好友
阅读权限10
听众
最后登录1970-1-1
|
nv21
发表于 2008-9-24 15:11
[[一起学算法三]象棋桥V2.1算法分析+简单爆破
【破文标题】[一起学算法]象棋桥V2.1算法分析+简单爆破
【破文作者】lzover[PYG]
【破解工具】PEiD,OD
【破解平台】DB.XP SP2
【软件名称】象棋桥 V2.1
【软件大小】2225 KB
【原版下载】http://www.skycn.com/soft/4122.html
【保护方式】注册码
【软件简介】 象棋桥是一个功能强大的中国象棋打谱软件,支持局域网的联机对弈,可以进行人机的模拟对弈,已有的韬略元机、适情雅趣、桔中密、梅花谱、崇本堂梅花秘谱等精彩棋谱定会让您爱不释手。
【破解声明】我是小菜菜,只为学习,高人见谅了!
一个简单的软件,大家一起学。PEID查一下,无壳,试注册呀下,有错误提示框出现,好了,那就用OD载入程序,F9运行起来(中间会有些异常,一直SHIFT+F9就得了),下BPMessageBoxA断点,注册一下,断下后ALT+F9返回程序领空,F8走一会再返回一次,OK了,段首下个断以后重新注册,断下后开始分析:
0051E318 .55pushebp
0051E319 .68 5AE65100 push0051E65A
0051E31E .64:FF30 pushdword ptr fs:[eax]
0051E321 .64:8920 mov dword ptr fs:[eax], esp
0051E324 .8B45 FC mov eax, dword ptr [ebp-4]
0051E327 .8B90 68090000 mov edx, dword ptr [eax+968]
0051E32D .A1 3C915400 mov eax, dword ptr [54913C]
0051E332 .8B80 D8020000 mov eax, dword ptr [eax+2D8]
0051E338 .E8 0F5DF1FF call0043404C
0051E33D .A1 3C915400 mov eax, dword ptr [54913C]
0051E342 .05 00030000 add eax, 300
0051E347 .8B55 FC mov edx, dword ptr [ebp-4]
0051E34A .8B92 5C090000 mov edx, dword ptr [edx+95C]
0051E350 .E8 4F59EEFF call00403CA4
0051E355 .A1 3C915400 mov eax, dword ptr [54913C]
0051E35A .8B10mov edx, dword ptr [eax]
0051E35C .FF92 D8000000 calldword ptr [edx+D8] ;出现注册框
0051E362 .48dec eax
0051E363 .0F85 B1020000 jnz 0051E61A
0051E369 .8D55 EC lea edx, dword ptr [ebp-14]
0051E36C .A1 3C915400 mov eax, dword ptr [54913C]
0051E371 .8B80 D8020000 mov eax, dword ptr [eax+2D8]
0051E377 .E8 A05CF1FF call0043401C ;取用户名
0051E37C .8B55 EC mov edx, dword ptr [ebp-14]
0051E37F .8B45 FC mov eax, dword ptr [ebp-4]
0051E382 .05 70090000 add eax, 970
0051E387 .E8 1859EEFF call00403CA4
0051E38C .8D55 E8 lea edx, dword ptr [ebp-18]
0051E38F .A1 3C915400 mov eax, dword ptr [54913C]
0051E394 .8B80 E0020000 mov eax, dword ptr [eax+2E0]
0051E39A .E8 7D5CF1FF call0043401C ;取注册码
0051E39F .8B45 E8 mov eax, dword ptr [ebp-18]
0051E3A2 .8D55 F4 lea edx, dword ptr [ebp-C]
0051E3A5 .E8 42A5EEFF call004088EC
0051E3AA .B3 01 mov bl, 1
0051E3AC .8B45 F4 mov eax, dword ptr [ebp-C]
0051E3AF .E8 1C5BEEFF call00403ED0
0051E3B4 .83F8 0C cmp eax, 0C;注册码为12位,否则OVER
0051E3B775 60 jnz short 0051E419
0051E3B9 .8D45 F0 lea eax, dword ptr [ebp-10]
0051E3BC .8B55 F4 mov edx, dword ptr [ebp-C]
0051E3BF .E8 2459EEFF call00403CE8
0051E3C4 .8D45 F0 lea eax, dword ptr [ebp-10]
0051E3C7 .B9 07000000 mov ecx, 7
0051E3CC .BA 01000000 mov edx, 1
0051E3D1 .E8 425DEEFF call00404118 ;取后5位
0051E3D6 .8D45 F4 lea eax, dword ptr [ebp-C]
0051E3D9 .B9 05000000 mov ecx, 5
0051E3DE .BA 08000000 mov edx, 8
0051E3E3 .E8 305DEEFF call00404118 ;取前7位
0051E3E8 .8B45 F4 mov eax, dword ptr [ebp-C]
0051E3EB .BA 70E65100 mov edx, 0051E670;ASCII "CCB21R-"
0051E3F0 .E8 EB5BEEFF call00403FE0
0051E3F5 .75 1E jnz short 0051E415 ;前7位要等于CCB21R-
0051E3F7 .8D55 E4 lea edx, dword ptr [ebp-1C]
0051E3FA .8B45 FC mov eax, dword ptr [ebp-4]
0051E3FD .8B80 70090000 mov eax, dword ptr [eax+970]
0051E403 .E8 5462F6FF call0048465C ;用户名计算出后5位
0051E408 .8B55 E4 mov edx, dword ptr [ebp-1C]
0051E40B .8B45 F0 mov eax, dword ptr [ebp-10]
0051E40E .E8 CD5BEEFF call00403FE0 ;比较后5位,想等则OK
0051E413 .74 06 jeshort 0051E41B ;跳则成功
0051E415 >33DBxor ebx, ebx
0051E417 .EB 02 jmp short 0051E41B
0051E419 >33DBxor ebx, ebx
0051E41B >84DBtestbl, bl
0051E41D .0F84 11010000 je0051E534
0051E423 .8B45 FC mov eax, dword ptr [ebp-4]
0051E426 .C680 84090000>mov byte ptr [eax+984], 1
0051E42D .8B45 FC mov eax, dword ptr [ebp-4]
0051E430 .C680 85090000>mov byte ptr [eax+985], 0
0051E437 .8B45 FC mov eax, dword ptr [ebp-4]
这里可以分析出注册码为12位,而且前面7为是固定字符串"CCB21R-",0051E403的CALL是关键算法,F7进入可以看到:
00484691|.8B45 F4 mov eax, dword ptr [ebp-C]
00484694|.E8 37F8F7FF call00403ED0
00484699|.40inc eax
0048469A|.8BD8mov ebx, eax
0048469C|.83FB 05 cmp ebx, 5
0048469F|.7F 13 jgshort 004846B4 ;用户名大于4位跳向计算部分
004846A1|>8D45 F4 /lea eax, dword ptr [ebp-C]
004846A4|.BA 60474800 |mov edx, 00484760
004846A9|.E8 2AF8F7FF |call00403ED8
004846AE|.43|inc ebx
004846AF|.83FB 06 |cmp ebx, 6
004846B2|.^ 75 ED \jnz short 004846A1;循环:如果小于等于4位则在后面加空格填充至5位
004846B4|>8B45 F4 mov eax, dword ptr [ebp-C]
004846B7|.33C9xor ecx, ecx
004846B9|.8A08mov cl, byte ptr [eax] ;第一位进CL X1
004846BB|.8B45 F4 mov eax, dword ptr [ebp-C]
004846BE|.33DBxor ebx, ebx
004846C0|.8A58 01 mov bl, byte ptr [eax+1] ;第二位进BL X2
004846C3|.8B45 F4 mov eax, dword ptr [ebp-C]
004846C6|.0FB670 02 movzx esi, byte ptr [eax+2];第三位扩展进ESIX3
004846CA|.8B45 F4 mov eax, dword ptr [ebp-C]
004846CD|.0FB678 03 movzx edi, byte ptr [eax+3];第4位扩展进EDIX4
004846D1|.8B45 F4 mov eax, dword ptr [ebp-C]
004846D4|.0FB640 04 movzx eax, byte ptr [eax+4];第5位扩展进EAXX5
004846D8|.8945 F0 mov dword ptr [ebp-10], eax;EAX进地址[EBP-10]
004846DB|.8D040Blea eax, dword ptr [ebx+ecx] ;地址EAX=EBX+ECXX1+X2
004846DE|.03FEadd edi, esi ;EDI = EDI + ESI X4+X3
004846E0|.F7EFimuledi;EAX = EAX * EDI
004846E2|.F76D F0 imuldword ptr [ebp-10] ;EAX与前面存进去的第五位想乘(X1 + X2) * (x3 + x4)
004846E5|.B9 A0860100 mov ecx, 186A0 ;ECX = 186A0
004846EA|.99cdq;清空
004846EB|.F7F9idivecx;带符号数除法运算:EAX = EAX/ECX
004846ED|.8BDAmov ebx, edx ;余数进EBX
004846EF|.8D55 F4 lea edx, dword ptr [ebp-C]
004846F2|.8BC3mov eax, ebx
004846F4|.E8 B745F8FF call00408CB0 ;把余数转为10进制
004846F9|.8B45 F4 mov eax, dword ptr [ebp-C] ;转换后进EAX
004846FC|.E8 CFF7F7FF call00403ED0 ;EAX的字数
00484701|.40inc eax
00484702|.8BD8mov ebx, eax
00484704|.83FB 05 cmp ebx, 5
00484707|.7F 16 jgshort 0048471F ;小于5则不跳
00484709|>8D45 F4 /lea eax, dword ptr [ebp-C]
0048470C|.8B4D F4 |mov ecx, dword ptr [ebp-C]
0048470F|.BA 6C474800 |mov edx, 0048476C
00484714|.E8 03F8F7FF |call00403F1C
00484719|.43|inc ebx
0048471A|.83FB 06 |cmp ebx, 6
0048471D|.^ 75 EA \jnz short 00484709;循环给在前面加上0直到5位
0048471F|>8B45 F8 mov eax, dword ptr [ebp-8]
00484722|.8B55 F4 mov edx, dword ptr [ebp-C]
00484725|.E8 7AF5F7FF call00403CA4
0048472A|.33C0xor eax, eax
0048472C|.5Apop edx
这里计算出Y=(x1+x2)*(x3+x4)*x5 mod 100000 ,如果注册码后5位为Y则成功.注册信息保存地址:HKEY_CURRENT_USER\Software\ShengYu\CCBridge
//////////////////////////////////////////////////////////////////////////////////////////////////////////
关于此软件的爆破也相对简单,这个软件无重起验证,只要在软件中注册成功一次,以后再开就是注册版了,所以改以下几处就OK了:
0051E3B775 60 jnz short 0051E419 //把这个JNZ给NOP掉就是输入多少位数都行~~~~
0051E3F5 .75 1E jnz short 0051E415 ;前7位要等于CCB21R-//NOP掉~~~~
0051E413 .74 06 jeshort 0051E41B//这里的JE改为JMP
/////////////////////////////////////////////////////////////////////////////////////////////////////////
///VB写注册机代码如下,很简单:
Private Sub Command1_Click()
Dim a() As Byte
Dim Name As String
Name = CStr(Text1.Text)
L = LenB(StrConv(Name, vbFromUnicode))
If L < 5 Then
Name = Name + " "
End If
a = StrConv(Name, vbFromUnicode)
X1 = a(0)
X2 = a(1)
X3 = a(2)
x4 = a(3)
x5 = a(4)
Y = CStr(((X1 + X2) * (X3 + x4) * x5) Mod 100000)
If Len(Y) < 5 Then
For i = 1 To (5 - Len(Y))
Y = "0" + Y
Next i
End If
Text2.Text = "CCB21R-" + Y
End Sub
Private Sub Command2_Click()
End |
|
