某国产彩票V3.0软件的算法分析
=========================================
软件说明:不注册可以用30次,注册后为标准版
软件没加壳
算法说明: 这是一个字符串变换的算法
工 具: Trw122,Wasm89,矿泉水一瓶
附 注: 删去一堆废话,直接看它的算法
========================================
分析说明:为了方便 用 ID代表机器号
SN代表注册号
注册号格 式: XXXX-XXXX-XXXX-XXXX
以下用此代号 SN1-SN2-SN3-SN4代表各部份
****************
注册流程
****************
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:005148E6(C)
|
:005148F2 6A24
push 00000024
:005148F4 68B84A5100
push 00514AB8
* Possible StringData Ref from Code Obj
->" 您确认接受以上所声明的内容吗? "
->" "
|
:005148F9 68C04A5100
push 00514AC0
:005148FE 8BC3
mov eax, ebx
:00514900 E8D377F3FF call 0044C0D8
:00514905 50
push eax
* Reference To: user32.MessageBoxA, Ord:0000h
|
:00514906 E89D31EFFF
Call 00407AA8
:0051490B 83F807
cmp eax, 00000007
:0051490E
7505 jne
00514915
:00514910 E8CB88EFFF
call 0040D1E0
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:0051490E(C)
|
:00514915 A1E0E25100
mov eax, dword ptr [0051E2E0]
:0051491A 8B00
mov eax, dword
ptr [eax]
:0051491C FF8030050000
inc dword ptr [eax+00000530]
:00514922 8D55F8
lea edx, dword ptr [ebp-08]
:00514925
8B832C030000 mov eax, dword ptr [ebx+0000032C]
:0051492B E8100FF3FF call
00445840
:00514930 FF75F8
push [ebp-08]
:00514933 68EC4A5100
push 00514AEC
:00514938 8D55F4
lea edx, dword ptr [ebp-0C]
:0051493B
8B8334030000 mov eax, dword ptr [ebx+00000334]
:00514941 E8FA0EF3FF call
00445840
:00514946 FF75F4
push [ebp-0C]
:00514949 68EC4A5100
push 00514AEC
:0051494E 8D55F0
lea edx, dword ptr [ebp-10]
:00514951
8B833C030000 mov eax, dword ptr [ebx+0000033C]
:00514957 E8E40EF3FF call
00445840
:0051495C FF75F0
push [ebp-10]
:0051495F 68EC4A5100
push 00514AEC
:00514964 8D55EC
lea edx, dword ptr [ebp-14]
:00514967
8B8344030000 mov eax, dword ptr [ebx+00000344]
:0051496D E8CE0EF3FF call
00445840
:00514972 FF75EC
push [ebp-14]
:00514975 8D45FC
lea eax, dword ptr [ebp-04]
:00514978 BA07000000
mov edx, 00000007
:0051497D E82E04EFFF
call 00404DB0
:00514982 8B45FC
mov eax, dword ptr [ebp-04]
:00514985 50
push eax
:00514986 8D55E8
lea edx, dword ptr [ebp-18]
:00514989 8B8328030000
mov eax, dword ptr [ebx+00000328]
:0051498F
E8AC0EF3FF call 00445840
:00514994 8B45E8
mov eax, dword ptr [ebp-18] --- eax=机器号地址
:00514997 5A
pop edx
----- edx=输入注册号地址
:00514998
E86BF8FFFF call 00514208----------------注册号比较(分析见下)
:0051499D 84C0
test al, al----------典型结构
:0051499F 7530
jne 005149D1
:005149A1 6A10
push 00000010
* Possible StringData Ref from Code Obj ->"错误"
|
:005149A3 B9F04A5100
mov ecx, 00514AF0
* Possible StringData Ref from Code Obj ->"
注 册 号 错 误! "
|
:005149A8
BAF84A5100 mov edx, 00514AF8
:005149AD A1C4E05100 mov eax,
dword ptr [0051E0C4]
:005149B2 8B00
mov eax, dword ptr [eax]
:005149B4 E8CF11F5FF
call 00465B88
:005149B9 A188005200
mov eax, dword ptr [00520088]
:005149BE
8B802C030000 mov eax, dword ptr [eax+0000032C]
:005149C4 8B10
mov edx, dword ptr [eax]
:005149C6 FF92C0000000
call dword ptr [edx+000000C0]
:005149CC E9C0000000
jmp 00514A91
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0051499F(C)
|
:005149D1 A11CE35100 mov
eax, dword ptr [0051E31C]
:005149D6 8B00
mov eax, dword ptr [eax]
:005149D8 8B5874
mov ebx, dword ptr [eax+74]
:005149DB 8BC3
mov eax, ebx
:005149DD E84682F9FF
call 004ACC28
:005149E2 8BC3
mov eax, ebx
:005149E4 E88BA7F9FF
call 004AF174
:005149E9 8BC3
mov eax, ebx
:005149EB E810ABF9FF call 004AF500
* Possible StringData Ref from Code Obj ->"bbb"
|
:005149F0 BA184B5100
mov edx, 00514B18
:005149F5 8BC3
mov eax, ebx
:005149F7 E8E893F9FF
call 004ADDE4
* Possible StringData
Ref from Code Obj ->"标准版"
|
:005149FC
BA244B5100 mov edx, 00514B24
:00514A01 8B08
mov ecx, dword ptr [eax]
:00514A03 FF91B0000000
call dword ptr [ecx+000000B0]
* Possible StringData Ref
from Code Obj ->"ZCZC"
|
:00514A09
BA344B5100 mov edx, 00514B34
:00514A0E 8BC3
mov eax, ebx
:00514A10 E8CF93F9FF
call 004ADDE4
:00514A15 B201
mov dl, 01
:00514A17 8B08
mov ecx, dword ptr [eax]
:00514A19 FF9194000000 call dword ptr
[ecx+00000094]
* Possible StringData Ref from Code Obj ->"YHDM1"
|
:00514A1F BA444B5100
mov edx, 00514B44
:00514A24 8BC3
mov eax, ebx
:00514A26
E8B993F9FF call 004ADDE4
:00514A2B 33D2
xor edx, edx
:00514A2D 8B08
mov ecx, dword ptr [eax]
:00514A2F FF91B0000000
call dword ptr [ecx+000000B0]
:00514A35
BA544B5100 mov edx, 00514B54
:00514A3A 8BC3
mov eax, ebx
:00514A3C E8A393F9FF
call 004ADDE4
:00514A41 B201
mov dl, 01
:00514A43 8B08
mov ecx, dword ptr [eax]
:00514A45 FF9194000000 call dword ptr
[ecx+00000094]
:00514A4B 8BC3
mov eax, ebx
:00514A4D 8B10
mov edx, dword ptr [eax]
:00514A4F
FF9248020000 call dword ptr [edx+00000248]
:00514A55 8BC3
mov eax, ebx
:00514A57 E8D881F9FF
call 004ACC34
:00514A5C 6A40
push 00000040
* Possible StringData
Ref from Code Obj ->"恭喜您!"
|
:00514A5E
B9584B5100 mov ecx, 00514B58
* Possible StringData Ref from Code Obj ->" 注 册 成 功 ! "
|
:00514A63 BA604B5100
mov edx, 00514B60
:00514A68 A1C4E05100
mov eax, dword ptr [0051E0C4]
:00514A6D
8B00 mov
eax, dword ptr [eax]
:00514A6F E81411F5FF
call 00465B88
:00514A74 A188005200
mov eax, dword ptr [00520088]
:00514A79 E8B6D8F4FF
call 00462334
:00514A7E A1E0E25100
mov eax, dword ptr [0051E2E0]
:00514A83
8B00 mov
eax, dword ptr [eax]
:00514A85 C6805405000001
mov byte ptr [eax+00000554], 01
:00514A8C E8DB480000
call 0051936C
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:005149CC(U)
|
:00514A91 33C0
xor eax, eax
:00514A93 5A
pop edx
:00514A94 59
pop ecx
:00514A95 59
pop ecx
:00514A96 648910
mov dword ptr fs:[eax],
edx
:00514A99 68B34A5100
push 00514AB3
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00514AB1(U)
|
:00514A9E 8D45E8
lea eax, dword ptr [ebp-18]
:00514AA1
BA06000000 mov edx, 00000006
:00514AA6 E8B1FFEEFF call 00404A5C
:00514AAB C3
ret
***************
算法分析
***************
=========================================================================
SUB_00514208
功能:注册号比较
入口:eax=机器号地址 edx=输入注册号地址
出口:al=0 正确
al=1 不正确
*************************************************************
* 以下子程序只作说明,以便更好分析算法
* 重要子程序: sub_00404E34
*
* 功能: 字符串比较
*
*
入口:eax=字符串1地址 edx=字符串2地址 *
* 出口:flag
z=0 相同
*
*
flag z=1 不相同
*
* sub_00404F48
*
*
功能: 从字符串中截取字符
*
*
入口:eax=字符串地址 edx=截取字符开始位置 *
*
ecx=截取字符数
*
*
出口:edx=取得的字符地址
*
*************************************************************
注:ID------机器号
SN------注册号 ,格
式: XXXX-XXXX-XXXX-XXXX
以下用此代号 SN1-SN2-SN3-SN4
=========================================================================
* Referenced by a CALL at Address:
|:00514998
|
:00514208 55
push ebp
:00514209 8BEC
mov ebp, esp
:0051420B B90A000000
mov ecx, 0000000A
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00514215(C)
|
:00514210 6A00
push 00000000
:00514212 6A00
push 00000000
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:005141C2(C)
|
:00514214 49
dec ecx
:00514215 75F9
jne 00514210
:00514217 51
push ecx
:00514218 53
push ebx
:00514219 56
push esi
:0051421A 8955F8
mov dword ptr [ebp-08],
edx
:0051421D 8945FC
mov dword ptr [ebp-04], eax
:00514220 8B45FC
mov eax, dword ptr [ebp-04]
:00514223
E8B00CEFFF call 00404ED8
:00514228 8B45F8
mov eax, dword ptr [ebp-08]
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:005141C4(C)
|
:0051422B E8A80CEFFF
call 00404ED8
:00514230 33C0
xor eax, eax
:00514232
55
push ebp
:00514233 686C445100
push 0051446C
:00514238 64FF30
push dword ptr fs:[eax]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:005141C6(C)
|
:0051423B 648920
mov dword ptr fs:[eax],
esp
:0051423E 8D45F4
lea eax, dword ptr [ebp-0C]
:00514241 E8F207EFFF
call 00404A38
:00514246 66BB0100
mov bx, 0001
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00514273(C)
|
:0051424A 8BF3
mov esi, ebx '从ID字符串中截取ID(1) ID(3) ID(5)
ID(7)字符
:0051424C 03F6
add esi, esi '组成ID(1)ID(3)ID(5)ID(7)
:0051424E 4E
dec esi
:0051424F 8D45E0
lea eax, dword ptr [ebp-20]
:00514252 50
push eax
:00514253 0FB7D6
movzx edx, si
:00514256 B901000000
mov ecx, 00000001
:0051425B 8B45FC
mov eax, dword ptr [ebp-04]
:0051425E E8E50CEFFF
call 00404F48
:00514263
8B55E0 mov edx,
dword ptr [ebp-20]
:00514266 8D45F4
lea eax, dword ptr [ebp-0C]
:00514269 E88A0AEFFF
call 00404CF8
:0051426E 43
inc ebx
:0051426F 6683FB05
cmp bx, 0005
:00514273 75D5
jne 0051424A
:00514275 8D45F0
lea eax, dword ptr [ebp-10]
:00514278
50
push eax
:00514279 B904000000
mov ecx, 00000004
:0051427E BA01000000
mov edx, 00000001
:00514283 8B45F8
mov eax, dword ptr [ebp-08]
:00514286
E8BD0CEFFF call 00404F48
'从SN字符串中截取SN(1) SN(2) SN(3) SN(4) 字符
:0051428B 8D45EC
lea eax, dword ptr [ebp-14]
:0051428E 50
push eax
:0051428F B904000000
mov ecx, 00000004
:00514294 BA06000000
mov edx, 00000006
:00514299 8B45F8
mov eax, dword ptr [ebp-08]
:0051429C
E8A70CEFFF call 00404F48
'从SN字符串中截取SN(6) SN(7) SN(8) SN(9) 字符
:005142A1 8D45E8
lea eax, dword ptr [ebp-18]
:005142A4 50
push eax
:005142A5 B904000000
mov ecx, 00000004
:005142AA BA0B000000
mov edx, 0000000B
:005142AF 8B45F8
mov eax, dword ptr [ebp-08]
:005142B2
E8910CEFFF call 00404F48
'从SN字符串中截取SN(11) SN(12) SN(13) SN(14) 字符
:005142B7 8D45E4
lea eax, dword ptr [ebp-1C]
:005142BA 50
push eax
:005142BB B904000000
mov ecx, 00000004
:005142C0 BA10000000
mov edx, 00000010
:005142C5 8B45F8
mov eax, dword ptr [ebp-08]
:005142C8
E87B0CEFFF call 00404F48
'从SN字符串中截取SN(16) SN(17) SN(18) SN(19) 字符
:005142CD 8B45FC
mov eax, dword ptr [ebp-04]
:005142D0 E81B0AEFFF call 00404CF0
:005142D5 8BD8
mov ebx, eax
:005142D7 8D45D8
lea eax, dword ptr [ebp-28]
:005142DA 50
push eax
'从SN1字符串中截取SN1(1)
:005142DB B901000000
mov ecx, 00000001
:005142E0 BA01000000
mov edx, 00000001
:005142E5 8B45F0
mov eax, dword ptr [ebp-10]
:005142E8 E85B0CEFFF call
00404F48
:005142ED FF75D8
push [ebp-28]
:005142F0 8D45D4
lea eax, dword ptr [ebp-2C]
:005142F3
50
push eax '从SN2字符串中截取SN2(2)
:005142F4 B901000000
mov ecx, 00000001
:005142F9 BA02000000
mov edx, 00000002
:005142FE 8B45EC
mov eax, dword ptr [ebp-14]
:00514301 E8420CEFFF call
00404F48
:00514306 FF75D4
push [ebp-2C]
:00514309 8D45D0
lea eax, dword ptr [ebp-30]
:0051430C
50
push eax '从SN3字符串中截取SN3(3)
:0051430D B901000000
mov ecx, 00000001
:00514312 BA03000000
mov edx, 00000003
:00514317 8B45E8
mov eax, dword ptr [ebp-18]
:0051431A E8290CEFFF call
00404F48
:0051431F FF75D0
push [ebp-30]
:00514322 8D45CC
lea eax, dword ptr [ebp-34]
:00514325
50
push eax
:00514326 B901000000
mov ecx, 00000001 '从SN4字符串中截取SN4(4)
:0051432B BA04000000
mov edx, 00000004
:00514330 8B45E4
mov eax, dword ptr [ebp-1C]
:00514333 E8100CEFFF call
00404F48
:00514338 FF75CC
push [ebp-34]
:0051433B 8D45DC
lea eax, dword ptr [ebp-24]
:0051433E
BA04000000 mov edx, 00000004
:00514343 E8680AEFFF call 00404DB0
:00514348 8B55DC
mov edx, dword ptr [ebp-24] 'EDX=SN1(1) SN2(2) SN3(3) SN4(4)地址
:0051434B 8B45F4
mov eax, dword ptr [ebp-0C] 'EAX=ID(1) ID(3) ID(5) ID(7) 地址
:0051434E
E8E10AEFFF call 00404E34
'字符串SN1(1) SN2(2) SN3(3) SN4(4)
ID(1) ID(3)
ID(5) ID(7) 比较
:00514353 0F85F2000000
jne 0051444B '不同则跳0051444B
:00514359 8D45C8
lea eax, dword ptr [ebp-38]
:0051435C 50
push eax
:0051435D B901000000 mov
ecx, 00000001
:00514362 BA04000000
mov edx, 00000004
:00514367 8B45F0
mov eax, dword ptr [ebp-10]
:0051436A E8D90BEFFF
call 00404F48 '从SN1字符串中截取SN1(4)
:0051436F 8B45C8
mov eax, dword ptr [ebp-38]
:00514372 50
push eax
:00514373 8D45C4
lea eax, dword ptr [ebp-3C]
:00514376 50
push eax
:00514377 0FB7D3
movzx edx, bx
:0051437A 83EA03
sub edx, 00000003
:0051437D B901000000
mov ecx, 00000001
:00514382 8B45FC
mov eax, dword ptr [ebp-04]
:00514385 E8BE0BEFFF call
00404F48 '从ID字符串中ID(9)
:0051438A 8B55C4
mov edx, dword ptr [ebp-3C]
:0051438D
58
pop eax
:0051438E E8A10AEFFF
call 00404E34 'ID(9)与SN1(4)比较
:00514393 0F85B2000000 jne 0051444B
'不同则跳0051444B
:00514399 8D45C0
lea eax, dword ptr [ebp-40]
:0051439C
50
push eax
:0051439D B901000000
mov ecx, 00000001
:005143A2 BA03000000
mov edx, 00000003
:005143A7 8B45EC
mov eax, dword ptr [ebp-14]
:005143AA
E8990BEFFF call 00404F48
'从SN2字符串中截取SN2(3)字符
:005143AF 8B45C0
mov eax, dword ptr [ebp-40]
:005143B2
50
push eax
:005143B3 8D45BC
lea eax, dword ptr [ebp-44]
:005143B6 50
push eax
:005143B7
0FB7D3 movzx edx,
bx
:005143BA 83EA02
sub edx, 00000002
:005143BD B901000000
mov ecx, 00000001
:005143C2 8B45FC
mov eax, dword ptr [ebp-04]
:005143C5
E87E0BEFFF call 00404F48
'从ID字符串中截取ID(10)字符
:005143CA 8B55BC
mov edx, dword ptr [ebp-44]
:005143CD 58
pop eax
:005143CE E8610AEFFF
call 00404E34
'ID(10)与SN2(3)比较
:005143D3 7576
jne 0051444B
'不同则跳0051444B
:005143D5 8D45B8
lea eax, dword ptr [ebp-48]
:005143D8
50
push eax
:005143D9 B901000000
mov ecx, 00000001
:005143DE BA02000000
mov edx, 00000002
:005143E3 8B45E8
mov eax, dword ptr [ebp-18]
:005143E6
E85D0BEFFF call 00404F48
'从SN3字符串中截取SN3(2)字符
:005143EB 8B45B8
mov eax, dword ptr [ebp-48]
:005143EE
50
push eax
:005143EF 8D45B4
lea eax, dword ptr [ebp-4C]
:005143F2 50
push eax
:005143F3
0FB7D3 movzx edx,
bx
:005143F6 4A
dec edx
:005143F7 B901000000
mov ecx, 00000001
:005143FC 8B45FC
mov eax, dword ptr [ebp-04]
:005143FF
E8440BEFFF call 00404F48
'从ID字符串中截取ID(11)字符
:00514404 8B55B4
mov edx, dword ptr [ebp-4C]
:00514407 58
pop eax
:00514408 E8270AEFFF
call 00404E34 'ID(11)与SN3(2)字符串比较
:0051440D 753C
jne 0051444B '不同则跳0051444B
:0051440F 8D45B0
lea eax, dword ptr [ebp-50]
:00514412 50
push eax
:00514413 B901000000
mov ecx, 00000001
:00514418 BA01000000
mov edx, 00000001
:0051441D 8B45E4
mov eax, dword ptr [ebp-1C]
:00514420 E8230BEFFF call
00404F48 '从SN4字符串中截取SN4(1)字符
:00514425 8B45B0
mov eax, dword ptr [ebp-50]
:00514428
50
push eax
:00514429 8D45AC
lea eax, dword ptr [ebp-54]
:0051442C 50
push eax
:0051442D
0FB7D3 movzx edx,
bx
:00514430 83EA00
sub edx, 00000000
:00514433 B901000000
mov ecx, 00000001
:00514438 8B45FC
mov eax, dword ptr [ebp-04]
:0051443B
E8080BEFFF call 00404F48
'从ID字符串中截取ID(12)字符
:00514440 8B55AC
mov edx, dword ptr [ebp-54]
:00514443 58
pop eax
:00514444
E8EB09EFFF call 00404E34
'ID(12)与 SN4(1)比较
:00514449 7404
je 0051444F
'相同则跳0051444F
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:00514353(C), :00514393(C),
:005143D3(C), :0051440D(C)
|
:0051444B 33DB
xor ebx, ebx
:0051444D EB02
jmp 00514451
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00514449(C)
|
:0051444F B301
mov bl, 01
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0051444D(U)
|
:00514451 33C0
xor eax, eax
:00514453 5A
pop edx
:00514454 59
pop ecx
:00514455 59
pop ecx
:00514456 648910
mov dword ptr fs:[eax],
edx
:00514459 6873445100
push 00514473
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00514471(U)
|
:0051445E 8D45AC
lea eax, dword ptr [ebp-54]
:00514461
BA15000000 mov edx, 00000015
:00514466 E8F105EFFF call 00404A5C
:0051446B C3
ret
============================================================================
算法总结:
I D 号: ID(1)ID(2)ID(3)ID(4)ID(5)ID(6)ID(7)ID(8)ID(9)ID(10)ID(11)ID(12)
注册号:
X X X
X - X X X X - X X X
X - X X X X
|
| | | | | | | |
| | | | | | |
ID(1) | | | | ID(3)| | |
| ID(5) | | | | ID(7)
ID(9) ID(10)
ID(11) ID(12)
注册机:太简单了吧?!,重要的是算法
============================================================================
例:
I D 号: 837222170070
注册号SN: 8 x x 0-x 7
0 x-x 7 2 x-0 x x 1
x---可任取
8110-1701-1721-0111
- 标 题:某国产彩票V3.0软件的算法分析 (22千字)
- 作 者:kpop
- 时 间:2002-8-18
18:18:06
- 链 接:http://bbs.pediy.com