Screen Demo Maker V3.0注册算法分析
软件名称:Screen Demo Maker V3.0
破解作者:LAJIAOLZ[FCG-CCG-iPB-CCG]
破解日期:2002/09/10
用OLLYDBG载入,查找参考串“Bad Register Code!“找到断点
//////////////////////////////////////////////////////////////////////
00406B44 . 6A 0A PUSH 0A
00406B46
. 8BCA MOV ECX,EDX
00406B48 . E8
CFD50000 CALL <JMP.&MFC42.#4171>
00406B4D . 50
PUSH EAX
00406B4E . 8BCB
MOV ECX,EBX
00406B50 . E8 C7D50000
CALL <JMP.&MFC42.#4171>
00406B55 . 50
PUSH EAX
00406B56 . E8 45F5FFFF CALL SDServer.004060A0
//关键调用跟入
00406B5B . 83C4 0C ADD ESP,0C
00406B5E . 85C0 TEST EAX,EAX
00406B60
. 75 14 JNZ SHORT SDServer.00406B76
00406B62
> 6A 00 PUSH 0
00406B64 . 6A 00
PUSH 0
00406B66 . 68 A8F34100
PUSH SDServer.0041F3A8
; ASCII "Bad Register Code!"
00406B6B . 8BCE
MOV ECX,ESI
00406B6D . E8 FCD40000
CALL <JMP.&MFC42.#4224>
00406B72 . 5F
POP EDI
00406B73 . 5E
POP ESI
00406B74 . 5B
POP EBX
00406B75 . C3 RETN
//////////////////////////////////////////////////////////////////////
004060A0 /$ 53 PUSH EBX
004060A1
|. 55 PUSH EBP
004060A2 |.
8B6C24 10 MOV EBP,DWORD PTR SS:[ESP+10]
004060A6
|. 56 PUSH ESI
004060A7 |.
8B7424 10 MOV ESI,DWORD PTR SS:[ESP+10] //指向6位数字序列号
S[0..5]
004060AB |. 57 PUSH
EDI
004060AC |. 8BCE MOV ECX,ESI
004060AE |. 8D5D 07 LEA EBX,DWORD PTR SS:[EBP+7]
004060B1 |. C646 06 00 MOV BYTE PTR DS:[ESI+6],0
004060B5 |. 8BC5 MOV EAX,EBP
004060B7
|. 2BCD SUB ECX,EBP
004060B9 |. BF
06000000 MOV EDI,6
004060BE |> 8A1401
/MOV DL,BYTE PTR DS:[ECX+EAX]
004060C1 |. 8810
|MOV BYTE PTR DS:[EAX],DL
004060C3 |. 40
|INC EAX
004060C4 |. 4F
|DEC EDI
004060C5 |.^75 F7
\JNZ SHORT SDServer.004060BE
004060C7 |. 8B7C24
1C MOV EDI,DWORD PTR SS:[ESP+1C]
004060CB |. C645
06 2D MOV BYTE PTR SS:[EBP+6],2D
004060CF |. 0FBE4E 03
MOVSX ECX,BYTE PTR DS:[ESI+3]
004060D3 |. 0FBE06
MOVSX EAX,BYTE PTR DS:[ESI]
004060D6 |. 8BD7
MOV EDX,EDI
004060D8 |. 6A 03
PUSH 3
; /maxlen = 3
004060DA |. 03D1 ADD EDX,ECX
; |
004060DC |. B9 19000000 MOV ECX,19
; |
004060E1 |. 03C2 ADD EAX,EDX
; |
004060E3 |. C64424 1B 00 MOV BYTE PTR SS:[ESP+1B],0
; |
004060E8 |. 99
CDQ
; |
004060E9 |. F7F9 IDIV
ECX
; |
004060EB |. 0FBE46 01
MOVSX EAX,BYTE PTR DS:[ESI+1]
; |
004060EF |. 8BCF MOV ECX,EDI
; |
004060F1 |. 80C2 41 ADD
DL,41
; |
004060F4 |. 885424 18
MOV BYTE PTR SS:[ESP+18],DL
; |
004060F8 |. 0FBE56 04 MOVSX EDX,BYTE
PTR DS:[ESI+4] ; |
004060FC
|. 03CA ADD ECX,EDX
;
|
004060FE |. 03C1 ADD EAX,ECX
; |
00406100 |. B9 19000000 MOV ECX,19
; |
00406105 |. 99
CDQ
; |
00406106
|. F7F9 IDIV ECX
; |
00406108 |. 0FBE46 02 MOVSX EAX,BYTE PTR DS:[ESI+2]
; |
0040610C |. 8BCF
MOV ECX,EDI
; |
0040610E
|. 80C2 41 ADD DL,41
;
|
00406111 |. 885424 19 MOV BYTE PTR SS:[ESP+19],DL
; |
00406115 |. 0FBE56 05
MOVSX EDX,BYTE PTR DS:[ESI+5]
; |
00406119 |. 03CA ADD ECX,EDX
; |
0040611B |. 03C1
ADD EAX,ECX
; |
0040611D |. B9 19000000
MOV ECX,19
; |
00406122 |. 99
CDQ
; |
00406123 |. F7F9 IDIV
ECX
; |
00406125 |. 80C2 41
ADD DL,41
; |
00406128
|. 885424 1A MOV BYTE PTR SS:[ESP+1A],DL
; |
0040612C |. 8D5424 18
LEA EDX,DWORD PTR SS:[ESP+18]
; |
00406130 |. 52 PUSH EDX
; |src
00406131 |. 53
PUSH EBX
; |dest
00406132
|. 8B1D 8C964100 MOV EBX,DWORD PTR DS:[<&MSVCRT.strncpy>] ; |msvcrt.strncpy
//合并串 S[0..5]+'-'+S1[0..2]
00406138 |. FFD3
CALL EBX
; \strncpy
0040613A |. 0FBE46 03 MOVSX EAX,BYTE PTR DS:[ESI+3]
0040613E |. 0FBE0E MOVSX ECX,BYTE PTR DS:[ESI]
00406141 |. 2BC8 SUB ECX,EAX
00406143 |. 6A 03 PUSH 3
00406145
|. 8D4439 20 LEA EAX,DWORD PTR DS:[ECX+EDI+20]
00406149
|. B9 19000000 MOV ECX,19
0040614E |. 99
CDQ
0040614F |. F7F9
IDIV ECX
00406151 |. 0FBE46 04 MOVSX
EAX,BYTE PTR DS:[ESI+4]
00406155 |. 80C2 41
ADD DL,41
00406158 |. 885424 24 MOV BYTE PTR SS:[ESP+24],DL
0040615C |. 0FBE56 01 MOVSX EDX,BYTE PTR DS:[ESI+1]
00406160 |. 2BD0 SUB EDX,EAX
00406162 |. 8D443A 20 LEA EAX,DWORD PTR DS:[EDX+EDI+20]
00406166 |. 99 CDQ
00406167
|. F7F9 IDIV ECX
00406169 |. 0FBE46
05 MOVSX EAX,BYTE PTR DS:[ESI+5]
0040616D |. 80C2
41 ADD DL,41
00406170 |. 885424 25
MOV BYTE PTR SS:[ESP+25],DL
00406174 |. 0FBE56 02
MOVSX EDX,BYTE PTR DS:[ESI+2]
00406178 |. 2BD0
SUB EDX,EAX
0040617A |. 8D443A 20
LEA EAX,DWORD PTR DS:[EDX+EDI+20]
0040617E |. 99
CDQ
0040617F |. F7F9
IDIV ECX
00406181 |. 8D45 0A
LEA EAX,DWORD PTR SS:[EBP+A]
00406184 |. 80C2 41
ADD DL,41
00406187 |. 885424 26 MOV
BYTE PTR SS:[ESP+26],DL
0040618B |. 8D5424 24 LEA
EDX,DWORD PTR SS:[ESP+24]
0040618F |. 52
PUSH EDX
00406190 |. 50
PUSH EAX
00406191 |. FFD3
CALL EBX
//合并串 S[0..5]+'-'+S1[0..2]+S2[0..2]
00406193 |.
0FBE46 03 MOVSX EAX,BYTE PTR DS:[ESI+3]
00406197
|. 0FBE0E MOVSX ECX,BYTE PTR DS:[ESI]
0040619A
|. 03C7 ADD EAX,EDI
0040619C |. 33C1
XOR EAX,ECX
0040619E |. B9 19000000
MOV ECX,19
004061A3 |. 99
CDQ
004061A4 |. F7F9 IDIV
ECX
004061A6 |. 0FBE46 04 MOVSX EAX,BYTE PTR DS:[ESI+4]
004061AA |. 80C2 41 ADD DL,41
004061AD
|. 03C7 ADD EAX,EDI
004061AF |. 885424
2C MOV BYTE PTR SS:[ESP+2C],DL
004061B3 |. 0FBE56
01 MOVSX EDX,BYTE PTR DS:[ESI+1]
004061B7 |. 33C2
XOR EAX,EDX
004061B9 |. 6A 03
PUSH 3
004061BB |. 99
CDQ
004061BC |. F7F9
IDIV ECX
004061BE |. 0FBE46 05 MOVSX EAX,BYTE PTR
DS:[ESI+5]
004061C2 |. 03C7 ADD EAX,EDI
004061C4 |. 80C2 41 ADD DL,41
004061C7
|. 885424 31 MOV BYTE PTR SS:[ESP+31],DL
004061CB
|. 0FBE56 02 MOVSX EDX,BYTE PTR DS:[ESI+2]
004061CF
|. 33C2 XOR EAX,EDX
004061D1 |. 99
CDQ
004061D2 |. F7F9
IDIV ECX
004061D4 |. 8D45 0D
LEA EAX,DWORD PTR SS:[EBP+D]
004061D7 |. 80C2 41
ADD DL,41
004061DA |. 885424 32 MOV
BYTE PTR SS:[ESP+32],DL
004061DE |. 8D5424 30 LEA
EDX,DWORD PTR SS:[ESP+30]
004061E2 |. 52
PUSH EDX
004061E3 |. 50
PUSH EAX
004061E4 |. FFD3
CALL EBX
//合并串 S[0..5]+'-'+S1[0..2]+S2[0..2]+S3[0..2]
004061E6 |. 83C4 24 ADD ESP,24 //EBP=真注册码
004061E9 |. C645 10 00 MOV BYTE PTR SS:[EBP+10],0
004061ED |. B8 01000000 MOV EAX,1
004061F2 |. 5F
POP EDI
004061F3 |. 5E
POP ESI
004061F4 |. 5D
POP EBP
004061F5 |. 5B
POP EBX
004061F6 \. C3
RETN
//////////////////////////////////////////////////////////////////////
不难看出算法
用一程序来描述
假定序列号为S[0..5]
计算出来3个子串 S1[0..2]
S2[0..2] S3[0..2]
FOR I=0TO 2
S1[I]=((S[I]+S[I+3]+0A) MOD
19)+41
NEXT I
FOR I=0 TO 2
S2[I]=((S[I]+0A+20-S[I+3])
MOD 19)+41
NEXT I
FOR I=0 TO 2
S3[I]=((S[I+3]+0A) XOR
S[I]) MOD 19)+41
NEXT I
T[]=S[]+'-'+S1[]+S2[]+S3[]
//////////////////////////////////////////////////////////////////////
软件下载: http://www.stepok.com/sdemo/SD3Setup.exe
注册机下载:http://fcg.5599.net/lajiaolz/ScreenDemoMaker-V3.0-KEYGEN-LAJIAOLZ.rar
- 标 题:Screen Demo Maker V3.0注册算法分析 (8千字)
- 作 者:lajiaolz
- 时 间:2002-9-10 13:02:30
- 链 接:http://bbs.pediy.com