Kyodai Mahjongg 19.00(四川省麻将)--算法分析
作者:newlaos[DFCG]
软件名称:
Kyodai Mahjongg 19.00(四川省麻将)
软件授权: 共享软件
注册费用: 25美元
使用平台: Win95/98/NT
软件开发: http://kyodai.com/
软件简介:
非常好玩的四川省麻将游戏,支持DirectX,可改变背景音乐...制作画面精美,如果用四川方言形容----“不摆了”,爱好麻将的朋友可不要错过机会哟!
加密方式:ASPACK2.1+注册码
功能限制:未注册信息提示
PJ工具:TRW20001.23注册版、W32Dasm8.93黄金版,FI2.5,PE-scan3.1
PJ日期:2003-03-30
作者newlaos申明:只是学习,请不用于商业用途或是将本文方法制作的注册机任意传播,造成后果,本人一概不负。
1、先用FI2.5看一下主文件“kmj.exe”,加了ASPACK2.1壳,自动脱壳用PE-scan3.1很快搞定,生成UNPACK.EXE文件,再看,程序是用DELPHI编的。手动脱壳也不难,OEP在4F2858。
2、用W32Dasm8.93黄金版对UNPACK.EXE进行静态反汇编,再用串式数据参考,找到"Thanks again ! You're now registered."(很经典的句子),双击来到下面代码段。这样就找到注册码的计算部分。
3、再用TRW20001.23注册版进行动态跟踪,下断BPX
004B1807(通常在注册成功与否的前面一些下断,这样,才能找到关键部分),
先输入注码名:newlaos[DFCG]
假码: 78787878
.......
.......
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B17A0(C)
|
:004B1807
8D55FC lea edx,
dword ptr [ebp-04]
:004B180A 8B8358930A00
mov eax, dword ptr [ebx+000A9358]
:004B1810 8B8028030000
mov eax, dword ptr [eax+00000328]
:004B1816 E8D952F9FF
call 00446AF4 <===计算注册名的长度,EAX=D
:004B181B 8B55FC
mov edx, dword ptr [ebp-04] <===EDX=newlaos[DFCG]
:004B181E
8D83BCDF0800 lea eax, dword ptr [ebx+0008DFBC]
:004B1824
E8CB31F5FF call 004049F4
:004B1829
8D55F8 lea edx,
dword ptr [ebp-08]
:004B182C 8B8358930A00
mov eax, dword ptr [ebx+000A9358]
:004B1832 8B8024030000
mov eax, dword ptr [eax+00000324]
:004B1838 E8B752F9FF
call 00446AF4 <===计算注册名的长度,EAX=8
:004B183D 8B55F8
mov edx, dword ptr [ebp-08] <===EDX=78787878
:004B1840
8D83C0DF0800 lea eax, dword ptr [ebx+0008DFC0]
:004B1846
E8A931F5FF call 004049F4
:004B184B
8BC3 mov
eax, ebx
:004B184D E8B2410300 call
004E5A04
:004B1852 8BC3
mov eax, ebx
:004B1854 E8871C0000
call 004B34E0 <===关键的CALL,F8跟进
:004B1859 84C0
test al,
al
:004B185B 7470
je 004B18CD <===关键跳转,这里跳过去就OVER!
*
Possible StringData Ref from Data Obj ->"Software\Namida"<===从这一段开始,到004B18A7是将正确的注册信息写入注册表
|
:004B185D B970194B00
mov ecx, 004B1970
:004B1862 B201
mov dl, 01
*
Possible StringData Ref from Data Obj ->"窫C"
|
:004B1864 A118344300
mov eax, dword ptr [00433418]
:004B1869 E8862CF8FF
call 004344F4
:004B186E 8BF0
mov esi, eax
:004B1870 8B83BCDF0800
mov eax, dword ptr [ebx+0008DFBC]
:004B1876
50 push
eax
* Possible StringData
Ref from Data Obj ->"RegUser"
|
:004B1877
B988194B00 mov ecx, 004B1988
*
Possible StringData Ref from Data Obj ->"Kyodai"
|
:004B187C BA98194B00
mov edx, 004B1998
:004B1881 8BC6
mov eax, esi
:004B1883 8B38
mov edi, dword ptr [eax]
:004B1885
FF5704 call [edi+04]
:004B1888
8B83C0DF0800 mov eax, dword ptr [ebx+0008DFC0]
:004B188E
50 push
eax
* Possible StringData
Ref from Data Obj ->"RegPass"
|
:004B188F
B9A8194B00 mov ecx, 004B19A8
*
Possible StringData Ref from Data Obj ->"Kyodai"
|
:004B1894 BA98194B00
mov edx, 004B1998
:004B1899 8BC6
mov eax, esi
:004B189B 8B38
mov edi, dword ptr [eax]
:004B189D
FF5704 call [edi+04]
:004B18A0
8BC6 mov
eax, esi
:004B18A2 E80523F5FF call
00403BAC
:004B18A7 8D4DF4
lea ecx, dword ptr [ebp-0C]
*
Possible StringData Ref from Data Obj ->"Thanks again ! You're now registered."
|
:004B18AA BAB8194B00
mov edx, 004B19B8
<===显示“再次感谢你,你已经成功注册”
:004B18AF 8B8348040000
mov eax, dword ptr [ebx+00000448]
:004B18B5 E882C1FCFF
call 0047DA3C
:004B18BA 8B45F4
mov eax, dword ptr
[ebp-0C]
:004B18BD 668B0DE0194B00 mov cx,
word ptr [004B19E0]
:004B18C4 B202
mov dl, 02
:004B18C6 E8F5B3FFFF
call 004ACCC0
:004B18CB EB63
jmp 004B1930
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B185B(C)
|
:004B18CD
8B83BCDF0800 mov eax, dword ptr [ebx+0008DFBC]
:004B18D3
E88833F5FF call 00404C60
:004B18D8
83F808 cmp eax,
00000008 <===EAX为注册名长度,如果等于,这里就跳走,显示注册名错误信息
:004B18DB 7D26
jge 004B1903
<===这里跳过去,就是显示错误的注册信息!如果不跳走,就是显示注册名不够8个字符。
:004B18DD
8D4DF0 lea ecx,
dword ptr [ebp-10]
*
Possible StringData Ref from Data Obj ->"The user name must be at least
"
->"8
characters long !"
|
:004B18E0 BAEC194B00
mov edx, 004B19EC
:004B18E5
8B8348040000 mov eax, dword ptr [ebx+00000448]
:004B18EB
E84CC1FCFF call 0047DA3C
:004B18F0
8B45F0 mov eax,
dword ptr [ebp-10]
:004B18F3 668B0DE0194B00 mov
cx, word ptr [004B19E0]
:004B18FA B202
mov dl, 02
:004B18FC E8BFB3FFFF
call 004ACCC0
:004B1901 EB2D
jmp 004B1930
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B18DB(C)
|
:004B1903
8D4DEC lea ecx,
dword ptr [ebp-14]
*
Possible StringData Ref from Data Obj ->"Sorry, wrong password. Please
"
->"check
out if you entered the user "
->"name and password exactly as I "
->"gave them to you."
|
:004B1906 BA281A4B00
mov edx, 004B1A28
:004B190B 8B8348040000
mov eax, dword ptr [ebx+00000448]
:004B1911
E826C1FCFF call 0047DA3C
:004B1916
8B45EC mov eax,
dword ptr [ebp-14]
:004B1919 668B0DE0194B00 mov
cx, word ptr [004B19E0]
:004B1920 B202
mov dl, 02
:004B1922 E899B3FFFF
call 004ACCC0
:004B1927 EB07
jmp 004B1930
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B1801(C)
|
:004B1929
8BC3 mov
eax, ebx
:004B192B E8D4400300 call
004E5A04
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B18CB(U), :004B1901(U),
:004B1927(U)
|
:004B1930 33C0
xor eax, eax
:004B1932 5A
pop edx
:004B1933 59
pop ecx
:004B1934
59 pop
ecx
:004B1935 648910
mov dword ptr fs:[eax], edx
:004B1938 685F194B00
push 004B195F
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B195D(U)
|
:004B193D
8D45EC lea eax,
dword ptr [ebp-14]
:004B1940 BA03000000
mov edx, 00000003
:004B1945 E87A30F5FF
call 004049C4
:004B194A 8D45F8
lea eax, dword ptr [ebp-08]
:004B194D BA02000000
mov edx, 00000002
:004B1952
E86D30F5FF call 004049C4
:004B1957
C3 ret
.......
.......
-------004B1854
call 004B34E0 --关键的CALL,F8跟进----------------------
如果要正确注册,则AL返回时,不能为0
:004B34E0
55 push
ebp
:004B34E1 8BEC
mov ebp, esp
:004B34E3 B91B000000
mov ecx, 0000001B
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B34ED(C)
|
:004B34E8
6A00 push
00000000
:004B34EA 6A00
push 00000000
:004B34EC 49
dec ecx
:004B34ED 75F9
jne 004B34E8
:004B34EF
53 push
ebx
:004B34F0 56
push esi
:004B34F1 8BD8
mov ebx, eax
:004B34F3 33C0
xor eax, eax
:004B34F5 55
push ebp
:004B34F6
68BE424B00 push 004B42BE
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3486(C)
|
:004B34FB
64FF30 push dword
ptr fs:[eax]
:004B34FE 648920
mov dword ptr fs:[eax], esp
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B349A(C)
|
:004B3501
C645FF01 mov [ebp-01],
01
:004B3505 8B83BCDF0800 mov eax,
dword ptr [ebx+0008DFBC]
:004B350B E85017F5FF
call 00404C60
:004B3510 83E802
sub eax, 00000002
:004B3513 7C22
jl 004B3537
:004B3515 40
inc eax
:004B3516
BA02000000 mov edx, 00000002
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3535(C)
|
:004B351B
8B8BBCDF0800 mov ecx, dword ptr [ebx+0008DFBC]
:004B3521
8A4C11FF mov cl, byte ptr
[ecx+edx-01] <===从注册名第二个字符开始,依次提取每个字符的ASC码
:004B3525 8BB3BCDF0800
mov esi, dword ptr [ebx+0008DFBC]
:004B352B
3A0E cmp
cl, byte ptr [esi] <===提出的ASC码值,与第一个字符的ASC码值作比较
:004B352D 7404
je 004B3533
<===只要有一个比较出来,就跳出来循环结构
:004B352F C645FF00
mov [ebp-01], 00
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B352D(C)
|
:004B3533
42 inc
edx
:004B3534 48
dec eax
:004B3535 75E4
jne 004B351B <===这里构成一个循环结构,这里的功能好象是确定注册名的第一个字符后,在后面找与第一个字符相同的字符,以确定一个位置。
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3513(C)
|
:004B3537
807DFF01 cmp byte ptr [ebp-01],
01
:004B353B 7509
jne 004B3546 <===这里跳走
:004B353D C645FF00
mov [ebp-01], 00
:004B3541 E95A0D0000
jmp 004B42A0
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B353B(C)
|
:004B3546
8B83BCDF0800 mov eax, dword ptr [ebx+0008DFBC]
:004B354C
E80F17F5FF call 00404C60
:004B3551
85C0 test
eax, eax
:004B3553 0F8EEA0C0000 jle
004B4243
:004B3559 8D4DF8
lea ecx, dword ptr [ebp-08]
:004B355C 8B93BCDF0800
mov edx, dword ptr [ebx+0008DFBC] <===EDX=newlaos[DFCG]
:004B3562
8BC3 mov
eax, ebx
:004B3564 E85BC6FFFF call
004AFBC4 <===算法CALL,F8跟进
:004B3569 8B45F8
mov eax, dword ptr [ebp-08]
<===EAX就是真注册码了
:004B356C 8B93C0DF0800
mov edx, dword ptr [ebx+0008DFC0]<===EDX=78787878
:004B3572 E83518F5FF
call 00404DAC <===对比真假的CALL
:004B3577
0F85C60C0000 jne 004B4243 <===不正确,就从这里跳走。
:004B357D
8D4DF4 lea ecx,
dword ptr [ebp-0C]
***************
.......
此处省去若干行,主要是此软件列出的n多的黑名单,
.......
***************
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B3553(C),
:004B3577(C), :004B359E(C)
|
:004B4243 8D8D28FFFFFF
lea ecx, dword ptr [ebp+FFFFFF28] <===跳到这里
*
Possible StringData Ref from Data Obj ->"Unregistered version - Please
"
->"Register
!!!"
|
:004B4249 BA644C4B00
mov edx, 004B4C64
:004B424E 8B8348040000
mov eax, dword ptr [ebx+00000448]
:004B4254
E8E397FCFF call 0047DA3C
:004B4259
8B8D28FFFFFF mov ecx, dword ptr [ebp+FFFFFF28]
:004B425F
8D83C4DF0800 lea eax, dword ptr [ebx+0008DFC4]
*
Possible StringData Ref from Data Obj ->" - "
|
:004B4265 BA984C4B00
mov edx, 004B4C98
:004B426A E83D0AF5FF
call 00404CAC
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B4229(U),
:004B4241(U)
|
:004B426F FFB3C4DF0800
push dword ptr [ebx+0008DFC4]
*
Possible StringData Ref from Data Obj ->" "
|
:004B4275 68A44C4B00
push 004B4CA4
:004B427A FFB3C8DF0800
push dword ptr [ebx+0008DFC8]
:004B4280 8D83FC4A0A00
lea eax, dword ptr [ebx+000A4AFC]
:004B4286 BA03000000
mov edx, 00000003
:004B428B
E8900AF5FF call 00404D20
:004B4290
80BBC44C0A0000 cmp byte ptr [ebx+000A4CC4],
00
:004B4297 7407
je 004B42A0
:004B4299 8BC3
mov eax, ebx
:004B429B E85CEF0100
call 004D31FC
*
Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B3541(U),
:004B4297(C)
|
:004B42A0 33C0
xor eax, eax
:004B42A2 5A
pop edx
:004B42A3 59
pop ecx
:004B42A4
59 pop
ecx
:004B42A5 648910
mov dword ptr fs:[eax], edx
:004B42A8 68C5424B00
push 004B42C5
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B42C3(U)
|
:004B42AD
8D8528FFFFFF lea eax, dword ptr [ebp+FFFFFF28]
:004B42B3
BA35000000 mov edx, 00000035
:004B42B8
E80707F5FF call 004049C4
:004B42BD
C3 ret
:004B42BE
E93D00F5FF jmp 00404300
:004B42C3
EBE8 jmp
004B42AD
:004B42C5 8A45FF
mov al, byte ptr [ebp-01]
:004B42C8 5E
pop esi
:004B42C9 5B
pop ebx
:004B42CA
8BE5 mov
esp, ebp
:004B42CC 5D
pop ebp
:004B42CD C3
ret
-------004B3564
call 004AFBC4 算法CALL,F8跟进----------------------
初始值EDX=newlaos[DFCG]
返回时,EAX就为真码(前提是输入的注册名不少于8位)
;-----------------------------------------------------------------------
; 004AFBC4 -- key derivation routine, called from 004B3564 (see the
; listing above); arguments arrive in registers (eax/edx/ecx), which
; matches the page's note that the program is Delphi-built.
; In:   eax = object pointer, saved at [ebp-04]; only [eax+448] is read
;       edx = user name, saved at [ebp-08]
;       ecx = result string, kept in edi
; Out:  the result string in edi receives the key (per the page's notes;
;       the helpers 00404B88 / 00404C68 that write it are not shown here)
; Locals: [ebp-09] = "every character equals the first" flag,
;         [ebp-10] = scratch value the helpers treat as a string
; Every character of the key is computed from the user name alone -- no
; secret takes part -- so the comparison made by the caller cannot tell an
; issued key from one recomputed by anyone who has read this routine.
;-----------------------------------------------------------------------
:004AFBC4 55 push ebp
:004AFBC5 8BEC mov ebp, esp
:004AFBC7 83C4F0 add esp, FFFFFFF0 <===16 bytes of locals: [ebp-04] object, [ebp-08] name, [ebp-09] flag, [ebp-10] scratch
:004AFBCA 53 push ebx
:004AFBCB 56 push esi
:004AFBCC 57 push edi
:004AFBCD 33DB xor ebx, ebx
:004AFBCF 895DF0 mov dword ptr [ebp-10], ebx <===scratch starts out as 0 (nil)
:004AFBD2 8BF9 mov edi, ecx <===edi = result string (3rd argument)
:004AFBD4 8955F8 mov dword ptr [ebp-08], edx <===[ebp-08] = user name (2nd argument)
:004AFBD7 8945FC mov dword ptr [ebp-04], eax <===[ebp-04] = object (1st argument)
:004AFBDA 8B45F8 mov eax, dword ptr [ebp-08]
:004AFBDD E86E52F5FF call 00404E50 <===helper not shown on this page; receives the name in eax
:004AFBE2 33C0 xor eax, eax
:004AFBE4 55 push ebp
:004AFBE5 68D9FC4A00 push 004AFCD9
:004AFBEA 64FF30 push dword ptr fs:[eax]
:004AFBED 648920 mov dword ptr fs:[eax], esp <===links an exception frame through fs:[0]; the handler stub is 004AFCD9
:004AFBF0 8B45F8 mov eax, dword ptr [ebp-08]
:004AFBF3 E86850F5FF call 00404C60 <===eax = length of the user name (the caller uses the same helper for its length test)
:004AFBF8 8B55F8 mov edx, dword ptr [ebp-08] <===edx = user name (sample on this page: newlaos[DFCG])
:004AFBFB 0FB64402FF movzx eax, byte ptr [edx+eax-01] <===eax = ASCII value of the LAST character of the name
:004AFC00 8B55F8 mov edx, dword ptr [ebp-08]
:004AFC03 0FB612 movzx edx, byte ptr [edx] <===edx = ASCII value of the FIRST character
:004AFC06 03C2 add eax, edx <===eax = first + last
:004AFC08 B90A000000 mov ecx, 0000000A <===ecx = 0Ah (10), the divisor (the original note called it the dividend)
:004AFC0D 33D2 xor edx, edx <===clear edx before the unsigned divide
:004AFC0F F7F1 div ecx <===edx = (first + last) mod 10
:004AFC11 83C230 add edx, 00000030 ***<===remainder + 30h = an ASCII digit: the first character of the key (for the sample name the RegPass recorded at the end of this page begins with '3', not the '9' the original note gives)
:004AFC14 8BC7 mov eax, edi
:004AFC16 E86D4FF5FF call 00404B88 <===helper not shown; presumably stores the digit in edx into the string at eax -- the page's note treats this as the first part of the key
:004AFC1B 8B45F8 mov eax, dword ptr [ebp-08]
:004AFC1E E83D50F5FF call 00404C60 <===eax = name length again
:004AFC23 8BF0 mov esi, eax
:004AFC25 83EE02 sub esi, 00000002
:004AFC28 7C3A jl 004AFC64 <===taken when length - 2 < 0, i.e. fewer than 2 characters; the 8-character minimum is enforced below at 004AFCA1, not here (the original note says 8)
:004AFC2A 46 inc esi <===esi = length - 1 = number of adjacent pairs to process
:004AFC2B BB02000000 mov ebx, 00000002 <===ebx = 1-based index of the second character of the pair
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFC62(C)
|
:004AFC30 8B45F8 mov eax, dword ptr [ebp-08]
:004AFC33 0FB64418FE movzx eax, byte ptr [eax+ebx-02] <===eax = character n (n = 1 .. length-1)
:004AFC38 8B55F8 mov edx, dword ptr [ebp-08]
:004AFC3B 0FB6541AFF movzx edx, byte ptr [edx+ebx-01] <===edx = character n+1
:004AFC40 03C2 add eax, edx <===eax = sum of the two ASCII values
:004AFC42 B90A000000 mov ecx, 0000000A
:004AFC47 33D2 xor edx, edx
:004AFC49 F7F1 div ecx <===edx = sum mod 10; becomes key character n+1
:004AFC4B 83C230 add edx, 00000030 <===to an ASCII digit
:004AFC4E 8D45F0 lea eax, dword ptr [ebp-10]
:004AFC51 E8324FF5FF call 00404B88 <===digit -> scratch [ebp-10]
:004AFC56 8B55F0 mov edx, dword ptr [ebp-10]
:004AFC59 8BC7 mov eax, edi
:004AFC5B E80850F5FF call 00404C68 <===helper not shown; per the page's note the scratch digit is appended to the result string in edi
:004AFC60 43 inc ebx
:004AFC61 4E dec esi
:004AFC62 75CC jne 004AFC30 ***<===loop over every adjacent pair; builds the second part of the key
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFC28(C)
|
:004AFC64 C645F701 mov [ebp-09], 01 <===flag = 1: "every character equals the first" until a difference is found
:004AFC68 8B45F8 mov eax, dword ptr [ebp-08]
:004AFC6B E8F04FF5FF call 00404C60 <===eax = name length
:004AFC70 8BF0 mov esi, eax
:004AFC72 83EE02 sub esi, 00000002
:004AFC75 7C1C jl 004AFC93 <===fewer than 2 characters: nothing to compare, flag stays 1
:004AFC77 46 inc esi <===esi = length - 1 characters to compare
:004AFC78 BB02000000 mov ebx, 00000002 <===start at the second character
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFC91(C)
|
:004AFC7D 8B45F8 mov eax, dword ptr [ebp-08]
:004AFC80 8A4418FF mov al, byte ptr [eax+ebx-01] <===al = character ebx
:004AFC84 8B55F8 mov edx, dword ptr [ebp-08]
:004AFC87 3A02 cmp al, byte ptr [edx] <===compare with the first character
:004AFC89 7404 je 004AFC8F
:004AFC8B C645F700 mov [ebp-09], 00 <===a differing character clears the flag (the loop still runs to the end)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFC89(C)
|
:004AFC8F 43 inc ebx
:004AFC90 4E dec esi
:004AFC91 75EA jne 004AFC7D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFC75(C)
|
:004AFC93 807DF700 cmp byte ptr [ebp-09], 00
:004AFC97 750D jne 004AFCA6 <===name made of a single repeated character -> label it UNREGISTERED
:004AFC99 8B45F8 mov eax, dword ptr [ebp-08]
:004AFC9C E8BF4FF5FF call 00404C60
:004AFCA1 83F808 cmp eax, 00000008
:004AFCA4 7D15 jge 004AFCBB <===8 or more characters skip the UNREGISTERED label; shorter names fall through to it
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFC97(C)
|
:004AFCA6 8BCF mov ecx, edi
:004AFCA8 8B45FC mov eax, dword ptr [ebp-04]
:004AFCAB 8B8048040000 mov eax, dword ptr [eax+00000448] <===eax = object field at +448; the caller passes the same field to 0047DA3C with its message strings
* Possible StringData Ref from Data Obj ->"UNREGISTERED"
|
:004AFCB1 BAF0FC4A00 mov edx, 004AFCF0
:004AFCB6 E881DDFCFF call 0047DA3C <===edx = "UNREGISTERED"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFCA4(C)
|
:004AFCBB 33C0 xor eax, eax
:004AFCBD 5A pop edx
:004AFCBE 59 pop ecx
:004AFCBF 59 pop ecx
:004AFCC0 648910 mov dword ptr fs:[eax], edx <===unlink the exception frame
:004AFCC3 68E0FC4A00 push 004AFCE0 <===return address for the cleanup below; execution continues at 004AFCE0 after its ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFCDE(U)
|
:004AFCC8 8D45F0 lea eax, dword ptr [ebp-10]
:004AFCCB E8D04CF5FF call 004049A0 <===helper not shown; presumably releases the scratch value
:004AFCD0 8D45F8 lea eax, dword ptr [ebp-08]
:004AFCD3 E8C84CF5FF call 004049A0 <===same helper on the saved name reference
:004AFCD8 C3 ret <===pops the 004AFCE0 pushed above
:004AFCD9 E92246F5FF jmp 00404300 <===exception handler stub registered at 004AFBE5
:004AFCDE EBE8 jmp 004AFCC8 <===unwind path re-enters the cleanup
:004AFCE0 5F pop edi
:004AFCE1 5E pop esi
:004AFCE2 5B pop ebx
:004AFCE3 8BE5 mov esp, ebp
:004AFCE5 5D pop ebp
:004AFCE6 C3 ret
---------------------------------------------------------------------------------------
4、算法分析:---类型:f(注册名)=注册码---
a、输入注册名的第一个字符和最后一个字符的ASC码值相加,除以A,余数即为注册码的第一个字符
b、依次提取注册名的第n位字符和第n+1位字符,两者的ASC码值相加除以A,余数即为注册码的第n+1位字符(n从1取到注册名的长度-1),构成注册码的第二部分
c、将第一部分和第二部分最终组成真正的注册码
5、用KEYMAKE1.73制作注册机:(呵呵,好象一运行就出错)
一、选择F8 → 另类注册机!
程序名称:kmj.exe
添加数据:
中断地址:004B3569
中断次数:2
第一字节:8B
指令长度:3
保存下列信息为注册码 → 内存方式
→ 寄存器 → EAX
二、选择内存方式:内存地址 → 1A3D068 → 点生成,就有你乐的了
6、注册信息保存在注册表:
[HKEY_CURRENT_USER\Software\Namida\Kyodai]
"RegUser"="newlaos[DFCG]"
"RegPass"="3107586698784"
"Launches"=dword:00000008
<===这是使用次数