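SuperCleaner 2.31 Registration Code Algorithm Analysis
=================
Software overview:
A program that helps users clean unnecessary files off their computer's hard
disk. It scans your system and lets you choose which files you no longer need
to delete. It can also back up files so that you do not delete useful ones by
mistake: the backup feature sends unneeded files to the Recycle Bin, so you can
restore the information when necessary.
Cracking tools: SOFTICE, W32DASM
================================================
Analysis:
The software validates registration with a user name and a registration code.
Enter the following in the registration window:
User name: alpha
Registration code: 98765432
A breakpoint on GETWINDOWTEXT did not interrupt the program. After switching to GETDLGITEMTEXT and pressing OK, the SOFTICE window popped up. Pressing F12 twice brings up the registration-failed dialog, so after re-enabling the earlier breakpoint, press F12 only once and then single-step with F10 to arrive at: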
* Reference To: USER32.GetDlgItemTextA, Ord:0113h
|
:0041220F 8B3D7C124200 mov edi, dword ptr [0042127C]
:00412215 6817040000 push 00000417
:0041221A 56 push esi
:0041221B FFD7 call edi <<----------gets the user name
:0041221D 8D542408 lea edx, dword ptr [esp+08]
:00412221 6800010000 push 00000100
:00412226 52 push edx
:00412227 68FC030000 push 000003FC
:0041222C 56 push esi
:0041222D FFD7 call edi <<--------gets the entered registration code
:0041222F 8D442408 lea eax, dword ptr [esp+08] <<-------address of the entered registration code -> EAX
:00412233 8D8C2408010000 lea ecx, dword ptr [esp+00000108] <<----address of the user name -> ECX
:0041223A 50 push eax
:0041223B 51 push ecx
:0041223C E8BF080000 call 00412B00 <<-----note this CALL
:00412241 83C408 add esp, 00000008
:00412244 85C0 test eax, eax
:00412246 5F pop edi
:00412247 7443 je 0041228C <<-----jumps if the registration code is wrong
:00412249 8D542404 lea edx, dword ptr [esp+04]
:0041224D 8D842404010000 lea eax, dword ptr [esp+00000104]
:00412254 52 push edx
:00412255 50 push eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412247(C)
|
:0041228C 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"SuperCleaner"
|
:0041228E 686C454200 push 0042456C
* Possible Reference to String Resource ID=00010: "?w `揺勮?
cn"
|
:00412293 6A0A push 0000000A
:00412295 56 push esi
:00412296 E85572FFFF call 004094F0 <<------registration-failed dialog
:0041229B 83C410 add esp, 00000010
===================================================
As the listing above shows, the key is the CALL at 0041223C. Tracing into this CALL, we arrive at:
* Referenced by a CALL at Addresses:
|:0041223C , :00412A2E
|
:00412B00 81EC00010000 sub esp, 00000100
:00412B06 A0D09C4200 mov al, byte ptr [00429CD0]
:00412B0B 56 push esi
:00412B0C 57 push edi
:00412B0D 88442408 mov byte ptr [esp+08], al
* Possible Reference to String Resource ID=00063: "`氬~剠?+ Netscape 4 剦棚?"
|
:00412B11 B93F000000 mov ecx, 0000003F
:00412B16 33C0 xor eax, eax
:00412B18 8D7C2409 lea edi, dword ptr [esp+09]
:00412B1C 8B94240C010000 mov edx, dword ptr [esp+0000010C] <<-----address of the user name into EDX
:00412B23 F3 repz
:00412B24 AB stosd
:00412B25 66AB stosw
:00412B27 8D4C2408 lea ecx, dword ptr [esp+08]
:00412B2B 33F6 xor esi, esi
:00412B2D 51 push ecx
:00412B2E 52 push edx
:00412B2F AA stosb
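:00412B30 E8AB000000 call 00412BE0 <<--------if you step over this CALL with F10, EAX will hold the address of the correct registration code; but since this article analyses the registration code algorithm, we need to step into this CALL
:00412B35 8B8C2418010000 mov ecx, dword ptr [esp+00000118] <<-------address of the entered registration code -> ECX
:00412B3C 8D442410 lea eax, dword ptr [esp+10] <<--------address of the correct registration code -> EAX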
:00412B40 50 push eax
:00412B41 51 push ecx
:00412B42 E869FFFFFF call 00412AB0 <<-----comparison function
:00412B47 83C410 add esp, 00000010
:00412B4A 85C0 test eax, eax
* Possible Reference to String Resource ID=00001: "蜩屬%s"
|
:00412B4C B801000000 mov eax, 00000001
:00412B51 7502 jne 00412B55 <<----jumps away if they match
:00412B53 8BC6 mov eax, esi
====================================================
Stepping into the CALL at 00412B30, we arrive at:
* Referenced by a CALL at Address:
|:00412B30
|
:00412BE0 81EC00010000 sub esp, 00000100
:00412BE6 A0D09C4200 mov al, byte ptr [00429CD0]
:00412BEB 53 push ebx
:00412BEC 55 push ebp
:00412BED 56 push esi
:00412BEE 57 push edi
:00412BEF 88442410 mov byte ptr [esp+10], al
* Possible Reference to String Resource ID=00063: "`氬~剠?+ Netscape 4 剦棚?"
|
:00412BF3 B93F000000 mov ecx, 0000003F
:00412BF8 33C0 xor eax, eax
:00412BFA 8D7C2411 lea edi, dword ptr [esp+11]
:00412BFE F3 repz
:00412BFF AB stosd
:00412C00 66AB stosw
:00412C02 AA stosb
:00412C03 8BBC2414010000 mov edi, dword ptr [esp+00000114] <<------address of the user name into EDI
:00412C0A 57 push edi
* Reference To: KERNEL32.lstrlenA, Ord:039Eh
|
:00412C0B FF1510124200 Call dword ptr [00421210] <<-----gets the length of the user name into EAX
:00412C11 8BF0 mov esi, eax
:00412C13 33C9 xor ecx, ecx
:00412C15 33C0 xor eax, eax <<-----clears EAX, ready for use as the loop counter
:00412C17 85F6 test esi, esi
:00412C19 7E13 jle 00412C2E
:00412C1B 8B15406C4200 mov edx, dword ptr [00426C40] <<-----initialises EDX (EDX=0x26)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C2C(C)
|
:00412C21 0FBE1C38 movsx ebx, byte ptr [eax+edi] <<----loads the characters of the user name into EBX in order, one per loop iteration
:00412C25 03DA add ebx, edx
:00412C27 03CB add ecx, ebx <<-----result of this computation is in ECX (0x2C4 in this example)
:00412C29 40 inc eax
:00412C2A 3BC6 cmp eax, esi
:00412C2C 7CF3 jl 00412C21
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C19(C)
|
:00412C2E 8B9C2418010000 mov ebx, dword ptr [esp+00000118]
:00412C35 51 push ecx
* Possible Reference to Dialog:
|
:00412C36 68546C4200 push 00426C54
:00412C3B 53 push ebx
* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412C3C FF15FC124200 Call dword ptr [004212FC] <<-----writes the value in ECX as a string to [EBX] and appends '-' (in this example: "708-")
:00412C42 83C40C add esp, 0000000C
:00412C45 33C9 xor ecx, ecx
:00412C47 33C0 xor eax, eax
:00412C49 85F6 test esi, esi
:00412C4B 7E14 jle 00412C61
:00412C4D 8B15446C4200 mov edx, dword ptr [00426C44] <<-----initialises EDX (EDX=0x34)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C5F(C)
|
:00412C53 0FBE2C38 movsx ebp, byte ptr [eax+edi] <<----loads the characters of the user name into EBP in order, one per loop iteration
:00412C57 0FAFEA imul ebp, edx
:00412C5A 03CD add ecx, ebp <<--------result of this computation is in ECX
:00412C5C 40 inc eax
:00412C5D 3BC6 cmp eax, esi
:00412C5F 7CF2 jl 00412C53
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C4B(C)
|
:00412C61 51 push ecx
:00412C62 8D4C2414 lea ecx, dword ptr [esp+14]
* Possible Reference to Dialog:
|
:00412C66 68546C4200 push 00426C54
:00412C6B 51 push ecx
* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412C6C FF15FC124200 Call dword ptr [004212FC] <<-----converts the value in ECX (0x6938) to a string
:00412C72 83C40C add esp, 0000000C
:00412C75 8D542410 lea edx, dword ptr [esp+10] <<----address of the string (in this example: "26936-") into EDX
:00412C79 52 push edx
:00412C7A 53 push ebx
* Reference To: KERNEL32.lstrcatA, Ord:038Fh
|
:00412C7B FF15F8114200 Call dword ptr [004211F8] <<------concatenates the results of the previous two computations
:00412C81 33C9 xor ecx, ecx
:00412C83 33C0 xor eax, eax
:00412C85 85F6 test esi, esi
:00412C87 7E13 jle 00412C9C
:00412C89 8B15486C4200 mov edx, dword ptr [00426C48] <<-----initialises EDX (EDX=0xC)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C9A(C)
|
:00412C8F 0FBE2C38 movsx ebp, byte ptr [eax+edi] <<----loads the characters of the user name into EBP in order, one per loop iteration
:00412C93 03EA add ebp, edx
:00412C95 03CD add ecx, ebp <<-----result of this computation is in ECX (in this example: 0x242)
:00412C97 40 inc eax
:00412C98 3BC6 cmp eax, esi
:00412C9A 7CF3 jl 00412C8F
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412C87(C)
|
:00412C9C 51 push ecx
:00412C9D 8D442414 lea eax, dword ptr [esp+14]
* Possible Reference to Dialog:
|
:00412CA1 68546C4200 push 00426C54
:00412CA6 50 push eax
* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412CA7 FF15FC124200 Call dword ptr [004212FC] <<------converts the value in ECX (0x242) to a string
:00412CAD 83C40C add esp, 0000000C
:00412CB0 8D4C2410 lea ecx, dword ptr [esp+10] <<----address of the string (in this example: "578-") into ECX
:00412CB4 51 push ecx
:00412CB5 53 push ebx
* Reference To: KERNEL32.lstrcatA, Ord:038Fh
|
:00412CB6 FF15F8114200 Call dword ptr [004211F8] <<-----concatenates the results of the first three computations
:00412CBC 33C9 xor ecx, ecx
:00412CBE 33C0 xor eax, eax
:00412CC0 85F6 test esi, esi
:00412CC2 7E14 jle 00412CD8
:00412CC4 8B154C6C4200 mov edx, dword ptr [00426C4C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412CD6(C)
|
:00412CCA 0FBE2C38 movsx ebp, byte ptr [eax+edi] <<----loads the characters of the user name into EBP in order, one per loop iteration
:00412CCE 0FAFEA imul ebp, edx
:00412CD1 03CD add ecx, ebp
:00412CD3 40 inc eax
:00412CD4 3BC6 cmp eax, esi
:00412CD6 7CF2 jl 00412CCA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412CC2(C)
|
:00412CD8 51 push ecx
:00412CD9 8D542414 lea edx, dword ptr [esp+14]
* Possible Reference to Dialog:
|
:00412CDD 68506C4200 push 00426C50
:00412CE2 52 push edx
* Reference To: USER32.wsprintfA, Ord:02D8h
|
:00412CE3 FF15FC124200 Call dword ptr [004212FC] <<------converts the value in ECX (0x1C54) to a string
:00412CE9 83C40C add esp, 0000000C
:00412CEC 8D442410 lea eax, dword ptr [esp+10] <<----address of the string (in this example: "-7252") into EAX
:00412CF0 50 push eax
:00412CF1 53 push ebx
* Reference To: KERNEL32.lstrcatA, Ord:038Fh
|
:00412CF2 FF15F8114200 Call dword ptr [004211F8] <<-----string concatenation
:00412CF8 5F pop edi
:00412CF9 5E pop esi
:00412CFA 5D pop ebp
:00412CFB 5B pop ebx
:00412CFC 81C400010000 add esp, 00000100
:00412D02 C3 ret
===============================================
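The registration code for this software has the form: SN1-SN2-SN3-SN4
The algorithm performs four separate computations on the user name, converts the result of each to a string, and concatenates them into SN1-SN2-SN3-SN4.
The four computations use four initial values: 0x26, 0x34, 0xC, 0xE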
===============================================
===============Open Cracking Group=============
CrAcKeD BY alphakk/OCG