【文章标题】: clipboard box 2.8算法的简单分析
【文章作者】: OCNZHAO[OCN]
【软件名称】: clipboard box 2.8
【软件大小】: 729K
【下载地址】: 华军软件园
【加壳方式】: ASPACK 2.12
【保护方式】: 使用次数
【编写语言】: DELPHI
【使用工具】: OD 1.1,PEID 0.94 ETC
【操作平台】: WINXP
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
程序加的是ASPACK 2.12,很好脱,注册码的计算过程的定位也比较容易,下面给出关键算法:
0049E418 /. 55 PUSH EBP
0049E419 |. 8BEC MOV EBP,ESP
0049E41B |. 33C9 XOR ECX,ECX
0049E41D |. 51 PUSH ECX
0049E41E |. 51 PUSH ECX
0049E41F |. 51 PUSH ECX
0049E420 |. 51 PUSH ECX
0049E421 |. 51 PUSH ECX
0049E422 |. 51 PUSH ECX
0049E423 |. 51 PUSH ECX
0049E424 |. 51 PUSH ECX
0049E425 |. 53 PUSH EBX
0049E426 |. 56 PUSH ESI
0049E427 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0049E42A |. 33C0 XOR EAX,EAX
0049E42C |. 55 PUSH EBP
0049E42D |. 68 95E54900 PUSH clipboar.0049E595
0049E432 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0049E435 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0049E438 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0049E43B |. BA ACE54900 MOV EDX,clipboar.0049E5AC ; ASCII "820109"
0049E440 |. E8 4764F6FF CALL clipboar.0040488C
0049E445 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0049E448 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049E44B |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0049E451 |. E8 4A4DFCFF CALL clipboar.004631A0 ; name
0049E456 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0049E459 |. E8 5666F6FF CALL clipboar.00404AB4 ; strlen(name)
0049E45E |. 8BD8 MOV EBX,EAX
0049E460 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
0049E463 |. B8 6D000000 MOV EAX,6D ; 6D->EAX
0049E468 |. E8 97A9F6FF CALL clipboar.00408E04 ; 整数转十进制字符串(Delphi IntToStr):EAX=0x6D -> "109",结果存入[EBP-14],跟进
//////////////////////////////////////////////////////////////////////////
00408E04 /$ 56 PUSH ESI
00408E05 |. 89E6 MOV ESI,ESP
00408E07 |. 83EC 10 SUB ESP,10
00408E0A |. 31C9 XOR ECX,ECX
00408E0C |. 52 PUSH EDX
00408E0D |. 31D2 XOR EDX,EDX
00408E0F |. E8 A4FFFFFF CALL clipboar.00408DB8 ;跟进这个CALL
00408E14 |. 89F2 MOV EDX,ESI
00408E16 |. 58 POP EAX
00408E17 |. E8 C8BAFFFF CALL clipboar.004048E4
00408E1C |. 83C4 10 ADD ESP,10
00408E1F |. 5E POP ESI
00408E20 \. C3 RETN
///////////////////////////////////////////////////////跟进
00408DCE |$ B9 0A000000 MOV ECX,0A ;除数/进制,这里是10(十进制)
00408DD3 |> 52 PUSH EDX
00408DD4 |. 56 PUSH ESI
00408DD5 |> 31D2 /XOR EDX,EDX
00408DD7 |. F7F1 |DIV ECX
00408DD9 |. 4E |DEC ESI
00408DDA |. 80C2 30 |ADD DL,30 ;余数+0x30 变成一位数字字符;下面余数>=10时再加7得到'A'~'F',说明这是通用进制转换例程,本例ECX=0xA 即十进制
00408DDD |. 80FA 3A |CMP DL,3A ;
00408DE0 |. 72 03 |JB SHORT clipboar.00408DE5 ;小于3A跳,都小于
00408DE2 |. 80C2 07 |ADD DL,7
00408DE5 |> 8816 |MOV BYTE PTR DS:[ESI],DL ;保存
00408DE7 |. 09C0 |OR EAX,EAX
00408DE9 |.^ 75 EA \JNZ SHORT clipboar.00408DD5 ;未计算完,跳回继续
00408DEB |. 59 POP ECX
00408DEC |. 5A POP EDX
00408DED |. 29F1 SUB ECX,ESI
00408DEF |. 29CA SUB EDX,ECX
00408DF1 |. 76 10 JBE SHORT clipboar.00408E03
00408DF3 |. 01D1 ADD ECX,EDX
00408DF5 |. B0 30 MOV AL,30
00408DF7 |. 29D6 SUB ESI,EDX
00408DF9 |. EB 03 JMP SHORT clipboar.00408DFE
00408DFB |> 880432 /MOV BYTE PTR DS:[EDX+ESI],AL
00408DFE |> 4A DEC EDX
00408DFF |.^ 75 FA \JNZ SHORT clipboar.00408DFB
00408E01 |. 8806 MOV BYTE PTR DS:[ESI],AL
00408E03 \> C3 RETN
00408E04 /$ 56 PUSH ESI
00408E05 |. 89E6 MOV ESI,ESP
00408E07 |. 83EC 10 SUB ESP,10
00408E0A |. 31C9 XOR ECX,ECX
00408E0C |. 52 PUSH EDX
00408E0D |. 31D2 XOR EDX,EDX
00408E0F |. E8 A4FFFFFF CALL clipboar.00408DB8
00408E14 |. 89F2 MOV EDX,ESI
00408E16 |. 58 POP EAX
00408E17 |. E8 C8BAFFFF CALL clipboar.004048E4
00408E1C |. 83C4 10 ADD ESP,10
00408E1F |. 5E POP ESI
00408E20 \. C3 RETN
/////////////////////////////////////////////////////////////////////////
0049E46D |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14] ; EDX=109
0049E470 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0049E473 |. E8 4466F6FF CALL clipboar.00404ABC
0049E478 |. 83FB 05 CMP EBX,5
0049E47B |. 7C 05 JL SHORT clipboar.0049E482
0049E47D |. BB 05000000 MOV EBX,5
0049E482 |> 8BF3 MOV ESI,EBX
0049E484 |. 83EE 02 SUB ESI,2
0049E487 |. 7C 43 JL SHORT clipboar.0049E4CC ; ESI=len-2<0 即注册名不足2位时跳过整个取字符循环(注册名至少要2位)
0049E489 |. 46 INC ESI ; ESI=循环次数=min(len,5)-1,len>=5 时为4
0049E48A |. C745 F4 02000000 MOV DWORD PTR SS:[EBP-C],2
0049E491 |> 8D45 E8 /LEA EAX,DWORD PTR SS:[EBP-18]
0049E494 |. 50 |PUSH EAX
0049E495 |. B9 01000000 |MOV ECX,1
0049E49A |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C] ; EDX=2
0049E49D |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
0049E4A0 |. E8 6F68F6FF |CALL clipboar.00404D14
0049E4A5 |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
0049E4A8 |. E8 0768F6FF |CALL clipboar.00404CB4
0049E4AD |. 8A18 |MOV BL,BYTE PTR DS:[EAX] ; 循环取注册名的各位name[i]
0049E4AF |. 8D55 E4 |LEA EDX,DWORD PTR SS:[EBP-1C]
0049E4B2 |. 33C0 |XOR EAX,EAX
0049E4B4 |. 8AC3 |MOV AL,BL ; name[i]->AL
0049E4B6 |. E8 49A9F6FF |CALL clipboar.00408E04 ; 关键CALL:同一个IntToStr例程,把name[i]的ASCII值(无符号,0~255,上面XOR EAX,EAX/MOV AL,BL零扩展)转成十进制串
0049E4BB |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
0049E4BE |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10]
0049E4C1 |. E8 F665F6FF |CALL clipboar.00404ABC
0049E4C6 |. FF45 F4 |INC DWORD PTR SS:[EBP-C]
0049E4C9 |. 4E |DEC ESI
0049E4CA |.^ 75 C5 \JNZ SHORT clipboar.0049E491
0049E4CC |> 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
0049E4CF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0049E4D2 |. 8B80 0C030000 MOV EAX,DWORD PTR DS:[EAX+30C]
0049E4D8 |. E8 C34CFCFF CALL clipboar.004631A0 ; 取注册码输入框的文本到[EBP-20](与上面取注册名用的是同一个例程004631A0,不是strlen)
0049E4DD |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] ; 假码
0049E4E0 |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10] ; 真码
0049E4E3 |. E8 1867F6FF CALL clipboar.00404C00 ; 明码比较:输入的注册码与内存中算出的真码直接做字符串比较,在此下断即可读出真码
0049E4E8 |. 75 68 JNZ SHORT clipboar.0049E552 ; 不相等跳
0049E4EA |. B2 01 MOV DL,1
0049E4EC |. A1 64604300 MOV EAX,DWORD PTR DS:[436064]
0049E4F1 |. E8 6E7CF9FF CALL clipboar.00436164
0049E4F6 |. 8BD8 MOV EBX,EAX
0049E4F8 |. BA 00000080 MOV EDX,80000000
0049E4FD |. 8BC3 MOV EAX,EBX
0049E4FF |. E8 007DF9FF CALL clipboar.00436204
0049E504 |. B1 01 MOV CL,1
0049E506 |. BA BCE54900 MOV EDX,clipboar.0049E5BC ; ASCII ".lwx1"
0049E50B |. 8BC3 MOV EAX,EBX
0049E50D |. E8 567DF9FF CALL clipboar.00436268
0049E512 |. 84C0 TEST AL,AL
0049E514 |. 74 11 JE SHORT clipboar.0049E527
0049E516 |. B9 CCE54900 MOV ECX,clipboar.0049E5CC ; ASCII "!oncemoreagain"
0049E51B |. BA E4E54900 MOV EDX,clipboar.0049E5E4 ; ASCII "registerok"
0049E520 |. 8BC3 MOV EAX,EBX
0049E522 |. E8 FD7EF9FF CALL clipboar.00436424
0049E527 |> 6A 00 PUSH 0
0049E529 |. B9 F0E54900 MOV ECX,clipboar.0049E5F0 ; ASCII "Register OK"
0049E52E |. BA FCE54900 MOV EDX,clipboar.0049E5FC ; ASCII "Register OK,Enjoy it!"
0049E533 |. A1 B83A4A00 MOV EAX,DWORD PTR DS:[4A3AB8]
0049E538 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0049E53A |. E8 8960FBFF CALL clipboar.004545C8
0049E53F |. A1 7C4D4A00 MOV EAX,DWORD PTR DS:[4A4D7C]
0049E544 |. E8 3727FBFF CALL clipboar.00450C80
0049E549 |. 8BC3 MOV EAX,EBX
0049E54B |. E8 3455F6FF CALL clipboar.00403A84
0049E550 |. EB 18 JMP SHORT clipboar.0049E56A
0049E552 |> 6A 00 PUSH 0
0049E554 |. B9 14E64900 MOV ECX,clipboar.0049E614 ; ASCII "Warning"
0049E559 |. BA 1CE64900 MOV EDX,clipboar.0049E61C ; ASCII "Invalid registration!!"
0049E55E |. A1 B83A4A00 MOV EAX,DWORD PTR DS:[4A3AB8]
0049E563 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0049E565 |. E8 5E60FBFF CALL clipboar.004545C8
0049E56A |> 33C0 XOR EAX,EAX
0049E56C |. 5A POP EDX
0049E56D |. 59 POP ECX
0049E56E |. 59 POP ECX
0049E56F |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0049E572 |. 68 9CE54900 PUSH clipboar.0049E59C
0049E577 |> 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
0049E57A |. E8 7562F6FF CALL clipboar.004047F4
0049E57F |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0049E582 |. BA 04000000 MOV EDX,4
0049E587 |. E8 8C62F6FF CALL clipboar.00404818
0049E58C |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0049E58F |. E8 6062F6FF CALL clipboar.004047F4
0049E594 \. C3 RETN
0049E595 .^ E9 3E5CF6FF JMP clipboar.004041D8
0049E59A .^ EB DB JMP SHORT clipboar.0049E577
0049E59C . 5E POP ESI
0049E59D . 5B POP EBX
0049E59E . 8BE5 MOV ESP,EBP
0049E5A0 . 5D POP EBP
0049E5A1 . C3 RETN
/////////////////////////////////////////////////////////////////////////////
--------------------------------------------------------------------------------
【经验总结】
算法总结:
(1)程序内置一个串820109;
(2)紧接着调用 00408E04(Delphi 的整数转字符串例程,内部反复除以 0xA 取余数)把常数 0x6D 转成十进制串;0x6D 就是十进制的 109,所以得到串"109";
(3)然后依次取注册名,从第二位开始取;位数大于等于5的话计算4次,位数小于5的计算strlen(name)-1次;注册名不足2位则一次都不取;
以注册名大于等于5为例:
<5>从第二位开始依次取出字符的 ASCII 值(按无符号字节,0~255),用同一个例程转成十进制串:反复除以 10,余数就是一位数字,商为 0 时停止;各字符得到的串依次拼接;
<6>注册码的形式是820109109+<5>的计算结果。例如注册名 pediy 取第2~5位 e、d、i、y(ASCII 101、100、105、121),注册码即 820109109101100105121。
#include <stdio.h>
#include <string.h>
#include <math.h>
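/*
 * Key generator for Clipboard Box 2.8, reconstructed from the listing above.
 *
 * Serial = "820109" + IntToStr(0x6D) ("109") + the decimal ASCII value of
 * the name's characters starting at the 2nd one: 4 characters when the
 * name has 5 or more, otherwise strlen(name) - 1 of them (a name shorter
 * than 2 characters adds nothing).
 */
enum { NAME_MAX = 50, SERIAL_MAX = 32 };

/* How many name characters feed the serial: min(len, 5) - 1, never negative. */
static size_t serial_char_count(size_t len)
{
    if (len > 5) {
        len = 5;
    }
    return len < 2 ? 0 : len - 1;
}

/*
 * Write the serial for `name` into `out` (capacity `outsz`).
 * Returns 0 on success, -1 when `out` is too small; `out` is always
 * NUL-terminated when outsz > 0.
 *
 * Bytes are treated as unsigned: the target zero-extends each character
 * (XOR EAX,EAX / MOV AL,BL) before converting it, so a byte such as 0xC8
 * must print as "200". The original keygen used plain char and would emit
 * negative remainders for such bytes where char is signed.
 */
static int make_serial(const char *name, char *out, size_t outsz)
{
    const unsigned char *bytes = (const unsigned char *)name;
    size_t count = serial_char_count(strlen(name));
    size_t pos;
    int n = snprintf(out, outsz, "820109109");

    if (n < 0 || (size_t)n >= outsz) {
        return -1;
    }
    pos = (size_t)n;
    /* Index 1 is the 2nd character: the target starts Copy() at position 2. */
    for (size_t i = 1; i <= count; i++) {
        n = snprintf(out + pos, outsz - pos, "%u", (unsigned)bytes[i]);
        if (n < 0 || (size_t)n >= outsz - pos) {
            return -1;
        }
        pos += (size_t)n;
    }
    return 0;
}

/* Entry point: print the banner, read a name, print its serial. */
int main(void)
{
    char name[NAME_MAX];
    char serial[SERIAL_MAX];

    printf("////////////////////////////////////////////////////\n");
    printf("// Clipboard Box V2.8 Key Generator //\n");
    printf("// //\n");
    printf("// Author: ocnzhao[OCN] //\n");
    printf("// //\n");
    printf("// E-mail: ocnzhao@163.com //\n");
    printf("// //\n");
    printf("// OS : WinXP, PEiD, Ollydbg, C-Free3.5 //\n");
    printf("// //\n");
    printf("// Date : 2006-05-16 //\n");
    printf("//////////////////////////////////////////////////\n\n");
    printf("请输入注册名: ");
    /*
     * "%49s" caps the read at sizeof name - 1 and passes the array itself;
     * the original scanf("%s", &name) was an unbounded write into name[50].
     */
    if (scanf("%49s", name) != 1) {
        return 1;
    }
    printf("注册码是");
    printf("\n");
    if (make_serial(name, serial, sizeof serial) != 0) {
        return 1;
    }
    printf("%s", serial);
    printf("\n");
    return 0;
}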
注: CMD窗口出现的注册码直接不好复制,可以点鼠标右键选择“标记”再复制,省得照着往里输,麻烦
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年05月16日 21:03:08