超郁闷ing
前几日,云瑞给我个易吉八字算命……结果……分析得头都大了……眼看着那注册码在眼前,眼看着算法在眼前,结果却是被彻底地击败了~
哎……呜呼哀哉啊~~~~~~~~
[ Last edited by Saver on 2005-3-26 at 08:59 PM ] 上面的附件就是原文件
很简单的一个壳,不多说了
下面是我找到的一点算法
这里就是关键的两个 call
00405602 E8 A9120100 call yjbz__.004168B0 ////这里就是算你的注册码
00405607 8D4C24 0C lea ecx, dword ptr ss:
0040560B 8BE8 mov ebp, eax
0040560D E8 3E100100 call yjbz__.00416650 //这里你的机器码的转换
00405612 8BC8 mov ecx, eax
00405614 C1E1 04 shl ecx, 4
00405617 03C8 add ecx, eax
00405619 D1E1 shl ecx, 1
0040561B 3BE9 cmp ebp, ecx ; 关键比较,相等就可以了
0040561D /75 3B jnz short yjbz__.0040565A
0040561F |51 push ecx
00405620 |8BCC mov ecx, esp
00405622 |896424 14 mov dword ptr ss:, esp
00405626 |57 push edi 004168B0 81EC 900100>sub esp, 190
004168B6 56 push esi
004168B7 57 push edi
004168B8 C74424 08 1>mov dword ptr ss:, 1C
004168C0 C74424 0C 5>mov dword ptr ss:, 54
004168C8 C74424 10 5>mov dword ptr ss:, 51
004168D0 C74424 14 2>mov dword ptr ss:, 29
004168D8 C74424 18 4>mov dword ptr ss:, 48
004168E0 C74424 1C 2>mov dword ptr ss:, 23
004168E8 C74424 20 5>mov dword ptr ss:, 56
004168F0 C74424 24 1>mov dword ptr ss:, 17
004168F8 C74424 28 5>mov dword ptr ss:, 5C
00416900 C74424 2C 3>mov dword ptr ss:, 3C
00416908 C74424 30 0>mov dword ptr ss:, 0D
00416910 C74424 34 1>mov dword ptr ss:, 13
00416918 C74424 38 5>mov dword ptr ss:, 5B
00416920 C74424 3C 0>mov dword ptr ss:, 1
00416928 C74424 40 3>mov dword ptr ss:, 39
00416930 C74424 44 5>mov dword ptr ss:, 58
00416938 C74424 48 5>mov dword ptr ss:, 52
00416940 C74424 4C 2>mov dword ptr ss:, 2E
00416948 C74424 50 1>mov dword ptr ss:, 11
00416950 C74424 54 4>mov dword ptr ss:, 42
00416958 C74424 58 4>mov dword ptr ss:, 4D
00416960 C74424 5C 3>mov dword ptr ss:, 32
00416968 C74424 60 0>mov dword ptr ss:, 6
00416970 C74424 64 0>mov dword ptr ss:, 9
00416978 C74424 68 6>mov dword ptr ss:, 63
00416980 C74424 6C 0>mov dword ptr ss:, 0B
00416988 C74424 70 0>mov dword ptr ss:, 3
00416990 C74424 74 2>mov dword ptr ss:, 2B
00416998 C74424 78 0>mov dword ptr ss:, 0C
004169A0 C74424 7C 1>mov dword ptr ss:, 1A
004169A8 C78424 8000>mov dword ptr ss:, 2A
004169B3 C78424 8400>mov dword ptr ss:, 10
004169BE C78424 8800>mov dword ptr ss:, 3A
004169C9 C78424 8C00>mov dword ptr ss:, 24
004169D4 C78424 9000>mov dword ptr ss:, 4
004169DF C78424 9400>mov dword ptr ss:, 3D
004169EA C78424 9800>mov dword ptr ss:, 47
004169F5 C78424 9C00>mov dword ptr ss:, 5E
00416A00 C78424 A000>mov dword ptr ss:, 15
00416A0B C78424 A400>mov dword ptr ss:, 3F
00416A16 C78424 A800>mov dword ptr ss:, 16
00416A21 C78424 AC00>mov dword ptr ss:, 14
00416A2C C78424 B000>mov dword ptr ss:, 36
00416A37 C78424 B400>mov dword ptr ss:, 59
00416A42 C78424 B800>mov dword ptr ss:, 1E
00416A4D C78424 BC00>mov dword ptr ss:, 61
00416A58 C78424 C000>mov dword ptr ss:, 19
00416A63 C78424 C400>mov dword ptr ss:, 53
00416A6E C78424 C800>mov dword ptr ss:, 4A
00416A79 C78424 CC00>mov dword ptr ss:, 45
00416A84 C78424 D000>mov dword ptr ss:, 43
00416A8F C78424 D400>mov dword ptr ss:, 27
00416A9A C78424 D800>mov dword ptr ss:, 4C
00416AA5 C78424 DC00>mov dword ptr ss:, 46
00416AB0 C78424 E000>mov dword ptr ss:, 5F
00416ABB C78424 E400>mov dword ptr ss:, 35
00416AC6 C78424 E800>mov dword ptr ss:, 41
00416AD1 C78424 EC00>mov dword ptr ss:, 8
00416ADC C78424 F000>mov dword ptr ss:, 50
00416AE7 C78424 F400>mov dword ptr ss:, 3B
00416AF2 C78424 F800>mov dword ptr ss:, 25
00416AFD C78424 FC00>mov dword ptr ss:, 0F
00416B08 C78424 0001>mov dword ptr ss:, 1F
00416B13 C78424 0401>mov dword ptr ss:, 20
00416B1E C78424 0801>mov dword ptr ss:, 30
00416B29 C78424 0C01>mov dword ptr ss:, 1B
00416B34 C78424 1001>mov dword ptr ss:, 5D
00416B3F C78424 1401>mov dword ptr ss:, 4B
00416B4A C78424 1801>mov dword ptr ss:, 12
00416B55 C78424 1C01>mov dword ptr ss:, 33
00416B60 C78424 2001>mov dword ptr ss:, 34
00416B6B C78424 2401>mov dword ptr ss:, 2C
00416B76 C78424 2801>mov dword ptr ss:, 55
00416B81 C78424 2C01>mov dword ptr ss:, 62
00416B8C C78424 3001>mov dword ptr ss:, 7
00416B97 C78424 3401>mov dword ptr ss:, 18
00416BA2 C78424 3801>mov dword ptr ss:, 4F
00416BAD C78424 3C01>mov dword ptr ss:, 0A
00416BB8 C78424 4001>mov dword ptr ss:, 37
00416BC3 8B8424 9C01>mov eax, dword ptr ss: ; 假注册码->eax
00416BCA 33F6 xor esi, esi ; esi清零
00416BCC 6A 10 push 10
00416BCE 56 push esi
00416BCF 50 push eax
00416BD0 C78424 5001>mov dword ptr ss:, 28
00416BDB 89B424 5401>mov dword ptr ss:, esi
00416BE2 C78424 5801>mov dword ptr ss:, 4E
00416BED C78424 5C01>mov dword ptr ss:, 40
00416BF8 C78424 6001>mov dword ptr ss:, 2
00416C03 C78424 6401>mov dword ptr ss:, 0E
00416C0E C78424 6801>mov dword ptr ss:, 21
00416C19 C78424 6C01>mov dword ptr ss:, 26
00416C24 C78424 7001>mov dword ptr ss:, 1D
00416C2F C78424 7401>mov dword ptr ss:, 2F
00416C3A C78424 7801>mov dword ptr ss:, 57
00416C45 C78424 7C01>mov dword ptr ss:, 22
00416C50 C78424 8001>mov dword ptr ss:, 2D
00416C5B C78424 8401>mov dword ptr ss:, 60
00416C66 C78424 8801>mov dword ptr ss:, 5
00416C71 C78424 8C01>mov dword ptr ss:, 5A
00416C7C C78424 9001>mov dword ptr ss:, 3E
00416C87 C78424 9401>mov dword ptr ss:, 38
00416C92 C78424 9801>mov dword ptr ss:, 31
00416C9D C78424 9C01>mov dword ptr ss:, 44
00416CA8 C78424 A001>mov dword ptr ss:, 49
00416CB3 E8 45C00000 call yjbz__.00422CFD ; 取假注册码
00416CB8 8BF8 mov edi, eax ; edi=eax=假注册码
00416CBA B9 64000000 mov ecx, 64 ; ecx=64(100)
00416CBF 99 cdq
00416CC0 83C4 0C add esp, 0C
00416CC3 F7F9 idiv ecx ; 取余(64),eax为商,edx为余数
00416CC5 8D4424 08 lea eax, dword ptr ss:
00416CC9 3910 cmp dword ptr ds:, edx
00416CCB 74 09 je short yjbz__.00416CD6
00416CCD 46 inc esi ; 比较后取余数所在的第几个(16进制表示)
00416CCE 83C0 04 add eax, 4
00416CD1 83FE 63 cmp esi, 63
00416CD4^ 7E F3 jle short yjbz__.00416CC9
00416CD6 8D8C24 9C01>lea ecx, dword ptr ss:
00416CDD E8 8EE00100 call yjbz__.00434D70 ; 取假注册码
00416CE2 8BC7 mov eax, edi ; eax=edi=假注册码
00416CE4 B9 10270000 mov ecx, 2710 ; 10000
00416CE9 99 cdq ; eax=F35,edx=AD3
00416CEA F7F9 idiv ecx ; 取余(2710),eax=商,edx=余数
00416CEC B8 1F85EB51 mov eax, 51EB851F ; eax=51EB851F
00416CF1 8BCA mov ecx, edx ; ecx=AD3=余数
00416CF3 F7E9 imul ecx ; edx为高位(376),eax为低8位(B851EE8D)
00416CF5 C1FA 05 sar edx, 5 ; edx=edx/2/2/2/2/2(16进制)=1B
00416CF8 8BC2 mov eax, edx
00416CFA C1E8 1F shr eax, 1F ; 逻辑右移,eax=0
00416CFD 03D0 add edx, eax ; EDX=1B
00416CFF 8B5494 08 mov edx, dword ptr ss:; edx=2B(列表中的数),esp固定为12f2c4
00416D03 8D0492 lea eax, dword ptr ds: ; eax=5*edx=D7
00416D06 8D0480 lea eax, dword ptr ds: ; eax=5*eax
00416D09 C1E0 02 shl eax, 2 ; eax=eax*4
00416D0C 2BC1 sub eax, ecx ; eax=eax-ecx=5F9
00416D0E 03C6 add eax, esi ; eax=eax+esi=61D
00416D10 03C7 add eax, edi ; eax=eax+edi(既加上假注册码)
00416D12 5F pop edi
00416D13 5E pop esi
00416D14 81C4 900100>add esp, 190
00416D1A C2 0400 retn 4
上面有很多注释都是根据实际运行时的数据随手留下的,写得不是很清楚,不好意思了。
0012F2CC1C 00 00 00 54 00 00 00...T...0,1(每行2个)
0012F2D451 00 00 00 29 00 00 00Q...)...2,3(下面都应该以偶数开始的)
0012F2DC48 00 00 00 23 00 00 00H...#...5,6*****这里开始,序号写乱了
0012F2E456 00 00 00 17 00 00 00V......7,8
0012F2EC5C 00 00 00 3C 00 00 00\...<...9,10
0012F2F40D 00 00 00 13 00 00 00.......11,12
0012F2FC5B 00 00 00 01 00 00 00[......13
0012F30439 00 00 00 58 00 00 009...X...15
0012F30C52 00 00 00 2E 00 00 00R.......17
0012F31411 00 00 00 42 00 00 00...B...19
0012F31C4D 00 00 00 32 00 00 00M...2...21
0012F32406 00 00 00 09 00 00 00.......23
0012F32C63 00 00 00 0B 00 00 00c......25
0012F33403 00 00 00 2B 00 00 00...+...27
0012F33C0C 00 00 00 1A 00 00 00.......29
0012F3442A 00 00 00 10 00 00 00*......31
0012F34C3A 00 00 00 24 00 00 00:...$...33
0012F35404 00 00 00 3D 00 00 00...=...35
0012F35C47 00 00 00 5E 00 00 00G...^...37
0012F36415 00 00 00 3F 00 00 00...?...39
0012F36C16 00 00 00 14 00 00 00......41
0012F37436 00 00 00 59 00 00 006...Y...43
0012F37C1E 00 00 00 61 00 00 00...a...45
0012F38419 00 00 00 53 00 00 00...S...47
0012F38C4A 00 00 00 45 00 00 00J...E...49
0012F39443 00 00 00 27 00 00 00C...'...51
0012F39C4C 00 00 00 46 00 00 00L...F...53
0012F3A45F 00 00 00 35 00 00 00_...5...55
0012F3AC41 00 00 00 08 00 00 00A......57
0012F3B450 00 00 00 3B 00 00 00P...;...59
0012F3BC25 00 00 00 0F 00 00 00%......61
0012F3C41F 00 00 00 20 00 00 00... ...63
0012F3CC30 00 00 00 1B 00 00 000......65
0012F3D45D 00 00 00 4B 00 00 00]...K...67
0012F3DC12 00 00 00 33 00 00 00...3...69
0012F3E434 00 00 00 2C 00 00 004...,...71
0012F3EC55 00 00 00 62 00 00 00U...b...73
0012F3F407 00 00 00 18 00 00 00......75
0012F3FC4F 00 00 00 0A 00 00 00O.......77
0012F40437 00 00 00 28 00 00 007...(...79
0012F40C00 00 00 00 4E 00 00 00....N...80*****这里开始改过来了
0012F41440 00 00 00 02 00 00 00@......82
0012F41C0E 00 00 00 21 00 00 00...!...84
0012F42426 00 00 00 1D 00 00 00&......86
0012F42C2F 00 00 00 57 00 00 00/...W...88
0012F43422 00 00 00 2D 00 00 00"...-...90
0012F43C60 00 00 00 05 00 00 00`......92
0012F4445A 00 00 00 3E 00 00 00Z...>...94
0012F44C38 00 00 00 31 00 00 008...1...96
0012F45444 00 00 00 49 00 00 00D...I...98
这里就是上面那一大串 MOV 在内存转储(dump)中所对应的数据
一共是 100 个吧(64H,还是 63H?)我看得头都大了