SuperCleaner 2.31註冊碼演算法分析 - OCG (13千字)
SuperCleaner
2.31註冊碼演算法分析
=================
軟體簡介:
幫助使用者清洗他們的計算機硬碟內不必要的檔案的程式。它能掃描你的系
統讓你選擇不再需要的檔案進行刪除。並能備份檔案已避免你誤刪除有用的文
件,此備份功能將不必要的檔案扔進再迴圈箱,這樣可以讓你再必要的時候恢
覆資訊。
破解工具:SOFTICE,W32DASM
================================================
分析:
此軟體採用使用者名稱,註冊碼的驗證方式
在軟體註冊視窗中輸入以下資訊:
使用者名稱:alpha
註冊碼:98765432
用GETWINDOWTEXT 做斷點,程式沒有被中斷。換成GETDLGITEMTEXT,按下確定後,彈出SOFTICE視窗。按兩下F12彈出註冊失敗對話方塊,因此,ENABLE前面下的斷點後,只按一下F12,然後用F10單步跟蹤,來到:
* Reference To: USER32.GetDlgItemTextA, Ord:0113h
|
:0041220F 8B3D7C124200
mov edi, dword ptr [0042127C]
:00412215 6817040000
push 00000417
:0041221A 56
push esi
:0041221B
FFD7 call
edi <<----------取得使用者名稱
:0041221D 8D542408
lea edx, dword ptr [esp+08]
:00412221 6800010000
push 00000100
:00412226 52
push edx
:00412227 68FC030000 push
000003FC
:0041222C 56
push esi
:0041222D FFD7
call edi <<--------取得輸入的註冊碼
:0041222F
8D442408 lea eax, dword
ptr [esp+08] <<-------輸入的註冊碼的首地址->EAX
:00412233 8D8C2408010000
lea ecx, dword ptr [esp+00000108] <<----使用者名稱的首地址->ECX
:0041223A 50
push eax
:0041223B 51
push ecx
:0041223C E8BF080000
call 00412B00 <<-----注意這個CALL
:00412241
83C408 add esp,
00000008
:00412244 85C0
test eax, eax
:00412246 5F
pop edi
:00412247 7443
je 0041228C <<-----註冊碼不對就跳
:00412249 8D542404
lea edx, dword ptr [esp+04]
:0041224D 8D842404010000
lea eax, dword ptr [esp+00000104]
:00412254 52
push edx
:00412255
50
push eax
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:00412247(C)
|
:0041228C 6A00
push 00000000
* Possible StringData
Ref from Data Obj ->"SuperCleaner"
|
:0041228E
686C454200 push 0042456C
* Possible Reference to String Resource ID=00010: "?w `e?
cn"
|
:00412293 6A0A
push 0000000A
:00412295 56
push esi
:00412296
E85572FFFF call 004094F0 <<------註冊失敗對話方塊
:0041229B 83C410
add esp, 00000010
===================================================
由上面不難看出,關鍵就在 0041223C處的CALL,跟蹤進入這個CALL,來到:
* Referenced by a CALL at
Addresses:
|:0041223C , :00412A2E
|
:00412B00 81EC00010000
sub esp, 00000100
:00412B06 A0D09C4200
mov al, byte ptr [00429CD0]
:00412B0B
56
push esi
:00412B0C 57
push edi
:00412B0D 88442408
mov byte ptr [esp+08], al
* Possible Reference
to String Resource ID=00063: "`~?+ Netscape 4 棚?"
|
:00412B11 B93F000000
mov ecx, 0000003F
:00412B16 33C0
xor eax, eax
:00412B18 8D7C2409
lea edi, dword ptr [esp+09]
:00412B1C
8B94240C010000 mov edx, dword ptr [esp+0000010C] <<-----使用者名稱的首地址送入EDX
:00412B23 F3
repz
:00412B24 AB
stosd
:00412B25 66AB
stosw
:00412B27 8D4C2408
lea ecx, dword ptr [esp+08]
:00412B2B 33F6
xor esi, esi
:00412B2D 51
push ecx
:00412B2E 52
push edx
:00412B2F AA
stosb
:00412B30 E8AB000000 call 00412BE0 <<--------此CALL如果用F10過的話,EAX將放入正確註冊碼的首地址,但本文是對這個軟體的註冊碼演算法進行分析,因此有必要進入這個CALL看看
:00412B35 8B8C2418010000 mov ecx, dword
ptr [esp+00000118] <<-------輸入的註冊碼的首地址->ECX
:00412B3C 8D442410
lea eax, dword ptr [esp+10]
<<--------正確的註冊碼的首地址->EAX
:00412B40 50
push eax
:00412B41 51
push ecx
:00412B42 E869FFFFFF call
00412AB0 <<-----比較函式
:00412B47 83C410
add esp, 00000010
:00412B4A 85C0
test eax, eax
* Possible Reference to String Resource ID=00001: "蜩%s"
|
:00412B4C B801000000
mov eax, 00000001
:00412B51 7502
jne 00412B55 <<----相同則跳走
:00412B53
8BC6 mov
eax, esi
====================================================
進入 00412B30處的CALL,來到:
* Referenced by a CALL at Address:
|:00412B30
|
:00412BE0 81EC00010000 sub esp, 00000100
:00412BE6 A0D09C4200 mov
al, byte ptr [00429CD0]
:00412BEB 53
push ebx
:00412BEC 55
push ebp
:00412BED
56
push esi
:00412BEE 57
push edi
:00412BEF 88442410
mov byte ptr [esp+10], al
* Possible Reference
to String Resource ID=00063: "`~?+ Netscape 4 棚?"
|
:00412BF3 B93F000000
mov ecx, 0000003F
:00412BF8 33C0
xor eax, eax
:00412BFA 8D7C2411
lea edi, dword ptr [esp+11]
:00412BFE
F3
repz
:00412BFF AB
stosd
:00412C00 66AB
stosw
:00412C02 AA
stosb
:00412C03 8BBC2414010000
mov edi, dword ptr [esp+00000114] <<------使用者名稱首地址送入EDI
:00412C0A 57
push edi
* Reference To: KERNEL32.lstrlenA, Ord:039Eh
|
:00412C0B FF1510124200
Call dword ptr [00421210] <<-----取得使用者名稱的長度並送入EAX
:00412C11 8BF0
mov esi, eax
:00412C13 33C9
xor ecx, ecx
:00412C15 33C0
xor eax, eax <<-----EAX清零,為計數做準備
:00412C17 85F6
test esi, esi
:00412C19 7E13
jle 00412C2E
:00412C1B 8B15406C4200
mov edx, dword ptr [00426C40] <<-----初始化EDX(EDX=0x26)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C2C(C)
|
:00412C21 0FBE1C38
movsx ebx, byte ptr [eax+edi] <<----將使用者名稱中的每個字元按順序送入EBX,每次迴圈送入一個
:00412C25 03DA
add ebx, edx
:00412C27 03CB
add ecx, ebx <<-----本次運算結果在ECX(此例中為0x2C4)
:00412C29 40
inc eax
:00412C2A 3BC6
cmp eax, esi
:00412C2C 7CF3
jl 00412C21
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00412C19(C)
|
:00412C2E 8B9C2418010000 mov ebx, dword
ptr [esp+00000118]
:00412C35 51
push ecx
* Possible Reference to
Dialog:
|
:00412C36 68546C4200
push 00426C54
:00412C3B 53
push ebx
* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412C3C FF15FC124200
Call dword ptr [004212FC] <<-----將ECX中的值以字串的形式放在[EBX]中,並在其尾部加上'-'(此例中為:“708-”)
:00412C42 83C40C
add esp, 0000000C
:00412C45 33C9
xor ecx, ecx
:00412C47 33C0
xor eax, eax
:00412C49 85F6
test esi, esi
:00412C4B 7E14
jle 00412C61
:00412C4D 8B15446C4200
mov edx, dword ptr [00426C44] <<-----初始化EBP(EBP=0x34)
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00412C5F(C)
|
:00412C53 0FBE2C38
movsx ebp, byte ptr [eax+edi] <<----將使用者名稱中的每個字元按順序送入EBP,每次迴圈送入一個
:00412C57
0FAFEA imul ebp,
edx
:00412C5A 03CD
add ecx, ebp <<--------本次運算結果放在ECX
:00412C5C 40
inc eax
:00412C5D 3BC6
cmp eax, esi
:00412C5F 7CF2
jl 00412C53
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00412C4B(C)
|
:00412C61 51
push ecx
:00412C62 8D4C2414
lea ecx, dword ptr [esp+14]
* Possible Reference to Dialog:
|
:00412C66 68546C4200
push 00426C54
:00412C6B 51
push ecx
* Reference
To: USER32.wsprintfA, Ord:02D8h
|
:00412C6C
FF15FC124200 Call dword ptr [004212FC] <<-----將ECX中的值(0x6938)轉化為字串的形式
:00412C72 83C40C
add esp, 0000000C
:00412C75 8D542410
lea edx, dword ptr [esp+10] <<----字串(此例中為:“26936-”)的首地址送入EDX
:00412C79 52
push edx
:00412C7A 53
push ebx
* Reference To: KERNEL32.lstrcatA,
Ord:038Fh
|
:00412C7B FF15F8114200
Call dword ptr [004211F8] <<------連線前面兩次運算所得的結果
:00412C81 33C9
xor ecx, ecx
:00412C83 33C0
xor eax, eax
:00412C85 85F6
test esi, esi
:00412C87
7E13 jle
00412C9C
:00412C89 8B15486C4200
mov edx, dword ptr [00426C48] <<-----初始化EDX(EDX=0xC)
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00412C9A(C)
|
:00412C8F 0FBE2C38
movsx ebp, byte ptr [eax+edi] <<----將使用者名稱中的每個字元按順序送入EBP,每次迴圈送入一個
:00412C93
03EA add
ebp, edx
:00412C95 03CD
add ecx, ebp <<-----本次運算結果在ECX(此例中為:0x242)
:00412C97
40
inc eax
:00412C98 3BC6
cmp eax, esi
:00412C9A 7CF3
jl 00412C8F
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00412C87(C)
|
:00412C9C 51
push ecx
:00412C9D 8D442414
lea eax, dword ptr [esp+14]
* Possible Reference to Dialog:
|
:00412CA1 68546C4200
push 00426C54
:00412CA6 50
push eax
* Reference
To: USER32.wsprintfA, Ord:02D8h
|
:00412CA7
FF15FC124200 Call dword ptr [004212FC] <<------將ECX中的值(0x242)轉化為字串的形式
:00412CAD 83C40C
add esp, 0000000C
:00412CB0 8D4C2410
lea ecx, dword ptr [esp+10] <<----字串(此例中為:“578-”)的首地址送入EDX
:00412CB4 51
push ecx
:00412CB5 53
push ebx
* Reference To: KERNEL32.lstrcatA,
Ord:038Fh
|
:00412CB6 FF15F8114200
Call dword ptr [004211F8] <<-----連線前三次運算所得的結果
:00412CBC 33C9
xor ecx, ecx
:00412CBE 33C0
xor eax, eax
:00412CC0 85F6
test esi, esi
:00412CC2
7E14 jle
00412CD8
:00412CC4 8B154C6C4200
mov edx, dword ptr [00426C4C]
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:00412CD6(C)
|
:00412CCA 0FBE2C38
movsx ebp, byte ptr [eax+edi] <<----將使用者名稱中的每個字元按順序送入EBP,每次迴圈送入一個
:00412CCE 0FAFEA
imul ebp, edx
:00412CD1 03CD
add ecx, ebp
:00412CD3 40
inc eax
:00412CD4 3BC6
cmp eax, esi
:00412CD6 7CF2
jl 00412CCA
* Referenced by a (U)nconditional or (C)onditional Jump
at Address:
|:00412CC2(C)
|
:00412CD8 51
push ecx
:00412CD9 8D542414
lea edx, dword ptr [esp+14]
* Possible Reference to Dialog:
|
:00412CDD 68506C4200 push
00426C50
:00412CE2 52
push edx
* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412CE3 FF15FC124200
Call dword ptr [004212FC] <<------將ECX中的值(0x1C54)轉化為字串的形式
:00412CE9 83C40C
add esp, 0000000C
:00412CEC 8D442410
lea eax, dword ptr [esp+10] <<----字串(此例中為:“-7252”)的首地址送入EAX
:00412CF0 50
push eax
:00412CF1 53
push ebx
* Reference To: KERNEL32.lstrcatA,
Ord:038Fh
|
:00412CF2 FF15F8114200
Call dword ptr [004211F8] <<-----字串的連線
:00412CF8 5F
pop edi
:00412CF9 5E
pop esi
:00412CFA 5D
pop ebp
:00412CFB
5B
pop ebx
:00412CFC 81C400010000 add
esp, 00000100
:00412D02 C3
ret
===============================================
這個軟體的註冊碼形式為:SN1-SN2-SN3-SN4
它的演算法就是對使用者名稱分別進行四次運算,並將每次運算的結果轉成字串形式並連線成 SN1-SN2-SN3-SN4
這四次運算中用到了四個初始值:0x26,0x34,0xC,0xE
===============================================
===============Open Cracking Group=============
CrAcKeD BY alphakk/OCG
相關文章
- supercleaner註冊演算法分析2015-11-15演算法
- Registry Crawler 4.0註冊碼演算法分析 - OCG
(20千字)2002-04-07演算法
- Magic convertor 2.8註冊碼演算法分析
- OCG (9千字)2015-11-15演算法
- ClockWise 3.22e註冊碼演算法分析 - OCG (17千字)2002-04-10演算法
- CoolClock V1.02註冊演算法分析 ---OCG (14千字)2015-11-15演算法
- GSview V4.12 for Windows註冊演算法分析 -
OCG (8千字)2015-11-15ViewWindows演算法
- Search32-PRO
v6.05註冊演算法分析 - OCG (46千字)2002-04-07演算法
- Green Tea 2.60註冊碼演算法分析 (3千字)2000-07-17演算法
- SuperCleaner演算法分析----菜鳥級
(12千字)2015-11-15演算法
- 註冊碼演算法 (2千字)2001-01-14演算法
- UltraEdit-32
10註冊碼演算法分析 (19千字)2003-05-17演算法
- **********.exe註冊碼演算法分析--高手莫笑 (31千字)2015-11-15演算法
- 中文撥號上網計時計費器 V4.12註冊演算法分析--[OCG] (23千字)2002-03-26演算法
- 鬥地主4.0註冊演算法,序號產生器在OCG論壇
(22千字)2015-11-15演算法
- FolderView 1.7
註冊演算法分析 (14千字)2015-11-15View演算法
- Konvertor 3.03的註冊碼演算法模組的分析
(7千字)2015-11-15演算法
- Instant Source 註冊演算法分析+註冊器原始碼2015-11-15演算法原始碼
- 重新貼過註冊演算法分析 (16千字)2001-10-23演算法
- JProfiler 13 Mac版,JProfiler 13註冊碼2023-04-20Mac
- FolderView註冊部分的計算 (13千字)2001-05-27View
- Gif2Swf2.1註冊演算法分析 特別獻給CNCG組織 (13千字)2001-10-28演算法
- CPUCOOL 5.1000註冊碼分析 (6千字)2001-01-19
- EffeTech HTTP Sniffer 3.2註冊演算法分析 (5千字)2002-06-24HTTP演算法
- 完美解除安裝6.0註冊演算法分析 (2千字)2002-02-27演算法
- Directory Scanner v1.5 註冊演算法分析 (6千字)2015-11-15演算法
- MouseStar V3.01註冊演算法分析 (18千字)2015-11-15演算法
- Cleaner 3.2註冊分析 (18千字)2001-12-09
- EmEditor v3 Version 3.09 漢化版註冊碼演算法分析
(8千字)2001-01-09演算法
- Screen Demo Maker
V3.0註冊演算法分析 (8千字)2002-09-10演算法
- 飄雪動畫秀3.02註冊演算法分析!
(11千字)2015-11-15動畫演算法
- 檔案密使2.6註冊碼分析詳解 (11千字)2001-11-30
- 〖網際營銷〗V2.4 註冊演算法分析 (11千字)2001-11-03演算法
- EZ MP3 Recorder 1.15 註冊演算法分析 (14千字)2015-11-15演算法
- 一個區域網工具的註冊演算法分析
(5千字)2015-11-15演算法
- SpeedFlash註冊演算法分析(VB)2015-11-15演算法
- 空檔接龍助手2.01註冊碼分析。 (6千字)2003-01-13
- getPassword2.3註冊碼計算分析過程 (3千字)2001-11-07
- 財智老闆通3.04註冊版---註冊演算法分析2003-03-16演算法