蚊香
发表于 2008-8-29 18:33
【文章标题】: Quick Budget V1.14注册算法简单分析
【文章作者】: 蚊香
【作者邮箱】: xpi386com@gmail.com
【作者主页】: http://www.xpi386.com
【下载地址】: http://www.justapps.com/download/quickbudget_setup.exe
【保护方式】: 用户名 + 注册码
【使用工具】: OD,计算器
【操作平台】: D版XP-SP3
【软件介绍】: 是一款快速预算财政的软件.
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
下载安装,试注册,有弹框错误提示.于是首先想到用F12暂停查看堆栈调用的方法,很快可以定位到关键.
为方便说明,假注册时统一使用用户名'abcde'和假码'123456789'.出现的计算数字均为16进制形式.00690804/.55pushebp;F2下断,F9运行,F8单步往下。00690805|.8BECmov ebp, esp00690807|.81C4 ECFEFFFF add esp, -1140069080D|.53pushebx0069080E|.33C9xor ecx, ecx00690810|.898D ECFEFFFF mov dword ptr [ebp-114], ecx00690816|.898D F4FEFFFF mov dword ptr [ebp-10C], ecx0069081C|.898D F0FEFFFF mov dword ptr [ebp-110], ecx00690822|.894D FC mov dword ptr [ebp-4], ecx00690825|.894D F8 mov dword ptr [ebp-8], ecx00690828|.8BD8mov ebx, eax0069082A|.33C0xor eax, eax0069082C|.55pushebp0069082D|.68 8B096900 push0069098B00690832|.64:FF30 pushdword ptr fs:[eax]00690835|.64:8920 mov dword ptr fs:[eax], esp00690838|.8D55 F8 lea edx, dword ptr [ebp-8]0069083B|.8B83 FC020000 mov eax, dword ptr [ebx+2FC]00690841|.E8 CEFDDDFF call00470614 ;用户名00690846|.8B45 F8 mov eax, dword ptr [ebp-8]00690849|.8D55 FC lea edx, dword ptr [ebp-4]0069084C|.E8 7B95D7FF call00409DCC00690851|.8B55 FC mov edx, dword ptr [ebp-4]00690854|.A1 A4EC6900 mov eax, dword ptr [69ECA4]00690859|.E8 2247D7FF call00404F800069085E|.8D95 F0FEFFFF lea edx, dword ptr [ebp-110]00690864|.8B83 00030000 mov eax, dword ptr [ebx+300]0069086A|.E8 A5FDDDFF call00470614 ;假码0069086F|.8B85 F0FEFFFF mov eax, dword ptr [ebp-110]00690875|.8D95 F4FEFFFF lea edx, dword ptr [ebp-10C]0069087B|.E8 4C95D7FF call00409DCC00690880|.8B95 F4FEFFFF mov edx, dword ptr [ebp-10C]00690886|.8D85 F8FEFFFF lea eax, dword ptr [ebp-108]0069088C|.B9 FF000000 mov ecx, 0FF ;? 不知道100690891|.E8 3249D7FF call004051C800690896|.8D95 F8FEFFFF lea edx, dword ptr [ebp-108]0069089C|.A1 24F36900 mov eax, dword ptr [69F324]006908A1|.B1 1E mov cl, 1E ;? 
不知道2006908A3|.E8 C02DD7FF call00403668 ;不知道上面两个mov是干什么的 ???006908A8|.68 62040000 push462;后面表现英勇的常数462压栈006908AD|.8D85 ECFEFFFF lea eax, dword ptr [ebp-114]006908B3|.8B15 24F36900 mov edx, dword ptr [69F324];QuickBud.006A2B14006908B9|.E8 D248D7FF call00405190006908BE|.8B8D ECFEFFFF mov ecx, dword ptr [ebp-114]006908C4|.8B15 A4EC6900 mov edx, dword ptr [69ECA4];QuickBud.006A2B0C006908CA|.8B12mov edx, dword ptr [edx]006908CC|.A1 20ED6900 mov eax, dword ptr [69ED20]006908D1|.8B00mov eax, dword ptr [eax]006908D3|.8B80 A8030000 mov eax, dword ptr [eax+3A8]006908D9|.E8 DACCE4FF call004DD5B8 ;关键CALL,F7进006908DE|.84C0testal, al006908E0|.75 29 jnz short 0069090B ;关键跳转006908E2|.6A 00 push0006908E4|.66:8B0D 98096>mov cx, word ptr [690998]006908EB|.B2 01 mov dl, 1006908ED|.B8 A4096900 mov eax, 006909A4;ASCII "The Registration Code that you provided does not",CR,"match the Name entered."006908F2|.E8 09C1DAFF call0043CA00006908F7|.48dec eax006908F8|.75 52 jnz short 0069094C006908FA|.A1 2C2D6A00 mov eax, dword ptr [6A2D2C]006908FF|.C780 4C020000>mov dword ptr [eax+24C], 100690909|.EB 41 jmp short 0069094C0069090B|>803D 302D6A00>cmp byte ptr [6A2D30], 000690912|.75 29 jnz short 0069093D00690914|.6A 00 push000690916|.66:8B0D 98096>mov cx, word ptr [690998]0069091D|.B2 03 mov dl, 30069091F|.B8 F8096900 mov eax, 006909F8;ASCII "Thank you for Registering Quick Budget."00690924|.E8 D7C0DAFF call0043CA0000690929|.48dec eax0069092A|.75 20 jnz short 0069094C0069092C|.A1 2C2D6A00 mov eax, dword ptr [6A2D2C]00690931|.C780 4C020000>mov dword ptr [eax+24C], 10069093B|.EB 0F jmp short 0069094C0069093D|>A1 2C2D6A00 mov eax, dword ptr [6A2D2C]00690942|.C780 4C020000>mov dword ptr [eax+24C], 10069094C|>33C0xor eax, eax0069094E|.5Apop edx0069094F|.59pop ecx00690950|.59pop ecx00690951|.64:8910 mov dword ptr fs:[eax], edx00690954|.68 92096900 push0069099200690959|>8D85 ECFEFFFF lea eax, dword ptr [ebp-114]0069095F|.E8 C845D7FF call00404F2C00690964|.8D85 F0FEFFFF lea eax, dword ptr 
[ebp-110]0069096A|.E8 BD45D7FF call00404F2C0069096F|.8D85 F4FEFFFF lea eax, dword ptr [ebp-10C]00690975|.E8 B245D7FF call00404F2C0069097A|.8D45 F8 lea eax, dword ptr [ebp-8]0069097D|.E8 AA45D7FF call00404F2C00690982|.8D45 FC lea eax, dword ptr [ebp-4]00690985|.E8 A245D7FF call00404F2C0069098A\.C3retn0069098B .^ E9 D43ED7FF jmp 0040486400690990 .^ EB C7 jmp short 0069095900690992 .5Bpop ebx00690993 .8BE5mov esp, ebp00690995 .5Dpop ebp00690996 .C3retn
进入006908D9004DD5B8/$55pushebp004DD5B9|.8BECmov ebp, esp004DD5BB|.83C4 F4 add esp, -0C004DD5BE|.53pushebx004DD5BF|.56pushesi004DD5C0|.57pushedi004DD5C1|.33DBxor ebx, ebx004DD5C3|.895D F4 mov dword ptr [ebp-C], ebx004DD5C6|.894D F8 mov dword ptr [ebp-8], ecx004DD5C9|.8955 FC mov dword ptr [ebp-4], edx004DD5CC|.8BF8mov edi, eax004DD5CE|.8B75 08 mov esi, dword ptr [ebp+8] ;ESI=常数462004DD5D1|.8B45 FC mov eax, dword ptr [ebp-4]004DD5D4|.E8 037EF2FF call004053DC004DD5D9|.8B45 F8 mov eax, dword ptr [ebp-8]004DD5DC|.E8 FB7DF2FF call004053DC004DD5E1|.33C0xor eax, eax004DD5E3|.55pushebp004DD5E4|.68 37D64D00 push004DD637004DD5E9|.64:FF30 pushdword ptr fs:[eax]004DD5EC|.64:8920 mov dword ptr fs:[eax], esp004DD5EF|.33DBxor ebx, ebx004DD5F1|.837D FC 00cmp dword ptr [ebp-4], 0004DD5F5|.74 25 jeshort 004DD61C004DD5F7|.85F6testesi, esi004DD5F9|.74 21 jeshort 004DD61C004DD5FB|.8D45 F4 lea eax, dword ptr [ebp-C]004DD5FE|.50pusheax004DD5FF|.8BCEmov ecx, esi004DD601|.8B55 FC mov edx, dword ptr [ebp-4]004DD604|.8BC7mov eax, edi004DD606|.E8 8DFEFFFF call004DD498 ;经过此CALL后真码现身,F7进004DD60B|.8B45 F4 mov eax, dword ptr [ebp-C]004DD60E|.8B55 F8 mov edx, dword ptr [ebp-8]004DD611|.E8 9EF1FFFF call004DC7B4 ;真假码比较004DD616|.84C0testal, al004DD618|.74 02 jeshort 004DD61C ;关键跳转004DD61A|.B3 01 mov bl, 1;关键赋值004DD61C|>33C0xor eax, eax004DD61E|.5Apop edx004DD61F|.59pop ecx004DD620|.59pop ecx004DD621|.64:8910 mov dword ptr fs:[eax], edx004DD624|.68 3ED64D00 push004DD63E004DD629|>8D45 F4 lea eax, dword ptr [ebp-C]004DD62C|.BA 03000000 mov edx, 3004DD631|.E8 1A79F2FF call00404F50004DD636\.C3retn004DD637 .^ E9 2872F2FF jmp 00404864004DD63C .^ EB EB jmp short 004DD629004DD63E .8BC3mov eax, ebx ;关键传递004DD640 .5Fpop edi004DD641 .5Epop esi004DD642 .5Bpop ebx004DD643 .8BE5mov esp, ebp004DD645 .5Dpop ebp004DD646 .C2 0400 retn4
进入004DD606004DD498/$55pushebp004DD499|.8BECmov ebp, esp004DD49B|.6A 00 push0004DD49D|.6A 00 push0004DD49F|.6A 00 push0004DD4A1|.6A 00 push0004DD4A3|.6A 00 push0004DD4A5|.53pushebx004DD4A6|.56pushesi004DD4A7|.57pushedi004DD4A8|.8BF1mov esi, ecx004DD4AA|.8955 FC mov dword ptr [ebp-4], edx004DD4AD|.8B7D 08 mov edi, dword ptr [ebp+8]004DD4B0|.8B45 FC mov eax, dword ptr [ebp-4]004DD4B3|.E8 247FF2FF call004053DC004DD4B8|.33C0xor eax, eax004DD4BA|.55pushebp004DD4BB|.68 9BD54D00 push004DD59B004DD4C0|.64:FF30 pushdword ptr fs:[eax]004DD4C3|.64:8920 mov dword ptr fs:[eax], esp004DD4C6|.837D FC 00cmp dword ptr [ebp-4], 0 ;用户名长度是否为0004DD4CA|.74 04 jeshort 004DD4D0004DD4CC|.85F6testesi, esi004DD4CE|.75 0C jnz short 004DD4DC004DD4D0|>8BC7mov eax, edi004DD4D2|.E8 557AF2FF call00404F2C004DD4D7|.E9 A4000000 jmp 004DD580004DD4DC|>8D45 F8 lea eax, dword ptr [ebp-8]004DD4DF|.E8 487AF2FF call00404F2C004DD4E4|.8B45 FC mov eax, dword ptr [ebp-4]004DD4E7|.E8 007DF2FF call004051EC ;用户名长度5004DD4EC|.8BD8mov ebx, eax004DD4EE|.0FAFDEimulebx, esi ;EBX=462*5=15EA004DD4F1|.8B45 FC mov eax, dword ptr [ebp-4]004DD4F4|.0FB600movzx eax, byte ptr [eax];用户名第一位a=61004DD4F7|.69C0 842F0100 imuleax, eax, 12F84;EAX=61*12F84=730104004DD4FD|.03D8add ebx, eax ;EBX=15EA+730104=7316EE004DD4FF|.8D55 F4 lea edx, dword ptr [ebp-C]004DD502|.8BC3mov eax, ebx004DD504|.E8 B3CCF2FF call0040A1BC ;7316EE转10进制=7542510004DD509|.8B55 F4 mov edx, dword ptr [ebp-C]004DD50C|.8D45 F8 lea eax, dword ptr [ebp-8]004DD50F|.B9 B4D54D00 mov ecx, 004DD5B4004DD514|.E8 1F7DF2FF call00405238004DD519|.8B45 FC mov eax, dword ptr [ebp-4]004DD51C|.0FB600movzx eax, byte ptr [eax];用户名第一位a=61004DD51F|.F7EEimulesi;EAX=61*462=1A922004DD521|.69D8 C8010000 imulebx, eax, 1C8;EBX=1A922*1C8=2F54490004DD527|.FF75 F8 pushdword ptr [ebp-8]004DD52A|.8D55 F0 lea edx, dword ptr [ebp-10]004DD52D|.8BC3mov eax, ebx004DD52F|.E8 88CCF2FF call0040A1BC ;2F54490转10进制=49628304004DD534|.FF75 F0 pushdword ptr [ebp-10]004DD537|.68 B4D54D00 push004DD5B4004DD53C|.8D45 F8 
lea eax, dword ptr [ebp-8]004DD53F|.BA 03000000 mov edx, 3004DD544|.E8 637DF2FF call004052AC004DD549|.8B45 FC mov eax, dword ptr [ebp-4] ;EAX=用户名长度=5004DD54C|.E8 9B7CF2FF call004051EC004DD551|.8B55 FC mov edx, dword ptr [ebp-4]004DD554|.0FB612movzx edx, byte ptr [edx];用户名第一位a=61004DD557|.F7EAimuledx;EAX=5*61=1E5004DD559|.69D8 2E160000 imulebx, eax, 162E ;EBX=1E5*162E=2A0526004DD55F|.03DEadd ebx, esi ;EBX=2A0526+462=2A0988004DD561|.8D55 EC lea edx, dword ptr [ebp-14]004DD564|.8BC3mov eax, ebx004DD566|.E8 51CCF2FF call0040A1BC ;2A0988转10进制=2754952004DD56B|.8B55 EC mov edx, dword ptr [ebp-14]004DD56E|.8D45 F8 lea eax, dword ptr [ebp-8]004DD571|.E8 7E7CF2FF call004051F4 ;以'-'连接上面三组10进制数004DD576|.8BC7mov eax, edi004DD578|.8B55 F8 mov edx, dword ptr [ebp-8] ;7542510-49628304-2754952004DD57B|.E8 007AF2FF call00404F80004DD580|>33C0xor eax, eax004DD582|.5Apop edx004DD583|.59pop ecx004DD584|.59pop ecx004DD585|.64:8910 mov dword ptr fs:[eax], edx004DD588|.68 A2D54D00 push004DD5A2004DD58D|>8D45 EC lea eax, dword ptr [ebp-14]004DD590|.BA 05000000 mov edx, 5004DD595|.E8 B679F2FF call00404F50004DD59A\.C3retn004DD59B .^ E9 C472F2FF jmp 00404864004DD5A0 .^ EB EB jmp short 004DD58D004DD5A2 .5Fpop edi004DD5A3 .5Epop esi004DD5A4 .5Bpop ebx004DD5A5 .8BE5mov esp, ebp004DD5A7 .5Dpop ebp004DD5A8 .C2 0400 retn4
--------------------------------------------------------------------------------
【算法总结】
用户名长度乘固定值1122(462h) + 用户名第一位的ASCII乘固定值77700(12F84h),结果作为注册码第一段;
用户名第一位的ASCII乘固定值511632(462h*1C8h=7CE90h),结果作为注册码第二段;
用户名第一位的ASCII乘用户名长度,再乘5678(162Eh),结果加上1122(462h)作为注册码第三段;
用'-'连接上面三段即为注册码...注册码记录在同目录下的quickbudget.ini
KG源码(VB Code):
' Tested on VB 6.0 (lite edition).
' Reproduces the registration-code derivation summarised above: three
' dash-joined decimal segments computed from the name's length and the
' ASCII code of its first character.
Private Sub Command1_Click()
    Dim Name As String
    Dim L As Integer
    Dim a, b, c, d As Long   ' VB6: only d is declared As Long here; a, b, c default to Variant
    Name = CStr(Text1.Text)
    L = Len(Name)
    If L = 0 Then
        Text2.Text = "Input your name,Please!"
    Else
        ' segment 1: 1122 (462h) * length + first-char ASCII * 77700 (12F84h)
        a = 1122 * L + Asc(Mid(Name, 1, 1)) * 77700
        ' segment 2: first-char ASCII * 511632 (462h * 1C8h)
        b = Asc(Mid(Name, 1, 1)) * 511632
        ' segment 3: (first-char ASCII * length) * 5678 (162Eh) + 1122 (462h)
        c = Asc(Mid(Name, 1, 1)) * L
        d = c * 5678 + 1122
        Text2.Text = CStr(a) & "-" & CStr(b) & "-" & CStr(d)
    End If
End Sub
--------------------------------------------------------------------------------
【版权声明】: 本文由 蚊香 原创, 转载请注明作者并保持文章的完整, 谢谢!