WinImage 7.0.7000 注册算法分析

日期:2005年5月11日  破解人:Baby2008

-------------------------------------------------------------------------------------------------------------------------
『软件名称』:WinImage 7.0.7000
『软件大小』:582KB
『下载地址』:http://www.winimage.com/download.htm

『软件介绍』:WinImage是一个强大的磁盘实用工具,它允许用户创建一张软盘的映像,从映像中提取文件,创建一个空的映像,把一个镜像

恢复到空白的软盘上,等等。它还支持很多标准和非标准的磁盘格式,包括微软的DMF格式。它如同 Ghost 是一套可将文件或是文件夹制成 

Image文件的程序,然后完整复制至另一硬盘的工具,它与 Ghost不同的是,它可直接将映像文件分割成数块存储至 A:软盘中,另外程序提供制

作与还原程序、使用起来相当的方便。

『保护方式』:注册码保护,使用时间30天限制
『破解声明』:初学Crack,只是感兴趣,失误之处敬请诸位大侠赐教!
『破解工具』:OllyDbg.V1.10 聆风听雨汉化第二版、PeID 0.93
『破解过程』:

    PeID查壳,Nothing found *,直接OD载入,F9运行,输入注册信息,Name:Baby2008,Registration Code:1234567890,切换到OD窗口,下断bp 

GetWindowTextA,点击OK按钮,OD中断在:

77D6AC06 >  8BFF            mov edi,edi                              ; 中断在这里
77D6AC08    55              push ebp
77D6AC09    8BEC            mov ebp,esp
77D6AC0B    FF75 0C         push dword ptr ss:[ebp+C]
77D6AC0E    FF75 08         push dword ptr ss:[ebp+8]
77D6AC11    E8 8EA6FBFF     call USER32.GetDlgItem
77D6AC16    85C0            test eax,eax
77D6AC18    74 0E           je short USER32.77D6AC28
77D6AC1A    FF75 14         push dword ptr ss:[ebp+14]
77D6AC1D    FF75 10         push dword ptr ss:[ebp+10]
77D6AC20    50              push eax
77D6AC21    E8 084CFDFF     call USER32.GetWindowTextA
77D6AC26    EB 0E           jmp short USER32.77D6AC36
77D6AC28    837D 14 00      cmp dword ptr ss:[ebp+14],0
77D6AC2C    74 06           je short USER32.77D6AC34
77D6AC2E    8B45 10         mov eax,dword ptr ss:[ebp+10]
77D6AC31    C600 00         mov byte ptr ds:[eax],0
77D6AC34    33C0            xor eax,eax
77D6AC36    5D              pop ebp
77D6AC37    C2 1000         retn 10

取消断点,Alt+F9返回:

0043AE70    53              push ebx
0043AE71    57              push edi
0043AE72    68 01010000     push 101
0043AE77    BB D01A4600     mov ebx,winimage.00461AD0                      ; ASCII "Baby2008"
0043AE7C    53              push ebx
0043AE7D    68 16080000     push 816
0043AE82    FF75 08         push dword ptr ss:[ebp+8]
0043AE85    FFD6            call esi
0043AE87    6A 7F           push 7F                                        ; 返回这里
0043AE89    BF 401E4600     mov edi,winimage.00461E40                      ; ASCII "1234567890"
0043AE8E    57              push edi
0043AE8F    68 17080000     push 817
0043AE94    FF75 08         push dword ptr ss:[ebp+8]
0043AE97    FFD6            call esi
0043AE99    68 90174600     push winimage.00461790
0043AE9E    57              push edi                                       ; 试炼码
0043AE9F    53              push ebx                                       ; 注册名
0043AEA0    E8 1FDA0000     call winimage.004488C4                         ; 关键,跟进!
0043AEA5    8B0D 90174600   mov ecx,dword ptr ds:[461790]
0043AEAB    83C4 0C         add esp,0C
0043AEAE    33D2            xor edx,edx
0043AEB0    3BC2            cmp eax,edx
0043AEB2    5F              pop edi
0043AEB3    A3 00224600     mov dword ptr ds:[462200],eax
0043AEB8    5B              pop ebx
-------------------------------------------------------------------------------------------------------------------------

跟进0043AEA0    E8 1FDA0000     call winimage.004488C4:
-------------------------------------------------------------------------------------------------------------------------
004488C4    55              push ebp
004488C5    8BEC            mov ebp,esp
004488C7    81EC 00020000   sub esp,200
004488CD    56              push esi
004488CE    8B75 10         mov esi,dword ptr ss:[ebp+10]
004488D1    85F6            test esi,esi
004488D3    57              push edi
004488D4    74 03           je short winimage.004488D9
004488D6    8326 00         and dword ptr ds:[esi],0
004488D9    FF75 0C         push dword ptr ss:[ebp+C]
004488DC    8D85 00FFFFFF   lea eax,dword ptr ss:[ebp-100]
004488E2    50              push eax
004488E3    E8 E2FEFFFF     call winimage.004487CA
004488E8    FF75 08         push dword ptr ss:[ebp+8]                      ; 用户名
004488EB    E8 06FFFFFF     call winimage.004487F6                         ; F(用户名),关键函数
004488F0    8BF8            mov edi,eax
004488F2    83C4 0C         add esp,0C
004488F5    81FF 26DDDCB8   cmp edi,B8DCDD26
004488FB    0F84 B2010000   je winimage.00448AB3
00448901    8D85 00FFFFFF   lea eax,dword ptr ss:[ebp-100]                 ; 试炼码
00448907    50              push eax
00448908    8D85 00FEFFFF   lea eax,dword ptr ss:[ebp-200]
0044890E    57              push edi
0044890F    50              push eax
00448910    E8 63FFFFFF     call winimage.00448878                         ; IntToHex(F(用户名))
00448915    59              pop ecx
00448916    59              pop ecx
00448917    50              push eax
00448918    E8 634B0000     call <jmp.&CRTDLL.strcmp>                      ; 明码比较
0044891D    85C0            test eax,eax
0044891F    59              pop ecx
00448920    59              pop ecx
00448921    0F84 54010000   je winimage.00448A7B                           ; 爆破
00448927    8D85 00FFFFFF   lea eax,dword ptr ss:[ebp-100]
0044892D    50              push eax
0044892E    8D87 48190514   lea eax,dword ptr ds:[edi+14051948]
00448934    50              push eax
00448935    8D85 00FEFFFF   lea eax,dword ptr ss:[ebp-200]
0044893B    50              push eax
0044893C    E8 37FFFFFF     call winimage.00448878
00448941    59              pop ecx
00448942    59              pop ecx
00448943    50              push eax
-------------------------------------------------------------------------------------------------------------------------
明码比较,验证方式为 F(注册名)=注册码(strcmp 直接比较明文,期望的注册码在比较前已经出现在内存中),跟进004488EB    E8 06FFFFFF     call winimage.004487F6:
-------------------------------------------------------------------------------------------------------------------------
004487F6    55              push ebp
004487F7    8BEC            mov ebp,esp
004487F9    81EC 08010000   sub esp,108
004487FF    FF75 08         push dword ptr ss:[ebp+8]                      ; 注册名
00448802    8D85 F8FEFFFF   lea eax,dword ptr ss:[ebp-108]
00448808    50              push eax
00448809    C745 FC 4C69470>mov dword ptr ss:[ebp-4],winimage.0047694C     ; Sum,累计初始值$0047694C
00448810    E8 B5FFFFFF     call winimage.004487CA                         ; CharUpperA函数,将注册名转为大写
00448815    59              pop ecx                                        ; CharUpperA(注册名)
00448816    59              pop ecx                                        ; 注册名
00448817    8D85 F8FEFFFF   lea eax,dword ptr ss:[ebp-108]                 ; CharUpperA(注册名)
0044881D    50              push eax
0044881E    FF15 98124500   call dword ptr ds:[<&KERNEL32.lstrlenA>]       ; kernel32.lstrlenA
00448824    33C9            xor ecx,ecx                                    ; i,初始值=0
00448826    85C0            test eax,eax                                   ; Eax=Length(Name)注册名长度
00448828    8945 F8         mov dword ptr ss:[ebp-8],eax                   ; 保存长度
0044882B    7E 46           jle short winimage.00448873                    ; 长度<=0结束
0044882D    53              push ebx                                       ; 注册名
0044882E    56              push esi
0044882F    8B75 F8         mov esi,dword ptr ss:[ebp-8]                   ; ESI初始值=注册名长度
00448832    57              push edi                                       ; 试炼码
00448833    8DBD F8FEFFFF   lea edi,dword ptr ss:[ebp-108]                 ; =CharUpperA(注册名)
00448839    83EF 03         sub edi,3                                      ; Edi-3
0044883C    8BC1            mov eax,ecx                                    ; ECX=i
0044883E    6A 0E           push 0E
00448840    99              cdq
00448841    5B              pop ebx                                        ; EBX=0E
00448842    F7FB            idiv ebx                                       ; i DIV 0E
00448844    85D2            test edx,edx                                   ; EDX=i Mod 0E
00448846    75 03           jnz short winimage.0044884B                    ; 如果余数等于0,则ESI=27
00448848    6A 27           push 27
0044884A    5E              pop esi                                        ; ESI=27
0044884B    8D41 03         lea eax,dword ptr ds:[ecx+3]                   ; EAX=i+3
0044884E    0FB61407        movzx edx,byte ptr ds:[edi+eax]                ; Name[i+1]
00448852    0FAFD6          imul edx,esi                                   ; Name[i]*ESI
00448855    0155 FC         add dword ptr ss:[ebp-4],edx                   ; Sum=Sum+Name[i]*ESI
00448858    6A 0E           push 0E
0044885A    99              cdq
0044885B    5B              pop ebx                                        ; EBX=0E
0044885C    F7FB            idiv ebx                                       ; i+3 div 0E
0044885E    85D2            test edx,edx
00448860    74 05           je short winimage.00448867
00448862    8D3476          lea esi,dword ptr ds:[esi+esi*2]               ; ESI=ESI*3
00448865    EB 03           jmp short winimage.0044886A
00448867    6BF6 07         imul esi,esi,7                                 ; 如果余数为0,ESI=ESI*7
0044886A    41              inc ecx                                        ; i=i+1
0044886B    3B4D F8         cmp ecx,dword ptr ss:[ebp-8]                   ; Length(用户名)
0044886E  ^ 7C CC           jl short winimage.0044883C
00448870    5F              pop edi
00448871    5E              pop esi
00448872    5B              pop ebx
00448873    8B45 FC         mov eax,dword ptr ss:[ebp-4]
00448876    C9              leave
00448877    C3              retn
-------------------------------------------------------------------------------------------------------------------------
『算法总结』
程序采用 F(注册名)=注册码 的形式进行注册验证,F() 只是一个对大写注册名逐字节加权求和的简单校验(没有密钥、没有非线性,不具备任何密码学强度)。注意程序内的乘法和累加都是 32 位寄存器运算,会无声地回绕,注册机在 Delphi 下必须关闭溢出检查({$Q-})才能对长注册名得到与程序一致的结果。Delphi 7.0注册机源代码如下:
Procedure TForm1.btn3Click(Sender: TObject);
Var
  i, Sum, ESI: Integer;
  Name: String;
Begin
  Name := UpperCase(edt1.Text);
  ESI := Length(Name);
  Sum := $0047694C;
  If Length(Name) = 0 Then Exit; //注册名不能为空
  For i := 0 To Length(Name) - 1 Do
  Begin
    If (i Mod $0E) = 0 Then ESI := $27;
    Sum := Sum + Ord(Name[i + 1]) * ESI;
    If ((i + 3) Mod $0E) = 0 Then ESI := ESI * 7 Else ESI := ESI * 3;
  End;

  edt2.Text := IntToHex(Sum, 0);
End;


我的注册信息,需要做EZBoot光盘的朋友不妨试试:
Name=Baby2008
Registration Code=806B3B(注:按上面列出的算法对 BABY2008 手工推算得到的是 B06838,与此值不一致,请以注册机实际输出及程序验证结果为准)



                                                     
                                                -完-