【Article Title】心梦网页特效管理专家8.5 XP (Xinmeng Web Effects Management Expert 8.5 XP) Algorithm Analysis
【Author】?幻刹那
【Author Homepage】???
【Author Email】lovecy616927@yahoo.com.cn
【Group】??游民
【Software Name】心梦网页特效管理专家8.5 XP
【Download】http://www.onlinedown.net/soft/5090.htm
【Tools】OD (OllyDbg)
【Protection】Registration code
【Difficulty】Easy
----------------------------------------------------
Software introduction:
No introduction needed, heh.
----------------------------------------------------
Statement: I am just a little newbie; I happened upon a small insight and want to share it with everyone :)
----------------------------------------------------
【Analysis】
Bored tonight, so here is another algorithm analysis. The program is packed with ASPack 2.1 and unpacks easily. Load it in OD, search for the strings, set breakpoints on all of them, and you arrive at the algorithm section without trouble.
004D41E3 |. E8 540CF3FF CALL 1.00404E3C
004D41E8 74 16 JE SHORT 1.004D4200 ; change this to JMP so the program can run, otherwise it exits
004D41EA B8 54474D00 MOV EAX,1.004D4754 ; string: 你的操作破坏心梦软件的完整性,请尊重作者的辛苦劳动! (Your action has damaged the integrity of the Xinmeng software; please respect the author's hard work!)
004D41EF |. E8 9CA1F6FF CALL 1.0043E390
004D41F4 |. A1 DCB54D00 MOV EAX,DWORD PTR DS:[4DB5DC]
004D41F9 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004D41FB |. E8 B813F9FF CALL 1.004655B8
004D4200 |> A1 DCB54D00 MOV EAX,DWORD PTR DS:[4DB5DC]
004D4205 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004D4207 |. 8B90 98000000 MOV EDX,DWORD PTR DS:[EAX+98]
004D420D |. 8B83 40020000 MOV EAX,DWORD PTR DS:[EBX+240]
004D4213 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004D4215 |. FF51 08 CALL DWORD PTR DS:[ECX+8]
004D4218 |. B8 58000000 MOV EAX,58
004D421D |. E8 5AE5F2FF CALL 1.0040277C
004D4222 |. 8BF0 MOV ESI,EAX
004D4224 |. 89B3 70040000 MOV DWORD PTR DS:[EBX+470],ESI
004D422A |. 8BC3 MOV EAX,EBX
=========================================================================
004D0969 . 55 PUSH EBP
004D096A . 68 9E0B4D00 PUSH 1.004D0B9E
004D096F . 64:FF30 PUSH DWORD PTR FS:[EAX]
004D0972 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
004D0975 . 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
004D0978 . 8B83 10030000 MOV EAX,DWORD PTR DS:[EBX+310]
004D097E . E8 654BF7FF CALL 1.004454E8 ; get our registration code
004D0983 . 837D FC 00 CMP DWORD PTR SS:[EBP-4],0 ; compare with 0
004D0987 . 74 14 JE SHORT 1.004D099D
004D0989 . 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004D098C . 8B83 14030000 MOV EAX,DWORD PTR DS:[EBX+314] ; get the digit count
004D0992 . E8 514BF7FF CALL 1.004454E8 ; get the username
004D0997 . 837D F8 00 CMP DWORD PTR SS:[EBP-8],0 ; compare whether the username is 0
004D099B . 75 1D JNZ SHORT 1.004D09BA
004D099D > 6A 40 PUSH 40
004D099F . B9 300C4D00 MOV ECX,1.004D0C30 ; string: 提示 (Notice)
004D09A4 . BA 380C4D00 MOV EDX,1.004D0C38 ; string: 用户名和注册码都必须输入,请你检查输入是否正确! (Both the username and the registration code must be entered; please check your input!)
004D09A9 . A1 DCB54D00 MOV EAX,DWORD PTR DS:[4DB5DC]
004D09AE . 8B00 MOV EAX,DWORD PTR DS:[EAX]
004D09B0 . E8 A74CF9FF CALL 1.0046565C
004D09B5 . E9 DA010000 JMP 1.004D0B94
004D09BA > 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004D09BD . 8B83 10030000 MOV EAX,DWORD PTR DS:[EBX+310]
004D09C3 . E8 204BF7FF CALL 1.004454E8 ; get the registration code
004D09C8 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; put the registration code into eax
004D09CB . 50 PUSH EAX
004D09CC . 68 700C4D00 PUSH 1.004D0C70 ; 200385522, a fixed number, pushed onto the stack
004D09D1 . 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004D09D4 . 8B83 14030000 MOV EAX,DWORD PTR DS:[EBX+314]
004D09DA . E8 094BF7FF CALL 1.004454E8
004D09DF . 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] ; put the username into eax
004D09E2 . E8 1143F3FF CALL 1.00404CF8
004D09E7 . 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004D09EA . E8 A987F3FF CALL 1.00409198
004D09EF . FF75 EC PUSH DWORD PTR SS:[EBP-14]
004D09F2 . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
004D09F5 . 8B83 0C030000 MOV EAX,DWORD PTR DS:[EBX+30C]
004D09FB . E8 E84AF7FF CALL 1.004454E8 ; get the machine code
004D0A00 . 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] ; put the machine code into eax
004D0A03 . 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004D0A06 . E8 E1FCFFFF CALL 1.004D06EC ; computes on the machine code inside; here I got the number 790102016, F7 to step in
004D0A0B . FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
004D0A0E . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004D0A11 . BA 03000000 MOV EDX,3 ; edx equals 3
004D0A16 . E8 9D43F3FF CALL 1.00404DB8 ; the algorithm: joins the earlier number 200385522 with the number computed from the machine code; here I get 2003855226790102016
004D0A1B . 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10] ; the combined number goes into edx, and that is our registration code
004D0A1E . 58 POP EAX ; the number we entered is popped off the stack; now the two should be compared
004D0A1F . E8 1844F3FF CALL 1.00404E3C ; inside is the routine that compares the 2 numbers
004D0A24 . 0F85 5E010000 JNZ 1.004D0B88 ; if not equal, jump away and registration fails; if equal, registration succeeds
004D0A2A . 6A 40 PUSH 40
004D0A2C . B9 300C4D00 MOV ECX,1.004D0C30 ; string: 提示 (Notice)
004D0A31 . BA 7C0C4D00 MOV EDX,1.004D0C7C ; string: 软件注册成功! (Software registered successfully!)
004D0A36 . A1 DCB54D00 MOV EAX,DWORD PTR DS:[4DB5DC]
004D0A3B . 8B00 MOV EAX,DWORD PTR DS:[EAX]
004D0A3D . E8 1A4CF9FF CALL 1.0046565C
004D0A42 . B2 01 MOV DL,1
004D0A44 . A1 AC294700 MOV EAX,DWORD PTR DS:[4729AC]
004D0A49 . E8 5E20FAFF CALL 1.00472AAC
004D0A4E . 8BF0 MOV ESI,EAX
004D0A50 . BA 02000080 MOV EDX,80000002
004D0A55 . 8BC6 MOV EAX,ESI
004D0A57 . E8 F020FAFF CALL 1.00472B4C
004D0A5C . B1 01 MOV CL,1
004D0A5E . BA 940C4D00 MOV EDX,1.004D0C94 ; software\smsoft\sm85xp
004D0A63 . 8BC6 MOV EAX,ESI
004D0A65 . E8 4621FAFF CALL 1.00472BB0
004D0A6A . 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004D0A6D . 8B83 10030000 MOV EAX,DWORD PTR DS:[EBX+310]
004D0A73 . E8 704AF7FF CALL 1.004454E8
004D0A78 . 8B4D DC MOV ECX,DWORD PTR SS:[EBP-24]
004D0A7B . BA B40C4D00 MOV EDX,1.004D0CB4 ; regcode
004D0A80 . 8BC6 MOV EAX,ESI
004D0A82 . E8 E522FAFF CALL 1.00472D6C
004D0A87 . 8B83 18030000 MOV EAX,DWORD PTR DS:[EBX+318]
004D0A8D . 33D2 XOR EDX,EDX
============================================================================================
Stepping into the call at 004D0A06 brings us to:
004D06EC /$ 55 PUSH EBP
004D06ED |. 8BEC MOV EBP,ESP
004D06EF |. 6A 00 PUSH 0
004D06F1 |. 6A 00 PUSH 0
004D06F3 |. 6A 00 PUSH 0
004D06F5 |. 53 PUSH EBX
004D06F6 |. 56 PUSH ESI
004D06F7 |. 57 PUSH EDI
004D06F8 |. 8BF2 MOV ESI,EDX
004D06FA |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004D06FD |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004D0700 |. E8 DB47F3FF CALL 1.00404EE0
004D0705 |. 33C0 XOR EAX,EAX
004D0707 |. 55 PUSH EBP
004D0708 |. 68 AC074D00 PUSH 1.004D07AC
004D070D |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004D0710 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004D0713 |. BB 611E0000 MOV EBX,1E61
004D0718 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004D071B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004D071E |. E8 0986F3FF CALL 1.00408D2C
004D0723 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004D0726 |. E8 CD45F3FF CALL 1.00404CF8
004D072B |. 85C0 TEST EAX,EAX
004D072D |. 75 09 JNZ SHORT 1.004D0738
004D072F |. 8BC6 MOV EAX,ESI
004D0731 |. E8 0A43F3FF CALL 1.00404A40
004D0736 |. EB 59 JMP SHORT 1.004D0791
004D0738 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004D073B |. E8 B845F3FF CALL 1.00404CF8
004D0740 |. 8BC8 MOV ECX,EAX ; ecx is the counter
004D0742 |. 85C9 TEST ECX,ECX
004D0744 |. 7E 33 JLE SHORT 1.004D0779
004D0746 |. BA 01000000 MOV EDX,1
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ here the core algorithm produces a number; I won't explain it, I have annotated it. My machine code is 85533-1742714892, which yields 790102016
004D074B |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8]
004D074E |. 0FB64410 FF |MOVZX EAX,BYTE PTR DS:[EAX+EDX-1] ; take the ASCII code of each machine-code character in turn into eax
004D0753 |. 8BFA |MOV EDI,EDX ; edx is the character index
004D0755 |. 81E7 01000080 |AND EDI,80000001 ; AND edi with 80000001
004D075B |. 79 05 |JNS SHORT 1.004D0762
004D075D |. 4F |DEC EDI
004D075E |. 83CF FE |OR EDI,FFFFFFFE
004D0761 |. 47 |INC EDI
004D0762 |> 85FF |TEST EDI,EDI ; test whether edi is 0,
004D0764 |. 75 05 |JNZ SHORT 1.004D076B ; if not, jump away
004D0766 |. 83C0 0D |ADD EAX,0D ; add 0d to eax
004D0769 |. EB 03 |JMP SHORT 1.004D076E
004D076B |> 83C0 1A |ADD EAX,1A ; add 1a to eax
004D076E |> 03C2 |ADD EAX,EDX ; add edx to eax
004D0770 |. 0FAFC3 |IMUL EAX,EBX ; eax times ebx, result in eax
004D0773 |. 8BD8 |MOV EBX,EAX ; put eax into ebx, i.e. the running value is carried in ebx
004D0775 |. 42 |INC EDX ; take the next character
004D0776 |. 49 |DEC ECX ; ecx minus 1
004D0777 |.^ 75 D2 \JNZ SHORT 1.004D074B ; check whether all characters are consumed; if not, keep looping, accumulating everything into ebx
004D0779 |> 8BC3 MOV EAX,EBX ; finally pass ebx to eax = 790102016 // the initial value of ebx is 7777
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
004D077B |. 33D2 XOR EDX,EDX
004D077D |. 52 PUSH EDX ; /Arg2 => 00000000
004D077E |. 50 PUSH EAX ; |Arg1
004D077F |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C] ; |
004D0782 |. E8 418AF3FF CALL 1.004091C8 ; \1.004091C8
004D0787 |. 8BC6 MOV EAX,ESI
004D0789 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
004D078C |. E8 0343F3FF CALL 1.00404A94
004D0791 |> 33C0 XOR EAX,EAX
004D0793 |. 5A POP EDX
004D0794 |. 59 POP ECX
004D0795 |. 59 POP ECX
004D0796 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004D0799 |. 68 B3074D00 PUSH 1.004D07B3
004D079E |> 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004D07A1 |. BA 03000000 MOV EDX,3
004D07A6 |. E8 B942F3FF CALL 1.00404A64
004D07AB \. C3 RETN
004D07AC .^ E9 973CF3FF JMP 1.00404448
004D07B1 .^ EB EB JMP SHORT 1.004D079E
004D07B3 . 5F POP EDI
004D07B4 . 5E POP ESI
004D07B5 . 5B POP EBX
004D07B6 . 8BE5 MOV ESP,EBP
004D07B8 . 5D POP EBP
004D07B9 . C3 RETN
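The five instructions at 004D0753..004D0761 (MOV EDI,EDX / AND EDI,80000001 / JNS / DEC EDI / OR EDI,FFFFFFFE / INC EDI) are the standard compiler idiom for a signed `mod 2`, which is why the loop simply alternates the 0D and 1A additions by character position. The C below is an added example, not code from the write-up or from the program: it emulates the flag behaviour of that sequence (function names `idiom_mod2`, `loop_add_constant` and `idiom_matches_c_mod` are mine) and checks it against C's `%` on constructed sample values, including negatives the loop itself never reaches.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Faithful emulation of 004D0753..004D0761:
 *   MOV EDI,EDX ; AND EDI,80000001 ; JNS skip ; DEC EDI ; OR EDI,FFFFFFFE ; INC EDI
 * AND keeps only the sign bit and the low bit; the sign flag then decides
 * whether a correction runs so that -3 yields -1 rather than 0x80000001. */
int32_t idiom_mod2(int32_t edx)
{
    uint32_t edi = (uint32_t)edx & 0x80000001u;   /* AND EDI,80000001 */
    bool sf = (edi & 0x80000000u) != 0;           /* sign flag set by the AND */
    if (sf) {                                     /* JNS not taken: negative input */
        edi -= 1;                                 /* DEC EDI */
        edi |= 0xFFFFFFFEu;                       /* OR EDI,FFFFFFFE */
        edi += 1;                                 /* INC EDI */
    }
    return (int32_t)edi;                          /* value TEST EDI,EDI inspects */
}

/* The loop body adds 0D when EDI is zero (even position) and 1A otherwise.
 * EDX runs 1..len in the listing, so only the positive path is exercised there. */
int32_t loop_add_constant(int32_t position)
{
    return idiom_mod2(position) == 0 ? 0x0D : 0x1A;
}

/* Cross-check the emulation against C's signed remainder on constructed
 * samples, including negatives and the int32 extremes. Returns 1 on full match. */
int idiom_matches_c_mod(void)
{
    const int32_t samples[] = {0, 1, 2, 3, 16, 17, -1, -2, -3, -4,
                               INT32_MIN, INT32_MAX};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (idiom_mod2(samples[i]) != samples[i] % 2)
            return 0;
    return 1;
}
```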
----------------------------------------------------
【Summary】
The algorithm has nothing to do with the username: the machine code goes through a computation that yields a number (see the algorithm analysis above for the computation; it is very simple, but I am dizzy and it is almost 2 a.m., so I won't write it out), which is then combined with the fixed number 200385522 into one number, and that is our registration code. My machine code produces 790102016, so the combined registration code is 200385522790102016. The software uses a plaintext comparison.