• Title: Urgent! Urgent!! Urgent!!! How do you crack roundclock 3.00 beta4?
  • Author: guest
  • Date: 2000-12-9 3:03:46
  • Link: http://bbs.pediy.com

Download URL: http://www.fkware.com  The software is quite good:
RoundClock is not just another clock for Windows, it is a real round clock with
analog display. RoundClock is highly configurable and has extended alarm capabilities. 
Fill in any registration name and registration code; the software stores the registration information in:

HKEY_CURRENT_USER\Software\fkWare\Registrations\RoundClock
under UserName="******" and RegCode="@@@@@@@".
After setting a breakpoint on regqueryvalueexa I can find the value of RegCode in memory, but after a bpm on that value I am immediately lost in a vast sea of assembly and cannot find the key comparison. With w32dsm893 I also cannot find the key registration-error dialog "Sorry, but the name or the code you've......". Setting bpx messageboxa, bpx getwindowtexta, bpx dialogboxparama, bpx getdlgitemtexta, bpx getmessagea and so on, none of them intercept that window, and window catchers such as lockmytask and BMSG cannot trace it either; but with exescope6.0 I can find that dialog at String--1882--30102, and I don't know how it was made.
After searching and searching, I finally found that if I set bpx findatoma before running roundclock (does anyone know what findatoma means?) and then run roundclock, it breaks at that breakpoint:

* Reference To: kernel32.FindAtomA, Ord:0000h
                                  |
:004233E1 E8A212FEFF              Call 00404688
:004233E6 6685C0                  test ax, ax    ***(change ax from 0 to 1)
:004233E9 0F9545F7                setne byte ptr [ebp-09]
:004233ED 8B45FC                  mov eax, dword ptr [ebp-04]
:004233F0 C6407200                mov [eax+72], 00
:004233F4 807DF700                cmp byte ptr [ebp-09], 00
:004233F8 7516                    jne 00423410

After the change, when the program finishes starting a clock icon appears on the screen; right-click the icon and it breaks immediately:

* Reference To: kernel32.FindAtomA, Ord:0000h
                                  |
:004224BF E8C421FEFF              Call 00404688
:004224C4 6685C0                  test ax, ax    ***(change ax from 0 to 1)
:004224C7 0F9545E7                setne byte ptr [ebp-19]
:004224CB 807DFB00                cmp byte ptr [ebp-05], 00
:004224CF 744E                    je 0042251F

After changing it as above, moving the mouse to Help shows that the Register now... and Enter registration code... items are gone;
clicking the About RoundClock... item breaks again:

* Reference To: kernel32.FindAtomA, Ord:0000h
                                  |
:0040EEE2 E8A157FFFF              Call 00404688
:0040EEE7 6685C0                  test ax, ax    ***(change ax from 0 to 1)
:0040EEEA 0F95C0                  setne al
:0040EEED 8B55FC                  mov edx, dword ptr [ebp-04]
:0040EEF0 888295000000            mov byte ptr [edx+00000095], al

After the change, press F5 to run, and it is registered!

By rights, patching the program directly should register it easily, but after patching it my machine blue-screens! Infuriating!
I am using a P100 with 40M EDO and TRW2K 1.22 (registered version), which is always unstable: after CTRL+N the hard disk thrashes for several minutes before TRW comes up, sometimes it even hangs, and once TRW is resident in memory the keyboard locks up and I can no longer type the NAME OR CODE. Does anyone know what is going on? Also, why is there still no new version of TRW2K? What has LTT gone off to do?

Finally, here is a correct registration code for everyone to trace with:

UserName=Licensed User
RegCode=7307C46F982C27E9EF03

This little program has quite a bit of anti-cracker tricks in it.

        1) It will halt your computer if SoftICE is running. SoftICE is
            detected using CreateFileA on SICE and NTICE. This is an old
            (standard) method of detecting SoftICE and is easily defeated
            by watching that API call. Furthermore, to prevent simple hex
            edits of these strings, the author encrypted them.
        2) It will crash your computer if it detects that it has been
            patched.
        3) The registration checking is very lengthy and difficult to
            pin down. This took the most time, after I discovered the
            other 2 problems.
           
        Protection: 5 of 10/Reg. Code, Anti-ICE, Anti-Patch/Registry

Can anyone find the registration code of their choice?

  • Title: Somewhat novel
  • Author: blowfish
  • Date: 2000-12-9 17:02:20

As you said earlier, if FindAtomA( ) returns a non-zero value, registration succeeds.

:0040F06D 80B89500000000          cmp byte ptr [eax+00000095], 00    //return value of FindAtomA
:0040F074 744F                    je 0040F0C5

* Possible Reference to String Resource ID=30111: "This copy of $PROGNAME
is licensed to:"
                                  |
:0040F076 B99F750000              mov ecx, 0000759F

.........................................................

* Possible Reference to Dialog: DialogID_7918, CONTROL_ID:791E, "Thank you for your registration!"
                                  |
:0040F0AF C745BC1E790000          mov [ebp-44], 0000791E
:0040F0B6 8D55BC                  lea edx, dword ptr [ebp-44]
:0040F0B9 33C9                    xor ecx, ecx
:0040F0BB 8B45FC                  mov eax, dword ptr [ebp-04]
:0040F0BE E8DD9EFFFF              call 00408FA0
:0040F0C3 EB56                    jmp 0040F11B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F074(C)
|

* Possible Reference to String Resource ID=30112: "This is an UNREGISTERED copy of $PROGNAME!"
                                  |
:0040F0C5 B9A0750000              mov ecx, 000075A0

Look at the parameter passed to FindAtomA( ): it is trying to find an atom whose value is "sdf". This means that if the registration code is correct, the program adds an atom with the value "sdf" to the atom table and uses it as the registered flag. We will see this below.

1. At startup, add RegCode to the atom table:

:004143B7 803D3C69420000          cmp byte ptr [0042693C], 00
:004143BE 7410                    je 004143D0
:004143C0 683C694200              push 0042693C

* Reference To: kernel32.AddAtomA, Ord:0000h
                                  |
:004143C5 E87E02FFFF              Call 00404648
:004143CA 66A35E694200            mov word ptr [0042695E], ax

2. At startup, add UserName to the atom table:

:0042402D 83787400                cmp dword ptr [eax+74], 00000000
:00424031 7428                    je 0042405B
:00424033 8B45F4                  mov eax, dword ptr [ebp-0C]
:00424036 8B4074                  mov eax, dword ptr [eax+74]
:00424039 50                      push eax

* Reference To: kernel32.AddAtomA, Ord:0000h
                                  |
:0042403A E80906FEFF              Call 00404648
:0042403F 8B1570564200            mov edx, dword ptr [00425670]
:00424045 668902                  mov word ptr [edx], ax

3. Fetch UserName from the atom table:

:004228F3 A170564200              mov eax, dword ptr [00425670]
:004228F8 668B00                  mov ax, word ptr [eax]
:004228FB 50                      push eax

* Reference To: kernel32.GetAtomNameA, Ord:0000h
                                  |
:004228FC E89F1DFEFF              Call 004046A0

4. Compute the registration code from the UserName fetched from the atom table. Copy the code below, modify it slightly, and you can write a keygen. The long-absent TSecHash algorithm shows up here again :)

* Referenced by a CALL at Address:
|:00422912 
|
:00407FAC 55                      push ebp
:00407FAD 8BEC                    mov ebp, esp
:00407FAF 81C418FFFFFF            add esp, FFFFFF18
:00407FB5 894DF4                  mov dword ptr [ebp-0C], ecx
:00407FB8 8955F8                  mov dword ptr [ebp-08], edx
:00407FBB 8945FC                  mov dword ptr [ebp-04], eax
:00407FBE BAD4804000              mov edx, 004080D4
:00407FC3 8D856BFFFFFF            lea eax, dword ptr [ebp+FFFFFF6B]
:00407FC9 E812CEFFFF              call 00404DE0
:00407FCE 8D856BFFFFFF            lea eax, dword ptr [ebp+FFFFFF6B]
:00407FD4 8B55FC                  mov edx, dword ptr [ebp-04]
:00407FD7 E860CEFFFF              call 00404E3C
:00407FDC BAD8804000              mov edx, 004080D8
:00407FE1 8D856BFFFFFF            lea eax, dword ptr [ebp+FFFFFF6B]
:00407FE7 E850CEFFFF              call 00404E3C
:00407FEC 8D856BFFFFFF            lea eax, dword ptr [ebp+FFFFFF6B]
:00407FF2 E821D2FFFF              call 00405218
:00407FF7 B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"TSecHash岪"
                                  |
:00407FF9 A134784000              mov eax, dword ptr [00407834]
:00407FFE E87DA8FFFF              call 00402880
:00408003 8945F0                  mov dword ptr [ebp-10], eax
:00408006 8D8518FFFFFF            lea eax, dword ptr [ebp+FFFFFF18]
:0040800C 50                      push eax
:0040800D 8B45F8                  mov eax, dword ptr [ebp-08]
:00408010 E837CFFFFF              call 00404F4C
:00408015 8BC8                    mov ecx, eax
:00408017 8B55F8                  mov edx, dword ptr [ebp-08]
:0040801A 8B45F0                  mov eax, dword ptr [ebp-10]
:0040801D E86AFCFFFF              call 00407C8C
:00408022 8D8D43FFFFFF            lea ecx, dword ptr [ebp+FFFFFF43]
:00408028 8D9518FFFFFF            lea edx, dword ptr [ebp+FFFFFF18]
:0040802E 8B45F0                  mov eax, dword ptr [ebp-10]
:00408031 E8CEFEFFFF              call 00407F04
:00408036 8B45F0                  mov eax, dword ptr [ebp-10]
:00408039 E8AAA8FFFF              call 004028E8
:0040803E B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"TSecHash岪"
                                  |
:00408040 A134784000              mov eax, dword ptr [00407834]
:00408045 E836A8FFFF              call 00402880
:0040804A 8945F0                  mov dword ptr [ebp-10], eax
:0040804D 8D852CFFFFFF            lea eax, dword ptr [ebp+FFFFFF2C]
:00408053 50                      push eax
:00408054 8D856BFFFFFF            lea eax, dword ptr [ebp+FFFFFF6B]
:0040805A E8EDCEFFFF              call 00404F4C
:0040805F 8BC8                    mov ecx, eax
:00408061 8D956BFFFFFF            lea edx, dword ptr [ebp+FFFFFF6B]
:00408067 8B45F0                  mov eax, dword ptr [ebp-10]
:0040806A E81DFCFFFF              call 00407C8C
:0040806F 8D8D57FFFFFF            lea ecx, dword ptr [ebp+FFFFFF57]
:00408075 8D952CFFFFFF            lea edx, dword ptr [ebp+FFFFFF2C]
:0040807B 8B45F0                  mov eax, dword ptr [ebp-10]
:0040807E E881FEFFFF              call 00407F04
:00408083 8B45F0                  mov eax, dword ptr [ebp-10]
:00408086 E85DA8FFFF              call 004028E8
:0040808B 33C0                    xor eax, eax
:0040808D 8945EC                  mov dword ptr [ebp-14], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004080CE(C)
|
:00408090 8B45EC                  mov eax, dword ptr [ebp-14]
:00408093 0FB6840557FFFFFF        movzx eax, byte ptr [ebp+eax-000000A9]
:0040809B 8B55EC                  mov edx, dword ptr [ebp-14]
:0040809E 03D2                    add edx, edx
:004080A0 0FB6941557FFFFFF        movzx edx, byte ptr [ebp+edx-000000A9]
:004080A8 03C2                    add eax, edx
:004080AA 8B55EC                  mov edx, dword ptr [ebp-14]
:004080AD 03D2                    add edx, edx
:004080AF 0FB6941543FFFFFF        movzx edx, byte ptr [ebp+edx-000000BD]
:004080B7 03C2                    add eax, edx
:004080B9 25FF000000              and eax, 000000FF
:004080BE 8B55F4                  mov edx, dword ptr [ebp-0C]
:004080C1 8B4DEC                  mov ecx, dword ptr [ebp-14]
:004080C4 88040A                  mov byte ptr [edx+ecx], al        //store the generated registration code
:004080C7 FF45EC                  inc [ebp-14]
:004080CA 837DEC0A                cmp dword ptr [ebp-14], 0000000A  //the registration code is 20 characters (10 bytes)
:004080CE 75C0                    jne 00408090
:004080D0 8BE5                    mov esp, ebp
:004080D2 5D                      pop ebp
:004080D3 C3                      ret

5. Fetch the fake RegCode we entered from the atom table:

:00422778 8D4597                  lea eax, dword ptr [ebp-69]
:0042277B 50                      push eax
:0042277C A1A4564200              mov eax, dword ptr [004256A4]
:00422781 668B00                  mov ax, word ptr [eax]
:00422784 50                      push eax

* Reference To: kernel32.GetAtomNameA, Ord:0000h
                                  |
:00422785 E8161FFEFF              Call 004046A0

6. Convert every two characters of the fake RegCode into one byte:

* Referenced by a CALL at Address:
|:004227DF 
|
:004080DC 55                      push ebp
:004080DD 8BEC                    mov ebp, esp
:004080DF 83C4EC                  add esp, FFFFFFEC
:004080E2 8955F8                  mov dword ptr [ebp-08], edx
:004080E5 8945FC                  mov dword ptr [ebp-04], eax
:004080E8 33C0                    xor eax, eax
:004080EA 8945F0                  mov dword ptr [ebp-10], eax
:004080ED C645EF00                mov [ebp-11], 00
:004080F1 33C0                    xor eax, eax
:004080F3 8945F4                  mov dword ptr [ebp-0C], eax
:004080F6 8B45F8                  mov eax, dword ptr [ebp-08]
:004080F9 33C9                    xor ecx, ecx
                                  |
:004080FB BA0A000000              mov edx, 0000000A            //10 bytes
:00408100 E827A5FFFF              call 0040262C
:00408105 C645ED01                mov [ebp-13], 01
:00408109 EB66                    jmp 00408171

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040817C(C)
|
:0040810B 8B45F4                  mov eax, dword ptr [ebp-0C]
:0040810E 8B55FC                  mov edx, dword ptr [ebp-04]
:00408111 803C022D                cmp byte ptr [edx+eax], 2D
:00408115 7457                    je 0040816E
:00408117 8B45F4                  mov eax, dword ptr [ebp-0C]
:0040811A 8B55FC                  mov edx, dword ptr [ebp-04]
:0040811D 803C0239                cmp byte ptr [edx+eax], 39
:00408121 7710                    ja 00408133
:00408123 8B45F4                  mov eax, dword ptr [ebp-0C]
:00408126 8B55FC                  mov edx, dword ptr [ebp-04]
:00408129 8A0402                  mov al, byte ptr [edx+eax]
:0040812C 2C30                    sub al, 30
:0040812E 8845EE                  mov byte ptr [ebp-12], al
:00408131 EB10                    jmp 00408143

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408121(C)
|
:00408133 8B45F4                  mov eax, dword ptr [ebp-0C]
:00408136 8B55FC                  mov edx, dword ptr [ebp-04]
:00408139 8A0402                  mov al, byte ptr [edx+eax]
:0040813C 2C41                    sub al, 41
:0040813E 0408                    add al, 08
:00408140 8845EE                  mov byte ptr [ebp-12], al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408131(U)
|
:00408143 807DED00                cmp byte ptr [ebp-13], 00
:00408147 740C                    je 00408155
:00408149 8A45EE                  mov al, byte ptr [ebp-12]
:0040814C 8845EF                  mov byte ptr [ebp-11], al
:0040814F C645ED00                mov [ebp-13], 00
:00408153 EB19                    jmp 0040816E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408147(C)
|
:00408155 8B45F8                  mov eax, dword ptr [ebp-08]
:00408158 8B55F0                  mov edx, dword ptr [ebp-10]
:0040815B 8A4DEE                  mov cl, byte ptr [ebp-12]
:0040815E C1E104                  shl ecx, 04
:00408161 024DEF                  add cl, byte ptr [ebp-11]
:00408164 880C10                  mov byte ptr [eax+edx], cl      //store the conversion result
:00408167 FF45F0                  inc [ebp-10]
:0040816A C645ED01                mov [ebp-13], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00408115(C), :00408153(U)
|
:0040816E FF45F4                  inc [ebp-0C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408109(U)
|
:00408171 8B45FC                  mov eax, dword ptr [ebp-04]
:00408174 E8D3CDFFFF              call 00404F4C
:00408179 3B45F4                  cmp eax, dword ptr [ebp-0C]
:0040817C 778D                    ja 0040810B                    //loop
:0040817E 8BE5                    mov esp, ebp
:00408180 5D                      pop ebp
:00408181 C3                      ret

7. Compare the real and the fake RegCode:

:004227E4 33C0                    xor eax, eax
:004227E6 8945F0                  mov dword ptr [ebp-10], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042280F(C)
|
:004227E9 8B45F0                  mov eax, dword ptr [ebp-10]
:004227EC 8A4405C9                mov al, byte ptr [ebp+eax-37]
:004227F0 8B55F0                  mov edx, dword ptr [ebp-10]
:004227F3 8B4DFC                  mov ecx, dword ptr [ebp-04]
:004227F6 3A441168                cmp al, byte ptr [ecx+edx+68]  //compare one byte
:004227FA 7506                    jne 00422802
:004227FC C645DF01                mov [ebp-21], 01                //good guy
:00422800 EB06                    jmp 00422808

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004227FA(C)
|
:00422802 C645DF00                mov [ebp-21], 00                //bad guy
:00422806 EB09                    jmp 00422811

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422800(U)
|
:00422808 FF45F0                  inc [ebp-10]
:0042280B 837DF00A                cmp dword ptr [ebp-10], 0000000A //loop, comparing 10 bytes
:0042280F 75D8                    jne 004227E9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422806(U)
|
:00422811 8B45FC                  mov eax, dword ptr [ebp-04]
:00422814 C6407300                mov [eax+73], 00
:00422818 8B45FC                  mov eax, dword ptr [ebp-04]
:0042281B C6407201                mov [eax+72], 01
:0042281F 807DDF00                cmp byte ptr [ebp-21], 00      //bad guy?
:00422823 740A                    je 0042282F

* Possible StringData Ref from Code Obj ->"sdf"
                                  |
:00422825 686C284200              push 0042286C                  //the registered-or-not flag!

* Reference To: kernel32.AddAtomA, Ord:0000h
                                  |
:0042282A E8191EFEFF              Call 00404648

So the key breakpoint is GetAtomNameA( ).

BF
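To make steps 6 and 7 of blowfish's listing easier to check, here is an added Python model of the routine at 004080DC (packing the typed code into ten bytes) and of the byte-compare loop at 004227E9. It is my transcription for this thread, not code from the original post or from RoundClock; the function names are mine, the ten-byte buffer and the skipping of "-" come straight from the listing, and the one assumption is that the call at 00404F4C returns the string length (blowfish's comment only marks that line as the loop test). It reproduces the mapping exactly as disassembled, including two details that are easy to misread: a letter maps to c - 'A' + 8 (so 'A' becomes 8, not 10), and the second character of each pair supplies the high nibble. The hash of step 4 that produces the expected bytes is not modelled.

```python
# Added reference model (not RoundClock's code, not from the thread): a Python
# transcription of the step 6 decode routine and the step 7 compare loop.
REGCODE_BYTES = 10  # mov edx, 0000000A: the decode buffer is zero-filled to 10 bytes


def char_to_nibble(c: str) -> int:
    """Mirror of 0040811D..00408140.

    Any character above '9' (unsigned compare, 'ja') is mapped to c - 'A' + 8,
    everything else to c - '0'.  The listing validates nothing, so this model
    does not either: lowercase letters or punctuation simply yield odd values.
    As disassembled, 'A' maps to 8, not 10.
    """
    if c > "9":
        return (ord(c) - 0x41 + 8) & 0xFF
    return (ord(c) - 0x30) & 0xFF


def decode_regcode(text: str) -> bytes:
    """Mirror of the routine at 004080DC: pack the typed code into 10 bytes.

    '-' characters are skipped (cmp ..., 2D / je).  Characters are consumed in
    pairs: the first of a pair is parked in [ebp-11]; when the second arrives
    the stored byte is (second << 4) + first, so the SECOND character is the
    high nibble.  Assumption: call 00404F4C returns the string length, so the
    loop visits every character once.
    """
    out = bytearray(REGCODE_BYTES)
    out_idx = 0
    first_nibble = 0
    expecting_first = True  # [ebp-13] starts at 01
    for c in text:
        if c == "-":
            continue
        nib = char_to_nibble(c)
        if expecting_first:
            first_nibble = nib
            expecting_first = False
            continue
        if out_idx >= REGCODE_BYTES:
            # The listing's loop test covers only the input index
            # (cmp eax, [ebp-0C]); the model refuses instead of imitating a
            # store beyond the 10-byte buffer.
            raise ValueError("more than 20 hex characters in registration code")
        out[out_idx] = ((nib << 4) + first_nibble) & 0xFF
        out_idx += 1
        expecting_first = True
    return bytes(out)


def compare_regcode(expected: bytes, entered: bytes) -> bool:
    """Mirror of the loop at 004227E9: byte-wise compare of 10 bytes.

    The flag at [ebp-21] becomes 1 after each matching byte and 0 on the
    first mismatch, at which point the loop is left immediately.
    """
    flag = False
    for i in range(REGCODE_BYTES):
        if expected[i] != entered[i]:
            return False
        flag = True
    return flag


def registration_ok(expected: bytes, entered: str) -> bool:
    """Would the check at 0042281F go on to push the "sdf" atom?

    `expected` is the 10-byte code the program derives from the user name in
    step 4 (the TSecHash part, not modelled here); `entered` is the typed code.
    """
    return compare_regcode(expected, decode_regcode(entered))


if __name__ == "__main__":
    # The valid code from the first post, decoded the way the binary decodes it.
    print(decode_regcode("7307C46F982C27E9EF03").hex().upper())  # 37704AD689A2729CDC30
```

Decoding the code from the first post gives 37 70 4A D6 89 A2 72 9C DC 30, which is the byte string the compare at 004227F6 actually sees. For anyone maintaining a check like this, the model also makes visible what the listing only implies: every character is accepted, separators are silently dropped, and the loop bound is taken from the input string rather than from the output buffer.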