===================Open Cracking Group========================
=
=
MouseStar V3.01注册算法分析
=
=
ssljx/OCG
= http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi
=
===================Open Cracking Group========================
:0047A051 E81E24FBFF
call 0042C474
:0047A056 8B45E4
mov eax, dword ptr [ebp-1C]
:0047A059 8D55F8
lea edx, dword ptr [ebp-08]
:0047A05C
E843DEF8FF call 00407EA4
:0047A061 8D4DFC
lea ecx, dword ptr [ebp-04]
:0047A064 8B55F8
mov edx, dword ptr [ebp-08]
:0047A067 8BC3
mov eax, ebx
:0047A069 E87EFEFFFF call 00479EEC<=========计算注册码
==============================SUB 00479EEC============================
:00479EEC 55
push ebp
:00479EED 8BEC
mov ebp, esp
:
:
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:00479ED6(C)
|
:00479F19 8D55E4
lea edx, dword ptr [ebp-1C]
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00479EB9(C)
|
:00479F1C 8B45FC
mov eax, dword ptr [ebp-04]
:00479F1F E880DFF8FF
call 00407EA4======>去掉注册名最后空格
:00479F24 8B45E4
mov eax, dword ptr [ebp-1C]
:00479F27 8D55E8
lea edx, dword ptr [ebp-18]
:00479F2A E865DDF8FF
call 00407C94======>将注册名全部转换成大写字母
:00479F2F
8B55E8 mov edx,
dword ptr [ebp-18]
:00479F32 8D45F8
lea eax, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"delphi"
|
:00479F35 B9A89F4700
mov ecx, 00479FA8
:00479F3A
E8E59DF8FF call 00403D24======>大写的注册名+'delphi'
:00479F3F 8D45F4
lea eax, dword ptr [ebp-0C]
*
Possible StringData Ref from Code Obj ->"MagicUtils"
|
:00479F42 BAB89F4700
mov edx, 00479FB8
:00479F47
E8A49BF8FF call 00403AF0
:00479F4C 8D45F0
lea eax, dword ptr [ebp-10]
* Possible
StringData Ref from Code Obj ->"zhiyuan"
|
:00479F4F BACC9F4700
mov edx, 00479FCC
:00479F54 E8979BF8FF
call 00403AF0
:00479F59
8D45EC lea eax,
dword ptr [ebp-14]
* Possible StringData Ref from
Code Obj ->"3.0"
|
:00479F5C
BADC9F4700 mov edx, 00479FDC
:00479F61 E88A9BF8FF
call 00403AF0
:00479F66 8B45EC
mov eax, dword ptr [ebp-14]==>'3.0'
:00479F69 50
push eax
:00479F6A
53
push ebx
:00479F6B 8B4DF0
mov ecx, dword ptr [ebp-10]==>'zhiyuan'
:00479F6E 8B55F4
mov edx, dword ptr [ebp-0C]==>'MagicUtils'
:00479F71
8B45F8 mov eax,
dword ptr [ebp-08]==>UpperCase(Name)+'delphi'
:00479F74
E883A7FFFF call 004746FC======>进行计算
===============================SUB 004746FC===========================
:004746FC
55
push ebp
:
:
:00474751 50
push eax
:00474752
8D45EC lea eax,
dword ptr [ebp-14]
:00474755 50
push eax
:00474756 8B4DF4
mov ecx, dword ptr [ebp-0C]
:00474759 8B55F8
mov edx, dword ptr [ebp-08]
:0047475C 8B45FC
mov eax, dword ptr [ebp-04]
:0047475F
E880FDFFFF call 004744E4==>产生后面十位字符串
================================SUB 004744E4=======================================
:004744E4 55
push ebp
:004744E5 8BEC
mov ebp, esp
:004744E7 83C4E8
add esp, FFFFFFE8
::
::
:00474522 689F454700
push 0047459F
:00474527 64FF30
push dword ptr fs:[eax]
:0047452A 648920
mov dword ptr fs:[eax], esp
:0047452D 33D2
xor edx, edx
:0047452F 8B450C
mov eax, dword ptr [ebp+0C]
:00474532 E8993BF9FF
call 004080D0
:00474537 8BD0
mov edx, eax
:00474539
8D4DF0 lea ecx,
dword ptr [ebp-10]
:0047453C B8B0454700
mov eax, 004745B0
:00474541 E86E000000
call 004745B4
:00474546 8B45F4
mov eax, dword ptr [ebp-0C]
:00474549
E84EF9F8FF call 00403E9C
:0047454E 8D4DEC
lea ecx, dword ptr [ebp-14]//'zhiyuan'
:00474551 33D2
xor edx, edx
:00474553 E85C000000
call 004745B4
========================SUB
004745B4=================================
:004745B4 55
push ebp
:004745B5 8BEC
mov ebp, esp
:004745B7 83C4EC
add esp, FFFFFFEC
:004745BA 53
push ebx
:004745BB 56
push esi
:004745BC 57
push edi
:004745BD
33DB xor
ebx, ebx
:004745BF 895DEC
mov dword ptr [ebp-14], ebx
:004745C2
895DF0 mov dword
ptr [ebp-10], ebx
:004745C5 894DF8
mov dword ptr [ebp-08], ecx
:004745C8 8BF2
mov esi, edx
:004745CA 8945FC
mov dword ptr [ebp-04], eax
:004745CD 33C0
xor eax, eax
:004745CF 55
push ebp
:004745D0 68EE464700
push 004746EE
:004745D5 64FF30
push dword ptr fs:[eax]
:004745D8
648920 mov dword
ptr fs:[eax], esp
:004745DB 8D45F0
lea eax, dword ptr [ebp-10]
:004745DE 8B55FC
mov edx, dword ptr [ebp-04]
:004745E1 E82AF6F8FF
call 00403C10
:004745E6
8B45F0 mov eax,
dword ptr [ebp-10]
:004745E9 E8EAF6F8FF
call 00403CD8
:004745EE 8BD8
mov ebx, eax
:004745F0 85DB
test ebx, ebx
:004745F2 7513
jne 00474607
:004745F4 8935F8E94700
mov dword ptr [0047E9F8], esi
:004745FA 6BC664
imul eax, esi, 00000064
:004745FD A3FCE94700
mov dword ptr [0047E9FC], eax
:00474602 E9CC000000
jmp 004746D3
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004745F2(C)
|
:00474607
8B45F8 mov eax,
dword ptr [ebp-08]
:0047460A E849F4F8FF
call 00403A58
:0047460F 8BFB
mov edi, ebx
:00474611 4F
dec edi
:00474612 85FF
test edi, edi
:00474614 0F8CB9000000
jl 004746D3
:0047461A 47
inc edi
:0047461B
33F6 xor
esi, esi
===============================================================================
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:004746CD(C)
|
:0047461D 8B45FC
mov eax, dword ptr [ebp-04]
:00474620 8A0430
mov al, byte ptr [eax+esi]
:00474623 3C20
cmp al, 20---------\
:00474625
0F82A0000000 jb 004746CB
规定了注册名的范围
:0047462B 3C7E
cmp al, 7E
:0047462D
0F8798000000 ja 004746CB--------/
:00474633 8B15F8E94700
mov edx, dword ptr [0047E9F8]
:00474639 81E2FFFFFF1F
and edx, 1FFFFFFF
:0047463F
8B0DF8E94700 mov ecx, dword ptr [0047E9F8]
:00474645 C1E91D
shr ecx, 1D
:00474648 83E131
and ecx, 00000031
:0047464B 33D1
xor edx, ecx
:0047464D 8915F8E94700
mov dword ptr [0047E9F8], edx
:00474653
8845F7 mov byte
ptr [ebp-09], al
:00474656 A1F8E94700
mov eax, dword ptr [0047E9F8]
:0047465B
B95F000000 mov ecx, 0000005F
:00474660 99
cdq
:00474661 F7F9
idiv ecx
:00474663
33D2 xor
edx, edx
:00474665 8A55F7
mov dl, byte ptr [ebp-09]
:00474668
83EA20 sub edx,
00000020
:0047466B 2BC2
sub eax, edx
:0047466D
E832FEFFFF call 004744A4
:00474672 8BD8
mov ebx, eax
:00474674 80C320
add bl, 20
:00474677 FF05FCE94700 inc
dword ptr [0047E9FC]
:0047467D 813DFCE9470079510000
cmp dword ptr [0047E9FC], 00005179
:00474687 7C07
jl 00474690
:00474689 33C0
xor eax, eax
:0047468B A3FCE94700
mov dword ptr [0047E9FC], eax
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:00474687(C)
|
:00474690 8A45F7
mov al, byte ptr [ebp-09]
:00474693 32C3
xor al, bl
:00474695 25FF000000
and eax, 000000FF
:0047469A 8B15F8E94700
mov edx, dword ptr [0047E9F8]
:004746A0
0315F8E94700 add edx, dword ptr [0047E9F8]
:004746A6 03C2
add eax, edx
:004746A8 0305FCE94700
add eax, dword ptr [0047E9FC]
:004746AE
A3F8E94700 mov dword ptr [0047E9F8],
eax
:004746B3 8D45EC
lea eax, dword ptr [ebp-14]
:004746B6
8BD3 mov
edx, ebx
:004746B8 E843F5F8FF
call 00403C00
:004746BD 8B55EC
mov edx, dword ptr [ebp-14]
:004746C0 8B45F8
mov eax, dword ptr [ebp-08]
:004746C3
E818F6F8FF call 00403CE0//将ebx转化为字符,而产生字符串
:004746C8 8B45F8
mov eax, dword ptr [ebp-08]
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00474625(C), :0047462D(C)
|
:004746CB 46
inc esi
:004746CC 4F
dec edi
:004746CD 0F854AFFFFFF jne
0047461D
=========================================================================
Buf:=BBuf;====>[0047E9F8]
temp:=ttmp;===>[0047E9FC]
Lencode:=length(STrCode);
for index:=1 to Lencode do
begin
if
(ord(STrCode[index])< $7e) and
(ord(STrCode[index])
> $20) then
begin
edx:=buf and $1fffffff;
ecx:=(Buf shr $1d) and
$31;
edx:=edx xor ecx;
Buf:=edx;
eax:=Buf div $5f;
eax:=eax-(ord(STrCode[index])-$20);
eax:=CHAG(eax);
ebx:=eax+$20;
temp:=temp+1;
if index >=
$5179 then temp:=0;
eax:=(ord(STrCode[index])
xor ebx ) and $000000ff;
eax:=eax+2*Buf;
eax:=eax+temp;
Buf:=eax;
STrpcode:=STrpcode+chr(ebx);
end;
end;
这个过程主要计算[0047E9F8],返回[0047E9F8],[0047E9FC]作为下次调用的参数
============================================================================
::
::
:004746E0 8D45EC
lea eax, dword ptr [ebp-14]
:004746E3
BA02000000 mov edx, 00000002
:004746E8 E88FF3F8FF
call 00403A7C
:004746ED C3
ret
============================END
004745B4=====================================
:00474558 8B45FC
mov eax, dword ptr [ebp-04]
:0047455B E83CF9F8FF call 00403E9C
:00474560 8D4DE8
lea ecx, dword ptr [ebp-18]//UpperCase(Name)+'delphi'
:00474563 33D2
xor edx, edx
:00474565 E84A000000 call 004745B4
:0047456A 8B45F8
mov eax, dword ptr [ebp-08]
:0047456D E82AF9F8FF
call 00403E9C
:00474572 8B4D08
mov ecx, dword ptr [ebp+08]//'MagicUtils'
===========================================================================
这次调用产生的字符串将串到UpperCase(Name)+'delphi'+'MagicUtils'+'zhiyuan'+'3.0'后面,作为计算CRC32(不标准)的strName
===========================================================================
:00474575 33D2
xor edx, edx
:00474577 E838000000
call 004745B4
:0047457C 33C0
xor eax, eax
:0047457E 5A
pop edx
==========================END
004744E4=======================================
:00474764 FF75EC
push [ebp-14]
:00474767 8D45F0
lea eax, dword ptr [ebp-10]
:0047476A BA05000000
mov edx, 00000005
:0047476F
E824F6F8FF call 00403D98
:00474774 8B5508
mov edx, dword ptr [ebp+08]
:00474777 8B45F0
mov eax, dword ptr [ebp-10]
:0047477A
E831000000 call 004747B0====>计算CRC32(不标准)
========================SUB 00474B0(CRC32)==================================
:004747B0 55
push ebp
:004747B1 8BEC
mov ebp, esp
:004747B3 83C4F4
add esp, FFFFFFF4
:004747B6 53
push ebx
:004747B7 56
push esi
:004747B8 33C9
xor ecx, ecx
:004747BA 894DF4
mov dword ptr [ebp-0C], ecx
:004747BD
8955F8 mov dword
ptr [ebp-08], edx
:004747C0 8945FC
mov dword ptr [ebp-04], eax
:004747C3 8B45FC
mov eax, dword ptr [ebp-04]
:004747C6 E8C1F6F8FF call 00403E8C
:004747CB 33C0
xor eax, eax
:004747CD 55
push ebp
:004747CE 684F484700
push 0047484F
:004747D3 64FF30
push dword ptr fs:[eax]
:004747D6 648920
mov dword ptr fs:[eax], esp
:004747D9 33DB
xor ebx, ebx
:004747DB 8B45FC
mov eax, dword ptr [ebp-04]
:004747DE E8F5F4F8FF call 00403CD8
:004747E3 85C0
test eax, eax
:004747E5 7E2C
jle 00474813
:004747E7 BE01000000
mov esi, 00000001
==============================CRC32===========================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474811(C)
|
:004747EC 8B55FC
mov edx, dword ptr [ebp-04]=====>strName
:004747EF 8A5432FF
mov dl, byte ptr [edx+esi-01]===>ord(strName[edx+esi-01])
:004747F3 32D3
xor dl, bl======================>dl:=dl xor bl
:004747F5 81E2FF000000
and edx, 000000FF===============>edx:=edx and
$000000ff
:004747FB 8B1495D0D54700 mov
edx, dword ptr [4*edx+0047D5D0]==>码表数据固定[0-$FF]
:00474802 C1EB08
shr ebx, 08=====================>ebx:=ebx
shr 8
:00474805 81E3FFFFFF00 and
ebx, 00FFFFFF===============>ebx:=ebx and $00ffffff;
:0047480B 33D3
xor edx, ebx====================>edx:=edx
xor ebx
:0047480D 8BDA
mov ebx, edx====================>ebx:=edx
:0047480F 46
inc esi
:00474810 48
dec eax
:00474811 75D9
jne 004747EC
=========================================================
下面将刚才的结果转化成小写字母输出!!!!!!!!!
=========================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004747E5(C)
|
:00474813 8BC3
mov eax, ebx
:00474815 33D2
xor edx, edx
:00474817
52
push edx
:00474818 50
push eax
:00474819 8D55F4
lea edx, dword ptr [ebp-0C]
:0047481C
B808000000 mov eax, 00000008
:00474821 E82E38F9FF call 00408054
:00474826 8B45F4
mov eax, dword ptr [ebp-0C]
:00474829 8B55F8
mov edx, dword ptr [ebp-08]
:0047482C E89F34F9FF
call 00407CD0
:00474831 33C0
xor eax, eax
:00474833 5A
pop edx
===========================END
SUB 00474B0(CRC32)========================
:0047477F
33C0 xor
eax, eax
:00474781 5A
pop edx
:00474782 59
pop ecx
:00474783 59
pop ecx
:00474784
648910 mov dword
ptr fs:[eax], edx
:00474787 68A9474700
push 004747A9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004747A7(U)
|
:0047478C 8D45EC
lea eax, dword ptr [ebp-14]
:0047478F BA05000000
mov edx, 00000005
:00474794
E8E3F2F8FF call 00403A7C
:00474799 8D450C
lea eax, dword ptr [ebp+0C]
:0047479C E8B7F2F8FF
call 00403A58
:004747A1 C3
ret
=======================================END 004746FC==============================
:00479F79 33C0
xor eax, eax
:00479F7B
5A
pop edx
:00479F7C 59
pop ecx
:00479F7D
59
pop ecx
:00479F7E 648910
mov dword ptr fs:[eax], edx
:00479F81
689B9F4700 push 00479F9B
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00479F99(U)
|
:00479F86 8D45E4
lea eax, dword ptr [ebp-1C]
:00479F89 BA07000000
mov edx, 00000007
:00479F8E
E8E99AF8FF call 00403A7C
:00479F93 C3
ret
=================================END 00479EEC===================
:0047A06E 8D55E0
lea edx, dword ptr [ebp-20]
:0047A071 8B833C030000
mov eax, dword ptr [ebx+0000033C]
:0047A077 E8F823FBFF
call 0042C474
:0047A07C 8B45E0
mov eax, dword ptr [ebp-20]<====输入的注册码
:0047A07F 8B55FC
mov edx, dword ptr [ebp-04]<====真注册码
:0047A082 E8619DF8FF
call 00403DE8<=========比较注册码
:0047A087
0F85B2000000 jne 0047A13F<==========关键转向
===============================算法总结=========================
1.将注册名转换成大写字母(UpperCase(Name))
2.将UpperCase(Name)+'delphi'和'MagicUtils'和'zhiyuan'分别进行计算出十位的字符串(str)
3.把UpperCase(Name)+'delphi'+'MagicUtils'+'zhiyuan'+'3.0'+str作为CRC32(不标准)的明文进行计算,得出注册码并以小写形式输出..
==============================算法分析完===========================
注册表的值:
HKCU\Software\MouseStar 3.0\enversion
===================Open
Cracking Group========================
=
=
MouseStar V3.01注册算法分析
=
=
ssljx/OCG
= http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi
=
===================Open Cracking Group========================
- 标 题:MouseStar V3.01注册算法分析 (18千字)
- 作 者:ssljx
- 时 间:2002-4-3
15:14:41
- 链 接:http://bbs.pediy.com