自从发表了第一篇算法分析文章起,自己打心底上就喜欢上算法分析了,O(∩_∩)O哈哈~。
好了,今天继续分享一个简单的算法分析文章,虽然也是参考别人的文章,但是只学理论不去实践的话,永远都开不到东西,所以我选择了自己动手跟着别人的分析文章走,然后再结合自己的思路来进行分析,写注册机。
本文参考文章:http://blog.sina.com.cn/u/2295763487
【软件名称】: SecureExplore 3.3
【下载地址】:
http://www.onlinedown.net/soft/14419.htm
打开软件,输入以下内容点击注册后信息框提示信息
所以我们直接下信息框断点或者是搜索字符串进行快速定位关键破解地方。
100031A0
6A FF push -0x1 ; 注册按钮
100031A2
68 517D0110 push LicenseD.10017D51
100031A7
64:A1 00000000 mov eax,dword ptr fs:[0]
100031AD
50 push eax
100031AE
64:8925 0000000>mov dword ptr fs:[0],esp
100031B5
81EC 28010000 sub esp,0x128
100031BB
A1 B8E50110 mov eax,dword ptr ds:[0x1001E5B8]
100031C0
53 push ebx
100031C1
55 push ebp
100031C2
56 push esi ;
LicenseD.10019498
100031C3
57 push edi
100031C4
8BE9 mov ebp,ecx
100031C6
894424 10 mov dword ptr ss:[esp+0x10],eax
100031CA
33F6 xor esi,esi ;
LicenseD.10019498
100031CC
894424 18 mov dword ptr ss:[esp+0x18],eax
100031D0
89B424 40010000 mov dword ptr ss:[esp+0x140],esi ;
LicenseD.10019498
100031D7
894424 14 mov dword ptr ss:[esp+0x14],eax
100031DB
8D9D 94020000 lea ebx,dword ptr ss:[ebp+0x294]
100031E1
8D4424 38 lea eax,dword ptr ss:[esp+0x38]
100031E5
68 80000000 push 0x80
100031EA
50 push eax
100031EB
8BCB mov ecx,ebx
100031ED
C68424 48010000>mov byte ptr ss:[esp+0x148],0x2
100031F5
E8 90140100 call LicenseD.1001468A
100031FA
8D9424 B8000000 lea edx,dword ptr ss:[esp+0xB8] ;
获取用户名的长度
10003201
68 80000000 push 0x80
10003206
8D8D 58020000 lea ecx,dword ptr ss:[ebp+0x258]
1000320C
52 push edx
1000320D
E8 78140100 call LicenseD.1001468A ;
获取key的长度、
10003212
8D4424 38 lea eax,dword ptr ss:[esp+0x38] ; 用户名
10003216
8BCD mov ecx,ebp
10003218
50 push eax
10003219
E8 E2FEFFFF call LicenseD.10003100
1000321E
8D8C24 B8000000 lea ecx,dword ptr ss:[esp+0xB8] ; key
10003225
51 push ecx
10003226
8BCD mov ecx,ebp
10003228
E8 D3FEFFFF call LicenseD.10003100
1000322D
8D5424 38 lea edx,dword ptr ss:[esp+0x38] ;
uername
10003231
8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
10003235
52 push edx
10003236
E8 50E70000 call LicenseD.1001198B
1000323B
8D8424 B8000000 lea eax,dword ptr ss:[esp+0xB8] ; key
10003242
8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
10003246
50 push eax
我们来到这里
这段地方就是注册按钮事件
1000324C
8B45 74 mov eax,dword ptr ss:[ebp+0x74] ; SE unique Seed
0x0031
1000324F
8B4D 70 mov ecx,dword ptr ss:[ebp+0x70] ;
GlobeSoft
10003252
8B5424 10 mov edx,dword ptr ss:[esp+0x10] ;
username
10003256
50 push eax
10003257
51 push ecx
10003258
8D4C24 20 lea ecx,dword ptr ss:[esp+0x20]
1000325C
51 push ecx
1000325D
52 push edx
1000325E
897424 2C mov dword ptr ss:[esp+0x2C],esi
10003262
E8 89ECFFFF call LicenseD.10001EF0 ;
关键算法Call
10003267
83C4 10 add esp,0x10
1000326A
25 FF000000 and eax,0xFF
1000326F
8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
10003273
8BF8 mov edi,eax
10003275
68 FCE30110 push LicenseD.1001E3FC ; -MNM5
1000327A
E8 22CA0000 call LicenseD.1000FCA1 ; 检测用户名里是否包含
"-MNM5"
1000327F
83F8 FF cmp eax,-0x1 ; 返回用户名- -MNM5的长度
长度7
10003282
74 07 je short LicenseD.1000328B
10003284
BE 01000000 mov esi,0x1
10003289
EB 29 jmp short LicenseD.100032B4
1000328B
807C24 3E 2D cmp byte ptr ss:[esp+0x3E],0x2D
10003290
75 22 jnz short LicenseD.100032B4
10003292
8D85 F8000000 lea eax,dword ptr ss:[ebp+0xF8]
10003298
6A 02 push 0x2
1000329A
8D4C24 3C lea ecx,dword ptr ss:[esp+0x3C]
1000329E
50 push eax
1000329F
51 push ecx
100032A0
E8 FB190000 call LicenseD.10004CA0
100032A5
83C4 0C add esp,0xC
100032A8
85C0 test eax,eax
100032AA
75 08 jnz short LicenseD.100032B4
100032AC
C74424 1C 01000>mov dword ptr ss:[esp+0x1C],0x1
100032B4
85FF test edi,edi
100032B6
0F84 3F020000 je LicenseD.100034FB ;
检测是否注册成功
100032BC
8B5424 1C mov edx,dword ptr ss:[esp+0x1C]
100032C0
0BD6 or edx,esi
我们先单步调试下看看程序流程,通过看错误提示来进行定位关键算法call
我们可以看到标记为红色的判断跳转,这个跳转是跳到提示错误信息的地方,所以我们看到这跳转就大概知道算法call就在这个跳转的不远处。
100034FB
6A 40 push 0x40
100034FD
68 78E20110 push LicenseD.1001E278 ; Unsuccessful
Registration!
10003502
68 54E20110 push LicenseD.1001E254 ; Not a valid
License\nand/or Key!\n
10003507
8BCD mov ecx,ebp
10003509
E8 F1FF0000 call LicenseD.100134FF
1000350E
8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
10003512
C68424 40010000>mov byte ptr ss:[esp+0x140],0x1
1000351A
E8 15E40000 call LicenseD.10011934
1000351F
8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
10003523
C68424 40010000>mov byte ptr ss:[esp+0x140],0x0
1000352B
E8 04E40000 call LicenseD.10011934
10003530
8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
10003534
C78424 40010000>mov dword ptr ss:[esp+0x140],-0x1
1000353F
E8 F0E30000 call LicenseD.10011934
10003544
8B8C24 38010000 mov ecx,dword ptr ss:[esp+0x138]
1000354B
5F pop edi ;
0012E890
1000354C
5E pop esi ;
0012E890
1000354D
5D pop ebp ;
0012E890
1000354E
5B pop ebx ;
0012E890
1000354F
64:890D 0000000>mov dword ptr fs:[0],ecx
10003556
81C4 34010000 add esp,0x134
1000355C
C3 retn
然后经过几次调试,我们不难发现,10003262
这个地址为关键算法Call。
我们F7进call看看
10001EF0
8B4424 10 mov eax,dword ptr ss:[esp+0x10] ; SE unique Seed
0x0031
10001EF4
8B4C24 0C mov ecx,dword ptr ss:[esp+0xC] ;
GlobeSoft
10001EF8
8B5424 04 mov edx,dword ptr ss:[esp+0x4] ; 用户名
10001EFC
83EC 44 sub esp,0x44
10001EFF
50 push eax
10001F00
51 push ecx
10001F01
8D4424 28 lea eax,dword ptr ss:[esp+0x28]
10001F05
52 push edx
10001F06
50 push eax
10001F07
E8 54000000 call LicenseD.10001F60 ; 核心算法
计算出md5
上面贴出的代码,标记为红色的为关键
我们进入10001F07 E8
54000000 call LicenseD.10001F60 ; 核心算法 计算出md5
这个地址看看
10001FEA
8D4424 20 lea eax,dword ptr ss:[esp+0x20]
10001FEE
83E1 03 and ecx,0x3
10001FF1
50 push eax
10001FF2
F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
10001FF4
E8 D7F2FFFF call LicenseD.100012D0 ; 初始化MD5
10001FF9
8D7C24 7C lea edi,dword ptr ss:[esp+0x7C] ; GlobeSoftSE unique
Seed 0x0031Sendige
10001FFD
83C9 FF or ecx,-0x1
10002000
33C0 xor eax,eax
10002002
8D5424 24 lea edx,dword ptr ss:[esp+0x24]
10002006
F2:AE repne scas byte ptr es:[edi]
来到10001FF9
这个地址,我们看到[esp+0x7C]的数据是 GlobeSoftSE unique Seed 0x0031Sendige
所以可以看出,前面压入的这两个字符串
GlobeSoftSE unique Seed 0x0031 和我们输入的用户名进行合并
我在这里设str=GlobeSoftSE
unique Seed 0x0031
设
user_str=str+用户名=GlobeSoftSE
unique Seed 0x0031Sendige
1000200C 8D8C24 80000000
lea ecx,dword ptr ss:[esp+0x80] ; GlobeSoftSE unique Seed
0x0031Sendige
10002013 51
push ecx
压入user_str进行md5加密
10002014 52
push edx
10002015
E8 E6F2FFFF call LicenseD.10001300 ; MD5加密
1000201A 8D4424 30
lea eax,dword ptr ss:[esp+0x30]
1000201E 8D4C24 1C
lea ecx,dword ptr ss:[esp+0x1C]
10002022 50
push eax
10002023 51
push ecx
10002024
E8 87F3FFFF call LicenseD.100013B0 ; MD5加密
10002029 8B9C24 94020000
mov ebx,dword ptr ss:[esp+0x294]
10002030 83C4 18
add esp,0x18
10002033 33F6
xor esi,esi
10002035 8BFB
mov edi,ebx
10002037 33D2
xor edx,edx
10002039 8A5434 0C
mov dl,byte ptr ss:[esp+esi+0xC] ; DL逐位指向 MD5加密后的结果
1000203D 52
push edx
1000203E 68 2CE10110
push LicenseD.1001E12C ; %02x
10002043 57
push edi
10002044 E8 31280000
call LicenseD.1000487A ; 把内存中的MD5结果格式化为 小写字符串
10002049 83C4 0C
add esp,0xC ;
ebx=8f7ac38427990c023c056f39886bde08(user_str
MD5后的结果)
1000204C 46
inc esi
1000204D 83C7 02
add edi,0x2
10002050 83FE 10
cmp esi,0x10
10002053 ^ 7C E2 jl
short LicenseD.10002037
10002055 5F
pop edi ; 0012DC24
10002056 C643 20 00
mov byte ptr ds:[ebx+0x20],0x0
1000205A 5E
pop esi ; 0012DC24
1000205B 5B
pop ebx ; 0012DC24
1000205C 81C4 6C020000
add esp,0x26C
10002062 C3
retn
这段代码其实就是将user_str
MD5加密 我在这里设user_str md5 =str_md5
然后我们单步出来后来到这里
10001F0C
0FBE4C24 4E movsx ecx,byte ptr ss:[esp+0x4E] ;
md5数据的第31位
10001F11
0FBE5424 38 movsx edx,byte ptr ss:[esp+0x38] ;
md5数据的第第9位
10001F16
0FBE4424 36 movsx eax,byte ptr ss:[esp+0x36] ;
md5数据的第第7位
10001F1B
83C4 10 add esp,0x10
10001F1E
51 push ecx
10001F1F
52 push edx
10001F20
0FBE4C24 2B movsx ecx,byte ptr ss:[esp+0x2B] ;
md5数据的第第4位
10001F25
0FBE5424 28 movsx edx,byte ptr ss:[esp+0x28] ;
md5数据的第第1位
10001F2A
50 push eax
10001F2B
51 push ecx
10001F2C
52 push edx
10001F2D
8D4424 14 lea eax,dword ptr ss:[esp+0x14]
10001F31
68 20E10110 push LicenseD.1001E120 ;
%x%x%x-%x%x
10001F36
50 push eax
10001F37
E8 3E290000 call LicenseD.1000487A ; 转换为真码
10001F3C
8B4C24 68 mov ecx,dword ptr ss:[esp+0x68] ;
393665-6136
10001F40
8D5424 1C lea edx,dword ptr ss:[esp+0x1C]
10001F44
52 push edx
10001F45
8B01 mov eax,dword ptr ds:[ecx]
10001F47
50 push eax
10001F48
E8 7E280000 call LicenseD.100047CB
10001F4D
85C0 test eax,eax
10001F4F
0F94C0 sete al
10001F52
83C4 68 add esp,0x68
10001F55
C3 retn
我们可以看到分别取md5数据的第1、4、7、9、31共五位
字符的ASCII码并转换成十六进制的字符串
分别记为
str_md5_1 str_md5_4 str_md5_7 str_md5_9 str_md5_31
我们怎么知道它是获取数据的第几位,其实我们可以在标记为红色的地址上数据窗口中跟随就能看的一目了然。
如上图,直接定位到哪个数据,接着就自己去数吧。其他我就不再阐述了。
接着我们进入10001F37
这个地址看看
1000487A 55
push ebp
1000487B 8BEC
mov ebp,esp
1000487D 83EC 20
sub esp,0x20
10004880 8B45 08
mov eax,dword ptr ss:[ebp+0x8]
10004883 56
push esi
10004884 8945 E8
mov dword ptr ss:[ebp-0x18],eax
10004887 8945 E0
mov dword ptr ss:[ebp-0x20],eax
1000488A 8D45 10
lea eax,dword ptr ss:[ebp+0x10]
1000488D C745 EC
4200000>mov dword ptr ss:[ebp-0x14],0x42
10004894 50
push eax
10004895 8D45 E0
lea eax,dword ptr ss:[ebp-0x20]
10004898 FF75 0C
push dword ptr ss:[ebp+0xC] ; %x%x%x-%x%x
1000489B C745 E4
FFFFFF7>mov dword ptr ss:[ebp-0x1C],0x7FFFFFFF
100048A2 50
push eax
100048A3 E8 B4350000
call LicenseD.10007E5C
100048A8
83C4 0C add esp,0xC
可以在堆栈看到真正的注册码
100048AB FF4D E4
dec dword ptr ss:[ebp-0x1C] ; LicenseD.100011DF
100048AE 8BF0
mov esi,eax
100048B0 78 08 js
short LicenseD.100048BA
100048B2 8B45 E0
mov eax,dword ptr ss:[ebp-0x20] ; SecExplo.0043654C
100048B5 8020 00
and byte ptr ds:[eax],0x0
100048B8 EB 0D
jmp short LicenseD.100048C7
100048BA 8D45 E0
lea eax,dword ptr ss:[ebp-0x20]
100048BD 50
push eax
100048BE 6A 00
push 0x0
100048C0 E8 7F340000
call LicenseD.10007D44
100048C5 59
pop ecx ;
LicenseD.10001F3C
100048C6 59
pop ecx ;
LicenseD.10001F3C
100048C7 8BC6
mov eax,esi
100048C9 5E
pop esi ;
LicenseD.10001F3C
100048CA C9
leave
100048CB C3
retn
其实这里是连接str_md5_1
str_md5_4 str_md5_7 str_md5_9 str_md5_31 这些数据,然后作为最后的注册码
10004898 FF75 0C
push dword ptr ss:[ebp+0xC] ; %x%x%x-%x%x
这里可以看出注册码格式
所以得出注册码:386138-3230
但是,注册码虽然出来了,拿这个得出的注册码注册的话还是一样提示错误,为什么呢?我们继续跟下去。
10003267 83C4 10
add esp,0x10
1000326A 25 FF000000
and eax,0xFF
1000326F 8D4C24 10
lea ecx,dword ptr ss:[esp+0x10]
10003273 8BF8
mov edi,eax
10003275 68 FCE30110
push LicenseD.1001E3FC ; -MNM5
1000327A
E8 22CA0000 call LicenseD.1000FCA1 ; 检测用户名里是否包含
"-MNM5"
1000327F 83F8 FF
cmp eax,-0x1 ; 返回用户名- -MNM5的长度
长度7
10003282 74 07 je
short LicenseD.1000328B
10003284 BE 01000000
mov esi,0x1
10003289 EB 29
jmp short LicenseD.100032B4
1000328B 807C24 3E 2D
cmp byte ptr ss:[esp+0x3E],0x2D
10003290 75 22
jnz short LicenseD.100032B4
来到这段代码,可以看到检测用户名是否包含-MNM5这个字符串,如果没有,就算正确的注册码也会注册失败。
我们进入1000327A
这个地址的call看看
1000FCA1 6A 00
push 0x0
1000FCA3 FF7424 08
push dword ptr ss:[esp+0x8]
1000FCA7 E8 03000000
call LicenseD.1000FCAF
1000FCAC C2 0400
retn 0x4
1000FCAF 56
push esi
1000FCB0 8BF1
mov esi,ecx
1000FCB2 8B4C24 0C
mov ecx,dword ptr ss:[esp+0xC] ; LicenseD.1000327F
1000FCB6 8B06
mov eax,dword ptr ds:[esi] ; 用户名
1000FCB8 3B48 F8
cmp ecx,dword ptr ds:[eax-0x8] ; 检测用户名的长度是否为0
1000FCBB 7F 12 jg
short LicenseD.1000FCCF
1000FCBD FF7424 08
push dword ptr ss:[esp+0x8] ; -MNM5
1000FCC1 03C1
add eax,ecx
1000FCC3 50
push eax
1000FCC4
E8 8C62FFFF call LicenseD.10005F55 ; 进行对比
1000FCC9 59
pop ecx ;
LicenseD.1000FCAC
1000FCCA 85C0
test eax,eax
1000FCCC 59
pop ecx ;
LicenseD.1000FCAC
1000FCCD 75 05
jnz short LicenseD.1000FCD4
1000FCCF 83C8 FF or
eax,-0x1
1000FCD2 EB 02
jmp short LicenseD.1000FCD6
1000FCD4 2B06
sub eax,dword ptr ds:[esi]
1000FCD6 5E
pop esi ;
LicenseD.1000FCAC
1000FCD7 C2 0800
retn 0x8
继续进入1000FCC4
这个call看看
10005F55 55
push ebp
10005F56 8BEC
mov ebp,esp
10005F58 53
push ebx
10005F59 33DB
xor ebx,ebx
10005F5B 391D 9C4F0210
cmp dword ptr ds:[0x10024F9C],ebx
10005F61 56
push esi
10005F62 57
push edi
10005F63 75 0F
jnz short LicenseD.10005F74
10005F65 FF75 0C
push dword ptr ss:[ebp+0xC]
10005F68 FF75 08
push dword ptr ss:[ebp+0x8]
10005F6B E8 B0EEFFFF
call LicenseD.10004E20
10005F70 59
pop ecx ;
LicenseD.1000FCC9
10005F71 59
pop ecx ;
LicenseD.1000FCC9
10005F72 EB 52
jmp short LicenseD.10005FC6
10005F74 FF75 0C
push dword ptr ss:[ebp+0xC] ; -MNM5
10005F77 8B75 08
mov esi,dword ptr ss:[ebp+0x8]
10005F7A E8 C1000000
call LicenseD.10006040
10005F7F 8BFE
mov edi,esi
10005F81 56
push esi
10005F82 2BF8
sub edi,eax
10005F84 E8 B7000000
call LicenseD.10006040
10005F89 59
pop ecx ;
LicenseD.1000FCC9
10005F8A 03F8
add edi,eax
10005F8C 59
pop ecx ;
LicenseD.1000FCC9
10005F8D 381E
cmp byte ptr ds:[esi],bl
10005F8F 74 33 je
short LicenseD.10005FC4
10005F91 3BF7
cmp esi,edi
10005F93 77 2F ja
short LicenseD.10005FC4
10005F95 381E
cmp byte ptr ds:[esi],bl
10005F97 8B45 0C
mov eax,dword ptr ss:[ebp+0xC]
10005F9A 74 15 je
short LicenseD.10005FB1
10005F9C 8BD6
mov edx,esi
10005F9E 2BD0
sub edx,eax
10005FA0 8A08
mov cl,byte ptr ds:[eax]
10005FA2 3ACB
cmp cl,bl
10005FA4 74 0B je
short LicenseD.10005FB1
10005FA6 380C02
cmp byte ptr ds:[edx+eax],cl
10005FA9 75 06
jnz short LicenseD.10005FB1
10005FAB 40
inc eax
10005FAC 381C02
cmp byte ptr ds:[edx+eax],bl
10005FAF ^ 75 EF
jnz short LicenseD.10005FA0
10005FB1 3818
cmp byte ptr ds:[eax],bl
10005FB3 74 0B je
short LicenseD.10005FC0
10005FB5 56
push esi
10005FB6 E8 44FCFFFF
call LicenseD.10005BFF
10005FBB 59
pop ecx ;
LicenseD.1000FCC9
10005FBC 8BF0
mov esi,eax
10005FBE ^ EB CD
jmp short LicenseD.10005F8D
10005FC0 8BC6
mov eax,esi
10005FC2 EB 02
jmp short LicenseD.10005FC6
10005FC4 33C0
xor eax,eax
10005FC6 5F
pop edi ;
LicenseD.1000FCC9
10005FC7 5E
pop esi ;
LicenseD.1000FCC9
10005FC8 5B
pop ebx ;
LicenseD.1000FCC9
10005FC9 5D
pop ebp ;
LicenseD.1000FCC9
10005FCA C3
retn
这段代码是一个标准的文本对比,如果对这个结构不熟悉的,可以自己在易语言写个文本对比看看,和这个基本差不多。
10003481
8B5424 10 mov edx,dword ptr ss:[esp+0x10]
10003485
8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
10003489
50 push eax
1000348A
51 push ecx
1000348B
52 push edx
1000348C
E8 CFE9FFFF call LicenseD.10001E60 ;
写注册信息到注册表
10003491
83C4 0C add esp,0xC
10003494
8DB5 1C020000 lea esi,dword ptr ss:[ebp+0x21C]
1000349A
8BCE mov ecx,esi
1000349C
68 44E20110 push LicenseD.1001E244 ; OK
100034A1
E8 BD110100 call LicenseD.10014663
100034A6
6A 00 push 0x0
100034A8
8BCB mov ecx,ebx
0012DE14
10003A9A /CALL 到 RegCreateKeyExA 来自 LicenseD.10003A94
0012DE18
80000002 |hKey = HKEY_LOCAL_MACHINE
0012DE1C
00585ED0 |Subkey = "SOFTWARE\GlobeSoft\SecureExplore"
0012DE20
00000000 |Reserved = 0x0
0012DE24
10021A34 |Class = ""
0012DE28
00000000 |Options = REG_OPTION_NON_VOLATILE
0012DE2C
000F003F |Access = KEY_ALL_ACCESS
0012DE30
00000000 |pSecurity = NULL
0012DE34
0012DE44 |pHandle = 0012DE44
0012DE38
0012DE40 \pDisposition = 0012DE40
所以可以知道软件是写注册表进行注册的,Subkey
= "SOFTWARE\GlobeSoft\SecureExplore"。删除这里面的键值就可以继续玩了。
附上自己写的易语言代码,写的很拙。。。。
高清文档下载地址:http://www.vdisk.cn/down/index/19539036
原文地址:https://www.cnblogs.com/Sendige/p/9600838.html