樊盟
发表于 2010-2-13 23:50
Flagimation V1.05 汉化版算法分析 by:Spring_2050 2010.2.13
下载地址:http://www.skycn.com/soft/2415.html
Flagimation V1.05 汉化版
软件介绍: 是 GIF 动画工具,可以将 BMP 和 JPG 格式的图形文件制作成 3D 旗帜动画。程序本身提供了多种特效功能让使用者自行调整使用,像是调整大小、色彩、方向、风的强度、背景颜色等多种特效。同时也附有预览功能,可以随时边看边调整。制作好的3D旗帜动画可以储存成 GIF 格式的图形文件和让网页使用。
用户名:Spring_2050
注册码:1234567890
错误提示:对不起,注册号码不正确。请再试。
Borland Delphi 3.0
查找字符串"请点击这里",跟随到相应代码处,找到段首并下断点;点击注册,断下来后开始分析:
; // Excerpt from the registration handler. The function start and the jump targets 0046EEE6 / 0046EEDE are not shown.
; // It shows the registration dialog, reads the two edit fields and hands them to the check routine 0046E768.
; // NOTE(review): helper names are not visible in this listing; the roles given below are inferred from the
; // arguments passed and from the author's trace notes — confirm against the binary.
0046EDB3 |. BA 80F04600 mov edx, 0046F080 ; // string "请点击这里" ("Please click here"), the string the author searched for
0046EDB8 |. E8 5BE2FAFF call 0041D018 ; // presumably sets a control's text (same helper is applied to both edit fields below) — confirm
0046EDBD |. A1 541B4800 mov eax, dword ptr [481B54] ; // global object pointer used for every control access here
0046EDC2 |. 8B80 FC010000 mov eax, dword ptr [eax+1FC]
0046EDC8 |. 05 C4000000 add eax, 0C4 ; // eax = address of the field at offset 0C4 of that sub-object
0046EDCD |. 8B53 48 mov edx, dword ptr [ebx+48]
0046EDD0 |. E8 1F4BF9FF call 004038F4 ; // presumably a string assignment of [ebx+48] into that field — confirm
0046EDD5 |. A1 541B4800 mov eax, dword ptr [481B54]
0046EDDA |. 8B80 FC010000 mov eax, dword ptr [eax+1FC]
0046EDE0 |. B2 01 mov dl, 1 ; // flag argument; the purpose of 0041CF44 is not visible here
0046EDE2 |. E8 5DE1FAFF call 0041CF44
0046EDE7 |> 8B53 38 mov edx, dword ptr [ebx+38] ; // value for the control at +1F0 (the user-name field read back at 0046EE43)
0046EDEA |. A1 541B4800 mov eax, dword ptr [481B54]
0046EDEF |. 8B80 F0010000 mov eax, dword ptr [eax+1F0]
0046EDF5 |. E8 1EE2FAFF call 0041D018
0046EDFA |. 8B53 3C mov edx, dword ptr [ebx+3C] ; // value for the control at +1F4 (the serial field read back at 0046EE2C)
0046EDFD |. A1 541B4800 mov eax, dword ptr [481B54]
0046EE02 |. 8B80 F4010000 mov eax, dword ptr [eax+1F4]
0046EE08 |. E8 0BE2FAFF call 0041D018
0046EE0D |. A1 541B4800 mov eax, dword ptr [481B54]
0046EE12 |. E8 19C8FBFF call 0042B630 ; // shows the registration dialog (author's trace note)
0046EE17 |. 48 dec eax ; // dec + jnz: continue only when the call returned 1
0046EE18 |. 0F85 C8000000 jnz 0046EEE6
0046EE1E |. 8D55 F8 lea edx, dword ptr [ebp-8] ; // edx = where the fetched text is stored
0046EE21 |. A1 541B4800 mov eax, dword ptr [481B54]
0046EE26 |. 8B80 F4010000 mov eax, dword ptr [eax+1F4]
0046EE2C |. E8 B7E1FAFF call 0041CFE8 ; // fetches the entered serial from the control at +1F4; the string ends up at [ebp-8]
0046EE31 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0046EE34 |. 50 push eax ; // entered serial kept on the stack until the pop at 0046EE4D
0046EE35 |. 8D55 F4 lea edx, dword ptr [ebp-C]
0046EE38 |. A1 541B4800 mov eax, dword ptr [481B54]
0046EE3D |. 8B80 F0010000 mov eax, dword ptr [eax+1F0]
0046EE43 |. E8 A0E1FAFF call 0041CFE8 ; // fetches the user name from the control at +1F0; the string ends up at [ebp-C]
0046EE48 |. 8B55 F4 mov edx, dword ptr [ebp-C] ; // edx = user name
0046EE4B |. 8BC3 mov eax, ebx ; // eax = the object this handler runs on
0046EE4D |. 59 pop ecx ; // ecx = entered serial
0046EE4E |. E8 15F9FFFF call 0046E768 ; // key call: the serial check, listed in the next section
0046EE53 |. 84C0 test al, al
0046EE55 |. 0F84 83000000 je 0046EEDE ; // key branch: taken when the check returned al = 0
---------------------------------------------------------------------------------------------------------------
; // 0046E768: serial check. In: eax = object (kept in esi), edx = user name, ecx = entered serial.
; // Sets bl = 1 only when the serial computed by 0046E978 matches the entered one; the caller tests al,
; // but the code at 0046E823 that would move the flag is not part of this listing.
; // NOTE(review): the expected serial is derived from the user name and the string at [esi+24] and is
; // then compared locally with the input at 0046E7F8, so the expected value is held in memory in
; // plaintext while the check runs.
; // NOTE(review): helper roles (00403CD0, 00403B1C, 00403C2C, 004038C4, 0046E82C) are inferred from
; // their arguments and the author's trace — confirm.
0046E768 /$ 55 push ebp ; // entry of the check routine
0046E769 |. 8BEC mov ebp, esp
0046E76B |. 6A 00 push 0 ; // five pushes of 0: locals [ebp-4]..[ebp-14] start as zero
0046E76D |. 6A 00 push 0
0046E76F |. 6A 00 push 0
0046E771 |. 6A 00 push 0
0046E773 |. 6A 00 push 0
0046E775 |. 53 push ebx
0046E776 |. 56 push esi
0046E777 |. 894D F8 mov dword ptr [ebp-8], ecx ; // [ebp-8] = entered serial
0046E77A |. 8955 FC mov dword ptr [ebp-4], edx ; // [ebp-4] = user name
0046E77D |. 8BF0 mov esi, eax ; // esi = object pointer
0046E77F |. 8B45 FC mov eax, dword ptr [ebp-4] ; // eax = user name
0046E782 |. E8 4955F9FF call 00403CD0 ; // presumably takes a reference on the string argument — confirm
0046E787 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; // eax = entered serial
0046E78A |. E8 4155F9FF call 00403CD0
0046E78F |. 33C0 xor eax, eax
0046E791 |. 55 push ebp ; // next four instructions install an exception frame at fs:[0], handler 0046E81C
0046E792 |. 68 1CE84600 push 0046E81C
0046E797 |. 64:FF30 push dword ptr fs:[eax]
0046E79A |. 64:8920 mov dword ptr fs:[eax], esp
0046E79D |. 33DB xor ebx, ebx ; // bl = 0: result defaults to "not valid"
0046E79F |. 6A 00 push 0
0046E7A1 |. 8D45 F0 lea eax, dword ptr [ebp-10]
0046E7A4 |. 50 push eax ; // output goes to [ebp-10]
0046E7A5 |. B9 08000000 mov ecx, 8
0046E7AA |. 8B56 24 mov edx, dword ptr [esi+24] ; // edx = string stored in the object (traced as "PFL28JUL")
0046E7AD |. 8BC6 mov eax, esi
0046E7AF |. E8 78000000 call 0046E82C ; // same 8-character extraction helper as below, applied to that string
0046E7B4 |. 6A 01 push 1
0046E7B6 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0046E7B9 |. 50 push eax ; // output goes to [ebp-C]
0046E7BA |. B9 08000000 mov ecx, 8
0046E7BF |. 8B55 FC mov edx, dword ptr [ebp-4] ; // edx = user name
0046E7C2 |. 8BC6 mov eax, esi
0046E7C4 |. E8 63000000 call 0046E82C ; // per the author's trace: takes 8 letters of the name, upper-cased, skipping non-letters and wrapping around (Spring_2050 -> SPRINGSP); body not shown
0046E7C9 |. 8B45 F4 mov eax, dword ptr [ebp-C]
0046E7CC |. E8 4B53F9FF call 00403B1C ; // returns the string length in eax (author's trace note)
0046E7D1 |. 85C0 test eax, eax
0046E7D3 |. 7E 2C jle short 0046E801 ; // bail out if the length is <= 0 (empty); the "< 8" test is inside 0046E978
0046E7D5 |. 8B45 F0 mov eax, dword ptr [ebp-10] ; // eax = extracted constant (traced "PFL28JUL")
0046E7D8 |. E8 3F53F9FF call 00403B1C ; // returns the string length in eax
0046E7DD |. 85C0 test eax, eax
0046E7DF |. 7E 20 jle short 0046E801 ; // bail out if the length is <= 0 (empty)
0046E7E1 |. 8D45 EC lea eax, dword ptr [ebp-14]
0046E7E4 |. 50 push eax ; // computed serial will be written to [ebp-14]
0046E7E5 |. 8B4D F4 mov ecx, dword ptr [ebp-C] ; // ecx = extracted name (traced "SPRINGSP")
0046E7E8 |. 8B55 F0 mov edx, dword ptr [ebp-10] ; // edx = extracted constant (traced "PFL28JUL")
0046E7EB |. 8BC6 mov eax, esi
0046E7ED |. E8 86010000 call 0046E978 ; // serial computation, listed in the next section
0046E7F2 |. 8B45 EC mov eax, dword ptr [ebp-14] ; // eax = computed (expected) serial
0046E7F5 |. 8B55 F8 mov edx, dword ptr [ebp-8] ; // edx = entered serial
0046E7F8 |. E8 2F54F9FF call 00403C2C ; // compares expected and entered serial; flags are used by the next jump
0046E7FD |. 75 02 jnz short 0046E801 ; // key branch: mismatch leaves bl = 0
0046E7FF |. B3 01 mov bl, 1 ; // match: mark the serial as valid
0046E801 |> 33C0 xor eax, eax ; // eax = 0, used as the fs:[0] offset below
0046E803 |. 5A pop edx ; // edx = previous exception frame
0046E804 |. 59 pop ecx
0046E805 |. 59 pop ecx
0046E806 |. 64:8910 mov dword ptr fs:[eax], edx ; // restore the previous exception frame
0046E809 |. 68 23E84600 push 0046E823 ; // address the retn below continues at (not shown in the listing)
0046E80E |> 8D45 EC lea eax, dword ptr [ebp-14]
0046E811 |. BA 05000000 mov edx, 5
0046E816 |. E8 A950F9FF call 004038C4 ; // presumably releases the 5 string locals starting at [ebp-14] — confirm
0046E81B \. C3 retn ; // continues at the pushed 0046E823
---------------------------------------------------------------------------------------------------------------
; // 0046E978: serial computation. In: eax = object (kept in ebx), edx = 8-char constant, ecx = 8-char
; // string derived from the user name, [ebp+8] = pointer to the output string (kept in esi).
; // Steps visible below: build constant + name + "########" in a 24-byte buffer at [ebp-21], call
; // 0046E93C eight times to produce one byte per '#', reduce each byte to the ASCII digit
; // '0' + (byte mod 10), then return the last eight characters of the buffer.
; // [ebp-10]..[ebp-9] are characters 17..24 of the buffer at [ebp-21] (byte 0 is presumably a length byte).
; // NOTE(review): helper roles (00403CD0, 004038A0, 00403B1C, 00403D20, 00403BDC, 00403AF8, 00402954,
; // 00402794, 00403AC0, 004038C4) are inferred from their arguments; 0046E93C is not listed — confirm.
0046E978 /$ 55 push ebp ; // entry of the computation routine
0046E979 |. 8BEC mov ebp, esp
0046E97B |. 81C4 B4FEFFFF add esp, -14C ; // reserve 14Ch bytes of locals
0046E981 |. 53 push ebx
0046E982 |. 56 push esi
0046E983 |. 57 push edi
0046E984 |. 33DB xor ebx, ebx
0046E986 |. 899D D8FEFFFF mov dword ptr [ebp-128], ebx ; // zero the three temporary string locals
0046E98C |. 899D D4FEFFFF mov dword ptr [ebp-12C], ebx
0046E992 |. 899D D0FEFFFF mov dword ptr [ebp-130], ebx
0046E998 |. 894D F8 mov dword ptr [ebp-8], ecx ; // [ebp-8] = name-derived string
0046E99B |. 8955 FC mov dword ptr [ebp-4], edx ; // [ebp-4] = constant string
0046E99E |. 8BD8 mov ebx, eax ; // ebx = object pointer
0046E9A0 |. 8B75 08 mov esi, dword ptr [ebp+8] ; // esi = caller's output string pointer
0046E9A3 |. 8B45 FC mov eax, dword ptr [ebp-4] ; // eax = constant (traced "PFL28JUL")
0046E9A6 |. E8 2553F9FF call 00403CD0 ; // presumably takes a reference on the string argument — confirm
0046E9AB |. 8B45 F8 mov eax, dword ptr [ebp-8] ; // eax = name-derived string (traced "SPRINGSP")
0046E9AE |. E8 1D53F9FF call 00403CD0
0046E9B3 |. 33C0 xor eax, eax
0046E9B5 |. 55 push ebp ; // next four instructions install an exception frame at fs:[0], handler 0046EB79
0046E9B6 |. 68 79EB4600 push 0046EB79
0046E9BB |. 64:FF30 push dword ptr fs:[eax]
0046E9BE |. 64:8920 mov dword ptr fs:[eax], esp
0046E9C1 |. 8BC6 mov eax, esi
0046E9C3 |. E8 D84EF9FF call 004038A0 ; // presumably clears the output string first — confirm
0046E9C8 |. 8B45 FC mov eax, dword ptr [ebp-4] ; // eax = constant (traced "PFL28JUL")
0046E9CB |. E8 4C51F9FF call 00403B1C ; // length of the constant string, returned in eax
0046E9D0 |. 83F8 08 cmp eax, 8 ; // compare the length with 8
0046E9D3 |. 0F8C 75010000 jl 0046EB4E ; // shorter than 8: skip the computation and go to cleanup
0046E9D9 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; // eax = name-derived string (traced "SPRINGSP")
0046E9DC |. E8 3B51F9FF call 00403B1C ; // length of the name-derived string, returned in eax
0046E9E1 |. 83F8 08 cmp eax, 8 ; // compare the length with 8
0046E9E4 |. 0F8C 64010000 jl 0046EB4E ; // shorter than 8: skip the computation and go to cleanup
0046E9EA |. 8D85 D4FEFFFF lea eax, dword ptr [ebp-12C]
0046E9F0 |. 50 push eax ; // result goes to [ebp-12C]
0046E9F1 |. B9 08000000 mov ecx, 8
0046E9F6 |. BA 01000000 mov edx, 1
0046E9FB |. 8B45 FC mov eax, dword ptr [ebp-4]
0046E9FE |. E8 1D53F9FF call 00403D20 ; // presumably copies 8 characters starting at position 1 of the constant — confirm
0046EA03 |. FFB5 D4FEFFFF push dword ptr [ebp-12C] ; // 1st piece for the concatenation
0046EA09 |. 8D85 D0FEFFFF lea eax, dword ptr [ebp-130]
0046EA0F |. 50 push eax ; // result goes to [ebp-130]
0046EA10 |. B9 08000000 mov ecx, 8
0046EA15 |. BA 01000000 mov edx, 1
0046EA1A |. 8B45 F8 mov eax, dword ptr [ebp-8]
0046EA1D |. E8 FE52F9FF call 00403D20 ; // same copy applied to the name-derived string
0046EA22 |. FFB5 D0FEFFFF push dword ptr [ebp-130] ; // 2nd piece for the concatenation
0046EA28 |. 68 94EB4600 push 0046EB94 ; ASCII "########"
0046EA2D |. 8D85 D8FEFFFF lea eax, dword ptr [ebp-128]
0046EA33 |. BA 03000000 mov edx, 3 ; // three pieces were pushed
0046EA38 |. E8 9F51F9FF call 00403BDC ; // joins constant + name + "########" into [ebp-128]
0046EA3D |. 8B95 D8FEFFFF mov edx, dword ptr [ebp-128] ; // traced value: PFL28JULSPRINGSP########
0046EA43 |. 8D85 DCFEFFFF lea eax, dword ptr [ebp-124]
0046EA49 |. B9 FF000000 mov ecx, 0FF
0046EA4E |. E8 A550F9FF call 00403AF8 ; // author noted "computes the length"; the arguments (dest [ebp-124], source string, limit 0FFh) look like a copy into a fixed buffer — confirm
0046EA53 |. 8D95 DCFEFFFF lea edx, dword ptr [ebp-124]
0046EA59 |. 8D45 DF lea eax, dword ptr [ebp-21]
0046EA5C |. B1 18 mov cl, 18 ; // 18h = 24 = 8 + 8 + 8 characters
0046EA5E |. E8 F13EF9FF call 00402954 ; // presumably copies at most 24 characters into the work buffer at [ebp-21] — confirm
0046EA63 |. 6A 03 push 3 ; // each of the 8 calls below passes cl plus three pushed values, all in 1..10h;
0046EA65 |. 6A 05 push 5 ; // they look like 1-based positions in the first 16 characters — confirm in 0046E93C
0046EA67 |. 6A 07 push 7
0046EA69 |. 8D55 DF lea edx, dword ptr [ebp-21] ; // edx = work buffer
0046EA6C |. B1 01 mov cl, 1
0046EA6E |. 8BC3 mov eax, ebx
0046EA70 |. E8 C7FEFFFF call 0046E93C ; // mixing helper (not listed); returns one byte in al
0046EA75 |. 8845 F0 mov byte ptr [ebp-10], al ; // byte 1 overwrites the 1st '#' (traced: 'I' = 49h)
0046EA78 |. 6A 04 push 4
0046EA7A |. 6A 0A push 0A
0046EA7C |. 6A 0C push 0C
0046EA7E |. 8D55 DF lea edx, dword ptr [ebp-21] ; // traced buffer: PFL28JULSPRINGSPI#######
0046EA81 |. B1 02 mov cl, 2
0046EA83 |. 8BC3 mov eax, ebx
0046EA85 |. E8 B2FEFFFF call 0046E93C
0046EA8A |. 8845 F1 mov byte ptr [ebp-F], al ; // byte 2 overwrites the 2nd '#' (traced: '=' = 3Dh)
0046EA8D |. 6A 0B push 0B
0046EA8F |. 6A 0D push 0D
0046EA91 |. 6A 0F push 0F
0046EA93 |. 8D55 DF lea edx, dword ptr [ebp-21] ; // traced buffer: PFL28JULSPRINGSPI=######
0046EA96 |. B1 09 mov cl, 9
0046EA98 |. 8BC3 mov eax, ebx
0046EA9A |. E8 9DFEFFFF call 0046E93C
0046EA9F |. 8845 F2 mov byte ptr [ebp-E], al ; // byte 3 overwrites the 3rd '#' (traced: 13h, not printable)
0046EAA2 |. 6A 08 push 8
0046EAA4 |. 6A 0E push 0E
0046EAA6 |. 6A 10 push 10
0046EAA8 |. 8D55 DF lea edx, dword ptr [ebp-21]
0046EAAB |. B1 06 mov cl, 6
0046EAAD |. 8BC3 mov eax, ebx
0046EAAF |. E8 88FEFFFF call 0046E93C
0046EAB4 |. 8845 F3 mov byte ptr [ebp-D], al ; // byte 4 overwrites the 4th '#' (traced: 'S' = 53h)
0046EAB7 |. 6A 10 push 10
0046EAB9 |. 6A 02 push 2
0046EABB |. 6A 0F push 0F
0046EABD |. 8D55 DF lea edx, dword ptr [ebp-21]
0046EAC0 |. B1 01 mov cl, 1
0046EAC2 |. 8BC3 mov eax, ebx
0046EAC4 |. E8 73FEFFFF call 0046E93C
0046EAC9 |. 8845 F4 mov byte ptr [ebp-C], al ; // byte 5 overwrites the 5th '#' (traced: 'S' = 53h)
0046EACC |. 6A 0E push 0E
0046EACE |. 6A 04 push 4
0046EAD0 |. 6A 0D push 0D
0046EAD2 |. 8D55 DF lea edx, dword ptr [ebp-21]
0046EAD5 |. B1 03 mov cl, 3
0046EAD7 |. 8BC3 mov eax, ebx
0046EAD9 |. E8 5EFEFFFF call 0046E93C
0046EADE |. 8845 F5 mov byte ptr [ebp-B], al ; // byte 6 overwrites the 6th '#' (traced: 'b' = 62h)
0046EAE1 |. 6A 0C push 0C
0046EAE3 |. 6A 06 push 6
0046EAE5 |. 6A 0B push 0B
0046EAE7 |. 8D55 DF lea edx, dword ptr [ebp-21]
0046EAEA |. B1 05 mov cl, 5
0046EAEC |. 8BC3 mov eax, ebx
0046EAEE |. E8 49FEFFFF call 0046E93C
0046EAF3 |. 8845 F6 mov byte ptr [ebp-A], al ; // byte 7 overwrites the 7th '#' (traced: 97h, not printable)
0046EAF6 |. 6A 0A push 0A
0046EAF8 |. 6A 08 push 8
0046EAFA |. 6A 09 push 9
0046EAFC |. 8D55 DF lea edx, dword ptr [ebp-21]
0046EAFF |. B1 07 mov cl, 7
0046EB01 |. 8BC3 mov eax, ebx
0046EB03 |. E8 34FEFFFF call 0046E93C
0046EB08 |. 8845 F7 mov byte ptr [ebp-9], al ; // byte 8 overwrites the 8th '#' (traced: 03h, not printable)
0046EB0B |. BB 08000000 mov ebx, 8 ; // loop counter: 8 bytes to convert
0046EB10 |. 8D4D F0 lea ecx, dword ptr [ebp-10] ; // ecx = first of the 8 computed bytes
0046EB13 |> 33C0 /xor eax, eax ; // clear eax so the byte loaded next is zero-extended
0046EB15 |. 8A01 |mov al, byte ptr [ecx] ; // al = current byte (traced sequence: 'I','=',13h,'S','S','b',97h,03h)
0046EB17 |. BF 0A000000 |mov edi, 0A ; // divisor = 10
0046EB1C |. 99 |cdq ; // sign-extend eax into edx:eax (edx = 0 here because eax <= 0FFh)
0046EB1D |. F7FF |idiv edi ; // edx:eax / 10: quotient in eax, remainder in edx
0046EB1F |. 83C2 30 |add edx, 30 ; // remainder + 30h = ASCII digit '0'..'9'
0046EB22 |. 8811 |mov byte ptr [ecx], dl ; // store the digit in place (traced digits: 3,1,9,3,3,8,1,3)
0046EB24 |. 41 |inc ecx ; // advance to the next byte
0046EB25 |. 4B |dec ebx ; // one byte fewer left
0046EB26 |.^ 75 EB \jnz short 0046EB13 ; // repeat until all 8 bytes are converted
0046EB28 |. 8D85 B4FEFFFF lea eax, dword ptr [ebp-14C]
0046EB2E |. 50 push eax ; // result goes to [ebp-14C]
0046EB2F |. B9 08000000 mov ecx, 8 ; // count = 8
0046EB34 |. BA 11000000 mov edx, 11 ; // start position 11h = 17, the first converted character
0046EB39 |. 8D45 DF lea eax, dword ptr [ebp-21] ; // work buffer, traced as PFL28JULSPRINGSP31933813
0046EB3C |. E8 533CF9FF call 00402794 ; // extracts the last eight characters of the buffer
0046EB41 |. 8D95 B4FEFFFF lea edx, dword ptr [ebp-14C] ; // computed serial (traced: 31933813)
0046EB47 |. 8BC6 mov eax, esi
0046EB49 |. E8 724FF9FF call 00403AC0 ; // presumably stores that result into the caller's output string at esi — confirm
0046EB4E |> 33C0 xor eax, eax ; // eax = 0, used as the fs:[0] offset below
0046EB50 |. 5A pop edx ; // edx = previous exception frame
0046EB51 |. 59 pop ecx
0046EB52 |. 59 pop ecx
0046EB53 |. 64:8910 mov dword ptr fs:[eax], edx ; // restore the previous exception frame
0046EB56 |. 68 80EB4600 push 0046EB80 ; // address the retn below continues at (not shown in the listing)
0046EB5B |> 8D85 D0FEFFFF lea eax, dword ptr [ebp-130]
0046EB61 |. BA 03000000 mov edx, 3
0046EB66 |. E8 594DF9FF call 004038C4 ; // presumably releases the 3 string locals starting at [ebp-130] — confirm
0046EB6B |. 8D45 F8 lea eax, dword ptr [ebp-8]
0046EB6E |. BA 02000000 mov edx, 2
0046EB73 |. E8 4C4DF9FF call 004038C4 ; // presumably releases the 2 string arguments at [ebp-8] and [ebp-4] — confirm
0046EB78 \. C3 retn ; // continues at the pushed 0046EB80
---------------------------------------------------------------------------------------------------------------
注册信息:
用户名:Spring_2050
注册码:31933813
注册表信息:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Pegtop\Flagimation]
"Version"="版本 1.05 - 1999 年 12 月 11 日"
"InstallPath"="C:\\Documents and Settings\\Administrator\\桌面\\Flagimation\\"
"RegName"="Spring_2050"
"RegNumber"="31933813"
算法总结:
1.用户名凑够8位进行注册码计算,规则是这样的:目的要提取八位用户名,有小写则变大写,若有其他字符则不参与计算,循环取字母字符直到取完8位为止,我用的用户名是Spring_2050,取出的八位字符为SPRINGSP,没有研究汉字的用户名,这里就不敢妄下断语了;
2.用户名长度没有什么要求;提取的八位字符串参加计算,Spring_2050&SPRINGSP计算的注册码是一样的;
3.PFL28JUL+提取的八位用户名字符+########组合成字符串,本例中组合的字符串为:PFL28JULSPRINGSP########,然后分别用I,=,13,S,S,b,97,03这八个字节依次替换第1个~第8个#,字符串被替换后也做相应变化(其中13、97、03是十六进制字节值,不是可打印字符,在调试器里显示为黑方块);
4.(I,=,13,S,S,b,97,03)按各自的字节值分别除以0A(即十进制10),取余数Y再加30,得到对应的数字字符(以下数值均为十六进制):
I/0A=X1余Y1;Y1+30=33;→3
=/0A=X2余Y2;Y2+30=31;→1
13/0A=X3余Y3;Y3+30=39;→9
S/0A=X4余Y4;Y4+30=33;→3
S/0A=X5余Y5;Y5+30=33;→3
b/0A=X6余Y6;Y6+30=38;→8
97/0A=X7余Y7;Y7+30=31;→1
03/0A=X8余Y8;Y8+30=33;→3
计算字符串为:31933813;
5.替换后字符串:PFL28JULSPRINGSP31933813,最后再把计算后的字符串后八位提取出来作为注册码。
胜利截图:
今天除夕,看春晚的同时分析了一个小软件,软柿子……祝大家新春快乐,身体健康,工作顺利! |