神通2001豪华版 (module name Magic_Po): Registration Algorithm Analysis
Author: lchhome
I. PEiD identifies the packer as ASPack 2.1. Load the program in OllyDbg (OD) and trace to the original entry point, OEP = B0798 (an RVA; with the 00400000 image base seen in the listing below that is 004B0798). Dump the process from the OEP with the dump plugin (detailed steps omitted). The dumped file will not run until its import table is rebuilt; fixing it with ImportREC V1.6F makes it work.
II. Load the unpacked program in OD and search the referenced strings for the error message "您输入的注册码错误!请检查是否输入有误!" (Your registration code is wrong! Please check your input!). Double-click it to land here:
004AE011 . E8 FA5EF5FF CALL Magic_Po.00403F10   returns the length of the registration code. Set a breakpoint here, press F9 to break, then step with F8
004AE016 . 83F8 14 CMP EAX,14   compare the length of your registration code with 20 (0x14)
004AE019 . 7F 0F JG SHORT Magic_Po.004AE02A   JG jumps only when the length is GREATER than 20; a length of 20 or less falls through into the error below. So the registration code must be longer than 20 characters, otherwise GAME OVER!
004AE01B . B8 24E34A00 MOV EAX,Magic_Po.004AE324 ; "您输入的注册码错误!请检查是否输入有误!" (Your registration code is wrong! Please check your input!)
004AE020 . E8 CB77FAFF CALL Magic_Po.004557F0   show the message
004AE025 . E9 8E020000 JMP Magic_Po.004AE2B8
004AE02A > 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]   destination for the first substring
004AE02D . 50 PUSH EAX
004AE02E . 8D95 14FEFFFF LEA EDX,DWORD PTR SS:[EBP-1EC]
004AE034 . 8B83 0C030000 MOV EAX,DWORD PTR DS:[EBX+30C]   [EBX+30C] is the registration-code edit box
004AE03A . E8 D13FF8FF CALL Magic_Po.00432010   read its text into [EBP-1EC]
004AE03F . 8B85 14FEFFFF MOV EAX,DWORD PTR SS:[EBP-1EC]
004AE045 . B9 0A000000 MOV ECX,0A   count = 10
004AE04A . BA 01000000 MOV EDX,1   index = 1
004AE04F . E8 C460F5FF CALL Magic_Po.00404118   [EBP-4] = Copy(code, 1, 10): the first ten characters of the registration code
004AE054 . 8D95 10FEFFFF LEA EDX,DWORD PTR SS:[EBP-1F0]
004AE05A . 8B83 0C030000 MOV EAX,DWORD PTR DS:[EBX+30C]
004AE060 . E8 AB3FF8FF CALL Magic_Po.00432010
004AE065 . 8B85 10FEFFFF MOV EAX,DWORD PTR SS:[EBP-1F0]   your registration code is visible here
004AE06B . 50 PUSH EAX
004AE06C . 8D95 0CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1F4]
004AE072 . 8B83 04030000 MOV EAX,DWORD PTR DS:[EBX+304]   [EBX+304] is the user-name edit box
004AE078 . E8 933FF8FF CALL Magic_Po.00432010
004AE07D . 8B85 0CFEFFFF MOV EAX,DWORD PTR SS:[EBP-1F4]   your user name
004AE083 . 5A POP EDX   EDX = registration code, EAX = user name
004AE084 . E8 7361F5FF CALL Magic_Po.004041FC   Pos(username, code): searches the registration code for the user name and returns its 1-based position, or 0 if it is absent. The author describes this as comparing the user name with the leading characters of the code; as the routine traced below shows, the user name may actually sit anywhere in the code. Step into the CALL to see for yourself
004AE089 . 8BF0 MOV ESI,EAX
004AE08B . 85F6 TEST ESI,ESI
004AE08D . 75 0F JNZ SHORT Magic_Po.004AE09E   found (non-zero): jump; not found: GAME OVER
004AE08F . B8 58E34A00 MOV EAX,Magic_Po.004AE358 ; "用户名错误!" (Wrong user name!)
004AE094 . E8 5777FAFF CALL Magic_Po.004557F0
004AE099 . E9 1A020000 JMP Magic_Po.004AE2B8
004AE09E > 33C0 XOR EAX,EAX
004AE0A0 . 55 PUSH EBP
004AE0A1 . 68 FBE04A00 PUSH Magic_Po.004AE0FB   install an exception frame (a Delphi try block); the handler entry is 004AE0FB
004AE0A6 . 64:FF30 PUSH DWORD PTR FS:[EAX]
004AE0A9 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
004AE0AC . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]   destination for the second substring
004AE0AF . 50 PUSH EAX
004AE0B0 . 8D95 08FEFFFF LEA EDX,DWORD PTR SS:[EBP-1F8]
004AE0B6 . 8B83 04030000 MOV EAX,DWORD PTR DS:[EBX+304]
004AE0BC . E8 4F3FF8FF CALL Magic_Po.00432010   user name again
004AE0C1 . 8B85 08FEFFFF MOV EAX,DWORD PTR SS:[EBP-1F8]
004AE0C7 . E8 445EF5FF CALL Magic_Po.00403F10   Length(username)
004AE0CC . 03F0 ADD ESI,EAX   ESI = Pos + Length(username): the position of the first character after the user name inside the code
004AE0CE . 56 PUSH ESI
004AE0CF . 8D95 04FEFFFF LEA EDX,DWORD PTR SS:[EBP-1FC]
004AE0D5 . 8B83 0C030000 MOV EAX,DWORD PTR DS:[EBX+30C]
004AE0DB . E8 303FF8FF CALL Magic_Po.00432010   registration code again
004AE0E0 . 8B85 04FEFFFF MOV EAX,DWORD PTR SS:[EBP-1FC]
004AE0E6 . B9 0A000000 MOV ECX,0A   count = 10
004AE0EB . 5A POP EDX   index = Pos + Length(username)
004AE0EC . E8 2760F5FF CALL Magic_Po.00404118   [EBP-8] = Copy(code, Pos+Length(username), 10): the ten characters that follow the user name (fewer if the code ends first)
004AE0F1 . 33C0 XOR EAX,EAX
004AE0F3 . 5A POP EDX
004AE0F4 . 59 POP ECX
004AE0F5 . 59 POP ECX
004AE0F6 . 64:8910 MOV DWORD PTR FS:[EAX],EDX   remove the exception frame
004AE0F9 . EB 1E JMP SHORT Magic_Po.004AE119
004AE0FB .^ E9 F052F5FF JMP Magic_Po.004033F0   exception handler entry
004AE100 . B8 70E34A00 MOV EAX,Magic_Po.004AE370 ; "注册码不正确!" (Registration code incorrect!)   shown only if something raised inside the try block above
004AE105 . E8 E676FAFF CALL Magic_Po.004557F0
004AE10A . E8 3D56F5FF CALL Magic_Po.0040374C
004AE10F . E9 A4010000 JMP Magic_Po.004AE2B8
004AE114 . E8 3356F5FF CALL Magic_Po.0040374C
004AE119 > 33FF XOR EDI,EDI   EDI = A = 0
004AE11B . 33C0 XOR EAX,EAX
004AE11D . 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX   [EBP-10] = B = 0
004AE120 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004AE123 . E8 E85DF5FF CALL Magic_Po.00403F10   Length of the first substring (10)
004AE128 . 8BD8 MOV EBX,EAX
004AE12A . 85DB TEST EBX,EBX
004AE12C . 7E 26 JLE SHORT Magic_Po.004AE154   empty substring: skip the loop
004AE12E . BE 01000000 MOV ESI,1
004AE133 > 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] 》》》》》》》》》》》》》》 loop start
004AE136 . 50 PUSH EAX
004AE137 . B9 01000000 MOV ECX,1
004AE13C . 8BD6 MOV EDX,ESI
004AE13E . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004AE141 . E8 D25FF5FF CALL Magic_Po.00404118   [EBP-C] = Copy(substring, ESI, 1): one character
004AE146 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004AE149 . E8 D2AAF5FF CALL Magic_Po.00408C20   converts that single character to an integer (a StrToInt-style routine: string in EAX, value back in EAX). Only the decimal digits 0-9 convert; any other character raises a conversion exception, and the author observed that clicking Register then appears to do nothing. Note that this is applied to the registration-code characters, not directly to the user name; the user name is only forced to consist of digits when it is placed at the front of the code, as in the author's example
004AE14E . 03F8 ADD EDI,EAX   this loop sums the first ten digits of the registration code, giving the value A
004AE150 . 46 INC ESI
004AE151 . 4B DEC EBX
004AE152 .^ 75 DF JNZ SHORT Magic_Po.004AE133 》》》》》》》》》》》》》 loop end
004AE154 > 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004AE157 . E8 B45DF5FF CALL Magic_Po.00403F10   Length of the second substring
004AE15C . 8BD8 MOV EBX,EAX
004AE15E . 85DB TEST EBX,EBX
004AE160 . 7E 27 JLE SHORT Magic_Po.004AE189   empty substring: skip the loop, B stays 0
004AE162 . BE 01000000 MOV ESI,1
004AE167 > 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] 》》》》》》》》》》》》》 loop start
004AE16A . 50 PUSH EAX
004AE16B . B9 01000000 MOV ECX,1
004AE170 . 8BD6 MOV EDX,ESI
004AE172 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004AE175 . E8 9E5FF5FF CALL Magic_Po.00404118
004AE17A . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-F4]
004AE17D . E8 9EAAF5FF CALL Magic_Po.00408C20
004AE182 . 0145 F0 ADD DWORD PTR SS:[EBP-10],EAX   this loop sums the ten digits that follow the user name in the registration code, giving the value B. With the author's five-character user name placed at the front of the code, these are characters 6 through 15
004AE185 . 46 INC ESI
004AE186 . 4B DEC EBX
004AE187 .^ 75 DE JNZ SHORT Magic_Po.004AE167 》》》》》》》》》》》》》 loop end
004AE189 > 8D85 00FEFFFF LEA EAX,DWORD PTR SS:[EBP-200]
004AE18F . 50 PUSH EAX
004AE190 . 8D95 FCFDFFFF LEA EDX,DWORD PTR SS:[EBP-204]
004AE196 . 8BC7 MOV EAX,EDI   A
004AE198 . E8 53AAF5FF CALL Magic_Po.00408BF0   [EBP-204] = IntToStr(A)
004AE19D . 8B85 FCFDFFFF MOV EAX,DWORD PTR SS:[EBP-204]
004AE1A3 . B9 01000000 MOV ECX,1
004AE1A8 . BA 01000000 MOV EDX,1
004AE1AD . E8 665FF5FF CALL Magic_Po.00404118   [EBP-200] = Copy(IntToStr(A), 1, 1): the most significant decimal digit of A
004AE1B2 . 8B85 00FEFFFF MOV EAX,DWORD PTR SS:[EBP-200]
004AE1B8 . 50 PUSH EAX
004AE1B9 . 8D85 F8FDFFFF LEA EAX,DWORD PTR SS:[EBP-208]
004AE1BF . 50 PUSH EAX
004AE1C0 . 8D95 F4FDFFFF LEA EDX,DWORD PTR SS:[EBP-20C]
004AE1C6 . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]   B
004AE1C9 . E8 22AAF5FF CALL Magic_Po.00408BF0   [EBP-20C] = IntToStr(B)
004AE1CE . 8B85 F4FDFFFF MOV EAX,DWORD PTR SS:[EBP-20C]
004AE1D4 . B9 01000000 MOV ECX,1
004AE1D9 . BA 01000000 MOV EDX,1
004AE1DE . E8 355FF5FF CALL Magic_Po.00404118   [EBP-208] = Copy(IntToStr(B), 1, 1): the most significant decimal digit of B
004AE1E3 . 8B95 F8FDFFFF MOV EDX,DWORD PTR SS:[EBP-208]
004AE1E9 . 58 POP EAX
004AE1EA . E8 315EF5FF CALL Magic_Po.00404020   string compare of the two one-character strings, i.e. the leading digit of A against the leading digit of B. Step into it below
004AE1EF 0F85 B9000000 JNZ Magic_Po.004AE2AE   not equal: jump, GAME OVER
004AE1F5 . B8 88E34A00 MOV EAX,Magic_Po.004AE388 ; "恭喜您!注册成功" (Congratulations! Registration successful)
004AE1FA . E8 F175FAFF CALL Magic_Po.004557F0
004AE1FF . B2 01 MOV DL,1
004AE201 . A1 D8694500 MOV EAX,DWORD PTR DS:[4569D8]
004AE206 . E8 CD88FAFF CALL Magic_Po.00456AD8   creates an object of the class at 4569D8
004AE20B . 8BD8 MOV EBX,EAX
004AE20D . BA 00000080 MOV EDX,80000000   80000000 is the HKEY_CLASSES_ROOT handle value; together with the "zzz" string below this looks like a registry key being written as well, although the author only reports the file created further down
004AE212 . 8BC3 MOV EAX,EBX
004AE214 . E8 5F89FAFF CALL Magic_Po.00456B78
004AE219 . B1 01 MOV CL,1
004AE21B . BA D4E34A00 MOV EDX,Magic_Po.004AE3D4 ; ASCII "zzz"
004AE220 . 8BC3 MOV EAX,EBX
004AE222 . E8 B989FAFF CALL Magic_Po.00456BE0
004AE227 . B9 E0E34A00 MOV ECX,Magic_Po.004AE3E0
004AE22C . 33D2 XOR EDX,EDX
004AE22E . 8BC3 MOV EAX,EBX
004AE230 . E8 0F8EFAFF CALL Magic_Po.00457044
004AE235 . 8BC3 MOV EAX,EBX
004AE237 . E8 0C89FAFF CALL Magic_Po.00456B48
004AE23C . 8BC3 MOV EAX,EBX
004AE23E . E8 014DF5FF CALL Magic_Po.00402F44   frees the object
004AE243 . 8D85 F0FDFFFF LEA EAX,DWORD PTR SS:[EBP-210]
004AE249 . 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004AE24C . E8 F75BF5FF CALL Magic_Po.00403E48
004AE251 . 8D85 F0FDFFFF LEA EAX,DWORD PTR SS:[EBP-210]
004AE257 . BA ECE34A00 MOV EDX,Magic_Po.004AE3EC ; ASCII "\System32\vBios.vxd"
004AE25C . E8 B75CF5FF CALL Magic_Po.00403F18   appends the path. After a successful registration the program creates a file vBios.vxd under C:\Windows\System32\ and greys out the "Register" button in the registration dialog. Delete that file and the software is back to the unregistered version; the registered state is nothing more than the presence of this file, which is as easy to forge as it is to remove.
Step into the CALL at 004AE084. This is the Delphi RTL's Pos(Substr, S) routine (EAX = Substr = the user name, EDX = S = the registration code), recognisable from its REPNE SCASB / REPE CMPSB pair:
004041FC /$ 85C0 TEST EAX,EAX   empty Substr: return 0
004041FE |. 74 40 JE SHORT Magic_Po.00404240
00404200 |. 85D2 TEST EDX,EDX   empty S: return 0
00404202 |. 74 31 JE SHORT Magic_Po.00404235
00404204 |. 53 PUSH EBX
00404205 |. 56 PUSH ESI
00404206 |. 57 PUSH EDI
00404207 |. 89C6 MOV ESI,EAX   ESI = user name
00404209 |. 89D7 MOV EDI,EDX   EDI = registration code
0040420B |. 8B4F FC MOV ECX,DWORD PTR DS:[EDI-4]   ECX = Length(S): the length of the registration code (the length of a Delphi long string is stored 4 bytes before its data)
0040420E |. 57 PUSH EDI   remember the start of S so the index can be computed at the end
0040420F |. 8B56 FC MOV EDX,DWORD PTR DS:[ESI-4]   EDX = Length(Substr): the length of the user name
00404212 |. 4A DEC EDX
00404213 |. 78 1B JS SHORT Magic_Po.00404230
00404215 |. 8A06 MOV AL,BYTE PTR DS:[ESI]   AL = first character of the user name
00404217 |. 46 INC ESI
00404218 |. 29D1 SUB ECX,EDX   number of positions in S that could start a match
0040421A |. 7E 14 JLE SHORT Magic_Po.00404230   user name longer than the code: not found
0040421C |> F2:AE /REPNE SCAS BYTE PTR ES:[EDI]   scan the code for the first character of the user name
0040421E |. 75 10 |JNZ SHORT Magic_Po.00404230
00404220 |. 89CB |MOV EBX,ECX
00404222 |. 56 |PUSH ESI
00404223 |. 57 |PUSH EDI
00404224 |. 89D1 |MOV ECX,EDX
00404226 |. F3:A6 |REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS>   compare the remaining characters of the user name one by one
00404228 |. 5F |POP EDI ; 00E86C6D
00404229 |. 5E |POP ESI
0040422A |. 74 0C |JE SHORT Magic_Po.00404238   full match: compute the index
0040422C |. 89D9 |MOV ECX,EBX
0040422E |.^ EB EC \JMP SHORT Magic_Po.0040421C   otherwise keep scanning
00404230 |> 5A POP EDX
00404231 |. 31C0 XOR EAX,EAX   return 0: user name not found anywhere in the code
00404233 |. EB 08 JMP SHORT Magic_Po.0040423D
00404235 |> 31C0 XOR EAX,EAX
00404237 |. C3 RETN
00404238 |> 5A POP EDX
00404239 |. 89F8 MOV EAX,EDI
0040423B |. 29D0 SUB EAX,EDX   EDI minus the start of S: the 1-based position of the user name within the code
0040423D |> 5F POP EDI
0040423E |. 5E POP ESI
0040423F |. 5B POP EBX
00404240 \> C3 RETN
Step into the CALL at 004AE1EA. This is the Delphi RTL's long-string comparison (EAX and EDX point to the two strings; the result is left in the flags for the caller's JNZ). It compares the shorter of the two lengths in 4-byte blocks, then the remaining 1 to 3 bytes, and finally the length difference. Both operands here are one-character strings, so the single-byte compare at 00404079 decides:
00404020 /$ 53 PUSH EBX
00404021 |. 56 PUSH ESI
00404022 |. 57 PUSH EDI
00404023 |. 89C6 MOV ESI,EAX
00404025 |. 89D7 MOV EDI,EDX
00404027 |. 39D0 CMP EAX,EDX   same pointer: equal
00404029 |. 0F84 8F000000 JE Magic_Po.004040BE
0040402F |. 85F6 TEST ESI,ESI
00404031 |. 74 68 JE SHORT Magic_Po.0040409B
00404033 |. 85FF TEST EDI,EDI
00404035 |. 74 6B JE SHORT Magic_Po.004040A2
00404037 |. 8B46 FC MOV EAX,DWORD PTR DS:[ESI-4]   Length of the first string
0040403A |. 8B57 FC MOV EDX,DWORD PTR DS:[EDI-4]   Length of the second string
0040403D |. 29D0 SUB EAX,EDX
0040403F |. 77 02 JA SHORT Magic_Po.00404043
00404041 |. 01C2 ADD EDX,EAX   EDX = the shorter length
00404043 |> 52 PUSH EDX
00404044 |. C1EA 02 SHR EDX,2   number of whole 4-byte blocks
00404047 |. 74 26 JE SHORT Magic_Po.0040406F
00404049 |> 8B0E /MOV ECX,DWORD PTR DS:[ESI]
0040404B |. 8B1F |MOV EBX,DWORD PTR DS:[EDI]
0040404D |. 39D9 |CMP ECX,EBX
0040404F |. 75 58 |JNZ SHORT Magic_Po.004040A9
00404051 |. 4A |DEC EDX
00404052 |. 74 15 |JE SHORT Magic_Po.00404069
00404054 |. 8B4E 04 |MOV ECX,DWORD PTR DS:[ESI+4]
00404057 |. 8B5F 04 |MOV EBX,DWORD PTR DS:[EDI+4]
0040405A |. 39D9 |CMP ECX,EBX
0040405C |. 75 4B |JNZ SHORT Magic_Po.004040A9
0040405E |. 83C6 08 |ADD ESI,8
00404061 |. 83C7 08 |ADD EDI,8
00404064 |. 4A |DEC EDX
00404065 |.^ 75 E2 \JNZ SHORT Magic_Po.00404049
00404067 |. EB 06 JMP SHORT Magic_Po.0040406F
00404069 |> 83C6 04 ADD ESI,4
0040406C |. 83C7 04 ADD EDI,4
0040406F |> 5A POP EDX
00404070 |. 83E2 03 AND EDX,3   remaining 1 to 3 bytes (1 in our case)
00404073 |. 74 22 JE SHORT Magic_Po.00404097
00404075 |. 8B0E MOV ECX,DWORD PTR DS:[ESI]   CL = ASCII code of the leading digit of A
00404077 |. 8B1F MOV EBX,DWORD PTR DS:[EDI]   BL = ASCII code of the leading digit of B
00404079 |. 38D9 CMP CL,BL   compare them
0040407B |. 75 41 JNZ SHORT Magic_Po.004040BE   not equal: jump out with ZF clear, and it is all over!
0040407D |. 4A DEC EDX
0040407E |. 74 17 JE SHORT Magic_Po.00404097
00404080 |. 38FD CMP CH,BH
00404082 |. 75 3A JNZ SHORT Magic_Po.004040BE
00404084 |. 4A DEC EDX
00404085 |. 74 10 JE SHORT Magic_Po.00404097
00404087 |. 81E3 0000FF00 AND EBX,0FF0000
0040408D |. 81E1 0000FF00 AND ECX,0FF0000
00404093 |. 39D9 CMP ECX,EBX
00404095 |. 75 27 JNZ SHORT Magic_Po.004040BE
00404097 |> 01C0 ADD EAX,EAX   all compared bytes equal: the length difference (0 here) sets the final flags
00404099 |. EB 23 JMP SHORT Magic_Po.004040BE
0040409B |> 8B57 FC MOV EDX,DWORD PTR DS:[EDI-4]
0040409E |. 29D0 SUB EAX,EDX
004040A0 |. EB 1C JMP SHORT Magic_Po.004040BE
004040A2 |> 8B46 FC MOV EAX,DWORD PTR DS:[ESI-4]
004040A5 |. 29D0 SUB EAX,EDX
004040A7 |. EB 15 JMP SHORT Magic_Po.004040BE
004040A9 |> 5A POP EDX
004040AA |. 38D9 CMP CL,BL
004040AC |. 75 10 JNZ SHORT Magic_Po.004040BE
004040AE |. 38FD CMP CH,BH
004040B0 |. 75 0C JNZ SHORT Magic_Po.004040BE
004040B2 |. C1E9 10 SHR ECX,10
004040B5 |. C1EB 10 SHR EBX,10
004040B8 |. 38D9 CMP CL,BL
004040BA |. 75 02 JNZ SHORT Magic_Po.004040BE
004040BC |. 38FD CMP CH,BH
004040BE |> 5F POP EDI
004040BF |. 5E POP ESI
004040C0 |. 5B POP EBX
004040C1 \. C3 RETN
III. Algorithm summary
1. The registration code must be longer than 20 characters (CMP EAX,14 / JG).
2. The user name must occur inside the registration code (Pos(username, code) must be non-zero). The author places it at the very front; the code itself does not require that position.
3. Let A be the sum of the first ten characters of the registration code, each converted as a decimal digit, and B the sum of the ten characters immediately following the user name. The most significant decimal digit of A must equal the most significant decimal digit of B. Every character that goes through the conversion must be a digit 0-9, otherwise the conversion raises and registration silently fails.
Example (user name placed at the front, so the ten characters after it are characters 6 through 15):
User name: 12345
Registration code: 123456890513256******
A = 1+2+3+4+5+6+8+9+0+5 = 43, B = 6+8+9+0+5+1+3+2+5+6 = 45; the leading digits 4 and 4 match, and the length of 21 is greater than 20.
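To make the recovered checks concrete, here is a mirror of the registration routine and a keygen built on it. This is an added example written for this page, not code from the original article or from the Magic_Po binary: the Delphi RTL helpers (Pos, Copy, StrToInt, IntToStr) are re-implemented from the listing, the identification of 00408C20 and 00408BF0 as StrToInt/IntToStr-style routines is my reading of their calling convention, and the "no response" outcome is the author's observation of the exception case, not behaviour the code reproduces. It goes slightly beyond the author's example: user names that are not digits are placed after a 10-digit block so that Pos() finds them there, and the run at the bottom exercises the edge where the ten characters after the user name run past the end of the code (Copy returns an empty string, its sum is 0, and a leading digit of 0 for A then matches).

```python
"""Mirror of the Magic_Po registration check recovered above, plus a keygen.

Added example, not code from the original article. The Delphi RTL helpers are
re-implemented from the listing; the outcome strings are labels for the dialog
paths, not the binary's own text.
"""
import random
from typing import Optional

MIN_LEN = 0x14          # CMP EAX,14 / JG: the code must be LONGER than 20 characters
DIGITS = "0123456789"   # the only single characters the per-character StrToInt converts


def delphi_pos(substr: str, s: str) -> int:
    """System.Pos: 1-based index of the first occurrence; 0 if absent or substr is empty."""
    if not substr:
        return 0
    return s.find(substr) + 1


def delphi_copy(s: str, index: int, count: int) -> str:
    """Copy(S, Index, Count): 1-based; an index past the end yields ''."""
    index = max(index, 1)
    return s[index - 1:index - 1 + count]


def digit_sum(chars: str) -> int:
    """The loops at 004AE133 / 004AE167: StrToInt(Copy(s, i, 1)) accumulated over i."""
    total = 0
    for ch in chars:
        if ch not in DIGITS:
            raise ValueError(f"StrToInt fails on {ch!r}")   # conversion exception in the binary
        total += int(ch)
    return total


def check_code(username: str, code: str) -> str:
    """Return which outcome the registration routine reaches for this pair."""
    if len(code) <= MIN_LEN:
        return "code too short"           # 004AE01B: 您输入的注册码错误!
    pos = delphi_pos(username, code)
    if pos == 0:
        return "username wrong"           # 004AE08F: 用户名错误!
    window_a = delphi_copy(code, 1, 10)                    # [EBP-4]
    window_b = delphi_copy(code, pos + len(username), 10)  # [EBP-8]
    try:
        a, b = digit_sum(window_a), digit_sum(window_b)
    except ValueError:
        return "no response"              # exception outside the try block; author saw nothing happen
    # IntToStr followed by Copy(..., 1, 1): only the most significant digit is compared
    if str(a)[0] != str(b)[0]:
        return "code incorrect"           # 004AE1EF: JNZ -> 004AE2AE
    return "registered"                   # 004AE1F5: 恭喜您!注册成功


def keygen(username: str, rng: Optional[random.Random] = None) -> str:
    """Build a code that check_code() accepts, for any non-empty user name.

    Digit-only names of up to 10 characters use the author's layout, name first:
    code = name + x + name + filler, so window A = name+x and window B = x+name
    have identical sums. Any other name is sandwiched between two copies of one
    10-digit block: code = block + name + block, so Pos() finds the name right
    after block A and window B is the second copy of the block.
    """
    if not username:
        raise ValueError("Pos() returns 0 for an empty user name; never accepted")
    rng = rng or random.Random(2001)
    for _ in range(100):
        if len(username) <= 10 and all(c in DIGITS for c in username):
            x = "".join(rng.choice(DIGITS) for _ in range(10 - len(username)))
            body = username + x + username
        else:
            block = "".join(rng.choice(DIGITS) for _ in range(10))
            body = block + username + block
        # pad past 20 characters; the filler is never converted, so '*' is fine
        code = body + "*" * max(0, MIN_LEN + 1 - len(body))
        # guards the rare case where a periodic digit name makes Pos() match inside block A
        if check_code(username, code) == "registered":
            return code
    raise RuntimeError("no accepted code found after 100 attempts")


if __name__ == "__main__":
    for name in ("12345", "abc", "11111111111", "lchhome"):
        print(name, keygen(name), check_code(name, keygen(name)))
    # edge case from the listing: window B empty, both leading digits are '0'
    print("abc", "0000000000**********abc", check_code("abc", "0000000000**********abc"))
```

check_code() is the oracle; keygen() only has to produce candidates and let the oracle confirm them, which is the usual way to keep a keygen honest against the exact semantics of the target (here, Delphi's 1-based Copy and Pos).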