Phelios Super Sprites 1.61简单算法分析-菜鸟篇
【文章作者】: tigerisme
【作者邮箱】: 无
【软件名称】: Phelios Super Sprites 1.61
【软件大小】: 499KB
【下载地址】: http://www.newhua.com/soft/20452.htm
【加壳方式】: 无
【保护方式】: 注册码
【编写语言】: PEiD 报 "CAN (Crunched ANsi) file"——这是 PEiD 的签名误报,并不是真实的编译器/语言;从下面的调用约定(cdecl,call 之后 pop ecx 平栈)和 "%s%s" 格式串看更像 C 程序,未进一步确认。
【使用工具】: OD PEID
【操作平台】: XP SP2
【软件介绍】: 制作及优化 Tile(动画小图标)的工具软件。
前几天工作很忙,今天放松一下,找了个体积最小的软件来练手,很幸运算法很简单,适合我这只小菜鸟,这里与大家分享一下,菜鸟共同进步。
一、查壳,无。
二、根据字符串信息("invalid code." / "Operation Failed !")在 MessageBoxA 附近下断,向上回溯到 004152C0 开始分析。测试用的两段用户名为 tigerisme 和 tzl(程序按 "%s%s" 拼接,拼接结果为 tzltigerisme),试练码:123456789
; ---------------------------------------------------------------------------
; 004152C0 - registration check (cdecl, three pointer args; the final ret of
; this function lies past the end of the author's dump).
;   [ebp+8]  = name part 1        (copied to [ebp-510] on success)
;   [ebp+C]  = name part 2        (copied to [ebp-410] on success)
;   [ebp+10] = entered code       (copied to [ebp-310] on success)
;   returns al = 1 accepted, 0 rejected
; Locals: [ebp-614] generated key (0x100 bytes), [ebp-20C] combined name
;         (0x200 bytes), [ebp-514] presumably strlen("supersprites") = 12,
;         [ebp-210] strlen(combined name).
; Key derivation, as the loop at 004153D8 computes it (checked against the
; intermediate values the author recorded: 25BC, 2922, 2140 / 1420 / 2139):
;   key[i] = 'F' + ( toupper(name1+name2)[i] * "supersprites"[i % 12] ) % 15
; so every key character lies in 'F'..'T' (15 possible symbols per position).
; Only the first 9 key characters are ever compared (push 9 at 00415431).
; ---------------------------------------------------------------------------
004152C0/$55 push ebp
004152C1|.31C0 xor eax, eax
004152C3|.89E5 mov ebp, esp
004152C5|.53 push ebx
004152C6|.56 push esi
004152C7|.57 push edi
004152C8|.BF 89444200 mov edi, 00424489 ;edi = "supersprites": constant salt used by the key loop (codeA)
004152CD|.81EC 08060000 sub esp, 608 ;0x608 bytes of locals
004152D3|.83C9 FF or ecx, FFFFFFFF ;inline strlen(codeA): ecx = -(len + 2) afterwards
004152D6|.F2:AE repne scas byte ptr es:[>
004152D8|.8B7D 10 mov edi, [ebp+10] ;edi = entered code
004152DB|.C785 ECFAFFFF>mov dword ptr [ebp-514> ;these three instructions leave [ebp-514] = strlen(codeA), presumably (immediates cut off in the dump); used below as the idiv modulus
004152E5|.298D ECFAFFFF sub [ebp-514], ecx
004152EB|.8385 ECFAFFFF>add dword ptr [ebp-514>
004152F2|.83C9 FF or ecx, FFFFFFFF ;inline strlen(entered code)
004152F5|.F2:AE repne scas byte ptr es:[>
004152F7|.BF FEFFFFFF mov edi, -2
004152FC|.29CF sub edi, ecx ;edi = strlen(entered code)
004152FE|.74 09 je short 00415309 ;empty code: skip the conversion call
00415300|.FF75 10 push dword ptr [ebp+10]
00415303|.E8 F8620000 call 0041B600 ;same routine applied to the name at 004153C7 (author identifies it as to-upper); if so, the typed code is case-insensitive
00415308|.59 pop ecx
00415309|>B9 40000000 mov ecx, 40
0041530E|.8DBD ECF9FFFF lea edi, [ebp-614]
00415314|.31C0 xor eax, eax
00415316|.8D9D F4FDFFFF lea ebx, [ebp-20C]
0041531C|.F3:AB rep stos dword ptr es:> ;zero the key buffer [ebp-614] (0x40 dwords)
0041531E|.B9 80000000 mov ecx, 80
00415323|.8DBD F4FDFFFF lea edi, [ebp-20C]
00415329|.F3:AB rep stos dword ptr es:> ;zero the combined-name buffer [ebp-20C] (0x80 dwords)
0041532B|.FF75 0C push dword ptr [ebp+C]
0041532E|.FF75 08 push dword ptr [ebp+8]
00415331|.68 C0484200 push 004248C0 ;ASCII "%s%s"
00415336|.53 push ebx
00415337|.E8 A42E0000 call 004181E0 ;presumably sprintf(buf, "%s%s", name1, name2): joins the two name parts into [ebp-20C] (no length bound visible)
0041533C|.31C0 xor eax, eax ;author's run: ebx -> "tzltigerisme", eax was 0xC (12)
0041533E|.83C4 10 add esp, 10
00415341|.83C9 FF or ecx, FFFFFFFF ;inline strlen(combined name) -> esi
00415344|.8DBD F4FDFFFF lea edi, [ebp-20C]
0041534A|.F2:AE repne scas byte ptr es:[>
0041534C|.BE FEFFFFFF mov esi, -2
00415351|.29CE sub esi, ecx
00415353|.83FE 08 cmp esi, 8
00415356|.7F 22 jg short 0041537A ;combined name longer than 8 chars -> use as is; otherwise both parts are appended once more below, doubling it
00415358|.8D8D F4FDFFFF lea ecx, [ebp-20C]
0041535E|.FF75 08 push dword ptr [ebp+8]
00415361|.51 push ecx
00415362|.E8 292F0000 call 00418290 ;presumably strcat(buf, name1)
00415367|.8D85 F4FDFFFF lea eax, [ebp-20C]
0041536D|.59 pop ecx
0041536E|.59 pop ecx
0041536F|.FF75 0C push dword ptr [ebp+C]
00415372|.50 push eax
00415373|.E8 182F0000 call 00418290 ;presumably strcat(buf, name2)
00415378|.59 pop ecx
00415379|.59 pop ecx
0041537A|>31C0 xor eax, eax
0041537C|.8DBD F4FDFFFF lea edi, [ebp-20C] ;inline strlen(combined name) -> [ebp-210]
00415382|.83C9 FF or ecx, FFFFFFFF
00415385|.F2:AE repne scas byte ptr es:[>
00415387|.C785 F0FDFFFF>mov dword ptr [ebp-210> ;immediate cut off in the dump (presumably -2)
00415391|.298D F0FDFFFF sub [ebp-210], ecx
00415397|.83BD F0FDFFFF>cmp dword ptr [ebp-210> ;length threshold cut off in the dump
0041539E|.7F 20 jg short 004153C0 ;long enough -> go derive the key; otherwise "invalid code"
004153A0|.6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004153A2|.68 C8484200 push 004248C8 ; |Title = "Operation Failed !"
004153A7|.68 DC484200 push 004248DC ; |invalid code.
004153AC|.6A 00 push 0 ; |hOwner = NULL
004153AE|.FF15 58254900 call [<&USER32.MessageB>; \MessageBoxA
004153B4|.8D65 F4 lea esp, [ebp-C] ;rejected: al = 0 and return
004153B7|.30C0 xor al, al
004153B9|.5F pop edi
004153BA|.5E pop esi
004153BB|.5B pop ebx
004153BC|.5D pop ebp
004153BD|.C3 retn
004153BE| 89C0 mov eax, eax ;alignment padding, never reached
004153C0|>8D95 F4FDFFFF lea edx, [ebp-20C] ;edx = combined name ("tzltigerisme" in the author's run)
004153C6|.52 push edx
004153C7|.E8 34620000 call 0041B600 ;to-upper per the author -> "TZLTIGERISME" (codeB)
004153CC|.31F6 xor esi, esi ;si = loop index i
004153CE|.83BD F0FDFFFF>cmp dword ptr [ebp-210> ;immediate cut off; the loop is skipped when the length is not above it
004153D5|.59 pop ecx
004153D6|.7E 53 jle short 0041542B
004153D8|>0FBFDE /movsx ebx, si ;ebx = i
004153DB|.0FBFFE |movsx edi, si ;edi = i (buffer index)
004153DE|.46 |inc esi ;si = i + 1
004153DF|.89D8 |mov eax, ebx ;eax = i (the author's "eax := 0" holds only on the first pass)
004153E1|.99 |cdq
004153E2|.F7BD ECFAFFFF |idiv dword ptr [ebp-51> ;edx = i mod [ebp-514]: wraps the salt around for names longer than it
004153E8|.0FBE843D F4FD>|movsx eax, byte ptr ;eax = codeB[i]
004153F0|.89D3 |mov ebx, edx
004153F2|.0FBE8B 894442>|movsx ecx, byte ptr ;ecx = codeA[i mod len]
004153F9|.0FAFC8 |imul ecx, eax ;ecx = codeB[i] * codeA[i mod len] = codeC (author: 25BC, 2922, 2140, ...)
004153FC|.B8 89888888 |mov eax, 88888889 ;--- start of the compiler idiom for signed codeC / 15: 0x88888889 = ceil(2^35 / 15)
00415401|.89CA |mov edx, ecx
00415403|.89D3 |mov ebx, edx ;ebx = codeC, kept for the sign fix-up
00415405|.F7EA |imul edx ;edx = high dword of codeC * 0x88888889 (signed) - a partial quotient, not a remainder
00415407|.01DA |add edx, ebx ;+ codeC compensates for the magic constant being negative as int32 (author: 1420, 15F0, 11BB, ...)
00415409|.C1EB 1F |shr ebx, 1F ;ebx = sign bit of codeC (always 0 here: product of two ASCII bytes)
0041540C|.C1FA 03 |sar edx, 3 ;edx = codeC / 15, truncated (codeF)
0041540F|.01D3 |add ebx, edx ;rounds toward zero for negative inputs; ebx = quotient
00415411|.6BDB 0F |imul ebx, ebx, 0F ;ebx = quotient * 15 (author: 25BC, 2922, 2139)
00415414|.0FBFD6 |movsx edx, si ;edx = i + 1
00415417|.29D9 |sub ecx, ebx ;ecx = codeC - quotient*15 = codeC mod 15, i.e. 0..14
00415419|.80C1 46 |add cl, 46 ;+ 'F' -> the key character is one of 'F'..'T'
0041541C|.3B95 F0FDFFFF |cmp edx, [ebp-210] ;loop while i + 1 < strlen(codeB)
00415422|.888C3D ECF9FF>|mov [ebp+edi-614], cl ;key[i] = cl (author: F, F, M, ...)
00415429|.^ 7C AD \jl short 004153D8
0041542B|>8D85 ECF9FFFF lea eax, [ebp-614] ;eax = generated key ("FFMORKIIFSMF" in the author's run)
00415431|.6A 09 push 9 ;n = 9: only the first 9 characters are compared; the rest of the key is never checked
00415433|.FF75 10 push dword ptr [ebp+10] ;entered code
00415436|.50 push eax
00415437|.E8 C42E0000 call 00418300 ;strncmp-style compare (listed below), returns 0 on match. The real key sits in plaintext at [ebp-614] here, hence the author's memory-keygen point
0041543C|.83C4 0C add esp, 0C
0041543F|.85C0 test eax, eax
00415441|.74 1E je short 00415461 ;key branch: taken on match (the patch point)
00415443|.6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00415445|.68 C8484200 push 004248C8 ; |operation failed !
0041544A|.68 DC484200 push 004248DC ; |invalid code.
0041544F|.6A 00 push 0 ; |hOwner = NULL
00415451|.FF15 58254900 call [<&USER32.MessageB>; \MessageBoxA
00415457|.8D65 F4 lea esp, [ebp-C] ;rejected: al = 0 and return
0041545A|.30C0 xor al, al
0041545C|.5F pop edi
0041545D|.5E pop esi
0041545E|.5B pop ebx
0041545F|.5D pop ebp
00415460|.C3 retn
00415461|>8DBD F0FAFFFF lea edi, [ebp-510] ;accepted: copy name1, name2 and the code into three 0x100-byte slots (00418230 presumably strcpy; no length check visible)
00415467|.FF75 08 push dword ptr [ebp+8]
0041546A|.57 push edi
0041546B|.E8 C02D0000 call 00418230 ;[ebp-510] = name1
00415470|.59 pop ecx
00415471|.59 pop ecx
00415472|.8D8D F0FBFFFF lea ecx, [ebp-410]
00415478|.FF75 0C push dword ptr [ebp+C]
0041547B|.51 push ecx
0041547C|.E8 AF2D0000 call 00418230 ;[ebp-410] = name2
00415481|.8D95 F0FCFFFF lea edx, [ebp-310]
00415487|.59 pop ecx
00415488|.59 pop ecx
00415489|.FF75 10 push dword ptr [ebp+10]
0041548C|.52 push edx
0041548D|.E8 9E2D0000 call 00418230 ;[ebp-310] = entered code
00415492|.59 pop ecx
00415493|.59 pop ecx
00415494|.68 EC484200 push 004248EC ;wb
00415499|.68 F0484200 push 004248F0 ;hsrg.raw
0041549E|.E8 2D300000 call 004184D0 ;presumably fopen("hsrg.raw", "wb") - the license file, relative path
004154A3|.89C3 mov ebx, eax ;ebx = FILE*
004154A5|.59 pop ecx
004154A6|.85DB test ebx, ebx
004154A8|.59 pop ecx
004154A9|.75 0A jnz short 004154B5
004154AB|.8D65 F4 lea esp, [ebp-C] ;fopen failed: still returns al = 1 (accepted); nothing is persisted and no message is shown
004154AE|.B0 01 mov al, 1
004154B0|.5F pop edi
004154B1|.5E pop esi
004154B2|.5B pop ebx
004154B3|.5D pop ebp
004154B4|.C3 retn
004154B5|>8D85 F0FAFFFF lea eax, [ebp-510]
004154BB|.53 push ebx
004154BC|.6A 01 push 1
004154BE|.68 00030000 push 300
004154C3|.50 push eax
004154C4|.E8 77350000 call 00418A40 ;presumably fwrite([ebp-510], 0x300, 1, fp): the three slots (name1, name2, code) go to disk as-is, in plaintext
004154C9|.83C4 10 add esp, 10
004154CC|.53 push ebx
004154CD|.E8 9E2E0000 call 00418370 ;presumably fclose(fp)
004154D2|.59 pop ecx
004154D3|.C705 84444200>mov dword ptr > ;store to the global at 00424484 (presumably the "registered" flag; value cut off in the dump)
004154DD|.6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004154DF|.68 FC484200 push 004248FC ; |operation successful !
004154E4|.68 14494200 push 00424914 ; |cutter has been successfully registered !
004154E9|.6A 00 push 0 ; |hOwner = NULL
004154EB|.FF15 58254900 call [<&USER32.MessageB>; \MessageBoxA
***************************************************************************************************
跟进 call 00418300(比较函数,第三个参数 n=9),来到这里。注意 00418300 处的 push ebx 没有列出来(结尾的 pop ebx 与之对应),下面从 00418301 开始:
; ---------------------------------------------------------------------------
; 00418300 - strncmp-style compare, called from 00415437 as
;            (generated key, entered code, 9).
;   [esp+C]  -> ebx = generated key      (offsets as seen after the two pushes;
;   [esp+10] -> ecx = entered code        the "push ebx" at 00418300 itself is
;   [esp+14] -> edx = n, max chars        not in this dump)
;   returns eax = 0 when the first n characters match, or when both strings
;   end together before that; otherwise key[i] - code[i] at the first mismatch.
; With n = 9 only the first 9 characters of the code are ever examined.
; ---------------------------------------------------------------------------
00418301|.55 push ebp
00418302|.31ED xor ebp, ebp ;ebp = result, 0 = equal so far
00418304|.8B5424 14 mov edx, [esp+14] ;edx = n (9)
00418308|.8B5C24 0C mov ebx, [esp+C] ;ebx = generated key
0041830C|.8B4C24 10 mov ecx, [esp+10] ;ecx = entered code (the author's note says eax here; it is ebx)
00418310|.85D2 test edx, edx
00418312|.74 1D je short 00418331 ;n == 0 -> equal; otherwise compare byte by byte
00418314|>8A03 /mov al, [ebx] ;al = key[i]
00418316|.3A01 |cmp al, [ecx] ;compare with code[i]
00418318|.75 0D |jnz short 00418327 ;mismatch -> compute the difference
0041831A|.84C0 |test al, al
0041831C|.74 09 |je short 00418327 ;both strings ended together -> difference is 0
0041831E|.43 |inc ebx
0041831F|.41 |inc ecx
00418320|.83EA 01 |sub edx, 1
00418323|.^ 75 EF \jnz short 00418314 ;loop while characters remain of the n
00418325|.EB 0A jmp short 00418331 ;all n characters matched -> return ebp (still 0)
00418327|>0FB609 movzx ecx, byte ptr [ecx> ;eax = key[i] - code[i] (0 when both ended together)
0041832A|.0FB6C0 movzx eax, al
0041832D|.29C8 sub eax, ecx
0041832F|.89C5 mov ebp, eax
00418331|>89E8 mov eax, ebp ;return value in eax
00418333|.5D pop ebp
00418334|.5B pop ebx
00418335\.C3 retn
****************************************************************************************************
算法总结:
软件算法很简单,逐位计算后再逐位比较,主要思路如下:
1.将两段注册名按 "%s%s" 拼接(拼接后总长不大于 8 时再把两段各追加一次,使其加倍),然后转成大写,记做 codeB;固定字符串 "supersprites" 记做 codeA;
2.对第 i 位: codeC = codeB[i] * codeA[i mod 12](两个 ascii 码相乘);
3.0x88888889 那一段 imul/add/sar/shr 是编译器生成的"有符号除以 15"(0x88888889 = 2^35/15 向上取整),imul 得到的是乘积的高 32 位而不是余数;整段算下来就是 codeF = codeC / 15(取整);
4.codeC - codeF*0F 即 codeC mod 15(0..14),再加 0x46('F') 就是该位注册码字符,所以注册码每一位只会是 'F'..'T' 这 15 个字母之一;
5.逐位循环,结果拼起来即是注册码,用一行表示: key[i] = 'F' + (upper(name1+name2)[i] * "supersprites"[i % 12]) % 15,例如 tzl + tigerisme -> FFMORKIIFSMF;
6.校验时 call 00418300 只比较前 9 个字符(push 9),后面的字符不参与;注册成功后会把两段用户名和注册码明文写入当前目录的 hsrg.raw,即使文件创建失败函数也照样返回成功。
特别说明:鉴于对编程还不是很通,咱就不做算法注册机了,哪位兄弟写出注册机咱可以好好学习一下。本文仅是一些破解的心得和思路,完全是个人对程序的研究,无其他目的。