MouseStar V3.01注册算法分析
-
===================Open Cracking Group========================
=
= MouseStar V3.01注册算法分析
=
= ssljx/OCG
= http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi
=
===================Open Cracking Group========================
:0047A051 E81E24FBFF call 0042C474
:0047A056 8B45E4 mov eax, dword ptr [ebp-1C]
:0047A059 8D55F8 lea edx, dword ptr [ebp-08]
:0047A05C E843DEF8FF call 00407EA4
:0047A061 8D4DFC lea ecx, dword ptr [ebp-04]
:0047A064 8B55F8 mov edx, dword ptr [ebp-08]
:0047A067 8BC3 mov eax, ebx
:0047A069 E87EFEFFFF call 00479EEC<=========计算注册码
==============================SUB 00479EEC============================
:00479EEC 55 push ebp
:00479EED 8BEC mov ebp, esp
: :
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00479ED6(C)
|
:00479F19 8D55E4 lea edx, dword ptr [ebp-1C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00479EB9(C)
|
:00479F1C 8B45FC mov eax, dword ptr [ebp-04]
:00479F1F E880DFF8FF call 00407EA4======>去掉注册名最后空格
:00479F24 8B45E4 mov eax, dword ptr [ebp-1C]
:00479F27 8D55E8 lea edx, dword ptr [ebp-18]
:00479F2A E865DDF8FF call 00407C94======>将注册名全部转换成大写字母
:00479F2F 8B55E8 mov edx, dword ptr [ebp-18]
:00479F32 8D45F8 lea eax, dword ptr [ebp-08]
* Possible StringData Ref from Code Obj ->"delphi"
|
:00479F35 B9A89F4700 mov ecx, 00479FA8
:00479F3A E8E59DF8FF call 00403D24======>大写的注册名+'delphi'
:00479F3F 8D45F4 lea eax, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"MagicUtils"
|
:00479F42 BAB89F4700 mov edx, 00479FB8
:00479F47 E8A49BF8FF call 00403AF0
:00479F4C 8D45F0 lea eax, dword ptr [ebp-10]
* Possible StringData Ref from Code Obj ->"zhiyuan"
|
:00479F4F BACC9F4700 mov edx, 00479FCC
:00479F54 E8979BF8FF call 00403AF0
:00479F59 8D45EC lea eax, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->"3.0"
|
:00479F5C BADC9F4700 mov edx, 00479FDC
:00479F61 E88A9BF8FF call 00403AF0
:00479F66 8B45EC mov eax, dword ptr [ebp-14]==>'3.0'
:00479F69 50 push eax
:00479F6A 53 push ebx
:00479F6B 8B4DF0 mov ecx, dword ptr [ebp-10]==>'zhiyuan'
:00479F6E 8B55F4 mov edx, dword ptr [ebp-0C]==>'MagicUtils'
:00479F71 8B45F8 mov eax, dword ptr [ebp-08]==>UpperCase(Name)+'delphi'
:00479F74 E883A7FFFF call 004746FC======>进行计算
===============================SUB 004746FC===========================
:004746FC 55 push ebp
: :
:00474751 50 push eax
:00474752 8D45EC lea eax, dword ptr [ebp-14]
:00474755 50 push eax
:00474756 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00474759 8B55F8 mov edx, dword ptr [ebp-08]
:0047475C 8B45FC mov eax, dword ptr [ebp-04]
:0047475F E880FDFFFF call 004744E4==>产生后面十位字符串
================================SUB 004744E4=======================================
:004744E4 55 push ebp
:004744E5 8BEC mov ebp, esp
:004744E7 83C4E8 add esp, FFFFFFE8
:: ::
:00474522 689F454700 push 0047459F
:00474527 64FF30 push dword ptr fs:[eax]
:0047452A 648920 mov dword ptr fs:[eax], esp
:0047452D 33D2 xor edx, edx
:0047452F 8B450C mov eax, dword ptr [ebp+0C]
:00474532 E8993BF9FF call 004080D0
:00474537 8BD0 mov edx, eax
:00474539 8D4DF0 lea ecx, dword ptr [ebp-10]
:0047453C B8B0454700 mov eax, 004745B0
:00474541 E86E000000 call 004745B4
:00474546 8B45F4 mov eax, dword ptr [ebp-0C]
:00474549 E84EF9F8FF call 00403E9C
:0047454E 8D4DEC lea ecx, dword ptr [ebp-14]//'zhiyuan'
:00474551 33D2 xor edx, edx
:00474553 E85C000000 call 004745B4
========================SUB 004745B4=================================
:004745B4 55 push ebp
:004745B5 8BEC mov ebp, esp
:004745B7 83C4EC add esp, FFFFFFEC
:004745BA 53 push ebx
:004745BB 56 push esi
:004745BC 57 push edi
:004745BD 33DB xor ebx, ebx
:004745BF 895DEC mov dword ptr [ebp-14], ebx
:004745C2 895DF0 mov dword ptr [ebp-10], ebx
:004745C5 894DF8 mov dword ptr [ebp-08], ecx
:004745C8 8BF2 mov esi, edx
:004745CA 8945FC mov dword ptr [ebp-04], eax
:004745CD 33C0 xor eax, eax
:004745CF 55 push ebp
:004745D0 68EE464700 push 004746EE
:004745D5 64FF30 push dword ptr fs:[eax]
:004745D8 648920 mov dword ptr fs:[eax], esp
:004745DB 8D45F0 lea eax, dword ptr [ebp-10]
:004745DE 8B55FC mov edx, dword ptr [ebp-04]
:004745E1 E82AF6F8FF call 00403C10
:004745E6 8B45F0 mov eax, dword ptr [ebp-10]
:004745E9 E8EAF6F8FF call 00403CD8
:004745EE 8BD8 mov ebx, eax
:004745F0 85DB test ebx, ebx
:004745F2 7513 jne 00474607
:004745F4 8935F8E94700 mov dword ptr [0047E9F8], esi
:004745FA 6BC664 imul eax, esi, 00000064
:004745FD A3FCE94700 mov dword ptr [0047E9FC], eax
:00474602 E9CC000000 jmp 004746D3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004745F2(C)
|
:00474607 8B45F8 mov eax, dword ptr [ebp-08]
:0047460A E849F4F8FF call 00403A58
:0047460F 8BFB mov edi, ebx
:00474611 4F dec edi
:00474612 85FF test edi, edi
:00474614 0F8CB9000000 jl 004746D3
:0047461A 47 inc edi
:0047461B 33F6 xor esi, esi
===============================================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004746CD(C)
|
:0047461D 8B45FC mov eax, dword ptr [ebp-04]
:00474620 8A0430 mov al, byte ptr [eax+esi]
:00474623 3C20 cmp al, 20---------\
:00474625 0F82A0000000 jb 004746CB 规定了注册名的范围
:0047462B 3C7E cmp al, 7E
:0047462D 0F8798000000 ja 004746CB--------/
:00474633 8B15F8E94700 mov edx, dword ptr [0047E9F8]
:00474639 81E2FFFFFF1F and edx, 1FFFFFFF
:0047463F 8B0DF8E94700 mov ecx, dword ptr [0047E9F8]
:00474645 C1E91D shr ecx, 1D
:00474648 83E131 and ecx, 00000031
:0047464B 33D1 xor edx, ecx
:0047464D 8915F8E94700 mov dword ptr [0047E9F8], edx
:00474653 8845F7 mov byte ptr [ebp-09], al
:00474656 A1F8E94700 mov eax, dword ptr [0047E9F8]
:0047465B B95F000000 mov ecx, 0000005F
:00474660 99 cdq
:00474661 F7F9 idiv ecx
:00474663 33D2 xor edx, edx
:00474665 8A55F7 mov dl, byte ptr [ebp-09]
:00474668 83EA20 sub edx, 00000020
:0047466B 2BC2 sub eax, edx
:0047466D E832FEFFFF call 004744A4
:00474672 8BD8 mov ebx, eax
:00474674 80C320 add bl, 20
:00474677 FF05FCE94700 inc dword ptr [0047E9FC]
:0047467D 813DFCE9470079510000 cmp dword ptr [0047E9FC], 00005179
:00474687 7C07 jl 00474690
:00474689 33C0 xor eax, eax
:0047468B A3FCE94700 mov dword ptr [0047E9FC], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474687(C)
|
:00474690 8A45F7 mov al, byte ptr [ebp-09]
:00474693 32C3 xor al, bl
:00474695 25FF000000 and eax, 000000FF
:0047469A 8B15F8E94700 mov edx, dword ptr [0047E9F8]
:004746A0 0315F8E94700 add edx, dword ptr [0047E9F8]
:004746A6 03C2 add eax, edx
:004746A8 0305FCE94700 add eax, dword ptr [0047E9FC]
:004746AE A3F8E94700 mov dword ptr [0047E9F8], eax
:004746B3 8D45EC lea eax, dword ptr [ebp-14]
:004746B6 8BD3 mov edx, ebx
:004746B8 E843F5F8FF call 00403C00
:004746BD 8B55EC mov edx, dword ptr [ebp-14]
:004746C0 8B45F8 mov eax, dword ptr [ebp-08]
:004746C3 E818F6F8FF call 00403CE0//将ebx转化为字符,而产生字符串
:004746C8 8B45F8 mov eax, dword ptr [ebp-08]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00474625(C), :0047462D(C)
|
:004746CB 46 inc esi
:004746CC 4F dec edi
:004746CD 0F854AFFFFFF jne 0047461D
=========================================================================
Buf:=BBuf;====>[0047E9F8]
temp:=ttmp;===>[0047E9FC]
Lencode:=length(STrCode);
for index:=1 to Lencode do
begin
if (ord(STrCode[index])< $7e) and
(ord(STrCode[index]) > $20) then
begin
edx:=buf and $1fffffff;
ecx:=(Buf shr $1d) and $31;
edx:=edx xor ecx;
Buf:=edx;
eax:=Buf div $5f;
eax:=eax-(ord(STrCode[index])-$20);
eax:=CHAG(eax);
ebx:=eax+$20;
temp:=temp+1;
if index >= $5179 then temp:=0;
eax:=(ord(STrCode[index]) xor ebx ) and $000000ff;
eax:=eax+2*Buf;
eax:=eax+temp;
Buf:=eax;
STrpcode:=STrpcode+chr(ebx);
end;
end;
这个过程主要计算[0047E9F8],返回[0047E9F8],[0047E9FC]作为下次调用的参数
============================================================================
:: ::
:004746E0 8D45EC lea eax, dword ptr [ebp-14]
:004746E3 BA02000000 mov edx, 00000002
:004746E8 E88FF3F8FF call 00403A7C
:004746ED C3 ret
============================END 004745B4=====================================
:00474558 8B45FC mov eax, dword ptr [ebp-04]
:0047455B E83CF9F8FF call 00403E9C
:00474560 8D4DE8 lea ecx, dword ptr [ebp-18]//UpperCase(Name)+'delphi'
:00474563 33D2 xor edx, edx
:00474565 E84A000000 call 004745B4
:0047456A 8B45F8 mov eax, dword ptr [ebp-08]
:0047456D E82AF9F8FF call 00403E9C
:00474572 8B4D08 mov ecx, dword ptr [ebp+08]//'MagicUtils'
===========================================================================
这次调用产生的字符串将串到UpperCase(Name)+'delphi'+'MagicUtils'+'zhiyuan'+'3.0'后面,作为计算CRC32(不标准)的strName
===========================================================================
:00474575 33D2 xor edx, edx
:00474577 E838000000 call 004745B4
:0047457C 33C0 xor eax, eax
:0047457E 5A pop edx
==========================END 004744E4=======================================
:00474764 FF75EC push [ebp-14]
:00474767 8D45F0 lea eax, dword ptr [ebp-10]
:0047476A BA05000000 mov edx, 00000005
:0047476F E824F6F8FF call 00403D98
:00474774 8B5508 mov edx, dword ptr [ebp+08]
:00474777 8B45F0 mov eax, dword ptr [ebp-10]
:0047477A E831000000 call 004747B0====>计算CRC32(不标准)
========================SUB 00474B0(CRC32)==================================
:004747B0 55 push ebp
:004747B1 8BEC mov ebp, esp
:004747B3 83C4F4 add esp, FFFFFFF4
:004747B6 53 push ebx
:004747B7 56 push esi
:004747B8 33C9 xor ecx, ecx
:004747BA 894DF4 mov dword ptr [ebp-0C], ecx
:004747BD 8955F8 mov dword ptr [ebp-08], edx
:004747C0 8945FC mov dword ptr [ebp-04], eax
:004747C3 8B45FC mov eax, dword ptr [ebp-04]
:004747C6 E8C1F6F8FF call 00403E8C
:004747CB 33C0 xor eax, eax
:004747CD 55 push ebp
:004747CE 684F484700 push 0047484F
:004747D3 64FF30 push dword ptr fs:[eax]
:004747D6 648920 mov dword ptr fs:[eax], esp
:004747D9 33DB xor ebx, ebx
:004747DB 8B45FC mov eax, dword ptr [ebp-04]
:004747DE E8F5F4F8FF call 00403CD8
:004747E3 85C0 test eax, eax
:004747E5 7E2C jle 00474813
:004747E7 BE01000000 mov esi, 00000001
==============================CRC32===========================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00474811(C)
|
:004747EC 8B55FC mov edx, dword ptr [ebp-04]=====>strName
:004747EF 8A5432FF mov dl, byte ptr [edx+esi-01]===>ord(strName[edx+esi-01])
:004747F3 32D3 xor dl, bl======================>dl:=dl xor bl
:004747F5 81E2FF000000 and edx, 000000FF===============>edx:=edx and $000000ff
:004747FB 8B1495D0D54700 mov edx, dword ptr [4*edx+0047D5D0]==>码表数据固定[0-$FF]
:00474802 C1EB08 shr ebx, 08=====================>ebx:=ebx shr 8
:00474805 81E3FFFFFF00 and ebx, 00FFFFFF===============>ebx:=ebx and $00ffffff;
:0047480B 33D3 xor edx, ebx====================>edx:=edx xor ebx
:0047480D 8BDA mov ebx, edx====================>ebx:=edx
:0047480F 46 inc esi
:00474810 48 dec eax
:00474811 75D9 jne 004747EC
=========================================================
下面将刚才的结果转化成小写字母输出!!!!!!!!!
=========================================================
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004747E5(C)
|
:00474813 8BC3 mov eax, ebx
:00474815 33D2 xor edx, edx
:00474817 52 push edx
:00474818 50 push eax
:00474819 8D55F4 lea edx, dword ptr [ebp-0C]
:0047481C B808000000 mov eax, 00000008
:00474821 E82E38F9FF call 00408054
:00474826 8B45F4 mov eax, dword ptr [ebp-0C]
:00474829 8B55F8 mov edx, dword ptr [ebp-08]
:0047482C E89F34F9FF call 00407CD0
:00474831 33C0 xor eax, eax
:00474833 5A pop edx
===========================END SUB 00474B0(CRC32)========================
:0047477F 33C0 xor eax, eax
:00474781 5A pop edx
:00474782 59 pop ecx
:00474783 59 pop ecx
:00474784 648910 mov dword ptr fs:[eax], edx
:00474787 68A9474700 push 004747A9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004747A7(U)
|
:0047478C 8D45EC lea eax, dword ptr [ebp-14]
:0047478F BA05000000 mov edx, 00000005
:00474794 E8E3F2F8FF call 00403A7C
:00474799 8D450C lea eax, dword ptr [ebp+0C]
:0047479C E8B7F2F8FF call 00403A58
:004747A1 C3 ret
=======================================END 004746FC==============================
:00479F79 33C0 xor eax, eax
:00479F7B 5A pop edx
:00479F7C 59 pop ecx
:00479F7D 59 pop ecx
:00479F7E 648910 mov dword ptr fs:[eax], edx
:00479F81 689B9F4700 push 00479F9B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00479F99(U)
|
:00479F86 8D45E4 lea eax, dword ptr [ebp-1C]
:00479F89 BA07000000 mov edx, 00000007
:00479F8E E8E99AF8FF call 00403A7C
:00479F93 C3 ret
=================================END 00479EEC===================
:0047A06E 8D55E0 lea edx, dword ptr [ebp-20]
:0047A071 8B833C030000 mov eax, dword ptr [ebx+0000033C]
:0047A077 E8F823FBFF call 0042C474
:0047A07C 8B45E0 mov eax, dword ptr [ebp-20]<====输入的注册码
:0047A07F 8B55FC mov edx, dword ptr [ebp-04]<====真注册码
:0047A082 E8619DF8FF call 00403DE8<=========比较注册码
:0047A087 0F85B2000000 jne 0047A13F<==========关键转向
===============================算法总结=========================
1.将注册名转换成大写字母(UpperCase(Name))
2.将UpperCase(Name)+'delphi'和'MagicUtils'和'zhiyuan'分别进行计算出十位的字符串(str)
3.把UpperCase(Name)+'delphi'+'MagicUtils'+'zhiyuan'+'3.0'+str作为CRC32(不标准)的明文进行计算,得出注册码并以小写形式输出..
==============================算法分析完===========================
注册表的值:
HKCU\Software\MouseStar 3.0\enversion
===================Open Cracking Group========================
=
= MouseStar V3.01注册算法分析
=
= ssljx/OCG
= http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi
=
===================Open Cracking Group========================
相关视频
相关阅读 Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么
- 文章评论
-
热门文章
去除winrar注册框方法
最新文章
比特币病毒怎么破解 比去除winrar注册框方法
华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据人气排行 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程
查看所有0条评论>>