. 5A pop edx
0045D496 |. 59 pop ecx
0045D497 |. 59 pop ecx
0045D498 |. 64:8910 mov dword ptr fs:[eax], edx
0045D49B |. 68 B0D44500 push 0045D4B0
0045D4A0 |> 8D45 FC lea eax, dword ptr [ebp-4]
0045D4A3 |. E8 E069FAFF call 00403E88
0045D4A8 \. C3 retn
0045D4A9 .^ E9 DE63FAFF jmp 0040388C
0045D4AE .^ EB F0 jmp short 0045D4A0
0045D4B0 . 5E pop esi
0045D4B1 . 59 pop ecx
0045D4B2 . 59 pop ecx
0045D4B3 . 5D pop ebp
0045D4B4 . C3 retn
0045E388 |. 8B45 EC mov eax, dword ptr [ebp-14]
0045E38B |. 8D55 F0 lea edx, dword ptr [ebp-10]
0045E38E |. E8 ADF0FFFF call 0045D440
0045E393 |. 8B45 F0 mov eax, dword ptr [ebp-10]
0045E396 |. 50 push eax
0045E397 |. 8D55 D0 lea edx, dword ptr [ebp-30]
0045E39A >|. 8B83 FC020000 mov eax, dword ptr [ebx+2FC] ; *Edit2:TEdit
0045E3A0 >|. E8 5365FDFF call 004348F8 ; ->Controls.TControl.GetText(TControl):TCaption;
0045E3A5 |. 8B45 D0 mov eax, dword ptr [ebp-30]
0045E3A8 |. 8D4D D4 lea ecx, dword ptr [ebp-2C]
0045E3AB |. BA 04000000 mov edx, 4
0045E3B0 >|. E8 67AEFCFF call 0042921C ; take 4 chars of the serial
0045E3B5 |. 8B45 D4 mov eax, dword ptr [ebp-2C]
0045E3B8 |. 8D55 D8 lea edx, dword ptr [ebp-28]
0045E3BB |. E8 80F0FFFF call 0045D440
0045E3C0 |. 8B45 D8 mov eax, dword ptr [ebp-28]
0045E3C3 |. 8D55 DC lea edx, dword ptr [ebp-24]
0045E3C6 |. E8 75F0FFFF call 0045D440
0045E3CB |. 8B55 DC mov edx, dword ptr [ebp-24]
0045E3CE |. 58 pop eax
0045E3CF >|. E8 C05EFAFF call 00404294 ; compare
0045E3D4 0F85 5C020000 jnz 0045E636
0045E3DA |. 8D45 C8 lea eax, dword ptr [ebp-38]
0045E3DD |. 50 push eax
0045E3DE |. 8D55 C0 lea edx, dword ptr [ebp-40]
0045E3E1 |. A1 20A04600 mov eax, dword ptr [46A020]
0045E3E6 >|. 8B80 F8020000 mov eax, dword ptr [eax+2F8] ; *Edit1:TEdit
0045E3EC >|. E8 0765FDFF call 004348F8 ; ->Controls.TControl.GetText(TControl):TCaption;
0045E3F1 |. 8B45 C0 mov eax, dword ptr [ebp-40]
0045E3F4 |. 8D55 C4 lea edx, dword ptr [ebp-3C]
0045E3F7 |. E8 80FEFFFF call 0045E27C ; MD5 computation
0045E3FC |. 8B45 C4 mov eax, dword ptr [ebp-3C]
0045E3FF |. B9 04000000 mov ecx, 4
0045E404 |. BA 06000000 mov edx, 6
0045E409 >|. E8 7EAEFCFF call 0042928C ; take 4 chars of the MD5 result starting at char 6
0045E40E |. 8B45 C8 mov eax, dword ptr [ebp-38]
0045E411 |. 8D55 CC lea edx, dword ptr [ebp-34]
0045E414 |. E8 27F0FFFF call 0045D440
0045E419 |. 8B45 CC mov eax, dword ptr [ebp-34]
0045E41C |. 50 push eax
0045E41D |. 8D45 B8 lea eax, dword ptr [ebp-48]
0045E420 |. 50 push eax
0045E421 |. 8D55 B4 lea edx, dword ptr [ebp-4C]
0045E424 >|. 8B83 FC020000 mov eax, dword ptr [ebx+2FC] ; *Edit2:TEdit
0045E42A >|. E8 C964FDFF call 004348F8 ; ->Controls.TControl.GetText(TControl):TCaption;
0045E42F |. 8B45 B4 mov eax, dword ptr [ebp-4C]
0045E432 |. B9 04000000 mov ecx, 4
0045E437 |. BA 06000000 mov edx, 6
0045E43C >|. E8 4BAEFCFF call 0042928C ; take 4 chars of the fake serial starting at char 6
0045E441 |. 8B45 B8 mov eax, dword ptr [ebp-48]
0045E444 |. 8D55 BC lea edx, dword ptr [ebp-44]
0045E447 |. E8 F4EFFFFF call 0045D440
0045E44C |. 8B55 BC mov edx, dword ptr [ebp-44]
0045E44F |. 58 pop eax
0045E450 >|. E8 3F5EFAFF call 00404294 ; compare
0045E455 0F85 DB010000 jnz 0045E636
0045E45B |. 8D45 AC lea eax, dword ptr [ebp-54]
0045E45E |. 50 push eax
0045E45F |. B9 04000000 mov ecx, 4
0045E464 |. BA 04000000 mov edx, 4
0045E469 |. B8 54E74500 mov eax, 0045E754 ; chinapyg
0045E46E >|. E8 19AEFCFF call 0042928C ; take 4 chars of ChinaPYG starting at char 4
0045E473 |. 8B45 AC mov eax, dword ptr [ebp-54]
0045E476 |. 8D55 B0 lea edx, dword ptr [ebp-50]
0045E479 |. E8 C2EFFFFF call 0045D440
0045E47E |. 8B45 B0 mov eax, dword ptr [ebp-50]
0045E481 |. 50 push eax
0045E482 |. 8D45 A4 lea eax, dword ptr [ebp-5C]
0045E485 |. 50 push eax
0045E486 |. 8D55 A0 lea edx, dword ptr [ebp-60]
0045E489 >|. 8B83 FC020000 mov eax, dword ptr [ebx+2FC] ; *Edit2:TEdit
0045E48F >|. E8 6464FDFF call 004348F8 ; ->Controls.TControl.GetText(TControl):TCaption;
0045E494 |. 8B45 A0 mov eax, dword ptr [ebp-60]
0045E497 |. B9 04000000 mov ecx, 4
0045E49C |. BA 0B000000 mov edx, 0B
0045E4A1 >|. E8 E6ADFCFF call 0042928C ; take 4 chars of the fake serial starting at char 11
0045E4A6 |. 8B45 A4 mov eax, dword ptr [ebp-5C]
0045E4A9 |. 8D55 A8 lea edx, dword ptr [ebp-58]
0045E4AC |. E8 8FEFFFFF call 0045D440
0045E4B1 |. 8B55 A8 mov edx, dword ptr [ebp-58]
0045E4B4 |. 58 pop eax
0045E4B5 >|. E8 DA5DFAFF call 00404294 ; compare
0045E4BA 0F85 76010000 jnz 0045E636
0045E4C0 |. 8D55 9C lea edx, dword ptr [ebp-64] ; system time captured when the cracking session started
0045E4C3 |. 8B45 FC mov eax, dword ptr [ebp-4]
0045E4C6 |. E8 75EFFFFF call 0045D440
0045E4CB |. 8B45 9C mov eax, dword ptr [ebp-64]
0045E4CE |. 50 push eax
0045E4CF |. 8D45 94 lea eax, dword ptr [ebp-6C]
0045E4D2 |. 50 push eax
0045E4D3 |. 8D55 90 lea edx, dword ptr [ebp-70]
0045E4D6 >|. 8B83 FC020000 mov eax, dword ptr [ebx+2FC] ; *Edit2:TEdit
0045E4DC >|. E8 1764FDFF call 004348F8 ; ->Controls.TControl.GetText(TControl):TCaption;
0045E4E1 |. 8B45 90 mov eax, dword ptr [ebp-70]
0045E4E4 |. B9 04000000 mov ecx, 4
0045E4E9 |. BA 10000000 mov edx, 10
0045E4EE >|. E8 99ADFCFF call 0042928C ; take 4 chars of the serial starting at char 16
0045E4F3 |. 8B45 94 mov eax, dword ptr [ebp-6C]
0045E4F6 |. 8D55 98 lea edx, dword ptr [ebp-68]
0045E4F9 |. E8 42EFFFFF call 0045D440
0045E4FE |. 8B55 98 mov edx, dword ptr [ebp-68]
0045E501 |. 58 pop eax
0045E502 >|. E8 8D5DFAFF call 00404294 ; compare
0045E507 0F85 29010000 jnz 0045E636
0045E50D |. 8D45 8C lea eax, dword ptr [ebp-74]
0045E510 |. 50 push eax
0045E511 |. 8D55 88 lea edx, dword ptr [ebp-78]
0045E514 >|. 8B83 FC020000 mov eax, dword ptr [ebx+2FC] ; *Edit2:TEdit
0045E51A >|. E8 D963FDFF call 004348F8 ; ->Controls.TControl.GetText(TControl):TCaption;
0045E51F |. 8B45 88 mov eax, dword ptr [ebp-78]
0045E522 |. B9 01000000 mov ecx, 1
0045E527 |. BA 05000000 mov edx, 5
0045E52C >|. E8 5BADFCFF call 0042928C ; take char 5 of the serial
0045E531 |. 8B45 8C mov eax, dword ptr [ebp-74]
0045E534 |. 50 push eax
0045E535 |. 8D45 84 lea eax, dword ptr [ebp-7C]
0045E538 |. 50 push eax
0045E539 |. 8D55 80 lea edx, dword ptr [ebp-80]
0045E53C >|. 8B83 FC020000 mov eax, dword ptr [ebx+2FC] ; *Edit2:TEdit
0045E542 >|. E8 B163FDFF call 004348F8 ; ->Controls.TControl.GetText(TControl):TCaption;
0045E547 |. 8B45 80 mov eax, dword ptr [ebp-80]
0045E54A |. B9 01000000 mov ecx, 1
0045E54F |. BA 0A000000 mov edx, 0A
0045E554 >|. E8 33ADFCFF call 0042928C ; take char 10 of the serial
0045E559 |. 8B55 84 mov edx, dword ptr [ebp-7C]
0045E55C |. 58 pop eax
0045E55D >|. E8 325DFAFF call 00404294 ; the two must be equal
0045E562 0F85 C8000000 jnz 0045E630
0045E568 |. 8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
0045E56E |. 50 push eax
0045E56F |. 8D95 78FFFFFF lea edx, dword ptr [ebp-88]
0045E575 >|. 8B83 FC020000 mov eax, dword ptr [ebx+2FC] ; *Edit2:TEdit
0045E57B >|. E8 7863FDFF call 004348F8 ; ->Controls.TControl.GetText(TControl):TCaption;
0045E580 |. 8B85 78FFFFFF mov eax, dword ptr [ebp-88]
0045E586 |. B9 01000000 mov ecx, 1
0045E58B |. BA 0A000000 mov edx, 0A
0045E590 >|. E8 F7ACFCFF call 0042928C ; take char 10 of the serial
0045E595 |. 8B85 7CFFFFFF mov eax, dword ptr [ebp-84]
0045E59B |. 50 push eax
0045E59C |. 8D85 74FFFFFF lea eax, dword ptr [ebp-8C]
0045E5A2 |. 50 push eax
0045E5A3 |. 8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0045E5A9 >|. 8B83 FC020000 mov eax, dword ptr [ebx+2FC] ; *Edit2:TEdit
0045E5AF >|. E8 4463FDFF call 004348F8 ; ->Controls.TControl.GetText(TControl):TCaption;
0045E5B4 |. 8B85 70FFFFFF mov eax, dword ptr [ebp-90]
0045E5BA |. B9 01000000 mov ecx, 1
0045E5BF |. BA 0F000000 mov edx, 0F
0045E5C4 >|. E8 C3ACFCFF call 0042928C ; take char 15 of the serial
0045E5C9 |. 8B95 74FFFFFF mov edx, dword ptr [ebp-8C]
0045E5CF |. 58 pop eax
0045E5D0 >|. E8 BF5CFAFF call 00404294 ; the two must be equal
0045E5D5 75 59 jnz short 0045E630
0045E5D7 |. 8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
0045E5DD |. 50 push eax
0045E5DE |. 8D95 68FFFFFF lea edx, dword ptr [ebp-98]
0045E5E4 >|. 8B83 FC020000 mov eax, dword ptr [ebx+2FC] ; *Edit2:TEdit
0045E5EA >|. E8 0963FDFF call 004348F8 ; ->Controls.TControl.GetText(TControl):TCaption;
0045E5EF |. 8B85 68FFFFFF mov eax, dword ptr [ebp-98]
0045E5F5 |. B9 01000000 mov ecx, 1
0045E5FA |. BA 0F000000 mov edx, 0F
0045E5FF >|. E8 88ACFCFF call 0042928C ; take char 15 of the serial
0045E604 |. 8B85 6CFFFFFF mov eax, dword ptr [ebp-94]
0045E60A |. BA 68E74500 mov edx, 0045E768 ; -
0045E60F >|. E8 805CFAFF call 00404294 ; char 15 must be '-', i.e. chars 5, 10 and 15 must all be '-'
0045E614 75 1A jnz short 0045E630
0045E616 >|. E8 8DB1FAFF call 004097A8 ; ->SysUtils.Now:TDateTime; get the current system time
Summing up the algorithm at this point:
1. Take the machine code and compute its MD5.
2. The serial has 4 segments: the first two are taken from the MD5 hash, the 3rd is fixed as naPY, and the 4th is the system time (HHMM) at the moment you started cracking.
3. The 4 segments are joined with '-' to form the final serial.
Finally, here is the keygen source written in Python:
import hashlib   # provides MD5; the old Python 2 md5 module no longer exists
import time

# machine code shown in Edit1 of the CrackMe
regcode = input('please input your machine code:')
# MD5 of the machine code as a hex string (the routine at 0045E27C)
reghash = hashlib.md5(regcode.encode()).hexdigest()
szhash1 = reghash[0:4]   # leftmost 4 chars of the hash
szhash2 = reghash[5:9]   # 4 chars starting at char 6
# hour and minute: the CrackMe checks segment 4 against the time it was started
uhour = "%02d" % time.localtime()[3]
uminute = "%02d" % time.localtime()[4]
serial = szhash1 + '-' + szhash2 + '-' + 'naPY' + '-' + uhour + uminute
print('your serial is %s' % serial)
input()
If you register with this serial within 1 minute, it is judged as cheating, so wait a while before clicking Register...
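Added here as an example (not code from the original post or the CrackMe): a Python 3 model of the 0045D440 routine and of the segment checks from 0045E35D to 0045E614, with a verifier that replays them against the keygen output. It assumes ESI is 0 on entry to 0045D440 (the listing does not zero it) and that the string at 0045E754 is "ChinaPYG". Because 0045D440 is a plain sum, it is order-independent, so the check accepts any permutation of a correct segment, which the final assertion shows.

```python
import hashlib


def hash_45d440(s: str) -> str:
    """Model of the routine at 0045D440: each byte's ASCII value is shifted
    left by 7 and accumulated, and the sum is rendered as a decimal string.
    Assumption: ESI holds 0 on entry (the listing never zeroes it)."""
    total = 0
    for byte in s.encode("latin-1"):
        total += byte << 7
    return str(total)


def cm_compare(a: str, b: str, rounds: int = 1) -> bool:
    """Compare two strings the way the CrackMe does: pass both through
    0045D440 `rounds` times, then compare the resulting decimal strings."""
    for _ in range(rounds):
        a, b = hash_45d440(a), hash_45d440(b)
    return a == b


SEED = "ChinaPYG"  # assumed string at 0045E754; chars 4..7 (1-based) are "naPY"


def expected_segments(machine_code: str, hhmm: str) -> list:
    """The four values the checks at 0045E3CF, 0045E450, 0045E4B5, 0045E502 expect."""
    digest = hashlib.md5(machine_code.encode("latin-1")).hexdigest()
    return [digest[0:4], digest[5:9], SEED[3:7], hhmm]


def keygen(machine_code: str, hhmm: str) -> str:
    return "-".join(expected_segments(machine_code, hhmm))


def verify(machine_code: str, serial: str, hhmm: str) -> bool:
    """Replay the checks in the order the CrackMe performs them.
    hhmm is the HHMM string the CrackMe captured at startup."""
    if len(serial) < 19:
        return False
    segments = [serial[0:4], serial[5:9], serial[10:14], serial[15:19]]
    # segment 1 goes through 0045D440 twice on both sides, the others once
    rounds = [2, 1, 1, 1]
    for got, want, n in zip(segments, expected_segments(machine_code, hhmm), rounds):
        if not cm_compare(got, want, n):
            return False
    # chars 5, 10 and 15 (1-based) must equal each other and be '-'
    return serial[4] == serial[9] == serial[14] == "-"
```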
--------------------------------------------------------------------------------
[Lessons learned]
This CM's algorithm is fairly simple: in OD you can see it is a segment-by-segment plaintext comparison, so both patching and tracing out the serial are easy. Finally, thanks to leafstone for providing the CM for us to practice on,
and I hope he doesn't put music in the next one... - -||||||||
--------------------------------------------------------------------------------
[Copyright notice]: This article was originally written for the 52pojie technical forum. When reposting, credit the author and keep the article intact. Thanks!
2009-12-05 11:40:37