Magic Photo Editor注册算法分析

weihao · 发表于 2008-4-3 19:09

Magic Photo Editor注册算法分析
【软件名称】Magic Photo Editor
【软件简介】 Magic Photo Editor是一个很简单的图片编辑器，通过它可以很方便的将你的数码照片放到别的美丽的背景中去，使你的照片更漂亮。它是一个共享软件，有30次的试用机会。今天我就来分析一下它的注册算法。
【破解过程】首先用Peid查壳，发现是UPX 0.89.6 - 1.02 / 1.05 - 1.24的壳，这个简单的压缩壳，直接用Peid的脱壳插件即可脱去，再次查壳，可以看到程序是用Borland Delphi 6.0 - 7.0写的。到注册页面注册一下，又注册提示。用OD载入，查找ASCII码“Invalid SerialNumber”，由这个提示双击来到代码处。我们一直往前看，看到注册算法的起始处，一般其实处都会压栈，最后我们在483208处F2下断点，F9运行，进行动态分析。填好注册码，注册，程序段了下来。

00483208  6A 00    PUSH 0          ；断在这里
0048320A  6A 00    PUSH 0
0048320C  49    DEC ECX
0048320D ^ 75 F9    JNZ SHORT MagicPho.00483208
0048320F  51    PUSH ECX
00483210  53    PUSH EBX
00483211  56    PUSH ESI
00483212  8BD8    MOV EBX,EAX
00483214  33C0    XOR EAX,EAX
00483216  55    PUSH EBP
00483217  68 BE334800 PUSH MagicPho.004833BE
0048321C  64:FF30    PUSH DWORD PTR FS:[EAX]
0048321F  64:8920    MOV DWORD PTR FS:[EAX],ESP
00483222  8B83 00030000  MOV EAX,DWORD PTR DS:[EBX+300]
00483228  8B10    MOV EDX,DWORD PTR DS:[EAX]
0048322A  FF52 50    CALL DWORD PTR DS:[EDX+50]
0048322D  3C 01    CMP AL,1
0048322F  0F85 18010000  JNZ MagicPho.0048334D
00483235  8D55 F8    LEA EDX,DWORD PTR SS:[EBP-8]
00483238  8BB3 00030000  MOV ESI,DWORD PTR DS:[EBX+300]
0048323E  8BC6    MOV EAX,ESI
00483240  E8 7F39FBFF CALL MagicPho.00436BC4       ；假注册码长度进入EAX
00483245  8B45 F8    MOV EAX,DWORD PTR SS:[EBP-8]    ；假注册码进入EAX
00483248  8D55 FC    LEA EDX,DWORD PTR SS:[EBP-4]
0048324B  E8 DC54F8FF CALL MagicPho.0040872C
00483250  8B55 FC    MOV EDX,DWORD PTR SS:[EBP-4]    ；假注册码转移到EDX
00483253  8BC6    MOV EAX,ESI
00483255  E8 9A39FBFF CALL MagicPho.00436BF4
0048325A  8D55 F4    LEA EDX,DWORD PTR SS:[EBP-C]
0048325D  8B83 00030000  MOV EAX,DWORD PTR DS:[EBX+300]
00483263  E8 5C39FBFF CALL MagicPho.00436BC4
00483268  837D F4 00 CMP DWORD PTR SS:[EBP-C],0    ；比较注册码是否为空
0048326C  0F84 CF000000  JE MagicPho.00483341
00483272  8D55 EC    LEA EDX,DWORD PTR SS:[EBP-14]
00483275  8B83 00030000  MOV EAX,DWORD PTR DS:[EBX+300]
0048327B  E8 4439FBFF CALL MagicPho.00436BC4
00483280  8B45 EC    MOV EAX,DWORD PTR SS:[EBP-14]
00483283  8D55 F0    LEA EDX,DWORD PTR SS:[EBP-10]
00483286  E8 5152F8FF CALL MagicPho.004084DC       ；小写转化为大写
0048328B  8B45 F0    MOV EAX,DWORD PTR SS:[EBP-10]
0048328E  E8 4DA4FFFF CALL MagicPho.0047D6E0       ；算法call，F7跟入
00483293  84C0    TEST AL,AL
00483295  0F84 9A000000  JE MagicPho.00483335       ；标志位为零，注册失败
0048329B  8D55 E8    LEA EDX,DWORD PTR SS:[EBP-18]
0048329E  8B83 00030000  MOV EAX,DWORD PTR DS:[EBX+300]
004832A4  E8 1B39FBFF CALL MagicPho.00436BC4
004832A9  8B45 E8    MOV EAX,DWORD PTR SS:[EBP-18]
004832AC  E8 D713F8FF CALL MagicPho.00404688
004832B1  83F8 0B    CMP EAX,0B
004832B4  75 7F    JNZ SHORT MagicPho.00483335    ；注册码必须11位
004832B6  8D45 E4    LEA EAX,DWORD PTR SS:[EBP-1C]
004832B9  50    PUSH EAX
004832BA  8D55 DC    LEA EDX,DWORD PTR SS:[EBP-24]
004832BD  8B83 00030000  MOV EAX,DWORD PTR DS:[EBX+300]
004832C3  E8 FC38FBFF CALL MagicPho.00436BC4
004832C8  8B45 DC    MOV EAX,DWORD PTR SS:[EBP-24]
004832CB  8D55 E0    LEA EDX,DWORD PTR SS:[EBP-20]
004832CE  E8 0952F8FF CALL MagicPho.004084DC
004832D3  8B45 E0    MOV EAX,DWORD PTR SS:[EBP-20]
004832D6  B9 01000000 MOV ECX,1
004832DB  BA 0B000000 MOV EDX,0B
004832E0  E8 FB15F8FF CALL MagicPho.004048E0
004832E5  8B45 E4    MOV EAX,DWORD PTR SS:[EBP-1C]    ；第11位的地址进入EAX
004832E8  BA D4334800 MOV EDX,MagicPho.004833D4       ; u
004832ED  E8 DA14F8FF CALL MagicPho.004047CC       ；所以11位必须为u或U
004832F2  75 41    JNZ SHORT MagicPho.00483335
004832F4  8D55 D4    LEA EDX,DWORD PTR SS:[EBP-2C]
004832F7  8B83 00030000  MOV EAX,DWORD PTR DS:[EBX+300]
004832FD  E8 C238FBFF CALL MagicPho.00436BC4
00483302  8B45 D4    MOV EAX,DWORD PTR SS:[EBP-2C]
00483305  8D55 D8    LEA EDX,DWORD PTR SS:[EBP-28]
00483308  E8 CF51F8FF CALL MagicPho.004084DC
0048330D  8B55 D8    MOV EDX,DWORD PTR SS:[EBP-28]
00483310  B8 E0334800 MOV EAX,MagicPho.004833E0       ; magic.bin
00483315  E8 FEA4FFFF CALL MagicPho.0047D818       ；把注册码写入magic.bin中
0048331A  A1 149B4800 MOV EAX,DWORD PTR DS:[489B14]
0048331F  BA F4334800 MOV EDX,MagicPho.004833F4       ; y
00483324  E8 FB10F8FF CALL MagicPho.00404424
00483329  B8 00344800 MOV EAX,MagicPho.00483400       ; successfully registered!
0048332E  E8 25D4FAFF CALL MagicPho.00430758
00483333  EB 22    JMP SHORT MagicPho.00483357
00483335  B8 24344800 MOV EAX,MagicPho.00483424       ; invalid serialnumber!
0048333A  E8 19D4FAFF CALL MagicPho.00430758
0048333F  EB 16    JMP SHORT MagicPho.00483357
00483341  B8 24344800 MOV EAX,MagicPho.00483424       ; invalid serialnumber!
00483346  E8 0DD4FAFF CALL MagicPho.00430758
0048334B  EB 0A    JMP SHORT MagicPho.00483357
0048334D  B8 44344800 MOV EAX,MagicPho.00483444       ; ASCII "Already Registered!"
00483352  E8 01D4FAFF CALL MagicPho.00430758
00483357  A1 5CAD4800 MOV EAX,DWORD PTR DS:[48AD5C]
0048335C  E8 C708FDFF CALL MagicPho.00453C28
00483361  33C0    XOR EAX,EAX
00483363  5A    POP EDX
00483364  59    POP ECX

F7跟入48328E的call，来到这里：

0047D6E0  55    PUSH EBP
0047D6E1  8BEC    MOV EBP,ESP
0047D6E3  B9 04000000 MOV ECX,4
0047D6E8  6A 00    PUSH 0
0047D6EA  6A 00    PUSH 0
0047D6EC  49    DEC ECX
0047D6ED ^ 75 F9    JNZ SHORT MagicPho.0047D6E8
0047D6EF  51    PUSH ECX
0047D6F0  53    PUSH EBX
0047D6F1  8945 FC    MOV DWORD PTR SS:[EBP-4],EAX
0047D6F4  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4] ；假码进入EAX
0047D6F7  E8 7471F8FF CALL MagicPho.00404870
0047D6FC  33C0    XOR EAX,EAX
0047D6FE  55    PUSH EBP
0047D6FF  68 09D84700 PUSH MagicPho.0047D809
0047D704  64:FF30    PUSH DWORD PTR FS:[EAX]
0047D707  64:8920    MOV DWORD PTR FS:[EAX],ESP
0047D70A  8D45 F8    LEA EAX,DWORD PTR SS:[EBP-8]
0047D70D  E8 B2FDFFFF CALL MagicPho.0047D4C4
0047D712  8D4D EC    LEA ECX,DWORD PTR SS:[EBP-14]
0047D715  33D2    XOR EDX,EDX
0047D717  8B45 F8    MOV EAX,DWORD PTR SS:[EBP-8]    ；机器码前十位进入EAX
0047D71A  E8 1DFBFFFF CALL MagicPho.0047D23C       ；将机器码从新排序，得到新的机器码S1
我就不跟入了，直接写出排序的方法：我来举个例子，假设原来是 0123456789，经过排序变成3902645718。
0047D71F  8B55 EC    MOV EDX,DWORD PTR SS:[EBP-14]
0047D722  8D45 F8    LEA EAX,DWORD PTR SS:[EBP-8]
0047D725  E8 3E6DF8FF CALL MagicPho.00404468
0047D72A  8D45 FC    LEA EAX,DWORD PTR SS:[EBP-4]
0047D72D  50    PUSH EAX
0047D72E  B9 0A000000 MOV ECX,0A
0047D733  BA 01000000 MOV EDX,1
0047D738  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]    ；假码进入EAX
0047D73B  E8 A071F8FF CALL MagicPho.004048E0
0047D740  8D4D E8    LEA ECX,DWORD PTR SS:[EBP-18]
0047D743  66:BA 0001 MOV DX,100
0047D747  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
0047D74A  E8 1DFFFFFF CALL MagicPho.0047D66C       ；将假码经过计算得到新的一串字符，F7跟入后的代码写在后面
0047D74F  8B55 E8    MOV EDX,DWORD PTR SS:[EBP-18]
0047D752  8D45 FC    LEA EAX,DWORD PTR SS:[EBP-4]
0047D755  E8 0E6DF8FF CALL MagicPho.00404468
0047D75A  8D4D E4    LEA ECX,DWORD PTR SS:[EBP-1C]
0047D75D  33D2    XOR EDX,EDX
0047D75F  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
0047D762  E8 D5FAFFFF CALL MagicPho.0047D23C       ；加处理后的假码交换位置，方法与上面相同得到S2
0047D767  8B55 E4    MOV EDX,DWORD PTR SS:[EBP-1C]
0047D76A  8D45 FC    LEA EAX,DWORD PTR SS:[EBP-4]
0047D76D  E8 F66CF8FF CALL MagicPho.00404468
0047D772  8D45 F4    LEA EAX,DWORD PTR SS:[EBP-C]
0047D775  50    PUSH EAX
0047D776  B9 04000000 MOV ECX,4
0047D77B  BA 0A000000 MOV EDX,0A
0047D780  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
0047D783  E8 5871F8FF CALL MagicPho.004048E0
0047D788  8D45 F0    LEA EAX,DWORD PTR SS:[EBP-10]
0047D78B  50    PUSH EAX
0047D78C  B9 06000000 MOV ECX,6
0047D791  BA 05000000 MOV EDX,5
0047D796  8B45 FC    MOV EAX,DWORD PTR SS:[EBP-4]
0047D799  E8 4271F8FF CALL MagicPho.004048E0
0047D79E  8D45 E0    LEA EAX,DWORD PTR SS:[EBP-20]
0047D7A1  50    PUSH EAX
0047D7A2  B9 04000000 MOV ECX,4
0047D7A7  BA 01000000 MOV EDX,1
0047D7AC  8B45 F8    MOV EAX,DWORD PTR SS:[EBP-8]
0047D7AF  E8 2C71F8FF CALL MagicPho.004048E0
0047D7B4  8B55 E0    MOV EDX,DWORD PTR SS:[EBP-20] ；S1的前四位进入EDX
0047D7B7  8B45 F4    MOV EAX,DWORD PTR SS:[EBP-C] ；S2的前四位进入EAX
0047D7BA  E8 0572F8FF CALL MagicPho.004049C4    ；比较S1和S2的前四位是否相同
0047D7BF  85C0    TEST EAX,EAX
0047D7C1  7F 25    JG SHORT MagicPho.0047D7E8
0047D7C3  8D45 DC    LEA EAX,DWORD PTR SS:[EBP-24]
0047D7C6  50    PUSH EAX
0047D7C7  B9 06000000 MOV ECX,6
0047D7CC  BA 05000000 MOV EDX,5
0047D7D1  8B45 F8    MOV EAX,DWORD PTR SS:[EBP-8]
0047D7D4  E8 0771F8FF CALL MagicPho.004048E0
0047D7D9  8B55 DC    MOV EDX,DWORD PTR SS:[EBP-24] ；S1剩余的六位进入EDX
0047D7DC  8B45 F0    MOV EAX,DWORD PTR SS:[EBP-10] ；S2剩余的5位进入EAX
0047D7DF  E8 E071F8FF CALL MagicPho.004049C4    ；比较是否相同
0047D7E4  85C0    TEST EAX,EAX
0047D7E6  7E 04    JLE SHORT MagicPho.0047D7EC ；上面两个比较相同，赋1，否则赋0
0047D7E8  B3 01    MOV BL,1
0047D7EA  EB 02    JMP SHORT MagicPho.0047D7EE
0047D7EC  33DB    XOR EBX,EBX
0047D7EE  33C0    XOR EAX,EAX
0047D7F0  5A    POP EDX
0047D7F1  59    POP ECX
0047D7F2  59    POP ECX
0047D7F3  64:8910    MOV DWORD PTR FS:[EAX],EDX
0047D7F6  68 10D84700 PUSH MagicPho.0047D810
0047D7FB  8D45 DC    LEA EAX,DWORD PTR SS:[EBP-24]
0047D7FE  BA 09000000 MOV EDX,9
0047D803  E8 EC6BF8FF CALL MagicPho.004043F4
0047D808  C3    RETN
0047D809 ^ E9 EA65F8FF JMP MagicPho.00403DF8
0047D80E ^ EB EB    JMP SHORT MagicPho.0047D7FB
0047D810  8BC3    MOV EAX,EBX
0047D812  5B    POP EBX
0047D813  8BE5    MOV ESP,EBP
0047D815  5D    POP EBP
0047D816  C3    RETN

F7跟入后，来到这里：

0047D66F  55    PUSH EBP
0047D670  83C4 F8    ADD ESP,-8
0047D673  8BF9    MOV EDI,ECX
0047D675  8BEA    MOV EBP,EDX
0047D677  890424    MOV DWORD PTR SS:[ESP],EAX
0047D67A  8BC7    MOV EAX,EDI
0047D67C  8B1424    MOV EDX,DWORD PTR SS:[ESP]
0047D67F  E8 A06DF8FF CALL MagicPho.00404424
0047D684  8BC7    MOV EAX,EDI
0047D686  E8 4D72F8FF CALL MagicPho.004048D8
0047D68B  8B1424    MOV EDX,DWORD PTR SS:[ESP]
0047D68E  8A12    MOV DL,BYTE PTR DS:[EDX]    ；假码每一位进入DL
0047D690  8810    MOV BYTE PTR DS:[EAX],DL
0047D692  8B0424    MOV EAX,DWORD PTR SS:[ESP]
0047D695  E8 EE6FF8FF CALL MagicPho.00404688    ；假码长度进入EAX
0047D69A  2C 02    SUB AL,2             ；AL=AL-2
0047D69C  72 3A    JB SHORT MagicPho.0047D6D8
0047D69E  40    INC EAX
0047D69F  884424 04 MOV BYTE PTR SS:[ESP+4],AL
0047D6A3  B3 02    MOV BL,2
0047D6A5  8BC7    MOV EAX,EDI
0047D6A7  E8 2C72F8FF CALL MagicPho.004048D8
0047D6AC  8BF3    MOV ESI,EBX
0047D6AE  81E6 FF000000  AND ESI,0FF          ；取末两位
0047D6B4  8B1424    MOV EDX,DWORD PTR SS:[ESP] ；假码进入EDX
0047D6B7  8A5432 FF MOV DL,BYTE PTR DS:[EDX+ESI-1]  ；假码的每一位进入DL
0047D6BB  0FB7CD    MOVZX ECX,BP          ；ECX=BP
0047D6BE  C1E9 08    SHR ECX,8          ；ECX右移8位
0047D6C1  32D1    XOR DL,CL          ；DL=DL Xor CL
0047D6C3  885430 FF MOV BYTE PTR DS:[EAX+ESI-1],DL
0047D6C7  8B07    MOV EAX,DWORD PTR DS:[EDI]
0047D6C9  0FB64430 FF MOVZX EAX,BYTE PTR DS:[EAX+ESI-1] ；假码每一位进入EAX
0047D6CE  66:03E8    ADD BP,AX          ；BP=BP+AX
0047D6D1  43    INC EBX
0047D6D2  FE4C24 04 DEC BYTE PTR SS:[ESP+4]
0047D6D6 ^ 75 CD    JNZ SHORT MagicPho.0047D6A5 ；EBX计数器为零时退出循环
0047D6D8  59    POP ECX
0047D6D9  5A    POP EDX
0047D6DA  5D    POP EBP
0047D6DB  5F    POP EDI
0047D6DC  5E    POP ESI
0047D6DD  5B    POP EBX

这里是对假码前十位处理的一个循环，过程是这样的：
从假码的第二位依次取出，将它与它的前一位累加的和右移8位的值异或得到新的数替换原来该位上的数，这样依次进行，得到了处理后的字符。
这里没有明码比较，但是异或是可逆的，因此很容易写出算法注册机，而且交换的方法也相同，实际操作时就不用交换了，这里我用VB写了注册码前十位的算法：
Private Sub Command1_Click()
b = Text1.Text
tmp = 256
c = Mid(b, 1, 1)
For i = 2 To Len(b)
tmpp = Int(tmp \ 256)
c = c & Chr(Asc(Mid(b, i, 1)) Xor tmpp)
tmp = tmp + Asc(Mid(b, i, 1))
Next i
Text2.Text = c
End Sub
注册成功后保存在magic.bin中，搜索一下就能找到，把它删除，可以重复练习。
  破解到这里结束了，这个软件的算法中没有明码，对于破解的难度是加强了，但是由于有注册错误提示很容易找到算法部分，而且算法是可逆的又是很简单，很容易被破解写出注册机，这里应改进一下。

帐号		自动登录	找回密码
密码			注册[Register]