I jotted this article down in November last year and never got round to posting it. Today, while tidying up my computer, I came across it by chance, and it happens that a brother on the forum has just posted a crack of this software without the analysis. So I will throw out a brick to attract jade and post my own analysis process, hoping it is useful to everyone!
==================================================================================
【Author】深海游侠 (Shenhai Youxia)
【Author's e-mail】shenhaiyouxia@163.com
==================================================================================
【Software】超级电脑助手 (Super Computer Assistant) V2004 build 08.15
【Download】http://www.onlinedown.net/soft/32447.htm
【Software description】
Size: 1069KB
Language: Simplified Chinese
Category: Domestic software / Shareware / Desktop utilities
Runs on: Win9x/Me/NT/2000/XP
Added: 2004-7-18 20:21:25
This software mainly provides the following features: desktop clock, alarm reminders, online time tracking, quick input, quick launch, MP3 playback, random lottery number picking, detection of all kinds of useful system information, personalised desktop settings, instant wallpaper changes, junk cleaning, memory defragmentation, IE browser optimisation, icon extraction, screen capture, perpetual calendar and many other practical personalised functions. It is feature-rich, and new functions are continually added for registered users.
==================================================================================
【Platform】WIN ME
【Debugger】TRW2000
==================================================================================
【Cracking process】
First, check for a packer: Borland Delphi 6.0 - 7.0, no packer. Load it directly in TRW2000, set the universal breakpoint, the program breaks; press F12 a number of times and the program arrives here:
The registration information I entered:
Order number: 1360 (the order number can be obtained by filling in the form on his homepage; of course, you can also enter anything)
Registration code: 121212
016F:0055D7AA 837DF800 CMP DWORD [EBP-08],BYTE +00
016F:0055D7AE 7414 JZ 0055D7C4
016F:0055D7B0 8D55F4 LEA EDX,[EBP-0C]
016F:0055D7B3 8B8344030000 MOV EAX,[EBX+0344]
016F:0055D7B9 E816D4EEFF CALL 0044ABD4
016F:0055D7BE 837DF400 CMP DWORD [EBP-0C],BYTE +00 -------> was any registration info entered?
016F:0055D7C2 750F JNZ 0055D7D3
016F:0055D7C4 B88CD95500 MOV EAX,0055D98C
016F:0055D7C9 E8B66BEEFF CALL 00444384 -------> error-message CALL
016F:0055D7CE E938010000 JMP 0055D90B
016F:0055D7D3 8D55F0 LEA EDX,[EBP-10]
016F:0055D7D6 8B8344030000 MOV EAX,[EBX+0344]
016F:0055D7DC E8F3D3EEFF CALL 0044ABD4
016F:0055D7E1 8B45F0 MOV EAX,[EBP-10]
016F:0055D7E4 50 PUSH EAX
016F:0055D7E5 8D55E8 LEA EDX,[EBP-18]
016F:0055D7E8 8B8348030000 MOV EAX,[EBX+0348]
016F:0055D7EE E8E1D3EEFF CALL 0044ABD4
016F:0055D7F3 8B45E8 MOV EAX,[EBP-18] -------> the order number, EAX=1360
016F:0055D7F6 E85DBEEAFF CALL 00409658 -------> 1360 converted to hex: 550
016F:0055D7FB B954DB0400 MOV ECX,0004DB54 -------> ECX=0004DB54
016F:0055D800 99 CDQ
016F:0055D801 F7F9 IDIV ECX -------> 550 mod 0004DB54 = 550
016F:0055D803 8BC2 MOV EAX,EDX
016F:0055D805 8D55EC LEA EDX,[EBP-14]
016F:0055D808 E8A7BDEAFF CALL 004095B4
016F:0055D80D 8D45EC LEA EAX,[EBP-14]
016F:0055D810 50 PUSH EAX
016F:0055D811 8D55DC LEA EDX,[EBP-24]
016F:0055D814 8B8348030000 MOV EAX,[EBX+0348]
016F:0055D81A E8B5D3EEFF CALL 0044ABD4
016F:0055D81F 8B45DC MOV EAX,[EBP-24] -------> EAX=1360 (first part of the registration code)
016F:0055D822 E831BEEAFF CALL 00409658 -------> 1360 converted to hex: 550
016F:0055D827 8D55E0 LEA EDX,[EBP-20]
016F:0055D82A E85DFBFFFF CALL 0055D38C -------> algorithm CALL (1), step into
016F:0055D82F 8B45E0 MOV EAX,[EBP-20] -------> after the computation EAX=72924945 (intermediate code)
016F:0055D832 E821BEEAFF CALL 00409658 -------> 72924945 converted to hex: 458BF11
016F:0055D837 8D55E4 LEA EDX,[EBP-1C]
016F:0055D83A E82DFCFFFF CALL 0055D46C -------> algorithm CALL (2), step into
016F:0055D83F 8B55E4 MOV EDX,[EBP-1C] -------> EDX=36i5w138|f9846 (second part of the registration code)
016F:0055D842 58 POP EAX
016F:0055D843 E8CC74EAFF CALL 00404D14 -------> joins the two parts, 1360 and 36i5w138|f9846
016F:0055D848 8B55EC MOV EDX,[EBP-14] -------> EDX=136036i5w138|f9846 (memory keygen point)
016F:0055D84B 58 POP EAX -------> EAX=121212
016F:0055D84C E8FF75EAFF CALL 00404E50 -------> compare
016F:0055D851 0F859D000000 JNZ NEAR 0055D8F4 -------> not equal, game over
......... the registration-info handling follows below; omitted for brevity ..........
Algorithm CALL (1)
016F:0055D82A E85DFBFFFF CALL 0055D38C
|
016F:0055D38F 33C9 XOR ECX,ECX
016F:0055D391 51 PUSH ECX
016F:0055D392 51 PUSH ECX
016F:0055D393 51 PUSH ECX
016F:0055D394 51 PUSH ECX
016F:0055D395 53 PUSH EBX
016F:0055D396 56 PUSH ESI
016F:0055D397 8BF2 MOV ESI,EDX
016F:0055D399 8BD8 MOV EBX,EAX ------> EAX=550, EAX->EBX
016F:0055D39B 33C0 XOR EAX,EAX
016F:0055D39D 55 PUSH EBP
016F:0055D39E 685CD45500 PUSH DWORD 0055D45C
016F:0055D3A3 64FF30 PUSH DWORD [FS:EAX]
016F:0055D3A6 648920 MOV [FS:EAX],ESP
016F:0055D3A9 81F3F1250B00 XOR EBX,000B25F1 ------> EBX=550 xor B25F1=B20A1
016F:0055D3AF 8BC3 MOV EAX,EBX ------> EBX->EAX
016F:0055D3B1 33D2 XOR EDX,EDX
016F:0055D3B3 52 PUSH EDX
016F:0055D3B4 50 PUSH EAX
016F:0055D3B5 8D45FC LEA EAX,[EBP-04]
016F:0055D3B8 E827C2EAFF CALL 004095E4 ------> B20A1 converted to the decimal string 729249 and stored
016F:0055D3BD 8B45FC MOV EAX,[EBP-04] ------> EAX=729249
016F:0055D3C0 0FB600 MOVZX EAX,BYTE [EAX] ------> EAX=37
016F:0055D3C3 8B55FC MOV EDX,[EBP-04]
016F:0055D3C6 0FB65201 MOVZX EDX,BYTE [EDX+01] ------> EDX=32
016F:0055D3CA 03C2 ADD EAX,EDX ------> EAX=37+32=69
016F:0055D3CC B905000000 MOV ECX,05
016F:0055D3D1 99 CDQ
016F:0055D3D2 F7F9 IDIV ECX ------> 69 mod 5=0
016F:0055D3D4 80C234 ADD DL,34 ------> 34+0=34 (ASCII digit '4')
016F:0055D3D7 8855F8 MOV [EBP-08],DL ------> DL=34->[EBP-08] (used below)
016F:0055D3DA 8B45FC MOV EAX,[EBP-04]
016F:0055D3DD 0FB64002 MOVZX EAX,BYTE [EAX+02] ------> EAX=39
016F:0055D3E1 8B55FC MOV EDX,[EBP-04]
016F:0055D3E4 0FB65203 MOVZX EDX,BYTE [EDX+03] ------> EDX=32
016F:0055D3E8 03C2 ADD EAX,EDX ------> EAX=39+32=6B
016F:0055D3EA B905000000 MOV ECX,05
016F:0055D3EF 99 CDQ
016F:0055D3F0 F7F9 IDIV ECX ------> 6B mod 5=2
016F:0055D3F2 8BDA MOV EBX,EDX
016F:0055D3F4 80C333 ADD BL,33 ------> 2+33=35 (ASCII digit '5')
016F:0055D3F7 885DF9 MOV [EBP-07],BL ------> BL=35->[EBP-07] (used below)
016F:0055D3FA 8D45F4 LEA EAX,[EBP-0C]
016F:0055D3FD 8A55F8 MOV DL,[EBP-08] ------> DL=34 (computed above)
016F:0055D400 E82F78EAFF CALL 00404C34 ------> 34 as an ASCII character is the digit 4; stored as a string
016F:0055D405 8B45F4 MOV EAX,[EBP-0C] ------> dump EAX: 4
016F:0055D408 8D55FC LEA EDX,[EBP-04]
016F:0055D40B B91B000000 MOV ECX,1B
016F:0055D410 E8D77BEAFF CALL 00404FEC ------> 4 appended to the earlier 729249: 7292494
016F:0055D415 8D45F0 LEA EAX,[EBP-10]
016F:0055D418 8BD3 MOV EDX,EBX ------> EBX=EDX=35 (computed above)
016F:0055D41A E81578EAFF CALL 00404C34 ------> 35 as an ASCII character is the digit 5; stored as a string
016F:0055D41F 8B45F0 MOV EAX,[EBP-10] ------> dump EAX: 5
016F:0055D422 8D55FC LEA EDX,[EBP-04]
016F:0055D425 B919000000 MOV ECX,19
016F:0055D42A E8BD7BEAFF CALL 00404FEC ------> 5 appended to the earlier 7292494: 72924945 (the intermediate code is formed)
016F:0055D42F 8BC6 MOV EAX,ESI
016F:0055D431 8B55FC MOV EDX,[EBP-04]
016F:0055D434 E86F76EAFF CALL 00404AA8
016F:0055D439 33C0 XOR EAX,EAX
016F:0055D43B 5A POP EDX
016F:0055D43C 59 POP ECX
016F:0055D43D 59 POP ECX
016F:0055D43E 648910 MOV [FS:EAX],EDX
016F:0055D441 6863D45500 PUSH DWORD 0055D463
016F:0055D446 8D45F0 LEA EAX,[EBP-10]
016F:0055D449 BA02000000 MOV EDX,02
016F:0055D44E E82576EAFF CALL 00404A78
016F:0055D453 8D45FC LEA EAX,[EBP-04]
016F:0055D456 E8F975EAFF CALL 00404A54
016F:0055D45B C3 RET
Algorithm CALL (2):
016F:0055D83A E82DFCFFFF CALL 0055D46C
|
016F:0055D46D 8BEC MOV EBP,ESP
016F:0055D46F 33C9 XOR ECX,ECX
016F:0055D471 51 PUSH ECX
016F:0055D472 51 PUSH ECX
016F:0055D473 51 PUSH ECX
016F:0055D474 51 PUSH ECX
016F:0055D475 51 PUSH ECX
016F:0055D476 51 PUSH ECX
016F:0055D477 53 PUSH EBX
016F:0055D478 56 PUSH ESI
016F:0055D479 8BF2 MOV ESI,EDX
016F:0055D47B 8BD8 MOV EBX,EAX -----> EAX->EBX=458BF11 (hex of the intermediate code 72924945)
016F:0055D47D 33C0 XOR EAX,EAX
016F:0055D47F 55 PUSH EBP
016F:0055D480 68B8D55500 PUSH DWORD 0055D5B8
016F:0055D485 64FF30 PUSH DWORD [FS:EAX]
016F:0055D488 648920 MOV [FS:EAX],ESP
016F:0055D48B 81F38776FBDD XOR EBX,DDFB7687 -----> EBX=458BF11 xor DDFB7687=D9A3C996
016F:0055D491 8BC3 MOV EAX,EBX
016F:0055D493 33D2 XOR EDX,EDX
016F:0055D495 52 PUSH EDX
016F:0055D496 50 PUSH EAX
016F:0055D497 8D45FC LEA EAX,[EBP-04]
016F:0055D49A E845C1EAFF CALL 004095E4 -----> D9A3C996 converted to the decimal string 3651389846 and stored
016F:0055D49F 8B45FC MOV EAX,[EBP-04] -----> EAX=3651389846
016F:0055D4A2 0FB600 MOVZX EAX,BYTE [EAX] -----> EAX=33
016F:0055D4A5 8B55FC MOV EDX,[EBP-04]
016F:0055D4A8 0FB65201 MOVZX EDX,BYTE [EDX+01] -----> EDX=36
016F:0055D4AC 03C2 ADD EAX,EDX -----> EAX=33+36=69
016F:0055D4AE B905000000 MOV ECX,05
016F:0055D4B3 99 CDQ
016F:0055D4B4 F7F9 IDIV ECX -----> 69 mod 5=0
016F:0055D4B6 80C266 ADD DL,66 -----> DL=0+66=66
016F:0055D4B9 8855F8 MOV [EBP-08],DL -----> DL=66->[EBP-08] (used below)
016F:0055D4BC 8B45FC MOV EAX,[EBP-04]
016F:0055D4BF 0FB64002 MOVZX EAX,BYTE [EAX+02] -----> EAX=35
016F:0055D4C3 8B55FC MOV EDX,[EBP-04]
016F:0055D4C6 0FB65203 MOVZX EDX,BYTE [EDX+03] -----> EDX=31
016F:0055D4CA 03C2 ADD EAX,EDX -----> EAX=35+31=66
016F:0055D4CC B905000000 MOV ECX,05
016F:0055D4D1 99 CDQ
016F:0055D4D2 F7F9 IDIV ECX -----> 66 mod 5=2
016F:0055D4D4 80C275 ADD DL,75 -----> DL=2+75=77
016F:0055D4D7 8855F9 MOV [EBP-07],DL -----> DL=77->[EBP-07] (used below)
016F:0055D4DA 8B45FC MOV EAX,[EBP-04]
016F:0055D4DD 0FB64004 MOVZX EAX,BYTE [EAX+04] -----> EAX=33
016F:0055D4E1 8B55FC MOV EDX,[EBP-04]
016F:0055D4E4 0FB65205 MOVZX EDX,BYTE [EDX+05] -----> EDX=38
016F:0055D4E8 03C2 ADD EAX,EDX -----> EAX=33+38=6B
016F:0055D4EA B905000000 MOV ECX,05
016F:0055D4EF 99 CDQ
016F:0055D4F0 F7F9 IDIV ECX -----> 6B mod 5=2
016F:0055D4F2 80C27A ADD DL,7A -----> DL=7A+2=7C
016F:0055D4F5 8855FA MOV [EBP-06],DL -----> DL=7C->[EBP-06] (used below)
016F:0055D4F8 8B45FC MOV EAX,[EBP-04]
016F:0055D4FB 0FB64006 MOVZX EAX,BYTE [EAX+06] -----> EAX=39
016F:0055D4FF 8B55FC MOV EDX,[EBP-04]
016F:0055D502 0FB65207 MOVZX EDX,BYTE [EDX+07] -----> EDX=38
016F:0055D506 03C2 ADD EAX,EDX -----> EAX=39+38=71
016F:0055D508 8B55FC MOV EDX,[EBP-04]
016F:0055D50B 0FB65208 MOVZX EDX,BYTE [EDX+08] -----> EDX=34
016F:0055D50F 03C2 ADD EAX,EDX -----> EAX=71+34=A5
016F:0055D511 B905000000 MOV ECX,05
016F:0055D516 99 CDQ
016F:0055D517 F7F9 IDIV ECX -----> A5 mod 5=0
016F:0055D519 80C269 ADD DL,69 -----> DL=0+69=69
016F:0055D51C 8855FB MOV [EBP-05],DL -----> DL=69->[EBP-05]
016F:0055D51F 8D45F4 LEA EAX,[EBP-0C]
016F:0055D522 8A55F8 MOV DL,[EBP-08] -----> DL=[EBP-08]=66 (match the stack slot against the values computed above to find the result; same below)
016F:0055D525 E80A77EAFF CALL 00404C34 -----> 66 as an ASCII character is the letter f; stored as a string
016F:0055D52A 8B45F4 MOV EAX,[EBP-0C] -----> dump EAX: f
016F:0055D52D 8D55FC LEA EDX,[EBP-04]
016F:0055D530 B907000000 MOV ECX,07 -----> ECX=7 (this should be the insertion position: insert at position 7; same below)
016F:0055D535 E8B27AEAFF CALL 00404FEC -----> inserts the letter f at position 7 of 3651389846 above: 365138f9846
016F:0055D53A 8D45F0 LEA EAX,[EBP-10]
016F:0055D53D 8A55FB MOV DL,[EBP-05] -----> DL=[EBP-05]=69
016F:0055D540 E8EF76EAFF CALL 00404C34 -----> 69 as an ASCII character is the letter i; stored as a string
016F:0055D545 8B45F0 MOV EAX,[EBP-10] -----> dump EAX: i
016F:0055D548 8D55FC LEA EDX,[EBP-04]
016F:0055D54B B903000000 MOV ECX,03 -----> ECX=3
016F:0055D550 E8977AEAFF CALL 00404FEC -----> inserts the letter i at position 3 of 365138f9846 above: 36i5138f9846
016F:0055D555 8D45EC LEA EAX,[EBP-14]
016F:0055D558 8A55F9 MOV DL,[EBP-07] -----> DL=[EBP-07]=77
016F:0055D55B E8D476EAFF CALL 00404C34 -----> 77 as an ASCII character is the letter w; stored as a string
016F:0055D560 8B45EC MOV EAX,[EBP-14] -----> dump EAX: w
016F:0055D563 8D55FC LEA EDX,[EBP-04]
016F:0055D566 B905000000 MOV ECX,05 -----> ECX=5
016F:0055D56B E87C7AEAFF CALL 00404FEC -----> inserts the letter w at position 5 of 36i5138f9846 above: 36i5w138f9846
016F:0055D570 8D45E8 LEA EAX,[EBP-18]
016F:0055D573 8A55FA MOV DL,[EBP-06] -----> DL=[EBP-06]=7C
016F:0055D576 E8B976EAFF CALL 00404C34 -----> 7C as an ASCII character is the character |; stored as a string
016F:0055D57B 8B45E8 MOV EAX,[EBP-18] -----> dump EAX: |
016F:0055D57E 8D55FC LEA EDX,[EBP-04]
016F:0055D581 B909000000 MOV ECX,09 -----> ECX=9
016F:0055D586 E8617AEAFF CALL 00404FEC -----> inserts the character | at position 9 of 36i5w138f9846 above: 36i5w138|f9846
016F:0055D58B 8BC6 MOV EAX,ESI
016F:0055D58D 8B55FC MOV EDX,[EBP-04] -----> EDX=36i5w138|f9846 (second part of the registration code)
016F:0055D590 E81375EAFF CALL 00404AA8
016F:0055D595 33C0 XOR EAX,EAX
016F:0055D597 5A POP EDX
016F:0055D598 59 POP ECX
016F:0055D599 59 POP ECX
016F:0055D59A 648910 MOV [FS:EAX],EDX
016F:0055D59D 68BFD55500 PUSH DWORD 0055D5BF
016F:0055D5A2 8D45E8 LEA EAX,[EBP-18]
016F:0055D5A5 BA04000000 MOV EDX,04
016F:0055D5AA E8C974EAFF CALL 00404A78
016F:0055D5AF 8D45FC LEA EAX,[EBP-04]
016F:0055D5B2 E89D74EAFF CALL 00404A54
016F:0055D5B7 C3 RET
Summary:
1> The registration code is derived from the order number. (I denote the order number by X and the intermediate code by Y.)
sn1 = X mod 4DB54
Y = sn1 xor B25F1 (followed by the digit-distribution step)
sn2 = Y xor DDFB7687 (followed by the digit-distribution step)
sn = "sn1" & "sn2" (i.e. concatenated)
2> Now let me work it through with my own order number: (order number = 1360 = 550h)
sn1 = 550 mod 4DB54 = 550 (1360)
Y = 550 xor B25F1 (after the distribution step) = 458BF11
sn2 = 458BF11 xor DDFB7687 (after the distribution step) = 36i5w138|f9846
sn = "1360" & "36i5w138|f9846" = 136036i5w138|f9846
Order number: 1360
Registration code: 136036i5w138|f9846
3> Memory keygen:
Break address: 55D84B
Break count: 1
First byte: 58
Byte length: 1
Register: EDX
4> Restoring the unregistered state:
Delete the newly created li12u.dll file in the software's directory. Note that it is hidden, and it is only generated automatically once you have registered successfully.
5> Remarks:
This software's protection scheme is fairly simple and well suited for practice; after all, you only grow by getting hands-on.
I was pressed for time, so this is written a bit messily; I hope everyone can follow it. If this article has been of help to you, then my goal has been achieved!
Whether or not the 【OCN】 forum still exists, you will always remain in my heart, because you are the one who led me into the hall of CRACK!
I wish the brothers of 【OCN】 all the best, and may your CRACK skills reach a higher level!
------深海游侠 (Shenhai Youxia)
------2004.11.15
==================================================================================
【Statement】This write-up is for internal study only! If reposting, please keep the write-up intact!
==================================================================================