Title: [Original] Getting ahead of Xiao with an algorithm analysis
Author: as3852711
Time: 2009-03-29, 22:05
Link: https://www.chinapyg.com/viewthr ... &extra=page%3D1
―――――――――――――――――――――――――――――――――――――
【Title】: Getting ahead of Xiao with an algorithm analysis
【Author】: xiaojiam
【Program】: XXX RM 转换大师 (RM Converter Master)
【Size】: 955 KB
【Download】: search for it yourself
【Protection】: registration code
【Language】: Delphi
【Tools】: PEiD, OD
【Platform】: D-Windows XP3
【Description】: a tool for converting RM files
【Author's note】: I am just a newbie, so mistakes are unavoidable; I hope the experts will correct me!
--------------------------------------------------------------------------------
【Chat before the analysis】
--------------------------------------------------------------------------------
Today I happened to see that Xiao had posted a keygen for XXX RM 转换大师. I traced the program carefully and found the algorithm quite suitable for newbies like us to learn from, so rather than wait for Xiao to post an analysis, I am being cheeky and posting one first.
--------------------------------------------------------------------------------
【Detailed process】
--------------------------------------------------------------------------------
1. Check the packer with PEiD → Borland Delphi 6.0 - 7.0
Written in Delphi; seeing that it is Delphi always cheers me up. As the rhyme goes:
易语言 is full of floating point,
Delphi is the prettiest to read,
VB code runs far too long,
VC code is the most normal!
2. Load the program into OD for analysis.
After loading it into OD, run the program; the string plugin turns up a pile of prompts, and with a little thought we land here.
------------------------------(Part 1)---------------------------------------------------------
004BD698 /. 55 push ebp ; button handler entry:
004BD699 |. 8BEC mov ebp, esp
004BD69B |. 6A 00 push 0
004BD69D |. 6A 00 push 0
004BD69F |. 53 push ebx
004BD6A0 |. 8BD8 mov ebx, eax
004BD6A2 |. 33C0 xor eax, eax
004BD6A4 |. 55 push ebp
004BD6A5 |. 68 58D74B00 push 004BD758
004BD6AA |. 64:FF30 push dword ptr fs:[eax]
004BD6AD |. 64:8920 mov dword ptr fs:[eax], esp
004BD6B0 |. 8D55 FC lea edx, dword ptr [ebp-4]
004BD6B3 |. 8B83 20030000 mov eax, dword ptr [ebx+320]
004BD6B9 |. E8 CE6DFAFF call 0046448C
004BD6BE |. 8B45 FC mov eax, dword ptr [ebp-4] ; get the length of the username "hanyu";
004BD6C1 |. E8 C66EF4FF call 0040458C
004BD6C6 |. 85C0 test eax, eax ; if it is 0, no jump: prompt for a username;
004BD6C8 |. 75 29 jnz short 004BD6F3
004BD6CA |. 6A 40 push 40
004BD6CC |. 68 64D74B00 push 004BD764 ; Warning
004BD6D1 |. 68 6CD74B00 push 004BD76C ; Please enter a username!
004BD6D6 |. 8BC3 mov eax, ebx
004BD6D8 |. E8 97D5FAFF call 0046AC74
004BD6DD |. 50 push eax ; |hOwner
004BD6DE |. E8 7199F4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004BD6E3 |. 8B83 20030000 mov eax, dword ptr [ebx+320]
004BD6E9 |. 8B10 mov edx, dword ptr [eax]
004BD6EB |. FF92 C4000000 call dword ptr [edx+C4]
004BD6F1 |. EB 4A jmp short 004BD73D
004BD6F3 |> 8D55 F8 lea edx, dword ptr [ebp-8]
004BD6F6 |. 8B83 24030000 mov eax, dword ptr [ebx+324]
004BD6FC |. E8 8B6DFAFF call 0046448C
004BD701 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; get the length of the serial "RMCo-5797nv268-E616";
004BD704 |. E8 836EF4FF call 0040458C
004BD709 |. 85C0 test eax, eax ; same as above;
004BD70B |. 75 29 jnz short 004BD736
004BD70D |. 6A 40 push 40
004BD70F |. 68 64D74B00 push 004BD764 ; Warning
004BD714 |. 68 7CD74B00 push 004BD77C ; Please enter the serial!
004BD719 |. 8BC3 mov eax, ebx
004BD71B |. E8 54D5FAFF call 0046AC74
004BD720 |. 50 push eax ; |hOwner
004BD721 |. E8 2E99F4FF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004BD726 |. 8B83 24030000 mov eax, dword ptr [ebx+324]
004BD72C |. 8B10 mov edx, dword ptr [eax]
004BD72E |. FF92 C4000000 call dword ptr [edx+C4]
004BD734 |. EB 07 jmp short 004BD73D
004BD736 |> 8BC3 mov eax, ebx
004BD738 |. E8 47F9FFFF call 004BD084 ; registry-writing CALL (F7 to step in);
------------------------------(Part 2)-----------------------------------------------------------
004BD084 $ 55 push ebp
004BD085 . 8BEC mov ebp, esp
004BD087 . 33C9 xor ecx, ecx
004BD089 . 51 push ecx
004BD08A . 51 push ecx
004BD08B . 51 push ecx
004BD08C . 51 push ecx
004BD08D . 51 push ecx
004BD08E . 53 push ebx
004BD08F . 56 push esi
004BD090 . 57 push edi
004BD091 . 8945 FC mov dword ptr [ebp-4], eax
004BD094 . 33C0 xor eax, eax
004BD096 . 55 push ebp
004BD097 . 68 D5D14B00 push 004BD1D5
004BD09C . 64:FF30 push dword ptr fs:[eax]
004BD09F . 64:8920 mov dword ptr fs:[eax], esp
004BD0A2 . 8B45 FC mov eax, dword ptr [ebp-4]
004BD0A5 . E8 92020000 call 004BD33C ; compare CALL (F7 to step in);
------------------------------(Part 3)-----------------------------------------------------------
004BD33C /$ 55 push ebp
004BD33D |. 8BEC mov ebp, esp
004BD33F |. B9 04000000 mov ecx, 4
004BD344 |> 6A 00 /push 0
004BD346 |. 6A 00 |push 0
004BD348 |. 49 |dec ecx
004BD349 |.^ 75 F9 \jnz short 004BD344
004BD34B |. 51 push ecx
004BD34C |. 53 push ebx
004BD34D |. 56 push esi
004BD34E |. 8BF0 mov esi, eax
004BD350 |. 33C0 xor eax, eax
004BD352 |. 55 push ebp
004BD353 |. 68 51D44B00 push 004BD451
004BD358 |. 64:FF30 push dword ptr fs:[eax]
004BD35B |. 64:8920 mov dword ptr fs:[eax], esp
004BD35E |. 8D55 F8 lea edx, dword ptr [ebp-8]
004BD361 |. 8B86 24030000 mov eax, dword ptr [esi+324]
004BD367 |. E8 2071FAFF call 0046448C
004BD36C |. 8B45 F8 mov eax, dword ptr [ebp-8] ; serial: "RMCo-5797nv268-E616"
004BD36F |. 8D55 FC lea edx, dword ptr [ebp-4]
004BD372 |. E8 CDB3F4FF call 00408744
004BD377 |. 8B45 FC mov eax, dword ptr [ebp-4]
004BD37A |. 50 push eax
004BD37B |. 8D55 EC lea edx, dword ptr [ebp-14]
004BD37E |. 8B86 20030000 mov eax, dword ptr [esi+320]
004BD384 |. E8 0371FAFF call 0046448C
004BD389 |. 8B45 EC mov eax, dword ptr [ebp-14] ; username: hanyu
004BD38C |. 8D55 F0 lea edx, dword ptr [ebp-10]
004BD38F |. E8 B0B3F4FF call 00408744
004BD394 |. 8B55 F0 mov edx, dword ptr [ebp-10]
004BD397 |. 8D4D F4 lea ecx, dword ptr [ebp-C]
004BD39A |. 8BC6 mov eax, esi
004BD39C |. E8 03010000 call 004BD4A4 ; algorithm CALL (F7 to step in);
Because the author hides the algorithm fairly deep, we have to take a small detour first. Once it is found, just set a breakpoint there:
------------------------------(Part 4)-----------------------------------------------------------
004BD4A4 /$ 55 push ebp ; algorithm function entry;
004BD4A5 |. 8BEC mov ebp, esp
004BD4A7 |. 51 push ecx
004BD4A8 |. B9 04000000 mov ecx, 4
004BD4AD |> 6A 00 /push 0
004BD4AF |. 6A 00 |push 0
004BD4B1 |. 49 |dec ecx
004BD4B2 |.^ 75 F9 \jnz short 004BD4AD
004BD4B4 |. 51 push ecx
004BD4B5 |. 874D FC xchg dword ptr [ebp-4], ecx
004BD4B8 |. 53 push ebx
004BD4B9 |. 56 push esi
004BD4BA |. 57 push edi
004BD4BB |. 8BF9 mov edi, ecx
004BD4BD |. 8955 FC mov dword ptr [ebp-4], edx ; username: "hanyu";
004BD4C0 |. 8B45 FC mov eax, dword ptr [ebp-4]
004BD4C3 |. E8 B472F4FF call 0040477C
004BD4C8 |. 33C0 xor eax, eax
004BD4CA |. 55 push ebp
004BD4CB |. 68 65D64B00 push 004BD665
004BD4D0 |. 64:FF30 push dword ptr fs:[eax]
004BD4D3 |. 64:8920 mov dword ptr fs:[eax], esp
004BD4D6 |. 8BC7 mov eax, edi
004BD4D8 |. E8 EF6DF4FF call 004042CC
004BD4DD |. 8B45 FC mov eax, dword ptr [ebp-4] ; put "hanyu" into EAX;
004BD4E0 |. E8 A770F4FF call 0040458C ; // loop that turns the username into ASCII hex:
004BD4E5 |. 8BF0 mov esi, eax ; username length 5 into ESI;
004BD4E7 |. 85F6 test esi, esi
004BD4E9 |. 7E 26 jle short 004BD511 ; start of the loop;
004BD4EB |. BB 01000000 mov ebx, 1
004BD4F0 |> 8D4D EC /lea ecx, dword ptr [ebp-14]
004BD4F3 |. 8B45 FC |mov eax, dword ptr [ebp-4]
004BD4F6 |. 0FB64418 FF |movzx eax, byte ptr [eax+ebx-1] ; ASCII code of each character;
004BD4FB |. 33D2 |xor edx, edx
004BD4FD |. E8 BEB5F4FF |call 00408AC0
004BD502 |. 8B55 EC |mov edx, dword ptr [ebp-14] ; hex value of each ASCII code;
004BD505 |. 8D45 F8 |lea eax, dword ptr [ebp-8] ; convert to a string;
004BD508 |. E8 8770F4FF |call 00404594
004BD50D |. 43 |inc ebx ; plus 1;
004BD50E |. 4E |dec esi ; minus 1;
004BD50F |.^ 75 DF \jnz short 004BD4F0
004BD511 |> 8B45 F8 mov eax, dword ptr [ebp-8] ; string produced by the loop: "68616E7975"
004BD514 |. E8 7370F4FF call 0040458C ; // the reversal loop follows:
004BD519 |. 8BF0 mov esi, eax
004BD51B |. 85F6 test esi, esi
004BD51D |. 7E 2C jle short 004BD54B
004BD51F |. BB 01000000 mov ebx, 1 ; set EBX to 1;
004BD524 |> 8B45 F8 /mov eax, dword ptr [ebp-8] ; second loop begins: "68616E7975"
004BD527 |. E8 6070F4FF |call 0040458C
004BD52C |. 2BC3 |sub eax, ebx ; EAX-EBX;
004BD52E |. 8B55 F8 |mov edx, dword ptr [ebp-8] ; pass the string to EDX: "68616E7975"
004BD531 |. 8A1402 |mov dl, byte ptr [edx+eax] ; reversal starts:
004BD534 |. 8D45 E8 |lea eax, dword ptr [ebp-18] ; put the i-th character into EAX;
004BD537 |. E8 786FF4FF |call 004044B4
004BD53C |. 8B55 E8 |mov edx, dword ptr [ebp-18]
004BD53F |. 8D45 F4 |lea eax, dword ptr [ebp-C]
004BD542 |. E8 4D70F4FF |call 00404594
004BD547 |. 43 |inc ebx ; EBX plus 1;
004BD548 |. 4E |dec esi ; ESI minus 1;
004BD549 |.^ 75 D9 \jnz short 004BD524
004BD54B |> 8D45 F8 lea eax, dword ptr [ebp-8]
004BD54E |. 50 push eax
004BD54F |. B9 04000000 mov ecx, 4
004BD554 |. BA 01000000 mov edx, 1
004BD559 |. 8B45 F4 mov eax, dword ptr [ebp-C] ; string produced by the reversal loop above: "5797E61686"
004BD55C |. E8 8B72F4FF call 004047EC
004BD561 |. 8D45 F4 lea eax, dword ptr [ebp-C]
004BD564 |. 50 push eax
004BD565 |. B9 04000000 mov ecx, 4
004BD56A |. BA 05000000 mov edx, 5
004BD56F |. 8B45 F4 mov eax, dword ptr [ebp-C]
004BD572 |. E8 7572F4FF call 004047EC
004BD577 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; first 4 characters: "5797"
004BD57A |. E8 0D70F4FF call 0040458C
004BD57F |. 83F8 04 cmp eax, 4 ; is the length at least 4?
004BD582 |. 7D 2F jge short 004BD5B3 ; if shorter, enter the loop;
004BD584 |. 8B45 F8 mov eax, dword ptr [ebp-8] ; take the first four characters: "5797" //[EBP-8]
004BD587 |. E8 0070F4FF call 0040458C
004BD58C |. 8BD8 mov ebx, eax ; length into EBX;
004BD58E |. 83FB 03 cmp ebx, 3 ; greater than 3? if so, jump;
004BD591 |. 7F 20 jg short 004BD5B3
004BD593 |> 8D4D E4 /lea ecx, dword ptr [ebp-1C]
004BD596 |. 8BC3 |mov eax, ebx ; EBX->EAX;
004BD598 |. C1E0 02 |shl eax, 2 ; shift EAX left by two, i.e. multiply by four;
004BD59B |. 33D2 |xor edx, edx
004BD59D |. E8 1EB5F4FF |call 00408AC0
004BD5A2 |. 8B55 E4 |mov edx, dword ptr [ebp-1C]
004BD5A5 |. 8D45 F8 |lea eax, dword ptr [ebp-8] ; EAX = address of [EBP-8], the string being appended to;
004BD5A8 |. E8 E76FF4FF |call 00404594
004BD5AD |. 43 |inc ebx
004BD5AE |. 83FB 04 |cmp ebx, 4
004BD5B1 |.^ 75 E0 \jnz short 004BD593
004BD5B3 |> 8B45 F4 mov eax, dword ptr [ebp-C] ; take 4 characters starting at the fifth: "E616"
004BD5B6 |. E8 D16FF4FF call 0040458C
004BD5BB |. 83F8 04 cmp eax, 4 ; same as above
004BD5BE |. 7D 2F jge short 004BD5EF
004BD5C0 |. 8B45 F4 mov eax, dword ptr [ebp-C]
004BD5C3 |. E8 C46FF4FF call 0040458C
004BD5C8 |. 8BD8 mov ebx, eax
004BD5CA |. 83FB 03 cmp ebx, 3
004BD5CD |. 7F 20 jg short 004BD5EF
004BD5CF |> 8D4D E0 /lea ecx, dword ptr [ebp-20]
004BD5D2 |. 8BC3 |mov eax, ebx
004BD5D4 |. C1E0 02 |shl eax, 2
004BD5D7 |. 33D2 |xor edx, edx
004BD5D9 |. E8 E2B4F4FF |call 00408AC0
004BD5DE |. 8B55 E0 |mov edx, dword ptr [ebp-20]
004BD5E1 |. 8D45 F4 |lea eax, dword ptr [ebp-C]
004BD5E4 |. E8 AB6FF4FF |call 00404594
004BD5E9 |. 43 |inc ebx
004BD5EA |. 83FB 04 |cmp ebx, 4
004BD5ED |.^ 75 E0 \jnz short 004BD5CF
004BD5EF |> 8D45 F0 lea eax, dword ptr [ebp-10]
004BD5F2 |. BA 7CD64B00 mov edx, 004BD67C ; RMConv268d58k: fixed string;
004BD5F7 |. E8 686DF4FF call 00404364
004BD5FC |. 8D45 DC lea eax, dword ptr [ebp-24]
004BD5FF |. 50 push eax
004BD600 |. B9 04000000 mov ecx, 4
004BD605 |. BA 01000000 mov edx, 1
004BD60A |. 8B45 F0 mov eax, dword ptr [ebp-10]
004BD60D |. E8 DA71F4FF call 004047EC
004BD612 |. FF75 DC push dword ptr [ebp-24] ; take the first 4 characters: "RMCo"
004BD615 |. 68 94D64B00 push 004BD694 ; -: also fixed;
004BD61A |. FF75 F8 push dword ptr [ebp-8] ; first extracted value: "5797"
004BD61D |. 8D45 D8 lea eax, dword ptr [ebp-28]
004BD620 |. 50 push eax
004BD621 |. B9 05000000 mov ecx, 5
004BD626 |. BA 05000000 mov edx, 5
004BD62B |. 8B45 F0 mov eax, dword ptr [ebp-10]
004BD62E |. E8 B971F4FF call 004047EC
004BD633 |. FF75 D8 push dword ptr [ebp-28] ; 5 characters starting at the fifth: "nv268"
004BD636 |. 68 94D64B00 push 004BD694 ; -: same as above;
004BD63B |. FF75 F4 push dword ptr [ebp-C] ; second extracted value: "E616"
004BD63E |. 8BC7 mov eax, edi ; concatenate all the pieces into the string at EDI;
004BD640 |. BA 06000000 mov edx, 6
004BD645 |. E8 0270F4FF call 0040464C
004BD64A |. 33C0 xor eax, eax
004BD64C |. 5A pop edx
004BD64D |. 59 pop ecx
004BD64E |. 59 pop ecx
004BD64F |. 64:8910 mov dword ptr fs:[eax], edx
004BD652 |. 68 6CD64B00 push 004BD66C
004BD657 |> 8D45 D8 lea eax, dword ptr [ebp-28]
004BD65A |. BA 0A000000 mov edx, 0A
004BD65F |. E8 8C6CF4FF call 004042F0
004BD664 \. C3 retn
004BD665 .^ E9 C265F4FF jmp 00403C2C
004BD66A .^ EB EB jmp short 004BD657
004BD66C . 5F pop edi
004BD66D . 5E pop esi
004BD66E . 5B pop ebx
004BD66F . 8BE5 mov esp, ebp
004BD671 . 5D pop ebp
004BD672 . C3 retn
--------------------------------------------------------------------------------
【Summary】
1. Convert the input (the username, as traced above) into its hexadecimal ASCII string;
2. Reverse the resulting string;
3. Check whether the reversed string is at least 4 characters long; if not, append the hexadecimal ASCII form of (position × 4) until it is;
4. Check whether the reversed string is at least 8 characters long; if not, pad the second 4-character piece the same way, with (position × 4) in hexadecimal;
5. Write the keygen: read the assembly closely and reproduce the algorithm in Delphi; the result turned out about 80% identical;
6. For learning only; do not use for illegal purposes. Any illegal use is at your own risk;
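To confirm the values traced in Part 4, here is the same derivation written out as an added Python example; it is not the author's Delphi keygen, and it assumes single-byte (Latin-1) usernames and that the routine at 00408AC0 behaves like Delphi's IntToHex(Value, 0) and that the compare CALL at 004BD33C simply tests the entered serial for equality with the computed one (the comparison itself is not shown in the listing).

```python
# Added example, not code from the post. Reconstructs the serial derivation
# traced at 004BD4A4 so the debugger values for "hanyu" can be checked.

FIXED = "RMConv268d58k"  # constant string at 004BD67C


def _pad_to_four(s: str) -> str:
    """Padding loop at 004BD593 / 004BD5CF: while the piece is shorter than
    4 characters, append IntToHex(len * 4, 0) (assumed meaning of 00408AC0)."""
    i = len(s)
    while i < 4:
        s += f"{i * 4:X}"  # uppercase hex, no leading zeros
        i += 1
    return s


def rm_serial(username: str) -> str:
    """Serial as a pure function of the username (assumes Latin-1 bytes)."""
    # 004BD4F0: each byte -> two uppercase hex digits ("hanyu" -> "68616E7975")
    hexed = "".join(f"{b:02X}" for b in username.encode("latin-1"))
    # 004BD524: reverse the hex string character by character ("5797E61686")
    rev = hexed[::-1]
    # 004BD55C / 004BD572: Copy(rev, 1, 4) and Copy(rev, 5, 4), each padded
    part1 = _pad_to_four(rev[0:4])
    part2 = _pad_to_four(rev[4:8])
    # 004BD60D / 004BD62E: Copy(FIXED, 1, 4) = "RMCo", Copy(FIXED, 5, 5) = "nv268"
    # 004BD645: six-piece concatenation with "-" separators
    return FIXED[0:4] + "-" + part1 + FIXED[4:9] + "-" + part2


def check_serial(username: str, serial: str) -> bool:
    """Assumed behaviour of the compare CALL at 004BD33C: plain equality."""
    return serial == rm_serial(username)


if __name__ == "__main__":
    print(rm_serial("hanyu"))  # RMCo-5797nv268-E616
```

Because the serial depends only on the username and a constant embedded in the executable, anyone with the binary can derive valid serials for any name; that is exactly the weakness this kind of scheme has compared with a signature- or MAC-based licence check.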
--------------------------------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the 飘云阁 (PYG) forum; when reposting, credit the author and keep the article intact. Thanks!
[ This post was last edited by as3852711 on 2009-3-29 23:24 ]