video converter algorithm analysis
No packer; the program is written in Borland Delphi 6.0 - 7.0. Load it in OD, F9 to run, set the universal breakpoint, and it breaks here:
77D3352D F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
77D3352F 8BC8           MOV ECX,EAX
77D33531 83E1 03        AND ECX,3
Alt+F9 returns to the program's own code and we end up at 004C277D. Scroll up to the start of this routine, set a breakpoint on its entry at 004C2734, and reload the program:
004C2734 /. 55             PUSH EBP                           ; set the breakpoint here
004C2735 |. 8BEC           MOV EBP,ESP
004C2737 |. 33C9           XOR ECX,ECX
004C2739 |. 51             PUSH ECX
004C273A |. 51             PUSH ECX
004C273B |. 51             PUSH ECX
004C273C |. 51             PUSH ECX
004C273D |. 51             PUSH ECX
004C273E |. 51             PUSH ECX
004C273F |. 53             PUSH EBX
004C2740 |. 56             PUSH ESI
004C2741 |. 57             PUSH EDI
004C2742 |. 8BF8           MOV EDI,EAX
004C2744 |. 33C0           XOR EAX,EAX
004C2746 |. 55             PUSH EBP
004C2747 |. 68 4F294C00    PUSH video_co.004C294F
004C274C |. 64:FF30        PUSH DWORD PTR FS:[EAX]
004C274F |. 64:8920        MOV DWORD PTR FS:[EAX],ESP
004C2752 |. C605 38BE4C00> MOV BYTE PTR DS:[4CBE38],1        ; "username not found" flag, preset to 1
004C2759 |. FF05 34BE4C00  INC DWORD PTR DS:[4CBE34]         ; counter, incremented on every attempt
004C275F |. 833D 34BE4C00> CMP DWORD PTR DS:[4CBE34],3
004C2766 |. 7E 07          JLE SHORT video_co.004C276F
004C2768 |. 8BC7           MOV EAX,EDI
004C276A |. E8 CDD1F9FF    CALL video_co.0045F93C
004C276F |> 8D55 F4        LEA EDX,DWORD PTR SS:[EBP-C]
004C2772 |. 8B87 14030000  MOV EAX,DWORD PTR DS:[EDI+314]
004C2778 |. E8 3309F8FF    CALL video_co.004430B0            ; fetch the username text into [EBP-C]
004C277D |. 8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]      ; username into EAX
004C2780 |. 8D55 FC        LEA EDX,DWORD PTR SS:[EBP-4]
004C2783 |. E8 D065F4FF    CALL video_co.00408D58
004C2788 |. 8D55 F0        LEA EDX,DWORD PTR SS:[EBP-10]
004C278B |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
004C278E |. E8 F965F4FF    CALL video_co.00408D8C
004C2793 |. 8B55 F0        MOV EDX,DWORD PTR SS:[EBP-10]
004C2796 |. 8D45 FC        LEA EAX,DWORD PTR SS:[EBP-4]
004C2799 |. E8 9E1FF4FF    CALL video_co.0040473C            ; the processed username ends up in [EBP-4]
004C279E |. BB 15000000    MOV EBX,15                        ; 0x15 = 21 table entries
004C27A3 |. BE D0994C00    MOV ESI,video_co.004C99D0         ; table of fixed usernames
004C27A8 |> 8B45 FC        /MOV EAX,DWORD PTR SS:[EBP-4]     ; username into EAX
004C27AB |. 8B16           |MOV EDX,DWORD PTR DS:[ESI]       ; table entry (the first one is "VS88T6-Vs86") into EDX
004C27AD |. E8 EE22F4FF    |CALL video_co.00404AA0           ; compares the strings in EAX and EDX
004C27B2 |. 75 09          |JNZ SHORT video_co.004C27BD      ; not equal: try the next fixed string
004C27B4 |. C605 38BE4C00> |MOV BYTE PTR DS:[4CBE38],0       ; match: clear the flag
004C27BB |. EB 06          |JMP SHORT video_co.004C27C3
004C27BD |> 83C6 04        |ADD ESI,4
004C27C0 |. 4B             |DEC EBX
004C27C1 |.^ 75 E5         \JNZ SHORT video_co.004C27A8      ; loops until all 21 entries have been tried. The username is therefore fixed: reload the program and register with "VS88T6-Vs86" and "1234567890"
004C27C3 |> 803D 38BE4C00> CMP BYTE PTR DS:[4CBE38],0
; if the username matched, the flag was cleared at 004C27B4 and the error message is skipped; otherwise it is still 1 and the error is shown
004C27CA |. 74 1A          JE SHORT video_co.004C27E6
004C27CC |. 6A 00          PUSH 0                            ; /Arg1 = 00000000
004C27CE |. 66:8B0D 60294> MOV CX,WORD PTR DS:[4C2960]       ; |
004C27D5 |. B2 02          MOV DL,2                          ; |
004C27D7 |. B8 6C294C00    MOV EAX,video_co.004C296C         ; |ASCII "Invalid register code! Please retry!", first error message
004C27DC |. E8 E79FF7FF    CALL video_co.0043C7C8            ; \video_co.0043C7C8
004C27E1 |. E9 2E010000    JMP video_co.004C2914
004C27E6 |> 8D55 EC        LEA EDX,DWORD PTR SS:[EBP-14]
That was the handling of the username; now the registration code:
004C27E9 |. 8B87 18030000  MOV EAX,DWORD PTR DS:[EDI+318]
004C27EF |. E8 BC08F8FF    CALL video_co.004430B0            ; fetch the registration code text into [EBP-14]
004C27F4 |. 8B45 EC        MOV EAX,DWORD PTR SS:[EBP-14]     ; registration code into EAX
004C27F7 |. 8D55 F8        LEA EDX,DWORD PTR SS:[EBP-8]
004C27FA |. E8 5965F4FF    CALL video_co.00408D58
004C27FF |. 8D55 E8        LEA EDX,DWORD PTR SS:[EBP-18]
004C2802 |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
004C2805 |. E8 8265F4FF    CALL video_co.00408D8C
004C280A |. 8B55 E8        MOV EDX,DWORD PTR SS:[EBP-18]
004C280D |. 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]
004C2810 |. E8 271FF4FF    CALL video_co.0040473C            ; the processed registration code ends up in [EBP-8]
004C2815 |. 837D FC 00     CMP DWORD PTR SS:[EBP-4],0        ; username empty?
004C2819 |. 0F84 F5000000  JE video_co.004C2914
004C281F |. 837D F8 00     CMP DWORD PTR SS:[EBP-8],0        ; registration code empty?
004C2823 |. 0F84 EB000000  JE video_co.004C2914
004C2829 |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
004C282C |. E8 2B21F4FF    CALL video_co.0040495C            ; length of the registration code into EAX
004C2831 |. 85C0           TEST EAX,EAX
004C2833 |. 7E 38          JLE SHORT video_co.004C286D       ; length <= 0: skip the digit check
004C2835 |. BA 01000000    MOV EDX,1                         ; EDX = 1-based index into the code
004C283A |> 8B4D F8        /MOV ECX,DWORD PTR SS:[EBP-8]
004C283D |. 0FB64C11 FF    |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1] ; one character of the registration code into ECX
004C2842 |. 83F9 30        |CMP ECX,30
004C2845 |. 7C 08          |JL SHORT video_co.004C284F       ; below '0' (0x30): error
004C2847 |. 8B5D F8        |MOV EBX,DWORD PTR SS:[EBP-8]
004C284A |. 83F9 39        |CMP ECX,39                       ; above '9' (0x39)?
004C284D |. 7E 1A          |JLE SHORT video_co.004C2869
004C284F |> 6A 00          |PUSH 0                           ; /Arg1 = 00000000
004C2851 |. 66:8B0D 60294> |MOV CX,WORD PTR DS:[4C2960]      ; |
004C2858 |. B2 02          |MOV DL,2                         ; |
004C285A |. B8 6C294C00    |MOV EAX,video_co.004C296C        ; |ASCII "Invalid register code! Please retry!"
004C285F |. E8 649FF7FF    |CALL video_co.0043C7C8           ; the registration code must consist of digits only, otherwise error
004C2864 |. E9 AB000000    |JMP video_co.004C2914
004C2869 |> 42             |INC EDX
004C286A |. 48             |DEC EAX
004C286B |.^ 75 CD         \JNZ SHORT video_co.004C283A      ; loop until EAX reaches zero
004C286D |> 33F6           XOR ESI,ESI                       ; ESI = 0 (running sum)
004C286F |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
004C2872 |. E8 E520F4FF    CALL video_co.0040495C            ; length of the username into EAX
004C2877 |. 85C0           TEST EAX,EAX
004C2879 |. 7E 13          JLE SHORT video_co.004C288E       ; length <= 0: skip the summing loop
004C287B |. BB 01000000    MOV EBX,1                         ; EBX = 1, the counter
004C2880 |> 8B55 FC        /MOV EDX,DWORD PTR SS:[EBP-4]
004C2883 |. 0FB6541A FF    |MOVZX EDX,BYTE PTR DS:[EDX+EBX-1] ; one character of the username into EDX
004C2888 |. 03F2           |ADD ESI,EDX                      ; accumulate into ESI
004C288A |. 43             |INC EBX                          ; EBX + 1
004C288B |. 48             |DEC EAX                          ; EAX - 1
004C288C |.^ 75 F2         \JNZ SHORT video_co.004C2880      ; exit when EAX is 0, i.e. EBX has walked the whole username
004C288E |> 69C6 90B70B00  IMUL EAX,ESI,0BB790               ; EAX = ESI * 0xBB790 (low 32 bits)
004C2894 |. 83C0 58        ADD EAX,58                        ; EAX = EAX + 0x58 (88 decimal)
004C2897 |. D1F8           SAR EAX,1                         ; EAX = EAX div 2 (signed)
004C2899 |. 79 03          JNS SHORT video_co.004C289E
004C289B |. 83D0 00        ADC EAX,0                         ; negative result: add the shifted-out bit back, i.e. round toward zero
004C289E |> 8BF0           MOV ESI,EAX                       ; result into ESI
004C28A0 |. 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]      ; EAX = the entered (fake) registration code
004C28A3 |. E8 E065F4FF    CALL video_co.00408E88            ; this call processes the entered code, F7 to step in
004C28A8 |. 3BF0           CMP ESI,EAX                       ; compare ESI with EAX; not equal means registration fails
004C28AA |. 75 53          JNZ SHORT video_co.004C28FF
004C28AC |. 6A 00          PUSH 0                            ; /Arg1 = 00000000
004C28AE |. 66:8B0D 60294> MOV CX,WORD PTR DS:[4C2960]       ; |
004C28B5 |. B2 02          MOV DL,2                          ; |
004C28B7 |. B8 9C294C00    MOV EAX,video_co.004C299C         ; |ASCII "Congratuation! You have successfully registered!"
004C28BC |. E8 079FF7FF    CALL video_co.0043C7C8            ; \video_co.0043C7C8
004C28C1 |. A1 B09D4C00    MOV EAX,DWORD PTR DS:[4C9DB0]
004C28C6 |. C600 01        MOV BYTE PTR DS:[EAX],1
004C28C9 |. A1 AC9E4C00    MOV EAX,DWORD PTR DS:[4C9EAC]
004C28CE |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
004C28D0 |. 33C9           XOR ECX,ECX
004C28D2 |. BA 04000000    MOV EDX,4
004C28D7 |. 8B18           MOV EBX,DWORD PTR DS:[EAX]
004C28D9 |. FF53 10        CALL DWORD PTR DS:[EBX+10]
004C28DC |. 8B15 B09D4C00  MOV EDX,DWORD PTR DS:[4C9DB0]     ; video_co.004CBE4E
004C28E2 |. A1 AC9E4C00    MOV EAX,DWORD PTR DS:[4C9EAC]
004C28E7 |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
004C28E9 |. B9 01000000    MOV ECX,1
004C28EE |. E8 258DF5FF    CALL video_co.0041B618
004C28F3 |. A1 30BE4C00    MOV EAX,DWORD PTR DS:[4CBE30]
004C28F8 |. E8 3FD0F9FF    CALL video_co.0045F93C
004C28FD |. EB 15          JMP SHORT video_co.004C2914
004C28FF |> 6A 00          PUSH 0                            ; /Arg1 = 00000000
004C2901 |. 66:8B0D 60294> MOV CX,WORD PTR DS:[4C2960]       ; |
004C2908 |. B2 02          MOV DL,2                          ; |
004C290A |. B8 6C294C00    MOV EAX,video_co.004C296C         ; |ASCII "Invalid register code! Please retry!"
004C290F |. E8 B49EF7FF    CALL video_co.0043C7C8            ; \video_co.0043C7C8
004C2914 |> 33C0           XOR EAX,EAX
004C2916 |. 5A             POP EDX
004C2917 |. 59             POP ECX
004C2918 |. 59             POP ECX
004C2919 |. 64:8910        MOV DWORD PTR FS:[EAX],EDX
004C291C |. 68 56294C00    PUSH video_co.004C2956
004C2921 |> 8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
004C2924 |. E8 7B1DF4FF    CALL video_co.004046A4
004C2929 |. 8D45 EC        LEA EAX,DWORD PTR SS:[EBP-14]
004C292C |. E8 731DF4FF    CALL video_co.004046A4
004C2931 |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
004C2934 |. E8 6B1DF4FF    CALL video_co.004046A4
004C2939 |. 8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
004C293C |. E8 631DF4FF    CALL video_co.004046A4
004C2941 |. 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]
004C2944 |. BA 02000000    MOV EDX,2
004C2949 |. E8 7A1DF4FF    CALL video_co.004046C8
004C294E \. C3             RETN
004C294F .^ E9 D416F4FF    JMP video_co.00404028
004C2954 .^ EB CB          JMP SHORT video_co.004C2921
004C2956 .  5F             POP EDI
004C2957 .  5E             POP ESI
004C2958 .  5B             POP EBX
004C2959 .  8BE5           MOV ESP,EBP
004C295B .  5D             POP EBP
Stepping into the CALL video_co.00408E88 at 004C28A3:
00408E88 /$ 53             PUSH EBX
00408E89 |. 56             PUSH ESI
00408E8A |. 83C4 F4        ADD ESP,-0C                       ; 0C bytes of locals; [ESP] will receive the error position
00408E8D |. 8BD8           MOV EBX,EAX                       ; EAX = the entered code (string)
00408E8F |. 8BD4           MOV EDX,ESP                       ; EDX -> error position
00408E91 |. 8BC3           MOV EAX,EBX
00408E93 |. E8 A0A2FFFF    CALL video_co.00403138            ; the value of EAX changes in here, F7 to step in
00408E98 |. 8BF0           MOV ESI,EAX                       ; converted value
00408E9A |. 833C24 00      CMP DWORD PTR SS:[ESP],0          ; error position 0 means the conversion succeeded
00408E9E |. 74 19          JE SHORT video_co.00408EB9
00408EA0 |. 895C24 04      MOV DWORD PTR SS:[ESP+4],EBX
00408EA4 |. C64424 08 0B   MOV BYTE PTR SS:[ESP+8],0B
00408EA9 |. 8D5424 04      LEA EDX,DWORD PTR SS:[ESP+4]
00408EAD |. A1 D49C4C00    MOV EAX,DWORD PTR DS:[4C9CD4]
00408EB2 |. 33C9           XOR ECX,ECX
00408EB4 |. E8 57FBFFFF    CALL video_co.00408A10            ; conversion failed: error handling (presumably raises a conversion error)
00408EB9 |> 8BC6           MOV EAX,ESI                       ; return the converted value
00408EBB |. 83C4 0C        ADD ESP,0C
00408EBE |. 5E             POP ESI
00408EBF |. 5B             POP EBX
00408EC0 \. C3             RETN
In the call at 00408E93 everything up front is checking for digits and prefixes; the two loops are what matter:
00403138 /$ 53             PUSH EBX
00403139 |. 56             PUSH ESI
0040313A |. 57             PUSH EDI
0040313B |. 89C6           MOV ESI,EAX                       ; ESI -> the string
0040313D |. 50             PUSH EAX
0040313E |. 85C0           TEST EAX,EAX
00403140 |. 74 6C          JE SHORT video_co.004031AE        ; nil string: error
00403142 |. 31C0           XOR EAX,EAX                       ; EAX = accumulator
00403144 |. 31DB           XOR EBX,EBX
00403146 |. BF CCCCCC0C    MOV EDI,0CCCCCCC                  ; overflow limit for the decimal loop
0040314B |> 8A1E           /MOV BL,BYTE PTR DS:[ESI]
0040314D |. 46             |INC ESI
0040314E |. 80FB 20        |CMP BL,20
00403151 |.^ 74 F8         \JE SHORT video_co.0040314B       ; skip leading spaces
00403153 |. B5 00          MOV CH,0                          ; CH = sign flag
00403155 |. 80FB 2D        CMP BL,2D                         ; '-'
00403158 |. 74 62          JE SHORT video_co.004031BC
0040315A |. 80FB 2B        CMP BL,2B                         ; '+'
0040315D |. 74 5F          JE SHORT video_co.004031BE
0040315F |. 80FB 24        CMP BL,24                         ; '$' hex prefix
00403162 |. 74 5F          JE SHORT video_co.004031C3
00403164 |. 80FB 78        CMP BL,78                         ; 'x'
00403167 |. 74 5A          JE SHORT video_co.004031C3
00403169 |. 80FB 58        CMP BL,58                         ; 'X'
0040316C |. 74 55          JE SHORT video_co.004031C3
0040316E |. 80FB 30        CMP BL,30                         ; '0' (possible "0x" prefix)
00403171 |. 75 13          JNZ SHORT video_co.00403186
00403173 |. 8A1E           MOV BL,BYTE PTR DS:[ESI]
00403175 |. 46             INC ESI
00403176 |. 80FB 78        CMP BL,78
00403179 |. 74 48          JE SHORT video_co.004031C3
0040317B |. 80FB 58        CMP BL,58
0040317E |. 74 43          JE SHORT video_co.004031C3
00403180 |. 84DB           TEST BL,BL
00403182 |. 74 20          JE SHORT video_co.004031A4        ; the string was just "0"
00403184 |. EB 04          JMP SHORT video_co.0040318A
00403186 |> 84DB           TEST BL,BL
00403188 |. 74 2D          JE SHORT video_co.004031B7        ; string ended before the first digit: error
0040318A |> 80EB 30        /SUB BL,30                        ; character to digit
0040318D |. 80FB 09        |CMP BL,9
00403190 |. 77 25          |JA SHORT video_co.004031B7       ; greater than 9: error
00403192 |. 39F8           |CMP EAX,EDI
00403194 |. 77 21          |JA SHORT video_co.004031B7       ; EAX > 0xCCCCCCC would overflow: leave the loop with an error
00403196 |. 8D0480         |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; EAX = EAX*5
00403199 |. 01C0           |ADD EAX,EAX                      ; EAX = EAX*2 (so *10 in total)
0040319B |. 01D8           |ADD EAX,EBX                      ; EAX = EAX + EBX, EBX being the current digit
0040319D |. 8A1E           |MOV BL,BYTE PTR DS:[ESI]         ; next character of the registration code into BL
0040319F |. 46             |INC ESI
004031A0 |. 84DB           |TEST BL,BL
004031A2 |.^ 75 E6         \JNZ SHORT video_co.0040318A
; the loop ends when BL is zero (end of string); by then the whole registration code has been converted
004031A4 |> FECD           DEC CH                            ; CH was 1 if a '-' was seen
004031A6 |. 74 09          JE SHORT video_co.004031B1
004031A8 |. 85C0           TEST EAX,EAX
004031AA |. 7D 4E          JGE SHORT video_co.004031FA       ; non-negative result: success
004031AC |. EB 09          JMP SHORT video_co.004031B7       ; sign bit set without a '-': overflow, error
004031AE |> 46             INC ESI
004031AF |. EB 06          JMP SHORT video_co.004031B7
004031B1 |> F7D8           NEG EAX                           ; negative number
004031B3 |. 7E 45          JLE SHORT video_co.004031FA
004031B5 |. 78 43          JS SHORT video_co.004031FA
004031B7 |> 5B             POP EBX                           ; Default case of switch 004031D7
004031B8 |. 29DE           SUB ESI,EBX                       ; error position = offset of the offending character
004031BA |. EB 41          JMP SHORT video_co.004031FD
004031BC |> FEC5           INC CH                            ; '-' seen
004031BE |> 8A1E           MOV BL,BYTE PTR DS:[ESI]
004031C0 |. 46             INC ESI
004031C1 |.^ EB C3         JMP SHORT video_co.00403186
004031C3 |> BF FFFFFF0F    MOV EDI,0FFFFFFF                  ; hex path: overflow limit for the hex loop
004031C8 |. 8A1E           MOV BL,BYTE PTR DS:[ESI]
004031CA |. 46             INC ESI
004031CB |. 84DB           TEST BL,BL
004031CD |.^ 74 DF         JE SHORT video_co.004031AE
004031CF |> 80FB 61        /CMP BL,61                        ; 'a'
004031D2 |. 72 03          |JB SHORT video_co.004031D7
004031D4 |. 80EB 20        |SUB BL,20                        ; lower case to upper case
004031D7 |> 80EB 30        |SUB BL,30                        ; Switch (cases 30..46)
004031DA |. 80FB 09        |CMP BL,9
004031DD |. 76 0B          |JBE SHORT video_co.004031EA
004031DF |. 80EB 11        |SUB BL,11
004031E2 |. 80FB 05        |CMP BL,5
004031E5 |.^ 77 D0         |JA SHORT video_co.004031B7       ; not a hex digit: error
004031E7 |. 80C3 0A        |ADD BL,0A                        ; Cases 41 ('A'),42 ('B'),43 ('C'),44 ('D'),45 ('E'),46 ('F') of switch 004031D7
004031EA |> 39F8           |CMP EAX,EDI                      ; Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 004031D7
004031EC |.^ 77 C9         |JA SHORT video_co.004031B7       ; overflow: error
004031EE |. C1E0 04        |SHL EAX,4                        ; EAX = EAX*16
004031F1 |. 01D8           |ADD EAX,EBX
004031F3 |. 8A1E           |MOV BL,BYTE PTR DS:[ESI]
004031F5 |. 46             |INC ESI
004031F6 |. 84DB           |TEST BL,BL
004031F8 |.^ 75 D5         \JNZ SHORT video_co.004031CF
004031FA |> 59             POP ECX
004031FB |. 31F6           XOR ESI,ESI                       ; success: error position 0
004031FD |> 8932           MOV DWORD PTR DS:[EDX],ESI        ; store the error position
004031FF |. 5F             POP EDI
00403200 |. 5E             POP ESI
00403201 |. 5B             POP EBX
It turned out afterwards that this routine only converts the string into a number: the change of EAX seen earlier is just the decimal string being turned into an integer (shown in hex by the debugger). So there is no need to step into that call at all; the registration code is computed from the username alone.
------------------------------------------------------------------------
[Cracking summary] The username is fixed: every legal username can be read out of the loop at 004C27A8-004C27C1 (the 0x15 = 21 strings referenced by the table at 004C99D0).
The computation from the username is as follows:
S1 = sum of the ASCII codes of the username; S2 = (S1 * 0xBB790 + 0x58) div 2, in 32-bit signed arithmetic (0x58 is 88 decimal); S2, written in decimal, is the registration code.
A working pair:
Username: VS88T6-Vs86
Registration code: 297556644
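Added example (not part of the original write-up): a Python reimplementation serving both the button handler at 004C2734 and the decimal parser at 00403138. The constants 0xBB790 and 0x58, the IMUL/ADD/SAR/ADC sequence, the digit check and the one table username are taken from the listing. The function names, the treatment of the other 20 table entries (the page does not show them, so only the one known string is whitelisted) and the handling of the input exactly as typed (the calls at 00408D58/00408D8C are not identified on the page and are not modelled) are assumptions. The example follows the listing's 32-bit behaviour further than the summary formula: IMUL and ADD wrap at 32 bits, SAR/JNS/ADC is a signed div 2, and a result that wraps negative can never be matched, because the digit loop at 004C283A rejects '-' and 00403138 reports an error for a value whose sign bit is set without a sign character.

```python
from typing import Optional

# The only entry of the 21-string table at 004C99D0 that the article shows.
# Constructed whitelist: the real table has 0x15 entries, the rest are unknown here.
KNOWN_USERNAMES = ("VS88T6-Vs86",)

MASK32 = 0xFFFFFFFF


def to_signed32(value: int) -> int:
    """Reinterpret a 32-bit pattern as the signed value the CPU works with."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def username_sum(username: str) -> int:
    """Loop at 004C2880: ESI = sum of every byte of the username."""
    # Delphi AnsiString: one byte per character (8-bit code page assumed).
    return sum(username.encode("latin-1"))


def keygen(username: str) -> int:
    """004C288E..004C289E: (S1*0xBB790 + 0x58) div 2 in 32-bit signed arithmetic."""
    s1 = username_sum(username)
    eax = to_signed32(s1 * 0xBB790 + 0x58)  # IMUL and ADD keep only the low 32 bits
    carry = eax & 1                         # the bit SAR EAX,1 shifts out (CF)
    eax >>= 1                               # SAR: arithmetic shift, floors for negatives
    if eax < 0:                             # JNS not taken -> ADC EAX,0
        eax += carry                        # rounds toward zero, i.e. Delphi's div 2
    return eax


def val_long(code: str) -> int:
    """Decimal path of 00403138 for a string of digits.

    Only the branch this program can reach is modelled: the loop at 004C283A
    has already rejected '-', '+', '$', 'x' and blanks.  Raises ValueError
    wherever the routine would report a nonzero error position.
    """
    if not code:
        raise ValueError("empty string")            # TEST BL,BL at 00403186
    eax = 0
    for ch in code:
        digit = ord(ch) - 0x30                      # SUB BL,30
        if not 0 <= digit <= 9:                     # CMP BL,9 / JA
            raise ValueError("non-digit")
        if eax > 0x0CCCCCCC:                        # CMP EAX,EDI / JA: overflow guard
            raise ValueError("overflow")
        eax = (eax * 10 + digit) & MASK32           # LEA [EAX+EAX*4]; ADD EAX,EAX; ADD EAX,EBX
    if eax & 0x80000000:                            # TEST EAX,EAX / JGE: sign bit set is an error
        raise ValueError("overflow")
    return eax


def check(username: str, code: str) -> bool:
    """Mirror of 004C2734: True when the program would show the success dialog."""
    if username not in KNOWN_USERNAMES:             # loop at 004C27A8 leaves the flag at 1
        return False
    if not username or not code:                    # CMP [EBP-4],0 / CMP [EBP-8],0
        return False
    if any(not "0" <= ch <= "9" for ch in code):    # loop at 004C283A: digits only
        return False
    try:
        entered = val_long(code)                    # CALL 00408E88
    except ValueError:                              # conversion error, CMP never reached
        return False
    return keygen(username) == entered              # CMP ESI,EAX at 004C28A8


def registration_code(username: str) -> Optional[str]:
    """Digit string that passes check(), or None when no all-digit code can match."""
    value = keygen(username)
    return str(value) if value >= 0 else None


if __name__ == "__main__":
    for name in ("VS88T6-Vs86", "z" * 29):          # second name is constructed to show the wrap-around
        print(name, username_sum(name), keygen(name), registration_code(name))
```

The leading-zero case is worth noting: "0297556644" is accepted, because the digit loop allows '0' and the parser just accumulates it, so more than one string unlocks each whitelisted name. A registration code that is numerically too large ("4294967295") is rejected by the 0x0CCCCCCC guard before the multiply, and "2147483648" passes the guard but fails the sign test afterwards.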
There is nothing technically demanding about this algorithm; please excuse the triviality.