教菜鸟写注册机——中级篇
上次那篇破文(不是破解文章,是破烂文章)丢了,我补在这贴的后面。这次说是中级,其实只难了一点点而已,cmp You,高手 jz offset NextPage。
好了,再来一篇。还是那个系列的: 点击此处本地下载。
运行一下,呵呵,外观一模一样。反汇编,前面的部分几乎完全一样,GetDlgItem,GetWindowText,我都不写了,直接看下面,注意[ebp-2C]是用户名的长度。(可以先跳过去看后面的说明。)
代码:
:004010ED 837DD403 cmp dword ptr [ebp-2C], 00000003 :004010F1 0F8E38010000 jle 0040122F ;用户名必须大于3位 :004010F7 33D2 xor edx, edx :004010F9 33DB xor ebx, ebx :004010FB 8B55D4 mov edx, dword ptr [ebp-2C] :004010FE 0155C4 add dword ptr [ebp-3C], edx :00401101 0155C4 add dword ptr [ebp-3C], edx ;算出[EBP-3C] :00401104 8BC2 mov eax, edx :00401106 83C005 add eax, 00000005 :00401109 8945B8 mov dword ptr [ebp-48], eax ;算出[EBP-48] :0040110C 33C0 xor eax, eax :0040110E 8BCF mov ecx, edi :00401110 83C104 add ecx, 00000004 :00401113 894DB4 mov dword ptr [ebp-4C], ecx ;算出[EBP-4C] :00401116 33C9 xor ecx, ecx :00401118 0155BC add dword ptr [ebp-44], edx :0040111B 017DBC add dword ptr [ebp-44], edi ;算出[EBP-44] :0040111E 6BFF03 imul edi, 00000003 :00401121 897DC0 mov dword ptr [ebp-40], edi ;算出[EBP-40] :00401124 33FF xor edi, edi :00401126 0FBE8C0544FFFFFF movsx ecx, byte ptr [ebp+eax-000000BC] :0040112E 83F961 cmp ecx, 00000061 :00401131 7C07 jl 0040113A :00401133 90 nop :00401134 90 nop :00401135 90 nop :00401136 90 nop :00401137 83E920 sub ecx, 00000020 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00401131(C) | :0040113A 8BF1 mov esi, ecx :0040113C 03DE add ebx, esi :0040113E 0FAFD9 imul ebx, ecx :00401141 4A dec edx * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00401178(C) | :00401142 0FBE8C2F44FFFFFF movsx ecx, byte ptr [edi+ebp-000000BC] :0040114A 0FBEB42F45FFFFFF movsx esi, byte ptr [edi+ebp-000000BB] :00401152 83F961 cmp ecx, 00000061 :00401155 7D12 jge 00401169 :00401157 90 nop :00401158 90 nop :00401159 90 nop :0040115A 90 nop * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040116C(U) | :0040115B 83FE61 cmp esi, 00000061 :0040115E 7D0E jge 0040116E :00401160 90 nop :00401161 90 nop :00401162 90 nop :00401163 90 nop :00401164 EB0B jmp 00401171 :00401166 90 nop :00401167 90 nop :00401168 90 nop * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00401155(C) | :00401169 83E920 sub ecx, 00000020 :0040116C EBED jmp 0040115B * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040115E(C) | :0040116E 83EE20 sub esi, 00000020 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00401164(U) | :00401171 47 inc edi :00401172 03DE add ebx, esi :00401174 0FAFD9 imul ebx, ecx :00401177 4A dec edx :00401178 75C8 jne 00401142 :0040117A 895DC8 mov dword ptr [ebp-38], ebx ;算出[EBP-38] :0040117D 33C9 xor ecx, ecx :0040117F 33D2 xor edx, edx :00401181 33DB xor ebx, ebx :00401183 33C0 xor eax, eax :00401185 837DD432 cmp dword ptr [ebp-2C], 00000032 :00401189 0F8DA0000000 jnl 0040122F * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040119F(C) | :0040118F 0FBE840D44FFFFFF movsx eax, byte ptr [ebp+ecx-000000BC] :00401197 03C1 add eax, ecx :00401199 03D8 add ebx, eax :0040119B 41 inc ecx :0040119C 3B4DD4 cmp ecx, dword ptr [ebp-2C] :0040119F 75EE jne 0040118F :004011A1 D1C0 rol eax, 1 :004011A3 3540E20100 xor eax, 0001E240 :004011A8 8945B0 mov dword ptr [ebp-50], eax ;算出[EBP-50] :004011AB 33C9 xor ecx, ecx :004011AD 33D2 xor edx, edx :004011AF 33DB xor ebx, ebx :004011B1 33C0 xor eax, eax * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004011C6(C) | :004011B3 0FBE840D44FFFFFF movsx eax, byte ptr [ebp+ecx-000000BC] :004011BB 6BD006 imul edx, eax, 00000006 :004011BE 33C2 xor eax, edx :004011C0 03D8 add ebx, eax :004011C2 41 inc ecx :004011C3 3B4DD4 cmp ecx, dword ptr [ebp-2C] :004011C6 75EB jne 004011B3 :004011C8 035DB0 add ebx, dword ptr [ebp-50] :004011CB 895DAC mov dword ptr [ebp-54], ebx ;算出[EBP-54] :004011CE FF75C0 push [ebp-40] :004011D1 FF75C4 push [ebp-3C] :004011D4 FF75BC push [ebp-44] :004011D7 FF75C8 push [ebp-38] :004011DA FF75B4 push [ebp-4C] :004011DD FF75B8 push [ebp-48] :004011E0 FF75AC push [ebp-54] :004011E3 FF75B0 push [ebp-50] * Possible StringData Ref from Data Obj ->"%lX%lu-%lu%lX-%lu%lu-%lX%lX" | :004011E6 6838B44000 push 0040B438 :004011EB 8D857CFEFFFF lea eax, dword ptr [ebp+FFFFFE7C] :004011F1 50 push eax :004011F2 E88D3D0000 call 00404F84 ;wsprinf() :004011F7 83C428 add esp, 00000028 :004011FA 8D957CFEFFFF lea edx, dword ptr [ebp+FFFFFE7C] :00401200 52 push edx :00401201 8D8DE0FEFFFF lea ecx, dword ptr [ebp+FFFFFEE0] :00401207 51 push ecx * Reference To: KERNEL32.lstrcmpA, Ord:0000h | :00401208 E8399C0000 Call 0040AE46 ;比较 :0040120D 85C0 test eax, eax :0040120F 750F jne 00401220 ;关键跳转
用我上篇文章介绍的方法找串式参考,然后向上找关键跳转。具体过程不说了,看看你是不是找的到。对了,就是40120F这个地方了。向上看看,有一个lstrcmp,上次已经说了,这个就是字符串比较。可以看到它的前面有两个PUSH作为比较的字符串,在这里下断点,看看两个字串是什么?D ecx,是我们输入的假注册码,D edx,是一个长长的字符串,当然就是真正的注册码啦。嗯,再向上看这个注册码是咋来的:
代码:
:004011CE FF75C0 push [ebp-40] :004011D1 FF75C4 push [ebp-3C] :004011D4 FF75BC push [ebp-44] :004011D7 FF75C8 push [ebp-38] :004011DA FF75B4 push [ebp-4C] :004011DD FF75B8 push [ebp-48] :004011E0 FF75AC push [ebp-54] :004011E3 FF75B0 push [ebp-50] * Possible StringData Ref from Data Obj ->"%lX%lu-%lu%lX-%lu%lu-%lX%lX" | :004011E6 6838B44000 push 0040B438 :004011EB 8D857CFEFFFF lea eax, dword ptr [ebp+FFFFFE7C] :004011F1 50 push eax ;结果存在[ebp+FFFFFE7C] :004011F2 E88D3D0000 call 00404F84 ;这个CALL其实是wsprinf :004011F7 83C428 add esp, 00000028
呵呵,一个"%lX%lu-%lu%lX-%lu%lu-%lX%lX"。还记得上次的例子吗,那回是一个"%lX",这回复杂了一些哟。别担心,还是很简单的。上次说了,"%lX"是十六进制的大写形式,那么"%lu"呢,就是普通的十进制形式啦。再看前面PUSH进了一堆参数,这些[ebp-xx]的形式都是函数里面的局部变量,在这里把它们以不同的形式表示出来再组合好,就是真正的注册码了。下一步的目标,当然就是看这8个变量是如何计算出的啦。记住这几个变量都是什么.从头看:
代码:
:004010FB 8B55D4 mov edx, dword ptr [ebp-2C] ;edx=[ebp-2C]是用户名的长度n :004010FE 0155C4 add dword ptr [ebp-3C], edx ;[ebp-3C]可是一个重要变量, :00401101 0155C4 add dword ptr [ebp-3C], edx ;[ebp-3C]=2n,看出来没有 :00401104 8BC2 mov eax, edx :00401106 83C005 add eax, 00000005 :00401109 8945B8 mov dword ptr [ebp-48], eax ;[ebp-48]=n+5,也是一个重要变量 :0040110C 33C0 xor eax, eax :0040110E 8BCF mov ecx, edi ;edi是一个常数64F4F0 :00401110 83C104 add ecx, 00000004 :00401113 894DB4 mov dword ptr [ebp-4C], ecx ;[ebp-4C]=64f4f4 :00401116 33C9 xor ecx, ecx :00401118 0155BC add dword ptr [ebp-44], edx :0040111B 017DBC add dword ptr [ebp-44], edi ;[ebp-44]=64f4f0+n :0040111E 6BFF03 imul edi, 00000003 :00401121 897DC0 mov dword ptr [ebp-40], edi ;[ebp-40]=64f4f0*3
这几个计算都比较简单的,有5个变量已经被搞定了。其中那个EDI我实在没看明白和我们的输入有什么关系,我改动用户名和注册码它也不会变化,因此我认为这是一个常量,如果不对请高手指正。
代码:
:00401126 0FBE8C0544FFFFFF movsx ecx, byte ptr [ebp+eax-BC];[EBP-BC]是用户名,EAX作为指针 :0040112E 83F961 cmp ecx, 00000061 :00401131 7C07 jl 0040113A ;如果小于61即'a'就跳转 :00401137 83E920 sub ecx, 00000020 ;如果大于就减20,对于字母来说是小写转大写 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00401131(C) | :0040113A 8BF1 mov esi, ecx ;ECX为用户名第一个字符 :0040113C 03DE add ebx, esi ;EBX=ECX :0040113E 0FAFD9 imul ebx, ecx ;实际上EBX=ECX*ECX :00401141 4A dec edx ;EDX为循环变量减1 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00401178(C) | :00401142 0FBE8C2F44FFFFFF movsx ecx, byte ptr [edi+ebp-000000BC];前一个字符 :0040114A 0FBEB42F45FFFFFF movsx esi, byte ptr [edi+ebp-000000BB];后一个字符 ;EDI也是控制取字符的指针,这里相当于每次取出两个字符,前一个放在ECX,后一个放在ESI :00401152 83F961 cmp ecx, 00000061 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040116C(U) | :0040115B 83FE61 cmp esi, 00000061 :0040115E 7D0E jge 0040116E ;这里对字符进行同样的转换 :00401164 EB0B jmp 00401171 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00401155(C) | :00401169 83E920 sub ecx, 00000020 :0040116C EBED jmp 0040115B * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040115E(C) | :0040116E 83EE20 sub esi, 00000020 :00401171 47 inc edi ;EDI这个指针+1 :00401172 03DE add ebx, esi ;EBX是累加的结果,再加上后一个字符 :00401174 0FAFD9 imul ebx, ecx ;再乘上前一个字符 :00401177 4A dec edx :00401178 75C8 jne 00401142 ;是否取完? :0040117A 895DC8 mov dword ptr [ebp-38], ebx ;累加结果存在[ebp-38]
这段麻烦一些,看不明白的话看我的注册机代码就清楚了.
![](images/smilies/smile.gif)
代码:
:0040118F 0FBE840D44FFFFFF movsx eax, byte ptr [ebp+ecx-000000BC];循环取字符 :00401197 03C1 add eax, ecx ;EAX=每位字符+ECX :00401199 03D8 add ebx, eax ;累加到EBX :0040119B 41 inc ecx ;循环变量递增 :0040119C 3B4DD4 cmp ecx, dword ptr [ebp-2C] :0040119F 75EE jne 0040118F ;如果未取完则继续 :004011A1 D1C0 rol eax, 1 ;EAX左移1位 :004011A3 3540E20100 xor eax, 0001E240 ;EAX XOR 1E240 :004011A8 8945B0 mov dword ptr [ebp-50], eax
相信你已经对这个形式很熟悉了吧,[EBP-BC]这是用户名,然后用一个ECX循环递增来取每个字符,再看看:add eax,ecx / add ebx,eax 好像是把每位字符的值再和字符的位置(ECX)累加起来的,呵呵,作者开了个小玩笑。看看下面的操作,都是对EAX进行的,可是累加的结果是放在EBX中呀,其实EAX是用户名的最后一个字符加上用户的长度。要说下的是ROL,这个本来是“滚动”,但因为EAX肯定很小,最高位为0,所以在注册机中我简单的用左移SHL代替了。计算结果放在[ebp-50]。
代码:
:004011B3 0FBE840D44FFFFFF movsx eax, byte ptr [ebp+ecx-000000BC] :004011BB 6BD006 imul edx, eax, 00000006 :004011BE 33C2 xor eax, edx :004011C0 03D8 add ebx, eax :004011C2 41 inc ecx :004011C3 3B4DD4 cmp ecx, dword ptr [ebp-2C] :004011C6 75EB jne 004011B3 :004011C8 035DB0 add ebx, dword ptr [ebp-50] :004011CB 895DAC mov dword ptr [ebp-54], ebx
这一段不写说明了,当作测验,应该看懂了吧,算出结果放在[ebp-54]。
至此八个变量都出来了,注册机也容易了吧。
代码:
#include <string.h> #include <stdio.h> #include <stdlib.h> void main() { int len,i; int EBP_40,EBP_3C,EBP_44,EBP_38,EBP_4C,EBP_48,EBP_54,EBP_50; int EDI=0x64F4F0; char name[50]={0}; printf("Please input your name:"); scanf("%s",name); len=strlen(name); EBP_3C=len*2; EBP_48=len+5; EBP_4C=EDI+4; EBP_44=EDI+len; EBP_40=EDI*3; EBP_50=((len-1+name[len-1])<<1); EBP_50^=0x1E240; EBP_54=0; for (i=0;i<len;i++) EBP_54+=((name[i]*6)^name[i]); EBP_54+=EBP_50; for (i=0;i<len;i++) if (name[i]>='a') name[i]-=0x20; EBP_38=name[0]*name[0]; for (i=1;i<len;i++) EBP_38=(EBP_38+name[i])*name[i-1]; printf("Your password is: %lX%lu-%lu%lX-%lu%lu-%lX%lX\n", EBP_50,EBP_54,EBP_48,EBP_4C,EBP_38,EBP_44,EBP_3C,EBP_40); printf("KeyGen by RoBa Enjoy Cracking!\n"); }
一个可用的注册码:
Name: RoBa
Serial: 1E288125744-964F4F4-29089574586616308-812EDED0