【Title】: Algorithm analysis of 通用短信收发工具 v1.2 (a general-purpose SMS send/receive tool)
【Author】: KuNgBiM
【Author e-mail】: kungbim@163.com
【Author homepage】: http://www.crkcn.com
【Software】: 通用短信收发工具 v1.2
【Size】: 9.76MB
【Download】: from [龙族破解联盟]
【Packer】: ASPack 2.12
【Protection】: trial period + serial number
【Language】: Borland Delphi 6.0 - 7.0
【Tools】: OD (OllyDbg), Stripper
【Platform】: pirated XP SP2
【About the software】: Found it by searching; I have no idea what it is actually used for.
【Author's note】: Just out of interest, no other purpose. Corrections from the masters are welcome!
--------------------------------------------------------------------------------
【Detailed Walkthrough】
This article is dedicated to my friend "孤城" on the 看雪 forum. I never had a sock-puppet account, but he insisted I did; so I browsed the forum, found this software, analysed it, and wrote it up...
The main program is packed with ASPack 2.12; being lazy, I unpacked it in one step with Stripper 2.07. Great! ^__^
------------------------------
Username: KuNgBiM
Machine code: 00003ADE67A1
Registration code: 999999999999
------------------------------
After searching for the key strings with OD's string-reference plugin, set a breakpoint here:
005AA5B8 /. 55 push ebp ; the search lands here; F2 to set a breakpoint, F9 to run
005AA5B9 |. 8BEC mov ebp, esp
005AA5BB |. 6A 00 push 0
005AA5BD |. 6A 00 push 0
005AA5BF |. 6A 00 push 0
005AA5C1 |. 53 push ebx
005AA5C2 |. 8BD8 mov ebx, eax
005AA5C4 |. 33C0 xor eax, eax
005AA5C6 |. 55 push ebp
005AA5C7 |. 68 C2A65A00 push 005AA6C2
005AA5CC |. 64:FF30 push dword ptr fs:[eax]
005AA5CF |. 64:8920 mov dword ptr fs:[eax], esp
005AA5D2 |. 8D55 F8 lea edx, dword ptr [ebp-8]
005AA5D5 |. 8B83 14030000 mov eax, dword ptr [ebx+314]
005AA5DB |. E8 785EECFF call 00470458 ; fetch the trial (fake) code
005AA5E0 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; ASCII "999999999999"
005AA5E3 |. 50 push eax
005AA5E4 |. 8D55 F4 lea edx, dword ptr [ebp-C]
005AA5E7 |. 8B83 10030000 mov eax, dword ptr [ebx+310]
005AA5ED |. E8 665EECFF call 00470458
005AA5F2 |. 8B55 F4 mov edx, dword ptr [ebp-C] ; username
005AA5F5 |. A1 7CC27300 mov eax, dword ptr [73C27C] ; ASCII "KuNgBiM"
005AA5FA |. 8B00 mov eax, dword ptr [eax]
005AA5FC |. 8B40 6C mov eax, dword ptr [eax+6C]
005AA5FF |. 33C9 xor ecx, ecx
005AA601 |. E8 4EAFF1FF call 004C5554 ; ★ key CALL, step into it ★
005AA606 |. 84C0 test al, al
005AA608 |. 75 2C jnz short 005AA636 ; no jump = GAME OVER
005AA60A |. 8D45 FC lea eax, dword ptr [ebp-4]
005AA60D |. BA D8A65A00 mov edx, 005AA6D8 ; "The registration code you entered is incorrect, please check!"
005AA612 |. E8 3DA5E5FF call 00404B54
005AA617 |. 6A 40 push 40
005AA619 |. 8B45 FC mov eax, dword ptr [ebp-4]
005AA61C |. E8 6BA9E5FF call 00404F8C
005AA621 |. 8BD0 mov edx, eax
005AA623 |. B9 F4A65A00 mov ecx, 005AA6F4 ; "Input error"
005AA628 |. A1 B4BF7300 mov eax, dword ptr [73BFB4]
005AA62D |. 8B00 mov eax, dword ptr [eax]
005AA62F |. E8 846FEEFF call 004915B8
005AA634 |. EB 69 jmp short 005AA69F
005AA636 |> 68 08A75A00 push 005AA708 ; "Registration successful!\rRegistration info:\rUsername:"
005AA63B |. A1 7CC27300 mov eax, dword ptr [73C27C]
005AA640 |. 8B00 mov eax, dword ptr [eax]
005AA642 |. 8B58 6C mov ebx, dword ptr [eax+6C]
005AA645 |. FF73 48 push dword ptr [ebx+48]
005AA648 |. 68 34A75A00 push 005AA734 ; \r
005AA64D |. 68 34A75A00 push 005AA734 ; \r
005AA652 |. 68 40A75A00 push 005AA740 ; "Registration code:"
005AA657 |. A1 7CC27300 mov eax, dword ptr [73C27C]
005AA65C |. FF73 5C push dword ptr [ebx+5C]
005AA65F |. 68 34A75A00 push 005AA734 ; \r
005AA664 |. 68 54A75A00 push 005AA754 ; "Thank you for your support! Please restart."
005AA669 |. 8D45 FC lea eax, dword ptr [ebp-4]
005AA66C |. BA 08000000 mov edx, 8
005AA671 |. E8 D6A7E5FF call 00404E4C
005AA676 |. 6A 40 push 40
005AA678 |. 8B45 FC mov eax, dword ptr [ebp-4]
005AA67B |. E8 0CA9E5FF call 00404F8C
005AA680 |. 8BD0 mov edx, eax
005AA682 |. B9 78A75A00 mov ecx, 005AA778 ; "Registration successful"
005AA687 |. A1 B4BF7300 mov eax, dword ptr [73BFB4]
005AA68C |. 8B00 mov eax, dword ptr [eax]
005AA68E |. E8 256FEEFF call 004915B8
005AA693 |. A1 B4BF7300 mov eax, dword ptr [73BFB4]
005AA698 |. 8B00 mov eax, dword ptr [eax]
005AA69A |. E8 756EEEFF call 00491514
005AA69F |> 33C0 xor eax, eax
005AA6A1 |. 5A pop edx
005AA6A2 |. 59 pop ecx
005AA6A3 |. 59 pop ecx
005AA6A4 |. 64:8910 mov dword ptr fs:[eax], edx
005AA6A7 |. 68 C9A65A00 push 005AA6C9
005AA6AC |> 8D45 F4 lea eax, dword ptr [ebp-C]
005AA6AF |. BA 02000000 mov edx, 2
005AA6B4 |> E8 27A4E5FF call 00404AE0
005AA6B9 |. 8D45 FC lea eax, dword ptr [ebp-4]
005AA6BC |. E8 FBA3E5FF call 00404ABC
005AA6C1 \. C3 retn
005AA6C2 .^ E9 759CE5FF jmp 0040433C
005AA6C7 .^ EB E3 jmp short 005AA6AC
005AA6C9 . 5B pop ebx
005AA6CA . 8BE5 mov esp, ebp
005AA6CC . 5D pop ebp
005AA6CD . C3 retn ; return to the program
Step into the call at 005AA601:
004C5554 /$ 55 push ebp ; stepping in lands here
004C5555 |. 8BEC mov ebp, esp
004C5557 |. 83C4 F0 add esp, -10
004C555A |. 53 push ebx
004C555B |. 33DB xor ebx, ebx
004C555D |. 895D F0 mov dword ptr [ebp-10], ebx
004C5560 |. 895D F4 mov dword ptr [ebp-C], ebx
004C5563 |. 894D F8 mov dword ptr [ebp-8], ecx
004C5566 |. 8955 FC mov dword ptr [ebp-4], edx
004C5569 |. 8BD8 mov ebx, eax
004C556B |. 8B45 FC mov eax, dword ptr [ebp-4]
004C556E |. E8 09FAF3FF call 00404F7C
004C5573 |. 8B45 F8 mov eax, dword ptr [ebp-8]
004C5576 |. E8 01FAF3FF call 00404F7C
004C557B |. 8B45 08 mov eax, dword ptr [ebp+8]
004C557E |. E8 F9F9F3FF call 00404F7C
004C5583 |. 33C0 xor eax, eax
004C5585 |. 55 push ebp
004C5586 |. 68 3E564C00 push 004C563E
004C558B |. 64:FF30 push dword ptr fs:[eax]
004C558E |. 64:8920 mov dword ptr fs:[eax], esp
004C5591 |. 8B45 FC mov eax, dword ptr [ebp-4] ; username, ASCII "KuNgBiM"
004C5594 |. E8 F3F7F3FF call 00404D8C
004C5599 |. 3B43 4C cmp eax, dword ptr [ebx+4C] ; is the username longer than 0x64 (100) characters?
004C559C |. 7F 19 jg short 004C55B7 ; jump = GAME OVER
004C559E |. 8B45 FC mov eax, dword ptr [ebp-4] ; username, ASCII "KuNgBiM"
004C55A1 |. E8 E6F7F3FF call 00404D8C
004C55A6 |. 3B43 50 cmp eax, dword ptr [ebx+50] ; is the username shorter than 3 characters?
004C55A9 |. 7C 0C jl short 004C55B7 ; jump = GAME OVER
004C55AB |. 8B45 08 mov eax, dword ptr [ebp+8] ; trial code, ASCII "999999999999"
004C55AE |. E8 D9F7F3FF call 00404D8C
004C55B3 |. 85C0 test eax, eax ; trial code must be non-empty (the genuine code is 0xC = 12 characters)
004C55B5 |. 75 04 jnz short 004C55BB ; no jump = GAME OVER
004C55B7 |> 33DB xor ebx, ebx
004C55B9 |. EB 60 jmp short 004C561B
004C55BB |> 8D55 F4 lea edx, dword ptr [ebp-C]
004C55BE |. 8B45 08 mov eax, dword ptr [ebp+8] ; trial code, ASCII "999999999999"
004C55C1 |. E8 C241F4FF call 00409788 ; trial code converted to upper case
004C55C6 |. 8B55 F4 mov edx, dword ptr [ebp-C] ; UpperCase(trial code)
004C55C9 |. 8D45 08 lea eax, dword ptr [ebp+8]
004C55CC |. E8 83F5F3FF call 00404B54
004C55D1 |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004C55D4 |. 8B55 FC mov edx, dword ptr [ebp-4] ; username, ASCII "KuNgBiM"
004C55D7 |. 8BC3 mov eax, ebx
004C55D9 |. E8 46FBFFFF call 004C5124 ; ★ algorithm CALL, step into it ★
004C55DE |. 8B45 F0 mov eax, dword ptr [ebp-10] ; genuine code, ASCII "00008BD03640"
004C55E1 |. 8B55 08 mov edx, dword ptr [ebp+8] ; trial code, ASCII "999999999999"
004C55E4 |. E8 1742F4FF call 00409800 ; the classic string compare
004C55E9 |. 85C0 test eax, eax
004C55EB |. 74 04 je short 004C55F1 ; TNT patch point; no jump = GAME OVER
004C55ED |. 33DB xor ebx, ebx
004C55EF |. EB 2A jmp short 004C561B
004C55F1 |> 8D43 48 lea eax, dword ptr [ebx+48]
004C55F4 |. 8B55 FC mov edx, dword ptr [ebp-4]
004C55F7 |. E8 14F5F3FF call 00404B10
004C55FC |. 8D43 54 lea eax, dword ptr [ebx+54]
004C55FF |. 8B55 F8 mov edx, dword ptr [ebp-8]
004C5602 |. E8 09F5F3FF call 00404B10
004C5607 |. 8D43 5C lea eax, dword ptr [ebx+5C]
004C560A |. 8B55 08 mov edx, dword ptr [ebp+8]
004C560D |. E8 FEF4F3FF call 00404B10
004C5612 |. 8BC3 mov eax, ebx
004C5614 |. E8 5B020000 call 004C5874
004C5619 |. B3 01 mov bl, 1 ; success flag
004C561B |> 33C0 xor eax, eax
004C561D |. 5A pop edx
004C561E |. 59 pop ecx
004C561F |. 59 pop ecx
004C5620 |. 64:8910 mov dword ptr fs:[eax], edx
004C5623 |. 68 45564C00 push 004C5645
004C5628 |> 8D45 F0 lea eax, dword ptr [ebp-10]
004C562B |. BA 04000000 mov edx, 4
004C5630 |. E8 ABF4F3FF call 00404AE0
004C5635 |. 8D45 08 lea eax, dword ptr [ebp+8]
004C5638 |. E8 7FF4F3FF call 00404ABC
004C563D \. C3 retn
004C563E .^ E9 F9ECF3FF jmp 0040433C
004C5643 .^ EB E3 jmp short 004C5628
004C5645 . 8BC3 mov eax, ebx
004C5647 . 5B pop ebx
004C5648 . 8BE5 mov esp, ebp
004C564A . 5D pop ebp
004C564B . C2 0400 retn 4 ; return to the caller
Step into the call at 004C55D9:
004C5124 /$ 55 push ebp ; stepping in lands here
004C5125 |. 8BEC mov ebp, esp
004C5127 |. 51 push ecx
004C5128 |. B9 04000000 mov ecx, 4
004C512D |> 6A 00 /push 0
004C512F |. 6A 00 |push 0
004C5131 |. 49 |dec ecx
004C5132 |.^ 75 F9 \jnz short 004C512D
004C5134 |. 874D FC xchg dword ptr [ebp-4], ecx
004C5137 |. 53 push ebx
004C5138 |. 56 push esi
004C5139 |. 57 push edi
004C513A |. 8BF9 mov edi, ecx
004C513C |. 8955 FC mov dword ptr [ebp-4], edx ; username, ASCII "KuNgBiM"
004C513F |. 8BF0 mov esi, eax
004C5141 |. 8B45 FC mov eax, dword ptr [ebp-4]
004C5144 |. E8 33FEF3FF call 00404F7C
004C5149 |. 33C0 xor eax, eax
004C514B |. 55 push ebp
004C514C |. 68 C4524C00 push 004C52C4
004C5151 |. 64:FF30 push dword ptr fs:[eax]
004C5154 |. 64:8920 mov dword ptr fs:[eax], esp
004C5157 |. 8D55 DC lea edx, dword ptr [ebp-24]
004C515A |. 8BC6 mov eax, esi
004C515C |. E8 430F0000 call 004C60A4 ; obtain the machine code (machine-code computation)
004C5161 |. 8B45 DC mov eax, dword ptr [ebp-24] ; ASCII "00003ADE67A1"
004C5164 |. 8D55 EC lea edx, dword ptr [ebp-14] ; hard-disk serial, ASCII "E19YNZVE"
004C5167 |. E8 8C48F4FF call 004099F8
004C516C |. 837D EC 00 cmp dword ptr [ebp-14], 0 ; is the machine code empty?
004C5170 |. 75 0D jnz short 004C517F ; fall-through (empty machine code) just uses the username on its own
004C5172 |. 8D45 E0 lea eax, dword ptr [ebp-20]
004C5175 |. 8B55 FC mov edx, dword ptr [ebp-4]
004C5178 |. E8 D7F9F3FF call 00404B54
004C517D |. EB 5D jmp short 004C51DC
004C517F |> 8B45 EC mov eax, dword ptr [ebp-14] ; ASCII "00003ADE67A1"
004C5182 |. E8 05FCF3FF call 00404D8C ; machine-code length
004C5187 |. 8BD8 mov ebx, eax ; eax=0000000C
004C5189 |. 8D45 E8 lea eax, dword ptr [ebp-18]
004C518C |. 50 push eax
004C518D |. 8BCB mov ecx, ebx ; machine-code length in EBX, call it M
004C518F |. D1F9 sar ecx, 1 ; M/2
004C5191 |. 79 03 jns short 004C5196
004C5193 |. 83D1 00 adc ecx, 0
004C5196 |> BA 01000000 mov edx, 1 ; 1
004C519B |. 8B45 EC mov eax, dword ptr [ebp-14] ; ASCII "00003ADE67A1"
004C519E |. E8 49FEF3FF call 00404FEC ; Mid(machine code, 1, M/2)
004C51A3 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
004C51A6 |. 50 push eax
004C51A7 |. 8BC3 mov eax, ebx ; machine-code length M
004C51A9 |. D1F8 sar eax, 1 ; M/2
004C51AB |. 79 03 jns short 004C51B0
004C51AD |. 83D0 00 adc eax, 0
004C51B0 |> 8BCB mov ecx, ebx
004C51B2 |. 2BC8 sub ecx, eax ; M-M/2
004C51B4 |. 8BD3 mov edx, ebx ; machine-code length M
004C51B6 |. D1FA sar edx, 1 ; M/2
004C51B8 |. 79 03 jns short 004C51BD
004C51BA |. 83D2 00 adc edx, 0
004C51BD |> 42 inc edx ; M/2+1
004C51BE |. 8B45 EC mov eax, dword ptr [ebp-14] ; ASCII "00003ADE67A1"
004C51C1 |. E8 26FEF3FF call 00404FEC ; Mid(machine code, M/2+1, M-M/2)
004C51C6 |. FF75 E8 push dword ptr [ebp-18] ; first 6 characters of the machine code, ASCII "00003A"
004C51C9 |. FF75 FC push dword ptr [ebp-4] ; ASCII "KuNgBiM"
004C51CC |. FF75 E4 push dword ptr [ebp-1C] ; last 6 characters of the machine code, ASCII "DE67A1"
004C51CF |. 8D45 E0 lea eax, dword ptr [ebp-20]
004C51D2 |. BA 03000000 mov edx, 3
004C51D7 |. E8 70FCF3FF call 00404E4C ; concatenate the three strings
004C51DC |> C745 F0 00000>mov dword ptr [ebp-10], 0
004C51E3 |. C745 F4 00000>mov dword ptr [ebp-C], 0
004C51EA |. 8B45 FC mov eax, dword ptr [ebp-4] ; username, ASCII "KuNgBiM"
004C51ED |. E8 9AFBF3FF call 00404D8C
004C51F2 |. 3B46 4C cmp eax, dword ptr [esi+4C] ; is the username longer than 0x64 (100) characters?
004C51F5 |. 7F 0D jg short 004C5204 ; jump = GAME OVER
004C51F7 |. 8B45 FC mov eax, dword ptr [ebp-4] ; username, ASCII "KuNgBiM"
004C51FA |. E8 8DFBF3FF call 00404D8C
004C51FF |. 3B46 50 cmp eax, dword ptr [esi+50] ; is the username shorter than 3 characters?
004C5202 |. 7D 0C jge short 004C5210 ; no jump = GAME OVER
004C5204 |> 8BC7 mov eax, edi
004C5206 |. E8 B1F8F3FF call 00404ABC
004C520B |. E9 91000000 jmp 004C52A1
004C5210 |> 8B45 E0 mov eax, dword ptr [ebp-20] ; after concatenation, ASCII "00003AKuNgBiMDE67A1"
004C5213 |. E8 74FBF3FF call 00404D8C
004C5218 |. 8BD8 mov ebx, eax ; length of the concatenated string
004C521A |. EB 37 jmp short 004C5253
004C521C |> 8B45 F0 /mov eax, dword ptr [ebp-10] ; computation starts
004C521F |. 8B55 F4 |mov edx, dword ptr [ebp-C]
004C5222 |. 0346 68 |add eax, dword ptr [esi+68] ; add the key constant 075BCD15 (64-bit, with the ADC below)
004C5225 |. 1356 6C |adc edx, dword ptr [esi+6C]
004C5228 |. 52 |push edx
004C5229 |. 50 |push eax
004C522A |. 8B45 E0 |mov eax, dword ptr [ebp-20] ; ASCII "00003AKuNgBiMDE67A1"
004C522D |. 0FB64418 FF |movzx eax, byte ptr [eax+ebx-1] ; take the byte at index EBX-1, i.e. walk the concatenated string from the end
004C5232 |. 50 |push eax ; push the ASCII value
004C5233 |. B8 59040000 |mov eax, 459 ; EAX = 0x459
004C5238 |. 5A |pop edx
004C5239 |. 8BCA |mov ecx, edx
004C523B |. 33D2 |xor edx, edx
004C523D |. F7F1 |div ecx
004C523F |. 8BC2 |mov eax, edx ; EAX = 0x459 mod ASCII value
004C5241 |. 33D2 |xor edx, edx
004C5243 |. 290424 |sub dword ptr [esp], eax ; (accumulator + 075BCD15) minus EAX
004C5246 |. 195424 04 |sbb dword ptr [esp+4], edx
004C524A |. 58 |pop eax ; result, low dword
004C524B |. 5A |pop edx
004C524C |. 8945 F0 |mov dword ptr [ebp-10], eax ; save the 64-bit result
004C524F |. 8955 F4 |mov dword ptr [ebp-C], edx
004C5252 |. 4B |dec ebx ; EBX--
004C5253 |> 8B45 E0 mov eax, dword ptr [ebp-20] ; ASCII "00003AKuNgBiMDE67A1"
004C5256 |. E8 31FBF3FF |call 00404D8C
004C525B |. 3BD8 |cmp ebx, eax
004C525D |. 7F 04 |jg short 004C5263
004C525F |. 85DB |test ebx, ebx
004C5261 |.^ 7F B9 \jg short 004C521C ; loop over every character
004C5263 |> 8B5E 60 mov ebx, dword ptr [esi+60]
004C5266 |. 85DB test ebx, ebx
004C5268 |. 7F 11 jg short 004C527B
004C526A |. FF75 F4 push dword ptr [ebp-C] ; /Arg2
004C526D |. FF75 F0 push dword ptr [ebp-10] ; |Arg1
004C5270 |. 8BD7 mov edx, edi ; |
004C5272 |. 33C0 xor eax, eax ; |
004C5274 |. E8 AF4DF4FF call 0040A028 ; \SmsTool.0040A028
004C5279 |. EB 26 jmp short 004C52A1
004C527B |> FF75 F4 push dword ptr [ebp-C] ; /Arg2
004C527E |. FF75 F0 push dword ptr [ebp-10] ; |Arg1
004C5281 |. 8BD7 mov edx, edi ; |
004C5283 |. 8BC3 mov eax, ebx ; |
004C5285 |. E8 9E4DF4FF call 0040A028 ; \SmsTool.0040A028
004C528A |. 8B07 mov eax, dword ptr [edi] ; genuine code, ASCII "00008BD03640"
004C528C |. E8 FBFAF3FF call 00404D8C
004C5291 |. 8BC8 mov ecx, eax
004C5293 |. 2B4E 60 sub ecx, dword ptr [esi+60]
004C5296 |. 8B56 60 mov edx, dword ptr [esi+60]
004C5299 |. 42 inc edx
004C529A |. 8BC7 mov eax, edi
004C529C |. E8 8BFDF3FF call 0040502C
004C52A1 |> 33C0 xor eax, eax
004C52A3 |. 5A pop edx
004C52A4 |. 59 pop ecx
004C52A5 |. 59 pop ecx
004C52A6 |. 64:8910 mov dword ptr fs:[eax], edx
004C52A9 |. 68 CB524C00 push 004C52CB
004C52AE |> 8D45 DC lea eax, dword ptr [ebp-24]
004C52B1 |. BA 05000000 mov edx, 5
004C52B6 |. E8 25F8F3FF call 00404AE0
004C52BB |. 8D45 FC lea eax, dword ptr [ebp-4]
004C52BE |. E8 F9F7F3FF call 00404ABC
004C52C3 \. C3 retn
004C52C4 .^ E9 73F0F3FF jmp 0040433C
004C52C9 .^ EB E3 jmp short 004C52AE
004C52CB . 5F pop edi ; 0012FABC
004C52CC . 5E pop esi
004C52CD . 5B pop ebx
004C52CE . 8BE5 mov esp, ebp
004C52D0 . 5D pop ebp
004C52D1 . C3 retn ; return to the program with the result saved
Here is a keygen:
============ The program below was compiled and tested under pirated XP SP2 with Delphi 6.0 ============
{ Requires the StrUtils unit (LeftStr, RightStr, ReverseString) in the uses clause.
  Edit1 = username, Edit2 = machine code, Edit3 = resulting registration code. }
Procedure TForm1.btn1Click(Sender: TObject);
Const
  Temp = $075BCD15;                     // constant added every round ([esi+68]/[esi+6C])
Var
  Sum: Int64;                           // 64-bit accumulator ([ebp-10]/[ebp-C])
  i: Integer;
  MacID: String;
Begin
  Sum := 0;
  // Mid(machine code, 1, M/2) + username + Mid(machine code, M/2+1, M-M/2)
  MacID := LeftStr(Edit2.Text, Length(Edit2.Text) Div 2) + Edit1.Text +
           RightStr(Edit2.Text, Length(Edit2.Text) - Length(Edit2.Text) Div 2);
  MacID := ReverseString(MacID);        // the program walks the string from its last byte
  // Mod binds tighter than '-', so each round is Sum := Sum + Temp - ($459 mod Ord(ch))
  For i := 1 To Length(MacID) Do
    Sum := Temp + (Sum - $459 Mod Ord(MacID[i]));
  Edit3.Text := IntToHex(Sum, 12);      // 12 upper-case hex digits, as the program produces
End;
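As an added cross-check of the analysis (this is not the author's code or the program's code), the following Python re-implements the routine at 004C5124 exactly as traced, confirms it reproduces the values observed in the debugger (username "KuNgBiM" and machine code "00003ADE67A1" give "00008BD03640"), and shows that the per-byte term never depends on position, so the loop collapses to a closed form and the ReverseString step in the keygen above has no effect on the result. The 12-digit width of the code is assumed from the trace ([esi+60] is not shown being loaded).

```python
from typing import Optional

KEY_CONST = 0x075BCD15   # [esi+68]/[esi+6C]: 64-bit constant added every round
MODULUS = 0x459          # EAX before the DIV at 004C523D
CODE_DIGITS = 12         # [esi+60]: IntToHex width / truncation length (assumed from the trace)
MASK64 = (1 << 64) - 1   # the accumulator is a 64-bit ADD/ADC, SUB/SBB pair


def build_material(username: str, machine_code: str) -> str:
    """Concatenation at 004C51D7: Mid(M,1,len/2) + username + Mid(M,len/2+1,rest).
    An empty machine code takes the branch at 004C5172 and uses the username alone."""
    if not machine_code:
        return username
    half = len(machine_code) // 2          # SAR by 1 == integer division for len >= 0
    return machine_code[:half] + username + machine_code[half:]


def registration_code(username: str, machine_code: str) -> Optional[str]:
    """Code the program compares against at 004C55E4, or None where the length
    checks at 004C51F2/004C51FF reject the username (must be 3..100 characters)."""
    if not 3 <= len(username) <= 100:
        return None
    material = build_material(username, machine_code).encode("latin-1")
    acc = 0
    # 004C521C loop: EBX runs from len(material) down to 1, reading byte EBX-1
    for byte in reversed(material):
        # a NUL byte would make the program's DIV fault; Python raises ZeroDivisionError
        acc = (acc + KEY_CONST - (MODULUS % byte)) & MASK64
    # IntToHex(acc, 12) followed by Delete(result, 13, ...) keeps 12 hex digits
    return f"{acc:0{CODE_DIGITS}X}"[:CODE_DIGITS]


def closed_form(username: str, machine_code: str) -> str:
    """Same result without the loop: N*KEY_CONST - sum(0x459 mod byte), because
    addition is commutative and the per-byte term ignores the byte's position."""
    material = build_material(username, machine_code).encode("latin-1")
    total = len(material) * KEY_CONST - sum(MODULUS % b for b in material)
    return f"{total & MASK64:0{CODE_DIGITS}X}"[:CODE_DIGITS]


if __name__ == "__main__":
    # values captured in the OD session above
    print(build_material("KuNgBiM", "00003ADE67A1"))   # 00003AKuNgBiMDE67A1
    print(registration_code("KuNgBiM", "00003ADE67A1"))  # 00008BD03640
    print(closed_form("KuNgBiM", "00003ADE67A1"))        # 00008BD03640
```

For the traced inputs, 19 * 0x075BCD15 = 0x8BD0388F and the 19 remainders sum to 591 (0x24F), which yields the observed 0x8BD03640.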
--------------------------------------------------------------------------------
【Lessons Learned】
I'm lazy, so there isn't much to sum up. Third day of the Lunar New Year, and so bored...
--------------------------------------------------------------------------------
【Copyright】: This article was originally written for the 看雪 technical forum; when reposting, please credit the author and keep the article intact. Thanks!
20 February 2007, 18:57:19