优点
搭配 Fences 使用: Fences 把快捷键组织在一起, Desktop Icon Toy 允许仅仅针对 桌面快捷键 单击即运行 (https://forums.stardock.com/378677).
下载链接 http://idesksoft.com/download.html
KeyGen
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/*
 * Reads one line (the name) from stdin and prints the name together with a
 * number derived from it. The number is the sum of up to nine leading bytes
 * of the name, XORed with the two constants that also appear at 0040BBCC and
 * 0040BC16 in the disassembly on this page.
 *
 * NOTE(review): the printed value is a pure function of the name and of two
 * constants stored in the client binary; no secret enters the computation.
 * A licence check of this shape cannot distinguish a vendor-issued serial
 * from a self-computed one. Verifying an asymmetric signature over the name
 * (public key in the client, private key kept by the vendor) removes that
 * property.
 *
 * Always returns EXIT_SUCCESS; prints nothing when stdin yields no line.
 */
int main(void) {
#define MAXLINE 256
/* Zero-initialised, so every byte after the text that fgets stores is NUL. */
char line[MAXLINE] = {0};
char *name = line;
long name_len = 0, name_sum = 0, i;
if (fgets(line, MAXLINE, stdin) != NULL) {
/* Cut the line at the first CR or LF. */
name_len = strcspn(line, "\r\n");
line[name_len] = 0;
/* Visit at most nine leading bytes of the name. */
for (i = 0; i < 9; i++) {
/* Any byte below 'A' ends the loop; that includes the NUL terminator. */
if (line[i] < 'A')
break;
/* The buffer is changed in place, so the name printed below shows the
   adjusted bytes rather than the text as typed. */
if (line[i] >= 'Z')
line[i] = line[i] - 0x20;
name_sum += line[i];
}
/* The two fixed constants from the disassembled routines. */
name_sum ^= 0x24681357;
name_sum ^= 0x13572468;
printf("name: [%s].\n", name);
printf("key: [%ld].\n", name_sum);
}
return EXIT_SUCCESS;
}
分析
无壳, 查找字符串下断, 单步观察
00410361 |. E8 3C280200 CALL <JMP.&MFC42u.#6279>
; Excerpt that starts and ends in the middle of a routine.
; Visible steps: the name and the serial are passed to MFC42u ordinal #6399
; together with the strings "Settings"/"User Name" and "Settings"/"Serial Number";
; both are compared (wcscmp) with the values of the previous attempt;
; otherwise 0040BC20 is called and a non-zero result leads to the
; "registered successfully" message.
00410366 |. A1 188A4400 MOV EAX, DWORD PTR DS:[448A18] ; EAX = global [448A18], string pointer to the registration name
0041036B |. B9 D0884400 MOV ECX, DesktopI.004488D0
00410370 |. 50 PUSH EAX
00410371 |. 68 8C464400 PUSH DesktopI.0044468C ; User Name
00410376 |. 68 DC244400 PUSH DesktopI.004424DC ; Settings
0041037B |. E8 A8260200 CALL <JMP.&MFC42u.#6399>
00410380 |. 8B0D 1C8A4400 MOV ECX, DWORD PTR DS:[448A1C] ; ECX = global [448A1C], string pointer to the entered serial
00410386 |. 51 PUSH ECX
00410387 |. 68 5C3F4400 PUSH DesktopI.00443F5C ; Serial Number
0041038C |. 68 DC244400 PUSH DesktopI.004424DC ; Settings
00410391 |. B9 D0884400 MOV ECX, DesktopI.004488D0
00410396 |. E8 8D260200 CALL <JMP.&MFC42u.#6399>
0041039B |. 8B5424 10 MOV EDX, DWORD PTR SS:[ESP+10] ; EDX = [ESP+10], string pointer to the registration name
0041039F |. A1 188A4400 MOV EAX, DWORD PTR DS:[448A18] ; EAX = global [448A18], string pointer to the registration name
004103A4 |. 8B2D CC774300 MOV EBP, DWORD PTR DS:[<&MSVCRT.wcscmp>] ; EBP = address of msvcrt wcscmp, read from the import entry
004103AA |. 52 PUSH EDX ; /wstr2 = "chinapyg"
004103AB |. 50 PUSH EAX ; |wstr1 = 00000001 ???
004103AC |. FFD5 CALL NEAR EBP ; \wcscmp
004103AE |. 83C4 08 ADD ESP, 8
004103B1 |. 85C0 TEST EAX, EAX ; EAX = 0 if the user name equals the one from the previous attempt
004103B3 |. 75 19 JNZ SHORT DesktopI.004103CE
004103B5 |. 8B4C24 24 MOV ECX, DWORD PTR SS:[ESP+24] ; ECX = [ESP+24], string pointer to the newly entered serial
004103B9 |. 8B15 1C8A4400 MOV EDX, DWORD PTR DS:[448A1C] ; EDX = global [448A1C], string pointer to the previously entered serial
004103BF |. 51 PUSH ECX
004103C0 |. 52 PUSH EDX
004103C1 |. FFD5 CALL NEAR EBP ; msvcrt.wcscmp
004103C3 |. 83C4 08 ADD ESP, 8
004103C6 |. 85C0 TEST EAX, EAX ; EAX = 0 if the serial also equals the previous attempt's; when both match, jump (purpose not determined)
004103C8 |. 0F84 DA010000 JE DesktopI.004105A8
004103CE |> 51 PUSH ECX
004103CF |. 8BCC MOV ECX, ESP
004103D1 |. 896424 18 MOV DWORD PTR SS:[ESP+18], ESP
004103D5 |. 68 1C8A4400 PUSH DesktopI.00448A1C
004103DA |. E8 09270200 CALL <JMP.&MFC42u.#535>
004103DF |. 51 PUSH ECX
004103E0 |. C68424 14120000 1F MOV BYTE PTR SS:[ESP+1214], 1F
004103E8 |. 8BCC MOV ECX, ESP
004103EA |. 896424 28 MOV DWORD PTR SS:[ESP+28], ESP
004103EE |. 68 188A4400 PUSH DesktopI.00448A18 ; ASCII "PG9"
004103F3 |. E8 F0260200 CALL <JMP.&MFC42u.#535>
004103F8 |. C68424 14120000 1E MOV BYTE PTR SS:[ESP+1214], 1E
00410400 |. E8 1BB8FFFF CALL DesktopI.0040BC20 ; the top two stack items are the registration name and the entered serial
00410405 |. 83C4 08 ADD ESP, 8
00410408 |. 85C0 TEST EAX, EAX
0041040A |. 0F84 CC000000 JE DesktopI.004104DC
00410410 |. 8D4C24 1C LEA ECX, DWORD PTR SS:[ESP+1C]
00410414 |. E8 27260200 CALL <JMP.&MFC42u.#540>
00410419 |. 51 PUSH ECX
0041041A |. C68424 10120000 20 MOV BYTE PTR SS:[ESP+1210], 20
00410422 |. 8BCC MOV ECX, ESP
00410424 |. 896424 18 MOV DWORD PTR SS:[ESP+18], ESP
00410428 |. 68 88504400 PUSH DesktopI.00445088 ; Thank you for using Desktop Icon Toy, registered successfully, please restart!
; 0040BC20: registration check. Calls 0040BB80 on the registration name and
; 0040BBE0 on the entered serial, compares the two results, and on equality
; compares the name (wcscmp) with strings built into the program.
; The listing stops at 0040BCAA; the rest of the routine, including the jump
; targets 0040BD17 and 0040BD1B, is not shown.
; NOTE(review): both sides of the CMP at 0040BC70 are computed from
; user-supplied strings and constants stored in the binary; no key or
; server-side state appears in the visible code. A licence format verified
; with an asymmetric signature keeps the signing secret out of the client.
0040BC20 /$ 6A FF PUSH -1 ; local calls from 0040D180, 00410400; presumably the button-click registration check and the start-up registration check
0040BC22 |. 68 B0424300 PUSH DesktopI.004342B0 ; SE handler installation
0040BC27 |. 64:A1 00000000 MOV EAX, DWORD PTR FS:[0]
0040BC2D |. 50 PUSH EAX
0040BC2E |. 64:8925 00000000 MOV DWORD PTR FS:[0], ESP
0040BC35 |. 51 PUSH ECX
0040BC36 |. 53 PUSH EBX
0040BC37 |. 56 PUSH ESI
0040BC38 |. 51 PUSH ECX
0040BC39 |. 8D4424 20 LEA EAX, DWORD PTR SS:[ESP+20]
0040BC3D |. 8BCC MOV ECX, ESP
0040BC3F |. 896424 0C MOV DWORD PTR SS:[ESP+C], ESP ; [ESP]+C is the string pointer to the registration name (try "d [esp]+C"), EDX-C is the string pointer to the entered serial
0040BC43 |. 50 PUSH EAX
0040BC44 |. C74424 1C 01000000 MOV DWORD PTR SS:[ESP+1C], 1
0040BC4C |. E8 976E0200 CALL <JMP.&MFC42u.#535> ; after the CALL, [EAX] is the string pointer to the registration name
0040BC51 |. E8 2AFFFFFF CALL DesktopI.0040BB80
0040BC56 |. 8D5424 24 LEA EDX, DWORD PTR SS:[ESP+24] ; [EDX] holds the entered serial
0040BC5A |. 8BCC MOV ECX, ESP ; [ECX] holds the registration name
0040BC5C |. 896424 0C MOV DWORD PTR SS:[ESP+C], ESP
0040BC60 |. 52 PUSH EDX
0040BC61 |. 8BF0 MOV ESI, EAX
0040BC63 |. E8 806E0200 CALL <JMP.&MFC42u.#535>
0040BC68 |. E8 73FFFFFF CALL DesktopI.0040BBE0
0040BC6D |. 83C4 04 ADD ESP, 4
0040BC70 |. 3BF0 CMP ESI, EAX ; compare the value computed from the registration name with the one computed from the entered serial; if equal, the name is further checked against entries built into the program (to block free licences)
0040BC72 |. 74 0A JE SHORT DesktopI.0040BC7E
0040BC74 |. C64424 14 00 MOV BYTE PTR SS:[ESP+14], 0
0040BC79 |. E9 9D000000 JMP DesktopI.0040BD1B
0040BC7E |> 8B4424 1C MOV EAX, DWORD PTR SS:[ESP+1C]
0040BC82 |. 8B35 CC774300 MOV ESI, DWORD PTR DS:[<&MSVCRT.wcscmp>] ; ESI = address of msvcrt wcscmp, read from the import entry
0040BC88 |. 68 0C3F4400 PUSH DesktopI.00443F0C ; / second wcscmp argument: a built-in e-mail address, masked on this page by the site's e-mail protection
0040BC8D |. 50 PUSH EAX ; |wstr1 = 00000001 ???
0040BC8E |. FFD6 CALL NEAR ESI ; \wcscmp
0040BC90 |. 33DB XOR EBX, EBX
0040BC92 |. 83C4 08 ADD ESP, 8
0040BC95 |. 3BC3 CMP EAX, EBX
0040BC97 |. 74 7E JE SHORT DesktopI.0040BD17
0040BC99 |. 8B4C24 1C MOV ECX, DWORD PTR SS:[ESP+1C]
0040BC9D |? 68 D43E4400 PUSH DesktopI.00443ED4 ; another built-in e-mail address, likewise masked by the site's e-mail protection
0040BCA2 |? 51 PUSH ECX
0040BCA3 |? FFD6 CALL NEAR ESI
0040BCA5 |. 83C4 08 ADD ESP, 8
0040BCA8 |. 3BC3 CMP EAX, EBX
0040BCAA |. 74 6B JE SHORT DesktopI.0040BD17
; 0040BB80: folds the registration name into one 32-bit value.
; Walks the name as 16-bit characters, adds each character to EDI (values
; outside A-Z have 0x20 subtracted first), leaves the loop at the first
; character below 'A' or at the index bound, then returns EDI XOR 0x24681357
; in EAX. Every input to the result is the name itself or a constant.
0040BB80 /$ 8B4424 04 MOV EAX, DWORD PTR SS:[ESP+4] ; EAX = [ESP+4], string pointer to the registration name
0040BB84 |. 56 PUSH ESI
0040BB85 |. 57 PUSH EDI
0040BB86 |. 33FF XOR EDI, EDI
0040BB88 |. 8B70 F8 MOV ESI, DWORD PTR DS:[EAX-8] ; ESI = length of the registration name (does the C++ string keep its length in the 1st DWORD and the characters from the 3rd DWORD on?)
0040BB8B |. 33C9 XOR ECX, ECX ; clear ECX
0040BB8D |. 85F6 TEST ESI, ESI
0040BB8F |. 7E 2F JLE SHORT DesktopI.0040BBC0
0040BB91 |. 8BD0 MOV EDX, EAX ; EDX = EAX, string pointer to the registration name
0040BB93 |> 83F9 09 /CMP ECX, 9
0040BB96 |. 7F 28 |JG SHORT DesktopI.0040BBC0 ; only the leading part of the registration name is summed (bound set by the CMP above)
0040BB98 |. 66:8B02 |MOV AX, WORD PTR DS:[EDX]
0040BB9B |. 66:3D 4100 |CMP AX, 41
0040BB9F |. 72 1F |JB SHORT DesktopI.0040BBC0 ; leave the loop at the first character of the name that is below 'A'
0040BBA1 |. 66:3D 5A00 |CMP AX, 5A
0040BBA5 |. 76 0A |JBE SHORT DesktopI.0040BBB1
0040BBA7 |. 25 FFFF0000 |AND EAX, 0FFFF
0040BBAC |. 83E8 20 |SUB EAX, 20 ; outside [A-Z]: convert lower case to upper case
0040BBAF |. EB 05 |JMP SHORT DesktopI.0040BBB6
0040BBB1 |> 25 FFFF0000 |AND EAX, 0FFFF
0040BBB6 |> 03F8 |ADD EDI, EAX ; accumulate
0040BBB8 |. 41 |INC ECX
0040BBB9 |. 83C2 02 |ADD EDX, 2 ; UNICODE: advance by one 2-byte character
0040BBBC |. 3BCE |CMP ECX, ESI
0040BBBE |.^ 7C D3 \JL SHORT DesktopI.0040BB93
0040BBC0 |> 8D4C24 0C LEA ECX, DWORD PTR SS:[ESP+C]
0040BBC4 |. E8 F36D0200 CALL <JMP.&MFC42u.#800>
0040BBC9 |. 8BC7 MOV EAX, EDI
0040BBCB |. 5F POP EDI ; 00397898
0040BBCC |. 35 57136824 XOR EAX, 24681357 ; XOR the result with 0x24681357, leaving it in EAX
0040BBD1 |. 5E POP ESI ; 00397898
0040BBD2 \. C3 RETN
; 0040BBE0: converts the entered serial to a 32-bit value.
; Walks up to nine 16-bit characters, each step computing
; ESI = ESI*10 + character - 0x30, then returns ESI XOR 0x13572468 in EAX.
; No check that the characters are decimal digits is visible in this routine.
0040BBE0 /$ 8B4C24 04 MOV ECX, DWORD PTR SS:[ESP+4] ; ECX = string pointer to the entered serial
0040BBE4 |. 56 PUSH ESI
0040BBE5 |. 33F6 XOR ESI, ESI
0040BBE7 |. 33C0 XOR EAX, EAX
0040BBE9 |. 8B51 F8 MOV EDX, DWORD PTR DS:[ECX-8] ; EDX = length of the entered serial
0040BBEC |. 57 PUSH EDI
0040BBED |. 85D2 TEST EDX, EDX
0040BBEF |. 7E 19 JLE SHORT DesktopI.0040BC0A
0040BBF1 |> 83F8 09 /CMP EAX, 9
0040BBF4 |. 7D 14 |JGE SHORT DesktopI.0040BC0A
0040BBF6 |. 33FF |XOR EDI, EDI
0040BBF8 |. 8D34B6 |LEA ESI, DWORD PTR DS:[ESI+ESI*4] ; ESI'' = ESI' * 5
0040BBFB |. 66:8B39 |MOV DI, WORD PTR DS:[ECX] ; note the WORD PTR: the loop walks the UNICODE characters one at a time
0040BBFE |. 40 |INC EAX
0040BBFF |. 83C1 02 |ADD ECX, 2
0040BC02 |. 3BC2 |CMP EAX, EDX
0040BC04 |. 8D7477 D0 |LEA ESI, DWORD PTR DS:[EDI+ESI*2-30] ; ESI''' = ESI''*2, i.e. ESI'*10, + character code - 0x30 ('0'); in effect atoi
0040BC08 |.^ 7C E7 \JL SHORT DesktopI.0040BBF1
0040BC0A |> 8D4C24 0C LEA ECX, DWORD PTR SS:[ESP+C]
0040BC0E |. E8 A96D0200 CALL <JMP.&MFC42u.#800>
0040BC13 |. 8BC6 MOV EAX, ESI ; EAX = ESI = value computed from the entered serial
0040BC15 |. 5F POP EDI ;
0040BC16 |. 35 68245713 XOR EAX, 13572468 ; then XOR with 13572468
0040BC1B |. 5E POP ESI ;
0040BC1C \. C3 RETN