【软件名称】: 蒲公英WMA/MP3格式转换器 3.9.7.0 这里就不提供链接了,自己百度一下就能找到。
最近也是到一些软件站找软件练习算法分析,刚好找到一个挺符合我的,但是分析的时候真的是一波三折,最后可以算是成功计算出该软件的算法吧!!!⊙﹏⊙b汗!! 先来看看软件界面
非注册用户提示转换的时候有限制
软件查壳得出是Borland Delphi 2009-2010 - www.borland.com 哈哈,又是Delphi的软件,之前分析的几个也是delphi,所以我对这个语言编写的软件还算比较熟悉吧!O(∩_∩)O哈哈~ 好了,既然是Delphi 写的,我们按老规矩,继续使用那个Delphi的按钮事件脚本 输入以下注册信息
点确定后断在这里
[Asm] 纯文本查看 复制代码 007647A4 . 55 push ebp ; "register" button handler: literal name/code checks, empty checks, then the real check in 00764DB8
007647A5 . 8BEC mov ebp,esp
007647A7 . B9 07000000 mov ecx,0x7
007647AC > 6A 00 push 0x0 ; reserve and zero 14 dwords of string locals
007647AE . 6A 00 push 0x0
007647B0 . 49 dec ecx
007647B1 .^ 75 F9 jnz short wma-conv.007647AC
007647B3 . 53 push ebx
007647B4 . 56 push esi
007647B5 . 57 push edi
007647B6 . 8BD8 mov ebx,eax ; ebx = Self (form); [ebx+0x3A4] is read as the name edit, [ebx+0x3A0] as the code edit below
007647B8 . 33C0 xor eax,eax
007647BA . 55 push ebp
007647BB . 68 D5497600 push wma-conv.007649D5 ; outer exception frame (handler 007649D5)
007647C0 . 64:FF30 push dword ptr fs:[eax]
007647C3 . 64:8920 mov dword ptr fs:[eax],esp
007647C6 . 33D2 xor edx,edx
007647C8 . 55 push ebp
007647C9 . 68 45497600 push wma-conv.00764945 ; inner exception frame (handler 00764945)
007647CE . 64:FF32 push dword ptr fs:[edx]
007647D1 . 64:8922 mov dword ptr fs:[edx],esp
007647D4 . 8D55 F8 lea edx,dword ptr ss:[ebp-0x8]
007647D7 . 8B83 A4030000 mov eax,dword ptr ds:[ebx+0x3A4] ; name edit control
007647DD . E8 2E4FDFFF call wma-conv.00559710 ; read its text into [ebp-0x8]
007647E2 . 8B45 F8 mov eax,dword ptr ss:[ebp-0x8] ; user name
007647E5 . 8D55 FC lea edx,dword ptr ss:[ebp-0x4]
007647E8 . E8 0307CBFF call wma-conv.00414EF0 ; string helper (body not shown) -> [ebp-0x4]
007647ED . 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; user name
007647F0 . BA F0497600 mov edx,wma-conv.007649F0 ; literal "user3827"
007647F5 . E8 5E3ACAFF call wma-conv.00408258 ; string compare eax vs edx; ZF=1 when equal (presumably the RTL equality routine)
007647FA . 0F84 A0000000 je wma-conv.007648A0 ; name == "user3827" -> early-exit path at 007648A0
00764800 . 8D55 F0 lea edx,dword ptr ss:[ebp-0x10]
00764803 . 8B83 A0030000 mov eax,dword ptr ds:[ebx+0x3A0] ; code edit control
00764809 . E8 024FDFFF call wma-conv.00559710 ; read its text into [ebp-0x10]
0076480E . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10] ; entered code
00764811 . 8D55 F4 lea edx,dword ptr ss:[ebp-0xC]
00764814 . E8 D706CBFF call wma-conv.00414EF0
00764819 . 8B45 F4 mov eax,dword ptr ss:[ebp-0xC] ; entered code
0076481C . BA 104A7600 mov edx,wma-conv.00764A10 ; literal "138296314"
00764821 . E8 323ACAFF call wma-conv.00408258
00764826 . 74 78 je short wma-conv.007648A0 ; code == "138296314" -> early-exit path
00764828 . 8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
0076482B . 8B83 A4030000 mov eax,dword ptr ds:[ebx+0x3A4] ; name edit control (re-read)
00764831 . E8 DA4EDFFF call wma-conv.00559710
00764836 . 8B45 E8 mov eax,dword ptr ss:[ebp-0x18] ; user name
00764839 . 8D55 EC lea edx,dword ptr ss:[ebp-0x14]
0076483C . E8 AF06CBFF call wma-conv.00414EF0
00764841 . 8B45 EC mov eax,dword ptr ss:[ebp-0x14] ; user name
00764844 . BA 304A7600 mov edx,wma-conv.00764A30 ; literal "user3825"
00764849 . E8 0A3ACAFF call wma-conv.00408258
0076484E . 74 50 je short wma-conv.007648A0 ; name == "user3825" -> early-exit path
00764850 . 8D55 E0 lea edx,dword ptr ss:[ebp-0x20]
00764853 . 8B83 A4030000 mov eax,dword ptr ds:[ebx+0x3A4] ; name edit control
00764859 . E8 B24EDFFF call wma-conv.00559710
0076485E . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20] ; user name
00764861 . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]
00764864 . E8 8706CBFF call wma-conv.00414EF0
00764869 . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] ; user name
0076486C . BA 504A7600 mov edx,wma-conv.00764A50 ; literal "user3826"
00764871 . E8 E239CAFF call wma-conv.00408258
00764876 . 74 28 je short wma-conv.007648A0 ; name == "user3826" -> early-exit path
00764878 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
0076487B . 8B83 A4030000 mov eax,dword ptr ds:[ebx+0x3A4] ; name edit control
00764881 . E8 8A4EDFFF call wma-conv.00559710
00764886 . 8B45 D8 mov eax,dword ptr ss:[ebp-0x28] ; user name
00764889 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
0076488C . E8 5F06CBFF call wma-conv.00414EF0
00764891 . 8B45 DC mov eax,dword ptr ss:[ebp-0x24] ; user name
00764894 . BA 704A7600 mov edx,wma-conv.00764A70 ; literal "user3828"
00764899 . E8 BA39CAFF call wma-conv.00408258
0076489E . 75 1F jnz short wma-conv.007648BF ; none of the literals matched -> continue with the real check
007648A0 > B8 88130000 mov eax,0x1388 ; early-exit path (a literal name/code matched): busy-wait 5000 iterations
007648A5 > 48 dec eax
007648A6 .^ 75 FD jnz short wma-conv.007648A5
007648A8 . A1 642A7900 mov eax,dword ptr ds:[0x792A64]
007648AD . E8 2ED5D9FF call wma-conv.00501DE0 ; same call the empty-name / empty-code paths make below (body not shown)
007648B2 . 33C0 xor eax,eax
007648B4 . 5A pop edx ; unwind the inner exception frame pushed at 007647C8
007648B5 . 59 pop ecx
007648B6 . 59 pop ecx
007648B7 . 64:8910 mov dword ptr fs:[eax],edx
007648BA . E9 98000000 jmp wma-conv.00764957 ; leave without calling 00764DB8
007648BF > \8D55 D0 lea edx,dword ptr ss:[ebp-0x30]
007648C2 . 8B83 A4030000 mov eax,dword ptr ds:[ebx+0x3A4] ; name edit control
007648C8 . E8 434EDFFF call wma-conv.00559710
007648CD . 8B45 D0 mov eax,dword ptr ss:[ebp-0x30] ; user name
007648D0 . 8D55 D4 lea edx,dword ptr ss:[ebp-0x2C]
007648D3 . E8 1806CBFF call wma-conv.00414EF0
007648D8 . 837D D4 00 cmp dword ptr ss:[ebp-0x2C],0x0 ; empty name? (a nil pointer is the empty string here)
007648DC . 75 0C jnz short wma-conv.007648EA
007648DE . A1 642A7900 mov eax,dword ptr ds:[0x792A64]
007648E3 . E8 F8D4D9FF call wma-conv.00501DE0 ; empty name -> same call as the early-exit path
007648E8 . EB 51 jmp short wma-conv.0076493B
007648EA > 8D55 C8 lea edx,dword ptr ss:[ebp-0x38]
007648ED . 8B83 A0030000 mov eax,dword ptr ds:[ebx+0x3A0] ; code edit control
007648F3 . E8 184EDFFF call wma-conv.00559710
007648F8 . 8B45 C8 mov eax,dword ptr ss:[ebp-0x38] ; entered code
007648FB . 8D55 CC lea edx,dword ptr ss:[ebp-0x34]
007648FE . E8 ED05CBFF call wma-conv.00414EF0
00764903 . 837D CC 00 cmp dword ptr ss:[ebp-0x34],0x0 ; empty code?
00764907 . 75 0C jnz short wma-conv.00764915
00764909 . A1 642A7900 mov eax,dword ptr ds:[0x792A64]
0076490E . E8 CDD4D9FF call wma-conv.00501DE0 ; empty code -> same call as above
00764913 . EB 26 jmp short wma-conv.0076493B
00764915 > 8BC3 mov eax,ebx ; Self
00764917 . E8 9C040000 call wma-conv.00764DB8 ; the real check: name hash vs parsed code (see 00764DB8); Boolean returned in AL
0076491C . 84C0 test al,al ; Delphi Boolean result lives in AL
0076491E . 74 09 je short wma-conv.00764929 ; False -> failure branch (not listed)
00764920 . 8BC3 mov eax,ebx ; listing truncated by the author here
小结: 1.先检测用户名是否等于“user3827”、“user3828”、“user3825”、“user3826” 2.接着检测注册码是否等于“138296314” 3.以上任意一项命中都会跳到 007648A0:先空转 0x1388 次,再对全局 [0x792A64] 调用 00501DE0(和下面用户名/注册码为空时走的是同一个调用),然后直接跳到 00764957 返回,根本不会进入 00764DB8——看起来是一份黑名单,对分析算法本身没有影响,可以不用管它。 4.一般经过关键 call 后都紧跟着 test al,al:Delphi 的 Boolean 函数把返回值放在 AL 里,call 后的 test al,al 就是在判断返回的 True/False,这也是快速定位验证函数的一个特征。 00764917 . E8 9C040000 call wma-conv.00764DB8 ; 算法call 好了,我们进入这个call进一步分析算法吧!!
[Asm] 纯文本查看 复制代码 00764DB8 /$ 55 push ebp ; core check: hash the user name, parse the entered code as an integer, compare; returns a Boolean in AL
00764DB9 |. 8BEC mov ebp,esp
00764DBB |. 83C4 E8 add esp,-0x18 ; 0x18 bytes of locals
00764DBE |. 53 push ebx
00764DBF |. 56 push esi
00764DC0 |. 33D2 xor edx,edx
00764DC2 |. 8955 E8 mov [local.6],edx ; local.6 = entered code string
00764DC5 |. 8955 EC mov [local.5],edx ; local.5 = one-character substring
00764DC8 |. 8955 FC mov [local.1],edx ; local.1 = user name
00764DCB |. 8945 F8 mov [local.2],eax ; local.2 = Self (form), passed in eax by the caller
00764DCE |. 33C0 xor eax,eax
00764DD0 |. 55 push ebp
00764DD1 |. 68 D44E7600 push wma-conv.00764ED4 ; exception frame; 00764ED4 leads to the finally block at 00764EBB
00764DD6 |. 64:FF30 push dword ptr fs:[eax]
00764DD9 |. 64:8920 mov dword ptr fs:[eax],esp
00764DDC |. 33DB xor ebx,ebx ; ebx = running hash, starts at 0
00764DDE |. 8D55 FC lea edx,[local.1]
00764DE1 |. 8B45 F8 mov eax,[local.2]
00764DE4 |. 8B80 A4030000 mov eax,dword ptr ds:[eax+0x3A4] ; name edit control
00764DEA |. E8 2149DFFF call wma-conv.00559710 ; read its text into local.1
00764DEF |. 8B45 FC mov eax,[local.1] ; user name
00764DF2 |. 85C0 test eax,eax
00764DF4 |. 74 16 je short wma-conv.00764E0C ; nil pointer = empty string -> length 0
00764DF6 |. 8BD0 mov edx,eax
00764DF8 |. 83EA 0A sub edx,0xA
00764DFB |. 66:833A 02 cmp word ptr ds:[edx],0x2 ; header word at offset -0xA compared with 2 (looks like the element-size field of a Delphi 2009+ string; 2 = UTF-16 -- verify)
00764DFF |. 74 0B je short wma-conv.00764E0C
00764E01 |. 8D45 FC lea eax,[local.1]
00764E04 |. 8B55 FC mov edx,[local.1]
00764E07 |. E8 941ECAFF call wma-conv.00406CA0 ; otherwise convert the string first (helper not shown)
00764E0C |> 85C0 test eax,eax
00764E0E |. 74 05 je short wma-conv.00764E15
00764E10 |. 83E8 04 sub eax,0x4
00764E13 |. 8B00 mov eax,dword ptr ds:[eax] ; length field at offset -4 -> character count
00764E15 |> 8BF0 mov esi,eax ; esi = characters left
00764E17 |. 85F6 test esi,esi
00764E19 |. 7E 37 jle short wma-conv.00764E52 ; empty name: skip the loop, hash stays 0
00764E1B |. C745 F0 01000>mov [local.4],0x1 ; i = 1 (1-based index)
00764E22 |> 8D45 EC /lea eax,[local.5]
00764E25 |. 50 |push eax
00764E26 |. B9 01000000 |mov ecx,0x1 ; count = 1
00764E2B |. 8B55 F0 |mov edx,[local.4] ; index = i
00764E2E |. 8B45 FC |mov eax,[local.1] ; user name
00764E31 |. E8 8A34CAFF |call wma-conv.004082C0 ; local.5 = Copy(name, i, 1) -- presumably
00764E36 |. 8B45 EC |mov eax,[local.5] ; i-th character as a 1-char string
00764E39 |. 8E 2E2DCAFF |call wma-conv.00407B6C ; -> pointer to the character data
00764E3E |. 0FB700 |movzx eax,word ptr ds:[eax] ; eax = UTF-16 code unit of the character (no conversion involved; the debugger just shows it in hex)
00764E41 |. 0FB7C0 |movzx eax,ax
00764E44 |. 03D8 |add ebx,eax ; ebx += ch
00764E46 |. 81F3 05FA0B00 |xor ebx,0xBFA05 ; ebx ^= 0xBFA05 on every iteration ("Sendige" ends at 0xBFCC6)
00764E4C |. FF45 F0 |inc [local.4] ; i++
00764E4F |. 4E |dec esi
00764E50 |.^ 75 D0 \jnz short wma-conv.00764E22
00764E52 |> A1 702A7900 mov eax,dword ptr ds:[0x792A70] ; seed from global 0x792A70 (0x051D05E6 in the author's run; who writes it is not shown here)
00764E57 |. 8BD0 mov edx,eax
00764E59 |. C1E0 04 shl eax,0x4
00764E5C |. 03C2 add eax,edx ; eax = seed*17
00764E5E |. 03D8 add ebx,eax ; ebx += seed*17
00764E60 |. 81C3 D4A31300 add ebx,0x13A3D4
00764E66 |. 81F3 8DED5900 xor ebx,0x59ED8D
00764E6C |. 8D55 E8 lea edx,[local.6]
00764E6F |. 8B45 F8 mov eax,[local.2]
00764E72 |. 8B80 A0030000 mov eax,dword ptr ds:[eax+0x3A0] ; code edit control
00764E78 |. E8 9348DFFF call wma-conv.00559710 ; read its text into local.6
00764E7D |. 8B45 E8 mov eax,[local.6] ; entered code
00764E80 |. E8 470ACBFF call wma-conv.004158CC ; parse the code as an integer (004158CC -> 00404F84); raises on a malformed string
00764E85 |. 8BF3 mov esi,ebx ; (author's example: ebx = 0x5754E96D)
00764E87 |. 81F6 2473C400 xor esi,0xC47324 ; expected value = ebx ^ 0xC47324 (example: 0x57909A49)
00764E8D |. 3BC6 cmp eax,esi ; eax = parsed code, esi = value derived from the name
00764E8F |. 75 19 jnz short wma-conv.00764EAA ; mismatch -> Result := False
00764E91 |. C645 F7 01 mov byte ptr ss:[ebp-0x9],0x1 ; Result := True
00764E95 |. B8 682A7900 mov eax,wma-conv.00792A68 ; global string at 0x792A68 := name
00764E9A |. 8B55 FC mov edx,[local.1] ; user name
00764E9D |. E8 3E2CCAFF call wma-conv.00407AE0 ; string assign (presumably)
00764EA2 |. 8935 6C2A7900 mov dword ptr ds:[0x792A6C],esi ; global 0x792A6C := expected value (no registry write in this routine)
00764EA8 |. EB 04 jmp short wma-conv.00764EAE
00764EAA |> C645 F7 00 mov byte ptr ss:[ebp-0x9],0x0 ; Result := False
00764EAE |> 33C0 xor eax,eax
00764EB0 |. 5A pop edx ; unwind the exception frame
00764EB1 |. 59 pop ecx
00764EB2 |. 59 pop ecx
00764EB3 |. 64:8910 mov dword ptr fs:[eax],edx
00764EB6 |. 68 DB4E7600 push wma-conv.00764EDB ; the finally block returns to 00764EDB
00764EBB |> 8D45 E8 lea eax,[local.6] ; finally: release the three string locals
00764EBE |. E8 0D2CCAFF call wma-conv.00407AD0
00764EC3 |. 8D45 EC lea eax,[local.5]
00764EC6 |. E8 052CCAFF call wma-conv.00407AD0
00764ECB |. 8D45 FC lea eax,[local.1]
00764ECE |. E8 FD2BCAFF call wma-conv.00407AD0
00764ED3 \. C3 retn
00764ED4 .^ E9 1313CAFF jmp wma-conv.004061EC ; exception handler stub
00764ED9 .^ EB E0 jmp short wma-conv.00764EBB
00764EDB . 0FB645 F7 movzx eax,byte ptr ss:[ebp-0x9] ; return Result in AL
00764EDF . 5E pop esi
00764EE0 . 5B pop ebx
00764EE1 . 8BE5 mov esp,ebp
00764EE3 . 5D pop ebp
00764EE4 . C3 retn
小结:
1.检测用户名是否为空
2.逐个取出用户名的字符,直接使用该字符的 UTF-16 编码值(movzx eax,word ptr [eax],这里并没有“转换为16进制”,只是调试器按16进制显示而已),和 ebx 相加(ebx 初值为 0),相加后再和 0xBFA05 异或,结果存回 ebx,如此循环到用户名结束,即每一轮 ebx = (ebx + ch) xor 0xBFA05
3.循环结束后还有一串固定运算:ebx = ((ebx + seed*17) + 0x13A3D4) xor 0x59ED8D,其中 seed 是全局 [0x792A70](我这次调试时为 0x051D05E6;shl 4 再加自身就是乘 17),最后在 00764E87 再 xor 0xC47324 得到期望值。具体看我的例子
S=53
xor 53,0xBFA05 = 000BFA56
----------------------------------
e=65
65+ BFA56 = 000BFABB
xor 000BFABB,0xBFA05 = 000000BE
-------------------------------------
n=6E
6E+BE=0000012C
xor 12C,0xBFA05 = 000BFB29
-------------------------------------
d=64
64+BFB29=000BFB8D
xor 000BFB8D,0xBFA05 = 00000188
-------------------------------------
i=69
69+188=000001F1
xor 1F1,0xBFA05 = 000BFBF4
-------------------------------------
g=67
67+BFBF4=000BFC5B
xor BFC5B,0xBFA05 = 65E
-------------------------------------
e=65
65+65E=6C3
xor 6C3,0xBFA05 = BFCC6
-------------------------------------
eax=051D05E6 mov edx,eax
shl eax,0x4 = 51D05E60
51D05E60+051D05E6=56ED6446 add eax,edx
56ED6446+BFCC6=56F9610C
56F9610C+0x13A3D4=570D04E0
xor 570D04E0,0x59ED8D = 5754E96D
xor 5754E96D,0xC47324 =57909A49 这句在地址 00764E87 处
最后用户名计算得出的结果是57909A49
00764E8F |. /75 19 jnz short wma-conv.00764EAA ; 跳了就over 00764E91 |. |C645 F7 01 mov byte ptr ss:[ebp-0x9],0x1 我们直接看这2句,可以看出如果jnz 实现了跳转的话,这样就赋值不了1给[ebp-0x9],所以前面的那句,test al,al 就会跳走,这样就会导致注册失败。 好了,也不用我多说了,这样就能确定出下一个算法call是哪个了。 00764E80 |. E8 470ACBFF call wma-conv.004158CC ; 关键算法 计算注册码的结果
[Asm] 纯文本查看 复制代码 004158CC /$ 53 push ebx ; wrapper: call the integer parser and raise if it reports an error position (StrToInt-like)
004158CD |. 56 push esi
004158CE |. 83C4 F4 add esp,-0xC ; [esp] = error-position out slot, [esp+4..] = exception arguments
004158D1 |. 8BD8 mov ebx,eax ; ebx = code string
004158D3 |. 8BD4 mov edx,esp ; edx -> error-position slot
004158D5 |. 8BC3 mov eax,ebx
004158D7 |. E8 A8F6FEFF call wma-conv.00404F84 ; parse (see 00404F84): eax = value, [esp] = 0 on success, otherwise the (1-based) index of the bad character
004158DC |. 8BF0 mov esi,eax
004158DE |. 833C24 00 cmp dword ptr ss:[esp],0x0
004158E2 |. 74 19 je short wma-conv.004158FD ; taken on success; otherwise fall through and raise
004158E4 |. 895C24 04 mov dword ptr ss:[esp+0x4],ebx ; exception argument: the offending string ...
004158E8 |. C64424 08 11 mov byte ptr ss:[esp+0x8],0x11 ; ... tagged with type 0x11
004158ED |. 8D5424 04 lea edx,dword ptr ss:[esp+0x4]
004158F1 |. A1 B4B47800 mov eax,dword ptr ds:[0x78B4B4]
004158F6 |. 33C9 xor ecx,ecx
004158F8 |. E8 E3EBFFFF call wma-conv.004144E0 ; raise a conversion error (does not return)
004158FD |> 8BC6 mov eax,esi ; return the parsed value
004158FF |. 83C4 0C add esp,0xC
00415902 |. 5E pop esi
00415903 |. 5B pop ebx
00415904 \. C3 retn
这段代码和以前分析的软件很相似,也是有个跳转,如果跳转不跳的话就会触发异常。 004158D7 |. E8 A8F6FEFF call wma-conv.00404F84 ; 注册码算法 我们继续跟进去看看。
[Asm] 纯文本查看 复制代码 00404F84 /$ 53 push ebx ; Val-style integer parser: eax = UTF-16 string, edx -> error-position out; accepts spaces, +/-, and $ / 0x / x / X hex prefixes; returns the value in eax and 0 in [edx] on success
00404F85 |. 56 push esi
00404F86 |. 57 push edi
00404F87 |. 89C6 mov esi,eax ; esi = cursor
00404F89 |. 50 push eax ; save the string start (used to compute the error index)
00404F8A |. 85C0 test eax,eax
00404F8C |. 0F84 83000000 je wma-conv.00405015 ; nil (empty) string -> error
00404F92 |. 31C0 xor eax,eax ; eax = accumulator
00404F94 |. 31DB xor ebx,ebx
00404F96 |. BF CCCCCC0C mov edi,0xCCCCCCC ; decimal overflow limit: eax must not exceed this before *10
00404F9B |> 66:8B1E /mov bx,word ptr ds:[esi] ; bx = current character
00404F9E |. 83C6 02 |add esi,0x2
00404FA1 |. 66:83FB 20 |cmp bx,0x20
00404FA5 |.^ 74 F4 \je short wma-conv.00404F9B ; skip leading spaces
00404FA7 |. B5 00 mov ch,0x0 ; ch = 1 once a '-' sign is seen
00404FA9 |. 66:83FB 2D cmp bx,0x2D ; '-' -> negative
00404FAD |. 74 76 je short wma-conv.00405025
00404FAF |. 66:83FB 2B cmp bx,0x2B ; '+' -> just skip it
00404FB3 |. 74 72 je short wma-conv.00405027
00404FB5 |> 66:83FB 24 cmp bx,0x24 ; '$' -> hex branch
00404FB9 |. 74 74 je short wma-conv.0040502F
00404FBB |. 66:83FB 78 cmp bx,0x78 ; lower-case 'x' (0x78) -> hex branch
00404FBF |. 74 6E je short wma-conv.0040502F
00404FC1 |. 66:83FB 58 cmp bx,0x58 ; upper-case 'X' (0x58) -> hex branch
00404FC5 |. 74 68 je short wma-conv.0040502F
00404FC7 |. 66:83FB 30 cmp bx,0x30 ; leading '0': look for a 0x / 0X prefix
00404FCB |. 75 19 jnz short wma-conv.00404FE6 ; not '0' -> plain decimal
00404FCD |. 66:8B1E mov bx,word ptr ds:[esi] ; character after the '0'
00404FD0 |. 83C6 02 add esi,0x2
00404FD3 |. 66:83FB 78 cmp bx,0x78 ; "0x" -> hex branch
00404FD7 |. 74 56 je short wma-conv.0040502F
00404FD9 |. 66:83FB 58 cmp bx,0x58 ; "0X" -> hex branch
00404FDD |. 74 50 je short wma-conv.0040502F
00404FDF |. 66:85DB test bx,bx
00404FE2 |. 74 27 je short wma-conv.0040500B ; just "0" -> value 0
00404FE4 |. EB 05 jmp short wma-conv.00404FEB
00404FE6 |> 66:85DB test bx,bx
00404FE9 |. 74 35 je short wma-conv.00405020 ; nothing after the sign/spaces -> error
00404FEB |> 66:83EB 30 /sub bx,0x30 ; digit = ch - '0'
00404FEF |. 66:83FB 09 |cmp bx,0x9 ; unsigned compare: letters, symbols and characters below '0' all end up > 9
00404FF3 |. 77 2B |ja short wma-conv.00405020 ; not a decimal digit -> error
00404FF5 |. 39F8 |cmp eax,edi ; overflow guard: eax > 0xCCCCCCC would overflow on *10
00404FF7 |. 77 27 |ja short wma-conv.00405020
00404FF9 |. 8D0480 |lea eax,dword ptr ds:[eax+eax*4] ; eax*5
00404FFC |. 01C0 |add eax,eax ; *2 -> eax*10
00404FFE |. 01D8 |add eax,ebx ; + digit
00405000 |. 66:8B1E |mov bx,word ptr ds:[esi] ; next character
00405003 |. 83C6 02 |add esi,0x2
00405006 |. 66:85DB |test bx,bx
00405009 |.^ 75 E0 \jnz short wma-conv.00404FEB ; loop until the terminating NUL
0040500B |> FECD dec ch ; was there a '-'?
0040500D |. 74 0B je short wma-conv.0040501A
0040500F |. 85C0 test eax,eax
00405011 |. 7D 68 jge short wma-conv.0040507B ; positive result must have bit 31 clear ...
00405013 |. EB 0B jmp short wma-conv.00405020 ; ... otherwise it overflowed -> error
00405015 |> 83C6 02 add esi,0x2 ; error with the cursor stepped past the offending character
00405018 |. EB 06 jmp short wma-conv.00405020
0040501A |> F7D8 neg eax ; negative: negate, result must be <= 0
0040501C |. 7E 5D jle short wma-conv.0040507B
0040501E |. 78 5B js short wma-conv.0040507B
00405020 |> 5B pop ebx ; error exit: ebx = string start
00405021 |. 29DE sub esi,ebx ; byte offset of the cursor ...
00405023 |. EB 59 jmp short wma-conv.0040507E ; ... >>1 below gives the 1-based character index stored in [edx]
00405025 |> FEC5 inc ch ; '-' -> mark negative
00405027 |> 66:8B1E mov bx,word ptr ds:[esi] ; consume the sign and redo the prefix checks
0040502A |. 83C6 02 add esi,0x2
0040502D |.^ EB 86 jmp short wma-conv.00404FB5
0040502F |> BF FFFFFF0F mov edi,0xFFFFFFF ; hex branch: overflow limit before <<4 (the full 32 bits are allowed)
00405034 |. 66:8B1E mov bx,word ptr ds:[esi]
00405037 |. 83C6 02 add esi,0x2
0040503A |. 66:85DB test bx,bx
0040503D |.^ 74 D6 je short wma-conv.00405015 ; prefix with no digits -> error
0040503F |> 66:83FB 61 /cmp bx,0x61
00405043 |. 72 04 |jb short wma-conv.00405049
00405045 |. 66:83EB 20 |sub bx,0x20 ; 'a'.. -> upper case
00405049 |> 66:83EB 30 |sub bx,0x30 ; '0'..'9' -> 0..9
0040504D |. 66:83FB 09 |cmp bx,0x9
00405051 |. 76 0E |jbe short wma-conv.00405061
00405053 |. 66:83EB 11 |sub bx,0x11 ; 'A'..'F' -> 0..5 ...
00405057 |. 66:83FB 05 |cmp bx,0x5
0040505B |.^ 77 C3 |ja short wma-conv.00405020 ; anything else -> error
0040505D |. 66:83C3 0A |add bx,0xA ; ... -> 10..15
00405061 |> 39F8 |cmp eax,edi
00405063 |.^ 77 BB |ja short wma-conv.00405020 ; overflow -> error
00405065 |. C1E0 04 |shl eax,0x4 ; eax = eax*16 + digit
00405068 |. 01D8 |add eax,ebx
0040506A |. 66:8B1E |mov bx,word ptr ds:[esi]
0040506D |. 83C6 02 |add esi,0x2
00405070 |. 66:85DB |test bx,bx
00405073 |.^ 75 CA \jnz short wma-conv.0040503F ; loop until NUL
00405075 |. FECD dec ch
00405077 |. 75 02 jnz short wma-conv.0040507B
00405079 |. F7D8 neg eax ; '-' before a hex value: negate (no sign/range check on this path)
0040507B |> 59 pop ecx ; success: discard the saved start
0040507C |. 31F6 xor esi,esi ; error position 0
0040507E |> D1EE shr esi,1
00405080 |. 8932 mov dword ptr ds:[edx],esi ; [edx] = error position (0 = OK)
00405082 |. 5F pop edi
00405083 |. 5E pop esi
00405084 |. 5B pop ebx
00405085 \. C3 retn
小结: 1.检测注册码是否为空 2.跳过开头的空格 3.检测开头是否有“-”(置负号标记,最后 neg eax) 4.检测开头是否有“+”(直接跳过) 5.检测开头是否有“$”,有则进入 0040502F 的16进制解析分支 6. 注意一下:00404FBB 和 00404FC1 检测的不是同一个字符,0x78 是小写“x”,0x58 是大写“X”,两者都会进入16进制分支。 7.检测开头的“0”:从 00404FCD 开始它会再看下一个字符是不是“x”/“X”,也就是在识别“0x”/“0X”前缀,而不是怕减 0x30 后为空;单独一个“0”直接得到 0。 8.十进制分支:每一位减 0x30 后和 9 比较(无符号比较,所以小于“0”的字符也会失败),大于 9 就出错;同时每次乘 10 之前先和 0xCCCCCCC 比较,超过就出错,结束后 0040500F 还要求结果非负。所以“注册码必须全是 0-9 数字”这个结论只对十进制分支成立——这个函数看起来就是 Delphi 的 StrToInt 一类的整数解析例程,带“$”“0x”“x”“X”前缀的16进制串(a-f/A-F 都认)和带“-”的负数同样能通过。 9.算法分析看下面的例子 例子: 1=31 31-30=1 ebx 0+0*4=0 eax+eax*4 0+0=0 add eax,eax 1+0=1 add eax,ebx 2=32 32-30=2 4*eax+eax 4*1+1=5 5+5=A A+2=C 3=33 33-30=3 4*C+C=3C 3C+3C=78 78+3=7B 4=34 34-30=4 4*7B+7B=267 267+267=4CE 4CE+4=4D2 。 。 。 最后结果等于 075BCD15(即十进制 123456789) 00764E8D |. 3BC6 cmp eax,esi ; eax为注册码计算出来的结果 esi是用户名计算出来的结果 00764E8F |. 75 19 jnz short wma-conv.00764EAA ; 跳了就over
eax=075BCD15 esi=57909A49(注意是 eax 存注册码解析结果,esi 存用户名算出的期望值) 很明显了,这两个结果必须相等,那这里我们怎么办呢??? 其实这个问题我想了差不多一小时,究竟是怎么相等的呢?自己不断举例子,比如用户名为“1”,我可以经过计算得出一个结果,举例子肯定要简单,就 1+1=2 吧,然后对应的注册码举个例子为 3,算法是 3-1=2,这样就能判断出两边是有关系的。卧槽,这样不就是两边都有一个“1”吗?是不是用户名经过某种转换得出注册码,这样才能相等啊。就在自己百思不得其解的时候,我把 075BCD15 转换为10进制,惊喜地得出:123456789——这不就是我刚才输入的假码吗。所以这里已经很明显了:注册码那边的“算法”其实只是把输入的字符串按数字解析(进制转换)而已,高手应该一眼就能看出来。 所以注册码就是用户名计算出来的那个 32 位值 57909A49 转成十进制后的数字!! 用户名:Sendige 最后的注册码为:1469094473 补充两点:(1)既然 00404F84 也认16进制,那么直接输入 $57909A49 效果是一样的;(2)十进制分支在 00404FF5 和 0040500F 两处把正数限制在 0x7FFFFFFF 以内,所以如果某个用户名算出来的期望值最高位为 1,十进制形式的注册码会被判错,只能用“$”前缀的16进制形式输入(0040502F 分支允许完整的 32 位),理论上带“-”的负数写法也可以。
不过这里有个小问题,希望能有大神帮我解决下。软件确实是注册成功了,但是注册表写不进相关的注册信息,所以打开软件后还是显示为未注册版本,但是,当我按添加按钮添加一个音乐进去后,点击开始转换,它还是提示我注册,而我关闭那个注册窗口后,软件又会继续检测我刚才输入的用户名和注册码,当然肯定是注册成功的。 从下面 007736D0 可以看到启动时是怎么读注册信息的:打开 HKEY_CURRENT_USER(0x80000001)下的 \Software\Microsoft\Windows\CurrentVersion\Explorer\Superbgestive,读字符串值 FName(每个字符减 5 还原)和整数值 FPass(xor 0xB30A 还原),填回两个控件后再调用 0077393C 验证。注册成功那条路径(00764E91)在本文贴出的代码里只把用户名写到全局 0x792A68、把期望值写到 0x792A6C,写注册表的代码不在贴出的片段里;要查为什么没写进去,可以在 RegCreateKeyExW / RegSetValueExW 下断点,看有没有被调用、返回值是什么。另外注意:这套存储只是“字符加 5”和“xor 0xB30A”的简单混淆,能读 HKCU 的任何程序都能直接还原,而且验证完全在客户端完成。
软件开始检测注册信息代码段 [Asm] 纯文本查看 复制代码 00775108 . 53 push ebx ; 未注册
00775109 . 8BD8 mov ebx,eax
0077510B . C705 8C2A7900>mov dword ptr ds:[0x792A8C],0x51D05E6
00775115 . BA 3C517700 mov edx,wma-conv.0077513C ; UNICODE "蒲公英WMA/MP3格式转换器 - 未注册"
0077511A . A1 802A7900 mov eax,dword ptr ds:[0x792A80]
0077511F . E8 8020D6FF call wma-conv.004D71A4
00775124 . 8BC3 mov eax,ebx
00775126 . E8 A5E5FFFF call wma-conv.007736D0 验证注册码是否正确
0077512B . 5B pop ebx ; wma-conv.0077512B
0077512C . C3 retn
[Asm] 纯文本查看 复制代码 007736D0 /$ 55 push ebp ; load the saved registration from HKCU, de-obfuscate it into the two controls, then validate
007736D1 |. 8BEC mov ebp,esp
007736D3 |. 33C9 xor ecx,ecx
007736D5 |. 51 push ecx ; six zeroed locals
007736D6 |. 51 push ecx
007736D7 |. 51 push ecx
007736D8 |. 51 push ecx
007736D9 |. 51 push ecx
007736DA |. 51 push ecx
007736DB |. 53 push ebx
007736DC |. 56 push esi
007736DD |. 57 push edi
007736DE |. 8BF0 mov esi,eax ; esi = Self
007736E0 |. 33C0 xor eax,eax
007736E2 |. 55 push ebp
007736E3 |. 68 66387700 push wma-conv.00773866 ; exception frame
007736E8 |. 64:FF30 push dword ptr fs:[eax]
007736EB |. 64:8920 mov dword ptr fs:[eax],esp
007736EE |. B2 01 mov dl,0x1 ; dl=1: construct a new instance ...
007736F0 |. A1 B0FC4400 mov eax,dword ptr ds:[0x44FCB0] ; ... of the class at 0x44FCB0 (a registry wrapper, judging by the calls that follow)
007736F5 |. E8 12E7CDFF call wma-conv.00451E0C
007736FA |. 8BF8 mov edi,eax ; edi = registry object
007736FC |. BA 01000080 mov edx,0x80000001 ; HKEY_CURRENT_USER
00773701 |. 8BC7 mov eax,edi
00773703 |. E8 ECE7CDFF call wma-conv.00451EF4 ; set root key
00773708 |. 33C9 xor ecx,ecx ; third argument = 0 (would be CanCreate=False if this is TRegistry.OpenKey -- unconfirmed)
0077370A |. BA 80387700 mov edx,wma-conv.00773880 ; \Software\Microsoft\Windows\CurrentVersion\Explorer\Superbgestive (key path under HKCU)
0077370F |. 8BC7 mov eax,edi
00773711 |. E8 26E9CDFF call wma-conv.0045203C ; open the key; AL = success
00773716 |. 84C0 test al,al
00773718 |. 0F84 06010000 je wma-conv.00773824 ; key not present -> clear both controls
0077371E |. 8D45 F8 lea eax,[local.2]
00773721 |. 33D2 xor edx,edx
00773723 |. E8 0C44C9FF call wma-conv.00407B34 ; local.2 := '' (the decoded name is accumulated here)
00773728 |. 8D4D FC lea ecx,[local.1]
0077372B |. BA 10397700 mov edx,wma-conv.00773910 ; value name "FName" (the dump shows it broken as "FN ame")
00773730 |. 8BC7 mov eax,edi
00773732 |. E8 35F3CDFF call wma-conv.00452A6C ; read string value -> local.1
00773737 |. 8B45 FC mov eax,[local.1] ; stored (obfuscated) name
0077373A |. 85C0 test eax,eax
0077373C |. 74 16 je short wma-conv.00773754 ; empty -> length 0
0077373E |. 8BD0 mov edx,eax
00773740 |. 83EA 0A sub edx,0xA
00773743 |. 66:833A 02 cmp word ptr ds:[edx],0x2 ; same string-header check as at 00764DFB
00773747 |. 74 0B je short wma-conv.00773754
00773749 |. 8D45 FC lea eax,[local.1]
0077374C |. 8B55 FC mov edx,[local.1]
0077374F |. E8 4C35C9FF call wma-conv.00406CA0
00773754 |> 85C0 test eax,eax
00773756 |. 74 05 je short wma-conv.0077375D
00773758 |. 83E8 04 sub eax,0x4
0077375B |. 8B00 mov eax,dword ptr ds:[eax] ; length
0077375D |> 8BD8 mov ebx,eax ; ebx = characters left
0077375F |. 85DB test ebx,ebx
00773761 |. 7E 42 jle short wma-conv.007737A5 ; empty -> skip decoding
00773763 |. C745 F4 01000>mov [local.3],0x1 ; i = 1
0077376A |> 8D45 EC /lea eax,[local.5]
0077376D |. 50 |push eax
0077376E |. B9 01000000 |mov ecx,0x1
00773773 |. 8B55 F4 |mov edx,[local.3]
00773776 |. 8B45 FC |mov eax,[local.1] ; local.5 = Copy(stored, i, 1) -- presumably
00773779 |. E8 424BC9FF |call wma-conv.004082C0
0077377E |. 8B45 EC |mov eax,[local.5]
00773781 |. E8 E643C9FF |call wma-conv.00407B6C ; -> character data
00773786 |. 0FB710 |movzx edx,word ptr ds:[eax] ; stored code unit
00773789 |. 83EA 05 |sub edx,0x5 ; decode: each stored character is the real character + 5
0077378C |. 8D45 F0 |lea eax,[local.4]
0077378F |. E8 B844C9FF |call wma-conv.00407C4C ; character -> 1-char string in local.4
00773794 |. 8B55 F0 |mov edx,[local.4]
00773797 |. 8D45 F8 |lea eax,[local.2]
0077379A |. E8 5547C9FF |call wma-conv.00407EF4 ; local.2 += decoded character
0077379F |. FF45 F4 |inc [local.3]
007737A2 |. 4B |dec ebx
007737A3 |.^ 75 C5 \jnz short wma-conv.0077376A
007737A5 |> 8B55 F8 mov edx,[local.2] ; decoded name
007737A8 |. 8B86 0C060000 mov eax,dword ptr ds:[esi+0x60C] ; name control at [esi+0x60C]
007737AE |. E8 F139D6FF call wma-conv.004D71A4 ; set its text
007737B3 |. BA 2C397700 mov edx,wma-conv.0077392C ; value name "FPass" (shown broken as "FP ass")
007737B8 |. 8BC7 mov eax,edi
007737BA |. E8 2DF5CDFF call wma-conv.00452CEC ; read integer value
007737BF |. 35 0AB30000 xor eax,0xB30A ; decode: the stored value is the real value ^ 0xB30A
007737C4 |. 8D55 E8 lea edx,[local.6]
007737C7 |. E8 6C1ECAFF call wma-conv.00415638 ; integer -> string in local.6
007737CC |. 8B55 E8 mov edx,[local.6]
007737CF |. 8B86 10060000 mov eax,dword ptr ds:[esi+0x610] ; code control at [esi+0x610]
007737D5 |. E8 CA39D6FF call wma-conv.004D71A4 ; set its text
007737DA |. 8BC7 mov eax,edi
007737DC |. E8 1320C9FF call wma-conv.004057F4 ; free the registry object
007737E1 |. 8BC6 mov eax,esi ; Self
007737E3 |. E8 54010000 call wma-conv.0077393C ; validate the two controls (routine not listed here); AL = result
007737E8 |. 84C0 test al,al
007737EA |. 74 1C je short wma-conv.00773808
007737EC |. 33D2 xor edx,edx ; valid: clear both controls (as listed this is identical to the invalid branch; the registered state must be recorded inside 0077393C)
007737EE |. 8B86 0C060000 mov eax,dword ptr ds:[esi+0x60C]
007737F4 |. E8 AB39D6FF call wma-conv.004D71A4
007737F9 |. 33D2 xor edx,edx
007737FB |. 8B86 10060000 mov eax,dword ptr ds:[esi+0x610]
00773801 |. E8 9E39D6FF call wma-conv.004D71A4
00773806 |. EB 36 jmp short wma-conv.0077383E
00773808 |> 33D2 xor edx,edx ; invalid: clear both controls
0077380A |. 8B86 0C060000 mov eax,dword ptr ds:[esi+0x60C]
00773810 |. E8 8F39D6FF call wma-conv.004D71A4
00773815 |. 33D2 xor edx,edx
00773817 |. 8B86 10060000 mov eax,dword ptr ds:[esi+0x610]
0077381D |. E8 8239D6FF call wma-conv.004D71A4
00773822 |. EB 1A jmp short wma-conv.0077383E
00773824 |> 33D2 xor edx,edx ; no key: clear both controls
00773826 |. 8B86 0C060000 mov eax,dword ptr ds:[esi+0x60C]
0077382C |. E8 7339D6FF call wma-conv.004D71A4
00773831 |. 33D2 xor edx,edx
00773833 |. 8B86 10060000 mov eax,dword ptr ds:[esi+0x610]
00773839 |. E8 6639D6FF call wma-conv.004D71A4
0077383E |> 33C0 xor eax,eax
00773840 |. 5A pop edx ; unwind the exception frame
00773841 |. 59 pop ecx
00773842 |. 59 pop ecx
00773843 |. 64:8910 mov dword ptr fs:[eax],edx
00773846 |. 68 6D387700 push wma-conv.0077386D
0077384B |> 8D45 E8 lea eax,[local.6] ; finally: release the string locals
0077384E |. BA 03000000 mov edx,0x3
00773853 |. E8 8042C9FF call wma-conv.00407AD8
00773858 |. 8D45 F8 lea eax,[local.2]
0077385B |. BA 02000000 mov edx,0x2
00773860 |. E8 7342C9FF call wma-conv.00407AD8
00773865 \. C3 retn
为了保障该软件作者的合法权益,注册机就不写了,想写的话也是很简单的,此文仅供研究,请勿用于非法用途,请支持正版!!!本文如有失误,欢迎各位看官指正!!谢谢!