• 标 题:中华通讯录算法分析
  • 作 者:sunkingbure
  • 时 间:2003年12月08日 04:27
  • 链 接:http://bbs.pediy.com

中华通讯录算法分析 V3.2
软件名称:中华通讯录
编译版本:v3.2
原文件:http://www.skycn.net/soft/12563.html 
软件大小:  1294 KB
软件语言:  简体中文
软件类别:  国产软件 / 共享版 / 信息管理
应用平台:  Win9x/NT/2000/XP
 
开 发 商:  http://hebreed.6to23.com/

软件介绍:
中华通讯录是一款实用的通讯录软件,软件界面采用WINXP风格,功能完善,最多能够容纳十
万条通讯记录,启动时需要输入密码,使其它人不能看到你的通讯资料,让你的信息更安全。
查询栏让你很快找到你的联系人。支持增加分类,添加,删除信息。

 


破解工具:OllyDbg pe-scan w32dasm procdump

破解过程: 
pe-scan侦壳 发现为aspack 1.07b
用procdump脱壳
用w32dasm反汇编,其关键地方为:

|:00503D7B(U)
|
:00503D35 59                      pop ecx
:00503D36 59                      pop ecx
:00503D37 648910                  mov dword ptr fs:[eax], edx
:00503D3A 68623D5000              push 00503D62

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00503D60(U)
|
:00503D3F 8D45F0                  lea eax, dword ptr [ebp-10]
:00503D42 BA02000000              mov edx, 00000002
:00503D47 E8BCFFEFFF              call 00403D08
:00503D4C 8D45F8                  lea eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"TChgPwdFormData"
                                  |
:00503D4F 8B15E4E04F00            mov edx, dword ptr [004FE0E4]
:00503D55 E8460AF0FF              call 004047A0
:00503D5A C3                      ret


:00503D5B E900FAEFFF              jmp 00403760
:00503D60 EBDD                    jmp 00503D3F
:00503D62 5B                      pop ebx
:00503D63 8BE5                    mov esp, ebp
:00503D65 5D                      pop ebp
:00503D66 C3                      ret


:00503D67 00                      BYTE 0


:00503D68 C3                      ret


:00503D69 DCC2                    fadd st(2), st(0)
:00503D6B EBB8                    jmp 00503D25
:00503D6D FC                      cld
:00503D6E B8C4B3C9B9              mov eax, B9C9B3C4
:00503D73 A6                      cmpsb
:00503D74 A3A10000C3              mov dword ptr [C30000A1], eax
:00503D79 DCC2                    fadd st(2), st(0)
:00503D7B EBB8                    jmp 00503D35
:00503D7D FC                      cld
:00503D7E B8C4CAA7B0              mov eax, B0A7CAC4
:00503D83 DCA3A1000053            fsub qword ptr [ebx+530000A1]
:00503D89 8BD8                    mov ebx, eax
:00503D8B 8BC3                    mov eax, ebx
:00503D8D E89ECEFFFF              call 00500C30                                      关键call 分析见下
:00503D92 84C0                    test al, al
:00503D94 7409                    je 00503D9F                                              死亡跳转
:00503D96 8BC3                    mov eax, ebx
:00503D98 E82FCCFFFF              call 005009CC
:00503D9D 5B                      pop ebx
:00503D9E C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00503D94(C)
|

* Possible StringData Ref from Code Obj ->"注册码不正确,无法注册"
                                  |
:00503D9F B8B43D5000              mov eax, 00503DB4
:00503DA4 E86377F5FF              call 0045B50C
:00503DA9 5B                      pop ebx
:00503DAA C3                      ret


关键call  于00503D8D


* Referenced by a CALL at Address:
|:00503D8D   
|
:00500C30 55                      push ebp
:00500C31 8BEC                    mov ebp, esp
:00500C33 33C9                    xor ecx, ecx
:00500C35 51                      push ecx
:00500C36 51                      push ecx
:00500C37 51                      push ecx
:00500C38 51                      push ecx
:00500C39 51                      push ecx
:00500C3A 53                      push ebx
:00500C3B 56                      push esi
:00500C3C 8945FC                  mov dword ptr [ebp-04], eax
:00500C3F 33C0                    xor eax, eax
:00500C41 55                      push ebp
:00500C42 680C0D5000              push 00500D0C
:00500C47 64FF30                  push dword ptr fs:[eax]
:00500C4A 648920                  mov dword ptr fs:[eax], esp
:00500C4D 33C0                    xor eax, eax
:00500C4F 8945F4                  mov dword ptr [ebp-0C], eax
:00500C52 8D55F8                  lea edx, dword ptr [ebp-08]
:00500C55 8B45FC                  mov eax, dword ptr [ebp-04]
:00500C58 8B8024040000            mov eax, dword ptr [eax+00000424]
:00500C5E E83141F3FF              call 00434D94
:00500C63 8B45F8                  mov eax, dword ptr [ebp-08]
:00500C66 E8F932F0FF              call 00403F64
:00500C6B 8BD8                    mov ebx, eax
:00500C6D 85DB                    test ebx, ebx
:00500C6F 7E2E                    jle 00500C9F
:00500C71 BE01000000              mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500C9D(C)
|
:00500C76 8D45F0                 / lea eax, dword ptr [ebp-10]                 算法开始
:00500C79 50                     | push eax
:00500C7A B901000000             |  mov ecx, 00000001
:00500C7F 8BD6                   |  mov edx, esi
:00500C81 8B45F8                 |  mov eax, dword ptr [ebp-08]
:00500C84 E8E334F0FF             |  call 0040416C
:00500C89 8B45F0                 | mov eax, dword ptr [ebp-10]
:00500C8C E89734F0FF             | call 00404128
:00500C91 8A00                   | mov al, byte ptr [eax]
:00500C93 25FF000000             | and eax, 000000FF                           eax=name[i]
:00500C98 0145F4                 | add dword ptr [ebp-0C], eax                  结果保存于ebp-0c    
:00500C9B 46                     | inc esi
:00500C9C 4B                     | dec ebx
:00500C9D 75D7                    jne 00500C76                                   循环

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500C6F(C)
|
:00500C9F 8D55EC                  lea edx, dword ptr [ebp-14]
:00500CA2 8B45FC                  mov eax, dword ptr [ebp-04]
:00500CA5 8B8028040000            mov eax, dword ptr [eax+00000428]
:00500CAB E8E440F3FF              call 00434D94
:00500CB0 8B45EC                  mov eax, dword ptr [ebp-14]                    
:00500CB3 E8FC8EF0FF              call 00409BB4
:00500CB8 8B55F4                  mov edx, dword ptr [ebp-0C]                   上面的结果
:00500CBB 81C2FC7E1200            add edx, 00127EFC                                    结果加1212156(10进制)
:00500CC1 81C29AE46400            add edx, 0064E49A                                   结果加6612122(10进制)
:00500CC7 3BC2                    cmp eax, edx                                           比较输入的注册码是否相等
:00500CC9 7519                    jne 00500CE4                                          不相等就死
:00500CCB B301                    mov bl, 01
:00500CCD B8F44B5200              mov eax, 00524BF4
:00500CD2 8B55F8                  mov edx, dword ptr [ebp-08]
:00500CD5 E85E30F0FF              call 00403D38
:00500CDA 8B45F4                  mov eax, dword ptr [ebp-0C]
:00500CDD A3F84B5200              mov dword ptr [00524BF8], eax
:00500CE2 EB02                    jmp 00500CE6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500CC9(C)
|
:00500CE4 33DB                    xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500CE2(U)
|
:00500CE6 33C0                    xor eax, eax
:00500CE8 5A                      pop edx
:00500CE9 59                      pop ecx
:00500CEA 59                      pop ecx
:00500CEB 648910                  mov dword ptr fs:[eax], edx
:00500CEE 68130D5000              push 00500D13

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500D11(U)
|
:00500CF3 8D45EC                  lea eax, dword ptr [ebp-14]
:00500CF6 E8E92FF0FF              call 00403CE4
:00500CFB 8D45F0                  lea eax, dword ptr [ebp-10]
:00500CFE E8E12FF0FF              call 00403CE4
:00500D03 8D45F8                  lea eax, dword ptr [ebp-08]
:00500D06 E8D92FF0FF              call 00403CE4
:00500D0B C3                      ret


从上面的分析可以看出其注册过程为:
 将机器码各字符的ASCII码相加后再加上 1212156 和 6612122

所以   机器码 1652-1cd8
       注册码为 7824278

注册机为(VB):
 Private Sub Command1_Click()
 ' Button handler transcribed as posted: walks the characters of Text1,
 ' accumulates their Asc() values in m, then writes n plus the two constants
 ' seen in the disassembly above (0x127EFC = 1212156, 0x64E49A = 6612122) to Text2.
 Dim i As Integer
 Dim m, n As Single
 For i = 1 To Len(Text1.Text)
  m = m + Asc(Mid(Text1.Text, i, 1))
 nexti
 ' NOTE(review): as written, n is never assigned from m, so the value shown in
 ' Text2 is the constant sum regardless of the input; the prose summary above
 ' describes the per-character sum being included. Listing kept verbatim.
 n = n + 1212156 + 6612122
 Text2.Text = Str(n)
 End Sub