
sitman 2.01 algorithm analysis

Date: 2004/10/15 0:55:00  Source: compiled by this site  Author: 蓝点

Protection overview: the registration code is computed at two different addresses, and the scheme is of the restart-verification kind: only the serial algorithm that runs when the program is restarted is the one that counts. After a successful registration the serial is written to the registry, and a marker is also left in config.ini.
【Step 1】
§ Enter the username: powerboy
§ Enter the registration code: 987654321
§ Set a breakpoint: BPX HMEMCPY
§ In the algorithm you will find that the serial must be 18 characters long, that its first three characters are derived from the username, and that every character must be a lowercase letter or a digit;
§ At the point where the serial is entered, force the registration to succeed with r fl z (toggling the zero flag in SoftICE).
§ (That is, at: 00491594 0F8420010000     je 004916BA)
【Step 2】
§ Restart the program first.
§ Set a breakpoint: BPX RegQueryValueExA DO "D *(esp+8)"; for some reason it always broke at api32.TEXT531 and never caught the program's own call,
§ so use BPX GetPrivateProfileStringA instead; once it breaks,
§ press F10 a few hundred times (clearly you cannot get far without knowing how to place breakpoints!).
§ How to tell where you are: use D often; whenever the username shows up in memory, watch for comparisons and conditional jumps nearby.


You then arrive at the following:

:004A3D08 BE01000000              mov esi, 00000001----------------ESI=1
:004A3D0D A174664A00              mov eax, dword ptr [004A6674]----EAX=[4A6674]
:004A3D12 8B00                    mov eax, dword ptr [eax]---------EAX=username (the same buffer is indexed below)
:004A3D14 E88701F6FF              call 00403EA0--------------------string length
:004A3D19 8BC8                    mov ecx, eax---------------------ECX=EAX (8 for "powerboy")
:004A3D1B 85C9                    test ecx, ecx--------------------
:004A3D1D 7E29                    jle 004A3D48---------------------empty name: skip the inner loop
:004A3D1F BB01000000              mov ebx, 00000001----------------EBX=1 (inner counter)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A3D46(C)
|                                                                      inner loop shared by the first 3 positions
:004A3D24 A174664A00              mov eax, dword ptr [004A6674]-----------------------|
:004A3D29 8B00                    mov eax, dword ptr [eax]                            |
:004A3D2B 0FB64418FF              movzx eax, byte ptr [eax+ebx-01]--EAX=NAME(n)       |
:004A3D30 F7EE                    imul esi--------------------------EAX=EAX*ESI       |
:004A3D32 03055C7C4A00            add eax, dword ptr [004A7C5C]-----EAX=EAX+outer counter |
:004A3D38 03C3                    add eax, ebx----------------------EAX=EAX+EBX       |
:004A3D3A BE65010000              mov esi, 00000165-----------------ESI=&H165         |
:004A3D3F 99                      cdq                                                 |
:004A3D40 F7FE                    idiv esi--------------------------EAX=EAX / ESI     |
:004A3D42 8BF2                    mov esi, edx----------------------ESI=EDX=EAX % ESI |
:004A3D44 43                      inc ebx---------------------------EBX=EBX+1         |
:004A3D45 49                      dec ecx---------------------------ECX=ECX-1         |
:004A3D46 75DC                    jne 004A3D24----------------------------------------|

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A3D1D(C)
|
:004A3D48 8BC6                    mov eax, esi----------------------EAX=ESI
:004A3D4A B924000000              mov ecx, 00000024-----------------ECX=&H24
:004A3D4F 99                      cdq
:004A3D50 F7F9                    idiv ecx--------------------------EAX=EAX/ECX
                                                                   EDX=EAX%ECX
* Possible StringData Ref from Code Obj ->"0123456789abcdefghijklmnopqrstuvwxyz"
|                                                             EDX is used as an index into the table
:004A3D52 B840434A00              mov eax, 004A4340-----------------EAX=table
:004A3D57 8A0410                  mov al, byte ptr [eax+edx]--------AL=correct serial character
:004A3D5A 8B15A4634A00            mov edx, dword ptr [004A63A4]
:004A3D60 8B12                    mov edx, dword ptr [edx]----------EDX=entered serial
:004A3D62 8B0D5C7C4A00            mov ecx, dword ptr [004A7C5C]-----ECX=outer counter (position 1..3)
:004A3D68 3A440AFF                cmp al, byte ptr [edx+ecx-01]-----|compare the correct character with
:004A3D6C 7408                    je 004A3D76-----------------------|the entered one; equal: jump
:004A3D6E A16C664A00              mov eax, dword ptr [004A666C]
:004A3D73 C60001                  mov byte ptr [eax], 01------------mismatch: set the failure flag

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A3D6C(C)
|
:004A3D76 FF055C7C4A00            inc dword ptr [004A7C5C]----------counter+1
:004A3D7C 833D5C7C4A0004          cmp dword ptr [004A7C5C], 00000004is it 4 yet?
:004A3D83 7583                    jne 004A3D08----------------------if not, loop
outer loop for the first 3 serial characters
-------------------------------------------
:004A3D85 33C0                    xor eax, eax
:004A3D87 55                      push ebp
:004A3D88 68B53D4A00              push 004A3DB5
:004A3D8D 64FF30                  push dword ptr fs:[eax]
:004A3D90 648920                  mov dword ptr fs:[eax], esp
:004A3D93 8B0D7C674A00            mov ecx, dword ptr [004A677C]
:004A3D99 A188664A00              mov eax, dword ptr [004A6688]
:004A3D9E 8B00                    mov eax, dword ptr [eax]

* Possible StringData Ref from Code Obj ->"HtC"
                                 |
:004A3DA0 8B1530CC4800            mov edx, dword ptr [0048CC30]
:004A3DA6 E84DB3FAFF              call 0044F0F8
:004A3DAB 33C0                    xor eax, eax
:004A3DAD 5A                      pop edx
:004A3DAE 59                      pop ecx
:004A3DAF 59                      pop ecx
:004A3DB0 648910                  mov dword ptr fs:[eax], edx
:004A3DB3 EB52                    jmp 004A3E07
:004A3DB5 E94AF6F5FF              jmp 00403404
:004A3DBA A138674A00              mov eax, dword ptr [004A6738]
:004A3DBF 803800                  cmp byte ptr [eax], 00
:004A3DC2 741A                    je 004A3DDE
:004A3DC4 6A00                    push 00000000

* Possible StringData Ref from Code Obj ->"您可能没有安装 RealPlayer"
                                 |           (i.e. "You may not have RealPlayer installed")
:004A3DC6 B968434A00              mov ecx, 004A4368

* Possible StringData Ref from Code Obj ->"本程序需要媒体播放软件RealPlayer的支持 !"
                                       ->"您可能没有安装,因此本程序无法运行。"
                                       ->"详细说明请参见附带的帮助文件"
                                 |           (i.e. "This program needs the media player RealPlayer. You may not have it installed, so the program cannot run. See the bundled help file for details")
:004A3DCB BA84434A00              mov edx, 004A4384
:004A3DD0 A188664A00              mov eax, dword ptr [004A6688]
:004A3DD5 8B00                    mov eax, dword ptr [eax]
:004A3DD7 E8F4B4FAFF              call 0044F2D0
:004A3DDC EB18                    jmp 004A3DF6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A3DC2(C)
|
:004A3DDE 6A00                    push 00000000

* Possible StringData Ref from Code Obj ->"Perhaps you have not RealPlayer installed !"
                                 |
:004A3DE0 B9F4434A00              mov ecx, 004A43F4

* Possible StringData Ref from Code Obj ->"This software can't run without RealPlayer installed !"
                                       ->"Click OK to exit."
                                       ->"Get more infomation from the HELP file !"
                                 |
:004A3DE5 BA20444A00              mov edx, 004A4420
:004A3DEA A188664A00              mov eax, dword ptr [004A6688]
:004A3DEF 8B00                    mov eax, dword ptr [eax]
:004A3DF1 E8DAB4FAFF              call 0044F2D0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A3DDC(U)
|
:004A3DF6 A188664A00              mov eax, dword ptr [004A6688]
:004A3DFB 8B00                    mov eax, dword ptr [eax]
:004A3DFD E82AB4FAFF              call 0044F22C
:004A3E02 E859F9F5FF              call 00403760

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A3DB3(U)
|
:004A3E07 A1DC664A00              mov eax, dword ptr [004A66DC]
:004A3E0C 803800                  cmp byte ptr [eax], 00
:004A3E0F 0F8481000000            je 004A3E96-----------------------byte at [004A66DC] is 0: skip the field check
:004A3E15 A16C664A00              mov eax, dword ptr [004A666C]
:004A3E1A 803800                  cmp byte ptr [eax], 00
:004A3E1D 7577                    jne 004A3E96----------------------failure flag already set: skip it too
:004A3E1F 8D45CC                  lea eax, dword ptr [ebp-34]
:004A3E22 50                      push eax--------------------------destination for the copied substring
:004A3E23 A1A4634A00              mov eax, dword ptr [004A63A4]
:004A3E28 8B00                    mov eax, dword ptr [eax]----------EAX=entered serial
:004A3E2A B909000000              mov ecx, 00000009-----------------ECX=9
:004A3E2F BA04000000              mov edx, 00000004-----------------EDX=4
:004A3E34 E8ABE6FEFF              call 004924E4---------------------substring copy from the serial (arguments in EDX and ECX as shown)
:004A3E39 8B55CC                  mov edx, dword ptr [ebp-34]
:004A3E3C B8607C4A00              mov eax, 004A7C60
:004A3E41 E82EFEF5FF              call 00403C74---------------------assign it to the global at 004A7C60 (read back at 004A3E54)
:004A3E46 33C0                    xor eax, eax
:004A3E48 55                      push ebp
:004A3E49 686A3E4A00              push 004A3E6A
:004A3E4E 64FF30                  push dword ptr fs:[eax]
:004A3E51 648920                  mov dword ptr fs:[eax], esp-------install exception handler (004A3E6A)
:004A3E54 A1607C4A00              mov eax, dword ptr [004A7C60]
:004A3E59 E8964FF6FF              call 00408DF4---------------------string to integer
:004A3E5E 8BD8                    mov ebx, eax----------------------EBX=numeric value of the field
:004A3E60 33C0                    xor eax, eax
:004A3E62 5A                      pop edx
:004A3E63 59                      pop ecx
:004A3E64 59                      pop ecx
:004A3E65 648910                  mov dword ptr fs:[eax], edx
:004A3E68 EB15                    jmp 004A3E7F
:004A3E6A E995F5F5FF              jmp 00403404
:004A3E6F 83CBFF                  or ebx, FFFFFFFF------------------exception path: conversion failed, EBX=-1
:004A3E72 A16C664A00              mov eax, dword ptr [004A666C]
:004A3E77 C60001                  mov byte ptr [eax], 01------------and set the failure flag
:004A3E7A E8E1F8F5FF              call 00403760

Check whether positions 4 to 9 hold 100000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A3E68(U)
|
:004A3E7F 8BC3                    mov eax, ebx-----------------EAX=EBX (serial positions 4 to 9 as a number)
:004A3E81 B9E8030000              mov ecx, 000003E8------------ECX=&H3E8
:004A3E86 99                      cdq
:004A3E87 F7F9                    idiv ecx---------------------EAX=EAX/ECX
:004A3E89 83F864                  cmp eax, 00000064------------is EAX equal to &H64?
:004A3E8C 7408                    je 004A3E96------------------equal: jump (only the quotient is tested, so 100000 to 100999 all pass)


---------------------------------------------
Compute the last 9 serial characters from the first 9
:004A3E96 E8912CFFFF              call 00496B2C----------------key CALL
:004A3E9B A158634A00              mov eax, dword ptr [004A6358]
:004A3EA0 803800                  cmp byte ptr [eax], 00-------is the flag byte 0?
:004A3EA3 0F85A4000000            jne 004A3F4D-----------------if not, jump
---------------------------------------------
Press F8 to enter the key CALL, then F10 a few times to reach the following..........

:00497205 C745FC0A000000          mov [ebp-04], 0000000A--------------outer counter=&HA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497266(C)
|
:0049720C BB01000000              mov ebx, 00000001-------------------EBX=1 (inner counter; note that ECX is not reset here)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497232(C)
|
:00497211 A1A4634A00              mov eax, dword ptr [004A63A4]-----|
:00497216 8B00                    mov eax, dword ptr [eax]
:00497218 0FB64418FF              movzx eax, byte ptr [eax+ebx-01]----EAX=SN1~9(n)
:0049721D F7E9                    imul ecx----------------------------EAX=EAX*ECX
:0049721F 03C3                    add eax, ebx------------------------EAX=EAX+EBX
:00497221 0345FC                  add eax, dword ptr [ebp-04]---------EAX=EAX+outer counter
:00497224 B979010000              mov ecx, 00000179-------------------ECX=&H179
:00497229 99                      cdq
:0049722A F7F9                    idiv ecx----------------------------EAX=EAX/ECX
:0049722C 8BCA                    mov ecx, edx------------------------ECX=EDX=EAX%ECX
:0049722E 43                      inc ebx-----------------------------EBX=EBX+1 (inner counter)
:0049722F 83FB0A                  cmp ebx, 0000000A-------------------is EBX &HA yet? |
:00497232 75DD                    jne 00497211------------------------if not, jump (inner loop) |
:00497234 8BC1                    mov eax, ecx------------------------EAX=ECX
:00497236 BB24000000              mov ebx, 00000024-------------------EBX=&H24
:0049723B 99                      cdq
:0049723C F7FB                    idiv ebx----------------------------EAX=EAX/EBX
                                                                     EDX=EAX%EBX
* Possible StringData Ref from Code Obj ->"0123456789abcdefghijklmnopqrstuvwxyz"
                                 |                        EDX is used as an index into the table
:0049723E B83C7E4900              mov eax, 00497E3C-------------------EAX=table
:00497243 8A0410                  mov al, byte ptr [eax+edx]----------AL=correct serial character
:00497246 8B15A4634A00            mov edx, dword ptr [004A63A4]-------entered serial
:0049724C 8B12                    mov edx, dword ptr [edx]
:0049724E 8B5DFC                  mov ebx, dword ptr [ebp-04]
:00497251 3A441AFF                cmp al, byte ptr [edx+ebx-01]-------compare AL with SN(n), n=10..18
:00497255 7408                    je 0049725F-------------------------equal: jump
:00497257 A16C664A00              mov eax, dword ptr [004A666C]
:0049725C C60001                  mov byte ptr [eax], 01--------------mismatch: set the failure flag

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00497255(C)
|
:0049725F FF45FC                  inc [ebp-04]------------------------counter+1
:00497262 837DFC13                cmp dword ptr [ebp-04], 00000013----is the counter &H13 yet?
:00497266 75A4                    jne 0049720C------------------------if not, jump
outer loop for the last 9 characters

Summary: username: powerboy
         serial:   bac100000ka49fmp6i
Analysis: the serial is computed in 3 steps.
1. (compute the first 3 characters)
  ECX=8 (length of the username)
  ESI=1 (running value, reset to 1 before every pass)
  EBX=1 (inner counter)
  EAX=ASC(NAME) the ASCII value of one username character per iteration
  EAX=EAX*ESI
  EAX=EAX+outer counter (the value at [004A7C5C], 1 to 3)
  EAX=EAX+EBX
  ESI=&H165
  EDX=EAX MOD ESI
  ESI=EDX
  EBX=EBX+1
  ECX=ECX-1
After 8 iterations this yields one ESI value;
  EAX=ESI
  ECX=&H24
  EDX=EAX MOD ECX
EDX is used as an index into the table "0123456789abcdefghijklmnopqrstuvwxyz";
3 passes (outer counter 1, 2, 3) give the first 3 serial characters.

2. (check that positions 4 to 9 hold 100000)
 EBX="100000" converted to an integer
 ECX=&H3E8
 EBX=EBX/ECX
 check whether EBX equals &H64
Only the quotient is compared, so any six-digit value from 100000 to 100999 passes this check; the author uses 100000. If the conversion fails, the exception handler sets EBX=-1 and the failure flag.
From the first 2 steps the first 9 characters of the serial are SN1=***100000

3. (compute the last 9 characters from the first 9)
 ECX=1 (running value; it is 1 before the first pass, set before the traced excerpt begins)
 EBX=1 (inner counter)
 [EBP-04]=&HA (outer counter, initial value 10)
 EAX=ASC(SN1) the ASCII value of one SN1 character per iteration
 EAX=EAX*ECX
 EAX=EAX+EBX
 EAX=EAX+[EBP-04]
 ECX=&H179
 EDX=EAX MOD ECX
 ECX=EDX
 EBX=EBX+1
 compare EBX with &HA
9 iterations yield one ECX value
 EAX=ECX
 EBX=&H24
 EDX=EAX MOD EBX
EDX is used as an index into the table "0123456789abcdefghijklmnopqrstuvwxyz".
[EBP-04] is then incremented and the pass repeats until it reaches &H13, giving positions 10 to 18. Note that the jump back at 00497266 lands on 0049720C, which only resets EBX: unlike ESI in step 1, the running value in ECX carries over from one pass to the next. A keygen that resets ECX to 1 for every pass produces the correct character at position 10 but a wrong one at position 11.
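The three steps above as a working keygen and checker in Python. This is an added example, not code from the article or from sitman itself. It assumes the serial is plain ASCII, that the outer counters start at 1 and 10 as the traced loops show, and it takes the initial ECX=1 for step 3 from the summary because that instruction lies outside the traced excerpt. The `check` function mirrors the program's own conditions: 18 characters of [0-9a-z], the first 3 derived from the username, a numeric field at positions 4 to 9 whose quotient by 1000 is 100, and the last 9 derived from the first 9 with the running value carried across passes.

```python
"""Keygen and checker for the sitman 2.01 registration scheme traced above.

Added example; not the article's code and not sitman's own code.
Assumptions: ASCII serial, outer counters start at 1 (head) and 10 (tail),
and the tail's running value starts at 1 (taken from the article's summary).
"""

# Lookup table found at 004A4340 / 00497E3C in the binary.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def _mix(data: bytes, position: int, modulus: int, seed: int) -> int:
    """One pass of the inner loop (004A3D24 in the head, 00497211 in the tail).

    seed is the running value (ESI in step 1, ECX in step 3). For each byte
    at 1-based index i: v = (byte * v + position + i) mod modulus.
    Returns the running value after the pass.
    """
    v = seed
    for index, byte in enumerate(data, start=1):
        v = (byte * v + position + index) % modulus
    return v


def head_chars(username: str) -> str:
    """Serial positions 1..3 from the username (loop at 004A3D08, modulus 0x165).

    ESI is reset to 1 before every pass. An empty name skips the inner loop
    (the jle at 004A3D1D), leaves ESI=1 and therefore yields '111'.
    """
    name = username.encode("ascii")
    return "".join(ALPHABET[_mix(name, pos, 0x165, 1) % 36] for pos in (1, 2, 3))


def tail_chars(head9: str) -> str:
    """Serial positions 10..18 from positions 1..9 (call 00496B2C, modulus 0x179).

    The running value in ECX is NOT reset between outer passes: the jump at
    00497266 lands on 0049720C, which only resets EBX. Only the first pass
    starts from ECX=1 (assumed from the article's summary).
    """
    if len(head9) != 9:
        raise ValueError("need exactly the first 9 serial characters")
    data = head9.encode("ascii")
    out = []
    v = 1
    for pos in range(10, 19):          # [ebp-04] runs 0xA .. 0x12
        v = _mix(data, pos, 0x179, v)  # carries over into the next pass
        out.append(ALPHABET[v % 36])
    return "".join(out)


def keygen(username: str, middle: str = "100000") -> str:
    """Build a full 18-character serial for username.

    middle is the six-digit field at positions 4..9; the program only checks
    that middle // 1000 == 100, so anything from 100000 to 100999 is accepted.
    """
    if len(middle) != 6 or not all(c in "0123456789" for c in middle):
        raise ValueError("middle field must be six ASCII digits")
    if not 100000 <= int(middle) <= 100999:
        raise ValueError("middle field must be in 100000..100999")
    head9 = head_chars(username) + middle
    return head9 + tail_chars(head9)


def check(username: str, serial: str) -> bool:
    """Re-implement the program's checks on a (username, serial) pair."""
    # Step 1 precondition: 18 characters, lowercase letters or digits only.
    if len(serial) != 18 or any(c not in ALPHABET for c in serial):
        return False
    # Positions 1..3 must come from the username.
    if serial[:3] != head_chars(username):
        return False
    # Positions 4..9 must parse; a conversion failure takes the exception
    # path at 004A3E6F, which is equivalent to a failed check.
    try:
        field = int(serial[3:9])
    except ValueError:
        return False
    if field // 1000 != 100:           # idiv by 0x3E8, cmp eax, 0x64
        return False
    # Positions 10..18 must come from positions 1..9.
    return serial[9:] == tail_chars(serial[:9])


if __name__ == "__main__":
    print(keygen("powerboy"))          # the article's pair: bac100000ka49fmp6i
```

Running the block with no arguments prints the serial for the article's username. Because the tail depends on the whole of positions 1 to 9, changing the middle field (for example to 100500) changes the last nine characters as well, so the field and the tail must be generated together.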