【文章标题】: 菜鸟初试算法分析之二PocketKiosk Builder v2.2.2
【文章作者】: wind
【作者邮箱】: qf100@163.com
【软件名称】: PocketKiosk Builder
【下载地址】: http://www.askarya.com/pocketpc/pocketkiosk/pk.asp
【加壳方式】: 无
【保护方式】: Serial
【编写语言】: Visual C++ 6.0
【使用工具】: Ollydbg Peid
【操作平台】: winXPsp2
【软件介绍】: 一款用于限制PocketPC设备同一时间只能运行单一程序的软件
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
查壳:Visual C++ 6.0 无壳
试探:程序启动后跳出NAG要求注册,机器码为1027197713,输入注册码78787878,点击后提示"Registration key is not valid. Please try again."
OD加载后,右键搜索关键字符串,来到
00402DE5 > \6A 00 push 0 ; 这里显示Jump from 00402CBF 去看看
00402DE7 . 68 F8004200 push PKBuilde.004200F8 ; ASCII "PocketKiosk Builder"
00402DEC . 68 90044200 push PKBuilde.00420490 ; ASCII "Registration key is not valid. Please try again."
00402DF1 > 8B4B 1C mov ecx,dword ptr ds:[ebx+1C] ; |
00402DF4 . 51 push ecx ; |hOwner
00402DF5 . FF15 E4A34100 call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA
来到提示的00402CBF处
00402C9C . 6A 01 push 1
00402C9E . E8 27F50000 call PKBuilde.004121CA
00402CA3 . 51 push ecx
00402CA4 . 8DAB 6C040000 lea ebp,dword ptr ds:[ebx+46C]
00402CAA . 8BCC mov ecx,esp
00402CAC . 896424 14 mov dword ptr ss:[esp+14],esp
00402CB0 . 55 push ebp
00402CB1 . E8 AF050100 call PKBuilde.00413265
00402CB6 . 8BCB mov ecx,ebx ;
00402CB8 . E8 13FDFFFF call PKBuilde.004029D0 ; 关键CALL F7 ☆☆☆☆☆
00402CBD . 85C0 test eax,eax
00402CBF . 0F84 20010000 je PKBuilde.00402DE5 ; 来到这里 跳则注册失败
00402CC5 . 8B45 00 mov eax,dword ptr ss:[ebp]
00402CC8 . 8378 F8 10 cmp dword ptr ds:[eax-8],10 ; 注册码位数和16比较
00402CCC . 75 3B jnz short PKBuilde.00402D09 ; 不等则跳显示已经过期
00402CCE . 55 push ebp ; 注册成功
00402CCF . 8D4B 60 lea ecx,dword ptr ds:[ebx+60]
00402CD2 . E8 C2080100 call PKBuilde.00413599
00402CD7 . 8BCB mov ecx,ebx
00402CD9 . E8 02020000 call PKBuilde.00402EE0
00402CDE . 8B4B 1C mov ecx,dword ptr ds:[ebx+1C]
00402CE1 . 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00402CE3 . 68 F8004200 push PKBuilde.004200F8 ; |Title = "PocketKiosk Builder"
00402CE8 . 68 68054200 push PKBuilde.00420568 ; |Text = "Registration was successful."
00402CED . 51 push ecx ; |hOwner
00402CEE . FF15 E4A34100 call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA
==========================来到00402CB8 call PKBuilde.004029D0 ==============================================
004029D0 /$ 6A FF push -1
004029D2 |. 68 188F4100 push PKBuilde.00418F18 ; SE 句柄安装
004029D7 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
...省略部分代码...
00402A40 |. FF15 40A24100 call dword ptr ds:[<&KERNEL32.GetVolumeInformationA>; \取机器码
00402A46 |. 3BC3 cmp eax,ebx
00402A48 |. 74 17 je short PKBuilde.00402A61
00402A4A |. 8B4424 10 mov eax,dword ptr ss:[esp+10]
00402A4E |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00402A52 |. 50 push eax
00402A53 |. 68 84044200 push PKBuilde.00420484 ; ASCII "%u"
00402A58 |. 51 push ecx
00402A59 |. E8 9FC80000 call PKBuilde.0040F2FD ; 机器码转换为10进制
00402A5E |. 83C4 0C add esp,0C
00402A61 |> 8B15 08074200 mov edx,dword ptr ds:[420708] ; PKBuilde.0042071C
00402A67 |. 56 push esi
00402A68 |. 895424 0C mov dword ptr ss:[esp+C],edx
00402A6C |. 8B4424 10 mov eax,dword ptr ss:[esp+10]
00402A70 |. 33F6 xor esi,esi
00402A72 |. C64424 24 02 mov byte ptr ss:[esp+24],2
00402A77 |. 3958 F8 cmp dword ptr ds:[eax-8],ebx
00402A7A |. 7E 21 jle short PKBuilde.00402A9D
00402A7C |> 0FBE0406 /movsx eax,byte ptr ds:[esi+eax] ; 机器码每一位的ASC码依次进eax
00402A80 |. 83E8 30 |sub eax,30 ; eax-30
00402A83 |. 8D4C24 0C |lea ecx,dword ptr ss:[esp+C]
00402A87 |. 8A80 68044200 |mov al,byte ptr ds:[eax+420468] ; 查表 将结果放在al 表在420468
这个就是420468处的表
00420468 39 41 58 31 42 59 44 33 9AX1BYD3
00420470 43 47 45 37 30 48 35 4A CGE70H5J
00420478 50 4B 45 PKE
00402A8D |. 50 |push eax
00402A8E |. E8 820C0100 |call PKBuilde.00413715 ; 结果保存到eax
00402A93 |. 8B4424 10 |mov eax,dword ptr ss:[esp+10] ; eax=机器码
00402A97 |. 46 |inc esi ; 计数器加1
00402A98 |. 3B70 F8 |cmp esi,dword ptr ds:[eax-8] ; 比较是否继续
00402A9B |.^ 7C DF \jl short PKBuilde.00402A7C ; 循环计算
00402A9D |> 8B40 F8 mov eax,dword ptr ds:[eax-8]
00402AA0 |. 83F8 10 cmp eax,10 ; 和16比较
00402AA3 |. 7D 1B jge short PKBuilde.00402AC0 ; >=则跳 这里是小于没有跳
00402AA5 |. 8DB0 68044200 lea esi,dword ptr ds:[eax+420468] ; 查表取字串从机器码位数开始取完
00402AAB |> 8A0E /mov cl,byte ptr ds:[esi] ; 新字串每一位的ASC码依次进cl
00402AAD |. 51 |push ecx
00402AAE |. 8D4C24 10 |lea ecx,dword ptr ss:[esp+10]
00402AB2 |. E8 5E0C0100 |call PKBuilde.00413715 ; 继续保存到eax
00402AB7 |. 46 |inc esi
00402AB8 |. 81FE 78044200 |cmp esi,PKBuilde.00420478 ; 与PKE比较
00402ABE |.^ 7C EB \jl short PKBuilde.00402AAB ; 取到PKE前面为止
00402AC0 |> 8B4C24 0C mov ecx,dword ptr ss:[esp+C] ; ecx=真码
00402AC4 |. 8B5424 2C mov edx,dword ptr ss:[esp+2C] ; edx=假码
00402AC8 |. 8B41 F8 mov eax,dword ptr ds:[ecx-8]
00402ACB |. 50 push eax
00402ACC |. 52 push edx
00402ACD |. 51 push ecx
00402ACE |. E8 5D250000 call PKBuilde.00405030 ; 关键的比较CALL
00402AD3 |. 83C4 0C add esp,0C
00402AD6 |. 85C0 test eax,eax
00402AD8 |. 5E pop esi
00402AD9 |. 74 41 je short PKBuilde.00402B1C ; 不跳则挂
00402ADB |. 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00402ADF |. C64424 20 01 mov byte ptr ss:[esp+20],1
00402AE4 |. E8 070A0100 call PKBuilde.004134F0
00402AE9 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00402AED |. 885C24 20 mov byte ptr ss:[esp+20],bl
00402AF1 |. E8 FA090100 call PKBuilde.004134F0
00402AF6 |. 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
00402AFA |. C74424 20 FFFFFFFF mov dword ptr ss:[esp+20],-1
00402B02 |. E8 E9090100 call PKBuilde.004134F0
00402B07 |. 5F pop edi
00402B08 |. 33C0 xor eax,eax
00402B0A |. 5B pop ebx
00402B0B |. 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
00402B0F |. 64:890D 00000000 mov dword ptr fs:[0],ecx
00402B16 |. 83C4 1C add esp,1C
00402B19 |. C2 0400 retn 4
00402B1C |> 8B4424 28 mov eax,dword ptr ss:[esp+28] ; eax=注册码
00402B20 |. 8378 F8 10 cmp dword ptr ds:[eax-8],10 ; [eax-8]是注册码位数 和16比较
00402B24 |. 7E 19 jle short PKBuilde.00402B3F ; 小于等于则跳
00402B26 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00402B2A |. 51 push ecx
00402B2B |. E8 10C90000 call PKBuilde.0040F440
00402B30 |. 8B10 mov edx,dword ptr ds:[eax]
00402B32 |. 8BCF mov ecx,edi
00402B34 |. 8997 64040000 mov dword ptr ds:[edi+464],edx
00402B3A |. E8 A1030000 call PKBuilde.00402EE0
00402B3F |> 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
00402B43 |. C64424 20 01 mov byte ptr ss:[esp+20],1
00402B48 |. E8 A3090100 call PKBuilde.004134F0
00402B4D |. 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00402B51 |. 885C24 20 mov byte ptr ss:[esp+20],bl
00402B55 |. E8 96090100 call PKBuilde.004134F0
00402B5A |. 8D4C24 28 lea ecx,dword ptr ss:[esp+28]
00402B5E |. C74424 20 FFFFFFFF mov dword ptr ss:[esp+20],-1
00402B66 |. E8 85090100 call PKBuilde.004134F0
00402B6B |. 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
00402B6F |. 5F pop edi
00402B70 |. B8 01000000 mov eax,1
00402B75 |. 5B pop ebx
00402B76 |. 64:890D 00000000 mov dword ptr fs:[0],ecx
00402B7D |. 83C4 1C add esp,1C
00402B80 \. C2 0400 retn 4
总结:
机器码:1027197713
注册码:A9X3AG33A1E70H5J
注册后在 %systemroot%\system32 下写入名为 pkelic 的文件(没有后缀名)
删除以后就可以再玩一次
--------------------------------------------------------------------------------
【经验总结】
算法如下:
1:取当前安装盘的卷信息,转换成10进制数就是机器码
2:机器码每一位的ASCII码减去30H(即得到该位的数字值)后,依次作为下标在表9AX1BYD3CGE70H5JPKE中取出对应的字符并连接起来
3:取表9AX1BYD3CGE70H5JPKE中的E70H5J(即从机器码位数对应的偏移起取到PKE之前,见00402AA5处),接在第2步结果之后
比如我的机器码是1027197713
机器码 1027197713
对应的ASCII码减30H就是 1027197713
在表9AX1BYD3CGE70H5JPKE中对应的就是A9X3AG33A1
再连上E70H5J就是注册码了 A9X3AG33A1E70H5J
菜鸟写文章,感谢大家看完。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【版权声明】: 本文纯属技术交流,请支持正版软件,转载请注明作者并保持文章的完整, 谢谢!
Crack by wind
Greetz are flying to all my friends and you!