QuickCD 1.0.320破解手記--演算法分析
QuickCD 1.0.320破解手記--演算法分析
作者:newlaos[DFCG]
軟體名稱:QuickCD 1.0.320(系統設定)
整理日期:2003.3.28(華軍網)
最新版本:1.0.320
檔案大小:59KB
軟體授權:共享軟體
使用平臺:Win9x/Me/NT/2000/XP
釋出公司:"http://www.websamba.com/morequick"
軟體簡介:QuickCD可以幫助你方便快捷的開啟關閉光碟機門,你可以選擇熱鍵或者滑鼠點選兩種方式:1.熱鍵(F9:開啟光碟機門,F10:關閉光碟機門,F11:彈出設定對話方塊),當然你可以設定新的熱鍵.2.滑鼠點選(點選托盤圖示:開啟光碟機門,右擊托盤圖示:關閉光碟機門,右雙擊托盤圖示:彈出選單)
加密方式:註冊碼
功能限制:未註冊資訊提示
PJ工具:TRW20001.23註冊版,W32Dasm8.93黃金版,FI2.5,eXeScope6.30
PJ日期:2003-03-31
作者newlaos申明:只是學習,請不用於商業用途或是將本文方法制作的序號產生器任意傳播,造成後果,本人一概不負。
1、先用FI2.5看一下主檔案“QuickCD.exe”,沒加殼。程式是用VC++6.0編的
2、用W32Dasm8.93黃金版對QuickCD.exe進行靜態反彙編,再用串式資料參考,找不到什麼經典的句子,怎麼辦?先用eXeScope6.30對檔案的資源進行分析,在“資源\字串表\1”,可以看見:
7,註冊成功
8,註冊碼錯誤!
9,感謝你的註冊,我們以後將為你提供更好的服務!
再回到W32Dasm8.93,找到"String Resource ID=00007: "?""(這就是註冊成功),雙擊後發現引用處有很多,很難找出哪一個才是關鍵的部分。
3、再用TRW20001.23註冊版進行動態跟蹤,發現位於0040227E處的才是關鍵部分,重新下斷BPX 004021ED(通常在註冊成功與否的提示前面一些下斷,這樣才能找到關鍵部分),
先輸入假碼: 78787878
.......
.......
:004021ED
55 push
ebp
:004021EE 56
push esi
:004021EF 57
push edi
:004021F0 8BF1
mov esi, ecx
:004021F2 89442414
mov dword ptr [esp+14],
eax
:004021F6 C744242000000000 mov [esp+20], 00000000
:004021FE
8944240C mov dword ptr
[esp+0C], eax
:00402202 8D442414
lea eax, dword ptr [esp+14]
:00402206 8D8E98000000
lea ecx, dword ptr [esi+00000098]
:0040220C 50
push eax
:0040220D
C644242401 mov [esp+24], 01
:00402212
E843860000 call 0040A85A
:00402217
8D4C240C lea ecx, dword
ptr [esp+0C]
:0040221B 51
push ecx
:0040221C 8D4E5C
lea ecx, dword ptr [esi+5C]
:0040221F E836860000
call 0040A85A
:00402224 8B54240C
mov edx, dword ptr [esp+0C]
:00402228
837AF801 cmp dword ptr
[edx-08], 00000001
:0040222C 0F8EB2000000
jle 004022E4
:00402232 8B442414
mov eax, dword ptr [esp+14] <===EAX=20608611(機器碼),此時,ECX=78787878
:00402236
50 push
eax
:00402237 E81B180000 call
00403A57 <===機器碼進行第一次變形,EAX=13A7663
:0040223C 8B4C2410
mov ecx, dword ptr [esp+10] <===ECX=78787878
:00402240
8BF8 mov
edi, eax
:00402242 51
push ecx
:00402243 E80F180000
call 00403A57 <===將輸入的註冊碼也做同樣的變形處理
:00402248
83C408 add esp,
00000008
:0040224B 8BCE
mov ecx, esi
:0040224D 8BE8
mov ebp, eax <===EBP=變形後的註冊碼
:0040224F
57 push
edi
:00402250 E8EB020000 call
00402540 <===將變形後的機器碼再做一次變形
:00402255 3BC5
cmp eax, ebp
<===進行對比,EAX為兩次變形後的機器碼(5B3D7CC),EBP為一次變形的註冊碼(4B2356),兩者必須相等,註冊才能成功,開始分析演算法
:00402257
0F8587000000 jne 004022E4
<===關鍵跳轉,跳過去,就OVER了
*
Possible Reference to Dialog: DialogID_0084, CONTROL_ID:03F2, ""
|
:0040225D 68F2030000
push 000003F2
:00402262 8BCE
mov ecx, esi
:00402264 E8F1A40000
call 0040C75A
:00402269 8BF8
mov edi,
eax
:0040226B 6A00
push 00000000
:0040226D 8BCF
mov ecx, edi
:0040226F E88EA60000
call 0040C902
:00402274 8B1524B54100
mov edx, dword ptr [0041B524]
:0040227A
89542410 mov dword ptr
[esp+10], edx
* Possible
Reference to String Resource ID=00007: "?<==="註冊成功"
|
:0040227E 6A07
push 00000007
:00402280 8D4C2414
lea ecx, dword ptr [esp+14]
:00402284
C644242402 mov [esp+24], 02
:00402289
E87ABF0000 call 0040E208
:0040228E
8B442410 mov eax, dword
ptr [esp+10]
:00402292 8BCF
mov ecx, edi
:00402294 50
push eax
:00402295 E8B0A50000
call 0040C84A
*
Possible Reference to Dialog: DialogID_0084, CONTROL_ID:03F1, ""
|
:0040229A 68F1030000
push 000003F1
:0040229F 8BCE
mov ecx, esi
:004022A1 E8B4A40000
call 0040C75A
:004022A6 6A00
push 00000000
:004022A8
8BC8 mov
ecx, eax
:004022AA E853A60000 call
0040C902
:004022AF E839020100 call
004124ED
:004022B4 8B4004
mov eax, dword ptr [eax+04]
:004022B7 55
push ebp
*
Possible StringData Ref from Data Obj ->"RKey"
|
:004022B8 68F4B14100
push 0041B1F4
*
Possible StringData Ref from Data Obj ->"Settings"
|
:004022BD 68E8B14100
push 0041B1E8
:004022C2 8BC8
mov ecx, eax
:004022C4 E8F0D50000
call 0040F8B9
:004022C9 6AFF
push FFFFFFFF
:004022CB
6A00 push
00000000
* Possible
Reference to String Resource ID=00009: ""`?戾:`}??"
| <==="感謝你的註冊,我們以後將為你提供更好的服務!"
:004022CD
6A09 push
00000009
:004022CF E8E4D40000 call
0040F7B8
:004022D4 8D4C2410
lea ecx, dword ptr [esp+10]
:004022D8 C644242001
mov [esp+20], 01
:004022DD E8DCBD0000
call 0040E0BE
:004022E2 EB0B
jmp 004022EF
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040222C(C),
:00402257(C)
|
:004022E4 6AFF
push FFFFFFFF
:004022E6 6A00
push 00000000
*
Possible Reference to String Resource ID=00008: "?"<==="註冊碼錯誤!"
|
:004022E8 6A08
push 00000008
:004022EA E8C9D40000
call 0040F7B8
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004022E2(U)
|
:004022EF
8D4C240C lea ecx, dword
ptr [esp+0C]
:004022F3 C644242000
mov [esp+20], 00
:004022F8 E8C1BD0000
call 0040E0BE
:004022FD 8D4C2414
lea ecx, dword ptr [esp+14]
:00402301 C7442420FFFFFFFF
mov [esp+20], FFFFFFFF
:00402309 E8B0BD0000
call 0040E0BE
:0040230E 8B4C2418
mov ecx, dword ptr [esp+18]
:00402312
5F pop
edi
:00402313 5E
pop esi
:00402314 5D
pop ebp
:00402315 64890D00000000
mov dword ptr fs:[00000000], ecx
:0040231C 83C418
add esp, 00000018
:0040231F
C3 ret
.......
.......
---------00402237
call 00403A57 一樣資料變形處理的CALL,F8跟進------------
注:機器碼和輸入的註冊碼都要做的同樣的變形處理,變形處理後的值返回在EAX上
:00403A57
53 push
ebx
:00403A58 55
push ebp
:00403A59 56
push esi
:00403A5A 57
push edi
:00403A5B 8B7C2414
mov edi, dword ptr [esp+14]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403A8B(U)
|
:00403A5F
833D24BE410001 cmp dword ptr [0041BE24], 00000001
:00403A66
7E0F jle
00403A77 <===這裡跳走
:00403A68 0FB607
movzx eax, byte ptr [edi]
*
Possible Reference to String Resource ID=00008: "?" <==="註冊碼錯誤!"
|
:00403A6B 6A08
push 00000008
:00403A6D 50
push eax
:00403A6E
E872340000 call 00406EE5
:00403A73
59 pop
ecx
:00403A74 59
pop ecx
:00403A75 EB0F
jmp 00403A86
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403A66(C)
|
:00403A77
0FB607 movzx eax,
byte ptr [edi] <===跳來這裡
*
Possible StringData Ref from Data Obj ->"
((((( "
->" H"
|
:00403A7A 8B0D18BC4100
mov ecx, dword ptr [0041BC18]
:00403A80 8A0441
mov al, byte ptr [ecx+2*eax]
:00403A83
83E008 and eax,
00000008
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00403A75(U)
|
:00403A86
85C0 test
eax, eax
:00403A88 7403
je 00403A8D <===這裡再次跳走(好象是檢驗機器碼是否被修改)
:00403A8A
47 inc
edi
:00403A8B EBD2
jmp 00403A5F
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403A88(C)
|
:00403A8D
0FB637 movzx esi,
byte ptr [edi] <===跳到這裡
:00403A90 47
inc edi
:00403A91 83FE2D
cmp esi, 0000002D <===“-”字元檢測
:00403A94
8BEE mov
ebp, esi
:00403A96 7405
je 00403A9D
:00403A98 83FE2B
cmp esi, 0000002B <===“+”字元檢測
:00403A9B
7504 jne
00403AA1 <===從這裡跳走
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403A96(C)
|
:00403A9D
0FB637 movzx esi,
byte ptr [edi]
:00403AA0 47
inc edi
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403A9B(C)
|
:00403AA1
33DB xor
ebx, ebx <===跳到這裡,EBX清0,準備存貯計算的最終值
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403AD2(U)
<===這一行開始迴圈
|
:00403AA3
833D24BE410001 cmp dword ptr [0041BE24], 00000001
<===判斷迴圈結束的標誌
:00403AAA 7E0C
jle 00403AB8 <===從這裡跳走,就說明迴圈未結束
*
Possible Reference to String Resource ID=00004: "
(X?:?,1n9Fw. !"
|
:00403AAC 6A04
push 00000004
:00403AAE 56
push esi
:00403AAF
E831340000 call 00406EE5
:00403AB4
59 pop
ecx
:00403AB5 59
pop ecx
:00403AB6 EB0B
jmp 00403AC3 <===迴圈結束,則從這裡跳走
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403AAA(C)
|
*
Possible StringData Ref from Data Obj ->"
((((( "
->" H"
|
:00403AB8 A118BC4100
mov eax, dword ptr [0041BC18] <===迴圈未結束時跳到這裡
:00403ABD
8A0470 mov al, byte
ptr [eax+2*esi]
:00403AC0 83E004
and eax, 00000004
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403AB6(U)
|
:00403AC3
85C0 test
eax, eax
:00403AC5 740D
je 00403AD4
<===將本CALL收進來的值(第一次是機器碼20608611,第二次輸入的註冊碼78787878)處理完後,從這裡跳走
:00403AC7
8D049B lea eax,
dword ptr [ebx+4*ebx]
:00403ACA 8D5C46D0
lea ebx, dword ptr [esi+2*eax-30]
:00403ACE 0FB637
movzx esi, byte ptr [edi]
:00403AD1
47 inc
edi
:00403AD2 EBCF
jmp 00403AA3 <===這裡構成一個大迴圈
***機器碼20608611的迴圈結果如下:
EBX=32+2*(0+4*0)-30=2
EBX=30+2*(2+4*2)-30=14
......
......
......
......
......
EBX=31+2*(1F723D+4*1F723D)-30=13A7663
***其實就是機器碼16進製表示形式
***註冊碼78787878的迴圈結果如下:
EBX=37+2*(0+4*0)-30=7
EBX=38+2*(7+4*7)-30=4E
......
......
......
......
......
EBX=38+2*(783883+4*783883)-30=4B2356
***其實就是註冊碼的16進製表示形式
(以上各式均為16進位制運算,32、37、30等是各位數字字元的ASCII碼。)
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00403AC5(C)
|
:00403AD4 83FD2D
cmp ebp, 0000002D
:00403AD7
8BC3 mov
eax, ebx
:00403AD9 7502
jne 00403ADD
:00403ADB F7D8
neg eax
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403AD9(C)
|
:00403ADD
5F pop
edi
:00403ADE 5E
pop esi
:00403ADF 5D
pop ebp
:00403AE0 5B
pop ebx
:00403AE1 C3
ret
此段小結:機器碼處理後的結果是13A7663,註冊碼處理後的結果是4B2356
----------------------------------------------------------------------------------------
-----00402250
call 00402540 <===將變形後的機器碼13A7663再做一次變形-----------
:00402540 8B442404
mov eax, dword ptr [esp+04]<===EAX=13A7663
:00402544
35AC0BBB02 xor eax, 02BB0BAC
<===EAX=13A7663 xor 02BB0BAC=3817DCF
:00402549 05FD593202
add eax, 023259FD <===EAX=3817DCF
+ 023259FD=5B3D7CC
:0040254E 7905
jns 00402555
:00402550 99
cdq
:00402551 33C2
xor eax, edx
:00402553
2BC2 sub
eax, edx
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0040254E(C)
|
:00402555
C20400 ret 0004
---------------------------------------------------------------------------------------
4、演算法分析:
---型別:f1(機器碼)=註冊碼---
a、將機器碼和註冊碼都轉為16進製表示形式:
b、將16進製表示形式的機器碼進行如下處理:
機器碼1=(機器碼 xor 02BB0BAC) + 023259FD
c、將機器碼1與註冊碼1(16進製表示形式)做比較,如果相等,就註冊成功
d、機器碼轉為16進位制後與02BB0BAC異或運算,再加上023259FD,得到出來的值再轉為10進位制,就是註冊碼了。
我的機器碼是17421339,那麼註冊碼就是98908596
5、註冊資訊儲存在檔案QuickCD.ini中:
[Settings]
RKey=98908596