Software name: 现场实录 v1.02
Software language: Simplified Chinese
Software type: Shareware / Multimedia / Recording program
Operating systems: WinXP, Win2000, NT, WinME, Win9X
License: Shareware
Size: 2.47 MB
Date compiled: 2003-4-21 17:20:00
Download URL: http://www.ttdown.com/SoftView_12745.htm
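Software description
An innovatively designed recording program that records MP3 in real time and manages the recordings.
During recording you can split the recording into segments and annotate each segment with text.
It has voice-activated recording. It includes spectrum analysis and waveform display, which makes
monitoring convenient, and it supports all audio sources of the sound card. It is simple to operate,
and the help documentation is very detailed.
[Author's statement]: I am only interested in cracking and have no other purpose.
[Tool]: Ollydbg 1.09 Chinese edition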
—————————————————————————————
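[Process]:
It is hard to find a good place for a breakpoint in this program. Using Ollydbg's string-reference
search, I found the following string:
0041DEA7 PUSH recordin.00473CBC ; ASCII "%02X"
I suspected this was the format of the registration code, so I selected 0041DEA7, set a breakpoint
with F2, entered the test code zxcvbnmasdfghjl, and pressed the register button.
OD really did break there. OD's features are very good.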
0041DD12 PUSH EBP
0041DD13 MOV EBP, ESP
0041DD15 PUSH -1
0041DD17 PUSH recordin.0045F0D0
0041DD1C MOV EAX, DWORD PTR FS:[0]
0041DD22 PUSH EAX
0041DD23 MOV DWORD PTR FS:[0], ESP
0041DD2A SUB ESP, 6C
0041DD2D MOV [LOCAL.19], ECX
0041DD30 LEA ECX, [LOCAL.5]
0041DD33 CALL
0041DD38 MOV [LOCAL.1], 0
0041DD3F PUSH recordin.004757FC
0041DD44 LEA ECX, [LOCAL.5]
0041DD47 CALL
0041DD4C MOV ECX, [ARG.1]
0041DD4F CALL recordin.0041CD80
0041DD54 TEST EAX, EAX <-- the registration code must not be empty
0041DD56 JNZ SHORT recordin.0041DD76
0041DD58 MOV [LOCAL.9], 0
0041DD5F MOV [LOCAL.1], -1
0041DD66 LEA ECX, [LOCAL.5]
0041DD69 CALL
0041DD6E MOV EAX, [LOCAL.9]
0041DD71 JMP recordin.0041DF94
0041DD76 PUSH ECX
0041DD77 MOV ECX, ESP
0041DD79 MOV [LOCAL.10], ESP
0041DD7C MOV EAX, [ARG.1]
0041DD7F PUSH EAX
0041DD80 CALL
0041DD85 MOV [LOCAL.20], EAX
0041DD88 LEA ECX, [LOCAL.11]
0041DD8B PUSH ECX
0041DD8C MOV ECX, [LOCAL.19]
0041DD8F CALL recordin.0041DFA4 <-- rearrange the test code
---CALL recordin.0041DFA4 -- rearrange the test code----
< Part 1 -- registration code processing >
0041DFA4 PUSH EBP
0041DFA5 MOV EBP, ESP
0041DFA7 PUSH -1
0041DFA9 PUSH recordin.0045F10C
0041DFAE MOV EAX, DWORD PTR FS:[0]
0041DFB4 PUSH EAX
0041DFB5 MOV DWORD PTR FS:[0], ESP
0041DFBC SUB ESP, 28
0041DFBF MOV [LOCAL.10], ECX
0041DFC2 MOV [LOCAL.9], 0
0041DFC9 MOV [LOCAL.1], 1
0041DFD0 LEA ECX, [LOCAL.5]
0041DFD3 CALL
0041DFD8 MOV BYTE PTR SS:[EBP-4], 2
0041DFDC LEA ECX, [ARG.2]
0041DFDF CALL recordin.0041CD80
0041DFE4 MOV [LOCAL.7], EAX ; EAX=10 <-- length
0041DFE7 MOV [LOCAL.6], 0
0041DFEE JMP SHORT recordin.0041DFF9
0041DFF0 /MOV EAX, [LOCAL.6]
0041DFF3 |ADD EAX, 2
0041DFF6 |MOV [LOCAL.6], EAX
0041DFF9 MOV ECX, [LOCAL.6]
0041DFFC |CMP ECX, [LOCAL.7] ; ECX=0
0041DFFF |JGE SHORT recordin.0041E062
0041E001 |MOV EDX, [LOCAL.6]
0041E004 |ADD EDX, 3
0041E007 |CMP EDX, [LOCAL.7]
0041E00A |JGE SHORT recordin.0041E05E
0041E00C |LEA EAX, [ARG.2]
0041E00F |PUSH EAX
0041E010 |LEA ECX, [LOCAL.5]
0041E013 |CALL
0041E018 |MOV ECX, [LOCAL.6]
0041E01B |ADD ECX, 3
0041E01E |PUSH ECX
0041E01F |LEA ECX, [ARG.2]
0041E022 |CALL recordin.0041E2F0
0041E027 |PUSH EAX
0041E028 |MOV EDX, [LOCAL.6]
0041E02B |PUSH EDX
0041E02C |LEA ECX, [LOCAL.5]
0041E02F |CALL; <-- overwrite the 1st character with the 4th
0041E034 |MOV EAX, [LOCAL.6]
0041E037 |PUSH EAX
0041E038 |LEA ECX, [ARG.2]
0041E03B |CALL recordin.0041E2F0
0041E040 |PUSH EAX
0041E041 |MOV ECX, [LOCAL.6]
0041E044 |ADD ECX, 3
0041E047 |PUSH ECX
0041E048 |LEA ECX, [LOCAL.5]
0041E04B |CALL; <-- overwrite the 4th character with the original 1st
0041E050 |LEA EDX, [LOCAL.5]
0041E053 |PUSH EDX
0041E054 |LEA ECX, [ARG.2]
0041E057 |CALL
0041E05C |JMP SHORT recordin.0041E060
0041E05E |JMP SHORT recordin.0041E062
0041E060 \JMP SHORT recordin.0041DFF0
; <--00B046F8 ASCII "vxnzacdbgmjslfkh"
----Algorithm summary----
Swap characters 1<->4, 3<->6, 5<->8, ... of the registration code, a total of "length" times
---------------
0041E062 MOV [LOCAL.6], 0
0041E069 JMP SHORT recordin.0041E074
0041E06B /MOV EAX, [LOCAL.6]
0041E06E |ADD EAX, 1
0041E071 |MOV [LOCAL.6], EAX
0041E074 MOV ECX, [LOCAL.6]
0041E077 |CMP ECX, [LOCAL.7]
0041E07A |JGE recordin.0041E155
0041E080 |MOV EDX, [LOCAL.6]
0041E083 |PUSH EDX
0041E084 |LEA ECX, [ARG.2]
0041E087 |CALL recordin.0041E2F0 <-- fetch each character of the string "vxnzacdbgmjslfkh" in turn
0041E08C |MOVSX EAX, AL
0041E08F |MOV [LOCAL.11], EAX
0041E092 |MOV ECX, [LOCAL.11]
0041E095 |SUB ECX, 47 ; ECX=76-47=2F
0041E098 |MOV [LOCAL.11], ECX
0041E09B |CMP [LOCAL.11], 13
<-- if [LOCAL.11] > 13 the character is used as is; if <= 13, EDX*4 is used as an index into the table at base address 0041E210 to find the jump target
0041E09F |JA recordin.0041E150
0041E0A5 |MOV EDX, [LOCAL.11]
0041E0A8 |JMP DWORD PTR DS:[EDX*4+41E210]
-------DS:[EDX*4+41E210] memory contents:--------------
0041E210 AF E0 41 00 C2 E0 41 00
0041E218 D2 E0 41 00 E2 E0 41 00
0041E220 F2 E0 41 00 02 E1 41 00
0041E228 12 E1 41 00 22 E1 41 00
0041E230 32 E1 41 00 42 E1 41 00
0041E238 AF E0 41 00 C2 E0 41 00
0041E240 D2 E0 41 00 E2 E0 41 00
0041E248 F2 E0 41 00 02 E1 41 00
0041E250 12 E1 41 00 22 E1 41 00
0041E258 32 E1 41 00 42 E1 41 00
----------------------------------------------
0041E0AF |PUSH 30 <-- transform 1 -- here the value is changed to 30
0041E0B1 |MOV EAX, [LOCAL.6]
0041E0B4 |PUSH EAX
0041E0B5 |LEA ECX, [ARG.2]
0041E0B8 |CALL
0041E0BD |JMP recordin.0041E150
0041E0C2 |PUSH 31 <-- transform 2 -- here the value is changed to 31
0041E0C4 |MOV ECX, [LOCAL.6]
0041E0C7 |PUSH ECX
0041E0C8 |LEA ECX, [ARG.2]
0041E0CB |CALL
0041E0D0 |JMP SHORT recordin.0041E150
0041E0D2 |PUSH 32 <-- transform 3 -- here the value is changed to 32
0041E0D4 |MOV EDX, [LOCAL.6]
0041E0D7 |PUSH EDX
0041E0D8 |LEA ECX, [ARG.2]
0041E0DB |CALL
0041E0E0 |JMP SHORT recordin.0041E150
0041E0E2 |PUSH 33 <-- transform 4 -- here the value is changed to 33
0041E0E4 |MOV EAX, [LOCAL.6]
0041E0E7 |PUSH EAX
0041E0E8 |LEA ECX, [ARG.2]
0041E0EB |CALL
0041E0F0 |JMP SHORT recordin.0041E150
0041E0F2 |PUSH 34 <-- transform 5 -- here the value is changed to 34
0041E0F4 |MOV ECX, [LOCAL.6]
0041E0F7 |PUSH ECX
0041E0F8 |LEA ECX, [ARG.2]
0041E0FB |CALL
0041E100 |JMP SHORT recordin.0041E150
0041E102 |PUSH 35 <-- transform 6 -- here the value is changed to 35
0041E104 |MOV EDX, [LOCAL.6]
0041E107 |PUSH EDX
0041E108 |LEA ECX, [ARG.2]
0041E10B |CALL
0041E110 |JMP SHORT recordin.0041E150
0041E112 |PUSH 36 <-- transform 7 -- here the value is changed to 36
0041E114 |MOV EAX, [LOCAL.6]
0041E117 |PUSH EAX
0041E118 |LEA ECX, [ARG.2]
0041E11B |CALL
0041E120 |JMP SHORT recordin.0041E150
0041E122 |PUSH 37 <-- transform 8 -- here the value is changed to 37
0041E124 |MOV ECX, [LOCAL.6]
0041E127 |PUSH ECX
0041E128 |LEA ECX, [ARG.2]
0041E12B |CALL
0041E130 |JMP SHORT recordin.0041E150
0041E132 |PUSH 38 <-- transform 9 -- here the value is changed to 38
0041E134 |MOV EDX, [LOCAL.6]
0041E137 |PUSH EDX
0041E138 |LEA ECX, [ARG.2]
0041E13B |CALL
0041E140 |JMP SHORT recordin.0041E150
0041E142 |PUSH 39 <-- transform 10 -- here the value is changed to 39
0041E144 |MOV EAX, [LOCAL.6]
0041E147 |PUSH EAX
0041E148 |LEA ECX, [ARG.2]
0041E14B |CALL
0041E150 \JMP recordin.0041E06B
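----Algorithm notes----
The code above subtracts 47 from the hex value of each character of the test code. If the result
is > 13 the character is left unchanged; if it is <= 13, EDX*4 is used as an index into the table
at base address 0041E210 to find the jump target, which supplies the new value.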
0041E155 PUSH recordin.00475800
0041E15A LEA ECX, [LOCAL.5]
0041E15D CALL
0041E162 MOV [LOCAL.4], 0B
0041E169 MOV ECX, [LOCAL.7] ; ECX=10
0041E16C MOV [LOCAL.6], ECX
0041E16F JMP SHORT recordin.0041E17A
0041E171 /MOV EDX, [LOCAL.6]
0041E174 |SUB EDX, 1
0041E177 |MOV [LOCAL.6], EDX
0041E17A CMP [LOCAL.6], 0
0041E17E |JLE SHORT recordin.0041E1C4
0041E180 |MOV EAX, [LOCAL.6]
0041E183 |SUB EAX, 1
0041E186 |PUSH EAX
0041E187 |LEA ECX, [ARG.2]
0041E18A |CALL recordin.0041E2F0 <-- fetch each character of the registration code in reverse order
0041E18F |PUSH EAX
0041E190 |LEA ECX, [LOCAL.5]
0041E193 |PUSH ECX
0041E194 |LEA EDX, [LOCAL.8]
0041E197 |PUSH EDX
0041E198 |CALL
0041E19D |MOV [LOCAL.12], EAX
0041E1A0 |MOV EAX, [LOCAL.12]
0041E1A3 |MOV [LOCAL.13], EAX
0041E1A6 |MOV BYTE PTR SS:[EBP-4], 3
0041E1AA |MOV ECX, [LOCAL.13]
0041E1AD |PUSH ECX
0041E1AE |LEA ECX, [LOCAL.5]
0041E1B1 |CALL
0041E1B6 |MOV BYTE PTR SS:[EBP-4], 2
0041E1BA |LEA ECX, [LOCAL.8]
0041E1BD |CALL
0041E1C2 \JMP SHORT recordin.0041E171
<-- the resulting string is put in reverse order: 00B40978 ASCII "hkflsjmgbdcaznxv"
0041E1C4 LEA EDX, [LOCAL.5]
0041E1C7 PUSH EDX
0041E1C8 LEA ECX, [ARG.2]
0041E1CB CALL
0041E1D0 LEA EAX, [ARG.2]
0041E1D3 PUSH EAX
0041E1D4 MOV ECX, [ARG.1]
0041E1D7 CALL
0041E1DC MOV ECX, [LOCAL.9]
0041E1DF OR ECX, 1
0041E1E2 MOV [LOCAL.9], ECX
0041E1E5 MOV BYTE PTR SS:[EBP-4], 1
0041E1E9 LEA ECX, [LOCAL.5]
0041E1EC CALL
0041E1F1 MOV BYTE PTR SS:[EBP-4], 0
0041E1F5 LEA ECX, [ARG.2]
0041E1F8 CALL
0041E1FD MOV EAX, [ARG.1]
0041E200 MOV ECX, [LOCAL.3]
0041E203 MOV DWORD PTR FS:[0], ECX
0041E20A MOV ESP, EBP
0041E20C POP EBP
0041E20D RETN 8
----------------End of Part 1---------------
0041DD94 MOV [LOCAL.21], EAX
0041DD97 MOV EDX, [LOCAL.21]
0041DD9A MOV [LOCAL.22], EDX
0041DD9D MOV BYTE PTR SS:[EBP-4], 1
0041DDA1 MOV EAX, [LOCAL.22]
0041DDA4 PUSH EAX
0041DDA5 MOV ECX, [ARG.1]
0041DDA8 CALL
0041DDAD MOV BYTE PTR SS:[EBP-4], 0
0041DDB1 LEA ECX, [LOCAL.11]
0041DDB4 CALL
0041DDB9 MOV [LOCAL.7], 0B
0041DDC0 MOV [LOCAL.8], 0
*********Part 2 -- computing the check code************
0041DDC7 JMP SHORT recordin.0041DDD2
0041DDC9 /MOV ECX, [LOCAL.8]
0041DDCC |ADD ECX, 2
0041DDCF |MOV [LOCAL.8], ECX
0041DDD2 MOV ECX, [ARG.1]
0041DDD5 |CALL recordin.0041CD80
0041DDDA |SUB EAX, 2
0041DDDD |CMP [LOCAL.8], EAX
0041DDE0 |JGE SHORT recordin.0041DE5B
0041DDE2 |PUSH 10
0041DDE4 |PUSH 0
0041DDE6 |PUSH 2
0041DDE8 |MOV EDX, [LOCAL.8]
0041DDEB |PUSH EDX
0041DDEC |LEA EAX, [LOCAL.12]
0041DDEF |PUSH EAX
0041DDF0 |MOV ECX, [ARG.1]
0041DDF3 |CALL
0041DDF8 |MOV [LOCAL.23], EAX
0041DDFB |MOV ECX, [LOCAL.23]
0041DDFE |MOV [LOCAL.24], ECX
0041DE01 |MOV BYTE PTR SS:[EBP-4], 2
0041DE05 |MOV ECX, [LOCAL.24]
0041DE08 |CALL recordin.00402010
0041DE0D |PUSH EAX ; EAX<--00B046F8 (ASCII "hk"), ("fl"), ...
0041DE0E |CALL DWORD PTR DS:[<&MSVCRT.strtol>]
<-- each character of the group minus 57 ==> ECX; the key computation ==>
--------Computing the intermediate value--------
78016BA6 PUSH EBP
78016BA7 MOV EBP, ESP
78016BA9 PUSH ECX
78016BAA PUSH EBX
78016BAB PUSH ESI
78016BAC PUSH EDI
78016BAD CALL MSVCRT.780011E6
78016BB2 MOV ESI, DWORD PTR DS:[EAX+60]
78016BB5 CMP ESI, DWORD PTR DS:[7803B270]
78016BBB JE SHORT MSVCRT.78016BC4
78016BBD CALL MSVCRT.78003E82
78016BC2 MOV ESI, EAX
78016BC4 AND DWORD PTR SS:[EBP-4], 0
78016BC8 MOV EDI, DWORD PTR SS:[EBP+8] ; EDI<--00B046F8 (ASCII "hk")
78016BCB MOV BL, BYTE PTR DS:[EDI] ; BL=DS:[EDI]=68 ('h')
78016BCD INC EDI <-- advance to the next character
78016BCE CMP DWORD PTR DS:[ESI+24], 1
78016BD2 JLE SHORT MSVCRT.78016BF5
78016BD4 MOVZX EAX, BL
78016BD7 PUSH 8
78016BD9 PUSH EAX
78016BDA PUSH ESI
78016BDB CALL MSVCRT.7800D42B
78016BE0 ADD ESP, 0C
78016BE3 TEST EAX, EAX
78016BE5 JNZ SHORT MSVCRT.78016BCB
78016BE7 CMP BL, 2D
78016BEA JNZ SHORT MSVCRT.78016C03
78016BEC OR DWORD PTR SS:[EBP+14], 2
78016BF0 MOV BL, BYTE PTR DS:[EDI]
78016BF2 INC EDI
78016BF3 JMP SHORT MSVCRT.78016C08
78016BF5 MOV ECX, DWORD PTR DS:[ESI+48]
78016BF8 MOVZX EAX, BL ; EAX=BL=68 ('h')
78016BFB MOV AL, BYTE PTR DS:[ECX+EAX*2]
78016BFE AND EAX, 8
78016C01 JMP SHORT MSVCRT.78016BE3
78016C03 CMP BL, 2B
78016C06 JE SHORT MSVCRT.78016BF0
78016C08 MOV ESI, DWORD PTR SS:[EBP+10]
78016C0B TEST ESI, ESI
78016C0D JL MSVCRT.78016D4D
78016C13 CMP ESI, 1
78016C16 JE MSVCRT.78016D4D
78016C1C CMP ESI, 24
78016C1F JG MSVCRT.78016D4D
78016C25 TEST ESI, ESI
78016C27 JNZ SHORT MSVCRT.78016C89
78016C29 CMP BL, 30
78016C2C JE SHORT MSVCRT.78016C78
78016C2E PUSH 0A
78016C30 POP ESI
78016C31 OR EAX, FFFFFFFF
78016C34 XOR EDX, EDX
78016C36 DIV ESI
78016C38 MOV DWORD PTR SS:[EBP+10], EAX
78016C3B MOV ECX, DWORD PTR DS:[_pctype]
78016C41 MOVZX EAX, BL
78016C44 MOV AX, WORD PTR DS:[ECX+EAX*2]
78016C48 TEST AL, 4
78016C4A JE SHORT MSVCRT.78016CA4
78016C4C MOVSX ECX, BL
78016C4F SUB ECX, 30
78016C52 CMP ECX, ESI
78016C54 JNB SHORT MSVCRT.78016CCE
78016C56 MOV EBX, DWORD PTR SS:[EBP-4]
78016C59 OR DWORD PTR SS:[EBP+14], 8
78016C5D CMP EBX, DWORD PTR SS:[EBP+10]
78016C60 JB SHORT MSVCRT.78016CC4
78016C62 JNZ SHORT MSVCRT.78016C6F
78016C64 OR EAX, FFFFFFFF
78016C67 XOR EDX, EDX
78016C69 DIV ESI
78016C6B CMP ECX, EDX
78016C6D JBE SHORT MSVCRT.78016CC4
78016C6F OR DWORD PTR SS:[EBP+14], 4
78016C73 MOV BL, BYTE PTR DS:[EDI]
78016C75 INC EDI
78016C76 JMP SHORT MSVCRT.78016C3B
78016C78 MOV AL, BYTE PTR DS:[EDI]
78016C7A CMP AL, 78
78016C7C JE SHORT MSVCRT.78016C86
78016C7E CMP AL, 58
78016C80 JE SHORT MSVCRT.78016C86
78016C82 PUSH 8
78016C84 JMP SHORT MSVCRT.78016C30
78016C86 PUSH 10
78016C88 POP ESI
78016C89 CMP ESI, 10
78016C8C JNZ SHORT MSVCRT.78016C31
78016C8E CMP BL, 30
78016C91 JNZ SHORT MSVCRT.78016C31
78016C93 MOV AL, BYTE PTR DS:[EDI]
78016C95 CMP AL, 78
78016C97 JE SHORT MSVCRT.78016C9D
78016C99 CMP AL, 58
78016C9B JNZ SHORT MSVCRT.78016C31
78016C9D MOV BL, BYTE PTR DS:[EDI+1]
78016CA0 INC EDI
78016CA1 INC EDI
78016CA2 JMP SHORT MSVCRT.78016C31
78016CA4 TEST AX, 103
78016CA8 JE SHORT MSVCRT.78016CCE
78016CAA CMP BL, 61
78016CAD JL SHORT MSVCRT.78016CBF
78016CAF CMP BL, 7A
78016CB2 JG SHORT MSVCRT.78016CBF
78016CB4 MOVSX EAX, BL
78016CB7 SUB EAX, 20
78016CBA LEA ECX, DWORD PTR DS:[EAX-37] <-- hex value - 57
78016CBD JMP SHORT MSVCRT.78016C52
78016CBF MOVSX EAX, BL
78016CC2 JMP SHORT MSVCRT.78016CBA
78016CC4 IMUL EBX, ESI <-- ESI=10 -- shift EBX up one digit
78016CC7 ADD EBX, ECX <-- join the two values
78016CC9 MOV DWORD PTR SS:[EBP-4], EBX
78016CCC JMP SHORT MSVCRT.78016C73
78016CCE MOV EAX, DWORD PTR SS:[EBP+14]
78016CD1 MOV EBX, DWORD PTR SS:[EBP+C]
78016CD4 DEC EDI
78016CD5 TEST AL, 8
78016CD7 JNZ SHORT MSVCRT.78016D00
78016CD9 TEST EBX, EBX
78016CDB JE SHORT MSVCRT.78016CE0
78016CDD MOV EDI, DWORD PTR SS:[EBP+8]
78016CE0 AND DWORD PTR SS:[EBP-4], 0
78016CE4 TEST EBX, EBX
78016CE6 JE SHORT MSVCRT.78016CEA
78016CE8 MOV DWORD PTR DS:[EBX], EDI
78016CEA TEST BYTE PTR SS:[EBP+14], 2
78016CEE JE SHORT MSVCRT.78016CF8
78016CF0 MOV EAX, DWORD PTR SS:[EBP-4]
78016CF3 NEG EAX
78016CF5 MOV DWORD PTR SS:[EBP-4], EAX
78016CF8 MOV EAX, DWORD PTR SS:[EBP-4]
78016CFB POP EDI
78016CFC POP ESI
78016CFD POP EBX
78016CFE LEAVE
78016CFF RETN
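----Algorithm summary----
Drop the last two characters of the rearranged test code, then take the rest out two characters
at a time and compute on each group. The computation subtracts 57 from each character of the group:
if the result is >= 10, take 0; if it is < 10, use it directly. Then join the results to get the
intermediate value.
Here is the intermediate value computed from the transformed test-code string "hkflsjmgbdcazn":
In memory:
00B407E8 00 0F 00 00 BD CA 00
----------------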
0041DE14 |ADD ESP, 0C
0041DE17 |PUSH EAX
0041DE18 |LEA EDX, [LOCAL.5]
0041DE1B |PUSH EDX
0041DE1C |LEA EAX, [LOCAL.13]
0041DE1F |PUSH EAX
0041DE20 |CALL
0041DE25 |MOV [LOCAL.25], EAX
0041DE28 |MOV ECX, [LOCAL.25]
0041DE2B |MOV [LOCAL.26], ECX
0041DE2E |MOV BYTE PTR SS:[EBP-4], 3
0041DE32 |MOV EDX, [LOCAL.26]
0041DE35 |PUSH EDX
0041DE36 |LEA ECX, [LOCAL.5]
0041DE39 |CALL
0041DE3E |MOV BYTE PTR SS:[EBP-4], 2
0041DE42 |LEA ECX, [LOCAL.13]
0041DE45 |CALL
0041DE4A |MOV BYTE PTR SS:[EBP-4], 0
0041DE4E |LEA ECX, [LOCAL.12]
0041DE51 |CALL
0041DE56 \JMP recordin.0041DDC9
<-- take two characters at a time and compute the intermediate value
0041DE5B MOV [LOCAL.8], 0
0041DE62 JMP SHORT recordin.0041DE6D
0041DE64 /MOV EAX, [LOCAL.8]
0041DE67 |ADD EAX, 1
0041DE6A |MOV [LOCAL.8], EAX
0041DE6D LEA ECX, [LOCAL.5]
0041DE70 |CALL recordin.0041CD80
0041DE75 |CMP [LOCAL.8], EAX ; EAX=7 <-- number of iterations: (16-2)/2
0041DE78 |JGE SHORT recordin.0041DE97
0041DE7A |MOV ECX, [LOCAL.8]
0041DE7D |PUSH ECX
0041DE7E |LEA ECX, [LOCAL.5]
0041DE81 |CALL recordin.0041E2F0
0041DE86 |MOV BYTE PTR SS:[EBP-18], AL
0041DE89 |MOVSX EDX, BYTE PTR SS:[EBP-18]
0041DE8D |MOV EAX, [LOCAL.7] <--- EAX=0B (constant)
0041DE90 |XOR EAX, EDX
0041DE92 |MOV [LOCAL.7], EAX
0041DE95 \JMP SHORT recordin.0041DE64
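<-- use the intermediate value above to compute the check value
----Algorithm summary----
XOR the first byte of the intermediate value computed above with 0B, then XOR that result with the
next byte, and so on. The final value is the check value, that is, the last two characters of the
transformed string.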
0041DE97 LEA ECX, [LOCAL.4]
0041DE9A CALL
0041DE9F MOV BYTE PTR SS:[EBP-4], 4
0041DEA3 MOV ECX, [LOCAL.7] ; ECX=73
0041DEA6 PUSH ECX
0041DEA7 PUSH recordin.00473CBC ; ASCII "%02X"
0041DEAC LEA EDX, [LOCAL.4]
0041DEAF PUSH EDX
0041DEB0 CALL
0041DEB5 ADD ESP, 0C
0041DEB8 LEA ECX, [LOCAL.4]
0041DEBB CALL recordin.0041CD80
0041DEC0 CMP EAX, 2
0041DEC3 JLE SHORT recordin.0041DEF8
0041DEC5 PUSH 2
0041DEC7 LEA EAX, [LOCAL.14]
0041DECA PUSH EAX
0041DECB LEA ECX, [LOCAL.4]
0041DECE CALL
0041DED3 MOV [LOCAL.27], EAX
0041DED6 MOV ECX, [LOCAL.27]
0041DED9 MOV [LOCAL.28], ECX
0041DEDC MOV BYTE PTR SS:[EBP-4], 5
0041DEE0 MOV EDX, [LOCAL.28]
0041DEE3 PUSH EDX
0041DEE4 LEA ECX, [LOCAL.4]
0041DEE7 CALL
0041DEEC MOV BYTE PTR SS:[EBP-4], 4
0041DEF0 LEA ECX, [LOCAL.14]
0041DEF3 CALL
0041DEF8 PUSH 2
0041DEFA LEA EAX, [LOCAL.16]
0041DEFD PUSH EAX
0041DEFE MOV ECX, [ARG.1]
0041DF01 CALL
0041DF06 MOV [LOCAL.29], EAX
0041DF09 MOV ECX, [LOCAL.29]
0041DF0C MOV [LOCAL.30], ECX
0041DF0F MOV BYTE PTR SS:[EBP-4], 6
0041DF13 MOV EDX, [LOCAL.30]
0041DF16 PUSH EDX
0041DF17 LEA EAX, [LOCAL.4]
0041DF1A PUSH EAX
0041DF1B CALL recordin.0041E310 <--- the comparison
-----CALL recordin.0041E310 -- the comparison -------
7800F969 MOV EDI, DWORD PTR SS:[EBP+C]
; EDI<--00B409C8 (ASCII "xv") <--- characters 2 and 4 of the test code
7800F96C MOV EAX, DWORD PTR SS:[EBP+8]
; EAX<--00B046F8 (ASCII "73") <--- the computed check value
7800F96F INC DWORD PTR SS:[EBP+8]
7800F972 MOVZX AX, BYTE PTR DS:[EAX] ; AX=DS:[EAX]=37
7800F976 MOVZX ECX, AL ; ECX=37
7800F979 TEST BYTE PTR DS:[ECX+ESI+25], 4
7800F97E JE SHORT MSVCRT.7800F98B
7800F980 MOV ECX, DWORD PTR SS:[EBP+8]
7800F983 MOV CL, BYTE PTR DS:[ECX]
7800F985 TEST CL, CL
7800F987 JNZ SHORT MSVCRT.7800F9B0
7800F989 XOR EAX, EAX
7800F98B MOVZX CX, BYTE PTR DS:[EDI] ; CX<--DS:[EDI]=78 ('x')
7800F98F MOVZX EDX, CL
7800F992 INC EDI
7800F993 TEST BYTE PTR DS:[EDX+ESI+25], 4
7800F998 JE SHORT MSVCRT.7800F9A2
7800F99A MOV DL, BYTE PTR DS:[EDI]
7800F99C TEST DL, DL
7800F99E JNZ SHORT MSVCRT.7800F9BD
7800F9A0 XOR ECX, ECX
7800F9A2 CMP CX, AX <--- the key comparison
7800F9A5 JNZ SHORT MSVCRT.7800F9C8
7800F9A7 TEST AX, AX
7800F9AA JNZ SHORT MSVCRT.7800F96C
7800F9AC XOR EAX, EAX <--- set the success flag
7800F9AE JMP SHORT MSVCRT.7800F964
7800F9B0 XOR EDX, EDX
7800F9B2 INC DWORD PTR SS:[EBP+8]
7800F9B5 MOV DH, AL
7800F9B7 MOV DL, CL
7800F9B9 MOV EAX, EDX
7800F9BB JMP SHORT MSVCRT.7800F98B
7800F9BD XOR EBX, EBX
7800F9BF INC EDI
7800F9C0 MOV BH, CL
7800F9C2 MOV BL, DL
7800F9C4 MOV ECX, EBX
7800F9C6 JMP SHORT MSVCRT.7800F9A2
7800F9C8 SBB EAX, EAX
7800F9CA AND EAX, 2
7800F9CD DEC EAX <--- set the failure flag
7800F9CE JMP SHORT MSVCRT.7800F964
-------------------------
0041DF20 MOV BYTE PTR SS:[EBP-3C], AL
0041DF23 MOV BYTE PTR SS:[EBP-4], 4
0041DF27 LEA ECX, [LOCAL.16]
0041DF2A CALL
0041DF2F MOV ECX, [LOCAL.15]
0041DF32 AND ECX, 0FF
0041DF38 TEST ECX, ECX <--- test the flag
0041DF3A JE SHORT recordin.0041DF63 <--- the key jump
0041DF3C MOV [LOCAL.17], 0
0041DF43 MOV BYTE PTR SS:[EBP-4], 0
0041DF47 LEA ECX, [LOCAL.4]
0041DF4A CALL
0041DF4F MOV [LOCAL.1], -1
0041DF56 LEA ECX, [LOCAL.5]
0041DF59 CALL
0041DF5E MOV EAX, [LOCAL.17]
0041DF61 JMP SHORT recordin.0041DF94
0041DF63 LEA EDX, [LOCAL.5]
0041DF66 PUSH EDX
0041DF67 MOV ECX, [ARG.1]
0041DF6A CALL
0041DF6F >MOV [LOCAL.18], 1
0041DF76 MOV BYTE PTR SS:[EBP-4], 0
0041DF7A LEA ECX, [LOCAL.4]
0041DF7D CALL
0041DF82 MOV [LOCAL.1], -1
0041DF89 LEA ECX, [LOCAL.5]
0041DF8C CALL
0041DF91 MOV EAX, [LOCAL.18]
0041DF94 MOV ECX, [LOCAL.3]
0041DF97 MOV DWORD PTR FS:[0], ECX
0041DF9E MOV ESP, EBP
0041DFA0 POP EBP
0041DFA1 RETN 4
------End of Part 2--------
===================================================================
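This completes the tracing and analysis of the registration-code algorithm. To summarize:
Condition -- the registration code should be longer than 6 characters (I do not know whether this is correct)
1. First swap the characters of the registration code as 1<->4, 3<->6, 5<->8, ... to rearrange it
2. Check the range of each character's hex value: if value-47 >= 13 a new value is taken; if < 13 it is used directly
3. Reverse the order of the processed string to form a new string
4. Take off the last two characters of the new string, then split the preceding part into groups of two and compute the intermediate value
5. XOR the first byte of the intermediate value with 0B, then XOR that result with the next byte, and so on; the final value is the value of characters 2 and 4 of the registration code
A working registration code: z7c3bnmasdfghjkl (please delete within 24 hours after testing)
by fxyang[OCN][BCG]
2003.4.23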