BreezeBrowser v2.13 Algorithm Analysis
Last edited by GeekCat on 2016-1-17 23:48
【Title】: BreezeBrowser v2.13 Algorithm Analysis
【Author e-mail】: [email protected]
【Author homepage】:
【Software】: BreezeBrowser v2.13
【Size】: 7.37 MB (7,736,182 bytes)
【Packer】: none
【Protection】: registration code
【Language】: Microsoft Visual C++ 6.0
【Tools】: OD, PEID
【Platform】: XP SP3
【Download】: http://www.crsky.com/soft/3458.html
【Cracking statement】: Cracking is about exchanging ideas and process; the result does not matter; please do not use this for illegal purposes.
【Software description】: BreezeBrowser is a third-party image-processing program designed specifically for Canon PowerShot digital cameras. It supports Canon's CRW file format and can adjust levels, saturation, white balance and so on during format conversion. It is built on Canon's developer SDK and supports models such as the PowerShot G1, Pro90, G2, S30, S40 and D30.
--------------------------------------------------------------------------------------------------------------------------------
I. Registration-name blacklist (case-insensitive):
1) phil winegardner
2) crsky
3) team viroil (the name starts with this string and the registration code is 13 characters long)
II. Strings, the universal breakpoint, F12 and the API approach all locate the key point quickly.
III. The code at the key point:
0054B505|.8B49 68 mov ecx,dword ptr ds:
0054B508|.E8 3714EDFF call BreezeBr.0041C944 ;algorithm CALL
0054B50D|.25 FF000000 and eax,0xFF
0054B512|.85C0 test eax,eax
0054B514|.74 21 je short BreezeBr.0054B537 ;key jump, must not be taken
0054B516|.6A 30 push 0x30
0054B518|.68 34A36200 push BreezeBr.0062A334 ;BreezeBrowser
0054B51D|.68 44A36200 push BreezeBr.0062A344 ;Thank you!\nYour copy of BreezeBrowser has been registered successfully.
IV. The algorithm CALL code:
0041C944/$55 push ebp
———————————————————————— N lines of code omitted ——————————————————————————————————
0041C991|.81C1 A4030000 add ecx,0x3A4
0041C997|.E8 64DBFEFF call BreezeBr.0040A500 ;compute the registration code length
0041C99C|.83F8 20 cmp eax,0x20 ;registration code length must be >= 0x20 --> 32 (chars)
0041C99F|.7C 17 jl short BreezeBr.0041C9B8 ;0
0041C9A1|.6A 2D push 0x2D ;0x2D --> '-'
0041C9A3|.8B8D E0FDFFFF mov ecx,dword ptr ss:
0041C9A9|.81C1 A4030000 add ecx,0x3A4
0041C9AF|.E8 C60A1A00 call <jmp.&MFC42.#2763> ;count the '-' characters in the registration code; the code must contain '-'
———————————————————————— N lines of code omitted ——————————————————————————————————
0041C9DD|.8D8D 50FFFFFF lea ecx,dword ptr ss: ;registration name
0041C9E3|.E8 CC061A00 call <jmp.&MFC42.#4202> ;registration name, uppercase converted to lowercase
0041C9E8|.8D8D 50FFFFFF lea ecx,dword ptr ss: ;(ASCII "geekcat")
0041C9EE|.E8 0DDBFEFF call BreezeBr.0040A500 ;compute the registration name length
————————————————————— N lines of code omitted (checks the three blacklisted registration names) ————————————
0041CD97|> \68 B0915F00 push BreezeBr.005F91B0 ;+:
0041CD9C|.8D8D 50FFFFFF lea ecx,dword ptr ss: ;registration name (ASCII "geekcat")
0041CDA2|.E8 F5021A00 call <jmp.&MFC42.#941> ;concatenate strings
0041CDA7|.6A 20 push 0x20
0041CDA9|.8D8D 50FFFFFF lea ecx,dword ptr ss: ;(ASCII "geekcat+:")
0041CDAF|.E8 C0061A00 call <jmp.&MFC42.#6874>
0041CDB4|.6A 25 push 0x25 ;0x25 --> '%'
0041CDB6|.8D8D 50FFFFFF lea ecx,dword ptr ss:
0041CDBC|.E8 E7021A00 call <jmp.&MFC42.#940>
0041CDC1|.68 B4915F00 push BreezeBr.005F91B4 ;a
0041CDC6|.8D8D 50FFFFFF lea ecx,dword ptr ss: ;(ASCII "geekcat+:")
0041CDCC|.E8 CB021A00 call <jmp.&MFC42.#941> ;concatenate strings
0041CDD1|.6A 40 push 0x40 ;0x40 --> '@'
0041CDD3|.8D8D 50FFFFFF lea ecx,dword ptr ss: ;(ASCII "geekcat+:a")
0041CDD9|.E8 CA021A00 call <jmp.&MFC42.#940> ;concatenate strings
0041CDDE|.8D4D C4 lea ecx,dword ptr ss:
0041CDE1|.E8 60011A00 call <jmp.&MFC42.#540>
0041CDE6|.C645 FC 01 mov byte ptr ss:,0x1
0041CDEA|.6A 23 push 0x23 ;0x23 --> '#'
0041CDEC|.8D8D 50FFFFFF lea ecx,dword ptr ss:
0041CDF2|.E8 B1021A00 call <jmp.&MFC42.#940>
0041CDF7|.68 B8915F00 push BreezeBr.005F91B8 ;;
0041CDFC|.8D8D 50FFFFFF lea ecx,dword ptr ss:
0041CE02|.E8 95021A00 call <jmp.&MFC42.#941>
0041CE07|.68 BC915F00 push BreezeBr.005F91BC ;d
0041CE0C|.8D8D 50FFFFFF lea ecx,dword ptr ss:
0041CE12|.E8 85021A00 call <jmp.&MFC42.#941>
0041CE17|.68 C0915F00 push BreezeBr.005F91C0 ;j
0041CE1C|.8D8D 50FFFFFF lea ecx,dword ptr ss:
0041CE22|.E8 75021A00 call <jmp.&MFC42.#941> ;the concatenation above yields "geekcat+:%a@#;dj"
0041CE27|.8D95 68FFFFFF lea edx,dword ptr ss:
0041CE2D|.52 push edx
0041CE2E|.E8 3DF00E00 call BreezeBr.0050BE70
0041CE33|.83C4 04 add esp,0x4
0041CE36|.8D8D 50FFFFFF lea ecx,dword ptr ss:
0041CE3C|.E8 BFD6FEFF call BreezeBr.0040A500 ;compute the length of the concatenated string
0041CE41|.50 push eax ;0x10 --> 16 chars
0041CE42|.8D8D 50FFFFFF lea ecx,dword ptr ss: ;(ASCII "geekcat+:%a@#;dj")
0041CE48|.E8 D348FEFF call BreezeBr.00401720
0041CE4D|.50 push eax
0041CE4E|.8D85 68FFFFFF lea eax,dword ptr ss:
0041CE54|.50 push eax
0041CE55|.E8 56F00E00 call BreezeBr.0050BEB0
0041CE5A|.83C4 0C add esp,0xC
0041CE5D|.8D8D 68FFFFFF lea ecx,dword ptr ss:
0041CE63|.51 push ecx
0041CE64|.8D55 D8 lea edx,dword ptr ss:
0041CE67|.52 push edx
0041CE68|.E8 70F10E00 call BreezeBr.0050BFDD ;MD5 of the name+suffix string, output as uppercase hex
0041CE6D|.83C4 08 add esp,0x8
0041CE70|.C785 60FFFFFF>mov dword ptr ss:,0x0
0041CE7A|.EB 0F jmp short BreezeBr.0041CE8B
0041CE7C|>8B85 60FFFFFF /mov eax,dword ptr ss: ;the loop below splits the MD5 value obtained above into 4 groups of 8 chars separated by '-'
0041CE82|.83C0 01 |add eax,0x1
0041CE85|.8985 60FFFFFF |mov dword ptr ss:,eax
0041CE8B|>83BD 60FFFFFF> cmp dword ptr ss:,0x4 ;compare with 4: the registration code has 4 groups
0041CE92|.0F8D 90000000 |jge BreezeBr.0041CF28
0041CE98|.C785 48FFFFFF>|mov dword ptr ss:,0x0
0041CEA2|.C785 44FEFFFF>|mov dword ptr ss:,0x0
0041CEAC|.EB 0F |jmp short BreezeBr.0041CEBD
0041CEAE|>8B8D 44FEFFFF |/mov ecx,dword ptr ss:
0041CEB4|.83C1 01 ||add ecx,0x1
0041CEB7|.898D 44FEFFFF ||mov dword ptr ss:,ecx
0041CEBD|>83BD 44FEFFFF>| cmp dword ptr ss:,0x4 ;compare with 4: each group is built from 4 bytes of 2 hex chars each
0041CEC4|.7D 28 ||jge short BreezeBr.0041CEEE
0041CEC6|.8B95 48FFFFFF ||mov edx,dword ptr ss:
0041CECC|.C1E2 08 ||shl edx,0x8 ;shift left 8 bits
0041CECF|.8B85 60FFFFFF ||mov eax,dword ptr ss:
0041CED5|.8B8D 44FEFFFF ||mov ecx,dword ptr ss:
0041CEDB|.8D0481 ||lea eax,dword ptr ds:
0041CEDE|.33C9 ||xor ecx,ecx
0041CEE0|.8A4C05 D8 ||mov cl,byte ptr ss: ;0012F238 32 76 C6 02
0041CEE4|.03D1 ||add edx,ecx ;accumulate the byte value
0041CEE6|.8995 48FFFFFF ||mov dword ptr ss:,edx
0041CEEC|.^ EB C0 |\jmp short BreezeBr.0041CEAE
0041CEEE|>8B95 48FFFFFF |mov edx,dword ptr ss: ;built from 3276C602 E3B79B26 808B23D9 88AD8212
0041CEF4|.52 |push edx ; /%08lX 3276C602 E3B79B26 808B23D9 88AD8212
0041CEF5|.68 C4915F00 |push BreezeBr.005F91C4 ; |%08lX
0041CEFA|.8D85 48FEFFFF |lea eax,dword ptr ss: ; |%08lX 3276C602 E3B79B26 808B23D9 88AD8212
0041CF00|.50 |push eax ; |s
0041CF01|.FF15 400C5D00 |call dword ptr ds:[<&MSVCRT.sprintf>] ; \sprintf
0041CF07|.83C4 0C |add esp,0xC ;after the CALL above: 2 6 9 2
0041CF0A|.8D8D 48FEFFFF |lea ecx,dword ptr ss: ;(ASCII 3276C602 E3B79B26 808B23D9 88AD8212)
0041CF10|.51 |push ecx
0041CF11|.8D4D C4 |lea ecx,dword ptr ss: ;result of the previous concatenation
0041CF14|.E8 83011A00 |call <jmp.&MFC42.#941> ;concatenate strings, ASCII "3276C602-E3B79B26-808B23D9-88AD8212"
0041CF19|.6A 2D |push 0x2D ;0x2D --> '-'
0041CF1B|.8D4D C4 |lea ecx,dword ptr ss: ;registration code after concatenation
0041CF1E|.E8 85011A00 |call <jmp.&MFC42.#940>
0041CF23|.^ E9 54FFFFFF \jmp BreezeBr.0041CE7C
0041CF28|>68 CC915F00 push BreezeBr.005F91CC ;-
———————————————————————— N lines of code omitted ——————————————————————————————————
0041CFB4|> \C745 E8 00000>mov dword ptr ss:,0x0
0041CFBB|.6A 01 push 0x1 ;take 1 char
0041CFBD|.6A 05 push 0x5 ;starting at position 5
0041CFBF|.8D4D F0 lea ecx,dword ptr ss: ;1234-2567-3890-4qwe-5RTY-6UIOPAS
0041CFC2|.E8 39D6FEFF call BreezeBr.0040A600 ;take char 0x5 --> 5 of the registration code
0041CFC7|.50 push eax
0041CFC8|.8D8D 40FEFFFF lea ecx,dword ptr ss:
0041CFCE|.E8 9B041A00 call <jmp.&MFC42.#536> ;take the char and append it: "2"
0041CFD3|.C645 FC 04 mov byte ptr ss:,0x4
0041CFD7|.6A 0F push 0xF
0041CFD9|.8D4D F0 lea ecx,dword ptr ss: ;1234-2567-3890-4qwe-5RTY-6UIOPAS
0041CFDC|.E8 1FD6FEFF call BreezeBr.0040A600 ;take char 0xF --> 15 of the registration code
0041CFE1|.50 push eax
0041CFE2|.8D8D 40FEFFFF lea ecx,dword ptr ss:
0041CFE8|.E8 BB001A00 call <jmp.&MFC42.#940> ;take the char and append it: "24"
0041CFED|.6A 19 push 0x19
0041CFEF|.8D4D F0 lea ecx,dword ptr ss:
0041CFF2|.E8 09D6FEFF call BreezeBr.0040A600 ;take char 0x19 --> 25 of the registration code
0041CFF7|.50 push eax
0041CFF8|.8D8D 40FEFFFF lea ecx,dword ptr ss:
0041CFFE|.E8 A5001A00 call <jmp.&MFC42.#940> ;take the char and append it: "246"
0041D003|.8D4D E8 lea ecx,dword ptr ss:
0041D006|.51 push ecx
0041D007|.68 D4915F00 push BreezeBr.005F91D4 ;%x
0041D00C|.8D8D 40FEFFFF lea ecx,dword ptr ss: ;246/6RA/68A/NBV/N88
0041D012|.E8 0947FEFF call BreezeBr.00401720 ;parse the string: scanning left to right, stop at the first character above F and return the digits before it; if the first character is above F, return 0
0041D017|.50 push eax ; |s
0041D018|.FF15 180C5D00 call dword ptr ds:[<&MSVCRT.sscanf>] ; \sscanf
0041D01E|.83C4 0C add esp,0xC
0041D021|.8B55 E8 mov edx,dword ptr ss:
0041D024|.81F2 AF070000 xor edx,0x7AF ;the value parsed above (0x246/6/68A/0/0) xor 0x7AF = 0x5E9
0041D02A|.8955 E8 mov dword ptr ss:,edx ;5E9
0041D02D|.6A 06 push 0x6
—————— N lines of code omitted (there is an extremely long stretch of junk code here that wastes a lot of time at the start of the analysis) ————————
0041D324|.C645 FC 02 mov byte ptr ss:,0x2
0041D328|.8D8D 40FEFFFF lea ecx,dword ptr ss: ;246
0041D32E|.E8 C5FB1900 call <jmp.&MFC42.#800>
0041D333|.8B45 E8 mov eax,dword ptr ss: ;5E9
0041D336|.99 cdq
0041D337|.B9 54000000 mov ecx,0x54
0041D33C|.F7F9 idiv ecx ;5E9/54=12; when eax is at most FFF, FFF/54=30
0041D33E|.8945 C8 mov dword ptr ss:,eax ;quotient 12; the quotient must be 0~6, deduced backwards from the code below
0041D341|.8B55 C8 mov edx,dword ptr ss:
0041D344|.6BD2 07 imul edx,edx,0x7 ;12*7=7E
0041D347|.6BD2 0C imul edx,edx,0xC ;7E*C=5E8
0041D34A|.8B45 E8 mov eax,dword ptr ss:
0041D34D|.2BC2 sub eax,edx ;5E9-5E8=1; this difference must be between 0 and B (it is the month)
0041D34F|.8945 E8 mov dword ptr ss:,eax
0041D352|.8B4D C8 mov ecx,dword ptr ss: ;quotient 12
0041D355|.81C1 D0070000 add ecx,0x7D0 ;12+7D0=7E2; the code below requires this sum <= 7D6, i.e. quotient <= 6
0041D35B|.894D C8 mov dword ptr ss:,ecx ;7E2
0041D35E|.8B45 E8 mov eax,dword ptr ss: ;difference 1
0041D361|.99 cdq
0041D362|.B9 0C000000 mov ecx,0xC
0041D367|.F7F9 idiv ecx
0041D369|.8985 5CFFFFFF mov dword ptr ss:,eax ;quotient 0; it is 0 only when the difference above is between 0 and B, which is required later
0041D36F|.8B45 E8 mov eax,dword ptr ss: ;difference 1
0041D372|.99 cdq
0041D373|.B9 0C000000 mov ecx,0xC
0041D378|.F7F9 idiv ecx ;modulo
0041D37A|.83C2 01 add edx,0x1 ;remainder 1; 1+1=2
0041D37D|.8955 EC mov dword ptr ss:,edx ;sum 2
0041D380|.8D95 FCFDFFFF lea edx,dword ptr ss:
0041D386|.52 push edx
0041D387|.E8 9A001A00 call <jmp.&MFC42.#3811>
0041D38C|.50 push eax
0041D38D|.8D8D 54FFFFFF lea ecx,dword ptr ss:
0041D393|.E8 18AC0E00 call BreezeBr.00507FB0
0041D398|.68 D8915F00 push BreezeBr.005F91D8 ;Mar 10 2006
0041D39D|.8D4D D4 lea ecx,dword ptr ss:
0041D3A0|.E8 AFFC1900 call <jmp.&MFC42.#537>
0041D3A5|.C645 FC 11 mov byte ptr ss:,0x11
0041D3A9|.6A 04 push 0x4
0041D3AB|.8D85 F8FDFFFF lea eax,dword ptr ss:
0041D3B1|.50 push eax
0041D3B2|.8D4D D4 lea ecx,dword ptr ss: ;Mar 10 2006
0041D3B5|.E8 DCFC1900 call <jmp.&MFC42.#5710>
0041D3BA|.8985 74FDFFFF mov dword ptr ss:,eax ;2006
0041D3C0|.8B8D 74FDFFFF mov ecx,dword ptr ss:
0041D3C6|.898D 70FDFFFF mov dword ptr ss:,ecx
0041D3CC|.C645 FC 12 mov byte ptr ss:,0x12
0041D3D0|.8B8D 70FDFFFF mov ecx,dword ptr ss: ;2006
0041D3D6|.E8 4543FEFF call BreezeBr.00401720
0041D3DB|.50 push eax ; /s
0041D3DC|.FF15 200C5D00 call dword ptr ds:[<&MSVCRT.atoi>] ; \decimal to hex: 2006 --> 7D6
0041D3E2|.83C4 04 add esp,0x4
0041D3E5|.8945 D0 mov dword ptr ss:,eax ;7D6
0041D3E8|.C645 FC 11 mov byte ptr ss:,0x11
0041D3EC|.8D8D F8FDFFFF lea ecx,dword ptr ss: ;2006
0041D3F2|.E8 01FB1900 call <jmp.&MFC42.#800>
0041D3F7|.8D8D 54FFFFFF lea ecx,dword ptr ss:
———————————————————————— N lines of code omitted ——————————————————————————————————
0041D5B2|.C785 64FFFFFF>mov dword ptr ss:,0xC
0041D5BC|>8D55 C4 lea edx,dword ptr ss: ;3276C602-E3B79B26-808B23D9-88AD8212
0041D5BF|.52 push edx
0041D5C0|.8D45 F0 lea eax,dword ptr ss: ;1234-2567-3890-4QWE-5RTY-6UIOPAS
0041D5C3|.50 push eax
0041D5C4|.E8 27E20200 call BreezeBr.0044B7F0 ;compare CALL: the entered registration code must equal the 36-char registration code computed above
0041D5C9|.25 FF000000 and eax,0xFF
0041D5CE|.85C0 test eax,eax
0041D5D0|.75 09 jnz short BreezeBr.0041D5DB ;0 must not jump; it jumped here
0041D5D2|.817D C8 D6070>cmp dword ptr ss:,0x7D6 ;requires the earlier quotient+7D0 <= 7D6, i.e. the quotient between 0 and 6
0041D5D9|.7E 58 jle short BreezeBr.0041D633 ;1 must jump
0041D5DB|>8B8D E0FDFFFF mov ecx,dword ptr ss:
———————————————————————— N lines of code omitted ——————————————————————————————————
0041D628|.8A85 F0FDFFFF mov al,byte ptr ss:
0041D62E|.E9 76010000 jmp BreezeBr.0041D7A9
0041D633|>8B55 C8 mov edx,dword ptr ss: ;quotient+7D0 = 7D2
0041D636|.6BD2 0C imul edx,edx,0xC ;7D2*C=5DD8
0041D639|.0355 EC add edx,dword ptr ss: ;remainder+1=2; 5DD8+2=5DDA
0041D63C|.8955 CC mov dword ptr ss:,edx ;5DDA
0041D63F|.C785 58FFFFFF>mov dword ptr ss:,0x5DE8 ;if the month calculation below is not used, 5DDA<=5DE8 makes the jump at 0041D66C happen
0041D649|.8B45 D0 mov eax,dword ptr ss: ;7D6 (2006 in hex)
0041D64C|.6BC0 0C imul eax,eax,0xC ;7D6*C=5E08
0041D64F|.0385 64FFFFFF add eax,dword ptr ss: ;the earlier month, Mar=3: 3+5E08=5E0B
0041D655|.8945 C0 mov dword ptr ss:,eax ;5E0B
0041D658|.8B4D C0 mov ecx,dword ptr ss:
0041D65B|.2B4D CC sub ecx,dword ptr ss: ;5E0B-5DDA=31
0041D65E|.83F9 0C cmp ecx,0xC ;the difference from the previous step must be <= C; I guess the original program is comparing months
0041D661|.7E 63 jle short BreezeBr.0041D6C6 ;1 either this jump or the one below must be taken
0041D663|.8B55 CC mov edx,dword ptr ss:
0041D666|.3B95 58FFFFFF cmp edx,dword ptr ss:
0041D66C|.7C 58 jl short BreezeBr.0041D6C6 ;1 either this jump or the one above must be taken
0041D66E|.8B85 E0FDFFFF mov eax,dword ptr ss:
———————————————————————— N lines of code omitted ——————————————————————————————————
0041D6C1|. /E9 E3000000 jmp BreezeBr.0041D7A9
0041D6C6|> |83BD 5CFFFFFF>cmp dword ptr ss:,0x0 ;for the next jump to be taken, the quotient at 0041D367 must equal 0
0041D6CD|. |0F8E 83000000 jle BreezeBr.0041D756 ;1 either this jump or the one below must be taken
0041D6D3|. |8B4D CC mov ecx,dword ptr ss: ;5DDA
0041D6D6|. |038D 5CFFFFFF add ecx,dword ptr ss: ;5DDA plus the quotient at 0041D367 (0) = 5DDA
0041D6DC|. |894D CC mov dword ptr ss:,ecx ;5DDA
0041D6DF|. |8D8D 54FFFFFF lea ecx,dword ptr ss:
0041D6E5|. |E8 26E10200 call BreezeBr.0044B810 ;current system year in hex: 2016 --> 7E0
0041D6EA|. |8BF0 mov esi,eax
0041D6EC|. |6BF6 0C imul esi,esi,0xC ;7E0*C=5E80
0041D6EF|. |8D8D 54FFFFFF lea ecx,dword ptr ss:
0041D6F5|. |E8 36E10200 call BreezeBr.0044B830 ;current system month: 1 --> 1 (the program was debugged in January)
0041D6FA|. |03F0 add esi,eax ;year+month: 5E80+1=5E81
0041D6FC|. |3975 CC cmp dword ptr ss:,esi ;requires 5DDA >= 5E81
0041D6FF|. |7D 55 jge short BreezeBr.0041D756 ;this checks the system time; as long as the system time is the current time this jump can be taken
0041D701|. |8B95 E0FDFFFF mov edx,dword ptr ss:
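The three characters taken at positions 5, 15 and 25 are parsed with sscanf("%x") at 0041D018, xor'ed with 0x7AF, and then divided by 0x54 to give a year (quotient + 0x7D0) and a month (remainder). As an added example that is not code from the post or from BreezeBrowser, this Go program reproduces the C-library prefix-parsing semantics the listing notes describe and the year/month decode; the names hexPrefix, decodeKeyDate and KeyDate are my own, and the Ok flag applies the quotient <= 6 and remainder <= 0xB requirements the notes above derive.

```go
package main

import "fmt"

// hexPrefix emulates what sscanf("%x") does with the field at 0041D012:
// hex digits are consumed left to right and parsing stops at the first
// non-hex character. If the very first character is not a hex digit,
// sscanf stores nothing, so the destination keeps the 0 that was written
// at 0041CFB4. (C's sscanf also skips leading blanks and an optional 0x,
// which cannot occur in a well-formed registration code, so it is omitted.)
func hexPrefix(s string) uint32 {
	var v uint32
	for i := 0; i < len(s); i++ {
		var d uint32
		switch c := s[i]; {
		case c >= '0' && c <= '9':
			d = uint32(c - '0')
		case c >= 'a' && c <= 'f':
			d = uint32(c-'a') + 10
		case c >= 'A' && c <= 'F':
			d = uint32(c-'A') + 10
		default:
			return v
		}
		v = v<<4 | d
	}
	return v
}

// KeyDate is the year/month the three characters encode (hypothetical name).
type KeyDate struct {
	Year  int  // quotient + 0x7D0
	Month int  // remainder%12 + 1
	Ok    bool // quotient <= 6 (year <= 2006) and remainder <= 0xB
}

// decodeKeyDate reproduces 0041D024..0041D37D: xor with 0x7AF, divide by
// 0x54 (= 7*12), and keep the remainder as the zero-based month.
func decodeKeyDate(field string) KeyDate {
	v := int(hexPrefix(field) ^ 0x7AF)
	q := v / 0x54
	r := v - q*0x54
	return KeyDate{Year: q + 0x7D0, Month: r%12 + 1, Ok: q <= 6 && r <= 0xB}
}

func main() {
	// The five sample fields quoted in the listing above, plus "655", a
	// constructed value (not from the post) that satisfies the constraints.
	for _, f := range []string{"246", "6RA", "68A", "NBV", "N88", "655"} {
		fmt.Printf("%-3s -> %#x -> %+v\n", f, hexPrefix(f), decodeKeyDate(f))
	}
}
```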
---------------------------------------------------------------------------------------------------------------------------
V. A summary that isn't really a summary:
1. This software has a registration-name blacklist;
2. Because the software validates by taking characters at specific positions of the MD5 digest of a string, a keygen cannot be written;
3. The distinctive feature of this software is that the algorithm code is very long, with a lot of junk code in between, so it takes considerable time and effort;
4. The registration code: the registration name is converted to lowercase, '+:%a@#;dj' (the part in blue) is appended, the result is hashed with MD5 and output in uppercase, and the digest is split by '-' into 4 groups of 8 chars; but not every digest registers successfully (the digest is checked several more times);
5. The algorithm analysis is of moderate difficulty and good for practice~~~~~
A working set of registration details (it took N tries to get one): Registration name: GeekCat/飘云阁 Registration code: CCF4E631-6E6A6007-C22CA2C3-8C7207BD
---------------------------------------------------------------------------------------------------------------------------
【Copyright】: This article is an original work by GeekCat/P.Y.G; when reposting please credit the author and the forum and keep the article complete!
We all love Sister Yue
Nice, the algorithm part looks really long ~ must upvote~~~~~
@tree_fly, patching first and then writing a KG is definitely a workable plan.
I'm here to worship the master.
The experts who can do algorithms are the most impressive; respect.
Not bad, a good article for learning algorithms.
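Summary items 2 and 4 describe a licence that is a fixed-suffix MD5 of the user name, which anyone who extracts the suffix from the binary can regenerate. As an added example that is not the post's or the product's code, this Go program shows that scheme beside a public-key alternative whose codes cannot be regenerated from the shipped binary: weakLicense takes a constructed placeholder suffix rather than the product's real one, and signedLicense/verifyLicense are hypothetical names for an Ed25519-signed name|expiry licence.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// weakLicense is the scheme the post describes: lowercase the name, append a
// fixed suffix stored in the binary, MD5 the result and print the digest as
// four upper-case hex groups joined by '-'. Anyone who pulls the suffix out
// of the executable can regenerate the code for any name.
func weakLicense(name, suffix string) string {
	sum := md5.Sum([]byte(strings.ToLower(name) + suffix))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return strings.Join([]string{h[0:8], h[8:16], h[16:24], h[24:32]}, "-")
}

// signedLicense signs "name|expiry" with an Ed25519 private key that stays
// with the vendor; the shipped program only embeds the public key.
func signedLicense(priv ed25519.PrivateKey, name, expiry string) string {
	msg := []byte(strings.ToLower(name) + "|" + expiry)
	return base64.RawStdEncoding.EncodeToString(ed25519.Sign(priv, msg))
}

// verifyLicense is the check the application performs. Reversing it reveals
// only the public key, which does not help in producing a valid code for
// another name or expiry.
func verifyLicense(pub ed25519.PublicKey, name, expiry, code string) bool {
	sig, err := base64.RawStdEncoding.DecodeString(code)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, []byte(strings.ToLower(name)+"|"+expiry), sig)
}

func main() {
	// Constructed placeholder suffix; the product's real one is quoted in the post.
	fmt.Println("weak:  ", weakLicense("GeekCat", "vendor-suffix-placeholder"))
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	code := signedLicense(priv, "GeekCat", "2006-03")
	fmt.Println("signed:", verifyLicense(pub, "GeekCat", "2006-03", code))
	fmt.Println("forged:", verifyLicense(pub, "GeekCat", "2026-03", code))
}
```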