A symmetric algorithm; I could not work out which one it is. If anyone knows, please tell me, thanks.
快速抠图 1.08
Software size: 6659KB
Software language: Simplified Chinese
Software category: Domestic software / Shareware / Image processing
Runtime environment: Win9x/Me/NT/2000/XP/2003
Added: 2006-9-29 10:56:49
Software details
Just drag the mouse a few strokes over the foreground and the background to roughly mark which parts belong to the foreground and which to the background, and the program uses the quick-cutout algorithm to extract the foreground automatically.
The program has three functions:
1. Quick cutout. The quick-cutout algorithm works on all images; it requires neither a sharp foreground/background contrast nor a single-colour background.
2. Manual adjustment. Adjust foreground boundary lines that the quick-cutout algorithm did not extract accurately.
3. Background replacement. Place the extracted foreground onto another background image, or replace the original background with a solid colour.
Microsoft Visual C++ 6.0
Registration shows a message, so the origin is easy to find:
0044197C 55 push ebp
Key location:
00441A89 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
00441A8C E8 A94EFDFF call lazyedit.0041693A ; step into
00441A91 85C0 test eax,eax
00441A93 75 69 jnz short lazyedit.00441AFE
1. Algorithm flow:
Step into the call lazyedit.0041693A at 00441A8C.
The entered registration code is compared with the following strings:
00416A00 68 A8C14C00 push lazyedit.004CC1A8 ; ASCII "45p734p434p545p3"
00416A17 68 BCC14C00 push lazyedit.004CC1BC ; ASCII "89d699f63d56012p"
Purpose unknown?
1.1 Registration code conversion: 00416A82 E8 80840600 call lazyedit.0047EF07
0047EDEB 55 push ebp
0047EDEC 8BEC mov ebp,esp
0047EDEE 0FBE45 08 movsx eax,byte ptr ss:[ebp+8]
0047EDF2 83F8 30 cmp eax,30
0047EDF5 75 07 jnz short lazyedit.0047EDFE
0047EDF7 33C0 xor eax,eax
0047EDF9 E9 07010000 jmp lazyedit.0047EF05
0047EDFE 0FBE4D 08 movsx ecx,byte ptr ss:[ebp+8]
0047EE02 83F9 31 cmp ecx,31
0047EE05 75 0A jnz short lazyedit.0047EE11
0047EE07 B8 01000000 mov eax,1
0047EE0C E9 F4000000 jmp lazyedit.0047EF05
0047EE11 0FBE55 08 movsx edx,byte ptr ss:[ebp+8]
0047EE15 83FA 32 cmp edx,32
0047EE18 75 0A jnz short lazyedit.0047EE24
0047EE1A B8 02000000 mov eax,2
0047EE1F E9 E1000000 jmp lazyedit.0047EF05
0047EE24 0FBE45 08 movsx eax,byte ptr ss:[ebp+8]
0047EE28 83F8 33 cmp eax,33
0047EE2B 75 0A jnz short lazyedit.0047EE37
0047EE2D B8 03000000 mov eax,3
0047EE32 E9 CE000000 jmp lazyedit.0047EF05
0047EE37 0FBE4D 08 movsx ecx,byte ptr ss:[ebp+8]
0047EE3B 83F9 34 cmp ecx,34
0047EE3E 75 0A jnz short lazyedit.0047EE4A
0047EE40 B8 04000000 mov eax,4
0047EE45 E9 BB000000 jmp lazyedit.0047EF05
0047EE4A 0FBE55 08 movsx edx,byte ptr ss:[ebp+8]
0047EE4E 83FA 35 cmp edx,35
0047EE51 75 0A jnz short lazyedit.0047EE5D
0047EE53 B8 05000000 mov eax,5
0047EE58 E9 A8000000 jmp lazyedit.0047EF05
0047EE5D 0FBE45 08 movsx eax,byte ptr ss:[ebp+8]
0047EE61 83F8 36 cmp eax,36
0047EE64 75 0A jnz short lazyedit.0047EE70
0047EE66 B8 06000000 mov eax,6
0047EE6B E9 95000000 jmp lazyedit.0047EF05
0047EE70 0FBE4D 08 movsx ecx,byte ptr ss:[ebp+8]
0047EE74 83F9 37 cmp ecx,37
0047EE77 75 0A jnz short lazyedit.0047EE83
0047EE79 B8 07000000 mov eax,7
0047EE7E E9 82000000 jmp lazyedit.0047EF05
0047EE83 0FBE55 08 movsx edx,byte ptr ss:[ebp+8]
0047EE87 83FA 38 cmp edx,38
0047EE8A 75 07 jnz short lazyedit.0047EE93
0047EE8C B8 08000000 mov eax,8
0047EE91 EB 72 jmp short lazyedit.0047EF05
0047EE93 0FBE45 08 movsx eax,byte ptr ss:[ebp+8]
0047EE97 83F8 39 cmp eax,39
0047EE9A 75 07 jnz short lazyedit.0047EEA3
0047EE9C B8 09000000 mov eax,9
0047EEA1 EB 62 jmp short lazyedit.0047EF05
0047EEA3 0FBE4D 08 movsx ecx,byte ptr ss:[ebp+8]
0047EEA7 83F9 61 cmp ecx,61
0047EEAA 75 07 jnz short lazyedit.0047EEB3
0047EEAC B8 0A000000 mov eax,0A
0047EEB1 EB 52 jmp short lazyedit.0047EF05
0047EEB3 0FBE55 08 movsx edx,byte ptr ss:[ebp+8]
0047EEB7 83FA 62 cmp edx,62
0047EEBA 75 07 jnz short lazyedit.0047EEC3
0047EEBC B8 0B000000 mov eax,0B
0047EEC1 EB 42 jmp short lazyedit.0047EF05
0047EEC3 0FBE45 08 movsx eax,byte ptr ss:[ebp+8]
0047EEC7 83F8 63 cmp eax,63
0047EECA 75 07 jnz short lazyedit.0047EED3
0047EECC B8 0C000000 mov eax,0C
0047EED1 EB 32 jmp short lazyedit.0047EF05
0047EED3 0FBE4D 08 movsx ecx,byte ptr ss:[ebp+8]
0047EED7 83F9 64 cmp ecx,64
0047EEDA 75 07 jnz short lazyedit.0047EEE3
0047EEDC B8 0D000000 mov eax,0D
0047EEE1 EB 22 jmp short lazyedit.0047EF05
0047EEE3 0FBE55 08 movsx edx,byte ptr ss:[ebp+8]
0047EEE7 83FA 65 cmp edx,65
0047EEEA 75 07 jnz short lazyedit.0047EEF3
0047EEEC B8 0E000000 mov eax,0E
0047EEF1 EB 12 jmp short lazyedit.0047EF05
0047EEF3 0FBE45 08 movsx eax,byte ptr ss:[ebp+8]
0047EEF7 83F8 66 cmp eax,66
0047EEFA 75 07 jnz short lazyedit.0047EF03
0047EEFC B8 0F000000 mov eax,0F
0047EF01 EB 02 jmp short lazyedit.0047EF05
0047EF03 33C0 xor eax,eax
0047EF05 5D pop ebp
0047EF06 C3 retn
The mapping is as follows:
0-9 stay as they are; a maps to A, b to B, c to C, d to D, e to E, f to F; everything else becomes 0.
For example, with the test code 1111 2222 3333 4444
After conversion: 0012FBB4 11 11 22 22 33 33 44 44 ""33DD
1.2 Encryption: ??
00416A8A 8D85 94FDFFFF lea eax,dword ptr ss:[ebp-26C]
00416A90 50 push eax
00416A91 8D8D 80FDFFFF lea ecx,dword ptr ss:[ebp-280]
00416A97 51 push ecx
00416A98 68 3CBD4C00 push lazyedit.004CBD3C ; ASCII "488440905310825"
00416A9D 6A 01 push 1
00416A9F E8 A1A4FFFF call lazyedit.00410F45 ; encryption
Key comparison:
00416ACC 50 push eax ; encrypted value of the registration code
00416ACD 8D8D 7CFDFFFF lea ecx,dword ptr ss:[ebp-284] ; registration number
00416AD3 51 push ecx
00416AD4 E8 A7FAFEFF call lazyedit.00406580 ; compare
00416AD9 25 FF000000 and eax,0FF
00416ADE 85C0 test eax,eax
00416AE0 74 3F je short lazyedit.00416B21 ; patch point
00416AE2 C785 70FDFFFF >mov dword ptr ss:[ebp-290],1 ; key assignment
If the registration number equals the value computed from the registration code, registration succeeds.
2. The whole process is as described above; the important part is the encryption:
00416A9F E8 A1A4FFFF call lazyedit.00410F45 ; encryption
Stepping in reveals that there is an encrypt path and a decrypt path. This is judged mainly from the following: there is one conditional jump, and the two code sections for the taken and not-taken cases are almost identical (symmetric algorithms such as DES and MARS all look like this), hence the conclusion that they are the encrypt and decrypt halves.
The code is as follows:
00410F45 55 push ebp
00410F46 8BEC mov ebp,esp
00410F48 83EC 20 sub esp,20
00410F4B 8B45 08 mov eax,dword ptr ss:[ebp+8]
00410F4E 25 FF000000 and eax,0FF
00410F53 85C0 test eax,eax
00410F55 75 47 jnz short lazyedit.00410F9E ; probably the encrypt/decrypt switch
00410F57 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00410F5A 51 push ecx
00410F5B 8B55 10 mov edx,dword ptr ss:[ebp+10]
00410F5E 52 push edx
00410F5F 8B45 0C mov eax,dword ptr ss:[ebp+C]
00410F62 50 push eax
00410F63 6A 00 push 0
00410F65 E8 B6FFFFFF call lazyedit.00410F20
00410F6A 83C4 10 add esp,10
00410F6D 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00410F70 51 push ecx
00410F71 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00410F74 52 push edx
00410F75 8B45 0C mov eax,dword ptr ss:[ebp+C]
00410F78 83C0 08 add eax,8
00410F7B 50 push eax
00410F7C 6A 01 push 1
00410F7E E8 9DFFFFFF call lazyedit.00410F20
00410F83 83C4 10 add esp,10
00410F86 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
00410F89 51 push ecx
00410F8A 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00410F8D 52 push edx
00410F8E 8B45 0C mov eax,dword ptr ss:[ebp+C]
00410F91 50 push eax
00410F92 6A 00 push 0
00410F94 E8 87FFFFFF call lazyedit.00410F20
00410F99 83C4 10 add esp,10
00410F9C EB 45 jmp short lazyedit.00410FE3
00410F9E 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
00410FA1 51 push ecx
00410FA2 8B55 10 mov edx,dword ptr ss:[ebp+10]
00410FA5 52 push edx
00410FA6 8B45 0C mov eax,dword ptr ss:[ebp+C]
00410FA9 50 push eax
00410FAA 6A 01 push 1
00410FAC E8 6FFFFFFF call lazyedit.00410F20
00410FB1 83C4 10 add esp,10
00410FB4 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00410FB7 51 push ecx
00410FB8 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00410FBB 52 push edx
00410FBC 8B45 0C mov eax,dword ptr ss:[ebp+C]
00410FBF 83C0 08 add eax,8
00410FC2 50 push eax
00410FC3 6A 00 push 0
00410FC5 E8 56FFFFFF call lazyedit.00410F20
00410FCA 83C4 10 add esp,10
00410FCD 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
00410FD0 51 push ecx
00410FD1 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00410FD4 52 push edx
00410FD5 8B45 0C mov eax,dword ptr ss:[ebp+C]
00410FD8 50 push eax
00410FD9 6A 01 push 1
00410FDB E8 40FFFFFF call lazyedit.00410F20
00410FE0 83C4 10 add esp,10
00410FE3 8BE5 mov esp,ebp
00410FE5 5D pop ebp
00410FE6 C3 retn
Verification:
Test code: 1111222233334444
Encrypted value: 3A 01 E6 45 F2 C6 A4 BA
On entering 00416A9F E8 A1A4FFFF call lazyedit.00410F45, change the test code to 3A 01 E6 45 F2 C6 A4 BA, then inside the call flip the jump at 00410F55 75 47 jnz short lazyedit.00410F9E; on return the value 1111222233334444 indeed comes back. Good, it really is a symmetric algorithm; done.
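The structure of 00410F45 is worth spelling out, because it is what makes the "flip the jump and the plaintext comes back" test work. It makes three calls to 00410F20 with the same (flag, key, in, out) argument order. With the outer flag 1 (the push 1 at 00416A9D, the encryption call) the inner flags are 1, 0, 1 over the key, key+8 and the key again; with the outer flag 0 they are 0, 1, 0 over the same three pointers, the exact mirror. That is an encrypt-decrypt-encrypt layering of one 8-byte-block primitive under two 8-byte key halves taken from the string at 004CBD3C. The page does not identify the primitive at 00410F20, and the following Python model is an added example, not code from the post or from the program: a constructed toy 8-byte permutation (toy_block) stands in for 00410F20, the character mapping from section 1.1 is reproduced, and the assumption that the 15-character key string is used together with its NUL terminator as 16 key bytes is marked in the code. All function names are assumptions.

```python
# Added example modelling the call structure seen in the disassembly.
# toy_block() is a constructed stand-in for the unidentified 8-byte block
# primitive at 00410F20; it is NOT the program's cipher.

# ASCII "488440905310825" at 004CBD3C is 15 characters; treating the NUL
# terminator as the 16th key byte is an assumption of this example.
KEY16 = b"488440905310825\x00"


def hex_char_value(ch: str) -> int:
    """Mirror of the routine at 0047EDEB: '0'-'9' -> 0-9, 'a'-'f' -> 0xA-0xF,
    anything else (upper-case letters included) -> 0."""
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "a" <= ch <= "f":
        return ord(ch) - ord("a") + 10
    return 0


def decode_code(code: str) -> bytes:
    """Section 1.1: pack 16 characters into 8 bytes, two nibbles per byte.
    Spaces are stripped because the post shows the code with display spaces."""
    code = code.replace(" ", "")
    if len(code) != 16:
        raise ValueError("expected 16 characters")
    return bytes(
        (hex_char_value(code[i]) << 4) | hex_char_value(code[i + 1])
        for i in range(0, 16, 2)
    )


def toy_block(flag: int, key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for 00410F20(flag, key, in, out).
    flag 1 = forward direction, flag 0 = inverse. XOR with the 8-byte key
    then rotate left by 3 bytes; the inverse undoes both steps."""
    assert len(key) == 8 and len(block) == 8
    if flag:
        x = bytes(b ^ k for b, k in zip(block, key))
        return x[3:] + x[:3]
    x = block[-3:] + block[:-3]
    return bytes(b ^ k for b, k in zip(x, key))


def ede(flag: int, key16: bytes, block: bytes) -> bytes:
    """The 00410F45 wrapper: flag 1 chains inner flags 1,0,1 over K1,K2,K1;
    flag 0 chains 0,1,0 over the same keys, which is the exact inverse."""
    k1, k2 = key16[:8], key16[8:16]
    if flag:
        t = toy_block(1, k1, block)
        t = toy_block(0, k2, t)
        return toy_block(1, k1, t)
    t = toy_block(0, k1, block)
    t = toy_block(1, k2, t)
    return toy_block(0, k1, t)


def check_registration(code: str, regnum: bytes) -> bool:
    """The comparison at 00416AD4: registration succeeds when the encrypted,
    converted code equals the 8-byte registration number."""
    return ede(1, KEY16, decode_code(code)) == regnum


if __name__ == "__main__":
    plain = decode_code("1111 2222 3333 4444")
    enc = ede(1, KEY16, plain)
    # The "flip the jump" experiment from the post: the other branch inverts.
    print(plain.hex(), enc.hex(), ede(0, KEY16, enc).hex())
```

The round trip ede(0, ...) of ede(1, ...) returning the input is precisely what the flipped jump demonstrated. The defensive lesson is the same one the post draws: the registration number is a deterministic, invertible function of the entered code under a key stored in the binary, so the check offers no more protection than the secrecy of a key that ships with the program. The lenient mapping in decode_code also means many distinct strings collapse to the same bytes (any non-hex character becomes 0), which the check silently accepts.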
3. Deriving the registration code in reverse:
The program converts the entered registration code and encrypts it; the encrypted value must equal the registration number.
Suppose the registration number is 87654321, i.e. the encrypted value must be 38 37 36 35 34 33 32 31; the value before encryption is then 31 93 6E A9 5D 14 25 71.
From the mapping, the registration code should be: 3193 6ea9 5d14 2571
4. Postscript:
I spent a lot of time tracing the algorithm, an extremely tedious process. After returning I noticed the two code sections were almost identical, suspected a symmetric algorithm, tried flipping the jump, and it was indeed so, which made the registration code easy to work out.
Happy National Day and Mid-Autumn Festival to everyone!