TextDraw Registration Algorithm Analysis

Source: Internet
Author: User

Text and figures: zjjtr
Recently I came across a small program called TextDraw on the Internet and wrote a keygen for it. Afterwards I thought the algorithm was rather interesting, so I wrote this article to study it together with everyone. TextDraw is an easy-to-use and capable text-graphics tool: you can draw straight lines, ellipses, rectangles, polygons, curves and other figures in the drawing area just as in an ordinary drawing program, except that you are drawing with text characters, and what you get is a text picture that can be displayed in Notepad. I won't say more about it; the features are good, try it yourself.
Now to the topic. First check for a packer with PEiD: luckily the program is not packed, and PEiD identifies it as written with Borland C++ 1999. Run the program and enter "zjjtr" as the user name and "1234567890" as the registration code. Some strange characters are displayed, as shown in Figure 1, together with the prompt "not a valid integer". I counted ten digits, most likely derived from 1234567890, so the registration code is apparently processed as an integer. Load the program into OllyDbg (OD) and search the referenced strings: we find "Registration failed. Please check whether your input is correct". The other strings are probably nearby, so double-click on "Registration failed. Please check whether your input is correct".
 


00415829 |> 66:C745 A4 D400   mov word ptr ss:[EBP-5C], 0D4
0041582F |. BA ADEC4900       mov edx, TextDraw.0049ECAD               ; "Registration failed. Please check whether your input is correct"
00415834 |. 8D45 B8           lea eax, dword ptr ss:[EBP-48]

With 00415829 selected, the information window shows "Jump from 004154ED", so let's take a look at 004154ED.
 
004154EA |. 83F8 64           cmp eax, 64
004154ED |. 0F85 36030000     jnz TextDraw.00415829
004154F3 |. 66:C745 A4 4400   mov word ptr ss:[EBP-5C], 44
004154F9 |. BA 88EC4900       mov edx, TextDraw.0049EC88               ; "Registration successful. Thank you for your support"

EAX is compared with 0x64 and, if they differ, execution jumps to the failure message. We could patch the program right here by changing the JNZ to a JE, but we are analysing the algorithm, so let's keep reading. (The later analysis also shows that a patch here would not be enough on its own: when the registration code is not an integer, execution never reaches this comparison.) Now let's look upwards for the entry of the algorithm; usually there is a RETN just before it. Set a breakpoint at 004152B0, press F9 to run, fill in the user name and registration code, click confirm, and the program stops at the breakpoint.
 
004152B0 /. 55                push ebp                                 ; breakpoint set here
004152B1 |. 8BEC              mov ebp, esp
004152B3 |. 81C4 6CF7FFFF     add esp, -894
004152B9 |. 53                push ebx
004152BA |. 8955 8C           mov dword ptr ss:[EBP-74], edx
004152BD |. 8945 90           mov dword ptr ss:[EBP-70], eax
004152C0 |. B8 14EE4900       mov eax, TextDraw.0049EE14
004152C5 |. E8 864E0600       call TextDraw.0047A150
004152CA |. 66:C745 A4 0800   mov word ptr ss:[EBP-5C], 8
004152D0 |. 8D45 FC           lea eax, dword ptr ss:[EBP-4]
004152D3 |. E8 44C4FEFF       call TextDraw.0040171C
004152D8 |. FF45 B0           inc dword ptr ss:[EBP-50]
004152DB |. 66:C745 A4 1400   mov word ptr ss:[EBP-5C], 14
004152E1 |. 66:C745 A4 2000   mov word ptr ss:[EBP-5C], 20
004152E7 |. 8D45 F8           lea eax, dword ptr ss:[EBP-8]
004152EA |. E8 2DC4FEFF       call TextDraw.0040171C
004152EF |. 8BD0              mov edx, eax
004152F1 |. FF45 B0           inc dword ptr ss:[EBP-50]
004152F4 |. 8B4D 90           mov ecx, dword ptr ss:[EBP-70]
004152F7 |. 8B81 DC020000     mov eax, dword ptr ds:[ECX+2DC]
004152FD |. E8 8A570300       call TextDraw.0044AA8C                   ; EAX = length of the user name
00415302 |. 8D45 F8           lea eax, dword ptr ss:[EBP-8]
00415305 |. E8 A2D1FEFF       call TextDraw.004024AC                   ; EAX = pointer to the user name
0041530A |. 50                push eax                                 ; /Arg2
0041530B |. 8D95 74FBFFFF     lea edx, dword ptr ss:[EBP-48C]          ; |
00415311 |. 52                push edx                                 ; |Arg1
00415312 |. E8 CD4B0600       call TextDraw.00479EE4                   ; \TextDraw.00479EE4 (copies the user name into the buffer at [EBP-48C])
00415317 |. 83C4 08           add esp, 8
0041531A |. FF4D B0           dec dword ptr ss:[EBP-50]
0041531D |. 8D45 F8           lea eax, dword ptr ss:[EBP-8]
00415320 |. BA 02000000       mov edx, 2
00415325 |. E8 12F70600       call TextDraw.00484A3C
0041532A |. 8D8D 74FBFFFF     lea ecx, dword ptr ss:[EBP-48C]
00415330 |. 51                push ecx
00415331 |. E8 DE4B0600       call TextDraw.00479F14
00415336 |. 59                pop ecx
00415337 |. 8945 80           mov dword ptr ss:[EBP-80], eax           ; loop bound for the loop below
0041533A |. C785 7CFFFFFF 9C> mov dword ptr ss:[EBP-84], -64           ; the accumulator in [EBP-84] starts at -0x64 (-100)
00415344 |. 33C0              xor eax, eax
00415346 |. 8945 84           mov dword ptr ss:[EBP-7C], eax           ; loop counter = 0
00415349 |. 8B55 84           mov edx, dword ptr ss:[EBP-7C]
0041534C |. 3B55 80           cmp edx, dword ptr ss:[EBP-80]
0041534F |. 7D 23             jge short TextDraw.00415374
00415351 |> 8B4D 84           /mov ecx, dword ptr ss:[EBP-7C]
00415354 |. 8A840D 74FBFFFF   |mov al, byte ptr ss:[EBP+ECX-48C]       ; next character of the user name into AL
0041535B |. 8845 8B           |mov byte ptr ss:[EBP-75], al
0041535E |. 33D2              |xor edx, edx
00415360 |. 8A55 8B           |mov dl, byte ptr ss:[EBP-75]
00415363 |. 0195 7CFFFFFF     |add dword ptr ss:[EBP-84], edx          ; add it to [EBP-84]
00415369 |. FF45 84           |inc dword ptr ss:[EBP-7C]
0041536C |. 8B4D 84           |mov ecx, dword ptr ss:[EBP-7C]
0041536F |. 3B4D 80           |cmp ecx, dword ptr ss:[EBP-80]
00415372 |.^7C DD             \jl short TextDraw.00415351              ; loop back until the whole user name has been consumed

So, starting from -100 (0x64 in hex), the loop adds up the ASCII codes of all characters of the user name; the result is s1 = sum of ASCII codes - 100. What is that for? Let's keep reading.
 
00415374 |> 8B85 7CFFFFFF     mov eax, dword ptr ss:[EBP-84]           ; the sum goes into EAX; call it s1
0041537A |. 8985 6CF7FFFF     mov dword ptr ss:[EBP-894], eax
00415380 |. 33D2              xor edx, edx
00415382 |. 8995 70F7FFFF     mov dword ptr ss:[EBP-890], edx          ; high dword is zero, so s1 is loaded zero-extended
00415388 |. DFAD 6CF7FFFF     fild qword ptr ss:[EBP-894]
0041538E |. DB2D 80584100     fld tbyte ptr ds:[415880]                ; floating-point constant 0.6480041472265422897
00415394 |. DEC9              fmulp st(1), st                          ; s1 * 0.6480041472265422897
00415396 |. D805 8C584100     fadd dword ptr ds:[41588C]               ; s1 * 0.6480041472265422897 + 1234, call it s2
0041539C |. E8 5F800600       call TextDraw.0047D400
This call converts the floating-point value on the FPU stack to an integer, which comes back in EAX (the program only stores EAX afterwards).
004153A1 |. 8985 7CFFFFFF     mov dword ptr ss:[EBP-84], eax           ; s2 as a 32-bit integer
004153A7 |. 8B95 7CFFFFFF     mov edx, dword ptr ss:[EBP-84]
004153AD |. 8995 6CF7FFFF     mov dword ptr ss:[EBP-894], edx
004153B3 |. 33C9              xor ecx, ecx
004153B5 |. 898D 70F7FFFF     mov dword ptr ss:[EBP-890], ecx          ; again loaded zero-extended
004153BB |. DFAD 6CF7FFFF     fild qword ptr ss:[EBP-894]
004153C1 |. DC0D 90584100     fmul qword ptr ds:[415890]               ; s2 * 3121.1415926
004153C7 |. E8 34800600       call TextDraw.0047D400                   ; to integer again
004153CC |. 8985 7CFFFFFF     mov dword ptr ss:[EBP-84], eax           ; the result, call it s3
004153D2 |. 66:C745 A4 2C00   mov word ptr ss:[EBP-5C], 2C
004153D8 |. 8D45 F4           lea eax, dword ptr ss:[EBP-C]
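
As an added example (not code from the article and not TextDraw's own code), the user-name stage reconstructed from the listing above in Python: the -100 start, the byte sum, the two multiply-and-convert steps, and the fact that both `fild qword` loads zero-extend a 32-bit value. The rounding performed by the runtime call at 0047D400 is not stated on the page, so it is an assumption here (truncation toward zero, with round-to-nearest as an alternative); the constant 0.6480041472265422897 is an 80-bit tbyte in the program but a 64-bit double in Python; the sample user names are constructed.

```python
"""Reconstruction of TextDraw's user-name hashing (added example, not the
program's own code).  Constants are taken from the disassembly; the rounding
mode of the float-to-int call is assumed."""
from __future__ import annotations

INITIAL = -0x64             # mov dword ptr [EBP-84], -64   (start of the sum)
K1 = 0.6480041472265422897  # fld tbyte ptr [415880]  (80-bit in the program, double here)
K2 = 1234.0                 # fadd dword ptr [41588C]
K3 = 3121.1415926           # fmul qword ptr [415890]

MASK32 = 0xFFFFFFFF


def char_sum(name: str) -> int:
    """Loop at 00415351..00415372: start at -100 and add every byte of the
    user name buffer."""
    return INITIAL + sum(name.encode("latin-1"))


def fild_zero_extended(dword: int) -> int:
    """The program stores EAX in the low dword and a zeroed register in the
    high dword before `fild qword`, so the FPU sees the value zero-extended:
    a negative 32-bit sum becomes a number just below 2**32."""
    return dword & MASK32


def fp_to_int(x: float, mode: str = "trunc") -> int:
    """Model of the runtime call at 0047D400.  The article only says it yields
    an integer in EAX; the rounding is NOT stated, so this is an assumption.
    'trunc' (toward zero) is what a C ftol-style helper usually does,
    'nearest' (half-to-even) is the x87 default rounding mode.  Only EAX,
    i.e. the low 32 bits, is stored by the caller."""
    if mode == "trunc":
        v = int(x)
    elif mode == "nearest":
        v = round(x)
    else:
        raise ValueError(f"unknown rounding mode {mode!r}")
    return v & MASK32


def user_name_stages(name: str, mode: str = "trunc") -> tuple[int, int, int]:
    """Return (s1, s2, s3) as the article names them:
         s1 = sum(ASCII) - 100
         s2 = int(s1 * 0.6480041472265422897 + 1234)
         s3 = int(s2 * 3121.1415926)
    s2 and s3 are the 32-bit values left in [EBP-84]."""
    s1 = char_sum(name)
    s2 = fp_to_int(fild_zero_extended(s1) * K1 + K2, mode)
    s3 = fp_to_int(fild_zero_extended(s2) * K3, mode)
    return s1, s2, s3


if __name__ == "__main__":
    # Constructed sample inputs: the article's user name and a one-character
    # name whose sum is below 100, which exercises the zero-extension quirk.
    for sample in ("zjjtr", "A"):
        s1, s2, s3 = user_name_stages(sample)
        print(f"{sample!r}: s1={s1} s2={s2} s3={s3} ({s3:#010x})")
```

For "zjjtr" this gives s1 = 464, s2 = 1534 under truncation (1535 under round-to-nearest) and s3 = 4787831, the value a keygen has to match once the rest of the comparison is known. The one-character case shows why the zero-extended load matters: s1 is -35, but the FPU multiplies 4294967261, so s2 lands above 2**31; a keygen that uses a signed conversion would diverge from the program for such names.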

Here the processing of the user name is finished. Now let's look at how the registration code is handled.
 
004153DB |. E8 3CC3FEFF       call TextDraw.0040171C
004153E0 |. 8BD0              mov edx, eax
004153E2 |. FF45 B0           inc dword ptr ss:[EBP-50]
004153E5 |. 8B4D 90           mov ecx, dword ptr ss:[EBP-70]
004153E8 |. 8B81 E4020000     mov eax, dword ptr ds:[ECX+2E4]
004153EE |. E8 99560300       call TextDraw.0044AA8C
004153F3 |. 8D45 F4           lea eax, dword ptr ss:[EBP-C]
004153F6 |. E8 B1D0FEFF       call TextDraw.004024AC                   ; EAX = pointer to the registration code
004153FB |. 50                push eax                                 ; /Arg2
004153FC |. 8D95 74FBFFFF     lea edx, dword ptr ss:[EBP-48C]          ; |
00415402
