【原创】《不准玩游戏2005》算法分析及注册机从头说起(新增去暗桩分析)
-------手把手系列之八
【破解作者】 jackily
【作者邮箱】 jackily_zhang@msn.com
【作者主页】 http://estudy.ys168.com
【使用工具】 ollydbg、DeDe
【破解平台】 Win9x/NT/2000/XP
【软件简介】 《不准玩游戏》,一款全能的控制游戏使用的软件。有效控制孩子的游戏时间,防止孩子痴迷游戏,请使用这款软件。限制玩游戏,可以设置需要限制玩的游戏和禁玩时间段,以及自定义限制某游戏。并具有纪录功能,在开启服务的情况下,纪录下使用者玩了哪些游戏。适用于家庭、办公室、网吧等场所。适合所有操作系统。界面豪华、操作简单。
安全性极高,较难被解除禁止,可放心地用于安全性要求较高的场所。(这一点不敢苟同,文中“关于程序启动密码的
安全性问题”有分析)
【加壳方式】 不知名壳,pedi查“什么都没找着 *”
【破解声明】 本破解纯以学习和交流为目的,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
查壳,发现“什么都没找着 *”。只好手动脱壳了。用ollydbg加载,停在004E60000处,小心的跟踪如下:
004E6000 n> 9C pushfd
004E6001 E8 00000000 call nogame.004E6006
004E6006 5D pop ebp
004E6007 8BD5 mov edx,ebp
004E6009 81ED C62B4000 sub ebp,nogame.00402BC6
004E600F 2B95 61344000 sub edx,dword ptr ss:[ebp+403461]
004E6015 81EA 06000000 sub edx,6
004E601B 8995 65344000 mov dword ptr ss:[ebp+403465],edx
004E6021 83BD 69344000 00 cmp dword ptr ss:[ebp+403469],0
004E6028 0F85 BC030000 jnz nogame.004E63EA
004E602E C785 69344000 01000000 mov dword ptr ss:[ebp+403469],1
004E6038 B9 88070000 mov ecx,788
004E603D 8DB5 182C4000 lea esi,dword ptr ss:[ebp+402C18]
004E6043 8A85 60344000 mov al,byte ptr ss:[ebp+403460]
004E6049 8A1E mov bl,byte ptr ds:[esi]
004E604B 32C3 xor al,bl
004E604D 8806 mov byte ptr ds:[esi],al
004E604F 889D 60344000 mov byte ptr ss:[ebp+403460],bl
-------------------------------------------------------------------
004E6055 46 inc esi ;下断,F9
004E6056 ^ E2 EB loopd short nogame.004E6043
004E6058 ^ E1 B9 loopde short nogame.004E6013
004E605A 4F dec edi
004E605B 8B8A FEF979CC mov ecx,dword ptr ds:[edx+CC79F9FE]
004E6061 1B3474 sbb esi,dword ptr ss:[esp+esi*2]
004E6064 - 74 8B je short nogame.004E5FF1
-------------------------------------------------------
结果为:
004E6055 46 inc esi ; nogame.004E6058
004E6056 ^ E2 EB loopd short nogame.004E6043
004E6058 9C pushfd ;下第二断点,F9
004E6059 B9 4F8B8AFE mov ecx,FE8A8B4F
004E605E F9 stc
004E605F ^ 79 CC jns short nogame.004E602D
--------------------------------------------------------------
结果此处代码释放完毕。
004E6055 46 inc esi
004E6056 ^ E2 EB loopd short nogame.004E6043
004E6058 9C pushfd
004E6059 58 pop eax
004E605A F6C4 01 test ah,1
004E605D 74 07 je short nogame.004E6066
004E605F 80B5 D72F4000 FF xor byte ptr ss:[ebp+402FD7],0FF
......
一直跟踪至004E63DC,下断,15次F9,然后F8跟过,跳至004E6292.
004E63DC 83C6 14 add esi,14
004E63DF 8B95 65344000 mov edx,dword ptr ss:[ebp+403465]
004E63E5 ^ E9 A8FEFFFF jmp nogame.004E6292
-----------------------------------------------
004E6292 8B46 0C mov eax,dword ptr ds:[esi+C]
004E6295 0BC0 or eax,eax
004E6297 0F84 65010000 je nogame.004E6402 ;又跳走
----------------------------------------------
004E6402 8B95 65344000 mov edx,dword ptr ss:[ebp+403465] ; nogame.00400000
004E6408 8B85 ED314000 mov eax,dword ptr ss:[ebp+4031ED]
004E640E 03C2 add eax,edx
004E6410 894424 1C mov dword ptr ss:[esp+1C],eax
004E6414 61 popad
004E6415 50 push eax
004E6416 C3 retn ;关键,返回正常代码。
---------------------------------------------------------------------
真正的入口,但此处用花指令加了密,需用Ctr+A重新分析一下。
004AEE48 /. 55 push ebp ; ntdll.77FC4D80
004AEE49 |. 8BEC mov ebp,esp
004AEE4B |. 83C4 D4 add esp,-2C
004AEE4E |. 53 push ebx
004AEE4F |. 56 push esi
004AEE50 |. 33C0 xor eax,eax
004AEE52 |. 8945 DC mov dword ptr ss:[ebp-24],eax
004AEE55 |. 8945 E0 mov dword ptr ss:[ebp-20],eax
004AEE58 |. 8945 E4 mov dword ptr ss:[ebp-1C],eax
004AEE5B |. 8945 E8 mov dword ptr ss:[ebp-18],eax
004AEE5E |. 8945 EC mov dword ptr ss:[ebp-14],eax
004AEE61 |. B8 E8EB4A00 mov eax,nogame.004AEBE8
004AEE66 |. E8 F579F5FF call nogame.00406860
004AEE6B |. 8B35 80164B00 mov esi,dword ptr ds:[4B1680] ; nogame.004B2C30
004AEE71 |. 33C0 xor eax,eax
004AEE73 |. 55 push ebp
004AEE74 |. 68 EDEF4A00 push nogame.004AEFED
004AEE79 |. 64:FF30 push dword ptr fs:[eax]
004AEE7C |. 64:8920 mov dword ptr fs:[eax],esp
004AEE7F |. 8B06 mov eax,dword ptr ds:[esi]
用ollydump插件dump,OEP为004AEE48。但此时IAT还需修复。退出ollydbg,用RECImport载入未脱壳的程序,填入OEP,即004AEE48,点“IAT
自动搜索”,点“获取输入信息”,最后“修理抓取文件”。此时弹出一对话框,选取已经脱壳的程序,修复完毕。
--------------------------------------------------------------------
用PEID再查,为“Delphi 5.0-6.0”。加载DeDe,处理,点过程,在TForm6中发现注册码输入部分,如下:
004AC9CC 55 push ebp
004AC9CD 8BEC mov ebp, esp
004AC9CF 33C9 xor ecx, ecx
004AC9D1 51 push ecx
004AC9D2 51 push ecx
004AC9D3 51 push ecx
004AC9D4 51 push ecx
004AC9D5 51 push ecx
004AC9D6 51 push ecx
004AC9D7 53 push ebx
004AC9D8 56 push esi
004AC9D9 8BD8 mov ebx, eax
004AC9DB 33C0 xor eax, eax
004AC9DD 55 push ebp
* Possible String Reference to: '镾s?胨^[嬪]?
|
004AC9DE 6820CB4A00 push $004ACB20
***** TRY
|
004AC9E3 64FF30 push dword ptr fs:[eax]
004AC9E6 648920 mov fs:[eax], esp
004AC9E9 8D55FC lea edx, [ebp-$04]
* Reference to control TForm6.Edit2 : TEdit
|
004AC9EC 8B83FC020000 mov eax, [ebx+$02FC]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004AC9F2 E88964F9FF call 00442E80 ; 取用户名
004AC9F7 837DFC00 cmp dword ptr [ebp-$04], +$00 ;相等,则没输入名字
004AC9FB 751E jnz 004ACA1B ;不等,继续下一步
004AC9FD 6A40 push $40
004AC9FF 6830CB4A00 push $004ACB30
* Possible String Reference to: '请输入您的注册名'
|
004ACA04 6834CB4A00 push $004ACB34
004ACA09 8BC3 mov eax, ebx
* Reference to: Controls.TWinControl.GetHandle(TWinControl):HWND;
|
004ACA0B E81CCCF9FF call 0044962C
004ACA10 50 push eax
* Reference to: ?MessageBoxA()
|
004ACA11 E86AA8F5FF call 00407280
004ACA16 E9CA000000 jmp 004ACAE5
004ACA1B 8D55F8 lea edx, [ebp-$08]
* Reference to control TForm6.Edit1 : TEdit
|
004ACA1E 8B83F4020000 mov eax, [ebx+$02F4]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004ACA24 E85764F9FF call 00442E80 ;取注册码
004ACA29 837DF800 cmp dword ptr [ebp-$08], +$00 ;;相等,则没输入名字
004ACA2D 751E jnz 004ACA4D ;不等,继续下一步
004ACA2F 6A40 push $40
004ACA31 6830CB4A00 push $004ACB30
* Possible String Reference to: '请输入您的注册名码'
|
004ACA36 6848CB4A00 push $004ACB48
004ACA3B 8BC3 mov eax, ebx
* Reference to: Controls.TWinControl.GetHandle(TWinControl):HWND;
|
004ACA3D E8EACBF9FF call 0044962C
004ACA42 50 push eax
* Reference to: ?MessageBoxA()
|
004ACA43 E838A8F5FF call 00407280
004ACA48 E998000000 jmp 004ACAE5
004ACA4D B201 mov dl, $01
* Reference to class TRegistry ;以下为将姓名和注册码写入注册表\SOFTWARE\ExeSoft\NoGame中
|
004ACA4F A1C0B24600 mov eax, dword ptr [$0046B2C0]
* Reference to: Unit_0046B260.Proc_0046B3C0
|
004ACA54 E867E9FBFF call 0046B3C0
004ACA59 8BF0 mov esi, eax
004ACA5B BA02000080 mov edx, $80000002
004ACA60 8BC6 mov eax, esi
* Reference to: Unit_0046B260.Proc_0046B460
|
004ACA62 E8F9E9FBFF call 0046B460
004ACA67 B101 mov cl, $01
* Possible String Reference to: '\SOFTWARE\ExeSoft\NoGame'
|
004ACA69 BA64CB4A00 mov edx, $004ACB64
004ACA6E 8BC6 mov eax, esi
* Reference to: Unit_0046B260.Proc_0046B4C4
|
004ACA70 E84FEAFBFF call 0046B4C4
004ACA75 8D55F0 lea edx, [ebp-$10]
* Reference to control TForm6.Edit2 : TEdit
|
004ACA78 8B83FC020000 mov eax, [ebx+$02FC]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004ACA7E E8FD63F9FF call 00442E80
004ACA83 8B45F0 mov eax, [ebp-$10]
004ACA86 8D55F4 lea edx, [ebp-$0C]
* Reference to: Unit_004079B0.Proc_004088DC
|
004ACA89 E84EBEF5FF call 004088DC
004ACA8E 8B4DF4 mov ecx, [ebp-$0C]
004ACA91 BA88CB4A00 mov edx, $004ACB88
004ACA96 8BC6 mov eax, esi
* Reference to: Unit_0046B260.Proc_0046B680
|
004ACA98 E8E3EBFBFF call 0046B680
004ACA9D 8D55E8 lea edx, [ebp-$18]
* Reference to control TForm6.Edit1 : TEdit
|
004ACAA0 8B83F4020000 mov eax, [ebx+$02F4]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004ACAA6 E8D563F9FF call 00442E80
004ACAAB 8B45E8 mov eax, [ebp-$18]
004ACAAE 8D55EC lea edx, [ebp-$14]
* Reference to: Unit_004079B0.Proc_004088DC
|
004ACAB1 E826BEF5FF call 004088DC
004ACAB6 8B4DEC mov ecx, [ebp-$14]
004ACAB9 BA94CB4A00 mov edx, $004ACB94
004ACABE 8BC6 mov eax, esi
* Reference to: Unit_0046B260.Proc_0046B680
|
004ACAC0 E8BBEBFBFF call 0046B680
004ACAC5 6A40 push $40
004ACAC7 6830CB4A00 push $004ACB30
* Possible String Reference to: '感谢您的注册,请重新启动本软件。' ,重启动提示
|
004ACACC 6898CB4A00 push $004ACB98
004ACAD1 8BC3 mov eax, ebx
* Reference to: Controls.TWinControl.GetHandle(TWinControl):HWND;
|
004ACAD3 E854CBF9FF call 0044962C
004ACAD8 50 push eax
* Reference to: ?MessageBoxA()
|
004ACAD9 E8A2A7F5FF call 00407280
004ACADE 8BC3 mov eax, ebx
......此处代码省略
****** END
|
004ACB27 5E pop esi
004ACB28 5B pop ebx
004ACB29 8BE5 mov esp, ebp
004ACB2B 5D pop ebp
004ACB2C C3 ret
---------------------------------------
经分析,发现,上述代码只是将用户名和注册码写入注册表\SOFTWARE\ExeSoft\NoGame中,并没其它操作,于是加载ollydbg,用Ultra String
Reference搜索ASCII字符,找到“已注册给”,地址是004AE638 mov edx,GA_.004AE87C,双击定位,整个调用代码如下:
004AE4A0 /. 55 push ebp
004AE4A1 |. 8BEC mov ebp,esp
004AE4A3 |. 83C4 B4 add esp,-4C
004AE4A6 |. 53 push ebx
004AE4A7 |. 56 push esi
004AE4A8 |. 57 push edi
004AE4A9 |. 33C9 xor ecx,ecx
004AE4AB |. 894D E0 mov dword ptr ss:[ebp-20],ecx
004AE4AE |. 894D E4 mov dword ptr ss:[ebp-1C],ecx
004AE4B1 |. 894D E8 mov dword ptr ss:[ebp-18],ecx
004AE4B4 |. 894D EC mov dword ptr ss:[ebp-14],ecx
004AE4B7 |. 894D F4 mov dword ptr ss:[ebp-C],ecx
004AE4BA |. 894D F0 mov dword ptr ss:[ebp-10],ecx
004AE4BD |. 894D F8 mov dword ptr ss:[ebp-8],ecx
004AE4C0 |. 894D FC mov dword ptr ss:[ebp-4],ecx
004AE4C3 |. 8BF0 mov esi,eax
004AE4C5 |. 33C0 xor eax,eax
004AE4C7 |. 55 push ebp
004AE4C8 |. 68 4CE74A00 push GA_.004AE74C
004AE4CD |. 64:FF30 push dword ptr fs:[eax]
004AE4D0 |. 64:8920 mov dword ptr fs:[eax],esp
004AE4D3 |. 68 5CE74A00 push GA_.004AE75C ; /Title = ""
004AE4D8 |. 68 60E74A00 push GA_.004AE760 ; |Class = "Tjianshiform"
004AE4DD |. E8 2E8BF5FF call <jmp.&user32.FindWindowA> ; \FindWindowA
004AE4E2 |. 85C0 test eax,eax
004AE4E4 |. 75 40 jnz short GA_.004AE526
004AE4E6 |. BA 78E74A00 mov edx,GA_.004AE778
.................此处非关键代码省略
004AE5F3 |. E8 F8F0FFFF call GA_.004AD6F0
004AE5F8 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
004AE5FB |. BA 34E84A00 mov edx,GA_.004AE834 ; ASCII "No!log.lnk"
004AE600 |. E8 0B61F5FF call GA_.00404710
004AE605 |. 8B55 EC mov edx,dword ptr ss:[ebp-14]
004AE608 |. 8BC3 mov eax,ebx
004AE60A |. 8B08 mov ecx,dword ptr ds:[eax]
004AE60C |. FF51 74 call dword ptr ds:[ecx+74]
004AE60F |. 8BC3 mov eax,ebx
004AE611 |. E8 CE50F5FF call GA_.004036E4 ;取注册表中的注册码
004AE616 |. A1 742D4B00 mov eax,dword ptr ds:[4B2D74] ;地址放入EAX
004AE61B |. E8 E860F5FF call GA_.00404708 ;取注册码长度
004AE620 |. 83F8 08 cmp eax,8 ;是否为8
004AE623 75 45 jnz short GA_.004AE66A ;不符,跳走,没注册成功,试用此软件
004AE625 |. A1 742D4B00 mov eax,dword ptr ds:[4B2D74] ;取第一个字符
004AE62A |. 8038 4D cmp byte ptr ds:[eax],4D ;是否为M(HEX值为4D)
004AE62D |. 75 3B jnz short GA_.004AE66A ;否 ,没注册成功
004AE62F |. 8D45 E8 lea eax,dword ptr ss:[ebp-18] ;
004AE632 |. 8B0D 782D4B00 mov ecx,dword ptr ds:[4B2D78] ; 用户名地址给ECX
004AE638 |. BA 7CE84A00 mov edx,GA_.004AE87C ;ASCII字符,“已注册给”
004AE63D |. E8 1261F5FF call GA_.00404754 ;取用户名长度
004AE642 |. 8B55 E8 mov edx,dword ptr ss:[ebp-18]
004AE645 |. 8B86 A0030000 mov eax,dword ptr ds:[esi+3A0]
004AE64B |. E8 6048F9FF call GA_.00442EB0
004AE650 |. B2 01 mov dl,1
004AE652 |. 8B86 A0030000 mov eax,dword ptr ds:[esi+3A0]
004AE658 |. E8 4347F9FF call GA_.00442DA0
004AE65D |. 33D2 xor edx,edx
004AE65F |. 8B86 2C030000 mov eax,dword ptr ds:[esi+32C]
004AE665 |. E8 6649F9FF call GA_.00442FD0
004AE66A |> 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004AE66D |. 8B15 742D4B00 mov edx,dword ptr ds:[4B2D74] ;注册码地址放入EAX
004AE673 |. 8A52 01 mov dl,byte ptr ds:[edx+1] ;取注册码第二个字符
004AE676 |. E8 B55FF5FF call GA_.00404630 ;进行验证,是否为整形值
004AE67B |. 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
004AE67E |. E8 D9A4F5FF call GA_.00408B5C
004AE683 |. 8BD8 mov ebx,eax
004AE685 |. 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004AE688 |. 8B15 742D4B00 mov edx,dword ptr ds:[4B2D74]
004AE68E |. 8A52 05 mov dl,byte ptr ds:[edx+5] ;取注册码第六个字符
004AE691 |. E8 9A5FF5FF call GA_.00404630 ;进行验证,最否为整形值
004AE696 |. 8B45 E0 mov eax,dword ptr ss:[ebp-20]
004AE699 |. E8 BEA4F5FF call GA_.00408B5C
004AE69E |. 8BF8 mov edi,eax ;第六个字符值给EDI
004AE6A0 |. 8D47 03 lea eax,dword ptr ds:[edi+3] ;EDI+3=?(HEX)
]004AE6A3 |. 8945 DC mov dword ptr ss:[ebp-24],eax 以下是浮点运算,较关键的一步在004AE71F处,下一
小节说明
004AE6A6 |. DB45 DC fild dword ptr ss:[ebp-24] ;装入整数到st(0)
004AE6A9 |. D9FA fsqrt ; 平方根 , st(0) <- sqrt st(0)
004AE6AB |. DB7D D0 fstp tbyte ptr ss:[ebp-30] ;保存实数st(0)到]ebp-30]
004AE6AE |. 9B wait
004AE6AF |. 8D47 03 lea eax,dword ptr ds:[edi+3]
004AE6B2 |. 8945 CC mov dword ptr ss:[ebp-34],eax
004AE6B5 |. DB45 CC fild dword ptr ss:[ebp-34]
004AE6B8 |. D9FA fsqrt
004AE6BA |. 8BC3 mov eax,ebx ;ebx就是注册码的第二位
004AE6BC |. F7EB imul ebx ;eax乘ebx
004AE6BE |. 03C3 add eax,ebx
004AE6C0 |. 8945 C8 mov dword ptr ss:[ebp-38],eax
004AE6C3 |. DB45 C8 fild dword ptr ss:[ebp-38] ;装入st(1)
004AE6C6 |. DEC1 faddp st(1),st ; st(1)+st(0)
004AE6C8 |. DB6D D0 fld tbyte ptr ss:[ebp-30]
004AE6CB |. DEC9 fmulp st(1),st ; 相乘
004AE6CD |. 8BC3 mov eax,ebx
004AE6CF |. F7EB imul ebx
004AE6D1 |. F7EB imul ebx
004AE6D3 |. F7EB imul ebx
004AE6D5 |. 8BD3 mov edx,ebx
004AE6D7 |. 03D2 add edx,edx
004AE6D9 |. 0FAFD3 imul edx,ebx
004AE6DC |. 0FAFD3 imul edx,ebx
004AE6DF |. 03C2 add eax,edx
004AE6E1 |. 8BD3 mov edx,ebx
004AE6E3 |. 0FAFD3 imul edx,ebx
004AE6E6 |. 03C2 add eax,edx
004AE6E8 |. 8945 C4 mov dword ptr ss:[ebp-3C],eax
004AE6EB |. DB45 C4 fild dword ptr ss:[ebp-3C]
004AE6EE |. D835 88E84A00 fdiv dword ptr ds:[4AE888] ; 除以实数"4",定值
004AE6F4 |. D805 8CE84A00 fadd dword ptr ds:[4AE88C] ; 加上“3”
004AE6FA |. DEC1 faddp st(1),st
004AE6FC |. DB7D B8 fstp tbyte ptr ss:[ebp-48]
004AE6FF |. 9B wait
004AE700 |. 83C7 03 add edi,3
004AE703 |. 897D B4 mov dword ptr ss:[ebp-4C],edi
004AE706 |. DB45 B4 fild dword ptr ss:[ebp-4C]
004AE709 |. D9FA fsqrt
004AE70B |. D80D 90E84A00 fmul dword ptr ds:[4AE890] ; 乘上实数“12”
004AE711 |. DB6D B8 fld tbyte ptr ss:[ebp-48]
004AE714 |. DEE1 fsubrp st(1),st ; st(1)-st(0)
004AE716 |. D81D 8CE84A00 fcomp dword ptr ds:[4AE88C] ;比较
004AE71C |. DFE0 fstsw ax ;保存状态字的值到AX
004AE71E |. 9E sahf ;(PSW低字节)←AH
004AE71F |. 75 10 jnz short GA_.004AE731
004AE721 |. BA 9CE84A00 mov edx,GA_.004AE89C ; ASCII "AB",此处也是关键,以后还会校验
004AE726 |. 8B86 A4030000 mov eax,dword ptr ds:[esi+3A4]
004AE72C |. E8 7F47F9FF call GA_.00442EB0
004AE731 |> 33C0 xor eax,eax
004AE733 |. 5A pop edx
004AE734 |. 59 pop ecx
004AE735 |. 59 pop ecx
004AE736 |. 64:8910 mov dword ptr fs:[eax],edx
004AE739 |. 68 53E74A00 push GA_.004AE753
004AE73E |> 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004AE741 |. BA 08000000 mov edx,8
004AE746 |. E8 295DF5FF call GA_.00404474
004AE74B \. C3 retn
--------------------------------------------------------------------------------
此小节为新增部分:
分析到这,好像是结束了,但其实还未完,在程序稍后一些的地方还有校验,如下:
004AE9F4 /. 55 push ebp
004AE9F5 |. 8BEC mov ebp,esp
004AE9F7 |. 6A 00 push 0
004AE9F9 |. 6A 00 push 0
004AE9FB |. 53 push ebx
004AE9FC |. 56 push esi
004AE9FD |. 8BD8 mov ebx,eax
004AE9FF |. 33C0 xor eax,eax
004AEA01 |. 55 push ebp
004AEA02 |. 68 ACEA4A00 push GA_.004AEAAC
004AEA07 |. 64:FF30 push dword ptr fs:[eax]
004AEA0A |. 64:8920 mov dword ptr fs:[eax],esp
004AEA0D |. A1 742D4B00 mov eax,dword ptr ds:[4B2D74] ; 注册码
004AEA12 |. 8078 02 33 cmp byte ptr ds:[eax+2],33 ;第三位为3
004AEA16 |. 75 48 jnz short GA_.004AEA60
004AEA18 |. A1 742D4B00 mov eax,dword ptr ds:[4B2D74]
004AEA1D |. 8078 03 51 cmp byte ptr ds:[eax+3],51 ;第4位为Q
004AEA21 |. 75 3D jnz short GA_.004AEA60
004AEA23 |. 8D55 FC lea edx,dword ptr ss:[ebp-4] ;还记得004AE71F处的ASCII码“AB”吗?
004AEA26 |. 8B83 A4030000 mov eax,dword ptr ds:[ebx+3A4]
004AEA2C |. E8 4F44F9FF call GA_.00442E80 ;换算,
004AEA31 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004AEA34 |. 0FB630 movzx esi,byte ptr ds:[eax] ;此时,ESI为“A”
004AEA37 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004AEA3A |. 8B83 A4030000 mov eax,dword ptr ds:[ebx+3A4]
004AEA40 |. E8 3B44F9FF call GA_.00442E80
004AEA45 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004AEA48 |. 0FB640 01 movzx eax,byte ptr ds:[eax+1] ;此时,ESI为“B”
004AEA4C |. 2BF0 sub esi,eax ;A-B=-1
004AEA4E |. 46 inc esi ;-1+1=0
004AEA4F |. 75 0F jnz short GA_.004AEA60 ;不等0跳至7天比较处
004AEA51 |. B8 742D4B00 mov eax,GA_.004B2D74 ;等于0,注册成功
004AEA56 |. BA C4EA4A00 mov edx,GA_.004AEAC4 ; ASCII "renxi"
004AEA5B |. E8 445AF5FF call GA_.004044A4
004AEA60 |> 83BB AC030000 07 cmp dword ptr ds:[ebx+3AC],7 ;7天比较处
004AEA67 |. 7E 28 jle short GA_.004AEA91
004AEA69 |. A1 742D4B00 mov eax,dword ptr ds:[4B2D74]
004AEA6E |. BA C4EA4A00 mov edx,GA_.004AEAC4 ; ASCII "renxi"
004AEA73 |. E8 D45DF5FF call GA_.0040484C
004AEA78 |. 74 17 je short GA_.004AEA91
004AEA7A |. 33D2 xor edx,edx
004AEA7C |. 8B83 0C030000 mov eax,dword ptr ds:[ebx+30C]
004AEA82 |. 8B08 mov ecx,dword ptr ds:[eax]
004AEA84 |. FF51 64 call dword ptr ds:[ecx+64]
004AEA87 |. B8 D4EA4A00 mov eax,GA_.004AEAD4
004AEA8C |. E8 D7D4F8FF call GA_.0043BF68
004AEA91 |> 33C0 xor eax,eax
004AEA93 |. 5A pop edx
004AEA94 |. 59 pop ecx
004AEA95 |. 59 pop ecx
004AEA96 |. 64:8910 mov dword ptr fs:[eax],edx
004AEA99 |. 68 B3EA4A00 push GA_.004AEAB3
004AEA9E |> 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004AEAA1 |. BA 02000000 mov edx,2
004AEAA6 |. E8 C959F5FF call GA_.00404474
004AEAAB \. C3 retn
-----------------------------------------------------------------------------------------
【破解总结】
一、心得
1.首先用户名没有进行计算;
2.对注册码检验其第一、第三、第四位是否为定值,且第二位和第六位的换算结果要满足004AEA3处浮点运算的条件;
3.对第六位进行了浮点运算,以判断是否为真正的注册码。
新增部分:
二、注册条件:
1.第一位必须是“M”,第三位是“3”,第四位是“Q”;
2.第二和第六位的值经过计算,最终要fcomp dword ptr ds:[4AE88C],[4AE88C]中为固定值“3”,这样才能真正成功。
--------------------------------------------------------------------------------
【算法注册机】
/*Nogame c语言注册机 */
/* 在Turboc 2.0 下调试通过 */
#include "stdio.h"
#include "string.h"
#include "stdlib.h"
main()
{
char name[50]={0} ,s[8];
int i,j;
float a,b,c,d,e,f,temp,temp1,temp2,temp3;
printf("Nogame KeyGen by jackily 2005-2-18\n");
printf("Email:jackily_zhang@msn.com or jackily_zhang@yahoo.com.cn\n");
printf("please input name:");
scanf("%s",name);
s[0]=0x4d;s[2]=0x33;s[3]=0x51;
for (i=1;i<10;i++)
{ s[1]=i;
for (j=1;j<10;j++)
{s[5]=j; c=j;
c+=3;
a=sqrt(c);
b=i; d=pow(b,3); b+=d;
temp1=a+b; temp1*=c;
b=i;
e=b+b; f=pow(b,2);f*=e;
temp2=d+f;temp2+=e;temp2/=4;temp2+=3;
temp=temp1+temp2;
temp3=a*0xc;
if ((temp-temp3)==3.000000) break;
}
}
s[4]=random(0x40);s[6]=random(0x40);s[7]=random(0x40);
printf("\nYour serial number is:");
for (i=0;i<8;i++)
printf("%c",s[i]);
}
--------------------------------------------------------------------------------
【关于程序启动密码的安全性问题】
软件简介中提到“安全性极高,较难被解除禁止,可放心地用于安全性要求较高的场所”,但其实在如下代码中很容易就可以将其启动密码爆
破或是提取。
004ADA8B |. BA 18DE4A00 mov edx,GA_.004ADE18 ; ASCII "\SOFTWARE\ExeSoft\NoGame"
004ADA90 |. 8BC3 mov eax,ebx
004ADA92 |. E8 2DDAFBFF call GA_.0046B4C4
004ADA97 |. 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
004ADA9A |. BA 3CDE4A00 mov edx,GA_.004ADE3C
004ADA9F |. 8BC3 mov eax,ebx
004ADAA1 |. E8 06DCFBFF call GA_.0046B6AC
004ADAA6 |. 8B55 D8 mov edx,dword ptr ss:[ebp-28]
004ADAA9 |. B8 742D4B00 mov eax,GA_.004B2D74
004ADAAE |. E8 F169F5FF call GA_.004044A4
004ADAB3 |. A1 742D4B00 mov eax,dword ptr ds:[4B2D74]
004ADAB8 |. E8 4B6CF5FF call GA_.00404708
004ADABD |. 83F8 08 cmp eax,8
004ADAC0 |. 74 0F je short GA_.004ADAD1
004ADAC2 |. B8 742D4B00 mov eax,GA_.004B2D74
004ADAC7 |. BA 48DE4A00 mov edx,GA_.004ADE48 ; ASCII "00000000"
004ADACC |. E8 D369F5FF call GA_.004044A4
004ADAD1 |> 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
004ADAD4 |. BA 5CDE4A00 mov edx,GA_.004ADE5C
004ADAD9 |. 8BC3 mov eax,ebx
004ADADB |. E8 CCDBFBFF call GA_.0046B6AC
004ADAE0 |. 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
004ADAE3 |. B8 782D4B00 mov eax,GA_.004B2D78
004ADAE8 |. E8 B769F5FF call GA_.004044A4
004ADAED |. 8BC3 mov eax,ebx
004ADAEF |. E8 F05BF5FF call GA_.004036E4
004ADAF4 |. 837D EC 00 cmp dword ptr ss:[ebp-14],0 ;[ebp-14]中存放程序启动密码(明码)
004ADAF8 |. 74 70 je short GA_.004ADB6A
004ADAFA |. 8B0D 80164B00 mov ecx,dword ptr ds:[4B1680] ; GA_.004B2C30
004ADB00 |. 8B09 mov ecx,dword ptr ds:[ecx]
004ADB02 |. B2 01 mov dl,1
004ADB04 |. A1 DCC04A00 mov eax,dword ptr ds:[4AC0DC]
004ADB09 |. E8 C2E9FAFF call GA_.0045C4D0
004ADB0E |. 8B15 38164B00 mov edx,dword ptr ds:[4B1638] ; GA_.004B2D50
004ADB14 |. 8902 mov dword ptr ds:[edx],eax
004ADB16 |. A1 38164B00 mov eax,dword ptr ds:[4B1638]
004ADB1B |. 8B00 mov eax,dword ptr ds:[eax]
004ADB1D |. 05 FC020000 add eax,2FC
004ADB22 |. 8B55 EC mov edx,dword ptr ss:[ebp-14]
004ADB25 |. E8 7A69F5FF call GA_.004044A4
004ADB2A |. A1 38164B00 mov eax,dword ptr ds:[4B1638]
004ADB2F |. 8B00 mov eax,dword ptr ds:[eax]
004ADB31 |. 8B10 mov edx,dword ptr ds:[eax]
004ADB33 |. FF92 E8000000 call dword ptr ds:[edx+E8] ; GA_.004607BC ,调用密码窗口,判断输入码与密码是否相等
004ADB39 |. A1 38164B00 mov eax,dword ptr ds:[4B1638]
004ADB3E |. 8B00 mov eax,dword ptr ds:[eax]
004ADB40 |. 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC] ;相等,则在此放入标志“yes,exesoft”
004ADB46 |. BA 68DE4A00 mov edx,GA_.004ADE68 ; ASCII "yes,exesoft"
004ADB4B |. E8 FC6CF5FF call GA_.0040484C ;判断上两行的标志是否相同,
004ADB50 |. 74 18 je short GA_.004ADB6A ;验证通过
....................没有通过则退出
只要在004ADAF8处跳转,启动密码就失效了;或者直接D ebp-14,提取启动密码。
jackily
二零零五年二月十九日
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!