Today I stumbled across a copy of Dr.Batcher on my hard drive that someone else had cracked and I had saved long ago. Having picked up a little cracking, I took it as practice, hence this post.
I registered on Pediy (看雪) a long time ago but have never posted and have always been a temporary member; I hope this gives me a chance to become a full member.
Official site: http://www.drbatcher.com/
First, check for a packer with PEiD: no packer, and the program is written in Delphi:
Running the program shows an unregistered prompt:
OK, since it is written in Delphi, DeDe is the obvious choice; with DeDe it is easy to find the registration form and its button events:
You can see that the RVA of the Button1Click event (the OK button of the registration form) is 00673AFC. Load the program in OllyDbg, set bp 00673AFC, enter a fake registration code, click OK, and it breaks:
Step through with F8 and analyze the event code:
00673AFC /. 55 push ebp ; OK button click handler of the registration form
00673AFD |. 8BEC mov ebp, esp
00673AFF |. B9 05000000 mov ecx, 0x5
00673B04 |> 6A 00 /push 0x0
00673B06 |. 6A 00 |push 0x0
00673B08 |. 49 |dec ecx
00673B09 |.^ 75 F9 \jnz short 00673B04
00673B0B |. 51 push ecx
00673B0C |. 8955 F0 mov dword ptr [ebp-0x10], edx
00673B0F |. 8945 FC mov dword ptr [ebp-0x4], eax
00673B12 |. 33C0 xor eax, eax
00673B14 |. 55 push ebp
00673B15 |. 68 0E3D6700 push 00673D0E
00673B1A |. 64:FF30 push dword ptr fs:[eax]
00673B1D |. 64:8920 mov dword ptr fs:[eax], esp
00673B20 |. 8D55 EC lea edx, dword ptr [ebp-0x14]
00673B23 |. 8B45 FC mov eax, dword ptr [ebp-0x4]
00673B26 |. 8B80 6C030000 mov eax, dword ptr [eax+0x36C]
00673B2C |. E8 878CDFFF call 0046C7B8 ; read the entered serial number
00673B31 |. 8B45 EC mov eax, dword ptr [ebp-0x14]
00673B34 |. 50 push eax
00673B35 |. 8D55 E8 lea edx, dword ptr [ebp-0x18]
00673B38 |. 8B45 FC mov eax, dword ptr [ebp-0x4]
00673B3B |. 8B80 68030000 mov eax, dword ptr [eax+0x368]
00673B41 |. E8 728CDFFF call 0046C7B8 ; read the entered user name
00673B46 |. 8B45 E8 mov eax, dword ptr [ebp-0x18]
00673B49 |. 5A pop edx
00673B4A |. E8 35FCFFFF call 00673784 ; algorithm
00673B4F |. 84C0 test al, al
00673B51 |. 0F84 7D010000 je 00673CD4 ; key jump
At 00673B4F it tests whether al is 0; if it is, the "invalid registration code" dialog pops up, so the jump at 00673B51 is the key jump, and the preceding call 00673784 is naturally the key call. Follow into 00673784:
00673784 /$ 55 push ebp ; algorithm
00673785 |. 8BEC mov ebp, esp
00673787 |. 83C4 B0 add esp, -0x50
0067378A |. 33C9 xor ecx, ecx
0067378C |. 894D B4 mov dword ptr [ebp-0x4C], ecx
0067378F |. 894D B0 mov dword ptr [ebp-0x50], ecx
00673792 |. 894D F0 mov dword ptr [ebp-0x10], ecx
00673795 |. 894D EC mov dword ptr [ebp-0x14], ecx
00673798 |. 894D E8 mov dword ptr [ebp-0x18], ecx
0067379B |. 8955 F8 mov dword ptr [ebp-0x8], edx ; serial number
0067379E |. 8945 FC mov dword ptr [ebp-0x4], eax ; user name
006737A1 |. 8B45 FC mov eax, dword ptr [ebp-0x4]
006737A4 |. E8 2729D9FF call 004060D0 ; increment reference count
006737A9 |. 8B45 F8 mov eax, dword ptr [ebp-0x8]
006737AC |. E8 1F29D9FF call 004060D0 ; increment reference count
006737B1 |. 33C0 xor eax, eax
006737B3 |. 55 push ebp
006737B4 |. 68 89396700 push 00673989
006737B9 |. 64:FF30 push dword ptr fs:[eax]
006737BC |. 64:8920 mov dword ptr fs:[eax], esp ; SEH
006737BF |. 837D FC 00 cmp dword ptr [ebp-0x4], 0x0 ; user name
006737C3 |. 74 06 je short 006737CB
006737C5 |. 837D F8 00 cmp dword ptr [ebp-0x8], 0x0 ; serial number
006737C9 |. 75 09 jnz short 006737D4
006737CB |> C645 F7 00 mov byte ptr [ebp-0x9], 0x0
006737CF |. E9 80010000 jmp 00673954
006737D4 |> 8D45 F0 lea eax, dword ptr [ebp-0x10]
006737D7 |. BA A0396700 mov edx, 006739A0 ; ASCII "Dr.Batcher"
006737DC |. E8 0725D9FF call 00405CE8
006737E1 |. 8D45 E8 lea eax, dword ptr [ebp-0x18]
006737E4 |. BA B4396700 mov edx, 006739B4 ; ASCII "This version of Windows is not supported by Dr.Batcher!"
006737E9 |. E8 FA24D9FF call 00405CE8
006737EE |. 8D45 EC lea eax, dword ptr [ebp-0x14]
006737F1 |. BA F4396700 mov edx, 006739F4 ; ASCII "Dear cracker! If you have any suggestions concerning Dr.Batcher, especially if you can offer us good protection for reasonable price, feel free to contact us via e-mail (support@m-w-c-s.com). You can use russian or belarusian language in"...
006737F6 |. E8 ED24D9FF call 00405CE8
006737FB |. 33C0 xor eax, eax
006737FD |. 8945 E0 mov dword ptr [ebp-0x20], eax
00673800 |. 8B45 FC mov eax, dword ptr [ebp-0x4] ; user name
00673803 |. 8945 D8 mov dword ptr [ebp-0x28], eax
00673806 |. 837D D8 00 cmp dword ptr [ebp-0x28], 0x0
0067380A |. 74 0B je short 00673817
0067380C |. 8B45 D8 mov eax, dword ptr [ebp-0x28]
0067380F |. 83E8 04 sub eax, 0x4
00673812 |. 8B00 mov eax, dword ptr [eax]
00673814 |. 8945 D8 mov dword ptr [ebp-0x28], eax ; user name length
00673817 |> 8B45 D8 mov eax, dword ptr [ebp-0x28]
0067381A |. 48 dec eax
0067381B |. 85C0 test eax, eax
0067381D |. 7C 27 jl short 00673846
0067381F |. 40 inc eax
00673820 |. 8945 DC mov dword ptr [ebp-0x24], eax ; user name length
00673823 |. C745 E4 00000000 mov dword ptr [ebp-0x1C], 0x0
0067382A |> 8B45 FC /mov eax, dword ptr [ebp-0x4] ; loop: a simple ASCII sum produces a value
0067382D |. 8B55 E4 |mov edx, dword ptr [ebp-0x1C]
00673830 |. 0FB64410 FF |movzx eax, byte ptr [eax+edx-0x1]
00673835 |. 0345 E0 |add eax, dword ptr [ebp-0x20]
00673838 |. 0345 E4 |add eax, dword ptr [ebp-0x1C]
0067383B |. 8945 E0 |mov dword ptr [ebp-0x20], eax
0067383E |. FF45 E4 |inc dword ptr [ebp-0x1C]
00673841 |. FF4D DC |dec dword ptr [ebp-0x24]
00673844 |.^ 75 E4 \jnz short 0067382A
00673846 |> 8D45 CC lea eax, dword ptr [ebp-0x34]
00673849 |. 8B55 FC mov edx, dword ptr [ebp-0x4] ; user name
0067384C |. 8A52 02 mov dl, byte ptr [edx+0x2] ; take the third character
0067384F |. 8850 01 mov byte ptr [eax+0x1], dl
00673852 |. C600 01 mov byte ptr [eax], 0x1
00673855 |. 8D55 CC lea edx, dword ptr [ebp-0x34]
00673858 |. 8D45 C8 lea eax, dword ptr [ebp-0x38]
0067385B |. E8 7804D9FF call 00403CD8
00673860 |. 8D45 C4 lea eax, dword ptr [ebp-0x3C]
00673863 |. 8B55 FC mov edx, dword ptr [ebp-0x4] ; user name
00673866 |. 8A52 02 mov dl, byte ptr [edx+0x2] ; take the third character
00673869 |. 8850 01 mov byte ptr [eax+0x1], dl
0067386C |. C600 01 mov byte ptr [eax], 0x1
0067386F |. 8D55 C4 lea edx, dword ptr [ebp-0x3C]
00673872 |. 8D45 C8 lea eax, dword ptr [ebp-0x38]
00673875 |. B1 02 mov cl, 0x2
00673877 |. E8 2C04D9FF call 00403CA8
0067387C |. 8D55 C8 lea edx, dword ptr [ebp-0x38]
0067387F |. 8D45 C0 lea eax, dword ptr [ebp-0x40]
00673882 |. E8 5104D9FF call 00403CD8
00673887 |. 8D45 C4 lea eax, dword ptr [ebp-0x3C]
0067388A |. 8B55 FC mov edx, dword ptr [ebp-0x4] ; user name
0067388D |. 8A52 02 mov dl, byte ptr [edx+0x2] ; take the third character
00673890 |. 8850 01 mov byte ptr [eax+0x1], dl
00673893 |. C600 01 mov byte ptr [eax], 0x1
00673896 |. 8D55 C4 lea edx, dword ptr [ebp-0x3C]
00673899 |. 8D45 C0 lea eax, dword ptr [ebp-0x40]
0067389C |. B1 03 mov cl, 0x3
0067389E |. E8 0504D9FF call 00403CA8
006738A3 |. 8D55 C0 lea edx, dword ptr [ebp-0x40]
006738A6 |. 8D45 B8 lea eax, dword ptr [ebp-0x48]
006738A9 |. E8 2A04D9FF call 00403CD8
006738AE |. 8D45 C4 lea eax, dword ptr [ebp-0x3C]
006738B1 |. 8B55 FC mov edx, dword ptr [ebp-0x4] ; user name
006738B4 |. 8A52 01 mov dl, byte ptr [edx+0x1] ; take the second character
006738B7 |. 8850 01 mov byte ptr [eax+0x1], dl
006738BA |. C600 01 mov byte ptr [eax], 0x1
006738BD |. 8D55 C4 lea edx, dword ptr [ebp-0x3C]
006738C0 |. 8D45 B8 lea eax, dword ptr [ebp-0x48]
006738C3 |. B1 04 mov cl, 0x4
006738C5 |. E8 DE03D9FF call 00403CA8
006738CA |. 8D55 B8 lea edx, dword ptr [ebp-0x48]
006738CD |. 8D45 EC lea eax, dword ptr [ebp-0x14]
006738D0 |. E8 DF25D9FF call 00405EB4
006738D5 |. 8D55 B0 lea edx, dword ptr [ebp-0x50]
006738D8 |. 8B45 E0 mov eax, dword ptr [ebp-0x20]
006738DB |. E8 A482D9FF call 0040BB84 ; convert the value computed above to a string
006738E0 |. FF75 B0 push dword ptr [ebp-0x50]
006738E3 |. 68 F83A6700 push 00673AF8
006738E8 |. FF75 EC push dword ptr [ebp-0x14]
006738EB |. 8D45 B4 lea eax, dword ptr [ebp-0x4C]
006738EE |. BA 03000000 mov edx, 0x3
006738F3 |. E8 EC26D9FF call 00405FE4 ; concatenate the strings
006738F8 |. 8B45 B4 mov eax, dword ptr [ebp-0x4C]
006738FB |. 8D55 F0 lea edx, dword ptr [ebp-0x10]
006738FE |. E8 5977D9FF call 0040B05C ; convert the string to upper case
00673903 |. 8B55 F8 mov edx, dword ptr [ebp-0x8] ; serial number
00673906 |. 8B45 F0 mov eax, dword ptr [ebp-0x10]
00673909 |. E8 1E29D9FF call 0040622C ; check whether the entered serial number begins with the computed string
0067390E |. 85C0 test eax, eax
00673910 |. 7E 21 jle short 00673933
00673912 |. 8B45 F8 mov eax, dword ptr [ebp-0x8] ; serial number
00673915 |. 8945 D4 mov dword ptr [ebp-0x2C], eax
00673918 |. 837D D4 00 cmp dword ptr [ebp-0x2C], 0x0
0067391C |. 74 0B je short 00673929
0067391E |. 8B45 D4 mov eax, dword ptr [ebp-0x2C]
00673921 |. 83E8 04 sub eax, 0x4
00673924 |. 8B00 mov eax, dword ptr [eax]
00673926 |. 8945 D4 mov dword ptr [ebp-0x2C], eax
00673929 |> 837D D4 28 cmp dword ptr [ebp-0x2C], 0x28 ; serial number length
0067392D |. 0F9445 D3 sete byte ptr [ebp-0x2D]
00673931 |. EB 04 jmp short 00673937
00673933 |> C645 D3 00 mov byte ptr [ebp-0x2D], 0x0
00673937 |> 807D D3 00 cmp byte ptr [ebp-0x2D], 0x0
0067393B |. 74 0D je short 0067394A ; serial number length must be 40
0067393D |. 8B45 F8 mov eax, dword ptr [ebp-0x8]
00673940 |. 8078 27 57 cmp byte ptr [eax+0x27], 0x57 ; the 40th character must be W
00673944 |. 0F9445 D2 sete byte ptr [ebp-0x2E]
00673948 |. EB 04 jmp short 0067394E
0067394A |> C645 D2 00 mov byte ptr [ebp-0x2E], 0x0
0067394E |> 8A45 D2 mov al, byte ptr [ebp-0x2E]
00673951 |. 8845 F7 mov byte ptr [ebp-0x9], al
00673954 |> 33C0 xor eax, eax
00673956 |. 5A pop edx
00673957 |. 59 pop ecx
00673958 |. 59 pop ecx
00673959 |. 64:8910 mov dword ptr fs:[eax], edx
0067395C |. 68 90396700 push 00673990
00673961 |> 8D45 B0 lea eax, dword ptr [ebp-0x50]
00673964 |. BA 02000000 mov edx, 0x2
00673969 |. E8 0623D9FF call 00405C74 ; free memory
0067396E |. 8D45 E8 lea eax, dword ptr [ebp-0x18]
00673971 |. BA 03000000 mov edx, 0x3
00673976 |. E8 F922D9FF call 00405C74 ; free memory
0067397B |. 8D45 F8 lea eax, dword ptr [ebp-0x8]
0067397E |. BA 02000000 mov edx, 0x2
00673983 |. E8 EC22D9FF call 00405C74 ; free memory
00673988 \. C3 retn
00673989 .^ E9 761AD9FF jmp 00405404
0067398E .^ EB D1 jmp short 00673961
00673990 8A45 F7 mov al, byte ptr [ebp-0x9] ; al is the return value; non-zero means registration succeeded
00673993 . 8BE5 mov esp, ebp
00673995 . 5D pop ebp
00673996 . C3 retn
If you only want to patch it, it is enough to set al to a non-zero value at the return, but the registration algorithm is so simple that patching is unnecessary. A brief analysis of the algorithm: first, a loop adds up the ASCII codes of the entered user name one by one (also adding a variable that is incremented by 1 on each pass); then the third character of the user name is taken three times and the second character once and concatenated into a string; that string is then joined with the string form of the value computed earlier, separated by a "-"; finally the letters are converted to upper case and compared against the beginning of the entered serial number. In addition, the serial number must be 40 characters long, and the 40th character must be an upper-case W.
The algorithm is simple, so there is no need to bother with a high-level language; the keygen is written as a VBScript script:
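The VBScript keygen announced above is not reproduced on this page. As an added example, not the author's script or the vendor's code, the following Python reconstructs the check from the listing at 00673784 to make its weaknesses explicit: the "-" separator and the prefix comparison follow the post's description, names shorter than three characters are rejected rather than read past the string (an assumption), and the keyed-MAC form at the end is a constructed illustration of binding a serial to something the client binary does not contain.

```python
import hmac
import hashlib

# Added example: the serial check reconstructed from the listing at 00673784.
# Reimplementation for analysis only, not the vendor's code.

def expected_prefix(name: bytes) -> bytes:
    """Value the binary builds from the user name (listing 006737FB..006738FE)."""
    # Loop at 0067382A: i runs 0..len-1 but reads [name+i-1], so the first pass
    # reads the byte *before* the characters (top byte of the Delphi AnsiString
    # length field, 0 for any realistic name) and the last character is never read.
    total = 0
    for i in range(len(name)):
        total += (name[i - 1] if i > 0 else 0) + i
    # 00673846..006738C5: third character three times, then the second character once
    fragment = name[2:3] * 3 + name[1:2]
    # 00405FE4 joins fragment, separator and decimal sum; 0040B05C upper-cases it
    return (fragment + b"-" + str(total).encode()).upper()

def check_serial(name: bytes, serial: bytes) -> bool:
    """Mirror of the checks the OK button runs before accepting a serial."""
    if not name or not serial:          # 006737BF: empty name or serial -> fail
        return False
    if len(name) < 3:                   # assumption: the binary would read past a
        return False                    # shorter name; this version rejects it
    if not serial.startswith(expected_prefix(name)):   # 00673909 / 00673910
        return False
    if len(serial) != 0x28:             # 00673929: exactly 40 characters
        return False
    return serial[0x27] == ord("W")     # 00673940: the 40th character is 'W'

# Why this is weak: every input to the check is derived from the user name and
# constants in the binary, and the off-by-one above ignores the last character,
# so names that differ only in their final byte share the same expected prefix.
def collide(a: bytes, b: bytes) -> bool:
    return expected_prefix(a) == expected_prefix(b)

# Hardened form (constructed): bind the serial to the name with a keyed MAC and
# verify where the key lives (a license server), never inside the client binary.
ISSUER_KEY = b"placeholder-issuer-key"   # constructed placeholder, never shipped

def issue_signed(name: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, name, hashlib.sha256).hexdigest().upper().encode()

def verify_signed(name: bytes, serial: bytes) -> bool:
    return hmac.compare_digest(issue_signed(name), serial)
```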