Chinaunix首页 | 论坛 | 博客
  • 博客访问: 527741
  • 博文数量: 96
  • 博客积分: 2960
  • 博客等级: 少校
  • 技术积分: 1850
  • 用 户 组: 普通用户
  • 注册时间: 2006-12-11 15:25
文章分类

全部博文(96)

文章存档

2009年(37)

2008年(59)

我的朋友

分类: C/C++

2008-12-05 16:46:23

  • Source Insight 3.5 算法简单分析

    标 题:Source Insight 3.5 算法简单分析
    发信人:wzh123
    时 间:2003年10月17日 10:51
    周详信息:


    Source Insight 3.5 算法简单分析

    cracker:wzh123

    下载:
    简 介:是个C++研发环境,有着和Dev c++相同漂亮的界面,提供代码的编辑和察看功能,具有丰富的语法加亮功能,能像VC相同自动弹出成员函数的提示,并具有快速方便的函数跳转功能(不过跳 转速度似乎有点慢)。只是默认设置不适合时,需要仔细的调整和修改。无法查找经typedef之后的名字。

    作者申明:只是学习,无其他 目的。初学破解,错误在所难免,写的也非常乱,请各位包涵,也请各位高手指教。好久没玩破解了,手都生了,逮个简单的练练手。这个软件是vc编的,无壳, 算法不难,用W32dasm反编译能非常快定位到关键点,然后可用ollydbg下断。输入假码“SI3US-123456-78901”,为什么这样输 入,经过分析你就能知道了,一下是我跟踪后做的笔记,非常粗,但基本上反映了整个注册的流程。

    标 题:Source Insight 3.5 算法简单分析
    发信人:wzh123
    时 间:2003年10月17日 10:51
    周详信息:


    Source Insight 3.5 算法简单分析

    cracker:wzh123

    下载:
    简 介:是个C++研发环境,有着和Dev c++相同漂亮的界面,提供代码的编辑和察看功能,具有丰富的语法加亮功能,能像VC相同自动弹出成员函数的提示,并具有快速方便的函数跳转功能(不过跳 转速度似乎有点慢)。只是默认设置不适合时,需要仔细的调整和修改。无法查找经typedef之后的名字。

    作者申明:只是学习,无其他 目的。初学破解,错误在所难免,写的也非常乱,请各位包涵,也请各位高手指教。好久没玩破解了,手都生了,逮个简单的练练手。这个软件是vc编的,无壳, 算法不难,用W32dasm反编译能非常快定位到关键点,然后可用ollydbg下断。输入假码“SI3US-123456-78901”,为什么这样输 入,经过分析你就能知道了,一下是我跟踪后做的笔记,非常粗,但基本上反映了整个注册的流程。


    :00445D7C 683CC85800              push 0058C83C
    :00445D81 E8AC4EFFFF              call 0043AC32
    :00445D86 683CC85800              push 0058C83C
    :00445D8B E81E1D0D00              call 00517AAE
    :00445D90 59                      pop ecx
    :00445D91 683CC85800              push 0058C83C  =======>假码入栈
    :00445D96 E848C6FFFF              call 004423E3  =======>关键call(1),追入
    :00445D9B 85C0                    test eax, eax  =======>比较eax是否为零
    :00445D9D 7450                    je 00445DEF    =======>是0就跳,失败
    :00445D9F 683CC85800              push 0058C83C  =======>不为0,成功,写入注册表

    * Possible StringData Ref from Data Obj ->"SerialNumber"
                                      |
    :00445DA4 683C5A5600              push 00565A3C
    :00445DA9 FF355C025700            push dword ptr [0057025C]
    :00445DAF E8FADDFEFF              call 00433BAE  =======>写注册表
    :00445DB4 85C0                    test eax, eax  
    :00445DB6 751B                    jne 00445DD3   =======>注册表写成功就跳

    * Possible StringData Ref from Data Obj ->"You need permission to modify "
                                            ->"the HKEY_LOCAL_MACHINE registry "
                                            ->"hive.

    Please run Source Insight "
                                            ->"again while logged in as an Administrator "
                                            ->"or equivalent user."
                                      |
    :00445DB8 6820BE5200              push 0052BE20
    :00445DBD E81022FCFF              call 00407FD2
    :00445DC2 59                      pop ecx
    :00445DC3 68E8030000              push 000003E8

    * Reference To: KERNEL32.Sleep, Ord:0329h
                                      |
    :00445DC8 FF15DC325200            Call dword ptr [005232DC]
    :00445DCE E9C0FEFFFF              jmp 00445C93

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00445DB6(C)
    |
    :00445DD3 832524C8580000          and dword ptr [0058C824], 00000000
    :00445DDA E8B9BAFFFF              call 00441898

    * Possible StringData Ref from Data Obj ->"Thank you for registering Source "=====>哈哈,成功之门
                                            ->"Insight!"
                                      |
    :00445DDF 68C0BE5200              push 0052BEC0
    :00445DE4 E82923FCFF              call 00408112
    :00445DE9 59                      pop ecx
    :00445DEA 6A01                    push 00000001
    :00445DEC 58                      pop eax
    :00445DED EB1D                    jmp 00445E0C

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00445D9D(C)
    |

    * Possible StringData Ref from Data Obj ->"You typed an invalid serial number."====>失败
                                      |
    :00445DEF 68ECBE5200              push 0052BEEC
    :00445DF4 E8D921FCFF              call 00407FD2
    :00445DF9 59                      pop ecx
    :00445DFA 68E8030000              push 000003E8

    * Reference To: KERNEL32.Sleep, Ord:0329h
                                      |
    :00445DFF FF15DC325200            Call dword ptr [005232DC]
    :00445E05 E989FEFFFF              jmp 00445C93


    ===================关键call(1)======================

    :004423E3 55                      push ebp
    :004423E4 8BEC                    mov ebp, esp
    :004423E6 83EC18                  sub esp, 00000018
    :004423E9 57                      push edi
    :004423EA 6A2D                    push 0000002D   =======> "-"入栈
    :004423EC FF7508                  push [ebp+08]   =======> 假码"SI3US-123456-78901"入栈 
    :004423EF E89C460D00              call 00516A90   =======>这个call检查输入的注册码中是否含"-"
    :004423F4 59                      pop ecx
    :004423F5 59                      pop ecx
    :004423F6 8945F8                  mov dword ptr [ebp-08], eax
    :004423F9 837DF800                cmp dword ptr [ebp-08], 00000000
    :004423FD 7507                    jne 00442406    =======>这里要跳,否则失败,所以注册码中含"-"
    :004423FF 33C0                    xor eax, eax
    :00442401 E905010000              jmp 0044250B

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004423FD(C)
    |
    :00442406 8B55F8                  mov edx, dword ptr [ebp-08]  =======>"-123456-78901"=>edx
    :00442409 2B5508                  sub edx, dword ptr [ebp+08]

    * Possible StringData Ref from Data Obj ->"SI3US"
                                      |
    :0044240C BFD42F5600              mov edi, 00562FD4  =======>"SI3US"=>edi
    :00442411 83C9FF                  or ecx, FFFFFFFF
    :00442414 33C0                    xor eax, eax
    :00442416 F2                      repnz                        
    :00442417 AE                      scasb                       
    :00442418 F7D1                    not ecx
    :0044241A 49                      dec ecx
    :0044241B 3BD1                    cmp edx, ecx       ======>上面这一段为了说明注册码的格式,即注册码的第一部分有五位
    :0044241D 7407                    je 00442426        =======>要跳
    :0044241F 33C0                    xor eax, eax
    :00442421 E9E5000000              jmp 0044250B

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0044241D(C)
    |

    * Possible StringData Ref from Data Obj ->"SI3US"
                                      |
    :00442426 BFD42F5600              mov edi, 00562FD4
    :0044242B 83C9FF                  or ecx, FFFFFFFF
    :0044242E 33C0                    xor eax, eax
    :00442430 F2                      repnz
    :00442431 AE                      scasb
    :00442432 F7D1                    not ecx
    :00442434 49                      dec ecx
    :00442435 51                      push ecx

    * Possible StringData Ref from Data Obj ->"SI3US"
                                      |
    :00442436 68D42F5600              push 00562FD4    =======>"SI3US"入栈
    :0044243B FF7508                  push [ebp+08]    =======>假码"SI3US-123456-78901"入栈
    :0044243E E88420FDFF              call 004144C7    =======>比较前五位,所以真码的前五位为"SI3US"   
    :00442443 85C0                    test eax, eax
    :00442445 7507                    jne 0044244E     =======>要跳
    :00442447 33C0                    xor eax, eax
    :00442449 E9BD000000              jmp 0044250B

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00442445(C)
    |
    :0044244E 8B45F8                  mov eax, dword ptr [ebp-08]
    :00442451 40                      inc eax
    :00442452 8945F8                  mov dword ptr [ebp-08], eax
    :00442455 8B45F8                  mov eax, dword ptr [ebp-08]
    :00442458 8945F0                  mov dword ptr [ebp-10], eax
    :0044245B 6A2D                    push 0000002D    =======>"-"入栈
    :0044245D FF75F8                  push [ebp-08]    =======>假码"123456-78901"入栈
    :00442460 E82B460D00              call 00516A90    =======>检查是否含有"-"
    :00442465 59                      pop ecx
    :00442466 59                      pop ecx
    :00442467 8945EC                  mov dword ptr [ebp-14], eax
    :0044246A 837DEC00                cmp dword ptr [ebp-14], 00000000
    :0044246E 7507                    jne 00442477     =======>要跳
    :00442470 33C0                    xor eax, eax
    :00442472 E994000000              jmp 0044250B

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0044246E(C)
    |
    :00442477 8B45EC                  mov eax, dword ptr [ebp-14]
    :0044247A 802000                  and byte ptr [eax], 00
    :0044247D 8B45EC                  mov eax, dword ptr [ebp-14]
    :00442480 2B45F0                  sub eax, dword ptr [ebp-10]
    :00442483 83F806                  cmp eax, 00000006  ======>中间的注册码有6位
    :00442486 7404                    je 0044248C        ======>要跳
    :00442488 33C0                    xor eax, eax
    :0044248A EB7F                    jmp 0044250B

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00442486(C)
    |
    :0044248C 8B45F0                  mov eax, dword ptr [ebp-10]
    :0044248F 8945E8                  mov dword ptr [ebp-18], eax

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004424B3(U)
    |
    :00442492 8B45E8                  mov eax, dword ptr [ebp-18]
    :00442495 0FB600                  movzx eax, byte ptr [eax]
    :00442498 8B4DF0                  mov ecx, dword ptr [ebp-10]
    :0044249B 0FB609                  movzx ecx, byte ptr [ecx]
    :0044249E 3BC1                    cmp eax, ecx
    :004424A0 7513                    jne 004424B5
    :004424A2 8B45E8                  mov eax, dword ptr [ebp-18]
    :004424A5 0FB600                  movzx eax, byte ptr [eax]
    :004424A8 85C0                    test eax, eax
    :004424AA 7409                    je 004424B5
    :004424AC 8B45E8                  mov eax, dword ptr [ebp-18]
    :004424AF 40                      inc eax
    :004424B0 8945E8                  mov dword ptr [ebp-18], eax
    :004424B3 EBDD                    jmp 00442492          ========判断注册码第二部分各位不全等

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:004424A0(C), :004424AA(C)
    |
    :004424B5 8B45E8                  mov eax, dword ptr [ebp-18]
    :004424B8 0FB600                  movzx eax, byte ptr [eax]
    :004424BB F7D8                    neg eax
    :004424BD 1BC0                    sbb eax, eax
    :004424BF 40                      inc eax
    :004424C0 85C0                    test eax, eax
    :004424C2 7404                    je 004424C8
    :004424C4 33C0                    xor eax, eax
    :004424C6 EB43                    jmp 0044250B

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004424C2(C)
    |
    :004424C8 8B45EC                  mov eax, dword ptr [ebp-14]
    :004424CB 40                      inc eax
    :004424CC 8945F4                  mov dword ptr [ebp-0C], eax
    :004424CF 8B7DF4                  mov edi, dword ptr [ebp-0C]
    :004424D2 83C9FF                  or ecx, FFFFFFFF
    :004424D5 33C0                    xor eax, eax
    :004424D7 F2                      repnz
    :004424D8 AE                      scasb
    :004424D9 F7D1                    not ecx
    :004424DB 49                      dec ecx
    :004424DC 83F905                  cmp ecx, 00000005  =======>表示最后一部分注册码有五位,所以注册码格式为SI3US-******-*****
    :004424DF 7404                    je 004424E5        =======>要跳
    :004424E1 33C0                    xor eax, eax
    :004424E3 EB26                    jmp 0044250B

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004424DF(C)
    |
    :004424E5 FF75F0                  push [ebp-10]      =======>假码第二部分"123456"入栈
    :004424E8 E850E00A00              call 004F053D      =======>关键call(2)
    :004424ED 8945FC                  mov dword ptr [ebp-04], eax 
                                                       ======>"123456"变换码"168DB"=>[ebp-04]
    :004424F0 FF75F4                  push [ebp-0C]      =======>假码第三部分"78901"入栈
    :004424F3 E87A450D00              call 00516A72      =======>将"78901"转为十六进制"13435"
    :004424F8 59                      pop ecx
    :004424F9 3945FC                  cmp dword ptr [ebp-04], eax====>这里关键比较,相等则注册成功
    :004424FC 7404                    je 00442502
    :004424FE 33C0                    xor eax, eax
    :00442500 EB09                    jmp 0044250B

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004424FC(C)
    |
    :00442502 8B45EC                  mov eax, dword ptr [ebp-14]
    :00442505 C6002D                  mov byte ptr [eax], 2D
    :00442508 6A01                    push 00000001
    :0044250A 58                      pop eax

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:00442401(U), :00442421(U), :00442449(U), :00442472(U), :0044248A(U)
    |:004424C6(U), :004424E3(U), :00442500(U)
    |
    :0044250B 5F                      pop edi
    :0044250C C9                      leave
    :0044250D C20400                  ret 0004

    =====================================call(2)============================================

    :004F053D 55                      push ebp
    :004F053E 8BEC                    mov ebp, esp
    :004F0540 83EC10                  sub esp, 00000010
    :004F0543 FF7508                  push [ebp+08]
    :004F0546 E827650200              call 00516A72   =======>"123456"转换为十六进制"1E240"
    :004F054B 59                      pop ecx
    :004F054C 8945F0                  mov dword ptr [ebp-10], eax
    :004F054F 8B45F0                  mov eax, dword ptr [ebp-10]
    :004F0552 8945FC                  mov dword ptr [ebp-04], eax
    :004F0555 8365F400                and dword ptr [ebp-0C], 00000000
    :004F0559 8B4508                  mov eax, dword ptr [ebp+08]
    :004F055C 8945F8                  mov dword ptr [ebp-08], eax
    :004F055F EB07                    jmp 004F0568

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004F059C(U)
    |
    :004F0561 8B45F8                  mov eax, dword ptr [ebp-08]
    :004F0564 40                      inc eax
    :004F0565 8945F8                  mov dword ptr [ebp-08], eax

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004F055F(U)
    |
    :004F0568 8B45F8                  mov eax, dword ptr [ebp-08]  =======>"123456"==>eax
    :004F056B 0FB600                  movzx eax, byte ptr [eax]    =======>依次取"123456"=>eax
    :004F056E 85C0                    test eax, eax
    :004F0570 742C                    je 004F059E
    :004F0572 8B45F8                  mov eax, dword ptr [ebp-08]
    :004F0575 0FB600                  movzx eax, byte ptr [eax]
    :004F0578 8B4DF4                  mov ecx, dword ptr [ebp-0C]  =======>ecx=0
    :004F057B 33048DDC2F5600          xor eax, dword ptr [4*ecx+00562FDC]
                                          1、31^96=A7==>eax
                                          2、32^95=A7==>eax
                                          3、33^10=23==>eax
                                          4、34^23=17==>eax
                                          5、35^7=32==>eax
                                          6、35^15=23==>eax

    ============================[00562FDC]处内存===============================
    00562FDC  96 00 00 00 95 00 00 00 10 00 00 00 23 00 00 00  ?..?.....#... 0
    00562FEC  07 00 00 00 15 00 00 00 08 00 00 00 03 00 00 00  ............
    00562FFC  10 00 00 00 11 00 00 00 01 00 00 00 53 65 72 76  .........Serv
    ===========================================================================


    :004F0582 8B4DFC                  mov ecx, dword ptr [ebp-04]
    :004F0585 8D0488                  lea eax, dword ptr [eax+4*ecx]
                                           1、eax=A7+4*1E240=789A7
                                           2、eax=A7+4*789A7=1E2743
                                           3、eax=23+4*1E2743=789D2F
                                           4、eax=17+4*789D2F=1E274D3
                                           5、eax=32+4*1E274D3=789D37E
                                           6、eax=23+4*789D37E=1E274E1B


    :004F0588 8945FC                  mov dword ptr [ebp-04], eax
    :004F058B 8B45F4                  mov eax, dword ptr [ebp-0C]
    :004F058E 40                      inc eax
    :004F058F 8945F4                  mov dword ptr [ebp-0C], eax
    :004F0592 837DF40A                cmp dword ptr [ebp-0C], 0000000A
    :004F0596 7504                    jne 004F059C
    :004F0598 8365F400                and dword ptr [ebp-0C], 00000000

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004F0596(C)
    |
    :004F059C EBC3                    jmp 004F0561  ========循环

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004F0570(C)
    |
    :004F059E 8B45FC                  mov eax, dword ptr [ebp-04]  =======>"1E274E1B"==>eax
    :004F05A1 33D2                    xor edx, edx                 =======>edx清零
    :004F05A3 B9A0860100              mov ecx, 000186A0            "186A0"==>ecx
    :004F05A8 F7F1                    div ecx                      1E274E1B/186A0
    :004F05AA 8BC2                    mov eax, edx                 余数为"168DB"==>eax
    :004F05AC C9                      leave
    :004F05AD C20400                  ret 0004


    算法总结:

    1、注册码格式为SI3US-m1m2m3m4m5m6-m7m8m9m10m11
    2、将m1m2m3m4m5m6变换得到sn1
    3、将m7m8m9m10m11转为十六进制得到sn2
    4、sn1=sn2,则注册成功
    5、注册码放在
    HKEY_LOCAL_MACHINESOFTWARESource DynamicsSource Insight3.0InstallSerialNumber下,删除后能重新注册。


    一个可用的注册码SI3US-123456-92379

    注:不知道这个软件更有没有暗桩,我没用过所以不知道,谁有兴趣能看一看。

阅读(1623) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~