NS-TOWER

标题：NS-TOWER(上100层)seeker汉化版注册算法分析　
作者：FTBirthday
时间：2003/05/31 10:45pm
链接：http://bbs.pediy.com

作者:FTBirthday
目标:NS-TOWER(上100层)seeker汉化版
描述:未加壳
工具:trw2000,w32dasmgold
下载地址:ftp://172.16.240.6/游戏/是男人就上一百层/HA_NS-TOWER_seekr.rar

运行程序,输入用户名,注册码,
下段点:bpx GetDlgItemTextA
按下确定,中断如下
关键代码如下:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004030BB(C)
|
:00402FC6 6800010000 push 00000100
:00402FCB 8D85FCFDFFFF lea eax, dword ptr [ebp+FFFFFDFC]
:00402FD1 50 push eax

* Possible Reference to Dialog: DialogID_008C, CONTROL_ID:03EB, ""
|
:00402FD2 68EB030000 push 000003EB
:00402FD7 8B4508 mov eax, dword ptr [ebp+08]
:00402FDA 50 push eax

* Reference To: USER32.GetDlgItemTextA, Ord:00EFh
------读注册码 |
:00402FDB FF1578F34000 Call dword ptr [0040F378]
:00402FE1 8D85FCFDFFFF lea eax, dword ptr [ebp+FFFFFDFC]
:00402FE7 50 push eax
:00402FE8 E8C0010000 call 004031AD ------处理注册码
:00402FED 83C404 add esp, 00000004
:00402FF0 85C0 test eax, eax
:00402FF2 0F8537000000 jne 0040302F ------必须跳过否则失败
:00402FF8 6800010000 push 00000100
:00402FFD 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC]
:00403003 50 push eax

* Possible Reference to String Resource ID=00004: "鑼?"
|
:00403004 6A04 push 00000004
:00403006 A198D24000 mov eax, dword ptr [0040D298]
:0040300B 50 push eax

* Reference To: USER32.LoadStringA, Ord:0186h
|
:0040300C FF15BCF34000 Call dword ptr [0040F3BC]

* Possible Reference to String Resource ID=00016: "俓(&P)"
|
:00403012 6A10 push 00000010

* Possible StringData Ref from Data Obj ->"NS-TOWER"
|
:00403014 686CC24000 push 0040C26C
:00403019 8D85FCFEFFFF lea eax, dword ptr [ebp+FFFFFEFC]
:0040301F 50 push eax
:00403020 8B4508 mov eax, dword ptr [ebp+08]
:00403023 50 push eax

* Reference To: USER32.MessageBoxA, Ord:0197h
------失败提示框 |
:00403024 FF15B8F34000 Call dword ptr [0040F3B8]
:0040302A E941000000 jmp 00403070

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FF2(C)
|
:0040302F 6800010000 push 00000100
:00403034 8B45FC mov eax, dword ptr [ebp-04]
:00403037 83C010 add eax, 00000010
:0040303A 50 push eax

* Possible Reference to Dialog: DialogID_008A, CONTROL_ID:03EA, ""
|
:0040303B 68EA030000 push 000003EA
:00403040 8B4508 mov eax, dword ptr [ebp+08]
:00403043 50 push eax

* Reference To: USER32.GetDlgItemTextA, Ord:00EFh-----读取用户名
|
:00403044 FF1578F34000 Call dword ptr [0040F378]
:0040304A 6A08 push 00000008
:0040304C 8B45FC mov eax, dword ptr [ebp-04]
:0040304F 0510010000 add eax, 00000110
:00403054 50 push eax

* Possible Reference to Dialog: DialogID_008C, CONTROL_ID:03EB, ""
|
:00403055 68EB030000 push 000003EB
:0040305A 8B4508 mov eax, dword ptr [ebp+08]
:0040305D 50 push eax

* Reference To: USER32.GetDlgItemTextA, Ord:00EFh
|
:0040305E FF1578F34000 Call dword ptr [0040F378]
:00403064 6A00 push 00000000
:00403066 8B4508 mov eax, dword ptr [ebp+08]
:00403069 50 push eax

* Reference To: USER32.EndDialog, Ord:00AFh
|
:0040306A FF157CF34000 Call dword ptr [0040F37C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040302A(U)
|

* Possible Reference to String Resource ID=00001: "NS-TOWER"
|
:00403070 B801000000 mov eax, 00000001
:00403075 E9B5000000 jmp 0040312F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004030C8(C)
|
:0040307A 6A00 push 00000000
:0040307C 8B4508 mov eax, dword ptr [ebp+08]
:0040307F 50 push eax

* Reference To: USER32.EndDialog, Ord:00AFh
|
:00403080 FF157CF34000 Call dword ptr [0040F37C]

* Possible Reference to String Resource ID=00001: "NS-TOWER"
|
:00403086 B801000000 mov eax, 00000001
:0040308B E99F000000 jmp 0040312F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004030D8(C)
|
:00403090 6A00 push 00000000
:00403092 6A08 push 00000008

* Possible StringData Ref from Data Obj ->"NSTOWER.HLP"
|
:00403094 6878C24000 push 0040C278
:00403099 8B45FC mov eax, dword ptr [ebp-04]
:0040309C 8B00 mov eax, dword ptr [eax]
:0040309E 50 push eax

* Reference To: USER32.WinHelpA, Ord:0266h
|
:0040309F FF1584F34000 Call dword ptr [0040F384]

* Possible Reference to String Resource ID=00001: "NS-TOWER"
|
:004030A5 B801000000 mov eax, 00000001
:004030AA E980000000 jmp 0040312F
:004030AF E92F000000 jmp 004030E3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FC1(U)
|
:004030B4 83BDF4FDFFFF01 cmp dword ptr [ebp+FFFFFDF4], 00000001
:004030BB 0F8405FFFFFF je 00402FC6
:004030C1 83BDF4FDFFFF02 cmp dword ptr [ebp+FFFFFDF4], 00000002
:004030C8 0F84ACFFFFFF je 0040307A
:004030CE 81BDF4FDFFFFE8030000 cmp dword ptr [ebp+FFFFFDF4], 000003E8
:004030D8 0F84B2FFFFFF je 00403090
:004030DE E900000000 jmp 004030E3

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004030AF(U), :004030DE(U)
|
:004030E3 E940000000 jmp 00403128

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040310D(C)
|
:004030E8 8B4508 mov eax, dword ptr [ebp+08]
:004030EB 50 push eax
:004030EC E845000000 call 00403136
:004030F1 83C404 add esp, 00000004

* Possible Reference to String Resource ID=00001: "NS-TOWER"
|
:004030F4 B801000000 mov eax, 00000001
:004030F9 E931000000 jmp 0040312F
:004030FE E925000000 jmp 00403128

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FAE(U)
|
:00403103 81BDF8FDFFFF10010000 cmp dword ptr [ebp+FFFFFDF8], 00000110
:0040310D 0F84D5FFFFFF je 004030E8
:00403113 81BDF8FDFFFF11010000 cmp dword ptr [ebp+FFFFFDF8], 00000111
:0040311D 0F8490FEFFFF je 00402FB3
:00403123 E900000000 jmp 00403128

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004030E3(U), :004030FE(U), :00403123(U)
|
:00403128 33C0 xor eax, eax
:0040312A E900000000 jmp 0040312F

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403075(U), :0040308B(U), :004030AA(U), :004030F9(U), :0040312A(U)
|
:0040312F 5F pop edi
:00403130 5E pop esi
:00403131 5B pop ebx
:00403132 C9 leave
:00403133 C21000 ret 001
----------------------------------------------------------------------------
----------------------------------------------------------------------------
详细分析如下:
----------------------------------------------------------------------------
----------------------------------------------------------------------------
进入处理注册码的call 004031AD
* Referenced by a CALL at Addresses:
|:004021FF , :0040272A , :00402FE8
|
:004031AD 55 push ebp
:004031AE 8BEC mov ebp, esp
:004031B0 83EC04 sub esp, 00000004
:004031B3 53 push ebx
:004031B4 56 push esi
:004031B5 57 push edi
:004031B6 8B4508 mov eax, dword ptr [ebp+08]
:004031B9 33C9 xor ecx, ecx
:004031BB 8A4807 mov cl, byte ptr [eax+07]
:004031BE 85C9 test ecx, ecx ------注册码必须为7位
:004031C0 0F8407000000 je 004031CD
:004031C6 33C0 xor eax, eax
:004031C8 E945010000 jmp 00403312 -----跳往00403312那就完了

-----je 004031CD------跳过去看看
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004031C0(C)
|
:004031CD C745FC00000000 mov [ebp-04], 00000000 -----[ebp-04]清零
:004031D4 E903000000 jmp 004031DC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040320C(U)
|
:004031D9 FF45FC inc [ebp-04]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004031D4(U)
|
:004031DC 837DFC07 cmp dword ptr [ebp-04], 00000007----[ebp-04]与7比较
:004031E0 0F8D2B000000 jnl 00403211 -------大于7就跳,循环结束
:004031E6 8B45FC mov eax, dword ptr [ebp-04] ----[ebp-04]赋给eax
:004031E9 8B4D08 mov ecx, dword ptr [ebp+08] ----[ebp+08]存有注册码赋给ecx
:004031EC 8A0408 mov al, byte ptr [eax+ecx] ----注册码首字符给al
:004031EF 50 push eax ----eax入栈
:004031F0 E822010000 call 00403317
:004031F5 83C404 add esp, 00000004
:004031F8 33C9 xor ecx, ecx
:004031FA 8AC8 mov cl, al
:004031FC 83F924 cmp ecx, 00000024 -----24 　$
:004031FF 0F8E07000000 jle 0040320C -----小于或等于则跳回继续循环
:00403205 33C0 xor eax, eax
:00403207 E906010000 jmp 00403312 -----跳往00403312那就完了

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004031FF(C)
|
:0040320C E9C8FFFFFF jmp 004031D9 -----跳回继续循环

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004031C8(U), :00403207(U), :00403301(U), :00403306(U), :0040330D(U)
|
:00403312 5F pop edi
:00403313 5E pop esi
:00403314 5B pop ebx
:00403315 C9 leave
:00403316 C3 ret
--------上一个循环结束后,从:004031E0 0F8D2B000000 jnl 00403211跳过来的
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004031E0(C)
|
:00403211 8B4508 mov eax, dword ptr [ebp+08] ----以[ebp+08]处的值作为地址的地方存有注册码,此(作为地址的)值赋给eax
:00403214 8A4005 mov al, byte ptr [eax+05] ----以[eax+05]处的值作为地址的地方的一个字节值赋给al
------注册码第六位进入call 00403317运算,结果放入bl
:00403217 50 push eax ----eax入栈
:00403218 E8FA000000 call 00403317 ----------地址6AF48C处存有注册码mjmABCD
:0040321D 83C404 add esp, 00000004
:00403220 33DB xor ebx, ebx
:00403222 8AD8 mov bl, al
:00403224 8B4508 mov eax, dword ptr [ebp+08] ----以[ebp+08]处的值作为地址的地方存有注册码,此作为地址的值赋给eax
:00403227 8A4002 mov al, byte ptr [eax+02] ----以[eax+05]处的值作为地址的地方的一个字节值赋给al
------注册码第三位进入call 00403317运算,结果放入cl
:0040322A 50 push eax
:0040322B E8E7000000 call 00403317
:00403230 83C404 add esp, 00000004
:00403233 33C9 xor ecx, ecx
:00403235 8AC8 mov cl, al

* Possible Reference to String Resource ID=00036: ","
|
:00403237 BE24000000 mov esi, 00000024
:0040323C 8D44591C lea eax, dword ptr [ecx+2*ebx+1C]
:00403240 99 cdq
-----CDQ 双字扩展. (把EAX中的字的符号扩展到EDX中去)

:00403241 F7FE idiv esi
------IDIV整数除法,以上两条,结果回送:商回送AL,余数回送AH, (字节运算);
或商回送AX,余数回送DX, (字运算). div 源（eax＝eax/源，edx＝余数）

:00403243 8BDA mov ebx, edx
:00403245 8B4508 mov eax, dword ptr [ebp+08]
:00403248 8A00 mov al, byte ptr [eax]
------注册码第一位进入call 00403317运算,结果放入cl
:0040324A 50 push eax
:0040324B E8C7000000 call 00403317
:00403250 83C404 add esp, 00000004
:00403253 33C9 xor ecx, ecx
:00403255 8AC8 mov cl, al
:00403257 3BD9 cmp ebx, ecx -----比较
:00403259 0F85AC000000 jne 0040330B -----失败跳往0040330B把未注册标志位0送入eax
:0040325F 8B4508 mov eax, dword ptr [ebp+08]
:00403262 8A4004 mov al, byte ptr [eax+04]
------注册码第五位进入call 00403317运算,结果放入bl
:00403265 50 push eax
:00403266 E8AC000000 call 00403317
:0040326B 83C404 add esp, 00000004
:0040326E 33DB xor ebx, ebx
:00403270 8AD8 mov bl, al
:00403272 8B4508 mov eax, dword ptr [ebp+08]
:00403275 8A4001 mov al, byte ptr [eax+01]
------注册码第二位进入call 00403317运算,结果放入cl
:00403278 50 push eax
:00403279 E899000000 call 00403317
:0040327E 83C404 add esp, 00000004
:00403281 33C9 xor ecx, ecx
:00403283 8AC8 mov cl, al

* Possible Reference to String Resource ID=00036: ","
|
:00403285 BE24000000 mov esi, 00000024
:0040328A 8D44591C lea eax, dword ptr [ecx+2*ebx+1C]
:0040328E 99 cdq
:0040328F F7FE idiv esi
:00403291 8BDA mov ebx, edx
:00403293 8B4508 mov eax, dword ptr [ebp+08]
:00403296 8A4006 mov al, byte ptr [eax+06]
------注册码第七位进入call 00403317运算,结果放入cl
:00403299 50 push eax
:0040329A E878000000 call 00403317
:0040329F 83C404 add esp, 00000004
:004032A2 33C9 xor ecx, ecx
:004032A4 8AC8 mov cl, al
:004032A6 3BD9 cmp ebx, ecx -----比较
:004032A8 0F855D000000 jne 0040330B -----失败跳往0040330B把未注册标志位0送入eax
:004032AE 8B4508 mov eax, dword ptr [ebp+08]
:004032B1 8A4006 mov al, byte ptr [eax+06]
------注册码第七位进入call 00403317运算,结果放入bl
:004032B4 50 push eax
:004032B5 E85D000000 call 00403317
:004032BA 83C404 add esp, 00000004
:004032BD 33DB xor ebx, ebx
:004032BF 8AD8 mov bl, al
:004032C1 8B4508 mov eax, dword ptr [ebp+08]
:004032C4 8A00 mov al, byte ptr [eax]
------注册码第一位进入call 00403317运算,结果放入cl
:004032C6 50 push eax
:004032C7 E84B000000 call 00403317
:004032CC 83C404 add esp, 00000004
:004032CF 33C9 xor ecx, ecx
:004032D1 8AC8 mov cl, al

* Possible Reference to String Resource ID=00036: ","
|
:004032D3 BE24000000 mov esi, 00000024
:004032D8 8D44591C lea eax, dword ptr [ecx+2*ebx+1C]
:004032DC 99 cdq
:004032DD F7FE idiv esi
:004032DF 8BDA mov ebx, edx
:004032E1 8B4508 mov eax, dword ptr [ebp+08]
:004032E4 8A4003 mov al, byte ptr [eax+03]
------注册码第四位进入call 00403317运算,结果放入cl
:004032E7 50 push eax
:004032E8 E82A000000 call 00403317
:004032ED 83C404 add esp, 00000004
:004032F0 33C9 xor ecx, ecx
:004032F2 8AC8 mov cl, al
:004032F4 3BD9 cmp ebx, ecx -----比较
:004032F6 0F850F000000 jne 0040330B -----失败跳往0040330B把未注册标志位0送入eax

* Possible Reference to String Resource ID=00001: "NS-TOWER"
|
:004032FC B801000000 mov eax, 00000001 -----注册标志位1送入eax
:00403301 E90C000000 jmp 00403312
:00403306 E907000000 jmp 00403312

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403259(C), :004032A8(C), :004032F6(C)
|
:0040330B 33C0 xor eax, eax -----未注册标志位0送入eax
:0040330D E900000000 jmp 00403312

注意有如下三处调用了处理注册码的call 004031AD
* Referenced by a CALL at Addresses:
|:004021FF , :0040272A , :00402FE8
爆破的话只须改三处cmp后的跳转。

来看看三处调用处理注册码的call

* Referenced by a CALL at Addresses:
|:00402F2C , :00403F40 , :00407482 , :004079ED
|
:004021F0 55 push ebp
:004021F1 8BEC mov ebp, esp
:004021F3 53 push ebx
:004021F4 56 push esi
:004021F5 57 push edi
:004021F6 8B4508 mov eax, dword ptr [ebp+08]
:004021F9 0510010000 add eax, 00000110
:004021FE 50 push eax
:004021FF E8A90F0000 call 004031AD -----第一处
:00402204 83C404 add esp, 00000004
:00402207 85C0 test eax, eax -----判断注册标志位
:00402209 0F8428000000 je 00402237

* Reference To: GDI32.SelectObject, Ord:0147h
|
:00402715 FF156CF24000 Call dword ptr [0040F26C]
:0040271B 8985ECFEFFFF mov dword ptr [ebp+FFFFFEEC], eax
:00402721 8B4508 mov eax, dword ptr [ebp+08]
:00402724 0510010000 add eax, 00000110
:00402729 50 push eax
:0040272A E87E0A0000 call 004031AD -----第二处
:0040272F 83C404 add esp, 00000004
:00402732 85C0 test eax, eax -----判断注册标志位
:00402734 0F843A000000 je 00402774

第三处就是一开始那段关键代码
其中前两处是程序在开始运行时进行检测的，第三处是在注册时检测。

----------------------------------------------------------------------------
----------------------------------------------------------------------------
进入处理注册码的call 00403317
* Referenced by a CALL at Addresses:
|:004031F0 , :00403218 , :0040322B , :0040324B , :00403266
|:00403279 , :0040329A , :004032B5 , :004032C7 , :004032E8
|
:00403317 55 push ebp
:00403318 8BEC mov ebp, esp
:0040331A 53 push ebx
:0040331B 56 push esi
:0040331C 57 push edi
:0040331D 33C0 xor eax, eax
:0040331F 8A4508 mov al, byte ptr [ebp+08] ----注册码首字符给al
:00403322 83F861 cmp eax, 00000061 -----和61对应和a比较
:00403325 0F8C0B000000 jl 00403336 -----小于则跳往00403336
:0040332B 33C0 xor eax, eax
:0040332D 8A4508 mov al, byte ptr [ebp+08]
:00403330 83E820 sub eax, 00000020 -----小写字母转换成大写
:00403333 884508 mov byte ptr [ebp+08], al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403325(C)
|-------到这里注册码中的小写字母全被转换成大写了
:00403336 33C0 xor eax, eax
:00403338 8A4508 mov al, byte ptr [ebp+08]-----注册码首字符给al
:0040333B 83F841 cmp eax, 00000041 -----和41对应和A比较
:0040333E 0F8C0B000000 jl 0040334F -----小于则跳往0040334F
:00403344 33C0 xor eax, eax
:00403346 8A4508 mov al, byte ptr [ebp+08]
:00403349 83E807 sub eax, 00000007
:0040334C 884508 mov byte ptr [ebp+08], al

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040333E(C)
|
:0040334F 33C0 xor eax, eax
:00403351 8A4508 mov al, byte ptr [ebp+08]
:00403354 83E830 sub eax, 00000030
:00403357 E900000000 jmp 0040335C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403357(U)
|
:0040335C 5F pop edi
:0040335D 5E pop esi
:0040335E 5B pop ebx
:0040335F C9 leave
:00403360 C3 ret

----call 00403317的处理过程如下:
serials[*]=注册码字符;
if(serials[*]>='a')
{serials[*]=serials[*]-20};
elseif('A'<=serials[*]<='a')
{serials[*]=serials[*]-07-30};
else {serials[*]=serials[*]-30};
----------------------------------------------------------------------------
----------------------------------------------------------------------------
注册机制总结:
注册码与用户名无关,注册码为7位
令注册码为字符数组serials[7],call 00403317为函数f(x)
检测过程为:
x1=f(serials[2])+2*f(serials[5])+1C
y1=x1%24(hex)
z1=f(serials[0])
if(y1=z1)

x2=f(serials[1])+2*f(serials[4])+1C
y2=x2%24(hex)
z2=f(serials[6])
if(y2=z2)

x3=f(serials[0])+2*f(serials[6])+1C
y3=x3%24(hex)
z3=f(serials[3])
if(y3=z3)

只要满足这三组条件,就是正确的注册码.
相当于解方程组七元三次方程组.
设七位注册码字符对应的ASCII码十进制数为:
a0 b0 c0 d0 e0 f0 g0
首先通过call 00403317的处理得
a1 b1 c1 d1 e1 f1 g1且都须<=24(hex)/36(dec)
然后代入如下七元三次方程组解出注册码.
用十进制算
a1=(c1+2*f1+28)%36
g1=(b1+2*e1+28)%36
d1=(a1+2*g1+28)%36
_____________________________________________________
631 527 714
由于我最近很忙,注册机就不写了,找出一个注册码看看
下式满足条件
30=(10+2*32+28)%36
30=(10+2*32+28)%36
10=(30+2*30+28)%36
可得出a1=30,b1=10,c1=10,d1=10,e1=32,f1=32,g1=30
由call 00403317的逆运算可得.(都是十进制)
a0=85,b0=5,c0=58,d0=58,e0=87,f0=87,g0=85
对应ASCII为 U : : : W W U
一个注册码为U:::WWU,用户名任意.
如有错误,敬请指正!!!!
_______________________________________________________