1-More Scanner V1.10 注册码算法分析
日期:2005年5月1日 破解人:Baby2008
-------------------------------------------------------------------------------------------------------------------------
『软件名称』:1-More Scanner V1.10
『软件大小』:1.50MB
『下载地址』:http://www.1-more-scanner.com/
『软件介绍』:Find images, MP3s or any type file on the web
『保护方式』:注册码保护
『破解声明』:初学Crack,只是感兴趣,失误之处敬请诸位大侠赐教!
『破解工具』:OllyDbg.V1.10 聆风听雨汉化第二版、PeID 0.93
『破解过程』:
PeID查壳,Borland Delphi 6.0 - 7.0,Dede查的Unlock按钮事件地址00653438,OD载入,F9运行,输入注册信息,Email:jw6y8@21cn.com(给
点面子,请不要发送垃圾给我!),用户名:Baby2008,注册码:1234567890,点击确定OD中断在:
00653438 > 55 push ebp ; BtnRegisterClick
00653439 8BEC mov ebp,esp
0065343B 81C4 D4FEFFFF add esp,-12C
00653441 53 push ebx
00653442 33C9 xor ecx,ecx
00653444 898D DCFEFFFF mov dword ptr ss:[ebp-124],ecx
0065344A 898D E0FEFFFF mov dword ptr ss:[ebp-120],ecx
00653450 898D E4FEFFFF mov dword ptr ss:[ebp-11C],ecx
00653456 898D F0FEFFFF mov dword ptr ss:[ebp-110],ecx
0065345C 898D ECFEFFFF mov dword ptr ss:[ebp-114],ecx
00653462 898D E8FEFFFF mov dword ptr ss:[ebp-118],ecx
00653468 894D FC mov dword ptr ss:[ebp-4],ecx
0065346B 894D F8 mov dword ptr ss:[ebp-8],ecx
0065346E 894D F4 mov dword ptr ss:[ebp-C],ecx
00653471 8BD8 mov ebx,eax
00653473 33C0 xor eax,eax
00653475 55 push ebp
00653476 68 63366500 push <OmS.->System.@HandleFinally;>
0065347B 64:FF30 push dword ptr fs:[eax]
0065347E 64:8920 mov dword ptr fs:[eax],esp
00653481 8D55 FC lea edx,dword ptr ss:[ebp-4] ; 存放试炼码
00653484 > 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
0065348A > E8 25E4DFFF call OmS.004518B4
0065348F 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C]
00653495 50 push eax
00653496 A1 38796600 mov eax,dword ptr ds:[667938]
0065349B 8B00 mov eax,dword ptr ds:[eax]
0065349D B9 70366500 mov ecx,OmS.00653670 ; ASCII 0D,"Freischaltung"
006534A2 BA 80366500 mov edx,OmS.00653680 ; ASCII 0D,"UnlockCaption"
006534A7 E8 544CFEFF call OmS.00638100
006534AC 8D95 F4FEFFFF lea edx,dword ptr ss:[ebp-10C]
006534B2 8D45 F8 lea eax,dword ptr ss:[ebp-8]
006534B5 > E8 7618DBFF call OmS.00404D30 (String;String;ShortString;ShortString);<+>
006534BA 8D95 ECFEFFFF lea edx,dword ptr ss:[ebp-114]
006534C0 > 8B83 F8020000 mov eax,dword ptr ds:[ebx+2F8]
006534C6 > E8 E9E3DFFF call OmS.004518B4
006534CB 8B85 ECFEFFFF mov eax,dword ptr ss:[ebp-114] ; 用户名
006534D1 50 push eax ; 用户名入栈
006534D2 8D95 E8FEFFFF lea edx,dword ptr ss:[ebp-118]
006534D8 > 8B83 F4020000 mov eax,dword ptr ds:[ebx+2F4]
006534DE > E8 D1E3DFFF call OmS.004518B4
006534E3 8B85 E8FEFFFF mov eax,dword ptr ss:[ebp-118] ; Email
006534E9 8D8D F0FEFFFF lea ecx,dword ptr ss:[ebp-110] ; 存放真正的注册码
006534EF 5A pop edx ; 用户名出栈
006534F0 E8 F35AFEFF call OmS.00638FE8 //计算注册码,关键
006534F5 8B85 F0FEFFFF mov eax,dword ptr ss:[ebp-110] ; 正真注册码
006534FB 8B55 FC mov edx,dword ptr ss:[ebp-4] ; 试炼码
006534FE > E8 CD19DBFF call OmS.00404ED0 ; ->System.@LStrCmp;
00653503 0F85 CC000000 jnz OmS.006535D5 ; 明码比较,爆破点。
00653509 8D95 E4FEFFFF lea edx,dword ptr ss:[ebp-11C]
0065350F > 8B83 F4020000 mov eax,dword ptr ds:[ebx+2F4]
00653515 > E8 9AE3DFFF call OmS.004518B4
0065351A 8B95 E4FEFFFF mov edx,dword ptr ss:[ebp-11C]
00653520 A1 1C7C6600 mov eax,dword ptr ds:[667C1C]
..................省略................................
0653662 C3 retn
00653663 >^ E9 E40DDBFF jmp OmS.0040444C
00653668 ^ EB C5 jmp short OmS.0065362F
0065366A 5B pop ebx
0065366B 8BE5 mov esp,ebp
0065366D 5D pop ebp
0065366E C3 retn
-------------------------------------------------------------------------------------------------------------------------
明码比较!!经典,原来国外也流行啊?
跟进006534F0 E8 F35AFEFF call OmS.00638FE8:
-------------------------------------------------------------------------------------------------------------------------
00638FE8 55 push ebp
00638FE9 8BEC mov ebp,esp
00638FEB 6A 00 push 0
00638FED 6A 00 push 0
00638FEF 6A 00 push 0
00638FF1 6A 00 push 0
00638FF3 6A 00 push 0
00638FF5 6A 00 push 0
00638FF7 6A 00 push 0
00638FF9 53 push ebx
00638FFA 56 push esi
00638FFB 57 push edi
00638FFC 8BF9 mov edi,ecx
00638FFE 8955 F8 mov dword ptr ss:[ebp-8],edx ; 用户名
00639001 8945 FC mov dword ptr ss:[ebp-4],eax ; Email
00639004 8B45 FC mov eax,dword ptr ss:[ebp-4]
00639007 E8 68BFDCFF call OmS.00404F74
0063900C 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0063900F E8 60BFDCFF call OmS.00404F74
00639014 33C0 xor eax,eax
00639016 55 push ebp
00639017 68 D3906300 push OmS.006390D3
0063901C 64:FF30 push dword ptr fs:[eax]
0063901F 64:8920 mov dword ptr fs:[eax],esp
00639022 8BC7 mov eax,edi
00639024 E8 9BBADCFF call OmS.00404AC4
00639029 8D55 F4 lea edx,dword ptr ss:[ebp-C]
0063902C 8B45 FC mov eax,dword ptr ss:[ebp-4] ; Email
0063902F E8 34FEFFFF call OmS.00638E68 ; 过滤字符非有效字符
00639034 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00639037 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 用户名
0063903A E8 29FEFFFF call OmS.00638E68 ; 过滤字符非有效字符
0063903F 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 过滤后的Email
00639042 E8 F1FEFFFF call OmS.00638F38 ; 计算
00639047 8BD8 mov ebx,eax ; Email计算结果
00639049 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; 过滤后的用户名
0063904C E8 E7FEFFFF call OmS.00638F38 ; 计算
00639051 8BF0 mov esi,eax ; 用户名计算结果
00639053 3BF3 cmp esi,ebx
00639055 75 18 jnz short OmS.0063906F ; Email计算结果不能等于用户名计算结果
00639057 B9 EC906300 mov ecx,OmS.006390EC ; ASCII "Invalid registration info"
0063905C B2 01 mov dl,1
0063905E A1 F0884000 mov eax,dword ptr ds:[4088F0]
00639063 E8 144ADDFF call OmS.0040DA7C
00639068 E8 17B4DCFF call OmS.00404484
0063906D EB 49 jmp short OmS.006390B8
0063906F 85DB test ebx,ebx
00639071 7E 45 jle short OmS.006390B8
00639073 85F6 test esi,esi
00639075 7E 41 jle short OmS.006390B8
00639077 8D55 EC lea edx,dword ptr ss:[ebp-14] ; 用户名
0063907A 8BC3 mov eax,ebx ; EBX=Email计算结果
0063907C E8 6B0BDDFF call OmS.00409BEC ; SysUtils.IntToStr(Integer)
00639081 FF75 EC push dword ptr ss:[ebp-14] ; 第1段
00639084 68 10916300 push OmS.00639110 ; '-'
00639089 8D55 E8 lea edx,dword ptr ss:[ebp-18]
0063908C 33DE xor ebx,esi ; Email计算结果 XOR 用户名计算结果
0063908E 8D045B lea eax,dword ptr ds:[ebx+ebx*2] ; *3
00639091 E8 560BDDFF call OmS.00409BEC ; SysUtils.IntToStr(Integer)
00639096 FF75 E8 push dword ptr ss:[ebp-18] ; 第2段
00639099 68 10916300 push OmS.00639110 ; '-'
0063909E 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
006390A1 8D04B6 lea eax,dword ptr ds:[esi+esi*4] ; 用户名计算结果*5
006390A4 E8 430BDDFF call OmS.00409BEC ; SysUtils.IntToStr(Integer)
006390A9 FF75 E4 push dword ptr ss:[ebp-1C] ; 第3段
006390AC 8BC7 mov eax,edi
006390AE BA 05000000 mov edx,5
006390B3 E8 94BDDCFF call OmS.00404E4C ; System.@LStrCatN,连接成注册码
006390B8 33C0 xor eax,eax
006390BA 5A pop edx
006390BB 59 pop ecx
006390BC 59 pop ecx
006390BD 64:8910 mov dword ptr fs:[eax],edx
006390C0 68 DA906300 push OmS.006390DA
006390C5 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
006390C8 BA 07000000 mov edx,7
006390CD E8 16BADCFF call OmS.00404AE8
006390D2 C3 retn
006390D3 ^ E9 74B3DCFF jmp OmS.0040444C
006390D8 ^ EB EB jmp short OmS.006390C5
006390DA 5F pop edi
006390DB 5E pop esi
006390DC 5B pop ebx
006390DD 8BE5 mov esp,ebp
006390DF 5D pop ebp
006390E0 C3 retn
-------------------------------------------------------------------------------------------------------------------------
1、调用call OmS.00638E68处理Email,Name;
2、调用call OmS.00638F38计算Email,Name;
3、根据2的结果产生注册码。
分别跟进瞧瞧:
call OmS.00638E68
-------------------------------------------------------------------------------------------------------------------------
00638E68 55 push ebp
00638E69 8BEC mov ebp,esp
00638E6B 6A 00 push 0
00638E6D 6A 00 push 0
00638E6F 6A 00 push 0
00638E71 53 push ebx
00638E72 56 push esi
00638E73 57 push edi
00638E74 8BFA mov edi,edx
00638E76 8945 FC mov dword ptr ss:[ebp-4],eax
00638E79 8B45 FC mov eax,dword ptr ss:[ebp-4]
00638E7C E8 F3C0DCFF call OmS.00404F74
00638E81 33C0 xor eax,eax
00638E83 55 push ebp
00638E84 68 288F6300 push OmS.00638F28
00638E89 64:FF30 push dword ptr fs:[eax]
00638E8C 64:8920 mov dword ptr fs:[eax],esp
00638E8F 8BC7 mov eax,edi
00638E91 E8 2EBCDCFF call OmS.00404AC4
00638E96 8D55 F8 lea edx,dword ptr ss:[ebp-8]
00638E99 8B45 FC mov eax,dword ptr ss:[ebp-4] ; Email
00638E9C E8 2F08DDFF call OmS.004096D0 ; 转小写函数UpperCase()
00638EA1 8B55 F8 mov edx,dword ptr ss:[ebp-8] ; UpperCase(Email)
00638EA4 8D45 FC lea eax,dword ptr ss:[ebp-4]
00638EA7 E8 B0BCDCFF call OmS.00404B5C
00638EAC 8B45 FC mov eax,dword ptr ss:[ebp-4]
00638EAF E8 D8BEDCFF call OmS.00404D8C ; Length()函数
00638EB4 8BF0 mov esi,eax
00638EB6 85F6 test esi,esi
00638EB8 76 35 jbe short OmS.00638EEF ; Email长度不能<=0
00638EBA BB 01000000 mov ebx,1 ; i,i=1
00638EBF 8B45 FC mov eax,dword ptr ss:[ebp-4] ; Email
00638EC2 8A4418 FF mov al,byte ptr ds:[eax+ebx-1] ; Email[i]
00638EC6 04 D0 add al,0D0
00638EC8 2C 0A sub al,0A
00638ECA 72 06 jb short OmS.00638ED2 ; 要求是数字字符?
00638ECC 04 D9 add al,0D9
00638ECE 2C 1A sub al,1A
00638ED0 73 19 jnb short OmS.00638EEB ; 要求是小写字符?
00638ED2 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00638ED5 8B55 FC mov edx,dword ptr ss:[ebp-4] ; Email
00638ED8 8A541A FF mov dl,byte ptr ds:[edx+ebx-1] ; Email[i]
00638EDC E8 C3BDDCFF call OmS.00404CA4
00638EE1 8B55 F4 mov edx,dword ptr ss:[ebp-C] ; 取得Email中的一个字符
00638EE4 8BC7 mov eax,edi
00638EE6 E8 A9BEDCFF call OmS.00404D94 ; System.@LStrCat;
00638EEB 43 inc ebx
00638EEC 4E dec esi
00638EED ^ 75 D0 jnz short OmS.00638EBF ; 循环过滤掉一些字符
00638EEF 8B07 mov eax,dword ptr ds:[edi]
00638EF1 E8 96BEDCFF call OmS.00404D8C ; System.@LStrLen(String):Integer;
00638EF6 83F8 64 cmp eax,64
00638EF9 76 12 jbe short OmS.00638F0D ; 过滤后的字符长度<=大于$64位
00638EFB 57 push edi
00638EFC 8B07 mov eax,dword ptr ds:[edi]
00638EFE B9 64000000 mov ecx,64
00638F03 BA 01000000 mov edx,1
00638F08 E8 D7C0DCFF call OmS.00404FE4 ; 如果大于$64位,仅取前$64位
00638F0D 33C0 xor eax,eax
00638F0F 5A pop edx
00638F10 59 pop ecx
00638F11 59 pop ecx
00638F12 64:8910 mov dword ptr fs:[eax],edx
00638F15 68 2F8F6300 push OmS.00638F2F
00638F1A 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00638F1D BA 03000000 mov edx,3
00638F22 E8 C1BBDCFF call OmS.00404AE8
00638F27 C3 retn
00638F28 ^ E9 1FB5DCFF jmp OmS.0040444C
00638F2D ^ EB EB jmp short OmS.00638F1A
00638F2F 5F pop edi
00638F30 5E pop esi
00638F31 5B pop ebx
00638F32 8BE5 mov esp,ebp
00638F34 5D pop ebp
00638F35 C3 retn
-------------------------------------------------------------------------------------------------------------------------
call OmS.00638E68的功能:
1、字符串转小写;
2、过滤非数字及小写字符;这里的处理方法很有高明哦!
3、若结果长度超过$64位,仅取前$64位
call OmS.00638F38:
-------------------------------------------------------------------------------------------------------------------------
00638F38 55 push ebp
00638F39 8BEC mov ebp,esp
00638F3B 51 push ecx
00638F3C 53 push ebx
00638F3D 8945 FC mov dword ptr ss:[ebp-4],eax
00638F40 8B45 FC mov eax,dword ptr ss:[ebp-4]
00638F43 E8 2CC0DCFF call OmS.00404F74
00638F48 33C0 xor eax,eax
00638F4A 55 push ebp
00638F4B 68 A28F6300 push OmS.00638FA2
00638F50 64:FF30 push dword ptr fs:[eax]
00638F53 64:8920 mov dword ptr fs:[eax],esp
00638F56 33DB xor ebx,ebx ; EBX=0
00638F58 8B45 FC mov eax,dword ptr ss:[ebp-4] ; Email过滤结果
00638F5B E8 2CBEDCFF call OmS.00404D8C ; Length
00638F60 8BD0 mov edx,eax
00638F62 85D2 test edx,edx
00638F64 7E 26 jle short OmS.00638F8C ; Length不能<=0
00638F66 B8 01000000 mov eax,1 ; i,i=1
00638F6B 8B4D FC mov ecx,dword ptr ss:[ebp-4] ; Email
00638F6E 0FB64C01 FF movzx ecx,byte ptr ds:[ecx+eax-1] ; Email[i]
00638F73 03D9 add ebx,ecx
00638F75 03D8 add ebx,eax ; EBX=EBX+Email[i]+i
00638F77 83F8 2E cmp eax,2E ; i>=46
00638F7A 7D 0C jge short OmS.00638F88
00638F7C B9 B88F6300 mov ecx,OmS.00638FB8 ; ASCII "Cyya12510#!!VV9BY--215yAAd521q92d3cgDJn)
kd?-MM"
00638F81 0FB64C01 FF movzx ecx,byte ptr ds:[ecx+eax-1] ; 取常数字符串中的第i个字母
00638F86 03D9 add ebx,ecx ; 再加EBX
00638F88 40 inc eax
00638F89 4A dec edx
00638F8A ^ 75 DF jnz short OmS.00638F6B
00638F8C 33C0 xor eax,eax
00638F8E 5A pop edx
00638F8F 59 pop ecx
00638F90 59 pop ecx
00638F91 64:8910 mov dword ptr fs:[eax],edx
00638F94 68 A98F6300 push OmS.00638FA9
00638F99 8D45 FC lea eax,dword ptr ss:[ebp-4]
00638F9C E8 23BBDCFF call OmS.00404AC4
00638FA1 C3 retn
00638FA2 ^ E9 A5B4DCFF jmp OmS.0040444C
00638FA7 ^ EB F0 jmp short OmS.00638F99
00638FA9 8BC3 mov eax,ebx
00638FAB 5B pop ebx
00638FAC 59 pop ecx
00638FAD 5D pop ebp
00638FAE C3 retn
-------------------------------------------------------------------------------------------------------------------------
函数功能:按一定的规则累加字符串。
『算法总结』:
1、分别将Email、Name转为小写,再过滤非数字及非小写字符;
2、分别按规则循环累加Email、Name;
3、Email计算结果转为字符串,记为SN1;
4、(Email计算结果 XOR 用户名计算结果)×3转为字符串,记为SN2;
5、用户名计算结果*5转为字符串,记为SN3;
6、连接成SN1-SN2-SN3记为注册码。
附Delphi 7.0注册机源代如下:
Function Filter(S: String): String;
Var
i: Integer;
Str: String;
Begin
Str := LowerCase(S);
For i := 1 To Length(Str) Do
If (Ord(Str[i]) >= Ord('0')) And (Ord(Str[i]) <= Ord('9')) Or
(Ord(Str[i]) >= Ord('a')) And (Ord(Str[i]) <= Ord('z')) Then Result := Result + Str[i];
If Length(Result) > $64 Then Result := Copy(Result, 1, 64);
End;
Function StrTotal(Str: String): Integer;
Const
S = 'Cyya12510#!!VV9BY--215yAAd521q92d3cgDJn)kd?-MM';
Var
i: Integer;
Begin
Result := 0;
For i := 1 To Length(Str) Do
Begin
Result := Result + Ord(Str[i]) + i;
If i < $2E Then Result := Result + Ord(S[i]);
End;
End;
Procedure TFrmMain.btn1Click(Sender: TObject);
Var
EmailTotal, NameTotal: Integer;
Begin
EmailTotal := StrTotal(Filter(edt1.Text));
NameTotal := StrTotal(Filter(edt2.Text));
edt3.Text := IntToStr(EmailTotal) + '-' + IntToStr((EmailTotal Xor NameTotal) * 3) + '-' + IntToStr(NameTotal * 5);
End;
我的注册信息:
Email:jw6y8@21cn.com
Name:Baby2008
Serial:1917-2754-6295
--完--