[Repost] Winamp Skin Maker Registration Code Analysis (For Beginners)
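<P>Article author: qduwg</P>
<P><FONT face=宋体>Title: Winamp Skin Maker registration code analysis<BR>
Software description: a small program for making WinAmp skins. You can build skins from any pictures you like and set various effects. If it is not registered, the word "Unregistered" is displayed on the skins you make. The registration fee is $15.<BR>
Goal: analyse the logic of the registration code algorithm and write a small keygen.<BR>
Difficulty: Very Easy<BR>
Tools: SoftICE, PEiD<BR>
Introduction: today I came across this small program on a CD again, from the 2002 bound volume of 电脑爱好者 (Computer Fan magazine). I picked it up purely to pass the time and did not expect it to be so simple; it was done in a few minutes, but I will still go through the analysis briefly. Please don't throw eggs at me!! :)<BR>
<BR>
PEiD shows the program is not packed and was written in VC. Start the program, open the Help menu, click About, and in the dialog that pops up click the Register button. Enter a user name and a fake registration code, for example wanggang, 78787878. In SoftICE set the breakpoint bpx hmemcpy, press F5 to exit, click the OK button, and the breakpoint hits. Press F12 nine times to reach the main program code:<BR>
1. Overall program layout<BR>
00406346 . 8D442428 LEA EAX,DWORD PTR SS:[ESP+28]<BR>
0040634A . 6A1E PUSH 1E<BR>
0040634C . 50 PUSH EAX<BR>
0040634D . 68FD030000 PUSH 3FD<BR>
00406352 . 56 PUSH ESI<BR>
00406353 . FFD7 CALL EDI // get the registration code length<BR>
00406355 . 8D442408 LEA EAX,DWORD PTR SS:[ESP+8] // user name address -> EAX<BR>
00406359 . 50 PUSH EAX<BR>
0040635A . E8310B0000 CALL SKINNER.00406E90 // this CALL is key; step into it with F8, the code is analysed below<BR>
0040635F . 83C404 ADD ESP,4<BR>
00406362 . 8BF8 MOV EDI,EAX<BR>
00406364 . 8D442428 LEA EAX,DWORD PTR SS:[ESP+28] // address of the first 4 characters of the registration code -> EAX<BR>
00406368 . 50 PUSH EAX<BR>
00406369 . E8A20B0000 CALL SKINNER.00406F10 // this CALL is key; step into it with F8, the code is analysed below<BR>
0040636E . 83C404 ADD ESP,4<BR>
00406371 . 85C0 TEST EAX,EAX<BR>
00406373 . 7535 JNZ SHORT SKINNER.004063AA // the jump is taken here<BR>
* irrelevant code omitted<BR>
004063AA > 3BC7 CMP EAX,EDI // compares the accumulated sum computed from the user name with the accumulated sum of the registration code. If they are not equal, it is over. So the registration code is simply the user-name sum in EAX, converted to a decimal number.<BR>
004063AC . 7534 JNZ SHORT SKINNER.004063E2<BR>
004063AE . 8D442408 LEA EAX,DWORD PTR SS:[ESP+8]<BR>
004063B2 . 8B3DEC334100 MOV EDI,DWORD PTR DS:[<&KERNEL32.lstrcpy><BR>
004063B8 . 50 PUSH EAX<BR>
004063B9 . 6800294100 PUSH SKINNER.00412900<BR>
004063BE . FFD7 CALL EDI<BR>
004063C0 . 8D4C2428 LEA ECX,DWORD PTR SS:[ESP+28]<BR>
004063C4 . 51 PUSH ECX<BR>
004063C5 . 6880264100 PUSH SKINNER.00412680<BR>
004063CA . FFD7 CALL EDI<BR>
004063CC . 6A02 PUSH 2<BR>
004063CE . 56 PUSH ESI<BR>
004063CF . FF15D0344100 CALL DWORD PTR DS:[<&USER32.EndDialog>]<BR>
======================================================<BR>
The code above returns to the following code:<BR>
00406248 . 68F80B4100 PUSH SKINNER.00410BF8<BR>
0040624D . 8B3DC8344100 MOV EDI,DWORD PTR DS:[<&USER32.SetDlgItemTextA>]<BR>
00406253 . 68FB030000 PUSH 3FB<BR>
00406258 . 56 PUSH ESI<BR>
00406259 . FFD7 CALL EDI<BR>
0040625B . 6800294100 PUSH SKINNER.00412900<BR>
00406260 . 68F8030000 PUSH 3F8<BR>
00406265 . 56 PUSH ESI<BR>
00406266 . FFD7 CALL EDI<BR>
00406268 . 6880264100 PUSH SKINNER.00412680<BR>
0040626D . 68F9030000 PUSH 3F9<BR>
00406272 . 56 PUSH ESI<BR>
00406273 . FFD7 CALL EDI<BR>
00406275 . C705140F4100> MOV DWORD PTR DS:[410F14],1<BR>
0040627F . 6A40 PUSH 40<BR>
00406281 . 68F00B4100 PUSH SKINNER.00410BF0<BR>
00406286 . 68C80B4100 PUSH SKINNER.00410BC8<BR>
0040628B . 56 PUSH ESI<BR>
0040628C . FF1580344100 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] // "registration successful" dialog<BR>
======================================================<BR>
2. Analysis of the important functions: first look at CALL 00406E90 at 40635A. The code is below; ECX' denotes the value first assigned in the current loop iteration.<BR>
00406EAA |> 0FBE0E /MOVSX ECX,BYTE PTR DS:[ESI] // take the name characters one by one, sign-extend into ECX<BR>
00406EAD |. 8BD1 |MOV EDX,ECX // the character also goes to EDX<BR>
00406EAF |. 46 |INC ESI<BR>
00406EB0 |. 8D0CC9 |LEA ECX,DWORD PTR DS:[ECX+ECX*8] // ECX=9*ECX'<BR>
00406EB3 |. 8D0CCA |LEA ECX,DWORD PTR DS:[EDX+ECX*8] // ECX=8*ECX+EDX=73*ECX'<BR>
00406EB6 |. 8D0CC9 |LEA ECX,DWORD PTR DS:[ECX+ECX*8] // ECX=9*ECX=9*73*ECX'<BR>
00406EB9 |. 03CA |ADD ECX,EDX // ECX=ECX+EDX=658*ECX'<BR>
00406EBB |. 8D0C49 |LEA ECX,DWORD PTR DS:[ECX+ECX*2] // ECX=3*ECX=3*658*ECX'=1974*ECX'<BR>
00406EBE |. 83C119 |ADD ECX,19 // ECX=ECX+19=1974*ECX'+19h<BR>
00406EC1 |. 03C1 |ADD EAX,ECX // accumulate into EAX<BR>
00406EC3 |. 803E00 |CMP BYTE PTR DS:[ESI],0<BR>
00406EC6 |.^75E2 \JNZ SHORT SKINNER.00406EAA // not finished yet: repeat the steps above<BR>
00406EC8 |> 8D04450B00000> LEA EAX,DWORD PTR DS:[EAX*2+B] // EAX=EAX*2+Bh: the accumulated sum times 2, plus B<BR>
00406ECF |. 3D82841E00 CMP EAX,1E8482 // compare with the constant 1E8482<BR>
00406ED4 |. 721C JB SHORT SKINNER.00406EF2 // jump away if below<BR>
00406ED6 |. 3D3E548900 CMP EAX,89543E // compare with the constant 89543E<BR>
00406EDB |. 762A JBE SHORT SKINNER.00406F07 // jump away if below or equal<BR>
------------------------------------------------------------------------<BR>
00406EF2 |> 8D04450800000> /LEA EAX,DWORD PTR DS:[EAX*2+8] // keep multiplying by 2 and adding 8<BR>
00406EF9 |. 3D82841E00 |CMP EAX,1E8482<BR>
00406EFE |.^72F2 \JB SHORT SKINNER.00406EF2 // loop while below this constant<BR>
00406F00 |. 8D04450800000> LEA EAX,DWORD PTR DS:[EAX*2+8] // if greater, multiply by 2 and add 8 once more<BR>
00406F07 |> 5E POP ESI<BR>
00406F08 \. C3 RETN<BR>
======================================================<BR>
3. Now the contents of the second key CALL:<BR>
00406F10 /$ 53 PUSH EBX<BR>
00406F11 |. 56 PUSH ESI<BR>
00406F12 |. 8B74240C MOV ESI,DWORD PTR SS:[ESP+C]<BR>
00406F16 |. 57 PUSH EDI<BR>
00406F17 |. 56 PUSH ESI<BR>
00406F18 |. 33DB XOR EBX,EBX<BR>
00406F1A |. FF1550334100 CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] // get the registration code length<BR>
00406F20 |. 8D78FF LEA EDI,DWORD PTR DS:[EAX-1] // registration code address -> EDI<BR>
00406F23 |. B901000000 MOV ECX,1<BR>
00406F28 |. 85C0 TEST EAX,EAX<BR>
00406F2A |. 7E15 JLE SHORT SKINNER.00406F41<BR>
00406F2C |> 0FBE143E /MOVSX EDX,BYTE PTR DS:[ESI+EDI] // take the registration code characters into EDX starting from the highest position; loop start<BR>
00406F30 |. 83EA30 |SUB EDX,30 // subtract 30h, turning it into a hexadecimal number<BR>
00406F33 |. 4F |DEC EDI<BR>
00406F34 |. 0FAFD1 |IMUL EDX,ECX // multiply by ECX; ECX is the decimal place weight: ones, tens, hundreds, thousands and so on<BR>
00406F37 |. 03DA |ADD EBX,EDX // accumulate into EBX<BR>
00406F39 |. 8D0C89 |LEA ECX,DWORD PTR DS:[ECX+ECX*4] // compute the weight of the next digit, ECX=5*ECX'<BR>
00406F3C |. 03C9 |ADD ECX,ECX // ECX=2*ECX=10*ECX', so the place weights are decimal<BR>
00406F3E |. 48 |DEC EAX<BR>
00406F3F |.^75EB \JNZ SHORT SKINNER.00406F2C // if EAX is not 0, keep looping<BR>
00406F41 |> 8BC3 MOV EAX,EBX // the accumulated sum goes to EAX and is returned to the caller<BR>
00406F43 |. 5F POP EDI<BR>
00406F44 |. 5E POP ESI<BR>
00406F45 |. 5B POP EBX<BR>
00406F46 \. C3 RETN<BR>
=======================================================<BR>
4. A C keygen for this small program, already debugged and working:<BR>
/* keygen for skinner of winamp */<BR>
#include "stdio.h"<BR>
#include "string.h" /* strlen */<BR>
#include "conio.h" /* clrscr (Turbo C) */<BR>
main()<BR>
{<BR>
    char name[20];<BR>
    long c=0,s=0;<BR>
    int l,i;<BR>
    clrscr();<BR>
    printf("This keygen is made by Mr.QduWg\n");<BR>
    printf("please input your name,the lenth is less 20 letters without including space");<BR>
    scanf("%s",name);<BR>
    printf("%s\n",name);<BR>
    l=strlen(name);<BR>
    printf("%d\n",l);<BR>
    for(i=0;i<l;i++)<BR>
    {printf("name[i]=%x",*(name+i));<BR>
    c=name[i]*9;<BR>
    c=8*c+name[i];<BR>
    c=9*c;<BR>
    c=c+name[i];<BR>
    c=3*c;<BR>
    c=c+25;<BR>
    s=s+c;<BR>
    }<BR>
    printf("code1=%ld\n",s);<BR>
    s=2*s+0xB;<BR>
    printf("the code is %ld\n",s);<BR>
    if(s<0x1e8482)<BR>
    {do<BR>
    s=s*2+8;<BR>
    while(s<0x1e8482);}<BR>
    else if(s<=0x89543e)<BR>
    printf("Your Regsiter key is %ld\n",s);<BR>
    printf("Thank you for use this keygen!\n");<BR>
    getchar();<BR>
}<BR>
=======================================================<BR>
Postscript: this took 2 hours of debugging plus writing up this cracking article. As Ku said, we should make the time to sit down and properly analyse registration algorithms; only that way can we improve. This registration code analysis is my response to that call. The algorithm really is simple, so the experts may laugh! But remember: without accumulating small steps, one cannot travel a thousand li! So starting with something simple makes it easier to build confidence and experience. If you start by analysing a more complex program's algorithm, a failure is only temporary, but it is depressing and puts you off your food!<BR>
<BR>
A few results:<BR>
wanggang--------3324627<BR>
liuxin-----------2625731 (731?? Sounds rather scary, doesn't it)<BR>
ilovecracker-----5030363<BR>
<BR>
Thank you for taking the time to read this.<BR>
<BR>
QduWg<BR>
qduwg@163.com</FONT><BR></P>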
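<P>Added example, not part of the original article or of the analysed program: the loop at 00406F2C-00406F3F from section 3 written out in C, one statement per instruction, to show how the LEA/ADD pair builds the decimal place weight. It is followed by a validating decimal parser for comparison. The function names are hypothetical, and "78787878" is the placeholder code typed in the walkthrough.</P>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Instruction-by-instruction C equivalent of the loop at 00406F2C-00406F3F.
 * Function names are hypothetical; they do not come from the binary. */
int32_t routine_406f10(const char *s)
{
    uint32_t ebx = 0;            /* XOR EBX,EBX : running total          */
    uint32_t ecx = 1;            /* MOV ECX,1   : decimal place weight   */
    size_t eax = strlen(s);      /* lstrlenA                             */

    while (eax > 0) {            /* TEST/JLE on entry, DEC EAX / JNZ     */
        /* MOVSX EDX,[ESI+EDI], EDI = len-1 counting down: last char first */
        uint32_t edx = (uint32_t)(int32_t)(signed char)s[eax - 1];
        edx -= 0x30;             /* SUB EDX,30 : no digit range check    */
        ebx += edx * ecx;        /* IMUL EDX,ECX ; ADD EBX,EDX (mod 2^32) */
        ecx = ecx + ecx * 4;     /* LEA ECX,[ECX+ECX*4] : weight * 5     */
        ecx += ecx;              /* ADD ECX,ECX         : weight * 10    */
        eax--;
    }
    return (int32_t)ebx;         /* MOV EAX,EBX                          */
}

/* Validating counterpart: digits only, no 32-bit wraparound.
 * Returns 0 and stores the value on success, -1 on malformed input. */
int parse_decimal_strict(const char *s, uint32_t *out)
{
    uint64_t v = 0;
    if (*s == '\0')
        return -1;
    for (; *s != '\0'; s++) {
        if (*s < '0' || *s > '9')
            return -1;
        v = v * 10 + (uint64_t)(*s - '0');
        if (v > UINT32_MAX)
            return -1;
    }
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    uint32_t v = 0;
    printf("%d\n", (int)routine_406f10("78787878"));
    printf("%d\n", parse_decimal_strict("78787878", &v));
    return 0;
}
```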