【Author】       lnn1123[[BCG][DCM]]

【E-mail】       lnn11231123@163.com

【Author QQ】    254513595

【Title】        TitleBarClock Pro 5.2 algorithm analysis

【Software】     TitleBarClock Pro 5.2

【Download】     天空软件 (Skycn)

----------------------------------------------------------------------------------------------
【Protection】   registration code

【Tools】        OllyDbg, PEiD

【Limitations】  didn't look

【Platform】     Win9x/NT/2000/XP/XP SP2

----------------------------------------------------------------------------------------------


【Introduction】

A fairly simple article; experts can skip it!

----------------------------------------------------------------------------------------------
【Cracking process】

PEiD identifies the packer as PECompact 2.x -> Jeremy Collake. Set OllyDbg to ignore all exceptions, load the file, and it stops at the entry point:
00401000 > B8 58CB4100      MOV EAX,Tbcpro.0041CB58                        ; stops here
00401005   50               PUSH EAX
00401006   64:FF35 00000000 PUSH DWORD PTR FS:[0]
0040100D   64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00401014   33C0             XOR EAX,EAX
00401016   8908             MOV DWORD PTR DS:[EAX],ECX
00401018   50               PUSH EAX
00401019   45               INC EBP
0040101A   43               INC EBX

This is the standard PECompact 2.x entry stub: it pushes its own handler (0041CB58) onto the SEH chain and then does XOR EAX,EAX / MOV [EAX],ECX, a deliberate write to address 0. The access violation is what hands control to the unpacking code, which is why OllyDbg must pass all exceptions to the program instead of stopping on them. The bytes that follow (50 45 43 ...) are the ASCII signature "PECompact2", not code, so the PUSH EAX / INC EBP / INC EBX that OllyDbg shows there is junk.

Set a breakpoint: BP VirtualFree (this is one of the APIs you will need again and again, so remember it). Run; when it breaks, remove the breakpoint and press Alt+F9 (execute till user code) to return. A few more steps and you are at the OEP.
The breakpoint lands here:
7C809B14 > 8BFF             MOV EDI,EDI                                    ; Tbcpro.00400000
7C809B16   55               PUSH EBP
7C809B17   8BEC             MOV EBP,ESP
7C809B19   FF75 10          PUSH DWORD PTR SS:[EBP+10]
7C809B1C   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
7C809B1F   FF75 08          PUSH DWORD PTR SS:[EBP+8]
7C809B22   6A FF            PUSH -1
7C809B24   E8 09000000      CALL kernel32.VirtualFreeEx
7C809B29   5D               POP EBP
7C809B2A   C2 0C00          RETN 0C

Alt+F9 brings you back here, to 003803AC, the instruction right after the CALL DWORD PTR DS:[EAX] that went into VirtualFree:
0038039C   58               POP EAX                                        ; <&kernel32.VirtualFree>
0038039D   68 00800000      PUSH 8000
003803A2   6A 00            PUSH 0
003803A4   FFB5 E3120010    PUSH DWORD PTR SS:[EBP+100012E3]
003803AA   FF10             CALL DWORD PTR DS:[EAX]
003803AC   8B46 0C          MOV EAX,DWORD PTR DS:[ESI+C]
003803AF   03C7             ADD EAX,EDI
003803B1   5D               POP EBP
003803B2   5E               POP ESI
003803B3   5F               POP EDI
003803B4   59               POP ECX
003803B5   5B               POP EBX
003803B6   C3               RETN

Step over with F8 until you reach this:
0041CBFE   8985 1C110010    MOV DWORD PTR SS:[EBP+1000111C],EAX            ; Tbcpro.<ModuleEntryPoint>
0041CC04   8BF0             MOV ESI,EAX
0041CC06   59               POP ECX
0041CC07   5A               POP EDX
0041CC08   03CA             ADD ECX,EDX
0041CC0A   68 00800000      PUSH 8000
0041CC0F   6A 00            PUSH 0
0041CC11   57               PUSH EDI
0041CC12   FF11             CALL DWORD PTR DS:[ECX]
0041CC14   8BC6             MOV EAX,ESI
0041CC16   5E               POP ESI
0041CC17   5F               POP EDI
0041CC18   59               POP ECX
0041CC19   5B               POP EBX
0041CC1A   5D               POP EBP
0041CC1B   FFE0             JMP EAX                                        ; JMP OEP

Now you can dump with an OllyDbg dump plugin. In my case the dump ran without needing any import fixing, so the unpacking is done.
On to the algorithm. After entering an Order ID and Regcode, an error box appears. Are the strings encrypted? Check with Lao Luo's string plugin (老罗插件): they are not. Find the string reference and set a breakpoint here:
===================================code=============================================
00405A10  |. 6A 10          PUSH 10                                        ; /Count = 10 (16.)
00405A12  |. 68 82D94000    PUSH 1.0040D982                                ; |Buffer = 1.0040D982
00405A17  |. 68 AA0F0000    PUSH 0FAA                                      ; |ControlID = FAA (4010.)
00405A1C  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                      ; |hWnd
00405A1F  |. E8 08490000    CALL <JMP.&user32.GetDlgItemTextA>             ; \GetDlgItemTextA
00405A24  |. E8 18370000    CALL 1.00409141                                ;  the CALL above fetched the code you typed; this is the key CALL, step into it
00405A29  |. 833D 4BD74000 >CMP DWORD PTR DS:[40D74B],1                    ;  compare the flag set inside 00409141
00405A30  |. 75 19          JNZ SHORT 1.00405A4B                           ;  flag == 1 means the code was wrong: no jump, and you're dead
00405A32  |. 6A 30          PUSH 30                                        ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405A34  |. 68 3CC04000    PUSH 1.0040C03C                                ; |Title = "TitleBarClock Pro 5.2"
00405A39  |. 68 80C04000    PUSH 1.0040C080                                ; |Text = "Invalid Registration Code"
00405A3E  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                      ; |hOwner
00405A41  |. E8 40490000    CALL <JMP.&user32.MessageBoxA>                 ; \MessageBoxA
00405A46  |. E9 B5000000    JMP 1.00405B00
00405A4B  |> 6A 1E          PUSH 1E                                        ; /Count = 1E (30.)
00405A4D  |. 68 E6D94000    PUSH 1.0040D9E6                                ; |Buffer = 1.0040D9E6
00405A52  |. 68 B40F0000    PUSH 0FB4                                      ; |ControlID = FB4 (4020.)
00405A57  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                      ; |hWnd
00405A5A  |. E8 CD480000    CALL <JMP.&user32.GetDlgItemTextA>             ; \GetDlgItemTextA
00405A5F  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX                   ;  length of the Order ID (GetDlgItemTextA returns the character count)
00405A62  |. FF75 FC        PUSH DWORD PTR SS:[EBP-4]                      ; /Order ID length
00405A65  |. E8 5F370000    CALL 1.004091C9                                ; \key CALL, step into it
00405A6A  |. 833D 4FD74000 >CMP DWORD PTR DS:[40D74F],1
00405A71  |. 75 62          JNZ SHORT 1.00405AD5
00405A73  |. 66:C705 9FD740>MOV WORD PTR DS:[40D79F],0
00405A7C  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                      ; /Arg1
00405A7F  |. E8 4C300000    CALL 1.00408AD0                                ; \1.00408AD0
00405A84  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                      ; /Arg1
00405A87  |. E8 AC2C0000    CALL 1.00408738                                ; \1.00408738
00405A8C  |. 6A 00          PUSH 0                                         ; /Flags = MF_BYCOMMAND|MF_ENABLED|MF_STRING
00405A8E  |. 68 4C040000    PUSH 44C                                       ; |ItemID = 44C (1100.)
00405A93  |. FF35 84EC4000  PUSH DWORD PTR DS:[40EC84]                     ; |hMenu = ABC00201
00405A99  |. E8 24490000    CALL <JMP.&user32.RemoveMenu>                  ; \RemoveMenu
00405A9E  |. 6A 30          PUSH 30                                        ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405AA0  |. 68 3CC04000    PUSH 1.0040C03C                                ; |Title = "TitleBarClock Pro 5.2"
00405AA5  |. 68 B1C04000    PUSH 1.0040C0B1                                ; |Text = "Thank You!

TitleBarClock Pro

Registration Successful."
00405AAA  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                      ; |hOwner
00405AAD  |. E8 D4480000    CALL <JMP.&user32.MessageBoxA>                 ; \MessageBoxA
00405AB2  |. 6A 00          PUSH 0                                         ; /Flags = MF_BYCOMMAND|MF_ENABLED|MF_STRING
00405AB4  |. FF35 88EC4000  PUSH DWORD PTR DS:[40EC88]                     ; |ItemID = 647C01D3 (1685848531.)
00405ABA  |. FF35 84EC4000  PUSH DWORD PTR DS:[40EC84]                     ; |hMenu = ABC00201
00405AC0  |. E8 1F480000    CALL <JMP.&user32.EnableMenuItem>              ; \EnableMenuItem
00405AC5  |. 6A 00          PUSH 0                                         ; /lParam = 0
00405AC7  |. 6A 00          PUSH 0                                         ; |wParam = 0
00405AC9  |. 6A 10          PUSH 10                                        ; |Message = WM_CLOSE
00405ACB  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                      ; |hWnd
00405ACE  |. E8 FB480000    CALL <JMP.&user32.SendMessageA>                ; \SendMessageA
00405AD3  |. EB 14          JMP SHORT 1.00405AE9
00405AD5  |> 6A 30          PUSH 30                                        ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405AD7  |. 68 3CC04000    PUSH 1.0040C03C                                ; |Title = "TitleBarClock Pro 5.2"
00405ADC  |. 68 9AC04000    PUSH 1.0040C09A                                ; |Text = "Invalid RegNow OrderID"
00405AE1  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                      ; |hOwner
00405AE4  |. E8 9D480000    CALL <JMP.&user32.MessageBoxA>                 ; \MessageBoxA
00405AE9  |> EB 15          JMP SHORT 1.00405B00
00405AEB  |> 3D C80F0000    CMP EAX,0FC8
00405AF0  |. 75 0E          JNZ SHORT 1.00405B00
00405AF2  |. 6A 00          PUSH 0                                         ; /lParam = 0
00405AF4  |. 6A 00          PUSH 0                                         ; |wParam = 0
00405AF6  |. 6A 10          PUSH 10                                        ; |Message = WM_CLOSE
00405AF8  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                      ; |hWnd
00405AFB  |. E8 CE480000    CALL <JMP.&user32.SendMessageA>                ; \SendMessageA
00405B00  |> 33C0           XOR EAX,EAX
00405B02  |. C9             LEAVE
00405B03  \. C2 1000        RETN 10

======================================Inside CALL 00409141==================================================
00409141  /$ 56             PUSH ESI                                       ;  1.0040594B
00409142  |. 57             PUSH EDI
00409143  |. 51             PUSH ECX
00409144  |. C705 4BD74000 >MOV DWORD PTR DS:[40D74B],0                    ;  flag = 0 (accepted) until proven otherwise
0040914E  |. BF B4D94000    MOV EDI,1.0040D9B4                             ;  ASCII "Z526WT491QN387B" (OllyDbg shows the buffer's contents at dump time: the decoded code left by an earlier pass)
00409153  |. 57             PUSH EDI
00409154  |. BE 22DE4000    MOV ESI,1.0040DE22
00409159  |. B9 05000000    MOV ECX,5                                      ;  copy counter
0040915E  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]   ;  copy 5 bytes into the buffer
00409160  |. BE 67E04000    MOV ESI,1.0040E067                             ;  non-printable bytes
00409165  |. B9 05000000    MOV ECX,5                                      ;  copy counter
0040916A  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]   ;  copy the next 5 bytes
0040916C  |. BE 92DF4000    MOV ESI,1.0040DF92                             ;  non-printable bytes
00409171  |. B9 05000000    MOV ECX,5                                      ;  copy counter
00409176  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]   ;  copy the last 5 bytes: 15 bytes in total
00409178  |. 5F             POP EDI
00409179  |. 8BF7           MOV ESI,EDI
0040917B  |. E8 21000000    CALL 1.004091A1                                ;  decodes the 15 bytes just assembled, in place; the result is the Regcode. Follow it
00409180  |. BE 82D94000    MOV ESI,1.0040D982                             ;  ASCII "78787878" (the code I typed)
00409185  |. BF B4D94000    MOV EDI,1.0040D9B4                             ;  ASCII "Z526WT491QN387B" (the real code)
0040918A  |. B9 0F000000    MOV ECX,0F                                     ;  count = 15
0040918F  |. F3:A6          REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]  ;  compare all 15 bytes
00409191  |. 74 0A          JE SHORT 1.0040919D                            ;  equal: leave the flag at 0. Different: fall through, and it's over
00409193  |. C705 4BD74000 >MOV DWORD PTR DS:[40D74B],1                    ;  flag = 1 means "Invalid Registration Code"
0040919D  |> 59             POP ECX
0040919E  |. 5F             POP EDI
0040919F  |. 5E             POP ESI
004091A0  \. C3             RETN

Note that REPE CMPS always compares 15 bytes, and the edit box was read with Count = 10h, so it holds at most 15 characters plus a NUL. An entry shorter than 15 characters therefore drags its NUL into the compare and can never match; the typed code has to equal the decoded buffer exactly.

=====================================Inside CALL 004091A1================================================================
004091A1  /$ 56             PUSH ESI
004091A2  |. 57             PUSH EDI
004091A3  |. 8BF7           MOV ESI,EDI                                    ;  1.0040D9B4: source and destination are the same buffer
004091A5  |. B9 0F000000    MOV ECX,0F                                     ;  count = 15
004091AA  |> AC             LODS BYTE PTR DS:[ESI]                         ;  read one byte
004091AB  |. 2C 03          SUB AL,3                                       ;  AL = AL - 3 (8-bit, wraps)
004091AD  |. D0E8           SHR AL,1                                       ;  AL = AL >> 1 (the low bit is lost)
004091AF  |. AA             STOS BYTE PTR ES:[EDI]                         ;  store it back in place
004091B0  |. 49             DEC ECX                                        ;  counter - 1
004091B1  |.^75 F7          JNZ SHORT 1.004091AA                           ;  loop over all 15 bytes
004091B3  |. 5F             POP EDI
004091B4  |. 5E             POP ESI
004091B5  \. C3             RETN

So each byte of the Regcode is (b - 3) >> 1 of the corresponding stored byte, and the stored bytes are simply (c << 1) + 3: a 'Z' (5Ah) is stored as B7h, which is why OllyDbg shows the source chunks as unreadable "special characters". Because SHR drops the low bit, (c << 1) + 4 decodes to the same character, so the stored form is not unique.
By now the Regcode is easy to get, but this program also has requirements on the Order ID, so let me look at that.
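As an added example (not code from the article or from the program), here is the Regcode routine rebuilt in Python from the two listings above: the three 5-byte copies, the in-place (b - 3) >> 1 decode, and the 15-byte compare that sets the flag at 40D74B. The article never prints the bytes at 0040DE22, 0040E067 and 0040DF92, so the chunks used here are constructed by running the decoder backwards over the recovered code; they stand in for the real ones and are labelled as such in the code.

```python
# Added example, not code from the original article: a Python model of the
# Regcode check in TitleBarClock Pro 5.2 as read from the listings of
# CALL 00409141 and CALL 004091A1. The three 5-byte source chunks at
# 0040DE22 / 0040E067 / 0040DF92 are not printed in the article, so
# SAMPLE_CHUNKS is constructed here by running the decoder backwards over
# the recovered code "Z526WT491QN387B" (an assumption, not a dump of the binary).


def decode_regcode(buf: bytes) -> bytes:
    """CALL 004091A1: 15 times LODSB / SUB AL,3 / SHR AL,1 / STOSB, in place.
    Everything is 8-bit, so the subtraction wraps before the shift."""
    if len(buf) != 15:
        raise ValueError("ECX is hard-coded to 0F: the buffer is exactly 15 bytes")
    return bytes(((b - 3) & 0xFF) >> 1 for b in buf)


def encode_regcode(code: bytes, low_bit: int = 0) -> bytes:
    """Inverse of decode_regcode. SHR AL,1 throws the low bit away, so every
    plaintext byte has two valid encodings, (c << 1) + 3 and (c << 1) + 4;
    low_bit selects which one. Only bytes below 0x80 survive the round trip."""
    return bytes((((c << 1) | (low_bit & 1)) + 3) & 0xFF for c in code)


# Constructed stand-ins for the three source chunks (5 bytes each).
SAMPLE_CHUNKS = (
    encode_regcode(b"Z526W"),   # plays the role of the bytes at 0040DE22
    encode_regcode(b"T491Q"),   # plays the role of the bytes at 0040E067
    encode_regcode(b"N387B"),   # plays the role of the bytes at 0040DF92
)


def assemble_regcode(chunks=SAMPLE_CHUNKS) -> bytes:
    """0040914E..0040917B: three REP MOVSB of ECX=5 into 0040D9B4, then the
    in-place decode. Returns what the program compares the user's input to."""
    if len(chunks) != 3 or any(len(c) != 5 for c in chunks):
        raise ValueError("three chunks of five bytes")
    return decode_regcode(b"".join(chunks))


def check_regcode(entered: bytes, chunks=SAMPLE_CHUNKS) -> int:
    """CALL 00409141. Returns the flag stored at 0040D74B:
    0 = accepted, 1 = "Invalid Registration Code".
    The caller fetched the text with GetDlgItemTextA(Count=0x10) into
    0040D982, so the edit box holds at most 15 characters plus a NUL, and
    REPE CMPSB with ECX=0F compares all 15 bytes. An entry shorter than 15
    characters brings its NUL (and whatever followed it) into the compare;
    the bytes after the NUL are assumed to be zero here."""
    expected = assemble_regcode(chunks)
    entered_buf = (entered[:15] + b"\0" * 15)[:15]
    return 0 if entered_buf == expected else 1


if __name__ == "__main__":
    code = assemble_regcode()
    print(code.decode("ascii"))                             # Z526WT491QN387B
    print(check_regcode(b"78787878"), check_regcode(code))  # 1 0
    # High bytes such as B7h for 'Z': the "special characters" in the dump.
    print(SAMPLE_CHUNKS[0].hex())                           # b76d676fb1
```

The round trip through encode_regcode with low_bit=1 shows the point about SHR: two different stored bytes decode to the same character, so a patched binary could carry either form and still yield the same Regcode.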


========================================Inside CALL 004091C9============================================
004091C9  /$ 55             PUSH EBP
004091CA  |. 8BEC           MOV EBP,ESP
004091CC  |. 83C4 FC        ADD ESP,-4
004091CF  |. 56             PUSH ESI
004091D0  |. 57             PUSH EDI
004091D1  |. 51             PUSH ECX
004091D2  |. BE E6D94000    MOV ESI,1.0040D9E6                             ;  ASCII "1234567890-1123-0000" (the Order ID I typed)
004091D7  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]                   ;  ECX = length of the Order ID
004091DA  |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0                     ;  counter of characters before the first '-'
004091E1  |> AC             /LODS BYTE PTR DS:[ESI]                        ;  read one byte of the Order ID
004091E2  |. 3C 2D          |CMP AL,2D                                     ;  is it '-'?
004091E4  |. 74 1B          |JE SHORT 1.00409201                           ;  yes: jump. If your ID has no '-' at all, it's over!
004091E6  |. 3C 39          |CMP AL,39                                     ;  compare with '9'
004091E8  |. 7F 29          |JG SHORT 1.00409213                           ;  above '9': fail (signed compare, so only 3Ah..7Fh is rejected; nothing checks for below '0')
004091EA  |. FF45 FC        |INC DWORD PTR SS:[EBP-4]                      ;  one more character before the '-'
004091ED  |. 49             |DEC ECX
004091EE  |.^75 F1          \JNZ SHORT 1.004091E1
004091F0  |. C705 4FD74000 >MOV DWORD PTR DS:[40D74F],0                    ;  flag = 0: ran out of input without finding a '-'
004091FA  |. 59             POP ECX
004091FB  |. 5F             POP EDI
004091FC  |. 5E             POP ESI
004091FD  |. C9             LEAVE
004091FE  |. C2 0400        RETN 4
00409201  |> 837D FC 0A     CMP DWORD PTR SS:[EBP-4],0A                    ;  0Ah = 10
00409205  |. 75 0C          JNZ SHORT 1.00409213                           ;  if the '-' is not the 11th character, it's over
00409207  |> AC             /LODS BYTE PTR DS:[ESI]                        ;  read the bytes after the first '-'
00409208  |. 3C 2D          |CMP AL,2D                                     ;  is it '-'? There has to be a second one
0040920A  |. 74 18          |JE SHORT 1.00409224                           ;  found it: jump. Nothing forces any characters between the two '-'
0040920C  |. 3C 39          |CMP AL,39                                     ;  above '9'?
0040920E  |. 7F 03          |JG SHORT 1.00409213                           ;  yes: fail
00409210  |. 49             |DEC ECX
00409211  |.^75 F4          \JNZ SHORT 1.00409207                          ;  input exhausted without a second '-': fall into the failure below
00409213  |> C705 4FD74000 >MOV DWORD PTR DS:[40D74F],0                    ;  flag = 0: "Invalid RegNow OrderID"
0040921D  |. 59             POP ECX
0040921E  |. 5F             POP EDI
0040921F  |. 5E             POP ESI
00409220  |. C9             LEAVE
00409221  |. C2 0400        RETN 4
00409224  |> AC             /LODS BYTE PTR DS:[ESI]                        ;  read the bytes after the second '-'
00409225  |. 3C 00          |CMP AL,0                                      ;  terminating NUL?
00409227  |. 74 07          |JE SHORT 1.00409230                           ;  yes: accept
00409229  |. 3C 39          |CMP AL,39                                     ;  above '9'?
0040922B  |.^7F E6          |JG SHORT 1.00409213                           ;  yes: fail
0040922D  |. 49             |DEC ECX
0040922E  |.^75 F4          \JNZ SHORT 1.00409224                          ;  counter exhausted: fall through and accept as well
00409230  |> C705 4FD74000 >MOV DWORD PTR DS:[40D74F],1                    ;  flag = 1: Order ID accepted
0040923A  |. 59             POP ECX
0040923B  |. 5F             POP EDI
0040923C  |. 5E             POP ESI
0040923D  |. C9             LEAVE
0040923E  \. C2 0400        RETN 4

To sum up the Order ID requirements: ten characters, then '-' as the 11th character, then any number of further characters (including none), then a second '-', then whatever you like up to the end of the string. The only test applied to the characters themselves is CMP AL,39 / JG, so "digit" here really means "not greater than '9'": 0-9 is the sane choice, but a space or a '!' passes just as well, and so does any byte of 80h or above, because the compare is signed.
Example: 1234567890-1123-0000
I'm not good at explaining things, so don't flame me.
That's the whole algorithm; it's fairly simple.
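As an added example, not part of the original article, the following Python models CALL 004091C9 loop by loop: the Order ID text and its length are the only inputs, and the flag value is the output. It keeps the exact exit paths of the listing, including the signed JG compare and the fall-throughs, so candidate Order IDs can be tested without the debugger. The sample IDs at the bottom are constructed for this example.

```python
# Added example, not code from the original article: a Python model of the
# Order ID check in TitleBarClock Pro 5.2, transcribed from the listing of
# CALL 004091C9. It reproduces the three loops and their exit paths exactly,
# including the two quirks the summary in the article points out.


def _above_nine(al: int) -> bool:
    """CMP AL,39 / JG is a *signed* 8-bit compare: bytes 0x80..0xFF read as
    negative and therefore pass, and so does anything below '9' (space,
    '!', '+', '.', control characters). Only 0x3A..0x7F is rejected."""
    signed = al - 0x100 if al >= 0x80 else al
    return signed > 0x39


def check_order_id(order_id: bytes) -> int:
    """Returns the flag stored at 0040D74F: 1 = accepted,
    0 = "Invalid RegNow OrderID".
    order_id is the text GetDlgItemTextA(Count=0x1E) wrote to 0040D9E6, so
    at most 29 bytes; its length (EAX) is what the caller pushes as the
    argument and what the routine loads into ECX."""
    order_id = order_id[:29]          # the edit box cannot hold more than that
    if not order_id:
        # Length 0 makes DEC ECX wrap and the loop walks off the end of the
        # buffer into stale memory; treated as rejected here (assumption).
        return 0
    buf = order_id + b"\0"            # GetDlgItemTextA NUL-terminates
    ecx = len(order_id)
    pos = 0
    count = 0                         # DWORD PTR [EBP-4]

    # Loop 1 (004091E1): count the characters before the first '-'.
    while True:
        al = buf[pos]
        pos += 1
        if al == 0x2D:
            break
        if _above_nine(al):
            return 0                  # 00409213
        count += 1
        ecx -= 1
        if ecx == 0:
            return 0                  # 004091F0: input exhausted, no '-'
    if count != 0x0A:
        return 0                      # 00409201: '-' must be the 11th character

    # Loop 2 (00409207): skip to the second '-'; no minimum number of bytes.
    while True:
        al = buf[pos]
        pos += 1
        if al == 0x2D:
            break
        if _above_nine(al):
            return 0
        ecx -= 1
        if ecx == 0:
            return 0                  # falls into 00409213

    # Loop 3 (00409224): everything up to the NUL must also be <= '9'.
    while True:
        al = buf[pos]
        pos += 1
        if al == 0:
            return 1                  # 00409230
        if _above_nine(al):
            return 0
        ecx -= 1
        if ecx == 0:
            return 1                  # falls through into 00409230


if __name__ == "__main__":
    # Constructed sample inputs: the article's ID, then edge cases.
    for oid in (b"1234567890-1123-0000", b"1234567890-1123", b"123456789-1-0",
                b"1234567890--", b" !!!!!!!!!--", b"12345678\xe9\xe9-1-0"):
        print(oid, check_order_id(oid))
```

The last three sample IDs pass even though they are not what anyone would call a RegNow order number: the routine never checks for a lower bound on the characters, never requires anything between the two dashes, and compares signed bytes.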
================================================================================
Registration info:
Order ID:1234567890-1123-0000
Regcode :Z526WT491QN387B

----------------------------------------------------------------------------------------------
【Cracking notes】

The bytes copied by the string moves at the start of this program may differ from machine to machine, so the decoding of those bytes is the important part.
Writing this up is really tiring: the crack took a little while, but writing it took a lot longer.

----------------------------------------------------------------------------------------------
【Declaration】   I'm just a little rookie; I picked up a few insights and want to share them with everyone :)

【Copyright】     This article is purely for technical exchange. If you repost it, please credit the author and keep the article intact. Thanks!
----------------------------------------------------------------------------------------------
                                                                                 Written 2004-9-7 19:25:11