在网上随便下了个软件来试试手。
用PEID,提示“Borland Delphi 6.0 - 7.0”。
运行程序,要求输入注册码,输入123456789后弹出注册码错误的提示框。
用OD加载程序,在 MessageBoxA 上下断点(错误提示框就是它弹出的),运行后输入假注册码 123456789,程序中断在 USER32 领空;按 Alt+F9(执行到用户代码返回)回到主程序模块。向上看,在 0048AB6C 处有一个决定成败的条件跳转,如下:
; --- OllyDbg dump, Intel syntax, 32-bit Delphi 6/7 target. Cut at BOTH ends: the handler
; starts before 0048AB42 (the xor eax,eax the fs:[eax] frame below relies on is not shown)
; and the excerpt stops mid-argument-push at 0048ABFD. Addresses/opcode bytes are as dumped.
; Inferred register roles (confirm in the debugger): EBX = form/self object; [EBP-10C],
; [EBP-110], [EBP-118] = temporary Delphi strings; [EBP-105] = 105h-byte path buffer.
0048AB42 |. 55 push ebp
0048AB43 |. 68 D5AC4800 push 0048ACD5 ; exception-handler address for the SEH frame below
0048AB48 |. 64:FF30 push dword ptr fs:[eax] ; install SEH frame (Delphi try/finally shape); EAX is expected to be 0 here
0048AB4B |. 64:8920 mov dword ptr fs:[eax], esp
0048AB4E |. 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C] ; EDX = output string
0048AB54 |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC] ; EAX = control at self+2FC (presumably the serial edit box)
0048AB5A |. E8 E5F9FCFF call 0045A544 ; fetch its text into [ebp-10C]; same call repeated twice below
0048AB5F |. 8B85 F4FEFFFF mov eax, dword ptr [ebp-10C] ; EAX = serial string (Delphi passes first arg in EAX)
0048AB65 |. E8 EA070000 call 0048B354 // serial check, listed further down: AL = 1 valid, 0 invalid
0048AB6A |. 84C0 test al, al
0048AB6C /0F84 DF000000 je 0048AC51 // taken = failure path; a single boolean test, so this je is the obvious patch point
0048AB72 |. |A1 F0E34800 mov eax, dword ptr [48E3F0]
0048AB77 |. |C600 01 mov byte ptr [eax], 1 ; set the global byte at *[48E3F0] to 1 -- in-memory "registered" state, presumably
0048AB7A |. |8D95 F0FEFFFF lea edx, dword ptr [ebp-110]
0048AB80 |. |8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0048AB86 |. |E8 B9F9FCFF call 0045A544 ; fetch the serial text again into [ebp-110]
0048AB8B |. |8B95 F0FEFFFF mov edx, dword ptr [ebp-110]
0048AB91 |. |A1 18E44800 mov eax, dword ptr [48E418]
0048AB96 |. |E8 8D94F7FF call 00404028 ; store the serial into the global referenced by 48E418 (looks like a string-assign RTL helper -- confirm)
0048AB9B |. |68 05010000 push 105 ; /BufSize = 105 (261.) = MAX_PATH+1; buffer [ebp-105..ebp) is exactly that size
0048ABA0 |. |8D85 FBFEFFFF lea eax, dword ptr [ebp-105] ; |
0048ABA6 |. |50 push eax ; |Buffer
0048ABA7 |. |E8 88B9F7FF call <jmp.&kernel32.GetSystemDirector>; \GetSystemDirectoryA -- return value (0 on failure, required size if too small) is never checked
0048ABAC |. |8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
0048ABB2 |. |8D95 FBFEFFFF lea edx, dword ptr [ebp-105]
0048ABB8 |. |B9 05010000 mov ecx, 105
0048ABBD |. |E8 8296F7FF call 00404244 ; [ebp-114] = Delphi string built from the 105h-byte buffer (presumably a PChar/array-to-string helper)
0048ABC2 |. |8D85 ECFEFFFF lea eax, dword ptr [ebp-114]
0048ABC8 |. |BA ECAC4800 mov edx, 0048ACEC ; ASCII "\SuperCopy.ini" -- the keyfile name, appended to the system directory
0048ABCD |. |E8 CA96F7FF call 0040429C ; [ebp-114] += "\SuperCopy.ini" (presumably string concat)
0048ABD2 |. |8B8D ECFEFFFF mov ecx, dword ptr [ebp-114] ; ECX = full ini path
0048ABD8 |. |B2 01 mov dl, 1 ; DL=1 + EAX=class ref + ECX=arg is the Delphi constructor call shape
0048ABDA |. |A1 F0564300 mov eax, dword ptr [4356F0]
0048ABDF |. |E8 BCABFAFF call 004357A0 ; construct the object on the ini path -- presumably TIniFile.Create; confirm
0048ABE4 |. |8BF0 mov esi, eax ; ESI = the new object
0048ABE6 |. |8D95 E8FEFFFF lea edx, dword ptr [ebp-118]
0048ABEC |. |8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0048ABF2 |. |E8 4DF9FCFF call 0045A544 ; fetch the serial text a third time, into [ebp-118]
0048ABF7 |. |8B85 E8FEFFFF mov eax, dword ptr [ebp-118]
0048ABFD |. |50 push eax ; first stack argument of a call that lies outside this excerpt (write to the ini, presumably)
把 0048AB6C 处的 je 改掉并保存后,再次运行程序仍然提示未注册,由此推断注册状态不只由这一处跳转决定,程序启动时还会重新校验注册码。从爆破点往下看,出现了字符串 "\SuperCopy.ini",再结合前面的 GetSystemDirectoryA 调用,推测注册方式是把注册码写进系统目录下的 ini 文件,启动时读取这个 keyfile 再做校验。
先不管 keyfile,还是看看算法吧。跟进 0048AB65 处的 call 0048B354(调用处用 test al,al 判断结果,所以这个函数以 AL 返回真假):
; --- 0048B354: serial check. Delphi register convention: EAX = serial (AnsiString).
; Result is accumulated in BL (1 = valid, 0 = invalid). The retn at 0048B3BE only ends the
; try/finally cleanup: it returns to the address pushed at 0048B3B1 (0048B3C6), where the real
; epilogue lives -- not in this dump; presumably it moves BL into AL, which the caller tests.
; Rule enforced: length == 12 and, for 1-based positions i = 5..8, subst(s[i]) == s[i+4]
; (subst = 0048B2F4 below). Positions 1..4 are never examined.
0048B354 /$ 55 push ebp
0048B355 |. 8BEC mov ebp, esp
0048B357 |. 51 push ecx ; reserve the 4-byte local [ebp-4]
0048B358 |. 53 push ebx ; EBX is callee-saved; used as index/result below
0048B359 |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = serial string pointer
0048B35C |. 8B45 FC mov eax, dword ptr [ebp-4]
0048B35F |. E8 2091F7FF call 00404484 ; RTL helper on the string (looks like a refcount bump, @LStrAddRef -- confirm)
0048B364 |. 33C0 xor eax, eax
0048B366 |. 55 push ebp
0048B367 |. 68 BFB34800 push 0048B3BF ; exception-handler address
0048B36C |. 64:FF30 push dword ptr fs:[eax] ; install SEH frame at fs:[0] (try/finally)
0048B36F |. 64:8920 mov dword ptr fs:[eax], esp
0048B372 |. 8B45 FC mov eax, dword ptr [ebp-4]
0048B375 |. E8 1A8FF7FF call 00404294 // EAX = length of the serial (compared with 0C next; presumably @LStrLen)
0048B37A |. 83F8 0C cmp eax, 0C // length must be exactly 12
0048B37D |. 74 04 je short 0048B383
0048B37F |. 33DB xor ebx, ebx ; wrong length -> result 0
0048B381 |. EB 26 jmp short 0048B3A9 ; -> finally
0048B383 |> BB 05000000 mov ebx, 5 ; EBX = 1-based index of the first checked character
0048B388 |> 8B45 FC /mov eax, dword ptr [ebp-4] // EAX = serial string pointer
0048B38B |. 8A4418 FF |mov al, byte ptr [eax+ebx-1] // AL = s[EBX] (1-based; 5th char on the first pass)
0048B38F |. E8 60FFFFFF |call 0048B2F4 // AL = digit substitution via the jump table below; non-digit -> 0
0048B394 |. 8B55 FC |mov edx, dword ptr [ebp-4]
0048B397 |. 3A441A 03 |cmp al, byte ptr [edx+ebx+3] // must equal s[EBX+4], i.e. the char four positions later (9..12)
0048B39B |. 74 04 |je short 0048B3A1
0048B39D |. 33DB |xor ebx, ebx ; mismatch -> result 0
0048B39F |. EB 08 |jmp short 0048B3A9 ; -> finally
0048B3A1 |> 43 |inc ebx
0048B3A2 |. 83FB 09 |cmp ebx, 9 // loop runs for EBX = 5..8: chars 5-8 (substituted) vs chars 9-12
0048B3A5 |.^ 75 E1 \jnz short 0048B388 // e.g. 123463759012: 6375 -> 9012, and chars 9-12 are 9012
0048B3A7 |. B3 01 mov bl, 1 ; all four pairs matched -> result 1
0048B3A9 |> 33C0 xor eax, eax ; finally block: unlink the SEH frame
0048B3AB |. 5A pop edx
0048B3AC |. 59 pop ecx
0048B3AD |. 59 pop ecx
0048B3AE |. 64:8910 mov dword ptr fs:[eax], edx
0048B3B1 |. 68 C6B34800 push 0048B3C6 ; continuation address: the retn below goes here, not to the caller
0048B3B6 |> 8D45 FC lea eax, dword ptr [ebp-4]
0048B3B9 |. E8 168CF7FF call 00403FD4 // release the local string (presumably @LStrClr) -- cleanup only, not a check on chars 1-4
0048B3BE \. C3 retn ; -> 0048B3C6 (real epilogue, not shown; BL carries the result)
下面是 0048B2F4 的分支表(跳转表),用来对注册码第 5~8 位做逐位替换:只处理 '0'~'9' 十种情况,其它字符走默认分支返回 0,所以这几位必须是数字;表本身只是一个固定的数字置换,很简单,自己看。注意第 1~4 位从头到尾没有被校验,任意填写即可。
; --- 0048B2F4: digit substitution used by the check above.
; In:  AL = character (only the low byte is used, see the AND).  Out: AL = substituted digit
; for '0'..'9', 0 for anything else.  Clobbers EAX and flags; no stack frame.
; Table (in -> out): 0->8 1->6 2->4 3->0 4->5 5->2 6->9 7->1 8->3 9->7. A fixed permutation with
; no per-machine input, so a keygen is just this table applied to chars 5..8.
0048B2F4 /$ 25 FF000000 and eax, 0FF ; keep AL only
0048B2F9 |. 83C0 D0 add eax, -30 ; Switch (cases 30..39) -- index = c - '0'
0048B2FC |. 83F8 09 cmp eax, 9
0048B2FF |. 77 4D ja short 0048B34E ; unsigned: anything outside '0'..'9' (c < '0' wraps to a large value) -> default
0048B301 |. FF2485 08B348>jmp dword ptr [eax*4+48B308] ; dispatch through the 10-entry table
0048B308 |. 30B34800 dd 文件批量.0048B330 ; jump table used by 0048B301
0048B30C |. 33B34800 dd 文件批量.0048B333
0048B310 |. 36B34800 dd 文件批量.0048B336
0048B314 |. 39B34800 dd 文件批量.0048B339
0048B318 |. 3CB34800 dd 文件批量.0048B33C
0048B31C |. 3FB34800 dd 文件批量.0048B33F
0048B320 |. 42B34800 dd 文件批量.0048B342
0048B324 |. 45B34800 dd 文件批量.0048B345
0048B328 |. 48B34800 dd 文件批量.0048B348
0048B32C |. 4BB34800 dd 文件批量.0048B34B
0048B330 |> B0 38 mov al, 38 ; Case 30 ('0') of switch 0048B2F9 -> '8'
0048B332 |. C3 retn
0048B333 |> B0 36 mov al, 36 ; Case 31 ('1') of switch 0048B2F9 -> '6'
0048B335 |. C3 retn
0048B336 |> B0 34 mov al, 34 ; Case 32 ('2') of switch 0048B2F9 -> '4'
0048B338 |. C3 retn
0048B339 |> B0 30 mov al, 30 ; Case 33 ('3') of switch 0048B2F9 -> '0'
0048B33B |. C3 retn
0048B33C |> B0 35 mov al, 35 ; Case 34 ('4') of switch 0048B2F9 -> '5'
0048B33E |. C3 retn
0048B33F |> B0 32 mov al, 32 ; Case 35 ('5') of switch 0048B2F9 -> '2'
0048B341 |. C3 retn
0048B342 |> B0 39 mov al, 39 ; Case 36 ('6') of switch 0048B2F9 -> '9'
0048B344 |. C3 retn
0048B345 |> B0 31 mov al, 31 ; Case 37 ('7') of switch 0048B2F9 -> '1'
0048B347 |. C3 retn
0048B348 |> B0 33 mov al, 33 ; Case 38 ('8') of switch 0048B2F9 -> '3'
0048B34A |. C3 retn
0048B34B |> B0 37 mov al, 37 ; Case 39 ('9') of switch 0048B2F9 -> '7'
0048B34D |. C3 retn
0048B34E |> 33C0 xor eax, eax ; Default case of switch 0048B2F9 -- non-digit -> AL = 0
0048B350 \. C3 retn
输入 123463759012(第 5~8 位 6375 经置换表得到 9012,正好等于第 9~12 位;前四位随便填)就注册成功了,简单呀。不过前面说过这是个 ini 形式的 keyfile:0048ABA7 处调用 GetSystemDirectoryA 取系统目录(一般是 C:\Windows\System32),注册成功后在那里果然生成了一个 SuperCopy.ini,而且内容没有任何加密——校验逻辑本身不绑定任何机器特征,所以这个文件很可能直接复制到别的机器上就能"注册"。另外要注意,在 Vista 以后的 Windows 上普通用户没有系统目录的写权限,这种往 System32 写配置的做法本身也会失败(程序还没有检查 GetSystemDirectoryA 的返回值)。同时想对写注册算法的朋友说:校验代码不要集中放在一处,更不要把注册状态明文写进文件;算法至少要和机器特征绑定,否则一张置换表就是一个 keygen。至此。