Hidden Camera v2.27 Algorithm Analysis
【Cracked by】 鹭影依凌 【Author's e-mail】 [email protected]
【Tools used】 OllyDbg v1.10
【Platform】 Win9x/NT/2000/XP
【Software description】 Monitors up to 50 computers on a LAN at the same time and can capture screenshots of each computer's display.
【Packer】 UPX
【Author's note】 I'm just a newbie; I picked up a few insights and want to share them with everyone :)
--------------------------------------------------------------------------------
【Analysis】
-> Trial registration data <-
UserName:luying10
E-mail:[email protected]
Quanty:256
Key:9876543210abcdef
Failure message: wrong key!
PEiD packer scan: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
Unpacked with the ESP trick; the dump runs normally without any import repair.
Located the routine with OllyDbg's string search (Ultra String Reference plugin).
Set a breakpoint at the start of the function, 00419127, and run the program; it breaks there (the registration window has not appeared yet). Continue with F8.
At 00419184 the registration dialog pops up; re-enter the registration information.
The program does not go straight into the check: it flickers briefly and only then stops at 00419189.
Analysis:
;=================================================================|
00419127 B8 2D634500 mov eax, 0045632D ; // start
0041912C E8 2F5E0100 call 0042EF60
00419131 81EC 20010000 sub esp, 120
00419137 A1 34244700 mov eax, dword ptr
0041913C 3345 04 xor eax, dword ptr
0041913F 53 push ebx
00419140 56 push esi
00419141 57 push edi
00419142 8BF1 mov esi, ecx
00419144 33DB xor ebx, ebx
00419146 33FF xor edi, edi
00419148 8965 F0 mov dword ptr , esp
0041914B 47 inc edi
0041914C 53 push ebx
0041914D 8D8E 54240100 lea ecx, dword ptr
00419153 8945 EC mov dword ptr , eax
00419156 8975 94 mov dword ptr , esi
00419159 895D FC mov dword ptr , ebx
0041915C 89BE 002E0100 mov dword ptr , edi
00419162 E8 A9470200 call 0043D910
00419167 8BCE mov ecx, esi
00419169 E8 32F7FEFF call 004088A0
0041916E 53 push ebx
0041916F 8D8D D4FEFFFF lea ecx, dword ptr
00419175 E8 978C0000 call 00421E11
0041917A 8D8D D4FEFFFF lea ecx, dword ptr
00419180 C645 FC 01 mov byte ptr , 1
00419184 E8 84430200 call 0043D50D ; // show the registration dialog
00419189 3BC7 cmp eax, edi ; if no registration info was entered, jump away
0041918B 0F85 B4030000 jnz 00419545 ; // jump (not taken)
;---------------------------< zero the key buffers >------------------|
00419191 8D86 18240100 lea eax, dword ptr ; load the address of the quantity
00419197 50 push eax
00419198 8D86 14240100 lea eax, dword ptr ; load the address of the serial number
0041919E 50 push eax
0041919F 8D86 10240100 lea eax, dword ptr ; load the address of {Quanty+Email}
004191A5 50 push eax
004191A6 8D86 0C240100 lea eax, dword ptr ; load the address of {UserName+Quanty}
004191AC 50 push eax
004191AD 8D8D D4FEFFFF lea ecx, dword ptr
004191B3 E8 528A0000 call 00421C0A
004191B8 68 4C974500 push 0045974C
004191BD 8D4D A0 lea ecx, dword ptr ; (ASCII " s8")
004191C0 E8 6E8BFEFF call 00401D33
004191C5 C645 FC 02 mov byte ptr , 2
004191C9 895D E8 mov dword ptr , ebx
004191CC 33C0 xor eax, eax ; EAX = 0
004191CE 83F8 20 cmp eax, 20 ;
004191D1 7D 15 jge short 004191E8 ; // exit loop
004191D3 806405 C4 00 and byte ptr , 0 ; 0012FB2C - 0012FB4B
004191D8 806405 A4 00 and byte ptr , 0 ; 0012FB0C - 0012FB2B
004191DD 80A405 64FFFFFF>and byte ptr , 0 ; 0012FACC - 0012FAEB
004191E5 40 inc eax ; EAX++
004191E6^ EB E6 jmp short 004191CE ; // loop 20H times
;-----------|
004191E8 33C0 xor eax, eax ; EAX = 0
004191EA 83F8 10 cmp eax, 10
004191ED 7D 08 jge short 004191F7
004191EF 806405 84 00 and byte ptr , 0 ; zero data (2)
004191F4 40 inc eax ;
004191F5^ EB F3 jmp short 004191EA ;// loop 10H times
;-----------------------------------------------------------------|
004191F7 8DBE 0C240100 lea edi, dword ptr
004191FD 57 push edi
004191FE 8D4D 9C lea ecx, dword ptr ; //
;---------------------------< initialize the tables used in the computation >------------|
00419201 C645 C4 2B mov byte ptr , 2B
00419205 C645 A4 59 mov byte ptr , 59
00419209 C645 C5 2D mov byte ptr , 2D
0041920D C645 A5 77 mov byte ptr , 77
00419211 C645 C6 26 mov byte ptr , 26
00419215 C645 A6 82 mov byte ptr , 82
00419219 C645 C7 EA mov byte ptr , 0EA
0041921D C645 A7 75 mov byte ptr , 75
00419221 C645 C8 5A mov byte ptr , 5A
00419225 C645 A8 3B mov byte ptr , 3B
00419229 C645 C9 56 mov byte ptr , 56
0041922D C645 A9 59 mov byte ptr , 59
00419231 C645 CA 22 mov byte ptr , 22
00419235 C645 AA 47 mov byte ptr , 47
00419239 C645 CB 5D mov byte ptr , 5D
0041923D C645 AB 58 mov byte ptr , 58
00419241 C645 CC 4B mov byte ptr , 4B
00419245 C645 AC 9E mov byte ptr , 9E
00419249 C645 CD CB mov byte ptr , 0CB
0041924D C645 AD 3B mov byte ptr , 3B
00419251 C645 CE 40 mov byte ptr , 40
00419255 C645 AE 8B mov byte ptr , 8B
00419259 C645 CF 9A mov byte ptr , 9A
0041925D C645 AF 94 mov byte ptr , 94
00419261 C645 D0 23 mov byte ptr , 23
00419265 C645 B0 BF mov byte ptr , 0BF
00419269 C645 D1 A4 mov byte ptr , 0A4
0041926D C645 B1 93 mov byte ptr , 93
00419271 C645 D2 61 mov byte ptr , 61
00419275 C645 B2 B2 mov byte ptr , 0B2
00419279 C645 D3 AB mov byte ptr , 0AB
0041927D C645 B3 7F mov byte ptr , 7F
00419281 C645 D4 ED mov byte ptr , 0ED
00419285 C645 B4 B2 mov byte ptr , 0B2
00419289 C645 D5 94 mov byte ptr , 94
0041928D C645 B5 B7 mov byte ptr , 0B7
00419291 C645 D6 83 mov byte ptr , 83
00419295 C645 B6 3B mov byte ptr , 3B
00419299 C645 D7 1F mov byte ptr , 1F
0041929D C645 B7 B9 mov byte ptr , 0B9
004192A1 C645 D8 DB mov byte ptr , 0DB
004192A5 C645 B8 8F mov byte ptr , 8F
004192A9 C645 D9 8B mov byte ptr , 8B
004192AD C645 B9 53 mov byte ptr , 53
004192B1 C645 DA 19 mov byte ptr , 19
004192B5 C645 BA 70 mov byte ptr , 70
004192B9 C645 DB D8 mov byte ptr , 0D8
004192BD C645 BB 5F mov byte ptr , 5F
004192C1 C645 DC C4 mov byte ptr , 0C4
004192C5 C645 BC EB mov byte ptr , 0EB
004192C9 C645 DD 63 mov byte ptr , 63
004192CD C645 BD 7B mov byte ptr , 7B
004192D1 C645 DE EB mov byte ptr , 0EB
004192D5 C645 BE 87 mov byte ptr , 87
004192D9 C645 DF 95 mov byte ptr , 95
004192DD C645 BF 05 mov byte ptr , 5
004192E1 C645 E0 9D mov byte ptr , 9D
004192E5 C645 C0 96 mov byte ptr , 96
004192E9 C645 E1 0E mov byte ptr , 0E
004192ED C645 C1 03 mov byte ptr , 3
004192F1 C645 E2 73 mov byte ptr , 73
004192F5 C645 C2 5B mov byte ptr , 5B
004192F9 C645 E3 C7 mov byte ptr , 0C7
004192FD C645 C3 9F mov byte ptr , 9F
;-----------------------------------------------------------------|
00419301 E8 1F82FEFF call 00401525 ; //
00419306 8D86 10240100 lea eax, dword ptr ; load the address of the e-mail
0041930C 50 push eax
0041930D 8D4D 98 lea ecx, dword ptr ; themewnd
00419310 C645 FC 03 mov byte ptr , 3
00419314 E8 0C82FEFF call 00401525
00419319 8D9E 18240100 lea ebx, dword ptr ; load the address of the user quantity
0041931F 53 push ebx
00419320 8BCF mov ecx, edi
00419322 C645 FC 04 mov byte ptr , 4
00419326 E8 A087FEFF call 00401ACB ; ECX = ASCII "luying10256"
0041932B 8D86 10240100 lea eax, dword ptr ; load the address of the e-mail
00419331 50 push eax
00419332 8D45 E4 lea eax, dword ptr
00419335 53 push ebx
00419336 50 push eax
00419337 E8 3985FEFF call 00401875 ; see the stack window
0041933C 83C4 0C add esp, 0C ; (ASCII "[email protected]")
0041933F 50 push eax
00419340 8D8E 10240100 lea ecx, dword ptr ; load the address of the e-mail
00419346 C645 FC 05 mov byte ptr , 5
0041934A E8 A784FEFF call 004017F6
0041934F 8B4D E4 mov ecx, dword ptr ;ECX = (ASCII "[email protected]")
00419352 83C1 F0 add ecx, -10
00419355 C645 FC 04 mov byte ptr , 4
00419359 E8 877EFEFF call 004011E5
;---------------------------< XOR {UserName+Quanty} into table A >--------|
0041935E 33DB xor ebx, ebx ; EBX = 0
00419360 33C0 xor eax, eax ; EAX = 0
00419362 8B0F mov ecx, dword ptr ; (ASCII "luying10256")
00419364 3B41 F4 cmp eax, dword ptr ; compare i with the string length
00419367 7D 10 jge short 00419379 ; // exit loop
00419369 8A0C01 mov cl, byte ptr ; i-th character of the string
0041936C 304C05 C4 xor byte ptr , cl ; table_A[i] = table_A[i] ^ cl
00419370 0FB6C9 movzx ecx, cl
00419373 014D E8 add dword ptr , ecx ; sum = sum + ECX
00419376 40 inc eax ; EAX++
00419377^ EB E9 jmp short 00419362 ; // loop once per character
;---------------------------< XOR {Quanty+Email} into table B >-----|
00419379 33C0 xor eax, eax ; EAX = 0
0041937B 8B8E 10240100 mov ecx, dword ptr ; (ASCII "[email protected]")
00419381 3B41 F4 cmp eax, dword ptr ; compare i with the string length
00419384 7D 10 jge short 00419396 ; // exit loop
00419386 8A0C01 mov cl, byte ptr ; i-th character of the string
00419389 304C05 A4 xor byte ptr , cl ; table_B[i] = table_B[i] ^ cl
0041938D 0FB6C9 movzx ecx, cl
00419390 014D E8 add dword ptr , ecx ; sum = sum + ECX
00419393 40 inc eax ; EAX++
00419394^ EB E5 jmp short 0041937B ; // loop once per character
;-----------------------------------------------------------------|
00419396 8B45 E8 mov eax, dword ptr ; EAX = sum (here 00000979)
00419399 6A 19 push 19
0041939B 33D2 xor edx, edx ; EDX = 0
0041939D 59 pop ecx ; ECX = 19H
0041939E F7F1 div ecx ; EDX = EAX % ECX
004193A0 8BFA mov edi, edx ; EDI = EDX
004193A2 83FF 03 cmp edi, 3 ;
004193A5 73 02 jnb short 004193A9 ; if EDI >= 3, jump (keep the remainder)
004193A7 51 push ecx ; ECX = 19H
004193A8 5F pop edi ; EDI = 19H (remainder was 0, 1 or 2)
;---------------------------< XOR the two XOR results together >------|
004193A9 33C0 xor eax, eax ; EAX = 0
004193AB 83F8 20 cmp eax, 20 ;
004193AE 7D 12 jge short 004193C2 ; >= 20H, exit loop
004193B0 8A4C05 A4 mov cl, byte ptr ; cl = table_B[i]
004193B4 324C05 C4 xor cl, byte ptr ; cl = cl ^ table_A[i]
004193B8 40 inc eax ; EAX++
004193B9 888C05 63FFFFFF mov byte ptr , cl ; save result: table_C[i]
004193C0^ EB E9 jmp short 004193AB ; // loop 20H times
;-----------------------------------------------------------------|
004193C2 33C9 xor ecx, ecx ; ECX = 0
004193C4 83F9 10 cmp ecx, 10
004193C7 7D 20 jge short 004193E9 ; >= 10H, exit loop
004193C9 0FB6940D 64FFFF>movzx edx, byte ptr ; EDX = table_C[i]
004193D1 0FB6840D 74FFFF>movzx eax, byte ptr ; EAX = table_C[i+10H]
004193D9 33C2 xor eax, edx ; EAX = EAX ^ EDX
004193DB 33D2 xor edx, edx ; EDX = 0
004193DD F7F7 div edi ; EDX = EAX % EDI
004193DF 80C2 41 add dl, 41 ; dl = dl + 41H ('A')
004193E2 88540D 84 mov byte ptr , dl ; save result: key[i]
004193E6 41 inc ecx ; ECX++
004193E7^ EB DB jmp short 004193C4 ; // loop 10H times
;---------------------------< build the key string from the result bytes >--------------|
004193E9 33FF xor edi, edi
.
004193EB 83FF 10 cmp edi, 10
004193EE 7D 30 jge short 00419420
004193F0 33C0 xor eax, eax
004193F2 8A443D 84 mov al, byte ptr ; stack ss: = 44 ('D')
004193F6 6A 01 push 1
004193F8 8D4D E4 lea ecx, dword ptr
004193FB 50 push eax
004193FC E8 71EDFEFF call 00408172
00419401 50 push eax
00419402 8D4D A0 lea ecx, dword ptr
00419405 C645 FC 06 mov byte ptr , 6
00419409 E8 BD86FEFF call 00401ACB
0041940E 8B4D E4 mov ecx, dword ptr
00419411 83C1 F0 add ecx, -10
00419414 C645 FC 04 mov byte ptr , 4
00419418 E8 C87DFEFF call 004011E5
0041941D 47 inc edi
0041941E^ EB CB jmp short 004193EB ;// loop 10H times
;---------------------------< compare the real key with the entered key >--------------------------|
00419420 8D45 A0 lea eax, dword ptr ; load the address of the real key
00419423 50 push eax
00419424 8D86 14240100 lea eax, dword ptr ; load the address of the entered key
0041942A 50 push eax
0041942B E8 1CE1FEFF call 0040754C ; |*| compare real and entered keys
00419430 84C0 test al, al ; test the result flag
00419432 59 pop ecx
00419433 59 pop ecx
00419434 0F84 CF000000 je 00419509 ; // taken = failure
;---------------------------< message: registration successful >-----------------------|
0041943A FFB6 18240100 push dword ptr ; push the quantity
00419440 E8 C45E0100 call 0042F309 ; convert to decimal, result in EAX
00419445 59 pop ecx
00419446 8BF8 mov edi, eax ; EDI = EAX
00419448 C786 00240100 0>mov dword ptr , 1
00419452 8B86 B8000000 mov eax, dword ptr
00419458 3BC7 cmp eax, edi
0041945A 7E 10 jle short 0041946C
0041945C 48 dec eax
0041945D 8BCE mov ecx, esi
0041945F 8986 04240100 mov dword ptr , eax
00419465 E8 C8D7FFFF call 00416C32
0041946A^ EB E6 jmp short 00419452
0041946C 8D86 18240100 lea eax, dword ptr
00419472 50 push eax
00419473 8D45 E8 lea eax, dword ptr
00419476 68 F8C04500 push 0045C0F8 ; oleansoft hidden camera 250x1 v2.27 manager & remote control - full version -
0041947B 50 push eax
0041947C 899E 00240100 mov dword ptr , ebx
00419482 E8 DC84FEFF call 00401963
00419487 83C4 0C add esp, 0C
0041948A 68 E4C04500 push 0045C0E4 ;employees pcs
0041948F 50 push eax
00419490 8D45 E4 lea eax, dword ptr
00419493 50 push eax
00419494 C645 FC 07 mov byte ptr , 7
00419498 E8 4884FEFF call 004018E5
0041949D 83C4 0C add esp, 0C
004194A0 8B38 mov edi, dword ptr
004194A2 C645 FC 08 mov byte ptr , 8
004194A6 E8 DE5D0300 call 0044F289
004194AB 8B40 04 mov eax, dword ptr
004194AE 8B48 1C mov ecx, dword ptr
004194B1 57 push edi
004194B2 E8 DF430200 call 0043D896
004194B7 8B4D E4 mov ecx, dword ptr
004194BA 83C1 F0 add ecx, -10
004194BD E8 237DFEFF call 004011E5
004194C2 8B4D E8 mov ecx, dword ptr
004194C5 83C1 F0 add ecx, -10
004194C8 C645 FC 04 mov byte ptr , 4
004194CC E8 147DFEFF call 004011E5
004194D1 53 push ebx
004194D2 53 push ebx
004194D3 68 ACC04500 push 0045C0AC ; full version activation has been successfully finished
004194D8 E8 4AD40200 call 00446927 ;// registration successful message
004194DD 53 push ebx
004194DE 8D8E 202B0100 lea ecx, dword ptr
004194E4 E8 27440200 call 0043D910
004194E9 8D45 9C lea eax, dword ptr
004194EC 8D8E 0C240100 lea ecx, dword ptr
004194F2 50 push eax
004194F3 E8 FE82FEFF call 004017F6
004194F8 8D45 98 lea eax, dword ptr
004194FB 8D8E 10240100 lea ecx, dword ptr
00419501 50 push eax
00419502 E8 EF82FEFF call 004017F6
00419507 EB 12 jmp short 0041951B
;---------------------------< message: registration failed >-----------------------|
00419509 53 push ebx
0041950A 53 push ebx
0041950B 68 90C04500 push 0045C090 ; wrong key! please try againfull version activation has been successfully finished
00419510 E8 12D40200 call 00446927 ; // error message
00419515 33C0 xor eax, eax
00419517 3BC3 cmp eax, ebx
00419519 74 07 je short 00419522
0041951B C746 54 2C83863>mov dword ptr , 3F86832C
00419522 8B4D 98 mov ecx, dword ptr ; (ASCII "[email protected]")
00419525 83C1 F0 add ecx, -10
00419528 E8 B87CFEFF call 004011E5
0041952D 8B4D 9C mov ecx, dword ptr ; (ASCII "luying10")
00419530 83C1 F0 add ecx, -10
00419533 E8 AD7CFEFF call 004011E5
00419538 8B4D A0 mov ecx, dword ptr ; (ASCII "DJIMFVELLEJALJNO")
0041953B 83C1 F0 add ecx, -10
0041953E E8 A27CFEFF call 004011E5
00419543 33DB xor ebx, ebx
00419545 8065 FC 00 and byte ptr , 0
00419549 8D8D D4FEFFFF lea ecx, dword ptr
0041954F 899E 002E0100 mov dword ptr , ebx
00419555 E8 DE840000 call 00421A38
0041955A 8B4D F4 mov ecx, dword ptr
0041955D 64:890D 0000000>mov dword ptr fs:, ecx
00419564 8B4D EC mov ecx, dword ptr
00419567 334D 04 xor ecx, dword ptr
0041956A E8 A74C0100 call 0042E216
0041956F 5F pop edi
00419570 5E pop esi
00419571 5B pop ebx
00419572 C9 leave
00419573 C3 retn ; // end
--------------------------------------------------------------------------------
【Summary】
The algorithm is as follows:
1. XOR the string {UserName+Quanty} (for the trial data above, "luying10256") byte by byte into the fixed table array_A, storing the result back into array_A, and add each byte value to sum:
int sum = 0;
unsigned char array_A[32] = {0x2B, 0x2D, 0x26, 0xEA, 0x5A, 0x56, 0x22, 0x5D, 0x4B, 0xCB, 0x40, 0x9A, 0x23, 0xA4, 0x61, 0xAB,
0xED, 0x94, 0x83, 0x1F, 0xDB, 0x8B, 0x19, 0xD8, 0xC4, 0x63, 0xEB, 0x95, 0x9D, 0x0E, 0x73, 0xC7};
unsigned char *str_A = UserName + Quanty;   // string concatenation
for (int i = 0; i < 32; i++)
{
    if (i >= strlen(str_A))
        break;
    array_A[i] = array_A[i] ^ str_A[i];
    sum = sum + str_A[i];
}
2. XOR the string {Quanty+Email} into the fixed table array_B in the same way, storing the result back into array_B and adding into the same sum:
unsigned char array_B[32] = {0x59, 0x77, 0x82, 0x75, 0x3B, 0x59, 0x47, 0x58, 0x9E, 0x3B, 0x8B, 0x94, 0xBF, 0x93, 0xB2, 0x7F,
0xB2, 0xB7, 0x3B, 0xB9, 0x8F, 0x53, 0x70, 0x5F, 0xEB, 0x7B, 0x87, 0x05, 0x96, 0x03, 0x5B, 0x9F};
unsigned char *str_B = Quanty + Email;      // string concatenation
for (int i = 0; i < 32; i++)
{
    if (i >= strlen(str_B))
        break;
    array_B[i] = array_B[i] ^ str_B[i];
    sum = sum + str_B[i];
}
3. Compute EDI (the modulus used in step 5):
int EDI = sum % 0x19;
if (EDI < 3)
    EDI = 0x19;
4. XOR the two updated tables together, giving a 32-byte sequence array_C:
unsigned char array_C[32];
for (int i = 0; i < 32; i++)
    array_C[i] = array_B[i] ^ array_A[i];
5. XOR the lower and upper halves of array_C together (the third XOR), giving a 16-byte sequence array_D:
unsigned char array_D[16];
for (int i = 0; i < 16; i++)
{
    array_D[i] = array_C[i] ^ array_C[i + 16];
    array_D[i] = array_D[i] % EDI + 0x41;
}
6. The resulting bytes, read as a string, are the registration key: 16 letters, each in the range 'A'..'Y' since EDI is at most 0x19 (for the trial data above, "DJIMFVELLEJALJNO").
Notes:
(1) If the user name is shorter than 32 characters, the table entries beyond its length are left unchanged by the XOR.
(2) If the user name is longer than 32 characters, only the first 32 are used.
The registration information is saved in the file hcreg212.ini under C:\WINDOWS:
ultrain[email protected]FFECCEEFECDBFDDF256
emptyemptyemptyemptyemptyemptyemptyemptyemptyempty
Group 00Group 01Group 02Group 03Group 04Group 05Group 06Group 07Group 08Group 09
Group 10Group 11Group 12Group 13Group 14Group 15Group 16Group 17Group 18Group 19
Group 20Group 21Group 22Group 23Group 24
--------------------------------------------------------------------------------
【Copyright notice】 This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thanks!
Nice one. Where did you download the original? I can't find it on Google.
Starting to learn algorithms now.
Good article.
Found a free v2.27:
File size: 1.59 MB
Language: Simplified Chinese
Type: Chinese software - network software - remote monitoring
Runs on: Win9X/Win2000/WinXP/Win2003
License: freeware
http://down.4j365.com/soft/show.asp?id=1917
Search Google for "可以同时监控局域网里的50台电脑" (the phrase from the software description) to find it.
Shareware version: http://www.itzoom.cn/down/soft/15702.html
[ This post was last edited by lvcaolhx on 2007-12-17 10:02 ]