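POPMAN 時常管家 2003: Simple Algorithm Analysis
POPMAN 時常管家 2003
【Software overview】: This program uses your computer to manage everyday records as a database. Its main functions are a business card box, an asset table, an expense table, an income table, a growth record, district postal codes and a nutrition table. It works very well for household finances, and if you run a small shop it is very convenient for recording each day's accounts. The design is very user-friendly.
【Statement】: This crack is intended only for learning the technique and has no other purpose. Please point out any mistakes!
【Program name】: popman.exe
【Version】: 2003
【Size】: 796KB
【Language】: Microsoft Visual C++ 6.0
【Platform】: W9x/NT/W2K/WXP
【Protection】: registration code (it is really rare these days for domestic software not to be packed!)
【Analysis method】: tracing the registration code and the registration-code algorithm
【Difficulty】: simple
【Tools】: PEiD/Filemon5.0/W32Dasm8.93+/TRW2000 v1.23
【Download】: http://www.sunguns.com/
【Author】: xbb[DFCG]
【Analysis】:
After starting, the program prompts for registration. My machine code is 624955638624955602. I entered the fake registration code 123456789 and clicked Register; the program reported "密碼不正確" ("incorrect password").
Judging from the dialog, I guessed the program uses messagebox, so I set a breakpoint on messagebox in TRW, and it did break: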
.............
* Possible StringData Ref from Data Obj ->"密碼不正確"
|
:00411B59 68F89C4500 push 00459CF8
:00411B5E 8BCB mov ecx, ebx
* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:00411B60 E8F77A0300 Call 0044965C <-we break here
:00411B65 EB2B jmp 00411B92
............
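But what I am looking for is the registration algorithm, so this is not the code we want. Still, knowing where the error code is helps, so we note the address 411B60. Next, check with PEiD whether the program is packed; fortunately it is not. Then disassemble it with W32Dasm8.93+. After disassembly, enter 411B60 under Goto Code Location and confirm, which brings us to the following code:
* Reference To: MFC42.Ordinal:0C17, Ord:0C17h
|
:00411B4C E8917C0300 Call 004497E2 classic <-character-conversion CALL
:00411B51 3BC6 cmp eax, esi | compare <-compare the real and fake registration codes
:00411B53 7412 je 00411B67 / code <-if equal, jump to the INI handling that writes the registration info
:00411B55 6A00 push 00000000
:00411B57 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"密碼不正確" <-this string is the same as the error message.
|
:00411B59 68F89C4500 push 00459CF8
:00411B5E 8BCB mov ecx, ebx
* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:00411B60 E8F77A0300 Call 0044965C <-the address we entered
:00411B65 EB2B jmp 00411B92
The above is the usual way to locate the core registration comparison in a program; I hope newcomers can follow it.
Below are my annotations of the registration-code calculation and comparison. My assembly is not very good, so please point out any mistakes.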
.....................
:004119B0 6AFF push FFFFFFFF
:004119B2 68E0B24400 push 0044B2E0
:004119B7 64A100000000 mov eax, dword ptr fs:[00000000]
:004119BD 50 push eax
:004119BE 64892500000000 mov dword ptr fs:[00000000], esp
:004119C5 83EC5C sub esp, 0000005C
:004119C8 53 push ebx
:004119C9 55 push ebp
:004119CA 8BD9 mov ebx, ecx
:004119CC 56 push esi
:004119CD 57 push edi
:004119CE 8D4C2414 lea ecx, dword ptr [esp+14]
* Reference To: MFC42.Ordinal:021C, Ord:021Ch
|
:004119D2 E8A9790300 Call 00449380
:004119D7 33F6 xor esi, esi <-clear ESI
* Possible StringData Ref from Data Obj ->"01234567"
|
:004119D9 68049D4500 push 00459D04 <-push "01234567"
:004119DE 8D4C2414 lea ecx, dword ptr [esp+14]
:004119E2 89742478 mov dword ptr [esp+78], esi
* Reference To: MFC42.Ordinal:0219, Ord:0219h
|
:004119E6 E8A57B0300 Call 00449590
:004119EB 8D442414 lea eax, dword ptr [esp+14]
:004119EF 8BCB mov ecx, ebx
:004119F1 50 push eax
* Possible Reference to Dialog: DialogID_0067, CONTROL_ID:03E8, ""
|
:004119F2 68E8030000 push 000003E8 <-push 3E8=1000
:004119F7 C644247C01 mov [esp+7C], 01
* Reference To: MFC42.Ordinal:0C19, Ord:0C19h
|
:004119FC E87B7D0300 Call 0044977C <-get the machine code
* Possible Reference to String Resource ID=00001: "b
h"
|
:00411A01 B801000000 mov eax, 00000001 <-EAX=1
:00411A06 BD08000000 mov ebp, 00000008 <-EBP=8
:00411A0B 89442434 mov dword ptr [esp+34], eax--
:00411A0F 89442438 mov dword ptr [esp+38], eax
:00411A13 B805000000 mov eax, 00000005
:00411A18 896C2424 mov dword ptr [esp+24], ebp |
:00411A1C C744242807000000 mov [esp+28], 00000007 |
:00411A24 8974242C mov dword ptr [esp+2C], esi |
:00411A28 C744243004000000 mov [esp+30], 00000004 |
|
* Possible Reference to String Resource ID=00002: "ubpn? |
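9M |This code fills the stack from ESP+24 to ESP+68 with 18 DWORD
Sp" |values, one per digit of the 18-digit machine code; the code
| |below uses them to compute the three 8-digit numbers that the
:00411A30 C744243C02000000 mov [esp+3C], 00000002 |registration code depends on. I call these 18 values the character table: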
:00411A38 C744244009000000 mov [esp+40], 00000009 | 8 7 0 4
:00411A40 C744244406000000 mov [esp+44], 00000006 | 1 1 2 9
:00411A48 89442448 mov dword ptr [esp+48], eax | 6 5 3 8
| A E D C
* Possible Reference to String Resource ID=00003: "b悄*p" | B 5
| |
:00411A4C C744244C03000000 mov [esp+4C], 00000003 |
:00411A54 896C2450 mov dword ptr [esp+50], ebp |
:00411A58 C74424540A000000 mov [esp+54], 0000000A |
:00411A60 C74424580E000000 mov [esp+58], 0000000E |
:00411A68 C744245C0D000000 mov [esp+5C], 0000000D |
:00411A70 C74424600C000000 mov [esp+60], 0000000C /
:00411A78 C74424640B000000 mov [esp+64], 0000000B /
:00411A80 89442468 mov dword ptr [esp+68], eax__/
:00411A84 8D7C2424 lea edi, dword ptr [esp+24] <-EDI=6FF674 (address of the first table entry; differs from machine to machine)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411AAA(C)
|
:00411A88 8B0F mov ecx, dword ptr [edi] <-ECX=8
:00411A8A 8B542414 mov edx, dword ptr [esp+14] <-machine code
:00411A8E 8A0411 mov al, byte ptr [ecx+edx] <-take the 9th character of the machine code (index 8, counting from 0)
:00411A91 88442418 mov byte ptr [esp+18], al <-AL=38; now ESP+18=1250000+AL=1250038
:00411A95 8B4C2418 mov ecx, dword ptr [esp+18] <-ECX=1250038 |411A88-411AAA is a loop:
:00411A99 51 push ecx <-push ECX |it picks characters from the machine code using the first table entries
:00411A9A 56 push esi <-push ESI |and, from left to right, replaces the characters of
:00411A9B 8D4C2418 lea ecx, dword ptr [esp+18] <-ECX=01234567|01234567 one at a time; the loop ends once ESI is no longer less than EBP.
|
* Reference To: MFC42.Ordinal:16E0, Ord:16E0h |table entries used:
| | 8 7 0 4
:00411A9F E8587B0300 Call 004495FC <-EAX=81234567| 1 1 2 9
:00411AA4 46 inc esi <-counter |final result: 83652246
:00411AA5 83C704 add edi, 00000004 <-table address +4|
:00411AA8 3BF5 cmp esi, ebp <-compare |
:00411AAA 7CDC jl 00411A88 <-jump if less |the first number used for the registration code
:00411AAC 8B542410 mov edx, dword ptr [esp+10] <-EDX=83652246
* Reference To: MSVCRT.atoi, Ord:023Dh
|
:00411AB0 8B2D58EA4400 mov ebp, dword ptr [0044EA58] <-EBP=7800C283
:00411AB6 52 push edx <-push 83652246
:00411AB7 FFD5 call ebp <-atoi converts 83652246 to 4FC6E96
:00411AB9 83C404 add esp, 00000004 <-remove the atoi argument from the stack
:00411ABC 8944241C mov dword ptr [esp+1C], eax <-ESP+1C=4FC6E96
:00411AC0 33F6 xor esi, esi <-clear ESI
:00411AC2 8D7C2444 lea edi, dword ptr [esp+44]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411AE9(C)
|
:00411AC6 8B07 mov eax, dword ptr [edi]---
:00411AC8 8B4C2414 mov ecx, dword ptr [esp+14]
:00411ACC 8A1408 mov dl, byte ptr [eax+ecx]
:00411ACF 8D4C2410 lea ecx, dword ptr [esp+10]
:00411AD3 88542418 mov byte ptr [esp+18], dl |the second number used for the registration code
:00411AD7 8B442418 mov eax, dword ptr [esp+18] |
:00411ADB 50 push eax |table entries used:
:00411ADC 56 push esi | 6 5 3 8
| A E D C
* Reference To: MFC42.Ordinal:16E0, Ord:16E0h |
| |
:00411ADD E81A7B0300 Call 004495FC |final result: 65982559
:00411AE2 46 inc esi <-counter /
:00411AE3 83C704 add edi, 00000004 /
:00411AE6 83FE08 cmp esi, 00000008 /
:00411AE9 7CDB jl 00411AC6________________/
:00411AEB 8B4C2410 mov ecx, dword ptr [esp+10] <-ECX=65982559
:00411AEF 51 push ecx
:00411AF0 FFD5 call ebp <-atoi converts 65982559 to 3EED05F
:00411AF2 83C404 add esp, 00000004
:00411AF5 89442420 mov dword ptr [esp+20], eax <-ESP+20=3EED05F
:00411AF9 33F6 xor esi, esi
:00411AFB 8D7C244C lea edi, dword ptr [esp+4C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411B22(C)
|
:00411AFF 8B17 mov edx, dword ptr [edi]---
:00411B01 8B442414 mov eax, dword ptr [esp+14]
:00411B05 8A0C10 mov cl, byte ptr [eax+edx]
:00411B08 884C2418 mov byte ptr [esp+18], cl |the third number used for the registration code
:00411B0C 8D4C2410 lea ecx, dword ptr [esp+10]
:00411B10 8B542418 mov edx, dword ptr [esp+18] |table entries used:
:00411B14 52 push edx | 3 8 A E
:00411B15 56 push esi | D C B 5
|
* Reference To: MFC42.Ordinal:16E0, Ord:16E0h |final result: 98255945
| /
:00411B16 E8E17A0300 Call 004495FC /
:00411B1B 46 inc esi <-counter /
:00411B1C 83C704 add edi, 00000004 /
:00411B1F 83FE08 cmp esi, 00000008 /
:00411B22 7CDB jl 00411AFF_______________/
:00411B24 8B442410 mov eax, dword ptr [esp+10] <-EAX=98255945
:00411B28 50 push eax
:00411B29 FFD5 call ebp <-atoi converts it to 5DB4449 ---- third number
:00411B2B 8B4C2420 mov ecx, dword ptr [esp+20] <-ECX=4FC6E96 ---- first number
:00411B2F 8B542424 mov edx, dword ptr [esp+24] <-EDX=3EED05F ---- second number
:00411B33 83C404 add esp, 00000004
:00411B36 8D3409 lea esi, dword ptr [ecx+ecx] <-ESI=4FC6E96+4FC6E96=9F8DD2C
:00411B39 2BF2 sub esi, edx <-ESI=9F8DD2C-3EED05F=60A0CCD
:00411B3B 03F0 add esi, eax <-ESI=60A0CCD+5DB4449=BE55116 (registration code)
:00411B3D 7902 jns 00411B41 <-result not negative: skip the neg and continue to the comparison
:00411B3F F7DE neg esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411B3D(C)
|
* Possible Reference to String Resource ID=00001: "b
h"
|
:00411B41 6A01 push 00000001
:00411B43 6A00 push 00000000
* Possible Reference to Dialog: DialogID_0069, CONTROL_ID:03EC, ""
|
:00411B45 68EC030000 push 000003EC
:00411B4A 8BCB mov ecx, ebx
* Reference To: MFC42.Ordinal:0C17, Ord:0C17h
|
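:00411B4C E8917C0300 Call 004497E2 <-character-conversion CALL; the fake registration code is converted to hexadecimal
:00411B51 3BC6 cmp eax, esi <-compare the real and fake registration codes
:00411B53 7412 je 00411B67 <-if equal, jump to the INI handling that writes the registration info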
:00411B55 6A00 push 00000000
:00411B57 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"密碼不正確"
|
:00411B59 68F89C4500 push 00459CF8
:00411B5E 8BCB mov ecx, ebx
* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:00411B60 E8F77A0300 Call 0044965C <-error message
:00411B65 EB2B jmp 00411B92
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411B53(C)
|
* Reference To: MFC42.Ordinal:0490, Ord:0490h
|
:00411B67 E8E8790300 Call 00449554 <-we land here when the registration code is correct
:00411B6C 8B7804 mov edi, dword ptr [eax+04]
:00411B6F 56 push esi
* Possible StringData Ref from Data Obj ->"MIMI"------------
|
:00411B70 68F09C4500 push 00459CF0
* Possible StringData Ref from Data Obj ->"REGISTE"
|
:00411B75 68E89C4500 push 00459CE8
:00411B7A 8BCF mov ecx, edi
* Reference To: MFC42.Ordinal:1902, Ord:1902h
|
:00411B7C E85B7C0300 Call 004497DC
:00411B81 8BCB mov ecx, ebx
:00411B83 C787CC00000000000000 mov dword ptr [edi+000000CC], 00000000 |
|This code writes
* Reference To: MFC42.Ordinal:12F5, Ord:12F5h |"MIMI=registration code" into
| |the [REGISTE] section of
:00411B8D E86C7B0300 Call 004496FE |c:\windows\popman.ini.
|While unregistered, the value of MIMI
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |increases with each launch.
|:00411B65(U) |
| |
:00411B92 8D4C2410 lea ecx, dword ptr [esp+10] |
:00411B96 C644247400 mov [esp+74], 00 |
|
* Reference To: MFC42.Ordinal:0320, Ord:0320h |
| |
:00411B9B E8C8770300 Call 00449368 |
:00411BA0 8D4C2414 lea ecx, dword ptr [esp+14] |
:00411BA4 C7442474FFFFFFFF mov [esp+74], FFFFFFFF |
|
* Reference To: MFC42.Ordinal:0320, Ord:0320h |
| |
:00411BAC E8B7770300 Call 00449368 /
:00411BB1 8B4C246C mov ecx, dword ptr [esp+6C] /
:00411BB5 5F pop edi /
:00411BB6 5E pop esi /
:00411BB7 5D pop ebp /
:00411BB8 5B pop ebx /
:00411BB9 64890D00000000 mov dword ptr fs:[00000000], ecx /
:00411BC0 83C468 add esp, 00000068 /
:00411BC3 C3 ret____________________________/
**************************************************************************************
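【Algorithm summary】:
The program's registration code has nothing to do with the fake registration code that is entered. The real registration code is computed from the machine code: a character table is set up first, and three 8-digit numbers (hexadecimal) are then picked out according to that table.
Registration code = first number*2 - second number + third number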
**************************************************************************************
【Patching】:
Change the 7412 at 411B53 7412 je 00411B67 to EB12.
**************************************************************************************
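【Registration information】:
To find where the program keeps its registration information, we can monitor its activity with REGmon or FILEMON; the former watches the registry, the latter watches files. Monitoring with FILEMON, I found that the program reads and writes the file c:\windows\popman.ini, as follows: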
......
185 14:04:34 Popman Attributes C:\WINDOWS\POPMAN.INI SUCCESS GetAttributes
186 14:04:34 Popman Open C:\WINDOWS\POPMAN.INI SUCCESS OPENEXISTING READWRITE DENYWRITE
187 14:04:34 Popman Ioctl C: SUCCESS Subfunction: 08h
188 14:04:34 Popman Attributes C:\WINDOWS\POPMAN.INI SUCCESS Get Modify
189 14:04:34 Popman Seek C:\WINDOWS\POPMAN.INI SUCCESS End Offset: 0
190 14:04:34 Popman Seek C:\WINDOWS\POPMAN.INI SUCCESS Beginning Offset: 0
191 14:04:34 Popman Read C:\WINDOWS\POPMAN.INI SUCCESS Offset: 0 Length: 340
192 14:04:34 Popman Close C:\WINDOWS\POPMAN.INI SUCCESS CLOSE_FINAL
......
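To go back to the unregistered version, just delete the registration code at the place marked DEL.
[INFORMATION]
UNIT=NCG |----this part is what you are asked to enter when the software is installed.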
NAME=xbb_NCG /
[REGISTE]
MIMI=199577878 <------DEL
SKIN=22
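The file-monitor step above, as an added example that is not part of the original post: a small parser that summarises which files one process touched in a Filemon-style trace, whether it opened them read/write, and how many bytes it read. The column layout (sequence, time, process, request, path, result, other) is taken from the trace shown; the sample lines are constructed, paths are assumed to contain no spaces, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the trace above; the Explorer line is invented
# to show that other processes are filtered out.
SAMPLE = r"""
185 14:04:34 Popman Attributes C:\WINDOWS\POPMAN.INI SUCCESS GetAttributes
186 14:04:34 Popman Open C:\WINDOWS\POPMAN.INI SUCCESS OPENEXISTING READWRITE DENYWRITE
190 14:04:34 Popman Seek C:\WINDOWS\POPMAN.INI SUCCESS Beginning Offset: 0
191 14:04:34 Popman Read C:\WINDOWS\POPMAN.INI SUCCESS Offset: 0 Length: 340
192 14:04:34 Popman Close C:\WINDOWS\POPMAN.INI SUCCESS CLOSE_FINAL
193 14:04:35 Explorer Read C:\WINDOWS\WIN.INI SUCCESS Offset: 0 Length: 64
"""

# seq, time, process, request, path, result, then free-form detail text.
LINE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<proc>\S+)\s+"
    r"(?P<req>\S+)\s+(?P<path>\S+)\s+(?P<result>\S+)\s*(?P<other>.*)$"
)

def parse(trace):
    """Yield one dict per well-formed trace line; skip separators and blanks."""
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def files_touched(trace, process):
    """Summarise successful file requests made by `process`, keyed by path."""
    summary = defaultdict(
        lambda: {"requests": [], "writable": False, "bytes_read": 0})
    for ev in parse(trace):
        if ev["proc"].lower() != process.lower() or ev["result"] != "SUCCESS":
            continue
        entry = summary[ev["path"].upper()]   # Windows paths are case-insensitive
        entry["requests"].append(ev["req"])
        if ev["req"] == "Open" and "READWRITE" in ev["other"].split():
            entry["writable"] = True          # opened for writing: candidate state file
        if ev["req"] == "Read":
            m = re.search(r"Length:\s*(\d+)", ev["other"])
            if m:
                entry["bytes_read"] += int(m.group(1))
    return dict(summary)

if __name__ == "__main__":
    for path, info in files_touched(SAMPLE, "Popman").items():
        print(path, info)
```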
**************************************************************************************
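【Keygen】:
I would really like to write a keygen. I imagine it should be very simple, but my programming is too poor, alas...
If anyone writes one, please post it so that I can learn from it. Thanks!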
xbb[DFCG]
2003.12.10