对象:网络监测系统PingPlus V2.15
作者:lordor[BCG]
目的:初学破解,属技术交流,无其它目的,请不要任意散布或用于商业用途。
工具:softice,w32Dasm,ollydbg
试炼码:
用户名:lordor[BCG]
注册码:654321
该程序是采用:注册码=f(用户名)的注册方式,详细分析如下
00407086 . E8 6D0C0000 CALL
<JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040708B . 6A 01
PUSH 1
0040708D . 8BCD
MOV ECX,EBP
0040708F . C74424 7C 000>MOV
DWORD PTR SS:[ESP+7C],0
00407097 . E8 E80D0000 CALL
<JMP.&MFC42.#6334_?UpdateData@CWnd@@QAEHH@Z>
0040709C .
8BBD E4000000 MOV EDI,DWORD PTR SS:[EBP+E4]
004070A2 .
83C9 FF OR ECX,FFFFFFFF
004070A5 .
33C0 XOR EAX,EAX
004070A7 .
8D5424 38 LEA EDX,DWORD PTR SS:[ESP+38]
004070AB .
F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004070AD
. F7D1 NOT ECX
004070AF
. 2BF9 SUB EDI,ECX
004070B1 .
8BC1 MOV EAX,ECX
004070B3 .
8BF7 MOV ESI,EDI
004070B5 .
8BFA MOV EDI,EDX
004070B7 .
C1E9 02 SHR ECX,2
004070BA . F3:A5
REP MOVS DWORD PTR ES:[EDI],DWORD PTR
DS:[ESI]
004070BC . 8BC8 MOV
ECX,EAX
004070BE . 33C0 XOR
EAX,EAX
004070C0 . 83E1 03 AND
ECX,3
004070C3 . F3:A4 REP MOVS BYTE
PTR ES:[EDI],BYTE PTR DS:[ESI]
004070C5 . 8D7C24 38
LEA EDI,DWORD PTR SS:[ESP+38]
004070C9 . 83C9 FF
OR ECX,FFFFFFFF
004070CC . F2:AE
REPNE SCAS BYTE PTR ES:[EDI]
004070CE . F7D1
NOT ECX
004070D0 . 49
DEC ECX
004070D1 . 83F9 13
CMP
ECX,13======>比较用户名是否为19位,如不是19位,则在用户名后从字母表中第i位(i 为用户名当前长度)开始补够19位。
004070D4
. 7D 0F JGE SHORT
PingPlus.004070E5
004070D6 > 8AD1
MOV DL,CL
004070D8 . 80C2 41 ADD
DL,41
004070DB . 88540C 38 MOV BYTE PTR
SS:[ESP+ECX+38],DL
004070DF . 41
INC ECX
004070E0 . 83F9 13 CMP
ECX,13
004070E3 .^ 7C F1 JL SHORT
PingPlus.004070D6
==>用户名保存在esp+38处,此为lordor[BCG]LMNOPQRS
004070E5 > 8B4C24 47 MOV ECX,DWORD PTR
SS:[ESP+47]=>从第16位开始取4位用户名,=>PQRS
004070E9 . 8B4424 43
MOV EAX,DWORD PTR SS:[ESP+43]=>从第12位开始取4位用户名,=>LMNO
004070ED
. 8B5424 3A MOV EDX,DWORD PTR
SS:[ESP+3A]=>从第3位开始取4位用户名,=>rdor
004070F1 . 894C24 54
MOV DWORD PTR SS:[ESP+54],ECX=>用户名第16位-19位保存在ESP+54中
004070F5 .
66:8B4C24 42 MOV CX,WORD PTR
SS:[ESP+42]=>从用户名第11位开始,取2位,=>]L
004070FA . 894424 50
MOV DWORD PTR SS:[ESP+50],EAX=>用户名第12位-15位保存在esp+50中
004070FE .
8B4424 3E MOV EAX,DWORD PTR
SS:[ESP+3E]=>从第7位开始,取4位=>[BCG
00407102 . 895424 58
MOV DWORD PTR SS:[ESP+58],EDX=>用户名第3位-6位保存在esp+58中
00407106 .
8A5424 44 MOV DL,BYTE PTR
SS:[ESP+44]=>从第13位开始,取1位,=>M
0040710A . 66:894C24 60 MOV
WORD PTR SS:[ESP+60],CX=>用户名第10-11位存在esp+60中
0040710F . C64424
4B 00 MOV BYTE PTR SS:[ESP+4B],0=>最后一位补0
00407114 . 894424
5C MOV DWORD PTR
SS:[ESP+5C],EAX=>用户名第7位-10位保存在esp+5c中
00407118 . 885424 62
MOV BYTE PTR SS:[ESP+62],DL=>用户名第13位存在esp+62中
0040711C
. C64424 63 00 MOV BYTE PTR SS:[ESP+63],0=>最后一位补0
=>经过此变换,此时用户名存在esp+50,变为:LMNOPQRSrdor[BCG]LM(即第12位到19位为第一部分,第3位到13位为第二部分,两部分接起来。)
00407121 . 33C9 XOR
ECX,ECX=>计数器初始化
00407123 > 0FBE540C 50 MOVSX EDX,BYTE
PTR SS:[ESP+ECX+50]=>串LMNOPQRSrdor[BCG]LM依次入edx
00407128 . BE
1A000000 MOV ESI,1A=>此为26
0040712D . 8D0452
LEA EAX,DWORD PTR DS:[EDX+EDX*2]=>eax=edx*3
00407130 .
C1E0 03 SHL EAX,3===>eax左移3位
00407133 .
2BC2 SUB EAX,EDX=>eax=eax-edx
00407135
. 83C0 1B ADD EAX,1B==>eax=eax+1b
(eax=edx*3*8-edx+1b)
00407138 . 99
CDQ
00407139 . F7FE
IDIV ESI====>eax取26的模
0040713B . 80C2 41
ADD DL,41=>模数+41,即转换为字母
0040713E . 88540C 38
MOV BYTE PTR SS:[ESP+ECX+38],DL=>保存在esp+ecx+38处
00407142 .
41 INC ECX
00407143 .
83F9 13 CMP ECX,13=>循环19次
00407146 .^ 7C
DB JL SHORT PingPlus.00407123====>以上为第一次运算
==>串变为:HEBYVSPMXNGXDLIWIHE
00407148 . BF 1A000000 MOV
EDI,1A==>edi=1a
0040714D . 8D4424 38 LEA
EAX,DWORD PTR SS:[ESP+38]==>开始第二次运算
00407151 . 33F6
XOR ESI,ESI====>计数器初始化
00407153 .
2BF8 SUB
EDI,EAX==>edi=edi-eax
00407155 > 8D4C34 38
LEA ECX,DWORD PTR SS:[ESP+ESI+38]=>串HEBYVSPMXNGXDLIWIHE依次入ecx
00407159
. B8 BC070000 MOV EAX,7BC=>eax=7bc
0040715E . 99
CDQ
0040715F . 8D1C0F
LEA EBX,DWORD PTR
DS:[EDI+ECX]=>ebx=ESI+1a
00407162 . F7FB
IDIV EBX
00407164 . 8BD8
MOV EBX,EAX=>商入ebx
00407166 . 0FBE01
MOVSX EAX,BYTE PTR
DS:[ECX]==>取1位入eax,即为[ESP+ESI+38]
00407169 . 99
CDQ
0040716A . 2BC2
SUB EAX,EDX
0040716C . D1F8
SAR EAX,1=>eax算术右移1位
0040716E . 02D8
ADD BL,AL=>再加上商
=>以上为:7bc除以esi+1a,得商bl,变换的用户名1位(即[ESP+ESI+38])右移1位,得值al,最后bl与al相加,以下是判断得到的(bl+al)值是否在41-5A(大写字母)间如不是则取1a的模数,再加41,即得到第esi位注册码。
00407170 . 80FB 41 CMP
BL,41==>是否小于41,
00407173 . 8819
MOV BYTE PTR DS:[ECX],BL=>保存
00407175 . 7D 10
JGE SHORT
PingPlus.00407187==>如果不小于41则跳过;如果小于41则取1a的模,然后加41,即变为大写字母
00407177 . 0FBEC3
MOVSX EAX,BL
0040717A . 99
CDQ
0040717B . BB 1A000000
MOV EBX,1A
00407180 . F7FB
IDIV EBX
00407182 . 80C2 41 ADD
DL,41
00407185 . 8811 MOV BYTE
PTR DS:[ECX],DL
00407187 > 8A01
MOV AL,BYTE PTR DS:[ECX]
00407189 . 3C 5A
CMP AL,5A==>是否比5A小
0040718B . 7E 10
JLE SHORT PingPlus.0040719D
0040718D . 0FBEC0
MOVSX EAX,AL
00407190 . 99
CDQ
00407191 . BB 1A000000
MOV EBX,1A
00407196 . F7FB
IDIV EBX
00407198 . 80C2 41 ADD
DL,41
0040719B . 8811 MOV BYTE
PTR DS:[ECX],DL
0040719D > 46
INC ESI
0040719E . 83FE 13 CMP
ESI,13==>循环19次,
004071A1 .^ 7C B2 JL
SHORT PingPlus.00407155
004071A3 . 8D4C24 38 LEA
ECX,DWORD PTR SS:[ESP+38]
004071A7 . 8D5424 1C LEA
EDX,DWORD PTR SS:[ESP+1C]
004071AB . 51
PUSH ECX
004071AC . 68 F8D14000 PUSH
PingPlus.0040D1F8
; ASCII
"%s"
004071B1 . 52 PUSH
EDX
004071B2 . E8 EB0C0000 CALL
<JMP.&MFC42.#2818_?format@CString@@QAAXPBDZZ>==>生成注册真码,入ecx,在此下 d
ecx即得真码
004071B7 . 8B85 E8000000 MOV EAX,DWORD PTR
SS:[EBP+E8]==>输入注册码入eax
004071BD . 50
PUSH EAX
; /s2
004071BE . 8B4424
2C MOV EAX,DWORD PTR SS:[ESP+2C]
; |
004071C2
. 50 PUSH EAX
; |s1
004071C3 . FF15 A8A34000 CALL DWORD PTR
DS:[<&MSVCRT._mbscmp>]
; \_mbscmp
004071C9 . 83C4 14
ADD ESP,14
004071CC . 85C0
TEST EAX,EAX
004071CE . 6A 00
PUSH 0
004071D0 0F85 F2010000 JNZ
PingPlus.004073C8==========>关键出错,在此把jnz改为jz即可爆破
004071D6 . 68
54D94000 PUSH PingPlus.0040D954
004071DB . 68 20D94000
PUSH PingPlus.0040D920
004071E0 . 8BCD
MOV ECX,EBP
004071E2 . E8 970C0000
CALL <JMP.&MFC42.#4224_?MessageBoxA@CWnd@@QAEHPBD0I@Z>
004071E7
. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004071EB
. 51 PUSH ECX
004071EC
. E8 490E0000 CALL
<JMP.&MFC42.#3811_?GetTickCount@CTime@@SG?AV1@XZ>
004071F1 .
8D5424 28 LEA EDX,DWORD PTR SS:[ESP+28]
004071F5 .
68 1CD94000 PUSH PingPlus.0040D91C
; ASCII "%Y"
004071FA . 52
PUSH EDX
004071FB . 8D4C24 1C
LEA ECX,DWORD PTR SS:[ESP+1C]
004071FF . E8 300E0000
CALL
<JMP.&MFC42.#2820_?format@CTime@@QBE?AVCString@@PB>
00407204
. 8D4424 24 LEA EAX,DWORD PTR SS:[ESP+24]
00407208
. 68 18D94000 PUSH PingPlus.0040D918
; ASCII "%m"
0040720D . 50
PUSH EAX
0040720E . 8D4C24 1C
LEA ECX,DWORD PTR SS:[ESP+1C]
00407212 . C68424
800000>MOV BYTE PTR SS:[ESP+80],1
0040721A . E8 150E0000
CALL
<JMP.&MFC42.#2820_?format@CTime@@QBE?AVCString@@PB>
0040721F
. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
00407223
. 68 78D44000 PUSH PingPlus.0040D478
; ASCII "%d"
00407228 . B3 02
MOV BL,2
0040722A . 51
PUSH ECX
0040722B . 8D4C24 1C LEA
ECX,DWORD PTR SS:[ESP+1C]
0040722F . 889C24 800000>MOV BYTE
PTR SS:[ESP+80],BL
00407236 . E8 F90D0000 CALL
<JMP.&MFC42.#2820_?format@CTime@@QBE?AVCString@@PB>
0040723B
. 8B5424 28 MOV EDX,DWORD PTR SS:[ESP+28]
0040723F
. 8B3D B4A34000 MOV EDI,DWORD PTR DS:[<&MSVCRT.atoi>]
;
MSVCRT.atoi
00407245 . 52
PUSH EDX
; /s
00407246 . C64424 7C 03
MOV BYTE PTR SS:[ESP+7C],3
; |
0040724B
. FFD7 CALL EDI
;
\atoi
0040724D . 8BF0 MOV
ESI,EAX
0040724F . 8B4424 28 MOV EAX,DWORD PTR
SS:[ESP+28]
00407253 . 50
PUSH EAX
00407254 . FFD7
CALL EDI
00407256 . 8B4C24 28 MOV ECX,DWORD
PTR SS:[ESP+28]
0040725A . 8BE8
MOV EBP,EAX
0040725C . 51
PUSH ECX
0040725D . FFD7
CALL EDI
0040725F . 8D14F6
LEA EDX,DWORD PTR DS:[ESI+ESI*8]
00407262 . 83C4 0C
ADD ESP,0C
00407265 . 8D0CD6
LEA ECX,DWORD PTR DS:[ESI+EDX*8]
00407268 . 8BD5
MOV EDX,EBP
0040726A . 03C1
ADD EAX,ECX
0040726C . 8B35 10A04000
MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegCreateKeyExA>]
; ADVAPI32.RegCreateKeyExA
00407272 . C1E2 04
SHL EDX,4
00407275 . 2BD5
SUB EDX,EBP
00407277 . 8D0488
LEA EAX,DWORD PTR DS:[EAX+ECX*4]
0040727A . 8D8450
ECF9F4>LEA EAX,DWORD PTR DS:[EAX+EDX*2+FFF4F9EC]
00407281 .
8D0440 LEA EAX,DWORD PTR
DS:[EAX+EAX*2]
00407284 . 8D04C0 LEA
EAX,DWORD PTR DS:[EAX+EAX*8]
00407287 . 8D0480
LEA EAX,DWORD PTR DS:[EAX+EAX*4]
0040728A . 8D0480
LEA EAX,DWORD PTR DS:[EAX+EAX*4]
0040728D .
8D0C80 LEA ECX,DWORD PTR
DS:[EAX+EAX*4]
00407290 . 8D4424 30 LEA EAX,DWORD
PTR SS:[ESP+30]
00407294 . 50
PUSH EAX
; /pDisposition
00407295 . 8D14CD
7F0000>LEA EDX,DWORD PTR DS:[ECX*8+7F]
; |
0040729C .
8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
;
|
004072A0 . 51 PUSH
ECX
; |pHandle
004072A1 . 6A 00
PUSH 0
; |pSecurity = NULL
004072A3 .
68 06000200 PUSH 20006
; |Access = KEY_WRITE
004072A8
. 6A 00 PUSH 0
;
|Options = REG_OPTION_NON_VOLATILE
004072AA . 6A 00
PUSH 0
; |Class = NULL
004072AC
. 6A 00 PUSH 0
;
|Reserved = 0
004072AE . 68 E0D84000 PUSH
PingPlus.0040D8E0
; |Subkey =
"Software\Microsoft\Windows\CurrentVersion\Explorer\PDB"
004072B3 .
68 01000080 PUSH 80000001
; |hKey = HKEY_CURRENT_USER
004072B8 .
895424 50 MOV DWORD PTR SS:[ESP+50],EDX
;
|
004072BC . FFD6 CALL ESI
; \RegCreateKeyExA
004072BE . 8B3D 0CA04000 MOV
EDI,DWORD PTR DS:[<&ADVAPI32.RegSetvalueExA>] ;
ADVAPI32.RegSetvalueExA
004072C4 . 8B2D 00A04000 MOV
EBP,DWORD PTR DS:[<&ADVAPI32.RegCloseKey>]
; ADVAPI32.RegCloseKey
004072CA . 85C0
TEST EAX,EAX
004072CC . 75 30
JNZ SHORT PingPlus.004072FE
004072CE . 8B4424 10
MOV EAX,DWORD PTR SS:[ESP+10]
004072D2 . 8D5424 2C
LEA EDX,DWORD PTR SS:[ESP+2C]
004072D6 . 6A 04
PUSH 4
; /BufSize =
4
004072D8 . 52 PUSH
EDX
; |Buffer
004072D9 . 6A 04
PUSH 4
; |valueType = REG_DWORD
004072DB .
6A 00 PUSH 0
; |Reserved
= 0
004072DD . 68 DCD84000 PUSH PingPlus.0040D8DC
; |valueName = "0"
004072E2 .
50 PUSH EAX
;
|hKey
004072E3 . FFD7 CALL EDI
; \RegSetvalueExA
004072E5 . 85C0
TEST EAX,EAX
004072E7 . 74 0E
JE SHORT PingPlus.004072F7
004072E9 . 6A 00
PUSH 0
004072EB . 6A 00
PUSH 0
004072ED . 68 BCD84000 PUSH
PingPlus.0040D8BC
004072F2 . E8 2F0C0000 CALL
<JMP.&MFC42.#1200_?AfxMessageBox@@YGHPBDII@Z>
004072F7 >
8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
004072FB .
51 PUSH ECX
004072FC .
FFD5 CALL EBP
004072FE >
8D5424 30 LEA EDX,DWORD PTR SS:[ESP+30]
00407302 .
8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
00407306 .
52 PUSH EDX
00407307 .
50 PUSH EAX
00407308 .
6A 00 PUSH 0
0040730A . 68
06000200 PUSH 20006
0040730F . 6A 00
PUSH 0
00407311 . 6A 00 PUSH
0
00407313 . 6A 00 PUSH
0
00407315 . 68 84D84000 PUSH PingPlus.0040D884
; ASCII "Software\PingPlus"
0040731A
. 68 01000080 PUSH 80000001
0040731F . FFD6
CALL ESI
00407321 . 85C0
TEST EAX,EAX
00407323 . 75 51
JNZ SHORT PingPlus.00407376
00407325 .
8B5424 18 MOV EDX,DWORD PTR SS:[ESP+18]
00407329 .
51 PUSH ECX
0040732A .
8BCC MOV ECX,ESP
0040732C .
896424 38 MOV DWORD PTR SS:[ESP+38],ESP
00407330 .
8DB2 E4000000 LEA ESI,DWORD PTR DS:[EDX+E4]
00407336 . 56
PUSH ESI
00407337 . E8
F20C0000 CALL
<JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>
0040733C .
8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
00407340 .
E8 EB000000 CALL PingPlus.00407430
00407345 . 8B0E
MOV ECX,DWORD PTR DS:[ESI]
00407347
. 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10]
0040734B
. 8B49 F8 MOV ECX,DWORD PTR DS:[ECX-8]
0040734E
. 41 INC ECX
0040734F
. 51 PUSH ECX
00407350
. 50 PUSH EAX
00407351
. 6A 01 PUSH 1
00407353 .
6A 00 PUSH 0
00407355 . 68
78D84000 PUSH PingPlus.0040D878
;
ASCII "UserName"
0040735A . 52
PUSH EDX
0040735B . FFD7
CALL EDI
0040735D . 85C0
TEST EAX,EAX
0040735F . 74 0E
JE SHORT PingPlus.0040736F
00407361 . 6A 00
PUSH 0
00407363 . 6A 00
PUSH 0
00407365 . 68 ACD84000 PUSH
PingPlus.0040D8AC
0040736A . E8 B70B0000 CALL
<JMP.&MFC42.#1200_?AfxMessageBox@@YGHPBDII@Z>
0040736F >
8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
00407373 .
50 PUSH EAX
-------------------------------------------------------
注册机源码(VC6关键部分):
int len,i=0,j=0;
char
abcd[]={'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z'};
int
tmpint,tmpint2=0;
char
usename[20],usenametmp[20],regcode[20];
for(i=0;i<20;i++)
{
usename[i]=0;
usenametmp[i]=0;
regcode[i]=0;
}
switch(message)
{
case
WM_COMMAND:
switch(LOWORD(wParam))
{
case
IDC_CREATE:
GetDlgItemText(dhWnd,IDC_EDIT1,usename,20);
len=strlen(usename);
if(len<20)
{
for(j=len;j<19;j++)
{
usename[j]=abcd[j];
}
}
for(i=11;i<19;i++)
{
usenametmp[i-11]=usename[i];
}
for(i=2;i<13;i++)
{
usenametmp[i+6]=usename[i];
}
for(i=0;i<19;i++)
{
/*
tmpint=usenametmp[i]+usenametmp[i]*2;//
EAX=EDX+EDX*2
tmpint=tmpint*8; //SHL
EAX,3
tmpint=tmpint-usenametmp[i]; //SUB
EAX,EDX
tmpint=tmpint+27;//ADD
EAX,1B
regcode[i]=abcd[mod(tmpint,26)];//ADD DL,41
*/
tmpint=usenametmp[i]*23+27;
regcode[i]=abcd[mod(tmpint,26)];//ADD
DL,41
}
for(i=0;i<19;i++)
{
tmpint=(int)(1980/(26+i));
tmpint2=regcode[i]/2;//右移1位
tmpint=tmpint+tmpint2;
if(tmpint<65)
{
regcode[i]=abcd[mod(tmpint,26)];
}
else
if(tmpint>90)
{
regcode[i]=abcd[mod(tmpint,26)];
}
else
regcode[i]=tmpint;
}
SetDlgItemText(dhWnd,IDC_EDIT3,regcode);
return
1;
总结:
用户名:lordor[BCG]
注册码:IDZIFAXUYRZTNXUNSRO
注册码转换后保存在:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PDB]
"0"=dword:0e307e77
用户名保存在:
[HKEY_CURRENT_USER\Software\PingPlus]
"UserName"="lordor[BCG]"
cracked by lordor[BCG]
03.5.24