ZC RM RMVB to DVD Creator 1.4 & 1.4.2: a brief look at the algorithm
The program is not packed and was built with Microsoft Visual C++ 6.0.
1. Registration verification:
Enter fake registration information:
xbb
12345678-22345678-32345678-42345678-52345678-62345678-72345678-82345678
0040A99B .E8 ECCD0100 CALL <JMP.&MFC42.#6334_?UpdateData@CWnd@>;fetch the registration fields
0040A9A0 .8B86 34010000 MOV EAX,DWORD PTR DS: ;registration code
0040A9A6 .8B8E 38010000 MOV ECX,DWORD PTR DS: ;user name
0040A9AC .50 PUSH EAX
0040A9AD .51 PUSH ECX
0040A9AE .E8 CD100000 CALL ZC_RM_RM.0040BA80 ;algorithm Call
0040A9B3 .83C4 08 ADD ESP,8
0040A9B6 .85C0 TEST EAX,EAX
0040A9B8 .75 2A JNZ SHORT ZC_RM_RM.0040A9E4
…………
0040A9E4 > \8B86 38010000 MOV EAX,DWORD PTR DS: ;user name
0040A9EA .8D8C24 040100>LEA ECX,DWORD PTR SS:
0040A9F1 .50 PUSH EAX ; /<%s>
0040A9F2 .68 30594300 PUSH ZC_RM_RM.00435930 ; |format = "This copy is licensed to:%s "
0040A9F7 .51 PUSH ECX ; |s
0040A9F8 .FF15 14C74200 CALL DWORD PTR DS:[<&MSVCRT.sprintf>] ; \sprintf
0040A9FE .83C4 0C ADD ESP,0C
0040AA01 .E8 82B20100 CALL <JMP.&SkinMagic.#10>
0040AA06 .6A 40 PUSH 40
0040AA08 .8D9424 080100>LEA EDX,DWORD PTR SS:
0040AA0F .68 24594300 PUSH ZC_RM_RM.00435924 ;ASCII "Thank you"
0040AA14 .52 PUSH EDX
0040AA15 .8BCE MOV ECX,ESI
0040AA17 .E8 58CD0100 CALL <JMP.&MFC42.#4224_?MessageBoxA@CWnd@@QAEHPBD0I@Z>;show the "thank you for registering" dialog
0040AA1C .68 74414300 PUSH ZC_RM_RM.00434174 ;ASCII "GenDialog"
0040AA21 .E8 5CB20100 CALL <JMP.&SkinMagic.#8>
0040AA26 .8B8E 38010000 MOV ECX,DWORD PTR DS: ;stack DS:=006C84E0, (ASCII "xbb")
0040AA2C .BA 50A24300 MOV EDX,ZC_RM_RM.0043A250 ;0043A25000000000
0040AA31 >8A01 MOV AL,BYTE PTR DS: ;Nth byte of the user name into AL
0040AA33 .41 INC ECX
0040AA34 .8802 MOV BYTE PTR DS:,AL ;stored byte by byte at 43A250
0040AA36 .42 INC EDX
0040AA37 .84C0 TEST AL,AL
0040AA39 .^ 75 F6 JNZ SHORT ZC_RM_RM.0040AA31 ;save the user name into the data segment
0040AA3B .8B8E 34010000 MOV ECX,DWORD PTR DS: ;fake registration code
0040AA41 .BA 48A14300 MOV EDX,ZC_RM_RM.0043A148 ;0043A14800000000
0040AA46 >8A01 MOV AL,BYTE PTR DS: ;Nth byte of the registration code into AL
0040AA48 .41 INC ECX
0040AA49 .8802 MOV BYTE PTR DS:,AL ;stored byte by byte at 43A148
0040AA4B .42 INC EDX
0040AA4C .84C0 TEST AL,AL
0040AA4E .^ 75 F6 JNZ SHORT ZC_RM_RM.0040AA46 ;save the registration code into the data segment
0040AA50 .8D4424 04 LEA EAX,DWORD PTR SS:
0040AA54 .57 PUSH EDI
0040AA55 .50 PUSH EAX
0040AA56 .C705 50A34300>MOV DWORD PTR DS:,1 ;set the flag to 1
0040AA60 .E8 2B1A0000 CALL ZC_RM_RM.0040C490
0040AA65 .8D7C24 0C LEA EDI,DWORD PTR SS: ;stack address=0012843C, (ASCII "C:\Program Files\ZC RM RMVB to DVD Creator\")
0040AA69 .83C9 FF OR ECX,FFFFFFFF
0040AA6C .33C0 XOR EAX,EAX
0040AA6E .83C4 04 ADD ESP,4
0040AA71 .F2:AE REPNE SCAS BYTE PTR ES:
0040AA73 .F7D1 NOT ECX
0040AA75 .49 DEC ECX
0040AA76 .BA 14594300 MOV EDX,ZC_RM_RM.00435914 ;ASCII "register.ini"
0040AA7B .8D4C0C 08 LEA ECX,DWORD PTR SS:
0040AA7F .2BCA SUB ECX,EDX
0040AA81 >8A02 MOV AL,BYTE PTR DS:
0040AA83 .880411 MOV BYTE PTR DS:,AL
0040AA86 .42 INC EDX
0040AA87 .84C0 TEST AL,AL
0040AA89 .^ 75 F6 JNZ SHORT ZC_RM_RM.0040AA81
0040AA8B .8B3D 10C14200 MOV EDI,DWORD PTR DS:[<&KERNEL32.WritePrivateProfileS>;kernel32.WritePrivateProfileStringA
0040AA91 .8D4C24 08 LEA ECX,DWORD PTR SS:
0040AA95 .51 PUSH ECX ; /FileName
0040AA96 .68 50A24300 PUSH ZC_RM_RM.0043A250 ; |String = "xbb"
0040AA9B .68 08594300 PUSH ZC_RM_RM.00435908 ; |Key = "User name"
0040AAA0 .68 64434300 PUSH ZC_RM_RM.00434364 ; |Section = "Register"
0040AAA5 .FFD7 CALL EDI ; \WritePrivateProfileStringA
0040AAA7 .8D5424 08 LEA EDX,DWORD PTR SS:
0040AAAB .52 PUSH EDX ; /FileName
0040AAAC .68 48A14300 PUSH ZC_RM_RM.0043A148 ; |String = "12345678-22345678-32345678-42345678-52345678-62345678-72345678-82345678"
0040AAB1 .68 F4584300 PUSH ZC_RM_RM.004358F4 ; |Key = "Registration code"
0040AAB6 .68 64434300 PUSH ZC_RM_RM.00434364 ; |Section = "Register"
0040AABB .FFD7 CALL EDI ; \WritePrivateProfileStringA
0040AABD .8BCE MOV ECX,ESI
0040AABF .E8 C4CA0100 CALL <JMP.&MFC42.#4853_?OnOK@CDialog@@MAEXXZ>
0040AAC4 .5F POP EDI
0040AAC5 .5E POP ESI
0040AAC6 .81C4 00020000 ADD ESP,200
0040AACC .C3 RETN ;create the Register.ini file and save the registration info
Step into the algorithm Call:
0040A9AE .E8 CD100000 CALL ZC_RM_RM.0040BA80
(The algorithm Call is called from four places: local calls from 0040A9AE, 0040BF89, 0040C043, 0040C059)
0040BAA5|.8D4C24 10 LEA ECX,DWORD PTR SS:
0040BAA9|.C74424 60 875>MOV DWORD PTR SS:,4D185187 ;fixed constants 4D185187
0040BAB1|.C74424 64 874>MOV DWORD PTR SS:,3CAB4D87 ;3CAB4D87
0040BAB9|.C74424 68 C76>MOV DWORD PTR SS:,C62C60C7 ;C62C60C7
0040BAC1|.C74424 6C 9E3>MOV DWORD PTR SS:,EDBD329E ;EDBD329E
0040BAC9|.C74424 70 9CA>MOV DWORD PTR SS:,87C5A89C ;87C5A89C
0040BAD1|.C74424 74 995>MOV DWORD PTR SS:,B81B5299 ;B81B5299
0040BAD9|.C74424 78 142>MOV DWORD PTR SS:,E6CE2814 ;E6CE2814
0040BAE1|.C74424 7C FA6>MOV DWORD PTR SS:,95CA60FA ;95CA60FA
0040BAE9|.E8 54BB0100 CALL <JMP.&MFC42.#537_??0CString@@QAE@PBD@Z> ;user name and registration code placed into memory
0040BAEE|.8B8C24 B00000>MOV ECX,DWORD PTR SS: ;stack SS:=006C9268, (ASCII "12345678-2345678-3245678-42345678-52345678-62345678-72345678-82345678")
0040BAF5|.C78424 A40000>MOV DWORD PTR SS:,0
0040BB00|.51 PUSH ECX ;push onto the stack
0040BB01|.8D4C24 0C LEA ECX,DWORD PTR SS: ;stack address=0012838C
0040BB05|.E8 38BB0100 CALL <JMP.&MFC42.#537_??0CString@@QAE@PBD@Z> ;00128380006C9268ASCII "12345678-2345678-3245678-42345678-52345678-62345678-72345678-82345678"
0040BB0A|.68 085C4300 PUSH ZC_RM_RM.00435C08 ;00435C0800000020
0040BB0F|.8D4C24 10 LEA ECX,DWORD PTR SS: ;00128390006C85D0ASCII "xbb"
0040BB13|.C68424 A80000>MOV BYTE PTR SS:,1
0040BB1B|.E8 08BD0100 CALL <JMP.&MFC42.#6928_?TrimLeft@CString@@QAEXPBD@Z>;TrimRight() strips leading spaces
0040BB20|.68 085C4300 PUSH ZC_RM_RM.00435C08
0040BB25|.8D4C24 10 LEA ECX,DWORD PTR SS:
0040BB29|.E8 F4BC0100 CALL <JMP.&MFC42.#6930_?TrimRight@CString@@QAEXPBD@Z> ;TrimRight() strips trailing spaces from the string
0040BB2E|.68 085C4300 PUSH ZC_RM_RM.00435C08
0040BB33|.8D4C24 0C LEA ECX,DWORD PTR SS: ;registration code
0040BB37|.E8 ECBC0100 CALL <JMP.&MFC42.#6928_?TrimLeft@CString@@QAEXPBD@Z>;same as above
0040BB3C|.68 085C4300 PUSH ZC_RM_RM.00435C08
0040BB41|.8D4C24 0C LEA ECX,DWORD PTR SS:
0040BB45|.E8 D8BC0100 CALL <JMP.&MFC42.#6930_?TrimRight@CString@@QAEXPBD@Z> ;same as above
0040BB4A|.8B4424 0C MOV EAX,DWORD PTR SS: ;user name
0040BB4E|.BE 08A14300 MOV ESI,ZC_RM_RM.0043A108 ;0043A18000000000
0040BB53|>8A10 /MOV DL,BYTE PTR DS: ;ASCII value of byte N of the user name into DL
0040BB55|.8A1E |MOV BL,BYTE PTR DS:
0040BB57|.8ACA |MOV CL,DL
0040BB59|.3AD3 |CMP DL,BL ;compare with the value at 43A180, i.e. with 00
0040BB5B|.75 1E |JNZ SHORT ZC_RM_RM.0040BB7B
…………
0040BB82|.0F84 58020000 JE ZC_RM_RM.0040BDE0 ;if the user name is not empty, execute the code below
0040BB88|.8B4424 08 MOV EAX,DWORD PTR SS: ;registration code
0040BB8C|.BE 08A14300 MOV ESI,ZC_RM_RM.0043A108 ;0043A18000000000
0040BB91|>8A10 /MOV DL,BYTE PTR DS: ;ASCII value of byte N of the registration code into DL
0040BB93|.8A1E |MOV BL,BYTE PTR DS:
0040BB95|.8ACA |MOV CL,DL
0040BB97|.3AD3 |CMP DL,BL ;compare with 00
0040BB99|.75 1E |JNZ SHORT ZC_RM_RM.0040BBB9
…………
0040BBC0|.0F84 1A020000 JE ZC_RM_RM.0040BDE0 ;if the registration code is not empty, execute the code below
0040BBC6|.57 PUSH EDI
0040BBC7|.6A 00 PUSH 0
0040BBC9|.8D4C24 44 LEA ECX,DWORD PTR SS:
0040BBCD|.E8 FEF40000 CALL ZC_RM_RM.0041B0D0
0040BBD2|.6A 00 PUSH 0
0040BBD4|.8D4C24 4C LEA ECX,DWORD PTR SS:
0040BBD8|.C68424 AC0000>MOV BYTE PTR SS:,2 ;2
0040BBE0|.E8 EBF40000 CALL ZC_RM_RM.0041B0D0
0040BBE5|.B3 03 MOV BL,3
0040BBE7|.68 01000100 PUSH 10001
0040BBEC|.8D4C24 5C LEA ECX,DWORD PTR SS:
0040BBF0|.889C24 AC0000>MOV BYTE PTR SS:,BL ;3
0040BBF7|.E8 D4F40000 CALL ZC_RM_RM.0041B0D0
0040BBFC|.8D4424 58 LEA EAX,DWORD PTR SS:
0040BC00|.8D4C24 48 LEA ECX,DWORD PTR SS:
0040BC04|.50 PUSH EAX
0040BC05|.C68424 AC0000>MOV BYTE PTR SS:,4 ;4
0040BC0D|.E8 1EF50000 CALL ZC_RM_RM.0041B130
0040BC12|.8D4C24 58 LEA ECX,DWORD PTR SS:
0040BC16|.889C24 A80000>MOV BYTE PTR SS:,BL
0040BC1D|.E8 5EF50000 CALL ZC_RM_RM.0041B180
0040BC22|.8D4C24 60 LEA ECX,DWORD PTR SS: ;ss=001283E04D185187
0040BC26|.6A 08 PUSH 8
0040BC28|.51 PUSH ECX
0040BC29|.8D4C24 48 LEA ECX,DWORD PTR SS:
0040BC2D|.E8 6EF30000 CALL ZC_RM_RM.0041AFA0 ;copy the fixed parameters
0040BC32|.B9 08000000 MOV ECX,8 ;8
0040BC37|.33C0 XOR EAX,EAX
0040BC39|.8D7C24 18 LEA EDI,DWORD PTR SS: ;1
0040BC3D|.8D5424 34 LEA EDX,DWORD PTR SS: ;user name
0040BC41|.F3:AB REP STOS DWORD PTR ES:
0040BC43|.8D4424 30 LEA EAX,DWORD PTR SS:
0040BC47|.52 PUSH EDX
0040BC48|.8D4C24 30 LEA ECX,DWORD PTR SS:
0040BC4C|.50 PUSH EAX
0040BC4D|.8D5424 30 LEA EDX,DWORD PTR SS:
0040BC51|.51 PUSH ECX
0040BC52|.8D4424 30 LEA EAX,DWORD PTR SS:
0040BC56|.52 PUSH EDX
0040BC57|.8D4C24 30 LEA ECX,DWORD PTR SS:
0040BC5B|.50 PUSH EAX
0040BC5C|.8D5424 30 LEA EDX,DWORD PTR SS:
0040BC60|.51 PUSH ECX ;these pushes reserve space for the real code
0040BC61|.8B4C24 24 MOV ECX,DWORD PTR SS: ;registration code
0040BC65|.8D4424 30 LEA EAX,DWORD PTR SS: ;0012839800000000
0040BC69|.52 PUSH EDX
0040BC6A|.50 PUSH EAX
0040BC6B|.68 D45B4300 PUSH ZC_RM_RM.00435BD4 ; |registration format: 00435BD4=ZC_RM_RM.00435BD4 (ASCII "%08lX-%08lX-%08lX-%08lX-%08lX-%08lX-%08lX-%08lX")
0040BC70|.51 PUSH ECX ; |S =ECX=006C8620, (ASCII "www.chinapyg.com")
0040BC71|.FF15 D4C64200 CALL DWORD PTR DS:[<&MSVCRT.sscanf>] ; \sscanf
0040BC77|.8B5424 4C MOV EDX,DWORD PTR SS: ;segment 4 of the registration code into EDX
0040BC7B|.8B4424 50 MOV EAX,DWORD PTR SS: ;segment 5 into EAX
0040BC7F|.8B7424 48 MOV ESI,DWORD PTR SS: ;segment 3 into ESI
0040BC83|.8B4C24 5C MOV ECX,DWORD PTR SS: ;segment 8 into ECX
0040BC87|.03C2 ADD EAX,EDX ;X1=EAX=segment 4 + segment 5
0040BC89|.8B5424 44 MOV EDX,DWORD PTR SS: ;segment 2 into EDX
0040BC8D|.03C6 ADD EAX,ESI ;X1=X1+segment 3
0040BC8F|.8B7C24 58 MOV EDI,DWORD PTR SS: ;segment 7 into EDI
0040BC93|.03C2 ADD EAX,EDX ;X1=X1+segment 2
0040BC95|.8B5424 54 MOV EDX,DWORD PTR SS: ;segment 6 into EDX
0040BC99|.33C8 XOR ECX,EAX ;X2=segment 8 XOR X1
0040BC9B|.83C4 28 ADD ESP,28
0040BC9E|.894C24 34 MOV DWORD PTR SS:,ECX ;X2 stored at the address holding segment 8, 001283B482345678
0040BCA2|.8B4C24 18 MOV ECX,DWORD PTR SS: ;segment 1 into ECX
0040BCA6|.03D1 ADD EDX,ECX ;X3=segment 6 + segment 1
0040BCA8|.6A 00 PUSH 0 ;0
0040BCAA|.33FA XOR EDI,EDX ;X4=segment 7 XOR 7468ACF0 ???
0040BCAC|.8D4C24 3C LEA ECX,DWORD PTR SS: ;001283B800020C7E
0040BCB0|.897C24 34 MOV DWORD PTR SS:,EDI ;X4 stored at the address holding segment 7, 001283B072345678
0040BCB4|.E8 17F40000 CALL ZC_RM_RM.0041B0D0 ;
0040BCB9|.8D4424 18 LEA EAX,DWORD PTR SS:
0040BCBD|.6A 08 PUSH 8
0040BCBF|.50 PUSH EAX
0040BCC0|.8D4C24 40 LEA ECX,DWORD PTR SS: ;001283B8009D1010
0040BCC4|.C68424 B00000>MOV BYTE PTR SS:,5 ;5
0040BCCC|.E8 CFF20000 CALL ZC_RM_RM.0041AFA0 ;copy the memory result of the computation above to the address starting at 9D4CD0
0040BCD1|.8D4C24 38 LEA ECX,DWORD PTR SS:
0040BCD5|.8D5424 50 LEA EDX,DWORD PTR SS:
0040BCD9|.51 PUSH ECX
0040BCDA|.52 PUSH EDX
0040BCDB|.8D4C24 48 LEA ECX,DWORD PTR SS:
0040BCDF|.E8 6CEA0000 CALL ZC_RM_RM.0041A750 ;
0040BCE4|.B9 08000000 MOV ECX,8
0040BCE9|.33C0 XOR EAX,EAX
0040BCEB|.8D7C24 18 LEA EDI,DWORD PTR SS:
0040BCEF|.6A 08 PUSH 8
0040BCF1|.F3:AB REP STOS DWORD PTR ES: ;zero the memory at 128398
0040BCF3|.8D4424 1C LEA EAX,DWORD PTR SS:
0040BCF7|.8D4C24 54 LEA ECX,DWORD PTR SS:
0040BCFB|.50 PUSH EAX
0040BCFC|.C68424 B00000>MOV BYTE PTR SS:,6 ;6
0040BD04|.E8 D7F20000 CALL ZC_RM_RM.0041AFE0 ;
0040BD09|.B9 08000000 MOV ECX,8
0040BD0E|.33C0 XOR EAX,EAX
0040BD10|.8DBC24 800000>LEA EDI,DWORD PTR SS:
0040BD17|.F3:AB REP STOS DWORD PTR ES: ;zero the 8 dwords starting at 128400
0040BD19|.5F POP EDI
0040BD1A|>8A4C04 17 /MOV CL,BYTE PTR SS: ;byte 1 of the real code into CL, 80
0040BD1E|.8A5404 16 |MOV DL,BYTE PTR SS: ;byte 2 of the real code into CL, 37
0040BD22|.884C04 7C |MOV BYTE PTR SS:,CL ;byte 1 stored at 128400
0040BD26|.8B4C04 14 |MOV ECX,DWORD PTR SS: ;segment 1 of the real code into ECX
0040BD2A|.885404 7D |MOV BYTE PTR SS:,DL ;byte 2 stored at 128401
0040BD2E|.8A5404 14 |MOV DL,BYTE PTR SS: ;byte 4 into DL, 09
0040BD32|.C1E9 08 |SHR ECX,8 ;EAX shifted right by 8 bits, Y1=008037E2
0040BD35|.884C04 7E |MOV BYTE PTR SS:,CL ;CL after the shift stored at 128402, E2
0040BD39|.885404 7F |MOV BYTE PTR SS:,DL ;128403=DL=09
0040BD3D|.83C0 04 |ADD EAX,4 ;advance the pointer
0040BD40|.83F8 20 |CMP EAX,20 ;compare with 32 decimal
0040BD43|.^ 7C D5 \JL SHORT ZC_RM_RM.0040BD1A ;loop while less. The 8 segments computed above are taken from high to low and stored from low to high starting at 128400
0040BD45|.8D4424 7C LEA EAX,DWORD PTR SS: ;stack address=00128400
0040BD49|.8D4C24 10 LEA ECX,DWORD PTR SS: ;0012839473D45DB2 return to MFC42.73D45DB2 from MFC42.73DC2B5E
0040BD4D|.50 PUSH EAX
0040BD4E|.E8 EFB80100 CALL <JMP.&MFC42.#537_??0CString@@QAE@PBD@Z> ;the real code at 128400 placed into stack SS:=006C85D0
0040BD53|.8B7424 10 MOV ESI,DWORD PTR SS: ;stack SS:=006C85D0
0040BD57|.8B4424 0C MOV EAX,DWORD PTR SS: ;stack SS:=006C8490, (ASCII "xbb")
0040BD5B|>8A10 /MOV DL,BYTE PTR DS: ;byte N of the user name into DL
0040BD5D|.8ACA |MOV CL,DL
0040BD5F|.3A16 |CMP DL,BYTE PTR DS: ;compare byte N of the user name with byte M of the real code
0040BD61 75 1C JNZ SHORT ZC_RM_RM.0040BD7F
0040BD63|.84C9 |TEST CL,CL
0040BD65|.74 14 |JE SHORT ZC_RM_RM.0040BD7B
0040BD67|.8A50 01 |MOV DL,BYTE PTR DS: ;byte N+1 of the user name into DL
0040BD6A|.8ACA |MOV CL,DL
0040BD6C|.3A56 01 |CMP DL,BYTE PTR DS: ;compare byte N+1 of the user name with byte M+1 of the real code
0040BD6F 75 0E JNZ SHORT ZC_RM_RM.0040BD7F
0040BD71|.83C0 02 |ADD EAX,2 ;advance the user name pointer
0040BD74|.83C6 02 |ADD ESI,2 ;advance the real code pointer
0040BD77|.84C9 |TEST CL,CL
0040BD79|.^ 75 E0 \JNZ SHORT ZC_RM_RM.0040BD5B
0040BD7B|>33C0 XOR EAX,EAX
0040BD7D|.EB 05 JMP SHORT ZC_RM_RM.0040BD84
0040BD7F|>1BC0 SBB EAX,EAX
0040BD81|.83D8 FF SBB EAX,-1
0040BD84|>85C0 TEST EAX,EAX
0040BD86|.8D4C24 10 LEA ECX,DWORD PTR SS:
0040BD8A|.C68424 A40000>MOV BYTE PTR SS:,6
0040BD92|.0F84 86000000 JE ZC_RM_RM.0040BE1E
0040BD98|.E8 B5B70100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0040BD9D|.8D4C24 4C LEA ECX,DWORD PTR SS:
0040BDA1|.C68424 A40000>MOV BYTE PTR SS:,5
0040BDA9|.E8 D2F30000 CALL ZC_RM_RM.0041B180
0040BDAE|.8D4C24 34 LEA ECX,DWORD PTR SS:
0040BDB2|.889C24 A40000>MOV BYTE PTR SS:,BL
0040BDB9|.E8 C2F30000 CALL ZC_RM_RM.0041B180
0040BDBE|.8D4C24 44 LEA ECX,DWORD PTR SS:
0040BDC2|.C68424 A40000>MOV BYTE PTR SS:,8
0040BDCA|.E8 B1F30000 CALL ZC_RM_RM.0041B180
0040BDCF|.8D4C24 3C LEA ECX,DWORD PTR SS:
0040BDD3|.C68424 A40000>MOV BYTE PTR SS:,1
0040BDDB|.E8 A0F30000 CALL ZC_RM_RM.0041B180
0040BDE0|>8D4C24 08 LEA ECX,DWORD PTR SS:
0040BDE4|.C68424 A40000>MOV BYTE PTR SS:,0
0040BDEC|.E8 61B70100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0040BDF1|.8D4C24 0C LEA ECX,DWORD PTR SS:
0040BDF5|.C78424 A40000>MOV DWORD PTR SS:,-1
0040BE00|.E8 4DB70100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0040BE05|.5E POP ESI
0040BE06|.33C0 XOR EAX,EAX
0040BE08|.5B POP EBX
0040BE09|.8B8C24 940000>MOV ECX,DWORD PTR SS:
0040BE10|.64:890D 00000>MOV DWORD PTR FS:,ECX
0040BE17|.81C4 A0000000 ADD ESP,0A0
0040BE1D|.C3 RETN
0040BE1E|>E8 2FB70100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0040BE23|.8D4C24 4C LEA ECX,DWORD PTR SS:
0040BE27|.C68424 A40000>MOV BYTE PTR SS:,5
0040BE2F|.E8 4CF30000 CALL ZC_RM_RM.0041B180
0040BE34|.8D4C24 34 LEA ECX,DWORD PTR SS:
0040BE38|.889C24 A40000>MOV BYTE PTR SS:,BL
0040BE3F|.E8 3CF30000 CALL ZC_RM_RM.0041B180
0040BE44|.8D4C24 44 LEA ECX,DWORD PTR SS:
0040BE48|.C68424 A40000>MOV BYTE PTR SS:,9
0040BE50|.E8 2BF30000 CALL ZC_RM_RM.0041B180
0040BE55|.8D4C24 3C LEA ECX,DWORD PTR SS:
0040BE59|.C68424 A40000>MOV BYTE PTR SS:,1
0040BE61|.E8 1AF30000 CALL ZC_RM_RM.0041B180
0040BE66|.8D4C24 08 LEA ECX,DWORD PTR SS:
0040BE6A|.C68424 A40000>MOV BYTE PTR SS:,0
0040BE72|.E8 DBB60100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0040BE77|.8D4C24 0C LEA ECX,DWORD PTR SS:
0040BE7B|.C78424 A40000>MOV DWORD PTR SS:,-1
0040BE86|.E8 C7B60100 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
0040BE8B|.8B8C24 9C0000>MOV ECX,DWORD PTR SS:
0040BE92|.5E POP ESI
0040BE93|.B8 01000000 MOV EAX,1
0040BE98|.5B POP EBX
0040BE99|.64:890D 00000>MOV DWORD PTR FS:,ECX
0040BEA0|.81C4 A0000000 ADD ESP,0A0
0040BEA6\.C3 RETN
I traced the algorithm for almost 2 hours and still couldn't work it out, so I just patched it.
2. Startup verification and the flag:
Ultra String Reference, entry 10
Address=00401B82
Disassembly=PUSH ZC_RM_RM.00434120
Text string=This copy is licensed to:%s
Through the string above you can locate the flag at 43A350; combined with Dup's byte search, the following 10 places that check the value at 43A350 can be found.
First location (About window)
00401B52 .E8 F15A0200 CALL <JMP.&MFC42.#6199_?SetWindowTextA@CWnd@@Q>
00401B57 .A1 50A34300 MOV EAX,DWORD PTR DS:
00401B5C .8B2D 14C74200 MOV EBP,DWORD PTR DS:[<&MSVCRT.sprintf>] ;msvcrt.sprintf
00401B62 .85C0 TEST EAX,EAX
00401B64 .75 13 JNZ SHORT ZC_RM_RM.00401B79
Second location
00401EB1|?4B DEC EBX
00401EB2|?A0 0000A150 MOV AL,BYTE PTR DS:
00401EB7|?A3 430085C0 MOV DWORD PTR DS:,EAX
00401EBC|.0F85 02010000 JNZ ZC_RM_RM.00401FC4
00401EC2|.E8 B9990000 CALL ZC_RM_RM.0040B880
00401EC7|.83F8 01 CMP EAX,1
00401ECA|.6A 00 PUSH 0
00401ECC|.75 46 JNZ SHORT ZC_RM_RM.00401F14
Third location
00401F31|.E8 CA9F0000 CALL ZC_RM_RM.0040BF00
00401F36|.A1 50A34300 MOV EAX,DWORD PTR DS:
00401F3B|.85C0 TEST EAX,EAX
00401F3D|.75 5D JNZ SHORT ZC_RM_RM.00401F9C
Fourth location
00402C98 .E8 63920000 CALL ZC_RM_RM.0040BF00
00402C9D .A1 50A34300 MOV EAX,DWORD PTR DS:
00402CA2 .85C0 TEST EAX,EAX
00402CA4 .0F85 D9000000 JNZ ZC_RM_RM.00402D83
00402CAA .E8 D18B0000 CALL ZC_RM_RM.0040B880
00402CAF .3BC7 CMP EAX,EDI
00402CB1 .6A 00 PUSH 0
00402CB3 .75 43 JNZ SHORT ZC_RM_RM.00402CF8
Fifth location
00402D10 .E8 43480200 CALL <JMP.&MFC42.#2514_?DoModal@CDialog@@UAEHX>
00402D15 .83F8 02 CMP EAX,2
00402D18 .75 45 JNZ SHORT ZC_RM_RM.00402D5F
00402D1A .E8 E1910000 CALL ZC_RM_RM.0040BF00
00402D1F .A1 50A34300 MOV EAX,DWORD PTR DS:
00402D24 .85C0 TEST EAX,EAX
00402D26 .75 37 JNZ SHORT ZC_RM_RM.00402D5F
Sixth location
00402D7E .E8 99470200 CALL <JMP.&MFC42.#641_??1CDialog@@UAE@XZ>
00402D83 >393D 50A34300 CMP DWORD PTR DS:,EDI
00402D89 .75 2F JNZ SHORT ZC_RM_RM.00402DBA
Seventh location
00406A28 .E8 2B0B0200 CALL <JMP.&MFC42.#2514_?DoModal@CDialog@@UAEHX>
00406A2D .833D 50A34300>CMP DWORD PTR DS:,1
00406A34 .75 15 JNZ SHORT ZC_RM_RM.00406A4B
Eighth location (registration verification; on successful registration this address is set to 1)
0040AA56 .C705 50A34300>MOV DWORD PTR DS:,1
0040AA60 .E8 2B1A0000 CALL ZC_RM_RM.0040C490
Ninth location (this code is called from 4 places: local calls from 00401EB0, 00401F31, 00402C98, 00402D1A)
0040BF98|.A3 50A34300 MOV DWORD PTR DS:,EAX
0040BF9D|.81C4 00010000 ADD ESP,100
Tenth location
0040C39E .E8 ABB20100 CALL <JMP.&MFC42.#4710_?OnInitDialog@CDialog@@>
0040C3A3 .A1 50A34300 MOV EAX,DWORD PTR DS:
0040C3A8 .85C0 TEST EAX,EAX
0040C3AA .0F85 9B000000 JNZ ZC_RM_RM.0040C44B
43A350 is suspected to be the flag; set a hardware access/write breakpoint on it.
After testing, this address is confirmed to be the registration flag.
3. Patching:
0040BF93|.1BC0 SBB EAX,EAX
0040BF95|.5E POP ESI
0040BF96|.F7D8 NEG EAX ;change to mov al,1, i.e. B0 01
0040BF98|.A3 50A34300 MOV DWORD PTR DS:,EAX
Then create a Register.ini file in the program directory with the following contents; the user name can be anything.
User name=xbb
Registration code=12345678-22345678-32345678-42345678-52345678-62345678-72345678-82345678
4. Make the program display the user name automatically
Find
0040A9C6 .68 5C594300 PUSH ZC_RM_RM.0043595C ;Invalid user name or registeration code
In the data window, change it to the user name or string you want.
I changed it here to xbb(7862625B444643475D5B5059475D)
Then change
00401B79 > \68 50A24300 push 0043A250
to
00401B79 > \68 50A24300 push 0043595C
Save all changes, run, click About, and it shows the user name.
Brief analysis of 1.4.2
The algorithm in this version is unchanged; code was only added around the flag, and the added code includes two sets of registration codes:
12639a6d-39388840-3a448982-64383216-28dae7fd-3897d2c5-43ac8021-325ec561
e6aa2181-4d2623c4-51b4e51f-9c5df31b-3871ad3c-9eb7d3f3-fac6f71e-54abfc50
User name: ZCRMRMVBtoDVDCreator62B0C2
The registration flag is at 43B370; a Dup search for 70 B3 43 00 finds 10 places
0040C2B6|.F7D8 NEG EAX ;change to mov al,1 B0 01
0040C2B8|.A3 70B34300 MOV DWORD PTR DS:,EAX
0040C2BD|.81C4 00010000 ADD ESP,100
0040C2C3\.C3 RETN
Change
0040ACC6 .68 5C694300 PUSH ZC_RM_RM.0043695C ;Invalid user name or registeration code
to
00401B79 > \68 70B24300 PUSH ZC_RM_RM.0043695C
Change
0043695C  49 6E 76 61 6C 69 64 20 75 73 65 72 20 6E 61 6D  Invalid user nam
0043696C  65 20 6F 72 20 72 65 67 69 73 74 65 72 61 74 69  e or registerati
0043697C  6F 6E 20 63 6F 64 65 00                          on code.
to
0043695C  78 62 62 5B 44 46 43 47 5D 5B 50 59 47 5D 00 00  xbb[DFCG][PYG]..
0043696C  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0043697C  00 00 00 00 00 00 00                             .......
0040C35D|.68 18ED4200 push 0042ED18 ;12639a6d-39388840-3a448982-64383216-28dae7fd-3897d2c5-43ac8021-325ec561
0040C362|.52 push edx
0040C363|.E8 38FAFFFF call 0040BDA0 ;call the algorithm Call
0040C368|.83C4 08 add esp, 8
0040C36B|.85C0 test eax, eax
0040C36D|.74 54 je short 0040C3C3
0040C36F|.8B4424 04 mov eax, dword ptr
0040C373|.68 60ED4200 push 0042ED60 ;e6aa2181-4d2623c4-51b4e51f-9c5df31b-3871ad3c-9eb7d3f3-fac6f71e-54abfc50
0040C378|.50 push eax ;eax=006A8530, (ASCII "ZCRMRMVBtoDVDCreator62B0C2")
0040C379|.E8 22FAFFFF call 0040BDA0 ;call the algorithm Call
0040C37E|.83C4 08 add esp, 8
0040C381|.85C0 test eax, eax
0040C383|.74 3E je short 0040C3C3
Algorithm Call
0040BDA0/$6A FF push -1
Called from four places in total: local calls from 0040ACAE, 0040C2A9, 0040C363, 0040C379
Please credit the author xbb when reposting, thanks!
[ This post was last edited by xbb on 2008-6-21 08:42 ]
lzover: Wouldn't it be better to make the text smaller~~~
xbb (quoting lzover, 2008-6-20 21:38: "Wouldn't it be better to make the text smaller~~~"): I was afraid it would tire your eyes~~
Support for original work, learning from it~~~