[ Title ] 光盘复制专家 6.1 (CD Copy Expert 6.1) algorithm analysis
[ Author ] missviola[LCG]
[ Tools ] PEID, OD
[ Platform ] Windows XP
[ Software ] 光盘复制专家 6.1
[ Statement ] Just out of interest, no other purpose. If I got anything wrong, corrections from the experts are welcome!
-----------------------------------------------------
[ Process ]-----------------------------------------
小糊涂虫 has already analyzed the unpacking of this program, but his post did not cover the algorithm, so I will fill that in here. Scanning the unpacked program with PEID shows Borland Delphi 6.0 - 7.0. Load it directly in OD. Using the F12 pause method, set a breakpoint at D30563. Enter the trial code 11111-22222-33333-44444-55555, click Register, and once the breakpoint hits, step through with F8 and analyze as follows:
00D30563  55             push ebp
00D30564  68 B80AD300    push checkreg.00D30AB8
00D30569  64:FF30        push dword ptr fs:[eax]
00D3056C  64:8920        mov dword ptr fs:[eax],esp
00D3056F  8D55 F8        lea edx,dword ptr ss:[ebp-8]
00D30572  8BB3 98030000  mov esi,dword ptr ds:[ebx+398]
00D30578  8BC6           mov eax,esi
00D3057A  E8 05DDF9FF    call checkreg.00CCE284          ; fetch the first registration-code field
00D3057F  8B45 F8        mov eax,dword ptr ss:[ebp-8]
00D30582  8D55 FC        lea edx,dword ptr ss:[ebp-4]
00D30585  E8 5A90F5FF    call checkreg.00C895E4
00D3058A  8B55 FC        mov edx,dword ptr ss:[ebp-4]
00D3058D  8BC6           mov eax,esi
00D3058F  E8 20DDF9FF    call checkreg.00CCE2B4
00D30594  8D55 F0        lea edx,dword ptr ss:[ebp-10]
00D30597  8BB3 9C030000  mov esi,dword ptr ds:[ebx+39C]
00D3059D  8BC6           mov eax,esi
00D3059F  E8 E0DCF9FF    call checkreg.00CCE284          ; fetch the second field
00D305A4  8B45 F0        mov eax,dword ptr ss:[ebp-10]
00D305A7  8D55 F4        lea edx,dword ptr ss:[ebp-C]
00D305AA  E8 3590F5FF    call checkreg.00C895E4
00D305AF  8B55 F4        mov edx,dword ptr ss:[ebp-C]
00D305B2  8BC6           mov eax,esi
00D305B4  E8 FBDCF9FF    call checkreg.00CCE2B4
00D305B9  8D55 E8        lea edx,dword ptr ss:[ebp-18]
00D305BC  8BB3 A0030000  mov esi,dword ptr ds:[ebx+3A0]
00D305C2  8BC6           mov eax,esi
00D305C4  E8 BBDCF9FF    call checkreg.00CCE284
00D305C9  8B45 E8        mov eax,dword ptr ss:[ebp-18]   ; fetch the third field
00D305CC  8D55 EC        lea edx,dword ptr ss:[ebp-14]
00D305CF  E8 1090F5FF    call checkreg.00C895E4
00D305D4  8B55 EC        mov edx,dword ptr ss:[ebp-14]
00D305D7  8BC6           mov eax,esi
00D305D9  E8 D6DCF9FF    call checkreg.00CCE2B4
00D305DE  8D55 E0        lea edx,dword ptr ss:[ebp-20]
00D305E1  8BB3 A4030000  mov esi,dword ptr ds:[ebx+3A4]
00D305E7  8BC6           mov eax,esi
00D305E9  E8 96DCF9FF    call checkreg.00CCE284          ; fetch the fourth field
00D305EE  8B45 E0        mov eax,dword ptr ss:[ebp-20]
00D305F1  8D55 E4        lea edx,dword ptr ss:[ebp-1C]
00D305F4  E8 EB8FF5FF    call checkreg.00C895E4
00D305F9  8B55 E4        mov edx,dword ptr ss:[ebp-1C]
00D305FC  8BC6           mov eax,esi
00D305FE  E8 B1DCF9FF    call checkreg.00CCE2B4
00D30603  8D55 D8        lea edx,dword ptr ss:[ebp-28]
00D30606  8BB3 A8030000  mov esi,dword ptr ds:[ebx+3A8]
00D3060C  8BC6           mov eax,esi
00D3060E  E8 71DCF9FF    call checkreg.00CCE284
00D30613  8B45 D8        mov eax,dword ptr ss:[ebp-28]   ; fetch the fifth field
00D30616  8D55 DC        lea edx,dword ptr ss:[ebp-24]
00D30619  E8 C68FF5FF    call checkreg.00C895E4
00D3061E  8B55 DC        mov edx,dword ptr ss:[ebp-24]
00D30621  8BC6           mov eax,esi
00D30623  E8 8CDCF9FF    call checkreg.00CCE2B4
00D30628  8D55 D4        lea edx,dword ptr ss:[ebp-2C]
00D3062B  8B83 98030000  mov eax,dword ptr ds:[ebx+398]
00D30631  E8 4EDCF9FF    call checkreg.00CCE284
00D30636  8B45 D4        mov eax,dword ptr ss:[ebp-2C]
00D30639  E8 964EF5FF    call checkreg.00C854D4
00D3063E  E8 3D98F5FF    call checkreg.00C89E80
00D30643  83F8 05        cmp eax,5                       ; first field length must equal 5
00D30646  0F85 80000000  jnz checkreg.00D306CC
00D3064C  8D55 D0        lea edx,dword ptr ss:[ebp-30]
00D3064F  8B83 9C030000  mov eax,dword ptr ds:[ebx+39C]
00D30655  E8 2ADCF9FF    call checkreg.00CCE284
00D3065A  8B45 D0        mov eax,dword ptr ss:[ebp-30]
00D3065D  E8 724EF5FF    call checkreg.00C854D4
00D30662  E8 1998F5FF    call checkreg.00C89E80
00D30667  83F8 05        cmp eax,5                       ; second field length must equal 5
00D3066A  75 60          jnz short checkreg.00D306CC
00D3066C  8D55 CC        lea edx,dword ptr ss:[ebp-34]
00D3066F  8B83 A0030000  mov eax,dword ptr ds:[ebx+3A0]
00D30675  E8 0ADCF9FF    call checkreg.00CCE284
00D3067A  8B45 CC        mov eax,dword ptr ss:[ebp-34]
00D3067D  E8 524EF5FF    call checkreg.00C854D4
00D30682  E8 F997F5FF    call checkreg.00C89E80
00D30687  83F8 05        cmp eax,5                       ; third field length must equal 5
00D3068A  75 40          jnz short checkreg.00D306CC
00D3068C  8D55 C8        lea edx,dword ptr ss:[ebp-38]
00D3068F  8B83 A4030000  mov eax,dword ptr ds:[ebx+3A4]
00D30695  E8 EADBF9FF    call checkreg.00CCE284
00D3069A  8B45 C8        mov eax,dword ptr ss:[ebp-38]
00D3069D  E8 324EF5FF    call checkreg.00C854D4
00D306A2  E8 D997F5FF    call checkreg.00C89E80
00D306A7  83F8 05        cmp eax,5                       ; fourth field length must equal 5
00D306AA  75 20          jnz short checkreg.00D306CC
00D306AC  8D55 C4        lea edx,dword ptr ss:[ebp-3C]
00D306AF  8B83 A8030000  mov eax,dword ptr ds:[ebx+3A8]
00D306B5  E8 CADBF9FF    call checkreg.00CCE284
00D306BA  8B45 C4        mov eax,dword ptr ss:[ebp-3C]
00D306BD  E8 124EF5FF    call checkreg.00C854D4
00D306C2  E8 B997F5FF    call checkreg.00C89E80
00D306C7  83F8 05        cmp eax,5                       ; fifth field length must equal 5
00D306CA  74 2A          je short checkreg.00D306F6
00D306CC  6A 40          push 40
00D306CE  A1 1C07D400    mov eax,dword ptr ds:[D4071C]
00D306D3  E8 FC4DF5FF    call checkreg.00C854D4
00D306D8  50             push eax
00D306D9  A1 2407D400    mov eax,dword ptr ds:[D40724]
00D306DE  E8 F14DF5FF    call checkreg.00C854D4
00D306E3  50             push eax
00D306E4  8BC3           mov eax,ebx
00D306E6  E8 D156FAFF    call checkreg.00CD5DBC
00D306EB  50             push eax
00D306EC  E8 B37AF5FF    call <jmp.&user32.MessageBoxA>
00D306F1  E9 37030000    jmp checkreg.00D30A2D
00D306F6  8D55 C0        lea edx,dword ptr ss:[ebp-40]
00D306F9  8B83 98030000  mov eax,dword ptr ds:[ebx+398]
00D306FF  E8 80DBF9FF    call checkreg.00CCE284
00D30704  837D C0 00     cmp dword ptr ss:[ebp-40],0
00D30708  74 3C          je short checkreg.00D30746
00D3070A  8D55 BC        lea edx,dword ptr ss:[ebp-44]
00D3070D  8B83 9C030000  mov eax,dword ptr ds:[ebx+39C]
00D30713  E8 6CDBF9FF    call checkreg.00CCE284
00D30718  837D BC 00     cmp dword ptr ss:[ebp-44],0
00D3071C  74 28          je short checkreg.00D30746
00D3071E  8D55 B8        lea edx,dword ptr ss:[ebp-48]
00D30721  8B83 A0030000  mov eax,dword ptr ds:[ebx+3A0]
00D30727  E8 58DBF9FF    call checkreg.00CCE284
00D3072C  837D B8 00     cmp dword ptr ss:[ebp-48],0
00D30730  74 14          je short checkreg.00D30746
00D30732  8D55 B4        lea edx,dword ptr ss:[ebp-4C]
00D30735  8B83 A4030000  mov eax,dword ptr ds:[ebx+3A4]
00D3073B  E8 44DBF9FF    call checkreg.00CCE284
00D30740  837D B4 00     cmp dword ptr ss:[ebp-4C],0
00D30744  75 2A          jnz short checkreg.00D30770
00D30746  6A 40          push 40
00D30748  A1 1C07D400    mov eax,dword ptr ds:[D4071C]
00D3074D  E8 824DF5FF    call checkreg.00C854D4
00D30752  50             push eax
00D30753  A1 2407D400    mov eax,dword ptr ds:[D40724]
00D30758  E8 774DF5FF    call checkreg.00C854D4
00D3075D  50             push eax
00D3075E  8BC3           mov eax,ebx
00D30760  E8 5756FAFF    call checkreg.00CD5DBC
00D30765  50             push eax
00D30766  E8 397AF5FF    call <jmp.&user32.MessageBoxA>
00D3076B  E9 BD020000    jmp checkreg.00D30A2D
00D30770  8D55 B0        lea edx,dword ptr ss:[ebp-50]
00D30773  8B83 A0030000  mov eax,dword ptr ds:[ebx+3A0]
00D30779  E8 06DBF9FF    call checkreg.00CCE284
00D3077E  8B45 B0        mov eax,dword ptr ss:[ebp-50]
00D30781  E8 3691F5FF    call checkreg.00C898BC
00D30786  8BF0           mov esi,eax
00D30788  8D45 AC        lea eax,dword ptr ss:[ebp-54]
00D3078B  E8 7C84FCFF    call checkreg.00CF8C0C          ; stepping over this call yields the number 60000 (decimal)
00D30790  8B45 AC        mov eax,dword ptr ss:[ebp-54]
00D30793  E8 2491F5FF    call checkreg.00C898BC
00D30798  8BC8           mov ecx,eax
00D3079A  8BC6           mov eax,esi
00D3079C  BF 10270000    mov edi,2710
00D307A1  33D2           xor edx,edx
00D307A3  F7F7           div edi                         ; third field divided by 0x2710
00D307A5  8BF8           mov edi,eax                     ; quotient to edi
00D307A7  8BC1           mov eax,ecx                     ; 60000 to eax
00D307A9  B9 10270000    mov ecx,2710
00D307AE  33D2           xor edx,edx
00D307B0  F7F1           div ecx                         ; 60000 divided by 0x2710
00D307B2  3BF8           cmp edi,eax                     ; the two quotients must be equal
00D307B4  74 2F          je short checkreg.00D307E5      ; if equal, continue comparing
00D307B6  83FF 01        cmp edi,1
00D307B9  74 2A          je short checkreg.00D307E5
00D307BB  6A 40          push 40
00D307BD  A1 1C07D400    mov eax,dword ptr ds:[D4071C]
00D307C2  E8 0D4DF5FF    call checkreg.00C854D4
00D307C7  50             push eax
00D307C8  A1 2407D400    mov eax,dword ptr ds:[D40724]
00D307CD  E8 024DF5FF    call checkreg.00C854D4
00D307D2  50             push eax
00D307D3  8BC3           mov eax,ebx
00D307D5  E8 E255FAFF    call checkreg.00CD5DBC
00D307DA  50             push eax
00D307DB  E8 C479F5FF    call <jmp.&user32.MessageBoxA>
00D307E0  E9 48020000    jmp checkreg.00D30A2D
00D307E5  8D55 A8        lea edx,dword ptr ss:[ebp-58]
00D307E8  8B83 98030000  mov eax,dword ptr ds:[ebx+398]
00D307EE  E8 91DAF9FF    call checkreg.00CCE284          ; first field
00D307F3  8B45 A8        mov eax,dword ptr ss:[ebp-58]
00D307F6  E8 C190F5FF    call checkreg.00C898BC          ; check whether the code is numeric
00D307FB  E8 6C8AFCFF    call checkreg.00CF926C          ; transform call for the first field
Press F7 to step into the first-field transform call and take a look:
00CF926C  8BC8           mov ecx,eax
00CF926E  8D81 D3750100  lea eax,dword ptr ds:[ecx+175D3] ; first field plus 0x175D3
00CF9274  B9 0D000000    mov ecx,0D
00CF9279  33D2           xor edx,edx
00CF927B  F7F1           div ecx                         ; the sum divided by 0x0D
00CF927D  05 80000000    add eax,80                      ; quotient plus 0x80
00CF9282  C3             retn
00D30800  8BF0           mov esi,eax
00D30802  8D55 A4        lea edx,dword ptr ss:[ebp-5C]
00D30805  8B83 9C030000  mov eax,dword ptr ds:[ebx+39C]
00D3080B  E8 74DAF9FF    call checkreg.00CCE284          ; second field
00D30810  8B45 A4        mov eax,dword ptr ss:[ebp-5C]
00D30813  E8 A490F5FF    call checkreg.00C898BC
00D30818  E8 678AFCFF    call checkreg.00CF9284          ; transform call for the second field
Press F7 to step into the second-field transform call:
00CF9284  8BC8           mov ecx,eax
00CF9286  8BC1           mov eax,ecx
00CF9288  B9 13000000    mov ecx,13
00CF928D  33D2           xor edx,edx
00CF928F  F7F1           div ecx                         ; second field divided by 0x13
00CF9291  8BD0           mov edx,eax
00CF9293  C1E0 04        shl eax,4                       ; quotient times 16
00CF9296  03C2           add eax,edx                     ; plus the quotient again
00CF9298  50             push eax
00CF9299  B8 92740100    mov eax,17492
00CF929E  5A             pop edx
00CF929F  2BC2           sub eax,edx                     ; 0x17492 minus the result above
00CF92A1  C3             retn
00D3081D  8BF8           mov edi,eax
00D3081F  8D55 A0        lea edx,dword ptr ss:[ebp-60]
00D30822  8B83 A4030000  mov eax,dword ptr ds:[ebx+3A4]
00D30828  E8 57DAF9FF    call checkreg.00CCE284          ; fourth field
00D3082D  8B45 A0        mov eax,dword ptr ss:[ebp-60]
00D30830  E8 8790F5FF    call checkreg.00C898BC
00D30835  99             cdq
00D30836  52             push edx
00D30837  50             push eax
00D30838  8BC6           mov eax,esi
00D3083A  33D2           xor edx,edx
00D3083C  3B5424 04      cmp edx,dword ptr ss:[esp+4]
00D30840  75 03          jnz short checkreg.00D30845
00D30842  3B0424         cmp eax,dword ptr ss:[esp]      ; fourth field must equal the transformed first field
00D30845  5A             pop edx
00D30846  58             pop eax
00D30847  0F85 BB010000  jnz checkreg.00D30A08
00D3084D  8D55 9C        lea edx,dword ptr ss:[ebp-64]
00D30850  8B83 A8030000  mov eax,dword ptr ds:[ebx+3A8]
00D30856  E8 29DAF9FF    call checkreg.00CCE284          ; fifth field
00D3085B  8B45 9C        mov eax,dword ptr ss:[ebp-64]
00D3085E  E8 5990F5FF    call checkreg.00C898BC
00D30863  99             cdq
00D30864  52             push edx
00D30865  50             push eax
00D30866  8BC7           mov eax,edi
00D30868  33D2           xor edx,edx
00D3086A  3B5424 04      cmp edx,dword ptr ss:[esp+4]
00D3086E  75 03          jnz short checkreg.00D30873
00D30870  3B0424         cmp eax,dword ptr ss:[esp]      ; fifth field must equal the transformed second field
00D30873  5A             pop edx
00D30874  58             pop eax
00D30875  0F85 8D010000  jnz checkreg.00D30A08
[ Summary ]-----------------------------------------
Finally, to summarize the algorithm:
1. Every field of the registration code must be numeric and exactly 5 digits long.
2. The quotient of the third field divided by 0x2710 must equal the quotient of 60000 divided by 0x2710.
3. Add 0x175D3 to the first field, divide by 0x0D, then add 0x80 to the quotient: that gives the fourth field.
4. Divide the second field by 0x13, multiply the quotient by 16 and add the quotient once more; subtract that from 0x17492 to get the fifth field.
Here is one valid registration code:
88888-22222-66666-14327-75505
-----------------------------------------------------
[ Copyright ] This article was originally written for the 52pojie technical forum. When reposting, please credit the author and keep the article intact. Thanks!
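The check logic as read from the listing above, written here as an added Python example (not the program's own code) so the summary can be verified against the serial just given; it assumes the 60000 observed after the call at 00CF8C0C is a fixed constant. It also reproduces the `cmp edi,1 / je` at 00D307B6, which the listing shows as a second way for the third field to pass.

```python
# Added example: re-implementation of the registration check reconstructed
# from the disassembly above. Not the vendor's code. Assumption: the 60000
# observed in eax after the call at 00CF8C0C is a fixed constant.
MASK32 = 0xFFFFFFFF
THIRD_FIELD_REFERENCE = 60000  # value seen after 00CF8C0C (assumed constant)
FIELD_LEN = 5                  # cmp eax,5 at 00D30643..00D306C7

def transform_first(n: int) -> int:
    """00CF926C: ((n + 0x175D3) / 0x0D) + 0x80, unsigned 32-bit division."""
    return (((n + 0x175D3) & MASK32) // 0x0D) + 0x80

def transform_second(n: int) -> int:
    """00CF9284: q = n / 0x13; result = 0x17492 - (q*16 + q)."""
    q = n // 0x13
    return (0x17492 - ((q << 4) + q)) & MASK32

def check_serial(serial: str) -> bool:
    """Return True if the serial satisfies every check in the listing."""
    fields = serial.split("-")
    if len(fields) != 5:
        return False
    # 00D30643..00D306CA: every field must be exactly 5 characters long
    if any(len(f) != FIELD_LEN for f in fields):
        return False
    # 00C898BC converts the text to an integer; non-numeric input fails there
    if not all(f.isdigit() for f in fields):
        return False
    f1, f2, f3, f4, f5 = (int(f) for f in fields)
    # 00D307A3..00D307B9: quotient of field 3 by 0x2710 must equal the
    # quotient of the reference value, or be exactly 1 (cmp edi,1 / je)
    q3 = f3 // 0x2710
    if q3 != THIRD_FIELD_REFERENCE // 0x2710 and q3 != 1:
        return False
    # 00D30842: field 4 must equal the transformed field 1
    if f4 != transform_first(f1):
        return False
    # 00D30870: field 5 must equal the transformed field 2
    return f5 == transform_second(f2)

if __name__ == "__main__":
    print(check_serial("88888-22222-66666-14327-75505"))  # True
```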
-----------------------------------------------------