BluffTitler DX9 6.10: a simple analysis
BluffTitler DX9 6.10, file size: 6835 KB
Category: foreign software / animation authoring
Downloads: 37474
License: shareware
Language: English (multilingual edition, including Chinese)
Platform: Win9x/Me/NT/2000/XP/2003
Updated: 2007-4-2 9:23:22
Home Page: http://www.outerspace-software.com/ (can also be found on Huajun)
Crack notes: an accidental find. I downloaded the wrong program; it is registered in euros, so here is a quick analysis. This is only to share an approach to the analysis; the reasoning behind the crack is what matters, nothing more.
A dialog box pops up when registration fails, and its text can be found with OD's ASCII string search, but that doesn't help much here. Being lazy, I used CxLrb's unpacker and the API breakpoint plugin, ticking the dialog-box APIs to set breakpoints on them.
00447588|.FF15 50D35500 call dword ptr [<&USER32.MessageBoxW>] ; \MessageBoxW
0044758E|.8D4C24 04 lea ecx, dword ptr [esp+4] ; set the breakpoint on the line after the CALL
00447592|.8BF0 mov esi, eax
00447594|.E8 27DA0200 call 00474FC0
00447599|.8BC6 mov eax, esi
0044759B|.C605 08D15900>mov byte ptr [0059D108], 1
004475A2|.5E pop esi
004475A3|.83C4 08 add esp, 8
004475A6\.C3 retn
We step with F8; after the RETN we land here:
00451381|.6A 20 push 20 ; set a breakpoint here
00451383|.68 29040000 push 429
00451388|.8D4C24 30 lea ecx, dword ptr [esp+30]
0045138C|.56 push esi
0045138D|.51 push ecx
0045138E|.E8 6D600200 call 00477400
00451393|.6A 20 push 20
00451395|.68 2A040000 push 42A
0045139A|.8D5424 38 lea edx, dword ptr [esp+38]
0045139E|.56 push esi
0045139F|.52 push edx
004513A0|.C78424 840000>mov dword ptr [esp+84], 0C
004513AB|.E8 50600200 call 00477400
004513B0|.6A 20 push 20
004513B2|.68 34040000 push 434
004513B7|.8D4424 40 lea eax, dword ptr [esp+40]
004513BB|.56 push esi
004513BC|.50 push eax
004513BD|.C68424 940000>mov byte ptr [esp+94], 0D
004513C5|.E8 36600200 call 00477400
004513CA|.83C4 30 add esp, 30
004513CD|.6A 01 push 1 ; /Arg4 = 00000001
004513CF|.8D4C24 1C lea ecx, dword ptr [esp+1C] ; |
004513D3|.51 push ecx ; |Arg3
004513D4|.8B0D 78F85900 mov ecx, dword ptr [0059F878] ; |
004513DA|.8D5424 28 lea edx, dword ptr [esp+28] ; |
004513DE|.52 push edx ; |Arg2
004513DF|.8D4424 34 lea eax, dword ptr [esp+34] ; |
004513E3|.B3 0E mov bl, 0E ; |
004513E5|.50 push eax ; |Arg1
004513E6|.885C24 74 mov byte ptr [esp+74], bl ; |
004513EA|.E8 61EDFEFF call 00440150 ; this is the algorithm CALL, step into it
004513EF|.84C0 test al, al
004513F1|.74 2B je short 0045141E ; jumps if AL is 0; we need AL=1
004513F3|.6A 05 push 5
004513F5|.8D4C24 4C lea ecx, dword ptr [esp+4C]
004513F9|.51 push ecx
004513FA|.8B0D 7CF85900 mov ecx, dword ptr [0059F87C]
00451400|.81C1 10020000 add ecx, 210
00451406|.E8 D504FBFF call 004018E0
0045140B|.6A 01 push 1
0045140D|.50 push eax
0045140E|.C64424 6C 0Fmov byte ptr [esp+6C], 0F
00451413|.E8 F860FFFF call 00447510
00451418|.8D4C24 50 lea ecx, dword ptr [esp+50]
0045141C|.EB 29 jmp short 00451447 ; once the program jumps from here, the registered features are usable
0045141E|>8B0D 7CF85900 mov ecx, dword ptr [0059F87C] ; the je above lands here: this is the registration-failed path
00451424|.6A 06 push 6
00451426|.8D5424 54 lea edx, dword ptr [esp+54]
0045142A|.52 push edx
0045142B|.81C1 10020000 add ecx, 210
00451431|.E8 AA04FBFF call 004018E0
00451436|.6A 00 push 0
00451438|.50 push eax
00451439|.C64424 6C 10mov byte ptr [esp+6C], 10
0045143E|.E8 CD60FFFF call 00447510
00451443|.8D4C24 58 lea ecx, dword ptr [esp+58] ; after leaving that CALL we arrive here
Run with F9; OD stops at our breakpoint. Step into the algorithm CALL with F7.
Inside the algorithm CALL:
00440150/$83EC 10 sub esp, 10
00440153|.53 push ebx
00440154|.55 push ebp
00440155|.56 push esi
00440156|.57 push edi
00440157|.68 40E15800 push 0058E140
0044015C|.8BF9 mov edi, ecx
0044015E|.68 D2040000 push 4D2
00440163|.8D4C24 18 lea ecx, dword ptr [esp+18]
00440167|.E8 F4070300 call 00470960 ; stepped into it: nothing of interest for the check (it just takes the 4D2 and 0058E140 pushed above)
0044016C|.8B5C24 2C mov ebx, dword ptr [esp+2C]
00440170|.8B6C24 28 mov ebp, dword ptr [esp+28]
00440174|.8B7424 24 mov esi, dword ptr [esp+24]
00440178|.53 push ebx ; /Arg3
00440179|.55 push ebp ; |Arg2
0044017A|.56 push esi ; |Arg1
0044017B|.8D4C24 1C lea ecx, dword ptr [esp+1C] ; |
0044017F|.E8 DC0D0300 call 00470F60 ; key algorithm CALL 01, step into it
00440184|.85C0 test eax, eax
00440186|.8BCF mov ecx, edi
00440188 74 16 je short 004401A0 ; this must jump (EAX=0 means success); change it to JMP
0044018A|.68 18D55500 push 0055D518
0044018F|.E8 3C4F0300 call 004750D0
00440194|.32C0 xor al, al
00440196|.5F pop edi
00440197|.5E pop esi
00440198|.5D pop ebp
00440199|.5B pop ebx
0044019A|.83C4 10 add esp, 10
0044019D|.C2 1000 retn 10
004401A0|> \56 push esi
004401A1|.E8 4A4E0300 call 00474FF0
004401A6|.8A4424 30 mov al, byte ptr [esp+30] ; value is 01 (the Arg4 pushed by the caller)
004401AA|.84C0 test al, al
004401AC|.74 4E je short 004401FC
004401AE|.83EC 08 sub esp, 8
004401B1|.8BCC mov ecx, esp
004401B3|.896424 38 mov dword ptr [esp+38], esp
004401B7|.56 push esi
004401B8|.E8 334B0300 call 00474CF0 ; fetch KEY
004401BD|.8B0D 44D25900 mov ecx, dword ptr [0059D244]
004401C3|.E8 A8FDFFFF call 0043FF70
004401C8|.83EC 08 sub esp, 8
004401CB|.8BCC mov ecx, esp
004401CD|.896424 38 mov dword ptr [esp+38], esp
004401D1|.55 push ebp
004401D2|.E8 194B0300 call 00474CF0 ; fetch KEY2
004401D7|.8B0D 44D25900 mov ecx, dword ptr [0059D244]
004401DD|.E8 DEFDFFFF call 0043FFC0
004401E2|.83EC 08 sub esp, 8
004401E5|.8BCC mov ecx, esp
004401E7|.896424 38 mov dword ptr [esp+38], esp
004401EB|.53 push ebx
004401EC|.E8 FF4A0300 call 00474CF0 ; fetch KEY3
004401F1|.8B0D 44D25900 mov ecx, dword ptr [0059D244]
004401F7|.E8 14FEFFFF call 00440010
004401FC|>5F pop edi
004401FD|.5E pop esi
004401FE|.5D pop ebp
004401FF|.B0 01 mov al, 1
00440201|.5B pop ebx
00440202|.83C4 10 add esp, 10
00440205\.C2 1000 retn 10
OK, that gives us the first patch point: after modifying this jump the program runs as registered and the unregistered DEMO marking disappears.
But when we run the program again it shows unregistered once more.
Why? On start-up the program checks the registration information again, and that information is stored in BluffTitler.ini.
To save time I'll only outline my approach. After the first patch the registered features work, which shows that the jump we modified takes the program into the registered-version code and runs its functions, and no other hidden checks fired during use. That is the precondition for a patch. We know that after a successful registration the program must write the registration information into some file on the system, because on start-up it needs to decide whether it is registered. So a better way to patch a program is to understand how it verifies the registration information at start-up. In most programs the algorithm CALL is called from at least two places: one is the registration code, the other is program start-up, where the program checks whether the saved registration information is correct, usually by calling the same algorithm CALL as the registration code. So we set a breakpoint on the algorithm CALL:
00470F60/$6A FF push -1 ; OK, on restart the program breaks here
00470F62|.68 602E5500 push 00552E60 ; SE handler installation
00470F67|.64:A1 0000000>mov eax, dword ptr fs:[0]
……
……
Step with F8; after leaving the algorithm CALL we arrive here:
0044029E|.E8 BD0C0300 call 00470F60 ; \BluffTit.00470F60
004402A3|.85C0 test eax, eax ; after leaving the algorithm CALL we arrive here
004402A5|.8BCE mov ecx, esi
004402A7 74 0C je short 004402B5 ; change this to JMP and the patch is complete
004402A9|.68 18D55500 push 0055D518
004402AE|.E8 1D4E0300 call 004750D0
004402B3|.EB 06 jmp short 004402BB
004402B5|>57 push edi
With that the program is patched.
Stepping into the CALL:
00470F60/$6A FF push -1
00470F62|.68 602E5500 push 00552E60 ; SE handler installation
00470F67|.64:A1 0000000>mov eax, dword ptr fs:[0]
00470F6D|.50 push eax
00470F6E|.64:8925 00000>mov dword ptr fs:[0], esp
00470F75|.83EC 14 sub esp, 14
00470F78|.53 push ebx
00470F79|.55 push ebp
00470F7A|.8B6C24 2C mov ebp, dword ptr [esp+2C]
00470F7E|.56 push esi
00470F7F|.57 push edi
00470F80|.83EC 08 sub esp, 8
00470F83|.894C24 18 mov dword ptr [esp+18], ecx
00470F87|.8BCC mov ecx, esp
00470F89|.896424 1C mov dword ptr [esp+1C], esp
00470F8D|.55 push ebp
00470F8E|.E8 5D3D0000 call 00474CF0 ; this CALL fetches the user name
00470F93|.E8 18FCFFFF call 00470BB0
00470F98|.83C4 08 add esp, 8
00470F9B|.84C0 test al, al
00470F9D|.74 18 je short 00470FB7
00470F9F|.83C8 FF or eax, FFFFFFFF
00470FA2|.8B4C24 24 mov ecx, dword ptr [esp+24]
00470FA6|.64:890D 00000>mov dword ptr fs:[0], ecx
00470FAD|.5F pop edi
00470FAE|.5E pop esi
00470FAF|.5D pop ebp
00470FB0|.5B pop ebx
00470FB1|.83C4 20 add esp, 20
00470FB4|.C2 0C00 retn 0C
00470FB7|>8B7D 04 mov edi, dword ptr [ebp+4] ; the length of KEY1 (the user name) goes into EDI
00470FBA|.85FF test edi, edi
00470FBC|.7F 1A jg short 00470FD8
00470FBE|.B8 FEFFFFFF mov eax, -2
00470FC3|.8B4C24 24 mov ecx, dword ptr [esp+24]
00470FC7|.64:890D 00000>mov dword ptr fs:[0], ecx
00470FCE|.5F pop edi
00470FCF|.5E pop esi
00470FD0|.5D pop ebp
00470FD1|.5B pop ebx
00470FD2|.83C4 20 add esp, 20
00470FD5|.C2 0C00 retn 0C
00470FD8|>8B5C24 38 mov ebx, dword ptr [esp+38]
00470FDC|.8B43 04 mov eax, dword ptr [ebx+4]
00470FDF|.85C0 test eax, eax
00470FE1|.7F 1A jg short 00470FFD
00470FE3|.B8 FDFFFFFF mov eax, -3
00470FE8|.8B4C24 24 mov ecx, dword ptr [esp+24]
00470FEC|.64:890D 00000>mov dword ptr fs:[0], ecx
00470FF3|.5F pop edi
00470FF4|.5E pop esi
00470FF5|.5D pop ebp
00470FF6|.5B pop ebx
00470FF7|.83C4 20 add esp, 20
00470FFA|.C2 0C00 retn 0C
00470FFD|>8B4424 3C mov eax, dword ptr [esp+3C]
00471001|.8B48 04 mov ecx, dword ptr [eax+4]
00471004|.85C9 test ecx, ecx
00471006|.7F 1A jg short 00471022
00471008|.B8 FCFFFFFF mov eax, -4
0047100D|.8B4C24 24 mov ecx, dword ptr [esp+24]
00471011|.64:890D 00000>mov dword ptr fs:[0], ecx
00471018|.5F pop edi
00471019|.5E pop esi
0047101A|.5D pop ebp
0047101B|.5B pop ebx
0047101C|.83C4 20 add esp, 20
0047101F|.C2 0C00 retn 0C
00471022|>83FF 08 cmp edi, 8 ; is the user name at least 8 characters? jumps if so
00471025|.7D 1A jge short 00471041
00471027|.B8 FBFFFFFF mov eax, -5
0047102C|.8B4C24 24 mov ecx, dword ptr [esp+24]
00471030|.64:890D 00000>mov dword ptr fs:[0], ecx
00471037|.5F pop edi
00471038|.5E pop esi
00471039|.5D pop ebp
0047103A|.5B pop ebx
0047103B|.83C4 20 add esp, 20
0047103E|.C2 0C00 retn 0C
00471041|>83FF 1E cmp edi, 1E ; is the user name at most 30 characters? jumps if so
00471044|.7E 1A jle short 00471060
00471046|.B8 FAFFFFFF mov eax, -6
0047104B|.8B4C24 24 mov ecx, dword ptr [esp+24]
0047104F|.64:890D 00000>mov dword ptr fs:[0], ecx
00471056|.5F pop edi
00471057|.5E pop esi
00471058|.5D pop ebp
00471059|.5B pop ebx
0047105A|.83C4 20 add esp, 20
0047105D|.C2 0C00 retn 0C
00471060|>33F6 xor esi, esi
00471062|.85FF test edi, edi
00471064|. /7E 13 jle short 00471079
00471066|> |56 /push esi
00471067|. |8BCD |mov ecx, ebp
00471069|. |E8 82440000 |call 004754F0 ; key CALL 02, step into it (it returns one character of the registration data)
0047106E|. |66:3D 2000 |cmp ax, 20
00471072|. |72 2B |jb short 0047109F ; jumps if AX is below 20h (a control character: fail)
00471074|. |46 |inc esi ; ESI counts the position
00471075|. |3BF7 |cmp esi, edi ; compare ESI with EDI (EDI holds the length of KEY1)
00471077|.^|7C ED \jl short 00471066 ; loop while ESI is below EDI
00471079|>8B4424 10 mov eax, dword ptr [esp+10]
0047107D|.8B7B 04 mov edi, dword ptr [ebx+4]
00471080|.3B78 08 cmp edi, dword ptr [eax+8]
00471083|.7D 34 jge short 004710B9
00471085|.B8 F8FFFFFF mov eax, -8
0047108A|.8B4C24 24 mov ecx, dword ptr [esp+24]
0047108E|.64:890D 00000>mov dword ptr fs:[0], ecx
00471095|.5F pop edi
00471096|.5E pop esi
00471097|.5D pop ebp
00471098|.5B pop ebx
00471099|.83C4 20 add esp, 20
0047109C|.C2 0C00 retn 0C
0047109F|> \B8 F9FFFFFF mov eax, -7
004710A4|.8B4C24 24 mov ecx, dword ptr [esp+24]
004710A8|.64:890D 00000>mov dword ptr fs:[0], ecx
004710AF|.5F pop edi
004710B0|.5E pop esi
004710B1|.5D pop ebp
004710B2|.5B pop ebx
004710B3|.83C4 20 add esp, 20
004710B6|.C2 0C00 retn 0C
004710B9|>3B78 0C cmp edi, dword ptr [eax+C]
004710BC|.7E 1A jle short 004710D8
004710BE|.B8 F7FFFFFF mov eax, -9
004710C3|.8B4C24 24 mov ecx, dword ptr [esp+24]
004710C7|.64:890D 00000>mov dword ptr fs:[0], ecx
004710CE|.5F pop edi
004710CF|.5E pop esi
004710D0|.5D pop ebp
004710D1|.5B pop ebx
004710D2|.83C4 20 add esp, 20
004710D5|.C2 0C00 retn 0C
004710D8|>33F6 xor esi, esi
004710DA|.85FF test edi, edi
004710DC|.7E 1B jle short 004710F9
004710DE|.8BFF mov edi, edi
004710E0|>56 /push esi
004710E1|.8BCB |mov ecx, ebx
004710E3|.E8 08440000 |call 004754F0 ; now fetching the characters of KEY2; this CALL was traced above
004710E8|.66:3D 6100 |cmp ax, 61
004710EC|.72 2F |jb short 0047111D ; a long stretch of checks follows; this jumps out when AX is below 61h ('a')
004710EE|.66:3D 7A00 |cmp ax, 7A
004710F2|.77 43 |ja short 00471137
004710F4|.46 |inc esi
004710F5|.3BF7 |cmp esi, edi
004710F7|.^ 7C E7 \jl short 004710E0
004710F9|>8B4C24 3C mov ecx, dword ptr [esp+3C]
004710FD|.8379 04 08 cmp dword ptr [ecx+4], 8
00471101|.74 4E je short 00471151
00471103|.B8 F4FFFFFF mov eax, -0C ; EAX is loaded with -0C here (KEY3 is not 8 characters long)
00471108|.8B4C24 24 mov ecx, dword ptr [esp+24]
0047110C|.64:890D 00000>mov dword ptr fs:[0], ecx
00471113|.5F pop edi
00471114|.5E pop esi
00471115|.5D pop ebp
00471116|.5B pop ebx
00471117|.83C4 20 add esp, 20
0047111A|.C2 0C00 retn 0C
0047111D|> \B8 F6FFFFFF mov eax, -0A
00471122|.8B4C24 24 mov ecx, dword ptr [esp+24]
00471126|.64:890D 00000>mov dword ptr fs:[0], ecx
0047112D|.5F pop edi
0047112E|.5E pop esi
0047112F|.5D pop ebp
00471130|.5B pop ebx
00471131|.83C4 20 add esp, 20
00471134|.C2 0C00 retn 0C
00471137|>B8 F5FFFFFF mov eax, -0B
0047113C|.8B4C24 24 mov ecx, dword ptr [esp+24]
00471140|.64:890D 00000>mov dword ptr fs:[0], ecx
00471147|.5F pop edi
00471148|.5E pop esi
00471149|.5D pop ebp
0047114A|.5B pop ebx
0047114B|.83C4 20 add esp, 20
0047114E|.C2 0C00 retn 0C
00471151|>33F6 xor esi, esi
00471153|>8B4C24 3C /mov ecx, dword ptr [esp+3C]
00471157|.56 |push esi ; this loop checks that every character of KEY3 is a digit
00471158|.E8 93430000 |call 004754F0
0047115D|.66:3D 3000 |cmp ax, 30
00471161|.72 61 |jb short 004711C4
00471163|.66:3D 3900 |cmp ax, 39
00471167|.77 75 |ja short 004711DE
00471169|.46 |inc esi
0047116A|.83FE 08 |cmp esi, 8
0047116D|.^ 7C E4 \jl short 00471153
0047116F|.8B4C24 10 mov ecx, dword ptr [esp+10]
00471173|.55 push ebp
00471174|.8D5424 18 lea edx, dword ptr [esp+18]
00471178|.52 push edx
00471179|.E8 62F9FFFF call 00470AE0 ; key CALL 03: the KEY2 and KEY3 algorithm CALL
0047117E|.53 push ebx
0047117F|.8BC8 mov ecx, eax
00471181|.C74424 30 000>mov dword ptr [esp+30], 0
00471189|.E8 B23F0000 call 00475140 ; compares the real KEY2 with the one entered
0047118E|.8AD8 mov bl, al
00471190|.F6DB neg bl
00471192|.1ADB sbb bl, bl
00471194|.83CE FF or esi, FFFFFFFF
00471197|.8D4C24 14 lea ecx, dword ptr [esp+14]
0047119B|.FEC3 inc bl ; neg/sbb/inc idiom: BL = 1 if AL was 0 (mismatch), 0 otherwise
0047119D|.897424 2C mov dword ptr [esp+2C], esi
004711A1|.E8 1A3E0000 call 00474FC0
004711A6|.84DB test bl, bl
004711A8|.74 4E je short 004711F8 ; this must jump; after the jump KEY3 is verified
004711AA|.B8 F1FFFFFF mov eax, -0F
004711AF|.8B4C24 24 mov ecx, dword ptr [esp+24]
004711B3|.64:890D 00000>mov dword ptr fs:[0], ecx
004711BA|.5F pop edi
004711BB|.5E pop esi
004711BC|.5D pop ebp
004711BD|.5B pop ebx
004711BE|.83C4 20 add esp, 20
004711C1|.C2 0C00 retn 0C
004711C4|>B8 F3FFFFFF mov eax, -0D
004711C9|.8B4C24 24 mov ecx, dword ptr [esp+24]
004711CD|.64:890D 00000>mov dword ptr fs:[0], ecx
004711D4|.5F pop edi
004711D5|.5E pop esi
004711D6|.5D pop ebp
004711D7|.5B pop ebx
004711D8|.83C4 20 add esp, 20
004711DB|.C2 0C00 retn 0C
004711DE|>B8 F2FFFFFF mov eax, -0E
004711E3|.8B4C24 24 mov ecx, dword ptr [esp+24]
004711E7|.64:890D 00000>mov dword ptr fs:[0], ecx
004711EE|.5F pop edi
004711EF|.5E pop esi
004711F0|.5D pop ebp
004711F1|.5B pop ebx
004711F2|.83C4 20 add esp, 20
004711F5|.C2 0C00 retn 0C
004711F8|>8B4C24 10 mov ecx, dword ptr [esp+10]
004711FC|.55 push ebp ; /Arg2
004711FD|.8D4424 20 lea eax, dword ptr [esp+20] ; |
00471201|.50 push eax ; |Arg1
00471202|.E8 49F9FFFF call 00470B50 ; computes the KEY value once more, in the clear; this is actually redundant, a variable would have done
00471207|.8B4C24 3C mov ecx, dword ptr [esp+3C]
0047120B|.51 push ecx
0047120C|.8BC8 mov ecx, eax
0047120E|.C74424 30 010>mov dword ptr [esp+30], 1
00471216|.E8 253F0000 call 00475140
0047121B|.8AD8 mov bl, al
0047121D|.F6DB neg bl
0047121F|.1ADB sbb bl, bl
00471221|.8D4C24 1C lea ecx, dword ptr [esp+1C]
00471225|.FEC3 inc bl
00471227|.897424 2C mov dword ptr [esp+2C], esi
0047122B|.E8 903D0000 call 00474FC0
00471230|.8B4C24 24 mov ecx, dword ptr [esp+24]
00471234|.F6DB neg bl
00471236|.5F pop edi
00471237|.5E pop esi
00471238|.5D pop ebp
00471239|.64:890D 00000>mov dword ptr fs:[0], ecx
00471240|.1BDB sbb ebx, ebx ; EBX = -1 if BL was nonzero (KEY3 mismatch), else 0
00471242|.83E3 F0 and ebx, FFFFFFF0 ; so EAX = -10 on mismatch and 0 on success
00471245|.8BC3 mov eax, ebx
00471247|.5B pop ebx
00471248|.83C4 20 add esp, 20
0047124B\.C2 0C00 retn 0C
Stepping into key CALL 02:
004754F0/$8B4424 04 mov eax, dword ptr [esp+4] ; the character index goes into EAX (0 up to KEY1 length - 1)
004754F4|.85C0 test eax, eax
004754F6|.7C 0E jl short 00475506
004754F8|.3B41 04 cmp eax, dword ptr [ecx+4] ; compared with the length of KEY1
004754FB|.7D 09 jge short 00475506 ; jumps if greater than or equal (index out of range)
004754FD|.8B09 mov ecx, dword ptr [ecx] ; pointer to the registration string into ECX (KEY1 is read one character at a time)
004754FF|.66:8B0441 mov ax, word ptr [ecx+eax*2] ; the word at ECX+EAX*2 goes into AX (a 16-bit, i.e. UTF-16, character)
00475503|.C2 0400 retn 4
00475506|>66:B8 3F00 mov ax, 3F ; out of range: returns '?' (3Fh)
0047550A\.C2 0400 retn 4
Key CALL 03: the KEY2 and KEY3 algorithm CALL:
00470AE0/$51 push ecx
00470AE1|.8B4424 0C mov eax, dword ptr [esp+C]
00470AE5|.56 push esi
00470AE6|.50 push eax ; /Arg1
00470AE7|.8BF1 mov esi, ecx ; |
00470AE9|.C74424 08 000>mov dword ptr [esp+8], 0 ; |
00470AF1|.E8 CAFEFFFF call 004709C0 ; \KEY3 algorithm CALL
00470AF6|.8BC8 mov ecx, eax ; EAX (KEY3) goes into ECX
00470AF8|.85C9 test ecx, ecx
00470AFA|.6A 00 push 0
00470AFC|.7F 17 jg short 00470B15
00470AFE|.8B7424 10 mov esi, dword ptr [esp+10]
00470B02|.68 18D55500 push 0055D518
00470B07|.8BCE mov ecx, esi
00470B09|.E8 B2420000 call 00474DC0
00470B0E|.8BC6 mov eax, esi
00470B10|.5E pop esi
00470B11|.59 pop ecx
00470B12|.C2 0800 retn 8
00470B15|>B8 D34D6210 mov eax, 10624DD3
00470B1A|.F7E9 imul ecx ; EDX:EAX = KEY3 * 10624DD3h
00470B1C|.C1FA 06 sar edx, 6 ; arithmetic right shift by 6: together with the multiply this is KEY3 / 1000
00470B1F|.8BC2 mov eax, edx
00470B21|.C1E8 1F shr eax, 1F ; logical right shift: isolates the sign bit
00470B24|.03C2 add eax, edx ; sign correction of the quotient
00470B26|.99 cdq
00470B27|.B9 14000000 mov ecx, 14
00470B2C|.F7F9 idiv ecx ; EDX = (KEY3 / 1000) mod 20
00470B2E|.8B46 04 mov eax, dword ptr [esi+4]
00470B31|.8B7424 10 mov esi, dword ptr [esp+10]
00470B35|.8B0C90 mov ecx, dword ptr [eax+edx*4] ; KEY2 appears in ECX (actually a pointer to the table string)
00470B38|.51 push ecx
00470B39|.8BCE mov ecx, esi
00470B3B|.E8 80420000 call 00474DC0
00470B40|.8BC6 mov eax, esi
00470B42|.5E pop esi
00470B43|.59 pop ecx
00470B44\.C2 0800 retn 8
KEY3 algorithm CALL:
004709C0/$83EC 08 sub esp, 8
004709C3|.53 push ebx
004709C4|.55 push ebp
004709C5|.8B6C24 14 mov ebp, dword ptr [esp+14]
004709C9|.8B5D 04 mov ebx, dword ptr [ebp+4]
004709CC|.83FB 08 cmp ebx, 8
004709CF|.894C24 08 mov dword ptr [esp+8], ecx
004709D3|.895C24 0C mov dword ptr [esp+C], ebx
004709D7|.7D 0B jge short 004709E4
004709D9|.5D pop ebp
004709DA|.83C8 FF or eax, FFFFFFFF
004709DD|.5B pop ebx
004709DE|.83C4 08 add esp, 8
004709E1|.C2 0400 retn 4
004709E4|>83FB 1E cmp ebx, 1E
004709E7|.7E 0D jle short 004709F6
004709E9|.5D pop ebp
004709EA|.B8 FEFFFFFF mov eax, -2
004709EF|.5B pop ebx
004709F0|.83C4 08 add esp, 8
004709F3|.C2 0400 retn 4
004709F6|>56 push esi
004709F7|.57 push edi
004709F8|.33FF xor edi, edi
004709FA|.33F6 xor esi, esi
004709FC|.85DB test ebx, ebx
004709FE|.7E 1C jle short 00470A1C
00470A00|>56 /push esi
00470A01|.8BCD |mov ecx, ebp
00470A03|.E8 E84A0000 |call 004754F0
00470A08|.66:3D 2000 |cmp ax, 20
00470A0C|.0F82 B3000000 |jb 00470AC5
00470A12|.0FB7C0 |movzx eax, ax
00470A15|.03F8 |add edi, eax ; accumulate the sum of the KEY1 characters in EDI
00470A17|.46 |inc esi
00470A18|.3BF3 |cmp esi, ebx
00470A1A|.^ 7C E4 \jl short 00470A00
00470A1C|>6A 05 push 5
00470A1E|.8BCD mov ecx, ebp
00470A20|.E8 CB4A0000 call 004754F0 ; AX = character 6 of KEY1 (index 5), here 50h ('P')
00470A25|.8B4C24 10 mov ecx, dword ptr [esp+10]
00470A29|.8B31 mov esi, dword ptr [ecx] ; 4D2
00470A2B|.0FB7C0 movzx eax, ax
00470A2E|.03C6 add eax, esi ; 50+4D2
00470A30|.03C3 add eax, ebx ; EAX + the length of KEY1 = 52A, the number of rounds of the loop below
00470A32|.33F6 xor esi, esi
00470A34|.85C0 test eax, eax
00470A36|.BB 01000000 mov ebx, 1
00470A3B|.BD 02000000 mov ebp, 2
00470A40|.7E 46 jle short 00470A88
00470A42|.894424 10 mov dword ptr [esp+10], eax
00470A46|>8B4C24 1C /mov ecx, dword ptr [esp+1C] ; the first argument again, i.e. KEY1 (by the stack layout at entry), not KEY2
00470A4A|.56 |push esi
00470A4B|.E8 A04A0000 |call 004754F0
00470A50|.0FB7C0 |movzx eax, ax
00470A53|.8D142B |lea edx, dword ptr [ebx+ebp]
00470A56|.03D6 |add edx, esi
00470A58|.0FAFD0 |imul edx, eax ; (EBX+EBP+ESI) * character
00470A5B|.8B4424 14 |mov eax, dword ptr [esp+14] ; the length of KEY1
00470A5F|.03FA |add edi, edx ; accumulated into EDI again
00470A61|.46 |inc esi
00470A62|.3BF0 |cmp esi, eax
00470A64|.7C 02 |jl short 00470A68
00470A66|.33F6 |xor esi, esi ; the character index wraps around at the length of KEY1
00470A68|>83C3 02 |add ebx, 2
00470A6B|.83FB 16 |cmp ebx, 16
00470A6E|.7E 05 |jle short 00470A75
00470A70|.BB 02000000 |mov ebx, 2
00470A75|>83C5 03 |add ebp, 3
00470A78|.83FD 0B |cmp ebp, 0B
00470A7B|.7E 05 |jle short 00470A82
00470A7D|.BD 03000000 |mov ebp, 3
00470A82|>FF4C24 10 |dec dword ptr [esp+10]
00470A86|.^ 75 BE \jnz short 00470A46
00470A88|>8BC6 mov eax, esi
00470A8A|.99 cdq ; sign-extend to EDX:EAX
00470A8B|.B9 0A000000 mov ecx, 0A
00470A90|.F7F9 idiv ecx ; EDX = ESI mod 10, the first digit to append
00470A92|.81FF 80969800 cmp edi, 989680 ; compare EDI with 989680h (10,000,000)
00470A98|.7D 1F jge short 00470AB9 ; jumps if greater than or equal
00470A9A|.8D9B 00000000 lea ebx, dword ptr [ebx]
00470AA0|>8D04BF /lea eax, dword ptr [edi+edi*4] ; arithmetic: these two LEAs compute EDI = EDI*10 + EDX
00470AA3|.8D3C42 |lea edi, dword ptr [edx+eax*2]
00470AA6|.8D0413 |lea eax, dword ptr [ebx+edx]
00470AA9|.99 |cdq
00470AAA|.B9 0A000000 |mov ecx, 0A
00470AAF|.F7F9 |idiv ecx
00470AB1|.81FF 80969800 |cmp edi, 989680 ; compared again after the arithmetic; here EDI = 0185E338h = 25551672 decimal, which is the value of KEY3
00470AB7|.^ 7C E7 \jl short 00470AA0
00470AB9|>8BC7 mov eax, edi
00470ABB|.5F pop edi
00470ABC|.5E pop esi
00470ABD|.5D pop ebp
00470ABE|.5B pop ebx
00470ABF|.83C4 08 add esp, 8
00470AC2|.C2 0400 retn 4
00470AC5|>5F pop edi
00470AC6|.5E pop esi
00470AC7|.5D pop ebp
00470AC8|.B8 FDFFFFFF mov eax, -3
00470ACD|.5B pop ebx
00470ACE|.83C4 08 add esp, 8
00470AD1\.C2 0400 retn 4
KEY2 is found by table lookup (the string pool as dumped in OD; the first line is truncated in the post):
0055FB7C  61 62 72 69                                      abri
0055FB8C  6B 6F 6F 73 00 00 00 00 6C 79 63 68 65 65 00 00  koos....lychee..
0055FB9C  6E 6F 70 61 6C 00 00 00 63 6F 63 6F 6E 75 74 00  nopal...coconut.
0055FBAC  6B 69 72 73 63 68 00 00 64 72 75 69 66 00 00 00  kirsch..druif...
0055FBBC  70 6C 75 6D 00 00 00 00 70 61 70 61 6A 61 00 00  plum....papaja..
0055FBCC  72 61 6D 62 6F 65 74 61 6E 00 00 00 66 72 61 69  ramboetan...frai
0055FBDC  73 65 00 00 6B 69 77 69 00 00 00 00 70 69 73 61  se..kiwi....pisa
0055FBEC  6E 67 00 00 6D 65 6C 6F 6E 00 00 00 70 69 6E 61  ng..melon...pina
0055FBFC  00 00 00 00 70 65 61 63 68 00 00 00 6D 61 6E 67  ....peach...mang
0055FC0C  6F 00 00 00 68 69 6D 62 65 65 72 00 70 6F 69 72  o...himbeer.poir
0055FC1C  65 00 00 00 6E 61 72 61 6E 6A 61 00 61 70 70 6C  e...naranja.appl
0055FC2C  65 00 00 00 45 72 72 6F 72 20 32 20 69 6E 20 52  e...Error 2 in R
0055FC3C  65 6F 72 64 65 72 20 4C 6F 63 61 6C 65 20 4C 69  eorder Locale Li
0055FC4C  73 74 00 00 45 72 72 6F 72 20 31 20 69 6E 20 52  st..Error 1 in R
0055FC5C  65 6F 72 64 65 72 20 4C 6F 63 61 6C 65 20 4C 69  eorder Locale Li
0055FC6C  73 74 00 00 45 72 72 6F 72 20 31 20 43 6F 6E 73  st..Error 1 Cons
0055FC7C  74 72 75 63 74 6F 72 20 4C 6F 63 61 6C 65 20 4C  tructor Locale L
0055FC8C  69 73 74 2C 20 62 65 67 69 6E 6E 69 6E 67 20 77  ist, beginning w
0055FC9C  69 74 68 20                                      ith
KEY1, the user name, must be at least 8 characters, so my own ID couldn't be registered; hence the patch.
KEY2 is obtained from the table.
KEY3 is a few simple additions and multiplications over the user name.
The algorithm isn't hard and the comparison is in the clear. A KeyGen has already been released; for lack of time, interested readers can write their own. The program is of medium difficulty and suitable for beginners to practise on.
A working set of values:
KEY1:ChinaPYG
KEY2:ramboetan
KEY3:25551672
Ha, I used this program to make a little 3D effect.
http://www.chinadforce.com/attachments/day_070418/Nisy_2uksT1x1bLlN.gif
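As an added example (not code from the post, from the released KeyGen, or from the program's author), here is the check above rewritten in Python: the KEY3 derivation at 004709C0, the KEY2 selection at 00470AE0, the validation sequence of 00470F60 with its return codes, and a bit-exact model of the imul 10624DD3h / sar edx,6 sequence, which is how one recognises that constant as a compiler-generated signed division by 1000. Three things are assumptions and are marked as such in the code: the index order of the 20-word table (the dump shows the string pool, not the pointer array at 0058E140; reading the pool backwards is the one order that puts ramboetan at index 11, which the sample key requires), the first word being abrikoos (the abri and koos fragments of the truncated dump line), and the KEY2 length bounds held at [this+8] and [this+C], whose constructor the post does not show. One reading differs from the original comment on the listing: the loop at 00470A46 loads [esp+1C], which by the stack layout at the entry of 004709C0 is the first argument, i.e. KEY1, and its index wraps at the length of KEY1 at 00470A62; the post's own pair ChinaPYG / 25551672 only reproduces under that reading.

```python
# Added example: Python model of the BluffTitler 6.10 serial check traced
# above.  Not code from the post, the KeyGen or the program's author; every
# detail the page does not show is marked ASSUMPTION.

# The 20 fruit words from the string pool at 0055FB7C.  ASSUMPTION: the index
# order is the pool read backwards (the page shows the pool, not the pointer
# array at 0058E140); it is the one order that puts "ramboetan" at index
# 11 = (25551672 // 1000) % 20, as the sample key requires.  "abrikoos" is my
# reading of the "abri" + "koos" fragments of the truncated dump line.
KEY2_TABLE = [
    "apple", "naranja", "poire", "himbeer", "mango", "peach", "pina", "melon",
    "pisang", "kiwi", "fraise", "ramboetan", "papaja", "plum", "druif",
    "kirsch", "coconut", "nopal", "lychee", "abrikoos",
]
SEED = 0x4D2       # constant pushed to the constructor at 0044015E
LIMIT = 0x989680   # 10,000,000, the bound compared at 00470A92 / 00470AB1


def key3_from_key1(key1: str) -> int:
    """004709C0: derive the numeric KEY3 from the user name alone."""
    n = len(key1)
    if n < 8 or n > 30 or any(ord(c) < 0x20 for c in key1):
        raise ValueError("KEY1 must be 8..30 characters, none below 20h")
    codes = [ord(c) for c in key1]       # 004754F0 returns UTF-16 code units
    total = sum(codes)                   # first loop, 00470A00: plain sum
    rounds = codes[5] + SEED + n         # 00470A1C..00470A30: 'P' + 4D2h + 8 = 52Ah
    i, b, p = 0, 1, 2                    # esi, ebx, ebp before the second loop
    for _ in range(rounds):              # second loop, 00470A46
        total += (b + p + i) * codes[i]  # re-reads KEY1, not KEY2
        i = (i + 1) % n                  # 00470A62: index wraps at len(KEY1)
        b = b + 2 if b + 2 <= 0x16 else 2
        p = p + 3 if p + 3 <= 0x0B else 3
    d = i % 10                           # 00470A88: EDX = ESI mod 10
    while total < LIMIT:                 # 00470AA0: append digits until >= 10^7
        total = total * 10 + d
        d = (b + d) % 10
    return total


def div1000_via_magic(x: int) -> int:
    """00470B15..00470B24 bit for bit: imul 10624DD3h, sar edx,6, add the
    sign bit.  Equals the C expression x / 1000 for every int32 value, which
    is how one recognises the constant as a division by 1000."""
    if not -2**31 <= x < 2**31:
        raise ValueError("int32 only")
    edx = (x * 0x10624DD3) >> 32         # high dword of the signed product
    edx = (edx >> 6) & 0xFFFFFFFF        # sar edx, 6
    sign = edx >> 31                     # shr eax, 1F
    q = (edx + sign) & 0xFFFFFFFF        # add eax, edx
    return q - (1 << 32) if q & 0x80000000 else q


def key2_from_key3(key3: int) -> str:
    """00470AE0: KEY2 is the table word selected by (KEY3 / 1000) % 20."""
    return KEY2_TABLE[div1000_via_magic(key3) % 20]


def validate(key1: str, key2: str, key3: str) -> int:
    """00470F60 as read from the listing: 0 on success, otherwise the negative
    code loaded into EAX before the matching early return.  The -1 path (the
    check at 00470BB0, not shown on the page) is not modelled."""
    if not key1: return -2
    if not key2: return -3
    if not key3: return -4
    if len(key1) < 8: return -5
    if len(key1) > 30: return -6
    if any(ord(c) < 0x20 for c in key1): return -7
    lengths = [len(w) for w in KEY2_TABLE]  # ASSUMPTION: [this+8] / [this+C]
    if len(key2) < min(lengths): return -8  # hold the shortest and longest
    if len(key2) > max(lengths): return -9  # table word; the ctor is not shown
    if any(c < "a" for c in key2): return -0xA
    if any(c > "z" for c in key2): return -0xB
    if len(key3) != 8: return -0xC
    if any(c < "0" for c in key3): return -0xD
    if any(c > "9" for c in key3): return -0xE
    real3 = key3_from_key1(key1)
    if key2 != key2_from_key3(real3): return -0xF   # 004711AA
    if key3 != str(real3): return -0x10             # sbb/and tail at 00471240
    return 0


def keygen(key1: str) -> tuple:
    """KEY3 depends on KEY1 only and then fixes KEY2, so no search is needed."""
    k3 = key3_from_key1(key1)
    return key2_from_key3(k3), str(k3)


if __name__ == "__main__":
    print(keygen("ChinaPYG"))   # the post's own pair under the assumed table
```

keygen("ChinaPYG") returns ('ramboetan', '25551672'), the pair listed in the post, and that number matches the 0185E338h seen in EDI at 00470AB1 without any table assumption at all; only the KEY2 word depends on the assumed index order, so a pair for any other user name should be confirmed against the real binary before trusting the table.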
Nice, this could be used as a tutorial. Heh. As I see it, it mainly comes down to the table lookup. Heh. A few thoughts on this program:
1. PEiD reports the OEP as 27a0, but the OEP OD dumps at is 001381D4; I tried several methods and they all ended up there, so PEiD's OEP can't be fully trusted! For this packer the ESP trick is enough!
2. After setting a breakpoint on MessageBoxW and entering the key, F8 takes me not to 00451381 but to 00451443; is it the same for everyone else? If Nisy has time, I'd appreciate it if this could be checked, thanks!

For finding the OEP, use the OEP Finder tool~~

00451443|.8D4C24 58 lea ecx, dword ptr [esp+58] ; after leaving that CALL we arrive here
Same here; that's exactly what the post says: after leaving that CALL we arrive at 00451443. You just didn't notice that part, brother~~

Oh, sorry, I only read the part above:
We step with F8; after the RETN we land here:
00451381|.6A 20 push 20

Learning the algorithm. Impressive; looks like I need to study harder~!

Learning the approach, thanks OP.