[原创]ecGraph3D控件的注册算法分析
发表于: 2009-1-16 12:36 7645


ecGraph3D控件的注册算法分析
----和“一个外国人编写的名为ecGraph3D的三维控件的破解”

ecGraph3D的这个控件确实是一个好东西,如果谁能开发出立体几何接口来,将其使用于数学教学中将是非常有益的。

zhuliang先生已经对它进行了破解分析,我本不想再在破解上出风头了,想等别人来做算法分析这件事(见xiaoAngel的承诺)。无奈一直不见动静,只好将自己的研究拿出来献丑了。
作为算法分析,普遍认为VB较难,我恰好相反。原因是VB的数据结构决定了它的计算难度不可能很高(一般地)。VB的东西的难点在于VB的多级结构指针的使用,让我们难以直接查看操作数是谁,以至于相应的函数做了些什么让人迷迷糊糊的,常谓之看不懂VB的函数是也。
另外,VB自己是一个懒主儿,一般是不会轻易做事的。如果想做点什么,大多数情况下是交给库函数的。如果库函数也做不了,他会告诉库函数,你找谁去解决(自己是不找的)。本文的情况就是如此。所以,怎么进入到ecGraph3D的领空,对一部分人来说可能还是一个新课题。

还是切入主题吧!
开发者给我们提供的范例,使我们大概知道注册码的一般形式,同时也蒙蔽了我们的眼睛。

实测,注册码应该划分为五段,前四段等长,第五段长度不定,原因见后。
计算难度不大,难的是对数据的观察。
当你能进入到ecGraph3D的领空,会来到这里:

; Debugger listing (all immediates are hex): the check slices the entered string
; into segments with Mid-style calls, each guarded by a length test.
; [EBP-38] is pushed as the string argument of every length/substring call below;
; the push that precedes the very first call lies outside this excerpt.
; A failed length test only skips that extraction; it does not branch to a reject path here.
110751F3  CALL NEAR DWORD PTR DS:[11001048]                ; string length (author's label; import name not shown)
110751F9  CMP EAX,10
110751FC  JLE SHORT 11075236                               ; length <= 0x10 (16): skip the extraction below
110751FE  MOV DWORD PTR SS:[EBP-48],5                      ; variant value = 5 (substring length)
11075205  MOV DWORD PTR SS:[EBP-50],2                      ; variant type = 2 (presumably VT_I2 -- confirm)
1107520C  LEA EDX,DWORD PTR SS:[EBP-50]
1107520F  PUSH EDX
11075210  PUSH 0D                                          ; start position 0x0D (13)
11075212  MOV EAX,DWORD PTR SS:[EBP-38]
11075215  PUSH EAX
11075216  MOV EBX,DWORD PTR DS:[11001150]                  ; MSVBVM60.rtcMidCharBstr
1107521C  CALL NEAR EBX                                    ; take 5 characters starting at position 13
1107521E  MOV EDX,EAX
11075220  LEA ECX,DWORD PTR SS:[EBP-3C]                    ; result is stored at [EBP-3C]
11075223  MOV EDI,DWORD PTR DS:[1100133C]                  ; MSVBVM60.__vbaStrMove
11075229  CALL NEAR EDI
1107522B  LEA ECX,DWORD PTR SS:[EBP-50]
1107522E  CALL NEAR DWORD PTR DS:[11001038]                ; MSVBVM60.__vbaFreeVar
11075234  JMP SHORT 11075242
11075236  MOV EDI,DWORD PTR DS:[1100133C]                  ; MSVBVM60.__vbaStrMove
1107523C  MOV EBX,DWORD PTR DS:[11001150]                  ; MSVBVM60.rtcMidCharBstr
11075242  MOV ECX,DWORD PTR SS:[EBP-38]
11075245  PUSH ECX
11075246  CALL NEAR DWORD PTR DS:[11001048]                ; string length again
1107524C  CMP EAX,16
1107524F  JLE SHORT 1107527B                               ; length <= 0x16 (22): skip the extraction below
11075251  MOV DWORD PTR SS:[EBP-48],5                      ; variant value = 5 (substring length)
11075258  MOV DWORD PTR SS:[EBP-50],2                      ; variant type = 2 (presumably VT_I2 -- confirm)
1107525F  LEA EDX,DWORD PTR SS:[EBP-50]
11075262  PUSH EDX
11075263  PUSH 13                                          ; start position 0x13 (19)
11075265  MOV EAX,DWORD PTR SS:[EBP-38]
11075268  PUSH EAX
11075269  CALL NEAR EBX                                    ; take 5 characters starting at position 19
1107526B  MOV EDX,EAX
1107526D  LEA ECX,DWORD PTR SS:[EBP-20]                    ; result is stored at [EBP-20]
11075270  CALL NEAR EDI
11075272  LEA ECX,DWORD PTR SS:[EBP-50]
11075275  CALL NEAR DWORD PTR DS:[11001038]                ; MSVBVM60.__vbaFreeVar
1107527B  MOV ECX,DWORD PTR SS:[EBP-38]
1107527E  PUSH ECX
1107527F  CALL NEAR DWORD PTR DS:[11001048]                ; string length again
11075285  CMP EAX,19
11075288  JLE SHORT 110752B4                               ; length <= 0x19 (25): skip the extraction below
1107528A  MOV DWORD PTR SS:[EBP-48],80020004               ; with type 0x0A below this looks like an omitted optional length -- confirm
11075291  MOV DWORD PTR SS:[EBP-50],0A
11075298  LEA EDX,DWORD PTR SS:[EBP-50]
1107529B  PUSH EDX
1107529C  PUSH 19                                          ; start position 0x19 (25)
1107529E  MOV EAX,DWORD PTR SS:[EBP-38]
110752A1  PUSH EAX
110752A2  CALL NEAR EBX                                    ; take the substring starting at position 25
; (the listing jumps from 110752A2 to 11075341 here; the instructions in between are not shown)
11075341  MOV DWORD PTR SS:[EBP-88],11008140               ; UNICODE "BDFHKMPQTWXAREYUSCGVZ"
1107534B  MOV DWORD PTR SS:[EBP-90],8                      ; variant type = 8 (presumably VT_BSTR -- confirm)
11075355  MOVSX EDX,SI                                     ; SI is passed as the character code
11075358  PUSH EDX
11075359  LEA EAX,DWORD PTR SS:[EBP-50]
1107535C  PUSH EAX
1107535D  CALL NEAR DWORD PTR DS:[11001248]                ; MSVBVM60.rtcVarBstrFromAnsi
11075363  PUSH 1
11075365  LEA ECX,DWORD PTR SS:[EBP-90]
1107536B  PUSH ECX
1107536C  LEA EDX,DWORD PTR SS:[EBP-50]
1107536F  PUSH EDX
11075370  PUSH 1
11075372  LEA EAX,DWORD PTR SS:[EBP-60]
11075375  PUSH EAX
11075376  CALL NEAR DWORD PTR DS:[11001250]                ; MSVBVM60.__vbaInStrVar
……
; Calls through the object's method table ([reg+offset]); the notes on the calls are the
; author's reading of each method. The listing skips from 11075488 to 11075532.
11075488  CALL NEAR DWORD PTR DS:[EAX+AB4]                 ; map each character of segment 5 to its position in the alphabet string, giving digit string str1
11075532  CALL NEAR DWORD PTR DS:[EAX+A8C]                 ; build an integer index table from segment 4
11075538  CMP WORD PTR SS:[EBP-A4],BX
1107553F  JNZ 110756F7                                     ; same exit target is used after the other table calls in this listing
11075545  MOV EAX,DWORD PTR DS:[ESI]
11075547  LEA ECX,DWORD PTR SS:[EBP-40]
1107554A  PUSH ECX
1107554B  MOV EDX,DWORD PTR SS:[EBP-38]
1107554E  PUSH EDX
1107554F  PUSH ESI
11075550  CALL NEAR DWORD PTR DS:[EAX+A94]                 ; transpose str1 through the index table, giving digit string str2
11075556  MOV EDX,DWORD PTR SS:[EBP-40]
11075559  MOV DWORD PTR SS:[EBP-40],EBX
1107555C  LEA ECX,DWORD PTR SS:[EBP-34]                    ; result is moved to [EBP-34]
1107555F  CALL NEAR EDI
11075561  MOV EAX,DWORD PTR SS:[EBP-34]
11075564  PUSH EAX
11075565  PUSH 11008170                                    ; constant string operand (contents not shown in the listing)
1107556A  CALL NEAR DWORD PTR DS:[11001134]                ; MSVBVM60.__vbaStrTextCmp
11075570  TEST EAX,EAX
……
; Second transposition round: an index table is built from the string at [EBP-3C],
; then applied to the string at [EBP-34].
110755DD  LEA EAX,DWORD PTR SS:[EBP-A4]
110755E3  PUSH EAX
110755E4  MOV ECX,DWORD PTR SS:[EBP-3C]
110755E7  PUSH ECX
110755E8  PUSH ESI
110755E9  CALL NEAR DWORD PTR DS:[EDX+A8C]                 ; build an integer index table from segment 3
110755EF  CMP WORD PTR SS:[EBP-A4],BX
110755F6  JNZ 110756F7
110755FC  MOV EDX,DWORD PTR DS:[ESI]
110755FE  LEA EAX,DWORD PTR SS:[EBP-40]
11075601  PUSH EAX
11075602  MOV ECX,DWORD PTR SS:[EBP-34]
11075605  PUSH ECX
11075606  PUSH ESI
11075607  CALL NEAR DWORD PTR DS:[EDX+A94]                 ; transpose str2 through the index table, giving str3
1107560D  MOV EDX,DWORD PTR SS:[EBP-40]
11075610  MOV DWORD PTR SS:[EBP-40],EBX
……
; Final stage: a character index table is built from a string reached through the
; argument at [EBP+10], then combined with the string at [EBP-34].
1107567D  LEA ECX,DWORD PTR SS:[EBP-A4]
11075683  PUSH ECX
11075684  MOV EDX,DWORD PTR SS:[EBP+10]
11075687  MOV ECX,DWORD PTR DS:[EDX]
11075689  PUSH ECX
1107568A  PUSH ESI
1107568B  CALL NEAR DWORD PTR DS:[EAX+A9C]                 ; build a character index table from a string (the author's note leaves the string blank)
11075691  CMP WORD PTR SS:[EBP-A4],BX
11075698  JNZ SHORT 110756F7
1107569A  MOV EDX,DWORD PTR DS:[ESI]
1107569C  LEA EAX,DWORD PTR SS:[EBP-40]
1107569F  PUSH EAX
110756A0  MOV ECX,DWORD PTR SS:[EBP-34]
110756A3  PUSH ECX
110756A4  PUSH ESI
110756A5  CALL NEAR DWORD PTR DS:[EDX+AA0]                 ; produce the output string from the index table and str3
; Index-table builder (debugger listing, immediates are hex).
; Outer loop i = 1..10; inner loop j = 1..10 scans the string at [EBP-54] for the
; smallest upper-cased character code (unsigned compare, tmp starts at 0xFF).
; The winning position j is recorded as table[j mod 10] = i mod 10, and that
; position is then overwritten with character 0xFF so later passes do not pick it again.
110744AD  MOV EAX,1                                        ; i=1
110744B2  MOV DWORD PTR SS:[EBP-58],EAX                    ;i
110744B5  MOV EDI,DWORD PTR DS:[11001388]                  ; MSVBVM60.__vbaFreeStr
	110744BB  MOV ECX,0A                                       ; outer loop ==>
	110744C0  CMP EAX,ECX                                      ; i>10?
	110744C2  JG 11074637
	110744C8  MOV ECX,0FF                                      ; FF
	110744CD  CALL NEAR DWORD PTR DS:[110011F0]                ; MSVBVM60.__vbaUI1I2
	110744D3  MOV BYTE PTR SS:[EBP-48],AL                      ; tmp=FF
	110744D6  MOV ESI,1                                        ; j=1
		110744DB  MOV EAX,0A                                       ; inner loop ==>
		110744E0  CMP ESI,EAX                                      ; j>10?
		110744E2  JG 110745A4
		110744E8  MOV DWORD PTR SS:[EBP-6C],1                      ; variant value = 1 (one character)
		110744EF  MOV DWORD PTR SS:[EBP-74],2                      ; variant type = 2 (presumably VT_I2 -- confirm)
		110744F6  LEA ECX,DWORD PTR SS:[EBP-54]
		110744F9  MOV DWORD PTR SS:[EBP-C0],ECX
		110744FF  MOV DWORD PTR SS:[EBP-C8],4008                   ; variant type 0x4008 wrapping the address of [EBP-54] (presumably a by-reference string -- confirm)
		11074509  LEA EDX,DWORD PTR SS:[EBP-74]
		1107450C  PUSH EDX
		1107450D  PUSH ESI
		1107450E  LEA EAX,DWORD PTR SS:[EBP-C8]
		11074514  PUSH EAX
		11074515  LEA ECX,DWORD PTR SS:[EBP-84]
		1107451B  PUSH ECX
		1107451C  CALL NEAR DWORD PTR DS:[11001158]                ; read one character (position j)
		11074522  LEA EDX,DWORD PTR SS:[EBP-84]
		11074528  PUSH EDX
		11074529  LEA EAX,DWORD PTR SS:[EBP-94]
		1107452F  PUSH EAX
		11074530  CALL NEAR DWORD PTR DS:[1100117C]                ; convert to upper case
		11074536  LEA ECX,DWORD PTR SS:[EBP-94]
		1107453C  PUSH ECX
		1107453D  LEA EDX,DWORD PTR SS:[EBP-64]
		11074540  PUSH EDX
		11074541  CALL NEAR DWORD PTR DS:[1100125C]                ; MSVBVM60.__vbaStrVarVal
		11074547  PUSH EAX
		11074548  CALL NEAR DWORD PTR DS:[1100106C]                ; get the ASCII code
		1107454E  MOV ECX,EAX
		11074550  CALL NEAR DWORD PTR DS:[110011F0]                ; MSVBVM60.__vbaUI1I2
		11074556  MOV BL,AL                                        ; keep the character code in BL
		11074558  LEA ECX,DWORD PTR SS:[EBP-64]
		1107455B  CALL NEAR EDI
		1107455D  LEA EAX,DWORD PTR SS:[EBP-94]
		11074563  PUSH EAX
		11074564  LEA ECX,DWORD PTR SS:[EBP-84]
		1107456A  PUSH ECX
		1107456B  LEA EDX,DWORD PTR SS:[EBP-74]
		1107456E  PUSH EDX
		1107456F  PUSH 3
		11074571  CALL NEAR DWORD PTR DS:[1100105C]                ; MSVBVM60.__vbaFreeVarList
		11074577  ADD ESP,10
		1107457A  CMP BL,BYTE PTR SS:[EBP-48]                      ; character code vs tmp: which is larger? (unsigned)
		1107457D  JNB SHORT 1107458D
			1107457F  MOV BYTE PTR SS:[EBP-48],BL                      ; tmp <== code: the smaller value replaces the larger
			11074582  MOV ECX,ESI
			11074584  CALL NEAR DWORD PTR DS:[110011A0]                ; MSVBVM60.__vbaI2I4
			1107458A  MOV DWORD PTR SS:[EBP-44],EAX                    ; remember j of the current minimum
		1107458D  MOV EAX,1
		11074592  ADD EAX,ESI
		11074594  JO 11074B1E                                      ; branch taken on arithmetic overflow of j+1
		1107459A  MOV ESI,EAX                                      ;j++
		1107459C  MOV EBX,DWORD PTR SS:[EBP+8]
		1107459F  JMP 110744DB                                     ; inner loop <==
	110745A4  MOV AX,WORD PTR SS:[EBP-44]                      ; j
	110745A8  CWD
	110745AA  MOV CX,0A
	110745AE  IDIV CX
	110745B1  MOVSX ESI,DX                                     ; j mod 10
	110745B4  CMP ESI,0B                                       ; index must be below 0x0B (11) ...
	110745B7  JB SHORT 110745BF
	110745B9  CALL NEAR DWORD PTR DS:[11001184]                ; MSVBVM60.__vbaGenerateBoundsError
	110745BF  MOV EAX,DWORD PTR SS:[EBP-58]                    ; i
	110745C2  CDQ
	110745C3  MOV ECX,0A
	110745C8  IDIV ECX
	110745CA  MOV ECX,EDX                                      ; i mod 10
	110745CC  CALL NEAR DWORD PTR DS:[11001210]                ; MSVBVM60.__vbaUI1I4
	110745D2  MOV EDX,DWORD PTR DS:[EBX+194]                   ; array address
	110745D8  MOV BYTE PTR DS:[EDX+ESI],AL                     ; store the index into the array
	110745DB  PUSH 0FF
	110745E0  LEA EAX,DWORD PTR SS:[EBP-74]
	110745E3  PUSH EAX
	110745E4  CALL NEAR DWORD PTR DS:[11001248]                ; MSVBVM60.rtcVarBstrFromAnsi
	110745EA  LEA ECX,DWORD PTR SS:[EBP-54]
	110745ED  PUSH ECX
	110745EE  MOVSX EDX,WORD PTR SS:[EBP-44]
	110745F2  PUSH EDX
	110745F3  PUSH 1
	110745F5  LEA EAX,DWORD PTR SS:[EBP-74]
	110745F8  PUSH EAX
	110745F9  CALL NEAR DWORD PTR DS:[1100104C]                ; MSVBVM60.__vbaStrVarMove
	110745FF  MOV EDX,EAX
	11074601  LEA ECX,DWORD PTR SS:[EBP-64]
	11074604  CALL NEAR DWORD PTR DS:[1100133C]                ; MSVBVM60.__vbaStrMove
	1107460A  PUSH EAX
	1107460B  PUSH 0
	1107460D  CALL NEAR DWORD PTR DS:[1100137C]                ; overwrite position j with character FF
	11074613  LEA ECX,DWORD PTR SS:[EBP-64]
	11074616  CALL NEAR EDI
	11074618  LEA ECX,DWORD PTR SS:[EBP-74]
	1107461B  CALL NEAR DWORD PTR DS:[11001038]                ; MSVBVM60.__vbaFreeVar
	11074621  MOV EAX,1
	11074626  ADD EAX,DWORD PTR SS:[EBP-58]
	11074629  JO 11074B1E                                      ; branch taken on arithmetic overflow of i+1
	1107462F  MOV DWORD PTR SS:[EBP-58],EAX
	11074632  JMP 110744BB                                     ; outer loop <==
    ' Author's VB rendering of a transposition step: characters of in2 are taken in
    ' order (counter t) and written into ztmp at position b(j), then every 5th position after it.
    ' NOTE(review): Array() is 0-based unless Option Base 1 is in effect, so b(5) needs that setting - confirm.
    B=array(1,2,3,4,5)
    n = Len(in2)   'in2 is the digit string
    ztmp = Space(n)'blank string of the same length as in2
    t = 1
    For j = 1 To 5
        index = b(j)
        For i = 1 To n
            ' NOTE(review): the literal 6 looks like it stands in for the string length - confirm against the listing
            If index <= 6 Then
                Mid(ztmp, index, 1) = Mid(in2, t, 1)
                index = index + 5
                t = t + 1
            End If
        Next
        If t = n + 1 Then Exit For 'leave once every character has been placed
    Next

最新回复 (1)
精彩,俺一直对算法分析没什么突破。
2009-1-16 14:52