【Author】 lnn1123[[BCG][DCM]]
【E-mail】 lnn11231123@163.com
【Author's QQ】 254513595
【Title】 TitleBarClock Pro 5.2 algorithm analysis
【Software】 TitleBarClock Pro 5.2
【Download】 天空软件 (Skycn download site)
----------------------------------------------------------------------------------------------
【Protection】 registration code
【Tools】 OD (OllyDbg), PEiD
【Restrictions】 didn't check
【Platform】 Win9x/NT/2000/XP/XP SP2
----------------------------------------------------------------------------------------------
【Software description】
TitleBarClock Pro Copyright © 2002-2005
Runs on Windows 98-Me-NT4-2000-XP.
This is a full functioning 15 day free trial of TBC Pro.
After the trial is up you must register. Right click on
the TBC Pro tray icon then click on the "TBC Pro Website"
menu option. This will take you to the online registration
website. Click on "Buy TitleBarClock Pro" to purchase a
registration number for $9.95 US. After registration is
completed a registration number will be sent to your email
address. Your one(1) time registration entitles you to all
future updates of TitleBarClock Pro.
TBC Pro displays the Day Month Date Time Year and
Megabytes of free physical memory in right side of
the Title Bar of any main window that has the mouse
or keyboard focus.
TBC Pro also places a clock icon in the System Tray
when you start the program. Right click on the Tray
Icon to change default settings.
Changes made to these settings are saved for the next
time you start up your computer.
XP USERS:
When switching between XP theme and Classic Theme it is
recommended that you exit the TitleBarClock Pro program
change to the other theme then reload the program.
StyleXP USERS:
When switching between StyleXP theme it is recommended
that you exit the TitleBarClock Pro program change to
the new StyleXP theme then reload the program.
Run the un-install program to completely remove TBC Pro.
You MUST EXIT the TitleBarClock Pro program first before
you run the un-install operation.
Well worth the $9.95 purchase registration price!!
Please report any bugs or suggestions to improve the
program to - support@quickersoft.com
www.wfcravener.com/tbcpro.html
www.quickersoft.com/tbcpro.html
【Article summary】
This one is fairly simple; experts, skip ahead!
----------------------------------------------------------------------------------------------
【Cracking process】
PEiD identifies the packer as PECompact 2.x -> Jeremy Collake. Set OllyDbg to ignore all exceptions and load the program:
00401000 > B8 58CB4100 MOV EAX,Tbcpro.0041CB58 ; stops here
00401005 50 PUSH EAX
00401006 64:FF35 00000000 PUSH DWORD PTR FS:[0]
0040100D 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00401014 33C0 XOR EAX,EAX
00401016 8908 MOV DWORD PTR DS:[EAX],ECX
00401018 50 PUSH EAX
00401019 45 INC EBP
0040101A 43 INC EBX
Set a breakpoint: BP VirtualFree (this API comes up often when unpacking; remember it). Run, then remove the breakpoint and press ALT+F9 to return to user code; a few more steps and you reach the OEP.
The breakpoint lands here:
7C809B14 > 8BFF MOV EDI,EDI ; Tbcpro.00400000
7C809B16 55 PUSH EBP
7C809B17 8BEC MOV EBP,ESP
7C809B19 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C809B1C FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C809B1F FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C809B22 6A FF PUSH -1
7C809B24 E8 09000000 CALL kernel32.VirtualFreeEx
7C809B29 5D POP EBP
7C809B2A C2 0C00 RETN 0C
ALT+F9 returns here:
0038039C 58 POP EAX ; <&kernel32.VirtualFree>
0038039D 68 00800000 PUSH 8000
003803A2 6A 00 PUSH 0
003803A4 FFB5 E3120010 PUSH DWORD PTR SS:[EBP+100012E3]
003803AA FF10 CALL DWORD PTR DS:[EAX]
003803AC 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
003803AF 03C7 ADD EAX,EDI
003803B1 5D POP EBP
003803B2 5E POP ESI
003803B3 5F POP EDI
003803B4 59 POP ECX
003803B5 5B POP EBX
003803B6 C3 RETN
F8 (step over) until here:
0041CBFE 8985 1C110010 MOV DWORD PTR SS:[EBP+1000111C],EAX ; Tbcpro.<ModuleEntryPoint>
0041CC04 8BF0 MOV ESI,EAX
0041CC06 59 POP ECX
0041CC07 5A POP EDX
0041CC08 03CA ADD ECX,EDX
0041CC0A 68 00800000 PUSH 8000
0041CC0F 6A 00 PUSH 0
0041CC11 57 PUSH EDI
0041CC12 FF11 CALL DWORD PTR DS:[ECX]
0041CC14 8BC6 MOV EAX,ESI
0041CC16 5E POP ESI
0041CC17 5F POP EDI
0041CC18 59 POP ECX
0041CC19 5B POP EBX
0041CC1A 5D POP EBP
0041CC1B FFE0 JMP EAX ; JMP OEP
Now dump the process with the OD dump plugin. On my machine the dump ran without any import repair, so unpacking is done.
On to the algorithm. After entering an Order ID and Regcode an error message appears; they would hardly have encrypted the strings, and a look with 老罗's string-reference plugin confirms they are in plain text. Find the error string and set a breakpoint here:
===================================code=============================================
00405A10 |. 6A 10 PUSH 10 ; /Count = 10 (16.)
00405A12 |. 68 82D94000 PUSH 1.0040D982 ; |Buffer = 1.0040D982
00405A17 |. 68 AA0F0000 PUSH 0FAA ; |ControlID = FAA (4010.)
00405A1C |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00405A1F |. E8 08490000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00405A24 |. E8 18370000 CALL 1.00409141 ; the CALL above read the entered code; this is the key CALL, step into it
00405A29 |. 833D 4BD74000 >CMP DWORD PTR DS:[40D74B],1 ; compare the flag
00405A30 |. 75 19 JNZ SHORT 1.00405A4B ; must jump, otherwise it is over
00405A32 |. 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405A34 |. 68 3CC04000 PUSH 1.0040C03C ; |Title = "TitleBarClock Pro 5.2"
00405A39 |. 68 80C04000 PUSH 1.0040C080 ; |Text = "Invalid Registration Code"
00405A3E |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00405A41 |. E8 40490000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00405A46 |. E9 B5000000 JMP 1.00405B00
00405A4B |> 6A 1E PUSH 1E ; /Count = 1E (30.)
00405A4D |. 68 E6D94000 PUSH 1.0040D9E6 ; |Buffer = 1.0040D9E6
00405A52 |. 68 B40F0000 PUSH 0FB4 ; |ControlID = FB4 (4020.)
00405A57 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00405A5A |. E8 CD480000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00405A5F |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; length of the registration name (the Order ID)
00405A62 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /length of the registration name
00405A65 |. E8 5F370000 CALL 1.004091C9 ; \key CALL, step into it
00405A6A |. 833D 4FD74000 >CMP DWORD PTR DS:[40D74F],1
00405A71 |. 75 62 JNZ SHORT 1.00405AD5
00405A73 |. 66:C705 9FD740>MOV WORD PTR DS:[40D79F],0
00405A7C |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /Arg1
00405A7F |. E8 4C300000 CALL 1.00408AD0 ; \1.00408AD0
00405A84 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /Arg1
00405A87 |. E8 AC2C0000 CALL 1.00408738 ; \1.00408738
00405A8C |. 6A 00 PUSH 0 ; /Flags = MF_BYCOMMAND|MF_ENABLED|MF_STRING
00405A8E |. 68 4C040000 PUSH 44C ; |ItemID = 44C (1100.)
00405A93 |. FF35 84EC4000 PUSH DWORD PTR DS:[40EC84] ; |hMenu = ABC00201
00405A99 |. E8 24490000 CALL <JMP.&user32.RemoveMenu> ; \RemoveMenu
00405A9E |. 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405AA0 |. 68 3CC04000 PUSH 1.0040C03C ; |Title = "TitleBarClock Pro 5.2"
00405AA5 |. 68 B1C04000 PUSH 1.0040C0B1 ; |Text = "Thank You!
TitleBarClock Pro
Registration Successful."
00405AAA |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00405AAD |. E8 D4480000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00405AB2 |. 6A 00 PUSH 0 ; /Flags = MF_BYCOMMAND|MF_ENABLED|MF_STRING
00405AB4 |. FF35 88EC4000 PUSH DWORD PTR DS:[40EC88] ; |ItemID = 647C01D3 (1685848531.)
00405ABA |. FF35 84EC4000 PUSH DWORD PTR DS:[40EC84] ; |hMenu = ABC00201
00405AC0 |. E8 1F480000 CALL <JMP.&user32.EnableMenuItem> ; \EnableMenuItem
00405AC5 |. 6A 00 PUSH 0 ; /lParam = 0
00405AC7 |. 6A 00 PUSH 0 ; |wParam = 0
00405AC9 |. 6A 10 PUSH 10 ; |Message = WM_CLOSE
00405ACB |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00405ACE |. E8 FB480000 CALL <JMP.&user32.SendMessageA> ; \SendMessageA
00405AD3 |. EB 14 JMP SHORT 1.00405AE9
00405AD5 |> 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00405AD7 |. 68 3CC04000 PUSH 1.0040C03C ; |Title = "TitleBarClock Pro 5.2"
00405ADC |. 68 9AC04000 PUSH 1.0040C09A ; |Text = "Invalid RegNow OrderID"
00405AE1 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00405AE4 |. E8 9D480000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00405AE9 |> EB 15 JMP SHORT 1.00405B00
00405AEB |> 3D C80F0000 CMP EAX,0FC8
00405AF0 |. 75 0E JNZ SHORT 1.00405B00
00405AF2 |. 6A 00 PUSH 0 ; /lParam = 0
00405AF4 |. 6A 00 PUSH 0 ; |wParam = 0
00405AF6 |. 6A 10 PUSH 10 ; |Message = WM_CLOSE
00405AF8 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00405AFB |. E8 CE480000 CALL <JMP.&user32.SendMessageA> ; \SendMessageA
00405B00 |> 33C0 XOR EAX,EAX
00405B02 |. C9 LEAVE
00405B03 \. C2 1000 RETN 10
======================================into CALL 00409141==================================================
00409141 /$ 56 PUSH ESI ; 1.0040594B
00409142 |. 57 PUSH EDI
00409143 |. 51 PUSH ECX
00409144 |. C705 4BD74000 >MOV DWORD PTR DS:[40D74B],0
0040914E |. BF B4D94000 MOV EDI,1.0040D9B4 ; ASCII "Z526WT491QN387B"
00409153 |. 57 PUSH EDI
00409154 |. BE 22DE4000 MOV ESI,1.0040DE22
00409159 |. B9 05000000 MOV ECX,5 ; counter for the string move
0040915E |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; string move
00409160 |. BE 67E04000 MOV ESI,1.0040E067 ; special characters
00409165 |. B9 05000000 MOV ECX,5 ; counter for the string move
0040916A |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; string move
0040916C |. BE 92DF4000 MOV ESI,1.0040DF92 ; special characters
00409171 |. B9 05000000 MOV ECX,5 ; counter for the string move
00409176 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; string move
00409178 |. 5F POP EDI
00409179 |. 8BF7 MOV ESI,EDI
0040917B |. E8 21000000 CALL 1.004091A1 ; decoding the bytes moved above yields the registration code; step into it
00409180 |. BE 82D94000 MOV ESI,1.0040D982 ; ASCII "78787878"
00409185 |. BF B4D94000 MOV EDI,1.0040D9B4 ; ASCII "Z526WT491QN387B"
0040918A |. B9 0F000000 MOV ECX,0F ; counter = 15
0040918F |. F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; string compare
00409191 |. 74 0A JE SHORT 1.0040919D ; not equal means it is over
00409193 |. C705 4BD74000 >MOV DWORD PTR DS:[40D74B],1 ; flag
0040919D |> 59 POP ECX
0040919E |. 5F POP EDI
0040919F |. 5E POP ESI
004091A0 \. C3 RETN
=====================================into CALL 004091A1================================================================
004091A1 /$ 56 PUSH ESI
004091A2 |. 57 PUSH EDI
004091A3 |. 8BF7 MOV ESI,EDI ; 1.0040D9B4
004091A5 |. B9 0F000000 MOV ECX,0F ; counter = 15
004091AA |> AC LODS BYTE PTR DS:[ESI] ; read one byte of the string
004091AB |. 2C 03 SUB AL,3 ; AL = AL - 3
004091AD |. D0E8 SHR AL,1 ; shift right by one bit
004091AF |. AA STOS BYTE PTR ES:[EDI] ; store it back
004091B0 |. 49 DEC ECX ; decrement the counter
004091B1 |.^75 F7 JNZ SHORT 1.004091AA ; loop
004091B3 |. 5F POP EDI
004091B4 |. 5E POP ESI
004091B5 \. C3 RETN
At this point the Regcode is easy to obtain. This program also has requirements on the Order ID, so let's look at those.
========================================into CALL 004091C9============================================
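The two routines just walked through, modelled in Python as an added example (not code from the write-up or from the program). It shows the structure the listing reveals: a fixed 15-byte string is stored behind a byte-wise transform, the transform is reversed in place at 004091A1, and 00409141 then compares the entered text against the result and records the outcome in the global flag at 40D74B, which the caller tests at 00405A29. The 15 source bytes copied from 0040DE22, 0040E067 and 0040DF92 are not given in the write-up, so the ENCODED value below is a constructed stand-in chosen so that the decode loop yields the code shown in the listing.

```python
# Added example: Python model of CALL 004091A1 (decode) and CALL 00409141
# (decode + REPE CMPS), as read from the disassembly in this write-up.

REGCODE_LEN = 0x0F  # MOV ECX,0F: both the decode loop and REPE CMPS cover 15 bytes


def decode_regcode(encoded: bytes) -> bytes:
    """Model of CALL 004091A1: for each of 15 bytes, AL = (AL - 3) >> 1.

    AL is an 8-bit register, so the subtraction wraps modulo 256 before the
    logical shift right (SHR), exactly as the LODS / SUB / SHR / STOS loop does.
    """
    if len(encoded) != REGCODE_LEN:
        raise ValueError("the routine always processes exactly 15 bytes")
    return bytes(((b - 3) & 0xFF) >> 1 for b in encoded)


def regcode_accepted(entered: bytes, encoded: bytes) -> bool:
    """Model of CALL 00409141.

    Decodes the stored bytes, then compares 15 bytes of the dialog text
    (buffer at 0040D982, Count = 10h, so at most 15 characters plus the NUL
    that GetDlgItemTextA appends). Returns True when the flag at 40D74B is
    left at 0 (all bytes equal) and False when the MOV [40D74B],1 runs.
    """
    expected = decode_regcode(encoded)
    # Model the rest of the 16-byte buffer as zero, so a short entry is still
    # compared over the full 15 bytes, as REPE CMPS with ECX = 0F does.
    buf = (entered[:REGCODE_LEN] + b"\x00" * REGCODE_LEN)[:REGCODE_LEN]
    return buf == expected  # JE 0040919D is taken only when every byte matched


# CONSTRUCTED stand-in for the bytes at 0040DE22 / 0040E067 / 0040DF92: the
# transform (b - 3) >> 1 has two preimages per output byte; 2*c + 3 is one of them.
ENCODED = bytes(2 * c + 3 for c in b"Z526WT491QN387B")

if __name__ == "__main__":
    print(decode_regcode(ENCODED))                     # the code the listing compares against
    print(regcode_accepted(b"78787878", ENCODED))      # False -> "Invalid Registration Code"
    print(regcode_accepted(decode_regcode(ENCODED), ENCODED))  # True -> flag stays 0
```

The model makes the weakness of this scheme explicit for anyone reviewing a licensing check: the accepted value is a single constant independent of the user or machine, the transform is a per-byte arithmetic step that is reversible by inspection, and the result is parked in a global flag that the call site tests with one CMP. A check that derives the expected value from the Order ID (or verifies a signature over it) would not collapse to one constant like this.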
004091C9 /$ 55 PUSH EBP
004091CA |. 8BEC MOV EBP,ESP
004091CC |. 83C4 FC ADD ESP,-4
004091CF |. 56 PUSH ESI
004091D0 |. 57 PUSH EDI
004091D1 |. 51 PUSH ECX
004091D2 |. BE E6D94000 MOV ESI,1.0040D9E6 ; ASCII "1234567890-1123-0000"
004091D7 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
004091DA |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0
004091E1 |> AC /LODS BYTE PTR DS:[ESI] ; read one byte of the registration name
004091E2 |. 3C 2D |CMP AL,2D ; is it a '-'?
004091E4 |. 74 1B |JE SHORT 1.00409201 ; jump if it is a '-'; if the ID you entered has no '-', it is over!
004091E6 |. 3C 39 |CMP AL,39 ; compare with '9'
004091E8 |. 7F 29 |JG SHORT 1.00409213
004091EA |. FF45 FC |INC DWORD PTR SS:[EBP-4]
004091ED |. 49 |DEC ECX
004091EE |.^75 F1 \JNZ SHORT 1.004091E1
004091F0 |. C705 4FD74000 >MOV DWORD PTR DS:[40D74F],0 ; flag
004091FA |. 59 POP ECX
004091FB |. 5F POP EDI
004091FC |. 5E POP ESI
004091FD |. C9 LEAVE
004091FE |. C2 0400 RETN 4
00409201 |> 837D FC 0A CMP DWORD PTR SS:[EBP-4],0A ; constant 0A (10)
00409205 |. 75 0C JNZ SHORT 1.00409213 ; if the '-' is not the eleventh character of the ID, it is over
00409207 |> AC /LODS BYTE PTR DS:[ESI] ; read the bytes after the first '-'
00409208 |. 3C 2D |CMP AL,2D ; is it a '-'? so there has to be another '-'
0040920A |. 74 18 |JE SHORT 1.00409224 ; without a second '-' it is over
0040920C |. 3C 39 |CMP AL,39 ; greater than '9'?
0040920E |. 7F 03 |JG SHORT 1.00409213
00409210 |. 49 |DEC ECX
00409211 |.^75 F4 \JNZ SHORT 1.00409207
00409213 |> C705 4FD74000 >MOV DWORD PTR DS:[40D74F],0 ; flag
0040921D |. 59 POP ECX
0040921E |. 5F POP EDI
0040921F |. 5E POP ESI
00409220 |. C9 LEAVE
00409221 |. C2 0400 RETN 4
00409224 |> AC /LODS BYTE PTR DS:[ESI] ; read the bytes after the second '-'
00409225 |. 3C 00 |CMP AL,0 ; is it the terminating 0?
00409227 |. 74 07 |JE SHORT 1.00409230
00409229 |. 3C 39 |CMP AL,39 ; greater than '9'?
0040922B |.^7F E6 |JG SHORT 1.00409213
0040922D |. 49 |DEC ECX
0040922E |.^75 F4 \JNZ SHORT 1.00409224
00409230 |> C705 4FD74000 >MOV DWORD PTR DS:[40D74F],1 ; flag
0040923A |. 59 POP ECX
0040923B |. 5F POP EDI
0040923C |. 5E POP ESI
0040923D |. C9 LEAVE
0040923E \. C2 0400 RETN 4
To summarize the Order ID requirements: the first ten characters must be digits 0-9, the eleventh must be '-', after the first '-' there must be more digits 0-9, then another '-', and the digits after that '-' can be anything.
Example: 1234567890-1123-0000
My explanations are not great, so please don't flame me.
That completes the algorithm; it is fairly simple.
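The Order ID check at 004091C9, modelled in Python as an added example (not code from the write-up or from the program), following the three LODS loops and their jumps in the listing rather than the prose summary. One detail the listing shows and the summary glosses over: each byte is only bounded from above (CMP AL,39 / JG), there is no check against '0', so the model does the same. The function takes the NUL-terminated buffer and its length, as at the call site 00405A62.

```python
# Added example: Python model of CALL 004091C9 (Order ID format check),
# written from the disassembly in this write-up.

def order_id_accepted(order_id: bytes) -> bool:
    """Return the value the routine leaves in the flag at 40D74F (1 = accepted).

    Mirrors the call at 00405A62: ESI points at the text read into 0040D9E6
    (NUL-terminated by GetDlgItemTextA) and ECX holds its length ([EBP+8]).
    Assumes a non-empty entry; with ECX = 0 the real loop would DEC ECX past
    zero and walk off the end of the buffer, which is not modelled here.
    """
    buf = order_id + b"\x00"
    pos = 0
    ecx = len(order_id)
    if ecx == 0:
        return False
    count = 0  # DWORD PTR [EBP-4]: bytes seen before the first '-'

    # Loop 1 (004091E1): bytes up to the first '-'
    while True:
        al = buf[pos]
        pos += 1
        if al == 0x2D:      # '-' -> 00409201
            break
        if al > 0x39:       # above '9' -> 00409213, flag = 0
            return False
        count += 1
        ecx -= 1
        if ecx == 0:        # input exhausted with no '-' -> 004091F0, flag = 0
            return False
    if count != 0x0A:       # the '-' must be the eleventh character
        return False

    # Loop 2 (00409207): bytes between the first and the second '-'
    while True:
        al = buf[pos]
        pos += 1
        if al == 0x2D:      # second '-' -> 00409224
            break
        if al > 0x39:
            return False
        ecx -= 1
        if ecx == 0:        # the NUL counts as a byte here, so no second '-' -> flag = 0
            return False

    # Loop 3 (00409224): bytes after the second '-', up to the NUL
    while True:
        al = buf[pos]
        pos += 1
        if al == 0x00:      # end of string -> 00409230, flag = 1
            return True
        if al > 0x39:
            return False
        ecx -= 1
        if ecx == 0:        # an exhausted counter also falls through to 00409230
            return True


if __name__ == "__main__":
    for sample in (b"1234567890-1123-0000",  # the write-up's example
                   b"1234567890-1123",       # no second '-'
                   b"123456789-1123-0000",   # '-' in the tenth position
                   b"1234567890-ab-0000"):   # letters where digits are required
        print(sample.decode(), order_id_accepted(sample))
```

Because the routine checks only the shape of the Order ID and never ties it to the Regcode, the two checks are independent; that independence is what lets the write-up finish with a constant Regcode and any well-formed Order ID, and it is the property a reviewer of such a scheme should look for first.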
================================================================================
Registration information:
Order ID:1234567890-1123-0000
Regcode :Z526WT491QN387B
----------------------------------------------------------------------------------------------
【Notes】
The bytes copied by the string moves at the start of this program may differ from machine to machine, so decoding that byte string is the important part.
Writing this up is really tiring: the crack took a little time, but the write-up took a lot.
----------------------------------------------------------------------------------------------
【Statement】 I am just a newbie who picked up a little insight and wants to share it with everyone.
【Copyright】 This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thanks!
----------------------------------------------------------------------------------------------
Written on 2004-9-7 19:25:11