PC6下载站

分类分类

Shiznit Scanner V2.1简单算法学习手记(期中考完总算有一点时间玩Crack,希望大家多多帮帮我,谢谢^_^) (14千字)

关注+2004-10-15作者:蓝点

 


软件名称:Shiznit Scanner V2.1
软件介绍:Fast configurable highly featured UDP/TCP Port/Subnet Scanner for windows. Some key features are: TCP Port scanning of stealth and non-stealth hosts, Extreme UDP Port scanning, UDP Subnet scanning!, High speed ping scanning of subnets, TCP Subnet scanning of stealth and non-stealth hosts, Setting of start and stop ports, Gives you the ability to save results, Nice looking interface, Tells you if remote computer being scanned is stealth, You choose the speed of scan, Tells you the host responses for TCP Port scan and Subnet scan, Tells you the port use from huge lists of ports as found, Port scanner & Subnet scanner integration, so as though you can double click an IP found with the Subnet scanner to port scan with the Port scanner... Many new features in V2.0, a must have for TCP/IP network administrators.

破解人:BurSH[FCG][BCG][DFCG] (于2003.4.20)
破解工具:Trw2000 1.23


Ok,Let's begin now!
Ctrl+n呼出Trw2000,下断点BPX GetDlgItemTextA,输入任意注册信息,点击Register Shiznit Scanner 2.1.拦住了!我们下PMODULE指令回到软件领空,然后下BC指令清除断点,按三下F10,看到下面的代码:


016F:00406DB7  PUSH    BYTE +01
016F:00406DB9  PUSH    BYTE +00
016F:00406DBB  PUSH    DWORD 0421
016F:00406DC0  MOV      ECX,[EBP+FFFFFBEC]
016F:00406DC6  CALL    004379C8==>取输入的注册码
016F:00406DCB  PUSH    EAX==>输入的注册码入栈
016F:00406DCC  LEA      EAX,[EBP-20]==>将取得到的用户名放到EAX中
016F:00406DCF  PUSH    EAX==>用户名入栈
016F:00406DD0  CALL    00406870==>关键Call,进行了注册码的计算与校验!F8跟进去~
016F:00406DD5  AND      EAX,FF
016F:00406DDA  TEST    EAX,EAX==>注册码正确吗?
016F:00406DDC  JZ      NEAR 00406E98==>不正确就跳去死:(
016F:00406DE2  PUSH    BYTE +00
016F:00406DE4  PUSH    DWORD 00448C98
016F:00406DE9  PUSH    DWORD 00448BCC
016F:00406DEE  MOV      ECX,[EBP+FFFFFBEC]
016F:00406DF4  CALL    004368A5


F8跟入406DD0的关键后看到:

016F:00406870  PUSH    EBP
016F:00406871  MOV      EBP,ESP
016F:00406873  SUB      ESP,0430
016F:00406879  PUSH    EBX
016F:0040687A  PUSH    ESI
016F:0040687B  PUSH    EDI
016F:0040687C  MOV      EDI,[EBP+08]
016F:0040687F  LEA      EDX,[EBP-2C]
016F:00406882  OR      ECX,BYTE -01
016F:00406885  XOR      EAX,EAX
016F:00406887  REPNE SCASB
016F:00406889  NOT      ECX
016F:0040688B  SUB      EDI,ECX
016F:0040688D  MOV      ESI,EDI
016F:0040688F  MOV      EAX,ECX
016F:00406891  MOV      EDI,EDX
016F:00406893  SHR      ECX,02
016F:00406896  REP MOVSD ==>这句汇编指令我不明白,哪位高手教我一下?若F8跳过就会出现注册失败:(所以,我就直接g 到了下一条指令
016F:00406898  MOV      ECX,EAX
016F:0040689A  AND      ECX,BYTE +03
016F:0040689D  REP MOVSB ==>g 40689F
016F:0040689F  MOV      DWORD [EBP-08],00
016F:004068A6  JMP      SHORT 004068B1==>跳到下面4068B1处
016F:004068A8  MOV      ECX,[EBP-08]
016F:004068AB  ADD      ECX,BYTE +01==>ECX加1!
016F:004068AE  MOV      [EBP-08],ECX==>将ECX值赋给[EBP-08]
016F:004068B1  MOV      EDX,[EBP-08]==>EDX为计数器
016F:004068B4  MOVSX    EAX,BYTE [EBP+EDX-2C]==>依次取出用户名的十六进制放入EAX([EBP-2C]放的是用户名)
016F:004068B9  TEST    EAX,EAX==>用户名所有字符取出了没有?
016F:004068BB  JZ      004068D0==>没有则继续往下
016F:004068BD  MOV      ECX,[EBP-08]==>ECX为计数器
016F:004068C0  MOV      DL,[EBP+ECX-2C]==>依次取出用户名的十六进制放入DL([EBP-2C]放的是用户名)
016F:004068C4  ADD      DL,0A==>依次将用户名的十六进制加AH,结果放入DL!
016F:004068C7  MOV      EAX,[EBP-08]
016F:004068CA  MOV      [EBP+EAX-2C],DL==>将用户名逐个转换后放入[EBP-2C]
016F:004068CE  JMP      SHORT 004068A8
016F:004068D0  MOV      DWORD [EBP+FFFFFBE0],00448B50==>448B50处放的是一串字符:^OKW*V_MsN(逐个减AH后为:TEAM LUiD.黑名单哟!^0^)
016F:004068DA  LEA      ECX,[EBP-2C]==>将上面转换后的用户名放入ECX
016F:004068DD  MOV      [EBP+FFFFFBDC],ECX------------
016F:004068E3  MOV      EDX,[EBP+FFFFFBDC]            \
016F:004068E9  MOV      AL,[EDX]                      |
016F:004068EB  MOV      [EBP+FFFFFBDB],AL              |这
016F:004068F1  MOV      ECX,[EBP+FFFFFBE0]            |段
016F:004068F7  CMP      AL,[ECX]                      |逐
016F:004068F9  JNZ      00406941                      |位
016F:004068FB  CMP      BYTE [EBP+FFFFFBDB],00        |比
016F:00406902  JZ      00406935                      |较
016F:00406904  MOV      EDX,[EBP+FFFFFBDC]            |用
016F:0040690A  MOV      AL,[EDX+01]                    |户
016F:0040690D  MOV      [EBP+FFFFFBDA],AL              |名
016F:00406913  MOV      ECX,[EBP+FFFFFBE0]            |是
016F:00406919  CMP      AL,[ECX+01]                    |否
016F:0040691C  JNZ      00406941                      |属
016F:0040691E  ADD      DWORD [EBP+FFFFFBDC],BYTE +02  |于
016F:00406925  ADD      DWORD [EBP+FFFFFBE0],BYTE +02  |黑
016F:0040692C  CMP      BYTE [EBP+FFFFFBDA],00        |名
016F:00406933  JNZ      004068E3                      |单
016F:00406935  MOV      DWORD [EBP+FFFFFBD4],00        |.
016F:0040693F  JMP      SHORT 0040694C                |不
016F:00406941  SBB      EDX,EDX                        |是
016F:00406943  SBB      EDX,BYTE -01                  |就
016F:00406946  MOV      [EBP+FFFFFBD4],EDX            |跳
016F:0040694C  MOV      EAX,[EBP+FFFFFBD4]            |去
016F:00406952  MOV      [EBP+FFFFFBD0],EAX            |4
016F:00406958  CMP      DWORD [EBP+FFFFFBD0],BYTE +00  |0
016F:0040695F  JNZ      NEAR 00406AB1                  |6
016F:00406965  MOV      DWORD [EBP+FFFFFBE8],00        |A
016F:0040696F  CMP      DWORD [EBP+FFFFFBE8],BYTE +00  |C
016F:00406976  JNZ      0040697F                      |3
016F:00406978  XOR      AL,AL==>注册码校验错误的标志!  /
016F:0040697A  JMP      00406D61==>黑名单?你死定了^_^-- 
016F:0040697F  MOV      EDI,00448B48
016F:00406984  LEA      EDX,[EBP-2C]
016F:00406987  OR      ECX,BYTE -01
016F:0040698A  XOR      EAX,EAX
016F:0040698C  REPNE SCASB
016F:0040698E  NOT      ECX
016F:00406990  SUB      EDI,ECX
016F:00406992  MOV      ESI,EDI
016F:00406994  MOV      EAX,ECX

上面罗里罗嗦半天就是校验一个黑名单-_-0作者"不好意思"把黑名单直接写出来,搞成"f(用户名)=特定字符串"进行比较……
…………
016F:00406ABA  MOV      EAX,[EBP-04]
016F:00406ABD  ADD      EAX,BYTE +01 
016F:00406AC0  MOV      [EBP-04],EAX
016F:00406AC3  MOV      ECX,[EBP+08]==>ECX为计数器!
016F:00406AC6  ADD      ECX,[EBP-04]==>
016F:00406AC9  MOVSX    EDX,BYTE [ECX]==>逐位用户名十六进制放入EDX
016F:00406ACC  TEST    EDX,EDX==>循环完了?
016F:00406ACE  JZ      00406AD2==>完了就走人!这段是为了用户名位数(放在EAX)
016F:00406AD0  JMP      SHORT 00406ABA
016F:00406AD2  MOV      DWORD [EBP-0C],00==>[EBP-0C]清空
016F:00406AD9  MOV      EAX,[EBP+08]==>将用户名放入EAX
016F:00406ADC  MOVSX    ECX,BYTE [EAX]==>逐位取出第一位用户名的十六进制放入EAX
016F:00406ADF  IMUL    ECX,ECX,54BF==>将第一位用户名的十六进制乘以54BFH,结果放入ECX
016F:00406AE5  MOV      EDX,[EBP-0C]==>将[EBP-0C]值(开始为空,因为406AD2处的运算)放入EDX
016F:00406AE8  ADD      EDX,ECX==>相加
016F:00406AEA  MOV      [EBP-0C],EDX==>再放回去,[EBP-0C]放的上面的计算结果
016F:00406AED  MOV      EAX,[EBP+08]
016F:00406AF0  MOVSX    ECX,BYTE [EAX+01]==>取用户名第二位
016F:00406AF4  MOV      EDX,[EBP-0C]==>去得前面计算的结果放入EDX
016F:00406AF7  LEA      EAX,[EDX+ECX+00205FDF]==>EAX=EDX+ECX+205FDFH!
016F:00406AFE  MOV      [EBP-0C],EAX==>结果仍然还是放入到[EBP-0C]中去 
016F:00406B01  MOV      ECX,[EBP+08]
016F:00406B04  MOVSX    EDX,BYTE [ECX+02]                   
016F:00406B08  IMUL    EDX,EDX,5C8F
016F:00406B0E  MOV      EAX,[EBP-0C]
016F:00406B11  ADD      EAX,EDX
016F:00406B13  MOV      [EBP-0C],EAX
016F:00406B16  MOV      ECX,[EBP+08]
016F:00406B19  MOVSX    EDX,BYTE [ECX+03]
016F:00406B1D  MOV      EAX,[EBP-0C]
016F:00406B20  LEA      ECX,[EAX+EDX+00987227]
016F:00406B27  MOV      [EBP-0C],ECX
016F:00406B2A  MOV      EDX,[EBP+08]
016F:00406B2D  MOVSX    EAX,BYTE [EDX+04]
016F:00406B31  IMUL    EAX,EAX,645F
016F:00406B37  MOV      ECX,[EBP-0C]
016F:00406B3A  ADD      ECX,EAX
016F:00406B3C  MOV      [EBP-0C],ECX
016F:00406B3F  MOV      EDX,[EBP+08]
016F:00406B42  MOVSX    EAX,BYTE [EDX+05]
016F:00406B46  MOV      ECX,[EBP-0C]
016F:00406B49  LEA      EDX,[ECX+EAX+006A595F]
016F:00406B50  MOV      [EBP-0C],EDX
016F:00406B53  MOV      EAX,[EBP+08]
016F:00406B56  MOVSX    ECX,BYTE [EAX+06]
016F:00406B5A  IMUL    ECX,ECX,6C2F
016F:00406B60  MOV      EDX,[EBP-0C]
016F:00406B63  ADD      EDX,ECX
016F:00406B65  MOV      [EBP-0C],EDX
016F:00406B68  MOV      EAX,[EBP+08]
016F:00406B6B  MOVSX    ECX,BYTE [EAX+07]
016F:00406B6F  MOV      EDX,[EBP-0C]
016F:00406B72  LEA      EAX,[EDX+ECX+00140B9F]
016F:00406B79  MOV      [EBP-0C],EAX
016F:00406B7C  MOV      ECX,[EBP+08]
016F:00406B7F  MOVSX    EDX,BYTE [ECX+08]
016F:00406B83  IMUL    EDX,EDX,73FF
016F:00406B89  MOV      EAX,[EBP-0C]
016F:00406B8C  ADD      EAX,EDX
016F:00406B8E  MOV      [EBP-0C],EAX
016F:00406B91  MOV      ECX,[EBP+08]
016F:00406B94  MOVSX    EDX,BYTE [ECX+09]
016F:00406B98  IMUL    EDX,EDX,29C7
016F:00406B9E  MOV      EAX,[EBP-0C]
016F:00406BA1  ADD      EAX,EDX
016F:00406BA3  MOV      [EBP-0C],EAX
016F:00406BA6  MOV      ECX,[EBP+08]
016F:00406BA9  MOVSX    EDX,BYTE [ECX+0A]
016F:00406BAD  MOV      EAX,[EBP-0C]
016F:00406BB0  LEA      ECX,[EAX+EDX+00020A3F]
016F:00406BB7  MOV      [EBP-0C],ECX
016F:00406BBA  MOV      EDX,[EBP+08]
016F:00406BBD  MOVSX    EAX,BYTE [EDX+0B]
016F:00406BC1  IMUL    EAX,EAX,0001DF47
016F:00406BC7  MOV      ECX,[EBP-0C]
016F:00406BCA  ADD      ECX,EAX
016F:00406BCC  MOV      [EBP-0C],ECX
016F:00406BCF  MOV      EDX,[EBP+08]
016F:00406BD2  MOVSX    EAX,BYTE [EDX+0C]
016F:00406BD6  MOV      ECX,[EBP-0C]
016F:00406BD9  LEA      EDX,[ECX+EAX+0001B44F]
016F:00406BE0  MOV      [EBP-0C],EDX
016F:00406BE3  MOV      EAX,[EBP+08]
016F:00406BE6  MOVSX    ECX,BYTE [EAX+0D]
016F:00406BEA  IMUL    ECX,ECX,00018957
016F:00406BF0  MOV      EDX,[EBP-0C]
016F:00406BF3  ADD      EDX,ECX
016F:00406BF5  MOV      [EBP-0C],EDX
016F:00406BF8  MOV      EAX,[EBP+08]
016F:00406BFB  MOVSX    ECX,BYTE [EAX+0E]
016F:00406BFF  MOV      EDX,[EBP-0C]
016F:00406C02  LEA      EAX,[EDX+ECX+00030FF7]
016F:00406C09  MOV      [EBP-0C],EAX
016F:00406C0C  MOV      ECX,[EBP+08]
016F:00406C0F  MOVSX    EDX,BYTE [ECX+0F]
016F:00406C13  IMUL    EDX,EDX,000365E7
016F:00406C19  MOV      EAX,[EBP-0C]
016F:00406C1C  ADD      EAX,EDX
016F:00406C1E  MOV      [EBP-0C],EAX
016F:00406C21  MOV      ECX,[EBP+08]
016F:00406C24  MOVSX    EDX,BYTE [ECX+10]
016F:00406C28  MOV      EAX,[EBP-0C]
016F:00406C2B  LEA      ECX,[EAX+EDX+0005177F]
016F:00406C32  MOV      [EBP-0C],ECX
016F:00406C35  MOV      EDX,[EBP+08]
016F:00406C38  MOVSX    EAX,BYTE [EDX+11]
016F:00406C3C  IMUL    EAX,EAX,0006C917
016F:00406C42  MOV      ECX,[EBP-0C]
016F:00406C45  ADD      ECX,EAX
016F:00406C47  MOV      [EBP-0C],ECX
016F:00406C4A  MOV      EDX,[EBP+08]
016F:00406C4D  MOVSX    EAX,BYTE [EDX+12]
016F:00406C51  MOV      ECX,[EBP-0C]
016F:00406C54  LEA      EDX,[ECX+EAX+00087AAF]
016F:00406C5B  MOV      [EBP-0C],EDX
016F:00406C5E  MOV      EAX,[EBP+08]
016F:00406C61  MOVSX    ECX,BYTE [EAX+13]
016F:00406C65  IMUL    ECX,ECX,3039
016F:00406C6B  MOV      EDX,[EBP-0C]
016F:00406C6E  ADD      EDX,ECX
016F:00406C70  MOV      [EBP-0C],EDX
016F:00406C73  MOV      EAX,[EBP+08]
016F:00406C76  MOVSX    ECX,BYTE [EAX+14]
016F:00406C7A  IMUL    ECX,ECX,D431
016F:00406C80  MOV      EDX,[EBP-0C]
016F:00406C83  ADD      EDX,ECX
016F:00406C85  MOV      [EBP-0C],EDX
016F:00406C88  MOV      EAX,[EBP+08]
016F:00406C8B  MOVSX    ECX,BYTE [EAX+15]
016F:00406C8F  IMUL    ECX,ECX,372B
016F:00406C95  MOV      EDX,[EBP-0C]
016F:00406C98  ADD      EDX,ECX
016F:00406C9A  MOV      [EBP-0C],EDX
016F:00406C9D  MOV      EAX,[EBP+08]
016F:00406CA0  MOVSX    ECX,BYTE [EAX+16]
016F:00406CA4  IMUL    ECX,ECX,DE0D
016F:00406CAA  MOV      EDX,[EBP-0C]
016F:00406CAD  ADD      EDX,ECX
016F:00406CAF  MOV      [EBP-0C],EDX
016F:00406CB2  MOV      EAX,[EBP+08]
016F:00406CB5  MOVSX    ECX,BYTE [EAX+17]
016F:00406CB9  IMUL    ECX,ECX,00010104
016F:00406CBF  MOV      EDX,[EBP-0C]
016F:00406CC2  ADD      EDX,ECX
016F:00406CC4  MOV      [EBP-0C],EDX
016F:00406CC7  MOV      EAX,[EBP+08]
016F:00406CCA  MOVSX    ECX,BYTE [EAX+18]
016F:00406CCE  IMUL    ECX,ECX,8711
016F:00406CD4  MOV      EDX,[EBP-0C]
016F:00406CD7  ADD      EDX,ECX
016F:00406CD9  MOV      [EBP-0C],EDX
016F:00406CDC  MOV      EAX,[EBP+08]
016F:00406CDF  MOVSX    ECX,BYTE [EAX+19]
016F:00406CE3  IMUL    ECX,ECX,00010845
016F:00406CE9  MOV      EDX,[EBP-0C]
016F:00406CEC  ADD      EDX,ECX
016F:00406CEE  MOV      [EBP-0C],EDX
016F:00406CF1  MOV      EAX,[EBP+08]
016F:00406CF4  MOVSX    ECX,BYTE [EAX+1A]
016F:00406CF8  IMUL    ECX,ECX,8711
016F:00406CFE  MOV      EDX,[EBP-0C]
016F:00406D01  ADD      EDX,ECX
016F:00406D03  MOV      [EBP-0C],EDX
016F:00406D06  MOV      EAX,[EBP+08]
016F:00406D09  MOVSX    ECX,BYTE [EAX+1B]
016F:00406D0D  IMUL    ECX,ECX,FFBA
016F:00406D13  MOV      EDX,[EBP-0C]
016F:00406D16  ADD      EDX,ECX
016F:00406D18  MOV      [EBP-0C],EDX
016F:00406D1B  MOV      EAX,[EBP+08]
016F:00406D1E  MOVSX    ECX,BYTE [EAX+1C]
016F:00406D22  IMUL    ECX,ECX,000181B7
016F:00406D28  MOV      EDX,[EBP-0C]
016F:00406D2B  ADD      EDX,ECX
016F:00406D2D  MOV      [EBP-0C],EDX
016F:00406D30  MOV      EAX,[EBP+08]
016F:00406D33  MOVSX    ECX,BYTE [EAX+1D]
016F:00406D37  IMUL    ECX,ECX,85BA
016F:00406D3D  MOV      EDX,[EBP-0C]
016F:00406D40  ADD      EDX,ECX
016F:00406D42  MOV      [EBP-0C],EDX
016F:00406D45  MOV      EAX,[EBP-0C]==>将正确注册码放入EAX
016F:00406D48  CMP      EAX,[EBP+0C]==>真假注册码比较!
016F:00406D4B  JNZ      00406D58
016F:00406D4D  MOV      DWORD [EBP-0C],00
016F:00406D54  MOV      AL,01
016F:00406D56  JMP      SHORT 00406D61
016F:00406D58  MOV      DWORD [EBP-0C],00
016F:00406D5F  XOR      AL,AL
016F:00406D61  POP      EDI
016F:00406D62  POP      ESI
016F:00406D63  POP      EBX
016F:00406D64  MOV      ESP,EBP
016F:00406D66  POP      EBP 
016F:00406D67  RET      08

406B01--406D42这段进行一些跟上面(406AD9--406AFE)类似的运算,第2n+1位乘以某一个数后,与前面的计算结果(放在[EBP-0C])相加,结果在继续与下一位和某一定值相加,[EBP-0C]放着地最终计算结果就是真正的注册码!!


BTW:软件的注册信息保存在C:\WINDOWS\Srpesg.dat       

Ok,that's all!谢谢你耐心看完:)


    
    
     
    
    
展开全部

相关文章

更多+相同厂商

热门推荐

  • 最新排行
  • 最热排行
  • 评分最高
排行榜

    点击查看更多

      点击查看更多

        点击查看更多

        说两句网友评论

          我要评论...
          取消