2003-12-11, 08:19 PM, #1
A Study of WinHex 10.92

Target: WinHex 10.92
Software type: hex editor
Language: ENGLISH
Release date: 11/04/03
Cracked by: NewHand[BCG]
Protection: KEYFILE/DEMO-LIMITS (apparently no packer; the author is quite confident)
Difficulty: GUESS!
Platform: WIN9X/ME/NT/2000/XP
Price: $???.00
Personal licenses: EUR 38.90 / US$ 45 (base license), EUR 19.90 / US$ 23 (each additional license)
Professional licenses: EUR 69.90 / US$ 82 (base license), EUR 39.90 / US$ 47 (each additional license)
Specialist licenses: EUR 109.90 / US$ 129 (base license), EUR 62.90 / US$ 73 (each additional license)
Website: http://www.winhex.com/winhex/index-m.html
Order note: When transferring from outside of Germany, please add EUR 7 / US$ 8 once. Please specify "WinHex 10.92" and your address when ordering/sending payment/notifying us.
If you like it and have plenty of money, I suggest you buy it!

The following information is for reference only (Personal license):
Name: NewHand[BCG] <---- a group tag can only be appended like this after patching; the same goes for spaces etc. when the name is quoted in brackets
Addr1: China
Addr2: FOSHAN
Key1: 202045C7FA5B45F201E3440489266424
Key2: 5C545D8121C15DB45AF15611215E152C
Chksm: 1185

Registration differences: "You may evaluate WinHex free of charge, as long as you need. For regular use and for use as a full version, you need a base license (personal, professional, or specialist). If you are going to install WinHex on more than one machine, you will also need additional licenses. The full version will save files larger than 200 KB, write disk sectors, edit virtual memory and show no evaluation version reminders. It will reveal its license status on start-up and in the About box." (The license type is shown at start-up and in the About box; going by the author's own statement, I'm already done.)

License type features: "Personal licenses are available at a reduced price for non-commercial purposes only, in a non-business, non-institutional, and non-government environment. Professional licenses allow usage of the software in any environment (at home, in a company, in an organization, or in public administration). Professional licenses provide the ability to execute scripts and to use the WinHex API. Specialist licenses in addition to this allow to use the Specialist Tools menu section. Particularly useful for computer forensics and IT security specialists."
Summary: registration is by key file. The software uses misdirection that easily fools anyone tracing it (I was that lamb myself), leading you astray inside the trap it lays. But of course, where the defence rises a foot, thinking rises ten: step outside the pen and the registration flag is not hard to find. Finding the code that unlocks the various editions (personal, professional, or specialist) and the displayed license version number, however, takes some effort. Below are my notes; I don't want to spell everything out too plainly, and I hope they help your own research, so keep at it. If you can produce the corresponding key file without reading my notes, that's a good exercise (experts not counted). No keygen needs to be written here; you can compute it by hand, and it's fairly easy... I don't know whether there is anything I have missed; if you find something, tell me on QQ: 13565988.

Called from: 43B674 (entering registration info), 459E72 (start-up check of the registration file user.txt)

0040C328 /$ 55             PUSH EBP
0040C329 |. 8BEC           MOV EBP,ESP
0040C32B |. 83C4 E4        ADD ESP,-1C

A delimiter-check section:

0040DA9C |> FF00           /INC DWORD PTR DS:[EAX]
0040DA9E |> 8B10           MOV EDX,DWORD PTR DS:[EAX]
0040DAA0 |. 8A12           |MOV DL,BYTE PTR DS:[EDX]
0040DAA2 |. 80FA 09        |CMP DL,9                          ; is it 'Tab'?
0040DAA5 |. 74 22          |JE SHORT WINHEX2.0040DAC9
0040DAA7 |. 80FA 0D        |CMP DL,0D                         ; is it 'Enter' (CR)?
0040DAAA |. 74 1D          |JE SHORT WINHEX2.0040DAC9
0040DAAC |. 80FA 0A        |CMP DL,0A                         ; is it 'line feed'?
0040DAAF |. 74 18          |JE SHORT WINHEX2.0040DAC9
0040DAB1 |. 80FA 20        |CMP DL,20                         ; is it a space?
0040DAB4 |. 74 13          |JE SHORT WINHEX2.0040DAC9
0040DAB6 |. 84D2           |TEST DL,DL                        ; is it 'NULL'?
0040DAB8 |. 74 0F          |JE SHORT WINHEX2.0040DAC9
0040DABA |. 80FA 5B        |CMP DL,5B                         ; is it '['?
0040DABD |. 74 0A          |JE SHORT WINHEX2.0040DAC9         ; NOP this out for the patch
0040DABF |. 80FA 7B        |CMP DL,7B                         ; is it '{'?
0040DAC2 |. 74 05          |JE SHORT WINHEX2.0040DAC9
0040DAC4 |. 80FA 7D        |CMP DL,7D                         ; is it '}'?
0040DAC7 |.^75 D3          \JNZ SHORT WINHEX2.0040DA9C

... code omitted ...

0040C3C7 |. E8 5499FFFF    CALL WINHEX2.00405D20              ; equal to "User:"?
0040C3CC |. 85C0           TEST EAX,EAX
0040C3CE |. 74 33          JE SHORT WINHEX2.0040C403          ; jump if not equal
0040C3D0 |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
0040C3D3 |. 33D2           XOR EDX,EDX
0040C3D5 |. E8 2E170000    CALL WINHEX2.0040DB08              ; checks something
0040C3DA |. 84C0           TEST AL,AL
0040C3DC |. 0F84 F6050000  JE WINHEX2.0040C9D8                ; jump to failure

... code omitted ...

0040C403 |> 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
0040C406 |. 33D2           XOR EDX,EDX
0040C408 |. E8 FB160000    CALL WINHEX2.0040DB08              ; checks whether the length is 5
0040C40D |. 84C0           TEST AL,AL
0040C40F |. 0F84 C3050000  JE WINHEX2.0040C9D8                ; jump to failure
0040C415 |. 68 04CA4000    PUSH WINHEX2.0040CA04              ; /String2 = "Name:"
0040C41A |. 68 C4164900    PUSH WINHEX2.004916C4              ; |String1 = ""
0040C41F |. E8 2C90FFFF    CALL <JMP.&kernel32.lstrcmpiA>     ; \lstrcmpiA
0040C424 |. 85C0           TEST EAX,EAX
0040C426 |. 0F85 AC050000  JNZ WINHEX2.0040C9D8

... code omitted ...

0040C434 |. E8 E798FFFF    CALL WINHEX2.00405D20
0040C439 |. 85C0           TEST EAX,EAX
0040C43B |. 74 09          JE SHORT WINHEX2.0040C446          ; there's something here
0040C43D |. C605 BC074900 >MOV BYTE PTR DS:[4907BC],1
0040C444 |. EB 25          JMP SHORT WINHEX2.0040C46B
0040C446 |> C605 BC074900 >MOV BYTE PTR DS:[4907BC],2         ; there's something here

... code omitted ...

0040C599 |. 83C9 FF        |OR ECX,FFFFFFFF                   ; |
0040C59C |. E8 0B580000    |CALL WINHEX2.00411DAC             ; \WINHEX2.00411DAC
0040C5A1 |. 83F8 10        |CMP EAX,10                        ; must equal 0x10: Code/Key must be 32 characters long
0040C5A4 |. 0F85 2E040000  |JNZ WINHEX2.0040C9D8              ; jump to failure

... code omitted ...

0040C5B3 |. 803D BC074900 >CMP BYTE PTR DS:[4907BC],0
0040C5BA |. 75 0E          JNZ SHORT WINHEX2.0040C5CA
0040C5BC |. B8 21074900    MOV EAX,WINHEX2.00490721
0040C5C1 |. 66:8B00        MOV AX,WORD PTR DS:[EAX]
0040C5C4 |. 66:A3 7A084900 MOV WORD PTR DS:[49087A],AX
0040C5CA |> 803D BC074900 >CMP BYTE PTR DS:[4907BC],1
0040C5D1 |. 75 11          JNZ SHORT WINHEX2.0040C5E4
0040C5D3 |. B8 25074900    MOV EAX,WINHEX2.00490725
0040C5D8 |. 66:8B00        MOV AX,WORD PTR DS:[EAX]
0040C5DB |. 66:F7D0        NOT AX
0040C5DE |. 66:A3 7A084900 MOV WORD PTR DS:[49087A],AX
0040C5E4 |> 803D BC074900 >CMP BYTE PTR DS:[4907BC],2         ; must be equal
0040C5EB |. 75 0C          JNZ SHORT WINHEX2.0040C5F9
0040C5ED |. A0 24074900    MOV AL,BYTE PTR DS:[490724]        ; something is going on here; trace it if you want to know
0040C5F2 |. 24 0F          AND AL,0F
0040C5F4 |. A2 BC074900    MOV BYTE PTR DS:[4907BC],AL
0040C5F9 |> 803D BC074900 >CMP BYTE PTR DS:[4907BC],2
0040C600 |. 72 16          JB SHORT WINHEX2.0040C618
0040C602 |. B8 25074900    MOV EAX,WINHEX2.00490725
0040C607 |. 66:8B00        MOV AX,WORD PTR DS:[EAX]
0040C60A |. BA 17074900    MOV EDX,WINHEX2.00490717
0040C60F |. 66:3302        XOR AX,WORD PTR DS:[EDX]           ; something here: two characters of Key1 XORed with two other characters
0040C612 |. 66:A3 7A084900 MOV WORD PTR DS:[49087A],AX
0040C618 |> C645 EE 00     MOV BYTE PTR SS:[EBP-12],0
0040C61C |. 8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]      ; compound address points past the "Key2:" or "Code2:......." in the registration code

... code omitted ...

0040C680 |> 33F6           XOR ESI,ESI
0040C682 |. 33DB           XOR EBX,EBX
0040C684 |> B8 60064900    /MOV EAX,WINHEX2.00490660          ; ASCII "NewHand"
0040C689 |. 03C3           |ADD EAX,EBX
0040C68B |. 0FB600         |MOVZX EAX,BYTE PTR DS:[EAX]
0040C68E |. 03F0           |ADD ESI,EAX                       ; accumulate the sum of each character of the user name, Addr1, Addr2, Code1/Key1 and Code2/Key2 into ESI
0040C690 |. 43             |INC EBX
0040C691 |. 81FB D7000000  |CMP EBX,0D7                       ; loop adding each character value (limit 215 characters)
0040C697 |.^75 EB          \JNZ SHORT WINHEX2.0040C684
0040C699 |. 0FB705 7A08490>MOVZX EAX,WORD PTR DS:[49087A]     ; the version value hidden in Key1
0040C6A0 |. 8945 E8        MOV DWORD PTR SS:[EBP-18],EAX
0040C6A3 |. DB45 E8        FILD DWORD PTR SS:[EBP-18]
0040C6A6 |. 83C4 F8        ADD ESP,-8                         ; /
0040C6A9 |. DF3C24         FISTP QWORD PTR SS:[ESP]           ; |Arg1 (8-byte)
0040C6AC |. 9B             WAIT                               ; |
0040C6AD |. E8 FE5A0000    CALL WINHEX2.004121B0              ; \WINHEX2.004121B0
0040C6B2 |. 8BD0           MOV EDX,EAX
0040C6B4 |. B8 D40F4900    MOV EAX,WINHEX2.00490FD4           ; ASCII ""
0040C6B9 |. E8 9295FFFF    CALL WINHEX2.00405C50
0040C6BE |. B8 D40F4900    MOV EAX,WINHEX2.00490FD4           ; ASCII ""
0040C6C3 |. E8 1C95FFFF    CALL WINHEX2.00405BE4
0040C6C8 |. 33D2           XOR EDX,EDX
0040C6CA |. 8AD0           MOV DL,AL
0040C6CC |. 80BA D30F4900 >CMP BYTE PTR DS:[EDX+490FD3],30    ; compare the last digit of the computed version value with '0'
0040C6D3 |. 75 07          JNZ SHORT WINHEX2.0040C6DC
0040C6D5 |. C682 D30F4900 >MOV BYTE PTR DS:[EDX+490FD3],0     ; set 490FD7 to 0
0040C6DC |> 8A8A D30F4900  MOV CL,BYTE PTR DS:[EDX+490FD3]
0040C6E2 |. 888A D40F4900  MOV BYTE PTR DS:[EDX+490FD4],CL    ; 490FD8 gets the value of 490FD7
0040C6E8 |. 8A8A D20F4900  MOV CL,BYTE PTR DS:[EDX+490FD2]
0040C6EE |. 888A D30F4900  MOV BYTE PTR DS:[EDX+490FD3],CL    ; 490FD7 gets the value of 490FD6
0040C6F4 |. C682 D20F4900 >MOV BYTE PTR DS:[EDX+490FD2],2E    ; 490FD6 set to the decimal point '.'
0040C6FB |. 66:813D 7A0849>CMP WORD PTR DS:[49087A],401       ; compare the 4-digit version value hidden in the Code; must be below 401
0040C704 |. 73 0A          JNB SHORT WINHEX2.0040C710
0040C706 |. 66:833D 7A0849>CMP WORD PTR DS:[49087A],64        ; equal means it is an early-version Code
0040C70E |. 75 0D          JNZ SHORT WINHEX2.0040C71D
0040C710 |> 803D BC074900 >CMP BYTE PTR DS:[4907BC],6
0040C717 |. 0F84 3D010000  JE WINHEX2.0040C85A                ; must jump

... code omitted ...

0040C85A |> 33C0           XOR EAX,EAX
0040C85C |. A0 24074900    MOV AL,BYTE PTR DS:[490724]        ; this is also key; look further up
0040C861 |. C1E8 04        SHR EAX,4
0040C864 |. A2 24084900    MOV BYTE PTR DS:[490824],AL        ; the key change is here; it is sent below to be checked
0040C869 |. 807D EE 00     CMP BYTE PTR SS:[EBP-12],0
0040C86D |. 74 6D          JE SHORT WINHEX2.0040C8DC          ; must jump

... code omitted ...

0040C8DC |> 33C0           XOR EAX,EAX                        ; look at the jumps that land here
0040C8DE |. A0 24074900    MOV AL,BYTE PTR DS:[490724]
0040C8E3 |. C1E8 04        SHR EAX,4
0040C8E6 |. A2 24084900    MOV BYTE PTR DS:[490824],AL
0040C8EB |. BA 28CA4000    MOV EDX,WINHEX2.0040CA28           ; ASCII "// WinHex license file"
0040C8F0 |. B8 A4D44800    MOV EAX,WINHEX2.0048D4A4
0040C8F5 |. E8 5693FFFF    CALL WINHEX2.00405C50
0040C8FA |. B8 A4D44800    MOV EAX,WINHEX2.0048D4A4
0040C8FF |. E8 DC020000    CALL WINHEX2.0040CBE0
0040C904 |. B8 A4D44800    MOV EAX,WINHEX2.0048D4A4
0040C909 |. E8 D2020000    CALL WINHEX2.0040CBE0
0040C90E |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
0040C911 |. 50             PUSH EAX                           ; /StringToAdd
0040C912 |. 68 A4D44800    PUSH WINHEX2.0048D4A4              ; |ConcatString = ""
0040C917 |. E8 248BFFFF    CALL <JMP.&kernel32.lstrcatA>      ; \lstrcatA
0040C91C |. 807D 08 00     CMP BYTE PTR SS:[EBP+8],0
0040C920 |. 0F85 8C000000  JNZ WINHEX2.0040C9B2               ; the registration file is written below
0040C926 |. B8 407C4800    MOV EAX,WINHEX2.00487C40           ; ASCII "user.txt"

... code omitted ...

0040C9AD |. E8 B2510000    CALL WINHEX2.00411B64              ; dialog box: the registration file has been written
0040C9B2 |> 803D 17074900 >CMP BYTE PTR DS:[490717],0         ; first character of Key1
0040C9B9 |. 74 12          JE SHORT WINHEX2.0040C9CD
0040C9BB |. 803D 24084900 >CMP BYTE PTR DS:[490824],2         ; must be 2 or greater
0040C9C2 |. 72 09          JB SHORT WINHEX2.0040C9CD
0040C9C4 |. 803D 24084900 >CMP BYTE PTR DS:[490824],5         ; must be 5 or less
0040C9CB |. 76 04          JBE SHORT WINHEX2.0040C9D1         ; key
0040C9CD |> 33C0           XOR EAX,EAX
0040C9CF |. EB 02          JMP SHORT WINHEX2.0040C9D3
0040C9D1 |> B0 01          MOV AL,1                           ; (base license) registration flag
0040C9D3 |> A2 F1074900    MOV BYTE PTR DS:[4907F1],AL        ; store the registration flag
0040C9D8 |> 33C0           XOR EAX,EAX
0040C9DA |. 5A             POP EDX
0040C9DB |. 59             POP ECX
0040C9DC |. 59             POP ECX

Notes on the key file (you can also discover these by tracing):

1. It must be written in the specified format: the registration fields are separated by a space, Enter, tab, line feed, NULL, '[', '{', '}' and so on.
   User:(delimiter)???? Addr1:(delimiter)???? Addr2:(delimiter)???? Code1:(delimiter)???? Code2:(delimiter)???? Chksm:(delimiter)????
   or
   Name:(delimiter)???? Addr1:(delimiter)???? Addr2:(delimiter)???? Key1:(delimiter)???? Key2:(delimiter)???? Chksm:(delimiter)????
   Tip: some items can be left out, and some must be present!
2. The Key1: and Key2: values must be 32 characters long, and the characters must be in the range 0-9 and A-F (you will see why once you compute the code).
3. Pay attention to characters 27 and 28 of Key1: (both fairly key).
4. Pay attention to characters 1, 2, 3, 4 and 29, 30, 31, 32 of Key1:.
5. The Chksm: value must not be 01 or 10 (try it if you don't believe me).

The notes below are rather sensitive and not convenient to reveal; I hope readers keep working at it, haha.......

********************************************************************************************

6. Character 27 of Key1: is the license type digit: 0 and 1 mean evaluation only, 2 personal, 3 professional, 4 specialist, 5 Configured for API Usage, and 6 or above probably means an illegal registration.
7. Character 28 of Key1: must be 6.
8. XOR characters 31, 32, 29, 30 of Key1: with characters 3, 4, 1, 2, in that order; the result must equal the hex value of the version number.
9. Characters 1 and 2 of Key1: must not be 0.