【Title】: 壁纸雷达 (Wallpaper Radar) 2005b.4 registration algorithm analysis
【Author】: KuNgBiM[DFCG]
【Author e-mail】: gb_1227@163.com
【Software name】: 壁纸雷达 (Wallpaper Radar) 2005b.4
【Written up】: 2005-09-07
【Developer】: http://wallradar.vip.nease.net
【Download】: http://www.shareware.cn/pub/12661.html
【Protection】: registration code + trial feature limitations
【Compiler】: Borland Delphi 6.0 - 7.0
【Debugging environment】: WinXP, PEiD, OllyDbg
【Crack date】: 2005-09-21
【Purpose】: studying the algorithm
【Author's note】: I am a beginner at cracking and only do this out of interest, with no other purpose. If I have made mistakes, I would be grateful for corrections from the experts!
—————————————————————————————————
【Cracking process】:
Detection: checked with PEiD; no packer, compiled with Borland Delphi 6.0 - 7.0.
Probe: run the program, open registration, enter a trial code and confirm. The program reports: "注册码不正确,请查实." (Incorrect registration code, please check.)
After installation the registration dialog is not in the main program, and analysing the main program does not turn up the registration message; registration is handled by "wrmain.exe" in the install directory. Load that program in OD, locate the error string, double-click "注册码不正确,请查实." to arrive at 004D34E2, scroll up to 004D3380 and set a breakpoint there, press F9 to run, and enter the trial code:
****** Trial input ******
Registration code: 1234512345123
**********************
004D3380 55 push ebp ; set breakpoint here, step with F8
004D3381 8BEC mov ebp,esp
004D3383 81C4 F4FEFFFF add esp,-10C
004D3389 53 push ebx
004D338A 56 push esi
004D338B 57 push edi
004D338C 33C9 xor ecx,ecx
004D338E 894D F4 mov dword ptr ss:[ebp-C],ecx
004D3391 894D FC mov dword ptr ss:[ebp-4],ecx
004D3394 8BF0 mov esi,eax
004D3396 33C0 xor eax,eax
004D3398 55 push ebp
004D3399 68 42354D00 push wrmain.004D3542
004D339E 64:FF30 push dword ptr fs:[eax]
004D33A1 64:8920 mov dword ptr fs:[eax],esp
004D33A4 66:C745 FA 4F04 mov word ptr ss:[ebp-6],44F
004D33AA 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004D33AD 8B86 68030000 mov eax,dword ptr ds:[esi+368]
004D33B3 E8 00E0F6FF call wrmain.004413B8
004D33B8 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; trial code into EAX, ASCII "1234512345123"
004D33BB 8D55 FC lea edx,dword ptr ss:[ebp-4]
004D33BE E8 2D5AF3FF call wrmain.00408DF0
004D33C3 8B45 FC mov eax,dword ptr ss:[ebp-4]
004D33C6 E8 C517F3FF call wrmain.00404B90
004D33CB 83F8 0B cmp eax,0B ; compare trial code length with 11
004D33CE 0F8E 2F010000 jle wrmain.004D3503 ; jump if less than or equal; jumping means failure!
004D33D4 33DB xor ebx,ebx
004D33D6 8B45 FC mov eax,dword ptr ss:[ebp-4] ; trial code into EAX again, ASCII "1234512345123"
004D33D9 E8 B217F3FF call wrmain.00404B90
004D33DE 8BD0 mov edx,eax
004D33E0 85D2 test edx,edx
004D33E2 7E 26 jle short wrmain.004D340A
004D33E4 B8 01000000 mov eax,1 ; start counter
004D33E9 8B4D FC mov ecx,dword ptr ss:[ebp-4] ; trial code into ECX, ASCII "1234512345123"
004D33EC 0FB64C01 FF movzx ecx,byte ptr ds:[ecx+eax-1] ; loop start: fetch the hex value of each trial-code character in turn
004D33F1 0FB77D FA movzx edi,word ptr ss:[ebp-6] ; EDI=[ebp-6]=44F
004D33F5 C1EF 08 shr edi,8 ; EDI logically shifted right by 8 bits gives 4
004D33F8 33CF xor ecx,edi ; ECX=ECX xor EDI
004D33FA BF 12000000 mov edi,12 ; 12 -> EDI
004D33FF 2BF8 sub edi,eax ; EDI=EDI-EAX (EAX starts at 1 and increases by 1 each iteration)
004D3401 0FAFCF imul ecx,edi ; ECX=ECX*EDI
004D3404 03D9 add ebx,ecx ; accumulate the result into EBX
004D3406 40 inc eax ; counter +1, points to the next character
004D3407 4A dec edx
004D3408 ^ 75 DF jnz short wrmain.004D33E9 ; *loop back*
004D340A 8B45 FC mov eax,dword ptr ss:[ebp-4] ; trial code into EAX, ASCII "1234512345123"
004D340D 0FB640 05 movzx eax,byte ptr ds:[eax+5] ; 6th character of the trial code into EAX
004D3411 6BC0 13 imul eax,eax,13 ; 6th character of the registration code * 13
004D3414 50 push eax
004D3415 8BC3 mov eax,ebx
004D3417 5A pop edx
004D3418 8BCA mov ecx,edx
004D341A 99 cdq
004D341B F7F9 idiv ecx ; 1C1E/3A3 -> quotient in EAX, remainder in EDX
004D341D 85D2 test edx,edx ; test EDX
004D341F 0F85 AD000000 jnz wrmain.004D34D2 ; jump if EDX is not 0; jumping means failure~
004D3425 6A 00 push 0
004D3427 A1 EC654D00 mov eax,dword ptr ds:[4D65EC]
004D342C 8B00 mov eax,dword ptr ds:[eax]
004D342E E8 5519F3FF call wrmain.00404D88
004D3433 8BC8 mov ecx,eax
004D3435 BA 50354D00 mov edx,wrmain.004D3550 ; 恭喜您,注册成功! 感谢您的支持!!! (Congratulations, registration succeeded! Thank you for your support!!!)
004D343A A1 D0684D00 mov eax,dword ptr ds:[4D68D0]
004D343F 8B00 mov eax,dword ptr ds:[eax]
004D3441 E8 F6E0F8FF call wrmain.0046153C
004D3446 8B86 68030000 mov eax,dword ptr ds:[esi+368]
004D344C B2 01 mov dl,1
004D344E E8 99E6F5FF call wrmain.00431AEC
004D3453 8B86 34030000 mov eax,dword ptr ds:[esi+334]
004D3459 33D2 xor edx,edx
004D345B 8B08 mov ecx,dword ptr ds:[eax]
004D345D FF51 64 call dword ptr ds:[ecx+64]
004D3460 8B86 DC030000 mov eax,dword ptr ds:[esi+3DC]
004D3466 B2 01 mov dl,1
004D3468 E8 7FE6F5FF call wrmain.00431AEC
004D346D 8B86 BC030000 mov eax,dword ptr ds:[esi+3BC]
004D3473 B2 01 mov dl,1
004D3475 8B08 mov ecx,dword ptr ds:[eax]
004D3477 FF51 64 call dword ptr ds:[ecx+64]
004D347A 8B86 E4030000 mov eax,dword ptr ds:[esi+3E4]
004D3480 33D2 xor edx,edx
004D3482 E8 61DFF6FF call wrmain.004413E8
004D3487 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-10C]
004D348D 8B55 FC mov edx,dword ptr ss:[ebp-4]
004D3490 B9 FF000000 mov ecx,0FF
004D3495 E8 D216F3FF call wrmain.00404B6C
004D349A 8D95 F4FEFFFF lea edx,dword ptr ss:[ebp-10C]
004D34A0 A1 9C694D00 mov eax,dword ptr ds:[4D699C]
004D34A5 05 E0000000 add eax,0E0
004D34AA B1 10 mov cl,10
004D34AC E8 27FBF2FF call wrmain.00402FD8
004D34B1 8B86 F0020000 mov eax,dword ptr ds:[esi+2F0]
004D34B7 BA 7C354D00 mov edx,wrmain.004D357C ; 壁纸雷达 (Wallpaper Radar)
004D34BC E8 2752FDFF call wrmain.004A86E8
004D34C1 A1 14664D00 mov eax,dword ptr ds:[4D6614]
004D34C6 C600 01 mov byte ptr ds:[eax],1
004D34C9 8BC6 mov eax,esi
004D34CB E8 50E8FFFF call wrmain.004D1D20
004D34D0 EB 52 jmp short wrmain.004D3524
004D34D2 6A 00 push 0
004D34D4 A1 EC654D00 mov eax,dword ptr ds:[4D65EC]
004D34D9 8B00 mov eax,dword ptr ds:[eax]
004D34DB E8 A818F3FF call wrmain.00404D88
004D34E0 8BC8 mov ecx,eax
004D34E2 BA 88354D00 mov edx,wrmain.004D3588 ; 注册码不正确, 请查实. (Incorrect registration code, please check.)
004D34E7 A1 D0684D00 mov eax,dword ptr ds:[4D68D0]
004D34EC 8B00 mov eax,dword ptr ds:[eax]
004D34EE E8 49E0F8FF call wrmain.0046153C
004D34F3 8B86 68030000 mov eax,dword ptr ds:[esi+368]
004D34F9 8B10 mov edx,dword ptr ds:[eax]
004D34FB FF92 C0000000 call dword ptr ds:[edx+C0]
004D3501 EB 21 jmp short wrmain.004D3524
004D3503 6A 00 push 0
004D3505 A1 EC654D00 mov eax,dword ptr ds:[4D65EC]
004D350A 8B00 mov eax,dword ptr ds:[eax]
004D350C E8 7718F3FF call wrmain.00404D88
004D3511 8BC8 mov ecx,eax
004D3513 BA 88354D00 mov edx,wrmain.004D3588 ; 注册码不正确, 请查实. (Incorrect registration code, please check.)
004D3518 A1 D0684D00 mov eax,dword ptr ds:[4D68D0]
004D351D 8B00 mov eax,dword ptr ds:[eax]
004D351F E8 18E0F8FF call wrmain.0046153C
004D3524 33C0 xor eax,eax
004D3526 5A pop edx
004D3527 59 pop ecx
004D3528 59 pop ecx
004D3529 64:8910 mov dword ptr fs:[eax],edx
004D352C 68 49354D00 push wrmain.004D3549
004D3531 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004D3534 E8 9F13F3FF call wrmain.004048D8
004D3539 8D45 FC lea eax,dword ptr ss:[ebp-4]
004D353C E8 9713F3FF call wrmain.004048D8
004D3541 C3 retn
004D3542 ^ E9 990DF3FF jmp wrmain.004042E0
004D3547 ^ EB E8 jmp short wrmain.004D3531
004D3549 5F pop edi
004D354A 5E pop esi
004D354B 5B pop ebx
004D354C 8BE5 mov esp,ebp
004D354E 5D pop ebp
004D354F C3 retn ; return to the program
-------------------------------------------------------------------------------------------------------------------------
【Algorithm summary】
Registration verification is very simple:
1. The registration code must be at least 12 characters long.
2. Each character of the registration code is first XORed with 4, then multiplied by (12h - its position), and the products are accumulated in a loop; the accumulated sum is divided by (6th character of the registration code * 13h). If it divides evenly, registration succeeds!
3. The registration information is saved in "setcfg.dat" in the install directory; delete it and the trial starts over!
A working registration code computed from this rule: 1234512345126
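The check routine at 004D3380 re-implemented in Python from the listing above, as an added example that is not part of the original write-up. OllyDbg displays immediates in hex, so the 12 and 13 of the summary are 18 and 19 in decimal; the intermediate values 1C1E and 3A3 noted in the listing come out of the same code, which confirms the reconstruction.

```python
# Added example (not the original author's code): a re-implementation of the
# wrmain.exe registration check at 004D3380, reconstructed from the listing.
# OllyDbg immediates are hex: 0B = 11, 12h = 18, 13h = 19.

MIN_LEN = 0x0B        # cmp eax,0B / jle -> lengths <= 11 are rejected
XOR_KEY = 0x44F >> 8  # word [ebp-6] = 44F, shr edi,8 -> 4
WEIGHT_BASE = 0x12    # mov edi,12 -> 18
DIVISOR_MUL = 0x13    # imul eax,eax,13 -> 19


def weighted_sum(code: str) -> int:
    """Loop 004D33E9..004D3408: sum over i = 1..len of ((byte_i ^ 4) * (18 - i)).

    Delphi strings are byte strings, so the code is handled as latin-1 bytes.
    Weights go negative from the 18th character on, exactly as the 32-bit
    loop does; the sum stays far below 2**31 for any realistic length.
    """
    total = 0
    for i, ch in enumerate(code.encode("latin-1"), start=1):
        total += (ch ^ XOR_KEY) * (WEIGHT_BASE - i)
    return total


def divisor(code: str) -> int:
    """movzx eax,byte [eax+5]; imul eax,eax,13 -> 6th character times 19."""
    return ord(code[5]) * DIVISOR_MUL


def check_registration_code(code: str) -> bool:
    """True when wrmain.exe would accept the code (idiv remainder is zero).

    Note what makes this scheme weak: the divisor is derived from the code
    itself and the whole check is one linear congruence, so there is no secret
    for a defender to protect; the string only has to satisfy the congruence.
    """
    if len(code) <= MIN_LEN:
        return False
    return weighted_sum(code) % divisor(code) == 0


if __name__ == "__main__":
    # The trial code from the write-up and the code the author derived.
    for c in ("1234512345123", "1234512345126"):
        print(c, hex(weighted_sum(c)), hex(divisor(c)), check_registration_code(c))
```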
============================================================================================
【Registration information】:
Registration code (serial number): 1234512345126
--------------------------------------------------------------------------------------------
Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------------------------
Cracked By KuNgBiM[DFCG]
2005-09-21
01:00:00 AM