2004-10-15 Author: 蓝点
Cracking KeyGenMe (CoDe_InSiDe):
The method this guy uses is really clever, just like the last one: a real pain! Luckily, after more than six hours, I finally got it done. The author asks for a keygen; honestly I can't write one, but if finding the algorithm and computing it by hand also counts as success, then I succeeded too.
This thing is again one of those PE WIN GUI programs; W32DASM is useless, so I used that nice tool Borg Disassembler v2.21 again...
Set a breakpoint on GETDLGITEMTEXTA:
...
1000:004010a2 6a10 push 10h
1000:004010a4 68301e4000 push 401e30h
1000:004010a9 6822010000 push 122h
1000:004010ae ff7508 push dword ptr [ebp+08h]
1000:004010b1 ff15701d4000 call dword ptr [GetDlgItemTextA]/*NAME is read here -> 00401E30*/
1000:004010b7 a3201e4000 mov [401e20h], eax
1000:004010bc 3c03 cmp al, 03h /*note this: NAME must be longer than 3 characters*/
1000:004010be 7714 ja 4010d4h
1000:004010c0 5d pop ebp
1000:004010c1 6a10 push 10h
1000:004010c3 68001c4000 push 401c00h
1000:004010c8 689e1b4000 push 401b9eh
1000:004010cd 6a00 push 00h
1000:004010cf e91c0c0000 jmp 401cf0h
; XREFS First: 1000:004010be Number : 1
1000:004010d4 5d pop ebp
1000:004010d5 55 push ebp
1000:004010d6 8bec mov ebp, esp
1000:004010d8 6a10 push 10h
1000:004010da 68701e4000 push 401e70h
1000:004010df 6822020000 push 222h
1000:004010e4 ff7508 push dword ptr [ebp+08h]
1000:004010e7 ff15701d4000 call dword ptr [GetDlgItemTextA]/*NUM is read here -> 00401E70*/
1000:004010ed a3601e4000 mov [401e60h], eax
1000:004010f2 3c00 cmp al, 00h
1000:004010f4 7514 jnz 40110ah
...
Stepping over with F10 gets you here:
...
1000:0040110f b9201e4000 mov ecx, 401e20h
1000:00401114 8b09 mov ecx, [ecx]
1000:00401116 bf301e4000 mov edi, 401e30h/*NAME is loaded here; the calculation starts below...*/
; XREFS First: 1000:00401129 Number : 1
1000:0040111b 8a07 mov al, [edi]
1000:0040111d 3c00 cmp al, 00h
1000:0040111f 740a jz 40112bh
1000:00401121 0fafc1 imul eax, ecx/*each character of NAME times the number of characters in NAME*/
1000:00401124 01c2 add edx, eax/*summed*/
1000:00401126 47 inc edi
1000:00401127 33c0 xor eax, eax
1000:00401129 ebf0 jmp 40111bh
; XREFS First: 1000:0040111f Number : 1
1000:0040112b 52 push edx /*save the result*/
1000:0040112c 33c0 xor eax, eax
1000:0040112e 33d2 xor edx, edx
1000:00401130 bf301e4000 mov edi, 401e30h/*NAME is loaded again.*/
; XREFS First: 1000:00401142 Number : 1
1000:00401135 8a07 mov al, [edi]
1000:00401137 3c00 cmp al, 00h
1000:00401139 7409 jz 401144h
1000:0040113b 33c1 xor eax, ecx/*each character of NAME XOR the number of characters in NAME*/
1000:0040113d 01c2 add edx, eax/*summed*/
1000:0040113f 47 inc edi
1000:00401140 33c0 xor eax, eax
1000:00401142 ebf1 jmp 401135h
; XREFS First: 1000:00401139 Number : 1
1000:00401144 5e pop esi
1000:00401145 01d6 add esi, edx/*add the results of the two computations*/
1000:00401147 56 push esi /*save the result*/
1000:00401148 33c0 xor eax, eax
1000:0040114a 33d2 xor edx, edx
1000:0040114c 33f6 xor esi, esi
1000:0040114e 33db xor ebx, ebx
1000:00401150 bf301e4000 mov edi, 401e30h
1000:00401155 be301e4000 mov esi, 401e30h/*NAME again*/
; XREFS First: 1000:0040116f Number : 2
1000:0040115a 8a07 mov al, [edi]
1000:0040115c 3c00 cmp al, 00h
1000:0040115e 741b jz 40117bh
1000:00401160 8a0e mov cl, [esi]
1000:00401162 83f900 cmp ecx, 00h
1000:00401165 740a jz 401171h
1000:00401167 0fafc1 imul eax, ecx/*this time every character of NAME is multiplied by every character of NAME
1000:0040116a 01c2 add edx, eax and the products are summed*/
1000:0040116c 46 inc esi
1000:0040116d 33c0 xor eax, eax
1000:0040116f ebe9 jmp 40115ah
; XREFS First: 1000:00401165 Number : 1
1000:00401171 47 inc edi
1000:00401172 33c0 xor eax, eax
1000:00401174 be301e4000 mov esi, 401e30h
1000:00401179 ebdf jmp 40115ah
; XREFS First: 1000:0040115e Number : 1
1000:0040117b 5e pop esi
1000:0040117c 01d6 add esi, edx/*add up the results of all three computations*/
1000:0040117e 56 push esi
...
So much code... my head hurts. Still, with care the algorithm can be found. The section above processes NAME and computes the correct NUM from it. Can you follow it? It's easier to understand in SoftICE (dynamically!). Done? No, the result obtained still has to be processed further:
...
1000:00401189 58 pop eax
1000:0040118a bf601c4000 mov edi, 401c60h
; XREFS First: 1000:004011ab Number : 1
1000:0040118f 85c0 test eax, eax
1000:00401191 7424 jz 4011b7h
1000:00401193 c1c004 rol eax, 04h
1000:00401196 88c2 mov dl, al
1000:00401198 c1ca04 ror edx, 04h
1000:0040119b 80fa09 cmp dl, 09h
1000:0040119e 770d ja 4011adh
; XREFS First: 1000:004011b5 Number : 1
1000:004011a0 80c230 add dl, 30h
1000:004011a3 8817 mov [edi], dl
1000:004011a5 47 inc edi
1000:004011a6 b000 mov al, 00h
1000:004011a8 c1c808 ror eax, 08h
1000:004011ab ebe2 jmp 40118fh
; XREFS First: 1000:0040119e Number : 2
1000:004011ad 80ea04 sub dl, 04h
1000:004011b0 80fa09 cmp dl, 09h
1000:004011b3 77f8 ja 4011adh
1000:004011b5 ebe9 jmp 4011a0h
...
Here I'll use an example: my NAME, Vitamin C, and the NUM it produces:
The three computations above produce the number A8FEEH, and the code above handles that number like this:
(Note the order!)
E > 9H, so subtract 4H repeatedly until the value is <= 9H, then add 30H to turn it into the corresponding character: 36H -> '6'
E > 9H, same as above: 36H -> '6'
F > 9H, same as above: 37H -> '7'
8 < 9H: 38H -> '8'
A > 9H, same as above: 36H -> '6'
So the code above simply turns each hex digit of the value obtained into a decimal character.
OK, so the final correct NUM is: 66786.
...
1000:004011ee 8a07 mov al, [edi]
1000:004011f0 3c00 cmp al, 00h
1000:004011f2 740c jz 401200h
1000:004011f4 8a0e mov cl, [esi]
1000:004011f6 3bc1 cmp eax, ecx/*the comparison, against the NUM you entered,
1000:004011f8 7504 jnz 4011feh one character at a time*/
1000:004011fa 46 inc esi
1000:004011fb 47 inc edi
1000:004011fc ebf0 jmp 4011eeh
...
This part does the NUM comparison. Not hard to read.
OK, now on to the CODE:
...
1000:0040121f 6a15 push 15h
1000:00401221 68001f4000 push 401f00h
1000:00401226 6822030000 push 322h
1000:0040122b ff7508 push dword ptr [ebp+08h]
1000:0040122e ff15701d4000 call dword ptr [GetDlgItemTextA]/*get the CODE that was entered*/
1000:00401234 5d pop ebp
1000:00401235 3c00 cmp al, 00h
...
1000:00401254 b104 mov cl, 04h
1000:00401256 b22d mov dl, 2dh/*this is the '-'*/
1000:00401258 bfa01c4000 mov edi, 401ca0h
1000:0040125d be301e4000 mov esi, 401e30h/*load NAME*/
; XREFS First: 1000:00401269 Number : 1
1000:00401262 8a06 mov al, [esi]
1000:00401264 8807 mov [edi], al
1000:00401266 46 inc esi
1000:00401267 47 inc edi
1000:00401268 49 dec ecx
1000:00401269 75f7 jnz 401262h
...
This part produces the first segment of the CODE, Vita-: the first 4 characters of the NAME you entered, plus '-'.
...
1000:0040126e be601c4000 mov esi, 401c60h
; XREFS First: 1000:0040127d Number : 1
1000:00401273 8a06 mov al, [esi]
1000:00401275 3c00 cmp al, 00h
1000:00401277 7406 jz 40127fh
1000:00401279 8807 mov [edi], al
1000:0040127b 47 inc edi
1000:0040127c 46 inc esi
1000:0040127d ebf4 jmp 401273h
...
This part produces the 66786- of the CODE, so the correct CODE so far is: Vita-66786-.
...
1000:0040127f 8817 mov [edi], dl
1000:00401281 47 inc edi
1000:00401282 57 push edi
1000:00401283 bf601c4000 mov edi, 401c60h/*00401C60 holds that 66786*/
1000:00401288 33f6 xor esi, esi
; XREFS First: 1000:00401298 Number : 1
1000:0040128a 8a07 mov al, [edi]
1000:0040128c 3c00 cmp al, 00h
1000:0040128e 740a jz 40129ah
1000:00401290 0fafc2 imul eax, edx /*take each character of 66786 and multiply it by 2DH ('-')*/
1000:00401293 01c6 add esi, eax /*summed*/
1000:00401295 33c0 xor eax, eax
1000:00401297 47 inc edi
1000:00401298 ebf0 jmp 40128ah
; XREFS First: 1000:0040128e Number : 1
1000:0040129a 5f pop edi /*what follows resembles the fourth step of computing NUM: the number obtained
1000:0040129b 8bc6 mov eax, esi is converted to the corresponding decimal characters*/
1000:0040129d 33f6 xor esi, esi
1000:0040129f 33c9 xor ecx, ecx
; XREFS First: 1000:004012be Number : 1
1000:004012a1 85c0 test eax, eax
1000:004012a3 7425 jz 4012cah
1000:004012a5 c1c004 rol eax, 04h
1000:004012a8 8ac8 mov cl, al
1000:004012aa c1c904 ror ecx, 04h
1000:004012ad 80f909 cmp cl, 09h
1000:004012b0 770e ja 4012c0h
; XREFS First: 1000:004012c8 Number : 1
1000:004012b2 80c130 add cl, 30h
1000:004012b5 51 push ecx
1000:004012b6 46 inc esi
1000:004012b7 b000 mov al, 00h
1000:004012b9 33c9 xor ecx, ecx
1000:004012bb c1c808 ror eax, 08h
1000:004012be ebe1 jmp 4012a1h
; XREFS First: 1000:004012b0 Number : 2
1000:004012c0 80e904 sub cl, 04h
1000:004012c3 80f909 cmp cl, 09h
1000:004012c6 77f8 ja 4012c0h
1000:004012c8 ebe8 jmp 4012b2h
...
This long section computes the last part of the CODE; the algorithm resembles the NUM computation:
the hex value derived from 66786 is converted to the corresponding decimal characters.
So now the correct CODE is: Vita-66786-2779. And there's more...
...
1000:004012d0 8817 mov [edi], dl/*append '-' to the CODE*/
1000:004012d2 47 inc edi
1000:004012d3 b258 mov dl, 58h /*append X*/
1000:004012d5 8917 mov [edi], edx
...
1000:004012e1 bf001f4000 mov edi, 401f00h
1000:004012e6 bea01c4000 mov esi, 401ca0h
; XREFS First: 1000:004012f9 Number : 1
1000:004012eb 8a07 mov al, [edi]
1000:004012ed 3c00 cmp al, 00h
1000:004012ef 741f jz 401310h
1000:004012f1 8a0e mov cl, [esi]
1000:004012f3 3bc1 cmp eax, ecx/*the final comparison! CODE: Vita-66786-2779-X*/
1000:004012f5 7504 jnz 4012fbh
...
OK, finally done with it...
Finally, to prove that the algorithm I found is correct, I used:
NAME: AAAA, computed NUM by hand: 43901, CODE: AAAA-43901-2929-X.
Entered it into the program: OK. I succeeded...
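The whole NAME -> NUM -> CODE chain walked through above, re-implemented in Python so the hand computation can be checked for both names. This is an added example, not the crackme's code or the author's; the function names and the 32-bit masking (the crackme works in eax/edx/esi) are assumptions drawn from the disassembly.

```python
# Added example: re-implementation of the KeyGenMe algorithm traced above.
MASK = 0xFFFFFFFF  # results live in 32-bit registers, so sums wrap modulo 2^32

def hex_digits_to_string(value):
    """Mirror the nibble loop at 0040118f: take the hex digits of `value` from the
    lowest nibble up; a nibble above 9 has 4 subtracted until it is <= 9, then
    30h is added to make a character. Returns the characters in emission order."""
    out = []
    while value:
        nibble = value & 0xF
        while nibble > 9:          # the 'sub dl,4' / 'cmp dl,9' loop
            nibble -= 4
        out.append(chr(0x30 + nibble))
        value >>= 4                # 'mov al,0; ror eax,8' drops the used nibble
    return "".join(out)

def compute_num(name):
    chars = name.encode("ascii")
    n = len(chars)                                        # ecx = length from GetDlgItemTextA
    s1 = sum(c * n for c in chars) & MASK                 # loop at 0040111b: char * length
    s2 = sum(c ^ n for c in chars) & MASK                 # loop at 00401135: char XOR length
    s3 = sum(a * b for a in chars for b in chars) & MASK  # nested loop at 0040115a
    total = (s1 + s2 + s3) & MASK
    return hex_digits_to_string(total)

def compute_code(name, num):
    # loop at 0040128a: each NUM character times 2Dh ('-'), summed
    total = sum(c * 0x2D for c in num.encode("ascii")) & MASK
    # the second converter pushes every digit and pops them back, so the order is reversed
    tail = hex_digits_to_string(total)[::-1]
    return f"{name[:4]}-{num}-{tail}-X"

def keygen(name):
    """Return (NUM, CODE) for a NAME; the crackme rejects names of 3 characters or fewer."""
    if len(name) <= 3:
        raise ValueError("NAME must be longer than 3 characters (cmp al,3 / ja)")
    num = compute_num(name)
    return num, compute_code(name, num)

if __name__ == "__main__":
    for n in ("Vitamin C", "AAAA"):
        print(n, *keygen(n))
```

The two names from the post reproduce the values computed by hand: Vitamin C gives NUM 66786 and CODE Vita-66786-2779-X, AAAA gives 43901 and AAAA-43901-2929-X.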
Oh, I'm so tired tonight, it's nearly dawn again... no wonder I keep making typos...
OK!
NAME: Vitamin C
NUM.: 66786
CODE: Vita-66786-2779-X
Vitamin C [ascorbic acid]. 2002.2.6. HY.GD.CHI.