Asking about how the last character is derived in one of the algorithms from 冷血's collection~
The algorithm analysis is below: 【Original】QQ Game [对对碰] Assistant 2.0 simple algorithm analysis
Date: 12 August 2005 Cracked by: 冷血书生
—————————————————————————————————————
【Software name】: QQ Game [对对碰] Assistant Software version: 2.0
【Software size】: 297 KB
【Download address】: http://www1.skycn.com/soft/23713.html
【Software description】: Use this assistant software to become a master of the [对对碰] game yourself.
Features of the latest version:
1. Can start games automatically;
2. Game acceleration, three times faster;
3. Automatically uses items on opponents;
4. Will not be detected as a cheat.
【Software restriction】: registration-code restriction
【Crack statement】: I'm a beginner at cracking, doing this purely out of interest, with no other purpose. Please correct any mistakes, everyone!
【Crack tools】: PEiD, OD
—————————————————————————————————————
【Crack process】:
Checked the packer: detected as written in Borland Delphi 6.0 - 7.0, clean and simple! I like it! Next, load it in OD, right-click, search for strings, find the error message, scroll up and arrive at the following:
004AF95D 55 push ebp ; set a breakpoint here
004AF95E 68 71FB4A00 push ddpwg.004AFB71
004AF963 64:FF30 push dword ptr fs:[eax]
004AF966 64:8920 mov dword ptr fs:[eax],esp
004AF969 8D55 FC lea edx,dword ptr ss:[ebp-4]
004AF96C 8B83 08030000 mov eax,dword ptr ds:[ebx+308]
004AF972 E8 D513F9FF call ddpwg.00440D4C
004AF977 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; check whether the registration code is 0
004AF97B 75 1E jnz short ddpwg.004AF99B ; if it is 0, go to the error
004AF97D 6A 30 push 30
004AF97F 68 80FB4A00 push ddpwg.004AFB80
004AF984 68 88FB4A00 push ddpwg.004AFB88
004AF989 8BC3 mov eax,ebx
004AF98B E8 687BF9FF call ddpwg.004474F8
004AF990 50 push eax
004AF991 E8 B677F5FF call <jmp.&user32.MessageBoxA>
004AF996 E9 7B010000 jmp ddpwg.004AFB16
004AF99B 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004AF99E 8B83 08030000 mov eax,dword ptr ds:[ebx+308]
004AF9A4 E8 A313F9FF call ddpwg.00440D4C
004AF9A9 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004AF9AC 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004AF9AF E8 DC8DF5FF call ddpwg.00408790
004AF9B4 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004AF9B7 50 push eax
004AF9B8 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004AF9BB 8B83 04030000 mov eax,dword ptr ds:[ebx+304]
004AF9C1 E8 8613F9FF call ddpwg.00440D4C ; the fake code is visible here
004AF9C6 8B45 E8 mov eax,dword ptr ss:[ebp-18]
004AF9C9 8D55 EC lea edx,dword ptr ss:[ebp-14]
004AF9CC E8 BF8DF5FF call ddpwg.00408790 ; the machine code is visible here
004AF9D1 8B45 EC mov eax,dword ptr ss:[ebp-14]
004AF9D4 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004AF9D7 E8 F4FCFFFF call ddpwg.004AF6D0 ; algorithm CALL, press F7 to step in
004AF9DC 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; EDX holds the real code
004AF9DF 58 pop eax
004AF9E0 E8 1B4DF5FF call ddpwg.00404700 ; real/fake code comparison; a memory keygen can be made here
004AF9E5 0F85 05010000 jnz ddpwg.004AFAF0 ; jump to the error if they differ
004AF9EB B2 01 mov dl,1 ; registration-success flag
004AF9ED A1 44C24600 mov eax,dword ptr ds:[46C244]
004AF9F2 E8 4DC9FBFF call ddpwg.0046C344
004AF9F7 8BF0 mov esi,eax
004AF9F9 BA 02000080 mov edx,80000002
004AF9FE 8BC6 mov eax,esi
004AFA00 E8 DFC9FBFF call ddpwg.0046C3E4
004AFA05 B1 01 mov cl,1
004AFA07 BA A0FB4A00 mov edx,ddpwg.004AFBA0 ; ASCII "SOFTWARE\Microsoft\qqddpyx"
004AFA0C 8BC6 mov eax,esi
004AFA0E E8 11CBFBFF call ddpwg.0046C524
004AFA13 B9 01000000 mov ecx,1
004AFA18 BA C4FB4A00 mov edx,ddpwg.004AFBC4 ; ASCII "qqddpyxreg"
004AFA1D 8BC6 mov eax,esi
004AFA1F E8 A0CCFBFF call ddpwg.0046C6C4
004AFA24 8D55 E0 lea edx,dword ptr ss:[ebp-20]
004AFA27 8B83 08030000 mov eax,dword ptr ds:[ebx+308]
004AFA2D E8 1A13F9FF call ddpwg.00440D4C
004AFA32 8B45 E0 mov eax,dword ptr ss:[ebp-20]
004AFA35 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
004AFA38 E8 538DF5FF call ddpwg.00408790
004AFA3D 8B4D E4 mov ecx,dword ptr ss:[ebp-1C]
004AFA40 BA D8FB4A00 mov edx,ddpwg.004AFBD8 ; ASCII "sn"
004AFA45 8BC6 mov eax,esi
004AFA47 E8 4CCCFBFF call ddpwg.0046C698
004AFA4C 8D55 D8 lea edx,dword ptr ss:[ebp-28]
004AFA4F 8B83 04030000 mov eax,dword ptr ds:[ebx+304]
004AFA55 E8 F212F9FF call ddpwg.00440D4C
004AFA5A 8B45 D8 mov eax,dword ptr ss:[ebp-28]
004AFA5D 8D55 DC lea edx,dword ptr ss:[ebp-24]
004AFA60 E8 2B8DF5FF call ddpwg.00408790
004AFA65 8B4D DC mov ecx,dword ptr ss:[ebp-24]
004AFA68 BA E4FB4A00 mov edx,ddpwg.004AFBE4 ; ASCII "macstr"
004AFA6D 8BC6 mov eax,esi
004AFA6F E8 24CCFBFF call ddpwg.0046C698
004AFA74 8BC6 mov eax,esi
004AFA76 E8 39C9FBFF call ddpwg.0046C3B4
004AFA7B 8BC6 mov eax,esi
004AFA7D E8 163BF5FF call ddpwg.00403598
004AFA82 6A 00 push 0
004AFA84 B9 ECFB4A00 mov ecx,ddpwg.004AFBEC
004AFA89 BA F4FB4A00 mov edx,ddpwg.004AFBF4
004AFA8E A1 68464B00 mov eax,dword ptr ds:[4B4668]
004AFA93 8B00 mov eax,dword ptr ds:[eax]
004AFA95 E8 BA21FBFF call ddpwg.00461C54
004AFA9A A1 84474B00 mov eax,dword ptr ds:[4B4784]
004AFA9F 8B00 mov eax,dword ptr ds:[eax]
004AFAA1 8B80 18030000 mov eax,dword ptr ds:[eax+318]
004AFAA7 BA 10FC4A00 mov edx,ddpwg.004AFC10
004AFAAC E8 CB12F9FF call ddpwg.00440D7C
004AFAB1 A1 84474B00 mov eax,dword ptr ds:[4B4784]
004AFAB6 8B00 mov eax,dword ptr ds:[eax]
004AFAB8 8B80 18030000 mov eax,dword ptr ds:[eax+318]
004AFABE 33D2 xor edx,edx
004AFAC0 8B08 mov ecx,dword ptr ds:[eax]
004AFAC2 FF51 64 call dword ptr ds:[ecx+64]
004AFAC5 A1 84474B00 mov eax,dword ptr ds:[4B4784]
004AFACA 8B00 mov eax,dword ptr ds:[eax]
004AFACC 8B80 14030000 mov eax,dword ptr ds:[eax+314]
004AFAD2 33D2 xor edx,edx
004AFAD4 8B08 mov ecx,dword ptr ds:[eax]
004AFAD6 FF51 64 call dword ptr ds:[ecx+64]
004AFAD9 A1 84474B00 mov eax,dword ptr ds:[4B4784]
004AFADE 8B00 mov eax,dword ptr ds:[eax]
004AFAE0 C680 25030000 > mov byte ptr ds:[eax+325],1
004AFAE7 8BC3 mov eax,ebx
004AFAE9 E8 42E9FAFF call ddpwg.0045E430
004AFAEE EB 19 jmp short ddpwg.004AFB09
004AFAF0 6A 30 push 30
004AFAF2 68 80FB4A00 push ddpwg.004AFB80
004AFAF7 68 1CFC4A00 push ddpwg.004AFC1C
004AFAFC 8BC3 mov eax,ebx
004AFAFE E8 F579F9FF call ddpwg.004474F8
004AFB03 50 push eax
004AFB04 E8 4376F5FF call <jmp.&user32.MessageBoxA>
004AFB09 33D2 xor edx,edx
004AFB0B 8B83 08030000 mov eax,dword ptr ds:[ebx+308]
004AFB11 E8 6612F9FF call ddpwg.00440D7C
004AFB16 33C0 xor eax,eax
004AFB18 5A pop edx
004AFB19 59 pop ecx
004AFB1A 59 pop ecx
004AFB1B 64:8910 mov dword ptr fs:[eax],edx
004AFB1E 68 78FB4A00 push ddpwg.004AFB78
004AFB23 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004AFB26 E8 D947F5FF call ddpwg.00404304
004AFB2B 8D45 DC lea eax,dword ptr ss:[ebp-24]
004AFB2E E8 D147F5FF call ddpwg.00404304
004AFB33 8D45 E0 lea eax,dword ptr ss:[ebp-20]
004AFB36 E8 C947F5FF call ddpwg.00404304
004AFB3B 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004AFB3E E8 C147F5FF call ddpwg.00404304
004AFB43 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004AFB46 E8 B947F5FF call ddpwg.00404304
004AFB4B 8D45 EC lea eax,dword ptr ss:[ebp-14]
004AFB4E BA 02000000 mov edx,2
004AFB53 E8 D047F5FF call ddpwg.00404328
004AFB58 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004AFB5B E8 A447F5FF call ddpwg.00404304
004AFB60 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004AFB63 E8 9C47F5FF call ddpwg.00404304
004AFB68 8D45 FC lea eax,dword ptr ss:[ebp-4]
004AFB6B E8 9447F5FF call ddpwg.00404304
004AFB70 C3 retn
004AFB71^ E9 B641F5FF jmp ddpwg.00403D2C
004AFB76^ EB AB jmp short ddpwg.004AFB23
004AFB78 5E pop esi
004AFB79 5B pop ebx
004AFB7A 8BE5 mov esp,ebp
004AFB7C 5D pop ebp
004AFB7D C3 retn
********* Step into 004AF9D7 E8 F4FCFFFF call ddpwg.004AF6D0
004AF6D0 55 push ebp ; F7 steps in and lands here
004AF6D1 8BEC mov ebp,esp
004AF6D3 B9 07000000 mov ecx,7
004AF6D8 6A 00 push 0
004AF6DA 6A 00 push 0
004AF6DC 49 dec ecx
004AF6DD^ 75 F9 jnz short ddpwg.004AF6D8 ; F4
004AF6DF 53 push ebx
004AF6E0 56 push esi
004AF6E1 57 push edi
004AF6E2 8BFA mov edi,edx
004AF6E4 8945 FC mov dword ptr ss:[ebp-4],eax
004AF6E7 8B45 FC mov eax,dword ptr ss:[ebp-4]
004AF6EA E8 B550F5FF call ddpwg.004047A4
004AF6EF 33C0 xor eax,eax
004AF6F1 55 push ebp
004AF6F2 68 96F84A00 push ddpwg.004AF896
004AF6F7 64:FF30 push dword ptr fs:[eax]
004AF6FA 64:8920 mov dword ptr fs:[eax],esp
004AF6FD 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004AF700 8B55 FC mov edx,dword ptr ss:[ebp-4]
004AF703 E8 944CF5FF call ddpwg.0040439C
004AF708 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004AF70B E8 F44BF5FF call ddpwg.00404304
004AF710 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004AF713 E8 A44EF5FF call ddpwg.004045BC
004AF718 8BF0 mov esi,eax
004AF71A 85F6 test esi,esi
004AF71C 0F8E 4F010000 jle ddpwg.004AF871
004AF722 BB 01000000 mov ebx,1
004AF727 8D45 EC lea eax,dword ptr ss:[ebp-14]
004AF72A 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004AF72D 8A541A FF mov dl,byte ptr ds:[edx+ebx-1]
004AF731 E8 AE4DF5FF call ddpwg.004044E4
004AF736 8B45 EC mov eax,dword ptr ss:[ebp-14]
004AF739 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004AF73C E8 FF8DF5FF call ddpwg.00408540
004AF741 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004AF744 BA ACF84A00 mov edx,ddpwg.004AF8AC
004AF749 E8 B24FF5FF call ddpwg.00404700
004AF74E 75 12 jnz short ddpwg.004AF762
004AF750 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004AF753 BA B8F84A00 mov edx,ddpwg.004AF8B8
004AF758 E8 674EF5FF call ddpwg.004045C4
004AF75D E9 07010000 jmp ddpwg.004AF869
004AF762 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004AF765 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004AF768 8A541A FF mov dl,byte ptr ds:[edx+ebx-1]
004AF76C E8 734DF5FF call ddpwg.004044E4
004AF771 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
004AF774 8D55 E8 lea edx,dword ptr ss:[ebp-18]
004AF777 E8 C48DF5FF call ddpwg.00408540
004AF77C 8B45 E8 mov eax,dword ptr ss:[ebp-18]
004AF77F BA C4F84A00 mov edx,ddpwg.004AF8C4
004AF784 E8 774FF5FF call ddpwg.00404700
004AF789 75 12 jnz short ddpwg.004AF79D
004AF78B 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004AF78E BA D0F84A00 mov edx,ddpwg.004AF8D0
004AF793 E8 2C4EF5FF call ddpwg.004045C4
004AF798 E9 CC000000 jmp ddpwg.004AF869
004AF79D 8D45 DC lea eax,dword ptr ss:[ebp-24]
004AF7A0 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004AF7A3 8A541A FF mov dl,byte ptr ds:[edx+ebx-1]
004AF7A7 E8 384DF5FF call ddpwg.004044E4
004AF7AC 8B45 DC mov eax,dword ptr ss:[ebp-24]
004AF7AF 8D55 E0 lea edx,dword ptr ss:[ebp-20]
004AF7B2 E8 898DF5FF call ddpwg.00408540
004AF7B7 8B45 E0 mov eax,dword ptr ss:[ebp-20]
004AF7BA BA DCF84A00 mov edx,ddpwg.004AF8DC
004AF7BF E8 3C4FF5FF call ddpwg.00404700
004AF7C4 75 12 jnz short ddpwg.004AF7D8
004AF7C6 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004AF7C9 BA E8F84A00 mov edx,ddpwg.004AF8E8
004AF7CE E8 F14DF5FF call ddpwg.004045C4
004AF7D3 E9 91000000 jmp ddpwg.004AF869
004AF7D8 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
004AF7DB 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004AF7DE 8A541A FF mov dl,byte ptr ds:[edx+ebx-1]
004AF7E2 E8 FD4CF5FF call ddpwg.004044E4
004AF7E7 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
004AF7EA 8D55 D8 lea edx,dword ptr ss:[ebp-28]
004AF7ED E8 4E8DF5FF call ddpwg.00408540
004AF7F2 8B45 D8 mov eax,dword ptr ss:[ebp-28]
004AF7F5 BA F4F84A00 mov edx,ddpwg.004AF8F4
004AF7FA E8 014FF5FF call ddpwg.00404700
004AF7FF 75 0F jnz short ddpwg.004AF810
004AF801 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004AF804 BA 00F94A00 mov edx,ddpwg.004AF900
004AF809 E8 B64DF5FF call ddpwg.004045C4
004AF80E EB 59 jmp short ddpwg.004AF869
004AF810 8D45 CC lea eax,dword ptr ss:[ebp-34]
004AF813 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004AF816 8A541A FF mov dl,byte ptr ds:[edx+ebx-1]
004AF81A E8 C54CF5FF call ddpwg.004044E4
004AF81F 8B45 CC mov eax,dword ptr ss:[ebp-34]
004AF822 8D55 D0 lea edx,dword ptr ss:[ebp-30]
004AF825 E8 168DF5FF call ddpwg.00408540
004AF82A 8B45 D0 mov eax,dword ptr ss:[ebp-30]
004AF82D BA 0CF94A00 mov edx,ddpwg.004AF90C
004AF832 E8 C94EF5FF call ddpwg.00404700
004AF837 75 0F jnz short ddpwg.004AF848
004AF839 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004AF83C BA 18F94A00 mov edx,ddpwg.004AF918
004AF841 E8 7E4DF5FF call ddpwg.004045C4
004AF846 EB 21 jmp short ddpwg.004AF869
004AF848 8D45 C8 lea eax,dword ptr ss:[ebp-38]
004AF84B 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004AF84E 0FB6541A FF movzx edx,byte ptr ds:[edx+ebx-1] ; fetch 'A' (41)
004AF853 83C2 31 add edx,31 ; EDX=EDX+31
004AF856 83E2 7F and edx,7F ; EDX=EDX+7F
004AF859 E8 864CF5FF call ddpwg.004044E4
004AF85E 8B55 C8 mov edx,dword ptr ss:[ebp-38]
004AF861 8D45 F4 lea eax,dword ptr ss:[ebp-C]
004AF864 E8 5B4DF5FF call ddpwg.004045C4
004AF869 43 inc ebx ; counter + 1
004AF86A 4E dec esi ; length - 1
004AF86B^ 0F85 B6FEFFFF jnz ddpwg.004AF727 ; continue downward once all characters are consumed, otherwise jump back
004AF871 8BC7 mov eax,edi
004AF873 8B55 F4 mov edx,dword ptr ss:[ebp-C]
004AF876 E8 DD4AF5FF call ddpwg.00404358 ; EDX holds the real code
004AF87B 33C0 xor eax,eax
004AF87D 5A pop edx
004AF87E 59 pop ecx
004AF87F 59 pop ecx
004AF880 64:8910 mov dword ptr fs:[eax],edx
004AF883 68 9DF84A00 push ddpwg.004AF89D
004AF888 8D45 C8 lea eax,dword ptr ss:[ebp-38]
004AF88B BA 0E000000 mov edx,0E
004AF890 E8 934AF5FF call ddpwg.00404328
004AF895 C3 retn
004AF896^ E9 9144F5FF jmp ddpwg.00403D2C
004AF89B^ EB EB jmp short ddpwg.004AF888
004AF89D 5F pop edi
004AF89E 5E pop esi
004AF89F 5B pop ebx
004AF8A0 8BE5 mov esp,ebp
004AF8A2 5D pop ebp
004AF8A3 C3 retn ; return
【Algorithm summary】
1st character: the HEX value of the 1st character of the machine code + 31 is the 1st character of the registration code
2nd character: the HEX value of the 2nd character of the machine code + 31 is the 2nd character of the registration code
…………
The last character of the machine code does not take part in the calculation; the last character of the registration code is the fixed value "z"
Machine code: ABCD1234
Registration code: rstubcdz
—————————————————————————————————————
【Crack summary】:
I'm a beginner at algorithms; if there are mistakes, please point them out, everyone!
+++++++++++++++++++++++++
Question:
At the end of the analysis, I found that if the last character of the registration code is 4, what you get is z.
After I changed it to 1, the result was b, so evidently the last character of the registration code is not fixed.
I traced it a bit and found:
004AF74E|. /75 12 |JNZ SHORT B2088.004AF762
// Breaking here, I saw the loop finish computing the first 7 characters and then stopped following it.
004AF750|. |8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
004AF753|. |BA B8F84A00 |MOV EDX,B2088.004AF8B8
004AF758|. |E8 674EF5FF |CALL B2088.004045C4
// The calculation of the last character of the registration code should be here~
I tried tracing it, and the last character of the registration code seemed to show up in a rep assembly section, but I don't understand why.
004AF75D|. |E9 07010000 |JMP B2088.004AF869
// When the conditional jump above doesn't jump, this long jump is what skips the calculation on the last machine-code character.
004AF762|> \8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C]
++++++++++++
I'd like to ask everyone about the specific computation process......
If this problem really can't be worked out, then I'll just have to put a fixed code into the keygen-making demonstration.
Because the machine code is fixed~
Heh~ I've been bored stiff making the lesson 3 demo these days and am about to run off~
[ This post was last edited by 野猫III on 2006-7-23 11:59 ]
Learned something: BPX is a code breakpoint, BP is a function breakpoint.
冷血's fundamentals are very solid; learning from senior 冷血.
The last character is probably cut from something like the hard drive serial number. Moderator, if you have any insight, be sure to post it. Learned something.
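To make the quoted loop and the question concrete, here is an added Python model of the routine at 004AF727-004AF86B; it is not code from the original post, from 冷血书生's analysis or from the tool itself. It is reconstructed from the listing and the two observations in the thread: the five CMP/JNZ blocks are a special-case table that appends a fixed replacement string when the current character matches, and everything else goes through the `add edx,31` / `and edx,7F` path. Only one table entry is supported by the page ('4' gives 'z', which cannot come from the arithmetic path since 0x34 + 0x31 = 0x65 = 'e'); the other four compare/replace string pairs (ddpwg.004AF8AC onward) are not reproduced on the page and are left as a labelled placeholder. The model also assumes single-byte (ASCII) machine codes, which is what the byte-wise loop operates on. Both observations in the question are consistent with this structure: '1' (0x31) + 0x31 = 0x62 = 'b' is the generic path, while '4' is caught by one of the compare blocks.

```python
# Added example (not from the original post or the tool): a Python model of the
# per-character loop at 004AF727-004AF86B in the quoted disassembly.
# Reconstructed from the listing plus the two observations in the thread; the
# special-case table beyond '4' -> 'z' is NOT on the page (placeholder below).

# Five CMP/JNZ blocks (004AF741 .. 004AF832) compare the current character,
# converted to a one-character string, against five fixed strings and, on a
# match, append a fixed replacement string instead of doing arithmetic.
# Observed in the thread: a machine code ending in '4' gives 'z'. Since
# 0x34 + 0x31 = 0x65 = 'e', '4' must be one of those five special cases.
SPECIAL_CASES = {
    "4": "z",
    # PLACEHOLDER: the other four compare strings (ddpwg.004AF8C4, ...) and
    # replacement strings (ddpwg.004AF8D0, ...) are not reproduced on the page.
}


def transform_char(c: str) -> str:
    """One loop iteration for a single machine-code character.

    The JNZ chain is tried first; when nothing matches, the fall-through
    path at 004AF848 runs:
        movzx edx, byte ptr ds:[edx+ebx-1]   ; fetch character ebx (1-based)
        add   edx, 31                        ; + 0x31
        and   edx, 7F                        ; keep the low 7 bits
    The routine works on single bytes, so this model assumes ASCII input.
    """
    if len(c) != 1 or ord(c) > 0xFF:
        raise ValueError("expected one single-byte character")
    if c in SPECIAL_CASES:
        return SPECIAL_CASES[c]
    return chr((ord(c) + 0x31) & 0x7F)


def machine_code_to_serial(machine_code: str) -> str:
    """Run the loop over the whole string (EBX counts up, ESI counts down)."""
    return "".join(transform_char(c) for c in machine_code)


def is_unprintable_after_transform(c: str) -> bool:
    """Edge case of the arithmetic path: the AND 7F wraps high inputs.

    For bytes 0x4E ('N') through 0x6E ('n'), ord(c) + 0x31 lands in
    0x7F..0x9F, so the mask yields DEL or a control character (0x00..0x1F);
    bytes above that wrap around to punctuation. A checker that re-derives
    the expected code from such input would be comparing against
    unprintable bytes, so this is worth testing before trusting the
    '+0x31' rule on arbitrary machine codes.
    """
    value = (ord(c) + 0x31) & 0x7F
    return value < 0x20 or value == 0x7F


if __name__ == "__main__":
    # Constructed inputs: the machine code quoted in the analysis, and the
    # one-character variation the question describes.
    print(machine_code_to_serial("ABCD1234"))  # rstubcdz (matches the analysis)
    print(machine_code_to_serial("ABCD1231"))  # rstubcdb (matches the question)
```

Running the block reproduces the summary's pair (ABCD1234 gives rstubcdz) and the question's variation (ABCD1231 gives rstubcdb) from one and the same rule, which is the point of the model: the "fixed z" in the summary is the table entry for '4', not a constant last character. To fill in the remaining four entries, the strings at the five `mov edx,ddpwg.004AF8xx` compare addresses and the five replacement addresses would have to be read out in the debugger, which the thread does not show.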