護花使者 2.0演算法分析

看雪資料發表於2015-11-15

標 題:護花使者 2.0演算法分析

發信人:onlyu

時 間:2003年11月20日 07:55 

詳細資訊: 




護花使者 2.0演算法分析
作者:onlyu[FCG]
軟體大小: 
軟體語言: 中文
軟體類別:  共享版 
應用平臺:  Win9x/NT/2000/XP
下載地址: 
軟體介紹:
【作者宣告】:本人是個初學者,只是感興趣,沒有其它目的。失誤之處敬請諸位大俠賜教!
【破解工具】:softice 4.01
【過    程】:
執行C:WINDOWSiflower.exe,點右鍵選註冊軟體,出來一個對話方塊,對話方塊告訴你序列號了,然後要你輸入使用者名稱和註冊號,好,就從這裡入手了,我的相關資訊如下:
序列號:033014D6
使用者名稱:onlyu
註冊號:78787878
按ctrl+d調出softice,下斷點bpx hmemcpy,回到護花使者 2.0註冊對話方塊,按確定,進入softice,下bd *,一路按F10,來到:
0167:00492F2F 8B45FC             MOV      EAX,[EBP-04]
0167:00492F32 50                       PUSH     EAX
0167:00492F33 8D45F8              LEA      EAX,[EBP-08]
0167:00492F36 E88523FCFF     CALL     004552C0-----------------註冊碼計算函式
0167:00492F3B 8B55F8              MOV      EDX,[EBP-08]
0167:00492F3E 58                       POP      EAX
0167:00492F3F E81810F7FF      CALL     00403F5C-----------------註冊碼對比函式
0167:00492F44 7505                   JNZ      00492F4B
0167:00492F46 83CEFF             OR       ESI,BYTE -01
0167:00492F49 EB02                  JMP      SHORT 00492F4D
0167:00492F4B 33F6                  XOR      ESI,ESI
0167:00492F4D 8BC6                 MOV      EAX,ESI
0167:00492F4F F7D8                  NEG      EAX
0167:00492F51 1BC0                  SBB      EAX,EAX
0167:00492F53 F7D8                  NEG      EAX
0167:00492F55 3C01                  CMP      AL,01
0167:00492F57 0F85D7000000   JNZ      NEAR 00493034
0167:00492F5D BAF0304900      MOV      EDX,004930F0
0167:00492F62 8BC3                   MOV      EAX,EBX
0167:00492F64 E8ABBEF9FF     CALL     0042EE14
執行到call 403d5c時,按F8進入函式來到:
0167:00403F5C 53               PUSH     EBX
0167:00403F5D 56               PUSH     ESI
0167:00403F5E 57               PUSH     EDI
0167:00403F5F 89C6             MOV      ESI,EAX
0167:00403F61 89D7             MOV      EDI,EDX
0167:00403F63 39D0             CMP      EAX,EDX
0167:00403F65 0F848F000000     JZ       NEAR 00403FFA
0167:00403F6B 85F6             TEST     ESI,ESI
0167:00403F6D 7468             JZ       00403FD7
0167:00403F6F 85FF             TEST     EDI,EDI
0167:00403F71 746B             JZ       00403FDE
0167:00403F73 8B46FC           MOV      EAX,[ESI-04]
0167:00403F76 8B57FC           MOV      EDX,[EDI-04]
0167:00403F79 29D0             SUB      EAX,EDX
0167:00403F7B 7702             JA       00403F7F
0167:00403F7D 01C2             ADD      EDX,EAX
0167:00403F7F 52               PUSH     EDX
0167:00403F80 C1EA02           SHR      EDX,02
0167:00403F83 7426             JZ       00403FAB
0167:00403F85 8B0E             MOV      ECX,[ESI]--------------------我輸入的註冊碼
0167:00403F87 8B1F             MOV      EBX,[EDI]--------------------真正的註冊碼
0167:00403F89 39D9             CMP      ECX,EBX---------------------典型的比較方式
0167:00403F8B 7558             JNZ      00403FE5
0167:00403F8D 4A               DEC      EDX
0167:00403F8E 7415             JZ       00403FA5
0167:00403F90 8B4E04           MOV      ECX,[ESI+04]
0167:00403F93 8B5F04           MOV      EBX,[EDI+04]
0167:00403F96 39D9             CMP      ECX,EBX
0167:00403F98 754B             JNZ      00403FE5
0167:00403F9A 83C608           ADD      ESI,BYTE +08
0167:00403F9D 83C708           ADD      EDI,BYTE +08
0167:00403FA0 4A               DEC      EDX
0167:00403FA1 75E2             JNZ      00403F85
0167:00403FA3 EB06             JMP      SHORT 00403FAB
0167:00403FA5 83C604           ADD      ESI,BYTE +04
0167:00403FA8 83C704           ADD      EDI,BYTE +04
0167:00403FAB 5A               POP      EDX
0167:00403FAC 83E203           AND      EDX,BYTE +03
0167:00403FAF 7422             JZ       00403FD3
0167:00403FB1 8B0E             MOV      ECX,[ESI]
0167:00403FB3 8B1F             MOV      EBX,[EDI]
0167:00403FB5 38D9             CMP      CL,BL
0167:00403FB7 7541             JNZ      00403FFA
0167:00403FB9 4A               DEC      EDX
0167:00403FBA 7417             JZ       00403FD3
0167:00403FBC 38FD             CMP      CH,BH
0167:00403FBE 753A             JNZ      00403FFA
0167:00403FC0 4A               DEC      EDX
0167:00403FC1 7410             JZ       00403FD3
0167:00403FC3 81E30000FF00     AND      EBX,00FF0000
0167:00403FC9 81E10000FF00     AND      ECX,00FF0000
0167:00403FCF 39D9             CMP      ECX,EBX
0167:00403FD1 7527             JNZ      00403FFA
0167:00403FD3 01C0             ADD      EAX,EAX
0167:00403FD5 EB23             JMP      SHORT 00403FFA
0167:00403FD7 8B57FC           MOV      EDX,[EDI-04]
0167:00403FDA 29D0             SUB      EAX,EDX
0167:00403FDC EB1C             JMP      SHORT 00403FFA
0167:00403FDE 8B46FC           MOV      EAX,[ESI-04]
0167:00403FE1 29D0             SUB      EAX,EDX
0167:00403FE3 EB15             JMP      SHORT 00403FFA
0167:00403FE5 5A               POP      EDX
0167:00403FE6 38D9             CMP      CL,BL
0167:00403FE8 7510             JNZ      00403FFA
0167:00403FEA 38FD             CMP      CH,BH
0167:00403FEC 750C             JNZ      00403FFA
0167:00403FEE C1E910           SHR      ECX,10
0167:00403FF1 C1EB10           SHR      EBX,10
0167:00403FF4 38D9             CMP      CL,BL
0167:00403FF6 7502             JNZ      00403FFA
0167:00403FF8 38FD             CMP      CH,BH
0167:00403FFA 5F               POP      EDI
0167:00403FFB 5E               POP      ESI
0167:00403FFC 5B               POP      EBX
0167:00403FFD C3               RET     
我們來看看這個註冊碼到底是怎麼生成的,執行到 CALL     004552C0的時候按F8進入,來到:
0167:004552C0 55               PUSH     EBP
0167:004552C1 8BEC             MOV      EBP,ESP
0167:004552C3 81C4F4FDFFFF     ADD      ESP,FFFFFDF4
0167:004552C9 53               PUSH     EBX
0167:004552CA 56               PUSH     ESI
0167:004552CB 57               PUSH     EDI
0167:004552CC 8BF8             MOV      EDI,EAX
0167:004552CE C745FCD2040000   MOV      DWORD [EBP-04],04D2
0167:004552D5 68FF000000       PUSH     DWORD FF
0167:004552DA 8D85F4FDFFFF     LEA      EAX,[EBP+FFFFFDF4]
0167:004552E0 50               PUSH     EAX
0167:004552E1 8D45F4           LEA      EAX,[EBP-0C]
0167:004552E4 50               PUSH     EAX
0167:004552E5 8D45F8           LEA      EAX,[EBP-08]
0167:004552E8 50               PUSH     EAX
0167:004552E9 8D45FC           LEA      EAX,[EBP-04]
0167:004552EC 50               PUSH     EAX
0167:004552ED 68FF000000       PUSH     DWORD FF
0167:004552F2 8D85F4FEFFFF     LEA      EAX,[EBP+FFFFFEF4]
0167:004552F8 50               PUSH     EAX
0167:004552F9 684C534500       PUSH     DWORD 0045534C
0167:004552FE E8F917FBFF       CALL     `KERNEL32!GetVolumeInformationA`
0167:00455303 8B45FC           MOV      EAX,[EBP-04]------------------------eax的值為對話方塊中的序列號
0167:00455306 05E1100000       ADD      EAX,10E1---------------------eax=eax+10E1
0167:0045530B 6BC00D           IMUL     EAX,EAX,BYTE 

相關文章