“加密金刚锁”的前身就是“fedt for windows”,是一款专业的文件加密解密工具。它适用于windows9x/me/nt/2000/XP等操作平台。
这个软件的加密有一点过份,如果你暴破得不彻底的话,它会很不礼貌的说你的解密水平很差等等啦,我看到这些东西就他妈的反胃了,呵呵,所以破它是天经地义的啦。
工具:
trw2000
hview
w32dasm
破解:crackjack[CCG]
好,我们看看它是用什么样的保护方式,以至作者那么的嚣张。用fi245检查,发现它是用aspack V2.11加的壳,呵呵,这个壳是很温柔的,随便在网上拉一个工具下来就可以脱掉,我们今天要研究的是它的加密方法。这个软件采取动态注册的方法,如果输入的注册码不正确,注册按钮就不可用。破解这类软件一般用的中断是bpx hmemcpy。我们先输入名字(名字不少于4个字符),并输入7个注册码字符,然后切换到TRW,下断点bpx hmemcpy,再输入第八个字符,程序被中断了,如下:
:0041175B 8B4DFC
mov ecx, dword ptr [ebp-04] <====返回到这里
:0041175E 85C9
test ecx, ecx
:00411760 7408
je 0041176A
:00411762 8B45FC
mov eax, dword ptr [ebp-04]
:00411765 8B50FC
mov edx, dword ptr [eax-04] <=====取注册用户名长度
:00411768 EB02
jmp 0041176C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411760(C)
|
:0041176A 33D2
xor edx, edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411768(U)
|
:0041176C 83FA04
cmp edx, 00000004 <=====比较用户名长度,如果小于4则注册失败
:00411775 33C0
xor eax, eax
:00411777 8945F8
mov dword ptr [ebp-08], eax
:0041177A 8D55F8
lea edx, dword ptr [ebp-08]
:0041177D FF45E4
inc [ebp-1C]
:00411780 8B83EC020000 mov eax, dword
ptr [ebx+000002EC]
:00411786 E839B70400 call 0045CEC4
:0041178B 8B4DF8
mov ecx, dword ptr [ebp-08]
:0041178E 85C9
test ecx, ecx
:00411790 7408
je 0041179A
:00411792 8B45F8
mov eax, dword ptr [ebp-08]
:00411795 8B50FC
mov edx, dword ptr [eax-04] <====取注册码长度
:00411798 EB02
jmp 0041179C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411790(C)
|
:0041179A 33D2
xor edx, edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411798(U)
|
:0041179C 83FA08
cmp edx, 00000008 <====比较注册码长度,如果小于8则注册失败
然后按f10,来到下面的地方:
:004117D8 33C0
xor eax, eax
:004117DA 8D4DEC
lea ecx, dword ptr [ebp-14]
:004117DD 8B12
mov edx, dword ptr [edx]
:004117DF 8945EC
mov dword ptr [ebp-14], eax
:004117E2 A1446E4C00 mov eax,
dword ptr [004C6E44]
:004117E7 FF45E4
inc [ebp-1C]
:004117EA 8B00
mov eax, dword ptr [eax]
:004117EC E8EFBDFFFF call 0040D5E0
<=====注册算法
:004117F1 8D55EC
lea edx, dword ptr [ebp-14] <====真正的注册码地址
:004117F4 33C9
xor ecx, ecx
:004117F6 52
push edx
:004117F7 894DF4
mov dword ptr [ebp-0C], ecx
:0041176F 0F8CDD000000 jl 00411852
好,我们追进4117ec的CALL,看它的注册算法是怎么样的:
程序将用户名和机器码连接在一起做为注册码的运算常数,如用户名是linjie,机器码是3CG5A3D8,则运算码为linjie3CG5A3D8(0),注意,还要在运算码最后加一个0H
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D69A(U)
|
:0040D6A1 021C01
add bl, byte ptr [ecx+eax] <=====累加运算码,取结果的一个字节(total)
:0040D6A4 40
inc eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D68E(U)
|
:0040D6A5 8B55F8
mov edx, dword ptr [ebp-08]
:0040D6A8 85D2
test edx, edx
:0040D6AA 7408
je 0040D6B4
:0040D6AC 8B55F8
mov edx, dword ptr [ebp-08]
:0040D6AF 8B4AFC
mov ecx, dword ptr [edx-04]
:0040D6B2 EB02
jmp 0040D6B6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D6AA(C)
|
:0040D6B4 33C9
xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D6B2(U)
|
:0040D6B6 3BC1
cmp eax, ecx
:0040D6B8 7CD6
jl 0040D690
:0040D6BA 8B45F8
mov eax, dword ptr [ebp-08] <====取运算码地址
。
。
。
:0040D6CB 8B45A4
mov eax, dword ptr [ebp-5C] <====取运算码地址
:0040D6CE 8A0C02
mov cl, byte ptr [edx+eax] <====取运算码第N位
:0040D6D1 8BC6
mov eax, esi <====运算码的位置
:0040D6D3 02C8
add cl, al
<====cl=运算码ASCII值+运算码位置(fx1)
:0040D6D5 8BD6
mov edx, esi <====运算码位置
:0040D6D7 02DA
add bl, dl
<====累加总数(total)+运算码位置(fx2)
:0040D6D9 32CB
xor cl, bl
<=====cl(fx)=fx1 xor fx2
:0040D6DB 8B45F8
mov eax, dword ptr [ebp-08]
:0040D6DE 85C0
test eax, eax
:0040D6E0 7408
je 0040D6EA
:0040D6E2 8B55F8
mov edx, dword ptr [ebp-08]
:0040D6E5 8B42FC
mov eax, dword ptr [edx-04]
:0040D6E8 EB02
jmp 0040D6EC
.
.
.
:0040D702 8A0402
mov al, byte ptr [edx+eax] <====取运算码的最后一位
:0040D705 8BD6
mov edx, esi <=====要计算的注册码位置regcode(第一位注册码是0,第二位是1,其它的类推)
:0040D707 02C2
add al, dl <=====运算码+运算码位置
:0040D709 8BD6
mov edx, esi
:0040D70B 0FAFD6
imul edx, esi <=====regcode*regcode
:0040D70E 02C2
add al, dl <=====(运算码+运算码位置)+(regcode*regcode)
:0040D710 8B55A0
mov edx, dword ptr [ebp-60] <=====循环变量
:0040D713 0FAF55A0 imul
edx, dword ptr [ebp-60] <=====循环变量*循环变量
:0040D717 2AC2
sub al, dl <=====相减(fy)
:0040D719 8B55F8
mov edx, dword ptr [ebp-08]
:0040D71C 85D2
test edx, edx
:0040D71E 7408
je 0040D728
:0040D720 8B55F8
mov edx, dword ptr [ebp-08]
:0040D723 8B52FC
mov edx, dword ptr [edx-04]
:0040D726 EB02
jmp 0040D72A
.
.
.
:0040D72A 66C745C82000 mov [ebp-38],
0020
:0040D730 2AC2
sub al, dl <====fy-0E(运算码长度)
:0040D732 8D55F0
lea edx, dword ptr [ebp-10]
:0040D735 32C8
xor cl, al <====fx xor (fy-0E)结果作为第一个注册码运算函数的参数
:0040D737 33C0
xor eax, eax
:0040D739 8945F0
mov dword ptr [ebp-10], eax
:0040D73C 8BD9
mov ebx, ecx
:0040D73E FF45D4
inc [ebp-2C]
:0040D741 8B45B4
mov eax, dword ptr [ebp-4C]
:0040D744 E887FCFFFF call 0040D3D0
:0040D749 8B4DF0
mov ecx, dword ptr [ebp-10]
:0040D74C 85C9
test ecx, ecx
:0040D74E 7405
je 0040D755
:0040D750 8B4DF0
mov ecx, dword ptr [ebp-10]
:0040D753 EB05
jmp 0040D75A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D74E(C)
|
:0040D755 B90A7F4B00 mov ecx,
004B7F0A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D753(U)
|
:0040D75A 8BD3
mov edx, ebx
:0040D75C 8B45B4
mov eax, dword ptr [ebp-4C]
:0040D75F E81CE0FFFF call 0040B780
<====第一个注册码运算函数
(未完待续)
:0040D764 8B55A0
mov edx, dword ptr [ebp-60]
- 标 题:加密金刚锁V3.00注册算法----(上集) (7千字)
- 作 者:crackjack[CCG]
- 时 间:2001-11-9 1:42:39
- 链 接:http://bbs.pediy.com