Table search for software registration algorithms

Source: Internet
Author: User

Text and figures: TC-XB

We have looked at a variety of registration algorithms; today we introduce an old and classic type: the lookup-table algorithm. What is a lookup table? Put simply, the software author builds a data table into the program when writing it. The table has something of the flavour of a password table: nobody except the author knows what it looks like or what it contains. During ordinary use the table is never touched; as long as no registration-related action takes place it sits in the program unnoticed. Once we enter registration information such as a registration name, however, the table comes into play. The program picks content out of the table according to the registration information we entered, following some rule or order, and that content is then processed, or simply concatenated, into a registration code. The table is therefore closely tied to the registration algorithm and can fairly be called its core. The principle is simple. Imagine a class: a new teacher needs some students to clean the school, holds up the class list and says, "Students with even numbers sweep the floor, students with odd numbers mop it." On hearing the instruction, everyone gets to work. This simple process reflects the basic principle of a table-based algorithm exactly. Compare the data table in the program to the list in the teacher's hand: the teacher assigns each student a task based on the student number, and likewise the program extracts different content from the data table based on the registration information. The principle sounds simple enough. What form does it take in an actual program?
Next we take a CrackMe as an example and walk through how the lookup-table algorithm appears in a real program. Loading it in OllyDbg (OD) and locating the key code is omitted here: the CrackMe is not packed, and the relevant code is found quickly with a string search. The code is listed below; let us analyze it piece by piece.

    00401127  6A 00          push 0                                   ; set the breakpoint here
    00401129  6A 00          push 0                                   ; |wParam = 0
    0040112B  6A 0E          push 0E                                  ; |Message = WM_GETTEXTLENGTH
    0040112D  6A 03          push 3                                   ; |ControlID = 3
    0040112F  FF75 08        push dword ptr [ebp+8]                   ; |hWnd
    00401132  E8 41020000    call <jmp.&USER32.SendDlgItemMessageA>   ; \SendDlgItemMessageA
    00401137  A3 AF214000    mov [4021AF], eax                        ; length of the registration name
    0040113C  83F8 00        cmp eax, 0                               ; compare the name length with 0
    0040113F  0F84 D5000000  je 0040121A                              ; no registration name entered: fail
    00401145  83F8 08        cmp eax, 8                               ; compare the name length with 8
    00401148  0F8F CC000000  jg 0040121A                              ; longer than 8 characters: fail

First the program checks the registration name. The first requirement is on its length: a name must be entered, and the jg sends anything longer than 8 characters to the failure path, so the name may have at most 8 characters.

    0040114E  8BF0           mov esi, eax                             ; esi = name length
    00401150  6A 00          push 0                                   ; /lParam = 0
    00401152  6A 00          push 0                                   ; |wParam = 0
    00401154  6A 0E          push 0E                                  ; |Message = WM_GETTEXTLENGTH
    00401156  6A 04          push 4                                   ; |ControlID = 4
    00401158  FF75 08        push dword ptr [ebp+8]                   ; |hWnd
    0040115B  E8 18020000    call <jmp.&USER32.SendDlgItemMessageA>   ; \SendDlgItemMessageA
    00401160  83F8 00        cmp eax, 0                               ; compare the code length with 0
    00401163  0F84 B1000000  je 0040121A                              ; no registration code entered: fail
    00401169  3BF0           cmp esi, eax                             ; compare the name length with the code length
    0040116B  0F85 A9000000  jnz 0040121A                             ; lengths differ: fail

After the registration name, the registration code is checked: a code must be entered, and the name and the code must have the same number of characters to pass. With these two pieces of information checked, the algorithm proper begins. How does the table lookup work? Let us look at the analysis.

    0040119C  41             inc ecx
    0040119D  0FBE81 60214000 movsx eax, byte ptr [ecx+402160]        ; fetch the ASCII code of each character of the name
    004011A4  83F8 00        cmp eax, 0                               ; end of the name?
    004011A7  74 32          je short 004011DB
    004011A9  BE FFFFFFFF    mov esi, -1
    004011AE  83F8 41        cmp eax, 41                              ; below 41?
    004011B1  7C 67          jl short 0040121A                        ; if so, fail
    004011B3  83F8 7A        cmp eax, 7A                              ; above 7A?
    004011B6  77 62          ja short 0040121A                        ; if so, fail
    004011B8  83F8 5A        cmp eax, 5A                              ; compare with 5A
    004011BB  7C 03          jl short 004011C0                        ; if smaller, skip to 004011C0
    004011BD  83E8 20        sub eax, 20                              ; ASCII code minus 0x20
    004011C0  46             inc esi

Before the calculation the program checks the registration name further. The first test limited its length; this one tests its content. The program fetches the ASCII code of each character of the name and compares it with 41 and 7A: a code below 41 or above 7A goes straight to the failure path, so every character's ASCII code must lie between 41 and 7A. What are 41 and 7A? In the ASCII table, 41 is "A" and 7A is "z". So this code checks the characters of the registration name: each one must be a letter rather than a digit or other symbol.

Once the name has passed the letters-only requirement, we see that if a character's ASCII code is greater than 5A, 20 is subtracted from it. What is this for? First look at which letter 5A is: it is "Z", the last uppercase letter. Any ASCII code greater than that of "Z" must therefore belong to a lowercase letter, and since the lowercase letters differ from the uppercase ones by exactly 0x20, the purpose is clear: the lowercase letters in the registration name are converted to uppercase. If the registration name is tcxb, for example, it becomes TCXB. With the name converted, the calculation starts. Let us keep going and see how the legendary "table lookup calculation" actually calculates. After some unimportant code we reach the following:

    004011C1  0FBE96 17204000 movsx edx, byte ptr [esi+402017]        ; note this address
    004011C8  3BC2           cmp eax, edx                             ; equal?
    004011CA  75 F4          jnz short 004011C0                       ; if not equal, keep searching

Note that the first instruction references an address. Go there by entering the command "d esi+402017" in OD's command line, and the data window shows the following:

    00402017  41 31 4C 53 4B 32 44 4A 46 34 48 47 50 33 51 57  A1LSK2DJF4HGP3QW
    00402027  4F 35 45 49 52 36 55 54 59 5A 38 4D 58 4E 37 43  O5EIR6UTYZ8MXN7C
    00402037  42 56 39                                         BV9

What is this? After tracing and analyzing the code we find that it is a data table: A1LSK2DJF4HGP3QWO5EIR6UTYZ8MXN7CBV9. The program looks up each letter of the registration name in this table and records its position.

For convenience, number the characters of the table 1 to 35. The four letters TCXB, for example, are at positions 24, 32, 29 and 33. Having saved the positions, the program continues with the next step:

    004011CC  0FBE86 3C204000 movsx eax, byte ptr [esi+40203C]        ; the second table appears here
    004011D3  8981 94214000  mov [ecx+402194], eax                    ; save the result of each step
    004011D9  EB C1          jmp short 0040119C                       ; loop

This code references another address in memory. Again we use the command line: enter "d esi+40203C" and the following appears:

    0040203C  53 55 37 43 53 4A 4B                             SU7CSJK
    00402043  46 30 39 4E 43 53 44 4F 39 53 44 46 30 39 53 44  F09NCSDO9SDF09SD
    00402053  52 4C 56 4B 37 38 30 39 53 34 4E 46              RLVK7809S4NF

So we can now assemble a second data table: SU7CSJKF09NCSDO9SDF09SDRLVK7809S4NF. What is it for? Number its characters 1 to 35 in the same way. It turns out that the program picks the character at the corresponding position in this table, using the position information obtained from the first table. That may still be hard to follow, so here is an example that continues the previous step. In the code, esi starts at -1 and is incremented before every comparison, so the positions the program actually holds for TCXB are 23, 31, 28 and 32 (one less than the numbering above, i.e. counted from 0). The program then takes the characters at those same offsets in table 2, SU7CSJKF09NCSDO9SDF09SDRLVK7809S4NF, which are R, S, 8 and 4: the registration code RS84. This is the crucial part. Let us analyze the code that follows:

    004011DB  FF35 AF214000  push dword ptr [4021AF]
    004011E1  68 94214000    push 00402194                            ; Arg2 = 00402194 ASCII "RS84"
    004011E6  68 79214000    push 00402179                            ; Arg1 = 00402179 ASCII "1234"
    004011EB  E8 54000000    call 00401244                            ; compare the entered (false) code with the real one
    004011F0  83F8 01        cmp eax, 1                               ; flag check
    004011F3  0F84 DEFEFFFF  je 0
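To make the two-table lookup concrete, here is an added Python model of the whole check reconstructed from the listing above; it is not the CrackMe's own code. The table contents, the 0x41/0x5A/0x7A bounds and the length limit of 8 come from the disassembly; the function names and the treatment of characters that are not found in the first table are my own assumptions.

```python
"""Added example: a Python model of the CrackMe's lookup-table registration
check, reconstructed from the disassembly (not the CrackMe's own code)."""

# The two 35-character tables read from the data section in the listing
# (0x402017 and 0x40203C).
TABLE1 = "A1LSK2DJF4HGP3QWO5EIR6UTYZ8MXN7CBV9"
TABLE2 = "SU7CSJKF09NCSDO9SDF09SDRLVK7809S4NF"

MAX_NAME_LEN = 8  # cmp eax, 8 / jg 0040121A


def normalize_name(name: str):
    """Model of the per-character checks at 004011AE..004011BD.

    Returns the name with every code above 0x5A ('Z') reduced by 0x20
    (lowercase folded to uppercase), or None when any character lies outside
    0x41..0x7A, which sends the program to its failure path.
    """
    out = []
    for ch in name:
        c = ord(ch)
        if c < 0x41 or c > 0x7A:
            return None
        if c > 0x5A:          # above 'Z': the program subtracts 0x20
            c -= 0x20
        out.append(chr(c))
    return "".join(out)


def expected_code(name: str):
    """Derive the registration code the CrackMe computes for `name`.

    Returns None when the name would fail the program's own checks.
    """
    if not 1 <= len(name) <= MAX_NAME_LEN:      # 0040113C..00401148
        return None
    folded = normalize_name(name)
    if folded is None:
        return None
    code = []
    for ch in folded:
        # Inner loop 004011C0..004011CA: esi starts at -1 and is incremented
        # until TABLE1[esi] matches, so the position it ends on is zero-based.
        pos = TABLE1.find(ch)
        if pos < 0:
            # Assumption: treat a character missing from TABLE1 as invalid.
            # The real loop has no upper bound, so e.g. '[' (0x5B, folded to
            # 0x3B) would make it scan past the end of the table.
            return None
        # 004011CC: the same offset selects the character from the second table.
        code.append(TABLE2[pos])
    return "".join(code)


def check_registration(name: str, code: str) -> bool:
    """Model of the complete dialog check: length tests, table lookup, then
    the comparison performed by the call at 004011EB."""
    if len(code) == 0 or len(code) != len(name):   # 00401160..0040116B
        return False
    real = expected_code(name)
    return real is not None and code == real


if __name__ == "__main__":
    print(expected_code("tcxb"))               # RS84, as derived in the article
    print(check_registration("TCXB", "1234"))  # False: the code the article typed
```

Running it reproduces the article's result, RS84 for tcxb, and rejects the entered "1234". The security lesson is that the validator and the generator are the same function: the program's entire secret is two 35-byte strings in its data section, so anyone who can read the binary can reproduce the check, which is why a static lookup table is no protection once the executable is in the user's hands. Note also the unbounded search loop at 004011C0: the range check admits six non-letter codes (0x5B..0x60) which, after the subtraction, are not in the table, so the real program would walk memory beyond it; the model above simply treats such input as invalid.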
