炒股理財3.1 演算法分析(15千字)
好久沒寫破解文章,像BW所說'刀本來鈍,現在還生鏽了',再不用可能真不會破解了.這個軟體是位朋友要求我幫忙破解,在精華III看到過它前面幾個版本的破解過程,心裡想應該不難.ok,開工幹活..用PEiD查出它是
ASProtect 1.2 的殼,脫殼後記得把2ce01的7434改為eb34,才可以執行,不過有個密碼視窗出來,這方面我沒再研究.請高手指點..
:0042DBEB E8D433FFFF call 00420FC4
//對假註冊碼進行比較和計算出三個數!!!!
:0042DBF0 84C0
test al, al
:0042DBF2 0F84A7000000 je 0042DC9F
:0042DBF8 8B1500796400 mov edx, dword
ptr [00647900]
:0042DBFE 8B02
mov eax, dword ptr [edx]
:0042DC00 8B9538FFFFFF mov edx, dword
ptr [ebp+FFFFFF38]
:0042DC06 E8C92DFFFF call 004209D4
//把註冊名和序列號串起來計算出三個數!!
:0042DC0B 84C0
test al, al
:0042DC0D 0F848C000000 je 0042DC9F
:0042DC13 EB04
jmp 0042DC19
:0042DC15 EB05
jmp 0042DC1C
:0042DC17 8901
mov dword ptr [ecx], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DC13(U)
|
:0042DC19 8B8D34FFFFFF mov ecx, dword
ptr [ebp+FFFFFF34]
:0042DC1F 8B9538FFFFFF mov edx, dword
ptr [ebp+FFFFFF38]
:0042DC25 8B01
mov eax, dword ptr [ecx]
:0042DC27 3B02
cmp eax, dword ptr [edx] //比較①
:0042DC29 756E
jne 0042DC99
:0042DC2B 8B8D34FFFFFF mov ecx, dword
ptr [ebp+FFFFFF34]
:0042DC31 8B9538FFFFFF mov edx, dword
ptr [ebp+FFFFFF38]
:0042DC37 8B4104
mov eax, dword ptr [ecx+04]
:0042DC3A 3B4204
cmp eax, dword ptr [edx+04]//比較②
:0042DC3D 755A
jne 0042DC99
:0042DC3F 8B8D34FFFFFF mov ecx, dword
ptr [ebp+FFFFFF34]
:0042DC45 8B9538FFFFFF mov edx, dword
ptr [ebp+FFFFFF38]
:0042DC4B 8B4108
mov eax, dword ptr [ecx+08]
:0042DC4E 3B4208
cmp eax, dword ptr [edx+08]//比較③
:0042DC51 7546
jne 0042DC99
:0042DC53 66C746109800 mov [esi+10],
0098
:0042DC59 BA33816300 mov edx,
00638133
:0042DC5E 8D45C4
lea eax, dword ptr [ebp-3C]
:0042DC61 E8C66C1F00 call 0062492C
:0042DC66 FF461C
inc [esi+1C]
:0042DC69 8B10
mov edx, dword ptr [eax]
:0042DC6B A15C846400 mov eax,
dword ptr [0064845C]
:0042DC70 E8F3E21A00 call 005DBF68
:0042DC75 FF4E1C
dec [esi+1C]
:0042DC78 8D45C4
lea eax, dword ptr [ebp-3C]
:0042DC7B BA02000000 mov edx,
00000002
:0042DC80 E81B6D1F00 call 006249A0
:0042DC85 8B8734030000 mov eax, dword
ptr [edi+00000334]
:0042DC8B 33D2
xor edx, edx
:0042DC8D E8EADC1700 call 005AB97C
:0042DC92 C687DC06000001 mov byte ptr [edi+000006DC],
01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042DC29(C), :0042DC3D(C), :0042DC51(C)
|
:0042DC99 EB04
jmp 0042DC9F
:0042DC9B EB05
jmp 0042DCA2
:0042DC9D 99
cdq
:0042DC9E 018BC3E8624D add dword ptr
[ebx+4D62E8C3], ecx
:0042DCA4 17
pop ss
:0042DCA5 00EB
add bl, ch
:0042DCA7 04EB
add al, EB
:0042DCA9 05890133D2 add eax,
D2330189
:0042DCAE 33C9
xor ecx, ecx
:0042DCB0 8997C0060000 mov dword ptr
[edi+000006C0], edx
:0042DCB6 898D3CFFFFFF mov dword ptr
[ebp+FFFFFF3C], ecx
:0042DCBC 80BFDC06000000 cmp byte ptr [edi+000006DC],
00
:0042DCC3 743E
je 0042DD03
:0042DCC5 8B8534FFFFFF mov eax, dword
ptr [ebp+FFFFFF34]
:0042DCCB 8B8D38FFFFFF mov ecx, dword
ptr [ebp+FFFFFF38]
:0042DCD1 8B10
mov edx, dword ptr [eax]
:0042DCD3 3B11
cmp edx, dword ptr [ecx]//比較④
:0042DCD5 752C
jne 0042DD03
:0042DCD7 8B8534FFFFFF mov eax, dword
ptr [ebp+FFFFFF34]
:0042DCDD 8B8D38FFFFFF mov ecx, dword
ptr [ebp+FFFFFF38]
:0042DCE3 8B5004
mov edx, dword ptr [eax+04]
:0042DCE6 3B5104
cmp edx, dword ptr [ecx+04]//比較⑤
:0042DCE9 7518
jne 0042DD03
:0042DCEB 8B8534FFFFFF mov eax, dword
ptr [ebp+FFFFFF34]
:0042DCF1 8B8D38FFFFFF mov ecx, dword
ptr [ebp+FFFFFF38]
:0042DCF7 8B5008
mov edx, dword ptr [eax+08]
:0042DCFA 3B5108
cmp edx, dword ptr [ecx+08]//比較⑥
:0042DCFD 0F8440020000 je 0042DF43
==========================================A===================================
上面透過六次比較其實只是對三個數值進行兩次比較..這裡不羅嗦了,下面先進入假註冊碼的比較和計算過程看看..
=========================================00420FC4 BEGIN===================================
:00420FC4 53
push ebx
:00420FC5 56
push esi
:00420FC6 57
push edi
:00420FC7 83C4E4
add esp, FFFFFFE4
:00420FCA 894C2404 mov
dword ptr [esp+04], ecx
:00420FCE 8BFA
mov edi, edx
:00420FD0 890424
mov dword ptr [esp], eax
:00420FD3 8BC7
mov eax, edi
:00420FD5 E882C61E00 call 0060D65C
:00420FDA 83F80E
cmp eax, 0000000E//比較假註冊碼為數是否14為
:00420FDD 750C
jne 00420FEB
:00420FDF 807F042D cmp
byte ptr [edi+04], 2D//比較假註冊碼的第五位是否'-'
:00420FE3 7506
jne 00420FEB
:00420FE5 807F092D cmp
byte ptr [edi+09], 2D//比較假註冊碼的第十位是否'-'
:00420FE9 7407
je 00420FF2
從上面看出註冊碼的形式是:XXXX-XXXX-XXXX
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00420FDD(C), :00420FE3(C)
|
:00420FEB 33C0
xor eax, eax
:00420FED E9E9000000 jmp 004210DB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00420FE9(C)
|
:00420FF2 33D2
xor edx, edx
:00420FF4 8D442410 lea
eax, dword ptr [esp+10]
:00420FF8 89542408 mov
dword ptr [esp+08], edx
:00420FFC 89442418 mov
dword ptr [esp+18], eax
:00421000 33F6
xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421082(C)
|
:00421002 8B542418 mov
edx, dword ptr [esp+18]
:00421006 66C7020000 mov word
ptr [edx], 0000
:0042100B 33DB
xor ebx, ebx
:0042100D 8B442418 mov
eax, dword ptr [esp+18]
:00421011 8BD0
mov edx, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421077(C)
|
:00421013 8D0CB6
lea ecx, dword ptr [esi+4*esi]
:00421016 83C103
add ecx, 00000003
:00421019 2BCB
sub ecx, ebx
:0042101B 85DB
test ebx, ebx
:0042101D 8A040F
mov al, byte ptr [edi+ecx]
:00421020 7504
jne 00421026
:00421022 8844240C mov
byte ptr [esp+0C], al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421020(C)
|
:00421026 85DB
test ebx, ebx
:00421028 760A
jbe 00421034
:0042102A 3A44240C cmp
al, byte ptr [esp+0C]
:0042102E 7504
jne 00421034
:00421030 FF442408 inc
[esp+08]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421028(C), :0042102E(C)
|
:00421034 3C30
cmp al, 30
:00421036 7204
jb 0042103C
:00421038 3C46
cmp al, 46
:0042103A 7607
jbe 00421043
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421036(C)
|
:0042103C 33C0
xor eax, eax
:0042103E E998000000 jmp 004210DB
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042103A(C)
|
:00421043 3C39
cmp al, 39
:00421045 760B
jbe 00421052
:00421047 3C41
cmp al, 41
:00421049 7307
jnb 00421052
:0042104B 33C0
xor eax, eax
:0042104D E989000000 jmp 004210DB
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00421045(C), :00421049(C)
|
:00421052 3C41
cmp al, 41
:00421054 720B
jb 00421061
:00421056 33C9
xor ecx, ecx
:00421058 8AC8
mov cl, al
:0042105A 83E937
sub ecx, 00000037
:0042105D 8BC1
mov eax, ecx
:0042105F EB08
jmp 00421069
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00421054(C)
|
:00421061 25FF000000 and eax,
000000FF
:00421066 83E830
sub eax, 00000030
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042105F(U)
|
:00421069 8BCB
mov ecx, ebx
:0042106B C1E102
shl ecx, 02
:0042106E D3E0
shl eax, cl
:00421070 660102
add word ptr [edx], ax
:00421073 43
inc ebx
:00421074 83FB04
cmp ebx, 00000004
:00421077 729A
jb 00421013
:00421079 46
inc esi
:0042107A 8344241802 add dword
ptr [esp+18], 00000002
:0042107F 83FE03
cmp esi, 00000003
:00421082 0F827AFFFFFF jb 00421002
===============================================================================================
上面判斷假註冊碼的每個字元是否在0-9和A-F(十六進位字元)範圍內,並把假註冊碼由ASCII轉換成數值存放,譬如假註冊碼為:
1234-6789-ABCD,會轉換成34128967CDAB的形式存放.
:00421088 33DB
xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004210A2(C)
|
:0042108A 6A06
push 00000006
:0042108C 8D442414 lea
eax, dword ptr [esp+14]
:00421090 50
push eax
:00421091 8B542408 mov
edx, dword ptr [esp+08]
:00421095 52
push edx
:00421096 E8ADFEFFFF call 00420F48//過程A
:0042109B 83C40C
add esp, 0000000C
:0042109E 43
inc ebx
:0042109F 83FB02
cmp ebx, 00000002
:004210A2 72E6
jb 0042108A
================================================================================================
把剛才的34128967CDAB分成六組A1=3412,A2=1289,A3=8967,A4=67CD,A5=CDAB,A6=AB34透過過程A換算,其演算法如下:
B1=((A1 SHL 1) AND $FF00) SHR 8=68
B2=((A2 SHL 1) AND $FF00) SHR 8=25
B3=((A3 SHL 1) AND $FF00) SHR 8=12
B4=((A4 SHL 1) AND $FF00) SHR 8=CF
B5=((A5 SHL 1) AND $FF00) SHR 8=9B
B6=((A6 SHL 1) AND $FF00) SHR 8=56
然後將B1,B2,B3,B4,B5,B6再組成新六組數C1=6825,C2=2512,C3=12CF,C4=CF9B,C5=9B56,再用過程A換算一次得出
D04A259F36AC
================================================================================================
:004210A4 33F6
xor esi, esi
:004210A6 8B442404 mov
eax, dword ptr [esp+04]
:004210AA 8BD8
mov ebx, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004210CF(C)
|
:004210AC 8BD6
mov edx, esi
:004210AE 03D2
add edx, edx
:004210B0 8D442410 lea
eax, dword ptr [esp+10]
:004210B4 03D0
add edx, eax
:004210B6 B902000000 mov ecx,
00000002
:004210BB 8B0424
mov eax, dword ptr [esp]
:004210BE E8D10F0000 call 00422094
//將D04A259F36AC分成三組D1=D04A,D2=259F,D3=36AC進行換算,F8跟進..
:004210C3 0FB7D0
movzx edx, ax//將上面計算出來的數值儲存
:004210C6 8913
mov dword ptr [ebx], edx
:004210C8 46
inc esi
:004210C9 83C304
add ebx, 00000004
:004210CC 83FE03
cmp esi, 00000003
:004210CF 72DB
jb 004210AC
:004210D1 33C0
xor eax, eax
:004210D3 837C240808 cmp dword
ptr [esp+08], 00000008
:004210D8 7701
ja 004210DB
:004210DA 40
inc eax
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00420FED(U), :0042103E(U), :0042104D(U), :004210D8(C)
|
:004210DB 83C41C
add esp, 0000001C
:004210DE 5F
pop edi
:004210DF 5E
pop esi
:004210E0 5B
pop ebx
:004210E1 C3
ret
==========================================00422094 BEGIN=======================================
:00422094 53
push ebx
:00422095 56
push esi
:00422096 57
push edi
:00422097 83C494
add esp, FFFFFF94
:0042209A 8BF9
mov edi, ecx
:0042209C 8BF2
mov esi, edx
:0042209E 8BD8
mov ebx, eax
:004220A0 54
push esp
:004220A1 E816F4FFFF call 004214BC
//初始化四個常數,A=$76543210,B=$FEDCBA98,C=$89ABCDEF,D=$01234567,看到這四個數是否很面熟,MD5??看清楚..不一樣啊..(看來這四個值就是MD5標準初始值67452301、EFCDAB89、98BADCFE、10325476各自位元組序顛倒後,再以A↔D、B↔C對調指派的結果,所以眼熟但數值不同)
:004220A6 59
pop ecx
:004220A7 57
push edi
:004220A8 56
push esi
:004220A9 8D442408 lea
eax, dword ptr [esp+08]
:004220AD 50
push eax
:004220AE E835F4FFFF call 004214E8//初始化陣列這和MD5一樣..
:004220B3 83C40C
add esp, 0000000C
:004220B6 54
push esp
:004220B7 8D54245C lea
edx, dword ptr [esp+5C]
:004220BB 52
push edx
:004220BC E8BFF4FFFF call 00421580//這過過程我叫它為變形MD5,因為它所採用的資料和那四輪迴圈都和MD5一樣,只是順序變動..有興趣的朋友可以進一步分析..這裡分別將D1,D2,D3進行計算
:004220C1 83C408
add esp, 00000008
:004220C4 B910000000 mov ecx,
00000010
:004220C9 8BC3
mov eax, ebx
:004220CB C644246800 mov [esp+68],
00
:004220D0 8D542458 lea
edx, dword ptr [esp+58]
:004220D4 E80BF0FFFF call 004210E4//將變形MD5計算出來的128BIT的數再進行計算,我叫這過程為過程B
:004220D9 83C46C
add esp, 0000006C
:004220DC 5F
pop edi
:004220DD 5E
pop esi
:004220DE 5B
pop ebx
:004220DF C3
ret
=======================================00422094 END==============================================
透過過程B計算出來的三個數值將和註冊名計算出來三個的數值比較..OK..假註冊碼的換算分析完畢下面簡單說說註冊名換算過程..
=======================================00420FC4 END=============================================
註冊名換算在過程004209D4完成,它的步驟大概如下:
1.將序列號換算,假設為11223344
2.將1122334400和註冊名串起來,透過變形MD5和過程B計算出CODE1
3.將註冊名和0011223344串起來,透過變形MD5和過程B計算出CODE2
4.將CODE1和CODE2串起來,透過變形MD5和過程B計算出CODE3
5.再將CODE1,CODE2,CODE3分別透過變形MD5和過程B計算出三個數,這三個數就和假註冊碼計算出來的三個數進行比較...
========================================END=====================================================
這個軟體是啟動驗證,所以這部分演算法是在啟動那裡.在輸入註冊碼那裡主要的是分析序列號的換算過程..在攔截方面我開始也是'老鼠拉龜',後來得到DiKeN和PaulYoung的指點才找到方法,先用BPX
GETCOMMANDLINEA,按3次F5,清除斷點,再用BPC REGCREATEKEYEXA中斷就可以到達上面...
ssljxOCG
2002.3.21