-
-
[原创]WinUtilities 2.0 注册算法分析
-
发表于: 2006-1-25 12:01 5029
-
【破文标题】 WinUtilities 2.0注册算法分析
【破文作者】 koala
【软件名称】 WinUtilities V2.0
【下载地址】 http://www4.skycn.com/soft/25287.html
【软件简介】 WinUtilities是一套Windows优化工具。
【调试环境】 Windows XP+SP2、PEiD、Ollydbg
【作者声明】 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
春节要到了,祝坛子里的兄弟姐妹们新春愉快,学习进步,工作顺利!
【算法总结】
1、注册码形式为****-****-****-****-****共五部分组成,分别记为sn1、sn2、sn3、sn4、sn5
2、格式化读入字符串"1-3-1-4",用于验证比较
3、令m=10,则d=sn5%m,m=d+1
4、d=sn1%m与1比较、d=sn2%m与3比较、d=sn3%m与1比较、d=sn4%m与4比较
全部相等则注册码有效。
【破解过程】
PEiD查壳为 Microsoft Visual C++ 6.0 无壳我喜欢^_^
运行程序输入注册信息
License Name:koala
license Code:12345678-12345678-12345678-12345678-12345678
确定,提示“To verify the license information,Please restart the program.”
还生成注册文件\UserData\User.lcs
OD载入程序,搜索-->所有参考文本串,看看有什么可用信息,发现如下内容,OK就在这设断点了,F9运行,程序被断下
文本字符串参考位于 WO:.text,项目 92
地址=0040471F
反汇编=push WO.0041744C
文本字符串=ASCII "\UserData\User.lcs"
0040471F |> \68 4C744100 push WO.0041744C ; ASCII "\UserData\User.lcs"
00404724 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00404728 |. 53 push ebx
00404729 |. 51 push ecx
0040472A |. E8 C1280000 call WO.00406FF0
0040472F |. 83C4 08 add esp,8
00404732 |. 8D5424 28 lea edx,dword ptr ss:[esp+28] ; |
00404736 |. 50 push eax ; |Arg2
00404737 |. 52 push edx ; |Arg1
00404738 |. E8 F3160000 call WO.00405E30 ; \WO.00405E30
0040473D |. 8BC8 mov ecx,eax
0040473F |. E8 5C0E0000 call WO.004055A0
00404744 |. 51 push ecx
00404745 |. 8BF0 mov esi,eax ; "D:\Program Files\WinUtilities\UserData\User.lcs"
00404747 |. 896424 20 mov dword ptr ss:[esp+20],esp
0040474B |. 8BFC mov edi,esp
0040474D |. 6A 0C push 0C
0040474F |. E8 257A0000 call WO.0040C179
00404754 |. 83C4 04 add esp,4
00404757 |. 3BC3 cmp eax,ebx
00404759 |. 74 0A je short WO.00404765
0040475B |. 56 push esi
0040475C |. 8BC8 mov ecx,eax
0040475E |. E8 3D6E0000 call WO.0040B5A0
00404763 |. EB 02 jmp short WO.00404767
00404765 |> 33C0 xor eax,eax
00404767 |> 3BC3 cmp eax,ebx
00404769 |. 8907 mov dword ptr ds:[edi],eax
0040476B |. 75 0A jnz short WO.00404777
0040476D |. 68 0E000780 push 8007000E
00404772 |. E8 2B730000 call WO.0040BAA2
00404777 |> B9 48A44100 mov ecx,WO.0041A448
0040477C |. E8 1F0E0000 call WO.004055A0
00404781 |. 8BC8 mov ecx,eax
00404783 |. E8 586E0000 call WO.0040B5E0
00404788 |. 8B15 44704100 mov edx,dword ptr ds:[417044] ; WO.00417048
0040478E |. 8B4424 24 mov eax,dword ptr ss:[esp+24] ; "D:\Program Files\WinUtilities\UserData\User.lcs"
00404792 |. 8D48 F4 lea ecx,dword ptr ds:[eax-C]
00404795 |. 3BCA cmp ecx,edx
00404797 |. 74 1A je short WO.004047B3
00404799 |. 83C0 F4 add eax,-0C
0040479C |. 50 push eax
0040479D |. FFD5 call ebp ; KERNEL32.InterlockedDecrement
0040479F |. 85C0 test eax,eax
004047A1 |. 7F 10 jg short WO.004047B3
004047A3 |. 8B5424 24 mov edx,dword ptr ss:[esp+24]
004047A7 |. 83C2 F4 add edx,-0C
004047AA |. 52 push edx
004047AB |. E8 24720000 call WO.0040B9D4
004047B0 |. 83C4 04 add esp,4
004047B3 |> 8B4424 20 mov eax,dword ptr ss:[esp+20]
004047B7 |. 8B15 44704100 mov edx,dword ptr ds:[417044] ; WO.00417048
004047BD |. 8D48 F4 lea ecx,dword ptr ds:[eax-C]
004047C0 |. 3BCA cmp ecx,edx
004047C2 |. 74 1A je short WO.004047DE
004047C4 |. 83C0 F4 add eax,-0C
004047C7 |. 50 push eax
004047C8 |. FFD5 call ebp ; KERNEL32.InterlockedDecrement
004047CA |. 85C0 test eax,eax
004047CC |. 7F 10 jg short WO.004047DE
004047CE |. 8B5424 20 mov edx,dword ptr ss:[esp+20]
004047D2 |. 83C2 F4 add edx,-0C
004047D5 |. 52 push edx
004047D6 |. E8 F9710000 call WO.0040B9D4
004047DB |. 83C4 04 add esp,4
004047DE |> 68 60EA0000 push 0EA60
004047E3 |. 51 push ecx
004047E4 |. 8BCC mov ecx,esp
004047E6 |. 896424 2C mov dword ptr ss:[esp+2C],esp
004047EA |. 68 3C744100 push WO.0041743C ; UNICODE "1-3-1-4"
004047EF |. E8 BC6C0000 call WO.0040B4B0
004047F4 |. B9 48A44100 mov ecx,WO.0041A448
004047F9 |. E8 A20D0000 call WO.004055A0
004047FE |. 8BC8 mov ecx,eax
00404800 |. E8 AB6E0000 call WO.0040B6B0 ; 算法验证,跟进
00404805 |. 53 push ebx ; /lParam
00404806 |. 53 push ebx ; |wParam
00404807 |. 53 push ebx ; |Message
00404808 |. 53 push ebx ; |hWnd
00404809 |. FF15 D0414100 call dword ptr ds:[<&USER32.DefWindowProcA>] ; \DefWindowProcA
0040480F |. 8D4424 24 lea eax,dword ptr ss:[esp+24]
00404813 |. 50 push eax ; /pInitEx
00404814 |. C74424 28 08000>mov dword ptr ss:[esp+28],8 ; |
0040481C |. C74424 2C 04040>mov dword ptr ss:[esp+2C],404 ; |
00404824 |. FF15 08404100 call dword ptr ds:[<&COMCTL32.InitCommonContr>; \InitCommonControlsEx
......
=========== 跟进 00404800 call WO.0040B6B0 ====================
0040B6B0 /$ 64:A1 00000000 mov eax,dword ptr fs:[0]
0040B6B6 |. 6A FF push -1
0040B6B8 |. 68 78384100 push WO.00413878
0040B6BD |. 50 push eax
0040B6BE |. 64:8925 0000000>mov dword ptr fs:[0],esp
0040B6C5 |. 53 push ebx
0040B6C6 |. 56 push esi
0040B6C7 |. 57 push edi
0040B6C8 |. 8BF1 mov esi,ecx
0040B6CA |. 8B7C24 1C mov edi,dword ptr ss:[esp+1C]
0040B6CE |. C74424 14 00000>mov dword ptr ss:[esp+14],0
0040B6D6 |. 85FF test edi,edi
0040B6D8 |. 74 04 je short WO.0040B6DE
0040B6DA |. 8B07 mov eax,dword ptr ds:[edi] ; UNICODE "1-3-1-4"
0040B6DC |. EB 02 jmp short WO.0040B6E0
0040B6DE |> 33C0 xor eax,eax
0040B6E0 |> 8B5424 20 mov edx,dword ptr ss:[esp+20]
0040B6E4 |. 8B0E mov ecx,dword ptr ds:[esi]
0040B6E6 |. 52 push edx
0040B6E7 |. 50 push eax
0040B6E8 |. 56 push esi
0040B6E9 |. FF51 38 call dword ptr ds:[ecx+38] ; 算法验证,跟进
0040B6EC |. 8BD8 mov ebx,eax
0040B6EE |. 85DB test ebx,ebx
0040B6F0 |. 7D 0C jge short WO.0040B6FE
0040B6F2 |. 68 58714100 push WO.00417158
0040B6F7 |. 56 push esi
0040B6F8 |. 53 push ebx
0040B6F9 |. E8 B2030000 call WO.0040BAB0
0040B6FE |> 85FF test edi,edi
0040B700 |. 74 34 je short WO.0040B736
0040B702 |. 8D47 08 lea eax,dword ptr ds:[edi+8]
0040B705 |. 50 push eax ; /pVar
0040B706 |. FF15 4C414100 call dword ptr ds:[<&KERNEL32.InterlockedDecr>; \InterlockedDecrement
......
=========== 跟进 0040B6E9 call dword ptr ds:[ecx+38] ==============
01653C11 B8 68A26601 mov eax,ComLicen.0166A268
01653C16 E8 59F30000 call ComLicen.01662F74
01653C1B 83EC 10 sub esp,10
01653C1E 56 push esi
01653C1F 8D4D 0C lea ecx,dword ptr ss:[ebp+C]
01653C22 FF75 0C push dword ptr ss:[ebp+C]
01653C25 E8 1FC70000 call ComLicen.01660349
01653C2A 8B45 0C mov eax,dword ptr ss:[ebp+C] ; ASCII "1-3-1-4"
01653C2D 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
01653C30 51 push ecx
01653C31 8D4D EC lea ecx,dword ptr ss:[ebp-14]
01653C34 51 push ecx
01653C35 33F6 xor esi,esi
01653C37 8D4D E8 lea ecx,dword ptr ss:[ebp-18]
01653C3A 8975 E4 mov dword ptr ss:[ebp-1C],esi
01653C3D 8975 E8 mov dword ptr ss:[ebp-18],esi
01653C40 8975 EC mov dword ptr ss:[ebp-14],esi
01653C43 8975 F0 mov dword ptr ss:[ebp-10],esi
01653C46 8B40 F8 mov eax,dword ptr ds:[eax-8]
01653C49 51 push ecx
01653C4A 8D4D E4 lea ecx,dword ptr ss:[ebp-1C]
01653C4D 51 push ecx
01653C4E 40 inc eax
01653C4F 68 34E36601 push ComLicen.0166E334 ; ASCII "%ld-%ld-%ld-%ld"
01653C54 50 push eax
01653C55 8D4D 0C lea ecx,dword ptr ss:[ebp+C]
01653C58 8975 FC mov dword ptr ss:[ebp-4],esi
01653C5B E8 51C80000 call ComLicen.016604B1
01653C60 50 push eax
01653C61 E8 23FD0000 call ComLicen.01663989 ; 格式化读入,用于验证比较
01653C66 83C4 18 add esp,18
01653C69 83F8 04 cmp eax,4
01653C6C 75 1A jnz short ComLicen.01653C88
01653C6E FF75 10 push dword ptr ss:[ebp+10]
01653C71 8B45 08 mov eax,dword ptr ss:[ebp+8]
01653C74 FF75 F0 push dword ptr ss:[ebp-10]
01653C77 8B08 mov ecx,dword ptr ds:[eax]
01653C79 FF75 EC push dword ptr ss:[ebp-14]
01653C7C FF75 E8 push dword ptr ss:[ebp-18]
01653C7F FF75 E4 push dword ptr ss:[ebp-1C]
01653C82 50 push eax
01653C83 FF51 30 call dword ptr ds:[ecx+30] ; 算法验证,跟进
01653C86 8BF0 mov esi,eax
01653C88 8D4D 0C lea ecx,dword ptr ss:[ebp+C]
01653C8B E8 F2EEFFFF call ComLicen.01652B82
01653C90 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
01653C93 8BC6 mov eax,esi
01653C95 5E pop esi
01653C96 64:890D 00000000 mov dword ptr fs:[0],ecx
01653C9D C9 leave
01653C9E C2 0C00 retn 0C
=========== 跟进 01653C83 call dword ptr ds:[ecx+30] ==========
01653D1D 50 push eax ; ASCII "D:\Program Files\WinUtilities\UserData\User.lcs"
01653D1E 8D46 14 lea eax,dword ptr ds:[esi+14]
01653D21 68 FF000000 push 0FF
01653D26 50 push eax
01653D27 68 28126701 push ComLicen.01671228
01653D2C 68 68E36601 push ComLicen.0166E368 ; ASCII "Name"
01653D31 68 60E36601 push ComLicen.0166E360 ; ASCII "License"
01653D36 FF15 90B06601 call dword ptr ds:[<&KERNEL32.GetPrivateProfi>; KERNEL32.GetPrivateProfileStringA
01653D3C FF76 10 push dword ptr ds:[esi+10]
01653D3F 8D86 13010000 lea eax,dword ptr ds:[esi+113]
01653D45 68 FF000000 push 0FF
01653D4A 50 push eax
01653D4B 68 28126701 push ComLicen.01671228
01653D50 68 58E36601 push ComLicen.0166E358 ; ASCII "Code"
01653D55 68 60E36601 push ComLicen.0166E360 ; ASCII "License"
01653D5A FF15 90B06601 call dword ptr ds:[<&KERNEL32.GetPrivateProfi>; KERNEL32.GetPrivateProfileStringA
01653D60 FF15 A4B26601 call dword ptr ds:[<&WINMM.timeGetTime>] ; WINMM.timeGetTime
01653D66 6A 0A push 0A
01653D68 33D2 xor edx,edx
01653D6A 59 pop ecx
01653D6B F7F1 div ecx
01653D6D 83FA 09 cmp edx,9
01653D70 0F87 8B4E0000 ja ComLicen.01658C01
01653D76 FF2495 11946501 jmp dword ptr ds:[edx*4+1659411]
01653D7D 33C0 xor eax,eax
01653D7F 8D4D 08 lea ecx,dword ptr ss:[ebp+8]
01653D82 50 push eax
01653D83 50 push eax
01653D84 50 push eax
01653D85 50 push eax
01653D86 51 push ecx
01653D87 50 push eax
01653D88 50 push eax
01653D89 68 54E36601 push ComLicen.0166E354 ; ASCII "c:\"
01653D8E 8945 08 mov dword ptr ss:[ebp+8],eax
01653D91 FF15 8CB06601 call dword ptr ds:[<&KERNEL32.GetVolumeInform>; KERNEL32.GetVolumeInformationA
01653D97 8B45 08 mov eax,dword ptr ss:[ebp+8]
01653D9A 6A 0A push 0A
01653D9C 33D2 xor edx,edx
01653D9E 59 pop ecx
01653D9F F7F1 div ecx
01653DA1 83FA 09 cmp edx,9
01653DA4 0F87 FB060000 ja ComLicen.016544A5
01653DAA FF2495 39946501 jmp dword ptr ds:[edx*4+1659439]
01653D7D 33C0 xor eax,eax
01653D7F 8D4D 08 lea ecx,dword ptr ss:[ebp+8]
01653D82 50 push eax
01653D83 50 push eax
01653D84 50 push eax
01653D85 50 push eax
01653D86 51 push ecx
01653D87 50 push eax
01653D88 50 push eax
01653D89 68 54E36601 push ComLicen.0166E354 ; ASCII "c:\"
01653D8E 8945 08 mov dword ptr ss:[ebp+8],eax
01653D91 FF15 8CB06601 call dword ptr ds:[<&KERNEL32.GetVolumeInform>; KERNEL32.GetVolumeInformationA
01653D97 8B45 08 mov eax,dword ptr ss:[ebp+8]
01653D9A 6A 0A push 0A
01653D9C 33D2 xor edx,edx
01653D9E 59 pop ecx
01653D9F F7F1 div ecx
01653DA1 83FA 09 cmp edx,9
01653DA4 0F87 FB060000 ja ComLicen.016544A5
01653DAA FF2495 39946501 jmp dword ptr ds:[edx*4+1659439]
......
01656E31 8D46 14 lea eax,dword ptr ds:[esi+14] ; 取用户名
01656E34 57 push edi
01656E35 50 push eax
01656E36 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218]
01656E3C 50 push eax
01656E3D E8 FEC50000 call ComLicen.01663440
01656E42 6A 14 push 14
01656E44 8D45 EC lea eax,dword ptr ss:[ebp-14]
01656E47 6A 00 push 0
01656E49 50 push eax
01656E4A E8 41C90000 call ComLicen.01663790
01656E4F 83C4 18 add esp,18
01656E52 8D45 FC lea eax,dword ptr ss:[ebp-4]
01656E55 50 push eax
01656E56 8D45 F8 lea eax,dword ptr ss:[ebp-8]
01656E59 50 push eax
01656E5A 8D45 F4 lea eax,dword ptr ss:[ebp-C]
01656E5D 50 push eax
01656E5E 8D45 F0 lea eax,dword ptr ss:[ebp-10]
01656E61 50 push eax
01656E62 8D45 EC lea eax,dword ptr ss:[ebp-14]
01656E65 50 push eax
01656E66 8D85 E7FEFFFF lea eax,dword ptr ss:[ebp-119] ; 取注册码
01656E6C 68 44E36601 push ComLicen.0166E344 ; ASCII "%x-%x-%x-%x-%x"
01656E71 50 push eax
01656E72 E8 12CB0000 call ComLicen.01663989 ; 格式化读入注册码
01656E77 8BF8 mov edi,eax
01656E79 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218]
01656E7F 50 push eax
01656E80 E8 3BCB0000 call ComLicen.016639C0
01656E85 83C4 20 add esp,20
01656E88 85C0 test eax,eax ; 用户名是否为空
01656E8A 0F86 4A250000 jbe ComLicen.016593DA
01656E90 83FF 05 cmp edi,5 ; 注册码是否为5部分组成
01656E93 0F85 41250000 jnz ComLicen.016593DA
01656E99 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 取第5部分
01656E9C 6A 0A push 0A
01656E9E 33D2 xor edx,edx
01656EA0 59 pop ecx
01656EA1 F7F1 div ecx
01656EA3 8B45 EC mov eax,dword ptr ss:[ebp-14] ; 取第1部分
01656EA6 8D4A 01 lea ecx,dword ptr ds:[edx+1] ; ecx=edx+1
01656EA9 33D2 xor edx,edx
01656EAB F7F1 div ecx
01656EAD 3B13 cmp edx,dword ptr ds:[ebx] ; 与1比较
01656EAF 0F85 25250000 jnz ComLicen.016593DA ; 不跳
01656EB5 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; 取第2部分
01656EB8 33D2 xor edx,edx
01656EBA F7F1 div ecx
01656EBC 3B96 1C020000 cmp edx,dword ptr ds:[esi+21C] ; 与3比较
01656EC2 0F85 12250000 jnz ComLicen.016593DA ; 不跳
01656EC8 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 取第3部分
01656ECB 33D2 xor edx,edx
01656ECD F7F1 div ecx
01656ECF 3B96 20020000 cmp edx,dword ptr ds:[esi+220] ; 与1比较
01656ED5 0F85 FF240000 jnz ComLicen.016593DA ; 不跳
01656EDB 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 取第4部分
01656EDE E9 DF240000 jmp ComLicen.016593C2
......
016593C2 33D2 xor edx,edx
016593C4 F7F1 div ecx
016593C6 3B96 24020000 cmp edx,dword ptr ds:[esi+224] ; 与4比较
016593CC 75 0C jnz short ComLicen.016593DA ; 不跳
016593CE C786 14020000 010>mov dword ptr ds:[esi+214],1 ; 验证标志
016593D8 EB 07 jmp short ComLicen.016593E1
......
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)