Archiver 算法分析部分
软件下载: http://www.exeone.com/
版本号: Ver 2.0.1.004
代码分析部分:
计算4组注册码用到的数据:
; Four separate sites, each loading one (CL, DL, AL) triple of immediates.
; The calls that follow each triple are not part of this excerpt; the register
; annotations on the routine at 008EE2A8 suggest these are its arguments
; (assumption -- confirm against the full listing).
; Group 1
008EE535|.B1 3F MOV CL,0x3F
008EE537|.B2 18 MOV DL,0x18
008EE539|.B0 A6 MOV AL,0xA6
; Group 2
008EE57F|.B1 87 MOV CL,0x87
008EE581|.B2 35 MOV DL,0x35
008EE583|.B0 F0 MOV AL,0xF0
; Group 3
008EE5C9|.B1 1A MOV CL,0x1A
008EE5CB|.B2 8E MOV DL,0x8E
008EE5CD|.B0 17 MOV AL,0x17
; Group 4
008EE60F|.B1 0F MOV CL,0xF
008EE611|.B2 22 MOV DL,0x22
008EE613|.B0 8B MOV AL,0x8B
这里根据CL值判断执行代码
; Helper at 00406DA4: logical right shift of the 64-bit value held in EDX:EAX
; by the count in CL, with the result returned in EDX:EAX.
; The count selects one of three paths. The shape resembles a compiler runtime
; 64-bit shift helper (assumption; nothing in this excerpt names it).
00406DA4/$80F9 20 CMP CL,0x20 ;count below 32? (JL is a signed compare)
00406DA7|.7C 11 JL SHORT Archiver.00406DBA ;yes: shift across both halves
00406DA9|.80F9 40 CMP CL,0x40 ;count below 64?
00406DAC|.7C 05 JL SHORT Archiver.00406DB3 ;yes: only the high half contributes
00406DAE|.31D2 XOR EDX,EDX ;count of 64 or more: result is zero
00406DB0|.31C0 XOR EAX,EAX
00406DB2|.C3 RETN
00406DB3|>89D0 MOV EAX,EDX ;32..63: low half is taken from the high half
00406DB5|.31D2 XOR EDX,EDX ;high half becomes zero
00406DB7|.D3E8 SHR EAX,CL ;the CPU uses only the low 5 bits of CL, i.e. count - 32
00406DB9|.C3 RETN
00406DBA|>0FADD0 SHRD EAX,EDX,CL ;0..31: EAX receives the bits shifted out of EDX
00406DBD|.D3EA SHR EDX,CL
00406DBF\.C3 RETN
00406DC0 .C3 RETN
校验值计算:
; Checksum over the code string. The excerpt starts at the loop head; the
; routine's prologue and the initialisation of DX, CX, ESI and EBX are not shown
; (the author's annotations give the starting sums as 0xAF and 0x56).
; Two running 16-bit sums: DX accumulates the characters, CX accumulates DX.
; Each sum has 0xFF subtracted once whenever it exceeds 0xFF, which resembles a
; Fletcher-style checksum with non-zero seeds.
; Memory operands were dropped from this listing; per the opcode bytes,
; 0FB67C30 FF reads BYTE PTR [EAX+ESI-1] and 8B0C24 reads DWORD PTR [ESP].
008EE368|> /0FB67C30 FF /MOVZX EDI,BYTE PTR ;ASCII "123456784BEE3CEE" -- next character, zero-extended
008EE36D|. |66:03D7 |ADD DX,DI ;00AF + DI
008EE370|. |66:81FA FF00|CMP DX,0xFF
008EE375|. |76 05 |JBE SHORT Archiver.008EE37C ;no reduction needed
008EE377|. |66:81EA FF00|SUB DX,0xFF
008EE37C|> |66:03CA |ADD CX,DX ;0x56 + DX
008EE37F|. |66:81F9 FF00|CMP CX,0xFF
008EE384|. |76 05 |JBE SHORT Archiver.008EE38B ;no reduction needed
008EE386|. |66:81E9 FF00|SUB CX,0xFF
008EE38B|> |46 |INC ESI ;advance the character index
008EE38C|. |4B |DEC EBX ;EBX counts the remaining characters
008EE38D|.^\75 D9 \JNZ SHORT Archiver.008EE368
008EE38F|>8BD9 MOV EBX,ECX ;0018008F
008EE391|.C1E3 08 SHL EBX,0x8 ;second sum moves into the high byte of BX
008EE394|.66:03DA ADD BX,DX ;18008F00
008EE397|.8B0C24 MOV ECX,DWORD PTR
008EE39A|.0FB7C3 MOVZX EAX,BX ;18008F57
008EE39D|.BA 04000000 MOV EDX,0x4 ;presumably a digit count for the callee -- confirm
008EE3A2|.E8 5DDEB1FF CALL Archiver.0040C204 ;callee not shown; presumably formats EAX as text
008EE3A7|.5A POP EDX
008EE3A8|.5F POP EDI
008EE3A9|.5E POP ESI
008EE3AA|.5B POP EBX
008EE3AB\.C3 RETN
注册码部分计算:
; Routine at 008EE2A8: derives one byte of the code from the constants passed
; in CL, DL and AL and from a 64-bit value passed on the stack (two DWORDs,
; released by RETN 0x8). The result is left in AL.
;   r = AL % 0x19, s = DL % 3, v = the 64-bit stack value
;   r even: AL = low byte of ((v >> s) | CL) ^ (v >> r)
;   r odd : AL = low byte of ((v >> s) & CL) ^ (v >> r)
; Memory operands were dropped from this listing; per the opcode bytes the
; locals are [EBP-2] (saved CL) and [EBP-1] (saved DL, later DL % 3), and the
; stack argument is read from [EBP+8] (low DWORD) and [EBP+0xC] (high DWORD).
; The register annotations are the author's values from a debugging session.
008EE2A8/$55 PUSH EBP ;124B24EE
008EE2A9|.8BEC MOV EBP,ESP
008EE2AB|.51 PUSH ECX
008EE2AC|.53 PUSH EBX
008EE2AD|.884D FE MOV BYTE PTR ,CL ;CL:3F871A
008EE2B0|.8855 FF MOV BYTE PTR ,DL ;DL:18358E
008EE2B3|.8BD8 MOV EBX,EAX ;AL:A6F017
008EE2B5|.0FB6C3 MOVZX EAX,BL
008EE2B8|.B9 19000000 MOV ECX,0x19
008EE2BD|.33D2 XOR EDX,EDX
008EE2BF|.F7F1 DIV ECX
008EE2C1|.8BDA MOV EBX,EDX ;AL % 19 = 0x10F
008EE2C3|.0FB645 FF MOVZX EAX,BYTE PTR ;DL
008EE2C7|.B9 03000000 MOV ECX,0x3
008EE2CC|.33D2 XOR EDX,EDX
008EE2CE|.F7F1 DIV ECX ;DL / 3
008EE2D0|.8855 FF MOV BYTE PTR ,DL ;low byte of the remainder DL % 3 = 0 2
008EE2D3|.0FB6C3 MOVZX EAX,BL
008EE2D6|.83E0 01 AND EAX,0x1 ;(AL % 19) & 1
008EE2D9|.85C0 TEST EAX,EAX
008EE2DB|.75 29 JNZ SHORT Archiver.008EE306 ;odd remainder takes the AND variant
008EE2DD|.8B45 08 MOV EAX,DWORD PTR ;stack SS:=12345678
008EE2E0|.8B55 0C MOV EDX,DWORD PTR ;0
008EE2E3|.8BCB MOV ECX,EBX ;AL % 19 = 0x10
008EE2E5|.E8 BA8AB1FF CALL Archiver.00406DA4 ;the computation differs depending on CL (64-bit right shift)
008EE2EA|.24 FF AND AL,0xFF ;EAX:1234 -- the mask leaves AL unchanged
008EE2EC|.50 PUSH EAX
008EE2ED|.8B45 08 MOV EAX,DWORD PTR ;stack SS:=12345678
008EE2F0|.8B55 0C MOV EDX,DWORD PTR ;0
008EE2F3|.0FB64D FF MOVZX ECX,BYTE PTR ;low byte of the remainder DL % 3 = 0
008EE2F7|.E8 A88AB1FF CALL Archiver.00406DA4
008EE2FC|.0A45 FE OR AL,BYTE PTR ;CL 78|3F=7F
008EE2FF|.8BD0 MOV EDX,EAX ;1234567F
008EE301|.58 POP EAX ;1234
008EE302|.32C2 XOR AL,DL ;34^7F=4B
008EE304|.EB 27 JMP SHORT Archiver.008EE32D
008EE306|>8B45 08 MOV EAX,DWORD PTR ;stack SS:=12345678
008EE309|.8B55 0C MOV EDX,DWORD PTR ;0
008EE30C|.8BCB MOV ECX,EBX ;AL % 19 = 0x10F
008EE30E|.E8 918AB1FF CALL Archiver.00406DA4
008EE313|.24 FF AND AL,0xFF ;EAX:2468 -- the mask leaves AL unchanged
008EE315|.50 PUSH EAX
008EE316|.8B45 08 MOV EAX,DWORD PTR ;stack SS:=12345678
008EE319|.8B55 0C MOV EDX,DWORD PTR ;0
008EE31C|.0FB64D FF MOVZX ECX,BYTE PTR ;low byte of the remainder DL % 3 = 0 2
008EE320|.E8 7F8AB1FF CALL Archiver.00406DA4
008EE325|.2245 FE AND AL,BYTE PTR ;048D159E & CL = 048D1586
008EE328|.8BD0 MOV EDX,EAX
008EE32A|.58 POP EAX ;2468
008EE32B|.32C2 XOR AL,DL ;2468 ^ 86 24EE
008EE32D|>5B POP EBX
008EE32E|.59 POP ECX
008EE32F|.5D POP EBP
008EE330\.C2 0800 RETN 0x8 ;callee releases the 8-byte stack argument
写注册表位置:
Software\Microsoft\Windows\CurrentVersion\Settings\InstallA3
两组测试用注册码:
0000 0000 3F00 000F B3E1
1234 5678 4BEE 3CEE 8F57
注册机源码部分:
// Reimplementation of the registration-code computation traced in the
// disassembly: a random 32-bit prefix, four bytes derived from it, and a
// 16-bit checksum, all written out as hexadecimal text.
// NOTE(review): array declarators and subscripts look to have been lost when
// the page was extracted (scalars initialised with brace lists, fused
// declarations), so the listing does not compile as shown.
// NOTE(review): every input to the scheme -- the three constant tables and the
// checksum seeds 0xAF/0x56 -- is a constant in the shipped binary and nothing
// is keyed or signed, which is why the check can be reproduced offline; a
// licence verified against an embedded public key does not have that property.

// Per-group constants; the same values as the MOV CL/DL/AL immediates in the
// disassembly.
unsigned char mCL = {0x3F,0x87,0x1A,0xF};
unsigned char mDL = {0x18,0x35,0x8E,0x22};
unsigned char mAL = {0xA6,0xF0,0x17,0x8B};
unsigned char mP16 = {0};
unsigned char mReg = {0}; // holds the four computed registration-code values
unsigned intmLReg = 0; // holds the hash value for the last 4 characters of the registration code
unsigned long mP8 = 0; // first 8 characters of the registration code, randomly generated
stringstrP16 ;
unsigned long mEax = 0;
unsigned long mEdx = 0;
unsigned long mEax1 = 0;
unsigned long mEdx1 = 0;
unsigned char Mod_AL = 0;
unsigned char Mod_DL = 0;
unsigned int i = 0;
// Seed the C library generator from the clock.
srand((unsigned)time(NULL)*10);
// rand() returns at most RAND_MAX, so this modulus never reduces the value.
mP8 = rand() % 0xFFFFFFFF;
//mP8 = 0x12345678;
// One pass per constant group.
for (i=0;i<4;i++)
{
mEax = mP8;
mEdx = 0;
// Shift counts, as computed by the two DIV instructions at 008EE2BF and 008EE2CE.
Mod_AL = mAL % 0x19;
Mod_DL = mDL % 0x3;
// Inlined copy of the helper at 00406DA4: 64-bit logical right shift of
// mEdx:mEax by Mod_AL. The result is kept separately in mEax1/mEdx1.
__asm
{
MOV eax,mEax
MOV edx,mEdx
MOV CL,Mod_AL
CMP CL,0x20
JL _00406DBA1
CMP CL,0x40
JL _00406DB31
XOR EDX,EDX
XOR EAX,EAX
JMP _end1
_00406DB31:
MOV EAX,EDX
XOR EDX,EDX
SHR EAX,CL
JMP _end1
_00406DBA1:
SHRD EAX,EDX,CL
SHR EDX,CL
_end1:
MOV mEax1,eax
MOV mEdx1,edx
}
// Same shift again with Mod_DL as the count; this time the result overwrites
// mEax/mEdx.
__asm
{
MOV eax,mEax
MOV edx,mEdx
MOV CL,Mod_DL
CMP CL,0x20
JL _00406DBA
CMP CL,0x40
JL _00406DB3
XOR EDX,EDX
XOR EAX,EAX
JMP _end
_00406DB3:
MOV EAX,EDX
XOR EDX,EDX
SHR EAX,CL
JMP _end
_00406DBA:
SHRD EAX,EDX,CL
SHR EDX,CL
_end:
MOV mEax,eax
MOV mEdx,edx
}
// Parity of Mod_AL picks the OR or the AND variant, matching the TEST/JNZ at
// 008EE2D9; only the low byte of the result is kept.
if ((Mod_AL & 1) == 0)
{
mReg= (unsigned char)((mEax | mCL) ^ mEax1) ;
}
else
{
mReg = (unsigned char)((mEax & mCL) ^ mEax1);
}
}
// fill in the first 16 positions
unsigned j=0;
for (i=0;i<0x10;i++)
{
if (i<8)
{
// Positions below 8 take successive 4-bit groups of the random prefix.
mP16 = ( mP8 >> (i*4)) & 0xF;
}
else
{
// The remaining positions take the low and the high 4 bits of a computed
// value; the extra i++ makes each pass cover two positions.
mP16 = mReg & 0xF;
mP16 = (mReg >> 4) & 0xF;
i++;
j++;
}
}
// empty() only tests the string; its result is discarded here.
strP16.empty();
char temStr = {0};
// Append each 4-bit value as an uppercase hexadecimal digit.
for (i=0;i<0x10;i++)
{
sprintf_s(temStr,sizeof(temStr),"%X",mP16);
strP16 += temStr;
}
// compute the checksum
// Same two running sums and seeds as the loop at 008EE368: mDX accumulates the
// characters, mCX accumulates mDX, each reduced by 0xFF when it exceeds 0xFF.
unsigned int mDX = 0xAF;
unsigned int mCX = 0x56;
unsigned long mEBX = 0;
for (i=0;i<0x10;i++)
{
mDX += strP16;
if (mDX > 0xFF)
{
mDX -= 0xFF;
}
mCX += mDX;
if (mCX > 0xFF)
{
mCX -= 0xFF;
}
}
// Combine the sums as (mCX << 8) + mDX, as the SHL/ADD pair at 008EE391 does.
mEBX = mCX;
mEBX = (mEBX << 8);
mEBX += mDX;
mLReg = (unsigned int)mEBX;
sprintf_s(temStr,sizeof(temStr),"%X",mLReg);
strP16 += temStr;
// Copy the 0x14 characters out, adding '-' after every fourth character
// among the first 0x10.
string strREG;
for (i=0;i<0x14;i++)
{
strREG += strP16;
if (i>1 && (i+1) % 4 ==0 && i<0x10)
{
strREG += '-';
}
}
// Show the result in the dialog control IDC_RegCode.
SetDlgItemText(IDC_RegCode,(LPCTSTR)strREG.c_str());
膜拜算法。。。。。。
不学GG先百度一下软件说明?{:soso_e179:} 赞一个 不得不说,你的却牛X呀。呵呵。。。。。。
支持一下了,呵呵,顶起来 支持一下牛人,学习来了 最喜歡破解分析的文章! 向楼主学习了。。 支持原创作品。