诸葛铁板神数 V1.7注册分析
【文章标题】: 诸葛铁板神数 V1.7注册分析【文章作者】: yzslly
【软件名称】: 诸葛铁板神数 V1.7
【软件大小】: 111KB
【下载地址】: 自己搜索下载
【加壳方式】: ASPack 2.12 -> Alexey Solodovnikov
【保护方式】: 注册码
【编写语言】: VB
【使用工具】: OD
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
脱壳很简单,这里就不写,OD加载运行,点注册输入试炼码,注册码:123456,用户名:yzs,下断bp __vbaStrCmp,点注册
中断后按ALT+F9返回到:
0044703D .FFD3 call ebx ;<&MSVBVM60.__vbaStrCmp> - first string compare; operands were pushed before this excerpt; eax = 0 when the strings are equal
0044703F .8B4D 08 mov ecx,dword ptr ss: ;bp returns here; bytes 8B4D08 = mov ecx,[ebp+8] - arg 1 is a pointer to the machine-code BSTR (see the load at 0044715D)
00447042 .8BD0 mov edx,eax ;edx = result of the first compare
00447044 .F7DA neg edx ;neg/sbb/neg collapses the result into 0 (equal) or 1 (different)
00447046 .8B01 mov eax,dword ptr ds: ;8B01 = mov eax,[ecx] - eax = machine-code string
00447048 .1BD2 sbb edx,edx
0044704A .50 push eax ;operand 2 of the next compare: the machine code
0044704B .F7DA neg edx ;edx = (first compare != 0)
0044704D .68 1CCB4000 push TBShSh_u.0040CB1C ;operand 1: string literal at 0040CB1C (contents not shown in this dump; presumably the empty string - confirm in the data window)
00447052 .8995 50FFFFFF mov dword ptr ss:,edx ;save first boolean in local [ebp-0B0]
00447058 .FFD3 call ebx ;<&MSVBVM60.__vbaStrCmp> - compare machine code against the literal
0044705A .8B8D 50FFFFFF mov ecx,dword ptr ss: ;ecx = first boolean
00447060 .F7D8 neg eax ;same 0/1 normalisation for the second compare
00447062 .1BC0 sbb eax,eax
00447064 .F7D8 neg eax ;eax = (second compare != 0)
00447066 .85C8 test eax,ecx ;both strings differ from the literal?
00447068 .75 0D jnz short TBShSh_u.00447077 ;yes -> go on to the serial check
0044706A .8975 E8 mov dword ptr ss:,esi ;no -> return flag [ebp-18] = esi (value set before this excerpt; presumably 0 = False)
0044706D .68 A7714400 push TBShSh_u.004471A7 ;address of the common epilogue; the retn at 0044719D lands there
00447072 .E9 26010000 jmp TBShSh_u.0044719D ;free the local string and return
/////////////////////////////////////////////////////////////////////////////////////////////////
00447077 >8B35 E8104000 mov esi,dword ptr ds:[<&MSVBVM60.#6>;MSVBVM60.rtcMidCharVar (ordinal #632) = VB Mid(string, start, [length]); args: result, source, start, length
0044707D .8D55 D8 lea edx,dword ptr ss: ;edx = &length variant [ebp-28]
00447080 .52 push edx
00447081 .8D45 88 lea eax,dword ptr ss: ;eax = &source variant [ebp-78]
00447084 .6A 01 push 1 ;start = 1
00447086 .8D4D C8 lea ecx,dword ptr ss: ;ecx = &result variant [ebp-38]
00447089 .BB 08400000 mov ebx,4008 ;VT_BYREF|VT_BSTR - the source variant only points at the string
0044708E .50 push eax
0044708F .51 push ecx
00447090 .C745 E0 03000000 mov dword ptr ss:,3 ;length variant value ([ebp-20]) = 3
00447097 .C745 D8 02000000 mov dword ptr ss:,2 ;length variant type ([ebp-28]) = VT_I2
0044709E .897D 90 mov dword ptr ss:,edi ;source variant data ([ebp-70]) = edi, pointer to the entered serial (set before this excerpt; per the author's trace this is the serial, not the user name)
004470A1 .895D 88 mov dword ptr ss:,ebx ;source variant type ([ebp-78]) = 4008
004470A4 .FFD6 call esi ;<&MSVBVM60.#632> - Mid(serial, 1, 3) -> [ebp-38]; "123" for the test input 123456
004470A6 .8D55 B8 lea edx,dword ptr ss: ;edx = &length variant [ebp-48]
004470A9 .8D85 68FFFFFF lea eax,dword ptr ss: ;eax = &source variant [ebp-98]
004470AF .52 push edx
004470B0 .6A 05 push 5 ;start = 5
004470B2 .8D4D A8 lea ecx,dword ptr ss: ;ecx = &result variant [ebp-58]
004470B5 .50 push eax
004470B6 .51 push ecx
004470B7 .C745 C0 04000280 mov dword ptr ss:,80020004 ;DISP_E_PARAMNOTFOUND ...
004470BE .C745 B8 0A000000 mov dword ptr ss:,0A ;... in a VT_ERROR variant = VB "Missing" optional argument, so Mid takes everything from position 5 to the end
004470C5 .89BD 70FFFFFF mov dword ptr ss:,edi ;source variant data ([ebp-90]) = serial pointer
004470CB .899D 68FFFFFF mov dword ptr ss:,ebx ;source variant type ([ebp-98]) = 4008
004470D1 .FFD6 call esi ;<&MSVBVM60.#632> - Mid(serial, 5) -> [ebp-58]; "56" for 123456
004470D3 .8D55 C8 lea edx,dword ptr ss: ;edx = &[ebp-38] (first piece)
004470D6 .8D45 A8 lea eax,dword ptr ss: ;eax = &[ebp-58] (second piece)
004470D9 .52 push edx
004470DA .8D4D 98 lea ecx,dword ptr ss: ;ecx = &result variant [ebp-68]
004470DD .50 push eax
004470DE .51 push ecx
004470DF .FF15 98114000 call dword ptr ds:[<&MSVBVM60.__vba>;MSVBVM60.__vbaVarCat - concatenate both pieces; the author observed "12356" at 004470EC, i.e. character 4 of the serial is simply dropped (it never takes part in the check)
004470E5 .50 push eax
004470E6 .FF15 30104000 call dword ptr ds:[<&MSVBVM60.__vba>;MSVBVM60.__vbaStrVarMove - variant -> BSTR; eax = S
///////////////////////////////////////////////////////////////////////////////////////////////////
上面这段先调用两次 rtcMidCharVar:Mid(注册码,1,3) 取前三位,再以 Missing 长度参数(VT_ERROR / 80020004)调用 Mid(注册码,5) 取第五位起的剩余部分,然后用 __vbaVarCat 拼接。效果就是去掉注册码的第四位字符:我们输入的“123456”到这里就变成了“12356”,记为 S。注意第四位在后面的长度和数值校验之前就被丢弃,所以它可以是任意字符。
//////////////////////////////////////////////////////////////////////////////////////////////////
004470EC .8BD0 mov edx,eax ;edx = S; the assembled string is visible in the debugger here
004470EE .8D4D EC lea ecx,dword ptr ss: ;ecx = &local S [ebp-14]
004470F1 .FF15 3C124000 call dword ptr ds:[<&MSVBVM60.__vba>;MSVBVM60.__vbaStrMove - store S in [ebp-14], taking ownership of the temporary
004470F7 .8D55 98 lea edx,dword ptr ss: ;the next lines push the 5 temporary variants used above and free them
004470FA .8D45 A8 lea eax,dword ptr ss:
004470FD .52 push edx
004470FE .8D4D C8 lea ecx,dword ptr ss:
00447101 .50 push eax
00447102 .8D55 B8 lea edx,dword ptr ss:
00447105 .51 push ecx
00447106 .8D45 D8 lea eax,dword ptr ss:
00447109 .52 push edx
0044710A .50 push eax
0044710B .6A 05 push 5 ;count = 5 variants
0044710D .FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vba>;MSVBVM60.__vbaFreeVarList
00447113 .8B55 EC mov edx,dword ptr ss: ;edx = S
00447116 .83C4 18 add esp,18 ;pop the 6 dwords pushed for the cdecl __vbaFreeVarList
00447119 .8D4D EC lea ecx,dword ptr ss: ;ecx = &S
0044711C .895D 88 mov dword ptr ss:,ebx ;variant [ebp-78] type = 4008 (ebx is still VT_BYREF|VT_BSTR at this point)
0044711F .52 push edx
00447120 .894D 90 mov dword ptr ss:,ecx ;variant [ebp-78] data = &S
00447123 .FF15 2C104000 call dword ptr ds:[<&MSVBVM60.__vba>;import name truncated in the dump; the author identifies it as Len(S) -> eax
00447129 .33DB xor ebx,ebx ;ebx = 0; also clears the upper bytes before setle writes bl
0044712B .83F8 0B cmp eax,0B ;Len(S) vs 11 (signed compare)
0044712E .8D45 88 lea eax,dword ptr ss: ;eax = &variant wrapping S (lea does not touch the flags)
00447131 .50 push eax
00447132 .0F9EC3 setle bl ;bl = 1 if Len(S) <= 11 - note "<=", not "<": S may be 11 chars, so the typed serial may be up to 12
00447135 .FF15 20114000 call dword ptr ds:[<&MSVBVM60.#561>>;ordinal #561, numeric test on the variant (author: IsNumeric(S)); VARIANT_BOOL result in ax
0044713B .66:F7D8 neg ax ;neg/sbb/neg: eax = 1 if ax != 0, else 0
0044713E .1BC0 sbb eax,eax
00447140 .F7D8 neg eax
00447142 .85D8 test eax,ebx ;both Len(S) <= 11 and IsNumeric(S)?
00447144 .74 30 je short TBShSh_u.00447176 ;either fails -> skip the arithmetic and return; [ebp-18] is not written on that path here, so the flag keeps its earlier (presumably False) value
////////////////////////////////////////////////////////////////////////////////////////////////
前面两个判断——长度判断(Len(S) <= 11,由 cmp eax,0B / setle bl 得出)和数值判断(#561,即 IsNumeric(S))——只要有一个不成立,test eax,ebx 的结果就是 0,je 跳到 00447176 直接返回,注册失败;两个都成立才会继续往下算。
////////////////////////////////////////////////////////////////////////////////////////////////
00447146 .8B4D EC mov ecx,dword ptr ss: ;ecx = S ([ebp-14])
00447149 .8B35 D8114000 mov esi,dword ptr ds:[<&MSVBVM60.__>;MSVBVM60.__vbaI4Str = CLng(string): parses the DECIMAL digit string into a signed 32-bit Long; the debugger only displays the value in hex
0044714F .51 push ecx
00447150 .FFD6 call esi ;<&MSVBVM60.__vbaI4Str> - eax = A = CLng(S)
00447152 .8B55 08 mov edx,dword ptr ss: ;8B5508 = mov edx,[ebp+8] - pointer to the machine-code string (arg 1)
/////////////////////////////////////////////////////////////////////////////////////////////////
上面调用 __vbaI4Str,相当于 CLng(S):把十进制字符串 S 解析为 32 位有符号整数(VB Long),结果存在 EAX,记为 A。注意这并不是“转成 16 进制”——OD 只是以 16 进制显示这个整数,后面的常数 161CE1Bh、1847176h 也是直接对该整数做运算。
////////////////////////////////////////////////////////////////////////////////////////////////
00447155 .8BF8 mov edi,eax ;edi = A
00447157 .81EF 1BCE6101 sub edi,161CE1B ;B = A - 161CE1Bh (signed 32-bit; sets OF on overflow)
0044715D .8B02 mov eax,dword ptr ds: ;8B02 = mov eax,[edx] - eax = machine-code string
0044715F .50 push eax
00447160 .70 5C jo short TBShSh_u.004471BE ;mov/push do not alter flags, so this tests the sub above: an A too large to subtract from goes to 004471BE (not listed; presumably the VB "Overflow" runtime-error path) instead of a normal "wrong code" result
00447162 .FFD6 call esi ;<&MSVBVM60.__vbaI4Str> - eax = C = CLng(machine code), again a decimal parse (a non-numeric machine code would presumably raise a Type-mismatch runtime error here)
///////////////////////////////////////////////////////////////////////////////////////////////
同样用 __vbaI4Str 把机器码字符串解析为 32 位整数(CLng,十进制解析,并非转 16 进制),结果存在 EAX,记为 C。
//////////////////////////////////////////////////////////////////////////////////////////////
00447164 .33F8 xor edi,eax ;D = B XOR C
00447166 .81EF 76718401 sub edi,1847176 ;E = D - 1847176h
0044716C .F7DF neg edi ;CF = (E != 0)
0044716E .1BFF sbb edi,edi ;edi = -CF: -1 if E != 0, else 0
00447170 .F7DF neg edi ;edi = 1 if E != 0, else 0
00447172 .4F dec edi ;edi = 0 if E != 0, else -1 (VB True)
00447173 .897D E8 mov dword ptr ss:,edi ;return flag [ebp-18] = True iff E == 0
/////////////////////////////////////////////////////////////////////////////////////////////////
后面四条指令 neg/sbb/neg/dec 把 E 压成一个布尔值:neg edi 后 CF=(E≠0);sbb edi,edi 得到 -CF;再 neg 得到 (E≠0 ? 1 : 0);dec 后 edi = (E≠0 ? 0 : -1)。-1(0FFFFh)就是 VB 的 True,所以标志位为 True 当且仅当 E=0。
////////////////////////////////////////////////////////////////////////////////////////////////
00447176 >68 A7714400 push TBShSh_u.004471A7 ;common exit (also the target of the failed length/numeric check): the retn at 0044719D lands in the epilogue at 004471A7
0044717B .EB 20 jmp short TBShSh_u.0044719D
0044717D .8D4D 98 lea ecx,dword ptr ss: ;cleanup stub not reached by any jump in this excerpt (presumably the VB error-handler path): frees the 5 temp variants
00447180 .8D55 A8 lea edx,dword ptr ss:
00447183 .51 push ecx
00447184 .8D45 B8 lea eax,dword ptr ss:
00447187 .52 push edx
00447188 .8D4D C8 lea ecx,dword ptr ss:
0044718B .50 push eax
0044718C .8D55 D8 lea edx,dword ptr ss:
0044718F .51 push ecx
00447190 .52 push edx
00447191 .6A 05 push 5 ;count = 5 variants
00447193 .FF15 38104000 call dword ptr ds:[<&MSVBVM60.__vba>;MSVBVM60.__vbaFreeVarList
00447199 .83C4 18 add esp,18 ;pop the 6 dwords (cdecl)
0044719C .C3 retn
0044719D >8D4D EC lea ecx,dword ptr ss: ;cleanup stub: free S ([ebp-14])
004471A0 .FF15 84124000 call dword ptr ds:[<&MSVBVM60.__vba>;MSVBVM60.__vbaFreeStr
004471A6 .C3 retn ;returns to the address pushed by the caller stub, 004471A7
004471A7 .8B4D F0 mov ecx,dword ptr ss: ;8B4DF0 = mov ecx,[ebp-10]: saved previous SEH frame
004471AA 66:8B45 E8 mov ax,word ptr ss: ;668B45E8 = mov ax,[ebp-18]: return the flag as a VB Boolean (0FFFFh = True)
004471AE .5F pop edi
004471AF .5E pop esi
004471B0 .64:890D 00000000 mov dword ptr fs:,ecx ;restore fs:[0] - unlink this function's exception handler
004471B7 .5B pop ebx
004471B8 .8BE5 mov esp,ebp
004471BA .5D pop ebp
004471BB .C2 0800 retn 8 ;stdcall: also pops the 2 dword arguments; returns to 00431FD2
返回到这里:
00431FD2 .66:3D FFFF cmp ax,0FFFF ;caller: did the check routine return True (-1)?
00431FD6 .0F85 98020000 jnz TBShSh_u.00432274 ;anything but True -> failure path; fall through = registered
00431FDC .8B55 DC mov edx,dword ptr ss: ;8B55DC = mov edx,[ebp-24]: a local string, pushed as the last argument of the call below (call not shown)
00431FDF .52 push edx
00431FE0 .68 88F04000 push TBShSh_u.0040F088 ;"pawd"
00431FE5 .68 F0CA4000 push TBShSh_u.0040CAF0 ;"shenshu"
00431FEA .68 DCCA4000 push TBShSh_u.0040CADC ;"zhuge" - the argument order (appname, section, key, value) looks like VB SaveSetting "zhuge","shenshu","pawd",...; if so the registration is persisted under HKCU\Software\VB and VBA Program Settings\zhuge\shenshu - confirm by stepping into the call that follows
--------------------------------------------------------------------------------
【经验总结】
1、去掉第四位后的字串 S 长度必须小于等于 11 位(cmp eax,0B / setle,是 <= 而不是 <),即输入的注册码最多 12 位;同时 S 必须通过 IsNumeric 校验,随后由 __vbaI4Str 按十进制解析为 32 位整数
2、将注册码的第四位去掉,组成新的字串,记为 S;被去掉的第四位不参与任何校验,可以是任意字符
3、令 A = CLng(S),C = CLng(机器码)(两者都是十进制字符串转 32 位整数,并非 16 进制),若 ((A - 161CE1Bh) XOR C) - 1847176h = 0 则注册成功,否则失败。XOR 一个常数可以直接逆推,整个算法没有任何秘密可言:A = (C XOR 1847176h) + 161CE1Bh,把 A 写成十进制就是 S,再在第四位随意插入一个字符即得注册码。另外 A - 161CE1Bh 处有 jo 溢出检查(跳到 004471BE,本文未列出),A 过大时走的是 VB 溢出错误而不是普通的校验失败。
4、本文列出的校验代码路径中从未读取注册名,整个注册过程与注册名无关——注册名只是摆设
--------------------------------------------------------------------------------
【版权声明】: 转载请注明作者并保持文章的完整, 谢谢!
2006年12月16日 20:44:46