Magic Photo Editor registration algorithm analysis
[Software name] Magic Photo Editor
[Software introduction] Magic Photo Editor is a very simple picture editor: with it you can easily place your digital photos onto other beautiful backgrounds to make them prettier. It is shareware with 30 trial uses. Today I will analyse its registration algorithm.
[Cracking process] First check the packer with PEiD: it reports UPX 0.89.6 - 1.02 / 1.05 - 1.24, a simple compression packer that PEiD's unpacking plugin removes directly. Checking again shows the program was written in Borland Delphi 6.0 - 7.0. Go to the registration page and try to register; a registration prompt appears. Load the program in OllyDbg, search for the ASCII string "Invalid SerialNumber", and double-click that reference to reach the code. Scrolling upwards we find the start of the registration routine (such routines usually begin by pushing registers). Set a breakpoint with F2 at 483208 and run with F9 for dynamic analysis. Enter a serial, click register, and the program breaks here.
00483208 6A 00 PUSH 0 ;breaks here
0048320A 6A 00 PUSH 0
0048320C 49 DEC ECX
0048320D ^ 75 F9 JNZ SHORT MagicPho.00483208
0048320F 51 PUSH ECX
00483210 53 PUSH EBX
00483211 56 PUSH ESI
00483212 8BD8 MOV EBX,EAX
00483214 33C0 XOR EAX,EAX
00483216 55 PUSH EBP
00483217 68 BE334800 PUSH MagicPho.004833BE
0048321C 64:FF30 PUSH DWORD PTR FS:[EAX]
0048321F 64:8920 MOV DWORD PTR FS:[EAX],ESP
00483222 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
00483228 8B10 MOV EDX,DWORD PTR DS:[EAX]
0048322A FF52 50 CALL DWORD PTR DS:[EDX+50]
0048322D 3C 01 CMP AL,1
0048322F 0F85 18010000 JNZ MagicPho.0048334D
00483235 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00483238 8BB3 00030000 MOV ESI,DWORD PTR DS:[EBX+300]
0048323E 8BC6 MOV EAX,ESI
00483240 E8 7F39FBFF CALL MagicPho.00436BC4 ;length of the entered serial goes into EAX
00483245 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ;entered serial goes into EAX
00483248 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0048324B E8 DC54F8FF CALL MagicPho.0040872C
00483250 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ;entered serial moved to EDX
00483253 8BC6 MOV EAX,ESI
00483255 E8 9A39FBFF CALL MagicPho.00436BF4
0048325A 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0048325D 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
00483263 E8 5C39FBFF CALL MagicPho.00436BC4
00483268 837D F4 00 CMP DWORD PTR SS:[EBP-C],0 ;check whether the serial is empty
0048326C 0F84 CF000000 JE MagicPho.00483341
00483272 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00483275 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
0048327B E8 4439FBFF CALL MagicPho.00436BC4
00483280 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00483283 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00483286 E8 5152F8FF CALL MagicPho.004084DC ;convert lowercase to uppercase
0048328B 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0048328E E8 4DA4FFFF CALL MagicPho.0047D6E0 ;algorithm call, step in with F7
00483293 84C0 TEST AL,AL
00483295 0F84 9A000000 JE MagicPho.00483335 ;flag is zero, registration fails
0048329B 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0048329E 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
004832A4 E8 1B39FBFF CALL MagicPho.00436BC4
004832A9 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004832AC E8 D713F8FF CALL MagicPho.00404688
004832B1 83F8 0B CMP EAX,0B
004832B4 75 7F JNZ SHORT MagicPho.00483335 ;serial must be 11 characters long
004832B6 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004832B9 50 PUSH EAX
004832BA 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004832BD 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
004832C3 E8 FC38FBFF CALL MagicPho.00436BC4
004832C8 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
004832CB 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
004832CE E8 0952F8FF CALL MagicPho.004084DC
004832D3 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
004832D6 B9 01000000 MOV ECX,1
004832DB BA 0B000000 MOV EDX,0B
004832E0 E8 FB15F8FF CALL MagicPho.004048E0
004832E5 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ;address of the 11th character goes into EAX
004832E8 BA D4334800 MOV EDX,MagicPho.004833D4 ; u
004832ED E8 DA14F8FF CALL MagicPho.004047CC ;so the 11th character must be u or U
004832F2 75 41 JNZ SHORT MagicPho.00483335
004832F4 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
004832F7 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
004832FD E8 C238FBFF CALL MagicPho.00436BC4
00483302 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
00483305 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
00483308 E8 CF51F8FF CALL MagicPho.004084DC
0048330D 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
00483310 B8 E0334800 MOV EAX,MagicPho.004833E0 ; magic.bin
00483315 E8 FEA4FFFF CALL MagicPho.0047D818 ;write the serial into magic.bin
0048331A A1 149B4800 MOV EAX,DWORD PTR DS:[489B14]
0048331F BA F4334800 MOV EDX,MagicPho.004833F4 ; y
00483324 E8 FB10F8FF CALL MagicPho.00404424
00483329 B8 00344800 MOV EAX,MagicPho.00483400 ; successfully registered!
0048332E E8 25D4FAFF CALL MagicPho.00430758
00483333 EB 22 JMP SHORT MagicPho.00483357
00483335 B8 24344800 MOV EAX,MagicPho.00483424 ; invalid serialnumber!
0048333A E8 19D4FAFF CALL MagicPho.00430758
0048333F EB 16 JMP SHORT MagicPho.00483357
00483341 B8 24344800 MOV EAX,MagicPho.00483424 ; invalid serialnumber!
00483346 E8 0DD4FAFF CALL MagicPho.00430758
0048334B EB 0A JMP SHORT MagicPho.00483357
0048334D B8 44344800 MOV EAX,MagicPho.00483444 ; ASCII "Already Registered!"
00483352 E8 01D4FAFF CALL MagicPho.00430758
00483357 A1 5CAD4800 MOV EAX,DWORD PTR DS:[48AD5C]
0048335C E8 C708FDFF CALL MagicPho.00453C28
00483361 33C0 XOR EAX,EAX
00483363 5A POP EDX
00483364 59 POP ECX
Stepping into the call at 48328E with F7, we arrive here:
0047D6E0 55 PUSH EBP
0047D6E1 8BEC MOV EBP,ESP
0047D6E3 B9 04000000 MOV ECX,4
0047D6E8 6A 00 PUSH 0
0047D6EA 6A 00 PUSH 0
0047D6EC 49 DEC ECX
0047D6ED ^ 75 F9 JNZ SHORT MagicPho.0047D6E8
0047D6EF 51 PUSH ECX
0047D6F0 53 PUSH EBX
0047D6F1 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0047D6F4 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ;entered serial goes into EAX
0047D6F7 E8 7471F8FF CALL MagicPho.00404870
0047D6FC 33C0 XOR EAX,EAX
0047D6FE 55 PUSH EBP
0047D6FF 68 09D84700 PUSH MagicPho.0047D809
0047D704 64:FF30 PUSH DWORD PTR FS:[EAX]
0047D707 64:8920 MOV DWORD PTR FS:[EAX],ESP
0047D70A 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0047D70D E8 B2FDFFFF CALL MagicPho.0047D4C4
0047D712 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0047D715 33D2 XOR EDX,EDX
0047D717 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ;first ten characters of the machine code go into EAX
0047D71A E8 1DFBFFFF CALL MagicPho.0047D23C ;reorder the machine code, giving the new machine code S1
I will not step into this one; I will just describe the reordering directly. As an example, if the original is 0123456789, after reordering it becomes 3902645718.
0047D71F 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
0047D722 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0047D725 E8 3E6DF8FF CALL MagicPho.00404468
0047D72A 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0047D72D 50 PUSH EAX
0047D72E B9 0A000000 MOV ECX,0A
0047D733 BA 01000000 MOV EDX,1
0047D738 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ;entered serial goes into EAX
0047D73B E8 A071F8FF CALL MagicPho.004048E0
0047D740 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0047D743 66:BA 0001 MOV DX,100
0047D747 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047D74A E8 1DFFFFFF CALL MagicPho.0047D66C ;transform the entered serial into a new string; the code reached with F7 is listed further below
0047D74F 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
0047D752 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0047D755 E8 0E6DF8FF CALL MagicPho.00404468
0047D75A 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0047D75D 33D2 XOR EDX,EDX
0047D75F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047D762 E8 D5FAFFFF CALL MagicPho.0047D23C ;reorder the processed serial in the same way as above, giving S2
0047D767 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
0047D76A 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0047D76D E8 F66CF8FF CALL MagicPho.00404468
0047D772 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0047D775 50 PUSH EAX
0047D776 B9 04000000 MOV ECX,4
0047D77B BA 0A000000 MOV EDX,0A
0047D780 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047D783 E8 5871F8FF CALL MagicPho.004048E0
0047D788 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0047D78B 50 PUSH EAX
0047D78C B9 06000000 MOV ECX,6
0047D791 BA 05000000 MOV EDX,5
0047D796 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0047D799 E8 4271F8FF CALL MagicPho.004048E0
0047D79E 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0047D7A1 50 PUSH EAX
0047D7A2 B9 04000000 MOV ECX,4
0047D7A7 BA 01000000 MOV EDX,1
0047D7AC 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0047D7AF E8 2C71F8FF CALL MagicPho.004048E0
0047D7B4 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20] ;first four characters of S1 go into EDX
0047D7B7 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ;first four characters of S2 go into EAX
0047D7BA E8 0572F8FF CALL MagicPho.004049C4 ;compare whether the first four characters of S1 and S2 match
0047D7BF 85C0 TEST EAX,EAX
0047D7C1 7F 25 JG SHORT MagicPho.0047D7E8
0047D7C3 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0047D7C6 50 PUSH EAX
0047D7C7 B9 06000000 MOV ECX,6
0047D7CC BA 05000000 MOV EDX,5
0047D7D1 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0047D7D4 E8 0771F8FF CALL MagicPho.004048E0
0047D7D9 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24] ;remaining six characters of S1 go into EDX
0047D7DC 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ;remaining six characters of S2 go into EAX
0047D7DF E8 E071F8FF CALL MagicPho.004049C4 ;compare whether they match
0047D7E4 85C0 TEST EAX,EAX
0047D7E6 7E 04 JLE SHORT MagicPho.0047D7EC ;if both comparisons above match, set 1, otherwise 0
0047D7E8 B3 01 MOV BL,1
0047D7EA EB 02 JMP SHORT MagicPho.0047D7EE
0047D7EC 33DB XOR EBX,EBX
0047D7EE 33C0 XOR EAX,EAX
0047D7F0 5A POP EDX
0047D7F1 59 POP ECX
0047D7F2 59 POP ECX
0047D7F3 64:8910 MOV DWORD PTR FS:[EAX],EDX
0047D7F6 68 10D84700 PUSH MagicPho.0047D810
0047D7FB 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
0047D7FE BA 09000000 MOV EDX,9
0047D803 E8 EC6BF8FF CALL MagicPho.004043F4
0047D808 C3 RETN
0047D809 ^ E9 EA65F8FF JMP MagicPho.00403DF8
0047D80E ^ EB EB JMP SHORT MagicPho.0047D7FB
0047D810 8BC3 MOV EAX,EBX
0047D812 5B POP EBX
0047D813 8BE5 MOV ESP,EBP
0047D815 5D POP EBP
0047D816 C3 RETN
Stepping in with F7, we arrive here:
0047D66F 55 PUSH EBP
0047D670 83C4 F8 ADD ESP,-8
0047D673 8BF9 MOV EDI,ECX
0047D675 8BEA MOV EBP,EDX
0047D677 890424 MOV DWORD PTR SS:[ESP],EAX
0047D67A 8BC7 MOV EAX,EDI
0047D67C 8B1424 MOV EDX,DWORD PTR SS:[ESP]
0047D67F E8 A06DF8FF CALL MagicPho.00404424
0047D684 8BC7 MOV EAX,EDI
0047D686 E8 4D72F8FF CALL MagicPho.004048D8
0047D68B 8B1424 MOV EDX,DWORD PTR SS:[ESP]
0047D68E 8A12 MOV DL,BYTE PTR DS:[EDX] ;first character of the serial goes into DL
0047D690 8810 MOV BYTE PTR DS:[EAX],DL
0047D692 8B0424 MOV EAX,DWORD PTR SS:[ESP]
0047D695 E8 EE6FF8FF CALL MagicPho.00404688 ;serial length goes into EAX
0047D69A 2C 02 SUB AL,2 ;AL=AL-2
0047D69C 72 3A JB SHORT MagicPho.0047D6D8
0047D69E 40 INC EAX
0047D69F 884424 04 MOV BYTE PTR SS:[ESP+4],AL
0047D6A3 B3 02 MOV BL,2
0047D6A5 8BC7 MOV EAX,EDI
0047D6A7 E8 2C72F8FF CALL MagicPho.004048D8
0047D6AC 8BF3 MOV ESI,EBX
0047D6AE 81E6 FF000000 AND ESI,0FF ;keep only the low byte (the position counter)
0047D6B4 8B1424 MOV EDX,DWORD PTR SS:[ESP] ;serial goes into EDX
0047D6B7 8A5432 FF MOV DL,BYTE PTR DS:[EDX+ESI-1] ;each character of the serial goes into DL
0047D6BB 0FB7CD MOVZX ECX,BP ;ECX=BP
0047D6BE C1E9 08 SHR ECX,8 ;ECX shifted right by 8 bits
0047D6C1 32D1 XOR DL,CL ;DL=DL Xor CL
0047D6C3 885430 FF MOV BYTE PTR DS:[EAX+ESI-1],DL
0047D6C7 8B07 MOV EAX,DWORD PTR DS:[EDI]
0047D6C9 0FB64430 FF MOVZX EAX,BYTE PTR DS:[EAX+ESI-1] ;the transformed character just stored goes into EAX
0047D6CE 66:03E8 ADD BP,AX ;BP=BP+AX
0047D6D1 43 INC EBX
0047D6D2 FE4C24 04 DEC BYTE PTR SS:[ESP+4]
0047D6D6 ^ 75 CD JNZ SHORT MagicPho.0047D6A5 ;loop until the counter at [ESP+4] reaches zero
0047D6D8 59 POP ECX
0047D6D9 5A POP EDX
0047D6DA 5D POP EBP
0047D6DB 5F POP EDI
0047D6DC 5E POP ESI
0047D6DD 5B POP EBX
This is a loop that processes the first ten characters of the serial. It works like this:
Starting from the second character, each character is taken in turn and XORed with the running sum of the characters before it shifted right by 8 bits; the result replaces the character at that position. Proceeding this way through the string gives the processed string.
There is no plaintext comparison here, but XOR is reversible, so a keygen is easy to write; and since the reordering is applied identically to both sides, in practice it can be skipped. Here is the VB I wrote for the first ten characters of the serial:
Private Sub Command1_Click()
    ' Text1 holds the first ten characters of the machine code;
    ' Text2 receives the matching ten serial characters (the 11th, U, is appended by hand)
    Dim b As String, c As String
    Dim tmp As Long, tmpp As Long, i As Long
    b = Text1.Text
    tmp = 256                          ' BP starts at 0x100 (MOV DX,100)
    c = Mid(b, 1, 1)                   ' first character is copied unchanged
    For i = 2 To Len(b)
        tmpp = Int(tmp \ 256)          ' BP >> 8
        c = c & Chr(Asc(Mid(b, i, 1)) Xor tmpp)
        tmp = tmp + Asc(Mid(b, i, 1))  ' BP accumulates the machine-code character, i.e. the loop's output byte
    Next i
    Text2.Text = c
End Sub
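As an added example (my own code, not from the original post nor from Magic Photo Editor), here is a Python model of the check as reconstructed from the disassembly above: the fixed reordering (assumed from the 0123456789 to 3902645718 example), the chained-XOR loop at 0047D6A5, and the length, U and split-compare checks from 0047D6E0 and the caller. It also contains the inverse of the loop, which is what the VB routine above computes, so the closing observation can be tested directly: the verifier holds everything needed to reproduce a passing serial. The machine code, function names and PERM table are constructed for this example.

```python
# Added example: a model of Magic Photo Editor's serial check as read from the
# disassembly, not the program's own code. Names and sample data are my own.

# Reordering applied to both S1 and S2. Assumed from the post's example
# (0123456789 -> 3902645718): output position k takes input position PERM[k].
PERM = [3, 9, 0, 2, 6, 4, 5, 7, 1, 8]


def reorder(s: str) -> str:
    """Fixed position shuffle (0047D23C as the post describes it)."""
    if len(s) < 10:
        raise ValueError("reorder expects at least 10 characters")
    return "".join(s[i] for i in PERM)


def chain_xor(data: str, bp: int = 0x100) -> str:
    """Forward transform of the loop at 0047D6A5.

    Byte 0 is copied; for every later byte out[i] = in[i] XOR (BP >> 8),
    then BP += out[i] (BP is a 16-bit register). BP starts at 0x100.
    """
    b = bytearray(data.encode("latin-1"))
    for i in range(1, len(b)):
        b[i] ^= (bp >> 8) & 0xFF          # CL = low byte of (BP >> 8)
        bp = (bp + b[i]) & 0xFFFF         # ADD BP,AX on the stored byte
    return b.decode("latin-1")


def chain_xor_inverse(data: str, bp: int = 0x100) -> str:
    """Inverse of chain_xor (the VB routine in the post).

    Because the forward loop accumulates BP from its *output* bytes, the
    inverse accumulates BP from its *input* bytes; XOR undoes itself.
    """
    src = data.encode("latin-1")
    out = bytearray(src)
    for i in range(1, len(src)):
        out[i] = src[i] ^ ((bp >> 8) & 0xFF)
        bp = (bp + src[i]) & 0xFFFF
    return out.decode("latin-1")


def check_serial(machine_code: str, serial: str) -> bool:
    """The checks at 004832AC..004832F2 plus 0047D6E0, as the post reads them."""
    serial = serial.upper()                        # 004084DC uppercases first
    if len(serial) != 11 or serial[10] != "U":     # CMP EAX,0B ; 11th char U
        return False
    s1 = reorder(machine_code[:10])                # machine code, reordered
    s2 = reorder(chain_xor(serial[:10]))           # serial, transformed, reordered
    return s1[:4] == s2[:4] and s1[4:10] == s2[4:10]


if __name__ == "__main__":
    machine = "2837465019"                         # constructed sample machine code
    first_ten = chain_xor_inverse(machine)         # what the VB routine outputs
    print("serial body:", first_ten)
    print("accepted:", check_serial(machine, first_ten + "U"))
```

Running it shows the round trip: chain_xor_inverse followed by chain_xor returns the machine code unchanged, so the transform is a bijection whose only "key" is the constant 0x100 sitting in the binary, which is exactly why the author's keygen is a few lines. A check that resists this has to verify something the client cannot produce on its own, for example a public-key signature over the machine code with only the public key shipped in the program.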
After successful registration the serial is saved in magic.bin; search for the file, delete it, and you can practise again.
That concludes the crack. This program's algorithm has no plaintext serial, which does raise the difficulty, but the registration-error message makes the algorithm easy to locate, and the algorithm is reversible and very simple, so it is easily cracked and a keygen written. This should be improved.