關於S-SPLINE的問題，哪位高手給我一個完美的爆破方案？ (10千字)

下載地：http://www.shortcut.nl/S-Spline/Shortcut_S-SplineDemo.zip

這個軟體註冊碼非常難算,軟體設計者演算法到了變態的地步.我看的頭都大了.而且這個軟體還設了陷井.當你上網後,他會到它網站的資料庫去比較,如果沒有註冊過,當即將你的註冊版改為未註冊版.
這個軟體用用Asprotect1.2以後的版本加殼 ,得手動脫殼,還得修復輸入表.以下分析部分引BLOWFISH的分析結果。
輸入註冊碼之後的判斷：

0177:0040BB11 PUSH 004BF728 //DialogRegister::RegisterButton.OnClick( )
0177:0040BB16 CALL 0041EBB6
0177:0040BB1B LEA ECX,[EBP-01EC]
0177:0040BB21 CALL 0041C0CF
0177:0040BB26 AND DWORD PTR [EBP-04],00
0177:0040BB2A PUSH 0040118F
0177:0040BB2F PUSH 0041EB3F
0177:0040BB34 PUSH 03
0177:0040BB36 PUSH 18
0177:0040BB38 LEA EAX,[EBP-00F0]
0177:0040BB3E PUSH EAX
0177:0040BB3F CALL 0047E80A
0177:0040BB44 MOV ECX,[EBP-24]
0177:0040BB47 MOV BYTE PTR [EBP-04],01
0177:0040BB4B CALL 00427F9E
0177:0040BB50 MOV EBX,EAX
0177:0040BB52 CALL 0042FA11
0177:0040BB57 LEA EAX,[EBP-00A8]
0177:0040BB5D PUSH EAX
0177:0040BB5E LEA ECX,[EBX+000001E0]
0177:0040BB64 CALL 00428000 //GetWindowTextA( ), Name
0177:0040BB69 MOV ESI,004BF724
0177:0040BB6E PUSH ESI
0177:0040BB6F LEA ECX,[EBP-00A8]
0177:0040BB75 MOV BYTE PTR [EBP-04],02
0177:0040BB79 CALL 00420B42
0177:0040BB7E LEA EAX,[EBP-0090]
0177:0040BB84 PUSH EAX
0177:0040BB85 LEA ECX,[EBX+00000224]
0177:0040BB8B CALL 00428000 //GetWindowTextA( ), Company
0177:0040BB90 PUSH ESI
0177:0040BB91 LEA ECX,[EBP-0090]
0177:0040BB97 MOV BYTE PTR [EBP-04],03
0177:0040BB9B CALL 00420B42
0177:0040BBA0 MOV ECX,EBX
0177:0040BBA2 CALL 0040B9D9
0177:0040BBA7 LEA EAX,[EBP-01B8]
0177:0040BBAD LEA ECX,[EBX+0000019C]
0177:0040BBB3 PUSH EAX
0177:0040BBB4 CALL 00428000 //GetWindowTextA( ), Serial[1]
0177:0040BBB9 MOV ESI,EAX
0177:0040BBBB LEA EAX,[EBP-01A0]
0177:0040BBC1 PUSH EAX
0177:0040BBC2 LEA ECX,[EBX+00000158]
0177:0040BBC8 MOV BYTE PTR [EBP-04],04
0177:0040BBCC CALL 00428000 //GetWindowTextA( ), Serial[2]
0177:0040BBD1 MOV EDI,EAX
0177:0040BBD3 LEA EAX,[EBP-0170]
0177:0040BBD9 PUSH EAX
0177:0040BBDA LEA ECX,[EBX+00000114]
0177:0040BBE0 MOV BYTE PTR [EBP-04],05
0177:0040BBE4 CALL 00428000 //GetWindowTextA( ), Serial[3]
0177:0040BBE9 MOV [EBP-1C],EAX
0177:0040BBEC LEA EAX,[EBP-0158]
0177:0040BBF2 PUSH EAX
0177:0040BBF3 LEA ECX,[EBX+000000D0]
0177:0040BBF9 MOV BYTE PTR [EBP-04],06
0177:0040BBFD CALL 00428000 //GetWindowTextA( ), Serial[4]
0177:0040BC02 MOV [EBP-14],EAX
0177:0040BC05 LEA EAX,[EBP-0188]
0177:0040BC0B PUSH EAX
0177:0040BC0C LEA ECX,[EBX+0000008C]
0177:0040BC12 MOV BYTE PTR [EBP-04],07
0177:0040BC16 CALL 00428000 //GetWindowTextA( ), Serial[5]
........
0177:0040BE4E PUSH EAX
0177:0040BE4F MOV ECX,ESI
0177:0040BE51 CALL 00459A71 //第一處瘋狂計算的地方，
0177:0040BE56 TEST AL,AL
0177:0040BE58 MOV [EBP-15],AL //返回值
0177:0040BE5B JNZ 0040BF1C
0177:0040BE61 LEA EAX,[EBP-40]
0177:0040BE64 PUSH EAX
0177:0040BE65 LEA ECX,[EBX+48]
0177:0040BE68 CALL 00428000 //GetWindowTextA
...........
0177:0040BF0F PUSH EAX
0177:0040BF10 MOV ECX,ESI
0177:0040BF12 CALL 00459A71 //第二處瘋狂計算的地方
0177:0040BF17 MOV [EBP-15],AL //返回值
0177:0040BF1A JMP 0040BF1E
0177:0040BF1C XOR EDI,EDI
0177:0040BF1E LEA EAX,[EBP-60]
0177:0040BF21 PUSH EAX
0177:0040BF22 LEA ECX,[EBX+48]
0177:0040BF25 CALL 00428000
0177:0040BF2A PUSH 004BF704 //註冊碼的第一部分Serial[1]的黑名單“!AMOK”？
0177:0040BF2F MOV ECX,EAX
0177:0040BF31 MOV BYTE PTR [EBP-04],27
0177:0040BF35 CALL 0041FC03 //strcmp( )
0177:0040BF3A TEST AL,AL
0177:0040BF3C JNZ 0040BF84
0177:0040BF3E LEA EAX,[EBP-40]
0177:0040BF41 PUSH EAX
0177:0040BF42 LEA ECX,[EBX+0000019C]
0177:0040BF48 CALL 00428000 //GetWindowTextA( ), Serial[6]
0177:0040BF4D PUSH 004BF6FC //註冊碼的最後一部分的黑名單？（有不可顯示字元）
0177:0040BF52 MOV ECX,EAX
0177:0040BF54 MOV BYTE PTR [EBP-04],28
0177:0040BF58 CALL 0041FC03 //strcmp( )，跟進去可看到CMPSB指令
0177:0040BF5D MOV [EBP-0D],AL //比較的結果。
0177:0040BF60 LEA ECX,[EBP-3C]
0177:0040BF63 MOV BYTE PTR [EBP-04],29
0177:0040BF67 CALL 0040117A
0177:0040BF6C LEA ECX,[EBP-40]
0177:0040BF6F MOV BYTE PTR [EBP-04],27
0177:0040BF73 CALL 0040117A
0177:0040BF78 CMP BYTE PTR [EBP-0D],00 //標誌位
0177:0040BF7C JNZ 0040BF84
0177:0040BF7E AND BYTE PTR [EBP-0D],00
0177:0040BF82 JMP 0040BF88
0177:0040BF84 MOV BYTE PTR [EBP-0D],01

啟動時聯網檢查新版本（BPM WININET!InternetOpenUrlA X DO "d *(esp+8)"）：
017F:00AF1870 68 74 74 70 3A 2F 2F 77-77 77 2E 73 68 6F 72 74 http://www.short
017F:00AF1880 63 75 74 2E 6E 6C 2F 63-67 69 2D 62 69 6E 2F 43 cut.nl/cgi-bin/C
017F:00AF1890 68 65 63 6B 2E 63 67 69-3F 75 70 64 61 74 65 25 heck.cgi?update%
017F:00AF18A0 32 30 73 2D 73 70 6C 69-6E 65 5F 32 5F 78 00 00 20s-spline_2_x..

啟動時聯網檢查註冊碼，如果檢查不透過又成為unregistered。這個檢查是隨機的，即並非每次啟動都檢查。
017F:00AF2C10 68 74 74 70 3A 2F 2F 77-77 77 2E 73 68 6F 72 74 http://www.short
017F:00AF2C20 63 75 74 2E 6E 6C 2F 63-67 69 2D 62 69 6E 2F 43 cut.nl/cgi-bin/C
017F:00AF2C30 68 65 63 6B 2E 63 67 69-3F 4A 56 43 36 35 4A 58 heck.cgi?JVC65JX
017F:00AF2C40 46 56 4F 56 57 36 4E 47-50 50 56 56 45 34 4B 48 FVOVW6NGPPVVE4KH
017F:00AF2C50 49 41 00 2E 6E 6C 2F 53-51 00 00 00 51 00 00 00 IA..nl/SQ...Q...

相關的程式碼：
0177:004159DD LEA ECX,[ESI+0000089C]
0177:004159E3 PUSH ECX
0177:004159E4 LEA EAX,[ESI+00000884]
0177:004159EA PUSH EAX
0177:004159EB LEA EAX,[ESI+0000086C]
0177:004159F1 PUSH EAX
0177:004159F2 MOV ECX,ESI
0177:004159F4 CALL 00413013 //聯網檢查有無新版本
0177:004159F9 TEST AL,AL
0177:004159FB JZ 00415A4B
0177:004159FD LEA EAX,[ESI+00000884]
0177:00415A03 PUSH EAX
0177:00415A04 LEA EAX,[EBP-30]
0177:00415A07 PUSH 004C065C //"update"
0177:00415A0C PUSH EAX
0177:00415A0D CALL 00402CF8
0177:00415A12 SUB ESP,0C
0177:00415A15 MOV ECX,ESP
0177:00415A17 MOV [EBP-10],ESP
0177:00415A1A PUSH 004C0650 //"available"
0177:00415A1F PUSH ECX
0177:00415A20 MOV ECX,EAX
0177:00415A22 MOV BYTE PTR [EBP-04],37
0177:00415A26 CALL 0041FFC9
0177:00415A2B MOV ECX,[EBP-14]
0177:00415A2E CALL 0041BADD
0177:00415A33 LEA ECX,[EBP-2C]
0177:00415A36 MOV BYTE PTR [EBP-04],38
0177:00415A3A CALL 0040117A
0177:00415A3F MOV BYTE PTR [EBP-04],24
0177:00415A43 LEA ECX,[EBP-30]
0177:00415A46 JMP 00415AEA
0177:00415A4B CMP BYTE PTR [ESI+000000D4],00 //標誌位
0177:00415A52 PUSH FF
0177:00415A54 JZ 00415AA1
0177:00415A56 PUSH 0000E156
.......................
0177:00415A9F JMP 00415AEA
0177:00415AA1 PUSH 0000E15E
.......................
0177:00415AEA CALL 0040117A
0177:00415AEF MOV ECX,ESI
0177:00415AF1 CALL 004161C5 //本地檢查註冊碼，並隨機聯網檢查註冊碼
0177:00415AF6 FLD1
0177:00415AF8 FSTP REAL8 PTR [ESI+00000298]

在上面的0177:00415AF1處跟進去，看見本地判斷註冊碼的地方：

0177:0041644C CALL [EAX+14] //判斷註冊碼，裡面是瘋狂的計算
0177:0041644F MOV ECX,004D420C
0177:00416454 MOV [EBP-0D],AL //判斷的結果
0177:00416457 CALL 0041E80A
0177:0041645C CMP BYTE PTR [EBP-0D],00 //註冊碼錯誤？
0177:00416460 JZ 004168BD
0177:00416466 MOV ECX,[EDI+00000208]
0177:0041646C CMP ECX,[004A5C78]
0177:00416472 LEA EAX,[EDI+00000208]
0177:00416478 JNZ 00416482

再在上面的0177:0041644C處跟進去，瘋狂的計算就開始了。第一處比較註冊碼的地方如下：

0177:004629C8 MOV EAX,[EBP-0244]
0177:004629CE IMUL EAX,EAX,000343FD //瘋狂的乘法（RSA？）
0177:004629D4 ADD EAX,00269EC3
0177:004629D9 MOV [EBP-0244],EAX
0177:004629DF MOV EAX,[EBP+FFFFF1A8]
0177:004629E5 ADD EAX,[EBP+FFFFF19C]
0177:004629EB PUSH EAX
0177:004629EC PUSH 00
0177:004629EE PUSH DWORD PTR [EBP-0244]
0177:004629F4 CALL 004791DC
0177:004629F9 ADD ESP,0C
0177:004629FC MOV [EBP+FFFFF198],EAX
0177:00462A02 MOV EAX,[EBP+FFFFF1B4]
0177:00462A08 SUB EAX,[EBP+FFFFF198]
0177:00462A0E SUB EAX,0A
0177:00462A11 CMP [EBP-0174],EAX
0177:00462A17 JGE 00462A7D
0177:00462A19 MOV EAX,[EBP-0174]
0177:00462A1F MOVSX EAX,BYTE PTR [EAX+EBP-0160]
0177:00462A27 MOV [EBP-0178],EAX
0177:00462A2D CMP DWORD PTR [EBP-0178],39
0177:00462A34 JLE 00462A47
0177:00462A36 MOV EAX,[EBP-0178]
0177:00462A3C SUB EAX,41
0177:00462A3F MOV [EBP-0178],EAX
0177:00462A45 JMP 00462A56
0177:00462A47 MOV EAX,[EBP-0178]
0177:00462A4D SUB EAX,30
0177:00462A50 MOV [EBP-0178],EAX
0177:00462A56 MOV EAX,[EBP-0178]
0177:00462A5C MOVSX EAX,BYTE PTR [EAX+EBP-34] //真註冊碼
0177:00462A61 MOV ECX,[EBP+10]
0177:00462A64 ADD ECX,[EBP-0174]
0177:00462A6A MOVSX ECX,BYTE PTR [ECX] //假註冊碼
0177:00462A6D CMP EAX,ECX //比較
0177:00462A6F JZ 00462A78
0177:00462A71 XOR AL,AL //bad guy
0177:00462A73 JMP 0046A910
0177:00462A78 JMP 004626A5
我共找到跳到46A910的有5個比較分別為：462A73，463069，4647F7，465BB5，46A90C。
我將其全部JZ改為JNZ，但程式出錯，而且自動啟動OUTLOOK發信給作者。哪位高手給我一個完美的爆破方案？

關於S-SPLINE的問題，哪位高手給我一個完美的爆破方案？ (10千字)

相關文章