
[转载]Easy Autorun Creator V2.0 的注册

[转载]Easy Autorun Creator V2.0 的注册

文章作者:rdsnow[BCG][PYG][D.4s]


【作者主页】
http://rdsnow.ys168.com
【E-mail】rdsnow@163.com
【作者QQ】83757177
【文章题目】Easy Autorun Creator V2.0 的注册
【软件名称】Easy Autorun Creator 2.0
【下载地址】
http://www.aw-software.com/

----------------------------------------------------------------------------------------
【加密方式】序列号
【破解工具】OD by DYK v1.10 [05.09]
【软件限制】功能限制
【破解平台】Microsoft Windows XP Professional
【平台版本】5.1.2600 Service Pack 2 内部版本号 2600

----------------------------------------------------------------------------------------
【软件简介】

* Automatic CD menu creation
* Template support
* Autorun wizard
* Easy-to-use interface
* Disk compatibility with Windows XP, Me, 98, NT, 2003

【文章简介】

看到这个程序有汉化版下载,就下了一个。Scan with PEiD 0.94,无壳,可能是被汉化者脱掉了,Borland Delphi 6.0 - 7.0 编译。算法比较简单,高手略过。

----------------------------------------------------------------------------------------
【破解过程】

因为有错误的对话框,所以下断BpMessageBoxA,单步到程序领空,很容易找到程序比较的地方。典型的明码比较。

; Excerpt of the registration check (OllyDbg listing, 32-bit x86; the column
; spacing was lost when the page was extracted).
; Trailing comments are the article author's annotations, translated.
; Flow visible in this excerpt: the Email text is fetched (00463970) and passed
; with a series of fixed strings to 004047EC, each call followed by
; JE -> 0050739E; later an expected serial is derived from the Email by the
; virtual call at 005071F5 and passed with the entered serial to 004047EC
; at 005071FC.
; NOTE(review): the expected serial is computed in-process and compared as
; plain text, so it is present in memory at the compare. A check that verifies
; a signature against an embedded public key would not need to materialise
; the expected value.
0050708B.68F6735000PUSHEasy_Aut.005073F6
00507090.64:FF30PUSHDWORDPTRFS:[EAX]
00507093.64:8920MOVDWORDPTRFS:[EAX],ESP
00507096.8D55F0LEAEDX,DWORDPTRSS:[EBP-10]
00507099.8B831C030000MOVEAX,DWORDPTRDS:[EBX+31C]
0050709F.E8CCC8F5FFCALLEasy_Aut.00463970; fetch the Email text
005070A4.837DF000CMPDWORDPTRSS:[EBP-10],0
005070A8.0F84F0020000JEEasy_Aut.0050739E; jump if nothing was entered
005070AE.8D55ECLEAEDX,DWORDPTRSS:[EBP-14]
005070B1.8B831C030000MOVEAX,DWORDPTRDS:[EBX+31C]
005070B7.E8B4C8F5FFCALLEasy_Aut.00463970; fetch the Email text
005070BC.8B45ECMOVEAX,DWORDPTRSS:[EBP-14]
005070BF.BA0C745000MOVEDX,Easy_Aut.0050740C; ASCII "inf@hot.com" (author: blacklist entry)
005070C4.E823D7EFFFCALLEasy_Aut.004047EC
005070C9.0F84CF020000JEEasy_Aut.0050739E
005070CF.8D55E8LEAEDX,DWORDPTRSS:[EBP-18]
005070D2.8B831C030000MOVEAX,DWORDPTRDS:[EBX+31C]
005070D8.E893C8F5FFCALLEasy_Aut.00463970; fetch the Email text
005070DD.8B45E8MOVEAX,DWORDPTRSS:[EBP-18]
005070E0.BA20745000MOVEDX,Easy_Aut.00507420; ASCII "TEAMDVT" (author: blacklist entry)
0050718A.E85DD6EFFFCALLEasy_Aut.004047EC
0050718F.0F8409020000JEEasy_Aut.0050739E
……………………; twenty-odd further blacklist entries omitted by the author
00507195.8D45F4LEAEAX,DWORDPTRSS:[EBP-C]
00507198.BAAC745000MOVEDX,Easy_Aut.005074AC; ASCII "AWSoftware" (author: blacklist entry)
0050719D.E8D6D2EFFFCALLEasy_Aut.00404478
005071A2.8B0DB8345100MOVECX,DWORDPTRDS:[5134B8]; Easy_Aut.00516134
005071A8.8B09MOVECX,DWORDPTRDS:[ECX]
005071AA.B201MOVDL,1
005071AC.A1C8284C00MOVEAX,DWORDPTRDS:[4C28C8]
005071B1.E812A1FBFFCALLEasy_Aut.004C12C8
005071B6.8945F8MOVDWORDPTRSS:[EBP-8],EAX
005071B9.8B0D70134C00MOVECX,DWORDPTRDS:[4C1370]; Easy_Aut.004C13BC
005071BF.8B55F4MOVEDX,DWORDPTRSS:[EBP-C]
005071C2.8B45F8MOVEAX,DWORDPTRSS:[EBP-8]
005071C5.E8E29EFBFFCALLEasy_Aut.004C10AC
005071CA.8D55D0LEAEDX,DWORDPTRSS:[EBP-30]
005071CD.8B8320030000MOVEAX,DWORDPTRDS:[EBX+320]
005071D3.E898C7F5FFCALLEasy_Aut.00463970; fetch the serial typed by the user
005071D8.8B45D0MOVEAX,DWORDPTRSS:[EBP-30]
005071DB.50PUSHEAX
005071DC.8D55C8LEAEDX,DWORDPTRSS:[EBP-38]
005071DF.8B831C030000MOVEAX,DWORDPTRDS:[EBX+31C]
005071E5.E886C7F5FFCALLEasy_Aut.00463970; fetch the Email text
005071EA.8B55C8MOVEDX,DWORDPTRSS:[EBP-38]
005071ED.8D4DCCLEAECX,DWORDPTRSS:[EBP-34]
005071F0.8B45F8MOVEAX,DWORDPTRSS:[EBP-8]
005071F3.8B30MOVESI,DWORDPTRDS:[EAX]
005071F5.FF5654CALLDWORDPTRDS:[ESI+54]; derive the expected serial (result at [EBP-34])
005071F8.8B55CCMOVEDX,DWORDPTRSS:[EBP-34]
005071FB.58POPEAX
005071FC.E8EBD5EFFFCALLEasy_Aut.004047EC; compare expected serial with the entered one
00507201.0F85C1000000JNZEasy_Aut.005072C8
00507207.B8C0745000MOVEAX,Easy_Aut.005074C0
0050720C.E89BFBF2FFCALLEasy_Aut.00436DAC

跟进
005071F5.FF5654CALLDWORDPTRDS:[ESI+54];得到真码
来到计算注册码的地方

; Routine reached through CALL [ESI+54] at 005071F5 (OllyDbg listing, spacing
; lost in extraction; the author elided two stretches, marked "……").
; Per the author's annotations it works in two stages: a virtual call at slot
; +4C transforms the Email, then 004C0A28 Base64-encodes the transformed bytes.
; Trailing comments are the author's annotations, translated.
004C120C/.55PUSHEBP
004C120D|.8BECMOVEBP,ESP
004C120F|.6A00PUSH0
004C1211|.53PUSHEBX
004C1212|.56PUSHESI
……………………
004C124F|.8BD0MOVEDX,EAX
004C1251|.8BC7MOVEAX,EDI
004C1253|.59POPECX
004C1254|.8B30MOVESI,DWORDPTRDS:[EAX]
004C1256|.FF564CCALLDWORDPTRDS:[ESI+4C]; pre-process the Email
004C1259|.8D55FCLEAEDX,DWORDPTRSS:[EBP-4]
004C125C|.8B03MOVEAX,DWORDPTRDS:[EBX]
004C125E|.E8C5F7FFFFCALLEasy_Aut.004C0A28; Base64-encode the pre-processed result
004C1263|.8B55FCMOVEDX,DWORDPTRSS:[EBP-4]
004C1266|.8BC3MOVEAX,EBX
……………………
004C1272|.64:8910MOVDWORDPTRFS:[EAX],EDX
004C1275|.688A124C00PUSHEasy_Aut.004C128A
004C127A|>8D45FCLEAEAX,DWORDPTRSS:[EBP-4]
004C127D|.E85E31F4FFCALLEasy_Aut.004043E0
004C1282\.C3RETN

跟进
004C1256|.FF564CCALLDWORDPTRDS:[ESI+4C];对Email进行预处理
看看对注册码的预处理

; Byte-wise transform reached through CALL [ESI+4C] at 004C1256 (OllyDbg
; listing, 32-bit x86; spacing lost in extraction).
; In:  EAX      = object holding a flag byte at +30 and a byte table at +34
;      EDX      = source buffer (saved to [EBP-4])
;      ECX      = destination buffer (saved to [EBP-8])
;      [EBP+8]  = byte count (one stack argument, removed by RETN 4)
; Loop registers: ECX = table index i, EDX = running index n, both masked to
; 8 bits; [EBP-C] = buffer offset, [EBP-10] = bytes remaining.
; Each iteration advances i, adds SBox[i] to n, swaps SBox[i] with SBox[n],
; and XORs the input byte with SBox[(SBox[i]+SBox[n]) & 0xFF]. That is the
; RC4 keystream-generation step (PRGA) applied to the buffer.
; NOTE(review): the branch at 004C2D47 skips two calls when the byte at +30 is
; non-zero; presumably they raise the "Cipher not initialized" error - confirm.
004C2D34/.55PUSHEBP
004C2D35|.8BECMOVEBP,ESP
004C2D37|.83C4F0ADDESP,-10
004C2D3A|.53PUSHEBX
004C2D3B|.56PUSHESI
004C2D3C|.57PUSHEDI
004C2D3D|.894DF8MOVDWORDPTRSS:[EBP-8],ECX
004C2D40|.8955FCMOVDWORDPTRSS:[EBP-4],EDX
004C2D43|.80783000CMPBYTEPTRDS:[EAX+30],0
004C2D47|.7516JNZSHORTEasy_Aut.004C2D5F
004C2D49|.B9D82D4C00MOVECX,Easy_Aut.004C2DD8; ASCII "Cipher not initialized"
004C2D4E|.B201MOVDL,1
004C2D50|.A1B40D4C00MOVEAX,DWORDPTRDS:[4C0DB4]
004C2D55|.E85E9BF4FFCALLEasy_Aut.0040C8B8
004C2D5A|.E81910F4FFCALLEasy_Aut.00403D78
004C2D5F|>33C9XORECX,ECX
004C2D61|.33D2XOREDX,EDX
004C2D63|.8B5D08MOVEBX,DWORDPTRSS:[EBP+8]
004C2D66|.4BDECEBX
004C2D67|.85DBTESTEBX,EBX
004C2D69|.725AJBSHORTEasy_Aut.004C2DC5
004C2D6B|.43INCEBX
004C2D6C|.895DF0MOVDWORDPTRSS:[EBP-10],EBX
004C2D6F|.C745F40000>MOVDWORDPTRSS:[EBP-C],0
004C2D76|>41/INCECX
004C2D77|.81E1FF000000|ANDECX,0FF
004C2D7D|.0FB6740834|MOVZXESI,BYTEPTRDS:[EAX+ECX+34]; ESI = SBox[i]
004C2D82|.8D1416|LEAEDX,DWORDPTRDS:[ESI+EDX]; n = (n + SBox[i]) & 0xFF
004C2D85|.81E2FF000000|ANDEDX,0FF
004C2D8B|.8A5C1034|MOVBL,BYTEPTRDS:[EAX+EDX+34]; BL = SBox[n]
004C2D8F|.885C0834|MOVBYTEPTRDS:[EAX+ECX+34],BL; SBox[i] = SBox[n]
004C2D93|.8BDE|MOVEBX,ESI
004C2D95|.885C1034|MOVBYTEPTRDS:[EAX+EDX+34],BL; SBox[n] = old SBox[i], i.e. the two entries are swapped
004C2D99|.33DB|XOREBX,EBX
004C2D9B|.8A5C0834|MOVBL,BYTEPTRDS:[EAX+ECX+34]
004C2D9F|.03F3|ADDESI,EBX; K = (SBox[i] + SBox[n]) & 0xFF
004C2DA1|.81E6FF000000|ANDESI,0FF
004C2DA7|.8B5DFC|MOVEBX,DWORDPTRSS:[EBP-4]
004C2DAA|.8B7DF4|MOVEDI,DWORDPTRSS:[EBP-C]
004C2DAD|.8A1C3B|MOVBL,BYTEPTRDS:[EBX+EDI]; BL = next input byte (the Email, per the author)
004C2DB0|.325C3034|XORBL,BYTEPTRDS:[EAX+ESI+34]; BL ^= SBox[K]
004C2DB4|.8B75F8|MOVESI,DWORDPTRSS:[EBP-8]
004C2DB7|.8B7DF4|MOVEDI,DWORDPTRSS:[EBP-C]
004C2DBA|.881C3E|MOVBYTEPTRDS:[ESI+EDI],BL; store the result byte
004C2DBD|.FF45F4|INCDWORDPTRSS:[EBP-C]
004C2DC0|.FF4DF0|DECDWORDPTRSS:[EBP-10]
004C2DC3|.^75B1\JNZSHORTEasy_Aut.004C2D76
004C2DC5|>5FPOPEDI
004C2DC6|.5EPOPESI
004C2DC7|.5BPOPEBX
004C2DC8|.8BE5MOVESP,EBP
004C2DCA|.5DPOPEBP
004C2DCB\.C20400RETN4

----------------------------------------------------------------------------------------
【破解心得】

注册码的计算分两步进行,

一、先对输入的Email地址进行预先处理

对Email预变换的代码不多,加密过程大致是这样的:首先定义一个byte表SBox[513],使用一个byte变量n。SBox[513]中预置了一些数据,对Email处理的同时对SBox中的数据进行变换。下面的循环步骤与RC4的密钥流生成(PRGA)过程一致。

*i从1开始循环,每次循环取SBox[i],并且累加到n上

*交换SBox[i]和SBox[n]

*求SBox[i]和SBox[n]的和(只保留低8位)

*用求得的和去查SBox表

*查表结果再跟Email的当前字符异或,并替换掉该字符

*等Email中所有字符都被替换掉了,替换后的Email就是预处理结果

二、将预处理结果采用标准的Base64编码,就得到真码了。

【注册机源码】

// Edit-change handler from the article: copies the text of m_Edit1 into a
// local buffer, applies the table-driven XOR transform described above, and
// puts the Base64 encoding of the result into m_Edit2.
// NOTE(review): this listing lost its whitespace and part of the loop header
// when the page was extracted; it does not compile as shown.
voidCKeygenDlg::OnChangeEdit1()
{
// TODO: If this is a RICHEDIT control, the control will not
// send this notification unless you override the CDialog::OnInitDialog()
// function and call CRichEditCtrl().SetEventMask()
// with the ENM_CHANGE flag ORed into the mask.

// TODO: Add your control notification handler code here


// SBox[513] as copied from process memory by the author

unsignedcharSBox[513]={
0xA9,0x8A,0xEC,0x2B,0x4E,0x74,0x69,0xA6,0x88,0x99,0x2A,0x0A,0xCF,0x83,0x22,0xA3,
0xC1,0x6E,0xB0,0x5B,0xB3,0x38,0xE3,0x47,0x85,0x1C,0xB2,0xDC,0x6B,0x92,0xAB,0xF6,
0x2E,0x01,0x1F,0x18,0x17,0x8F,0x10,0xD3,0x53,0xDF,0xBF,0x90,0x7A,0x11,0xC2,0xB9,
0x02,0x5D,0x40,0xED,0x52,0x66,0x4D,0xA0,0xD1,0xE7,0x3F,0x7F,0xE0,0x7E,0x70,0xCB,
0x48,0x39,0x50,0xBA,0x1B,0x7D,0x4F,0x9B,0x57,0x72,0x9D,0x1E,0x9A,0x0F,0x29,0x59,
0x26,0xD9,0x77,0xC5,0xA1,0xFB,0x35,0xD2,0x4C,0x58,0x9E,0xBC,0xA2,0x79,0xD5,0xDD,
0xA7,0x65,0x96,0x84,0xE8,0xC6,0xBB,0x3B,0xF0,0x55,0x04,0x24,0xEF,0x43,0x75,0x23,
0x4A,0xEA,0xC7,0xC0,0xE9,0x00,0x08,0x4B,0x6C,0xDB,0x1A,0xFC,0xC3,0xE2,0x0E,0xAE,
0x1D,0xF9,0x2C,0xB8,0xB7,0x89,0xFA,0xAD,0x68,0xFE,0x8D,0x91,0x21,0x93,0xD4,0x46,
0x7C,0x87,0x19,0xB6,0x98,0xB5,0x2F,0xBE,0x56,0x16,0x03,0x80,0x0C,0x5A,0x49,0x6D,
0x95,0x28,0x0B,0x78,0xC9,0x97,0x61,0xCD,0x06,0x9C,0x13,0x45,0x41,0x6F,0xD8,0x5C,
0x62,0x5F,0x12,0x32,0x94,0xFF,0x73,0x8E,0xF7,0x60,0x0D,0x5E,0x09,0x64,0x30,0x37,
0xA5,0x82,0x54,0x36,0xB4,0x8B,0xD7,0x9F,0x81,0x2D,0x71,0x76,0x15,0x8C,0xDE,0xDA,
0xC8,0x33,0xE1,0x3A,0xD0,0xEB,0x3D,0xF4,0xF8,0x14,0x25,0x6A,0x3C,0x86,0xEE,0x07,
0x51,0x63,0x7B,0x20,0xE5,0xC4,0xE6,0xF3,0x34,0xFD,0xAF,0xAC,0xF1,0x67,0xCC,0xA8,
0xB1,0xCA,0xD6,0x42,0x27,0x44,0x3E,0xCE,0xBD,0x05,0xF2,0xE4,0xAA,0xF5,0xA4,0x31,
0xA9,0x8A,0xEC,0x2B,0x4E,0x74,0x69,0xA6,0x88,0x99,0x2A,0x0A,0xCF,0x83,0x22,0xA3,
0xC1,0x6E,0xB0,0x5B,0xB3,0x38,0xE3,0x47,0x85,0x1C,0xB2,0xDC,0x6B,0x92,0xAB,0xF6,
0x2E,0x01,0x1F,0x18,0x17,0x8F,0x10,0xD3,0x53,0xDF,0xBF,0x90,0x7A,0x11,0xC2,0xB9,
0x02,0x5D,0x40,0xED,0x52,0x66,0x4D,0xA0,0xD1,0xE7,0x3F,0x7F,0xE0,0x7E,0x70,0xCB,
0x48,0x39,0x50,0xBA,0x1B,0x7D,0x4F,0x9B,0x57,0x72,0x9D,0x1E,0x9A,0x0F,0x29,0x59,
0x26,0xD9,0x77,0xC5,0xA1,0xFB,0x35,0xD2,0x4C,0x58,0x9E,0xBC,0xA2,0x79,0xD5,0xDD,
0xA7,0x65,0x96,0x84,0xE8,0xC6,0xBB,0x3B,0xF0,0x55,0x04,0x24,0xEF,0x43,0x75,0x23,
0x4A,0xEA,0xC7,0xC0,0xE9,0x00,0x08,0x4B,0x6C,0xDB,0x1A,0xFC,0xC3,0xE2,0x0E,0xAE,
0x1D,0xF9,0x2C,0xB8,0xB7,0x89,0xFA,0xAD,0x68,0xFE,0x8D,0x91,0x21,0x93,0xD4,0x46,
0x7C,0x87,0x19,0xB6,0x98,0xB5,0x2F,0xBE,0x56,0x16,0x03,0x80,0x0C,0x5A,0x49,0x6D,
0x95,0x28,0x0B,0x78,0xC9,0x97,0x61,0xCD,0x06,0x9C,0x13,0x45,0x41,0x6F,0xD8,0x5C,
0x62,0x5F,0x12,0x32,0x94,0xFF,0x73,0x8E,0xF7,0x60,0x0D,0x5E,0x09,0x64,0x30,0x37,
0xA5,0x82,0x54,0x36,0xB4,0x8B,0xD7,0x9F,0x81,0x2D,0x71,0x76,0x15,0x8C,0xDE,0xDA,
0xC8,0x33,0xE1,0x3A,0xD0,0xEB,0x3D,0xF4,0xF8,0x14,0x25,0x6A,0x3C,0x86,0xEE,0x07,
0x51,0x63,0x7B,0x20,0xE5,0xC4,0xE6,0xF3,0x34,0xFD,0xAF,0xAC,0xF1,0x67,0xCC,0xA8,
0xB1,0xCA,0xD6,0x42,0x27,0x44,0x3E,0xCE,0xBD,0x05,0xF2,0xE4,0xAA,0xF5,0xA4,0x31,
0x26};

inti,j,EmailLength;
unsignedcharn=0,k=0;
charEmail[256],SerialNummber[512];

UpdateData(true);
EmailLength=m_Edit1.GetLength();
// NOTE(review): no length check is visible before this copy into the
// 256-byte Email buffer.
strcpy(Email,m_Edit1);

// Pre-processing pass
for(i=0;ij=i+1;
n+=SBox[j];
k=SBox[j];
SBox[j]=SBox[n];
SBox[n]=k;
k=SBox[j]+SBox[n];
Email^=SBox[k];
}

// Base64 encoding
memset(SerialNummber,0,512);
base64_encode(Email,EmailLength,SerialNummber);
m_Edit2=SerialNummber;
UpdateData(false);

}
----------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)

【版权声明】本文纯属技术交流,转载请注明作者并保持文章的完整,谢谢!
----------------------------------------------------------------------------------------
