
[原创]IrfanView 注册算法分析及注册机

2005-6-4 00:26
【软件名称】:IrfanView
【软件大小】:440 KB  
【下载地址】:http://www.irfanview.com/
【软件简介】:图像浏览处理
【软件限制】:免费软件
【保护方式】:注册码
【破解作者】:w.h.m
【破解日期】:06/03/2005
【破解声明】:学习注册算法,失误之处敬请诸位大侠赐教!
【调试环境】:WinXP、OllyDBG、PEiD、ImportREC

―――――――――――――――――――――――――――――――――――――――――――

【破解过程】:

看雪上已经有一篇介绍IrfanView 3.97的注册算法:
http://bbs.pediy.com//showthread.php?s=&threadid=13336
但是分析得并不彻底,没有写出注册机.出于学习目的,我又独立地分析了它的注册算法,但是
这里省去了一些步骤,直接分析其计算注册码部分,其余请参考前作. 我用的不是最新版,而是
3.80, 实际算法没有变,至少据我所知自3.70后一直没有变,因为我手头有一个3.70的注册机,
作了比较,而且和baby2008计算的3.97 比较也一样,所以我懒得去下载最新的.
且看我的分析:
(注:分析所用数字为十六进制.)

; Registration check routine as listed by the debugger (all constants are hexadecimal).
; Stack arguments on entry: [esp+4] = user name, [esp+8] = entered code string.
; Flow: parse the entered code to a number (ebp), sum the bytes of the name (ebx),
;       compute 1d8*(abs(104-sum)+14c), print it as a decimal string s, rearrange and
;       recompute several characters of s, parse s with the same helper, compare with ebp.
; Returns eax = 1 when both numbers are equal, otherwise 0.
; NOTE(review): the expected value depends only on the user name and on constants
; embedded in the code below, so the check holds no secret that the client lacks.
00436600   /$  8B4424 08   mov eax,dword ptr ss:[esp+8]        ;  eax = second stack argument (entered code string)
00436604   |.  83EC 14     sub esp,14
00436607   |.  53          push ebx
00436608   |.  55          push ebp
00436609   |.  56          push esi
0043660A   |.  57          push edi
0043660B   |.  50          push eax                            ;  argument: the entered code string
0043660C   |.  33DB        xor ebx,ebx                         ;  ebx = 0, running sum
0043660E   |.  E8 9A2A0800 call x.004B90AD                     ;  per the post: eax = code string converted to a number; call it code
00436613   |.  8B7424 2C   mov esi,dword ptr ss:[esp+2C]       ;  esi = user name (first stack argument)
00436617   |.  8BE8        mov ebp,eax                         ;  ebp = code, kept for the final compare
00436619   |.  8BFE        mov edi,esi
0043661B   |.  83C9 FF     or ecx,FFFFFFFF
0043661E   |.  33C0        xor eax,eax
00436620   |.  83C4 04     add esp,4
00436623   |.  33D2        xor edx,edx
00436625   |.  F2:AE       repne scas byte ptr es:[edi]        ;  scan for the terminating zero byte
00436627   |.  F7D1        not ecx
00436629   |.  49          dec ecx
0043662A   |.  85C9        test ecx,ecx                        ;  ecx = length of the user name
0043662C   |.  7E 17       jle short x.00436645                ;  empty name: skip the summing loop
0043662E   |>  0FBE0C32    /movsx ecx,byte ptr ds:[edx+esi]    ;  ecx = name[edx], sign-extended
00436632   |.  03D9        |add ebx,ecx
00436634   |.  8BFE        |mov edi,esi
00436636   |.  83C9 FF     |or ecx,FFFFFFFF
00436639   |.  33C0        |xor eax,eax
0043663B   |.  42          |inc edx
0043663C   |.  F2:AE       |repne scas byte ptr es:[edi]
0043663E   |.  F7D1        |not ecx
00436640   |.  49          |dec ecx
00436641   |.  3BD1        |cmp edx,ecx
00436643   |.^ 7C E9       \jl short x.0043662E                ;  ebx = sum of name[i]; call it sum
00436645   |>  B8 04010000 mov eax,104
0043664A   |.  6A 0A       push 0A                             ; /Arg3 = 0000000A, radix 10
0043664C   |.  2BC3        sub eax,ebx                         ; |
0043664E   |.  99          cdq                                 ; |
0043664F   |.  33C2        xor eax,edx                         ; |
00436651   |.  2BC2        sub eax,edx                         ; |
00436653   |.  05 4C010000 add eax,14C                         ; |eax=abs(104-sum)+14c
00436658   |.  8D14C5 0000>lea edx,dword ptr ds:[eax*8]        ; |
0043665F   |.  2BD0        sub edx,eax                         ; |
00436661   |.  8D0C90      lea ecx,dword ptr ds:[eax+edx*4]    ; |ecx=1d*eax
00436664   |.  8D5424 14   lea edx,dword ptr ss:[esp+14]       ; |
00436668   |.  52          push edx                            ; |Arg2 = buffer that receives the result
00436669   |.  8D3448      lea esi,dword ptr ds:[eax+ecx*2]    ; |
0043666C   |.  C1E6 03     shl esi,3                           ; |esi=1d8*eax
0043666F   |.  56          push esi                            ; |Arg1=1d8*(abs(104-sum)+14c)
00436670   |.  E8 6FE10800 call x.004C47E4                     ; \per the post: writes Arg1 as a decimal string into the Arg2 buffer; call it s
00436675   |.  8A4C24 20   mov cl,byte ptr ss:[esp+20]         ;  cl = s[4]
00436679   |.  8A4424 21   mov al,byte ptr ss:[esp+21]         ;  al = s[5]
0043667D   |.  83C4 0C     add esp,0C
00436680   |.  81FE 3F420F>cmp esi,0F423F                      ;  0F423F = 999999 decimal
00436686   |.  0F87 E70000>ja x.00436773                       ;  larger value: alternate path at 00436773
0043668C   |.  8A5424 13   mov dl,byte ptr ss:[esp+13]         ;  dl = s[3]
00436690   |.  884C24 16   mov byte ptr ss:[esp+16],cl         ;  s[6]=s[4]
00436694   |.  8A4C24 11   mov cl,byte ptr ss:[esp+11]         ;  cl = s[1]
00436698   |.  884424 18   mov byte ptr ss:[esp+18],al         ;  s[8]=s[5]
0043669C   |.  8A4424 12   mov al,byte ptr ss:[esp+12]         ;  al = s[2]
004366A0   |.  885424 15   mov byte ptr ss:[esp+15],dl         ;  s[5]=s[3]
004366A4   |.  884C24 12   mov byte ptr ss:[esp+12],cl         ;  s[2]=s[1]
004366A8   |.  8B4C24 14   mov ecx,dword ptr ss:[esp+14]
004366AC   |.  81E1 FF0000>and ecx,0FF                         ;  ecx = s[4]
004366B2   |.  884424 13   mov byte ptr ss:[esp+13],al         ;  s[3]=s[2]
004366B6   |.  8BC1        mov eax,ecx
004366B8   |.  C1E0 05     shl eax,5
004366BB   |.  2BC1        sub eax,ecx                         ;  eax=s[4]*1f
004366BD   |.  8B4C24 18   mov ecx,dword ptr ss:[esp+18]
004366C1   |.  81E1 FF0000>and ecx,0FF                         ;  ecx = s[8]
004366C7   |.  8D1440      lea edx,dword ptr ds:[eax+eax*2]    ;  edx=eax*3=s[4]*5d
004366CA   |.  8D0489      lea eax,dword ptr ds:[ecx+ecx*4]
004366CD   |.  C1E0 03     shl eax,3
004366D0   |.  2BC1        sub eax,ecx                         ;  eax=ecx*27=s[8]*27
004366D2   |.  2BC2        sub eax,edx                         ;  eax=s[8]*27-s[4]*5d
004366D4   |.  99          cdq
004366D5   |.  8BC8        mov ecx,eax
004366D7   |.  33CA        xor ecx,edx
004366D9   |.  2BCA        sub ecx,edx                         ;  ecx=abs(eax-edx)
004366DB   |.  8D0489      lea eax,dword ptr ds:[ecx+ecx*4]
004366DE   |.  C1E0 03     shl eax,3
004366E1   |.  2BC1        sub eax,ecx                         ;  eax=ecx*27=abs(s[8]*27-s[4]*5d)*27
004366E3   |.  B9 09000000 mov ecx,9
004366E8   |.  99          cdq
004366E9   |.  F7F9        idiv ecx                            ;  edx = remainder of the division by 9
004366EB   |.  8B4424 13   mov eax,dword ptr ss:[esp+13]
004366EF   |.  25 FF000000 and eax,0FF                         ;  eax = s[3]
004366F4   |.  80C2 30     add dl,30
004366F7   |.  885424 17   mov byte ptr ss:[esp+17],dl         ;  s[7]=abs(s[8]*27-s[4]*5d)*27%9+30
004366FB   |.  8D1440      lea edx,dword ptr ds:[eax+eax*2]
004366FE   |.  C1E2 04     shl edx,4
00436701   |.  2BD0        sub edx,eax                         ;  edx=eax*2f=s[3]*2f
00436703   |.  8B4424 15   mov eax,dword ptr ss:[esp+15]
00436707   |.  25 FF000000 and eax,0FF                         ;  eax = s[5]
0043670C   |.  8D0CC0      lea ecx,dword ptr ds:[eax+eax*8]
0043670F   |.  8D0488      lea eax,dword ptr ds:[eax+ecx*4]
00436712   |.  8D0442      lea eax,dword ptr ds:[edx+eax*2]    ;  eax=s[5]*4a+s[3]*2f (25*2 = 4a; the post writes a4, which has the same remainder mod 9)
00436715   |.  99          cdq
00436716   |.  33C2        xor eax,edx
00436718   |.  2BC2        sub eax,edx                         ;  eax=abs(s[5]*4a+s[3]*2f)
0043671A   |.  8D0CC0      lea ecx,dword ptr ds:[eax+eax*8]
0043671D   |.  8D0488      lea eax,dword ptr ds:[eax+ecx*4]
00436720   |.  B9 09000000 mov ecx,9
00436725   |.  03C0        add eax,eax                         ;  eax=abs(s[5]*4a+s[3]*2f)*4a
00436727   |.  99          cdq
00436728   |.  F7F9        idiv ecx                            ;  edx = remainder of the division by 9
0043672A   |.  8B4C24 10   mov ecx,dword ptr ss:[esp+10]       ;  s[0]
0043672E   |.  81E1 FF0000>and ecx,0FF
00436734   |.  8D0449      lea eax,dword ptr ds:[ecx+ecx*2]
00436737   |.  8D04C0      lea eax,dword ptr ds:[eax+eax*8]
0043673A   |.  03C0        add eax,eax
0043673C   |.  2BC1        sub eax,ecx                         ;  eax=s[0]*35
0043673E   |.  80C2 30     add dl,30
00436741   |.  885424 14   mov byte ptr ss:[esp+14],dl         ;  s[4]=abs(s[5]*4a+s[3]*2f)*4a%9+30
00436745   |.  8B4C24 11   mov ecx,dword ptr ss:[esp+11]       ;  s[1]
00436749   |.  81E1 FF0000>and ecx,0FF
0043674F   |.  8D14CD 0000>lea edx,dword ptr ds:[ecx*8]
00436756   |.  2BD1        sub edx,ecx
00436758   |.  8D1492      lea edx,dword ptr ds:[edx+edx*4]    ;  edx=s[1]*23
0043675B   |.  2BC2        sub eax,edx                         ;  eax=s[0]*35-s[1]*23
0043675D   |.  99          cdq
0043675E   |.  8BC8        mov ecx,eax
00436760   |.  33CA        xor ecx,edx
00436762   |.  2BCA        sub ecx,edx                         ;  ecx=abs(eax-edx)=abs(s[0]*35-s[1]*23)
00436764   |.  8D0449      lea eax,dword ptr ds:[ecx+ecx*2]
00436767   |.  8D04C0      lea eax,dword ptr ds:[eax+eax*8]
0043676A   |.  03C0        add eax,eax
0043676C   |.  2BC1        sub eax,ecx                         ;  eax=abs(s[0]*35-s[1]*23)*35
0043676E   |.  E9 ED000000 jmp x.00436860                      ;  skip the alternate path and join the common tail
00436773   |>  8A5424 16   mov dl,byte ptr ss:[esp+16]         ;  alternate path, reached from the ja at 00436686; the post leaves it unannotated
00436777   |.  884424 16   mov byte ptr ss:[esp+16],al
0043677B   |.  8A4424 11   mov al,byte ptr ss:[esp+11]
0043677F   |.  885424 18   mov byte ptr ss:[esp+18],dl
00436783   |.  8A5424 12   mov dl,byte ptr ss:[esp+12]
00436787   |.  884424 12   mov byte ptr ss:[esp+12],al
0043678B   |.  8B4424 16   mov eax,dword ptr ss:[esp+16]
0043678F   |.  884C24 15   mov byte ptr ss:[esp+15],cl
00436793   |.  25 FF000000 and eax,0FF
00436798   |.  885424 13   mov byte ptr ss:[esp+13],dl
0043679C   |.  8BC8        mov ecx,eax
0043679E   |.  C1E1 06     shl ecx,6
004367A1   |.  2BC8        sub ecx,eax
004367A3   |.  8B4424 18   mov eax,dword ptr ss:[esp+18]
004367A7   |.  25 FF000000 and eax,0FF
004367AC   |.  8D04C0      lea eax,dword ptr ds:[eax+eax*8]
004367AF   |.  C1E0 02     shl eax,2
004367B2   |.  2BC1        sub eax,ecx
004367B4   |.  B9 09000000 mov ecx,9
004367B9   |.  99          cdq
004367BA   |.  33C2        xor eax,edx
004367BC   |.  2BC2        sub eax,edx
004367BE   |.  8D04C0      lea eax,dword ptr ds:[eax+eax*8]
004367C1   |.  C1E0 02     shl eax,2
004367C4   |.  99          cdq
004367C5   |.  F7F9        idiv ecx
004367C7   |.  80C2 30     add dl,30
004367CA   |.  885424 17   mov byte ptr ss:[esp+17],dl
004367CE   |.  8B4424 14   mov eax,dword ptr ss:[esp+14]
004367D2   |.  25 FF000000 and eax,0FF
004367D7   |.  83C0 20     add eax,20
004367DA   |.  8D14C5 0000>lea edx,dword ptr ds:[eax*8]
004367E1   |.  2BD0        sub edx,eax
004367E3   |.  8D0490      lea eax,dword ptr ds:[eax+edx*4]
004367E6   |.  8D0C40      lea ecx,dword ptr ds:[eax+eax*2]
004367E9   |.  8B4424 13   mov eax,dword ptr ss:[esp+13]
004367ED   |.  25 FF000000 and eax,0FF
004367F2   |.  8D1480      lea edx,dword ptr ds:[eax+eax*4]
004367F5   |.  C1E2 03     shl edx,3
004367F8   |.  2BD0        sub edx,eax
004367FA   |.  8D0451      lea eax,dword ptr ds:[ecx+edx*2]
004367FD   |.  99          cdq
004367FE   |.  33C2        xor eax,edx
00436800   |.  2BC2        sub eax,edx
00436802   |.  8D0CC5 0000>lea ecx,dword ptr ds:[eax*8]
00436809   |.  2BC8        sub ecx,eax
0043680B   |.  8D0488      lea eax,dword ptr ds:[eax+ecx*4]
0043680E   |.  B9 09000000 mov ecx,9
00436813   |.  8D0440      lea eax,dword ptr ds:[eax+eax*2]
00436816   |.  99          cdq
00436817   |.  F7F9        idiv ecx
00436819   |.  8B4424 10   mov eax,dword ptr ss:[esp+10]
0043681D   |.  25 FF000000 and eax,0FF
00436822   |.  80C2 30     add dl,30
00436825   |.  885424 14   mov byte ptr ss:[esp+14],dl
00436829   |.  8D14C5 0000>lea edx,dword ptr ds:[eax*8]
00436830   |.  2BD0        sub edx,eax
00436832   |.  8D0490      lea eax,dword ptr ds:[eax+edx*4]
00436835   |.  8B5424 11   mov edx,dword ptr ss:[esp+11]
00436839   |.  81E2 FF0000>and edx,0FF
0043683F   |.  03C0        add eax,eax
00436841   |.  8BCA        mov ecx,edx
00436843   |.  C1E1 04     shl ecx,4
00436846   |.  03CA        add ecx,edx
00436848   |.  8D0C89      lea ecx,dword ptr ds:[ecx+ecx*4]
0043684B   |.  2BC1        sub eax,ecx
0043684D   |.  99          cdq
0043684E   |.  33C2        xor eax,edx
00436850   |.  2BC2        sub eax,edx
00436852   |.  8D14C5 0000>lea edx,dword ptr ds:[eax*8]
00436859   |.  2BD0        sub edx,eax
0043685B   |.  8D0490      lea eax,dword ptr ds:[eax+edx*4]
0043685E   |.  03C0        add eax,eax
00436860   |>  99          cdq                                 ;  common tail: both paths arrive here with the last product in eax
00436861   |.  B9 09000000 mov ecx,9
00436866   |.  C64424 19 0>mov byte ptr ss:[esp+19],0          ;  s[9]=0, terminates the string at 9 characters
0043686B   |.  F7F9        idiv ecx                            ;  edx = remainder of the division by 9
0043686D   |.  80C2 30     add dl,30
00436870   |.  885424 11   mov byte ptr ss:[esp+11],dl         ;  s[1]=abs(s[0]*35-s[1]*23)*35%9+30
00436874   |.  8D5424 10   lea edx,dword ptr ss:[esp+10]
00436878   |.  52          push edx
00436879   |.  E8 2F280800 call x.004B90AD                     ;  same helper as at 0043660E, here applied to the derived string s
0043687E   |.  83C4 04     add esp,4
00436881   |.  33C9        xor ecx,ecx
00436883   |.  3BE8        cmp ebp,eax                         ;  entered code against the value derived from the name
00436885   |.  5F          pop edi
00436886   |.  5E          pop esi
00436887   |.  0F94C1      sete cl                             ;  cl = 1 when they are equal
0043688A   |.  5D          pop ebp
0043688B   |.  8BC1        mov eax,ecx                         ;  return value: 1 = match, 0 = mismatch
0043688D   |.  5B          pop ebx
0043688E   |.  83C4 14     add esp,14
00436891   \.  C3          retn

总结一下: 

1.sum=sum(name[i])
2.把1d8*(abs(104-sum)+14c)转化成10进制串s 
3.
  s[8]=s[5],s[5]=s[3],s[3]=s[2],s[2]=s[1],s[6]=s[4]
  s[7]=abs(s[8]*27-s[4]*5d)*27%9+30
  s[4]=abs(s[5]*a4+s[3]*2f)*4a%9+30
  s[1]=abs(s[0]*35-s[1]*23)*35%9+30
4.9位数字串s即为注册码 

于是写出注册机:

/*
 * keygen_irfanview: follows the four summary steps above to rebuild the
 * 9-character decimal string that the routine listed at 00436600 derives from
 * the user name, then prints it.
 *
 * name: NUL-terminated user name.
 * No return type is declared and no value is returned.
 *
 * NOTE(review): the only inputs are the name and constants read out of the
 * binary, which is why the check can be recomputed outside the program. A
 * licence check meant to resist this verifies a signature over the name with
 * a public key embedded in the client, so the client holds nothing that can
 * produce a valid code.
 */
keygen_irfanview(char *name)
{
	DWORD sum=0;
	/* Decimal place values used below to peel single digits off the value. */
	DWORD p[7]=
	{
		1000000,100000,10000,1000,100,10,1
	};
	BYTE s[10];
	int i;

	/* Step 1: add up the characters of the name. */
	for(i=0;i<strlen(name);i++)
	{
		sum+=(DWORD)name[i];
	}

	/* Step 2: 260 is 0x104, so this is 1d8*(abs(104-sum)+14c) from the summary. */
	sum=0x1d8*(0x14c+(DWORD)abs((signed long)sum-260));

	/* Fills s[0..5] with the six low decimal digits as ASCII, most significant first. */
	for (i=0;i<6;i++)
	{
		s[i]=(sum%p[i])/p[i+1]+0x30;
	}

	/*
	 * Step 3. The comma expression runs left to right, and the order matters:
	 * each assignment reads a digit that a later assignment overwrites.
	 */
	s[8]=s[5],s[5]=s[3],s[3]=s[2],s[2]=s[1],s[6]=s[4];
	/* Each recomputed character is a remainder modulo 9 plus ASCII '0'. */
	s[7]=(DWORD)abs((signed long)(s[8]*0x27)-(signed long)(s[4]*0x5d))*0x27%9+0x30;
	/*
	 * 0xa4 follows the summary; the listing at 0043670C-00436712 multiplies
	 * s[5] by 4a. The two constants differ by 90, so the remainder modulo 9
	 * is the same.
	 */
	s[4]=(DWORD)abs((signed long)(s[5]*0xa4)+(signed long)(s[3]*0x2f))*0x4a%9+0x30;
	s[1]=(DWORD)abs((signed long)(s[0]*0x35)-(signed long)(s[1]*0x23))*0x35%9+0x30;
	/* Terminate after nine characters, as the listing does at 00436866. */
	s[9]=0;
	printf("key is %s",(char*)s);
}


注册信息:
name: whm
code: 119036808

最新回复 (2)
shuair 活跃值 2 2005-6-4 10:02
支持..算法.
liyangsj 活跃值 25 2005-6-4 16:07
支持一下!!!