BluffTitler DX9 6.10 简单分析

Nisy · 发表于 2007-4-18 13:39:50

BluffTitler DX9 6.10
软件大小：6835KB
软件类别：国外软件/动画制作
下载次数：37474
软件授权：共享版
软件语言：英文 (多国语言版包括中文)
运行环境：Win9x/Me/NT/2000/XP/2003
更新时间：2007-4-2 9:23:22
Home Page:http://www.outerspace-software.com/(华军也可以找到)

破解声明: 无心插柳柳成荫.错下了软件,欧元注册,简单分析下.这里只是交流下分析思路,破解思路很重要,无它.

注册失败后有弹出对话框,OD可搜索到ASCII,不过这都不好使.我比较懒呀,用CxLrb的脱壳机,用API断点设置插件在对话框API部分反选下断点.

00447588  |.  FF15 50D35500 call dword ptr [<&USER32.MessageBoxW>>; \MessageBoxW
0044758E  |.  8D4C24 04    lea    ecx, dword ptr [esp+4]          ;  我们在CALL的下一行下断
00447592  |.  8BF0       mov    esi, eax
00447594  |.  E8 27DA0200 call 00474FC0
00447599  |.  8BC6       mov    eax, esi
0044759B  |.  C605 08D15900>mov    byte ptr [59D108], 1
004475A2  |.  5E          pop    esi
004475A3  |.  83C4 08    add    esp, 8
004475A6  \.  C3          retn

我们F8单步，退出TETN后来到这里：

00451381  |.  6A 20       push 20                            ;  我们在这里下断
00451383  |.  68 29040000 push 429
00451388  |.  8D4C24 30    lea    ecx, dword ptr [esp+30]
0045138C  |.  56          push esi
0045138D  |.  51          push ecx
0045138E  |.  E8 6D600200 call 00477400
00451393  |.  6A 20       push 20
00451395  |.  68 2A040000 push 42A
0045139A  |.  8D5424 38    lea    edx, dword ptr [esp+38]
0045139E  |.  56          push esi
0045139F  |.  52          push edx
004513A0  |.  C78424 840000>mov    dword ptr [esp+84], 0C
004513AB  |.  E8 50600200 call 00477400
004513B0  |.  6A 20       push 20
004513B2  |.  68 34040000 push 434
004513B7  |.  8D4424 40    lea    eax, dword ptr [esp+40]
004513BB  |.  56          push esi
004513BC  |.  50          push eax
004513BD  |.  C68424 940000>mov    byte ptr [esp+94], 0D
004513C5  |.  E8 36600200 call 00477400
004513CA  |.  83C4 30    add    esp, 30
004513CD  |.  6A 01       push 1                               ; /Arg4 = 00000001
004513CF  |.  8D4C24 1C    lea    ecx, dword ptr [esp+1C]       ; |
004513D3  |.  51          push ecx                            ; |Arg3
004513D4  |.  8B0D 78F85900 mov    ecx, dword ptr [59F878]       ; |
004513DA  |.  8D5424 28    lea    edx, dword ptr [esp+28]       ; |
004513DE  |.  52          push edx                            ; |Arg2
004513DF  |.  8D4424 34    lea    eax, dword ptr [esp+34]       ; |
004513E3  |.  B3 0E       mov    bl, 0E                         ; |
004513E5  |.  50          push eax                            ; |Arg1
004513E6  |.  885C24 74    mov    byte ptr [esp+74], bl          ; |
004513EA  |.  E8 61EDFEFF call 00440150                      ;  这里是算法CALL 跟进
004513EF  |.  84C0       test al, al
004513F1  |.  74 2B       je    short 0045141E                ;  AL返回0则发生跳转要让AL=1
004513F3  |.  6A 05       push 5
004513F5  |.  8D4C24 4C    lea    ecx, dword ptr [esp+4C]
004513F9  |.  51          push ecx
004513FA  |.  8B0D 7CF85900 mov    ecx, dword ptr [59F87C]
00451400  |.  81C1 10020000 add    ecx, 210
00451406  |.  E8 D504FBFF call 004018E0
0045140B  |.  6A 01       push 1
0045140D  |.  50          push eax
0045140E  |.  C64424 6C 0F  mov    byte ptr [esp+6C], 0F
00451413  |.  E8 F860FFFF call 00447510
00451418  |.  8D4C24 50    lea    ecx, dword ptr [esp+50]
0045141C  |.  EB 29       jmp    short 00451447                ;  软件从这里跳走后，软件则可使用注册后的功能
0045141E  |>  8B0D 7CF85900 mov    ecx, dword ptr [59F87C]       ;  我们可以看出跳向注册失败处来自这里
00451424  |.  6A 06       push 6
00451426  |.  8D5424 54    lea    edx, dword ptr [esp+54]
0045142A  |.  52          push edx
0045142B  |.  81C1 10020000 add    ecx, 210
00451431  |.  E8 AA04FBFF call 004018E0
00451436  |.  6A 00       push 0
00451438  |.  50          push eax
00451439  |.  C64424 6C 10  mov    byte ptr [esp+6C], 10
0045143E  |.  E8 CD60FFFF call 00447510
00451443  |.  8D4C24 58    lea    ecx, dword ptr [esp+58]       ;  退出该CALL后来到这里

我们F9运行，OD停在我们下的断点处。我们F7跟算法CALL：

算法CALL跟近：

00440150  /$  83EC 10    sub    esp, 10
00440153  |.  53          push ebx
00440154  |.  55          push ebp
00440155  |.  56          push esi
00440156  |.  57          push edi
00440157  |.  68 40E15800 push 0058E140
0044015C  |.  8BF9       mov    edi, ecx
0044015E  |.  68 D2040000 push 4D2
00440163  |.  8D4C24 18    lea    ecx, dword ptr [esp+18]
00440167  |.  E8 F4070300 call 00470960                ;  跟进看了下无关紧要
0044016C  |.  8B5C24 2C    mov    ebx, dword ptr [esp+2C]
00440170  |.  8B6C24 28    mov    ebp, dword ptr [esp+28]
00440174  |.  8B7424 24    mov    esi, dword ptr [esp+24]
00440178  |.  53          push ebx                      ; /Arg3
00440179  |.  55          push ebp                      ; |Arg2
0044017A  |.  56          push esi                      ; |Arg1
0044017B  |.  8D4C24 1C    lea    ecx, dword ptr [esp+1C] ; |
0044017F  |.  E8 DC0D0300 call 00470F60                ; 关键算法CALL01 跟进
00440184  |.  85C0       test eax, eax
00440186  |.  8BCF       mov    ecx, edi
00440188    74 16       je    short 004401A0          ;  这里必须跳走修改为JMP
0044018A  |.  68 18D55500 push 0055D518
0044018F  |.  E8 3C4F0300 call 004750D0
00440194  |.  32C0       xor    al, al
00440196  |.  5F          pop    edi
00440197  |.  5E          pop    esi
00440198  |.  5D          pop    ebp
00440199  |.  5B          pop    ebx
0044019A  |.  83C4 10    add    esp, 10
0044019D  |.  C2 1000    retn 10
004401A0  |>  56          push esi
004401A0  |> \56          push esi
004401A1  |.  E8 4A4E0300 call 00474FF0
004401A6  |.  8A4424 30    mov    al, byte ptr [esp+30]    ;  [ESP+30]数值为01
004401AA  |.  84C0       test al, al
004401AC  |.  74 4E       je    short 004401FC
004401AE  |.  83EC 08    sub    esp, 8
004401B1  |.  8BCC       mov    ecx, esp
004401B3  |.  896424 38    mov    dword ptr [esp+38], esp
004401B7  |.  56          push esi
004401B8  |.  E8 334B0300 call 00474CF0                ;  取KEY
004401BD  |.  8B0D 44D25900 mov    ecx, dword ptr [59D244]
004401C3  |.  E8 A8FDFFFF call 0043FF70
004401C8  |.  83EC 08    sub    esp, 8
004401CB  |.  8BCC       mov    ecx, esp
004401CD  |.  896424 38    mov    dword ptr [esp+38], esp
004401D1  |.  55          push ebp
004401D2  |.  E8 194B0300 call 00474CF0                ;  取KEY2
004401D7  |.  8B0D 44D25900 mov    ecx, dword ptr [59D244]
004401DD  |.  E8 DEFDFFFF call 0043FFC0
004401E2  |.  83EC 08    sub    esp, 8
004401E5  |.  8BCC       mov    ecx, esp
004401E7  |.  896424 38    mov    dword ptr [esp+38], esp
004401EB  |.  53          push ebx
004401EC  |.  E8 FF4A0300 call 00474CF0                ;  取KEY3
004401F1  |.  8B0D 44D25900 mov    ecx, dword ptr [59D244]
004401F7  |.  E8 14FEFFFF call 00440010
004401FC  |>  5F          pop    edi
004401FD  |.  5E          pop    esi
004401FE  |.  5D          pop    ebp
004401FF  |.  B0 01       mov    al, 1
00440201  |.  5B          pop    ebx
00440202  |.  83C4 10    add    esp, 10
00440205  \.  C2 1000    retn 10

OK，到此我们已找到了第一处的暴破点：即修改此跳转后，软件即可实现注册。未注册的DEMO字样即可消失。
而当我们再次运行软件时，软件又显示了未注册。

为什么呢？软件在重启的时候又进行了对注册信息的判断。而注册信息就保存在BluffTitler.ini。
这里为节省时间，我只说一下我的思路。由于我们第一次暴破后，注册功能已经可以使用，这点就说明，我们修改的关键跳转使软件跳到注册版的代码处，执行了注册版的功能。使用中未发生其他的暗桩。这就为暴破奠定了前提条件。我们知道软件注册成功后，一定会向系统某个文件写入注册信息，因为软件在启动的时候需要对软件是否已注册进行判断。所以，我们暴破一个软件更好的方法就是去了解软件在启动时是如何对注册信息进行验证的。大多的软件算法CALL至少要被两个CALL调用。一处是注册部分，另一个是软件启动时候，软件启动时判断保存的注册信息是否正确，一般仍会调用注册部分的算法CALL来验证注册信息是否正确。所以我们就在算法CALL上下断点：

00470F60  /$  6A FF       push -1                //OK 软件重启时在这里断下
00470F62  |.  68 602E5500 push 00552E60                      ;  SE 处理程序安装
00470F67  |.  64:A1 0000000>mov    eax, dword ptr fs:[0]
……
……

我们F8单步退出算法CALL后来到这里：

0044029E  |.  E8 BD0C0300 call 00470F60                      ; \BluffTit.00470F60
004402A3  |.  85C0       test eax, eax                      ;  退出算法CALL后来到这里
004402A5  |.  8BCE       mov    ecx, esi
004402A7    74 0C       je    short 004402B5                ;  这里修改为JMP即可暴破
004402A9  |.  68 18D55500 push 0055D518
004402AE  |.  E8 1D4E0300 call 004750D0
004402B3  |.  EB 06       jmp    short 004402BB
004402B5  |>  57          push edi

到此，我们就将软件暴破掉了。

Nisy · 发表于 2007-4-18 13:44:06

跟进CALL跟进：

00470F60  /$  6A FF       push -1
00470F62  |.  68 602E5500 push 00552E60                      ;  SE 处理程序安装
00470F67  |.  64:A1 0000000>mov    eax, dword ptr fs:[0]
00470F6D  |.  50          push eax
00470F6E  |.  64:8925 00000>mov    dword ptr fs:[0], esp
00470F75  |.  83EC 14    sub    esp, 14
00470F78  |.  53          push ebx
00470F79  |.  55          push ebp
00470F7A  |.  8B6C24 2C    mov    ebp, dword ptr [esp+2C]
00470F7E  |.  56          push esi
00470F7F  |.  57          push edi
00470F80  |.  83EC 08    sub    esp, 8
00470F83  |.  894C24 18    mov    dword ptr [esp+18], ecx
00470F87  |.  8BCC       mov    ecx, esp
00470F89  |.  896424 1C    mov    dword ptr [esp+1C], esp
00470F8D  |.  55          push ebp
00470F8E  |.  E8 5D3D0000 call 00474CF0                      ;  这个CALL取用户名
00470F93  |.  E8 18FCFFFF call 00470BB0
00470F98  |.  83C4 08    add    esp, 8
00470F9B  |.  84C0       test al, al
00470F9D  |.  74 18       je    short 00470FB7
00470F9F  |.  83C8 FF    or    eax, FFFFFFFF
00470FA2  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
00470FA6  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
00470FAD  |.  5F          pop    edi
00470FAE  |.  5E          pop    esi
00470FAF  |.  5D          pop    ebp
00470FB0  |.  5B          pop    ebx
00470FB1  |.  83C4 20    add    esp, 20
00470FB4  |.  C2 0C00    retn 0C
00470FB7  |>  8B7D 04    mov    edi, dword ptr [ebp+4]          ;  将KEY1的位数送入到EDI中
00470FBA  |.  85FF       test edi, edi
00470FBC  |.  7F 1A       jg    short 00470FD8
00470FBE  |.  B8 FEFFFFFF mov    eax, -2
00470FC3  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
00470FC7  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
00470FCE  |.  5F          pop    edi
00470FCF  |.  5E          pop    esi
00470FD0  |.  5D          pop    ebp
00470FD1  |.  5B          pop    ebx
00470FD2  |.  83C4 20    add    esp, 20
00470FD5  |.  C2 0C00    retn 0C
00470FD8  |>  8B5C24 38    mov    ebx, dword ptr [esp+38]
00470FDC  |.  8B43 04    mov    eax, dword ptr [ebx+4]
00470FDF  |.  85C0       test eax, eax
00470FE1  |.  7F 1A       jg    short 00470FFD
00470FE3  |.  B8 FDFFFFFF mov    eax, -3
00470FE8  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
00470FEC  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
00470FF3  |.  5F          pop    edi
00470FF4  |.  5E          pop    esi
00470FF5  |.  5D          pop    ebp
00470FF6  |.  5B          pop    ebx
00470FF7  |.  83C4 20    add    esp, 20
00470FFA  |.  C2 0C00    retn 0C
00470FFD  |>  8B4424 3C    mov    eax, dword ptr [esp+3C]
00471001  |.  8B48 04    mov    ecx, dword ptr [eax+4]
00471004  |.  85C9       test ecx, ecx
00471006  |.  7F 1A       jg    short 00471022
00471008  |.  B8 FCFFFFFF mov    eax, -4
0047100D  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
00471011  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
00471018  |.  5F          pop    edi
00471019  |.  5E          pop    esi
0047101A  |.  5D          pop    ebp
0047101B  |.  5B          pop    ebx
0047101C  |.  83C4 20    add    esp, 20
0047101F  |.  C2 0C00    retn 0C
00471022  |>  83FF 08    cmp    edi, 8                         ;  这里判断用户名是否大于或等于8 满足则跳走
00471025  |.  7D 1A       jge    short 00471041
00471027  |.  B8 FBFFFFFF mov    eax, -5
0047102C  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
00471030  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
00471037  |.  5F          pop    edi
00471038  |.  5E          pop    esi
00471039  |.  5D          pop    ebp
0047103A  |.  5B          pop    ebx
0047103B  |.  83C4 20    add    esp, 20
0047103E  |.  C2 0C00    retn 0C
00471041  |>  83FF 1E    cmp    edi, 1E                         ;  这里判断用户名是否小于或等与30位满足则跳走
00471044  |.  7E 1A       jle    short 00471060
00471046  |.  B8 FAFFFFFF mov    eax, -6
0047104B  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
0047104F  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
00471056  |.  5F          pop    edi
00471057  |.  5E          pop    esi
00471058  |.  5D          pop    ebp
00471059  |.  5B          pop    ebx
0047105A  |.  83C4 20    add    esp, 20
0047105D  |.  C2 0C00    retn 0C
00471060  |>  33F6       xor    esi, esi
00471062  |.  85FF       test edi, edi
00471064  |. /7E 13       jle    short 00471079
00471066  |> |56          /push esi
00471067  |. |8BCD       |mov    ecx, ebp
00471069  |. |E8 82440000 |call 004754F0                ;  关键CALL02 跟进（可认为这里是判断注册信息为何数值）
0047106E  |. |66:3D 2000 |cmp    ax, 20
00471072  |. |72 2B       |jb    short 0047109F          ;  AX数值小于20（16进制）则跳走
00471074  |. |46          |inc    esi                   ;  ESI记位加1
00471075  |. |3BF7       |cmp    esi, edi                ;  比较ESI和EDI（EDI中存放的就是我们的KEY1位数）
00471077  |.^|7C ED       \jl    short 00471066          ;  ESI小于EDI则跳走继续循环
00471079  |>  8B4424 10    mov    eax, dword ptr [esp+10]
0047107D  |.  8B7B 04    mov    edi, dword ptr [ebx+4]
00471080  |.  3B78 08    cmp    edi, dword ptr [eax+8]
00471083  |.  7D 34       jge    short 004710B9
00471085  |.  B8 F8FFFFFF mov    eax, -8
0047108A  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
0047108E  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
00471095  |.  5F          pop    edi
00471096  |.  5E          pop    esi
00471097  |.  5D          pop    ebp
00471098  |.  5B          pop    ebx
00471099  |.  83C4 20    add    esp, 20
0047109C  |.  C2 0C00    retn 0C
0047109F  |> \B8 F9FFFFFF mov    eax, -7
004710A4  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
004710A8  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
004710AF  |.  5F          pop    edi
004710B0  |.  5E          pop    esi
004710B1  |.  5D          pop    ebp
004710B2  |.  5B          pop    ebx
004710B3  |.  83C4 20    add    esp, 20
004710B6  |.  C2 0C00    retn 0C
004710B9  |>  3B78 0C    cmp    edi, dword ptr [eax+C]
004710BC  |.  7E 1A       jle    short 004710D8
004710BE  |.  B8 F7FFFFFF mov    eax, -9
004710C3  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
004710C7  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
004710CE  |.  5F          pop    edi
004710CF  |.  5E          pop    esi
004710D0  |.  5D          pop    ebp
004710D1  |.  5B          pop    ebx
004710D2  |.  83C4 20    add    esp, 20
004710D5  |.  C2 0C00    retn 0C
004710D8  |>  33F6       xor    esi, esi
004710DA  |.  85FF       test edi, edi
004710DC  |.  7E 1B       jle    short 004710F9
004710DE  |.  8BFF       mov    edi, edi
004710E0  |>  56          /push esi
004710E1  |.  8BCB       |mov    ecx, ebx
004710E3  |.  E8 08440000 |call 004754F0                ;  这里开始取KEY2 该CALL上方已跟过
004710E8  |.  66:3D 6100 |cmp    ax, 61
004710EC  |.  72 2F       |jb    short 0047111D          ;  下方还有很长的分析由于AX数值小于61 故这里便跳走
004710EE  |.  66:3D 7A00 |cmp    ax, 7A
004710F2  |.  77 43       |ja    short 00471137
004710F4  |.  46          |inc    esi
004710F5  |.  3BF7       |cmp    esi, edi
004710F7  |.^ 7C E7       \jl    short 004710E0
004710F9  |>  8B4C24 3C    mov    ecx, dword ptr [esp+3C]
004710FD  |.  8379 04 08 cmp    dword ptr [ecx+4], 8
00471101  |.  74 4E       je    short 00471151
00471103  |.  B8 F4FFFFFF mov    eax, -0C                ;  这里向EAX赋-0C的数值
00471108  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
0047110C  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
00471113  |.  5F          pop    edi
00471114  |.  5E          pop    esi
00471115  |.  5D          pop    ebp
00471116  |.  5B          pop    ebx
00471117  |.  83C4 20    add    esp, 20
0047111A  |.  C2 0C00    retn 0C
0047111D  |> \B8 F6FFFFFF mov    eax, -0A
00471122  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
00471126  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
0047112D  |.  5F          pop    edi
0047112E  |.  5E          pop    esi
0047112F  |.  5D          pop    ebp
00471130  |.  5B          pop    ebx
00471131  |.  83C4 20    add    esp, 20
00471134  |.  C2 0C00    retn 0C
00471137  |>  B8 F5FFFFFF mov    eax, -0B
0047113C  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
00471140  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
00471147  |.  5F          pop    edi
00471148  |.  5E          pop    esi
00471149  |.  5D          pop    ebp
0047114A  |.  5B          pop    ebx
0047114B  |.  83C4 20    add    esp, 20
0047114E  |.  C2 0C00    retn 0C
00471151  |>  33F6       xor    esi, esi
00471153  |>  8B4C24 3C    /mov    ecx, dword ptr [esp+3C]
00471157  |.  56          |push esi                            ;  这里的循环检测一下KEY3是否都为数字
00471158  |.  E8 93430000 |call 004754F0
0047115D  |.  66:3D 3000 |cmp    ax, 30
00471161  |.  72 61       |jb    short 004711C4
00471163  |.  66:3D 3900 |cmp    ax, 39
00471167  |.  77 75       |ja    short 004711DE
00471169  |.  46          |inc    esi
0047116A  |.  83FE 08    |cmp    esi, 8
0047116D  |.^ 7C E4       \jl    short 00471153
0047116F  |.  8B4C24 10    mov    ecx, dword ptr [esp+10]
00471173  |.  55          push ebp
00471174  |.  8D5424 18    lea    edx, dword ptr [esp+18]
00471178  |.  52          push edx
00471179  |.  E8 62F9FFFF call 00470AE0                      ;  关键CALL03：KEY2和KEY3的算法CALL
0047117E  |.  53          push ebx
0047117F  |.  8BC8       mov    ecx, eax
00471181  |.  C74424 30 000>mov    dword ptr [esp+30], 0
00471189  |.  E8 B23F0000 call 00475140                      : 比较KEY2的真假注册码
0047118E  |.  8AD8       mov    bl, al
00471190  |.  F6DB       neg    bl
00471192  |.  1ADB       sbb    bl, bl
00471194  |.  83CE FF    or    esi, FFFFFFFF
00471197  |.  8D4C24 14    lea    ecx, dword ptr [esp+14]
0047119B  |.  FEC3       inc    bl
0047119D  |.  897424 2C    mov    dword ptr [esp+2C], esi
004711A1  |.  E8 1A3E0000 call 00474FC0
004711A6  |.  84DB       test bl, bl
004711A8  |.  74 4E       je    short 004711F8                : 这里必须得跳跳走后验证KEY3
004711AA  |.  B8 F1FFFFFF mov    eax, -0F
004711AF  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
004711B3  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
004711BA  |.  5F          pop    edi
004711BB  |.  5E          pop    esi
004711BC  |.  5D          pop    ebp
004711BD  |.  5B          pop    ebx
004711BE  |.  83C4 20    add    esp, 20
004711C1  |.  C2 0C00    retn 0C
004711C4  |>  B8 F3FFFFFF mov    eax, -0D
004711C9  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
004711CD  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
004711D4  |.  5F          pop    edi
004711D5  |.  5E          pop    esi
004711D6  |.  5D          pop    ebp
004711D7  |.  5B          pop    ebx
004711D8  |.  83C4 20    add    esp, 20
004711DB  |.  C2 0C00    retn 0C
004711DE  |>  B8 F2FFFFFF mov    eax, -0E
004711E3  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
004711E7  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
004711EE  |.  5F          pop    edi
004711EF  |.  5E          pop    esi
004711F0  |.  5D          pop    ebp
004711F1  |.  5B          pop    ebx
004711F2  |.  83C4 20    add    esp, 20
004711F5  |.  C2 0C00    retn 0C
004711F8  |>  8B4C24 10    mov    ecx, dword ptr [esp+10]
004711FC  |.  55          push ebp                            ; /Arg2
004711FD  |.  8D4424 20    lea    eax, dword ptr [esp+20]       ; |
00471201  |.  50          push eax                            ; |Arg1
00471202  |.  E8 49F9FFFF call 00470B50                      ; 这又进去计算了一下KEY数值明码其实这里做的有些多余设可变量就可以
00471207  |.  8B4C24 3C    mov    ecx, dword ptr [esp+3C]
0047120B  |.  51          push ecx
0047120C  |.  8BC8       mov    ecx, eax
0047120E  |.  C74424 30 010>mov    dword ptr [esp+30], 1
00471216  |.  E8 253F0000 call 00475140
0047121B  |.  8AD8       mov    bl, al
0047121D  |.  F6DB       neg    bl
0047121F  |.  1ADB       sbb    bl, bl
00471221  |.  8D4C24 1C    lea    ecx, dword ptr [esp+1C]
00471225  |.  FEC3       inc    bl
00471227  |.  897424 2C    mov    dword ptr [esp+2C], esi
0047122B  |.  E8 903D0000 call 00474FC0
00471230  |.  8B4C24 24    mov    ecx, dword ptr [esp+24]
00471234  |.  F6DB       neg    bl
00471236  |.  5F          pop    edi
00471237  |.  5E          pop    esi
00471238  |.  5D          pop    ebp
00471239  |.  64:890D 00000>mov    dword ptr fs:[0], ecx
00471240  |.  1BDB       sbb    ebx, ebx
00471242  |.  83E3 F0    and    ebx, FFFFFFF0
00471245  |.  8BC3       mov    eax, ebx
00471247  |.  5B          pop    ebx
00471248  |.  83C4 20    add    esp, 20
0047124B  \.  C2 0C00    retn 0C

关键CALL02跟进：

004754F0  /$  8B4424 04    mov    eax, dword ptr [esp+4] ;  循环的次数送EAX（=KEY1位数-1）
004754F4  |.  85C0       test eax, eax
004754F6  |.  7C 0E       jl    short 00475506
004754F8  |.  3B41 04    cmp    eax, dword ptr [ecx+4] ;  与KEY1位数比较
004754FB  |.  7D 09       jge    short 00475506          ;  等于则跳走
004754FD  |.  8B09       mov    ecx, dword ptr [ecx]    ;  注册码送ECX（逐位去KEY1的16进制数值）
004754FF  |.  66:8B0441    mov    ax, word ptr [ecx+eax*2]  ;  ECX+EAX*2的值放AX中
00475503  |.  C2 0400    retn 4
00475506  |>  66:B8 3F00 mov    ax, 3F
0047550A  \.  C2 0400    retn 4

关键CALL03：KEY2和KEY3的算法CALL：

00470AE0  /$  51          push ecx
00470AE1  |.  8B4424 0C    mov    eax, dword ptr [esp+C]
00470AE5  |.  56          push esi
00470AE6  |.  50          push eax                            ; /Arg1
00470AE7  |.  8BF1       mov    esi, ecx                      ; |
00470AE9  |.  C74424 08 000>mov    dword ptr [esp+8], 0          ; |
00470AF1  |.  E8 CAFEFFFF call 004709C0                      ; \KEY3的算法CALL
00470AF6  |.  8BC8       mov    ecx, eax                      ;  将EAX数值（KEY3）送ECX中
00470AF8  |.  85C9       test ecx, ecx
00470AFA  |.  6A 00       push 0
00470AFC  |.  7F 17       jg    short 00470B15
00470AFE  |.  8B7424 10    mov    esi, dword ptr [esp+10]
00470B02  |.  68 18D55500 push 0055D518
00470B07  |.  8BCE       mov    ecx, esi
00470B09  |.  E8 B2420000 call 00474DC0
00470B0E  |.  8BC6       mov    eax, esi
00470B10  |.  5E          pop    esi
00470B11  |.  59          pop    ecx
00470B12  |.  C2 0800    retn 8
00470B15  |>  B8 D34D6210 mov    eax, 10624DD3
00470B1A  |.  F7E9       imul ecx
00470B1C  |.  C1FA 06    sar    edx, 6                         ;  算术右移6
00470B1F  |.  8BC2       mov    eax, edx
00470B21  |.  C1E8 1F    shr    eax, 1F                         ;  逻辑右移
00470B24  |.  03C2       add    eax, edx
00470B26  |.  99          cdq
00470B27  |.  B9 14000000 mov    ecx, 14
00470B2C  |.  F7F9       idiv ecx
00470B2E  |.  8B46 04    mov    eax, dword ptr [esi+4]
00470B31  |.  8B7424 10    mov    esi, dword ptr [esp+10]
00470B35  |.  8B0C90       mov    ecx, dword ptr [eax+edx*4]    ;  KEY2出现于ECX中（其实是一个内存地址）
00470B38  |.  51          push ecx
00470B39  |.  8BCE       mov    ecx, esi
00470B3B  |.  E8 80420000 call 00474DC0
00470B40  |.  8BC6       mov    eax, esi
00470B42  |.  5E          pop    esi
00470B43  |.  59          pop    ecx
00470B44  \.  C2 0800    retn 8

KEY3的算法CALL：

004709C0  /$  83EC 08    sub    esp, 8
004709C3  |.  53          push ebx
004709C4  |.  55          push ebp
004709C5  |.  8B6C24 14    mov    ebp, dword ptr [esp+14]
004709C9  |.  8B5D 04    mov    ebx, dword ptr [ebp+4]
004709CC  |.  83FB 08    cmp    ebx, 8
004709CF  |.  894C24 08    mov    dword ptr [esp+8], ecx
004709D3  |.  895C24 0C    mov    dword ptr [esp+C], ebx
004709D7  |.  7D 0B       jge    short 004709E4
004709D9  |.  5D          pop    ebp
004709DA  |.  83C8 FF    or    eax, FFFFFFFF
004709DD  |.  5B          pop    ebx
004709DE  |.  83C4 08    add    esp, 8
004709E1  |.  C2 0400    retn 4
004709E4  |>  83FB 1E    cmp    ebx, 1E
004709E7  |.  7E 0D       jle    short 004709F6
004709E9  |.  5D          pop    ebp
004709EA  |.  B8 FEFFFFFF mov    eax, -2
004709EF  |.  5B          pop    ebx
004709F0  |.  83C4 08    add    esp, 8
004709F3  |.  C2 0400    retn 4
004709F6  |>  56          push esi
004709F7  |.  57          push edi
004709F8  |.  33FF       xor    edi, edi
004709FA  |.  33F6       xor    esi, esi
004709FC  |.  85DB       test ebx, ebx
004709FE  |.  7E 1C       jle    short 00470A1C
00470A00  |>  56          /push esi
00470A01  |.  8BCD       |mov    ecx, ebp
00470A03  |.  E8 E84A0000 |call 004754F0
00470A08  |.  66:3D 2000 |cmp    ax, 20
00470A0C  |.  0F82 B3000000 |jb    00470AC5
00470A12  |.  0FB7C0       |movzx eax, ax
00470A15  |.  03F8       |add    edi, eax                      ;  将KEY1累加和（每位+已取位数*2）放EDI中
00470A17  |.  46          |inc    esi
00470A18  |.  3BF3       |cmp    esi, ebx
00470A1A  |.^ 7C E4       \jl    short 00470A00
00470A1C  |>  6A 05       push 5
00470A1E  |.  8BCD       mov    ecx, ebp
00470A20  |.  E8 CB4A0000 call 004754F0                      ;  得AX=50
00470A25  |.  8B4C24 10    mov    ecx, dword ptr [esp+10]
00470A29  |.  8B31       mov    esi, dword ptr [ecx]          ;  4D2
00470A2B  |.  0FB7C0       movzx eax, ax
00470A2E  |.  03C6       add    eax, esi                      ;  50+4D2
00470A30  |.  03C3       add    eax, ebx                      ;  EAX+自己的位数=52A
00470A32  |.  33F6       xor    esi, esi
00470A34  |.  85C0       test eax, eax
00470A36  |.  BB 01000000 mov    ebx, 1
00470A3B  |.  BD 02000000 mov    ebp, 2
00470A40  |.  7E 46       jle    short 00470A88
00470A42  |.  894424 10    mov    dword ptr [esp+10], eax
00470A46  |>  8B4C24 1C    /mov    ecx, dword ptr [esp+1C]       ;  KEY2位数
00470A4A  |.  56          |push esi
00470A4B  |.  E8 A04A0000 |call 004754F0
00470A50  |.  0FB7C0       |movzx eax, ax
00470A53  |.  8D142B       |lea    edx, dword ptr [ebx+ebp]
00470A56  |.  03D6       |add    edx, esi
00470A58  |.  0FAFD0       |imul edx, eax                      ;  乘法
00470A5B  |.  8B4424 14    |mov    eax, dword ptr [esp+14]
00470A5F  |.  03FA       |add    edi, edx                      ;  再累加到EDI中
00470A61  |.  46          |inc    esi
00470A62  |.  3BF0       |cmp    esi, eax
00470A64  |.  7C 02       |jl    short 00470A68
00470A66  |.  33F6       |xor    esi, esi
00470A68  |>  83C3 02    |add    ebx, 2
00470A6B  |.  83FB 16    |cmp    ebx, 16
00470A6E  |.  7E 05       |jle    short 00470A75
00470A70  |.  BB 02000000 |mov    ebx, 2
00470A75  |>  83C5 03    |add    ebp, 3
00470A78  |.  83FD 0B    |cmp    ebp, 0B
00470A7B  |.  7E 05       |jle    short 00470A82
00470A7D  |.  BD 03000000 |mov    ebp, 3
00470A82  |>  FF4C24 10    |dec    dword ptr [esp+10]
00470A86  |.^ 75 BE       \jnz    short 00470A46
00470A88  |>  8BC6       mov    eax, esi
00470A8A  |.  99          cdq                                     ;  双字扩展
00470A8B  |.  B9 0A000000 mov    ecx, 0A
00470A90  |.  F7F9       idiv ecx
00470A92  |.  81FF 80969800 cmp    edi, 989680                   ;  EDI与989680比较
00470A98  |.  7D 1F       jge    short 00470AB9                ;  大于或等于则跳走
00470A9A  |.  8D9B 00000000 lea    ebx, dword ptr [ebx]
00470AA0  |>  8D04BF       /lea    eax, dword ptr [edi+edi*4]    ;  算术运算
00470AA3  |.  8D3C42       |lea    edi, dword ptr [edx+eax*2]
00470AA6  |.  8D0413       |lea    eax, dword ptr [ebx+edx]
00470AA9  |.  99          |cdq
00470AAA  |.  B9 0A000000 |mov    ecx, 0A
00470AAF  |.  F7F9       |idiv ecx
00470AB1  |.  81FF 80969800 |cmp    edi, 989680                   ;  经过运算后在和EDI比较此时EDI=0185E338（16）=25551672（10）即为KEY3的值
00470AB7  |.^ 7C E7       \jl    short 00470AA0
00470AB9  |>  8BC7       mov    eax, edi
00470ABB  |.  5F          pop    edi
00470ABC  |.  5E          pop    esi
00470ABD  |.  5D          pop    ebp
00470ABE  |.  5B          pop    ebx
00470ABF  |.  83C4 08    add    esp, 8
00470AC2  |.  C2 0400    retn 4
00470AC5  |>  5F          pop    edi
00470AC6  |.  5E          pop    esi
00470AC7  |.  5D          pop    ebp
00470AC8  |.  B8 FDFFFFFF mov    eax, -3
00470ACD  |.  5B          pop    ebx
00470ACE  |.  83C4 08    add    esp, 8
00470AD1  \.  C2 0400    retn 4

KEY2查表可得：

0055FB7C                                     61 62 72 69             abri
0055FB8C  6B 6F 6F 73 00 00 00 00 6C 79 63 68 65 65 00 00  koos....lychee..
0055FB9C  6E 6F 70 61 6C 00 00 00 63 6F 63 6F 6E 75 74 00  nopal...coconut.
0055FBAC  6B 69 72 73 63 68 00 00 64 72 75 69 66 00 00 00  kirsch..druif...
0055FBBC  70 6C 75 6D 00 00 00 00 70 61 70 61 6A 61 00 00  plum....papaja..
0055FBCC  72 61 6D 62 6F 65 74 61 6E 00 00 00 66 72 61 69  ramboetan...frai
0055FBDC  73 65 00 00 6B 69 77 69 00 00 00 00 70 69 73 61  se..kiwi....pisa
0055FBEC  6E 67 00 00 6D 65 6C 6F 6E 00 00 00 70 69 6E 61  ng..melon...pina
0055FBFC  00 00 00 00 70 65 61 63 68 00 00 00 6D 61 6E 67  ....peach...mang
0055FC0C  6F 00 00 00 68 69 6D 62 65 65 72 00 70 6F 69 72  o...himbeer.poir
0055FC1C  65 00 00 00 6E 61 72 61 6E 6A 61 00 61 70 70 6C  e...naranja.appl
0055FC2C  65 00 00 00 45 72 72 6F 72 20 32 20 69 6E 20 52  e...Error 2 in R
0055FC3C  65 6F 72 64 65 72 20 4C 6F 63 61 6C 65 20 4C 69  eorder Locale Li
0055FC4C  73 74 00 00 45 72 72 6F 72 20 31 20 69 6E 20 52  st..Error 1 in R
0055FC5C  65 6F 72 64 65 72 20 4C 6F 63 61 6C 65 20 4C 69  eorder Locale Li
0055FC6C  73 74 00 00 45 72 72 6F 72 20 31 20 43 6F 6E 73  st..Error 1 Cons
0055FC7C  74 72 75 63 74 6F 72 20 4C 6F 63 61 6C 65 20 4C  tructor Locale L
0055FC8C  69 73 74 2C 20 62 65 67 69 6E 6E 69 6E 67 20 77  ist, beginning w
0055FC9C  69 74 68 20                                     ith

KEY1即用户名有不低于8位的限制,无奈我的ID就注册不了了,故暴之.
KEY2查表可得
KEY3用户名的几个简单加法乘法

算法不难,还是明码比较,KenGen已经放出来了.时间关系,有兴趣的朋友自己动手来做吧.软件难度中等,适合新手练手.

提供一组可用信息:

KEY1:ChinaPYG
KEY2:ramboetan
KEY3:25551672

哈哈,用这个软件做了一个3D效果的小东东.

何求 · 发表于 2007-4-18 14:57:09

这个不错，可以用来做教程．呵．我看主要是查表．呵

jjdg · 发表于 2007-4-18 16:58:40

就这个软件谈点想法：
1.peid查出来的oep是27a0，但是od脱出来的oep是001381D4，我用了好几种方法都是在这里了，所以peid的oep也不能尽信！对这个壳esp即可！
2.对MessageBoxW下断点输入key后，我这里的情况是f8出来不是在00451381 ，而是在00451443，不知道其他人是否相同？关于这点，如果Nisy有空，希望能够核实一下，谢谢！

Nisy · 发表于 2007-4-18 19:52:22

找OEP的话使用OEP Finder 这个工具～～

00451443 |. 8D4C24 58 lea ecx, dword ptr [esp+58] ; 退出该CALL后来到这里

我这里也送呀帖子上写的就是退出该CALL后来到这里：00451443 兄弟没注意倒这里哈～～

jjdg · 发表于 2007-4-18 20:53:01

哦
不好意思
光看到上面了：
我们F8单步，退出TETN后来到这里：

00451381 |. 6A 20 push 20

yunfeng · 发表于 2007-4-18 23:17:55

学习一下算法

小子贼野 · 发表于 2007-4-22 00:53:07

牛人,看来我要努力学习了~!

windtrace · 发表于 2007-4-24 13:41:02

学习一下思路，谢谢楼主

		自动登录	找回密码
密码			加入我们

[原创] BluffTitler DX9 6.10 简单分析

评分