Advanced Emailer 2.1: Simple Registration Algorithm Analysis
Date: 2004/10/15 0:58:00  Source: compiled by this site  Author: 蓝点
Advanced Emailer 2.1 simple registration algorithm analysis + keygen source code (tc2)
Target: Advanced Emailer 2.1
Official homepage: http://www.emailarms.com/
Software description: appears to be a bulk (spam) mailing tool
Download: http://www.emailarms.com/downloads/zip/mailer.zip
Tools used: PEiD 0.8, Ollydbg
========================================================================
Notice: this article is purely for technical exchange and has no other purpose; when reprinting, credit the author and keep the article intact.
========================================================================
As I recall, someone on the forum once asked about this program (or another program from the same company), so I took a look while I was at it...
PEiD shows the main executable is not packed and is written in Delphi. Load the program in OD; a few exceptions may be raised along the way, press Shift+F9 to skip them. Enter the fake code 01234567890123 (14 characters):
(text after ; is Ollydbg's own analysis, text after // is my annotation; all values in this article are hexadecimal)
00508920 /$ 55 PUSH EBP //breakpoint
00508921 |. 8BEC MOV EBP,ESP
00508923 |. B9 05000000 MOV ECX,5
00508928 |> 6A 00 /PUSH 0
0050892A |. 6A 00 |PUSH 0
0050892C |. 49 |DEC ECX
0050892D |.^75 F9 \JNZ SHORT mailer.00508928
0050892F |. 51 PUSH ECX
00508930 |. 53 PUSH EBX
00508931 |. 56 PUSH ESI
00508932 |. 8BF0 MOV ESI,EAX
00508934 |. 33C0 XOR EAX,EAX
00508936 |. 55 PUSH EBP
00508937 |. 68 A18A5000 PUSH mailer.00508AA1
0050893C |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0050893F |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00508942 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00508945 |. 8B86 3C030000 MOV EAX,DWORD PTR DS:[ESI+33C]
0050894B |. E8 448FF4FF CALL mailer.00451894
00508950 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] //fetch the fake code
00508953 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00508956 |. E8 5D79FCFF CALL mailer.004D02B8
0050895B |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0050895E |. B8 54725400 MOV EAX,mailer.00547254
00508963 |. E8 28C1EFFF CALL mailer.00404A90
00508968 |. E8 93FDFFFF CALL mailer.00508700 //the key call
0050896D |. 8BD8 MOV EBX,EAX //ebx=eax
0050896F |. 84DB TEST BL,BL //bl=0?
00508971 |. 0F84 D8000000 JE mailer.00508A4F //bl=0 means failure
00508977 |. C686 5C030000 >MOV BYTE PTR DS:[ESI+35C],1
0050897E |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00508981 |. 50 PUSH EAX
00508982 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00508985 |. B8 B88A5000 MOV EAX,mailer.00508AB8 ; ASCII "B99E9DA78684BA9A97B78E"
0050898A |. E8 A186FCFF CALL mailer.004D1030
0050898F |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00508992 |. 50 PUSH EAX
00508993 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00508996 |. B8 D88A5000 MOV EAX,mailer.00508AD8 ; ASCII "BE828B999A8C9F88B1A0848E9F829E828B99B1A9BFA0BFBEB5"
0050899B |. E8 9086FCFF CALL mailer.004D1030
005089A0 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
005089A3 |. A1 5C725400 MOV EAX,DWORD PTR DS:[54725C]
005089A8 |. 59 POP ECX
005089A9 |. E8 CEF4FFFF CALL mailer.00507E7C
005089AE |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
005089B1 |. A1 54725400 MOV EAX,DWORD PTR DS:[547254]
005089B6 |. E8 D985FCFF CALL mailer.004D0F94
005089BB |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
005089BE |. 50 PUSH EAX
005089BF |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
005089C2 |. B8 148B5000 MOV EAX,mailer.00508B14 ; ASCII "AC9E95BC9F9BA9819D8EAB95"
005089C7 |. E8 6486FCFF CALL mailer.004D1030
005089CC |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
005089CF |. 50 PUSH EAX
005089D0 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
005089D3 |. B8 D88A5000 MOV EAX,mailer.00508AD8 ; ASCII "BE828B999A8C9F88B1A0848E9F829E828B99B1A9BFA0BFBEB5"
005089D8 |. E8 5386FCFF CALL mailer.004D1030
005089DD |. 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
005089E0 |. A1 5C725400 MOV EAX,DWORD PTR DS:[54725C]
005089E5 |. 59 POP ECX
005089E6 |. E8 D1F5FFFF CALL mailer.00507FBC
005089EB |. 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
005089EF |. 75 44 JNZ SHORT mailer.00508A35
005089F1 |. E8 7E2DF0FF CALL mailer.0040B774
005089F6 |. 83C4 F4 ADD ESP,-0C
005089F9 |. DB3C24 FSTP TBYTE PTR SS:[ESP] ; |
005089FC |. 9B WAIT ; |
005089FD |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24] ; |
00508A00 |. E8 9F24F0FF CALL mailer.0040AEA4 ; \mailer.0040AEA4
00508A05 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00508A08 |. 50 PUSH EAX
00508A09 |. 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
00508A0C |. B8 B88A5000 MOV EAX,mailer.00508AB8 ; ASCII "B99E9DA78684BA9A97B78E"
00508A11 |. E8 1A86FCFF CALL mailer.004D1030
00508A16 |. 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
00508A19 |. 50 PUSH EAX
00508A1A |. 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
00508A1D |. B8 D88A5000 MOV EAX,mailer.00508AD8 ; ASCII "BE828B999A8C9F88B1A0848E9F829E828B99B1A9BFA0BFBEB5"
00508A22 |. E8 0986FCFF CALL mailer.004D1030
00508A27 |. 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
00508A2A |. A1 5C725400 MOV EAX,DWORD PTR DS:[54725C]
00508A2F |. 59 POP ECX
00508A30 |. E8 87F5FFFF CALL mailer.00507FBC
00508A35 |> 6A 40 PUSH 40
00508A37 |. B9 308B5000 MOV ECX,mailer.00508B30 ; ASCII "Information"
00508A3C |. BA 3C8B5000 MOV EDX,mailer.00508B3C ; ASCII "Registration has been completed successfully!"
00508A41 |. A1 AC595400 MOV EAX,DWORD PTR DS:[5459AC]
00508A46 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00508A48 |. E8 B79DF6FF CALL mailer.00472804
00508A4D |. EB 22 JMP SHORT mailer.00508A71
00508A4F |> B8 54725400 MOV EAX,mailer.00547254
00508A54 |. E8 E3BFEFFF CALL mailer.00404A3C
00508A59 |. 6A 10 PUSH 10
00508A5B |. B9 6C8B5000 MOV ECX,mailer.00508B6C ; ASCII "Error"
00508A60 |. BA 748B5000 MOV EDX,mailer.00508B74 ; ASCII "Registration code is invalid!"
00508A65 |. A1 AC595400 MOV EAX,DWORD PTR DS:[5459AC]
00508A6A |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
00508A6C |. E8 939DF6FF CALL mailer.00472804
00508A71 |> 33C0 XOR EAX,EAX
00508A73 |. 5A POP EDX
00508A74 |. 59 POP ECX
00508A75 |. 59 POP ECX
00508A76 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00508A79 |. 68 A88A5000 PUSH mailer.00508AA8
00508A7E |> 8D45 D4 LEA EAX,DWORD PTR SS:[EBP-2C]
00508A81 |. BA 08000000 MOV EDX,8
00508A86 |. E8 D5BFEFFF CALL mailer.00404A60
00508A8B |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00508A8E |. E8 A9BFEFFF CALL mailer.00404A3C
00508A93 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00508A96 |. BA 02000000 MOV EDX,2
00508A9B |. E8 C0BFEFFF CALL mailer.00404A60
00508AA0 \. C3 RETN
------------------------------------------------------------------------
Step into the key call at 00508700:
00508700 /$ 53 PUSH EBX
00508701 |. 56 PUSH ESI
00508702 |. 57 PUSH EDI
00508703 |. BF 54725400 MOV EDI,mailer.00547254
00508708 |. 33F6 XOR ESI,ESI
0050870A |. 33DB XOR EBX,EBX
0050870C |. 8B07 MOV EAX,DWORD PTR DS:[EDI] //fetch the fake code
0050870E |. E8 E1C5EFFF CALL mailer.00404CF4 //length of the fake code
00508713 |. 83F8 0E CMP EAX,0E //is the entered registration code 14 characters long (0x0E = 14)?
00508716 |. 75 67 JNZ SHORT mailer.0050877F //if not, fail
00508718 |. 8B07 MOV EAX,DWORD PTR DS:[EDI] //fetch the fake code again
0050871A |. 8038 38 CMP BYTE PTR DS:[EAX],38 //take the first character and compare its ASCII value with 38 (i.e. '8')
0050871D |. 0F94C0 SETE AL
00508720 |. 83E0 7F AND EAX,7F //if this character matches, eax&7F=01
00508723 |. 03F0 ADD ESI,EAX //add eax to esi; same for the checks below
00508725 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
00508727 |. 8078 02 36 CMP BYTE PTR DS:[EAX+2],36 //is the character at offset 2 (the 3rd character) '6'?
0050872B |. 0F94C0 SETE AL
0050872E |. 83E0 7F AND EAX,7F
00508731 |. 03F0 ADD ESI,EAX
00508733 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
00508735 |. 8078 03 32 CMP BYTE PTR DS:[EAX+3],32 //is the character at offset 3 (the 4th character) '2'?
00508739 |. 0F94C0 SETE AL
0050873C |. 83E0 7F AND EAX,7F
0050873F |. 03F0 ADD ESI,EAX
00508741 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
00508743 |. 8078 04 37 CMP BYTE PTR DS:[EAX+4],37 //is the character at offset 4 (the 5th character) '7'?
00508747 |. 0F94C0 SETE AL
0050874A |. 83E0 7F AND EAX,7F
0050874D |. 03F0 ADD ESI,EAX
0050874F |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
00508751 |. 8078 07 39 CMP BYTE PTR DS:[EAX+7],39 //is the character at offset 7 (the 8th character) '9'?
00508755 |. 0F94C0 SETE AL
00508758 |. 83E0 7F AND EAX,7F
0050875B |. 03F0 ADD ESI,EAX
0050875D |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
0050875F |. 8078 08 34 CMP BYTE PTR DS:[EAX+8],34 //is the character at offset 8 (the 9th character) '4'?
00508763 |. 0F94C0 SETE AL
00508766 |. 83E0 7F AND EAX,7F
00508769 |. 03F0 ADD ESI,EAX
0050876B |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
0050876D |. 8078 0A 30 CMP BYTE PTR DS:[EAX+A],30 //is the character at offset 0xA (the 11th character) '0'?
00508771 |. 0F94C0 SETE AL
00508774 |. 83E0 7F AND EAX,7F
00508777 |. 03F0 ADD ESI,EAX //add eax to esi
00508779 |. 83FE 07 CMP ESI,7 //is esi equal to 7? Seven characters were compared above, so esi must be 7 for registration to succeed
0050877C |. 0F94C3 SETE BL //if esi=7, set bl to 1
0050877F |> 8BC3 MOV EAX,EBX //move ebx into eax (the return value)
00508781 |. 5F POP EDI
00508782 |. 5E POP ESI
00508783 |. 5B POP EBX
00508784 \. C3 RETN //return
Algorithm summary:
1. The registration code must be 14 characters long.
2. The registration code format is 8-627--94-0---, where "-" stands for any character (digits, letters, punctuation, etc.).
3. The strange long strings seen while debugging, which I first took for some kind of lookup table, turn out to play no part in the check.
This completes the analysis of the Advanced Emailer 2.1 registration algorithm. One usable registration code, picked at random: 80627009400000
Saved registration information:
After successful registration, the software adds the following values to the registry:
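To confirm the reading of the listing above, here is a C model of the routine at 00508700, added as an example for this page; it is not the program's code and not the tc2 keygen source named in the title (which does not appear on this page). The (offset, byte) pairs come from the seven CMP BYTE PTR [EAX+n],imm instructions, and the function follows the listing's control flow: the length test first, then the SETE/AND/ADD accumulation into ESI, then CMP ESI,7 / SETE BL. Running it against the fake code used during debugging and the sample code given above reproduces the two message boxes.

```c
#include <stdio.h>
#include <string.h>

/* Model of the check at 00508700 (added example, not the program's own code).
 * (offset, expected byte) pairs taken from the CMP BYTE PTR DS:[EAX+n],imm
 * instructions in the listing: +0 '8', +2 '6', +3 '2', +4 '7', +7 '9',
 * +8 '4', +0xA '0'. All other positions are never examined. */
static const struct { int offset; char expected; } checks[] = {
    {0x0, '8'}, {0x2, '6'}, {0x3, '2'}, {0x4, '7'},
    {0x7, '9'}, {0x8, '4'}, {0xA, '0'},
};

/* Returns 1 (BL=1) when the code is accepted, 0 otherwise. */
int check_code(const char *code)
{
    int esi = 0;                          /* match counter: XOR ESI,ESI */
    size_t i;

    if (strlen(code) != 0x0E)             /* CMP EAX,0E / JNZ -> BL stays 0 */
        return 0;

    for (i = 0; i < sizeof checks / sizeof checks[0]; i++)
        /* SETE AL ; AND EAX,7F ; ADD ESI,EAX */
        esi += (code[checks[i].offset] == checks[i].expected);

    return esi == 7;                      /* CMP ESI,7 ; SETE BL */
}

int main(void)
{
    /* The fake code entered while debugging, and the sample code from the article. */
    const char *inputs[] = { "01234567890123", "80627009400000" };
    size_t i;

    for (i = 0; i < 2; i++)
        printf("%s -> %s\n", inputs[i],
               check_code(inputs[i]) ? "Registration has been completed successfully!"
                                     : "Registration code is invalid!");
    return 0;
}
```

The model makes the weakness of the scheme explicit: acceptance depends only on seven fixed bytes that are immediates in the binary, so the check carries no per-user secret and is fully specified by a single static read of the routine. A licence check worth protecting keys the decision on something the binary does not contain (for example a signature over the user's name verified with an embedded public key), so that disassembling the validator reveals how a code is checked but not how one is made.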
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DRMRSX]
"AsxQrvDlpcFx"="D5C0DBDFDAC0C0D4D9C0DDC0C0C0"
"TspJkiWwzZc"="37752.8389992245"
Patching method:
00508774 |. 83E0 7F AND EAX,7F
00508777 |. 03F0 ADD ESI,EAX
00508779 |. 83FE 07 CMP ESI,7
change to:
00508774 BE 07000000 MOV ESI,7 //force esi to 7
00508779 83FE 07 CMP ESI,7
After this, any 14-character registration code registers successfully. I found that the jump for the length check cannot be changed; if it is, the program errors out.