【破文标题】:HTML2TXT V4.1.050202 注册算法分析 + VB注册机
【破文作者】:KuNgBiM[DFCG]
【作者邮箱】:gb_1227@163.com
【软件名称】:HTML2TXT V4.1.050202
【软件大小】:676 KB
【软件语言】:英文
【软件类别】:国外软件 / 试用版 / 文字处理
【整理时间】:2005-07-04
【开 发 商】:http://www.infomedia.it/artic/Baccan/
【下载地址】:http://www.skycn.com/soft/20971.html
【保护方式】:注册码 + 启动NAG + 功能限制 + 重启验证
【编译语言】:Borland Delphi 6.0 - 7.0
【调试环境】:WinXP、PEiD、W32Dasm、Ollydbg
【破解日期】:2005-11-02
【破解目的】:研究算法分析
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
—————————————————————————————————
【破解过程】:
侦测:用PEiD查壳,无壳,Borland Delphi 6.0 - 7.0 编译。
试探:运行主程序注册,输入试炼码,确认!程序提示:"Thanks. You registration code will be checked when you start this application again."
BTW:但正确注册关键提示不在此处!在"Unregistered Copy" 这个信息!
对症下药:Ollydbg载入主程序,用查找字符串插件查找"Unregistered Copy" 这个信息!双击来到 004A67C4 处下断,一路F9运行,直到程序运行,先取消注册,然后再手动点击选项,输入试炼信息:
************ 试炼信息 *************
Registered Email:gb_1227@163.com
Registration Code:9876543210
***********************************
; Registration check run at start-up (excerpt: the routine begins before 004A67AC, its prologue is not shown).
; Flow visible here: default to "Unregistered Copy", read Email and Code from section "Register" of h2t.ini,
; append "h2t" to the e-mail, derive the expected code, compare it with the stored code, and set the byte
; at 4ADC58 to 1 only when the two match.
; Design weakness this listing illustrates: the complete expected code is produced inside the client and the
; outcome is one conditional branch guarding a global flag, so nothing in the check depends on a secret.
004A67AC 55 push ebp ; author's breakpoint; this push and the next three instructions install an exception frame (handler 004A6884)
004A67AD 68 84684A00 push h2t.004A6884
004A67B2 64:FF30 push dword ptr fs:[eax]
004A67B5 64:8920 mov dword ptr fs:[eax],esp
004A67B8 C605 58DC4A00 0>mov byte ptr ds:[4ADC58],0 ; clear the flag byte that 004A684E sets on a match (presumably the "registered" flag)
004A67BF B8 5CDC4A00 mov eax,h2t.004ADC5C
004A67C4 BA 9C684A00 mov edx,h2t.004A689C ; ASCII "Unregistered Copy"
004A67C9 E8 0ADEF5FF call h2t.004045D8 ; presumably a string assignment: global at 4ADC5C := "Unregistered Copy"
004A67CE 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004A67D1 B9 B8684A00 mov ecx,h2t.004A68B8 ; author: looks for the registration file; ASCII "h2t.ini"
004A67D6 8B15 54DC4A00 mov edx,dword ptr ds:[4ADC54] ; author: expected in the install directory; ASCII "F:\HTML2TXT\"
004A67DC E8 AFE0F5FF call h2t.00404890 ; presumably joins directory and file name into [ebp-C]
004A67E1 8B4D F4 mov ecx,dword ptr ss:[ebp-C] ; ASCII "F:\HTML2TXT\h2t.ini"
004A67E4 B2 01 mov dl,1 ; sets dl to 1; the author's note "dl=54 ('T')" is presumably the register value shown before this instruction ran
004A67E6 A1 48334200 mov eax,dword ptr ds:[423348]
004A67EB E8 10CCF7FF call h2t.00423400 ; author: fetches the "Registered Email". NOTE(review): the result is kept in ebx and used as the object for the two indirect calls below, so this more likely opens the INI file - confirm
004A67F0 8BD8 mov ebx,eax
004A67F2 6A 00 push 0
004A67F4 8D45 FC lea eax,dword ptr ss:[ebp-4]
004A67F7 50 push eax
004A67F8 B9 C8684A00 mov ecx,h2t.004A68C8 ; ASCII "Email"
004A67FD BA D8684A00 mov edx,h2t.004A68D8 ; ASCII "Register"
004A6802 8BC3 mov eax,ebx
004A6804 8B30 mov esi,dword ptr ds:[eax]
004A6806 FF16 call dword ptr ds:[esi] ; indirect call through the object's first table entry; presumably reads key "Email" of section "Register" into [ebp-4]
004A6808 6A 00 push 0
004A680A 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004A680D 50 push eax
004A680E B9 EC684A00 mov ecx,h2t.004A68EC ; ASCII "Code"
004A6813 BA D8684A00 mov edx,h2t.004A68D8 ; ASCII "Register"
004A6818 8BC3 mov eax,ebx
004A681A 8B30 mov esi,dword ptr ds:[eax]
004A681C FF16 call dword ptr ds:[esi] ; same indirect call; presumably reads key "Code" of section "Register" into [ebp-8]
004A681E 8D45 FC lea eax,dword ptr ss:[ebp-4]
004A6821 BA FC684A00 mov edx,h2t.004A68FC ; fixed suffix; ASCII "h2t"
004A6826 E8 21E0F5FF call h2t.0040484C ; author: concatenates Registered Email + "h2t" (destination is the string at [ebp-4])
004A682B 8D55 E0 lea edx,dword ptr ss:[ebp-20]
004A682E 8B45 FC mov eax,dword ptr ss:[ebp-4]
004A6831 E8 A6F8FFFF call h2t.004A60DC ; author: checks that the concatenation succeeded. NOTE(review): it takes the string in eax and a buffer at [ebp-20] from which the next call reads 16 bytes, so this is presumably where the digest is computed - confirm
004A6836 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004A6839 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004A683C E8 0FF9FFFF call h2t.004A6150 ; author: the algorithm call, stepped into below; input is the buffer at [ebp-20], output the string at [ebp-10]
004A6841 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; expected code as computed by the program
004A6844 8B55 F8 mov edx,dword ptr ss:[ebp-8] ; code read from h2t.ini, i.e. what the user entered
004A6847 E8 44E1F5FF call h2t.00404990 ; comparison of the two strings (the author does not step into it)
004A684C 75 14 jnz short h2t.004A6862 ; not equal -> skip the flag write; the author marks this single branch as the point where the check can be patched out
004A684E C605 58DC4A00 0>mov byte ptr ds:[4ADC58],1 ; match: set the flag byte cleared at 004A67B8
004A6855 B8 5CDC4A00 mov eax,h2t.004ADC5C
004A685A 8B55 FC mov edx,dword ptr ss:[ebp-4]
004A685D E8 76DDF5FF call h2t.004045D8 ; same routine as at 004A67C9; stores the string from [ebp-4] in the global at 4ADC5C
004A6862 8BC3 mov eax,ebx ; the mismatch branch lands here (author: check failed)
004A6864 E8 57CFF5FF call h2t.004037C0 ; called with the object returned by 00423400; presumably releases it
004A6869 33C0 xor eax,eax
004A686B 5A pop edx
004A686C 59 pop ecx
004A686D 59 pop ecx
004A686E 64:8910 mov dword ptr fs:[eax],edx ; unlink the exception frame installed at 004A67AC
004A6871 68 8B684A00 push h2t.004A688B
004A6876 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004A6879 BA 04000000 mov edx,4
004A687E E8 25DDF5FF call h2t.004045A8 ; presumably clears the 4 string locals starting at [ebp-10]
004A6883 C3 retn
........
========================= 跟进 004A683C E8 0FF9FFFF call h2t.004A6150 =========================
; Routine at 004A6150, called from 004A683C with eax = address of a 16-byte buffer and edx = address of the result string.
; Visible behaviour: copy the 16 bytes to a local, then for each byte look up its high and its low nibble in the
; table at 4ABDD0 and append the two characters to the result. The table contents are not shown; presumably hex digits.
004A6150 55 push ebp ; entry point (author: stepped in to here)
004A6151 8BEC mov ebp,esp
004A6153 83C4 E8 add esp,-18
004A6156 53 push ebx
004A6157 56 push esi
004A6158 57 push edi
004A6159 33C9 xor ecx,ecx
004A615B 894D EC mov dword ptr ss:[ebp-14],ecx ; zero the two temporaries at [ebp-14] and [ebp-18]
004A615E 894D E8 mov dword ptr ss:[ebp-18],ecx
004A6161 8BF0 mov esi,eax ; esi = caller's 16-byte buffer
004A6163 8D7D F0 lea edi,dword ptr ss:[ebp-10] ; edi = local copy at [ebp-10]
004A6166 A5 movs dword ptr es:[edi],dword ptr ds:[esi] ; copy dword 1 of 4. Author: "standard MD5 constant 1". NOTE(review): movs copies the caller's data, so these are presumably the four 32-bit words of the digest rather than constants - confirm
004A6167 A5 movs dword ptr es:[edi],dword ptr ds:[esi] ; copy dword 2 of 4 (author: MD5 constant 2)
004A6168 A5 movs dword ptr es:[edi],dword ptr ds:[esi] ; copy dword 3 of 4 (author: MD5 constant 3)
004A6169 A5 movs dword ptr es:[edi],dword ptr ds:[esi] ; copy dword 4 of 4 (author: MD5 constant 4)
004A616A 8BFA mov edi,edx ; edi = address of the result string
004A616C 33C0 xor eax,eax
004A616E 55 push ebp ; install an exception frame (handler 004A61EA)
004A616F 68 EA614A00 push h2t.004A61EA
004A6174 64:FF30 push dword ptr fs:[eax]
004A6177 64:8920 mov dword ptr fs:[eax],esp
004A617A 8BC7 mov eax,edi
004A617C E8 03E4F5FF call h2t.00404584 ; called on the result string before the loop; presumably clears it
004A6181 B3 10 mov bl,10 ; loop counter: 10h = 16 bytes
004A6183 8D75 F0 lea esi,dword ptr ss:[ebp-10] ; esi walks the local copy
004A6186 FF37 push dword ptr ds:[edi] ; loop top: push the current result string
004A6188 8D45 EC lea eax,dword ptr ss:[ebp-14]
004A618B 0FB616 movzx edx,byte ptr ds:[esi] ; current byte
004A618E C1EA 04 shr edx,4 ; keep the high nibble
004A6191 83E2 0F and edx,0F
004A6194 0FB692 D0BD4A00 movzx edx,byte ptr ds:[edx+4ABDD0] ; table lookup for the high nibble
004A619B E8 CCE5F5FF call h2t.0040476C ; presumably turns the character in edx into a string at [ebp-14]
004A61A0 FF75 EC push dword ptr ss:[ebp-14]
004A61A3 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004A61A6 0FB616 movzx edx,byte ptr ds:[esi] ; same byte again
004A61A9 80E2 0F and dl,0F ; keep the low nibble
004A61AC 0FB6D2 movzx edx,dl
004A61AF 0FB692 D0BD4A00 movzx edx,byte ptr ds:[edx+4ABDD0] ; table lookup for the low nibble
004A61B6 E8 B1E5F5FF call h2t.0040476C ; as at 004A619B, result at [ebp-18]
004A61BB FF75 E8 push dword ptr ss:[ebp-18]
004A61BE 8BC7 mov eax,edi
004A61C0 BA 03000000 mov edx,3
004A61C5 E8 3AE7F5FF call h2t.00404904 ; presumably concatenates the 3 pushed strings into the result
004A61CA 46 inc esi ; next byte
004A61CB FECB dec bl
004A61CD ^ 75 B7 jnz short h2t.004A6186 ; repeat until all 16 bytes are encoded
004A61CF 33C0 xor eax,eax
004A61D1 5A pop edx
004A61D2 59 pop ecx
004A61D3 59 pop ecx
004A61D4 64:8910 mov dword ptr fs:[eax],edx ; unlink the exception frame
004A61D7 68 F1614A00 push h2t.004A61F1
004A61DC 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004A61DF BA 02000000 mov edx,2
004A61E4 E8 BFE3F5FF call h2t.004045A8 ; presumably clears the 2 temporaries starting at [ebp-18]
004A61E9 C3 retn ; return to the caller
........
-------------------------------------------------------------------------------------------------------------------------
【算法总结】
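注册验证非常简单:
1.取Registered Email与固定字符串"h2t"相连接组合成新字符串记为KEY
2.对KEY做标准MD5运算,把结果转成32个字符的十六进制串,并以小写输出作为注册码
(即:邮箱+固定信息--->转换为MD5码--->再转为小写--->输出注册码)
SN=LCase(MD5(Email+"h2t"))
从防护设计的角度看:运算所需的全部输入(用户邮箱、固定字符串"h2t"、无密钥的MD5)都在客户端,程序又在本地算出完整的正确注册码再与输入比较,因此这种校验不依赖任何秘密;要避免这一点,注册码应由开发商用私钥签名,程序内只保留公钥做验签。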
【算法注册机代码】
'//////////////////////////////////////////////////////////////////////////////
'/ /
'/ Program Disassembler & Debugger & Cracked /
'/ Author: KuNgBiM[DFCG] /
'/ E-mail: gb_1227@163.com /
'/ OS : WinXP、PEiD、Ollydbg、Visual Basic 6 /
'/ Date : 2005-07-04 /
'/ /
'//////////////////////////////////////////////////////////////////////////////
'/ Note : If you have one or more question, email me please,thank you! /
'//////////////////////////////////////////////////////////////////////////////
'窗体部分
Option Explicit
Private Sub Command1_Click()
' Click handler of the form: takes the e-mail text from Text1, hashes it together
' with the fixed suffix "h2t", and shows the lower-cased result in Text2.
' Every input used here is either supplied by the user (the e-mail) or a constant
' embedded in the client ("h2t", unkeyed MD5); the scheme contains no secret.
Set c1 = New clsMD5 ' create an instance of the MD5 class module
sn = c1.Md5_String_Calc(Text1.Text + "h2t") ' hex digest of the e-mail text followed by "h2t"
Text2.Text = LCase(sn) ' lower-case the digest string and write it to Text2
End Sub
'类模块部分,模块名称:clsMD5
Option Explicit
' 2^32 and 2^31 - 1: used by UnsignedToLong / LongToUnsigned to map between
' unsigned 32-bit values held in a Double and VB's signed Long.
Private Const OFFSET_4 = 4294967296#
Private Const MAXINT_4 = 2147483647
' Chaining state. Declared with upper bound 4; the code in this module uses elements 1..4 only.
Private State(4) As Long
' Number of bytes fed in so far; ByteCounter Mod 64 is the fill level of ByteBuffer.
Private ByteCounter As Long
' One 64-byte input block (indices 0..63).
Private ByteBuffer(63) As Byte
' Rotate counts passed to FF (S1x), GG (S2x), HH (S3x) and II (S4x) in MD5Transform.
Private Const S11 = 7
Private Const S12 = 12
Private Const S13 = 17
Private Const S14 = 22
Private Const S21 = 5
Private Const S22 = 9
Private Const S23 = 14
Private Const S24 = 20
Private Const S31 = 4
Private Const S32 = 11
Private Const S33 = 16
Private Const S34 = 23
Private Const S41 = 6
Private Const S42 = 10
Private Const S43 = 15
Private Const S44 = 21
Property Get RegisterA() As String
    ' First state word, converted from Long to its decimal string form.
    RegisterA = CStr(State(1))
End Property
Property Get RegisterB() As String
    ' Second state word, converted from Long to its decimal string form.
    RegisterB = CStr(State(2))
End Property
Property Get RegisterC() As String
    ' Third state word, converted from Long to its decimal string form.
    RegisterC = CStr(State(3))
End Property
Property Get RegisterD() As String
    ' Fourth state word, converted from Long to its decimal string form.
    RegisterD = CStr(State(4))
End Property
Public Function Md5_String_Calc(SourceString As String) As String
    ' Hashes SourceString and returns the digest string built by GetValues.
    ' The text is hashed as ANSI bytes: StrConv(..., vbFromUnicode) converts with the
    ' system code page, so non-ASCII input can hash differently on different machines.
    Dim lngByteCount As Long

    lngByteCount = LenB(StrConv(SourceString, vbFromUnicode))
    MD5Init
    MD5Update lngByteCount, StringToArray(SourceString)
    MD5Final
    Md5_String_Calc = GetValues
End Function
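Public Function Md5_File_Calc(InFile As String) As String
    ' Hashes the contents of the file InFile and returns the digest string built by GetValues.
    ' File errors (missing file, read failure) are raised to the caller; the file handle
    ' is closed first.
    Dim FileO As Integer
    Dim lngSize As Long, lngFullBlocks As Long, lngTail As Long, lngBlock As Long
    Dim lngErr As Long, strSource As String, strMessage As String

    ' FileLen raises an error for a missing file before the Open is attempted.
    Call FileLen(InFile)
    FileO = FreeFile
    Open InFile For Binary Access Read As #FileO
    On Error GoTo Failed

    MD5Init
    lngSize = LOF(FileO)
    lngFullBlocks = lngSize \ 64
    lngTail = lngSize Mod 64

    ' Every complete 64-byte block is transformed, including the last one when the
    ' file size is an exact multiple of 64.
    For lngBlock = 1 To lngFullBlocks
        Get #FileO, , ByteBuffer
        ByteCounter = ByteCounter + 64
        MD5Transform ByteBuffer
    Next lngBlock

    ' A trailing partial block is only loaded into ByteBuffer; MD5Final pads and
    ' transforms it, using ByteCounter Mod 64 as the number of valid bytes.
    If lngTail > 0 Then
        Get #FileO, , ByteBuffer
    End If
    ByteCounter = ByteCounter + lngTail

    Close #FileO
    On Error GoTo 0
    MD5Final
    Md5_File_Calc = GetValues
    Exit Function

Failed:
    ' Keep the error details, release the handle, then re-raise.
    lngErr = Err.Number
    strSource = Err.Source
    strMessage = Err.Description
    Close #FileO
    Err.Raise lngErr, strSource, strMessage
End Function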
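Private Function StringToArray(InString As String) As Byte()
    ' Returns InString as ANSI bytes (converted with the system code page).
    ' Assigning the StrConv result dimensions the array, so no ReDim is needed.
    Dim bytBuffer() As Byte

    bytBuffer = StrConv(InString, vbFromUnicode)
    StringToArray = bytBuffer
End Function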
Public Function GetValues() As String
    ' Joins State(1)..State(4), each rendered by LongToString, in that order.
    Dim lngWord As Long, strDigest As String

    For lngWord = 1 To 4
        strDigest = strDigest & LongToString(State(lngWord))
    Next lngWord
    GetValues = strDigest
End Function
Private Function LongToString(Num As Long) As String
    ' Renders Num as 8 hex digits (upper case, as returned by Hex), lowest byte first.
    Dim bytPart(3) As Byte, lngI As Long, strHex As String

    bytPart(0) = Num And &HFF&
    bytPart(1) = (Num And &HFF00&) \ 256
    bytPart(2) = (Num And &HFF0000) \ 65536
    ' Top byte: for a negative Num the sign bit is masked off before dividing and
    ' put back afterwards as bit 7 of the byte.
    If Num < 0 Then
        bytPart(3) = ((Num And &H7F000000) \ 16777216) Or &H80&
    Else
        bytPart(3) = (Num And &HFF000000) \ 16777216
    End If

    For lngI = 0 To 3
        ' Left-pad to two digits.
        strHex = strHex & Right$("0" & Hex$(bytPart(lngI)), 2)
    Next lngI
    LongToString = strHex
End Function
Public Sub MD5Init()
    ' Starts a new hash: loads the four initial state words and resets the byte count.
    ' The hex literals are the same 32-bit values as 1732584193, 4023233417,
    ' 2562383102 and 271733878 mapped to signed Longs.
    State(1) = &H67452301
    State(2) = &HEFCDAB89
    State(3) = &H98BADCFE
    State(4) = &H10325476
    ByteCounter = 0
End Sub
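Public Sub MD5Final()
    ' Finishes the hash: appends the padding (&H80 followed by zero bytes) and the
    ' 64-bit message length in bits, low byte first. Afterwards State(1)..State(4)
    ' hold the digest.
    Dim dblBits As Double, padding(72) As Byte, lngBytesBuffered As Long, lngI As Long

    ' Message length in bits, taken before any padding is fed in. Computed as a
    ' Double so that multiplying by 8 cannot overflow a Long.
    dblBits = CDbl(ByteCounter) * 8#
    lngBytesBuffered = ByteCounter Mod 64

    ' At least one padding byte is always written, and the padded data must end
    ' 8 bytes short of a block boundary.
    padding(0) = &H80
    If lngBytesBuffered < 56 Then
        MD5Update 56 - lngBytesBuffered, padding
    Else
        ' 56..63 bytes buffered: the length field no longer fits in this block.
        ' Complete the block first, then add 56 zero bytes of the next one. Two
        ' calls keep each MD5Update within a single block.
        MD5Update 64 - lngBytesBuffered, padding
        padding(0) = 0
        MD5Update 56, padding
    End If

    ' Length field: peel off one byte at a time from the Double, so values that do
    ' not fit in 32 bits are encoded as well.
    For lngI = 0 To 7
        padding(lngI) = dblBits - Int(dblBits / 256#) * 256#
        dblBits = Int(dblBits / 256#)
    Next lngI
    MD5Update 8, padding
End Sub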
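Public Sub MD5Update(InputLen As Long, InputBuffer() As Byte)
    ' Feeds the first InputLen bytes of InputBuffer into the hash. Complete 64-byte
    ' blocks are transformed immediately; the remainder stays in ByteBuffer.
    ' Counters are Long so inputs larger than 32,767 bytes do not overflow.
    Dim lngBuffered As Long, lngRoom As Long, lngPos As Long, lngI As Long

    If InputLen <= 0 Then Exit Sub

    lngBuffered = ByteCounter Mod 64        ' bytes already waiting in ByteBuffer
    lngRoom = 64 - lngBuffered              ' bytes needed to complete that block
    ByteCounter = ByteCounter + InputLen
    lngPos = 0                              ' next unread index in InputBuffer

    If InputLen >= lngRoom Then
        ' Complete and process the partially filled block.
        For lngI = 0 To lngRoom - 1
            ByteBuffer(lngBuffered + lngI) = InputBuffer(lngI)
        Next lngI
        MD5Transform ByteBuffer
        lngPos = lngRoom

        ' Process every further block that is entirely inside the input.
        Do While lngPos + 64 <= InputLen
            For lngI = 0 To 63
                ByteBuffer(lngI) = InputBuffer(lngPos + lngI)
            Next lngI
            MD5Transform ByteBuffer
            lngPos = lngPos + 64
        Loop
        lngBuffered = 0
    End If

    ' Keep the remaining bytes (fewer than 64) for the next call.
    For lngI = 0 To InputLen - lngPos - 1
        ByteBuffer(lngBuffered + lngI) = InputBuffer(lngPos + lngI)
    Next lngI
End Sub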
Private Sub MD5Transform(Buffer() As Byte)
' Processes one 64-byte block: mixes it into State(1)..State(4) through four
' rounds of 16 steps each (FF, GG, HH, II).
' X(16) declares 17 elements; Decode fills X(0)..X(15) with the block's 32-bit words.
Dim X(16) As Long, a As Long, B As Long, C As Long, D As Long
' Work on copies of the state; they are added back at the end.
a = State(1)
B = State(2)
C = State(3)
D = State(4)
Decode 64, X, Buffer
' FF/GG/HH/II are declared as Functions but called as statements: each updates its
' first argument in place (VB passes arguments ByRef by default). The last argument
' is the step constant, written as a signed 32-bit value.
' Round 1: FF, rotate counts S11..S14.
FF a, B, C, D, X(0), S11, -680876936
FF D, a, B, C, X(1), S12, -389564586
FF C, D, a, B, X(2), S13, 606105819
FF B, C, D, a, X(3), S14, -1044525330
FF a, B, C, D, X(4), S11, -176418897
FF D, a, B, C, X(5), S12, 1200080426
FF C, D, a, B, X(6), S13, -1473231341
FF B, C, D, a, X(7), S14, -45705983
FF a, B, C, D, X(8), S11, 1770035416
FF D, a, B, C, X(9), S12, -1958414417
FF C, D, a, B, X(10), S13, -42063
FF B, C, D, a, X(11), S14, -1990404162
FF a, B, C, D, X(12), S11, 1804603682
FF D, a, B, C, X(13), S12, -40341101
FF C, D, a, B, X(14), S13, -1502002290
FF B, C, D, a, X(15), S14, 1236535329
' Round 2: GG, rotate counts S21..S24.
GG a, B, C, D, X(1), S21, -165796510
GG D, a, B, C, X(6), S22, -1069501632
GG C, D, a, B, X(11), S23, 643717713
GG B, C, D, a, X(0), S24, -373897302
GG a, B, C, D, X(5), S21, -701558691
GG D, a, B, C, X(10), S22, 38016083
GG C, D, a, B, X(15), S23, -660478335
GG B, C, D, a, X(4), S24, -405537848
GG a, B, C, D, X(9), S21, 568446438
GG D, a, B, C, X(14), S22, -1019803690
GG C, D, a, B, X(3), S23, -187363961
GG B, C, D, a, X(8), S24, 1163531501
GG a, B, C, D, X(13), S21, -1444681467
GG D, a, B, C, X(2), S22, -51403784
GG C, D, a, B, X(7), S23, 1735328473
GG B, C, D, a, X(12), S24, -1926607734
' Round 3: HH, rotate counts S31..S34.
HH a, B, C, D, X(5), S31, -378558
HH D, a, B, C, X(8), S32, -2022574463
HH C, D, a, B, X(11), S33, 1839030562
HH B, C, D, a, X(14), S34, -35309556
HH a, B, C, D, X(1), S31, -1530992060
HH D, a, B, C, X(4), S32, 1272893353
HH C, D, a, B, X(7), S33, -155497632
HH B, C, D, a, X(10), S34, -1094730640
HH a, B, C, D, X(13), S31, 681279174
HH D, a, B, C, X(0), S32, -358537222
HH C, D, a, B, X(3), S33, -722521979
HH B, C, D, a, X(6), S34, 76029189
HH a, B, C, D, X(9), S31, -640364487
HH D, a, B, C, X(12), S32, -421815835
HH C, D, a, B, X(15), S33, 530742520
HH B, C, D, a, X(2), S34, -995338651
' Round 4: II, rotate counts S41..S44.
II a, B, C, D, X(0), S41, -198630844
II D, a, B, C, X(7), S42, 1126891415
II C, D, a, B, X(14), S43, -1416354905
II B, C, D, a, X(5), S44, -57434055
II a, B, C, D, X(12), S41, 1700485571
II D, a, B, C, X(3), S42, -1894986606
II C, D, a, B, X(10), S43, -1051523
II B, C, D, a, X(1), S44, -2054922799
II a, B, C, D, X(8), S41, 1873313359
II D, a, B, C, X(15), S42, -30611744
II C, D, a, B, X(6), S43, -1560198380
II B, C, D, a, X(13), S44, 1309151649
II a, B, C, D, X(4), S41, -145523070
II D, a, B, C, X(11), S42, -1120210379
II C, D, a, B, X(2), S43, 718787259
II B, C, D, a, X(9), S44, -343485551
' Add the working values back into the state with 32-bit wrap-around.
State(1) = LongOverflowAdd(State(1), a)
State(2) = LongOverflowAdd(State(2), B)
State(3) = LongOverflowAdd(State(3), C)
State(4) = LongOverflowAdd(State(4), D)
End Sub
Private Sub Decode(Length As Integer, OutputBuffer() As Long, InputBuffer() As Byte)
    ' Packs each group of four input bytes, lowest byte first, into one Long of
    ' OutputBuffer. The sum is built as a Double and mapped to a signed Long by
    ' UnsignedToLong.
    Dim intPos As Integer, dblWord As Double

    For intPos = 0 To Length - 1 Step 4
        dblWord = InputBuffer(intPos)
        dblWord = dblWord + InputBuffer(intPos + 1) * 256#
        dblWord = dblWord + InputBuffer(intPos + 2) * 65536#
        dblWord = dblWord + InputBuffer(intPos + 3) * 16777216#
        OutputBuffer(intPos \ 4) = UnsignedToLong(dblWord)
    Next intPos
End Sub
Private Function FF(a As Long, B As Long, C As Long, D As Long, X As Long, S As Long, ac As Long) As Long
    ' Round-1 step. Updates a in place; the function's own return value is never set.
    Dim lngMix As Long

    lngMix = (B And C) Or ((Not B) And D)
    a = LongOverflowAdd(LongLeftRotate(LongOverflowAdd4(a, lngMix, X, ac), S), B)
End Function
Private Function GG(a As Long, B As Long, C As Long, D As Long, X As Long, S As Long, ac As Long) As Long
    ' Round-2 step. Updates a in place; the function's own return value is never set.
    Dim lngMix As Long

    lngMix = (B And D) Or (C And (Not D))
    a = LongOverflowAdd(LongLeftRotate(LongOverflowAdd4(a, lngMix, X, ac), S), B)
End Function
Private Function HH(a As Long, B As Long, C As Long, D As Long, X As Long, S As Long, ac As Long) As Long
    ' Round-3 step. Updates a in place; the function's own return value is never set.
    Dim lngMix As Long

    lngMix = B Xor C Xor D
    a = LongOverflowAdd(LongLeftRotate(LongOverflowAdd4(a, lngMix, X, ac), S), B)
End Function
Private Function II(a As Long, B As Long, C As Long, D As Long, X As Long, S As Long, ac As Long) As Long
    ' Round-4 step. Updates a in place; the function's own return value is never set.
    Dim lngMix As Long

    lngMix = C Xor (B Or (Not D))
    a = LongOverflowAdd(LongLeftRotate(LongOverflowAdd4(a, lngMix, X, ac), S), B)
End Function
Function LongLeftRotate(value As Long, Bits As Long) As Long
    ' Rotates the 32-bit pattern of value left by Bits Mod 32, one bit per pass, so
    ' the doubling never overflows a signed Long.
    ' Both parameters are ByRef and are modified: Bits is reduced Mod 32 and value
    ' ends up holding the rotated result.
    Dim lngStep As Long, blnTopBit As Boolean, blnNextBit As Boolean

    Bits = Bits Mod 32
    If Bits = 0 Then
        LongLeftRotate = value
        Exit Function
    End If

    For lngStep = 1 To Bits
        blnTopBit = (value And &H80000000) <> 0     ' bit 31 wraps round to bit 0
        blnNextBit = (value And &H40000000) <> 0    ' bit 30 becomes the new bit 31
        value = (value And &H3FFFFFFF) * 2
        If blnTopBit Then value = value Or 1
        If blnNextBit Then value = value Or &H80000000
    Next lngStep
    LongLeftRotate = value
End Function
Private Function LongOverflowAdd(Val1 As Long, Val2 As Long) As Long
    ' Adds two Longs with 32-bit wrap-around. The sum is formed in 16-bit halves so
    ' VB never raises an overflow error.
    Dim lngLo As Long, lngHi As Long

    lngLo = (Val1 And &HFFFF&) + (Val2 And &HFFFF&)
    lngHi = (Val1 And &HFFFF0000) \ 65536
    lngHi = lngHi + (Val2 And &HFFFF0000) \ 65536
    ' Carry from the low half goes into the high half, which is then cut to 16 bits.
    lngHi = (lngHi + lngLo \ 65536) And &HFFFF&
    LongOverflowAdd = UnsignedToLong(lngHi * 65536# + (lngLo And &HFFFF&))
End Function
Private Function LongOverflowAdd4(Val1 As Long, Val2 As Long, val3 As Long, val4 As Long) As Long
    ' Adds four Longs with 32-bit wrap-around, in 16-bit halves like LongOverflowAdd.
    Dim lngLo As Long, lngHi As Long

    lngLo = (Val1 And &HFFFF&) + (Val2 And &HFFFF&)
    lngLo = lngLo + (val3 And &HFFFF&) + (val4 And &HFFFF&)
    lngHi = (Val1 And &HFFFF0000) \ 65536 + (Val2 And &HFFFF0000) \ 65536
    lngHi = lngHi + (val3 And &HFFFF0000) \ 65536 + (val4 And &HFFFF0000) \ 65536
    ' Carry from the low half goes into the high half, which is then cut to 16 bits.
    lngHi = (lngHi + lngLo \ 65536) And &HFFFF&
    LongOverflowAdd4 = UnsignedToLong(lngHi * 65536# + (lngLo And &HFFFF&))
End Function
Private Function UnsignedToLong(value As Double) As Long
    ' Maps an unsigned 32-bit value held in a Double to the Long with the same bit
    ' pattern. Raises error 6 (overflow) when value is outside 0 .. OFFSET_4 - 1.
    If value < 0 Then Error 6
    If value >= OFFSET_4 Then Error 6

    If value > MAXINT_4 Then
        UnsignedToLong = value - OFFSET_4
    Else
        UnsignedToLong = value
    End If
End Function
Private Function LongToUnsigned(value As Long) As Double
    ' Inverse of UnsignedToLong: returns the unsigned reading of value as a Double.
    Dim dblResult As Double

    dblResult = value
    If value < 0 Then dblResult = dblResult + OFFSET_4
    LongToUnsigned = dblResult
End Function
'/////////////////////////////////////////////////////////////////////////
============================================================================================
【注册信息】:
Registered Email:gb_1227@163.com
Registration Code:db4fe4675f6920911d1f16bac52475fd
--------------------------------------------------------------------------
版权所有(C)2005 KuNgBiM[DFCG] Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------
Cracked BY KuNgBiM[DFCG]
2005-11-02
12:42:36 AM