|
論壇說明 |
歡迎您來到『史萊姆論壇』 ^___^ 您目前正以訪客的身份瀏覽本論壇,訪客所擁有的權限將受到限制,您可以瀏覽本論壇大部份的版區與文章,但您將無法參與任何討論或是使用私人訊息與其他會員交流。若您希望擁有完整的使用權限,請註冊成為我們的一份子,註冊的程序十分簡單、快速,而且最重要的是--註冊是完全免費的! 請點擊這裡:『註冊成為我們的一份子!』 |
|
主題工具 | 顯示模式 |
2003-12-12, 01:00 PM | #1 |
榮譽會員
|
書香XX 算法分析 + 無註冊機
書香門第 V1.30 Build 1732
軟體大小: 720 KB 軟體語言: 簡體中文 軟體類別: 大陸開發軟體 / 共享版 / 電子閱讀 套用平台: Win9x/NT/2000/XP 界面預覽: 加入時間: 2003-09-30 09:47:24 下載次數: 12748 推薦等級: *** 聯 系 人: gentlebreeze@vip.163.com 開 發 商: http://www.gentle-breeze.com/ 軟體介紹: 《書香門第》是一款適合於真正讀書迷的電子小說、文本閱讀軟體,它外表並不花哨,但對於長時間、大量閱讀的讀書迷,卻最舒適、體貼、細緻,因為它具有十二個鮮明特點:1. 多達27種各種質感的視窗背景、頁面背景可供選項,總共超過700種背景組合,為讀書迷提供最高舒適度和最大程度的視力保護。2. 強大、智能化的自動排版功能,並可以隨意設定字體大小、顏色、行距、標題行。3. 極其高速的排版速度:目前主流電腦上排版速度超過一萬頁/秒,所以通常你根本無法感覺到排版程序。 4. 高速的DirectDraw圖形引擎,翻頁尋跡流暢自如。5.附帶的html轉換、合成工具能夠迅速依次將一批html文件轉換且合併為一個大的文本文件,方便閱讀。6.寬廣的平台適用性:從486/win95到最新P4/XP都能從容應對。7.體貼的左手鍵操作,使你從此擺脫長期右手操作滑鼠、鍵盤帶來的疲勞。8.與頁面字數成正比的自動翻頁間隔,自然優於呆板的類BIOS翻頁間隔。9.可以選項使用視窗模式(尋跡方便)或全螢幕幕模式(閱讀效果更好)。10.全書遍歷/測試功能,保護你的電腦,節約能源。11.搜尋功能方便讀者在書中搜尋。12. 具有強於word和IE的漢字亂碼糾錯功能。 下載位址: http://www.skycn.com/soft/9090.html 輸入一個EMAIL和一個註冊碼(必須是24位,見下),用一般方法很容易找到這裡: :00403A3B 6A20 push 00000020 :00403A3D 57 push edi <--輸入的EMAIL :00403A3E 8BCD mov ecx, ebp :00403A40 E881770100 call 0041B1C6 <--得到長度 :00403A45 8D9E00010000 lea ebx, dword ptr [esi+00000100] :00403A4B 6A20 push 00000020 :00403A4D 68202C4500 push 00452C20 <--假碼 :00403A52 8BCB mov ecx, ebx :00403A54 A300204500 mov dword ptr [00452000], eax <--先把EMAIL長度存起來 :00403A59 E868770100 call 0041B1C6 <--得到長度 :00403A5E 83F818 cmp eax, 00000018 :00403A61 0F85C0000000 jne 00403B27 <--長度必須為18h :00403A67 A100204500 mov eax, dword ptr [00452000] <--讀出EMAIL長度 :00403A6C 83F804 cmp eax, 00000004 :00403A6F 0F8CB2000000 jl 00403B27 <--EMAIL長度不小於4 :00403A75 8364241000 and dword ptr [esp+10], 00000000 :00403A7A EB05 jmp 00403A81 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403A9F(C) | :00403A7C A100204500 mov eax, dword ptr [00452000] * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403A7A(U) | :00403A81 50 push eax :00403A82 0FAF442414 imul eax, dword ptr [esp+14] :00403A87 05402C4500 add eax, 00452C40 :00403A8C 57 push edi :00403A8D 50 push eax :00403A8E E8BD570000 call 00409250 <--把[EDI]處的記憶體寫入[eax] :00403A93 83C40C add esp, 0000000C :00403A96 FF442410 inc [esp+10] :00403A9A 837C241040 cmp dword ptr [esp+10], 00000040 :00403A9F 7CDB jl 00403A7C <--把EMAIL重寫40次??作者在和我兜圈子? :00403AA1 BF20244500 mov edi, 00452420 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403ABF(C) | :00403AA6 6A20 push 00000020 :00403AA8 68202C4500 push 00452C20 :00403AAD 57 push edi :00403AAE E89D570000 call 00409250 :00403AB3 83C720 add edi, 00000020 :00403AB6 83C40C add esp, 0000000C :00403AB9 81FF202C4500 cmp edi, 00452C20 :00403ABF 7CE5 jl 00403AA6 <--又把假碼重寫40次 *_* :00403AC1 33FF xor edi, edi :00403AC3 57 push edi :00403AC4 57 push edi :00403AC5 6801150000 push 00001501 :00403ACA FF761C push [esi+1C] * Reference To: USER32.SendMessageA, Ord:0214h | :00403ACD FF15F0544200 Call dword ptr [004254F0] :00403AD3 80BEC000000000 cmp byte ptr [esi+000000C0], 00 <--重要標誌 :00403ADA 742F je 00403B0B <--這裡修改為JNE就成功了 * Possible StringData Ref from Data Obj ->" --------- 祝賀你! ---------- " ->" 你已經成為了《書香門第》註冊用戶!" | :00403ADC 6828D74200 push 0042D728 :00403AE1 893DC83E4500 mov dword ptr [00453EC8], edi :00403AE7 E8AC220000 call 00405D98 看上去似乎沒什麼時候難的,很傳統的判斷,一個CALL,然後CMP,JE,可是跟進CALL一看,卻是系統的USER32.DLL, 百思不得其解,其它地方也找不到什麼判斷.怎麼辦呢??考慮N分鐘後決定用BPM試一下.不是比較[ESI+C0]處是否為0嗎,如果判斷註冊的話肯定要像這裡寫上0或者其它什麼東西.我們就看看程序什麼時候在這裡寫了東西. 下指令: BPM ESI+C0 中斷在下面: :00403B4D 817C240401150000 cmp dword ptr [esp+04], 00001501 :00403B55 56 push esi :00403B56 8BF1 mov esi, ecx :00403B58 750B jne 00403B65 :00403B5A E81D000000 call 00403B7C <--很明顯是關鍵的CALL :00403B5F 8886C0000000 mov byte ptr [esi+000000C0], al <--呵呵,中斷在這裡 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403B58(C) | :00403B65 FF742410 push [esp+10] :00403B69 8BCE mov ecx, esi :00403B6B FF742410 push [esp+10] :00403B6F FF742410 push [esp+10] :00403B73 E8B7540100 call 0041902F :00403B78 5E pop esi :00403B79 C20C00 ret 000C 跟進403B5A處的關鍵CALL: * Referenced by a CALL at Addresses: |:004017E2 , :00402135 , :004030B9 , :00403B5A , :00404DA0 | :00403B7C 55 push ebp :00403B7D 8BEC mov ebp, esp :00403B7F 81EC00010000 sub esp, 00000100 :00403B85 56 push esi :00403B86 6A20 push 00000020 :00403B88 E8DE5B0000 call 0040976B :00403B8D 6A40 push 00000040 :00403B8F BE20234500 mov esi, 00452320 :00403B94 99 cdq :00403B95 59 pop ecx :00403B96 F7F9 idiv ecx :00403B98 C1E205 shl edx, 05 :00403B9B 81C220244500 add edx, 00452420 :00403BA1 52 push edx :00403BA2 56 push esi :00403BA3 E8A8560000 call 00409250 :00403BA8 68FF000000 push 000000FF :00403BAD 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00] :00403BB3 6A00 push 00000000 :00403BB5 50 push eax :00403BB6 E8555A0000 call 00409610 :00403BBB 83C418 add esp, 00000018 :00403BBE FF3500204500 push dword ptr [00452000] :00403BC4 E8A25B0000 call 0040976B :00403BC9 6A40 push 00000040 :00403BCB 99 cdq :00403BCC 59 pop ecx :00403BCD F7F9 idiv ecx :00403BCF 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00] :00403BD5 0FAF1500204500 imul edx, dword ptr [00452000] :00403BDC 81C2402C4500 add edx, 00452C40 :00403BE2 52 push edx :00403BE3 50 push eax :00403BE4 E867560000 call 00409250 :00403BE9 6A0C push 0000000C :00403BEB 56 push esi :00403BEC 68A0224500 push 004522A0 :00403BF1 E85A560000 call 00409250 :00403BF6 6A0C push 0000000C :00403BF8 682C234500 push 0045232C :00403BFD 6820224500 push 00452220 :00403C02 E849560000 call 00409250 :00403C07 A100204500 mov eax, dword ptr [00452000] :00403C0C 80252C22450000 and byte ptr [0045222C], 00 :00403C13 8025AC22450000 and byte ptr [004522AC], 00 :00403C1A 83C424 add esp, 00000024 :00403C1D 33D2 xor edx, edx :00403C1F 85C0 test eax, eax :00403C21 7E2E jle 00403C51 :00403C23 53 push ebx :00403C24 57 push edi :00403C25 8D58FF lea ebx, dword ptr [eax-01] * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403C4D(C) | :00403C28 8DBC1500FFFFFF lea edi, dword ptr [ebp+edx-00000100] :00403C2F 8A0F mov cl, byte ptr [edi] <-依次取EMAIL的字串 :00403C31 80F940 cmp cl, 40 :00403C34 7405 je 00403C3B <--是否為'@' :00403C36 80F92E cmp cl, 2E :00403C39 750F jne 00403C4A<--是否為'.' * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403C34(C) | :00403C3B 3BD3 cmp edx, ebx :00403C3D 7D09 jge 00403C48 :00403C3F 8BCB mov ecx, ebx :00403C41 8D7701 lea esi, dword ptr [edi+01] :00403C44 2BCA sub ecx, edx :00403C46 F3 repz :00403C47 A4 movsb * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403C3D(C) | :00403C48 48 dec eax :00403C49 4B dec ebx * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403C39(C) | :00403C4A 42 inc edx :00403C4B 3BD0 cmp edx, eax :00403C4D 7CD9 jl 00403C28 <--上面的一段是對EMAIL的處理,去掉@,在後面補齊等 :00403C4F 5F pop edi :00403C50 5B pop ebx * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403C21(C) | :00403C51 83F80C cmp eax, 0000000C :00403C54 5E pop esi :00403C55 7D18 jge 00403C6F :00403C57 6A0C push 0000000C :00403C59 59 pop ecx :00403C5A 2BC8 sub ecx, eax :00403C5C 8D840500FFFFFF lea eax, dword ptr [ebp+eax-00000100] :00403C63 51 push ecx :00403C64 6A30 push 00000030 :00403C66 50 push eax :00403C67 E8A4590000 call 00409610 :00403C6C 83C40C add esp, 0000000C * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403C55(C) | :00403C6F 80A50CFFFFFF00 and byte ptr [ebp+FFFFFF0C], 00 :00403C76 E847000000 call 00403CC2 <--關鍵的CALL :00403C7B 6A0C push 0000000C :00403C7D 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00] :00403C83 68A0234500 push 004523A0 :00403C88 50 push eax :00403C89 E8D2600000 call 00409D60 <--這裡就是比較了 :00403C8E 83C40C add esp, 0000000C :00403C91 85C0 test eax, eax :00403C93 751B jne 00403CB0 :00403C95 2005FB1C4500 and byte ptr [00451CFB], al :00403C9B 2005FA1C4500 and byte ptr [00451CFA], al :00403CA1 2005F91C4500 and byte ptr [00451CF9], al :00403CA7 2005F81C4500 and byte ptr [00451CF8], al :00403CAD 40 inc eax :00403CAE C9 leave :00403CAF C3 ret 進入403C89處的CALL: * Referenced by a CALL at Addresses: |:00403C76 , :004044A5 | :00403CC2 6A0C push 0000000C :00403CC4 E802000000 call 00403CCB <--進入 :00403CC9 59 pop ecx :00403CCA C3 ret * Referenced by a CALL at Address: |:00403CC4 | :00403CCB 56 push esi :00403CCC 8B742408 mov esi, dword ptr [esp+08] :00403CD0 33C9 xor ecx, ecx :00403CD2 57 push edi :00403CD3 85F6 test esi, esi :00403CD5 7E20 jle 00403CF7 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403CF5(C) <--第一處循環計算 | :00403CD7 8D0431 lea eax, dword ptr [ecx+esi] :00403CDA 6A09 push 00000009 :00403CDC 99 cdq :00403CDD 5F pop edi :00403CDE F7FF idiv edi :00403CE0 B008 mov al, 08 :00403CE2 2AC2 sub al, dl :00403CE4 88144D20234500 mov byte ptr [2*ecx+00452320], dl :00403CEB 88044D21234500 mov byte ptr [2*ecx+00452321], al :00403CF2 41 inc ecx :00403CF3 3BCE cmp ecx, esi :00403CF5 7CE0 jl 00403CD7 <--上面的計算挺熱鬧,但結果都是常數,所以只要知道結果就行了 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403CD5(C) | :00403CF7 8024752023450000 and byte ptr [2*esi+00452320], 00 :00403CFF 53 push ebx :00403D00 55 push ebp :00403D01 8DBE20234500 lea edi, dword ptr [esi+00452320] :00403D07 56 push esi :00403D08 BD20214500 mov ebp, 00452120 :00403D0D 57 push edi :00403D0E 55 push ebp :00403D0F E83C550000 call 00409250 :00403D14 BB20234500 mov ebx, 00452320 :00403D19 56 push esi :00403D1A 53 push ebx :00403D1B 57 push edi :00403D1C E82F550000 call 00409250 :00403D21 56 push esi :00403D22 55 push ebp :00403D23 53 push ebx :00403D24 E827550000 call 00409250 <--頻繁使用這個CALL(上面提到過),目的是把上面的計算結果前半段和後半段對調一下 :00403D29 83C424 add esp, 00000024 :00403D2C 33DB xor ebx, ebx :00403D2E 85F6 test esi, esi :00403D30 7E51 jle 00403D83 計算至此後記憶體中的情況:[00452320] __________________________________________________________________ 016F:00452320 00 08 01 07 02 06 03 05-04 04 05 03 03 05 04 04 016F:00452330 05 03 06 02 07 01 08 00-00 00 00 00 00 00 00 00 __________________________________________________________________ * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403D81(C) <--第二處循環計算 | :00403D32 8AC3 mov al, bl :00403D34 8A8BA0224500 mov cl, byte ptr [ebx+004522A0] <-依次取出假碼前半段的字串ch1 :00403D3A FEC0 inc al :00403D3C 8A9320224500 mov dl, byte ptr [ebx+00452220] <-依次取出假碼後半段的字串ch2 :00403D42 F6EB imul bl <-ch1=ch1*循環變數N (由0遞增) :00403D44 8D3C1B lea edi, dword ptr [ebx+ebx] :00403D47 FEC0 inc al :00403D49 240F and al, 0F :00403D4B 2A8F20234500 sub cl, byte ptr [edi+00452320]<-ch1=ch1-從[452320]處依次取的值 :00403D51 2A9721234500 sub dl, byte ptr [edi+00452321]<-ch2=ch2-從[452320]處倣傚取的值 :00403D57 A218214500 mov byte ptr [00452118], al :00403D5C 80E941 sub cl, 41 <-ch1=ch1-41 :00403D5F 80EA41 sub dl, 41 <-ch2=ch2-41 :00403D62 32C8 xor cl, al <-ch1=ch1 xor 循環變數N :00403D64 32D0 xor dl, al <-ch2=ch2 xor 循環變數N :00403D66 888BA0224500 mov byte ptr [ebx+004522A0], cl :00403D6C 889320224500 mov byte ptr [ebx+00452220], dl <-把結果寫在[4522A0] :00403D72 43 inc ebx :00403D73 888F20214500 mov byte ptr [edi+00452120], cl :00403D79 3BDE cmp ebx, esi :00403D7B 889721214500 mov byte ptr [edi+00452121], dl <-再寫在[452120] :00403D81 7CAF jl 00403D32 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403D30(C) | :00403D83 56 pus * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403D30(C) | :00403D83 56 push esi :00403D84 55 push ebp :00403D85 6820224500 push 00452220 :00403D8A E8C1540000 call 00409250 :00403D8F 8DBE20214500 lea edi, dword ptr [esi+00452120] :00403D95 56 push esi :00403D96 BBA0224500 mov ebx, 004522A0 :00403D9B 57 push edi :00403D9C 53 push ebx :00403D9D E8AE540000 call 00409250 :00403DA2 56 push esi :00403DA3 53 push ebx :00403DA4 55 push ebp :00403DA5 E8A6540000 call 00409250 :00403DAA 56 push esi :00403DAB 6820224500 push 00452220 :00403DB0 57 push edi :00403DB1 E89A540000 call 00409250 <--又是同樣的方法把前半段ch1和後半段ch2再調換 :00403DB6 83C430 add esp, 00000030 :00403DB9 33C0 xor eax, eax :00403DBB 85F6 test esi, esi :00403DBD 5D pop ebp :00403DBE 5B pop ebx :00403DBF 7E1C jle 00403DDD * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403DDB(C) <--第三處循環計算 | :00403DC1 8A0C4521214500 mov cl, byte ptr [2*eax+00452121] <--從[452120]處每次取兩個值 :00403DC8 C0E104 shl cl, 04 即第二次計算的結果,把後一值 :00403DCB 0A0C4520214500 or cl, byte ptr [2*eax+00452120] 左移四位後與前值進行OR運算, :00403DD2 40 inc eax 結果寫在[4523A0] :00403DD3 3BC6 cmp eax, esi :00403DD5 88889F234500 mov byte ptr [eax+0045239F], cl :00403DDB 7CE4 jl 00403DC1 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00403DBF(C) | :00403DDD 80A6A023450000 and byte ptr [esi+004523A0], 00 :00403DE4 5F pop edi :00403DE5 5E pop esi :00403DE6 C3 ret 進行比較的那個CALL我就不寫了(因為這篇文章太長了),但它好像只比較前四位,也就是說只要你的EMAIL前四位與[4523A0]處的結果一致就可以.可我隨意填的假碼經反算後根本不是可顯示字串,要想寫出註冊機必須把算法逆回去,我想了好半天也不知道這個算法怎樣逆運算,看著清清楚楚的程式碼就是寫不出註冊機,痛苦中..... 哪位大哥幫我分析一下,我的數學太爛了... 程序判斷註冊的思路: 1.先將EMAIL中的'@','.'字串去掉,如果小於12個字串就在後面補'0'.然後把前六位和後六位顛倒過來. 2.取註冊碼(24位)按下表計算: (假設輸入的是ABCDEFGHIJKLMNOPQRSTUVWX) +----+---+---+---+---+---+---+---+---+---+---+---+---+ |假碼| A | B | C | D | E | F | G | H | I | J | K | L | |Num | 0 | 1 | 2 | 3 | 4 | 5 | 3 | 4 | 5 | 6 | 7 | 8 | +----+---+---+---+---+---+---+---+---+---+---+---+---+ |假碼| M | N | O | P | Q | R | S | T | U | V | W | X | |Num | 8 | 7 | 6 | 5 | 4 | 3 | 5 | 4 | 3 | 2 | 1 | 0 | +----+---+---+---+---+---+---+---+---+---+---+---+---+ |Nxor| 1 | 3 | 7 | D | 5 | F | B | 9 | 9 | B | F | 5 | +----+---+---+---+---+---+---+---+---+---+---+---+---+ 其中第N列的Nxor值計算方法是((N-1)*N+1) mod 10h 判斷時將每列上一格裡的(註冊碼-Num-41h) xor 該格對應列的Nxor值,記結果為S1,用同樣方法算出該列下一格的值S2,計算(S2 SHR 4) OR S1. 12列的結果組成的字串如果和EMAIL經處理後的字串一致就成功. 因為程序將註冊碼反算,所以註冊機要求它的逆運算.逆運算的關鍵是如何把EMAIL中的一個值拆分成S1和S2,因為這個逆運算產生的結果不惟一,但要保證計算出的註冊碼是可顯示字串.不妨把一個兩位的十六進位值拆成高位和低位元.如字母'R'=52h,可拆成S1=2,S2=5,這樣計算出來的註冊碼在'A'-'X'之間,完全符合要求. 註冊機: (Borland Pascal 7.0) Program CrackZbook; var fmail,mail,code,temp:string; p,p1,s1,s2,s :integer; Num:array[1..24] of integer; Nxor:array[1..12] of integer; begin Num[1]:=0; Num[2]:=1; Num[3]:=2; Num[4]:=3; Num[5]:=4; Num[6]:=5; Num[7]:=3; Num[8]:=4; Num[9]:=5; Num[10]:=6; Num[11]:=7; Num[12]:=8; Num[13]:=8; Num[14]:=7; Num[15]:=6; Num[16]:=5; Num[17]:=4; Num[18]:=3; Num[19]:=5; Num[20]:=4; Num[21]:=3; Num[22]:=2; Num[23]:=1; Num[24]:=0; Nxor[1]:=1;Nxor[2]:=3;Nxor[3]:=7;Nxor[4]:=13; Nxor[5]:=5;Nxor[6]:=15;Nxor[7]:=11;Nxor[8]:=9; Nxor[9]:=9;Nxor[10]:=11;Nxor[11]:=15;Nxor[12]:=5; //啟始化計算表 p1:=1; repeat write('Please input your Email:'); readln(fmail); until length(fmail)>=4; for p:=1 to length(fmail) do if (fmail[p]<>'.') and (fmail[p]<>'@') then begin mail[p1]:=fmail[p]; inc(p1); end; for p:=p1 to 12 do mail[p]:='0'; for p:=1 to 6 do temp[p]:=mail[p]; for p:=7 to 12 do mail[p-6]:=mail[p]; for p:=7 to 12 do mail[p]:=temp[p-6]; //對EMAIL的處理 for p:=1 to 12 do begin s:=ord(mail[p]); s1:=s mod 16; s2:=s div 16; s1:=s1 xor Nxor[p]; s2:=s2 xor Nxor[p]; s1:=s1+$41+Num[p]; s2:=s2+$41+Num[p+12]; code[p]:=chr(s1); code[p+12]:=chr(s2); end; for p:=1 to 24 do write(code[p]); writeln; writeln('Crack by RoBa Thank you'); end. 一個可用的註冊碼: EMAIL: RoBa CODE : BEJQJUMKQQWNKHKTKPTTQPNG |
送花文章: 3,
|