上周五看到 http://www.52pojie.cn/thread-525010-1-1.html 这个帖子，楼主只爆破了，没有追注册码。闲来无事，这里把注册算法分析一下，目标是算出能通过校验的真码，而不是改跳转。
运行界面
程序无壳
Delphi的程序
上工具 找到按钮事件
用 IDR 分析一下并生成 MAP 文件，供 OD 加载（下面反汇编里的 _Unit79.TfRegistration.btnRegisterClick、TControl.GetText、System.@UStrCopy 等符号名就来自这份 MAP，没有它在 OD 里只能看到裸地址）。
载入OD分析
注册名填 green
假码 1234-5678-5555-8888
假码不是随便填的：后面会看到校验要求注册码长度不小于 19，并且按 4-4-4-4、用 "-" 分隔的格式在第 5、10、15 位删掉分隔符。所以这里不用 12347890000 这种格式不对的输入（会在长度/格式检查处直接失败，根本走不到算法），而是直接上格式相同的假码。
断到按钮事件那
单步走
[Asm] 纯文本查看 复制代码 006A6198 > . 55 push ebp ; _Unit79.TfRegistration.btnRegisterClick
006A6199 . 8BEC mov ebp,esp
....
006A61CE . 8B80 88030000 mov eax,dword ptr ds:[eax+0x388]
006A61D4 . E8 BF83DFFF call <Magic_Ph._Unit23.TControl.GetText>
006A61D9 . 837D F4 00 cmp dword ptr ss:[ebp-0xC],0x0 ; 判断是否输入注册名
006A61DD . 75 40 jnz short Magic_Ph.006A621F
006A61DF . 6A 40 push 0x40
.......
006A6281 . 8B80 8C030000 mov eax,dword ptr ds:[eax+0x38C]
006A6287 . E8 0C83DFFF call <Magic_Ph._Unit23.TControl.GetText> ;获取注册名
006A628C . 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
006A628F . 50 push eax
006A6290 . 8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
006A6293 . 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; ntdll_1.77BBFB0D
006A6296 . 8B80 88030000 mov eax,dword ptr ds:[eax+0x388]
006A629C . E8 F782DFFF call <Magic_Ph._Unit23.TControl.GetText> ;获取注册码
006A62A1 . 8B45 E8 mov eax,dword ptr ss:[ebp-0x18] ; user32.75350230
006A62A4 . 5A pop edx ; Magic_Ph.004A0421
006A62A5 . E8 1A38F7FF call Magic_Ph.00619AC4 ;跟进去
注意上面 006A61CE 读的是控件 +0x388，而 006A6296 同一偏移的 GetText 被标为注册码，所以第一处空值判断实际检查的是注册码而不是注册名（注册名的空值判断如果有，应在省略的那段里）。到 006A62A5 时，push eax / pop edx 已经把注册名放进 edx、注册码放进 eax，跟进 call Magic_Ph.00619AC4，来到这个 call：
[Asm] 纯文本查看 复制代码 00619B5E . E8 490F0000 call Magic_Ph.0061AAAC
部分代码(有省略)
[Asm] 纯文本查看 复制代码 0061AAAC $ 55 push ebp
0061AAAD . 8BEC mov ebp,esp
0061AAAF . 83C4 F0 add esp,-0x10
...
0061AAD0 . 55 push ebp
0061AAD1 . E8 8AFEFFFF call Magic_Ph.0061A960 ; 注册码校验
0061AAD6 . 59 pop ecx ; 0018E8C4
0061AAD7 . 84C0 test al,al
0061AAD9 . 75 0A jnz short Magic_Ph.0061AAE5
0061AADB . 33C0 xor eax,eax
0061AADD . 5A pop edx ; 0018E8C4
0061AADE . 59 pop ecx ; 0018E8C4
0061AADF . 59 pop ecx ; 0018E8C4
0061AAE0 . 64:8910 mov dword ptr fs:[eax],edx
0061AAE3 . EB 67 jmp short Magic_Ph.0061AB4C
0061AAE5 > 55 push ebp
0061AAE6 . B8 64AB6100 mov eax,Magic_Ph.0061AB64 ; HOME EDITION 版
0061AAEB . E8 10FEFFFF call Magic_Ph.0061A900
0061AAF0 . 59 pop ecx ; 0018E8C4
0061AAF1 . 84C0 test al,al
0061AAF3 . 75 2A jnz short Magic_Ph.0061AB1F
0061AAF5 . 55 push ebp
0061AAF6 . B8 8CAB6100 mov eax,Magic_Ph.0061AB8C ; OFFICE EDITION版
0061AAFB . E8 00FEFFFF call Magic_Ph.0061A900
0061AB00 . 59 pop ecx ; 0018E8C4
0061AB01 . 84C0 test al,al
0061AB03 . 75 1A jnz short Magic_Ph.0061AB1F
0061AB05 . 55 push ebp
0061AB06 . B8 B8AB6100 mov eax,Magic_Ph.0061ABB8 ; COMMERCIAL EDITION版
0061AB0B . E8 F0FDFFFF call Magic_Ph.0061A900
0061AB10 . 59 pop ecx ; 0018E8C4
0061AB11 . 84C0 test al,al
0061AB13 . 75 0A jnz short Magic_Ph.0061AB1F
0061AB15 . 33C0 xor eax,eax
0061AB17 . 5A pop edx ; 0018E8C4
0061AB18 . 59 pop ecx ; 0018E8C4
0061AB19 . 59 pop ecx ; 0018E8C4
0061AB1A . 64:8910 mov dword ptr fs:[eax],edx
0061AB1D . EB 2D jmp short Magic_Ph.0061AB4C
0061AB1F > 55 push ebp
可以发现此程序有三个版本：0061AAE5 起依次用 HOME EDITION、OFFICE EDITION、COMMERCIAL EDITION 三个版本串（放在 eax 里）调用同一个 Magic_Ph.0061A900，任何一次返回 al 非零就跳到 0061AB1F 算注册成功；三次都失败才走 0061AB15 的 xor eax,eax 返回失败。在此之前 0061AAD1 的 call 0061A960 先做一道注册码的格式与校验位检查，不过关就不会进入版本算法。
下面开始分析 call Magic_Ph.0061A960（注册码校验）。
这个 call 的整体功能是：先判断注册码长度（cmp 0x13 / jl，短于 19 个字符直接失败，长于 19 的只用前 19 个字符）；取前 18 位，依次删掉第 15、10、5 位的 "-"，剩下 15 个字符；然后从 1 到 15 按位取出字符，用字符的编码值（movzx 取出的是 UTF-16 码，'0' 是 0x30=48 而不是数字 0）乘以它的位置再累加；把累加和 IntToStr 成十进制串，取末位字符与注册码第 19 位（偏移 0x24）比较，相等则 sete 置 1。也就是说第 19 位只是一个 1 位的校验码，前 15 位任意时它都能按同一规则算出来。
[Asm] 纯文本查看 复制代码 0061A9AE . 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
0061A9B1 > 837D E4 13 cmp dword ptr ss:[ebp-0x1C],0x13 ; 判断注册码长度 19
0061A9B5 . 0F8C B0000000 jl Magic_Ph.0061AA6B
0061A9BB . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
0061A9BE . 50 push eax
0061A9BF . 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
0061A9C2 . 8B40 FC mov eax,dword ptr ds:[eax-0x4]
0061A9C5 . B9 12000000 mov ecx,0x12 ; 取18位 放弃最后一位校验
0061A9CA . BA 01000000 mov edx,0x1
0061A9CF . E8 C4E6DEFF call <Magic_Ph.System.@UStrCopy>
0061A9D4 . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
0061A9D7 . B9 01000000 mov ecx,0x1
0061A9DC . BA 0F000000 mov edx,0xF ; 去掉 -
0061A9E1 . E8 FAE6DEFF call <Magic_Ph.System.@UStrDelete>
0061A9E6 . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
0061A9E9 . B9 01000000 mov ecx,0x1
0061A9EE . BA 0A000000 mov edx,0xA ; 去掉 -
0061A9F3 . E8 E8E6DEFF call <Magic_Ph.System.@UStrDelete>
0061A9F8 . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
0061A9FB . B9 01000000 mov ecx,0x1
0061AA00 . BA 05000000 mov edx,0x5 ; 去掉 -
0061AA05 . E8 D6E6DEFF call <Magic_Ph.System.@UStrDelete>
0061AA0A . 33C0 xor eax,eax
0061AA0C . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
0061AA0F . C745 F8 01000>mov dword ptr ss:[ebp-0x8],0x1
0061AA16 > 8B45 F0 mov eax,dword ptr ss:[ebp-0x10] ; Magic_Ph.006799E8
0061AA19 . 8B55 F8 mov edx,dword ptr ss:[ebp-0x8]
0061AA1C . 0FB74450 FE movzx eax,word ptr ds:[eax+edx*2-0x2] ; 按位取出注册码
0061AA21 . F76D F8 imul dword ptr ss:[ebp-0x8] ; 乘法
0061AA24 . 0145 F4 add dword ptr ss:[ebp-0xC],eax ; 相加
0061AA27 . FF45 F8 inc dword ptr ss:[ebp-0x8]
0061AA2A . 837D F8 10 cmp dword ptr ss:[ebp-0x8],0x10
0061AA2E .^ 75 E6 jnz short Magic_Ph.0061AA16
0061AA30 . 8D55 EC lea edx,dword ptr ss:[ebp-0x14]
0061AA33 . 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
0061AA36 . E8 9175E0FF call <Magic_Ph._Unit6.IntToStr> ; 转成字符串
0061AA3B . 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0061AA3E . 8945 E0 mov dword ptr ss:[ebp-0x20],eax
0061AA41 . 837D E0 00 cmp dword ptr ss:[ebp-0x20],0x0
0061AA45 . 74 0B je short Magic_Ph.0061AA52
0061AA47 . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20]
0061AA4A . 83E8 04 sub eax,0x4
0061AA4D . 8B00 mov eax,dword ptr ds:[eax]
0061AA4F . 8945 E0 mov dword ptr ss:[ebp-0x20],eax
0061AA52 > 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0061AA55 . 8B55 E0 mov edx,dword ptr ss:[ebp-0x20]
0061AA58 . 66:8B4450 FE mov ax,word ptr ds:[eax+edx*2-0x2] ; 取最后一位
0061AA5D . 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
0061AA60 . 8B52 FC mov edx,dword ptr ds:[edx-0x4]
0061AA63 . 66:3B42 24 cmp ax,word ptr ds:[edx+0x24] ; 判断第十九位
0061AA67 . 0f9445 ff sete byte ptr ss:[ebp-0x1] ; 相同则置1
得到的一些中间值：
假码的累加和是 6510，IntToStr 后末位是 '0'，与注册码第 19 位 '8' 比较，不相同，校验失败。
把注册码改成 1234-5678-5555-8880（末位改成 0）重来一遍，就过了最后一位的校验。注意这一步还没有碰版本算法，只是让格式/校验位检查放行。
过了这层判断之后，就来到各个版本的注册码算法。先看 HOME EDITION，来到：
0061AAEB . E8 10FEFFFF call Magic_Ph.0061A900
这是 HOME EDITION 版的算法入口。再进入其中的 0061A925 . E8 A2FCFFFF call Magic_Ph.0061A5CC 分析：
这个 call 把注册名、版本名、软件名称都转成大写，效果如下；
然后按“注册名 + 软件名称 + 版本名 + 一串固定 GUID”的顺序拼接成一个字符串（后三项都是程序自带的常量，只有注册名来自用户输入）：
GREENMAGIC PHOTO RECOVERYHOME EDITION8DE6CF2C-42F3-4709-B8C0-B9BDB0591D4D
对这个字符串用 TIdHash.HashStringAsHex 求 MD5 并转大写，然后从 MD5 的十六进制串里按位取码做变换：外层循环 3 组（第 2、3 组前先拼一个 "-"），内层每组 4 次，取第 (组号*4 + 1 + k) 个字符，对它的字符编码做 IntToStr 得到十进制串，再取这个十进制串的最后一个字符拼到结果里。注意 0061A72E 处注释的“转int”其实是把字符编码转成十进制字符串，0061A753 取的是该串的末位（对 '0'-'9'、'A'-'F' 的编码 48–57、65–70 来说恰好就是第二位）。最后 UStrCopy 取用户输入的前 14 个字符（12 位数字加两个 "-"）与生成的串做 UStrEqual 比较。看详细注释：
[Asm] 纯文本查看 复制代码 0061A6EC . E8 A383FFFF call <Magic_Ph._Unit55.TIdHash.HashStringAsHex> ; 求MD5
0061A6F1 . 8B45 A8 mov eax,dword ptr ss:[ebp-0x58]
0061A6F4 . 8D55 DC lea edx,dword ptr ss:[ebp-0x24]
0061A6F7 . E8 506CE0FF call <Magic_Ph._Unit6.UpperCase>
0061A6FC . 33C0 xor eax,eax
0061A6FE . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
0061A701 > 837D F4 00 cmp dword ptr ss:[ebp-0xC],0x0
0061A705 . 74 0D je short Magic_Ph.0061A714
0061A707 . 8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
0061A70A . BA FCA86100 mov edx,Magic_Ph.0061A8FC ; -
0061A70F . E8 5CE7DEFF call <Magic_Ph.System.@UStrCat>
0061A714 > 33C0 xor eax,eax
0061A716 . 8945 F0 mov dword ptr ss:[ebp-0x10],eax
0061A719 > 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
0061A71C . C1E0 02 shl eax,0x2
0061A71F . 40 inc eax
0061A720 . 0345 F0 add eax,dword ptr ss:[ebp-0x10]
0061A723 . 8B55 DC mov edx,dword ptr ss:[ebp-0x24]
0061A726 . 0FB74442 FE movzx eax,word ptr ds:[edx+eax*2-0x2] ; 取字符串
0061A72B . 8D55 EC lea edx,dword ptr ss:[ebp-0x14]
0061A72E . E8 9978E0FF call <Magic_Ph._Unit6.IntToStr> ; 转int
0061A733 . 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0061A736 . 8945 D4 mov dword ptr ss:[ebp-0x2C],eax
0061A739 . 837D D4 00 cmp dword ptr ss:[ebp-0x2C],0x0
0061A73D . 74 0B je short Magic_Ph.0061A74A
0061A73F . 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C]
0061A742 . 83E8 04 sub eax,0x4
0061A745 . 8B00 mov eax,dword ptr ds:[eax]
0061A747 . 8945 D4 mov dword ptr ss:[ebp-0x2C],eax
0061A74A > 8D45 A0 lea eax,dword ptr ss:[ebp-0x60]
0061A74D . 8B55 EC mov edx,dword ptr ss:[ebp-0x14]
0061A750 . 8B4D D4 mov ecx,dword ptr ss:[ebp-0x2C]
0061A753 . 66:8B544A FE mov dx,word ptr ds:[edx+ecx*2-0x2] ; 取第二位
0061A758 . E8 27E5DEFF call <Magic_Ph.System.@UStrFromWChar>
0061A75D . 8B55 A0 mov edx,dword ptr ss:[ebp-0x60]
0061A760 . 8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
0061A763 . E8 08E7DEFF call <Magic_Ph.System.@UStrCat>
0061A768 . FF45 F0 inc dword ptr ss:[ebp-0x10]
0061A76B . 837D F0 04 cmp dword ptr ss:[ebp-0x10],0x4
0061A76F .^ 75 A8 jnz short Magic_Ph.0061A719 ; 循环取四次
0061A771 . FF45 F4 inc dword ptr ss:[ebp-0xC]
0061A774 . 837D F4 03 cmp dword ptr ss:[ebp-0xC],0x3
0061A778 .^ 75 87 jnz short Magic_Ph.0061A701 ; 循环拼接“-”
0061A77A . 8D45 9C lea eax,dword ptr ss:[ebp-0x64]
0061A77D . 50 push eax
0061A77E . 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
0061A781 . 8B40 FC mov eax,dword ptr ds:[eax-0x4]
0061A784 . B9 0E000000 mov ecx,0xE
0061A789 . BA 01000000 mov edx,0x1
0061A78E . E8 05E9DEFF call <Magic_Ph.System.@UStrCopy>
0061A793 . 8B55 9C mov edx,dword ptr ss:[ebp-0x64]
0061A796 . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
0061A799 . E8 C2E8DEFF call <Magic_Ph.System.@UStrEqual> ; 比较注册码
运算过程产生的中间值：
md5 72833735294F27492B912314F929DD84
注册码 5061-1513-0720
只比较前 12 位（连同两个 "-" 共 14 个字符）。例如 MD5 的前四个字符 '7' '2' '8' '3' 的编码是 55、50、56、51，各取末位得到 5、0、6、1，即第一组 5061；后两组同理得到 1513 和 0720。
再把这 12 位真码补成 5061-1513-0720-8880 去算最后一位校验值：第 16–18 位的 888 不参与 MD5 比较，可以任意填（只是会影响第 19 位的校验值），第 19 位由前 15 位按位置加权求和决定（这里和为 6281，末位为 1）。
得到真码 5061-1513-0720-8881
看到了注册成功的弹框
分析结束。其它的 OFFICE EDITION、COMMERCIAL EDITION 两个版本，从 0061AAF6 和 0061AB06 处可以看到它们走的是同一个 Magic_Ph.0061A900，只是 eax 里传入的版本串不同，算法应该只是拼接串里的版本名换一下，就不占地方了。
总结：分析难度一般，认真分析就能得到关键。
从防护角度看这套注册码比较弱：真码是注册名和几个写死在程序里的常量的 MD5 的确定性变换，校验方式是程序自己算出来再 UStrEqual 直接比较，所以校验代码本身就等于注册机；末位那一道只是 1 位的加权和校验，挡不住任何有心人。要做得稳妥，应当让程序只持有验证能力（例如对注册名和版本做数字签名，程序里只嵌公钥做验签），这样拿到程序也算不出新码。
Delphi 的程序，辅助分析工具（IDR 恢复符号、OD 跟踪）也很强大，省去了很多麻烦。
【破解声明】本文仅做研究所用,供破解技术爱好者学习研究讨论,请勿商用,如喜欢该软件,建议购买正版。 |