FastStone Capture v6.5 Chinese edition algorithm analysis by: yAtEs 2010.1.11
Software download: http://www.skycn.com/soft/38193.html
http://hdcnc1.skycn.com/down/HA-FSCapture_65-FzH.zip
Packer check: ASProtect 1.2x - 1.3x -> Alexey Solodovnikov
OEP=0024C7F0
RVA=002661F4
Size=000CB041
Ran the Aspr2.XX Unpacker V1.15.OSC script, then used ImportREC for the repair; invalid pointers were simply cut.
Packer check after unpacking and repair: Borland Delphi 6.0 - 7.0
Crypto signature scan:
ADLER32 :: 000E81EF :: 004E81EF
BASE64 table :: 0025D5B8 :: 0065D5B8
BASE64 table :: 0025D90C :: 0065D90C
BLOWFISH :: 0025D994 :: 0065D994
CRC32 :: 00250A40 :: 00650A40
PI fraction (NIMBUS / BLOWFISH) :: 0025D94C :: 0065D94C
SHA1 :: 001E3869 :: 005E3869
SHA-512 :: 001EE4FD :: 005EE4FD
ZLIB deflate :: 0024EB24 :: 0064EB24
{Big number} :: 001EF3A0 :: 005EF3A0
Username: Spring_2050
Registration code: 1234567890ABCDEFGHIJKLMN
Registration info adjusted after analysis:
Username: Spring_2050
Registration code: CRACKBYSPRINGHIJKLMN
Setting bp MessageBoxA caught nothing, not sure why. After loading it in DeDe there was no way to find the Register button event, so I had to fall back to a script: I ran delphi按钮事件脚本.txt (a Delphi button-event script), clicked Register and it broke; F7 into the CALL then leads to the key code, where the analysis starts:
Algorithm analysis:
===========================================================================================================================================
005EF756 .55 push ebp ;start of analysis
005EF757 .68 78FA5E00 push 005EFA78
005EF75C .64:FF30 push dword ptr fs:
005EF75F .64:8920 mov dword ptr fs:, esp
005EF762 .8D55 E8 lea edx, dword ptr
005EF765 .8B45 FC mov eax, dword ptr
005EF768 .8B80 04030000 mov eax, dword ptr
005EF76E .E8 8DABE5FF call 0044A300 ;get username
005EF773 .8B45 E8 mov eax, dword ptr
005EF776 .8D55 F8 lea edx, dword ptr
005EF779 .E8 429BE1FF call 004092C0
005EF77E .8D55 E0 lea edx, dword ptr
005EF781 .8B45 FC mov eax, dword ptr
005EF784 .8B80 0C030000 mov eax, dword ptr
005EF78A .E8 71ABE5FF call 0044A300 ;get trial code
005EF78F .8B45 E0 mov eax, dword ptr
005EF792 .8D55 E4 lea edx, dword ptr
005EF795 .E8 269BE1FF call 004092C0
005EF79A .8B45 E4 mov eax, dword ptr
005EF79D .8D55 F0 lea edx, dword ptr
005EF7A0 .E8 CB98E1FF call 00409070
005EF7A5 .8D45 EC lea eax, dword ptr
005EF7A8 .E8 AF50E1FF call 0040485C
005EF7AD .8B45 F0 mov eax, dword ptr ;trial code into EAX
005EF7B0 .E8 5F53E1FF call 00404B14 ;trial-code length into EAX
005EF7B5 .8BF8 mov edi, eax ;EDI=EAX
005EF7B7 .4F dec edi ;EDI-1 stored in EDI
005EF7B8 .85FF test edi, edi
005EF7BA .7C 66 jl short 005EF822
005EF7BC .47 inc edi ;EDI+1 stored in EDI
005EF7BD .33F6 xor esi, esi ;clear ESI
005EF7BF >8B45 F0 mov eax, dword ptr ;trial code into EAX
005EF7C2 .8A1C30 mov bl, byte ptr ;current trial-code character into bl
005EF7C5 .80FB 41 cmp bl, 41 ;compare its ASCII value with 41H ('A')
005EF7C8 .72 20 jb short 005EF7EA ;jump if below
005EF7CA .8B45 F0 mov eax, dword ptr ;trial code into EAX
005EF7CD .80FB 5A cmp bl, 5A ;compare its ASCII value with 5AH ('Z')
005EF7D0 .77 18 ja short 005EF7EA ;jump if above 'Z'
005EF7D2 .8D45 DC lea eax, dword ptr
005EF7D5 .8B55 F0 mov edx, dword ptr ;trial code into EDX
005EF7D8 .8BD3 mov edx, ebx ;EDX=EBX
005EF7DA .E8 5D52E1FF call 00404A3C
005EF7DF .8B55 DC mov edx, dword ptr
005EF7E2 .8D45 EC lea eax, dword ptr
005EF7E5 .E8 3253E1FF call 00404B1C
005EF7EA >8B45 EC mov eax, dword ptr ;the processed trial code into EAX
005EF7ED .E8 2253E1FF call 00404B14 ;"trial-code counter" (current length)
005EF7F2 .83F8 05 cmp eax, 5 ;compare EAX with 5
005EF7F5 .74 1A je short 005EF811 ;jump if equal
005EF7F7 .8B45 EC mov eax, dword ptr ;address of the processed trial code into EAX
005EF7FA .E8 1553E1FF call 00404B14 ;its length
005EF7FF .83F8 0B cmp eax, 0B ;compare the length with 0BH (11)
005EF802 .74 0D je short 005EF811 ;jump if equal
005EF804 .8B45 EC mov eax, dword ptr ;address of the processed trial code into EAX
005EF807 .E8 0853E1FF call 00404B14 ;its length into EAX
005EF80C .83F8 11 cmp eax, 11 ;compare the length with 11H (17)
005EF80F .75 0D jnz short 005EF81E ;jump if not equal
005EF811 >8D45 EC lea eax, dword ptr
005EF814 .BA D8FA5E00 mov edx, 005EFAD8
005EF819 .E8 FE52E1FF call 00404B1C
005EF81E >46 inc esi ;ESI+1 stored in ESI
005EF81F .4F dec edi ;EDI-1 stored in EDI
005EF820 .^ 75 9D jnz short 005EF7BF ;take the trial-code characters one by one and compare; a hyphen is appended after every five characters
005EF822 >8D45 F4 lea eax, dword ptr
005EF825 .8B55 EC mov edx, dword ptr ;the formatted string built by the loop above into EDX
005EF828 .E8 C750E1FF call 004048F4 ;get username
005EF82D .837D F8 00 cmp dword ptr , 0 ;compare username with 0
005EF831 .75 33 jnz short 005EF866 ;jump if not equal
005EF833 .6A 00 push 0
005EF835 .66:8B0D DCFA5>mov cx, word ptr
005EF83C .B2 02 mov dl, 2
005EF83E .B8 E8FA5E00 mov eax, 005EFAE8
005EF843 .E8 6036E5FF call 00442EA8
005EF848 .8B45 FC mov eax, dword ptr
005EF84B .8B80 04030000 mov eax, dword ptr
005EF851 .8B10 mov edx, dword ptr
005EF853 .FF92 C0000000 call dword ptr
005EF859 .33C0 xor eax, eax
005EF85B .5A pop edx
005EF85C .59 pop ecx
005EF85D .59 pop ecx
005EF85E .64:8910 mov dword ptr fs:, edx
005EF861 .E9 1C020000 jmp 005EFA82
005EF866 >8B4D F4 mov ecx, dword ptr ;the computed string into ECX
005EF869 .8B55 F8 mov edx, dword ptr ;username into EDX
005EF86C .8B45 FC mov eax, dword ptr
005EF86F .E8 84FBFFFF call 005EF3F8 ;key CALL, step in; it computes registration-code characters 11~15
005EF874 .84C0 test al, al
005EF876 .0F84 D3010000 je 005EFA4F
005EF87C .8B4D F4 mov ecx, dword ptr ;trial-code string into ECX
005EF87F .8B55 F8 mov edx, dword ptr ;username into EDX
005EF882 .8B45 FC mov eax, dword ptr
005EF885 .E8 FEFBFFFF call 005EF488 ;key CALL, step in; it computes registration-code characters 16~20
005EF88A .84C0 test al, al
005EF88C .0F84 BD010000 je 005EFA4F
005EF892 .8B55 F4 mov edx, dword ptr ;trial code into EDX
005EF895 .8B45 FC mov eax, dword ptr
005EF898 .E8 7BFCFFFF call 005EF518
005EF89D .8BD8 mov ebx, eax
005EF89F .83FB 01 cmp ebx, 1 ;Switch (cases 457..1387)
005EF8A2 .7F 2D jg short 005EF8D1
005EF8A4 .6A 00 push 0
005EF8A6 .6A 00 push 0
005EF8A8 .8D45 D8 lea eax, dword ptr
005EF8AB .50 push eax
005EF8AC .33C9 xor ecx, ecx
005EF8AE .8B55 F8 mov edx, dword ptr ;username into EDX
005EF8B1 .B8 0CFB5E00 mov eax, 005EFB0C
005EF8B6 .E8 81650500 call 00645E3C
005EF8BB .8B45 D8 mov eax, dword ptr
005EF8BE .66:8B0D DCFA5>mov cx, word ptr
005EF8C5 .B2 02 mov dl, 2
005EF8C7 .E8 DC35E5FF call 00442EA8
005EF8CC .E9 36010000 jmp 005EFA07
===========================================================================================================================================
Stepping into the first key CALL brings us here:
005EF3F8/$55 push ebp
005EF3F9|.8BEC mov ebp, esp
005EF3FB|.83C4 F4 add esp, -0C
005EF3FE|.53 push ebx
005EF3FF|.33DB xor ebx, ebx
005EF401|.895D F4 mov dword ptr , ebx
005EF404|.894D F8 mov dword ptr , ecx ;result string stored
005EF407|.8955 FC mov dword ptr , edx ;username stored
005EF40A|.8BD8 mov ebx, eax
005EF40C|.8B45 FC mov eax, dword ptr ;username into EAX
005EF40F|.E8 E858E1FF call 00404CFC
005EF414|.8B45 F8 mov eax, dword ptr ;result string into EAX
005EF417|.E8 E058E1FF call 00404CFC
005EF41C|.33C0 xor eax, eax ;clear EAX
005EF41E|.55 push ebp
005EF41F|.68 7AF45E00 push 005EF47A
005EF424|.64:FF30 push dword ptr fs:
005EF427|.64:8920 mov dword ptr fs:, esp
005EF42A|.8B4D F8 mov ecx, dword ptr ;result string into ECX
005EF42D|.8B55 FC mov edx, dword ptr ;username into EDX
005EF430|.8BC3 mov eax, ebx ;EAX=EBX
005EF432|.E8 F1F7FFFF call 005EEC28 ;key CALL, step in
005EF437|.84C0 test al, al ;test the result flag
005EF439|.75 20 jnz short 005EF45B ;jump if nonzero
005EF43B|.8D55 F4 lea edx, dword ptr
005EF43E|.8B45 FC mov eax, dword ptr
005EF441|.E8 EAB00500 call 0064A530
005EF446|.8B55 F4 mov edx, dword ptr
005EF449|.8B4D F8 mov ecx, dword ptr
005EF44C|.8BC3 mov eax, ebx
005EF44E|.E8 D5F7FFFF call 005EEC28
005EF453|.84C0 test al, al
005EF455|.75 04 jnz short 005EF45B
005EF457|.33C0 xor eax, eax
005EF459|.EB 02 jmp short 005EF45D
005EF45B|>B0 01 mov al, 1 ;set al to 1
005EF45D|>8BD8 mov ebx, eax
005EF45F|.33C0 xor eax, eax
005EF461|.5A pop edx
005EF462|.59 pop ecx
005EF463|.59 pop ecx
005EF464|.64:8910 mov dword ptr fs:, edx
005EF467|.68 81F45E00 push 005EF481
005EF46C|>8D45 F4 lea eax, dword ptr
005EF46F|.BA 03000000 mov edx, 3
005EF474|.E8 0754E1FF call 00404880
005EF479\.C3 retn
005EF47A .^ E9 814DE1FF jmp 00404200
005EF47F .^ EB EB jmp short 005EF46C
005EF481 .8BC3 mov eax, ebx
005EF483 .5B pop ebx
005EF484 .8BE5 mov esp, ebp
005EF486 .5D pop ebp
005EF487 .C3 retn
===========================================================================================================================================
005EEC28 $55 push ebp
005EEC29 .8BEC mov ebp, esp
005EEC2B .51 push ecx
005EEC2C .B9 0C000000 mov ecx, 0C
005EEC31 >6A 00 push 0
005EEC33 .6A 00 push 0
005EEC35 .49 dec ecx
005EEC36 .^ 75 F9 jnz short 005EEC31
005EEC38 .874D FC xchg dword ptr , ecx
005EEC3B .53 push ebx
005EEC3C .56 push esi
005EEC3D .57 push edi ;continue the analysis!!!
005EEC3E .894D F4 mov dword ptr , ecx ;result string stored
005EEC41 .8955 F8 mov dword ptr , edx ;username stored
005EEC44 .8945 FC mov dword ptr , eax
005EEC47 .8B45 F8 mov eax, dword ptr ;username into EAX
005EEC4A .E8 AD60E1FF call 00404CFC
005EEC4F .8B45 F4 mov eax, dword ptr ;result string into EAX
005EEC52 .E8 A560E1FF call 00404CFC
005EEC57 .33C0 xor eax, eax ;clear EAX
005EEC59 .55 push ebp
005EEC5A .68 A2EF5E00 push 005EEFA2
005EEC5F .64:FF30 push dword ptr fs:
005EEC62 .64:8920 mov dword ptr fs:, esp
005EEC65 .33C0 xor eax, eax
005EEC67 .55 push ebp
005EEC68 .68 56EF5E00 push 005EEF56
005EEC6D .64:FF30 push dword ptr fs:
005EEC70 .64:8920 mov dword ptr fs:, esp
005EEC73 .C645 F3 00 mov byte ptr , 0
005EEC77 .8D55 E4 lea edx, dword ptr
005EEC7A .8B45 F8 mov eax, dword ptr ;username into EAX
005EEC7D .E8 EEA3E1FF call 00409070
005EEC82 .8D55 D4 lea edx, dword ptr
005EEC85 .8B45 F4 mov eax, dword ptr ;result string into EAX
005EEC88 .E8 33A6E1FF call 004092C0 ;processed result string stored
005EEC8D .8B45 D4 mov eax, dword ptr ;result string into EAX
005EEC90 .8D55 D8 lea edx, dword ptr
005EEC93 .E8 D8A3E1FF call 00409070 ;get username
005EEC98 .837D E4 00 cmp dword ptr , 0 ;compare with 0
005EEC9C .75 0D jnz short 005EECAB ;jump if not equal
005EEC9E .33C0 xor eax, eax
005EECA0 .5A pop edx
005EECA1 .59 pop ecx
005EECA2 .59 pop ecx
005EECA3 .64:8910 mov dword ptr fs:, edx
005EECA6 .E9 B5020000 jmp 005EEF60
005EECAB >837D D8 00 cmp dword ptr , 0 ;compare the result string with 0
005EECAF .75 0D jnz short 005EECBE ;jump if not equal
005EECB1 .33C0 xor eax, eax
005EECB3 .5A pop edx
005EECB4 .59 pop ecx
005EECB5 .59 pop ecx
005EECB6 .64:8910 mov dword ptr fs:, edx
005EECB9 .E9 A2020000 jmp 005EEF60
005EECBE >8B45 D8 mov eax, dword ptr ;result string into EAX
005EECC1 .E8 4E5EE1FF call 00404B14 ;trial-code length into EAX
005EECC6 .83F8 17 cmp eax, 17 ;compare EAX with 17H (23)
005EECC9 .75 71 jnz short 005EED3C ;jump if not equal
005EECCB .8D45 D0 lea eax, dword ptr
005EECCE .50 push eax
005EECCF .B9 05000000 mov ecx, 5
005EECD4 .BA 01000000 mov edx, 1
005EECD9 .8B45 D8 mov eax, dword ptr ;trial code into EAX
005EECDC .E8 8B60E1FF call 00404D6C ;take the first five characters of the trial code
005EECE1 .FF75 D0 push dword ptr
005EECE4 .8D45 CC lea eax, dword ptr
005EECE7 .50 push eax
005EECE8 .B9 05000000 mov ecx, 5
005EECED .BA 07000000 mov edx, 7
005EECF2 .8B45 D8 mov eax, dword ptr ;trial code into EAX
005EECF5 .E8 7260E1FF call 00404D6C ;take characters 6~10 of the trial code
005EECFA .FF75 CC push dword ptr
005EECFD .8D45 C8 lea eax, dword ptr
005EED00 .50 push eax
005EED01 .B9 05000000 mov ecx, 5
005EED06 .BA 0D000000 mov edx, 0D
005EED0B .8B45 D8 mov eax, dword ptr ;trial code into EAX
005EED0E .E8 5960E1FF call 00404D6C ;take characters 11~15 of the trial code
005EED13 .FF75 C8 push dword ptr
005EED16 .8D45 C4 lea eax, dword ptr
005EED19 .50 push eax
005EED1A .B9 05000000 mov ecx, 5
005EED1F .BA 13000000 mov edx, 13
005EED24 .8B45 D8 mov eax, dword ptr ;trial code into EAX
005EED27 .E8 4060E1FF call 00404D6C ;take characters 16~20 of the trial code
005EED2C .FF75 C4 push dword ptr
005EED2F .8D45 D8 lea eax, dword ptr
005EED32 .BA 04000000 mov edx, 4
005EED37 .E8 985EE1FF call 00404BD4
005EED3C >8B45 E4 mov eax, dword ptr ;username into EAX
005EED3F .E8 D05DE1FF call 00404B14 ;username length into EAX
005EED44 .83F8 03 cmp eax, 3 ;compare username length with 3
005EED47 .7C 0D jl short 005EED56 ;jump if username length < 3
005EED49 .8B45 D8 mov eax, dword ptr ;trial code into EAX
005EED4C .E8 C35DE1FF call 00404B14 ;trial-code length into EAX
005EED51 .83F8 14 cmp eax, 14 ;compare trial-code length with 14H (20)
005EED54 .74 0D je short 005EED63 ;jump if equal
005EED56 >33C0 xor eax, eax
005EED58 .5A pop edx
005EED59 .59 pop ecx
005EED5A .59 pop ecx
005EED5B .64:8910 mov dword ptr fs:, edx
005EED5E .E9 FD010000 jmp 005EEF60
005EED63 >8D45 EC lea eax, dword ptr
005EED66 .50 push eax
005EED67 .B9 08000000 mov ecx, 8
005EED6C .BA 01000000 mov edx, 1
005EED71 .8B45 D8 mov eax, dword ptr ;trial code into EAX
005EED74 .E8 F35FE1FF call 00404D6C
005EED79 .8D45 E8 lea eax, dword ptr
005EED7C .E8 DB5AE1FF call 0040485C
005EED81 .BB 01000000 mov ebx, 1
005EED86 .BE 01000000 mov esi, 1
005EED8B .BF 01000000 mov edi, 1
005EED90 .EB 63 jmp short 005EEDF5
005EED92 >8BC7 mov eax, edi
005EED94 .25 01000080 and eax, 80000001
005EED99 .79 05 jns short 005EEDA0
005EED9B .48 dec eax
005EED9C .83C8 FE or eax, FFFFFFFE
005EED9F .40 inc eax
005EEDA0 >85C0 test eax, eax
005EEDA2 .75 29 jnz short 005EEDCD
005EEDA4 .8B45 EC mov eax, dword ptr ;first eight characters of the trial code into EAX
005EEDA7 .E8 685DE1FF call 00404B14 ;their length into EAX
005EEDAC .3BD8 cmp ebx, eax ;compare EBX with EAX
005EEDAE .7F 44 jg short 005EEDF4 ;jump if greater
005EEDB0 .8D45 C0 lea eax, dword ptr
005EEDB3 .8B55 EC mov edx, dword ptr ;trial code into EDX
005EEDB6 .8A541A FF mov dl, byte ptr ;ASCII value of the trial-code character into dl
005EEDBA .E8 7D5CE1FF call 00404A3C
005EEDBF .8B55 C0 mov edx, dword ptr
005EEDC2 .8D45 E8 lea eax, dword ptr
005EEDC5 .E8 525DE1FF call 00404B1C
005EEDCA .43 inc ebx
005EEDCB .EB 27 jmp short 005EEDF4
005EEDCD >8B45 E4 mov eax, dword ptr ;username into EAX
005EEDD0 .E8 3F5DE1FF call 00404B14 ;username length into EAX
005EEDD5 .3BF0 cmp esi, eax ;compare ESI with EAX
005EEDD7 .7F 1B jg short 005EEDF4 ;jump if greater
005EEDD9 .8D45 BC lea eax, dword ptr
005EEDDC .8B55 E4 mov edx, dword ptr ;username into EDX
005EEDDF .8A5432 FF mov dl, byte ptr ;username character into dl
005EEDE3 .E8 545CE1FF call 00404A3C
005EEDE8 .8B55 BC mov edx, dword ptr
005EEDEB .8D45 E8 lea eax, dword ptr
005EEDEE .E8 295DE1FF call 00404B1C
005EEDF3 .46 inc esi
005EEDF4 >47 inc edi
005EEDF5 >8B45 EC mov eax, dword ptr ;first eight characters of the trial code into EAX
005EEDF8 .E8 175DE1FF call 00404B14
005EEDFD .3BD8 cmp ebx, eax ;compare EBX with EAX
005EEDFF .^ 7E 91 jle short 005EED92 ;loop over the trial-code characters
005EEE01 .8B45 E4 mov eax, dword ptr ;username into EAX
005EEE04 .E8 0B5DE1FF call 00404B14 ;username length into EAX
005EEE09 .3BF0 cmp esi, eax ;compare ESI with the username length
005EEE0B .^ 7E 85 jle short 005EED92 ;jump back (loop) while ESI is less than or equal to the username length
005EEE0D .68 BCEF5E00 push 005EEFBC ;ASCII "me4T6cBLV"
005EEE12 .FF75 EC push dword ptr
005EEE15 .68 D0EF5E00 push 005EEFD0 ;ASCII "CpCwxrvCJZ30pKLu8Svxjhnhut437glCpofVssnFeBh2G0ekUq4VcxFintMix52vL0iJNbdtWqHPyeumkDUC+4AaoSX+xpl56Esonk4="
005EEE1A .8D45 B8 lea eax, dword ptr
005EEE1D .BA 03000000 mov edx, 3
005EEE22 .E8 AD5DE1FF call 00404BD4
005EEE27 .8B55 B8 mov edx, dword ptr ;string 1 + first eight trial-code characters + string 2 into EDX
005EEE2A .8B45 FC mov eax, dword ptr
005EEE2D .8B80 F8020000 mov eax, dword ptr
005EEE33 .8B0D 782A5E00 mov ecx, dword ptr ;UnPack_.005E2AC4
005EEE39 .E8 F610FFFF call 005DFF34
005EEE3E .8D45 AC lea eax, dword ptr
005EEE41 .8B55 EC mov edx, dword ptr ;first eight characters of the trial code into EDX
005EEE44 .E8 9362E1FF call 004050DC
005EEE49 .FF75 AC push dword ptr
005EEE4C .A1 64EE6500 mov eax, dword ptr
005EEE51 .8B00 mov eax, dword ptr
005EEE53 .FFB0 C8040000 push dword ptr ;96338
005EEE59 .8D45 A8 lea eax, dword ptr
005EEE5C .8B55 E8 mov edx, dword ptr ;SCPRRAICNKGB_Y2S050 into EDX
005EEE5F .E8 7862E1FF call 004050DC ;combined string 1 into EAX
005EEE64 .FF75 A8 push dword ptr
005EEE67 .8D45 B0 lea eax, dword ptr
005EEE6A .BA 03000000 mov edx, 3
005EEE6F .E8 F462E1FF call 00405168
005EEE74 .8B55 B0 mov edx, dword ptr ;"first eight trial-code characters + 96338 + combined string" into EDX
005EEE77 .8D45 B4 lea eax, dword ptr
005EEE7A .E8 5D5CE1FF call 00404ADC
005EEE7F .8B55 B4 mov edx, dword ptr ;combined string 2 into EDX
005EEE82 .8B45 FC mov eax, dword ptr
005EEE85 .8B80 F4020000 mov eax, dword ptr
005EEE8B .8B0D A8405E00 mov ecx, dword ptr ;UnPack_.005E40F4
005EEE91 .E8 9E10FFFF call 005DFF34 ;combined string 2 into ECX
005EEE96 .8D4D E0 lea ecx, dword ptr
005EEE99 .8B45 FC mov eax, dword ptr
005EEE9C .8B80 F8020000 mov eax, dword ptr
005EEEA2 .8B55 E8 mov edx, dword ptr ;combined string 1 into EDX
005EEEA5 .8B18 mov ebx, dword ptr
005EEEA7 .FF53 54 call dword ptr ;encryption algorithm 1
005EEEAA .8D4D A4 lea ecx, dword ptr
005EEEAD .8B45 FC mov eax, dword ptr
005EEEB0 .8B80 F4020000 mov eax, dword ptr
005EEEB6 .8B55 E0 mov edx, dword ptr
005EEEB9 .8B18 mov ebx, dword ptr
005EEEBB .FF53 54 call dword ptr ;encryption algorithm 2
005EEEBE .8B55 A4 mov edx, dword ptr
005EEEC1 .8D45 E0 lea eax, dword ptr
005EEEC4 .E8 2B5AE1FF call 004048F4
005EEEC9 .8D45 DC lea eax, dword ptr
005EEECC .E8 8B59E1FF call 0040485C
005EEED1 .8B45 E0 mov eax, dword ptr ;encrypted string 2 into EAX
005EEED4 .E8 3B5CE1FF call 00404B14
005EEED9 .8BF0 mov esi, eax
005EEEDB .85F6 test esi, esi
005EEEDD .7E 46 jle short 005EEF25
005EEEDF .BB 01000000 mov ebx, 1
005EEEE4 >8B45 E0 mov eax, dword ptr ;encrypted string 2 into EAX
005EEEE7 .8A4418 FF mov al, byte ptr ;take a character of encrypted string 2
005EEEEB .3C 41 cmp al, 41 ;compare with 41H ('A')
005EEEED .72 32 jb short 005EEF21 ;jump if below
005EEEEF .8B45 E0 mov eax, dword ptr ;encrypted string 2 into EAX
005EEEF2 .8A4418 FF mov al, byte ptr ;take the character of encrypted string 2 again
005EEEF6 .3C 5A cmp al, 5A ;compare with 5AH ('Z')
005EEEF8 .77 27 ja short 005EEF21 ;jump if above
005EEEFA .8B45 DC mov eax, dword ptr
005EEEFD .E8 125CE1FF call 00404B14
005EEF02 .83F8 08 cmp eax, 8
005EEF05 .7D 1A jge short 005EEF21
005EEF07 .8D45 A0 lea eax, dword ptr
005EEF0A .8B55 E0 mov edx, dword ptr ;encrypted string 2 into EDX
005EEF0D .8A541A FF mov dl, byte ptr ;take the character of encrypted string 2
005EEF11 .E8 265BE1FF call 00404A3C
005EEF16 .8B55 A0 mov edx, dword ptr
005EEF19 .8D45 DC lea eax, dword ptr
005EEF1C .E8 FB5BE1FF call 00404B1C
005EEF21 >43 inc ebx
005EEF22 .4E dec esi
005EEF23 .^ 75 BF jnz short 005EEEE4 ;loop over the encrypted string character by character; I don't understand the algorithm, my skill isn't enough ^_^
005EEF25 >8D45 9C lea eax, dword ptr
005EEF28 .50 push eax
005EEF29 .B9 08000000 mov ecx, 8
005EEF2E .BA 09000000 mov edx, 9
005EEF33 .8B45 D8 mov eax, dword ptr ;trial code into EAX
005EEF36 .E8 315EE1FF call 00404D6C
005EEF3B .8B55 9C mov edx, dword ptr ;trial-code characters 9~16 into EDX
005EEF3E .8B45 DC mov eax, dword ptr ;into EAX: holds the uppercase letters collected from encrypted string 2
005EEF41 .E8 125DE1FF call 00404C58 ;key CALL: the comparison; this yields registration-code characters 9~16
005EEF46 .75 04 jnz short 005EEF4C ;jump if not equal
005EEF48 .C645 F3 01 mov byte ptr , 1
005EEF4C >33C0 xor eax, eax
===========================================================================================================================================
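The input formatting the routine above applies before any key material is touched (the hyphen-insertion loop at 005EF7BF..005EF820 and the length gate at 005EECBE..005EED54), written out as an added Python example that is neither the author's code nor FastStone's. It assumes the string at 005EFAD8 is "-", that 00404B14 returns a Delphi string's length and that 00404D6C is Copy(s, pos, len) with 1-based positions; it covers only the structural checks, not the later interleaving or the encryption calls the page could not resolve.

```python
# Added example (not the author's code, not FastStone's): the format handling
# applied to the entered registration code before any of the unknown
# "encryption" steps run. Assumed: 005EFAD8 holds "-" (the comment at 005EF820
# says a hyphen is appended after every five characters); 00404B14 returns a
# Delphi string's length; 00404D6C is Copy(s, pos, len) with 1-based positions.

HYPHEN = "-"                    # assumption, see above
GROUP_BREAKS = (5, 11, 17)      # cmp eax,5 / cmp eax,0B / cmp eax,11H
GROUP_STARTS = (1, 7, 13, 19)   # mov edx,1 / 7 / 0D / 13 before each 00404D6C
GROUP_LEN = 5                   # mov ecx,5 before each 00404D6C


def canonicalize(entered: str) -> str:
    """Rebuild the entered code the way the 005EF7BF loop does.

    Only 'A'..'Z' survive (cmp 41H / cmp 5AH), and once the buffer is 5, 11
    or 17 characters long a hyphen is appended. The length test runs for
    every input character, letter or not: the jb/ja both target 005EF7EA.
    """
    out = ""
    for ch in entered:
        if "A" <= ch <= "Z":
            out += ch
        if len(out) in GROUP_BREAKS:
            out += HYPHEN
    return out


def strip_groups(code: str) -> str:
    """005EECBE..005EED37: a 23-character code is reduced to its four
    5-character groups; any other length is passed through unchanged."""
    if len(code) != 23:
        return code
    return "".join(code[p - 1:p - 1 + GROUP_LEN] for p in GROUP_STARTS)


def check_format(username: str, entered: str) -> tuple:
    """The structural gate at 005EED3C..005EED54 (cmp eax,3 / cmp eax,14H).

    Returns (ok, reason). Only when this passes does the routine go on to
    the per-character interleaving and the encryption calls; nothing here
    derives or validates the key material itself.
    """
    code = strip_groups(canonicalize(entered))
    if len(username) < 3:
        return False, "username shorter than 3"
    if len(code) != 20:
        return False, "code is %d characters after stripping, not 20" % len(code)
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through using the page's own two inputs.
    for user, code in (("Spring_2050", "1234567890ABCDEFGHIJKLMN"),
                       ("Spring_2050", "CRACKBYSPRINGHIJKLMN")):
        print(repr(canonicalize(code)), check_format(user, code))
```

The first input of the page fails here because only 16 characters survive the A..Z filter, which is why the author switched to a 20-letter code before looking at the key CALLs.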
Stepping into the second key CALL brings us here:
005EF488/$55 push ebp
005EF489|.8BEC mov ebp, esp
005EF48B|.83C4 F4 add esp, -0C
005EF48E|.53 push ebx
005EF48F|.33DB xor ebx, ebx
005EF491|.895D F4 mov dword ptr , ebx
005EF494|.894D F8 mov dword ptr , ecx
005EF497|.8955 FC mov dword ptr , edx
005EF49A|.8BD8 mov ebx, eax
005EF49C|.8B45 FC mov eax, dword ptr ;username into EAX
005EF49F|.E8 5858E1FF call 00404CFC
005EF4A4|.8B45 F8 mov eax, dword ptr ;trial-code string into EAX
005EF4A7|.E8 5058E1FF call 00404CFC
005EF4AC|.33C0 xor eax, eax ;clear EAX
005EF4AE|.55 push ebp
005EF4AF|.68 0AF55E00 push 005EF50A
005EF4B4|.64:FF30 push dword ptr fs:
005EF4B7|.64:8920 mov dword ptr fs:, esp
005EF4BA|.8B4D F8 mov ecx, dword ptr ;trial-code string into ECX
005EF4BD|.8B55 FC mov edx, dword ptr ;username into EDX
005EF4C0|.8BC3 mov eax, ebx
005EF4C2|.E8 75FBFFFF call 005EF03C ;computes registration-code characters 16~20
005EF4C7|.84C0 test al, al
005EF4C9|.75 20 jnz short 005EF4EB
005EF4CB|.8D55 F4 lea edx, dword ptr
005EF4CE|.8B45 FC mov eax, dword ptr
005EF4D1|.E8 5AB00500 call 0064A530
005EF4D6|.8B55 F4 mov edx, dword ptr
005EF4D9|.8B4D F8 mov ecx, dword ptr
005EF4DC|.8BC3 mov eax, ebx
005EF4DE|.E8 59FBFFFF call 005EF03C
005EF4E3|.84C0 test al, al
005EF4E5|.75 04 jnz short 005EF4EB
005EF4E7|.33C0 xor eax, eax
005EF4E9|.EB 02 jmp short 005EF4ED
005EF4EB|>B0 01 mov al, 1
005EF4ED|>8BD8 mov ebx, eax
005EF4EF|.33C0 xor eax, eax
005EF4F1|.5A pop edx
005EF4F2|.59 pop ecx
005EF4F3|.59 pop ecx
005EF4F4|.64:8910 mov dword ptr fs:, edx
005EF4F7|.68 11F55E00 push 005EF511
005EF4FC|>8D45 F4 lea eax, dword ptr
005EF4FF|.BA 03000000 mov edx, 3
005EF504|.E8 7753E1FF call 00404880
005EF509\.C3 retn
005EF50A .^ E9 F14CE1FF jmp 00404200
005EF50F .^ EB EB jmp short 005EF4FC
005EF511 .8BC3 mov eax, ebx
005EF513 .5B pop ebx
005EF514 .8BE5 mov esp, ebp
005EF516 .5D pop ebp
005EF517 .C3 retn
===========================================================================================================================================
005EF03C $55 push ebp
005EF03D .8BEC mov ebp, esp
005EF03F .51 push ecx
005EF040 .B9 0B000000 mov ecx, 0B
005EF045 >6A 00 push 0
005EF047 .6A 00 push 0
005EF049 .49 dec ecx
005EF04A .^ 75 F9 jnz short 005EF045
005EF04C .51 push ecx
005EF04D .874D FC xchg dword ptr , ecx
005EF050 .53 push ebx
005EF051 .56 push esi
005EF052 .57 push edi
005EF053 .894D F4 mov dword ptr , ecx ;trial code stored
005EF056 .8955 F8 mov dword ptr , edx ;username stored
005EF059 .8945 FC mov dword ptr , eax
005EF05C .8B45 F8 mov eax, dword ptr
005EF05F .E8 985CE1FF call 00404CFC
005EF064 .8B45 F4 mov eax, dword ptr
005EF067 .E8 905CE1FF call 00404CFC
005EF06C .33C0 xor eax, eax
005EF06E .55 push ebp
005EF06F .68 86F35E00 push 005EF386
005EF074 .64:FF30 push dword ptr fs:
005EF077 .64:8920 mov dword ptr fs:, esp
005EF07A .33C0 xor eax, eax
005EF07C .55 push ebp
005EF07D .68 3AF35E00 push 005EF33A
005EF082 .64:FF30 push dword ptr fs:
005EF085 .64:8920 mov dword ptr fs:, esp
005EF088 .8D55 E4 lea edx, dword ptr
005EF08B .8B45 F8 mov eax, dword ptr ;username into EAX
005EF08E .E8 DD9FE1FF call 00409070
005EF093 .8D55 D4 lea edx, dword ptr
005EF096 .8B45 F4 mov eax, dword ptr ;trial code into EAX
005EF099 .E8 22A2E1FF call 004092C0
005EF09E .8B45 D4 mov eax, dword ptr
005EF0A1 .8D55 D8 lea edx, dword ptr
005EF0A4 .E8 C79FE1FF call 00409070
005EF0A9 .8B45 D8 mov eax, dword ptr
005EF0AC .E8 635AE1FF call 00404B14 ;trial-code length into EAX
005EF0B1 .83F8 17 cmp eax, 17 ;compare trial-code length with 17H (23)
005EF0B4 .75 71 jnz short 005EF127 ;jump if not equal
005EF0B6 .8D45 D0 lea eax, dword ptr
005EF0B9 .50 push eax
005EF0BA .B9 05000000 mov ecx, 5
005EF0BF .BA 01000000 mov edx, 1
005EF0C4 .8B45 D8 mov eax, dword ptr ;trial code into EAX
005EF0C7 .E8 A05CE1FF call 00404D6C
005EF0CC .FF75 D0 push dword ptr ;first five characters of the trial code
005EF0CF .8D45 CC lea eax, dword ptr
005EF0D2 .50 push eax
005EF0D3 .B9 05000000 mov ecx, 5
005EF0D8 .BA 07000000 mov edx, 7
005EF0DD .8B45 D8 mov eax, dword ptr
005EF0E0 .E8 875CE1FF call 00404D6C ;take characters 6~10 of the trial code
005EF0E5 .FF75 CC push dword ptr
005EF0E8 .8D45 C8 lea eax, dword ptr
005EF0EB .50 push eax
005EF0EC .B9 05000000 mov ecx, 5
005EF0F1 .BA 0D000000 mov edx, 0D
005EF0F6 .8B45 D8 mov eax, dword ptr
005EF0F9 .E8 6E5CE1FF call 00404D6C ;take characters 11~15 of the trial code
005EF0FE .FF75 C8 push dword ptr
005EF101 .8D45 C4 lea eax, dword ptr
005EF104 .50 push eax
005EF105 .B9 05000000 mov ecx, 5
005EF10A .BA 13000000 mov edx, 13
005EF10F .8B45 D8 mov eax, dword ptr
005EF112 .E8 555CE1FF call 00404D6C ;take characters 16~20 of the trial code
005EF117 .FF75 C4 push dword ptr
005EF11A .8D45 D8 lea eax, dword ptr
005EF11D .BA 04000000 mov edx, 4
005EF122 .E8 AD5AE1FF call 00404BD4
005EF127 >8B45 E4 mov eax, dword ptr ;username into EAX
005EF12A .E8 E559E1FF call 00404B14 ;username length into EAX
005EF12F .83F8 03 cmp eax, 3 ;compare username length with 3
005EF132 .7C 0D jl short 005EF141 ;jump if less than 3
005EF134 .8B45 D8 mov eax, dword ptr ;trial code into EAX
005EF137 .E8 D859E1FF call 00404B14 ;trial-code length into EAX
005EF13C .83F8 14 cmp eax, 14 ;compare trial-code length with 14H (20)
005EF13F .74 0D je short 005EF14E ;jump if equal
005EF141 >33C0 xor eax, eax
005EF143 .5A pop edx
005EF144 .59 pop ecx
005EF145 .59 pop ecx
005EF146 .64:8910 mov dword ptr fs:, edx
005EF149 .E9 F6010000 jmp 005EF344
005EF14E >8D45 EC lea eax, dword ptr
005EF151 .50 push eax
005EF152 .B9 08000000 mov ecx, 8
005EF157 .BA 01000000 mov edx, 1
005EF15C .8B45 D8 mov eax, dword ptr
005EF15F .E8 085CE1FF call 00404D6C
005EF164 .8D45 E8 lea eax, dword ptr
005EF167 .E8 F056E1FF call 0040485C
005EF16C .BB 01000000 mov ebx, 1
005EF171 .BE 01000000 mov esi, 1
005EF176 .BF 01000000 mov edi, 1
005EF17B .EB 63 jmp short 005EF1E0
005EF17D >8BC7 mov eax, edi
005EF17F .25 01000080 and eax, 80000001
005EF184 .79 05 jns short 005EF18B
005EF186 .48 dec eax
005EF187 .83C8 FE or eax, FFFFFFFE
005EF18A .40 inc eax
005EF18B >85C0 test eax, eax
005EF18D .75 29 jnz short 005EF1B8
005EF18F .8B45 EC mov eax, dword ptr
005EF192 .E8 7D59E1FF call 00404B14
005EF197 .3BD8 cmp ebx, eax
005EF199 .7F 44 jg short 005EF1DF
005EF19B .8D45 C0 lea eax, dword ptr
005EF19E .8B55 EC mov edx, dword ptr
005EF1A1 .8A541A FF mov dl, byte ptr
005EF1A5 .E8 9258E1FF call 00404A3C
005EF1AA .8B55 C0 mov edx, dword ptr
005EF1AD .8D45 E8 lea eax, dword ptr
005EF1B0 .E8 6759E1FF call 00404B1C
005EF1B5 .43 inc ebx
005EF1B6 .EB 27 jmp short 005EF1DF
005EF1B8 >8B45 E4 mov eax, dword ptr ;get username
005EF1BB .E8 5459E1FF call 00404B14 ;username length
005EF1C0 .3BF0 cmp esi, eax ;compare ESI with EAX
005EF1C2 .7F 1B jg short 005EF1DF ;jump if greater
005EF1C4 .8D45 BC lea eax, dword ptr
005EF1C7 .8B55 E4 mov edx, dword ptr ;username into EDX
005EF1CA .8A5432 FF mov dl, byte ptr ;take the username characters one by one
005EF1CE .E8 6958E1FF call 00404A3C ;last seven characters of the trial code
005EF1D3 .8B55 BC mov edx, dword ptr
005EF1D6 .8D45 E8 lea eax, dword ptr
005EF1D9 .E8 3E59E1FF call 00404B1C
005EF1DE .46 inc esi
005EF1DF >47 inc edi
005EF1E0 >8B45 EC mov eax, dword ptr ;first eight characters of the trial code
005EF1E3 .E8 2C59E1FF call 00404B14 ;trial-code length counter
005EF1E8 .3BD8 cmp ebx, eax ;compare EBX with EAX
005EF1EA .^ 7E 91 jle short 005EF17D ;loop!
005EF1EC .8B45 E4 mov eax, dword ptr ;username into EAX
005EF1EF .E8 2059E1FF call 00404B14 ;username length
005EF1F4 .3BF0 cmp esi, eax ;compare ESI with EAX
005EF1F6 .^ 7E 85 jle short 005EF17D ;jump back while less or equal: the loop takes username and registration-code characters in turn
005EF1F8 .8B45 FC mov eax, dword ptr
005EF1FB .8B80 F8020000 mov eax, dword ptr
005EF201 .8B0D A8405E00 mov ecx, dword ptr ;UnPack_.005E40F4
005EF207 .BA A0F35E00 mov edx, 005EF3A0 ;ASCII "09232849248398340903834873297239340547237623242043324398489390309284343843223493299435"
005EF20C .E8 230DFFFF call 005DFF34
005EF211 .8D45 B0 lea eax, dword ptr
005EF214 .8B55 EC mov edx, dword ptr ;first eight characters of the trial code into EDX
005EF217 .E8 C05EE1FF call 004050DC
005EF21C .FF75 B0 push dword ptr
005EF21F .A1 64EE6500 mov eax, dword ptr
005EF224 .8B00 mov eax, dword ptr
005EF226 .FFB0 C8040000 push dword ptr ;96338
005EF22C .8D45 AC lea eax, dword ptr
005EF22F .8B55 E8 mov edx, dword ptr ;first eight characters of the uppercased username and first eight characters of the trial code, interleaved at odd/even positions
005EF232 .E8 A55EE1FF call 004050DC
005EF237 .FF75 AC push dword ptr
005EF23A .8D45 B4 lea eax, dword ptr
005EF23D .BA 03000000 mov edx, 3
005EF242 .E8 215FE1FF call 00405168
005EF247 .8B55 B4 mov edx, dword ptr ;"first eight trial-code characters + 96338 + combined string" into EDX
005EF24A .8D45 B8 lea eax, dword ptr
005EF24D .E8 8A58E1FF call 00404ADC
005EF252 .8B55 B8 mov edx, dword ptr
005EF255 .8B45 FC mov eax, dword ptr
005EF258 .8B80 F4020000 mov eax, dword ptr
005EF25E .8B0D 782A5E00 mov ecx, dword ptr ;UnPack_.005E2AC4
005EF264 .E8 CB0CFFFF call 005DFF34
005EF269 .8B45 EC mov eax, dword ptr ;first eight characters of the trial code into EAX
005EF26C .0FB630 movzx esi, byte ptr ;ASCII value of the first trial-code character into ESI
005EF26F .83EE 32 sub esi, 32 ;ASCII value of the first character 'C' minus 32H = 11H, stored in ESI
005EF272 .85F6 test esi, esi
005EF274 .7C 18 jl short 005EF28E
005EF276 .46 inc esi ;ESI+1 stored in ESI
005EF277 >8D4D E0 lea ecx, dword ptr
005EF27A .8B45 FC mov eax, dword ptr
005EF27D .8B80 F4020000 mov eax, dword ptr
005EF283 .8B55 E8 mov edx, dword ptr
005EF286 .8B18 mov ebx, dword ptr
005EF288 .FF53 54 call dword ptr ;encryption algorithm 3
005EF28B .4E dec esi ;ESI-1 stored in ESI
005EF28C .^ 75 E9 jnz short 005EF277 ;loop
005EF28E >8D4D A8 lea ecx, dword ptr
005EF291 .8B45 FC mov eax, dword ptr
005EF294 .8B80 F8020000 mov eax, dword ptr
005EF29A .8B55 E0 mov edx, dword ptr ;encrypted string 3
005EF29D .8B18 mov ebx, dword ptr
005EF29F .FF53 54 call dword ptr
005EF2A2 .8B55 A8 mov edx, dword ptr ;encrypted string 4
005EF2A5 .8D45 E0 lea eax, dword ptr
005EF2A8 .E8 4756E1FF call 004048F4
005EF2AD .8D45 DC lea eax, dword ptr
005EF2B0 .E8 A755E1FF call 0040485C
005EF2B5 .8B45 E0 mov eax, dword ptr ;encrypted string
005EF2B8 .E8 5758E1FF call 00404B14
005EF2BD .8BF0 mov esi, eax
005EF2BF .85F6 test esi, esi
005EF2C1 .7E 46 jle short 005EF309
005EF2C3 .BB 01000000 mov ebx, 1
005EF2C8 >8B45 E0 mov eax, dword ptr
005EF2CB .8A4418 FF mov al, byte ptr
005EF2CF .3C 41 cmp al, 41
005EF2D1 .72 32 jb short 005EF305
005EF2D3 .8B45 E0 mov eax, dword ptr
005EF2D6 .8A4418 FF mov al, byte ptr
005EF2DA .3C 5A cmp al, 5A
005EF2DC .77 27 ja short 005EF305
005EF2DE .8B45 DC mov eax, dword ptr
005EF2E1 .E8 2E58E1FF call 00404B14
005EF2E6 .83F8 04 cmp eax, 4
005EF2E9 .7D 1A jge short 005EF305
005EF2EB .8D45 A4 lea eax, dword ptr
005EF2EE .8B55 E0 mov edx, dword ptr
005EF2F1 .8A541A FF mov dl, byte ptr
005EF2F5 .E8 4257E1FF call 00404A3C
005EF2FA .8B55 A4 mov edx, dword ptr
005EF2FD .8D45 DC lea eax, dword ptr
005EF300 .E8 1758E1FF call 00404B1C
005EF305 >43 inc ebx
005EF306 .4E dec esi
005EF307 .^ 75 BF jnz short 005EF2C8 ;loop
005EF309 >8D45 A0 lea eax, dword ptr
005EF30C .50 push eax
005EF30D .B9 04000000 mov ecx, 4
005EF312 .BA 11000000 mov edx, 11
005EF317 .8B45 D8 mov eax, dword ptr ;get trial code
005EF31A .E8 4D5AE1FF call 00404D6C
005EF31F .8B55 A0 mov edx, dword ptr ;last four characters of the trial code into EDX
005EF322 .8B45 DC mov eax, dword ptr ;first four uppercase letters of the computed result into EAX
005EF325 .E8 2E59E1FF call 00404C58 ;key CALL: the comparison; this yields the last four characters
005EF32A .75 04 jnz short 005EF330
005EF32C .C645 F3 01 mov byte ptr , 1
005EF330 >33C0 xor eax, eax
===========================================================================================================================================
Summary:
I won't summarize the algorithm; my skills are not up to it. I spent a whole afternoon on it and still didn't work it out. All my cracking notes are recorded in UnPack_.udd; they are fairly messy, so make do with them. The Word version of the notes in the attachment is colour-coded to the matching code, which makes it easier to read.
A working set of registration info:
Username: Spring_2050
Registration code: CRACK-BYSEE-QZXIC-CMYFW
Support Piaoyun Ge (PYG), give back to Piaoyun Ge!
Two screenshots of the successful registration are attached:
Attachment download:
Brother, you're prolific. Bumped! Thanks! Learning from this! Learning the algorithm UP Learning, awesome!!
Reply to post #6 by tianxj
I'm just a novice showing off in front of experts; working hard! :loveliness: Thanks, T! /:good Very detailed analysis, go on and write the keygen! /:good Not bad, brother really is prolific. Learned a lot, nicely written.