【Title】: 宝宝成长日记 V3.0 algorithm analysis + keygen
【Author】: null
【Author email】: null_vbt@163.com
【Author homepage】: http://hi.baidu.com/null_vbt
【Software】: 宝宝成长日记 V3.0 (Baby Growth Diary)
【Size】: 3.63 MB
【Download】: http://www.newhua.com/soft/100128.htm
【Packer】: none
【Protection】: registration code
【Language】: Borland Delphi 6.0 - 7.0
【Tools】: OD (OllyDbg) / PEiD / 破解计算器 (cracker's calculator) / 密码学综合工具 (crypto toolkit)
【Author's note】: good practice for beginners
--------------------------------------------------------------------------------
【Details】
PEiD reports no packer, Borland Delphi 6.0 - 7.0; the KANAL plugin detects the MD5 algorithm.
Load it in OD, search the string references and find the following registration message:
Address=00676F4D Disassembly=mov eax,BB.0067703C Text string=注册成功,感谢您的支持 (Registration successful, thank you for your support) // double-click or press Enter to follow
00676F4D |. B8 3C706700 mov eax,BB.0067703C ; Registration successful, thank you for your support // you land here
Scroll up to the start of the function; what follows is the Register button's event handler:
00676CBC /. 55 push ebp
00676CBD |. 8BEC mov ebp,esp
00676CBF |. B9 0A000000 mov ecx,0A
00676CC4 |> 6A 00 /push 0
00676CC6 |. 6A 00 |push 0
00676CC8 |. 49 |dec ecx
00676CC9 |.^ 75 F9 \jnz short BB.00676CC4
00676CCB |. 51 push ecx // the small loop above only clears stack space for the locals; set the F2 breakpoint here to save analysis time
00676CCC |. 53 push ebx
00676CCD |. 56 push esi
00676CCE |. 8BD8 mov ebx,eax
00676CD0 |. 33C0 xor eax,eax
00676CD2 |. 55 push ebp
00676CD3 |. 68 A66F6700 push BB.00676FA6
00676CD8 |. 64:FF30 push dword ptr fs:[eax]
00676CDB |. 64:8920 mov dword ptr fs:[eax],esp
00676CDE |. 8D55 F8 lea edx,[local.2]
00676CE1 |. 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
00676CE7 |. E8 500CE1FF call BB.0048793C ; read the registration code from the edit box
00676CEC |. 8B45 F8 mov eax,[local.2]
00676CEF |. 8D55 FC lea edx,[local.1]
00676CF2 |. E8 7D2BD9FF call BB.00409874
00676CF7 |. 8D4D E0 lea ecx,[local.8]
00676CFA |. BA 02000000 mov edx,2
00676CFF |. 8B45 FC mov eax,[local.1]
00676D02 |. E8 0DAEDCFF call BB.00441B14 ; first 2 characters of the code (edx = count; the same routine is called with 8 at 00676E0D)
00676D07 |. 8B45 E0 mov eax,[local.8]
00676D0A |. 8D55 E4 lea edx,[local.7]
00676D0D |. E8 36FCFFFF call BB.00676948 ; prepare the string for the MD5 routine (called before every 006769BC below)
00676D12 |. 8D45 E4 lea eax,[local.7]
00676D15 |. 8D55 F4 lea edx,[local.3]
00676D18 |. E8 9FFCFFFF call BB.006769BC ; MD5(first two characters of the code)
00676D1D |. 8B45 F4 mov eax,[local.3]
00676D20 |. 50 push eax
00676D21 |. 8D55 E4 lea edx,[local.7]
00676D24 |. B8 BC6F6700 mov eax,BB.00676FBC ; 68
00676D29 |. E8 1AFCFFFF call BB.00676948
00676D2E |. 8D45 E4 lea eax,[local.7]
00676D31 |. 8D55 DC lea edx,[local.9]
00676D34 |. E8 83FCFFFF call BB.006769BC ; MD5("68")
00676D39 |. 8B55 DC mov edx,[local.9]
00676D3C |. 58 pop eax
00676D3D |. E8 1EE0D8FF call BB.00404D60 ; compare MD5(first two characters) with MD5("68"), i.e. the code must start with "68"
00676D42 |. 74 3F je short BB.00676D83
00676D44 |. 6A 30 push 30
00676D46 |. 8D55 D8 lea edx,[local.10]
00676D49 |. A1 94D16800 mov eax,dword ptr ds:[68D194]
00676D4E |. 8B00 mov eax,dword ptr ds:[eax]
00676D50 |. E8 5F1EE3FF call BB.004A8BB4
00676D55 |. 8B45 D8 mov eax,[local.10]
00676D58 |. E8 B7E0D8FF call BB.00404E14
00676D5D |. 8BC8 mov ecx,eax
00676D5F |. BA C06F6700 mov edx,BB.00676FC0 ; Invalid registration code, please contact qq:1429635849
00676D64 |. A1 94D16800 mov eax,dword ptr ds:[68D194]
00676D69 |. 8B00 mov eax,dword ptr ds:[eax]
00676D6B |. E8 D024E3FF call BB.004A9240
00676D70 |. 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
00676D76 |. 8B10 mov edx,dword ptr ds:[eax]
00676D78 |. FF92 C4000000 call dword ptr ds:[edx+C4]
00676D7E |. E9 DB010000 jmp BB.00676F5E
00676D83 |> 8B45 FC mov eax,[local.1]
00676D86 |. E8 89DED8FF call BB.00404C14
00676D8B |. 83F8 0A cmp eax,0A ; the code must be exactly 10 characters long
00676D8E |. 74 3F je short BB.00676DCF
00676D90 |. 6A 30 push 30
00676D92 |. 8D55 D4 lea edx,[local.11]
00676D95 |. A1 94D16800 mov eax,dword ptr ds:[68D194]
00676D9A |. 8B00 mov eax,dword ptr ds:[eax]
00676D9C |. E8 131EE3FF call BB.004A8BB4
00676DA1 |. 8B45 D4 mov eax,[local.11]
00676DA4 |. E8 6BE0D8FF call BB.00404E14
00676DA9 |. 8BC8 mov ecx,eax
00676DAB |. BA C06F6700 mov edx,BB.00676FC0 ; Invalid registration code, please contact qq:1429635849
00676DB0 |. A1 94D16800 mov eax,dword ptr ds:[68D194]
00676DB5 |. 8B00 mov eax,dword ptr ds:[eax]
00676DB7 |. E8 8424E3FF call BB.004A9240
00676DBC |. 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
00676DC2 |. 8B10 mov edx,dword ptr ds:[eax]
00676DC4 |. FF92 C4000000 call dword ptr ds:[edx+C4]
00676DCA |. E9 8F010000 jmp BB.00676F5E
00676DCF |> 8D55 C0 lea edx,[local.16]
00676DD2 |. A1 90F86800 mov eax,dword ptr ds:[68F890]
00676DD7 |. 8B80 F8020000 mov eax,dword ptr ds:[eax+2F8]
00676DDD |. E8 5A0BE1FF call BB.0048793C ; read the machine code from the main form's edit box
00676DE2 |. 8B45 C0 mov eax,[local.16]
00676DE5 |. E8 9631D9FF call BB.00409F80 ; machine code string -> integer
00676DEA |. 8BF0 mov esi,eax
00676DEC |. B8 E86F6700 mov eax,BB.00676FE8 ; 20100602
00676DF1 |. E8 8A31D9FF call BB.00409F80
00676DF6 |. 03F0 add esi,eax
00676DF8 |. 8BC6 mov eax,esi
00676DFA |. 8D55 C4 lea edx,[local.15]
00676DFD |. E8 4230D9FF call BB.00409E44 ; IntToStr(machine code + 20100602); note the 32-bit add above has no overflow check
00676E02 |. 8B45 C4 mov eax,[local.15]
00676E05 |. 8D4D C8 lea ecx,[local.14]
00676E08 |. BA 08000000 mov edx,8
00676E0D |. E8 02ADDCFF call BB.00441B14 ; first 8 characters of (machine code + 20100602)
00676E12 |. 8B4D C8 mov ecx,[local.14]
00676E15 |. 8D45 CC lea eax,[local.13]
00676E18 |. BA BC6F6700 mov edx,BB.00676FBC ; 68
00676E1D |. E8 3EDED8FF call BB.00404C60 ; "68" + those 8 characters (string concatenation)
00676E22 |. 8B45 CC mov eax,[local.13]
00676E25 |. 8D55 E4 lea edx,[local.7]
00676E28 |. E8 1BFBFFFF call BB.00676948 ; prepare "68" & first 8 chars of (machine code + 20100602) for hashing
00676E2D |. 8D45 E4 lea eax,[local.7]
00676E30 |. 8D55 D0 lea edx,[local.12]
00676E33 |. E8 84FBFFFF call BB.006769BC ; MD5("68" & first 8 chars of (machine code + 20100602))
00676E38 |. 8B45 D0 mov eax,[local.12]
00676E3B |. 50 push eax
00676E3C |. 8D55 E4 lea edx,[local.7]
00676E3F |. 8B45 FC mov eax,[local.1]
00676E42 |. E8 01FBFFFF call BB.00676948
00676E47 |. 8D45 E4 lea eax,[local.7]
00676E4A |. 8D55 BC lea edx,[local.17]
00676E4D |. E8 6AFBFFFF call BB.006769BC ; MD5 of the entered code (32-char hex)
00676E52 |. 8B55 BC mov edx,[local.17]
00676E55 |. 58 pop eax
00676E56 |. E8 05DFD8FF call BB.00404D60 ; compare MD5("68" & first 8 chars of (machine code + 20100602)) with MD5(entered code)
00676E5B |. 74 3F je short BB.00676E9C
00676E5D |. 6A 30 push 30
00676E5F |. 8D55 B8 lea edx,[local.18]
00676E62 |. A1 94D16800 mov eax,dword ptr ds:[68D194]
00676E67 |. 8B00 mov eax,dword ptr ds:[eax]
00676E69 |. E8 461DE3FF call BB.004A8BB4
00676E6E |. 8B45 B8 mov eax,[local.18]
00676E71 |. E8 9EDFD8FF call BB.00404E14
00676E76 |. 8BC8 mov ecx,eax
00676E78 |. BA C06F6700 mov edx,BB.00676FC0 ; Invalid registration code, please contact qq:1429635849
00676E7D |. A1 94D16800 mov eax,dword ptr ds:[68D194]
00676E82 |. 8B00 mov eax,dword ptr ds:[eax]
00676E84 |. E8 B723E3FF call BB.004A9240
00676E89 |. 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
00676E8F |. 8B10 mov edx,dword ptr ds:[eax]
00676E91 |. FF92 C4000000 call dword ptr ds:[edx+C4]
00676E97 |. E9 C2000000 jmp BB.00676F5E
00676E9C |> A1 40CF6800 mov eax,dword ptr ds:[68CF40]
00676EA1 |. 8B00 mov eax,dword ptr ds:[eax]
00676EA3 |. 8B40 5C mov eax,dword ptr ds:[eax+5C]
00676EA6 |. 33D2 xor edx,edx
00676EA8 |. 8B08 mov ecx,dword ptr ds:[eax]
00676EAA |. FF91 78010000 call dword ptr ds:[ecx+178]
00676EB0 |. 8D55 E4 lea edx,[local.7]
00676EB3 |. 8B45 FC mov eax,[local.1]
00676EB6 |. E8 8DFAFFFF call BB.00676948
00676EBB |. 8D45 E4 lea eax,[local.7]
00676EBE |. 8D55 AC lea edx,[local.21]
00676EC1 |. E8 F6FAFFFF call BB.006769BC
00676EC6 |. 8B45 AC mov eax,[local.21]
00676EC9 |. 8D55 B0 lea edx,[local.20]
00676ECC |. E8 5B2AD9FF call BB.0040992C
00676ED1 |. 8B4D B0 mov ecx,[local.20]
00676ED4 |. 8D45 B4 lea eax,[local.19]
00676ED7 |. BA FC6F6700 mov edx,BB.00676FFC ; update xl set xl = (builds the SQL that stores MD5(code) in the database on success)
00676EDC |. E8 7FDDD8FF call BB.00404C60
00676EE1 |. 8B45 B4 mov eax,[local.19]
00676EE4 |. 50 push eax
00676EE5 |. A1 40CF6800 mov eax,dword ptr ds:[68CF40]
00676EEA |. 8B00 mov eax,dword ptr ds:[eax]
00676EEC |. 8B40 5C mov eax,dword ptr ds:[eax+5C]
00676EEF |. E8 303AFFFF call BB.0066A924
00676EF4 |. 5A pop edx
00676EF5 |. 8B08 mov ecx,dword ptr ds:[eax]
00676EF7 |. FF51 2C call dword ptr ds:[ecx+2C]
00676EFA |. A1 40CF6800 mov eax,dword ptr ds:[68CF40]
00676EFF |. 8B00 mov eax,dword ptr ds:[eax]
00676F01 |. 8B40 5C mov eax,dword ptr ds:[eax+5C]
00676F04 |. E8 4339FFFF call BB.0066A84C
00676F09 |. 33D2 xor edx,edx
00676F0B |. 8B83 F8020000 mov eax,dword ptr ds:[ebx+2F8]
00676F11 |. 8B08 mov ecx,dword ptr ds:[eax]
00676F13 |. FF51 64 call dword ptr ds:[ecx+64]
00676F16 |. 33D2 xor edx,edx
00676F18 |. 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
00676F1E |. 8B08 mov ecx,dword ptr ds:[eax]
00676F20 |. FF51 64 call dword ptr ds:[ecx+64]
00676F23 |. 33D2 xor edx,edx
00676F25 |. 8B83 0C030000 mov eax,dword ptr ds:[ebx+30C]
00676F2B |. 8B08 mov ecx,dword ptr ds:[eax]
00676F2D |. FF51 64 call dword ptr ds:[ecx+64]
00676F30 |. 33D2 xor edx,edx
00676F32 |. 8B83 10030000 mov eax,dword ptr ds:[ebx+310]
00676F38 |. 8B08 mov ecx,dword ptr ds:[eax]
00676F3A |. FF51 64 call dword ptr ds:[ecx+64]
00676F3D |. BA 18706700 mov edx,BB.00677018 ; Registered version, thank you for your support!
00676F42 |. 8B83 14030000 mov eax,dword ptr ds:[ebx+314]
00676F48 |. E8 1F0AE1FF call BB.0048796C
00676F4D |. B8 3C706700 mov eax,BB.0067703C ; Registration successful, thank you for your support
00676F52 |. E8 215FDCFF call BB.0043CE78
00676F57 |. 8BC3 mov eax,ebx
00676F59 |. E8 9AE8E2FF call BB.004A57F8
00676F5E |> 33C0 xor eax,eax
00676F60 |. 5A pop edx
00676F61 |. 59 pop ecx
00676F62 |. 59 pop ecx
00676F63 |. 64:8910 mov dword ptr fs:[eax],edx
00676F66 |. 68 AD6F6700 push BB.00676FAD
00676F6B |> 8D45 AC lea eax,[local.21]
00676F6E |. BA 05000000 mov edx,5
00676F73 |. E8 00DAD8FF call BB.00404978
00676F78 |. 8D45 C0 lea eax,[local.16]
00676F7B |. E8 D4D9D8FF call BB.00404954
00676F80 |. 8D45 C4 lea eax,[local.15]
00676F83 |. BA 08000000 mov edx,8
00676F88 |. E8 EBD9D8FF call BB.00404978
00676F8D |. 8D45 F4 lea eax,[local.3]
00676F90 |> E8 BFD9D8FF call BB.00404954
00676F95 |. 8D45 F8 lea eax,[local.2]
00676F98 |. E8 B7D9D8FF call BB.00404954
00676F9D |. 8D45 FC lea eax,[local.1]
00676FA0 |. E8 AFD9D8FF call BB.00404954
00676FA5 \. C3 retn
From the analysis it is clear that the MD5 in this program is purely decorative: hashing both sides of an equality test decides exactly what the plain string comparison would, and both constants (68 and 20100602) sit in the client binary. The whole algorithm is one line of VB:
Registration code = 68 & Mid(machine code + 20100602, 1, 8)
A VB keygen is posted at: http://www.52pojie.cn/viewthread.php?tid=50550&extra=
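As an added example (not the author's VB keygen linked above and not code from the program), here is the same algorithm in Python, with the program's three checks mirrored next to a plain comparison so you can see that the MD5 changes nothing. Assumptions: the machine code is a decimal string parsed the way StrToInt would (the author's formula adds it as a number), the sum is a 32-bit signed Integer that wraps (the add at 00676DF6 has no overflow check), and the program's MD5 helper hashes the raw ANSI bytes of the string. The sample machine codes are constructed.

```python
import hashlib

PREFIX = "68"          # fixed prefix compared at 00676D3D
CONSTANT = 20100602    # constant added to the machine code at 00676DF6


def to_int32(value: int) -> int:
    """Wrap to a signed 32-bit integer (assumption: Delphi Integer, no overflow check)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def md5_hex(text: str) -> str:
    # Assumption: the program's MD5 helper hashes the ANSI bytes of the string.
    return hashlib.md5(text.encode("latin-1")).hexdigest()


def keygen(machine_code: str) -> str:
    """Registration code = "68" & first 8 chars of IntToStr(machine_code + 20100602)."""
    total = to_int32(int(machine_code) + CONSTANT)   # int() rejects non-numeric input like StrToInt
    return PREFIX + str(total)[:8]


def program_check(code: str, machine_code: str) -> bool:
    """Mirror the checks at 00676D3D, 00676D8B and 00676E56, in that order."""
    if md5_hex(code[:2]) != md5_hex(PREFIX):        # MD5(first two chars) vs MD5("68")
        return False
    if len(code) != 10:                              # length must be 10
        return False
    expected = PREFIX + str(to_int32(int(machine_code) + CONSTANT))[:8]
    return md5_hex(expected) == md5_hex(code)        # MD5(expected) vs MD5(entered)


def plain_check(code: str, machine_code: str) -> bool:
    """Same decision with no hashing: MD5 on both sides of an equality test adds nothing."""
    return code[:2] == PREFIX and len(code) == 10 and code == keygen(machine_code)


if __name__ == "__main__":
    # Constructed machine codes; the last one wraps the 32-bit sum and yields a '-' in the code.
    for mc in ("12345678", "1", "2147483647"):
        code = keygen(mc)
        print(mc, "->", code, program_check(code, mc), plain_check(code, mc))
```

The general lesson this shows: when the client derives the expected code from data it already holds (here the machine code plus two hard-coded constants), the check can always be turned into a keygen, and wrapping both sides of the comparison in a hash does not change that. The third sample also shows a practical keygen detail: because the sum wraps at 32 bits, a large machine code produces a negative number and the registration code then contains a minus sign.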
--------------------------------------------------------------------------------
【Copyright】: Original work by null. When reposting, credit the author and keep the article intact. Thanks!
2010-06-28 10:31:57 AM