Title: 超级电视 (Super TV) V1.4.3 algorithm analysis
Cracked by: 风球[PYG]
Tools: PEiD, OllyDbg
Download: http://www.skycn.com/soft/25209.html
Size: 480 KB
Language: Simplified Chinese
Category: Domestic software / Shareware / Internet TV
Platform: Win9x/NT/2000/XP
Added: 2006-01-03 15:33:16
Description: A clean interface and user-friendly design make the program simpler to operate. All channels can be previewed for free, so you can choose transparently! Contains no advertising or plug-ins.
=============================================================================
[Cracking process]
Finally finished one course project today... tomorrow I have to start on another one :( and once that's done it's the holidays... ha...
Found a small program to play with... no computer to use once the holidays start...
PEiD identifies it as Microsoft Visual Basic 5.0 / 6.0... no packer... nice...
0042F9D0 55 push ebp //Load in OD, set a breakpoint here and analyze downward from this point
0042F9D1 8BEC mov ebp,esp
0042F9D3 83EC 0C sub esp,0C
0042F9D6 68 66124000 push <jmp.&MSVBVM50.__vbaExceptHandler>
...unrelated code omitted...
0042FA78 FF92 A0000000 call dword ptr ds:[edx+A0]
0042FA7E 3BC7 cmp eax,edi
0042FA80 7D 18 jge short supernet.0042FA9A
0042FA82 8B95 3CFFFFFF mov edx,dword ptr ss:[ebp-C4]
0042FA88 68 A0000000 push 0A0
0042FA8D 68 B05A4000 push supernet.00405AB0
0042FA92 52 push edx
0042FA93 50 push eax
0042FA94 FF15 04424300 call dword ptr ds:[<&MSVBVM50.__vbaHresul>; MSVBVM50.__vbaHresultCheckObj
0042FA9A 8B45 E0 mov eax,dword ptr ss:[ebp-20] ; registration name (UNICODE "feng")
0042FA9D 50 push eax
0042FA9E 68 D05A4000 push supernet.00405AD0
0042FAA3 FF15 74424300 call dword ptr ds:[<&MSVBVM50.__vbaStrCmp>; MSVBVM50.__vbaStrCmp
0042FAA9 F7D8 neg eax
0042FAAB 1BC0 sbb eax,eax
0042FAAD 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0042FAB0 F7D8 neg eax
0042FAB2 F7D8 neg eax
0042FAB4 8985 34FFFFFF mov dword ptr ss:[ebp-CC],eax
0042FABA FF15 54434300 call dword ptr ds:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
0042FAC0 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0042FAC3 FF15 50434300 call dword ptr ds:[<&MSVBVM50.__vbaFreeOb>; MSVBVM50.__vbaFreeObj
0042FAC9 66:39BD 34FFFFF>cmp word ptr ss:[ebp-CC],di ; check whether the registration name is empty
0042FAD0 0F84 500A0000 je supernet.00430526 ; if empty, jump to the error handler
0042FAD6 53 push ebx
0042FAD7 FF95 0CFFFFFF call dword ptr ss:[ebp-F4]
0042FADD 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0042FAE0 50 push eax
0042FAE1 51 push ecx
0042FAE2 FF15 28424300 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>; MSVBVM50.__vbaObjSet
0042FAE8 8B10 mov edx,dword ptr ds:[eax]
0042FAEA 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0042FAED 51 push ecx
0042FAEE 50 push eax
0042FAEF 8985 3CFFFFFF mov dword ptr ss:[ebp-C4],eax
0042FAF5 FF92 A0000000 call dword ptr ds:[edx+A0]
0042FAFB 3BC7 cmp eax,edi
0042FAFD 7D 18 jge short supernet.0042FB17
0042FAFF 8B95 3CFFFFFF mov edx,dword ptr ss:[ebp-C4]
0042FB05 68 A0000000 push 0A0
0042FB0A 68 B05A4000 push supernet.00405AB0
0042FB0F 52 push edx
0042FB10 50 push eax
0042FB11 FF15 04424300 call dword ptr ds:[<&MSVBVM50.__vbaHresul>; MSVBVM50.__vbaHresultCheckObj
0042FB17 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0042FB1A 50 push eax
0042FB1B FF15 D8414300 call dword ptr ds:[<&MSVBVM50.__vbaLenBst>; MSVBVM50.__vbaLenBstr
0042FB21 8D4D E0 lea ecx,dword ptr ss:[ebp-20] ; get the length of the registration name
0042FB24 8985 20FFFFFF mov dword ptr ss:[ebp-E0],eax ; eax=00000004
0042FB2A BE 01000000 mov esi,1
0042FB2F FF15 54434300 call dword ptr ds:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
0042FB35 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0042FB38 FF15 50434300 call dword ptr ds:[<&MSVBVM50.__vbaFreeOb>; MSVBVM50.__vbaFreeObj
0042FB3E 3BB5 20FFFFFF cmp esi,dword ptr ss:[ebp-E0] ; compare the index with the length
0042FB44 0F8F A6000000 jg supernet.0042FBF0 ; if greater, leave the loop
0042FB4A 53 push ebx
0042FB4B FF95 0CFFFFFF call dword ptr ss:[ebp-F4]
0042FB51 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0042FB54 50 push eax
0042FB55 51 push ecx
0042FB56 FF15 28424300 call dword ptr ds:[<&MSVBVM50.__vbaObjSet>; MSVBVM50.__vbaObjSet
0042FB5C 8B45 C8 mov eax,dword ptr ss:[ebp-38]
0042FB5F 8D55 A4 lea edx,dword ptr ss:[ebp-5C]
0042FB62 8945 BC mov dword ptr ss:[ebp-44],eax
0042FB65 52 push edx
0042FB66 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
0042FB69 56 push esi
0042FB6A 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
0042FB6D 50 push eax
0042FB6E 51 push ecx
0042FB6F C745 AC 0100000>mov dword ptr ss:[ebp-54],1
0042FB76 C745 A4 0200000>mov dword ptr ss:[ebp-5C],2
0042FB7D C745 C8 0000000>mov dword ptr ss:[ebp-38],0
0042FB84 C745 B4 0900000>mov dword ptr ss:[ebp-4C],9
0042FB8B FF15 60424300 call dword ptr ds:[<&MSVBVM50.#632>] ; MSVBVM50.rtcMidCharVar
0042FB91 8D55 94 lea edx,dword ptr ss:[ebp-6C]
0042FB94 8D45 E0 lea eax,dword ptr ss:[ebp-20]
0042FB97 52 push edx
0042FB98 50 push eax
0042FB99 FF15 C4424300 call dword ptr ds:[<&MSVBVM50.__vbaStrVar>; MSVBVM50.__vbaStrVarVal
0042FB9F 50 push eax
0042FBA0 FF15 F4414300 call dword ptr ds:[<&MSVBVM50.#516>] ; MSVBVM50.rtcAnsiValueBstr
0042FBA6 0FBFC8 movsx ecx,ax ; Asc() of each character of the registration name in turn
0042FBA9 03CF add ecx,edi ; accumulate
0042FBAB 0F80 850A0000 jo supernet.00430636
0042FBB1 8BF9 mov edi,ecx ; EDI <- running total
0042FBB3 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0042FBB6 FF15 54434300 call dword ptr ds:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
0042FBBC 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0042FBBF FF15 50434300 call dword ptr ds:[<&MSVBVM50.__vbaFreeOb>; MSVBVM50.__vbaFreeObj
0042FBC5 8D55 94 lea edx,dword ptr ss:[ebp-6C]
0042FBC8 8D45 A4 lea eax,dword ptr ss:[ebp-5C]
0042FBCB 52 push edx
0042FBCC 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
0042FBCF 50 push eax
0042FBD0 51 push ecx
0042FBD1 6A 03 push 3
0042FBD3 FF15 E4414300 call dword ptr ds:[<&MSVBVM50.__vbaFreeVa>; MSVBVM50.__vbaFreeVarList
0042FBD9 B8 01000000 mov eax,1
0042FBDE 83C4 10 add esp,10
0042FBE1 03C6 add eax,esi
0042FBE3 0F80 4D0A0000 jo supernet.00430636
0042FBE9 8BF0 mov esi,eax
0042FBEB ^ E9 4EFFFFFF jmp supernet.0042FB3E ; loop: this loop sums the ASCII values of the registration name
0042FBF0 A1 10204300 mov eax,dword ptr ds:[432010] ; keep an eye on [432010] for now, analyzed later
0042FBF5 85C0 test eax,eax ; eax=0014C2E8, (ASCII "t2C")
0042FBF7 75 19 jnz short supernet.0042FC12
0042FBF9 8B1D D8424300 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaNew>; MSVBVM50.__vbaNew2
0042FBFF 68 10204300 push supernet.00432010
...unrelated code omitted...
0042FCA1 8B06 mov eax,dword ptr ds:[esi]
0042FCA3 FF90 A0000000 call dword ptr ds:[eax+A0]
0042FCA9 85C0 test eax,eax
0042FCAB 7D 12 jge short supernet.0042FCBF
0042FCAD 68 A0000000 push 0A0
0042FCB2 68 B05A4000 push supernet.00405AB0
0042FCB7 56 push esi
0042FCB8 50 push eax
0042FCB9 FF15 04424300 call dword ptr ds:[<&MSVBVM50.__vbaHresul>; MSVBVM50.__vbaHresultCheckObj
0042FCBF 8B95 2CFFFFFF mov edx,dword ptr ss:[ebp-D4] ; (ASCII "t2C")
0042FCC5 8B45 DC mov eax,dword ptr ss:[ebp-24] ; yields (UNICODE "7140")
0042FCC8 50 push eax ; where "7140" comes from is analyzed later
0042FCC9 8B1A mov ebx,dword ptr ds:[edx]
0042FCCB FF15 58434300 call dword ptr ds:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
0042FCD1 FF15 1C434300 call dword ptr ds:[<&MSVBVM50.__vbaFpI4>] ; MSVBVM50.__vbaFpI4
0042FCD7 99 cdq
0042FCD8 B9 E8030000 mov ecx,3E8
0042FCDD F7F9 idiv ecx ; after conversion, divide by 3E8 (1000)
0042FCDF 8BF2 mov esi,edx ; esi <= remainder edx
0042FCE1 8B55 E0 mov edx,dword ptr ss:[ebp-20]
0042FCE4 52 push edx ; (UNICODE "7140") again
0042FCE5 FF15 58434300 call dword ptr ds:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
0042FCEB FF15 1C434300 call dword ptr ds:[<&MSVBVM50.__vbaFpI4>] ; MSVBVM50.__vbaFpI4
0042FCF1 99 cdq
0042FCF2 B9 E8030000 mov ecx,3E8
0042FCF7 F7F9 idiv ecx ; /3E8
0042FCF9 0FAFF2 imul esi,edx ; multiply the two remainders
0042FCFC 0F80 34090000 jo supernet.00430636
0042FD02 03F7 add esi,edi ; then add the ASCII sum of the registration name to the result
0042FD04 0F80 2C090000 jo supernet.00430636
0042FD0A 83C6 02 add esi,2 ; +2
0042FD0D 0F80 23090000 jo supernet.00430636
0042FD13 46 inc esi ; +1
0042FD14 0F80 1C090000 jo supernet.00430636
0042FD1A 56 push esi ; push the result esi=00004E33
0042FD1B 8BB5 2CFFFFFF mov esi,dword ptr ss:[ebp-D4]
0042FD21 56 push esi
0042FD22 FF93 04070000 call dword ptr ds:[ebx+704]
0042FD28 85C0 test eax,eax
0042FD2A 7D 12 jge short supernet.0042FD3E
...unrelated code omitted...
0042FDDC 68 B05A4000 push supernet.00405AB0
0042FDE1 56 push esi
0042FDE2 50 push eax
0042FDE3 FF15 04424300 call dword ptr ds:[<&MSVBVM50.__vbaHresul>; MSVBVM50.__vbaHresultCheckObj
0042FDE9 8B55 E0 mov edx,dword ptr ss:[ebp-20] ; trial code entered (UNICODE "123654")
0042FDEC 52 push edx
0042FDED FF15 58434300 call dword ptr ds:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
0042FDF3 FF15 54424300 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>] ; MSVBVM50.__vbaFpR8
0042FDF9 DB85 40FFFFFF fild dword ptr ss:[ebp-C0] ; ss:[0012F380]=00004E33 (decimal 20019.)
0042FDFF DD9D 04FFFFFF fstp qword ptr ss:[ebp-FC] ; st=20019.000000000000000
0042FE05 DC9D 04FFFFFF fcomp qword ptr ss:[ebp-FC] ; compare with the entered code st=123654.00000000000000
0042FE0B DFE0 fstsw ax
0042FE0D F6C4 40 test ah,40
0042FE10 74 07 je short supernet.0042FE19 ; jump if not equal
0042FE12 BE 01000000 mov esi,1 ; no jump: esi=1
0042FE17 EB 02 jmp short supernet.0042FE1B
0042FE19 33F6 xor esi,esi ; jumped: esi cleared to zero
0042FE1B 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0042FE1E FF15 54434300 call dword ptr ds:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
0042FE24 8D4D C8 lea ecx,dword ptr ss:[ebp-38]
0042FE27 FF15 50434300 call dword ptr ds:[<&MSVBVM50.__vbaFreeOb>; MSVBVM50.__vbaFreeObj
0042FE2D F7DE neg esi
0042FE2F 66:85F6 test si,si
0042FE32 0F84 92030000 je supernet.004301CA ; jumping means failure; to patch, NOP this instruction
=============================================================================
Ctrl+G to 432010 and set a memory-access breakpoint; click "Register", the program breaks, and the analysis arrives here... this is actually where the software's serial number is generated
00430937 FFD3 call ebx
00430939 8B55 E8 mov edx,dword ptr ss:[ebp-18] ; (UNICODE "7140") this string is fetched again
0043093C 8B37 mov esi,dword ptr ds:[edi]
0043093E 52 push edx
0043093F FF15 58434300 call dword ptr ds:[<&MSVBVM50.#581>] ; MSVBVM50.rtcR8ValFromBstr
00430945 DC8D 48FFFFFF fmul qword ptr ss:[ebp-B8] ; multiply, st=7140.0000000000000000
0043094B 83EC 08 sub esp,8 ; st=50979600.000000000000
0043094E DC25 B0114000 fsub qword ptr ds:[4011B0] ; then subtract ds:[004011B0]=-1000000.000000000
00430954 DFE0 fstsw ax
00430956 A8 0D test al,0D
00430958 0F85 7B020000 jnz supernet.00430BD9
0043095E DD1C24 fstp qword ptr ss:[esp] ; st=51979600.000000000000
00430961 FF15 90424300 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>>; MSVBVM50.__vbaStrR8
00430967 8BD0 mov edx,eax ; (UNICODE "51979600")
00430969 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0043096C FF15 28434300 call dword ptr ds:[<&MSVBVM50.__vbaStrMov>; MSVBVM50.__vbaStrMove
00430972 50 push eax ; serial number obtained (UNICODE "51979600")
=============================================================================
So where does this (UNICODE "7140") string come from? Let's analyze that next.
We find that the software keeps a file Iotmrd.sys in the C:\ directory; opening it in Notepad shows the following:
-------------------------------------
[MyApp]
pt1=7140 //this is that string...
pt2=U //records how many trial uses remain
Form1Top= 945
Form1Left= 2625
Form1Height= 8520
Form1Width= 11520
If registration succeeds, the following two lines are added:
pt3=20019 //registration code
pt4=feng //registration name
-------------------------------------
Delete the Iotmrd.sys file, set a breakpoint with BPX rtcRandomize to analyze, and press F9 to run until it breaks:
00410E8D FF15 1C424300 call dword ptr ds:[<&MSVBVM50.#594>] ; MSVBVM50.rtcRandomize
00410E93 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00410E99 FF15 D0414300 call dword ptr ds:[<&MSVBVM50.__vbaFreeVa>; MSVBVM50.__vbaFreeVar
00410E9F 8B0E mov ecx,dword ptr ds:[esi]
00410EA1 56 push esi
00410EA2 FF91 FC020000 call dword ptr ds:[ecx+2FC]
00410EA8 8D55 94 lea edx,dword ptr ss:[ebp-6C]
00410EAB 50 push eax
00410EAC 52 push edx
00410EAD FFD3 call ebx
00410EAF 8B08 mov ecx,dword ptr ds:[eax]
00410EB1 8D55 A8 lea edx,dword ptr ss:[ebp-58]
00410EB4 52 push edx
00410EB5 50 push eax
00410EB6 8985 ACFEFFFF mov dword ptr ss:[ebp-154],eax
00410EBC FF91 A0000000 call dword ptr ds:[ecx+A0]
00410EC2 85C0 test eax,eax
00410EC4 7D 18 jge short supernet.00410EDE
00410EC6 8B8D ACFEFFFF mov ecx,dword ptr ss:[ebp-154]
00410ECC 68 A0000000 push 0A0
00410ED1 68 B05A4000 push supernet.00405AB0
00410ED6 51 push ecx
00410ED7 50 push eax
00410ED8 FF15 04424300 call dword ptr ds:[<&MSVBVM50.__vbaHresul>; MSVBVM50.__vbaHresultCheckObj
00410EDE 8B55 A8 mov edx,dword ptr ss:[ebp-58] ; (UNICODE "pt1")
00410EE1 52 push edx
00410EE2 68 A85A4000 push supernet.00405AA8 ; UNICODE "pt1"
00410EE7 FF15 74424300 call dword ptr ds:[<&MSVBVM50.__vbaStrCmp>; MSVBVM50.__vbaStrCmp
00410EED F7D8 neg eax
00410EEF 1BC0 sbb eax,eax
00410EF1 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
00410EF4 40 inc eax
00410EF5 F7D8 neg eax
00410EF7 8985 A4FEFFFF mov dword ptr ss:[ebp-15C],eax
00410EFD FF15 54434300 call dword ptr ds:[<&MSVBVM50.__vbaFreeSt>; MSVBVM50.__vbaFreeStr
00410F03 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
00410F06 FF15 50434300 call dword ptr ds:[<&MSVBVM50.__vbaFreeOb>; MSVBVM50.__vbaFreeObj
00410F0C 66:83BD A4FEFFF>cmp word ptr ss:[ebp-15C],0 ; check whether empty
00410F14 0F84 81010000 je supernet.0041109B
00410F1A 8D85 78FFFFFF lea eax,dword ptr ss:[ebp-88]
00410F20 C745 80 0400028>mov dword ptr ss:[ebp-80],80020004
00410F27 50 push eax
00410F28 C785 78FFFFFF 0>mov dword ptr ss:[ebp-88],0A ; random number Rnd(10)
00410F32 FF15 10424300 call dword ptr ds:[<&MSVBVM50.#593>] ; MSVBVM50.rtcRandomNext
00410F38 D99D B0FEFFFF fstp dword ptr ss:[ebp-150] ; st=0.5769006609916687360
00410F3E D985 B0FEFFFF fld dword ptr ss:[ebp-150] ; stack ss:[0012F9B0]=0.5769007
00410F44 D80D 18104000 fmul dword ptr ds:[401018] ; then multiply by 10000.00
00410F4A DFE0 fstsw ax
00410F4C A8 0D test al,0D
00410F4E 0F85 FB8B0100 jnz supernet.00429B4F
00410F54 FF15 30434300 call dword ptr ds:[<&MSVBVM50.__vbaR8IntI>; MSVBVM50.__vbaR8IntI4
00410F5A 8D8D 78FFFFFF lea ecx,dword ptr ss:[ebp-88]
00410F60 8BF8 mov edi,eax
00410F62 FF15 D0414300 call dword ptr ds:[<&MSVBVM50.__vbaFreeVa>; MSVBVM50.__vbaFreeVar
00410F68 8BCF mov ecx,edi
00410F6A 8B16 mov edx,dword ptr ds:[esi]
00410F6C 0FAFCF imul ecx,edi
00410F6F 0F80 DF8B0100 jo supernet.00429B54
00410F75 81C1 40420F00 add ecx,0F4240
00410F7B 56 push esi
00410F7C 0F80 D28B0100 jo supernet.00429B54
00410F82 FF92 FC020000 call dword ptr ds:[edx+2FC]
00410F88 50 push eax
00410F89 8D45 94 lea eax,dword ptr ss:[ebp-6C]
00410F8C 50 push eax
00410F8D FFD3 call ebx
00410F8F 8B10 mov edx,dword ptr ds:[eax]
00410F91 57 push edi
00410F92 8985 ACFEFFFF mov dword ptr ss:[ebp-154],eax
00410F98 8995 30FEFFFF mov dword ptr ss:[ebp-1D0],edx
00410F9E FF15 CC414300 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>>; MSVBVM50.__vbaStrI4
00410FA4 8BD0 mov edx,eax ; random number obtained (UNICODE "5769")
Opening Iotmrd.sys again shows pt1=5769 (it was pt1=7140 before), and the software's serial number has changed as well... so this string is generated randomly...
=============================================================================
[Cracking summary]
1. Patch: 0042FE32 0F84 92030000 je supernet.004301CA //NOP
2. Algorithm summary: a simple algorithm... the program generates a random numeric string A, saves it to C:\Iotmrd.sys, and then computes from A:
Serial number = A*A - (-1000000)
Registration code = (A mod 1000)*(A mod 1000) + ASCII sum of the registration name + 2 + 1
3. VB keygen source for the algorithm
'超级电视 V1.4.3 keygen
'Text1 = registration name, Text3 = serial number, Text2 = resulting registration code
Private Sub Command1_Click()
    Dim A, B, C, SN, Mcode, temp As Double
    If Text1.Text = "" Or Text3.Text = "" Then
        MsgBox "请输入序列号和注册名!", 64, "错误"
    Else
        Mcode = Text3.Text
        'Sum the ASCII values of the registration name (A holds the sum here)
        For I = 1 To Len(Text1.Text)
            C = Asc(Mid(Text1.Text, I, 1))
            A = A + C
        Next I
        'Recover the random value from the serial: serial = random^2 + 1000000
        temp = Sqr(Val(Mcode) - 1000000)
        B = temp Mod 1000
        'Registration code = (random mod 1000)^2 + name sum + 2 + 1
        SN = A + B * B + 2 + 1
        Text2.Text = SN
    End If
End Sub
4. The registration information is saved in C:\Iotmrd.sys; delete that file to keep using the trial.
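To make the weakness of this scheme explicit, here is an added example (not code from the post or from the program's author) that models the generation and check exactly as the post reconstructs them and verifies the model against the values the post recorded in the debugger (pt1 = 7140, name "feng", serial 51979600, code 20019, Rnd sample 0.5769007 → 5769). It then demonstrates the two structural problems a reviewer of such a licensing design would flag: the serial is an invertible function of the supposedly private random value, and the name enters only through an unordered byte sum, so any rearrangement of the name is accepted with the same code. Names are assumed to be plain ASCII so that Python's ord() matches VB's Asc().

```python
import math
from itertools import permutations

# Added example, not code from the post or the program. It models the
# registration scheme as the post reconstructs it, using only the values the
# post records in the debugger (pt1 = 7140, name "feng"). Names are assumed to
# be plain ASCII, so ord() matches VB's Asc().

OFFSET = 1_000_000  # ds:[4011B0] holds -1000000 and is subtracted, i.e. +1000000


def pt1_from_rnd(rnd: float) -> int:
    """pt1 written to C:\\Iotmrd.sys: Int(Rnd * 10000), see 00410F32..00410F54."""
    return math.floor(rnd * 10000)


def serial_from_pt1(a: int) -> int:
    """Serial shown to the user: A*A - (-1000000), see 00430945..0043094E."""
    return a * a + OFFSET


def name_checksum(name: str) -> int:
    """Order-independent sum of Asc() over the name, the loop at 0042FB3E..0042FBEB."""
    return sum(ord(ch) for ch in name)


def expected_code(a: int, name: str) -> int:
    """(A mod 1000)^2 + checksum(name) + 2 + 1, see 0042FCD1..0042FD13."""
    r = a % 1000
    return r * r + name_checksum(name) + 2 + 1


def accepts(a: int, name: str, code: int) -> bool:
    """The decision at 0042FDF9..0042FE10: the entered code must equal expected_code."""
    return expected_code(a, name) == code


def pt1_from_serial(serial: int) -> int:
    """Weakness 1: the serial is an invertible function of pt1, so the 'secret'
    random value is recoverable from the number the program itself displays."""
    a = math.isqrt(serial - OFFSET)
    if a * a + OFFSET != serial:
        raise ValueError("serial is not of the form A*A + 1000000")
    return a


def colliding_names(name: str) -> set:
    """Weakness 2: the name enters only through an unordered byte sum, so every
    rearrangement of its characters is accepted with the same code."""
    return {"".join(p) for p in permutations(name)}


if __name__ == "__main__":
    print(pt1_from_rnd(0.5769007))              # 5769, as seen at 00410FA4
    print(serial_from_pt1(7140))                # 51979600, as seen at 00430972
    print(expected_code(7140, "feng"))          # 20019 (0x4E33), as seen at 0042FD1A
    print(pt1_from_serial(51979600))            # 7140 recovered from the serial
    print(sorted(colliding_names("feng")))      # every anagram passes the check
```

The point for a defender is that no secret enters the computation: every quantity the check depends on is either displayed to the user (the serial), stored in a plaintext file (pt1), or chosen by the user (the name), and the arithmetic is invertible. A check of this shape can be reconstructed by anyone with a debugger, which is exactly what the post demonstrates.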
-------------------------------------------------------------------------------------2006.1.4
[Copyright notice] This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thanks!
[ This post was last edited by 风球 on 2006-1-5 10:09 ]