1st Disk Drive Protector注册码分析:
目标程序: 见附件
程序刚开始未解码完全,貌似找不到提示字符串!
单步跟踪一段代码,或者运行后,(当然也可以采用破外挂常用的暂停堆栈调用法)找到字符串“registration code is invalid”。
来到此处,在段首下断。
;-----------------------------------------------------------------------
; 0046A6B8 - handler that reads the entered registration code, validates
; it through 0046A418 and shows the success / failure message box.
; (OllyDbg dump; addresses and bytes are the program's, comments are ours.)
; In:     eax = object pointer, saved at [ebp-4] (register-passing
;         convention with eax/edx/ecx args - looks Borland-style, TODO confirm)
; Globals: 00473D88 = string that receives the entered code and that
;         0046A418 reads; [473D84] = another global handed to
;         004668CC/00466970 as first arg (purpose unconfirmed)
; Locals: 13 zeroed dwords [ebp-4]..[ebp-34], released at 0046A835
; Flow:   code -> global 00473D88 -> call 0046A418 -> al==0 jumps to the
;         "registration code is invalid!" box at 0046A806; otherwise
;         [obj+3CC]=1, two values are stored via 00466970 and the
;         "completed successfully" box is shown.
;-----------------------------------------------------------------------
0046A6B8 /$ 55 push ebp
0046A6B9 |. 8BEC mov ebp, esp
0046A6BB |. B9 06000000 mov ecx, 6 ; 6 iterations x 2 pushes = 12 zeroed local dwords
0046A6C0 |> 6A 00 /push 0
0046A6C2 |. 6A 00 |push 0
0046A6C4 |. 49 |dec ecx
0046A6C5 |.^ 75 F9 \jnz short 0046A6C0
0046A6C7 |. 51 push ecx ; ecx == 0 here: 13th zeroed local, [ebp-34]
0046A6C8 |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = object pointer received in eax
0046A6CB |. 33C0 xor eax, eax ; eax = 0 -> fs:[0] is the SEH chain head
0046A6CD |. 55 push ebp
0046A6CE |. 68 58A84600 push 0046A858 ; exception handler address
0046A6D3 |. 64:FF30 push dword ptr fs:[eax] ; save previous fs:[0]
0046A6D6 |. 64:8920 mov dword ptr fs:[eax], esp ; link this frame into the SEH chain
0046A6D9 |. 8D55 EC lea edx, dword ptr [ebp-14] ; edx = &[ebp-14] (out string)
0046A6DC |. 8B45 FC mov eax, dword ptr [ebp-4]
0046A6DF |. 8B80 AC030000 mov eax, dword ptr [eax+3AC] ; eax = obj->field_3AC (presumably the edit control holding the code - TODO confirm)
0046A6E5 |. E8 7264FDFF call 00440B5C ; [ebp-14] = text read from that field (inferred)
0046A6EA |. 8B45 EC mov eax, dword ptr [ebp-14]
0046A6ED |. 8D55 F0 lea edx, dword ptr [ebp-10]
0046A6F0 |. E8 3BBBFFFF call 00466230 ; [ebp-10] = 00466230([ebp-14]); some string transform of the input, unconfirmed
0046A6F5 |. 8B55 F0 mov edx, dword ptr [ebp-10]
0046A6F8 |. B8 883D4700 mov eax, 00473D88 ; destination: the global code string
0046A6FD |. E8 3AA3F9FF call 00404A3C ; store [ebp-10] into global 00473D88 (the value 0046A418 validates)
0046A702 |. E8 11FDFFFF call 0046A418 ; key call: validator, returns al = 1 when the code passes
0046A707 |. 8845 FB mov byte ptr [ebp-5], al
0046A70A |. 807D FB 00 cmp byte ptr [ebp-5], 0
0046A70E |. 0F84 F2000000 je 0046A806 ; al == 0 -> "registration code is invalid!" path
0046A714 |. 8B45 FC mov eax, dword ptr [ebp-4]
0046A717 |. C680 CC030000>mov byte ptr [eax+3CC], 1 ; obj->field_3CC = 1 (byte flag, presumably "registered")
0046A71E |. 8D45 F4 lea eax, dword ptr [ebp-C]
0046A721 |. 50 push eax ; &[ebp-C] saved; popped into ecx at 0046A748 as 3rd arg of 004668CC
0046A722 |. 8D55 E8 lea edx, dword ptr [ebp-18]
0046A725 |. B8 70A84600 mov eax, 0046A870 ; b9bb8c819888ab829fba848389829abe849788 ; non-printable constant, presumably decoded at runtime by 00466710
0046A72A |. E8 E1BFFFFF call 00466710 ; [ebp-18] = decoded string (inferred)
0046A72F |. 8B45 E8 mov eax, dword ptr [ebp-18]
0046A732 |. 50 push eax
0046A733 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
0046A736 |. B8 A0A84600 mov eax, 0046A8A0 ; be828b999a8c9f88b1c8bdbfa2aaa3aca0a8c8 ; same constant reused at 0046A773 and 0046A7BD
0046A73B |. E8 D8FDFFFF call 0046A518 ; [ebp-1C] = second decode step (inferred)
0046A740 |. 8B55 E4 mov edx, dword ptr [ebp-1C]
0046A743 |. A1 843D4700 mov eax, dword ptr [473D84] ; eax = global object [473D84]
0046A748 |. 59 pop ecx ; ecx = &[ebp-C] (pushed at 0046A721)
0046A749 |. E8 7EC1FFFF call 004668CC ; 004668CC([473D84], [ebp-1C], &[ebp-C]); writes [ebp-C], tested at 0046A78B
0046A74E |. 8D55 E0 lea edx, dword ptr [ebp-20]
0046A751 |. A1 883D4700 mov eax, dword ptr [473D88] ; eax = the accepted code string
0046A756 |. E8 FDBEFFFF call 00466658 ; [ebp-20] = 00466658(code); transform unconfirmed
0046A75B |. 8B45 E0 mov eax, dword ptr [ebp-20]
0046A75E |. 50 push eax ; popped into ecx at 0046A785
0046A75F |. 8D55 DC lea edx, dword ptr [ebp-24]
0046A762 |. B8 D0A84600 mov eax, 0046A8D0 ; bdbb8c819888ab829fba848389829abe849788 ; differs from 0046A870 only in the first byte
0046A767 |. E8 A4BFFFFF call 00466710
0046A76C |. 8B45 DC mov eax, dword ptr [ebp-24]
0046A76F |. 50 push eax
0046A770 |. 8D55 D8 lea edx, dword ptr [ebp-28]
0046A773 |. B8 A0A84600 mov eax, 0046A8A0 ; be828b999a8c9f88b1c8bdbfa2aaa3aca0a8c8
0046A778 |. E8 9BFDFFFF call 0046A518
0046A77D |. 8B55 D8 mov edx, dword ptr [ebp-28]
0046A780 |. A1 843D4700 mov eax, dword ptr [473D84]
0046A785 |. 59 pop ecx ; ecx = [ebp-20] (transformed code)
0046A786 |. E8 E5C1FFFF call 00466970 ; 00466970([473D84], [ebp-28], [ebp-20]); presumably persists the code under the decoded name - TODO confirm
0046A78B |. 837D F4 00 cmp dword ptr [ebp-C], 0 ; [ebp-C] was filled by 004668CC
0046A78F |. 75 44 jnz short 0046A7D5 ; non-zero skips the float-to-string store below
0046A791 |. E8 1EFEF9FF call 0040A5B4 ; returns a value on the x87 stack (inferred from the fstp)
0046A796 |. 83C4 F4 add esp, -0C ; room for one 80-bit temp
0046A799 |. DB3C24 fstp tbyte ptr [esp]
0046A79C |. 9B wait
0046A79D |. 8D45 D4 lea eax, dword ptr [ebp-2C]
0046A7A0 |. E8 C7F8F9FF call 0040A06C ; [ebp-2C] = string form of that value (presumably float-to-string; pops the 0C bytes - TODO confirm)
0046A7A5 |. 8B45 D4 mov eax, dword ptr [ebp-2C]
0046A7A8 |. 50 push eax ; popped into ecx at 0046A7CF
0046A7A9 |. 8D55 D0 lea edx, dword ptr [ebp-30]
0046A7AC |. B8 70A84600 mov eax, 0046A870 ; b9bb8c819888ab829fba848389829abe849788
0046A7B1 |. E8 5ABFFFFF call 00466710
0046A7B6 |. 8B45 D0 mov eax, dword ptr [ebp-30]
0046A7B9 |. 50 push eax
0046A7BA |. 8D55 CC lea edx, dword ptr [ebp-34]
0046A7BD |. B8 A0A84600 mov eax, 0046A8A0 ; be828b999a8c9f88b1c8bdbfa2aaa3aca0a8c8
0046A7C2 |. E8 51FDFFFF call 0046A518
0046A7C7 |. 8B55 CC mov edx, dword ptr [ebp-34]
0046A7CA |. A1 843D4700 mov eax, dword ptr [473D84]
0046A7CF |. 59 pop ecx ; ecx = [ebp-2C]
0046A7D0 |. E8 9BC1FFFF call 00466970 ; same store routine as 0046A786, second value
0046A7D5 |> A1 A0E94600 mov eax, dword ptr [46E9A0]
0046A7DA |. 8B00 mov eax, dword ptr [eax]
0046A7DC |. 8B80 B0030000 mov eax, dword ptr [eax+3B0] ; eax = (*[46E9A0])->field_3B0
0046A7E2 |. BA 00A94600 mov edx, 0046A900 ; software (ctrl+r)
0046A7E7 |. E8 7C7EFEFF call 00452668 ; applies the "software" string to that field; purpose unconfirmed
0046A7EC |. 6A 40 push 40 ; 0x40 matches MB_ICONINFORMATION
0046A7EE |. B9 14A94600 mov ecx, 0046A914 ; information
0046A7F3 |. BA 20A94600 mov edx, 0046A920 ; registration has been completed successfully!
0046A7F8 |. A1 A0EB4600 mov eax, dword ptr [46EBA0]
0046A7FD |. 8B00 mov eax, dword ptr [eax] ; eax = *[46EBA0] (presumably the application object)
0046A7FF |. E8 505DFFFF call 00460554 ; message box: (obj, text, caption, flags)
0046A804 |. EB 22 jmp short 0046A828
0046A806 |> B8 883D4700 mov eax, 00473D88 ; failure path: eax = &global code string
0046A80B |. E8 D8A1F9FF call 004049E8 ; also used on local [ebp-14] at 0046A845, so presumably clears/frees the string
0046A810 |. 6A 10 push 10 ; 0x10 matches MB_ICONERROR
0046A812 |. B9 50A94600 mov ecx, 0046A950 ; error
0046A817 |. BA 58A94600 mov edx, 0046A958 ; registration code is invalid!
0046A81C |. A1 A0EB4600 mov eax, dword ptr [46EBA0]
0046A821 |. 8B00 mov eax, dword ptr [eax]
0046A823 |. E8 2C5DFFFF call 00460554 ; message box, same routine as 0046A7FF
0046A828 |> 33C0 xor eax, eax ; both paths join here; eax = 0 for fs:[0]
0046A82A |. 5A pop edx ; edx = previous fs:[0] (pushed at 0046A6D3)
0046A82B |. 59 pop ecx ; discard handler address
0046A82C |. 59 pop ecx ; discard saved ebp
0046A82D |. 64:8910 mov dword ptr fs:[eax], edx ; unlink the SEH frame
0046A830 |. 68 5FA84600 push 0046A85F ; return address for the retn below: the cleanup is a finally-style block, presumably also entered from handler 0046A858
0046A835 |> 8D45 CC lea eax, dword ptr [ebp-34]
0046A838 |. BA 08000000 mov edx, 8 ; 8 consecutive locals: [ebp-34]..[ebp-18]
0046A83D |. E8 CAA1F9FF call 00404A0C ; release them (presumably a string finalizer - TODO confirm)
0046A842 |. 8D45 EC lea eax, dword ptr [ebp-14]
0046A845 |. E8 9EA1F9FF call 004049E8 ; release [ebp-14]
0046A84A |. 8D45 F0 lea eax, dword ptr [ebp-10]
0046A84D |. BA 02000000 mov edx, 2 ; [ebp-10] and [ebp-C]
0046A852 |. E8 B5A1F9FF call 00404A0C
0046A857 \. C3 retn ; continues at 0046A85F (pushed at 0046A830), not at the original caller
在0046A702行(关键CALL)跟进。
;-----------------------------------------------------------------------
; 0046A418 - registration-code validator (OllyDbg dump, comments ours).
; In:     global [473D88] = pointer to the entered code; its length is
;         read from the dword stored 4 bytes before the character data
; Out:    al = 1 if the code passes, 0 otherwise
; Locals: [ebp-8] = number of matching positions, [ebp-1] = result,
;         [ebp-C] = copy of the pointer, [ebp-10] = pointer, then length
; Check:  length must be 14 and seven fixed positions must hold constant
;         characters; the remaining positions are never examined. No
;         secret, hash or computation is involved, which is why the check
;         is weak - a sound scheme would derive the code from a secret
;         or verify a signature rather than compare constant characters.
;-----------------------------------------------------------------------
0046A418 /$ 55 push ebp
0046A419 |. 8BEC mov ebp, esp
0046A41B |. 83C4 F0 add esp, -10 ; four dwords of locals
0046A41E |. 33C0 xor eax, eax
0046A420 |. 8945 F8 mov dword ptr [ebp-8], eax ; match counter = 0
0046A423 |. C645 FF 00 mov byte ptr [ebp-1], 0 ; result = 0 (fail by default)
0046A427 |. A1 883D4700 mov eax, dword ptr [473D88] ; eax = code pointer
0046A42C |. 8945 F4 mov dword ptr [ebp-C], eax
0046A42F |. 8B45 F4 mov eax, dword ptr [ebp-C]
0046A432 |. 8945 F0 mov dword ptr [ebp-10], eax
0046A435 |. 837D F0 00 cmp dword ptr [ebp-10], 0 ; null pointer = empty code; keep length 0
0046A439 |. 74 0B je short 0046A446
0046A43B |. 8B45 F0 mov eax, dword ptr [ebp-10]
0046A43E |. 83E8 04 sub eax, 4
0046A441 |. 8B00 mov eax, dword ptr [eax] ; length dword stored just before the data (length-prefixed string layout)
0046A443 |. 8945 F0 mov dword ptr [ebp-10], eax ; [ebp-10] = length
0046A446 |> 837D F0 0E cmp dword ptr [ebp-10], 0E ; length must be 14
0046A44A |. 0F85 85000000 jnz 0046A4D5 ; otherwise return 0
0046A450 |. A1 883D4700 mov eax, dword ptr [473D88]
0046A455 |. 8038 34 cmp byte ptr [eax], 34 ; code[0] == '4' (0x34)
0046A458 |. 0F94C0 sete al ; al = 0/1
0046A45B |. 83E0 7F and eax, 7F ; clear the upper bits so eax is exactly 0 or 1
0046A45E |. 0145 F8 add dword ptr [ebp-8], eax ; count the match
0046A461 |. A1 883D4700 mov eax, dword ptr [473D88]
0046A466 |. 8078 02 36 cmp byte ptr [eax+2], 36 ; code[2] == '6'
0046A46A |. 0F94C0 sete al
0046A46D |. 83E0 7F and eax, 7F
0046A470 |. 0145 F8 add dword ptr [ebp-8], eax
0046A473 |. A1 883D4700 mov eax, dword ptr [473D88]
0046A478 |. 8078 03 31 cmp byte ptr [eax+3], 31 ; code[3] == '1'
0046A47C |. 0F94C0 sete al
0046A47F |. 83E0 7F and eax, 7F
0046A482 |. 0145 F8 add dword ptr [ebp-8], eax
0046A485 |. A1 883D4700 mov eax, dword ptr [473D88]
0046A48A |. 8078 04 32 cmp byte ptr [eax+4], 32 ; code[4] == '2'
0046A48E |. 0F94C0 sete al
0046A491 |. 83E0 7F and eax, 7F
0046A494 |. 0145 F8 add dword ptr [ebp-8], eax
0046A497 |. A1 883D4700 mov eax, dword ptr [473D88]
0046A49C |. 8078 07 36 cmp byte ptr [eax+7], 36 ; code[7] == '6'
0046A4A0 |. 0F94C0 sete al
0046A4A3 |. 83E0 7F and eax, 7F
0046A4A6 |. 0145 F8 add dword ptr [ebp-8], eax
0046A4A9 |. A1 883D4700 mov eax, dword ptr [473D88]
0046A4AE |. 8078 08 36 cmp byte ptr [eax+8], 36 ; code[8] == '6'
0046A4B2 |. 0F94C0 sete al
0046A4B5 |. 83E0 7F and eax, 7F
0046A4B8 |. 0145 F8 add dword ptr [ebp-8], eax
0046A4BB |. A1 883D4700 mov eax, dword ptr [473D88]
0046A4C0 |. 8078 0A 37 cmp byte ptr [eax+A], 37 ; code[10] == '7'
0046A4C4 |. 0F94C0 sete al
0046A4C7 |. 83E0 7F and eax, 7F
0046A4CA |. 0145 F8 add dword ptr [ebp-8], eax
0046A4CD |. 837D F8 07 cmp dword ptr [ebp-8], 7 ; all seven positions matched?
0046A4D1 |. 0F9445 FF sete byte ptr [ebp-1] ; result = 1 only then
0046A4D5 |> 8A45 FF mov al, byte ptr [ebp-1] ; al = result (1 = accepted); length-mismatch path lands here with 0
0046A4D8 |. 8BE5 mov esp, ebp
0046A4DA |. 5D pop ebp
0046A4DB \. C3 retn
根据以上分析,注册码虽然须为14位,但因为实际判别的只有7位,因此可以构造注册码为“4d612vh66i7uhi”。
该程序只是简单选取注册码中的若干位做比较判断,还比较简单,呵呵,适合我这样的菜鸟学习。
[ 本帖最后由 云飘飘 于 2008-4-25 22:39 编辑 ]