Disk Chief 1.2: analysis of a simple registration algorithm
Target: Disk Chief 1.2
Official homepage: http://dekasoftware.mastak.com/
Description: an Explorer-like file manager for Windows
Download: http://dekasoftware.mastak.com/diskchief.zip
Author: 炎之川[BCG]
Date: 2003.4.29
Homepage: http://skipli.yeah.net/
========================================================================
Disclaimer:
This article is purely a technical exchange and serves no other purpose. If you repost it, credit the author and keep the article intact.
========================================================================
After a quick look at the program, load it into OllyDbg, set a breakpoint at 0046FD0C, press Ctrl+F2 to restart and F9 to run, then type a name and a made-up serial into the registration dialog:
Name: lovefire[BCG]
S/N: 9876543210
Press Register and OllyDbg breaks at 0046FD0C. The dump below starts at the next instruction, 0046FD0D.
(Text after ";" is OllyDbg's own analysis, text after "//" is my commentary; all numbers in this article are hexadecimal unless stated otherwise.)
0046FD0D  |. 8BEC            MOV EBP,ESP
0046FD0F  |. 6A 00           PUSH 0
0046FD11  |. 6A 00           PUSH 0
0046FD13  |. 53              PUSH EBX
0046FD14  |. 56              PUSH ESI
0046FD15  |. 8BD8            MOV EBX,EAX
0046FD17  |. 33C0            XOR EAX,EAX
0046FD19  |. 55              PUSH EBP
0046FD1A  |. 68 1DFE4600     PUSH DiskChie.0046FE1D
0046FD1F  |. 64:FF30         PUSH DWORD PTR FS:[EAX]
0046FD22  |. 64:8920         MOV DWORD PTR FS:[EAX],ESP
0046FD25  |. 8D55 F8         LEA EDX,DWORD PTR SS:[EBP-8]
0046FD28  |. 8B83 E8010000   MOV EAX,DWORD PTR DS:[EBX+1E8]
0046FD2E  |. E8 1D1DFBFF     CALL DiskChie.00421A50            // text of the S/N box ends up in [EBP-8]
0046FD33  |. 8B45 F8         MOV EAX,DWORD PTR SS:[EBP-8]
0046FD36  |. 33D2            XOR EDX,EDX
0046FD38  |. E8 277DF9FF     CALL DiskChie.00407A64            // serial string -> integer (called with EDX=0)
0046FD3D  |. 8BF0            MOV ESI,EAX                       // ESI = serial as a number
0046FD3F  |. 8D55 FC         LEA EDX,DWORD PTR SS:[EBP-4]
0046FD42  |. 8B83 E0010000   MOV EAX,DWORD PTR DS:[EBX+1E0]
0046FD48  |. E8 031DFBFF     CALL DiskChie.00421A50            // text of the Name box ends up in [EBP-4]
0046FD4D  |. 8BD6            MOV EDX,ESI                       // EDX = serial
0046FD4F  |. 8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]      // EAX = registration name
0046FD52  |. E8 85B90500     CALL DiskChie.004CB6DC            // the check routine; we step into it below
0046FD57  |. 84C0            TEST AL,AL                        // AL=1 means the serial matched
0046FD59  |. 74 7E           JE SHORT DiskChie.0046FDD9        // otherwise "Wrong serial number!"
0046FD5B  |. 85F6            TEST ESI,ESI                      // a serial that converted to 0 is rejected as well
0046FD5D  |. 74 7A           JE SHORT DiskChie.0046FDD9
0046FD5F  |. A1 20464D00     MOV EAX,DWORD PTR DS:[4D4620]
0046FD64  |. 8B55 FC         MOV EDX,DWORD PTR SS:[EBP-4]
0046FD67  |. E8 5C3EF9FF     CALL DiskChie.00403BC8            // keep the name in a global
0046FD6C  |. A1 1C454D00     MOV EAX,DWORD PTR DS:[4D451C]
0046FD71  |. 8930            MOV DWORD PTR DS:[EAX],ESI        // keep the serial in a global
0046FD73  |. B9 34FE4600     MOV ECX,DiskChie.0046FE34         ; ASCII "diskchief.ini"   // on success the data is written to diskchief.ini
0046FD78  |. B2 01           MOV DL,1
0046FD7A  |. A1 88784500     MOV EAX,DWORD PTR DS:[457888]
0046FD7F  |. E8 607BFEFF     CALL DiskChie.004578E4            // open the INI file
0046FD84  |. 8BF0            MOV ESI,EAX
0046FD86  |. A1 20464D00     MOV EAX,DWORD PTR DS:[4D4620]
0046FD8B  |. 8B00            MOV EAX,DWORD PTR DS:[EAX]
0046FD8D  |. 50              PUSH EAX
0046FD8E  |. B9 4CFE4600     MOV ECX,DiskChie.0046FE4C         ; ASCII "User"
0046FD93  |. BA 5CFE4600     MOV EDX,DiskChie.0046FE5C         ; ASCII "GENERAL"
0046FD98  |. 8BC6            MOV EAX,ESI
0046FD9A  |. E8 D97BFEFF     CALL DiskChie.00457978            // writes User=<name> under [GENERAL]
0046FD9F  |. A1 1C454D00     MOV EAX,DWORD PTR DS:[4D451C]
0046FDA4  |. 8B00            MOV EAX,DWORD PTR DS:[EAX]
0046FDA6  |. 50              PUSH EAX
0046FDA7  |. B9 6CFE4600     MOV ECX,DiskChie.0046FE6C         ; ASCII "Number"
0046FDAC  |. BA 5CFE4600     MOV EDX,DiskChie.0046FE5C         ; ASCII "GENERAL"
0046FDB1  |. 8BC6            MOV EAX,ESI
0046FDB3  |. E8 247DFEFF     CALL DiskChie.00457ADC            // writes Number=<serial> under [GENERAL]
0046FDB8  |. 8BC6            MOV EAX,ESI
0046FDBA  |. E8 8D32F9FF     CALL DiskChie.0040304C
0046FDBF  |. 6A 00           PUSH 0
0046FDC1  |. B9 74FE4600     MOV ECX,DiskChie.0046FE74         ; ASCII "Disk Chief v. 1.2"
0046FDC6  |. BA 88FE4600     MOV EDX,DiskChie.0046FE88         ; ASCII "Thank you for registering Disk Chief"   // success
0046FDCB  |. A1 28464D00     MOV EAX,DWORD PTR DS:[4D4628]
0046FDD0  |. 8B00            MOV EAX,DWORD PTR DS:[EAX]
0046FDD2  |. E8 811AFCFF     CALL DiskChie.00431858            // show the message box
0046FDD7  |. EB 18           JMP SHORT DiskChie.0046FDF1
0046FDD9  |> 6A 00           PUSH 0
0046FDDB  |. B9 74FE4600     MOV ECX,DiskChie.0046FE74         ; ASCII "Disk Chief v. 1.2"
0046FDE0  |. BA B0FE4600     MOV EDX,DiskChie.0046FEB0         ; ASCII "Wrong serial number!"   // failure
0046FDE5  |. A1 28464D00     MOV EAX,DWORD PTR DS:[4D4628]
0046FDEA  |. 8B00            MOV EAX,DWORD PTR DS:[EAX]
0046FDEC  |. E8 671AFCFF     CALL DiskChie.00431858            // show the message box
0046FDF1  |> 8BC3            MOV EAX,EBX
0046FDF3  |. E8 ECF7FBFF     CALL DiskChie.0042F5E4
0046FDF8  |. 8BC3            MOV EAX,EBX
0046FDFA  |. E8 25FAFBFF     CALL DiskChie.0042F824
0046FDFF  |. 33C0            XOR EAX,EAX
0046FE01  |. 5A              POP EDX
0046FE02  |. 59              POP ECX
0046FE03  |. 59              POP ECX
0046FE04  |. 64:8910         MOV DWORD PTR FS:[EAX],EDX
0046FE07  |. 68 24FE4600     PUSH DiskChie.0046FE24
0046FE0C  |> 8D45 F8         LEA EAX,DWORD PTR SS:[EBP-8]
0046FE0F  |. E8 603DF9FF     CALL DiskChie.00403B74
0046FE14  |. 8D45 FC         LEA EAX,DWORD PTR SS:[EBP-4]
0046FE17  |. E8 583DF9FF     CALL DiskChie.00403B74
0046FE1C  \. C3              RETN
------------------------------------------------------------------------
Stepping into the check routine at 004CB6DC (EAX = name, EDX = serial on entry):
004CB6DC  /$ 55              PUSH EBP                          // start of the check routine
004CB6DD  |. 8BEC            MOV EBP,ESP
004CB6DF  |. 83C4 F8         ADD ESP,-8
004CB6E2  |. 53              PUSH EBX
004CB6E3  |. 56              PUSH ESI
004CB6E4  |. 8955 F8         MOV DWORD PTR SS:[EBP-8],EDX      // [EBP-8] = serial (as a number)
004CB6E7  |. 8945 FC         MOV DWORD PTR SS:[EBP-4],EAX      // [EBP-4] = name
004CB6EA  |. 8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
004CB6ED  |. E8 B288F3FF     CALL DiskChie.00403FA4
004CB6F2  |. 33C0            XOR EAX,EAX
004CB6F4  |. 55              PUSH EBP
004CB6F5  |. 68 53B74C00     PUSH DiskChie.004CB753
004CB6FA  |. 64:FF30         PUSH DWORD PTR FS:[EAX]
004CB6FD  |. 64:8920         MOV DWORD PTR FS:[EAX],ESP
004CB700  |. 8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
004CB703  |. E8 E886F3FF     CALL DiskChie.00403DF0            // EAX = length of the name
004CB708  |. 33DB            XOR EBX,EBX                       // EBX = 0, the running value
004CB70A  |. 8BF0            MOV ESI,EAX                       // ESI = name length, counted down by the loop
004CB70C  |. 85F6            TEST ESI,ESI                      // was a name entered at all?
004CB70E  |. 7E 22           JLE SHORT DiskChie.004CB732       // no: skip the loop with EBX = 0
004CB710  |. B9 01000000     MOV ECX,1                         // ECX = 1-based index of the current character
004CB715  |> 69C1 15AE510D   /IMUL EAX,ECX,0D51AE15            // EAX = ECX * 0D51AE15
004CB71B  |. 8B55 FC         |MOV EDX,DWORD PTR SS:[EBP-4]     // EDX -> name
004CB71E  |. 0FB6540A FF     |MOVZX EDX,BYTE PTR DS:[EDX+ECX-1] // EDX = ASCII value of the ECX-th character
004CB723  |. F7EA            |IMUL EDX                         // EDX:EAX = EAX * EDX (signed); the low half in EAX is what matters
004CB725  |. 03C3            |ADD EAX,EBX                      // EAX += EBX (EBX = 0 in the first round)
004CB727  |. 99              |CDQ                              // EDX = sign of EAX (0 or FFFFFFFF); the high half from IMUL is thrown away here
004CB728  |. 33C2            |XOR EAX,EDX                      // XOR then SUB with the sign word is the absolute-value idiom:
004CB72A  |. 2BC2            |SUB EAX,EDX                      //   EAX = (EAX ^ sign) - sign = |EAX|
004CB72C  |. 8BD8            |MOV EBX,EAX                      // EBX = |EAX|, carried into the next round
004CB72E  |. 41              |INC ECX                          // next character
004CB72F  |. 4E              |DEC ESI                          // one character fewer to go
004CB730  |.^75 E3           \JNZ SHORT DiskChie.004CB715      // loop until every character has been used
                                                               // loop finished: EAX (and EBX, its copy) holds the serial in hex; its decimal value is the S/N
004CB732     ?               ?                                 // this instruction was lost from the dump; the JNZ right after it acts on its result, so it is the comparison of the computed value with the serial in [EBP-8]
004CB735  |. 75 04           JNZ SHORT DiskChie.004CB73B       // not equal: fail
004CB737  |. B3 01           MOV BL,1                          // equal: return 1
004CB739  |. EB 02           JMP SHORT DiskChie.004CB73D
004CB73B  |> 33DB            XOR EBX,EBX                       // return 0
004CB73D  |> 33C0            XOR EAX,EAX
004CB73F  |. 5A              POP EDX
004CB740  |. 59              POP ECX
004CB741  |. 59              POP ECX
004CB742  |. 64:8910         MOV DWORD PTR FS:[EAX],EDX
004CB745  |. 68 5AB74C00     PUSH DiskChie.004CB75A
004CB74A  |> 8D45 FC         LEA EAX,DWORD PTR SS:[EBP-4]
004CB74D  |. E8 2284F3FF     CALL DiskChie.00403B74
004CB752  \. C3              RETN
004CB753   .^E9 C07EF3FF     JMP DiskChie.00403618
004CB758   .^EB F0           JMP SHORT DiskChie.004CB74A
004CB75A   . 8BC3            MOV EAX,EBX                       // result (AL) goes back to the caller
004CB75C   . 5E              POP ESI
004CB75D   . 5B              POP EBX
004CB75E   . 59              POP ECX
004CB75F   . 59              POP ECX
004CB760   . 5D              POP EBP
004CB761   . C3              RETN
------------------------------------------------------------------------
Algorithm summary:
1. For each character of the name, with i running from 1 to the length of the name: EAX = i * 0D51AE15, then EAX = EAX * (ASCII value of the i-th character). IMUL leaves the low 32 bits of the product in EAX and the overflow in EDX; only EAX is used. Then EAX = EAX + EBX, where EBX starts at 0 and otherwise carries the previous round's result.
2. CDQ overwrites EDX with the sign of EAX (0 or FFFFFFFF), and XOR EAX,EDX followed by SUB EAX,EDX takes the absolute value: EBX = |EAX| is carried into the next round. Everything happens in 32-bit registers, so the sum wraps modulo 2^32 and the serial is never negative.
3. When the last character has been processed, EAX (and EBX) holds the serial in hex; converted to decimal it is the number that must be typed in the S/N box.
That completes the analysis of the Disk Chief 1.2 registration algorithm. A working pair:
Name: lovefire[BCG]
S/N: 1373681969
Where the registration is stored:
After a successful registration the details are written to diskchief.ini in the Windows installation directory:
[GENERAL]
User=lovefire[BCG]
Number=1373681969
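The loop and the caller's two checks, re-implemented as a keygen. This is an added example written for this page, not code from the original article or from Disk Chief: the function names (diskchief_serial, parse_serial, register, ini_text) are mine, treating an unparsable or out-of-range serial as 0 is an assumption about the conversion routine at 00407A64 (which is called with EDX=0), and the INI layout is reconstructed from the "GENERAL", "User" and "Number" strings in the listing.

```python
# Added example: keygen / checker for Disk Chief 1.2 rebuilt from the
# loop at 004CB715-004CB730 and the caller at 0046FD52-0046FD5D.
# Not the original article's or the program's code; names are mine.
import re

K = 0x0D51AE15          # constant from IMUL EAX,ECX,0D51AE15
MASK32 = 0xFFFFFFFF


def to_signed32(x: int) -> int:
    """Reinterpret the low 32 bits of x as a signed two's-complement value."""
    x &= MASK32
    return x - 0x1_0000_0000 if x & 0x8000_0000 else x


def abs32(x: int) -> int:
    """CDQ / XOR EAX,EDX / SUB EAX,EDX: |EAX| for a signed 32-bit EAX.
    Exactly like the CPU, abs32(0x80000000) stays 0x80000000."""
    return abs(to_signed32(x)) & MASK32


def diskchief_serial(name: bytes) -> int:
    """Value left in EBX after the loop: the serial that matches `name`."""
    ebx = 0                                   # XOR EBX,EBX
    for ecx, ch in enumerate(name, start=1):  # ECX = 1..len(name); MOVZX gives the raw byte
        eax = (ecx * K) & MASK32              # IMUL EAX,ECX,0D51AE15 (low 32 bits)
        eax = (eax * ch) & MASK32             # IMUL EDX: keep the low half, the high half is never used
        eax = (eax + ebx) & MASK32            # ADD EAX,EBX
        ebx = abs32(eax)                      # CDQ; XOR EAX,EDX; SUB EAX,EDX; MOV EBX,EAX
    return ebx


def parse_serial(text: str):
    """Stand-in for the string-to-integer call at 0046FD38.
    Assumption: plain decimal only; the real routine may accept more formats."""
    if not re.fullmatch(r"[+-]?\d+", text.strip()):
        return None
    value = int(text)
    if not -0x8000_0000 <= value <= 0x7FFF_FFFF:   # must fit a 32-bit register
        return None
    return value


def register(name: bytes, serial_text: str) -> bool:
    """Mirror of the caller: the check routine must return 1 (TEST AL,AL)
    AND the converted serial must be non-zero (TEST ESI,ESI)."""
    serial = parse_serial(serial_text)
    if serial is None:
        serial = 0            # assumption: unparsable input behaves like the EDX=0 default
    matched = (serial & MASK32) == diskchief_serial(name)   # what 004CB6DC decides
    return matched and serial != 0


def ini_text(name: bytes, serial: int) -> str:
    """What diskchief.ini should contain after a successful registration
    (exact layout and line endings are an assumption from the strings seen)."""
    return f"[GENERAL]\r\nUser={name.decode('latin-1')}\r\nNumber={serial}\r\n"


if __name__ == "__main__":
    name = b"lovefire[BCG]"                   # the name used in the article
    print(f"Name: {name.decode()}")
    print(f"S/N:  {diskchief_serial(name)}")
    print(ini_text(name, diskchief_serial(name)))
```

Running it prints S/N 1373681969 for lovefire[BCG], the pair given above. The 32-bit masking is not optional: already the first character pushes the product past 2^32, so a keygen that computes in Python's unbounded integers without masking produces a different number. The abs32 helper also shows why a serial is never negative, and why the comparison in register() masks the typed value before comparing it with the loop's unsigned result.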
------------------------------------------------------------------------
炎之川
member of the Chinese cracking group BCG
(BeGiNnEr'S CrAcKiNg Group)
_/_/_/ _/_/_/
_/_/_/
_/ _/ _/ _/
_/_/_/ _/ _/ _/_/
_/ _/ _/ _/ _/
_/_/_/ _/_/_/
_/_/_/