• Title: 中华灯谜 XP 2005 Build 01.20 -- A Simple Algorithm Analysis
  • Author: 深海游侠
  • Date: 2005-01-23 01:53

==================================================================================
【Project author】深海游侠Star[CZG][OCN]
【Author e-mail】shenhaiyouxia@163.com
==================================================================================
【Software】中华灯谜 XP 2005 Build 01.20
【Download】http://www2.skycn.com/soft/6062.html
【Restriction】Feature-limited
【Packer】None
==================================================================================
【Platform】Win ME
【Debugger】TRW2000 series
==================================================================================
【Cracking process】
My coursework has been heavy lately and there were a lot of exams, so I haven't put out much work for a while.
Now that the holidays are here I can finally continue my cracker journey~~ Enough chatter!

1> Cracking process:
First check for a packer: none, Borland Delphi 6.0 - 7.0. OK, load it straight into TRW2000 and set the universal breakpoint. The program breaks as expected; after pressing F12 N times it arrives here:
016F:00524606 8D9574FFFFFF     LEA      EDX,[EBP+FFFFFF74]
016F:0052460C 8B83F8030000     MOV      EAX,[EBX+03F8]
016F:00524612 E8FD17F2FF       CALL     00445E14
016F:00524617 83BD74FFFFFF00   CMP      DWORD [EBP+FFFFFF74],BYTE +00
016F:0052461E 741A             JZ       0052463A            //was a registration code entered?
016F:00524620 8D9570FFFFFF     LEA      EDX,[EBP+FFFFFF70]
016F:00524626 8B83F4030000     MOV      EAX,[EBX+03F4]
016F:0052462C E8E317F2FF       CALL     00445E14
016F:00524631 83BD70FFFFFF00   CMP      DWORD [EBP+FFFFFF70],BYTE +00
016F:00524638 750F             JNZ      00524649            //was an order number entered?
016F:0052463A B828485200       MOV      EAX,00524828
016F:0052463F E8C4A9F1FF       CALL     0043F008
016F:00524644 E951010000       JMP      0052479A
016F:00524649 8D956CFFFFFF     LEA      EDX,[EBP+FFFFFF6C]
016F:0052464F 8B83F8030000     MOV      EAX,[EBX+03F8]
016F:00524655 E8BA17F2FF       CALL     00445E14
016F:0052465A 8B856CFFFFFF     MOV      EAX,[EBP+FFFFFF6C]  //the fake code 12121212 shows up
016F:00524660 50               PUSH     EAX
016F:00524661 8D9564FFFFFF     LEA      EDX,[EBP+FFFFFF64]
016F:00524667 8B83F4030000     MOV      EAX,[EBX+03F4]
016F:0052466D E8A217F2FF       CALL     00445E14
016F:00524672 8B8564FFFFFF     MOV      EAX,[EBP+FFFFFF64]  //the order number 123456 shows up
016F:00524678 E8774FEEFF       CALL     004095F4            //order-number string converted to an integer, EAX=1E240
016F:0052467D B909030000       MOV      ECX,0309            //ECX=309
016F:00524682 99               CDQ                          //sign-extend EAX into EDX (EDX=0 here)
016F:00524683 F7F9             IDIV     ECX                 //EAX/ECX, quotient in EAX, remainder in EDX (1E240 mod 309=2B2)
016F:00524685 8BC2             MOV      EAX,EDX             //remainder 2B2 into EAX        ★ part 1 of the registration code: 690
016F:00524687 8D9568FFFFFF     LEA      EDX,[EBP+FFFFFF68]
016F:0052468D E8FE4EEEFF       CALL     00409590            //remainder written back as the decimal string "690"
016F:00524692 8D8568FFFFFF     LEA      EAX,[EBP+FFFFFF68]
016F:00524698 50               PUSH     EAX
016F:00524699 8D9558FFFFFF     LEA      EDX,[EBP+FFFFFF58]
016F:0052469F 8B83F4030000     MOV      EAX,[EBX+03F4]
016F:005246A5 E86A17F2FF       CALL     00445E14
016F:005246AA 8B8558FFFFFF     MOV      EAX,[EBP+FFFFFF58]  //EAX=123456, the order number
016F:005246B0 E83F4FEEFF       CALL     004095F4            //converted to an integer, EAX=1E240
016F:005246B5 8D955CFFFFFF     LEA      EDX,[EBP+FFFFFF5C]
016F:005246BB E844DBFFFF       CALL     00522204            //algorithm CALL(1), trace into it
016F:005246C0 8B855CFFFFFF     MOV      EAX,[EBP+FFFFFF5C]  //transit value computed, EAX="70648174"
016F:005246C6 E8294FEEFF       CALL     004095F4            //converted to an integer, EAX=436016E
016F:005246CB 8D9560FFFFFF     LEA      EDX,[EBP+FFFFFF60]
016F:005246D1 E80EDCFFFF       CALL     005222E4            //key algorithm CALL(2), trace into it
016F:005246D6 8B9560FFFFFF     MOV      EDX,[EBP+FFFFFF60]  //EDX=36l5u412~f1449   ★ part 2 of the registration code
016F:005246DC 58               POP      EAX
016F:005246DD E8DA04EEFF       CALL     00404BBC            //concatenate the two parts
016F:005246E2 8B9568FFFFFF     MOV      EDX,[EBP+FFFFFF68]  //EDX=69036l5u412~f1449
016F:005246E8 58               POP      EAX                 //EAX=12121212 (break here for the memory keygen)
016F:005246E9 E80A06EEFF       CALL     00404CF8            //compare
016F:005246EE 0F858F000000     JNZ      NEAR 00524783       //the key jump

Key algorithm CALL(1)
|
016F:00522204 55               PUSH     EBP
016F:00522205 8BEC             MOV      EBP,ESP
016F:00522207 33C9             XOR      ECX,ECX
016F:00522209 51               PUSH     ECX
016F:0052220A 51               PUSH     ECX
016F:0052220B 51               PUSH     ECX
016F:0052220C 51               PUSH     ECX
016F:0052220D 53               PUSH     EBX
016F:0052220E 56               PUSH     ESI
016F:0052220F 8BF2             MOV      ESI,EDX
016F:00522211 8BD8             MOV      EBX,EAX    //EAX=1E240
016F:00522213 33C0             XOR      EAX,EAX
016F:00522215 55               PUSH     EBP
016F:00522216 68D4225200       PUSH     DWORD 005222D4
016F:0052221B 64FF30           PUSH     DWORD [FS:EAX]
016F:0052221E 648920           MOV      [FS:EAX],ESP
016F:00522221 81F3F1250B00     XOR      EBX,000B25F1    //EBX=1E240 xor B25F1=AC7B1
016F:00522227 8BC3             MOV      EAX,EBX
016F:00522229 33D2             XOR      EDX,EDX
016F:0052222B 52               PUSH     EDX
016F:0052222C 50               PUSH     EAX
016F:0052222D 8D45FC           LEA      EAX,[EBP-04]
016F:00522230 E88B73EEFF       CALL     004095C0        //AC7B1 converted to a decimal string, stored at [EBP-04]
016F:00522235 8B45FC           MOV      EAX,[EBP-04]    //EAX -> "706481"
016F:00522238 0FB600           MOVZX    EAX,BYTE [EAX]  //EAX=37 ('7')
016F:0052223B 8B55FC           MOV      EDX,[EBP-04]    //EDX -> "706481"
016F:0052223E 0FB65201         MOVZX    EDX,BYTE [EDX+01]  //EDX=30 ('0')
016F:00522242 03C2             ADD      EAX,EDX         //EAX=37+30=67
016F:00522244 B905000000       MOV      ECX,05          
016F:00522249 99               CDQ     
016F:0052224A F7F9             IDIV     ECX             //EDX=EAX mod 5=3
016F:0052224C 80C234           ADD      DL,34           //DL=3+34=37
016F:0052224F 8855F8           MOV      [EBP-08],DL     //save it
016F:00522252 8B45FC           MOV      EAX,[EBP-04]    //EAX -> "706481"
016F:00522255 0FB64002         MOVZX    EAX,BYTE [EAX+02]  //EAX=36 ('6')
016F:00522259 8B55FC           MOV      EDX,[EBP-04]
016F:0052225C 0FB65203         MOVZX    EDX,BYTE [EDX+03]  //EDX=34 ('4')
016F:00522260 03C2             ADD      EAX,EDX            //EAX=36+34=6A
016F:00522262 B905000000       MOV      ECX,05
016F:00522267 99               CDQ     
016F:00522268 F7F9             IDIV     ECX                //EDX=EAX mod 5=1
016F:0052226A 8BDA             MOV      EBX,EDX        
016F:0052226C 80C333           ADD      BL,33              //BL=1+33=34
016F:0052226F 885DF9           MOV      [EBP-07],BL        //save it
016F:00522272 8D45F4           LEA      EAX,[EBP-0C]
016F:00522275 8A55F8           MOV      DL,[EBP-08]
016F:00522278 E85F28EEFF       CALL     00404ADC           //37 as a one-character string "7"
016F:0052227D 8B45F4           MOV      EAX,[EBP-0C]
016F:00522280 8D55FC           LEA      EDX,[EBP-04]
016F:00522283 B91B000000       MOV      ECX,1B             //insert position 1B, past the end of "706481", so the character is appended
016F:00522288 E8072CEEFF       CALL     00404E94           //gives "7064817"
016F:0052228D 8D45F0           LEA      EAX,[EBP-10]
016F:00522290 8BD3             MOV      EDX,EBX
016F:00522292 E84528EEFF       CALL     00404ADC           //34 as a one-character string "4"
016F:00522297 8B45F0           MOV      EAX,[EBP-10]
016F:0052229A 8D55FC           LEA      EDX,[EBP-04]
016F:0052229D B919000000       MOV      ECX,19             //insert position 19, again past the end, so appended
016F:005222A2 E8ED2BEEFF       CALL     00404E94           //"706481" + "7" + "4" = "70648174"
016F:005222A7 8BC6             MOV      EAX,ESI
016F:005222A9 8B55FC           MOV      EDX,[EBP-04]       //EDX="70648174"
016F:005222AC E89F26EEFF       CALL     00404950
016F:005222B1 33C0             XOR      EAX,EAX
016F:005222B3 5A               POP      EDX
016F:005222B4 59               POP      ECX
016F:005222B5 59               POP      ECX
016F:005222B6 648910           MOV      [FS:EAX],EDX
016F:005222B9 68DB225200       PUSH     DWORD 005222DB
016F:005222BE 8D45F0           LEA      EAX,[EBP-10]
016F:005222C1 BA02000000       MOV      EDX,02
016F:005222C6 E85526EEFF       CALL     00404920
016F:005222CB 8D45FC           LEA      EAX,[EBP-04]
016F:005222CE E82926EEFF       CALL     004048FC
016F:005222D3 C3               RET     

Key algorithm CALL(2)
|
016F:005222E4 55               PUSH     EBP
016F:005222E5 8BEC             MOV      EBP,ESP
016F:005222E7 33C9             XOR      ECX,ECX
016F:005222E9 51               PUSH     ECX
016F:005222EA 51               PUSH     ECX
016F:005222EB 51               PUSH     ECX
016F:005222EC 51               PUSH     ECX
016F:005222ED 51               PUSH     ECX
016F:005222EE 51               PUSH     ECX
016F:005222EF 53               PUSH     EBX
016F:005222F0 56               PUSH     ESI
016F:005222F1 8BF2             MOV      ESI,EDX
016F:005222F3 8BD8             MOV      EBX,EAX     //EAX=436016E
016F:005222F5 33C0             XOR      EAX,EAX
016F:005222F7 55               PUSH     EBP
016F:005222F8 6830245200       PUSH     DWORD 00522430
016F:005222FD 64FF30           PUSH     DWORD [FS:EAX]
016F:00522300 648920           MOV      [FS:EAX],ESP
016F:00522303 81F38776FBDD     XOR      EBX,DDFB7687  //EBX=436016E xor DDFB7687=D9CD77E9
016F:00522309 8BC3             MOV      EAX,EBX
016F:0052230B 33D2             XOR      EDX,EDX
016F:0052230D 52               PUSH     EDX
016F:0052230E 50               PUSH     EAX
016F:0052230F 8D45FC           LEA      EAX,[EBP-04]
016F:00522312 E8A972EEFF       CALL     004095C0      //D9CD77E9 converted to a decimal string (unsigned), stored at [EBP-04]
016F:00522317 8B45FC           MOV      EAX,[EBP-04]  //EAX -> "3654121449"
016F:0052231A 0FB600           MOVZX    EAX,BYTE [EAX]//EAX=33 ('3')
016F:0052231D 8B55FC           MOV      EDX,[EBP-04]  //EDX -> "3654121449"
016F:00522320 0FB65201         MOVZX    EDX,BYTE [EDX+01]//EDX=36 ('6')
016F:00522324 03C2             ADD      EAX,EDX       //EAX=33+36=69
016F:00522326 B905000000       MOV      ECX,05
016F:0052232B 99               CDQ     
016F:0052232C F7F9             IDIV     ECX           //EDX=69 mod 5=0
016F:0052232E 80C266           ADD      DL,66         //DL=0+66=66     ★ one character of the registration code
016F:00522331 8855F8           MOV      [EBP-08],DL   
016F:00522334 8B45FC           MOV      EAX,[EBP-04]  //EAX -> "3654121449"
016F:00522337 0FB64002         MOVZX    EAX,BYTE [EAX+02]  //EAX=35 ('5')
016F:0052233B 8B55FC           MOV      EDX,[EBP-04]
016F:0052233E 0FB65203         MOVZX    EDX,BYTE [EDX+03]  //EDX=34 ('4')
016F:00522342 03C2             ADD      EAX,EDX       //EAX=35+34=69
016F:00522344 B905000000       MOV      ECX,05
016F:00522349 99               CDQ     
016F:0052234A F7F9             IDIV     ECX           //EDX=69 mod 5=0
016F:0052234C 80C275           ADD      DL,75         //DL=0+75=75     ★ one character of the registration code
016F:0052234F 8855F9           MOV      [EBP-07],DL   
016F:00522352 8B45FC           MOV      EAX,[EBP-04]  //EAX -> "3654121449"
016F:00522355 0FB64004         MOVZX    EAX,BYTE [EAX+04]  //EAX=31 ('1')
016F:00522359 8B55FC           MOV      EDX,[EBP-04]
016F:0052235C 0FB65205         MOVZX    EDX,BYTE [EDX+05]  //EDX=32 ('2')
016F:00522360 03C2             ADD      EAX,EDX       //EAX=31+32=63
016F:00522362 B905000000       MOV      ECX,05 
016F:00522367 99               CDQ     
016F:00522368 F7F9             IDIV     ECX           //EDX=63 mod 5=4
016F:0052236A 80C27A           ADD      DL,7A         //DL=4+7A=7E     ★ one character of the registration code
016F:0052236D 8855FA           MOV      [EBP-06],DL
016F:00522370 8B45FC           MOV      EAX,[EBP-04]  //EAX -> "3654121449"
016F:00522373 0FB64006         MOVZX    EAX,BYTE [EAX+06]//EAX=31 ('1')
016F:00522377 8B55FC           MOV      EDX,[EBP-04]
016F:0052237A 0FB65207         MOVZX    EDX,BYTE [EDX+07]//EDX=34 ('4')
016F:0052237E 03C2             ADD      EAX,EDX          //EAX=31+34=65
016F:00522380 8B55FC           MOV      EDX,[EBP-04]     //EDX -> "3654121449"
016F:00522383 0FB65208         MOVZX    EDX,BYTE [EDX+08]//EDX=34 ('4')
016F:00522387 03C2             ADD      EAX,EDX          //EAX=65+34=99
016F:00522389 B905000000       MOV      ECX,05
016F:0052238E 99               CDQ     
016F:0052238F F7F9             IDIV     ECX              //EDX=99 mod 5=3
016F:00522391 80C269           ADD      DL,69            //DL=3+69=6C ★ one character of the registration code
016F:00522394 8855FB           MOV      [EBP-05],DL
016F:00522397 8D45F4           LEA      EAX,[EBP-0C]
016F:0052239A 8A55F8           MOV      DL,[EBP-08]      //DL=66
016F:0052239D E83A27EEFF       CALL     00404ADC         //as a one-character string "f"
016F:005223A2 8B45F4           MOV      EAX,[EBP-0C]     
016F:005223A5 8D55FC           LEA      EDX,[EBP-04]
016F:005223A8 B907000000       MOV      ECX,07           //to be inserted at position 7 of "3654121449"
016F:005223AD E8E22AEEFF       CALL     00404E94         //gives "365412f1449"
016F:005223B2 8D45F0           LEA      EAX,[EBP-10]     
016F:005223B5 8A55FB           MOV      DL,[EBP-05]      //DL=6C
016F:005223B8 E81F27EEFF       CALL     00404ADC         //as a one-character string "l"
016F:005223BD 8B45F0           MOV      EAX,[EBP-10]
016F:005223C0 8D55FC           LEA      EDX,[EBP-04]
016F:005223C3 B903000000       MOV      ECX,03           //to be inserted at position 3 of "365412f1449"
016F:005223C8 E8C72AEEFF       CALL     00404E94         //gives "36l5412f1449"
016F:005223CD 8D45EC           LEA      EAX,[EBP-14]
016F:005223D0 8A55F9           MOV      DL,[EBP-07]      //DL=75
016F:005223D3 E80427EEFF       CALL     00404ADC         //as a one-character string "u"
016F:005223D8 8B45EC           MOV      EAX,[EBP-14]
016F:005223DB 8D55FC           LEA      EDX,[EBP-04]
016F:005223DE B905000000       MOV      ECX,05           //to be inserted at position 5 of "36l5412f1449"
016F:005223E3 E8AC2AEEFF       CALL     00404E94         //gives "36l5u412f1449"
016F:005223E8 8D45E8           LEA      EAX,[EBP-18]
016F:005223EB 8A55FA           MOV      DL,[EBP-06]      //DL=7E
016F:005223EE E8E926EEFF       CALL     00404ADC         //as a one-character string "~"
016F:005223F3 8B45E8           MOV      EAX,[EBP-18]
016F:005223F6 8D55FC           LEA      EDX,[EBP-04]
016F:005223F9 B909000000       MOV      ECX,09           //to be inserted at position 9 of "36l5u412f1449"
016F:005223FE E8912AEEFF       CALL     00404E94         //gives "36l5u412~f1449"
016F:00522403 8BC6             MOV      EAX,ESI
016F:00522405 8B55FC           MOV      EDX,[EBP-04]     //EDX="36l5u412~f1449"   ★ part 2 of the registration code
016F:00522408 E84325EEFF       CALL     00404950
016F:0052240D 33C0             XOR      EAX,EAX
016F:0052240F 5A               POP      EDX
016F:00522410 59               POP      ECX
016F:00522411 59               POP      ECX
016F:00522412 648910           MOV      [FS:EAX],EDX
016F:00522415 6837245200       PUSH     DWORD 00522437
016F:0052241A 8D45E8           LEA      EAX,[EBP-18]
016F:0052241D BA04000000       MOV      EDX,04
016F:00522422 E8F924EEFF       CALL     00404920
016F:00522427 8D45FC           LEA      EAX,[EBP-04]
016F:0052242A E8CD24EEFF       CALL     004048FC
016F:0052242F C3               RET     

2> Summary:
The registration code consists of two main parts. They are computed independently of each other, but by essentially the same kind of steps. Both take nothing but the order number as input, and every constant is hard-coded in the binary, so once the check has been traced a valid code can be regenerated for any order number; the final check at 005246E9 is a plain string compare.
1) Part 1 of the registration code:
Convert the entered order number 123456 to an integer (hex 1E240), compute 1E240 mod 309 = 2B2, and write the result back in decimal: 690. That is part 1.

2) Part 2 of the registration code:
First derive the transit value 436016E (decimal 70648174) from the order number 1E240, then run it through the series of steps marked in the listing above; the result is part 2 of the registration code, 36l5u412~f1449.

3> Derivation:
         Part 1 of the registration code
         1E240 mod 309 = 2B2   (690)

Transit value: 1E240 xor B25F1 = AC7B1 (706481); append the two computed characters: 70648174
               70648174 (hex 436016E) xor DDFB7687 = D9CD77E9 (3654121449)

                              Part 2 of the registration code
(the sums below are over the ASCII codes of the digits of 3654121449 before any insertion;
 the four computed characters are then inserted at positions 7, 3, 5 and 9, in that order)
Position 1                                    33 (3)
Position 2                                    36 (6)
Position 3          [(31+34+34) mod 5] + 69 = 6C (l)
Position 4                                    35 (5)
Position 5             [(35+34) mod 5] + 75 = 75 (u)
Position 6                                    34 (4)
Position 7                                    31 (1)
Position 8                                    32 (2)
Position 9             [(31+32) mod 5] + 7A = 7E (~)
Position 10            [(33+36) mod 5] + 66 = 66 (f)
Position 11                                   31 (1)
Position 12                                   34 (4)
Position 13                                   34 (4)
Position 14                                   39 (9)

Combining the two parts: 69036l5u412~f1449
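The same derivation as a keygen. This is an added example written in Python for this page; it is not the author's code and was not part of the original post. The constants (B25F1, DDFB7687, 309), the mod-5 character mixing and the insertion positions are taken from the listings above. Everything else is my own: the function names, the delphi_insert emulation of the Insert call at 00404E94 (1-based index, an index past the end appends), a guard limiting the order number to 7 digits (assumed from the 32-bit integer that CALL 004095F4 returns; with longer inputs the CALL(1) result no longer fits and the real binary would behave differently), and a guard rejecting intermediates shorter than four characters, for which the binary would read past the end of the string.

```python
# Keygen for the order-number -> registration-code scheme traced above.
# Added example, not code from the original post. Constants and steps are
# taken from the listing at 00524606 and the two CALLs at 00522204 and
# 005222E4; the function names and the two range guards are my own.

CALL1_XOR = 0x000B25F1   # XOR EBX,000B25F1 in CALL(1)
CALL2_XOR = 0xDDFB7687   # XOR EBX,DDFB7687 in CALL(2)
PART1_MOD = 0x309        # MOV ECX,0309 before the IDIV (777 decimal)


def delphi_insert(src: str, dest: str, index: int) -> str:
    """Emulate Delphi's Insert(Source, S, Index) as called at 00404E94:
    Index is 1-based; an index past the end appends, an index below 1
    prepends."""
    index = max(1, min(index, len(dest) + 1))
    return dest[:index - 1] + src + dest[index - 1:]


def mixed_char(s: str, positions: tuple, base: int) -> str:
    """Sum the byte values of the selected characters, reduce mod 5 and
    add the per-slot constant (the ADD DL,xx / ADD BL,xx instructions)."""
    total = sum(ord(s[p]) for p in positions)
    return chr(total % 5 + base)


def call1(order: int) -> str:
    """CALL 00522204: (order xor B25F1) as a decimal string, with two
    computed characters appended (insert positions 1B and 19 lie past the
    end of any string this routine produces, so Insert appends)."""
    s = str(order ^ CALL1_XOR)
    if len(s) < 4:
        # Assumption (my guard): the binary reads bytes [0..3] of the
        # string unconditionally, so it would run past the terminator here.
        raise ValueError("intermediate shorter than 4 characters")
    c_a = mixed_char(s, (0, 1), 0x34)   # ADD DL,34
    c_b = mixed_char(s, (2, 3), 0x33)   # ADD BL,33
    s = delphi_insert(c_a, s, 0x1B)
    s = delphi_insert(c_b, s, 0x19)
    return s


def call2(value: int) -> str:
    """CALL 005222E4: (value xor DDFB7687) printed as an unsigned 32-bit
    decimal, then four computed characters inserted at positions 7, 3, 5
    and 9, in that order. For inputs below 2^31 the XOR result always has
    its top bit set, so the string is always 10 digits long."""
    s = str((value ^ CALL2_XOR) & 0xFFFFFFFF)
    c_f = mixed_char(s, (0, 1), 0x66)      # ADD DL,66
    c_u = mixed_char(s, (2, 3), 0x75)      # ADD DL,75
    c_t = mixed_char(s, (4, 5), 0x7A)      # ADD DL,7A
    c_l = mixed_char(s, (6, 7, 8), 0x69)   # ADD DL,69
    s = delphi_insert(c_f, s, 7)
    s = delphi_insert(c_l, s, 3)
    s = delphi_insert(c_u, s, 5)
    s = delphi_insert(c_t, s, 9)
    return s


def keygen(order_number: str) -> str:
    """Registration code = str(order mod 777) + CALL2(int(CALL1(order)))."""
    order = int(order_number)
    if not 0 <= order <= 9_999_999:
        # Assumption (my guard): beyond 7 digits the CALL(1) result no
        # longer fits the 32-bit integer that CALL 004095F4 returns.
        raise ValueError("order number outside the range this keygen supports")
    part1 = str(order % PART1_MOD)
    transit = int(call1(order))            # the second CALL 004095F4
    return part1 + call2(transit)


if __name__ == "__main__":
    print(keygen("123456"))   # -> 69036l5u412~f1449
```

Running it with the order number from the write-up reproduces the code the author read out of EDX at 005246E2; call1 and call2 can be called on their own to check the intermediate strings against the listing.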

4> Memory keygen:
Break address: 005246E8
Break count: 1
First byte: 58
Byte length: 1
Register: EDX *memory mode*

5> Closing remarks:
Actually a memory keygen for this program was already made two days ago by brother 刀刀; I only went through the algorithm to learn. Since I am a newcomer too, I have tried to keep this as simple as possible, and I hope the veterans won't laugh at my long-windedness.
If anyone learns something from this article, then my goal is achieved.
I've caught a cold, time to take my medicine.....

==================================================================================
【Project notice】This write-up is for internal study only! If you repost it, please keep it complete!
==================================================================================