powerarchiver 8.00.58 之不完全破解+簡單演算法分析
軟體名稱:
powerarchiver 8.00.58
軟體簡介: 超強的檔案壓縮解壓縮工具,有點像WINZIP,但比WINZIP強大,支援更多的格式.
下載地址:
http://www.powerarchiver.com/
此文目的:
學習該軟體的註冊碼生成方法
除錯工具: ollydbg1.09中文版、W32dsm9.0中文版、language
除錯平臺: Windows
XP (哈哈,ollydbg真好,XP下也能除錯了,想想吧,還有MP3)
過程:
1) 執行程式,按CTRL+HOME輸入NAME和REGISTRATION CODE,程式彈出對話方塊:Incomplete or incorrect
information,關閉程式.
2) 使用 language 檢測主程式“POWERARC.exe”,沒有殼.
3)
用W32dasm反編譯POWERARC.exe,然後查詢字串"Incomplete or incorrect information"
雙擊找到的字串,來到以下地方:
走到005E5E23時彈出出錯對話方塊,於是向上看,發現005E5DBF有一個跳轉,於是在005E5CC4處設斷.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005E5D79(C),
:005E5D93(C), :005E5DA4(C)
|
:005E5DB2 8B55F8
mov edx, dword ptr [ebp-08]
<------輸入的REGISTRATION CODE
:005E5DB5 8B45FC
mov eax, dword ptr [ebp-04]
<------輸入的NAME
:005E5DB8 E807FFFFFF
call 005E5CC4
:005E5DBD 84C0
test al, al
:005E5DBF 0F859D000000
jne 005E5E62
:005E5DC5 FE050C93BD00
inc byte ptr [00BD930C]
:005E5DCB
A12C986800 mov eax, dword ptr
[0068982C]
:005E5DD0 8B55FC
mov edx, dword ptr [ebp-04]
:005E5DD3 E848EBE1FF
call 00404920
:005E5DD8 A1BC906800
mov eax, dword ptr [006890BC]
:005E5DDD
8B55F8 mov edx,
dword ptr [ebp-08]
:005E5DE0 E83BEBE1FF
call 00404920
:005E5DE5 A1FC906800
mov eax, dword ptr [006890FC]
:005E5DEA C60000
mov byte ptr [eax], 00
:005E5DED
A1DC926800 mov eax, dword ptr
[006892DC]
:005E5DF2 8B00
mov eax, dword ptr [eax]
:005E5DF4 8B8064060000
mov eax, dword ptr [eax+00000664]
:005E5DFA
B201 mov
dl, 01
:005E5DFC E8E3FDE4FF call
00435BE4
:005E5E01 A1DC926800 mov
eax, dword ptr [006892DC]
:005E5E06 8B00
mov eax, dword ptr [eax]
:005E5E08 8B8068060000
mov eax, dword ptr [eax+00000668]
:005E5E0E
B201 mov
dl, 01
:005E5E10 E8CFFDE4FF call
00435BE4
:005E5E15 668B0D545F5E00 mov cx,
word ptr [005E5F54]
:005E5E1C B201
mov dl, 01
*
Possible StringData Ref from Code Obj ->"Incomplete or incorrect information."
|
:005E5E1E B8605F5E00
mov eax, 005E5F60
:005E5E23 E878650500
call 0063C3A0
:005E5E28 A1AC916800
mov eax, dword ptr [006891AC]
:005E5E2D
833800 cmp dword
ptr [eax], 00000000
:005E5E30 7517
jne 005E5E49
:005E5E32 A1DC926800
mov eax, dword ptr [006892DC]
:005E5E37 8B00
mov eax,
dword ptr [eax]
:005E5E39 8B809C030000 mov
eax, dword ptr [eax+0000039C]
*
Possible StringData Ref from Code Obj ->"PowerArchiver 2002 v8.00 (Unregistered)"
|
:005E5E3F BA905F5E00
mov edx, 005E5F90
:005E5E44 E8B3FEE4FF
call 00435CFC
(略)
*
Possible StringData Ref from Code Obj ->"Registration accepted! Thank
you "
->"for
purchasing PowerArchiver."
|
:005E5EEC
B8C05F5E00 mov eax, 005E5FC0
:005E5EF1
E8AA640500 call 0063C3A0
:005E5EF6
A1AC916800 mov eax, dword ptr
[006891AC]
:005E5EFB 833800
cmp dword ptr [eax], 00000000
:005E5EFE 7517
jne 005E5F17
:005E5F00 A1DC926800
mov eax, dword ptr [006892DC]
:005E5F05
8B00 mov
eax, dword ptr [eax]
:005E5F07 8B809C030000
mov eax, dword ptr [eax+0000039C]
*
Possible StringData Ref from Code Obj ->"PowerArchiver 2002 v8.00"
|
:005E5F0D BA08605E00
mov edx, 005E6008
:005E5F12 E8E5FDE4FF
call 00435CFC
4)
使用ollydbg載入POWERARC.exe在005E5CC4處設定斷點,F9執行程式,輸入name and regcode 點OK中斷於此
*
Referenced by a CALL at Address:
|:005E5DB8
|
:005E5CC4 55
push ebp
:005E5CC5
8BEC mov
ebp, esp
:005E5CC7 83C4F4
add esp, FFFFFFF4
:005E5CCA 53
push ebx
:005E5CCB 33C9
xor ecx, ecx
:005E5CCD
894DF4 mov dword
ptr [ebp-0C], ecx
:005E5CD0 8955F8
mov dword ptr [ebp-08], edx
:005E5CD3 8945FC
mov dword ptr [ebp-04], eax
:005E5CD6
8B45FC mov eax,
dword ptr [ebp-04]
:005E5CD9 E85AF0E1FF
call 00404D38
:005E5CDE 8B45F8
mov eax, dword ptr [ebp-08]
:005E5CE1 E852F0E1FF
call 00404D38
:005E5CE6 33C0
xor eax,
eax
:005E5CE8 55
push ebp
:005E5CE9 682D5D5E00
push 005E5D2D
:005E5CEE 64FF30
push dword ptr fs:[eax]
:005E5CF1 648920
mov dword ptr fs:[eax],
esp
:005E5CF4 8D55F4
lea edx, dword ptr [ebp-0C]
:005E5CF7 8B45FC
mov eax, dword ptr [ebp-04] <------輸入的NAME
:005E5CFA
E8E5AB0800 call 006708E4
:005E5CFF
8B55F4 mov edx,
dword ptr [ebp-0C] <------正確的regcode
:005E5D02 8B45F8
mov eax, dword ptr [ebp-08]
<------輸入的regcode
:005E5D05 E88AEFE1FF
call 00404C94
:005E5D0A 7504
jne 005E5D10
:005E5D0C B301
mov bl, 01
:005E5D0E
EB02 jmp
005E5D12
(略)
按F8一步步跟蹤,在005E5CF7處發現輸入的NAME,同時在005E5CFF發現正確的regcode,直覺告訴我005E5CFA的CALL是計算註冊碼的,於是跟入.
而且在005E5CFF發現一個經典對比:
:005E5CFF
8B55F4 mov edx,
dword ptr [ebp-0C]
:005E5D02 8B45F8
mov eax, dword ptr [ebp-08]
:005E5D05 E88AEFE1FF
call 00404C94
:005E5D0A 7504
jne 005E5D10
跟入005E5CFA來到此地:
*
Referenced by a CALL at Addresses:
|:005E5CFA , :0067681F
|
:006708E4
55 push
ebp
:006708E5 8BEC
mov ebp, esp
:006708E7 81C4CCFDFFFF
add esp, FFFFFDCC
:006708ED 53
push ebx
:006708EE 56
push esi
:006708EF
57 push
edi
:006708F0 33C9
xor ecx, ecx
:006708F2 898DD0FDFFFF
mov dword ptr [ebp+FFFFFDD0], ecx
:006708F8 898DCCFDFFFF
mov dword ptr [ebp+FFFFFDCC], ecx
:006708FE
898DDCFDFFFF mov dword ptr [ebp+FFFFFDDC],
ecx
:00670904 898DD8FDFFFF mov dword
ptr [ebp+FFFFFDD8], ecx
:0067090A 898DE0FDFFFF
mov dword ptr [ebp+FFFFFDE0], ecx
:00670910 894DF0
mov dword ptr [ebp-10], ecx
:00670913
8955F8 mov dword
ptr [ebp-08], edx
:00670916 8945FC
mov dword ptr [ebp-04], eax
:00670919 8B45FC
mov eax, dword ptr [ebp-04]
:0067091C
E81744D9FF call 00404D38
:00670921
33C0 xor
eax, eax
:00670923 55
push ebp
:00670924 68330B6700
push 00670B33
:00670929 64FF30
push dword ptr fs:[eax]
:0067092C 648920
mov dword ptr fs:[eax],
esp
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:006708BD(C)
|
*
Possible StringData Ref from Code Obj ->"IP-POWERARC"
|
:0067092F BE440B6700
mov esi, 00670B44
:00670934 8DBDECFEFFFF
lea edi, dword ptr [ebp+FFFFFEEC]
:0067093A A5
movsd
:0067093B
A5 movsd
:0067093C
A5 movsd
:0067093D
8D85ECFDFFFF lea eax, dword ptr [ebp+FFFFFDEC]
:00670943
8B55FC mov edx,
dword ptr [ebp-04]
:00670946 B9FF000000
mov ecx, 000000FF
:0067094B E81042D9FF
call 00404B60
:00670950 33C0
xor eax, eax
:00670952 8A85ECFEFFFF
mov al, byte ptr [ebp+FFFFFEEC]
:00670958
8945F4 mov dword
ptr [ebp-0C], eax
:0067095B 33FF
xor edi, edi
:0067095D BE03140000
mov esi, 00001403
<-----ESI=1403(H)=5123(O)
:00670962
8D45F0 lea eax,
dword ptr [ebp-10]
:00670965 50
push eax
:00670966 89B5E4FDFFFF
mov dword ptr [ebp+FFFFFDE4], esi
:0067096C C685E8FDFFFF00
mov byte ptr [ebp+FFFFFDE8], 00
:00670973
8D95E4FDFFFF lea edx, dword ptr [ebp+FFFFFDE4]
:00670979
33C9 xor
ecx, ecx
* Possible
StringData Ref from Code Obj ->"%1.2x"
|
:0067097B B8580B6700 mov
eax, 00670B58
:00670980 E89BBBD9FF
call 0040C520
:00670985 33C0
xor eax, eax
:00670987 8A85ECFDFFFF
mov al, byte ptr [ebp+FFFFFDEC]
:0067098D 85C0
test eax, eax
:0067098F
7E6B jle
006709FC
:00670991 8945EC
mov dword ptr [ebp-14], eax
:00670994 8D9DEDFDFFFF
lea ebx, dword ptr [ebp+FFFFFDED]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006709FA(C)
|
:0067099A
33C0 xor
eax, eax
:0067099C 8A03
mov al, byte ptr [ebx] <-----使用者名稱依次ASC()入AL
:0067099E
03C6 add
eax, esi
<-----EAX=EAX+ESI
:006709A0 B9FF000000
mov ecx, 000000FF
<-----ECX=FF(H)=255(O)
:006709A5 99
cdq
:006709A6 F7F9
idiv ecx
<-----除法運算
:006709A8
8BF2 mov
esi, edx
<-----ESI=EAX MOD ECX (EAX除以ECX的餘數入ESI)
:006709AA 3B7DF4
cmp edi, dword ptr [ebp-0C]
<-----檢查是否超出"IP-POWERARC"的長度,保證程式取其中的字元
:006709AD 7D03
jge 006709B2
<-----大於等於就跳
:006709AF
47 inc
edi
<-----否則EDI=EDI+1
:006709B0 EB05
jmp 006709B7
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006709AD(C)
|
:006709B2
BF01000000 mov edi, 00000001
<-----如果EDI超出"IP-POWERARC"的長度,則EDI=1
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:006709B0(U)
|
:006709B7
33C0 xor
eax, eax
:006709B9 8A843DECFEFFFF mov al,
byte ptr [ebp+edi-00000114] <----"IP-POWERARC"指定位置的字元依次ASC()入AL
:006709C0
33F0 xor
esi, eax
<---- ESI=ESI XOR EAX
:006709C2 8D85E0FDFFFF
lea eax, dword ptr [ebp+FFFFFDE0]
:006709C8
50 push
eax
:006709C9 89B5E4FDFFFF mov dword
ptr [ebp+FFFFFDE4], esi
:006709CF C685E8FDFFFF00
mov byte ptr [ebp+FFFFFDE8], 00
:006709D6 8D95E4FDFFFF
lea edx, dword ptr [ebp+FFFFFDE4]
:006709DC 33C9
xor ecx,
ecx
* Possible StringData
Ref from Code Obj ->"%1.2x"
|
:006709DE
B8580B6700 mov eax, 00670B58
:006709E3
E838BBD9FF call 0040C520
:006709E8
8B95E0FDFFFF mov edx, dword ptr [ebp+FFFFFDE0]
<---- EDX=ESI(ESI的值作為字串付給EDX.可能這個功能,因
為我是彙編盲)
:006709EE
8D45F0 lea eax,
dword ptr [ebp-10]
:006709F1 E89641D9FF
call 00404B8C
:006709F6 43
inc ebx
:006709F7 FF4DEC
dec [ebp-14]
:006709FA 759E
jne 0067099A
<------下一迴圈
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0067098F(C)
<----此處向下的程式功能是在字串中取字元,因為我是彙編盲
|
具體方法也不是太清楚,只是靠猜的,好像是從最後開始向前
兩個一組在下面這段字串中取字元,還請哪個大俠不吝賜教
:006709FC
8B45F0 mov eax,
dword ptr [ebp-10] <---NAME經處理後形成的字串,也就是每次運算後的字串聯接起來
:006709FF E88041D9FF
call 00404B84
:00670A04 8BF0
mov esi,
eax
:00670A06 85F6
test esi, esi
:00670A08 7903
jns 00670A0D
:00670A0A 83C603
add esi, 00000003
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00670A08(C)
|
:00670A0D
C1FE02 sar esi,
02
:00670A10 C685ECFDFFFF00 mov byte ptr
[ebp+FFFFFDEC], 00
:00670A17 BB01000000
mov ebx, 00000001
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00670AE1(C)
|
:00670A1C
8D85DCFDFFFF lea eax, dword ptr [ebp+FFFFFDDC]
:00670A22
8D95ECFDFFFF lea edx, dword ptr [ebp+FFFFFDEC]
:00670A28
E8FB40D9FF call 00404B28
:00670A2D
8D85DCFDFFFF lea eax, dword ptr [ebp+FFFFFDDC]
:00670A33
50 push
eax
:00670A34 8D85D4FDFFFF lea eax,
dword ptr [ebp+FFFFFDD4]
:00670A3A 8BFB
mov edi, ebx
:00670A3C 0FAFFE
imul edi, esi
:00670A3F 8B55F0
mov edx, dword ptr
[ebp-10]
:00670A42 8A543AFF
mov dl, byte ptr [edx+edi-01]
:00670A46 885001
mov byte ptr [eax+01], dl
:00670A49 C60001
mov byte ptr [eax],
01
:00670A4C 8D95D4FDFFFF lea edx,
dword ptr [ebp+FFFFFDD4]
:00670A52 8D85D8FDFFFF
lea eax, dword ptr [ebp+FFFFFDD8]
:00670A58 E8CB40D9FF
call 00404B28
:00670A5D 8B95D8FDFFFF
mov edx, dword ptr [ebp+FFFFFDD8]
:00670A63
58 pop
eax
:00670A64 E82341D9FF call
00404B8C
:00670A69 8B95DCFDFFFF mov
edx, dword ptr [ebp+FFFFFDDC]
:00670A6F 8D85ECFDFFFF
lea eax, dword ptr [ebp+FFFFFDEC]
:00670A75 B9FF000000
mov ecx, 000000FF
:00670A7A E8E140D9FF
call 00404B60
:00670A7F 8D85D0FDFFFF
lea eax, dword ptr [ebp+FFFFFDD0]
:00670A85
8D95ECFDFFFF lea edx, dword ptr [ebp+FFFFFDEC]
:00670A8B
E89840D9FF call 00404B28
:00670A90
8D85D0FDFFFF lea eax, dword ptr [ebp+FFFFFDD0]
:00670A96
50 push
eax
:00670A97 8D85D4FDFFFF lea eax,
dword ptr [ebp+FFFFFDD4]
:00670A9D 8B55F0
mov edx, dword ptr [ebp-10]
:00670AA0 8A543AFE
mov dl, byte ptr [edx+edi-02]
:00670AA4
885001 mov byte
ptr [eax+01], dl
:00670AA7 C60001
mov byte ptr [eax], 01
:00670AAA 8D95D4FDFFFF
lea edx, dword ptr [ebp+FFFFFDD4]
:00670AB0 8D85CCFDFFFF
lea eax, dword ptr [ebp+FFFFFDCC]
:00670AB6
E86D40D9FF call 00404B28
:00670ABB
8B95CCFDFFFF mov edx, dword ptr [ebp+FFFFFDCC]
:00670AC1
58 pop
eax
:00670AC2 E8C540D9FF call
00404B8C
:00670AC7 8B95D0FDFFFF mov
edx, dword ptr [ebp+FFFFFDD0]
:00670ACD 8D85ECFDFFFF
lea eax, dword ptr [ebp+FFFFFDEC]
:00670AD3 B9FF000000
mov ecx, 000000FF
:00670AD8 E88340D9FF
call 00404B60
:00670ADD 43
inc ebx
:00670ADE 83FB05
cmp ebx, 00000005
:00670AE1 0F8535FFFFFF
jne 00670A1C
<-----此處與00670A1C之間的程式碼不是太清楚望各位大俠指教
:00670AE7 8B45F8
mov eax, dword ptr [ebp-08]
:00670AEA
8D95ECFDFFFF lea edx, dword ptr [ebp+FFFFFDEC]
<-----此處可見正確的註冊碼
:00670AF0 E83340D9FF
call 00404B28
:00670AF5 33C0
xor eax, eax
:00670AF7 5A
pop edx
:00670AF8
59 pop
ecx
:00670AF9 59
pop ecx
:00670AFA 648910
mov dword ptr fs:[eax], edx
:00670AFD 683A0B6700
push 00670B3A
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00670B38(U)
|
:00670B02
8D85CCFDFFFF lea eax, dword ptr [ebp+FFFFFDCC]
:00670B08
BA02000000 mov edx, 00000002
:00670B0D
E8DE3DD9FF call 004048F0
:00670B12
8D85D8FDFFFF lea eax, dword ptr [ebp+FFFFFDD8]
:00670B18
BA03000000 mov edx, 00000003
:00670B1D
E8CE3DD9FF call 004048F0
:00670B22
8D45F0 lea eax,
dword ptr [ebp-10]
:00670B25 E8A23DD9FF
call 004048CC
:00670B2A 8D45FC
lea eax, dword ptr [ebp-04]
:00670B2D E89A3DD9FF
call 004048CC
:00670B32 C3
ret
說了這麼多真是累死了,看來得好好學一下彙編了.還是用粗通的VB來還原這個過程吧,希望大家能看懂
Sub
Main()
On Error Resume Next
Dim yourname As
String, initstr As String, esi As Long
Dim tmp As String, i As
Integer, temp As String
Dim sn As String
yourname
= Trim(InputBox("請輸入註冊名,名字太短可能會有錯誤的結果."+chr(13)+chr(10)+"因為對字串的篩選方法是猜的"))
yourname = StrConv(yourname, 128) '因為是VB所以要解決UNICODE問題
If LenB(yourname) = 0 Then End
initstr = "IP-POWERARC"
Do Until LenB(yourname) \ Len(initstr) = 0 '保證initstr的長度大於等於yourname的長度以便計算
initstr = initstr + "IP-POWERARC"
DoEvents
Loop
esi = &H1403
'esi的初值
tmp = Hex(esi)
For i = 1 To LenB(yourname)
esi = (AscB(MidB(yourname,
i, 1)) + esi) Mod &HFF Xor Asc(Mid(initstr, i, 1))
'每一位依次ASC()後加ESI,然後對255取模,最後與程式內建的一段字串"IP-POWERARC"的相應位
'的ASC進行異或
If esi < 16 Then
'在小於16(也就是小於等於&hF)的數前加"0"
temp = "0" + Hex(esi)
Else
temp = Hex(esi)
End If
tmp = tmp + temp
Next i
'tmp為程式生成的一串字元,至此應該都是正確的,下面可不敢保證.因為我是彙編盲,以下取註冊碼的過程是猜的.
'程式從最後兩位開始,在tmp中平均取8位註冊碼
For i = Len(tmp) To 1 Step
-(Len(tmp) \ 4)
sn = Mid(tmp, i, 1) + Mid(tmp,
i - 1, 1) + sn
Next i
If Len(sn) > 8 Then
sn = Left(sn,
MsgBox "Your sn is: " + sn, 64, "大概吧!祝好運!"
End
End Sub
相關文章
- PowerArchiver破解過程。2015-11-15Hive
- 簡單演算法---A Speeder
V2.5破解的簡要分析!2015-11-15演算法
- 不完全的破解2000-11-23
- Teleport
pro 演算法簡單分析2004-07-15演算法
- 機械設計系統1.0破解實錄------------演算法簡單,破解過程一2015-11-15演算法
- 演算法學習之簡單排序2016-04-23演算法排序
- 簡單演算法之貪吃豆豆龍2015-11-15演算法
- DeTitle V1.33簡單演算法分析2003-08-06演算法
- Disk
Chief 1.2 簡單註冊演算法分析2015-11-15演算法
- Source Insight 3.5 演算法簡單分析2015-11-15演算法
- [原創]破解-分析Crackme演算法2009-06-13演算法
- Access Animation破解的簡要分析2003-05-10
- 簡單介紹Python迷宮生成和迷宮破解演算法2020-04-24Python演算法
- HTMLock 1.9.3破解手記---演算法分析2003-06-27HTML演算法
- CHM瀏覽器破解+演算法分析2004-06-04瀏覽器演算法
- IEPopupKiller 1.2破解手記--演算法分析2015-11-15演算法
- JRebel 破解最簡單的使用2021-09-30
- Hash破解神器:Hashcat的簡單使用2017-01-11
- Instyler Ex-it!
漢化版 1.64 簡單演算法分析2015-11-15演算法
- ExplosionField簡單分析2017-03-05
- Excel密碼破解超簡單?這樣加密別想破解2012-07-09Excel密碼加密
- QuickCD 1.0.320破解手記--演算法分析2015-11-15UI演算法
- 簡單排序演算法2020-11-27排序演算法
- 簡單演算法:迷你網路電視演算法分析 (8千字)2015-11-15演算法
- 簡單的數字驗證碼破解2020-12-19
- flashsoft得簡單破解 (6千字)2001-05-26
- mr原理簡單分析2020-08-23
- SSRF漏洞簡單分析2020-07-16
- 簡單陰影分析2020-12-27
- Dubbo原理簡單分析2017-04-13
- 菜鳥破解錄自之 Dialup Constructor 及演算法分析
(6千字)2000-09-11Struct演算法
- GreenBrowser 1.0.312破解手記--演算法分析2015-11-15演算法
- Golden 5.7 Build 391破解手記--演算法分析2015-11-15GoUI演算法
- POPMAN時常管家2003版--簡單演算法分析2015-11-15演算法
- LRU演算法簡單例子2013-11-26演算法單例
- IE瀏覽器修復工具 V1.1 不完全演算法分析2003-07-07瀏覽器演算法
- python深拷貝和淺拷貝之簡單分析2018-08-26Python
- 菜鳥破解錄之 GIF Construction Set Pro及演算法分析
(8千字)2000-09-01Struct演算法