Desktop Icon Toy 5.0 keygen
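Advantage: it works well alongside Fences. Fences groups the shortcuts together, while Desktop Icon Toy makes single-click launch apply to desktop shortcuts only (https://forums.stardock.com/378677).
Download link: http://idesksoft.com/download.html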
keygen
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int main(void) {
#define MAXLINE 256
char line = {0};
char *name = line;
long name_len = 0, name_sum = 0, i;
if (fgets(line, MAXLINE, stdin) != NULL) {
name_len = strcspn(line, "\r\n");
line = 0;
for (i = 0; i < 9; i++) {
if (line < 'A')
break;
if (line >= 'Z')
line = line - 0x20;
name_sum += line;
}
name_sum ^= 0x24681357;
name_sum ^= 0x13572468;
printf("name: [%s].\n", name);
printf("key: [%ld].\n", name_sum);
}
return EXIT_SUCCESS;
}
Analysis
Not packed. Search for the strings, set breakpoints on their references, and single-step to observe.
00410361|.E8 3C280200 CALL <JMP.&MFC42u.#6279>
00410366|.A1 188A4400 MOV EAX, DWORD PTR DS: ;EAX = global variable, char* of the registration name
0041036B|.B9 D0884400 MOV ECX, DesktopI.004488D0
00410370|.50 PUSH EAX
00410371|.68 8C464400 PUSH DesktopI.0044468C ;User Name
00410376|.68 DC244400 PUSH DesktopI.004424DC ;Settings
0041037B|.E8 A8260200 CALL <JMP.&MFC42u.#6399>
00410380|.8B0D 1C8A4400 MOV ECX, DWORD PTR DS: ;ECX = global variable, char* of the fake serial
00410386|.51 PUSH ECX
00410387|.68 5C3F4400 PUSH DesktopI.00443F5C ;Serial Number
0041038C|.68 DC244400 PUSH DesktopI.004424DC ;Settings
00410391|.B9 D0884400 MOV ECX, DesktopI.004488D0
00410396|.E8 8D260200 CALL <JMP.&MFC42u.#6399>
0041039B|.8B5424 10 MOV EDX, DWORD PTR SS: ;EDX = char* of the registration name
0041039F|.A1 188A4400 MOV EAX, DWORD PTR DS: ;EAX = global variable, char* of the registration name
004103A4|.8B2D CC774300 MOV EBP, DWORD PTR DS:[<&MSVCRT.wcscmp>]
004103AA|.52 PUSH EDX ; /wstr2 = "chinapyg"
004103AB|.50 PUSH EAX ; |wstr1 = 00000001 ???
004103AC|.FFD5 CALL NEAR EBP ; \wcscmp
004103AE|.83C4 08 ADD ESP, 8
004103B1|.85C0 TEST EAX, EAX ;EAX = 0 if the user name is the same as in the previous attempt
004103B3|.75 19 JNZ SHORT DesktopI.004103CE
004103B5|.8B4C24 24 MOV ECX, DWORD PTR SS: ;ECX = char* of the new fake serial
004103B9|.8B15 1C8A4400 MOV EDX, DWORD PTR DS: ;EDX = global variable, char* of the old fake serial
004103BF|.51 PUSH ECX
004103C0|.52 PUSH EDX
004103C1|.FFD5 CALL NEAR EBP ;msvcrt.wcscmp
004103C3|.83C4 08 ADD ESP, 8
004103C6|.85C0 TEST EAX, EAX ;EAX = 0 if the fake serial is the same as in the previous attempt; if both are equal, jump (to do what?)
004103C8|.0F84 DA010000 JE DesktopI.004105A8
004103CE|>51 PUSH ECX
004103CF|.8BCC MOV ECX, ESP
004103D1|.896424 18 MOV DWORD PTR SS:, ESP
004103D5|.68 1C8A4400 PUSH DesktopI.00448A1C
004103DA|.E8 09270200 CALL <JMP.&MFC42u.#535>
004103DF|.51 PUSH ECX
004103E0|.C68424 14120000 1F MOV BYTE PTR SS:, 1F
004103E8|.8BCC MOV ECX, ESP
004103EA|.896424 28 MOV DWORD PTR SS:, ESP
004103EE|.68 188A4400 PUSH DesktopI.00448A18 ;ASCII "PG9"
004103F3|.E8 F0260200 CALL <JMP.&MFC42u.#535>
004103F8|.C68424 14120000 1E MOV BYTE PTR SS:, 1E
00410400|.E8 1BB8FFFF CALL DesktopI.0040BC20 ;the top two stack entries are the registration name and the fake serial
00410405|.83C4 08 ADD ESP, 8
00410408|.85C0 TEST EAX, EAX
0041040A|.0F84 CC000000 JE DesktopI.004104DC
00410410|.8D4C24 1C LEA ECX, DWORD PTR SS:
00410414|.E8 27260200 CALL <JMP.&MFC42u.#540>
00410419|.51 PUSH ECX
0041041A|.C68424 10120000 20 MOV BYTE PTR SS:, 20
00410422|.8BCC MOV ECX, ESP
00410424|.896424 18 MOV DWORD PTR SS:, ESP
00410428|.68 88504400 PUSH DesktopI.00445088 ;Thank you for using Desktop Icon Toy, registered successfully, please restart!
0040BC20/$6A FF PUSH -1 ;local calls from 0040D180, 00410400; presumably the registration check on button click and the registration check at startup
0040BC22|.68 B0424300 PUSH DesktopI.004342B0 ;SE handler installation
0040BC27|.64:A1 00000000 MOV EAX, DWORD PTR FS:
0040BC2D|.50 PUSH EAX
0040BC2E|.64:8925 00000000 MOV DWORD PTR FS:, ESP
0040BC35|.51 PUSH ECX
0040BC36|.53 PUSH EBX
0040BC37|.56 PUSH ESI
0040BC38|.51 PUSH ECX
0040BC39|.8D4424 20 LEA EAX, DWORD PTR SS:
0040BC3D|.8BCC MOV ECX, ESP
0040BC3F|.896424 0C MOV DWORD PTR SS:, ESP ;+C is char* of the registration name (try "d +C"), EDX-C is char* of the fake serial
0040BC43|.50 PUSH EAX
0040BC44|.C74424 1C 01000000 MOV DWORD PTR SS:, 1
0040BC4C|.E8 976E0200 CALL <JMP.&MFC42u.#535> ;after the CALL, is char* of the registration name
0040BC51|.E8 2AFFFFFF CALL DesktopI.0040BB80
0040BC56|.8D5424 24 LEA EDX, DWORD PTR SS: ; holds the fake serial
0040BC5A|.8BCC MOV ECX, ESP ; holds the registration name
0040BC5C|.896424 0C MOV DWORD PTR SS:, ESP
0040BC60|.52 PUSH EDX
0040BC61|.8BF0 MOV ESI, EAX
0040BC63|.E8 806E0200 CALL <JMP.&MFC42u.#535>
0040BC68|.E8 73FFFFFF CALL DesktopI.0040BBE0
0040BC6D|.83C4 04 ADD ESP, 4
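0040BC70|.3BF0 CMP ESI, EAX ;compares the results computed from the registration name and from the fake serial. If they are equal, a further check against the validation entries built into the program is still required (to block free licenses)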
0040BC72|.74 0A JE SHORT DesktopI.0040BC7E
0040BC74|.C64424 14 00 MOV BYTE PTR SS:, 0
0040BC79|.E9 9D000000 JMP DesktopI.0040BD1B
0040BC7E|>8B4424 1C MOV EAX, DWORD PTR SS:
0040BC82|.8B35 CC774300 MOV ESI, DWORD PTR DS:[<&MSVCRT.wcscmp>]
0040BC88|.68 0C3F4400 PUSH DesktopI.00443F0C ; /[email protected]
0040BC8D|.50 PUSH EAX ; |wstr1 = 00000001 ???
0040BC8E|.FFD6 CALL NEAR ESI ; \wcscmp
0040BC90|.33DB XOR EBX, EBX
0040BC92|.83C4 08 ADD ESP, 8
0040BC95|.3BC3 CMP EAX, EBX
0040BC97|.74 7E JE SHORT DesktopI.0040BD17
0040BC99|.8B4C24 1C MOV ECX, DWORD PTR SS:
0040BC9D|?68 D43E4400 PUSH DesktopI.00443ED4 ;[email protected]
0040BCA2|?51 PUSH ECX
0040BCA3|?FFD6 CALL NEAR ESI
0040BCA5|.83C4 08 ADD ESP, 8
0040BCA8|.3BC3 CMP EAX, EBX
0040BCAA|.74 6B JE SHORT DesktopI.0040BD17
0040BB80/$8B4424 04 MOV EAX, DWORD PTR SS: ;EAX = char* of the registration name
0040BB84|.56 PUSH ESI
0040BB85|.57 PUSH EDI
0040BB86|.33FF XOR EDI, EDI
0040BB88|.8B70 F8 MOV ESI, DWORD PTR DS: ;ESI = registration name length (for a C++ string, is the length stored in the 1st DWORD and the characters in DWORDs 3 to n?)
0040BB8B|.33C9 XOR ECX, ECX ;zero ECX
0040BB8D|.85F6 TEST ESI, ESI
0040BB8F|.7E 2F JLE SHORT DesktopI.0040BBC0
0040BB91|.8BD0 MOV EDX, EAX ;EDX = EAX, char* of the registration name
0040BB93|>83F9 09 /CMP ECX, 9
0040BB96|.7F 28 |JG SHORT DesktopI.0040BBC0 ;only the first 9 characters of the registration name are counted
0040BB98|.66:8B02 |MOV AX, WORD PTR DS:
0040BB9B|.66:3D 4100 |CMP AX, 41
0040BB9F|.72 1F |JB SHORT DesktopI.0040BBC0 ;stop the loop at the first character in the registration name that is below A
0040BBA1|.66:3D 5A00 |CMP AX, 5A
0040BBA5|.76 0A |JBE SHORT DesktopI.0040BBB1
0040BBA7|.25 FFFF0000 |AND EAX, 0FFFF
0040BBAC|.83E8 20 |SUB EAX, 20 ;if outside the range, convert lowercase to uppercase
0040BBAF|.EB 05 |JMP SHORT DesktopI.0040BBB6
0040BBB1|>25 FFFF0000 |AND EAX, 0FFFF
0040BBB6|>03F8 |ADD EDI, EAX ;accumulate
0040BBB8|.41 |INC ECX
0040BBB9|.83C2 02 |ADD EDX, 2 ;UNICODE
0040BBBC|.3BCE |CMP ECX, ESI
0040BBBE|.^ 7C D3 \JL SHORT DesktopI.0040BB93
0040BBC0|>8D4C24 0C LEA ECX, DWORD PTR SS:
0040BBC4|.E8 F36D0200 CALL <JMP.&MFC42u.#800>
0040BBC9|.8BC7 MOV EAX, EDI
0040BBCB|.5F POP EDI ;00397898
0040BBCC|.35 57136824 XOR EAX, 24681357 ;XOR the result with 0x24681357, leaving it in EAX
0040BBD1|.5E POP ESI ;00397898
0040BBD2\.C3 RETN
0040BBE0/$8B4C24 04 MOV ECX, DWORD PTR SS: ;ECX is char* of the fake serial
0040BBE4|.56 PUSH ESI
0040BBE5|.33F6 XOR ESI, ESI
0040BBE7|.33C0 XOR EAX, EAX
0040BBE9|.8B51 F8 MOV EDX, DWORD PTR DS: ;EDX = fake serial length
0040BBEC|.57 PUSH EDI
0040BBED|.85D2 TEST EDX, EDX
0040BBEF|.7E 19 JLE SHORT DesktopI.0040BC0A
0040BBF1|>83F8 09 /CMP EAX, 9
0040BBF4|.7D 14 |JGE SHORT DesktopI.0040BC0A
0040BBF6|.33FF |XOR EDI, EDI
0040BBF8|.8D34B6 |LEA ESI, DWORD PTR DS: ;ESI'' = ESI' * 5
0040BBFB|.66:8B39 |MOV DI, WORD PTR DS: ;note that it is WORD PTR: iterates over each UNICODE character
0040BBFE|.40 |INC EAX
0040BBFF|.83C1 02 |ADD ECX, 2
0040BC02|.3BC2 |CMP EAX, EDX
0040BC04|.8D7477 D0 |LEA ESI, DWORD PTR DS: ;ESI''' = ESI''*2 (or ESI'*10) + the character's ASCII value - 0x30 ('0'). In other words, atoi
0040BC08|.^ 7C E7 \JL SHORT DesktopI.0040BBF1
0040BC0A|>8D4C24 0C LEA ECX, DWORD PTR SS:
0040BC0E|.E8 A96D0200 CALL <JMP.&MFC42u.#800>
0040BC13|.8BC6 MOV EAX, ESI ;EAX = ESI = the value computed from the fake serial
0040BC15|.5F POP EDI ;
0040BC16|.35 68245713 XOR EAX, 13572468 ;then XOR with 13572468
0040BC1B|.5E POP ESI ;
0040BC1C\.C3 RETN
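0day keygen: http://www.0daydown.com/07/392583.html
Exercise from lesson 54... (the registration mechanism appears to be exactly the same) https://www.chinapyg.com/search.php?mod=forum&searchid=352&orderby=lastpost&ascdesc=desc&searchsubmit=yes&kw=Desktop+Icon+Toy
Registration info: HKCU\Software\IDeskSoft\DesktopIconToy\Settings
Thanks to the expert for providing this, downloading it to play around with.
Thanks for sharing, master. Saved it.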