Title: A simple analysis of the Source Insight 3.5 algorithm
From: wzh123
Time: 2003-10-17 10:51
Details:
A simple analysis of the Source Insight 3.5 algorithm
Cracker: wzh123
Download: http://www.sourceinsight.com/index.html
Overview: It is a C++ development environment with an interface as attractive as Dev-C++'s. It provides code editing and viewing, rich syntax highlighting, automatic pop-up hints for member functions like VC, and fast, convenient jumping between functions (although the jumps seem a bit slow). Only when the default settings don't suit you do they need careful adjustment. It cannot look up names that have been typedef'd.
Author's note: This is for study only, with no other purpose. I am a beginner at cracking, so mistakes are unavoidable and the writing is messy; please bear with me, and I ask the experts to correct me. I haven't done any cracking for a long time and am rusty, so I grabbed a simple one to practice on. This program is written in VC, is not packed, and the algorithm is not hard; disassembling it with W32Dasm quickly locates the key point, and then you can set a breakpoint in OllyDbg. Enter the fake code "SI3US-123456-78901"; why it is entered this way will become clear from the analysis. Below are the notes I made while tracing; they are rough, but they basically reflect the whole registration flow.
:00445D7C 683CC85800 push 0058C83C
:00445D81 E8AC4EFFFF call 0043AC32
:00445D86 683CC85800 push 0058C83C
:00445D8B E81E1D0D00 call 00517AAE
:00445D90 59 pop ecx
:00445D91 683CC85800 push 0058C83C =======>push the fake code
:00445D96 E848C6FFFF call 004423E3 =======>key call (1), step into it
:00445D9B 85C0 test eax, eax =======>test whether eax is zero
:00445D9D 7450 je 00445DEF =======>jumps if zero: failure
:00445D9F 683CC85800 push 0058C83C =======>non-zero: success, write to the registry
* Possible StringData Ref from Data Obj ->"SerialNumber"
|
:00445DA4 683C5A5600 push 00565A3C
:00445DA9 FF355C025700 push dword ptr [0057025C]
:00445DAF E8FADDFEFF call 00433BAE =======>write the registry
:00445DB4 85C0 test eax, eax
:00445DB6 751B jne 00445DD3 =======>jumps if the registry write succeeded
* Possible StringData Ref from Data Obj ->"You need permission to modify "
->"the HKEY_LOCAL_MACHINE registry "
->"hive.
Please run Source Insight "
->"again while logged in as an Administrator "
->"or equivalent user."
|
:00445DB8 6820BE5200 push 0052BE20
:00445DBD E81022FCFF call 00407FD2
:00445DC2 59 pop ecx
:00445DC3 68E8030000 push 000003E8
* Reference To: KERNEL32.Sleep, Ord:0329h
|
:00445DC8 FF15DC325200 Call dword ptr [005232DC]
:00445DCE E9C0FEFFFF jmp 00445C93
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00445DB6(C)
|
:00445DD3 832524C8580000 and dword ptr [0058C824], 00000000
:00445DDA E8B9BAFFFF call 00441898
* Possible StringData Ref from Data Obj ->"Thank you for registering Source "=====>haha, the door to success
->"Insight!"
|
:00445DDF 68C0BE5200 push 0052BEC0
:00445DE4 E82923FCFF call 00408112
:00445DE9 59 pop ecx
:00445DEA 6A01 push 00000001
:00445DEC 58 pop eax
:00445DED EB1D jmp 00445E0C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00445D9D(C)
|
* Possible StringData Ref from Data Obj ->"You typed an invalid serial number."====>failure
|
:00445DEF 68ECBE5200 push 0052BEEC
:00445DF4 E8D921FCFF call 00407FD2
:00445DF9 59 pop ecx
:00445DFA 68E8030000 push 000003E8
* Reference To: KERNEL32.Sleep, Ord:0329h
|
:00445DFF FF15DC325200 Call dword ptr [005232DC]
:00445E05 E989FEFFFF jmp 00445C93
===================key call (1)======================
:004423E3 55 push ebp
:004423E4 8BEC mov ebp, esp
:004423E6 83EC18 sub esp, 00000018
:004423E9 57 push edi
:004423EA 6A2D push 0000002D =======> push "-"
:004423EC FF7508 push [ebp+08] =======> push the fake code "SI3US-123456-78901"
:004423EF E89C460D00 call 00516A90 =======>this call checks whether the entered serial contains "-"
:004423F4 59 pop ecx
:004423F5 59 pop ecx
:004423F6 8945F8 mov dword ptr [ebp-08], eax
:004423F9 837DF800 cmp dword ptr [ebp-08], 00000000
:004423FD 7507 jne 00442406 =======>must jump here, otherwise failure, so the serial must contain "-"
:004423FF 33C0 xor eax, eax
:00442401 E905010000 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004423FD(C)
|
:00442406 8B55F8 mov edx, dword ptr [ebp-08] =======>"-123456-78901" => edx
:00442409 2B5508 sub edx, dword ptr [ebp+08]
* Possible StringData Ref from Data Obj ->"SI3US"
|
:0044240C BFD42F5600 mov edi, 00562FD4 =======>"SI3US" => edi
:00442411 83C9FF or ecx, FFFFFFFF
:00442414 33C0 xor eax, eax
:00442416 F2 repnz
:00442417 AE scasb
:00442418 F7D1 not ecx
:0044241A 49 dec ecx
:0044241B 3BD1 cmp edx, ecx ======>the segment above establishes the serial format: the first part of the serial has five characters
:0044241D 7407 je 00442426 =======>must jump
:0044241F 33C0 xor eax, eax
:00442421 E9E5000000 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044241D(C)
|
* Possible StringData Ref from Data Obj ->"SI3US"
|
:00442426 BFD42F5600 mov edi, 00562FD4
:0044242B 83C9FF or ecx, FFFFFFFF
:0044242E 33C0 xor eax, eax
:00442430 F2 repnz
:00442431 AE scasb
:00442432 F7D1 not ecx
:00442434 49 dec ecx
:00442435 51 push ecx
* Possible StringData Ref from Data Obj ->"SI3US"
|
:00442436 68D42F5600 push 00562FD4 =======>push "SI3US"
:0044243B FF7508 push [ebp+08] =======>push the fake code "SI3US-123456-78901"
:0044243E E88420FDFF call 004144C7 =======>compares the first five characters, so the first five characters of a real code are "SI3US"
:00442443 85C0 test eax, eax
:00442445 7507 jne 0044244E =======>must jump
:00442447 33C0 xor eax, eax
:00442449 E9BD000000 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00442445(C)
|
:0044244E 8B45F8 mov eax, dword ptr [ebp-08]
:00442451 40 inc eax
:00442452 8945F8 mov dword ptr [ebp-08], eax
:00442455 8B45F8 mov eax, dword ptr [ebp-08]
:00442458 8945F0 mov dword ptr [ebp-10], eax
:0044245B 6A2D push 0000002D =======>push "-"
:0044245D FF75F8 push [ebp-08] =======>push the fake code "123456-78901"
:00442460 E82B460D00 call 00516A90 =======>check whether it contains "-"
:00442465 59 pop ecx
:00442466 59 pop ecx
:00442467 8945EC mov dword ptr [ebp-14], eax
:0044246A 837DEC00 cmp dword ptr [ebp-14], 00000000
:0044246E 7507 jne 00442477 =======>must jump
:00442470 33C0 xor eax, eax
:00442472 E994000000 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044246E(C)
|
:00442477 8B45EC mov eax, dword ptr [ebp-14]
:0044247A 802000 and byte ptr [eax], 00
:0044247D 8B45EC mov eax, dword ptr [ebp-14]
:00442480 2B45F0 sub eax, dword ptr [ebp-10]
:00442483 83F806 cmp eax, 00000006 ======>the middle part of the serial has 6 characters
:00442486 7404 je 0044248C ======>must jump
:00442488 33C0 xor eax, eax
:0044248A EB7F jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00442486(C)
|
:0044248C 8B45F0 mov eax, dword ptr [ebp-10]
:0044248F 8945E8 mov dword ptr [ebp-18], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004424B3(U)
|
:00442492 8B45E8 mov eax, dword ptr [ebp-18]
:00442495 0FB600 movzx eax, byte ptr [eax]
:00442498 8B4DF0 mov ecx, dword ptr [ebp-10]
:0044249B 0FB609 movzx ecx, byte ptr [ecx]
:0044249E 3BC1 cmp eax, ecx
:004424A0 7513 jne 004424B5
:004424A2 8B45E8 mov eax, dword ptr [ebp-18]
:004424A5 0FB600 movzx eax, byte ptr [eax]
:004424A8 85C0 test eax, eax
:004424AA 7409 je 004424B5
:004424AC 8B45E8 mov eax, dword ptr [ebp-18]
:004424AF 40 inc eax
:004424B0 8945E8 mov dword ptr [ebp-18], eax
:004424B3 EBDD jmp 00442492 ========checks that the characters of the second part of the serial are not all identical
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004424A0(C), :004424AA(C)
|
:004424B5 8B45E8 mov eax, dword ptr [ebp-18]
:004424B8 0FB600 movzx eax, byte ptr [eax]
:004424BB F7D8 neg eax
:004424BD 1BC0 sbb eax, eax
:004424BF 40 inc eax
:004424C0 85C0 test eax, eax
:004424C2 7404 je 004424C8
:004424C4 33C0 xor eax, eax
:004424C6 EB43 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004424C2(C)
|
:004424C8 8B45EC mov eax, dword ptr [ebp-14]
:004424CB 40 inc eax
:004424CC 8945F4 mov dword ptr [ebp-0C], eax
:004424CF 8B7DF4 mov edi, dword ptr [ebp-0C]
:004424D2 83C9FF or ecx, FFFFFFFF
:004424D5 33C0 xor eax, eax
:004424D7 F2 repnz
:004424D8 AE scasb
:004424D9 F7D1 not ecx
:004424DB 49 dec ecx
:004424DC 83F905 cmp ecx, 00000005 =======>means the last part of the serial has five characters, so the serial format is SI3US-******-*****
:004424DF 7404 je 004424E5 =======>must jump
:004424E1 33C0 xor eax, eax
:004424E3 EB26 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004424DF(C)
|
:004424E5 FF75F0 push [ebp-10] =======>push the second part of the fake code, "123456"
:004424E8 E850E00A00 call 004F053D =======>key call (2)
:004424ED 8945FC mov dword ptr [ebp-04], eax
======>"123456" transformed into the code "168DB" => [ebp-04]
:004424F0 FF75F4 push [ebp-0C] =======>push the third part of the fake code, "78901"
:004424F3 E87A450D00 call 00516A72 =======>converts "78901" to hexadecimal "13435"
:004424F8 59 pop ecx
:004424F9 3945FC cmp dword ptr [ebp-04], eax====>the key comparison; if equal, registration succeeds
:004424FC 7404 je 00442502
:004424FE 33C0 xor eax, eax
:00442500 EB09 jmp 0044250B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004424FC(C)
|
:00442502 8B45EC mov eax, dword ptr [ebp-14]
:00442505 C6002D mov byte ptr [eax], 2D
:00442508 6A01 push 00000001
:0044250A 58 pop eax
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00442401(U), :00442421(U), :00442449(U), :00442472(U), :0044248A(U)
|:004424C6(U), :004424E3(U), :00442500(U)
|
:0044250B 5F pop edi
:0044250C C9 leave
:0044250D C20400 ret 0004
=====================================call (2)============================================
:004F053D 55 push ebp
:004F053E 8BEC mov ebp, esp
:004F0540 83EC10 sub esp, 00000010
:004F0543 FF7508 push [ebp+08]
:004F0546 E827650200 call 00516A72 =======>"123456" converted to hexadecimal "1E240"
:004F054B 59 pop ecx
:004F054C 8945F0 mov dword ptr [ebp-10], eax
:004F054F 8B45F0 mov eax, dword ptr [ebp-10]
:004F0552 8945FC mov dword ptr [ebp-04], eax
:004F0555 8365F400 and dword ptr [ebp-0C], 00000000
:004F0559 8B4508 mov eax, dword ptr [ebp+08]
:004F055C 8945F8 mov dword ptr [ebp-08], eax
:004F055F EB07 jmp 004F0568
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F059C(U)
|
:004F0561 8B45F8 mov eax, dword ptr [ebp-08]
:004F0564 40 inc eax
:004F0565 8945F8 mov dword ptr [ebp-08], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F055F(U)
|
:004F0568 8B45F8 mov eax, dword ptr [ebp-08] =======>"123456" ==> eax
:004F056B 0FB600 movzx eax, byte ptr [eax] =======>fetch the characters of "123456" one at a time => eax
:004F056E 85C0 test eax, eax
:004F0570 742C je 004F059E
:004F0572 8B45F8 mov eax, dword ptr [ebp-08]
:004F0575 0FB600 movzx eax, byte ptr [eax]
:004F0578 8B4DF4 mov ecx, dword ptr [ebp-0C] =======>ecx=0
:004F057B 33048DDC2F5600 xor eax, dword ptr [4*ecx+00562FDC]
1. 31^96=A7==>eax
2. 32^95=A7==>eax
3. 33^10=23==>eax
4. 34^23=17==>eax
5. 35^7=32==>eax
6. 36^15=23==>eax
============================memory at [00562FDC]===============================
00562FDC 96 00 00 00 95 00 00 00 10 00 00 00 23 00 00 00 ?..?.....#... 0
00562FEC 07 00 00 00 15 00 00 00 08 00 00 00 03 00 00 00 ............
00562FFC 10 00 00 00 11 00 00 00 01 00 00 00 53 65 72 76 .........Serv
===========================================================================
:004F0582 8B4DFC mov ecx, dword ptr [ebp-04]
:004F0585 8D0488 lea eax, dword ptr [eax+4*ecx]
1. eax=A7+4*1E240=789A7
2. eax=A7+4*789A7=1E2743
3. eax=23+4*1E2743=789D2F
4. eax=17+4*789D2F=1E274D3
5. eax=32+4*1E274D3=789D37E
6. eax=23+4*789D37E=1E274E1B
:004F0588 8945FC mov dword ptr [ebp-04], eax
:004F058B 8B45F4 mov eax, dword ptr [ebp-0C]
:004F058E 40 inc eax
:004F058F 8945F4 mov dword ptr [ebp-0C], eax
:004F0592 837DF40A cmp dword ptr [ebp-0C], 0000000A
:004F0596 7504 jne 004F059C
:004F0598 8365F400 and dword ptr [ebp-0C], 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F0596(C)
|
:004F059C EBC3 jmp 004F0561 ========loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004F0570(C)
|
:004F059E 8B45FC mov eax, dword ptr [ebp-04] =======>"1E274E1B" ==> eax
:004F05A1 33D2 xor edx, edx =======>clear edx
:004F05A3 B9A0860100 mov ecx, 000186A0 "186A0"==>ecx
:004F05A8 F7F1 div ecx 1E274E1B/186A0
:004F05AA 8BC2 mov eax, edx remainder "168DB"==>eax
:004F05AC C9 leave
:004F05AD C20400 ret 0004
Algorithm summary:
1. The serial format is SI3US-m1m2m3m4m5m6-m7m8m9m10m11
2. Transform m1m2m3m4m5m6 to obtain sn1
3. Convert m7m8m9m10m11 to hexadecimal to obtain sn2
4. If sn1 = sn2, registration succeeds
5. The serial is stored under HKEY_LOCAL_MACHINE\SOFTWARE\Source Dynamics\Source Insight\3.0\Install\SerialNumber; after deleting it you can register again.
A working serial: SI3US-123456-92379
Note: I don't know whether this program has any hidden checks; I haven't used it, so I can't say. Anyone interested can take a look.