IrfanView32 v3.97, an image viewer on a par with ACDSee: analysis of the registration-code algorithm
Date: 2 May 2005   Cracked by: Baby2008
-------------------------------------------------------------------------------------------------------------------------
『Software』: IrfanView32 v3.97
『Size』: 872B
『Download』: http://www.irfanview.com/
『Protection』: registration code
『Disclaimer』: I am a beginner at cracking and did this purely out of interest; corrections from the experts are welcome!
『Tools』: OllyDbg v1.10 (聆风听雨 Chinese localization, 2nd edition), PEiD 0.93, ASPackDie v1.41.HH
『Process』:
PEiD reports the packer as ASPack 2.12 -> Alexey Solodovnikov; ASPackDie v1.41.HH unpacks it. Load the unpacked file in OD, F9 to run, open the registration dialog and enter user name Baby2008 and registration code 1234567890. Set a breakpoint with bp GetDlgItemTextA, click OK, and OD breaks at:
77D6AC06 > 8BFF mov edi,edi ; USER32.GetDlgItemTextA
77D6AC08 55 push ebp
77D6AC09 8BEC mov ebp,esp
77D6AC0B FF75 0C push dword ptr ss:[ebp+C]
77D6AC0E FF75 08 push dword ptr ss:[ebp+8]
77D6AC11 E8 8EA6FBFF call USER32.GetDlgItem
77D6AC16 85C0 test eax,eax
77D6AC18 74 0E je short USER32.77D6AC28
Clear the breakpoint (bc GetDlgItemTextA) and press Alt+F9 to return to user code:
0043E52B 8B15 301A5000 mov edx,dword ptr ds:[501A30] ; returns here, user name
0043E531 68 00010000 push 100
0043E536 81C2 04010000 add edx,104
0043E53C 52 push edx
0043E53D 68 2D070000 push 72D
0043E542 56 push esi
0043E543 FFD7 call edi
0043E545 6A 01 push 1
0043E547 56 push esi
0043E548 FF15 C8F34C00 call dword ptr ds:[<&USER32.EndDialog>] ; USER32.EndDialog
0043E54E 5F pop edi
0043E54F 5E pop esi
0043E550 33C0 xor eax,eax
0043E552 C2 1000 retn 10
Keep returning (Alt+F9 again) until you are back in the main module:
00464A72 FF15 28F54C00 call dword ptr ds:[<&USER32.DialogBoxParamA>] ; USER32.DialogBoxParamA
00464A78 85C0 test eax,eax ; returns here
00464A7A 0F84 AD000000 je Unpacked.00464B2D
00464A80 8DBC24 E4050000 lea edi,dword ptr ss:[esp+5E4] ; user name
00464A87 83C9 FF or ecx,FFFFFFFF
00464A8A 33C0 xor eax,eax
00464A8C F2:AE repne scas byte ptr es:[edi]
00464A8E F7D1 not ecx
00464A90 49 dec ecx
00464A91 83F9 02 cmp ecx,2
00464A94 0F82 5C010000 jb Unpacked.00464BF6 ; user-name length must be >= 2 (jb fails when length < 2)
00464A9A 8DBC24 E4050000 lea edi,dword ptr ss:[esp+5E4]
00464AA1 83C9 FF or ecx,FFFFFFFF
00464AA4 F2:AE repne scas byte ptr es:[edi]
00464AA6 F7D1 not ecx
00464AA8 49 dec ecx
00464AA9 83F9 55 cmp ecx,55
00464AAC 0F87 44010000 ja Unpacked.00464BF6 ; user-name length must be <= $55 (85)
00464AB2 8DBC24 E8060000 lea edi,dword ptr ss:[esp+6E8] ; registration code, call it SN
00464AB9 83C9 FF or ecx,FFFFFFFF
00464ABC 33D2 xor edx,edx ; i = 0
00464ABE F2:AE repne scas byte ptr es:[edi]
00464AC0 F7D1 not ecx
00464AC2 49 dec ecx
00464AC3 85C9 test ecx,ecx
00464AC5 7E 75 jle short Unpacked.00464B3C ; if SN is empty the digit loop is skipped and control goes straight to the check at 00464B3C
00464AC7 8A8414 E8060000 mov al,byte ptr ss:[esp+edx+6E8] ; SN[i]
00464ACE 3C 30 cmp al,30
00464AD0 7C 04 jl short Unpacked.00464AD6 ; SN[i] < '0': set the non-digit flag EBX=1
00464AD2 3C 39 cmp al,39
00464AD4 7E 05 jle short Unpacked.00464ADB ; SN[i] <= '9': a digit, skip the flag
00464AD6 BB 01000000 mov ebx,1 ; non-digit flag EBX=1
00464ADB 8DBC24 E8060000 lea edi,dword ptr ss:[esp+6E8] ; SN
00464AE2 83C9 FF or ecx,FFFFFFFF
00464AE5 33C0 xor eax,eax
00464AE7 42 inc edx
00464AE8 F2:AE repne scas byte ptr es:[edi]
00464AEA F7D1 not ecx
00464AEC 49 dec ecx
00464AED 3BD1 cmp edx,ecx ; ECX = Length(SN), EDX = i
00464AEF ^ 7C D6 jl short Unpacked.00464AC7 ; loop: every character of SN must be a digit
00464AF1 85DB test ebx,ebx
00464AF3 74 47 je short Unpacked.00464B3C
00464AF5 8B0D 28275000 mov ecx,dword ptr ds:[502728] ; Unpacked.00400000
00464AFB 68 04010000 push 104
00464B00 68 40355000 push Unpacked.00503540 ; ASCII "No file loaded (use File->Open menu)"
00464B05 68 D6040000 push 4D6
00464B0A 51 push ecx
00464B0B FF15 7CF44C00 call dword ptr ds:[<&USER32.LoadStringA>] ; USER32.LoadStringA
00464B11 8B15 64395000 mov edx,dword ptr ds:[503964]
00464B17 68 30200000 push 2030
00464B1C 68 E03C5000 push Unpacked.00503CE0 ; ASCII "IrfanView"
00464B21 68 40355000 push Unpacked.00503540 ; ASCII "No file loaded (use File->Open menu)"
00464B26 52 push edx
00464B27 FF15 E8F34C00 call dword ptr ds:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
00464B2D 33C0 xor eax,eax
00464B2F 5F pop edi
00464B30 5E pop esi
00464B31 5D pop ebp
00464B32 5B pop ebx
00464B33 81C4 E4090000 add esp,9E4
00464B39 C2 1000 retn 10
00464B3C 8D8424 E8060000 lea eax,dword ptr ss:[esp+6E8] ; registration code
00464B43 8D8C24 E4050000 lea ecx,dword ptr ss:[esp+5E4] ; user name
00464B4A 50 push eax
00464B4B 51 push ecx
00464B4C E8 DF96FDFF call Unpacked.0043E230 ; the key routine
00464B51 83C4 08 add esp,8
00464B54 85C0 test eax,eax
00464B56 75 33 jnz short Unpacked.00464B8B ; patch point (jnz -> jmp bypasses the check)
00464B58 8B15 28275000 mov edx,dword ptr ds:[502728] ; Unpacked.00400000
00464B5E 68 04010000 push 104
00464B63 68 40355000 push Unpacked.00503540 ; ASCII "No file loaded (use File->Open menu)"
00464B68 68 D6040000 push 4D6
00464B6D 52 push edx
00464B6E FF15 7CF44C00 call dword ptr ds:[<&USER32.LoadStringA>] ; USER32.LoadStringA
-------------------------------------------------------------------------------------------------------------------------
What it does: the format of the registration code is checked first, then 00464B4C E8 DF96FDFF call Unpacked.0043E230 performs the actual verification. Step into it:
-------------------------------------------------------------------------------------------------------------------------
0043E230 8B4424 08 mov eax,dword ptr ss:[esp+8] ; registration code
0043E234 83EC 14 sub esp,14
0043E237 53 push ebx
0043E238 55 push ebp
0043E239 56 push esi
0043E23A 57 push edi
0043E23B 50 push eax
0043E23C 33DB xor ebx,ebx
0043E23E E8 4A500800 call Unpacked.004C328D ; converts SN to a number (atoi, inferred from how its result is used)
0043E243 8B7424 2C mov esi,dword ptr ss:[esp+2C] ; user name
0043E247 8BE8 mov ebp,eax ; EBP = numeric value of the entered code
0043E249 8BFE mov edi,esi
0043E24B 83C9 FF or ecx,FFFFFFFF
0043E24E 33C0 xor eax,eax
0043E250 83C4 04 add esp,4
0043E253 33D2 xor edx,edx ; i = 0
0043E255 F2:AE repne scas byte ptr es:[edi]
0043E257 F7D1 not ecx
0043E259 49 dec ecx
0043E25A 85C9 test ecx,ecx ; Length(Name)
0043E25C 7E 17 jle short Unpacked.0043E275
0043E25E 0FBE0C32 movsx ecx,byte ptr ds:[edx+esi] ; Name[i], sign-extended (movsx)
0043E262 03D9 add ebx,ecx
0043E264 8BFE mov edi,esi
0043E266 83C9 FF or ecx,FFFFFFFF
0043E269 33C0 xor eax,eax
0043E26B 42 inc edx
0043E26C F2:AE repne scas byte ptr es:[edi]
0043E26E F7D1 not ecx
0043E270 49 dec ecx
0043E271 3BD1 cmp edx,ecx ; Length(Name)
0043E273 ^ 7C E9 jl short Unpacked.0043E25E ; loop: accumulate Name[i]; call the result Sum
0043E275 B8 04010000 mov eax,104
0043E27A 6A 0A push 0A ; radix 10 for the conversion below
0043E27C 2BC3 sub eax,ebx ; $104 - Sum
0043E27E 99 cdq ; EAX < 0 -> EDX = -1, else EDX = 0
0043E27F 33C2 xor eax,edx
0043E281 2BC2 sub eax,edx ; i.e. absolute value
0043E283 05 4C010000 add eax,14C ; Abs($104-Sum)+$14C, call it X
0043E288 8D14C5 00000000 lea edx,dword ptr ds:[eax*8] ; EDX=8X
0043E28F 2BD0 sub edx,eax ; EDX=8X-X=7X
0043E291 8D0C90 lea ecx,dword ptr ds:[eax+edx*4] ; ECX=X+7X*4=29X
0043E294 8D5424 14 lea edx,dword ptr ss:[esp+14]
0043E298 52 push edx
0043E299 8D3448 lea esi,dword ptr ds:[eax+ecx*2] ; ESI=X+29X*2=59X
0043E29C C1E6 03 shl esi,3 ; ESI=59X*8=472X
0043E29F 56 push esi
0043E2A0 E8 91010900 call Unpacked.004CE436 ; _itoa(ESI, buf, 10) (inferred from the arguments); call the decimal string Serial. After the stack cleanup Serial[1] is at [esp+10], Serial[k] at [esp+0F+k]
0043E2A5 83C4 0C add esp,0C
0043E2A8 81FE 3F420F00 cmp esi,0F423F ; 999999 decimal
0043E2AE 0F87 EF000000 ja Unpacked.0043E3A3 ; 472X has 7 digits: second branch
0043E2B4 8A4C24 14 mov cl,byte ptr ss:[esp+14] ; cl=Serial[5]
0043E2B8 8A4424 15 mov al,byte ptr ss:[esp+15] ; al=Serial[6]
0043E2BC 8A5424 13 mov dl,byte ptr ss:[esp+13] ; dl=Serial[4]
0043E2C0 884C24 16 mov byte ptr ss:[esp+16],cl ; Serial[7]=cl=Serial[5]
0043E2C4 8A4C24 11 mov cl,byte ptr ss:[esp+11] ; cl=Serial[2]
0043E2C8 884424 18 mov byte ptr ss:[esp+18],al ; Serial[9]=al=Serial[6]
0043E2CC 8A4424 12 mov al,byte ptr ss:[esp+12] ; al=Serial[3]
0043E2D0 885424 15 mov byte ptr ss:[esp+15],dl ; Serial[6]=dl=Serial[4]
0043E2D4 884C24 12 mov byte ptr ss:[esp+12],cl ; Serial[3]=cl=Serial[2]
0043E2D8 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
0043E2DC 81E1 FF000000 and ecx,0FF ; ECX=Serial[5] (still the original digit; Serial[5] is not overwritten until 0043E371)
0043E2E2 884424 13 mov byte ptr ss:[esp+13],al ; Serial[4]=al=Serial[3]
0043E2E6 8BC1 mov eax,ecx
0043E2E8 C1E0 05 shl eax,5 ; Serial[5]*32
0043E2EB 2BC1 sub eax,ecx ; EAX=Serial[5]*31
0043E2ED 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
0043E2F1 81E1 FF000000 and ecx,0FF ; ECX=Serial[9]
0043E2F7 8D1440 lea edx,dword ptr ds:[eax+eax*2] ; EDX=Serial[5]*31*3=Serial[5]*93
0043E2FA 8D0489 lea eax,dword ptr ds:[ecx+ecx*4] ; EAX=Serial[9]*5
0043E2FD C1E0 03 shl eax,3 ; EAX=Serial[9]*5*8=Serial[9]*40
0043E300 2BC1 sub eax,ecx ; EAX=Serial[9]*39
0043E302 2BC2 sub eax,edx ; EAX=Serial[9]*39-Serial[5]*93
0043E304 99 cdq
0043E305 8BC8 mov ecx,eax
0043E307 33CA xor ecx,edx
0043E309 2BCA sub ecx,edx ; absolute value, call it Y
0043E30B 8D0489 lea eax,dword ptr ds:[ecx+ecx*4] ; EAX=5Y
0043E30E C1E0 03 shl eax,3 ; EAX=5Y*8=40Y
0043E311 2BC1 sub eax,ecx ; EAX=39Y
0043E313 B9 09000000 mov ecx,9 ; 9
0043E318 99 cdq
0043E319 F7F9 idiv ecx ; EDX = 39Y mod 9
0043E31B 8B4424 13 mov eax,dword ptr ss:[esp+13]
0043E31F 25 FF000000 and eax,0FF ; EAX=Serial[4] (= original Serial[3])
0043E324 80C2 30 add dl,30
0043E327 885424 17 mov byte ptr ss:[esp+17],dl ; Serial[8] = '0' + (39Y mod 9)
0043E32B 8D1440 lea edx,dword ptr ds:[eax+eax*2] ; EDX=3*Serial[4]
0043E32E C1E2 04 shl edx,4 ; EDX=48*Serial[4]
0043E331 2BD0 sub edx,eax ; EDX=47*Serial[4]
0043E333 8B4424 15 mov eax,dword ptr ss:[esp+15]
0043E337 25 FF000000 and eax,0FF ; EAX=Serial[6] (= original Serial[4])
0043E33C 8D0CC0 lea ecx,dword ptr ds:[eax+eax*8] ; ECX=9*Serial[6]
0043E33F 8D0488 lea eax,dword ptr ds:[eax+ecx*4] ; EAX=37*Serial[6]
0043E342 8D0442 lea eax,dword ptr ds:[edx+eax*2] ; EAX=47*Serial[4]+74*Serial[6]
0043E345 99 cdq
0043E346 33C2 xor eax,edx
0043E348 2BC2 sub eax,edx ; absolute value (already non-negative here)
0043E34A 8D0CC0 lea ecx,dword ptr ds:[eax+eax*8]
0043E34D 8D0488 lea eax,dword ptr ds:[eax+ecx*4] ; EAX=37*EAX
0043E350 B9 09000000 mov ecx,9
0043E355 D1E0 shl eax,1 ; EAX=74*EAX
0043E357 99 cdq
0043E358 F7F9 idiv ecx ; EDX = EAX mod 9
0043E35A 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
0043E35E 81E1 FF000000 and ecx,0FF ; ECX=Serial[1]
0043E364 8D0449 lea eax,dword ptr ds:[ecx+ecx*2]
0043E367 8D04C0 lea eax,dword ptr ds:[eax+eax*8] ; EAX=27*Serial[1]
0043E36A D1E0 shl eax,1
0043E36C 2BC1 sub eax,ecx ; EAX=53*Serial[1]
0043E36E 80C2 30 add dl,30
0043E371 885424 14 mov byte ptr ss:[esp+14],dl ; Serial[5] = '0' + remainder from 0043E358
0043E375 8B4C24 11 mov ecx,dword ptr ss:[esp+11]
0043E379 81E1 FF000000 and ecx,0FF ; ECX=Serial[2]
0043E37F 8D14CD 00000000 lea edx,dword ptr ds:[ecx*8]
0043E386 2BD1 sub edx,ecx ; EDX=7*Serial[2]
0043E388 8D1492 lea edx,dword ptr ds:[edx+edx*4] ; EDX=35*Serial[2]
0043E38B 2BC2 sub eax,edx ; EAX=53*Serial[1]-35*Serial[2]
0043E38D 99 cdq
0043E38E 8BC8 mov ecx,eax
0043E390 33CA xor ecx,edx
0043E392 2BCA sub ecx,edx ; absolute value
0043E394 8D0449 lea eax,dword ptr ds:[ecx+ecx*2]
0043E397 8D04C0 lea eax,dword ptr ds:[eax+eax*8]
0043E39A D1E0 shl eax,1
0043E39C 2BC1 sub eax,ecx ; EAX=53*ECX
0043E39E E9 F5000000 jmp Unpacked.0043E498 ; common tail: Serial[2] = '0' + (EAX mod 9)
0043E3A3 8A4424 15 mov al,byte ptr ss:[esp+15] ; 7-digit branch: al=Serial[6]
0043E3A7 8A5424 16 mov dl,byte ptr ss:[esp+16] ; dl=Serial[7]
0043E3AB 8A4C24 14 mov cl,byte ptr ss:[esp+14] ; cl=Serial[5]
0043E3AF 884424 16 mov byte ptr ss:[esp+16],al ; Serial[7]=Serial[6]
0043E3B3 8A4424 11 mov al,byte ptr ss:[esp+11] ; al=Serial[2]
0043E3B7 885424 18 mov byte ptr ss:[esp+18],dl ; Serial[9]=old Serial[7]
0043E3BB 8A5424 12 mov dl,byte ptr ss:[esp+12] ; dl=Serial[3]
0043E3BF 884424 12 mov byte ptr ss:[esp+12],al ; Serial[3]=Serial[2]
0043E3C3 8B4424 16 mov eax,dword ptr ss:[esp+16]
0043E3C7 884C24 15 mov byte ptr ss:[esp+15],cl ; Serial[6]=Serial[5]
0043E3CB 25 FF000000 and eax,0FF ; EAX=Serial[7] (= original Serial[6])
0043E3D0 885424 13 mov byte ptr ss:[esp+13],dl ; Serial[4]=old Serial[3]; the original Serial[4] is discarded
0043E3D4 8BC8 mov ecx,eax
0043E3D6 C1E1 06 shl ecx,6
0043E3D9 2BC8 sub ecx,eax ; ECX=63*Serial[7]
0043E3DB 8B4424 18 mov eax,dword ptr ss:[esp+18]
0043E3DF 25 FF000000 and eax,0FF ; EAX=Serial[9]
0043E3E4 8D04C0 lea eax,dword ptr ds:[eax+eax*8]
0043E3E7 C1E0 02 shl eax,2 ; EAX=36*Serial[9]
0043E3EA 2BC1 sub eax,ecx ; EAX=36*Serial[9]-63*Serial[7]
0043E3EC B9 09000000 mov ecx,9
0043E3F1 99 cdq
0043E3F2 33C2 xor eax,edx
0043E3F4 2BC2 sub eax,edx ; absolute value
0043E3F6 8D04C0 lea eax,dword ptr ds:[eax+eax*8]
0043E3F9 C1E0 02 shl eax,2 ; EAX=36*EAX
0043E3FC 99 cdq
0043E3FD F7F9 idiv ecx ; EDX = 36*EAX mod 9, which is always 0
0043E3FF 80C2 30 add dl,30
0043E402 885424 17 mov byte ptr ss:[esp+17],dl ; Serial[8] = '0' (always, in this branch)
0043E406 8B4424 14 mov eax,dword ptr ss:[esp+14]
0043E40A 25 FF000000 and eax,0FF ; EAX=Serial[5] (original digit)
0043E40F 83C0 20 add eax,20 ; EAX=Serial[5]+$20
0043E412 8D14C5 00000000 lea edx,dword ptr ds:[eax*8]
0043E419 2BD0 sub edx,eax ; EDX=7*EAX
0043E41B 8D0490 lea eax,dword ptr ds:[eax+edx*4] ; EAX=29*EAX
0043E41E 8D0C40 lea ecx,dword ptr ds:[eax+eax*2] ; ECX=87*(Serial[5]+$20)
0043E421 8B4424 13 mov eax,dword ptr ss:[esp+13]
0043E425 25 FF000000 and eax,0FF ; EAX=Serial[4] (= original Serial[3])
0043E42A 8D1480 lea edx,dword ptr ds:[eax+eax*4]
0043E42D C1E2 03 shl edx,3
0043E430 2BD0 sub edx,eax ; EDX=39*Serial[4]
0043E432 8D0451 lea eax,dword ptr ds:[ecx+edx*2] ; EAX=87*(Serial[5]+$20)+78*Serial[4]
0043E435 99 cdq
0043E436 33C2 xor eax,edx
0043E438 2BC2 sub eax,edx ; absolute value
0043E43A 8D0CC5 00000000 lea ecx,dword ptr ds:[eax*8]
0043E441 2BC8 sub ecx,eax
0043E443 8D0488 lea eax,dword ptr ds:[eax+ecx*4] ; EAX=29*EAX
0043E446 B9 09000000 mov ecx,9
0043E44B 8D0440 lea eax,dword ptr ds:[eax+eax*2] ; EAX=87*EAX
0043E44E 99 cdq
0043E44F F7F9 idiv ecx ; EDX = EAX mod 9
0043E451 8B4424 10 mov eax,dword ptr ss:[esp+10]
0043E455 25 FF000000 and eax,0FF ; EAX=Serial[1]
0043E45A 80C2 30 add dl,30
0043E45D 885424 14 mov byte ptr ss:[esp+14],dl ; Serial[5] = '0' + remainder from 0043E44F
0043E461 8D14C5 00000000 lea edx,dword ptr ds:[eax*8]
0043E468 2BD0 sub edx,eax
0043E46A 8D0490 lea eax,dword ptr ds:[eax+edx*4] ; EAX=29*Serial[1]
0043E46D 8B5424 11 mov edx,dword ptr ss:[esp+11]
0043E471 81E2 FF000000 and edx,0FF ; EDX=Serial[2]
0043E477 8BCA mov ecx,edx
0043E479 C1E1 04 shl ecx,4
0043E47C 03CA add ecx,edx ; ECX=17*Serial[2]
0043E47E D1E0 shl eax,1 ; EAX=58*Serial[1]
0043E480 8D0C89 lea ecx,dword ptr ds:[ecx+ecx*4] ; ECX=85*Serial[2]
0043E483 2BC1 sub eax,ecx ; EAX=58*Serial[1]-85*Serial[2]
0043E485 99 cdq
0043E486 33C2 xor eax,edx
0043E488 2BC2 sub eax,edx ; absolute value
0043E48A 8D14C5 00000000 lea edx,dword ptr ds:[eax*8]
0043E491 2BD0 sub edx,eax
0043E493 8D0490 lea eax,dword ptr ds:[eax+edx*4] ; EAX=29*EAX
0043E496 D1E0 shl eax,1 ; EAX=58*EAX
0043E498 99 cdq ; common tail for both branches
0043E499 B9 09000000 mov ecx,9
0043E49E C64424 19 00 mov byte ptr ss:[esp+19],0 ; terminator at Serial[10]: the result is a 9-digit string
0043E4A3 F7F9 idiv ecx ; EDX = EAX mod 9
0043E4A5 80C2 30 add dl,30
0043E4A8 885424 11 mov byte ptr ss:[esp+11],dl ; Serial[2] = '0' + EDX
0043E4AC 8D5424 10 lea edx,dword ptr ss:[esp+10] ; the true registration code in plaintext; a memory keygen hooks here
0043E4B0 52 push edx
0043E4B1 E8 D74D0800 call Unpacked.004C328D ; same conversion as at 0043E23E, applied to the computed Serial
0043E4B6 83C4 04 add esp,4
0043E4B9 33C9 xor ecx,ecx
0043E4BB 3BE8 cmp ebp,eax ; numeric compare: value of the entered code vs. value of Serial
0043E4BD 5F pop edi
0043E4BE 5E pop esi
0043E4BF 0F94C1 sete cl
0043E4C2 5D pop ebp
0043E4C3 8BC1 mov eax,ecx
0043E4C5 5B pop ebx
0043E4C6 83C4 14 add esp,14
0043E4C9 C3 retn
-------------------------------------------------------------------------------------------------------------------------
So much code makes one dizzy ^_^, but the algorithm is fairly simple: at a glance it is a plaintext comparison, and I only skimmed the algorithm itself:
『Algorithm summary』:
1. 2 <= user-name length <= $55, and the registration code must consist only of digit characters (an empty code skips the digit loop and goes straight to 0043E230, where the numeric compare fails anyway);
2. Accumulate the user-name characters (as sign-extended bytes); call the result Sum;
3. Take |$104 - Sum| + $14C; call it X (so X >= $14C);
4. Convert 472X to a decimal string; because X >= $14C (472 * $14C = 156704) the string always has 6 or 7 digits, which is why there are exactly two cases;
5. Depending on whether 472X > 999999, the digits are shuffled and Serial[2], Serial[5] and Serial[8] are replaced by check digits of the form (linear combination of two digits) mod 9, giving a 9-digit code; both the entered code and this string are converted to numbers and compared. The algorithm is simple but dizzying to read, so I'm not writing a keygen!
My registration info:
User name: Baby2008
Registration code: 330936302
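The reconstruction below is an added example, not the author's code and not anything shipped with IrfanView. It transcribes both branches of 0043E230 from the listing above into Python; buf[k] here is the page's 1-based Serial[k+1], with buf[0] at [esp+10]. Two things are assumptions: the page never names 004C328D and 004CE436, and the example treats them as atoi (one string argument, results compared numerically) and _itoa (value, buffer, radix 10 pushed at 0043E27A). The 6-digit branch reproduces the page's own vector, Baby2008 -> 330936302; the 7-digit branch follows the listing but the page provides no vector to check it against.

```python
# Added example: Python reconstruction of IrfanView 3.97's serial check
# (sub 0043E230 in the listing), not the page author's code.
# Assumptions: 004C328D behaves as atoi(), 004CE436 as _itoa(value, buf, 10).
# buf[k] below is the page's 1-based Serial[k+1]; buf[0] lives at [esp+10].


def name_sum(name: bytes) -> int:
    """0043E25E..0043E273: sum of the name bytes, each sign-extended (movsx)."""
    return sum(c - 0x100 if c >= 0x80 else c for c in name)


def cdq_abs(v: int) -> int:
    """The cdq / xor eax,edx / sub eax,edx idiom: absolute value."""
    return -v if v < 0 else v


def make_serial(name: bytes) -> str:
    """Build the 9-digit code that 0043E230 leaves at [esp+10] for this name."""
    if not 2 <= len(name) <= 0x55:                       # 00464A91 / 00464AA9
        raise ValueError("user name length must be 2..0x55")
    x = cdq_abs(0x104 - name_sum(name)) + 0x14C          # 0043E275..0043E283
    n = 472 * x                                          # lea chain gives 59X, shl 3 gives 472X
    digits = str(n).encode()                             # _itoa(n, buf, 10); X >= 0x14C so 6 or 7 digits
    buf = bytearray(digits + b"\0" * (10 - len(digits))) # 10-byte buffer [esp+10..19]
    d = bytes(buf)                                       # original digits, before the shuffle
    if n <= 999999:                                      # 0043E2A8: cmp esi,0F423F / ja
        buf[6], buf[8], buf[5], buf[2], buf[3] = d[4], d[5], d[3], d[1], d[2]
        buf[7] = 0x30 + (39 * cdq_abs(39 * buf[8] - 93 * buf[4])) % 9       # 0043E2D8..0043E327
        buf[4] = 0x30 + (74 * cdq_abs(47 * buf[3] + 74 * buf[5])) % 9       # 0043E31B..0043E371
        buf[1] = 0x30 + (53 * cdq_abs(53 * buf[0] - 35 * buf[1])) % 9       # 0043E35A..0043E4A8
    else:                                                # 0043E3A3: 7-digit case, d[3] is dropped
        buf[6], buf[8], buf[2], buf[5], buf[3] = d[5], d[6], d[1], d[4], d[2]
        buf[7] = 0x30 + (36 * cdq_abs(36 * buf[8] - 63 * buf[6])) % 9       # 36*k mod 9 == 0: always '0'
        buf[4] = 0x30 + (87 * cdq_abs(87 * (buf[4] + 0x20) + 78 * buf[3])) % 9  # 0043E406..0043E45D
        buf[1] = 0x30 + (58 * cdq_abs(58 * buf[0] - 85 * buf[1])) % 9       # 0043E451..0043E4A8
    buf[9] = 0                                           # 0043E49E: terminator
    return bytes(buf).split(b"\0", 1)[0].decode()


def check_serial(name: bytes, entered: str) -> bool:
    """00464AB2..00464B56 (digit loop) plus the numeric compare at 0043E4BB."""
    # 00464AC5: an empty entry skips the digit loop entirely
    if entered and any(c not in "0123456789" for c in entered):
        return False
    return int(entered or "0") == int(make_serial(name))


if __name__ == "__main__":
    # The page's own vector: user name Baby2008 -> 330936302
    print(make_serial(b"Baby2008"), check_serial(b"Baby2008", "330936302"))
```

Because the final compare is on converted numbers rather than on strings, an entry with leading zeros ("0330936302") passes as well; the generated code is always 9 digits, and in the 7-digit branch Serial[8] is always '0' because 36 times anything is divisible by 9.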
--End--