TT86 QQ Zone Popularity Booster (software edition): algorithm analysis, with keygen and source code
[Article title]: Algorithm analysis of TT86 QQ Zone Popularity Booster (software edition)
[Author]: caterpilla (惊涛)
[Software name]: TT86刷QQ空间人气软件版 (TT86 QQ Zone Popularity Booster, software edition)
[Download]: search for it yourself
[Written in]: VB
[Platform]: Windows XP SP2
[Tools]: OD (OllyDbg)
[Author's note]: Done purely out of interest, with no other purpose. Corrections of any mistakes are welcome!
--------------------------------------------------------------------------------
[Detailed process]
At the request of my friend 香香油油饭, I tried tracing this software and finally worked it out, so I am writing this crack write-up to record it.
1. Checking the packer with PEiD
By the time I got the software, 香香油油饭 had already unpacked it (heh, unpacking is my weak spot, so that was a freebie). I only ran PEiD's crypto scan on it and found an MD5 signature.
2. Tracing
Load it in OD. There is no anti-debugging at all, so set breakpoints on every reference to rtcMsgBox and run.
After it breaks, look upward for where execution jumped from, and you find this code.
00422388 > \C785 7CFEFFFF>mov dword ptr , 0
00422392 >C785 48FFFFFF>mov dword ptr , 5
0042239C .C785 40FFFFFF>mov dword ptr , 2
004223A6 .8B85 7CFFFFFF mov eax, ;registration code entered by the user
004223AC .8985 98FEFFFF mov , eax
004223B2 .C785 7CFFFFFF>mov dword ptr , 0
004223BC .8B8D 98FEFFFF mov ecx,
004223C2 .898D 58FFFFFF mov , ecx
004223C8 .C785 50FFFFFF>mov dword ptr , 8
004223D2 .8D95 40FFFFFF lea edx,
004223D8 .52 push edx ; /Arg4
004223D9 .6A 01 push 1 ; |Arg3 = 00000001
004223DB .8D85 50FFFFFF lea eax, ; |
004223E1 .50 push eax ; |Arg2
004223E2 .8D8D 30FFFFFF lea ecx, ; |
004223E8 .51 push ecx ; |Arg1
004223E9 .FF15 C0104000 call [<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar // Mid(code, 1, 5): take the first five characters
004223EF .8D95 30FFFFFF lea edx,
004223F5 .8D4D B0 lea ecx,
004223F8 .FF15 1C104000 call [<&msvbvm60.__vbaVarMove>] ;msvbvm60.__vbaVarMove
004223FE .8D8D 64FFFFFF lea ecx,
00422404 .FF15 0C124000 call [<&msvbvm60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
0042240A .8D95 40FFFFFF lea edx,
00422410 .52 push edx
00422411 .8D85 50FFFFFF lea eax,
00422417 .50 push eax
00422418 .6A 02 push 2
0042241A .FF15 38104000 call [<&msvbvm60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
00422420 .83C4 0C add esp, 0C
00422423 .C745 FC 04000>mov dword ptr , 4
0042242A .8B4D 08 mov ecx,
0042242D .8B11 mov edx,
0042242F .8B45 08 mov eax,
00422432 .50 push eax
00422433 .FF92 FC020000 call
00422439 .50 push eax ; /Arg2
0042243A .8D8D 64FFFFFF lea ecx, ; |
00422440 .51 push ecx ; |Arg1
00422441 .FF15 88104000 call [<&msvbvm60.__vbaObjSet>] ; \__vbaObjSet
00422447 .8985 DCFEFFFF mov , eax
0042244D .8D95 7CFFFFFF lea edx,
00422453 .52 push edx
00422454 .8B85 DCFEFFFF mov eax,
0042245A .8B08 mov ecx,
0042245C .8B95 DCFEFFFF mov edx,
00422462 .52 push edx
00422463 .FF91 A0000000 call
00422469 .DBE2 fclex
0042246B .8985 D8FEFFFF mov , eax
00422471 .83BD D8FEFFFF>cmp dword ptr , 0
00422478 .7D 26 jge short 004224A0
0042247A .68 A0000000 push 0A0 ; /Arg4 = 000000A0
0042247F .68 54874000 push 00408754 ; |Arg3 = 00408754
00422484 .8B85 DCFEFFFF mov eax, ; |
0042248A .50 push eax ; |Arg2
0042248B .8B8D D8FEFFFF mov ecx, ; |
00422491 .51 push ecx ; |Arg1
00422492 .FF15 70104000 call [<&msvbvm60.__vbaHresultCheckObj>; \__vbaHresultCheckObj
00422498 .8985 78FEFFFF mov , eax
0042249E .EB 0A jmp short 004224AA
004224A0 >C785 78FEFFFF>mov dword ptr , 0
004224AA >C785 48FFFFFF>mov dword ptr , 1
004224B4 .C785 40FFFFFF>mov dword ptr , 2
004224BE .8B95 7CFFFFFF mov edx,
004224C4 .8995 94FEFFFF mov , edx
004224CA .C785 7CFFFFFF>mov dword ptr , 0
004224D4 .8B85 94FEFFFF mov eax,
004224DA .8985 58FFFFFF mov , eax
004224E0 .C785 50FFFFFF>mov dword ptr , 8
004224EA .8D8D 40FFFFFF lea ecx,
004224F0 .51 push ecx ; /Arg4
004224F1 .6A 12 push 12 ; |Arg3 = 00000012
004224F3 .8D95 50FFFFFF lea edx, ; |
004224F9 .52 push edx ; |Arg2
004224FA .8D85 30FFFFFF lea eax, ; |
00422500 .50 push eax ; |Arg1
00422501 .FF15 C0104000 call [<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar // Mid(code, 18, 1): take character 18
00422507 .8D95 30FFFFFF lea edx,
0042250D .8D4D A0 lea ecx,
00422510 .FF15 1C104000 call [<&msvbvm60.__vbaVarMove>] ;msvbvm60.__vbaVarMove
00422516 .8D8D 64FFFFFF lea ecx,
0042251C .FF15 0C124000 call [<&msvbvm60.__vbaFreeObj>] ;msvbvm60.__vbaFreeObj
00422522 .8D8D 40FFFFFF lea ecx,
00422528 .51 push ecx
00422529 .8D95 50FFFFFF lea edx,
0042252F .52 push edx
00422530 .6A 02 push 2
00422532 .FF15 38104000 call [<&msvbvm60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
00422538 .83C4 0C add esp, 0C
0042253B .C745 FC 05000>mov dword ptr , 5
00422542 .C785 18FFFFFF>mov dword ptr , 00409240 ;UNICODE "TT86-"
0042254C .C785 10FFFFFF>mov dword ptr , 8008
00422556 .C785 08FFFFFF>mov dword ptr , 00409250
00422560 .C785 00FFFFFF>mov dword ptr , 8008
0042256A .8D45 B0 lea eax,
0042256D .50 push eax ; /Arg3
0042256E .8D8D 10FFFFFF lea ecx, ; |
00422574 .51 push ecx ; |Arg2
00422575 .8D95 50FFFFFF lea edx, ; |
0042257B .52 push edx ; |Arg1
0042257C .FF15 60104000 call [<&msvbvm60.__vbaVarCmpNe>] ; \__vbaVarCmpNe // the first five characters must equal "TT86-"
00422582 .50 push eax
00422583 .8D45 A0 lea eax,
00422586 .50 push eax ; /Arg3
00422587 .8D8D 00FFFFFF lea ecx, ; |
0042258D .51 push ecx ; |Arg2
0042258E .8D95 40FFFFFF lea edx, ; |
00422594 .52 push edx ; |Arg1
00422595 .FF15 60104000 call [<&msvbvm60.__vbaVarCmpNe>] ; \__vbaVarCmpNe // the last character (position 18) must equal "-"
0042259B .50 push eax
0042259C .8D85 30FFFFFF lea eax,
004225A2 .50 push eax
004225A3 .FF15 F8104000 call [<&msvbvm60.__vbaVarOr>] ;msvbvm60.__vbaVarOr
004225A9 .50 push eax ; /Arg1
004225AA .FF15 AC104000 call [<&msvbvm60.__vbaBoolVarNull>] ; \__vbaBoolVarNull
004225B0 .0FBFC8 movsx ecx, ax
004225B3 .85C9 test ecx, ecx
004225B5 .0F84 B9000000 je 00422674
From this we know the registration code is 18 characters long: the first five are the constant "TT86-" and the last one is "-". The two comparisons are OR-ed together (__vbaVarOr), so failing either one takes the jump at 004225B5.
Following this rule, enter an 18-character code with any 12 characters in the middle, for example TT86-0123456789AB-, click Register, trace in OD, and you find the following.
004226F1 > \C785 74FEFFFF>mov dword ptr , 0
004226FB >8B95 7CFFFFFF mov edx,
00422701 .8995 90FEFFFF mov , edx
00422707 .C785 7CFFFFFF>mov dword ptr , 0
00422711 .8B95 90FEFFFF mov edx,
00422717 .8D8D 78FFFFFF lea ecx,
0042271D .FF15 F4114000 call [<&msvbvm60.__vbaStrMove>] ;msvbvm60.__vbaStrMove
00422723 .8D85 78FFFFFF lea eax,
00422729 .50 push eax
0042272A .E8 A1F80000 call 00431FD0 // MD5 of the QQ number read in above
0042272F .8985 58FFFFFF mov , eax
00422735 .C785 50FFFFFF>mov dword ptr , 8
0042273F .8D95 50FFFFFF lea edx,
What follows is a long run of rtcMidCharVar calls, i.e. substring operations, the equivalent of VB's Mid or Delphi's MidStr.
00422787 .51 push ecx ; /Arg4
00422788 .6A 02 push 2 ; |Arg3 = 00000002
0042278A .8D55 90 lea edx, ; |
0042278D .52 push edx ; |Arg2
0042278E .8D85 40FFFFFF lea eax, ; |
00422794 .50 push eax ; |Arg1
00422795 .FF15 C0104000 call [<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar
0042279B .C785 DCFEFFFF>mov dword ptr , 1
004227A5 .83BD DCFEFFFF>cmp dword ptr , 0D
004227AC .73 0C jnb short 004227BA
004227AE .C785 70FEFFFF>mov dword ptr , 0
004227B8 .EB 0C jmp short 004227C6
004227BA >FF15 DC104000 call [<&msvbvm60.__vbaGenerateBoundsE>; \__vbaGenerateBoundsError
004227C0 .8985 70FEFFFF mov , eax
004227C6 >8D95 40FFFFFF lea edx,
004227CC .8B8D DCFEFFFF mov ecx,
004227D2 .C1E1 04 shl ecx, 4
004227D5 .8B45 08 mov eax,
004227D8 .8B40 44 mov eax,
004227DB .03C8 add ecx, eax
004227DD .FF15 1C104000 call [<&msvbvm60.__vbaVarMove>] ;msvbvm60.__vbaVarMove
004227E3 .8D8D 40FFFFFF lea ecx,
004227E9 .51 push ecx
004227EA .8D95 50FFFFFF lea edx,
004227F0 .52 push edx
004227F1 .6A 02 push 2
004227F3 .FF15 38104000 call [<&msvbvm60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
004227F9 .83C4 0C add esp, 0C
004227FC .C745 FC 0A000>mov dword ptr , 0A
00422803 .C785 58FFFFFF>mov dword ptr , 1
0042280D .C785 50FFFFFF>mov dword ptr , 2
00422817 .8D85 50FFFFFF lea eax,
0042281D .50 push eax ; /Arg4
0042281E .6A 05 push 5 ; |Arg3 = 00000005
00422820 .8D4D 90 lea ecx, ; |
00422823 .51 push ecx ; |Arg2
00422824 .8D95 40FFFFFF lea edx, ; |
0042282A .52 push edx ; |Arg1
0042282B .FF15 C0104000 call [<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar
00422831 .C785 DCFEFFFF>mov dword ptr , 2
0042283B .83BD DCFEFFFF>cmp dword ptr , 0D
00422842 .73 0C jnb short 00422850
00422844 .C785 6CFEFFFF>mov dword ptr , 0
0042284E .EB 0C jmp short 0042285C
00422850 >FF15 DC104000 call [<&msvbvm60.__vbaGenerateBoundsE>; \__vbaGenerateBoundsError
00422856 .8985 6CFEFFFF mov , eax
0042285C >8D95 40FFFFFF lea edx,
00422862 .8B85 DCFEFFFF mov eax,
00422868 .C1E0 04 shl eax, 4
0042286B .8B4D 08 mov ecx,
0042286E .8B49 44 mov ecx,
00422871 .03C8 add ecx, eax
00422873 .FF15 1C104000 call [<&msvbvm60.__vbaVarMove>] ;msvbvm60.__vbaVarMove
00422879 .8D95 40FFFFFF lea edx,
0042287F .52 push edx
00422880 .8D85 50FFFFFF lea eax,
00422886 .50 push eax
00422887 .6A 02 push 2
00422889 .FF15 38104000 call [<&msvbvm60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
0042288F .83C4 0C add esp, 0C
00422892 .C745 FC 0B000>mov dword ptr , 0B
00422899 .C785 58FFFFFF>mov dword ptr , 1
004228A3 .C785 50FFFFFF>mov dword ptr , 2
004228AD .8D8D 50FFFFFF lea ecx,
004228B3 .51 push ecx ; /Arg4
004228B4 .6A 08 push 8 ; |Arg3 = 00000008
004228B6 .8D55 90 lea edx, ; |
004228B9 .52 push edx ; |Arg2
004228BA .8D85 40FFFFFF lea eax, ; |
004228C0 .50 push eax ; |Arg1
004228C1 .FF15 C0104000 call [<&msvbvm60.rtcMidCharVar>] ; \rtcMidCharVar
004228C7 .C785 DCFEFFFF>mov dword ptr , 3
004228D1 .83BD DCFEFFFF>cmp dword ptr , 0D
004228D8 .73 0C jnb short 004228E6
004228DA .C785 68FEFFFF>mov dword ptr , 0
004228E4 .EB 0C jmp short 004228F2
004228E6 >FF15 DC104000 call [<&msvbvm60.__vbaGenerateBoundsE>; \__vbaGenerateBoundsError
004228EC .8985 68FEFFFF mov , eax
004228F2 >8D95 40FFFFFF lea edx,
004228F8 .8B8D DCFEFFFF mov ecx,
004228FE .C1E1 04 shl ecx, 4
00422901 .8B45 08 mov eax,
00422904 .8B40 44 mov eax,
00422907 .03C8 add ecx, eax
00422909 .FF15 1C104000 call [<&msvbvm60.__vbaVarMove>] ;msvbvm60.__vbaVarMove
0042290F .8D8D 40FFFFFF lea ecx,
00422915 .51 push ecx
00422916 .8D95 50FFFFFF lea edx,
0042291C .52 push edx
0042291D .6A 02 push 2
0042291F .FF15 38104000 call [<&msvbvm60.__vbaFreeVarList>] ;msvbvm60.__vbaFreeVarList
00422925 .83C4 0C add esp, 0C
00422928 .C745 FC 0C000>mov dword ptr , 0C
0042292F .C785 58FFFFFF>mov dword ptr , 1
00422939 .C785 50FFFFFF>mov dword ptr , 2
00422943 .8D85 50FFFFFF lea eax,
......
Many substring operations are omitted here. Each one takes a single character; only the start position differs, and each result is moved into a slot of a Variant array (the "cmp ..., 0D / __vbaGenerateBoundsError" pair before every __vbaVarMove is VB's bounds check on that array). Trace carefully, noting both the start position and which string is being cut, because sometimes the source is the MD5 string and sometimes the original string (the author is a bit sneaky here, heh; most people would assume it only ever reads from the MD5 string).
These 12 characters are exactly the middle part of the code. Call them B; the final registration code then has the form TT86-B-.
Algorithm summary:
Rule for generating the middle string (start positions are 1-based Mid() starts, given in hex):
Start 2, 5, 8, A, D, E: from the MD5 string
Start 2: from the original string, i.e. the QQ number
Start 15, 17, 19, 1E: from the MD5 string
Start 5: from the original string
Concatenate the 12 characters in that order and add the head and tail, and that's it.
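The rule above, re-implemented in Python as an added example (this is not the original post's code nor the program's own): make_key builds the code from a QQ number exactly as the summary describes, and check_key mirrors the validation observed in the trace (Mid(code,1,5) = "TT86-", Mid(code,18,1) = "-", then the 12 middle characters). One assumption is made that the trace does not settle: the MD5 helper at 00431FD0 is taken to hash the ASCII digits of the QQ number and to render the digest as lowercase hex; if the real binary uses uppercase, only md5_hex needs changing.

```python
import hashlib

PREFIX = "TT86-"
SUFFIX = "-"
KEY_LEN = 18

# (source string, 1-based Mid() start) for each of the 12 middle characters,
# in the order the program concatenates them. The positions are the hex values
# from the summary: 2,5,8,A,D,E from the MD5 string, 2 from the QQ number,
# 15,17,19,1E from the MD5 string, 5 from the QQ number.
MIDDLE_RULE = [
    ("md5", 0x02), ("md5", 0x05), ("md5", 0x08), ("md5", 0x0A), ("md5", 0x0D), ("md5", 0x0E),
    ("qq", 0x02),
    ("md5", 0x15), ("md5", 0x17), ("md5", 0x19), ("md5", 0x1E),
    ("qq", 0x05),
]


def mid(s: str, start: int, length: int = 1) -> str:
    """VB Mid(): 1-based start; returns '' when start is past the end."""
    return s[start - 1:start - 1 + length]


def md5_hex(qq: str) -> str:
    # ASSUMPTION: the helper at 00431FD0 hashes the QQ number's ASCII bytes and
    # renders the digest as 32 lowercase hex characters (not confirmed by the trace).
    return hashlib.md5(qq.encode("ascii")).hexdigest()


def make_key(qq: str) -> str:
    """Keygen: build the registration code for a QQ number."""
    if not qq.isdigit() or len(qq) < 5:
        # the rule reads digit 5 of the QQ number, so shorter input has no key
        raise ValueError("QQ number must be at least 5 digits")
    digest = md5_hex(qq)
    middle = "".join(mid(digest if src == "md5" else qq, pos) for src, pos in MIDDLE_RULE)
    return PREFIX + middle + SUFFIX


def check_key(qq: str, key: str) -> bool:
    """Mirror of the program's check: the two rtcMidCharVar comparisons seen at
    0042257C / 00422595 (prefix and character 18), then the 12 middle characters."""
    if len(key) != KEY_LEN:
        return False
    if mid(key, 1, 5) != PREFIX or mid(key, 18, 1) != SUFFIX:
        return False
    try:
        return mid(key, 6, 12) == mid(make_key(qq), 6, 12)
    except ValueError:
        return False


if __name__ == "__main__":
    sample_qq = "12345678"  # constructed sample input, not a real account
    key = make_key(sample_qq)
    print(sample_qq, "->", key, "valid:", check_key(sample_qq, key))
```

Because two of the twelve middle characters come straight from the QQ number (digits 2 and 5), a code is bound to one account even before the MD5-derived characters are compared; check_key therefore rejects a key generated for a different QQ number as well as a tampered one.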
Below are the keygen and the original program.
--------------------------------------------------------------------------------
2006年07月17日 16:27:39
[ This post was last edited by caterpilla on 2006-7-18 10:29 ]
Haha, grabbing a seat first, sitting up front to see more clearly.
Bump!!!~~
Post the source code, heh......
unit keygenforqq;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StrUtils, IdHash, IdHashMessageDigest, StdCtrls;

type
  TForm1 = class(TForm)
    Label1: TLabel;
    Edit1: TEdit;
    Button1: TButton;
    Edit2: TEdit;
    Label2: TLabel;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.Button1Click(Sender: TObject);
const
  { 1-based Mid() start positions in the order the program assembles the 12
    middle characters; entries 7 and 12 index the QQ number, all others the
    MD5 hex string (see the algorithm summary above) }
  codetable: array[0..11] of Byte = ($2, $5, $8, $A, $D, $E, $2, $15, $17, $19, $1E, $5);
var
  MyMD5: TIdHashMessageDigest5;
  hashvalue: T4x4LongWordRecord;
  internalMD5: string;
  str: string;
  i: Integer;
  reg: string;
begin
  str := Edit1.Text;  { the QQ number }
  if Length(str) < 5 then
  begin
    ShowMessage('The QQ number must be at least 5 characters long');
    Exit;
  end;
  MyMD5 := TIdHashMessageDigest5.Create;
  try
    hashvalue := MyMD5.HashValue(str);
    internalMD5 := MyMD5.AsHex(hashvalue);  { 32 hex characters }
  finally
    MyMD5.Free;
  end;
  reg := 'TT86-';
  for i := 1 to 12 do
  begin
    { Delphi strings are 1-based like VB's Mid(), so the table values index directly }
    if (i = 7) or (i = 12) then
      reg := reg + str[codetable[i - 1]]          { from the original QQ number }
    else
      reg := reg + internalMD5[codetable[i - 1]]; { from the MD5 hex string }
  end;
  reg := reg + '-';
  Edit2.Text := reg;
end;

end.
This is good; pity I came late. Supporting it.
Not bad, learning from it~~~