中華通訊錄 (Zhonghua Address Book) algorithm analysis

Pediy (看雪) archive, published 2015-11-15

中華通訊錄 algorithm analysis, V3.2
Software name: 中華通訊錄
Build version: v3.2
Original file: http://www.skycn.net/soft/12563.html
Software size: 1294 KB
Software language: Simplified Chinese
Software category: Domestic software / Shareware / Information management
Platform: Win9x/NT/2000/XP

Developer: http://hebreed.6to23.com/

Software description:
中華通訊錄 is a practical address book application with a Windows XP style interface and a complete feature set; it can hold up to one hundred thousand contact records. A password is required at startup so that other people cannot see your contact data, keeping your information secure. The search bar lets you find a contact quickly, and the program supports adding categories as well as adding and deleting entries.

Cracking tools: OllyDbg, pe-scan, w32dasm, procdump

Cracking process:
pe-scan identifies the packer as ASPack 1.07b.
Unpack with procdump.
Disassemble with w32dasm; the key location is:

|:00503D7B(U)
|
:00503D35 59                      pop ecx
:00503D36 59                      pop ecx
:00503D37 648910                  mov dword ptr fs:[eax], edx
:00503D3A 68623D5000              push 00503D62

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00503D60(U)
|
:00503D3F 8D45F0                  lea eax, dword ptr [ebp-10]
:00503D42 BA02000000              mov edx, 00000002
:00503D47 E8BCFFEFFF              call 00403D08
:00503D4C 8D45F8                  lea eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"TChgPwdFormData"
                                  |
:00503D4F 8B15E4E04F00            mov edx, dword ptr [004FE0E4]
:00503D55 E8460AF0FF              call 004047A0
:00503D5A C3                      ret


:00503D5B E900FAEFFF              jmp 00403760
:00503D60 EBDD                    jmp 00503D3F
:00503D62 5B                      pop ebx
:00503D63 8BE5                    mov esp, ebp
:00503D65 5D                      pop ebp
:00503D66 C3                      ret


:00503D67 00                      BYTE 0


:00503D68 C3                      ret


:00503D69 DCC2                    fadd st(2), st(0)
:00503D6B EBB8                    jmp 00503D25
:00503D6D FC                      cld
:00503D6E B8C4B3C9B9              mov eax, B9C9B3C4
:00503D73 A6                      cmpsb
:00503D74 A3A10000C3              mov dword ptr [C30000A1], eax
:00503D79 DCC2                    fadd st(2), st(0)
:00503D7B EBB8                    jmp 00503D35
:00503D7D FC                      cld
:00503D7E B8C4CAA7B0              mov eax, B0A7CAC4
:00503D83 DCA3A1000053            fsub qword ptr [ebx+530000A1]
:00503D89 8BD8                    mov ebx, eax
:00503D8B 8BC3                    mov eax, ebx
:00503D8D E89ECEFFFF              call 00500C30                               key call, analysed below
:00503D92 84C0                    test al, al
:00503D94 7409                    je 00503D9F                                 the fatal jump
:00503D96 8BC3                    mov eax, ebx
:00503D98 E82FCCFFFF              call 005009CC
:00503D9D 5B                      pop ebx
:00503D9E C3                      ret



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00503D94(C)
|

* Possible StringData Ref from Code Obj ->"註冊碼不正確,無法註冊"
                                  |
:00503D9F B8B43D5000              mov eax, 00503DB4
:00503DA4 E86377F5FF              call 0045B50C
:00503DA9 5B                      pop ebx
:00503DAA C3                      ret


Key call at 00503D8D:


* Referenced by a CALL at Address:
|:00503D8D   
|
:00500C30 55                      push ebp
:00500C31 8BEC                    mov ebp, esp
:00500C33 33C9                    xor ecx, ecx
:00500C35 51                      push ecx
:00500C36 51                      push ecx
:00500C37 51                      push ecx
:00500C38 51                      push ecx
:00500C39 51                      push ecx
:00500C3A 53                      push ebx
:00500C3B 56                      push esi
:00500C3C 8945FC                  mov dword ptr [ebp-04], eax
:00500C3F 33C0                    xor eax, eax
:00500C41 55                      push ebp
:00500C42 680C0D5000              push 00500D0C
:00500C47 64FF30                  push dword ptr fs:[eax]
:00500C4A 648920                  mov dword ptr fs:[eax], esp
:00500C4D 33C0                    xor eax, eax
:00500C4F 8945F4                  mov dword ptr [ebp-0C], eax
:00500C52 8D55F8                  lea edx, dword ptr [ebp-08]
:00500C55 8B45FC                  mov eax, dword ptr [ebp-04]
:00500C58 8B8024040000            mov eax, dword ptr [eax+00000424]
:00500C5E E83141F3FF              call 00434D94
:00500C63 8B45F8                  mov eax, dword ptr [ebp-08]
:00500C66 E8F932F0FF              call 00403F64
:00500C6B 8BD8                    mov ebx, eax
:00500C6D 85DB                    test ebx, ebx
:00500C6F 7E2E                    jle 00500C9F
:00500C71 BE01000000              mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500C9D(C)
|
:00500C76 8D45F0                 / lea eax, dword ptr [ebp-10]                algorithm starts here
:00500C79 50                     | push eax
:00500C7A B901000000             | mov ecx, 00000001
:00500C7F 8BD6                   | mov edx, esi
:00500C81 8B45F8                 | mov eax, dword ptr [ebp-08]
:00500C84 E8E334F0FF             | call 0040416C
:00500C89 8B45F0                 | mov eax, dword ptr [ebp-10]
:00500C8C E89734F0FF             | call 00404128
:00500C91 8A00                   | mov al, byte ptr [eax]
:00500C93 25FF000000             | and eax, 000000FF                          eax = name[i]
:00500C98 0145F4                 | add dword ptr [ebp-0C], eax                running sum kept at [ebp-0C]
:00500C9B 46                     | inc esi
:00500C9C 4B                     | dec ebx
:00500C9D 75D7                    jne 00500C76                                loop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500C6F(C)
|
:00500C9F 8D55EC                  lea edx, dword ptr [ebp-14]
:00500CA2 8B45FC                  mov eax, dword ptr [ebp-04]
:00500CA5 8B8028040000            mov eax, dword ptr [eax+00000428]
:00500CAB E8E440F3FF              call 00434D94
:00500CB0 8B45EC                  mov eax, dword ptr [ebp-14]
:00500CB3 E8FC8EF0FF              call 00409BB4
:00500CB8 8B55F4                  mov edx, dword ptr [ebp-0C]                 the sum computed above
:00500CBB 81C2FC7E1200            add edx, 00127EFC                           add 1212156 (decimal)
:00500CC1 81C29AE46400            add edx, 0064E49A                           add 6612122 (decimal)
:00500CC7 3BC2                    cmp eax, edx                                compare with the entered registration code
:00500CC9 7519                    jne 00500CE4                                not equal: registration fails
:00500CCB B301                    mov bl, 01
:00500CCD B8F44B5200              mov eax, 00524BF4
:00500CD2 8B55F8                  mov edx, dword ptr [ebp-08]
:00500CD5 E85E30F0FF              call 00403D38
:00500CDA 8B45F4                  mov eax, dword ptr [ebp-0C]
:00500CDD A3F84B5200              mov dword ptr [00524BF8], eax
:00500CE2 EB02                    jmp 00500CE6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500CC9(C)
|
:00500CE4 33DB                    xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500CE2(U)
|
:00500CE6 33C0                    xor eax, eax
:00500CE8 5A                      pop edx
:00500CE9 59                      pop ecx
:00500CEA 59                      pop ecx
:00500CEB 648910                  mov dword ptr fs:[eax], edx
:00500CEE 68130D5000              push 00500D13

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00500D11(U)
|
:00500CF3 8D45EC                  lea eaxdword ptr [ebp-14]
:00500CF6 E8E92FF0FF              call 00403CE4
:00500CFB 8D45F0                  lea eaxdword ptr [ebp-10]
:00500CFE E8E12FF0FF              call 00403CE4
:00500D03 8D45F8                  lea eaxdword ptr [ebp-08]
:00500D06 E8D92FF0FF              call 00403CE4
:00500D0B C3                      ret


From the analysis above, the registration procedure is:
 add up the ASCII codes of the machine code, then add 1212156 and 6612122.

So for machine code 1652-1cd8
   the registration code is 7824278

Keygen (VB):
 Private Sub Command1_Click()
  Dim i As Integer
  Dim m As Long, n As Long      ' m: running sum of the machine code's ASCII values; n: resulting registration code
  For i = 1 To Len(Text1.Text)
   m = m + Asc(Mid(Text1.Text, i, 1))
  Next i
  n = m + 1212156 + 6612122     ' the two immediates added at 00500CBB and 00500CC1
  Text2.Text = Str(n)
 End Sub
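As an added illustration (not code from the original write-up), the Python below models the check exactly as the listing shows it and makes the weakness explicit: the check depends only on the byte sum of the machine code, so every rearrangement of the same characters accepts the same code, and both secret constants are visible as immediates in the binary. The HMAC functions are an added hardened counterpart, not anything the product does; the secret and the machine-code strings used in the demo are constructed.

```python
import hmac
import hashlib
from itertools import permutations

# The two immediates added at 00500CBB and 00500CC1 in the listing.
ADD_1 = 0x127EFC   # 1212156 decimal
ADD_2 = 0x64E49A   # 6612122 decimal


def byte_sum(machine_code: str) -> int:
    """Model of the loop 00500C76..00500C9D: for each position i, take the
    single character Copy(s, i, 1), read its first byte, mask with 0xFF and
    accumulate it in [ebp-0C]."""
    return sum(b & 0xFF for b in machine_code.encode("latin-1"))


def check_v32(machine_code: str, entered: str) -> bool:
    """Model of 00500CA2..00500CC9: the entered code is converted to an integer
    (call 00409BB4) and must equal byte_sum + ADD_1 + ADD_2. Returns False where
    the integer conversion would fail instead of raising like the Delphi RTL."""
    try:
        entered_int = int(entered.strip(), 10)
    except ValueError:
        return False
    return entered_int == byte_sum(machine_code) + ADD_1 + ADD_2


def colliding_ids(machine_code: str) -> set:
    """All permutations of the characters share one byte sum, so the same
    registration code is accepted for every one of them: the scheme does
    not bind a code to a particular machine."""
    return {"".join(p) for p in permutations(machine_code)}


def issue_hmac_code(secret: bytes, machine_code: str) -> str:
    """Hardened counterpart: the vendor's issuing side derives the code with a
    secret that never ships inside the client binary, so a disassembly of the
    client yields no constants to recompute codes with."""
    mac = hmac.new(secret, machine_code.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def verify_hmac_code(secret: bytes, machine_code: str, entered: str) -> bool:
    """Constant-time comparison; only meaningful where this runs on the vendor
    side (or is replaced by client-side verification of a public-key signature)."""
    return hmac.compare_digest(issue_hmac_code(secret, machine_code), entered)


if __name__ == "__main__":
    code = str(byte_sum("AB-12") + ADD_1 + ADD_2)        # constructed machine code
    print(code, check_v32("AB-12", code), check_v32("BA-21", code))  # same sum, same code
```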
