BreezeBrowser v2.13 算法分析

GeekCat · 发表于 2016-1-17 16:00:59

本帖最后由 GeekCat 于 2016-1-17 23:48 编辑

【文章标题】: BreezeBrowser v2.13 算法分析

【作者邮箱】: [email protected]
【作者主页】:
【软件名称】: BreezeBrowser v2.13

【软件大小】: 7.37 MB (7,736,182 字节)
【加壳方式】: 无壳

【保护方式】: 注册码
【编写语言】: Microsoft Visual C++ 6.0

【使用工具】: OD、PEID
【操作平台】: XP SP3

【下载地址】: http://www.crsky.com/soft/3458.html

【破解声明】: 破解在于交流思路和过程，结果并不重要，请不要用于非法用途；
【软件介绍】: BreezeBrowser是专门为佳能Powershot系列数码相机设计的图像处理程序第三方程序，支持佳能CRW文件格式，可以在进行文件格式转换时调整色阶、饱和度、白平衡等等。该软件是基于佳能开发工具SDK工作的，支持的机型有：Powershot G1、Pro90、G2、S30、S40和D30等。

--------------------------------------------------------------------------------------------------------------------------------

一、注册名不区分大小写黑名单：
1)、phil winegardner
2）、crsky
3）、team viroil(以这个字符串开头且注册码长度为13位)

二、字符串、万能断点、F12、API都能快速定位到关键点；

三、关键点代码如下：

0054B505 |. 8B49 68 mov ecx,dword ptr ds:[ecx+0x68]
0054B508 |. E8 3714EDFF call BreezeBr.0041C944 ; 算法CALL
0054B50D |. 25 FF000000 and eax,0xFF
0054B512 |. 85C0 test eax,eax
0054B514 |. 74 21 je short BreezeBr.0054B537 ; 关键跳转不能跳
0054B516 |. 6A 30 push 0x30
0054B518 |. 68 34A36200 push BreezeBr.0062A334 ; BreezeBrowser
0054B51D |. 68 44A36200 push BreezeBr.0062A344 ; Thank you!\nYour copy of BreezeBrowser has been registered successfully。

复制代码

四、算法CALL代码如下：

0041C944 /$ 55 push ebp
————————————————————————略代码N行——————————————————————————————————
0041C991 |. 81C1 A4030000 add ecx,0x3A4
0041C997 |. E8 64DBFEFF call BreezeBr.0040A500 ; 计算注册码长度
0041C99C |. 83F8 20 cmp eax,0x20 ; 注册码长度大于等于0x20-->32（位）
0041C99F |. 7C 17 jl short BreezeBr.0041C9B8 ; 0
0041C9A1 |. 6A 2D push 0x2D ; 0x2D-->‘-’
0041C9A3 |. 8B8D E0FDFFFF mov ecx,dword ptr ss:[ebp-0x220]
0041C9A9 |. 81C1 A4030000 add ecx,0x3A4
0041C9AF |. E8 C60A1A00 call <jmp.&MFC42.#2763> ; 计算注册码中‘-’数量，要求注册码有‘-’
————————————————————————略代码N行——————————————————————————————————
0041C9DD |. 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-0xB0] ; 注册名
0041C9E3 |. E8 CC061A00 call <jmp.&MFC42.#4202> ; 注册名，大写转小写
0041C9E8 |. 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-0xB0] ; (ASCII "geekcat")
0041C9EE |. E8 0DDBFEFF call BreezeBr.0040A500 ; 计算注册名长度
—————————————————————略代码N行（验证黑名单中的三个注册名）————————————
0041CD97 |> \68 B0915F00 push BreezeBr.005F91B0 ; +:
0041CD9C |. 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-0xB0] ; 注册名 (ASCII "geekcat")
0041CDA2 |. E8 F5021A00 call <jmp.&MFC42.#941> ; 拼接字符串
0041CDA7 |. 6A 20 push 0x20
0041CDA9 |. 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-0xB0] ; (ASCII "geekcat+:")
0041CDAF |. E8 C0061A00 call <jmp.&MFC42.#6874>
0041CDB4 |. 6A 25 push 0x25 ; 0x25-->‘%’
0041CDB6 |. 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-0xB0]
0041CDBC |. E8 E7021A00 call <jmp.&MFC42.#940>
0041CDC1 |. 68 B4915F00 push BreezeBr.005F91B4 ; a
0041CDC6 |. 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-0xB0] ; (ASCII "geekcat+:")
0041CDCC |. E8 CB021A00 call <jmp.&MFC42.#941> ; 拼接字符串
0041CDD1 |. 6A 40 push 0x40 ; 0x40-->‘@’
0041CDD3 |. 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-0xB0] ; (ASCII "geekcat+:a")
0041CDD9 |. E8 CA021A00 call <jmp.&MFC42.#940> ; 拼接字符串
0041CDDE |. 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
0041CDE1 |. E8 60011A00 call <jmp.&MFC42.#540>
0041CDE6 |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
0041CDEA |. 6A 23 push 0x23 ; 0x23-->#
0041CDEC |. 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-0xB0]
0041CDF2 |. E8 B1021A00 call <jmp.&MFC42.#940>
0041CDF7 |. 68 B8915F00 push BreezeBr.005F91B8 ; ;
0041CDFC |. 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-0xB0]
0041CE02 |. E8 95021A00 call <jmp.&MFC42.#941>
0041CE07 |. 68 BC915F00 push BreezeBr.005F91BC ; d
0041CE0C |. 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-0xB0]
0041CE12 |. E8 85021A00 call <jmp.&MFC42.#941>
0041CE17 |. 68 C0915F00 push BreezeBr.005F91C0 ; j
0041CE1C |. 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-0xB0]
0041CE22 |. E8 75021A00 call <jmp.&MFC42.#941> ; 以上是拼接字符串得到 "geekcat+:%a@#;dj"
0041CE27 |. 8D95 68FFFFFF lea edx,dword ptr ss:[ebp-0x98]
0041CE2D |. 52 push edx
0041CE2E |. E8 3DF00E00 call BreezeBr.0050BE70
0041CE33 |. 83C4 04 add esp,0x4
0041CE36 |. 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-0xB0]
0041CE3C |. E8 BFD6FEFF call BreezeBr.0040A500 ; 以上是计算拼接后的字符串长度
0041CE41 |. 50 push eax ; 0x10-->16位
0041CE42 |. 8D8D 50FFFFFF lea ecx,dword ptr ss:[ebp-0xB0] ; (ASCII "geekcat+:%a@#;dj")
0041CE48 |. E8 D348FEFF call BreezeBr.00401720
0041CE4D |. 50 push eax
0041CE4E |. 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-0x98]
0041CE54 |. 50 push eax
0041CE55 |. E8 56F00E00 call BreezeBr.0050BEB0
0041CE5A |. 83C4 0C add esp,0xC
0041CE5D |. 8D8D 68FFFFFF lea ecx,dword ptr ss:[ebp-0x98]
0041CE63 |. 51 push ecx
0041CE64 |. 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]
0041CE67 |. 52 push edx
0041CE68 |. E8 70F10E00 call BreezeBr.0050BFDD ; 注册名拼接字符MD5计算并大写输出
0041CE6D |. 83C4 08 add esp,0x8
0041CE70 |. C785 60FFFFFF>mov dword ptr ss:[ebp-0xA0],0x0
0041CE7A |. EB 0F jmp short BreezeBr.0041CE8B
0041CE7C |> 8B85 60FFFFFF /mov eax,dword ptr ss:[ebp-0xA0] ; 下面的循环是把上面得到MD5值以‘-’分成4段，每段8位
0041CE82 |. 83C0 01 |add eax,0x1
0041CE85 |. 8985 60FFFFFF |mov dword ptr ss:[ebp-0xA0],eax
0041CE8B |> 83BD 60FFFFFF> cmp dword ptr ss:[ebp-0xA0],0x4 ; 跟4比较，注册码分为4段
0041CE92 |. 0F8D 90000000 |jge BreezeBr.0041CF28
0041CE98 |. C785 48FFFFFF>|mov dword ptr ss:[ebp-0xB8],0x0
0041CEA2 |. C785 44FEFFFF>|mov dword ptr ss:[ebp-0x1BC],0x0
0041CEAC |. EB 0F |jmp short BreezeBr.0041CEBD
0041CEAE |> 8B8D 44FEFFFF |/mov ecx,dword ptr ss:[ebp-0x1BC]
0041CEB4 |. 83C1 01 ||add ecx,0x1
0041CEB7 |. 898D 44FEFFFF ||mov dword ptr ss:[ebp-0x1BC],ecx
0041CEBD |> 83BD 44FEFFFF>| cmp dword ptr ss:[ebp-0x1BC],0x4 ; 跟4比较，每段为4组2个字符拼接
0041CEC4 |. 7D 28 ||jge short BreezeBr.0041CEEE
0041CEC6 |. 8B95 48FFFFFF ||mov edx,dword ptr ss:[ebp-0xB8]
0041CECC |. C1E2 08 ||shl edx,0x8 ; 左移8位
0041CECF |. 8B85 60FFFFFF ||mov eax,dword ptr ss:[ebp-0xA0]
0041CED5 |. 8B8D 44FEFFFF ||mov ecx,dword ptr ss:[ebp-0x1BC]
0041CEDB |. 8D0481 ||lea eax,dword ptr ds:[ecx+eax*4]
0041CEDE |. 33C9 ||xor ecx,ecx
0041CEE0 |. 8A4C05 D8 ||mov cl,byte ptr ss:[ebp+eax-0x28] ; 0012F238 32 76 C6 02
0041CEE4 |. 03D1 ||add edx,ecx ; AS值累加
0041CEE6 |. 8995 48FFFFFF ||mov dword ptr ss:[ebp-0xB8],edx
0041CEEC |.^ EB C0 |\jmp short BreezeBr.0041CEAE
0041CEEE |> 8B95 48FFFFFF |mov edx,dword ptr ss:[ebp-0xB8] ; 3276C602 E3B79B26 808B23D9 88AD8212拼接而成
0041CEF4 |. 52 |push edx ; /%08lX 3276C602 E3B79B26 808B23D9 88AD8212
0041CEF5 |. 68 C4915F00 |push BreezeBr.005F91C4 ; |%08lX
0041CEFA |. 8D85 48FEFFFF |lea eax,dword ptr ss:[ebp-0x1B8] ; |%08lX 3276C602 E3B79B26 808B23D9 88AD8212
0041CF00 |. 50 |push eax ; |s
0041CF01 |. FF15 400C5D00 |call dword ptr ds:[<&MSVCRT.sprintf>] ; \sprintf
0041CF07 |. 83C4 0C |add esp,0xC ; 前面的CALL出来后 2 6 9 2
0041CF0A |. 8D8D 48FEFFFF |lea ecx,dword ptr ss:[ebp-0x1B8] ; (ASCII 3276C602 E3B79B26 808B23D9 88AD8212)
0041CF10 |. 51 |push ecx
0041CF11 |. 8D4D C4 |lea ecx,dword ptr ss:[ebp-0x3C] ; 上一次拼接的结果
0041CF14 |. E8 83011A00 |call <jmp.&MFC42.#941> ; 拼接字符串 ASCII "3276C602-E3B79B26-808B23D9-88AD8212"
0041CF19 |. 6A 2D |push 0x2D ; 0x2D-->‘-’
0041CF1B |. 8D4D C4 |lea ecx,dword ptr ss:[ebp-0x3C] ; 拼接后注册码
0041CF1E |. E8 85011A00 |call <jmp.&MFC42.#940>
0041CF23 |.^ E9 54FFFFFF \jmp BreezeBr.0041CE7C
0041CF28 |> 68 CC915F00 push BreezeBr.005F91CC ; -
————————————————————————略代码N行——————————————————————————————————
0041CFB4 |> \C745 E8 00000>mov dword ptr ss:[ebp-0x18],0x0
0041CFBB |. 6A 01 push 0x1 ; 取1位
0041CFBD |. 6A 05 push 0x5 ; 从第五位开始取
0041CFBF |. 8D4D F0 lea ecx,dword ptr ss:[ebp-0x10] ; 1234-2567-3890-4qwe-5RTY-6UIOPAS
0041CFC2 |. E8 39D6FEFF call BreezeBr.0040A600 ; 取注册码第0x5--->5位
0041CFC7 |. 50 push eax
0041CFC8 |. 8D8D 40FEFFFF lea ecx,dword ptr ss:[ebp-0x1C0]
0041CFCE |. E8 9B041A00 call <jmp.&MFC42.#536> ; 取字符并拼接“2”
0041CFD3 |. C645 FC 04 mov byte ptr ss:[ebp-0x4],0x4
0041CFD7 |. 6A 0F push 0xF
0041CFD9 |. 8D4D F0 lea ecx,dword ptr ss:[ebp-0x10] ; 1234-2567-3890-4qwe-5RTY-6UIOPAS
0041CFDC |. E8 1FD6FEFF call BreezeBr.0040A600 ; 取注册码第F--->15位
0041CFE1 |. 50 push eax
0041CFE2 |. 8D8D 40FEFFFF lea ecx,dword ptr ss:[ebp-0x1C0]
0041CFE8 |. E8 BB001A00 call <jmp.&MFC42.#940> ; 取字符并拼接“24”
0041CFED |. 6A 19 push 0x19
0041CFEF |. 8D4D F0 lea ecx,dword ptr ss:[ebp-0x10]
0041CFF2 |. E8 09D6FEFF call BreezeBr.0040A600 ; 取注册码第0x19--->25位
0041CFF7 |. 50 push eax
0041CFF8 |. 8D8D 40FEFFFF lea ecx,dword ptr ss:[ebp-0x1C0]
0041CFFE |. E8 A5001A00 call <jmp.&MFC42.#940> ; 取字符并拼接“246”
0041D003 |. 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
0041D006 |. 51 push ecx
0041D007 |. 68 D4915F00 push BreezeBr.005F91D4 ; %x
0041D00C |. 8D8D 40FEFFFF lea ecx,dword ptr ss:[ebp-0x1C0] ; 246/6RA/68A/NBV/N88
0041D012 |. E8 0947FEFF call BreezeBr.00401720 ; 截取字符串：从左向右取遇上大于F的字符就返回F之前的字符，如果第一位大于F就返回0
0041D017 |. 50 push eax ; |s
0041D018 |. FF15 180C5D00 call dword ptr ds:[<&MSVCRT.sscanf>] ; \sscanf
0041D01E |. 83C4 0C add esp,0xC
0041D021 |. 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
0041D024 |. 81F2 AF070000 xor edx,0x7AF ; 前面截取到的字符（0x246/6/68A/0/0 xor ox7AF = 0x5E9）
0041D02A |. 8955 E8 mov dword ptr ss:[ebp-0x18],edx ; 5E9
0041D02D |. 6A 06 push 0x6
——————略代码N行（这里有特别长的垃圾代码，开始分析时会浪费很多时间）————————
0041D324 |. C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
0041D328 |. 8D8D 40FEFFFF lea ecx,dword ptr ss:[ebp-0x1C0] ; 246
0041D32E |. E8 C5FB1900 call <jmp.&MFC42.#800>
0041D333 |. 8B45 E8 mov eax,dword ptr ss:[ebp-0x18] ; 5E9
0041D336 |. 99 cdq
0041D337 |. B9 54000000 mov ecx,0x54
0041D33C |. F7F9 idiv ecx ; 5E9/54=12 当eax最大为FFF时 FFF/54=30
0041D33E |. 8945 C8 mov dword ptr ss:[ebp-0x38],eax ; 商 12 要求商0~6 从后面反推出来
0041D341 |. 8B55 C8 mov edx,dword ptr ss:[ebp-0x38]
0041D344 |. 6BD2 07 imul edx,edx,0x7 ; 12*7=7E
0041D347 |. 6BD2 0C imul edx,edx,0xC ; 7E*C=5E8
0041D34A |. 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
0041D34D |. 2BC2 sub eax,edx ; 5E9-5E8=1 这个差的要求0~B之间（为月份）
0041D34F |. 8945 E8 mov dword ptr ss:[ebp-0x18],eax
0041D352 |. 8B4D C8 mov ecx,dword ptr ss:[ebp-0x38] ; 商 12
0041D355 |. 81C1 D0070000 add ecx,0x7D0 ; 12+7D0=7E2 后面要求相加的和小于等于7D6，商小于等于6
0041D35B |. 894D C8 mov dword ptr ss:[ebp-0x38],ecx ; 7E2
0041D35E |. 8B45 E8 mov eax,dword ptr ss:[ebp-0x18] ; 差 1
0041D361 |. 99 cdq
0041D362 |. B9 0C000000 mov ecx,0xC
0041D367 |. F7F9 idiv ecx
0041D369 |. 8985 5CFFFFFF mov dword ptr ss:[ebp-0xA4],eax ; 商 0 只有前面的差在0~B之间这个商才为0，后面有要求
0041D36F |. 8B45 E8 mov eax,dword ptr ss:[ebp-0x18] ; 差 1
0041D372 |. 99 cdq
0041D373 |. B9 0C000000 mov ecx,0xC
0041D378 |. F7F9 idiv ecx ; 模
0041D37A |. 83C2 01 add edx,0x1 ; 余数 1 1+1=2
0041D37D |. 8955 EC mov dword ptr ss:[ebp-0x14],edx ; 和 2
0041D380 |. 8D95 FCFDFFFF lea edx,dword ptr ss:[ebp-0x204]
0041D386 |. 52 push edx
0041D387 |. E8 9A001A00 call <jmp.&MFC42.#3811>
0041D38C |. 50 push eax
0041D38D |. 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
0041D393 |. E8 18AC0E00 call BreezeBr.00507FB0
0041D398 |. 68 D8915F00 push BreezeBr.005F91D8 ; Mar 10 2006
0041D39D |. 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
0041D3A0 |. E8 AFFC1900 call <jmp.&MFC42.#537>
0041D3A5 |. C645 FC 11 mov byte ptr ss:[ebp-0x4],0x11
0041D3A9 |. 6A 04 push 0x4
0041D3AB |. 8D85 F8FDFFFF lea eax,dword ptr ss:[ebp-0x208]
0041D3B1 |. 50 push eax
0041D3B2 |. 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C] ; Mar 10 2006
0041D3B5 |. E8 DCFC1900 call <jmp.&MFC42.#5710>
0041D3BA |. 8985 74FDFFFF mov dword ptr ss:[ebp-0x28C],eax ; 2006
0041D3C0 |. 8B8D 74FDFFFF mov ecx,dword ptr ss:[ebp-0x28C]
0041D3C6 |. 898D 70FDFFFF mov dword ptr ss:[ebp-0x290],ecx
0041D3CC |. C645 FC 12 mov byte ptr ss:[ebp-0x4],0x12
0041D3D0 |. 8B8D 70FDFFFF mov ecx,dword ptr ss:[ebp-0x290] ; 2006
0041D3D6 |. E8 4543FEFF call BreezeBr.00401720
0041D3DB |. 50 push eax ; /s
0041D3DC |. FF15 200C5D00 call dword ptr ds:[<&MSVCRT.atoi>] ; \10转16 2006-->7D6
0041D3E2 |. 83C4 04 add esp,0x4
0041D3E5 |. 8945 D0 mov dword ptr ss:[ebp-0x30],eax ; 7D6
0041D3E8 |. C645 FC 11 mov byte ptr ss:[ebp-0x4],0x11
0041D3EC |. 8D8D F8FDFFFF lea ecx,dword ptr ss:[ebp-0x208] ; 2006
0041D3F2 |. E8 01FB1900 call <jmp.&MFC42.#800>
0041D3F7 |. 8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
————————————————————————略代码N行——————————————————————————————————
0041D5B2 |. C785 64FFFFFF>mov dword ptr ss:[ebp-0x9C],0xC
0041D5BC |> 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C] ; 3276C602-E3B79B26-808B23D9-88AD8212
0041D5BF |. 52 push edx
0041D5C0 |. 8D45 F0 lea eax,dword ptr ss:[ebp-0x10] ; 1234-2567-3890-4QWE-5RTY-6UIOPAS
0041D5C3 |. 50 push eax
0041D5C4 |. E8 27E20200 call BreezeBr.0044B7F0 ; 比较CALL 输入的注册码跟前面计算出来的36位注册码相等
0041D5C9 |. 25 FF000000 and eax,0xFF
0041D5CE |. 85C0 test eax,eax
0041D5D0 |. 75 09 jnz short BreezeBr.0041D5DB ; 0 不能跳这里跳了
0041D5D2 |. 817D C8 D6070>cmp dword ptr ss:[ebp-0x38],0x7D6 ; 要求前面的商+7D0 的和小于等于7D6 之前的商为0~6之间
0041D5D9 |. 7E 58 jle short BreezeBr.0041D633 ; 1 要跳
0041D5DB |> 8B8D E0FDFFFF mov ecx,dword ptr ss:[ebp-0x220]
————————————————————————略代码N行——————————————————————————————————
0041D628 |. 8A85 F0FDFFFF mov al,byte ptr ss:[ebp-0x210]
0041D62E |. E9 76010000 jmp BreezeBr.0041D7A9
0041D633 |> 8B55 C8 mov edx,dword ptr ss:[ebp-0x38] ; 商+7D0的和 7D2
0041D636 |. 6BD2 0C imul edx,edx,0xC ; 7D2*C=5DD8
0041D639 |. 0355 EC add edx,dword ptr ss:[ebp-0x14] ; 余数+1=2 5DD8+2=5DDA
0041D63C |. 8955 CC mov dword ptr ss:[ebp-0x34],edx ; 5DDA
0041D63F |. C785 58FFFFFF>mov dword ptr ss:[ebp-0xA8],0x5DE8 ; 如果下面用不到月份计算就用5DDA<=5DE8来实现0041D66C的跳转
0041D649 |. 8B45 D0 mov eax,dword ptr ss:[ebp-0x30] ; 7D6(2006 10转16)
0041D64C |. 6BC0 0C imul eax,eax,0xC ; 7D6*C=5E08
0041D64F |. 0385 64FFFFFF add eax,dword ptr ss:[ebp-0x9C] ; 之前的月份Mar 3+5E08=5E0B
0041D655 |. 8945 C0 mov dword ptr ss:[ebp-0x40],eax ; 5E0B
0041D658 |. 8B4D C0 mov ecx,dword ptr ss:[ebp-0x40]
0041D65B |. 2B4D CC sub ecx,dword ptr ss:[ebp-0x34] ; 5E0B-5DDA=31
0041D65E |. 83F9 0C cmp ecx,0xC ; 上一步的差要求小于等于C 猜原程序有可能比较的是月份
0041D661 |. 7E 63 jle short BreezeBr.0041D6C6 ; 1 跟下面的跳转要有一个要实现
0041D663 |. 8B55 CC mov edx,dword ptr ss:[ebp-0x34]
0041D666 |. 3B95 58FFFFFF cmp edx,dword ptr ss:[ebp-0xA8]
0041D66C |. 7C 58 jl short BreezeBr.0041D6C6 ; 1 跟上面的跳转要有一个要实现
0041D66E |. 8B85 E0FDFFFF mov eax,dword ptr ss:[ebp-0x220]
————————————————————————略代码N行——————————————————————————————————
0041D6C1 |. /E9 E3000000 jmp BreezeBr.0041D7A9
0041D6C6 |> |83BD 5CFFFFFF>cmp dword ptr ss:[ebp-0xA4],0x0 ; 下面一个跳转要实现要求0041D367处的商等于0
0041D6CD |. |0F8E 83000000 jle BreezeBr.0041D756 ; 1 跟下面的跳转总有一个要实现
0041D6D3 |. |8B4D CC mov ecx,dword ptr ss:[ebp-0x34] ; 5DDA
0041D6D6 |. |038D 5CFFFFFF add ecx,dword ptr ss:[ebp-0xA4] ; 5DDA加上0041D367处的商（0）= 5DDA
0041D6DC |. |894D CC mov dword ptr ss:[ebp-0x34],ecx ; 5DDA
0041D6DF |. |8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
0041D6E5 |. |E8 26E10200 call BreezeBr.0044B810 ; 当前系统时间的年份10转16 2016-->7E0
0041D6EA |. |8BF0 mov esi,eax
0041D6EC |. |6BF6 0C imul esi,esi,0xC ; 7E0*C=5E80
0041D6EF |. |8D8D 54FFFFFF lea ecx,dword ptr ss:[ebp-0xAC]
0041D6F5 |. |E8 36E10200 call BreezeBr.0044B830 ; 系统当前时间月份10转10 1-->1 程序调试时间为1月份
0041D6FA |. |03F0 add esi,eax ; 年+月 5E80+1=5E81
0041D6FC |. |3975 CC cmp dword ptr ss:[ebp-0x34],esi ; 要求5DDA大于等于5E81
0041D6FF |. |7D 55 jge short BreezeBr.0041D756 ; 此处验证系统时间的，只要系统时当前时间这个跳转能实现
0041D701 |. |8B95 E0FDFFFF mov edx,dword ptr ss:[ebp-0x220]

复制代码

---------------------------------------------------------------------------------------------------------------------------

五、不是总结的总结：
1、这个软件有一个注册名黑名单：
2、这个软件因为是取字符串MD5后的密文中特定位置字符来来验证是否合法，因些写不了注册机；
3、这个软件的特点是算法代码很长，中间垃圾太码很多，花费的时间、精力比较多；
4、软件的注册码：注册名转小写拼接上‘+:%a@#;dj’（蓝色部分）再MD5运算大写输入，并把这个密文以’-‘分成4段每段8位，但不是每一个密文都能注册成功（对密文多次验证）；
5、算法分析难度适中，适合练手~~~~~

一组可用注册信息（试了N次才成功）：

注册名：GeekCat/飘云阁

注册码：CCF4E631-6E6A6007-C22CA2C3-8C7207BD

---------------------------------------------------------------------------------------------------------------------------

本文原创于GeekCat/P.Y.G，转载请注明作者及论坛并保存文章的完整！

来自群组: 我们都爱月姐姐

Nisy · 发表于 2016-1-17 16:47:10

赞，算法部分看起来好长哦 ~

gujin162 · 发表于 2016-1-17 18:54:12

必须赞~~~~~

GeekCat · 发表于 2016-1-17 21:21:51

@tree_fly ，先爆破再写KG这个方案肯定没问题。

HXSoft · 发表于 2016-1-17 21:26:50

我是来膜拜大神的

qinccckencn · 发表于 2016-1-17 23:26:31

会算法的大牛最牛B,膜拜

wxq · 发表于 2016-1-18 08:55:05

不错，学习算法的好文章。

		自动登录	找回密码
密码			加入我们

[原创] BreezeBrowser v2.13 算法分析

评分