【破文作者】lnn1123
【所属组织】[BCG][DFCG]
【作者主页】http://blog.csdn.net/lnn1123
【文章题目】WebPageMaker 2.2.0 注册算法分析
【加密方式】MD5
【破解工具】ollydbg+IDA
=======================================================================================================
【软件简介】
肯定是用来做WEB 的啦
=======================================================================================================
【解密过程】
预处理注册名,注册码
CODE:00699D4C push ebp
CODE:00699D4D mov ebp, esp
CODE:00699D4F push 0
CODE:00699D51 push 0
CODE:00699D53 push ebx
CODE:00699D54 mov ebx, eax
CODE:00699D56 xor eax, eax
CODE:00699D58 push ebp
CODE:00699D59 push offset loc_699DD5
CODE:00699D5E push dword ptr fs:[eax]
CODE:00699D61 mov fs:[eax], esp
CODE:00699D64 lea edx, [ebp+var_4]
CODE:00699D67 mov eax, [ebx+320h]
CODE:00699D6D call sub_48AD70
CODE:00699D72 lea edx, [ebp+var_8]
CODE:00699D75 mov eax, [ebx+324h]
CODE:00699D7B call sub_48AD70
CODE:00699D80 cmp [ebp+var_4], 0 ; 注册名为空?
CODE:00699D80 ;
CODE:00699D80 ;
CODE:00699D84 jz short loc_699D8C
CODE:00699D86 cmp [ebp+var_8], 0 ; 注册码为空?
CODE:00699D86 ;
CODE:00699D8A jnz short loc_699D96
CODE:00699D8C
CODE:00699D8C loc_699D8C: ; CODE XREF: sub_699D4C+38j
CODE:00699D8C xor eax, eax
CODE:00699D8E mov [ebx+24Ch], eax
CODE:00699D94 jmp short loc_699DBA
CODE:00699D96 ; ---------------------------------------------------------------------------
CODE:00699D96
CODE:00699D96 loc_699D96: ; CODE XREF: sub_699D4C+3Ej
CODE:00699D96 mov edx, [ebp+var_8] ; 指向注册码
CODE:00699D99 mov eax, [ebp+var_4] ; 指向注册名
CODE:00699D9C call sub_4A16A0 ; 把注册信息写进Config.dat文件
{
CODE:004A16A0 push ebp
CODE:004A16A1 mov ebp, esp
CODE:004A16A3 add esp, 0FFFFFFF8h
CODE:004A16A6 push ebx
CODE:004A16A7 push esi
CODE:004A16A8 xor ecx, ecx
CODE:004A16AA mov [ebp+var_8], ecx
CODE:004A16AD mov [ebp+var_4], edx
CODE:004A16B0 mov esi, eax
CODE:004A16B2 xor eax, eax
CODE:004A16B4 push ebp
CODE:004A16B5 push offset loc_4A172A
CODE:004A16BA push dword ptr fs:[eax]
CODE:004A16BD mov fs:[eax], esp
CODE:004A16C0 mov edx, ds:off_6C5CB8
CODE:004A16C6 mov edx, [edx]
CODE:004A16C8 lea eax, [ebp+var_8]
CODE:004A16CB mov ecx, offset dword_4A1740
CODE:004A16D0 call sub_404EE8
CODE:004A16D5 mov ecx, [ebp+var_8]
CODE:004A16D8 mov dl, 1
CODE:004A16DA mov eax, off_432830
CODE:004A16DF call sub_4328E0
CODE:004A16E4 mov ebx, eax
CODE:004A16E6 push esi
CODE:004A16E7 mov ecx, offset aUser_0 ; "User"
CODE:004A16EC mov edx, offset aRegistration_1 ; "Registration"
CODE:004A16F1 mov eax, ebx
CODE:004A16F3 mov esi, [eax]
CODE:004A16F5 call dword ptr [esi+4] ; 写入注册名
CODE:004A16F8 mov eax, [ebp+var_4]
CODE:004A16FB push eax
CODE:004A16FC mov ecx, offset aLicense_0 ; "License"
CODE:004A1701 mov edx, offset aRegistration_1 ; "Registration"
CODE:004A1706 mov eax, ebx
CODE:004A1708 mov esi, [eax]
CODE:004A170A call dword ptr [esi+4] ; 写入注册码
CODE:004A170D mov eax, ebx
CODE:004A170F call sub_403D50
CODE:004A1714 xor eax, eax
CODE:004A1716 pop edx
CODE:004A1717 pop ecx
CODE:004A1718 pop ecx
CODE:004A1719 mov fs:[eax], edx
CODE:004A171C push offset loc_4A1731
CODE:004A1721
CODE:004A1721 loc_4A1721: ; CODE XREF: CODE:004A172Fj
CODE:004A1721 lea eax, [ebp+var_8]
CODE:004A1724 call sub_404BC0
CODE:004A1729 retn
}
CODE:00699DA1 push 40h ; uType
CODE:00699DA3 push offset aWebPageMake_10 ; "Web Page Maker V2"
CODE:00699DA8 push offset aPleaseCloseWeb ; "Please close Web Page Maker and restart"...
CODE:00699DAD mov eax, ebx
CODE:00699DAF call sub_4916AC
CODE:00699DB4 push eax ; hWnd
CODE:00699DB5 call MessageBoxA_0
CODE:00699DBA
CODE:00699DBA loc_699DBA: ; CODE XREF: sub_699D4C+48j
CODE:00699DBA xor eax, eax
CODE:00699DBC pop edx
CODE:00699DBD pop ecx
CODE:00699DBE pop ecx
CODE:00699DBF mov fs:[eax], edx
CODE:00699DC2 push offset loc_699DDC
CODE:00699DC7
CODE:00699DC7 loc_699DC7: ; CODE XREF: CODE:00699DDAj
CODE:00699DC7 lea eax, [ebp+var_8]
CODE:00699DCA mov edx, 2
CODE:00699DCF call sub_404BE4
CODE:00699DD4 retn
验证函数
CODE:006B818C push ebx
CODE:006B818D mov ebx, eax
CODE:006B818F mov ecx, ebx
CODE:006B8191 mov dl, 1
CODE:006B8193 mov eax, off_69D660
CODE:006B8198 call sub_473E8C
CODE:006B819D mov edx, ds:off_6C5AC4
CODE:006B81A3 mov [edx], eax
CODE:006B81A5 mov eax, ds:off_6C5AC4
CODE:006B81AA mov eax, [eax]
CODE:006B81AC call sub_6A004C ; 注册验证函数
CODE:006B81AC ;
CODE:006B81B1 test al, al
CODE:006B81B3 jz short loc_6B8228
CODE:006B81B5 mov edx, offset aWebPageMake_21 ; "Web Page Maker V2 Unregistered Version"
CODE:006B81BA mov eax, ebx
CODE:006B81BC call sub_48ADA0
CODE:006B81C1 call sub_4A1124
CODE:006B81C6 inc eax
CODE:006B81C7 jnz short loc_6B8234
CODE:006B81C9 push 21h ; uType
CODE:006B81CB push offset aWebPageMake_22 ; "Web Page Maker V2"
CODE:006B81D0 push offset aYour15DayTrial ; "Your 15 day trial period for Web Page M"...
CODE:006B81D5 mov eax, ebx
CODE:006B81D7 call sub_4916AC
CODE:006B81DC push eax ; hWnd
CODE:006B81DD call MessageBoxA_0
CODE:006B81E2 dec eax
CODE:006B81E3 jnz short loc_6B821F
CODE:006B81E5 xor ecx, ecx
CODE:006B81E7 mov dl, 1
CODE:006B81E9 mov eax, off_699A78
CODE:006B81EE call sub_473E8C
CODE:006B81F3 mov edx, ds:off_6C5A5C
CODE:006B81F9 mov [edx], eax
CODE:006B81FB mov eax, ds:off_6C5A5C
CODE:006B8200 mov eax, [eax]
CODE:006B8202 mov edx, [eax]
CODE:006B8204 call dword ptr [edx+0ECh]
CODE:006B820A mov eax, ds:off_6C5A5C
CODE:006B820F mov eax, [eax]
CODE:006B8211 call sub_403D50
CODE:006B8216 mov eax, ebx
CODE:006B8218 call sub_478054
CODE:006B821D pop ebx
CODE:006B821E retn
===========================================call sub_6A004C=========================================
CODE:006A004C var_70 = dword ptr -70h
CODE:006A004C var_6C = dword ptr -6Ch
CODE:006A004C var_68 = dword ptr -68h
CODE:006A004C var_64 = dword ptr -64h
CODE:006A004C var_60 = dword ptr -60h
CODE:006A004C var_5C = dword ptr -5Ch
CODE:006A004C var_58 = dword ptr -58h
CODE:006A004C var_54 = dword ptr -54h
CODE:006A004C var_50 = dword ptr -50h
CODE:006A004C var_4C = dword ptr -4Ch
CODE:006A004C var_48 = dword ptr -48h
CODE:006A004C var_44 = dword ptr -44h
CODE:006A004C var_40 = dword ptr -40h
CODE:006A004C var_3C = dword ptr -3Ch
CODE:006A004C var_38 = dword ptr -38h
CODE:006A004C var_34 = dword ptr -34h
CODE:006A004C var_24 = dword ptr -24h
CODE:006A004C var_20 = dword ptr -20h
CODE:006A004C var_1C = dword ptr -1Ch
CODE:006A004C var_18 = dword ptr -18h
CODE:006A004C var_10 = dword ptr -10h
CODE:006A004C var_C = dword ptr -0Ch
CODE:006A004C var_8 = dword ptr -8
CODE:006A004C var_4 = dword ptr -4
CODE:006A004C
CODE:006A004C push ebp
CODE:006A004D mov ebp, esp
CODE:006A004F mov ecx, 0Eh
CODE:006A0054
CODE:006A0054 loc_6A0054: ; CODE XREF: sub_6A004C+Dj
CODE:006A0054 push 0
CODE:006A0056 push 0
CODE:006A0058 dec ecx
CODE:006A0059 jnz short loc_6A0054
CODE:006A005B push ebx
CODE:006A005C push esi
CODE:006A005D push edi
CODE:006A005E mov esi, eax
CODE:006A0060 xor eax, eax
CODE:006A0062 push ebp
CODE:006A0063 push offset loc_6A0407
CODE:006A0068
CODE:006A0068 loc_6A0068: ; DATA XREF: CODE:off_47CF60o
CODE:006A0068 ; CODE:off_49BD82o ...
CODE:006A0068 push dword ptr fs:[eax]
CODE:006A006B mov fs:[eax], esp
CODE:006A006E mov bl, 1
CODE:006A0070 mov eax, ds:off_6C5A60
CODE:006A0075 cmp dword ptr [eax], 0FFFFFFFFh
CODE:006A0078 jnz short loc_6A00B0
CODE:006A007A mov eax, ds:off_6C5A60
CODE:006A007F cmp dword ptr [eax+4], 0FFFFFFFFh
CODE:006A0083 jnz short loc_6A00B0
CODE:006A0085 mov edi, [esi+520h]
CODE:006A008B mov eax, [esi+48h]
CODE:006A008E sub eax, [edi+2DCh]
CODE:006A0094 sub eax, 32h
CODE:006A0097 lea ecx, [ebp+var_18]
CODE:006A009A mov edx, 64h
CODE:006A009F call sub_41B49C
CODE:006A00A4 lea edx, [ebp+var_18]
CODE:006A00A7 mov eax, edi
CODE:006A00A9 call sub_55D0E0
CODE:006A00AE jmp short loc_6A00C1
CODE:006A00B0 ; ---------------------------------------------------------------------------
CODE:006A00B0
CODE:006A00B0 loc_6A00B0: ; CODE XREF: sub_6A004C+2Cj
CODE:006A00B0 ; sub_6A004C+37j
CODE:006A00B0 mov edx, ds:off_6C5A60
CODE:006A00B6 mov eax, [esi+520h]
CODE:006A00BC call sub_55D0E0
CODE:006A00C1
CODE:006A00C1 loc_6A00C1: ; CODE XREF: sub_6A004C+62j
CODE:006A00C1 mov eax, ds:off_6C624C
CODE:006A00C6 mov eax, [eax]
CODE:006A00C8 call sub_4792F0
CODE:006A00CD cmp eax, 320h
CODE:006A00D2 jle short loc_6A00DE
CODE:006A00D4 mov eax, ds:off_6C61C8
CODE:006A00D9 cmp byte ptr [eax], 0
CODE:006A00DC jz short loc_6A00F8
CODE:006A00DE
CODE:006A00DE loc_6A00DE: ; CODE XREF: sub_6A004C+86j
CODE:006A00DE mov dl, 1
CODE:006A00E0 mov eax, [esi+520h]
CODE:006A00E6 call sub_55CEC4
CODE:006A00EB mov dl, 1
CODE:006A00ED mov eax, [esi+520h]
CODE:006A00F3 call sub_559708
CODE:006A00F8
CODE:006A00F8 loc_6A00F8: ; CODE XREF: sub_6A004C+90j
CODE:006A00F8 xor edx, edx
CODE:006A00FA mov eax, [esi+780h]
CODE:006A0100 call sub_450F90
CODE:006A0105 mov edx, ds:off_6C5958
CODE:006A010B mov dl, [edx]
CODE:006A010D mov eax, [esi+520h]
CODE:006A0113 call sub_48AC90
CODE:006A0118 mov edx, ds:off_6C5958
CODE:006A011E mov dl, [edx]
CODE:006A0120 mov eax, [esi+664h]
CODE:006A0126 call sub_46E810
CODE:006A012B mov eax, esi
CODE:006A012D call sub_6AF848
CODE:006A0132 lea edx, [ebp+var_4]
CODE:006A0135 lea eax, [ebp+var_10]
CODE:006A0138 call sub_4A1578
CODE:006A013D cmp [ebp+var_10], 0 ; 注册名为空?
CODE:006A0141 jz loc_6A03C0
CODE:006A0147 cmp [ebp+var_4], 0 ; 注册码为空?
CODE:006A014B jz loc_6A03C0
CODE:006A0151 mov eax, [ebp+var_4] ; 指向注册码
CODE:006A0154 call sub_404E9C ; 返回注册码长度
CODE:006A0159 cmp eax, 17h ; 输入的注册码必须为23位
CODE:006A015C jnz loc_6A03C0
CODE:006A0162 mov dl, 1
CODE:006A0164 mov eax, off_41A798
CODE:006A0169 call sub_403D20
CODE:006A016E mov [ebp+var_8], eax
CODE:006A0171 push ebp
CODE:006A0172 call sub_69FF88
CODE:006A0177 pop ecx
CODE:006A0178 mov eax, [ebp+var_8]
CODE:006A017B mov edx, [eax]
CODE:006A017D call dword ptr [edx+14h]
CODE:006A0180 cmp eax, 4
CODE:006A0183 jnz loc_6A03B8
CODE:006A0189 lea ecx, [ebp+var_1C]
CODE:006A018C xor edx, edx ; 要取得的注册码的段索引
CODE:006A018E mov eax, [ebp+var_8]
CODE:006A0191 mov edi, [eax]
CODE:006A0193 call dword ptr [edi+0Ch]
CODE:006A0196 mov eax, [ebp+var_1C] ; eax指向注册码前5位
CODE:006A0199 or edx, 0FFFFFFFFh
CODE:006A019C call sub_409E40 ; 把eax指向的转化为16进制表示
CODE:006A01A1 mov [ebp+var_C], eax ; 保存
CODE:006A01A4 lea ecx, [ebp+var_20]
CODE:006A01A7 mov edx, 3 ; 要取得的注册码的段索引
CODE:006A01AC mov eax, [ebp+var_8]
CODE:006A01AF mov edi, [eax]
CODE:006A01B1 call dword ptr [edi+0Ch]
CODE:006A01B4 mov eax, [ebp+var_20] ; 指向注册码最后5位
CODE:006A01B7 or edx, 0FFFFFFFFh
CODE:006A01BA call sub_409E40 ; 把eax指向的转化为16进制表示
CODE:006A01BF cmp [ebp+var_C], 0FFFFFFFFh ; 返回是-1?
CODE:006A01C3 jz loc_6A03B8
CODE:006A01C9 cmp eax, 0FFFFFFFFh ; 返回是-1?
CODE:006A01CC jz loc_6A03B8
CODE:006A01D2 mov edi, [ebp+var_C] ; a
CODE:006A01D5 add edi, eax ; a+=b
CODE:006A01D7 lea edx, [ebp+var_38]
CODE:006A01DA mov eax, edi
CODE:006A01DC call sub_409C98 ; a转化为10进制
CODE:006A01E1 mov eax, [ebp+var_38] ; a转化为10进制的结果记为c
CODE:006A01E4 lea edx, [ebp+var_34]
CODE:006A01E7 call sub_49F2B4
CODE:006A01EC lea eax, [ebp+var_34]
CODE:006A01EF lea edx, [ebp+var_24]
CODE:006A01F2 call sub_49F240
CODE:006A01F7 mov eax, [ebp+var_24]
CODE:006A01FA mov edx, offset a1c395a8dce13_0 ; "1c395a8dce135849bd73c6dba3b54809"
CODE:006A01FF call sub_4095D4 ; MD5(c)与内置密文比较
CODE:006A0204 test eax, eax
CODE:006A0206 jnz loc_6A03B8 ; 不等就注册失败
CODE:006A020C lea ecx, [ebp+var_3C]
CODE:006A020F mov edx, 1 ; 要取得的注册码的段索引
CODE:006A0214 mov eax, [ebp+var_8]
CODE:006A0217 mov edi, [eax]
CODE:006A0219 call dword ptr [edi+0Ch]
CODE:006A021C mov eax, [ebp+var_3C] ; 指向注册码第2段
CODE:006A021F or edx, 0FFFFFFFFh
CODE:006A0222 call sub_409E40 ; 把eax指向的转化为16进制表示记为d
CODE:006A0227 mov [ebp+var_C], eax ; 保存返回值
CODE:006A022A lea ecx, [ebp+var_40]
CODE:006A022D mov edx, 2 ; 要取得的注册码的段索引
CODE:006A0232 mov eax, [ebp+var_8]
CODE:006A0235 mov edi, [eax]
CODE:006A0237 call dword ptr [edi+0Ch]
CODE:006A023A mov eax, [ebp+var_40] ; 指向注册码的第三段
CODE:006A023D or edx, 0FFFFFFFFh
CODE:006A0240 call sub_409E40 ; 把eax指向的转化为16进制表示记为e
CODE:006A0245 cmp [ebp+var_C], 0FFFFFFFFh
CODE:006A0249 jz loc_6A03B8
CODE:006A024F inc eax
CODE:006A0250 jz loc_6A03B8
CODE:006A0256 lea eax, [ebp+var_44]
CODE:006A0259 push eax
CODE:006A025A lea ecx, [ebp+var_48]
CODE:006A025D mov edx, 1 ; 要取得的注册码的段索引
CODE:006A0262 mov eax, [ebp+var_8]
CODE:006A0265 mov edi, [eax]
CODE:006A0267 call dword ptr [edi+0Ch]
CODE:006A026A mov eax, [ebp+var_48] ; 指向注册码的第2段
CODE:006A026D mov ecx, 7FFFFFFFh
CODE:006A0272 mov edx, 3 ; 在第2段取得后三位
CODE:006A0277 call sub_4050FC
CODE:006A027C mov eax, [ebp+var_44] ; 指向第2段后3位
CODE:006A027F xor edx, edx
CODE:006A0281 call sub_409E40 ; 转化为16进制表示
CODE:006A0286 mov [ebp+var_C], eax ; 保存
CODE:006A0289 lea eax, [ebp+var_4C]
CODE:006A028C push eax
CODE:006A028D lea ecx, [ebp+var_50]
CODE:006A0290 mov edx, 2 ; 要取得的注册码的段索引
CODE:006A0295 mov eax, [ebp+var_8]
CODE:006A0298 mov edi, [eax]
CODE:006A029A call dword ptr [edi+0Ch]
CODE:006A029D mov eax, [ebp+var_50] ; 指向注册玛第3段
CODE:006A02A0 mov ecx, 7FFFFFFFh
CODE:006A02A5 mov edx, 3 ; 指向第3段后3位
CODE:006A02AA call sub_4050FC
CODE:006A02AF mov eax, [ebp+var_4C] ; 指向第3段后3位
CODE:006A02B2 xor edx, edx
CODE:006A02B4 call sub_409E40 ; 转化为16进制表示
CODE:006A02B9 mov edi, [ebp+var_C] ; 第2段注册码后3位的16进制
CODE:006A02BC add edi, eax ; 加上第3段后3位16进制表示
CODE:006A02BE lea edx, [ebp+var_58]
CODE:006A02C1 mov eax, edi
CODE:006A02C3 call sub_409C98 ; 转化为10进制表示记为a1
CODE:006A02C8 mov eax, [ebp+var_58]
CODE:006A02CB lea edx, [ebp+var_34]
CODE:006A02CE call sub_49F2B4 ; MD5(a1)
CODE:006A02D3 lea eax, [ebp+var_34]
CODE:006A02D6 lea edx, [ebp+var_54]
CODE:006A02D9 call sub_49F240 ; MD5(a1)结果字符化
CODE:006A02DE mov eax, [ebp+var_54]
CODE:006A02E1 mov edx, offset a65cc2c8205a0_0 ; "65cc2c8205a05d7379fa3a6386f710e1"
CODE:006A02E6 call sub_4095D4 ; MD5(a1)与内置密文比较
CODE:006A02EB test eax, eax
CODE:006A02ED jnz loc_6A03B8 ; 不等就注册失败
CODE:006A02F3 lea eax, [ebp+var_5C]
CODE:006A02F6 push eax
CODE:006A02F7 lea ecx, [ebp+var_60]
CODE:006A02FA mov edx, 1 ; 要取得的注册码的段索引
CODE:006A02FF mov eax, [ebp+var_8]
CODE:006A0302 mov edi, [eax]
CODE:006A0304 call dword ptr [edi+0Ch]
CODE:006A0307 mov eax, [ebp+var_60] ; 指向注册码第2段
CODE:006A030A mov ecx, 2 ; 取第2段的前2位
CODE:006A030F xor edx, edx
CODE:006A0311 call sub_4050FC
CODE:006A0316 mov eax, [ebp+var_5C] ; 指向第2段的前2位
CODE:006A0319 xor edx, edx
CODE:006A031B call sub_409E40 ; 转化为16进制表示
CODE:006A0320 mov [ebp+var_C], eax ; 保存
CODE:006A0323 lea eax, [ebp+var_64]
CODE:006A0326 push eax
CODE:006A0327 lea ecx, [ebp+var_68]
CODE:006A032A mov edx, 2 ; 要取得的注册码的段索引
CODE:006A032F mov eax, [ebp+var_8]
CODE:006A0332 mov edi, [eax]
CODE:006A0334 call dword ptr [edi+0Ch]
CODE:006A0337 mov eax, [ebp+var_68] ; 指向注册码第3段
CODE:006A033A mov ecx, 2 ; 指向第3段的前2位
CODE:006A033F xor edx, edx
CODE:006A0341 call sub_4050FC
CODE:006A0346 mov eax, [ebp+var_64] ; 指向第3段的前2位
CODE:006A0349 xor edx, edx
CODE:006A034B call sub_409E40 ; 转化为16进制表示
CODE:006A0350 mov edi, [ebp+var_C] ; 转化后的result1
CODE:006A0353 add edi, eax ; result1+=result2
CODE:006A0355 lea edx, [ebp+var_70]
CODE:006A0358 mov eax, edi
CODE:006A035A call sub_409C98 ; 将result1转化为10进表示
CODE:006A035F mov eax, [ebp+var_70]
CODE:006A0362 lea edx, [ebp+var_34]
CODE:006A0365 call sub_49F2B4 ; MD5(result1)
CODE:006A0365 ;
CODE:006A036A lea eax, [ebp+var_34]
CODE:006A036D lea edx, [ebp+var_6C]
CODE:006A0370 call sub_49F240 ; MD5(result)字符化
CODE:006A0375 mov eax, [ebp+var_6C]
CODE:006A0378 mov edx, offset aD1fe173d08e959 ; "d1fe173d08e959397adf34b1d77e88d7"
CODE:006A037D call sub_4095D4 ; Md5(result1)与内置密文比较
CODE:006A0382 test eax, eax
CODE:006A0384 jnz short loc_6A03B8 ; 不等就注册失败
CODE:006A0386 xor ebx, ebx
CODE:006A0388 xor edx, edx
CODE:006A038A mov eax, [esi+764h]
CODE:006A0390 call sub_46EC20 ; 到这里就注册成功了
CODE:006A0395 xor edx, edx
CODE:006A0397 mov eax, [esi+768h]
CODE:006A039D call sub_46EC20
CODE:006A03A2 mov eax, [esi+764h]
CODE:006A03A8 mov al, [eax+86h]
CODE:006A03AE xor al, 1
CODE:006A03B0 mov edx, ds:off_6C6188
CODE:006A03B6 mov [edx], al
CODE:006A03B8
CODE:006A03B8 loc_6A03B8: ; CODE XREF: sub_6A004C+137j
CODE:006A03B8 ; sub_6A004C+177j ...
CODE:006A03B8 mov eax, [ebp+var_8]
CODE:006A03BB call sub_403D50
CODE:006A03C0
CODE:006A03C0 loc_6A03C0: ; CODE XREF: sub_6A004C+F5j
CODE:006A03C0 ; sub_6A004C+FFj ...
CODE:006A03C0 xor eax, eax
CODE:006A03C2 mov al, bl
CODE:006A03C4 add eax, 320h
CODE:006A03C9 mov [esi+88Ch], eax
CODE:006A03CF xor eax, eax
CODE:006A03D1 pop edx
CODE:006A03D2 pop ecx
CODE:006A03D3 pop ecx
CODE:006A03D4 mov fs:[eax], edx
CODE:006A03D7 push offset loc_6A040E
CODE:006A03DC
CODE:006A03DC loc_6A03DC: ; CODE XREF: sub_6A004C+3C0j
CODE:006A03DC lea eax, [ebp+var_70]
CODE:006A03DF mov edx, 0Fh
CODE:006A03E4 call sub_404BE4
CODE:006A03E9 lea eax, [ebp+var_24]
CODE:006A03EC mov edx, 3
CODE:006A03F1 call sub_404BE4
CODE:006A03F6 lea eax, [ebp+var_10]
CODE:006A03F9 call sub_404BC0
CODE:006A03FE lea eax, [ebp+var_4]
CODE:006A0401 call sub_404BC0
CODE:006A0406 retn
分析到这里,有一个很重要的东西就是三个密文
"1c395a8dce135849bd73c6dba3b54809"
"65cc2c8205a05d7379fa3a6386f710e1"
"d1fe173d08e959397adf34b1d77e88d7"
软件注册验证的时候用到了MD5,那我猜这三个密文很可能是MD5 密文,用Md5Crack跑看看,很快解出的明文是
88888 MD5(88888)=1c395a8dce135849bd73c6dba3b54809
1020 MD5(1020)=65cc2c8205a05d7379fa3a6386f710e1
79 MD5(79)=d1fe173d08e959397adf34b1d77e88d7
到这里注册算法已经很清楚了
注册码格式是这样的XXXXX-XXXXX-XXXXX-XXXXX
假设a指向注册码,注册成功的条件是
第1段+第4段=88888
第2段后3位+ 第3段后3位=1020
第2段前2位+ 第3段前2位=79
分析到这里,已经发现关键是这段密文的破解,如果设置得比较复杂的话,那要花很多时间跑,但是这个软件用的还是比较简单的,
机机好写得很吧 呵呵
【破解声明】我是一个小小菜虫子,文章如有错误,请高手指正!
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
=======================================================================================================
文章完成于2006-4-8 欣?网吧 6:02:59