[原创]My Notes Keeper V1.4注册算法分析
发表于:
2005-12-22 18:25
[原创]My Notes Keeper V1.4注册算法分析
【破文作者】lnn1123
【作者主页】http://blog.csdn.net/lnn1123
【 E-mail 】lnn11231123@163.com
【文章题目】My Notes Keeper V1.4注册算法分析
【软件名称】My Notes Keeper V1.4
【下载地址】天空软件
【加密方式】注册码
【加壳方式】 aspack
【破解工具】PEID,OLLYDBG
【破解平台】WIN2000 AND WINXP
=======================================================================================================
【软件简介】
My Notes Keeper
是一款功能强大、简单易用的树状标签结构个人数据库管理软件,能进行个人信息管理和文字、表格处理,有密码保护功能 。你可以通过它管理你的通讯簿、网址收藏和安排日程表等,甚至可以用它来制作电子书。软件的操作方式跟 Word 几乎没有多大区别,推荐 使用!
=======================================================================================================
【文章简介】
要过年了,在看雪也混了一年了,没学到什么技术惭愧!,写一篇文章安慰一下自己
=======================================================================================================
【解密过程】
PEID
PEiD 显示是 ASPack 壳,不脱壳直接在 OllyDbg 里调试。注册失败时程序会弹出 MessageBox(见下面 "strInvalidNameCode" 那一段),所以在 user32.dll 的 MessageBoxA 上下断,输入假码后中断,再返回到调用处(Alt+F9 / 执行到用户代码),就很容易到达下面这段代码。
00703207 68 66337000
PUSH MyNotesK.00703366
0070320C 64:FF30
PUSH DWORD PTR FS:[
EAX]
0070320F 64:8920
MOV DWORD PTR FS:[
EAX],
ESP
00703212 8D55 FC
LEA EDX,
DWORD PTR SS:[
EBP-4]
00703215 8B83 00030000
MOV EAX,
DWORD PTR DS:[
EBX+300]
0070321B E8 A473D7FF
CALL MyNotesK.0047A5C4
; 取注册名,长度返回在EAX
00703220 837D FC 00
CMP DWORD PTR SS:[
EBP-4],0
; 是否输入
00703224 74 14
JE SHORT MyNotesK.0070323A
; 不输入就死
00703226 8D55 F8
LEA EDX,
DWORD PTR SS:[
EBP-8]
00703229 8B83 04030000
MOV EAX,
DWORD PTR DS:[
EBX+304]
0070322F E8 9073D7FF
CALL MyNotesK.0047A5C4
; 取注册码,长度返回在EAX
00703234 837D F8 00
CMP DWORD PTR SS:[
EBP-8],0
; 是否输入
00703238 75 5B
JNZ SHORT MyNotesK.00703295
; 输入就跳了
0070323A 6A 10
PUSH 10
0070323C 68 74337000
PUSH MyNotesK.00703374
; ASCII "My Notes Keeper"
00703241 8D45 F4
LEA EAX,
DWORD PTR SS:[
EBP-C]
00703244 50
PUSH EAX
00703245 8D55 F0
LEA EDX,
DWORD PTR SS:[
EBP-10]
00703248 A1 B8997700
MOV EAX,
DWORD PTR DS:[7799B8]
0070324D E8 DE3BD0FF
CALL MyNotesK.00406E30
00703252 8B55 F0
MOV EDX,
DWORD PTR SS:[
EBP-10]
00703255 B9 8C337000
MOV ECX,MyNotesK.0070338C
; ASCII "Reg"
0070325A B8 98337000
MOV EAX,MyNotesK.00703398
; ASCII "strBothNameCode"
0070325F E8 1CCFF1FF
CALL MyNotesK.00620180
00703264 8B45 F4
MOV EAX,
DWORD PTR SS:[
EBP-C]
00703267 E8 EC1BD0FF
CALL MyNotesK.00404E58
0070326C 50
PUSH EAX
0070326D 8BC3
MOV EAX,
EBX
0070326F E8 70DBD7FF
CALL MyNotesK.00480DE4
00703274 50
PUSH EAX
00703275 E8 024DD0FF
CALL MyNotesK.00407F7C
; JMP to user32.MessageBoxA
0070327A 8B83 00030000
MOV EAX,
DWORD PTR DS:[
EBX+300]
00703280 8B10
MOV EDX,
DWORD PTR DS:[
EAX]
00703282 FF92 C4000000
CALL DWORD PTR DS:[
EDX+C4]
00703288 33C0
XOR EAX,
EAX
0070328A 8983 4C020000
MOV DWORD PTR DS:[
EBX+24C],
EAX
00703290 E9 8F000000
JMP MyNotesK.00703324
00703295 8D55 EC
LEA EDX,
DWORD PTR SS:[
EBP-14]
00703298 8B83 04030000
MOV EAX,
DWORD PTR DS:[
EBX+304]
0070329E E8 2173D7FF
CALL MyNotesK.0047A5C4
007032A3 8B45 EC
MOV EAX,
DWORD PTR SS:[
EBP-14]
; 注册码
007032A6 50
PUSH EAX ; PUSH 注册码
007032A7 8D55 E8
LEA EDX,
DWORD PTR SS:[
EBP-18]
007032AA 8B83 00030000
MOV EAX,
DWORD PTR DS:[
EBX+300]
007032B0 E8 0F73D7FF
CALL MyNotesK.0047A5C4
007032B5 8B45 E8
MOV EAX,
DWORD PTR SS:[
EBP-18]
; 注册名
007032B8 5A
POP EDX
007032B9 E8 5ED7F1FF
CALL MyNotesK.00620A1C
; 注册验证函数
007032BE 84C0
TEST AL,
AL ; AL位返回值,不为0就注册成功
007032C0 74 0C
JE SHORT MyNotesK.007032CE
007032C2 C783 4C020000 01>
MOV DWORD PTR DS:[
EBX+24C],1
007032CC EB 56
JMP SHORT MyNotesK.00703324
007032CE 6A 10
PUSH 10
007032D0 68 74337000
PUSH MyNotesK.00703374
; ASCII "My Notes Keeper"
007032D5 8D45 E4
LEA EAX,
DWORD PTR SS:[
EBP-1C]
007032D8 50
PUSH EAX
007032D9 8D55 E0
LEA EDX,
DWORD PTR SS:[
EBP-20]
007032DC A1 A89E7700
MOV EAX,
DWORD PTR DS:[779EA8]
007032E1 E8 4A3BD0FF
CALL MyNotesK.00406E30
007032E6 8B55 E0
MOV EDX,
DWORD PTR SS:[
EBP-20]
007032E9 B9 8C337000
MOV ECX,MyNotesK.0070338C
; ASCII "Reg"
007032EE B8 B0337000
MOV EAX,MyNotesK.007033B0
; ASCII "strInvalidNameCode"
007032F3 E8 88CEF1FF
CALL MyNotesK.00620180
007032F8 8B45 E4
MOV EAX,
DWORD PTR SS:[
EBP-1C]
007032FB E8 581BD0FF
CALL MyNotesK.00404E58
00703300 50
PUSH EAX
00703301 8BC3
MOV EAX,
EBX
00703303 E8 DCDAD7FF
CALL MyNotesK.00480DE4
00703308 50
PUSH EAX
00703309 E8 6E4CD0FF
CALL MyNotesK.00407F7C
; JMP to user32.MessageBoxA
0070330E 8B83 00030000
MOV EAX,
DWORD PTR DS:[
EBX+300]
==================================
CALL MyNotesK.00620A1C===================================
00620A1C 55
PUSH EBP
00620A1D 8BEC
MOV EBP,
ESP
00620A1F 83C4 F4
ADD ESP,-0C
00620A22 53
PUSH EBX
00620A23 56
PUSH ESI
00620A24 33C9
XOR ECX,
ECX
00620A26 894D FC
MOV DWORD PTR SS:[
EBP-4],
ECX
00620A29 8BF2
MOV ESI,
EDX
00620A2B 8BD8
MOV EBX,
EAX
00620A2D 33C0
XOR EAX,
EAX
00620A2F 55
PUSH EBP
00620A30 68 A60A6200
PUSH MyNotesK.00620AA6
00620A35 64:FF30
PUSH DWORD PTR FS:[
EAX]
00620A38 64:8920
MOV DWORD PTR FS:[
EAX],
ESP
00620A3B 66:B9 1F00
MOV CX,1F
; 常数填充CX
00620A3F 66:BA 0C00
MOV DX,0C
; 常数填充DX
00620A43 66:B8 0F27
MOV AX,270F
; 常数填充AX
00620A47 E8 D4B9DEFF
CALL MyNotesK.0040C420
; 以 AX=270F(9999)、DX=0C(12)、CX=1F(31) 调用 0040C420,得到一个双精度浮点数(从参数看像是对日期 9999-12-31 的运算);它经下面的 FSTP 压栈后作为参数传给 00549CBC。注意它并非完全与注册无关:00549CBC 里把这 8 字节([EBP+8]、[EBP+C])传给 00549A1C,返回的 AX 写入 [ESI+2],即状态双字的高 16 位(见 MOV WORD PTR DS:[ESI+2],AX)。后面的 KeyGen 假定这个字为 0,调试时最好核对一下 [ESI] 的实际值。
00620A4C 83C4 F8
ADD ESP,-8
00620A4F DD1C24
FSTP QWORD PTR SS:[
ESP]
; 浮点数
00620A52 9B
WAIT
00620A53 8D4D F4
LEA ECX,
DWORD PTR SS:[
EBP-C]
00620A56 B8 80987600
MOV EAX,MyNotesK.00769880
00620A5B 8BD3
MOV EDX,
EBX
00620A5D E8 5A92F2FF
CALL MyNotesK.00549CBC
; 关键CALL,注册码产生就在这里
00620A62 8D4D FC
LEA ECX,
DWORD PTR SS:[
EBP-4]
00620A65 8D45 F4
LEA EAX,
DWORD PTR SS:[
EBP-C]
00620A68 BA 08000000
MOV EDX,8
00620A6D E8 DE73F2FF
CALL MyNotesK.00547E50
00620A72 8BD6
MOV EDX,
ESI ; 假码
00620A74 8B45 FC
MOV EAX,
DWORD PTR SS:[
EBP-4]
; 真码
00620A77 E8 908CDEFF
CALL MyNotesK.0040970C
; 比较注册码
00620A7C 85C0
TEST EAX,
EAX ; EAX是否为0
00620A7E 75 08
JNZ SHORT MyNotesK.00620A88
00620A80 85DB
TEST EBX,
EBX
00620A82 74 04
JE SHORT MyNotesK.00620A88
00620A84 85F6
TEST ESI,
ESI
00620A86 75 04
JNZ SHORT MyNotesK.00620A8C
00620A88 33C0
XOR EAX,
EAX
00620A8A EB 02
JMP SHORT MyNotesK.00620A8E
00620A8C B0 01
MOV AL,1
; 如果注册成功,AL填充1
00620A8E 8BD8
MOV EBX,
EAX
00620A90 33C0
XOR EAX,
EAX
00620A92 5A
POP EDX
00620A93 59
POP ECX
00620A94 59
POP ECX
00620A95 64:8910
MOV DWORD PTR FS:[
EAX],
EDX
00620A98 68 AD0A6200
PUSH MyNotesK.00620AAD
00620A9D 8D45 FC
LEA EAX,
DWORD PTR SS:[
EBP-4]
00620AA0 E8 F33EDEFF
CALL MyNotesK.00404998
00620AA5 C3
RETN
==============================
CALL MyNotesK.00549CBC========================
00549CBC 55
PUSH EBP
00549CBD 8BEC
MOV EBP,
ESP
00549CBF 6A 00
PUSH 0
00549CC1 6A 00
PUSH 0
00549CC3 53
PUSH EBX
00549CC4 56
PUSH ESI
00549CC5 57
PUSH EDI
00549CC6 8BF1
MOV ESI,
ECX
00549CC8 8BDA
MOV EBX,
EDX
00549CCA 8BF8
MOV EDI,
EAX
00549CCC 33C0
XOR EAX,
EAX
00549CCE 55
PUSH EBP
00549CCF 68 629D5400
PUSH MyNotesK.00549D62
00549CD4 64:FF30
PUSH DWORD PTR FS:[
EAX]
00549CD7 64:8920
MOV DWORD PTR FS:[
EAX],
ESP
00549CDA 66:C706 F6D9
MOV WORD PTR DS:[
ESI],0D9F6
00549CDF FF75 0C
PUSH DWORD PTR SS:[
EBP+C]
00549CE2 FF75 08
PUSH DWORD PTR SS:[
EBP+8]
00549CE5 E8 32FDFFFF
CALL MyNotesK.00549A1C
00549CEA 66:8946 02
MOV WORD PTR DS:[
ESI+2],
AX
00549CEE 8D45 FC
LEA EAX,
DWORD PTR SS:[
EBP-4]
00549CF1 8BD3
MOV EDX,
EBX ; 注册名
00549CF3 E8 38ADEBFF
CALL MyNotesK.00404A30
00549CF8 8B45 FC
MOV EAX,
DWORD PTR SS:[
EBP-4]
00549CFB E8 58AFEBFF
CALL MyNotesK.00404C58
00549D00 8BD8
MOV EBX,
EAX
00549D02 83FB 01
CMP EBX,1
00549D05 7C 1F
JL SHORT MyNotesK.00549D26
00549D07 8B45 FC
MOV EAX,
DWORD PTR SS:[
EBP-4]
; EAX指向注册名
00549D0A 8A4418 FF
MOV AL,
BYTE PTR DS:[
EAX+
EBX-1]
; 倒取注册名一个字节
00549D0E 3C 7F
CMP AL,7F
; 与 0x7F 作无符号比较(JBE);若该字节 >0x7F(非 ASCII,例如中文的双字节编码),就以 EAX=&注册名、EDX=EBX(当前位置)、ECX=1 调用 00404EF8。从参数形式看这应是把该位置的 1 个字符删掉,循环从尾向头走也正是为了边删边遍历——所以非 ASCII 字节根本不参与后面的运算,这也是下面的 KeyGen 只支持英文注册名的原因。
00549D10 76 0F
JBE SHORT MyNotesK.00549D21
00549D12 8D45 FC
LEA EAX,
DWORD PTR SS:[
EBP-4]
00549D15 B9 01000000
MOV ECX,1
00549D1A 8BD3
MOV EDX,
EBX
00549D1C E8 D7B1EBFF
CALL MyNotesK.00404EF8
00549D21 4B
DEC EBX ; 计数器--
00549D22 85DB
TEST EBX,
EBX
00549D24 ^75 E1
JNZ SHORT MyNotesK.00549D07
00549D26 8D55 F8
LEA EDX,
DWORD PTR SS:[
EBP-8]
00549D29 8B45 FC
MOV EAX,
DWORD PTR SS:[
EBP-4]
00549D2C E8 53FAEBFF
CALL MyNotesK.00409784
; 把注册名中小写字符转化为大写
00549D31 8B45 F8
MOV EAX,
DWORD PTR SS:[
EBP-8]
; EAX指向转化后的字符
00549D34 E8 DBF5FFFF
CALL MyNotesK.00549314
; 运算得到注册中间值
00549D39 8946 04
MOV DWORD PTR DS:[
ESI+4],
EAX
00549D3C 8BD6
MOV EDX,
ESI
00549D3E 8BC7
MOV EAX,
EDI
00549D40 B1 01
MOV CL,1
00549D42 E8 A5F4FFFF
CALL MyNotesK.005491EC
; 重要运算子过程
00549D47 33C0
XOR EAX,
EAX
00549D49 5A
POP EDX
00549D4A 59
POP ECX
00549D4B 59
POP ECX
00549D4C 64:8910
MOV DWORD PTR FS:[
EAX],
EDX
00549D4F 68 699D5400
PUSH MyNotesK.00549D69
00549D54 8D45 F8
LEA EAX,
DWORD PTR SS:[
EBP-8]
00549D57 BA 02000000
MOV EDX,2
00549D5C E8 5BACEBFF
CALL MyNotesK.004049BC
============================
CALL MyNotesK.00549314==============================
00549314 53
PUSH EBX
00549315 8BD8
MOV EBX,
EAX
00549317 8BC3
MOV EAX,
EBX
00549319 E8 3AB9EBFF
CALL MyNotesK.00404C58
0054931E 50
PUSH EAX
0054931F 8BC3
MOV EAX,
EBX
00549321 E8 32BBEBFF
CALL MyNotesK.00404E58
00549326 5A
POP EDX
00549327 E8 B0FFFFFF
CALL MyNotesK.005492DC
{
005492DC 53
PUSH EBX
005492DD 56
PUSH ESI
005492DE 33C9
XOR ECX,
ECX ; 清0
005492E0 8BDA
MOV EBX,
EDX
005492E2 4B
DEC EBX
005492E3 85DB
TEST EBX,
EBX
005492E5 7C 25
JL SHORT MyNotesK.0054930C
005492E7 43
INC EBX
005492E8 C1E1 04
SHL ECX,4
; ECX左移4位
005492EB 33D2
XOR EDX,
EDX
005492ED 8A10
MOV DL,
BYTE PTR DS:[
EAX]
; 取变换后注册名的一个字节
005492EF 03CA
ADD ECX,
EDX ; ECX=ECX+EDX
005492F1 8BD1
MOV EDX,
ECX ; EDX《=ECX
005492F3 81E2 000000F0
AND EDX,F0000000
; EDX=EDX AND 0XF0000000
005492F9 85D2
TEST EDX,
EDX ; 是否为0
005492FB 74 07
JE SHORT MyNotesK.00549304
005492FD 8BF2
MOV ESI,
EDX ; ESI〈=EDX
005492FF C1EE 18
SHR ESI,18
; 右移0X18位
00549302 33CE
XOR ECX,
ESI ; ECX=ECX XOR ESI
00549304 F7D2
NOT EDX ; 取反
00549306 23CA
AND ECX,
EDX ; ECX=ECX AND EDX
00549308 40
INC EAX ; 指向下一个字符
00549309 4B
DEC EBX ; 计数器--
0054930A ^75 DC
JNZ SHORT MyNotesK.005492E8
0054930C 8BC1
MOV EAX,
ECX
0054930E 5E
POP ESI
0054930F 5B
POP EBX
00549310 C3
RETN
}
逆向C函数代码如下(注意:论坛会把 `[b]`、`[i]` 当作 BBCode 标签处理,所以帖子里的 `c=name;` / `name=c;` 实际应为 `c=name[b];` / `name[b]=c;`,后面 KeyGen 中 `temp[ i]` 带空格也是同一原因):
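unsigned long reg(char name[])
{
    /* C equivalent of 005492DC (the hash), preceded by the upper-casing
     * step that 00409784 performs on the name before 00549314 is called.
     *
     * name   : NUL-terminated registration name; upper-cased IN PLACE.
     * returns: the 32-bit intermediate value (never more than 28 bits set,
     *          because the top nibble is cleared at the end of every step).
     *
     * The loop is the well-known PJW/ELF string hash:
     *   h = (h << 4) + c;  g = h & 0xF0000000;  if (g) h ^= g >> 24;  h &= ~g;
     * The disassembly works on 32-bit registers, so every intermediate is
     * reduced mod 2^32 here; on LP64 platforms 'unsigned long' is 64 bits and
     * the unmasked form would diverge as soon as (h << 4) + c carries past bit 31.
     * (The forum listing had lost the "[b]" subscripts in the first loop to
     * BBCode; they are restored here.) */
    const unsigned long MASK32 = 0xFFFFFFFFUL;
    unsigned long h = 0, g;
    size_t len = strlen(name);
    size_t i;

    for (i = 0; i < len; i++) {                 /* 'a'..'z' -> 'A'..'Z' */
        if (name[i] >= 'a' && name[i] <= 'z')
            name[i] = (char)(name[i] - 32);
    }

    for (i = 0; i < len; i++) {
        /* SHL ECX,4 ; MOV DL,[EAX] ; ADD ECX,EDX  (byte is zero-extended) */
        h = ((h << 4) + (unsigned char)name[i]) & MASK32;
        g = h & 0xF0000000UL;                   /* AND EDX,F0000000 */
        if (g != 0)
            h ^= g >> 24;                       /* XOR ECX,ESI  (ESI = EDX >> 18h) */
        h &= ~g & MASK32;                       /* NOT EDX ; AND ECX,EDX */
    }
    return h;
}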
0054932C 5B POP EBX
0054932D C3 RETN
=============================CALL MyNotesK.005491EC===========================
005491EC 53 PUSH EBX
005491ED 56 PUSH ESI
005491EE 57 PUSH EDI
005491EF 83C4 E8 ADD ESP,-18
005491F2 884C24 08 MOV BYTE PTR SS:[ESP+8],CL ; 填充1
005491F6 895424 04 MOV DWORD PTR SS:[ESP+4],EDX
005491FA 890424 MOV DWORD PTR SS:[ESP],EAX
005491FD 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
00549201 8B00 MOV EAX,DWORD PTR DS:[EAX]
00549203 894424 0C MOV DWORD PTR SS:[ESP+C],EAX ; 填充0XD9F6
00549207 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
0054920B 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
0054920E 894424 10 MOV DWORD PTR SS:[ESP+10],EAX ; 填充值
00549212 C74424 14 040000>MOV DWORD PTR SS:[ESP+14],4 ; 计数器为4
0054921A BE 00D07500 MOV ESI,MyNotesK.0075D000
0054921F 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C] ; EDX〈=0XD9F6
00549223 33C0 XOR EAX,EAX ; 清0
00549225 8A4424 08 MOV AL,BYTE PTR SS:[ESP+8] ; 取刚才填充的一个字节
00549229 8BD8 MOV EBX,EAX ; EBX〈=EAX
0054922B 03DB ADD EBX,EBX ; EBX=EBX+EBX
0054922D 8D1C5B LEA EBX,DWORD PTR DS:[EBX+EBX*2] ; EBX=EBX*3
00549230 8B04DE MOV EAX,DWORD PTR DS:[ESI+EBX*8] ; 查表
表是这样的{0,3,1,2,1,3,1,0,2,3,2,0,3,2,0,1,0,2,2,1,3,0,3,1}
00549233 8B0C24 MOV ECX,DWORD PTR SS:[ESP]
00549236 8B0C81 MOV ECX,DWORD PTR DS:[ECX+EAX*4] ; 又是查表(不同的数组)
这里的表是{0x55147626,0x8d0bf107,0xF9492A40,0x2874514A}
00549239 8B44DE 04 MOV EAX,DWORD PTR DS:[ESI+EBX*8+4] ; 查表
0054923D 8B3C24 MOV EDI,DWORD PTR SS:[ESP]
00549240 8B0487 MOV EAX,DWORD PTR DS:[EDI+EAX*4] ; 查表
00549243 8B5CDE 08 MOV EBX,DWORD PTR DS:[ESI+EBX*8+8] ; 查表
00549247 8B3C24 MOV EDI,DWORD PTR SS:[ESP]
0054924A 8B1C9F MOV EBX,DWORD PTR DS:[EDI+EBX*4] ; 查表
0054924D 03D3 ADD EDX,EBX ; EDX=EDX+EBX
0054924F 03DA ADD EBX,EDX ; EBX=EBX+EDX
00549251 8BFA MOV EDI,EDX ; EDI〈=EDX
00549253 C1EF 07 SHR EDI,7 ; EDI右移7位
00549256 33D7 XOR EDX,EDI ; EDX=EDX XOR EDI
00549258 03CA ADD ECX,EDX ; ECX=ECX+EDX
0054925A 03D1 ADD EDX,ECX ; EDX=EDX+ECX
0054925C 8BF9 MOV EDI,ECX ; EDI〈=ECX
0054925E C1E7 0D SHL EDI,0D ; 左移0XD位
00549261 33CF XOR ECX,EDI ; ECX=ECX XOR EDI
00549263 03C1 ADD EAX,ECX ; EAX=EAX+ECX
00549265 03C8 ADD ECX,EAX ; ECX=ECX+EAX
00549267 8BF8 MOV EDI,EAX ; EDI〈=EAX
00549269 C1EF 11 SHR EDI,11 ; EDI右移0X11位
0054926C 33C7 XOR EAX,EDI ; EAX=EAX XOR EDI
0054926E 03D8 ADD EBX,EAX ; EBX=EBX+EAX
00549270 03C3 ADD EAX,EBX ; EAX=EAX+EBX
00549272 8BFB MOV EDI,EBX ; EDI〈=EBX
00549274 C1E7 09 SHL EDI,9 ; EDI左移9位
00549277 33DF XOR EBX,EDI ; EBX=EBX XOR EDI
00549279 03D3 ADD EDX,EBX ; EDX=EDX+EBX
0054927B 03DA ADD EBX,EDX ; EBX=EBX+EDX
0054927D 8BFA MOV EDI,EDX ; EDI〈=EDX
0054927F C1EF 03 SHR EDI,3 ; EDI右移3位
00549282 33D7 XOR EDX,EDI ; EDX=EDX XOR EDI
00549284 03CA ADD ECX,EDX ; ECX=ECX+EDX
00549286 8BD1 MOV EDX,ECX ; EDX〈=ECX
00549288 C1E2 07 SHL EDX,7 ; EDX左移7位
0054928B 33CA XOR ECX,EDX ; ECX=ECX XOR EDX
0054928D 03C1 ADD EAX,ECX ; EAX=EAX+ECX
0054928F 8BD3 MOV EDX,EBX ; EDX〈=EBX
00549291 C1EA 0F SHR EDX,0F ; 右移0XF位
00549294 33C2 XOR EAX,EDX ; EAX=EAX XOR EDX
00549296 03D8 ADD EBX,EAX ; EBX=EBX+EAX
00549298 8BC3 MOV EAX,EBX ; EAX〈=EBX
0054929A C1E0 0B SHL EAX,0B ; 左移0XB位
0054929D 33D8 XOR EBX,EAX ; EBX=EBX XOR EAX
0054929F 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10] ; 取4个字节到EAX
005492A3 33C3 XOR EAX,EBX ; EAX=EAX XOR EBX
005492A5 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C] ; 取4个字节到EDX
005492A9 895424 10 MOV DWORD PTR SS:[ESP+10],EDX ; 填充
005492AD 894424 0C MOV DWORD PTR SS:[ESP+C],EAX ; 填充
005492B1 83C6 0C ADD ESI,0C ; ESI=ESI+0XC(这个是把数组初始地址加高)
005492B4 FF4C24 14 DEC DWORD PTR SS:[ESP+14] ; 计数器--
005492B8 ^0F85 61FFFFFF JNZ MyNotesK.0054921F
005492BE 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
005492C2 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10]
005492C6 8910 MOV DWORD PTR DS:[EAX],EDX ; 填充
005492C8 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
005492CC 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
005492D0 8950 04 MOV DWORD PTR DS:[EAX+4],EDX ; 填充
005492D3 83C4 18 ADD ESP,18
005492D6 5F POP EDI
005492D7 5E POP ESI
005492D8 5B POP EBX
005492D9 C3 RETN
这里的运算可以看成一个 4 轮的 Feistel 式混合网络:状态是两个 32 位字,[ESP+C] 初始为 [ESI] 这个双字(低 16 位是常数 0xD9F6,高 16 位来自 00549A1C 的返回值 AX),[ESP+10] 初始为注册中间值。每一轮用 CL=1 算出的偏移从第一个表里取连续 3 项(第 r 轮取下标 12+3r、13+3r、14+3r),再用它们到第二个表里查出 3 个 32 位常数,与左半字一起做上面那串加法/移位/异或,结果异或到右半字后左右互换(005492A3-005492AD);4 轮后把两个字存回数组。两个表分别是
{0,3,1,2,1,3,1,0,2,3,2,0,3,2,0,1,0,2,2,1,3,0,3,1} 和 {0x55147626,0x8d0bf107,0xF9492A40,0x2874514A}。
最后在 0040970C 处拿算出来的码和输入的码做明码比较。从安全角度看,中间运算再复杂也无济于事:常数表和算法全部在程序里,任何人都能照着写出 KeyGen(下面就是);而且结果只是一个 TEST AL,AL / JE,改一个字节就能绕过。要防 KeyGen,验证端必须只能“验”不能“产”,例如用非对称签名来校验注册码。
算法小结:
先运算得到注册中间值,然后根据(注册中间值,和常数0XD9F6),进行运算,得到最后的注册码。
KeyGen 代码如下(C语言)
// 注意: 程序在 00549CBC 里会先删掉注册名中 >0x7F 的字节, 再做大写转换; 这份 KeyGen 没有做删除这一步, 所以只对纯英文注册名有效
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
unsigned long temp[8]; /* scratch for DecToHex: hex digits of the value, least significant first */
int regcode[8];        /* scratch for DecToHex: the same digits reordered into output order */
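unsigned long reg(char name[]) //根据注册名运算得到一个注册中间值,后面运算将用到
{
    /* Intermediate value derived from the registration name, mirroring
     * 00549CBC -> 00549314 -> 005492DC.
     *
     * name   : NUL-terminated registration name.  Modified IN PLACE: bytes
     *          above 0x7F are removed and 'a'..'z' are upper-cased, so the
     *          caller sees the name exactly as the program hashes it.
     * returns: 32-bit hash (top nibble always clear, so < 2^28).
     *
     * Step 1 follows the loop at 00549D07-00549D24: CMP AL,7F / JBE, and for
     * a byte above 0x7F a call to 00404EF8 with EAX=&name, EDX=position,
     * ECX=1 -- by its arguments that looks like "delete one character here",
     * so non-ASCII bytes are assumed not to take part in the hash (the
     * original keygen skipped this step and only worked for ASCII names).
     * Step 3 is the PJW/ELF string hash, reduced mod 2^32 because the
     * program works on 32-bit registers while 'unsigned long' may be 64 bits. */
    const unsigned long MASK32 = 0xFFFFFFFFUL;
    unsigned char *p = (unsigned char *)name;
    size_t len = 0, i;
    unsigned long h = 0, g;

    /* 1. drop every byte > 0x7F, compacting in place */
    for (i = 0; p[i] != '\0'; i++) {
        if (p[i] <= 0x7F)
            p[len++] = p[i];
    }
    p[len] = '\0';

    /* 2. 'a'..'z' -> 'A'..'Z' (00409784); only ASCII letters, as before */
    for (i = 0; i < len; i++) {
        if (p[i] >= 'a' && p[i] <= 'z')
            p[i] -= 32;
    }

    /* 3. hash: SHL ECX,4 ; ADD ECX,byte ; fold the top nibble back in */
    for (i = 0; i < len; i++) {
        h = ((h << 4) + p[i]) & MASK32;
        g = h & 0xF0000000UL;       /* AND EDX,F0000000 */
        if (g != 0)
            h ^= g >> 24;           /* XOR ECX,ESI  (ESI = EDX >> 18h) */
        h &= ~g & MASK32;           /* NOT EDX ; AND ECX,EDX */
    }
    return h;
}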
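/* Render the low 32 bits of 'value' as 8 uppercase hex digits in little-endian
 * byte order (byte 0 first, high nibble of each byte first), e.g.
 * 0x12345678 -> "78563412".  This is the order the original keygen emitted
 * and, presumably, the order the program's own hex encoding of the 8-byte
 * state (CALL 00547E50 with EDX=8) produces -- confirm against a real key.
 * out must have room for 9 bytes; it is always NUL-terminated. */
static void le_hex32(unsigned long value, char out[9])
{
    snprintf(out, 9, "%02lX%02lX%02lX%02lX",
             value & 0xFFUL, (value >> 8) & 0xFFUL,
             (value >> 16) & 0xFFUL, (value >> 24) & 0xFFUL);
}

/* Print one 32-bit half of the registration code (format: see le_hex32).
 *
 * The previous version went through the global temp[]/regcode[] scratch
 * arrays and only filled as many nibbles as the value had significant hex
 * digits.  On the second call a value with leading zero nibbles therefore
 * printed stale nibbles left over from the first call.  A fixed-width
 * format has no such state. */
void DecToHex(unsigned long t)
{
    char buf[9];

    le_hex32(t, buf);
    printf("%s", buf);
}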
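/* Round function F of the 4-round mixing network at 005491EC.
 * l          : the "left" state word ([ESP+C] in the disassembly, loaded into EDX)
 * k0, k1, k2 : the three constants picked from cs[] for this round (ECX, EAX, EBX)
 * returns the value EBX holds at 0054929D; the caller XORs it into the right word.
 * Every operation is mod 2^32, exactly like the 32-bit registers it mirrors. */
static uint32_t mix_round(uint32_t l, uint32_t k0, uint32_t k1, uint32_t k2)
{
    uint32_t edx = l, ecx = k0, eax = k1, ebx = k2;

    edx += ebx; ebx += edx; edx ^= edx >> 7;      /* 0054924D-00549256 */
    ecx += edx; edx += ecx; ecx ^= ecx << 13;     /* 00549258-00549261 */
    eax += ecx; ecx += eax; eax ^= eax >> 17;     /* 00549263-0054926C */
    ebx += eax; eax += ebx; ebx ^= ebx << 9;      /* 0054926E-00549277 */
    edx += ebx; ebx += edx; edx ^= edx >> 3;      /* 00549279-00549282 */
    ecx += edx;             ecx ^= ecx << 7;      /* 00549284-0054928B */
    eax += ecx;             eax ^= ebx >> 15;     /* 0054928D-00549294 */
    ebx += eax;             ebx ^= ebx << 11;     /* 00549296-0054929D */
    return ebx;
}

/* KeyGen entry point: reads a registration name from stdin, prints the code.
 *
 * Pipeline (mirrors 00620A1C -> 00549CBC -> 005491EC):
 *   right = reg(name)               intermediate value from the name
 *   left  = 0xD9F6                  word stored at [ESI] (see NOTE)
 *   4 rounds: right ^= F(left, k); swap(left, right)
 *   print right, then left          as little-endian hex bytes (DecToHex)
 *
 * NOTE: the program stores WORD 0xD9F6 at [ESI] and the AX returned by
 * CALL 00549A1C at [ESI+2].  Like the original keygen this assumes that high
 * word is 0; if generated codes are rejected, check [ESI] after 00549CEA.
 *
 * Returns 0 on success, 1 if no name was entered. */
int main(void)
{
    /* second table read from the binary: the four round constants */
    static const uint32_t cs[4] = {0x55147626UL, 0x8d0bf107UL, 0xF9492A40UL, 0x2874514AUL};
    /* first table (at 0075D000): each round consumes three consecutive
     * entries and uses them as indices into cs[] */
    static const uint32_t zz[24] = {0,3,1,2,1,3,1,0,2,3,2,0,3,2,0,1,0,2,2,1,3,0,3,1};
    const uint32_t sel  = 1;            /* CL=1, set at 00549D40 */
    const uint32_t base = sel * 6 * 2;  /* EBX = CL*2*3; [ESI+EBX*8] is dword index EBX*2 */
    char name[100];
    uint32_t left, right, round;

    printf("\t\t***************************************************\n");
    printf("\t\t* KeyGen For MyNotesKeeper V1.4 *\n");
    printf("\t\t* Coded By lnn1123 *\n");
    printf("\t\t***************************************************\n");
    printf("Please input your name:\n");

    /* fgets instead of gets(): gets() has no bound and overflows name[] on long input */
    if (fgets(name, sizeof name, stdin) == NULL)
        name[0] = '\0';
    name[strcspn(name, "\r\n")] = '\0';
    if (name[0] == '\0') {              /* the program itself refuses an empty name (00703224) */
        printf("Name must not be empty.\n");
        return 1;
    }

    right = (uint32_t)reg(name);
    left  = 0xD9F6UL;

    for (round = 0; round < 4; round++) {
        /* ESI advances 0xC bytes (3 dwords) per round: 005492B1 */
        const uint32_t *idx = zz + base + 3 * round;
        uint32_t f = mix_round(left, cs[idx[0]], cs[idx[1]], cs[idx[2]]);
        uint32_t new_left = right ^ f;  /* 005492A3: [ESP+10] XOR EBX */
        right = left;                   /* 005492A9: [ESP+10] <- old [ESP+C] */
        left  = new_left;               /* 005492AD: [ESP+C]  <- result */
    }

    printf("Your Regcode is :\n");
    DecToHex(right);                    /* [ESI]   <- [ESP+10]  (005492C6) */
    DecToHex(left);                     /* [ESI+4] <- [ESP+C]   (005492D0) */
    getchar();
    return 0;
}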
特别感谢:
Phoenix,爱情诗人和所有帮助过我的人。^_^
=======================================================================================================
【破解声明】我是一个小小菜虫子,文章如有错误,请高手指正!
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
=======================================================================================================
文章完成于2005-12-22 18:08:46