侠客系统修改器1.21破解手记--算法分析
作者:newlaos[CCG][DFCG]
软件名称:侠客系统修改器1.21(系统设置)
最新版本:1.21
文件大小:604KB
软件授权:共享软件
使用平台:Win9x/Me/NT/
发布公司:"http://xksoft.yeah.net"
软件简介:Windows
9x/NT 系统中有很多注册表选项没有直接提供设置界面,如开始菜单项的弹出速度,桌面上系统图标的隐藏,系统安全属性设置等等。当我们需要修改这些选项的时候,就要使用Windows
注册表编辑器来手工修改注册表信息,这样做不仅很麻烦,而且不安全,还需要一定的注册表知识。为了方便大家修改注册表选项,我编写了这个系统设置修改器,可轻松修改Windows
系统中大部分注册表选项,还可以对一些非注册表选项进行设置(如IE4支持的文件夹图标,电脑启动选项等)。
加密方式:注册码
功能限制:未注册信息提示
PJ工具:TRW20001.23注册版,W32Dasm8.93黄金版,FI2.5,eXeScope6.30
PJ日期:2003-04-20
作者newlaos申明:只是学习,请不用于商业用途或是将本文方法制作的注册机任意传播,造成后果,本人一概不负。
1、先用FI2.5看一下主文件“SysSet.exe”,没加壳。程序是用VC++6.0编的
2、用W32Dasm8.93黄金版对SysSet.exe进行静态反汇编,再用串式数据参考,找不到什么经典的句子,怎么办?先用eXeScope6.30对文件的资源进行分析,在“资源\字串表\1”,可以看见:
136," 非常感谢您对本软件的支持!!!$0A再也不会有注册提示对话框出现了,预祝您用的开心。"
137,您的注册姓名与注册码不匹配,请检查一下重新输入。
再回到W32Dasm8.93,找到"String
Resource ID=00137: "▌鑼?鑼
9M骼"(注册失败),双击来到下面代码段。
3、再用TRW20001.23注册版进行动态跟踪,下断BPX
004240E8(通常在注册成功与否的前面一些下断,这样,才能找到关键部分),
先输入注册名:newlaos
假码: 78787878
.......
.......
:004240E8
51 push
ecx
:004240E9 8D6E5C
lea ebp, dword ptr [esi+5C]
:004240EC 8BCC
mov ecx, esp
:004240EE 89642420
mov dword ptr [esp+20], esp
:004240F2
55 push
ebp
:004240F3 E8CD5A0200 call
00449BC5
:004240F8 51
push ecx
:004240F9 8D7E60
lea edi, dword ptr [esi+60]
:004240FC 8BCC
mov ecx, esp
:004240FE
89642428 mov dword ptr
[esp+28], esp
:00424102 57
push edi
:00424103 C784249001000000000000 mov
dword ptr [esp+00000190], 00000000
:0042410E E8B25A0200
call 00449BC5
:00424113 83CBFF
or ebx, FFFFFFFF
:00424116 899C248C010000
mov dword ptr [esp+0000018C], ebx
:0042411D
E88E040000 call 004245B0
:00424122
8BC8 mov
ecx, eax
:00424124 E8B7890000 call
0042CAE0 <===关键的CALL了,F8跟进
:00424129 85C0
test eax, eax <===EAX不能为0
:0042412B
0F8457010000 je 00424288
<===关键跳转,
:00424131 6A00
push 00000000
:00424133 8D4C2434
lea ecx, dword ptr [esp+34]
:00424137 E8C4020000
call 00424400
:0042413C BB02000000
mov ebx, 00000002
:00424141
8D4C2430 lea ecx, dword
ptr [esp+30]
:00424145 899C2484010000 mov
dword ptr [esp+00000184], ebx
:0042414C E83A220200
call 0044638B
:00424151 51
push ecx
:00424152 8BCC
mov ecx, esp
:00424154
89642420 mov dword ptr
[esp+20], esp
:00424158 57
push edi
:00424159 E8675A0200
call 00449BC5
:0042415E 6A01
push 00000001
:00424160 889C248C010000
mov byte ptr [esp+0000018C], bl
:00424167
E854040000 call 004245C0
:0042416C
8BC8 mov
ecx, eax
:0042416E E82DCD0000 call
00430EA0
:00424173 8D4C2424
lea ecx, dword ptr [esp+24]
:00424177 E8A4F0FFFF
call 00423220
:0042417C A154234700
mov eax, dword ptr [00472354]
:00424181 89442410
mov dword ptr [esp+10],
eax
:00424185 8B0DF85D4700 mov ecx,
dword ptr [00475DF8]
:0042418B 8D44241C
lea eax, dword ptr [esp+1C]
:0042418F C684248401000005
mov byte ptr [esp+00000184], 05
:00424197 8B11
mov edx, dword ptr
[ecx]
:00424199 52
push edx
:0042419A 50
push eax
:0042419B E87020FFFF
call 00416210
:004241A0 83C408
add esp, 00000008
*
Possible StringData Ref from Data Obj ->"\SysSet.cfg"
|
:004241A3 68640D4700
push 00470D64
.......
此处删除一段注册信息保存代码
.......
:0042427E
E8F5230200 call 00446678
:00424283
E980000000 jmp 00424308
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042412B(C)
<===这里向上就是关键跳转了
|
:00424288 A154234700
mov eax, dword ptr [00472354]
:0042428D 89442418
mov dword ptr [esp+18], eax
:00424291
C784248401000009000000 mov dword ptr [esp+00000184], 00000009
:0042429C
89442414 mov dword ptr
[esp+14], eax
* Possible
Reference to String Resource ID=00103: "牏?h V1.21"
|
:004242A0 6A67
push 00000067
:004242A2 8D4C2418
lea ecx, dword ptr [esp+18]
:004242A6 C68424880100000A
mov byte ptr [esp+00000188], 0A
:004242AE E835670200
call 0044A9E8
*
Possible Reference to String Resource ID=00137: "▌鑼?鑼
9M骼?
| <==="您的注册姓名与注册码不匹配,请检查一下重新输入。"
:004242B3
6889000000 push 00000089
:004242B8 8D4C241C
lea ecx, dword ptr [esp+1C]
:004242BC E827670200
call 0044A9E8
.......
.......
-----00424124
call 0042CAE0 关键的CALL了,F8跟进----------------
:0042CAE0
6AFF push
FFFFFFFF
:0042CAE2 68B07D4500 push
00457DB0
:0042CAE7 64A100000000 mov
eax, dword ptr fs:[00000000]
:0042CAED 50
push eax
:0042CAEE 64892500000000
mov dword ptr fs:[00000000], esp
:0042CAF5
83EC30 sub esp,
00000030
:0042CAF8 53
push ebx
:0042CAF9 55
push ebp
:0042CAFA 56
push esi
:0042CAFB
57 push
edi
:0042CAFC 33FF
xor edi, edi
:0042CAFE 897C2448
mov dword ptr [esp+48], edi
:0042CB02 8B4C2450
mov ecx, dword ptr [esp+50]
:0042CB06
C644241301 mov [esp+13], 01
:0042CB0B
8B41F8 mov eax,
dword ptr [ecx-08]
:0042CB0E 83F803
cmp eax, 00000003
:0042CB11 0F8C74010000
jl 0042CC8B <===这里跳了就OVER了,注册码长度必须大于3
:0042CB17
8B442454 mov eax, dword
ptr [esp+54]
:0042CB1B 8378F801
cmp dword ptr [eax-08], 00000001
:0042CB1F 0F8C66010000
jl 0042CC8B <===这里跳了就OVER了,注册名长度必须大于1
*
Possible StringData Ref from Data Obj ->"opq98"
|
:0042CB25 68C0144700
push 004714C0 <===感觉是黑名单
:0042CB2A 51
push ecx
:0042CB2B E830970000
call 00436260
:0042CB30 83C408
add esp, 00000008
:0042CB33
3BC7 cmp
eax, edi
:0042CB35 0F8450010000 je
0042CC8B <===这里一跳也OVER,就是黑名单了。
:0042CB3B 8B4C2450
mov ecx, dword ptr [esp+50]
:0042CB3F 8B542454
mov edx, dword ptr [esp+54]
:0042CB43
897C2414 mov dword ptr
[esp+14], edi
:0042CB47 8B49F8
mov ecx, dword ptr [ecx-08]
:0042CB4A 8B42F8
mov eax, dword ptr [edx-08] <===EAX=8(假码78787878的长度)
:0042CB4D
894C2418 mov dword ptr
[esp+18], ecx <===ECX=7(注册名的长度)
:0042CB51 8D1409
lea edx, dword ptr [ecx+ecx]
:0042CB54 3BC2
cmp eax,
edx <===呵呵,注册码的长度就是注册名长度的两倍
:0042CB56 0F852F010000
jne 0042CC8B <===如果不相等,就跳向OVER了。
:0042CB5C
3BCF cmp
ecx, edi
:0042CB5E 0F8E01010000 jle
0042CC65 <===这里一跳,就是正确了。呵呵,但是不会跳的
:0042CB64 8A5C2450
mov bl, byte ptr [esp+50]
:0042CB68
EB04 jmp
0042CB6E <===程序从这里跳走
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CC5F(C)
<===这里是个外部循环
|
:0042CB6A 8B4C2418
mov ecx, dword ptr [esp+18]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CB68(U)
|
:0042CB6E
8D4701 lea eax,
dword ptr [edi+01]
:0042CB71 33D2
xor edx, edx
:0042CB73 3BC1
cmp eax, ecx
:0042CB75 8B442450
mov eax, dword ptr [esp+50]
:0042CB79
0F9CC2 setl dl
:0042CB7C
8A0C07 mov cl, byte
ptr [edi+eax]
:0042CB7F 8BF2
mov esi, edx
:0042CB81 884C241C
mov byte ptr [esp+1C], cl
:0042CB85 8D542428
lea edx, dword ptr [esp+28]
:0042CB89
8B44241C mov eax, dword
ptr [esp+1C]
:0042CB8D 6A24
push 00000024 <===这是一个关键数值36(正好为数字10位和英文字母26位)
:0042CB8F
25FF000000 and eax, 000000FF
:0042CB94
52 push
edx
:0042CB95 50
push eax
:0042CB96 89742430
mov dword ptr [esp+30], esi
:0042CB9A E8D2990000
call 00436571
***********************
<===对注册名的奇数位进行变形处理,生成两个数值SS1、SS2,(变形处理:取的ASC值除以24,余数为SS1,商再除以24,余数为SS2),注:作者的程序设计时,设定如果两次除以24,商还大于24的话,就出来SS3,但作为被除数AL,最大也只是FF,所以不可能出现SS3,更不可以出现SS4
***********************
:0042CB9F
83C40C add esp,
0000000C
:0042CBA2 85F6
test esi, esi
:0042CBA4 742D
je 0042CBD3 <===这是对注册名最后一位的判断,如果是奇数,就从这里跳走了。
:0042CBA6
8B4C2450 mov ecx, dword
ptr [esp+50]
:0042CBAA 8D442434
lea eax, dword ptr [esp+34]
:0042CBAE 6A24
push 00000024
:0042CBB0 50
push eax
:0042CBB1
8A540F01 mov dl, byte ptr
[edi+ecx+01]
:0042CBB5 88542428
mov byte ptr [esp+28], dl
:0042CBB9 8B4C2428
mov ecx, dword ptr [esp+28]
:0042CBBD 81E1FF000000
and ecx, 000000FF
:0042CBC3 51
push ecx
:0042CBC4
E8A8990000 call 00436571 <===对注册名的偶数位进行变形处理,生成两个数值SD1、SD2,(变形处理:取的ASC值除以24,余数为SD1,商再除以24,余数为SD2)
:0042CBC9
83C40C add esp,
0000000C
:0042CBCC BD04000000 mov
ebp, 00000004
:0042CBD1 EB05
jmp 0042CBD8
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CBA4(C)
|
:0042CBD3
BD02000000 mov ebp, 00000002 <===到这里说明最后一位是奇数
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CBD1(U)
|
:0042CBD8
33F6 xor
esi, esi
:0042CBDA 85ED
test ebp, ebp
:0042CBDC 7E78
jle 0042CC56
:0042CBDE 8A4C2428
mov cl, byte ptr [esp+28]
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CC54(C)
<===这里是个内部循环,共四次,就注册名的两个字符生成的4位数值,进行不同变换,以生成真注册码的4位值。
|
:0042CBE2
83FE03 cmp esi,
00000003
:0042CBE5 7739
ja 0042CC20
:0042CBE7 FF24B5C4CC4200
jmp dword ptr [4*esi+0042CCC4]
<===这里由于ESI值的不同产生不同的四次跳转
:0042CBEE
8A5C2429 mov bl, byte ptr
[esp+29]<===第一次跳到这里,处理SS1
:0042CBF2 EB2C
jmp 0042CC20
:0042CBF4 8B442424
mov eax, dword ptr [esp+24]<===第二次跳到这里,处理SD1
:0042CBF8
85C0 test
eax, eax <===[esp+24]是一个标志位,如果注册名最后一位不是偶数位就跳走了。因为不可能有SD1和SD2了。
:0042CBFA
7406 je 0042CC02
<===如果EAX为0,则这里跳走。
:0042CBFC 8A5C2434
mov bl, byte ptr [esp+34]
:0042CC00 EB1E
jmp 0042CC20
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CBFA(C)
|
:0042CC02 8AD9
mov bl, cl <===如果最后一位是奇数位,则来到这里,就直接用SS2(商)了
:0042CC04
EB1A jmp
0042CC20
:0042CC06 0FBED1
movsx edx, cl <===第三次跳到这里,处理SS2
:0042CC09 6A01
push 00000001
:0042CC0B
52 push
edx
:0042CC0C E8CFFBFFFF call
0042C7E0 <===因为有了它,所以在真正注册码的3的倍数位都是大写的英文字母
:0042CC11 8A4C2430
mov cl, byte ptr [esp+30]
:0042CC15
83C408 add esp,
00000008
:0042CC18 8AD8
mov bl, al
:0042CC1A EB04
jmp 0042CC20
:0042CC1C 8A5C2435
mov bl, byte ptr [esp+35] <===第四次跳到这里,处理SD2
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042CBE5(C),
:0042CBF2(U), :0042CC00(U), :0042CC04(U), :0042CC1A(U)
|
:0042CC20 84DB
test bl,
bl
:0042CC22 7519
jne 0042CC3D <===如果BL不为0,则跳走
:0042CC24 8A442413
mov al, byte ptr [esp+13]
<===BL为0,则来到这里
:0042CC28 8AD8
mov bl, al
:0042CC2A F6DB
neg bl
:0042CC2C 1ADB
sbb bl, bl
:0042CC2E
80E3E0 and bl, E0
:0042CC31
80C368 add bl, 68
:0042CC34
84C0 test
al, al
:0042CC36 0F94C0
sete al
:0042CC39 88442413
mov byte ptr [esp+13], al
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CC22(C)
|
:0042CC3D
8B542414 mov edx, dword
ptr [esp+14]
:0042CC41 8BC2
mov eax, edx
:0042CC43 42
inc edx
:0042CC44 89542414
mov dword ptr [esp+14], edx
:0042CC48
8B542454 mov edx, dword
ptr [esp+54]
:0042CC4C 381C10
cmp byte ptr [eax+edx], bl
<===[eax+edx]为依次取出的注册码值,BL为注册名的字符算出的正确注册码(仅一位)
:0042CC4F
753A jne
0042CC8B <===这里一跳就OVER了。
:0042CC51 46
inc esi
:0042CC52 3BF5
cmp esi, ebp
:0042CC54
7C8C jl 0042CBE2
<===这里是一个内部循环,取两位注册名的字符生成4位注册码
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CBDC(C)
|
:0042CC56
8B442418 mov eax, dword
ptr [esp+18]
:0042CC5A 83C702
add edi, 00000002
:0042CC5D 3BF8
cmp edi, eax
:0042CC5F 0F8C05FFFFFF
jl 0042CB6A <===这里是一个外部循环
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CB5E(C)
|
:0042CC65
8D4C2450 lea ecx, dword
ptr [esp+50]
:0042CC69 C644244800
mov [esp+48], 00
:0042CC6E E8DDD10100
call 00449E50
:0042CC73 8D4C2454
lea ecx, dword ptr [esp+54]
:0042CC77 C7442448FFFFFFFF
mov [esp+48], FFFFFFFF
:0042CC7F E8CCD10100
call 00449E50
:0042CC84 B801000000
mov eax, 00000001 <===这里是关键的标志赋值,一定要经过
:0042CC89
EB21 jmp
0042CCAC
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042CB11(C), :0042CB1F(C),
:0042CB35(C), :0042CB56(C), :0042CC4F(C)
<===这里5个,都是错误的跳转
:0042CC8B 8D4C2450
lea ecx, dword ptr [esp+50]
:0042CC8F
C644244800 mov [esp+48], 00
:0042CC94
E8B7D10100 call 00449E50
:0042CC99
8D4C2454 lea ecx, dword
ptr [esp+54]
:0042CC9D C7442448FFFFFFFF mov [esp+48],
FFFFFFFF
:0042CCA5 E8A6D10100 call
00449E50
:0042CCAA 33C0
xor eax, eax <===EAX被清0,也就是失败了。
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CC89(U)
|
:0042CCAC
8B4C2440 mov ecx, dword
ptr [esp+40]
:0042CCB0 5F
pop edi
:0042CCB1 5E
pop esi
:0042CCB2 5D
pop ebp
:0042CCB3
5B pop
ebx
:0042CCB4 64890D00000000 mov dword ptr
fs:[00000000], ecx
:0042CCBB 83C43C
add esp, 0000003C
:0042CCBE C20800
ret 0008
---------0042CC0C
call 0042C7E0--对SS2进行处理---------------
:0042C7E0 81EC20010000
sub esp, 00000120
:0042C7E6 BA37000000
mov edx, 00000037
:0042C7EB 56
push esi
:0042C7EC
89542420 mov dword ptr
[esp+20], edx
:0042C7F0 899424B0000000 mov
dword ptr [esp+000000B0], edx
:0042C7F7 8B94242C010000
mov edx, dword ptr [esp+0000012C]
:0042C7FE B938000000
mov ecx, 00000038
:0042C803 B839000000
mov eax, 00000039
:0042C808
BE36000000 mov esi, 00000036
:0042C80D
894C2424 mov dword ptr
[esp+24], ecx
:0042C811 89442428
mov dword ptr [esp+28], eax
:0042C815 898C24B4000000
mov dword ptr [esp+000000B4], ecx
:0042C81C 898424B8000000
mov dword ptr [esp+000000B8], eax
:0042C823
C744240430000000 mov [esp+04], 00000030
.......
此处略去一段产生规则的码表,作者真有心一个一个的做,我这里却省了;-)
.......
:0042CA92
C78424200100005A000000 mov dword ptr [esp+00000120], 0000005A
:0042CA9D
33C0 xor
eax, eax <===EAX被清0
:0042CA9F 8D0CD2
lea ecx, dword ptr [edx+8*edx] <===ECX=9
:0042CAA2
8BB42428010000 mov esi, dword ptr [esp+00000128]
<===这个值十分的关键,它就是SS2
:0042CAA9 C1E104
shl ecx, 04 <===ECX=90
:0042CAAC 8D4C0C04
lea ecx, dword ptr [esp+ecx+04]<===[esp+ecx+04]就是一个码表的开始,这个码表是0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ(英文字母是大写)
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CABB(C)
|
:0042CAB0
3B31 cmp
esi, dword ptr [ecx]<===ESI就是SS2,(由于ASC码值最大也就是FF,所以SS2的范围在1-7之间)在新码表里找位数。
:0042CAB2
7409 je 0042CABD
:0042CAB4
40 inc
eax <===EAX递增,步进为1
:0042CAB5 83C104
add ecx, 00000004 <===因为码表的数是每隔4位放一个,所以这里ECX也依次加4
:0042CAB8
83F824 cmp eax,
00000024 <===保证EAX不会超出36。
:0042CABB 7CF3
jl 0042CAB0 <===呵呵,这里构成一小循环
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042CAB2(C)
|
:0042CABD
8D14D2 lea edx,
dword ptr [edx+8*edx] <===EDX=9
:0042CAC0 C1E202
shl edx, 02 <===EDX=24(十进制就是36,正好和码表个数相同)
:0042CAC3
2BD0 sub
edx, eax <===EAX就是倒数位,24-EAX就是正数的位数
:0042CAC5 5E
pop esi
:0042CAC6 8B84948C000000
mov eax, dword ptr [esp+4*edx+0000008C]<===因为码表是每隔4位放一个数,所以4*edx,就表示EDX就是码表中的第几位数。所以得出的结论是EAX就是新码表,倒数第SS2位(1-7位)
:0042CACD
81C420010000 add esp, 00000120
:0042CAD3
C3 ret
---------------------------------------------------------------------
4、算法分析:---类型注册:
f(注册名)=注册码---
a、依次取出注册名的两个字符(一个中文为两个字符),奇数位除以24(10进制36),余数为SS1,商为SS2。偶数位也除以24(10进制36),余数为SD1,商为SD2。
b、将SS2单独取出,对字符串"STUVWXYZ"取倒数SS2+1位数值,如果SS2为0,那么新的SS2就是Z;如果SS2是3,则新的SS2就是W了
c、这样就得出真注册码的4位,SS1 SD2 SS2(新) SD1, 依此类推。如果注册名的最后一位是奇数位的话,那么SS2就不做任何处理(b步骤),直接用了。
5、-------VB6.0制作的注册机原码(只能用英文注册)-----------
Private
Sub Command1_Click()
strtmp = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
strtmp1
= "0123456789abcdefghijklmnopqrstuvwxyz"
startin = Text1.Text
nlen
= Len(startin)
For i = 1 To nlen
z1 = Asc(Mid(startin, i, 1)) '奇数位字符处理
ss1 = Mid(strtmp1, (z1 Mod 36) + 1, 1)
ss2x = Int(z1 / 36)
ss2 = Mid(strtmp, 36 - ss2x, 1)
i = i + 1
If i <=
nlen Then
z2 = Asc(Mid(startin, i, 1)) '偶数位字符处理
sd1 = Mid(strtmp1,
(z2 Mod 36) + 1, 1)
sd2 = CStr(Int(z2 / 36))
Else
sd1 = ""
sd2 = ""
ss2=cstr(ss2x)
End If
laststr = laststr + ss1 + sd2 + ss2 + sd1
Next i
Text2.Text
= laststr
End Sub
6、注册信息保存在文件SysSet.cfg:
(略)
[Reg]
RegName=newlaos
RegCode=XXXXXXXXXXXXXX
(此处即为真注册码,为维护作者利益=>隐)