【文章标题】: Photo Wallpaper Maker 1.3.2算法分析(RSA简单)
【文章作者】: 坚持到底
【软件名称】: Photo Wallpaper Maker
【软件大小】: 4188KB
【下载地址】: http://www.newhua.com/soft/55483.htm
【加壳方式】: 无
【保护方式】: 注册码
【编写语言】: Microsoft Visual C++ 7.0 Method2 [Debug]
【使用工具】: flyODBG,PEID
【操作平台】: XPsp2
【软件介绍】: 是一款可以用来管理照片图片,制作像册并作为桌布和
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
/////////////////////////////////////////////////////////////////////
通过Register failed!来到这里
/////////////////////////////////////////////////////////////////////
; Registration-dialog handler in PhotoWal.exe, as dumped by OllyDbg
; (columns: address, opcode bytes, 32-bit x86 instruction; immediates are hex).
; The dump starts after the function prologue: the exception frame that the
; epilogue unlinks (mov fs:[0],ecx / add esp,14) is set up on lines not shown.
; MFC71 imports appear by ordinal only; the roles given for them below are
; inferred from how they are called and need confirming against MFC71 symbols.
; Flow: read dialog controls 0x3F5 and 0x3F6 into two string objects, pass both
; to AlbumDesignCore.CalculateRegCode and branch on its return value:
;   non-zero -> copy both strings into the RegConfig instance, save, "Register succeed!"
;   zero     -> "Register failed!"
; NOTE(review): the licence decision is this single locally computed boolean, and
; the accepted name/code pair is only stored client-side; nothing visible in this
; listing ties it to a machine or to a server-side check.
004055B8 56 push esi
004055B9 8BF1 mov esi,ecx ; esi = object passed in ecx (its vtable is used at 00405680)
004055BB 68 6CC04000 push PhotoWal.0040C06C ; constant at 0040C06C, contents not shown
004055C0 8D4C24 0C lea ecx,dword ptr ss:[esp+C] ; first string object (receives the user name)
004055C4 FF15 58B34000 call dword ptr ds:[<&MFC71.#304>] ; MFC71.7C16A59C - presumably a string constructor
004055CA 68 6CC04000 push PhotoWal.0040C06C
004055CF 8D4C24 08 lea ecx,dword ptr ss:[esp+8] ; second string object (receives the entered code)
004055D3 C74424 18 00000000 mov dword ptr ss:[esp+18],0 ; presumably the compiler's EH state index - confirm
004055DB FF15 58B34000 call dword ptr ds:[<&MFC71.#304>] ; MFC71.7C16A59C
004055E1 8D4424 08 lea eax,dword ptr ss:[esp+8] ; address of the first string object
004055E5 50 push eax
004055E6 68 F5030000 push 3F5 ; control ID 0x3F5
004055EB 8BCE mov ecx,esi
004055ED C64424 1C 01 mov byte ptr ss:[esp+1C],1 ; presumably EH state again
004055F2 E8 3F390000 call <jmp.&MFC71.#2657> ; presumably GetDlgItem(0x3F5)
004055F7 8BC8 mov ecx,eax
004055F9 E8 0C3B0000 call <jmp.&MFC71.#3761> ; presumably GetWindowText into the pushed string
004055FE 8D4C24 04 lea ecx,dword ptr ss:[esp+4] ; // user name (author's note); this lea addresses the second string object
00405602 51 push ecx
00405603 68 F6030000 push 3F6 ; control ID 0x3F6
00405608 8BCE mov ecx,esi
0040560A E8 27390000 call <jmp.&MFC71.#2657>
0040560F 8BC8 mov ecx,eax
00405611 E8 F43A0000 call <jmp.&MFC71.#3761>
00405616 8D4C24 04 lea ecx,dword ptr ss:[esp+4] ; // entered (trial) registration code
0040561A FF15 E8B44000 call dword ptr ds:[<&MFC71.#2469>] ; MFC71.7C143771 - presumably returns the raw character pointer
00405620 50 push eax ; argument 2: entered code
00405621 8D4C24 0C lea ecx,dword ptr ss:[esp+C] ; first string object (user name)
00405625 FF15 E8B44000 call dword ptr ds:[<&MFC71.#2469>] ; MFC71.7C143771
0040562B 50 push eax ; argument 1: user name
0040562C FF15 6CB14000 call dword ptr ds:[<&AlbumDesignCore.CalculateRegCode>] ; // key call: CalculateRegCode(user name, code)
00405632 83C4 08 add esp,8 ; caller removes the two arguments
00405635 85C0 test eax,eax
00405637 74 50 je short PhotoWal.00405689 ; // key branch: a zero result goes to the failure message
00405639 57 push edi
0040563A 8B3D 38B04000 mov edi,dword ptr ds:[<&AlbumDesignCore.RegConfig::GetInstance>] ; AlbumDes.RegConfig::StaticCreate
00405640 8D5424 0C lea edx,dword ptr ss:[esp+C] ; first string object (user name)
00405644 52 push edx
00405645 FFD7 call edi ; RegConfig::GetInstance
00405647 8BC8 mov ecx,eax
00405649 83C1 04 add ecx,4 ; member at instance+4
0040564C FF15 48B34000 call dword ptr ds:[<&MFC71.#781>] ; MFC71.7C150F15 - presumably string assignment (instance+4 <- user name)
00405652 8D4424 08 lea eax,dword ptr ss:[esp+8] ; second string object (entered code)
00405656 50 push eax
00405657 FFD7 call edi
00405659 8BC8 mov ecx,eax
0040565B 83C1 08 add ecx,8 ; member at instance+8
0040565E FF15 48B34000 call dword ptr ds:[<&MFC71.#781>] ; MFC71.7C150F15 - instance+8 <- entered code
00405664 FFD7 call edi
00405666 8BC8 mov ecx,eax
00405668 FF15 14B14000 call dword ptr ds:[<&AlbumDesignCore.RegConfig::SaveData>] ; AlbumDes.RegConfig::SaveData
0040566E 6A 00 push 0
00405670 6A 00 push 0
00405672 68 04CF4000 push PhotoWal.0040CF04 ; ASCII "Register succeed!"
00405677 E8 78380000 call <jmp.&MFC71.#1123> ; presumably a message-box helper
0040567C 8B16 mov edx,dword ptr ds:[esi]
0040567E 8BCE mov ecx,esi
00405680 FF92 54010000 call dword ptr ds:[edx+154] ; virtual call through vtable slot 0x154; target not shown
00405686 5F pop edi
00405687 EB 0E jmp short PhotoWal.00405697 ; skip the failure message
00405689 6A 00 push 0
0040568B 6A 00 push 0
0040568D 68 F0CE4000 push PhotoWal.0040CEF0 ; ASCII "Register failed!"
00405692 E8 5D380000 call <jmp.&MFC71.#1123>
; Common exit: release both string objects, unlink the exception frame, return.
00405697 8D4C24 04 lea ecx,dword ptr ss:[esp+4]
0040569B FF15 D0B64000 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1 - presumably the string destructor
004056A1 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
004056A5 FF15 D0B64000 call dword ptr ds:[<&MFC71.#578>] ; MFC71.7C1771B1
004056AB 8B4C24 0C mov ecx,dword ptr ss:[esp+C] ; saved previous fs:[0] value
004056AF 5E pop esi
004056B0 64:890D 00000000 mov dword ptr fs:[0],ecx
004056B7 83C4 14 add esp,14
004056BA C3 retn
/////////////////////////////////////////////////////////////////////
关键CALL
/////////////////////////////////////////////////////////////////////
; AlbumDesignCore.CalculateRegCode(user name, entered code), OllyDbg dump.
; In:  [ebp+8] = user name, [ebp+C] = entered code (both NUL-terminated strings).
; Out: eax = 1 when the check passes, 0 when lstrcmpA reports a difference.
; Every early rejection jumps to 10008473, which lies after the retn and is not
; part of this listing.
; Steps: reject an empty name or code; require every code character to pass
; isxdigit; parse the code, the constant N and the constant e ("10001") as
; numbers; require code < N; run the four-operand helper at 10094550 (the author
; identifies this as the RSA operation, i.e. code^e mod N); write the result as
; bytes into a zeroed 200-byte stack buffer; compare that buffer with the user
; name using lstrcmpA.
; The AlbumDes.1009xxxx helpers are unnamed in the dump. Their argument pattern
; resembles the MIRACL big-number API (mirsys, mirvar, cinstr, compare, powmod,
; big_to_bytes, mirkill, mirexit) - inferred, confirm before relying on it.
; NOTE(review): N is 32 hex digits, i.e. a 128-bit modulus, and the value checked
; is the raw user-name bytes with no hash or padding. A modulus this short can be
; factored with ordinary desktop tools, so embedding only the public key gives no
; protection here. A sound design signs a hash of the licence data with a padded
; scheme (for example RSASSA-PSS with a modulus of at least 2048 bits, or a modern
; elliptic-curve signature) and verifies the signature in the client.
10008310 55 push ebp
10008311 8BEC mov ebp,esp
10008313 83E4 F8 and esp,FFFFFFF8 ; align the frame to 8 bytes
10008316 81EC D4000000 sub esp,0D4 ; locals, including the 200-byte output buffer
1000831C A1 B0520D10 mov eax,dword ptr ds:[100D52B0] ; presumably the /GS security cookie (checked at 10008467)
10008321 53 push ebx
10008322 56 push esi
10008323 57 push edi
10008324 6A 00 push 0
10008326 6A 64 push 64
10008328 898424 E4000000 mov dword ptr ss:[esp+E4],eax ; store the cookie value at the top of the frame
1000832F E8 DCA60800 call AlbumDes.10092A10 ; library init with arguments (0x64, 0) - presumably mirsys
10008334 8BD8 mov ebx,eax ; ebx = pointer returned by the init call
10008336 83C4 08 add esp,8
; Zero the output buffer at [esp+10]: 1 + 0x31*4 + 2 + 1 = 200 bytes.
10008339 33C0 xor eax,eax
1000833B C64424 10 00 mov byte ptr ss:[esp+10],0
10008340 B9 31000000 mov ecx,31
10008345 8D7C24 11 lea edi,dword ptr ss:[esp+11]
10008349 F3:AB rep stos dword ptr es:[edi]
1000834B 66:AB stos word ptr es:[edi]
1000834D AA stos byte ptr es:[edi]
; Inline strlen of the user name.
1000834E 8B45 08 mov eax,dword ptr ss:[ebp+8]
10008351 8D50 01 lea edx,dword ptr ds:[eax+1]
10008354 8A08 mov cl,byte ptr ds:[eax]
10008356 40 inc eax
10008357 84C9 test cl,cl
10008359 ^ 75 F9 jnz short AlbumDes.10008354
1000835B 2BC2 sub eax,edx
1000835D 894424 0C mov dword ptr ss:[esp+C],eax ; // length of the user name
10008361 0F84 0C010000 je AlbumDes.10008473 ; empty name -> reject (flags still from the sub)
; Inline strlen of the entered code.
10008367 8B75 0C mov esi,dword ptr ss:[ebp+C] ; // entered code
1000836A 8BC6 mov eax,esi
1000836C 8D50 01 lea edx,dword ptr ds:[eax+1]
1000836F 90 nop
10008370 8A08 mov cl,byte ptr ds:[eax]
10008372 40 inc eax
10008373 84C9 test cl,cl
10008375 ^ 75 F9 jnz short AlbumDes.10008370
10008377 2BC2 sub eax,edx
10008379 894424 0C mov dword ptr ss:[esp+C],eax ; // length of the entered code (reuses the slot that held the name length)
1000837D 0F84 F0000000 je AlbumDes.10008473 ; empty code -> reject
; Every character of the code must be a hexadecimal digit.
10008383 803E 00 cmp byte ptr ds:[esi],0
10008386 74 21 je short AlbumDes.100083A9
10008388 8B3D FCE30910 mov edi,dword ptr ds:[<&MSVCR71.isxdigit>] ; MSVCR71.isxdigit
1000838E 8BFF mov edi,edi ; two-byte no-op
10008390 0FBE06 movsx eax,byte ptr ds:[esi] ; NOTE(review): sign-extended, so a byte >= 0x80 reaches isxdigit as a negative int, outside the range the C library defines for it
10008393 50 push eax
10008394 FFD7 call edi
10008396 83C4 04 add esp,4
10008399 85C0 test eax,eax
1000839B 0F84 D2000000 je AlbumDes.10008473 ; non-hex character -> reject
100083A1 8A46 01 mov al,byte ptr ds:[esi+1]
100083A4 46 inc esi
100083A5 84C0 test al,al
100083A7 ^ 75 E7 jnz short AlbumDes.10008390
; Allocate four number objects: esi, ebx, edi and one kept in a stack slot.
; The pushed arguments accumulate and are removed together at 10008400.
100083A9 6A 00 push 0
100083AB C783 20020000 100000>mov dword ptr ds:[ebx+220],10 ; field at +0x220 of the init result = 0x10, presumably the I/O radix (hex) - confirm
100083B5 E8 D6A40800 call AlbumDes.10092890 ; presumably mirvar(0)
100083BA 6A 00 push 0
100083BC 8BF0 mov esi,eax ; esi = number object, loaded with N below
100083BE E8 CDA40800 call AlbumDes.10092890
100083C3 6A 00 push 0
100083C5 8BD8 mov ebx,eax ; ebx = number object, loaded with e below (the init pointer is no longer kept)
100083C7 E8 C4A40800 call AlbumDes.10092890
100083CC 6A 00 push 0
100083CE 8BF8 mov edi,eax ; edi = number object, loaded with the entered code below
100083D0 E8 BBA40800 call AlbumDes.10092890
100083D5 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
100083D8 51 push ecx
100083D9 57 push edi
100083DA 894424 24 mov dword ptr ss:[esp+24],eax ; fourth number object (result) saved in the slot that held the code length
100083DE E8 7DC30800 call AlbumDes.10094760 ; parse the entered code into edi - presumably cinstr
100083E3 68 6CEC0910 push AlbumDes.1009EC6C ; ASCII "80C07AFC9D25404D6555B9ACF3567CF1" //modulus N (32 hex digits = 128 bits)
100083E8 56 push esi
100083E9 E8 72C30800 call AlbumDes.10094760
100083EE 68 64EC0910 push AlbumDes.1009EC64 ; ASCII "10001" //e
100083F3 53 push ebx
100083F4 E8 67C30800 call AlbumDes.10094760
100083F9 56 push esi
100083FA 57 push edi
100083FB E8 20B20800 call AlbumDes.10093620 ; compare(code, N) - presumably the library's compare
10008400 83C4 30 add esp,30 ; drop the twelve dwords pushed since 100083A9
10008403 83F8 FF cmp eax,-1
10008406 75 6B jnz short AlbumDes.10008473 ; continue only when the result is -1 (code < N, if this is a compare)
10008408 8B5424 0C mov edx,dword ptr ss:[esp+C] ; result object
1000840C 52 push edx
1000840D 56 push esi
1000840E 53 push ebx
1000840F 57 push edi
10008410 E8 3BC10800 call AlbumDes.10094550 ; (code, e, N, result) - presumably powmod: result = code^e mod N
10008415 8B4C24 1C mov ecx,dword ptr ss:[esp+1C] ; result object again
10008419 6A 00 push 0
1000841B 8D4424 24 lea eax,dword ptr ss:[esp+24] ; the zeroed 200-byte buffer
1000841F 50 push eax
10008420 51 push ecx
10008421 6A 00 push 0
10008423 E8 98BB0800 call AlbumDes.10093FC0 ; // entered code after the RSA operation (author's note); (0, result, buffer, 0) - presumably big_to_bytes
; Release the four number objects, then shut the library down.
10008428 56 push esi
10008429 E8 62AC0800 call AlbumDes.10093090 ; presumably mirkill
1000842E 53 push ebx
1000842F E8 5CAC0800 call AlbumDes.10093090
10008434 57 push edi
10008435 E8 56AC0800 call AlbumDes.10093090
1000843A 8B5424 38 mov edx,dword ptr ss:[esp+38] ; result object
1000843E 52 push edx
1000843F E8 4CAC0800 call AlbumDes.10093090
10008444 83C4 30 add esp,30 ; drop the twelve dwords pushed since 1000840C
10008447 E8 64AC0800 call AlbumDes.100930B0 ; no arguments - presumably mirexit
1000844C 8B4D 08 mov ecx,dword ptr ss:[ebp+8] ; // user name
1000844F 8D4424 10 lea eax,dword ptr ss:[esp+10] ; // string produced from the transformed code
10008453 50 push eax
10008454 51 push ecx
10008455 FF15 04E10910 call dword ptr ds:[<&KERNEL32.lstrcmpA>] ; // key comparison: lstrcmpA(user name, buffer); both sides are treated as NUL-terminated strings
; Turn the lstrcmpA result into a boolean: eax = 1 if it was 0, else 0.
1000845B F7D8 neg eax
1000845D 1BC0 sbb eax,eax
1000845F 40 inc eax
10008460 8B8C24 DC000000 mov ecx,dword ptr ss:[esp+DC] ; reload the value stored at 10008328
10008467 E8 C2320900 call AlbumDes.1009B72E ; presumably the /GS cookie check
1000846C 5F pop edi
1000846D 5E pop esi
1000846E 5B pop ebx
1000846F 8BE5 mov esp,ebp
10008471 5D pop ebp
10008472 C3 retn
--------------------------------------------------------------------------------
【经验总结】
总结
用户名各字符的ASCII码(十六进制)依次连接=RSA(注册码),即 注册码^E mod N 的结果必须与用户名相同
如用户名insist
696E73697374=RSA(注册码);
N=80C07AFC9D25404D6555B9ACF3567CF1
E=10001
N只有32个十六进制数字(128位),长度太短,所以用RSAtool就能分解,跑出了
P=A554665CC62120D3
Q=C75CB54BEDFA30AB
求出
D=651A40B9739117EF505DBC33EB8F442D
逆求得注册码
c=696E73697374
m =c^d ( mod n )
注册码
3FCC466163A63AA14D3BA184D39913B1
注册机暂时不会写。。。。。。。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年04月02日 13:31:53