|
論壇說明 |
歡迎您來到『史萊姆論壇』 ^___^ 您目前正以訪客的身份瀏覽本論壇,訪客所擁有的權限將受到限制,您可以瀏覽本論壇大部份的版區與文章,但您將無法參與任何討論或是使用私人訊息與其他會員交流。若您希望擁有完整的使用權限,請註冊成為我們的一份子,註冊的程序十分簡單、快速,而且最重要的是--註冊是完全免費的! 請點擊這裡:『註冊成為我們的一份子!』 |
|
主題工具 | 顯示模式 |
2004-04-01, 06:36 AM | #1 |
榮譽會員
|
拼圖遊戲
Software:B-Jigsaw V7.7
拼圖遊戲。可任意選擇圖片,可將你自己的圖片分成數塊後產生為exe檔案,將之發送給朋友 可自定義伴音,對圖塊可設置陰影及邊框效果 試用 10 天,等你上癮後,付 $14.95 (美金)再繼續 http://www.adcsoft.com/bjigsaw.html Toolse-scan 3.31, DeDe 3.50, OllyDbg 1.09 Cracker:lq7972 [bruceyu13@sina.com] Notes:菜鳥一個,向大家學習 這個軟體主程式的殼是 ASPack 2.12 -> Alexey Solodovnikov,用 pe-scan 脫,能執行 用 W32Dasm 反編譯會不回應,只好用 DeDe 了( Borland C++ ) 在【過程】欄有【license】單元有【BitBtnRegCodeClick】事件即程序啟動畫面上的【Enter reg cod】按鈕,連按兩下開啟代碼過程,訊息很多也很有用: * Reference to : TFormTimes._PROC_00413A70() * Reference to: controls.TControl.GetText(TControl):TCaption; * Reference to: controls.TControl.GetText(TControl):TCaption; * Reference to : TFormMain._PROC_004116E8() * Reference to class TRegistry * Reference to: registry.constructorTRegistry.Create(TRegistry;boolean); 這是一個註冊流程,先得到用戶輸入,產生註冊碼(T),然後將其與用戶輸入的註冊碼(F)比較,不等就"Invalid user name or registration code.",對呢就寫註冊表並"Thank you for registering." 其次,我們可以得到我們跟蹤的下手(斷點)的地方: BitBtnRegCodeClick 00411040 0019 注意,還有一個【reg】單元,初下手時我們更願意去分析和跟蹤它;不過我沒有這樣去做,軟體有這麼一個簡明的註冊流程(真是方便了廣大Cracker),為什麼不用呢?在那裡的分析可能是做無用功(我沒有仔細看,不敢肯定;希望你研究後告訴我,期待ing……) 下面我們來動態跟蹤調試: (如果在軟體啟動畫面出來前斷點,退出) 開啟 OllyDbg ,載入主程式,在 00411040 處 F2 斷點,F9 執行,等上 3 秒鐘後單擊【Enter reg code】,攔住: 00411040 /. 55 push ebp ; …… 00411070 |. FF92 CC000000 call dword ptr ds:[edx+CC] ; 這裡彈出註冊窗dword p 00411076 |. 48 dec eax 00411077 0F85 A1020000 jnz 0041131E ; bt.0041131E 0041107D |. 66:C745 B4 140>mov word ptr ss:[ebp-4C], 14 00411083 |. 33C9 xor ecx, ecx 00411085 |. A1 C0DF4D00 mov eax, dword ptr ds:[4DDFC0] 0041108A |. 894D FC mov dword ptr ss:[ebp-4], ecx 0041108D |. 8D55 FC lea edx, dword ptr ss:[ebp-4] 00411090 |. FF45 C0 inc dword ptr ss:[ebp-40] 00411093 |. 8B08 mov ecx, dword ptr ds:[eax] 00411095 |. 8B81 D4020000 mov eax, dword ptr ds:[ecx+2D4] 0041109B |. E8 70CC0700 call 0048DD10 ; eax = name_len 004110A0 |. 66:C745 B4 080>mov word ptr ss:[ebp-4C], 8 004110A6 |. 66:C745 B4 200>mov word ptr ss:[ebp-4C], 20 004110AC |. 33D2 xor edx, edx 004110AE |. A1 C0DF4D00 mov eax, dword ptr ds:[4DDFC0] 004110B3 |. 8955 F8 mov dword ptr ss:[ebp-8], edx 004110B6 |. 8D55 F8 lea edx, dword ptr ss:[ebp-8] 004110B9 |. FF45 C0 inc dword ptr ss:[ebp-40] 004110BC |. 8B08 mov ecx, dword ptr ds:[eax] 004110BE |. 8B81 D8020000 mov eax, dword ptr ds:[ecx+2D8] 004110C4 |. E8 47CC0700 call 0048DD10 ; 得到用戶輸入的註冊碼(F),eax = reg_code(F)_len 004110C9 |. 66:C745 B4 080>mov word ptr ss:[ebp-4C], 8 004110CF |. 8BC3 mov eax, ebx 004110D1 |. E8 A60B0000 call 00411C7C ; bt.00411C7C 004110D6 |. 66:C745 B4 2C0>mov word ptr ss:[ebp-4C], 2C 004110DC |. 33D2 xor edx, edx 004110DE |. 8D4D F4 lea ecx, dword ptr ss:[ebp-C] 004110E1 |. 8955 F4 mov dword ptr ss:[ebp-C], edx 004110E4 |. 8BC3 mov eax, ebx 004110E6 |. FF45 C0 inc dword ptr ss:[ebp-40] 004110E9 |. 8B55 FC mov edx, dword ptr ss:[ebp-4] ; user_name 004110EC |. E8 F7050000 call 004116E8 ; 產生註冊碼算法 004116E8 見下 004110F1 |. 8D55 F4 lea edx, dword ptr ss:[ebp-C] ; reg_code(T)_addr 004110F4 |. 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; reg_code(F)_addr 004110F7 |. E8 A0FE0B00 call 004D0F9C ; 當然是比較啦,不等 eax = 0 004110FC |. 50 push eax ; /Arg1 004110FD |. FF4D C0 dec dword ptr ss:[ebp-40] ; | 00411100 |. 8D45 F4 lea eax, dword ptr ss:[ebp-C] ; | 00411103 |. BA 02000000 mov edx, 2 ; | 00411108 |. E8 ABFD0B00 call 004D0EB8 ; \bt.004D0EB8 0041110D |. 59 pop ecx ; 不等則 0 0041110E |. 84C9 test cl, cl 00411110 0F84 63010000 je 00411279 ; jump, gAMeoVeR 00411116 |. B2 01 mov dl, 1 00411118 |. A1 50814600 mov eax, dword ptr ds:[468150] 0041111D |. E8 DA710500 call 004682FC ; 寫註冊表 ;+++++++++++++++++++++++++++++++++++++++++++++++++++++++ ; 註冊算法 ;+++++++++++++++++++++++++++++++++++++++++++++++++++++++ 004116E8 $ 55 push ebp 004116E9 . 8BEC mov ebp, esp 004116EB . 83C4 8C add esp, -74 004116EE . B8 38634D00 mov eax, 4D6338 004116F3 . 53 push ebx 004116F4 . 56 push esi 004116F5 . 57 push edi 004116F6 . 894D BC mov dword ptr ss:[ebp-44], ecx ; 0 004116F9 . 8955 F8 mov dword ptr ss:[ebp-8], edx ; user_name 004116FC . E8 F3450B00 call 004C5CF4 ; bt.004C5CF4 00411701 . C745 B4 010000>mov dword ptr ss:[ebp-4C], 1 00411708 . 8D55 F8 lea edx, dword ptr ss:[ebp-8] ; user_name_addr 0041170B . 8D45 F8 lea eax, dword ptr ss:[ebp-8] 0041170E . E8 D9F60B00 call 004D0DEC ; bt.004D0DEC 00411713 . FF45 B4 inc dword ptr ss:[ebp-4C] 00411716 . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8 0041171C . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; user_name_addr 0041171F . E8 04F90B00 call 004D1028 ; eax = user_name_len 00411724 . 83F8 08 cmp eax, 8 00411727 . 7F 5E jg short 00411787 ; 如果大/等於 8,就直接進入註冊碼計算 00411787 00411729 . 66:C745 A8 140>mov word ptr ss:[ebp-58], 14 0041172F . 33D2 xor edx, edx 00411731 . 8955 EC mov dword ptr ss:[ebp-14], edx 00411734 . 8D4D EC lea ecx, dword ptr ss:[ebp-14] 00411737 . FF45 B4 inc dword ptr ss:[ebp-4C] 0041173A . BA 08000000 mov edx, 8 0041173F . B0 20 mov al, 20 00411741 . E8 02F90B00 call 004D1048 ; 得到 8 個空格 00411746 . 8D55 EC lea edx, dword ptr ss:[ebp-14] ; 8 個空格 00411749 . 33C0 xor eax, eax 0041174B . 8945 E8 mov dword ptr ss:[ebp-18], eax 0041174E . 8D4D E8 lea ecx, dword ptr ss:[ebp-18] 00411751 . FF45 B4 inc dword ptr ss:[ebp-4C] 00411754 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; user_name 00411757 . E8 B4F70B00 call 004D0F10 ; "user_name"+8個" "∼new_user_name 0041175C . 8D55 E8 lea edx, dword ptr ss:[ebp-18] ; new_user_name 0041175F . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; "user_name" ∼ old_user_namep 00411762 . E8 81F70B00 call 004D0EE8 ; 將 new_user_name 替 old_user_nam 00411767 . FF4D B4 dec dword ptr ss:[ebp-4C] 0041176A . 8D45 E8 lea eax, dword ptr ss:[ebp-18] 0041176D . BA 02000000 mov edx, 2 00411772 . E8 41F70B00 call 004D0EB8 ; bt.004D0EB8 00411777 . FF4D B4 dec dword ptr ss:[ebp-4C] 0041177A . 8D45 EC lea eax, dword ptr ss:[ebp-14] 0041177D . BA 02000000 mov edx, 2 00411782 . E8 31F70B00 call 004D0EB8 ; bt.004D0EB8 00411787 > E8 44FF0B00 call 004D16D0 ; [GetTickCount] 0041178C . 8945 94 mov dword ptr ss:[ebp-6C], eax ; 作反跟蹤用 0041178F . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8 00411795 . B8 01000000 mov eax, 1 0041179A > 40 inc eax 0041179B . 83F8 64 cmp eax, 64 0041179E .^7C FA jl short 0041179A ; bt.0041179A 004117A0 . E8 2BFF0B00 call 004D16D0 ; [GetTickCount] 004117A5 . 8B55 94 mov edx, dword ptr ss:[ebp-6C] 004117A8 . 2BC2 sub eax, edx 004117AA . 3D E8030000 cmp eax, 3E8 004117AF . 76 0D jbe short 004117BE ; bt.004117BE 004117B1 . 8B0D FCDF4D00 mov ecx, dword ptr ds:[4DDFFC] ; bt.004DE7AC 004117B7 . 8B01 mov eax, dword ptr ds:[ecx] 004117B9 . E8 06200700 call 004837C4 ; bt.004837C4 004117BE > 66:C745 A8 080>mov word ptr ss:[ebp-58], 8 004117C4 . 66:C745 A8 200>mov word ptr ss:[ebp-58], 20 004117CA . 33C0 xor eax, eax 004117CC . BB 01000000 mov ebx, 1 ; ebx = 1 004117D1 . 8945 F4 mov dword ptr ss:[ebp-C], eax 004117D4 . FF45 B4 inc dword ptr ss:[ebp-4C] 004117D7 . 83FB 08 cmp ebx, 8 004117DA . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8 004117E0 . 0F8F 4A020000 jg 00411A30 ; bt.00411A30 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; 這是第一次運算,實質是字元 Xor,再 Reverse 004117E6 > 8B3D 50584D00 mov edi, dword ptr ds:[4D5850] ; bt.004D5860 004117EC . 57 push edi ; "awgsJiBtAANrPNYOntA" ∼ string 004117ED . E8 36420B00 call 004C5A28 004117F2 . 59 pop ecx ; string 004117F3 . 50 push eax ; string_len = 19 004117F4 . 8BC3 mov eax, ebx ; eax = ebx 004117F6 . 5A pop edx ; edx = 19 004117F7 . 8BCA mov ecx, edx 004117F9 . 33D2 xor edx, edx 004117FB . F7F1 div ecx ; eax div ecx: eax = eax/ecx, edx = eax % ecx 004117FD . 8A0417 mov al, byte ptr ds:[edi+edx] ; string [ebx], (1, ...) 00411800 . 50 push eax 00411801 . 8BF3 mov esi, ebx 00411803 . 56 push esi ; /Arg2 00411804 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; |new_user_name_addr 00411807 . 50 push eax ; |Arg1 00411808 . E8 23F50B00 call 004D0D30 ; \bt.004D0D30 0041180D . 83C4 08 add esp, 8 00411810 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] 00411813 . E8 A4F90B00 call 004D11BC ; edx = new_user_name 00411818 . 8B55 F8 mov edx, dword ptr ss:[ebp-8] 0041181B . 03F2 add esi, edx 0041181D . 4E dec esi ; new_user_name [ebx-1], (0,...) 0041181E . 58 pop eax ; string [ebx] 0041181F . 8A16 mov dl, byte ptr ds:[esi] ; new_user_name [ebx-1] 00411821 . 32C2 xor al, dl ; string [ebx] xor new_user_name [ebx-1] 00411823 . 0FBEC0 movsx eax, al 00411826 . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8 0041182C . 85C0 test eax, eax 0041182E . 7D 02 jge short 00411832 ; 大/等於0則跳 bt.00411832 00411830 . F7D8 neg eax ; 否則(主要是寬字元), (opr) ← -(opr) 00411832 > 66:C745 A8 380>mov word ptr ss:[ebp-58], 38 00411838 . 33D2 xor edx, edx 0041183A . 8955 E4 mov dword ptr ss:[ebp-1C], edx 0041183D . 8D55 E4 lea edx, dword ptr ss:[ebp-1C] 00411840 . FF45 B4 inc dword ptr ss:[ebp-4C] 00411843 . E8 38950A00 call 004BAD80 ; 把 al xor dl 的結果 Hex2Dec2Str 00411848 . 66:C745 A8 2C0>mov word ptr ss:[ebp-58], 2C 0041184E . 8D45 E4 lea eax, dword ptr ss:[ebp-1C] 00411851 . E8 D2F70B00 call 004D1028 ; new_user_name_len->tmp_reg_code_len 00411856 . 48 dec eax 00411857 . 7E 22 jle short 0041187B ; <= 0 ? 即 eax <= 1,或者說xor的結果是一位數(<10) ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 00411859 . 6A 02 push 2 ; /Arg2 = 00000002 0041185B . 8D4D E4 lea ecx, dword ptr ss:[ebp-1C] ; | 0041185E . 51 push ecx ; |Arg1 0041185F . E8 CCF40B00 call 004D0D30 ; \bt.004D0D30 00411864 . 83C4 08 add esp, 8 00411867 . 8D45 E4 lea eax, dword ptr ss:[ebp-1C] ; tmp_reg_code_addr 0041186A . E8 4DF90B00 call 004D11BC ; bt.004D11BC 0041186F . 8B55 E4 mov edx, dword ptr ss:[ebp-1C] ; edx = tmp_reg_code 00411872 . 42 inc edx ; tmp_reg_code [1] 00411873 . 0FBE0A movsx ecx, byte ptr ds:[edx] 00411876 . 83F9 30 cmp ecx, 30 ; equal to 0 ? 即xor的結果(>=10)%10=0 00411879 . 75 56 jnz short 004118D1 ; bt.004118D1 ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ; 上述兩種情況的處理是一樣的 0041187B > 66:C745 A8 440>mov word ptr ss:[ebp-58], 44 ; 即用 "1" 來代替 "0",連到 reg_code_A[0] ; 省略 N 行…… 004118CF . EB 6E jmp short 0041193F ; bt.0041193F ;=================================================================================================== 004118D1 > 66:C745 A8 500>mov word ptr ss:[ebp-58], 50 004118D7 . 6A 02 push 2 ; /Arg2 = 00000002 004118D9 . 8D4D E4 lea ecx, dword ptr ss:[ebp-1C] ; |tmp_reg_code_addr 004118DC . 51 push ecx ; |Arg1 004118DD . E8 4EF40B00 call 004D0D30 ; \bt.004D0D30 004118E2 . 83C4 08 add esp, 8 004118E5 . 8D45 E4 lea eax, dword ptr ss:[ebp-1C] 004118E8 . E8 CFF80B00 call 004D11BC ; bt.004D11BC 004118ED . 8B55 E4 mov edx, dword ptr ss:[ebp-1C] 004118F0 . 8D45 D8 lea eax, dword ptr ss:[ebp-28] 004118F3 . 42 inc edx ; tmp_reg_code [1] 004118F4 . 8A12 mov dl, byte ptr ds:[edx] 004118F6 . E8 2DF50B00 call 004D0E28 ; bt.004D0E28 004118FB . FF45 B4 inc dword ptr ss:[ebp-4C] 004118FE . 33C0 xor eax, eax 00411900 . 8945 D4 mov dword ptr ss:[ebp-2C], eax 00411903 . 8D45 F4 lea eax, dword ptr ss:[ebp-C] ; reg_code_A(S)_addr 00411906 . FF45 B4 inc dword ptr ss:[ebp-4C] 00411909 . 8D55 D8 lea edx, dword ptr ss:[ebp-28] 0041190C . 8D4D D4 lea ecx, dword ptr ss:[ebp-2C] 0041190F . E8 FCF50B00 call 004D0F10 ; 提 tmp_reg_code[1] 出來 00411914 . 8D55 D4 lea edx, dword ptr ss:[ebp-2C] 00411917 . 8D45 F4 lea eax, dword ptr ss:[ebp-C] 0041191A . E8 C9F50B00 call 004D0EE8 ; reg_code_A(S)[0] = tmp_reg_code[1] 0041191F . FF4D B4 dec dword ptr ss:[ebp-4C] 00411922 . 8D45 D4 lea eax, dword ptr ss:[ebp-2C] 00411925 Software:B-Jigsaw V7.7 Cracker:lq7972 [bruceyu13@sina.com] [C] 00411925 . BA 02000000 mov edx, 2 0041192A . E8 89F50B00 call 004D0EB8 ; bt.004D0EB8 0041192F . FF4D B4 dec dword ptr ss:[ebp-4C] 00411932 . 8D45 D8 lea eax, dword ptr ss:[ebp-28] 00411935 . BA 02000000 mov edx, 2 0041193A . E8 79F50B00 call 004D0EB8 ; bt.004D0EB8 ;=================================================================================================== 0041193F > 8D45 E4 lea eax, dword ptr ss:[ebp-1C] ; 省略 N 行…… 004119DE . E8 2DF50B00 call 004D0F10 ; 提 tmp_reg_code[0] 出來 004119E3 . 8D55 C4 lea edx, dword ptr ss:[ebp-3C] 004119E6 . 8D45 F4 lea eax, dword ptr ss:[ebp-C] 004119E9 . E8 FAF40B00 call 004D0EE8 ; reg_code_A(S)[1] = tmp_reg_code[0] 004119EE . FF4D B4 dec dword ptr ss:[ebp-4C] 004119F1 . 8D45 C4 lea eax, dword ptr ss:[ebp-3C] 004119F4 . BA 02000000 mov edx, 2 004119F9 . E8 BAF40B00 call 004D0EB8 ; 清除臨時變量值 004D0EB 004119FE . FF4D B4 dec dword ptr ss:[ebp-4C] 00411A01 . 8D45 C8 lea eax, dword ptr ss:[ebp-38] 00411A04 . BA 02000000 mov edx, 2 00411A09 . E8 AAF40B00 call 004D0EB8 ; bt.004D0EB8 00411A0E > 83C3 02 add ebx, 2 ; ebx += 2 00411A11 . FF4D B4 dec dword ptr ss:[ebp-4C] 00411A14 . 8D45 E4 lea eax, dword ptr ss:[ebp-1C] 00411A17 . BA 02000000 mov edx, 2 00411A1C . E8 97F40B00 call 004D0EB8 ; 清除 tmp_reg_code 的值 00411A21 . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8 00411A27 . 83FB 08 cmp ebx, 8 ; ebx <= 8 ? 00411A2A .^0F8E B6FDFFFF jle 004117E6 ; yes, jump ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 00411A30 > E8 9BFC0B00 call 004D16D0 ; [GetTickCount] 00411A35 . 8B4D 94 mov ecx, dword ptr ss:[ebp-6C] 00411A38 . 2BC1 sub eax, ecx 00411A3A . 3D E8030000 cmp eax, 3E8 00411A3F . 76 0C jbe short 00411A4D ; bt.00411A4D 00411A41 . A1 FCDF4D00 mov eax, dword ptr ds:[4DDFFC] 00411A46 . 8B00 mov eax, dword ptr ds:[eax] 00411A48 . E8 771D0700 call 004837C4 ; bt.004837C4 00411A4D > 66:C745 A8 740>mov word ptr ss:[ebp-58], 74 00411A53 . 8B45 F4 mov eax, dword ptr ss:[ebp-C] ; reg_code_A ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; 第二次運算,對 new_user_name 操作,累加到 reg_code_A(N) 00411A56 . E8 55930A00 call 004BADB0 ; reg_code_A(N), Dec2Hex bt.004BADB0 00411A5B . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8 00411A61 . 8BF0 mov esi, eax 00411A63 . EB 0D jmp short 00411A72 ; bt.00411A72 00411A65 . 33F6 xor esi, esi 00411A67 . 66:C745 A8 7C0>mov word ptr ss:[ebp-58], 7C 00411A6D . E8 F8C50B00 call 004CE06A 00411A72 > 66:C745 A8 080>mov word ptr ss:[ebp-58], 8 00411A78 . BB 01000000 mov ebx, 1 ; ebx = 1 00411A7D . EB 2E jmp short 00411AAD ; bt.00411AAD ;======================================================================================================================= 00411A7F > 8BFB mov edi, ebx ; edi = ebx 00411A81 . 57 push edi ; /Arg2 00411A82 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; |new_user_name_addr 00411A85 . 50 push eax ; |Arg1 00411A86 . E8 A5F20B00 call 004D0D30 ; \bt.004D0D30 00411A8B . 83C4 08 add esp, 8 00411A8E . 8D45 F8 lea eax, dword ptr ss:[ebp-8] 00411A91 . E8 26F70B00 call 004D11BC ; edx = new_user_name 00411A96 . 8B55 F8 mov edx, dword ptr ss:[ebp-8] 00411A99 . 8D041B lea eax, dword ptr ds:[ebx+ebx] ; eax = ebx+ebx 00411A9C . 03FA add edi, edx ; edi = new_user_name [edi] 00411A9E . 8D53 FF lea edx, dword ptr ds:[ebx-1] ; edx = ebx-1 00411AA1 . F7EA imul edx ; eax IMUL edx,高位在 edx,低位在 eax 00411AA3 . 4F dec edi ; new_user_name [edi-1] 00411AA4 . 0FBE0F movsx ecx, byte ptr ds:[edi] ; 00411AA7 . 0FAFC8 imul ecx, eax 00411AAA . 03F1 add esi, ecx ; reg_code_A(N) += ecx 00411AAC . 43 inc ebx ; ebx ++ 00411AAD > 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; new_user_name_addr 00411AB0 . E8 73F50B00 call 004D1028 ; eax = new_user_name_len 00411AB5 . 3BD8 cmp ebx, eax 00411AB7 .^7E C6 jle short 00411A7F ; bt.00411A7F ;======================================================================================================================= 00411AB9 . E8 12FC0B00 call 004D16D0 ; [GetTickCount] 00411ABE . 8B55 94 mov edx, dword ptr ss:[ebp-6C] 00411AC1 . 2BC2 sub eax, edx 00411AC3 . 3D E8030000 cmp eax, 3E8 00411AC8 . 76 0D jbe short 00411AD7 ; bt.00411AD7 00411ACA . 8B0D FCDF4D00 mov ecx, dword ptr ds:[4DDFFC] ; bt.004DE7AC 00411AD0 . 8B01 mov eax, dword ptr ds:[ecx] 00411AD2 . E8 ED1C0700 call 004837C4 ; bt.004837C4 00411AD7 > 66:C745 A8 080>mov word ptr ss:[ebp-58], 8 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; 第三次運算,分三步,都是對 new_user_name 操作,累加到 reg_code_A(N) 00411ADD . BB 01000000 mov ebx, 1 ; ebx = 1 00411AE2 . E9 93000000 jmp 00411B7A ; bt.00411B7A ;======================================================================================================================= 00411AE7 > 8BFB mov edi, ebx ; edi=ebx 00411AE9 . 57 push edi ; /Arg2 00411AEA . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; |new_user_name_addr 00411AED . 50 push eax ; |Arg1 00411AEE . E8 3DF20B00 call 004D0D30 ; \bt.004D0D30 00411AF3 . 83C4 08 add esp, 8 00411AF6 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] 00411AF9 . E8 BEF60B00 call 004D11BC ; edx = new_user_name 00411AFE . 8B55 F8 mov edx, dword ptr ss:[ebp-8] 00411B01 . 03FA add edi, edx 00411B03 . 4F dec edi ; edi = new_user_name [i++], i=0,... 00411B04 . 0FBE0F movsx ecx, byte ptr ds:[edi] 00411B07 . 8BC1 mov eax, ecx 00411B09 . 895D 90 mov dword ptr ss:[ebp-70], ebx ; = ebx 00411B0C . C1E0 03 shl eax, 3 00411B0F . 8B55 90 mov edx, dword ptr ss:[ebp-70] 00411B12 . 2BC1 sub eax, ecx 00411B14 . 8D4D F8 lea ecx, dword ptr ss:[ebp-8] 00411B17 . 52 push edx ; /Arg2 00411B18 . 51 push ecx ; |Arg1 00411B19 . 03F0 add esi, eax ; |reg_code_A(N) += eax 00411B1B . E8 10F20B00 call 004D0D30 ; \bt.004D0D30 ; 第一步過 ;**************************************************************************************************************** 00411B20 . 83C4 08 add esp, 8 00411B23 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] 00411B26 . E8 91F60B00 call 004D11BC ; ecx = new_user_name 00411B2B . 8B55 90 mov edx, dword ptr ss:[ebp-70] ; 還記得這個嗎? 00411B2E . 8B4D F8 mov ecx, dword ptr ss:[ebp-8] 00411B31 . 03D1 add edx, ecx 00411B33 . 4A dec edx ; edx = new_user_name [i++], i=0,... 00411B34 . 0FBE02 movsx eax, byte ptr ds:[edx] 00411B37 . 8BD0 mov edx, eax 00411B39 . 895D 8C mov dword ptr ss:[ebp-74], ebx 00411B3C . C1E2 04 shl edx, 4 00411B3F . 8B4D 8C mov ecx, dword ptr ss:[ebp-74] 00411B42 . 2BD0 sub edx, eax 00411B44 . 51 push ecx ; /Arg2 00411B45 . 8D1490 lea edx, dword ptr ds:[eax+edx*4] ; |edx = eax+edx*4 00411B48 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; | 00411B4B . 50 push eax ; |Arg1 00411B4C . 03F2 add esi, edx ; |reg_code_A(N) += edx 00411B4E . E8 DDF10B00 call 004D0D30 ; \bt.004D0D30 ; 第二步過 ;**************************************************************************************************************** 00411B53 . 83C4 08 add esp, 8 00411B56 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] 00411B59 . E8 5EF60B00 call 004D11BC ; bt.004D11BC 00411B5E . 8B55 8C mov edx, dword ptr ss:[ebp-74] 00411B61 . 8B4D F8 mov ecx, dword ptr ss:[ebp-8] 00411B64 . 03D1 add edx, ecx 00411B66 . 4A dec edx ; edx = new_user_name [i++], i=0,... 00411B67 . 0FBE02 movsx eax, byte ptr ds:[edx] 00411B6A . 8D1440 lea edx, dword ptr ds:[eax+eax*2] ; edx = eax+eax*2 00411B6D . C1E2 05 shl edx, 5 00411B70 . 2BD0 sub edx, eax 00411B72 . C1E2 04 shl edx, 4 00411B75 . 03D0 add edx, eax 00411B77 . 03F2 add esi, edx ; reg_code_A(N) += edx ; 第三步過 ;**************************************************************************************************************** 00411B79 . 43 inc ebx 00411B7A > 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; new_user_name_addr 00411B7D . E8 A6F40B00 call 004D1028 ; eax = new_user_name_len 00411B82 . 3BD8 cmp ebx, eax 00411B84 .^0F8E 5DFFFFFF jle 00411AE7 ; bt.00411AE7 ;======================================================================================================================= 00411B8A . E8 41FB0B00 call 004D16D0 ; [GetTickCount] 00411B8F . 8B55 94 mov edx, dword ptr ss:[ebp-6C] 00411B92 . 2BC2 sub eax, edx 00411B94 . 3D E8030000 cmp eax, 3E8 00411B99 . 76 0D jbe short 00411BA8 ; bt.00411BA8 00411B9B . 8B0D FCDF4D00 mov ecx, dword ptr ds:[4DDFFC] ; bt.004DE7AC 00411BA1 . 8B01 mov eax, dword ptr ds:[ecx] 00411BA3 . E8 1C1C0700 call 004837C4 ; bt.004837C4 00411BA8 > 66:C745 A8 800>mov word ptr ss:[ebp-58], 80 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ; 下面是連接 "BJ" 和 reg_code_A ,這就是我們所要得到的 00411BAE . BA 4A5A4D00 mov edx, 4D5A4A ; ASCII "BJ" 00411BB3 . 8D45 F0 lea eax, dword ptr ss:[ebp-10] ; reg_code(F)_addr 00411BB6 . E8 F9F10B00 call 004D0DB4 ; reg_code = "BJ" 00411BBB . FF45 B4 inc dword ptr ss:[ebp-4C] 00411BBE . 33D2 xor edx, edx 00411BC0 . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8 00411BC6 . 66:C745 A8 8C0>mov word ptr ss:[ebp-58], 8C 00411BCC . 8955 C0 mov dword ptr ss:[ebp-40], edx 00411BCF . 8D55 C0 lea edx, dword ptr ss:[ebp-40] 00411BD2 . FF45 B4 inc dword ptr ss:[ebp-4C] 00411BD5 . 8BC6 mov eax, esi ; eax = reg_code_A(N) 00411BD7 . E8 A4910A00 call 004BAD80 ; reg_code_A(N) : Hex2Dec2Str 00411BDC . 8D55 C0 lea edx, dword ptr ss:[ebp-40] ; reg_code_A(S) 00411BDF . 8D45 F0 lea eax, dword ptr ss:[ebp-10] ; reg_code 00411BE2 . E8 15F30B00 call 004D0EFC ; reg_code += reg_code_A(S) 00411BE7 . FF4D B4 dec dword ptr ss:[ebp-4C] ; …… 00411C1D . E8 96F20B00 call 004D0EB8 ; edx = reg_code ;…… 00411C5C . C3 retn [C] 拼圖遊戲註冊機(c) Software:B-Jigsaw V7.7 Cracker:lq7972 [bruceyu13@sina.com] 【總結】 我想上面應該講的比較清楚,這裡歸納一下: 1、軟體獲得用戶輸入後,比較用戶名長度(user_name_len)是否小/等於 8;是,則在後面添上 8 個 0x20,得到 new_user_name 2、對 new_user_name 與 string 依次作 XOR ,將其結果(十進制)轉為字元再調換前後位置; 這裡要注意,不管你的用戶名多長,它總只取到 8 並且取奇數位; 其次,程序還判斷 XOR 的結果是否 <= 0,只有一位數,和有兩位但個位是 0 等三種情況,這需要一些經驗(ASM, CRACK) 3、接下來就比較簡單了,兩個循環依次從 new_user_name 取值運算(各具體操作不同,見前),並累加到 reg_code_A(N),然後累加到 reg_code_A(N); 第二次循環有這樣的三步。(S)表示這是字元串,(N)表示是值 4、連接 "BJ" 和 reg_code_A(S),就是 reg_code 註冊成功,則沒有啟動畫面,並在註冊表中寫入訊息: [HKEY\CURRENT_USER\Software\ADCSotf\BJigsaw] "RegCode"="BJ74029154" "UserName"="lq7972" 軟體給出的字元串:string : "awgsJiBtAANrPNYOntA" 【註冊機】 /* BJigsaw V 7.7 KeyGen */ /* with C Language */ /* by lq7972 */ /* bruceyu13@sina.com */ #include <stdio.h> #include <string.h> #include <stdlib.h> /*///////////////////////////////////////////////////////*/ /* 主程式 */ int main () { int i=0, j; int nameLen; int tmp01, tmp02, tmp03; int regCode_N; char regCode_S [10] = "0"; char regName [255]; char * setString = "awgsJiBtAANrPNYOntA"; printf ("Enter your name : "); gets (regName); nameLen = strlen (regName); /* 根據用戶名長度作相應處理 */ if (nameLen < 8) { while (i++ <= 8) regName [nameLen+i-1] = 0x20; /* space character */ regName [nameLen+i-2] = 0; /* nul */ nameLen = strlen (regName); } /* 做第一次運算 */ for (i=1, j=0; i <= 8; i += 2, j += 2) { tmp01 = setString [i]; tmp02 = regName [i-1]; tmp03 = tmp01 ^ tmp02; if (tmp03 < 0) tmp03 *= -1; tmp01 = tmp03 % 10; tmp02 = tmp03 / 10; if (0 == tmp02) { regCode_S [j] = 0x31; regCode_S [j+1] = tmp01 + 0x30; } else if (0 == tmp01) { regCode_S [j] = 0x31; regCode_S [j+1] = tmp01 + 0x30; } else { regCode_S [j] = tmp01 + 0x30; regCode_S [j+1] = tmp02 + 0x30; } } regCode_N = atoi (regCode_S); /* 第二次運算 */ for (i=1; i <= nameLen; i ++) { tmp01 = i+i; tmp02 = regName [i-1]; tmp03 = i-1; regCode_N += tmp01 * tmp03 * tmp02; } printf ("\n\n"); /* 第三步運算 */ for (i=1; i <= nameLen; i ++) { tmp01 = tmp02 = tmp03 = regName [i-1]; tmp01 <<= 3; tmp01 -= tmp03; regCode_N += tmp01; tmp02 <<= 4; tmp02 -= tmp03; tmp01 = tmp03+tmp02*4; regCode_N += tmp01; tmp01 = tmp03 + tmp03*2; tmp01 <<= 5; tmp01 -= tmp03; tmp01 <<= 4; tmp01 += tmp03; regCode_N += tmp01; } printf ("You Reg Code : %s%d\n", "BJ", regCode_N); return 0; } /* Thanks. */ |
送花文章: 3,
|