Registration Algorithm Analysis of 《现代汉语词典》 (Modern Chinese Dictionary)
[Title]: Registration Algorithm Analysis of 《现代汉语词典》 [Author]: 水中花
[Download]: search for it yourself
[Packer]: ASPack 2.12
[Protection]: packer + serial number
[Language]: Delphi
[Software intro]: 现代汉语词典 (Modern Chinese Dictionary) is a compact, comprehensive and novel reference tool for the humanities. It collects every entry of the Xinhua Dictionary and the Modern Chinese Dictionary, and new entries are added continuously to keep pace with the times. The material is vast, the data volume large, the coverage complete, authoritative and scientific; it is an excellent study aid. The software supports fuzzy search, ascending/descending sort, refresh, online......
--------------------------------------------------------------------------------
[Detailed process]
1. Check the packer with PEiD: ASPack 2.12. Unpack it manually.
2. Using the prompt shown when registration fails, locate it through the string references and set a breakpoint there.
0051A667|.51 push ecx
0051A668|.53 push ebx
0051A669|.56 push esi
0051A66A|.57 push edi
0051A66B|.8BD8 mov ebx, eax
0051A66D|.33C0 xor eax, eax
0051A66F|.55 push ebp
0051A670|.68 62A95100 push 00.0051A962
0051A675|.64:FF30 push dword ptr fs:[eax]
0051A678|.64:8920 mov dword ptr fs:[eax], esp
0051A67B|.B2 01 mov dl, 1
0051A67D|.A1 3CBD4900 mov eax, dword ptr [49BD3C]
0051A682|.E8 B517F8FF call 00.0049BE3C
0051A687|.8BF0 mov esi, eax
0051A689|.BA 02000080 mov edx, 80000002
0051A68E|.8BC6 mov eax, esi
0051A690|.E8 4718F8FF call 00.0049BEDC
0051A695|.B1 01 mov cl, 1
0051A697|.BA 78A95100 mov edx, 00.0051A978 ;ASCII "SOFTWARE\Microsoft\xdhy"
0051A69C|.8BC6 mov eax, esi
0051A69E|.E8 9D18F8FF call 00.0049BF40
0051A6A3|.68 80000000 push 80 ; /BufSize = 80 (128.)
0051A6A8|.8D85 7BFFFFFF lea eax, dword ptr [ebp-85] ; |
0051A6AE|.50 push eax ; |Buffer
0051A6AF|.E8 18CAEEFF call <jmp.&kernel32.GetSystemD>; \GetSystemDirectoryA
0051A6B4|.8D45 FC lea eax, dword ptr [ebp-4]
0051A6B7|.8D95 7BFFFFFF lea edx, dword ptr [ebp-85]
0051A6BD|.B9 81000000 mov ecx, 81
0051A6C2|.E8 65A3EEFF call 00.00404A2C
0051A6C7|.8D95 74FFFFFF lea edx, dword ptr [ebp-8C]
0051A6CD|.8B83 08030000 mov eax, dword ptr [ebx+308]
0051A6D3|.E8 90AFF2FF call 00.00445668
0051A6D8|.83BD 74FFFFFF>cmp dword ptr [ebp-8C], 0 ;was a registration code entered?
0051A6DF|.74 1A je short 00.0051A6FB
0051A6E1|.8D95 70FFFFFF lea edx, dword ptr [ebp-90]
0051A6E7|.8B83 04030000 mov eax, dword ptr [ebx+304]
0051A6ED|.E8 76AFF2FF call 00.00445668
0051A6F2|.83BD 70FFFFFF>cmp dword ptr [ebp-90], 0 ;was a confirmation code entered?
0051A6F9|.75 0F jnz short 00.0051A70A
0051A6FB|>B8 98A95100 mov eax, 00.0051A998
0051A700|.E8 0B3EF2FF call 00.0043E510
0051A705|.E9 D6010000 jmp 00.0051A8E0
0051A70A|>8D95 6CFFFFFF lea edx, dword ptr [ebp-94]
0051A710|.8B83 08030000 mov eax, dword ptr [ebx+308]
0051A716|.E8 4DAFF2FF call 00.00445668
0051A71B|.8B85 6CFFFFFF mov eax, dword ptr [ebp-94] ;the (fake) registration code that was entered
0051A721|.50 push eax
0051A722|.8D95 64FFFFFF lea edx, dword ptr [ebp-9C]
0051A728|.8B83 04030000 mov eax, dword ptr [ebx+304]
0051A72E|.E8 35AFF2FF call 00.00445668
0051A733|.8B85 64FFFFFF mov eax, dword ptr [ebp-9C] ;the confirmation code that was entered
0051A739|.E8 BAEBEEFF call 00.004092F8
0051A73E|.B9 B1D00000 mov ecx, 0D0B1 ;constant 0D0B1
0051A743|.99 cdq ;sign-extend eax into edx:eax
0051A744|.F7F9 idiv ecx ;divide
0051A746|.8BC2 mov eax, edx ;take the remainder
0051A748|.8D95 68FFFFFF lea edx, dword ptr [ebp-98]
0051A74E|.E8 41EBEEFF call 00.00409294 ;convert the remainder to a decimal string; call it X
0051A753|.8D85 68FFFFFF lea eax, dword ptr [ebp-98]
0051A759|.50 push eax
0051A75A|.8D95 58FFFFFF lea edx, dword ptr [ebp-A8]
0051A760|.8B83 04030000 mov eax, dword ptr [ebx+304]
0051A766|.E8 FDAEF2FF call 00.00445668
0051A76B|.8B85 58FFFFFF mov eax, dword ptr [ebp-A8] ;the confirmation code that was entered
0051A771|.E8 82EBEEFF call 00.004092F8
0051A776|.8D95 5CFFFFFF lea edx, dword ptr [ebp-A4]
0051A77C|.E8 9FFBFFFF call 00.0051A320 ;algorithm one, step into it
0051A781|.8B85 5CFFFFFF mov eax, dword ptr [ebp-A4] ;value B
0051A787|.E8 6CEBEEFF call 00.004092F8
0051A78C|.8D95 60FFFFFF lea edx, dword ptr [ebp-A0]
0051A792|.E8 69FCFFFF call 00.0051A400 ;algorithm two, step into it
0051A797|.8B95 60FFFFFF mov edx, dword ptr [ebp-A0]
0051A79D|.58 pop eax
0051A79E|.E8 E1A2EEFF call 00.00404A84 ;prepend X to C; the result is the registration code
0051A7A3|.8B95 68FFFFFF mov edx, dword ptr [ebp-98]
0051A7A9|.58 pop eax
0051A7AA|.E8 11A4EEFF call 00.00404BC0 ;compare the real and the entered registration codes
0051A7AF|.0F85 07010000 jnz 00.0051A8BC ;key jump: taken when registration fails
0051A7B5|.A1 EC095200 mov eax, dword ptr [5209EC] ;from here on, the correct registration info is written to \WINDOWS\system32\dby.sys
0051A7BA|.8B00 mov eax, dword ptr [eax]
0051A7BC|.8B80 7C030000 mov eax, dword ptr [eax+37C]
0051A7C2|.33D2 xor edx, edx
0051A7C4|.E8 BFADF2FF call 00.00445588
0051A7C9|.A1 EC095200 mov eax, dword ptr [5209EC]
0051A7CE|.8B00 mov eax, dword ptr [eax]
0051A7D0|.8B80 60030000 mov eax, dword ptr [eax+360]
0051A7D6|.B2 01 mov dl, 1
0051A7D8|.E8 ABADF2FF call 00.00445588
0051A7DD|.8D95 54FFFFFF lea edx, dword ptr [ebp-AC]
0051A7E3|.8B83 08030000 mov eax, dword ptr [ebx+308]
0051A7E9|.E8 7AAEF2FF call 00.00445668
0051A7EE|.8B8D 54FFFFFF mov ecx, dword ptr [ebp-AC]
0051A7F4|.BA B8A95100 mov edx, 00.0051A9B8 ;ASCII "yhdsger"
0051A7F9|.8BC6 mov eax, esi
0051A7FB|.E8 DC18F8FF call 00.0049C0DC
0051A800|.8D85 50FFFFFF lea eax, dword ptr [ebp-B0]
0051A806|.B9 C8A95100 mov ecx, 00.0051A9C8 ;ASCII "\dby.sys"
0051A80B|.8B55 FC mov edx, dword ptr [ebp-4]
0051A80E|.E8 B5A2EEFF call 00.00404AC8
0051A813|.8B8D 50FFFFFF mov ecx, dword ptr [ebp-B0]
0051A819|.B2 01 mov dl, 1
0051A81B|.A1 ECAD4900 mov eax, dword ptr [49ADEC]
0051A820|.E8 7706F8FF call 00.0049AE9C
0051A825|.8BF0 mov esi, eax
0051A827|.8D95 4CFFFFFF lea edx, dword ptr [ebp-B4]
0051A82D|.8B83 08030000 mov eax, dword ptr [ebx+308]
0051A833|.E8 30AEF2FF call 00.00445668
0051A838|.8B85 4CFFFFFF mov eax, dword ptr [ebp-B4]
0051A83E|.50 push eax
0051A83F|.B9 DCA95100 mov ecx, 00.0051A9DC ;ASCII "dd"
0051A844|.BA E8A95100 mov edx, 00.0051A9E8 ;ASCII "syssetup"
0051A849|.8BC6 mov eax, esi
0051A84B|.8B38 mov edi, dword ptr [eax]
0051A84D|.FF57 04 call dword ptr [edi+4]
0051A850|.8D95 48FFFFFF lea edx, dword ptr [ebp-B8]
0051A856|.8B83 04030000 mov eax, dword ptr [ebx+304]
0051A85C|.E8 07AEF2FF call 00.00445668
0051A861|.8B85 48FFFFFF mov eax, dword ptr [ebp-B8]
0051A867|.50 push eax
0051A868|.B9 FCA95100 mov ecx, 00.0051A9FC ;ASCII "zc"
0051A86D|.BA E8A95100 mov edx, 00.0051A9E8 ;syssetup
0051A872|.8BC6 mov eax, esi
0051A874|.8B30 mov esi, dword ptr [eax]
0051A876|.FF56 04 call dword ptr [esi+4]
0051A879|.8D85 44FFFFFF lea eax, dword ptr [ebp-BC]
0051A87F|.B9 C8A95100 mov ecx, 00.0051A9C8 ;\dby.sys
0051A884|.8B55 FC mov edx, dword ptr [ebp-4]
0051A887|.E8 3CA2EEFF call 00.00404AC8
0051A88C|.8B85 44FFFFFF mov eax, dword ptr [ebp-BC]
0051A892|.BA 02000000 mov edx, 2
0051A897|.E8 A4ECEEFF call 00.00409540
0051A89C|.A1 EC095200 mov eax, dword ptr [5209EC]
0051A8A1|.8B00 mov eax, dword ptr [eax]
0051A8A3|.8B80 54030000 mov eax, dword ptr [eax+354]
0051A8A9|.BA 08AA5100 mov edx, 00.0051AA08 ;刘夫之
0051A8AE|.E8 E5ADF2FF call 00.00445698
0051A8B3|.8BC3 mov eax, ebx
0051A8B5|.E8 D286F4FF call 00.00462F8C
0051A8BA|.EB 24 jmp short 00.0051A8E0
0051A8BC|>B8 18AA5100 mov eax, 00.0051AA18 ;"注册失败,请重试,重试失败请直接与作者联系" (Registration failed, please retry; if it fails again, contact the author directly)
Algorithm one, stepping into: 0051A77C|.E8 9FFBFFFF call 00.0051A320
0051A320/$55 push ebp
0051A321|.8BEC mov ebp, esp
0051A323|.33C9 xor ecx, ecx
0051A325|.51 push ecx
0051A326|.51 push ecx
0051A327|.51 push ecx
0051A328|.51 push ecx
0051A329|.53 push ebx
0051A32A|.56 push esi
0051A32B|.8BF2 mov esi, edx
0051A32D|.8BD8 mov ebx, eax
0051A32F|.33C0 xor eax, eax
0051A331|.55 push ebp
0051A332|.68 F0A35100 push 00.0051A3F0
0051A337|.64:FF30 push dword ptr fs:[eax]
0051A33A|.64:8920 mov dword ptr fs:[eax], esp
0051A33D|.81F3 F1250B00 xor ebx, 0B25F1 ;XOR the confirmation code with 0B25F1
0051A343|.8BC3 mov eax, ebx
0051A345|.33D2 xor edx, edx ;clear edx
0051A347|.52 push edx ; /Arg2 => 00000000
0051A348|.50 push eax ; |Arg1
0051A349|.8D45 FC lea eax, dword ptr [ebp-4] ; |
0051A34C|.E8 73EFEEFF call 00.004092C4 ; \convert the XOR result to a decimal string; call it a
0051A351|.8B45 FC mov eax, dword ptr [ebp-4]
0051A354|.0FB600 movzx eax, byte ptr [eax] ;first digit of a
0051A357|.8B55 FC mov edx, dword ptr [ebp-4]
0051A35A|.0FB652 01 movzx edx, byte ptr [edx+1] ;second digit of a
0051A35E|.03C2 add eax, edx ;add them
0051A360|.B9 05000000 mov ecx, 5 ;load 5
0051A365|.99 cdq
0051A366|.F7F9 idiv ecx ;divide by 5
0051A368|.80C2 34 add dl, 34 ;remainder + 34
0051A36B|.8855 F8 mov byte ptr [ebp-8], dl ;store the result in [ebp-8]; call it a1
0051A36E|.8B45 FC mov eax, dword ptr [ebp-4] ;value a
0051A371|.0FB640 02 movzx eax, byte ptr [eax+2] ;third digit of a
0051A375|.8B55 FC mov edx, dword ptr [ebp-4]
0051A378|.0FB652 03 movzx edx, byte ptr [edx+3] ;fourth digit of a
0051A37C|.03C2 add eax, edx ;add them
0051A37E|.B9 05000000 mov ecx, 5
0051A383|.99 cdq
0051A384|.F7F9 idiv ecx ;divide by 5
0051A386|.8BDA mov ebx, edx
0051A388|.80C3 33 add bl, 33 ;remainder + 33
0051A38B|.885D F9 mov byte ptr [ebp-7], bl ;store the result in [ebp-7]; call it a2
0051A38E|.8D45 F4 lea eax, dword ptr [ebp-C]
0051A391|.8A55 F8 mov dl, byte ptr [ebp-8] ;the byte in [ebp-8] (a1)
0051A394|.E8 0BA6EEFF call 00.004049A4
0051A399|.8B45 F4 mov eax, dword ptr [ebp-C]
0051A39C|.8D55 FC lea edx, dword ptr [ebp-4] ;value a
0051A39F|.B9 1B000000 mov ecx, 1B
0051A3A4|.E8 B3A9EEFF call 00.00404D5C ;append a1 to the end of a, giving a new a
0051A3A9|.8D45 F0 lea eax, dword ptr [ebp-10]
0051A3AC|.8BD3 mov edx, ebx
0051A3AE|.E8 F1A5EEFF call 00.004049A4
0051A3B3|.8B45 F0 mov eax, dword ptr [ebp-10]
0051A3B6|.8D55 FC lea edx, dword ptr [ebp-4]
0051A3B9|.B9 19000000 mov ecx, 19
0051A3BE|.E8 99A9EEFF call 00.00404D5C ;append a2 to the end of the new a; the result is B
0051A3C3|.8BC6 mov eax, esi
0051A3C5|.8B55 FC mov edx, dword ptr [ebp-4]
0051A3C8|.E8 4BA4EEFF call 00.00404818
0051A3CD|.33C0 xor eax, eax
0051A3CF|.5A pop edx
0051A3D0|.59 pop ecx
0051A3D1|.59 pop ecx
0051A3D2|.64:8910 mov dword ptr fs:[eax], edx
0051A3D5|.68 F7A35100 push 00.0051A3F7
0051A3DA|>8D45 F0 lea eax, dword ptr [ebp-10]
0051A3DD|.BA 02000000 mov edx, 2
0051A3E2|.E8 01A4EEFF call 00.004047E8
0051A3E7|.8D45 FC lea eax, dword ptr [ebp-4]
0051A3EA|.E8 D5A3EEFF call 00.004047C4
0051A3EF\.C3 retn
0051A3F0 .^ E9 939CEEFF jmp 00.00404088
0051A3F5 .^ EB E3 jmp short 00.0051A3DA
0051A3F7 .5E pop esi
0051A3F8 .5B pop ebx
0051A3F9 .8BE5 mov esp, ebp
0051A3FB .5D pop ebp
0051A3FC .C3 retn
Algorithm two, stepping into:
0051A400/$55 push ebp
0051A401|.8BEC mov ebp, esp
0051A403|.33C9 xor ecx, ecx
0051A405|.51 push ecx
0051A406|.51 push ecx
0051A407|.51 push ecx
0051A408|.51 push ecx
0051A409|.51 push ecx
0051A40A|.51 push ecx
0051A40B|.53 push ebx
0051A40C|.56 push esi
0051A40D|.8BF2 mov esi, edx
0051A40F|.8BD8 mov ebx, eax
0051A411|.33C0 xor eax, eax
0051A413|.55 push ebp
0051A414|.68 4CA55100 push 00.0051A54C
0051A419|.64:FF30 push dword ptr fs:[eax]
0051A41C|.64:8920 mov dword ptr fs:[eax], esp
0051A41F|.81F3 8776FBDD xor ebx, DDFB7687 ;XOR B with DDFB7687
0051A425|.8BC3 mov eax, ebx
0051A427|.33D2 xor edx, edx
0051A429|.52 push edx ; /Arg2 => 00000000
0051A42A|.50 push eax ; |Arg1
0051A42B|.8D45 FC lea eax, dword ptr [ebp-4] ; |
0051A42E|.E8 91EEEEFF call 00.004092C4 ; \convert the XOR result to a decimal string; call it C
0051A433|.8B45 FC mov eax, dword ptr [ebp-4] ;[ebp-4] holds C
0051A436|.0FB600 movzx eax, byte ptr [eax] ;first digit of C
0051A439|.8B55 FC mov edx, dword ptr [ebp-4] ;[ebp-4] holds C
0051A43C|.0FB652 01 movzx edx, byte ptr [edx+1] ;second digit of C
0051A440|.03C2 add eax, edx ;add them
0051A442|.B9 05000000 mov ecx, 5
0051A447|.99 cdq
0051A448|.F7F9 idiv ecx ;divide by 5
0051A44A|.80C2 66 add dl, 66 ;remainder + 66
0051A44D|.8855 F8 mov byte ptr [ebp-8], dl ;store the result in [ebp-8]; call it C1
0051A450|.8B45 FC mov eax, dword ptr [ebp-4]
0051A453|.0FB640 02 movzx eax, byte ptr [eax+2] ;third digit of C
0051A457|.8B55 FC mov edx, dword ptr [ebp-4]
0051A45A|.0FB652 03 movzx edx, byte ptr [edx+3] ;fourth digit of C
0051A45E|.03C2 add eax, edx ;add them
0051A460|.B9 05000000 mov ecx, 5
0051A465|.99 cdq
0051A466|.F7F9 idiv ecx ;divide by 5
0051A468|.80C2 75 add dl, 75 ;remainder + 75
0051A46B|.8855 F9 mov byte ptr [ebp-7], dl ;store the result in [ebp-7]; call it C2
0051A46E|.8B45 FC mov eax, dword ptr [ebp-4]
0051A471|.0FB640 04 movzx eax, byte ptr [eax+4] ;fifth digit of C
0051A475|.8B55 FC mov edx, dword ptr [ebp-4]
0051A478|.0FB652 05 movzx edx, byte ptr [edx+5] ;sixth digit of C
0051A47C|.03C2 add eax, edx ;add them
0051A47E|.B9 05000000 mov ecx, 5
0051A483|.99 cdq
0051A484|.F7F9 idiv ecx ;divide by 5
0051A486|.80C2 7A add dl, 7A ;remainder + 7A
0051A489|.8855 FA mov byte ptr [ebp-6], dl ;store the result in [ebp-6]; call it C3
0051A48C|.8B45 FC mov eax, dword ptr [ebp-4]
0051A48F|.0FB640 06 movzx eax, byte ptr [eax+6] ;seventh digit of C
0051A493|.8B55 FC mov edx, dword ptr [ebp-4]
0051A496|.0FB652 07 movzx edx, byte ptr [edx+7] ;eighth digit of C
0051A49A|.03C2 add eax, edx ;add them
0051A49C|.8B55 FC mov edx, dword ptr [ebp-4]
0051A49F|.0FB652 08 movzx edx, byte ptr [edx+8] ;ninth digit of C
0051A4A3|.03C2 add eax, edx ;added in as well
0051A4A5|.B9 05000000 mov ecx, 5
0051A4AA|.99 cdq
0051A4AB|.F7F9 idiv ecx ;divide by 5
0051A4AD|.80C2 69 add dl, 69 ;remainder + 69
0051A4B0|.8855 FB mov byte ptr [ebp-5], dl ;store the result in [ebp-5]; call it C4
0051A4B3|.8D45 F4 lea eax, dword ptr [ebp-C]
0051A4B6|.8A55 F8 mov dl, byte ptr [ebp-8]
0051A4B9|.E8 E6A4EEFF call 00.004049A4
0051A4BE|.8B45 F4 mov eax, dword ptr [ebp-C]
0051A4C1|.8D55 FC lea edx, dword ptr [ebp-4]
0051A4C4|.B9 07000000 mov ecx, 7
0051A4C9|.E8 8EA8EEFF call 00.00404D5C ;insert C1 at position 7 of C, giving a new C
0051A4CE|.8D45 F0 lea eax, dword ptr [ebp-10]
0051A4D1|.8A55 FB mov dl, byte ptr [ebp-5]
0051A4D4|.E8 CBA4EEFF call 00.004049A4
0051A4D9|.8B45 F0 mov eax, dword ptr [ebp-10]
0051A4DC|.8D55 FC lea edx, dword ptr [ebp-4]
0051A4DF|.B9 03000000 mov ecx, 3
0051A4E4|.E8 73A8EEFF call 00.00404D5C ;insert C4 at position 3 of the new C, giving a new C
0051A4E9|.8D45 EC lea eax, dword ptr [ebp-14]
0051A4EC|.8A55 F9 mov dl, byte ptr [ebp-7]
0051A4EF|.E8 B0A4EEFF call 00.004049A4
0051A4F4|.8B45 EC mov eax, dword ptr [ebp-14]
0051A4F7|.8D55 FC lea edx, dword ptr [ebp-4]
0051A4FA|.B9 05000000 mov ecx, 5
0051A4FF|.E8 58A8EEFF call 00.00404D5C ;insert C2 at position 5 of the new C, giving a new C
0051A504|.8D45 E8 lea eax, dword ptr [ebp-18]
0051A507|.8A55 FA mov dl, byte ptr [ebp-6]
0051A50A|.E8 95A4EEFF call 00.004049A4
0051A50F|.8B45 E8 mov eax, dword ptr [ebp-18]
0051A512|.8D55 FC lea edx, dword ptr [ebp-4]
0051A515|.B9 09000000 mov ecx, 9
0051A51A|.E8 3DA8EEFF call 00.00404D5C ;insert C3 at position 9 of the new C, giving a new C
0051A51F|.8BC6 mov eax, esi
0051A521|.8B55 FC mov edx, dword ptr [ebp-4]
0051A524|.E8 EFA2EEFF call 00.00404818
0051A529|.33C0 xor eax, eax
0051A52B|.5A pop edx
0051A52C|.59 pop ecx
0051A52D|.59 pop ecx
0051A52E|.64:8910 mov dword ptr fs:[eax], edx
0051A531|.68 53A55100 push 00.0051A553
0051A536|>8D45 E8 lea eax, dword ptr [ebp-18]
0051A539|.BA 04000000 mov edx, 4
0051A53E|.E8 A5A2EEFF call 00.004047E8
0051A543|.8D45 FC lea eax, dword ptr [ebp-4]
0051A546|.E8 79A2EEFF call 00.004047C4
0051A54B\.C3 retn
0051A54C .^ E9 379BEEFF jmp 00.00404088
0051A551 .^ EB E3 jmp short 00.0051A536
0051A553 .5E pop esi
0051A554 .5B pop ebx
0051A555 .8BE5 mov esp, ebp
0051A557 .5D pop ebp
0051A558 .C3 retn
--------------------------------------------------------------------------------
[Summary]
The software's registration algorithm is roughly as follows:
1. Divide the confirmation code by 0D0B1 and take the remainder, then convert it to a decimal string; call it A.
2. XOR the confirmation code with 0B25F1 and call the result B. Add the first and second digits of B, divide by 5, add 34 to the remainder, and append the resulting character after B.
Then add the third and fourth digits of B, divide by 5, add 33 to the remainder, and append that character at the end of B as well. Call the result C.
3. XOR C with DDFB7687, then add digits 1 and 2, 3 and 4, 5 and 6, and 7 and 8 of the result, convert each sum to a character, and insert the characters at the corresponding positions of the XOR
result. Call the result D.
4. Concatenating A and D gives the registration code.
The above is a beginner's analysis; please point out anything that is wrong!
Thanks to Nisy for the reminder, hence this update!
[ This post was last edited by 水中花 on 2007-3-26 11:47 ]
Learned something~~
http://www.fuzi.cn/ (from the crack writeup you can tell whose software this is) Fuzi's software; the protection strength has indeed improved now~~
cdq first extends the doubleword (extends what is in EAX into EDX)
idiv ecx integer division
0051A436|.0FB600 movzx eax, byte ptr [eax] ;first digit of C
0051A439|.8B55 FC mov edx, dword ptr [ebp-4]
0051A43C|.0FB652 01 movzx edx, byte ptr [edx+1] ;second digit of C
0051A440|.03C2 add eax, edx ;add them
0051A442|.B9 05000000 mov ecx, 5
0051A447|.99 cdq
0051A448|.F7F9 idiv ecx ;divide by 5
0051A44A|.80C2 66 add dl, 66 ;remainder + 66
0051A44D|.8855 F8 mov byte ptr [ebp-8], dl ;store the result in [ebp-8]; call it C1
0051A450|.8B45 FC mov eax, dword ptr [ebp-4]
0051A453|.0FB640 02 movzx eax, byte ptr [eax+2] ;third digit of C
0051A457|.8B55 FC mov edx, dword ptr [ebp-4]
0051A45A|.0FB652 03 movzx edx, byte ptr [edx+3] ;fourth digit of C
Actually Fuzi's software all uses roughly the same algorithm! Only the parameters change a little.
Impressive~ Support for the OP~~