魔 团队执行官 (E.S.T core member)
Posted on 2006-2-1 23:03
[Repost] A detailed analysis of the registration algorithm of 资料收集管理专家 1.7 (Data Collection Management Expert) official release
Article author: windayjian 【Cracking tools】OllyDbg, PEiD 【Difficulty】EASY 【Protection】SN (serial number)
Not packed. Search the string references, scroll up, and you arrive here:

00505A40 .> CALL DataColl.0044DCA4
00505A45 .> MOV EAX,DWORD PTR SS:[EBP-8]        ; registration code into EAX
00505A48 .> PUSH EAX
00505A49 .> LEA EDX,DWORD PTR SS:[EBP-C]
00505A4C .> MOV EAX,DWORD PTR DS:[EBX+314]
00505A52 .> CALL DataColl.0044DCA4
00505A57 .> MOV EAX,DWORD PTR SS:[EBP-C]        ; organisation name into EAX
00505A5A .> PUSH EAX
00505A5B .> LEA EDX,DWORD PTR SS:[EBP-10]
00505A5E .> MOV EAX,DWORD PTR DS:[EBX+310]
00505A64 .> CALL DataColl.0044DCA4
00505A69 .> MOV EDX,DWORD PTR SS:[EBP-10]       ; user name into EDX
00505A6C .> MOV EAX,DWORD PTR DS:[EBX+32C]
00505A72 .> POP ECX
00505A73 .> CALL DataColl.00504AF0              ; algorithm CALL
00505A78 .> TEST AL,AL
00505A7A .> JNZ SHORT DataColl.00505AA8         ; if this does not jump, game over
......
Following into 505A73 we see:

...... (an unimportant part omitted) ......
00504B21 |.> PUSH EBP
00504B22 |.> PUSH DataColl.00504BDA
00504B27 |.> PUSH DWORD PTR FS:[EAX]
00504B2A |.> MOV DWORD PTR FS:[EAX],ESP
00504B2D |.> MOV EAX,DWORD PTR SS:[EBP-4]
00504B30 |.> CALL DataColl.00404FFC
00504B35 |.> CMP EAX,DWORD PTR DS:[EBX+4C]      ; compare the user-name length with 100
00504B38 |.> JG SHORT DataColl.00504B53         ; nobody uses a name that long, surely... *sweat*
00504B3A |.> MOV EAX,DWORD PTR SS:[EBP-4]       ; user name into EAX
00504B3D |.> CALL DataColl.00404FFC
00504B42 |.> CMP EAX,DWORD PTR DS:[EBX+50]      ; compare the user-name length with 3
00504B45 |.> JL SHORT DataColl.00504B53         ; shorter than 3 or longer than 100: nothing good comes of either
00504B47 |.> MOV EAX,DWORD PTR SS:[EBP+8]       ; registration code into EAX
00504B4A |.> CALL DataColl.00404FFC
00504B4F |.> TEST EAX,EAX                       ; checks whether the registration code is empty
00504B51 |.> JNZ SHORT DataColl.00504B57
00504B53 |>> XOR EBX,EBX
00504B55 |.> JMP SHORT DataColl.00504BB7
00504B57 |>> LEA EDX,DWORD PTR SS:[EBP-C]
00504B5A |.> MOV EAX,DWORD PTR SS:[EBP+8]
00504B5D |.> CALL DataColl.00409574             ; converts the letters of the registration code to upper case
00504B62 |.> MOV EDX,DWORD PTR SS:[EBP-C]
00504B65 |.> LEA EAX,DWORD PTR SS:[EBP+8]
00504B68 |.> CALL DataColl.00404DDC
00504B6D |.> LEA ECX,DWORD PTR SS:[EBP-10]
00504B70 |.> MOV EDX,DWORD PTR SS:[EBP-4]
00504B73 |.> MOV EAX,EBX
00504B75 |.> CALL DataColl.005046C0             ; algorithm CALL
00504B7A |.> MOV EAX,DWORD PTR SS:[EBP-10]      ; real code
00504B7D |.> MOV EDX,DWORD PTR SS:[EBP+8]       ; entered (fake) code
00504B80 |.> CALL DataColl.004095EC             ; compare CALL
00504B85 |.> TEST EAX,EAX
00504B87 |.> JE SHORT DataColl.00504B8D
00504B89 |.> XOR EBX,EBX                        ; clear the flag
00504B8B |.> JMP SHORT DataColl.00504BB7
00504B8D |>> LEA EAX,DWORD PTR DS:[EBX+48]
00504B90 |.> MOV EDX,DWORD PTR SS:[EBP-4]
00504B93 |.> CALL DataColl.00404D98
00504B98 |.> LEA EAX,DWORD PTR DS:[EBX+54]
00504B9B |.> MOV EDX,DWORD PTR SS:[EBP-8]
00504B9E |.> CALL DataColl.00404D98
00504BA3 |.> LEA EAX,DWORD PTR DS:[EBX+5C]
00504BA6 |.> MOV EDX,DWORD PTR SS:[EBP+8]
00504BA9 |.> CALL DataColl.00404D98
00504BAE |.> MOV EAX,EBX
00504BB0 |.> CALL DataColl.00504E10
00504BB5 |.> MOV BL,1                           ; set the flag to 1
00504BB7 |>> XOR EAX,EAX
00504BB9 |.> POP EDX
00504BBA |.> POP ECX
00504BBB |.> POP ECX
00504BBC |.> MOV DWORD PTR FS:[EAX],EDX
00504BBF |.> PUSH DataColl.00504BE1
00504BC4 |>> LEA EAX,DWORD PTR SS:[EBP-10]
00504BC7 |.> MOV EDX,4
00504BCC |.> CALL DataColl.00404D68
00504BD1 |.> LEA EAX,DWORD PTR SS:[EBP+8]
00504BD4 |.> CALL DataColl.00404D44
00504BD9 \.> RETN
00504BDA .> JMP DataColl.00404608
00504BDF .> JMP SHORT DataColl.00504BC4
00504BE1 .> MOV EAX,EBX                         ; flag into EAX; AL is tested on it shortly after
00504BE3 .> POP EBX
00504BE4 .> MOV ESP,EBP
00504BE6 .> POP EBP
00504BE7 .> RETN 4
......
Follow into 504B75 and take a look:

...... (part omitted) ......
005046F3 |.> LEA EDX,DWORD PTR SS:[EBP-24]
005046F6 |.> MOV EAX,ESI
005046F8 |.> CALL DataColl.00505604             ; check-code CALL
005046FD |.> MOV EAX,DWORD PTR SS:[EBP-24]
00504700 |.> LEA EDX,DWORD PTR SS:[EBP-14]
00504703 |.> CALL DataColl.004097C4
00504708 |.> CMP DWORD PTR SS:[EBP-14],0        ; is the check code 0?
0050470C |.> JNZ SHORT DataColl.0050471B
0050470E |.> LEA EAX,DWORD PTR SS:[EBP-20]
00504711 |.> MOV EDX,DWORD PTR SS:[EBP-4]
00504714 |.> CALL DataColl.00404DDC
00504719 |.> JMP SHORT DataColl.00504778
0050471B |>> MOV EAX,DWORD PTR SS:[EBP-14]
0050471E |.> CALL DataColl.00404FFC             ; length of the check code
00504723 |.> MOV EBX,EAX
00504725 |.> LEA EAX,DWORD PTR SS:[EBP-18]
00504728 |.> PUSH EAX
00504729 |.> MOV ECX,EBX
0050472B |.> SAR ECX,1                          ; ECX shifted right by 1, i.e. half the length (the length to take)
0050472D |.> JNS SHORT DataColl.00504732
0050472F |.> ADC ECX,0
00504732 |>> MOV EDX,1
00504737 |.> MOV EAX,DWORD PTR SS:[EBP-14]
0050473A |.> CALL DataColl.00405254             ; MID-like (substring) function
0050473F |.> LEA EAX,DWORD PTR SS:[EBP-1C]
00504742 |.> PUSH EAX
00504743 |.> MOV EAX,EBX
00504745 |.> SAR EAX,1
00504747 |.> JNS SHORT DataColl.0050474C
00504749 |.> ADC EAX,0
0050474C |>> MOV ECX,EBX
0050474E |.> SUB ECX,EAX                        ; check-code length minus the length just taken
00504750 |.> MOV EDX,EBX
00504752 |.> SAR EDX,1
00504754 |.> JNS SHORT DataColl.00504759
00504756 |.> ADC EDX,0
00504759 |>> INC EDX
0050475A |.> MOV EAX,DWORD PTR SS:[EBP-14]
0050475D |.> CALL DataColl.00405254             ; MID-like (substring) function
00504762 |.> PUSH DWORD PTR SS:[EBP-18]
00504765 |.> PUSH DWORD PTR SS:[EBP-4]
00504768 |.> PUSH DWORD PTR SS:[EBP-1C]
0050476B |.> LEA EAX,DWORD PTR SS:[EBP-20]
0050476E |.> MOV EDX,3
00504773 |.> CALL DataColl.004050BC             ; concatenate strings: one part of the check code + user name + the other part
00504778 |>> MOV DWORD PTR SS:[EBP-10],0
0050477F |.> MOV DWORD PTR SS:[EBP-C],0
00504786 |.> MOV EAX,DWORD PTR SS:[EBP-4]
00504789 |.> CALL DataColl.00404FFC             ; user-name length
0050478E |.> CMP EAX,DWORD PTR DS:[ESI+4C]
00504791 |.> JG SHORT DataColl.005047A0         ; jump if greater than 100
00504793 |.> MOV EAX,DWORD PTR SS:[EBP-4]
00504796 |.> CALL DataColl.00404FFC
0050479B |.> CMP EAX,DWORD PTR DS:[ESI+50]
0050479E |.> JGE SHORT DataColl.005047AC        ; jump if greater than or equal to 3
005047A0 |>> MOV EAX,EDI
005047A2 |.> CALL DataColl.00404D44
005047A7 |.> JMP DataColl.0050483D
005047AC |>> MOV EAX,DWORD PTR SS:[EBP-20]
005047AF |.> CALL DataColl.00404FFC             ; length of the concatenated string
005047B4 |.> MOV EBX,EAX
005047B6 |.> JMP SHORT DataColl.005047EF
005047B8 |>> /MOV EAX,DWORD PTR SS:[EBP-10]
005047BB |.> |MOV EDX,DWORD PTR SS:[EBP-C]
005047BE |.> |ADD EAX,DWORD PTR DS:[ESI+68]     ; add 0xA934C0AF to the running EAX
005047C1 |.> |ADC EDX,DWORD PTR DS:[ESI+6C]     ; add 0x2E plus the carry to the running EDX
005047C4 |.> |PUSH EDX
005047C5 |.> |PUSH EAX
005047C6 |.> |MOV EAX,DWORD PTR SS:[EBP-20]
005047C9 |.> |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] ; take characters starting from the end of the concatenated string, working backwards
005047CE |.> |PUSH EAX
005047CF |.> |MOV EAX,459                       ; EAX = 459
005047D4 |.> |POP EDX
005047D5 |.> |MOV ECX,EDX                       ; EDX is the character value
005047D7 |.> |XOR EDX,EDX
005047D9 |.> |DIV ECX                           ; division
005047DB |.> |MOV EAX,EDX                       ; remainder into EAX
005047DD |.> |XOR EDX,EDX
005047DF |.> |SUB DWORD PTR SS:[ESP],EAX        ; saved result minus the remainder
005047E2 |.> |SBB DWORD PTR SS:[ESP+4],EDX
005047E6 |.> |POP EAX
005047E7 |.> |POP EDX
005047E8 |.> |MOV DWORD PTR SS:[EBP-10],EAX     ; save the new result; it is accumulated on the next round
005047EB |.> |MOV DWORD PTR SS:[EBP-C],EDX      ; same as above
005047EE |.> |DEC EBX
005047EF |>> MOV EAX,DWORD PTR SS:[EBP-20]
005047F2 |.> |CALL DataColl.00404FFC
005047F7 |.> |CMP EBX,EAX
005047F9 |.> |JG SHORT DataColl.005047FF
005047FB |.> |TEST EBX,EBX
005047FD |.> \JG SHORT DataColl.005047B8
005047FF |>> MOV EBX,DWORD PTR DS:[ESI+60]
00504802 |.> TEST EBX,EBX
00504804 |.> JG SHORT DataColl.00504817         ; compares the check-code length; jumps if > 0, which it normally should
00504806 |.> PUSH DWORD PTR SS:[EBP-C]          ; /Arg2
00504809 |.> PUSH DWORD PTR SS:[EBP-10]         ; |Arg1
0050480C |.> MOV EDX,EDI                        ; |
0050480E |.> XOR EAX,EAX                        ; |
00504810 |.> CALL DataColl.00409B44             ; \DataColl.00409B44
00504815 |.> JMP SHORT DataColl.0050483D
00504817 |>> PUSH DWORD PTR SS:[EBP-C]          ; /result 1 from above
0050481A |.> PUSH DWORD PTR SS:[EBP-10]         ; |result 2
0050481D |.> MOV EDX,EDI                        ; |
0050481F |.> MOV EAX,EBX                        ; |
00504821 |.> CALL DataColl.00409B44             ; \concatenation
00504826 |.> MOV EAX,DWORD PTR DS:[EDI]         ; DS:[EDI] is now the registration code
All in all, the algorithm is decent and the approach is clear; the pity is that the real code is compared in plaintext, which is the weak spot!
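As an added illustration of that closing remark (example code, not from the article or the product), here is the weak compute-then-compare pattern from the listing next to a signature-based check in which the binary never computes a valid code itself. The FNV-1a derivation stands in for the product's algorithm and the textbook-RSA parameters (n = 3233, e = 17, d = 2753) are constructed toy values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a 64-bit: a constructed stand-in for the product's key derivation,
 * not the algorithm in the listing. A plain hash, not a MAC. */
static uint64_t fnv1a(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

/* Weak pattern from the listing: the binary derives the "real code" itself
 * and compares it for equality. The real code sits in memory at this compare,
 * so a breakpoint on the compare call reveals it for any user name. */
int check_plain(const char *user, uint64_t entered) {
    uint64_t expected = fnv1a(user);   /* real code materialised here */
    return expected == entered;        /* and visible at the compare */
}

/* Hardened pattern: the binary holds only a public key (n, e). The vendor
 * signs H(user) with the private exponent d; the binary verifies
 * sig^e mod n == H(user) and never derives a valid code itself.
 * Toy textbook-RSA parameters (p=61, q=53, d=2753) keep the numbers inside a
 * uint64_t; a real product uses 2048-bit RSA or ECDSA from a crypto library. */
#define TOY_N 3233ULL
#define TOY_E 17ULL

static uint64_t pow_mod(uint64_t b, uint64_t x, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; x; x >>= 1) { if (x & 1) r = r * b % m; b = b * b % m; }
    return r;
}

int check_signed(const char *user, uint64_t sig) {
    size_t len = strlen(user);
    if (len < 3 || len > 100) return 0;       /* same bounds as the listing */
    uint64_t m = fnv1a(user) % TOY_N;         /* the message the vendor signed */
    return sig < TOY_N && pow_mod(sig, TOY_E, TOY_N) == m;
}

int main(void) {
    /* vendor side, using d: only here to produce a valid code for "alice" */
    uint64_t sig = pow_mod(fnv1a("alice") % TOY_N, 2753ULL, TOY_N);
    printf("plain: %d  signed: %d  tampered: %d\n",
           check_plain("alice", fnv1a("alice")),
           check_signed("alice", sig),
           check_signed("alice", (sig + 1) % TOY_N));
    return 0;
}
```

Hashing both sides of the compare would not help here, because the binary would still have to derive the expected code first; only a check the binary cannot invert, such as a signature, keeps the real code out of memory. It does not stop someone from patching the conditional jump after the compare, which is a separate problem.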