公务员之路3.0注册分析 * Possible StringData Ref from Code Obj
->"提示" *
Possible StringData Ref from Code Obj ->"只有重新运行本软件,才能使注册码生效。" ----------------------------------------------------- 005342F5
|. 8BEC MOV EBP,ESP 输入的注册码不作任何变换，直接以明文写入 psywg01.dll（路径由 GetSystemDirectoryA 取得的系统目录拼出，通常是 system32，而不是 windows 目录；节名 "User Info"，键名 "User3.0"），验证时再原样读回。 0053415E
|. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00533E7B
|. 83C4 E8 ADD ESP,-18 int
X,Y; for(int i=1;i<14;i++) //求模函数
char mc[30];//机器码 case
IDC_BUTTON4: for(int
i=1;i<=len;i++) 总结: 这是我当时第一个破的软件,可惜当时功力不够,现在终于找到注册码,觉得很感概..... cracked
lordor
■、作者声明:初学破解,纯属技术交流,无其它目的。
■、工具:ollyDBg1.09,W32Dasm10。
■、基本知识:基础汇编知识,基本工具使用。
■、注册形式:机器码+注册码
■、软件介绍:
假设:
机器码:YW99999022986
注册码:654321
一、查找出错信息
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005343DB(C)
|
:005343FD
80B81403000000 cmp byte ptr [eax+00000314],
00
:00534404 7429
je 0053442F
:00534406 8BC3
mov eax, ebx
:00534408 E8E7FEFFFF
call 005342F4=====>call(1)注册码写入文件,进入看看
:0053440D
6A00 push
00000000
|
:0053440F B934445300
mov ecx, 00534434
|
:00534414 BA3C445300
mov edx, 0053443C
call(1)
005342F7 |.
6A 00 PUSH 0
005342F9 |. 6A 00
PUSH 0
005342FB |. 53
PUSH EBX
005342FC |. 56
PUSH ESI
005342FD |. 33C0
XOR EAX,EAX
005342FF |. 55
PUSH EBP
00534300 |. 68 99435300 PUSH 公务员之.00534399
00534305
|. 64:FF30 PUSH DWORD PTR FS:[EAX]
00534308
|. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0053430B
|. B8 FF000000 MOV EAX,0FF
00534310 |. E8 A3E4ECFF
CALL 公务员之.004027B8
00534315 |. 8BD8
MOV EBX,EAX
00534317 |. 68 FF000000 PUSH 0FF
; /BufSize = FF (255.)
0053431C |. 53
PUSH EBX
; |Buffer
0053431D |. E8 BA30EDFF CALL <JMP.&kernel32.GetSystemDirectoryA>
; \GetSystemDirectoryA
00534322 |. 8D45 FC LEA
EAX,DWORD PTR SS:[EBP-4]
00534325 |. 8BD3
MOV EDX,EBX
00534327 |. E8 DCFCECFF CALL 公务员之.00404008
0053432C
|. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0053432F
|. BA B0435300 MOV EDX,公务员之.005343B0[EBP
; ASCII "\psywg01.dll"
00534334
|. E8 9FFDECFF CALL 公务员之.004040D8ll"[
00534339 |.
8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0053433C |.
B2 01 MOV DL,1
0053433E |. A1 B05A4500
MOV EAX,DWORD PTR DS:[455AB0]
00534343 |. E8 1018F2FF
CALL 公务员之.00455B58DS:[
00534348 |. 8BD8
MOV EBX,EAX
0053434A |. 8D55 F8 LEA
EDX,DWORD PTR SS:[EBP-8]
0053434D |. A1 B8DE5300 MOV EAX,DWORD
PTR DS:[53DEB8]
00534352 |. 8B00 MOV
EAX,DWORD PTR DS:[EAX]
00534354 |. 8B80 DC020000 MOV EAX,DWORD
PTR DS:[EAX+2DC]
0053435A |. E8 E5ADEFFF CALL 公务员之.0042F144DS:[
0053435F
|. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00534362
|. 50 PUSH EAX
00534363 |.
B9 C8435300 MOV ECX,公务员之.005343C8
; ASCII "User3.0"
00534368
|. BA D8435300 MOV EDX,公务员之.005343D8
; ASCII "User Info"
重启后,再验证:
在 CreateFile 等文件函数上下断都断不下来（读写很可能没有直接经过这些调用）。但上面 call(1) 已经看到：程序先用 GetSystemDirectoryA 拼出 psywg01.dll 的完整路径再去读写，所以改在 GetSystemDirectoryA 下断，OK，来到这:
; ---------------------------------------------------------------------------
; Registration check (routine starts at 0053415E; its prologue is only
; visible in the garbled header above, and the body continues past
; 00534268).  What this excerpt does, step by step:
;   1. Builds <system dir>\psywg01.dll and reads the stored registration
;      code (section "User Info", key "User3.0") into [EBP-4].
;   2. Calls DsksSrl.GetDiskSerial for drive index 0..3 and keeps the first
;      non-empty serial in [EBP-C].
;   3. Turns every serial character into one decimal digit (byte value
;      mod 10) and prefixes "YW": this is the machine code, kept in
;      [ESI+300].
;   4. call(2) at 00533E78 derives the expected code from the machine code,
;      004041E0 compares it with the stored one, and on a match
;      [ESI+304] is set to 1 (presumably the "registered" flag).
; Registers: ESI = object base (+300/+304/+308 fields), EBX/EDI = loop
; counters.  Helper roles (string assign/append/length, constructor,
; free) are inferred from how they are used here and are not confirmed.
; Security note: the whole scheme is one string compare followed by a
; conditional jump, and the stored code is kept in plain text, so it
; offers no protection beyond obscurity.
; ---------------------------------------------------------------------------
00534161
|. B8 FF000000 MOV EAX,0FF
; 004027B8 with EAX=0xFF: presumably allocates the 255-byte buffer that
; GetSystemDirectoryA below fills (same size is passed as BufSize).
00534166 |. E8 4DE6ECFF
CALL 公务员之.004027B8
0053416B |. 8BD8
MOV EBX,EAX
0053416D |. 68 FF000000 PUSH 0FF
; /BufSize = FF (255.)
00534172 |. 53
PUSH EBX
; |Buffer
00534173 |. E8 6432EDFF CALL <JMP.&kernel32.GetSystemDirectoryA>
; \GetSystemDirectoryA
; [EBP-10] = system directory (00404008 looks like a PChar -> string
; assignment), then "\psywg01.dll" is appended.
00534178 |. 8D45 F0 LEA
EAX,DWORD PTR SS:[EBP-10]
0053417B |. 8BD3
MOV EDX,EBX
0053417D |. E8 86FEECFF CALL 公务员之.00404008
00534182
|. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00534185
|. BA A4425300 MOV EDX,公务员之.005342A4
; ASCII "\psywg01.dll"
0053418A
|. E8 49FFECFF CALL 公务员之.004040D8
; Delphi-style constructor call: class reference in EAX, DL=1, ECX = the
; file path.  The resulting object (EBX) is then asked for one value.
0053418F |. 8B4D
F0 MOV ECX,DWORD PTR SS:[EBP-10]
00534192 |.
B2 01 MOV DL,1
00534194 |. A1 B05A4500
MOV EAX,DWORD PTR DS:[455AB0]
00534199 |. E8 BA19F2FF
CALL 公务员之.00455B58
0053419E |. 8BD8
MOV EBX,EAX
; Arguments for the read: 005342BC (presumably a default value), the
; output string [EBP-4], key "User3.0", section "User Info".
005341A0 |. 68 BC425300 PUSH 公务员之.005342BC
005341A5
|. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
005341A8
|. 50 PUSH EAX
005341A9 |.
B9 CC425300 MOV ECX,公务员之.005342CC
; ASCII "User3.0"
005341AE |.
BA DC425300 MOV EDX,公务员之.005342DC
; ASCII "User Info"
005341B3 |.
8BC3 MOV EAX,EBX
005341B5 |. 8B38
MOV EDI,DWORD PTR DS:[EAX]
005341B7 |.
FF17 CALL DWORD PTR DS:[EDI]
; Virtual call on the object: [EBP-4] = the registration code the user
; entered earlier (call(1) stored it unchanged).
005341B9
|. 8BC3 MOV EAX,EBX
005341BB |.
E8 E8EFECFF CALL 公务员之.004031A8
; 004031A8 with EAX=object: presumably releases it.
; Try drive index EBX = 0..3 until GetDiskSerial returns non-zero.
005341C0 |. 33DB
XOR EBX,EBX
005341C2 |> 8D86 08030000 /LEA
EAX,DWORD PTR DS:[ESI+308]
005341C8 |. 50
|PUSH EAX
005341C9 |. 53
|PUSH EBX
005341CA |. E8 9124F2FF |CALL <JMP.&DsksSrl.GetDiskSerial>
; hard disk serial number written to [ESI+308]; the author's was
; YEEYE2H4108
005341CF |. 85C0
|TEST EAX,EAX
005341D1 |. 74 15
|JE SHORT 公务员之.005341E8
; Success: copy [ESI+308] (at most ECX=0x104 = 260 bytes, i.e. MAX_PATH)
; into the string [EBP-C] and leave the loop.
005341D3 |. 8D45 F4
|LEA EAX,DWORD PTR SS:[EBP-C]
005341D6 |.
8D96 08030000 |LEA EDX,DWORD PTR DS:[ESI+308]
005341DC |. B9 04010000
|MOV ECX,104
005341E1 |. E8 9AFEECFF |CALL
公务员之.00404080
005341E6 |. EB 06 |JMP
SHORT 公务员之.005341EE
005341E8 |> 43
|INC EBX
005341E9 |. 83FB 04 |CMP EBX,4
005341EC
|.^75 D4 \JNZ SHORT 公务员之.005341C2
; EDI = length of the serial string (004040D0 is used as "length" here
; and in call(2)); an empty serial skips the digit loop.
005341EE
|> 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
005341F1
|. E8 DAFEECFF CALL 公务员之.004040D0
; length of the hard disk serial number
005341F6 |.
8BF8 MOV EDI,EAX
005341F8 |. 85FF
TEST EDI,EDI
005341FA |. 7E 32
JLE SHORT 公务员之.0053422E
005341FC |. BB 01000000
MOV EBX,1
; Loop EBX = 1..len: digit = serial[EBX-1] mod 10 (unsigned DIV, EDX
; cleared first), converted to text and appended to [ESI+300].
00534201 |> 8B45 F4 /MOV
EAX,DWORD PTR SS:[EBP-C] ; EAX = hard disk serial string
00534204
|. 0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]
00534209
|. B9 0A000000 |MOV ECX,0A
0053420E |. 33D2
|XOR EDX,EDX
00534210 |. F7F1
|DIV ECX
00534212 |. 8BC2
|MOV EAX,EDX
00534214 |. 8D55 EC |LEA
EDX,DWORD PTR SS:[EBP-14]
00534217 |. E8 2C50EDFF |CALL
公务员之.00409248
0053421C |. 8B55 EC |MOV EDX,DWORD
PTR SS:[EBP-14]
0053421F |. 8D86 00030000 |LEA EAX,DWORD PTR DS:[ESI+300]
00534225
|. E8 AEFEECFF |CALL 公务员之.004040D8
0053422A |. 43
|INC EBX
0053422B |. 4F
|DEC EDI
0053422C |.^75 D3
\JNZ SHORT 公务员之.00534201
; [ESI+300] = "YW" + digits  (0040411C joins EDX and ECX into EAX)
0053422E |> 8D86
00030000 LEA EAX,DWORD PTR DS:[ESI+300]
00534234 |. 8B8E 00030000
MOV ECX,DWORD PTR DS:[ESI+300] ; ECX = digit string, "99999022986" in the author's case
0053423A |. BA F0425300 MOV EDX,公务员之.005342F0
; EDX = "YW"
0053423F
|. E8 D8FEECFF CALL 公务员之.0040411C
; call(2): ECX = &[EBP-8] (result), EDX = machine code, EAX = ESI
00534244 |. 8D4D
F8 LEA ECX,DWORD PTR SS:[EBP-8]
00534247 |.
8B96 00030000 MOV EDX,DWORD PTR DS:[ESI+300] ; machine code, e.g. YW99999022986, in EDX
0053424D
|. 8BC6 MOV EAX,ESI
0053424F |.
E8 24FCFFFF CALL 公务员之.00533E78 ; key call(2): derives the real code, here 0987474943210
00534254
|. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
; EAX = real (expected) code
00534257 |. 8B55 FC MOV
EDX,DWORD PTR SS:[EBP-4] ; EDX = code read back from psywg01.dll
0053425A |. E8 81FFECFF
CALL 公务员之.004041E0 ; key compare (string comparison)
0053425F
|. 75 09 JNZ SHORT 公务员之.0053426A
; key jump: not equal -> 0053426A (fail path, outside this excerpt)
00534261 |. C686 04030000 >MOV BYTE PTR DS:[ESI+304],1
; match: [ESI+304] = 1
00534268
|. EB 07 JMP SHORT 公务员之.00534271
-------------------------------------
关键call(2),产生真码:0987474943210
; ---------------------------------------------------------------------------
; call(2): derive the registration code from the machine code.
; The routine starts at 00533E78 (PUSH EBP / MOV EBP,ESP / ADD ESP,-18 are
; only visible in the garbled header above); this listing begins at
; 00533E7E and ends at the RETN.
; In:  EDX = machine code string (e.g. "YW99999022986")
;      ECX = address of the output string variable
;      EAX = caller's ESI (not referenced in the body shown)
; Out: *ECX = one decimal digit per machine-code character.
; Algorithm, for i = 1..len with S = sum of all character codes:
;      Y     = (i^3 + i^2 + 9*i + 3) mod 10
;      digit = (c[i] * S * Y + Y) mod 10
; Every operand is non-negative, so the signed CDQ/IDIV remainders equal the
; unsigned mod.  S is accumulated in a 16-bit WORD ([EBP-A]) and read back
; with MOVZX, so it wraps at 65536 (irrelevant for 13-character machine
; codes, but a keygen that mirrors the binary should do the same).
; Locals: [EBP-4] = machine code, [EBP-8] = out pointer, [EBP-10] = copy of
; the machine code, [EBP-A] = S, [EBP-14] = digits built so far,
; [EBP-18] = current digit as text.  Helper roles (00403EE8 assign,
; 004040D0 length, 004040D8 append, 00409248 int->string, 00403EA4 store)
; are inferred from use and not confirmed.
; ---------------------------------------------------------------------------
00533E7E |. 53
PUSH EBX
00533E7F |. 56
PUSH ESI
00533E80 |. 57
PUSH EDI
; Zero the three string locals, save the two arguments.
00533E81 |. 33DB
XOR EBX,EBX
00533E83 |. 895D E8 MOV
DWORD PTR SS:[EBP-18],EBX
00533E86 |. 895D F0 MOV
DWORD PTR SS:[EBP-10],EBX
00533E89 |. 895D EC MOV
DWORD PTR SS:[EBP-14],EBX
00533E8C |. 894D F8 MOV
DWORD PTR SS:[EBP-8],ECX
00533E8F |. 8955 FC MOV
DWORD PTR SS:[EBP-4],EDX
00533E92 |. 8B45 FC MOV
EAX,DWORD PTR SS:[EBP-4]
; 00404284 on the machine code string: presumably a reference-count /
; add-ref helper (matches the 00403E50 release at the end).
00533E95 |. E8 EA03EDFF CALL 公务员之.00404284
; Exception frame: handler 00533F6D pushed onto FS:[0].
00533E9A
|. 33C0 XOR EAX,EAX
00533E9C |.
55 PUSH EBP
00533E9D |. 68
6D3F5300 PUSH 公务员之.00533F6D
00533EA2 |. 64:FF30
PUSH DWORD PTR FS:[EAX]
00533EA5 |. 64:8920
MOV DWORD PTR FS:[EAX],ESP
; [EBP-10] = copy of the machine code
00533EA8 |. 8D45 F0
LEA EAX,DWORD PTR SS:[EBP-10]
00533EAB |. 8B55 FC
MOV EDX,DWORD PTR SS:[EBP-4]
; EDX = machine code
00533EAE |. E8 3500EDFF CALL
公务员之.00403EE8
; S = 0 (16-bit accumulator)
00533EB3 |. 66:C745 F6 000>MOV WORD PTR SS:[EBP-A],0
00533EB9
|. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
; EAX = machine code
00533EBC |.
E8 0F02EDFF CALL 公务员之.004040D0
; ESI = length; an empty machine code skips the loop
00533EC1 |. 8BF0
MOV ESI,EAX
00533EC3 |. 85F6
TEST ESI,ESI
00533EC5 |. 7E 15
JLE SHORT 公务员之.00533EDC
00533EC7 |. BB 01000000 MOV
EBX,1
; Loop 1, EBX = 1..len: S += code of character EBX (zero-extended byte,
; added into the 16-bit word).
00533ECC |> 8B45 F0 /MOV EAX,DWORD
PTR SS:[EBP-10] ; EAX = machine code
00533ECF
|. 0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]
; EAX = character EBX of the machine code (zero-extended, not EDX as the
; original note said)
00533ED4 |. 66:0145 F6
|ADD WORD PTR SS:[EBP-A],AX ; S += character code (16-bit add)
00533ED8 |. 43
|INC EBX
00533ED9 |. 4E |DEC
ESI
00533EDA |.^75 F0 \JNZ SHORT 公务员之.00533ECC
00533EDC
|> 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
; EAX = machine code
00533EDF |.
E8 EC01EDFF CALL 公务员之.004040D0
; ESI = machine code length again
00533EE4 |. 8BF0
MOV ESI,EAX
00533EE6 |. 85F6
TEST ESI,ESI
00533EE8 |. 7E 55
JLE SHORT 公务员之.00533F3F
00533EEA |. BB 01000000
MOV EBX,1
; Loop 2, EBX = i = 1..len: produce one digit per character.
; Y = (i*i*i + i*i + 9*i + 3) mod 10, computed as:
;   ECX = i*i ; EAX = ECX*i = i^3 ; EAX += ECX ; EDX = 9*i (LEA) ;
;   EAX += EDX ; EAX += 3 ; EDI = EAX mod 10
00533EEF |> 8BCB
/MOV ECX,EBX
; the following generates each digit of the registration code
00533EF1 |.
0FAFCB |IMUL ECX,EBX
00533EF4 |. 8BC1
|MOV EAX,ECX
00533EF6 |. F7EB
|IMUL EBX
00533EF8 |. 03C1
|ADD EAX,ECX
00533EFA |. 8D14DB
|LEA EDX,DWORD PTR DS:[EBX+EBX*8]
00533EFD |. 03C2
|ADD EAX,EDX
00533EFF |. 83C0 03 |ADD
EAX,3
00533F02 |. B9 0A000000 |MOV ECX,0A
00533F07 |.
99 |CDQ
00533F08 |. F7F9
|IDIV ECX
; EAX / ECX, remainder in EDX (= Y)
00533F0A
|. 8BFA |MOV EDI,EDX
; digit = (c[i] * S * Y + Y) mod 10
00533F0C |.
8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10]
; EAX = machine code
00533F0F |. 0FB64418
FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1]
; EAX = character i of the machine code (zero-extended)
00533F14 |. 0FB755 F6 |MOVZX
EDX,WORD PTR SS:[EBP-A] ; EDX = S, the 16-bit sum from loop 1 (0x308 for the author's machine code)
00533F18
|. F7EA |IMUL EDX
00533F1A |.
F7EF |IMUL EDI
00533F1C |. 03C7
|ADD EAX,EDI
00533F1E |. B9 0A000000
|MOV ECX,0A
00533F23 |. 99
|CDQ
00533F24 |. F7F9 |IDIV ECX
00533F26
|. 8BC2 |MOV EAX,EDX
00533F28 |.
8D55 E8 |LEA EDX,DWORD PTR SS:[EBP-18]
00533F2B
|. E8 1853EDFF |CALL 公务员之.00409248
; one digit of the real code: the remainder in EAX is converted to its
; decimal text in [EBP-18]
00533F30
|. 8B55 E8 |MOV EDX,DWORD PTR SS:[EBP-18]
; EDX = that digit as text; append it to [EBP-14]
00533F33 |. 8D45
EC |LEA EAX,DWORD PTR SS:[EBP-14]
00533F36 |.
E8 9D01EDFF |CALL 公务员之.004040D8
00533F3B |. 43
|INC EBX
00533F3C |. 4E
|DEC ESI
00533F3D |.^75 B0
\JNZ SHORT 公务员之.00533EEF
; Store the assembled digit string into the caller's variable (*[EBP-8]).
00533F3F |> 8B45 F8
MOV EAX,DWORD PTR SS:[EBP-8]
00533F42 |. 8B55 EC
MOV EDX,DWORD PTR SS:[EBP-14]
00533F45 |. E8 5AFFECFF
CALL 公务员之.00403EA4
; Unwind the exception frame, then run the cleanup block at 00533F57.
00533F4A |. 33C0
XOR EAX,EAX
00533F4C |. 5A
POP EDX
00533F4D |. 59
POP ECX
00533F4E |. 59
POP ECX
00533F4F |. 64:8910 MOV DWORD PTR
FS:[EAX],EDX
00533F52 |. 68 743F5300 PUSH 公务员之.00533F74
; Cleanup: 00403E74 with EDX=3 on the three consecutive string locals
; starting at [EBP-18] ([EBP-18], [EBP-14], [EBP-10]); 00403E50 on the
; machine-code argument.  Presumably string finalization.
00533F57
|> 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00533F5A
|. BA 03000000 MOV EDX,3
00533F5F |. E8 10FFECFF
CALL 公务员之.00403E74
00533F64 |. 8D45 FC LEA
EAX,DWORD PTR SS:[EBP-4]
00533F67 |. E8 E4FEECFF CALL 公务员之.00403E50
00533F6C
\. C3 RETN
产生注册码总结如下(i 从 1 到机器码长度 len；S 为机器码各字符 ASCII 码之和，二进制中以 16 位字累加并用 MOVZX 读回，见 00533ED4/00533F14；所有中间值均非负，故 IDIV 的余数就是普通取模):
sn[len+1];注册码，每个机器码字符对应一位
for(int i=1;i<=len;i++)
{
Y=(i*i*i+i*i+9*i+3)mod(10);
X=第i位机器码字符的ASCII码(MOVZX零扩展)*S*Y+Y;
sn[i-1]=(X)mod(10);
}
注册机源代码VC6(关键部分):
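/*
 * mod(sourcenum, modnum): remainder of sourcenum divided by modnum.
 *
 * Mirrors the CDQ / IDIV ECX sequence in the key routine (00533F07 and
 * 00533F23), whose operands are never negative there, so C's truncating
 * `%` gives exactly the same result.
 *
 * Fixes versus the original: the parameter was re-declared as a local
 * (a compile error), the subtraction loop worked on the unrelated variable
 * `x` instead of the parameter, and any modnum <= 0 spun forever.
 * modnum <= 0 is now reported as -1 instead of hanging.
 */
int
mod(int sourcenum,int modnum)
{
    if (modnum <= 0)
        return -1;                  /* original looped forever here */
    return sourcenum % modnum;      /* same as IDIV for non-negative inputs */
}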
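// Key generator body (runs inside the IDC_BUTTON4 handler; mc[30] is the
// machine code read from IDC_EDIT1, the result goes to IDC_EDIT2).
// Reproduces call(2) at 00533E78:
//   S     = sum of the character codes of the machine code
//   Y(i)  = (i^3 + i^2 + 9*i + 3) mod 10
//   sn[i] = (mc[i] * S * Y(i) + Y(i)) mod 10      for i = 1..len
char sn[32]={0};   // one digit per machine-code char plus NUL; was [20], too small for a 29-char mc
char tmp[16];      // one digit as text; the original [1] overflowed on sprintf's NUL terminator
int msun=0;        // S, cf. ADD WORD PTR [EBP-A],AX at 00533ED4
int x=0;
int y=0;
int len=0;
GetDlgItemText(dhWnd,IDC_EDIT1,mc,30);
len=strlen(mc);
if (len > (int)sizeof(sn) - 1)   // keep sn safe if mc's size is ever raised
    len = (int)sizeof(sn) - 1;
for(int j=0;j<len;j++)           // was j<=len, which also added the terminating NUL
{
    msun=msun+(unsigned char)mc[j];   // binary uses MOVZX: bytes are unsigned, so cast (plain char is signed in VC6)
}
msun&=0xFFFF;                    // the binary keeps S in a 16-bit word; mirror the wrap
for(int i=1;i<=len;i++)          // one output digit per machine-code character (loop at 00533EEF)
{
    y=i*i*i+i*i+9*i+3;
    y=mod(y,10);
    x=(unsigned char)mc[i-1]*msun*y+y;
    x=mod(x,10);
    sprintf(tmp,"%d",x);
    strcat(sn,tmp);
}
SetDlgItemText(dhWnd,IDC_EDIT2,sn);
return 1;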
机器码:YW99999022986
注册码:0987474943210
03.5.2
- 标 题:公务员之路3.0注册分析
- 作 者:lordor
- 时 间:2003/05/04
08:26pm
- 链 接:http://bbs.pediy.com