DISKdata v3.3.2

标题：给TAE!的小礼物－－－对DISKdata v3.3.2注册算法的分析 (14千字)
作者：CoolBob[CCG]
时间：2001-7-13 2:05:23
链接：http://bbs.pediy.com

DISKdata v3.3.2 (Write a KeyGen　use TC2.0)

本文作者：CoolBob[CCG] * [CCG] stands for cHINA cRACKING gROUP
coolbob@21cn.com QQ:1618778
所用工具：SoftICE4.05,DeDe v2.50,Turbo C 2.0
目标网址：http://www.digallery.com/diskdata/

前言：
　　　一日TAE!大虾问小弟对DISKdata这个东东的注册算法有没有兴趣，偶当时正与MM聊的火热，也没在意:)　后来收信的时候看到了TAE!的信才想起来。
　　　小弟在匆忙中完成此篇，有什么错误的地方，欢迎广大的高手为小弟指正 ;d
正文：运行DISKdata后，点击右边那个About页，在Licensed to与License key文本框中分别填入姓名与注册码。不要急着点击Set按钮，观察一番先。发现下面有个Licensed copies:None Expiration:None,很明显这个程序有很多种注册方式!现在按Ctrl+D弹出SoftICE，下BPX Hmemcpy.按F5回到系统中来。再点击Set按钮.啪～SoftICE露出了她那丑陋的脸^O^。12次F12后(为什么是12次呢，因为Delphi 5写的GetText(),一般要按12次，嘿嘿，不信你试试!)来到了这里:
* Reference to: controls.TControl.GetText(TControl):System.String;
|
00490ED6 E8E5F7F9FF call 004306C0
00490EDB 8B45F0 mov eax, [ebp-$10]   //d eax,License key
00490EDE 8D55F4 lea edx, [ebp-$0C]

* Reference to: sysutils.Trim(System.AnsiString):System.AnsiString;
|
00490EE1 E82E77F7FF call 00408614
00490EE6 8B45F4 mov eax, [ebp-$0C]
00490EE9 8D4DFC lea ecx, [ebp-$04]

* Possible String Reference to: 'DISKdata'
|
00490EEC BA9C134900 mov edx, $0049139C

|
00490EF1 E8CA05FEFF call 004714C0   //第一个比较点，F8跟进
00490EF6 84C0 test al, al   //出来时al=0就886
00490EF8 0F84C7030000 jz 004912C5
－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－
在DeDe中双击00490EF1处，
……　……　……
00471559 8B5DF0 mov ebx, [ebp-$10]
0047155C 03DB add ebx, ebx
0047155E 4B dec ebx
0047155F 8D4301 lea eax, [ebx+$01]
00471562 D1F8 sar eax, 1
00471564 7903 jns 00471569
00471566 83D000 adc eax, +$00
00471569 99 cdq
0047156A F7FE idiv esi
0047156C 8BC2 mov eax, edx

|
0047156E E841FFFFFF call 004714B4
00471573 F7EE imul esi
00471575 50 push eax
00471576 8D4301 lea eax, [ebx+$01]
00471579 D1F8 sar eax, 1
0047157B 7903 jns 00471580
0047157D 83D000 adc eax, +$00
00471580 99 cdq
00471581 F7FE idiv esi
00471583 58 pop eax
00471584 2BD0 sub edx, eax
00471586 52 push edx
00471587 8D45DC lea eax, [ebp-$24]
0047158A B9C4164700 mov ecx, $004716C4
0047158F 8B55F8 mov edx, [ebp-$08]

* Reference to: system.@LStrCat3;
|
00471592 E85529F9FF call 00403EEC
00471597 8B45DC mov eax, [ebp-$24]
0047159A 5A pop edx
0047159B 8A4410FF mov al, byte ptr [eax+edx-$01]   //从一个固定的字符串'DISKdata-'中取数'D'放入al中，以后依次循环
0047159F 8845EF mov [ebp-$11], al
004715A2 BAC8164700 mov edx, $004716C8
004715A7 8D45D4 lea eax, [ebp-$2C]

* Reference to: system.@PStrCpy;
|
004715AA E88115F9FF call 00402B30
004715AF 8D45D0 lea eax, [ebp-$30]

* Reference to MainForm
|
004715B2 8B55FC mov edx, [ebp-$04]
004715B5 8A541AFF mov dl, byte ptr [edx+ebx-$01]   //从我们输入的License key中取一个放入dl中
004715B9 885001 mov [eax+$01], dl       //保存dl
004715BC C60001 mov byte ptr [eax], $01
004715BF 8D55D0 lea edx, [ebp-$30]
004715C2 8D45D4 lea eax, [ebp-$2C]
004715C5 B102 mov cl, $02

* Reference to: system.@PStrNCat;
|
004715C7 E83415F9FF call 00402B00
004715CC 8D55D4 lea edx, [ebp-$2C]
004715CF 8D45CC lea eax, [ebp-$34]

* Reference to: system.@PStrCpy;
|
004715D2 E85915F9FF call 00402B30
004715D7 8D45D0 lea eax, [ebp-$30]

* Reference to MainForm
|
004715DA 8B55FC mov edx, [ebp-$04]
004715DD 8A141A mov dl, byte ptr [edx+ebx]   //接着取License key中的数
004715E0 885001 mov [eax+$01], dl
004715E3 C60001 mov byte ptr [eax], $01
004715E6 8D55D0 lea edx, [ebp-$30]
004715E9 8D45CC lea eax, [ebp-$34]
004715EC B103 mov cl, $03

* Reference to: system.@PStrNCat;
|
004715EE E80D15F9FF call 00402B00   //连接这两个数字,假设我们输入的License key为'12345'，那么连接后为$12
004715F3 8D55CC lea edx, [ebp-$34]
004715F6 8D45D8 lea eax, [ebp-$28]

* Reference to: system.@LStrFromString(String;ShortString);
| or: system.@WStrFromString(WideString;ShortString);
|
004715F9 E84628F9FF call 00403E44
004715FE 8B45D8 mov eax, [ebp-$28]

* Reference to: sysutils.StrToInt(System.AnsiString):System.Integer;
|
00471601 E86E71F9FF call 00408774   //字符串转化为十六进制$12
00471606 8BD0 mov edx, eax   //dl就是转化好的数,12->0x12
00471608 8A45EF mov al, byte ptr [ebp-$11]   //al='D'
0047160B 32D0 xor dl, al   //异或
0047160D 8D45E8 lea eax, [ebp-$18]

* Reference to: system.@LStrFromChar(String;Char);
| or: system.@LStrFromWChar(String;WideChar);
| or: system.@WStrFromChar(WideString;Char);
| or: system.@WStrFromWChar(WideString;WideChar);
|
00471610 E8B327F9FF call 00403DC8
00471615 8D45E4 lea eax, [ebp-$1C]
00471618 8B55E8 mov edx, [ebp-$18]

* Reference to: system.@LStrCat;
|
0047161B E88828F9FF call 00403EA8
00471620 FF45F0 inc dword ptr [ebp-$10]
00471623 4F dec edi       //edi=LEN(License key)
00471624 0F852FFFFFFF jnz 00471559   //循环
……　……　……
* Reference to: system.@LStrLen:Integer;
| or: system.@DynArrayLength;
| or: system.DynArraySize(Pointer):Integer;
|
00471649 E85228F9FF call 00403EA0
0047164E 8B55E4 mov edx, [ebp-$1C]
00471651 8A5C02FF mov bl, byte ptr [edx+eax-$01]   //bl=上面循环后算出来的最后一位数
00471655 8B45F4 mov eax, [ebp-$0C]
00471658 8B00 mov eax, [eax]

|
0047165A E86D000000 call 004716CC   //除最后一位外，其它的相加，和&0xff
0047165F 3AD8 cmp bl, al   //比较
00471661 7404 jz 00471667   //不等就886
……　……　……　
call 004716CC　如下：
……　……　……　
004716F8 BA01000000 mov edx, $00000001
004716FD 8B4DFC mov ecx, [ebp-$04]
00471700 0FB64C11FF movzx ecx, byte ptr [ecx+edx-$01]   //取上面那个循环(EIP:0047160B) XOR后的结果
00471705 81E3FF000000 and ebx, $000000FF
0047170B 03CB add ecx, ebx       //连加
0047170D 81E1FF000000 and ecx, $000000FF
00471713 8BD9 mov ebx, ecx
00471715 42 inc edx
00471716 48 dec eax
00471717 75E4 jnz 004716FD
…… …… ……
* Reference to: controls.TControl.GetText(TControl):System.String;
|
00490F37 E884F7F9FF call 004306C0
00490F3C 8B45DC mov eax, [ebp-$24]   //取姓名
00490F3F 8D55E0 lea edx, [ebp-$20]

* Reference to: sysutils.UpperCase(System.AnsiString):System.AnsiString;
|
00490F42 E88974F7FF call 004083D0       //将小写字母转化为大写
00490F47 8B45E0 mov eax, [ebp-$20]
00490F4A 8D55E4 lea edx, [ebp-$1C]

…… …… ……
|
00490F55 E87207FEFF call 004716CC
00490F5A 25FF000000 and eax, $000000FF
00490F5F 3BF0 cmp esi, eax       //esi=上面那个循环XOR后的结果的第5、6两个个数字转化为十六进制后的数，eax=姓名的所有字母大写后的AScii码之和
00490F61 0F8552030000 jnz 004912B9       //不等就886
…… …… ……

* Reference to: system.@LStrCmp;
|
00490FBF E8EC2FF7FF call 00403FB0       //比较。上面那个循环XOR后的结果的第一、二个数字与姓名的第一、二个字母比较
00490FC4 0F85EF020000 jnz 004912B9       //不等就886
00490FCA 8D45C0 lea eax, [ebp-$40]
00490FCD 50 push eax
00490FCE 8D55B8 lea edx, [ebp-$48]

…… …… ……
* Reference to: system.@LStrCmp;
|
00491041 E86A2FF7FF call 00403FB0       //比较。上面那个循环XOR后的结果的第三、四个数字与姓名的倒数第二、一个字母比较
00491046 0F856D020000 jnz 004912B9
…… …… ……
下面的这段代码就是把上面那个循环XOR后的结果中的第十一位至第十四位与系统时间比较了
* Reference to: sysutils.StrToInt(System.AnsiString):System.Integer;
|
00491094 E8DB76F7FF call 00408774   //字符串转化为整数
00491099 66B90100 mov cx, $0001
0049109D 5A pop edx

* Reference to: sysutils.EncodeDate(System.Word;System.Word;System.Word):System.TDateTime;
|
0049109E E8C986F7FF call 0040976C   //经过一番运算后
004910A3 DD5D98 fstp qword ptr [ebp-$68]   //以浮点数保存，在SoftICE下wf
004910A6 9B wait

* Reference to: sysutils.Date:System.TDateTime;
|
004910A7 E83089F7FF call 004099DC   //取系统时间，2001＝0x7D1,经过运算
004910AC DC5D98 fcomp qword ptr [ebp-$68] //与刚才的那个数比较
004910AF DFE0 fstsw ax
004910B1 9E sahf
004910B2 0F83F5010000 jnb 004912AD   //if jump,Bad guy!
004910B8 8D4594 lea eax, [ebp-$6C]
004910BB 50 push eax
004910BC B904000000 mov ecx, $00000004
004910C1 BA07000000 mov edx, $00000007
004910C6 8B45FC mov eax, [ebp-$04]
…… …… ……
* Possible String Reference to: '9999'
|
004910D1 BAC8134900 mov edx, $004913C8

* Reference to: system.@LStrCmp;
|
004910D6 E8D52EF7FF call 00403FB0   //这里是比较，如果面那个循环XOR后的结果的第7～10四个数字要是等于'9999'的话，那么注册栏下面的Licensed copies:会显示Site!
004910DB 7512 jnz 004910EF   //注意上面那个'9999'

* Possible String Reference to: 'Site'           //还有这个'Site'
|
004910E3 BAD8134900 mov edx, $004913D8

* Reference to: controls.TControl.SetText(TControl;System.String);
|
004910E8 E803F6F9FF call 004306F0
004910ED EB24 jmp 00491113
004910EF 8D4590 lea eax, [ebp-$70]
004910F2 50 push eax
004910F3 B904000000 mov ecx, $00000004
004910F8 BA07000000 mov edx, $00000007
004910FD 8B45FC mov eax, [ebp-$04]

…… …… ……
* Possible String Reference to: '12/99'       //注意这个'12/99'
|
0049115A BAF4134900 mov edx, $004913F4

* Reference to: system.@LStrCmp;
|
0049115F E84C2EF7FF call 00403FB0//这里是比较，如果面那个循环XOR后的结果的第11～14四个数字要是等于'1299'的话，那么注册栏下面的Expiration:会显示None!也就是永不过期!
00491164 7512 jnz 00491178

* Reference to control TMainForm.ExpirationLabel : TLabel
|
00491166 8B8360040000 mov eax, [ebx+$0460]

* Possible String Reference to: 'None'       //还有这个'None'
|
0049116C BA04144900 mov edx, $00491404

* Reference to: controls.TControl.SetText(TControl;System.String);
|
00491171 E87AF5F9FF call 004306F0
00491176 EB63 jmp 004911DB
00491178 8D857CFFFFFF lea eax, [ebp+$FFFFFF7C]
0049117E 50 push eax
0049117F B902000000 mov ecx, $00000002
00491184 BA0B000000 mov edx, $0000000B
00491189 8B45FC mov eax, [ebp-$04]
…… …… ……
下面还有一段代码就是对注册表的操作了。忽略
－－－－－－－－－DISKdata.reg－－－－－－－－－－－－－－－－－－－－－－
REGEDIT4

[HKEY_CURRENT_USER\Software\Digital Information Gallery\DiskData\Settings]
"Licensee"="CoolBob[CCG]"
"Key"="070614165C544D58147D7861725D3D"

－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－
:),还是帖个注册机，嘿嘿。
－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－

#include<stdio.h>
#include<ctype.h>
#include<string.h>
main(){
char name[60];
char code[15];
int n=0,i,result_xor=0;
char str[]="DISKdata-DISKdata-";
char date[]="99991299";   /* you can change this for try other License 12 stands for month */
clrscr();       /* 99 stands for 2099 year,Max year in our Windows98,9999 for 'Site' */
printf("DISKdata v3.3.2 keymaker by CoolBob[CCG]\n");
printf("written at 2001-7-13\n");
printf("Enter your name:");
gets(name);
strupr(name);
for(i=0;i<=1;i++)
code[i]=str[i]^name[i];
code[2]=str[2]^name[strlen(name)-2];
code[3]=str[3]^name[strlen(name)-1];
for(i=0;i<strlen(name);i++)
n=n+name[i];
n=n&0xff;
if (n/0x10>9) code[4]=n/0x10+0x37^str[4];
else
code[4]=n/0x10+0x30^str[4];
if (n%0x10>9) code[5]=n%0x10+0x37^str[5];
else
code[5]=n%0x10+0x30^str[5];
for(i=6;i<14;i++)
code[i]=str[i]^date[i-6];
result_xor=name[0]+name[1]+name[strlen(name)-1]+name[strlen(name)-2];
result_xor=result_xor+(code[4]^str[4])+(code[5]^str[5]);
for(i=0;i<8;i++)
result_xor=result_xor+date[i];
result_xor=result_xor&0xff;
code[14]=result_xor^str[14];
printf("License key is:");
for(i=0;i<15;i++)
if (code[i]<=0xF) printf("0%X",code[i]);
else
printf("%X",code[i]);
printf("\npress any key to exit!\n");
getch();
}

-------------------------------------------------------------------------------------
2001-7-13 written by CoolBob