
South Bay 全系列算法分析

时间:2004/10/15 0:57:00 来源:本站整理 作者:蓝点

 

软件主页: http://www.southbaypc.com/
软件作品:AutoConnect,FolderView,Hot Corners,PrinterExpress,SuperCleaner,SysDate...
破解对象:SuperCleaner
破解工具:trw2000...

程序用VC编写,未加壳。用trw2000载入SuperCleaner.exe,程序运行,提示没有注册,只能使用30天,不管它,点击Enter Registration,弹出注册框,name输入LeNgHoSt[DFCG],code输入78787878,然后ctrl+n打开trw2000,bpx hmemcpy,F5回到程序,点击OK,程序被拦截,bc *,pmodule,来到下面:

************************************************************
:00412007 FFD7 call edi----获得用户名
:00412009 8D542408 lea edx, dword ptr [esp+08]
:0041200D 6800010000 push 00000100
:00412012 52 push edx

* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03FC, ""
|
:00412013 68FC030000 push 000003FC
:00412018 56 push esi
:00412019 FFD7 call edi----获得注册码
:0041201B 8D442408 lea eax, dword ptr [esp+08]----注册码放入eax
:0041201F 8D8C2408010000 lea ecx, dword ptr [esp+00000108]----注册名放入ecx
:00412026 50 push eax----注册码入栈
:00412027 51 push ecx----注册名入栈
:00412028 E8B3050000 call 004125E0----关键call,见下面
:0041202D 83C408 add esp, 00000008
:00412030 85C0 test eax, eax
:00412032 5F pop edi
:00412033 7443 je 00412078
:00412035 8D542404 lea edx, dword ptr [esp+04]
:00412039 8D842404010000 lea eax, dword ptr [esp+00000104]
:00412040 52 push edx
:00412041 50 push eax
******************************************************************

接上面00412028----关键call
**************************
:004125E0 81EC00010000 sub esp, 00000100
:004125E6 A080964200 mov al, byte ptr [00429680]
:004125EB 56 push esi
:004125EC 57 push edi
:004125ED 88442408 mov byte ptr [esp+08], al

* Possible Reference to String Resource ID=00063: "The location you specified does not contain a Netscape 4 pro"
|
:004125F1 B93F000000 mov ecx, 0000003F
:004125F6 33C0 xor eax, eax
:004125F8 8D7C2409 lea edi, dword ptr [esp+09]
:004125FC 8B94240C010000 mov edx, dword ptr [esp+0000010C]
:00412603 F3 repz
:00412604 AB stosd
:00412605 66AB stosw
:00412607 8D4C2408 lea ecx, dword ptr [esp+08]
:0041260B 33F6 xor esi, esi
:0041260D 51 push ecx----存放注册码的空间
:0041260E 52 push edx----注册名入栈
:0041260F AA stosb
:00412610 E8AB000000 call 004126C0----计算注册码,分析见下面
:00412615 8B8C2418010000 mov ecx, dword ptr [esp+00000118]----假注册码
:0041261C 8D442410 lea eax, dword ptr [esp+10]----真注册码
:00412620 50 push eax----真注册码入栈
:00412621 51 push ecx----假注册码入栈
:00412622 E869FFFFFF call 00412590----比较真假注册码
:00412627 83C410 add esp, 00000010
:0041262A 85C0 test eax, eax

* Possible Reference to String Resource ID=00001: "Registered to: %s"
|
:0041262C B801000000 mov eax, 00000001
:00412631 7502 jne 00412635
:00412633 8BC6 mov eax, esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412631(C)
|
:00412635 5F pop edi
:00412636 5E pop esi
:00412637 81C400010000 add esp, 00000100
:0041263D C3 ret
************************************************************

接上面00412610----计算注册码
****************************
:004126C0 81EC00010000 sub esp, 00000100
:004126C6 A080964200 mov al, byte ptr [00429680]
:004126CB 53 push ebx
:004126CC 55 push ebp
:004126CD 56 push esi
:004126CE 57 push edi
:004126CF 88442410 mov byte ptr [esp+10], al

* Possible Reference to String Resource ID=00063: "The location you specified does not contain a Netscape 4 pro"
|
:004126D3 B93F000000 mov ecx, 0000003F
:004126D8 33C0 xor eax, eax
:004126DA 8D7C2411 lea edi, dword ptr [esp+11]
:004126DE F3 repz
:004126DF AB stosd
:004126E0 66AB stosw
:004126E2 AA stosb
:004126E3 8BBC2414010000 mov edi, dword ptr [esp+00000114]----用户名放到edi
:004126EA 57 push edi----入栈

* Reference To: KERNEL32.lstrlenA, Ord:03AEh
|
:004126EB FF1538024200 Call dword ptr [00420238]----取用户名长度
:004126F1 8BF0 mov esi, eax----esi=用户名长度
:004126F3 33C9 xor ecx, ecx----ecx清空放计算结果
:004126F5 33C0 xor eax, eax----计数器从0开始
:004126F7 85F6 test esi, esi----用户名是否为空
:004126F9 7E13 jle 0041270E
:004126FB 8B1530664200 mov edx, dword ptr [00426630]----edx=26h

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041270C(C)
|
:00412701 0FBE1C38 movsx ebx, byte ptr [eax+edi]----用户名每一位ascii放到ebx
:00412705 03DA add ebx, edx----ebx=ebx+edx
:00412707 03CB add ecx, ebx----ecx=ecx+ebx
:00412709 40 inc eax----eax计数器加1
:0041270A 3BC6 cmp eax, esi----是否取完
:0041270C 7CF3 jl 00412701----循环

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004126F9(C)
|
:0041270E 8B9C2418010000 mov ebx, dword ptr [esp+00000118]
:00412715 51 push ecx

* Possible StringData Ref from Data Obj ->"%ld-"
|
:00412716 6844664200 push 00426644
:0041271B 53 push ebx

* Reference To: USER32.wsprintfA, Ord:02D6h
|
:0041271C FF151C034200 Call dword ptr [0042031C]----按"%ld-"格式把ecx的值转成十进制字符串,写入ebx指向的缓冲区
:00412722 83C40C add esp, 0000000C----注册码第1部分计算完毕,共4部分
:00412725 33C9 xor ecx, ecx----ecx清空放计算结果
:00412727 33C0 xor eax, eax----计数器从0开始
:00412729 85F6 test esi, esi----用户名是否为空
:0041272B 7E14 jle 00412741
:0041272D 8B1534664200 mov edx, dword ptr [00426634]----edx=34h

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041273F(C)
|
:00412733 0FBE2C38 movsx ebp, byte ptr [eax+edi]----用户名每一位ascii放到ebp
:00412737 0FAFEA imul ebp, edx----ebp=ebp*edx
:0041273A 03CD add ecx, ebp----ecx=ecx+ebp
:0041273C 40 inc eax----计数器加1
:0041273D 3BC6 cmp eax, esi----是否取完
:0041273F 7CF2 jl 00412733----循环

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041272B(C)
|
:00412741 51 push ecx
:00412742 8D4C2414 lea ecx, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"%ld-"
|
:00412746 6844664200 push 00426644
:0041274B 51 push ecx

* Reference To: USER32.wsprintfA, Ord:02D6h
|
:0041274C FF151C034200 Call dword ptr [0042031C]
:00412752 83C40C add esp, 0000000C
:00412755 8D542410 lea edx, dword ptr [esp+10]----同样将10进制结果放到edx
:00412759 52 push edx----注册码第2部分
:0041275A 53 push ebx----注册码第1部分

* Reference To: KERNEL32.lstrcatA, Ord:039Fh
|
:0041275B FF1520024200 Call dword ptr [00420220]----把第2部分的字符串追加到ebx指向的缓冲区(分隔符"-"来自格式串"%ld-"),返回值在eax
:00412761 33C9 xor ecx, ecx----ecx清空放计算结果
:00412763 33C0 xor eax, eax----计数器从0开始
:00412765 85F6 test esi, esi----用户名是否为空
:00412767 7E13 jle 0041277C
:00412769 8B1538664200 mov edx, dword ptr [00426638]----edx=0Ch

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041277A(C)
|
:0041276F 0FBE2C38 movsx ebp, byte ptr [eax+edi]----用户名每一位ascii放到ebp
:00412773 03EA add ebp, edx----ebp=ebp+edx
:00412775 03CD add ecx, ebp----ecx=ecx+ebp
:00412777 40 inc eax----计数器加1
:00412778 3BC6 cmp eax, esi----是否取完
:0041277A 7CF3 jl 0041276F----循环

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412767(C)
|
:0041277C 51 push ecx
:0041277D 8D442414 lea eax, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"%ld-"
|
:00412781 6844664200 push 00426644
:00412786 50 push eax

* Reference To: USER32.wsprintfA, Ord:02D6h
|
:00412787 FF151C034200 Call dword ptr [0042031C]
:0041278D 83C40C add esp, 0000000C
:00412790 8D4C2410 lea ecx, dword ptr [esp+10]----同样将10进制结果放到ecx
:00412794 51 push ecx
:00412795 53 push ebx

* Reference To: KERNEL32.lstrcatA, Ord:039Fh
|
:00412796 FF1520024200 Call dword ptr [00420220]----注册码前3部分连接后放到eax
:0041279C 33C9 xor ecx, ecx----ecx清空放计算结果
:0041279E 33C0 xor eax, eax----计数器从0开始
:004127A0 85F6 test esi, esi----用户名是否为空
:004127A2 7E14 jle 004127B8
:004127A4 8B153C664200 mov edx, dword ptr [0042663C]----edx=0Eh

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004127B6(C)
|
:004127AA 0FBE2C38 movsx ebp, byte ptr [eax+edi]----用户名每一位ascii放到ebp
:004127AE 0FAFEA imul ebp, edx----ebp=ebp*edx
:004127B1 03CD add ecx, ebp----ecx=ecx+ebp
:004127B3 40 inc eax----计数器加1
:004127B4 3BC6 cmp eax, esi----是否取完
:004127B6 7CF2 jl 004127AA----循环

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004127A2(C)
|
:004127B8 51 push ecx
:004127B9 8D542414 lea edx, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"%ld"
|
:004127BD 6840664200 push 00426640
:004127C2 52 push edx

* Reference To: USER32.wsprintfA, Ord:02D6h
|
:004127C3 FF151C034200 Call dword ptr [0042031C]
:004127C9 83C40C add esp, 0000000C
:004127CC 8D442410 lea eax, dword ptr [esp+10]----同样将10进制结果放到eax
:004127D0 50 push eax
:004127D1 53 push ebx

* Reference To: KERNEL32.lstrcatA, Ord:039Fh
|
:004127D2 FF1520024200 Call dword ptr [00420220]----4部分连接成完整注册码放到eax,如XXXX-XXXX-XXXX-XXXX
:004127D8 5F pop edi
:004127D9 5E pop esi
:004127DA 5D pop ebp
:004127DB 5B pop ebx
:004127DC 81C400010000 add esp, 00000100
:004127E2 C3 ret
************************************************************

算法总结:(South Bay其它软件算法基本类似,详见下面的注册机)
*********
name:LeNgHoSt[DFCG]
第1部分:name的每一位ascii+26h再全部相加得到6C4,转化10进制为1732
第2部分:name的每一位ascii*34h再全部相加得到F3C0,转化10进制为62400
第3部分:name的每一位ascii+0Ch再全部相加得到558,转化10进制为1368
第4部分:name的每一位ascii*0Eh再全部相加得到41A0,转化10进制为16800
合并后sn=1732-62400-1368-16800
***************************************************************

VC6注册机部分源程序(包括South Bay全系列软件)
*******************
// m_name is the registration name, name_len holds its length, m_sn receives the registration code.
//
// Reg() selects a product by m_soft (0..5), derives four integers sn1..sn4 from the
// characters of m_name using per-product constants, and formats them into m_sn as
// "%ld-%ld-%ld-%ld". Any other m_soft value leaves m_sn untouched.
//
// NOTE(review): every loop header below reads "for(i=0;i {" -- the text between '<' and
// the closing ')' appears to have been lost when the page was extracted, so the listing
// does not compile as shown. Presumably each loop walks i over 0..name_len-1, which would
// match the disassembled loop that counts eax from 0 up to the lstrlenA result; confirm
// against an intact copy before relying on it.
//
// NOTE(review): all four parts depend only on m_name and fixed constants, and the
// disassembly earlier on the page shows the application computing the expected code
// itself and comparing it with the user's input. A check built this way carries everything
// needed to derive valid codes; verifying an asymmetric signature over the licence data
// keeps the signing secret out of the shipped binary.
void CKEYDlg::Reg()
{
// name holds the current character code, name_x the per-part constant or running value.
int i,name_len,name_x,name;
long sn1,sn2,sn3,sn4;
name_len=m_name.GetLength();
switch(m_soft)
{
case 0: //AutoConnect
// This case writes its constants inline (0x1f, 0x0c, 0x0d, 0x20) and never uses name_x.
//code1:
sn1=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name+0x1f;
sn1=sn1+name;
}
//code2:
sn2=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name*0x0c;
sn2=sn2+name;
}
//code3:
sn3=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name+0x0d;
sn3=sn3+name;
}
//code4:
sn4=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name*0x20;
sn4=sn4+name;
}
//CODE:
m_sn.Format("%ld-%ld-%ld-%ld",sn1,sn2,sn3,sn4);
break;

case 1: //FolderView
// Same add / multiply / add / multiply shape as case 0, with constants 0x32, 0x28, 0x1e, 0x0b.
//code1:
name_x=0x32;
sn1=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name+name_x;
sn1=name+sn1;
}
//code2:
name_x=0x28;
sn2=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name*name_x;
sn2=name+sn2;
}
//code3:
name_x=0x1e;
sn3=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name+name_x;
sn3=name+sn3;
}
//code4:
name_x=0x0b;
sn4=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name*name_x;
sn4=name+sn4;
}
//CODE:
m_sn.Format("%ld-%ld-%ld-%ld",sn1,sn2,sn3,sn4);
break;

case 2: //Hot Corners
// Different shape: parts 1 and 2 keep a running value in name_x that starts at 0x6a,
// parts 3 and 4 use only the last character of m_name.
//code1:
name_x=0x6a;
sn1=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
// Each character adds twice its code to the running value.
name_x=name_x+name*2;
sn1=name_x;
}
//code2:
name_x=0x6a;
sn2=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
// name becomes 5x the code, then 4x that is added: 20x the code per character.
name=name+name*4;
name_x=name_x+name*4;
sn2=name_x;
}
//code3:
sn3=0;
// NOTE(review): with an empty m_name, name_len-1 is -1 and no guard is visible here.
name=(int)m_name.GetAt(name_len-1);
// With c the last character code: name_x=5c, name=11c, sn3=22c+1.
name_x=name+name*4;
name=name+name_x*2;
sn3=name+name+1;
//code4:
sn4=0;
// Same unguarded name_len-1 index as in code3.
name=(int)m_name.GetAt(name_len-1);
sn4=name*4+0x1d;
//CODE:
m_sn.Format("%ld-%ld-%ld-%ld",sn1,sn2,sn3,sn4);
break;

case 3: //PrinterExpress
// Add / multiply / add / multiply shape with constants 0x18, 0x27, 0x1a, 0x01.
//code1:
name_x=0x18;
sn1=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name+name_x;
sn1=sn1+name;
}
//code2:
name_x=0x27;
sn2=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name*name_x;
sn2=sn2+name;
}
//code3:
name_x=0x1a;
sn3=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name+name_x;
sn3=sn3+name;
}
//code4:
// The multiplier is 1 here, so each character contributes its own code unchanged.
name_x=0x01;
sn4=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name*name_x;
sn4=sn4+name;
}
//CODE:
m_sn.Format("%ld-%ld-%ld-%ld",sn1,sn2,sn3,sn4);
break;

case 4: //SuperCleaner
// Constants 0x26, 0x34, 0x0c, 0x0e are the ones the page's algorithm summary lists for
// SuperCleaner (+26h, *34h, +0Ch, *0Eh).
//code1:
name_x=0x26;
sn1=0;
for(i=0;i {
// NOTE(review): the disassembly reads each byte with movsx (sign-extending); whether
// this cast behaves the same for codes above 0x7f depends on GetAt's return type -- confirm.
name=(int)m_name.GetAt(i);
name=name+name_x;
sn1=name+sn1;
}
//code2:
name_x=0x34;
sn2=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name*name_x;
sn2=name+sn2;
}
//code3:
name_x=0x0c;
sn3=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name+name_x;
sn3=name+sn3;
}
//code4:
name_x=0x0e;
sn4=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
name=name*name_x;
sn4=name+sn4;
}
//CODE:
m_sn.Format("%ld-%ld-%ld-%ld",sn1,sn2,sn3,sn4);
break;

case 5: //SysDate
// Same shape as Hot Corners: running value from 0x6b for parts 1 and 2, last character
// only for parts 3 and 4.
//code1:
name_x=0x6b;
sn1=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
// 5x the code, then 4x that: 20x the code added per character.
name=name+name*4;
name_x=name_x+name*4;
sn1=name_x;
}
//code2:
name_x=0x6b;
sn2=0;
for(i=0;i {
name=(int)m_name.GetAt(i);
// 5x, then 25x the code, then 8x that: 200x the code added per character.
name=name+name*4;
name=name+name*4;
name_x=name_x+name*8;
sn2=name_x;
}
//code3:
sn3=0;
// NOTE(review): with an empty m_name, name_len-1 is -1 and no guard is visible here.
name=(int)m_name.GetAt(name_len-1);
name=name+2;
sn3=name;
//code4:
sn4=0;
// Same unguarded name_len-1 index as in code3.
name=(int)m_name.GetAt(name_len-1);
// With c the last character code: name=5c, name_x=25c, sn4=100c+1.
name=name+name*4;
name_x=name+name*4;
name=name_x*4+1;
sn4=name;
//CODE:
m_sn.Format("%ld-%ld-%ld-%ld",sn1,sn2,sn3,sn4);
break;

default:
// Unknown product index: nothing is computed and m_sn keeps its previous value.
break;
}
}


    
    
     
    
    
     
