Software introduction and registration: [url=http://bbs.7softs.com/read.php?tid=30910]http://bbs.7softs.com/read.php?tid=30910[/url]
This program is written in Delphi, Borland Delphi 6.0 – 7.0.
No packer; both finding the serial and patching the check are easy. The only reason I'm writing this up is the program's registration scheme: the serial is not stored in plaintext, yet the check is no different from a plaintext comparison!
Let's trace it first. To begin, I used a PEiD plugin to get a rough idea of which algorithms are present:
BASE64 table :: 000AF910 :: 004B0510
BASE64 table :: 0015AF04 :: 0055BB04
MD5 :: 000CEBF5 :: 004CF7F5
RIJNDAEL [S] [long] :: 00159BDC :: 0055A7DC
RIJNDAEL [S-inv] [long] :: 0015A3DC :: 0055AFDC
{Big number} :: 000D2350 :: 004D2F50
{Big number} :: 000D2EBC :: 004D3ABC
{Big number} :: 000D3EAC :: 004D4AAC
{Big number} :: 000D9EC8 :: 004DAAC8
Quite a few, but once we've traced it we'll see that the real check only uses MD5, and an unmodified MD5 at that, heh!
Following the prompt, enter our fake serial: 11111111111111112222222222222222@333333333333
That is, '@' is the separator, with 32 characters before it and 12 after!!
Using the F12 stack-pause method, we quickly find the key location:
004D376F |. 8BC3 mov eax,ebx
004D3771 |. E8 C66CFBFF call RegGeniu.0048A43C
004D3776 |. EB 68 jmp short RegGeniu.004D37E0
004D3778 |> 33D2 xor edx,edx
004D377A |. 8B83 3403000>mov eax,dword ptr ds:[ebx+334]
004D3780 |. E8 5398F9FF call RegGeniu.0046CFD8
004D3785 |. 6A 30 push 30
004D3787 |. B9 4C384D00 mov ecx,RegGeniu.004D384C ; ASCII "Registry Genius"
004D378C |. BA 5C384D00 mov edx,RegGeniu.004D385C ; ASCII "Invalid Serial Number!
Please contact us to correct it..."
004D3791 |. A1 28C45500 mov eax,dword ptr ds:[55C428]
004D3796 |. 8B00 mov eax,dword ptr ds:[eax]
004D3798 |. E8 FFA5FBFF call RegGeniu.0048DD9C
004D379D |. 8B83 1003000>mov eax,dword ptr ds:[ebx+310]
004D37A3 |. 8B10 mov edx,dword ptr ds:[eax]
004D37A5 |. FF92 C400000>call dword ptr ds:[edx+C4]
004D37AB |. EB 33 jmp short RegGeniu.004D37E0
004D37AD |> 33D2 xor edx,edx
004D37AF |. 8B83 3403000>mov eax,dword ptr ds:[ebx+334]
004D37B5 |. E8 1E98F9FF call RegGeniu.0046CFD8
004D37BA |. 6A 30 push 30
004D37BC |. B9 4C384D00 mov ecx,RegGeniu.004D384C ; ASCII "Registry Genius"
004D37C1 |. BA 5C384D00 mov edx,RegGeniu.004D385C ; ASCII "Invalid Serial Number!
Please contact us to correct it..."
Select this line: 004D3778 |> 33D2 xor edx,edx
then right-click in the hint window, which takes us to:
004D36F9 |. 8B83 3403000>mov eax,dword ptr ds:[ebx+334]
004D36FF |. E8 D498F9FF call RegGeniu.0046CFD8
004D3704 |. 8B83 3403000>mov eax,dword ptr ds:[ebx+334]
004D370A |. 8B10 mov edx,dword ptr ds:[eax]
004D370C |. FF92 8800000>call dword ptr ds:[edx+88]
004D3712 |. 8D45 CC lea eax,dword ptr ss:[ebp-34]
004D3715 |. 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
004D3718 |. 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004D371B |. E8 5414F3FF call RegGeniu.00404B74
004D3720 |. 8B45 CC mov eax,dword ptr ss:[ebp-34]
004D3723 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004D3726 |. E8 C9C9FFFF call RegGeniu.004D00F4
004D372B |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004D372E |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
004D3731 |. E8 3E15F3FF call RegGeniu.00404C74
004D3736 |. 75 40 jnz short RegGeniu.004D3778
As for the error message at 004D37AD, that's where it jumps when the serial's format is wrong, heh! A little analysis and you'll see it for yourselves!!
OK, set a breakpoint with F2 at 004D36F9, register again, and it breaks. Take a look at the stack:
0012F22C 00D8BFE4 ASCII "333333333333"
0012F230 00D8BF84 ASCII "11111111111111112222222222222222"
Heh, here the two parts of the serial have already been split at the '@' boundary! OK, let's single-step and see what changes!
Execute to:
004D371B |. E8 5414F3FF call RegGeniu.00404B74
004D3720 |. 8B45 CC mov eax,dword ptr ss:[ebp-34]
Heh, something new, and it's simple: the second part has been concatenated with '@', giving:
0012F224 00D84D0C ASCII "333333333333@"
Continue single-stepping to:
004D3731 |. E8 3E15F3FF call RegGeniu.00404C74
Look at the register values:
EAX 00D84D28 ASCII "6ae38c2c9caee13bd9bd57de99671bec"
ECX 00000001
EDX 00D84CDC ASCII "11111111111111112222222222222222"
Hmm, where does the value in EAX come from???
Take an algorithm analysis helper tool, combine it with the analysis result above, and compute:
Huh?? The MD5 of 333333333333@ is exactly the value in EAX????
Unbelievable! It's that simple. Analyze a bit further and it turns out the serial can be even freer than that; heh, I'll leave that for you to try yourselves!
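As an added illustration written for this write-up (not the program's own code), here is the check described above in Python, placed next to a keyed alternative; the vendor key, the HMAC design and the helper names are assumptions, not anything found in the binary:

```python
import hashlib
import hmac

SEP = "@"
DIGEST_LEN = 32   # hex length of MD5, the part before '@'
SUFFIX_LEN = 12   # length of the part after '@' in the post's fake serial


def split_serial(serial: str):
    """Split '<32 chars>@<12 chars>' as seen on the stack at 004D36F9.
    Returns (first_part, suffix), or None on a format error (the post notes
    a separate error path at 004D37AD for malformed input)."""
    if serial.count(SEP) != 1:
        return None
    first, suffix = serial.split(SEP)
    if len(first) != DIGEST_LEN or len(suffix) != SUFFIX_LEN:
        return None
    return first, suffix


def weak_verify(serial: str) -> bool:
    """The check the post reverses: first part == MD5(suffix + '@').
    Everything the hash covers is typed in by the user, so the hash carries
    no secret and the scheme is equivalent to a plaintext comparison."""
    parts = split_serial(serial)
    if parts is None:
        return False
    first, suffix = parts
    expected = hashlib.md5((suffix + SEP).encode()).hexdigest()
    return hmac.compare_digest(first.lower(), expected)


def serial_from_page_scheme(suffix: str) -> str:
    """What the post's finding implies: any 12-char suffix yields a passing serial."""
    return hashlib.md5((suffix + SEP).encode()).hexdigest() + SEP + suffix


# Assumed hardened design: the tag is an HMAC over the suffix under a key held
# only by the vendor's issuer (e.g. a server-side check). A key embedded in the
# client binary would be recoverable the same way; an offline check should ship
# only a public key and verify a signature instead.
def issue_serial(vendor_key: bytes, suffix: str) -> str:
    tag = hmac.new(vendor_key, (suffix + SEP).encode(), hashlib.sha256).hexdigest()
    return tag[:DIGEST_LEN] + SEP + suffix


def strong_verify(vendor_key: bytes, serial: str) -> bool:
    parts = split_serial(serial)
    if parts is None:
        return False
    first, suffix = parts
    tag = hmac.new(vendor_key, (suffix + SEP).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(first.lower(), tag[:DIGEST_LEN])
```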