暴风共享软件管理器I V1.0　　

标题：简单算法——暴风共享软件管理器I V1.0　　
作者：fly
时间：2003/04/11 10:07am
链接：http://bbs.pediy.com

下载页面： http://www.skycn.com/soft/10315.html
软件大小： 378 KB
软件语言：简体中文
软件类别：国产软件 / 共享版 / 杂类工具
应用平台： Win9x/NT/2000/XP
加入时间： 2003-01-05 09:01:25
下载次数： 383
推荐等级： ***
开发商： http://www.380000.com/

【软件简介】：《暴风共享软件管理器I》是一款专业的共享软件管理工具，它能帮助你方便地管理你的共享软件。《暴风共享软件管理器I》利用“接口式动态链接库注册码自动生成系统”可以自动用你提供的算法算出相应的注册码；可以画出各产品销售额、利润、销售量的统计图形；采用适合中国共享软件销售方式的定单式管理风格。《暴风共享软件管理器I》必将成为你管理共享软件的好帮手。

【软件限制】：30天试用。

【作者声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！

【破解工具】：TRW2000娃娃修改版、Ollydbg1.09、PEiD、W32Dasm 10修改版

—————————————————————————————————
【过程】：

暴风共享软件管理器I.exe 无壳。Visual C++ 6.0编写。

呵呵，分析完了后看到newlaos兄写的《奇门遁甲演义V6.3》，发觉算法很相似，再看看软件的开发公司，哦，是一家的，“共享”了一套注册算法。看来函数图像大师、鼠到擒来等等同门软件也是差不多了。

虽然注册码很长，但算法基本的流程是一样的，变换了参数而得到其它几组注册码，所以我只是记录了第一组的算法过程。

用户名：fly
试炼码：12345-67890-ABCDE-FGHIJ-KLMNO

反汇编，看看参考，很容易就能找到下面的核心。
—————————————————————————————————

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C13(C)
|
:00408C21 8D44242C lea eax, dword ptr [esp+2C]
:00408C25 6A1E push 0000001E
:00408C27 50 push eax
:00408C28 8D8E0C010000 lea ecx, dword ptr [esi+0000010C]
:00408C2E E88D350000 call 0040C1C0
:00408C33 8D4C240C lea ecx, dword ptr [esp+0C]
:00408C37 6A1E push 0000001E
:00408C39 51 push ecx
:00408C3A 8D8E1C010000 lea ecx, dword ptr [esi+0000011C]
:00408C40 E87B350000 call 0040C1C0
:00408C45 8D7C242C lea edi, dword ptr [esp+2C]
:00408C49 83C9FF or ecx, FFFFFFFF
:00408C4C 33C0 xor eax, eax
:00408C4E F2 repnz
:00408C4F AE scasb
:00408C50 F7D1 not ecx
:00408C52 49 dec ecx
:00408C53 7511 jne 00408C66
====>填用户名了吗？

:00408C55 6A10 push 00000010

* Possible StringData Ref from Data Obj ->"错误"
|
:00408C57 680CC24200 push 0042C20C

* Possible StringData Ref from Data Obj ->"没有用户名！"
|
:00408C5C 68F0C34200 push 0042C3F0
:00408C61 E983000000 jmp 00408CE9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C53(C)
|
:00408C66 8D7C240C lea edi, dword ptr [esp+0C]
:00408C6A 83C9FF or ecx, FFFFFFFF
:00408C6D 33C0 xor eax, eax
:00408C6F F2 repnz
:00408C70 AE scasb
:00408C71 F7D1 not ecx
:00408C73 49 dec ecx
:00408C74 7512 jne 00408C88
====>填注册码了吗？

:00408C76 8B460C mov eax, dword ptr [esi+0C]
:00408C79 6A10 push 00000010

* Possible StringData Ref from Data Obj ->"错误"
|
:00408C7B 680CC24200 push 0042C20C

* Possible StringData Ref from Data Obj ->"没有注册码！"
|
:00408C80 68E0C34200 push 0042C3E0
:00408C85 50 push eax
:00408C86 EB65 jmp 00408CED

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C74(C)
|
:00408C88 8B8E08010000 mov ecx, dword ptr [esi+00000108]
:00408C8E E8DD84FFFF call 00401170
:00408C93 84C0 test al, al
:00408C95 7412 je 00408CA9
====>注册过了吗？呵呵，挺逗。

:00408C97 8B4E0C mov ecx, dword ptr [esi+0C]
:00408C9A 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"你已经注册过了。"
|
:00408C9C 6898C34200 push 0042C398

* Possible StringData Ref from Data Obj ->"你已经注册过了。"
|
:00408CA1 6898C34200 push 0042C398
:00408CA6 51 push ecx
:00408CA7 EB44 jmp 00408CED

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C95(C)
|
:00408CA9 8B8E08010000 mov ecx, dword ptr [esi+00000108]
:00408CAF 8D54240C lea edx, dword ptr [esp+0C]
====>EDX=12345-67890-ABCDE-FGHIJ-KLMNO

:00408CB3 8D44242C lea eax, dword ptr [esp+2C]
====>EAX=fly 用户名

:00408CB7 52 push edx
:00408CB8 50 push eax
:00408CB9 E88286FFFF call 00401340
:00408CBE 8B8E08010000 mov ecx, dword ptr [esi+00000108]
:00408CC4 E8A784FFFF call 00401170
====>关键CALL！进入！

:00408CC9 84C0 test al, al
:00408CCB 6A40 push 00000040
:00408CCD 7410 je 00408CDF
====>跳则OVER！

:00408CCF 8B4E0C mov ecx, dword ptr [esi+0C]

* Possible StringData Ref from Data Obj ->"成功"
====>呵呵，胜利女神！

:00408CD2 68D8C34200 push 0042C3D8

* Possible StringData Ref from Data Obj ->"注册将在重启后生效！"
|
:00408CD7 68C0C34200 push 0042C3C0
:00408CDC 51 push ecx
:00408CDD EB0E jmp 00408CED

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408CCD(C)
|

* Possible StringData Ref from Data Obj ->"失败"
|
:00408CDF 68B8C34200 push 0042C3B8

* Possible StringData Ref from Data Obj ->"非法注册码"
====>BAD BOY！

:00408CE4 68ACC34200 push 0042C3AC

—————————————————————————————————
进入关键CALL：408CC4 call 00401170

* Referenced by a CALL at Addresses:
|:00403D92 , :00408B93 , :00408C8E , :00408CC4

…… ……省略…… ……

:00401223 8A4C2425 mov cl, byte ptr [esp+25]
:00401227 B02D mov al, 2D
====>AL=2D 即：-

:00401229 3AC8 cmp cl, al
====>比较注册码第6个字符是否是 -

:0040122B 7572 jne 0040129F
:0040122D 3844242B cmp byte ptr [esp+2B], al
====>比较注册码第12个字符是否是 -

:00401231 756C jne 0040129F
:00401233 38442431 cmp byte ptr [esp+31], al
====>比较注册码第18个字符是否是 -

:00401237 7566 jne 0040129F
:00401239 38442437 cmp byte ptr [esp+37], al
====>比较注册码第24个字符是否是 -

:0040123D 7560 jne 0040129F
:0040123F 33FF xor edi, edi
:00401241 8D742422 lea esi, dword ptr [esp+22]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401294(C)
|
:00401245 8D4C2418 lea ecx, dword ptr [esp+18]
:00401249 8D542440 lea edx, dword ptr [esp+40]
====>EDX=fly

:0040124D 51 push ecx
:0040124E 57 push edi
:0040124F 52 push edx
:00401250 8BCD mov ecx, ebp
:00401252 E859000000 call 004012B0
====>算法CALL！进入！

====>下面是逐位比较！有一处不同就OVER了！
:00401257 8A46FE mov al, byte ptr [esi-02]
====>[esi-02]=12345

:0040125A 8A4C2418 mov cl, byte ptr [esp+18]
====>[esp+18]=1E9TT
第一个大循环得出：1E9TT
第二个大循环得出：5GDGG
第三个大循环得出：72WW8
第四个大循环得出：72WR9
第五个大循环得出：11MGG

:0040125E 3AC1 cmp al, cl
:00401260 753D jne 0040129F
:00401262 8A4EFF mov cl, byte ptr [esi-01]
:00401265 8A442419 mov al, byte ptr [esp+19]
:00401269 3AC8 cmp cl, al
:0040126B 7532 jne 0040129F
:0040126D 8A16 mov dl, byte ptr [esi]
:0040126F 8A44241A mov al, byte ptr [esp+1A]
:00401273 3AD0 cmp dl, al
:00401275 7528 jne 0040129F
:00401277 8A4601 mov al, byte ptr [esi+01]
:0040127A 8A4C241B mov cl, byte ptr [esp+1B]
:0040127E 3AC1 cmp al, cl
:00401280 751D jne 0040129F
:00401282 8A4E02 mov cl, byte ptr [esi+02]
:00401285 8A44241C mov al, byte ptr [esp+1C]
:00401289 3AC8 cmp cl, al
:0040128B 7512 jne 0040129F
:0040128D 47 inc edi
:0040128E 83C606 add esi, 00000006
:00401291 83FF05 cmp edi, 00000005
:00401294 7CAF jl 00401245
:00401296 5F pop edi
:00401297 5E pop esi
:00401298 B001 mov al, 01
====>置1则OK！

:0040129A 5D pop ebp
:0040129B 83C454 add esp, 00000054
:0040129E C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401221(C), :0040122B(C), :00401231(C), :00401237(C), :0040123D(C)
|:00401260(C), :0040126B(C), :00401275(C), :00401280(C), :0040128B(C)
|
:0040129F 5F pop edi
:004012A0 5E pop esi
:004012A1 32C0 xor al, al
====>清0则OVER！

:004012A3 5D pop ebp
:004012A4 83C454 add esp, 00000054
:004012A7 C3 ret

—————————————————————————————————
进入算法CALL：401252 call 004012B0

* Referenced by a CALL at Address:
|:00401252
|
:004012B0 8B4C2408 mov ecx, dword ptr [esp+08]
:004012B4 8B542404 mov edx, dword ptr [esp+04]
====>EDX=fly

:004012B8 03D1 add edx, ecx
:004012BA 83EC0C sub esp, 0000000C
:004012BD B801000000 mov eax, 00000001
:004012C2 8A0A mov cl, byte ptr [edx]
====>CL=66

:004012C4 56 push esi
:004012C5 84C9 test cl, cl
:004012C7 7413 je 004012DC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012DA(C)
|
:004012C9 0FBEC9 movsx ecx, cl
1、 ====>ECX=CL=66
2、 ====>ECX=6C
3、 ====>ECX=79

:004012CC 8BF1 mov esi, ecx
:004012CE 0FAFF1 imul esi, ecx
1、 ====>ESI=66 * 66=28A4
2、 ====>ESI=6C * 6C=2D90
3、 ====>ESI=79 * 79=3931

:004012D1 8A4A01 mov cl, byte ptr [edx+01]
1、 ====>CL=6C

:004012D4 0FAFC6 imul eax, esi
1、 ====>EAX=01 * 28A4=28A4
2、 ====>EAX=28A4 * 2D90=073BB040
3、 ====>EAX=073BB040 * 3931=ACAAFC40

:004012D7 42 inc edx
:004012D8 84C9 test cl, cl
:004012DA 75ED jne 004012C9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012C7(C)
|
:004012DC 8B74241C mov esi, dword ptr [esp+1C]
:004012E0 33C9 xor ecx, ecx
:004012E2 8BD6 mov edx, esi
:004012E4 6A24 push 00000024
:004012E6 3517108519 xor eax, 19851017
====>EAX=ACAAFC40 XOR 19851017=B52FEC57

:004012EB 890A mov dword ptr [edx], ecx
:004012ED 66894A04 mov word ptr [edx+04], cx
:004012F1 8D4C2408 lea ecx, dword ptr [esp+08]
:004012F5 51 push ecx
:004012F6 50 push eax
:004012F7 E8C70B0200 call 00421EC3
====>又是一个子运算CALL！进入！

:004012FC 8D542410 lea edx, dword ptr [esp+10]
====>EDX=1e9ttnb

:00401300 52 push edx

* Possible StringData Ref from Data Obj ->"%.5s"
|
:00401301 681CC14200 push 0042C11C
:00401306 56 push esi
:00401307 E8BC730100 call 004186C8
====>此CALL将上面所得字符截取前5位！
====>ESI=1e9tt

:0040130C 83C418 add esp, 00000018
:0040130F 33C9 xor ecx, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040132F(C)
|
:00401311 8A0431 mov al, byte ptr [ecx+esi]
:00401314 3C61 cmp al, 61
:00401316 7C0B jl 00401323
:00401318 3C7A cmp al, 7A
:0040131A 7F07 jg 00401323
:0040131C 2C20 sub al, 20
:0040131E 880431 mov byte ptr [ecx+esi], al
:00401321 EB08 jmp 0040132B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401316(C), :0040131A(C)
|
:00401323 84C0 test al, al
:00401325 7504 jne 0040132B
:00401327 C6043130 mov byte ptr [ecx+esi], 30

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401321(U), :00401325(C)
|
:0040132B 41 inc ecx
:0040132C 83F905 cmp ecx, 00000005
:0040132F 7CE0 jl 00401311
====>这个小循环是将1e9tt中的小写字母转换为大写字母！
====>ESI=1e9tt 转换为 1E9TT

:00401331 5E pop esi
:00401332 83C40C add esp, 0000000C
:00401335 C20C00 ret 000C

—————————————————————————————————
进入子运算CALL:004012F7 call 00421EC3

再进入:00421EE0 call 00421E67

* Referenced by a CALL at Addresses:
|:00421E5A , :00421EE0
|
:00421E67 55 push ebp
:00421E68 8BEC mov ebp, esp
:00421E6A 837D1400 cmp dword ptr [ebp+14], 00000000
:00421E6E 8B4D0C mov ecx, dword ptr [ebp+0C]
:00421E71 53 push ebx
:00421E72 56 push esi
:00421E73 57 push edi
:00421E74 740B je 00421E81
:00421E76 8B7508 mov esi, dword ptr [ebp+08]
:00421E79 C6012D mov byte ptr [ecx], 2D
:00421E7C 41 inc ecx
:00421E7D F7DE neg esi
:00421E7F EB03 jmp 00421E84

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421E74(C)
|
:00421E81 8B7508 mov esi, dword ptr [ebp+08]
====>ESI=B52FEC57

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421E7F(U)
|
:00421E84 8BF9 mov edi, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421EAA(C)
|
:00421E86 8BC6 mov eax, esi
:00421E88 33D2 xor edx, edx
:00421E8A F77510 div [ebp+10]
====>[ebp+10]=24
1、 ====>EDX=B52FEC57 % 24=0B
2、 ====>EDX=0508713B % 24=17
3、 ====>EDX=0023CA41 % 24=1D
4、 ====>EDX=0000FE81 % 24=1D
5、 ====>EDX=00000711 % 24=09
6、 ====>EDX=00000032 % 24=0E
7、 ====>EDX=00000001 % 24=01

:00421E8D 8BC6 mov eax, esi
:00421E8F 8BDA mov ebx, edx
:00421E91 33D2 xor edx, edx
:00421E93 F77510 div [ebp+10]
1、 ====>EAX=B52FEC57 / 24=0508713B
2、 ====>EAX=0508713B / 24=0023CA41
3、 ====>EAX=0023CA41 / 24=0000FE81
4、 ====>EAX=0000FE81 / 24=00000711
5、 ====>EAX=00000711 / 24=00000032
6、 ====>EAX=00000032 / 24=00000001
7、 ====>EAX=00000001 / 24=00000000

:00421E96 83FB09 cmp ebx, 00000009
:00421E99 8BF0 mov esi, eax
====>ESI=EAX

:00421E9B 7605 jbe 00421EA2
:00421E9D 80C357 add bl, 57
1、 ====>BL=0B + 57=62 即字符：b
2、 ====>BL=17 + 57=6E 即字符：n
3、 ====>BL=1D + 57=74 即字符：t
4、 ====>BL=1D + 57=74 即字符：t
6、 ====>BL=0E + 57=65 即字符：e

:00421EA0 EB03 jmp 00421EA5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421E9B(C)
|
:00421EA2 80C330 add bl, 30
5、 ====>BL=09 + 30=39 即字符：9
7、 ====>BL=01 + 30=31 即字符：1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421EA0(U)
|
:00421EA5 8819 mov byte ptr [ecx], bl
====>BL 入 [ecx]处
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
循环结束后[ECX]内存中的值：

006DEE3C 62 6E 74 74 39 65 31 bntt9e1
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆

:00421EA7 41 inc ecx
:00421EA8 85F6 test esi, esi
:00421EAA 77DA ja 00421E86
====>循环！

:00421EAC 802100 and byte ptr [ecx], 00
:00421EAF 49 dec ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421EBC(C)
|
:00421EB0 8A17 mov dl, byte ptr [edi]
:00421EB2 8A01 mov al, byte ptr [ecx]
:00421EB4 8811 mov byte ptr [ecx], dl
:00421EB6 8807 mov byte ptr [edi], al
:00421EB8 49 dec ecx
:00421EB9 47 inc edi
:00421EBA 3BF9 cmp edi, ecx
:00421EBC 72F2 jb 00421EB0
====>这个小循环是将bntt9e1倒序为：1e9ttnb

:00421EBE 5F pop edi
:00421EBF 5E pop esi
:00421EC0 5B pop ebx
:00421EC1 5D pop ebp
:00421EC2 C3 ret

—————————————————————————————————
【完美爆破】：

呵呵，完美爆破很简单。

004012A1 32C0 xor al, al
改为： B001 mov al, 01 就OK了！与401298处相映成趣！

—————————————————————————————————
【注册信息保存】：

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\SsmI]
"User Name"=hex:66,6c,79,00,4c,ef,6d,00,80,ef,6d,00,18,02,00,00,37,01,00,00,17,\
03,00,00,fd,01,00,00,8f,03
"Register Code"=hex:31,45,39,54,54,2d,35,47,44,47,47,2d,37,32,57,57,38,2d,37,\
32,57,52,39,2d,31,31,4d,47,47,00

—————————————————————————————————
【整理】：

用户名：fly
注册码：1E9TT-5GDGG-72WW8-72WR9-11MGG

—————————————————————————————————

Cracked By 巢水工作坊——fly【OCN】

2003-10-10 21:21