史萊姆論壇


psac 2004-04-01 06:36 AM

Jigsaw Puzzle Game
 
Software:B-Jigsaw V7.7
A jigsaw puzzle game. You can pick any picture, split your own picture into several pieces and generate an exe file from it, then send it to friends.
Background sound can be customised, and shadow and border effects can be set on the pieces.
10-day trial; once you're hooked, pay $14.95 (USD) to continue.
http://www.adcsoft.com/bjigsaw.html
Tools:pe-scan 3.31, DeDe 3.50, OllyDbg 1.09
Cracker:lq7972 [bruceyu13@sina.com]
Notes: Just a newbie, learning from everyone.


The main program of this software is packed with ASPack 2.12 -> Alexey Solodovnikov; unpacking it with pe-scan gives an executable that runs.
W32Dasm stops responding when disassembling it, so DeDe had to be used instead (Borland C++).
Under the [Procedures] tab, the [license] unit has a [BitBtnRegCodeClick] event, which is the [Enter reg code] button on the program's splash screen. Double-click it to open the code for that procedure; there is a lot of useful information:

* Reference to : TFormTimes._PROC_00413A70()
* Reference to: controls.TControl.GetText(TControl):TCaption;
* Reference to: controls.TControl.GetText(TControl):TCaption;
* Reference to : TFormMain._PROC_004116E8()
* Reference to class TRegistry
* Reference to: registry.constructorTRegistry.Create(TRegistry;boolean);

This is a registration flow: first it takes the user's input, generates a registration code (T), then compares it with the registration code the user entered (F). If they differ, it says "Invalid user name or registration code."; if they match, it writes to the registry and says "Thank you for registering."
Second, we get the place where we start tracing (the breakpoint):
BitBtnRegCodeClick 00411040 0019
Note that there is also a [reg] unit, which at first we would rather analyse and trace; but I didn't do that. The software has such a concise registration flow (really convenient for crackers everywhere), so why not use it? Analysing that unit might be wasted effort (I didn't look carefully, so I'm not sure; I hope you'll study it and tell me, looking forward to it...)


Now let's trace it dynamically in the debugger:
(If you break before the software's splash screen appears, it exits.)
Open OllyDbg, load the main program, set a breakpoint with F2 at 00411040, run with F9, wait 3 seconds, then click [Enter reg code] and it breaks:

00411040 /. 55 push ebp
; ……
00411070 |. FF92 CC000000 call dword ptr ds:[edx+CC] ; the registration window pops up here
00411076 |. 48 dec eax
00411077 0F85 A1020000 jnz 0041131E ; bt.0041131E
0041107D |. 66:C745 B4 140>mov word ptr ss:[ebp-4C], 14
00411083 |. 33C9 xor ecx, ecx
00411085 |. A1 C0DF4D00 mov eax, dword ptr ds:[4DDFC0]
0041108A |. 894D FC mov dword ptr ss:[ebp-4], ecx
0041108D |. 8D55 FC lea edx, dword ptr ss:[ebp-4]
00411090 |. FF45 C0 inc dword ptr ss:[ebp-40]
00411093 |. 8B08 mov ecx, dword ptr ds:[eax]
00411095 |. 8B81 D4020000 mov eax, dword ptr ds:[ecx+2D4]
0041109B |. E8 70CC0700 call 0048DD10 ; eax = name_len
004110A0 |. 66:C745 B4 080>mov word ptr ss:[ebp-4C], 8
004110A6 |. 66:C745 B4 200>mov word ptr ss:[ebp-4C], 20
004110AC |. 33D2 xor edx, edx
004110AE |. A1 C0DF4D00 mov eax, dword ptr ds:[4DDFC0]
004110B3 |. 8955 F8 mov dword ptr ss:[ebp-8], edx
004110B6 |. 8D55 F8 lea edx, dword ptr ss:[ebp-8]
004110B9 |. FF45 C0 inc dword ptr ss:[ebp-40]
004110BC |. 8B08 mov ecx, dword ptr ds:[eax]
004110BE |. 8B81 D8020000 mov eax, dword ptr ds:[ecx+2D8]
004110C4 |. E8 47CC0700 call 0048DD10 ; get the registration code entered by the user (F), eax = reg_code(F)_len
004110C9 |. 66:C745 B4 080>mov word ptr ss:[ebp-4C], 8
004110CF |. 8BC3 mov eax, ebx
004110D1 |. E8 A60B0000 call 00411C7C ; bt.00411C7C
004110D6 |. 66:C745 B4 2C0>mov word ptr ss:[ebp-4C], 2C
004110DC |. 33D2 xor edx, edx
004110DE |. 8D4D F4 lea ecx, dword ptr ss:[ebp-C]
004110E1 |. 8955 F4 mov dword ptr ss:[ebp-C], edx
004110E4 |. 8BC3 mov eax, ebx
004110E6 |. FF45 C0 inc dword ptr ss:[ebp-40]
004110E9 |. 8B55 FC mov edx, dword ptr ss:[ebp-4] ; user_name
004110EC |. E8 F7050000 call 004116E8 ; registration code generation algorithm at 004116E8, see below
004110F1 |. 8D55 F4 lea edx, dword ptr ss:[ebp-C] ; reg_code(T)_addr
004110F4 |. 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; reg_code(F)_addr
004110F7 |. E8 A0FE0B00 call 004D0F9C ; the comparison, of course; if not equal, eax = 0
004110FC |. 50 push eax ; /Arg1
004110FD |. FF4D C0 dec dword ptr ss:[ebp-40] ; |
00411100 |. 8D45 F4 lea eax, dword ptr ss:[ebp-C] ; |
00411103 |. BA 02000000 mov edx, 2 ; |
00411108 |. E8 ABFD0B00 call 004D0EB8 ; \bt.004D0EB8
0041110D |. 59 pop ecx ; 0 if not equal
0041110E |. 84C9 test cl, cl
00411110 0F84 63010000 je 00411279 ; jump, gAMeoVeR
00411116 |. B2 01 mov dl, 1
00411118 |. A1 50814600 mov eax, dword ptr ds:[468150]
0041111D |. E8 DA710500 call 004682FC ; write the registry


;+++++++++++++++++++++++++++++++++++++++++++++++++++++++
; Registration algorithm
;+++++++++++++++++++++++++++++++++++++++++++++++++++++++
004116E8 $ 55 push ebp
004116E9 . 8BEC mov ebp, esp
004116EB . 83C4 8C add esp, -74
004116EE . B8 38634D00 mov eax, 4D6338
004116F3 . 53 push ebx
004116F4 . 56 push esi
004116F5 . 57 push edi
004116F6 . 894D BC mov dword ptr ss:[ebp-44], ecx ; 0
004116F9 . 8955 F8 mov dword ptr ss:[ebp-8], edx ; user_name
004116FC . E8 F3450B00 call 004C5CF4 ; bt.004C5CF4
00411701 . C745 B4 010000>mov dword ptr ss:[ebp-4C], 1
00411708 . 8D55 F8 lea edx, dword ptr ss:[ebp-8] ; user_name_addr
0041170B . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
0041170E . E8 D9F60B00 call 004D0DEC ; bt.004D0DEC
00411713 . FF45 B4 inc dword ptr ss:[ebp-4C]
00411716 . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
0041171C . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; user_name_addr
0041171F . E8 04F90B00 call 004D1028 ; eax = user_name_len
00411724 . 83F8 08 cmp eax, 8
00411727 . 7F 5E jg short 00411787 ; if greater than/equal to 8, go straight into the registration code calculation at 00411787
00411729 . 66:C745 A8 140>mov word ptr ss:[ebp-58], 14
0041172F . 33D2 xor edx, edx
00411731 . 8955 EC mov dword ptr ss:[ebp-14], edx
00411734 . 8D4D EC lea ecx, dword ptr ss:[ebp-14]
00411737 . FF45 B4 inc dword ptr ss:[ebp-4C]
0041173A . BA 08000000 mov edx, 8
0041173F . B0 20 mov al, 20
00411741 . E8 02F90B00 call 004D1048 ; get 8 spaces
00411746 . 8D55 EC lea edx, dword ptr ss:[ebp-14] ; 8 spaces
00411749 . 33C0 xor eax, eax
0041174B . 8945 E8 mov dword ptr ss:[ebp-18], eax
0041174E . 8D4D E8 lea ecx, dword ptr ss:[ebp-18]
00411751 . FF45 B4 inc dword ptr ss:[ebp-4C]
00411754 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; user_name
00411757 . E8 B4F70B00 call 004D0F10 ; "user_name" + 8 " " ∼ new_user_name
0041175C . 8D55 E8 lea edx, dword ptr ss:[ebp-18] ; new_user_name
0041175F . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; "user_name" ∼ old_user_name
00411762 . E8 81F70B00 call 004D0EE8 ; replace old_user_name with new_user_name
00411767 . FF4D B4 dec dword ptr ss:[ebp-4C]
0041176A . 8D45 E8 lea eax, dword ptr ss:[ebp-18]
0041176D . BA 02000000 mov edx, 2
00411772 . E8 41F70B00 call 004D0EB8 ; bt.004D0EB8
00411777 . FF4D B4 dec dword ptr ss:[ebp-4C]
0041177A . 8D45 EC lea eax, dword ptr ss:[ebp-14]
0041177D . BA 02000000 mov edx, 2
00411782 . E8 31F70B00 call 004D0EB8 ; bt.004D0EB8
00411787 > E8 44FF0B00 call 004D16D0 ; [GetTickCount]
0041178C . 8945 94 mov dword ptr ss:[ebp-6C], eax ; used for anti-tracing
0041178F . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
00411795 . B8 01000000 mov eax, 1
0041179A > 40 inc eax
0041179B . 83F8 64 cmp eax, 64
0041179E .^7C FA jl short 0041179A ; bt.0041179A
004117A0 . E8 2BFF0B00 call 004D16D0 ; [GetTickCount]
004117A5 . 8B55 94 mov edx, dword ptr ss:[ebp-6C]
004117A8 . 2BC2 sub eax, edx
004117AA . 3D E8030000 cmp eax, 3E8
004117AF . 76 0D jbe short 004117BE ; bt.004117BE
004117B1 . 8B0D FCDF4D00 mov ecx, dword ptr ds:[4DDFFC] ; bt.004DE7AC
004117B7 . 8B01 mov eax, dword ptr ds:[ecx]
004117B9 . E8 06200700 call 004837C4 ; bt.004837C4
004117BE > 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
004117C4 . 66:C745 A8 200>mov word ptr ss:[ebp-58], 20
004117CA . 33C0 xor eax, eax
004117CC . BB 01000000 mov ebx, 1 ; ebx = 1
004117D1 . 8945 F4 mov dword ptr ss:[ebp-C], eax
004117D4 . FF45 B4 inc dword ptr ss:[ebp-4C]
004117D7 . 83FB 08 cmp ebx, 8
004117DA . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
004117E0 . 0F8F 4A020000 jg 00411A30 ; bt.00411A30

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; This is the first computation; essentially a character XOR, then a reverse
004117E6 > 8B3D 50584D00 mov edi, dword ptr ds:[4D5850] ; bt.004D5860
004117EC . 57 push edi ; "awgsJiBtAANrPNYOntA" ∼ string
004117ED . E8 36420B00 call 004C5A28
004117F2 . 59 pop ecx ; string
004117F3 . 50 push eax ; string_len = 19
004117F4 . 8BC3 mov eax, ebx ; eax = ebx
004117F6 . 5A pop edx ; edx = 19
004117F7 . 8BCA mov ecx, edx
004117F9 . 33D2 xor edx, edx
004117FB . F7F1 div ecx ; eax div ecx: eax = eax/ecx, edx = eax % ecx
004117FD . 8A0417 mov al, byte ptr ds:[edi+edx] ; string [ebx], (1, ...)
00411800 . 50 push eax
00411801 . 8BF3 mov esi, ebx
00411803 . 56 push esi ; /Arg2
00411804 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; |new_user_name_addr
00411807 . 50 push eax ; |Arg1
00411808 . E8 23F50B00 call 004D0D30 ; \bt.004D0D30
0041180D . 83C4 08 add esp, 8
00411810 . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00411813 . E8 A4F90B00 call 004D11BC ; edx = new_user_name
00411818 . 8B55 F8 mov edx, dword ptr ss:[ebp-8]
0041181B . 03F2 add esi, edx
0041181D . 4E dec esi ; new_user_name [ebx-1], (0,...)
0041181E . 58 pop eax ; string [ebx]
0041181F . 8A16 mov dl, byte ptr ds:[esi] ; new_user_name [ebx-1]
00411821 . 32C2 xor al, dl ; string [ebx] xor new_user_name [ebx-1]
00411823 . 0FBEC0 movsx eax, al
00411826 . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
0041182C . 85C0 test eax, eax
0041182E . 7D 02 jge short 00411832 ; jump if >= 0 bt.00411832
00411830 . F7D8 neg eax ; otherwise (mainly for wide characters), (opr) ← -(opr)
00411832 > 66:C745 A8 380>mov word ptr ss:[ebp-58], 38
00411838 . 33D2 xor edx, edx
0041183A . 8955 E4 mov dword ptr ss:[ebp-1C], edx
0041183D . 8D55 E4 lea edx, dword ptr ss:[ebp-1C]
00411840 . FF45 B4 inc dword ptr ss:[ebp-4C]
00411843 . E8 38950A00 call 004BAD80 ; Hex2Dec2Str on the result of al xor dl
00411848 . 66:C745 A8 2C0>mov word ptr ss:[ebp-58], 2C
0041184E . 8D45 E4 lea eax, dword ptr ss:[ebp-1C]
00411851 . E8 D2F70B00 call 004D1028 ; new_user_name_len->tmp_reg_code_len
00411856 . 48 dec eax
00411857 . 7E 22 jle short 0041187B ; <= 0 ? i.e. eax <= 1, in other words the xor result is a single digit (<10)
;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
00411859 . 6A 02 push 2 ; /Arg2 = 00000002
0041185B . 8D4D E4 lea ecx, dword ptr ss:[ebp-1C] ; |
0041185E . 51 push ecx ; |Arg1
0041185F . E8 CCF40B00 call 004D0D30 ; \bt.004D0D30
00411864 . 83C4 08 add esp, 8
00411867 . 8D45 E4 lea eax, dword ptr ss:[ebp-1C] ; tmp_reg_code_addr
0041186A . E8 4DF90B00 call 004D11BC ; bt.004D11BC
0041186F . 8B55 E4 mov edx, dword ptr ss:[ebp-1C] ; edx = tmp_reg_code
00411872 . 42 inc edx ; tmp_reg_code [1]
00411873 . 0FBE0A movsx ecx, byte ptr ds:[edx]
00411876 . 83F9 30 cmp ecx, 30 ; equal to 0 ? i.e. the xor result (>=10) % 10 = 0
00411879 . 75 56 jnz short 004118D1 ; bt.004118D1
;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; The two cases above are handled the same way
0041187B > 66:C745 A8 440>mov word ptr ss:[ebp-58], 44
; i.e. "1" is used in place of "0" and appended to reg_code_A[0]
; N lines omitted...

004118CF . EB 6E jmp short 0041193F ; bt.0041193F
;===================================================================================================
004118D1 > 66:C745 A8 500>mov word ptr ss:[ebp-58], 50
004118D7 . 6A 02 push 2 ; /Arg2 = 00000002
004118D9 . 8D4D E4 lea ecx, dword ptr ss:[ebp-1C] ; |tmp_reg_code_addr
004118DC . 51 push ecx ; |Arg1
004118DD . E8 4EF40B00 call 004D0D30 ; \bt.004D0D30
004118E2 . 83C4 08 add esp, 8
004118E5 . 8D45 E4 lea eax, dword ptr ss:[ebp-1C]
004118E8 . E8 CFF80B00 call 004D11BC ; bt.004D11BC
004118ED . 8B55 E4 mov edx, dword ptr ss:[ebp-1C]
004118F0 . 8D45 D8 lea eax, dword ptr ss:[ebp-28]
004118F3 . 42 inc edx ; tmp_reg_code [1]
004118F4 . 8A12 mov dl, byte ptr ds:[edx]
004118F6 . E8 2DF50B00 call 004D0E28 ; bt.004D0E28
004118FB . FF45 B4 inc dword ptr ss:[ebp-4C]
004118FE . 33C0 xor eax, eax
00411900 . 8945 D4 mov dword ptr ss:[ebp-2C], eax
00411903 . 8D45 F4 lea eax, dword ptr ss:[ebp-C] ; reg_code_A(S)_addr
00411906 . FF45 B4 inc dword ptr ss:[ebp-4C]
00411909 . 8D55 D8 lea edx, dword ptr ss:[ebp-28]
0041190C . 8D4D D4 lea ecx, dword ptr ss:[ebp-2C]
0041190F . E8 FCF50B00 call 004D0F10 ; extract tmp_reg_code[1]
00411914 . 8D55 D4 lea edx, dword ptr ss:[ebp-2C]
00411917 . 8D45 F4 lea eax, dword ptr ss:[ebp-C]
0041191A . E8 C9F50B00 call 004D0EE8 ; reg_code_A(S)[0] = tmp_reg_code[1]
0041191F . FF4D B4 dec dword ptr ss:[ebp-4C]
00411922 . 8D45 D4 lea eax, dword ptr ss:[ebp-2C]
00411925 . BA 02000000 mov edx, 2
0041192A . E8 89F50B00 call 004D0EB8 ; bt.004D0EB8
0041192F . FF4D B4 dec dword ptr ss:[ebp-4C]
00411932 . 8D45 D8 lea eax, dword ptr ss:[ebp-28]
00411935 . BA 02000000 mov edx, 2
0041193A . E8 79F50B00 call 004D0EB8 ; bt.004D0EB8
;===================================================================================================
0041193F > 8D45 E4 lea eax, dword ptr ss:[ebp-1C]

; N lines omitted...
004119DE . E8 2DF50B00 call 004D0F10 ; extract tmp_reg_code[0]
004119E3 . 8D55 C4 lea edx, dword ptr ss:[ebp-3C]
004119E6 . 8D45 F4 lea eax, dword ptr ss:[ebp-C]
004119E9 . E8 FAF40B00 call 004D0EE8 ; reg_code_A(S)[1] = tmp_reg_code[0]
004119EE . FF4D B4 dec dword ptr ss:[ebp-4C]
004119F1 . 8D45 C4 lea eax, dword ptr ss:[ebp-3C]
004119F4 . BA 02000000 mov edx, 2
004119F9 . E8 BAF40B00 call 004D0EB8 ; clear the temporary variable's value 004D0EB
004119FE . FF4D B4 dec dword ptr ss:[ebp-4C]
00411A01 . 8D45 C8 lea eax, dword ptr ss:[ebp-38]
00411A04 . BA 02000000 mov edx, 2
00411A09 . E8 AAF40B00 call 004D0EB8 ; bt.004D0EB8
00411A0E > 83C3 02 add ebx, 2 ; ebx += 2
00411A11 . FF4D B4 dec dword ptr ss:[ebp-4C]
00411A14 . 8D45 E4 lea eax, dword ptr ss:[ebp-1C]
00411A17 . BA 02000000 mov edx, 2
00411A1C . E8 97F40B00 call 004D0EB8 ; clear the value of tmp_reg_code
00411A21 . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
00411A27 . 83FB 08 cmp ebx, 8 ; ebx <= 8 ?
00411A2A .^0F8E B6FDFFFF jle 004117E6 ; yes, jump
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

00411A30 > E8 9BFC0B00 call 004D16D0 ; [GetTickCount]
00411A35 . 8B4D 94 mov ecx, dword ptr ss:[ebp-6C]
00411A38 . 2BC1 sub eax, ecx
00411A3A . 3D E8030000 cmp eax, 3E8
00411A3F . 76 0C jbe short 00411A4D ; bt.00411A4D
00411A41 . A1 FCDF4D00 mov eax, dword ptr ds:[4DDFFC]
00411A46 . 8B00 mov eax, dword ptr ds:[eax]
00411A48 . E8 771D0700 call 004837C4 ; bt.004837C4
00411A4D > 66:C745 A8 740>mov word ptr ss:[ebp-58], 74
00411A53 . 8B45 F4 mov eax, dword ptr ss:[ebp-C] ; reg_code_A
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Second computation: operates on new_user_name, accumulating into reg_code_A(N)
00411A56 . E8 55930A00 call 004BADB0 ; reg_code_A(N), Dec2Hex bt.004BADB0
00411A5B . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
00411A61 . 8BF0 mov esi, eax
00411A63 . EB 0D jmp short 00411A72 ; bt.00411A72
00411A65 . 33F6 xor esi, esi
00411A67 . 66:C745 A8 7C0>mov word ptr ss:[ebp-58], 7C
00411A6D . E8 F8C50B00 call 004CE06A
00411A72 > 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
00411A78 . BB 01000000 mov ebx, 1 ; ebx = 1
00411A7D . EB 2E jmp short 00411AAD ; bt.00411AAD
;=======================================================================================================================
00411A7F > 8BFB mov edi, ebx ; edi = ebx
00411A81 . 57 push edi ; /Arg2
00411A82 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; |new_user_name_addr
00411A85 . 50 push eax ; |Arg1
00411A86 . E8 A5F20B00 call 004D0D30 ; \bt.004D0D30
00411A8B . 83C4 08 add esp, 8
00411A8E . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00411A91 . E8 26F70B00 call 004D11BC ; edx = new_user_name
00411A96 . 8B55 F8 mov edx, dword ptr ss:[ebp-8]
00411A99 . 8D041B lea eax, dword ptr ds:[ebx+ebx] ; eax = ebx+ebx
00411A9C . 03FA add edi, edx ; edi = new_user_name [edi]
00411A9E . 8D53 FF lea edx, dword ptr ds:[ebx-1] ; edx = ebx-1
00411AA1 . F7EA imul edx ; eax IMUL edx, high dword in edx, low dword in eax
00411AA3 . 4F dec edi ; new_user_name [edi-1]
00411AA4 . 0FBE0F movsx ecx, byte ptr ds:[edi] ;
00411AA7 . 0FAFC8 imul ecx, eax
00411AAA . 03F1 add esi, ecx ; reg_code_A(N) += ecx
00411AAC . 43 inc ebx ; ebx ++
00411AAD > 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; new_user_name_addr
00411AB0 . E8 73F50B00 call 004D1028 ; eax = new_user_name_len
00411AB5 . 3BD8 cmp ebx, eax
00411AB7 .^7E C6 jle short 00411A7F ; bt.00411A7F
;=======================================================================================================================
00411AB9 . E8 12FC0B00 call 004D16D0 ; [GetTickCount]
00411ABE . 8B55 94 mov edx, dword ptr ss:[ebp-6C]
00411AC1 . 2BC2 sub eax, edx
00411AC3 . 3D E8030000 cmp eax, 3E8
00411AC8 . 76 0D jbe short 00411AD7 ; bt.00411AD7
00411ACA . 8B0D FCDF4D00 mov ecx, dword ptr ds:[4DDFFC] ; bt.004DE7AC
00411AD0 . 8B01 mov eax, dword ptr ds:[ecx]
00411AD2 . E8 ED1C0700 call 004837C4 ; bt.004837C4
00411AD7 > 66:C745 A8 080>mov word ptr ss:[ebp-58], 8

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Third computation, in three steps, all operating on new_user_name and accumulating into reg_code_A(N)
00411ADD . BB 01000000 mov ebx, 1 ; ebx = 1
00411AE2 . E9 93000000 jmp 00411B7A ; bt.00411B7A
;=======================================================================================================================
00411AE7 > 8BFB mov edi, ebx ; edi=ebx
00411AE9 . 57 push edi ; /Arg2
00411AEA . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; |new_user_name_addr
00411AED . 50 push eax ; |Arg1
00411AEE . E8 3DF20B00 call 004D0D30 ; \bt.004D0D30
00411AF3 . 83C4 08 add esp, 8
00411AF6 . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00411AF9 . E8 BEF60B00 call 004D11BC ; edx = new_user_name
00411AFE . 8B55 F8 mov edx, dword ptr ss:[ebp-8]
00411B01 . 03FA add edi, edx
00411B03 . 4F dec edi ; edi = new_user_name [i++], i=0,...
00411B04 . 0FBE0F movsx ecx, byte ptr ds:[edi]
00411B07 . 8BC1 mov eax, ecx
00411B09 . 895D 90 mov dword ptr ss:[ebp-70], ebx ; = ebx
00411B0C . C1E0 03 shl eax, 3
00411B0F . 8B55 90 mov edx, dword ptr ss:[ebp-70]
00411B12 . 2BC1 sub eax, ecx
00411B14 . 8D4D F8 lea ecx, dword ptr ss:[ebp-8]
00411B17 . 52 push edx ; /Arg2
00411B18 . 51 push ecx ; |Arg1
00411B19 . 03F0 add esi, eax ; |reg_code_A(N) += eax
00411B1B . E8 10F20B00 call 004D0D30 ; \bt.004D0D30
; step one done
;****************************************************************************************************************
00411B20 . 83C4 08 add esp, 8
00411B23 . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00411B26 . E8 91F60B00 call 004D11BC ; ecx = new_user_name
00411B2B . 8B55 90 mov edx, dword ptr ss:[ebp-70] ; remember this?
00411B2E . 8B4D F8 mov ecx, dword ptr ss:[ebp-8]
00411B31 . 03D1 add edx, ecx
00411B33 . 4A dec edx ; edx = new_user_name [i++], i=0,...
00411B34 . 0FBE02 movsx eax, byte ptr ds:[edx]
00411B37 . 8BD0 mov edx, eax
00411B39 . 895D 8C mov dword ptr ss:[ebp-74], ebx
00411B3C . C1E2 04 shl edx, 4
00411B3F . 8B4D 8C mov ecx, dword ptr ss:[ebp-74]
00411B42 . 2BD0 sub edx, eax
00411B44 . 51 push ecx ; /Arg2
00411B45 . 8D1490 lea edx, dword ptr ds:[eax+edx*4] ; |edx = eax+edx*4
00411B48 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; |
00411B4B . 50 push eax ; |Arg1
00411B4C . 03F2 add esi, edx ; |reg_code_A(N) += edx
00411B4E . E8 DDF10B00 call 004D0D30 ; \bt.004D0D30
; step two done
;****************************************************************************************************************
00411B53 . 83C4 08 add esp, 8
00411B56 . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00411B59 . E8 5EF60B00 call 004D11BC ; bt.004D11BC
00411B5E . 8B55 8C mov edx, dword ptr ss:[ebp-74]
00411B61 . 8B4D F8 mov ecx, dword ptr ss:[ebp-8]
00411B64 . 03D1 add edx, ecx
00411B66 . 4A dec edx ; edx = new_user_name [i++], i=0,...
00411B67 . 0FBE02 movsx eax, byte ptr ds:[edx]
00411B6A . 8D1440 lea edx, dword ptr ds:[eax+eax*2] ; edx = eax+eax*2
00411B6D . C1E2 05 shl edx, 5
00411B70 . 2BD0 sub edx, eax
00411B72 . C1E2 04 shl edx, 4
00411B75 . 03D0 add edx, eax
00411B77 . 03F2 add esi, edx ; reg_code_A(N) += edx
; step three done
;****************************************************************************************************************
00411B79 . 43 inc ebx
00411B7A > 8D45 F8 lea eax, dword ptr ss:[ebp-8] ; new_user_name_addr
00411B7D . E8 A6F40B00 call 004D1028 ; eax = new_user_name_len
00411B82 . 3BD8 cmp ebx, eax
00411B84 .^0F8E 5DFFFFFF jle 00411AE7 ; bt.00411AE7
;=======================================================================================================================

00411B8A . E8 41FB0B00 call 004D16D0 ; [GetTickCount]
00411B8F . 8B55 94 mov edx, dword ptr ss:[ebp-6C]
00411B92 . 2BC2 sub eax, edx
00411B94 . 3D E8030000 cmp eax, 3E8
00411B99 . 76 0D jbe short 00411BA8 ; bt.00411BA8
00411B9B . 8B0D FCDF4D00 mov ecx, dword ptr ds:[4DDFFC] ; bt.004DE7AC
00411BA1 . 8B01 mov eax, dword ptr ds:[ecx]
00411BA3 . E8 1C1C0700 call 004837C4 ; bt.004837C4
00411BA8 > 66:C745 A8 800>mov word ptr ss:[ebp-58], 80
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Next, concatenate "BJ" and reg_code_A; this is what we are after
00411BAE . BA 4A5A4D00 mov edx, 4D5A4A ; ASCII "BJ"
00411BB3 . 8D45 F0 lea eax, dword ptr ss:[ebp-10] ; reg_code(F)_addr
00411BB6 . E8 F9F10B00 call 004D0DB4 ; reg_code = "BJ"
00411BBB . FF45 B4 inc dword ptr ss:[ebp-4C]
00411BBE . 33D2 xor edx, edx
00411BC0 . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
00411BC6 . 66:C745 A8 8C0>mov word ptr ss:[ebp-58], 8C
00411BCC . 8955 C0 mov dword ptr ss:[ebp-40], edx
00411BCF . 8D55 C0 lea edx, dword ptr ss:[ebp-40]
00411BD2 . FF45 B4 inc dword ptr ss:[ebp-4C]
00411BD5 . 8BC6 mov eax, esi ; eax = reg_code_A(N)
00411BD7 . E8 A4910A00 call 004BAD80 ; reg_code_A(N) : Hex2Dec2Str
00411BDC . 8D55 C0 lea edx, dword ptr ss:[ebp-40] ; reg_code_A(S)
00411BDF . 8D45 F0 lea eax, dword ptr ss:[ebp-10] ; reg_code
00411BE2 . E8 15F30B00 call 004D0EFC ; reg_code += reg_code_A(S)
00411BE7 . FF4D B4 dec dword ptr ss:[ebp-4C]
; ……

00411C1D . E8 96F20B00 call 004D0EB8 ; edx = reg_code

;……
00411C5C . C3 retn

[Summary]
I think the above should be fairly clear; here is a summary:
1. After the software gets the user's input, it checks whether the user name length (user_name_len) is less than or equal to 8; if so, it appends 8 0x20 bytes to get new_user_name
2. XOR new_user_name with string character by character, convert the result (decimal) to characters and swap their order;
Note here that however long your user name is, it only ever takes up to 8 characters, and only the odd positions;
Second, the program also checks three cases: whether the XOR result is <= 0, has only one digit, or has two digits with a units digit of 0; this takes some experience (ASM, CRACK)
3. What follows is simpler: two loops take values from new_user_name in turn and compute on them (the specific operations differ, see above), accumulating into reg_code_A(N), then accumulating into reg_code_A(N);
The second loop has three such steps. (S) means it is a string, (N) means it is a value
4. Concatenate "BJ" and reg_code_A(S); that is reg_code

Once registered successfully, there is no splash screen, and the following is written to the registry:
[HKEY\CURRENT_USER\Software\ADCSotf\BJigsaw]
"RegCode"="BJ74029154"
"UserName"="lq7972"

The string provided by the software: string : "awgsJiBtAANrPNYOntA"

[Keygen]
/* BJigsaw V 7.7 KeyGen */
/* with C Language */
/* by lq7972 */
/* bruceyu13@sina.com */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*///////////////////////////////////////////////////////*/
/* main program */
int main ()
{
    int i=0, j;
    int nameLen;
    int tmp01, tmp02, tmp03;
    int regCode_N;
    char regCode_S [10] = "0";
    char regName [255];
    const char * setString = "awgsJiBtAANrPNYOntA";

    printf ("Enter your name : ");
    if (fgets (regName, sizeof regName, stdin) == NULL) /* fgets instead of the unsafe gets */
        return 1;
    regName [strcspn (regName, "\n")] = 0; /* strip the trailing newline */
    nameLen = strlen (regName);

    /* handle according to the user name length */
    if (nameLen < 8) {
        while (i++ <= 8)
            regName [nameLen+i-1] = 0x20; /* space character */

        regName [nameLen+i-2] = 0; /* nul */
        nameLen = strlen (regName);
    }

    /* first computation */
    for (i=1, j=0; i <= 8; i += 2, j += 2) {
        tmp01 = setString [i];
        tmp02 = regName [i-1];
        tmp03 = tmp01 ^ tmp02;

        if (tmp03 < 0)
            tmp03 *= -1;

        tmp01 = tmp03 % 10; tmp02 = tmp03 / 10;
        if (0 == tmp02) {
            regCode_S [j] = 0x31;
            regCode_S [j+1] = tmp01 + 0x30;
        }
        else if (0 == tmp01) {
            regCode_S [j] = 0x31;
            regCode_S [j+1] = tmp01 + 0x30;
        }
        else {
            regCode_S [j] = tmp01 + 0x30;
            regCode_S [j+1] = tmp02 + 0x30;
        }
    }
    regCode_N = atoi (regCode_S);

    /* second computation */
    for (i=1; i <= nameLen; i ++) {
        tmp01 = i+i; tmp02 = regName [i-1]; tmp03 = i-1;
        regCode_N += tmp01 * tmp03 * tmp02;
    }
    printf ("\n\n");

    /* third computation */
    for (i=1; i <= nameLen; i ++) {
        tmp01 = tmp02 = tmp03 = regName [i-1];

        tmp01 <<= 3; tmp01 -= tmp03;
        regCode_N += tmp01;

        tmp02 <<= 4; tmp02 -= tmp03;
        tmp01 = tmp03+tmp02*4;
        regCode_N += tmp01;

        tmp01 = tmp03 + tmp03*2;
        tmp01 <<= 5; tmp01 -= tmp03;
        tmp01 <<= 4; tmp01 += tmp03;
        regCode_N += tmp01;
    }

    printf ("You Reg Code : %s%d\n", "BJ", regCode_N);

    return 0;
}

/* Thanks. */

