Search32最新版V5.08注册算法笔记 (一)
作者:moonlite
目标: Search32最新版V5.08
应用平台:Windows 9X
下载:http://www.anetsoft.com
大小:1100k
软件用途: Search32 号称是Windows下最快的32位搜索工具。它是离线的搜索引擎,可在本地硬盘
(包括Cache)中用关键字快速查找。
工具:TRW1.22、W32dasm、file info 2.45、teunlockv1、UltraEdit。
保护: 每次启动都弹出注册窗,提示注册; 30 天试用期;tELock壳; 反调试。
前言: 记得是半年前了,它的v5.05版没有彻底搞定,不甘心啊!直到现在也没有看到v5.x版的破解资料,
还是再“反攻”一次!
过程实录:
[1] 启动 Search 32, 烦人的注册窗弹出。随便输入姓名和注册码,失败提示 "Entered password is invalid for..."。
[2] 试着启动TRW加载。很快消息窗弹出“Hmm...Debug yourself.”,这个壳还够厉害。
[3] 用teunlockv1脱掉它后,用w32dasm反汇编,查找"Entered password is invalid for...". 找到一处:
:0048720F 50
push eax
:00487210 8B00
mov eax, dword ptr [eax]
:00487212 FF5074
call [eax+74]<-------------------有问题的call; 如果返回的eax=0,就没戏唱了**
:00487215 8B1510124B00 mov edx, dword
ptr [004B1210]
:0048721B 8902
mov dword ptr [edx], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004871D9(U)
|
:0048721D A110124B00 mov eax,
dword ptr [004B1210]
:00487222 833800
cmp dword ptr [eax], 00000000
:00487225 750F
jne 00487236
* Possible StringData Ref from Data Obj ->"Entered password is invalid for "
<---------------出错信息
->"
the given registration number."
|
:00487227 B864744800 mov eax,
00487464
:0048722C E8CB86FBFF call 0043F8FC
:00487231 E9DE010000 jmp 00487414
很明显,:00487212 处的call有问题。
[3]再次启动 Search 32,在注册窗 输入姓名:
“moonlite&Group [FCG]” 和注册码“78787878121212129898989845454545”
(为什么这么长字串呢?我试过,短了不行)。启动TRW, 按CTL+D 来到TRW的领空。
设断: bpx 487212,F5返回主程序,点击OK,被TRW拦住去路。
进入那个有问题的call:
:00487212 FF5074
call [eax+74]---->进入。。。
----------SRCH32_D! is Expired + 00DF——————
:10001E6F 90
nop
:10001E70 8B44240C mov
eax, dword ptr [esp+0C]//<------光标在这!
:10001E74 8B4C2408 mov
ecx, dword ptr [esp+08]//在此下d eax, d ecx 分别可以看到
//输入的假password 和ID;
:10001E78 56
push esi
:10001E79 50
push eax
:10001E7A 51
push ecx
* Reference To: SRCH32_D.?checkData@@YGHPAD0@Z
|
:10001E7B E880F4FFFF call 10001300//检查注册码的关键call,
进入==>
:10001E80 8BF0
mov esi, eax//返回的eax送 esi;
:10001E82 83FE01
cmp esi, 00000001
:10001E85 7515
jne 10001E9C//eax不是1,就跳走,那就失败!
:10001E87 8B542408 mov
edx, dword ptr [esp+08]
:10001E8B 5E
pop esi
:10001E8C 894224
mov dword ptr [edx+24], eax
:10001E8F C705146C011000000000 mov dword ptr [10016C14], 00000000//送成功标志!
:10001E99 C20C00
ret 000C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001E85(C)
|
:10001E9C 68D0070000 push 000007D0//sleep
7D0h 毫秒;
* Reference To: KERNEL32.Sleep, Ord:0296h
|
:10001EA1 FF1534200110 Call dword ptr
[10012034]
:10001EA7 8BC6
mov eax, esi//将esi,即0的值还给eax;
:10001EA9 5E
pop esi
:10001EAA C20C00
ret 000C
————————————
下面是注册码的算法-->
[4] 检查注册码的关键call:
* Referenced by a CALL at Address:
|:10001E7B
|
Exported fn(): ?checkData@@YGHPAD0@Z - Ord:0001h
:10001300 81ECDC020000 sub esp, 000002DC
:10001306 53
push ebx
:10001307 55
push ebp
:10001308 56
push esi
:10001309 57
push edi
:1000130A 8BBC24F0020000 mov edi, dword ptr
[esp+000002F0]//----->指向输入的ID;
//我的是 “moonlite&Group [FCG]”;
:10001311 83C9FF
or ecx, FFFFFFFF
:10001314 33C0
xor eax, eax
:10001316 33DB
xor ebx, ebx
:10001318 F2
repnz
:10001319 AE
scasb
:1000131A F7D1
not ecx
:1000131C 2BF9
sub edi, ecx
:1000131E 8D9424A8000000 lea edx, dword ptr
[esp+000000A8]
:10001325 8BC1
mov eax, ecx
//以上是算ID的长度;//
:10001327 8BF7
mov esi, edi
:10001329 8BFA
mov edi, edx
:1000132B 895C241C mov
dword ptr [esp+1C], ebx
:1000132F C1E902
shr ecx, 02
:10001332 F3
repz
:10001333 A5
movsd
//ID字串从esi传送到edi 处;//
.............
:10001344 8D8C24A8000000 lea ecx, dword ptr
[esp+000000A8]//----->指向输入的ID;
:1000134B 895C2414 mov
dword ptr [esp+14], ebx
:1000134F 51
push ecx
:10001350 E881020100 call 100115D6//
;若ID是小写字母-->变成大写;若ID是大写字母或数字-->不变
:10001355 83C404
add esp, 00000004
:10001358 53
push ebx
* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:10001359 FF1530200110 Call dword ptr
[10012030]
//这个call检查所用驱动器的类型(可查手册);
//这里返回eax=3,即Fixed Drive;
:1000135F 3BC5
cmp eax, ebp//ebp=5; 5为CD-ROM;
:10001361 8B8424A8000000 mov eax, dword ptr
[esp+000000A8]//----->指向输入的ID;
:10001368 750F
jne 10001379//在此跳转!
.......................
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001368(C)
|
:10001379 3C43
cmp al, 43//比较ID的第一个是不是字母“C”;
:1000137B 7509
jne 10001386//不是就跳走;
:1000137D 80FC44
cmp ah, 44//比较ID的第二个是不是字母“D”;
:10001380 0F842F040000 je 100017B5//如果ID的前二个字母是“CD”就失败!****
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000136C(C), :10001377(U), :1000137B(C)
|
:10001386 A1006C0110 mov eax,
dword ptr [10016C00]
:1000138B 8D9424E8010000 lea edx, dword ptr
[esp+000001E8]
:10001392 6804010000 push 00000104
:10001397 52
push edx
:10001398 50
push eax
* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h
|
:10001399 FF152C200110 Call dword ptr
[1001202C]//获取一个已装载模块的完整路径名称;
//返回的EAX等于路径字符串的长度;
:1000139F 85C0
test eax, eax//非0表示成功;
:100013A1 0F840E040000 je 100017B5
:100013A7 8D8C24E8010000 lea ecx, dword ptr
[esp+000001E8]//指向SRCH32_D.DLL所在路径;
:100013AE 6A5C
push 0000005C
:100013B0 51
push ecx
:100013B1 E8CA980000 call 1000AC80//获取SRCH32_D.DLL字串的地址;
:100013B6 8BF0
mov esi, eax//SRCH32_D.DLL字串不存在,则eax=0;
:100013B8 83C408
add esp, 00000008
:100013BB 3BF3
cmp esi, ebx
:100013BD 0F84F2030000 je 100017B5//判断字串存在与否的跳转;
****
:100013C3 46
inc esi
:100013C4 56
push esi
:100013C5 89742428 mov
dword ptr [esp+28], esi
:100013C9 E808020100 call 100115D6//
参考 :10001350的call;
:100013CE 8DBC24AC000000 lea edi, dword ptr
[esp+000000AC]//指向输入的ID字符串;
:100013D5 83C9FF
or ecx, FFFFFFFF
:100013D8 33C0
xor eax, eax
:100013DA 83C404
add esp, 00000004
:100013DD F2
repnz
:100013DE AE
scasb
:100013DF F7D1
not ecx
:100013E1 49
dec ecx//算它的长度;
:100013E2 83F920
cmp ecx, 00000020//长度是否20h位?
:100013E5 732E
jnb 10001415
:100013E7 8BFE
mov edi, esi
.................
:10001404 8BCA
mov ecx, edx
:10001406 4F
dec edi
:10001407 C1E902
shr ecx, 02
:1000140A F3
repz
:1000140B A5
movsd
:1000140C 8BCA
mov ecx, edx
:1000140E 83E103
and ecx, 00000003
:10001411 F3
repz
:10001412 A4
movsb//将“SRCH32_D.DLL”移动到ID字符串的后面,得新ID字串;
//即 “MOONLITE&GROUP [FCG]SRCH32_D.DLL”
:10001413 EB0B
jmp 10001420
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100013E5(C)
|
:10001415 8D840C9C000000 lea eax, dword ptr
[esp+ecx+0000009C]
:1000141C 89442424 mov
dword ptr [esp+24], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001413(U)
|
:10001420 8BB424F4020000 mov esi, dword ptr
[esp+000002F4]//指向输入的注册码;
:10001427 83C9FF
or ecx, FFFFFFFF
:1000142A 8BFE
mov edi, esi
:1000142C 33C0
xor eax, eax
:1000142E F2
repnz
:1000142F AE
scasb
:10001430 F7D1
not ecx
:10001432 49
dec ecx//计算所输入的注册码的长度;
:10001433 8BD1
mov edx, ecx//送edx;
:10001435 83FA18
cmp edx, 00000018//18h=24位;
:10001438 89542418 mov
dword ptr [esp+18], edx//将注册码的长度保存;
:1000143C 0F8273030000 jb 100017B5//注册码的长度小于24位,就完了;
****
:10001442 B907000000 mov ecx,
00000007//置循环次数;
:10001447 B84D4D4D4D mov eax,
4D4D4D4D
:1000144C 8D7C2448 lea
edi, dword ptr [esp+48]
:10001450 F3
repz
:10001451 AB
stosd
:10001452 66AB
stosw
:10001454 AA
stosb//到此,将4*7+2+1=31字节用“4D”填满:
:10001455 B81F000000 mov eax,
0000001F
:1000145A B14D
mov cl, 4D
..........................
<待续>
- 标 题:Search32最新版V5.08注册算法笔记 (一) (10千字)
- 作 者:moonlite
- 时 间:2001-8-11 11:41:32
- 链 接:http://bbs.pediy.com