ComWizard 2.08 的算法分析 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → ComWizard 2.08 的算法分析

ComWizard 2.08 的算法分析 时间：2004/10/15 0:55:00来源：本站整理作者：蓝点我要评论(0): 　

前言:
拿过这个东东后习惯性的用脱壳工具脱,但是都是·PE WINGUI，怪怪的，用exdec直接可以反汇编，用WktVBdeb
ugger也可以直接load，于是就不管三七二十一，拿过Wktv来分析。。。该程序在启动的时候就有一段注册码是否合法的校
验，如果不正确则弹出注册对话框，让你输入，为了方便，我们从弹出注册对话框这里开始下手:)在Wktv里面点Form Mana
ger(CTRL+F),下拉框选FrmRegister,Command拉下来选CmdRegister,然后回到程序中,输入名字和注册码,点击确认按钮
于是有...
过程:
首先断在415b7c这里,然后是一些无关的操作,哦,这里还要提一下,作者似乎是想用大量生成随机数的指令来混淆我
们的视线。
//判断名字长度的代码。。
00415BB1: 04 FLdRfVar 0065DB74h
00415BB4: 21 FLdPrThis 0043B040h
00415BB5: 0F VCallAd frmRegister.txtRegister
00415BB8: 19 FStAdFunc
00415BBB: 08 FLdPr
00415BBE: 0D VCallHresult get__ipropTEXTEDIT //这里取名字
00415BC3: 6C ILdRf 00439B0Ch
00415BC6: 4A FnLenStr //取名字的长度
00415BC7: F5 LitI4: -> 14h 20 //
00415BCC: DB GtI4 14h,5h ? //是否小于20
00415BCD: 2F FFree1Str
00415BD0: 1A FFree1Ad
00415BD3: 1C BranchF 00415C0C ? //如果小于则继续。。否则出错
//这里需要注意一下了,必须用F8过去才行
00415C5E: 00 LargeBos
00415C60: F4 LitI2_Byte: -> 10h 16
00415C62: EB CR8I2
00415C63: F4 LitI2_Byte: -> 0h 0
00415C65: EB CR8I2
00415C66: B6 DivR8 //是用除零跳到异常处理,不明白
00415C67: E8 CI4R8 //VB的是怎样处理,不过用F8可以正常走过
00415C68: 71 FStR4
00415C6B: 00 LargeBos //跳到这里
00415C6D: 0A ImpAdCallFPR4 Register!00412D48h //这里就是计算随机数的过程,可能是混淆视听用的,至少对注册
00415C72: 00 LargeBos //码的生成没起任何作用:)
00415C74: 04 FLdRfVar 0065DAE8h
00415C77: 10 ThisVCallHresult 00413744->004136A0 //这里进去,这儿是序列号处理和判断的过程
00415C7C: 6C ILdRf 00000000h
00415C7F: 71 FStR4
00415C82: 00 LargeBos
00415C84: 6C ILdRf 00000000h
00415C87: F5 LitI4: -> 63h 99
00415C8C: C7 EqI4
00415C8D: 1C BranchF 00415CCF ? //通过上面的Call后,如果序列号正确这里跳,否则继续
00415C90: 00 LargeBos
00415C92: 0A ImpAdCallFPR4 Register!00412D48h
00415C97: 00 LargeBos
00415C99: 27 LitVar_Missing 0065DB0Ch
00415C9C: 27 LitVar_Missing 0065DB2Ch
00415C9F: 3A LitVarStr '注册信息'
00415CA4: 4E FStVarCopyObj 0065DB4Ch
00415CA7: 04 FLdRfVar 0065DB4Ch
00415CAA: F5 LitI4: -> 10h 16
//进入上面的那个Call里面也有好多生成随机数的过程,跳过不看就行了,这里只给几个重要的过程:
/*********************************************************************************
对注册码的处理过程
*********************************************************************************/
Proc: 413318

41328C: 80 ILdI4: local_param_000C
41328F: 4a FnLenStr
413290: f5 LitI4: 0x0 0 (....)
413295: c7 EqI4 //Code的长度是否为0
413296: 1c BranchF: 41329A
413299: 14 ExitProc
41329A: 80 ILdI4: local_param_000C
41329D: 4a FnLenStr //这里不太明白,跟踪居然显示invalid?
41329E: f5 LitI4: 0x8 8 (....)
4132A3: db GtI4
4132A4: 1c BranchF: 4132A8
4132A7: 14 ExitProc
4132A8: f5 LitI4: 0x1 1 (....) //
4132AD: 04 FLdRfVar local_008C
4132B0: 80 ILdI4: local_param_000C
4132B3: 4a FnLenStr //取Code的长度
4132B4: Lead3/64 ForI4: (when done) 413311 //作为For循环的次数
4132BA: 1b LitStr: &H //
4132BD: 28 LitVarI2: ( local_00BC ) 0x1 (1)//
4132C2: 6c ILdRf local_008C //设计数器为i,这里相当于i
4132C5: 80 ILdI4: local_param_000C //这里是名字的存储地址
4132C8: 0b ImpAdCallI2 _rtcMidCharBstr //取第i个字母,
4132CD: 23 FStStrNoPop local_00C0
4132D0: 2a ConcatStr //和&H相连
4132D1: 23 FStStrNoPop local_00C4
4132D4: 0a ImpAdCallFPR4: _rtcR8ValFromBstr //变成实型变量
4132D9: e8 CI4R8
4132DA: 71 FStR4 local_0094 //
4132DD: 32 FFreeStr
4132E4: 35 FFree1Var local_00BC
4132E7: 6c ILdRf local_0094 //注册码的第i位字母变成的实型变量入栈
4132EA: ec CR8I4 //设为chari
4132EB: f4 LitI2_Byte: 0x10 16 (.) //记住这里
4132ED: eb CR8I2
4132EE: 6c ILdRf local_008C //这是i
4132F1: f5 LitI4: 0x1 1 (....) //常数1
4132F6: ae SubI4 //i-1
4132F7: ec CR8I4
4132F8: Lead0/cf PwrR8R8 //上面的0x10作为参数,计算它的i-1次方
4132FA: b3 MulR8 //乘以chari
4132FB: e8 CI4R8
4132FC: 71 FStR4 local_0094
4132FF: 6c ILdRf local_0090
413302: 6c ILdRf local_0094
413305: aa AddI4 //sum=sum+Mid(Code,i,1)*POWER(0x10,i-1);
413306: 71 FStR4 local_0090
413309: 04 FLdRfVar local_008C
41330C: 66 NextI4: (continue loop) 4132BA//是否继续
413311: 6c ILdRf local_0090
413314: 71 FStR4 local_0088
413317: 14 ExitProc
/*********************************************************************************
对注册码算法的总结
*********************************************************************************/
上面的算法用伪码来描述则为:
{TRICK WITH CODE:}
VAR SUM: LONGWORD=0;
FOR I:= 1 TO LEN(CODE) DO
BEGIN
SUM:=SUM+POWER($10,I-1)*(MID(CODE,I,1));
END;
//HMMM...CODES ABOVE DOES A REVERSE OF YOUR INPUT REALLY:)
LIKE:820411 TO 114028
/*********************************************************************************
对名字的处理过程
*********************************************************************************/
Proc: 415088

414EF0: 4b OnErrorGoto
414EF3: 80 ILdI4: local_param_0010
414EF6: 4a FnLenStr
414EF7: 71 FStR4 local_0094 //取到名字长度,存入..
414EFA: f5 LitI4: 0x1 1 (....)
414EFF: 04 FLdRfVar local_008C
414F02: 6c ILdRf local_0094
414F05: Lead3/64 ForI4: (when done) 414F49 //For循环次数为名字长度
414F0B: 6c ILdRf local_0098
414F0E: 28 LitVarI2: ( local_00E0 ) 0x1 (1)
414F13: 6c ILdRf local_008C
414F16: 6c ILdRf local_param_0010
414F19: 4d CVarRef: ( local_00C0 ) 4008
414F1E: 04 FLdRfVar local_00F0
414F21: 0a ImpAdCallFPR4: _rtcMidCharVar //依次取第i位的字母
414F26: 04 FLdRfVar local_00F0
414F29: Lead2/fe CStrVarVal local_00F4
414F2D: 0b ImpAdCallI2 _rtcAnsiValueBstr //变成Ascii值
414F32: e7 CI4UI1
414F33: aa AddI4 //计算sum=sum+name[i]
414F34: 71 FStR4 local_0098
414F37: 2f FFree1Str local_00F4
414F3A: 36 FFreeVar
414F41: 04 FLdRfVar local_008C
414F44: 66 NextI4: (continue loop) 414F0B //
414F49: 3a LitVarStr: ( local_00D0 ) &H
414F4E: f5 LitI4: 0x3 3 (....)
414F53: 6c ILdRf local_param_000C
//这是CSTCW276F8B22456C53,设为str,好像是定值:)
414F56: 4d CVarRef: ( local_00C0 ) 4008
414F5B: 04 FLdRfVar local_00E0 //
414F5E: 0a ImpAdCallFPR4: _rtcRightCharVar //取固定字符串的后三位
414F63: 04 FLdRfVar local_00E0
414F66: Lead0/94 AddVar local_00F0 //后面加'&H'
414F6A: Lead2/fe CStrVarVal local_00F4
414F6E: 0a ImpAdCallFPR4: _rtcR8ValFromBstr //变成实型变量,设为tem
414F73: 74 FStFPR8 local_00FC
414F76: 6c ILdRf local_0094 //名字的长度
414F79: 6c ILdRf local_0098 //名字的总和
414F7C: b2 MulI4 //sum=sum*strlen(name)
414F7D: ec CR8I4
414F7E: 6f FLdFPR8 local_00FC
414F81: bd FnAbsR4 //取绝对值?
414F82: b3 MulR8 //乘以上面的tem
414F83: e8 CI4R8
414F84: 71 FStR4 local_009C
414F87: 2f FFree1Str local_00F4
414F8A: 36 FFreeVar
414F91: f5 LitI4: 0x0 0 (....)
414F96: 71 FStR4 local_0098
414F99: f5 LitI4: 0x1 1 (....)
414F9E: 04 FLdRfVar local_008C
414FA1: 80 ILdI4: local_param_000C
414FA4: 4a FnLenStr //取str的长度,
414FA5: Lead3/64 ForI4: (when done) 415068 //作为外循环的次数
414FAB: 6c ILdRf local_008C //
414FAE: 80 ILdI4: local_param_0010
414FB1: 4a FnLenStr //名字的长度
414FB2: d6 LeI4 //判断是否i>名字的长度,如果大于进入另外一种处理方式
414FB3: 1c BranchF: 41501B
414FB6: 28 LitVarI2: ( local_00E0 ) 0x1 (1) //这是第一处理
414FBB: 6c ILdRf local_008C
414FBE: 6c ILdRf local_param_000C
414FC1: 4d CVarRef: ( local_00C0 ) 4008
414FC6: 04 FLdRfVar local_00F0
414FC9: 0a ImpAdCallFPR4: _rtcMidCharVar //取str[i]
414FCE: 04 FLdRfVar local_00F0
414FD1: Lead2/fe CStrVarVal local_00F4
414FD5: 0b ImpAdCallI2 _rtcAnsiValueBstr //取它的Ascii值
414FDA: 28 LitVarI2: ( local_0134 ) 0x1 (1)
414FDF: 6c ILdRf local_008C
414FE2: 6c ILdRf local_param_0010
414FE5: 4d CVarRef: ( local_0114 ) 4008
414FEA: 04 FLdRfVar local_0144
414FED: 0a ImpAdCallFPR4: _rtcMidCharVar //取name[i]
414FF2: 04 FLdRfVar local_0144
414FF5: Lead2/fe CStrVarVal local_0148
414FF9: 0b ImpAdCallI2 _rtcAnsiValueBstr //取它的Ascii值
414FFE: Lead0/11 XorI2 //name[i]^str[i]
415000: Lead1/0d CUI1I2
415002: Lead1/f0 FStUI1
415006: 32 FFreeStr
41500D: 36 FFreeVar
415018: 1e Branch: 415054 //跳到415054处理

41501B: 28 LitVarI2: ( local_00E0 ) 0x1 (1) //第二种处理方式
415020: 6c ILdRf local_008C
415023: 6c ILdRf local_param_000C
415026: 4d CVarRef: ( local_00C0 ) 4008
41502B: 04 FLdRfVar local_00F0
41502E: 0a ImpAdCallFPR4: _rtcMidCharVar
415033: 04 FLdRfVar local_00F0
415036: Lead2/fe CStrVarVal local_00F4
41503A: 0b ImpAdCallI2 _rtcAnsiValueBstr
41503F: f3 LitI2: 0xab 171 (..) //str[i]和定值0xab相异或
415042: Lead0/11 XorI2
415044: Lead1/0d CUI1I2
415046: Lead1/f0 FStUI1
41504A: 2f FFree1Str local_00F4
41504D: 36 FFreeVar

415054: 6c ILdRf local_0098 //
415057: Lead1/e0 FLdUI1
41505B: e7 CI4UI1
41505C: aa AddI4 //sum2=sum2+str[i]^name[i]

41505D: 71 FStR4 local_0098 //或者:sum2=sum2+str[i]^0xab
415060: 04 FLdRfVar local_008C
415063: 66 NextI4: (continue loop) 414FAB
415068: 6c ILdRf local_009C
41506B: 6c ILdRf local_0098
41506E: aa AddI4 //sum=sum+sum2(sum是上面名字的sum)
41506F: 71 FStR4 local_00A0
415072: 6c ILdRf local_00A0
415075: 71 FStR4 local_0088
415078: 14 ExitProc
/*********************************************************************************
对注册码的处理算法的总结
*********************************************************************************/
{TRICK WITH NAME:}
VAR SUM: LONGWORD=0;
FOR I:= 1 TO LEN(NAME) DO
BEGIN
SUM:=SUM+MID(NAME,I,1);
END;//SUM NAMES
VAR RESULT: LONGWORD= SUM*LEN(NAME)*0XC53;
SUM:=0;
FOR I:= 1 TO LEN(STR) DO
BEGIN
FOR J:= 1 TO LEN(CODE) DO
BEGIN
SUM:=SUM+(MID(CODE,I,1) XOR MID(STR,I,1));
END;
SUM:=SUM+(MID(STR,I,1) XOR $AB);
END;
RESULT:=SUM+RESULT; (IN HEX FORMS)

/*********************************************************************************
最后的判断
*********************************************************************************/
判断就是上面两个过程的result和sum相等就OK,否则出错

文章评论

查看所有0条评论>>

热门文章 去除winrar注册框方法