DVD影碟制作专家 V4.0.1.258: A Simple Algorithm Analysis
【Title】: DVD影碟制作专家 V4.0.1.258 simple algorithm analysis
【Author】: 蚊香 / magic659117852
【Author's email】: [email protected]
【Author's homepage】: http://www.xpi386.com
【Software】: DVD影碟制作专家 (DVD Disc Authoring Expert)
【Size】: 17183 KB
【Download】: search for it yourself
【Protection】: registration code
【Written in】: Delphi
【Tools used】: PEiD, OllyDBG
【Author's note】: Just out of interest, nothing more. Corrections from the experts are welcome wherever I slipped up! I have only just, just, just started looking at simple algorithms -_-
--------------------------------------------------------------------------------
【Detailed process】
PEiD scan: Borland Delphi 6.0 - 7.0
Tried registering (5 groups of 5 characters each); it reports "Registration failed".
Loaded the program into OD, F9 to run, entered the fake code 12345-67890-40001-13579-24680 and clicked register:
00AA337E 55 push ebp ; located here with the stack-call method; set a breakpoint and start the analysis
00AA337F 68 A237AA00 push 00AA37A2
00AA3384 64:FF30 push dword ptr fs:
00AA3387 64:8920 mov dword ptr fs:, esp
00AA338A 8D55 FC lea edx, dword ptr
00AA338D 8B83 98030000 mov eax, dword ptr
00AA3393 E8 8028FFFF call 00A95C18
00AA3398 8B45 FC mov eax, dword ptr
00AA339B E8 1821F5FF call 009F54B8
00AA33A0 E8 A76AF5FF call 009F9E4C
00AA33A5 83F8 05 cmp eax, 5
00AA33A8 0F85 80000000 jnz 00AA342E ; check that the group is 5 characters; if not, fail. There are 4 more checks like this below
00AA33AE 8D55 F8 lea edx, dword ptr
00AA33B1 8B83 9C030000 mov eax, dword ptr
00AA33B7 E8 5C28FFFF call 00A95C18
00AA33BC 8B45 F8 mov eax, dword ptr
00AA33BF E8 F420F5FF call 009F54B8
00AA33C4 E8 836AF5FF call 009F9E4C
00AA33C9 83F8 05 cmp eax, 5
00AA33CC 75 60 jnz short 00AA342E
00AA33CE 8D55 F4 lea edx, dword ptr
00AA33D1 8B83 A0030000 mov eax, dword ptr
00AA33D7 E8 3C28FFFF call 00A95C18
00AA33DC 8B45 F4 mov eax, dword ptr
00AA33DF E8 D420F5FF call 009F54B8
00AA33E4 E8 636AF5FF call 009F9E4C
00AA33E9 83F8 05 cmp eax, 5
00AA33EC 75 40 jnz short 00AA342E
00AA33EE 8D55 F0 lea edx, dword ptr
00AA33F1 8B83 A4030000 mov eax, dword ptr
00AA33F7 E8 1C28FFFF call 00A95C18
00AA33FC 8B45 F0 mov eax, dword ptr
00AA33FF E8 B420F5FF call 009F54B8
00AA3404 E8 436AF5FF call 009F9E4C
00AA3409 83F8 05 cmp eax, 5
00AA340C 75 20 jnz short 00AA342E
00AA340E 8D55 EC lea edx, dword ptr
00AA3411 8B83 A8030000 mov eax, dword ptr
00AA3417 E8 FC27FFFF call 00A95C18
00AA341C 8B45 EC mov eax, dword ptr
00AA341F E8 9420F5FF call 009F54B8
00AA3424 E8 236AF5FF call 009F9E4C
00AA3429 83F8 05 cmp eax, 5
00AA342C 74 2A je short 00AA3458 ; if every group is 5 characters, jump over the failure branch below
00AA342E 6A 40 push 40 ; if any group is not 5 characters, we land here
00AA3430 A1 2017AB00 mov eax, dword ptr
00AA3435 E8 7E20F5FF call 009F54B8
00AA343A 50 push eax
00AA343B A1 2817AB00 mov eax, dword ptr
00AA3440 E8 7320F5FF call 009F54B8
00AA3445 50 push eax
00AA3446 8BC3 mov eax, ebx
00AA3448 E8 332FFAFF call 00A46380
00AA344D 50 push eax
00AA344E E8 454DF5FF call <jmp.&user32.MessageBoxA> ; shows "Registration failed"
00AA3453 E9 0D030000 jmp 00AA3765
00AA3458 8D55 E8 lea edx, dword ptr
00AA345B 8B83 A0030000 mov eax, dword ptr
00AA3461 E8 B227FFFF call 00A95C18
00AA3466 8B45 E8 mov eax, dword ptr
00AA3469 8B15 1817AB00 mov edx, dword ptr
00AA346F E8 901FF5FF call 009F5404
00AA3474 74 2A je short 00AA34A0 ; visible in the stack window: the third group must be 40001
00AA3476 6A 40 push 40
00AA3478 A1 2017AB00 mov eax, dword ptr
00AA347D E8 3620F5FF call 009F54B8
00AA3482 50 push eax
00AA3483 A1 2817AB00 mov eax, dword ptr
00AA3488 E8 2B20F5FF call 009F54B8
00AA348D 50 push eax
00AA348E 8BC3 mov eax, ebx
00AA3490 E8 EB2EFAFF call 00A46380
00AA3495 50 push eax
00AA3496 E8 FD4CF5FF call <jmp.&user32.MessageBoxA> ; registration failed
00AA349B E9 C5020000 jmp 00AA3765
00AA34A0 8D55 E4 lea edx, dword ptr
00AA34A3 8B83 98030000 mov eax, dword ptr
00AA34A9 E8 6A27FFFF call 00A95C18
00AA34AE 837D E4 00 cmp dword ptr , 0
00AA34B2 74 3C je short 00AA34F0
00AA34B4 8D55 E0 lea edx, dword ptr
00AA34B7 8B83 9C030000 mov eax, dword ptr
00AA34BD E8 5627FFFF call 00A95C18
00AA34C2 837D E0 00 cmp dword ptr , 0
00AA34C6 74 28 je short 00AA34F0
00AA34C8 8D55 DC lea edx, dword ptr
00AA34CB 8B83 A0030000 mov eax, dword ptr
00AA34D1 E8 4227FFFF call 00A95C18
00AA34D6 837D DC 00 cmp dword ptr , 0
00AA34DA 74 14 je short 00AA34F0
00AA34DC 8D55 D8 lea edx, dword ptr
00AA34DF 8B83 A4030000 mov eax, dword ptr
00AA34E5 E8 2E27FFFF call 00A95C18
00AA34EA 837D D8 00 cmp dword ptr , 0
00AA34EE 75 2A jnz short 00AA351A
00AA34F0 6A 40 push 40
00AA34F2 A1 2017AB00 mov eax, dword ptr
00AA34F7 E8 BC1FF5FF call 009F54B8
00AA34FC 50 push eax
00AA34FD A1 2817AB00 mov eax, dword ptr
00AA3502 E8 B11FF5FF call 009F54B8
00AA3507 50 push eax
00AA3508 8BC3 mov eax, ebx
00AA350A E8 712EFAFF call 00A46380
00AA350F 50 push eax
00AA3510 E8 834CF5FF call <jmp.&user32.MessageBoxA>
00AA3515 E9 4B020000 jmp 00AA3765
00AA351A 8D45 D4 lea eax, dword ptr
00AA351D E8 BA5BFCFF call 00A690DC
00AA3522 8B45 D4 mov eax, dword ptr
00AA3525 50 push eax
00AA3526 8D55 D0 lea edx, dword ptr
00AA3529 8B83 A0030000 mov eax, dword ptr
00AA352F E8 E426FFFF call 00A95C18
00AA3534 8B55 D0 mov edx, dword ptr
00AA3537 58 pop eax
00AA3538 E8 C71EF5FF call 009F5404
00AA353D 74 2A je short 00AA3569 ; the third group is compared with 40001 a second time
00AA353F 6A 40 push 40
00AA3541 A1 2017AB00 mov eax, dword ptr
00AA3546 E8 6D1FF5FF call 009F54B8
00AA354B 50 push eax
00AA354C A1 2817AB00 mov eax, dword ptr
00AA3551 E8 621FF5FF call 009F54B8
00AA3556 50 push eax
00AA3557 8BC3 mov eax, ebx
00AA3559 E8 222EFAFF call 00A46380
00AA355E 50 push eax
00AA355F E8 344CF5FF call <jmp.&user32.MessageBoxA>
00AA3564 E9 FC010000 jmp 00AA3765
00AA3569 8D55 CC lea edx, dword ptr
00AA356C 8B83 98030000 mov eax, dword ptr
00AA3572 E8 A126FFFF call 00A95C18 ; fetch the first group of the code
00AA3577 8B45 CC mov eax, dword ptr
00AA357A E8 0963F5FF call 009F9888 ; first group converted to hex = 3039
00AA357F E8 1862FCFF call 00A6979C ; the algorithm is inside; F7 to step in
Stepping into the call at 00AA357F above:
00A6979A 8BC0 mov eax, eax
00A6979C 8BC8 mov ecx, eax
00A6979E 8D81 9F860100 lea eax, dword ptr ; EAX=3039 + 1869F = 1B6D8
00A697A4 B9 03000000 mov ecx, 3 ; ECX=3
00A697A9 33D2 xor edx, edx
00A697AB F7F1 div ecx ; EAX=1B6D8 / 3 = 9248
00A697AD 83C0 58 add eax, 58 ; EAX = 9248+58=92A0
00A697B0 C3 retn
00AA3584 8BF0 mov esi, eax
00AA3586 8D55 C8 lea edx, dword ptr
00AA3589 8B83 9C030000 mov eax, dword ptr
00AA358F E8 8426FFFF call 00A95C18 ; fetch the second group of the code
00AA3594 8B45 C8 mov eax, dword ptr
00AA3597 E8 EC62F5FF call 009F9888 ; second group converted to hex = 10932
00AA359C E8 1362FCFF call 00A697B4 ; more of the algorithm inside; F7 to step in
Stepping into the call at 00AA359C above:
00A697B1 8D40 00 lea eax, dword ptr
00A697B4 8BC8 mov ecx, eax
00A697B6 8BC1 mov eax, ecx
00A697B8 B9 09000000 mov ecx, 9 ; ECX=9
00A697BD 33D2 xor edx, edx
00A697BF F7F1 div ecx ; EAX=10932/9=1D77
00A697C1 03C0 add eax, eax
00A697C3 03C0 add eax, eax
00A697C5 03C0 add eax, eax ; EAX=1D77*8=EBB8
00A697C7 50 push eax
00A697C8 B8 9E860100 mov eax, 1869E ; EAX=1869E
00A697CD 5A pop edx
00A697CE 2BC2 sub eax, edx ; EAX=1869E-EBB8=9AE6
00A697D0 C3 retn
00AA35A1 8BF8 mov edi, eax
00AA35A3 8D55 C4 lea edx, dword ptr
00AA35A6 8B83 A4030000 mov eax, dword ptr
00AA35AC E8 6726FFFF call 00A95C18
00AA35B1 8B45 C4 mov eax, dword ptr
00AA35B4 E8 CF62F5FF call 009F9888 ; fourth group converted to hex = 350B
00AA35B9 99 cdq ; sign-extend EAX into EDX (EDX becomes 0 here)
00AA35BA 52 push edx
00AA35BB 50 push eax
00AA35BC 8BC6 mov eax, esi
00AA35BE 33D2 xor edx, edx
00AA35C0 3B5424 04 cmp edx, dword ptr ; 64-bit compare (high dword first, then low): 350B against the 92A0 computed above
00AA35C4 75 03 jnz short 00AA35C9
00AA35C6 3B0424 cmp eax, dword ptr
00AA35C9 5A pop edx
00AA35CA 58 pop eax
00AA35CB 0F85 94010000 jnz 00AA3765 ; must not jump
00AA35D1 8D55 C0 lea edx, dword ptr
00AA35D4 8B83 A8030000 mov eax, dword ptr
00AA35DA E8 3926FFFF call 00A95C18 ; fetch the fifth group (same control as the length check at 00AA3411)
00AA35DF 8B45 C0 mov eax, dword ptr
00AA35E2 E8 A162F5FF call 009F9888 ; fifth group converted to hex = 6068
00AA35E7 99 cdq
00AA35E8 52 push edx
00AA35E9 50 push eax
00AA35EA 8BC7 mov eax, edi
00AA35EC 33D2 xor edx, edx
00AA35EE 3B5424 04 cmp edx, dword ptr ; same 64-bit compare: 6068 against the 9AE6 computed above
00AA35F2 75 03 jnz short 00AA35F7
00AA35F4 3B0424 cmp eax, dword ptr
00AA35F7 5A pop edx
00AA35F8 58 pop eax
00AA35F9 0F85 66010000 jnz 00AA3765
00AA35FF 8D55 BC lea edx, dword ptr
00AA3602 8B83 98030000 mov eax, dword ptr
00AA3608 E8 0B26FFFF call 00A95C18
00AA360D 8B45 BC mov eax, dword ptr
00AA3610 E8 7362F5FF call 009F9888
00AA3615 E8 BA61FCFF call 00A697D4
00AA361A 8D55 B8 lea edx, dword ptr
00AA361D 8B83 98030000 mov eax, dword ptr
00AA3623 E8 F025FFFF call 00A95C18
00AA3628 8B45 B8 mov eax, dword ptr
00AA362B E8 5862F5FF call 009F9888
00AA3630 E8 E36BFCFF call 00A6A218
00AA3635 8D55 B4 lea edx, dword ptr
00AA3638 8B83 9C030000 mov eax, dword ptr
00AA363E E8 D525FFFF call 00A95C18
00AA3643 8B45 B4 mov eax, dword ptr
00AA3646 E8 3D62F5FF call 009F9888
00AA364B E8 4462FCFF call 00A69894
00AA3650 8D55 B0 lea edx, dword ptr
00AA3653 8B83 9C030000 mov eax, dword ptr
00AA3659 E8 BA25FFFF call 00A95C18
00AA365E 8B45 B0 mov eax, dword ptr
00AA3661 E8 2262F5FF call 009F9888
00AA3666 E8 256DFCFF call 00A6A390
00AA366B 8D55 AC lea edx, dword ptr
00AA366E 8B83 A0030000 mov eax, dword ptr
00AA3674 E8 9F25FFFF call 00A95C18
00AA3679 8B45 AC mov eax, dword ptr
00AA367C E8 0762F5FF call 009F9888
00AA3681 E8 CE62FCFF call 00A69954
00AA3686 8D55 A8 lea edx, dword ptr
00AA3689 8B83 A0030000 mov eax, dword ptr
00AA368F E8 8425FFFF call 00A95C18
00AA3694 8B45 A8 mov eax, dword ptr
00AA3697 E8 EC61F5FF call 009F9888
00AA369C E8 7B6EFCFF call 00A6A51C
00AA36A1 8D55 A4 lea edx, dword ptr
00AA36A4 8B83 A4030000 mov eax, dword ptr
00AA36AA E8 6925FFFF call 00A95C18
00AA36AF 8B45 A4 mov eax, dword ptr
00AA36B2 E8 D161F5FF call 009F9888
00AA36B7 E8 9063FCFF call 00A69A4C
00AA36BC 8D55 A0 lea edx, dword ptr
00AA36BF 8B83 A4030000 mov eax, dword ptr
00AA36C5 E8 4E25FFFF call 00A95C18
00AA36CA 8B45 A0 mov eax, dword ptr
00AA36CD E8 B661F5FF call 009F9888
00AA36D2 E8 D16FFCFF call 00A6A6A8
00AA36D7 8D55 9C lea edx, dword ptr
00AA36DA 8B83 A8030000 mov eax, dword ptr
00AA36E0 E8 3325FFFF call 00A95C18
00AA36E5 8B45 9C mov eax, dword ptr
00AA36E8 E8 9B61F5FF call 009F9888
00AA36ED E8 5264FCFF call 00A69B44
00AA36F2 8D55 98 lea edx, dword ptr
00AA36F5 8B83 A8030000 mov eax, dword ptr
00AA36FB E8 1825FFFF call 00A95C18
00AA3700 8B45 98 mov eax, dword ptr
00AA3703 E8 8061F5FF call 009F9888
00AA3708 E8 1371FCFF call 00A6A820
00AA370D 8D55 90 lea edx, dword ptr
00AA3710 A1 34CFAA00 mov eax, dword ptr
00AA3715 8B00 mov eax, dword ptr
00AA3717 E8 9087FBFF call 00A5BEAC
00AA371C 8B45 90 mov eax, dword ptr
00AA371F 8D55 94 lea edx, dword ptr
00AA3722 E8 9D65F5FF call 009F9CC4
00AA3727 8B45 94 mov eax, dword ptr
00AA372A E8 1150FCFF call 00A68740
00AA372F 6A 40 push 40
00AA3731 A1 2017AB00 mov eax, dword ptr
00AA3736 E8 7D1DF5FF call 009F54B8
00AA373B 50 push eax
00AA373C A1 1C17AB00 mov eax, dword ptr
00AA3741 E8 721DF5FF call 009F54B8
00AA3746 50 push eax
00AA3747 8BC3 mov eax, ebx
00AA3749 E8 322CFAFF call 00A46380
00AA374E 50 push eax
00AA374F E8 444AF5FF call <jmp.&user32.MessageBoxA>
00AA3754 C705 1017AB00 0>mov dword ptr , 1
00AA375E 8BC3 mov eax, ebx
00AA3760 E8 A743FBFF call 00A57B0C
00AA3765 33C0 xor eax, eax
00AA3767 5A pop edx
00AA3768 59 pop ecx
00AA3769 59 pop ecx
00AA376A 64:8910 mov dword ptr fs:, edx
00AA376D 68 A937AA00 push 00AA37A9
00AA3772 8D45 90 lea eax, dword ptr
00AA3775 BA 02000000 mov edx, 2
00AA377A E8 9918F5FF call 009F5018
00AA377F 8D45 98 lea eax, dword ptr
00AA3782 BA 0F000000 mov edx, 0F
00AA3787 E8 8C18F5FF call 009F5018
00AA378C 8D45 D4 lea eax, dword ptr
00AA378F E8 6018F5FF call 009F4FF4
00AA3794 8D45 D8 lea eax, dword ptr
00AA3797 BA 0A000000 mov edx, 0A
00AA379C E8 7718F5FF call 009F5018
00AA37A1 C3 retn
00AA37A2^ E9 0D11F5FF jmp 009F48B4
00AA37A7^ EB C9 jmp short 00AA3772
00AA37A9 5F pop edi
00AA37AA 5E pop esi
00AA37AB 5B pop ebx
00AA37AC 8BE5 mov esp, ebp
00AA37AE 5D pop ebp
00AA37AF C3 retn
--------------------------------------------------------------------------------
【Algorithm summary】
Registration only asks for a registration code: 5 groups of 5 characters each. The third group is fixed at 40001.
Taking 12345 and 67890 as groups 1 and 2 respectively:
12345 in hex = 3039; 3039 + 1869F = 1B6D8; 1B6D8 / 3 = 9248; 9248 + 58 = 92A0 (= 37536 decimal, must equal group 4)
67890 in hex = 10932; 10932 / 9 = 1D77; 1D77 * 8 = EBB8; 1869E - EBB8 = 9AE6 (= 39654 decimal, must equal group 5)
Any code meeting the above requirements is accepted, for example: 12345-67890-40001-37536-39654
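The check routine as recovered from the listing above, rewritten in Python as an added example (not the software's own code and not from the original post), so the arithmetic in the summary can be confirmed end to end. It assumes the five edit boxes arrive as one dash-separated string and that the 009F9888 call behaves like Delphi's StrToInt on decimal text; the constants, the 32-bit arithmetic and the order of checks follow the disassembly. Because every check value is a cheap function of the other groups, the routine is fully reversible from its disassembly, which is what this write-up demonstrates.

```python
# Reconstruction of the serial check seen in the disassembly (added example,
# not the program's source). Group numbering follows the write-up (1..5).

MASK32 = 0xFFFFFFFF
K1_ADD, K1_DIV, K1_TAIL = 0x1869F, 3, 0x58   # sub_00A6979C constants
K2_DIV, K2_SUB = 9, 0x1869E                  # sub_00A697B4 constants
FIXED_GROUP3 = "40001"                       # compared at 00AA3474 and 00AA353D


def derive_group4(g1: int) -> int:
    """sub_00A6979C: (g1 + 0x1869F) div 3 + 0x58, unsigned 32-bit."""
    return (((g1 + K1_ADD) & MASK32) // K1_DIV + K1_TAIL) & MASK32


def derive_group5(g2: int) -> int:
    """sub_00A697B4: 0x1869E - (g2 div 9) * 8; the three 'add eax,eax' are the *8."""
    return (K2_SUB - ((g2 // K2_DIV) * 8)) & MASK32


def check_serial(serial: str) -> bool:
    """Return True when the serial would pass every check in the listing."""
    groups = serial.split("-")          # assumption: one string, dash-separated
    # 00AA33A5 .. 00AA342C: five groups, each exactly five characters
    if len(groups) != 5 or any(len(g) != 5 for g in groups):
        return False
    # 00AA3474: third group is the literal 40001
    if groups[2] != FIXED_GROUP3:
        return False
    try:
        # 009F9888 treated as StrToInt on plain decimal digits
        if not all(g.isdigit() for g in groups):
            return False
        g1, g2, g4, g5 = (int(groups[i]) for i in (0, 1, 3, 4))
    except ValueError:
        return False
    # 00AA35CB / 00AA35F9: the derived values must match groups 4 and 5
    return g4 == derive_group4(g1) and g5 == derive_group5(g2)


if __name__ == "__main__":
    # The fake code from the write-up fails, the derived one from the summary passes.
    print(check_serial("12345-67890-40001-13579-24680"))   # False
    print(check_serial("12345-67890-40001-37536-39654"))   # True
```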
--------------------------------------------------------------------------------
【Copyright notice】: This article is an original work by 蚊香. When reposting, please credit the author and keep the article intact. Thanks!
[ This post was last edited by magic659117852 on 2008-6-19 16:30 ]
Learning from this; very good and very detailed.