[原创]《****查询软件》注册算法分析
【文章标题】: 《*****查询软件》注册算法分析
【文章作者】: Suncl0ud
【作者邮箱】: ihacku@163.com
【软件名称】: TC2.0函数查询软件
【下载地址】: 见附件
【加壳方式】: 未加壳
【编写语言】: Visual C++ 6.0
【软件介绍】: 一款c语言学习软件。
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
PEiD查看软件没有加壳。
软件语言:Microsoft Visual C++ 6.0
用 W32dasm 很容易定位注册算法(例如从 00417D67 处压入的出错提示字符串 0047D70C 的引用回溯,就能找到 00417D43 处的字符串比较和 00417D4D 处的关键跳转),下面重点介绍算法分析(看代码注释):
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
00417CFC 51 push ecx ; reserve the stack slot for the by-value CString argument (the analyst saw ecx holding the entered code at 00AC6EE8; the pushed value is overwritten by the copy-ctor below)
00417CFD 8D5424 14 lea edx,dword ptr ss:[esp+14] ; edx -> username CString
00417D01 8BCC mov ecx,esp ; this = the slot just pushed
00417D03 896424 1C mov dword ptr ss:[esp+1C],esp ; remember the temp's address (this local is later used as the return slot of the generator)
00417D07 52 push edx ; source: username
00417D08 E8 9E0A02>call tcsearch.004387AB ; CString copy-ctor: the temp now holds a copy of the username; eax -> it
00417D0D 8D7E 5C lea edi,dword ptr ds:[esi+5C] ; edi = sub-object at this+0x5C (analyst saw the bytes "hfD\0" there); it becomes the generator's this
00417D10 8D4424 1C lea eax,dword ptr ss:[esp+1C] ; eax -> slot that receives the CString returned by value
00417D14 50 push eax ; hidden return-value pointer
00417D15 8BCF mov ecx,edi
00417D17 E8 C40300>call tcsearch.004180E0 ; ****** serial generator (analysed below). retn 8: pops both the return slot and the by-value temp
00417D1C 50 push eax ; eax -> returned CString (the real code)
00417D1D 8D4C24 18 lea ecx,dword ptr ss:[esp+18] ; this = CString local at [esp+14] (pre-push) that will hold the real code
00417D21 C64424 28>mov byte ptr ss:[esp+28],3 ; EH state 3 (returned temp is alive)
00417D26 E8 000E02>call tcsearch.00438B2B ; most likely CString::operator= from the returned temp (inferred from the EH-state sequence and the dtor calls below)
00417D2B 8D4C24 18 lea ecx,dword ptr ss:[esp+18] ; ecx -> the returned temp (a copy of the real code, no longer needed)
00417D2F C64424 24>mov byte ptr ss:[esp+24],2 ; EH state 2
00417D34 E8 FD0C02>call tcsearch.00438A36 ; ~CString (the same routine is used for every CString dtor in this function)
00417D39 8B4C24 0C mov ecx,dword ptr ss:[esp+C] ; ecx = chars of the entered code
00417D3D 8B5424 14 mov edx,dword ptr ss:[esp+14] ; edx = chars of the real code
00417D41 51 push ecx ; 2nd arg: entered code
00417D42 52 push edx ; 1st arg: real code
00417D43 E8 2C0B01>call tcsearch.00428874 ; plain string compare, 0 = equal. NOTE(review): the valid serial is in clear text at [esp+14] right here — a breakpoint on this call yields it without reimplementing the algorithm
00417D48 83C4 08 add esp,8
00417D4B 85C0 test eax,eax
00417D4D 75 15 jnz short tcsearch.00417D64 ; mismatch -> failure branch
00417D4F 8BCF mov ecx,edi
00417D51 E8 5A0300>call tcsearch.004180B0 ; success path: some method on the same sub-object (not analysed in this post)
00417D56 53 push ebx ; ebx is 0 here (it is also stored as EH state 0 at 00417D92)
00417D57 53 push ebx
00417D58 68 30D747>push tcsearch.0047D730 ; success text
00417D5D E8 507B02>call tcsearch.0043F8B2 ; message box (text, type 0, help id 0)
00417D62 EB 15 jmp short tcsearch.00417D79
00417D64 53 push ebx
00417D65 6A 10 push 10 ; 0x10 = MB_ICONERROR
00417D67 68 0CD747>push tcsearch.0047D70C ; failure text
00417D6C E8 417B02>call tcsearch.0043F8B2 ; failure message box
00417D71 53 push ebx
00417D72 8BCE mov ecx,esi
00417D74 E8 653B02>call tcsearch.0043B8DE
00417D79 8BCE mov ecx,esi
00417D7B E8 E81702>call tcsearch.00439568
00417D80 8D4C24 14 lea ecx,dword ptr ss:[esp+14] ; destroy the real-code CString
00417D84 C64424 24>mov byte ptr ss:[esp+24],1 ; EH state 1
00417D89 E8 A80C02>call tcsearch.00438A36
00417D8E 8D4C24 0C lea ecx,dword ptr ss:[esp+C] ; destroy the entered-code CString (the stray "%0D" that followed this line was a URL-encoded carriage return left by the page extraction)
00417D92 885C24 24 mov byte ptr ss:[esp+24],bl ; EH state 0 (bl = 0)
00417D96 E8 9B0C02>call tcsearch.00438A36 ; ~CString
00417D9B 8D4C24 10 lea ecx,dword ptr ss:[esp+10] ; destroy the username CString
00417D9F C74424 24>mov dword ptr ss:[esp+24],-1 ; EH state -1: no live objects
00417DA7 E8 8A0C02>call tcsearch.00438A36
00417DAC 8B4C24 1C mov ecx,dword ptr ss:[esp+1C] ; previous fs:[0] link saved by this function's own prologue
00417DB0 5F pop edi
00417DB1 5E pop esi
00417DB2 64:890D 0>mov dword ptr fs:[0],ecx ; unlink this frame's EH record
00417DB9 5B pop ebx
00417DBA 83C4 1C add esp,1C
00417DBD C3 retn
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
下面跟进算法call进行分析,继续:
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
004180E0 6A FF push -1 ; MSVC C++ EH frame: state index (-1 = nothing to unwind)
004180E2 68 BF4144>push tcsearch.004441BF ; EH handler thunk
004180E7 64:A1 000>mov eax,dword ptr fs:[0]
004180ED 50 push eax ; saved previous fs:[0] link; sits at [esp+50] once the frame below is built (0013AE08 in the analyst's session)
004180EE 64:8925 0>mov dword ptr fs:[0],esp ; install the EH record
004180F5 83EC 40 sub esp,40 ; 0x40 bytes of locals: [esp+10]..[esp+4F] after the four pushes below
004180F8 53 push ebx ; \
004180F9 55 push ebp ; |
004180FA 56 push esi ; |
004180FB 57 push edi ; / callee-saved registers
004180FC 33FF xor edi,edi ; edi = 0; inside the loop it carries num3 % 0x12C from one character to the next
004180FE 897C24 34 mov dword ptr ss:[esp+34],edi ; local flag = 0 (0013ADEC); set to 1 at 004183A1, purpose not visible in this post
00418102 A1 40DA47>mov eax,dword ptr ds:[47DA40] ; eax = 0047DA54 (observed) — presumably the shared empty-string data used to initialise a CString
00418107 C74424 58>mov dword ptr ss:[esp+58],1 ; EH state 1 ([esp+58] = 0013AE10 is the state slot pushed at entry)
0041810F 897C24 14 mov dword ptr ss:[esp+14],edi ; [esp+14] = 0; later holds num1 % 0x118 of the current character
00418113 33DB xor ebx,ebx
00418115 897C24 24 mov dword ptr ss:[esp+24],edi ; [esp+24] = 0; scratch int used as the source of every fild below
00418119 894424 18 mov dword ptr ss:[esp+18],eax ; result CString at [esp+18], initialised empty
0041811D 8B4C24 64 mov ecx,dword ptr ss:[esp+64] ; ecx = username chars (the by-value CString argument; [esp+60] is the hidden return slot)
00418121 8D5424 1C lea edx,dword ptr ss:[esp+1C] ; out-param: CTime at [esp+1C]
00418125 52 push edx
00418126 C64424 5C>mov byte ptr ss:[esp+5C],2 ; EH state 2
0041812B 8B69 F8 mov ebp,dword ptr ds:[ecx-8] ; ebp = len(username): the length field of the CString header that precedes the characters
0041812E 896C24 34 mov dword ptr ss:[esp+34],ebp ; len saved (read back at 0041828E as [esp+30] once the push is gone)
00418132 E8 9FF301>call tcsearch.004374D6 ; appears to be CTime::GetCurrentTime (ecx is not used as this); eax -> the CTime
00418137 8B00 mov eax,dword ptr ds:[eax] ; time_t (observed 0x46722B2F, i.e. June 2007)
00418139 8D4C24 28 lea ecx,dword ptr ss:[esp+28] ; result CString for the date text (0013ADE0)
0041813D 68 9CD747>push tcsearch.0047D79C ; "%Y%m%d"
00418142 51 push ecx
00418143 8D4C24 34 lea ecx,dword ptr ss:[esp+34] ; this = CTime copy (0013ADE4)
00418147 894424 34 mov dword ptr ss:[esp+34],eax ; store the time_t into that copy
0041814B E8 99F301>call tcsearch.004374E9 ; CTime::Format -> [esp+28] = "YYYYMMDD". The serial therefore depends on the system date at check time
00418150 3BEF cmp ebp,edi ; len == 0 ?
00418152 C64424 58>mov byte ptr ss:[esp+58],3 ; EH state 3
00418157 0F84 3402>je tcsearch.00418391 ; empty name -> return the empty string
0041815D BE 010000>mov esi,1 ; i = 1 (1-based character index)
00418162 3BEE cmp ebp,esi
00418164 897424 1C mov dword ptr ss:[esp+1C],esi ; [esp+1C] = i (fild source)
00418168 0F8C 3701>jl tcsearch.004182A5 ; len < 1 (signed compare) -> skip the per-character loop
0041816E 8B4424 28 mov dword ptr ss:[esp+28] ; eax -> "YYYYMMDD"; every date[k] below is the ASCII code of that digit ('0'..'9')
00418172 DD05 8066>fld qword ptr ds:[446680] ; st0 = C0, constant double at 00446680 (analyst observed 0.0). It stays under the loop's work and is consumed on the first pass at 00418206
00418178 8A58 06 mov bl,byte ptr ds:[eax+6] ; bl = date[6] (tens digit of the day)
0041817B 8A48 04 mov cl,byte ptr ds:[eax+4] ; cl = date[4] (tens digit of the month)
0041817E 885C24 13 mov byte ptr ss:[esp+13],bl ; stash date[6]
00418182 8A58 07 mov bl,byte ptr ds:[eax+7] ; bl = date[7] (units digit of the day)
00418185 0FBEDB movsx ebx,bl
00418188 895C24 24 mov dword ptr ss:[esp+24],ebx ; [esp+24] = date[7]
0041818C 8A50 05 mov dl,byte ptr ds:[eax+5] ; dl = date[5] (units digit of the month)
0041818F DB4424 24 fild dword ptr ss:[esp+24] ; st0 = date[7], st1 = C0
00418193 0FBE5C24 >movsx ebx,byte ptr ss:[esp+13] ; ebx = date[6]
00418198 D9FA fsqrt ; st0 = sqrt(date[7])
0041819A 895C24 24 mov dword ptr ss:[esp+24],ebx ; [esp+24] = date[6]
0041819E 8A40 03 mov al,byte ptr ds:[eax+3] ; al = date[3] (last digit of the year)
004181A1 0FBEC0 movsx eax,al
004181A4 0FBEEA movsx ebp,dl ; ebp = date[5]
004181A7 0FBEC9 movsx ecx,cl ; ecx = date[4]
004181AA DB4424 24 fild dword ptr ss:[esp+24] ; st0 = date[6], st1 = sqrt(date[7])
004181AE 0FAFE9 imul ebp,ecx ; ebp = date[5]*date[4]; ebp is never written again, so this survives the whole loop (used at 00418270)
004181B1 D9FA fsqrt ; st0 = sqrt(date[6])
004181B3 894424 24 mov dword ptr ss:[esp+24],eax ; [esp+24] = date[3]
004181B7 DEC9 fmulp st(1),st ; st0 = sqrt(date[6])*sqrt(date[7])  (= sqrt(date[6]*date[7]) up to rounding)
004181B9 DD5C24 38 fstp qword ptr ss:[esp+38] ; D1 = that, kept as a double at [esp+38]; st0 = C0 again
004181BD DB4424 24 fild dword ptr ss:[esp+24] ; st0 = date[3]
004181C1 D9FA fsqrt
004181C3 DCC0 fadd st,st ; st0 = 2*sqrt(date[3])
004181C5 DD5C24 40 fstp qword ptr ss:[esp+40] ; D2 = 2*sqrt(date[3]) at [esp+40]; st0 = C0. These 8 bytes are reused as the start of the serial buffer from 004182A5 on
004181C9 8B5424 64 mov edx,dword ptr ss:[esp+64] ; loop head: edx -> username; esi = i (1..len), c = name[i-1]
004181CD DB4424 1C fild dword ptr ss:[esp+1C] ; st0 = (double)i
004181D1 8A5C32 FF mov bl,byte ptr ds:[edx+esi-1] ; bl = c
004181D5 0FBEC3 movsx eax,bl ; c sign-extended: bytes >= 0x80 (e.g. GBK text) become negative and stay negative in all the integer math below
004181D8 DD5C24 1C fstp qword ptr ss:[esp+1C] ; [esp+1C] now holds (double)i (overwrites the int slot of the same name)
004181DC 894424 24 mov dword ptr ss:[esp+24],eax
004181E0 DB4424 24 fild dword ptr ss:[esp+24] ; st0 = c
004181E4 0FBECB movsx ecx,bl ; ecx = c
004181E7 D9FA fsqrt ; st0 = sqrt(c)  (NaN for a negative c)
004181E9 0FAFCE imul ecx,esi ; ecx = c*i
004181EC DC4C24 1C fmul qword ptr ss:[esp+1C] ; st0 = i*sqrt(c)
004181F0 DC05 7866>fadd qword ptr ds:[446678] ; st0 = i*sqrt(c) + K1  (K1 = constant double at 00446678; its value is not shown in this post)
004181F6 0FAFCE imul ecx,esi
004181F9 0FAFCE imul ecx,esi ; ecx = c*i^3
004181FC 894C24 24 mov dword ptr ss:[esp+24],ecx
00418200 DB4424 24 fild dword ptr ss:[esp+24] ; st0 = c*i^3
00418204 DEC9 fmulp st(1),st ; st0 = c*i^3 * (i*sqrt(c) + K1)
00418206 D8C1 fadd st,st(1) ; num1 = that + st1. NOTE(review): st1 is C0 only on the first pass; on later passes it is the previous character's num1 % 0x118, left on the FPU stack by 00418281 (assuming the helper below pops, as MSVC _ftol does — the fstp st at 0041820E/004182A3 only balance under that assumption). A keygen rewritten in C must carry that value over
00418208 E8 930901>call tcsearch.00428BA0 ; _ftol: eax = (long)num1, truncating toward zero; pops st0
0041820D 99 cdq ; sign-extend eax into edx:eax for the signed divide
0041820E DDD8 fstp st ; discard the leftover st0 (C0 / previous num1 % 0x118)
00418210 B9 180100>mov ecx,118 ; 0x118 = 280
00418215 F7F9 idiv ecx
00418217 895424 14 mov dword ptr ss:[esp+14],edx ; m1 = num1 % 280 (the remainder keeps the sign of num1)
0041821B 0FBED3 movsx edx,bl
0041821E 895424 24 mov dword ptr ss:[esp+24],edx
00418222 DB4424 24 fild dword ptr ss:[esp+24] ; st0 = c
00418226 DD05 7066>fld qword ptr ds:[446670] ; st0 = 2.0 (analyst), st1 = c
0041822C E8 4F0701>call tcsearch.00428980 ; CRT pow helper computing st1^st0: st0 = c^2
00418231 DC4C24 1C fmul qword ptr ss:[esp+1C] ; st0 = c^2 * i
00418235 E8 660901>call tcsearch.00428BA0 ; eax = (long)(c^2 * i)
0041823A DB4424 14 fild dword ptr ss:[esp+14] ; st0 = m1
0041823E 8BCE mov ecx,esi
00418240 0FAFCF imul ecx,edi ; ecx = i * (previous character's num3 % 0x12C; 0 on the first pass)
00418243 D9C0 fld st ; st0 = st1 = m1
00418245 D9FA fsqrt ; st0 = sqrt(m1)  (NaN if m1 < 0)
00418247 03C1 add eax,ecx ; num3 = (long)(c^2*i) + i*edi
00418249 B9 2C0100>mov ecx,12C ; 0x12C = 300
0041824E 99 cdq
0041824F F7F9 idiv ecx
00418251 8BFA mov edi,edx ; edi = num3 % 300 -> next pass and, after the loop, the seed of output bytes 5..9
00418253 E8 480901>call tcsearch.00428BA0 ; eax = (long)sqrt(m1); st0 = m1 remains
00418258 03C7 add eax,edi ; eax = (long)sqrt(m1) + num3 % 300
0041825A B9 A08601>mov ecx,186A0 ; 0x186A0 = 100000
0041825F 99 cdq
00418260 DD4424 38 fld qword ptr ss:[esp+38] ; st0 = D1, st1 = m1
00418264 F7F9 idiv ecx ; edx = ((long)sqrt(m1) + num3 % 300) % 100000
00418266 DC4C24 1C fmul qword ptr ss:[esp+1C] ; st0 = D1 * i
0041826A DC4424 40 fadd qword ptr ss:[esp+40] ; st0 = D1*i + D2
0041826E 8BDA mov ebx,edx ; ebx = that remainder -> seed of output bytes 10..14 (the last pass wins)
00418270 8BD5 mov edx,ebp
00418272 0FAFD6 imul edx,esi ; edx = date[4]*date[5]*i
00418275 895424 24 mov dword ptr ss:[esp+24],edx
00418279 DB4424 24 fild dword ptr ss:[esp+24]
0041827D DEC9 fmulp st(1),st ; st0 = date[4]*date[5]*i * (D1*i + D2)
0041827F D8C1 fadd st,st(1) ; num4 = that + m1
00418281 E8 1A0901>call tcsearch.00428BA0 ; eax = (long)num4; st0 = m1 stays on the stack into the next pass
00418286 99 cdq
00418287 B9 180100>mov ecx,118
0041828C F7F9 idiv ecx ; edx = num4 % 280
0041828E 8B4424 30 mov eax,dword ptr ss:[esp+30] ; eax = len
00418292 46 inc esi ; i++
00418293 3BF0 cmp esi,eax
00418295 897424 1C mov dword ptr ss:[esp+1C],esi ; int i for the next fild
00418299 895424 24 mov dword ptr ss:[esp+24],edx ; [esp+24] = num4 % 280 -> seed of output bytes 15..19 (the last pass wins)
0041829D ^ 0F8E 26FF>jle tcsearch.004181C9 ; loop while i <= len (signed)
004182A3 DDD8 fstp st ; pop the last pass's m1; the FPU stack is balanced again
004182A5 33C9 xor ecx,ecx ; k = 0. The four loops below each fill 5 bytes of a 20-byte buffer at [esp+40]:
004182A7 8BD1 mov edx,ecx ;   buf[k] = (seed + k^3 + 0x1F) % M with (seed, M) = (m1, 0x4E), (edi, 0x58), (ebx, 0x26), ([esp+24], 0x12)
004182A9 8B4424 14 mov eax,dword ptr ss:[esp+14] ; eax = m1 of the last character
004182AD 0FAFD1 imul edx,ecx
004182B0 0FAFD1 imul edx,ecx ; edx = k^3
004182B3 BE 4E0000>mov esi,4E ; 0x4E = 78
004182B8 8D4402 1F lea eax,dword ptr ds:[edx+eax+1F] ; eax = m1 + k^3 + 31
004182BC 99 cdq
004182BD F7FE idiv esi ; dl = eax % 78 (signed: a negative seed gives a negative byte)
004182BF 41 inc ecx
004182C0 83F9 05 cmp ecx,5
004182C3 88540C 3F mov byte ptr ss:[esp+ecx+3F],dl ; buf[k] at [esp+40+k] (ecx is already k+1)
004182C7 ^ 7C DE jl short tcsearch.004182A7 ; k = 0..4 -> buf[0..4]
004182C9 B9 050000>mov ecx,5
004182CE 8BD1 mov edx,ecx
004182D0 BE 580000>mov esi,58 ; 0x58 = 88
004182D5 0FAFD1 imul edx,ecx
004182D8 0FAFD1 imul edx,ecx ; k^3
004182DB 8D443A 1F lea eax,dword ptr ds:[edx+edi+1F] ; seed = edi (last num3 % 300)
004182DF 99 cdq
004182E0 F7FE idiv esi
004182E2 41 inc ecx
004182E3 83F9 0A cmp ecx,0A
004182E6 88540C 3F mov byte ptr ss:[esp+ecx+3F],dl
004182EA ^ 7C E2 jl short tcsearch.004182CE ; k = 5..9 -> buf[5..9]
004182EC B9 0A0000>mov ecx,0A
004182F1 8BC1 mov eax,ecx
004182F3 BE 260000>mov esi,26 ; 0x26 = 38
004182F8 0FAFC1 imul eax,ecx
004182FB 0FAFC1 imul eax,ecx ; k^3
004182FE 8D4418 1F lea eax,dword ptr ds:[eax+ebx+1F] ; seed = ebx (last value from 0041826E)
00418302 99 cdq
00418303 F7FE idiv esi
00418305 41 inc ecx
00418306 83F9 0F cmp ecx,0F
00418309 88540C 3F mov byte ptr ss:[esp+ecx+3F],dl
0041830D ^ 7C E2 jl short tcsearch.004182F1 ; k = 10..14 -> buf[10..14]
0041830F B9 0F0000>mov ecx,0F
00418314 8BD1 mov edx,ecx
00418316 8B4424 24 mov eax,dword ptr ss:[esp+24] ; seed = last num4 % 280
0041831A 0FAFD1 imul edx,ecx
0041831D 0FAFD1 imul edx,ecx ; k^3
00418320 BE 120000>mov esi,12 ; 0x12 = 18
00418325 8D4402 1F lea eax,dword ptr ds:[edx+eax+1F]
00418329 99 cdq
0041832A F7FE idiv esi
0041832C 41 inc ecx
0041832D 83F9 14 cmp ecx,14
00418330 88540C 3F mov byte ptr ss:[esp+ecx+3F],dl ; NOTE(review): k = 15..19 writes [esp+4F]..[esp+53], but the locals from sub esp,40 end at [esp+4F]; [esp+50] is the saved fs:[0] link pushed at 004180ED and reinstalled at 004183DD. As far as this frame arithmetic shows, the last 4 serial bytes overrun the buffer into the EH record — confirm in the debugger
00418334 ^ 7C DE jl short tcsearch.00418314 ; k = 15..19 -> buf[15..19]
00418336 33D2 xor edx,edx ; j = 0 (index into buf)
00418338 33C9 xor ecx,ecx ; ecx = 7*j
0041833A 8A4414 40 mov al,byte ptr ss:[esp+edx+40] ; al = buf[j]. All compares below are signed, so a byte >= 0x80 never counts as alphanumeric
0041833E 3C 30 cmp al,30 ; '0'
00418340 7C 04 jl short tcsearch.00418346
00418342 3C 39 cmp al,39 ; '9'
00418344 7E 29 jle short tcsearch.0041836F ; digit -> keep
00418346 3C 41 cmp al,41 ; 'A'
00418348 7C 04 jl short tcsearch.0041834E
0041834A 3C 5A cmp al,5A ; 'Z'
0041834C 7E 21 jle short tcsearch.0041836F ; upper-case letter -> keep
0041834E 3C 61 cmp al,61 ; 'a'
00418350 7C 04 jl short tcsearch.00418356
00418352 3C 7A cmp al,7A ; 'z'
00418354 7E 19 jle short tcsearch.0041836F ; lower-case letter -> keep
00418356 0FBEC0 movsx eax,al ; not alphanumeric: rewrite it
00418359 8D4408 1F lea eax,dword ptr ds:[eax+ecx+1F] ; eax = buf[j] + 7*j + 31
0041835D 25 7F0000>and eax,8000007F ; \
00418362 79 05 jns short tcsearch.00418369 ; | compiler idiom for signed eax % 128
00418364 48 dec eax ; | (a negative input yields a negative remainder)
00418365 83C8 80 or eax,FFFFFF80 ; |
00418368 40 inc eax ; /
00418369 884414 40 mov byte ptr ss:[esp+edx+40],al ; buf[j] = result
0041836D ^ EB CB jmp short tcsearch.0041833A ; re-test the same byte; repeats until it is alphanumeric (the step 7*j+31 is positive and shares at most a factor 16 with 128, and every residue class mod 16 contains an alphanumeric code, so this terminates for any start byte)
0041836F 83C1 07 add ecx,7
00418372 42 inc edx ; next byte
00418373 81F9 8C00>cmp ecx,8C ; 0x8C = 140 = 7*20
00418379 ^ 7C BF jl short tcsearch.0041833A ; j = 0..19: the whole 20-byte serial ends up alphanumeric
0041837B 33F6 xor esi,esi ; n = 0
0041837D 8A4C34 40 mov cl,byte ptr ss:[esp+esi+40] ; cl = buf[n]
00418381 51 push ecx
00418382 8D4C24 1C lea ecx,dword ptr ss:[esp+1C] ; this = result CString at [esp+18] (pre-push)
00418386 E8 690902>call tcsearch.00438CF4 ; append one character (CString += char, judging by the call pattern)
0041838B 46 inc esi
0041838C 83FE 14 cmp esi,14
0041838F ^ 7C EC jl short tcsearch.0041837D ; 20 characters -> the serial is always 20 alphanumeric chars
00418391 8B7424 60 mov esi,dword ptr ss:[esp+60] ; esi = hidden return slot (the empty-name path joins here with an empty result)
00418395 8D5424 18 lea edx,dword ptr ss:[esp+18]
00418399 52 push edx
0041839A 8BCE mov ecx,esi
0041839C E8 0A0402>call tcsearch.004387AB ; copy-construct the result into the return slot (same routine the caller used at 00417D08)
004183A1 C74424 34>mov dword ptr ss:[esp+34],1 ; local flag = 1 (zeroed at 004180FE; purpose not visible in this post)
004183A9 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
004183AD C64424 58>mov byte ptr ss:[esp+58],2 ; EH state 2
004183B2 E8 7F0602>call tcsearch.00438A36 ; ~CString: date text
004183B7 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
004183BB C64424 58>mov byte ptr ss:[esp+58],1 ; EH state 1
004183C0 E8 710602>call tcsearch.00438A36 ; ~CString: local result
004183C5 8D4C24 64 lea ecx,dword ptr ss:[esp+64]
004183C9 C64424 58>mov byte ptr ss:[esp+58],0 ; EH state 0
004183CE E8 630602>call tcsearch.00438A36 ; ~CString: the by-value username argument (destroyed by the callee)
004183D3 8B4C24 50 mov ecx,dword ptr ss:[esp+50] ; saved previous fs:[0] link (0013AE08). NOTE(review): the 20-byte serial buffer at [esp+40] runs to [esp+53], so by frame arithmetic this dword has been overwritten with serial bytes; the caller's own epilogue (00417DB2) repairs fs:[0] later, but any exception dispatched before that walks a bogus chain — confirm in the debugger
004183D7 8BC6 mov eax,esi ; return the CString pointer
004183D9 5F pop edi
004183DA 5E pop esi
004183DB 5D pop ebp
004183DC 5B pop ebx
004183DD 64:890D 0>mov dword ptr fs:[0],ecx ; unlink the EH record
004183E4 83C4 4C add esp,4C ; 0x40 locals + 12-byte EH record
004183E7 C2 0800 retn 8 ; pops the return slot and the by-value argument
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
在算法call中,这个软件是根据 用户名 和 校验时的系统日期 计算出注册码的:00418132 处取当前时间,0041814B 处按 "%Y%m%d" 格式化成 "YYYYMMDD",算法只用到其中下标 3、4、5、6、7(从 0 数)的字符,即年份末位、月、日各位数字的 ASCII 码。也就是说只要年份末位、月或日有一处不同,同一个用户名算出的注册码就不一样,注册机必须使用与目标机器相同的日期,否则 00417D43 处的比较必然失败;软件是否把注册成功时的日期持久化保存,本文给出的代码看不出来,需另行确认。
涉及到很多浮点指令的运算,比较繁琐。如果想用 C/C++ 重写而不是搬汇编,有几处容易跑偏:(1) 用户名的字节是经 movsx 带符号扩展的,0x80 以上的字节(例如 GBK 汉字)会变成负数,其后 cdq/idiv 的余数也带符号,fsqrt 对负数得到 NaN,00428BA0 处的 float→long 是向零截断,这些行为都要原样保留;(2) 主循环 00418206 处的 fadd st,st(1),第一轮加的是 00446680 处的常量,之后每一轮加的是上一个字符留在 FPU 栈上的 num1%0x118(循环体只在 0041820E 和 004182A3 各弹一次栈),单纯按 "num1" 的公式重算会与程序不一致;(3) 四组各五个字节算完之后,00418336 处的循环还会把非字母数字的字节反复变换成字母数字,最终注册码固定为 20 个字母数字字符。
期间的一些循环处理过程,我在做注册机时是直接从OD中提取出汇编代码嵌入到C++内使用的,这样可以绕开上面的精度和符号问题。
具体注册算法大家看我注册机的源文件。
另外有两点值得一提。一是真码在内存中明文算出后再与输入做字符串比较(00417D43),在该处下断直接读 [esp+14] 就能拿到当天有效的注册码,连算法都不必还原——这是"本地算出真码再比较"这类校验方式共有的弱点。二是按栈帧推算,20 字节注册码写在 [esp+40]~[esp+53](作者调试时对应 0013ADF8~0013AE0B),而该函数 sub esp,40 开出的局部变量只到 [esp+4F],[esp+50](0013AE08)正是入口处压栈保存的上一个 fs:[0] 链指针,004183D3 处又把它原样装回 fs:[0]。也就是说算法函数里这个缓冲区疑似越界 4 字节,返回后会暂时破坏 SEH 链,直到调用者在 00417DB2 处恢复自己保存的指针为止;这一点建议在调试器里核实。
--------------------------------------------------------------------------------
【版权声明】: 本文原创,转载请注明作者并保持文章的完整,谢谢!
2007年10月27日 15:18:45