飘云阁Buzof 2.0 算法分析 - Powered by Discuz! Archiver

Nisy 发表于 2007-2-24 20:42:04

Buzof 2.0 算法分析

标题: Buzof 2.0 算法分析
作者: xuanyue
时间: 2007-02-24,09:41
链接: http://bbs.pediy.com/showthread.php?threadid=40025

【文章标题】: Buzof 2.0 算法分析
【文章作者】: Xuanyue
【软件名称】: Buzof 2.0
【下载地址】: http://www.basta.com/ProdBuzof.htm
【保护方式】: 注册码
【使用工具】: OllyDBD、Microsoft Visual C++ 6.0
【操作平台】: win2000
【软件介绍】: Buzof允许你自动回答、关闭、最小化任何窗口。
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!初学Crack，这可说是我破的第一个win32软件、写的第一个keygen，望前辈高手指出不足~
--------------------------------------------------------------------------------
【详细过程】
一、算法跟踪

根据注册框提示信息，很容易找到下面；

0041D5B7|. /0F84 4B010000 JE Buzof-BA.0041D708
0041D5BD|. |8BC3       MOV EAX,EBX
0041D5BF|. |8D50 02    LEA EDX,DWORD PTR DS:          ;第一位舍去存edx
0041D5C2|> |66:8B08    /MOV CX,WORD PTR DS:             ;检测长度
0041D5C5|. |83C0 02    |ADD EAX,2
0041D5C8|. |66:85C9    |TEST CX,CX
0041D5CB|.^|75 F5       \JNZ SHORT Buzof-BA.0041D5C2
0041D5CD|. |2BC2       SUB EAX,EDX
0041D5CF|. |D1F8       SAR EAX,1
0041D5D1|. |83F8 10    CMP EAX,10                            ;是否是16位
0041D5D4|. |0F85 30010000 JNZ Buzof-BA.0041D70A
0041D5DA|. |56          PUSH ESI
0041D5DB|. |8BF0       MOV ESI,EAX                            ;长度存esi
0041D5DD|. |8D49 00    LEA ECX,DWORD PTR DS:
0041D5E0|> |0FB74473 FE /MOVZX EAX,WORD PTR DS:
0041D5E5|. |83EE 01    |SUB ESI,1
0041D5E8|. |50          |PUSH EAX
0041D5E9|. |E8 212C0100 |CALL Buzof-BA.0043020F
0041D5EE|. |83C4 04    |ADD ESP,4                            ;出栈
0041D5F1|. |85C0       |TEST EAX,EAX                         ;检测是否为数字
0041D5F3|. |0F84 22010000 |JE Buzof-BA.0041D71B                ;不是则跳出
0041D5F9|. |85F6       |TEST ESI,ESI
0041D5FB|.^|75 E3       \JNZ SHORT Buzof-BA.0041D5E0
0041D5FD|. |55          PUSH EBP
0041D5FE|. |0FB76B 1E MOVZX EBP,WORD PTR DS:       ;最后一位存ebp
0041D602|. |83ED 30    SUB EBP,30                            ;unicode转成数字
0041D605|. |8BC5       MOV EAX,EBP
0041D607|. |0FAFC5    IMUL EAX,EBP                         ;平方
0041D60A|. |99          CDQ
0041D60B|. |B9 0A000000 MOV ECX,0A
0041D610|. |F7F9       IDIV ECX                               ;除以10
0041D612|. |83C2 30    ADD EDX,30                            ;综上，为(x-0x30)^2%10+30
0041D615|. |66:39146B CMP WORD PTR DS:,DX       ;设最后一位是数字a，则第a+1位必须等于edx值
0041D619 |0F85 EF000000 JNZ Buzof-BA.0041D70E
0041D61F|. |8D45 01    LEA EAX,DWORD PTR SS:          ;(a+1)%15存入eax
0041D622|. |83F8 0F    CMP EAX,0F
0041D625|. |7C 03       JL SHORT Buzof-BA.0041D62A
0041D627|. |83E8 0F    SUB EAX,0F
0041D62A|> |0FB70C43    MOVZX ECX,WORD PTR DS:
0041D62E|. |8D71 D0    LEA ESI,DWORD PTR DS:          ;第a+2位转成数字存esi
0041D631|. |83FE 02    CMP ESI,2
0041D634|. |7D 05       JGE SHORT Buzof-BA.0041D63B          ;>2，ecx置1；=2，置0；否则置ffffffff(失败)
0041D636|. |83C9 FF    OR ECX,FFFFFFFF
0041D639|. |EB 08       JMP SHORT Buzof-BA.0041D643
0041D63B|> |33C9       XOR ECX,ECX
0041D63D|. |83FE 02    CMP ESI,2
0041D640|. |0F9FC1    SETG CL
0041D643|> |8B5424 10 MOV EDX,DWORD PTR SS:
0041D647|. |83C0 01    ADD EAX,1                            ;eax<=(a+2)%15
0041D64A|. |83F8 0F    CMP EAX,0F
0041D64D|. |890A       MOV DWORD PTR DS:,ECX
0041D64F|. |7C 03       JL SHORT Buzof-BA.0041D654
0041D651|. |83E8 0F    SUB EAX,0F
0041D654|> |8BC8       MOV ECX,EAX                            ;ecx<=(a+2)%15
0041D656|. |83C0 03    ADD EAX,3                            ;eax<=(a+5)%15
0041D659|. |83F8 0F    CMP EAX,0F
0041D65C|. |7C 03       JL SHORT Buzof-BA.0041D661
0041D65E|. |83E8 0F    SUB EAX,0F
0041D661|> |57          PUSH EDI
0041D662|. |0FB73C4B    MOVZX EDI,WORD PTR DS:
0041D666|. |8BC8       MOV ECX,EAX                            ;ecx<=(a+5)%15
0041D668|. |83C0 03    ADD EAX,3                            ;eax<=(a+8)%15
0041D66B|. |83EF 30    SUB EDI,30                            ;edi<=第a+3位转数字
0041D66E|. |83F8 0F    CMP EAX,0F
0041D671|. |7C 03       JL SHORT Buzof-BA.0041D676
0041D673|. |83E8 0F    SUB EAX,0F
0041D676|> |0FB70C4B    MOVZX ECX,WORD PTR DS:    ;ecx<=第a+6位转数字
0041D67A|. |83E9 30    SUB ECX,30
0041D67D|. |8BD0       MOV EDX,EAX                            ;edx<=(a+8)%15
0041D67F|. |6BC9 64    IMUL ECX,ECX,64                      ;ecx=ecx*100由下知，ecx只能为0
0041D682|. |83C0 03    ADD EAX,3                            ;edx<=(a+11)%15
0041D685|. |83F8 0F    CMP EAX,0F
0041D688|. |7C 03       JL SHORT Buzof-BA.0041D68D
0041D68A|. |83E8 0F    SUB EAX,0F
0041D68D|> |0FB71453    MOVZX EDX,WORD PTR DS:    ;edx<=第a+9位转数字
0041D691|. |0FB70443    MOVZX EAX,WORD PTR DS:    ;eax<=第a+12位Unicode+ecx
0041D695|. |83EA 30    SUB EDX,30
0041D698|. |03C1       ADD EAX,ECX
0041D69A|. |8D1492    LEA EDX,DWORD PTR DS:       ;edx=edx*5
0041D69D|. |8D4C50 D0 LEA ECX,DWORD PTR DS:    ;13==第a+9位数字*10+第a+12位数字+第a+6位数字*100（0）
0041D6A1|. |83F9 0D    CMP ECX,0D
0041D6A4 |75 6E       JNZ SHORT Buzof-BA.0041D714
0041D6A6|. |33C9       XOR ECX,ECX
0041D6A8|. |B8 10000000 MOV EAX,10
0041D6AD|. |8D49 00    LEA ECX,DWORD PTR DS:
0041D6B0|> |0FB75443 FE /MOVZX EDX,WORD PTR DS: ;从最后一位开始循环检查
0041D6B5|. |83E8 01    |SUB EAX,1
0041D6B8|. |0FAFD0    |IMUL EDX,EAX                         ;ecx<=第(x+1)位Unicode*x之和
0041D6BB|. |03CA       |ADD ECX,EDX
0041D6BD|. |85C0       |TEST EAX,EAX
0041D6BF|.^|75 EF       \JNZ SHORT Buzof-BA.0041D6B0
0041D6C1|. |8D45 0E    LEA EAX,DWORD PTR SS:          ;y=(最后一位数字加+14)%15
0041D6C4|. |83F8 0F    CMP EAX,0F
0041D6C7|. |7C 03       JL SHORT Buzof-BA.0041D6CC
0041D6C9|. |83E8 0F    SUB EAX,0F
0041D6CC|> |0FB71443    MOVZX EDX,WORD PTR DS:    ;edx<=第(y+1)位unicode*y
0041D6D0|. |0FAFD0    IMUL EDX,EAX
0041D6D3|. |2BCA       SUB ECX,EDX
0041D6D5|. |83E8 01    SUB EAX,1
0041D6D8|. |79 03       JNS SHORT Buzof-BA.0041D6DD
0041D6DA|. |83C0 0F    ADD EAX,0F
0041D6DD|> |0FB73443    MOVZX ESI,WORD PTR DS:    ;esi<=第y位unicode
0041D6E1|. |0FB7D6    MOVZX EDX,SI                         ;edx<=第y位unicode*(y-1)
0041D6E4|. |0FAFD0    IMUL EDX,EAX
0041D6E7|. |2BCA       SUB ECX,EDX                            ;ecx=sum(sn*i)-sn*y-sn*(y-1)
0041D6E9|. |E8 12FEFFFF CALL Buzof-BA.0041D500
0041D6EE|. |66:3BC6    CMP AX,SI                            ;第y位unicode==0x30+ecx-(高8位(0x66666667*ecx)>>2)*5*2
0041D6F1|. |75 21       JNZ SHORT Buzof-BA.0041D714
0041D6F3|. |57          PUSH EDI
0041D6F4|. |E8 27FEFFFF CALL Buzof-BA.0041D520
0041D6F9|. |83C4 04    ADD ESP,4
0041D6FC|. |85C0       TEST EAX,EAX
0041D6FE |74 14       JE SHORT Buzof-BA.0041D714
0041D700|. |5F          POP EDI
0041D701|. |5D          POP EBP
0041D702|. |B8 01000000 MOV EAX,1
0041D707|. |5E          POP ESI
0041D708|> \5B          POP EBX
0041D709|.C3          RETN

0041D500/$B8 67666666 MOV EAX,66666667
0041D505|.F7E9       IMUL ECX                               ;最大0x37933333869
0041D507|.C1FA 02    SAR EDX,2
0041D50A|.8BC2       MOV EAX,EDX
0041D50C|.C1E8 1F    SHR EAX,1F
0041D50F|.03C2       ADD EAX,EDX
0041D511|.8D0480    LEA EAX,DWORD PTR DS:
0041D514|.03C0       ADD EAX,EAX
0041D516|.8BD0       MOV EDX,EAX
0041D518|.8BC1       MOV EAX,ECX
0041D51A|.2BC2       SUB EAX,EDX
0041D51C|.83C0 30    ADD EAX,30
0041D51F\.C3          RETN

0041D520/$83EC 08    SUB ESP,8
0041D523|.85DB       TEST EBX,EBX
0041D525|.75 06       JNZ SHORT Buzof-BA.0041D52D
0041D527|.33C0       XOR EAX,EAX
0041D529|.83C4 08    ADD ESP,8
0041D52C|.C3          RETN
0041D52D|>55          PUSH EBP
0041D52E|.56          PUSH ESI
0041D52F|.57          PUSH EDI
0041D530|.33ED       XOR EBP,EBP
0041D532|.33FF       XOR EDI,EDI
0041D534|.C74424 0C 020>MOV DWORD PTR SS:,2
0041D53C|.C74424 10 010>MOV DWORD PTR SS:,1
0041D544|.33F6       XOR ESI,ESI
0041D546|>0FB70473    /MOVZX EAX,WORD PTR DS:
0041D54A|.50          |PUSH EAX
0041D54B|.E8 BF2C0100 |CALL Buzof-BA.0043020F                ;判断其是否是数字
0041D550|.83C4 04    |ADD ESP,4
0041D553|.85C0       |TEST EAX,EAX
0041D555|.74 1F       |JE SHORT Buzof-BA.0041D576
0041D557|.0FB70473    |MOVZX EAX,WORD PTR DS:
0041D55B|.83E8 30    |SUB EAX,30
0041D55E|.0FAF44BC 0C |IMUL EAX,DWORD PTR SS: ;十位个位相加(2*第x位数字)（x为奇数）/第x位数字（x偶数）
0041D563|.83F8 0A    |CMP EAX,0A
0041D566|.7C 03       |JL SHORT Buzof-BA.0041D56B
0041D568|.83E8 09    |SUB EAX,9
0041D56B|>33C9       |XOR ECX,ECX
0041D56D|.03E8       |ADD EBP,EAX
0041D56F|.85FF       |TEST EDI,EDI
0041D571|.0F94C1    |SETE CL
0041D574|.8BF9       |MOV EDI,ECX
0041D576|>83C6 01    |ADD ESI,1
0041D579|.83FE 10    |CMP ESI,10
0041D57C|.^ 7C C8       \JL SHORT Buzof-BA.0041D546
0041D57E|.85ED       TEST EBP,EBP
0041D580|.74 17       JE SHORT Buzof-BA.0041D599
0041D582|.8BC5       MOV EAX,EBP
0041D584|.99          CDQ
0041D585|.F77C24 18 IDIV DWORD PTR SS:
0041D589|.85D2       TEST EDX,EDX
0041D58B|.75 0C       JNZ SHORT Buzof-BA.0041D599
0041D58D|.5F          POP EDI
0041D58E|.5E          POP ESI
0041D58F|.B8 01000000 MOV EAX,1
0041D594|.5D          POP EBP
0041D595|.83C4 08    ADD ESP,8
0041D598|.C3          RETN
0041D599|>5F          POP EDI
0041D59A|.5E          POP ESI
0041D59B|.33C0       XOR EAX,EAX
0041D59D|.5D          POP EBP
0041D59E|.83C4 08    ADD ESP,8
0041D5A1\.C3          RETN

二、算法小结

这个程序检测字符是否位数字的办法很有趣，就是Buzof-BA.0043020F，有兴趣可以看下：

0043AC14|> \66:817D 08 00>CMP WORD PTR SS:,100          ;不为0xffff，且<0x0100
0043AC1A|.73 16       JNB SHORT Buzof-BA.0043AC32
0043AC1C|.0FB745 08 MOVZX EAX,WORD PTR SS:
0043AC20|.8B0D 84FC4500 MOV ECX,DWORD PTR DS:          ;该地址为软件自有的一张表，大小0x200
0043AC26|.0FB70441    MOVZX EAX,WORD PTR DS:    ;具观察，数字0x30-0x39表中对应0x84
0043AC2A|.0FB74D 0C MOVZX ECX,WORD PTR SS:          ;为4;显然软件只接受数字，还有一些如B2之类的字符
0043AC2E|.23C1       AND EAX,ECX                            ;0x84&4=4
0043AC30|.C9          LEAVE
0043AC31|.C3          RETN

程序内建了一张对应于0-255ascii码的表，内容如下：

004519C220 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
004519D220 00 68 00 28 00 28 00 28 00 28 00 20 00 20 00 .h.(.(.(.(. . .
004519E220 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
004519F220 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
00451A0248 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00H........
00451A1210 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00........
00451A2284 00 84 00 84 00 84 00 84 00 84 00 84 00 84 00????????
00451A3284 00 84 00 10 00 10 00 10 00 10 00 10 00 10 00??......
00451A4210 00 81 01 81 01 81 01 81 01 81 01 81 01 01 01.??????
00451A5201 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
00451A6201 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
00451A7201 01 01 01 01 01 10 00 10 00 10 00 10 00 10 00.....
00451A8210 00 82 01 82 01 82 01 82 01 82 01 82 01 02 01.??????
00451A9202 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01
00451AA202 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01
00451AB202 01 02 01 02 01 10 00 10 00 10 00 10 00 20 00.... .
00451AC220 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
00451AD220 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
00451AE220 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
00451AF220 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 . . . . . . . .
00451B0248 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00H........
00451B1210 00 10 00 10 00 10 00 10 00 10 00 10 00 10 00........
00451B2210 00 10 00 14 00 14 00 10 00 10 00 10 00 10 00........
00451B3210 00 14 00 10 00 10 00 10 00 10 00 10 00 10 00........
00451B4201 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
00451B5201 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
00451B6201 01 01 01 01 01 01 01 01 01 01 01 01 01 10 00.
00451B7201 01 01 01 01 01 01 01 01 01 01 01 01 01 02 01
00451B8202 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01
00451B9202 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01
00451BA202 01 02 01 02 01 02 01 02 01 02 01 02 01 10 00.
00451BB202 01 02 01 02 01 02 01 02 01 02 01 02 01 02 01
00451BC201 01 00 00 00 00 80 81 82 83 84 85 86 87 88 89....

页: [1]

飘云阁's Archiver

Buzof 2.0 算法分析