【Title】WinCHM V2.51 algorithm analysis and TNT (patching) method
【Author】pentacle
【Author's e-mail】
【Author's homepage】
【Tools】OD
【Platform】WinXP
【Software】WinCHM V2.51
【Size】3M
【Download】http://www.softany.com/purchase.htm
【Protection】
【Description】WinCHM is an easy-to-use HTML help authoring tool. It helps you create Windows HTML Help systems more easily and quickly. WinCHM can not only create help files from start to finish but also convert existing HTML files to HTML Help (CHM).
WinCHM combines a WYSIWYG (What You See Is What You Get) HTML editor and a content tree view in one window. You can easily navigate the table of contents and insert or edit help topics without much fuss.
------------------------------------------------------------------------
【Cracking process】PEiD 0.93 reports nothing else (no packer), so without further ado, load it in OD.
Searching for the key strings leads here:
004B9E2E |. E8 EDADF4FF CALL winchm.00404C20
004B9E33 |. 74 0C JE SHORT winchm.004B9E41 ; jump if equal (to "Illegal registration code!")
004B9E35 |. B8 C49E4B00 MOV EAX,winchm.004B9EC4 ; ASCII "Thank you!"
004B9E3A |. E8 DDC3F7FF CALL winchm.0043621C
004B9E3F |. EB 0A JMP SHORT winchm.004B9E4B
004B9E41 |> B8 D89E4B00 MOV EAX,winchm.004B9ED8 ; ASCII "Illegal registration code!"
Scroll up:
004B9DA7 |. E8 AC6BF8FF CALL winchm.00440958
004B9DAC |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004B9DAF |. 8B86 08030000 MOV EAX,DWORD PTR DS:[ESI+308]
004B9DB5 |. E8 6A04FCFF CALL winchm.0047A224 ; read the registration name
004B9DBA |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004B9DBD |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004B9DC0 |. E8 0BEBF4FF CALL winchm.004088D0
004B9DC5 |. 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
004B9DC8 |. BA A49E4B00 MOV EDX,winchm.004B9EA4 ; ASCII "RegName"
004B9DCD |. 8BC3 MOV EAX,EBX
004B9DCF |. E8 A071F8FF CALL winchm.00440F74
004B9DD4 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004B9DD7 |. 50 PUSH EAX
004B9DD8 |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004B9DDB |. 8B86 0C030000 MOV EAX,DWORD PTR DS:[ESI+30C]
004B9DE1 |. E8 3E04FCFF CALL winchm.0047A224 ; read the registration code
004B9DE6 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
004B9DE9 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004B9DEC |. E8 DFEAF4FF CALL winchm.004088D0
004B9DF1 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] ; |
004B9DF4 |. B1 01 MOV CL,1 ; |
004B9DF6 |. 66:BA FE05 MOV DX,5FE ; |the CALL below transforms the registration code (key = 5FE)
004B9DFA |. E8 ADF9FFFF CALL winchm.004B97AC ; \winchm.004B97AC
004B9DFF |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004B9E02 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004B9E05 |. E8 02F8FFFF CALL winchm.004B960C ; converts the value computed by the CALL above to an ASCII string
004B9E0A |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
004B9E0D |. BA B49E4B00 MOV EDX,winchm.004B9EB4 ; ASCII "RegCode"
004B9E12 |. 8BC3 MOV EAX,EBX
004B9E14 |. E8 5B71F8FF CALL winchm.00440F74
004B9E19 |. 8BC3 MOV EAX,EBX
004B9E1B |. E8 D896F4FF CALL winchm.004034F8 ; algorithm comparison, key CALL
004B9E20 |. E8 13FAFFFF CALL winchm.004B9838
004B9E25 |. A1 84BB4D00 MOV EAX,DWORD PTR DS:[4DBB84]
004B9E2A |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B9E2C |. 33D2 XOR EDX,EDX
004B9E2E |. E8 EDADF4FF CALL winchm.00404C20
004B9E33 |. 74 0C JE SHORT winchm.004B9E41
First, the algorithm inside the CALL that transforms the registration code:
004B9DF4 |. B1 01 MOV CL,1 ; |
004B9DF6 |. 66:BA FE05 MOV DX,5FE ; |the CALL below transforms the registration code (key = 5FE)
004B9DFA |. E8 ADF9FFFF CALL winchm.004B97AC ; \winchm.004B97AC
Inside the CALL:
004B97AC /$ 55 PUSH EBP
004B97AD |. 8BEC MOV EBP,ESP
004B97AF |. 83C4 F8 ADD ESP,-8
004B97B2 |. 53 PUSH EBX
004B97B3 |. 56 PUSH ESI
004B97B4 |. 57 PUSH EDI
004B97B5 |. 884D FB MOV BYTE PTR SS:[EBP-5],CL
004B97B8 |. 8BFA MOV EDI,EDX
004B97BA |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004B97BD |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
004B97C0 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B97C3 |. E8 80ADF4FF CALL winchm.00404548
004B97C8 |. 8BD0 MOV EDX,EAX
004B97CA |. 8BC6 MOV EAX,ESI
004B97CC |. E8 03B1F4FF CALL winchm.004048D4
004B97D1 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B97D4 |. E8 6FAFF4FF CALL winchm.00404748
004B97D9 |. 8BD8 MOV EBX,EAX
004B97DB |. 8BC6 MOV EAX,ESI
004B97DD |. E8 BEAFF4FF CALL winchm.004047A0
004B97E2 |. 8BF0 MOV ESI,EAX
004B97E4 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B97E7 |. E8 5CADF4FF CALL winchm.00404548
004B97EC |. 85C0 TEST EAX,EAX
004B97EE |. 7E 3F JLE SHORT winchm.004B982F
004B97F0 |> 0FB7D7 /MOVZX EDX,DI ; the registration code is transformed byte by byte into [ESI]; the transform is reversible (see the CL=0 branch below)
004B97F3 |. C1EA 08 |SHR EDX,8 ; shift right by 8: EDX = key >> 8
004B97F6 |. 3213 |XOR DL,BYTE PTR DS:[EBX] ; DL ^= the current input byte at [EBX]
004B97F8 |. 8816 |MOV BYTE PTR DS:[ESI],DL
004B97FA |. 807D FB 00 |CMP BYTE PTR SS:[EBP-5],0
004B97FE |. 74 17 |JE SHORT winchm.004B9817
004B9800 |. 81E2 FF000000 |AND EDX,0FF
004B9806 |. 66:03FA |ADD DI,DX ; DI = DI + DX (key += output byte)
004B9809 |. 66:69D7 540D |IMUL DX,DI,0D54 ; DX = DI * D54
004B980E |. 66:81C2 3422 |ADD DX,2234 ; DX = DX + 2234
004B9813 |. 8BFA |MOV EDI,EDX
004B9815 |. EB 13 |JMP SHORT winchm.004B982A
004B9817 |> 33D2 |XOR EDX,EDX ; reverse (decrypt) branch: the key is advanced with the input byte instead
004B9819 |. 8A13 |MOV DL,BYTE PTR DS:[EBX]
004B981B |. 66:03FA |ADD DI,DX
004B981E |. 66:69D7 540D |IMUL DX,DI,0D54
004B9823 |. 66:81C2 3422 |ADD DX,2234
004B9828 |. 8BFA |MOV EDI,EDX
004B982A |> 46 |INC ESI
004B982B |. 43 |INC EBX
004B982C |. 48 |DEC EAX
004B982D |.^ 75 C1 \JNZ SHORT winchm.004B97F0
004B982F |> 5F POP EDI
004B9830 |. 5E POP ESI
004B9831 |. 5B POP EBX
004B9832 |. 59 POP ECX
004B9833 |. 59 POP ECX
004B9834 |. 5D POP EBP
004B9835 \. C2 0400 RETN 4
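The routine at 004B97AC, modelled in Python as an added example (this is my reconstruction from the listing above, not code from the original post). Both branches of the loop are kept: with CL=1 the 16-bit key is advanced with the output byte (encrypt), with CL=0 with the input byte (decrypt), which is exactly why the author notes the transform can be reversed. The key 0x5FE, multiplier 0xD54 and addend 0x2234 come from the listing; the function names are mine. The loop has the shape of the well-known Delphi Encrypt/Decrypt sample routine, here with its own constants.

```python
# Added example: Python model of the byte transform at 004B97AC in WinCHM 2.51,
# reconstructed from the OllyDbg listing (not code from the original post).
C1 = 0x0D54      # IMUL DX,DI,0D54
C2 = 0x2234      # ADD DX,2234
KEY = 0x05FE     # MOV DX,5FE before CALL 004B97AC (assumed constant for this dialog)


def _advance(key: int, fed_byte: int) -> int:
    """DI = (DI + byte) * C1 + C2, truncated to 16 bits (all three ops are 16-bit)."""
    return ((key + fed_byte) * C1 + C2) & 0xFFFF


def transform(data: bytes, encrypt: bool, key: int = KEY) -> bytes:
    """One pass of the loop at 004B97F0.

    encrypt=True  models CL=1: out = in ^ (key >> 8); key advanced with the OUTPUT byte.
    encrypt=False models CL=0: same XOR, key advanced with the INPUT byte,
    which makes it the exact inverse of the CL=1 pass.
    """
    out = bytearray()
    for b in data:
        c = b ^ (key >> 8)                 # MOVZX EDX,DI / SHR EDX,8 / XOR DL,[EBX]
        out.append(c)                      # MOV BYTE PTR [ESI],DL
        key = _advance(key, c if encrypt else b)
    return bytes(out)


def encrypt(data: bytes, key: int = KEY) -> bytes:
    return transform(data, True, key)


def decrypt(data: bytes, key: int = KEY) -> bytes:
    return transform(data, False, key)


if __name__ == "__main__":
    code = b"12345678901234567890ABPH"    # the author's test code, used as sample input
    enc = encrypt(code)
    assert decrypt(enc) == code
    print(enc.hex())
```

The value written under "RegCode" is this output after the string conversion at 004B960C, whose format the listing does not show, so the model stops at the raw bytes.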
Keep tracing in OD:
004B9E19 |. 8BC3 MOV EAX,EBX
004B9E1B |. E8 D896F4FF CALL winchm.004034F8 ; algorithm comparison, key CALL
Step into it and trace down. (Going by the addresses, the block that follows, 004B9969 to 004B999C, lies inside the routine at 004B9838, which is called at 004B9E20 right after this CALL.)
004B9969 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
004B996C . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
004B996F . 5A POP EDX
004B9970 . E8 77FAFFFF CALL winchm.004B93EC ; key CALL
004B9975 . 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
004B9978 . A1 84BB4D00 MOV EAX,DWORD PTR DS:[4DBB84]
004B997D . E8 66B1F4FF CALL winchm.00404AE8
004B9982 . A1 84BB4D00 MOV EAX,DWORD PTR DS:[4DBB84]
004B9987 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B9989 . 33D2 XOR EDX,EDX
004B998B . E8 90B2F4FF CALL winchm.00404C20
004B9990 . 75 16 JNZ SHORT winchm.004B99A8 ; registered or not
004B9992 . A1 80BD4D00 MOV EAX,DWORD PTR DS:[4DBD80]
004B9997 . BA 009A4B00 MOV EDX,winchm.004B9A00 ; UNICODE " [Unregistered]"
004B999C . E8 73B1F4FF CALL winchm.00404B14
Step into the key CALL; this is where it gets interesting:
004B93EC /$ 55 PUSH EBP
004B93ED |. 8BEC MOV EBP,ESP
004B93EF |. 6A 00 PUSH 0
004B93F1 |. 6A 00 PUSH 0
004B93F3 |. 6A 00 PUSH 0
004B93F5 |. 6A 00 PUSH 0
004B93F7 |. 6A 00 PUSH 0
004B93F9 |. 6A 00 PUSH 0
004B93FB |. 6A 00 PUSH 0
004B93FD |. 53 PUSH EBX
004B93FE |. 8BD9 MOV EBX,ECX
004B9400 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
004B9403 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004B9406 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B9409 |. E8 2AB3F4FF CALL winchm.00404738
004B940E |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004B9411 |. E8 22B3F4FF CALL winchm.00404738
004B9416 |. 33C0 XOR EAX,EAX
004B9418 |. 55 PUSH EBP
004B9419 |. 68 B3954B00 PUSH winchm.004B95B3
004B941E |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004B9421 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B9424 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004B9427 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004B942A |. E8 F1AEF4FF CALL winchm.00404320
004B942F |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004B9432 |. E8 11B1F4FF CALL winchm.00404548
004B9437 |. 83F8 14 CMP EAX,14
004B943A |. 75 34 JNZ SHORT winchm.004B9470
004B943C |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004B943F |. E8 84F8FFFF CALL winchm.004B8CC8
004B9444 |. 81FA 99020000 CMP EDX,299
004B944A |. 75 18 JNZ SHORT winchm.004B9464
004B944C |. 3D 5BA60EF9 CMP EAX,F90EA65B
004B9451 |. 75 11 JNZ SHORT winchm.004B9464
004B9453 |. 8BC3 MOV EAX,EBX ; this is part of the algorithm too, but I didn't trace it; between Single-user and Site License I naturally want the better one
004B9455 |. BA C8954B00 MOV EDX,winchm.004B95C8 ; ASCII "Single-user License"
004B945A |. E8 7DAEF4FF CALL winchm.004042DC ; if this passes, it is the Single-user license
004B945F |. E9 34010000 JMP winchm.004B9598
004B9464 |> 8BC3 MOV EAX,EBX
004B9466 |. E8 1DAEF4FF CALL winchm.00404288
004B946B |. E9 28010000 JMP winchm.004B9598
004B9470 |> 83F8 1D CMP EAX,1D
004B9473 |. 0F85 A1000000 JNZ winchm.004B951A
004B9479 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004B947C |. 50 PUSH EAX
004B947D |. B9 13000000 MOV ECX,13
004B9482 |. BA 01000000 MOV EDX,1
004B9487 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004B948A |. E8 ED12F8FF CALL winchm.0043A77C
004B948F |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004B9492 |. 50 PUSH EAX
004B9493 |. B9 04000000 MOV ECX,4
004B9498 |. BA 15000000 MOV EDX,15
004B949D |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004B94A0 |. E8 D712F8FF CALL winchm.0043A77C
004B94A5 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004B94A8 |. 50 PUSH EAX
004B94A9 |. B9 04000000 MOV ECX,4
004B94AE |. BA 1A000000 MOV EDX,1A
004B94B3 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004B94B6 |. E8 C112F8FF CALL winchm.0043A77C
004B94BB |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004B94BE |. E8 05F8FFFF CALL winchm.004B8CC8
004B94C3 |. 81FA 0A010000 CMP EDX,10A
004B94C9 |. 75 46 JNZ SHORT winchm.004B9511
004B94CB |. 3D 987406DE CMP EAX,DE067498
004B94D0 |. 75 3F JNZ SHORT winchm.004B9511
004B94D2 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004B94D5 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B94D8 |. E8 DBFDFFFF CALL winchm.004B92B8
004B94DD |. 84C0 TEST AL,AL
004B94DF |. 74 24 JE SHORT winchm.004B9505
004B94E1 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004B94E4 |. E8 A3F8FFFF CALL winchm.004B8D8C
004B94E9 |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004B94EC |. E8 CBF7F4FF CALL winchm.00408CBC
004B94F1 |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
004B94F4 |. 8BC3 MOV EAX,EBX
004B94F6 |. B9 E4954B00 MOV ECX,winchm.004B95E4 ; ASCII "-user License"
004B94FB |. E8 94B0F4FF CALL winchm.00404594
004B9500 |. E9 93000000 JMP winchm.004B9598
004B9505 |> 8BC3 MOV EAX,EBX
004B9507 |. E8 7CADF4FF CALL winchm.00404288
004B950C |. E9 87000000 JMP winchm.004B9598
004B9511 |> 8BC3 MOV EAX,EBX
004B9513 |. E8 70ADF4FF CALL winchm.00404288
004B9518 |. EB 7E JMP SHORT winchm.004B9598
004B951A |> 83F8 18 CMP EAX,18 ; is the registration code 24 characters long?
004B951D |. 75 72 JNZ SHORT winchm.004B9591
004B951F |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004B9522 |. 50 PUSH EAX
004B9523 |. B9 13000000 MOV ECX,13
004B9528 |. BA 01000000 MOV EDX,1
004B952D |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004B9530 |. E8 4712F8FF CALL winchm.0043A77C
004B9535 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004B9538 |. 50 PUSH EAX
004B9539 |. B9 04000000 MOV ECX,4
004B953E |. BA 15000000 MOV EDX,15
004B9543 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
004B9546 |. E8 3112F8FF CALL winchm.0043A77C ; split the code: the first 19 characters and the last 4
004B954B |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004B954E |. E8 75F7FFFF CALL winchm.004B8CC8 ; this CALL hashes the first 19 characters of the code; the result is returned in EDX:EAX
004B9553 81FA CE000000 CMP EDX,0CE ; 1st condition: EDX = E6. TNT patch #1: change 0E6 to 0CE
004B9559 |. 75 2D JNZ SHORT winchm.004B9588
004B955B 3D F6E99068 CMP EAX,6890E9F6 ; 2nd condition: EAX = 31161748. TNT patch #2: change it to 6890E9F6
004B9560 |. 75 26 JNZ SHORT winchm.004B9588
004B9562 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004B9565 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B9568 |. E8 4BFDFFFF CALL winchm.004B92B8 ; checks the last 4 characters of the registration code
004B956D |. 84C0 TEST AL,AL
004B956F |. 74 0E JE SHORT winchm.004B957F ; if it does not jump, registration succeeds
004B9571 |. 8BC3 MOV EAX,EBX
004B9573 |. BA FC954B00 MOV EDX,winchm.004B95FC ; ASCII "Site License"
004B9578 |. E8 5FADF4FF CALL winchm.004042DC ; Site License registered
004B957D |. EB 19 JMP SHORT winchm.004B9598
004B957F |> 8BC3 MOV EAX,EBX
004B9581 |. E8 02ADF4FF CALL winchm.00404288
004B9586 |. EB 10 JMP SHORT winchm.004B9598
004B9588 |> 8BC3 MOV EAX,EBX
004B958A |. E8 F9ACF4FF CALL winchm.00404288
004B958F |. EB 07 JMP SHORT winchm.004B9598
004B9591 |> 8BC3 MOV EAX,EBX
004B9593 |. E8 F0ACF4FF CALL winchm.00404288
004B9598 |> 33C0 XOR EAX,EAX
004B959A |. 5A POP EDX
004B959B |. 59 POP ECX
004B959C |. 59 POP ECX
004B959D |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004B95A0 |. 68 BA954B00 PUSH winchm.004B95BA
004B95A5 |> 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004B95A8 |. BA 07000000 MOV EDX,7
004B95AD |. E8 FAACF4FF CALL winchm.004042AC
004B95B2 \. C3 RETN
Now step in and trace the algorithm for the last 4 characters of the Site License code:
004B9323 |. BB 01000000 MOV EBX,1
004B9328 |> 8B45 F4 /MOV EAX,DWORD PTR SS:[EBP-C] ; sum of the registration name's ASCII values, each times 2
004B932B |. 0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]
004B9330 |. 03C0 |ADD EAX,EAX
004B9332 |. 33D2 |XOR EDX,EDX
004B9334 |. 0345 E8 |ADD EAX,DWORD PTR SS:[EBP-18]
004B9337 |. 1355 EC |ADC EDX,DWORD PTR SS:[EBP-14]
004B933A |. 8945 E8 |MOV DWORD PTR SS:[EBP-18],EAX
004B933D |. 8955 EC |MOV DWORD PTR SS:[EBP-14],EDX
004B9340 |. 43 |INC EBX
004B9341 |. 49 |DEC ECX
004B9342 |.^ 75 E4 \JNZ SHORT winchm.004B9328
004B9344 |> 6A 00 PUSH 0
004B9346 |. 68 409C0000 PUSH 9C40
004B934B |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
004B934E |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004B9351 |. E8 AABFF4FF CALL winchm.00405300
004B9356 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
004B9359 |. 8955 EC MOV DWORD PTR SS:[EBP-14],EDX
004B935C |. BB 04000000 MOV EBX,4
004B9361 |> 6A 00 /PUSH 0 ; computes the last 4 characters of the code; they are in the clear
004B9363 |. 6A 1A |PUSH 1A
004B9365 |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
004B9368 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
004B936B |. E8 90BFF4FF |CALL winchm.00405300
004B9370 |. 83C0 41 |ADD EAX,41
004B9373 |. 83D2 00 |ADC EDX,0
004B9376 |. 8BD0 |MOV EDX,EAX
004B9378 |. 8D45 DC |LEA EAX,DWORD PTR SS:[EBP-24]
004B937B |. E8 F0B0F4FF |CALL winchm.00404470
004B9380 |. 8B55 DC |MOV EDX,DWORD PTR SS:[EBP-24]
004B9383 |. 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C]
004B9386 |. 8B4D E4 |MOV ECX,DWORD PTR SS:[EBP-1C]
004B9389 |. E8 06B2F4FF |CALL winchm.00404594
004B938E |. 6A 00 |PUSH 0
004B9390 |. 6A 1A |PUSH 1A
004B9392 |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18]
004B9395 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
004B9398 |. E8 E7BEF4FF |CALL winchm.00405284
004B939D |. 8945 E8 |MOV DWORD PTR SS:[EBP-18],EAX
004B93A0 |. 8955 EC |MOV DWORD PTR SS:[EBP-14],EDX
004B93A3 |. 4B |DEC EBX
004B93A4 |.^ 75 BB \JNZ SHORT winchm.004B9361
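The suffix check, modelled in Python as an added example (my reconstruction from the listing, not code from the original post). The loop at 004B9328 adds 2 * ASCII of every name character into a 64-bit accumulator; judging by their arguments (0x9C40, then 0x1A with ADD EAX,41 = 'A'), the RTL calls at 00405300 and 00405284 are 64-bit modulo and division, so the suffix is (acc mod 40000) written as four base-26 letters, each new letter placed in front (the call at 00404594 receives the new character first). Two things the listing does not show are marked as assumptions in the code: the accumulator's starting value and the loop count are set before 004B9323, and the hash of the first 19 characters at 004B8CC8 is not reconstructed, so the checker validates only the suffix. Cross-checking against the author's own pair at the end of the post: 2 * sum('penta') = 1072 encodes to ABPG, while ABPH decodes to 1073, so the visible loop leaves one unit unaccounted for; the `seed` parameter stands in for that unknown rather than hiding it.

```python
# Added example: model of the Site License suffix check in WinCHM 2.51
# (004B92B8 / loop at 004B9323), reconstructed from the listing; not the post's code.
MASK64 = (1 << 64) - 1
CAP = 0x9C40          # PUSH 9C40 : first 64-bit modulo (40000)
BASE = 0x1A           # PUSH 1A   : 26 letters
ALPHA = 0x41          # ADD EAX,41 : 'A'
SUFFIX_LEN = 4        # MOV EBX,4
HASHED_LEN = 0x13     # Copy(code, 1, 13h): 19 characters fed to 004B8CC8
SUFFIX_POS = 0x15     # Copy(code, 15h, 4): 1-based position of the suffix
SITE_CODE_LEN = 0x18  # CMP EAX,18


def name_accumulator(name: bytes, seed: int = 0) -> int:
    """Loop at 004B9328: acc += 2 * byte per name character (64-bit ADD/ADC).
    `seed` is an assumption: the accumulator's initial value is set before
    004B9323 and is not in the listing; 0 is assumed unless told otherwise."""
    acc = seed
    for b in name:
        acc = (acc + 2 * b) & MASK64
    return acc


def suffix_from_value(value: int) -> str:
    """004B9344..004B93A4: value mod 40000, then four base-26 letters, newest first."""
    value %= CAP
    suffix = ""
    for _ in range(SUFFIX_LEN):
        suffix = chr(ALPHA + value % BASE) + suffix   # CALL 00404594: new char + old string
        value //= BASE
    return suffix


def suffix_to_value(suffix: str) -> int:
    """Inverse of suffix_from_value, for cross-checking a known-good key."""
    value = 0
    for ch in suffix:
        value = value * BASE + (ord(ch) - ALPHA)
    return value


def split_site_code(code: str) -> tuple:
    """004B951A..004B9546: 24-char code -> (19 chars for the hash, 4-char suffix).
    Character 20 belongs to neither slice."""
    if len(code) != SITE_CODE_LEN:
        raise ValueError("Site License code must be 24 characters")
    start = SUFFIX_POS - 1
    return code[:HASHED_LEN], code[start:start + SUFFIX_LEN]


def suffix_matches(name: bytes, code: str, seed: int = 0) -> bool:
    """The part of 004B92B8 visible on the page: does the suffix fit the name?
    The 19-character hash (004B8CC8) is not modelled."""
    _, suffix = split_site_code(code)
    return suffix_from_value(name_accumulator(name, seed)) == suffix


if __name__ == "__main__":
    name, code = b"penta", "12345678901234567890ABPH"   # the author's pair
    hashed, suffix = split_site_code(code)
    print(name_accumulator(name), suffix_to_value(suffix))   # shows the one-unit gap
```

Running it with the author's pair is the check worth doing before trusting any keygen derived from this listing: if the two printed numbers differ, the visible code is not the whole story.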
Some parts of the algorithm are still not fully analysed.
But after the two TNT patches above, the check is bypassed (the two patched CMP lines are shown as they read after editing, which is consistent with their missing "|." analysis marks).
With the TNT patches applied, the following name and code can be used:
Registration name: penta
Registration code: 12345678901234567890ABPH (24 characters: the first 19 feed the hash at 004B8CC8, character 20 is skipped, and the last 4, ABPH, are the name-derived suffix checked at 004B92B8)
I won't bother computing the Single-user one.
I'll analyse this thing properly when I have some free time.
------------------------------------------------------------------------
【Summary】I'm just a little bird~~~
------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange. If you repost it, please credit the author and keep the article intact. Thanks!
[ Last edited by pentacle on 2005-10-15 at 10:36 AM ]