好久没写破解文章,像BW所说'刀本来钝,现在还生锈了',再不用可能真不会破解了.这个软件是位朋友要求我帮忙破解,在精华III看到过它前面几个版本的破解过程,心里想应该不难.ok,开工干活..用Peid查出他是
ASProtect 1.2 的壳,脱壳后记得把2ce01的7434改为eb34,才可以运行,不过有个密码窗口出来,这方面我没再研究.请高手指点..
:0042DBEB E8D433FFFF call 00420FC4
//对假注册码进行比较和计算出三个数!!!!
:0042DBF0 84C0
test al, al
:0042DBF2 0F84A7000000 je 0042DC9F
:0042DBF8 8B1500796400 mov edx, dword
ptr [00647900]
:0042DBFE 8B02
mov eax, dword ptr [edx]
:0042DC00 8B9538FFFFFF mov edx, dword
ptr [ebp+FFFFFF38]
:0042DC06 E8C92DFFFF call 004209D4
//把注册名和序列号串起来计算出三个数!!
:0042DC0B 84C0
test al, al
:0042DC0D 0F848C000000 je 0042DC9F
:0042DC13 EB04
jmp 0042DC19
:0042DC15 EB05
jmp 0042DC1C
:0042DC17 8901
mov dword ptr [ecx], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DC13(U)
|
:0042DC19 8B8D34FFFFFF mov ecx, dword
ptr [ebp+FFFFFF34]
:0042DC1F 8B9538FFFFFF mov edx, dword
ptr [ebp+FFFFFF38]
:0042DC25 8B01
mov eax, dword ptr [ecx]
:0042DC27 3B02
cmp eax, dword ptr [edx] //比较①
:0042DC29 756E
jne 0042DC99
:0042DC2B 8B8D34FFFFFF mov ecx, dword
ptr [ebp+FFFFFF34]
:0042DC31 8B9538FFFFFF mov edx, dword
ptr [ebp+FFFFFF38]
:0042DC37 8B4104
mov eax, dword ptr [ecx+04]
:0042DC3A 3B4204
cmp eax, dword ptr [edx+04]//比较②
:0042DC3D 755A
jne 0042DC99
:0042DC3F 8B8D34FFFFFF mov ecx, dword
ptr [ebp+FFFFFF34]
:0042DC45 8B9538FFFFFF mov edx, dword
ptr [ebp+FFFFFF38]
:0042DC4B 8B4108
mov eax, dword ptr [ecx+08]
:0042DC4E 3B4208
cmp eax, dword ptr [edx+08]//比较③
:0042DC51 7546
jne 0042DC99
:0042DC53 66C746109800 mov [esi+10],
0098
:0042DC59 BA33816300 mov edx,
00638133
:0042DC5E 8D45C4
lea eax, dword ptr [ebp-3C]
:0042DC61 E8C66C1F00 call 0062492C
:0042DC66 FF461C
inc [esi+1C]
:0042DC69 8B10
mov edx, dword ptr [eax]
:0042DC6B A15C846400 mov eax,
dword ptr [0064845C]
:0042DC70 E8F3E21A00 call 005DBF68
:0042DC75 FF4E1C
dec [esi+1C]
:0042DC78 8D45C4
lea eax, dword ptr [ebp-3C]
:0042DC7B BA02000000 mov edx,
00000002
:0042DC80 E81B6D1F00 call 006249A0
:0042DC85 8B8734030000 mov eax, dword
ptr [edi+00000334]
:0042DC8B 33D2
xor edx, edx
:0042DC8D E8EADC1700 call 005AB97C
:0042DC92 C687DC06000001 mov byte ptr [edi+000006DC],
01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042DC29(C), :0042DC3D(C), :0042DC51(C)
|
:0042DC99 EB04
jmp 0042DC9F
:0042DC9B EB05
jmp 0042DCA2
:0042DC9D 99
cdq
:0042DC9E 018BC3E8624D add dword ptr
[ebx+4D62E8C3], ecx
:0042DCA4 17
pop ss
:0042DCA5 00EB
add bl, ch
:0042DCA7 04EB
add al, EB
:0042DCA9 05890133D2 add eax,
D2330189
:0042DCAE 33C9
xor ecx, ecx
:0042DCB0 8997C0060000 mov dword ptr
[edi+000006C0], edx
:0042DCB6 898D3CFFFFFF mov dword ptr
[ebp+FFFFFF3C], ecx
:0042DCBC 80BFDC06000000 cmp byte ptr [edi+000006DC],
00
:0042DCC3 743E
je 0042DD03
:0042DCC5 8B8534FFFFFF mov eax, dword
ptr [ebp+FFFFFF34]
:0042DCCB 8B8D38FFFFFF mov ecx, dword
ptr [ebp+FFFFFF38]
:0042DCD1 8B10
mov edx, dword ptr [eax]
:0042DCD3 3B11
cmp edx, dword ptr [ecx]//比较④
:0042DCD5 752C
jne 0042DD03
:0042DCD7 8B8534FFFFFF mov eax, dword
ptr [ebp+FFFFFF34]
:0042DCDD 8B8D38FFFFFF mov ecx, dword
ptr [ebp+FFFFFF38]
:0042DCE3 8B5004
mov edx, dword ptr [eax+04]
:0042DCE6 3B5104
cmp edx, dword ptr [ecx+04]//比较⑤
:0042DCE9 7518
jne 0042DD03
:0042DCEB 8B8534FFFFFF mov eax, dword
ptr [ebp+FFFFFF34]
:0042DCF1 8B8D38FFFFFF mov ecx, dword
ptr [ebp+FFFFFF38]
:0042DCF7 8B5008
mov edx, dword ptr [eax+08]
:0042DCFA 3B5108
cmp edx, dword ptr [ecx+08]//比较⑥
:0042DCFD 0F8440020000 je 0042DF43
==========================================A===================================
上面通过六次比教其实只是三数值进行两次比较..这里不罗嗦了下面先进入假注册码的比较和计算过程看看..
=========================================00420FC4 BEGIN===================================
:00420FC4 53
push ebx
:00420FC5 56
push esi
:00420FC6 57
push edi
:00420FC7 83C4E4
add esp, FFFFFFE4
:00420FCA 894C2404 mov
dword ptr [esp+04], ecx
:00420FCE 8BFA
mov edi, edx
:00420FD0 890424
mov dword ptr [esp], eax
:00420FD3 8BC7
mov eax, edi
:00420FD5 E882C61E00 call 0060D65C
:00420FDA 83F80E
cmp eax, 0000000E//比较假注册码为数是否14为
:00420FDD 750C
jne 00420FEB
:00420FDF 807F042D cmp
byte ptr [edi+04], 2D//比较假注册码的第五位是否'-'
:00420FE3 7506
jne 00420FEB
:00420FE5 807F092D cmp
byte ptr [edi+09], 2D//比较假注册码的第十位是否'-'
:00420FE9 7407
je 00420FF2
从上面看出注册码的形式是:XXXX-XXXX-XXXX
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00420FDD(C), :00420FE3(C)
|
:00420FEB 33C0
xor eax, eax
:00420FED E9E9000000 jmp 004210DB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420FE9(C)
|
:00420FF2 33D2
xor edx, edx
:00420FF4 8D442410 lea
eax, dword ptr [esp+10]
:00420FF8 89542408 mov
dword ptr [esp+08], edx
:00420FFC 89442418 mov
dword ptr [esp+18], eax
:00421000 33F6
xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421082(C)
|
:00421002 8B542418 mov
edx, dword ptr [esp+18]
:00421006 66C7020000 mov word
ptr [edx], 0000
:0042100B 33DB
xor ebx, ebx
:0042100D 8B442418 mov
eax, dword ptr [esp+18]
:00421011 8BD0
mov edx, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421077(C)
|
:00421013 8D0CB6
lea ecx, dword ptr [esi+4*esi]
:00421016 83C103
add ecx, 00000003
:00421019 2BCB
sub ecx, ebx
:0042101B 85DB
test ebx, ebx
:0042101D 8A040F
mov al, byte ptr [edi+ecx]
:00421020 7504
jne 00421026
:00421022 8844240C mov
byte ptr [esp+0C], al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421020(C)
|
:00421026 85DB
test ebx, ebx
:00421028 760A
jbe 00421034
:0042102A 3A44240C cmp
al, byte ptr [esp+0C]
:0042102E 7504
jne 00421034
:00421030 FF442408 inc
[esp+08]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421028(C), :0042102E(C)
|
:00421034 3C30
cmp al, 30
:00421036 7204
jb 0042103C
:00421038 3C46
cmp al, 46
:0042103A 7607
jbe 00421043
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421036(C)
|
:0042103C 33C0
xor eax, eax
:0042103E E998000000 jmp 004210DB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042103A(C)
|
:00421043 3C39
cmp al, 39
:00421045 760B
jbe 00421052
:00421047 3C41
cmp al, 41
:00421049 7307
jnb 00421052
:0042104B 33C0
xor eax, eax
:0042104D E989000000 jmp 004210DB
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421045(C), :00421049(C)
|
:00421052 3C41
cmp al, 41
:00421054 720B
jb 00421061
:00421056 33C9
xor ecx, ecx
:00421058 8AC8
mov cl, al
:0042105A 83E937
sub ecx, 00000037
:0042105D 8BC1
mov eax, ecx
:0042105F EB08
jmp 00421069
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421054(C)
|
:00421061 25FF000000 and eax,
000000FF
:00421066 83E830
sub eax, 00000030
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042105F(U)
|
:00421069 8BCB
mov ecx, ebx
:0042106B C1E102
shl ecx, 02
:0042106E D3E0
shl eax, cl
:00421070 660102
add word ptr [edx], ax
:00421073 43
inc ebx
:00421074 83FB04
cmp ebx, 00000004
:00421077 729A
jb 00421013
:00421079 46
inc esi
:0042107A 8344241802 add dword
ptr [esp+18], 00000002
:0042107F 83FE03
cmp esi, 00000003
:00421082 0F827AFFFFFF jb 00421002
===============================================================================================
上面判断假注册码是否在0-9和A-Z范围,并把假注册码由ASCII转换成数字和字母存放,譬如假注册码为:
1234-6789-ABCD转换成34128967CDAB形式存放,.
:00421088 33DB
xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004210A2(C)
|
:0042108A 6A06
push 00000006
:0042108C 8D442414 lea
eax, dword ptr [esp+14]
:00421090 50
push eax
:00421091 8B542408 mov
edx, dword ptr [esp+08]
:00421095 52
push edx
:00421096 E8ADFEFFFF call 00420F48//过程A
:0042109B 83C40C
add esp, 0000000C
:0042109E 43
inc ebx
:0042109F 83FB02
cmp ebx, 00000002
:004210A2 72E6
jb 0042108A
================================================================================================
把刚才的34128967CDAB分成六组A1=3412,A2=1289,A3=8967,A4=67CD,A5=CDAB,A6=AB34通过过程A换算,其算法如下:
B1=((A1 SHL 1) AND $FFOO) SHR 8=68
B2=((A2 SHL 1) AND $FF00) SHR 8=25
B3=((A3 SHL 1) AND $FF00) SHR 8=12
B4=((A4 SHL 1) AND $FF00) SHR 8=CF
B5=((A5 SHL 1) AND $FF00) SHR 8=9B
B6=((A6 SHL 1) AND $FF00) SHR 8=56
然后将B1,B2,B3,B4,B5,B6在组成新六组数C1=6825,C2=2512,C3=12CF,C4=CF9B,C5=9B56在用过程A换算一次得出
D04A259F36AC
================================================================================================
:004210A4 33F6
xor esi, esi
:004210A6 8B442404 mov
eax, dword ptr [esp+04]
:004210AA 8BD8
mov ebx, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004210CF(C)
|
:004210AC 8BD6
mov edx, esi
:004210AE 03D2
add edx, edx
:004210B0 8D442410 lea
eax, dword ptr [esp+10]
:004210B4 03D0
add edx, eax
:004210B6 B902000000 mov ecx,
00000002
:004210BB 8B0424
mov eax, dword ptr [esp]
:004210BE E8D10F0000 call 00422094
//将D04A259F36AC分成三组D1=D04A,D2=259F,D3=36AC进行换算,F8跟进..
:004210C3 0FB7D0
movzx edx, ax//将上面计算出来的数值保存
:004210C6 8913
mov dword ptr [ebx], edx
:004210C8 46
inc esi
:004210C9 83C304
add ebx, 00000004
:004210CC 83FE03
cmp esi, 00000003
:004210CF 72DB
jb 004210AC
:004210D1 33C0
xor eax, eax
:004210D3 837C240808 cmp dword
ptr [esp+08], 00000008
:004210D8 7701
ja 004210DB
:004210DA 40
inc eax
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00420FED(U), :0042103E(U), :0042104D(U), :004210D8(C)
|
:004210DB 83C41C
add esp, 0000001C
:004210DE 5F
pop edi
:004210DF 5E
pop esi
:004210E0 5B
pop ebx
:004210E1 C3
ret
==========================================00422094 BEGIN=======================================
:00422094 53
push ebx
:00422095 56
push esi
:00422096 57
push edi
:00422097 83C494
add esp, FFFFFF94
:0042209A 8BF9
mov edi, ecx
:0042209C 8BF2
mov esi, edx
:0042209E 8BD8
mov ebx, eax
:004220A0 54
push esp
:004220A1 E816F4FFFF call 004214BC
//初始化四个常数,A=$76543210,B=$FEDCBA98,C=$89ABCDEF,D=$01234567,看到这四个数是否很面熟,MD5??看清楚..不一样啊..
:004220A6 59
pop ecx
:004220A7 57
push edi
:004220A8 56
push esi
:004220A9 8D442408 lea
eax, dword ptr [esp+08]
:004220AD 50
push eax
:004220AE E835F4FFFF call 004214E8//初始化数组这和MD5一样..
:004220B3 83C40C
add esp, 0000000C
:004220B6 54
push esp
:004220B7 8D54245C lea
edx, dword ptr [esp+5C]
:004220BB 52
push edx
:004220BC E8BFF4FFFF call 00421580//这过过程我叫它为变形MD5,因为它所采用的数据和那四轮循环都和MD5一样,只是顺序变动..有兴趣的朋友可以进一步分析..这里分别将D1,D2,D3进行计算
:004220C1 83C408
add esp, 00000008
:004220C4 B910000000 mov ecx,
00000010
:004220C9 8BC3
mov eax, ebx
:004220CB C644246800 mov [esp+68],
00
:004220D0 8D542458 lea
edx, dword ptr [esp+58]
:004220D4 E80BF0FFFF call 004210E4//将变形MD5计算出来的128BIT的数再进行计算,我叫这过程为过程B
:004220D9 83C46C
add esp, 0000006C
:004220DC 5F
pop edi
:004220DD 5E
pop esi
:004220DE 5B
pop ebx
:004220DF C3
ret
=======================================00422094 END==============================================
通过过程B计算出来的三个数值将和注册名计算出来三个的数值比较..OK..假注册码的换算分析完毕下面简单说说注册名换算过程..
=======================================00420FC4 END=============================================注册名换算再过程004209D4完成,它的步骤大概如下:
1.将序列号换算,假设为11223344
2.将1122334400和注册名串起来,通过变形MD5和过程B计算出CODE1
3.将注册名和0011223344串起来,通过变形MD5和过程B计算出CODE2
4.将CODE1和CODE2串起来,通过变形MD5和过程B计算出CODE3
5.再将CODE1,CODE2,CODE3分别通过变形MD5和过程B计算出计算出三个数,这三个数就和假注册码计算出来的三个数进行比较...
========================================END=====================================================
这个软件是启动验证,所以这部分算法是在启动那里.在输入注册码那里主要的是分析序列号的换算过程..在拦截方面我开始也是'老鼠拉龟',后来得到DiKeN和PaulYoung的指点才找到方法,先用BPX
GETCOMMANDLINEA,按3次F5,清除断点,再用BPC REGCREATEKEYEXA中断就可以到达上面...
ssljxOCG
2002.3.21
- 标 题:炒股理财3.1 算法分析(15千字)
- 作 者:ssljx
- 时 间:2002-3-25
17:38:19
- 链 接:http://bbs.pediy.com