Beating Boss Xiao to it: posting an algorithm analysis
Title: [Original] Beating Boss Xiao to it: posting an algorithm analysis
Author: as3852711
Time: 2009-03-29, 22:05
Link: https://www.chinapyg.com/viewthread.php?tid=44549&extra=page%3D1
―――――――――――――――――――――――――――――――――――――
【Article title】: Beating Boss Xiao to it: posting an algorithm analysis
【Article author】: xiaojiam
【Program name】: XXX RM 转换大师 (XXX RM Conversion Master)
【Program size】: 955 KB
【Download】: search for it yourself
【Protection】: registration code
【Language】: Delphi
【Tools used】: PEiD, OD
【Platform】: D-Windows XP3
【Program description】: used to convert RM files
【Author's note】: I'm just a little newbie; mistakes are inevitable, and I hope the experts will kindly correct me!
--------------------------------------------------------------------------------
【Chatter before the analysis】
--------------------------------------------------------------------------------
Today I happened to see that Boss Xiao had posted a keygen for XXX RM 转换大师. I traced it carefully and found that the algorithm is quite suitable for us newbies to learn from. So, without waiting for Boss Xiao to post an analysis, I'll be the cheeky one and post an algorithm analysis first.
--------------------------------------------------------------------------------
【Detailed process】
--------------------------------------------------------------------------------
1. Check the program for a packer with PEiD → Borland Delphi 6.0 - 7.0
Written in Delphi. Whenever I see something written in Delphi my heart cheers up. As the saying goes:
易语言 (EasyLanguage) has lots of floating point,
Delphi is much nicer to look at,
code written in VB is extremely long,
code written in VC is the most normal!
2. Load the program into OD and analyze.
After loading it into OD, run the program, search with the string plugin, find a pile of prompts, and with a bit of thinking arrive here.
------------------------------(Part 1)---------------------------------------------------------
004BD698 /. 55              push ebp                         ; entry of the registration button handler
004BD699 |. 8BEC            mov ebp, esp
004BD69B |. 6A 00           push 0
004BD69D |. 6A 00           push 0
004BD69F |. 53              push ebx
004BD6A0 |. 8BD8            mov ebx, eax
004BD6A2 |. 33C0            xor eax, eax
004BD6A4 |. 55              push ebp
004BD6A5 |. 68 58D74B00     push 004BD758
004BD6AA |. 64:FF30         push dword ptr fs:[eax]
004BD6AD |. 64:8920         mov dword ptr fs:[eax], esp
004BD6B0 |. 8D55 FC         lea edx, dword ptr [ebp-4]
004BD6B3 |. 8B83 20030000   mov eax, dword ptr [ebx+320]
004BD6B9 |. E8 CE6DFAFF     call 0046448C
004BD6BE |. 8B45 FC         mov eax, dword ptr [ebp-4]      ; get the user name "hanyu" and its length
004BD6C1 |. E8 C66EF4FF     call 0040458C
004BD6C6 |. 85C0            test eax, eax                    ; if it is 0, no jump: prompt for a user name
004BD6C8 |. 75 29           jnz short 004BD6F3
004BD6CA |. 6A 40           push 40
004BD6CC |. 68 64D74B00     push 004BD764                    ; "警告" (Warning)
004BD6D1 |. 68 6CD74B00     push 004BD76C                    ; "请输入用户名!" (Please enter a user name!)
004BD6D6 |. 8BC3            mov eax, ebx
004BD6D8 |. E8 97D5FAFF     call 0046AC74
004BD6DD |. 50              push eax                         ; |hOwner
004BD6DE |. E8 7199F4FF     call <jmp.&user32.MessageBoxA>   ; \MessageBoxA
004BD6E3 |. 8B83 20030000   mov eax, dword ptr [ebx+320]
004BD6E9 |. 8B10            mov edx, dword ptr [eax]
004BD6EB |. FF92 C4000000   call dword ptr [edx+C4]
004BD6F1 |. EB 4A           jmp short 004BD73D
004BD6F3 |> 8D55 F8         lea edx, dword ptr [ebp-8]
004BD6F6 |. 8B83 24030000   mov eax, dword ptr [ebx+324]
004BD6FC |. E8 8B6DFAFF     call 0046448C
004BD701 |. 8B45 F8         mov eax, dword ptr [ebp-8]      ; get the registration code "RMCo-5797nv268-E616" and its length
004BD704 |. E8 836EF4FF     call 0040458C
004BD709 |. 85C0            test eax, eax                    ; same as above
004BD70B |. 75 29           jnz short 004BD736
004BD70D |. 6A 40           push 40
004BD70F |. 68 64D74B00     push 004BD764                    ; "警告" (Warning)
004BD714 |. 68 7CD74B00     push 004BD77C                    ; "请输入注册码!" (Please enter a registration code!)
004BD719 |. 8BC3            mov eax, ebx
004BD71B |. E8 54D5FAFF     call 0046AC74
004BD720 |. 50              push eax                         ; |hOwner
004BD721 |. E8 2E99F4FF     call <jmp.&user32.MessageBoxA>   ; \MessageBoxA
004BD726 |. 8B83 24030000   mov eax, dword ptr [ebx+324]
004BD72C |. 8B10            mov edx, dword ptr [eax]
004BD72E |. FF92 C4000000   call dword ptr [edx+C4]
004BD734 |. EB 07           jmp short 004BD73D
004BD736 |> 8BC3            mov eax, ebx
004BD738 |. E8 47F9FFFF     call 004BD084                    ; registry-writing CALL (step in with F7)
------------------------------(Part 2)-----------------------------------------------------------
004BD084 $  55              push ebp
004BD085 .  8BEC            mov ebp, esp
004BD087 .  33C9            xor ecx, ecx
004BD089 .  51              push ecx
004BD08A .  51              push ecx
004BD08B .  51              push ecx
004BD08C .  51              push ecx
004BD08D .  51              push ecx
004BD08E .  53              push ebx
004BD08F .  56              push esi
004BD090 .  57              push edi
004BD091 .  8945 FC         mov dword ptr [ebp-4], eax
004BD094 .  33C0            xor eax, eax
004BD096 .  55              push ebp
004BD097 .  68 D5D14B00     push 004BD1D5
004BD09C .  64:FF30         push dword ptr fs:[eax]
004BD09F .  64:8920         mov dword ptr fs:[eax], esp
004BD0A2 .  8B45 FC         mov eax, dword ptr [ebp-4]
004BD0A5 .  E8 92020000     call 004BD33C                    ; comparison CALL (step in with F7)
------------------------------(Part 3)-----------------------------------------------------------
004BD33C /$ 55              push ebp
004BD33D |. 8BEC            mov ebp, esp
004BD33F |. B9 04000000     mov ecx, 4
004BD344 |> 6A 00           /push 0
004BD346 |. 6A 00           |push 0
004BD348 |. 49              |dec ecx
004BD349 |.^ 75 F9          \jnz short 004BD344
004BD34B |. 51              push ecx
004BD34C |. 53              push ebx
004BD34D |. 56              push esi
004BD34E |. 8BF0            mov esi, eax
004BD350 |. 33C0            xor eax, eax
004BD352 |. 55              push ebp
004BD353 |. 68 51D44B00     push 004BD451
004BD358 |. 64:FF30         push dword ptr fs:[eax]
004BD35B |. 64:8920         mov dword ptr fs:[eax], esp
004BD35E |. 8D55 F8         lea edx, dword ptr [ebp-8]
004BD361 |. 8B86 24030000   mov eax, dword ptr [esi+324]
004BD367 |. E8 2071FAFF     call 0046448C
004BD36C |. 8B45 F8         mov eax, dword ptr [ebp-8]      ; registration code: "RMCo-5797nv268-E616"
004BD36F |. 8D55 FC         lea edx, dword ptr [ebp-4]
004BD372 |. E8 CDB3F4FF     call 00408744
004BD377 |. 8B45 FC         mov eax, dword ptr [ebp-4]
004BD37A |. 50              push eax
004BD37B |. 8D55 EC         lea edx, dword ptr [ebp-14]
004BD37E |. 8B86 20030000   mov eax, dword ptr [esi+320]
004BD384 |. E8 0371FAFF     call 0046448C
004BD389 |. 8B45 EC         mov eax, dword ptr [ebp-14]     ; user name: "hanyu"
004BD38C |. 8D55 F0         lea edx, dword ptr [ebp-10]
004BD38F |. E8 B0B3F4FF     call 00408744
004BD394 |. 8B55 F0         mov edx, dword ptr [ebp-10]
004BD397 |. 8D4D F4         lea ecx, dword ptr [ebp-C]
004BD39A |. 8BC6            mov eax, esi
004BD39C |. E8 03010000     call 004BD4A4                    ; algorithm CALL (step in with F7)
Because the author hid the algorithm fairly deep, we have to take a small detour first. Once it is found, set a breakpoint and we are good to go:
------------------------------(Part 4)-----------------------------------------------------------
004BD4A4 /$ 55              push ebp                         ; entry of the algorithm function
004BD4A5 |. 8BEC            mov ebp, esp
004BD4A7 |. 51              push ecx
004BD4A8 |. B9 04000000     mov ecx, 4
004BD4AD |> 6A 00           /push 0
004BD4AF |. 6A 00           |push 0
004BD4B1 |. 49              |dec ecx
004BD4B2 |.^ 75 F9          \jnz short 004BD4AD
004BD4B4 |. 51              push ecx
004BD4B5 |. 874D FC         xchg dword ptr [ebp-4], ecx
004BD4B8 |. 53              push ebx
004BD4B9 |. 56              push esi
004BD4BA |. 57              push edi
004BD4BB |. 8BF9            mov edi, ecx
004BD4BD |. 8955 FC         mov dword ptr [ebp-4], edx      ; user name: "hanyu"
004BD4C0 |. 8B45 FC         mov eax, dword ptr [ebp-4]
004BD4C3 |. E8 B472F4FF     call 0040477C
004BD4C8 |. 33C0            xor eax, eax
004BD4CA |. 55              push ebp
004BD4CB |. 68 65D64B00     push 004BD665
004BD4D0 |. 64:FF30         push dword ptr fs:[eax]
004BD4D3 |. 64:8920         mov dword ptr fs:[eax], esp
004BD4D6 |. 8BC7            mov eax, edi
004BD4D8 |. E8 EF6DF4FF     call 004042CC
004BD4DD |. 8B45 FC         mov eax, dword ptr [ebp-4]      ; put "hanyu" into EAX
004BD4E0 |. E8 A770F4FF     call 0040458C                    ; // loop taking the hex of each ASCII code of the user name:
004BD4E5 |. 8BF0            mov esi, eax                     ; user name length 5 goes into ESI
004BD4E7 |. 85F6            test esi, esi
004BD4E9 |. 7E 26           jle short 004BD511               ; loop begins
004BD4EB |. BB 01000000     mov ebx, 1
004BD4F0 |> 8D4D EC         /lea ecx, dword ptr [ebp-14]
004BD4F3 |. 8B45 FC         |mov eax, dword ptr [ebp-4]
004BD4F6 |. 0FB64418 FF     |movzx eax, byte ptr [eax+ebx-1] ; ASCII code of each character
004BD4FB |. 33D2            |xor edx, edx
004BD4FD |. E8 BEB5F4FF     |call 00408AC0
004BD502 |. 8B55 EC         |mov edx, dword ptr [ebp-14]    ; hex value of each ASCII code
004BD505 |. 8D45 F8         |lea eax, dword ptr [ebp-8]     ; converted to a string
004BD508 |. E8 8770F4FF     |call 00404594
004BD50D |. 43              |inc ebx                         ; +1
004BD50E |. 4E              |dec esi                         ; -1
004BD50F |.^ 75 DF          \jnz short 004BD4F0
004BD511 |> 8B45 F8         mov eax, dword ptr [ebp-8]      ; string obtained after the loop: "68616E7975"
004BD514 |. E8 7370F4FF     call 0040458C                    ; // what follows is the reversing loop:
004BD519 |. 8BF0            mov esi, eax
004BD51B |. 85F6            test esi, esi
004BD51D |. 7E 2C           jle short 004BD54B
004BD51F |. BB 01000000     mov ebx, 1                       ; set EBX to 1
004BD524 |> 8B45 F8         /mov eax, dword ptr [ebp-8]     ; second loop begins: "68616E7975"
004BD527 |. E8 6070F4FF     |call 0040458C
004BD52C |. 2BC3            |sub eax, ebx                    ; EAX - EBX
004BD52E |. 8B55 F8         |mov edx, dword ptr [ebp-8]     ; pass the string to EBX: "68616E7975"
004BD531 |. 8A1402          |mov dl, byte ptr [edx+eax]     ; reversal begins:
004BD534 |. 8D45 E8         |lea eax, dword ptr [ebp-18]    ; give the value at position i to EAX
004BD537 |. E8 786FF4FF     |call 004044B4
004BD53C |. 8B55 E8         |mov edx, dword ptr [ebp-18]
004BD53F |. 8D45 F4         |lea eax, dword ptr [ebp-C]
004BD542 |. E8 4D70F4FF     |call 00404594
004BD547 |. 43              |inc ebx                         ; EBX + 1
004BD548 |. 4E              |dec esi                         ; ESI - 1
004BD549 |.^ 75 D9          \jnz short 004BD524
004BD54B |> 8D45 F8         lea eax, dword ptr [ebp-8]
004BD54E |. 50              push eax
004BD54F |. B9 04000000     mov ecx, 4
004BD554 |. BA 01000000     mov edx, 1
004BD559 |. 8B45 F4         mov eax, dword ptr [ebp-C]      ; string obtained from the reversing loop above: "5797E61686"
004BD55C |. E8 8B72F4FF     call 004047EC
004BD561 |. 8D45 F4         lea eax, dword ptr [ebp-C]
004BD564 |. 50              push eax
004BD565 |. B9 04000000     mov ecx, 4
004BD56A |. BA 05000000     mov edx, 5
004BD56F |. 8B45 F4         mov eax, dword ptr [ebp-C]
004BD572 |. E8 7572F4FF     call 004047EC
004BD577 |. 8B45 F8         mov eax, dword ptr [ebp-8]      ; take 4 from the start: "5797"
004BD57A |. E8 0D70F4FF     call 0040458C
004BD57F |. 83F8 04         cmp eax, 4                       ; check whether it is greater than 4
004BD582 |. 7D 2F           jge short 004BD5B3               ; if less, enter the loop
004BD584 |. 8B45 F8         mov eax, dword ptr [ebp-8]      ; take the first four characters: "5797"
004BD587 |. E8 0070F4FF     call 0040458C
004BD58C |. 8BD8            mov ebx, eax                     ; the length goes into EBX
004BD58E |. 83FB 03         cmp ebx, 3                       ; compare: greater than 3? if it is enough, jump
004BD591 |. 7F 20           jg short 004BD5B3
004BD593 |> 8D4D E4         /lea ecx, dword ptr [ebp-1C]
004BD596 |. 8BC3            |mov eax, ebx                    ; EBX -> EAX
004BD598 |. C1E0 02         |shl eax, 2                      ; shift EAX left by two bits, i.e. multiply by four
004BD59B |. 33D2            |xor edx, edx
004BD59D |. E8 1EB5F4FF     |call 00408AC0
004BD5A2 |. 8B55 E4         |mov edx, dword ptr [ebp-1C]
004BD5A5 |. 8D45 F8         |lea eax, dword ptr [ebp-8]     ; pass the address of EAX
004BD5A8 |. E8 E76FF4FF     |call 00404594
004BD5AD |. 43              |inc ebx
004BD5AE |. 83FB 04         |cmp ebx, 4
004BD5B1 |.^ 75 E0          \jnz short 004BD593
004BD5B3 |> 8B45 F4         mov eax, dword ptr [ebp-C]      ; take 4 characters starting at the fifth: "E616"
004BD5B6 |. E8 D16FF4FF     call 0040458C
004BD5BB |. 83F8 04         cmp eax, 4                       ; same as above
004BD5BE |. 7D 2F           jge short 004BD5EF
004BD5C0 |. 8B45 F4         mov eax, dword ptr [ebp-C]
004BD5C3 |. E8 C46FF4FF     call 0040458C
004BD5C8 |. 8BD8            mov ebx, eax
004BD5CA |. 83FB 03         cmp ebx, 3
004BD5CD |. 7F 20           jg short 004BD5EF
004BD5CF |> 8D4D E0         /lea ecx, dword ptr [ebp-20]
004BD5D2 |. 8BC3            |mov eax, ebx
004BD5D4 |. C1E0 02         |shl eax, 2
004BD5D7 |. 33D2            |xor edx, edx
004BD5D9 |. E8 E2B4F4FF     |call 00408AC0
004BD5DE |. 8B55 E0         |mov edx, dword ptr [ebp-20]
004BD5E1 |. 8D45 F4         |lea eax, dword ptr [ebp-C]
004BD5E4 |. E8 AB6FF4FF     |call 00404594
004BD5E9 |. 43              |inc ebx
004BD5EA |. 83FB 04         |cmp ebx, 4
004BD5ED |.^ 75 E0          \jnz short 004BD5CF
004BD5EF |> 8D45 F0         lea eax, dword ptr [ebp-10]
004BD5F2 |. BA 7CD64B00     mov edx, 004BD67C                ; "RMConv268d58k": fixed string
004BD5F7 |. E8 686DF4FF     call 00404364
004BD5FC |. 8D45 DC         lea eax, dword ptr [ebp-24]
004BD5FF |. 50              push eax
004BD600 |. B9 04000000     mov ecx, 4
004BD605 |. BA 01000000     mov edx, 1
004BD60A |. 8B45 F0         mov eax, dword ptr [ebp-10]
004BD60D |. E8 DA71F4FF     call 004047EC
004BD612 |. FF75 DC         push dword ptr [ebp-24]         ; take the first 4 characters: "RMCo"
004BD615 |. 68 94D64B00     push 004BD694                    ; "-": also fixed
004BD61A |. FF75 F8         push dword ptr [ebp-8]          ; first extracted part: "5797"
004BD61D |. 8D45 D8         lea eax, dword ptr [ebp-28]
004BD620 |. 50              push eax
004BD621 |. B9 05000000     mov ecx, 5
004BD626 |. BA 05000000     mov edx, 5
004BD62B |. 8B45 F0         mov eax, dword ptr [ebp-10]
004BD62E |. E8 B971F4FF     call 004047EC
004BD633 |. FF75 D8         push dword ptr [ebp-28]         ; take 5 characters starting at position 5: "nv268"
004BD636 |. 68 94D64B00     push 004BD694                    ; "-": same as above
004BD63B |. FF75 F4         push dword ptr [ebp-C]          ; second extracted part: "E616"
004BD63E |. 8BC7            mov eax, edi                     ; everything concatenated and sent to the address in EDI
004BD640 |. BA 06000000     mov edx, 6
004BD645 |. E8 0270F4FF     call 0040464C
004BD64A |. 33C0            xor eax, eax
004BD64C |. 5A              pop edx
004BD64D |. 59              pop ecx
004BD64E |. 59              pop ecx
004BD64F |. 64:8910         mov dword ptr fs:[eax], edx
004BD652 |. 68 6CD64B00     push 004BD66C
004BD657 |> 8D45 D8         lea eax, dword ptr [ebp-28]
004BD65A |. BA 0A000000     mov edx, 0A
004BD65F |. E8 8C6CF4FF     call 004042F0
004BD664 \. C3              retn
004BD665 .^ E9 C265F4FF     jmp 00403C2C
004BD66A .^ EB EB           jmp short 004BD657
004BD66C .  5F              pop edi
004BD66D .  5E              pop esi
004BD66E .  5B              pop ebx
004BD66F .  8BE5            mov esp, ebp
004BD671 .  5D              pop ebp
004BD672 .  C3              retn
--------------------------------------------------------------------------------
【Lessons learned】
1. Convert the registration code into hex ASCII characters;
2. Reverse the resulting string;
3. Check whether the reversed string is 4 characters long; if not, take the position times 4 as hex ASCII characters;
4. Check whether the reversed string is 8 characters long; if not, take the position times 4 as hex ASCII characters;
5. Write the keygen: read the assembly carefully, then rebuild the algorithm part in Delphi; the similarity turns out to be as high as 80%;
6. For learning purposes only; do not use it for anything illegal. Any illegal use is at your own risk;
--------------------------------------------------------------------------------------------------------
【Copyright notice】: This article is original to the PYG (飘云阁) forum. When reposting, please credit the author and keep the article intact. Thank you!
[ This post was last edited by as3852711 on 2009-3-29 23:24 ]
Delphi keygen source:
--------------------------------------------------------------------------------------------------------
procedure TForm1.Button1Click(Sender: TObject);
var
  s: string;
  code1: string;
  code2: string;
  gudin: string;
  bugou1: string;
  bugou2: string;
  i, x, y, z: integer;
begin
  s := edit1.Text;
  gudin := 'RMConv268d58k'; // fixed value
  code1 := '';
  code2 := '';
  for i := 1 to length(s) do // first loop: take the ASCII code of each character as hex
  begin
    code1 := code1 + inttohex(Ord(s[i]), $2);
  end;
  for x := length(code1) downto 1 do // second loop: reverse the string
  begin
    code2 := code2 + code1[x];
  end;
  bugou1 := copy(code2, 1, 4);
  if length(bugou1) < 4 then // loop run when the first segment is too short
  begin
    for y := length(bugou1) to 3 do
      bugou1 := bugou1 + inttohex(y * 4, $1);
  end;
  bugou2 := copy(code2, 5, 4);
  if length(bugou2) < 4 then // same as above
  begin
    for z := length(bugou2) to 3 do
      bugou2 := bugou2 + inttohex(z * 4, $1);
  end;
  edit2.Text := copy(gudin, 1, 4) + '-' + bugou1 + copy(gudin, 5, 5) + '-' + bugou2;
end;
[ This post was last edited by as3852711 on 2009-3-30 11:49 ]
Came over to learn a bit.
Learning!
I need to study this seriously too~
Another piece of software bites the dust.
I'll download the next program and trace it too, to learn.
Learning from it.
I'll take a look later too.
Learned something. This isn't 冰糖葫芦's, is it?
The OP should be dragged over to the homework section for a look.