-
您的位置:首页 → 精文荟萃 → 破解文章 → 飞捷计费器 V2.11 标准版算法分析
飞捷计费器 V2.11 标准版算法分析
时间:2004/10/15 0:57:00来源:本站整理作者:蓝点我要评论(0)
-
工具: trw2000,AspackDie v1.4
破解过程,首先用 PEID v0.8 看是 Aspack2.12 的壳,用 AspackDie v1.4 很快就脱掉壳了。
运行软件, 输入相关信息 Name:北极熊 ,Code:1234567890123456789
反汇编找到"\software\飞捷计费器",用trw2000跟踪
:004631C6 8BC3 mov eax, ebx
:004631C8 E86F8DFEFF call 0044BF3C
:004631CD 33C9 xor ecx, ecx
* Possible StringData Ref from Code Obj ->"\software\飞捷计费器"
|
:004631CF BA143B4600 mov edx, 00463B14
:004631D4 8BC3 mov eax, ebx
:004631D6 E8C58DFEFF call 0044BFA0
:004631DB 84C0 test al, al
:004631DD 740F je 004631EE
:004631DF 8D4DF8 lea ecx, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"UserName"
|
:004631E2 BA343B4600 mov edx, 00463B34
:004631E7 8BC3 mov eax, ebx
:004631E9 E87A8FFEFF call 0044C168
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004631DD(C)
|
:004631EE 33C9 xor ecx, ecx
* Possible StringData Ref from Code Obj ->"\software\microsoft\Counter"
|
:004631F0 BA483B4600 mov edx, 00463B48
:004631F5 8BC3 mov eax, ebx
:004631F7 E8A48DFEFF call 0044BFA0
:004631FC 84C0 test al, al
:004631FE 741C je 0046321C
:00463200 8D4DF0 lea ecx, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"flag"
|
:00463203 BA6C3B4600 mov edx, 00463B6C
:00463208 8BC3 mov eax, ebx
:0046320A E8598FFEFF call 0044C168
:0046320F 8B55F0 mov edx, dword ptr [ebp-10]
:00463212 B8987F4600 mov eax, 00467F98
:00463217 E8E006FAFF call 004038FC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004631FE(C)
|
:0046321C 8BC3 mov eax, ebx
:0046321E E8E98CFEFF call 0044BF0C
:00463223 8BC3 mov eax, ebx
:00463225 E86AFBF9FF call 00402D94
:0046322A 8B45F8 mov eax, dword ptr [ebp-08] <<--eax==北极熊,取出用户名
:0046322D E8F208FAFF call 00403B24
:00463232 83F804 cmp eax, 00000004 <<--用户名是否大于4位
:00463235 7D0D jge 00463244
:00463237 8D45F8 lea eax, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"guest"
|
:0046323A BAF83A4600 mov edx, 00463AF8
:0046323F E8FC06FAFF call 00403940
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463235(C)
|
:00463244 B8947F4600 mov eax, 00467F94
:00463249 8B55F8 mov edx, dword ptr [ebp-08]
:0046324C E8AB06FAFF call 004038FC
:00463251 A1987F4600 mov eax, dword ptr [00467F98] <<--eax=="1234567890123456789"
:00463256 E8C908FAFF call 00403B24
:0046325B 83F813 cmp eax, 00000013 <<--注册码是19位吗
:0046325E 754B jne 004632AB
从上面的分析看出用户名必须大于4位且注册码必须等于19位,否则,嘿嘿……
:00463260 BB01000000 mov ebx, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004632A7(C)
|
:00463265 B8987F4600 mov eax, 00467F98
:0046326A E8850AFAFF call 00403CF4
:0046326F 8B15987F4600 mov edx, dword ptr [00467F98]
:00463275 8A541AFF mov dl, byte ptr [edx+ebx-01]
:00463279 4A dec edx
:0046327A 885418FF mov byte ptr [eax+ebx-01], dl
:0046327E A1987F4600 mov eax, dword ptr [00467F98]
:00463283 807C18FF61 cmp byte ptr [eax+ebx-01], 61
:00463288 7619 jbe 004632A3
:0046328A B8987F4600 mov eax, 00467F98
:0046328F E8600AFAFF call 00403CF4
:00463294 8B15987F4600 mov edx, dword ptr [00467F98]
:0046329A 8A541AFF mov dl, byte ptr [edx+ebx-01]
:0046329E 4A dec edx
:0046329F 885418FF mov byte ptr [eax+ebx-01], dl
省略一大段无用代码,来到下面算法分析的地方:
:004634EE E8294FFAFF call 0040841C
:004634F3 83C4F8 add esp, FFFFFFF8
:004634F6 DD1C24 fstp qword ptr [esp]
:004634F9 9B wait
:004634FA 8D55F0 lea edx, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"yyyy"-"mm"-"dd"
|
:004634FD B8A83B4600 mov eax, 00463BA8
:00463502 E81D5BFAFF call 00409024
:00463507 8B55F0 mov edx, dword ptr [ebp-10]
:0046350A 8B45FC mov eax, dword ptr [ebp-04]
:0046350D 8B801C020000 mov eax, dword ptr [eax+0000021C]
:00463513 E814DBFBFF call 0042102C
:00463518 33FF xor edi, edi <<--edi==0x0 清零
:0046351A 8D45F4 lea eax, dword ptr [ebp-0C]
:0046351D E88603FAFF call 004038A8
:00463522 E87DF3F9FF call 004028A4
:00463527 B80A000000 mov eax, 0000000A
:0046352C E8AFF5F9FF call 00402AE0
:00463531 666BC01E imul ax, 001E
:00463535 6605C800 add ax, 00C8
:00463539 66A3A07F4600 mov word ptr [00467FA0], ax
:0046353F A1987F4600 mov eax, dword ptr [00467F98]
:00463544 BA083B4600 mov edx, 00463B08
:00463549 E8E606FAFF call 00403C34
:0046354E 0F8446020000 je 0046379A
:00463554 8B45F8 mov eax, dword ptr [ebp-08] <<--eax=="北极熊"
:00463557 E8C805FAFF call 00403B24 <<--eax=0x6 计算用户名长度
:0046355C 81C7AA550000 add edi, 000055AA <<--edi==edi+0x55AA
:00463562 03C7 add eax, edi <<--eax==eax+edi
:00463564 8BF8 mov edi, eax <<--edi<==eax 结果保存在edi
:00463566 8B45F8 mov eax, dword ptr [ebp-08]
:00463569 E8B605FAFF call 00403B24
:0046356E 8BF0 mov esi, eax
:00463570 85F6 test esi, esi
:00463572 7E15 jle 00463589
:00463574 BB01000000 mov ebx, 00000001 <<--计数器ebx==0x1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463587(C)
|
:00463579 8B45F8 mov eax, dword ptr [ebp-08] <<--eax=="北极熊"
:0046357C 0FB64418FF movzx eax, byte ptr [eax+ebx-01] <<--eax==0xB1,逐个取字符
:00463581 F7EB imul ebx <<--eax==eax*ebx
:00463583 03F8 add edi, eax <<--edi==edi+eax,累加到edi
:00463585 43 inc ebx
:00463586 4E dec esi
:00463587 75F0 jne 00463579
上面是将用户名循环累加到edi,循环完后,edi=0x65DB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463572(C)
|
:00463589 BB01000000 mov ebx, 00000001 <<--计数器ebx==0x1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004635B8(C)
|
:0046358E 8B45F8 mov eax, dword ptr [ebp-08] <<--eax=="北极熊"
:00463591 8A4418FF mov al, byte ptr [eax+ebx-01] <<--al==0xB1,逐个取字符
:00463595 3455 xor al, 55 <<--al==al xor 0x55
:00463597 25FF000000 and eax, 000000FF <<--eax==eax and 0xFF=0xE4 屏蔽高字节
:0046359C 8D4DF0 lea ecx, dword ptr [ebp-10]
:0046359F BA02000000 mov edx, 00000002
:004635A4 E8D73CFAFF call 00407280 <<--转换为字符 "E4"
:004635A9 8B55F0 mov edx, dword ptr [ebp-10] <<--edx=="E4"
:004635AC 8D45F4 lea eax, dword ptr [ebp-0C]
:004635AF E87805FAFF call 00403B2C
:004635B4 43 inc ebx <<--计数器 ebx+1
:004635B5 83FB05 cmp ebx, 00000005 <<--循环4次,得字符串"E4E4E9FE",记为S1
:004635B8 75D4 jne 0046358E
以上是注册码计算的第一部分,通过计算得到字符串"E4E4E9FE",记为S1
:004635BA 8B45F8 mov eax, dword ptr [ebp-08] <<--eax=="北极熊"
:004635BD E86205FAFF call 00403B24 <<--取用户名长度 eax==0x6
:004635C2 8BD8 mov ebx, eax <<--ebx==eax==0x6
:004635C4 8B45F8 mov eax, dword ptr [ebp-08] <<--eax=="北极熊"
:004635C7 E85805FAFF call 00403B24 <<--取用户名长度 eax==0x6
:004635CC 8BF0 mov esi, eax <<--esi==eax==0x6
:004635CE 4E dec esi <<--esi==0x5
:004635CF 2BF3 sub esi, ebx <<--esi==esi-ebx
:004635D1 7F26 jg 004635F9
:004635D3 4E dec esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004635F7(C)
|
:004635D4 8B45F8 mov eax, dword ptr [ebp-08] <<--eax=="北极熊"
:004635D7 0FB64418FF movzx eax, byte ptr [eax+ebx-01] <<--eax==0xD0,逐个倒取字符
:004635DC 40 inc eax <<--eax==eax+1=0xD1
:004635DD 8D4DF0 lea ecx, dword ptr [ebp-10]
:004635E0 BA02000000 mov edx, 00000002
:004635E5 E8963CFAFF call 00407280 <<--转换为字符 "D1"
:004635EA 8B55F0 mov edx, dword ptr [ebp-10]
:004635ED 8D45F4 lea eax, dword ptr [ebp-0C]
:004635F0 E83705FAFF call 00403B2C <<--连接到S1后面"E4E4E9FEDDD1"
:004635F5 4B dec ebx
:004635F6 46 inc esi
:004635F7 75DB jne 004635D4
注册码算法的第二部分得到另一字符串"E4E4E9FEDDD1",记为S2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004635D1(C)
|
:004635F9 8BC7 mov eax, edi <<--eax==edi==0x65DB
* Possible Reference to String Resource ID=65535: "Range check error"
|
:004635FB B9FFFF0000 mov ecx, 0000FFFF <<--ecx==0xFFFF
:00463600 99 cdq
:00463601 F7F9 idiv ecx <<--eax--eax/ecx
:00463603 8BC2 mov eax, edx
:00463605 8D4DF0 lea ecx, dword ptr [ebp-10]
:00463608 BA04000000 mov edx, 00000004
:0046360D E86E3CFAFF call 00407280 <<--转换为字符 "65DB"
:00463612 8B55F0 mov edx, dword ptr [ebp-10]
:00463615 8D45F4 lea eax, dword ptr [ebp-0C]
:00463618 E80F05FAFF call 00403B2C <<--连接到S2后面"E4E4E9FEDDD165DB"
:0046361D 8B45F4 mov eax, dword ptr [ebp-0C] <<--eax=="E4E4E9FEDDD165DB"
:00463620 E8FF04FAFF call 00403B24 <<--取用户名长度 eax==0x6
:00463625 8BF0 mov esi, eax
:00463627 85F6 test esi, esi
:00463629 7E2B jle 00463656
:0046362B BB01000000 mov ebx, 00000001 <<--计数器ebx==0x1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463654(C)
|
:00463630 8BCB mov ecx, ebx <<--ecx==ebx==0x1
:00463632 8BC7 mov eax, edi <<--eax==edi==0x65DB
:00463634 D3E8 shr eax, cl <<--eax==eax shr cl
:00463636 83E001 and eax, 00000001 <<--eax==eax and 0x1
:00463639 48 dec eax <<--eax==eax-1
:0046363A 7516 jne 00463652 <<--不等于0,则不进行下面的计算
:0046363C 8D45F4 lea eax, dword ptr [ebp-0C]
:0046363F E8B006FAFF call 00403CF4
:00463644 8B55F4 mov edx, dword ptr [ebp-0C] <<--edx=="E4E4E9FEDDD165DB"
:00463647 8A541AFF mov dl, byte ptr [edx+ebx-01] <<--dl=0x31
:0046364B 80C213 add dl, 13 <<--dl==dl+0x13
:0046364E 885418FF mov byte ptr [eax+ebx-01], dl <<--替换字符
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046363A(C)
|
:00463652 43 inc ebx
:00463653 4E dec esi
:00463654 75DA jne 00463630
经过上面的计算和替换字符,得到新字符串"X4XGELYXDWD1IHDB",记为S3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463629(C)
|
:00463656 33FF xor edi, edi <<--edi==0x0 清零
:00463658 BB01000000 mov ebx, 00000001 <<--计数器ebx==0x1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463679(C)
|
:0046365D 8BC3 mov eax, ebx <<--eax==ebx==0x1
:0046365F 03C0 add eax, eax <<--eax==eax+eax==0x2
:00463661 8B55F4 mov edx, dword ptr [ebp-0C] <<--edx=="X4XGELYXDWD1IHDB"
:00463664 8A5402FE mov dl, byte ptr [edx+eax-02] <<--eax==0x44,取字符
:00463668 8B0D987F4600 mov ecx, dword ptr [00467F98] <<--ecx=="1234567890123456789",我们输入的注册码
:0046366E 3A5401FE cmp dl, byte ptr [ecx+eax-02] <<--注册码比较
:00463672 7501 jne 00463675
:00463674 47 inc edi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463672(C)
|
:00463675 43 inc ebx
:00463676 83FB09 cmp ebx, 00000009
:00463679 75E2 jne 0046365D
上面是取注册码比较,它只取单数位进行比较,如串"X4XGELYXDWD1IHDB" 1,3,5,7,……15位的字符分别为"X","X","E","Y",……,"D",只要以上字符和输入的注册码相等,则完成注册码的第一部分比较,注意,这是第一部分,第二部分的注册码看下面:
:0046367B 8BC7 mov eax, edi
:0046367D A29E7F4600 mov byte ptr [00467F9E], al
:00463682 83FF07 cmp edi, 00000007
:00463685 0F8E0F010000 jle 0046379A
:0046368B 33FF xor edi, edi
:0046368D BB01000000 mov ebx, 00000001 <<--计数器ebx==0x1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004636A7(C)
|
:00463692 8BC3 mov eax, ebx <<--eax==ebx==0x1
:00463694 03C0 add eax, eax <<--eax==eax+eax==0x2
:00463696 8B15987F4600 mov edx, dword ptr [00467F98] <<--edx=="DBFU3C2E6D6DID5B"
:0046369C 0FB64402FF movzx eax, byte ptr [edx+eax-01] <<--取双数位字符的ASCII码 eax==0X42
:004636A1 03F8 add edi, eax <<--edi==edi+eax 累加
:004636A3 43 inc ebx
:004636A4 83FB09 cmp ebx, 00000009
:004636A7 75E9 jne 00463692
哈哈,看明白了吧,这次是计算串S3的双数位字符的累加结果,得一数edi==0x231,记为N
:004636A9 33C0 xor eax, eax
:004636AB 55 push ebp
:004636AC 6874374600 push 00463774
:004636B1 64FF30 push dword ptr fs:[eax]
:004636B4 648920 mov dword ptr fs:[eax], esp
:004636B7 8D45EC lea eax, dword ptr [ebp-14]
:004636BA 50 push eax
:004636BB B903000000 mov ecx, 00000003
:004636C0 BA11000000 mov edx, 00000011
:004636C5 A1987F4600 mov eax, dword ptr [00467F98]
:004636CA E85906FAFF call 00403D28
:004636CF 8B4DEC mov ecx, dword ptr [ebp-14]
:004636D2 8D45F0 lea eax, dword ptr [ebp-10]
:004636D5 BAC03B4600 mov edx, 00463BC0
:004636DA E89104FAFF call 00403B70
:004636DF 8B45F0 mov eax, dword ptr [ebp-10]
:004636E2 E8D53BFAFF call 004072BC <<--取注册码的最后3位
:004636E7 2BC7 sub eax, edi <<--eax==eax-edi==eax-0x231
:004636E9 83F863 cmp eax, 00000063 <<--结果是否小于0x63
:004636EC
:00463716 8B45F0 mov eax, dword ptr [ebp-10]
:00463719 E89E3BFAFF call 004072BC <<--取注册码的最后3位
:0046371E 2BC7 sub eax, edi <<--eax==eax-edi==eax-0x231
:00463720 83F865 cmp eax, 00000065 <<--结果是否大于0x65
:00463723 7D45 jge 0046376A <<--是则注册失败
:00463725 8D45EC lea eax, dword ptr [ebp-14]
:00463728 50 push eax
:00463729 B903000000 mov ecx, 00000003
:0046372E BA11000000 mov edx, 00000011
:00463733 A1987F4600 mov eax, dword ptr [00467F98]
:00463738 E8EB05FAFF call 00403D28
:0046373D 8B4DEC mov ecx, dword ptr [ebp-14]
:00463740 8D45F0 lea eax, dword ptr [ebp-10]
:00463743 BAC03B4600 mov edx, 00463BC0
:00463748 E82304FAFF call 00403B70
:0046374D 8B45F0 mov eax, dword ptr [ebp-10]
从以上分析,可以看出最后3位注册码减去N,所得结果必须大于0x63且小于0x65,既然如此,则最后3位注册码的计算公式为:N+0x64=0x231+0x64=0x295,这不就符合注册条件了吗 ^_^
综合上面的分析,就得到完整的注册码"X4XGELYXDWD1IHDB295"
完整注册信息:
Name:北极熊
Code:X4XGELYXDWD1IHDB295
VB注册机源代码
Function FMTHEX(HEXSTR)
FMTHEX = Hex(HEXSTR)
If Len(FMTHEX) = 1 Then FMTHEX = "0" & FMTHEX '如果是1位前面加0变成2位
End Function
Private Sub Image1_Click()
End
End Sub
Private Sub Image2_Click()
Dim byteAry() As Byte
Dim str5 As String, str1 As String
Dim i As Long
Dim j As Long
Dim zz, zz1, aa1, bb, cc
Dim dd, ee, ff, zz2
str5 = Text1.Text '假如输入"我123"
'用户名长度必须大于4
If LenB(StrConv(str5, vbFromUnicode)) < 4 Then
Msg = MsgBox("注册用户名太短,最少是4个字节长度", 1, "错误")
Else
'取用户名ASCII码
byteAry = StrConv(str5, vbFromUnicode)
For i = LBound(byteAry) To UBound(byteAry)
sn = sn & FMTHEX(byteAry(i)) '得 25 144 97 98 99
Next i
'计算第一段
zz = &H55AA
zz = zz + Val(LenB(StrConv(str5, vbFromUnicode)))
For j = 1 To LenB(StrConv(str5, vbFromUnicode))
aa1 = Val("&h" & Mid(sn, j * 2 - 1, 2)) * j
zz = zz + aa1
Next
bb = Hex(zz)
'计算第二段
For j = 1 To 4
aa1 = Val("&h" & Mid(sn, j * 2 - 1, 2)) Xor &H55
zz1 = zz1 & FMTHEX(aa1)
Next
cc = zz1
'计算第三段
For j = 1 To 2
aa1 = Val("&h" & Mid(sn, LenB(StrConv(str5, vbFromUnicode)) * 2 - j * 2 + 1, 2)) + 1
zz2 = zz2 & FMTHEX(aa1)
Next
dd = zz2
'连接
ee = cc & dd & bb
'替换字符
For j = 1 To Len(ee)
eax = zz \ 2 ^ j
eax = eax And 1
eax = eax - 1
If eax = 0 Then
ebx = Chr(Asc(Mid(ee, j, 1)) + &H13)
Else
ebx = Mid(ee, j, 1)
End If
code = code & ebx
Next
ee = code
'计算最后3位
For j = 1 To 8
eax = Asc(Mid(ee, j * 2, 1))
ecx = ecx + eax
Next
ecx = Hex(ecx + &H64)
'连接成19位
code = code & ecx
Text2.Text = code
End If
End Sub
|
相关阅读
Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么
-
热门文章
去除winrar注册框方法
最新文章
比特币病毒怎么破解 比去除winrar注册框方法
华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据
人气排行
华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程
查看所有0条评论>>