全國電話通 1.18: Algorithm Analysis + Keygen

Posted in the 看雪 (Pediy) archive on 2004-04-26

------By leozem. Please credit the source when reposting.

    Username: asdfg   Fake code: 123456
    A quick check shows the packer is "UPX 0.89.6-1.02/1.05-1.24->Markus&Laszlo". Load it in OllyDbg, scroll to the last jump, F4 (run to cursor) then F8 (step over), and dump to unpack.
    Open 全國電話通 and register with anything: it turns out the check happens on restart, and a user.ini appears in the program directory. Back into OllyDbg, set a breakpoint on the read of user.ini:

Code:
0048E014    50              PUSH    EAX
0048E015    B9 00E64800     MOV     ECX,0048E600                     ; ASCII "username"
0048E01A    BA 14E64800     MOV     EDX,0048E614                     ; ASCII "user"
0048E01F    A1 0C4C4900     MOV     EAX,[494C0C]
0048E024    8B18            MOV     EBX,[EAX]
0048E026    FF13            CALL    [EBX]                            ; read key "username" from section [user] of user.ini
0048E028    8B95 DCFCFFFF   MOV     EDX,[EBP-324]                    ; // fetch the username
0048E02E    8B45 FC         MOV     EAX,[EBP-4]
0048E031    05 58050000     ADD     EAX,558
0048E036    B9 FF000000     MOV     ECX,0FF
0048E03B    E8 D862F7FF     CALL    00404318                         ; // this CALL puts the length into EAX (a decoy: the username is never used again later on)
0048E040    68 24E64800     PUSH    0048E624
0048E045    8D85 D8FCFFFF   LEA     EAX,[EBP-328]
0048E04B    50              PUSH    EAX
0048E04C    B9 30E64800     MOV     ECX,0048E630                     ; ASCII "usercode"
0048E051    BA 14E64800     MOV     EDX,0048E614                     ; ASCII "user"
0048E056    A1 0C4C4900     MOV     EAX,[494C0C]
0048E05B    8B18            MOV     EBX,[EAX]
0048E05D    FF13            CALL    [EBX]                            ; read key "usercode" from section [user] of user.ini
0048E05F    8B95 D8FCFFFF   MOV     EDX,[EBP-328]                    ; // registration code into EDX
0048E065    8B45 FC         MOV     EAX,[EBP-4]
0048E068    05 58060000     ADD     EAX,658
0048E06D    B9 FF000000     MOV     ECX,0FF
0048E072    E8 A162F7FF     CALL    00404318                         ; registration code length
0048E077    6A 00           PUSH    0
0048E079    8D85 D4FCFFFF   LEA     EAX,[EBP-32C]
0048E07F    50              PUSH    EAX
0048E080    B9 44E64800     MOV     ECX,0048E644
0048E085    BA 54E64800     MOV     EDX,0048E654
0048E08A    A1 0C4C4900     MOV     EAX,[494C0C]
0048E08F    8B18            MOV     EBX,[EAX]
0048E091    FF13            CALL    [EBX]
0048E093    8B95 D4FCFFFF   MOV     EDX,[EBP-32C]
0048E099    8D85 F8FDFFFF   LEA     EAX,[EBP-208]
0048E09F    B9 FF000000     MOV     ECX,0FF
0048E0A4    E8 6F62F7FF     CALL    00404318
0048E0A9    33DB            XOR     EBX,EBX
0048E0AB    68 00010000     PUSH    100
0048E0B0    8D85 F8FCFFFF   LEA     EAX,[EBP-308]
0048E0B6    50              PUSH    EAX
0048E0B7    E8 DC80F7FF     CALL
0048E0BC    83FB 06         CMP     EBX,6
0048E0BF    0F8D B5000000   JGE     0048E17A
0048E0C5    8D85 CCFCFFFF   LEA     EAX,[EBP-334]
0048E0CB    8B55 FC         MOV     EDX,[EBP-4]
0048E0CE    81C2 58050000   ADD     EDX,558
0048E0D4    E8 0762F7FF     CALL    004042E0
0048E0D9    8B85 CCFCFFFF   MOV     EAX,[EBP-334]
0048E0DF    8D95 D0FCFFFF   LEA     EDX,[EBP-330]
0048E0E5    E8 169EF7FF     CALL    00407F00
0048E0EA    8B85 D0FCFFFF   MOV     EAX,[EBP-330]
0048E0F0    8B149D 143A4900 MOV     EDX,[EBX*4+493A14]               ; takes "crsky", "crsky[BCG]", "leozem", "leozem[YCG]", "yzez" in turn
                                                                     ; and compares each with the username (heh, the author even built in a
                                                                     ; hall of fame, and I'm honored to be on it)
0048E0F7    E8 8C63F7FF     CALL    00404488                         ; compare
0048E0FC    74 35           JE      SHORT 0048E133                   ; if equal, create an empty WINDOWS.INI in the Windows directory; a check at the
                                                                     ; very end refuses to start the program if WINDOWS.INI exists
0048E0FE    8D85 C8FCFFFF   LEA     EAX,[EBP-338]
0048E104    8D95 F8FCFFFF   LEA     EDX,[EBP-308]
0048E10A    B9 00010000     MOV     ECX,100
0048E10F    E8 D861F7FF     CALL    004042EC
0048E114    8D85 C8FCFFFF   LEA     EAX,[EBP-338]
0048E11A    BA 68E64800     MOV     EDX,0048E668                     ; ASCII "\\windows.ini"
0048E11F    E8 2062F7FF     CALL    00404344
0048E124    8B85 C8FCFFFF   MOV     EAX,[EBP-338]
0048E12A    E8 21A5F7FF     CALL    00408650
0048E12F    84C0            TEST    AL,AL
0048E131    74 3D           JE      SHORT 0048E170
0048E133    8D85 C4FCFFFF   LEA     EAX,[EBP-33C]
0048E139    8D95 F8FCFFFF   LEA     EDX,[EBP-308]
0048E13F    B9 00010000     MOV     ECX,100
0048E144    E8 A361F7FF     CALL    004042EC
0048E149    8D85 C4FCFFFF   LEA     EAX,[EBP-33C]
0048E14F    BA 68E64800     MOV     EDX,0048E668                     ; ASCII "\\windows.ini"
0048E154    E8 EB61F7FF     CALL    00404344
0048E159    8B85 C4FCFFFF   MOV     EAX,[EBP-33C]
0048E15F    E8 C0A3F7FF     CALL    00408524
0048E164    A1 B03D4900     MOV     EAX,[493DB0]
0048E169    8B00            MOV     EAX,[EAX]
0048E16B    E8 6895FEFF     CALL    004776D8
0048E170    43              INC     EBX
0048E171    83FB 06         CMP     EBX,6
0048E174  ^ 0F8C 4BFFFFFF   JL      0048E0C5

0048E2AB    8B85 A8FCFFFF   MOV     EAX,[EBP-358]                    ; registration code into EAX
0048E2B1    8D95 ACFCFFFF   LEA     EDX,[EBP-354]
0048E2B7    E8 08ECFFFF     CALL    0048CEC4                         ; the key CALL, step into it
0048E2BC    8B85 ACFCFFFF   MOV     EAX,[EBP-354]                    ; result: 2296281783
0048E2C2    50              PUSH    EAX
0048E2C3    8D95 A0FCFFFF   LEA     EDX,[EBP-360]
0048E2C9    8B45 F8         MOV     EAX,[EBP-8]                      ; D649A (the hidden machine code) into EAX
0048E2CC    E8 979EF7FF     CALL    00408168                         ; D649A rendered in decimal (this is in fact the real registration code)
0048E2D1    8B85 A0FCFFFF   MOV     EAX,[EBP-360]
0048E2D7    8D95 A4FCFFFF   LEA     EDX,[EBP-35C]
0048E2DD    E8 E2EBFFFF     CALL    0048CEC4                         ; same routine as the CALL at 0048E2B7
0048E2E2    8B95 A4FCFFFF   MOV     EDX,[EBP-35C]                    ; // "(hidden machine code * BA + 1) in decimal" + "83"
0048E2E8    58              POP     EAX                              ; // "(our fake code * BA + 1) in decimal" + "83"
0048E2E9    E8 9A61F7FF     CALL    00404488                         ; // the final comparison

---------- Stepping into the CALL at 0048E2B7 and 0048E2DD above:

0048CEC4    55              PUSH    EBP
0048CEC5    8BEC            MOV     EBP,ESP
0048CEC7    83C4 F8         ADD     ESP,-8
0048CECA    53              PUSH    EBX
0048CECB    33C9            XOR     ECX,ECX
0048CECD    894D F8         MOV     [EBP-8],ECX
0048CED0    8BDA            MOV     EBX,EDX
0048CED2    8945 FC         MOV     [EBP-4],EAX
0048CED5    8B45 FC         MOV     EAX,[EBP-4]
0048CED8    E8 4F76F7FF     CALL    0040452C
0048CEDD    33C0            XOR     EAX,EAX
0048CEDF    55              PUSH    EBP
0048CEE0    68 2CCF4800     PUSH    0048CF2C
0048CEE5    64:FF30         PUSH    DWORD PTR FS:[EAX]
0048CEE8    64:8920         MOV     FS:[EAX],ESP
0048CEEB    8B45 FC         MOV     EAX,[EBP-4]
0048CEEE    E8 B1B3F7FF     CALL    004082A4                         ; // convert the decimal string to an integer in EAX (shown as hex by the debugger)
0048CEF3    69C0 BA000000   IMUL    EAX,EAX,0BA                      ; // * BA
0048CEF9    40              INC     EAX                              ; // + 1
0048CEFA    8D55 F8         LEA     EDX,[EBP-8]
0048CEFD    E8 66B2F7FF     CALL    00408168                         ; render back to a decimal string into EDX
0048CF02    8B55 F8         MOV     EDX,[EBP-8]
0048CF05    8BC3            MOV     EAX,EBX
0048CF07    B9 40CF4800     MOV     ECX,0048CF40                     ; ASCII "83"
0048CF0C    E8 7774F7FF     CALL    00404388                         ; append the characters "83"
0048CF11    33C0            XOR     EAX,EAX
0048CF13    5A              POP     EDX
0048CF14    59              POP     ECX
0048CF15    59              POP     ECX
0048CF16    64:8910         MOV     FS:[EAX],EDX
0048CF19    68 33CF4800     PUSH    0048CF33
0048CF1E    8D45 F8         LEA     EAX,[EBP-8]
0048CF21    BA 02000000     MOV     EDX,2
0048CF26    E8 7571F7FF     CALL    004040A0
0048CF2B    C3              RETN
---------------------------------------
So far so good, but at 0048E2C9 EAX receives a value D649A that is then converted and compared against the registration code. Odd: what is D649A? It is not the machine code the program shows. Scroll up and look:

0048DF8F    05 F9030000     ADD     EAX,3F9                          ; EAX = C5 (hardware marker) + 3F9
0048DF94    69C0 D3020000   IMUL    EAX,EAX,2D3                      ; 4BE * 2D3 = D649A
0048DF9A    8945 F8         MOV     [EBP-8],EAX                      ; stored in [EBP-8]; ha, here it is

Found at last, and it is a tiny stretch of code. But what does it have to do with the machine code? Let's trace how the machine code is generated:

0048E813    50              PUSH    EAX
0048E814    8D45 F0         LEA     EAX,[EBP-10]
0048E817    E8 389AF7FF     CALL    00408254
0048E81C    8B45 F0         MOV     EAX,[EBP-10]
0048E81F    8D4D F8         LEA     ECX,[EBP-8]
0048E822    5A              POP     EDX
0048E823    E8 C00BFAFF     CALL    0042F3E8
0048E828    8B45 F8         MOV     EAX,[EBP-8]                      ; // decimal 197 (the serial number of some piece of my hardware)
0048E82B    E8 749AF7FF     CALL    004082A4                         ; // as an integer: C5
0048E830    69C0 D3020000   IMUL    EAX,EAX,2D3                      ; // C5 * 2D3 = 22C5F
0048E836    05 F9030000     ADD     EAX,3F9                          ; // 22C5F + 3F9 = 23058 (hex)
0048E83B    8D55 FC         LEA     EDX,[EBP-4]
0048E83E    E8 2599F7FF     CALL    00408168                         ; render in decimal
0048E843    8B55 FC         MOV     EDX,[EBP-4]                      ; EDX = 143448, which is the visible machine code the program displays
0048E846    8B83 80040000   MOV     EAX,[EBX+480]
0048E84C    E8 678FFCFF     CALL    004577B8

    The algorithm is now completely clear. At startup the program reads some marker from my machine (possibly hardware, possibly something else); on my machine it gets "197".
    From 197 it derives, by two slightly different formulas, a hidden code (never displayed, used only when validating the registration code) and a visible code (the machine code shown in the program). Validation uses the hidden code.

hidden code  = (marker + 3F9) * 2D3
visible code = marker * 2D3 + 3F9

(The "hex" versus "decimal" in the comments is only how the debugger displays the registers: 004082A4 parses the decimal string into an integer, IMUL/ADD operate on that integer, and 00408168 renders it back as a decimal string. With marker 197 = C5 this gives hidden code D649A = 877722 and visible code 23058 = 143448.)

If   [entered registration code * BA + 1] with "83" appended   ==   [hidden code * BA + 1] with "83" appended

then registration succeeds. Since x -> str(x * BA + 1) + "83" sends distinct integers to distinct strings, the check is equivalent to "entered code == hidden code in decimal"; the * BA, + 1 and "83" add no strength at all.

Time to write the keygen. Delphi 7, debugged and working on Windows 2003.
Code:
unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;

type
  TForm1 = class(TForm)
    Edit1: TEdit;      // input: the visible machine code shown by the program
    Edit2: TEdit;      // output: the registration code
    Button1: TButton;
    Button2: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.Button1Click(Sender: TObject);
var
  a1: Cardinal;
begin
  a1 := StrToInt(Edit1.Text);   // visible code = marker * $2D3 + $3F9
  a1 := a1 - 1017;              // undo + $3F9 (1017)
  a1 := a1 div 723;             // undo * $2D3 (723): a1 is now the marker
  a1 := a1 + 1017;              // hidden code = (marker + $3F9) * $2D3
  a1 := a1 * 723;
  Edit2.Text := IntToStr(a1);   // the hidden code in decimal is the registration code
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
  ShowMessage('By leozem[D.4S][DFCG]');
end;

end.
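The same algorithm in Python, as an added example that is not part of the original post: it models the program's validation exactly as reverse-engineered above (constants 3F9, 2D3, BA and the "83" suffix come from the disassembly; marker 197 is the author's machine) and the keygen that inverts the visible machine code. The function names and the rejection of values the program could never display are my own additions.

```python
# Added example, not the original post's code: model of the 全國電話通 1.18
# registration check plus the keygen that inverts it. Constants are from the
# disassembly; function names are my own.

HW_ADD = 0x3F9      # 1017
HW_MUL = 0x2D3      # 723
CHK_MUL = 0xBA      # 186
CHK_SUFFIX = "83"


def visible_machine_code(marker: int) -> int:
    # 0048E830..0048E836: marker * 2D3 + 3F9, displayed to the user in decimal
    return marker * HW_MUL + HW_ADD


def hidden_machine_code(marker: int) -> int:
    # 0048DF8F..0048DF94: (marker + 3F9) * 2D3, never displayed
    return (marker + HW_ADD) * HW_MUL


def transform(value_str: str) -> str:
    # sub_0048CEC4: parse decimal, * BA, + 1, back to decimal, append "83"
    return str(int(value_str) * CHK_MUL + 1) + CHK_SUFFIX


def program_accepts(marker: int, entered_code: str) -> bool:
    # The comparison at 0048E2E9: both sides pass through transform().
    try:
        lhs = transform(entered_code)
    except ValueError:              # non-numeric input cannot match
        return False
    rhs = transform(str(hidden_machine_code(marker)))
    return lhs == rhs


def keygen(visible_code: int) -> int:
    # Invert visible_machine_code() to recover the marker, then recompute
    # the hidden code. A value that is not marker*2D3+3F9 for some
    # non-negative marker is not something this program would display.
    if visible_code < HW_ADD or (visible_code - HW_ADD) % HW_MUL:
        raise ValueError("not a machine code this program would display")
    marker = (visible_code - HW_ADD) // HW_MUL
    return hidden_machine_code(marker)


if __name__ == "__main__":
    # Author's machine: marker 197 -> visible 143448 -> registration code 877722
    shown = visible_machine_code(197)
    code = keygen(shown)
    print(shown, code, program_accepts(197, str(code)))
```

Because transform() only re-encodes an integer, any string that parses to the same integer (for instance with leading zeros) passes as well; the check is equivalent to comparing the entered code with the hidden code as integers.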
