- UID
- 4011
注册时间2005-10-27
阅读权限10
最后登录1970-1-1
周游历练
TA的每日心情 | 开心
2017-2-23 16:41 |
|---|
签到天数: 1 天 [LV.1]初来乍到
|
[转帖] 家庭财务精灵
【应用平台】Win9x, WinME, WinNT, Win2000, WinXP, Linux/Unix
【软件限制】时间限制
【破解声明】破解只是感兴趣,无其它目的。失误之处敬请诸位大侠赐教!
【破解工具】Pescan3.31,OllyDbg1.09,Wdasm8.93
========================================================================================
【分析过程】
用Pescan检查,无壳.反汇编,查找字串,很快就找到关键点,用OD载入!
任意填入序列号12345678和注册码13572468。
----------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00643611(U)
|
:0064362F 8B55FC mov edx, dword ptr [ebp-04]
:00643632 B8CC366400 mov eax, 006436CC
:00643637 E8E817DCFF call 00404E24
:0064363C 85C0 test eax, eax
:0064363E 7FD3 jg 00643613
:00643640 FF3584D36400 push dword ptr [0064D384]
:00643646 FF3580D36400 push dword ptr [0064D380]
:0064364C 8D4DF4 lea ecx, dword ptr [ebp-0C]
:0064364F B870D36400 mov eax, 0064D370
:00643654 8BD3 mov edx, ebx //序列号: 0x00bc614e
:00643656 E82D51F8FF call 005C8788 //关键call进入==> 1
:0064365B 8D55F0 lea edx, dword ptr [ebp-10]
:0064365E 8B45FC mov eax, dword ptr [ebp-04]
:00643661 E87A5DDCFF call 004093E0
:00643666 8B45F0 mov eax, dword ptr [ebp-10] //伪码13572468
:00643669 50 push eax
:0064366A 8D4DE8 lea ecx, dword ptr [ebp-18]
:0064366D 8D45F4 lea eax, dword ptr [ebp-0C]
:00643670 BA08000000 mov edx, 00000008
:00643675 E87240F8FF call 005C76EC //次call将激活码转换位ASCII码形式
:0064367A 8B45E8 mov eax, dword ptr [ebp-18]
:0064367D 8D55EC lea edx, dword ptr [ebp-14]
:00643680 E85B5DDCFF call 004093E0
:00643685 8B55EC mov edx, dword ptr [ebp-14] //激活码
:00643688 58 pop eax //激活码
:00643689 E89E15DCFF call 00404C2C
:0064368E 0F94C3 sete bl
:00643691 33C0 xor eax, eax
:00643693 5A pop edx
:00643694 59 pop ecx
:00643695 59 pop ecx
:00643696 648910 mov dword ptr fs:[eax], edx
:00643699 68BB366400 push 006436BB
------------------------------------call 1 ----------------------------------------------
* Referenced by a CALL at Address:
|
:005C8788 55 push ebp
:005C8789 8BEC mov ebp, esp
:005C878B 53 push ebx
:005C878C 56 push esi
:005C878D 57 push edi
:005C878E 8BD9 mov ebx, ecx
:005C8790 8BFA mov edi, edx
:005C8792 8BF0 mov esi, eax
:005C8794 66C703693C mov word ptr [ebx], 3C69
:005C8799 FF750C push [ebp+0C]
:005C879C FF7508 push [ebp+08]
:005C879F E8B4FEFFFF call 005C8658
:005C87A4 66894302 mov word ptr [ebx+02], ax
:005C87A8 897B04 mov dword ptr [ebx+04], edi
:005C87AB 8BD3 mov edx, ebx //序列号: 0x00bc614e
:005C87AD 8BC6 mov eax, esi
:005C87AF B101 mov cl, 01
:005C87B1 E8AEF7FFFF call 005C7F64 //算法call进入==> 2
:005C87B6 5F pop edi
:005C87B7 5E pop esi
:005C87B8 5B pop ebx
:005C87B9 5D pop ebp
:005C87BA C20800 ret 0008
-------------------------------------call 2 ---------------------------------------------
* Referenced by a CALL at Addresses:
|
:005C7F64 53 push ebx
:005C7F65 56 push esi
:005C7F66 57 push edi
:005C7F67 83C4E8 add esp, FFFFFFE8
:005C7F6A 884C2408 mov byte ptr [esp+08], cl
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005C7F07(C)
|
:005C7F6E 89542404 mov dword ptr [esp+04], edx
:005C7F72 890424 mov dword ptr [esp], eax
:005C7F75 8B442404 mov eax, dword ptr [esp+04]
:005C7F79 8B00 mov eax, dword ptr [eax]
:005C7F7B 8944240C mov dword ptr [esp+0C], eax
:005C7F7F 8B442404 mov eax, dword ptr [esp+04]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005C7F1D(C)
|
:005C7F83 8B4004 mov eax, dword ptr [eax+04]
:005C7F86 89442410 mov dword ptr [esp+10], eax
:005C7F8A C744241404000000 mov [esp+14], 00000004 //[esp+14]=00000004
:005C7F92 BE1C946400 mov esi, 0064941C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005C8030(C)
|
:005C7F97 8B54240C mov edx, dword ptr [esp+0C] //edx=0x00003c69
:005C7F9B 33C0 xor eax, eax
:005C7F9D 8A442408 mov al, byte ptr [esp+08]
:005C7FA1 8BD8 mov ebx, eax
:005C7FA3 03DB add ebx, ebx
:005C7FA5 8D1C5B lea ebx, dword ptr [ebx+2*ebx]
:005C7FA8 8B04DE mov eax, dword ptr [esi+8*ebx]
:005C7FAB 8B0C24 mov ecx, dword ptr [esp]
:005C7FAE 8B0C81 mov ecx, dword ptr [ecx+4*eax] //ecx=0x64d370
:005C7FB1 8B44DE04 mov eax, dword ptr [esi+8*ebx+04]
:005C7FB5 8B3C24 mov edi, dword ptr [esp]
:005C7FB8 8B0487 mov eax, dword ptr [edi+4*eax] //eax=0xd92da051
:005C7FBB 8B5CDE08 mov ebx, dword ptr [esi+8*ebx+08]
:005C7FBF 8B3C24 mov edi, dword ptr [esp]
:005C7FC2 8B1C9F mov ebx, dword ptr [edi+4*ebx] //ebx=0xb1a48361
----下面的eax ebx ecx 每次循环前是变化的,但是都是固定的参数,不随序列号变化-------
第 1 次循环前eax=0xd92da051 ebx=0xb1a48361 ecx=0x0064d370 edx=0x00003c69
第 2 次循环前eax=0xb1a48361 ebx=0xd92da051 ecx=0x91057ebe edx=循环后的eax
第 3 次循环前eax=0x91057ebe ebx=0x9f638ce6 ecx=0xd92da051 edx=循环后的eax
第 4 次循环前eax=0x9f638ce6 ebx=0x91057ebe ecx=0xb1a48361 edx=循环后的eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005C7F5E(C)
|--------------------------------call 2 算法开始----------------------------------
:005C7FC5 03D3 add edx, ebx //edx=edx+ebx
:005C7FC7 03DA add ebx, edx //ebx=ebx+edx
:005C7FC9 8BFA mov edi, edx //edi=edx
:005C7FCB C1EF07 shr edi, 07 //edi=edi逻辑右移0x7
:005C7FCE 33D7 xor edx, edi //edx=edx xor edi
:005C7FD0 03CA add ecx, edx //ecx=ecx+edx
:005C7FD2 03D1 add edx, ecx //edx=edx+ecx
:005C7FD4 8BF9 mov edi, ecx //edi=ecx
:005C7FD6 C1E70D shl edi, 0D //edi=edi << 0xd
:005C7FD9 33CF xor ecx, edi //ecx=ecx xor edi
:005C7FDB 03C1 add eax, ecx //eax=eax+ecx
:005C7FDD 03C8 add ecx, eax //ecx=ecx+eax
:005C7FDF 8BF8 mov edi, eax //edi=eax
:005C7FE1 C1EF11 shr edi, 11 //edi=edi >> 0x11
:005C7FE4 33C7 xor eax, edi //eax=eax xor edi
:005C7FE6 03D8 add ebx, eax //ebx=ebx+eax
:005C7FE8 03C3 add eax, ebx //eax=eax+ebx
:005C7FEA 8BFB mov edi, ebx //edi=ebx
:005C7FEC C1E709 shl edi, 09 //edi=edi << 0x9
:005C7FEF 33DF xor ebx, edi //ebx=ebx xor edi
:005C7FF1 03D3 add edx, ebx //edx=edx+ebx
:005C7FF3 03DA add ebx, edx //ebx=ebx+edx
:005C7FF5 8BFA mov edi, edx //edi=edx
:005C7FF7 C1EF03 shr edi, 03 //edi=edi >> 0x3
:005C7FFA 33D7 xor edx, edi //edx=edx xor edi
:005C7FFC 03CA add ecx, edx //ecx=ecx+edx
:005C7FFE 8BD1 mov edx, ecx //edx=ecx
:005C8000 C1E207 shl edx, 07 //edx=edx << 0x7
:005C8003 33CA xor ecx, edx //ecx=ecx xor edx
:005C8005 03C1 add eax, ecx //eax=eax+ecx
:005C8007 8BD3 mov edx, ebx //edx=ebx
:005C8009 C1EA0F shr edx, 0F //edx=edx >>0xf
:005C800C 33C2 xor eax, edx //eax=eax xor edx
:005C800E 03D8 add ebx, eax //ebx=ebx+eax
:005C8010 8BC3 mov eax, ebx //eax=ebx
:005C8012 C1E00B shl eax, 0B //eax=eax << 0xb
:005C8015 33D8 xor ebx, eax //ebx=ebx xor eax
:005C8017 8B442410 mov eax, dword ptr [esp+10] //eax=序列号
:005C801B 33C3 xor eax, ebx //eax=eax xor ebx
:005C801D 8B54240C mov edx, dword ptr [esp+0C] //edx=0x00003c69
:005C8021 89542410 mov dword ptr [esp+10], edx //[esp+10]=edx
:005C8025 8944240C mov dword ptr [esp+0C], eax //[esp+0c]=eax
:005C8029 83C60C add esi, 0000000C
:005C802C FF4C2414 dec [esp+14] //[esp+14]-1
:005C8030 0F8561FFFFFF jne 005C7F97 //不等于0继续循环
:005C8036 8B442404 mov eax, dword ptr [esp+04]
:005C803A 8B542410 mov edx, dword ptr [esp+10] //edx=激活码第一部分
:005C803E 8910 mov dword ptr [eax], edx
:005C8040 8B442404 mov eax, dword ptr [esp+04]
:005C8044 8B54240C mov edx, dword ptr [esp+0C] //edx=激活码第二部分
:005C8048 895004 mov dword ptr [eax+04], edx
:005C804B 83C418 add esp, 00000018
:005C804E 5F pop edi
:005C804F 5E pop esi
:005C8050 5B pop ebx
:005C8051 C3 ret
========================================================================================
【分析总结】
运算前 eax=0xd92da051 ebx=0xb1a48361 ecx=0x9f638ce6 edx=0x00003c69
h1=0xbc614e(序列号16进制) h2=0x00003c69
----------------------------------------------------------------------------------------
k1=edx+ebx k2=ebx+k1 k3=edx >> 0x7 k4=k1 xor k3
m1=ecx+k4 m2=k4+m1 m3=m1 << 0x0d m4=m1 xor m3
s1=eax+M4 s2=m4+s1 s3=s1 >> 0x11 s4=s1 xor s3
u1=k2+s4 u2=s4+u1 u3=u1 << 0x09 u4=u1 xor u3
f1=m2+u4 f2=u4+f1 f3=f1 >> 0x3 f4=f1 xor f3
g1=s2+f4 g2=g1 << 0x7 g3=g1 xor g2
l1=u2+g3 l2=f2 >> 0xf l3=l1 xor l2
n1=f2+l3 n2=n1 << 0xb n3=n1 xor n2
eax=h1 xor n3 h1=h2 h2=eax edx=h2
----------------------------------------------------------------------------------------
以上是算法的第一步,将以上计算再循环3遍(哎,作者也不累啊,我都转晕了)
第 1 次循环前eax=0xb1a48361 ebx=0xd92da051 ecx=0x91057ebe edx=h2(1)
第 2 次循环前eax=0x91057ebe ebx=0x9f638ce6 ecx=0xd92da051 edx=h2(2)
第 3 次循环前eax=0x9f638ce6 ebx=0x91057ebe ecx=0xb1a48361 edx=h2(3)
上面这些参数除edx外都是固定的.
--------------------------------------------------
经过循环运算后得出:
h1=20ed1b35 依次从后两位取得出351bed20 = 注册码第1部分.
h2=e35b8793 依次从后两位取得出93875be3 = 注册码第2部分.
两部分合起来就是注册码了.
一组可用的注册信息:
序列号:12345678
激活码:351BED2093875BE3
注册信息保存:REGISTRATION.DAT文件中
注册机:
中断地址:643688
中断次数:2
第一字节:58
指令长度:1
内存方式:EAX |
|
IP卡
发表于 2005-12-18 12:44:06
提升卡
置顶卡
变色卡
千斤顶
显身卡