中文拨号计费器 V4.12

标题：中文拨号上网计时计费器 V4.12注册算法分析--[OCG] (23千字)
作者：DiKeN
时间：2002-3-26 18:09:15
链接：http://bbs.pediy.com

=================Open Cracking Group=====================
=
= 中文拨号上网计时计费器 V4.12注册算法分析
= DiKeN/OCG
=
= http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi
=
=================Open Cracking Group======================
=我的
=序列号：22P2ffmyM1zMecefbzyMrq4bzGbcrPbZ4MZQmqyv64FwX4kFVQ
=关键字：2222fhJkLDLpqvLp8JB8qLJLvqqnpp8pLCkLJkBDLDqv8pnDkJJ
=
=================Open Cracking Group======================
=
:004C5800 55 push ebp
:004C5801 8BEC mov ebp, esp
:004C5803 83C4C8 add esp, FFFFFFC8
:004C5806 53 push ebx
:004C5807 56 push esi
:004C5808 33C9 xor ecx, ecx
:004C580A 894DD8 mov dword ptr [ebp-28], ecx
:004C580D 894DD4 mov dword ptr [ebp-2C], ecx
:004C5810 894DD0 mov dword ptr [ebp-30], ecx
:004C5813 894DCC mov dword ptr [ebp-34], ecx
:004C5816 894DC8 mov dword ptr [ebp-38], ecx
:004C5819 894DF4 mov dword ptr [ebp-0C], ecx
:004C581C 894DF0 mov dword ptr [ebp-10], ecx
:004C581F 8955F8 mov dword ptr [ebp-08], edx
:004C5822 8945FC mov dword ptr [ebp-04], eax
:004C5825 8B45FC mov eax, dword ptr [ebp-04]
:004C5828 E867E7F3FF call 00403F94
:004C582D 8B45F8 mov eax, dword ptr [ebp-08]
:004C5830 E85FE7F3FF call 00403F94
:004C5835 33C0 xor eax, eax
:004C5837 55 push ebp
:004C5838 682A594C00 push 004C592A
:004C583D 64FF30 push dword ptr fs:[eax]
:004C5840 648920 mov dword ptr fs:[eax], esp
:004C5843 8B45FC mov eax, dword ptr [ebp-04]
:004C5846 E895E5F3FF call 00403DE0
:004C584B 83F832 cmp eax, 00000032<=====检查软件序列号长度
:004C584E 7407 je 004C5857
:004C5850 33DB xor ebx, ebx
:004C5852 E9AB000000 jmp 004C5902

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C584E(C)
|
:004C5857 8B45FC mov eax, dword ptr [ebp-04]
:004C585A E845E7F3FF call 00403FA4
:004C585F 8BD8 mov ebx, eax
:004C5861 B901000000 mov ecx, 00000001
:004C5866 8D45DC lea eax, dword ptr [ebp-24]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C588E(C)
|
:004C5869 33D2 xor edx, edx
:004C586B 8910 mov dword ptr [eax], edx
:004C586D BA01000000 mov edx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C5885(C)
|
:004C5872 8BF2 mov esi, edx
:004C5874 4E dec esi
:004C5875 8D34B6 lea esi, dword ptr [esi+4*esi]
:004C5878 03F1 add esi, ecx
:004C587A 0FB67433FF movzx esi, byte ptr [ebx+esi-01]
:004C587F 0130 add dword ptr [eax], esi
:004C5881 42 inc edx
:004C5882 83FA0B cmp edx, 0000000B
:004C5885 75EB jne 004C5872
:004C5887 41 inc ecx
:004C5888 83C004 add eax, 00000004
:004C588B 83F906 cmp ecx, 00000006
:004C588E 75D9 jne 004C5869
==========================================================
//0x32=48+2=50
//连续求5个累加和10
SN:=''//0x32位长的序列号

//22P2ffmyM1zMecefbzyMrq4bzGbcrPbZ4MZQmqyv64FwX4kFVQ
buf[i]:=//5个累加和
for index:=1 to 5 do
begin
buf[i]:=0;
for j:=1 to 10 do
begin
buf[i]:=buf[i]+ord(SN[i+5*(j-1)]);
end;
end;
//[eax-00000014] - 0000034e N...=846
//[eax-00000010] - 00000387 ....=903
//[eax-0000000C] - 00000370 p...=880
//[eax-00000008] - 000003c2 ....=962
//[eax-00000004] - 0000038c ....=908
==========================================================
:004C5890 8D55D8 lea edx, dword ptr [ebp-28]
:004C5893 8B45DC mov eax, dword ptr [ebp-24]
:004C5896 E8E128F4FF call 0040817C
:004C589B FF75D8 push [ebp-28]
:004C589E 8D55D4 lea edx, dword ptr [ebp-2C]
:004C58A1 8B45E0 mov eax, dword ptr [ebp-20]
:004C58A4 E8D328F4FF call 0040817C
:004C58A9 FF75D4 push [ebp-2C]
:004C58AC 8D55D0 lea edx, dword ptr [ebp-30]
:004C58AF 8B45E4 mov eax, dword ptr [ebp-1C]
:004C58B2 E8C528F4FF call 0040817C
:004C58B7 FF75D0 push [ebp-30]
:004C58BA 8D55CC lea edx, dword ptr [ebp-34]
:004C58BD 8B45E8 mov eax, dword ptr [ebp-18]
:004C58C0 E8B728F4FF call 0040817C
:004C58C5 FF75CC push [ebp-34]
:004C58C8 8D55C8 lea edx, dword ptr [ebp-38]
:004C58CB 8B45EC mov eax, dword ptr [ebp-14]
:004C58CE E8A928F4FF call 0040817C====>buf转为字符串
:004C58D3 FF75C8 push [ebp-38]
:004C58D6 8D45F4 lea eax, dword ptr [ebp-0C]
:004C58D9 BA05000000 mov edx, 00000005
:004C58DE E8BDE5F3FF call 00403EA0====>5个字符串连接，用于和后面的结果比较
// 相等则正确
:004C58E3 8D4DF0 lea ecx, dword ptr [ebp-10]
//===========================================================
//846903880962908
//===========================================================
* Possible StringData Ref from Code Obj ->"JDqpBkLvn8Cm0HYIr1KQMSagURlieFAEb3jd7N4zwZoOGy"
->"xu6T2fstchVP9X5WwNC3OHDlm1efyqzcbM4GrZjP9TQ7gk"
->"2ov8F0IitXSJaAEBYxKunVL5Uhs6pRWd"
|
:004C58E6 8B1584174D00 mov edx, dword ptr [004D1784]===>Magicstr
:004C58EC 8B45F8 mov eax, dword ptr [ebp-08]=====>输入注册码
:004C58EF E8747BF8FF call 0044D468===>把输入注册码加密
//===========================================================
MagicStr:='JDqpBkLvn8Cm0HYIr1KQMSagURlieFAEb3jd7N4zwZoOGyxu6T2fstchVP9X5WwNC3OHDlm1efyqzcbM4GrZjP9TQ7gk2ov8F0IitXSJaAEBYxKunVL5Uhs6pRWd'
具体又是累加
由12字符计算长度
由后面的字符计算后面的注册码
只要这个过程可以逆过来，那么这个keygen就可以做出；我们的先把这个算法搞明白

//==========================================================
:0044D4B0 BF33000000 mov edi, 00000033
:0044D4B5 8B45FC mov eax, dword ptr [ebp-04]
:0044D4B8 8A10 mov dl, byte ptr [eax]
:0044D4BA B933000000 mov ecx, 00000033
:0044D4BF 8B45F8 mov eax, dword ptr [ebp-08]
:0044D4C2 E825FAFFFF call 0044CEEC========>
===========================================================
sub_0044CEEC(arg1,arg2,arg3)//返回arg3在arg1中的位置，从arg2开始查找
//当arg2>length(arg1)时；返回-1；否则返回索引或者length(arg1);
//==============================================
:0044CEEC 55 push ebp
:0044CEED 8BEC mov ebp, esp
:0044CEEF 51 push ecx
:0044CEF0 53 push ebx
:0044CEF1 56 push esi
:0044CEF2 57 push edi
:0044CEF3 8BF9 mov edi, ecx===>startIndex
:0044CEF5 8BDA mov ebx, edx===>arg3
:0044CEF7 8945FC mov dword ptr [ebp-04], eax
:0044CEFA 8B45FC mov eax, dword ptr [ebp-04]
:0044CEFD E89270FBFF call 00403F94
:0044CF02 33C0 xor eax, eax
:0044CF04 55 push ebp
:0044CF05 684BCF4400 push 0044CF4B
:0044CF0A 64FF30 push dword ptr fs:[eax]
:0044CF0D 648920 mov dword ptr fs:[eax], esp
:0044CF10 83CEFF or esi, FFFFFFFF===>初始付值-1
:0044CF13 8B45FC mov eax, dword ptr [ebp-04]
:0044CF16 E8C56EFBFF call 00403DE0===>取输入字符串的长度
:0044CF1B 8BD0 mov edx, eax
:0044CF1D 2BD7 sub edx, edi
:0044CF1F 7C14 jl 0044CF35
:0044CF21 42 inc edx
:0044CF22 89F8 mov eax, edi===>startIndex
//==========================================================
// mmesi:=-1;
// mmedx:=length(str)-startIndex;
// while (mmedx>=0) and (str[])
// if mmedx>=0 then
// begin
// inc mmedx;
// mmeax:=startIndex;
// repeat
// inc(mmeax);
// dec(mmedx);
// until str[mmeax]=mmebx;//mmebx=arg3
// end;
// 分析知道实际是从startIndex查找arg3的索引
//1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234
// 1 2 3 4 5 6 7
//123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDE F0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABC
//JDqpBkLvn8Cm0HYIr1KQMSagURlieFAEb3jd7N4zwZoOGyxu6T2fstchVP9X5W wNC3OHDlm1efyqzcbM4GrZjP9TQ7gk2ov8F0IitXSJaAEBYxKunVL5Uhs6pRWd
//这个字符串有一定特殊性由0-9,a-z,A-Z的乱序组合
//共(26+26+10)*2=124个字符，
// *
//===========================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044CF33(C)
|
:0044CF24 8B4DFC mov ecx, dword ptr [ebp-04]
:0044CF27 3A5C01FF cmp bl, byte ptr [ecx+eax-01]
:0044CF2B 7504 jne 0044CF31
:0044CF2D 8BF0 mov esi, eax===>作为输出
:0044CF2F EB04 jmp 0044CF35

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044CF2B(C)
|
:0044CF31 40 inc eax
:0044CF32 4A dec edx
:0044CF33 75EF jne 0044CF24

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044CF1F(C), :0044CF2F(U)
|
:0044CF35 33C0 xor eax, eax
:0044CF37 5A pop edx
:0044CF38 59 pop ecx
:0044CF39 59 pop ecx
:0044CF3A 648910 mov dword ptr fs:[eax], edx
:0044CF3D 6852CF4400 push 0044CF52

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044CF50(U)
|
:0044CF42 8D45FC lea eax, dword ptr [ebp-04]
:0044CF45 E81A6CFBFF call 00403B64
:0044CF4A C3 ret
//===============================================
//eax=str,ecx=startindex,edx=num
//
//function sub_0044CEEC(const str,startindex,num):integer;
// len:=length(str)-startindex
// if len>=0 then
// begin
// inc(len);
// if (str[startindex])<>0
//
// end;
// edi=$33;
// 1. eax:=MagicStr;ecx=edi;edx:=code[1];
// 2. eax:=MagicStr;ecx=edi;edx:=code[2];
// 3. eax:=MagicStr;ecx=edi;edx:=code[3];
// 4. eax:=MagicStr;ecx=edi;edx:=code[4];
// 5. eax:=MagicStr;ecx=edi;edx:=code[5];
// 6. eax:=MagicStr;ecx=edi;edx:=code[6];
// 6轮完毕；然后做:0044D56D E8426BFBFF call 004040B4
// 输出edi,ebx为后面所用
// edi:=esi*10;ebx=累加和-$33
// edi=lenCode*10;ebx=lenCode;//才是正确的注册码
//处理长度
//
//
//for index:=1 to lenCode do
//begin
//
// eax:=MagicStr;ecx=??(edi)??;edx:=code[index*3+3+1];
//end
//==================================================
:0044D4C7 8BD8 mov ebx, eax
:0044D4C9 83EB33 sub ebx, 00000033
:0044D4CC 8BC3 mov eax, ebx
:0044D4CE 03C0 add eax, eax
:0044D4D0 8D0480 lea eax, dword ptr [eax+4*eax]
:0044D4D3 8BD8 mov ebx, eax
:0044D4D5 8B45FC mov eax, dword ptr [ebp-04]
:0044D4D8 8A5001 mov dl, byte ptr [eax+01]
:0044D4DB B933000000 mov ecx, 00000033
:0044D4E0 8B45F8 mov eax, dword ptr [ebp-08]
:0044D4E3 E804FAFFFF call 0044CEEC
:0044D4E8 03D8 add ebx, eax
:0044D4EA 83EB33 sub ebx, 00000033
:0044D4ED 8BC3 mov eax, ebx
:0044D4EF 03C0 add eax, eax
:0044D4F1 8D0480 lea eax, dword ptr [eax+4*eax]
:0044D4F4 8BD8 mov ebx, eax
:0044D4F6 8B45FC mov eax, dword ptr [ebp-04]
:0044D4F9 8A5002 mov dl, byte ptr [eax+02]
:0044D4FC B933000000 mov ecx, 00000033
:0044D501 8B45F8 mov eax, dword ptr [ebp-08]
:0044D504 E8E3F9FFFF call 0044CEEC
:0044D509 03D8 add ebx, eax
:0044D50B 83EB33 sub ebx, 00000033
:0044D50E 8BF3 mov esi, ebx===========>>>>
:0044D510 8B45FC mov eax, dword ptr [ebp-04]
:0044D513 8A5003 mov dl, byte ptr [eax+03]
:0044D516 8BCF mov ecx, edi
:0044D518 8B45F8 mov eax, dword ptr [ebp-08]
:0044D51B E8CCF9FFFF call 0044CEEC
:0044D520 8BD8 mov ebx, eax
:0044D522 83EB33 sub ebx, 00000033
:0044D525 8BC3 mov eax, ebx
:0044D527 03C0 add eax, eax
:0044D529 8D0480 lea eax, dword ptr [eax+4*eax]
:0044D52C 8BD8 mov ebx, eax
:0044D52E 8B45FC mov eax, dword ptr [ebp-04]
:0044D531 8A5004 mov dl, byte ptr [eax+04]
:0044D534 8BCF mov ecx, edi
:0044D536 8B45F8 mov eax, dword ptr [ebp-08]
:0044D539 E8AEF9FFFF call 0044CEEC
:0044D53E 03D8 add ebx, eax
:0044D540 83EB33 sub ebx, 00000033
:0044D543 8BC3 mov eax, ebx
:0044D545 03C0 add eax, eax
:0044D547 8D0480 lea eax, dword ptr [eax+4*eax]
:0044D54A 8BD8 mov ebx, eax
:0044D54C 8B45FC mov eax, dword ptr [ebp-04]
:0044D54F 8A5005 mov dl, byte ptr [eax+05]
:0044D552 8BCF mov ecx, edi
:0044D554 8B45F8 mov eax, dword ptr [ebp-08]
:0044D557 E890F9FFFF call 0044CEEC
:0044D55C 03D8 add ebx, eax
:0044D55E 83EB33 sub ebx, 00000033
:0044D561 8BFE mov edi, esi==============>>>>
//===================================0 0 0 0 1 5
//求索引和；表示将检查的长度，分为：十万万位千位百位十位个位
// idx1 idx2 idx3 idx4 idx5 idx6
// 2 2 2 2 f h
//===========================
:0044D563 03FF add edi, edi
:0044D565 8D3CBF lea edi, dword ptr [edi+4*edi]
:0044D568 8D45F0 lea eax, dword ptr [ebp-10]
:0044D56B 8BD3 mov edx, ebx======>必须等于序列好算出来的数字的长度
:0044D56D E8426BFBFF call 004040B4
:0044D572 85DB test ebx, ebx======>必须等于序列好算出来的数字的长度
:0044D574 0F8EA2000000 jle 0044D61C
:0044D57A 895DEC mov dword ptr [ebp-14], ebx
:0044D57D BE01000000 mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044D616(C)
|
//===========================================================
for index:=1 to lenCode do
begin
处理输入的注册码
end;
//===================================================================
:0044D582 8D0476 lea eax, dword ptr [esi+2*esi]
:0044D585 8B55FC mov edx, dword ptr [ebp-04]
:0044D588 8A540203 mov dl, byte ptr [edx+eax+03]
:0044D58C 8BCF mov ecx, edi
:0044D58E 8B45F8 mov eax, dword ptr [ebp-08]

JDqpBkLvn8Cm0HYIr1KQMSagURlieFAEb3jd7N4zwZoOGyxu6T2fstchVP9X5WwNC3OHDlm1efyqzcbM4GrZjP9TQ7gk2ov8F0IitXSJaAEBYxKunVL5Uhs6pRWd

:0044D591 E856F9FFFF call 0044CEEC
:0044D596 8BD8 mov ebx, eax
:0044D598 2BDF sub ebx, edi
:0044D59A 8BC6 mov eax, esi
:0044D59C 48 dec eax
:0044D59D B90A000000 mov ecx, 0000000A
:0044D5A2 99 cdq
:0044D5A3 F7F9 idiv ecx
:0044D5A5 42 inc edx
:0044D5A6 2BDA sub ebx, edx
:0044D5A8 8BC3 mov eax, ebx
:0044D5AA 03C0 add eax, eax
:0044D5AC 8D0480 lea eax, dword ptr [eax+4*eax]
:0044D5AF 8BD8 mov ebx, eax
//=======================================(fpos(MagicStr,edi,strCode[])-((index mod 10)+1))*10
//==========fpos函数实际如下
function fpos(const str:string;startIndex:integer;tag:char):integer;
var
index,len:integer;
mmeax:integer;
begin
len:=length(str);
mmeax:=-1;
if startIndex>len then
begin
//index:=startIndex-1;
mmeax:=startIndex-1;
repeat
inc(mmeax);
until ((str[mmeax]=tag) or (mmeax=len));
end;
fpos:=mmeax;
end;
//===========================================================================
:0044D5B1 8D0476 lea eax, dword ptr [esi+2*esi]
:0044D5B4 8B55FC mov edx, dword ptr [ebp-04]
:0044D5B7 8A540204 mov dl, byte ptr [edx+eax+04]
:0044D5BB 8BCF mov ecx, edi
:0044D5BD 8B45F8 mov eax, dword ptr [ebp-08]
:0044D5C0 E827F9FFFF call 0044CEEC
:0044D5C5 03D8 add ebx, eax
:0044D5C7 2BDF sub ebx, edi
:0044D5C9 8BC6 mov eax, esi
:0044D5CB 48 dec eax
:0044D5CC B90A000000 mov ecx, 0000000A
:0044D5D1 99 cdq
:0044D5D2 F7F9 idiv ecx
:0044D5D4 42 inc edx
//====================================(第几个注册码 mod 10+1)
:0044D5D5 2BDA sub ebx, edx
:0044D5D7 8BC3 mov eax, ebx
:0044D5D9 03C0 add eax, eax
:0044D5DB 8D0480 lea eax, dword ptr [eax+4*eax]
:0044D5DE 8BD8 mov ebx, eax
:0044D5E0 8D0476 lea eax, dword ptr [esi+2*esi]
:0044D5E3 8B55FC mov edx, dword ptr [ebp-04]
:0044D5E6 8A540205 mov dl, byte ptr [edx+eax+05]
:0044D5EA 8BCF mov ecx, edi
:0044D5EC 8B45F8 mov eax, dword ptr [ebp-08]
:0044D5EF E8F8F8FFFF call 0044CEEC
:0044D5F4 03D8 add ebx, eax
:0044D5F6 2BDF sub ebx, edi===>索引=1-124，-1
=================================================> 1-62
=================================================>62-124
//由连续的3个注册码计算出：百位十位个位
// idx1 idx2 idx3
//0x30-0x39=48-57
================================================>
:0044D5F8 8BC6 mov eax, esi
:0044D5FA 48 dec eax
:0044D5FB B90A000000 mov ecx, 0000000A
:0044D600 99 cdq
:0044D601 F7F9 idiv ecx
:0044D603 42 inc edx=((index-1) mod 10)+1;
//===========================================================
// index=[1-lenCode]
//===========================================================
//========mpos(MagicStr,edi,strCode[])-((index mod 10)+1)
//
//====================================(第几个注册码 mod 10+1)
//===========================================================
:0044D604 2BDA sub ebx, edx
:0044D606 8D45F0 lea eax, dword ptr [ebp-10]
:0044D609 E8A269FBFF call 00403FB0
:0044D60E 885C30FF mov byte ptr [eax+esi-01], bl
//===============================================
//==================>这个bl一定是在0x30-0x39之内，应该可以简化还原
//===============================================
:0044D612 46 inc esi
:0044D613 FF4DEC dec [ebp-14]=========>循环注册码程度
:0044D616 0F8566FFFFFF jne 0044D582

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044D574(C)
|
:0044D61C 8B45F4 mov eax, dword ptr [ebp-0C]
:0044D61F 8B55F0 mov edx, dword ptr [ebp-10]
:0044D622 E8D565FBFF call 00403BFC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044D4AB(U)
|
:0044D627 33C0 xor eax, eax
:0044D629 5A pop edx
:0044D62A 59 pop ecx
:0044D62B 59 pop ecx
:0044D62C 648910 mov dword ptr fs:[eax], edx
:0044D62F 6851D64400 push 0044D651

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044D64F(U)
|
:0044D634 8D45F0 lea eax, dword ptr [ebp-10]
:0044D637 E82865FBFF call 00403B64
:0044D63C 8D45F8 lea eax, dword ptr [ebp-08]
:0044D63F BA02000000 mov edx, 00000002
:0044D644 E83F65FBFF call 00403B88
:0044D649 C3 ret
//===========================注册码加密算法完毕========================
:004C58F4 8B45F4 mov eax, dword ptr [ebp-0C]
:004C58F7 8B55F0 mov edx, dword ptr [ebp-10]
:004C58FA E8F1E5F3FF call 00403EF0========>比较函数
:004C58FF 0F94C3 sete bl

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C5852(U)
|
:004C5902 33C0 xor eax, eax
:004C5904 5A pop edx
:004C5905 59 pop ecx
:004C5906 59 pop ecx
:004C5907 648910 mov dword ptr fs:[eax], edx
:004C590A 6831594C00 push 004C5931

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C592F(U)
|
:004C590F 8D45C8 lea eax, dword ptr [ebp-38]
:004C5912 BA05000000 mov edx, 00000005
:004C5917 E86CE2F3FF call 00403B88
:004C591C 8D45F0 lea eax, dword ptr [ebp-10]
:004C591F BA04000000 mov edx, 00000004
:004C5924 E85FE2F3FF call 00403B88
:004C5929 C3 ret
==============================================================
=
=这个注册码反算过程还有点复杂，浪费了我1天时间
=keygen已经做出，因为是国产软件，所以无法公布
=
====================Open Cracking Group=====================
=
= 中文拨号上网计时计费器 V4.12注册算法分析
=
= DiKeN/OCG
=
= http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi
=
====================Open Cracking Group=====================