软件名称: 社区游戏伴侣 V1.0
软件大小: 213 KB
应用平台: Win9x
软件类别: 游戏记牌器
软件介绍:联众,边锋游戏牌类记牌器,注册后全部功能可用。
破解工具:ollydbg 1.08 ,W32DASM10,UltraEdit8.0,AspackDie,fi2.5
破解方法: 注册算法
朋友玩联众游戏,说有记牌器《****伴侣1.1》要注册才能玩够级,让我看看。他的注册方法有些独特,注册表验证,而且必须连接联众后才验证,分不同地方验证,而且必须用游戏ID,这就是说你只能用一个用户ID玩游戏。上网也没查到有注册机。自己动手吧。
先脱壳,aspack2.12,用AspackDie好脱。
用W32DASM反汇编,查找可疑字符串等。再用ollydbg
1.08调试,断点就好设了。
--------------------------------------------------------------------------------------
0045D16C /. 55 PUSH EBP
0045D16D |. 8BEC
MOV EBP,ESP
0045D16F |. B9 0C000000 MOV ECX,0C
; ecx=0x0C
0045D174 |> 6A 00
/PUSH 0
; 初始化
0045D176
|. 6A 00 |PUSH 0
0045D178 |. 49
|DEC ECX
0045D179 |.^75 F9
\JNZ SHORT UNPACKED.0045D174
0045D17B |.
53 PUSH EBX
; ebx=011ca3f8,不知道什么用
0045D17C |. 56
PUSH ESI
0045D17D |. 8945 FC
MOV DWORD PTR SS:[EBP-4],EAX
0045D180 |. 33C0
XOR EAX,EAX
0045D182 |. 55
PUSH EBP
0045D183 |. 68 A1D34500 PUSH UNPACKED.0045D3A1
0045D188 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0045D18B |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0045D18E |. 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
0045D191 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D194 |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D19A |. E8 5996FDFF CALL UNPACKED.004367F8
; 取假注册码:12345678
0045D19F
|. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
; 给eax地址处存放假注册码12345678
0045D1A2
|. 33D2 XOR EDX,EDX
0045D1A4 |. E8
07B9FAFF CALL UNPACKED.00408AB0
0045D1A9 |. 8BC8
MOV ECX,EAX
; eax的值给ecx
0045D1AB |. 81F9 80969800 CMP ECX,989680
;
0x989680=10000000,ecx>=10000000(JGE)就跳到0045D1C2继续,否则走0045D1B3报错——也就是说注册码转成整数后必须是8位数字。在寄存器窗口双击ecx可以看到12345678
0045D1B1 |. 7D 0F
JGE SHORT UNPACKED.0045D1C2
0045D1B3 |.
B8 B8D34500 MOV EAX,UNPACKED.0045D3B8
0045D1B8 |. E8 3F31FDFF
CALL UNPACKED.004302FC
0045D1BD |. E9 92010000
JMP UNPACKED.0045D354
0045D1C2 |> 8D45 C4
LEA EAX,DWORD PTR SS:[EBP-3C]
0045D1C5 |. 50
PUSH EAX
0045D1C6 |. 8D55 C0
LEA EDX,DWORD PTR SS:[EBP-40]
0045D1C9 |. 8B45 FC
MOV EAX,DWORD PTR SS:[EBP-4]
0045D1CC |. 8B80 08030000
MOV EAX,DWORD PTR DS:[EAX+308]
0045D1D2 |. E8 2196FDFF
CALL UNPACKED.004367F8
0045D1D7 |. 8B45 C0
MOV EAX,DWORD PTR SS:[EBP-40]
0045D1DA |. B9 04000000
MOV ECX,4
0045D1DF |. 33D2 XOR EDX,EDX
0045D1E1 |. E8 B277FAFF CALL UNPACKED.00404998
; 取假注册码的前4位,1234
0045D1E6
|. 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C]
; 给eax地址处存放假注册码eax=1234
0045D1E9
|. E8 86B8FAFF CALL UNPACKED.00408A74
0045D1EE |. 8945
F0 MOV DWORD PTR SS:[EBP-10],EAX
; eax=1234存ebp-10
0045D1F1 |. 8D55 B8
LEA EDX,DWORD PTR SS:[EBP-48]
0045D1F4 |. 8B45
FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D1F7
|. 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+304]
0045D1FD |. E8
F695FDFF CALL UNPACKED.004367F8
; 取用户名laoqian
0045D202 |. 8B45 B8
MOV EAX,DWORD PTR SS:[EBP-48]
; eax=7
0045D205 |. 8D55 BC
LEA EDX,DWORD PTR SS:[EBP-44]
0045D208 |. E8 0BB5FAFF
CALL UNPACKED.00408718
0045D20D |. 8B45 BC
MOV EAX,DWORD PTR SS:[EBP-44]
; 给eax地址处存放laoqian
0045D210 |. 8D55 F4
LEA EDX,DWORD PTR SS:[EBP-C] ;
eax=7
0045D213 |. E8 DCB5FAFF CALL UNPACKED.004087F4
0045D218 |. 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
0045D21B |. 50 PUSH EAX
0045D21C |. 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
0045D21F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D222 |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D228 |. E8 CB95FDFF CALL UNPACKED.004367F8
0045D22D
|. 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
; eax=8,12345678
0045D230 |. B9 04000000
MOV ECX,4
0045D235 |. BA 05000000 MOV EDX,5
0045D23A |. E8 5977FAFF CALL UNPACKED.00404998
; 取假注册码的后4位:5678
0045D23F
|. 8B55 B4 MOV EDX,DWORD PTR SS:[EBP-4C]
; edx=5678
0045D242 |. 8D45 F4
LEA EAX,DWORD PTR SS:[EBP-C]
0045D245 |. E8 FE74FAFF
CALL UNPACKED.00404748
; 合并laoqian5678为字符串
0045D24A |. 8B45 F4
MOV EAX,DWORD PTR SS:[EBP-C]
; 存eax
0045D24D |. E8 EE74FAFF CALL UNPACKED.00404740
; 取“假用户名加假注册码后四位”的长度
0045D252 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
; eax=0xB,存的长度
0045D255 |.
8D45 CD LEA EAX,DWORD PTR SS:[EBP-33]
0045D258
|. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
; edx=laoqian5678为字符串,原来是5678
0045D25B
|. E8 F0BBFAFF CALL UNPACKED.00408E50
0045D260 |. BB DE040000
MOV EBX,4DE
; 令ebx=0x4de(1246)
0045D265
|. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
; 取假用户名加假注册码后四位的长度B给eax
0045D268
|. 48 DEC EAX
; eax-1
0045D269 |. 85C0
TEST EAX,EAX
; 测试
0045D26B |. 7C 37
JL SHORT UNPACKED.0045D2A4
0045D26D |. 40
INC EAX
;
eax+1还原
0045D26E |. 8945 EC MOV DWORD PTR
SS:[EBP-14],EAX ; 把“假用户名+假注册码后四位”的长度0xB存到ebp-14,作为外层循环的计数(下面0045D29F处递减)
0045D271 |. 33C9 XOR ECX,ECX
; 清零ecx
0045D273 |. 8D45 CD
LEA EAX,DWORD PTR SS:[EBP-33]
; 装入“假用户名加假注册码后四位”laoqian5678
0045D276 |> 8BD1
/MOV EDX,ECX
; ecx=edx
0045D278
|. 0FAFD1 |IMUL EDX,ECX
;
edx=edx*ecx 整数乘法
0045D27B |. 03DA
|ADD EBX,EDX
; ebx=ebx+edx
0045D27D |. 33D2
|XOR EDX,EDX
; edx=0
0045D27F
|. 8A10 |MOV DL,BYTE PTR DS:[EAX]
; 取依次eax“laoqian5678”字符串的第n个ASCII值
0045D281 |. 0FAFD1 |IMUL EDX,ECX
; edx=edx*ecx
0045D284 |. 03DA
|ADD EBX,EDX
; ebx=ebx+edx
0045D286 |. 8B55 F8
|MOV EDX,DWORD PTR SS:[EBP-8]
; 取假用户名加假注册码后四位的长度给edx=B
0045D289 |. 4A
|DEC EDX
;
edx=edx-1
0045D28A |. 83FA 00 |CMP EDX,0
; 比较是否小于0
0045D28D |. 7C 0E
|JL SHORT UNPACKED.0045D29D
; 循环到0045D276
0045D28F |> 8D1C19
|/LEA EBX,DWORD PTR DS:[ECX+EBX] ; ebx=ebx+ecx
0045D292 |. 0FB630 ||MOVZX ESI,BYTE PTR
DS:[EAX] ; 依次传送eax“laoqian5678”字符串的第n个ASCII值给esi
0045D295 |. 03DE ||ADD EBX,ESI
; ebx=ebx+esi
0045D297 |. 4A
||DEC EDX
; edx=edx-1
0045D298 |. 83FA FF ||CMP EDX,-1
; 比较是否小于-1
0045D29B |.^75 F2 |\JNZ
SHORT UNPACKED.0045D28F ; 循环0045D28F
0045D29D |> 41 |INC ECX
; ecx+1
0045D29E |. 40
|INC EAX
; eax+1地址
0045D29F |. FF4D EC |DEC DWORD PTR SS:[EBP-14]
; “假用户名加假注册码后四位”的长度-1
0045D2A2
|.^75 D2 \JNZ SHORT UNPACKED.0045D276
; 循环0045D276
0045D2A4 |> 85DB
TEST EBX,EBX
;
0045D2A6
|. 7D 0D JGE SHORT UNPACKED.0045D2B5
0045D2A8
|. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0045D2AB
|. BA D4D34500 MOV EDX,UNPACKED.0045D3D4
; ASCII "gg"
0045D2B0 |. E8 6B72FAFF
CALL UNPACKED.00404520
0045D2B5 |> 8BC3
MOV EAX,EBX
; eax存ebx结果
0045D2B7
|. B9 10270000 MOV ECX,2710
; ecx=0X2710=10000
0045D2BC |. 99 CDQ
0045D2BD
|. F7F9 IDIV ECX
0045D2BF |. 8BDA
MOV EBX,EDX
; eax除ecx=0X2710的余数为edx
0045D2C1 |. 81FB E8030000 CMP EBX,3E8
;
是否小于0x3e8=1000
0045D2C7 |. 7D 06
JGE SHORT UNPACKED.0045D2CF
0045D2C9 |. 81C3 70170000 ADD EBX,1770
; 小于0x3e8=1000就加0x1770=6000
0045D2CF |> 3B5D F0
CMP EBX,DWORD PTR SS:[EBP-10]
; ebx与假注册码前四位1234比较。记住ebx的值,把它作为注册码的前4位即可。注意:这一处校验只约束前4位,后4位在这里确实可以任意填;但后面的“联众注册检测2”(00463404)会把后4位与用户名的散列结果比较,所以后4位并不能随意设定,见下文。
0045D2D2 |. 74 0C JE SHORT UNPACKED.0045D2E0
; 关键跳,相等则本地注册成功。此处可以爆破(改为JMP),但仅爆破这一处不够:注册信息写入注册表后,连接联众时还会再次校验(见下文“联众校验 1”和“注册检测2”),那些地方也需要处理。
0045D2D4 |. B8 E0D34500 MOV EAX,UNPACKED.0045D3E0
0045D2D9 |. E8 1E30FDFF CALL UNPACKED.004302FC
0045D2DE
|. EB 74 JMP SHORT UNPACKED.0045D354
0045D2E0
|> B2 01 MOV DL,1
;用算出的注册码即可不经爆破通过此处,并把注册信息写入注册表 Software\zgsq\lzUser(见下面的字符串引用)——但这只是第一道检查。
0045D2E2 |. A1 C4B44500
MOV EAX,DWORD PTR DS:[45B4C4]
0045D2E7 |. E8 D8E2FFFF
CALL UNPACKED.0045B5C4
0045D2EC |. 8BD8
MOV EBX,EAX
0045D2EE |. B1 01
MOV CL,1
0045D2F0 |. BA 2CD44500 MOV EDX,UNPACKED.0045D42C
; ASCII "Software\zgsq\lzUser"
0045D2F5 |. 8BC3 MOV EAX,EBX
0045D2F7 |. E8 CCE3FFFF CALL UNPACKED.0045B6C8
0045D2FC
|. 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0045D2FF
|. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D302
|. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D308 |. E8
EB94FDFF CALL UNPACKED.004367F8
0045D30D |. 8B45 AC
MOV EAX,DWORD PTR SS:[EBP-54]
-----------------------------------------------------------------------
以上以为找到联众注册码,我们可以用它注册成功(边锋的注册差不多)。注意是“以为”!!!
注意用户名必须是联众注册用户名。我试用了一下,够级、梭哈等游戏只显示记牌窗口但不能记牌(不注册则连记牌窗口也不显示)。去他的主页论坛看,好像也有人说够级不能用,而且是购买的正式注册用户。不知道是程序的bug还是作者设的陷阱,我没有找到原因。另外,按上面的方法每个用户可以有无数个注册码(后4位任意),显然不合理——说明还有校验没有找到。
于是我猜注册码后4位(s2)应该与用户名有对应算法。动态调试没有找到,因为我无法上网:虽然本地已成功写入注册表,但程序还要在连接联众后再做一次验证。暂时无法动态跟踪,只好静态反汇编看看。
*********************************************************************
用W32DASM反编译,查找可疑字符串,找到"联众校验 1 OK"
以下为“联众校验 1”的反编译部分。可以看到它只是把前面的前4位算法重做了一遍(初值同样是0x4DE),仍然找不到s2与用户名的对应算法。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B34F(C)
|
:0046B35D 40
inc eax
:0046B35E 43
inc ebx
:0046B35F
83F814 cmp eax,
00000014
:0046B362 75BD
jne 0046B321
:0046B364 8D45E4
lea eax, dword ptr [ebp-1C]
:0046B367 BA28B44700
mov edx, 0047B428
:0046B36C B915000000
mov ecx, 00000015
:0046B371 E87A93F9FF
call 004046F0
:0046B376 8D9574D0FFFF
lea edx, dword ptr [ebp+FFFFD074]
:0046B37C
8B45E4 mov eax,
dword ptr [ebp-1C]
:0046B37F E894D3F9FF
call 00408718
:0046B384 8B9574D0FFFF
mov edx, dword ptr [ebp+FFFFD074]
:0046B38A 8D45E4
lea eax, dword ptr [ebp-1C]
:0046B38D E88E91F9FF call 00404520
:0046B392 8B45E4
mov eax, dword ptr [ebp-1C]
:0046B395 E8A693F9FF
call 00404740
:0046B39A A344B44700
mov dword ptr [0047B444], eax
:0046B39F B828B44700
mov eax, 0047B428
:0046B3A4 8B55E4
mov edx, dword ptr [ebp-1C]
:0046B3A7 E8A4DAF9FF call
00408E50
:0046B3AC B201
mov dl, 01
:0046B3AE A1C4B44500
mov eax, dword ptr [0045B4C4]
:0046B3B3 E80C02FFFF
call 0045B5C4
:0046B3B8 8BF8
mov edi, eax
:0046B3BA B101
mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\zgsq\lzuser"
|
:0046B3BC BAF8B84600
mov edx, 0046B8F8
:0046B3C1 8BC7
mov eax, edi
:0046B3C3 E80003FFFF call 0045B6C8
<====好像在这里取
:0046B3C8
8B55E4 mov edx,
dword ptr [ebp-1C]
:0046B3CB 8BC7
mov eax, edi
:0046B3CD E89A06FFFF
call 0045BA6C
<====好像在这里取
:0046B3D2 8BD8
mov ebx, eax
:0046B3D4 889E95030000 mov byte ptr [esi+00000395],
bl
:0046B3DA 84DB
test bl, bl
:0046B3DC 0F8481000000
je 0046B463
:0046B3E2 8D8D70D0FFFF
lea ecx, dword ptr [ebp+FFFFD070]
:0046B3E8 8B55E4
mov edx, dword ptr [ebp-1C]
:0046B3EB 8BC7
mov eax, edi
:0046B3ED E8BE04FFFF
call 0045B8B0
:0046B3F2 8B9570D0FFFF
mov edx, dword ptr [ebp+FFFFD070]
:0046B3F8 8D45E4
lea eax, dword ptr [ebp-1C]
:0046B3FB
E82091F9FF call 00404520
:0046B400 B840B44700 mov eax,
0047B440
:0046B405 8B55E4
mov edx, dword ptr [ebp-1C]
:0046B408 E8CF90F9FF
call 004044DC
:0046B40D 8D856CD0FFFF
lea eax, dword ptr [ebp+FFFFD06C]
:0046B413
50
push eax
:0046B414 B904000000
mov ecx, 00000004
<====好像在这里取4个数
:0046B419 BA05000000
mov edx, 00000005
<====在这里从第5位取
:0046B41E 8B45E4
mov eax, dword ptr [ebp-1C]
:0046B421 E87295F9FF
call 00404998
<====在这里call
:0046B426 8B856CD0FFFF
mov eax, dword ptr [ebp+FFFFD06C]
:0046B42C
33D2 xor
edx, edx
:0046B42E E87DD6F9FF
call 00408AB0
:0046B433 A348B44700
mov dword ptr [0047B448], eax
《===假注册码后四位存
:0046B438 8D8568D0FFFF
lea eax, dword ptr [ebp+FFFFD068]
:0046B43E 50
push eax
:0046B43F B904000000
mov ecx, 00000004
<====好像在这里取4个数
:0046B444 BA01000000 mov
edx, 00000001
<====在这里从第1位取
:0046B449 8B45E4
mov eax, dword ptr [ebp-1C]
:0046B44C
E84795F9FF call 00404998
<====在这里call
:0046B451 8B8568D0FFFF
mov eax, dword ptr [ebp+FFFFD068]
:0046B457 33D2
xor edx, edx
:0046B459 E852D6F9FF call 00408AB0
:0046B45E A34CB44700 mov
dword ptr [0047B44C], eax 《===假注册码前四位存
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B3DC(C)
|
:0046B463 8BC7
mov eax, edi
:0046B465 E82E82F9FF
call 00403698
:0046B46A 8D8564D0FFFF
lea eax, dword ptr [ebp+FFFFD064]
:0046B470
50
push eax
:0046B471 B904000000
mov ecx, 00000004
:0046B476 BA05000000
mov edx, 00000005
:0046B47B 8B45E4
mov eax, dword ptr [ebp-1C]
:0046B47E
E81595F9FF call 00404998
:0046B483 8B8564D0FFFF mov eax, dword
ptr [ebp+FFFFD064]
:0046B489 50
push eax
:0046B48A 8D8560D0FFFF
lea eax, dword ptr [ebp+FFFFD060]
:0046B490
BA28B44700 mov edx, 0047B428
:0046B495 B915000000 mov ecx,
00000015
:0046B49A E85192F9FF
call 004046F0
:0046B49F 8B9560D0FFFF
mov edx, dword ptr [ebp+FFFFD060]
:0046B4A5 8D45E4
lea eax, dword ptr [ebp-1C]
:0046B4A8
59
pop ecx
:0046B4A9 E8DE92F9FF
call 0040478C
:0046B4AE 8D85A6D8FFFF
lea eax, dword ptr [ebp+FFFFD8A6]
:0046B4B4 8B55E4
mov edx, dword ptr [ebp-1C]
:0046B4B7
E894D9F9FF call 00408E50
:0046B4BC BFDE040000 mov edi,
000004DE <===初值0x4DE=1246,与0045D260处相同,以下算法与前面的校验完全一样
:0046B4C1 A144B44700 mov
eax, dword ptr [0047B444]
:0046B4C6 83C004
add eax, 00000004
:0046B4C9 48
dec eax
:0046B4CA
85C0 test
eax, eax
:0046B4CC 7C49
jl 0046B517
:0046B4CE 40
inc eax
:0046B4CF 8945D8
mov dword ptr [ebp-28],
eax
:0046B4D2 33C0
xor eax, eax
:0046B4D4 8D9DA6D8FFFF
lea ebx, dword ptr [ebp+FFFFD8A6]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0046B515(C)
|
:0046B4DA 8BD0
mov edx, eax
:0046B4DC 0FAFD0
imul edx, eax
:0046B4DF 03FA
add edi, edx
:0046B4E1 33D2
xor edx, edx
:0046B4E3 8A13
mov dl, byte ptr
[ebx]
:0046B4E5 0FAFD0
imul edx, eax
:0046B4E8 03FA
add edi, edx
:0046B4EA 8B1544B44700
mov edx, dword ptr [0047B444]
:0046B4F0 83C204
add edx, 00000004
:0046B4F3 4A
dec edx
:0046B4F4 83FA00
cmp edx, 00000000
:0046B4F7 7C17
jl 0046B510
:0046B4F9 8955F8
mov dword ptr [ebp-08],
edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B50E(C)
|
:0046B4FC 8D1438
lea edx, dword ptr [eax+edi]
:0046B4FF 33C9
xor ecx, ecx
:0046B501 8A0B
mov cl, byte ptr [ebx]
:0046B503 03D1
add edx, ecx
:0046B505 8BFA
mov edi, edx
:0046B507 FF4DF8
dec [ebp-08]
:0046B50A
837DF8FF cmp dword ptr
[ebp-08], FFFFFFFF
:0046B50E 75EC
jne 0046B4FC
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0046B4F7(C)
|
:0046B510 40
inc eax
:0046B511 43
inc ebx
:0046B512 FF4DD8
dec [ebp-28]
:0046B515 75C3
jne 0046B4DA
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:0046B4CC(C)
|
:0046B517 85FF
test edi, edi
:0046B519 7D0D
jge 0046B528
:0046B51B 8D45E4
lea eax, dword ptr [ebp-1C]
:0046B51E
BA18B94600 mov edx, 0046B918
:0046B523 E8F88FF9FF call 00404520
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B519(C)
|
:0046B528 8BC7
mov eax, edi
:0046B52A B910270000
mov ecx, 00002710
:0046B52F 99
cdq
:0046B530 F7F9
idiv ecx
:0046B532 8BFA
mov edi, edx
:0046B534 81FFE8030000
cmp edi, 000003E8
:0046B53A 7D06
jge 0046B542
:0046B53C 81C770170000
add edi, 00001770
* Referenced by
a (U)nconditional or (C)onditional Jump at Address:
|:0046B53A(C)
|
:0046B542 3B3D4CB44700 cmp edi,
dword ptr [0047B44C] <=== 与假注册码前四位比较
:0046B548 7515
jne 0046B55F
<===可以爆破
* Possible StringData Ref from Code
Obj ->"联众校验 1 OK"
|
:0046B54A
BA24B94600 mov edx, 0046B924
:0046B54F 8BC6
mov eax, esi
:0046B551 E896550000
call 00470AEC
:0046B556 C60550B4470001
mov byte ptr [0047B450], 01 <===成功标志
:0046B55D EB13
jmp 0046B572
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:0046B548(C)
|
* Possible StringData Ref
from Code Obj ->"联众校验 1 false"
|
:0046B55F BA3CB94600 mov
edx, 0046B93C
:0046B564 8BC6
mov eax, esi
:0046B566 E881550000
call 00470AEC
:0046B56B C60550B4470000
mov byte ptr [0047B450], 00
<===失败标志
* Referenced by a (U)nconditional or (C)onditional
Jump at Addresses:
|:0046B30A(C), :0046B314(C), :0046B55D(U)
|
:0046B572 8A8567E8FFFF mov al, byte ptr
[ebp+FFFFE867]
:0046B578 3CCD
cmp al, CD
:0046B57A 7408
je 0046B584
:0046B57C 3CCD
cmp al, CD
:0046B57E 0F858D010000 jne 0046B711
.........
------------------------------------------------------------------------------------
************************************************************
再找,功夫不负有心人!
用W32DASM反编译,查找可疑字符串,"联众注册检测2通过"
找到以下为联众注册检测s2的反编译部分,这里是关键了!!!
连接联众后,从注册表读出注册信息,来到以下call:
* Referenced by a CALL at Address:
|:00460DF1
|
:00463404 55
push ebp
:00463405 8BEC
mov ebp, esp
:00463407 83C4E4
add esp, FFFFFFE4
:0046340A 53
push ebx
:0046340B
56
push esi
:0046340C 57
push edi
:0046340D 894DF8
mov dword ptr [ebp-08], ecx
:00463410
8945FC mov dword
ptr [ebp-04], eax
:00463413 8B7508
mov esi, dword ptr [ebp+08]
:00463416 8BDA
mov ebx, edx
:00463418
8B83109D0000 mov eax, dword ptr [ebx+00009D10]
:0046341E 8945F0
mov dword ptr [ebp-10], eax
:00463421 8B83089D0000
mov eax, dword ptr [ebx+00009D08]
:00463427 8D940330080000
lea edx, dword ptr [ebx+eax+00000830]
:0046342E
8B45F8 mov eax,
dword ptr [ebp-08]
:00463431 8BCE
mov ecx, esi
:00463433 E8ACF4F9FF
call 004028E4
:00463438 01B3089D0000
add dword ptr [ebx+00009D08], esi
:0046343E
81BB089D000088130000 cmp dword ptr [ebx+00009D08], 00001388
:00463448 7E17
jle 00463461
:0046344A 33C0
xor eax, eax
:0046344C 8983089D0000
mov dword ptr [ebx+00009D08], eax
:00463452 C783109D0000FFFFFFFF
mov dword ptr [ebx+00009D10], FFFFFFFF
:0046345C E9E8020000
jmp 00463749
* Referenced
by a (U)nconditional or (C)onditional Jump at Addresses:
|:00463448(C), :00463743(C)
|
:00463461 8B83089D0000 mov
eax, dword ptr [ebx+00009D08]
:00463467 8945F4
mov dword ptr [ebp-0C], eax
:0046346A
837DF40A cmp dword ptr
[ebp-0C], 0000000A
:0046346E 0F8CD5020000
jl 00463749
:00463474 80BB3308000000
cmp byte ptr [ebx+00000833], 00
:0046347B 7507
jne 00463484
:0046347D BE08000000
mov esi, 00000008
:00463482 EB05
jmp 00463489
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046347B(C)
|
:00463484 BE0C000000
mov esi, 0000000C
* Referenced by a (U)nconditional or
(C)onditional Jump at Address:
|:00463482(U)
|
:00463489 8D55EC
lea edx, dword ptr [ebp-14]
:0046348C 8D8334080000 lea eax,
dword ptr [ebx+00000834]
:00463492 B904000000
mov ecx, 00000004
:00463497 E848F4F9FF
call 004028E4
:0046349C 0375EC
add esi, dword ptr [ebp-14]
:0046349F 3B75F4
cmp esi, dword ptr [ebp-0C]
:004634A2 7E03
jle 004634A7
:004634A4 83CEFF
or esi, FFFFFFFF
*
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004634A2(C)
|
:004634A7 83FEFF
cmp esi, FFFFFFFF
:004634AA 0F8499020000
je 00463749
:004634B0 80BB3008000000
cmp byte ptr [ebx+00000830], 00
:004634B7 0F8589000000
jne 00463546
:004634BD A1A04D4900
mov eax, dword ptr [00494DA0]
:004634C2
8945E8 mov dword
ptr [ebp-18], eax <====取“用户名”
:004634C5 33C9
xor ecx, ecx
<====ecx清零
:004634C7 8B45E8
mov eax, dword ptr [ebp-18]
:004634CA 8B401C
mov eax, dword ptr [eax+1C]
:004634CD 85C0
test eax, eax
:004634CF 7E23
jle 004634F4
:004634D1 8945E4
mov dword ptr [ebp-1C], eax
<====“用户名”的位数
:004634D4 B801000000
mov eax, 00000001
<====eax=1赋值
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:004634F2(C)
|
:004634D9 8B55E8
mov edx, dword ptr [ebp-18]
<====取“用户名”给edx
:004634DC 0FB65402FF
movzx edx, byte ptr [edx+eax-01] <====依次取“用户名”的ASCII码
:004634E1 8D787A
lea edi, dword ptr [eax+7A] <====edi=eax+7A
:004634E4 0FAFD7
imul edx, edi <====
edx=edx*edi
:004634E7 8D0C08
lea ecx, dword ptr [eax+ecx] <==== ecx=eax+ecx
:004634EA 03D1
add edx, ecx <====
edx=edx+ecx
:004634EC 8BCA
mov ecx, edx
<====ecx=edx
:004634EE 40
inc eax
<==== eax+1
:004634EF FF4DE4
dec [ebp-1C]
<====“用户名”的位数递减
:004634F2 75E5
jne 004634D9
<==== 循环
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:004634CF(C)
|
:004634F4 8BC1
mov eax, ecx <====
eax=ecx
:004634F6 B910270000
mov ecx, 00002710 <==== ecx=0X2710=10000
:004634FB 99
cdq
:004634FC F7F9
idiv ecx
<====eax除ecx=0X2710的余数为edx
:004634FE 8BCA
mov ecx, edx
<====ecx=edx
:00463500 837DF01A
cmp dword ptr [ebp-10], 0000001A
<====[ebp-10]是函数入口处从[ebx+9D10]读出的值(见00463418),出错路径会把它置为-1(0046345C),结合后面按[ebp-10]索引的跳转表(0046355B)看,它更像是联众协议的状态/步骤编号,0x1A只是一个状态阈值,与补零无关——这是静态推测,未经动态调试确认。
:00463504 7C1C
jl 00463522 <====若[ebp-10]<0x1A则跳过下面00463506..00463518这一次比较。无论走哪条路径,00463525处的比较都会执行,真正的关键点在下面;这里爆破意义不大。
:00463506 8BC1
mov eax, ecx
:00463508 BF10270000
mov edi, 00002710
:0046350D 99
cdq
:0046350E F7FF
idiv edi
<====再来一次取余?eax除edx=0X2710的余数为edx
:00463510
8B45E8 mov eax,
dword ptr [ebp-18] <====用户名
:00463513 3B5020
cmp edx, dword ptr [eax+20]
<====注册码后四位比较
:00463516 740A
je 00463522
<====相等跳,可以爆破
:00463518 C783109D0000FFFFFFFF
mov dword ptr [ebx+00009D10], FFFFFFFF
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00463504(C), :00463516(C)
|
:00463522 8B45E8
mov eax, dword ptr [ebp-18] <====用户名
:00463525 3B4820
cmp ecx, dword ptr [eax+20]
<====真注册码后四位就是ecx!!!!
:00463528 750F
jne 00463539
<====关键跳,爆破可以吗?可能行
* Possible StringData
Ref from Code Obj ->"联众注册检测2通过" 《===注意这是什么??
|
:0046352A BA5C374600
mov edx, 0046375C
:0046352F 8B45FC
mov eax, dword ptr [ebp-04]
:00463532 E8B5D50000
call 00470AEC
:00463537 EB0D
jmp 00463546
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463528(C)
|
* Possible StringData Ref from Code Obj ->"联众注册检测2错误"
|
:00463539 BA78374600
mov edx, 00463778
:0046353E 8B45FC
mov eax, dword ptr [ebp-04]
:00463541 E8A6D50000 call
00470AEC
* Referenced by a (U)nconditional or (C)onditional Jump at
Addresses:
|:004634B7(C), :00463537(U)
|
:00463546 3B75F4
cmp esi, dword ptr [ebp-0C]
:00463549 0F8FEB010000 jg 0046373A
:0046354F 8B45F0
mov eax, dword ptr [ebp-10]
:00463552 83F81F
cmp eax, 0000001F
:00463555 0F87C1010000
ja 0046371C
:0046355B FF248562354600
jmp dword ptr [4*eax+00463562]
:00463562
F7354600 DWORD 004635F7
:00463566 E2354600
DWORD 004635E2
:0046356A 1C374600
DWORD 0046371C
终于找到了,连蒙带猜。
以下部分为注册机程序,delphi,联众经过验证。
边锋的我不玩,有兴趣的朋友可以自己作验证。
//======================================================================
//联众部分注册机程序
//------------------------------------------------------------
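// Lianzhong keygen. The registration code is 8 decimal digits, LEFT(4) + RIGHT(4):
//   RIGHT(4) ("s2") is a checksum of the Lianzhong user name
//     (check 2, 004634D9..00463525: n += ord(c[i]) * (i + 0x7A) + i, mod 10000);
//   LEFT(4) is a checksum of name + s2 starting at 0x4DE = 1246
//     (check 1, 0045D276..0045D2CF and 0046B4DA..0046B542).
// Both checks run client-side, so the whole scheme can be reproduced here.
function LianzhongKey(const UserName: string): string;
var
  s1, s2, s3: string;
  m, n, i, cv: Integer;
begin
  s1 := Trim(UserName);

  // --- check 2: s2 = (sum ord(c[i]) * (i + 122) + i) mod 10000
  m := Length(s1);
  n := 0;
  for i := 1 to m do
  begin
    cv := Ord(s1[i]);
    n := n + cv * (i + 122) + i;
  end;
  n := n mod 10000;
  s2 := IntToStr(n);
  // Always pad to exactly 4 digits. Check 1 copies positions 5..8 of the
  // code (00404998 with edx=5, ecx=4) and the entry check at 0045D1AB
  // requires the whole code to be >= 10000000, so a 1..3-digit s2 would
  // yield an invalid key. The original only padded a 3-digit value.
  while Length(s2) < 4 do
    s2 := '0' + s2;

  // --- check 1 over s3 = name + s2, initial value 0x4DE = 1246:
  //     per position i (1-based): (i-1)*m + ord(c)*(m+i-1) + (i-1)^2
  s3 := s1 + s2;
  m := Length(s3);
  n := 1246;
  for i := 1 to m do
  begin
    cv := Ord(s3[i]);
    n := n + (i - 1) * m + cv * (m + i - 1) + (i - 1) * (i - 1);
  end;
  n := n mod 10000;
  if n < 1000 then
    n := n + 6000;   // cmp ebx,3E8 / add ebx,1770 at 0045D2C1..0045D2C9

  Result := IntToStr(n) + s2;
end;

// Button handler: user name in Edit1, computed code into Edit2.
procedure TForm1.Button1Click(Sender: TObject);
begin
  Edit2.Text := LianzhongKey(Edit1.Text);
end;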
//------------------------------------------------------------
//边锋部分注册机程序
//------------------------------------------------------------
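// Bianfeng keygen: same structure as the Lianzhong one, different constants.
//   s2   = (sum ord(c[i]) * (i + 255)) mod 10000   -- no "+ i" term
//   LEFT = checksum of name + s2 starting at 3210, mod 100000 (5 digits),
//          values below 10000 bumped by 80000, so the code is 5 + 4 digits.
// NOTE: the post's author did not verify this part against the Bianfeng
// binary; the constants are carried over from the post as-is.
function BianfengKey(const UserName: string): string;
var
  s1, s2, s3: string;
  m, n, i, cv: Integer;
begin
  s1 := Trim(UserName);

  // name checksum -> s2
  m := Length(s1);
  n := 0;
  for i := 1 to m do
  begin
    cv := Ord(s1[i]);
    n := n + cv * (i + 255);   // unverified against the Bianfeng binary
  end;
  n := n mod 10000;
  s2 := IntToStr(n);
  // Pad to exactly 4 digits so the code always has a fixed-width tail;
  // the original only padded a 3-digit value.
  while Length(s2) < 4 do
    s2 := '0' + s2;

  // second checksum over name + s2
  s3 := s1 + s2;
  m := Length(s3);
  n := 3210;
  for i := 1 to m do
  begin
    cv := Ord(s3[i]);
    n := n + (i - 1) * m + cv * (m + i - 1) + (i - 1) * (i - 1);
  end;
  n := n mod 100000;
  if n < 10000 then
    n := n + 80000;

  Result := IntToStr(n) + s2;
end;

// Button handler: user name in Edit3, computed code into Edit4.
procedure TForm1.Button3Click(Sender: TObject);
begin
  Edit4.Text := BianfengKey(Edit3.Text);
end;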
========================================================================
随想:能否在它连接联众的代码处下断点,改变流程直接跳到“注册检测2”部分?这样不上网就可以动态调试它的检测部分了,不知是否可行。
有兴趣的朋友还可以试一下爆破,爆破点我已经注明,边锋的类似。
这样就可以给你的所有游戏ID算出注册码了。不知道爆破后是否所有游戏ID都能用,有兴趣的可以试试,我是累了。
- 标 题:社区游戏伴侣 V1.0注册码的计算,注册机 (30千字)
- 作 者:La0Qian
- 时 间:2003-5-9 13:19:25
- 链 接:http://bbs.pediy.com