記得學習破解時,第一次成功看到註冊碼而註冊成功的就是這個軟體,現在出了2.01版,CrackABC給我這最新版本之後,就再次對他進行了一次分析,這一次就分析一下它的註冊碼的生成過程吧。
0040640F MOV ECX,ESI
00406411 CALL FREECELL.0044143E
00406416 MOV DWORD PTR SS:[ESP+F4],EAX
0040641D LEA ECX,DWORD
PTR SS:[ESP+14]
00406421 CALL FREECELL.00431955 <---------進入“註冊”視窗
00406426 CMP EAX,1 <-------有沒有點選“確定”按鈕,1為確定
00406429 JNZ FREECELL.004064F0
0040642F MOV AL,BYTE PTR
DS:[ESI+C1]
00406435 TEST AL,AL
00406437 JNZ FREECELL.004064F0
0040643D LEA ECX,DWORD PTR SS:[ESP+EC]
00406444 PUSH ECX
00406445 LEA ECX,DWORD PTR SS:[ESP+10]
00406449 CALL FREECELL.0043550A
0040644E MOV EDI,DWORD PTR SS:[ESP+F4]
00406455 PUSH ECX
00406456 LEA EDX,DWORD PTR SS:[ESP+10]
0040645A MOV ECX,ESP
0040645C MOV DWORD PTR SS:[ESP+14],ESP
00406460 PUSH EDX
00406461 MOV BYTE PTR SS:[ESP+108],2
00406469 CALL FREECELL.0043550A
0040646E PUSH EBP <--------EBP中為系統資訊碼的十六進位制值,但是註冊碼生成過程中沒有用到它。
0040646F CALL FREECELL.00405DB0 <---------此CALL為計算註冊碼的地方,跟入可分析註冊碼生成過程。由下一行的 ADD ESP,8 可知它只收到兩個參數:使用者名稱字串與 EBP;既然 EBP 並未參與計算,註冊碼就只由使用者名稱決定,與機器無關,算出的註冊碼在任何機器上都能通過檢查。
00406474 ADD ESP,8
00406477 CMP EAX,EDI <------------比較,EAX為真註冊碼,EDI為輸入的註冊碼(輸入值的十六進位制)
00406479 JNZ SHORT FREECELL.004064DF <----------不相等,則跳過。相等時,寫入登錄檔,同時顯示註冊成功對話方塊。
0040647B PUSH 0
; /Arg3 = 00000000
0040647D PUSH 0
;
|Arg2 = 00000000
0040647F PUSH FREECELL.0045428C
; |Arg1 = 0045428C
00406484 CALL
FREECELL.0043849A
; \FREECELL.0043849A
00406489 MOV EAX,DWORD PTR SS:[ESP+C]
0040648D
MOV ECX,ESI
0040648F PUSH EAX
; /Arg3
00406490 PUSH FREECELL.004541B0
; |Arg2 = 004541B0 ASCII "UserName"
00406495 PUSH FREECELL.00454158
; |Arg1 = 00454158 ASCII "Options"
0040649A CALL FREECELL.00438648
; \FREECELL.00438648
0040649F PUSH EDI
; /Arg3
004064A0 PUSH FREECELL.004541BC
; |Arg2 = 004541BC ASCII "RegisterCode"
004064A5 PUSH FREECELL.00454158
; |Arg1 = 00454158 ASCII "Options"
004064AA MOV ECX,ESI
; |
004064AC CALL FREECELL.004385D3
; \FREECELL.004385D3
004064B1
MOV BYTE PTR DS:[ESI+C1],1
004064B8 CALL FREECELL.00435B86
004064BD
TEST EAX,EAX
004064BF JE SHORT FREECELL.004064CA
004064C1
MOV EDX,DWORD PTR DS:[EAX]
004064C3 MOV ECX,EAX
004064C5
CALL DWORD PTR DS:[EDX+74]
004064C8 JMP SHORT FREECELL.004064CC
004064CA XOR EAX,EAX
004064CC MOV EAX,DWORD PTR DS:[EAX+1C]
004064CF PUSH 105
; /Redraw = RDW_INVALIDATE|RDW_ERASE|RDW_UPDATENOW
004064D4 PUSH 0
; |hUpdateRgn = NULL
004064D6
PUSH 0
; |pRect = NULL
004064D8 PUSH EAX
; |hWnd
004064D9 CALL DWORD PTR DS:[<&USER32.RedrawWi>;
\RedrawWindow 重新顯示整個視窗,視窗中將顯示“本軟體註冊為: ...”等字樣。
-----------------------進入註冊碼生成過程的CALL中------------------------
00405DB8 MOV ECX,DWORD PTR DS:[EAX-8]
00405DBB MOV
ESI,0D431 <---------初始化 ESI
00405DC0 TEST ECX,ECX <---------比較使用者名稱是否為空,ECX中為使用者名稱字串長度。
00405DC2 JLE SHORT FREECELL.00405DF8
00405DC4 / MOVSX EAX,BYTE PTR DS:[EDI+EAX] <--------取出使用者名稱中的一個位元組(EAX 為字串指標,EDI 為索引),並帶符號擴展成 32 位元放入 EAX。注意 0x80 以上的位元組(例如 Big5 中文字)會被擴展成負值,撰寫 keygen 時必須用 signed char 處理才能得到相同結果。
00405DC8 |
XOR EAX,14142135 <-----對其進行一次異或
00405DCD | PUSH EAX
<-----將EAX壓棧
00405DCE
| CALL FREECELL.004108E4
00405DD3
| ADD ESP,4
00405DD6 | CALL FREECELL.004108F1
<-------經過此CALL 後,EAX已經經過了一次變化
-------------------------------------------------------------------
變化的等效程式碼如下(0x343FD、0x269EC3 正是 MSVC CRT 的 rand() 所用的線性同餘常數,前面帶一個參數的 CALL 004108E4 應該就是 srand(),此 CALL 則相當於 rand()):
MOV ECX,EAX
IMUL ECX,ECX,343FD
ADD ECX,269EC3
MOV EAX,ECX
SHR EAX,10
AND EAX,7FFF
-------------------------------------------------------------------
00405DDB | MOV ECX,ESI
00405DDD
| SHR ECX,10
00405DE0 | SHL ESI,10
00405DE3
| OR ECX,ESI
00405DE5 | ADD EAX,ECX
00405DE7
| XOR EAX,27181828
00405DEC | INC EDI
00405DED
| MOV ESI,EAX <-------變化後,放入ESI中。
00405DEF | MOV EAX,DWORD PTR SS:[ESP+10]
00405DF3 |
CMP EDI,DWORD PTR DS:[EAX-8]
00405DF6 \ JL SHORT FREECELL.00405DC4
<----使用者字串結束時,結束迴圈。
00405DF8 PUSH 75BCD15
00405DFD CALL
FREECELL.004108E4
00405E02 ADD ESP,4
00405E05 MOV EDI,64
<--------初始化迴圈次數為100次
00405E0A /CALL FREECELL.004108F1<------此CALL內有一個變化過程
----------------------------------------------------------------
變換的等效程式碼為:
MOV ECX ,[地址1]
IMUL ECX,ECX,343FD
ADD ECX,269EC3
MOV [地址1],ECX
MOV EAX,ECX
SHR EAX,10
AND EAX,7FFF
----------------------------------------------------------------
00405E0F |MOV EDX,ESI
00405E11 |SHR EDX,10
00405E14
|SHL ESI,10
00405E17 |OR EDX,ESI
00405E19 |ADD EAX,EDX
00405E1B |XOR EAX,17320508
00405E20 |DEC EDI
00405E21
|MOV ESI,EAX <-----------經過變化後,再放入ESI
00405E23 \JNZ SHORT FREECELL.00405E0A
<-------迴圈次數達100次後,結束迴圈。
00405E25 LEA ECX,DWORD PTR SS:[ESP+10]
00405E29 CALL FREECELL.00435795
00405E2E MOV EAX,ESI
<----------將結果放入EAX後返回
00405E30 POP EDI
00405E31 POP
ESI
00405E32 RETN
--------------------------------TC20的演算法實現--------------------------------
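#include <stdio.h>
#include <string.h>

/*
 * Keygen reconstructed from the listing above.
 *
 * Every intermediate is masked to 32 bits: the original routine works in
 * EAX/ESI/ECX, so the LCG multiply wraps mod 2^32 and the rotate is a
 * 32-bit rotate.  On LP64 hosts `unsigned long` is 64 bits wide and an
 * unmasked port silently produces different codes.
 */
#define MASK32 0xFFFFFFFFUL

/* Left-rotate a 32-bit value by 16 (the SHR 10 / SHL 10 / OR sequence). */
static unsigned long rol16(unsigned long v)
{
    return ((v << 16) | (v >> 16)) & MASK32;
}

/*
 * One step of the generator behind CALL 004108F1:
 *   seed = seed * 0x343FD + 0x269EC3;  return (seed >> 16) & 0x7FFF;
 * The constants are the ones MSVC's CRT rand() uses, so CALL 004108E4
 * (which takes the pushed value) is presumably srand().
 */
static unsigned long lcg_next(unsigned long *seed)
{
    *seed = (*seed * 0x343FDUL + 0x269EC3UL) & MASK32;
    return (*seed >> 16) & 0x7FFFUL;
}

/*
 * Registration code for `name` (CALL 00405DB0).
 * Depends on the user name only: the second argument the caller pushes
 * (EBP) is not used by the routine, so the code is valid on any machine.
 */
static unsigned long freecell_regcode(const char *name)
{
    unsigned long result = 0xD431UL;        /* MOV ESI,0D431 */
    unsigned long seed, r;
    size_t i, nlen = strlen(name);

    /* Per-character loop, 00405DC4..00405DF6. */
    for (i = 0; i < nlen; i++) {
        /* MOVSX sign-extends the byte.  Cast through signed char so bytes
         * >= 0x80 (e.g. Big5 names) behave the same on platforms where
         * plain char is unsigned. */
        seed = ((unsigned long)(long)(signed char)name[i] ^ 0x14142135UL) & MASK32;
        r = lcg_next(&seed);
        result = ((r + rol16(result)) ^ 0x27181828UL) & MASK32;
    }

    /* 100 further rounds from a fixed seed, 00405DF8..00405E23. */
    seed = 123456789UL;                     /* PUSH 75BCD15 */
    for (i = 0; i < 100; i++) {
        r = lcg_next(&seed);
        result = ((r + rol16(result)) ^ 0x17320508UL) & MASK32;
    }
    return result;
}

/*
 * Read a user name from stdin and print the matching registration code.
 * Returns 0 on success, 1 if no input line could be read.
 */
int main(void)
{
    char name[256];
    unsigned long code;

    printf("輸入註冊使用者名稱:");
    /* fgets, not scanf("%s"): the read is bounded by sizeof name (the
     * original could overflow name[]), and embedded spaces survive in
     * case the registration dialog accepts them in the user name. */
    if (fgets(name, sizeof name, stdin) == NULL)
        return 1;
    name[strcspn(name, "\r\n")] = '\0';     /* drop the line terminator */

    code = freecell_regcode(name);
    /* Printed in decimal: the target compares the entered value as a
     * number (CMP EAX,EDI in the caller). */
    printf("註冊碼: %lu\r\n", code);
    getchar();          /* pause; portable stand-in for TC20's getch() */
    return 0;
}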
--------------------------------------------------------------------------