标 题:
【原创】WinImage 8.10注册算法简单分析
作 者: herx 时 间: 2007-10-15,18:47 链 接: http://bbs.pediy.com/showthread.php?t=53348 【文章标题】: WinImage 8.10注册算法分析 【文章作者】: herx 【作者邮箱】: heuix1422@163.com 【作者QQ号】: 369136816 【软件名称】: WinImage(英文版) 【下载地址】: http://www.winimage.com/winimage.htm 【加壳方式】: 无壳 【编写语言】: VC8 【使用工具】: W32DASM,OLLYDBG,PEID 【操作平台】: xp sp2 【软件介绍】: 制作.img,.iso,等映像文件 【作者声明】: 只是感兴趣,作为学习,如果需要请购买正版,由于水平有限错误之处请高手指出。。。。 -------------------------------------------------------------------------------- 【详细过程】 由于刚开始进行算法分析,希望大虾们给提点宝贵意见。。 用PEID查看是VC8 -> Microsoft Corporation [Overlay] * 软件未注册有30天试用 不输入或输入假的注册码都提示 "Registration information is invalid" 用W32DASM或下断点bp GetDlgItemTextA很容易找到关键地方 00466474 > /8B7424 0C mov esi,dword ptr ss:[esp+C] ; 00466478 . 8B3D 587549>mov edi,dword ptr ds:[<&USER32.GetD>; USER32.GetDlgItemTextA 0046647E . 68 01010000 push 101 ; 00466483 . 68 F83A4B00 push winimage.004B3AF8 ; |Buffer = 004B3AF8 获得name后放在这 00466488 . 68 16080000 push 816 ; 0046648D . 56 push esi ; 0046648E . FFD7 call edi ; GetDlgItemTextA 00466490 . 6A 7F push 7F ; 下断点后在注册框输入假注册码,返回后停在这 00466492 . 68 683E4B00 push winimage.004B3E68 ; |Buffer = 004B3E68 输入假注册码放在这 00466497 . 68 17080000 push 817 ; 0046649C . 56 push esi ; 0046649D . FFD7 call edi ; GetDlgItemTextA 0046649F . 68 F83A4B00 push winimage.004B3AF8 ; ASCII "heruixi" 输入的name 004664A4 . B8 683E4B00 mov eax,winimage.004B3E68 ; ASCII "9876543210" eax<=假注册码 004664A9 . E8 42C4FAFF call winimage.004128F0 ;进行计算的CALL ,跟进, 004664AE . 8B15 B0374B>mov edx,dword ptr ds:[4B37B0] 004664B4 . 33C9 xor ecx,ecx 004664B6 . 83C4 04 add esp,4 004664B9 . 3BC1 cmp eax,ecx ;关键比较eax是不是零,注册码正确eax=1,不正确为0 004664BB . A3 1C424B00 mov dword ptr ds:[4B421C],eax 004664C0 . 74 06 je short winimage.004664C8 004664C2 . 8915 20344B>mov dword ptr ds:[4B3420],edx 004664C8 > 390D 20344B>cmp dword ptr ds:[4B3420],ecx 004664CE . 8915 CC3A4B>mov dword ptr ds:[4B3ACC],edx 004664D4 . 75 05 jnz short winimage.004664DB 004664D6 . 
A3 CC3A4B00 mov dword ptr ds:[4B3ACC],eax 004664DB > 3BC1 cmp eax,ecx ; 关键比较 004664DD . 75 4B jnz short winimage.0046652A ;eax不为零跳到注册成功 004664DF . 68 10200000 push 2010 ;显示注册码无效 004664E4 . 68 2D040000 push 42D 004664E9 . 68 2B040000 push 42B 004664EE . 56 push esi 004664EF . C705 203F4B>mov dword ptr ds:[4B3F20],1 004664F9 . C705 C43A4B>mov dword ptr ds:[4B3AC4],1 00466503 . 880D 683E4B>mov byte ptr ds:[4B3E68],cl 00466509 . 880D F83A4B>mov byte ptr ds:[4B3AF8],cl 0046650F . E8 DC80FFFF call winimage.0045E5F0 ; 00466514 . 83C4 10 add esp,10 00466517 . 6A 01 push 1 ; /Result = 1 00466519 . 56 push esi ; |hWnd 0046651A . FF15 7C7549>call dword ptr ds:[<&USER32.EndDial>; /EndDialog 00466520 . 5F pop edi 00466521 . B8 01000000 mov eax,1 00466526 . 5E pop esi 00466527 . C2 1000 retn 10 0046652A > 68 40200000 push 2040 ;显示注册成功 0046652F . 68 2D040000 push 42D 00466534 . 68 2A040000 push 42A 00466539 . 56 push esi 0046653A . 890D 203F4B>mov dword ptr ds:[4B3F20],ecx 00466540 . 890D C43A4B>mov dword ptr ds:[4B3AC4],ecx 00466546 . E8 A580FFFF call winimage.0045E5F0 0046654B . 83C4 10 add esp,10 0046654E . 6A 01 push 1 ; /Result = 1 00466550 . 56 push esi ; |hWnd 00466551 . FF15 7C7549>call dword ptr ds:[<&USER32.EndDial>; /EndDialog 00466557 . 5F pop edi 00466558 . B8 01000000 mov eax,1 0046655D . 5E pop esi 0046655E . C2 1000 retn 10 跟进计算的CALL: 004128F0 $ 81EC 000200>sub esp,200 004128F6 . 56 push esi 004128F7 . 8D7424 04 lea esi,dword ptr ss:[esp+4] 004128FB . C705 B0374B>mov dword ptr ds:[4B37B0],0 00412905 . E8 C6210000 call winimage.00414AD0 ;取得注册码,并转为大写存入[esp+4] 0041290A . 8B8424 0802>mov eax,dword ptr ss:[esp+208] ;取得用户名——》eax 00412911 . E8 0A210000 call winimage.00414A20 ;对用户名进行计算call,然后跟进 00412916 . 3D 26DDDCB8 cmp eax,B8DCDD26 ;如果没有输入用户名 0041291B . 0F84 3DA102>je winimage.0043CA5E ;计算结果为B8DCDD26 跳到0043CA5E xor eax,eax,然后跳到 004129F4 > 5E pop esi 004129F5 . 81C4 000200>add esp,200 004129FB . C3 retn 00412921 . 8BF0 mov esi,eax ;esi指向第一次计算出的结果 00412923 . 
57 push edi 00412924 . 8D4424 08 lea eax,dword ptr ss:[esp+8] ;eax指向假注册码 00412928 . 50 push eax 00412929 . 8BC6 mov eax,esi 0041292B . 8DBC24 0C01>lea edi,dword ptr ss:[esp+10C] 00412932 . E8 69FFFFFF call winimage.004128A0 ;计算出最后的真注册码 00412937 . 50 push eax 00412938 . E8 33870000 call winimage.0041B070 ;与假注册码每一位进行比较call 0041293D . 83C4 08 add esp,8 00412940 . 85C0 test eax,eax 00412942 . 0F84 E9A102>je winimage.0043CB31 ;注册码正确跳转到0043CB31 mov eax,1 jmp 004129F3返回 . . . . 004129C8 . 8D5424 08 lea edx,dword ptr ss:[esp+8] 004129CC . 52 push edx 004129CD . 8D86 971906>lea eax,dword ptr ds:[esi+2061997] 004129D3 . E8 C8FEFFFF call winimage.004128A0 004129D8 . 50 push eax 004129D9 . E8 92860000 call winimage.0041B070 004129DE . 83C4 08 add esp,8 004129E1 . 85C0 test eax,eax 004129E3 . 0F85 7CA002>jnz winimage.0043CA65 004129E9 > B8 01000000 mov eax,1 004129EE . A3 B0374B00 mov dword ptr ds:[4B37B0],eax 004129F3 > 5F pop edi 004129F4 > 5E pop esi 004129F5 . 81C4 000200>add esp,200 004129FB . C3 retn 用户名计算call 00414A20 <> $ 81EC 04010000 sub esp,104 00414A26 . 56 push esi 00414A27 . 57 push edi 00414A28 . 8D7424 0C lea esi,dword ptr ss:[esp+C] 00414A2C . BF 4C694700 mov edi,winimage.0047694C 00414A31 . E8 9A000000 call <winimage.00414AD0> ;用户名转为大写 00414A36 . 56 push esi ; esi指向转换后的用户名 00414A37 . FF15 1C734900 call dword ptr ds:[<&KERNEL32.lstrlen>; /lstrlenA 00414A3D . 85C0 test eax,eax 00414A3F . 7E 75 jle short winimage.00414AB6 ; 用户名长度为零? 00414A41 . 53 push ebx 00414A42 . 55 push ebp 00414A43 . 8BEE mov ebp,esi ; ebp指向转换后的用户名 00414A45 . 33C9 xor ecx,ecx 00414A47 . 83ED 03 sub ebp,3 00414A4A . 896C24 10 mov dword ptr ss:[esp+10],ebp 00414A4E . 8B7424 10 mov esi,dword ptr ss:[esp+10] ; esi=ebp-3 00414A52 . 8BD8 mov ebx,eax ; 用户名长度-》ebx 00414A54 . EB 0E jmp short winimage.00414A64 00414A56 . EB 08 jmp short winimage.00414A60 00414A58 . 8DA424 00000000 lea esp,dword ptr ss:[esp] 00414A5F . 
90 nop 00414A60 > 8B6C24 10 mov ebp,dword ptr ss:[esp+10] ; 循环计算用户名 00414A64 > B8 93244992 mov eax,92492493 ; 92492493为固定值 00414A69 . F7E9 imul ecx ; 92492493*位序ecx 00414A6B . 03D1 add edx,ecx 00414A6D . C1FA 03 sar edx,3 00414A70 . 8BC2 mov eax,edx 00414A72 . C1E8 1F shr eax,1F 00414A75 . 03C2 add eax,edx 00414A77 . 8D14C5 00000000 lea edx,dword ptr ds:[eax*8] 00414A7E . 2BD0 sub edx,eax 00414A80 . 03D2 add edx,edx 00414A82 . 8BC1 mov eax,ecx 00414A84 . 2BC2 sub eax,edx 00414A86 . 75 05 jnz short winimage.00414A8D 00414A88 . BE 27000000 mov esi,27 00414A8D > 0FB65429 03 movzx edx,byte ptr ds:[ecx+ebp+3] ; edx==取得用户名每一位 00414A92 . 8D41 03 lea eax,dword ptr ds:[ecx+3] 00414A95 . 0FAFD6 imul edx,esi ; 用户名每一位与esi相乘 00414A98 . 03FA add edi,edx ;edi存放计算后的值 00414A9A . 99 cdq ; edx设为eax最高为的值 00414A9B . BD 0E000000 mov ebp,0E 00414AA0 . F7FD idiv ebp ; edx-eax除0e 00414AA2 . 85D2 test edx,edx ; 余数 00414AA4 . 0F84 D1570200 je winimage.0043A27B ; 余数为零跳到0043A27B { 0043A27B > /8D04F5 00000000 lea eax,dword ptr ds:[esi*8] 0043A282 . 2BC6 sub eax,esi 0043A284 . 8BF0 mov esi,eax 0043A286 .^ E9 22A8FDFF jmp winimage.00414AAD } 00414AAA . 8D3476 lea esi,dword ptr ds:[esi+esi*2] 00414AAD > 83C1 01 add ecx,1 00414AB0 . 3BCB cmp ecx,ebx ; 比较用户名计算完了吗 00414AB2 .^ 7C AC jl short winimage.00414A60 ; 循环计算 00414AB4 . 5D pop ebp 00414AB5 . 5B pop ebx 00414AB6 > 8BC7 mov eax,edi ;计算结果存入eax 00414AB8 . 5F pop edi 00414AB9 . 5E pop esi 00414ABA . 81C4 04010000 add esp,104 00414AC0 . C3 retn 计算出的真注册码进行转换: 004128A0 /$ 83EC 10 sub esp,10 004128A3 |. 56 push esi 004128A4 |. 50 push eax ; /<%lX> 004128A5 |. 8D4C24 08 lea ecx,dword ptr ss:[esp+8] ; | 004128A9 |. 68 E4204A00 push winimage.004A20E4 ; |%lX 004128AE |. 51 push ecx ; |s 004128AF |. 8BF7 mov esi,edi ; | 004128B1 |. FF15 14754900 call dword ptr ds:[<&USER32.w>; /wsprintfA 004128B7 |. 8A4424 10 mov al,byte ptr ss:[esp+10] ; 取得第一位注册码 004128BB |. 83C4 0C add esp,0C 004128BE |. 84C0 test al,al 004128C0 |. 
74 1B je short winimage.004128DD 004128C2 |. 8D4C24 04 lea ecx,dword ptr ss:[esp+4] 004128C6 |. 2BCF sub ecx,edi 004128C8 |> 3C 38 cmp al,38 ; 比较每一位是不是8,是8转为B 004128CA |. 74 1F je short winimage.004128EB 004128CC |. 3C 42 cmp al,42 ; 比较每一位是不是B,是B转为8 004128CE |. 74 17 je short winimage.004128E7 004128D0 |> 8806 mov byte ptr ds:[esi],al 004128D2 |. 8A4431 01 mov al,byte ptr ds:[ecx+esi+1>; 取得计算出的注册码的一位 004128D6 |. 83C6 01 add esi,1 004128D9 |. 84C0 test al,al 004128DB |.^ 75 EB jnz short winimage.004128C8 ; 循环比较 004128DD |> C606 00 mov byte ptr ds:[esi],0 004128E0 |. 8BC7 mov eax,edi ; 计算结果->edi 004128E2 |. 5E pop esi 004128E3 |. 83C4 10 add esp,10 004128E6 |. C3 retn 计算出的注册码与输入的每一位进行比较: 0041B070 /$ 8B5424 04 mov edx,dword ptr ss:[esp+4] ;指向计算出的注册码7948AA 0041B074 |. 8B4C24 08 mov ecx,dword ptr ss:[esp+8] ;指向假码9876543210 0041B078 |. F7C2 03000000 test edx,3 0041B07E |. 75 3C jnz short winimage.0041B0BC 0041B080 |> 8B02 /mov eax,dword ptr ds:[edx] ; 循环比较注册码 0041B082 |. 3A01 |cmp al,byte ptr ds:[ecx] ; 比较注册码第一位7,第五位A 0041B084 74 2E je short winimage.0041B0B4 0041B086 |. 0AC0 |or al,al 0041B088 |. 74 26 |je short winimage.0041B0B0 判断比较完毕? 0041B08A |. 3A61 01 |cmp ah,byte ptr ds:[ecx+1] ; 比较注册码第二位9,第六位A 0041B08D 74 25 je short winimage.0041B0B4 0041B08F |. 0AE4 |or ah,ah 0041B091 |. 74 1D |je short winimage.0041B0B0 ; 判断比较完毕? 0041B093 |. C1E8 10 |shr eax,10 ; eax右移 0041B096 |. 3A41 02 |cmp al,byte ptr ds:[ecx+2] ; 比较注册码第三位4 0041B099 74 19 je short winimage.0041B0B4 0041B09B |. 0AC0 |or al,al 0041B09D |. 74 11 |je short winimage.0041B0B0 0041B09F |. 3A61 03 |cmp ah,byte ptr ds:[ecx+3] ; 比较注册码第四位8 0041B0A2 74 10 je short winimage.0041B0B4 0041B0A4 |. 83C1 04 |add ecx,4 0041B0A7 |. 83C2 04 |add edx,4 0041B0AA |. 0AE4 |or ah,ah 0041B0AC |.^ 75 D2 /jnz short winimage.0041B080 ; 循环比较注册码 0041B0AE |. 8BFF mov edi,edi 0041B0B0 |> 33C0 xor eax,eax 0041B0B2 |. C3 retn 0041B0B3 | 90 nop 0041B0B4 |> 1BC0 sbb eax,eax 0041B0B6 |. D1E0 shl eax,1 0041B0B8 |. 83C0 01 add eax,1 0041B0BB |. 
C3 retn 这个算法比较简单,对用户名转换为大写后,进行计算,对计算后的值每一位比较,如果为8则转换为B, 如果为B则转换为8,最后结果再与输入的注册码的每一位进行比较。。。 附件中有注册机完整源代码,请高手指出不足,在此表示感谢。。。 -------------------------------------------------------------------------------- 【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢! 2007年10月15日