【Title】: 边锋游戏《湖州红五记牌器》 (the Bianfeng "Huzhou Red Five" card-counting helper): unpacking plus algorithm analysis, all in one
【Author】: KuNgBiM[DFCG]
【Author e-mail】: gb_1227@163.com
【Software】: 边锋游戏《湖州红五记牌器》 (Bianfeng "Huzhou Red Five" card counter)
【Protection】: registration code + usage-count limit
【Packer】: ASPack 2.12 -> Alexey Solodovnikov
【Compiler】: Borland Delphi 6.0 - 7.0
【Author's note】: I'm new to cracking and do this purely out of interest, with no other purpose. Please point out any mistakes!
—————————————————————————————————
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 【Unpacking】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Packer detection: PEiD reports ASPack 2.12 -> Alexey Solodovnikov.
Tools: since we know the protection is ASPack, we unpack it by hand with OllyDbg, as the title promises.
————————————————————
Load the main program in OllyDbg:
0052C001 > 60 pushad //OD stops here, at the packer's entry point. Press F8 once
0052C002 E8 03000000 call hzred5.0052C00A //now here; look at the register window
0052C007 - E9 EB045D45 jmp 45AFC4F7
0052C00C 55 push ebp
0052C00D C3 retn
\\\\\\\\\\\\\\\ Registers \\\\\\\\\\\\\\\\
EAX 00000000
ECX 00010101
EDX FFFFFFFF
EBX 7FFDF000
ESP 0012FFA4 //after pushad: esp=0012ffa4, the saved registers sit at this address
EBP 0012FFF0
ESI 00000000
EDI 00000000
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Following the ESP trick, type hr 0012ffa4 in the command bar (hardware breakpoint on access to the slot pushad just wrote), press Enter, then F9 to run:
0052C3B0 /75 08 jnz short hzred5.0052C3BA //breaks here: the popad right before this instruction read the slot we are watching. Keep stepping with F8
0052C3B2 |B8 01000000 mov eax,1
0052C3B7 |C2 0C00 retn 0C
0052C3BA \68 7C654C00 push hzred5.004C657C //the pushed value 004C657C is the OEP. F8 on
0052C3BF C3 retn //retn into the original code. F8 once more
************************************************************************************************************
004C657C 55 push ebp //we land here: the original entry point. Dump!
004C657D 8BEC mov ebp,esp
004C657F 83C4 F0 add esp,-10
004C6582 53 push ebx
004C6583 B8 E4624C00 mov eax,hzred5.004C62E4
004C6588 E8 8701F4FF call hzred5.00406714
004C658D 8B1D 848F4C00 mov ebx,dword ptr ds:[4C8F84] ; hzred5.004CAC30
004C6593 8B03 mov eax,dword ptr ds:[ebx]
004C6595 E8 02B6F9FF call hzred5.00461B9C
004C659A 8B03 mov eax,dword ptr ds:[ebx]
004C659C BA F4654C00 mov edx,hzred5.004C65F4
004C65A1 E8 1AB2F9FF call hzred5.004617C0
004C65A6 8B0D A0904C00 mov ecx,dword ptr ds:[4C90A0] ; hzred5.004CAD80
004C65AC 8B03 mov eax,dword ptr ds:[ebx]
004C65AE 8B15 34214C00 mov edx,dword ptr ds:[4C2134] ; hzred5.004C2180
........
************************************************************************************************************
Dump and repair: run LordPE and dump the whole process. Then open ImportREC, pick the process, enter 000C657C as the OEP (ImportREC wants the RVA: 004C657C minus the image base 00400000), click "IAT AutoSearch", then "Get Imports",
delete the one invalid pointer (all the others are valid) and click "Fix Dump". Done: the unpacked program runs!
PEiD on the fixed dump now reports Borland Delphi 6.0 - 7.0. After optimizing it (LordPE's PE rebuild): original 377 KB --> unpacked and rebuilt 1.10 MB.
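Before pressing Dump it is worth confirming that 004C657C really is the OEP and not another packer trampoline. The script below is an added example for this page, not part of the original write-up: it takes the instruction bytes OD showed at the OEP, converts the VA to the RVA ImportREC expects, checks for the Delphi "push ebp / mov ebp,esp / add esp,-N" prologue, and decodes the E8 rel32 call to confirm it resolves to 00406714 inside the image. The image base 00400000 follows from ImportREC's OEP of 000C657C; the image size bound IMAGE_SIZE is an assumption, not read from the PE header.

```python
"""Sanity checks on a candidate OEP before dumping.  Added example for this
page, not part of the original write-up.  Input bytes are those OllyDbg showed
at 004C657C; the image base follows from ImportREC's OEP RVA (000C657C);
IMAGE_SIZE is an assumed bound, not read from the PE header."""

IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x00200000          # assumption: generous upper bound for "inside the image"
OEP_VA = 0x004C657C              # address pushed by the stub at 0052C3BA

# Constructed from the listing at the OEP (opcode bytes only).
OEP_BYTES = bytes.fromhex(
    "55"            # 004C657C push ebp
    "8BEC"          # 004C657D mov ebp,esp
    "83C4F0"        # 004C657F add esp,-10
    "53"            # 004C6582 push ebx
    "B8E4624C00"    # 004C6583 mov eax,004C62E4
    "E88701F4FF"    # 004C6588 call 00406714
)


def oep_rva(va: int, image_base: int = IMAGE_BASE) -> int:
    """ImportREC takes the OEP as an RVA, not the VA shown in the debugger."""
    return va - image_base


def looks_like_delphi_prologue(code: bytes) -> bool:
    """Delphi 6/7 program entry: push ebp / mov ebp,esp, then add esp,-N for locals.
    A packer trampoline (push OEP / retn) never looks like this."""
    return code.startswith(b"\x55\x8B\xEC") and code[3:5] == b"\x83\xC4"


def rel32_call_targets(code: bytes, code_va: int) -> list:
    """Linear scan for E8 rel32 and compute the absolute targets.  A linear scan
    can match an E8 inside an immediate, so the targets are range-checked below."""
    targets = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == 0xE8:
            rel = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
            insn_va = code_va + i
            targets.append((insn_va, (insn_va + 5 + rel) & 0xFFFFFFFF))
            i += 5
        else:
            i += 1
    return targets


def oep_checks(code: bytes, va: int, image_base: int = IMAGE_BASE,
               image_size: int = IMAGE_SIZE) -> dict:
    """The checks worth running before pressing Dump."""
    calls = rel32_call_targets(code, va)
    return {
        "rva": oep_rva(va, image_base),
        "prologue_ok": looks_like_delphi_prologue(code),
        "calls": calls,
        "calls_inside_image": all(image_base <= t < image_base + image_size
                                  for _, t in calls),
    }


if __name__ == "__main__":
    r = oep_checks(OEP_BYTES, OEP_VA)
    print(f"ImportREC OEP (RVA): {r['rva']:08X}")
    print(f"Delphi prologue    : {r['prologue_ok']}")
    for insn, target in r["calls"]:
        print(f"call at {insn:08X} -> {target:08X}")
    print(f"calls inside image : {r['calls_inside_image']}")
```

If the prologue check fails or a decoded call lands outside the image, the address is most likely still packer code (the ASPack stub's own push/retn at 0052C3BA is the classic false positive), and the dump should wait.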
—————————————————————————————————
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 【Cracking】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Probing: run the unpacked program, open the registration dialog, enter a trial code and click OK. The program answers "注册码错误!" ("Wrong registration code!").
First pass: load the program into W32Dasm for static disassembly and search for the string "注册码错误!". It is referenced at 004C1F9C; the registration handler that leads there starts at 004C1E20.
Targeted pass: reload the unpacked program in OllyDbg, scroll up to 004C1E20, set a breakpoint there, F9, and fill in the trial data:
***** Trial data ******
Machine code: 000AEB97B625
Trial code: 9876543210
*********************
Click OK and OD breaks:
004C1E20 6A 00 push 0
004C1E22 6A 00 push 0
004C1E24 49 dec ecx //ecx starts at 5
004C1E25 ^ 75 F9 jnz short dumped_.004C1E20 //Delphi prologue: pushes 5 pairs of zeros to clear the local string slots
004C1E27 53 push ebx
004C1E28 56 push esi
004C1E29 8BD8 mov ebx,eax
004C1E2B 33C0 xor eax,eax
004C1E2D 55 push ebp
004C1E2E 68 16204C00 push dumped_.004C2016
004C1E33 64:FF30 push dword ptr fs:[eax]
004C1E36 64:8920 mov dword ptr fs:[eax],esp
004C1E39 8D55 FC lea edx,dword ptr ss:[ebp-4]
004C1E3C 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
004C1E42 E8 75F0F7FF call dumped_.00440EBC //read the trial-code edit box
004C1E47 837D FC 00 cmp dword ptr ss:[ebp-4],0 //empty? (a Delphi empty string is a nil pointer)
004C1E4B 75 1E jnz short dumped_.004C1E6B //non-empty: continue at 004C1E6B; empty: fall through to the "no code entered" dialog
004C1E4D 6A 30 push 30 //uType = MB_ICONWARNING (0x30)
004C1E4F 68 24204C00 push dumped_.004C2024 //caption (shared with the failure dialog below)
004C1E54 68 2C204C00 push dumped_.004C202C //text: "未输入注册码!" ("No registration code entered!")
004C1E59 8BC3 mov eax,ebx
004C1E5B E8 0858F8FF call dumped_.00447668 //window handle of the form, passed as hWnd
004C1E60 50 push eax
004C1E61 E8 CE52F4FF call dumped_.00407134 //MessageBoxA wrapper
004C1E66 E9 50010000 jmp dumped_.004C1FBB
004C1E6B 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004C1E6E 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
004C1E74 E8 43F0F7FF call dumped_.00440EBC //read the trial code again
004C1E79 8B45 F4 mov eax,dword ptr ss:[ebp-C] //ASCII "9876543210"
004C1E7C 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004C1E7F E8 EC68F4FF call dumped_.00408770
004C1E84 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004C1E87 50 push eax //save the trial code on the stack, ASCII "9876543210"
004C1E88 8D55 E8 lea edx,dword ptr ss:[ebp-18] //edx = address of the output slot (lea does not clear edx)
004C1E8B 8B83 F4020000 mov eax,dword ptr ds:[ebx+2F4]
004C1E91 E8 26F0F7FF call dumped_.00440EBC //read the machine-code edit box
004C1E96 8B45 E8 mov eax,dword ptr ss:[ebp-18] //ASCII "000AEB97B625"
004C1E99 8D55 EC lea edx,dword ptr ss:[ebp-14]
004C1E9C E8 CF68F4FF call dumped_.00408770
004C1EA1 8B45 EC mov eax,dword ptr ss:[ebp-14] //first argument: the machine code, ASCII "000AEB97B625"
004C1EA4 8D55 F0 lea edx,dword ptr ss:[ebp-10] //second argument: address of the result string
004C1EA7 E8 74FCFFFF call dumped_.004C1B20 //the algorithm CALL: F7 into it (traced below)
004C1EAC 8B55 F0 mov edx,dword ptr ss:[ebp-10] //the real code appears: ASCII "aaarvsjvsccx"
004C1EAF 58 pop eax //restore the trial code into eax
004C1EB0 E8 4B28F4FF call dumped_.00404700 //the classic compare CALL (Delphi string compare)
004C1EB5 0F85 DA000000 jnz dumped_.004C1F95 //not equal: jump to the failure dialog. Patch point
004C1EBB B2 01 mov dl,1
004C1EBD A1 AC8B4800 mov eax,dword ptr ds:[488BAC]
004C1EC2 E8 E56DFCFF call dumped_.00488CAC //create the registry object (Delphi constructor call: dl=1, eax=class)
004C1EC7 8BF0 mov esi,eax
004C1EC9 BA 02000080 mov edx,80000002 //HKEY_LOCAL_MACHINE
004C1ECE 8BC6 mov eax,esi
004C1ED0 E8 776EFCFF call dumped_.00488D4C //RootKey := HKEY_LOCAL_MACHINE
004C1ED5 B1 01 mov cl,1 //CanCreate = True
004C1ED7 BA 44204C00 mov edx,dumped_.004C2044 //key where the registration is stored, ASCII "SOFTWARE\Microsoft\hzred5"
004C1EDC 8BC6 mov eax,esi
004C1EDE E8 A96FFCFF call dumped_.00488E8C //OpenKey(key, True)
004C1EE3 B9 01000000 mov ecx,1 //the value 1
004C1EE8 BA 68204C00 mov edx,dumped_.004C2068 //value name "hzred5reg": set to 1, the "registered" flag (the machine code goes under "macstr" below, not here)
004C1EED 8BC6 mov eax,esi
004C1EEF E8 3871FCFF call dumped_.0048902C //write the integer/boolean 1
004C1EF4 8D55 E0 lea edx,dword ptr ss:[ebp-20]
004C1EF7 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
004C1EFD E8 BAEFF7FF call dumped_.00440EBC
004C1F02 8B45 E0 mov eax,dword ptr ss:[ebp-20]
004C1F05 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
004C1F08 E8 6368F4FF call dumped_.00408770
004C1F0D 8B4D E4 mov ecx,dword ptr ss:[ebp-1C]
004C1F10 BA 7C204C00 mov edx,dumped_.004C207C //value name "red5sn": the registration code (whatever was typed in the box) is stored here
004C1F15 8BC6 mov eax,esi
004C1F17 E8 E470FCFF call dumped_.00489000 //write the string
004C1F1C 8D55 D8 lea edx,dword ptr ss:[ebp-28]
004C1F1F 8B83 F4020000 mov eax,dword ptr ds:[ebx+2F4]
004C1F25 E8 92EFF7FF call dumped_.00440EBC
004C1F2A 8B45 D8 mov eax,dword ptr ss:[ebp-28]
004C1F2D 8D55 DC lea edx,dword ptr ss:[ebp-24]
004C1F30 E8 3B68F4FF call dumped_.00408770
004C1F35 8B4D DC mov ecx,dword ptr ss:[ebp-24]
004C1F38 BA 8C204C00 mov edx,dumped_.004C208C //value name "macstr": the machine code is stored here
004C1F3D 8BC6 mov eax,esi
004C1F3F E8 BC70FCFF call dumped_.00489000 //write the string
004C1F44 8BC6 mov eax,esi
004C1F46 E8 D16DFCFF call dumped_.00488D1C //close the key
004C1F4B 8BC6 mov eax,esi
004C1F4D E8 4616F4FF call dumped_.00403598 //free the registry object
004C1F52 6A 00 push 0
004C1F54 B9 94204C00 mov ecx,dumped_.004C2094 //"registration successful" message text
004C1F59 BA 9C204C00 mov edx,dumped_.004C209C
004C1F5E A1 848F4C00 mov eax,dword ptr ds:[4C8F84]
004C1F63 8B00 mov eax,dword ptr ds:[eax]
004C1F65 E8 5AFEF9FF call dumped_.00461DC4
004C1F6A A1 A0904C00 mov eax,dword ptr ds:[4C90A0]
004C1F6F 8B00 mov eax,dword ptr ds:[eax]
004C1F71 8B80 70030000 mov eax,dword ptr ds:[eax+370]
004C1F77 33D2 xor edx,edx
004C1F79 8B08 mov ecx,dword ptr ds:[eax]
004C1F7B FF51 64 call dword ptr ds:[ecx+64]
004C1F7E A1 A0904C00 mov eax,dword ptr ds:[4C90A0]
004C1F83 8B00 mov eax,dword ptr ds:[eax]
004C1F85 C680 78030000 0>mov byte ptr ds:[eax+378],1
004C1F8C 8BC3 mov eax,ebx
004C1F8E E8 0DC6F9FF call dumped_.0045E5A0
004C1F93 EB 19 jmp short dumped_.004C1FAE
004C1F95 6A 30 push 30 //MB_ICONWARNING
004C1F97 68 24204C00 push dumped_.004C2024 //caption (same as the "no code entered" dialog)
004C1F9C 68 B0204C00 push dumped_.004C20B0 //text: "注册码错误!" ("Wrong registration code!"), the string W32Dasm located
004C1FA1 8BC3 mov eax,ebx
004C1FA3 E8 C056F8FF call dumped_.00447668 //window handle of the form
004C1FA8 50 push eax
004C1FA9 E8 8651F4FF call dumped_.00407134 //MessageBoxA wrapper
004C1FAE 33D2 xor edx,edx
004C1FB0 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
004C1FB6 E8 31EFF7FF call dumped_.00440EEC
004C1FBB 33C0 xor eax,eax
004C1FBD 5A pop edx
004C1FBE 59 pop ecx
004C1FBF 59 pop ecx
004C1FC0 64:8910 mov dword ptr fs:[eax],edx
004C1FC3 68 1D204C00 push dumped_.004C201D
004C1FC8 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004C1FCB E8 3423F4FF call dumped_.00404304
004C1FD0 8D45 DC lea eax,dword ptr ss:[ebp-24]
004C1FD3 E8 2C23F4FF call dumped_.00404304
004C1FD8 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004C1FDB E8 2423F4FF call dumped_.00404304
004C1FE0 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004C1FE3 E8 1C23F4FF call dumped_.00404304
004C1FE8 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004C1FEB E8 1423F4FF call dumped_.00404304
004C1FF0 8D45 EC lea eax,dword ptr ss:[ebp-14]
004C1FF3 BA 02000000 mov edx,2
004C1FF8 E8 2B23F4FF call dumped_.00404328
004C1FFD 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004C2000 E8 FF22F4FF call dumped_.00404304
004C2005 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004C2008 E8 F722F4FF call dumped_.00404304
004C200D 8D45 FC lea eax,dword ptr ss:[ebp-4]
004C2010 E8 EF22F4FF call dumped_.00404304
004C2015 C3 retn //return from the button handler
============== Stepping into: 004C1EA7 E8 74FCFFFF call dumped_.004C1B20 ==============
004C1B20 55 push ebp
004C1B21 8BEC mov ebp,esp
004C1B23 B9 07000000 mov ecx,7
004C1B28 6A 00 push 0
004C1B2A 6A 00 push 0
004C1B2C 49 dec ecx //ecx starts at 7
004C1B2D ^ 75 F9 jnz short dumped_.004C1B28 //Delphi prologue: 7 pairs of zero pushes to clear the local string slots
004C1B2F 53 push ebx
004C1B30 56 push esi
004C1B31 57 push edi
004C1B32 8BFA mov edi,edx
004C1B34 8945 FC mov dword ptr ss:[ebp-4],eax //save the argument: the machine code, ASCII "000AEB97B625"
004C1B37 8B45 FC mov eax,dword ptr ss:[ebp-4] //back into eax for the RTL call
004C1B3A E8 652CF4FF call dumped_.004047A4 //Delphi RTL string helper (reference handling for the incoming string)
004C1B3F 33C0 xor eax,eax
004C1B41 55 push ebp
004C1B42 68 E61C4C00 push dumped_.004C1CE6
004C1B47 64:FF30 push dword ptr fs:[eax]
004C1B4A 64:8920 mov dword ptr fs:[eax],esp
004C1B4D 8D45 F8 lea eax,dword ptr ss:[ebp-8] //destination: local copy
004C1B50 8B55 FC mov edx,dword ptr ss:[ebp-4] //source: the machine code, ASCII "000AEB97B625"
004C1B53 E8 4428F4FF call dumped_.0040439C //string assignment: [ebp-8] := machine code
004C1B58 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004C1B5B E8 A427F4FF call dumped_.00404304 //result string [ebp-C] := '' (same clear routine used in the epilogues)
004C1B60 8B45 F8 mov eax,dword ptr ss:[ebp-8] //the machine code, ASCII "000AEB97B625"
004C1B63 E8 542AF4FF call dumped_.004045BC //Length()
004C1B68 8BF0 mov esi,eax //esi = length = 0C (12 characters)
004C1B6A 85F6 test esi,esi
004C1B6C 0F8E 4F010000 jle dumped_.004C1CC1 //empty string: skip the loop; otherwise process all 12 characters
004C1B72 BB 01000000 mov ebx,1
004C1B77 8D45 EC lea eax,dword ptr ss:[ebp-14]
004C1B7A 8B55 F8 mov edx,dword ptr ss:[ebp-8] //edx = the machine code
004C1B7D 8A541A FF mov dl,byte ptr ds:[edx+ebx-1] //dl = current character (1-based index in ebx); OD's hint shows ds:[00DDB14C]=30 ('0')
004C1B81 E8 5E29F4FF call dumped_.004044E4 //make a one-character string from dl
004C1B86 8B45 EC mov eax,dword ptr ss:[ebp-14]
004C1B89 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004C1B8C E8 8F69F4FF call dumped_.00408520 //string-to-string helper (not identified in this trace)
004C1B91 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004C1B94 BA FC1C4C00 mov edx,dumped_.004C1CFC //first special-case constant (contents not shown in the listing)
004C1B99 E8 622BF4FF call dumped_.00404700 //string compare
004C1B9E 75 12 jnz short dumped_.004C1BB2 //not this character: try the next case
004C1BA0 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004C1BA3 BA 081D4C00 mov edx,dumped_.004C1D08 //replacement string for this case
004C1BA8 E8 172AF4FF call dumped_.004045C4 //append it to the result
004C1BAD E9 07010000 jmp dumped_.004C1CB9 //next character
004C1BB2 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004C1BB5 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004C1BB8 8A541A FF mov dl,byte ptr ds:[edx+ebx-1] //same character again, second special case (constant at 004C1D14, replacement at 004C1D20)
004C1BBC E8 2329F4FF call dumped_.004044E4
004C1BC1 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
004C1BC4 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004C1BC7 E8 5469F4FF call dumped_.00408520
004C1BCC 8B45 E8 mov eax,dword ptr ss:[ebp-18]
004C1BCF BA 141D4C00 mov edx,dumped_.004C1D14
004C1BD4 E8 272BF4FF call dumped_.00404700
004C1BD9 75 12 jnz short dumped_.004C1BED //not this one either: next case
004C1BDB 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004C1BDE BA 201D4C00 mov edx,dumped_.004C1D20
004C1BE3 E8 DC29F4FF call dumped_.004045C4
004C1BE8 E9 CC000000 jmp dumped_.004C1CB9
004C1BED 8D45 DC lea eax,dword ptr ss:[ebp-24]
004C1BF0 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004C1BF3 8A541A FF mov dl,byte ptr ds:[edx+ebx-1] //same character, third special case (constant at 004C1D2C, replacement at 004C1D38)
004C1BF7 E8 E828F4FF call dumped_.004044E4
004C1BFC 8B45 DC mov eax,dword ptr ss:[ebp-24]
004C1BFF 8D55 E0 lea edx,dword ptr ss:[ebp-20]
004C1C02 E8 1969F4FF call dumped_.00408520
004C1C07 8B45 E0 mov eax,dword ptr ss:[ebp-20]
004C1C0A BA 2C1D4C00 mov edx,dumped_.004C1D2C
004C1C0F E8 EC2AF4FF call dumped_.00404700
004C1C14 75 12 jnz short dumped_.004C1C28 //not this one either: next case
004C1C16 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004C1C19 BA 381D4C00 mov edx,dumped_.004C1D38
004C1C1E E8 A129F4FF call dumped_.004045C4
004C1C23 E9 91000000 jmp dumped_.004C1CB9
004C1C28 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
004C1C2B 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004C1C2E 8A541A FF mov dl,byte ptr ds:[edx+ebx-1] //same character, fourth special case (constant at 004C1D44, replacement at 004C1D50)
004C1C32 E8 AD28F4FF call dumped_.004044E4
004C1C37 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
004C1C3A 8D55 D8 lea edx,dword ptr ss:[ebp-28]
004C1C3D E8 DE68F4FF call dumped_.00408520
004C1C42 8B45 D8 mov eax,dword ptr ss:[ebp-28]
004C1C45 BA 441D4C00 mov edx,dumped_.004C1D44
004C1C4A E8 B12AF4FF call dumped_.00404700
004C1C4F 75 0F jnz short dumped_.004C1C60 //not this one either: next case
004C1C51 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004C1C54 BA 501D4C00 mov edx,dumped_.004C1D50
004C1C59 E8 6629F4FF call dumped_.004045C4
004C1C5E EB 59 jmp short dumped_.004C1CB9
004C1C60 8D45 CC lea eax,dword ptr ss:[ebp-34]
004C1C63 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004C1C66 8A541A FF mov dl,byte ptr ds:[edx+ebx-1] //same character, fifth special case (constant at 004C1D5C, replacement at 004C1D68)
004C1C6A E8 7528F4FF call dumped_.004044E4
004C1C6F 8B45 CC mov eax,dword ptr ss:[ebp-34]
004C1C72 8D55 D0 lea edx,dword ptr ss:[ebp-30]
004C1C75 E8 A668F4FF call dumped_.00408520
004C1C7A 8B45 D0 mov eax,dword ptr ss:[ebp-30]
004C1C7D BA 5C1D4C00 mov edx,dumped_.004C1D5C
004C1C82 E8 792AF4FF call dumped_.00404700
004C1C87 75 0F jnz short dumped_.004C1C98 //none of the five matched: default rule
004C1C89 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004C1C8C BA 681D4C00 mov edx,dumped_.004C1D68
004C1C91 E8 2E29F4FF call dumped_.004045C4
004C1C96 EB 21 jmp short dumped_.004C1CB9
004C1C98 8D45 C8 lea eax,dword ptr ss:[ebp-38]
004C1C9B 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004C1C9E 0FB6541A FF movzx edx,byte ptr ds:[edx+ebx-1] //default case: edx = ASCII value of the current character ('0' = 30)
004C1CA3 83C2 31 add edx,31 //edx = 30 + 31 = 61. Key calculation ①
004C1CA6 83E2 7F and edx,7F //mask to 7 bits: 61 stays 61 (a no-op for hex digits, whose sums never exceed 7F). Key calculation ②
004C1CA9 E8 3628F4FF call dumped_.004044E4 //one-character string from the new value
004C1CAE 8B55 C8 mov edx,dword ptr ss:[ebp-38] //"a" (61)
004C1CB1 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004C1CB4 E8 0B29F4FF call dumped_.004045C4 //append it to the result
004C1CB9 43 inc ebx //next character index
004C1CBA 4E dec esi //characters remaining
004C1CBB ^ 0F85 B6FEFFFF jnz dumped_.004C1B77 //loop back until all 12 characters are done
004C1CC1 8BC7 mov eax,edi //eax = the output parameter (address the caller passed in edx)
004C1CC3 8B55 F4 mov edx,dword ptr ss:[ebp-C] //the real code: ASCII "aaarvsjvsccx"
004C1CC6 E8 8D26F4FF call dumped_.00404358 //assign it to the output parameter
004C1CCB 33C0 xor eax,eax //exception-frame teardown
004C1CCD 5A pop edx
004C1CCE 59 pop ecx
004C1CCF 59 pop ecx
004C1CD0 64:8910 mov dword ptr fs:[eax],edx
004C1CD3 68 ED1C4C00 push dumped_.004C1CED
004C1CD8 8D45 C8 lea eax,dword ptr ss:[ebp-38] //address of the 14 (edx=0E) temporary strings to release
004C1CDB BA 0E000000 mov edx,0E
004C1CE0 E8 4326F4FF call dumped_.00404328
004C1CE5 C3 retn
004C1CE6 ^ E9 4120F4FF jmp dumped_.00403D2C
004C1CEB ^ EB EB jmp short dumped_.004C1CD8
004C1CED 5F pop edi
004C1CEE 5E pop esi
004C1CEF 5B pop ebx
004C1CF0 8BE5 mov esp,ebp
004C1CF2 5D pop ebp
004C1CF3 C3 retn //done: back to the caller with the computed code
---------------------------------------------------------------------------------------------------------------
【Algorithm summary】:
The check is simple, but the trace shows six branches per character, not one:
1. The machine code (A) is processed one character at a time (12 characters; it looks like a MAC address, and the program stores it under the value name "macstr").
2. The character is first compared with five fixed constants (004C1CFC, 004C1D14, 004C1D2C, 004C1D44, 004C1D5C; their contents do not appear in the listing). On a match, the corresponding fixed string (004C1D08, 004C1D20, 004C1D38, 004C1D50, 004C1D68) is appended to the result.
3. Otherwise the default rule applies: take the character's ASCII value (B), add 0x31 and mask with 0x7F to get (C), and append the character with that value.
4. The accumulated string is the serial number (SN). For the hex digits of a machine code the mask never changes anything, so when no special case fires the default rule maps '0'..'9' to 'a'..'j' and 'A'..'F' to 'r'..'w'.
【Patch point】:
004C1EB5 0F85 DA000000 jnz dumped_.004C1F95 replace the six bytes 0F 85 DA 00 00 00 with 90 90 90 90 90 90
Note that the patched dialog then accepts anything and stores the typed text under "red5sn" (004C1EF4..004C1F17), so a keygen is the cleaner route.
--------------------------------------------
【Worked example on this machine】:
Machine code (A): 000AEB97B625
--------------------------------------------
ASCII (B): 30 30 30 41 45 42 39 37 42 36 32 35
(B)+0x31, masked with 0x7F: 61 61 61 72 76 73 6A 68 73 67 63 66
--------------------------------------------
Default-rule result (C): "aaarvsjhsgcf"
--------------------------------------------
Registration code (SN) as observed in the debugger: aaarvsjvsccx
(C) and the SN differ at characters 8, 10 and 12, where the inputs are '7', '6' and '5': those three go through the special-case branches ('7' -> 'v', '6' -> 'c', '5' -> 'x'); every other character of this sample takes the default rule.
=======================
Registration data:
Machine code: 000AEB97B625
Serial number: aaarvsjvsccx
=======================
【Where the registration is stored】:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\hzred5 (values "red5sn" = serial, "macstr" = machine code, "hzred5reg" = 1)
〓End〓
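The algorithm summary and the worked example above describe the serial scheme, and the success path of the dialog shows what gets written to the registry. The keygen below is an added example written for this page, not the author's code. The default rule is read straight from 004C1C9E..004C1CA6; the SPECIAL table is incomplete: its three entries are inferred from the page's own sample (000AEB97B625 -> aaarvsjvsccx), while the two remaining special-case constants at 004C1CFC.. are not visible in the listing, so a machine code containing one of those unknown characters needs its own debugger sample (recover_special shows how to pull the mapping out of one). The REG_DWORD type for "hzred5reg" is an assumption; the listing only shows the value 1 being written.

```python
"""Keygen for the hzred5 serial scheme as traced in this write-up.
Added example for this page, not the write-up author's code."""

# Special-case substitutions.  The routine compares each character against five
# constants (004C1CFC, 004C1D14, 004C1D2C, 004C1D44, 004C1D5C) whose contents are
# not shown in the listing; the three entries here are INFERRED from the page's
# sample (000AEB97B625 -> aaarvsjvsccx).  Two special cases remain unknown.
SPECIAL = {"7": "v", "6": "c", "5": "x"}

REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\hzred5"   # 004C1EC9 / 004C1ED7


def default_rule(ch: str) -> str:
    """Fall-through branch at 004C1C9E..004C1CA6: movzx, add 0x31, and 0x7F."""
    return chr((ord(ch) + 0x31) & 0x7F)


def keygen(machine_code: str, special=None) -> str:
    """Loop at 004C1B77..004C1CBB: per character, special case first, else default rule."""
    table = SPECIAL if special is None else special
    return "".join(table.get(ch, default_rule(ch)) for ch in machine_code)


def default_only(machine_code: str) -> str:
    """What the default rule alone produces (no special cases)."""
    return keygen(machine_code, special={})


def recover_special(machine_code: str, observed_serial: str) -> dict:
    """Derive special-case entries from a (machine code, serial) pair seen in the
    debugger: every position where the default rule disagrees with the observed
    serial must have gone through one of the compare branches.  Raises if the
    sample is inconsistent (same input character, two different outputs)."""
    if len(machine_code) != len(observed_serial):
        raise ValueError("multi-character replacement strings are not handled")
    found = {}
    for ch, out in zip(machine_code, observed_serial):
        if out == default_rule(ch):
            continue
        if found.get(ch, out) != out:
            raise ValueError(f"conflicting mapping for {ch!r}: {found[ch]!r} vs {out!r}")
        found[ch] = out
    return found


def reg_file(machine_code: str, serial: str) -> str:
    """The entries the success path (004C1EBB..004C1F4D) writes, as a .reg file.
    Value names come from the listing; "hzred5reg" is written as the integer 1,
    and REG_DWORD for it is an assumption."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{REG_KEY}]\r\n"
        '"hzred5reg"=dword:00000001\r\n'
        f'"red5sn"="{serial}"\r\n'
        f'"macstr"="{machine_code}"\r\n'
    )


if __name__ == "__main__":
    mc = "000AEB97B625"                       # the page's sample machine code
    print("default rule only :", default_only(mc))
    print("with special cases:", keygen(mc))
    print("recovered table   :", recover_special(mc, "aaarvsjvsccx"))
    print(reg_file(mc, keygen(mc)))
```

Run it as is to reproduce the page's serial; to extend SPECIAL, feed recover_special a fresh (machine code, serial) pair copied from the debugger at 004C1EAC and merge whatever it returns.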
------------------------------------------------------------------------------------------
Copyright (C) 2005 KuNgBiM[DFCG]
-------------------------------------------------------------------------------------------
Cracked BY KuNgBiM[DFCG]
2005-06-02
6:26:26 AM