小李注册表大师 v1.41 注册算法分析－－献给 LILITH 和解密算法初学者 (10千字)

发布者：Editor

发布于：2001-11-09 19:09

小李注册表大师 v1.41 注册算法分析－－献给 LILITH 和解密算法初学者

作者：PaulYoung （属于 China Cracking Group ）
难度：0 级　（共分 10 级，0 级最易）
软件：小李注册表大师 v1.41
下载：http://www.csdn.net/soft/openfile.asp?kind=1&id=14499 ( 456 KB )
简介：看软件名就知道干啥用的了
工具：SoftICE V4.05
日期：2001.11.07

************************************************************************************************

　　今天，“理你死”？？！！哦……不是，是“LILITH”（MM ?! 　:)~ No, 靓仔一名 :( ），在看雪论坛发篇关于小李注册表大师 v1.41 的注册码 D 注册码大法，可惜此兄太懒，不愿跟算法，无奈，就让我这个当师父的来代劳吧。
　　这个软件是明码比较，非常傻瓜的那种，如何取注册码， LILITH 兄已经说得非常清楚了，在此我就省略那些无关枝节吧，重点分析它的注册算法。

　　Let's Go!! 想学算法的 Cracker 们！

　　为方便大家理解，以我的注册序列号" 1D6D-17E5 "和输入的用户名是" CCG "为例，说说这个软件的注册算法。跟踪法请看 LILITH 大侠的文章 :) 。

== 1 ==

* Possible StringData Ref from Code Obj ->"key"
|
:00490EF1 BAD4104900 mov edx, 004910D4
:00490EF6 E88562FEFF call 00477180
:00490EFB A1D4034A00 mov eax, dword ptr [004A03D4]
:00490F00 8B00 mov eax, dword ptr [eax]
:00490F02 E8D95BFEFF call 00476AE0
:00490F07 8D55E8 lea edx, dword ptr [ebp-18]
:00490F0A A1EC024A00 mov eax, dword ptr [004A02EC]
:00490F0F 8B00 mov eax, dword ptr [eax]
:00490F11 E88673F7FF call 0040829C //取序列号"1D6D-17E5"
:00490F16 8D45E8 lea eax, dword ptr [ebp-18]
:00490F19 50 push eax
:00490F1A 8D55E4 lea edx, dword ptr [ebp-1C]
:00490F1D 8B83DC020000 mov eax, dword ptr [ebx+000002DC]
:00490F23 E89403FAFF call 004312BC
:00490F28 8B55E4 mov edx, dword ptr [ebp-1C]
:00490F2B 58 pop eax
:00490F2C E8372EF7FF call 00403D68 //取用户名"CCG"
:00490F31 8B45E8 mov eax, dword ptr [ebp-18]
:00490F34 8D55EC lea edx, dword ptr [ebp-14]
:00490F37 E86875F7FF call 004084A4 //把序列号小写和用户名连成一串"1d6d-17e5CCG"
:00490F3C 8B55EC mov edx, dword ptr [ebp-14]
:00490F3F A174014A00 mov eax, dword ptr [004A0174]
:00490F44 8B00 mov eax, dword ptr [eax]
:00490F46 8B8064030000 mov eax, dword ptr [eax+00000364]
:00490F4C E8EB2DFEFF call 00473D3C //开始计算，F8跟进
:00490F51 8D45FC lea eax, dword ptr [ebp-04] //下面都是些老掉牙的东东，不用多说
:00490F54 8B1574014A00 mov edx, dword ptr [004A0174]
:00490F5A 8B12 mov edx, dword ptr [edx]
:00490F5C 8B9264030000 mov edx, dword ptr [edx+00000364]
:00490F62 8B524C mov edx, dword ptr [edx+4C]
:00490F65 E80E2CF7FF call 00403B78
:00490F6A 8D55E0 lea edx, dword ptr [ebp-20]
:00490F6D 8B83E0020000 mov eax, dword ptr [ebx+000002E0]
:00490F73 E84403FAFF call 004312BC
:00490F78 8B45E0 mov eax, dword ptr [ebp-20]
:00490F7B 8B55FC mov edx, dword ptr [ebp-04]
:00490F7E E8ED2EF7FF call 00403E70
:00490F83 7567 jne 00490FEC
:00490F85 8D55D8 lea edx, dword ptr [ebp-28]
:00490F88 8B83DC020000 mov eax, dword ptr [ebx+000002DC]
:00490F8E E82903FAFF call 004312BC
:00490F93 8B4DD8 mov ecx, dword ptr [ebp-28]
:00490F96 8D45DC lea eax, dword ptr [ebp-24]

* Possible StringData Ref from Code Obj ->"小李注册表大师已经注册给"
|
:00490F99 BAE0104900 mov edx, 004910E0

== 2 ==

:00473D3C 55 push ebp
:00473D3D 8BEC mov ebp, esp
:00473D3F 83C4F8 add esp, FFFFFFF8
:00473D42 53 push ebx
:00473D43 56 push esi
:00473D44 33C9 xor ecx, ecx
:00473D46 894DF8 mov dword ptr [ebp-08], ecx
:00473D49 8955FC mov dword ptr [ebp-04], edx
:00473D4C 8BD8 mov ebx, eax
:00473D4E 8B45FC mov eax, dword ptr [ebp-04]
:00473D51 E8BE01F9FF call 00403F14
:00473D56 33C0 xor eax, eax
:00473D58 55 push ebp
:00473D59 68E33D4700 push 00473DE3
:00473D5E 64FF30 push dword ptr fs:[eax]
:00473D61 648920 mov dword ptr fs:[eax], esp
:00473D64 33F6 xor esi, esi
:00473D66 8D4350 lea eax, dword ptr [ebx+50]
:00473D69 8B55FC mov edx, dword ptr [ebp-04]
:00473D6C E8C3FDF8FF call 00403B34
:00473D71 8B4350 mov eax, dword ptr [ebx+50]
:00473D74 E8E7FFF8FF call 00403D60 //取字符串"1d6d-17e5CCG"长度，保存到 eax
:00473D79 85C0 test eax, eax
:00473D7B 7E20 jle 00473D9D
:00473D7D 8B4350 mov eax, dword ptr [ebx+50]
:00473D80 E8DBFFF8FF call 00403D60 //取字符串"1d6d-17e5CCG"长度，保存到 eax
:00473D85 85C0 test eax, eax
:00473D87 7C14 jl 00473D9D
:00473D89 40 inc eax // eax+1 ，即字符串长度加1，就是下面的循环次数
:00473D8A 33D2 xor edx, edx // edx 初始值为 0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00473D9B(C)
|
:00473D8C 8B4B50 mov ecx, dword ptr [ebx+50] //载入字符串
:00473D8F 0FB64C11FF movzx ecx, byte ptr [ecx+edx-01] //依次取字符串以ASCII形式保存到 ecx ,第一次循环值为0
:00473D94 03F1 add esi, ecx //与上一次循环后得到的累加值相加
:00473D96 037354 add esi, dword ptr [ebx+54] //当前字符 ASCII 值 + 57791
:00473D99 42 inc edx // edx 递增
:00473D9A 48 dec eax // eax 即循环次数递减
:00473D9B 75EF jne 00473D8C // eax>0 ?未算完，继续吧…… :(

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00473D7B(C), :00473D87(C)
|
:00473D9D 8D55F8 lea edx, dword ptr [ebp-08]
:00473DA0 8BC6 mov eax, esi //把累加值"752094"放到 eax
:00473DA2 E87D48F9FF call 00408624
:00473DA7 FF7344 push [ebx+44]
:00473DAA FF75F8 push [ebp-08]
:00473DAD FF7348 push [ebx+48]
:00473DB0 8D45F8 lea eax, dword ptr [ebp-08]
:00473DB3 BA03000000 mov edx, 00000003 //把 edx 置值为3，即下面循环的次数
:00473DB8 E86300F9FF call 00403E20 //再次运算，F8进入
:00473DBD 8D434C lea eax, dword ptr [ebx+4C]

== 3 ==

:00403E20 53 push ebx
:00403E21 56 push esi
:00403E22 52 push edx
:00403E23 50 push eax
:00403E24 89D3 mov ebx, edx
:00403E26 31C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403E34(C)
|
:00403E28 8B4C9410 mov ecx, dword ptr [esp+4*edx+10] -----
:00403E2C 85C9 test ecx, ecx |
:00403E2E 7403 je 00403E33 |
:00403E30 0341FC add eax, dword ptr [ecx-04] |循环 3 次，
|在"752094"前后分别
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |加上"8" , "2"
|:00403E2E(C) |
| |
:00403E33 4A dec edx　　　　//循环次数递减 |
:00403E34 75F2 jne 00403E28 -----------------------
:00403E36 E869FDFFFF call 00403BA4
:00403E3B 50 push eax
:00403E3C 89C6 mov esi, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403E53(C)
|
:00403E3E 8B449C14 mov eax, dword ptr [esp+4*ebx+14] -------------
:00403E42 89F2 mov edx, esi |
:00403E44 85C0 test eax, eax |
:00403E46 740A je 00403E52 |
:00403E48 8B48FC mov ecx, dword ptr [eax-04] |
:00403E4B 01CE add esi, ecx |再循环3次，
:00403E4D E8F6EAFFFF call 00402948 |检查注册码格式
                                   |
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |
|:00403E46(C)                                    |
|                                        |
:00403E52 4B dec ebx   　　//循环次数递减     |
:00403E53 75E9 jne 00403E3E-----------------------------------
:00403E55 5A pop edx
:00403E56 58 pop eax
:00403E57 85D2 test edx, edx
:00403E59 7403 je 00403E5E
:00403E5B FF4AF8 dec [edx-08]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403E59(C)
|
:00403E5E E8D1FCFFFF call 00403B34 //至此，正确的注册码已经生成！
:00403E63 5A pop edx
:00403E64 5E pop esi
:00403E65 5B pop ebx
:00403E66 58 pop eax
:00403E67 8D2494 lea esp, dword ptr [esp+4*edx]
:00403E6A FFE0 jmp eax
:00403E6C C3 ret

算法总结：
　　1、软件取你的硬盘序列号并转换成十六进制，然后在中间加上"-"，作为你的注册序列号（此步可忽略）；
　　2、将你的注册序列号转换成小写并与用户名组成一个字符串；
　　3、将字符串的每个字符都转换成 ASCII ，并逐个循环与 57791 相加并将每次的值累加，循环次数是字符串长度加一，初次循环的累加值为 57791 ，直到取完所有字符为止，如以"1d6d-17e5CCG"为例，计算公式为：57791+(49+57791)+(100+57791)+(54+57791)+(100+57791)+(45+57791)+(49+57791)+(55+57791)+(101+57791)+(53+57791)+(67+57791)+(67+57791)+(71+57791)=(49+100+54+100+45+49+55+101+53+67+67+71)+(13*57791)=752094
　　4、最后，再在752094前后分别加上8、2，变成 87520942 ，就是正确的序列号了。

　　是不是好弱智？？？注册机就有劳伪装者[CCG]教大家如何写了，还有我，呵……

声明：该文观点仅代表作者本人，转载请注明来自看雪