Registering 机器猫安全卫士 V1.0
【Author】 rdsnow 【Homepage】 http://rdsnow.ys168.com
【 E-mail 】 [email protected]
【 Author's QQ 】 83757177
【Title】 Registering 机器猫安全卫士 V1.0
【Software】 机器猫安全卫士 V1.0
【Download】 http://shareware.skycn.com/soft/4988.htm
http://www.5idd.cn/Soft_list.asp?SoftId=31&ClassId=5
----------------------------------------------------------------------------------------------
【Protection】 Serial number
【Tools】 ODbyDYK v1.10
【Restrictions】 Feature limitations
【Platform】 Microsoft Windows XP Professional
【OS version】 5.1.2600 Service Pack 2, build 2600
----------------------------------------------------------------------------------------------
【Software description】
1. Encrypt files and hide them inside images
2. Extract files from images and decrypt them at the same time
3. Securely and thoroughly delete files from your computer
【Article summary】
This is a small program written in Microsoft Visual Basic 5.0/6.0. The author put some thought into the registration algorithm, but its strength is still lacking. Moreover, as you will see at the end of the article, the program uses a plaintext comparison, which amounts to exposing the registration code to the user; whether by patching or by writing a memory keygen, a cracker is done in a few short minutes.
----------------------------------------------------------------------------------------------
【Cracking process】
1. Unpacking
Scanning with PEiD 0.94 gives: UPX-Scrambler RC1.x -> ©nTooL
Load it in OD:
0044B3DF >90 NOP ; stops here
0044B3E0 61 POPAD
0044B3E1 BE 00D04200 MOV ESI,机器猫安.0042D000
0044B3E6 8DBE 0040FDFF LEA EDI,
0044B3EC 57 PUSH EDI
0044B3ED 83CD FF OR EBP,FFFFFFFF
0044B3F0 EB 10 JMP SHORT 机器猫安.0044B402
0044B3F2 EB 00 JMP SHORT 机器猫安.0044B3F4
0044B3F4^ EB EA JMP SHORT 机器猫安.0044B3E0
0044B3F6^ EB E8 JMP SHORT 机器猫安.0044B3E0
Single-step downward; whenever you hit a loop, use F4 to get out of it. After only a few steps you arrive here:
0044B53F 55 PUSH EBP
0044B540 FF96 08B70400 CALL
0044B546 09C0 OR EAX,EAX
0044B548 74 07 JE SHORT 机器猫安.0044B551
0044B54A 8903 MOV ,EAX
0044B54C 83C3 04 ADD EBX,4
0044B54F^ EB D8 JMP SHORT 机器猫安.0044B529 ; don't take the upward jump
0044B551 FF96 0CB70400 CALL
0044B557 60 PUSHAD
0044B558- E9 A76DFBFF JMP 机器猫安.00402304 ; just set a breakpoint at 00402304
It jumps to here:
00402304 68 30264000 PUSH 机器猫安.00402630 ; ASCII "VB5!6&vb6chs.dll"
00402309 E8 EEFFFFFF CALL 机器猫安.004022FC ; JMP to MSVBVM60.ThunRTMain
0040230E 0000 ADD ,AL
Typical OEP code of a VB program; the OEP is 00402304. Dump with OllyDump directly; the import table is already repaired by OllyDump, and the dumped file runs as it is.
----------------------------------------------------------------------------------------------
2. Registration algorithm
To explain the registration procedure, the comments use two arrays Box1 and Box2 whose initial values are all 0; the program also uses an XOR table, XorBox.
Run the program, enter the fake code 987654321abcd and register. No "wrong registration code" dialog appears, so set a breakpoint from the command line: Bp rtcMidCharVar
With the breakpoint set, register again; the program is caught. Single-step out of MSVBVM60.dll's territory into the program's own code, where we find it inside a loop processing the machine code:
In the loop below, i runs from 1 to the length of the machine code MCode[], and j is initialised to 1.
00443514 > /66:8B8D 48FF> MOV CX, ; loop start
0044351B . |66:038D 48FE> ADD CX,
00443522 . |0F80 190A0000 JO dump.00443F41
00443528 . |66:898D 48FF> MOV ,CX
0044352F > |66:8B95 48FF> MOV DX,
00443536 . |66:3B95 44FE> CMP DX, ; have all machine-code characters been processed?
0044353D . |0F8F BC010000 JG dump.004436FF ; if so, leave the loop
00443543 . |C745 FC 5D00> MOV DWORD PTR ,5D
0044354A . |0FBF85 08FFF> MOVSX EAX,WORD PTR
00443551 . |8985 80FEFFFF MOV ,EAX
00443557 . |83BD 80FEFFF> CMP DWORD PTR ,11
0044355E . |73 0C JNB SHORT dump.0044356C
00443560 . |C785 ACFDFFF> MOV DWORD PTR ,0
0044356A . |EB 0C JMP SHORT dump.00443578
0044356C > |FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
00443572 . |8985 ACFDFFFF MOV ,EAX
00443578 > |C785 F4FEFFF> MOV DWORD PTR ,1
00443582 . |C785 ECFEFFF> MOV DWORD PTR ,2
0044358C . |8D8D 40FFFFFF LEA ECX,
00443592 . |898D C4FEFFFF MOV ,ECX
00443598 . |C785 BCFEFFF> MOV DWORD PTR ,4008
004435A2 . |8D95 ECFEFFFF LEA EDX,
004435A8 . |52 PUSH EDX
004435A9 . |0FBF85 48FFF> MOVSX EAX,WORD PTR
004435B0 . |50 PUSH EAX
004435B1 . |8D8D BCFEFFFF LEA ECX,
004435B7 . |51 PUSH ECX
004435B8 . |8D95 DCFEFFFF LEA EDX,
004435BE . |52 PUSH EDX
004435BF . |FF15 D8104000 CALL [<&MSVBVM60.rtcMidCharVar>]; fetch character MCode[ i] of the machine code
004435C5 . |0FBF85 08FFF> MOVSX EAX,WORD PTR
004435CC . |8985 84FEFFFF MOV ,EAX
004435D2 . |83BD 84FEFFF> CMP DWORD PTR ,11
004435D9 . |73 0C JNB SHORT dump.004435E7
004435DB . |C785 A8FDFFF> MOV DWORD PTR ,0
004435E5 . |EB 0C JMP SHORT dump.004435F3
004435E7 > |FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
004435ED . |8985 A8FDFFFF MOV ,EAX
004435F3 > |8D8D DCFEFFFF LEA ECX,
004435F9 . |51 PUSH ECX
004435FA . |8D95 FCFEFFFF LEA EDX,
00443600 . |52 PUSH EDX
00443601 . |FF15 94114000 CALL [<&MSVBVM60.__vbaStrVarVal>] ;MSVBVM60.__vbaStrVarVal
00443607 . |50 PUSH EAX
00443608 . |FF15 44104000 CALL [<&MSVBVM60.rtcAnsiValueBstr>; ASCII value of MCode[ i]
0044360E . |8B8D 80FEFFFF MOV ECX,
00443614 . |8B95 28FFFFFF MOV EDX,
0044361A . |66:8B0C4A MOV CX, ; load Box1
0044361E . |66:03C8 ADD CX,AX ; MCode[ i] + Box1
00443621 . |0F80 1A090000 JO dump.00443F41
00443627 . |66:83F1 12 XOR CX,12 ; sum ^ 0x12
0044362B . |8B95 84FEFFFF MOV EDX,
00443631 . |8B85 28FFFFFF MOV EAX,
00443637 . |66:890C50 MOV ,CX ; store the result back into Box1
0044363B . |8D8D FCFEFFFF LEA ECX,
00443641 . |FF15 84124000 CALL [<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
00443647 . |8D8D DCFEFFFF LEA ECX,
0044364D . |51 PUSH ECX
0044364E . |8D95 ECFEFFFF LEA EDX,
00443654 . |52 PUSH EDX
00443655 . |6A 02 PUSH 2
00443657 . |FF15 30104000 CALL [<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
0044365D . |83C4 0C ADD ESP,0C
00443660 . |C745 FC 5E00> MOV DWORD PTR ,5E
00443667 . |0FBF85 08FFF> MOVSX EAX,WORD PTR
0044366E . |8985 84FEFFFF MOV ,EAX
00443674 . |83BD 84FEFFF> CMP DWORD PTR ,11
0044367B . |73 0C JNB SHORT dump.00443689
0044367D . |C785 A4FDFFF> MOV DWORD PTR ,0
00443687 . |EB 0C JMP SHORT dump.00443695
00443689 > |FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
0044368F . |8985 A4FDFFFF MOV ,EAX
00443695 > |8B8D 84FEFFFF MOV ECX,
0044369B . |8B95 28FFFFFF MOV EDX,
004436A1 . |66:8B45 B4 MOV AX,
004436A5 . |66:03044A ADD AX, ; sum the result of each iteration, giving Result1
004436A9 . |0F80 92080000 JO dump.00443F41
004436AF . |66:8945 B4 MOV ,AX ; save the running sum Result1
004436B3 . |C745 FC 5F00> MOV DWORD PTR ,5F
004436BA . |66:8B8D 08FF> MOV CX,
004436C1 . |66:83C1 01 ADD CX,1 ; j = j + 1
004436C5 . |0F80 76080000 JO dump.00443F41
004436CB . |66:898D 08FF> MOV ,CX
004436D2 . |C745 FC 6000> MOV DWORD PTR ,60
004436D9 . |66:83BD 08FF> CMP WORD PTR ,9 ; is j equal to 9?
004436E1 . |75 10 JNZ SHORT dump.004436F3
004436E3 . |C745 FC 6100> MOV DWORD PTR ,61
004436EA . |66:C785 08FF> MOV WORD PTR ,1 ; if (j==9) j = 1
004436F3 > |C745 FC 6300> MOV DWORD PTR ,63
004436FA .^\E9 15FEFFFF JMP dump.00443514 ; jump back and continue the loop
----------------------------------------------------------------------------------------------
004436FF >C745 FC 6400> MOV DWORD PTR ,64
00443706 .66:8B55 DC MOV DX,
0044370A .66:8995 3CFE> MOV ,DX
00443711 .66:C785 40FE> MOV WORD PTR ,1
0044371A .66:C785 48FF> MOV WORD PTR ,1
00443723 .EB 1B JMP SHORT dump.00443740
After leaving the loop, the program enters a similar loop, this time processing not the machine code but another string, String={"SUY2TjhXRjQ2QjdIVThKSA"}. It uses a second array, Box2; i runs from 1 to 22, and j continues from where the previous loop left it.
00443725 >66:8B85 48FF> MOV AX, ; loop start
0044372C .66:0385 40FE> ADD AX,
00443733 .0F80 08080000 JO dump.00443F41
00443739 .66:8985 48FF> MOV ,AX
00443740 >66:8B8D 48FF> MOV CX,
00443747 .66:3B8D 3CFE> CMP CX, ; has every character of String been processed?
0044374E .0F8F B0010000 JG dump.00443904 ; if so, leave the loop
00443754 .C745 FC 6500> MOV DWORD PTR ,65
0044375B .0FBF95 08FFF> MOVSX EDX,WORD PTR
00443762 .8995 80FEFFFF MOV ,EDX
00443768 .83BD 80FEFFF> CMP DWORD PTR ,11
0044376F .73 0C JNB SHORT dump.0044377D
00443771 .C785 A0FDFFF> MOV DWORD PTR ,0
0044377B .EB 0C JMP SHORT dump.00443789
0044377D >FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
00443783 .8985 A0FDFFFF MOV ,EAX
00443789 >C785 F4FEFFF> MOV DWORD PTR ,1
00443793 .C785 ECFEFFF> MOV DWORD PTR ,2
0044379D .8B45 0C MOV EAX,
004437A0 .8985 C4FEFFFF MOV ,EAX
004437A6 .C785 BCFEFFF> MOV DWORD PTR ,4008
004437B0 .8D8D ECFEFFFF LEA ECX,
004437B6 .51 PUSH ECX
004437B7 .0FBF95 48FFF> MOVSX EDX,WORD PTR
004437BE .52 PUSH EDX
004437BF .8D85 BCFEFFFF LEA EAX,
004437C5 .50 PUSH EAX
004437C6 .8D8D DCFEFFFF LEA ECX,
004437CC .51 PUSH ECX
004437CD .FF15 D8104000 CALL [<&MSVBVM60.rtcMidCharVar>]; fetch each character String[ i] of the string
004437D3 .0FBF95 08FFF> MOVSX EDX,WORD PTR
004437DA .8995 84FEFFFF MOV ,EDX
004437E0 .83BD 84FEFFF> CMP DWORD PTR ,11
004437E7 .73 0C JNB SHORT dump.004437F5
004437E9 .C785 9CFDFFF> MOV DWORD PTR ,0
004437F3 .EB 0C JMP SHORT dump.00443801
004437F5 >FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
004437FB .8985 9CFDFFFF MOV ,EAX
00443801 >8D85 DCFEFFFF LEA EAX,
00443807 .50 PUSH EAX
00443808 .8D8D FCFEFFFF LEA ECX,
0044380E .51 PUSH ECX
0044380F .FF15 94114000 CALL [<&MSVBVM60.__vbaStrVarVal>] ;MSVBVM60.__vbaStrVarVal
00443815 .50 PUSH EAX
00443816 .FF15 44104000 CALL [<&MSVBVM60.rtcAnsiValueBstr>; ASCII value of String[ i]
0044381C .8B95 80FEFFFF MOV EDX,
00443822 .8B4D 80 MOV ECX,
00443825 .66:8B1451 MOV DX, ; load Box2
00443829 .66:03D0 ADD DX,AX ; String[ i] + Box2
0044382C .0F80 0F070000 JO dump.00443F41
00443832 .66:83F2 19 XOR DX,19 ; sum ^ 0x19
00443836 .8B85 84FEFFFF MOV EAX,
0044383C .8B4D 80 MOV ECX,
0044383F .66:891441 MOV ,DX ; store the result back into Box2
00443843 .8D8D FCFEFFFF LEA ECX,
00443849 .FF15 84124000 CALL [<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
0044384F .8D95 DCFEFFFF LEA EDX,
00443855 .52 PUSH EDX
00443856 .8D85 ECFEFFFF LEA EAX,
0044385C .50 PUSH EAX
0044385D .6A 02 PUSH 2
0044385F .FF15 30104000 CALL [<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
00443865 .83C4 0C ADD ESP,0C
00443868 .C745 FC 6600> MOV DWORD PTR ,66
0044386F .0FBF8D 08FFF> MOVSX ECX,WORD PTR
00443876 .898D 84FEFFFF MOV ,ECX
0044387C .83BD 84FEFFF> CMP DWORD PTR ,11
00443883 .73 0C JNB SHORT dump.00443891
00443885 .C785 98FDFFF> MOV DWORD PTR ,0
0044388F .EB 0C JMP SHORT dump.0044389D
00443891 >FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
00443897 .8985 98FDFFFF MOV ,EAX
0044389D >8B95 84FEFFFF MOV EDX,
004438A3 .8B45 80 MOV EAX,
004438A6 .66:8B4D A8 MOV CX,
004438AA .66:030C50 ADD CX, ; sum the result of each iteration, giving Result2
004438AE .0F80 8D060000 JO dump.00443F41
004438B4 .66:894D A8 MOV ,CX ; save the running sum Result2
004438B8 .C745 FC 6700> MOV DWORD PTR ,67
004438BF .66:8B95 08FF> MOV DX,
004438C6 .66:83C2 01 ADD DX,1 ; j = j + 1
004438CA .0F80 71060000 JO dump.00443F41
004438D0 .66:8995 08FF> MOV ,DX ; save j
004438D7 .C745 FC 6800> MOV DWORD PTR ,68
004438DE .66:83BD 08FF> CMP WORD PTR ,9 ; is j equal to 9?
004438E6 .75 10 JNZ SHORT dump.004438F8
004438E8 .C745 FC 6900> MOV DWORD PTR ,69
004438EF .66:C785 08FF> MOV WORD PTR ,1 ; if (j==9) j = 1
004438F8 >C745 FC 6B00> MOV DWORD PTR ,6B
004438FF .^ E9 21FEFFFF JMP dump.00443725 ; jump back and continue the loop
----------------------------------------------------------------------------------------------
00443904 >C745 FC 6C00> MOV DWORD PTR ,6C
0044390B .66:8B45 B4 MOV AX,
0044390F .66:0345 A8 ADD AX, ; Result1 + Result2
00443913 .0F80 28060000 JO dump.00443F41
00443919 .66:25 FF01 AND AX,1FF ; ( Result1 + Result2 ) & 0x1FF gives Result3
0044391D .79 08 JNS SHORT dump.00443927
0044391F .66:48 DEC AX
00443921 .66:0D 00FE OR AX,0FE00
00443925 .66:40 INC AX
00443927 >66:8985 50FF> MOV ,AX
0044392E .C745 FC 6D00> MOV DWORD PTR ,6D
00443935 .66:C785 08FF> MOV WORD PTR ,1
0044393E .C745 FC 6E00> MOV DWORD PTR ,6E
00443945 .66:C785 0CFF> MOV WORD PTR ,1
0044394E .C745 FC 6F00> MOV DWORD PTR ,6F
00443955 .66:8B4D B8 MOV CX,
00443959 .66:898D 34FE> MOV ,CX
00443960 .66:C785 38FE> MOV WORD PTR ,1
00443969 .66:C785 48FF> MOV WORD PTR ,1
00443972 .EB 1B JMP SHORT dump.0044398F
Next comes a very long loop. Its main job is to combine Box1, Box2 and Result3 with the XOR table XorBox and then look up the password table to obtain the true code.
00443974 >66:8B95 48FF> MOV DX, ; loop start
0044397B .66:0395 38FE> ADD DX,
00443982 .0F80 B9050000 JO dump.00443F41
00443988 .66:8995 48FF> MOV ,DX
0044398F >66:8B85 48FF> MOV AX,
00443996 .66:3B85 34FE> CMP AX, ; has the loop run 8 times?
0044399D .0F8F 32040000 JG dump.00443DD5
004439A3 .C745 FC 7000> MOV DWORD PTR ,70
004439AA .0FBF8D 48FFF> MOVSX ECX,WORD PTR
004439B1 .898D 80FEFFFF MOV ,ECX
004439B7 .83BD 80FEFFF> CMP DWORD PTR ,11
004439BE .73 0C JNB SHORT dump.004439CC
004439C0 .C785 94FDFFF> MOV DWORD PTR ,0
004439CA .EB 0C JMP SHORT dump.004439D8
004439CC >FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
004439D2 .8985 94FDFFFF MOV ,EAX
004439D8 >0FBF95 48FFF> MOVSX EDX,WORD PTR
004439DF .8995 7CFEFFFF MOV ,EDX
004439E5 .83BD 7CFEFFF> CMP DWORD PTR ,11
004439EC .73 0C JNB SHORT dump.004439FA
004439EE .C785 90FDFFF> MOV DWORD PTR ,0
004439F8 .EB 0C JMP SHORT dump.00443A06
004439FA >FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
00443A00 .8985 90FDFFFF MOV ,EAX
00443A06 >0FBF85 48FFF> MOVSX EAX,WORD PTR
00443A0D .8985 84FEFFFF MOV ,EAX
00443A13 .83BD 84FEFFF> CMP DWORD PTR ,11
00443A1A .73 0C JNB SHORT dump.00443A28
00443A1C .C785 8CFDFFF> MOV DWORD PTR ,0
00443A26 .EB 0C JMP SHORT dump.00443A34
00443A28 >FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
00443A2E .8985 8CFDFFFF MOV ,EAX
00443A34 >8B8D 80FEFFFF MOV ECX,
00443A3A .8B55 80 MOV EDX,
00443A3D .8B85 7CFEFFFF MOV EAX,
00443A43 .8B75 CC MOV ESI,
00443A46 .66:8B0C4A MOV CX, ; load Box2[ i]
00443A4A .66:330C46 XOR CX, ; Box2[ i] ^ XorBox[ i]
00443A4E .8B95 84FEFFFF MOV EDX,
00443A54 .8B45 80 MOV EAX,
00443A57 .66:890C50 MOV ,CX ; store the result back into Box2[ i]
00443A5B .C745 FC 7100> MOV DWORD PTR ,71
00443A62 .0FBF8D 48FFF> MOVSX ECX,WORD PTR
00443A69 .898D 84FEFFFF MOV ,ECX
00443A6F .83BD 84FEFFF> CMP DWORD PTR ,11
00443A76 .73 0C JNB SHORT dump.00443A84
00443A78 .C785 88FDFFF> MOV DWORD PTR ,0
00443A82 .EB 0C JMP SHORT dump.00443A90
00443A84 >FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
00443A8A .8985 88FDFFFF MOV ,EAX
00443A90 >0FBF95 48FFF> MOVSX EDX,WORD PTR
00443A97 .8995 80FEFFFF MOV ,EDX
00443A9D .83BD 80FEFFF> CMP DWORD PTR ,11
00443AA4 .73 0C JNB SHORT dump.00443AB2
00443AA6 .C785 84FDFFF> MOV DWORD PTR ,0
00443AB0 .EB 0C JMP SHORT dump.00443ABE
00443AB2 >FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
00443AB8 .8985 84FDFFFF MOV ,EAX
00443ABE >8B85 84FEFFFF MOV EAX,
00443AC4 .8B8D 28FFFFFF MOV ECX,
00443ACA .8B95 80FEFFFF MOV EDX,
00443AD0 .8B75 80 MOV ESI,
00443AD3 .66:8B0441 MOV AX, ; load Box1[ i]
00443AD7 .66:330456 XOR AX, ; Box1[ i] ^ Box2[ i]
00443ADB .66:8BC8 MOV CX,AX
00443ADE .66:81E1 FF01AND CX,1FF ; ( Box1[ i] ^ Box2[ i] ) & 0x1FF
00443AE3 .79 09 JNS SHORT dump.00443AEE
00443AE5 .66:49 DEC CX
00443AE7 .66:81C9 00FEOR CX,0FE00
00443AEC .66:41 INC CX
00443AEE >66:2B8D 50FF> SUB CX, ; result - Result3
00443AF5 .0F80 46040000 JO dump.00443F41
00443AFB .FF15 54104000 CALL [<&MSVBVM60.__vbaI2Abs>] ; absolute value, giving Result4
00443B01 .66:8985 10FF> MOV ,AX
00443B08 .C745 FC 7200> MOV DWORD PTR ,72
00443B0F .8B4D 10 MOV ECX,
00443B12 .66:8339 03 CMP WORD PTR ,3
00443B16 .0F85 10020000 JNZ dump.00443D2C
00443B1C .C745 FC 7300> MOV DWORD PTR ,73
00443B23 .66:83BD 10FF> CMP WORD PTR ,10
00443B2B .0F8D B3000000 JGE dump.00443BE4
00443B31 .C745 FC 7400> MOV DWORD PTR ,74
00443B38 .C785 B4FEFFF> MOV DWORD PTR ,dump.004>
00443B42 .C785 ACFEFFF> MOV DWORD PTR ,8
00443B4C .8D95 10FFFFFF LEA EDX,
00443B52 .8995 C4FEFFFF MOV ,EDX
00443B58 .C785 BCFEFFF> MOV DWORD PTR ,4002
00443B62 .8D85 BCFEFFFF LEA EAX,
00443B68 .50 PUSH EAX
00443B69 .8D8D ECFEFFFF LEA ECX,
00443B6F .51 PUSH ECX
00443B70 .FF15 E8114000 CALL [<&MSVBVM60.rtcHexVarFromVar>;MSVBVM60.rtcHexVarFromVar
00443B76 .8D55 B0 LEA EDX,
00443B79 .52 PUSH EDX
00443B7A .0FBF85 08FFF> MOVSX EAX,WORD PTR
00443B81 .50 PUSH EAX
00443B82 .6A 02 PUSH 2
00443B84 .8D8D ACFEFFFF LEA ECX,
00443B8A .51 PUSH ECX
00443B8B .8D95 ECFEFFFF LEA EDX,
00443B91 .52 PUSH EDX
00443B92 .8D85 DCFEFFFF LEA EAX,
00443B98 .50 PUSH EAX
00443B99 .FF15 9C114000 CALL [<&MSVBVM60.__vbaVarCat>] ;MSVBVM60.__vbaVarCat
00443B9F .50 PUSH EAX
00443BA0 .FF15 24104000 CALL [<&MSVBVM60.__vbaStrVarMove>>;MSVBVM60.__vbaStrVarMove
00443BA6 .8BD0 MOV EDX,EAX
00443BA8 .8D8D FCFEFFFF LEA ECX,
00443BAE .FF15 50124000 CALL [<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
00443BB4 .50 PUSH EAX
00443BB5 .6A 00 PUSH 0
00443BB7 .FF15 78124000 CALL [<&MSVBVM60.__vbaMidStmtBstr>;MSVBVM60.__vbaMidStmtBstr
00443BBD .8D8D FCFEFFFF LEA ECX,
00443BC3 .FF15 84124000 CALL [<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
00443BC9 .8D8D DCFEFFFF LEA ECX,
00443BCF .51 PUSH ECX
00443BD0 .8D95 ECFEFFFF LEA EDX,
00443BD6 .52 PUSH EDX
00443BD7 .6A 02 PUSH 2
00443BD9 .FF15 30104000 CALL [<&MSVBVM60.__vbaFreeVarList>;MSVBVM60.__vbaFreeVarList
00443BDF .83C4 0C ADD ESP,0C
00443BE2 .EB 7B JMP SHORT dump.00443C5F
00443BE4 >C745 FC 7600> MOV DWORD PTR ,76
00443BEB .8D85 10FFFFFF LEA EAX,
00443BF1 .8985 C4FEFFFF MOV ,EAX
00443BF7 .C785 BCFEFFF> MOV DWORD PTR ,4002
00443C01 .8D8D BCFEFFFF LEA ECX,
00443C07 .51 PUSH ECX
00443C08 .8D95 ECFEFFFF LEA EDX,
00443C0E .52 PUSH EDX
00443C0F .FF15 E8114000 CALL [<&MSVBVM60.rtcHexVarFromVar>; convert Result4 to hexadecimal text
00443C15 .8D45 B0 LEA EAX,
00443C18 .50 PUSH EAX
00443C19 .0FBF8D 08FFF> MOVSX ECX,WORD PTR
00443C20 .51 PUSH ECX
00443C21 .6A 02 PUSH 2
00443C23 .8D95 ECFEFFFF LEA EDX,
00443C29 .52 PUSH EDX
00443C2A .FF15 24104000 CALL [<&MSVBVM60.__vbaStrVarMove>>;MSVBVM60.__vbaStrVarMove
00443C30 .8BD0 MOV EDX,EAX
00443C32 .8D8D FCFEFFFF LEA ECX,
00443C38 .FF15 50124000 CALL [<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
00443C3E .50 PUSH EAX
00443C3F .6A 00 PUSH 0
00443C41 .FF15 78124000 CALL [<&MSVBVM60.__vbaMidStmtBstr>; take the first two digits of each round's result and concatenate them into the true code
00443C47 .8D8D FCFEFFFF LEA ECX,
00443C4D .FF15 84124000 CALL [<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
00443C53 .8D8D ECFEFFFF LEA ECX,
00443C59 .FF15 20104000 CALL [<&MSVBVM60.__vbaFreeVar>] ;MSVBVM60.__vbaFreeVar
00443C5F >C745 FC 7800> MOV DWORD PTR ,78
00443C66 .66:83BD 0CFF> CMP WORD PTR ,2 ; is it 2?
00443C6E .75 58 JNZ SHORT dump.00443CC8
00443C70 .66:83BD 08FF> CMP WORD PTR ,12
00443C78 .7D 4E JGE SHORT dump.00443CC8
00443C7A .C745 FC 7900> MOV DWORD PTR ,79
00443C81 .66:8B85 08FF> MOV AX,
00443C88 .66:05 0100 ADD AX,1
00443C8C .0F80 AF020000 JO dump.00443F41
00443C92 .66:8985 08FF> MOV ,AX
00443C99 .C745 FC 7A00> MOV DWORD PTR ,7A
00443CA0 .8D4D B0 LEA ECX,
00443CA3 .51 PUSH ECX
00443CA4 .66:8B95 08FF> MOV DX,
00443CAB .66:83C2 01 ADD DX,1
00443CAF .0F80 8C020000 JO dump.00443F41
00443CB5 .0FBFC2 MOVSX EAX,DX
00443CB8 .50 PUSH EAX
00443CB9 .6A 01 PUSH 1
00443CBB .68 689E4000 PUSH dump.00409E68
00443CC0 .6A 00 PUSH 0
00443CC2 .FF15 78124000 CALL [<&MSVBVM60.__vbaMidStmtBstr>; if it is 2, append a "-" to the registration code
00443CC8 >C745 FC 7C00> MOV DWORD PTR ,7C
00443CCF .66:8B8D 08FF> MOV CX,
00443CD6 .66:83C1 02 ADD CX,2
00443CDA .0F80 61020000 JO dump.00443F41
00443CE0 .66:898D 08FF> MOV ,CX
00443CE7 .C745 FC 7D00> MOV DWORD PTR ,7D
00443CEE .66:8B95 0CFF> MOV DX,
00443CF5 .66:83C2 01 ADD DX,1
00443CF9 .0F80 42020000 JO dump.00443F41
00443CFF .66:8995 0CFF> MOV ,DX
00443D06 .C745 FC 7E00> MOV DWORD PTR ,7E
00443D0D .66:83BD 0CFF> CMP WORD PTR ,3
00443D15 .75 10 JNZ SHORT dump.00443D27
00443D17 .C745 FC 7F00> MOV DWORD PTR ,7F
00443D1E .66:C785 0CFF> MOV WORD PTR ,1
00443D27 >E9 9D000000 JMP dump.00443DC9
00443D2C >C745 FC 8200> MOV DWORD PTR ,82
00443D33 .0FBF85 10FFF> MOVSX EAX,WORD PTR
00443D3A .8985 84FEFFFF MOV ,EAX
00443D40 .81BD 84FEFFF> CMP DWORD PTR ,201
00443D4A .73 0C JNB SHORT dump.00443D58
00443D4C .C785 80FDFFF> MOV DWORD PTR ,0
00443D56 .EB 0C JMP SHORT dump.00443D64
00443D58 >FF15 F0104000 CALL [<&MSVBVM60.__vbaGenerateBou>;MSVBVM60.__vbaGenerateBoundsError
00443D5E .8985 80FDFFFF MOV ,EAX
00443D64 >8B8D 84FEFFFF MOV ECX,
00443D6A .8B55 9C MOV EDX,
00443D6D .0FBF044A MOVSX EAX,WORD PTR
00443D71 .50 PUSH EAX
00443D72 .8D8D ECFEFFFF LEA ECX,
00443D78 .51 PUSH ECX
00443D79 .FF15 7C114000 CALL [<&MSVBVM60.rtcVarBstrFromAn>;MSVBVM60.rtcVarBstrFromAnsi
00443D7F .8D55 B0 LEA EDX,
00443D82 .52 PUSH EDX
00443D83 .0FBF85 48FFF> MOVSX EAX,WORD PTR
00443D8A .50 PUSH EAX
00443D8B .6A 01 PUSH 1
00443D8D .8D8D ECFEFFFF LEA ECX,
00443D93 .51 PUSH ECX
00443D94 .FF15 24104000 CALL [<&MSVBVM60.__vbaStrVarMove>>;MSVBVM60.__vbaStrVarMove
00443D9A .8BD0 MOV EDX,EAX
00443D9C .8D8D FCFEFFFF LEA ECX,
00443DA2 .FF15 50124000 CALL [<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
00443DA8 .50 PUSH EAX
00443DA9 .6A 00 PUSH 0
00443DAB .FF15 78124000 CALL [<&MSVBVM60.__vbaMidStmtBstr>;MSVBVM60.__vbaMidStmtBstr
00443DB1 .8D8D FCFEFFFF LEA ECX,
00443DB7 .FF15 84124000 CALL [<&MSVBVM60.__vbaFreeStr>] ;MSVBVM60.__vbaFreeStr
00443DBD .8D8D ECFEFFFF LEA ECX,
00443DC3 .FF15 20104000 CALL [<&MSVBVM60.__vbaFreeVar>] ;MSVBVM60.__vbaFreeVar
00443DC9 >C745 FC 8400> MOV DWORD PTR ,84
00443DD0 .^ E9 9FFBFFFF JMP dump.00443974 ; jump back and loop
Here the loop finally ends. Roughly, it computes:
( Result3 & 0x1FF ) - ( Box1[ i] ^ Box2[ i] ^ XorBox[ i] & 0x1FF )
then takes the absolute value, uses the result to look up the password character table, and concatenates the results to get the true code. The "-" inserted into the registration code in the loop above has no effect, because the program strips the "-" again later.
00443DD5 >C745 FC 8500> MOV DWORD PTR ,85
00443DDC .6A 00 PUSH 0
00443DDE .6A FF PUSH -1
00443DE0 .6A 01 PUSH 1
00443DE2 .68 587A4000 PUSH dump.00407A58
00443DE7 .68 689E4000 PUSH dump.00409E68
00443DEC .8B55 B0 MOV EDX,
00443DEF .52 PUSH EDX
00443DF0 .FF15 64114000 CALL [<&MSVBVM60.rtcReplace>] ; strip the "-" from the registration code
00443DF6 .8BD0 MOV EDX,EAX
----------------------------------------------------------------------------------------------
That is the process that generates the true code. Follow the code on; after the Retn you arrive at the place where the true code and the fake code are compared.
004336DE > \8D45 A4 LEA EAX,
004336E1 .50 PUSH EAX
004336E2 .8D4D D8 LEA ECX,
004336E5 .51 PUSH ECX
004336E6 .8D55 A8 LEA EDX,
004336E9 .52 PUSH EDX
004336EA .E8 71EB0000 CALL dump.00442260 ; obtain the true code
004336EF .8BD0 MOV EDX,EAX
004336F1 .8D4D D0 LEA ECX,
004336F4 .FF15 50124000 CALL [<&MSVBVM60.__vbaStrMove>] ;MSVBVM60.__vbaStrMove
004336FA .50 PUSH EAX
004336FB .8B45 D4 MOV EAX,
004336FE .50 PUSH EAX
004336FF .FF15 F4104000 CALL [<&MSVBVM60.__vbaStrCmp>] ; compare the true code with the fake code
00433705 .8BF8 MOV EDI,EAX
00433707 .F7DF NEG EDI
00433709 .1BFF SBB EDI,EDI
0043370B .47 INC EDI
0043370C .F7DF NEG EDI
0043370E .8D4D D4 LEA ECX,
00433711 .51 PUSH ECX
00433712 .8D55 D0 LEA EDX,
00433715 .52 PUSH EDX
00433716 .8D45 D8 LEA EAX,
00433719 .50 PUSH EAX
0043371A .6A 03 PUSH 3
0043371C .FF15 F4114000 CALL [<&MSVBVM60.__vbaFreeStrList>;MSVBVM60.__vbaFreeStrList
00433722 .8D4D B8 LEA ECX,
00433725 .51 PUSH ECX
00433726 .8D55 BC LEA EDX,
00433729 .52 PUSH EDX
0043372A .6A 02 PUSH 2
0043372C .FF15 40104000 CALL [<&MSVBVM60.__vbaFreeObjList>;MSVBVM60.__vbaFreeObjList
00433732 .83C4 1C ADD ESP,1C
00433735 .8D4D A8 LEA ECX,
00433738 .FF15 20104000 CALL [<&MSVBVM60.__vbaFreeVar>] ;MSVBVM60.__vbaFreeVar
0043373E .66:3BFB CMP DI,BX
00433741 .0F84 EB010000 JE dump.00433932 ; patch point
00433747 .8B06 MOV EAX,
A typical plaintext comparison.
----------------------------------------------------------------------------------------------
【Cracking notes】
The program takes each character MCode[ i] of the machine code, XORs it with 0x12, and stores each round's result in Box1 in turn; once i goes past 8 it wraps back to the first slot of Box1, and it also accumulates the sum of all rounds' results, Result1.
Then it does the same with each character String[ i] of the fixed string "SUY2TjhXRjQ2QjdIVThKSA", XORed with 0x19, storing each round's result in Box2 in turn; once i goes past 8 it wraps back to the first slot of Box2 (note: if the previous loop stopped filling at the third slot of Box1, Box2 starts filling from the fourth slot, continuing the position count used for Box1), and it also accumulates the sum of all rounds' results, Result2.
[( Result1 + Result2 ) & 0x1FF ] - ( Box1[ i] ^ Box2[ i] ^ XorBox[ i] & 0x1FF )
The absolute value of the result is then converted to hexadecimal text, and the rounds' results are concatenated to give the true code.
A new year is here. The past year was not especially smooth for me; I hope the new one brings better luck and bigger progress in skill. There is far too much to learn, so one step at a time! Happy New Year to everyone on the forum as well.
【Keygen source】
/******************************************************************************/
/* */
/* Microsoft Visual C++ 6.0 MFC --> KeygenDlg.cpp */
/* */
/* Compiles on Microsoft Windows XP Professional Service Pack 2 */
/* */
/******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// XOR table read out of the program (used by the third loop above)
int XorBox[16] = {46, 89,142, 63,231, 32,129,51, 28, 97,248, 41,136, 53, 78,164} ;
// the fixed string processed by the second loop
char MCode2[] = "SUY2TjhXRjQ2QjdIVThKSA" ;

void CKeygenDlg::OnChangeEdit1()
{
    // TODO: If this is a RICHEDIT control, the control will not
    // send this notification unless you override the CDialog::OnInitDialog()
    // function and call CRichEditCtrl().SetEventMask()
    // with the ENM_CHANGE flag ORed into the mask.
    // TODO: Add your control notification handler code here
    UpdateData (true) ;
    int Box1[8] = {0,0,0,0,0,0,0,0} , Box2[8] = {0,0,0,0,0,0,0,0} ;
    int i , j = 0 , n , Result1 = 0 , Result2 = 0 ;
    char MCode[256] ;   // machine-code buffer (the size is an assumption; the array bounds were lost in extraction)
    m_Edit2 = "" ;
    n = m_Edit1.GetLength () ;
    if ( n >= (int) sizeof ( MCode ) ) return ;   // keep the strcpy below in bounds
    strcpy ( MCode , m_Edit1 ) ;
    // loop 1: fold the machine code into Box1 (j wraps after 8 slots), summing into Result1
    for ( i = 0 ; i < n ; i++ ){
        Box1[j] = ( MCode[i] + Box1[j] ) ^ 0x12 ;
        Result1 += Box1[j] ;
        j++ ;
        if ( j == 8 ) j = 0 ;
    }
    // loop 2: fold the fixed string into Box2; j carries on from where loop 1 stopped
    for ( i = 0 ; i < 22 ; i++ ){
        Box2[j] = ( MCode2[i] + Box2[j] ) ^ 0x19 ;
        Result2 += Box2[j] ;
        j++ ;
        if ( j == 8 ) j = 0 ;
    }
    Result1 = ( Result1 + Result2 ) & 0x1FF ;   // Result3 in the analysis above
    // loop 3: one byte of the true code per slot, emitted as two hex digits
    for ( i = 0 ; i < 8 ; i++ ) {
        Result2 = abs ( Result1 - ( Box1[i] ^ Box2[i] ^ XorBox[i] & 0x1FF )) ;
        sprintf ( MCode , "%02X" , Result2 ) ;
        MCode[2] = 0 ;   // keep only the first two hex digits, as the program does
        m_Edit2 += MCode ;
    }
    UpdateData (false) ;
}
----------------------------------------------------------------------------------------------
【Disclaimer】 I am just a little newbie who picked up a bit of insight and wants to share it with everyone :)
【Copyright】 This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thanks!
----------------------------------------------------------------------------------------------
Article written 2005-12-30 23:01:59
Reply:
"With the breakpoint set, register again; the program is caught. Single-step out of MSVBVM60.dll's territory into the program's own code, where we find it inside a loop processing the machine code"
How can you tell whether you have stepped out of MSVBVM60.DLL?