好友
阅读权限30
听众
最后登录1970-1-1
|
蚊香
发表于 2008-6-19 16:30
【文章标题】: DVD影碟制作专家 V4.0.1.258 简单算法分析
【文章作者】: 蚊香
【作者邮箱】: xpi386com@163.com
【作者主页】: http://www.xpi386.com
【软件名称】: DVD影碟制作专家
【软件大小】: 17183 KB
【下载地址】: 自己搜索下载
【保护方式】: 注册码
【编写语言】: Delphi
【使用工具】: PEiD OllyDbg
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!刚刚刚刚刚刚接触简单算法 -_-
--------------------------------------------------------------------------------
【详细过程】
PEiD查壳,Borland Delphi 6.0 - 7.0 [Overlay]
试注册(5组注册码,每组5位),提示“注册失败”
载入OD,F9运行,输入假码12345-67890-40001-13579-24680注册:
00AA337E 55 push ebp ; 通过堆栈调用法定位到这里,下断开始分析
00AA337F 68 A237AA00 push 00AA37A2
00AA3384 64:FF30 push dword ptr fs:[eax]
00AA3387 64:8920 mov dword ptr fs:[eax], esp
00AA338A 8D55 FC lea edx, dword ptr [ebp-4]
00AA338D 8B83 98030000 mov eax, dword ptr [ebx+398]
00AA3393 E8 8028FFFF call 00A95C18
00AA3398 8B45 FC mov eax, dword ptr [ebp-4]
00AA339B E8 1821F5FF call 009F54B8
00AA33A0 E8 A76AF5FF call 009F9E4C
00AA33A5 83F8 05 cmp eax, 5
00AA33A8 0F85 80000000 jnz 00AA342E ; 检查是否5位..不是则挂,下面还有4处
00AA33AE 8D55 F8 lea edx, dword ptr [ebp-8]
00AA33B1 8B83 9C030000 mov eax, dword ptr [ebx+39C]
00AA33B7 E8 5C28FFFF call 00A95C18
00AA33BC 8B45 F8 mov eax, dword ptr [ebp-8]
00AA33BF E8 F420F5FF call 009F54B8
00AA33C4 E8 836AF5FF call 009F9E4C
00AA33C9 83F8 05 cmp eax, 5
00AA33CC 75 60 jnz short 00AA342E
00AA33CE 8D55 F4 lea edx, dword ptr [ebp-C]
00AA33D1 8B83 A0030000 mov eax, dword ptr [ebx+3A0]
00AA33D7 E8 3C28FFFF call 00A95C18
00AA33DC 8B45 F4 mov eax, dword ptr [ebp-C]
00AA33DF E8 D420F5FF call 009F54B8
00AA33E4 E8 636AF5FF call 009F9E4C
00AA33E9 83F8 05 cmp eax, 5
00AA33EC 75 40 jnz short 00AA342E
00AA33EE 8D55 F0 lea edx, dword ptr [ebp-10]
00AA33F1 8B83 A4030000 mov eax, dword ptr [ebx+3A4]
00AA33F7 E8 1C28FFFF call 00A95C18
00AA33FC 8B45 F0 mov eax, dword ptr [ebp-10]
00AA33FF E8 B420F5FF call 009F54B8
00AA3404 E8 436AF5FF call 009F9E4C
00AA3409 83F8 05 cmp eax, 5
00AA340C 75 20 jnz short 00AA342E
00AA340E 8D55 EC lea edx, dword ptr [ebp-14]
00AA3411 8B83 A8030000 mov eax, dword ptr [ebx+3A8]
00AA3417 E8 FC27FFFF call 00A95C18
00AA341C 8B45 EC mov eax, dword ptr [ebp-14]
00AA341F E8 9420F5FF call 009F54B8
00AA3424 E8 236AF5FF call 009F9E4C
00AA3429 83F8 05 cmp eax, 5
00AA342C 74 2A je short 00AA3458 ; 每组是5位则从这里跳过下面这个失败处
00AA342E 6A 40 push 40 ; 以上有任一组不为5则跳到这里
00AA3430 A1 2017AB00 mov eax, dword ptr [AB1720]
00AA3435 E8 7E20F5FF call 009F54B8
00AA343A 50 push eax
00AA343B A1 2817AB00 mov eax, dword ptr [AB1728]
00AA3440 E8 7320F5FF call 009F54B8
00AA3445 50 push eax
00AA3446 8BC3 mov eax, ebx
00AA3448 E8 332FFAFF call 00A46380
00AA344D 50 push eax
00AA344E E8 454DF5FF call <jmp.&user32.MessageBoxA> ; 这里提示注册失败
00AA3453 E9 0D030000 jmp 00AA3765
00AA3458 8D55 E8 lea edx, dword ptr [ebp-18]
00AA345B 8B83 A0030000 mov eax, dword ptr [ebx+3A0]
00AA3461 E8 B227FFFF call 00A95C18
00AA3466 8B45 E8 mov eax, dword ptr [ebp-18]
00AA3469 8B15 1817AB00 mov edx, dword ptr [AB1718]
00AA346F E8 901FF5FF call 009F5404
00AA3474 74 2A je short 00AA34A0 ; 通过堆栈窗口可见,第三组必须是40001
00AA3476 6A 40 push 40
00AA3478 A1 2017AB00 mov eax, dword ptr [AB1720]
00AA347D E8 3620F5FF call 009F54B8
00AA3482 50 push eax
00AA3483 A1 2817AB00 mov eax, dword ptr [AB1728]
00AA3488 E8 2B20F5FF call 009F54B8
00AA348D 50 push eax
00AA348E 8BC3 mov eax, ebx
00AA3490 E8 EB2EFAFF call 00A46380
00AA3495 50 push eax
00AA3496 E8 FD4CF5FF call <jmp.&user32.MessageBoxA> ; 这里是注册失败
00AA349B E9 C5020000 jmp 00AA3765
00AA34A0 8D55 E4 lea edx, dword ptr [ebp-1C]
00AA34A3 8B83 98030000 mov eax, dword ptr [ebx+398]
00AA34A9 E8 6A27FFFF call 00A95C18
00AA34AE 837D E4 00 cmp dword ptr [ebp-1C], 0
00AA34B2 74 3C je short 00AA34F0
00AA34B4 8D55 E0 lea edx, dword ptr [ebp-20]
00AA34B7 8B83 9C030000 mov eax, dword ptr [ebx+39C]
00AA34BD E8 5627FFFF call 00A95C18
00AA34C2 837D E0 00 cmp dword ptr [ebp-20], 0
00AA34C6 74 28 je short 00AA34F0
00AA34C8 8D55 DC lea edx, dword ptr [ebp-24]
00AA34CB 8B83 A0030000 mov eax, dword ptr [ebx+3A0]
00AA34D1 E8 4227FFFF call 00A95C18
00AA34D6 837D DC 00 cmp dword ptr [ebp-24], 0
00AA34DA 74 14 je short 00AA34F0
00AA34DC 8D55 D8 lea edx, dword ptr [ebp-28]
00AA34DF 8B83 A4030000 mov eax, dword ptr [ebx+3A4]
00AA34E5 E8 2E27FFFF call 00A95C18
00AA34EA 837D D8 00 cmp dword ptr [ebp-28], 0
00AA34EE 75 2A jnz short 00AA351A
00AA34F0 6A 40 push 40
00AA34F2 A1 2017AB00 mov eax, dword ptr [AB1720]
00AA34F7 E8 BC1FF5FF call 009F54B8
00AA34FC 50 push eax
00AA34FD A1 2817AB00 mov eax, dword ptr [AB1728]
00AA3502 E8 B11FF5FF call 009F54B8
00AA3507 50 push eax
00AA3508 8BC3 mov eax, ebx
00AA350A E8 712EFAFF call 00A46380
00AA350F 50 push eax
00AA3510 E8 834CF5FF call <jmp.&user32.MessageBoxA>
00AA3515 E9 4B020000 jmp 00AA3765
00AA351A 8D45 D4 lea eax, dword ptr [ebp-2C]
00AA351D E8 BA5BFCFF call 00A690DC
00AA3522 8B45 D4 mov eax, dword ptr [ebp-2C]
00AA3525 50 push eax
00AA3526 8D55 D0 lea edx, dword ptr [ebp-30]
00AA3529 8B83 A0030000 mov eax, dword ptr [ebx+3A0]
00AA352F E8 E426FFFF call 00A95C18
00AA3534 8B55 D0 mov edx, dword ptr [ebp-30]
00AA3537 58 pop eax
00AA3538 E8 C71EF5FF call 009F5404
00AA353D 74 2A je short 00AA3569 ; 又出现第三组和40001比较
00AA353F 6A 40 push 40
00AA3541 A1 2017AB00 mov eax, dword ptr [AB1720]
00AA3546 E8 6D1FF5FF call 009F54B8
00AA354B 50 push eax
00AA354C A1 2817AB00 mov eax, dword ptr [AB1728]
00AA3551 E8 621FF5FF call 009F54B8
00AA3556 50 push eax
00AA3557 8BC3 mov eax, ebx
00AA3559 E8 222EFAFF call 00A46380
00AA355E 50 push eax
00AA355F E8 344CF5FF call <jmp.&user32.MessageBoxA>
00AA3564 E9 FC010000 jmp 00AA3765
00AA3569 8D55 CC lea edx, dword ptr [ebp-34]
00AA356C 8B83 98030000 mov eax, dword ptr [ebx+398]
00AA3572 E8 A126FFFF call 00A95C18 ; 取第一组注册码
00AA3577 8B45 CC mov eax, dword ptr [ebp-34]
00AA357A E8 0963F5FF call 009F9888 ; 第一组注册码转16进制=3039
00AA357F E8 1862FCFF call 00A6979C ; 里面有算法,F7进入
进入上面的00AA357F
00A6979A 8BC0 mov eax, eax
00A6979C 8BC8 mov ecx, eax
00A6979E 8D81 9F860100 lea eax, dword ptr [ecx+1869F] ; EAX=3039 + 1869F = 1B6D8
00A697A4 B9 03000000 mov ecx, 3 ; ECX=3
00A697A9 33D2 xor edx, edx
00A697AB F7F1 div ecx ; EAX=1B6D8 / 3 = 9248
00A697AD 83C0 58 add eax, 58 ; EAX = 9248+58=92A0
00A697B0 C3 retn
00AA3584 8BF0 mov esi, eax
00AA3586 8D55 C8 lea edx, dword ptr [ebp-38]
00AA3589 8B83 9C030000 mov eax, dword ptr [ebx+39C]
00AA358F E8 8426FFFF call 00A95C18 ; 取第二组注册码
00AA3594 8B45 C8 mov eax, dword ptr [ebp-38]
00AA3597 E8 EC62F5FF call 009F9888 ; 第二组注册码转16进制=10932
00AA359C E8 1362FCFF call 00A697B4 ; 里面又有算法,F7进
进入上面的00AA359C
00A697B1 8D40 00 lea eax, dword ptr [eax]
00A697B4 8BC8 mov ecx, eax
00A697B6 8BC1 mov eax, ecx
00A697B8 B9 09000000 mov ecx, 9 ; ECX=9
00A697BD 33D2 xor edx, edx
00A697BF F7F1 div ecx ; EAX=10932/9=1D77
00A697C1 03C0 add eax, eax
00A697C3 03C0 add eax, eax
00A697C5 03C0 add eax, eax ; EAX=1D77*8=EBB8
00A697C7 50 push eax
00A697C8 B8 9E860100 mov eax, 1869E ; EAX=1869E
00A697CD 5A pop edx
00A697CE 2BC2 sub eax, edx ; EAX=1869E-EBB8=9AE6
00A697D0 C3 retn
00AA35A1 8BF8 mov edi, eax
00AA35A3 8D55 C4 lea edx, dword ptr [ebp-3C]
00AA35A6 8B83 A4030000 mov eax, dword ptr [ebx+3A4]
00AA35AC E8 6726FFFF call 00A95C18
00AA35B1 8B45 C4 mov eax, dword ptr [ebp-3C]
00AA35B4 E8 CF62F5FF call 009F9888 ; 第四组注册码转16进制=350B
00AA35B9 99 cdq ; 清空EDX
00AA35BA 52 push edx
00AA35BB 50 push eax
00AA35BC 8BC6 mov eax, esi
00AA35BE 33D2 xor edx, edx
00AA35C0 3B5424 04 cmp edx, dword ptr [esp+4] ; 比较350B和上面得到的92A0
00AA35C4 75 03 jnz short 00AA35C9
00AA35C6 3B0424 cmp eax, dword ptr [esp]
00AA35C9 5A pop edx
00AA35CA 58 pop eax
00AA35CB 0F85 94010000 jnz 00AA3765 ; 不能跳
00AA35D1 8D55 C0 lea edx, dword ptr [ebp-40]
00AA35D4 8B83 A8030000 mov eax, dword ptr [ebx+3A8]
00AA35DA E8 3926FFFF call 00A95C18 ; ??????
00AA35DF 8B45 C0 mov eax, dword ptr [ebp-40]
00AA35E2 E8 A162F5FF call 009F9888 ; 第五组注册码转16进制=6068
00AA35E7 99 cdq
00AA35E8 52 push edx
00AA35E9 50 push eax
00AA35EA 8BC7 mov eax, edi
00AA35EC 33D2 xor edx, edx
00AA35EE 3B5424 04 cmp edx, dword ptr [esp+4] ; 比较6068和上面得到的9AE6
00AA35F2 75 03 jnz short 00AA35F7
00AA35F4 3B0424 cmp eax, dword ptr [esp]
00AA35F7 5A pop edx
00AA35F8 58 pop eax
00AA35F9 0F85 66010000 jnz 00AA3765
00AA35FF 8D55 BC lea edx, dword ptr [ebp-44]
00AA3602 8B83 98030000 mov eax, dword ptr [ebx+398]
00AA3608 E8 0B26FFFF call 00A95C18
00AA360D 8B45 BC mov eax, dword ptr [ebp-44]
00AA3610 E8 7362F5FF call 009F9888
00AA3615 E8 BA61FCFF call 00A697D4
00AA361A 8D55 B8 lea edx, dword ptr [ebp-48]
00AA361D 8B83 98030000 mov eax, dword ptr [ebx+398]
00AA3623 E8 F025FFFF call 00A95C18
00AA3628 8B45 B8 mov eax, dword ptr [ebp-48]
00AA362B E8 5862F5FF call 009F9888
00AA3630 E8 E36BFCFF call 00A6A218
00AA3635 8D55 B4 lea edx, dword ptr [ebp-4C]
00AA3638 8B83 9C030000 mov eax, dword ptr [ebx+39C]
00AA363E E8 D525FFFF call 00A95C18
00AA3643 8B45 B4 mov eax, dword ptr [ebp-4C]
00AA3646 E8 3D62F5FF call 009F9888
00AA364B E8 4462FCFF call 00A69894
00AA3650 8D55 B0 lea edx, dword ptr [ebp-50]
00AA3653 8B83 9C030000 mov eax, dword ptr [ebx+39C]
00AA3659 E8 BA25FFFF call 00A95C18
00AA365E 8B45 B0 mov eax, dword ptr [ebp-50]
00AA3661 E8 2262F5FF call 009F9888
00AA3666 E8 256DFCFF call 00A6A390
00AA366B 8D55 AC lea edx, dword ptr [ebp-54]
00AA366E 8B83 A0030000 mov eax, dword ptr [ebx+3A0]
00AA3674 E8 9F25FFFF call 00A95C18
00AA3679 8B45 AC mov eax, dword ptr [ebp-54]
00AA367C E8 0762F5FF call 009F9888
00AA3681 E8 CE62FCFF call 00A69954
00AA3686 8D55 A8 lea edx, dword ptr [ebp-58]
00AA3689 8B83 A0030000 mov eax, dword ptr [ebx+3A0]
00AA368F E8 8425FFFF call 00A95C18
00AA3694 8B45 A8 mov eax, dword ptr [ebp-58]
00AA3697 E8 EC61F5FF call 009F9888
00AA369C E8 7B6EFCFF call 00A6A51C
00AA36A1 8D55 A4 lea edx, dword ptr [ebp-5C]
00AA36A4 8B83 A4030000 mov eax, dword ptr [ebx+3A4]
00AA36AA E8 6925FFFF call 00A95C18
00AA36AF 8B45 A4 mov eax, dword ptr [ebp-5C]
00AA36B2 E8 D161F5FF call 009F9888
00AA36B7 E8 9063FCFF call 00A69A4C
00AA36BC 8D55 A0 lea edx, dword ptr [ebp-60]
00AA36BF 8B83 A4030000 mov eax, dword ptr [ebx+3A4]
00AA36C5 E8 4E25FFFF call 00A95C18
00AA36CA 8B45 A0 mov eax, dword ptr [ebp-60]
00AA36CD E8 B661F5FF call 009F9888
00AA36D2 E8 D16FFCFF call 00A6A6A8
00AA36D7 8D55 9C lea edx, dword ptr [ebp-64]
00AA36DA 8B83 A8030000 mov eax, dword ptr [ebx+3A8]
00AA36E0 E8 3325FFFF call 00A95C18
00AA36E5 8B45 9C mov eax, dword ptr [ebp-64]
00AA36E8 E8 9B61F5FF call 009F9888
00AA36ED E8 5264FCFF call 00A69B44
00AA36F2 8D55 98 lea edx, dword ptr [ebp-68]
00AA36F5 8B83 A8030000 mov eax, dword ptr [ebx+3A8]
00AA36FB E8 1825FFFF call 00A95C18
00AA3700 8B45 98 mov eax, dword ptr [ebp-68]
00AA3703 E8 8061F5FF call 009F9888
00AA3708 E8 1371FCFF call 00A6A820
00AA370D 8D55 90 lea edx, dword ptr [ebp-70]
00AA3710 A1 34CFAA00 mov eax, dword ptr [AACF34]
00AA3715 8B00 mov eax, dword ptr [eax]
00AA3717 E8 9087FBFF call 00A5BEAC
00AA371C 8B45 90 mov eax, dword ptr [ebp-70]
00AA371F 8D55 94 lea edx, dword ptr [ebp-6C]
00AA3722 E8 9D65F5FF call 009F9CC4
00AA3727 8B45 94 mov eax, dword ptr [ebp-6C]
00AA372A E8 1150FCFF call 00A68740
00AA372F 6A 40 push 40
00AA3731 A1 2017AB00 mov eax, dword ptr [AB1720]
00AA3736 E8 7D1DF5FF call 009F54B8
00AA373B 50 push eax
00AA373C A1 1C17AB00 mov eax, dword ptr [AB171C]
00AA3741 E8 721DF5FF call 009F54B8
00AA3746 50 push eax
00AA3747 8BC3 mov eax, ebx
00AA3749 E8 322CFAFF call 00A46380
00AA374E 50 push eax
00AA374F E8 444AF5FF call <jmp.&user32.MessageBoxA>
00AA3754 C705 1017AB00 0>mov dword ptr [AB1710], 1
00AA375E 8BC3 mov eax, ebx
00AA3760 E8 A743FBFF call 00A57B0C
00AA3765 33C0 xor eax, eax
00AA3767 5A pop edx
00AA3768 59 pop ecx
00AA3769 59 pop ecx
00AA376A 64:8910 mov dword ptr fs:[eax], edx
00AA376D 68 A937AA00 push 00AA37A9
00AA3772 8D45 90 lea eax, dword ptr [ebp-70]
00AA3775 BA 02000000 mov edx, 2
00AA377A E8 9918F5FF call 009F5018
00AA377F 8D45 98 lea eax, dword ptr [ebp-68]
00AA3782 BA 0F000000 mov edx, 0F
00AA3787 E8 8C18F5FF call 009F5018
00AA378C 8D45 D4 lea eax, dword ptr [ebp-2C]
00AA378F E8 6018F5FF call 009F4FF4
00AA3794 8D45 D8 lea eax, dword ptr [ebp-28]
00AA3797 BA 0A000000 mov edx, 0A
00AA379C E8 7718F5FF call 009F5018
00AA37A1 C3 retn
00AA37A2 ^ E9 0D11F5FF jmp 009F48B4
00AA37A7 ^ EB C9 jmp short 00AA3772
00AA37A9 5F pop edi
00AA37AA 5E pop esi
00AA37AB 5B pop ebx
00AA37AC 8BE5 mov esp, ebp
00AA37AE 5D pop ebp
00AA37AF C3 retn
--------------------------------------------------------------------------------
【算法总结】
软件注册只需要填注册码,为每组5位的5组。第三组固定为40001。
以12345和67890分别作为第1组和第2组为例:
12345转16进制 = 3039 3039 + 1869F = 1B6D8 1B6D8 / 3 = 9248 9248+58=92A0 (要和第四组相同)
67890转16进制 = 10932 10932/9=1D77 1D77*8=EBB8 1869E-EBB8=9AE6 (要和第五组相同)
符合上面的要求即为合法注册码,例如:12345-67890-40001-37536-39654
--------------------------------------------------------------------------------
【版权声明】: 本文 蚊香 原创, 转载请注明作者并保持文章的完整, 谢谢! |
|
发表于 2008-6-19 18:19
发表于 2008-6-19 20:38
