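【Article title】Chinese Character Stroke Order Animator V2.10 algorithm analysis
【Author】tianxj
【Author e-mail】tianxj_2007@126.com
【Author homepage】WwW.ChiNaPYG.CoM
【Tools】PEiD, OD
【Platform】Windows XP
【Software name】Chinese Character Stroke Order Animator V2.10
【Original download】http://www.monkeykingsoft.com/chinese-character-stroke-order-animator/animator210Setup.exe
【Protection】Registration code
【Software description】A program for learning the strokes and stroke order of Chinese characters: it writes each character stroke by stroke (Simplified Chinese stroke order only).
It can write all strokes in one go or one stroke at a time. It can also show every pinyin reading of a character, with recorded human pronunciation, and includes common English definitions of the characters.
The program animates more than 6000 Simplified Chinese characters stroke by stroke.
Made by a foreign developer, $29.50 USD; the unregistered version is a 30-day trial!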
--------------------------------------------------------------
【Cracking details】
--------------------------------------------------------------
**************************************************************
1. Run the program and register with incorrect registration details to see how it reacts; it shows the message "sorry, the registration code is invaild."
**************************************************************
2. Check animator211.exe for a packer with PEiD; it reports Software Compress V1.4 -> BG Software Protect Technologies *
**************************************************************
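3. Debug with the packer still in place; the F12 pause method locates the key routine. There is too much code, so only the algorithm part is posted below.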
==============================================================
00451790 > \55 push ebp
00451791 . 8BEC mov ebp, esp
00451793 . 83EC 0C sub esp, 0C
00451796 . 68 66184000 push 00401866 ; jmp to; SE handler installation
0045179B . 64:A1 0000000>mov eax, dword ptr fs:[0]
004517A1 . 50 push eax
004517A2 . 64:8925 00000>mov dword ptr fs:[0], esp
004517A9 . 81EC A8000000 sub esp, 0A8
004517AF . 53 push ebx
004517B0 . 56 push esi
004517B1 . 57 push edi
004517B2 . 8965 F4 mov dword ptr [ebp-C], esp
004517B5 . C745 F8 50184>mov dword ptr [ebp-8], 00401850
004517BC . 33FF xor edi, edi
004517BE . 897D FC mov dword ptr [ebp-4], edi
004517C1 . 8B45 08 mov eax, dword ptr [ebp+8]
004517C4 . 50 push eax
004517C5 . 8B08 mov ecx, dword ptr [eax]
004517C7 . FF51 04 call dword ptr [ecx+4]
004517CA . 68 B0204000 push 004020B0
004517CF . 897D E8 mov dword ptr [ebp-18], edi
004517D2 . 897D E4 mov dword ptr [ebp-1C], edi
004517D5 . 897D DC mov dword ptr [ebp-24], edi
004517D8 . 897D D8 mov dword ptr [ebp-28], edi
004517DB . 897D D0 mov dword ptr [ebp-30], edi
004517DE . 897D CC mov dword ptr [ebp-34], edi
004517E1 . 897D BC mov dword ptr [ebp-44], edi
004517E4 . 897D AC mov dword ptr [ebp-54], edi
004517E7 . 897D 9C mov dword ptr [ebp-64], edi
004517EA . 897D 8C mov dword ptr [ebp-74], edi
004517ED . 89BD 7CFFFFFF mov dword ptr [ebp-84], edi
004517F3 . 89BD 6CFFFFFF mov dword ptr [ebp-94], edi
004517F9 . 89BD 5CFFFFFF mov dword ptr [ebp-A4], edi
004517FF . FF15 DC104000 call dword ptr [4010DC] ; msvbvm60.__vbaNew
00451805 . 8B35 78104000 mov esi, dword ptr [401078] ; msvbvm60.__vbaObjSet
0045180B . 8D55 D8 lea edx, dword ptr [ebp-28]
0045180E . 50 push eax
0045180F . 52 push edx
00451810 . FFD6 call esi
00451812 . 8B45 10 mov eax, dword ptr [ebp+10]
00451815 . 8D8D 7CFFFFFF lea ecx, dword ptr [ebp-84]
0045181B . 8D55 BC lea edx, dword ptr [ebp-44]
0045181E . 51 push ecx
0045181F . 52 push edx
00451820 . 8945 84 mov dword ptr [ebp-7C], eax
00451823 . C785 7CFFFFFF>mov dword ptr [ebp-84], 4008
0045182D . FF15 B0104000 call dword ptr [4010B0] ; msvbvm60.rtcUpperCaseVar
00451833 . 8B45 14 mov eax, dword ptr [ebp+14] ; // convert the user name to upper case
00451836 . 8D55 BC lea edx, dword ptr [ebp-44]
00451839 . 52 push edx
0045183A . C785 6CFFFFFF>mov dword ptr [ebp-94], 8
00451844 . 8B08 mov ecx, dword ptr [eax]
00451846 . 8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
0045184C . 898D 74FFFFFF mov dword ptr [ebp-8C], ecx
00451852 . 8D4D AC lea ecx, dword ptr [ebp-54]
00451855 . 50 push eax
00451856 . 51 push ecx
00451857 . FF15 0C114000 call dword ptr [40110C] ; msvbvm60.__vbaVarCat
0045185D . 50 push eax ; // concatenate the upper-case user name with "Chinese Character Stroke Order Animator v2.10"
0045185E . FF15 24104000 call dword ptr [401024] ; msvbvm60.__vbaStrVarMove
00451864 . 8B1D 84114000 mov ebx, dword ptr [401184] ; msvbvm60.__vbaStrMove
0045186A . 8BD0 mov edx, eax
0045186C . 8D4D D0 lea ecx, dword ptr [ebp-30]
0045186F . FFD3 call ebx
00451871 . 8B45 D8 mov eax, dword ptr [ebp-28]
00451874 . 8D4D CC lea ecx, dword ptr [ebp-34]
00451877 . 51 push ecx
00451878 . 8D4D D0 lea ecx, dword ptr [ebp-30]
0045187B . 8B10 mov edx, dword ptr [eax]
0045187D . 51 push ecx
0045187E . 50 push eax
0045187F . FF52 1C call dword ptr [edx+1C] ; // take the MD5 of the concatenated string, lower case
00451882 . 3BC7 cmp eax, edi
00451884 . DBE2 fclex
00451886 . 7D 12 jge short 0045189A
00451888 . 8B55 D8 mov edx, dword ptr [ebp-28]
0045188B . 6A 1C push 1C
0045188D . 68 0C7F4000 push 00407F0C
00451892 . 52 push edx
00451893 . 50 push eax
00451894 . FF15 58104000 call dword ptr [401058] ; msvbvm60.__vbaHresultCheckObj
0045189A > 8B55 CC mov edx, dword ptr [ebp-34] ; // MD5 value, lower case
0045189D . 8D4D E4 lea ecx, dword ptr [ebp-1C]
004518A0 . 897D CC mov dword ptr [ebp-34], edi
004518A3 . FFD3 call ebx
004518A5 . 8D4D D0 lea ecx, dword ptr [ebp-30]
004518A8 . FF15 B0114000 call dword ptr [4011B0] ; msvbvm60.__vbaFreeStr
004518AE . 8B1D 2C104000 mov ebx, dword ptr [40102C] ; msvbvm60.__vbaFreeVarList
004518B4 . 8D45 AC lea eax, dword ptr [ebp-54]
004518B7 . 8D4D BC lea ecx, dword ptr [ebp-44]
004518BA . 50 push eax
004518BB . 51 push ecx
004518BC . 6A 02 push 2
004518BE . FFD3 call ebx
004518C0 . 83C4 0C add esp, 0C
004518C3 . 68 0C7F4000 push 00407F0C
004518C8 . 57 push edi
004518C9 . FF15 88114000 call dword ptr [401188] ; msvbvm60.__vbaCastObj
004518CF . 8D55 D8 lea edx, dword ptr [ebp-28]
004518D2 . 50 push eax
004518D3 . 52 push edx
004518D4 . FFD6 call esi
004518D6 . BA E06C4000 mov edx, 00406CE0
004518DB . 8D4D E8 lea ecx, dword ptr [ebp-18]
004518DE . FF15 40114000 call dword ptr [401140] ; msvbvm60.__vbaStrCopy
004518E4 . BF 01000000 mov edi, 1 ; //edi=1
004518E9 > B8 10000000 mov eax, 10
004518EE . 3BF8 cmp edi, eax
004518F0 . 0F8F 47010000 jg 00451A3D
004518F6 . 8BD7 mov edx, edi ; //edx=edi
004518F8 . B8 02000000 mov eax, 2 ; //eax=2
004518FD . 6BD2 02 imul edx, edx, 2 ; //edx=edx*2
00451900 . 8945 C4 mov dword ptr [ebp-3C], eax
00451903 . 8945 BC mov dword ptr [ebp-44], eax
00451906 . 0F80 C1010000 jo 00451ACD
0045190C . 8D45 E4 lea eax, dword ptr [ebp-1C]
0045190F . 8D4D BC lea ecx, dword ptr [ebp-44]
00451912 . 83EA 01 sub edx, 1 ; //edx=edx-1
00451915 . 8945 84 mov dword ptr [ebp-7C], eax
00451918 . 51 push ecx
00451919 . 8D85 7CFFFFFF lea eax, dword ptr [ebp-84]
0045191F . 0F80 A8010000 jo 00451ACD
00451925 . 52 push edx
00451926 . 8D4D AC lea ecx, dword ptr [ebp-54]
00451929 . 50 push eax
0045192A . 51 push ecx
0045192B . C785 64FFFFFF>mov dword ptr [ebp-9C], 0040826C ; UNICODE "&H"
00451935 . C785 5CFFFFFF>mov dword ptr [ebp-A4], 8
0045193F . C785 7CFFFFFF>mov dword ptr [ebp-84], 4008
00451949 . FF15 A0104000 call dword ptr [4010A0] ; msvbvm60.rtcMidCharVar
0045194F . 8D95 5CFFFFFF lea edx, dword ptr [ebp-A4] ; // take 2 characters each time
00451955 . 8D45 AC lea eax, dword ptr [ebp-54]
00451958 . 52 push edx
00451959 . 8D4D 9C lea ecx, dword ptr [ebp-64]
0045195C . 50 push eax
0045195D . 51 push ecx
0045195E . FF15 0C114000 call dword ptr [40110C] ; msvbvm60.__vbaVarCat
00451964 . 50 push eax ; // concatenate with "&H"
00451965 . FF15 A8114000 call dword ptr [4011A8] ; msvbvm60.__vbaI4ErrVar
0045196B . 8BF0 mov esi, eax ; // convert the characters to a hexadecimal number
0045196D . 81E6 1F000080 and esi, 8000001F ; // AND the hexadecimal number with 1Fh
00451973 . 79 05 jns short 0045197A
00451975 . 4E dec esi
00451976 . 83CE E0 or esi, FFFFFFE0
00451979 . 46 inc esi
0045197A > 8D55 9C lea edx, dword ptr [ebp-64]
0045197D . 8D45 9C lea eax, dword ptr [ebp-64]
00451980 . 52 push edx
00451981 . 8D4D AC lea ecx, dword ptr [ebp-54]
00451984 . 50 push eax
00451985 . 8D55 BC lea edx, dword ptr [ebp-44]
00451988 . 51 push ecx
00451989 . 52 push edx
0045198A . 6A 04 push 4
0045198C . FFD3 call ebx
0045198E . 8B45 E8 mov eax, dword ptr [ebp-18]
00451991 . 83C4 14 add esp, 14
00451994 . 8985 64FFFFFF mov dword ptr [ebp-9C], eax
0045199A . B8 08000000 mov eax, 8
0045199F . 8D95 7CFFFFFF lea edx, dword ptr [ebp-84]
004519A5 . 8D4D BC lea ecx, dword ptr [ebp-44]
004519A8 . 8985 5CFFFFFF mov dword ptr [ebp-A4], eax
004519AE . C745 B4 01000>mov dword ptr [ebp-4C], 1
004519B5 . C745 AC 02000>mov dword ptr [ebp-54], 2
004519BC . C745 84 AC664>mov dword ptr [ebp-7C], 004066AC ; UNICODE "0123456789ABCDEFGHJKLMNPQRTUVWXY"
004519C3 . 8985 7CFFFFFF mov dword ptr [ebp-84], eax
004519C9 . FF15 6C114000 call dword ptr [40116C] ; msvbvm60.__vbaVarDup
004519CF . 8D4D AC lea ecx, dword ptr [ebp-54]
004519D2 . 83C6 01 add esi, 1
004519D5 . 51 push ecx
004519D6 . 8D55 BC lea edx, dword ptr [ebp-44]
004519D9 . 0F80 EE000000 jo 00451ACD
004519DF . 56 push esi
004519E0 . 8D45 9C lea eax, dword ptr [ebp-64]
004519E3 . 52 push edx
004519E4 . 50 push eax
004519E5 . FF15 A0104000 call dword ptr [4010A0] ; msvbvm60.rtcMidCharVar
004519EB . 8D8D 5CFFFFFF lea ecx, dword ptr [ebp-A4] ; // pick a character by that value
004519F1 . 8D55 9C lea edx, dword ptr [ebp-64]
004519F4 . 51 push ecx
004519F5 . 8D45 8C lea eax, dword ptr [ebp-74]
004519F8 . 52 push edx
004519F9 . 50 push eax
004519FA . FF15 0C114000 call dword ptr [40110C] ; msvbvm60.__vbaVarCat
00451A00 . 50 push eax ; // append the character
00451A01 . FF15 24104000 call dword ptr [401024] ; msvbvm60.__vbaStrVarMove
00451A07 . 8BD0 mov edx, eax
00451A09 . 8D4D E8 lea ecx, dword ptr [ebp-18]
00451A0C . FF15 84114000 call dword ptr [401184] ; msvbvm60.__vbaStrMove
00451A12 . 8D4D 8C lea ecx, dword ptr [ebp-74]
00451A15 . 8D55 9C lea edx, dword ptr [ebp-64]
00451A18 . 51 push ecx
00451A19 . 8D45 AC lea eax, dword ptr [ebp-54]
00451A1C . 52 push edx
00451A1D . 8D4D BC lea ecx, dword ptr [ebp-44]
00451A20 . 50 push eax
00451A21 . 51 push ecx
00451A22 . 6A 04 push 4
00451A24 . FFD3 call ebx
00451A26 . B8 01000000 mov eax, 1
00451A2B . 83C4 14 add esp, 14
00451A2E . 03C7 add eax, edi
00451A30 . 0F80 97000000 jo 00451ACD
00451A36 . 8BF8 mov edi, eax
00451A38 .^ E9 ACFEFFFF jmp 004518E9 ; // loop
00451A3D > 8B45 0C mov eax, dword ptr [ebp+C]
00451A40 . 8B55 E8 mov edx, dword ptr [ebp-18]
00451A43 . 52 push edx ; // registration code
00451A44 . 8B08 mov ecx, dword ptr [eax]
00451A46 . 51 push ecx ; // code entered for testing
00451A47 . FF15 B8104000 call dword ptr [4010B8] ; msvbvm60.__vbaStrCmp
00451A4D . F7D8 neg eax ; // key comparison
【Cracking summary】
A VB program that uses the MD5 algorithm.
--------------------------------------------------------------
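【Algorithm summary】
Using tianxj as the example:
1. Convert "tianxj" to upper case, giving "TIANXJ", and append "Chinese Character Stroke Order Animator v2.10" to it, forming "TIANXJChinese Character Stroke Order Animator v2.10".
2. Take the MD5 of "TIANXJChinese Character Stroke Order Animator v2.10", which is "1d3466d7584130d896ec9fc6d48b598f".
3. Loop over the characters of "1d3466d7584130d896ec9fc6d48b598f", taking 2 at a time for the calculation. For example: the first pass takes "1d", ANDs it with "1f", and uses the result "1d" as the position at which to pick the character "W" from the string "0123456789ABCDEFGHJKLMNPQRTUVWXY"; the second pass takes "34", ANDs it with "1f", and uses the result "14" as the position at which to pick the character "L" from the string "0123456789ABCDEFGHJKLMNPQRTUVWXY"; and so on. Concatenating the characters gives the registration code "WL6PQ1GQNCY6LBRF".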
--------------------------------------------------------------
【Keygen】
〖VB code〗
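Private Sub Command1_Click()
    ' MD5() is a helper that is not shown here; per the analysis above it returns the lower-case hex digest
    If Len(Text1.Text) = 0 Then
        Text2.Text = "输入有误,请重新输入!"
    Else
        SN = MD5(UCase(Text1.Text) & "Chinese Character Stroke Order Animator v2.10")
        For I = 1 To 16
            ' Each pair of hex digits, ANDed with 31, indexes the 32-character alphabet
            X = ("&H" & Mid(SN, 2 * I - 1, 2)) And 31
            Y = Y & Mid("0123456789ABCDEFGHJKLMNPQRTUVWXY", X + 1, 1)
        Next I
        Text2.Text = Y
    End If
End Sub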
--------------------------------------------------------------
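The check analysed above can be recomputed by anyone who reads the routine, because the name, the constant string and the alphabet all sit in the client and no secret is involved. As an added example (not part of the original write-up and not the vendor's code), here is a verify-only check built on an RSA PKCS#1 v1.5 signature, where the client holds only the public key; the demo key made from two Mersenne primes, the product string used in testing and all function names are constructed for illustration.

```python
import hashlib

# Constructed demo key: two Mersenne primes, so the block runs offline.
# They are publicly known and protect nothing; a real vendor key uses random
# primes, and the private exponent D never ships inside the product.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key: embedded in the client
D = pow(E, -1, (P - 1) * (Q - 1))        # private key: vendor side only
K = (N.bit_length() + 7) // 8            # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(message: bytes) -> int:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA-256(message)."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def _payload(user: str, product: str) -> bytes:
    # Upper-cased name as in the analysed routine, plus an unambiguous
    # separator between the two fields.
    return user.upper().encode("utf-8") + b"\x00" + product.encode("utf-8")


def issue_license(user: str, product: str) -> str:
    """Vendor side: sign the payload with the private exponent."""
    return format(pow(_encode(_payload(user, product)), D, N), "x")


def verify_license(user: str, product: str, license_hex: str) -> bool:
    """Client side: needs only (N, E), so reading it yields no way to sign."""
    try:
        sig = int(license_hex, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    # Rebuild the expected encoding and compare whole values instead of
    # parsing the padding out of the recovered block.
    return pow(sig, E, N) == _encode(_payload(user, product))
```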
Thanks to 飘云, 猫, Nisy and many other seniors for their tutorials, and to all the forum brothers and sisters who have helped me! Thank you.
--------------------------------------------------------------
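【Copyright notice】This write-up is a set of study notes, and interest is the source of success. It is purely for technical exchange; when reposting, please credit the author and keep the article complete. Thanks!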