=======================
=
=
=
=ClockWise 3.22e Registration Code Algorithm Analysis
=
=
=
= CrAcKeD BY alphakk/OCG
=
=
=
=======================
Software introduction: (omitted)
==================
Tools used: TRW2000 1.22 (娃娃版 build), W32DASM
Aside:
I originally analysed this with SOFTICE, but the program guards against SOFTICE; even my SOFTICE 4.05 with the backdoor patch, ICEDUMP, SUPERBPM and FROGICE could not get past it, which sent me on a long detour until TRW2000 finally did the job :(. Thanks to FiNALSAPrH for the help :)
==================
Analysis:
Disassemble it with W32DASM and search for the text of the "registration failed" dialog; you arrive at:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004227FD(C)
|
:00422823 B801000000 mov eax, 00000001
:00422828 5E pop esi
:00422829 C3 ret
:0042282A 90 nop
:0042282B 90 nop
:0042282C 90 nop
:0042282D 90 nop
:0042282E 90 nop
:0042282F 90 nop
:00422830 56 push esi
:00422831 8BF1 mov esi, ecx
:00422833 E848000000 call 00422880 <<---- obviously the registration-code algorithm is inside this call
:00422838 85C0 test eax, eax
:0042283A 7425 je 00422861
:0042283C 8BCE mov ecx, esi
:0042283E E83D020000 call 00422A80
:00422843 6A40 push 00000040
* Possible Reference to Dialog:
|
:00422845 68280E4600 push 00460E28
* Possible StringData Ref from Data Obj ->"THANK YOU for registering ClockWise"
|
:0042284A 6874124600 push 00461274
:0042284F 8BCE mov ecx, esi
:00422851 E8F3F90100 call 00442249
:00422856 6A00 push 00000000
:00422858 8BCE mov ecx, esi
:0042285A E83EDB0100 call 0044039D
:0042285F 5E pop esi
:00422860 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042283A(C)
|
:00422861 6A30 push 00000030
* Possible Reference to Dialog:
|
:00422863 68C0D14500 push 0045D1C0
* Possible StringData Ref from Data Obj ->"Sorry, registration didn't work!"
|
:00422868 6850124600 push 00461250
:0042286D 8BCE mov ecx, esi
:0042286F E8D5F90100 call 00442249
:00422874 6A01 push 00000001
:00422876 8BCE mov ecx, esi
:00422878 E820DB0100 call 0044039D
:0042287D 5E pop esi
:0042287E C3 ret
:0042287F 90 nop
========================================================
Enter the following in the registration window:
User Name:alphakk/OCG
Serial Number:987654
Registration:98765432
Set a breakpoint in TRW2000: BPX 167:422833 (a breakpoint set in SOFTICE gets no reaction)
After the break, press F8 to step into the CALL at 167:422833
You arrive at:
* Referenced by a CALL at Addresses:
|:00422801 , :00422833
|
:00422880 55 push ebp
:00422881 8BEC mov ebp, esp
:00422883 83EC14 sub esp, 00000014
:00422886 53 push ebx
:00422887 56 push esi
:00422888 57 push edi
:00422889 8BF9 mov edi, ecx
:0042288B 33F6 xor esi, esi
:0042288D 897DF4 mov dword ptr [ebp-0C], edi
:00422890 8B4760 mov eax, dword ptr [edi+60] <<-------- address of the user name -> EAX
:00422893 8975F8 mov dword ptr [ebp-08], esi
:00422896 8B40F8 mov eax, dword ptr [eax-08] <<-------- length of the user name -> EAX
:00422899 3BC6 cmp eax, esi <<----------------- check whether the operation succeeded
:0042289B 8945FC mov dword ptr [ebp-04], eax
:0042289E 0F84C4010000 je 00422A68
:004228A4 8B4768 mov eax, dword ptr [edi+68] <<------ address of the serial number -> EAX
:004228A7 3970F8 cmp dword ptr [eax-08], esi
:004228AA 0F8EB8010000 jle 00422A68
:004228B0 8B4F64 mov ecx, dword ptr [edi+64]
:004228B3 8379F805 cmp dword ptr [ecx-08], 00000005
:004228B7 0F8EAB010000 jle 00422A68 <<----------------- check whether the user-name length is greater than 5, otherwise jump
:004228BD 50 push eax
:004228BE E8F1C40000 call 0042EDB4 <<-------- convert the serial number the user typed to hex (binary) -> EAX
:004228C3 8BD8 mov ebx, eax
:004228C5 83C404 add esp, 00000004
:004228C8 83FB01 cmp ebx, 00000001
:004228CB 0F8294010000 jb 00422A65 <<------- if less than 1, jump away (i.e. exit; no further computation)
:004228D1 81FB2C010000 cmp ebx, 0000012C
:004228D7 760C jbe 004228E5 <<---- if less than or equal to 300, jump to 4228E5
:004228D9 81FBE8030000 cmp ebx, 000003E8
:004228DF 0F8280010000 jb 00422A65 <<------- if less than 1000, jump away (i.e. exit; no further computation)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004228D7(C)
|
:004228E5 81FBC4090000 cmp ebx, 000009C4
:004228EB 760C jbe 004228F9 <<----- if less than or equal to 2500, jump to 4228F9
:004228ED 81FB88130000 cmp ebx, 00001388
:004228F3 0F826C010000 jb 00422A65 <<------- if less than 5000, jump away (i.e. exit; no further computation)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004228EB(C)
|
:004228F9 81FB401F0000 cmp ebx, 00001F40
:004228FF 760C jbe 0042290D <<------ if less than or equal to 8000, jump to 42290D
:00422901 81FB67270000 cmp ebx, 00002767
:00422907 0F8258010000 jb 00422A65 <<------- if less than 10087, jump to 422A65 (i.e. exit; no further computation)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004228FF(C)
|
:0042290D 81FB162A0000 cmp ebx, 00002A16
:00422913 760C jbe 00422921 <<----- if less than or equal to 10774, jump to 422921
:00422915 81FB532A0000 cmp ebx, 00002A53
:0042291B 0F8244010000 jb 00422A65 <<----- if less than 10835, jump to 422A65 (i.e. exit; no further computation)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422913(C)
|
:00422921 81FBE02E0000 cmp ebx, 00002EE0
:00422927 760C jbe 00422935 <<------ if less than or equal to 12000, jump to 422935
:00422929 81FB204E0000 cmp ebx, 00004E20
:0042292F 0F8230010000 jb 00422A65 <<------- if less than or equal to 17120, jump to 422A65 (i.e. exit; no further computation)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422927(C)
|
:00422935 81FBF0550000 cmp ebx, 000055F0
:0042293B 0F8724010000 ja 00422A65 <<--------- if greater than 22000, jump away (i.e. exit; no further computation)
:00422941 8B4DFC mov ecx, dword ptr [ebp-04] <<------ length of the user name -> ECX
:00422944 33C0 xor eax, eax <<----- clear EAX, ready to count
:00422946 3BCE cmp ecx, esi
:00422948 7E1C jle 00422966
:0042294A 8B5760 mov edx, dword ptr [edi+60] <<------ address of the user name -> EDX
==========================================================
From the above it is easy to see that the valid serial-number ranges are: (1,300], (1000,2500], (5000,8000], (10087,10774], (10835,12000], (17120,22000)
So change the Serial Number in the registration window to 12000 and trace a second time; you arrive at:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422964(C)
|
:0042294D 8D4801 lea ecx, dword ptr [eax+01] <<----- counter plus one, into ECX
:00422950 8B7DFC mov edi, dword ptr [ebp-04] <<----- length of the user name -> EDI
:00422953 0FBE0402 movsx eax, byte ptr [edx+eax] <<---- take each character of the user name in turn
:00422957 0FAFC1 imul eax, ecx
:0042295A 03C7 add eax, edi
:0042295C 03F0 add esi, eax
:0042295E 8BC1 mov eax, ecx
:00422960 8BCF mov ecx, edi
:00422962 3BC1 cmp eax, ecx
:00422964 7CE7 jl 0042294D
==========================================================
The code above is part of the registration-code algorithm and is very important.
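As an added illustration (not code from the original article or from the program itself), here is the serial-range chain above and this loop transcribed into C, together with the multiply-and-add at 00422966-00422971 that produces the value handed to the string conversion. The thresholds are the immediate operands in the listing, so 0x4E20 appears here as 20000; the walkthrough's inputs (alphakk/OCG, 12000) are used as sample values, and the later string-reshuffling stage is not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Serial-number windows, transcribed from the cmp/jbe/jb chain at
 * 004228C8-0042293B. Every constant is the immediate operand of the
 * corresponding cmp. Returns 1 if the chain falls through to 00422941,
 * 0 if it leaves via 00422A65. */
static int serial_in_range(uint32_t s)
{
    if (s < 1) return 0;                     /* cmp ebx,1 ; jb */
    /* Each "jbe next" skips the gap test below it, so the chain
     * rejects exactly the values that fall between two windows. */
    if (s > 0x12C  && s < 0x3E8)  return 0;  /* 300   .. 1000  */
    if (s > 0x9C4  && s < 0x1388) return 0;  /* 2500  .. 5000  */
    if (s > 0x1F40 && s < 0x2767) return 0;  /* 8000  .. 10087 */
    if (s > 0x2A16 && s < 0x2A53) return 0;  /* 10774 .. 10835 */
    if (s > 0x2EE0 && s < 0x4E20) return 0;  /* 12000 .. 20000 */
    if (s > 0x55F0) return 0;                /* cmp ebx,55F0h ; ja */
    return 1;
}

/* The loop at 0042294D-00422964: ESI accumulates, for every character
 * (sign-extended by movsx), char * (index+1) + name_length. */
static uint32_t name_weighted_sum(const char *name)
{
    uint32_t len = (uint32_t)strlen(name), sum = 0;
    for (uint32_t i = 0; i < len; i++) {
        int32_t c = (signed char)name[i];               /* movsx eax, [edx+eax] */
        sum += (uint32_t)(c * (int32_t)(i + 1)) + len;  /* imul ; add eax,edi ; add esi,eax */
    }
    return sum;
}

/* 00422966-00422971: EDX = name_length * serial + ESI, the value that is
 * then passed to the string-conversion call at 0043A3CB. */
static uint32_t intermediate_value(const char *name, uint32_t serial)
{
    return (uint32_t)strlen(name) * serial + name_weighted_sum(name);
}

int main(void)
{
    const char *name = "alphakk/OCG";   /* the inputs used in the walkthrough */
    uint32_t serial = 12000;
    printf("serial %u accepted by the range chain: %d\n", serial, serial_in_range(serial));
    printf("weighted sum = %u, EDX before 0043A3CB = %u (0x%X)\n",
           name_weighted_sum(name), intermediate_value(name, serial),
           intermediate_value(name, serial));
    return 0;
}
```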
==========================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422948(C)
|
:00422966 8B55FC mov edx, dword ptr [ebp-04] <<----- length of the user name -> EDX
:00422969 8D4DEC lea ecx, dword ptr [ebp-14]
:0042296C 0FAFD3 imul edx, ebx <<-------- EBX holds the hex (binary) form of the serial number the user typed
:0042296F 6A10 push 00000010
:00422971 03D6 add edx, esi
:00422973 51 push ecx
:00422974 52 push edx
:00422975 E8517A0100 call 0043A3CB <<--------- convert the value in EDX to string form
:0042297A 8A55EC mov dl, byte ptr [ebp-14]
:0042297D 83C40C add esp, 0000000C
:00422980 84D2 test dl, dl
:00422982 741C je 004229A0
:00422984 8D75EC lea esi, dword ptr [ebp-14]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042299B(C)
|
:00422987 0FBEC2 movsx eax, dl
:0042298A 50 push eax
:0042298B E8A0D80000 call 00430230
:00422990 83C404 add esp, 00000004
:00422993 8806 mov byte ptr [esi], al
:00422995 8A5601 mov dl, byte ptr [esi+01]
:00422998 46 inc esi
:00422999 84D2 test dl, dl
:0042299B 75EA jne 00422987
:0042299D 8A55EC mov dl, byte ptr [ebp-14]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422982(C)
|
:004229A0 8D7DEC lea edi, dword ptr [ebp-14]
:004229A3 83C9FF or ecx, FFFFFFFF \
:004229A6 33C0 xor eax, eax \
:004229A8 F2 repnz \
:004229A9 AE scasb measure the string length -> ECX
:004229AA F7D1 not ecx /
:004229AC 49 dec ecx /
:004229AD 83F904 cmp ecx, 00000004 <<------ check whether the string length is greater than 4
:004229B0 7341 jnb 004229F3 <<---- jump if greater
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004229F1(C)
|
:004229B2 8D7DEC lea edi, dword ptr [ebp-14]
:004229B5 83C9FF or ecx, FFFFFFFF
:004229B8 33C0 xor eax, eax
:004229BA F2 repnz
:004229BB AE scasb
:004229BC F7D1 not ecx
:004229BE 49 dec ecx
:004229BF 8D7DEC lea edi, dword ptr [ebp-14]
:004229C2 88440DED mov byte ptr [ebp+ecx-13], al
:004229C6 83C9FF or ecx, FFFFFFFF
:004229C9 F2 repnz
:004229CA AE scasb
:004229CB F7D1 not ecx
:004229CD 49 dec ecx
:004229CE 41 inc ecx
:004229CF 740B je 004229DC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004229DA(C)
|
:004229D1 8A540DEB mov dl, byte ptr [ebp+ecx-15]
:004229D5 88540DEC mov byte ptr [ebp+ecx-14], dl
:004229D9 49 dec ecx
:004229DA 75F5 jne 004229D1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004229CF(C)
|
:004229DC B230 mov dl, 30
:004229DE 8D7DEC lea edi, dword ptr [ebp-14]
:004229E1 83C9FF or ecx, FFFFFFFF
:004229E4 33C0 xor eax, eax
:004229E6 8855EC mov byte ptr [ebp-14], dl
:004229E9 F2 repnz
:004229EA AE scasb
:004229EB F7D1 not ecx
:004229ED 49 dec ecx
:004229EE 83F904 cmp ecx, 00000004
:004229F1 72BF jb 004229B2
=========================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004229B0(C)
|
:004229F3 8A45EF mov al, byte ptr [ebp-11]
:004229F6 8A4DEE mov cl, byte ptr [ebp-12]
:004229F9 8845F1 mov byte ptr [ebp-0F], al
:004229FC 884DF0 mov byte ptr [ebp-10], cl
:004229FF 8A4DED mov cl, byte ptr [ebp-13]
:00422A02 8AC3 mov al, bl
:00422A04 C645F200 mov [ebp-0E], 00
:00422A08 884DEF mov byte ptr [ebp-11], cl
:00422A0B 8855EE mov byte ptr [ebp-12], dl
:00422A0E F6EA imul dl
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00422A20(C), :00422A24(U)
|
:00422A10 3C41 cmp al, 41
:00422A12 7204 jb 00422A18
:00422A14 3C5A cmp al, 5A
:00422A16 760E jbe 00422A26
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422A12(C)
|
:00422A18 044A add al, 4A
:00422A1A 3C4F cmp al, 4F
:00422A1C 7404 je 00422A22
:00422A1E 3C49 cmp al, 49
:00422A20 75EE jne 00422A10
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422A1C(C)
|
:00422A22 044A add al, 4A
:00422A24 EBEA jmp 00422A10
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422A16(C)
|
:00422A26 8845EC mov byte ptr [ebp-14], al
:00422A29 8A45FC mov al, byte ptr [ebp-04]
:00422A2C F6E9 imul cl
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422A38(U)
|
:00422A2E 3C30 cmp al, 30
:00422A30 7204 jb 00422A36
:00422A32 3C39 cmp al, 39
:00422A34 7604 jbe 00422A3A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422A30(C)
|
:00422A36 044A add al, 4A
:00422A38 EBF4 jmp 00422A2E
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422A34(C)
|
:00422A3A 8845ED mov byte ptr [ebp-13], al
:00422A3D 90 nop
:00422A3E 90 nop
:00422A3F 90 nop
:00422A40 90 nop
:00422A41 90 nop
:00422A42 8B55F4 mov edx, dword ptr [ebp-0C]
:00422A45 8B4264 mov eax, dword ptr [edx+64]
:00422A48 50 push eax
:00422A49 8D45EC lea eax, dword ptr [ebp-14]
:00422A4C 50 push eax
* Reference To: KERNEL32.lstrcmpA, Ord:02FCh <<-------- looks familiar, doesn't it? :)
|
:00422A4D FF1518F34400 Call dword ptr [0044F318]
:00422A53 85C0 test eax, eax
:00422A55 7511 jne 00422A68
:00422A57 90 nop
:00422A58 90 nop
:00422A59 90 nop
:00422A5A 90 nop
:00422A5B 90 nop
:00422A5C C745F801000000 mov [ebp-08], 00000001
:00422A63 EB03 jmp 00422A68
===================================================
Postscript:
Just as I was finishing this article it occurred to me that one of the 看雪 tutorials mentions that if you cannot get a break, you can insert an INT 3 instruction into the program to force one. So I went back to 422833: a short way above it there is a run of NOP instructions. I first changed the last NOP to INT 3 (opcode CC) with WINHEX and set BPINT 3 in SOFTICE, but nothing happened :(. After some thought I tried changing the next instruction, PUSH ESI (opcode 56), to INT 3 (opcode CC), and it broke successfully! Now SOFTICE could trace it too :). But after the break, remember to run EB EIP 56 to restore the program's original instruction, otherwise it will stop responding :)
===================================================