1st Disk Drive Protector注册码分析
1st Disk Drive Protector注册码分析:目标程序: 见附件
程序启动时提示字符串尚未解码(相关字符串在内存中是以编码形式存放、用到时才还原的),所以直接在反汇编中搜索提示字符串找不到。
单步跟踪一段代码,或者运行后,(当然也可以采用破外挂常用的暂停堆栈调用法)找到字符串“registration code is invalid”。
来到此处,在段首下断。
; Registration handler at 0046A6B8 (OllyDbg dump). The bracketed memory
; operands ([ebp-4], fs:[0], ...) were stripped during extraction; the
; comments below recover them from the opcode bytes shown on each line.
; Argument passing looks like the Borland/Delphi register convention
; (eax, edx, ecx) -- inferred from the call sequences, not verified.
; Flow: take the code from an object field, normalise it, store it in the
; global string at 00473D88, call the checker at 0046A418, then show either
; the "registration has been completed" or the "registration code is
; invalid" box. The only accept/reject decision in this routine is the
; `je 0046A806` at 0046A70E on the al returned by 0046A418.
0046A6B8/$55 push ebp
0046A6B9|.8BEC mov ebp, esp
0046A6BB|.B9 06000000 mov ecx, 6 ; 6 iterations x 2 pushes = 12 zeroed local dwords
0046A6C0|>6A 00 /push 0
0046A6C2|.6A 00 |push 0
0046A6C4|.49 |dec ecx
0046A6C5|.^ 75 F9 \jnz short 0046A6C0
0046A6C7|.51 push ecx ; ecx is 0 after the loop: 13th zeroed slot ([ebp-34])
0046A6C8|.8945 FC mov dword ptr , eax ; [ebp-4] = eax (object pointer; fields +3AC and +3CC are used below)
0046A6CB|.33C0 xor eax, eax
0046A6CD|.55 push ebp ; exception/finally frame: ebp, handler 0046A858, previous fs:[0]
0046A6CE|.68 58A84600 push 0046A858
0046A6D3|.64:FF30 push dword ptr fs: ; fs:[0]
0046A6D6|.64:8920 mov dword ptr fs:, esp ; fs:[0] = esp (unlinked again at 0046A82D)
0046A6D9|.8D55 EC lea edx, dword ptr ; edx = &[ebp-14] (output string)
0046A6DC|.8B45 FC mov eax, dword ptr ; eax = [ebp-4]
0046A6DF|.8B80 AC030000 mov eax, dword ptr ; eax = [eax+3AC] -- object field; presumably the input control (unverified)
0046A6E5|.E8 7264FDFF call 00440B5C ; [ebp-14] := text from that field (helper not shown)
0046A6EA|.8B45 EC mov eax, dword ptr ; eax = [ebp-14]
0046A6ED|.8D55 F0 lea edx, dword ptr ; edx = &[ebp-10]
0046A6F0|.E8 3BBBFFFF call 00466230 ; [ebp-10] := f([ebp-14]); helper not shown, likely some string normalisation -- unverified
0046A6F5|.8B55 F0 mov edx, dword ptr ; edx = [ebp-10]
0046A6F8|.B8 883D4700 mov eax, 00473D88 ; global string read by the checker at 0046A427
0046A6FD|.E8 3AA3F9FF call 00404A3C ; [00473D88] := [ebp-10] (string assign, by usage)
0046A702|.E8 11FDFFFF call 0046A418 ;KEY CALL: registration-code check, result in al (see 0046A418)
0046A707|.8845 FB mov byte ptr , al ; [ebp-5] = al
0046A70A|.807D FB 00 cmp byte ptr , 0 ; [ebp-5] == 0 ?
0046A70E|.0F84 F2000000 je 0046A806 ;al == 0 -> "registration code is invalid" path
0046A714|.8B45 FC mov eax, dword ptr ; eax = [ebp-4]
0046A717|.C680 CC030000>mov byte ptr , 1 ; [eax+3CC] = 1 -- "registered" flag on the object, by usage (unverified)
0046A71E|.8D45 F4 lea eax, dword ptr ; eax = &[ebp-C]; pushed here, popped into ecx at 0046A748
0046A721|.50 push eax
0046A722|.8D55 E8 lea edx, dword ptr ; edx = &[ebp-18]
0046A725|.B8 70A84600 mov eax, 0046A870 ;b9bb8c819888ab829fba848389829abe849788 -- looks encoded; 00466710 presumably decodes it (unverified)
0046A72A|.E8 E1BFFFFF call 00466710 ; [ebp-18] := decode?(0046A870); helper not shown
0046A72F|.8B45 E8 mov eax, dword ptr ; eax = [ebp-18]
0046A732|.50 push eax
0046A733|.8D55 E4 lea edx, dword ptr ; edx = &[ebp-1C]
0046A736|.B8 A0A84600 mov eax, 0046A8A0 ;be828b999a8c9f88b1c8bdbfa2aaa3aca0a8c8 -- same encoded form
0046A73B|.E8 D8FDFFFF call 0046A518 ; [ebp-1C] := g(0046A8A0, [ebp-18]); helper not shown
0046A740|.8B55 E4 mov edx, dword ptr ; edx = [ebp-1C]
0046A743|.A1 843D4700 mov eax, dword ptr ; eax = [00473D84]
0046A748|.59 pop ecx ; ecx = &[ebp-C]
0046A749|.E8 7EC1FFFF call 004668CC ; writes through ecx; [ebp-C] is tested at 0046A78B. What is persisted and where is not visible here
0046A74E|.8D55 E0 lea edx, dword ptr ; edx = &[ebp-20]
0046A751|.A1 883D4700 mov eax, dword ptr ; eax = [00473D88] (the accepted code)
0046A756|.E8 FDBEFFFF call 00466658 ; [ebp-20] := h(code); helper not shown
0046A75B|.8B45 E0 mov eax, dword ptr ; eax = [ebp-20]
0046A75E|.50 push eax
0046A75F|.8D55 DC lea edx, dword ptr ; edx = &[ebp-24]
0046A762|.B8 D0A84600 mov eax, 0046A8D0 ;bdbb8c819888ab829fba848389829abe849788 -- differs from 0046A870 only in the first byte
0046A767|.E8 A4BFFFFF call 00466710 ; [ebp-24] := decode?(0046A8D0)
0046A76C|.8B45 DC mov eax, dword ptr ; eax = [ebp-24]
0046A76F|.50 push eax
0046A770|.8D55 D8 lea edx, dword ptr ; edx = &[ebp-28]
0046A773|.B8 A0A84600 mov eax, 0046A8A0 ;be828b999a8c9f88b1c8bdbfa2aaa3aca0a8c8
0046A778|.E8 9BFDFFFF call 0046A518 ; [ebp-28] := g(0046A8A0, [ebp-24])
0046A77D|.8B55 D8 mov edx, dword ptr ; edx = [ebp-28]
0046A780|.A1 843D4700 mov eax, dword ptr ; eax = [00473D84]
0046A785|.59 pop ecx ; ecx = [ebp-20] (value pushed at 0046A75E)
0046A786|.E8 E5C1FFFF call 00466970 ; store step 2 (helper not shown)
0046A78B|.837D F4 00 cmp dword ptr , 0 ; [ebp-C] == 0 ? (value produced by 004668CC above)
0046A78F|.75 44 jnz short 0046A7D5 ;non-empty -> skip the block below
0046A791|.E8 1EFEF9FF call 0040A5B4 ; returns an x87 value in ST(0) (fstp below); possibly a date/time stamp -- unverified
0046A796|.83C4 F4 add esp, -0C ; room for a 10-byte extended argument
0046A799|.DB3C24 fstp tbyte ptr ; [esp] = ST(0)
0046A79C|.9B wait
0046A79D|.8D45 D4 lea eax, dword ptr ; eax = &[ebp-2C]
0046A7A0|.E8 C7F8F9FF call 0040A06C ; [ebp-2C] := string form of that value (by signature; unverified)
0046A7A5|.8B45 D4 mov eax, dword ptr ; eax = [ebp-2C]
0046A7A8|.50 push eax
0046A7A9|.8D55 D0 lea edx, dword ptr ; edx = &[ebp-30]
0046A7AC|.B8 70A84600 mov eax, 0046A870 ;b9bb8c819888ab829fba848389829abe849788
0046A7B1|.E8 5ABFFFFF call 00466710 ; [ebp-30] := decode?(0046A870) -- same sequence as 0046A725..0046A749
0046A7B6|.8B45 D0 mov eax, dword ptr ; eax = [ebp-30]
0046A7B9|.50 push eax
0046A7BA|.8D55 CC lea edx, dword ptr ; edx = &[ebp-34]
0046A7BD|.B8 A0A84600 mov eax, 0046A8A0 ;be828b999a8c9f88b1c8bdbfa2aaa3aca0a8c8
0046A7C2|.E8 51FDFFFF call 0046A518 ; [ebp-34] := g(0046A8A0, [ebp-30])
0046A7C7|.8B55 CC mov edx, dword ptr ; edx = [ebp-34]
0046A7CA|.A1 843D4700 mov eax, dword ptr ; eax = [00473D84]
0046A7CF|.59 pop ecx ; ecx = [ebp-2C]
0046A7D0|.E8 9BC1FFFF call 00466970 ; store step 3 (helper not shown)
0046A7D5|>A1 A0E94600 mov eax, dword ptr ; eax = [0046E9A0]
0046A7DA|.8B00 mov eax, dword ptr ; eax = [eax]
0046A7DC|.8B80 B0030000 mov eax, dword ptr ; eax = [eax+3B0]
0046A7E2|.BA 00A94600 mov edx, 0046A900 ;software (ctrl+r)
0046A7E7|.E8 7C7EFEFF call 00452668 ; assigns that string to the field +3B0 of a global object (e.g. a caption); helper not shown
0046A7EC|.6A 40 push 40 ; 0x40 = MB_ICONINFORMATION if 00460554 wraps MessageBox (unverified)
0046A7EE|.B9 14A94600 mov ecx, 0046A914 ;information
0046A7F3|.BA 20A94600 mov edx, 0046A920 ;registration has been completed successfully!
0046A7F8|.A1 A0EB4600 mov eax, dword ptr ; eax = [0046EBA0]
0046A7FD|.8B00 mov eax, dword ptr ; eax = [eax]
0046A7FF|.E8 505DFFFF call 00460554 ; show success box
0046A804|.EB 22 jmp short 0046A828 ; common exit
0046A806|>B8 883D4700 mov eax, 00473D88 ; failure path: clear the global code string
0046A80B|.E8 D8A1F9FF call 004049E8 ; same helper finalises [ebp-14] at 0046A845
0046A810|.6A 10 push 10 ; 0x10 = MB_ICONERROR under the same assumption
0046A812|.B9 50A94600 mov ecx, 0046A950 ;error
0046A817|.BA 58A94600 mov edx, 0046A958 ;registration code is invalid!
0046A81C|.A1 A0EB4600 mov eax, dword ptr ; eax = [0046EBA0]
0046A821|.8B00 mov eax, dword ptr ; eax = [eax]
0046A823|.E8 2C5DFFFF call 00460554 ; show error box
0046A828|>33C0 xor eax, eax
0046A82A|.5A pop edx ; edx = saved fs:[0]
0046A82B|.59 pop ecx
0046A82C|.59 pop ecx
0046A82D|.64:8910 mov dword ptr fs:, edx ; fs:[0] = edx -- frame unlinked
0046A830|.68 5FA84600 push 0046A85F ; return address for the finally block: the retn at 0046A857 lands at 0046A85F
0046A835|>8D45 CC lea eax, dword ptr ; eax = &[ebp-34]
0046A838|.BA 08000000 mov edx, 8 ; finalise 8 string slots [ebp-34]..[ebp-18]
0046A83D|.E8 CAA1F9FF call 00404A0C
0046A842|.8D45 EC lea eax, dword ptr ; eax = &[ebp-14]
0046A845|.E8 9EA1F9FF call 004049E8 ; finalise [ebp-14]
0046A84A|.8D45 F0 lea eax, dword ptr ; eax = &[ebp-10]
0046A84D|.BA 02000000 mov edx, 2 ; finalise [ebp-10] and [ebp-C]
0046A852|.E8 B5A1F9FF call 00404A0C
0046A857\.C3 retn
在0046A702行(关键CALL)跟进。
; Registration-code checker at 0046A418. Returns al = 1 when the code is
; accepted, 0 otherwise. Input is the global string at 00473D88 (assigned by
; the caller at 0046A6FD). The accept rule, exactly as implemented below:
;   length == 14 (0x0E), and
;   code[0]=='4' code[2]=='6' code[3]=='1' code[4]=='2'
;   code[7]=='6' code[8]=='6' code[10]=='7'      (0-based offsets)
; i.e. 1-based positions 1,3,4,5,8,9,11. The other seven characters are never
; examined, and nothing here depends on a user name, machine id or hash, so
; every 14-character string matching the pattern is accepted. All seven
; compares run unconditionally (no short-circuit); each adds 0/1 to the match
; counter in [ebp-8], which is compared with 7 at the end.
; Bracketed operands were stripped during extraction; they are recovered
; from the opcode bytes in the comments.
0046A418/$55 push ebp
0046A419|.8BEC mov ebp, esp
0046A41B|.83C4 F0 add esp, -10 ; locals: [ebp-1] result, [ebp-8] match counter, [ebp-C] string ptr, [ebp-10] ptr then length
0046A41E|.33C0 xor eax, eax
0046A420|.8945 F8 mov dword ptr , eax ; [ebp-8] = 0 (match counter)
0046A423|.C645 FF 00 mov byte ptr , 0 ; [ebp-1] = 0 (result; only set to 1 at 0046A4D1)
0046A427|.A1 883D4700 mov eax, dword ptr ; eax = [00473D88] -- pointer to the code string
0046A42C|.8945 F4 mov dword ptr , eax ; [ebp-C] = eax
0046A42F|.8B45 F4 mov eax, dword ptr ; eax = [ebp-C]
0046A432|.8945 F0 mov dword ptr , eax ; [ebp-10] = eax
0046A435|.837D F0 00 cmp dword ptr , 0 ;[ebp-10] == 0 ? -- empty (nil) code string
0046A439|.74 0B je short 0046A446 ; nil: [ebp-10] stays 0 and fails the length test below
0046A43B|.8B45 F0 mov eax, dword ptr ; eax = [ebp-10]
0046A43E|.83E8 04 sub eax, 4 ; length is stored 4 bytes before the data (consistent with the Delphi AnsiString layout)
0046A441|.8B00 mov eax, dword ptr ; eax = [eax] -- the length
0046A443|.8945 F0 mov dword ptr , eax ; [ebp-10] = length
0046A446|>837D F0 0E cmp dword ptr , 0E ;[ebp-10] == 14 ? -- the code must be exactly 14 characters
0046A44A|.0F85 85000000 jnz 0046A4D5 ; wrong length: return 0. This also keeps the byte reads at offsets up to 0x0A below in bounds
0046A450|.A1 883D4700 mov eax, dword ptr ; eax = [00473D88]
0046A455|.8038 34 cmp byte ptr , 34 ;[eax+0] == '4' (position 1)
0046A458|.0F94C0 sete al ; al = 0/1; the upper bytes of eax still hold pointer bits
0046A45B|.83E0 7F and eax, 7F ; mask eax down to 0/1
0046A45E|.0145 F8 add dword ptr , eax ; [ebp-8] += eax
0046A461|.A1 883D4700 mov eax, dword ptr ; eax = [00473D88]
0046A466|.8078 02 36 cmp byte ptr , 36 ;[eax+2] == '6' (position 3)
0046A46A|.0F94C0 sete al
0046A46D|.83E0 7F and eax, 7F
0046A470|.0145 F8 add dword ptr , eax ; [ebp-8] += eax
0046A473|.A1 883D4700 mov eax, dword ptr ; eax = [00473D88]
0046A478|.8078 03 31 cmp byte ptr , 31 ;[eax+3] == '1' (position 4)
0046A47C|.0F94C0 sete al
0046A47F|.83E0 7F and eax, 7F
0046A482|.0145 F8 add dword ptr , eax ; [ebp-8] += eax
0046A485|.A1 883D4700 mov eax, dword ptr ; eax = [00473D88]
0046A48A|.8078 04 32 cmp byte ptr , 32 ;[eax+4] == '2' (position 5)
0046A48E|.0F94C0 sete al
0046A491|.83E0 7F and eax, 7F
0046A494|.0145 F8 add dword ptr , eax ; [ebp-8] += eax
0046A497|.A1 883D4700 mov eax, dword ptr ; eax = [00473D88]
0046A49C|.8078 07 36 cmp byte ptr , 36 ;[eax+7] == '6' (position 8)
0046A4A0|.0F94C0 sete al
0046A4A3|.83E0 7F and eax, 7F
0046A4A6|.0145 F8 add dword ptr , eax ; [ebp-8] += eax
0046A4A9|.A1 883D4700 mov eax, dword ptr ; eax = [00473D88]
0046A4AE|.8078 08 36 cmp byte ptr , 36 ;[eax+8] == '6' (position 9)
0046A4B2|.0F94C0 sete al
0046A4B5|.83E0 7F and eax, 7F
0046A4B8|.0145 F8 add dword ptr , eax ; [ebp-8] += eax
0046A4BB|.A1 883D4700 mov eax, dword ptr ; eax = [00473D88]
0046A4C0|.8078 0A 37 cmp byte ptr , 37 ;[eax+0A] == '7' (position 11)
0046A4C4|.0F94C0 sete al
0046A4C7|.83E0 7F and eax, 7F
0046A4CA|.0145 F8 add dword ptr , eax ; [ebp-8] += eax
0046A4CD|.837D F8 07 cmp dword ptr , 7 ;[ebp-8] == 7 ? -- all seven positions matched
0046A4D1|.0F9445 FF sete byte ptr ; [ebp-1] = (counter == 7)
0046A4D5|>8A45 FF mov al, byte ptr ;al = [ebp-1]: 1 = accepted, 0 = rejected (also the wrong-length exit)
0046A4D8|.8BE5 mov esp, ebp
0046A4DA|.5D pop ebp
0046A4DB\.C3 retn
根据以上分析,注册码必须是14位,但实际只检查其中7位:第1、3、4、5、8、9、11位分别须为 4、6、1、2、6、6、7,其余7位任意,校验也不与用户名或机器信息绑定。因此可以构造注册码如“4d612vh66i7uhi”,任何满足该模式的14位字符串都能通过校验,无需修改程序。
该程序只是简单选取注册码中的若干位做比较判断,还比较简单,呵呵,适合我这样的菜鸟学习。
[ 本帖最后由 云飘飘 于 2008-4-25 22:39 编辑 ]