Golden 5.7 Build 391破解手記--演算法分析
Golden 5.7 Build 391破解手記--演算法分析
作者:newlaos[DFCG]
軟體名稱:Golden
5.7 Build 391(程式設計工具)
整理日期:2003.3.15
最新版本:5.7 Build 391
檔案大小:2562KB
軟體授權:共享軟體
使用平臺:Win9x/Me/NT/2000
釋出公司:http://www.benthicsoftware.com
軟體簡介:是一個32位多執行緒的應用程式,具有多種功能,類似於SQL,包括變數提示和引數傳遞指令碼顯示等,能編寫和執行程式,使用非常簡單,速度快,介面好。
加密方式:註冊碼
功能限制:30天試用
PJ工具:TRW20001.23註冊版、W32Dasm8.93黃金版,FI2.5
PJ日期:2003-03-27
作者newlaos申明:只是學習,請不用於商業用途或是將本文方法制作的序號產生器任意傳播,造成後果,本人一概不負。
1、先用FI2.5看一下主檔案“Golden32.exe”,沒有加殼,程式是用DELPHI編的
2、用W32Dasm8.93黃金版對Golden32.exe進行靜態反彙編,再用串式資料參考,找到"Incorrect Registration Code"(很經典的句子),雙擊來到下面程式碼段。這樣就找到註冊碼的計算部分。
3、再用TRW20001.23註冊版進行動態跟蹤,下斷BPX 005171A8(通常在註冊成功與否的前面一些下斷,這樣,才能找到關鍵部分),先輸入假碼78787878
.......
.......
*
Possible StringData Ref from Code Obj ->"_H"
|
:005171A8 A1044F5100
mov eax, dword ptr [00514F04]
:005171AD E8D20BF8FF
call 00497D84
:005171B2 8B1518186B00
mov edx, dword ptr [006B1818]
:005171B8 8902
mov dword ptr [edx],
eax
:005171BA 33C0
xor eax, eax
:005171BC 55
push ebp
:005171BD 687F725100
push 0051727F
:005171C2 64FF30
push dword ptr fs:[eax]
:005171C5
648920 mov dword
ptr fs:[eax], esp
:005171C8 A118186B00
mov eax, dword ptr [006B1818]
:005171CD 8B00
mov eax, dword ptr [eax]
:005171CF
8B10 mov
edx, dword ptr [eax]
:005171D1 FF92EC000000
call dword ptr [edx+000000EC]
:005171D7 48
dec eax
:005171D8 0F8587000000
jne 00517265
:005171DE 8D55F8
lea edx, dword ptr
[ebp-08]
:005171E1 A118186B00 mov
eax, dword ptr [006B1818]
:005171E6 8B00
mov eax, dword ptr [eax]
:005171E8 8B80FC020000
mov eax, dword ptr [eax+000002FC]
:005171EE
E84979F6FF call 0047EB3C
:005171F3
8B4DF8 mov ecx,
dword ptr [ebp-08] <===ECX=78787878
:005171F6 8B9318030000
mov edx, dword ptr [ebx+00000318] <===EDX=Golden32
:005171FC
8D45FC lea eax,
dword ptr [ebp-04]
:005171FF E89CDBEEFF
call 00404DA0
:00517204 8B45FC
mov eax, dword ptr [ebp-04] <===EAX=Golden3278787878(將它全起來了),EDX=78787878
:00517207
E894F7FFFF call 005169A0
<===如果要正確,則這個CALL返回時,AL不能為0,F8跟進
:0051720C 84C0
test al, al
<===AL不能為0
:0051720E 743C
je 0051724C <===呵呵,只有一處跳向失敗
:00517210
8D55F4 lea edx,
dword ptr [ebp-0C]
:00517213 A118186B00
mov eax, dword ptr [006B1818]
:00517218 8B00
mov eax, dword ptr [eax]
:0051721A
8B80FC020000 mov eax, dword ptr [eax+000002FC]
:00517220
E81779F6FF call 0047EB3C
:00517225
8B55F4 mov edx,
dword ptr [ebp-0C]
:00517228 8D831C030000
lea eax, dword ptr [ebx+0000031C]
:0051722E E889D8EEFF
call 00404ABC
:00517233 8B8304030000
mov eax, dword ptr [ebx+00000304]
:00517239
B201 mov
dl, 01
:0051723B 8B08
mov ecx, dword ptr [eax]
:0051723D FF5164
call [ecx+64]
:00517240 C7834C02000001000000
mov dword ptr [ebx+0000024C], 00000001
:0051724A EB19
jmp 00517265
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0051720E(C)
|
:0051724C
6A00 push
00000000
* Possible
StringData Ref from Code Obj ->"Benthic Software"
|
:0051724E 68B8725100
push 005172B8
*
Possible StringData Ref from Code Obj ->"Incorrect Registration Code"
|
:00517253 68CC725100
push 005172CC <===錯誤的註冊碼
:00517258 8BC3
mov eax, ebx
:0051725A E811E2F6FF
call 00485470
:0051725F 50
push eax
*
Reference To: user32.MessageBoxA, Ord:0000h
|
:00517260
E81F0DEFFF Call 00407F84
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005171D8(C),
:0051724A(U)
|
:00517265 33C0
xor eax, eax
:00517267 5A
pop edx
:00517268 59
pop ecx
:00517269
59 pop
ecx
:0051726A 648910
mov dword ptr fs:[eax], edx
:0051726D 6886725100
push 00517286
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00517284(U)
|
:00517272
A118186B00 mov eax, dword ptr
[006B1818]
:00517277 8B00
mov eax, dword ptr [eax]
:00517279 E89AC9EEFF
call 00403C18
:0051727E C3
ret
.......
.......
---00517207
call 005169A0-----關鍵的演算法CALL,F8跟進來到下列程式碼段-------------------------------
要求:如果要正確註冊,則返回時AL不能為0
初始值:EAX=Golden3278787878,EDX=78787878
:005169A0
55 push
ebp
:005169A1 8BEC
mov ebp, esp
:005169A3 33C9
xor ecx, ecx
:005169A5 51
push ecx
:005169A6 51
push
ecx
:005169A7 51
push ecx
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00516941(C)
|
:005169A8
51 push
ecx
:005169A9 51
push ecx
:005169AA 51
push ecx
:005169AB 53
push ebx
:005169AC 56
push
esi
:005169AD 8945FC
mov dword ptr [ebp-04], eax
:005169B0 8B45FC
mov eax, dword ptr [ebp-04]
:005169B3 E88CE5EEFF
call 00404F44
:005169B8 33C0
xor eax,
eax
:005169BA 55
push ebp
:005169BB 68C56A5100
push 00516AC5
:005169C0 64FF30
push dword ptr fs:[eax]
:005169C3 648920
mov dword ptr fs:[eax],
esp
:005169C6 C645FB00 mov
[ebp-05], 00
:005169CA 8D55EC
lea edx, dword ptr [ebp-14]
:005169CD 8B45FC
mov eax, dword ptr [ebp-04]
:005169D0
E82F2CEFFF call 00409604
:005169D5
8B55EC mov edx,
dword ptr [ebp-14]
:005169D8 8D45FC
lea eax, dword ptr [ebp-04]
:005169DB E820E1EEFF
call 00404B00
:005169E0 8D45F0
lea eax, dword ptr [ebp-10]
:005169E3
E880E0EEFF call 00404A68
:005169E8
8B45FC mov eax,
dword ptr [ebp-04]
:005169EB E864E3EEFF
call 00404D54 <===這個CALL算出Golden3278787878的長度10,放入EAX
:005169F0
8BD8 mov
ebx, eax
:005169F2 EB01
jmp 005169F5
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00516A04(C)
|
:005169F4
4B dec
ebx <===計數器EBX=EBX-1
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005169F2(U)
|
:005169F5
8B45FC mov eax,
dword ptr [ebp-04]
:005169F8 8A4418FF
mov al, byte ptr [eax+ebx-01]
:005169FC 04D0
add al, D0
:005169FE 2C0A
sub al, 0A
:00516A00
7304 jnb
00516A06
:00516A02 85DB
test ebx, ebx
:00516A04 7FEE
jg 005169F4 <===這裡構成一個小迴圈,主要功能是從尾部開始,找只要一遇到字元就跳出,用在後面提取字串,進行運算,我們這裡,是GOLDEN字串了
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00516A00(C)
|
:00516A06
8D45F0 lea eax,
dword ptr [ebp-10]
:00516A09 50
push eax
:00516A0A 8B45FC
mov eax, dword ptr [ebp-04]
:00516A0D E842E3EEFF
call 00404D54
:00516A12 8BC8
mov ecx,
eax
:00516A14 2BCB
sub ecx, ebx
:00516A16 8D5301
lea edx, dword ptr [ebx+01]
:00516A19 8B45FC
mov eax, dword ptr [ebp-04]
:00516A1C
E893E5EEFF call 00404FB4
:00516A21
8D45F4 lea eax,
dword ptr [ebp-0C]
:00516A24 50
push eax
:00516A25 8B45FC
mov eax, dword ptr [ebp-04]
:00516A28 E827E3EEFF
call 00404D54
:00516A2D 50
push
eax
:00516A2E 8B45F0
mov eax, dword ptr [ebp-10]
:00516A31 E81EE3EEFF
call 00404D54
:00516A36 59
pop ecx
:00516A37 2BC8
sub ecx,
eax
:00516A39 BA01000000 mov
edx, 00000001
:00516A3E 8B45FC
mov eax, dword ptr [ebp-04]
:00516A41 E86EE5EEFF
call 00404FB4
:00516A46 33F6
xor esi, esi
***************下面這段是花指令*******************
:00516A48
8B45F4 mov eax,
dword ptr [ebp-0C]
:00516A4B E804E3EEFF
call 00404D54<===算長度的CALL
:00516A50 85C0
test eax, eax
:00516A52 7E4E
jle 00516AA2
:00516A54
8B45F4 mov eax,
dword ptr [ebp-0C]
:00516A57 E8F8E2EEFF
call 00404D54
:00516A5C 85C0
test eax, eax
:00516A5E 7E42
jle 00516AA2
:00516A60
8B45F4 mov eax,
dword ptr [ebp-0C]
:00516A63 E8ECE2EEFF
call 00404D54
:00516A68 85C0
test eax, eax
:00516A6A 7E1B
jle 00516A87
*************************************************
:00516A6C
BB01000000 mov ebx, 00000001
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00516A85(C)
|
:00516A71 8B55F4
mov edx, dword ptr [ebp-0C]
:00516A74
0FB6541AFF movzx edx, byte ptr
[edx+ebx-01]<===依次提取GOLDEN字串中每個字元的ASC碼
:00516A79 0FAFD3
imul edx, ebx
:00516A7C 6BCB0B
imul ecx, ebx, 0000000B
:00516A7F
03D1 add
edx, ecx
:00516A81 03F2
add esi, edx
:00516A83 43
inc ebx
:00516A84
48 dec
eax <===計數器EAX初始值為6,也就是GOLDEN字串長度,
:00516A85 75EA
jne 00516A71
<===向上構成一個小迴圈,ESI=0
+47*1+1*B=52
ESI=52 +4F*2+2*B=106
ESI=106 +4C*3+3*B=20B
ESI=20B +44*4+4*B=347
ESI=347 +45*5+5*B=4D7
ESI=4D7 +4E*6+6*B=6ED
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00516A6A(C)
|
:00516A87
8D55E8 lea edx,
dword ptr [ebp-18]
:00516A8A 8BC6
mov eax, esi <===EAX=6ED
:00516A8C
E8F732EFFF call 00409D88
<===EAX=97F380,位置上放了一個地址指標,指向1773(正好是6ED的十進位制表示形式)
:00516A91
8B45E8 mov eax,
dword ptr [ebp-18] <===EAX=1773
:00516A94 8B55F0
mov edx, dword ptr [ebp-10] <===EDX=3278787878
:00516A97
E804E4EEFF call 00404EA0
<===關鍵的CALL,如果EAX和EDX相等,這裡就對了。如何才能相等請看下面的演算法分析
:00516A9C 7504
jne 00516AA2
<===如果輸入有誤,就從這裡跳走,也就錯了。因為下一行一定要經過
:00516A9E C645FB01
mov [ebp-05], 01 <===這一行是關鍵的標誌位的賦值,一定要經過。
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00516A52(C),
:00516A5E(C), :00516A9C(C)
|
:00516AA2 33C0
xor eax, eax
:00516AA4 5A
pop edx
:00516AA5
59 pop
ecx
:00516AA6 59
pop ecx
:00516AA7 648910
mov dword ptr fs:[eax], edx
:00516AAA 68CC6A5100
push 00516ACC
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00516ACA(U)
|
:00516AAF
8D45E8 lea eax,
dword ptr [ebp-18]
:00516AB2 BA04000000
mov edx, 00000004
:00516AB7 E8D0DFEEFF
call 00404A8C
:00516ABC 8D45FC
lea eax, dword ptr [ebp-04]
:00516ABF E8A4DFEEFF
call 00404A68
:00516AC4 C3
ret
:00516AC5
E9E2D8EEFF jmp 004043AC
:00516ACA
EBE3 jmp
00516AAF
:00516ACC 8A45FB
mov al, byte ptr [ebp-05] <===[ebp-05]位置上的值太關鍵了,向上看
:00516ACF
5E pop
esi
:00516AD0 5B
pop ebx
:00516AD1 8BE5
mov esp, ebp
:00516AD3 5D
pop ebp
:00516AD4 C3
ret
4、演算法分析:----型別:數學計算----
a、先將軟體內定的GOLDEN32和輸入的註冊碼合成一個字串,假設合為GOLDEN32XX99999(X代表字元,9代表數字)
b、從GOLDEN32XX99999字串的尾部開始,到遇到第一個字元停止,分為兩串,即GOLDEN32XX和99999
c、對第一部分做如下計算,
例:取到第n位值,則將這個值的ASC碼值乘以n,再加上n*B,得出一個數值
最後將這些數值相加起來,得到一個十六進位制的總數。
d、將這個十六進位制的總數,轉為十進位制後,必須和第二部分,相等。
所以,這裡輸入的註冊碼不能完全是數字,否則只有GOLDEN,經過計算到十進位制後是1773,是無法和3299999(99999為輸入的純數字註冊碼)相等的。
這裡提供一個註冊碼就是:NEWLAOS10076
5、註冊資訊存放在登錄檔:(刪掉此鍵值就成未註冊版本)
[HKEY_CURRENT_USER\Software\Benthic\Golden32\Login]
"RVal"="C327589CDA2D49A8EA2968AAD4"
相關文章
- Iparmor 木馬克星 V5.40 Build 0414破解手記-演算法分析2015-11-15UI演算法
- HTMLock 1.9.3破解手記---演算法分析2003-06-27HTML演算法
- IEPopupKiller 1.2破解手記--演算法分析2015-11-15演算法
- QuickCD 1.0.320破解手記--演算法分析2015-11-15UI演算法
- 【 標題:SmartWhoIs 3.0 (build 21) 破解手記
】2000-11-30UI
- GreenBrowser 1.0.312破解手記--演算法分析2015-11-15演算法
- 拱豬大戰 1.8破解手記--演算法分析2015-11-15演算法
- Setup2Go 1.97破解手記--演算法分析2015-11-15Go演算法
- pcmedik V5.4.8.2003破解手記--演算法分析2003-05-10演算法
- 極速傳真[SpeedFax] 2.4 破解手記--程式逆向分析演算法2015-11-15演算法
- 【日記】今天好忙(391 字)2024-07-09
- Advanced MP3WMA Recorder 3.7.3破解手記--完美演算法分析2015-11-15演算法
- 法律文書、合同樣本庫
5.10破解手記--演算法分析2015-11-15演算法
- MySQL Manager 2.8.0.1脫殼破解手記破解分析2004-11-03MySql
- 奇門遁甲演義V6.3破解手記--註冊碼演算法分析2015-11-15演算法
- Bannershop 4.5破解手記2015-11-15
- 拱豬大戰 V2.3XP 演算法破解手記2015-11-15演算法
- Irfanview破解手記 (668字)2001-02-02View
- Download Boost 2002 Go 2.0漢化版演算法破解手記2015-11-15Go演算法
- hanami1005破解手記2003-08-19
- 《Erlang
4.08》另類破解手記2002-06-24
- Golden Gate 初探2011-09-23Go
- GetSmart破解手記 (1011字)2001-02-02
- CF391D2 Supercollider2024-07-14IDE
- 分析家資料批量轉換器暴力破解手記 (3千字)2001-09-07
- Turbo Note+ 破解手記 (4千字)2001-05-13
- Trojan Remover 4.3.0破解手記 (8千字)2001-08-31REM
- 漢字通破解手記 (19千字)2000-09-06
- ORACLE golden gate 機制2015-04-13OracleGo
- 初探Oracle Golden Gate(一)2010-04-23OracleGo
- zt_oracle golden gate2013-04-17OracleGo
- golden gate 引數 PURGEOLDEXTRACTS2012-08-28Go
- 中華燈謎 XP 2005 Build 01.20 --簡單演算法分析2015-11-15UI演算法
- SolSuite v8.0破解手記 (3千字)2001-09-08UI
- ACDSEE4.0的破解手記 (1千字)2002-01-20
- ReGet Junior 2.0破解手記(一) (3千字)2002-02-23
- 轉載:“亂刀”破解手記 (1千字)2000-09-03
- SeaMoon Pic Hunter 1.2破解手記 (8千字)2015-11-15