【破文作者】 rdsnow[BCG][PYG][D.4s]
【作者主页】 http://rdsnow.ys168.com
【 E-mail 】 rdsnow@163.com
【 作者QQ 】 83757177
【文章题目】 机器猫安全卫士 V1.0 的注册
【软件名称】 机器猫安全卫士V1.0
【下载地址】 http://shareware.skycn.com/soft/4988.htm
http://www.5idd.cn/Soft_list.asp?So...1&ClassId=5
----------------------------------------------------------------------------------------------
【加密方式】 序列号
【破解工具】 ODbyDYK v1.10[05.09]
【软件限制】 功能限制
【破解平台】 Microsoft Windows XP Professional
【平台版本】 5.1.2600 Service Pack 2 内部版本号 2600
----------------------------------------------------------------------------------------------
【软件简介】
1、把文件加密隐藏到图片中
2、把文件从图片中提取出来同时解密
3、把文件从您的电脑中安全彻底的删除掉
【文章简介】
这是个用Microsoft Visual Basic 5.0 / 6.0 写的小程序,作者在注册算法上花了一些心思,但是加密强度依然有所欠缺,另外在文章的最后大家可以看到程序采用了明码比较,等于把注册码暴露在用户面前,Cracker无论是爆破还是作出内存注册机,只要短短几分钟就可以搞定。
----------------------------------------------------------------------------------------------
【破解过程】
一、脱壳
Scan with PeiD 0.94 得到:UPX-Scrambler RC1.x -> ㎡nT畂L
OD载入:
0044B3DF > 90 NOP ; 停在这儿
0044B3E0 61 POPAD
0044B3E1 BE 00D04200 MOV ESI,机器猫安.0042D000
0044B3E6 8DBE 0040FDFF LEA EDI,[ESI+FFFD4000]
0044B3EC 57 PUSH EDI
0044B3ED 83CD FF OR EBP,FFFFFFFF
0044B3F0 EB 10 JMP SHORT 机器猫安.0044B402
0044B3F2 EB 00 JMP SHORT 机器猫安.0044B3F4
0044B3F4 ^ EB EA JMP SHORT 机器猫安.0044B3E0
0044B3F6 ^ EB E8 JMP SHORT 机器猫安.0044B3E0
单步向下走,遇到循环就用F4跳出循环,走不了几步就到了这里:
0044B53F 55 PUSH EBP
0044B540 FF96 08B70400 CALL [ESI+4B708]
0044B546 09C0 OR EAX,EAX
0044B548 74 07 JE SHORT 机器猫安.0044B551
0044B54A 8903 MOV [EBX],EAX
0044B54C 83C3 04 ADD EBX,4
0044B54F ^ EB D8 JMP SHORT 机器猫安.0044B529 ; 不要向上跳了
0044B551 FF96 0CB70400 CALL [ESI+4B70C]
0044B557 60 PUSHAD
0044B558 - E9 A76DFBFF JMP 机器猫安.00402304 ; 直接在00402304下断吧
跳到这儿:
00402304 68 30264000 PUSH 机器猫安.00402630 ; ASCII "VB5!6&vb6chs.dll"
00402309 E8 EEFFFFFF CALL 机器猫安.004022FC ; JMP to MSVBVM60.ThunRTMain
0040230E 0000 ADD [EAX],AL
典型的VB程序的OEP代码,OEP就是 00402304 了,直接用 OllyDump 脱壳,输入表已经被OllyDump修复好了,Dump 一下可以直接运行。
----------------------------------------------------------------------------------------------
二、注册算法
为了说明程序的注册过程,注释中用了两个初值都是 0 的数组 Box1[8]、Box2[8],另外程序中还用到了一个异或表 XorBox[16]。
运行程序,输入假码 987654321abcd 注册,没有出现注册码错误的对话框,于是命令行下断 Bp rtcMidCharVar
下断后继续注册,程序被拦下,单步走出 MSVBVM60.dll 的领空,走到程序领空,发现正在一个循环里面对机器码处理:
就在下面这个循环里,i 从 1 到机器码 MCode[] 的长度循环, j 的初值赋 1 。
00443514 > /66:8B8D 48FF> MOV CX,[EBP-B8] ; 循环开始
0044351B . |66:038D 48FE> ADD CX,[EBP-1B8]
00443522 . |0F80 190A0000 JO dump.00443F41
00443528 . |66:898D 48FF> MOV [EBP-B8],CX
0044352F > |66:8B95 48FF> MOV DX,[EBP-B8]
00443536 . |66:3B95 44FE> CMP DX,[EBP-1BC] ; 判断是否所有机器码字符都处理完了
0044353D . |0F8F BC010000 JG dump.004436FF ; 都处理了就跳出循环
00443543 . |C745 FC 5D00> MOV DWORD PTR [EBP-4],5D
0044354A . |0FBF85 08FFF> MOVSX EAX,WORD PTR [EBP-F8]
00443551 . |8985 80FEFFFF MOV [EBP-180],EAX
00443557 . |83BD 80FEFFF> CMP DWORD PTR [EBP-180],11
0044355E . |73 0C JNB SHORT dump.0044356C
00443560 . |C785 ACFDFFF> MOV DWORD PTR [EBP-254],0
0044356A . |EB 0C JMP SHORT dump.00443578
0044356C > |FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>; MSVBVM60.__vbaGenerateBoundsError
00443572 . |8985 ACFDFFFF MOV [EBP-254],EAX
00443578 > |C785 F4FEFFF> MOV DWORD PTR [EBP-10C],1
00443582 . |C785 ECFEFFF> MOV DWORD PTR [EBP-114],2
0044358C . |8D8D 40FFFFFF LEA ECX,[EBP-C0]
00443592 . |898D C4FEFFFF MOV [EBP-13C],ECX
00443598 . |C785 BCFEFFF> MOV DWORD PTR [EBP-144],4008
004435A2 . |8D95 ECFEFFFF LEA EDX,[EBP-114]
004435A8 . |52 PUSH EDX
004435A9 . |0FBF85 48FFF> MOVSX EAX,WORD PTR [EBP-B8]
004435B0 . |50 PUSH EAX
004435B1 . |8D8D BCFEFFFF LEA ECX,[EBP-144]
004435B7 . |51 PUSH ECX
004435B8 . |8D95 DCFEFFFF LEA EDX,[EBP-124]
004435BE . |52 PUSH EDX
004435BF . |FF15 D8104000 CALL [<&MSVBVM60.rtcMidCharVar>] ; 取得机器码中的字符 MCode[i]
004435C5 . |0FBF85 08FFF> MOVSX EAX,WORD PTR [EBP-F8]
004435CC . |8985 84FEFFFF MOV [EBP-17C],EAX
004435D2 . |83BD 84FEFFF> CMP DWORD PTR [EBP-17C],11
004435D9 . |73 0C JNB SHORT dump.004435E7
004435DB . |C785 A8FDFFF> MOV DWORD PTR [EBP-258],0
004435E5 . |EB 0C JMP SHORT dump.004435F3
004435E7 > |FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>; MSVBVM60.__vbaGenerateBoundsError
004435ED . |8985 A8FDFFFF MOV [EBP-258],EAX
004435F3 > |8D8D DCFEFFFF LEA ECX,[EBP-124]
004435F9 . |51 PUSH ECX
004435FA . |8D95 FCFEFFFF LEA EDX,[EBP-104]
00443600 . |52 PUSH EDX
00443601 . |FF15 94114000 CALL [<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
00443607 . |50 PUSH EAX
00443608 . |FF15 44104000 CALL [<&MSVBVM60.rtcAnsiValueBstr>; 取 MCode[i] 的 ASC 码
0044360E . |8B8D 80FEFFFF MOV ECX,[EBP-180]
00443614 . |8B95 28FFFFFF MOV EDX,[EBP-D8]
0044361A . |66:8B0C4A MOV CX,[EDX+ECX*2] ; 取 Box1[j]
0044361E . |66:03C8 ADD CX,AX ; MCode[i] + Box1[j]
00443621 . |0F80 1A090000 JO dump.00443F41
00443627 . |66:83F1 12 XOR CX,12 ; 相加结果 ^ 0x12
0044362B . |8B95 84FEFFFF MOV EDX,[EBP-17C]
00443631 . |8B85 28FFFFFF MOV EAX,[EBP-D8]
00443637 . |66:890C50 MOV [EAX+EDX*2],CX ; 结果存回 Box1[j]
0044363B . |8D8D FCFEFFFF LEA ECX,[EBP-104]
00443641 . |FF15 84124000 CALL [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00443647 . |8D8D DCFEFFFF LEA ECX,[EBP-124]
0044364D . |51 PUSH ECX
0044364E . |8D95 ECFEFFFF LEA EDX,[EBP-114]
00443654 . |52 PUSH EDX
00443655 . |6A 02 PUSH 2
00443657 . |FF15 30104000 CALL [<&MSVBVM60.__vbaFreeVarList>; MSVBVM60.__vbaFreeVarList
0044365D . |83C4 0C ADD ESP,0C
00443660 . |C745 FC 5E00> MOV DWORD PTR [EBP-4],5E
00443667 . |0FBF85 08FFF> MOVSX EAX,WORD PTR [EBP-F8]
0044366E . |8985 84FEFFFF MOV [EBP-17C],EAX
00443674 . |83BD 84FEFFF> CMP DWORD PTR [EBP-17C],11
0044367B . |73 0C JNB SHORT dump.00443689
0044367D . |C785 A4FDFFF> MOV DWORD PTR [EBP-25C],0
00443687 . |EB 0C JMP SHORT dump.00443695
00443689 > |FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>; MSVBVM60.__vbaGenerateBoundsError
0044368F . |8985 A4FDFFFF MOV [EBP-25C],EAX
00443695 > |8B8D 84FEFFFF MOV ECX,[EBP-17C]
0044369B . |8B95 28FFFFFF MOV EDX,[EBP-D8]
004436A1 . |66:8B45 B4 MOV AX,[EBP-4C]
004436A5 . |66:03044A ADD AX,[EDX+ECX*2] ; 将每轮循环结果求和,得到结果 Result1
004436A9 . |0F80 92080000 JO dump.00443F41
004436AF . |66:8945 B4 MOV [EBP-4C],AX ; 保存相加的结果 Result1
004436B3 . |C745 FC 5F00> MOV DWORD PTR [EBP-4],5F
004436BA . |66:8B8D 08FF> MOV CX,[EBP-F8]
004436C1 . |66:83C1 01 ADD CX,1 ; j = j + 1
004436C5 . |0F80 76080000 JO dump.00443F41
004436CB . |66:898D 08FF> MOV [EBP-F8],CX
004436D2 . |C745 FC 6000> MOV DWORD PTR [EBP-4],60
004436D9 . |66:83BD 08FF> CMP WORD PTR [EBP-F8],9 ; 判断 j 是否等于 9
004436E1 . |75 10 JNZ SHORT dump.004436F3
004436E3 . |C745 FC 6100> MOV DWORD PTR [EBP-4],61
004436EA . |66:C785 08FF> MOV WORD PTR [EBP-F8],1 ; if (j==9) j = 1
004436F3 > |C745 FC 6300> MOV DWORD PTR [EBP-4],63
004436FA .^\E9 15FEFFFF JMP dump.00443514 ; 跳上去继续循环
----------------------------------------------------------------------------------------------
004436FF > C745 FC 6400> MOV DWORD PTR [EBP-4],64
00443706 . 66:8B55 DC MOV DX,[EBP-24]
0044370A . 66:8995 3CFE> MOV [EBP-1C4],DX
00443711 . 66:C785 40FE> MOV WORD PTR [EBP-1C0],1
0044371A . 66:C785 48FF> MOV WORD PTR [EBP-B8],1
00443723 . EB 1B JMP SHORT dump.00443740
跳出循环后,又再次进入一个类似的循环,这次不是针对机器码处理了,而是对另外一个字符串String[22]={"SUY2TjhXRjQ2QjdIVThKSA"}处理。使用了另外一个数组 Box2[8],循环时 i 从 1 到 22,j 的初值接着上轮循环。
00443725 > 66:8B85 48FF> MOV AX,[EBP-B8] ; 循环开始
0044372C . 66:0385 40FE> ADD AX,[EBP-1C0]
00443733 . 0F80 08080000 JO dump.00443F41
00443739 . 66:8985 48FF> MOV [EBP-B8],AX
00443740 > 66:8B8D 48FF> MOV CX,[EBP-B8]
00443747 . 66:3B8D 3CFE> CMP CX,[EBP-1C4] ; 是否 String 中每个字符都处理了
0044374E . 0F8F B0010000 JG dump.00443904 ; 都处理了就跳出循环
00443754 . C745 FC 6500> MOV DWORD PTR [EBP-4],65
0044375B . 0FBF95 08FFF> MOVSX EDX,WORD PTR [EBP-F8]
00443762 . 8995 80FEFFFF MOV [EBP-180],EDX
00443768 . 83BD 80FEFFF> CMP DWORD PTR [EBP-180],11
0044376F . 73 0C JNB SHORT dump.0044377D
00443771 . C785 A0FDFFF> MOV DWORD PTR [EBP-260],0
0044377B . EB 0C JMP SHORT dump.00443789
0044377D > FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>; MSVBVM60.__vbaGenerateBoundsError
00443783 . 8985 A0FDFFFF MOV [EBP-260],EAX
00443789 > C785 F4FEFFF> MOV DWORD PTR [EBP-10C],1
00443793 . C785 ECFEFFF> MOV DWORD PTR [EBP-114],2
0044379D . 8B45 0C MOV EAX,[EBP+C]
004437A0 . 8985 C4FEFFFF MOV [EBP-13C],EAX
004437A6 . C785 BCFEFFF> MOV DWORD PTR [EBP-144],4008
004437B0 . 8D8D ECFEFFFF LEA ECX,[EBP-114]
004437B6 . 51 PUSH ECX
004437B7 . 0FBF95 48FFF> MOVSX EDX,WORD PTR [EBP-B8]
004437BE . 52 PUSH EDX
004437BF . 8D85 BCFEFFFF LEA EAX,[EBP-144]
004437C5 . 50 PUSH EAX
004437C6 . 8D8D DCFEFFFF LEA ECX,[EBP-124]
004437CC . 51 PUSH ECX
004437CD . FF15 D8104000 CALL [<&MSVBVM60.rtcMidCharVar>] ; 取字符串中的每个字符 String[i]
004437D3 . 0FBF95 08FFF> MOVSX EDX,WORD PTR [EBP-F8]
004437DA . 8995 84FEFFFF MOV [EBP-17C],EDX
004437E0 . 83BD 84FEFFF> CMP DWORD PTR [EBP-17C],11
004437E7 . 73 0C JNB SHORT dump.004437F5
004437E9 . C785 9CFDFFF> MOV DWORD PTR [EBP-264],0
004437F3 . EB 0C JMP SHORT dump.00443801
004437F5 > FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>; MSVBVM60.__vbaGenerateBoundsError
004437FB . 8985 9CFDFFFF MOV [EBP-264],EAX
00443801 > 8D85 DCFEFFFF LEA EAX,[EBP-124]
00443807 . 50 PUSH EAX
00443808 . 8D8D FCFEFFFF LEA ECX,[EBP-104]
0044380E . 51 PUSH ECX
0044380F . FF15 94114000 CALL [<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
00443815 . 50 PUSH EAX
00443816 . FF15 44104000 CALL [<&MSVBVM60.rtcAnsiValueBstr>; 取 String[i] 的 ASC 码
0044381C . 8B95 80FEFFFF MOV EDX,[EBP-180]
00443822 . 8B4D 80 MOV ECX,[EBP-80]
00443825 . 66:8B1451 MOV DX,[ECX+EDX*2] ; 取 Box2[j]
00443829 . 66:03D0 ADD DX,AX ; String[i] + Box2[j]
0044382C . 0F80 0F070000 JO dump.00443F41
00443832 . 66:83F2 19 XOR DX,19 ; 相加结果 ^ 0x19
00443836 . 8B85 84FEFFFF MOV EAX,[EBP-17C]
0044383C . 8B4D 80 MOV ECX,[EBP-80]
0044383F . 66:891441 MOV [ECX+EAX*2],DX ; 结果存回 Box2[j]
00443843 . 8D8D FCFEFFFF LEA ECX,[EBP-104]
00443849 . FF15 84124000 CALL [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0044384F . 8D95 DCFEFFFF LEA EDX,[EBP-124]
00443855 . 52 PUSH EDX
00443856 . 8D85 ECFEFFFF LEA EAX,[EBP-114]
0044385C . 50 PUSH EAX
0044385D . 6A 02 PUSH 2
0044385F . FF15 30104000 CALL [<&MSVBVM60.__vbaFreeVarList>; MSVBVM60.__vbaFreeVarList
00443865 . 83C4 0C ADD ESP,0C
00443868 . C745 FC 6600> MOV DWORD PTR [EBP-4],66
0044386F . 0FBF8D 08FFF> MOVSX ECX,WORD PTR [EBP-F8]
00443876 . 898D 84FEFFFF MOV [EBP-17C],ECX
0044387C . 83BD 84FEFFF> CMP DWORD PTR [EBP-17C],11
00443883 . 73 0C JNB SHORT dump.00443891
00443885 . C785 98FDFFF> MOV DWORD PTR [EBP-268],0
0044388F . EB 0C JMP SHORT dump.0044389D
00443891 > FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>; MSVBVM60.__vbaGenerateBoundsError
00443897 . 8985 98FDFFFF MOV [EBP-268],EAX
0044389D > 8B95 84FEFFFF MOV EDX,[EBP-17C]
004438A3 . 8B45 80 MOV EAX,[EBP-80]
004438A6 . 66:8B4D A8 MOV CX,[EBP-58]
004438AA . 66:030C50 ADD CX,[EAX+EDX*2] ; 将每轮循环结果求和,得到 Result2
004438AE . 0F80 8D060000 JO dump.00443F41
004438B4 . 66:894D A8 MOV [EBP-58],CX ; 保存相加结果 Resule2
004438B8 . C745 FC 6700> MOV DWORD PTR [EBP-4],67
004438BF . 66:8B95 08FF> MOV DX,[EBP-F8]
004438C6 . 66:83C2 01 ADD DX,1 ; j = j + 1
004438CA . 0F80 71060000 JO dump.00443F41
004438D0 . 66:8995 08FF> MOV [EBP-F8],DX ; 保存 j
004438D7 . C745 FC 6800> MOV DWORD PTR [EBP-4],68
004438DE . 66:83BD 08FF> CMP WORD PTR [EBP-F8],9 ; 判断 j 是否等于 9
004438E6 . 75 10 JNZ SHORT dump.004438F8
004438E8 . C745 FC 6900> MOV DWORD PTR [EBP-4],69
004438EF . 66:C785 08FF> MOV WORD PTR [EBP-F8],1 ; if (j==9) j = 1
004438F8 > C745 FC 6B00> MOV DWORD PTR [EBP-4],6B
004438FF .^ E9 21FEFFFF JMP dump.00443725 ; 跳上去继续循环
----------------------------------------------------------------------------------------------
00443904 > C745 FC 6C00> MOV DWORD PTR [EBP-4],6C
0044390B . 66:8B45 B4 MOV AX,[EBP-4C]
0044390F . 66:0345 A8 ADD AX,[EBP-58] ; Result1 + Result2
00443913 . 0F80 28060000 JO dump.00443F41
00443919 . 66:25 FF01 AND AX,1FF ; ( Result1 + Result2 ) & 0x1FF 得到 Result3
0044391D . 79 08 JNS SHORT dump.00443927
0044391F . 66:48 DEC AX
00443921 . 66:0D 00FE OR AX,0FE00
00443925 . 66:40 INC AX
00443927 > 66:8985 50FF> MOV [EBP-B0],AX
0044392E . C745 FC 6D00> MOV DWORD PTR [EBP-4],6D
00443935 . 66:C785 08FF> MOV WORD PTR [EBP-F8],1
0044393E . C745 FC 6E00> MOV DWORD PTR [EBP-4],6E
00443945 . 66:C785 0CFF> MOV WORD PTR [EBP-F4],1
0044394E . C745 FC 6F00> MOV DWORD PTR [EBP-4],6F
00443955 . 66:8B4D B8 MOV CX,[EBP-48]
00443959 . 66:898D 34FE> MOV [EBP-1CC],CX
00443960 . 66:C785 38FE> MOV WORD PTR [EBP-1C8],1
00443969 . 66:C785 48FF> MOV WORD PTR [EBP-B8],1
00443972 . EB 1B JMP SHORT dump.0044398F
下面进入一个很长的循环,主要作用是利用 Box1[8] 、Box2[8]、Result3 去跟异或表 XorBox[22] 运算后查密码表,得到真码。
00443974 > 66:8B95 48FF> MOV DX,[EBP-B8] ; 循环开始
0044397B . 66:0395 38FE> ADD DX,[EBP-1C8]
00443982 . 0F80 B9050000 JO dump.00443F41
00443988 . 66:8995 48FF> MOV [EBP-B8],DX
0044398F > 66:8B85 48FF> MOV AX,[EBP-B8]
00443996 . 66:3B85 34FE> CMP AX,[EBP-1CC] ; 判断是否循环了 8 次
0044399D . 0F8F 32040000 JG dump.00443DD5
004439A3 . C745 FC 7000> MOV DWORD PTR [EBP-4],70
004439AA . 0FBF8D 48FFF> MOVSX ECX,WORD PTR [EBP-B8]
004439B1 . 898D 80FEFFFF MOV [EBP-180],ECX
004439B7 . 83BD 80FEFFF> CMP DWORD PTR [EBP-180],11
004439BE . 73 0C JNB SHORT dump.004439CC
004439C0 . C785 94FDFFF> MOV DWORD PTR [EBP-26C],0
004439CA . EB 0C JMP SHORT dump.004439D8
004439CC > FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>; MSVBVM60.__vbaGenerateBoundsError
004439D2 . 8985 94FDFFFF MOV [EBP-26C],EAX
004439D8 > 0FBF95 48FFF> MOVSX EDX,WORD PTR [EBP-B8]
004439DF . 8995 7CFEFFFF MOV [EBP-184],EDX
004439E5 . 83BD 7CFEFFF> CMP DWORD PTR [EBP-184],11
004439EC . 73 0C JNB SHORT dump.004439FA
004439EE . C785 90FDFFF> MOV DWORD PTR [EBP-270],0
004439F8 . EB 0C JMP SHORT dump.00443A06
004439FA > FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>; MSVBVM60.__vbaGenerateBoundsError
00443A00 . 8985 90FDFFFF MOV [EBP-270],EAX
00443A06 > 0FBF85 48FFF> MOVSX EAX,WORD PTR [EBP-B8]
00443A0D . 8985 84FEFFFF MOV [EBP-17C],EAX
00443A13 . 83BD 84FEFFF> CMP DWORD PTR [EBP-17C],11
00443A1A . 73 0C JNB SHORT dump.00443A28
00443A1C . C785 8CFDFFF> MOV DWORD PTR [EBP-274],0
00443A26 . EB 0C JMP SHORT dump.00443A34
00443A28 > FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>; MSVBVM60.__vbaGenerateBoundsError
00443A2E . 8985 8CFDFFFF MOV [EBP-274],EAX
00443A34 > 8B8D 80FEFFFF MOV ECX,[EBP-180]
00443A3A . 8B55 80 MOV EDX,[EBP-80]
00443A3D . 8B85 7CFEFFFF MOV EAX,[EBP-184]
00443A43 . 8B75 CC MOV ESI,[EBP-34]
00443A46 . 66:8B0C4A MOV CX,[EDX+ECX*2] ; 取 Box2[i]
00443A4A . 66:330C46 XOR CX,[ESI+EAX*2] ; Box2[i] ^ XorBox[i]
00443A4E . 8B95 84FEFFFF MOV EDX,[EBP-17C]
00443A54 . 8B45 80 MOV EAX,[EBP-80]
00443A57 . 66:890C50 MOV [EAX+EDX*2],CX ; 结果存回 Box2[i]
00443A5B . C745 FC 7100> MOV DWORD PTR [EBP-4],71
00443A62 . 0FBF8D 48FFF> MOVSX ECX,WORD PTR [EBP-B8]
00443A69 . 898D 84FEFFFF MOV [EBP-17C],ECX
00443A6F . 83BD 84FEFFF> CMP DWORD PTR [EBP-17C],11
00443A76 . 73 0C JNB SHORT dump.00443A84
00443A78 . C785 88FDFFF> MOV DWORD PTR [EBP-278],0
00443A82 . EB 0C JMP SHORT dump.00443A90
00443A84 > FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>; MSVBVM60.__vbaGenerateBoundsError
00443A8A . 8985 88FDFFFF MOV [EBP-278],EAX
00443A90 > 0FBF95 48FFF> MOVSX EDX,WORD PTR [EBP-B8]
00443A97 . 8995 80FEFFFF MOV [EBP-180],EDX
00443A9D . 83BD 80FEFFF> CMP DWORD PTR [EBP-180],11
00443AA4 . 73 0C JNB SHORT dump.00443AB2
00443AA6 . C785 84FDFFF> MOV DWORD PTR [EBP-27C],0
00443AB0 . EB 0C JMP SHORT dump.00443ABE
00443AB2 > FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>; MSVBVM60.__vbaGenerateBoundsError
00443AB8 . 8985 84FDFFFF MOV [EBP-27C],EAX
00443ABE > 8B85 84FEFFFF MOV EAX,[EBP-17C]
00443AC4 . 8B8D 28FFFFFF MOV ECX,[EBP-D8]
00443ACA . 8B95 80FEFFFF MOV EDX,[EBP-180]
00443AD0 . 8B75 80 MOV ESI,[EBP-80]
00443AD3 . 66:8B0441 MOV AX,[ECX+EAX*2] ; 取 Box1[i]
00443AD7 . 66:330456 XOR AX,[ESI+EDX*2] ; Box1[i] ^ Box2[i]
00443ADB . 66:8BC8 MOV CX,AX
00443ADE . 66:81E1 FF01 AND CX,1FF ; ( Box2[i] ^ Box2[i] ) & 0x1FF
00443AE3 . 79 09 JNS SHORT dump.00443AEE
00443AE5 . 66:49 DEC CX
00443AE7 . 66:81C9 00FE OR CX,0FE00
00443AEC . 66:41 INC CX
00443AEE > 66:2B8D 50FF> SUB CX,[EBP-B0] ; 结果 - Rusult3
00443AF5 . 0F80 46040000 JO dump.00443F41
00443AFB . FF15 54104000 CALL [<&MSVBVM60.__vbaI2Abs>] ; 取绝对值,得到 Result4
00443B01 . 66:8985 10FF> MOV [EBP-F0],AX
00443B08 . C745 FC 7200> MOV DWORD PTR [EBP-4],72
00443B0F . 8B4D 10 MOV ECX,[EBP+10]
00443B12 . 66:8339 03 CMP WORD PTR [ECX],3
00443B16 . 0F85 10020000 JNZ dump.00443D2C
00443B1C . C745 FC 7300> MOV DWORD PTR [EBP-4],73
00443B23 . 66:83BD 10FF> CMP WORD PTR [EBP-F0],10
00443B2B . 0F8D B3000000 JGE dump.00443BE4
00443B31 . C745 FC 7400> MOV DWORD PTR [EBP-4],74
00443B38 . C785 B4FEFFF> MOV DWORD PTR [EBP-14C],dump.004>
00443B42 . C785 ACFEFFF> MOV DWORD PTR [EBP-154],8
00443B4C . 8D95 10FFFFFF LEA EDX,[EBP-F0]
00443B52 . 8995 C4FEFFFF MOV [EBP-13C],EDX
00443B58 . C785 BCFEFFF> MOV DWORD PTR [EBP-144],4002
00443B62 . 8D85 BCFEFFFF LEA EAX,[EBP-144]
00443B68 . 50 PUSH EAX
00443B69 . 8D8D ECFEFFFF LEA ECX,[EBP-114]
00443B6F . 51 PUSH ECX
00443B70 . FF15 E8114000 CALL [<&MSVBVM60.rtcHexVarFromVar>; MSVBVM60.rtcHexVarFromVar
00443B76 . 8D55 B0 LEA EDX,[EBP-50]
00443B79 . 52 PUSH EDX
00443B7A . 0FBF85 08FFF> MOVSX EAX,WORD PTR [EBP-F8]
00443B81 . 50 PUSH EAX
00443B82 . 6A 02 PUSH 2
00443B84 . 8D8D ACFEFFFF LEA ECX,[EBP-154]
00443B8A . 51 PUSH ECX
00443B8B . 8D95 ECFEFFFF LEA EDX,[EBP-114]
00443B91 . 52 PUSH EDX
00443B92 . 8D85 DCFEFFFF LEA EAX,[EBP-124]
00443B98 . 50 PUSH EAX
00443B99 . FF15 9C114000 CALL [<&MSVBVM60.__vbaVarCat>] ; MSVBVM60.__vbaVarCat
00443B9F . 50 PUSH EAX
00443BA0 . FF15 24104000 CALL [<&MSVBVM60.__vbaStrVarMove>>; MSVBVM60.__vbaStrVarMove
00443BA6 . 8BD0 MOV EDX,EAX
00443BA8 . 8D8D FCFEFFFF LEA ECX,[EBP-104]
00443BAE . FF15 50124000 CALL [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00443BB4 . 50 PUSH EAX
00443BB5 . 6A 00 PUSH 0
00443BB7 . FF15 78124000 CALL [<&MSVBVM60.__vbaMidStmtBstr>; MSVBVM60.__vbaMidStmtBstr
00443BBD . 8D8D FCFEFFFF LEA ECX,[EBP-104]
00443BC3 . FF15 84124000 CALL [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00443BC9 . 8D8D DCFEFFFF LEA ECX,[EBP-124]
00443BCF . 51 PUSH ECX
00443BD0 . 8D95 ECFEFFFF LEA EDX,[EBP-114]
00443BD6 . 52 PUSH EDX
00443BD7 . 6A 02 PUSH 2
00443BD9 . FF15 30104000 CALL [<&MSVBVM60.__vbaFreeVarList>; MSVBVM60.__vbaFreeVarList
00443BDF . 83C4 0C ADD ESP,0C
00443BE2 . EB 7B JMP SHORT dump.00443C5F
00443BE4 > C745 FC 7600> MOV DWORD PTR [EBP-4],76
00443BEB . 8D85 10FFFFFF LEA EAX,[EBP-F0]
00443BF1 . 8985 C4FEFFFF MOV [EBP-13C],EAX
00443BF7 . C785 BCFEFFF> MOV DWORD PTR [EBP-144],4002
00443C01 . 8D8D BCFEFFFF LEA ECX,[EBP-144]
00443C07 . 51 PUSH ECX
00443C08 . 8D95 ECFEFFFF LEA EDX,[EBP-114]
00443C0E . 52 PUSH EDX
00443C0F . FF15 E8114000 CALL [<&MSVBVM60.rtcHexVarFromVar>; 将 Result4 转化为十六进制文本
00443C15 . 8D45 B0 LEA EAX,[EBP-50]
00443C18 . 50 PUSH EAX
00443C19 . 0FBF8D 08FFF> MOVSX ECX,WORD PTR [EBP-F8]
00443C20 . 51 PUSH ECX
00443C21 . 6A 02 PUSH 2
00443C23 . 8D95 ECFEFFFF LEA EDX,[EBP-114]
00443C29 . 52 PUSH EDX
00443C2A . FF15 24104000 CALL [<&MSVBVM60.__vbaStrVarMove>>; MSVBVM60.__vbaStrVarMove
00443C30 . 8BD0 MOV EDX,EAX
00443C32 . 8D8D FCFEFFFF LEA ECX,[EBP-104]
00443C38 . FF15 50124000 CALL [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00443C3E . 50 PUSH EAX
00443C3F . 6A 00 PUSH 0
00443C41 . FF15 78124000 CALL [<&MSVBVM60.__vbaMidStmtBstr>; 取每轮结果的前两位,连接得到真码
00443C47 . 8D8D FCFEFFFF LEA ECX,[EBP-104]
00443C4D . FF15 84124000 CALL [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00443C53 . 8D8D ECFEFFFF LEA ECX,[EBP-114]
00443C59 . FF15 20104000 CALL [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00443C5F > C745 FC 7800> MOV DWORD PTR [EBP-4],78
00443C66 . 66:83BD 0CFF> CMP WORD PTR [EBP-F4],2 ; 判断是否是不是 2
00443C6E . 75 58 JNZ SHORT dump.00443CC8
00443C70 . 66:83BD 08FF> CMP WORD PTR [EBP-F8],12
00443C78 . 7D 4E JGE SHORT dump.00443CC8
00443C7A . C745 FC 7900> MOV DWORD PTR [EBP-4],79
00443C81 . 66:8B85 08FF> MOV AX,[EBP-F8]
00443C88 . 66:05 0100 ADD AX,1
00443C8C . 0F80 AF020000 JO dump.00443F41
00443C92 . 66:8985 08FF> MOV [EBP-F8],AX
00443C99 . C745 FC 7A00> MOV DWORD PTR [EBP-4],7A
00443CA0 . 8D4D B0 LEA ECX,[EBP-50]
00443CA3 . 51 PUSH ECX
00443CA4 . 66:8B95 08FF> MOV DX,[EBP-F8]
00443CAB . 66:83C2 01 ADD DX,1
00443CAF . 0F80 8C020000 JO dump.00443F41
00443CB5 . 0FBFC2 MOVSX EAX,DX
00443CB8 . 50 PUSH EAX
00443CB9 . 6A 01 PUSH 1
00443CBB . 68 689E4000 PUSH dump.00409E68
00443CC0 . 6A 00 PUSH 0
00443CC2 . FF15 78124000 CALL [<&MSVBVM60.__vbaMidStmtBstr>; 如果是 2 ,在注册码上接上 "-"
00443CC8 > C745 FC 7C00> MOV DWORD PTR [EBP-4],7C
00443CCF . 66:8B8D 08FF> MOV CX,[EBP-F8]
00443CD6 . 66:83C1 02 ADD CX,2
00443CDA . 0F80 61020000 JO dump.00443F41
00443CE0 . 66:898D 08FF> MOV [EBP-F8],CX
00443CE7 . C745 FC 7D00> MOV DWORD PTR [EBP-4],7D
00443CEE . 66:8B95 0CFF> MOV DX,[EBP-F4]
00443CF5 . 66:83C2 01 ADD DX,1
00443CF9 . 0F80 42020000 JO dump.00443F41
00443CFF . 66:8995 0CFF> MOV [EBP-F4],DX
00443D06 . C745 FC 7E00> MOV DWORD PTR [EBP-4],7E
00443D0D . 66:83BD 0CFF> CMP WORD PTR [EBP-F4],3
00443D15 . 75 10 JNZ SHORT dump.00443D27
00443D17 . C745 FC 7F00> MOV DWORD PTR [EBP-4],7F
00443D1E . 66:C785 0CFF> MOV WORD PTR [EBP-F4],1
00443D27 > E9 9D000000 JMP dump.00443DC9
00443D2C > C745 FC 8200> MOV DWORD PTR [EBP-4],82
00443D33 . 0FBF85 10FFF> MOVSX EAX,WORD PTR [EBP-F0]
00443D3A . 8985 84FEFFFF MOV [EBP-17C],EAX
00443D40 . 81BD 84FEFFF> CMP DWORD PTR [EBP-17C],201
00443D4A . 73 0C JNB SHORT dump.00443D58
00443D4C . C785 80FDFFF> MOV DWORD PTR [EBP-280],0
00443D56 . EB 0C JMP SHORT dump.00443D64
00443D58 > FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>; MSVBVM60.__vbaGenerateBoundsError
00443D5E . 8985 80FDFFFF MOV [EBP-280],EAX
00443D64 > 8B8D 84FEFFFF MOV ECX,[EBP-17C]
00443D6A . 8B55 9C MOV EDX,[EBP-64]
00443D6D . 0FBF044A MOVSX EAX,WORD PTR [EDX+ECX*2]
00443D71 . 50 PUSH EAX
00443D72 . 8D8D ECFEFFFF LEA ECX,[EBP-114]
00443D78 . 51 PUSH ECX
00443D79 . FF15 7C114000 CALL [<&MSVBVM60.rtcVarBstrFromAn>; MSVBVM60.rtcVarBstrFromAnsi
00443D7F . 8D55 B0 LEA EDX,[EBP-50]
00443D82 . 52 PUSH EDX
00443D83 . 0FBF85 48FFF> MOVSX EAX,WORD PTR [EBP-B8]
00443D8A . 50 PUSH EAX
00443D8B . 6A 01 PUSH 1
00443D8D . 8D8D ECFEFFFF LEA ECX,[EBP-114]
00443D93 . 51 PUSH ECX
00443D94 . FF15 24104000 CALL [<&MSVBVM60.__vbaStrVarMove>>; MSVBVM60.__vbaStrVarMove
00443D9A . 8BD0 MOV EDX,EAX
00443D9C . 8D8D FCFEFFFF LEA ECX,[EBP-104]
00443DA2 . FF15 50124000 CALL [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
00443DA8 . 50 PUSH EAX
00443DA9 . 6A 00 PUSH 0
00443DAB . FF15 78124000 CALL [<&MSVBVM60.__vbaMidStmtBstr>; MSVBVM60.__vbaMidStmtBstr
00443DB1 . 8D8D FCFEFFFF LEA ECX,[EBP-104]
00443DB7 . FF15 84124000 CALL [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
00443DBD . 8D8D ECFEFFFF LEA ECX,[EBP-114]
00443DC3 . FF15 20104000 CALL [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00443DC9 > C745 FC 8400> MOV DWORD PTR [EBP-4],84
00443DD0 .^ E9 9FFBFFFF JMP dump.00443974 ; 跳上去循环
到这里终于循环结束了,大概作用就是:
( Result3 & 0x1FF ) - ( Box1[i] ^ Box2[i] ^ XorBox[i] & 0x1FF )
然后再取绝对值,用得到的结果去查密码字符表,连接就得到真码了,以上循环中在注册码中添加了 "-" 是没有用的,因为后来程序中又把 "-" 去掉了。
00443DD5 > C745 FC 8500> MOV DWORD PTR [EBP-4],85
00443DDC . 6A 00 PUSH 0
00443DDE . 6A FF PUSH -1
00443DE0 . 6A 01 PUSH 1
00443DE2 . 68 587A4000 PUSH dump.00407A58
00443DE7 . 68 689E4000 PUSH dump.00409E68
00443DEC . 8B55 B0 MOV EDX,[EBP-50]
00443DEF . 52 PUSH EDX
00443DF0 . FF15 64114000 CALL [<&MSVBVM60.rtcReplace>] ; 去掉注册码中的"-"
00443DF6 . 8BD0 MOV EDX,EAX
----------------------------------------------------------------------------------------------
以上是生成真码的过程,跟着代码走,Retn 后,就可到了真码和假码比较的地方。
004336DE > \8D45 A4 LEA EAX,[EBP-5C]
004336E1 . 50 PUSH EAX
004336E2 . 8D4D D8 LEA ECX,[EBP-28]
004336E5 . 51 PUSH ECX
004336E6 . 8D55 A8 LEA EDX,[EBP-58]
004336E9 . 52 PUSH EDX
004336EA . E8 71EB0000 CALL dump.00442260 ; 得到真码
004336EF . 8BD0 MOV EDX,EAX
004336F1 . 8D4D D0 LEA ECX,[EBP-30]
004336F4 . FF15 50124000 CALL [<&MSVBVM60.__vbaStrMove>] ; MSVBVM60.__vbaStrMove
004336FA . 50 PUSH EAX
004336FB . 8B45 D4 MOV EAX,[EBP-2C]
004336FE . 50 PUSH EAX
004336FF . FF15 F4104000 CALL [<&MSVBVM60.__vbaStrCmp>] ; 真码和假码比较
00433705 . 8BF8 MOV EDI,EAX
00433707 . F7DF NEG EDI
00433709 . 1BFF SBB EDI,EDI
0043370B . 47 INC EDI
0043370C . F7DF NEG EDI
0043370E . 8D4D D4 LEA ECX,[EBP-2C]
00433711 . 51 PUSH ECX
00433712 . 8D55 D0 LEA EDX,[EBP-30]
00433715 . 52 PUSH EDX
00433716 . 8D45 D8 LEA EAX,[EBP-28]
00433719 . 50 PUSH EAX
0043371A . 6A 03 PUSH 3
0043371C . FF15 F4114000 CALL [<&MSVBVM60.__vbaFreeStrList>; MSVBVM60.__vbaFreeStrList
00433722 . 8D4D B8 LEA ECX,[EBP-48]
00433725 . 51 PUSH ECX
00433726 . 8D55 BC LEA EDX,[EBP-44]
00433729 . 52 PUSH EDX
0043372A . 6A 02 PUSH 2
0043372C . FF15 40104000 CALL [<&MSVBVM60.__vbaFreeObjList>; MSVBVM60.__vbaFreeObjList
00433732 . 83C4 1C ADD ESP,1C
00433735 . 8D4D A8 LEA ECX,[EBP-58]
00433738 . FF15 20104000 CALL [<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0043373E . 66:3BFB CMP DI,BX
00433741 . 0F84 EB010000 JE dump.00433932 ; 爆破点
00433747 . 8B06 MOV EAX,[ESI]
一个典型的明码比较。
----------------------------------------------------------------------------------------------
【破解心得】
程序将机器码的每一位 MCode[i] Xor 0x12 ,并将每一轮结果依次保存到 Box1 中 ,如果 i 超过 8 ,就重新回到box1的第一位填充,同时计算出每轮运算结果的总和 result1 。
然后再对另外一个固定字符串 "SUY2TjhXRjQ2QjdIVThKSA" 的每一位 String[i] Xor 0x19 ,并将每一轮结果依次保存到 Box2 中 ,如果 i 超过 8 ,就重新回到box2的第一位填充,(注意,如果上轮循环填充到 Box1 的第三位,Box2 就从第四位开始填充,接着对 Box1 填充的位置数),同时计算出每轮运算结果的总和 result2 。
[( Rusult1 + Rusult2 ) & 0x1FF ] - ( Box1[i] ^ Box2[i] ^ XorBox[i] & 0x1FF )
然后结果去绝对值,转换为十六进制文本,将每轮结果连接就得到真码。
新的一年又来了,过去的一年对于不是非常的顺利,希望新的一年能够给我带来更好的运气,水平上有更大进步。不过需要学的东西太多了,慢慢来吧!也祝论坛上所有的网友新年快乐。
【注册机源码】
/******************************************************************************/
/* */
/* Microsoft Visual C++ 6.0 MFC --> KeygenDlg.cpp */
/* */
/* Microsoft Windows XP Professional Service Pack 2 编译通过 */
/* */
/******************************************************************************/
int XorBox[16] = {46, 89,142, 63,231, 32,129,51, 28, 97,248, 41,136, 53, 78,164} ;
char MCode2[23]={"SUY2TjhXRjQ2QjdIVThKSA"};
void CKeygenDlg::OnChangeEdit1()
{
// TODO: If this is a RICHEDIT control, the control will not
// send this notification unless you override the CDialog::OnInitDialog()
// function and call CRichEditCtrl().SetEventMask()
// with the ENM_CHANGE flag ORed into the mask.
// TODO: Add your control notification handler code here
UpdateData (true) ;
int Box1[8]={0,0,0,0,0,0,0,0} , Box2[8]={0,0,0,0,0,0,0,0} ;
int i , j = 0 , n , Result1 = 0 , Result2 = 0 ;
char MCode[256];
m_Edit2 = "" ;
n = m_Edit1.GetLength ();
strcpy(MCode,m_Edit1);
for ( i = 0 ; i < n ; i++ ){
Box1[j] = ( MCode[i] + Box1[j] ) ^ 0x12 ;
Result1 += Box1[j] ;
j++ ;
if ( j == 8 ) j = 0 ;
}
for ( i = 0 ; i < 22 ; i++ ){
Box2[j] = ( MCode2[i] + Box2[j] ) ^ 0x19 ;
Result2 += Box2[j] ;
j++ ;
if ( j == 8 ) j = 0 ;
}
Result1 = ( Result1 + Result2 ) & 0x1FF ;
for ( i = 0 ; i < 8 ; i++ ) {
Result2 = abs ( Result1 - ( Box1[i] ^ Box2[i] ^ XorBox[i] & 0x1FF )) ;
sprintf ( MCode , "%02X" , Result2 ) ;
MCode[2] = 0 ;
m_Edit2 += MCode ;
}
UpdateData (false) ;
}
----------------------------------------------------------------------------------------------
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
----------------------------------------------------------------------------------------------
文章写于2005-12-30 23:01:59