GreenBrowser 1.0.312破解手記--演算法分析

標題:GreenBrowser 1.0.312破解手記--演算法分析

發信人:newlaos[DFCG]

時間:2003/04/05 03:00pm　

詳細資訊:

GreenBrowser 1.0.312破解手記--演算法分析
作者：newlaos[DFCG]

軟體名稱：GreenBrowser 1.0.312(主頁瀏覽)
整理日期：2003.3.28(華軍網)
最新版本：1.0.312
檔案大小：443KB
軟體授權：共享軟體
使用平臺：Win9x/Me/NT/2000/XP
釋出公司：http://www.websamba.com/morequick
軟體簡介：GreenBrowser是一個基於IE的多視窗瀏覽器, 並更擁有更多更好的其他特性.例如:熱鍵,蒐集器,滑鼠手勢,滑鼠拖曳,彈出視窗過濾,搜尋引擎,網頁背景色設定,工具條皮膚,代理伺服器,自動滾動,自動儲存,自動填表,啟動模式...

加密方式：註冊碼
PJ工具：TRW20001.23註冊版，W32Dasm8.93黃金版，FI2.5
PJ日期：2003-04-04
作者newlaos申明：只是學習，請不用於商業用途或是將本文方法制作的序號產生器任意傳播，造成後果，本人一概不負。

1、先用FI2.5看一下主檔案“GreenBrowser.exe”，沒加殼。程式是用VC++6.0編的

2、用W32Dasm8.93黃金版對GreenBrowser.exe進行靜態反彙編，再用串式資料參考，找到"Registration key error!"
雙擊來到下面程式碼段。

3、再用TRW20001.23註冊版進行動態跟蹤，下斷BPX 00412500(通常在註冊成功與否的前面一些下斷，這樣，才能找到關鍵部分)，
先輸入假碼: 78787878

.......
.......
:00412500 6AFF push FFFFFFFF
:00412502 68B01E4800 push 00481EB0
:00412507 64A100000000 mov eax, dword ptr fs:[00000000]
:0041250D 50 push eax
:0041250E 64892500000000 mov dword ptr fs:[00000000], esp
:00412515 83EC08 sub esp, 00000008
:00412518 A1B0DC4A00 mov eax, dword ptr [004ADCB0]
:0041251D 55 push ebp
:0041251E 56 push esi
:0041251F 57 push edi
:00412520 8BF1 mov esi, ecx
:00412522 89442410 mov dword ptr [esp+10], eax
:00412526 C744241C00000000 mov [esp+1C], 00000000
:0041252E 8944240C mov dword ptr [esp+0C], eax
:00412532 8D442410 lea eax, dword ptr [esp+10]
:00412536 8D8E98000000 lea ecx, dword ptr [esi+00000098]
:0041253C 50 push eax
:0041253D C644242001 mov [esp+20], 01
:00412542 E8864E0500 call 004673CD <===EAX=8(為機器碼的長度) ECX=30084737
:00412547 8D4C240C lea ecx, dword ptr [esp+0C]
:0041254B 51 push ecx
:0041254C 8D4E5C lea ecx, dword ptr [esi+5C]
:0041254F E8794E0500 call 004673CD <===EAX=8(為註冊碼的長度) ECX=78787878
:00412554 8B54240C mov edx, dword ptr [esp+0C]
:00412558 837AF801 cmp dword ptr [edx-08], 00000001
:0041255C 0F8E8F000000 jle 004125F1 <===從這裡跳走，就說明沒有輸入註冊碼
:00412562 8B442410 mov eax, dword ptr [esp+10]
:00412566 50 push eax
:00412567 E8D2250400 call 00454B3E <===將機器碼轉為十六進位制1CB0E81
:0041256C 8B4C2410 mov ecx, dword ptr [esp+10]
:00412570 8BF8 mov edi, eax
:00412572 51 push ecx
:00412573 E8C6250400 call 00454B3E <===將註冊碼轉為十六進位制4B23526
:00412578 83C408 add esp, 00000008
:0041257B 8BCE mov ecx, esi
:0041257D 8BE8 mov ebp, eax
:0041257F 57 push edi
:00412580 E8AB000000 call 00412630 <===關鍵的CALL，是將十六進位制機器碼進行變形處理
:00412585 3BC5 cmp eax, ebp <===EBP=4B23526 EAX為十六進位制機器碼的變形
:00412587 755D jne 004125E6 <===不相等，就跳向OVER了

* Possible Reference to Dialog: DialogID_0064, CONTROL_ID:04DD, "Register"
|
:00412589 68DD040000 push 000004DD
:0041258E 8BCE mov ecx, esi
:00412590 E80A710500 call 0046969F
:00412595 8BF8 mov edi, eax
:00412597 6A00 push 00000000
:00412599 8BCF mov ecx, edi
:0041259B E87E730500 call 0046991E

* Possible StringData Ref from Data Obj ->"Register Ok"
|
:004125A0 68B4BB4A00 push 004ABBB4 <===註冊成功
:004125A5 8BCF mov ecx, edi
:004125A7 E814720500 call 004697C0

* Possible Reference to Dialog: DialogID_0064, CONTROL_ID:04DF, "Get Key"
|
:004125AC 68DF040000 push 000004DF
:004125B1 8BCE mov ecx, esi
:004125B3 E8E7700500 call 0046969F
:004125B8 6A00 push 00000000
:004125BA 8BC8 mov ecx, eax
:004125BC E85D730500 call 0046991E
:004125C1 E863920600 call 0047B829
:004125C6 8B4004 mov eax, dword ptr [eax+04]
:004125C9 55 push ebp

* Possible StringData Ref from Data Obj ->"RKey"
|
:004125CA 68C0BB4A00 push 004ABBC0

* Possible StringData Ref from Data Obj ->"Settings"
|
:004125CF 68F0B14A00 push 004AB1F0
:004125D4 8BC8 mov ecx, eax
:004125D6 E8ECF40500 call 00471AC7
:004125DB 6A00 push 00000000
:004125DD 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Thanks for you register, best "
->"support will prepare for you!"
|
:004125DF 6828BD4A00 push 004ABD28 <===感謝你的註冊，最好的技術支援為你準備
:004125E4 EB14 jmp 004125FA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412587(C)
|
:004125E6 6A00 push 00000000
:004125E8 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Registration key error!"
|
:004125EA 6810BD4A00 push 004ABD10 <===註冊碼錯誤
:004125EF EB09 jmp 004125FA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041255C(C)
|
:004125F1 6A00 push 00000000
:004125F3 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Please input registration key!"
|
:004125F5 68F0BC4A00 push 004ABCF0 <===請輸入註冊碼(呵呵，就是沒有輸入了)

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004125E4(U), :004125EF(U)
|
:004125FA E88FF30500 call 0047198E
:004125FF 8D4C240C lea ecx, dword ptr [esp+0C]
:00412603 C644241C00 mov [esp+1C], 00
:00412608 E81C7C0500 call 0046A229
:0041260D 8D4C2410 lea ecx, dword ptr [esp+10]
:00412611 C744241CFFFFFFFF mov [esp+1C], FFFFFFFF
:00412619 E80B7C0500 call 0046A229
:0041261E 8B4C2414 mov ecx, dword ptr [esp+14]
:00412622 5F pop edi
:00412623 5E pop esi
:00412624 5D pop ebp
:00412625 64890D00000000 mov dword ptr fs:[00000000], ecx
:0041262C 83C414 add esp, 00000014
:0041262F C3 ret
.......
.......

------00412580 call 00412630 是將十六進位制機器碼進行變形處理------------------

:00412630 8B442404 mov eax, dword ptr [esp+04] <===EAX=1CB0E81
:00412634 350B484802 xor eax, 0248480B <===EAX=1CB0E81 XOR 0248480B =3A3468A
:00412639 054271F900 add eax, 00F97142 <===EAX=3A3468A AND F97142 =47CB7CC
:0041263E 7905 jns 00412645
:00412640 99 cdq
:00412641 33C2 xor eax, edx
:00412643 2BC2 sub eax, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041263E(C)
|
:00412645 C20400 ret 0004

-----------------------------------------------------------------------------
4、演算法分析： ---型別：f1(機器碼)=註冊碼---
a、將機器碼和註冊碼都轉為16進製表示形式：
b、將16進製表示形式的機器碼進行如下處理：
機器碼1=(機器碼 xor 0248480B) + F97142
c、將機器碼1與註冊碼1(16進製表示形式)做比較，如果相等，就註冊成功
d、機器碼轉為16進位制後與0248480B異或運算，再加上F97142，得到出來的值再轉為10進位制，就是註冊碼了。我的機器碼是30084737，那麼註冊碼就是75282380

5、註冊資訊儲存在檔案GreenBrowser.ini裡：
[Settings]
RKey=75282380

GreenBrowser 1.0.312破解手記--演算法分析

相關文章