【Title】: Quick Budget V1.14 - a simple analysis of the registration algorithm
【Author】: 蚊香
【Author's e-mail】: xpi386com@gmail.com
【Author's homepage】: http://www.xpi386.com
【Download】: http://www.justapps.com/download/quickbudget_setup.exe
【Protection】: username + registration code
【Tools used】: OD (OllyDbg), calculator
【Platform】: XP SP3 (unlicensed copy)
【About the software】: a program for quickly budgeting household finances.
【Author's note】: Done purely out of interest, with no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed procedure】
Download and install, then attempt a registration: an error dialog pops up. The first idea is therefore to pause with F12 and inspect the call stack, which quickly locates the key code.
To keep the explanation simple, every fake registration attempt below uses the username 'abcde' and the fake code '123456789'. All computed numbers shown are in hexadecimal.
Code:
00690804 /. 55             push ebp                              ; set a breakpoint with F2, run with F9, step down with F8
00690805 |. 8BEC           mov ebp, esp
00690807 |. 81C4 ECFEFFFF  add esp, -114
0069080D |. 53             push ebx
0069080E |. 33C9           xor ecx, ecx
00690810 |. 898D ECFEFFFF  mov dword ptr [ebp-114], ecx
00690816 |. 898D F4FEFFFF  mov dword ptr [ebp-10C], ecx
0069081C |. 898D F0FEFFFF  mov dword ptr [ebp-110], ecx
00690822 |. 894D FC        mov dword ptr [ebp-4], ecx
00690825 |. 894D F8        mov dword ptr [ebp-8], ecx
00690828 |. 8BD8           mov ebx, eax
0069082A |. 33C0           xor eax, eax
0069082C |. 55             push ebp
0069082D |. 68 8B096900    push 0069098B
00690832 |. 64:FF30        push dword ptr fs:[eax]
00690835 |. 64:8920        mov dword ptr fs:[eax], esp
00690838 |. 8D55 F8        lea edx, dword ptr [ebp-8]
0069083B |. 8B83 FC020000  mov eax, dword ptr [ebx+2FC]
00690841 |. E8 CEFDDDFF    call 00470614                         ; username
00690846 |. 8B45 F8        mov eax, dword ptr [ebp-8]
00690849 |. 8D55 FC        lea edx, dword ptr [ebp-4]
0069084C |. E8 7B95D7FF    call 00409DCC
00690851 |. 8B55 FC        mov edx, dword ptr [ebp-4]
00690854 |. A1 A4EC6900    mov eax, dword ptr [69ECA4]
00690859 |. E8 2247D7FF    call 00404F80
0069085E |. 8D95 F0FEFFFF  lea edx, dword ptr [ebp-110]
00690864 |. 8B83 00030000  mov eax, dword ptr [ebx+300]
0069086A |. E8 A5FDDDFF    call 00470614                         ; fake code
0069086F |. 8B85 F0FEFFFF  mov eax, dword ptr [ebp-110]
00690875 |. 8D95 F4FEFFFF  lea edx, dword ptr [ebp-10C]
0069087B |. E8 4C95D7FF    call 00409DCC
00690880 |. 8B95 F4FEFFFF  mov edx, dword ptr [ebp-10C]
00690886 |. 8D85 F8FEFFFF  lea eax, dword ptr [ebp-108]
0069088C |. B9 FF000000    mov ecx, 0FF                          ; ? unknown 1
00690891 |. E8 3249D7FF    call 004051C8
00690896 |. 8D95 F8FEFFFF  lea edx, dword ptr [ebp-108]
0069089C |. A1 24F36900    mov eax, dword ptr [69F324]
006908A1 |. B1 1E          mov cl, 1E                            ; ? unknown 2
006908A3 |. E8 C02DD7FF    call 00403668                         ; not sure what the two movs above are for ???
006908A8 |. 68 62040000    push 462                              ; the constant 462, which does heavy lifting later, is pushed here
006908AD |. 8D85 ECFEFFFF  lea eax, dword ptr [ebp-114]
006908B3 |. 8B15 24F36900  mov edx, dword ptr [69F324]           ; QuickBud.006A2B14
006908B9 |. E8 D248D7FF    call 00405190
006908BE |. 8B8D ECFEFFFF  mov ecx, dword ptr [ebp-114]
006908C4 |. 8B15 A4EC6900  mov edx, dword ptr [69ECA4]           ; QuickBud.006A2B0C
006908CA |. 8B12           mov edx, dword ptr [edx]
006908CC |. A1 20ED6900    mov eax, dword ptr [69ED20]
006908D1 |. 8B00           mov eax, dword ptr [eax]
006908D3 |. 8B80 A8030000  mov eax, dword ptr [eax+3A8]
006908D9 |. E8 DACCE4FF    call 004DD5B8                         ; key CALL, step in with F7
006908DE |. 84C0           test al, al
006908E0 |. 75 29          jnz short 0069090B                    ; key jump
006908E2 |. 6A 00          push 0
006908E4 |. 66:8B0D 98096> mov cx, word ptr [690998]
006908EB |. B2 01          mov dl, 1
006908ED |. B8 A4096900    mov eax, 006909A4                     ; ASCII "The Registration Code that you provided does not",CR,"match the Name entered."
006908F2 |. E8 09C1DAFF    call 0043CA00
006908F7 |. 48             dec eax
006908F8 |. 75 52          jnz short 0069094C
006908FA |. A1 2C2D6A00    mov eax, dword ptr [6A2D2C]
006908FF |. C780 4C020000> mov dword ptr [eax+24C], 1
00690909 |. EB 41          jmp short 0069094C
0069090B |> 803D 302D6A00> cmp byte ptr [6A2D30], 0
00690912 |. 75 29          jnz short 0069093D
00690914 |. 6A 00          push 0
00690916 |. 66:8B0D 98096> mov cx, word ptr [690998]
0069091D |. B2 03          mov dl, 3
0069091F |. B8 F8096900    mov eax, 006909F8                     ; ASCII "Thank you for Registering Quick Budget."
00690924 |. E8 D7C0DAFF    call 0043CA00
00690929 |. 48             dec eax
0069092A |. 75 20          jnz short 0069094C
0069092C |. A1 2C2D6A00    mov eax, dword ptr [6A2D2C]
00690931 |. C780 4C020000> mov dword ptr [eax+24C], 1
0069093B |. EB 0F          jmp short 0069094C
0069093D |> A1 2C2D6A00    mov eax, dword ptr [6A2D2C]
00690942 |. C780 4C020000> mov dword ptr [eax+24C], 1
0069094C |> 33C0           xor eax, eax
0069094E |. 5A             pop edx
0069094F |. 59             pop ecx
00690950 |. 59             pop ecx
00690951 |. 64:8910        mov dword ptr fs:[eax], edx
00690954 |. 68 92096900    push 00690992
00690959 |> 8D85 ECFEFFFF  lea eax, dword ptr [ebp-114]
0069095F |. E8 C845D7FF    call 00404F2C
00690964 |. 8D85 F0FEFFFF  lea eax, dword ptr [ebp-110]
0069096A |. E8 BD45D7FF    call 00404F2C
0069096F |. 8D85 F4FEFFFF  lea eax, dword ptr [ebp-10C]
00690975 |. E8 B245D7FF    call 00404F2C
0069097A |. 8D45 F8        lea eax, dword ptr [ebp-8]
0069097D |. E8 AA45D7FF    call 00404F2C
00690982 |. 8D45 FC        lea eax, dword ptr [ebp-4]
00690985 |. E8 A245D7FF    call 00404F2C
0069098A \. C3             retn
0069098B .^ E9 D43ED7FF    jmp 00404864
00690990 .^ EB C7          jmp short 00690959
00690992 .  5B             pop ebx
00690993 .  8BE5           mov esp, ebp
00690995 .  5D             pop ebp
00690996 .  C3             retn
Stepping into the call at 006908D9:
Code:
004DD5B8 /$ 55             push ebp
004DD5B9 |. 8BEC           mov ebp, esp
004DD5BB |. 83C4 F4        add esp, -0C
004DD5BE |. 53             push ebx
004DD5BF |. 56             push esi
004DD5C0 |. 57             push edi
004DD5C1 |. 33DB           xor ebx, ebx
004DD5C3 |. 895D F4        mov dword ptr [ebp-C], ebx
004DD5C6 |. 894D F8        mov dword ptr [ebp-8], ecx
004DD5C9 |. 8955 FC        mov dword ptr [ebp-4], edx
004DD5CC |. 8BF8           mov edi, eax
004DD5CE |. 8B75 08        mov esi, dword ptr [ebp+8]            ; ESI = the constant 462
004DD5D1 |. 8B45 FC        mov eax, dword ptr [ebp-4]
004DD5D4 |. E8 037EF2FF    call 004053DC
004DD5D9 |. 8B45 F8        mov eax, dword ptr [ebp-8]
004DD5DC |. E8 FB7DF2FF    call 004053DC
004DD5E1 |. 33C0           xor eax, eax
004DD5E3 |. 55             push ebp
004DD5E4 |. 68 37D64D00    push 004DD637
004DD5E9 |. 64:FF30        push dword ptr fs:[eax]
004DD5EC |. 64:8920        mov dword ptr fs:[eax], esp
004DD5EF |. 33DB           xor ebx, ebx
004DD5F1 |. 837D FC 00     cmp dword ptr [ebp-4], 0
004DD5F5 |. 74 25          je short 004DD61C
004DD5F7 |. 85F6           test esi, esi
004DD5F9 |. 74 21          je short 004DD61C
004DD5FB |. 8D45 F4        lea eax, dword ptr [ebp-C]
004DD5FE |. 50             push eax
004DD5FF |. 8BCE           mov ecx, esi
004DD601 |. 8B55 FC        mov edx, dword ptr [ebp-4]
004DD604 |. 8BC7           mov eax, edi
004DD606 |. E8 8DFEFFFF    call 004DD498                         ; the real code appears after this CALL, step in with F7
004DD60B |. 8B45 F4        mov eax, dword ptr [ebp-C]
004DD60E |. 8B55 F8        mov edx, dword ptr [ebp-8]
004DD611 |. E8 9EF1FFFF    call 004DC7B4                         ; compare the real and fake codes
004DD616 |. 84C0           test al, al
004DD618 |. 74 02          je short 004DD61C                     ; key jump
004DD61A |. B3 01          mov bl, 1                             ; key assignment
004DD61C |> 33C0           xor eax, eax
004DD61E |. 5A             pop edx
004DD61F |. 59             pop ecx
004DD620 |. 59             pop ecx
004DD621 |. 64:8910        mov dword ptr fs:[eax], edx
004DD624 |. 68 3ED64D00    push 004DD63E
004DD629 |> 8D45 F4        lea eax, dword ptr [ebp-C]
004DD62C |. BA 03000000    mov edx, 3
004DD631 |. E8 1A79F2FF    call 00404F50
004DD636 \. C3             retn
004DD637 .^ E9 2872F2FF    jmp 00404864
004DD63C .^ EB EB          jmp short 004DD629
004DD63E .  8BC3           mov eax, ebx                          ; key result passed back to the caller
004DD640 .  5F             pop edi
004DD641 .  5E             pop esi
004DD642 .  5B             pop ebx
004DD643 .  8BE5           mov esp, ebp
004DD645 .  5D             pop ebp
004DD646 .  C2 0400        retn 4
Stepping into the call at 004DD606:
Code:
004DD498 /$ 55             push ebp
004DD499 |. 8BEC           mov ebp, esp
004DD49B |. 6A 00          push 0
004DD49D |. 6A 00          push 0
004DD49F |. 6A 00          push 0
004DD4A1 |. 6A 00          push 0
004DD4A3 |. 6A 00          push 0
004DD4A5 |. 53             push ebx
004DD4A6 |. 56             push esi
004DD4A7 |. 57             push edi
004DD4A8 |. 8BF1           mov esi, ecx
004DD4AA |. 8955 FC        mov dword ptr [ebp-4], edx
004DD4AD |. 8B7D 08        mov edi, dword ptr [ebp+8]
004DD4B0 |. 8B45 FC        mov eax, dword ptr [ebp-4]
004DD4B3 |. E8 247FF2FF    call 004053DC
004DD4B8 |. 33C0           xor eax, eax
004DD4BA |. 55             push ebp
004DD4BB |. 68 9BD54D00    push 004DD59B
004DD4C0 |. 64:FF30        push dword ptr fs:[eax]
004DD4C3 |. 64:8920        mov dword ptr fs:[eax], esp
004DD4C6 |. 837D FC 00     cmp dword ptr [ebp-4], 0              ; is the username length 0?
004DD4CA |. 74 04          je short 004DD4D0
004DD4CC |. 85F6           test esi, esi
004DD4CE |. 75 0C          jnz short 004DD4DC
004DD4D0 |> 8BC7           mov eax, edi
004DD4D2 |. E8 557AF2FF    call 00404F2C
004DD4D7 |. E9 A4000000    jmp 004DD580
004DD4DC |> 8D45 F8        lea eax, dword ptr [ebp-8]
004DD4DF |. E8 487AF2FF    call 00404F2C
004DD4E4 |. 8B45 FC        mov eax, dword ptr [ebp-4]
004DD4E7 |. E8 007DF2FF    call 004051EC                         ; username length = 5
004DD4EC |. 8BD8           mov ebx, eax
004DD4EE |. 0FAFDE         imul ebx, esi                         ; EBX=462*5=15EA
004DD4F1 |. 8B45 FC        mov eax, dword ptr [ebp-4]
004DD4F4 |. 0FB600         movzx eax, byte ptr [eax]             ; first character of the username, a=61
004DD4F7 |. 69C0 842F0100  imul eax, eax, 12F84                  ; EAX=61*12F84=730104
004DD4FD |. 03D8           add ebx, eax                          ; EBX=15EA+730104=7316EE
004DD4FF |. 8D55 F4        lea edx, dword ptr [ebp-C]
004DD502 |. 8BC3           mov eax, ebx
004DD504 |. E8 B3CCF2FF    call 0040A1BC                         ; 7316EE in decimal = 7542510
004DD509 |. 8B55 F4        mov edx, dword ptr [ebp-C]
004DD50C |. 8D45 F8        lea eax, dword ptr [ebp-8]
004DD50F |. B9 B4D54D00    mov ecx, 004DD5B4
004DD514 |. E8 1F7DF2FF    call 00405238
004DD519 |. 8B45 FC        mov eax, dword ptr [ebp-4]
004DD51C |. 0FB600         movzx eax, byte ptr [eax]             ; first character of the username, a=61
004DD51F |. F7EE           imul esi                              ; EAX=61*462=1A922
004DD521 |. 69D8 C8010000  imul ebx, eax, 1C8                    ; EBX=1A922*1C8=2F54490
004DD527 |. FF75 F8        push dword ptr [ebp-8]
004DD52A |. 8D55 F0        lea edx, dword ptr [ebp-10]
004DD52D |. 8BC3           mov eax, ebx
004DD52F |. E8 88CCF2FF    call 0040A1BC                         ; 2F54490 in decimal = 49628304
004DD534 |. FF75 F0        push dword ptr [ebp-10]
004DD537 |. 68 B4D54D00    push 004DD5B4
004DD53C |. 8D45 F8        lea eax, dword ptr [ebp-8]
004DD53F |. BA 03000000    mov edx, 3
004DD544 |. E8 637DF2FF    call 004052AC
004DD549 |. 8B45 FC        mov eax, dword ptr [ebp-4]            ; EAX = username length = 5
004DD54C |. E8 9B7CF2FF    call 004051EC
004DD551 |. 8B55 FC        mov edx, dword ptr [ebp-4]
004DD554 |. 0FB612         movzx edx, byte ptr [edx]             ; first character of the username, a=61
004DD557 |. F7EA           imul edx                              ; EAX=5*61=1E5
004DD559 |. 69D8 2E160000  imul ebx, eax, 162E                   ; EBX=1E5*162E=2A0526
004DD55F |. 03DE           add ebx, esi                          ; EBX=2A0526+462=2A0988
004DD561 |. 8D55 EC        lea edx, dword ptr [ebp-14]
004DD564 |. 8BC3           mov eax, ebx
004DD566 |. E8 51CCF2FF    call 0040A1BC                         ; 2A0988 in decimal = 2754952
004DD56B |. 8B55 EC        mov edx, dword ptr [ebp-14]
004DD56E |. 8D45 F8        lea eax, dword ptr [ebp-8]
004DD571 |. E8 7E7CF2FF    call 004051F4                         ; join the three decimal numbers above with '-'
004DD576 |. 8BC7           mov eax, edi
004DD578 |. 8B55 F8        mov edx, dword ptr [ebp-8]            ; 7542510-49628304-2754952
004DD57B |. E8 007AF2FF    call 00404F80
004DD580 |> 33C0           xor eax, eax
004DD582 |. 5A             pop edx
004DD583 |. 59             pop ecx
004DD584 |. 59             pop ecx
004DD585 |. 64:8910        mov dword ptr fs:[eax], edx
004DD588 |. 68 A2D54D00    push 004DD5A2
004DD58D |> 8D45 EC        lea eax, dword ptr [ebp-14]
004DD590 |. BA 05000000    mov edx, 5
004DD595 |. E8 B679F2FF    call 00404F50
004DD59A \. C3             retn
004DD59B .^ E9 C472F2FF    jmp 00404864
004DD5A0 .^ EB EB          jmp short 004DD58D
004DD5A2 .  5F             pop edi
004DD5A3 .  5E             pop esi
004DD5A4 .  5B             pop ebx
004DD5A5 .  8BE5           mov esp, ebp
004DD5A7 .  5D             pop ebp
004DD5A8 .  C2 0400        retn 4
--------------------------------------------------------------------------------
【Algorithm summary】
Username length × the constant 1122 (462h) + ASCII of the first username character × the constant 77700 (12F84h); the result is segment 1 of the registration code;
ASCII of the first username character × the constant 511632 (462h*1C8h=7CE90h); the result is segment 2;
ASCII of the first username character × the username length, then × 5678 (162Eh), plus 1122 (462h); the result is segment 3;
Join the three segments with '-' to get the registration code... The registration code is stored in quickbudget.ini in the same directory.
KeyGen source (VB code):
Code:
'Tested on the VB6.0 Lite edition.
Private Sub Command1_Click()
    Dim Name As String
    Dim L As Long                                   ' Long, so 1122 * L cannot overflow an Integer for long names
    Dim a As Long, b As Long, c As Long, d As Long  ' each declared explicitly; "Dim a, b, c, d As Long" would make only d a Long
    Name = CStr(Text1.Text)
    L = Len(Name)
    If L = 0 Then
        Text2.Text = "Input your name,Please!"
    Else
        a = 1122 * L + Asc(Mid(Name, 1, 1)) * 77700  ' segment 1: length * 462h + first char * 12F84h
        b = Asc(Mid(Name, 1, 1)) * 511632            ' segment 2: first char * 462h * 1C8h
        c = Asc(Mid(Name, 1, 1)) * L
        d = c * 5678 + 1122                          ' segment 3: first char * length * 162Eh + 462h
        Text2.Text = CStr(a) & "-" & CStr(b) & "-" & CStr(d)
    End If
End Sub
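As an added example (not the author's KeyGen or the program's own code), the algorithm summary and the VB routine above re-derived in Python from the hex constants read out of the 004DD498 listing, checked against the 'abcde' trace, and extended with what the listing implies but the post does not spell out: the check reads only the first byte and the length of the name, so the number of distinct codes is tiny and many names collide. The helper names (serial_segments, collisions, distinct_codes) are this example's own.

```python
# Added example, not from the original post: re-derives the three serial
# segments from the constants seen at 004DD498 and shows why only two
# properties of the name (first character, length) influence the code.

MUL_LEN = 0x462     # 1122, pushed as the argument at 006908A8
MUL_CH = 0x12F84    # 77700
MUL_SEG2 = 0x1C8    # 456; segment 2 is (ch * 0x462) * 0x1C8
MUL_SEG3 = 0x162E   # 5678
# Values stay far below 32 bits for realistic names, so no imul wrap-around is modelled.


def serial_segments(name: str) -> tuple[int, int, int]:
    """Return the three numbers the routine joins with '-'."""
    if not name:
        raise ValueError("empty name: the routine returns an empty code")
    ch = ord(name[0]) & 0xFF   # movzx eax, byte ptr [eax]: first byte of the ANSI string (ASCII assumed)
    n = len(name)              # call 004051EC: string length
    seg1 = n * MUL_LEN + ch * MUL_CH
    seg2 = (ch * MUL_LEN) * MUL_SEG2
    seg3 = (n * ch) * MUL_SEG3 + MUL_LEN
    return seg1, seg2, seg3


def serial(name: str) -> str:
    return "-".join(str(s) for s in serial_segments(name))


def collisions(names):
    """Group names that yield identical codes (same first character and length)."""
    groups: dict[str, list[str]] = {}
    for nm in names:
        groups.setdefault(serial(nm), []).append(nm)
    return {code: ns for code, ns in groups.items() if len(ns) > 1}


def distinct_codes(max_len: int) -> int:
    """How many different codes exist for names up to max_len with a printable first byte."""
    return len({serial(chr(c) + "x" * (n - 1))
                for n in range(1, max_len + 1) for c in range(0x20, 0x7F)})


if __name__ == "__main__":
    # Constructed sample names; 'abcde' is the name traced in the post.
    print(serial("abcde"))                        # 7542510-49628304-2754952
    print(collisions(["abcde", "alice", "bob"]))  # 'abcde' and 'alice' share a code
    print(distinct_codes(20))                     # 1900 = 95 first bytes x 20 lengths
```

Because segment 2 fixes the first byte and segment 1 then fixes the length, the mapping from (first byte, length) to code is one-to-one, which is why distinct_codes returns exactly 95 per length.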
--------------------------------------------------------------------------------
【Copyright notice】: This article is an original work by 蚊香; when reposting, please credit the author and keep the article intact. Thank you!