某光盘数据、多媒体恢复工具算法分析
无壳,常规的断点一路追到这里,即验证过程
0041A980 /. 55 push ebp
0041A981 |. 8BEC mov ebp, esp
0041A983 |. 83EC 20 sub esp, 20
0041A986 |. 894D E0 mov dword ptr [ebp-20], ecx
0041A989 |. 6A 01 push 1
0041A98B |. 8B4D E0 mov ecx, dword ptr [ebp-20]
0041A98E |. E8 F3D30100 call 00437D86
0041A993 |. 8B4D E0 mov ecx, dword ptr [ebp-20]
0041A996 |. 83C1 70 add ecx, 70
0041A999 |. E8 F210FFFF call 0040BA90
0041A99E |. 83F8 02 cmp eax, 2
0041A9A1 |. 7D 13 jge short 0041A9B6 ; 用户名长度小于2则失
败
0041A9A3 |. 6A 00 push 0
0041A9A5 |. 6A 00 push 0
0041A9A7 |. 68 F8E34400 push 0044E3F8 ; ASCII “Please input
correct User Name!”
0041A9AC |. E8 58710200 call 00441B09
0041A9B1 |. E9 A9020000 jmp 0041AC5F
0041A9B6 |> 8B4D E0 mov ecx, dword ptr [ebp-20]
0041A9B9 |. 83C1 74 add ecx, 74
0041A9BC |. E8 CF10FFFF call 0040BA90
0041A9C1 |. 83F8 08 cmp eax, 8
0041A9C4 |. 7D 13 jge short 0041A9D9 ; 注册码长度小于8则失
败
0041A9C6 |. 6A 00 push 0
0041A9C8 |. 6A 00 push 0
0041A9CA |. 68 18E44400 push 0044E418 ; ASCII “Please input
correct Registration Code!”
0041A9CF |. E8 35710200 call 00441B09
0041A9D4 |. E9 86020000 jmp 0041AC5F
0041A9D9 |> 6A 00 push 0 ; /Arg1 = 00000000
0041A9DB |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; |
0041A9DE |. 83C1 70 add ecx, 70 ; |
0041A9E1 |. E8 0ACEFFFF call 004177F0 ; \CDDVDDR.004177F0
0041A9E6 |. 8845 EF mov byte ptr [ebp-11], al ; 取用户名第一位,var1
0041A9E9 |. 6A 01 push 1 ; /Arg1 = 00000001
0041A9EB |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; |
0041A9EE |. 83C1 70 add ecx, 70 ; |
0041A9F1 |. E8 FACDFFFF call 004177F0 ; \CDDVDDR.004177F0
0041A9F6 |. 8845 F8 mov byte ptr [ebp-8], al ; 取用户名第二位,var2
0041A9F9 |. 6A 00 push 0 ; /Arg1 = 00000000
0041A9FB |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; |
0041A9FE |. 83C1 70 add ecx, 70 ; |
0041AA01 |. E8 EACDFFFF call 004177F0 ; \CDDVDDR.004177F0
0041AA06 |. 8845 FF mov byte ptr [ebp-1], al ; 取用户名第一位,var3
0041AA09 |. 6A 01 push 1 ; /Arg1 = 00000001
0041AA0B |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; |
0041AA0E |. 83C1 70 add ecx, 70 ; |
0041AA11 |. E8 DACDFFFF call 004177F0 ; \CDDVDDR.004177F0
0041AA16 |. 8845 FA mov byte ptr [ebp-6], al ; 取用户名第二位,var4
0041AA19 |. 0FB645 EF movzx eax, byte ptr [ebp-11]
0041AA1D |. 83C8 43 or eax, 43 ; var1=var1 or 43h
0041AA20 |. 8845 EF mov byte ptr [ebp-11], al
0041AA23 |. 0FB64D F8 movzx ecx, byte ptr [ebp-8]
0041AA27 |. 83C9 44 or ecx, 44 ; var2=var2 or 44h
0041AA2A |. 884D F8 mov byte ptr [ebp-8], cl
0041AA2D |. 0FB655 FF movzx edx, byte ptr [ebp-1]
0041AA31 |. 83CA 52 or edx, 52 ; var3=var3 or 52h
0041AA34 |. 8855 FF mov byte ptr [ebp-1], dl
0041AA37 |. 0FB645 FA movzx eax, byte ptr [ebp-6]
0041AA3B |. 83C8 45 or eax, 45 ; var4=var4 or 45h
0041AA3E |. 8845 FA mov byte ptr [ebp-6], al
0041AA41 |. 0FB645 EF movzx eax, byte ptr [ebp-11]
0041AA45 |. 99 cdq
0041AA46 |. B9 0A000000 mov ecx, 0A
0041AA4B |. F7F9 idiv ecx
0041AA4D |. 8855 EF mov byte ptr [ebp-11], dl ; var1=var1/10 取余
0041AA50 |. 0FB645 F8 movzx eax, byte ptr [ebp-8]
0041AA54 |. 99 cdq
0041AA55 |. B9 0A000000 mov ecx, 0A
0041AA5A |. F7F9 idiv ecx
0041AA5C |. 8855 F8 mov byte ptr [ebp-8], dl ; var2=var2/10 取余
0041AA5F |. 0FB645 FF movzx eax, byte ptr [ebp-1]
0041AA63 |. 99 cdq
0041AA64 |. B9 0A000000 mov ecx, 0A
0041AA69 |. F7F9 idiv ecx
0041AA6B |. 8855 FF mov byte ptr [ebp-1], dl ; var3=var3/10 取余
0041AA6E |. 0FB645 FA movzx eax, byte ptr [ebp-6]
0041AA72 |. 99 cdq
0041AA73 |. B9 0A000000 mov ecx, 0A
0041AA78 |. F7F9 idiv ecx
0041AA7A |. 8855 FA mov byte ptr [ebp-6], dl ; var4=var4/10 取余
0041AA7D |. C745 F0 00000>mov dword ptr [ebp-10], 0
0041AA84 |. C745 E8 00000>mov dword ptr [ebp-18], 0 ; counter
0041AA8B |. EB 09 jmp short 0041AA96
0041AA8D |> 8B55 E8 /mov edx, dword ptr [ebp-18]
0041AA90 |. 83C2 01 |add edx, 1 ; counter++
0041AA93 |. 8955 E8 |mov dword ptr [ebp-18], edx
0041AA96 |> 8B4D E0 mov ecx, dword ptr [ebp-20]
0041AA99 |. 83C1 70 |add ecx, 70
0041AA9C |. E8 EF0FFFFF |call 0040BA90 ; 取用户名长度
0041AAA1 |. 3945 E8 |cmp dword ptr [ebp-18], eax
0041AAA4 |. 7D 1E |jge short 0041AAC4 ; 循环次数=用户名长度
0041AAA6 |. 8B45 E8 |mov eax, dword ptr [ebp-18]
0041AAA9 |. 50 |push eax ; /Arg1
0041AAAA |. 8B4D E0 |mov ecx, dword ptr [ebp-20] ; |
0041AAAD |. 83C1 70 |add ecx, 70 ; |
0041AAB0 |. E8 3BCDFFFF |call 004177F0 ; \CDDVDDR.004177F0
0041AAB5 |. 8845 E7 |mov byte ptr [ebp-19], al ; 顺次取用户名字符
0041AAB8 |. 0FB64D E7 |movzx ecx, byte ptr [ebp-19]
0041AABC |. 034D F0 |add ecx, dword ptr [ebp-10]
0041AABF |. 894D F0 |mov dword ptr [ebp-10], ecx ; 累加
0041AAC2 |.^ EB C9 \jmp short 0041AA8D
0041AAC4 |> 8B45 F0 mov eax, dword ptr [ebp-10] ; 取累加值
0041AAC7 |. 99 cdq
0041AAC8 |. B9 0A000000 mov ecx, 0A
0041AACD |. F7F9 idiv ecx
0041AACF |. 8855 F4 mov byte ptr [ebp-C], dl ; 除以10取余,m
0041AAD2 |. 6A 00 push 0 ; /Arg1 = 00000000
0041AAD4 |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; |
0041AAD7 |. 83C1 74 add ecx, 74 ; |
0041AADA |. E8 11CDFFFF call 004177F0 ; \CDDVDDR.004177F0
0041AADF |. 8845 FC mov byte ptr [ebp-4], al ; 取注册码第1位,var_1
0041AAE2 |. 6A 01 push 1 ; /Arg1 = 00000001
0041AAE4 |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; |
0041AAE7 |. 83C1 74 add ecx, 74 ; |
0041AAEA |. E8 01CDFFFF call 004177F0 ; \CDDVDDR.004177F0
0041AAEF |. 8845 FD mov byte ptr [ebp-3], al ; 取注册码第2位,var_2
0041AAF2 |. 6A 02 push 2 ; /Arg1 = 00000002
0041AAF4 |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; |
0041AAF7 |. 83C1 74 add ecx, 74 ; |
0041AAFA |. E8 F1CCFFFF call 004177F0 ; \CDDVDDR.004177F0
0041AAFF |. 8845 F6 mov byte ptr [ebp-A], al ; 取注册码第3位,var_3
0041AB02 |. 6A 03 push 3 ; /Arg1 = 00000003
0041AB04 |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; |
0041AB07 |. 83C1 74 add ecx, 74 ; |
0041AB0A |. E8 E1CCFFFF call 004177F0 ; \CDDVDDR.004177F0
0041AB0F |. 8845 F5 mov byte ptr [ebp-B], al ; 取注册码第4位,var_4
0041AB12 |. 6A 04 push 4 ; /Arg1 = 00000004
0041AB14 |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; |
0041AB17 |. 83C1 74 add ecx, 74 ; |
0041AB1A |. E8 D1CCFFFF call 004177F0 ; \CDDVDDR.004177F0
0041AB1F |. 8845 F9 mov byte ptr [ebp-7], al ; 取注册码第5位,var_5
0041AB22 |. 6A 05 push 5 ; /Arg1 = 00000005
0041AB24 |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; |
0041AB27 |. 83C1 74 add ecx, 74 ; |
0041AB2A |. E8 C1CCFFFF call 004177F0 ; \CDDVDDR.004177F0
0041AB2F |. 8845 F7 mov byte ptr [ebp-9], al ; 取注册码第6位,var_6
0041AB32 |. 6A 06 push 6 ; /Arg1 = 00000006
0041AB34 |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; |
0041AB37 |. 83C1 74 add ecx, 74 ; |
0041AB3A |. E8 B1CCFFFF call 004177F0 ; \CDDVDDR.004177F0
0041AB3F |. 8845 FE mov byte ptr [ebp-2], al ; 取注册码第7位,var_7
0041AB42 |. 6A 07 push 7 ; /Arg1 = 00000007
0041AB44 |. 8B4D E0 mov ecx, dword ptr [ebp-20] ; |
0041AB47 |. 83C1 74 add ecx, 74 ; |
0041AB4A |. E8 A1CCFFFF call 004177F0 ; \CDDVDDR.004177F0
0041AB4F |. 8845 FB mov byte ptr [ebp-5], al ; 取注册码第8位,var_8
0041AB52 |. 0FB655 EF movzx edx, byte ptr [ebp-11]
0041AB56 |. 0FB645 FC movzx eax, byte ptr [ebp-4]
0041AB5A |. 83E8 30 sub eax, 30 ; /*
0041AB5D |. 3BD0 cmp edx, eax ; var1 <==> var_1-30h
0041AB5F |. 75 3C jnz short 0041AB9D
0041AB61 |. 0FB64D F8 movzx ecx, byte ptr [ebp-8]
0041AB65 |. 0FB655 FD movzx edx, byte ptr [ebp-3]
0041AB69 |. 83EA 30 sub edx, 30
0041AB6C |. 3BCA cmp ecx, edx ; var2 <==> var_2-30h
0041AB6E |. 75 2D jnz short 0041AB9D
0041AB70 |. 0FB645 FF movzx eax, byte ptr [ebp-1]
0041AB74 |. 0FB64D F6 movzx ecx, byte ptr [ebp-A]
0041AB78 |. 83E9 30 sub ecx, 30
0041AB7B |. 3BC1 cmp eax, ecx ; var3 <==> var_3-30h
0041AB7D |. 75 1E jnz short 0041AB9D
0041AB7F |. 0FB655 FA movzx edx, byte ptr [ebp-6]
0041AB83 |. 0FB645 F5 movzx eax, byte ptr [ebp-B]
0041AB87 |. 83E8 30 sub eax, 30
0041AB8A |. 3BD0 cmp edx, eax ; var4 <==> var_4-30h
0041AB8C |. 75 0F jnz short 0041AB9D ; */这几
组都相等则继续,有一个不相等则对比是否是通用注册码
0041AB8E |. 0FB64D F4 movzx ecx, byte ptr [ebp-C]
0041AB92 |. 0FB655 F9 movzx edx, byte ptr [ebp-7]
0041AB96 |. 83EA 30 sub edx, 30
0041AB99 |. 3BCA cmp ecx, edx ; m <==> var5-30h
0041AB9B |. 74 58 je short 0041ABF5
0041AB9D |> 0FB645 FC movzx eax, byte ptr [ebp-4] ; 通用注册码判断
0041ABA1 |. 83F8 39 cmp eax, 39 ; var_1 <==> 39h
0041ABA4 |. 0F85 A7000000 jnz 0041AC51
0041ABAA |. 0FB64D FD movzx ecx, byte ptr [ebp-3]
0041ABAE |. 83F9 33 cmp ecx, 33 ; var_2 <==> 33h
0041ABB1 |. 0F85 9A000000 jnz 0041AC51
0041ABB7 |. 0FB655 F6 movzx edx, byte ptr [ebp-A]
0041ABBB |. 83FA 30 cmp edx, 30 ; var_3 <==> 30h
0041ABBE |. 0F85 8D000000 jnz 0041AC51
0041ABC4 |. 0FB645 F5 movzx eax, byte ptr [ebp-B]
0041ABC8 |. 83F8 31 cmp eax, 31 ; var_4 <==> 31h
0041ABCB |. 0F85 80000000 jnz 0041AC51
0041ABD1 |. 0FB64D F9 movzx ecx, byte ptr [ebp-7]
0041ABD5 |. 83F9 36 cmp ecx, 36 ; var_5 <==> 36h
0041ABD8 |. 75 77 jnz short 0041AC51
0041ABDA |. 0FB655 F7 movzx edx, byte ptr [ebp-9]
0041ABDE |. 83FA 36 cmp edx, 36 ; var_6 <==> 36h
0041ABE1 |. 75 6E jnz short 0041AC51
0041ABE3 |. 0FB645 FE movzx eax, byte ptr [ebp-2]
0041ABE7 |. 83F8 36 cmp eax, 36 ; var_7 <==> 36h
0041ABEA |. 75 65 jnz short 0041AC51
0041ABEC |. 0FB64D FB movzx ecx, byte ptr [ebp-5]
0041ABF0 |. 83F9 36 cmp ecx, 36 ; var_8 <==> 36h
0041ABF3 |. 75 5C jnz short 0041AC51 ; 这几组都相等,则也能
注册成功,也就是通用注册码93016666
[算法总结]
-=-取用户名前4位分别与0x43,0x44,0x52,0x45进行与操作,分别取所得值的个位数字记
var1,var2,var3,var4
-=-取用户名所有字符的ascii累加值,取个位数字记var5
-=-注册码的第一位-30h <—> var1
注册码的第二位-30h <—> var2
注册码的第三位-30h <—> var3
注册码的第四位-30h <—> var4
注册码的第五位-30h <—> var5 都相等则注册成功
-=-还有一个通用注册码93016666