AntiSpy PRO 1.02 注册算法分析 + 注册机源代码(tc2)
破解目标:AntiSpy PRO 1.02
官方主页:http://www.antispypro.com/
软件简介:AntiSpy 可以帮你清除Cookies、浏览网站纪录、网络缓存文件、Windows操作系统中的打开程序纪录、最近打开文件。
下载地址:http://www.antispypro.com/antispy/antispypro.exe
使用工具:PEiD 0.8、W32Dasm、Ollydbg
1.09b 汉化版、Windows 自带的计算器、32bit Calculator 1.6 by cybult、UltraEdit
作者:炎之川[BCG]
时间:2003.4.10
主页:http://skipli.yeah.net/
声明: 此文仅用于学习及交流,若要转载请保持文章完整。
经 PEiD 0.8 检查可知,AntiSpy PRO 的主程序为 VC++ 6.0 编写且无壳,W32Dasm 反汇编,一时似乎看不出什么东西,所以直接用
OD 装入程序。载入完成后,在 CPU 窗口中右击,选择“搜索”->“字串参考”,然后在出现的窗口中搜索到了软件注册出错的提示,双击之,进入对应的代码区。
稍作分析后,在 4157C2 处下断点,然后 Ctrl+F2 重新载入程序,F9 运行,输入注册名及假注册码:
Name: lovefire[BCG]
Serial: 78787878
(; 后是 Ollydbg 所分析的内容,// 后是我加的注释,文中数值均为16进制值)
004157C2 . 68 D8B34500 PUSH AntiSpyP.0045B3D8
; SE handler installation
//下断点
004157C7 . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004157CD
. 50 PUSH EAX
004157CE . 64:8925
000000>MOV DWORD PTR FS:[0],ESP
004157D5 . 83EC 0C
SUB ESP,0C
004157D8 . 56
PUSH ESI
004157D9 . 8BF1 MOV ESI,ECX
004157DB . E8 E7080400 CALL AntiSpyP.004560C7
004157E0
. 8B48 04 MOV ECX,DWORD PTR DS:[EAX+4]
004157E3
. E8 BB320300 CALL AntiSpyP.00448AA3
004157E8 . A1 34744700
MOV EAX,DWORD PTR DS:[477434]
004157ED . C74424 18 0000>MOV
DWORD PTR SS:[ESP+18],0
004157F5 . 894424 08 MOV
DWORD PTR SS:[ESP+8],EAX
004157F9 . 894424 04 MOV
DWORD PTR SS:[ESP+4],EAX
004157FD . 8D4424 08 LEA
EAX,DWORD PTR SS:[ESP+8]
00415801 . 8D8E 88010000 LEA ECX,DWORD
PTR DS:[ESI+188]
00415807 . 50
PUSH EAX
00415808 . C64424 1C 02 MOV BYTE PTR SS:[ESP+1C],2
0041580D . E8 914D0300 CALL AntiSpyP.0044A5A3
00415812
. 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
00415816
. 51 PUSH ECX
00415817 . 8D8E
98000000 LEA ECX,DWORD PTR DS:[ESI+98]
0041581D . E8 814D0300
CALL AntiSpyP.0044A5A3
00415822 . 8B5424 08
MOV EDX,DWORD PTR SS:[ESP+8] //假码放入edx
00415826 . 8B4424 04
MOV EAX,DWORD PTR SS:[ESP+4] //注册名放入eax
0041582A
. 52 PUSH EDX //edx 入栈
0041582B
. 50 PUSH EAX //eax 入帐
0041582C
. E8 4F010000 CALL AntiSpyP.00415980 //关键 call!F7 跟进
00415831
. 83C4 08 ADD ESP,8
00415834 . 84C0
TEST AL,AL //呵呵,经典的比较
00415836 .
74 7D JE SHORT AntiSpyP.004158B5 //跳转的话就886啦~~
00415838 . 6A 00 PUSH 0
; /Arg3 = 00000000
0041583A . 6A 40
PUSH 40
; |Arg2 = 00000040
0041583C . 68 285C4700 PUSH AntiSpyP.00475C28
; |Arg1 = 00475C28 ASCII "Registration
Successful!" //不跳则注册成功
00415841 . E8 289C0300 CALL
AntiSpyP.0044F46E
; \AntiSpyP.0044F46E
00415846 . 51
PUSH ECX
00415847 . 8D5424 08 LEA EDX,DWORD
PTR SS:[ESP+8]
0041584B . 8BCC MOV
ECX,ESP
0041584D . 896424 10 MOV DWORD PTR SS:[ESP+10],ESP
00415851 . 52 PUSH EDX
00415852 . E8 D2190300 CALL AntiSpyP.00447229
00415857
. 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
0041585B
. B9 289C4700 MOV ECX,AntiSpyP.00479C28
00415860 . 50
PUSH EAX
00415861 . E8 CAFEFEFF
CALL AntiSpyP.00405730
00415866 . 8D4C24 0C
LEA ECX,DWORD PTR SS:[ESP+C]
0041586A . E8 451C0300 CALL
AntiSpyP.004474B4
0041586F . 51
PUSH ECX
00415870 . 8D5424 0C LEA EDX,DWORD PTR
SS:[ESP+C]
00415874 . 8BCC MOV ECX,ESP
00415876 . 896424 10 MOV DWORD PTR SS:[ESP+10],ESP
0041587A . 52 PUSH EDX
0041587B . E8 A9190300 CALL AntiSpyP.00447229
00415880
. 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
00415884
. B9 089C4700 MOV ECX,AntiSpyP.00479C08
00415889 . 50
PUSH EAX
0041588A . E8 A1FEFEFF
CALL AntiSpyP.00405730
0041588F . 8D4C24 0C
LEA ECX,DWORD PTR SS:[ESP+C]
00415893 . E8 1C1C0300 CALL
AntiSpyP.004474B4
00415898 . B9 289C4700 MOV ECX,AntiSpyP.00479C28
0041589D . E8 1E000100 CALL AntiSpyP.004258C0
004158A2
. B9 089C4700 MOV ECX,AntiSpyP.00479C08
004158A7 . E8
14000100 CALL AntiSpyP.004258C0
004158AC . 8BCE
MOV ECX,ESI
004158AE . E8 C93C0300
CALL AntiSpyP.0044957C
004158B3 . EB 1F
JMP SHORT AntiSpyP.004158D4
004158B5 > 6A 44
PUSH 44
004158B7 . 68 64564700 PUSH
AntiSpyP.00475664
; ASCII "AntiSpy PRO"
004158BC . 68 5C5B4700 PUSH
AntiSpyP.00475B5C
; ASCII "If you haven't ordered this software yet, please press "yes" to
get registration number.
If you already have registration number - please
press "no" and verify that you entered it correctly and try again" //注册失败
004158C1 . 8BCE MOV ECX,ESI
004158C3 . E8 C15A0300 CALL AntiSpyP.0044B389
004158C8
. 83F8 06 CMP EAX,6
004158CB . 75 07
JNZ SHORT AntiSpyP.004158D4
004158CD .
8BCE MOV ECX,ESI
004158CF . E8 4C000000
CALL AntiSpyP.00415920
004158D4 > 8D4C24 04
LEA ECX,DWORD PTR SS:[ESP+4]
004158D8 . C64424 18 01 MOV BYTE
PTR SS:[ESP+18],1
004158DD . E8 D21B0300 CALL AntiSpyP.004474B4
004158E2 . 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
004158E6 . C64424 18 00 MOV BYTE PTR SS:[ESP+18],0
004158EB
. E8 C41B0300 CALL AntiSpyP.004474B4
004158F0 . C74424
18 FFFF>MOV DWORD PTR SS:[ESP+18],-1
004158F8 . E8 CA070400
CALL AntiSpyP.004560C7
004158FD . 8B48 04
MOV ECX,DWORD PTR DS:[EAX+4]
00415900 . E8 B3310300 CALL
AntiSpyP.00448AB8
00415905 . 8B4C24 10 MOV ECX,DWORD
PTR SS:[ESP+10]
00415909 . 5E
POP ESI
0041590A . 64:890D 000000>MOV DWORD PTR FS:[0],ECX
00415911
. 83C4 18 ADD ESP,18
00415914 . C3
RETN
-----------------------------------------------------------------------------
进入 41582C 的关键 call:
00415980 /$ 64:A1 00000000 MOV EAX,DWORD
PTR FS:[0]
00415986 |. 6A FF PUSH
-1
00415988 |. 68 F8B34500 PUSH AntiSpyP.0045B3F8
0041598D |. 50 PUSH EAX
0041598E
|. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00415995 |. 53
PUSH EBX
00415996 |. 56
PUSH ESI
00415997 |. 57
PUSH EDI
00415998 |. 8B7C24 1C MOV
EDI,DWORD PTR SS:[ESP+1C] //注册名放入edi
0041599C |. B9 D0A54A27
MOV ECX,274AA5D0 //ecx 赋值为 274AA5D0
004159A1 |. 8A07
MOV AL,BYTE PTR DS:[EDI] //取 edi 中的字符
004159A3
|. 84C0 TEST AL,AL //比较是否为0(这里估计是判断有没有输入注册名)
004159A5 |. 74 1E JE SHORT AntiSpyP.004159C5
//为0则跳,这里一定不能跳转…
//计算开始
004159A7 |> 0FBEF0
/MOVSX ESI,AL //al 送 esi,al 中是注册名
004159AA |. 8BC6
|MOV EAX,ESI //esi 送 eax,注册名字符送回 eax
004159AC
|. BB 11000000 |MOV EBX,11 //ebx=11
004159B1 |.
99 |CDQ //edx双字扩展(清零)
004159B2
|. F7FB |IDIV EBX //eax=eax/11,余数放入 edx
004159B4 |. 8BC1 |MOV EAX,ECX
//eax = ecx,第一次ecx 为循环前赋的值 274AA5D0,第二次开始为上一次累积的值
004159B6 |. 8BCA
|MOV ECX,EDX //ecx=edx,edx 为上面除法运算的余数
004159B8
|. D3E0 |SHL EAX,CL //逻辑左移cl位,cl 为上面除法运算的余数,等于
cl 次 *2 运算
004159BA |. 33C6 |XOR
EAX,ESI //eax 异或 esi,esi 为注册名字符的 ASCII 值
004159BC |. 47
|INC EDI //edi+1,edi中是注册名,所以这是为了下面取下一位的注册名字符作准备
004159BD |. 8BC8 |MOV ECX,EAX
//eax的值放入ecx,留待下次循环使用
004159BF |. 8A07
|MOV AL,BYTE PTR DS:[EDI] //从 edi 中取下一位注册名的字符
004159C1 |. 84C0
|TEST AL,AL //比较 al 是否为0
004159C3
|.^75 E2 \JNZ SHORT AntiSpyP.004159A7
//不为0就跳回去继续循环。当取完注册名字符后的下一次循环时al将为0,故此时才不再循环
//算法结束
//所有循环完成后,eax 中保存的就是真正的注册码。
004159C5 |> 8B15 34744700 MOV EDX,DWORD PTR DS:[477434]
; AntiSpyP.00477448
004159CB
|. 895424 1C MOV DWORD PTR SS:[ESP+1C],EDX
004159CF
|. 51 PUSH ECX
004159D0 |.
8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
004159D4
|. 68 805C4700 PUSH AntiSpyP.00475C80
; ASCII "%08X"
004159D9 |.
50 PUSH EAX
004159DA |. C74424
20 0000>MOV DWORD PTR SS:[ESP+20],0
004159E2 |. E8 FAF60200
CALL AntiSpyP.004450E1
004159E7 |. 8B4C24 2C MOV
ECX,DWORD PTR SS:[ESP+2C] ; | //假码放入
ecx
004159EB |. 8B5424 28 MOV EDX,DWORD PTR SS:[ESP+28]
; | //真码放入 edx
004159EF |.
51 PUSH ECX
; |Arg2
004159F0 |. 52 PUSH
EDX
; |Arg1
004159F1 |. E8 DC120200
CALL AntiSpyP.00436CD2
; \AntiSpyP.00436CD2 //比较真假注册码
004159F6 |. 83C4
14 ADD ESP,14
004159F9 |. 8D4C24 1C
LEA ECX,DWORD PTR SS:[ESP+1C]
004159FD |. 85C0
TEST EAX,EAX
004159FF |. 0F94C3
SETE BL
00415A02 |. C74424 14 FFFF>MOV DWORD PTR SS:[ESP+14],-1
00415A0A |. E8 A51A0300 CALL AntiSpyP.004474B4
00415A0F
|. 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
00415A13
|. 5F POP EDI
00415A14 |.
8AC3 MOV AL,BL
00415A16 |. 5E
POP ESI
00415A17 |. 64:890D 000000>MOV
DWORD PTR FS:[0],ECX
00415A1E |. 5B
POP EBX
00415A1F |. 83C4 0C ADD ESP,0C
00415A22 \. C3 RETN
算法总结如下:
设注册名位数为n,即有效循环也为n次,存在 N0、N1、N2、N3、N4、N5…其中 N0=274AA5D0,则:
N(n)=(N(n-1) shl ((注册名ASCII) mod 11)) xor (注册名ASCII)
最后的 N(n) 就是注册码
试按照我输入的注册名“lovefire[BCG]”,列举如下,
第一位注册名“l”,N(1)=(274AA5D0 shl ((6C)
mod 11)) xor 6C = (274AA5D0 shl 6) xor 6C = D2A97400 xor 6C = D2A9746C
第二位注册名“o”,N(2)=(D2A9746C
shl ((6F) mod 11)) xor 6F = (D2A9746C shl 9) xor 6F = 52E8D800 xor 6F = 52E8D86F
……
最后一位注册名“]”,N(12)=(0210025F shl ((5D) mod 11)) xor 5D = (D2A9746C
shl 8) xor 5D = 10025F00 xor 5D = 10025F5D
所以得出正确的注册码:10025F5D
至此 AntiSpy PRO 1.02 算法分析完成,一组可用的注册码:Name: lovefire[BCG] Serial: 10025F5D
注册信息保存:
[HKEY_LOCAL_MACHINE\SOFTWARE\HT\AntiSpyPRO]
"strRegNum"="10025F5D"
"strUserName"="lovefire[BCG]"
----------------------------------------------------------
注册机源代码(TC 2.0)
/* KeyGen by 炎之川[BCG],2003.4.11 */
/* 感谢hoto兄、菩提兄、小楼兄回答我提的弱智问题^^
*/
#include <stdio.h>
main()
{
char name[255];
int name_len,i;
unsigned long sn1=0x274AA5D0;
clrscr(); /*非tc的C编译程序可能不能识别此指令*/
printf("
_/_/_/ _/_/_/ _/_/_/\n _/
_/ _/ _/\n _/_/_/ _/
_/ _/_/\n _/ _/ _/
_/ _/\n_/_/_/ _/_/_/
_/_/_/\n\n -= AntiSpy PRO 1.02 KeyGen by lovefire[BCG] =-\n\n\nPlease enter your
name: ");
gets(name);
name_len=strlen(name);
if (name_len>0)
{
for (i=0;i<name_len;i++)
{
sn1=(sn1<<(name[i]%0x11))^name[i];
}
printf("\nok, try this serial: %08lX\n",sn1);
printf("\n\nNOTE: serial
only for test!");
printf("\nIf you like it, buy it to support the soft's author!");
}
else
{
printf("\nI
think you should tell me your name first ;)\n");
}
printf("\n\nhave fun^^\nwelcome to http://skipli.yeah.net/");
getch();
}
----------------------------------------------------------
炎之川
属于中国破解组织BCG(Beginner's Cracking Group)
_/_/_/ _/_/_/ _/_/_/
_/
_/ _/ _/
_/_/_/ _/
_/ _/_/
_/ _/ _/
_/ _/
_/_/_/ _/_/_/
_/_/_/
- 标 题:AntiSpy PRO 1.02 注册算法分析 + 注册机源代码(tc2) (12千字)
- 作 者:炎之川
- 时 间:2003-4-11 21:22:03
- 链 接:http://bbs.pediy.com