Lemmy v4.4 注册码分析
作者:bbbsl
软件介绍:这是一款在windows下模拟unix|linux下vi的一个工具,我们系没有用unix|linux做实验的条件,所以让我们
用这玩意体验一下,超级恶心!!!没发现用它有什么有意义的地方,但居然还有时间限制,所以,就拿它做个crackme吧!
平台:
windows 2000 advanced server
所用工具:softice for nt 4.05,calc(window自带计算器)
//运行lemmyreg后下断点bpx getwindowtexta后,按F10一直走到这一段代码(当然,前提是你得先输入了你的ID和SN^_^):
:0040178F 8B17
mov edx, dword ptr [edi]
:00401791 50
push eax
//你输入的假注册码
:00401792 52
push edx
//你的ID
:00401793 8D4E68
lea ecx, dword ptr [esi+68] //我一直不明白这个数是怎么来的,程序中用它加14得到一个地址,用这个地址的数做运算,高手给指点指点吧
:00401796 E865020000 call
00401A00 //关键!!!
:0040179B 85C0
test eax, eax //正确否?
:0040179D 7457
je 004017F6 //正确则跳过!
:0040179F 6A00
push 00000000
:004017A1 6A30
push 00000030
* Possible StringData Ref from Data
Obj ->"Check the values supplied"
|
:004017A3 68B0E04200 push
0042E0B0
:004017A8 E8FFD60100
call 0041EEAC
//下面是401A00的代码:
:00401A00 53
push ebx
:00401A01
55
push ebp
:00401A02 56
push esi
:00401A03 57
push edi
:00401A04 8BF9
mov edi, ecx
:00401A06
6A08 push
00000008
:00401A08 83CDFF
or ebp, FFFFFFFF
:00401A0B E816650100
call 00417F26
:00401A10 8B74241C
mov esi, dword ptr [esp+1C]
:00401A14
83C404 add esp,
00000004
:00401A17 8BD8
mov ebx, eax
:00401A19 33D2
xor edx, edx
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00401A71(C)
|
:00401A1B 0FBE06
movsx eax, byte ptr [esi]
//esi中是你是输入的假注册码
:00401A1E 0FBE4E01
movsx ecx, byte ptr [esi+01]
//两位两位处理
:00401A22 83F830
cmp eax, 00000030
//是数字否?
:00401A25 7C0A
jl 00401A31
//如果小于‘0’则非数字..
:00401A27
83F839 cmp eax,
00000039
:00401A2A
7F05 jg 00401A31
//如果大于‘9’则非数字..
:00401A2C 83E830
sub eax, 00000030 //转成16进制中相应数字
:00401A2F EB11
jmp 00401A42
//下一位判断
* Referenced by a (U)nconditional or (C)onditional
Jump at Addresses:
|:00401A25(C), :00401A2A(C)
|
:00401A31 83F841
cmp eax, 00000041
//不是数字,那是不是大写字母A-F中的一个呢?
:00401A34 7C0A
jl 00401A40 //小则清eax
:00401A36 83F846
cmp eax, 00000046 //大也清eax
:00401A39 7F05
jg 00401A40
:00401A3B 83E837
sub eax, 00000037 //如果是则转成16进制中相应字符
:00401A3E EB02
jmp 00401A42
* Referenced by a (U)nconditional or (C)onditional
Jump at Addresses:
|:00401A34(C), :00401A39(C)
|
:00401A40 33C0
xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401A2F(U),
:00401A3E(U)
|
:00401A42 83F930
cmp ecx, 00000030
//第二位判断,以下均同第一位
:00401A45 7C0A
jl 00401A51
:00401A47 83F939
cmp ecx, 00000039
:00401A4A
7F05 jg 00401A51
:00401A4C 83E930
sub ecx, 00000030
:00401A4F EB11
jmp 00401A62
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00401A45(C), :00401A4A(C)
|
:00401A51 83F941
cmp ecx, 00000041
:00401A54 7C0A
jl 00401A60
:00401A56 83F946
cmp ecx, 00000046
:00401A59 7F05
jg 00401A60
:00401A5B 83E937
sub ecx, 00000037
:00401A5E EB02
jmp 00401A62
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00401A54(C), :00401A59(C)
|
:00401A60 33C9
xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump
at Addresses:
|:00401A4F(U), :00401A5E(U)
|
:00401A62 C0E004
shl al, 04
//合并刚刚处理过的两位假注册码
:00401A65
02C1 add
al, cl //即你输入的东西,假设为‘77’则变为16进制数77放入al中
:00401A67 83C602
add esi, 00000002
:00401A6A 880413
mov byte ptr [ebx+edx], al //存入ebx所指向空间中
:00401A6D 42
inc edx
//edx为计数器
:00401A6E 83FA08
cmp edx, 00000008
//循环是否结束
:00401A71 7CA8
jl 00401A1B
//不结束继续。。
:00401A73 53
push ebx
//保存转换过的东东所在地
:00401A74
8BCF mov
ecx, edi //就是刚才那个数
:00401A76 E8E5F5FFFF call
00401060 //进一步处理,关键!!!
:00401A7B 8B542414
mov edx, dword ptr [esp+14]
:00401A7F 83C9FF
or ecx, FFFFFFFF
//再往下是判断你的ID和用注册码算出来的ID是否一致的一个CALL
:00401A82 8BFA
mov edi, edx
:00401A84
33C0 xor
eax, eax
:00401A86 F2
repnz
:00401A87 AE
scasb
:00401A88 F7D1
not ecx
:00401A8A
49
dec ecx
:00401A8B 83F908
cmp ecx, 00000008 //判断名字的位数是否大于8
:00401A8E 7607
jbe 00401A97
//是就继续不是截断
:00401A90 B908000000
mov ecx, 00000008
:00401A95 EB0C
jmp 00401AA3
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00401A8E(C)
|
:00401A97 8BFA
mov edi, edx
:00401A99 83C9FF
or ecx, FFFFFFFF
:00401A9C 33C0
xor eax, eax
:00401A9E F2
repnz
:00401A9F AE
scasb
:00401AA0 F7D1
not ecx
:00401AA2 49
dec ecx
* Referenced by a
(U)nconditional or (C)onditional Jump at Address:
|:00401A95(U)
|
:00401AA3 85C9
test ecx, ecx //位数是否为零
:00401AA5 7E11
jle 00401AB8
:00401AA7 51
push ecx
//这是位数
:00401AA8 53
push ebx
//这是用注册码推出来的ID
:00401AA9
52
push edx //这是你输入的ID
:00401AAA E8515F0000 call
00407A00 //是否相同?
:00401AAF 83C40C
add esp, 0000000C
:00401AB2 85C0
test eax, eax
:00401AB4 7502
jne 00401AB8
//如相同清ebp不然则相反,从而导致最后返回的eax值不同
:00401AB6 33ED
xor ebp, ebp
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401AA5(C), :00401AB4(C)
|
:00401AB8 53
push ebx
:00401AB9 E8A4640100
call 00417F62
:00401ABE 83C404
add esp, 00000004
:00401AC1 8BC5
mov eax, ebp
//eax<==ebp
:00401AC3 5F
pop edi
:00401AC4 5E
pop esi
:00401AC5 5D
pop ebp
:00401AC6
5B
pop ebx
:00401AC7 C20800
ret 0008
//下面是注册码的判断过程:
:00401060 83EC08
sub esp, 00000008
:00401063 8B54240C mov
edx, dword ptr [esp+0C]
:00401067 53
push ebx
:00401068 56
push esi
:00401069
57
push edi
:0040106A 8A4204
mov al, byte ptr [edx+04]
//edx中是刚才处理过的假注册码
:0040106D 8BF9
mov edi, ecx
//同样两位两位处理
:0040106F 8A4A02
mov cl, byte ptr [edx+02]
:00401072 8844240C
mov byte ptr [esp+0C], al
//第五位放入第0位
:00401076 8A4207
mov al, byte ptr [edx+07]
:00401079 884C240D
mov byte ptr [esp+0D], cl
//第三位放入第1位
:0040107D 8A0A
mov cl, byte ptr
[edx]
:0040107F
8844240E mov byte ptr [esp+0E],
al //第八位放入第2位
:00401083
8A4206 mov al, byte
ptr [edx+06]
:00401086
884C240F mov byte ptr [esp+0F],
cl //第零位放入第3位
:0040108A
8A4A03 mov cl, byte
ptr [edx+03]
:0040108D
88442410 mov byte ptr [esp+10],
al //第七位放入第4位
:00401091
8A4205 mov al, byte
ptr [edx+05]
:00401094
884C2411 mov byte ptr [esp+11],
cl //第四位放入第5位
:00401098
8A4A01 mov cl, byte
ptr [edx+01]
:0040109B
88442412 mov byte ptr [esp+12],
al //第六位放入第6位
:0040109F
8D74240C lea esi, dword
ptr [esp+0C] //传地址给esi
:004010A3 33C0
xor eax, eax
:004010A5 884C2413
mov byte ptr [esp+13], cl
//第二位放入第7位
:004010A9 2BF2
sub esi, edx
//用edx作计数器
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010BB(C)
|
:004010AB 8A4C3814
mov cl, byte ptr [eax+edi+14]
//开始将换过位的假注册码和edi+14中的数逐个异或
:004010AF 8A1C16
mov bl, byte ptr [esi+edx]
//edi+14中的数为312ACF04C76BF4DA
:004010B2 32CB
xor cl, bl
:004010B4 40
inc eax
:004010B5 880A
mov byte ptr [edx], cl
//异或出来的东东保存
:004010B7 42
inc edx
:004010B8 83F808
cmp eax, 00000008
//是否已结束
:004010BB 7CEE
jl 004010AB
//否则继续
:004010BD 5F
pop edi
:004010BE 5E
pop esi
:004010BF
5B
pop ebx
:004010C0 83C408
add esp, 00000008
:004010C3 C20400
ret 0004
分析:
其实已经很明显了,这是一个用注册码推ID的软件。它将我们输入的注册码转成16进制数的形式,然后进行换位,这一步得到的东东再和
16进制数31 2A CF 04 C7 6B F4 DA逐位异或,然后这个东东和你的ID比较,相同说明是正确的,否则就让你检查。
我们可以用计算器来推一个你自己的注册码,例如:我的ID为bbbsl,16进制为62
62 62 73 6c,假设注册码为数组a[8],则经它折腾之后实际上数组变为b[8]={
a[5],a[3],a[8],a[0],a[7],a[4],a[6],a[2]},若要让推出来的ID前五位同bbbsl相同,就必须是数组b前五位和31
2a cf 04 c7相异或后得到的东东==62 62 62
73 6c,so拿起计算器算算吧,62^31=53,62^2a=48,62^cf=AD,73^04=77,6c^c7=AB,即a[5]=53,a[3]=48,a[8]=AD,a[0]=77,a[7]=AB,其余各位随意,所以我的注册码为
id: bbbsl
sn: 770048005300ABAD
- 标 题:我的第一篇破文,献给看学学院的!^_^高手免进! (10千字)
- 作 者:bbbsl
- 时 间:2002-6-20
15:56:04
- 链 接:http://bbs.pediy.com