【Title】MoneyKeeper 2.53 registration algorithm analysis
【Author】pentacle[PYG]
【Author email】
【Author homepage】www.chinapyg.com
【Tools】OllyDbg (Chinese edition 2), PEiD
【Platform】XP
【Software】MoneyKeeper 2.53
【Size】1009KB
【Download】http://yncnc.onlinedown.net/soft/19389.htm
【Protection】registration code
【Description】If you want to track all of your day-to-day expenditure and income, please try MoneyKeeper.
A simple, easy-to-use but powerful software.
With MoneyKeeper, you can manage your finances smarter, faster and spend time wisely; you can also take care of your personal and home or small business finances. Faster.
MoneyKeeper is the ultimate personal and home finance solution that will help you secure your financial future.
Its automated features, like getting account balances and transactions from your bank and auto-categorization of spending, help simplify your life by showing you how much you have and how much you're spending. MoneyKeeper makes it easy to keep tabs on areas that matter to you, like dining out and groceries.
------------------------------------------------------------------------
【Cracking process】1. Check the packer
ASPack 2.11 -> Alexey Solodovnikov
Manual unpacking is easy, so I won't cover it here; if you can't do it by hand, use an unpacker.
Checking again after unpacking: Microsoft Visual C++ 6.0
2. Registration analysis
After running it, the program asks you to restart to verify the registration.
Analysis shows the registration info is stored in setting.ini, where
RegCode=pentacle[PYG] ===> registration name
RegPass=789789 ===> registration code (a fake one, of course)
Load it in OD and search for strings.
Search for RegCode, set a breakpoint on every hit, and press F9 to run.
We break at 00468910
00468910 /$ 6A FF PUSH -1 ; registration check
00468912 |. 68 63115400 PUSH _EMoneyK.00541163 ; SE handler installation
00468917 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0046891D |. 50 PUSH EAX
0046891E |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00468925 |. 83EC 78 SUB ESP,78
00468928 |. B8 01000000 MOV EAX,1
0046892D |. 55 PUSH EBP
0046892E |. 8BE8 MOV EBP,EAX
00468930 |. 894424 28 MOV DWORD PTR SS:[ESP+28],EAX ; 1
00468934 |. 894424 34 MOV DWORD PTR SS:[ESP+34],EAX ; 1
00468938 |. A1 70CC5800 MOV EAX,DWORD PTR DS:[58CC70]
0046893D |. 56 PUSH ESI
0046893E |. 8B35 C4F25400 MOV ESI,DWORD PTR DS:[<&KERNEL32.GetPriv>; kernel32.GetPrivateProfileStringA
00468944 |. 50 PUSH EAX ; /IniFileName => "H:\Program Files\MoneyKeeper\Setting.ini"
00468945 |. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20] ; |
00468949 |. 6A 0B PUSH 0B ; |BufSize = B (11.)
0046894B |. 51 PUSH ECX ; |ReturnBuffer
0046894C |. 68 205B5800 PUSH _EMoneyK.00585B20 ; |0000000000
00468951 |. 68 185B5800 PUSH _EMoneyK.00585B18 ; |regcode
00468956 |. 68 0C5B5800 PUSH _EMoneyK.00585B0C ; |reguserinfo
0046895B |. C74424 40 080>MOV DWORD PTR SS:[ESP+40],8 ; |
00468963 |. C74424 48 000>MOV DWORD PTR SS:[ESP+48],0 ; |
0046896B |. C74424 4C 060>MOV DWORD PTR SS:[ESP+4C],6 ; |
00468973 |. C74424 54 030>MOV DWORD PTR SS:[ESP+54],3 ; |
0046897B |. FFD6 CALL ESI ; \GetPrivateProfileStringA  read the registration name, only 10 characters are kept
0046897D |. 8B15 70CC5800 MOV EDX,DWORD PTR DS:[58CC70]
00468983 |. 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
00468987 |. 52 PUSH EDX ; /IniFileName => "H:\Program Files\MoneyKeeper\Setting.ini"
00468988 |. 6A 07 PUSH 7 ; |BufSize = 7
0046898A |. 50 PUSH EAX ; |ReturnBuffer
0046898B |. 68 045B5800 PUSH _EMoneyK.00585B04 ; |000000
00468990 |. 68 FC5A5800 PUSH _EMoneyK.00585AFC ; |regpass
00468995 |. 68 0C5B5800 PUSH _EMoneyK.00585B0C ; |reguserinfo
0046899A |. FFD6 CALL ESI ; \GetPrivateProfileStringA  read the registration code, only 6 characters are kept
0046899C |. 8B0D 10A85800 MOV ECX,DWORD PTR DS:[58A810] ; _EMoneyK.0058A824
004689A2 |. 894C24 08 MOV DWORD PTR SS:[ESP+8],ECX
004689A6 |. 8D5424 1C LEA EDX,DWORD PTR SS:[ESP+1C]
004689AA |. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
004689AE |. 52 PUSH EDX
004689AF |. 68 080A5800 PUSH _EMoneyK.00580A08 ; %s
004689B4 |. 50 PUSH EAX
004689B5 |. C78424 940000>MOV DWORD PTR SS:[ESP+94],0
004689C0 |. E8 5CAF0A00 CALL _EMoneyK.00513921
004689C5 |. 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
004689C9 |. 83C4 0C ADD ESP,0C
004689CC |. 8B41 F8 MOV EAX,DWORD PTR DS:[ECX-8]
004689CF |. 83F8 0A CMP EAX,0A ; check whether the registration name is 10 characters long; if not, it's over
004689D2 |. 74 2A JE SHORT _EMoneyK.004689FE
004689D4 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
004689D8 |. C78424 880000>MOV DWORD PTR SS:[ESP+88],-1
004689E3 |. E8 E6190B00 CALL _EMoneyK.0051A3CE
004689E8 |. 5E POP ESI
004689E9 |. 33C0 XOR EAX,EAX
004689EB |. 5D POP EBP
004689EC |. 8B4C24 78 MOV ECX,DWORD PTR SS:[ESP+78]
004689F0 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
004689F7 |. 81C4 84000000 ADD ESP,84
004689FD |. C3 RETN
004689FE |> 53 PUSH EBX
004689FF |. 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14]
00468A03 |. 6A 06 PUSH 6
00468A05 |. 52 PUSH EDX
00468A06 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00468A0A |. E8 45AB0A00 CALL _EMoneyK.00513554 ; blacklist check
00468A0F |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00468A11 |. 68 F45A5800 PUSH _EMoneyK.00585AF4 ; /123456
00468A16 |. 50 PUSH EAX ; |Arg1
00468A17 |. C68424 940000>MOV BYTE PTR SS:[ESP+94],1 ; |
00468A1F |. E8 9FA80900 CALL _EMoneyK.005032C3 ; \_EMoneyK.005032C3
00468A24 |. 83C4 08 ADD ESP,8
00468A27 |. 85C0 TEST EAX,EAX
00468A29 |. 74 4D JE SHORT _EMoneyK.00468A78 ; blacklisted, jump
00468A2B |. 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
00468A2F |. 6A 06 PUSH 6
00468A31 |. 50 PUSH EAX
00468A32 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00468A36 |. E8 19AB0A00 CALL _EMoneyK.00513554
00468A3B |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00468A3D |. 68 EC5A5800 PUSH _EMoneyK.00585AEC ; /844718
00468A42 |. 50 PUSH EAX ; |Arg1
00468A43 |. E8 7BA80900 CALL _EMoneyK.005032C3 ; \_EMoneyK.005032C3
00468A48 |. 83C4 08 ADD ESP,8
00468A4B |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
00468A4F |. 85C0 TEST EAX,EAX
00468A51 |. 0F94C3 SETE BL
00468A54 |. E8 75190B00 CALL _EMoneyK.0051A3CE
00468A59 |. 84DB TEST BL,BL
00468A5B |. 75 1B JNZ SHORT _EMoneyK.00468A78 ; blacklisted, jump
00468A5D |. 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
00468A61 |. 68 205B5800 PUSH _EMoneyK.00585B20 ; /0000000000
00468A66 |. 51 PUSH ECX ; |Arg1
00468A67 |. E8 57A80900 CALL _EMoneyK.005032C3 ; \_EMoneyK.005032C3
00468A6C |. 83C4 08 ADD ESP,8
00468A6F |. 85C0 TEST EAX,EAX
00468A71 |. 0F94C0 SETE AL
00468A74 |. 84C0 TEST AL,AL
00468A76 |. 74 02 JE SHORT _EMoneyK.00468A7A ; not blacklisted, jump and go on to the comparison
00468A78 |> B3 01 MOV BL,1
00468A7A |> 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00468A7E |. C68424 8C0000>MOV BYTE PTR SS:[ESP+8C],0
00468A86 |. E8 43190B00 CALL _EMoneyK.0051A3CE
00468A8B |. 84DB TEST BL,BL
00468A8D |. 5B POP EBX
00468A8E |. 74 2A JE SHORT _EMoneyK.00468ABA
00468A90 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
00468A94 |. C78424 880000>MOV DWORD PTR SS:[ESP+88],-1
00468A9F |. E8 2A190B00 CALL _EMoneyK.0051A3CE
00468AA4 |. 5E POP ESI
00468AA5 |. 33C0 XOR EAX,EAX
00468AA7 |. 5D POP EBP
00468AA8 |. 8B4C24 78 MOV ECX,DWORD PTR SS:[ESP+78]
00468AAC |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
00468AB3 |. 81C4 84000000 ADD ESP,84
00468AB9 |. C3 RETN
00468ABA |> 33C0 XOR EAX,EAX ; clear EAX
00468ABC |. 8D4C24 58 LEA ECX,DWORD PTR SS:[ESP+58]
00468AC0 |> 0FBE5404 1C /MOVSX EDX,BYTE PTR SS:[ESP+EAX+1C] ; take the registration name character by character
00468AC5 |. 83EA 30 |SUB EDX,30 ; EDX=EDX-30
00468AC8 |. 40 |INC EAX ; EAX += 1
00468AC9 |. 8911 |MOV DWORD PTR DS:[ECX],EDX ; store EDX at DS:[ECX]
00468ACB |. 83C1 04 |ADD ECX,4 ; ECX=ECX+4
00468ACE |. 83F8 06 |CMP EAX,6
00468AD1 |.^ 7C ED \JL SHORT _EMoneyK.00468AC0
00468AD3 |. 33C0 XOR EAX,EAX ; clear EAX
00468AD5 |. 8D4C24 40 LEA ECX,DWORD PTR SS:[ESP+40]
00468AD9 |> 0FBE5404 14 /MOVSX EDX,BYTE PTR SS:[ESP+EAX+14] ; take the registration code character by character
00468ADE |. 83EA 30 |SUB EDX,30
00468AE1 |. 40 |INC EAX
00468AE2 |. 8911 |MOV DWORD PTR DS:[ECX],EDX
00468AE4 |. 83C1 04 |ADD ECX,4
00468AE7 |. 83F8 06 |CMP EAX,6
00468AEA |.^ 7C ED \JL SHORT _EMoneyK.00468AD9
00468AEC |. 33C9 XOR ECX,ECX ; clear ECX
00468AEE |> 8B440C 58 /MOV EAX,DWORD PTR SS:[ESP+ECX+58] ; take each (registration name - 30) value
00468AF2 |. 8B740C 28 |MOV ESI,DWORD PTR SS:[ESP+ECX+28] ; take each (registration code - 30) value (actually one of the six constants; see the ESI values below)
00468AF6 |. 03C6 |ADD EAX,ESI ; EAX=EAX+ESI
00468AF8 |. 83F8 0A |CMP EAX,0A
00468AFB |. 72 03 |JB SHORT _EMoneyK.00468B00 ; below A: jump and compare directly
00468AFD |. 83E8 0A |SUB EAX,0A ; EAX=EAX-A
00468B00 |> 3B440C 40 |CMP EAX,DWORD PTR SS:[ESP+ECX+40]
00468B04 |. 74 02 |JE SHORT _EMoneyK.00468B08 ; equal: jump
00468B06 |. 33ED |XOR EBP,EBP ; clear EBP
00468B08 |> 83C1 04 |ADD ECX,4 ; ECX=ECX+4
00468B0B |. 83F9 18 |CMP ECX,18
00468B0E |.^ 7C DE \JL SHORT _EMoneyK.00468AEE
00468B10 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
00468B14 |. C78424 880000>MOV DWORD PTR SS:[ESP+88],-1
00468B1F |. E8 AA180B00 CALL _EMoneyK.0051A3CE
00468B24 |. 8B8C24 800000>MOV ECX,DWORD PTR SS:[ESP+80]
00468B2B |. 8BC5 MOV EAX,EBP ; EBP is the flag
00468B2D |. 5E POP ESI
00468B2E |. 5D POP EBP
00468B2F |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
00468B36 |. 81C4 84000000 ADD ESP,84
00468B3C \. C3 RETN
Now let's look at the value of ESI at 00468AF6 ADD EAX,ESI:
Pass 1: 8
Pass 2: 1
Pass 3: 0
Pass 4: 6
Pass 5: 1
Pass 6: 3
So where do these six values come from?
Reloading and analyzing shows they are set here:
00468930 |. 894424 28 MOV DWORD PTR SS:[ESP+28],EAX ; 1
00468934 |. 894424 34 MOV DWORD PTR SS:[ESP+34],EAX ; 1
0046895B |. C74424 40 080>MOV DWORD PTR SS:[ESP+40],8 ; |
00468963 |. C74424 48 000>MOV DWORD PTR SS:[ESP+48],0 ; |
0046896B |. C74424 4C 060>MOV DWORD PTR SS:[ESP+4C],6 ; |
00468973 |. C74424 54 030>MOV DWORD PTR SS:[ESP+54],3 ; |
Now it's all clear. Here is a working registration pair:
RegCode=pentacle[PYG]
RegPass=n\dpX\
------------------------------------------------------------------------
【Cracking summary】To sum up the algorithm:
Registration name: must be at least 10 characters long, but only the first 6 characters are used in the computation
Registration code: at least 6 characters; only the first 6 are used in the computation
Take the ASCII value of each character of the name and of the code and subtract 0x30.
The six constants used in the computation: 8, 1, 0, 6, 1, 3
Then the check is:
1. If (name char - 0x30) + the constant for that position >= 0xA, compare ((name char - 0x30) + constant) - 0xA with (code char - 0x30)
2. If (name char - 0x30) + the constant for that position < 0xA, compare (name char - 0x30) + constant with (code char - 0x30)
In other words, when the registration name is made of digits, you just add the six constants;
when the registration name is made of letters, you add the six constants and then also subtract 0xA.
Here is another, numeric registration name as well; watch out for the blacklist:
Name: 1111111111
Code: 921724
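As an added example (not MoneyKeeper's code and not part of the original post), here is the registration check re-implemented in Python from the listing above, so the two pairs the post gives can be verified offline. The addresses in the comments are those of the post's listing. Two points are my own reading rather than something the post states: that all three blacklist comparisons are made against the registration name (from the stack offsets around 004689FE..00468A78), and that bytes past the code's NUL terminator are treated as NUL (in the binary they are leftover stack).

```python
"""Re-implementation of the MoneyKeeper 2.53 registration check as reversed above.

Added example, not MoneyKeeper's own code. It models the listing where the
details matter (INI buffer sizes, MOVSX sign extension, the unsigned CMP/JB)
so that the pairs given in the post verify.
"""

# The six per-position constants: the two 1s stored at 00468930/00468934 and
# the 8, 0, 6, 3 stored at 0046895B..00468973, in the order the compare loop
# at 00468AEE reads them from [ESP+ECX+28].
KEY = (8, 1, 0, 6, 1, 3)

# Blacklist strings pushed at 00468A11, 00468A3D and 00468A61. As I read the
# stack offsets (my interpretation), all three are compared against the
# registration name: the first two against its first six characters (the
# CString::Left-style call at 00513554 with argument 6), the last against
# the whole name.
BLACKLISTED_PREFIXES = (b"123456", b"844718")
BLACKLISTED_NAMES = (b"0000000000",)

NAME_BUFSIZE = 0x0B   # BufSize at 00468949: at most 10 characters are kept
PASS_BUFSIZE = 0x07   # BufSize at 00468988: at most 6 characters are kept
MASK32 = 0xFFFFFFFF


def read_ini_field(value: bytes, bufsize: int) -> bytes:
    """Model GetPrivateProfileStringA: at most bufsize-1 bytes are returned."""
    return value[: bufsize - 1]


def movsx_minus_0x30(byte: int) -> int:
    """MOVSX EDX,BYTE PTR ...; SUB EDX,30 as an unsigned 32-bit value."""
    signed = byte - 0x100 if byte >= 0x80 else byte
    return (signed - 0x30) & MASK32


def expected_code_value(name_byte: int, key: int) -> int:
    """Loop body at 00468AEE: add the constant, subtract 0xA if the sum is >= 0xA.

    The comparison is CMP EAX,0A / JB, i.e. unsigned, so this is not a plain
    modulo: a value that went negative after SUB EDX,30 counts as huge.
    """
    v = (movsx_minus_0x30(name_byte) + key) & MASK32
    if v >= 0xA:
        v = (v - 0xA) & MASK32
    return v


def check_registration(reg_code: bytes, reg_pass: bytes) -> bool:
    """Return True when the pair would be accepted (EBP still 1 at 00468B2B)."""
    name = read_ini_field(reg_code, NAME_BUFSIZE)
    code = read_ini_field(reg_pass, PASS_BUFSIZE)

    # 004689CF: the CString built from the truncated name must be exactly 10
    # characters, which is why the INI value needs at least 10.
    if len(name) != 0xA:
        return False

    # 004689FE..00468A78: any blacklist hit returns 0.
    if name[:6] in BLACKLISTED_PREFIXES or name in BLACKLISTED_NAMES:
        return False

    # The loop at 00468AD9 always reads six bytes of the code buffer. Assumed
    # NUL past the terminator here (leftover stack in the binary); NUL does not
    # match any printable name character, so shorter codes fail as the post says.
    code = code.ljust(6, b"\x00")

    flag = 1  # EBP, set to 1 at 0046892E
    for i in range(6):
        if expected_code_value(name[i], KEY[i]) != movsx_minus_0x30(code[i]):
            flag = 0  # XOR EBP,EBP at 00468B06; the loop still runs to the end
    return flag == 1


if __name__ == "__main__":
    # The two pairs given in the post, plus constructed cases.
    print(check_registration(b"pentacle[PYG]", b"n\\dpX\\"))  # True
    print(check_registration(b"1111111111", b"921724"))      # True
    print(check_registration(b"9999999999", b"709502"))      # True: 9+8=17 -> 7, digits wrap too
    print(check_registration(b"pentacle[", b"n\\dpX\\"))      # False: name shorter than 10
    print(check_registration(b"0000000000", b"810613"))      # False: blacklisted name
```

Run it directly or import check_registration. Two things are worth noticing: the reduction by 0xA also applies to digit names whenever a sum reaches ten (the constructed 9999999999 case), and the whole check is a fixed per-position offset whose six constants sit in the binary as immediates, so the scheme falls out of reading one function, as the post shows; a check that verified a signature over the name would leave nothing comparable to read.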
------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!