MathType5.2a 汉化版注册算法分析
【软件主页】:http://www.dessci.com/
【破解工具】:OllyDbg、PEiD、系统自带计算器
【本文作者】:好好学习(恨浩[PCG][PYG])
【目标下载】:www.google.com搜索一下到处都是!
安装的时候有两个选项,如果有序列号选“解锁MathType”安装,没有序列号就只能选“评估MathType30天”安装。
安装好后,PEiD检测MathType.exe无壳。
运行MathType.exe,点“帮助==〉选解锁MathType”,注册对话框出现,输入名、姓、组织(随便输入),注册码填入“123456”,提示注册码形式应为MTWxxxx-xxxxxx-xxxxx。
用OD加载MathType.exe,F9运行,回到OD界面,点“查看”==〉“执行模块”,双击USER32,查找user32模块中F3A58BC883E103处的地址为77CF0EFE是我机器的万能断点,在77CF0EFE处F2下断,再回到MathType界面,输入假码:“MTW1234-123456-98765”,点“完成”,程序被OD拦截在77CF0EFE处,F2取消断点,Alt+F9回到程序代码中。
一路F8来到这里:
0041D95A |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0041D95E |. E8 0DD10600 call MathType.0048AA70 ; 算法就在里面,进去!①
0041D963 |. 83F8 07 cmp eax,7 ; eax和7比较
0041D966 |. 0F87 06010000 ja MathType.0041DA72 ; 跳就死!!!
0041D96C |. FF2485 C8DA4100 jmp dword ptr ds:[eax*4+41DAC8]
0041D973 |> 8D4C24 0C lea ecx,dword ptr ss:[esp+C] ; Cases 0,1 of switch 0041D963
............以下代码略...........
0041DAB9 |. 64:890D 00000000 mov dword ptr fs:[0],ecx
0041DAC0 |. 83C4 3C add esp,3C
0041DAC3 \. C2 0400 retn 4
===========================================================================================================
①call 0048AA70:
0048AA70 /$ 56 push esi ; MathType.0049015C
0048AA71 |. 8BF1 mov esi,ecx
0048AA73 |. 8D4E 24 lea ecx,dword ptr ds:[esi+24]
0048AA76 |. E8 D5F5FFFF call MathType.0048A050 ; 跟进去...②
0048AA7B |. 83F8 04 cmp eax,4 ; eax和4比较
0048AA7E |. 77 2F ja short MathType.0048AAAF ; 不能跳,跳就死!!!
0048AA80 |. FF2485 B8AA4800 jmp dword ptr ds:[eax*4+48AAB8]
0048AA87 |> 8B4E 1C mov ecx,dword ptr ds:[esi+1C] ; Case 1 of switch 0048AA7B
0048AA8A |. 85C9 test ecx,ecx
0048AA8C |. 75 26 jnz short MathType.0048AAB4
0048AA8E |. B8 07000000 mov eax,7
0048AA93 |. 5E pop esi
0048AA94 |. C3 retn
0048AA95 |> 8B4E 04 mov ecx,dword ptr ds:[esi+4] ; Case 0 of switch 0048AA7B
0048AA98 |. 85C9 test ecx,ecx
0048AA9A |. 75 05 jnz short MathType.0048AAA1
0048AA9C |. B8 05000000 mov eax,5
0048AAA1 |> 8B4E 10 mov ecx,dword ptr ds:[esi+10]
0048AAA4 |. 85C9 test ecx,ecx
0048AAA6 |. 75 0C jnz short MathType.0048AAB4
0048AAA8 |. B8 06000000 mov eax,6
0048AAAD |. 5E pop esi
0048AAAE |. C3 retn
0048AAAF |> B8 03000000 mov eax,3 ; Default case of switch 0048AA7B
0048AAB4 |> 5E pop esi ; Cases 2,3,4 of switch 0048AA7B
0048AAB5 \. C3 retn
======================================================================================================================
②call 0048A050:
0048A050 /$ 64:A1 00000000 mov eax,dword ptr fs:[0] ; fs:[00000000]=[7FFDE000]=0012EFAC放入eax
0048A056 |. 6A FF push -1
0048A058 |. 68 70574B00 push MathType.004B5770
0048A05D |. 50 push eax
0048A05E |. 64:8925 00000000 mov dword ptr fs:[0],esp
0048A065 |. 83EC 4C sub esp,4C
0048A068 |. 53 push ebx
0048A069 |. 55 push ebp
0048A06A |. 56 push esi
0048A06B |. 8BF1 mov esi,ecx
0048A06D |. 57 push edi
0048A06E |. 8B7E 04 mov edi,dword ptr ds:[esi+4] ; 取假序列号个数16进制放入edi,假序列号个数为20个,16进制=14
0048A071 |. 85FF test edi,edi ; edi=00000014 测试
0048A073 |. 75 18 jnz short MathType.0048A08D ; 不为0就跳
0048A075 |. 5F pop edi
0048A076 |. 5E pop esi
0048A077 |. 5D pop ebp
0048A078 |. B8 04000000 mov eax,4
0048A07D |. 5B pop ebx
0048A07E |. 8B4C24 4C mov ecx,dword ptr ss:[esp+4C]
0048A082 |. 64:890D 00000000 mov dword ptr fs:[0],ecx
0048A089 |. 83C4 58 add esp,58
0048A08C |. C3 retn
0048A08D |> 83FF 12 cmp edi,12 ; 大于12不跳
0048A090 |. 0F8C B0010000 jl MathType.0048A246
0048A096 |. 83FF 14 cmp edi,14 ; 等于14,不跳
0048A099 |. 0F8F A7010000 jg MathType.0048A246
0048A09F |. 8B46 08 mov eax,dword ptr ds:[esi+8] ; 取假码地址入eax
0048A0A2 |. B3 2D mov bl,2D ; 2D放入bl
0048A0A4 |. 03C7 add eax,edi ; edi=00000014加假码地址eax=068AC130,结果等于68AC144放入eax
0048A0A6 |. 3858 F3 cmp byte ptr ds:[eax-D],bl ; bl=2D与假码第8位比较,相等则不跳
0048A0A9 |. 0F85 97010000 jnz MathType.0048A246
0048A0AF |. 3858 FA cmp byte ptr ds:[eax-6],bl ; bl=2D与假码第15位比较,相等则不跳
0048A0B2 |. 0F85 8E010000 jnz MathType.0048A246
0048A0B8 |. 33ED xor ebp,ebp ; ebp清0
0048A0BA |. 85FF test edi,edi ; edi=00000014 测试
0048A0BC |. 7E 23 jle short MathType.0048A0E1
0048A0BE |> 8B4E 08 /mov ecx,dword ptr ds:[esi+8] ; 取假码地址放入ecx
0048A0C1 |. 8A0429 |mov al,byte ptr ds:[ecx+ebp] ; 依次取假码一位数放入al
0048A0C4 |. 3AC3 |cmp al,bl ; bl、al比较
0048A0C6 |. 74 14 |je short MathType.0048A0DC ; 相等就跳
0048A0C8 |. 0FBED0 |movsx edx,al ; 依次取假码一位数放入edx
0048A0CB |. 52 |push edx ; 入栈
0048A0CC |. E8 CA900100 |call MathType.004A319B
0048A0D1 |. 83C4 04 |add esp,4 ; esp=0012EEF8+4=0012EEFC
0048A0D4 |. 85C0 |test eax,eax ; 测试eax=00000001
0048A0D6 |. 0F84 6A010000 |je MathType.0048A246 ; 等于0就跳
0048A0DC |> 45 |inc ebp ; ebp=00000000+1
0048A0DD |. 3BEF |cmp ebp,edi ; 比较edi=00000014和ebp=00000001
0048A0DF |.^ 7C DD \jl short MathType.0048A0BE ; 不相等就跳,循环开始
0048A0E1 |> 8D4C24 20 lea ecx,dword ptr ss:[esp+20] ; 堆栈地址=0012EF1C放入ecx
0048A0E5 |. E8 F67A0000 call MathType.00491BE0
0048A0EA |. 8D4424 20 lea eax,dword ptr ss:[esp+20]
0048A0EE |. 6A 02 push 2
0048A0F0 |. 50 push eax
0048A0F1 |. 68 60134E00 push MathType.004E1360 ; ASCII "RegNumPrefix"
0048A0F6 |. B9 A8654F00 mov ecx,MathType.004F65A8
0048A0FB |. C74424 70 00000000 mov dword ptr ss:[esp+70],0
0048A103 |. E8 D8E10000 call MathType.004982E0
0048A108 |. 8B4C24 24 mov ecx,dword ptr ss:[esp+24]
0048A10C |. 8B5424 28 mov edx,dword ptr ss:[esp+28]
0048A110 |. 51 push ecx
0048A111 |. 52 push edx
0048A112 |. 8BCE mov ecx,esi
0048A114 |. E8 177E0000 call MathType.00491F30 ; 假序列号前6位与“MTWE52”比较
0048A119 |. 85C0 test eax,eax ; 比较eax,不为0下面就跳
0048A11B |. 0F85 14010000 jnz MathType.0048A235 ; 跳就死!所以序列号前6位必须是“MTWE52”
0048A121 |. 8D4C24 38 lea ecx,dword ptr ss:[esp+38]
0048A125 |. E8 B67A0000 call MathType.00491BE0
0048A12A |. 8B46 08 mov eax,dword ptr ds:[esi+8]
0048A12D |. 8D4F F3 lea ecx,dword ptr ds:[edi-D]
0048A130 |. B3 01 mov bl,1
0048A132 |. 51 push ecx
0048A133 |. 50 push eax
0048A134 |. 8D4C24 40 lea ecx,dword ptr ss:[esp+40]
0048A138 |. 885C24 6C mov byte ptr ss:[esp+6C],bl
0048A13C |. E8 4F800000 call MathType.00492190
0048A141 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0048A145 |. E8 967A0000 call MathType.00491BE0
0048A14A |. 8B46 08 mov eax,dword ptr ds:[esi+8]
0048A14D |. 83C7 F4 add edi,-0C
0048A150 |. 6A 06 push 6
0048A152 |. 57 push edi
0048A153 |. 50 push eax
0048A154 |. 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
0048A158 |. C64424 70 02 mov byte ptr ss:[esp+70],2
0048A15D |. E8 BE7F0000 call MathType.00492120
0048A162 |. 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0048A166 |. E8 757A0000 call MathType.00491BE0
0048A16B |. 8B46 08 mov eax,dword ptr ds:[esi+8]
0048A16E |. 6A 05 push 5
0048A170 |. 50 push eax
0048A171 |. 8D4C24 34 lea ecx,dword ptr ss:[esp+34]
0048A175 |. C64424 6C 03 mov byte ptr ss:[esp+6C],3
0048A17A |. E8 31800000 call MathType.004921B0
0048A17F |. 8B4424 18 mov eax,dword ptr ss:[esp+18]
0048A183 |. 33FF xor edi,edi
0048A185 |. 85C0 test eax,eax
0048A187 |. 7E 1E jle short MathType.0048A1A7
0048A189 |> 8B5424 1C /mov edx,dword ptr ss:[esp+1C] ; / 序
0048A18D |. 0FBE043A |movsx eax,byte ptr ds:[edx+edi] | 列
0048A191 |. 50 |push eax | 号
0048A192 |. E8 878F0100 |call MathType.004A311E | 第
0048A197 |. 83C4 04 |add esp,4 | 二
0048A19A |. 85C0 |test eax,eax | 段
0048A19C |. 74 6E |je short MathType.0048A20C | 只
0048A19E |. 8B4424 18 |mov eax,dword ptr ss:[esp+18] | 能
0048A1A2 |. 47 |inc edi | 是
0048A1A3 |. 3BF8 |cmp edi,eax | 数
0048A1A5 |.^ 7C E2 \jl short MathType.0048A189 \ 字
0048A1A7 |> 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0048A1AB |. C74424 10 00000000 mov dword ptr ss:[esp+10],0
0048A1B3 |. 51 push ecx ; /lParam
0048A1B4 |. 68 00A44800 push MathType.0048A400 ; |Callback = MathType.0048A400
0048A1B9 |. FF15 F4734B00 call dword ptr ds:[<&USER32.EnumW>; \EnumWindows
0048A1BF |. 8B4424 10 mov eax,dword ptr ss:[esp+10]
0048A1C3 |. 85C0 test eax,eax
0048A1C5 |. 75 45 jnz short MathType.0048A20C
0048A1C7 |. 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
0048A1CB |. E8 107A0000 call MathType.00491BE0
0048A1D0 |. 8B4424 1C mov eax,dword ptr ss:[esp+1C]
0048A1D4 |. 8B4C24 40 mov ecx,dword ptr ss:[esp+40]
0048A1D8 |. 8D5424 44 lea edx,dword ptr ss:[esp+44]
0048A1DC |. C64424 64 04 mov byte ptr ss:[esp+64],4
0048A1E1 |. 52 push edx
0048A1E2 |. 50 push eax
0048A1E3 |. 51 push ecx
0048A1E4 |. E8 87FDFFFF call MathType.00489F70 ; 这里对序列号第一段和第二段进行计算,跟进③
0048A1E9 |. 8B5424 58 mov edx,dword ptr ss:[esp+58]
0048A1ED |. 83C4 0C add esp,0C
0048A1F0 |. 8D4C24 2C lea ecx,dword ptr ss:[esp+2C]
0048A1F4 |. 52 push edx
0048A1F5 |. E8 F67C0000 call MathType.00491EF0 ; 真假码最后一段进行比较
0048A1FA |. 85C0 test eax,eax ; 测试eax
0048A1FC |. 74 60 je short MathType.0048A25E ; 为0就跳,必须跳
0048A1FE |. C64424 64 03 mov byte ptr ss:[esp+64],3
0048A203 |. 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
....................以下代码略.................
0048A3F8 \. C3 retn
=========================================================================================================================
③call 00489F70
00489F70 /$ 8B5424 04 mov edx,dword ptr ss:[esp+4]
00489F74 |. 83EC 08 sub esp,8
00489F77 |. 83C9 FF or ecx,FFFFFFFF
00489F7A |. 33C0 xor eax,eax
00489F7C |. 53 push ebx
00489F7D |. 55 push ebp
00489F7E |. 56 push esi
00489F7F |. 57 push edi
00489F80 |. 8BFA mov edi,edx
00489F82 |. 6A 24 push 24
00489F84 |. F2:AE repne scas byte ptr es:[edi]
00489F86 |. F7D1 not ecx
00489F88 |. 49 dec ecx
00489F89 |. 33FF xor edi,edi
00489F8B |. 57 push edi
00489F8C |. 8D4411 FB lea eax,dword ptr ds:[ecx+edx-5] ; 取假序列号第一段后5位放入eax
00489F90 |. 50 push eax ; 入栈
00489F91 |. E8 CE960100 call MathType.004A3664 ; 计算,跟进④
00489F96 |. 8BE8 mov ebp,eax
00489F98 |. 8B4424 2C mov eax,dword ptr ss:[esp+2C] ; 取假码第二段放入eax
00489F9C |. 6A 24 push 24 ; 24入栈
00489F9E |. 57 push edi ; edi=00000000入栈
00489F9F |. 50 push eax ; 入栈
00489FA0 |. E8 BF960100 call MathType.004A3664 ; 第二段计算方式与第一段后五位一样
00489FA5 |. 8BD8 mov ebx,eax
00489FA7 |. 83C4 18 add esp,18
00489FAA |. 3BDF cmp ebx,edi
00489FAC |. 75 05 jnz short MathType.00489FB3
00489FAE |. BB 01000000 mov ebx,1
00489FB3 |> 8B7424 24 mov esi,dword ptr ss:[esp+24]
00489FB7 |. 6A 22 push 22
00489FB9 |. 6A 28 push 28
00489FBB |. 8BCE mov ecx,esi
00489FBD |. E8 2E7D0000 call MathType.00491CF0
00489FC2 |. 895C24 14 mov dword ptr ss:[esp+14],ebx ; 第二段计算结果放入[esp+14]指向地址内
00489FC6 |. 897C24 18 mov dword ptr ss:[esp+18],edi
00489FCA |. DF6C24 14 fild qword ptr ss:[esp+14]
00489FCE |. 896C24 14 mov dword ptr ss:[esp+14],ebp ; 第二段计算结果放入[esp+14]指向地址内
00489FD2 |. 897C24 18 mov dword ptr ss:[esp+18],edi
00489FD6 |. DF6C24 14 fild qword ptr ss:[esp+14]
00489FDA |. 50 push eax
00489FDB |. DEC9 fmulp st(1),st ; st(0)=假码第一段后五位字符计算结果16进制转换成1进制*st(1)假码第二段计算结果16进制转换成10进制,结果放入st(1)
00489FDD |. DD05 50894B00 fld qword ptr ds:[4B8950] ; 将地址[4B8950]内的固定值:44099087装入st(1)
00489FE3 |. E8 62B50100 call MathType.004A554A ; 计算,跟进⑥
00489FE8 |. DC05 48894B00 fadd qword ptr ds:[4B8948] ; st(0)+[004B848]地址内固定的值:1336337
00489FEE |. E8 799A0100 call MathType.004A3A6C
00489FF3 |. 50 push eax
00489FF4 |. E8 089A0100 call MathType.004A3A01 ; 这里计算出序列号最后一段,跟进⑦
00489FF9 |. 83C4 0C add esp,0C
00489FFC |. 8BCE mov ecx,esi
00489FFE |. E8 1D7D0000 call MathType.00491D20
0048A003 |. 397E 04 cmp dword ptr ds:[esi+4],edi
0048A006 |. 7E 3D jle short MathType.0048A045
0048A008 |> 8B4E 08 /mov ecx,dword ptr ds:[esi+8] ; 这里的循环将计算出的序列号最后一段小写字符转换成大写
0048A00B |. 8A0439 |mov al,byte ptr ds:[ecx+edi]
0048A00E |. 3C 49 |cmp al,49
0048A010 |. 74 21 |je short MathType.0048A033
0048A012 |. 3C 69 |cmp al,69
0048A014 |. 74 1D |je short MathType.0048A033
0048A016 |. 3C 4F |cmp al,4F
0048A018 |. 74 14 |je short MathType.0048A02E
0048A01A |. 3C 6F |cmp al,6F
0048A01C |. 74 10 |je short MathType.0048A02E
0048A01E |. 0FBED0 |movsx edx,al
0048A021 |. 57 |push edi
0048A022 |. 52 |push edx
0048A023 |. E8 46B00100 |call MathType.004A506E
0048A028 |. 83C4 04 |add esp,4
0048A02B |. 50 |push eax
0048A02C |. EB 08 |jmp short MathType.0048A036
0048A02E |> 57 |push edi
0048A02F |. 6A 5A |push 5A
0048A031 |. EB 03 |jmp short MathType.0048A036
0048A033 |> 57 |push edi
0048A034 |. 6A 59 |push 59
0048A036 |> 8BCE |mov ecx,esi
0048A038 |. E8 C3800000 |call MathType.00492100
0048A03D |. 8B46 04 |mov eax,dword ptr ds:[esi+4]
0048A040 |. 47 |inc edi
0048A041 |. 3BF8 |cmp edi,eax
0048A043 |.^ 7C C3 \jl short MathType.0048A008
0048A045 |> 5F pop edi
0048A046 |. 5E pop esi
0048A047 |. 5D pop ebp
0048A048 |. 5B pop ebx
0048A049 |. 83C4 08 add esp,8
0048A04C \. C3 retn
===========================================================================================================
④call 004A3664
004A3664 /$ 6A 01 push 1
004A3666 |. FF7424 10 push dword ptr ss:[esp+10]
004A366A |. FF7424 10 push dword ptr ss:[esp+10]
004A366E |. FF7424 10 push dword ptr ss:[esp+10]
004A3672 |. E8 E5FDFFFF call MathType.004A345C ; 跟!!!⑤
004A3677 |. 83C4 10 add esp,10
004A367A \. C3 retn
============================================================================================================================
⑤call 004A345C:
004A345C /$ 55 push ebp ; ebp=00000014入栈
............代码略.................
004A3521 |> 83C8 FF or eax,FFFFFFFF
004A3524 |. 33D2 xor edx,edx
004A3526 |. F775 10 div dword ptr ss:[ebp+10]
004A3529 |. BF 03010000 mov edi,103
004A352E |. 8945 F4 mov dword ptr ss:[ebp-C],eax
004A3531 |> 833D 5C294E00 01 /cmp dword ptr ds:[4E295C],1
004A3538 |. 0FB6F3 |movzx esi,bl ; 依次取假码第一段后五位放入esi
004A353B |. 7E 0C |jle short MathType.004A3549 ; 跳
004A353D |. 6A 04 |push 4
004A353F |. 56 |push esi
004A3540 |. E8 22420000 |call MathType.004A7767
004A3545 |. 59 |pop ecx
004A3546 |. 59 |pop ecx
004A3547 |. EB 0B |jmp short MathType.004A3554
004A3549 |> A1 50274E00 |mov eax,dword ptr ds:[4E2750]
004A354E |. 8A0470 |mov al,byte ptr ds:[eax+esi*2]
004A3551 |. 83E0 04 |and eax,4 ; 与运算
004A3554 |> 85C0 |test eax,eax ; 与运算结果为0就跳,不等于0不跳,如果假码是字符就跳去和37进行减法运算,如果是数字不跳,就与30进行减法运算
004A3556 |. 74 08 |je short MathType.004A3560
004A3558 |. 0FBECB |movsx ecx,bl
004A355B |. 83E9 30 |sub ecx,30
004A355E |. EB 32 |jmp short MathType.004A3592
004A3560 |> 833D 5C294E00 01 |cmp dword ptr ds:[4E295C],1
004A3567 |. 7E 0B |jle short MathType.004A3574
004A3569 |. 57 |push edi
004A356A |. 56 |push esi
004A356B |. E8 F7410000 |call MathType.004A7767
004A3570 |. 59 |pop ecx
004A3571 |. 59 |pop ecx
004A3572 |. EB 0B |jmp short MathType.004A357F
004A3574 |> A1 50274E00 |mov eax,dword ptr ds:[4E2750]
004A3579 |. 66:8B0470 |mov ax,word ptr ds:[eax+esi*2]
004A357D |. 23C7 |and eax,edi
004A357F |> 85C0 |test eax,eax
004A3581 |. 74 4A |je short MathType.004A35CD
004A3583 |. 0FBEC3 |movsx eax,bl ; 依次取假码第一段后五位字符的Hex值放入eax
004A3586 |. 50 |push eax
004A3587 |. E8 E21A0000 |call MathType.004A506E
004A358C |. 59 |pop ecx
004A358D |. 8BC8 |mov ecx,eax ; eax放入ecx
004A358F |. 83E9 37 |sub ecx,37 ; ecx-37,减法运算,依次取假码第一段后五位字符的Hex值减37,结果放入ecx参与下面的运算
004A3592 |> 3B4D 10 |cmp ecx,dword ptr ss:[ebp+10]
004A3595 |. 73 36 |jnb short MathType.004A35CD
004A3597 |. 8B75 F8 |mov esi,dword ptr ss:[ebp-8] ; [ebp-8]指向地址[0012EEA4]的值放入esi
004A359A |. 834D 14 08 |or dword ptr ss:[ebp+14],8
004A359E |. 3B75 F4 |cmp esi,dword ptr ss:[ebp-C]
004A35A1 |. 72 14 |jb short MathType.004A35B7
004A35A3 |. 75 0C |jnz short MathType.004A35B1
004A35A5 |. 83C8 FF |or eax,FFFFFFFF
004A35A8 |. 33D2 |xor edx,edx
004A35AA |. F775 10 |div dword ptr ss:[ebp+10]
004A35AD |. 3BCA |cmp ecx,edx
004A35AF |. 76 06 |jbe short MathType.004A35B7
004A35B1 |> 834D 14 04 |or dword ptr ss:[ebp+14],4
004A35B5 |. EB 09 |jmp short MathType.004A35C0
004A35B7 |> 0FAF75 10 |imul esi,dword ptr ss:[ebp+10] ; esi乘以固定值24,结果放入esi
004A35BB |. 03F1 |add esi,ecx ; esi+上面减法运算的结果,计算结果放入esi
004A35BD |. 8975 F8 |mov dword ptr ss:[ebp-8],esi ; esi放入[ebp-8]指向地址[0012EEA4]中
004A35C0 |> 8B45 FC |mov eax,dword ptr ss:[ebp-4]
004A35C3 |. FF45 FC |inc dword ptr ss:[ebp-4] ; [ebp-4]-1
004A35C6 |. 8A18 |mov bl,byte ptr ds:[eax]
004A35C8 |.^ E9 64FFFFFF \jmp MathType.004A3531
004A35CD |> 8B4D 14 mov ecx,dword ptr ss:[ebp+14]
...................以下代码略..................
004A3663 \. C3 retn
============================================================================================================================
⑥call 004A554A:
004A554A $ BA 30264E00 mov edx,MathType.004E2630 ; 004E2630=MathType.004E2630 (ASCII 04,"fmod")放入edx,此时edx=0000001
004A554F . E9 AC5B0000 jmp MathType.004AB100 ; 无条件跳转
004A5554 . D9C9 fxch st(1)
004A5556 > 833D C46D4F00 01 cmp dword ptr ds:[4F6DC4],1
004A555D . 74 04 je short MathType.004A5563
004A555F . D9F8 fprem ; 取余数,st(0) MOD st(1) 结果放入st(0)
004A5561 . EB 05 jmp short MathType.004A5568
004A5563 > E8 C4690000 call MathType.004ABF2C
004A5568 > 9B wait
004A5569 . DFE0 fstsw ax
004A556B . 9B wait
004A556C . 9E sahf
004A556D . 7A E7 jpe short MathType.004A5556
004A556F . DDD9 fstp st(1)
004A5571 . C3 retn
=============================================================================================================================
⑦call 004A3A01
004A3A01 /$ 6A 00 push 0 ; /Arg4 = 00000000
004A3A03 |. FF7424 10 push dword ptr ss:[esp+10] ; |Arg3
004A3A07 |. FF7424 10 push dword ptr ss:[esp+10] ; |Arg2
004A3A0B |. FF7424 10 push dword ptr ss:[esp+10] ; |Arg1
004A3A0F |. E8 67FFFFFF call MathType.004A397B ; \计算,跟进!⑧
004A3A14 |. 8B4424 18 mov eax,dword ptr ss:[esp+18]
004A3A18 |. 83C4 10 add esp,10
004A3A1B \. C3 retn
==========================================================================================================================
⑧call MathType.004A397B
004A397B /$ 55 push ebp
004A397C |. 8BEC mov ebp,esp
004A397E |. 837D 14 00 cmp dword ptr ss:[ebp+14],0
004A3982 |. 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
004A3985 |. 53 push ebx
004A3986 |. 56 push esi
004A3987 |. 57 push edi
004A3988 |. 74 0B je short MathType.004A3995
004A398A |. 8B75 08 mov esi,dword ptr ss:[ebp+8]
004A398D |. C601 2D mov byte ptr ds:[ecx],2D
004A3990 |. 41 inc ecx
004A3991 |. F7DE neg esi
004A3993 |. EB 03 jmp short MathType.004A3998
004A3995 |> 8B75 08 mov esi,dword ptr ss:[ebp+8]
004A3998 |> 8BF9 mov edi,ecx
004A399A |> 8BC6 /mov eax,esi
004A399C |. 33D2 |xor edx,edx
004A399E |. F775 10 |div dword ptr ss:[ebp+10] ; eax除以22,结果放入eax,eax MOD 22结果放入dx
004A39A1 |. 8BC6 |mov eax,esi
004A39A3 |. 8BDA |mov ebx,edx
004A39A5 |. 33D2 |xor edx,edx
004A39A7 |. F775 10 |div dword ptr ss:[ebp+10] ; ebx MOD 22 结果放入edx
004A39AA |. 83FB 09 |cmp ebx,9 ; 比较ebx和9,
004A39AD |. 8BF0 |mov esi,eax
004A39AF |. 76 05 |jbe short MathType.004A39B6 ; edx大于9不跳,则ebx+57,小于或等于9则跳去+30
004A39B1 |. 80C3 57 |add bl,57
004A39B4 |. EB 03 |jmp short MathType.004A39B9
004A39B6 |> 80C3 30 |add bl,30
004A39B9 |> 8819 |mov byte ptr ds:[ecx],bl
004A39BB |. 41 |inc ecx
004A39BC |. 85F6 |test esi,esi
004A39BE |.^ 77 DA \ja short MathType.004A399A
004A39C0 |. 8021 00 and byte ptr ds:[ecx],0
004A39C3 |. 49 dec ecx
004A39C4 |> 8A17 mov dl,byte ptr ds:[edi]
004A39C6 |. 8A01 mov al,byte ptr ds:[ecx]
004A39C8 |. 8811 mov byte ptr ds:[ecx],dl
004A39CA |. 8807 mov byte ptr ds:[edi],al
004A39CC |. 49 dec ecx
004A39CD |. 47 inc edi
004A39CE |. 3BF9 cmp edi,ecx
004A39D0 |.^ 72 F2 jb short MathType.004A39C4
004A39D2 |. 5F pop edi
004A39D3 |. 5E pop esi
004A39D4 |. 5B pop ebx
004A39D5 |. 5D pop ebp
004A39D6 \. C3 retn
****************************************************************************************************************************
至此,计算完毕,计算过程如下:
输入假码:MTWE528-123456-98765
假码第一段后五位字符:WE528 Hex为:57 45 35 32 38
(W)57-37+0*24=20
(E)45-37+20*24=48E
(5)35-30+48E*24=A3FD
(2)32-30+A3FD*24=170F96
(8)38-30+170F96*24=33E3120
假码第二段6位字符:123456 Hex为:31 32 33 34 35 36
(31)31-30+0*24=1
(32)32-30+1*24=26
(33)33-30+26*24=55B
(34)34-30+55B*24=C0D0
(35)35-30+C0D0*24=1B1D45
(36)36-30+1B1D45*24=3D01DBA
注:24、37、30为固定值。(字符为字母减37、为数字减30)
“33E3120”10进制转换=54407456
“3D01DBA”10进制转换=63970746
54407456*63970746=3480485548282176
3480485548282176 MOD 44099087(固定值) = 33284080
33284080+1336337(固定值)=34620417
“34620417”16进制转换=2104401
2104401/22=F8987
2104401 MOD 22 =13
13(大于9)+57=6A(j)
F8987/22=74FC
F8987 MOD 22 =F
f(大于9)+57=66(f)
74FC/22=370
74FC MOD 22=1C
1C(大于9)+57=73(s)
370/22=19
370 MOD 22=1E
1E(大于9)+57=75(u)
19/22=0
19 MOD 22=19
19(大于9)+57=70(p)
注22为固定值。
最后得出真注册码为:MTWE528-123456-PUSFJ
★★★特别提示,注册码第一段最后一位数只能是4或8,如不是4或8,计算出来的注册码也无法注册成功★★★
=========================================================================================================================
好好学习(恨浩[PCG][PYG])
2005.3.24
************************************************************************************************************************
爆文:
MandSoft 屏幕录像软件,爆破实录!
【软件主页】:http://www.mandsoft.com/
【破解工具】:OllyDbg、PEiD、
【本文作者】:好好学习(恨浩[PCG][PYG])
【目标下载】:http://www.431stock.net/bbs/UploadFile/20053238115825123.rar
PEiD检测Screen Movie Studio.exe无壳。
用OD加载MathType.exe,F9运行,回到OD界面,点“查看”==〉“执行模块”,双击USER32,查找user32模块中F3A58BC883E103处的地址为77CF0EFE是我机器的万能断点,在77CF0EFE处F2下断,再回到Screen Movie Studio界面,输入用户名“henhao”,假码:“123456”,点“OK”,程序被OD拦截在77CF0EFE处,F2取消断点,Alt+F9回到程序代码中。
一路F8来到这里:
0041AFFA |> \B9 80DA4400 mov ecx,Screen_M.0044DA80 ; ASCII "henhao"
0041AFFF |. E8 181BFFFF call Screen_M.0040CB1C
0041B004 |. 68 DB010000 push 1DB ; /Arg1 = 000001DB
0041B009 |. B9 80DA4400 mov ecx,Screen_M.0044DA80 ; |ASCII "henhao"
0041B00E |. E8 771BFFFF call Screen_M.0040CB8A ; \Screen_M.0040CB8A
0041B013 3D 9C000000 cmp eax,9C
0041B018 |. 74 1D je short Screen_M.0041B037 ; 必须跳!跳过去就注册成功
0041B01A |. 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0041B01C |. 68 DC954400 push Screen_M.004495DC ; |Title = "Screen Movie Studio"
0041B021 |. 68 F0954400 push Screen_M.004495F0 ; |Text = "Not a valid key"
0041B026 |. 8B4D 08 mov ecx,dword ptr ss:[ebp+8] ; |
0041B029 |. 51 push ecx ; |hOwner
0041B02A |. FF15 C8024400 call dword ptr ds:[<&USER32.Messa>; \注册失败对话框
0041B030 |. B8 01000000 mov eax,1
0041B035 |. EB 3D jmp short Screen_M.0041B074
0041B037 |> 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0041B039 |. 68 00964400 push Screen_M.00449600 ; |Title = "Screen Movie Studio"
0041B03E |. 68 14964400 push Screen_M.00449614 ; |Text = "Thank you for purchasing Screen Movie Studio!"
0041B043 |. 8B55 08 mov edx,dword ptr ss:[ebp+8] ; |
0041B046 |. 52 push edx ; |hOwner
0041B047 |. FF15 C8024400 call dword ptr ds:[<&USER32.Messa>; \注册成功对话框
0041B018 |. 74 1D je short Screen_M.0041B037
改为:
0041B018 |. EB 1D jmp short Screen_M.0041B037
保存修改以后,运行程序,启动还要求注册,TNND~~~!肯定是读注册表,再用OD加载程序。
在“Command”框中输入“ bpx R”回车,将所有“Reg”开头的函数全部下断。
F9运行程序,断下来,F2取消断点,F9再运行,直到程序运行,并出现注册对话框。
来到这里:
00414518 |. FF15 98034400 call dword ptr ds:[<&USER32.Regis>; \RegisterHotKey ; 停在这里
0041451E |. 85C0 test eax,eax
00414520 |. 75 5C jnz short Screen_M.0041457E
00414522 |. 8B55 0C mov edx,dword ptr ss:[ebp+C]
00414525 |. 81E2 FF000000 and edx,0FF
0041452B |. 85D2 test edx,edx
0041452D |. 74 4F je short Screen_M.0041457E
0041452F |. C645 BC 01 mov byte ptr ss:[ebp-44],1
00414533 |. 68 5C844400 push Screen_M.0044845C ; ASCII "
AutoPan: "
00414538 |. 8D85 BCFEFFFF lea eax,dword ptr ss:[ebp-144]
0041453E |. 50 push eax
0041453F |. E8 EC120100 call Screen_M.00425830
00414544 |. 83C4 08 add esp,8
00414547 |. 8B8D B8FEFFFF mov ecx,dword ptr ss:[ebp-148]
0041454D |. 8B51 20 mov edx,dword ptr ds:[ecx+20]
00414550 |. 52 push edx ; /Arg3
00414551 |. 8B85 B8FEFFFF mov eax,dword ptr ss:[ebp-148] ; |
00414557 |. 8B48 1C mov ecx,dword ptr ds:[eax+1C] ; |
0041455A |. 51 push ecx ; |Arg2
0041455B |. 8D55 C0 lea edx,dword ptr ss:[ebp-40] ; |
0041455E |. 52 push edx ; |Arg1
0041455F |. E8 4A130000 call Screen_M.004158AE ; \Screen_M.004158AE
00414564 |. 83C4 0C add esp,0C
00414567 |. 85C0 test eax,eax
00414569 |. 74 13 je short Screen_M.0041457E
0041456B |. 8D45 C0 lea eax,dword ptr ss:[ebp-40]
..................以下代码略................................
00414606 |. 5D pop ebp
00414607 \. C3 retn
===========================================================================================================================
在00414518处下断。f9运行!断在00414518处,一路f8走出这个call来到这里:
00402F54 |. B9 80DA4400 mov ecx,Screen_M.0044DA80 ; 停在这里!
00402F59 |. E8 BE9B0000 call Screen_M.0040CB1C
00402F5E |. 68 75050000 push 575 ; /Arg1 = 00000575
00402F63 |. B9 80DA4400 mov ecx,Screen_M.0044DA80 ; |ASCII "henhao"
00402F68 |. E8 1D9C0000 call Screen_M.0040CB8A ; \Screen_M.0040CB8A
00402F6D |. 3D BA020000 cmp eax,2BA
00402F72 |. 74 1F je short Screen_M.00402F93 ; 必须跳,不跳就OVER
00402F74 |. 6A 00 push 0
00402F76 |. 68 819C0000 push 9C81
00402F7B |. 68 11010000 push 111
00402F80 |. B9 78E04400 mov ecx,Screen_M.0044E078
00402F85 |. E8 C7230200 call Screen_M.00425351
00402F8A |. 50 push eax ; |hWnd
00402F8B |. FF15 54034400 call dword ptr ds:[<&USER32.SendM>; \运行到这里,注册对话框就出来了!
00402F91 |. EB 0A jmp short Screen_M.00402F9D
00402F93 |> B9 70E04400 mov ecx,Screen_M.0044E070
====================================================================================================================
00402F72 |. 74 1F je short Screen_M.00402F93
改为:
00402F72 |. EB 1F jmp short Screen_M.00402F93 ; 嘭~~~彻底爆了!
=====================================================================================================================
谢谢各位看官观赏爆破过程!
(完)
好好学习(恨浩[PCG][PYG])
2005.3.24