【软件名称】:IrfanView
【软件大小】:440 KB
【下载地址】:http://www.irfanview.com/
【软件简介】:图像浏览处理
【软件限制】:免费软件
【保护方式】:注册码
【破解作者】:w.h.m
【破解日期】:06/03/2005
【破解声明】:学习注册算法,失误之处敬请诸位大侠赐教!
【调试环境】:WinXP、OllyDBG、PEiD、ImportREC
———————————————————————————————————————————
【破解过程】:
看雪上已经有一篇介绍IrfanView 3.97的注册算法:
http://bbs.pediy.com//showthread.ph...;threadid=13336
但是分析的并不彻底,没有写出注册机.出于学习目的,我独立的又分析了它的注册算法,但是
这里省去了一些步骤,直接分析其计算注册码部分,其余请参考前作. 我用的不是最新版,而是
3.80, 实际算法没有变,至少我知道的自3.70后一直没有变,因为我手头有一个3.70的注册机,
作了比较,而且和baby2008计算的3.97 比较也一样,所以我懒得去下载最新的.
且看我的分析:
(注:分析所用数字为十六进制.)
代码:
00436600 /$ 8B4424 08 mov eax,dword ptr ss:[esp+8]
00436604 |. 83EC 14 sub esp,14
00436607 |. 53 push ebx
00436608 |. 55 push ebp
00436609 |. 56 push esi
0043660A |. 57 push edi
0043660B |. 50 push eax ; 参数为注册码
0043660C |. 33DB xor ebx,ebx
0043660E |. E8 9A2A0800 call x.004B90AD ; eax=注册码串转化的十六进制;记为code
00436613 |. 8B7424 2C mov esi,dword ptr ss:[esp+2C] ; 用户名
00436617 |. 8BE8 mov ebp,eax
00436619 |. 8BFE mov edi,esi
0043661B |. 83C9 FF or ecx,FFFFFFFF
0043661E |. 33C0 xor eax,eax
00436620 |. 83C4 04 add esp,4
00436623 |. 33D2 xor edx,edx
00436625 |. F2:AE repne scas byte ptr es:[edi]
00436627 |. F7D1 not ecx
00436629 |. 49 dec ecx
0043662A |. 85C9 test ecx,ecx ; ecx用户名长度
0043662C |. 7E 17 jle short x.00436645
0043662E |> 0FBE0C32 /movsx ecx,byte ptr ds:[edx+esi]
00436632 |. 03D9 |add ebx,ecx
00436634 |. 8BFE |mov edi,esi
00436636 |. 83C9 FF |or ecx,FFFFFFFF
00436639 |. 33C0 |xor eax,eax
0043663B |. 42 |inc edx
0043663C |. F2:AE |repne scas byte ptr es:[edi]
0043663E |. F7D1 |not ecx
00436640 |. 49 |dec ecx
00436641 |. 3BD1 |cmp edx,ecx
00436643 |.^ 7C E9 \jl short x.0043662E ; ebx=用户名[i]累加;记为sum
00436645 |> B8 04010000 mov eax,104
0043664A |. 6A 0A push 0A ; /Arg3 = 0000000A, 十进制
0043664C |. 2BC3 sub eax,ebx ; |
0043664E |. 99 cdq ; |
0043664F |. 33C2 xor eax,edx ; |
00436651 |. 2BC2 sub eax,edx ; |
00436653 |. 05 4C010000 add eax,14C ; |eax=abs(104-sum)+14c
00436658 |. 8D14C5 0000>lea edx,dword ptr ds:[eax*8] ; |
0043665F |. 2BD0 sub edx,eax ; |
00436661 |. 8D0C90 lea ecx,dword ptr ds:[eax+edx*4] ; |ecx=1d*eax
00436664 |. 8D5424 14 lea edx,dword ptr ss:[esp+14] ; |
00436668 |. 52 push edx ; |Arg2, 存放结果
00436669 |. 8D3448 lea esi,dword ptr ds:[eax+ecx*2] ; |
0043666C |. C1E6 03 shl esi,3 ; |esi=1d8*eax
0043666F |. 56 push esi ; |Arg1=1d8*(abs(104-sum)+14c)
00436670 |. E8 6FE10800 call x.004C47E4 ; \把Arg1转化成十进制串,存放在Arg2地址,记为s
00436675 |. 8A4C24 20 mov cl,byte ptr ss:[esp+20] ; s[4]
00436679 |. 8A4424 21 mov al,byte ptr ss:[esp+21] ; s[5]
0043667D |. 83C4 0C add esp,0C
00436680 |. 81FE 3F420F>cmp esi,0F423F
00436686 |. 0F87 E70000>ja x.00436773
0043668C |. 8A5424 13 mov dl,byte ptr ss:[esp+13] ; s[3]
00436690 |. 884C24 16 mov byte ptr ss:[esp+16],cl ; s[6]=s[4]
00436694 |. 8A4C24 11 mov cl,byte ptr ss:[esp+11] ; s[1]
00436698 |. 884424 18 mov byte ptr ss:[esp+18],al ; s[8]=s[5]
0043669C |. 8A4424 12 mov al,byte ptr ss:[esp+12] ; s[2]
004366A0 |. 885424 15 mov byte ptr ss:[esp+15],dl ; s[5]=s[3]
004366A4 |. 884C24 12 mov byte ptr ss:[esp+12],cl ; s[2]=s[1]
004366A8 |. 8B4C24 14 mov ecx,dword ptr ss:[esp+14]
004366AC |. 81E1 FF0000>and ecx,0FF ; s[4]
004366B2 |. 884424 13 mov byte ptr ss:[esp+13],al ; s[3]=s[2]
004366B6 |. 8BC1 mov eax,ecx
004366B8 |. C1E0 05 shl eax,5
004366BB |. 2BC1 sub eax,ecx ; eax=s[4]*1f
004366BD |. 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
004366C1 |. 81E1 FF0000>and ecx,0FF ; s[8]
004366C7 |. 8D1440 lea edx,dword ptr ds:[eax+eax*2] ; edx=eax*3=s[4]*5d
004366CA |. 8D0489 lea eax,dword ptr ds:[ecx+ecx*4]
004366CD |. C1E0 03 shl eax,3
004366D0 |. 2BC1 sub eax,ecx ; eax=ecx*27=s[8]*27
004366D2 |. 2BC2 sub eax,edx
004366D4 |. 99 cdq
004366D5 |. 8BC8 mov ecx,eax
004366D7 |. 33CA xor ecx,edx
004366D9 |. 2BCA sub ecx,edx ; ecx=abs(eax-edx)
004366DB |. 8D0489 lea eax,dword ptr ds:[ecx+ecx*4]
004366DE |. C1E0 03 shl eax,3
004366E1 |. 2BC1 sub eax,ecx ; eax=ecx*27=abs(s[8]*27-s[4]*5d)*27
004366E3 |. B9 09000000 mov ecx,9
004366E8 |. 99 cdq
004366E9 |. F7F9 idiv ecx
004366EB |. 8B4424 13 mov eax,dword ptr ss:[esp+13]
004366EF |. 25 FF000000 and eax,0FF ; s[3]
004366F4 |. 80C2 30 add dl,30
004366F7 |. 885424 17 mov byte ptr ss:[esp+17],dl ; s[7]=abs(s[8]*27-s[4]*5d)*27%9+30
004366FB |. 8D1440 lea edx,dword ptr ds:[eax+eax*2]
004366FE |. C1E2 04 shl edx,4
00436701 |. 2BD0 sub edx,eax ; edx=eax*2f=s[3]*2f
00436703 |. 8B4424 15 mov eax,dword ptr ss:[esp+15]
00436707 |. 25 FF000000 and eax,0FF ; s[5]
0043670C |. 8D0CC0 lea ecx,dword ptr ds:[eax+eax*8]
0043670F |. 8D0488 lea eax,dword ptr ds:[eax+ecx*4]
00436712 |. 8D0442 lea eax,dword ptr ds:[edx+eax*2] ; eax=s[5]*a4+s[3]*2f
00436715 |. 99 cdq
00436716 |. 33C2 xor eax,edx
00436718 |. 2BC2 sub eax,edx ; eax=abs(s[5]*a4+s[3]*2f)
0043671A |. 8D0CC0 lea ecx,dword ptr ds:[eax+eax*8]
0043671D |. 8D0488 lea eax,dword ptr ds:[eax+ecx*4]
00436720 |. B9 09000000 mov ecx,9
00436725 |. 03C0 add eax,eax ; eax=abs(s[5]*a4+s[3]*2f)*4a
00436727 |. 99 cdq
00436728 |. F7F9 idiv ecx
0043672A |. 8B4C24 10 mov ecx,dword ptr ss:[esp+10] ; s[0]
0043672E |. 81E1 FF0000>and ecx,0FF
00436734 |. 8D0449 lea eax,dword ptr ds:[ecx+ecx*2]
00436737 |. 8D04C0 lea eax,dword ptr ds:[eax+eax*8]
0043673A |. 03C0 add eax,eax
0043673C |. 2BC1 sub eax,ecx ; eax=s[0]*35
0043673E |. 80C2 30 add dl,30
00436741 |. 885424 14 mov byte ptr ss:[esp+14],dl ; s[4]=abs(s[5]*a4+s[3]*2f)*4a%9+30
00436745 |. 8B4C24 11 mov ecx,dword ptr ss:[esp+11] ; s[1]
00436749 |. 81E1 FF0000>and ecx,0FF
0043674F |. 8D14CD 0000>lea edx,dword ptr ds:[ecx*8]
00436756 |. 2BD1 sub edx,ecx
00436758 |. 8D1492 lea edx,dword ptr ds:[edx+edx*4] ; edx=s[1]*23
0043675B |. 2BC2 sub eax,edx
0043675D |. 99 cdq
0043675E |. 8BC8 mov ecx,eax
00436760 |. 33CA xor ecx,edx
00436762 |. 2BCA sub ecx,edx ; ecx=abs(eax-edx)=abs(s[0]*35-s[1]*23)
00436764 |. 8D0449 lea eax,dword ptr ds:[ecx+ecx*2]
00436767 |. 8D04C0 lea eax,dword ptr ds:[eax+eax*8]
0043676A |. 03C0 add eax,eax
0043676C |. 2BC1 sub eax,ecx ; eax=abs(s[0]*35-s[1]*23)*35
0043676E |. E9 ED000000 jmp x.00436860 ; 跳过大段
00436773 |> 8A5424 16 mov dl,byte ptr ss:[esp+16]
00436777 |. 884424 16 mov byte ptr ss:[esp+16],al
0043677B |. 8A4424 11 mov al,byte ptr ss:[esp+11]
0043677F |. 885424 18 mov byte ptr ss:[esp+18],dl
00436783 |. 8A5424 12 mov dl,byte ptr ss:[esp+12]
00436787 |. 884424 12 mov byte ptr ss:[esp+12],al
0043678B |. 8B4424 16 mov eax,dword ptr ss:[esp+16]
0043678F |. 884C24 15 mov byte ptr ss:[esp+15],cl
00436793 |. 25 FF000000 and eax,0FF
00436798 |. 885424 13 mov byte ptr ss:[esp+13],dl
0043679C |. 8BC8 mov ecx,eax
0043679E |. C1E1 06 shl ecx,6
004367A1 |. 2BC8 sub ecx,eax
004367A3 |. 8B4424 18 mov eax,dword ptr ss:[esp+18]
004367A7 |. 25 FF000000 and eax,0FF
004367AC |. 8D04C0 lea eax,dword ptr ds:[eax+eax*8]
004367AF |. C1E0 02 shl eax,2
004367B2 |. 2BC1 sub eax,ecx
004367B4 |. B9 09000000 mov ecx,9
004367B9 |. 99 cdq
004367BA |. 33C2 xor eax,edx
004367BC |. 2BC2 sub eax,edx
004367BE |. 8D04C0 lea eax,dword ptr ds:[eax+eax*8]
004367C1 |. C1E0 02 shl eax,2
004367C4 |. 99 cdq
004367C5 |. F7F9 idiv ecx
004367C7 |. 80C2 30 add dl,30
004367CA |. 885424 17 mov byte ptr ss:[esp+17],dl
004367CE |. 8B4424 14 mov eax,dword ptr ss:[esp+14]
004367D2 |. 25 FF000000 and eax,0FF
004367D7 |. 83C0 20 add eax,20
004367DA |. 8D14C5 0000>lea edx,dword ptr ds:[eax*8]
004367E1 |. 2BD0 sub edx,eax
004367E3 |. 8D0490 lea eax,dword ptr ds:[eax+edx*4]
004367E6 |. 8D0C40 lea ecx,dword ptr ds:[eax+eax*2]
004367E9 |. 8B4424 13 mov eax,dword ptr ss:[esp+13]
004367ED |. 25 FF000000 and eax,0FF
004367F2 |. 8D1480 lea edx,dword ptr ds:[eax+eax*4]
004367F5 |. C1E2 03 shl edx,3
004367F8 |. 2BD0 sub edx,eax
004367FA |. 8D0451 lea eax,dword ptr ds:[ecx+edx*2]
004367FD |. 99 cdq
004367FE |. 33C2 xor eax,edx
00436800 |. 2BC2 sub eax,edx
00436802 |. 8D0CC5 0000>lea ecx,dword ptr ds:[eax*8]
00436809 |. 2BC8 sub ecx,eax
0043680B |. 8D0488 lea eax,dword ptr ds:[eax+ecx*4]
0043680E |. B9 09000000 mov ecx,9
00436813 |. 8D0440 lea eax,dword ptr ds:[eax+eax*2]
00436816 |. 99 cdq
00436817 |. F7F9 idiv ecx
00436819 |. 8B4424 10 mov eax,dword ptr ss:[esp+10]
0043681D |. 25 FF000000 and eax,0FF
00436822 |. 80C2 30 add dl,30
00436825 |. 885424 14 mov byte ptr ss:[esp+14],dl
00436829 |. 8D14C5 0000>lea edx,dword ptr ds:[eax*8]
00436830 |. 2BD0 sub edx,eax
00436832 |. 8D0490 lea eax,dword ptr ds:[eax+edx*4]
00436835 |. 8B5424 11 mov edx,dword ptr ss:[esp+11]
00436839 |. 81E2 FF0000>and edx,0FF
0043683F |. 03C0 add eax,eax
00436841 |. 8BCA mov ecx,edx
00436843 |. C1E1 04 shl ecx,4
00436846 |. 03CA add ecx,edx
00436848 |. 8D0C89 lea ecx,dword ptr ds:[ecx+ecx*4]
0043684B |. 2BC1 sub eax,ecx
0043684D |. 99 cdq
0043684E |. 33C2 xor eax,edx
00436850 |. 2BC2 sub eax,edx
00436852 |. 8D14C5 0000>lea edx,dword ptr ds:[eax*8]
00436859 |. 2BD0 sub edx,eax
0043685B |. 8D0490 lea eax,dword ptr ds:[eax+edx*4]
0043685E |. 03C0 add eax,eax
00436860 |> 99 cdq
00436861 |. B9 09000000 mov ecx,9
00436866 |. C64424 19 0>mov byte ptr ss:[esp+19],0 ; s[9]=0,确定只有9个字符
0043686B |. F7F9 idiv ecx
0043686D |. 80C2 30 add dl,30
00436870 |. 885424 11 mov byte ptr ss:[esp+11],dl ; s[1]=abs(s[0]*35-s[1]*23)*35%9+30
00436874 |. 8D5424 10 lea edx,dword ptr ss:[esp+10]
00436878 |. 52 push edx
00436879 |. E8 2F280800 call x.004B90AD ; 比较
0043687E |. 83C4 04 add esp,4
00436881 |. 33C9 xor ecx,ecx
00436883 |. 3BE8 cmp ebp,eax
00436885 |. 5F pop edi
00436886 |. 5E pop esi
00436887 |. 0F94C1 sete cl
0043688A |. 5D pop ebp
0043688B |. 8BC1 mov eax,ecx
0043688D |. 5B pop ebx
0043688E |. 83C4 14 add esp,14
00436891 \. C3 retn
总结一下:
1.sum=sum(name[i])
2.把1d8*(abs(104-sum)+14c)转化成10进制串s
3.
s[8]=s[5],s[5]=s[3],s[3]=s[2],s[2]=s[1],s[6]=s[4]
s[7]=abs(s[8]*27-s[4]*5d)*27%9+30
s[4]=abs(s[5]*a4+s[3]*2f)*4a%9+30
s[1]=abs(s[0]*35-s[1]*23)*35%9+30
4.9位数字串s即为注册码
于是写出注册机:
keygen_irfanview(char *name)
{
DWORD sum=0;
DWORD p[7]=
{
1000000,100000,10000,1000,100,10,1
};
BYTE s[10];
int i;
for(i=0;i<strlen(name);i++)
{
sum+=(DWORD)name[i];
}
sum=0x1d8*(0x14c+(DWORD)abs((signed long)sum-260));
for (i=0;i<6;i++)
{
s[i]=(sum%p[i])/p[i+1]+0x30;
}
s[8]=s[5],s[5]=s[3],s[3]=s[2],s[2]=s[1],s[6]=s[4];
s[7]=(DWORD)abs((signed long)(s[8]*0x27)-(signed long)(s[4]*0x5d))*0x27%9+0x30;
s[4]=(DWORD)abs((signed long)(s[5]*0xa4)+(signed long)(s[3]*0x2f))*0x4a%9+0x30;
s[1]=(DWORD)abs((signed long)(s[0]*0x35)-(signed long)(s[1]*0x23))*0x35%9+0x30;
s[9]=0;
printf("key is %s",(char*)s);
}
注册信息:
name: whm
code: 119036808