Mischief
This post was last edited by DaShanRen on 2011-9-9 15:26
I read this thread:
https://www.chinapyg.com/viewthread.php?tid=64912
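The software seemed usable, and I wanted to see what the keygen actually computes. Unfortunately my forum level was judged too low, so I was not allowed to download it. So I could only resort to mischief to get what I needed!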
The key code of the software's registration check is as follows:
0049C593  MOV DWORD PTR SS:,9 ; loop check ==>
0049C59A  MOV DWORD PTR SS:,1
0049C5A1  MOV DWORD PTR SS:,2
0049C5A8  LEA ECX,DWORD PTR SS:
0049C5AB  MOV DWORD PTR SS:,ECX
0049C5B1  MOV DWORD PTR SS:,4008
0049C5BB  LEA EDX,DWORD PTR SS:
0049C5BE  PUSH EDX
0049C5BF  LEA EAX,DWORD PTR SS:
0049C5C2  PUSH EAX
0049C5C3  CALL NEAR DWORD PTR DS:[<&MSVBVM60.__vbaI4Var> ; MSVBVM60.__vbaI4Var
0049C5C9  PUSH EAX
0049C5CA  LEA ECX,DWORD PTR SS:
0049C5D0  PUSH ECX
0049C5D1  LEA EDX,DWORD PTR SS:
0049C5D7  PUSH EDX
0049C5D8  CALL NEAR DWORD PTR DS:[<&MSVBVM60.#632>] ; read one character of the registration code
0049C5DE  MOV DWORD PTR SS:,PDFTiger.00421AF8 ; W
0049C5E8  MOV DWORD PTR SS:,8008
0049C5F2  LEA EAX,DWORD PTR SS:
0049C5F8  PUSH EAX
0049C5F9  LEA ECX,DWORD PTR SS:
0049C5FF  PUSH ECX
0049C600  CALL NEAR DWORD PTR DS:[<&MSVBVM60.__vbaVarTs> ; check whether it is W
0049C606  MOV WORD PTR SS:,AX
0049C60D  LEA EDX,DWORD PTR SS:
0049C613  PUSH EDX
0049C614  LEA EAX,DWORD PTR SS:
0049C617  PUSH EAX
0049C618  PUSH 2
0049C61A  CALL NEAR DWORD PTR DS:[<&MSVBVM60.__vbaFreeV> ; MSVBVM60.__vbaFreeVarList
0049C620  ADD ESP,0C
0049C623  MOVSX ECX,WORD PTR SS:
0049C62A  TEST ECX,ECX
0049C62C  JE SHORT PDFTiger.0049C63B
0049C62E  MOV DWORD PTR SS:,0A
0049C635  MOV WORD PTR SS:,0FFFF ; save flag 1
0049C63B  MOV DWORD PTR SS:,0C
0049C642  MOV DWORD PTR SS:,1
0049C649  MOV DWORD PTR SS:,2
0049C650  LEA EDX,DWORD PTR SS:
0049C653  MOV DWORD PTR SS:,EDX
0049C659  MOV DWORD PTR SS:,4008
0049C663  LEA EAX,DWORD PTR SS:
0049C666  PUSH EAX
0049C667  LEA ECX,DWORD PTR SS:
0049C66A  PUSH ECX
0049C66B  CALL NEAR DWORD PTR DS:[<&MSVBVM60.__vbaI4Var> ; MSVBVM60.__vbaI4Var
0049C671  PUSH EAX
0049C672  LEA EDX,DWORD PTR SS:
0049C678  PUSH EDX
0049C679  LEA EAX,DWORD PTR SS:
0049C67F  PUSH EAX
0049C680  CALL NEAR DWORD PTR DS:[<&MSVBVM60.#632>] ; read again
0049C686  MOV DWORD PTR SS:,PDFTiger.00421B00 ; D
0049C690  MOV DWORD PTR SS:,8008
0049C69A  LEA ECX,DWORD PTR SS:
0049C6A0  PUSH ECX
0049C6A1  LEA EDX,DWORD PTR SS:
0049C6A7  PUSH EDX
0049C6A8  CALL NEAR DWORD PTR DS:[<&MSVBVM60.__vbaVarTs> ; check whether it is D
0049C6AE  MOV WORD PTR SS:,AX
0049C6B5  LEA EAX,DWORD PTR SS:
0049C6BB  PUSH EAX
0049C6BC  LEA ECX,DWORD PTR SS:
0049C6BF  PUSH ECX
0049C6C0  PUSH 2
0049C6C2  CALL NEAR DWORD PTR DS:[<&MSVBVM60.__vbaFreeV> ; MSVBVM60.__vbaFreeVarList
0049C6C8  ADD ESP,0C
0049C6CB  MOVSX EDX,WORD PTR SS:
0049C6D2  TEST EDX,EDX
0049C6D4  JE SHORT PDFTiger.0049C6E3
0049C6D6  MOV DWORD PTR SS:,0D
0049C6DD  MOV WORD PTR SS:,0FFFF ; save flag 2
0049C6E3  MOV DWORD PTR SS:,0F
0049C6EA  MOV DWORD PTR SS:,1
0049C6F1  MOV DWORD PTR SS:,2
0049C6F8  LEA EAX,DWORD PTR SS:
0049C6FB  MOV DWORD PTR SS:,EAX
0049C701  MOV DWORD PTR SS:,4008
0049C70B  LEA ECX,DWORD PTR SS:
0049C70E  PUSH ECX
0049C70F  LEA EDX,DWORD PTR SS:
0049C712  PUSH EDX
0049C713  CALL NEAR DWORD PTR DS:[<&MSVBVM60.__vbaI4Var> ; MSVBVM60.__vbaI4Var
0049C719  PUSH EAX
0049C71A  LEA EAX,DWORD PTR SS:
0049C720  PUSH EAX
0049C721  LEA ECX,DWORD PTR SS:
0049C727  PUSH ECX
0049C728  CALL NEAR DWORD PTR DS:[<&MSVBVM60.#632>] ; read again
0049C72E  MOV DWORD PTR SS:,PDFTiger.00421B08 ; 8
0049C738  MOV DWORD PTR SS:,8008
0049C742  LEA EDX,DWORD PTR SS:
0049C748  PUSH EDX
0049C749  LEA EAX,DWORD PTR SS:
0049C74F  PUSH EAX
0049C750  CALL NEAR DWORD PTR DS:[<&MSVBVM60.__vbaVarTs> ; check whether it is 8
0049C756  MOV WORD PTR SS:,AX
0049C75D  LEA ECX,DWORD PTR SS:
0049C763  PUSH ECX
0049C764  LEA EDX,DWORD PTR SS:
0049C767  PUSH EDX
0049C768  PUSH 2
0049C76A  CALL NEAR DWORD PTR DS:[<&MSVBVM60.__vbaFreeV> ; MSVBVM60.__vbaFreeVarList
0049C770  ADD ESP,0C
0049C773  MOVSX EAX,WORD PTR SS:
0049C77A  TEST EAX,EAX
0049C77C  JE SHORT PDFTiger.0049C78B
0049C77E  MOV DWORD PTR SS:,10
0049C785  MOV WORD PTR SS:,0FFFF ; save flag 3
0049C78B  MOV DWORD PTR SS:,12
0049C792  MOV DWORD PTR SS:,1
0049C799  MOV DWORD PTR SS:,2
0049C7A0  LEA ECX,DWORD PTR SS:
0049C7A3  MOV DWORD PTR SS:,ECX
0049C7A9  MOV DWORD PTR SS:,4008
0049C7B3  LEA EDX,DWORD PTR SS:
0049C7B6  PUSH EDX
0049C7B7  LEA EAX,DWORD PTR SS:
0049C7BA  PUSH EAX
0049C7BB  CALL NEAR DWORD PTR DS:[<&MSVBVM60.__vbaI4Var> ; MSVBVM60.__vbaI4Var
0049C7C1  PUSH EAX
0049C7C2  LEA ECX,DWORD PTR SS:
0049C7C8  PUSH ECX
0049C7C9  LEA EDX,DWORD PTR SS:
0049C7CF  PUSH EDX
0049C7D0  CALL NEAR DWORD PTR DS:[<&MSVBVM60.#632>] ; read again
0049C7D6  MOV DWORD PTR SS:,PDFTiger.00421B10 ; 6
0049C7E0  MOV DWORD PTR SS:,8008
0049C7EA  LEA EAX,DWORD PTR SS:
0049C7F0  PUSH EAX
0049C7F1  LEA ECX,DWORD PTR SS:
0049C7F7  PUSH ECX
0049C7F8  CALL NEAR DWORD PTR DS:[<&MSVBVM60.__vbaVarTs> ; check whether it is 6
0049C7FE  MOV WORD PTR SS:,AX
0049C805  LEA EDX,DWORD PTR SS:
0049C80B  PUSH EDX
0049C80C  LEA EAX,DWORD PTR SS:
0049C80F  PUSH EAX
0049C810  PUSH 2
0049C812  CALL NEAR DWORD PTR DS:[<&MSVBVM60.__vbaFreeV> ; MSVBVM60.__vbaFreeVarList
0049C818  ADD ESP,0C
0049C81B  MOVSX ECX,WORD PTR SS:
0049C822  TEST ECX,ECX
0049C824  JE SHORT PDFTiger.0049C833
0049C826  MOV DWORD PTR SS:,13
0049C82D  MOV WORD PTR SS:,0FFFF ; save flag 4
0049C833  MOV DWORD PTR SS:,15
0049C83A  LEA EDX,DWORD PTR SS:
0049C840  PUSH EDX
0049C841  LEA EAX,DWORD PTR SS:
0049C847  PUSH EAX
0049C848  LEA ECX,DWORD PTR SS:
0049C84B  PUSH ECX
0049C84C  CALL NEAR DWORD PTR DS:[<&MSVBVM60.__vbaVarFo> ; MSVBVM60.__vbaVarForNext
0049C852  MOV DWORD PTR SS:,EAX
0049C858  CMP DWORD PTR SS:,0
0049C85F  JNZ PDFTiger.0049C593 ; jump if not equal -- loop check <==
Its function is to test each character of the registration code to see whether it is one of the characters W, D, 6, 8. If it is, a flag is set; if it is not, the previously set flags are not cleared.
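After this step, the flags that were set are checked:
0049C86C  CMP WORD PTR SS:,0FFFF ; contains character W?
0049C871  JNZ PDFTiger.0049CCBB
0049C877  CMP WORD PTR SS:,0FFFF ; contains character D?
0049C87C  JNZ PDFTiger.0049CCBB
0049C882  CMP WORD PTR SS:,0FFFF ; contains character 8?
0049C887  JNZ PDFTiger.0049CCBB
0049C88D  CMP WORD PTR SS:,0FFFF ; contains character 6?
0049C892  JNZ PDFTiger.0049CCBB
But a few things should be noted here:
1. The characters of the registration code are not all required to be one of those four, but the code must contain all four of them;
2. Judging by the loop count, the registration code should be 16 characters long, while the later flag test covers only four flags, so a random combination of just these four characters can also be a valid registration code;
3. After successful registration the software does not save the registration code; it only makes a mark at the end of the file sound.dll. If the last two characters are kk, the software is registered. Note that this file is stored in several places: the installation directory and the Application Data folder on drive C.
So the keygen is no mystery.
Alas, the mischief is over; over is the mischief!

Nice analysis.
With an algorithm the author designed himself like this, it is easy to hide some hidden checks, or to add other verification in future versions of the program.
Where the keyfile is saved is interesting too, heh.

Heh, my analysis from last year is here: http://www.unpack.cn/thread-32005-1-1.html

No one is bumping such a good post?
Half a year has already gone by.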
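The design weakness the first post describes (flags that are set but never cleared, so only character membership is tested) beside a signature-based check, as an added example that is not part of the thread and is not the program's code. All function names, the licence string format and the toy RSA parameters are assumptions made for illustration.

```python
import hashlib

REQUIRED = "WD86"   # characters the loop in the post tests for
KEY_LEN = 16        # loop count reported in the post

def weak_check(key: str) -> bool:
    """The check as the post describes it: one flag per required character,
    set when the character is seen and never cleared afterwards."""
    seen = set()
    for ch in key[:KEY_LEN]:
        if ch in REQUIRED:
            seen.add(ch)
    return seen == set(REQUIRED)

# --- Hardened form (assumption, toy parameters) ------------------------------
# Constructed demo key built from two Mersenne primes. Far too small for real
# use, and both halves sit in one file only so the demo is self-contained; a
# real product would use Ed25519 or RSA-PSS from a vetted library.
_P, _Q = 2**127 - 1, 2**89 - 1
N, E = _P * _Q, 65537                    # public half: shipped in the client
_D = pow(E, -1, (_P - 1) * (_Q - 1))     # private half: stays with the vendor

def _digest(license_text: str) -> int:
    raw = hashlib.sha256(license_text.encode()).digest()
    return int.from_bytes(raw, "big") % N

def vendor_sign(license_text: str) -> int:
    """Vendor side only: requires the private exponent."""
    return pow(_digest(license_text), _D, N)

def client_verify(license_text: str, signature: int) -> bool:
    """Client side: uses only (N, E), so reading this routine in a debugger
    does not show how to produce a signature for a new licence."""
    return 0 <= signature < N and pow(signature, E, N) == _digest(license_text)
```

Storing the signed licence and re-verifying it at each start also replaces a fixed marker such as the two trailing bytes in sound.dll, which carries no proof that a check ever passed.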