Software: Shiznit Scanner V2.1
Description: Fast configurable highly featured UDP/TCP
Port/Subnet Scanner for windows. Some key features are: TCP Port scanning of stealth
and non-stealth hosts, Extreme UDP Port scanning, UDP Subnet scanning!, High speed
ping scanning of subnets, TCP Subnet scanning of stealth and non-stealth hosts,
Setting of start and stop ports, Gives you the ability to save results, Nice looking
interface, Tells you if remote computer being scanned is stealth, You choose the
speed of scan, Tells you the host responses for TCP Port scan and Subnet scan,
Tells you the port use from huge lists of ports as found, Port scanner & Subnet
scanner integration, so as though you can double click an IP found with the Subnet
scanner to port scan with the Port scanner... Many new features in V2.0, a must
have for TCP/IP network administrators.
Cracked by: BurSH[FCG][BCG][DFCG] (on 2003.4.20)
Tool: Trw2000 1.23
OK, let's begin!
Press Ctrl+N to bring up Trw2000 and set the breakpoint BPX GetDlgItemTextA. Enter any registration info and click Register Shiznit Scanner 2.1. Caught! Use PMODULE to get back into the program's own code, then BC to clear the breakpoint, press F10 three times, and you see the following code:
016F:00406DB7 PUSH BYTE +01
016F:00406DB9 PUSH BYTE +00
016F:00406DBB PUSH DWORD 0421
016F:00406DC0 MOV ECX,[EBP+FFFFFBEC]
016F:00406DC6 CALL 004379C8==>fetch the entered serial
016F:00406DCB PUSH EAX==>push the entered serial
016F:00406DCC LEA EAX,[EBP-20]==>address of the user name that was read earlier goes into EAX
016F:00406DCF PUSH EAX==>push the user name
016F:00406DD0 CALL 00406870==>the key CALL: computes and checks the serial! Step into it with F8~
016F:00406DD5 AND EAX,FF
016F:00406DDA TEST EAX,EAX==>is the serial correct?
016F:00406DDC JZ NEAR 00406E98==>if not, jump off to die :(
016F:00406DE2 PUSH BYTE +00
016F:00406DE4 PUSH DWORD 00448C98
016F:00406DE9 PUSH DWORD 00448BCC
016F:00406DEE MOV ECX,[EBP+FFFFFBEC]
016F:00406DF4 CALL 004368A5
Press F8 into the key CALL at 406DD0 and you see:
016F:00406870 PUSH EBP
016F:00406871 MOV EBP,ESP
016F:00406873 SUB ESP,0430
016F:00406879 PUSH EBX
016F:0040687A PUSH ESI
016F:0040687B PUSH EDI
016F:0040687C MOV EDI,[EBP+08]
016F:0040687F LEA EDX,[EBP-2C]
016F:00406882 OR ECX,BYTE -01
016F:00406885 XOR EAX,EAX
016F:00406887 REPNE SCASB
016F:00406889 NOT ECX
016F:0040688B SUB EDI,ECX
016F:0040688D MOV ESI,EDI
016F:0040688F MOV EAX,ECX
016F:00406891 MOV EDI,EDX
016F:00406893 SHR ECX,02
016F:00406896 REP MOVSD ==>I don't understand this assembly instruction; could some expert explain it to me? If you step over it with F8, registration fails :( so I just used g to go straight to the next instruction
016F:00406898 MOV ECX,EAX
016F:0040689A AND ECX,BYTE +03
016F:0040689D REP MOVSB ==>g 40689F
016F:0040689F MOV DWORD [EBP-08],00
016F:004068A6 JMP SHORT 004068B1==>jump to 4068B1 below
016F:004068A8 MOV ECX,[EBP-08]
016F:004068AB ADD ECX,BYTE +01==>ECX + 1!
016F:004068AE MOV [EBP-08],ECX==>store ECX back into [EBP-08]
016F:004068B1 MOV EDX,[EBP-08]==>EDX is the counter
016F:004068B4 MOVSX EAX,BYTE [EBP+EDX-2C]==>fetch the user-name bytes one at a time into EAX ([EBP-2C] holds the copy of the user name)
016F:004068B9 TEST EAX,EAX==>have all characters of the user name been consumed?
016F:004068BB JZ 004068D0==>if the byte is zero the name is finished and we leave to 4068D0; otherwise carry on below
016F:004068BD MOV ECX,[EBP-08]==>ECX is the counter
016F:004068C0 MOV DL,[EBP+ECX-2C]==>fetch the user-name bytes one at a time into DL ([EBP-2C] holds the copy of the user name)
016F:004068C4 ADD DL,0A==>add 0Ah to each user-name byte, result in DL!
016F:004068C7 MOV EAX,[EBP-08]
016F:004068CA MOV [EBP+EAX-2C],DL==>write the converted user-name bytes back into [EBP-2C] one by one
016F:004068CE JMP SHORT 004068A8
016F:004068D0 MOV DWORD [EBP+FFFFFBE0],00448B50==>448B50 holds the string ^OKW*V_MsN (subtract 0Ah from each byte and it reads TEAM LUCiD. A blacklist! ^0^)
016F:004068DA LEA ECX,[EBP-2C]==>the converted user name from above goes into ECX
016F:004068DD MOV [EBP+FFFFFBDC],ECX
The block from 4068E3 to 40695F compares the converted user name with the blacklist string byte by byte (two bytes per iteration, strcmp style). If the name is not on the blacklist, the JNZ at 40695F jumps to 406AB1 and from there on to the loop at 406AC3.
016F:004068E3 MOV EDX,[EBP+FFFFFBDC]
016F:004068E9 MOV AL,[EDX]
016F:004068EB MOV [EBP+FFFFFBDB],AL
016F:004068F1 MOV ECX,[EBP+FFFFFBE0]
016F:004068F7 CMP AL,[ECX]
016F:004068F9 JNZ 00406941
016F:004068FB CMP BYTE [EBP+FFFFFBDB],00
016F:00406902 JZ 00406935
016F:00406904 MOV EDX,[EBP+FFFFFBDC]
016F:0040690A MOV AL,[EDX+01]
016F:0040690D MOV [EBP+FFFFFBDA],AL
016F:00406913 MOV ECX,[EBP+FFFFFBE0]
016F:00406919 CMP AL,[ECX+01]
016F:0040691C JNZ 00406941
016F:0040691E ADD DWORD [EBP+FFFFFBDC],BYTE +02
016F:00406925 ADD DWORD [EBP+FFFFFBE0],BYTE +02
016F:0040692C CMP BYTE [EBP+FFFFFBDA],00
016F:00406933 JNZ 004068E3
016F:00406935 MOV DWORD [EBP+FFFFFBD4],00
016F:0040693F JMP SHORT 0040694C
016F:00406941 SBB EDX,EDX
016F:00406943 SBB EDX,BYTE -01
016F:00406946 MOV [EBP+FFFFFBD4],EDX
016F:0040694C MOV EAX,[EBP+FFFFFBD4]
016F:00406952 MOV [EBP+FFFFFBD0],EAX
016F:00406958 CMP DWORD [EBP+FFFFFBD0],BYTE +00
016F:0040695F JNZ NEAR 00406AB1
016F:00406965 MOV DWORD [EBP+FFFFFBE8],00
016F:0040696F CMP DWORD [EBP+FFFFFBE8],BYTE +00
016F:00406976 JNZ 0040697F
016F:00406978 XOR AL,AL==>the flag for a failed serial check!
016F:0040697A JMP 00406D61==>Blacklisted? You're done for ^_^
016F:0040697F MOV EDI,00448B48
016F:00406984 LEA EDX,[EBP-2C]
016F:00406987 OR ECX,BYTE -01
016F:0040698A XOR EAX,EAX
016F:0040698C REPNE SCASB
016F:0040698E NOT ECX
016F:00406990 SUB EDI,ECX
016F:00406992 MOV ESI,EDI
016F:00406994 MOV EAX,ECX
All that rigmarole above is just a blacklist check -_-0. The author was "too embarrassed" to write the blacklisted name out in the clear, so it is compared as "f(user name) = fixed string"......
…………
016F:00406ABA MOV EAX,[EBP-04]
016F:00406ABD ADD EAX,BYTE +01
016F:00406AC0 MOV [EBP-04],EAX
016F:00406AC3 MOV ECX,[EBP+08]==>ECX = pointer to the user name
016F:00406AC6 ADD ECX,[EBP-04]==>plus the counter kept in [EBP-04]
016F:00406AC9 MOVSX EDX,BYTE [ECX]==>user-name bytes into EDX one at a time
016F:00406ACC TEST EDX,EDX==>loop finished?
016F:00406ACE JZ 00406AD2==>if so, leave! This stretch just counts the length of the user name (left in [EBP-04] and EAX)
016F:00406AD0 JMP SHORT 00406ABA
016F:00406AD2 MOV DWORD [EBP-0C],00==>clear [EBP-0C]
016F:00406AD9 MOV EAX,[EBP+08]==>user name into EAX
016F:00406ADC MOVSX ECX,BYTE [EAX]==>the first byte of the user name into ECX
016F:00406ADF IMUL ECX,ECX,54BF==>multiply the first byte of the user name by 54BFh, result in ECX
016F:00406AE5 MOV EDX,[EBP-0C]==>[EBP-0C] (zero at this point, cleared at 406AD2) into EDX
016F:00406AE8 ADD EDX,ECX==>add them
016F:00406AEA MOV [EBP-0C],EDX==>store it back; [EBP-0C] holds the running result
016F:00406AED MOV EAX,[EBP+08]
016F:00406AF0 MOVSX ECX,BYTE [EAX+01]==>second byte of the user name
016F:00406AF4 MOV EDX,[EBP-0C]==>the previous result into EDX
016F:00406AF7 LEA EAX,[EDX+ECX+00205FDF]==>EAX=EDX+ECX+205FDFh!
016F:00406AFE MOV [EBP-0C],EAX==>the result goes back into [EBP-0C]
016F:00406B01 MOV ECX,[EBP+08]
016F:00406B04 MOVSX EDX,BYTE [ECX+02]
016F:00406B08 IMUL EDX,EDX,5C8F
016F:00406B0E MOV EAX,[EBP-0C]
016F:00406B11 ADD EAX,EDX
016F:00406B13 MOV [EBP-0C],EAX
016F:00406B16 MOV ECX,[EBP+08]
016F:00406B19 MOVSX EDX,BYTE [ECX+03]
016F:00406B1D MOV EAX,[EBP-0C]
016F:00406B20 LEA ECX,[EAX+EDX+00987227]
016F:00406B27 MOV [EBP-0C],ECX
016F:00406B2A MOV EDX,[EBP+08]
016F:00406B2D MOVSX EAX,BYTE [EDX+04]
016F:00406B31 IMUL EAX,EAX,645F
016F:00406B37 MOV ECX,[EBP-0C]
016F:00406B3A ADD ECX,EAX
016F:00406B3C MOV [EBP-0C],ECX
016F:00406B3F MOV EDX,[EBP+08]
016F:00406B42 MOVSX EAX,BYTE [EDX+05]
016F:00406B46 MOV ECX,[EBP-0C]
016F:00406B49 LEA EDX,[ECX+EAX+006A595F]
016F:00406B50 MOV [EBP-0C],EDX
016F:00406B53 MOV EAX,[EBP+08]
016F:00406B56 MOVSX ECX,BYTE [EAX+06]
016F:00406B5A IMUL ECX,ECX,6C2F
016F:00406B60 MOV EDX,[EBP-0C]
016F:00406B63 ADD EDX,ECX
016F:00406B65 MOV [EBP-0C],EDX
016F:00406B68 MOV EAX,[EBP+08]
016F:00406B6B MOVSX ECX,BYTE [EAX+07]
016F:00406B6F MOV EDX,[EBP-0C]
016F:00406B72 LEA EAX,[EDX+ECX+00140B9F]
016F:00406B79 MOV [EBP-0C],EAX
016F:00406B7C MOV ECX,[EBP+08]
016F:00406B7F MOVSX EDX,BYTE [ECX+08]
016F:00406B83 IMUL EDX,EDX,73FF
016F:00406B89 MOV EAX,[EBP-0C]
016F:00406B8C ADD EAX,EDX
016F:00406B8E MOV [EBP-0C],EAX
016F:00406B91 MOV ECX,[EBP+08]
016F:00406B94 MOVSX EDX,BYTE [ECX+09]
016F:00406B98 IMUL EDX,EDX,29C7
016F:00406B9E MOV EAX,[EBP-0C]
016F:00406BA1 ADD EAX,EDX
016F:00406BA3 MOV [EBP-0C],EAX
016F:00406BA6 MOV ECX,[EBP+08]
016F:00406BA9 MOVSX EDX,BYTE [ECX+0A]
016F:00406BAD MOV EAX,[EBP-0C]
016F:00406BB0 LEA ECX,[EAX+EDX+00020A3F]
016F:00406BB7 MOV [EBP-0C],ECX
016F:00406BBA MOV EDX,[EBP+08]
016F:00406BBD MOVSX EAX,BYTE [EDX+0B]
016F:00406BC1 IMUL EAX,EAX,0001DF47
016F:00406BC7 MOV ECX,[EBP-0C]
016F:00406BCA ADD ECX,EAX
016F:00406BCC MOV [EBP-0C],ECX
016F:00406BCF MOV EDX,[EBP+08]
016F:00406BD2 MOVSX EAX,BYTE [EDX+0C]
016F:00406BD6 MOV ECX,[EBP-0C]
016F:00406BD9 LEA EDX,[ECX+EAX+0001B44F]
016F:00406BE0 MOV [EBP-0C],EDX
016F:00406BE3 MOV EAX,[EBP+08]
016F:00406BE6 MOVSX ECX,BYTE [EAX+0D]
016F:00406BEA IMUL ECX,ECX,00018957
016F:00406BF0 MOV EDX,[EBP-0C]
016F:00406BF3 ADD EDX,ECX
016F:00406BF5 MOV [EBP-0C],EDX
016F:00406BF8 MOV EAX,[EBP+08]
016F:00406BFB MOVSX ECX,BYTE [EAX+0E]
016F:00406BFF MOV EDX,[EBP-0C]
016F:00406C02 LEA EAX,[EDX+ECX+00030FF7]
016F:00406C09 MOV [EBP-0C],EAX
016F:00406C0C MOV ECX,[EBP+08]
016F:00406C0F MOVSX EDX,BYTE [ECX+0F]
016F:00406C13 IMUL EDX,EDX,000365E7
016F:00406C19 MOV EAX,[EBP-0C]
016F:00406C1C ADD EAX,EDX
016F:00406C1E MOV [EBP-0C],EAX
016F:00406C21 MOV ECX,[EBP+08]
016F:00406C24 MOVSX EDX,BYTE [ECX+10]
016F:00406C28 MOV EAX,[EBP-0C]
016F:00406C2B LEA ECX,[EAX+EDX+0005177F]
016F:00406C32 MOV [EBP-0C],ECX
016F:00406C35 MOV EDX,[EBP+08]
016F:00406C38 MOVSX EAX,BYTE [EDX+11]
016F:00406C3C IMUL EAX,EAX,0006C917
016F:00406C42 MOV ECX,[EBP-0C]
016F:00406C45 ADD ECX,EAX
016F:00406C47 MOV [EBP-0C],ECX
016F:00406C4A MOV EDX,[EBP+08]
016F:00406C4D MOVSX EAX,BYTE [EDX+12]
016F:00406C51 MOV ECX,[EBP-0C]
016F:00406C54 LEA EDX,[ECX+EAX+00087AAF]
016F:00406C5B MOV [EBP-0C],EDX
016F:00406C5E MOV EAX,[EBP+08]
016F:00406C61 MOVSX ECX,BYTE [EAX+13]
016F:00406C65 IMUL ECX,ECX,3039
016F:00406C6B MOV EDX,[EBP-0C]
016F:00406C6E ADD EDX,ECX
016F:00406C70 MOV [EBP-0C],EDX
016F:00406C73 MOV EAX,[EBP+08]
016F:00406C76 MOVSX ECX,BYTE [EAX+14]
016F:00406C7A IMUL ECX,ECX,D431
016F:00406C80 MOV EDX,[EBP-0C]
016F:00406C83 ADD EDX,ECX
016F:00406C85 MOV [EBP-0C],EDX
016F:00406C88 MOV EAX,[EBP+08]
016F:00406C8B MOVSX ECX,BYTE [EAX+15]
016F:00406C8F IMUL ECX,ECX,372B
016F:00406C95 MOV EDX,[EBP-0C]
016F:00406C98 ADD EDX,ECX
016F:00406C9A MOV [EBP-0C],EDX
016F:00406C9D MOV EAX,[EBP+08]
016F:00406CA0 MOVSX ECX,BYTE [EAX+16]
016F:00406CA4 IMUL ECX,ECX,DE0D
016F:00406CAA MOV EDX,[EBP-0C]
016F:00406CAD ADD EDX,ECX
016F:00406CAF MOV [EBP-0C],EDX
016F:00406CB2 MOV EAX,[EBP+08]
016F:00406CB5 MOVSX ECX,BYTE [EAX+17]
016F:00406CB9 IMUL ECX,ECX,00010104
016F:00406CBF MOV EDX,[EBP-0C]
016F:00406CC2 ADD EDX,ECX
016F:00406CC4 MOV [EBP-0C],EDX
016F:00406CC7 MOV EAX,[EBP+08]
016F:00406CCA MOVSX ECX,BYTE [EAX+18]
016F:00406CCE IMUL ECX,ECX,8711
016F:00406CD4 MOV EDX,[EBP-0C]
016F:00406CD7 ADD EDX,ECX
016F:00406CD9 MOV [EBP-0C],EDX
016F:00406CDC MOV EAX,[EBP+08]
016F:00406CDF MOVSX ECX,BYTE [EAX+19]
016F:00406CE3 IMUL ECX,ECX,00010845
016F:00406CE9 MOV EDX,[EBP-0C]
016F:00406CEC ADD EDX,ECX
016F:00406CEE MOV [EBP-0C],EDX
016F:00406CF1 MOV EAX,[EBP+08]
016F:00406CF4 MOVSX ECX,BYTE [EAX+1A]
016F:00406CF8 IMUL ECX,ECX,8711
016F:00406CFE MOV EDX,[EBP-0C]
016F:00406D01 ADD EDX,ECX
016F:00406D03 MOV [EBP-0C],EDX
016F:00406D06 MOV EAX,[EBP+08]
016F:00406D09 MOVSX ECX,BYTE [EAX+1B]
016F:00406D0D IMUL ECX,ECX,FFBA
016F:00406D13 MOV EDX,[EBP-0C]
016F:00406D16 ADD EDX,ECX
016F:00406D18 MOV [EBP-0C],EDX
016F:00406D1B MOV EAX,[EBP+08]
016F:00406D1E MOVSX ECX,BYTE [EAX+1C]
016F:00406D22 IMUL ECX,ECX,000181B7
016F:00406D28 MOV EDX,[EBP-0C]
016F:00406D2B ADD EDX,ECX
016F:00406D2D MOV [EBP-0C],EDX
016F:00406D30 MOV EAX,[EBP+08]
016F:00406D33 MOVSX ECX,BYTE [EAX+1D]
016F:00406D37 IMUL ECX,ECX,85BA
016F:00406D3D MOV EDX,[EBP-0C]
016F:00406D40 ADD EDX,ECX
016F:00406D42 MOV [EBP-0C],EDX
016F:00406D45 MOV EAX,[EBP-0C]==>the correct serial into EAX
016F:00406D48 CMP EAX,[EBP+0C]==>compare the real serial with the entered one!
016F:00406D4B JNZ 00406D58
016F:00406D4D MOV DWORD [EBP-0C],00
016F:00406D54 MOV AL,01
016F:00406D56 JMP SHORT 00406D61
016F:00406D58 MOV DWORD [EBP-0C],00
016F:00406D5F XOR AL,AL
016F:00406D61 POP EDI
016F:00406D62 POP ESI
016F:00406D63 POP EBX
016F:00406D64 MOV ESP,EBP
016F:00406D66 POP EBP
016F:00406D67 RET 08
The stretch 406B01..406D42 does the same kind of arithmetic as 406AD9..406AFE above. Up to offset 12h the bytes alternate: an even-offset byte (the 1st, 3rd, 5th, ... character) is multiplied by a constant and added to the running result in [EBP-0C], and the following odd-offset byte is added together with a constant. From offset 13h to 1Dh every byte is simply multiplied by its own constant and added. Note that the routine always reads 30 bytes (offsets 0..1Dh) through the name pointer in [EBP+08] no matter how long the name is, so whatever sits after the terminating NUL in the caller's buffer at [EBP-20] goes into the sum too. The final value in [EBP-0C] is the real serial, and it is compared as a 32-bit DWORD with the entered value in [EBP+0C] at 406D48!!
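As an added example (my own code, not part of the original post and not the program's code), here is the routine at 406870 rebuilt in Python as a keygen, covering both the blacklist test and the serial sum. Two things are assumptions that the post does not state and that should be confirmed in the debugger: that the caller's name buffer at [EBP-20] holds zeros after the terminating NUL (the routine reads offsets 0..1Dh unconditionally, so any other padding changes the result), and that the value fetched at 406DC6 and compared at 406D48 is the serial parsed as a 32-bit integer (the arguments pushed there, 1, 0 and the control ID 421h with `this` in ECX, look like a CWnd::GetDlgItemInt call, but the post does not say). For the record, the REPNE SCASB / REP MOVSD / REP MOVSB sequence at 406882..40689D is an inlined strlen plus memcpy: it copies the name (ECX/4 dwords, then the ECX&3 remaining bytes) into the local buffer at [EBP-2C], which is the copy the +0Ah transform and blacklist compare then work on; the serial sum at 406AD9 onwards reads the untouched original through [EBP+08].

```python
# Added example: keygen for the Shiznit Scanner V2.1 check at 406870,
# reconstructed from the listing in the post. Not the program's own code.
#
# ASSUMPTIONS (not stated in the post; verify in the debugger):
#  * the name buffer is zero after the terminating NUL;
#  * the entered serial reaches the DWORD compare at 406D48 as a 32-bit integer.

BLACKLIST_ENCODED = b"^OKW*V_MsN"  # the string at 448B50
NAME_BYTES = 0x1E                  # the routine reads name offsets 0..1Dh

# One (op, constant) per name offset, in the order of 406AD9..406D42.
# "mul": acc += byte * k      "add": acc += byte + k
SCHEDULE = [
    ("mul", 0x54BF),  ("add", 0x205FDF), ("mul", 0x5C8F),  ("add", 0x987227),
    ("mul", 0x645F),  ("add", 0x6A595F), ("mul", 0x6C2F),  ("add", 0x140B9F),
    ("mul", 0x73FF),  ("mul", 0x29C7),   ("add", 0x20A3F), ("mul", 0x1DF47),
    ("add", 0x1B44F), ("mul", 0x18957),  ("add", 0x30FF7), ("mul", 0x365E7),
    ("add", 0x5177F), ("mul", 0x6C917),  ("add", 0x87AAF), ("mul", 0x3039),
    ("mul", 0xD431),  ("mul", 0x372B),   ("mul", 0xDE0D),  ("mul", 0x10104),
    ("mul", 0x8711),  ("mul", 0x10845),  ("mul", 0x8711),  ("mul", 0xFFBA),
    ("mul", 0x181B7), ("mul", 0x85BA),
]
assert len(SCHEDULE) == NAME_BYTES


def movsx(b: int) -> int:
    """MOVSX reg, BYTE: sign-extend one byte exactly as the routine does."""
    return b - 0x100 if b > 0x7F else b


def name_buffer(name: bytes) -> bytes:
    """The 30 bytes the routine reads through [EBP+08]. ASSUMPTION: zero padding."""
    return name[:NAME_BYTES].ljust(NAME_BYTES, b"\0")


def is_blacklisted(name: bytes) -> bool:
    """4068A8..406933: add 0Ah to every byte of a copy of the name, then
    strcmp that copy against the constant at 448B50."""
    encoded = bytes((b + 0x0A) & 0xFF for b in name)
    return encoded == BLACKLIST_ENCODED


def decode_blacklist() -> str:
    """Undo the +0Ah transform to reveal the banned name in the clear."""
    return bytes((b - 0x0A) & 0xFF for b in BLACKLIST_ENCODED).decode("ascii")


def serial_for(name: bytes) -> int:
    """406AD2..406D42: the value left in [EBP-0C], as an unsigned 32-bit DWORD."""
    buf = name_buffer(name)
    acc = 0
    for i, (op, k) in enumerate(SCHEDULE):
        c = movsx(buf[i])
        acc = (acc + (c * k if op == "mul" else c + k)) & 0xFFFFFFFF
    return acc


def check(name: bytes, serial: int) -> bool:
    """The whole routine's verdict: AL=0 for a blacklisted name or a mismatch."""
    if is_blacklisted(name):
        return False
    return (serial & 0xFFFFFFFF) == serial_for(name)


if __name__ == "__main__":
    import sys
    user = sys.argv[1].encode("ascii") if len(sys.argv) > 1 else b"BurSH"
    s = serial_for(user)
    signed = s - (1 << 32) if s & 0x80000000 else s
    print(f"blacklisted name: {decode_blacklist()!r}")
    print(f"{user.decode()}: serial {s} (as signed int32: {signed})")
```

Run it as `python keygen.py BurSH`. The serial is printed both unsigned and as a signed 32-bit value because the compare at 406D48 only cares about the bit pattern; enter whichever form the registration dialog's integer parser accepts. If a serial computed this way is rejected for a short name, dump the 32 bytes at [EBP-20] in the caller first: non-zero bytes after the NUL are the most likely cause, and `name_buffer` is the only place that needs changing.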
BTW: the program stores its registration info in C:\WINDOWS\Srpesg.dat
OK, that's all! Thanks for reading patiently :)
- Title: Shiznit Scanner V2.1 simple algorithm study notes (finally have a little time to play with cracking now that mid-terms are over; hope everyone will help me out, thanks ^_^) (14K)
- Author: BurSH
- Time: 2003-4-20 17:39:18
- Link: http://bbs.pediy.com