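How e-books generated by Ada99 eBook Workshop are registered
Compiler: eBook Workshop [亿唯e书]
E-books generated by eBook Workshop create the following registry values, which can be used to determine whether an e-book was compiled by this software.
Registry values:
[HKEY_CURRENT_USER\Software\Ada99\eBook workshop\Security\1.exe] (1 stands for the e-book name)
"UserName"="coldeye" | user name; absent for unregistered users
"PassWord"="787878" | registration code; absent for unregistered users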
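Analysis of the e-books 生肖V星座 and AUTOCAD七天超级速成法2.0版 gives the following summary:
Load the program in OllyDbg without analysing it, run it directly, search the string references, and set breakpoints on all suspicious entries like the following:
0048C232 MOV EAX, 1.0048C2E0 ASCII "Software\Ada99\eBook workshop\Security\%s"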
0048C250 MOV EDX, 1.0048C314 ASCII "UserName"
0048C26A MOV EDX, 1.0048C328 ASCII "Password"
Run the registration; execution breaks here:
0048C232 B8 E0C24800 MOV EAX, 1.0048C2E0 ; ASCII "Software\Ada99\eBook workshop\Security\%s"
0048C237 E8 48D2F7FF CALL 1.00409484
0048C23C 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
0048C23F B1 01 MOV CL, 1
0048C241 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
0048C244 E8 DFB7FEFF CALL 1.00477A28
0048C249 84C0 TEST AL, AL
0048C24B 74 34 JE SHORT 1.0048C281
0048C24D 8D4D E4 LEA ECX, DWORD PTR SS:[EBP-1C]
0048C250 BA 14C34800 MOV EDX, 1.0048C314 ; ASCII "UserName"
0048C255 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
0048C258 E8 93B9FEFF CALL 1.00477BF0
0048C25D 8B55 E4 MOV EDX, DWORD PTR SS:[EBP-1C] ; user name
0048C260 8BC3 MOV EAX, EBX
0048C262 E8 857AF7FF CALL 1.00403CEC
0048C267 8D4D E0 LEA ECX, DWORD PTR SS:[EBP-20]
0048C26A BA 28C34800 MOV EDX, 1.0048C328 ; ASCII "Password"
0048C26F 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
0048C272 E8 79B9FEFF CALL 1.00477BF0
0048C277 8B55 E0 MOV EDX, DWORD PTR SS:[EBP-20] ; fake registration code
0048C27A 8BC6 MOV EAX, ESI
0048C27C E8 6B7AF7FF CALL 1.00403CEC
0048C281 33C0 XOR EAX, EAX
0048C283 5A POP EDX
0048C284 59 POP ECX
0048C285 59 POP ECX
0048C286 64:8910 MOV DWORD PTR FS:[EAX], EDX
0048C289 68 A6C24800 PUSH 1.0048C2A6
0048C28E 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
0048C291 E8 FEB6FEFF CALL 1.00477994
0048C296 8B45 FC MOV EAX, DWORD PTR SS:[EBP-4]
0048C299 E8 AE6CF7FF CALL 1.00402F4C
0048C29E C3 RETN
—————————————————————————————————————————————————————————————
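After returning several times, execution reaches the following code (the key registration logic of both e-books is here, so this is probably the verification code of e-books generated by eBook Workshop):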
0048BE0C A1 E8E44800 MOV EAX, DWORD PTR DS:[48E4E8]
0048BE11 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BE13 8B80 18030000 MOV EAX, DWORD PTR DS:[EAX+318]
0048BE19 8B55 FC MOV EDX, DWORD PTR SS:[EBP-4]
0048BE1C E8 A7E0F9FF CALL 1.00429EC8
0048BE21 A1 E8E44800 MOV EAX, DWORD PTR DS:[48E4E8]
0048BE26 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BE28 8B80 1C030000 MOV EAX, DWORD PTR DS:[EAX+31C]
0048BE2E 8B55 F8 MOV EDX, DWORD PTR SS:[EBP-8]
0048BE31 E8 92E0F9FF CALL 1.00429EC8
0048BE36 A1 84E94800 MOV EAX, DWORD PTR DS:[48E984]
0048BE3B 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BE3D 83E8 01 SUB EAX, 1
0048BE40 72 0A JB SHORT 1.0048BE4C
0048BE42 74 0C JE SHORT 1.0048BE50 ; 生肖V星座 jumps here; presumably every e-book that checks the registration code directly jumps here
0048BE44 48 DEC EAX
0048BE45 83E8 02 SUB EAX, 2
0048BE48 72 30 JB SHORT 1.0048BE7A ; AUTOCAD七天超级速成法2.0版 jumps here; presumably every e-book whose registration code is computed from the user name jumps here
0048BE4A EB 7C JMP SHORT 1.0048BEC8
0048BE4C B3 01 MOV BL, 1
0048BE4E EB 78 JMP SHORT 1.0048BEC8
0048BE50 8D55 F4 LEA EDX, DWORD PTR SS:[EBP-C]
0048BE53 A1 E8E44800 MOV EAX, DWORD PTR DS:[48E4E8]
0048BE58 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BE5A 8B80 1C030000 MOV EAX, DWORD PTR DS:[EAX+31C]
0048BE60 E8 33E0F9FF CALL 1.00429E98
0048BE65 8B55 F4 MOV EDX, DWORD PTR SS:[EBP-C] |EDX = fake registration code |
0048BE68 A1 54E54800 MOV EAX, DWORD PTR DS:[48E554] |
0048BE6D 8B00 MOV EAX, DWORD PTR DS:[EAX] |EAX = real registration code |
0048BE6F E8 B481F7FF CALL 1.00404028 |a standard comparison routine |registration section of 生肖V星座
0048BE74 75 52 JNZ SHORT 1.0048BEC8 |not equal: jump, registration fails |
0048BE76 B3 01 MOV BL, 1 |BL=1, the flag |
0048BE78 EB 4E JMP SHORT 1.0048BEC8 |jump, registration succeeds |
0048BE7A 8D55 EC LEA EDX, DWORD PTR SS:[EBP-14]
0048BE7D A1 E8E44800 MOV EAX, DWORD PTR DS:[48E4E8]
0048BE82 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BE84 8B80 18030000 MOV EAX, DWORD PTR DS:[EAX+318]
0048BE8A E8 09E0F9FF CALL 1.00429E98
0048BE8F 8B45 EC MOV EAX, DWORD PTR SS:[EBP-14]
0048BE92 8D4D F0 LEA ECX, DWORD PTR SS:[EBP-10]
0048BE95 8B15 54E54800 MOV EDX, DWORD PTR DS:[48E554]
0048BE9B 8B12 MOV EDX, DWORD PTR DS:[EDX]
0048BE9D E8 DE9EFFFF CALL 1.00485D80 |compute the real registration code |
0048BEA2 8B45 F0 MOV EAX, DWORD PTR SS:[EBP-10] |real registration code |
0048BEA5 50 PUSH EAX | |
0048BEA6 8D55 E8 LEA EDX, DWORD PTR SS:[EBP-18] | |
0048BEA9 A1 E8E44800 MOV EAX, DWORD PTR DS:[48E4E8] | |
0048BEAE 8B00 MOV EAX, DWORD PTR DS:[EAX] | |
0048BEB0 8B80 1C030000 MOV EAX, DWORD PTR DS:[EAX+31C] | |
0048BEB6 E8 DDDFF9FF CALL 1.00429E98 | |registration section of AUTOCAD七天超级速成法2.0版
0048BEBB 8B55 E8 MOV EDX, DWORD PTR SS:[EBP-18] |fake registration code |
0048BEBE 58 POP EAX |real registration code |
0048BEBF E8 6481F7FF CALL 1.00404028 |standard comparison routine |
0048BEC4 75 02 JNZ SHORT 1.0048BEC8 |jump, registration fails; can be removed with NOP NOP (9090) |
0048BEC6 B3 01 MOV BL, 1 |BL=1, the flag |
0048BEC8 84DB TEST BL, BL | |
0048BECA 0F85 FE000000 JNZ 1.0048BFCE |jump, registration succeeds |
0048BED0 A1 E8E44800 MOV EAX, DWORD PTR DS:[48E4E8]
0048BED5 8B00 MOV EAX, DWORD PTR DS:[EAX]
0048BED7 8B10 MOV EDX, DWORD PTR DS:[EAX]
0048BED9 FF92 D8000000 CALL DWORD PTR DS:[EDX+D8]
0048BEDF 48 DEC EAX
0048BEE0 0F85 E8000000 JNZ 1.0048BFCE
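Summary:
E-books generated by eBook Workshop use different code paths to verify registration, depending on the registration method, and use BL as the flag that indicates whether registration succeeded.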
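The registry fingerprint listed at the top of this page can be checked offline against a registry export. The following is an added example, not code from the original page or from eBook Workshop: it parses already-decoded .reg text and lists every e-book subkey under the Security key together with whether UserName/PassWord values are stored. The function names, the exact key path separators and the sample export are assumptions constructed for illustration.

```python
import re

# Key prefix as read from the page (path separators assumed); the final
# component of each subkey is the e-book's executable name.
KEY_PREFIX = r"HKEY_CURRENT_USER\Software\Ada99\eBook workshop\Security" + "\\"

# Constructed sample in .reg export layout, not captured from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Ada99\eBook workshop\Security\1.exe]
"UserName"="coldeye"
"PassWord"="787878"

[HKEY_CURRENT_USER\Software\Ada99\eBook workshop\Security\2.exe]

[HKEY_CURRENT_USER\Software\Other\App]
"UserName"="someone"
'''

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def find_ebook_entries(reg_text):
    """Return {ebook_name: {value_name: data}} for subkeys of KEY_PREFIX."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            # Registry key names are case-insensitive.
            inside = key.lower().startswith(KEY_PREFIX.lower())
            current = entries.setdefault(key[len(KEY_PREFIX):], {}) if inside else None
            continue
        m = VALUE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entries

def summarize(entries):
    """'stored' when both UserName and PassWord exist, else 'none'."""
    wanted = {"username", "password"}
    return {name: "stored" if wanted <= {k.lower() for k in vals} else "none"
            for name, vals in entries.items()}

if __name__ == "__main__":
    for name, state in summarize(find_ebook_entries(SAMPLE_REG)).items():
        print(name, state)
```

Stored values only show that registration data was entered; the disassembly above reads them back and still compares them against the real code.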