[转载]备份工具Iomega QuikSyncV3.1注册机制之分析破文
<P>文章作者:qduwg</P><FONT face=宋体>适用平台:Win9x/Me/NT/2000<BR>软件简介:这是由ZIP磁盘大厂Iomega公司所出的自动备份软件,它可以在后台自动定时备份你的文件到本地驱动器及网络驱动<BR><BR>器。可让你保护好你重要的文件,如此亦可让你免于受到病毒侵害或系统当机崩溃时,仍能够将重要的文件免于受到波及。<BR>工具:Softice,PEID。<BR>引子:今天安装了这个小系统工具,试验了一下果然好用。可惜在安装过程中需要输入序列号,否则只有30天试用期。现在我们<BR><BR>就通过跟踪找到其注册码生成机制,用了30分钟分析完毕,用1个小时写出以下破文,作为献给各位菜鸟的礼物好了。因为是在安<BR><BR>装过程中输入注册码的,所以输入用户名wanggang,再输入注册码11111-22222-33333-44444总共20位,分4段组成。调出<BR><BR>Softice下断点bpxGetwindowtextA,F5退出,然后点击Register被拦截。按一次F12回到主程序空间来。然后换F10慢慢跟踪<BR><BR>到下面代码处:<BR>0043A1F1|.E8EEAF0400CALLQUIKSYNC.004851E4<BR>0043A1F6|.8B55FCMOVEDX,DWORDPTRSS:[EBP-4]<BR>0043A1F9|.81C248020000ADDEDX,248<BR>0043A1FF|.52PUSHEDX<BR>0043A200|.68F0030000PUSH3F0<BR>0043A205|.8B4508MOVEAX,DWORDPTRSS:[EBP+8]<BR>0043A208|.50PUSHEAX<BR>0043A209|.E8A1AE0400CALLQUIKSYNC.004850AF//读入第一段注册码。<BR>0043A20E|.6A05PUSH5<BR>0043A210|.8B4DFCMOVECX,DWORDPTRSS:[EBP-4]<BR>0043A213|.81C148020000ADDECX,248<BR>0043A219|.51PUSHECX<BR>0043A21A|.8B5508MOVEDX,DWORDPTRSS:[EBP+8]<BR>0043A21D|.52PUSHEDX<BR>0043A21E|.E8C1AF0400CALLQUIKSYNC.004851E4<BR>0043A223|.8B45FCMOVEAX,DWORDPTRSS:[EBP-4]<BR>0043A226|.054C020000ADDEAX,24C<BR>0043A22B|.50PUSHEAX<BR>0043A22C|.68EC030000PUSH3EC<BR>0043A231|.8B4D08MOVECX,DWORDPTRSS:[EBP+8]<BR>0043A234|.51PUSHECX<BR>0043A235|.E875AE0400CALLQUIKSYNC.004850AF//读入第二段注册码。<BR>0043A23A|.6A05PUSH5<BR>0043A23C|.8B55FCMOVEDX,DWORDPTRSS:[EBP-4]<BR>0043A23F|.81C24C020000ADDEDX,24C<BR>0043A245|.52PUSHEDX<BR>0043A246|.8B4508MOVEAX,DWORDPTRSS:[EBP+8]<BR>0043A249|.50PUSHEAX<BR>0043A24A|.E895AF0400CALLQUIKSYNC.004851E4<BR>0043A24F|.8B4DFCMOVECX,DWORDPTRSS:[EBP-4]<BR>0043A252|.81C150020000ADDECX,250<BR>0043A258|.51PUSHECX<BR>0043A259|.68EE030000PUSH3EE<BR>0043A25E|.8B5508MOVEDX,DWORDPTRSS:[EBP+8]<BR>0043A261|.52PUSHEDX<BR>0043A262|.E848AE0400CALLQUIKSYNC.004850AF//读入第三段注册码。<BR>0043A267|.6A05PUSH5<BR>0043A269|.8B45FCMOVEAX,DWORDPTRSS:[EBP-4]<BR>0043A26C|.0550020000ADDEAX,250<BR>0043A271|.50PUSHEAX<BR>0043A272|.8B4D08MOVECX,DWORDPTRSS:[EBP+8]<BR>0043A275|.51PUSHECX<BR>0043A276|.E869AF0400CALLQUIKSYNC.004851E4<BR>0043A27B|.8B55FCMOVEDX,DWORDPTRSS:[EBP-4]<BR>0043A27E|.81C254020000ADDEDX,254<BR>0043A284|.52PUSHEDX<BR>0043A285|.68EF030000PUSH3EF<BR>0043A28A|.8B4508MOVEAX,DWORDPTRSS:[EBP+8]<BR>0043A28D|.50PUSHEAX<BR>0043A28E|.E81CAE0400CALLQUIKSYNC.004850AF//读入第四段注册码。<BR>=============================================================================<BR>下面返回到如下代码处:<BR>0043A44A|.8B8578FDFFFFMOVEAX,DWORDPTRSS:[EBP-288]<BR>0043A450|.0548020000ADDEAX,248<BR>0043A455|.50PUSHEAX<BR>0043A456|.B99CFD4A00MOVECX,QUIKSYNC.004AFD9C<BR>0043A45B|.E8732D0400CALLQUIKSYNC.0047D1D3<BR>0043A460|.8B8D78FDFFFFMOVECX,DWORDPTRSS:[EBP-288]<BR>0043A466|.81C14C020000ADDECX,24C<BR>0043A46C|.51PUSHECX<BR>0043A46D|.B99CFD4A00MOVECX,QUIKSYNC.004AFD9C<BR>0043A472|.E83B300400CALLQUIKSYNC.0047D4B2//把第一,二段注册码拷贝到另一位置并串接起来。<BR>0043A477|.8B9578FDFFFFMOVEDX,DWORDPTRSS:[EBP-288]<BR>0043A47D|.81C250020000ADDEDX,250<BR>0043A483|.52PUSHEDX<BR>0043A484|.B99CFD4A00MOVECX,QUIKSYNC.004AFD9C<BR>0043A489|.E824300400CALLQUIKSYNC.0047D4B2//把第三段注册码复制到前面2段的后面。<BR>0043A48E|.8B8578FDFFFFMOVEAX,DWORDPTRSS:[EBP-288]<BR>0043A494|.0554020000ADDEAX,254<BR>0043A499|.50PUSHEAX<BR>0043A49A|.B99CFD4A00MOVECX,QUIKSYNC.004AFD9C<BR>0043A49F|.E80E300400CALLQUIKSYNC.0047D4B2//把第四段注册码复制到前面3段的后面。<BR>0043A4A4|.B998FD4A00MOVECX,QUIKSYNC.004AFD98<BR>0043A4A9|.E8D2C3FCFFCALLQUIKSYNC.00406880//取用户名长度。<BR>0043A4AE|.85C0TESTEAX,EAX<BR>0043A4B0|.740EJESHORTQUIKSYNC.0043A4C0<BR>0043A4B2|.B99CFD4A00MOVECX,QUIKSYNC.004AFD9C<BR>0043A4B7|.E8C4C3FCFFCALLQUIKSYNC.00406880//取注册码长度。<BR>0043A4BC|.85C0TESTEAX,EAX<BR>0043A4BE|.7535JNZSHORTQUIKSYNC.0043A4F5//此处自然跳走。<BR>=============================================================================<BR>0043A50E|.6A20PUSH20<BR>0043A510|.8D4DF0LEAECX,DWORDPTRSS:[EBP-10]<BR>0043A513|.E8B22F0400CALLQUIKSYNC.0047D4CA//复制注册码到另一位置。<BR>0043A518|.50PUSHEAX<BR>0043A519|.8D857CFDFFFFLEAEAX,DWORDPTRSS:[EBP-284]<BR>0043A51F|.50PUSHEAX<BR>0043A520|.8B8D20FFFFFFMOVECX,DWORDPTRSS:[EBP-E0]<BR>0043A526|.E8431A0000CALLQUIKSYNC.0043BF6E//这里就是关键了,产生注册码。后面分析。(1)<BR>0043A52B|.898574FDFFFFMOVDWORDPTRSS:[EBP-28C],EAX<BR>0043A531|.8B8D74FDFFFFMOVECX,DWORDPTRSS:[EBP-28C]<BR>0043A537|.898D70FDFFFFMOVDWORDPTRSS:[EBP-290],ECX<BR>0043A53D|.C645FC02MOVBYTEPTRSS:[EBP-4],2<BR>0043A541|.8B9570FDFFFFMOVEDX,DWORDPTRSS:[EBP-290]<BR>0043A547|.52PUSHEDX<BR>0043A548|.8D4DF0LEAECX,DWORDPTRSS:[EBP-10]<BR>0043A54B|.E8832C0400CALLQUIKSYNC.0047D1D3<BR>0043A550|.C645FC00MOVBYTEPTRSS:[EBP-4],0<BR>0043A554|.8D8D7CFDFFFFLEAECX,DWORDPTRSS:[EBP-284]<BR>0043A55A|.E83B2B0400CALLQUIKSYNC.0047D09A<BR>0043A55F|.6AFFPUSH-1<BR>0043A561|.8D4DF0LEAECX,DWORDPTRSS:[EBP-10]<BR>0043A564|.E8B02F0400CALLQUIKSYNC.0047D519//取刚刚产生的新注册码的地址送EAX。<BR>0043A569|.8D45F0LEAEAX,DWORDPTRSS:[EBP-10]<BR>0043A56C|.50PUSHEAX<BR>0043A56D|.689CFD4A00PUSHQUIKSYNC.004AFD9C<BR>0043A572|.E8D9F0FCFFCALLQUIKSYNC.00409650//这里就是对真假进行对比的地方了。(2)<BR>0043A577|.25FF000000ANDEAX,0FF<BR>0043A57C|.85C0TESTEAX,EAX<BR>0043A57E|.0F8457010000JEQUIKSYNC.0043A6DB<BR>=============================================================================<BR>下面分析(1)处的函数:<BR>0043BF6E/$55PUSHEBP<BR>0043BF6F|.8BECMOVEBP,ESP<BR>0043BF71|.6AFFPUSH-1<BR>0043BF73|.6800FE4800PUSHQUIKSYNC.0048FE00<BR>0043BF78|.64:A100000000MOVEAX,DWORDPTRFS:[0]<BR>0043BF7E|.50PUSHEAX<BR>0043BF7F|.64:8925000000>MOVDWORDPTRFS:[0],ESP<BR>0043BF86|.83EC1CSUBESP,1C<BR>0043BF89|.894DE0MOVDWORDPTRSS:[EBP-20],ECX<BR>0043BF8C|.C745E4000000>MOVDWORDPTRSS:[EBP-1C],0<BR>0043BF93|.8D4DECLEAECX,DWORDPTRSS:[EBP-14]<BR>0043BF96|.E8757CFCFFCALLQUIKSYNC.00403C10<BR>0043BF9B|.C745FC010000>MOVDWORDPTRSS:[EBP-4],1<BR>0043BFA2|.8B450CMOVEAX,DWORDPTRSS:[EBP+C]<BR>0043BFA5|.50PUSHEAX<BR>0043BFA6|.8D4DE8LEAECX,DWORDPTRSS:[EBP-18]<BR>0043BFA9|.51PUSHECX<BR>0043BFAA|.8D4DF0LEAECX,DWORDPTRSS:[EBP-10]<BR>0043BFAD|.E8BEECFFFFCALLQUIKSYNC.0043AC70//这个函数关键地方,我们后面分析。(3)<BR>0043BFB2|.8945DCMOVDWORDPTRSS:[EBP-24],EAX<BR>0043BFB5|.8B55DCMOVEDX,DWORDPTRSS:[EBP-24]<BR>0043BFB8|.8955D8MOVDWORDPTRSS:[EBP-28],EDX<BR>0043BFBB|.C645FC02MOVBYTEPTRSS:[EBP-4],2<BR>0043BFBF|.8B45D8MOVEAX,DWORDPTRSS:[EBP-28]<BR>0043BFC2|.50PUSHEAX<BR>0043BFC3|.8D4DECLEAECX,DWORDPTRSS:[EBP-14]<BR>0043BFC6|.E808120400CALLQUIKSYNC.0047D1D3<BR>0043BFCB|.C645FC01MOVBYTEPTRSS:[EBP-4],1<BR>0043BFCF|.8D4DE8LEAECX,DWORDPTRSS:[EBP-18]<BR>0043BFD2|.E8C3100400CALLQUIKSYNC.0047D09A<BR>0043BFD7|.8D4DECLEAECX,DWORDPTRSS:[EBP-14]<BR>0043BFDA|.51PUSHECX<BR>0043BFDB|.8B4D08MOVECX,DWORDPTRSS:[EBP+8]<BR>0043BFDE|.E82C0E0400CALLQUIKSYNC.0047CE0F<BR>0043BFE3|.8B55E4MOVEDX,DWORDPTRSS:[EBP-1C]<BR>0043BFE6|.83CA01OREDX,1<BR>0043BFE9|.8955E4MOVDWORDPTRSS:[EBP-1C],EDX<BR>0043BFEC|.C645FC00MOVBYTEPTRSS:[EBP-4],0<BR>0043BFF0|.8D4DECLEAECX,DWORDPTRSS:[EBP-14]<BR>0043BFF3|.E8A2100400CALLQUIKSYNC.0047D09A<BR>0043BFF8|.8B4508MOVEAX,DWORDPTRSS:[EBP+8]<BR>0043BFFB|.8B4DF4MOVECX,DWORDPTRSS:[EBP-C]<BR>0043BFFE|.64:890D000000>MOVDWORDPTRFS:[0],ECX<BR>0043C005|.8BE5MOVESP,EBP<BR>0043C007|.5DPOPEBP<BR>0043C008\.C20800RETN8<BR>============================================================================<BR>下面分析(3)处的函数,就是这个函数产生的注册码:<BR>0043AC70/$55PUSHEBP<BR>0043AC71|.8BECMOVEBP,ESP<BR>0043AC73|.6AFFPUSH-1<BR>0043AC75|.68C0FC4800PUSHQUIKSYNC.0048FCC0<BR>0043AC7A|.64:A100000000MOVEAX,DWORDPTRFS:[0]<BR>0043AC80|.50PUSHEAX<BR>0043AC81|.64:8925000000>MOVDWORDPTRFS:[0],ESP<BR>0043AC88|.83EC58SUBESP,58<BR>0043AC8B|.894D9CMOVDWORDPTRSS:[EBP-64],ECX<BR>0043AC8E|.C745A0000000>MOVDWORDPTRSS:[EBP-60],0<BR>0043AC95|.8D4DACLEAECX,DWORDPTRSS:[EBP-54]<BR>0043AC98|.E8738FFCFFCALLQUIKSYNC.00403C10<BR>0043AC9D|.C745FC010000>MOVDWORDPTRSS:[EBP-4],1<BR>0043ACA4|.8B450CMOVEAX,DWORDPTRSS:[EBP+C]<BR>0043ACA7|.8945F0MOVDWORDPTRSS:[EBP-10],EAX<BR>0043ACAA|.C745EC000000>MOVDWORDPTRSS:[EBP-14],0<BR>0043ACB1|.C745A4000000>MOVDWORDPTRSS:[EBP-5C],0<BR>0043ACB8|.C745E4000000>MOVDWORDPTRSS:[EBP-1C],0<BR>0043ACBF|.6A15PUSH15<BR>0043ACC1|.8D4DACLEAECX,DWORDPTRSS:[EBP-54]<BR>0043ACC4|.E878280400CALLQUIKSYNC.0047D541<BR>0043ACC9|.8945E8MOVDWORDPTRSS:[EBP-18],EAX<BR>0043ACCC|.6A15PUSH15<BR>0043ACCE|.6A00PUSH0<BR>0043ACD0|.8B4DE8MOVECX,DWORDPTRSS:[EBP-18]<BR>0043ACD3|.51PUSHECX<BR>0043ACD4|.E8A7430300CALLQUIKSYNC.0046F080//把一段内存清零,准备产生注册码。<BR>0043ACD9|.83C40CADDESP,0C<BR>0043ACDC|>8B55F0/MOVEDX,DWORDPTRSS:[EBP-10]//从这里开始到0043AD27处的循环是复制假码的前4位<BR><BR>到另一地址。EDX为假码地址。记新串为S1。<BR>0043ACDF|.0FBE02|MOVSXEAX,BYTEPTRDS:[EDX]//依次取假码前4位送EAX。<BR>0043ACE2|.85C0|TESTEAX,EAX//如果EAX为0则OVER。<BR>0043ACE4|.7443|JESHORTQUIKSYNC.0043AD29<BR>0043ACE6|.837DE404|CMPDWORDPTRSS:[EBP-1C],4//判断是否已经到4位了。<BR>0043ACEA|.7D3D|JGESHORTQUIKSYNC.0043AD29//如果到了则跳走。<BR>0043ACEC|.8B4DE8|MOVECX,DWORDPTRSS:[EBP-18]<BR>0043ACEF|.034DA4|ADDECX,DWORDPTRSS:[EBP-5C]//目的地址送ECX。<BR>0043ACF2|.8B55F0|MOVEDX,DWORDPTRSS:[EBP-10]<BR>0043ACF5|.8A02|MOVAL,BYTEPTRDS:[EDX]//把假码依次送AL。<BR>0043ACF7|.8801|MOVBYTEPTRDS:[ECX],AL//把假码送ECX指定的地址保存。<BR>0043ACF9|.8B4DA4|MOVECX,DWORDPTRSS:[EBP-5C]<BR>0043ACFC|.83C101|ADDECX,1//ECX增1。<BR>0043ACFF|.894DA4|MOVDWORDPTRSS:[EBP-5C],ECX//送回保存。<BR>0043AD02|.8B55F0|MOVEDX,DWORDPTRSS:[EBP-10]<BR>0043AD05|.0FBE02|MOVSXEAX,BYTEPTRDS:[EDX]<BR>0043AD08|.8B4DE4|MOVECX,DWORDPTRSS:[EBP-1C]<BR>0043AD0B|.D3E0|SHLEAX,CL//EAX左移CL位。CL依次取0,1,2,3。<BR>0043AD0D|.8B4DEC|MOVECX,DWORDPTRSS:[EBP-14]//取上次累加结果送ECX。<BR>0043AD10|.03C8|ADDECX,EAX//本次EAX值累加到ECX。<BR>0043AD12|.894DEC|MOVDWORDPTRSS:[EBP-14],ECX//保存结果。<BR>0043AD15|.8B55F0|MOVEDX,DWORDPTRSS:[EBP-10]<BR>0043AD18|.83C201|ADDEDX,1//地址增1。<BR>0043AD1B|.8955F0|MOVDWORDPTRSS:[EBP-10],EDX//送回保存。<BR>0043AD1E|.8B45E4|MOVEAX,DWORDPTRSS:[EBP-1C]//循环次数送EAX。<BR>0043AD21|.83C001|ADDEAX,1//EAX增1。<BR>0043AD24|.8945E4|MOVDWORDPTRSS:[EBP-1C],EAX//送回保存。<BR>0043AD27|.^EBB3\JMPSHORTQUIKSYNC.0043ACDC//未完继续。<BR>注意:这个循环把前4位循环累加起来,比如前4位是abcd,则结束后计算过程为R=a+b*2+c*4+d*8.下面就要用这个结果R。<BR>0043AD29|>6AFFPUSH-1<BR>0043AD2B|.8D4DACLEAECX,DWORDPTRSS:[EBP-54]<BR>0043AD2E|.E8E6270400CALLQUIKSYNC.0047D519<BR>0043AD33|.8B4DECMOVECX,DWORDPTRSS:[EBP-14]//前面计算的前4位累加和R送ECX。<BR>0043AD36|.51PUSHECX<BR>0043AD37|.8B4D9CMOVECX,DWORDPTRSS:[EBP-64]<BR>0043AD3A|.E811150000CALLQUIKSYNC.0043C250//取前面累加和R送EAX。<BR>0043AD3F|.C745A8000000>MOVDWORDPTRSS:[EBP-58],0<BR>0043AD46|.EB09JMPSHORTQUIKSYNC.0043AD51//这里跳下去。<BR>0043AD48|>8B55A8/MOVEDX,DWORDPTRSS:[EBP-58]//这里循环开始。求注册码了。<BR>0043AD4B|.83C201|ADDEDX,1<BR>0043AD4E|.8955A8|MOVDWORDPTRSS:[EBP-58],EDX<BR>0043AD51|>837DA832CMPDWORDPTRSS:[EBP-58],32//查表次数与32h比较。<BR>0043AD55|.7D4E|JGESHORTQUIKSYNC.0043ADA5//大于32h次则结束循环。<BR>0043AD57|.8B4D9C|MOVECX,DWORDPTRSS:[EBP-64]//上次计算结果地址送ECX。<BR>0043AD5A|.E811150000|CALLQUIKSYNC.0043C270//这个函数用累加和做参数进行简单计算。(4)<BR>0043AD5F|.99|CDQ//扩展到EDX。<BR>0043AD60|.B95F000000|MOVECX,5F//把常数5Fh送ECX。<BR>0043AD65|.F7F9|IDIVECX//EAX除以ECX,余数在EDX。<BR>0043AD67|.8B45A8|MOVEAX,DWORDPTRSS:[EBP-58]<BR>0043AD6A|.8A8AB4BE4A00|MOVCL,BYTEPTRDS:[EDX+4ABEB4]//根据得到的余数EDX查表,结果送CL。<BR>0043AD70|.884C05B0|MOVBYTEPTRSS:[EBP+EAX-50],CL//保存CL。<BR>0043AD74|.8B55A8|MOVEDX,DWORDPTRSS:[EBP-58]<BR>0043AD77|.0FBE4415B0|MOVSXEAX,BYTEPTRSS:[EBP+EDX-50]//取出刚刚得到的查表结果。<BR>0043AD7C|.85C0|TESTEAX,EAX//判断是否为0。<BR>0043AD7E|.7502|JNZSHORTQUIKSYNC.0043AD82//如果不为0则跳到下面处理。<BR>0043AD80|.^EBC6|JMPSHORTQUIKSYNC.0043AD48//如果上面不跳,说明取出的值为0,则需要重新<BR><BR>计算,然后查表取值。<BR>0043AD82|>8B4DA4|MOVECX,DWORDPTRSS:[EBP-5C]//新得到的字符要存放的相对位置。<BR>0043AD85|.83C101|ADDECX,1//相对偏移增1。<BR>0043AD88|.894DA4|MOVDWORDPTRSS:[EBP-5C],ECX//送回保存。<BR>0043AD8B|.837DA414|CMPDWORDPTRSS:[EBP-5C],14//和14h比较是否到达20。<BR>0043AD8F|.7E02|JLESHORTQUIKSYNC.0043AD93//如果没有到20则跳下面。<BR>0043AD91|.EB12|JMPSHORTQUIKSYNC.0043ADA5<BR>0043AD93|>8B55A8|MOVEDX,DWORDPTRSS:[EBP-58]<BR>0043AD96|.8A4415B0|MOVAL,BYTEPTRSS:[EBP+EDX-50]//取出得到的查表结果送AL。<BR>0043AD9A|.50|PUSHEAX<BR>0043AD9B|.8D4DAC|LEAECX,DWORDPTRSS:[EBP-54]//取出新注册码串地址送ECX。<BR>0043AD9E|.E8FA260400|CALLQUIKSYNC.0047D49D//把查得的字符送到新串S的后面。<BR>0043ADA3|.^EBA3\JMPSHORTQUIKSYNC.0043AD48//一直循环到满20位为止。<BR>0043ADA5|>8D4DACLEAECX,DWORDPTRSS:[EBP-54]<BR>0043ADA8|.51PUSHECX<BR>0043ADA9|.8B4D08MOVECX,DWORDPTRSS:[EBP+8]//后面几个函数无用。<BR>0043ADAC|.E85E200400CALLQUIKSYNC.0047CE0F<BR>0043ADB1|.8B55A0MOVEDX,DWORDPTRSS:[EBP-60]<BR>0043ADB4|.83CA01OREDX,1<BR>0043ADB7|.8955A0MOVDWORDPTRSS:[EBP-60],EDX<BR>0043ADBA|.C645FC00MOVBYTEPTRSS:[EBP-4],0<BR>0043ADBE|.8D4DACLEAECX,DWORDPTRSS:[EBP-54]<BR>0043ADC1|.E8D4220400CALLQUIKSYNC.0047D09A<BR>0043ADC6|.8B4508MOVEAX,DWORDPTRSS:[EBP+8]<BR>0043ADC9|.8B4DF4MOVECX,DWORDPTRSS:[EBP-C]<BR>0043ADCC|.64:890D000000>MOVDWORDPTRFS:[0],ECX<BR>0043ADD3|.8BE5MOVESP,EBP<BR>0043ADD5|.5DPOPEBP<BR>0043ADD6\.C20800RETN8<BR>============================================================================<BR>下面分析(4)处的函数,这个函数通过计算得到一个数。<BR>0043C270/$55PUSHEBP<BR>0043C271|.8BECMOVEBP,ESP<BR>0043C273|.51PUSHECX<BR>0043C274|.894DFCMOVDWORDPTRSS:[EBP-4],ECX<BR>0043C277|.8B45FCMOVEAX,DWORDPTRSS:[EBP-4]<BR>0043C27A|.8B08MOVECX,DWORDPTRDS:[EAX]//上次计算结果送ECX。<BR>0043C27C|.69C94DBD2000IMULECX,ECX,20BD4D//ECX=ECX*20BD4D。<BR>0043C282|.81C1C39E2600ADDECX,269EC3//ECX=ECX+269EC3。<BR>0043C288|.8B55FCMOVEDX,DWORDPTRSS:[EBP-4]<BR>0043C28B|.890AMOVDWORDPTRDS:[EDX],ECX//ECX保存到EDX指定的地址。<BR>0043C28D|.8B45FCMOVEAX,DWORDPTRSS:[EBP-4]<BR>0043C290|.8B00MOVEAX,DWORDPTRDS:[EAX]//把刚才的结果送EAX。<BR>0043C292|.C1F810SAREAX,10//EAX右移10h次,即16位。<BR>0043C295|.25FF7F0000ANDEAX,7FFF//EAX和7FFF进行与运算,取最低15位。<BR>0043C29A|.8BE5MOVESP,EBP<BR>0043C29C|.5DPOPEBP<BR>0043C29D\.C3RETN<BR>============================================================================<BR>下面分析(2)处的函数,这个函数对注册码进行比较。<BR>00409650/$55PUSHEBP<BR>00409651|.8BECMOVEBP,ESP<BR>00409653|.8B4D0CMOVECX,DWORDPTRSS:[EBP+C]<BR>00409656|.E8552E0000CALLQUIKSYNC.0040C4B0<BR>0040965B|.50PUSHEAX<BR>0040965C|.8B4D08MOVECX,DWORDPTRSS:[EBP+8]<BR>0040965F|.E87CD2FFFFCALLQUIKSYNC.004068E0//这个函数通往真正比较的地方。(5)<BR>00409664|.F7D8NEGEAX<BR>00409666|.1BC0SBBEAX,EAX<BR>00409668|.40INCEAX<BR>00409669|.5DPOPEBP<BR>0040966A\.C20800RETN8<BR>============================================================================<BR>下面分析(5)处的函数,这个函数对注册码进行比较。<BR>004068E0/$55PUSHEBP<BR>004068E1|.8BECMOVEBP,ESP<BR>004068E3|.51PUSHECX<BR>004068E4|.894DFCMOVDWORDPTRSS:[EBP-4],ECX<BR>004068E7|.8B4508MOVEAX,DWORDPTRSS:[EBP+8]<BR>004068EA|.50PUSHEAX<BR>004068EB|.8B4DFCMOVECX,DWORDPTRSS:[EBP-4]<BR>004068EE|.8B11MOVEDX,DWORDPTRDS:[ECX]<BR>004068F0|.52PUSHEDX<BR>004068F1|.E80A000000CALLQUIKSYNC.00406900//在这个函数里进行。(6)<BR>004068F6|.83C408ADDESP,8<BR>004068F9|.8BE5MOVESP,EBP<BR>004068FB|.5DPOPEBP<BR>004068FC\.C20400RETN4<BR>(6)处函数调用下面代码。<BR>00406900/$55PUSHEBP<BR>00406901|.8BECMOVEBP,ESP<BR>00406903|.8B450CMOVEAX,DWORDPTRSS:[EBP+C]<BR>00406906|.50PUSHEAX<BR>00406907|.8B4D08MOVECX,DWORDPTRSS:[EBP+8]<BR>0040690A|.51PUSHECX<BR>0040690B|.E8308B0600CALLQUIKSYNC.0046F440//我们找的"兔子"在这里藏着啦。(7)<BR>00406910|.83C408ADDESP,8<BR>00406913|.5DPOPEBP<BR>00406914\.C3RETN<BR>============================================================================<BR>下面分析(7)处的函数,这个函数对注册码进行比较。<BR>*省去多行*<BR>0046F46F|>66:0FB60F/MOVZXCX,BYTEPTRDS:[EDI]//假码字符依次送CX。<BR>0046F473|.0FB6C1|MOVZXEAX,CL//CL送EAX。<BR>0046F476|.47|INCEDI//EDI地址增1。<BR>0046F477|.894D0C|MOVDWORDPTRSS:[EBP+C],ECX//把假码送内存单元保存。<BR>0046F47A|.F680C1354B00>|TESTBYTEPTRDS:[EAX+4B35C1],4<BR>0046F481|.7416|JESHORTQUIKSYNC.0046F499<BR>0046F483|.8A07|MOVAL,BYTEPTRDS:[EDI]//取0送AL。<BR>0046F485|.84C0|TESTAL,AL<BR>0046F487|.7506|JNZSHORTQUIKSYNC.0046F48F//如果为0则不跳。<BR>0046F489|.83650C00|ANDDWORDPTRSS:[EBP+C],0<BR>0046F48D|.EB0A|JMPSHORTQUIKSYNC.0046F499//这里跳。<BR>0046F48F|>33D2|XOREDX,EDX<BR>0046F491|.47|INCEDI<BR>0046F492|.8AF1|MOVDH,CL<BR>0046F494|.8AD0|MOVDL,AL<BR>0046F496|.89550C|MOVDWORDPTRSS:[EBP+C],EDX<BR>0046F499|>66:0FB61E|MOVZXBX,BYTEPTRDS:[ESI]//真码送BX。<BR>0046F49D|.0FB6C3|MOVZXEAX,BL//然后送EAX。<BR>0046F4A0|.46|INCESI//ESI增1。<BR>0046F4A1|.F680C1354B00>|TESTBYTEPTRDS:[EAX+4B35C1],4//EAX作为偏移地址取一个数与4“与”运算。<BR>0046F4A8|.7413|JESHORTQUIKSYNC.0046F4BD//这里自动跳。<BR>0046F4AA|.8A06|MOVAL,BYTEPTRDS:[ESI]<BR>0046F4AC|.84C0|TESTAL,AL<BR>0046F4AE|.7504|JNZSHORTQUIKSYNC.0046F4B4<BR>0046F4B0|.33DB|XOREBX,EBX<BR>0046F4B2|.EB09|JMPSHORTQUIKSYNC.0046F4BD<BR>0046F4B4|>33C9|XORECX,ECX<BR>0046F4B6|.46|INCESI<BR>0046F4B7|.8AEB|MOVCH,BL<BR>0046F4B9|.8AC8|MOVCL,AL<BR>0046F4BB|.8BD9|MOVEBX,ECX<BR>0046F4BD|>66:395D0C|CMPWORDPTRSS:[EBP+C],BX//[EBP+C]里的假码跟BX内的真码比较。<BR>0046F4C1|.7509|JNZSHORTQUIKSYNC.0046F4CC//不相等就OVER。<BR>0046F4C3|.66:837D0C00|CMPWORDPTRSS:[EBP+C],0//假码与0比较。<BR>0046F4C8|.7416|JESHORTQUIKSYNC.0046F4E0//相等时则结束。<BR>0046F4CA|.^EBA3\JMPSHORTQUIKSYNC.0046F46F//否则继续循环。<BR>0046F4CC|>6A19PUSH19<BR>0046F4CE|.E8283C0000CALLQUIKSYNC.004730FB<BR>0046F4D3|.66:3B5D0CCMPBX,WORDPTRSS:[EBP+C]<BR>0046F4D7|.59POPECX<BR>0046F4D8|.1BC0SBBEAX,EAX<BR>0046F4DA|.83E002ANDEAX,2<BR>0046F4DD|.48DECEAX<BR>0046F4DE|.EB0AJMPSHORTQUIKSYNC.0046F4EA<BR>0046F4E0|>6A19PUSH19<BR>0046F4E2|.E8143C0000CALLQUIKSYNC.004730FB<BR>0046F4E7|.59POPECX<BR>0046F4E8|.33C0XOREAX,EAX//EAX清0。<BR>0046F4EA|>5FPOPEDI<BR>0046F4EB|.5EPOPESI<BR>0046F4EC|.5BPOPEBX<BR>0046F4ED|.5DPOPEBP<BR>0046F4EE\.C3RETN<BR>============================================================================<BR>后记:<BR>通过30分钟的跟踪分析出注册码产生机制了。但是没有时间写出注册机,原理搞明白了,写注册机也是水到渠成的事情了。写这<BR><BR>篇破文却花了俺1个小时的时间呢。为了给广大坛友提供一点帮助,助坛友一臂之力,再苦再累也值得了!因为身后有许多坛友给<BR><BR>予我极大支持和关注!所以,我的每篇破文里面应该都包含了看雪论坛各位坛友的无形的帮助,也有你的一份功劳在里面的!如<BR><BR>果没有各位的支持,相信我是坚持不下来的。非常高兴跟大家分享我的快乐!^_*<BR><BR>结论:随便给出几组注册码,注册码的产生只与前4位有关:<BR><BR>1111t-lWRRF-eRKxH-546nm(第6位是小写的L)<BR>7878A-4j8PF-TlSzl-8dZDe(第2段内第12、15位是小写的L,不是数字1.)<BR>5211z-tUYrx-p2xv7-1Ia5o(最后一位不是数字0,而是小写的字符O)<BR><BR>注册成功后在H.C.U\Software\IomegaQuickSync3\Sync键下面建立Init子键,里面是注册码的16进制明码形式。</FONT><BR><BR><P></P>
页:
[1]