【Title】Registration algorithm analysis of Xinhua Warehouse Management Expert
【Author】紫色缘[tfw][pcg]
【Email】Cn_Fish@126.com
【Homepage】www.cniso.org
【Tools】PEiD 0.94, OllyICE
【Platform】Win9x/NT/2000/XP
【Software】**** Warehouse Management Expert
【Size】10MB
【Original download】None
【Protection】Registration code
【Description】Warehouse management
------------------------------------------------------------------------
【Statement】Every time I reply to a thread on the forum I get restricted, which is frustrating. So I thought I would write up a cracking algorithm myself, hoping it gets a featured post. Corrections are welcome wherever I am wrong!
【Cracking process】
First I checked the executable with PEiD: it is written in Borland Delphi 6.0 - 7.0. I then loaded it in OD and searched for the string:
Ultra String Reference+, item 2962
Address=0068A6AA
Disassembly=mov edx, 0068A824
Text string=注册码不正确!请重新输入! (Registration code is incorrect! Please re-enter!)
Having found the reference at 68A6AA, the algorithm is easy to analyse. Scrolling upward, I arrived at the following code:
0068A50B |. 55 push ebp ; set a breakpoint here, then F8 to step through
0068A50C |. 68 CAA76800 push 0068A7CA
0068A511 |. 64:FF30 push dword ptr fs:[eax]
0068A514 |. 64:8920 mov fs:[eax], esp
0068A517 |. 8D45 F4 lea eax, [ebp-C]
0068A51A |. BA E0A76800 mov edx, 0068A7E0 ; fixed string "l4001168" at 68A7E0 loaded into edx
0068A51F |. E8 F0A3D7FF call 00404914
0068A524 |. B2 01 mov dl, 1 ; dl=1
0068A526 |. 8B86 1C030000 mov eax, [esi+31C]
0068A52C |. 8B08 mov ecx, [eax]
0068A52E |. FF91 78010000 call [ecx+178]
0068A534 |. 8B9E 1C030000 mov ebx, [esi+31C]
0068A53A |. 8BC3 mov eax, ebx
0068A53C |. E8 ABBFE3FF call 004C64EC
0068A541 |. 8BC3 mov eax, ebx
0068A543 |. E8 98BFE3FF call 004C64E0
0068A548 |. 8BC3 mov eax, ebx
0068A54A |. E8 2DE4E3FF call 004C897C
0068A54F |. BA F4A76800 mov edx, 0068A7F4 ; field name "cpuid" at 68A7F4 loaded into edx
0068A554 |. 8BC3 mov eax, ebx ; ebx into eax
0068A556 |. E8 91D0E3FF call 004C75EC
0068A55B |. 8D55 FC lea edx, [ebp-4]
0068A55E |. 8B08 mov ecx, [eax]
0068A560 |. FF51 60 call [ecx+60]
0068A563 |. 8D45 E4 lea eax, [ebp-1C]
0068A566 |. 50 push eax ; push eax
0068A567 |. B9 06000000 mov ecx, 6 ; ecx=6
0068A56C |. BA 02000000 mov edx, 2 ; edx=2
0068A571 |. 8B45 FC mov eax, [ebp-4] ; [ebp-4] = first half of the machine code, into eax
0068A574 |. E8 23A8D7FF call 00404D9C ; strip the first and last character
0068A579 |. 8B4D E4 mov ecx, [ebp-1C] ; [ebp-1C] = FEBFBF into ecx; call it CPUID
0068A57C |. 8D45 E8 lea eax, [ebp-18]
0068A57F |. BA 04A86800 mov edx, 0068A804 ; fixed "$"
0068A584 |. E8 07A6D7FF call 00404B90 ; prepend "$" to CPUID, giving $CPUID
0068A589 |. 8B45 E8 mov eax, [ebp-18] ; [ebp-18] into eax
0068A58C |. E8 5FF5D7FF call 00409AF0 ; $CPUID converted to a number (hex)
0068A591 |. 05 50080000 add eax, 850 ; eax = eax + 850h
0068A596 |. 8D3C40 lea edi, [eax+eax*2] ; edi = eax * 3
0068A599 |. 8D55 F0 lea edx, [ebp-10] ; address of [ebp-10] into edx
0068A59C |. 8BC7 mov eax, edi ; edi = 2FC582D into eax
0068A59E |. E8 ADF4D7FF call 00409A50 ; convert to decimal string (%d)
0068A5A3 |. BA 10A86800 mov edx, 0068A810 ; field name "hdid" at 68A810 loaded into edx
0068A5A8 |. 8BC3 mov eax, ebx ; ebx into eax
0068A5AA |. E8 3DD0E3FF call 004C75EC
0068A5AF |. 8D55 F8 lea edx, [ebp-8]
0068A5B2 |. 8B08 mov ecx, [eax]
0068A5B4 |. FF51 60 call [ecx+60]
0068A5B7 |. 8D45 DC lea eax, [ebp-24]
0068A5BA |. 50 push eax
0068A5BB |. B9 06000000 mov ecx, 6
0068A5C0 |. BA 02000000 mov edx, 2
0068A5C5 |. 8B45 F8 mov eax, [ebp-8] ; [ebp-8] = second segment of the machine code, into eax
0068A5C8 |. E8 CFA7D7FF call 00404D9C ; strip the first and last character of the second segment = C5D07F; call it HDID
0068A5CD |. 8B4D DC mov ecx, [ebp-24] ; [ebp-24] = HDID into ecx
0068A5D0 |. 8D45 E0 lea eax, [ebp-20]
0068A5D3 |. BA 04A86800 mov edx, 0068A804 ; fixed "$"
0068A5D8 |. E8 B3A5D7FF call 00404B90 ; prepend the fixed "$"
0068A5DD |. 8B45 E0 mov eax, [ebp-20] ; [ebp-20] = $HDID into eax
0068A5E0 |. E8 0BF5D7FF call 00409AF0 ; $HDID converted to a number (hex)
0068A5E5 |. 05 50080000 add eax, 850 ; eax = eax + 850h
0068A5EA |. 8D3C40 lea edi, [eax+eax*2] ; edi = eax * 3
0068A5ED |. 8D55 EC lea edx, [ebp-14] ; address of [ebp-14] into edx
0068A5F0 |. 8BC7 mov eax, edi ; edi into eax
0068A5F2 |. E8 59F4D7FF call 00409A50 ; convert to decimal string (%d)
0068A5F7 |. 8D55 D4 lea edx, [ebp-2C]
0068A5FA |. 8B86 10030000 mov eax, [esi+310]
0068A600 |. E8 E7AEDCFF call 004554EC ; first segment of the entered (fake) code appears
0068A605 |. 8B45 D4 mov eax, [ebp-2C] ; into eax
0068A608 |. 8D55 D8 lea edx, [ebp-28]
0068A60B |. E8 98EFD7FF call 004095A8
0068A610 |. 8B45 D8 mov eax, [ebp-28] ; first segment of the entered code
0068A613 |. BA E0A76800 mov edx, 0068A7E0 ; fixed first segment of the registration code, l4001168
0068A618 |. E8 6BA6D7FF call 00404C88 ; classic comparison
0068A61D 75 4C jnz short 0068A66B ; if it jumps, it's over; NOP this
0068A61F |. 8D55 CC lea edx, [ebp-34]
0068A622 |. 8B86 20030000 mov eax, [esi+320]
0068A628 |. E8 BFAEDCFF call 004554EC
0068A62D |. 8B45 CC mov eax, [ebp-34]
0068A630 |. 8D55 D0 lea edx, [ebp-30]
0068A633 |. E8 70EFD7FF call 004095A8 ; second segment of the entered code appears
0068A638 |. 8B45 D0 mov eax, [ebp-30] ; into eax
0068A63B |. 8B55 F0 mov edx, [ebp-10] ; code segment derived from CPUID = 50092077 into edx
0068A63E |. E8 45A6D7FF call 00404C88 ; classic comparison
0068A643 75 26 jnz short 0068A66B ; if it jumps, it's over; NOP this
0068A645 |. 8D55 C4 lea edx, [ebp-3C]
0068A648 |. 8B86 24030000 mov eax, [esi+324]
0068A64E |. E8 99AEDCFF call 004554EC
0068A653 |. 8B45 C4 mov eax, [ebp-3C]
0068A656 |. 8D55 C8 lea edx, [ebp-38]
0068A659 |. E8 4AEFD7FF call 004095A8 ; third segment of the entered code appears
0068A65E |. 8B45 C8 mov eax, [ebp-38] ; into eax
0068A661 |. 8B55 EC mov edx, [ebp-14] ; real code segment 38898285 into edx
0068A664 |. E8 1FA6D7FF call 00404C88 ; classic comparison
0068A669 74 55 je short 0068A6C0 ; equal means jump to the success path
0068A66B |> 8B86 10030000 mov eax, [esi+310]
0068A671 |. 8B10 mov edx, [eax]
0068A673 |. FF92 6C020000 call [edx+26C]
0068A679 |. 8B86 20030000 mov eax, [esi+320]
0068A67F |. 8B10 mov edx, [eax]
0068A681 |. FF92 6C020000 call [edx+26C]
0068A687 |. 8B86 24030000 mov eax, [esi+324]
0068A68D |. 8B10 mov edx, [eax]
0068A68F |. FF92 6C020000 call [edx+26C]
0068A695 |. 8B86 10030000 mov eax, [esi+310]
0068A69B |. 8B10 mov edx, [eax]
0068A69D |. FF92 C0000000 call [edx+C0]
0068A6A3 |. 6A 10 push 10
0068A6A5 |. B9 18A86800 mov ecx, 0068A818 ; "警告信息" (warning message box title)
0068A6AA |. BA 24A86800 mov edx, 0068A824 ; "注册码不正确!请重新输入!" (Registration code is incorrect! Please re-enter!)
0068A6AF |. A1 105B6E00 mov eax, [6E5B10]
0068A6B4 |. 8B00 mov eax, [eax]
0068A6B6 |. E8 A5C9DEFF call 00477060
0068A6BB |. E9 C2000000 jmp 0068A782
0068A6C0 |> 8BC3 mov eax, ebx
0068A6C2 |. E8 C1E6E3FF call 004C8D88
0068A6C7 |. 8B86 58030000 mov eax, [esi+358]
0068A6CD |. E8 7673E1FF call 004A1A48
0068A6D2 |. 83C4 F8 add esp, -8
0068A6D5 |. DD1C24 fstp qword ptr [esp]
0068A6D8 |. 9B wait
0068A6D9 |. BA 48A86800 mov edx, 0068A848 ; et
0068A6DE |. 8BC3 mov eax, ebx
0068A6E0 |. E8 07CFE3FF call 004C75EC
0068A6E5 |. 8B10 mov edx, [eax]
0068A6E7 |. FF92 A0000000 call [edx+A0]
0068A6ED |. 8D55 C0 lea edx, [ebp-40]
0068A6F0 |. 8B86 08030000 mov eax, [esi+308]
0068A6F6 |. E8 F1ADDCFF call 004554EC
0068A6FB |. 8B45 C0 mov eax, [ebp-40]
0068A6FE |. 50 push eax
0068A6FF |. BA 54A86800 mov edx, 0068A854 ; "用户名称" (user name)
0068A704 |. 8BC3 mov eax, ebx
0068A706 |. E8 E1CEE3FF call 004C75EC
0068A70B |. 5A pop edx
0068A70C |. 8B08 mov ecx, [eax]
0068A70E |. FF91 B0000000 call [ecx+B0]
0068A714 |. 8D55 BC lea edx, [ebp-44]
0068A717 |. 8B86 0C030000 mov eax, [esi+30C]
0068A71D |. E8 CAADDCFF call 004554EC
0068A722 |. 8B45 BC mov eax, [ebp-44]
0068A725 |. 50 push eax
0068A726 |. BA 68A86800 mov edx, 0068A868 ; "公司名称" (company name)
0068A72B |. 8BC3 mov eax, ebx
0068A72D |. E8 BACEE3FF call 004C75EC
0068A732 |. 5A pop edx
0068A733 |. 8B08 mov ecx, [eax]
0068A735 |. FF91 B0000000 call [ecx+B0]
0068A73B |. BA 7CA86800 mov edx, 0068A87C ; flat
0068A740 |. 8BC3 mov eax, ebx
0068A742 |. E8 A5CEE3FF call 004C75EC
0068A747 |. BA 8CA86800 mov edx, 0068A88C ; "是" (yes)
0068A74C |. 8B08 mov ecx, [eax]
0068A74E |. FF91 B0000000 call [ecx+B0]
0068A754 |. 8BC3 mov eax, ebx
0068A756 |. 8B10 mov edx, [eax]
0068A758 |. FF92 48020000 call [edx+248]
0068A75E |. 8BC3 mov eax, ebx
0068A760 |. E8 87BDE3FF call 004C64EC
0068A765 |. B2 01 mov dl, 1
0068A767 |. 8B86 54030000 mov eax, [esi+354]
0068A76D |. E8 9AACDCFF call 0045540C
0068A772 |. BA 98A86800 mov edx, 0068A898 ; "您已经成功注册本软件,将可以永久使用本软件,谢谢您的支持。" (You have successfully registered this software and may use it permanently. Thank you for your support.)
0068A777 |. 8B86 54030000 mov eax, [esi+354]
0068A77D |. E8 9AADDCFF call 0045551C
0068A782 |> 33C0 xor eax, eax
0068A784 |. 5A pop edx
0068A785 |. 59 pop ecx
0068A786 |. 59 pop ecx
0068A787 |. 64:8910 mov fs:[eax], edx
0068A78A |. 68 D1A76800 push 0068A7D1
0068A78F |> 8D45 BC lea eax, [ebp-44]
0068A792 |. BA 03000000 mov edx, 3
0068A797 |. E8 04A1D7FF call 004048A0
0068A79C |. 8D45 C8 lea eax, [ebp-38]
0068A79F |. E8 D8A0D7FF call 0040487C
0068A7A4 |. 8D45 CC lea eax, [ebp-34]
0068A7A7 |. E8 D0A0D7FF call 0040487C
0068A7AC |. 8D45 D0 lea eax, [ebp-30]
0068A7AF |. E8 C8A0D7FF call 0040487C
0068A7B4 |. 8D45 D4 lea eax, [ebp-2C]
0068A7B7 |. E8 C0A0D7FF call 0040487C
0068A7BC |. 8D45 D8 lea eax, [ebp-28]
0068A7BF |. BA 0A000000 mov edx, 0A
0068A7C4 |. E8 D7A0D7FF call 004048A0
0068A7C9 \. C3 retn
------------------------------------------------------------------------
【Summary】
The registration algorithm has 3 steps:
The machine code appears as 2 segments; after tracing, the first half is taken from the CPUID and the second half from the HDID.
1. The first step produces the fixed string "L4001168", which is the first segment of the registration code. Call it A.
2. The second step takes the CPUID, strips one character from each end, and calls the result CPUID. It then prefixes CPUID with the fixed character "$" (converting it to a number), adds 850, converts to decimal and multiplies by 3. That is the second segment of the registration code. Call it B.
3. The third step takes the HDID, strips one character from each end, and calls the result HDID. It then prefixes HDID with the fixed character "$" (converting it to a number), adds 850, converts to decimal and multiplies by 3. That is the third segment of the registration code. Call it C.
4. Finally, A, B and C joined together form the registration code.
------------------------------------------------------------------------
Here is a rough VB source for a keygen implementing the algorithm:
' Purpose: convert a hexadecimal string to decimal
' Input: Hex (hexadecimal number)
' Input data type: String
' Output: HEX_to_DEC (decimal number)
' Output data type: Long
' Maximum input is 7FFFFFFF, maximum output is 2147483647
Public Function HEX_to_DEC(ByVal Hex As String) As Long
Dim i As Long
Dim B As Long
Hex = UCase(Hex)
' walk the string from the least significant digit, weighting each by 16^(i-1)
For i = 1 To Len(Hex)
Select Case Mid(Hex, Len(Hex) - i + 1, 1)
Case "0": B = B + 16 ^ (i - 1) * 0
Case "1": B = B + 16 ^ (i - 1) * 1
Case "2": B = B + 16 ^ (i - 1) * 2
Case "3": B = B + 16 ^ (i - 1) * 3
Case "4": B = B + 16 ^ (i - 1) * 4
Case "5": B = B + 16 ^ (i - 1) * 5
Case "6": B = B + 16 ^ (i - 1) * 6
Case "7": B = B + 16 ^ (i - 1) * 7
Case "8": B = B + 16 ^ (i - 1) * 8
Case "9": B = B + 16 ^ (i - 1) * 9
Case "A": B = B + 16 ^ (i - 1) * 10
Case "B": B = B + 16 ^ (i - 1) * 11
Case "C": B = B + 16 ^ (i - 1) * 12
Case "D": B = B + 16 ^ (i - 1) * 13
Case "E": B = B + 16 ^ (i - 1) * 14
Case "F": B = B + 16 ^ (i - 1) * 15
End Select
Next i
HEX_to_DEC = B
End Function
------------------------------------------------------------
' Text1/Text2 hold the two machine-code segments; Mid(..., 2, 6) drops the first
' and last character, matching the Copy(s, 2, 6) call seen in the listing.
' &H850 is the hex constant 850 added before the multiply by 3.
Text3.text = "L4001168"
Text4.text = (HEX_to_DEC(Trim(Mid(Text1.text, 2, 6))) + &H850) * 3
Text5.text = (HEX_to_DEC(Trim(Mid(Text2.text, 2, 6))) + &H850) * 3
------------------------------------------------------------
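As an added illustration (not the author's code and not the VB keygen above), here is the registration check recovered from the listing, written out in Python for both the summary steps and the keygen: it shows that the only "secret" is the constant 850h and a multiply by 3, so the scheme gives no real protection. The outer characters of the machine-code segments are not on the page; the sample segments below are constructed, only their middle six characters (FEBFBF and C5D07F) come from the listing.

```python
# Added example modelling the check at 0068A50B-0068A669.
FIXED_SEGMENT = "L4001168"  # constant first segment, as given in the summary
ADDEND = 0x850              # add eax, 850
MULTIPLIER = 3              # lea edi, [eax+eax*2]


def segment_code(machine_segment: str) -> str:
    """Copy(s, 2, 6) -> '$' + hex -> StrToInt -> + 850h -> * 3 -> IntToStr."""
    if len(machine_segment) != 8:
        raise ValueError("machine-code segment must be 8 characters")
    core = machine_segment[1:7]  # drop the first and last character
    value = int(core, 16)        # the '$' prefix makes Delphi parse it as hex
    return str((value + ADDEND) * MULTIPLIER)


def expected_code(cpuid_segment: str, hdid_segment: str) -> tuple:
    """The three segments the program computes before comparing."""
    return (FIXED_SEGMENT, segment_code(cpuid_segment), segment_code(hdid_segment))


def check_registration(cpuid_segment: str, hdid_segment: str, entered) -> bool:
    """Mirrors the three sequential compares at 0068A618, 0068A63E and 0068A664.

    Each jnz after a compare goes to the failure path, so only three exact
    matches reach the success path at 0068A6C0.
    """
    return tuple(entered) == expected_code(cpuid_segment, hdid_segment)


# Constructed sample input: middle six characters taken from the listing,
# outer characters are placeholders.
CPUID_SEGMENT = "1FEBFBF2"
HDID_SEGMENT = "1C5D07F2"

if __name__ == "__main__":
    print(expected_code(CPUID_SEGMENT, HDID_SEGMENT))
```

Running it reproduces the two values the author observed in the debugger, 50092077 and 38898285.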
【Copyright】This article is purely for technical exchange. When reposting, please credit the author and keep the article complete. Thank you!