2006-02-13, 12:30 PM | #1 | Honorary Member
Tutorial: making an algorithm keygen with keymake
===============================
Analysis of the registration-code generation algorithm of 護花使者 2.1.1
Author: 畢強

Trace into the code segment that computes the registration code:

:004552C0 55                      push ebp
:004552C1 8BEC                    mov ebp, esp
:004552C3 81C4F4FDFFFF            add esp, FFFFFDF4
:004552C9 53                      push ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455255(C)
|
:004552CA 56                      push esi
:004552CB 57                      push edi
:004552CC 8BF8                    mov edi, eax
:004552CE C745FCD2040000          mov [ebp-04], 000004D2
:004552D5 68FF000000              push 000000FF
:004552DA 8D85F4FDFFFF            lea eax, dword ptr [ebp+FFFFFDF4]
:004552E0 50                      push eax
:004552E1 8D45F4                  lea eax, dword ptr [ebp-0C]
:004552E4 50                      push eax
:004552E5 8D45F8                  lea eax, dword ptr [ebp-08]
:004552E8 50                      push eax
:004552E9 8D45FC                  lea eax, dword ptr [ebp-04]
:004552EC 50                      push eax
:004552ED 68FF000000              push 000000FF
:004552F2 8D85F4FEFFFF            lea eax, dword ptr [ebp+FFFFFEF4]
:004552F8 50                      push eax

* Possible StringData Ref from Code Obj ->"c:\"
|
:004552F9 684C534500              push 0045534C

* Reference To: kernel32.GetVolumeInformationA, Ord:0000h
|
:004552FE E8F917FBFF              Call 00406AFC                  ****the volume serial number of drive C: is the software's serial number
:00455303 8B45FC                  mov eax, dword ptr [ebp-04]    ****EAX = the serial number as a hex value
:00455306 05E1100000              add eax, 000010E1              ****call the serial number a; EAX = a+10E1
:0045530B 6BC00D                  imul eax, 0000000D             ****EAX multiplied by 0D
:0045530E B907000000              mov ecx, 00000007
:00455313 33D2                    xor edx, edx
:00455315 F7F1                    div ecx                        ****then divided by 7
:00455317 8BD8                    mov ebx, eax                   ****EBX keeps the quotient
:00455319 8B45FC                  mov eax, dword ptr [ebp-04]
:0045531C 2DD2040000              sub eax, 000004D2              ****EAX = a-4D2
:00455321 8BD0                    mov edx, eax
:00455323 C1E003                  shl eax, 03
:00455326 2BC2                    sub eax, edx                   ****multiplied by 7
:00455328 B90D000000              mov ecx, 0000000D
:0045532D 33D2                    xor edx, edx
:0045532F F7F1                    div ecx                        ****then divided by 0D
:00455331 8BF0                    mov esi, eax                   ****ESI = the quotient
:00455333 8BCF                    mov ecx, edi                   ****ECX = address of the location that will hold the registration code's address
:00455335 8D141E                  lea edx, dword ptr [esi+ebx]   ****EDX = sum of the two quotients

* Possible StringData Ref from Code Obj ->"hazz"
|
:00455338 B858534500              mov eax, 00455358              ****address of "hazz"
:0045533D E89E060000              call 004559E0                  ****continues computing the registration code and stores its address at the location ECX points to
:00455342 5F                      pop edi
:00455343 5E                      pop esi
:00455344 5B                      pop ebx
:00455345 8BE5                    mov esp, ebp
:00455347 5D                      pop ebp
:00455348 C3                      ret

Trace into 4559E0 and analyse it; the code is as follows:

:004559E0 55                      push ebp                       ****EAX = address of "hazz"
:004559E1 8BEC                    mov ebp, esp                   ****ECX = location where the registration code's address is stored
:004559E3 83C4C8                  add esp, FFFFFFC8              ****EDX = the value computed from the serial number, call it b
:004559E6 53                      push ebx
:004559E7 33DB                    xor ebx, ebx                   ****EBX set to 0
:004559E9 895DC8                  mov dword ptr [ebp-38], ebx
:004559EC 895DEC                  mov dword ptr [ebp-14], ebx
:004559EF 894DF4                  mov dword ptr [ebp-0C], ecx
:004559F2 8955F8                  mov dword ptr [ebp-08], edx
:004559F5 8945FC                  mov dword ptr [ebp-04], eax
:004559F8 8B45FC                  mov eax, dword ptr [ebp-04]
:004559FB E800E6FAFF              call 00404000
:00455A00 33C0                    xor eax, eax
:00455A02 55                      push ebp
:00455A03 68F95A4500              push 00455AF9
:00455A08 64FF30                  push dword ptr fs:[eax]
:00455A0B 648920                  mov dword ptr fs:[eax], esp
:00455A0E 33C0                    xor eax, eax
:00455A10 8945F0                  mov dword ptr [ebp-10], eax
:00455A13 33DB                    xor ebx, ebx
:00455A15 8B45FC                  mov eax, dword ptr [ebp-04]    ****EAX = address of "hazz"
:00455A18 E82FE4FAFF              call 00403E4C                  ****gets its length into EAX
:00455A1D 85C0                    test eax, eax
:00455A1F 7E13                    jle 00455A34
:00455A21 BA01000000              mov edx, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455A32(C)
|
:00455A26 8B4DFC                  mov ecx, dword ptr [ebp-04]    ****the next few lines add up the ASCII codes of "hazz"
:00455A29 0FB64C11FF              movzx ecx, byte ptr [ecx+edx-01] ****and leave the sum, 1BD, in EBX
:00455A2E 03D9                    add ebx, ecx
:00455A30 42                      inc edx
:00455A31 48                      dec eax
:00455A32 75F2                    jne 00455A26

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455A1F(C)
|
:00455A34 035DF8                  add ebx, dword ptr [ebp-08]    ****EBX = b+1BD
:00455A37 6BC30D                  imul eax, ebx, 0000000D        ****EAX = EBX*0D
:00455A3A 8945F8                  mov dword ptr [ebp-08], eax    ****store the new value
:00455A3D 8D45EC                  lea eax, dword ptr [ebp-14]

* Possible StringData Ref from Code Obj ->"delphi"
|
:00455A40 BA105B4500              mov edx, 00455B10              ****EDX = address of "delphi"
:00455A45 E81AE2FAFF              call 00403C64                  ****exchanges the contents of EBP-14 with the value in EDX
:00455A4A 33D2                    xor edx, edx
:00455A4C 8D45CC                  lea eax, dword ptr [ebp-34]    ****EAX = EBP-34

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455A5F(C)   ****the block below widens each character of "delphi" to a DWORD and stores them starting at EBP-34
|
:00455A4F 8B4DEC                  mov ecx, dword ptr [ebp-14]
:00455A52 0FB60C11                movzx ecx, byte ptr [ecx+edx]
:00455A56 8908                    mov dword ptr [eax], ecx
:00455A58 42                      inc edx
:00455A59 83C004                  add eax, 00000004
:00455A5C 83FA06                  cmp edx, 00000006
:00455A5F 75EE                    jne 00455A4F
:00455A61 C745E808000000          mov [ebp-18], 00000008         ****loop count 8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455AAB(C)   ****the computation begins; this block is presumably some algorithm, but I could not work it out
|
:00455A68 8B45DC                  mov eax, dword ptr [ebp-24]
:00455A6B 2B45E0                  sub eax, dword ptr [ebp-20]
:00455A6E 99                      cdq
:00455A6F 33C2                    xor eax, edx
:00455A71 2BC2                    sub eax, edx
:00455A73 8B4DCC                  mov ecx, dword ptr [ebp-34]
:00455A76 034DD0                  add ecx, dword ptr [ebp-30]
:00455A79 8B55D4                  mov edx, dword ptr [ebp-2C]
:00455A7C 3355D8                  xor edx, dword ptr [ebp-28]
:00455A7F 03CA                    add ecx, edx
:00455A81 2BC8                    sub ecx, eax
:00455A83 894DE4                  mov dword ptr [ebp-1C], ecx
:00455A86 8B45F8                  mov eax, dword ptr [ebp-08]
:00455A89 33C1                    xor eax, ecx
:00455A8B 0145F0                  add dword ptr [ebp-10], eax
:00455A8E 0FAF4DF0                imul ecx, dword ptr [ebp-10]
:00455A92 894DE4                  mov dword ptr [ebp-1C], ecx
:00455A95 BA06000000              mov edx, 00000006
:00455A9A 8D45D0                  lea eax, dword ptr [ebp-30]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455AA6(C)   ****this block shifts the 6 DWORDs starting at EBP-30 forward by one slot,
|               ****i.e. moves EBP-30..EBP-1C to EBP-34..EBP-20, ready for the next loop iteration
:00455A9D 8B08                    mov ecx, dword ptr [eax]
:00455A9F 8948FC                  mov dword ptr [eax-04], ecx
:00455AA2 83C004                  add eax, 00000004
:00455AA5 4A                      dec edx
:00455AA6 75F5                    jne 00455A9D
:00455AA8 FF4DE8                  dec [ebp-18]
:00455AAB 75BB                    jne 00455A68                   ****once the whole loop is done, EBP-10 holds the registration code as a hex value
:00455AAD 8B45F4                  mov eax, dword ptr [ebp-0C]    ****location that will receive the registration code's address
:00455AB0 50                      push eax
:00455AB1 8D4DC8                  lea ecx, dword ptr [ebp-38]
:00455AB4 BA08000000              mov edx, 00000008
:00455AB9 8B45F0                  mov eax, dword ptr [ebp-10]    ****EAX = registration code as a hex value
:00455ABC E8972EFBFF              call 00408958                  ****converts the hex value to a string starting at EBP-38
:00455AC1 8B45C8                  mov eax, dword ptr [ebp-38]
:00455AC4 B908000000              mov ecx, 00000008
:00455AC9 BA01000000              mov edx, 00000001
:00455ACE E881E5FAFF              call 00404054                  ****stores the registration code's address at the EAX location pushed above
:00455AD3 33C0                    xor eax, eax
:00455AD5 5A                      pop edx
:00455AD6 59                      pop ecx
:00455AD7 59                      pop ecx
:00455AD8 648910                  mov dword ptr fs:[eax], edx
:00455ADB 68005B4500              push 00455B00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00455AFE(U)
|
:00455AE0 8D45C8                  lea eax, dword ptr [ebp-38]
:00455AE3 E8E4E0FAFF              call 00403BCC
:00455AE8 8D45EC                  lea eax, dword ptr [ebp-14]
:00455AEB E8DCE0FAFF              call 00403BCC
:00455AF0 8D45FC                  lea eax, dword ptr [ebp-04]
:00455AF3 E8D4E0FAFF              call 00403BCC
:00455AF8 C3                      ret

From the code analysis above, the software's serial number is the volume serial number of drive C:; call it a. The value (((a+10E1)*0D\7+(a-4d2)*7\0D)+1BD)*0D is used as the initial value for the loop computation; the details of that algorithm are left alone.

Based on the analysis above, the keygen can now be written. Because the intermediate values can easily exceed a DWORD, it is hard to handle them correctly in VB, so the keygen is instead built with the keymake keygen editor, which here means writing it in MASM32 assembly. The code is as follows:

Data section (press F2 to enter it):

szHomePage db "http://www.biqiang.com",0
szEmail db "mailto:biqiang@kzinfo.net",0
szErrMess db "輸入的序列號不正確!",0       ;error message: "The serial number entered is incorrect!"
a1 dd 0
a2 dd 0
a3 dd 0
a4 db 10 dup(0)                             ;holds the registration code
a5 db "%1X",0                               ;output format string, converts the hex value to a string
a6 dd 64h,65h,6ch,70h,68h,69h,0             ;"delphi" widened to DWORDs

Code section (entered in the window):

MOV ECX,EAX                 ;EAX = address of the entered serial number
XOR EBX,EBX                 ;the following converts the serial number string to a hex value in EBX
n1: MOVZX EAX,BYTE PTR [ECX]
OR AL,AL
JZ n3
CMP AL,3Ah
JC n2
and al,0dfh
SUB AL,7
n2: SUB AL,30h
SHL EBX,4
ADD EBX,EAX
INC ECX
JMP n1
n3: xor eax,eax             ;from here on, replicate the algorithm of the program above
mov a1,eax
mov a2,eax
mov a3,eax
mov eax,ebx
push eax
add eax,10e1h
imul eax,0dh
xor edx,edx
mov ecx,7
div ecx
mov ebx,eax
pop eax
sub eax,4d2h
mov edx,eax
shl eax,3
sub eax,edx
xor edx,edx
mov ecx,0dh
div ecx
add eax,ebx
add eax,1bdh
mov ebx,eax
imul eax,ebx,0dh
mov a1,eax
mov a2,8
mov edx,6
mov a6,64h
mov a6+4,65h
mov a6+8,6ch
mov a6+0ch,70h
mov a6+10h,68h
mov a6+14h,69h
mov a6+18h,0
loop1: mov eax,a6+10h
sub eax,a6+14h
cdq
xor eax,edx
sub eax,edx
mov ecx,a6
add ecx,a6+4
mov edx,a6+8
xor edx,a6+0ch
add ecx,edx
sub ecx,eax
mov a6+18h,ecx
mov eax,a1
xor eax,ecx
add a3,eax
imul ecx,a3
mov a6+18h,ecx
mov edx,6
lea eax,a6
loop2: mov ecx,dword ptr [eax+4]
mov dword ptr [eax],ecx
add eax,4
dec edx
jne loop2
dec a2
jne loop1
mov eax,a3
push eax
lea eax,a5
push eax
lea eax,a4
push eax
CALL wsprintfA
lea eax,a4

Finally, just compile. One more thing to note: when installing keymake, do not use the default directory (C:\Program Files\KeyMake); that is, the installation directory name must not contain spaces. The reason is that at compile time, when the MASM32 assembler looks up the include files, a space in the directory name causes the include files not to be found, and the compilation cannot complete.