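A Simple Algorithm Analysis of JBookMaker 1.06
【Title】: A Simple Algorithm Analysis of JBookMaker 1.06
【Author】: RCracker
【Software name】: JBookMaker1.06
【Download】: search for it yourself
【Author's statement】: This is just out of interest, with no other purpose. If I have made mistakes, I welcome corrections from the experts!
【Software description】: JBookMaker (JBM for short) turns text (TXT) files into a format that Java-capable phones can run, so they can be read conveniently on the phone. The result is what is usually called a Java book; here we call it a JBook.
First, sincere thanks for using JBookMaker from Bigwater and Happybird (hereafter B&H). JBM is a portable program consisting of a single EXE file and needs no installation. The file is only a little over 1 MB, and using it does not require installing a Java runtime of tens of megabytes on the computer, which is rare among Java book makers of this kind.
Authors: Bigwater and Happybird. Author homepage: Http://Www.Bigwater.Org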
--------------------------------------------------------------------------------
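【Detailed process】
Run the program, enter a user name and registration code, and click OK; the check turns out to be performed on restart.
Load it in OD and unpack it using the ESP law.
Load the unpacked program in OD: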
00402B38 > $68 B8404000 PUSH JBookMak.004040B8 ;(Initial CPU selection)
00402B3D .E8 EEFFFFFF CALL <JMP.&msvbvm60.ThunRTMain>
00402B42 .0000 ADD BYTE PTR DS:,AL
00402B44 .0000 ADD BYTE PTR DS:,AL
00402B46 .0000 ADD BYTE PTR DS:,AL
00402B48 .3000 XOR BYTE PTR DS:,AL
00402B4A .0000 ADD BYTE PTR DS:,AL
00402B4C .40 INC EAX
00402B4D .0000 ADD BYTE PTR DS:,AL
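Search the strings and find regcode; there are two hits.
---------------------------------
A. Ultra String Reference, item 407
Address=004207BF
Disassembly=MOV EDX,JBookMak.00409DFC
Text string=regcode
B. Ultra String Reference, item 452
Address=004284B4
Disassembly=MOV EDX,JBookMak.00409DFC
Text string=regcode
---------------------------------
A is probably the key location (verification at startup); double-click it: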
004207B1 .BA B8804000 MOV EDX,JBookMak.004080B8
004207B6 .8D4D 94 LEA ECX,DWORD PTR SS:
004207B9 .FF15 E8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCopy>] ;msvbvm60.__vbaStrCopy
004207BF .BA FC9D4000 MOV EDX,JBookMak.00409DFC ;regcode
004207C4 .8D4D 98 LEA ECX,DWORD PTR SS:
004207C7 .FF15 E8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCopy>] ;msvbvm60.__vbaStrCopy
004207CD .BA E49D4000 MOV EDX,JBookMak.00409DE4 ;register
004207D2 .8D4D 9C LEA ECX,DWORD PTR SS:
004207D5 .FF15 E8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCopy>] ;msvbvm60.__vbaStrCopy
004207DB .8D4D 94 LEA ECX,DWORD PTR SS:
004207DE .51 PUSH ECX
004207DF .8D55 98 LEA EDX,DWORD PTR SS:
004207E2 .52 PUSH EDX
004207E3 .8D45 9C LEA EAX,DWORD PTR SS:
004207E6 .50 PUSH EAX
004207E7 .8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:
004207ED .51 PUSH ECX
004207EE .E8 0D870000 CALL JBookMak.00428F00
004207F3 .8D95 7CFFFFFF LEA EDX,DWORD PTR SS:
004207F9 .52 PUSH EDX
004207FA .8D85 6CFFFFFF LEA EAX,DWORD PTR SS:
00420800 .50 PUSH EAX
00420801 .FF15 C8104000 CALL DWORD PTR DS:[<&msvbvm60.rtcTrimVar>] ;msvbvm60.rtcTrimVar
00420807 .8D95 6CFFFFFF LEA EDX,DWORD PTR SS:
0042080D .8D4D D0 LEA ECX,DWORD PTR SS:
00420810 .FF15 14104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarMove>] ;msvbvm60.__vbaVarMove
00420816 .8D4D 94 LEA ECX,DWORD PTR SS:
00420819 .51 PUSH ECX
0042081A .8D55 98 LEA EDX,DWORD PTR SS:
0042081D .52 PUSH EDX
0042081E .8D45 9C LEA EAX,DWORD PTR SS:
00420821 .50 PUSH EAX
00420822 .6A 03 PUSH 3
00420824 .FF15 EC114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeStrList>] ;msvbvm60.__vbaFreeStrList
0042082A .83C4 10 ADD ESP,10
0042082D .8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:
00420833 .FF15 20104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>] ;msvbvm60.__vbaFreeVar
00420839 .C745 FC 08000>MOV DWORD PTR SS:,8
00420840 .66:C785 38FFF>MOV WORD PTR SS:,1
00420849 .8D4D B0 LEA ECX,DWORD PTR SS:
0042084C .51 PUSH ECX
0042084D .FF15 50104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrErrVarCopy>] ;msvbvm60.__vbaStrErrVarCopy
00420853 .8945 84 MOV DWORD PTR SS:,EAX ;serial number
00420856 .C785 7CFFFFFF>MOV DWORD PTR SS:,8
00420860 .C785 44FFFFFF>MOV DWORD PTR SS:,JBookMak.00409E10 ;fixed string AI34K123
0042086A .C785 3CFFFFFF>MOV DWORD PTR SS:,8
00420874 .8D55 A0 LEA EDX,DWORD PTR SS:
00420877 .52 PUSH EDX
00420878 .8D85 7CFFFFFF LEA EAX,DWORD PTR SS:
0042087E .50 PUSH EAX
0042087F .8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:
00420885 .51 PUSH ECX
00420886 .FF15 AC114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCat>] ;msvbvm60.__vbaVarCat
0042088C .50 PUSH EAX
0042088D .8D95 3CFFFFFF LEA EDX,DWORD PTR SS:
00420893 .52 PUSH EDX
00420894 .8D85 5CFFFFFF LEA EAX,DWORD PTR SS:
0042089A .50 PUSH EAX
0042089B .FF15 AC114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCat>] ;msvbvm60.__vbaVarCat
004208A1 .50 PUSH EAX
004208A2 .FF15 2C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarMove>] ;user name, serial number and fixed string concatenated in that order
004208A8 .8BD0 MOV EDX,EAX
004208AA .8D4D 9C LEA ECX,DWORD PTR SS:
004208AD .FF15 40124000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
004208B3 .8D8D 38FFFFFF LEA ECX,DWORD PTR SS:
004208B9 .51 PUSH ECX
004208BA .8D55 9C LEA EDX,DWORD PTR SS:
004208BD .52 PUSH EDX
004208BE .E8 DD8A0000 CALL JBookMak.004293A0 ;key CALL (1)
004208C3 .8985 54FFFFFF MOV DWORD PTR SS:,EAX ;real code
004208C9 .C785 4CFFFFFF>MOV DWORD PTR SS:,8
Step into key CALL (1):
004293A0 $55 PUSH EBP
004293A1 .8BEC MOV EBP,ESP
004293A3 .83EC 0C SUB ESP,0C
004293A6 .68 76274000 PUSH <JMP.&msvbvm60.__vbaExceptHandler> ;SE handler installation
004293AB .64:A1 0000000>MOV EAX,DWORD PTR FS:
004293B1 .50 PUSH EAX
------------------ some code omitted ------------------
004294CB .8D85 90FEFFFF LEA EAX,DWORD PTR SS:
004294D1 .8D8D ACFEFFFF LEA ECX,DWORD PTR SS:
004294D7 .50 PUSH EAX ; /Arg2
004294D8 .51 PUSH ECX ; |Arg1
004294D9 .E8 220C0000 CALL JBookMak.0042A100 ; \JBookMak.0042A100
004294DE .8D4D B0 LEA ECX,DWORD PTR SS:
004294E1 .FF15 20104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeVar>] ;msvbvm60.__vbaFreeVar
004294E7 .8D95 90FEFFFF LEA EDX,DWORD PTR SS:
004294ED .52 PUSH EDX
004294EE .57 PUSH EDI
004294EF .FF15 E4104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaErase>] ;msvbvm60.__vbaErase
004294F5 .E8 360A0000 CALL JBookMak.00429F30 ;key CALL (2)
//
In key CALL (2), we find:
-------------------------
A=0x01234567
B=0x89abcdef
C=0xfedcba98
D=0x76543210
Four constants, so this is probably the MD5 algorithm
-------------------------
//
004294FA .8B45 0C MOV EAX,DWORD PTR SS:
004294FD .66:8338 01 CMP WORD PTR DS:,1
00429501 .0F85 1E020000 JNZ JBookMak.00429725
00429507 .8B0D 90D04200 MOV ECX,DWORD PTR DS:
0042950D .83C1 04 ADD ECX,4
00429510 .51 PUSH ECX
00429511 .E8 7A050000 CALL JBookMak.00429A90 ; take characters 1-8 of the string
00429516 .8B1D 40124000 MOV EBX,DWORD PTR DS:[<&msvbvm60.__vbaStrMove>]
0042951C .8BD0 MOV EDX,EAX
0042951E .8D4D E4 LEA ECX,DWORD PTR SS:
00429521 .FFD3 CALL EBX ;<&msvbvm60.__vbaStrMove>
00429523 .8B15 90D04200 MOV EDX,DWORD PTR DS:
00429529 .83C2 08 ADD EDX,8
0042952C .52 PUSH EDX
0042952D .E8 5E050000 CALL JBookMak.00429A90 ; take characters 9-16 of the string
00429532 .8BD0 MOV EDX,EAX
00429534 .8D4D E0 LEA ECX,DWORD PTR SS:
00429537 .FFD3 CALL EBX
00429539 .A1 90D04200 MOV EAX,DWORD PTR DS:
0042953E .83C0 0C ADD EAX,0C
00429541 .50 PUSH EAX
00429542 .E8 49050000 CALL JBookMak.00429A90 ; take characters 17-24 of the string
00429547 .8BD0 MOV EDX,EAX
00429549 .8D4D DC LEA ECX,DWORD PTR SS:
0042954C .FFD3 CALL EBX
0042954E .8B0D 90D04200 MOV ECX,DWORD PTR DS:
00429554 .83C1 10 ADD ECX,10
00429557 .51 PUSH ECX
00429558 .E8 33050000 CALL JBookMak.00429A90 ; take characters 25-32 of the string
0042955D .8BD0 MOV EDX,EAX
0042955F .8D4D D8 LEA ECX,DWORD PTR SS:
00429562 .FFD3 CALL EBX
00429564 .8B45 E4 MOV EAX,DWORD PTR SS:
00429567 .8B35 38124000 MOV ESI,DWORD PTR DS:[<&msvbvm60.rtcLeftCharVar>] ;msvbvm60.rtcLeftCharVar
0042956D .8945 B8 MOV DWORD PTR SS:,EAX
------------------ some code omitted ------------------
00429683 .50 PUSH EAX
00429684 .8D85 F0FEFFFF LEA EAX,DWORD PTR SS:
0042968A .8D8D E0FEFFFF LEA ECX,DWORD PTR SS:
00429690 .50 PUSH EAX
00429691 .51 PUSH ECX
00429692 .FFD6 CALL ESI
00429694 .50 PUSH EAX
00429695 .FF15 2C104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrVarMove>] ;msvbvm60.__vbaStrVarMove
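//The registration code has the form (characters 1-6)-(characters 9-14)-(characters 17-22)-(characters 25-30)
【Algorithm summary】
1. The user name, serial number and fixed string are concatenated in that order to form a new string
2. The new string is encrypted with MD5
3. The encrypted string, taken out in the form above, is the registration code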
--------------------------------------------------------------------------------
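【Copyright notice】: When reposting, please credit the author and keep the article intact. Thank you!

//The registration code has the form (characters 1-5)-(characters 9-13)-(characters 17-21)-(characters 25-30)
This is the correct one.
To make it easier for everyone, I made a keygen based on the original poster's algorithm. If the original poster objects, I will delete it right away.
[ This post was last edited by wxq on 2007-9-7 20:17 ]

The poster above really put effort into this, keep it up!

Ugh, VB code gives me a headache just looking at it...

Nice, thanks for sharing. I don't really understand the algorithm yet, so I need to study hard. Sigh!

Impressive.
Learning from the original poster!!

Studying this.

Bump. The algorithm is really hard.

Learning from the original poster...

Could the poster in reply 2 post the code of that keygen so everyone can learn from it? Preferably written in VB.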
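
Added example (not part of the original thread and not code from the program): the four values noted in key CALL (2) are the MD5 initial state written in memory byte order, but MD4, SHA-1 and RIPEMD start from the same four words, so a constant scan should look for algorithm-specific tables before concluding MD5. The function names and the sample byte strings below are constructed for illustration.

```python
import struct

# Initial chaining values as 32-bit words; MD4, MD5, SHA-1 and RIPEMD all use them.
INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
SHA1_H4 = 0xC3D2E1F0   # fifth init word: SHA-1 and RIPEMD-160 only
MD5_T = (0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE)  # first MD5 sine-table entries
MD4_K = (0x5A827999, 0x6ED9EBA1)  # MD4 round constants (SHA-1 and RIPEMD reuse them)

def page_notation(word):
    """Hex of the word's bytes as they sit in little-endian x86 memory."""
    return struct.pack("<I", word).hex()

def has_word(blob, word):
    """True if the 32-bit word occurs in blob as a little-endian immediate."""
    return struct.pack("<I", word) in blob

def classify(blob):
    """Name the hash family suggested by the constants found in blob."""
    if not all(has_word(blob, w) for w in INIT):
        return "no MD-family init constants"
    if sum(has_word(blob, t) for t in MD5_T) >= 3:
        return "MD5"
    if has_word(blob, SHA1_H4):
        return "SHA-1 or RIPEMD-160"
    if all(has_word(blob, k) for k in MD4_K):
        return "MD4-style round constants"
    return "MD-family, variant undetermined"

def constructed_blob(words):
    """Constructed sample: each word as the imm32 of MOV DWORD PTR [EBP-10],imm32."""
    return b"".join(b"\xC7\x45\xF0" + struct.pack("<I", w) for w in words)

if __name__ == "__main__":
    print([page_notation(w) for w in INIT])
    samples = {
        "init only": INIT,
        "init + MD5 table": INIT + MD5_T,
        "init + fifth word": INIT + (SHA1_H4,),
        "init + MD4 constants": INIT + MD4_K,
    }
    for name, words in samples.items():
        print(name, "->", classify(constructed_blob(words)))
```

An "undetermined" result is common for implementations that compute the MD5 table at run time instead of embedding it, so the init constants alone only narrow the choice to the MD family.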