【破文标题】:Arial CD Ripper V1.4.0 注册算法分析
【破文作者】:KuNgBiM[DFCG]
【作者邮箱】:gb_1227@163.com
【软件名称】:Arial CD Ripper V1.4.0
【软件大小】:1898 KB
【软件语言】:英文
【软件类别】:国外软件 / 共享版 / 音频转换
【整理时间】:2005-11-05
【下载地址】:http://www.skycn.com/soft/17166.html
【软件简介】:抓音轨和音频转换工具,能够把CD转换成MP3,WAV,OGG,FLAC,APE等文件格式,你可以在不损失质量的前提下只转换一条音轨或者转换整个光盘,软机同时具有在不同的音频格式之间互相转换的功能。
【保护方式】:注册码 + 试用功能限制
【编译语言】:Borland Delphi 6.0 - 7.0
【调试环境】:WinXP、PEiD、Ollydbg
【破解日期】:2005-11-08
【破解目的】:研究算法分析
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
—————————————————————————————————
【破解过程】:
侦测:用PEiD查壳,无壳,Borland Delphi 6.0 - 7.0 编译。
试探:运行主程序注册,输入试炼码,确认!程序无提示!
下药:
Ollydbg载入主程序,用字符串插件查找一些关键字符,我们这里找到“Register successfully! Thank you for your support!”,
双击后来到 0057B530 处,然后向上来到 0057B4D0 处F2下断,F9运行,输入试炼信息:
***************** 试炼信息 ******************
Enter User Name:KuNgBiM
Enter registration code:9999999999999999999
*********************************************
0057B4D0 55 push ebp ; 来到这里F2下断!F9运行!
0057B4D1 8BEC mov ebp,esp
0057B4D3 6A 00 push 0
0057B4D5 6A 00 push 0
0057B4D7 53 push ebx
0057B4D8 8BD8 mov ebx,eax
0057B4DA 33C0 xor eax,eax
0057B4DC 55 push ebp
0057B4DD 68 B3B55700 push Arial_CD.0057B5B3
0057B4E2 64:FF30 push dword ptr fs:[eax]
0057B4E5 64:8920 mov dword ptr fs:[eax],esp
0057B4E8 8D55 FC lea edx,dword ptr ss:[ebp-4]
0057B4EB 8B83 14030000 mov eax,dword ptr ds:[ebx+314]
0057B4F1 E8 3EE7ECFF call Arial_CD.00449C34 ; 寄存器全部清零
0057B4F6 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0057B4F9 8B83 1C030000 mov eax,dword ptr ds:[ebx+31C]
0057B4FF E8 30E7ECFF call Arial_CD.00449C34 ; 取用户注册信息
0057B504 A1 80B05800 mov eax,dword ptr ds:[58B080]
0057B509 8B00 mov eax,dword ptr ds:[eax]
0057B50B 8B4D F8 mov ecx,dword ptr ss:[ebp-8] ; 取假码
0057B50E 8B55 FC mov edx,dword ptr ss:[ebp-4] ; 取用户名
0057B511 E8 4EEDFFFF call Arial_CD.0057A264 ; ★关键CALL★F7跟进
0057B516 84C0 test al,al
0057B518 74 7E je short Arial_CD.0057B598 ; 关键跳转
0057B51A A1 80B05800 mov eax,dword ptr ds:[58B080]
0057B51F 8B00 mov eax,dword ptr ds:[eax]
0057B521 8B55 FC mov edx,dword ptr ss:[ebp-4]
0057B524 E8 97F0FFFF call Arial_CD.0057A5C0
0057B529 6A 40 push 40
0057B52B B9 C0B55700 mov ecx,Arial_CD.0057B5C0 ; ASCII "Congratulations!"
0057B530 BA D4B55700 mov edx,Arial_CD.0057B5D4 ; ASCII "Register successfully! Thank you for your support!"
0057B535 A1 A4B35800 mov eax,dword ptr ds:[58B3A4]
0057B53A 8B00 mov eax,dword ptr ds:[eax]
0057B53C E8 7BFBEEFF call Arial_CD.0046B0BC
0057B541 8BC3 mov eax,ebx
0057B543 E8 38C3EEFF call Arial_CD.00467880
0057B548 A1 80B05800 mov eax,dword ptr ds:[58B080]
0057B54D 8B00 mov eax,dword ptr ds:[eax]
0057B54F 8B80 60030000 mov eax,dword ptr ds:[eax+360]
0057B555 B2 01 mov dl,1
0057B557 E8 A007EEFF call Arial_CD.0045BCFC
0057B55C A1 80B05800 mov eax,dword ptr ds:[58B080]
0057B561 8B00 mov eax,dword ptr ds:[eax]
0057B563 8B80 64030000 mov eax,dword ptr ds:[eax+364]
0057B569 B2 01 mov dl,1
0057B56B E8 8C07EEFF call Arial_CD.0045BCFC
0057B570 A1 80B05800 mov eax,dword ptr ds:[58B080]
0057B575 8B00 mov eax,dword ptr ds:[eax]
0057B577 8B80 D4040000 mov eax,dword ptr ds:[eax+4D4]
0057B57D B2 01 mov dl,1
0057B57F E8 7807EEFF call Arial_CD.0045BCFC
0057B584 A1 80B05800 mov eax,dword ptr ds:[58B080]
0057B589 8B00 mov eax,dword ptr ds:[eax]
0057B58B 8B80 D8040000 mov eax,dword ptr ds:[eax+4D8]
0057B591 B2 01 mov dl,1
0057B593 E8 6407EEFF call Arial_CD.0045BCFC
0057B598 33C0 xor eax,eax ; 到这里就挂咯~~
0057B59A 5A pop edx
0057B59B 59 pop ecx
0057B59C 59 pop ecx
0057B59D 64:8910 mov dword ptr fs:[eax],edx
0057B5A0 68 BAB55700 push Arial_CD.0057B5BA
0057B5A5 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0057B5A8 BA 02000000 mov edx,2
0057B5AD E8 3A98E8FF call Arial_CD.00404DEC
0057B5B2 C3 retn ; 完成验证
0057B5B3 ^ E9 7891E8FF jmp Arial_CD.00404730
0057B5B8 ^ EB EB jmp short Arial_CD.0057B5A5
0057B5BA 5B pop ebx
0057B5BB 59 pop ecx
0057B5BC 59 pop ecx
0057B5BD 5D pop ebp
0057B5BE C3 retn ; 返回窗口
........
========================= 跟进 0057B511 E8 4EEDFFFF call Arial_CD.0057A264 =========================
0057A264 55 push ebp ; 跟进来到这里
0057A265 8BEC mov ebp,esp
0057A267 83C4 E4 add esp,-1C
0057A26A 53 push ebx
0057A26B 33DB xor ebx,ebx
0057A26D 895D F4 mov dword ptr ss:[ebp-C],ebx
0057A270 894D F8 mov dword ptr ss:[ebp-8],ecx ; 取假码
0057A273 8955 FC mov dword ptr ss:[ebp-4],edx ; 从EDX中取用户名,ASCII "KuNgBiM"
0057A276 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 从EDX中取用户名后送入EAX
0057A279 E8 EAAFE8FF call Arial_CD.00405268
0057A27E 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 将假码也送入EAX
0057A281 E8 E2AFE8FF call Arial_CD.00405268
0057A286 33C0 xor eax,eax
0057A288 55 push ebp
0057A289 68 D6A25700 push Arial_CD.0057A2D6
0057A28E 64:FF30 push dword ptr fs:[eax]
0057A291 64:8920 mov dword ptr fs:[eax],esp
0057A294 33DB xor ebx,ebx
0057A296 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
0057A299 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 从EAX中取出用户名
0057A29C E8 1F02FFFF call Arial_CD.0056A4C0 ; 检验用户名是否符合要求
0057A2A1 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
0057A2A4 8D55 F4 lea edx,dword ptr ss:[ebp-C]
0057A2A7 E8 8802FFFF call Arial_CD.0056A534 ; ★算法CALL★F7跟进
0057A2AC 8B55 F4 mov edx,dword ptr ss:[ebp-C] ; 获得MD5加密后的用户名代码(真注册码)
0057A2AF 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 取出假码
0057A2B2 E8 0DAFE8FF call Arial_CD.004051C4 ; ★经典比较★
0057A2B7 75 02 jnz short Arial_CD.0057A2BB ; 跳则完蛋!★完美爆破点★
0057A2B9 B3 01 mov bl,1
0057A2BB 33C0 xor eax,eax
0057A2BD 5A pop edx
0057A2BE 59 pop ecx
0057A2BF 59 pop ecx
0057A2C0 64:8910 mov dword ptr fs:[eax],edx
0057A2C3 68 DDA25700 push Arial_CD.0057A2DD
0057A2C8 8D45 F4 lea eax,dword ptr ss:[ebp-C]
0057A2CB BA 03000000 mov edx,3
0057A2D0 E8 17ABE8FF call Arial_CD.00404DEC
0057A2D5 C3 retn ; 注册验证完毕
0057A2D6 ^ E9 55A4E8FF jmp Arial_CD.00404730
0057A2DB ^ EB EB jmp short Arial_CD.0057A2C8
0057A2DD 8BC3 mov eax,ebx
0057A2DF 5B pop ebx
0057A2E0 8BE5 mov esp,ebp
0057A2E2 5D pop ebp
0057A2E3 C3 retn ; 反馈验证信息
........
========================= 跟进 0057A2A7 E8 8802FFFF call Arial_CD.0056A534 =========================
0056A534 55 push ebp ; 跟进后来到这里!(标准MD5算法)
0056A535 8BEC mov ebp,esp
0056A537 83C4 E8 add esp,-18
0056A53A 53 push ebx
0056A53B 56 push esi
0056A53C 57 push edi
0056A53D 33C9 xor ecx,ecx
0056A53F 894D EC mov dword ptr ss:[ebp-14],ecx
0056A542 894D E8 mov dword ptr ss:[ebp-18],ecx
0056A545 8BF0 mov esi,eax
0056A547 8D7D F0 lea edi,dword ptr ss:[ebp-10]
0056A54A A5 movs dword ptr es:[edi],dword ptr ds:[esi] ; 第一个标准常数:A1E9C9CC
0056A54B A5 movs dword ptr es:[edi],dword ptr ds:[esi] ; 第二个标准常数:C5112DDA
0056A54C A5 movs dword ptr es:[edi],dword ptr ds:[esi] ; 第三个标准常数:B95DCE01
0056A54D A5 movs dword ptr es:[edi],dword ptr ds:[esi] ; 第四个标准常数:E5EB4BD0
0056A54E 8BFA mov edi,edx
0056A550 33C0 xor eax,eax
0056A552 55 push ebp
0056A553 68 CFA55600 push Arial_CD.0056A5CF
0056A558 64:FF30 push dword ptr fs:[eax]
0056A55B 64:8920 mov dword ptr fs:[eax],esp
0056A55E 8BC7 mov eax,edi
0056A560 E8 63A8E9FF call Arial_CD.00404DC8
0056A565 B3 10 mov bl,10
0056A567 8D75 F0 lea esi,dword ptr ss:[ebp-10]
0056A56A FF37 push dword ptr ds:[edi] ; MD5循环运算开始
0056A56C 8D45 EC lea eax,dword ptr ss:[ebp-14]
0056A56F 33D2 xor edx,edx
0056A571 8A16 mov dl,byte ptr ds:[esi]
0056A573 C1EA 04 shr edx,4
0056A576 83E2 0F and edx,0F
0056A579 8A92 BCAD5800 mov dl,byte ptr ds:[edx+58ADBC]
0056A57F E8 24AAE9FF call Arial_CD.00404FA8
0056A584 FF75 EC push dword ptr ss:[ebp-14]
0056A587 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0056A58A 8A16 mov dl,byte ptr ds:[esi]
0056A58C 80E2 0F and dl,0F
0056A58F 81E2 FF000000 and edx,0FF
0056A595 8A92 BCAD5800 mov dl,byte ptr ds:[edx+58ADBC]
0056A59B E8 08AAE9FF call Arial_CD.00404FA8
0056A5A0 FF75 E8 push dword ptr ss:[ebp-18]
0056A5A3 8BC7 mov eax,edi
0056A5A5 BA 03000000 mov edx,3
0056A5AA E8 91ABE9FF call Arial_CD.00405140
0056A5AF 46 inc esi
0056A5B0 FECB dec bl
0056A5B2 ^ 75 B6 jnz short Arial_CD.0056A56A ; 向上循环
0056A5B4 33C0 xor eax,eax
0056A5B6 5A pop edx
0056A5B7 59 pop ecx
0056A5B8 59 pop ecx
0056A5B9 64:8910 mov dword ptr fs:[eax],edx
0056A5BC 68 D6A55600 push Arial_CD.0056A5D6
0056A5C1 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0056A5C4 BA 02000000 mov edx,2
0056A5C9 E8 1EA8E9FF call Arial_CD.00404DEC
0056A5CE C3 retn ; 结束运算
0056A5CF ^ E9 5CA1E9FF jmp Arial_CD.00404730
0056A5D4 ^ EB EB jmp short Arial_CD.0056A5C1
0056A5D6 5F pop edi
0056A5D7 5E pop esi
0056A5D8 5B pop ebx
0056A5D9 8BE5 mov esp,ebp
0056A5DB 5D pop ebp
0056A5DC C3 retn ; 返回程序
........
-------------------------------------------------------------------------------------------------------------------------
【算法总结】:
注册验证非常简单:
1、注册码固定为32位。
2、用户名位数必须大于1,记为Name。
3、把用户名进行标准MD5运算转换加密后得到密钥,结果记为KEY。
4、KEY转换为小写输出,则为注册码,结果记为SN。
即:SN = LCase(MD5(Name))
【完美注册验证爆破点】:
0057A2B7 75 02 jnz short Arial_CD.0057A2BB ; nop掉!
-------------------------------------------------------------------------------------------------------------------------
【注册机】:
注册机我就不写了,太简单了。。。
BTW:这么简单的注册验证都有,真实糟蹋了MD5算法!
【注册信息】:
Enter User Name:KuNgBiM
Enter registration code:ccc9e9a1da2d11c501ce5db9d04bebe5
--------------------------------------------------------------------------------------------
版权所有(C)2005 KuNgBiM[DFCG] Copyright (C) 2005 KuNgBiM[DFCG]
--------------------------------------------------------------------------------------------
Cracked By KuNgBiM[DFCG]
2005-11-08
01:55:00 AM