[Original] E-language 桃木剑 (Peachwood Sword) series software: 乾坤六十四卦 (Qiankun 64 Hexagrams) V2.01 algorithm analysis
【Write-up title】E-language 桃木剑 series software: 乾坤六十四卦 V2.01 algorithm analysis
【Author】CDboy
【Author e-mail】cdboy_cn@yahoo.com.cn
【Tools used】二哥's modified OD (OllyDbg), PEiD
【Software name】桃木剑 series software: 乾坤六十四卦 V2.01
【Download】http://www.skycn.com/soft/14810.html
【Protection】Feature limitation
【Software language】E-language (易语言)
【Software description】Fortune-telling
【Statement】A newbie learning the craft, nothing more
【Process】
At 二哥's request I went looking for something written in E-language; I was still wondering where to find one when one landed right on my doorstep, hehe ^_^
PEiD can't identify it, but there's a file named krnln.fnr in the install directory.
Load it in OD:
00401000 >/$ E8 06000000 CALL tmjqk64g.0040100B
00401005 |. 50 PUSH EAX ; /ExitCode
00401006 \. E8 BB010000 CALL <JMP.&KERNEL32.ExitProcess> ; \ExitProcess
0040100B /$ 55 PUSH EBP
0040100C |. 8BEC MOV EBP,ESP
0040100E |. 81C4 F0FEFFFF ADD ESP,-110
00401014 |. E9 83000000 JMP tmjqk64g.0040109C
00401019 |. 6B 72 6E 6C 6>ASCII "krnln.fnr",0
00401023 |. 6B 72 6E 6C 6>ASCII "krnln.fne",0
0040102D |. 47 65 74 4E 6>ASCII "GetNewSock",0
00401038 |. 53 6F 66 74 7>ASCII "Software\FlySky\"
00401048 |. 45 5C 49 6E 7>ASCII "E\Install",0
00401052 |. 50 61 74 68 0>ASCII "Path",0
00401057 |. 4E 6F 74 20 6>ASCII "Not found the ke"
00401067 |. 72 6E 65 6C 2>ASCII "rnel library or "
00401077 |. 74 68 65 20 6>ASCII "the kernel libra"
00401087 |. 72 79 20 69 7>ASCII "ry is invalid!",0
00401096 |. 45 72 72 6F 7>ASCII "Error",0
This is the typical E-language entry stub (note the krnln.fnr / krnln.fne strings), so it's definitely an E-language program (you could actually have guessed that from the installer UI alone).
F9 to run, click Register; machine code 2244616410, registration code 123456.
Alt+M to open the memory map:
Memory map, item 36
Address=00403000
Size=00080000 (524288.)
Owner=tmjqk64g 00400000
Section=.ecode //set a breakpoint here with F2; in a moment it will break right in the core code
Type=Imag 01001002
Access=R
Initial access=RWE
It breaks immediately at:
00481882 55 PUSH EBP //the music is quite nice, by the way
00481883 8BEC MOV EBP,ESP
00481885 81EC 30000000 SUB ESP,30
0048188B 68 04000080 PUSH 80000004
00481890 6A 00 PUSH 0
00481892 68 5E754100 PUSH tmjqk64g.0041755E
00481897 68 01000000 PUSH 1
0048189C BB 58050000 MOV EBX,558
004818A1 E8 120B0000 CALL tmjqk64g.004823B8
004818A6 83C4 10 ADD ESP,10
004818A9 68 00000000 PUSH 0
004818AE BB 40060000 MOV EBX,640
004818B3 E8 000B0000 CALL tmjqk64g.004823B8
004818B8 83C4 04 ADD ESP,4
004818BB 68 01030080 PUSH 80000301
004818C0 6A 00 PUSH 0
004818C2 68 01000000 PUSH 1
004818C7 68 01000000 PUSH 1
004818CC BB 20060000 MOV EBX,620
004818D1 E8 E20A0000 CALL tmjqk64g.004823B8 //get the first 5 digits of the machine code, returned as a number
004818D6 83C4 10 ADD ESP,10 //EAX=first 5 digits of the machine code in hex=57AE (22446 decimal)
004818D9 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004818DC 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
004818DF 894D FC MOV DWORD PTR SS:[EBP-4],ECX //ECX=80000401, a constant returned alongside the machine code; it is a type tag, and the code below dispatches on it
004818E2 6A FF PUSH -1
004818E4 6A 08 PUSH 8
004818E6 68 A8000116 PUSH 160100A8
004818EB 68 01000152 PUSH 52010001
004818F0 E8 CF0A0000 CALL tmjqk64g.004823C4 //read the entered (fake) code from the edit control
004818F5 83C4 10 ADD ESP,10
004818F8 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX //pointer to the entered code saved at [EBP-10], i.e. 12F738
004818FB 68 01030080 PUSH 80000301
00481900 6A 00 PUSH 0
00481902 68 06000000 PUSH 6
00481907 68 04000080 PUSH 80000004
0048190C 6A 00 PUSH 0
0048190E 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] //load [EBP-10] into EAX
00481911 85C0 TEST EAX,EAX
00481913 75 05 JNZ SHORT tmjqk64g.0048191A
00481915 B8 E44E4000 MOV EAX,tmjqk64g.00404EE4
0048191A 50 PUSH EAX //push the entered code
0048191B 68 02000000 PUSH 2
00481920 BB 34010000 MOV EBX,134
00481925 E8 8E0A0000 CALL tmjqk64g.004823B8 //take the left 6 characters of the entered code (the 6 pushed above is the length)
0048192A 83C4 1C ADD ESP,1C
0048192D 8945 EC MOV DWORD PTR SS:[EBP-14],EAX //left 6 characters of the code stored at [EBP-14]
00481930 8B5D F0 MOV EBX,DWORD PTR SS:[EBP-10] //original entered code back into EBX
00481933 85DB TEST EBX,EBX
00481935 74 09 JE SHORT tmjqk64g.00481940
00481937 53 PUSH EBX
00481938 E8 6F0A0000 CALL tmjqk64g.004823AC
0048193D 83C4 04 ADD ESP,4
00481940 68 04000080 PUSH 80000004
00481945 6A 00 PUSH 0
00481947 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] //EAX=[EBP-14]=left 6 characters of the code
0048194A 85C0 TEST EAX,EAX
0048194C 75 05 JNZ SHORT tmjqk64g.00481953
0048194E B8 E44E4000 MOV EAX,tmjqk64g.00404EE4
00481953 50 PUSH EAX
00481954 68 01000000 PUSH 1
00481959 BB 64010000 MOV EBX,164
0048195E E8 550A0000 CALL tmjqk64g.004823B8
00481963 83C4 10 ADD ESP,10
00481966 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00481969 8955 E8 MOV DWORD PTR SS:[EBP-18],EDX
0048196C 8B5D EC MOV EBX,DWORD PTR SS:[EBP-14]
0048196F 85DB TEST EBX,EBX
00481971 74 09 JE SHORT tmjqk64g.0048197C
00481973 53 PUSH EBX
00481974 E8 330A0000 CALL tmjqk64g.004823AC //lots of floating-point arithmetic follows
00481979 83C4 04 ADD ESP,4
0048197C DD45 E4 FLD QWORD PTR SS:[EBP-1C] //load the left 6 digits of the code, now a double, from [EBP-1C]
0048197F DC35 15764100 FDIV QWORD PTR DS:[417615] //divide by 5
00481985 DD5D DC FSTP QWORD PTR SS:[EBP-24] //pop the result into [EBP-24]
00481988 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0048198B 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0048198E 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] //EAX=[EBP-C]=57AE
00481991 81F9 01010080 CMP ECX,80000101 //compare ECX with 80000101
00481997 75 07 JNZ SHORT tmjqk64g.004819A0 //taken
00481999 25 FF000000 AND EAX,0FF
0048199E EB 26 JMP SHORT tmjqk64g.004819C6
004819A0 81F9 01020080 CMP ECX,80000201 //compare ECX with 80000201
004819A6 75 03 JNZ SHORT tmjqk64g.004819AB //taken
004819A8 98 CWDE
004819A9 EB 1B JMP SHORT tmjqk64g.004819C6
004819AB 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
004819AE 81F9 01030080 CMP ECX,80000301 //compare ECX with 80000301
004819B4 74 13 JE SHORT tmjqk64g.004819C9 //not taken
004819B6 81F9 01040080 CMP ECX,80000401 //compare ECX with 80000401 (ECX is 80000401)
004819BC 75 10 JNZ SHORT tmjqk64g.004819CE //not taken
004819BE 8955 D8 MOV DWORD PTR SS:[EBP-28],EDX
004819C1 DF6D D4 FILD QWORD PTR SS:[EBP-2C] //load 57AE as a 64-bit integer
004819C4 EB 2A JMP SHORT tmjqk64g.004819F0 //taken
004819C6 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
004819C9 DB45 D4 FILD DWORD PTR SS:[EBP-2C]
004819CC EB 22 JMP SHORT tmjqk64g.004819F0
004819CE 81F9 01050080 CMP ECX,80000501
004819D4 75 05 JNZ SHORT tmjqk64g.004819DB
004819D6 D945 D4 FLD DWORD PTR SS:[EBP-2C]
004819D9 EB 15 JMP SHORT tmjqk64g.004819F0
004819DB 81F9 01060080 CMP ECX,80000601
004819E1 74 16 JE SHORT tmjqk64g.004819F9
004819E3 68 02000000 PUSH 2
004819E8 E8 DD090000 CALL tmjqk64g.004823CA
004819ED 83C4 04 ADD ESP,4
004819F0 DD5D D4 FSTP QWORD PTR SS:[EBP-2C] //pop 57AE, i.e. 22446 decimal, as a double into [EBP-2C]
004819F3 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004819F6 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
004819F9 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
004819FC 8955 D8 MOV DWORD PTR SS:[EBP-28],EDX
004819FF DD45 D4 FLD QWORD PTR SS:[EBP-2C] //load the first 5 digits of the machine code, 22446
00481A02 DC65 DC FSUB QWORD PTR SS:[EBP-24] //subtract [EBP-24], i.e. (left 6 digits of the code)/5
00481A05 D9E4 FTST //compare with zero
00481A07 DFE0 FSTSW AX //status word into AX
00481A09 F6C4 01 TEST AH,1 //C0 set means the difference is negative
00481A0C 74 02 JE SHORT tmjqk64g.00481A10 //skip FCHS when non-negative; this pair just takes the absolute value, so it does not matter which way it goes
00481A0E D9E0 FCHS //flip the sign
00481A10 DC1D 05764100 FCOMP QWORD PTR DS:[417605] //compare |difference| with the double at [417605]
00481A16 DFE0 FSTSW AX
00481A18 F6C4 41 TEST AH,41 //C0 or C3: set when |difference| is below or equal to that constant
00481A1B B8 00000000 MOV EAX,0 //EAX=0
00481A20 0F95C0 SETNE AL //AL=1 if ZF=0, i.e. the two values match; AL=0 otherwise
This part says: (left 6 digits of the code)/5 minus (first 5 digits of the machine code) must equal zero.
00481A23 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX //[EBP-30]=EAX
00481A26 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] //[EBP-4]=80000401
00481A29 81F9 04000080 CMP ECX,80000004
00481A2F 74 0C JE SHORT tmjqk64g.00481A3D
00481A31 81F9 05000080 CMP ECX,80000005
00481A37 0F85 10000000 JNZ tmjqk64g.00481A4D
00481A3D 8B5D F4 MOV EBX,DWORD PTR SS:[EBP-C]
00481A40 85DB TEST EBX,EBX
00481A42 74 09 JE SHORT tmjqk64g.00481A4D
00481A44 53 PUSH EBX
00481A45 E8 62090000 CALL tmjqk64g.004823AC
00481A4A 83C4 04 ADD ESP,4
00481A4D 837D D0 00 CMP DWORD PTR SS:[EBP-30],0 //nonzero [EBP-30] means the first check passed
00481A51 0F84 86030000 JE tmjqk64g.00481DDD //key jump 1: if it is zero the jump is taken and it's over
00481A57 68 01030080 PUSH 80000301
00481A5C 6A 00 PUSH 0
00481A5E 68 04000000 PUSH 4
00481A63 68 01000000 PUSH 1
00481A68 BB 20060000 MOV EBX,620
00481A6D E8 46090000 CALL tmjqk64g.004823B8 //get the last 5 digits of the machine code: 16410 = 401A hex
00481A72 83C4 10 ADD ESP,10
00481A75 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX //into [EBP-C]
00481A78 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00481A7B 894D FC MOV DWORD PTR SS:[EBP-4],ECX //[EBP-4]=ECX, the same type constant as before
00481A7E 6A FF PUSH -1
00481A80 6A 08 PUSH 8
00481A82 68 A8000116 PUSH 160100A8
00481A87 68 01000152 PUSH 52010001
00481A8C E8 33090000 CALL tmjqk64g.004823C4 //read the registration code again
00481A91 83C4 10 ADD ESP,10
00481A94 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX //registration code into [EBP-10]
00481A97 68 01030080 PUSH 80000301
00481A9C 6A 00 PUSH 0
00481A9E 68 06000000 PUSH 6
00481AA3 68 04000080 PUSH 80000004
00481AA8 6A 00 PUSH 0
00481AAA 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00481AAD 85C0 TEST EAX,EAX
00481AAF 75 05 JNZ SHORT tmjqk64g.00481AB6
00481AB1 B8 E44E4000 MOV EAX,tmjqk64g.00404EE4
00481AB6 50 PUSH EAX
00481AB7 68 02000000 PUSH 2
00481ABC BB 38010000 MOV EBX,138
00481AC1 E8 F2080000 CALL tmjqk64g.004823B8 //take the right 6 characters of the registration code
00481AC6 83C4 1C ADD ESP,1C
00481AC9 8945 EC MOV DWORD PTR SS:[EBP-14],EAX //into [EBP-14]
00481ACC 8B5D F0 MOV EBX,DWORD PTR SS:[EBP-10]
00481ACF 85DB TEST EBX,EBX
00481AD1 74 09 JE SHORT tmjqk64g.00481ADC
00481AD3 53 PUSH EBX
00481AD4 E8 D3080000 CALL tmjqk64g.004823AC
00481AD9 83C4 04 ADD ESP,4
00481ADC 68 04000080 PUSH 80000004
00481AE1 6A 00 PUSH 0
00481AE3 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] //EAX=[EBP-14]=right 6 characters of the code
00481AE6 85C0 TEST EAX,EAX
00481AE8 75 05 JNZ SHORT tmjqk64g.00481AEF
00481AEA B8 E44E4000 MOV EAX,tmjqk64g.00404EE4
00481AEF 50 PUSH EAX
00481AF0 68 01000000 PUSH 1
00481AF5 BB 64010000 MOV EBX,164
00481AFA E8 B9080000 CALL tmjqk64g.004823B8
00481AFF 83C4 10 ADD ESP,10
00481B02 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00481B05 8955 E8 MOV DWORD PTR SS:[EBP-18],EDX
00481B08 8B5D EC MOV EBX,DWORD PTR SS:[EBP-14] //EBX=[EBP-14]
00481B0B 85DB TEST EBX,EBX
00481B0D 74 09 JE SHORT tmjqk64g.00481B18
00481B0F 53 PUSH EBX //presumably releases the temporary string (same helper called after each text operation above)
00481B10 E8 97080000 CALL tmjqk64g.004823AC
00481B15 83C4 04 ADD ESP,4
00481B18 DD45 E4 FLD QWORD PTR SS:[EBP-1C] //load the right 6 digits of the code as a double
00481B1B DC35 15764100 FDIV QWORD PTR DS:[417615] //divide by 5
00481B21 DD5D DC FSTP QWORD PTR SS:[EBP-24] //pop the result
00481B24 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
00481B27 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00481B2A 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] //EAX=[EBP-C]=401A
00481B2D 81F9 01010080 CMP ECX,80000101 //compare ECX
00481B33 75 07 JNZ SHORT tmjqk64g.00481B3C //taken
00481B35 25 FF000000 AND EAX,0FF
00481B3A EB 26 JMP SHORT tmjqk64g.00481B62
00481B3C 81F9 01020080 CMP ECX,80000201 //compare ECX
00481B42 75 03 JNZ SHORT tmjqk64g.00481B47 //taken
00481B44 98 CWDE
00481B45 EB 1B JMP SHORT tmjqk64g.00481B62
00481B47 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX //[EBP-2C]=EAX=401A
00481B4A 81F9 01030080 CMP ECX,80000301 //compare ECX
00481B50 74 13 JE SHORT tmjqk64g.00481B65 //not taken
00481B52 81F9 01040080 CMP ECX,80000401 //compare ECX
00481B58 75 10 JNZ SHORT tmjqk64g.00481B6A //not taken
00481B5A 8955 D8 MOV DWORD PTR SS:[EBP-28],EDX
00481B5D DF6D D4 FILD QWORD PTR SS:[EBP-2C] //load [EBP-2C]=401A as a 64-bit integer
00481B60 EB 2A JMP SHORT tmjqk64g.00481B8C //taken
00481B62 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
00481B65 DB45 D4 FILD DWORD PTR SS:[EBP-2C]
00481B68 EB 22 JMP SHORT tmjqk64g.00481B8C
00481B6A 81F9 01050080 CMP ECX,80000501
00481B70 75 05 JNZ SHORT tmjqk64g.00481B77
00481B72 D945 D4 FLD DWORD PTR SS:[EBP-2C]
00481B75 EB 15 JMP SHORT tmjqk64g.00481B8C
00481B77 81F9 01060080 CMP ECX,80000601
00481B7D 74 16 JE SHORT tmjqk64g.00481B95
00481B7F 68 02000000 PUSH 2
00481B84 E8 41080000 CALL tmjqk64g.004823CA
00481B89 83C4 04 ADD ESP,4
00481B8C DD5D D4 FSTP QWORD PTR SS:[EBP-2C] //pop [EBP-2C], 16410 in decimal, as a double
00481B8F 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
00481B92 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
00481B95 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
00481B98 8955 D8 MOV DWORD PTR SS:[EBP-28],EDX
00481B9B DD45 D4 FLD QWORD PTR SS:[EBP-2C]
00481B9E DC65 DC FSUB QWORD PTR SS:[EBP-24] //16410 minus [EBP-24], i.e. (last 5 digits of the machine code) minus (right 6 digits of the code)/5
00481BA1 D9E4 FTST //compare with 0
00481BA3 DFE0 FSTSW AX //status word into AX
00481BA5 F6C4 01 TEST AH,1
00481BA8 74 02 JE SHORT tmjqk64g.00481BAC
00481BAA D9E0 FCHS
00481BAC DC1D 05764100 FCOMP QWORD PTR DS:[417605]
00481BB2 DFE0 FSTSW AX
00481BB4 F6C4 41 TEST AH,41 //C0 or C3, exactly as in the first check
00481BB7 B8 00000000 MOV EAX,0 //EAX=0
00481BBC 0F95C0 SETNE AL //AL=1 if ZF=0, i.e. the values match; AL=0 otherwise
Here we can see this part is compared the same way as above: (right 6 digits of the code)/5 minus (last 5 digits of the machine code) must also equal zero. So the algorithm is out ^_^
00481BBF 8945 D0 MOV DWORD PTR SS:[EBP-30],EAX //[EBP-30]=EAX
00481BC2 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
00481BC5 81F9 04000080 CMP ECX,80000004
00481BCB 74 0C JE SHORT tmjqk64g.00481BD9
00481BCD 81F9 05000080 CMP ECX,80000005
00481BD3 0F85 10000000 JNZ tmjqk64g.00481BE9
00481BD9 8B5D F4 MOV EBX,DWORD PTR SS:[EBP-C]
00481BDC 85DB TEST EBX,EBX
00481BDE 74 09 JE SHORT tmjqk64g.00481BE9
00481BE0 53 PUSH EBX
00481BE1 E8 C6070000 CALL tmjqk64g.004823AC
00481BE6 83C4 04 ADD ESP,4
00481BE9 837D D0 00 CMP DWORD PTR SS:[EBP-30],0
00481BED 0F84 71010000 JE tmjqk64g.00481D64 //if taken, it's over
......some code omitted
00481C6B BB 24060000 MOV EBX,624
00481C70 E8 43070000 CALL tmjqk64g.004823B8
00481C75 83C4 1C ADD ESP,1C
00481C78 68 04000080 PUSH 80000004
00481C7D 6A 00 PUSH 0
00481C7F 68 1D764100 PUSH tmjqk64g.0041761D
00481C84 68 01030080 PUSH 80000301
00481C89 6A 00 PUSH 0
00481C8B 68 00000000 PUSH 0
00481C90 68 04000080 PUSH 80000004
00481C95 6A 00 PUSH 0
00481C97 68 28764100 PUSH tmjqk64g.00417628
00481C9C 68 03000000 PUSH 3
00481CA1 BB 00030000 MOV EBX,300
00481CA6 E8 0D070000 CALL tmjqk64g.004823B8 //this pops up the success message
......some code omitted
00481DDD 68 04000080 PUSH 80000004 //the failure jump lands here
00481DE2 6A 00 PUSH 0
00481DE4 68 BE764100 PUSH tmjqk64g.004176BE
00481DE9 68 01030080 PUSH 80000301
00481DEE 6A 00 PUSH 0
00481DF0 68 00000000 PUSH 0
00481DF5 68 04000080 PUSH 80000004
00481DFA 6A 00 PUSH 0
00481DFC 68 C9764100 PUSH tmjqk64g.004176C9
00481E01 68 03000000 PUSH 3
00481E06 BB 00030000 MOV EBX,300
00481E0B E8 A8050000 CALL tmjqk64g.004823B8 //this pops up the error message box
Algorithm summary:
(left 6 digits of the registration code)/5 minus (first 5 digits of the machine code) must equal zero, and
(right 6 digits of the registration code)/5 minus (last 5 digits of the machine code) must equal zero.
str=2244616410
Code=Left(str,5)*5 followed by Right(str,5)*5 (the two products are written one after the other, not added)
So
22446*5=112230
16410*5=82050
Machine code=2244616410
Registration code=11223082050
Note that 82050 is only 5 digits; the right-6 take still works here only because the sixth character from the end happens to be the trailing 0 of 112230. If either product has fewer than 6 digits, write it as 6 digits with leading zeros so that the left-6 and right-6 splits land on the intended halves.
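The two checks traced above (the SETNE at 00481A20 and at 00481BBC) and the keygen from this summary, written out as an added Python example; this is not the post's code nor anything from the program itself. It assumes a text-to-number conversion that parses a leading numeric prefix (0 if none) and a small tolerance for the comparison against [417605], neither of which the post pins down; the machine code 1234567890 is a constructed case showing where the unpadded formula breaks.

```python
import re

# Added example, not the post's own code: the two checks from the routine at
# 00481882 and a keygen derived from them. The post does not show the constant
# at [417605] that |difference| is compared against, so a small tolerance is
# assumed (EPS). MACHINE_CODE and POST_KEY are the values quoted in the post.

EPS = 1e-9                      # assumed tolerance for the FCOMP at 00481A10
MACHINE_CODE = "2244616410"     # machine code from the post
POST_KEY = "11223082050"        # registration code the post derived


def to_number(text: str) -> float:
    """Text-to-number as assumed for the krnln call with EBX=164:
    parse the leading numeric prefix, 0 if there is none.
    Assumption, not verified against the binary."""
    m = re.match(r"\s*[-+]?\d+(?:\.\d+)?", text)
    return float(m.group()) if m else 0.0


def check_registration(machine_code: str, code: str) -> bool:
    """Mirror of the two checks in the routine at 00481882.

    check 1: (left 6 chars of code as a number) / 5 == first 5 digits of machine code
    check 2: (right 6 chars of code as a number) / 5 == last 5 digits of machine code
    Each difference is taken in absolute value (FTST/FCHS) and compared with the
    constant at [417605]; failing either check lands on the error message box.
    """
    first5 = int(machine_code[:5])
    last5 = int(machine_code[-5:])
    left6 = to_number(code[:6])
    right6 = to_number(code[-6:])
    if abs(left6 / 5 - first5) > EPS:       # JE at 00481A51 -> 00481DDD
        return False
    return abs(right6 / 5 - last5) <= EPS   # JE at 00481BED -> 00481D64


def naive_key(machine_code: str) -> str:
    """The post's formula: Left(str,5)*5 followed by Right(str,5)*5."""
    first5 = int(machine_code[:5])
    last5 = int(machine_code[-5:])
    return f"{first5 * 5}{last5 * 5}"


def make_key(machine_code: str) -> str:
    """Same idea, but each half is zero-padded to 6 digits so the left-6 /
    right-6 split in the check always lands on the intended half. The naive
    form breaks whenever a product has fewer than 6 digits, e.g. when the
    first 5 digits of the machine code are below 20000."""
    first5 = int(machine_code[:5])
    last5 = int(machine_code[-5:])
    return f"{first5 * 5:06d}{last5 * 5:06d}"


if __name__ == "__main__":
    # 1234567890 is a constructed machine code, not one from the post
    for mc in (MACHINE_CODE, "1234567890"):
        for name, key in (("post formula", naive_key(mc)), ("zero-padded", make_key(mc))):
            print(f"{mc} {name:12s} {key:14s} -> {check_registration(mc, key)}")
```

Both keys for 2244616410 pass because 112230 ends in a 0; for 1234567890 the post's formula yields 61725339450, whose left 6 characters are 617253, and the first check fails, while the zero-padded 061725339450 passes both checks.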
After successful registration it writes two files, reg.edb and set.edb, into the install directory.
Restore those two files and you can have another go.
A newbie's crack write-up; thanks for reading to the end.
==================================================================================
【Statement】This write-up is for internal study only! If you repost it, please keep it intact!
==================================================================================