ClockWise 3.22e註冊碼演算法分析 - OCG (17千字)
=======================
=
=
=
=ClockWise 3.22e註冊碼演算法分析
=
=
=
= CrAcKeD BY alphakk/OCG
=
=
=
=======================
軟體簡介:(略)
==================
破解工具:TRW2000 1.22娃娃版,W32DASM
題外話:
本來我是用SOFTICE分析的,但這個軟體對SOFTICE防了一手,連我的SOFTICE 4.05+後門補丁+ICEDUMP+SUPERBPM+FROGICE都搞不定它,害得我轉了很大一圈,最後用TRW2000才搞定:(,在此感謝FiNALSAPrH兄的幫助:)
==================
分析:
用W32DASM反彙編它,查詢註冊失敗對話方塊中的文字,來到:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004227FD(C)
|
:00422823 B801000000
mov eax, 00000001
:00422828 5E
pop esi
:00422829 C3
ret
:0042282A 90
nop
:0042282B 90
nop
:0042282C 90
nop
:0042282D 90
nop
:0042282E 90
nop
:0042282F 90
nop
:00422830 56
push esi
:00422831 8BF1
mov esi, ecx
:00422833 E848000000
call 00422880 <<----很明顯,註冊碼的演算法就在這裡面了
:00422838 85C0
test eax, eax
:0042283A 7425
je 00422861
:0042283C 8BCE
mov ecx, esi
:0042283E E83D020000
call 00422A80
:00422843 6A40
push 00000040
* Possible Reference to Dialog:
|
:00422845 68280E4600
push 00460E28
* Possible StringData Ref from Data Obj ->"THANK YOU for registering ClockWise"
|
:0042284A 6874124600
push 00461274
:0042284F 8BCE
mov ecx, esi
:00422851 E8F3F90100 call 00442249
:00422856 6A00
push 00000000
:00422858 8BCE
mov ecx, esi
:0042285A E83EDB0100
call 0044039D
:0042285F 5E
pop esi
:00422860 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042283A(C)
|
:00422861 6A30
push 00000030
* Possible Reference to Dialog:
|
:00422863 68C0D14500
push 0045D1C0
* Possible StringData Ref from Data Obj ->"Sorry, registration didn't work!"
|
:00422868 6850124600
push 00461250
:0042286D 8BCE
mov ecx, esi
:0042286F E8D5F90100
call 00442249
:00422874 6A01
push 00000001
:00422876 8BCE
mov ecx, esi
:00422878 E820DB0100
call 0044039D
:0042287D 5E
pop esi
:0042287E C3
ret
:0042287F 90
nop
========================================================
在註冊視窗中填入:
User Name:alphakk/OCG
Serial Number:987654
Registration:98765432
用TRW2000下斷:BPX 167:422833(用SOFTICE下斷的話,會沒反應的)
中斷後,按F8跟進167:42833處的CALL
來到:
* Referenced by a CALL at Addresses:
|:00422801 , :00422833
|
:00422880 55
push ebp
:00422881 8BEC
mov ebp, esp
:00422883 83EC14
sub esp, 00000014
:00422886 53
push ebx
:00422887 56
push esi
:00422888 57
push edi
:00422889 8BF9
mov edi, ecx
:0042288B 33F6
xor esi, esi
:0042288D 897DF4
mov dword ptr [ebp-0C], edi
:00422890 8B4760
mov eax, dword ptr [edi+60] <<--------使用者名稱首地址->EAX
:00422893 8975F8
mov dword ptr [ebp-08], esi
:00422896 8B40F8
mov eax, dword ptr [eax-08] <<--------使用者名稱長度->EAX
:00422899 3BC6
cmp eax, esi <<-----------------判斷操作是否成功
:0042289B 8945FC
mov dword ptr [ebp-04], eax
:0042289E 0F84C4010000 je 00422A68
:004228A4 8B4768
mov eax, dword ptr [edi+68] <<------序列號首地址->EAX
:004228A7 3970F8
cmp dword ptr [eax-08], esi
:004228AA 0F8EB8010000 jle 00422A68
:004228B0 8B4F64
mov ecx, dword ptr [edi+64]
:004228B3 8379F805
cmp dword ptr [ecx-08], 00000005
:004228B7 0F8EAB010000
jle 00422A68 <<-----------------比較使用者名稱長度是否大於5,否則跳
:004228BD 50
push eax
:004228BE E8F1C40000
call 0042EDB4 <<--------將使用者輸入的序列號轉換成十六進位制->EAX
:004228C3 8BD8
mov ebx, eax
:004228C5 83C404
add esp, 00000004
:004228C8 83FB01
cmp ebx, 00000001
:004228CB 0F8294010000
jb 00422A65 <<-------小於1則跳走(即跳出,不再進行下面的運算)
:004228D1 81FB2C010000
cmp ebx, 0000012C
:004228D7 760C
jbe 004228E5 <<----小於或等於300則跳至 4228E5 處
:004228D9 81FBE8030000
cmp ebx, 000003E8
:004228DF 0F8280010000
jb 00422A65 <<-------小於1000則跳走(即跳出,不再進行下面的運算)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004228D7(C)
|
:004228E5 81FBC4090000
cmp ebx, 000009C4
:004228EB 760C
jbe 004228F9 <<-----小於或等於2500則跳至 4228F9 處
:004228ED 81FB88130000
cmp ebx, 00001388
:004228F3 0F826C010000
jb 00422A65 <<-------小於5000則跳走(即跳出,不再進行下面的運算)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004228EB(C)
|
:004228F9 81FB401F0000
cmp ebx, 00001F40
:004228FF 760C
jbe 0042290D <<------小於或等於8000則跳至 42290D 處
:00422901 81FB67270000
cmp ebx, 00002767
:00422907 0F8258010000
jb 00422A65 <<-------小於10087則跳至 422A65 處(即跳出,不再進行下面的運算)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004228FF(C)
|
:0042290D 81FB162A0000
cmp ebx, 00002A16
:00422913 760C
jbe 00422921 <<-----小於或等於10774則跳至 422921 處
:00422915 81FB532A0000
cmp ebx, 00002A53
:0042291B 0F8244010000
jb 00422A65 <<-----小於10835則跳至 422A65 處(即跳出,不再進行下面的運算)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422913(C)
|
:00422921 81FBE02E0000
cmp ebx, 00002EE0
:00422927 760C
jbe 00422935 <<------小於或等於12000則跳至 422935 處
:00422929 81FB204E0000
cmp ebx, 00004E20
:0042292F 0F8230010000
jb 00422A65 <<-------小於或等於17120則跳至 422A65 處(即跳出,不再進行下面的運算)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422927(C)
|
:00422935 81FBF0550000
cmp ebx, 000055F0
:0042293B 0F8724010000
ja 00422A65 <<---------大於22000則跳走(即跳出,不再進行下面的運算)
:00422941 8B4DFC
mov ecx, dword ptr [ebp-04] <<------使用者名稱長度->ECX
:00422944 33C0
xor eax, eax <<-----EAX清零,準備計數
:00422946 3BCE
cmp ecx, esi
:00422948 7E1C
jle 00422966
:0042294A 8B5760
mov edx, dword ptr [edi+60] <<------使用者名稱首地址->EDX
==========================================================
由上面不難看出,序列號的範圍為:(1,300],(1000,2500],(5000,8000],(10087,10774],(10835,12000],(17120,22000)
因此,將註冊視窗中的Serial Number改為12000,再進行第二次跟蹤,來到:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422964(C)
|
:0042294D 8D4801
lea ecx, dword ptr [eax+01] <<-----計數器加一送入ECX
:00422950 8B7DFC
mov edi, dword ptr [ebp-04] <<-----使用者名稱長度->EDI
:00422953 0FBE0402
movsx eax, byte ptr [edx+eax] <<----按順序取使用者名稱的每一個字元
:00422957 0FAFC1
imul eax, ecx
:0042295A 03C7
add eax, edi
:0042295C 03F0
add esi, eax
:0042295E 8BC1
mov eax, ecx
:00422960 8BCF
mov ecx, edi
:00422962 3BC1
cmp eax, ecx
:00422964 7CE7
jl 0042294D
==========================================================
上面這段程式碼為註冊碼演算法中的一部分,很重要
==========================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422948(C)
|
:00422966 8B55FC
mov edx, dword ptr [ebp-04] <<-----使用者名稱長度->EDX
:00422969 8D4DEC
lea ecx, dword ptr [ebp-14]
:0042296C 0FAFD3
imul edx, ebx <<--------EBX中為使用者輸入的序列號的十六進位制形式
:0042296F 6A10
push 00000010
:00422971 03D6
add edx, esi
:00422973 51
push ecx
:00422974 52
push edx
:00422975 E8517A0100
call 0043A3CB <<---------將EDX中的值轉化為字串形式
:0042297A 8A55EC
mov dl, byte ptr [ebp-14]
:0042297D 83C40C
add esp, 0000000C
:00422980 84D2
test dl, dl
:00422982 741C
je 004229A0
:00422984 8D75EC
lea esi, dword ptr [ebp-14]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042299B(C)
|
:00422987 0FBEC2
movsx eax, dl
:0042298A 50
push eax
:0042298B E8A0D80000
call 00430230
:00422990 83C404
add esp, 00000004
:00422993 8806
mov byte ptr [esi], al
:00422995 8A5601
mov dl, byte ptr [esi+01]
:00422998 46
inc esi
:00422999 84D2
test dl, dl
:0042299B 75EA
jne 00422987
:0042299D 8A55EC
mov dl, byte ptr [ebp-14]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422982(C)
|
:004229A0 8D7DEC
lea edi, dword ptr [ebp-14]
:004229A3 83C9FF
or ecx, FFFFFFFF
:004229A6 33C0
xor eax, eax
:004229A8 F2
repnz
:004229A9 AE
scasb
:004229AA F7D1
not ecx
:004229AC 49
dec ecx <<------004229A3~004229AC:測試字串長度->ECX
:004229AD 83F904
cmp ecx, 00000004 <<------比較字串長度是否大於4
:004229B0 7341
jnb 004229F3 <<----大於則跳
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004229F1(C)
|
:004229B2 8D7DEC
lea edi, dword ptr [ebp-14]
:004229B5 83C9FF
or ecx, FFFFFFFF
:004229B8 33C0
xor eax, eax
:004229BA F2
repnz
:004229BB AE
scasb
:004229BC F7D1
not ecx
:004229BE 49
dec ecx
:004229BF 8D7DEC
lea edi, dword ptr [ebp-14]
:004229C2 88440DED
mov byte ptr [ebp+ecx-13], al
:004229C6 83C9FF
or ecx, FFFFFFFF
:004229C9 F2
repnz
:004229CA AE
scasb
:004229CB F7D1
not ecx
:004229CD 49
dec ecx
:004229CE 41
inc ecx
:004229CF 740B
je 004229DC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004229DA(C)
|
:004229D1 8A540DEB
mov dl, byte ptr [ebp+ecx-15]
:004229D5 88540DEC
mov byte ptr [ebp+ecx-14], dl
:004229D9 49
dec ecx
:004229DA 75F5
jne 004229D1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004229CF(C)
|
:004229DC B230
mov dl, 30
:004229DE 8D7DEC
lea edi, dword ptr [ebp-14]
:004229E1 83C9FF
or ecx, FFFFFFFF
:004229E4 33C0
xor eax, eax
:004229E6 8855EC
mov byte ptr [ebp-14], dl
:004229E9 F2
repnz
:004229EA AE
scasb
:004229EB F7D1
not ecx
:004229ED 49
dec ecx
:004229EE 83F904
cmp ecx, 00000004
:004229F1 72BF
jb 004229B2
=========================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004229B0(C)
|
:004229F3 8A45EF
mov al, byte ptr [ebp-11]
:004229F6 8A4DEE
mov cl, byte ptr [ebp-12]
:004229F9 8845F1
mov byte ptr [ebp-0F], al
:004229FC 884DF0
mov byte ptr [ebp-10], cl
:004229FF 8A4DED
mov cl, byte ptr [ebp-13]
:00422A02 8AC3
mov al, bl
:00422A04 C645F200
mov [ebp-0E], 00
:00422A08 884DEF
mov byte ptr [ebp-11], cl
:00422A0B 8855EE
mov byte ptr [ebp-12], dl
:00422A0E F6EA
imul dl
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00422A20(C), :00422A24(U)
|
:00422A10 3C41
cmp al, 41
:00422A12 7204
jb 00422A18
:00422A14 3C5A
cmp al, 5A
:00422A16 760E
jbe 00422A26
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422A12(C)
|
:00422A18 044A
add al, 4A
:00422A1A 3C4F
cmp al, 4F
:00422A1C 7404
je 00422A22
:00422A1E 3C49
cmp al, 49
:00422A20 75EE
jne 00422A10
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422A1C(C)
|
:00422A22 044A
add al, 4A
:00422A24 EBEA
jmp 00422A10
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422A16(C)
|
:00422A26 8845EC
mov byte ptr [ebp-14], al
:00422A29 8A45FC
mov al, byte ptr [ebp-04]
:00422A2C F6E9
imul cl
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422A38(U)
|
:00422A2E 3C30
cmp al, 30
:00422A30 7204
jb 00422A36
:00422A32 3C39
cmp al, 39
:00422A34 7604
jbe 00422A3A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422A30(C)
|
:00422A36 044A
add al, 4A
:00422A38 EBF4
jmp 00422A2E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422A34(C)
|
:00422A3A 8845ED
mov byte ptr [ebp-13], al
:00422A3D 90
nop
:00422A3E 90
nop
:00422A3F 90
nop
:00422A40 90
nop
:00422A41 90
nop
:00422A42 8B55F4
mov edx, dword ptr [ebp-0C]
:00422A45 8B4264
mov eax, dword ptr [edx+64]
:00422A48 50
push eax
:00422A49 8D45EC
lea eax, dword ptr [ebp-14]
:00422A4C 50
push eax
* Reference To: KERNEL32.lstrcmpA, Ord:02FCh <<--------很熟悉吧?:)
|
:00422A4D FF1518F34400
Call dword ptr [0044F318]
:00422A53 85C0
test eax, eax
:00422A55 7511
jne 00422A68
:00422A57 90
nop
:00422A58 90
nop
:00422A59 90
nop
:00422A5A 90
nop
:00422A5B 90
nop
:00422A5C C745F801000000
mov [ebp-08], 00000001
:00422A63 EB03
jmp 00422A68
===================================================
後記:
在快寫完本文時,我突然想起,在看雪的教程裡,有一處提到如果不能中斷的話,可在程式中插入INT 3 指令來強行中斷,於是,重新來到422833處,往上不遠處有一串NOP指令,先將最後一個NOP指令用WINHEX改為INT 3(機器碼為CC),再用SOFTICE下BPINT 3,結果沒反應:(,思考了一下,試試將它的下一條指令PUSH ESI(機器碼為56)改成INT 3(機器碼為CC),成功中斷!這下SOFTICE也可以進行跟蹤了:),不過,在斷後要記得執行 EB EIP 56,將程式的原來的指令恢復,要不然會沒有響應的:)
===================================================
=======================
=
=
=
=ClockWise 3.22e註冊碼演算法分析
=
=
=
= CrAcKeD BY alphakk/OCG
=
= 序號產生器在OCG論壇上
= http://www.newclw.com/lllufh/cgi-bin/topic.cgi?forum=2&topic=26&show=0
=======================