Trace Arm BY Fpc
在追踪注册码计算过程时很容易到这里。
下面这个CALL的作用是:将输入的0X18字节的注册信息变换为0X10字节的注册码1。
* Referenced by a CALL at Addresses:
|:0048BB15 , :0048BB50 , :0048BBED , :0048BC48
|
; ----------------------------------------------------------------------
; Routine at 0048BDC8 (Intel syntax, 32-bit; arguments arrive in eax/edx/ecx)
;   eax = pointer to a 4-dword state table ([eax], [eax+04], [eax+08], [eax+0C])
;   ecx = pointer to the input block; dwords are read at [ecx+00], [ecx+04], ... [ecx+24]
;   edx = stored at [ebp-1C] but not read in the visible lines (the note below
;         says it seems to be 18h)
;   one more dword is on the stack: `ret 0004` pops it, it is not read in the
;         visible lines
; Visible behaviour: copies the 4 state dwords into the locals
;   [ebp-0C], [ebp-10], [ebp-14], [ebp-18] (called A, B, C, D in the comments
;   below, for readability only), runs a long chain of calls to the helpers
;   0048BC70 .. 0048BD74 that mix input dwords + constants into those locals
;   (most of the chain is elided at "。。。。。"), then adds the locals back into
;   the table before returning.
; Each helper call pushes ebp, <1>, <2>, <3>; the helper's `ret 000C` pops
;   <1>..<3> and the caller's `pop ecx` discards the pushed ebp.
; NOTE(review): the constants D76AA478, E8C7B756, EB86D391, the rotate counts
;   7, 0C, 15, the table's initial bytes 01 23 45 67 89 AB CD EF FE DC BA 98
;   76 54 32 10 and the final add-back all match the MD5 compression function.
;   The last call reads input at [ecx+24], so the block handed in is longer
;   than the 18h bytes mentioned above (presumably a padded 40h-byte block —
;   confirm against the caller).
; Clobbers: eax, ecx, edx, flags; 1Ch bytes of locals below ebp.
; ----------------------------------------------------------------------
:0048BDC8 55
push ebp
:0048BDC9 8BEC
mov ebp, esp
:0048BDCB 83C4E4
add esp, FFFFFFE4                       ; esp -= 1Ch: locals [ebp-04] .. [ebp-1C]
:0048BDCE 894DF8
mov dword ptr [ebp-08], ecx             ; [ebp-08] = input pointer (see note on the next line)
Ecx指向输入的注册码
:0048BDD1 8955E4
mov dword ptr [ebp-1C], edx Edx好象等于18
:0048BDD4 8945FC
mov dword ptr [ebp-04], eax             ; [ebp-04] = pointer to the 4-dword state table
Eax指向一个字节的码表:
01 23 45 67 89 AB CD EF FE DC BA 98 76 54 32 10
上面的这三个MOV比较重要
:0048BDD7 8B45FC
mov eax, dword ptr [ebp-04]
:0048BDDA 8B00
mov eax, dword ptr [eax]
:0048BDDC 8945F4
mov dword ptr [ebp-0C], eax             ; A = table[0]
:0048BDDF 8B45FC
mov eax, dword ptr [ebp-04]
:0048BDE2 8B4004
mov eax, dword ptr [eax+04]
:0048BDE5 8945F0
mov dword ptr [ebp-10], eax             ; B = table[1]
:0048BDE8 8B45FC
mov eax, dword ptr [ebp-04]
:0048BDEB 8B4008
mov eax, dword ptr [eax+08]
:0048BDEE 8945EC
mov dword ptr [ebp-14], eax             ; C = table[2]
:0048BDF1 8B45FC
mov eax, dword ptr [ebp-04]
:0048BDF4 8B400C
mov eax, dword ptr [eax+0C]
:0048BDF7 8945E8
mov dword ptr [ebp-18], eax             ; D = table[3]
; --- step 1 (Call(1) at 0048BC70):
;     A = rotl(A + (((C ^ D) & B) ^ D) + input[0] + D76AA478, 7) + B
:0048BDFA 55
push ebp                                ; caller's frame pointer; removed by the `pop ecx` after the call
:0048BDFB 8B45E8
mov eax, dword ptr [ebp-18]
:0048BDFE 50
push eax                                ; <1> = D
:0048BDFF 8B45F8
mov eax, dword ptr [ebp-08]
:0048BE02 8B00
mov eax, dword ptr [eax]                ; input[0]
:0048BE04 0578A46AD7 add eax,
D76AA478                                ; <2> = input[0] + D76AA478 (constant folded in before the call)
:0048BE09 50
push eax
:0048BE0A 6A07
push 00000007                           ; <3> = rotate count 7
:0048BE0C 8D45F4
lea eax, dword ptr [ebp-0C]             ; eax = &A, the dword the helper updates in place
:0048BE0F 8B4DEC
mov ecx, dword ptr [ebp-14]             ; ecx = C
:0048BE12 8B55F0
mov edx, dword ptr [ebp-10]             ; edx = B
:0048BE15 E856FEFFFF call
0048BC70
:0048BE1A 59
pop ecx                                 ; drop the pushed ebp; `ret 000C` already popped <1>..<3>
; --- step 2 (same helper, roles rotated):
;     D = rotl(D + (((B ^ C) & A) ^ C) + input[1] + E8C7B756, 0C) + A
:0048BE1B 55
push ebp
:0048BE1C 8B45EC
mov eax, dword ptr [ebp-14]
:0048BE1F 50
push eax                                ; <1> = C
:0048BE20 8B45F8
mov eax, dword ptr [ebp-08]
:0048BE23 8B4004
mov eax, dword ptr [eax+04]             ; input[1]
:0048BE26 0556B7C7E8 add eax,
E8C7B756                                ; <2> = input[1] + E8C7B756
:0048BE2B 50
push eax
:0048BE2C 6A0C
push 0000000C                           ; <3> = rotate count 0Ch
:0048BE2E 8D45E8
lea eax, dword ptr [ebp-18]             ; eax = &D
:0048BE31 8B4DF0
mov ecx, dword ptr [ebp-10]             ; ecx = B
:0048BE34 8B55F4
mov edx, dword ptr [ebp-0C]             ; edx = A
:0048BE37 E834FEFFFF call
0048BC70
。。。。。
:0048C653 59
pop ecx                                 ; end of the previous (elided) helper call
; --- last step: helper 0048BD74 (its body is not on this page, so its mixing
;     function is not described here); operand roles:
:0048C654 55
push ebp
:0048C655 8B45F4
mov eax, dword ptr [ebp-0C]
:0048C658 50
push eax                                ; <1> = A
:0048C659 8B45F8
mov eax, dword ptr [ebp-08]
:0048C65C 8B4024
mov eax, dword ptr [eax+24]             ; input[9] — offset 24h, beyond the 18h bytes mentioned above
:0048C65F 0591D386EB add eax,
EB86D391                                ; <2> = input[9] + EB86D391
:0048C664 50
push eax
:0048C665 6A15
push 00000015                           ; <3> = rotate count 15h
:0048C667 8D45F0
lea eax, dword ptr [ebp-10]             ; eax = &B
:0048C66A 8B4DE8
mov ecx, dword ptr [ebp-18]             ; ecx = D
:0048C66D 8B55EC
mov edx, dword ptr [ebp-14]             ; edx = C
:0048C670 E8FFF6FFFF call
0048BD74
:0048C675 59
pop ecx                                 ; drop the pushed ebp (presumably the same `ret 000C` convention as Call(1))
; --- add the working values back into the table: table[i] += A, B, C, D
:0048C676 8B45FC
mov eax, dword ptr [ebp-04]
:0048C679 8B55F4
mov edx, dword ptr [ebp-0C]
:0048C67C 0110
add dword ptr [eax], edx                ; table[0] += A
:0048C67E 8B45FC
mov eax, dword ptr [ebp-04]
:0048C681 8B55F0
mov edx, dword ptr [ebp-10]
:0048C684 015004
add dword ptr [eax+04], edx             ; table[1] += B
:0048C687 8B45FC
mov eax, dword ptr [ebp-04]
:0048C68A 8B55EC
mov edx, dword ptr [ebp-14]
:0048C68D 015008
add dword ptr [eax+08], edx             ; table[2] += C
:0048C690 8B45FC
mov eax, dword ptr [ebp-04]
:0048C693 8B55E8
mov edx, dword ptr [ebp-18]
:0048C696 01500C
add dword ptr [eax+0C], edx             ; table[3] += D
:0048C699 8BE5
mov esp, ebp                            ; release the 1Ch bytes of locals
:0048C69B 5D
pop ebp
:0048C69C C20400
ret 0004                                ; pops one stack argument that the visible lines never read
这一段非常长,结构却差不多,因此大部分内容都略过了。这个CALL过后会形成一个0X10字节的注册码1。接下来注册码1会被扩展为0X20字节,然后与已经计算好的0X3F0组字串相比较,与其中一组相同即可。
call 0048BC70是用于变换的一个CALL(共有四个),被调用16次:(真是变态!)
结合入口参数看
; Argument set-up for the first Call(1) (the same lines as 0048BDFA above),
; with the three stack arguments marked. They are pushed in the order
; <1>, <2>, <3>, so after Call(1)'s `push ebp` they sit at
; [ebp+10], [ebp+0C], [ebp+08] respectively; the extra `push ebp` here lands
; at [ebp+14] and is discarded by the `pop ecx` after the call.
:0048BDFA 55
push ebp                                ; caller's frame pointer, not one of the three counted arguments
:0048BDFB 8B45E8
mov eax, dword ptr [ebp-18]
:0048BDFE 50
push eax                                ; <1> = local [ebp-18] (4th state dword)
;<1>
:0048BDFF 8B45F8
mov eax, dword ptr [ebp-08]
:0048BE02 8B00
mov eax, dword ptr [eax]                ; first input dword
:0048BE04 0578A46AD7 add eax,
D76AA478
:0048BE09 50
push eax                                ; <2> = input dword + D76AA478
;<2>
:0048BE0A 6A07
push 00000007                           ; <3> = rotate count
;<3>
:0048BE0C 8D45F4
lea eax, dword ptr [ebp-0C]             ; eax = address of the dword Call(1) updates in place
:0048BE0F 8B4DEC
mov ecx, dword ptr [ebp-14]             ; ecx = 3rd state dword
:0048BE12 8B55F0
mov edx, dword ptr [ebp-10]             ; edx = 2nd state dword
:0048BE15 E856FEFFFF call
0048BC70
:0048BE1A 59
pop ecx                                 ; `ret 000C` popped <1>..<3>; this removes the pushed ebp
Call(1):
* Referenced by a CALL at Addresses:
|:0048BE15 , :0048BE37 , :0048BE59 , :0048BE7B , :0048BE9D
|:0048BEBF , :0048BEE1 , :0048BF03 , :0048BF25 , :0048BF47
|:0048BF69 , :0048BF8B , :0048BFAD , :0048BFCF , :0048BFF1
|:0048C013
|
; ----------------------------------------------------------------------
; Call(1) at 0048BC70 — called 16 times from the routine above.
;   eax      = pointer to the dword updated in place (a), kept at [ebp-04]
;   edx      = b, kept at [ebp-08]
;   ecx      = c, kept at [ebp-0C]
;   [ebp+08] = <3>, rotate count n (only the low byte is read)
;   [ebp+0C] = <2>, input dword + constant
;   [ebp+10] = <1>, d
;   [ebp+14] = the caller's pushed ebp; `ret 000C` pops only <1>..<3>, the
;              caller's `pop ecx` removes this one
; Result:  *a = rotl(*a + (((c ^ d) & b) ^ d) + <2>, n) + b
;   ((c ^ d) & b) ^ d is a bitwise select (b ? c : d): per bit, one of c/d is
;   discarded, which is what the page's remark about the AND refers to.
; Clobbers: eax, ecx, edx, flags; 0Ch bytes of locals.
; NOTE(review): the CPU masks the shift count in cl to 5 bits, so n = 0 or
;   n >= 20h would not give a clean rotate; the visible callers pass 7, 0C, 15.
; ----------------------------------------------------------------------
:0048BC70 55
push ebp
:0048BC71 8BEC
mov ebp, esp
:0048BC73 83C4F4
add esp, FFFFFFF4                       ; esp -= 0Ch: three dword locals
:0048BC76 894DF4
mov dword ptr [ebp-0C], ecx             ; [ebp-0C] = c
:0048BC79 8955F8
mov dword ptr [ebp-08], edx             ; [ebp-08] = b
:0048BC7C 8945FC
mov dword ptr [ebp-04], eax             ; [ebp-04] = &a
:0048BC7F 8B45F4
mov eax, dword ptr [ebp-0C] ; Eax=Ecx
:0048BC82 334510
xor eax, dword ptr [ebp+10] ; Eax^=<1>
:0048BC85 2345F8
and eax, dword ptr [ebp-08] ; Eax&=Edx
:0048BC88 334510
xor eax, dword ptr [ebp+10] ; Eax^=<1>  -> ((c ^ d) & b) ^ d, i.e. bitwise (b ? c : d)
:0048BC8B 03450C
add eax, dword ptr [ebp+0C] ; Eax+=<2>
:0048BC8E 8B55FC
mov edx, dword ptr [ebp-04]
:0048BC91 0102
add dword ptr [edx], eax ; Save
it
:0048BC93 33C0
xor eax, eax                            ; clear eax so the byte load below is zero-extended
:0048BC95 8A4508
mov al, byte ptr [ebp+08] ; Eax=<3>
:0048BC98 B920000000 mov ecx,
00000020
:0048BC9D 2BC8
sub ecx, eax                            ; ecx = 32 - n
:0048BC9F 8B45FC
mov eax, dword ptr [ebp-04]
:0048BCA2 8B00
mov eax, dword ptr [eax]                ; eax = *a
:0048BCA4 D3E8
shr eax, cl                             ; eax = *a >> (32 - n)
:0048BCA6 8A4D08
mov cl, byte ptr [ebp+08]               ; cl = n
:0048BCA9 8B55FC
mov edx, dword ptr [ebp-04]
:0048BCAC 8B12
mov edx, dword ptr [edx]                ; edx = *a (re-read; unchanged since the add above)
:0048BCAE D3E2
shl edx, cl                             ; edx = *a << n
; And this part:
:0048BCB0 0BC2
or eax, edx                             ; eax = rotl(*a, n)
; Roll left N<3> bits
:0048BCB2 8B55FC
mov edx, dword ptr [ebp-04]
:0048BCB5 8902
mov dword ptr [edx], eax                ; *a = rotated value
:0048BCB7 8B45FC
mov eax, dword ptr [ebp-04]
:0048BCBA 8B55F8
mov edx, dword ptr [ebp-08]             ; edx = b (the original edx argument)
:0048BCBD 0110
add dword ptr [eax], edx ; Add
again
:0048BCBF 8BE5
mov esp, ebp
:0048BCC1 5D
pop ebp
:0048BCC2 C20C00
ret 000C                                ; pops <1>, <2>, <3>; the caller's pushed ebp is left for its `pop ecx`
For short, Call(1) looks like :
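; ----------------------------------------------------------------------
; Call(1) as condensed on the page: same result as the disassembly at
; 0048BC70, with the intermediate value kept in ebx instead of being
; written through [eax] three times.
;   eax      = pointer to the dword to update (a)
;   edx      = b, ecx = c
;   [ebp+08] = <3>, rotate count n (only the low byte is used)
;   [ebp+0C] = <2>, input dword + constant
;   [ebp+10] = <1>, d
; Result:  *a = rotl((((c ^ d) & b) ^ d) + <2>, n) + b
; Callee-saved ebx is pushed/popped; eax and edx are spilled and restored
; around the computation; ecx is clobbered. `ret 000C` pops <1>..<3>.
; Fixed here: the <2> operand was written `[ebp+c]` (malformed, and
; inconsistent with the disassembly's `[ebp+0C]`); wrapped comment tails
; that had become bare lines are rejoined to their instructions.
; ----------------------------------------------------------------------
push ebp
mov ebp, esp
push ebx                                ; Ebx will serve as a Temp
push eax                                ; keep the output pointer (a) for the final store
push edx                                ; keep b for the final add
mov eax, ecx                            ; eax = c
xor eax, dword ptr [ebp+10]             ; eax = c ^ d
and eax, edx                            ; Shit! Cant write a KeyGen Coz of this
                                        ; (bitwise select b ? c : d — one input is discarded per bit)
xor eax, dword ptr [ebp+10]             ; eax = ((c ^ d) & b) ^ d
add eax, dword ptr [ebp+0C]             ; eax += <2>
mov ebx, eax                            ; Temp=Eax
mov al, byte ptr [ebp+08]               ; Eax=<3>  (only al is needed for the count)
mov cl, 20
sub cl, al                              ; cl = 32 - n
mov eax, ebx
shr eax, cl                             ; Temp >> (32 - n)
mov cl, byte ptr [ebp+08]               ; cl = n
mov edx, ebx
shl edx, cl                             ; Temp << n; And this part:
or eax, edx                             ; Roll left N<3> bits
pop edx                                 ; edx = b again
add eax, edx                            ; + b
mov ebx, eax
pop eax                                 ; eax = a
mov dword ptr [eax], ebx                ; *a = result
pop ebx
mov esp, ebp
pop ebp
ret 000C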
本来是要追出注册码计算过程,然后写出注册机。这个注册机原理是根据3F0组字串写出逆过程,现在看是不可能了,原因就在于那个AND(不可逆)。更准确地说,这个变换用到的常量(D76AA478、E8C7B756、EB86D391)、移位数(7、0C、15)和码表初值都与 MD5 一致,输出的 0x10 字节就是一个散列值,按设计就是单向的:从 3F0 组字串反推输入相当于求散列原像,而不只是某一个 AND 的问题。所以ARM只能解压后再暴破。:-(
- 标 题:它是将输入的内容作变换,再与内设的字串相比较,(估计只有暴破这一条路) (8千字)
- 作 者:Fpc
- 时 间:2001-4-8 16:05:52
- 链 接:http://bbs.pediy.com