【破文标题】WorkPause1.3算法分析
【破文作者】梦里水香
【作者邮箱】[email][email protected][/email]
【作者主页】[url]www.dayol.cn[/url]
【破解工具】OD
【破解平台】XP
【软件名称】WorkPause1.3
【软件大小】347K
【原版下载】[url]http://www.newhua.com/soft/56667.htm[/url]
【保护方式】注册码(用户名 + 形如 XXXX-XXXX-XXXX 的 12 位序列号, 三个 4 字符输入框)
【软件简介】WorkPause是一款保健软件,适用于长时间在办公桌前进行工作的人士, 它可以定时提醒用户进行休息来预防重复性压迫损伤的发生。
------------------------------------------------------------------------
【破解过程】
一、查壳:无壳, Microsoft Visual C++ 6.0 (MFC42 动态链接)。软件有出错提示字符串, 直接搜索字符串(“invalid registration key”等), 或者在 MessageBoxA / MFC42.#1200(即 AfxMessageBox)上下断点都可以, 分析如下:
二、分析
004062C0 . 64:A1 0000000>mov eax, dword ptr fs:[0] ; registration-dialog handler (MFC thiscall, this arrives in ecx); 004062C0..004062DD set up the SEH frame and save registers
004062C6 . 6A FF push -1
004062C8 . 68 88A64000 push 0040A688
004062CD . 50 push eax
004062CE . 64:8925 00000>mov dword ptr fs:[0], esp
004062D5 . 83EC 18 sub esp, 18
004062D8 . 53 push ebx
004062D9 . 55 push ebp
004062DA . 8BE9 mov ebp, ecx ; ebp = this (the dialog object)
004062DC . 56 push esi
004062DD . 57 push edi
004062DE . 8D8D D8010000 lea ecx, dword ptr [ebp+1D8] ; control object at this+1D8: the user-name field (per the message text below)
004062E4 . E8 8D360000 call <jmp.&MFC42.#3876> ; #3876 is used as a text-length getter here (looks like CWnd::GetWindowTextLength - confirm against the MFC42 export list)
004062E9 . 85C0 test eax, eax
004062EB . 75 0C jnz short 004062F9 ; is the name empty?
004062ED . 50 push eax ; eax = 0: the two trailing AfxMessageBox arguments
004062EE . 50 push eax
004062EF . 68 78084100 push 00410878 ; no user name is entered
004062F4 . E9 25010000 jmp 0040641E ; -> message box, then return
004062F9 > 8D9D 98010000 lea ebx, dword ptr [ebp+198] ; this+198: key field 1
004062FF . 8BCB mov ecx, ebx
00406301 . E8 70360000 call <jmp.&MFC42.#3876>
00406306 . 83F8 04 cmp eax, 4
00406309 . 0F85 06010000 jnz 00406415 ; field 1 must be exactly 4 characters
0040630F . 8DBD 58010000 lea edi, dword ptr [ebp+158] ; this+158: key field 2
00406315 . 8BCF mov ecx, edi
00406317 . E8 5A360000 call <jmp.&MFC42.#3876>
0040631C . 83F8 04 cmp eax, 4
0040631F . 0F85 F0000000 jnz 00406415 ; field 2 must be exactly 4 characters
00406325 . 8DB5 18010000 lea esi, dword ptr [ebp+118] ; this+118: key field 3
0040632B . 8BCE mov ecx, esi
0040632D . E8 44360000 call <jmp.&MFC42.#3876>
00406332 . 83F8 04 cmp eax, 4
00406335 . 0F85 DA000000 jnz 00406415 ; field 3 must be exactly 4 characters
0040633B . 8D4424 14 lea eax, dword ptr [esp+14] ; 15-byte key buffer at esp+14, assembled below as "XXXX-XXXX-XXXX\0"
0040633F . 6A 05 push 5
00406341 . 50 push eax
00406342 . 8BCB mov ecx, ebx
00406344 . E8 39360000 call <jmp.&MFC42.#3873> ; #3873 takes (char*, 5) - reads the control text into buffer[0..3] (looks like CWnd::GetWindowText(char*,int) - confirm)
00406349 . 8D4C24 19 lea ecx, dword ptr [esp+19] ; field 2 -> buffer[5..8]
0040634D . 6A 05 push 5
0040634F . B3 2D mov bl, 2D ; '-'
00406351 . 51 push ecx
00406352 . 8BCF mov ecx, edi
00406354 . 885C24 20 mov byte ptr [esp+20], bl ; buffer[4] = '-' (esp has moved by the two pushes)
00406358 . E8 25360000 call <jmp.&MFC42.#3873>
0040635D . 8D5424 1E lea edx, dword ptr [esp+1E] ; field 3 -> buffer[10..13], terminator at [14]
00406361 . 6A 05 push 5
00406363 . 52 push edx
00406364 . 8BCE mov ecx, esi
00406366 . 885C24 25 mov byte ptr [esp+25], bl ; buffer[9] = '-'
0040636A . E8 13360000 call <jmp.&MFC42.#3873>
0040636F . 8D4C24 10 lea ecx, dword ptr [esp+10]
00406373 . E8 9E320000 call <jmp.&MFC42.#540> ; CString::CString() for the name, object at esp+10
00406378 . 8D4424 10 lea eax, dword ptr [esp+10]
0040637C . 8D8D D8010000 lea ecx, dword ptr [ebp+1D8]
00406382 . 50 push eax
00406383 . C74424 34 000>mov dword ptr [esp+34], 0 ; SEH state: the CString is now live
0040638B . E8 EE330000 call <jmp.&MFC42.#3874> ; #3874 takes (CString&) - reads the name control into the CString (looks like CWnd::GetWindowText(CString&) - confirm)
00406390 . 8B5424 10 mov edx, dword ptr [esp+10] ; first dword of the CString = pointer to its characters
00406394 . 8D4C24 14 lea ecx, dword ptr [esp+14]
00406398 . 51 push ecx ; trial key "XXXX-XXXX-XXXX"
00406399 . 52 push edx ; user name
0040639A . E8 112F0000 call 004092B0 ; key check: returns al != 0 on success
0040639F . 83C4 08 add esp, 8
004063A2 . 84C0 test al, al
004063A4 . 75 32 jnz short 004063D8 ; the decisive jump
004063A6 . 6A 00 push 0
004063A8 . 6A 00 push 0
004063AA . 68 50084100 push 00410850 ; invalid registration key or user name
004063AF . E8 70330000 call <jmp.&MFC42.#1200> ; AfxMessageBox
004063B4 . 8D4C24 10 lea ecx, dword ptr [esp+10]
004063B8 . C74424 30 FFF>mov dword ptr [esp+30], -1 ; SEH state: CString about to be destroyed
004063C0 . E8 3F320000 call <jmp.&MFC42.#800> ; CString::~CString
004063C5 . 5F pop edi
004063C6 . 5E pop esi
004063C7 . 5D pop ebp
004063C8 . 5B pop ebx
004063C9 . 8B4C24 18 mov ecx, dword ptr [esp+18]
004063CD . 64:890D 00000>mov dword ptr fs:[0], ecx
004063D4 . 83C4 24 add esp, 24
004063D7 . C3 retn
004063D8 > 8B4C24 10 mov ecx, dword ptr [esp+10] ; success path: name pointer
004063DC . 8D4424 14 lea eax, dword ptr [esp+14] ; and the key buffer
004063E0 . 50 push eax
004063E1 . 51 push ecx
004063E2 . E8 E92E0000 call 004092D0 ; (name, key) - body not shown; presumably persists the registration (cf. the registry path in section 三) - confirm
004063E7 . 83C4 08 add esp, 8
004063EA . 8BCD mov ecx, ebp
004063EC . E8 8B350000 call <jmp.&MFC42.#4853> ; called with this in ecx; commonly CDialog::OnOK, which would close the dialog - confirm
004063F1 . 8D4C24 10 lea ecx, dword ptr [esp+10]
004063F5 . C74424 30 FFF>mov dword ptr [esp+30], -1
004063FD . E8 02320000 call <jmp.&MFC42.#800> ; CString::~CString
00406402 . 5F pop edi
00406403 . 5E pop esi
00406404 . 5D pop ebp
00406405 . 5B pop ebx
00406406 . 8B4C24 18 mov ecx, dword ptr [esp+18]
0040640A . 64:890D 00000>mov dword ptr fs:[0], ecx
00406411 . 83C4 24 add esp, 24
00406414 . C3 retn
00406415 > 6A 00 push 0 ; a field whose length is not 4
00406417 . 6A 00 push 0
00406419 . 68 34084100 push 00410834 ; invalid registration key
0040641E > E8 01330000 call <jmp.&MFC42.#1200> ; AfxMessageBox (shared with the empty-name path)
00406423 . 8B4C24 28 mov ecx, dword ptr [esp+28]
00406427 . 5F pop edi
00406428 . 5E pop esi
00406429 . 5D pop ebp
0040642A . 5B pop ebx
0040642B . 64:890D 00000>mov dword ptr fs:[0], ecx
00406432 . 83C4 24 add esp, 24
00406435 . C3 retn
call 004092B0
004092B0 /$ 8B4424 08 mov eax, dword ptr [esp+8] ; eax = trial key (arg 2)
004092B4 |. 8B5424 04 mov edx, dword ptr [esp+4] ; edx = user name (arg 1)
004092B8 |. 83EC 08 sub esp, 8 ; 8-byte scratch for intermediate code 1/2 (00406520 writes 5+3 = 8 bytes into it)
004092BB |. 8D4C24 00 lea ecx, dword ptr [esp]
004092BF |. 50 push eax
004092C0 |. 51 push ecx
004092C1 |. 52 push edx
004092C2 |. E8 59D4FFFF call 00406720 ; 00406720(name, scratch, key) - the real check; 0 = match
004092C7 |. 85C0 test eax, eax
004092C9 |. 0F94C0 sete al ; al = 1 only when 00406720 returned 0
004092CC |. 83C4 14 add esp, 14 ; 3 arguments + 8 bytes scratch
004092CF \. C3 retn
call 00406720
00406720 /$ 83EC 20 sub esp, 20 ; (name, out, key): 0 = key matches name, 1 = mismatch, 2 = bad character
00406723 |. 33C0 xor eax, eax
00406725 |. 8B5424 2C mov edx, dword ptr [esp+2C] ; edx = trial key (arg 3)
00406729 |. 56 push esi
0040672A |. 8B7424 2C mov esi, dword ptr [esp+2C] ; esi = output buffer for intermediate code 1/2 (arg 2; offset shifted by the push)
0040672E |. 8BCE mov ecx, esi
00406730 |. 57 push edi
00406731 |. 8D7C24 08 lea edi, dword ptr [esp+8] ; 30-byte local for the de-dashed key
00406735 |. 52 push edx
00406736 |. 8901 mov dword ptr [ecx], eax ; zero the 7 output bytes
00406738 |. 66:8941 04 mov word ptr [ecx+4], ax
0040673C |. 8841 06 mov byte ptr [ecx+6], al
0040673F |. B9 07000000 mov ecx, 7
00406744 |. F3:AB rep stos dword ptr es:[edi] ; zero the local: 7 dwords + 1 word
00406746 |. 66:AB stos word ptr es:[edi]
00406748 |. 8D4424 0C lea eax, dword ptr [esp+C]
0040674C |. 50 push eax
0040674D |. E8 7EFDFFFF call 004064D0 ; (local, key): strips the '-' characters per the author; body not shown
00406752 |. 8D7C24 10 lea edi, dword ptr [esp+10]
00406756 |. 83C9 FF or ecx, FFFFFFFF
00406759 |. 33C0 xor eax, eax
0040675B |. F2:AE repne scas byte ptr es:[edi] ; strlen of the de-dashed key -> ecx (12 for a well-formed key)
0040675D |. F7D1 not ecx
0040675F |. 49 dec ecx
00406760 |. 51 push ecx
00406761 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00406765 |. 51 push ecx
00406766 |. 56 push esi
00406767 |. E8 B4FDFFFF call 00406520 ; (out, local, len): pack the key characters into intermediate code 1
0040676C |. 83C4 14 add esp, 14
0040676F |. 85C0 test eax, eax ; 0 on success, otherwise the offending character
00406771 |. 74 0B je short 0040677E ; a character outside the alphabet fails the check
00406773 |. 5F pop edi
00406774 |. B8 02000000 mov eax, 2 ; return 2 = bad character
00406779 |. 5E pop esi
0040677A |. 83C4 20 add esp, 20
0040677D |. C3 retn
0040677E |> 56 push esi
0040677F |. E8 2CFDFFFF call 004064B0 ; (out): xor the first 7 bytes in place -> intermediate code 2
00406784 |. 8B5424 30 mov edx, dword ptr [esp+30]
00406788 |. 52 push edx
00406789 |. 56 push esi
0040678A |. E8 11FFFFFF call 004066A0 ; (out, name): checksum over name + constant + code2[0..2] -> intermediate code 3 in eax
0040678F |. 8BF8 mov edi, eax ; edi = intermediate code 3
00406791 |. 8B46 03 mov eax, dword ptr [esi+3] ; bytes 3..6 of intermediate code 2 as a dword
00406794 |. 50 push eax
00406795 |. E8 E6FCFFFF call 00406480 ; reverses the byte order per the author (also used in 004066A0); body not shown
0040679A |. 83C4 10 add esp, 10
0040679D |. 33C9 xor ecx, ecx
0040679F 3BF8 cmp edi, eax ; the decisive compare: code 3 vs byte-reversed code2[3..6]
004067A1 |. 0F95C1 setne cl ; returns 0 when equal (OK), 1 when different
004067A4 |. 5F pop edi
004067A5 |. 8BC1 mov eax, ecx
004067A7 |. 5E pop esi
004067A8 |. 83C4 20 add esp, 20
004067AB \. C3 retn
call 00406520
00406520 /$ 83EC 10 sub esp, 10 ; (out, src, len): packs src in chunks of up to 8 chars, 5 bits per char, into out; returns 0 or the offending char
00406523 |. 8B4424 18 mov eax, dword ptr [esp+18] ; eax = source string (arg 2)
00406527 |. 53 push ebx
00406528 |. 8B5C24 20 mov ebx, dword ptr [esp+20] ; ebx = remaining length (arg 3)
0040652C |. 55 push ebp
0040652D |. 56 push esi
0040652E |. 57 push edi
0040652F |. 85DB test ebx, ebx
00406531 |. 894424 28 mov dword ptr [esp+28], eax ; running source pointer (reuses the arg slot)
00406535 |. 0F8E A7000000 jle 004065E2 ; length <= 0: return 0
0040653B |> 83FB 08 /cmp ebx, 8 ; esi = min(remaining, 8) = chars in this chunk
0040653E |. BE 08000000 |mov esi, 8
00406543 |. 7F 02 |jg short 00406547
00406545 |. 8BF3 |mov esi, ebx
00406547 |> 8D44B6 07 |lea eax, dword ptr [esi+esi*4+7] ; 5*esi + 7 ...
0040654B |. 33C9 |xor ecx, ecx
0040654D |. 99 |cdq
0040654E |. 83E2 07 |and edx, 7
00406551 |. 894C24 10 |mov dword ptr [esp+10], ecx ; clear the 5-byte accumulator (dword at esp+10, byte at esp+14)
00406555 |. 03C2 |add eax, edx
00406557 |. 884C24 14 |mov byte ptr [esp+14], cl
0040655B |. 8BE8 |mov ebp, eax
0040655D |. 33C0 |xor eax, eax
0040655F |. C1FD 03 |sar ebp, 3 ; ... / 8 (signed) = ebp = output bytes for this chunk: 5 for 8 chars, 3 for 4 chars
00406562 |. 85F6 |test esi, esi
00406564 |. 7E 14 |jle short 0040657A
00406566 |. 8B5424 28 |mov edx, dword ptr [esp+28]
0040656A |. 8D4C16 FF |lea ecx, dword ptr [esi+edx-1] ; last character of the chunk
0040656E |> 8A11 |/mov dl, byte ptr [ecx]
00406570 |. 885404 18 ||mov byte ptr [esp+eax+18], dl ; copy the chunk to esp+18.. in reverse order
00406574 |. 40 ||inc eax
00406575 |. 49 ||dec ecx
00406576 |. 3BC6 ||cmp eax, esi ; done when eax == esi (8 chars the first time, 4 the second)
00406578 |.^ 7C F4 |\jl short 0040656E
0040657A |> 8B4C24 28 |mov ecx, dword ptr [esp+28]
0040657E |. 33FF |xor edi, edi
00406580 |. 03CE |add ecx, esi ; advance the source pointer past this chunk
00406582 |. 85F6 |test esi, esi
00406584 |. 894C24 28 |mov dword ptr [esp+28], ecx
00406588 |. 7E 2E |jle short 004065B8
0040658A |> 6A 05 |/push 5
0040658C |. 8D4424 14 ||lea eax, dword ptr [esp+14]
00406590 |. 6A 05 ||push 5
00406592 |. 50 ||push eax
00406593 |. E8 68000000 ||call 00406600 ; (acc, 5, 5): shift the 5-byte accumulator left by 5 bits
00406598 |. 8A4C3C 24 ||mov cl, byte ptr [esp+edi+24] ; next (reversed) key character
0040659C |. 51 ||push ecx
0040659D |. E8 CE000000 ||call 00406670 ; (char): index in the fixed alphabet, negative if absent; body not shown
004065A2 |. 83C4 10 ||add esp, 10
004065A5 |. 85C0 ||test eax, eax
004065A7 |. 7C 43 ||jl short 004065EC ; character not in the alphabet -> fail
004065A9 |. 8A5424 10 ||mov dl, byte ptr [esp+10]
004065AD |. 0AD0 ||or dl, al ; or the 5-bit symbol value into the accumulator's low byte
004065AF |. 47 ||inc edi
004065B0 |. 3BFE ||cmp edi, esi ; 8 iterations the first time, 4 the second
004065B2 |. 885424 10 ||mov byte ptr [esp+10], dl ; store the low byte back
004065B6 |.^ 7C D2 |\jl short 0040658A
004065B8 |> 8B4424 24 |mov eax, dword ptr [esp+24] ; eax = running output pointer
004065BC |. 8BCD |mov ecx, ebp
004065BE |. 8BD1 |mov edx, ecx
004065C0 |. 2BDE |sub ebx, esi ; remaining length
004065C2 |. 8D7424 10 |lea esi, dword ptr [esp+10]
004065C6 |. 8BF8 |mov edi, eax
004065C8 |. C1E9 02 |shr ecx, 2
004065CB |. F3:A5 |rep movs dword ptr es:[edi], dword >; copy ebp bytes of the accumulator to the output (5 then 3 = 8 bytes in all)
004065CD |. 8BCA |mov ecx, edx
004065CF |. 03C5 |add eax, ebp ; advance the output pointer by ebp
004065D1 |. 83E1 03 |and ecx, 3
004065D4 |. 894424 24 |mov dword ptr [esp+24], eax
004065D8 |. 85DB |test ebx, ebx
004065DA |. F3:A4 |rep movs byte ptr es:[edi], byte pt>
004065DC |.^ 0F8F 59FFFFFF \jg 0040653B ; next chunk while characters remain
004065E2 |> 5F pop edi
004065E3 |. 5E pop esi
004065E4 |. 5D pop ebp
004065E5 |. 33C0 xor eax, eax ; return 0 = success
004065E7 |. 5B pop ebx
004065E8 |. 83C4 10 add esp, 10
004065EB |. C3 retn
004065EC |> 33C0 xor eax, eax
004065EE |. 8A443C 18 mov al, byte ptr [esp+edi+18] ; return the offending character (nonzero); the caller treats any nonzero result as failure
004065F2 |. 5F pop edi
004065F3 |. 5E pop esi
004065F4 |. 5D pop ebp
004065F5 |. 5B pop ebx
004065F6 |. 83C4 10 add esp, 10
004065F9 \. C3 retn
call 00406600
00406600 /$ 8B4424 08 mov eax, dword ptr [esp+8] ; (buf, count, shift): little-endian multi-byte left shift of buf[0..count-1] by shift bits; called with (acc, 5, 5)
00406604 |. 48 dec eax ; eax = count-1 (4)
00406605 |. 85C0 test eax, eax
00406607 |. 7E 4E jle short 00406657 ; single byte: just shift it
00406609 |. 8B4C24 0C mov ecx, dword ptr [esp+C] ; ecx = shift amount (5)
0040660D |. 53 push ebx
0040660E |. BB 08000000 mov ebx, 8
00406613 |. 56 push esi
00406614 |. 8B7424 0C mov esi, dword ptr [esp+C] ; esi = buffer (arg 1, after the two pushes)
00406618 |. 2BD9 sub ebx, ecx ; ebx = 8 - shift (3)
0040661A |. 895C24 10 mov dword ptr [esp+10], ebx ; saved in the (no longer needed) count slot
0040661E |. EB 04 jmp short 00406624
00406620 |> 8B5C24 10 /mov ebx, dword ptr [esp+10]
00406624 |> 8A4C24 14 mov cl, byte ptr [esp+14] ; cl = shift
00406628 |. 8A1430 |mov dl, byte ptr [eax+esi]
0040662B |. D2E2 |shl dl, cl ; higher byte: buf[i] << 5
0040662D |. 881430 |mov byte ptr [eax+esi], dl ; write it back
00406630 |. 8A4C30 FF |mov cl, byte ptr [eax+esi-1]
00406634 |. 884C24 0C |mov byte ptr [esp+C], cl ; scratch (the buf arg slot; esi already holds the pointer)
00406638 |. 8ACB |mov cl, bl
0040663A |. 8A5C24 0C |mov bl, byte ptr [esp+C]
0040663E |. D2EB |shr bl, cl ; lower byte: buf[i-1] >> 3 (the carry)
00406640 |. 0ADA |or bl, dl ; merge with the shifted higher byte
00406642 |. 881C30 |mov byte ptr [eax+esi], bl ; write buf[i] back
00406645 |. 48 |dec eax
00406646 |. 85C0 |test eax, eax ; i = count-1 down to 1: 4 iterations
00406648 |.^ 7F D6 \jg short 00406620
0040664A |. 8A4C24 14 mov cl, byte ptr [esp+14]
0040664E |. 8A06 mov al, byte ptr [esi]
00406650 |. D2E0 shl al, cl ; finally buf[0] << 5 (its low bits are then filled by the caller)
00406652 |. 8806 mov byte ptr [esi], al
00406654 |. 5E pop esi
00406655 |. 5B pop ebx
00406656 |. C3 retn
00406657 |> 8B4424 04 mov eax, dword ptr [esp+4] ; count <= 1: shift the single byte
0040665B |. 8A4C24 0C mov cl, byte ptr [esp+C]
0040665F |. D220 shl byte ptr [eax], cl
00406661 \. C3 retn
call 004064B0
004064B0 /$ 8B4424 04 mov eax, dword ptr [esp+4] ; (p): xor the first 7 bytes of intermediate code 1 in place -> intermediate code 2
004064B4 |. 53 push ebx
004064B5 |. B1 0D mov cl, 0D ; xor key starts at 0D
004064B7 |. BA 07000000 mov edx, 7 ; 7 bytes
004064BC |> 8A18 /mov bl, byte ptr [eax] ; fetch the next byte of intermediate code 1
004064BE |. 32D9 |xor bl, cl ; xor with cl
004064C0 |. 80C1 05 |add cl, 5 ; cl starts at 0D and grows by 5 per byte: 0D,12,17,1C,21,26,2B
004064C3 |. 8818 |mov byte ptr [eax], bl ; write back
004064C5 |. 40 |inc eax
004064C6 |. 4A |dec edx ; only the first 7 bytes are transformed
004064C7 |.^ 75 F3 \jnz short 004064BC
004064C9 |. 5B pop ebx
004064CA \. C3 retn
call 004066A0
004066A0 /$ 83EC 28 sub esp, 28 ; (code2, name): 40-byte local frame; the 39-byte checksum input lives at its start (esp+8 after the two pushes)
004066A3 |. 56 push esi
004066A4 |. 57 push edi
004066A5 |. B9 09000000 mov ecx, 9
004066AA |. 33C0 xor eax, eax
004066AC |. 8D7C24 08 lea edi, dword ptr [esp+8]
004066B0 |. 8D5424 08 lea edx, dword ptr [esp+8] ; edx = start of the input buffer
004066B4 |. F3:AB rep stos dword ptr es:[edi] ; zero 9 dwords + word + byte = 39 bytes
004066B6 |. 66:AB stos word ptr es:[edi]
004066B8 |. AA stos byte ptr es:[edi]
004066B9 |. 8B7C24 38 mov edi, dword ptr [esp+38] ; edi = user name (arg 2)
004066BD |. 83C9 FF or ecx, FFFFFFFF
004066C0 |. 33C0 xor eax, eax
004066C2 |. 68 27191113 push 13111927 ; constant 13111927 (argument for 00406480 below)
004066C7 |. F2:AE repne scas byte ptr es:[edi] ; ecx = strlen(name)+1 (terminator included)
004066C9 |. F7D1 not ecx
004066CB |. 2BF9 sub edi, ecx ; edi back to the start of the name
004066CD |. 8BC1 mov eax, ecx
004066CF |. 8BF7 mov esi, edi
004066D1 |. 8BFA mov edi, edx
004066D3 |. C1E9 02 shr ecx, 2
004066D6 |. F3:A5 rep movs dword ptr es:[edi], dword p>; copies strlen+1 bytes of the name into the 40-byte frame with NO length check: by this frame layout a name of 40 or more characters runs past the locals into the saved return address (reachable from the dialog's own name field unless that edit control limits its length - not visible here)
004066D8 |. 8BC8 mov ecx, eax
004066DA |. 83E1 03 and ecx, 3
004066DD |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
004066DF |. C64424 2B 00 mov byte ptr [esp+2B], 0 ; forces a terminator at input[31] (esp shifted by the push): at most 31 name characters take part
004066E4 |. E8 97FDFFFF call 00406480 ; byte-reverses 13111927 -> 27191113 per the author (body not shown)
004066E9 |. 894424 2C mov dword ptr [esp+2C], eax ; stored at input[32..35]: memory bytes 13 11 19 27
004066ED |. 8B4424 38 mov eax, dword ptr [esp+38] ; eax = intermediate code 2 (arg 1)
004066F1 |. 6A 27 push 27 ; length 39 = 32 (name, zero padded) + 4 (constant) + 3 (code 2)
004066F3 |. 66:8B08 mov cx, word ptr [eax] ; first two bytes of intermediate code 2
004066F6 |. 8A50 02 mov dl, byte ptr [eax+2] ; third byte
004066F9 |. 8D4424 10 lea eax, dword ptr [esp+10] ; start of the 39-byte input
004066FD |. 66:894C24 34 mov word ptr [esp+34], cx ; input[36..37]
00406702 |. 50 push eax
00406703 |. 885424 3A mov byte ptr [esp+3A], dl ; input[38]
00406707 |. E8 34FDFFFF call 00406440 ; (input, 39): table-driven checksum -> intermediate code 3 in eax
0040670C |. 83C4 0C add esp, 0C
0040670F |. 5F pop edi
00406710 |. 5E pop esi
00406711 |. 83C4 28 add esp, 28
00406714 \. C3 retn
call 00406440
00406440 /$ 8B4C24 08 mov ecx, dword ptr [esp+8] ; (buf, len): byte-wise table-driven checksum of buf -> eax
00406444 |. 83C8 FF or eax, FFFFFFFF ; eax = FFFFFFFF initial value (returned unchanged when len == 0)
00406447 |. 8BD1 mov edx, ecx
00406449 |. 49 dec ecx
0040644A |. 85D2 test edx, edx
0040644C |. 74 2D je short 0040647B ; empty input
0040644E |. 56 push esi
0040644F |. 8D71 01 lea esi, dword ptr [ecx+1] ; esi = len (loop counter)
00406452 |. 8B4C24 08 mov ecx, dword ptr [esp+8] ; ecx = input pointer (arg 1, after the push)
00406456 |. 57 push edi
00406457 |> 8A11 /mov dl, byte ptr [ecx] ; next input byte: 32-byte name slot, then 13 11 19 27, then the first 3 bytes of intermediate code 2, in memory order
00406459 |. 8BF8 |mov edi, eax
0040645B |. 81E2 FF000000 |and edx, 0FF ; keep the low byte only
00406461 |. 81E7 FF000000 |and edi, 0FF ; low byte of eax
00406467 |. 33D7 |xor edx, edi ; idx = byte xor (eax and FF)
00406469 |. C1E8 08 |shr eax, 8 ; eax >>= 8
0040646C |. 8B1495 940841>|mov edx, dword ptr [edx*4+410894] ; 256-dword table at 00410894 (the 1 KiB the author dumped to the file "梦里水香" for the analysis tool)
00406473 |. 33C2 |xor eax, edx ; eax = (eax >> 8) xor table[idx] - the reflected CRC-32 update shape (init FFFFFFFF, no final complement); whether the table is the standard CRC-32 table is not visible here
00406475 |. 41 |inc ecx
00406476 |. 4E |dec esi ; 39 = 32 + 4 + 3 iterations
00406477 |.^ 75 DE \jnz short 00406457
00406479 |. 5F pop edi
0040647A |. 5E pop esi
0040647B \> C3 retn
三、注册信息位置:
HKEY_CURRENT_USER\Software\Praven3 Software\WorkPause\Registration
四、算法代码:
var
Form1: TForm1;
// The 32-symbol key alphabet (no I, O, 0, 1). A character's 1-based position
// minus one is its 5-bit value; 00406670 in the target rejects anything else.
const zhu2:string='ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
implementation
{$R *.dfm}
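procedure TForm1.Button1Click(Sender: TObject);
// Re-implements the WorkPause 1.3 key check traced above, stage by stage:
//   1. 00406520/00406600: pack the 12 key characters (alphabet zhu2, 5 bits each;
//      chars 8..1 then 12..9, reversed) into intermediate code 1 (zhu[1..10], only 1..7 used)
//   2. 004064B0: xor bytes 1..7 with 0D,12,17,1C,21,26,2B -> intermediate code 2
//   3. 004066A0/00406440: table-driven checksum over the 39 bytes
//      name (at most 31 chars, zero padded to 32) + 13 11 19 27 + code2[1..3]
//      -> intermediate code 3
// The 1 KiB table (256 dwords at 00410894) was dumped from the target into a file
// named '梦里水香' next to this tool; without it the checksum cannot be computed.
// Outputs: edit5 = code 1, edit2 = code 2, edit4 = code 3 (all hex);
// edit7 = code 3 beside bytes 4..7 of code 2, the two values compared at 0040679F.
var
  zhu: array[1..10] of integer;   // intermediate code 1, one byte per slot
  str: string;                    // the key as typed (12 chars, no dashes)
  strname: AnsiString;            // checksum input; AnsiString so ord() yields bytes on Unicode Delphi too
  i, j, k, m, n, wz, nread: Integer;
  iFileHandle: Integer;
  Buffer: PAnsiChar;              // the 1 KiB lookup table
  eax, edx: int64;                // the 32-bit registers of 00406440, widened to avoid sign trouble
begin
  str := edit1.Text;
  if length(str) <> 12 then
  begin
    showmessage('注册码为12位!');
    exit;
  end;
  // 00406670 returns a negative index for a character outside the alphabet and the
  // target rejects the key (jl 004065EC); mirror that instead of feeding pos()-1 = -1
  // into the packing below. pos() is case-sensitive, like the alphabet itself.
  for i := 1 to 12 do
    if pos(str[i], zhu2) = 0 then
    begin
      showmessage('注册码第' + inttostr(i) + '位字符不在 ' + zhu2 + ' 范围内!');
      exit;
    end;
  edit2.Clear;
  edit5.Clear;
  for i := 1 to 10 do
    zhu[i] := 0;
  // Stage 1a: chars 8..1 (reversed) shifted into the 5-byte accumulator zhu[1..5].
  for i := 1 to 8 do
  begin
    for j := 1 to 4 do
    begin
      zhu[6-j] := (zhu[6-j] shl 5) mod $100;        // higher byte <<= 5
      zhu[6-j] := (zhu[5-j] shr 3) or zhu[6-j];     // carry in the top 5 bits of the lower byte
    end;
    zhu[1] := (zhu[1] shl 5) mod $100;
    zhu[1] := zhu[1] or (pos(str[9-i], zhu2) - 1);  // 5-bit symbol value
  end;
  // Stage 1b: chars 12..9 into zhu[6..10]. The target copies only (4*5+7) div 8 = 3
  // bytes of this chunk, but only zhu[6..7] are consumed later, so the result is the same.
  for i := 1 to 4 do
  begin
    for j := 1 to 4 do
    begin
      zhu[11-j] := (zhu[11-j] shl 5) mod $100;
      zhu[11-j] := (zhu[10-j] shr 3) or zhu[11-j];
    end;
    zhu[6] := (zhu[6] shl 5) mod $100;
    zhu[6] := zhu[6] or (pos(str[13-i], zhu2) - 1);
  end;
  for i := 1 to 10 do
    edit5.Text := edit5.Text + inttohex(zhu[i], 2);
  // Stage 2: 004064B0 - xor key starts at 0D and grows by 5 per byte.
  k := $d;
  for i := 1 to 7 do
  begin
    zhu[i] := zhu[i] xor k;
    k := k + 5;
  end;
  for i := 1 to 7 do
    edit2.Text := edit2.Text + inttohex(zhu[i], 2);
  // Stage 3: load the lookup table. FileOpen returns -1 on failure; the first version
  // of this tool then read nothing and silently produced a checksum over zeros.
  iFileHandle := FileOpen('梦里水香', fmOpenRead);
  if iFileHandle < 0 then
  begin
    showmessage('找不到查表数据文件“梦里水香”(00410894 处的 1K 数据)!');
    exit;
  end;
  Buffer := PAnsiChar(AllocMem(1024));
  try
    FileSeek(iFileHandle, 0, 0);
    nread := FileRead(iFileHandle, Buffer^, 1024);
    FileClose(iFileHandle);
    if nread <> 1024 then
    begin
      showmessage('数据文件“梦里水香”长度不足 1024 字节!');
      exit;
    end;
    // Build the 39-byte input exactly as 004066A0 lays it out: the name is copied into
    // a 32-byte slot with a terminator forced at offset 31 (mov byte ptr [esp+2B],0),
    // so at most 31 characters count; then 13 11 19 27; then code2 bytes 1..3.
    strname := AnsiString(copy(edit3.Text, 1, 31));
    while length(strname) < 32 do
      strname := strname + #0;
    strname := strname + AnsiChar($13) + AnsiChar($11) + AnsiChar($19) + AnsiChar($27)
      + AnsiChar(zhu[1]) + AnsiChar(zhu[2]) + AnsiChar(zhu[3]); //+char($35)+char($f9)+char($da)
    // 00406440: eax := (eax shr 8) xor table[(eax xor byte) and $FF], init FFFFFFFF,
    // no final complement - the reflected CRC-32 update shape (table contents not verified).
    eax := $ffffffff;
    for n := 1 to 39 do
    begin
      wz := (ord(strname[n]) xor (eax and $ff)) * 4;  // byte offset of the dword entry
      eax := eax shr 8;
      edx := 0;                                       // assemble the little-endian dword
      for m := 0 to 3 do
        edx := (edx * $100 + ord(Buffer[wz + 3 - m])) mod $100000000;
      eax := eax xor edx;
    end;
  finally
    FreeMem(Buffer);
  end;
  edit4.Text := inttohex(eax, 8);
  edit7.Text := edit4.Text + '<---->' + copy(edit2.Text, 7, 8);
end;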
五、算法总结:
假码(注册码)的字符范围是“ABCDEFGHJKLMNPQRSTUVWXYZ23456789”(32 个符号, 每个字符对应 5 bit; 00406670 返回字符的位置, 不在其中则返回负数, 00406520 据此出错)。第1次取假码的前8位倒序排列, 逐个通过00406600的call(5字节整体左移5位再 or 入字符值)生成中间码1的前5位; 第2次取假码的后4位倒序排列, 同样处理得到中间码1的后面部分(00406520 按 (n*5+7)/8 计算输出字节数, 这一次实际只拷贝3字节, 连同前5字节共8字节), 不过后面只利用了前7位; 前7位的中间码1通过004064B0的call的简单xor(初值0D, 每字节递增5)生成中间码2; 004066A0 把用户名拷贝到32字节的栈缓冲区中, 录入不足则补空字符(00), 并在第31字节处强制写0(mov byte ptr [esp+2B],0), 因此最多只有前31个字符参与运算(注意这段 rep movs 拷贝没有长度检查, 超长的用户名会越过栈帧), 之后连接4位固定字串13 11 19 27, 再连接中间码2的前3位, 组成39位通过00406440的call生成中间码3。00406440 是典型的查表校验和(eax=(eax shr 8) xor 表[(eax xor 字节) and FF], 初值FFFFFFFF, 无最终取反, 形式上与反射型CRC-32的更新一致, 表内容是否为标准CRC-32表未核实), 查的数据表为1k长度(00410894处256个双字), 为了方便写分析已经把它提取出来, 放到分析工具中了, 文件名就是“梦里水香”哈哈! 因为中间码3的生成需要该文件, 所以如果该数据文件不存在则不会成功咯。最后的判断标志即是中间码3与倒序排列后的中间码2第4-7位的比较(0040679F处), 其实是2个数字之间的比较, 为了方便分析就用16进制来表示。具体可以看下附带的算法分析工具。至于算法注册机应该怎么做, 哈哈, 俺不知道, 想了下好像要解方程组, 俺的天, 还是算了吧。因为比较的2个值其中一个只与假码有关系, 另一个和用户名、假码都有关系, 俺是晕啦。算法分析代码也同时奉上, 大家有兴趣就去写个算法注册机来吧, 记得让俺也拜读一下。 |