TESEI Image Collection 1.3件算法分析-菜鸟篇
【文章作者】: tzl
【作者邮箱】: 无
【软件名称】: TESEI Image Collection 1.3
【软件大小】: 794KB
【下载地址】: http://www.newhua.com/soft/49685.htm
【加壳方式】: UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
【保护方式】: 注册码
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: OD PEID
【操作平台】: XP SP2
【软件介绍】: 是帮助管理数字照片和其他图片的全新软件。可以轻松放置照片到收藏集并添加评注,可通过评注查找照片,可使用多种不同特效进行幻灯浏览。
今天不忙,花了点时间,运气不错,算法还算简单,菜鸟学习算法的好软件。
一、查壳,UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub,普通壳,略去脱壳过程。
二、查看字符串相关信息,我们可以在这里下断开始分析,用户名:tigerisme 试练码:1234-5678-9876-5432
004B30BD |. 55 push ebp
004B30BE |. 68 6F344B00 push tic_exe.004B346F
004B30C3 |. 64:FF30 push dword ptr fs:[eax]
004B30C6 |. 64:8920 mov dword ptr fs:[eax],esp
004B30C9 |. 33F6 xor esi,esi
004B30CB |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
004B30CE |. 8B83 20030000 mov eax,dword ptr ds:[ebx+320]
004B30D4 |. E8 7FC7FAFF call tic_exe.0045F858
004B30D9 |. 837D FC 00 cmp dword ptr ss:[ebp-4],0
004B30DD |. 0F84 B0010000 je tic_exe.004B3293 ; 第一组注册码不能为0
004B30E3 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004B30E6 |. 8B83 38030000 mov eax,dword ptr ds:[ebx+338]
004B30EC |. E8 67C7FAFF call tic_exe.0045F858
004B30F1 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; ebp-8=注册名“tigerisme”,送eax
004B30F4 |. E8 DF19F5FF call tic_exe.00404AD8 ; eax=tigerisme
004B30F9 |. 48 dec eax ; eax=9,注册名位数
004B30FA |. 0F8E 93010000 jle tic_exe.004B3293
004B3100 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004B3103 |. 8B83 24030000 mov eax,dword ptr ds:[ebx+324]
004B3109 |. E8 4AC7FAFF call tic_exe.0045F858
004B310E |. 837D F4 00 cmp dword ptr ss:[ebp-C],0
004B3112 |. 0F84 7B010000 je tic_exe.004B3293 ; 第二组注册码不能为0
004B3118 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004B311B |. 8B83 28030000 mov eax,dword ptr ds:[ebx+328]
004B3121 |. E8 32C7FAFF call tic_exe.0045F858
004B3126 |. 837D F0 00 cmp dword ptr ss:[ebp-10],0 ; 第三组注册码不能为0
004B312A |. 0F84 63010000 je tic_exe.004B3293
004B3130 |. 8D55 EC lea edx,dword ptr ss:[ebp-14]
004B3133 |. 8B83 2C030000 mov eax,dword ptr ds:[ebx+32C]
004B3139 |. E8 1AC7FAFF call tic_exe.0045F858
004B313E |. 837D EC 00 cmp dword ptr ss:[ebp-14],0 ; 第四组注册码不能为0
004B3142 |. 0F84 4B010000 je tic_exe.004B3293
004B3148 |. 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004B314B |. 8B83 20030000 mov eax,dword ptr ds:[ebx+320]
004B3151 |. E8 02C7FAFF call tic_exe.0045F858
004B3156 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; ebp-18=第一组“1234”,送eax
004B3159 |. BA 84344B00 mov edx,tic_exe.004B3484 ; 镱礤
004B315E |. E8 C11AF5FF call tic_exe.00404C24
004B3163 |. 0F84 2A010000 je tic_exe.004B3293
004B3169 |. 8D55 E4 lea edx,dword ptr ss:[ebp-1C] ; edx=4
004B316C |. 8B83 20030000 mov eax,dword ptr ds:[ebx+320]
004B3172 |. E8 E1C6FAFF call tic_exe.0045F858
004B3177 |. 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; 第一组试练码送eax
004B317A |. E8 955CF5FF call tic_exe.00408E14 ; 算法call(1)
004B317F |. 25 01000080 and eax,80000001
004B3184 |. 79 05 jns short tic_exe.004B318B
004B3186 |. 48 dec eax
004B3187 |. 83C8 FE or eax,FFFFFFFE
004B318A |. 40 inc eax
004B318B |> 85C0 test eax,eax 通过上面这个call(1)运算得到的结果除3的余数要为0
004B318D |. 0F85 12020000 jnz tic_exe.004B33A5
004B3193 |. 8D55 E0 lea edx,dword ptr ss:[ebp-20]
004B3196 |. 8B83 24030000 mov eax,dword ptr ds:[ebx+324]
004B319C |. E8 B7C6FAFF call tic_exe.0045F858
004B31A1 |. 8B45 E0 mov eax,dword ptr ss:[ebp-20] ; 第二组试练码送eax
004B31A4 |. E8 6B5CF5FF call tic_exe.00408E14 ; 算法call(2)
004B31A9 |. B9 03000000 mov ecx,3
004B31AE |. 99 cdq
004B31AF |. F7F9 idiv ecx
004B31B1 |. 85D2 test edx,edx ; 通过上面这个call(2)运算得到的结果除3的余数要为0
004B31B3 |. 0F85 EC010000 jnz tic_exe.004B33A5
004B31B9 |. 8D55 DC lea edx,dword ptr ss:[ebp-24]
004B31BC |. 8B83 28030000 mov eax,dword ptr ds:[ebx+328]
004B31C2 |. E8 91C6FAFF call tic_exe.0045F858
004B31C7 |. 8B45 DC mov eax,dword ptr ss:[ebp-24] ; 第三组试练码送eax
004B31CA |. E8 455CF5FF call tic_exe.00408E14 ; 算法call(3)
004B31CF |. B9 05000000 mov ecx,5
004B31D4 |. 99 cdq
004B31D5 |. F7F9 idiv ecx
004B31D7 |. 85D2 test edx,edx ; 通过上面这个call(3)运算得到的结果除5的余数要为0
004B31D9 |. 0F85 C6010000 jnz tic_exe.004B33A5
004B31DF |. 8D55 D8 lea edx,dword ptr ss:[ebp-28]
004B31E2 |. 8B83 2C030000 mov eax,dword ptr ds:[ebx+32C]
004B31E8 |. E8 6BC6FAFF call tic_exe.0045F858
004B31ED |. 8B45 D8 mov eax,dword ptr ss:[ebp-28] ; 第四组试练码送eax
004B31F0 |. E8 1F5CF5FF call tic_exe.00408E14 ; 算法call(4)
004B31F5 |. B9 07000000 mov ecx,7
004B31FA |. 99 cdq
004B31FB |. F7F9 idiv ecx
004B31FD |. 85D2 test edx,edx ; 通过上面这个call(4)运算得到的结果除7的余数要为0
004B31FF |. 0F85 A0010000 jnz tic_exe.004B33A5
004B3205 |. 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
004B3208 |. 8B83 20030000 mov eax,dword ptr ds:[ebx+320]
004B320E |. E8 45C6FAFF call tic_exe.0045F858
004B3213 |. 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
004B3216 |. BA 94344B00 mov edx,tic_exe.004B3494 ; 1234
004B321B |. E8 041AF5FF call tic_exe.00404C24
004B3220 |. 0F84 7F010000 je tic_exe.004B33A5 判断第一组试练码不能为“1234”
004B3226 |. 8D55 D0 lea edx,dword ptr ss:[ebp-30]
004B3229 |. 8B83 24030000 mov eax,dword ptr ds:[ebx+324]
004B322F |. E8 24C6FAFF call tic_exe.0045F858
004B3234 |. 8B45 D0 mov eax,dword ptr ss:[ebp-30]
004B3237 |. BA A4344B00 mov edx,tic_exe.004B34A4 ; 0000
004B323C |. E8 E319F5FF call tic_exe.00404C24
004B3241 |. 0F84 5E010000 je tic_exe.004B33A5
004B3247 |. 8D55 CC lea edx,dword ptr ss:[ebp-34]
004B324A |. 8B83 28030000 mov eax,dword ptr ds:[ebx+328]
004B3250 |. E8 03C6FAFF call tic_exe.0045F858
004B3255 |. 8B45 CC mov eax,dword ptr ss:[ebp-34]
004B3258 |. BA A4344B00 mov edx,tic_exe.004B34A4 ; 0000
004B325D |. E8 C219F5FF call tic_exe.00404C24
004B3262 |. 0F84 3D010000 je tic_exe.004B33A5
004B3268 |. 8D55 C8 lea edx,dword ptr ss:[ebp-38]
004B326B |. 8B83 2C030000 mov eax,dword ptr ds:[ebx+32C]
004B3271 |. E8 E2C5FAFF call tic_exe.0045F858
004B3276 |. 8B45 C8 mov eax,dword ptr ss:[ebp-38]
004B3279 |. BA A4344B00 mov edx,tic_exe.004B34A4 ; 0000
004B327E |. E8 A119F5FF call tic_exe.00404C24
004B3283 |. 0F84 1C010000 je tic_exe.004B33A5
004B3289 |. BE 04000000 mov esi,4
004B328E |. E9 12010000 jmp tic_exe.004B33A5
004B3293 |> 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
004B3296 |. 8B83 20030000 mov eax,dword ptr ds:[ebx+320]
004B329C |. E8 B7C5FAFF call tic_exe.0045F858
004B32A1 |. 837D C4 00 cmp dword ptr ss:[ebp-3C],0
004B32A5 |. 0F84 FA000000 je tic_exe.004B33A5
004B32AB |. 8D55 C0 lea edx,dword ptr ss:[ebp-40]
004B32AE |. 8B83 38030000 mov eax,dword ptr ds:[ebx+338]
004B32B4 |. E8 9FC5FAFF call tic_exe.0045F858
004B32B9 |. 8B45 C0 mov eax,dword ptr ss:[ebp-40]
004B32BC |. E8 1718F5FF call tic_exe.00404AD8
004B32C1 |. 48 dec eax
004B32C2 |. 0F8E DD000000 jle tic_exe.004B33A5
004B32C8 |. 8D55 BC lea edx,dword ptr ss:[ebp-44]
004B32CB |. 8B83 24030000 mov eax,dword ptr ds:[ebx+324]
004B32D1 |. E8 82C5FAFF call tic_exe.0045F858
004B32D6 |. 837D BC 00 cmp dword ptr ss:[ebp-44],0
004B32DA |. 0F84 C5000000 je tic_exe.004B33A5
004B32E0 |. 8D55 B8 lea edx,dword ptr ss:[ebp-48]
004B32E3 |. 8B83 28030000 mov eax,dword ptr ds:[ebx+328]
004B32E9 |. E8 6AC5FAFF call tic_exe.0045F858
004B32EE |. 837D B8 00 cmp dword ptr ss:[ebp-48],0
004B32F2 |. 0F84 AD000000 je tic_exe.004B33A5
004B32F8 |. 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
004B32FB |. 8B83 2C030000 mov eax,dword ptr ds:[ebx+32C]
004B3301 |. E8 52C5FAFF call tic_exe.0045F858
004B3306 |. 837D B4 00 cmp dword ptr ss:[ebp-4C],0
004B330A |. 0F84 95000000 je tic_exe.004B33A5
004B3310 |. 8D55 B0 lea edx,dword ptr ss:[ebp-50]
004B3313 |. 8B83 20030000 mov eax,dword ptr ds:[ebx+320]
004B3319 |. E8 3AC5FAFF call tic_exe.0045F858
004B331E |. 8B45 B0 mov eax,dword ptr ss:[ebp-50]
004B3321 |. BA 84344B00 mov edx,tic_exe.004B3484 ; 镱礤
004B3326 |. E8 F918F5FF call tic_exe.00404C24
004B332B |. 75 78 jnz short tic_exe.004B33A5
004B332D |. 8D55 AC lea edx,dword ptr ss:[ebp-54]
004B3330 |. 8B83 20030000 mov eax,dword ptr ds:[ebx+320]
004B3336 |. E8 1DC5FAFF call tic_exe.0045F858
004B333B |. 8B45 AC mov eax,dword ptr ss:[ebp-54]
004B333E |. BA 84344B00 mov edx,tic_exe.004B3484 ; 镱礤
004B3343 |. E8 DC18F5FF call tic_exe.00404C24
004B3348 |. 75 01 jnz short tic_exe.004B334B
004B334A |. 46 inc esi
004B334B |> 8D55 A8 lea edx,dword ptr ss:[ebp-58]
004B334E |. 8B83 24030000 mov eax,dword ptr ds:[ebx+324]
004B3354 |. E8 FFC4FAFF call tic_exe.0045F858
004B3359 |. 8B45 A8 mov eax,dword ptr ss:[ebp-58]
004B335C |. BA B4344B00 mov edx,tic_exe.004B34B4 ; 怛铕
004B3361 |. E8 BE18F5FF call tic_exe.00404C24
004B3366 |. 75 01 jnz short tic_exe.004B3369
004B3368 |. 46 inc esi
004B3369 |> 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
004B336C |. 8B83 28030000 mov eax,dword ptr ds:[ebx+328]
004B3372 |. E8 E1C4FAFF call tic_exe.0045F858
004B3377 |. 8B45 A4 mov eax,dword ptr ss:[ebp-5C]
004B337A |. BA C4344B00 mov edx,tic_exe.004B34C4 ; 耩邃
004B337F |. E8 A018F5FF call tic_exe.00404C24
004B3384 |. 75 01 jnz short tic_exe.004B3387
004B3386 |. 46 inc esi
004B3387 |> 8D55 A0 lea edx,dword ptr ss:[ebp-60]
004B338A |. 8B83 2C030000 mov eax,dword ptr ds:[ebx+32C]
004B3390 |. E8 C3C4FAFF call tic_exe.0045F858
004B3395 |. 8B45 A0 mov eax,dword ptr ss:[ebp-60]
004B3398 |. BA D4344B00 mov edx,tic_exe.004B34D4 ; 麇蜮
004B339D |. E8 8218F5FF call tic_exe.00404C24
004B33A2 |. 75 01 jnz short tic_exe.004B33A5
004B33A4 |. 46 inc esi
004B33A5 |> 83FE 04 cmp esi,4
004B33A8 |. 0F85 A6000000 jnz tic_exe.004B3454
004B33AE |. 8D55 9C lea edx,dword ptr ss:[ebp-64]
004B33B1 |. 8B83 38030000 mov eax,dword ptr ds:[ebx+338]
004B33B7 |. E8 9CC4FAFF call tic_exe.0045F858
004B33BC |. 8B55 9C mov edx,dword ptr ss:[ebp-64]
004B33BF |. A1 34FC4B00 mov eax,dword ptr ds:[4BFC34]
004B33C4 |. 8B00 mov eax,dword ptr ds:[eax]
004B33C6 |. 8B80 0C030000 mov eax,dword ptr ds:[eax+30C]
004B33CC |. E8 B7C4FAFF call tic_exe.0045F888
004B33D1 |. A1 841C4C00 mov eax,dword ptr ds:[4C1C84]
004B33D6 |. E8 2197FCFF call tic_exe.0047CAFC
004B33DB |. B2 01 mov dl,1
004B33DD |. A1 4CA74300 mov eax,dword ptr ds:[43A74C]
004B33E2 |. E8 6574F8FF call tic_exe.0043A84C
004B33E7 |. 8BF0 mov esi,eax
004B33E9 |. BA 02000080 mov edx,80000002
004B33EE |. 8BC6 mov eax,esi
004B33F0 |. E8 F774F8FF call tic_exe.0043A8EC
004B33F5 |. B1 01 mov cl,1
004B33F7 |. BA E4344B00 mov edx,tic_exe.004B34E4 ; software\image collection
004B33FC |. 8BC6 mov eax,esi
004B33FE |. E8 4D75F8FF call tic_exe.0043A950
004B3403 |. 8D55 98 lea edx,dword ptr ss:[ebp-68]
004B3406 |. 8B83 38030000 mov eax,dword ptr ds:[ebx+338]
004B340C |. E8 47C4FAFF call tic_exe.0045F858
004B3411 |. 8B4D 98 mov ecx,dword ptr ss:[ebp-68]
004B3414 |. BA 08354B00 mov edx,tic_exe.004B3508 ; name
004B3419 |. 8BC6 mov eax,esi
004B341B |. E8 CC76F8FF call tic_exe.0043AAEC
004B3420 |. B9 18354B00 mov ecx,tic_exe.004B3518 ; a:
004B3425 |. BA 24354B00 mov edx,tic_exe.004B3524 ; drive
004B342A |. 8BC6 mov eax,esi
004B342C |. E8 BB76F8FF call tic_exe.0043AAEC
004B3431 |. 8BC6 mov eax,esi
004B3433 |. E8 8474F8FF call tic_exe.0043A8BC
004B3438 |. 8BC6 mov eax,esi
004B343A |. E8 8906F5FF call tic_exe.00403AC8
004B343F |. 6A 00 push 0
004B3441 |. 66:8B0D 2C354>mov cx,word ptr ds:[4B352C]
004B3448 |. B2 02 mov dl,2
004B344A |. B8 38354B00 mov eax,tic_exe.004B3538 ; 注册成功提示 registration successfully complete. thank you for using this software!
004B344F |. E8 48E5F7FF call tic_exe.0043199C
004B3454 |> 33C0 xor eax,eax
004B3456 |. 5A pop edx
004B3457 |. 59 pop ecx
004B3458 |. 59 pop ecx
004B3459 |. 64:8910 mov dword ptr fs:[eax],edx
004B345C |. 68 76344B00 push tic_exe.004B3476
004B3461 |> 8D45 98 lea eax,dword ptr ss:[ebp-68]
004B3464 |. BA 1A000000 mov edx,1A
004B3469 |. E8 CE13F5FF call tic_exe.0040483C
004B346E \. C3 retn
************************************************************************************
算法call(1) call(2) call(3) call(4)
00408E14 53 push ebx
00408E15 56 push esi
00408E16 83C4 F4 add esp,-0C
00408E19 8BD8 mov ebx,eax
00408E1B 8BD4 mov edx,esp
00408E1D 8BC3 mov eax,ebx
00408E1F E8 24A5FFFF call tic_exe.00403348 ; 算法call(5)
00408E24 8BF0 mov esi,eax
00408E26 833C24 00 cmp dword ptr ss:[esp],0
00408E2A 74 19 je short tic_exe.00408E45
00408E2C 895C24 04 mov dword ptr ss:[esp+4],ebx
00408E30 C64424 08 0B mov byte ptr ss:[esp+8],0B
00408E35 8D5424 04 lea edx,dword ptr ss:[esp+4]
00408E39 A1 38FD4B00 mov eax,dword ptr ds:[4BFD38]
00408E3E 33C9 xor ecx,ecx
00408E40 E8 9BFAFFFF call tic_exe.004088E0
00408E45 8BC6 mov eax,esi
00408E47 83C4 0C add esp,0C
00408E4A 5E pop esi
00408E4B 5B pop ebx
00408E4C C3 retn
************************************************************************************
跟进算法call(5)
00403348 53 push ebx
00403349 56 push esi
0040334A 57 push edi
0040334B 89C6 mov esi,eax
0040334D 50 push eax
0040334E 85C0 test eax,eax
00403350 74 6C je short tic_exe.004033BE
00403352 31C0 xor eax,eax
00403354 31DB xor ebx,ebx
00403356 BF CCCCCC0C mov edi,0CCCCCCC
0040335B 8A1E mov bl,byte ptr ds:[esi] ; 每组试练码的第一个数字送bl
0040335D 46 inc esi
0040335E 80FB 20 cmp bl,20
00403361 ^ 74 F8 je short tic_exe.0040335B
00403363 B5 00 mov ch,0
00403365 80FB 2D cmp bl,2D
00403368 74 62 je short tic_exe.004033CC
0040336A 80FB 2B cmp bl,2B
0040336D 74 5F je short tic_exe.004033CE
0040336F 80FB 24 cmp bl,24
00403372 74 5F je short tic_exe.004033D3
00403374 80FB 78 cmp bl,78
00403377 74 5A je short tic_exe.004033D3
00403379 80FB 58 cmp bl,58
0040337C 74 55 je short tic_exe.004033D3
0040337E 80FB 30 cmp bl,30
00403381 75 13 jnz short tic_exe.00403396
00403383 8A1E mov bl,byte ptr ds:[esi]
00403385 46 inc esi
00403386 80FB 78 cmp bl,78
00403389 74 48 je short tic_exe.004033D3
0040338B 80FB 58 cmp bl,58
0040338E 74 43 je short tic_exe.004033D3
00403390 84DB test bl,bl
00403392 74 20 je short tic_exe.004033B4
00403394 EB 04 jmp short tic_exe.0040339A
00403396 84DB test bl,bl
00403398 74 2D je short tic_exe.004033C7
0040339A 80EB 30 sub bl,30 ; 每组试练码各数字减30
0040339D 80FB 09 cmp bl,9 ; 结果不能大于9
004033A0 77 25 ja short tic_exe.004033C7
004033A2 39F8 cmp eax,edi
004033A4 77 21 ja short tic_exe.004033C7
004033A6 8D0480 lea eax,dword ptr ds:[eax+eax*4] ; 数学运算[eax+eax*4]
004033A9 01C0 add eax,eax ; eax*2
004033AB 01D8 add eax,ebx ; ebx分别取每组试练码各数字,与eax运算得到的结果相加
004033AD 8A1E mov bl,byte ptr ds:[esi] ; 逐位取试练码各数字
004033AF 46 inc esi
004033B0 84DB test bl,bl ; 检测各数字是否完全取到
004033B2 ^ 75 E6 jnz short tic_exe.0040339A 循环计算,直到取完4个数字
004033B4 FECD dec ch
…………
**********************************************************************************
算法总结:软件的算法思路是通过四组试练码每位数字逐位计算得到一个固定值(具体可参见跟进的算法call(5)),然后每组计算得到的固定值放在eax中分别除1,3,5,7,判断余数是否为0,若满足条件则注册成功。另注意,这里有一个校验,即第一组试练码不能为“1234”,其它三组不能为“0000”,这是软件设置的一个限制。这里附上一组可用注册码1132-5673-7895-5432,用户名任意。
特别说明:本文仅做学习使用,是一些破解的心得和思路,完全是个人对程序的研究,无其他目的。