舊 2003-12-11, 08:17 PM   #1
psac
預設 3DAxy貪吃蛇 AxySnake 破解與註冊機

下載位址
http://download.pchome.net/game/action/7879.html

說實在的,不容易,你得有很好的耐心
分析時以 SoftICE 與 W32DASM 互相配合
註冊檢查程式碼被分放在 proton.dll 與 axysnake.exe 兩個模組中
而且在 axysnake.exe 中,檢查程式碼又被分放在五個不同的地方,哎,害得我好慘

在破解時作的筆記 與註冊機的程式碼

// Analyst's notes: globals named during the analysis. The hex value that
// leads each comment is the address noted for that variable.
DWORD g_dwUserNameLen; //0x1003a498 holds the user-name length
DWORD g_dwSNLen; //0x1003a49c serial-number length
BYTE g_strUserPro[14h] //0x1012f918 user name after the first transformation pass, 0x14h bytes
char* g_strUser //0x1003a438 holds the user name
char* g_strSN //0x1003a478 holds the serial number (SN)
BYTE g_strSNPro[] //0x1012f8f8 serial number after the first transformation pass
// NOTE(review): declared as [20] although the note gives 0x20 bytes - confirm which is meant
char g_strProTable[20] //0x1002cbb0 translation table, 0x20 bytes
BOOL g_bRegistered //0x1012F938 flag marking registration as complete
//BYTE g_byUnk1; //0x1012f909 purpose unknown
// Contents of the serial-number translation table:
「23456789ABCDEFGH
JKLMNPQRSTUVWXYZ」

///////////////////////////////////////////////////////////////
/******************************************************************
:100107E0 55 push ebp
:100107E1 8B6C2408 mov ebp, dword ptr [esp+08]
:100107E5 8BCD mov ecx, ebp
:100107E7 8A4500 mov al, byte ptr [ebp+00]
:100107EA 84C0 test al, al
:100107EC 7410 je 100107FE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100107FC(C)
|
:100107EE 3C20 cmp al, 20
:100107F0 7404 je 100107F6
:100107F2 A880 test al, 80
:100107F4 740C je 10010802

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100107F0(C)
|
:100107F6 8A4101 mov al, byte ptr [ecx+01]
:100107F9 41 inc ecx
:100107FA 84C0 test al, al
:100107FC 75F0 jne 100107EE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100107EC(C)
|
:100107FE 33C0 xor eax, eax
:10010800 5D pop ebp
:10010801 C3 ret
******************************************************************/
Sub 0x100107e0 判斷用戶名是否合法,並作初步轉換
用戶名轉換子程序C偽碼
// Pseudo-C sketch of the user-name pre-processing: the accepted characters of
// the name are added, one after another, into a small accumulator buffer.
// NOTE(review): a sketch, not compilable C - puc is never declared, the body
// reads szUser while the parameter is named strUser, and no value is returned.
BOOL CheckAndProcessUserName(strUser , strUserPro) :
//PSTR strUser user-name buffer
//PSTR strUserPro user name after the first transformation pass

// User-name processing
/////////////////////////////////////////
char szUserPro[0x100];
int i = 0;
puc = szUser;
char* ppuc = szUserPro;
int nCount = 0;
//////////////////////////////////////////////////////
// Build the processed user-name data
ZeroMemory(szUserPro , sizeof(szUserPro));
// 0x6f accepted characters are folded in; a rejected character undoes the
// increment (see "i --" below), so it does not count towards the total.
// NOTE(review): presumably a name with no acceptable character would never
// leave this loop; the listing above returns 0 for such a name - confirm how
// the two fit together.
for (i = 0 ; i < 0x6f ; i ++)
{
// End of the name: start again from its first character and move the
// output pointer on by one slot.
if (*puc == '\0')
{
puc = szUser;
ppuc ++;
}

// Accept only characters that are not a space and have the high bit clear.
if (*puc != '\x20' && (*puc & 0x80) == 0)
{
// Add the character to the current slot, then advance.
*ppuc = *ppuc + *puc;
ppuc ++;
nCount ++;
// After 0x10 accepted characters, wrap back to the first slot.
if (nCount == 0x10)
{
nCount = 0;
ppuc = szUserPro;
}
}
else
i --;
puc ++;
}


////////////////////////////////////////////////////////////////////




/////////////////////////////////////////////////////////////////////////////
CheckSN(char* szSN):

/************************************************************
* Referenced by a CALL at Address:
|:100108A1
|
:10010790 8B4C2404 mov ecx, dword ptr [esp+04]
:10010794 56 push esi
:10010795 33F6 xor esi, esi
:10010797 803900 cmp byte ptr [ecx], 00
:1001079A 742A je 100107C6
:1001079C 53 push ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100107BE(C)
|
:1001079D 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100107B6(C)
|
:1001079F 8A90B0CB0210 mov dl, byte ptr [eax+g_strProTable]
:100107A5 8A19 mov bl, byte ptr [ecx]
:100107A7 3AD3 cmp dl, bl
:100107A9 7507 jne 100107B2

:100107AB 8886F8F81210 mov byte ptr [esi+g_strSNPro], al
:100107B1 46 inc esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100107A9(C)
|
:100107B2 40 inc eax
:100107B3 83F820 cmp eax, 00000020
:100107B6 7CE7 jl 1001079F
:100107B8 8A4101 mov al, byte ptr [ecx+01]
:100107BB 41 inc ecx
:100107BC 84C0 test al, al
:100107BE 75DD jne 1001079D
:100107C0 83FE14 cmp esi, 00000014
:100107C3 5B pop ebx
:100107C4 7404 je 100107CA

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1001079A(C)
|
:100107C6 33C0 xor eax, eax
:100107C8 5E pop esi
:100107C9 C3 ret
************************************************************/

// Pseudo-C sketch of the serial pre-processing shown in the listing above:
// a serial character that matches an entry of g_strProTable is stored in
// g_strSNPro as that entry's index, and TRUE is returned only when the number
// of stored indices equals 0x14. Characters with no match store nothing.
// NOTE(review): not compilable and only loosely tracks the listing
// (`where`, szSN vs strSN, j vs J); the disassembly is the reference.
if (szSN[0] != '\0')
{
DWORD dwCount;
int i = 0 , j = 0; //I = EAX ; J = ESI
char* c = strSN; // c = ECX
where(true)
{
// Look the current character up in the translation table.
for (i = 0 ; i <= 0x20; i++)
{
if (eax+g_strProTable[i] == c)
{
// Record the table index, not the character itself.
g_strSNPro[j] = i;
j ++;
}
}

// At the end of the serial, succeed only with exactly 0x14 indices.
if ( *(c + 1) == '\0')
{
if ( J == 0x14)
return TRUE;
}
else
break;
}
}
// Empty serial, or the count test above did not pass.
return FALSE;


/////////////////////////////////////////////////////////////////////////////

Sub 0x10010790 //通用轉換表找到至少0x14個合法字串,找到返回真,否則返回假

At 0x100108a1 Call Sub 0x100107e0 檢查序列號是否合法,並作初步轉換
At 0x1001088c Call Sub 0x10010790 檢查用戶是否合法,並作初步轉換

///////////////////////////////////////////////////////////////////
At 0x1000fa03 Call Sub 0x10010860 測試輸入的註冊碼是否正確
C偽碼:
// Pseudo-C sketch of the registration check at 0x10010860, interleaved with
// the disassembly it was derived from. After both inputs pass pre-processing,
// three check values are computed from the processed name, the serial's table
// indices and fixed constants (0x49, 0x32, 0x79); each is reduced to five bits
// and compared with serial index 0x11, 0x12 and 0x13 respectively.
// In the code shown, everything the check needs - constants, table and
// arithmetic - is present in the client, and each check value is five bits
// wide. A licence check designed to withstand this kind of analysis verifies
// a signature whose signing key is never shipped with the program.
// NOTE(review): in the listing every failed test jumps to 1001094E; in this
// sketch only the innermost test has an else branch.
CheckReg():
// g_dwUserNameLen; user-name length
// g_dwSNLen; serial-number length

DWORD dwSum; // accumulator
DWORD dwIndex;

/*************************************************************************
:10010860 A198A40310 mov eax, dword ptr [g_dwUserNameLen]
:10010865 85C0 test eax, eax
:10010867 0F84E1000000 je 1001094E
:1001086D 8B0D9CA40310 mov ecx, dword ptr [g_dwSNLen]
:10010873 85C9 test ecx, ecx
:10010875 0F84D3000000 je 1001094E
:1001087B 6818F91210 push g_strUserPro
:10010880 6838A40310 push g_strUser
:10010885 C68038A4031000 mov byte ptr [eax+g_strUser], 00
:1001088C E84FFFFFFF call 100107E0 ;CheckAndProcessUserName
:10010891 83C408 add esp, 00000008
:10010894 85C0 test eax, eax
:10010896 0F84B2000000 je 1001094E
:1001089C 6878A40310 push g_strSN
:100108A1 E8EAFEFFFF call 10010790 ;CheckSN
:100108A6 83C404 add esp, 00000004
:100108A9 85C0 test eax, eax
:100108AB 0F849D000000 je 1001094E
**************************************************************************/
// Preconditions: both lengths are non-zero and both pre-processing routines
// report success.
if (g_dwUserNameLen > 0 && g_dwSNLen > 0 &&
CheckAndProcessUserName(g_strUser , g_strUserPro) &&
CheckSN(g_strSN))
{
/**************************************************************************
:100108B1 B949000000 mov ecx, 00000049
:100108B6 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100108C5(C)
|
:100108B8 0FBE9018F91210 movsx edx, byte ptr [eax+g_strUserPro]
:100108BF 03CA add ecx, edx
:100108C1 40 inc eax
:100108C2 83F810 cmp eax, 00000010
:100108C5 7CF1 jl 100108B8
:100108C7 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100108DD(C)
|
:100108C9 0FBE90F8F81210 movsx edx, byte ptr [eax+g_strSNPro]
:100108D0 0FBE92B0CB0210 movsx edx, byte ptr [edx+g_strProTable]
:100108D7 03CA add ecx, edx
:100108D9 40 inc eax
:100108DA 83F811 cmp eax, 00000011
:100108DD 7CEA jl 100108C9
:100108DF A009F91210 mov al, byte ptr [1012F909]
:100108E4 83E11F and ecx, 0000001F
:100108E7 3AC1 cmp al, cl
:100108E9 7563 jne 1001094E
**************************************************************************/
// Check value 1: 0x49, plus the 0x10 processed name bytes, plus the table
// characters selected by serial indices 0..0x10.
dwSum = 0x49;
for(int i = 0 ; i < 0x10 ; i ++)
dwSum += g_strUserPro[i];

for(int i = 0 ; i < 0x11 ; i ++)
{
dwIndex = g_strSNPro[i];
dwSum += g_strProTable[dwIndex];
}

// Only the low five bits are compared, against serial index 0x11.
dwSum &= 0x1f;
if (g_strSNPro[0x11] == (BYTE)dwSum)
{
// NOTE(review): the listing comment below ends in a row of asterisks with no
// closing slash, so to a C lexer the comment runs on until the next
// star-slash and swallows the second check that follows it.
/***************************************************************************
:100108EB B932000000 mov ecx, 00000032
:100108F0 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:100108FF(C)
|
:100108F2 0FBE9018F91210 movsx edx, byte ptr [eax+g_strUserPro]
:100108F9 2BCA sub ecx, edx
:100108FB 40 inc eax
:100108FC 83F810 cmp eax, 00000010
:100108FF 7CF1 jl 100108F2
:10010901 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10010917(C)
|
:10010903 0FBE90F8F81210 movsx edx, byte ptr [eax+g_strSNPro]
:1001090A 0FBE92B0CB0210 movsx edx, byte ptr [edx+g_strProTable]
:10010911 03CA add ecx, edx
:10010913 40 inc eax
:10010914 83F812 cmp eax, 00000012
:10010917 7CEA jl 10010903
:10010919 A00AF91210 mov al, byte ptr [1012F90A]
:1001091E 83E11F and ecx, 0000001F
:10010921 3AC1 cmp al, cl
:10010923 7529 jne 1001094E
****************************************************************************

// Check value 2: 0x32, minus the 0x10 processed name bytes, plus the table
// characters selected by serial indices 0..0x11.
//DWORD dwT2 = 0x32;
dwSum = 0x32;
for (int i = 0 ; i < 0x10; i++)
dwSum -= g_strUserPro[i];

for (int i = 0 ; i < 0x12; i ++)
{
dwIndex = g_strSNPro[i];
dwSum += g_strProTable[dwIndex];
}

// Low five bits compared against serial index 0x12.
dwSum &= 0x1f;
if (g_strSNPro[0x12] == (BYTE)dwSum) //0x10010921
{

/***************************************************************************
:10010925 B979000000 mov ecx, 00000079
:1001092A 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10010940(C)
|
:1001092C 0FBE90F8F81210 movsx edx, byte ptr [eax+g_strSNPro]
:10010933 0FBE92B0CB0210 movsx edx, byte ptr [edx+g_strProTable]
:1001093A 2BCA sub ecx, edx
:1001093C 40 inc eax
:1001093D 83F813 cmp eax, 00000013
:10010940 7CEA jl 1001092C
****************************************************************************/

// Check value 3: 0x79 minus the table characters selected by serial
// indices 0..0x12; the name is not used in this one.
dwSum = 0x79;
for (int i = 0 ; i < 0x13; i ++)
{
dwIndex = g_strSNPro[i];
dwSum -= g_strProTable[dwIndex];
}
/****************************************************************************
:10010942 A00BF91210 mov al, byte ptr [1012F90B]
:10010947 83E11F and ecx, 0000001F
:1001094A 3AC1 cmp al, cl
:1001094C 7416 je 10010964
****************************************************************************/
// Low five bits compared against serial index 0x13.
dwSum &= 0x1f;
if (g_strSNPro[0x13] == (BYTE)dwSum)
{

/****************************************************************************
:10010964 B801000000 mov eax, 00000001
:10010969 A338F91210 mov dword ptr [1012F938], eax
:1001096E C3 ret
****************************************************************************/

// Success: set the registered flag and return it.
//g_bRegistered addr 1012F938
return g_bRegistered = TRUE;

}
else
{
/****************************************************************************
:1001094E 57 push edi
:1001094F B91A000000 mov ecx, 0000001A
:10010954 33C0 xor eax, eax
:10010956 BF38A40310 mov edi, g_strUser
:1001095B F3 repz
:1001095C AB stosd
:1001095D A338F91210 mov dword ptr [1012F938], eax
:10010962 5F pop edi
:10010963 C3 ret
****************************************************************************/
// Failure handling: zero the stored user name and clear the flag
// (the listing writes 0x1A zero dwords starting at g_strUser).
_ZeroMemory(g_strUser , sizeof(g_strUser));
return g_bRegistered = FALSE;
}

}

}

}




////////////////////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////
//004745DC 的比較 00410857
/*********************************************************************
:00410857 B94D000000 mov ecx, 0000004D
:0041085C 5E pop esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041086B(C)
|
:0041085D 0FBE90B4454700 movsx edx, byte ptr [eax+g_szUserPro]
:00410864 40 inc eax
:00410865 83F810 cmp eax, 00000010
:00410868 8D0C51 lea ecx, dword ptr [ecx+2*edx]
:0041086B 7CF0 jl 0041085D
:0041086D A0DC454700 mov al, byte ptr [g_szSNPro]
:00410872 83E11F and ecx, 0000001F
:00410875 3AC1 cmp al, cl
:00410877 7408 je 00410881
*********************************************************************/

// Inline-assembly fragment mirroring the loop in the listing above: after
// saving eax, ecx and edx on the stack and zeroing eax, it walks the 0x10
// bytes at g_szUserPro, adds twice each sign-extended byte to the value
// already in ecx, keeps the low five bits and stores them in dwSum.
_asm
{
push eax
push ecx
push edx
xor eax , eax
L_Loop1:
movsx edx , byte ptr [eax + g_szUserPro]
inc eax
cmp eax , 00000010h
lea ecx , dword ptr [ecx + 2* edx]
jl L_Loop1;
and ecx , 0000001fh
mov dwSum , ecx
}
//////////////////////////////////////

//////////////////////////////////////
004745DD 的比較 00410B8C
/********************************************************************
:00410B8C B907030000 mov ecx, 00000307

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00410B9E(C)
|
:00410B91 0FBE90B4454700 movsx edx, byte ptr [eax+g_szUserPro]
:00410B98 2BCA sub ecx, edx
:00410B9A 40 inc eax
:00410B9B 83F810 cmp eax, 00000010
:00410B9E 7CF1 jl 00410B91
:00410BA0 A0DD454700 mov al, byte ptr [004745DD]
:00410BA5 83E11F and ecx, 0000001F
********************************************************************/
// Starts from 0x307 and subtracts each of the 0x10 bytes of szUserPro.
// i and szUserPro are not declared in this fragment.
dwSum = 0x307;
for (i = 0 ; i < 0x10 ; i++)
dwSum -= szUserPro[i];
//////////////////////////////////////

//////////////////////////////////////
004745DE 的比較 0041331A
/********************************************************************
:0041331A B986000000 mov ecx, 00000086
:0041331F 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413339(C)
|
:00413321 0FBE90B4454700 movsx edx, byte ptr [eax+g_szUserPro]
:00413328 A801 test al, 01
:0041332A 7404 je 00413330
:0041332C 03CA add ecx, edx
:0041332E EB05 jmp 00413335

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041332A(C)
|
:00413330 F7DA neg edx
:00413332 8D0C51 lea ecx, dword ptr [ecx+2*edx]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041332E(U)
|
:00413335 40 inc eax
:00413336 83F810 cmp eax, 00000010
:00413339 7CE6 jl 00413321
:0041333B A0DE454700 mov al, byte ptr [004745DE]
:00413340 83E11F and ecx, 0000001F

********************************************************************/
//////////////////////////////////////

//////////////////////////////////////
004745DF 的比較 0040D75E
/********************************************************************
:0040D75E BA07000000 mov edx, 00000007
:0040D763 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D785(C)
L_Label1:
:0040D765 0FBE88B4454700 m