(1) Cracker: mwd[DFCG]
(2) Goal: work out the algorithm and write a keygen.
(3) Practice target: **精灵 V2.0
(4) Difficulty: easy; the real code is visible in the clear (a plaintext compare).
(5) Download: http://www.skycn.com/soft/8146.html
(6) Tools: OllyDbg, W32Dasm, PEiD, pe-scan.
(7) Getting started: PEiD reports the program is packed with ASPack 2.12 -> Alexey Solodovnikov; unpack it with pe-scan, load the unpacked file into W32Dasm to locate the relevant string references, then load it into OllyDbg and proceed as follows. Enter the registration details: name DFCG, code 121212.
================================================================================
:004EAF2F E86897F5FF   call 0044469C                 ; set the breakpoint here
:004EAF34 8B45FC       mov eax, dword ptr [ebp-04]   ; fake code -> EAX
:004EAF37 E8909AF1FF   call 004049CC
:004EAF3C 85C0         test eax, eax                 ; is the registration code empty?
:004EAF3E 741E         je 004EAF5E                   ; not empty, continue
:004EAF40 8BC3         mov eax, ebx
:004EAF42 E8C5FCFFFF   call 004EAC0C                 ; key CALL, step into it here
:004EAF47 84C0         test al, al                   ; test for 0 or 1
:004EAF49 7409         je 004EAF54                   ; jumps if 0; it must not jump
:004EAF4B 8BC3         mov eax, ebx
:004EAF4D E896FAFFFF   call 004EA9E8
:004EAF52 EB0A         jmp 004EAF5E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004EAF49(C)
|
* Possible StringData Ref from Data Obj ->"注册码错误,请与作者联系!"
  (the string reads: "Registration code incorrect, please contact the author!")
********************************************************************************
Key CALL, stepping in: F8 down to the following:
004EAC31  E8 669AF5FF    CALL 1.0044469C
004EAC36  8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]   ; fake code -> EAX
004EAC39  50             PUSH EAX                       ; push it
004EAC3A  8D55 F4        LEA EDX,DWORD PTR SS:[EBP-C]
004EAC3D  8B86 FC020000  MOV EAX,DWORD PTR DS:[ESI+2FC]
004EAC43  E8 549AF5FF    CALL 1.0044469C
004EAC48  8B55 F4        MOV EDX,DWORD PTR SS:[EBP-C]   ; registration name -> EDX
004EAC4B  8D4D F8        LEA ECX,DWORD PTR SS:[EBP-8]
004EAC50  E8 C3000000    CALL 1.004EAD18                ; algorithm CALL, step into it
004EAC55  8B55 F8        MOV EDX,DWORD PTR SS:[EBP-8]   ; real code -> EDX
004EAC58  58             POP EAX                        ; pop the fake code
004EAC59  E8 B29EF1FF    CALL 1.00404B10                ; compare
004EAC5E  75 3A          JNZ SHORT 1.004EAC9A           ; not equal, game over~!!!!
********************************************************************************
Algorithm CALL, stepping in:
004EAD18  55             PUSH EBP
004EAD19  8BEC           MOV EBP,ESP
004EAD1B  51             PUSH ECX
004EAD1C  B9 04000000    MOV ECX,4                         ; ECX = 4
004EAD21  6A 00          PUSH 0
004EAD23  6A 00          PUSH 0
004EAD25  49             DEC ECX                           ; decrement
004EAD26  ^75 F9         JNZ SHORT 1.004EAD21              ; loop until ECX is 0
004EAD28  51             PUSH ECX                          ; push
004EAD29  874D FC        XCHG DWORD PTR SS:[EBP-4],ECX     ; swap
004EAD2C  53             PUSH EBX
004EAD2D  56             PUSH ESI
004EAD2E  57             PUSH EDI
004EAD2F  8BF9           MOV EDI,ECX                       ; swapped value -> EDI
004EAD31  8955 FC        MOV DWORD PTR SS:[EBP-4],EDX      ; registration name -> [EBP-4]
004EAD34  8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]      ; and on into EAX
004EAD37  E8 789EF1FF    CALL 1.00404BB4
004EAD3C  33C0           XOR EAX,EAX                       ; clear EAX
004EAD3E  55             PUSH EBP
004EAD3F  68 D9AE4E00    PUSH 1.004EAED9
004EAD44  64:FF30        PUSH DWORD PTR FS:[EAX]
004EAD47  64:8920        MOV DWORD PTR FS:[EAX],ESP
004EAD4A  8BC7           MOV EAX,EDI
004EAD4C  E8 C399F1FF    CALL 1.00404714
004EAD51  8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]      ; registration name -> EAX
004EAD54  E8 739CF1FF    CALL 1.004049CC
004EAD59  8BF0           MOV ESI,EAX                       ; counter: ESI = length of the name
004EAD5B  85F6           TEST ESI,ESI                      ; test for 0 or 1
004EAD5D  7E 26          JLE SHORT 1.004EAD85              ; continue
004EAD5F  BB 01000000    MOV EBX,1                         ; EBX = 1
004EAD64  8D4D EC        LEA ECX,DWORD PTR SS:[EBP-14]
004EAD67  8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]      ; registration name -> EAX
004EAD6A  0FB64418 FF    MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] ; fetch the name's characters one at a time:
                                                           ; 1st: 44 (D), 2nd: 46 (F), 3rd: 43 (C), 4th: 47 (G)
004EAD6F  33D2           XOR EDX,EDX                       ; clear EDX
004EAD71  E8 3AE4F1FF    CALL 1.004091B0
004EAD76  8B55 EC        MOV EDX,DWORD PTR SS:[EBP-14]     ; hex text of the fetched character -> EDX
004EAD79  8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]
004EAD7C  E8 539CF1FF    CALL 1.004049D4
004EAD81  43             INC EBX                           ; +1
004EAD82  4E             DEC ESI                           ; -1
004EAD83  ^75 DF         JNZ SHORT 1.004EAD64              ; loop back up until 0
004EAD85  8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]      ; hex name (44464347) -> EAX
004EAD88  E8 3F9CF1FF    CALL 1.004049CC
004EAD8D  8BF0           MOV ESI,EAX                       ; ESI = length of the hex name (44464347) = 8
004EAD8F  85F6           TEST ESI,ESI                      ; test for 0 or 1
004EAD91  7E 2C          JLE SHORT 1.004EADBF              ; continue
004EAD93  BB 01000000    MOV EBX,1                         ; EBX = 1
004EAD98  8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]      ; 6D7764 -> EAX
004EAD9B  E8 2C9CF1FF    CALL 1.004049CC
004EADA0  2BC3           SUB EAX,EBX                       ; EAX = EAX - EBX
004EADA2  8B55 F8        MOV EDX,DWORD PTR SS:[EBP-8]      ; 44464347 -> EDX
004EADA5  8A1402         MOV DL,BYTE PTR DS:[EDX+EAX]      ; take the characters of 44464347 from the end into DL
004EADA8  8D45 E8        LEA EAX,DWORD PTR SS:[EBP-18]
004EADAB  E8 449BF1FF    CALL 1.004048F4
004EADB0  8B55 E8        MOV EDX,DWORD PTR SS:[EBP-18]
004EADB3  8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
004EADB6  E8 199CF1FF    CALL 1.004049D4
004EADBB  43             INC EBX                           ; +1
004EADBC  4E             DEC ESI                           ; -1
004EADBD  ^75 D9         JNZ SHORT 1.004EAD98              ; loop back up until 0
004EADBF  8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]
004EADC2  50             PUSH EAX
004EADC3  B9 04000000    MOV ECX,4                         ; ECX = 4
004EADC8  BA 01000000    MOV EDX,1                         ; EDX = 1
004EADCD  8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]      ; reversed value 74346444 -> EAX
004EADD0  E8 4F9EF1FF    CALL 1.00404C24
004EADD5  8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
004EADD8  50             PUSH EAX
004EADD9  B9 04000000    MOV ECX,4                         ; ECX = 4
004EADDE  BA 05000000    MOV EDX,5                         ; EDX = 5
004EADE3  8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]      ; 74346444 -> EAX
004EADE6  E8 399EF1FF    CALL 1.00404C24
004EADEB  8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]      ; first four characters 7434 -> EAX
004EADEE  E8 D99BF1FF    CALL 1.004049CC
004EADF3  83F8 04        CMP EAX,4                         ; is the length 4?
004EADF6  7D 2F          JGE SHORT 1.004EAE27              ; jump if so
004EADF8  8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]
004EADFB  E8 CC9BF1FF    CALL 1.004049CC
004EAE00  8BD8           MOV EBX,EAX
004EAE02  83FB 03        CMP EBX,3
004EAE05  7F 20          JG SHORT 1.004EAE27
004EAE07  8D4D E4        LEA ECX,DWORD PTR SS:[EBP-1C]
004EAE0A  8BC3           MOV EAX,EBX
004EAE0C  C1E0 02        SHL EAX,2
004EAE0F  33D2           XOR EDX,EDX
004EAE11  E8 9AE3F1FF    CALL 1.004091B0
004EAE16  8B55 E4        MOV EDX,DWORD PTR SS:[EBP-1C]
004EAE19  8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]
004EAE1C  E8 B39BF1FF    CALL 1.004049D4
004EAE21  43             INC EBX
004EAE22  83FB 04        CMP EBX,4
004EAE25  ^75 E0         JNZ SHORT 1.004EAE07
004EAE27  8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]      ; last four characters 6444
004EAE2A  E8 9D9BF1FF    CALL 1.004049CC
004EAE2F  83F8 04        CMP EAX,4                         ; is the length 4?
004EAE32  7D 2F          JGE SHORT 1.004EAE63              ; if not, continue
004EAE34  8B45 F4        MOV EAX,DWORD PTR SS:[EBP-C]      ; last four characters 6444 -> EAX
004EAE37  E8 909BF1FF    CALL 1.004049CC
004EAE3C  8BD8           MOV EBX,EAX                       ; EBX = EAX
004EAE3E  83FB 03        CMP EBX,3                         ; compare
004EAE41  7F 20          JG SHORT 1.004EAE63               ; if less, continue
004EAE43  8D4D E0        LEA ECX,DWORD PTR SS:[EBP-20]
004EAE46  8BC3           MOV EAX,EBX                       ; EAX = EBX
004EAE48  C1E0 02        SHL EAX,2                         ; logical shift left by 2
004EAE4B  33D2           XOR EDX,EDX                       ; clear EDX
004EAE4D  E8 5EE3F1FF    CALL 1.004091B0
004EAE52  8B55 E0        MOV EDX,DWORD PTR SS:[EBP-20]
004EAE55  8D45 F4        LEA EAX,DWORD PTR SS:[EBP-C]
004EAE58  E8 779BF1FF    CALL 1.004049D4
004EAE5D  43             INC EBX                           ; +1
004EAE5E  83FB 04        CMP EBX,4                         ; compare with 4
004EAE61  ^75 E0         JNZ SHORT 1.004EAE43              ; loop while less, continue when equal
004EAE63  8D45 F0        LEA EAX,DWORD PTR SS:[EBP-10]
004EAE66  BA F0AE4E00    MOV EDX,1.004EAEF0                ; the string "ddf22444" -> EDX
004EAE6B  E8 3C99F1FF    CALL 1.004047AC
004EAE70  8D45 DC        LEA EAX,DWORD PTR SS:[EBP-24]
004EAE73  50             PUSH EAX
004EAE74  B9 04000000    MOV ECX,4                         ; ECX = 4
004EAE79  BA 01000000    MOV EDX,1                         ; EDX = 1
004EAE7E  8B45 F0        MOV EAX,DWORD PTR SS:[EBP-10]     ; ddf22444 -> EAX
004EAE81  E8 9E9DF1FF    CALL 1.00404C24
004EAE86  FF75 DC        PUSH DWORD PTR SS:[EBP-24]        ; push the first four characters of ddf22444: ddf2
004EAE89  68 04AF4E00    PUSH 1.004EAF04
004EAE8E  FF75 F8        PUSH DWORD PTR SS:[EBP-8]         ; push 7434
004EAE91  8D45 D8        LEA EAX,DWORD PTR SS:[EBP-28]
004EAE94  50             PUSH EAX
004EAE95  B9 05000000    MOV ECX,5                         ; ECX = 5
004EAE9A  BA 05000000    MOV EDX,5                         ; EDX = 5
004EAE9F  8B45 F0        MOV EAX,DWORD PTR SS:[EBP-10]     ; ddf22444 -> EAX
004EAEA2  E8 7D9DF1FF    CALL 1.00404C24
004EAEA7  FF75 D8        PUSH DWORD PTR SS:[EBP-28]        ; push the last four characters of ddf22444: 2444
004EAEAA  68 04AF4E00    PUSH 1.004EAF04
004EAEAF  FF75 F4        PUSH DWORD PTR SS:[EBP-C]         ; push 6444
004EAEB2  8BC7           MOV EAX,EDI
004EAEB4  BA 06000000    MOV EDX,6
004EAEB9  E8 CE9BF1FF    CALL 1.00404A8C
004EAEBE  33C0           XOR EAX,EAX
004EAEC0  5A             POP EDX
004EAEC1  59             POP ECX
004EAEC2  59             POP ECX
004EAEC3  64:8910        MOV DWORD PTR FS:[EAX],EDX
004EAEC6  68 E0AE4E00    PUSH 1.004EAEE0
004EAECB  8D45 D8        LEA EAX,DWORD PTR SS:[EBP-28]
004EAECE  BA 0A000000    MOV EDX,0A
004EAED3  E8 6098F1FF    CALL 1.00404738
004EAED8  C3             RETN
004EAED9  ^E9 FA90F1FF   JMP 1.00403FD8
004EAEDE  ^EB EB         JMP SHORT 1.004EAECB
004EAEE0  5F             POP EDI
004EAEE1  5E             POP ESI
004EAEE2  5B             POP EBX
004EAEE3  8BE5           MOV ESP,EBP
004EAEE5  5D             POP EBP
004EAEE6  C3             RETN
-------------------------------------------------------------------------------
Summary: registration name: DFCG
Registration code: ddf2-74342444-6444
The code consists of three groups: the hexadecimal value of the registration name, read back to front, interleaved with a fixed string.
I'm not posting the keygen~~!!!!
--------------------------------mwd[DFCG]---------------------------------------