[原创]CD MP3 Burner V2.15 - DES算法简析
[原创]CD MP3 Burner V2.15 - DES算法简析
【破文标题】:CD MP3 Burner V2.15 - DES算法简析
【破文作者】:KuNgBiM[DFCG]
【作者邮箱】:gb_1227@163.com
【软件简介】:CD MP3 Burner V2.15
【软件大小】:1463 KB
【软件语言】:英文
【软件类别】:国外软件 / 共享版 / 光盘刻录
【产品地址】:http://www.mp3do.com/
【下载地址】:http://www3.skycn.com/soft/1667.html
【软件介绍】:
CD MP3 Burner
可以将 MP3 音乐直接烧录成一般的音乐光碟,它可以编辑 MP3 标签(ID3 Tag v1 & v2),也有 MP3 转 WAV 档的功能,更是一个很棒的 MP3 播放器。
【保护方式】:功能限制+注册提示框+Keyfile
【加密方式】:ASPack 2.12 -> Alexey Solodovnikov
【编译语言】:Borland Delphi 6.0 - 7.0
【调试环境】:WinXP、PEiD、Ollydbg
【破解日期】:2005-05-15
【破解目的】:研究算法分析
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
―――――――――――――――――――――――――――――――――
【破解过程】:
侦壳脱壳:用PEiD查壳,ASPack 2.12 -> Alexey Solodovnikov 所加的壳,OD手动脱之后,程序为 Borland Delphi 6.0 - 7.0 编译。
试探:运行主程序注册,输入Name、Email、Key,确认!程序提示“Your serial number have not been accept.please try again!”
开刀:拿出我们的法宝,OD载入主程序,加载完毕后,搜索--->所有的参考文本字符串“Your serial number have not been accept.please try again!”,双击来到 004CD244,向上来到 004CD22D 处下断,F9运行,输入试炼信息:
============
试炼信息 ===========
Name
:KuNgBiM
Code
:9876543210
=================================
确定后中断如下:
004CD1FC 55
push ebp
004CD1FD 8BEC
mov ebp,
esp
004CD1FF 6A 00
push 0
004CD201 53
push ebx
004CD202 8BD8
mov ebx,
eax
004CD204 33C0
xor eax,
eax
004CD206 55
push ebp
004CD207 68 77D24C00
push Unpacked.004CD277
004CD20C 64:FF30
push dword ptr fs:[
eax]
004CD20F 64:8920
mov dword ptr fs:[
eax],
esp
004CD212 8D55 FC
lea edx,
dword ptr ss:[
ebp-4]
004CD215 8B83 F0020000
mov eax,
dword ptr ds:[
ebx+2F0]
004CD21B E8 ECB2F7FF
call Unpacked.0044850C
004CD220 837D FC 00
cmp dword ptr ss:[
ebp-4],0
004CD224 74 2A
je short Unpacked.004CD250
004CD226 A1 F48B4F00
mov eax,
dword ptr ds:[4F8BF4]
004CD22B 8B00
mov eax,
dword ptr ds:[
eax]
004CD22D E8 BEDB0000
call Unpacked.004DADF0 //
中断在此! 算法CALL,跟进!
004CD232 84C0
test al,
al
004CD234 74 0E
je short Unpacked.004CD244
004CD236 A1 F48B4F00
mov eax,
dword ptr ds:[4F8BF4]
004CD23B 8B00
mov eax,
dword ptr ds:[
eax]
004CD23D E8 CADC0000
call Unpacked.004DAF0C
004CD242 EB 16
jmp short Unpacked.004CD25A
004CD244 B8 8CD24C00
mov eax,Unpacked.004CD28C //
注册码验证失败提示信息!
004CD249 E8 4E44F7FF
call Unpacked.0044169C
004CD24E EB 0A
jmp short Unpacked.004CD25A
004CD250 B8 D0D24C00
mov eax,Unpacked.004CD2D0
; ASCII "please input Your name!"
004CD255 E8 4244F7FF
call Unpacked.0044169C
004CD25A 8BC3
mov eax,
ebx
004CD25C E8 FB7CF9FF
call Unpacked.00464F5C
004CD261 33C0
xor eax,
eax
004CD263 5A
pop edx
004CD264 59
pop ecx
004CD265 59
pop ecx
004CD266 64:8910
mov dword ptr fs:[
eax],
edx
004CD269 68 7ED24C00
push Unpacked.004CD27E
004CD26E 8D45 FC
lea eax,
dword ptr ss:[
ebp-4]
004CD271 E8 C676F3FF
call Unpacked.0040493C
004CD276 C3
retn
...........
==============
跟进 004CD22D E8 BEDB0000 call Unpacked.004DADF0 ===============
004DADF0 55
push ebp
004DADF1 8BEC
mov ebp,
esp
004DADF3 33C9
xor ecx,
ecx
004DADF5 51
push ecx
004DADF6 51
push ecx
004DADF7 51
push ecx
004DADF8 51
push ecx
004DADF9 51
push ecx
004DADFA 53
push ebx
004DADFB 33C0
xor eax,
eax
004DADFD 55
push ebp
004DADFE 68 CCAE4D00
push Unpacked.004DAECC
004DAE03 64:FF30
push dword ptr fs:[
eax]
004DAE06 64:8920
mov dword ptr fs:[
eax],
esp
004DAE09 8D55 FC
lea edx,
dword ptr ss:[
ebp-4]
004DAE0C A1 D08A4F00
mov eax,
dword ptr ds:[4F8AD0]
004DAE11 8B00
mov eax,
dword ptr ds:[
eax]
004DAE13 8B80 F0020000
mov eax,
dword ptr ds:[
eax+2F0]
004DAE19 E8 EED6F6FF
call Unpacked.0044850C //
读取 Name 编辑框内容到 [ebp-4](0044850C 应为取控件文本:004CD21B 处对同一调用的结果做了空串检查,下面 004DAE26 又把 [ebp-4] 当作用户名传给算法)
004DAE1E 8D4D F4
lea ecx,
dword ptr ss:[
ebp-C]
004DAE21 BA E4AE4D00
mov edx,Unpacked.004DAEE4
; ASCII "burn2"
004DAE26 8B45 FC
mov eax,
dword ptr ss:[
ebp-4] //
调用用户名
004DAE29 E8 4A2FFFFF
call Unpacked.004CDD78 //
算法CALL,跟进!(入参:eax=用户名,edx="burn2",结果写到 [ebp-C]。注意:文中贴出的 004CDD78 只做“逐字节转十六进制”,真正的变换在其内部调用的 004CDB94 中,本文未贴出,是否为 DES 无法据此确认)
004DAE2E 8B55 F4
mov edx,
dword ptr ss:[
ebp-C] // ASCII
"88E019717896F614"
004DAE31 B8 F8A24F00
mov eax,Unpacked.004FA2F8
004DAE36 E8 559BF2FF
call Unpacked.00404990 //
把 [ebp-C] 中的 16 字符串存入全局变量 004FA2F8(00404990 应为字符串赋值;下面 004DAE40 再从 [4FA2F8] 取出传给 004DAD68),此处与“固定字符A”无关
004DAE3B 68 F4AE4D00
push Unpacked.004DAEF4
; ASCII "cmb21-"
004DAE40 A1 F8A24F00
mov eax,
dword ptr ds:[4FA2F8]
004DAE45 E8 1EFFFFFF
call Unpacked.004DAD68 //
对 "88E019717896F614" 这 16 个字符做自定义散列并对 100000 取余(见下文 004DAD9B 的 *25 / +ch / ^(ch*13<<20) 循环),并非 DES S-box 运算,跟进!
004DAE4A 8D55 F0
lea edx,
dword ptr ss:[
ebp-10]
004DAE4D E8 C2E5F2FF
call Unpacked.00409414 //
把上一步得到的余数(004DADCA 存入 ebx,推测经 eax 返回)用 "%d" 转成十进制字符串,写到 [ebp-10](相当于 IntToStr,见下文),跟进!
004DAE52 FF75 F0
push dword ptr ss:[
ebp-10] // ASCII
"93190" 注册码中段
004DAE55 68 04AF4D00
push Unpacked.004DAF04
; ASCII "-2004"
004DAE5A 8D45 F8
lea eax,
dword ptr ss:[
ebp-8]
004DAE5D BA 03000000
mov edx,3
004DAE62 E8 5D9EF2FF
call Unpacked.00404CC4
004DAE67 8D55 EC
lea edx,
dword ptr ss:[
ebp-14] //
上一条 call 00404CC4(edx=3,三串连接)已把“固定字符A”+“注册码中段”+“固定字符B”拼成 [ebp-8];这里 lea edx,[ebp-14] 是准备读取 Code 框(偏移 2F4)内容到 [ebp-14]
004DAE6A A1 D08A4F00
mov eax,
dword ptr ds:[4F8AD0]
004DAE6F 8B00
mov eax,
dword ptr ds:[
eax]
004DAE71 8B80 F4020000
mov eax,
dword ptr ds:[
eax+2F4]
004DAE77 E8 90D6F6FF
call Unpacked.0044850C
004DAE7C 8B45 EC
mov eax,
dword ptr ss:[
ebp-14] //
试炼码"9876543210"
004DAE7F 8B55 F8
mov edx,
dword ptr ss:[
ebp-8] //
注册码"cmb21-93190-2004"
004DAE82 E8 C19EF2FF
call Unpacked.00404D48 //
经典比对CALL,跟进! 内存注册机
004DAE87 75 1E
jnz short Unpacked.004DAEA7 //
爆破点
004DAE89 B3 01
mov bl,1
004DAE8B B8 F0A24F00
mov eax,Unpacked.004FA2F0
004DAE90 8B55 FC
mov edx,
dword ptr ss:[
ebp-4]
004DAE93 E8 F89AF2FF
call Unpacked.00404990
004DAE98 B8 F4A24F00
mov eax,Unpacked.004FA2F4
004DAE9D 8B55 F8
mov edx,
dword ptr ss:[
ebp-8]
004DAEA0 E8 EB9AF2FF
call Unpacked.00404990
004DAEA5 EB 02
jmp short Unpacked.004DAEA9
004DAEA7 33DB
xor ebx,
ebx
004DAEA9 33C0
xor eax,
eax
004DAEAB 5A
pop edx
004DAEAC 59
pop ecx
004DAEAD 59
pop ecx
004DAEAE 64:8910
mov dword ptr fs:[
eax],
edx
004DAEB1 68 D3AE4D00
push Unpacked.004DAED3
004DAEB6 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
004DAEB9 E8 7E9AF2FF
call Unpacked.0040493C
004DAEBE 8D45 F0
lea eax,
dword ptr ss:[
ebp-10]
004DAEC1 BA 04000000
mov edx,4
004DAEC6 E8 959AF2FF
call Unpacked.00404960
004DAECB C3
retn
===============
跟进 004DAE29 E8 4A2FFFFF call Unpacked.004CDD78 [把 004CDB94(用户名,"burn2") 的输出逐字节转为十六进制串;004CDB94 本身未贴出,是否为 DES 无法确认]==============
004CDD78 55
push ebp
004CDD79 8BEC
mov ebp,
esp
004CDD7B 83C4 E4
add esp,-1C
004CDD7E 53
push ebx
004CDD7F 56
push esi
004CDD80 57
push edi
004CDD81 33DB
xor ebx,
ebx
004CDD83 895D F4
mov dword ptr ss:[
ebp-C],
ebx
004CDD86 895D F0
mov dword ptr ss:[
ebp-10],
ebx
004CDD89 895D EC
mov dword ptr ss:[
ebp-14],
ebx
004CDD8C 8BF9
mov edi,
ecx
004CDD8E 8955 F8
mov dword ptr ss:[
ebp-8],
edx
004CDD91 8945 FC
mov dword ptr ss:[
ebp-4],
eax
004CDD94 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
004CDD97 E8 5070F3FF
call Unpacked.00404DEC
004CDD9C 8B45 F8
mov eax,
dword ptr ss:[
ebp-8]
004CDD9F E8 4870F3FF
call Unpacked.00404DEC
004CDDA4 33C0
xor eax,
eax
004CDDA6 55
push ebp
004CDDA7 68 4ADE4C00
push Unpacked.004CDE4A
004CDDAC 64:FF30
push dword ptr fs:[
eax]
004CDDAF 64:8920
mov dword ptr fs:[
eax],
esp
004CDDB2 8D4D F0
lea ecx,
dword ptr ss:[
ebp-10]
004CDDB5 8B55 F8
mov edx,
dword ptr ss:[
ebp-8]
004CDDB8 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
004CDDBB E8 D4FDFFFF
call Unpacked.004CDB94
004CDDC0 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
004CDDC3 E8 746BF3FF
call Unpacked.0040493C
004CDDC8 8B45 F0
mov eax,
dword ptr ss:[
ebp-10]
004CDDCB E8 346EF3FF
call Unpacked.00404C04
004CDDD0 8BD8
mov ebx,
eax
004CDDD2 4B
dec ebx
004CDDD3 85DB
test ebx,
ebx
004CDDD5 7C 4E
jl short Unpacked.004CDE25
004CDDD7 43
inc ebx
004CDDD8 33F6
xor esi,
esi
004CDDDA 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
004CDDDD 50
push eax
004CDDDE 8B45 F0
mov eax,
dword ptr ss:[
ebp-10]
004CDDE1 0FB60430
movzx eax,
byte ptr ds:[
eax+
esi]
004CDDE5 8945 E4
mov dword ptr ss:[
ebp-1C],
eax
004CDDE8 C645 E8 00
mov byte ptr ss:[
ebp-18],0
004CDDEC 8D55 E4
lea edx,
dword ptr ss:[
ebp-1C]
004CDDEF 33C9
xor ecx,
ecx
004CDDF1 B8 60DE4C00
mov eax,Unpacked.004CDE60
; ASCII "%x"
004CDDF6 E8 05C4F3FF
call Unpacked.0040A200
004CDDFB 8B45 EC
mov eax,
dword ptr ss:[
ebp-14]
004CDDFE E8 016EF3FF
call Unpacked.00404C04
004CDE03 48
dec eax
004CDE04 75 10
jnz short Unpacked.004CDE16
004CDE06 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
004CDE09 8B4D EC
mov ecx,
dword ptr ss:[
ebp-14]
004CDE0C BA 6CDE4C00
mov edx,Unpacked.004CDE6C
004CDE11 E8 3A6EF3FF
call Unpacked.00404C50
004CDE16 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
004CDE19 8B55 EC
mov edx,
dword ptr ss:[
ebp-14]
004CDE1C E8 EB6DF3FF
call Unpacked.00404C0C
004CDE21 46
inc esi
004CDE22 4B
dec ebx
004CDE23 ^ 75 B5
jnz short Unpacked.004CDDDA //
向上循环,次数 = [ebp-10](004CDB94 的输出)的字节数:每个字节按 "%x" 格式化,结果只有 1 位时在前面补上 004CDE6C 处的字符串(应为 "0"),再追加到 [ebp-C]。得到 16 个十六进制字符即 8 个字节,故实际循环 8 次而非 16 次;结果为 "88E019717896F614"
004CDE25 8BC7
mov eax,
edi
004CDE27 8B55 F4
mov edx,
dword ptr ss:[
ebp-C]
004CDE2A E8 616BF3FF
call Unpacked.00404990
004CDE2F 33C0
xor eax,
eax
004CDE31 5A
pop edx
004CDE32 59
pop ecx
004CDE33 59
pop ecx
004CDE34 64:8910
mov dword ptr fs:[
eax],
edx
004CDE37 68 51DE4C00
push Unpacked.004CDE51
004CDE3C 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
004CDE3F BA 05000000
mov edx,5
004CDE44 E8 176BF3FF
call Unpacked.00404960
004CDE49 C3
retn //
运算完毕后返回
...........
==============
跟进 004DAE45 E8 1EFFFFFF call Unpacked.004DAD68 [对 16 字符的 check 串做自定义散列并对 100000 取余;并非 DES 密钥处理或解密] ==============
004DAD68 55
push ebp
004DAD69 8BEC
mov ebp,
esp
004DAD6B 51
push ecx
004DAD6C 53
push ebx
004DAD6D 8945 FC
mov dword ptr ss:[
ebp-4],
eax
004DAD70 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
004DAD73 E8 74A0F2FF
call Unpacked.00404DEC
004DAD78 33C0
xor eax,
eax
004DAD7A 55
push ebp
004DAD7B 68 E2AD4D00
push Unpacked.004DADE2
004DAD80 64:FF30
push dword ptr fs:[
eax]
004DAD83 64:8920
mov dword ptr fs:[
eax],
esp
004DAD86 8B45 FC
mov eax,
dword ptr ss:[
ebp-4]
004DAD89 E8 769EF2FF
call Unpacked.00404C04
004DAD8E 33C9
xor ecx,
ecx
004DAD90 8BD0
mov edx,
eax
004DAD92 85D2
test edx,
edx
004DAD94 76 29
jbe short Unpacked.004DADBF
004DAD96 B8 01000000
mov eax,1
004DAD9B 8D0C89
lea ecx,
dword ptr ds:[
ecx+
ecx*4]
004DAD9E 8D0C89
lea ecx,
dword ptr ds:[
ecx+
ecx*4]
004DADA1 8B5D FC
mov ebx,
dword ptr ss:[
ebp-4]
004DADA4 0FB65C03 FF
movzx ebx,
byte ptr ds:[
ebx+
eax-1]
004DADA9 03CB
add ecx,
ebx
004DADAB 8B5D FC
mov ebx,
dword ptr ss:[
ebp-4]
004DADAE 0FB65C03 FF
movzx ebx,
byte ptr ds:[
ebx+
eax-1]
004DADB3 6BDB 0D
imul ebx,
ebx,0D
004DADB6 C1E3 14
shl ebx,14
004DADB9 33CB
xor ecx,
ebx
004DADBB 40
inc eax
004DADBC 4A
dec edx
004DADBD ^ 75 DC
jnz short Unpacked.004DAD9B //
按字符串长度循环(本例 16 次),对每个字符 ch:ecx = ecx*25 + ch;ecx ^= (ch*13) << 20。循环结束后 ecx 对 186A0h(100000)取余,余数存入 ebx。这是简单的散列/校验运算,不是解密
004DADBF 8BC1
mov eax,
ecx
004DADC1 B9 A0860100
mov ecx,186A0
004DADC6 33D2
xor edx,
edx
004DADC8 F7F1
div ecx
004DADCA 8BDA
mov ebx,
edx
004DADCC 33C0
xor eax,
eax
004DADCE 5A
pop edx
004DADCF 59
pop ecx
004DADD0 59
pop ecx
004DADD1 64:8910
mov dword ptr fs:[
eax],
edx
004DADD4 68 E9AD4D00
push Unpacked.004DADE9
004DADD9 8D45 FC
lea eax,
dword ptr ss:[
ebp-4]
004DADDC E8 5B9BF2FF
call Unpacked.0040493C
004DADE1 C3
retn
...........
==============
跟进 004DAE4D E8 C2E5F2FF call Unpacked.00409414 [整数按 "%d" 转十进制字符串,相当于 IntToStr;并非解密] ==============
00409414 83C4 F8
add esp,-8 // ASCII
"R?"
00409417 6A 00
push 0
00409419 894424 04
mov dword ptr ss:[
esp+4],
eax
0040941D C64424 08 00
mov byte ptr ss:[
esp+8],0 //
堆栈 ss:[0012FC1C]=4C ('L')
00409422 8D4C24 04
lea ecx,
dword ptr ss:[
esp+4] //
ecx=0
00409426 8BC2
mov eax,
edx
00409428 BA 40944000
mov edx,Unpacked.00409440
; ASCII "%d"
0040942D E8 E20D0000
call Unpacked.0040A214
00409432 59
pop ecx
00409433 5A
pop edx
00409434 C3
retn //
格式化完毕,返回;[ebp-10] 得到 "93190"
...........
==============
跟进 004DAE82 E8 C19EF2FF call Unpacked.00404D48 [比对CALL] ==============
00404D48 53
push ebx
00404D49 56
push esi
00404D4A 57
push edi
00404D4B 89C6
mov esi,
eax //
esi = 试炼码"9876543210"(寄存器传参,并非入栈)
00404D4D 89D7
mov edi,
edx //
edi = 正确注册码"cmb21-93190-2004"(寄存器传参,并非入栈)
00404D4F 39D0
cmp eax,
edx //
先比较两个指针是否相同,相同则跳到 00404DE6(推测为相等返回);否则继续逐字节比较(函数余下部分本文未贴出)。正确注册码以明文放在 edx 所指串中,故可在此直接取出做内存注册机
00404D51 0F84 8F000000
je Unpacked.00404DE6
00404D57 85F6
test esi,
esi
00404D59 74 68
je short Unpacked.00404DC3
00404D5B 85FF
test edi,
edi
...........
【算法总结】
1
、格式:注册码由3段构成,其中2段为固定字符串,格式为:
“固定字符A”+“注册码中段”+“固定字符B” 即:“cmb21-”+注册码中段+“-2004”
2
、第一步:以用户名和固定串“burn2”为输入调用 004CDB94(该函数本文未贴出,是否为 DES 无法从贴出的代码确认),再把其输出逐字节按 "%x" 转成两位十六进制,拼成 16 个字符的 check 串(本例为 88E019717896F614)。所谓“位数自加一”“DES-sBox1 加密”在贴出的代码里没有依据。
3
、第二步:对 check 串的每个字符做 ecx = ecx*25 + ch、ecx ^= (ch*13) << 20 的散列运算(004DAD9B 循环),结果对 100000 取余,再用 "%d" 转成十进制字符串(最多 5 位),作为注册码中段。这一步不是解密,而是一个取值空间只有 100000 的弱散列。
4
、注册码组合:以固定格式输出:“cmb21-”+注册码中段+“-2004”
5
、安全性评注:注册码完全由用户名决定,中段只有 100000 种可能,最终又在 004DAE82 处做明文字符串比较,因此内存注册机、爆破或直接穷举中段都能通过;这种校验只能起提示作用,挡不住有意的破解。
=======================
内存注册机:
中断地址:004DAE82
中断次数:1
第一字节:E8
指令长度:5
内存方式--->EDX
=======================
注册信息:
Name
:KuNgBiM
Code
:cmb21-93190-2004
注册信息以明文保存在安装目录下 burn.cfg 文件中(Name、Pass 以及上文的 check 串都未加密;删除该文件后可重新注册)
======== burn.cfg
文件内容 =========
[reg]
Name=KuNgBiM
Pass=cmb21-93190-2004
check=88E019717896F614
====================================
--------------------------------------------------------------------------
(本文完)
版权所有(C)2005 KuNgBiM[DFCG] Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------
Cracked BY KuNgBiM[DFCG]
2005-05-15
03:24:00 AM