SuperCleaner 2.31

标题：SuperCleaner 2.31注册码算法分析 - OCG (13千字)
作者：alphakk
时间：2002-4-2 10:41:52
链接：http://bbs.pediy.com

SuperCleaner 2.31注册码算法分析
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
软件简介：
帮助用户清洗他们的计算机硬盘内不必要的文件的程序。它能扫描你的系
统让你选择不再需要的文件进行删除。并能备份文件已避免你误删除有用的文
件，此备份功能将不必要的文件扔进再循环箱，这样可以让你再必要的时候恢
复信息。
破解工具：SOFTICE，W32DASM
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
分析：
此软件采用用户名，注册码的验证方式
在软件注册窗口中输入以下信息：
用户名：alpha
注册码：98765432
用GETWINDOWTEXT　做断点，程序没有被中断。换成GETDLGITEMTEXT，按下确定后，弹出SOFTICE窗口。按两下F12弹出注册失败对话框，因此，ENABLE前面下的断点后，只按一下F12，然后用F10单步跟踪，来到：

* Reference To: USER32.GetDlgItemTextA, Ord:0113h
|
:0041220F 8B3D7C124200 mov edi, dword ptr [0042127C]
:00412215 6817040000 push 00000417
:0041221A 56 push esi
:0041221B FFD7 call edi　　　　<<----------取得用户名
:0041221D 8D542408 lea edx, dword ptr [esp+08]
:00412221 6800010000 push 00000100
:00412226 52 push edx
:00412227 68FC030000 push 000003FC
:0041222C 56 push esi
:0041222D FFD7 call edi　　　<<--------取得输入的注册码
:0041222F 8D442408 lea eax, dword ptr [esp+08] <<-------输入的注册码的首地址－＞EAX
:00412233 8D8C2408010000 lea ecx, dword ptr [esp+00000108]　<<----用户名的首地址－＞ECX
:0041223A 50 push eax
:0041223B 51 push ecx
:0041223C E8BF080000 call 00412B00　　<<-----注意这个CALL
:00412241 83C408 add esp, 00000008
:00412244 85C0 test eax, eax　
:00412246 5F pop edi
:00412247 7443 je 0041228C <<-----注册码不对就跳
:00412249 8D542404 lea edx, dword ptr [esp+04]
:0041224D 8D842404010000 lea eax, dword ptr [esp+00000104]
:00412254 52 push edx
:00412255 50 push eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412247(C)
|
:0041228C 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"SuperCleaner"
|
:0041228E 686C454200 push 0042456C

* Possible Reference to String Resource ID=00010: "?w `揺勮?
cn"
|
:00412293 6A0A push 0000000A
:00412295 56 push esi
:00412296 E85572FFFF call 004094F0　　<<------注册失败对话框
:0041229B 83C410 add esp, 00000010
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
由上面不难看出，关键就在　0041223C处的CALL，跟踪进入这个CALL，来到：

* Referenced by a CALL at Addresses:
|:0041223C , :00412A2E
|
:00412B00 81EC00010000 sub esp, 00000100
:00412B06 A0D09C4200 mov al, byte ptr [00429CD0]
:00412B0B 56 push esi
:00412B0C 57 push edi
:00412B0D 88442408 mov byte ptr [esp+08], al

* Possible Reference to String Resource ID=00063: "`氬~剠?+ Netscape 4 剦棚?"
|
:00412B11 B93F000000 mov ecx, 0000003F
:00412B16 33C0 xor eax, eax
:00412B18 8D7C2409 lea edi, dword ptr [esp+09]
:00412B1C 8B94240C010000 mov edx, dword ptr [esp+0000010C]　<<-----用户名的首地址送入EDX
:00412B23 F3 repz
:00412B24 AB stosd
:00412B25 66AB stosw
:00412B27 8D4C2408 lea ecx, dword ptr [esp+08]
:00412B2B 33F6 xor esi, esi
:00412B2D 51 push ecx
:00412B2E 52 push edx
:00412B2F AA stosb
:00412B30 E8AB000000 call 00412BE0　　　<<--------此CALL如果用F10过的话，EAX将放入正确注册码的首地址，但本文是对这个软件的注册码算法进行分析，因此有必要进入这个CALL看看
:00412B35 8B8C2418010000 mov ecx, dword ptr [esp+00000118] <<-------输入的注册码的首地址－＞ECX
:00412B3C 8D442410 lea eax, dword ptr [esp+10] <<--------正确的注册码的首地址－＞EAX
:00412B40 50 push eax
:00412B41 51 push ecx
:00412B42 E869FFFFFF call 00412AB0　　　<<-----比较函数
:00412B47 83C410 add esp, 00000010
:00412B4A 85C0 test eax, eax

* Possible Reference to String Resource ID=00001: "蜩屬%s"
|
:00412B4C B801000000 mov eax, 00000001
:00412B51 7502 jne 00412B55　　　<<----相同则跳走
:00412B53 8BC6 mov eax, esi

＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
进入　00412B30处的CALL，来到：

* Referenced by a CALL at Address:
|:00412B30
|
:00412BE0 81EC00010000 sub esp, 00000100
:00412BE6 A0D09C4200 mov al, byte ptr [00429CD0]
:00412BEB 53 push ebx
:00412BEC 55 push ebp
:00412BED 56 push esi
:00412BEE 57 push edi
:00412BEF 88442410 mov byte ptr [esp+10], al

* Possible Reference to String Resource ID=00063: "`氬~剠?+ Netscape 4 剦棚?"
|
:00412BF3 B93F000000 mov ecx, 0000003F　　　　
:00412BF8 33C0 xor eax, eax
:00412BFA 8D7C2411 lea edi, dword ptr [esp+11]
:00412BFE F3 repz
:00412BFF AB stosd
:00412C00 66AB stosw
:00412C02 AA stosb
:00412C03 8BBC2414010000 mov edi, dword ptr [esp+00000114]　　<<------用户名首地址送入EDI
:00412C0A 57 push edi

* Reference To: KERNEL32.lstrlenA, Ord:039Eh
|
:00412C0B FF1510124200 Call dword ptr [00421210]　<<-----取得用户名的长度并送入EAX
:00412C11 8BF0 mov esi, eax
:00412C13 33C9 xor ecx, ecx
:00412C15 33C0 xor eax, eax　<<-----EAX清零，为计数做准备
:00412C17 85F6 test esi, esi
:00412C19 7E13 jle 00412C2E
:00412C1B 8B15406C4200 mov edx, dword ptr [00426C40]　　<<-----初始化EDX（EDX＝0x26）

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C2C(C)
|
:00412C21 0FBE1C38 movsx ebx, byte ptr [eax+edi]　　<<----将用户名中的每个字符按顺序送入EBX，每次循环送入一个
:00412C25 03DA add ebx, edx
:00412C27 03CB add ecx, ebx　　　　<<-----本次运算结果在ECX（此例中为0x2C4）
:00412C29 40 inc eax
:00412C2A 3BC6 cmp eax, esi
:00412C2C 7CF3 jl 00412C21

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C19(C)
|
:00412C2E 8B9C2418010000 mov ebx, dword ptr [esp+00000118]
:00412C35 51 push ecx

* Possible Reference to Dialog:
|
:00412C36 68546C4200 push 00426C54　　
:00412C3B 53 push ebx

* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412C3C FF15FC124200 Call dword ptr [004212FC]　　<<-----将ECX中的值以字符串的形式放在[EBX]中，并在其尾部加上'-'（此例中为：“708－”）
:00412C42 83C40C add esp, 0000000C
:00412C45 33C9 xor ecx, ecx
:00412C47 33C0 xor eax, eax
:00412C49 85F6 test esi, esi
:00412C4B 7E14 jle 00412C61
:00412C4D 8B15446C4200 mov edx, dword ptr [00426C44]　　　<<-----初始化EBP（EBP＝0x34）

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C5F(C)
|
:00412C53 0FBE2C38 movsx ebp, byte ptr [eax+edi]　　<<----将用户名中的每个字符按顺序送入EBP，每次循环送入一个
:00412C57 0FAFEA imul ebp, edx
:00412C5A 03CD add ecx, ebp　　　　　　　<<--------本次运算结果放在ECX
:00412C5C 40 inc eax
:00412C5D 3BC6 cmp eax, esi
:00412C5F 7CF2 jl 00412C53

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C4B(C)
|
:00412C61 51 push ecx
:00412C62 8D4C2414 lea ecx, dword ptr [esp+14]

* Possible Reference to Dialog:
|
:00412C66 68546C4200 push 00426C54
:00412C6B 51 push ecx

* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412C6C FF15FC124200 Call dword ptr [004212FC]　　　<<-----将ECX中的值（0x6938）转化为字符串的形式
:00412C72 83C40C add esp, 0000000C
:00412C75 8D542410 lea edx, dword ptr [esp+10] <<----字符串（此例中为：“26936-”）的首地址送入EDX
:00412C79 52 push edx
:00412C7A 53 push ebx

* Reference To: KERNEL32.lstrcatA, Ord:038Fh
|
:00412C7B FF15F8114200 Call dword ptr [004211F8]　<<------连接前面两次运算所得的结果
:00412C81 33C9 xor ecx, ecx
:00412C83 33C0 xor eax, eax
:00412C85 85F6 test esi, esi
:00412C87 7E13 jle 00412C9C
:00412C89 8B15486C4200 mov edx, dword ptr [00426C48]　<<-----初始化EDX（EDX＝0xC）

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C9A(C)
|
:00412C8F 0FBE2C38 movsx ebp, byte ptr [eax+edi]　　　<<----将用户名中的每个字符按顺序送入EBP，每次循环送入一个
:00412C93 03EA add ebp, edx
:00412C95 03CD add ecx, ebp　　　　　　　<<-----本次运算结果在ECX（此例中为：0x242）
:00412C97 40 inc eax
:00412C98 3BC6 cmp eax, esi
:00412C9A 7CF3 jl 00412C8F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C87(C)
|
:00412C9C 51 push ecx
:00412C9D 8D442414 lea eax, dword ptr [esp+14]

* Possible Reference to Dialog:
|
:00412CA1 68546C4200 push 00426C54
:00412CA6 50 push eax

* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412CA7 FF15FC124200 Call dword ptr [004212FC]　　<<------将ECX中的值（0x242）转化为字符串的形式
:00412CAD 83C40C add esp, 0000000C
:00412CB0 8D4C2410 lea ecx, dword ptr [esp+10]　　<<----字符串（此例中为：“578-”）的首地址送入EDX
:00412CB4 51 push ecx
:00412CB5 53 push ebx

* Reference To: KERNEL32.lstrcatA, Ord:038Fh
|
:00412CB6 FF15F8114200 Call dword ptr [004211F8] <<-----连接前三次运算所得的结果
:00412CBC 33C9 xor ecx, ecx
:00412CBE 33C0 xor eax, eax
:00412CC0 85F6 test esi, esi
:00412CC2 7E14 jle 00412CD8
:00412CC4 8B154C6C4200 mov edx, dword ptr [00426C4C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412CD6(C)
|
:00412CCA 0FBE2C38 movsx ebp, byte ptr [eax+edi]　　<<----将用户名中的每个字符按顺序送入EBP，每次循环送入一个
:00412CCE 0FAFEA imul ebp, edx
:00412CD1 03CD add ecx, ebp
:00412CD3 40 inc eax
:00412CD4 3BC6 cmp eax, esi
:00412CD6 7CF2 jl 00412CCA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412CC2(C)
|
:00412CD8 51 push ecx
:00412CD9 8D542414 lea edx, dword ptr [esp+14]

* Possible Reference to Dialog:
|
:00412CDD 68506C4200 push 00426C50
:00412CE2 52 push edx

* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412CE3 FF15FC124200 Call dword ptr [004212FC]　　　<<------将ECX中的值（0x1C54）转化为字符串的形式
:00412CE9 83C40C add esp, 0000000C
:00412CEC 8D442410 lea eax, dword ptr [esp+10]　　<<----字符串（此例中为：“-7252”）的首地址送入EAX
:00412CF0 50 push eax
:00412CF1 53 push ebx

* Reference To: KERNEL32.lstrcatA, Ord:038Fh
|
:00412CF2 FF15F8114200 Call dword ptr [004211F8] <<-----字符串的连接
:00412CF8 5F pop edi
:00412CF9 5E pop esi
:00412CFA 5D pop ebp
:00412CFB 5B pop ebx
:00412CFC 81C400010000 add esp, 00000100
:00412D02 C3 ret
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
这个软件的注册码形式为：SN1－SN2－SN3－SN4
它的算法就是对用户名分别进行四次运算，并将每次运算的结果转成字符串形式并连接成　SN1－SN2－SN3－SN4
这四次运算中用到了四个初始值：0x26,0x34,0xC,0xE
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝

===============Open Cracking Group=============
CrAcKeD BY alphakk/OCG