Title: [Repost] FamilyTree 8.0 Registration Algorithm Analysis [Simple]
Author: yongmin
Date: 2006-11-25 10:04
[Target software] FamilyTree 8.0
[Download] http://www.onlinedown.net/soft/51071.htm
[Category] Foreign software / shareware / note management
[Environment] Win9x/Me/NT/2000/XP/2003
[Protection] UPX, Login (E-Mail), Password
[Tools] OllyDbg, PEiD
[Author's note] I am a beginner at cracking; I do this purely out of interest, to pass spare time. Please correct any mistakes.
[Software info] A program for building family trees. You can build detailed genealogies and add photos and biographies; the interface is clean and attractive.
I. Preparation
PEiD check: UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
Unpacking is omitted; after unpacking, PEiD reports: Borland Delphi 6.0 - 7.0
Input Login (E-Mail): wzwgp@163.com Password: 12345678
DeDe locates the register button handler at 005357B4
II. Algorithm trace
005357B4 55 PUSH EBP
005357B5 8BEC MOV EBP,ESP
005357B7 B9 0D000000 MOV ECX,0D
005357BC 6A 00 PUSH 0
005357BE 6A 00 PUSH 0
005357C0 49 DEC ECX
005357C1 ^ 75 F9 JNZ SHORT tk.005357BC
005357C3 53 PUSH EBX
005357C4 56 PUSH ESI
005357C5 57 PUSH EDI
005357C6 8BF8 MOV EDI,EAX
005357C8 33C0 XOR EAX,EAX
005357CA 55 PUSH EBP
005357CB 68 955C5300 PUSH tk.00535C95
005357D0 64:FF30 PUSH DWORD PTR FS:[EAX]
005357D3 64:8920 MOV DWORD PTR FS:[EAX],ESP
005357D6 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
005357D9 8B87 F0020000 MOV EAX,DWORD PTR DS:[EDI+2F0]
005357DF E8 1464F1FF CALL tk.0044BBF8 ; fetch the E-Mail field, call it E
005357E4 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30] ; [EBP-30]=E
005357E7 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
005357EA E8 513FEDFF CALL tk.00409740
005357EF 837D D4 00 CMP DWORD PTR SS:[EBP-2C],0
005357F3 75 2E JNZ SHORT tk.00535823 ; jump if Login (E-Mail) is non-empty
005357F5 8B15 EC035700 MOV EDX,DWORD PTR DS:[5703EC] ; tk.00575A38
005357FB 8B12 MOV EDX,DWORD PTR DS:[EDX]
005357FD A1 D4035700 MOV EAX,DWORD PTR DS:[5703D4]
00535802 8B00 MOV EAX,DWORD PTR DS:[EAX]
00535804 8B80 F4020000 MOV EAX,DWORD PTR DS:[EAX+2F4]
0053580A E8 1964F1FF CALL tk.0044BC28
0053580F A1 D4035700 MOV EAX,DWORD PTR DS:[5703D4]
00535814 8B00 MOV EAX,DWORD PTR DS:[EAX]
00535816 8B10 MOV EDX,DWORD PTR DS:[EAX]
00535818 FF92 E8000000 CALL NEAR DWORD PTR DS:[EDX+E8]
0053581E E9 1D040000 JMP tk.00535C40
00535823 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
00535826 8B87 F4020000 MOV EAX,DWORD PTR DS:[EDI+2F4]
0053582C E8 572BF5FF CALL tk.00488388
00535831 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
00535834 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
00535837 E8 043FEDFF CALL tk.00409740
0053583C 837D CC 00 CMP DWORD PTR SS:[EBP-34],0
00535840 75 2E JNZ SHORT tk.00535870 ; jump if Password is non-empty
00535842 8B15 EC035700 MOV EDX,DWORD PTR DS:[5703EC] ; tk.00575A38
00535848 8B12 MOV EDX,DWORD PTR DS:[EDX]
0053584A A1 D4035700 MOV EAX,DWORD PTR DS:[5703D4]
0053584F 8B00 MOV EAX,DWORD PTR DS:[EAX]
00535851 8B80 F4020000 MOV EAX,DWORD PTR DS:[EAX+2F4]
00535857 E8 CC63F1FF CALL tk.0044BC28
0053585C A1 D4035700 MOV EAX,DWORD PTR DS:[5703D4]
00535861 8B00 MOV EAX,DWORD PTR DS:[EAX]
00535863 8B10 MOV EDX,DWORD PTR DS:[EAX]
00535865 FF92 E8000000 CALL NEAR DWORD PTR DS:[EDX+E8]
0053586B E9 D0030000 JMP tk.00535C40
00535870 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
00535873 8B87 F0020000 MOV EAX,DWORD PTR DS:[EDI+2F0]
00535879 E8 7A63F1FF CALL tk.0044BBF8
0053587E 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C] ; [EBP-3C] = address of E
00535881 B8 AC5C5300 MOV EAX,tk.00535CAC ; EAX=40 ( @ )
00535886 E8 79FAECFF CALL tk.00405304 ; length of E up to '@' (inclusive)
0053588B 8945 EC MOV DWORD PTR SS:[EBP-14],EAX ; save that length
0053588E 837D EC 00 CMP DWORD PTR SS:[EBP-14],0
00535892 75 2E JNZ SHORT tk.005358C2 ; jump
00535894 8B15 80045700 MOV EDX,DWORD PTR DS:[570480] ; tk.00575A3C
0053589A 8B12 MOV EDX,DWORD PTR DS:[EDX]
0053589C A1 D4035700 MOV EAX,DWORD PTR DS:[5703D4]
005358A1 8B00 MOV EAX,DWORD PTR DS:[EAX]
005358A3 8B80 F4020000 MOV EAX,DWORD PTR DS:[EAX+2F4]
005358A9 E8 7A63F1FF CALL tk.0044BC28
005358AE A1 D4035700 MOV EAX,DWORD PTR DS:[5703D4]
005358B3 8B00 MOV EAX,DWORD PTR DS:[EAX]
005358B5 8B10 MOV EDX,DWORD PTR DS:[EAX]
005358B7 FF92 E8000000 CALL NEAR DWORD PTR DS:[EDX+E8]
005358BD E9 7E030000 JMP tk.00535C40
005358C2 C745 E4 7A0D0000 MOV DWORD PTR SS:[EBP-1C],0D7A ; constant s1=D7A
005358C9 8B75 EC MOV ESI,DWORD PTR SS:[EBP-14] ; [EBP-14] = length of E up to '@'
005358CC 85F6 TEST ESI,ESI
005358CE 7E 24 JLE SHORT tk.005358F4
005358D0 BB 01000000 MOV EBX,1 ; EBX initialised to 1
005358D5 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40] ; [EBP-40]=0
005358D8 8B87 F0020000 MOV EAX,DWORD PTR DS:[EDI+2F0]
005358DE E8 1563F1FF CALL tk.0044BBF8
005358E3 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40] ; [EBP-40] = address of E
005358E6 0FB64418 FF MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] ; take the hex value of the character of E
005358EB F7EB IMUL EBX
005358ED 0145 E4 ADD DWORD PTR SS:[EBP-1C],EAX ; add the product to s1
005358F0 43 INC EBX ; EBX+1
005358F1 4E DEC ESI ; ESI-1
005358F2 ^ 75 E1 JNZ SHORT tk.005358D5 ; loop count = length of E up to '@'
005358F4 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
005358F7 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; [EBP-1C]=1596 (result)
005358FA E8 5D41EDFF CALL tk.00409A5C ; [EAX]=5526 (converted to decimal)
005358FF 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
00535902 8B87 F0020000 MOV EAX,DWORD PTR DS:[EDI+2F0]
00535908 E8 EB62F1FF CALL tk.0044BBF8
0053590D 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
00535910 E8 B3F6ECFF CALL tk.00404FC8
00535915 83F8 00 CMP EAX,0 ; EAX = length of E
00535918 7C 27 JL SHORT tk.00535941
0053591A 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0053591D 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
00535920 8B87 F0020000 MOV EAX,DWORD PTR DS:[EDI+2F0]
00535926 E8 CD62F1FF CALL tk.0044BBF8
0053592B 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48] ; [EBP-48] = address of E
0053592E 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ; [EBP-18] = length of E
00535931 807C10 FF 2E CMP BYTE PTR DS:[EAX+EDX-1],2E ; is [EAX+EDX-1] a 2E ('.') in the E string?
00535936 74 09 JE SHORT tk.00535941 ; jump if the '.' (2E) is found
00535938 FF4D E8 DEC DWORD PTR SS:[EBP-18] ; -1
0053593B 837D E8 FF CMP DWORD PTR SS:[EBP-18],-1
0053593F ^ 75 DC JNZ SHORT tk.0053591D ; loop, checking for "."
00535941 837D E8 00 CMP DWORD PTR SS:[EBP-18],0 ; any characters before "."?
00535945 75 2E JNZ SHORT tk.00535975 ; jump if so
00535947 8B15 80045700 MOV EDX,DWORD PTR DS:[570480] ; tk.00575A3C
0053594D 8B12 MOV EDX,DWORD PTR DS:[EDX]
0053594F A1 D4035700 MOV EAX,DWORD PTR DS:[5703D4]
00535954 8B00 MOV EAX,DWORD PTR DS:[EAX]
00535956 8B80 F4020000 MOV EAX,DWORD PTR DS:[EAX+2F4]
0053595C E8 C762F1FF CALL tk.0044BC28
00535961 A1 D4035700 MOV EAX,DWORD PTR DS:[5703D4]
00535966 8B00 MOV EAX,DWORD PTR DS:[EAX]
00535968 8B10 MOV EDX,DWORD PTR DS:[EAX]
0053596A FF92 E8000000 CALL NEAR DWORD PTR DS:[EDX+E8]
00535970 E9 CB020000 JMP tk.00535C40
00535975 C745 E0 B41C0000 MOV DWORD PTR SS:[EBP-20],1CB4 ; constant s2=1CB4
0053597C 8B5D EC MOV EBX,DWORD PTR SS:[EBP-14] ; [EBP-14] = length up to '@' (inclusive)
0053597F 8B75 E8 MOV ESI,DWORD PTR SS:[EBP-18] ; [EBP-18] = length up to "." (inclusive)
00535982 83EE 02 SUB ESI,2
00535985 2BF3 SUB ESI,EBX
00535987 7C 20 JL SHORT tk.005359A9 ; jump if fewer than 2 characters between '@' and "."
00535989 46 INC ESI ; ESI+1 (restores the count of characters between '@' and ".")
0053598A 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
0053598D 8B87 F0020000 MOV EAX,DWORD PTR DS:[EDI+2F0]
00535993 E8 6062F1FF CALL tk.0044BBF8
00535998 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C] ; [EBP-4C] = address of E
0053599B 0FB64418 FF MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] ; [EAX+EBX-1] = '@', '1', '6'
005359A0 F7EB IMUL EBX ; EBX=6 (length up to '@')
005359A2 0145 E0 ADD DWORD PTR SS:[EBP-20],EAX ; [EBP-20] = s2 plus the product
005359A5 43 INC EBX ; +1
005359A6 4E DEC ESI ; ESI=3
005359A7 ^ 75 E1 JNZ SHORT tk.0053598A
005359A9 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
005359AC 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] ; [EBP-20]=213B (result)
005359AF E8 A840EDFF CALL tk.00409A5C ; [EAX]=8507 (converted to decimal)
005359B4 C745 DC E9100000 MOV DWORD PTR SS:[EBP-24],10E9 ; constant s3=10E9
005359BB 8B5D E8 MOV EBX,DWORD PTR SS:[EBP-18] ; [EBP-18] = length up to "." (inclusive)
005359BE 83EB 02 SUB EBX,2 ; -2
005359C1 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
005359C4 8B87 F0020000 MOV EAX,DWORD PTR DS:[EDI+2F0]
005359CA E8 2962F1FF CALL tk.0044BBF8
005359CF 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50] ; [EBP-50] = address of E
005359D2 E8 F1F5ECFF CALL tk.00404FC8
005359D7 8BF0 MOV ESI,EAX ; EAX = length of the E string
005359D9 2BF3 SUB ESI,EBX ; D-8=5 (number of characters after "." plus 2)
005359DB 7C 20 JL SHORT tk.005359FD
005359DD 46 INC ESI ; ESI+1 again
005359DE 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
005359E1 8B87 F0020000 MOV EAX,DWORD PTR DS:[EDI+2F0]
005359E7 E8 0C62F1FF CALL tk.0044BBF8
005359EC 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54] ; [EBP-54] = address of the E-Mail
005359EF 0FB64418 FF MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] ; E[8,9,10…]
005359F4 F7EB IMUL EBX ; EBX=8
005359F6 0145 DC ADD DWORD PTR SS:[EBP-24],EAX ; constant s3 plus the product
005359F9 43 INC EBX
005359FA 4E DEC ESI
005359FB ^ 75 E1 JNZ SHORT tk.005359DE
005359FD 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00535A00 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24] ; [EBP-24]=252E
00535A03 E8 5440EDFF CALL tk.00409A5C ; converted to decimal, EAX=9518
00535A08 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
00535A0B 8B87 F4020000 MOV EAX,DWORD PTR DS:[EDI+2F4]
00535A11 E8 7229F5FF CALL tk.00488388
00535A16 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ; [EBP-4] = address of the trial code, call it P1-P2-P3
00535A19 B8 B85C5300 MOV EAX,tk.00535CB8 ; "-"
00535A1E E8 E1F8ECFF CALL tk.00405304 ; scan the trial code for "-"
00535A23 8BD8 MOV EBX,EAX ; EAX=P1
00535A25 85DB TEST EBX,EBX
00535A27 75 04 JNZ SHORT tk.00535A2D
00535A29 33F6 XOR ESI,ESI
00535A2B EB 32 JMP SHORT tk.00535A5F
00535A2D 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
00535A30 50 PUSH EAX
00535A31 8BCB MOV ECX,EBX
00535A33 49 DEC ECX
00535A34 BA 01000000 MOV EDX,1
00535A39 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00535A3C E8 DFF7ECFF CALL tk.00405220
00535A41 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58] ; [EBP-58]=P1
00535A44 E8 7740EDFF CALL tk.00409AC0 ; convert to hex
00535A49 8BF0 MOV ESI,EAX
00535A4B 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00535A4E 50 PUSH EAX
00535A4F 8D53 01 LEA EDX,DWORD PTR DS:[EBX+1] ; start position of P2
00535A52 B9 FF000000 MOV ECX,0FF
00535A57 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00535A5A E8 C1F7ECFF CALL tk.00405220
00535A5F 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00535A62 B8 B85C5300 MOV EAX,tk.00535CB8 ; -
00535A67 E8 98F8ECFF CALL tk.00405304
00535A6C 8BD8 MOV EBX,EAX
00535A6E 85DB TEST EBX,EBX
00535A70 75 09 JNZ SHORT tk.00535A7B
00535A72 33C0 XOR EAX,EAX
00535A74 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
00535A77 33C0 XOR EAX,EAX
00535A79 EB 3B JMP SHORT tk.00535AB6
00535A7B 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00535A7E 50 PUSH EAX
00535A7F 8BCB MOV ECX,EBX
00535A81 49 DEC ECX
00535A82 BA 01000000 MOV EDX,1
00535A87 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00535A8A E8 91F7ECFF CALL tk.00405220
00535A8F 8B45 A4 MOV EAX,DWORD PTR SS:[EBP-5C] ; [EBP-5C]=P2
00535A92 E8 2940EDFF CALL tk.00409AC0 ; convert to hex
00535A97 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
00535A9A 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00535A9D 50 PUSH EAX
00535A9E 8D53 01 LEA EDX,DWORD PTR DS:[EBX+1]
00535AA1 B9 FF000000 MOV ECX,0FF
00535AA6 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00535AA9 E8 72F7ECFF CALL tk.00405220
00535AAE 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; [EBP-4]=P3
00535AB1 E8 0A40EDFF CALL tk.00409AC0 ; convert to hex
00535AB6 3B75 E4 CMP ESI,DWORD PTR SS:[EBP-1C] ; ESI=P1 [EBP-1C]=1596
00535AB9 0F85 53010000 JNZ tk.00535C12
00535ABF 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
00535AC2 3B55 E0 CMP EDX,DWORD PTR SS:[EBP-20] ; EDX=P2 [EBP-20]=213B
00535AC5 0F85 47010000 JNZ tk.00535C12
00535ACB 3B45 DC CMP EAX,DWORD PTR SS:[EBP-24] ; EAX=P3 [EBP-24]=252E
00535ACE 0F85 3E010000 JNZ tk.00535C12
00535AD4 B2 01 MOV DL,1
00535AD6 A1 442B4700 MOV EAX,DWORD PTR DS:[472B44]
00535ADB E8 64D1F3FF CALL tk.00472C44
00535AE0 A3 645A5700 MOV DWORD PTR DS:[575A64],EAX
III. Algorithm summary
1. Registration code format: ****-****-**** (P1-P2-P3)
2. Login (E-Mail): wzwgp@163.com (0x 777A776770403136332E636F6D)
Each part is a constant plus the sum, over a range of characters, of each character's hex value multiplied by its 1-based index.
P1 covers the E-Mail from the first character through "@" (inclusive)
s1=D7A (constant)
P1=s1+(77*1)+(7A*2)+(77*3)+(67*4)+(70*5)+(40*6)=1596
Converted to decimal: P1=5526
P2 starts at "@" (inclusive); the number of characters taken equals the number of characters between "@" and "."
s2=1CB4 (constant)
P2=s2+(40*6)+(31*7)+(36*8)=213B
Converted to decimal: P2=8507
P3 starts at the position equal to the E-Mail length minus (the number of characters after "." plus 2), and runs to the last character
s3=10E9 (constant)
P3=s3+(36*8)+(33*9)+(2E*A)+(63*B)+(6F*C)+(6D*D)=252E
Converted to decimal: P3=9518
Password: 5526-8507-9518
Registration information is stored in: HKEY_CURRENT_USER\Software\FamilyTree
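The validation routine traced above, re-implemented in Python as an added example (not code from the original post or from the program), using Delphi's 1-based Pos/Length positions so the three constants and index ranges can be checked against the worked values; the guard for a missing or leading "." is an assumption, since the listing reads outside the string in that case.

```python
# Added example: mirrors the traced check, so the post's arithmetic can be verified.
# Constants s1, s2, s3 are the ones in the listing (0D7A, 1CB4, 10E9).
S1, S2, S3 = 0x0D7A, 0x1CB4, 0x10E9


def weighted_sum(data: bytes, start: int, count: int, seed: int) -> int:
    """seed + sum(byte * index) over 1-based positions start .. start+count-1,
    the MOVZX / IMUL EBX / ADD loop from the listing."""
    total = seed
    for idx in range(start, start + count):
        total += data[idx - 1] * idx
    return total


def compute_parts(email: str):
    """Return (P1, P2, P3) as decimal ints, or None where the routine rejects
    the input (no '@') or would read outside the string (assumption: '.' missing
    or at position 1 or 2, which the listing does not guard against)."""
    e = email.encode("latin-1")
    at = e.find(b"@") + 1          # Delphi Pos: 1-based, 0 means not found
    if at == 0:
        return None
    dot = e.rfind(b".") + 1        # the listing scans backwards from Length(E)
    if dot < 3:
        return None
    p1 = weighted_sum(e, 1, at, S1)                   # positions 1 .. '@'
    p2 = weighted_sum(e, at, max(0, dot - at - 1), S2)  # from '@', count = chars between '@' and '.'
    p3 = weighted_sum(e, dot - 2, len(e) - (dot - 2) + 1, S3)  # dot-2 .. last char
    return p1, p2, p3


def check_registration(email: str, password: str) -> bool:
    """The final three CMP/JNZ checks: P1-P2-P3 parsed as decimals must equal
    the sums. Because the code is derived from the login alone with no secret,
    anyone who reads the routine can reproduce it, which is the post's point."""
    parts = compute_parts(email)
    if parts is None:
        return False
    try:
        given = tuple(int(x) for x in password.split("-"))
    except ValueError:
        return False
    return len(given) == 3 and given == parts
```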