
百里挑一 V1.2 Algorithm Analysis

Date: 2004/10/15 0:57:00  Source: compiled by this site  Author: 蓝点

Software description: quickly picks out the useful file from hundreds or thousands of compressed archives. You just supply the file (or directory) name you are looking for, wildcards allowed, then click "Search", and 百里挑一 immediately searches the directory you selected for every archive that contains that file (or directory). (Highly recommended)
Cracking tools: SoftICE, HexWorkShop


************************************************************************************

This program uses keyfile protection, one key per machine. Cracking it really was a headache, and I have to applaud the author's clever design.
The clever part is that the place where the machine code gets converted plays hide and seek with you; it took me a full three days to find it ^>^&)(##(-=)
The machine code this program shows is made of uppercase letters, but when you trace it the usual way, at startup or when searching, it does verify the keyfile, yet even if you dig three feet down at the verification point you will never find a trace of the machine code, only an 8-digit numeric string. Where does that string come from? How does it relate to the machine code? If the two are related, where is the conversion done? That was my headache, and that is where the author was clever.
So where is the catch? Didn't expect this, did you? What follows is pure imagination on my part; any resemblance is coincidental :) The author has studied a fair number of keyfile cracking tutorials and knows the usual approach: first intercept the keyfile, check whether the file exists, then check its size, then check the individual bytes... So the author grinned and came up with a good idea: hide the machine code somewhere very obscure, display it to the user as letters, quietly convert it to digits in that hidden place, and let the numeric string appear directly in the calculation at the keyfile check, so that you are baffled by a number that seems to have popped out of a rock, while he pictures those poor crackers hunting for the machine code and laughs at his own cleverness...

Digits, digits... those damned digits... I searched... and searched... and finally found it! Disassemble the program, and under "string references" you find a numeric string...

* Possible StringData Ref from Data Obj ->"5842936071"  (made up of exactly the ten Arabic digits 0,1,2,3,4,5,6,7,8,9)

This piece of code looks lonely, like a small boat adrift in a sea of assembly. Look at its address: 0045XXXX, while the key verification is at 0046XXXX, so this sits right above it. Something is going on here!

Use HexWorkShop to create a fake as.key, set bpx findclose, and after the break press F5 once and F12 once (check that you have arrived at 004xxxxxx, i.e. in the program's own code), then bd *, then bpx 45F338. Press F5 to leave, then click the program's "About" and "Register" and it breaks immediately...
If you use TRW 2000, just set bpx 45F338 directly, because SoftICE can only set breakpoints like bpx 004XXXX once you are inside the program's own code.


* Possible StringData Ref from Data Obj ->"5842936071"
|
:0045F338 B8F4F34500 mov eax, 0045F3F4
:0045F33D 59 pop ecx
:0045F33E E8994AFAFF call 00403DDC
:0045F343 8B55F8 mov edx, dword ptr [ebp-08]
:0045F346 B8F4674600 mov eax, 004667F4
:0045F34B E89048FAFF call 00403BE0
:0045F350 B8F8674600 mov eax, 004667F8
:0045F355 E80246FAFF call 0040395C
:0045F35A A1F4674600 mov eax, dword ptr [004667F4] // address of the numeric machine code in memory -> eax
:0045F35F E87448FAFF call 00403BD8 // get the length of the numeric machine code
:0045F364 8BD8 mov ebx, eax          // length -> ebx
:0045F366 85DB test ebx, ebx // check the length
:0045F368 7E44 jle 0045F3AE
:0045F36A BE01000000 mov esi, 00000001 // esi=1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045F3AC(C)
|
:0045F36F 8D45F8 lea eax, dword ptr [ebp-08]
:0045F372 50 push eax
:0045F373 8D45F8 lea eax, dword ptr [ebp-08]
:0045F376 8B15F4674600 mov edx, dword ptr [004667F4]
:0045F37C 8A5432FF mov dl, byte ptr [edx+esi-01] // fetch each character of the numeric machine code in turn
:0045F380 E87B47FAFF call 00403B00
:0045F385 8B45F8 mov eax, dword ptr [ebp-08]
:0045F388 E8D77DFAFF call 00407164
:0045F38D 8BD0 mov edx, eax
:0045F38F 42 inc edx
:0045F390 B901000000 mov ecx, 00000001
:0045F395 8B45FC mov eax, dword ptr [ebp-04] // address of the table "EWARKTHNYS" -> eax
:0045F398 E83F4AFAFF call 00403DDC  // read the table "EWARKTHNYS"
:0045F39D 8B55F8 mov edx, dword ptr [ebp-08] // address of one character of the table -> edx
:0045F3A0 B8F8674600 mov eax, 004667F8
:0045F3A5 E83648FAFF call 00403BE0 // read the table character that corresponds to the digit above
:0045F3AA 46 inc esi
:0045F3AB 4B dec ebx
:0045F3AC 75C1 jne 0045F36F // loop until all characters are consumed

What does this code do? Between your pressing "Register" and the letter-form machine code appearing, the program converts the numeric machine code in memory into letters by table lookup, so what everyone sees is a 10-character letter machine code. That is why, when tracing, we could never find the letter machine code we saw with our own eyes. Brilliant!! A clever design!!!

*************************************************************************************

The fight continues...

Now set bpx findclose, run the program again, and after the break press F5 once and F12 three times (note: when you press F5 the program may not have actually read the file yet, so you may need to press F5 a few more times). You arrive here...


* Possible StringData Ref from Data Obj ->"as.key"
|
:00463CEA BAFC3E4600 mov edx, 00463EFC
:00463CEF E8ECFEF9FF call 00403BE0
:00463CF4 8B45F0 mov eax, dword ptr [ebp-10]
:00463CF7 E8B036FAFF call 004073AC
:00463CFC 84C0 test al, al // stops here
:00463CFE 0F842A010000 je 00463E2E
:00463D04 B201 mov dl, 01

* Possible StringData Ref from Data Obj ->""
|
:00463D06 A178F84200 mov eax, dword ptr [0042F878]
:00463D0B E8C4BBFCFF call 0042F8D4
:00463D10 80780400 cmp byte ptr [eax+04], 00
:00463D14 740E je 00463D24
:00463D16 8B5808 mov ebx, dword ptr [eax+08]
:00463D19 03580C add ebx, dword ptr [eax+0C]
:00463D1C 035810 add ebx, dword ptr [eax+10]
:00463D1F 035814 add ebx, dword ptr [eax+14]
:00463D22 EB05 jmp 00463D29

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463D14(C)
|
:00463D24 BB54442601 mov ebx, 01264454

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463D22(U)
|
:00463D29 E81AF1F9FF call 00402E48
:00463D2E 8D55F0 lea edx, dword ptr [ebp-10]
:00463D31 8BC3 mov eax, ebx
:00463D33 E8FC33FAFF call 00407134
:00463D38 8B55F0 mov edx, dword ptr [ebp-10]
:00463D3B B830684600 mov eax, 00466830
:00463D40 E86BFCF9FF call 004039B0
:00463D45 8D55EC lea edx, dword ptr [ebp-14]
:00463D48 33C0 xor eax, eax
:00463D4A E805ECF9FF call 00402954
:00463D4F 8B45EC mov eax, dword ptr [ebp-14]
:00463D52 8D55F0 lea edx, dword ptr [ebp-10]
:00463D55 E80238FAFF call 0040755C
:00463D5A 8D45F0 lea eax, dword ptr [ebp-10]

* Possible StringData Ref from Data Obj ->"as.key"
|
:00463D5D BAFC3E4600 mov edx, 00463EFC
:00463D62 E879FEF9FF call 00403BE0
:00463D67 8B55F0 mov edx, dword ptr [ebp-10]
:00463D6A B840684600 mov eax, 00466840
:00463D6F E83211FAFF call 00404EA6
:00463D74 B840684600 mov eax, 00466840
:00463D79 E84D13FAFF call 004050CB
:00463D7E BA34684600 mov edx, 00466834
:00463D83 B840684600 mov eax, 00466840
:00463D88 E8AB01FAFF call 00403F38
:00463D8D B840684600 mov eax, 00466840
:00463D92 E8B111FAFF call 00404F48
:00463D97 6834684600 push 00466834
:00463D9C A130684600 mov eax, dword ptr [00466830] // address of the numeric machine code -> eax (note: the numeric machine code originally has 10 digits, but here the first and last have already been stripped, leaving 8. I was lazy and did not trace that part)
:00463DA1 E832FEF9FF call 00403BD8 // get its length
:00463DA6 8BC8 mov ecx, eax          // length -> ecx
:00463DA8 C1E103 shl ecx, 03 // shift left by 3, i.e. ecx=0x40 (0x40 is actually the length of the key data being verified)
:00463DAB BABE070000 mov edx, 000007BE // edx=0x7BE (0x7BE is actually the start position of the key data, i.e. the offset)
:00463DB0 A134684600 mov eax, dword ptr [00466834]
:00463DB5 E82200FAFF call 00403DDC
:00463DBA A130684600 mov eax, dword ptr [00466830]
:00463DBF E814FEF9FF call 00403BD8
:00463DC4 8BD8 mov ebx, eax
:00463DC6 85DB test ebx, ebx
:00463DC8 7E49 jle 00463E13
:00463DCA BE01000000 mov esi, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463E11(C)
|
:00463DCF 8D45F0 lea eax, dword ptr [ebp-10]
:00463DD2 50 push eax
:00463DD3 8D45F0 lea eax, dword ptr [ebp-10]
:00463DD6 8B1530684600 mov edx, dword ptr [00466830] // address of the 8-digit numeric machine code -> edx
:00463DDC 8A5432FF mov dl, byte ptr [edx+esi-01] // fetch each of its characters in turn
:00463DE0 E81BFDF9FF call 00403B00
:00463DE5 8B45F0 mov eax, dword ptr [ebp-10]
:00463DE8 E87733FAFF call 00407164
:00463DED 8BD0 mov edx, eax
:00463DEF C1E203 shl edx, 03
:00463DF2 42 inc edx
:00463DF3 B908000000 mov ecx, 00000008
:00463DF8 A13C684600 mov eax, dword ptr [0046683C] // address of the table (see the summary) -> eax
:00463DFD E8DAFFF9FF call 00403DDC
:00463E02 8B55F0 mov edx, dword ptr [ebp-10] // address of the table entry (digit string) matching the character above -> edx
:00463E05 B838684600 mov eax, 00466838 // read the digit string in the table that corresponds to the machine code
:00463E0A E8D1FDF9FF call 00403BE0
:00463E0F 46 inc esi
:00463E10 4B dec ebx
:00463E11 75BC jne 00463DCF         // forms the loop

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463DC8(C)
|
:00463E13 8B1534684600 mov edx, dword ptr [00466834] // address of the candidate key data (from the file) -> edx
:00463E19 A138684600 mov eax, dword ptr [00466838] // address of the real key data -> eax
:00463E1E E84100FAFF call 00403E64 // compare real against fake?
:00463E23 8B15E84F4600 mov edx, dword ptr [00464FE8]
:00463E29 8B12 mov edx, dword ptr [edx]
:00463E2B 89420C mov dword ptr [edx+0C], eax

*********************************************************************************************

The analysis above is rather hard to follow, so let me work through a concrete example instead:

The program contains a table mapping digits to letters, as follows:

Letter: E W A R K T H N Y S
Digit:  0 1 2 3 4 5 6 7 8 9

My machine code is YWSAYTENHN, which converts to the digits 8192850767; dropping the first and last digit leaves 19285076.
Each of those 8 digits is then looked up in a second table:

01101100111011010011000010101100010011011010010101110101011001010010001110110101

It is 80 characters long, and each digit of the numeric machine code corresponds to a run of 8 consecutive characters in it. In other words, it is divided evenly into 8-character segments which correspond, in order, to 0,1,2,3,4,5,6,7,8,9:

0 maps to 01101100
1 maps to 11101101
2 maps to 00110000
3 maps to 10101100
4 maps to 01001101
5 maps to 10100101
6 maps to 01110101
7 maps to 01100101
8 maps to 00100011
9 maps to 10110101

Looking up 19285076 digit by digit and replacing each digit with its table entry gives

1110110110110101001100000010001110100101011011000110010101110101

This data starts at position 0x7BE of as.key (the offset loaded into edx above), so as.key must be at least 0x7BD+0x40=0x7FD bytes long; bytes 0 - 0x7BD and everything after 0x7FD are not verified.
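The keyfile check as reconstructed from the listings above, re-implemented in Python as an added example (not the program's own code): the middle eight digits are expanded through the second table and compared against the 0x40 bytes at file offset 0x7BD (the text's 1-based position 0x7BE). The sample as.key is built from the hex dump that follows in the text; table contents and offsets come from the page, the function names are mine. It also makes the design weakness explicit: the expected bytes are a pure function of two tables embedded in the binary, so the check relies on no secret at all.

```python
# Added example: the as.key check reconstructed from the listings above.
# Table contents and offsets are taken from the page; names are my own.
LETTER_TABLE = "EWARKTHNYS"      # letter at index i represents digit i
BIT_TABLE = ("01101100" "11101101" "00110000" "10101100" "01001101"
             "10100101" "01110101" "01100101" "00100011" "10110101")
KEY_OFFSET = 0x7BD               # 0-based file offset (the text's 1-based 0x7BE)
KEY_LEN = 0x40                   # 8 digits * 8 chars (the shl ecx, 3 in the listing)

# Constructed sample: the last four lines of the page's hex dump, preceded by
# 0x7B0 bytes of 0x99 filler, which reproduces the 0x7FD-byte file shown there.
TAIL_HEX = ("9999 9999 9999 9999 9999 9999 9931 3131 3031 3130 3131 3031 "
            "3130 3130 3130 3031 3130 3030 3030 3031 3030 3031 3131 3031 "
            "3030 3130 3130 3131 3031 3130 3030 3131 3030 3130 3130 3131 "
            "3130 3130 31")
SAMPLE_KEYFILE = bytes([0x99]) * 0x7B0 + bytes.fromhex(TAIL_HEX)


def letters_to_digits(machine_code: str) -> str:
    """First table: 'YWSAYTENHN' -> '8192850767'."""
    return "".join(str(LETTER_TABLE.index(c)) for c in machine_code)


def expected_key_block(machine_code: str) -> str:
    """Drop the first and last digit, then expand each digit to its 8-char group."""
    digits = letters_to_digits(machine_code)[1:-1]
    return "".join(BIT_TABLE[8 * int(d):8 * int(d) + 8] for d in digits)


def verify_keyfile(data: bytes, machine_code: str) -> bool:
    """The check at 00463D9C-00463E1E: size, then compare 0x40 bytes at the offset."""
    if len(machine_code) != 10 or any(c not in LETTER_TABLE for c in machine_code):
        return False
    if len(data) < KEY_OFFSET + KEY_LEN:      # file too short: nothing to compare
        return False
    candidate = data[KEY_OFFSET:KEY_OFFSET + KEY_LEN]
    # Everything outside [0x7BD, 0x7FD) is ignored, exactly as the text says.
    return candidate == expected_key_block(machine_code).encode("ascii")


if __name__ == "__main__":
    print(verify_keyfile(SAMPLE_KEYFILE, "YWSAYTENHN"))   # True
    print(verify_keyfile(SAMPLE_KEYFILE, "EEEEEEEEEE"))   # False
```

Because `expected_key_block` is computable from the binary's own tables, a protection of this shape cannot distinguish a vendor-issued key from one derived on the client; a verifiable design needs something the client cannot compute, such as a signature over the machine code.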

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

When my machine code is YWSAYTENHN, use HexWorkShop to build an as.key like the one shown below, put it in the program's directory, and registration succeeds!

00000000 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000018 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000030 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000048 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000060 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000078 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000090 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000000A8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000000C0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000000D8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000000F0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000108 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000120 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000138 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000150 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000168 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000180 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000198 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000001B0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000001C8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000001E0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000001F8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000210 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000228 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000240 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000258 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000270 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000288 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000002A0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000002B8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000002D0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000002E8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000300 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000318 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000330 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000348 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000360 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000378 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000390 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000003A8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000003C0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000003D8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000003F0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000408 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000420 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000438 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000450 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000468 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000480 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000498 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000004B0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000004C8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000004E0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000004F8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000510 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000528 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000540 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000558 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000570 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000588 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000005A0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000005B8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000005D0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000005E8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000600 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000618 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000630 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000648 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000660 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000678 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000690 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000006A8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000006C0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000006D8 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000006F0 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000708 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000720 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000738 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000750 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000768 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000780 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
00000798 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 9999 ........................
000007B0 9999 9999 9999 9999 9999 9999 9931 3131 3031 3130 3131 3031 .............11101101101
000007C8 3130 3130 3130 3031 3130 3030 3030 3031 3030 3031 3131 3031 101010011000000100011101
000007E0 3030 3130 3130 3131 3031 3130 3030 3131 3030 3130 3130 3131 001010110110001100101011
000007F8 3130 3130 31 10101


