Search32最新版V5.08註冊演算法筆記 (一） (10千字)

Search32最新版V5.08註冊演算法筆記 (一）

作者：moonlite
目標： Search32最新版V5.08
應用平臺：Windows 9X
下載：http://www.anetsoft.com
大小：1100k
軟體用途： Search32 號稱是Windows下最快的32位搜尋工具。它是離線的搜尋引擎，可在本地硬碟裡
包括Cache）中用關鍵字快速查詢。

工具：TRW1.22，W32dasm, file info 2.45，teunlockv1, UltraEdit 。
保護：每次啟動都彈出註冊窗，提示註冊; 30 天試用期；tELock殼; 反除錯。

前言：記得是半年前了，它的v5.05版沒有徹底搞定，不甘心啊!直到現在也沒有看到v5.x版的破解資料，
還是再“反攻”一次！

過程實錄：

[1] 啟動 Search 32, 煩人的註冊窗彈出。隨便輸入姓名和註冊碼，失敗提示 "Entered password is invalid for..."。
[2] 試著啟動TRW載入。很快訊息窗彈出“Hmm...Debug yourself."這個殼還夠厲害。
[3] 用teunlockv1脫掉它後，用w32dasm反彙編，查詢"Entered password is invalid for...". 找到一處：

:0048720F 50 push eax
:00487210 8B00 mov eax, dword ptr [eax]
:00487212 FF5074 call [eax+74]<-------------------有問題的call; 如果返回的eax=0，就沒戲唱了**
:00487215 8B1510124B00 mov edx, dword ptr [004B1210]
:0048721B 8902 mov dword ptr [edx], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004871D9(U)
|
:0048721D A110124B00 mov eax, dword ptr [004B1210]
:00487222 833800 cmp dword ptr [eax], 00000000
:00487225 750F jne 00487236

* Possible StringData Ref from Data Obj ->"Entered password is invalid for " <---------------出錯資訊
->"
the given registration number."
|
:00487227 B864744800 mov eax, 00487464
:0048722C E8CB86FBFF call 0043F8FC
:00487231 E9DE010000 jmp 00487414

很明顯，:00487212 處的call有問題。

[3]再次啟動 Search 32，在註冊窗輸入姓名:
“moonlite&Group [FCG]” 和註冊碼“78787878121212129898989845454545”
為什麼這麼長字串呢？我試過，短了不行）。啟動TRW，按CTL+D 來到TRW的領空。
設斷： bpx 487212，F5返回主程點選OK，被TRW攔住去路。
進入那個有問題的call:

:00487212 FF5074 call [eax+74]---->進入。。。

----------SRCH32_D! is Expired + 00DF――――――
:10001E6F 90 nop
:10001E70 8B44240C mov eax, dword ptr [esp+0C]//<------游標在這！
:10001E74 8B4C2408 mov ecx, dword ptr [esp+08]//在此下d eax, d ecx 分別可以看到
//輸入的假password 和ID;
:10001E78 56 push esi
:10001E79 50 push eax
:10001E7A 51 push ecx
* Reference To: SRCH32_D.?checkData@@YGHPAD0@Z
|
:10001E7B E880F4FFFF call 10001300//檢查註冊碼的關鍵call, 進入==>
:10001E80 8BF0 mov esi, eax//返回的eax送 esi;
:10001E82 83FE01 cmp esi, 00000001
:10001E85 7515 jne 10001E9C//eax不是1，就跳走，那就失敗！
:10001E87 8B542408 mov edx, dword ptr [esp+08]
:10001E8B 5E pop esi
:10001E8C 894224 mov dword ptr [edx+24], eax
:10001E8F C705146C011000000000 mov dword ptr [10016C14], 00000000//送成功標誌！
:10001E99 C20C00 ret 000C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001E85(C)
|
:10001E9C 68D0070000 push 000007D0//sleep 7D0h 毫秒；

* Reference To: KERNEL32.Sleep, Ord:0296h
|
:10001EA1 FF1534200110 Call dword ptr [10012034]
:10001EA7 8BC6 mov eax, esi//將esi,即0的值還給eax;
:10001EA9 5E pop esi
:10001EAA C20C00 ret 000C
――――――――――――

下面是註冊碼的演算法--》

[4] 檢查註冊碼的關鍵call:

* Referenced by a CALL at Address:
|:10001E7B
|

Exported fn(): ?checkData@@YGHPAD0@Z - Ord:0001h
:10001300 81ECDC020000 sub esp, 000002DC
:10001306 53 push ebx
:10001307 55 push ebp
:10001308 56 push esi
:10001309 57 push edi
:1000130A 8BBC24F0020000 mov edi, dword ptr [esp+000002F0]//----->指向輸入的ID；
//我的是 “moonlite&Group [FCG]”;
:10001311 83C9FF or ecx, FFFFFFFF
:10001314 33C0 xor eax, eax
:10001316 33DB xor ebx, ebx
:10001318 F2 repnz
:10001319 AE scasb
:1000131A F7D1 not ecx
:1000131C 2BF9 sub edi, ecx
:1000131E 8D9424A8000000 lea edx, dword ptr [esp+000000A8]
:10001325 8BC1 mov eax, ecx

//以上是算ID的長度；//

:10001327 8BF7 mov esi, edi
:10001329 8BFA mov edi, edx
:1000132B 895C241C mov dword ptr [esp+1C], ebx
:1000132F C1E902 shr ecx, 02
:10001332 F3 repz
:10001333 A5 movsd

//ID字串從esi傳送到edi 處；//

.............

:10001344 8D8C24A8000000 lea ecx, dword ptr [esp+000000A8]//----->指向輸入的ID；
:1000134B 895C2414 mov dword ptr [esp+14], ebx
:1000134F 51 push ecx
:10001350 E881020100 call 100115D6// ;若ID是小寫字母-->變成大寫；若ID是大寫字母或數字-->不變
:10001355 83C404 add esp, 00000004
:10001358 53 push ebx

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:10001359 FF1530200110 Call dword ptr [10012030]

//這個call檢查所用驅動器的型別（可查手冊）;
//這裡返回eax=3，即Fixed Drive;

:1000135F 3BC5 cmp eax, ebp//ebp=5; 5為CD-ROM；
:10001361 8B8424A8000000 mov eax, dword ptr [esp+000000A8]//----->指向輸入的ID；
:10001368 750F jne 10001379//在此跳轉！

.......................

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001368(C)
|
:10001379 3C43 cmp al, 43//比較ID的第一個是不是字母“C”；
:1000137B 7509 jne 10001386//不是就跳走；
:1000137D 80FC44 cmp ah, 44//比較ID的第二個是不是字母“D”；
:10001380 0F842F040000 je 100017B5//如果ID的前二個字母是“CD”就失敗！****

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000136C(C), :10001377(U), :1000137B(C)
|
:10001386 A1006C0110 mov eax, dword ptr [10016C00]
:1000138B 8D9424E8010000 lea edx, dword ptr [esp+000001E8]
:10001392 6804010000 push 00000104
:10001397 52 push edx
:10001398 50 push eax

* Reference To: KERNEL32.GetModuleFileNameA, Ord:0124h
|
:10001399 FF152C200110 Call dword ptr [1001202C]//獲取一個已裝載模板的完整路徑名稱;
//返回的EAX等於路徑字串的長度;
:1000139F 85C0 test eax, eax//非0表示成功;
:100013A1 0F840E040000 je 100017B5
:100013A7 8D8C24E8010000 lea ecx, dword ptr [esp+000001E8]//指向SRCH32_D.DLL所在路徑;
:100013AE 6A5C push 0000005C
:100013B0 51 push ecx
:100013B1 E8CA980000 call 1000AC80//獲取SRCH32_D.DLL字串的地址;
:100013B6 8BF0 mov esi, eax//SRCH32_D.DLL字串不存在，則eax=0;
:100013B8 83C408 add esp, 00000008
:100013BB 3BF3 cmp esi, ebx
:100013BD 0F84F2030000 je 100017B5//判斷字串存在與否的跳轉; ****
:100013C3 46 inc esi
:100013C4 56 push esi
:100013C5 89742428 mov dword ptr [esp+28], esi
:100013C9 E808020100 call 100115D6// 參考 :10001350的call;
:100013CE 8DBC24AC000000 lea edi, dword ptr [esp+000000AC]//指向輸入的ID字串;
:100013D5 83C9FF or ecx, FFFFFFFF
:100013D8 33C0 xor eax, eax
:100013DA 83C404 add esp, 00000004
:100013DD F2 repnz
:100013DE AE scasb
:100013DF F7D1 not ecx
:100013E1 49 dec ecx//算它的長度;
:100013E2 83F920 cmp ecx, 00000020//長度是否20h位？
:100013E5 732E jnb 10001415
:100013E7 8BFE mov edi, esi

.................

:10001404 8BCA mov ecx, edx
:10001406 4F dec edi
:10001407 C1E902 shr ecx, 02
:1000140A F3 repz
:1000140B A5 movsd
:1000140C 8BCA mov ecx, edx
:1000140E 83E103 and ecx, 00000003
:10001411 F3 repz
:10001412 A4 movsb//將“SRCH32_D.DLL”移動到ID字串的後面，得新ID字串；
//即 “MOONLITE&GROUP [FCG]SRCH32_D.DLL”
:10001413 EB0B jmp 10001420

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100013E5(C)
|
:10001415 8D840C9C000000 lea eax, dword ptr [esp+ecx+0000009C]
:1000141C 89442424 mov dword ptr [esp+24], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001413(U)
|
:10001420 8BB424F4020000 mov esi, dword ptr [esp+000002F4]//指向輸入的註冊碼;
:10001427 83C9FF or ecx, FFFFFFFF
:1000142A 8BFE mov edi, esi
:1000142C 33C0 xor eax, eax
:1000142E F2 repnz
:1000142F AE scasb
:10001430 F7D1 not ecx
:10001432 49 dec ecx//計算所輸入的出注冊碼的長度;
:10001433 8BD1 mov edx, ecx//送edx;
:10001435 83FA18 cmp edx, 00000018//18h=24位;
:10001438 89542418 mov dword ptr [esp+18], edx//將註冊碼的長度儲存;
:1000143C 0F8273030000 jb 100017B5//註冊碼的長度小於24位，就完了; ****
:10001442 B907000000 mov ecx, 00000007//置迴圈次數;
:10001447 B84D4D4D4D mov eax, 4D4D4D4D
:1000144C 8D7C2448 lea edi, dword ptr [esp+48]
:10001450 F3 repz
:10001451 AB stosd
:10001452 66AB stosw
:10001454 AA stosb//到此，將4*7+2+1=31位元組用“4D”填滿:
:10001455 B81F000000 mov eax, 0000001F
:1000145A B14D mov cl, 4D

..........................

<待續>

Search32最新版V5.08註冊演算法筆記 (一） (10千字)

相關文章