蓝光介绍信管理软件V3.2-算法分析
标 题: 【原创】蓝光介绍信管理软件V3.2-算法分析作 者: johnroot
时 间: 2007-05-22,11:28
链 接: http://bbs.pediy.com/showthread.php?t=45022
【文章标题】: 蓝光介绍信管理软件V3.2-算法分析
【文章作者】: johnroot
【作者主页】: bbs.chinapyg.com
【作者QQ号】: 6426587
【软件名称】: 蓝光介绍信管理软件V3.2
【下载地址】: 自己搜索下载
【加壳方式】: ASPack 2.12
【保护方式】: 加壳,变形DES
【编写语言】: DELPHI
【使用工具】: Ollydbg
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
1.ASPack壳手脱很容易搞定。
2.软件是重启验证注册,搜索字符串“SOFTWARE\”找到“SOFTWARE\Referral”
来到:
:00599701::BA 0C995900 MOV EDX,59990C \->:
SOFTWARE\Referral
::00599706::8BC6 MOV EAX,ESI
::00599708::E8 D792E9FF CALL 004329E4 \:JMPUP
::0059970D::84C0 TEST AL,AL
::0059970F::74 1E JE SHORT 0059972F \:JMPDOWN
::00599711::8D4D FC LEA ECX,
::00599714::BA 28995900 MOV EDX,599928 \->:
user
::00599719::8BC6 MOV EAX,ESI
::0059971B::E8 009AE9FF CALL 00433120 \:JMPUP
::00599720::8D4D F8 LEA ECX,
::00599723::BA 38995900 MOV EDX,599938 \->:
RegID
很明显在这里读取用户名,注册码。
Ollydbg加载程序,在599723下断,F9断下,往下跟踪
::00599740::E8 5BC6E6FF CALL 00405DA0 \:JMPUP
::00599745::8B45 E0 MOV EAX,
::00599748::8D55 E4 LEA EDX,
::0059974B::E8 FC12E7FF CALL 0040AA4C \\获取机器
码
::00599750::8B45 E4 MOV EAX,
::00599753::33D2 XOR EDX,EDX
::00599755::E8 36C8E6FF CALL 00405F90 \\机器码是
否为空
::0059975A::75 12 JNZ SHORT 0059976E \\不是就跳
::0059975C::8B83 8C030000 MOV EAX,
::00599762::BA 48995900 MOV EDX,599948 \->:
RNODER8088
\\把机器码
设为固定的“RNODER8088”
::005997B7::8B55 CC MOV EDX, //取密钥
“WAVE990”
::005997BA::8D4D D0 LEA ECX,
::005997BD::8B45 F4 MOV EAX, //取机器码
::005997C0::E8 EFF6FFFF CALL 00598EB4 //变形的DES加
密
::005997C5::8B45 D0 MOV EAX,
::005997C8::8D4D F0 LEA ECX,
::005997CB::BA 09000000 MOV EDX,9
::005997D0::E8 E7F4EBFF CALL 00458CBC //取结果的前9
位
::005997D5::8D4D C8 LEA ECX,
::005997D8::8B55 F0 MOV EDX, //取结果的前9
位作为密钥
::005997DB::8B45 FC MOV EAX, //取用户名
::005997DE::E8 D1F6FFFF CALL 00598EB4 //变形的DES加
密
::005997E3::8B45 C8 MOV EAX,
::005997E6::8D4D EC LEA ECX,
::005997E9::BA 09000000 MOV EDX,9
::005997EE::E8 C9F4EBFF CALL 00458CBC //取结果的前9位
A
::005997F3::8D45 C4 LEA EAX,
::005997F6::E8 3D66FFFF CALL 0058FE38
::005997FB::8B55 C4 MOV EDX, //取密钥
“WAVE990”
::005997FE::8D4D E8 LEA ECX,
::00599801::8B45 F8 MOV EAX, //取注册码假码
::00599804::E8 8FF8FFFF CALL 00599098 //变形的DES解密
::00599809::8B45 EC MOV EAX, //A
::0059980C::8B55 E8 MOV EDX, // 解密的结果 B
::0059980F::E8 3CC0E6FF CALL 00405850 //比较A=B否
::00599814::75 78 JNZ SHORT 0059988E //不等未注册
::00599816::837D EC 00 CMP DWORD PTR ,0 //比较A是否为空
::0059981A::74 72 JE SHORT 0059988E //是就未注册
delphi注册机代码:
DES部分:
unit DES;
interface
uses SysUtils;
type
TKeyByte = array of Byte;
TDesMode = (dmEncry, dmDecry);
function EncryStr(Str, Key: String): String;
function DecryStr(Str, Key: String): String;
function EncryStrHex(Str, Key: String): String;
function DecryStrHex(StrHex, Key: String): String;
const
BitIP: array of Byte =
(57, 49, 41, 33, 25, 17, 9, 1,
59, 51, 43, 35, 27, 19, 11, 3,
61, 53, 45, 37, 29, 21, 13, 5,
63, 55, 47, 39, 31, 23, 15, 7,
56, 48, 40, 32, 24, 16, 8, 0,
58, 50, 42, 34, 26, 18, 10, 2,
60, 52, 44, 36, 28, 20, 12, 4,
62, 54, 46, 38, 30, 22, 14, 6 );
BitCP: array of Byte =
( 39, 7, 47, 15, 55, 23, 63, 31,
38, 6, 46, 14, 54, 22, 62, 30,
37, 5, 45, 13, 53, 21, 61, 29,
36, 4, 44, 12, 52, 20, 60, 28,
35, 3, 43, 11, 51, 19, 59, 27,
34, 2, 42, 10, 50, 18, 58, 26,
33, 1, 41, 9, 49, 17, 57, 25,
32, 0, 40, 8, 48, 16, 56, 24 );
BitExp: array of Integer =
( 31, 0, 1, 2, 3, 4, 3, 4, 5, 6, 7, 8, 7, 8, 9,10,
11,12,11,12,13,14,15,16,15,16,17,18,19,20,19,20,
21,22,23,24,23,24,25,26,27,28,27,28,29,30,31,0 );
BitPM: array of Byte =
( 15, 6,19,20,28,11,27,16, 0,14,22,25, 4,17,30, 9,
1, 7,23,13,31,26, 2, 8,18,12,29, 5,21,10, 3,24 );
sBox: array of array of Byte =
( ( 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 ),
( 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 ),
( 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 ),
( 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 ),
( 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 ),
( 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 ),
( 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 ),
( 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 ) );
BitPMC1: array of Byte =
( 56, 48, 40, 32, 24, 16, 8,
0, 57, 49, 41, 33, 25, 17,
9, 1, 58, 50, 42, 34, 26,
18, 10, 2, 59, 51, 43, 35,
62, 54, 46, 38, 30, 22, 14,
6, 61, 53, 45, 37, 29, 21,
13, 5, 66, 52, 44, 36, 28,
20, 12, 4, 27, 19, 11, $11 );
BitPMC2: array of Byte =
( 13, 16, 10, 23, 0, 4,
2, 27, 14, $19, 20, 9,
22, 18, 11, 3, 25, 7,
15, 6, 26, 19, 12, $1A,
40, 51, 30, 36, 46, 54,
29, 39, 50, 44, 32, 47,
43, 48, 38, 55, 33, 52,
45, 41, 49, 35, 28, $0D ); //红色部分为DES的变形;
var
subKey: array of TKeyByte;
implementation
procedure initPermutation(var inData: array of Byte);
var
newData: array of Byte;
i: Integer;
begin
FillChar(newData, 8, 0);
for i := 0 to 63 do
if (inData shr 3] and (1 shl (7- (BitIP and $07)))) <> 0 then
newData := newData or (1 shl (7-(i and $07)));
for i := 0 to 7 do inData := newData;
end;
procedure conversePermutation(var inData: array of Byte);
var
newData: array of Byte;
i: Integer;
begin
FillChar(newData, 8, 0);
for i := 0 to 63 do
if (inData shr 3] and (1 shl (7-(BitCP and $07)))) <> 0 then
newData := newData or (1 shl (7-(i and $07)));
for i := 0 to 7 do inData := newData;
end;
procedure expand(inData: array of Byte; var outData: array of Byte);
var
i: Integer;
begin
FillChar(outData, 6, 0);
for i := 0 to 47 do
if (inData shr 3] and (1 shl (7-(BitExp and $07)))) <> 0 then
outData := outData or (1 shl (7-(i and $07)));
end;
procedure permutation(var inData: array of Byte);
var
newData: array of Byte;
i: Integer;
begin
FillChar(newData, 4, 0);
for i := 0 to 31 do
if (inData shr 3] and (1 shl (7-(BitPM and $07)))) <> 0 then
newData := newData or (1 shl (7-(i and $07)));
for i := 0 to 3 do inData := newData;
end;
function si(s,inByte: Byte): Byte;
var
c: Byte;
begin
c := (inByte and $20) or ((inByte and $1e) shr 1) or
((inByte and $01) shl 4);
Result := (sBox and $0f);
end;
procedure permutationChoose1(inData: array of Byte;
var outData: array of Byte);
var
i: Integer;
begin
FillChar(outData, 7, 0);
for i := 0 to 55 do
if (inData shr 3] and (1 shl (7-(BitPMC1 and $07)))) <> 0 then
outData := outData or (1 shl (7-(i and $07)));
end;
procedure permutationChoose2(inData: array of Byte;
var outData: array of Byte);
var
i: Integer;
begin
FillChar(outData, 6, 0);
for i := 0 to 47 do
if (inData shr 3] and (1 shl (7-(BitPMC2 and $07)))) <> 0 then
outData := outData or (1 shl (7-(i and $07)));
end;
procedure cycleMove(var inData: array of Byte; bitMove: Byte);
var
i: Integer;
begin
for i := 0 to bitMove - 1 do
begin
inData := (inData shl 1) or (inData shr 7);
inData := (inData shl 1) or (inData shr 7);
inData := (inData shl 1) or (inData shr 7);
inData := (inData shl 1) or ((inData and $10) shr 4);
inData := (inData and $0f);
end;
end;
procedure makeKey(inKey: array of Byte; var outKey: array of TKeyByte);
const
bitDisplace: array of Byte =
( 1,1,2,2, 2,2,2,2, 1,2,2,2, 2,2,2,1 );
var
outData56: array of Byte;
key28l: array of Byte;
key28r: array of Byte;
key56o: array of Byte;
i: Integer;
begin
permutationChoose1(inKey, outData56);
key28l := outData56 shr 4;
key28l := (outData56 shl 4) or (outData56 shr 4);
key28l := (outData56 shl 4) or (outData56 shr 4);
key28l := (outData56 shl 4) or (outData56 shr 4);
key28r := outData56 and $0f;
key28r := outData56;
key28r := outData56;
key28r := outData56;
for i := 0 to 15 do
begin
cycleMove(key28l, bitDisplace);
cycleMove(key28r, bitDisplace);
key56o := (key28l shl 4) or (key28l shr 4);
key56o := (key28l shl 4) or (key28l shr 4);
key56o := (key28l shl 4) or (key28l shr 4);
key56o := (key28l shl 4) or (key28r);
key56o := key28r;
key56o := key28r;
key56o := key28r;
permutationChoose2(key56o, outKey);
end;
end;
procedure encry(inData, subKey: array of Byte;
var outData: array of Byte);
var
outBuf: array of Byte;
buf: array of Byte;
i: Integer;
begin
expand(inData, outBuf);
for i := 0 to 5 do outBuf := outBuf xor subKey;
// outBuf xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
buf := outBuf shr 2; //xxxxxx -> 2
buf := ((outBuf and $03) shl 4) or (outBuf shr 4); // 4 <- xx xxxx -> 4
buf := ((outBuf and $0f) shl 2) or (outBuf shr 6); // 2 <- xxxx xx -> 6
buf := outBuf and $3f; // xxxxxx
buf := outBuf shr 2; // xxxxxx
buf := ((outBuf and $03) shl 4) or (outBuf shr 4); // xx xxxx
buf := ((outBuf and $0f) shl 2) or (outBuf shr 6); // xxxx xx
buf := outBuf and $3f; // xxxxxx
for i := 0 to 7 do buf := si(i, buf);
for i := 0 to 3 do outBuf := (buf shl 4) or buf;
permutation(outBuf);
for i := 0 to 3 do outData := outBuf;
end;
procedure desData(desMode: TDesMode;
inData: array of Byte; var outData: array of Byte);
// inData, outData 都为8Bytes,否则出错
var
i, j: Integer;
temp, buf: array of Byte;
begin
for i := 0 to 7 do outData := inData;
initPermutation(outData);
if desMode = dmEncry then
begin
for i := 0 to 15 do
begin
for j := 0 to 3 do temp := outData; //temp = Ln
for j := 0 to 3 do outData := outData; //Ln+1 = Rn
encry(outData, subKey, buf); //Rn ==Kn==> buf
for j := 0 to 3 do outData := temp xor buf; //Rn+1 = Ln^buf
end;
for j := 0 to 3 do temp := outData;
for j := 0 to 3 do outData := outData;
for j := 0 to 3 do outData := temp;
end
else if desMode = dmDecry then
begin
for i := 15 downto 0 do
begin
for j := 0 to 3 do temp := outData;
for j := 0 to 3 do outData := outData;
encry(outData, subKey, buf);
for j := 0 to 3 do outData := temp xor buf;
end;
for j := 0 to 3 do temp := outData;
for j := 0 to 3 do outData := outData;
for j := 0 to 3 do outData := temp;
end;
conversePermutation(outData);
end;
//////////////////////////////////////////////////////////////
function EncryStr(Str, Key: String): String;
var
StrByte, OutByte, KeyByte: array of Byte;
StrResult: String;
I, J: Integer;
begin
if (Length(Str) > 0) and (Ord(Str) = 0) then
raise Exception.Create('Error: the last char is NULL char.');
if Length(Key) < 8 then
while Length(Key) < 8 do Key := Key + Chr(0);
while Length(Str) mod 8 <> 0 do Str := Str + Chr(0);
for J := 0 to 7 do KeyByte := Ord(Key);
makeKey(keyByte, subKey);
StrResult := '';
for I := 0 to Length(Str) div 8 - 1 do
begin
for J := 0 to 7 do
StrByte := Ord(Str);
desData(dmEncry, StrByte, OutByte);
for J := 0 to 7 do
StrResult := StrResult + Chr(OutByte);
end;
Result := StrResult;
end;
function DecryStr(Str, Key: String): String;
var
StrByte, OutByte, KeyByte: array of Byte;
StrResult: String;
I, J: Integer;
begin
if Length(Key) < 8 then
while Length(Key) < 8 do Key := Key + Chr(0);
for J := 0 to 7 do KeyByte := Ord(Key);
makeKey(keyByte, subKey);
StrResult := '';
for I := 0 to Length(Str) div 8 - 1 do
begin
for J := 0 to 7 do StrByte := Ord(Str);
desData(dmDecry, StrByte, OutByte);
for J := 0 to 7 do
StrResult := StrResult + Chr(OutByte);
end;
while (Length(StrResult) > 0) and
(Ord(StrResult) = 0) do
Delete(StrResult, Length(StrResult), 1);
Result := StrResult;
end;
///////////////////////////////////////////////////////////
function EncryStrHex(Str, Key: String): String;
var
StrResult, TempResult, Temp: String;
I: Integer;
begin
TempResult := EncryStr(Str, Key);
StrResult := '';
for I := 0 to Length(TempResult) - 1 do
begin
Temp := Format('%x', )]);
if Length(Temp) = 1 then Temp := '0' + Temp;
StrResult := StrResult + Temp;
end;
Result := StrResult;
end;
function DecryStrHex(StrHex, Key: String): String;
function HexToInt(Hex: String): Integer;
var
I, Res: Integer;
ch: Char;
begin
Res := 0;
for I := 0 to Length(Hex) - 1 do
begin
ch := Hex;
if (ch >= '0') and (ch <= '9') then
Res := Res * 16 + Ord(ch) - Ord('0')
else if (ch >= 'A') and (ch <= 'F') then
Res := Res * 16 + Ord(ch) - Ord('A') + 10
else if (ch >= 'a') and (ch <= 'f') then
Res := Res * 16 + Ord(ch) - Ord('a') + 10
else raise Exception.Create('Error: not a Hex String');
end;
Result := Res;
end;
var
Str, Temp: String;
I: Integer;
begin
Str := '';
for I := 0 to Length(StrHex) div 2 - 1 do
begin
Temp := Copy(StrHex, I * 2 + 1, 2);
Str := Str + Chr(HexToInt(Temp));
end;
Result := DecryStr(Str, Key);
end;
end.
主程序部分:
uses
des;
procedure TForm1.Button1Click(Sender: TObject);
var
diskid,nameok,regsn:string;
begin
diskid:=copy(edit1.Text,1,8);
nameok:=copy(edit2.Text,1,8);
regsn:=des.EncryStrHex(diskid,'WAVE990');
regsn:=copy(regsn,1,9);
regsn:=des.EncryStrHex(nameok,regsn);
regsn:=copy(regsn,1,9);
regsn:=des.EncryStrHex(regsn,'WAVE990');
edit3.Text:=regsn;
end;
--------------------------------------------------------------------------------
【版权声明】: 本文原创于PYG论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年05月29日 17:39:57
对不起原来的注册机编译错了,5月23日更新了下:
[ 本帖最后由 johnroot 于 2007-5-23 19:54 编辑 ] 好文,望兄弟多写些此类文章。 注册机报毒,呵呵,这无所谓,关键算出的注册码注册不成功。 好,不错,高手的作品,下来看看。 原帖由 kiss-you 于 2007-5-23 10:51 发表 https://www.chinapyg.com/images/common/back.gif
注册机报毒,呵呵,这无所谓,关键算出的注册码注册不成功。
对不起,毒是壳的原因!注册机原来编译错了,23日重传了,大家测试下。 原帖由 johnroot 于 2007-5-23 19:57 发表 https://www.chinapyg.com/images/common/back.gif
对不起,毒是壳的原因!注册机原来编译错了,23日重传了,大家测试下。
呵呵,测试了一下,重编译的,还是注册不成功。 晕了,我试了几台机确实可以注册成功啊!
你重下了注册机没? 学习中。谢谢,辛苦了。
页:
[1]