zaas
Posted on 2010-4-18 15:49
【Title】ColorCatcher 3.5 algorithm analysis and algorithm keygen
【Author】zaas[PYG][FCT]
【Tools】OllyICE, PEiD v0.94
【Cracking platform】WinXP
【Software name】ColorCatcher 3.5
【Updated】2010-4-17 10:50:20
【Category】Foreign software / image capture
【Software language】Simplified Chinese
【Supported platforms】WinXP/2000/2003/Vista
【License】Shareware (paid)
【Size】741KB
【Original download】http://www.newhua.com/soft/81278.htm#down
【Protection】Registration code
【Description】ColorCatcher is a screen color-capture tool; it supports display in two formats, RGB and HTML
【Statement】I'm just a newbie who picked up a bit of insight and wants to share it :)
This program derives the registration name backwards from the registration code, which is interesting, like a CrackMe.
--------------------------------------------------------------
【Details】
--------------------------------------------------------------
**************************************************************
Checked with PEiD: Borland Delphi 6.0 - 7.0
**************************************************************
Set a breakpoint on MessageBoxA, break, and return to:
0051772C |. 8B45 F8 mov eax, dword ptr [ebp-8]
0051772F |. 8D55 FC lea edx, dword ptr [ebp-4]
00517732 |. E8 C119EFFF call 004090F8 ; registration name
00517737 |. 8B4D FC mov ecx, dword ptr [ebp-4]
0051773A |. BA C4775100 mov edx, 005177C4 ; user
0051773F |. 33C0 xor eax, eax
00517741 |. E8 BEAFF5FF call 00472704 ; write to registry software\bistonesoft\colorcatcher\
00517746 |. 8D55 F0 lea edx, dword ptr [ebp-10]
00517749 |. 8B83 94030000 mov eax, dword ptr [ebx+394]
0051774F |. E8 C89AF3FF call 0045121C ; get the entered serial
00517754 |. 8B45 F0 mov eax, dword ptr [ebp-10]
00517757 |. 8D55 F4 lea edx, dword ptr [ebp-C]
0051775A |. E8 9919EFFF call 004090F8 ; validation: strip spaces
0051775F |. 8B4D F4 mov ecx, dword ptr [ebp-C]
00517762 |. BA D4775100 mov edx, 005177D4 ; no
00517767 |. 33C0 xor eax, eax
00517769 |. E8 96AFF5FF call 00472704 ; write to registry
0051776E |. B8 E0775100 mov eax, 005177E0 ; please restart your color catcher to verify your key!
00517773 |. E8 78A5F2FF call 00441CF0 ; restart-to-verify prompt dialog
Restart-to-verify type. Since we know it writes to the registry, we could of course set a registry breakpoint, but I took a shortcut: the strings "user" and "no" are hints, so a string search also gets us straight there:
00518C08 |. A1 24F65100 mov eax, dword ptr [51F624]
00518C0D |. 8B00 mov eax, dword ptr [eax]
00518C0F |. E8 70A1F5FF call 00472D84 ; key call
00518C14 |. 84C0 test al, al
00518C16 |. 75 3D jnz short 00518C55 ; key jump, patch point
00518C18 |. 8BC3 mov eax, ebx
00518C1A |. E8 F9FDFFFF call 00518A18
00518C1F |. 8D45 FC lea eax, dword ptr [ebp-4]
00518C22 |. 50 push eax
00518C23 |. A1 24F65100 mov eax, dword ptr [51F624]
00518C28 |. 8B00 mov eax, dword ptr [eax]
00518C2A |. E8 51A0F5FF call 00472C80
00518C2F |. 8945 F4 mov dword ptr [ebp-C], eax
00518C32 |. C645 F8 00 mov byte ptr [ebp-8], 0
00518C36 |. 8D55 F4 lea edx, dword ptr [ebp-C]
00518C39 |. 33C9 xor ecx, ecx
00518C3B |. B8 508D5100 mov eax, 00518D50 ; ASCII "You have %d times left!"
00518C40 |. E8 DB15EFFF call 0040A220
00518C45 |. 8B55 FC mov edx, dword ptr [ebp-4]
00518C48 |. 8B83 9C030000 mov eax, dword ptr [ebx+39C]
00518C4E |. E8 F985F3FF call 0045124C
00518C53 |. EB 07 jmp short 00518C5C
If AL=0 the trial path is taken; if AL is nonzero, the registered path. Step into the key call:
00472D84 /$ 55 push ebp
00472D85 |. 8BEC mov ebp, esp
00472D87 |. 6A 00 push 0
00472D89 |. 6A 00 push 0
00472D8B |. 53 push ebx
00472D8C |. 33C0 xor eax, eax
00472D8E |. 55 push ebp
00472D8F |. 68 E22D4700 push 00472DE2
00472D94 |. 64:FF30 push dword ptr fs:[eax]
00472D97 |. 64:8920 mov dword ptr fs:[eax], esp
00472D9A |. 8D4D FC lea ecx, dword ptr [ebp-4]
00472D9D |. BA F82D4700 mov edx, 00472DF8 ; no
00472DA2 |. 33C0 xor eax, eax
00472DA4 |. E8 43F8FFFF call 004725EC ; read the entered serial from the registry
00472DA9 |. 8B45 FC mov eax, dword ptr [ebp-4]
00472DAC |. 50 push eax
00472DAD |. 8D4D F8 lea ecx, dword ptr [ebp-8]
00472DB0 |. BA 042E4700 mov edx, 00472E04 ; user
00472DB5 |. 33C0 xor eax, eax
00472DB7 |. E8 30F8FFFF call 004725EC ; read the registration name from the registry
00472DBC |. 8B45 F8 mov eax, dword ptr [ebp-8]
00472DBF |. 5A pop edx
00472DC0 |. E8 83F5FFFF call 00472348 ; key call
00472DC5 |. 8BD8 mov ebx, eax ; this is where AL's value comes from, passed to EBX; patch point 2
00472DC7 |. 33C0 xor eax, eax
00472DC9 |. 5A pop edx
00472DCA |. 59 pop ecx
00472DCB |. 59 pop ecx
00472DCC |. 64:8910 mov dword ptr fs:[eax], edx
00472DCF |. 68 E92D4700 push 00472DE9
00472DD4 |> 8D45 F8 lea eax, dword ptr [ebp-8]
00472DD7 |. BA 02000000 mov edx, 2
00472DDC |. E8 2F1EF9FF call 00404C10 ; clear the registration strings from the stack
00472DE1 \. C3 retn
00472DE2 .^ E9 3117F9FF jmp 00404518
00472DE7 .^ EB EB jmp short 00472DD4
00472DE9 . 8BC3 mov eax, ebx ; returned in eax; patch point 3
00472DEB . 5B pop ebx
00472DEC . 59 pop ecx
00472DED . 59 pop ecx
00472DEE . 5D pop ebp
00472DEF . C3 retn
The value of AL comes from call 00472348; keep following:
00472375 |. 64:FF30 push dword ptr fs:[eax]
00472378 |. 64:8920 mov dword ptr fs:[eax], esp
0047237B |. 8D45 FC lea eax, dword ptr [ebp-4]
0047237E |. 8B15 ECDA5100 mov edx, dword ptr [51DAEC] ; ColorCat.004722E4
00472384 |. E8 2F2BF9FF call 00404EB8 ; concatenate the registration name with the fixed string "76#iE*&$Rn@hjhl"
00472389 |. 8D4D F4 lea ecx, dword ptr [ebp-C]
0047238C |. BA 0F000000 mov edx, 0F ; take the first 15 characters
00472391 |. 8B45 FC mov eax, dword ptr [ebp-4]
00472394 |. E8 27ADFCFF call 0043D0C0
00472399 |. 8B55 F4 mov edx, dword ptr [ebp-C]
0047239C |. 8D45 FC lea eax, dword ptr [ebp-4]
0047239F |. E8 E028F9FF call 00404C84
004723A4 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004723A7 |. BA F4234700 mov edx, 004723F4 ; fixed string "bistonecolor"
004723AC |. 8B45 F8 mov eax, dword ptr [ebp-8] ; entered serial
004723AF |. E8 50000000 call 00472404 ; algorithm call
004723B4 |. 8B55 F0 mov edx, dword ptr [ebp-10] ; result of the algorithm
004723B7 |. 8B45 FC mov eax, dword ptr [ebp-4] ; registration name
004723BA |. E8 552CF9FF call 00405014 ; compare call
004723BF |. 0F94C3 sete bl ; sets bl; patch point 4
004723C2 |. 33C0 xor eax, eax
004723C4 |. 5A pop edx
004723C5 |. 59 pop ecx
004723C6 |. 59 pop ecx
004723C7 |. 64:8910 mov dword ptr fs:[eax], edx
004723CA |. 68 E4234700 push 004723E4
004723CF |> 8D45 F0 lea eax, dword ptr [ebp-10]
004723D2 |. BA 04000000 mov edx, 4
004723D7 |. E8 3428F9FF call 00404C10
004723DC \. C3 retn
004723DD .^ E9 3621F9FF jmp 00404518
004723E2 .^ EB EB jmp short 004723CF
004723E4 . 8BC3 mov eax, ebx ; bl passed to al; patch point 5
004723E6 . 5B pop ebx
004723E7 . 8BE5 mov esp, ebp
004723E9 . 5D pop ebp
004723EA . C3 retn
The serial is turned into a string inside the algorithm call and compared with the registration name. No way around it; keep following:
0047243C |. 55 push ebp
0047243D |. 68 7B254700 push 0047257B
00472442 |. 64:FF30 push dword ptr fs:[eax]
00472445 |. 64:8920 mov dword ptr fs:[eax], esp
00472448 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; ASCII "BistoneColor"
0047244B |. 85C0 test eax, eax
0047244D |. 74 05 je short 00472454 ; jump if empty
0047244F |. 83E8 04 sub eax, 4 ; length of ASCII "BistoneColor"
00472452 |. 8B00 mov eax, dword ptr [eax]
00472454 |> 8945 EC mov dword ptr [ebp-14], eax ; if it is 0 the jnz below is not taken
00472457 |. 837D EC 00 cmp dword ptr [ebp-14], 0
0047245B |. 75 0D jnz short 0047246A
0047245D |. 8D45 F8 lea eax, dword ptr [ebp-8]
00472460 |. BA 94254700 mov edx, 00472594 ; bistonecolor
00472465 |. E8 1A28F9FF call 00404C84
0047246A |> 33F6 xor esi, esi
0047246C |. 8D45 DC lea eax, dword ptr [ebp-24]
0047246F |. 50 push eax
00472470 |. B9 02000000 mov ecx, 2 ; length 2
00472475 |. BA 01000000 mov edx, 1
0047247A |. 8B45 FC mov eax, dword ptr [ebp-4] ; entered serial
0047247D |. E8 622CF9FF call 004050E4 ; take the first two characters
00472482 |. 8B4D DC mov ecx, dword ptr [ebp-24]
00472485 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00472488 |. BA AC254700 mov edx, 004725AC ; $
0047248D |. E8 722AF9FF call 00404F04 ; "$" + first two characters
00472492 |. 8B45 E0 mov eax, dword ptr [ebp-20]
00472495 |. 8D55 E8 lea edx, dword ptr [ebp-18]
00472498 |. E8 3F71F9FF call 004095DC ; convert hex string to a number
0047249D |. 84C0 test al, al
0047249F |. 75 0D jnz short 004724AE ; jump if not 0
004724A1 |. 8B45 F0 mov eax, dword ptr [ebp-10]
004724A4 |. E8 4327F9FF call 00404BEC
004724A9 |. E9 A5000000 jmp 00472553
004724AE |> BF 03000000 mov edi, 3 ; start from the third character
004724B3 |> 8D45 D4 /lea eax, dword ptr [ebp-2C]
004724B6 |. 50 |push eax
004724B7 |. B9 02000000 |mov ecx, 2 ; take two characters
004724BC |. 8BD7 |mov edx, edi
004724BE |. 8B45 FC |mov eax, dword ptr [ebp-4]
004724C1 |. E8 1E2CF9FF |call 004050E4
004724C6 |. 8B4D D4 |mov ecx, dword ptr [ebp-2C]
004724C9 |. 8D45 D8 |lea eax, dword ptr [ebp-28]
004724CC |. BA AC254700 |mov edx, 004725AC ; $
004724D1 |. E8 2E2AF9FF |call 00404F04 ; "$" + two characters
004724D6 |. 8B45 D8 |mov eax, dword ptr [ebp-28]
004724D9 |. 8D55 E4 |lea edx, dword ptr [ebp-1C]
004724DC |. E8 FB70F9FF |call 004095DC ; convert hex string to a number
004724E1 |. 84C0 |test al, al
004724E3 |. 75 0A |jnz short 004724EF ; jump if not 0
004724E5 |. 8B45 F0 |mov eax, dword ptr [ebp-10]
004724E8 |. E8 FF26F9FF |call 00404BEC
004724ED |. EB 64 |jmp short 00472553
004724EF |> 3B75 EC |cmp esi, dword ptr [ebp-14] ; check whether all characters of ASCII "BistoneColor" have been consumed
004724F2 |. 7D 03 |jge short 004724F7
004724F4 |. 46 |inc esi ; not yet: take the next character
004724F5 |. EB 05 |jmp short 004724FC
004724F7 |> BE 01000000 |mov esi, 1 ; consumed: start again from the beginning
004724FC |> 8B45 F8 |mov eax, dword ptr [ebp-8] ; ASCII "BistoneColor"
004724FF |. 0FB65C30 FF |movzx ebx, byte ptr [eax+esi-1] ; fetch character
00472504 |. 335D E4 |xor ebx, dword ptr [ebp-1C] ; XOR with the two-digit value taken from the serial starting at position 3
00472507 |. 3B5D E8 |cmp ebx, dword ptr [ebp-18] ; is the result greater than the value of the previous two serial digits?
0047250A |. 7F 0B |jg short 00472517 ; jump if greater
0047250C |. 81C3 FF000000 |add ebx, 0FF ; otherwise add 255
00472512 |. 2B5D E8 |sub ebx, dword ptr [ebp-18] ; subtract the value of the previous two serial digits
00472515 |. EB 03 |jmp short 0047251A
00472517 |> 2B5D E8 |sub ebx, dword ptr [ebp-18] ; subtract the value of the previous two serial digits
0047251A |> 8D45 D0 |lea eax, dword ptr [ebp-30]
0047251D |. 8BD3 |mov edx, ebx
0047251F |. E8 B028F9FF |call 00404DD4 ; save (number to string)
00472524 |. 8B55 D0 |mov edx, dword ptr [ebp-30]
00472527 |. 8D45 F4 |lea eax, dword ptr [ebp-C]
0047252A |. E8 8929F9FF |call 00404EB8 ; append to the result (same concatenation routine as at 00472384)
0047252F |. 8B45 E4 |mov eax, dword ptr [ebp-1C]
00472532 |. 8945 E8 |mov dword ptr [ebp-18], eax
00472535 |. 83C7 02 |add edi, 2
00472538 |. 8B45 FC |mov eax, dword ptr [ebp-4]
0047253B |. E8 6C29F9FF |call 00404EAC
00472540 |. 3BF8 |cmp edi, eax ; has the whole serial been consumed?
00472542 |.^ 0F8C 6BFFFFFF \jl 004724B3 ; if not, keep going
00472548 |. 8B45 F0 mov eax, dword ptr [ebp-10]
0047254B |. 8B55 F4 mov edx, dword ptr [ebp-C]
If the registration name is shorter than 15 characters, the fixed string is appended to pad it to 15.
【Algorithm summary】The algorithm derives the registration name backwards from the registration code.
1. Concatenate the registration name with the fixed string "76#iE*&$Rn@hjhl" and pad to 15 characters to get A;
2. Starting from the third character of the serial, take every two characters as a hex value, XOR it with the ASCII of the next character of the fixed string "BistoneColor", subtract the hex value of the previous two characters, and loop to get result B;
3. If A == B, registration succeeds.
Countless patch points.
For the reverse, you only need to add the previous two-digit value to the ASCII of the name character once, then XOR with the ASCII of the "BistoneColor" character.
Putting it all together, write a VB keygen. The key code of the keygen is as follows:
' Reference string
Const Index1 = "BistoneColorBistoneColor"
Text2.Text = ""
Dim Code As String
Code = Trim(Text1.Text)
If Text1.Text = "" Then Exit Sub
' Pad the registration name to 15 characters
Code = Left((Code & "76#iE*&$Rn@hjhl"), 15)
Dim Reg(15) As Integer
Randomize
Dim IntNum As Integer
' The first value is chosen at random
Reg(0) = (99 - 1) * Rnd() + 1
Dim Name As Integer
Dim temp As Integer
Dim a As Integer
' Compute the remaining 15 values
For a = 1 To 15
temp = (Reg(a - 1) + Asc(Mid(Code, a, 1)))
If temp > 255 Then temp = temp - 255
Reg(a) = temp Xor (Asc(Mid(Index1, a, 1)))
Next
【Copyright notice】Cracking write-ups are notes from learning, and interest is the source of success; this write-up is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!