WinImage 8.10注册算法分析
【文章标题】: WinImage 8.10注册算法分析
【文章作者】: herx
【作者邮箱】: [email protected]
【作者QQ号】: 369136816
【软件名称】: WinImage(英文版)
【下载地址】: http://www.winimage.com/winimage.htm
【加壳方式】: 无壳
【编写语言】: VC8
【使用工具】: W32DASM,OLLYDBG,PEID
【操作平台】: xp sp2
【软件介绍】: 制作.img,.iso,等映像文件
【作者声明】: 只是感兴趣,作为学习,如果需要请购买正版,由于水平有限错误之处请高手指出。。。。
--------------------------------------------------------------------------------
【详细过程】
由于刚开始进行算法分析,希望大虾们给提点宝贵意见。。
用PEID查看是VC8 -> Microsoft Corporation *
软件未注册有30天试用
不输入或输入假的注册码都提示 "Registration information is invalid"
用W32DASM或下断点bp GetDlgItemTextA很容易找到关键地方
; --- Registration dialog handler (fragment: the function begins before 00466474) ---
; Reads the name (control 816) and key (control 817) edit fields into two globals,
; calls the validator at 004128F0 and branches on its single 0/1 result in eax.
; NOTE(review): bracketed memory operands ([esp+..], [xxxxxxxx]) were dropped when
; the listing was pasted; the opcode-byte column is where the addresses survive.
; Protection-design note: validity collapses into one flag that is tested at
; 004664B9 and again at 004664DB and mirrored into several globals -- a single
; decision point. Checks that cannot be reduced to one flag are harder to reason about.
00466474 > \8B7424 0C mov esi,dword ptr ss: ; esi = hWnd (stack argument; see the EndDialog call below)
00466478 .8B3D 587549>mov edi,dword ptr ds:[<&USER32.GetD>;USER32.GetDlgItemTextA
0046647E .68 01010000 push 101 ; |cchMax = 101
00466483 .68 F83A4B00 push winimage.004B3AF8 ; |Buffer = 004B3AF8 (the name is read into this global)
00466488 .68 16080000 push 816 ; |ControlID = 816 (name field)
0046648D .56 push esi ; |hDlg
0046648E .FFD7 call edi ; GetDlgItemTextA
00466490 .6A 7F push 7F ; |cchMax = 7F; with a breakpoint on GetDlgItemTextA, execution returns here after the key field is read
00466492 .68 683E4B00 push winimage.004B3E68 ; |Buffer = 004B3E68 (the entered key is read into this global)
00466497 .68 17080000 push 817 ; |ControlID = 817 (key field)
0046649C .56 push esi ; |hDlg
0046649D .FFD7 call edi ; GetDlgItemTextA
0046649F .68 F83A4B00 push winimage.004B3AF8 ; ASCII "heruixi" -- the name, passed on the stack
004664A4 .B8 683E4B00 mov eax,winimage.004B3E68 ; ASCII "9876543210" -- the entered key, passed in eax
004664A9 .E8 42C4FAFF call winimage.004128F0 ; validator (listed below): eax = 1 valid, 0 invalid
004664AE .8B15 B0374B>mov edx,dword ptr ds: ; edx = the validator's result global (004B37B0 per the opcode bytes)
004664B4 .33C9 xor ecx,ecx
004664B6 .83C4 04 add esp,4
004664B9 .3BC1 cmp eax,ecx ; decision point: eax == 0 ?
004664BB .A3 1C424B00 mov dword ptr ds:,eax ; cache the result in a global
004664C0 .74 06 je short winimage.004664C8
004664C2 .8915 20344B>mov dword ptr ds:,edx
004664C8 >390D 20344B>cmp dword ptr ds:,ecx
004664CE .8915 CC3A4B>mov dword ptr ds:,edx
004664D4 .75 05 jnz short winimage.004664DB
004664D6 .A3 CC3A4B00 mov dword ptr ds:,eax
004664DB >3BC1 cmp eax,ecx ; same test again (flags were clobbered by the cmp at 004664C8)
004664DD .75 4B jnz short winimage.0046652A ; non-zero -> success path
004664DF .68 10200000 push 2010 ; message id 2010: invalid-registration notice
004664E4 .68 2D040000 push 42D
004664E9 .68 2B040000 push 42B
004664EE .56 push esi
004664EF .C705 203F4B>mov dword ptr ds:,1
004664F9 .C705 C43A4B>mov dword ptr ds:,1
00466503 .880D 683E4B>mov byte ptr ds:,cl ; cl = 0: empty the key buffer (004B3E68)
00466509 .880D F83A4B>mov byte ptr ds:,cl ; empty the name buffer (004B3AF8)
0046650F .E8 DC80FFFF call winimage.0045E5F0 ; presumably the message helper (4 stack args) -- not shown
00466514 .83C4 10 add esp,10
00466517 .6A 01 push 1 ; /Result = 1
00466519 .56 push esi ; |hWnd
0046651A .FF15 7C7549>call dword ptr ds:[<&USER32.EndDial>; \EndDialog
00466520 .5F pop edi
00466521 .B8 01000000 mov eax,1
00466526 .5E pop esi
00466527 .C2 1000 retn 10
0046652A >68 40200000 push 2040 ; message id 2040: registration-successful notice
0046652F .68 2D040000 push 42D
00466534 .68 2A040000 push 42A
00466539 .56 push esi
0046653A .890D 203F4B>mov dword ptr ds:,ecx ; ecx = 0: clear the two flags set to 1 on the failure path
00466540 .890D C43A4B>mov dword ptr ds:,ecx
00466546 .E8 A580FFFF call winimage.0045E5F0 ; same helper as above
0046654B .83C4 10 add esp,10
0046654E .6A 01 push 1 ; /Result = 1
00466550 .56 push esi ; |hWnd
00466551 .FF15 7C7549>call dword ptr ds:[<&USER32.EndDial>; \EndDialog
00466557 .5F pop edi
00466558 .B8 01000000 mov eax,1
0046655D .5E pop esi
0046655E .C2 1000 retn 10
跟进计算的CALL:
; --- Key validator: int 004128F0(char *key /*eax*/, char *name /*stack*/) ---
; Returns eax = 1 when the entered key matches a string derived from the name,
; else 0; the same value is written to the global at 004B37B0 (opcode bytes
; C705 B0374B.. / A3 B0374B00), which the caller reads right after the call.
; Out-of-line targets 0043CA5E, 0043CA65 and 0043CB31 are not in the listing, and
; the author elided the middle of the routine (the "." lines).
; NOTE(review): bracketed memory operands were dropped when the listing was pasted.
; Protection-design note: the expected key is computed client-side from the name
; with no secret material visible on this page, so the checker doubles as a
; generator; a signature-based licence check does not have that property.
004128F0 $81EC 000200>sub esp,200 ; 0x200-byte local buffer for the upper-cased key
004128F6 .56 push esi
004128F7 .8D7424 04 lea esi,dword ptr ss: ; esi -> local buffer
004128FB .C705 B0374B>mov dword ptr ds:,0 ; result global = 0 (invalid) by default
00412905 .E8 C6210000 call winimage.00414AD0 ; copy the entered key into the local buffer, upper-cased
0041290A .8B8424 0802>mov eax,dword ptr ss:; eax = name (stack argument)
00412911 .E8 0A210000 call winimage.00414A20 ; eax = hash of the upper-cased name (listed below)
00412916 .3D 26DDDCB8 cmp eax,B8DCDD26 ; per the author this is the hash of an empty name (00414A20 as listed returns its seed for length <= 0, so unverified)
0041291B .0F84 3DA102>je winimage.0043CA5E ; -> 0043CA5E: xor eax,eax, then the epilogue (not shown)
跳到0043CA5Exor eax,eax,然后跳到
004129F4 >5E pop esi
004129F5 .81C4 000200>add esp,200
004129FB .C3 retn
00412921 .8BF0 mov esi,eax ; esi = name hash
00412923 .57 push edi
00412924 .8D4424 08 lea eax,dword ptr ss: ; eax -> upper-cased entered key
00412928 .50 push eax
00412929 .8BC6 mov eax,esi ; eax = hash (value argument of the formatter)
0041292B .8DBC24 0C01>lea edi,dword ptr ss: ; edi -> output buffer for the formatter
00412932 .E8 69FFFFFF call winimage.004128A0 ; expected key = hex(hash) with the 8/B swap (listed below)
00412937 .50 push eax
00412938 .E8 33870000 call winimage.0041B070 ; string compare expected vs entered (listed below); 0 = equal
0041293D .83C4 08 add esp,8
00412940 .85C0 test eax,eax
00412942 .0F84 E9A102>je winimage.0043CB31 ; match -> 0043CB31: mov eax,1, then jmp 004129F3 (not shown)
jmp 004129F3返回
.
.
.
.
004129C8 .8D5424 08 lea edx,dword ptr ss: ; edx -> upper-cased entered key
004129CC .52 push edx
004129CD .8D86 971906>lea eax,dword ptr ds: ; eax = a further value derived from the hash (elided code above not shown)
004129D3 .E8 C8FEFFFF call winimage.004128A0 ; format it the same way
004129D8 .50 push eax
004129D9 .E8 92860000 call winimage.0041B070 ; compare with the entered key
004129DE .83C4 08 add esp,8
004129E1 .85C0 test eax,eax
004129E3 .0F85 7CA002>jnz winimage.0043CA65 ; mismatch -> 0043CA65 (not shown)
004129E9 >B8 01000000 mov eax,1 ; valid
004129EE .A3 B0374B00 mov dword ptr ds:,eax ; publish the result in the global
004129F3 >5F pop edi
004129F4 >5E pop esi
004129F5 .81C4 000200>add esp,200
004129FB .C3 retn
用户名计算call
; --- Name hash: uint32 00414A20(const char *name /*stack*/) ---
; Upper-cases the name into a 0x104-byte local buffer, then folds each character
; into the accumulator edi with a per-position multiplier kept in esi; returns edi
; in eax. The out-of-line block 0043A27B is shown inline in braces.
; NOTE(review): bracketed memory operands were dropped when the listing was pasted;
; where an operand matters below it is decoded from the opcode bytes on this page.
00414A20 <> $81EC 04010000 sub esp,104 ; 0x104-byte local buffer for the upper-cased name
00414A26 .56 push esi
00414A27 .57 push edi
00414A28 .8D7424 0C lea esi,dword ptr ss: ; esi -> local buffer
00414A2C .BF 4C694700 mov edi,winimage.0047694C ; edi = initial accumulator value (OllyDbg shows it as an image address; presumably just a seed constant -- unconfirmed)
00414A31 .E8 9A000000 call <winimage.00414AD0> ; copy the name into the buffer, upper-cased
00414A36 .56 push esi ; esi -> upper-cased name
00414A37 .FF15 1C734900 call dword ptr ds:[<&KERNEL32.lstrlen>; \lstrlenA
00414A3D .85C0 test eax,eax
00414A3F .7E 75 jle short winimage.00414AB6 ; empty name: skip the loop and return edi unchanged
00414A41 .53 push ebx
00414A42 .55 push ebp
00414A43 .8BEE mov ebp,esi ; ebp -> upper-cased name
00414A45 .33C9 xor ecx,ecx ; ecx = character index
00414A47 .83ED 03 sub ebp,3
00414A4A .896C24 10 mov dword ptr ss:,ebp ; spill (name - 3); reloaded at the loop head
00414A4E .8B7424 10 mov esi,dword ptr ss: ; esi = ebp - 3
00414A52 .8BD8 mov ebx,eax ; ebx = name length (loop bound)
00414A54 .EB 0E jmp short winimage.00414A64
00414A56 .EB 08 jmp short winimage.00414A60 ; not reached (compiler padding)
00414A58 .8DA424 00000000 lea esp,dword ptr ss: ; padding
00414A5F .90 nop
00414A60 >8B6C24 10 mov ebp,dword ptr ss: ; loop head: reload (name - 3)
00414A64 >B8 93244992 mov eax,92492493 ; fixed constant
00414A69 .F7E9 imul ecx ; edx:eax = 92492493 * index
00414A6B .03D1 add edx,ecx
00414A6D .C1FA 03 sar edx,3
00414A70 .8BC2 mov eax,edx
00414A72 .C1E8 1F shr eax,1F
00414A75 .03C2 add eax,edx ; eax = result of the fixed-point step above
00414A77 .8D14C5 00000000 lea edx,dword ptr ds:
00414A7E .2BD0 sub edx,eax
00414A80 .03D2 add edx,edx
00414A82 .8BC1 mov eax,ecx
00414A84 .2BC2 sub eax,edx ; eax = index minus the derived value; zero resets the multiplier
00414A86 .75 05 jnz short winimage.00414A8D
00414A88 .BE 27000000 mov esi,27 ; multiplier reset
00414A8D >0FB65429 03 movzx edx,byte ptr ds: ; edx = current character, [ecx+ebp+3] per the opcode bytes
00414A92 .8D41 03 lea eax,dword ptr ds: ; eax = index + 3 (lea eax,[ecx+3])
00414A95 .0FAFD6 imul edx,esi ; character * multiplier
00414A98 .03FA add edi,edx ; accumulate into edi
00414A9A .99 cdq ; edx:eax = sign-extended eax (for idiv)
00414A9B .BD 0E000000 mov ebp,0E
00414AA0 .F7FD idiv ebp ; edx = (index + 3) mod 0E
00414AA2 .85D2 test edx,edx ; remainder zero?
00414AA4 .0F84 D1570200 je winimage.0043A27B ; yes -> out-of-line update of the multiplier
{0043A27B > \8D04F5 00000000 lea eax,dword ptr ds: ; eax = scaled esi (operand lost in extraction)
0043A282 .2BC6 sub eax,esi
0043A284 .8BF0 mov esi,eax ; new multiplier
0043A286 .^ E9 22A8FDFF jmp winimage.00414AAD ; back into the loop
}
00414AAA .8D3476 lea esi,dword ptr ds: ; otherwise esi = esi + esi*2 (lea esi,[esi+esi*2] per the opcode bytes)
00414AAD >83C1 01 add ecx,1 ; next character
00414AB0 .3BCB cmp ecx,ebx ; all characters processed?
00414AB2 .^ 7C AC jl short winimage.00414A60 ; loop while index < length
00414AB4 .5D pop ebp
00414AB5 .5B pop ebx
00414AB6 >8BC7 mov eax,edi ; return the accumulator
00414AB8 .5F pop edi
00414AB9 .5E pop esi
00414ABA .81C4 04010000 add esp,104
00414AC0 .C3 retn
计算出的真注册码进行转换:
; --- Key formatter: char *004128A0(uint32 value /*eax*/, char *out /*edi*/) ---
; wsprintfA(local, "%lX", value), then copies the hex string to out, replacing
; every '8' (0x38) with 'B' and every 'B' (0x42) with '8'; returns out.
; The two swap bodies at 004128E7 / 004128EB are not in the listing (the author's
; comments describe them).
; NOTE(review): bracketed memory operands were dropped when the listing was pasted.
004128A0 /$83EC 10 sub esp,10 ; 16-byte local for the "%lX" text (at most 8 hex digits + NUL)
004128A3 |.56 push esi
004128A4 |.50 push eax ; /<%lX> value to format
004128A5 |.8D4C24 08 lea ecx,dword ptr ss:; | ecx -> local buffer
004128A9 |.68 E4204A00 push winimage.004A20E4 ; |%lX
004128AE |.51 push ecx ; |s
004128AF |.8BF7 mov esi,edi ; | esi = output cursor, starts at out
004128B1 |.FF15 14754900 call dword ptr ds:[<&USER32.w>; \wsprintfA
004128B7 |.8A4424 10 mov al,byte ptr ss: ; al = first hex character
004128BB |.83C4 0C add esp,0C
004128BE |.84C0 test al,al
004128C0 |.74 1B je short winimage.004128DD ; empty string -> just terminate
004128C2 |.8D4C24 04 lea ecx,dword ptr ss:
004128C6 |.2BCF sub ecx,edi ; ecx = local - out, so [ecx+esi+1] walks the local string as esi advances
004128C8 |>3C 38 cmp al,38 ; '8'? -> stored as 'B' at 004128EB (not shown)
004128CA |.74 1F je short winimage.004128EB
004128CC |.3C 42 cmp al,42 ; 'B'? -> stored as '8' at 004128E7 (not shown)
004128CE |.74 17 je short winimage.004128E7
004128D0 |>8806 mov byte ptr ds:,al ; store the character at [esi]
004128D2 |.8A4431 01 mov al,byte ptr ds:[ecx+esi+1>; next hex character
004128D6 |.83C6 01 add esi,1
004128D9 |.84C0 test al,al
004128DB |.^ 75 EB jnz short winimage.004128C8 ; loop until NUL
004128DD |>C606 00 mov byte ptr ds:,0 ; NUL-terminate the output
004128E0 |.8BC7 mov eax,edi ; return the output buffer
004128E2 |.5E pop esi
004128E3 |.83C4 10 add esp,10
004128E6 |.C3 retn
计算出的注册码与输入的每一位进行比较:
; --- String compare: int 0041B070(const char *a, const char *b) ---
; Four-bytes-at-a-time compare: 0 when both strings end together, otherwise -1/+1
; from the carry of the last byte compare. Only the dword-aligned path is listed;
; the path at 0041B0BC (a not 4-aligned) is not shown.
; Called from 004128F0 with a = computed key, b = entered (upper-cased) key.
; NOTE(review): the four lines without the "|." marker (0041B084, 0041B08D,
; 0041B099, 0041B0A2) read 74/je, which would branch to the mismatch return on
; EQUAL bytes; a compare of this shape needs jne (75). They may have been retyped
; or patched while tracing -- verify against the binary before relying on them.
; NOTE(review): bracketed memory operands were dropped when the listing was pasted.
0041B070 /$8B5424 04 mov edx,dword ptr ss: ; edx = a (computed key)
0041B074 |.8B4C24 08 mov ecx,dword ptr ss: ; ecx = b (entered key)
0041B078 |.F7C2 03000000 test edx,3 ; a dword-aligned?
0041B07E |.75 3C jnz short winimage.0041B0BC ; no -> byte-wise path (not shown)
0041B080 |>8B02 /mov eax,dword ptr ds: ; eax = next 4 bytes of a
0041B082 |.3A01 |cmp al,byte ptr ds: ; byte 0 vs b[0]
0041B084 74 2E je short winimage.0041B0B4 ; (see the note above on je vs jne)
0041B086 |.0AC0 |or al,al ; end of string?
0041B088 |.74 26 |je short winimage.0041B0B0 ; yes -> equal
0041B08A |.3A61 01 |cmp ah,byte ptr ds: ; byte 1 vs b[1]
0041B08D 74 25 je short winimage.0041B0B4
0041B08F |.0AE4 |or ah,ah
0041B091 |.74 1D |je short winimage.0041B0B0 ; end of string -> equal
0041B093 |.C1E8 10 |shr eax,10 ; bring bytes 2 and 3 down
0041B096 |.3A41 02 |cmp al,byte ptr ds: ; byte 2 vs b[2]
0041B099 74 19 je short winimage.0041B0B4
0041B09B |.0AC0 |or al,al
0041B09D |.74 11 |je short winimage.0041B0B0
0041B09F |.3A61 03 |cmp ah,byte ptr ds: ; byte 3 vs b[3]
0041B0A2 74 10 je short winimage.0041B0B4
0041B0A4 |.83C1 04 |add ecx,4
0041B0A7 |.83C2 04 |add edx,4
0041B0AA |.0AE4 |or ah,ah
0041B0AC |.^ 75 D2 \jnz short winimage.0041B080 ; not at NUL -> next 4-byte group
0041B0AE |.8BFF mov edi,edi ; 2-byte no-op (padding)
0041B0B0 |>33C0 xor eax,eax ; return 0: equal
0041B0B2 |.C3 retn
0041B0B3 | 90 nop
0041B0B4 |>1BC0 sbb eax,eax ; eax = -1 if the last cmp set CF (a < b), else 0
0041B0B6 |.D1E0 shl eax,1
0041B0B8 |.83C0 01 add eax,1 ; -> -1 or +1
0041B0BB |.C3 retn
这个算法比较简单,对用户名转换为大写后,进行计算,对计算后的值每一位比较,如果为8转换为B,
如果为B转换为8,最后结果再与输入的注册码的每一位进行比较。。。
附件中有注册机完整源代码,请高手指出不足,在此表示感谢。。。
--------------------------------------------------------------------------------
2007年10月15日 好文章,/:good 楼主牛啊,看雪精华都有两篇了! 下载来学习,谢谢! /:011
〓★〓正要學習算法
〓★〓搜集搜集
〓★〓謝謝LZ 厉害啊!!!这个都破解了,不知道难不难!!1 思路很清晰,强啊。受教了 强悍.学习了,呵. /:QQ2 太牛逼了,感谢楼主,winimage是款常用软件,破解它比较实用! 写的很细致呵呵/:014