[Repost] A detailed analysis of the registration algorithm of 资料收集管理专家 (DataColl) 1.7 official release
Author: windayjian

[Tools] OllyDbg, PEiD
[Difficulty] EASY
[Protection] Serial number (SN)

The executable is not packed. Search the string references and scroll up, and you arrive here:

00505A40  .  CALL DataColl.0044DCA4
00505A45  .  MOV EAX, DWORD PTR SS:[EBP-8]       ; registration code -> EAX
00505A48  .  PUSH EAX
00505A49  .  LEA EDX, DWORD PTR SS:[EBP-C]
00505A4C  .  MOV EAX, DWORD PTR DS:[EBX+314]
00505A52  .  CALL DataColl.0044DCA4
00505A57  .  MOV EAX, DWORD PTR SS:[EBP-C]       ; organization name -> EAX
00505A5A  .  PUSH EAX
00505A5B  .  LEA EDX, DWORD PTR SS:[EBP-10]
00505A5E  .  MOV EAX, DWORD PTR DS:[EBX+310]
00505A64  .  CALL DataColl.0044DCA4
00505A69  .  MOV EDX, DWORD PTR SS:[EBP-10]      ; user name -> EDX
00505A6C  .  MOV EAX, DWORD PTR DS:[EBX+32C]
00505A72  .  POP ECX
00505A73  .  CALL DataColl.00504AF0              ; algorithm CALL
00505A78  .  TEST AL, AL
00505A7A  .  JNZ SHORT DataColl.00505AA8         ; if this does not jump, game over
.......................................................

Step into 505A73 and you see this (an unimportant part is omitted):

00504B21 |.  PUSH EBP
00504B22 |.  PUSH DataColl.00504BDA
00504B27 |.  PUSH DWORD PTR FS:[EAX]
00504B2A |.  MOV DWORD PTR FS:[EAX], ESP
00504B2D |.  MOV EAX, DWORD PTR SS:[EBP-4]
00504B30 |.  CALL DataColl.00404FFC
00504B35 |.  CMP EAX, DWORD PTR DS:[EBX+4C]      ; compare the user name length with 100
00504B38 |.  JG SHORT DataColl.00504B53          ; nobody uses a name that long... (sigh)
00504B3A |.  MOV EAX, DWORD PTR SS:[EBP-4]       ; user name -> EAX
00504B3D |.  CALL DataColl.00404FFC
00504B42 |.  CMP EAX, DWORD PTR DS:[EBX+50]      ; compare the user name length with 3
00504B45 |.  JL SHORT DataColl.00504B53          ; shorter than 3 or longer than 100: nothing good comes of it
00504B47 |.  MOV EAX, DWORD PTR SS:[EBP+8]       ; registration code -> EAX
00504B4A |.  CALL DataColl.00404FFC
00504B4F |.  TEST EAX, EAX                       ; is the registration code empty?
00504B51 |.  JNZ SHORT DataColl.00504B57
00504B53 |>  XOR EBX, EBX
00504B55 |.  JMP SHORT DataColl.00504BB7
00504B57 |>  LEA EDX, DWORD PTR SS:[EBP-C]
00504B5A |.  MOV EAX, DWORD PTR SS:[EBP+8]
00504B5D |.  CALL DataColl.00409574              ; converts the letters of the registration code to upper case
00504B62 |.  MOV EDX, DWORD PTR SS:[EBP-C]
00504B65 |.  LEA EAX, DWORD PTR SS:[EBP+8]
00504B68 |.  CALL DataColl.00404DDC
00504B6D |.  LEA ECX, DWORD PTR SS:[EBP-10]
00504B70 |.  MOV EDX, DWORD PTR SS:[EBP-4]
00504B73 |.  MOV EAX, EBX
00504B75 |.  CALL DataColl.005046C0              ; algorithm CALL
00504B7A |.  MOV EAX, DWORD PTR SS:[EBP-10]      ; real code
00504B7D |.  MOV EDX, DWORD PTR SS:[EBP+8]       ; entered (fake) code
00504B80 |.  CALL DataColl.004095EC              ; comparison CALL
00504B85 |.  TEST EAX, EAX
00504B87 |.  JE SHORT DataColl.00504B8D
00504B89 |.  XOR EBX, EBX                        ; clear the flag
00504B8B |.  JMP SHORT DataColl.00504BB7
00504B8D |>  LEA EAX, DWORD PTR DS:[EBX+48]
00504B90 |.  MOV EDX, DWORD PTR SS:[EBP-4]
00504B93 |.  CALL DataColl.00404D98
00504B98 |.  LEA EAX, DWORD PTR DS:[EBX+54]
00504B9B |.  MOV EDX, DWORD PTR SS:[EBP-8]
00504B9E |.  CALL DataColl.00404D98
00504BA3 |.  LEA EAX, DWORD PTR DS:[EBX+5C]
00504BA6 |.  MOV EDX, DWORD PTR SS:[EBP+8]
00504BA9 |.  CALL DataColl.00404D98
00504BAE |.  MOV EAX, EBX
00504BB0 |.  CALL DataColl.00504E10
00504BB5 |.  MOV BL, 1                           ; set the flag to 1
00504BB7 |>  XOR EAX, EAX
00504BB9 |.  POP EDX
00504BBA |.  POP ECX
00504BBB |.  POP ECX
00504BBC |.  MOV DWORD PTR FS:[EAX], EDX
00504BBF |.  PUSH DataColl.00504BE1
00504BC4 |>  LEA EAX, DWORD PTR SS:[EBP-10]
00504BC7 |.  MOV EDX, 4
00504BCC |.  CALL DataColl.00404D68
00504BD1 |.  LEA EAX, DWORD PTR SS:[EBP+8]
00504BD4 |.  CALL DataColl.00404D44
00504BD9 \.  RETN
00504BDA  .  JMP DataColl.00404608
00504BDF  .  JMP SHORT DataColl.00504BC4
00504BE1  .  MOV EAX, EBX                        ; flag -> EAX; AL is tested right after the return
00504BE3  .  POP EBX
00504BE4  .  MOV ESP, EBP
00504BE6  .  POP EBP
00504BE7  .  RETN 4
......................................................

Now step into 504B75 (part omitted):

005046F3 |.  LEA EDX, DWORD PTR SS:[EBP-24]
005046F6 |.  MOV EAX, ESI
005046F8 |.  CALL DataColl.00505604              ; check-code CALL
005046FD |.  MOV EAX, DWORD PTR SS:[EBP-24]
00504700 |.  LEA EDX, DWORD PTR SS:[EBP-14]
00504703 |.  CALL DataColl.004097C4
00504708 |.  CMP DWORD PTR SS:[EBP-14], 0        ; is the check code empty?
0050470C |.  JNZ SHORT DataColl.0050471B
0050470E |.  LEA EAX, DWORD PTR SS:[EBP-20]
00504711 |.  MOV EDX, DWORD PTR SS:[EBP-4]
00504714 |.  CALL DataColl.00404DDC
00504719 |.  JMP SHORT DataColl.00504778
0050471B |>  MOV EAX, DWORD PTR SS:[EBP-14]
0050471E |.  CALL DataColl.00404FFC              ; length of the check code
00504723 |.  MOV EBX, EAX
00504725 |.  LEA EAX, DWORD PTR SS:[EBP-18]
00504728 |.  PUSH EAX
00504729 |.  MOV ECX, EBX
0050472B |.  SAR ECX, 1                          ; ECX shifted right by 1 (the length to take)
0050472D |.  JNS SHORT DataColl.00504732
0050472F |.  ADC ECX, 0
00504732 |>  MOV EDX, 1
00504737 |.  MOV EAX, DWORD PTR SS:[EBP-14]
0050473A |.  CALL DataColl.00405254              ; MID-like function
0050473F |.  LEA EAX, DWORD PTR SS:[EBP-1C]
00504742 |.  PUSH EAX
00504743 |.  MOV EAX, EBX
00504745 |.  SAR EAX, 1
00504747 |.  JNS SHORT DataColl.0050474C
00504749 |.  ADC EAX, 0
0050474C |>  MOV ECX, EBX
0050474E |.  SUB ECX, EAX                        ; check-code length minus the length just taken
00504750 |.  MOV EDX, EBX
00504752 |.  SAR EDX, 1
00504754 |.  JNS SHORT DataColl.00504759
00504756 |.  ADC EDX, 0
00504759 |>  INC EDX
0050475A |.  MOV EAX, DWORD PTR SS:[EBP-14]
0050475D |.  CALL DataColl.00405254              ; MID-like function
00504762 |.  PUSH DWORD PTR SS:[EBP-18]
00504765 |.  PUSH DWORD PTR SS:[EBP-4]
00504768 |.  PUSH DWORD PTR SS:[EBP-1C]
0050476B |.  LEA EAX, DWORD PTR SS:[EBP-20]
0050476E |.  MOV EDX, 3
00504773 |.  CALL DataColl.004050BC              ; string concatenation: one part of the check code + user name + the other part
00504778 |>  MOV DWORD PTR SS:[EBP-10], 0
0050477F |.  MOV DWORD PTR SS:[EBP-C], 0
00504786 |.  MOV EAX, DWORD PTR SS:[EBP-4]
00504789 |.  CALL DataColl.00404FFC              ; user name length
0050478E |.  CMP EAX, DWORD PTR DS:[ESI+4C]
00504791 |.  JG SHORT DataColl.005047A0          ; jump if greater than 100
00504793 |.  MOV EAX, DWORD PTR SS:[EBP-4]
00504796 |.  CALL DataColl.00404FFC
0050479B |.  CMP EAX, DWORD PTR DS:[ESI+50]
0050479E |.  JGE SHORT DataColl.005047AC         ; jump if greater than or equal to 3
005047A0 |>  MOV EAX, EDI
005047A2 |.  CALL DataColl.00404D44
005047A7 |.  JMP DataColl.0050483D
005047AC |>  MOV EAX, DWORD PTR SS:[EBP-20]
005047AF |.  CALL DataColl.00404FFC              ; length of the concatenated string
005047B4 |.  MOV EBX, EAX
005047B6 |.  JMP SHORT DataColl.005047EF
005047B8 |> /MOV EAX, DWORD PTR SS:[EBP-10]
005047BB |. |MOV EDX, DWORD PTR SS:[EBP-C]
005047BE |. |ADD EAX, DWORD PTR DS:[ESI+68]      ; add 0xA934C0AF to the running EAX
005047C1 |. |ADC EDX, DWORD PTR DS:[ESI+6C]      ; add 0x2E plus the carry to the running EDX
005047C4 |. |PUSH EDX
005047C5 |. |PUSH EAX
005047C6 |. |MOV EAX, DWORD PTR SS:[EBP-20]
005047C9 |. |MOVZX EAX, BYTE PTR DS:[EAX+EBX-1]  ; take the characters of the concatenated string one by one, from the last one backwards
005047CE |. |PUSH EAX
005047CF |. |MOV EAX, 459                        ; EAX = 459h
005047D4 |. |POP EDX
005047D5 |. |MOV ECX, EDX                        ; EDX is the character value
005047D7 |. |XOR EDX, EDX
005047D9 |. |DIV ECX                             ; division
005047DB |. |MOV EAX, EDX                        ; remainder -> EAX
005047DD |. |XOR EDX, EDX
005047DF |. |SUB DWORD PTR SS:[ESP], EAX         ; subtract the remainder from the saved result
005047E2 |. |SBB DWORD PTR SS:[ESP+4], EDX
005047E6 |. |POP EAX
005047E7 |. |POP EDX
005047E8 |. |MOV DWORD PTR SS:[EBP-10], EAX      ; store the new result; the next iteration accumulates on top of it
005047EB |. |MOV DWORD PTR SS:[EBP-C], EDX       ; same as above
005047EE |. |DEC EBX
005047EF |> |MOV EAX, DWORD PTR SS:[EBP-20]
005047F2 |. |CALL DataColl.00404FFC
005047F7 |. |CMP EBX, EAX
005047F9 |. |JG SHORT DataColl.005047FF
005047FB |. |TEST EBX, EBX
005047FD |. \JG SHORT DataColl.005047B8
005047FF |>  MOV EBX, DWORD PTR DS:[ESI+60]
00504802 |.  TEST EBX, EBX
00504804 |.  JG SHORT DataColl.00504817          ; test the check-code length: jump if greater than 0, which it normally is
00504806 |.  PUSH DWORD PTR SS:[EBP-C]           ; /Arg2
00504809 |.  PUSH DWORD PTR SS:[EBP-10]          ; |Arg1
0050480C |.  MOV EDX, EDI                        ; |
0050480E |.  XOR EAX, EAX                        ; |
00504810 |.  CALL DataColl.00409B44              ; \DataColl.00409B44
00504815 |.  JMP SHORT DataColl.0050483D
00504817 |>  PUSH DWORD PTR SS:[EBP-C]           ; /result 1 from above
0050481A |.  PUSH DWORD PTR SS:[EBP-10]          ; |result 2
0050481D |.  MOV EDX, EDI                        ; |
0050481F |.  MOV EAX, EBX                        ; |
00504821 |.  CALL DataColl.00409B44              ; \concatenation
00504826 |.  MOV EAX, DWORD PTR DS:[EDI]         ; DS:[EDI] is now the registration code

All in all, the algorithm is decent and the design is clear. The pity is that it compares the code in plaintext, which is the blunder.
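The following is an added reconstruction of the 005046C0 routine as the listing above describes it; it is not the program's own source and not part of the original article. It renders the SAR-based half split and concatenation, the user-name length gate, and the 64-bit ADD/ADC accumulation with the 0x459 remainder. The check-code routine at 00505604 and the final formatting call at 00409B44 are not on the page, so the check code is taken as an input and the function stops at the raw EDX:EAX value that would be handed to 00409B44.

```python
from typing import Optional

# Constants as annotated in the disassembly: [ESI+68]=0xA934C0AF, [ESI+6C]=0x2E,
# the DIV dividend 459h, and the user-name length limits at [EBX+50]=3 / [EBX+4C]=100.
MASK64 = (1 << 64) - 1
STEP = (0x2E << 32) | 0xA934C0AF   # ADD EAX,[ESI+68] / ADC EDX,[ESI+6C] as one 64-bit add
DIVIDEND = 0x459                   # MOV EAX,459 before DIV ECX
MIN_NAME, MAX_NAME = 3, 100


def name_length_ok(user: bytes) -> bool:
    """Gate at 00504B35..00504B45, repeated at 0050478E..0050479E."""
    return MIN_NAME <= len(user) <= MAX_NAME


def build_material(user: bytes, check: bytes) -> bytes:
    """0050471B..00504773: first half of the check code + user name + remaining half.

    SAR x,1 / JNS / ADC x,0 is the compiler's signed divide-by-two; the length is
    never negative here, so it is a plain floor(len / 2). An empty check code
    (00504708) means the material is just the user name.
    """
    if not check:
        return user
    half = len(check) >> 1
    return check[:half] + user + check[half:]   # MID(check,1,half) + user + MID(check,half+1,len-half)


def accumulate(material: bytes) -> int:
    """Loop 005047B8..005047FD: walk the string from its last byte to its first,
    keeping a 64-bit running value in EDX:EAX ([EBP-C]:[EBP-10])."""
    acc = 0
    for b in reversed(material):               # MOVZX EAX, BYTE PTR [EAX+EBX-1] with EBX counting down
        if b == 0:
            raise ZeroDivisionError("DIV ECX would fault on a NUL byte")
        # ADD/ADC adds STEP, SUB/SBB then removes (459h mod byte); both wrap at 2**64.
        # Every step is an addition, so the direction of the walk does not change the result.
        acc = (acc + STEP - (DIVIDEND % b)) & MASK64
    return acc


def expected_value(user: bytes, check: bytes) -> Optional[int]:
    """The value 005046C0 passes to 00409B44, or None when the length gate fails."""
    if not name_length_ok(user):
        return None
    return accumulate(build_material(user, check))


if __name__ == "__main__":
    # Constructed sample input; the real check code comes from 00505604, which is not shown.
    print(hex(expected_value(b"windayjian", b"ABCDEF")))
```

Because the client computes the complete expected value itself, the string compare at 00504B80 is the only gate, which is exactly the weakness the author points out.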