Advanced Emailer 2.1: analysis of a simple registration algorithm + keygen source (TC 2.0)
Target: Advanced Emailer 2.1
Official site: http://www.emailarms.com/
About the software: appears to be a bulk-mail (spam) tool
Download: http://www.emailarms.com/downloads/zip/mailer.zip
Tools used: PEiD 0.8, OllyDbg
Author: 炎之川 [BCG]
Date: 2003.5.11
Homepage: http://skipli.yeah.net/
========================================================================
Disclaimer:
This article is purely a technical exchange and serves no other purpose. If you repost it, credit the author and keep the article intact.
========================================================================
As I recall, someone on the forum once asked about this program (or another product from the same company), so I had a look while I was at it...
PEiD reports that the main executable is not packed and was written in Delphi. Load the program in OD; a few exceptions may be raised on the way, press Shift+F9 to pass them on. Enter a dummy code: 01234567890123 (14 characters).
(Text after ; is OllyDbg's own analysis, text after // is my commentary; every number in this article is hexadecimal.)
00508920 /$ 55              PUSH EBP
00508921 |. 8BEC            MOV EBP,ESP
00508923 |. B9 05000000     MOV ECX,5
00508928 |> 6A 00           /PUSH 0
0050892A |. 6A 00           |PUSH 0
0050892C |. 49              |DEC ECX
0050892D |.^75 F9           \JNZ SHORT mailer.00508928
0050892F |. 51              PUSH ECX
00508930 |. 53              PUSH EBX
00508931 |. 56              PUSH ESI
00508932 |. 8BF0            MOV ESI,EAX
00508934 |. 33C0            XOR EAX,EAX
00508936 |. 55              PUSH EBP
00508937 |. 68 A18A5000     PUSH mailer.00508AA1
0050893C |. 64:FF30         PUSH DWORD PTR FS:[EAX]
0050893F |. 64:8920         MOV DWORD PTR FS:[EAX],ESP
00508942 |. 8D55 F4         LEA EDX,DWORD PTR SS:[EBP-C]
00508945 |. 8B86 3C030000   MOV EAX,DWORD PTR DS:[ESI+33C]
0050894B |. E8 448FF4FF     CALL mailer.00451894
00508950 |. 8B45 F4         MOV EAX,DWORD PTR SS:[EBP-C]      // fetch the entered code
00508953 |. 8D55 F8         LEA EDX,DWORD PTR SS:[EBP-8]
00508956 |. E8 5D79FCFF     CALL mailer.004D02B8
0050895B |. 8B55 F8         MOV EDX,DWORD PTR SS:[EBP-8]
0050895E |. B8 54725400     MOV EAX,mailer.00547254
00508963 |. E8 28C1EFFF     CALL mailer.00404A90
00508968 |. E8 93FDFFFF     CALL mailer.00508700               // the key call
0050896D |. 8BD8            MOV EBX,EAX                        // ebx = eax
0050896F |. 84DB            TEST BL,BL                         // bl == 0?
00508971 |. 0F84 D8000000   JE mailer.00508A4F                 // bl == 0 means we die here
00508977 |. C686 5C030000 > MOV BYTE PTR DS:[ESI+35C],1
0050897E |. 8D45 FC         LEA EAX,DWORD PTR SS:[EBP-4]
00508981 |. 50              PUSH EAX
00508982 |. 8D55 F0         LEA EDX,DWORD PTR SS:[EBP-10]
00508985 |. B8 B88A5000     MOV EAX,mailer.00508AB8            ; ASCII "B99E9DA78684BA9A97B78E"
0050898A |. E8 A186FCFF     CALL mailer.004D1030
0050898F |. 8B45 F0         MOV EAX,DWORD PTR SS:[EBP-10]
00508992 |. 50              PUSH EAX
00508993 |. 8D55 EC         LEA EDX,DWORD PTR SS:[EBP-14]
00508996 |. B8 D88A5000     MOV EAX,mailer.00508AD8            ; ASCII "BE828B999A8C9F88B1A0848E9F829E828B99B1A9BFA0BFBEB5"
0050899B |. E8 9086FCFF     CALL mailer.004D1030
005089A0 |. 8B55 EC         MOV EDX,DWORD PTR SS:[EBP-14]
005089A3 |. A1 5C725400     MOV EAX,DWORD PTR DS:[54725C]
005089A8 |. 59              POP ECX
005089A9 |. E8 CEF4FFFF     CALL mailer.00507E7C
005089AE |. 8D55 E8         LEA EDX,DWORD PTR SS:[EBP-18]
005089B1 |. A1 54725400     MOV EAX,DWORD PTR DS:[547254]
005089B6 |. E8 D985FCFF     CALL mailer.004D0F94
005089BB |. 8B45 E8         MOV EAX,DWORD PTR SS:[EBP-18]
005089BE |. 50              PUSH EAX
005089BF |. 8D55 E4         LEA EDX,DWORD PTR SS:[EBP-1C]
005089C2 |. B8 148B5000     MOV EAX,mailer.00508B14            ; ASCII "AC9E95BC9F9BA9819D8EAB95"
005089C7 |. E8 6486FCFF     CALL mailer.004D1030
005089CC |. 8B45 E4         MOV EAX,DWORD PTR SS:[EBP-1C]
005089CF |. 50              PUSH EAX
005089D0 |. 8D55 E0         LEA EDX,DWORD PTR SS:[EBP-20]
005089D3 |. B8 D88A5000     MOV EAX,mailer.00508AD8            ; ASCII "BE828B999A8C9F88B1A0848E9F829E828B99B1A9BFA0BFBEB5"
005089D8 |. E8 5386FCFF     CALL mailer.004D1030
005089DD |. 8B55 E0         MOV EDX,DWORD PTR SS:[EBP-20]
005089E0 |. A1 5C725400     MOV EAX,DWORD PTR DS:[54725C]
005089E5 |. 59              POP ECX
005089E6 |. E8 D1F5FFFF     CALL mailer.00507FBC
005089EB |. 837D FC 00      CMP DWORD PTR SS:[EBP-4],0
005089EF |. 75 44           JNZ SHORT mailer.00508A35
005089F1 |. E8 7E2DF0FF     CALL mailer.0040B774
005089F6 |. 83C4 F4         ADD ESP,-0C
005089F9 |. DB3C24          FSTP TBYTE PTR SS:[ESP]
005089FC |. 9B              WAIT
005089FD |. 8D45 DC         LEA EAX,DWORD PTR SS:[EBP-24]
00508A00 |. E8 9F24F0FF     CALL mailer.0040AEA4
00508A05 |. 8B45 DC         MOV EAX,DWORD PTR SS:[EBP-24]
00508A08 |. 50              PUSH EAX
00508A09 |. 8D55 D8         LEA EDX,DWORD PTR SS:[EBP-28]
00508A0C |. B8 B88A5000     MOV EAX,mailer.00508AB8            ; ASCII "B99E9DA78684BA9A97B78E"
00508A11 |. E8 1A86FCFF     CALL mailer.004D1030
00508A16 |. 8B45 D8         MOV EAX,DWORD PTR SS:[EBP-28]
00508A19 |. 50              PUSH EAX
00508A1A |. 8D55 D4         LEA EDX,DWORD PTR SS:[EBP-2C]
00508A1D |. B8 D88A5000     MOV EAX,mailer.00508AD8            ; ASCII "BE828B999A8C9F88B1A0848E9F829E828B99B1A9BFA0BFBEB5"
00508A22 |. E8 0986FCFF     CALL mailer.004D1030
00508A27 |. 8B55 D4         MOV EDX,DWORD PTR SS:[EBP-2C]
00508A2A |. A1 5C725400     MOV EAX,DWORD PTR DS:[54725C]
00508A2F |. 59              POP ECX
00508A30 |. E8 87F5FFFF     CALL mailer.00507FBC
00508A35 |> 6A 40           PUSH 40
00508A37 |. B9 308B5000     MOV ECX,mailer.00508B30            ; ASCII "Information"
00508A3C |. BA 3C8B5000     MOV EDX,mailer.00508B3C            ; ASCII "Registration has been completed successfully!"
00508A41 |. A1 AC595400     MOV EAX,DWORD PTR DS:[5459AC]
00508A46 |. 8B00            MOV EAX,DWORD PTR DS:[EAX]
00508A48 |. E8 B79DF6FF     CALL mailer.00472804
00508A4D |. EB 22           JMP SHORT mailer.00508A71
00508A4F |> B8 54725400     MOV EAX,mailer.00547254
00508A54 |. E8 E3BFEFFF     CALL mailer.00404A3C
00508A59 |. 6A 10           PUSH 10
00508A5B |. B9 6C8B5000     MOV ECX,mailer.00508B6C            ; ASCII "Error"
00508A60 |. BA 748B5000     MOV EDX,mailer.00508B74            ; ASCII "Registration code is invalid!"
00508A65 |. A1 AC595400     MOV EAX,DWORD PTR DS:[5459AC]
00508A6A |. 8B00            MOV EAX,DWORD PTR DS:[EAX]
00508A6C |. E8 939DF6FF     CALL mailer.00472804
00508A71 |> 33C0            XOR EAX,EAX
00508A73 |. 5A              POP EDX
00508A74 |. 59              POP ECX
00508A75 |. 59              POP ECX
00508A76 |. 64:8910         MOV DWORD PTR FS:[EAX],EDX
00508A79 |. 68 A88A5000     PUSH mailer.00508AA8
00508A7E |> 8D45 D4         LEA EAX,DWORD PTR SS:[EBP-2C]
00508A81 |. BA 08000000     MOV EDX,8
00508A86 |. E8 D5BFEFFF     CALL mailer.00404A60
00508A8B |. 8D45 F4         LEA EAX,DWORD PTR SS:[EBP-C]
00508A8E |. E8 A9BFEFFF     CALL mailer.00404A3C
00508A93 |. 8D45 F8         LEA EAX,DWORD PTR SS:[EBP-8]
00508A96 |. BA 02000000     MOV EDX,2
00508A9B |. E8 C0BFEFFF     CALL mailer.00404A60
00508AA0 \. C3              RETN
------------------------------------------------------------------------
Stepping into the key call at 00508700:
00508700 /$ 53              PUSH EBX
00508701 |. 56              PUSH ESI
00508702 |. 57              PUSH EDI
00508703 |. BF 54725400     MOV EDI,mailer.00547254
00508708 |. 33F6            XOR ESI,ESI
0050870A |. 33DB            XOR EBX,EBX
0050870C |. 8B07            MOV EAX,DWORD PTR DS:[EDI]         // fetch the entered code
0050870E |. E8 E1C5EFFF     CALL mailer.00404CF4               // length of the code
00508713 |. 83F8 0E         CMP EAX,0E                         // is the entered code 14 characters long? (0x0E = 14)
00508716 |. 75 67           JNZ SHORT mailer.0050877F          // if not, we die
00508718 |. 8B07            MOV EAX,DWORD PTR DS:[EDI]         // fetch the code again
0050871A |. 8038 38         CMP BYTE PTR DS:[EAX],38           // first character: is its ASCII value 0x38 ('8')?
0050871D |. 0F94C0          SETE AL
00508720 |. 83E0 7F         AND EAX,7F                         // if it matched, eax & 7F = 1 (the AND just zero-extends AL)
00508723 |. 03F0            ADD ESI,EAX                        // add eax to esi; the same pattern repeats below
00508725 |. 8B07            MOV EAX,DWORD PTR DS:[EDI]
00508727 |. 8078 02 36      CMP BYTE PTR DS:[EAX+2],36         // character at offset 2 (the 3rd): '6'?
0050872B |. 0F94C0          SETE AL
0050872E |. 83E0 7F         AND EAX,7F
00508731 |. 03F0            ADD ESI,EAX
00508733 |. 8B07            MOV EAX,DWORD PTR DS:[EDI]
00508735 |. 8078 03 32      CMP BYTE PTR DS:[EAX+3],32         // offset 3 (the 4th): '2'?
00508739 |. 0F94C0          SETE AL
0050873C |. 83E0 7F         AND EAX,7F
0050873F |. 03F0            ADD ESI,EAX
00508741 |. 8B07            MOV EAX,DWORD PTR DS:[EDI]
00508743 |. 8078 04 37      CMP BYTE PTR DS:[EAX+4],37         // offset 4 (the 5th): '7'?
00508747 |. 0F94C0          SETE AL
0050874A |. 83E0 7F         AND EAX,7F
0050874D |. 03F0            ADD ESI,EAX
0050874F |. 8B07            MOV EAX,DWORD PTR DS:[EDI]
00508751 |. 8078 07 39      CMP BYTE PTR DS:[EAX+7],39         // offset 7 (the 8th): '9'?
00508755 |. 0F94C0          SETE AL
00508758 |. 83E0 7F         AND EAX,7F
0050875B |. 03F0            ADD ESI,EAX
0050875D |. 8B07            MOV EAX,DWORD PTR DS:[EDI]
0050875F |. 8078 08 34      CMP BYTE PTR DS:[EAX+8],34         // offset 8 (the 9th): '4'?
00508763 |. 0F94C0          SETE AL
00508766 |. 83E0 7F         AND EAX,7F
00508769 |. 03F0            ADD ESI,EAX
0050876B |. 8B07            MOV EAX,DWORD PTR DS:[EDI]
0050876D |. 8078 0A 30      CMP BYTE PTR DS:[EAX+A],30         // offset 0xA (the 11th): '0'?
00508771 |. 0F94C0          SETE AL
00508774 |. 83E0 7F         AND EAX,7F
00508777 |. 03F0            ADD ESI,EAX                        // add eax to esi
00508779 |. 83FE 07         CMP ESI,7                          // esi == 7? Seven characters were compared above, so esi must be 7 for registration to succeed
0050877C |. 0F94C3          SETE BL                            // if esi == 7, bl is set to 1
0050877F |> 8BC3            MOV EAX,EBX                        // ebx into eax: the return value
00508781 |. 5F              POP EDI
00508782 |. 5E              POP ESI
00508783 |. 5B              POP EBX
00508784 \. C3              RETN                               // return
Algorithm summary:
1. The registration code must be exactly 14 characters long.
2. The format is 8-627--94-0---, where "-" may be any character (digits, letters, punctuation, anything). Only seven positions are ever compared, so any byte value at the other seven passes.
3. The odd long strings seen while debugging, which I first took for some kind of table, turn out to play no part in the check: they are only used after the JE at 00508971, i.e. once the verdict has already been reached.
That completes the analysis of the Advanced Emailer 2.1 registration algorithm. One usable code picked at random: 80627009400000
Where the registration is stored:
After a successful registration the program adds the following values to the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRMRSX]
"AsxQrvDlpcFx"="D5C0DBDFDAC0C0D4D9C0DDC0C0C0"
"TspJkiWwzZc"="37752.8389992245"
Patching:
00508774 |. 83E0 7F         AND EAX,7F
00508777 |. 03F0            ADD ESI,EAX
00508779 |. 83FE 07         CMP ESI,7
change to:
00508774    BE 07000000     MOV ESI,7                          // force esi to 7
00508779    83FE 07         CMP ESI,7
AND EAX,7F plus ADD ESI,EAX occupy 5 bytes (3 + 2), exactly the size of MOV ESI,imm32, so the patch fits without shifting anything. After that, any 14-character code registers. The jump that checks the code length (JNZ at 00508716) must not be patched; if it is, the program misbehaves.
------------------------------------------------------------------------
Keygen source (TC 2.0)
Here is a very bare-bones keygen to go with it; it compiles under TC 2.0.
The positions that may be any character are filled with random digits. It could ask whether to generate another code, but that means handling keyboard input and so on, so never mind: if you want more codes, just run it again ^^
(The field widths in the printf format are fixed so the output is always exactly 14 characters; with a plain %d a value below 10 or 100 would print fewer digits and the key would fail the length check.)
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>

/* Turbo C 2.0: randomize() and random(n) live in stdlib.h, getch() in conio.h */
main()
{ int sn1,sn2,sn3;
  printf("\n -= Advanced Emailer 2.1 keygen =-\n code by lovefire[BCG]\n\n\n");
  randomize();
  /* random(n) returns 0..n-1; the digit count of each field is forced by the format below */
  sn1=random(10);     /* one digit   */
  sn2=random(100);    /* two digits  */
  sn3=random(1000);   /* three digits */
  /* 8-627--94-0--- : offsets 1 and 9 get sn1, 5-6 get sn2, 11-13 get sn3 */
  printf("regkey: 8%d627%02d94%d0%03d\n",sn1,sn2,sn1,sn3);
  printf("\n\nRun keygen again to get another regkey.\n\nhave fun^^\nwelcome to http://skipli.yeah.net/");
  getch();
}
------------------------------------------------------------------------
炎之川
member of the Chinese cracking group BCG
(BeGiNnEr'S CrAcKiNg Group)
_/_/_/ _/_/_/ _/_/_/
_/ _/ _/ _/
_/_/_/ _/ _/ _/_/
_/ _/ _/ _/ _/
_/_/_/ _/_/_/
_/_/_/