近日碰到一软件,加密比较简单,已经追出注册码,但因水平太低,算法看不懂,请高手指点,我也想作个注册机。
005AEE20 55 push ebp ; ;中断在此,开始。
005AEE21 8BEC mov ebp,esp
005AEE23 B9 05000000 mov ecx,5
005AEE28 6A 00 push 0
005AEE2A 6A 00 push 0
005AEE2C 49 dec ecx
005AEE2D ^ 75 F9 jnz short YB.005AEE28
005AEE2F 56 push esi
005AEE30 57 push edi
005AEE31 8BF0 mov esi,eax
005AEE33 33C0 xor eax,eax
005AEE35 55 push ebp
005AEE36 68 43F05A00 push YB.005AF043
005AEE3B 64:FF30 push dword ptr fs:[eax]
005AEE3E 64:8920 mov dword ptr fs:[eax],>
005AEE41 8D55 F8 lea edx,dword ptr ss:[e>
005AEE44 8B86 F4020000 mov eax,dword ptr ds:[e>
005AEE4A E8 F1E3E9FF call YB.0044D240 ; ;取得机器码
005AEE4F 837D F8 00 cmp dword ptr ss:[ebp-8>; ;堆栈 ss:[0094EDE4]=015CBE74, (ASCII "88878280");机器码不为0,跳走。
005AEE53 75 0F jnz short YB.005AEE64 ; ;跳
005AEE55 B8 58F05A00 mov eax,YB.005AF058
005AEE5A E8 8563E9FF call YB.004451E4 ; ;无法取得机器码!
005AEE5F E9 8F010000 jmp YB.005AEFF3
005AEE64 8D55 F4 lea edx,dword ptr ss:[e>
005AEE67 8B86 FC020000 mov eax,dword ptr ds:[e>
005AEE6D E8 CEE3E9FF call YB.0044D240 ; ;取得随便输的注册码“123456789”
005AEE72 837D F4 00 cmp dword ptr ss:[ebp-C>; ;堆栈 ss:[0094EDE0]=015CBE8C, (ASCII "123456789")
005AEE76 75 0F jnz short YB.005AEE87 ; ;不为0则跳,跳走。
005AEE78 B8 8CF05A00 mov eax,YB.005AF08C
005AEE7D E8 6263E9FF call YB.004451E4 ; ;请输入注册码
005AEE82 E9 6C010000 jmp YB.005AEFF3
005AEE87 6A 01 push 1
005AEE89 6A 01 push 1
005AEE8B 6A 01 push 1
005AEE8D 8D55 F0 lea edx,dword ptr ss:[e>
005AEE90 8B86 F4020000 mov eax,dword ptr ds:[e>
005AEE96 E8 A5E3E9FF call YB.0044D240 ; ;取得机器码“88878280”
005AEE9B 8B45 F0 mov eax,dword ptr ss:[e>; ;机器码赋予EAX
005AEE9E 50 push eax ; ;EAX压栈
005AEE9F 8D45 FC lea eax,dword ptr ss:[e>
005AEEA2 E8 215CE5FF call YB.00404AC8
005AEEA7 8BD0 mov edx,eax
005AEEA9 B9 A4F05A00 mov ecx,YB.005AF0A4 ; ASCII "qd"
005AEEAE 58 pop eax ; ;EAX出栈
005AEEAF E8 801FF8FF call YB.00530E34 ; ;此CALL过后,EDX 015CE4D8 ASCII“88878280”机器码
005AEEB4 8D4D EC lea ecx,dword ptr ss:[e>
005AEEB7 BA 08000000 mov edx,8 ; ;EDX赋8
005AEEBC 8B45 FC mov eax,dword ptr ss:[e>; ;EAX赋值为 (ASCII "414143531000000008000000000000000100010100000000F8B33CA82776AB511E18D9C8AC096BA1")
005AEEBF E8 786FE9FF call YB.00445E3C ; ;关键CALL,计算真正的注册码,跟进F7(见下面)
005AEEC4 8B45 EC mov eax,dword ptr ss:[e>; ;真注册码赋EAX:“AC096BA1”
005AEEC7 50 push eax ; ;压栈
005AEEC8 8D55 E8 lea edx,dword ptr ss:[e>
005AEECB 8B86 FC020000 mov eax,dword ptr ds:[e>
005AEED1 E8 6AE3E9FF call YB.0044D240 ; ;取得假注册码
005AEED6 8B55 E8 mov edx,dword ptr ss:[e>; ;假注册码赋EDX“123456789”
005AEED9 58 pop eax ; ;真注册码出栈“AC096BA1”
005AEEDA E8 E55FE5FF call YB.00404EC4 ; ;比较真假注册码
005AEEDF 0F85 04010000 jnz YB.005AEFE9 ; ;跳走,死翘翘
======================================================================
call YB.00445E3C
00445E3C 53 push ebx
00445E3D 56 push esi
00445E3E 57 push edi
00445E3F 8BF9 mov edi,ecx
00445E41 8BF2 mov esi,edx
00445E43 8BD8 mov ebx,eax ; ;那个80个字符的“41414353......AC096BA1”
00445E45 57 push edi
00445E46 8BC3 mov eax,ebx ; ;还是那个80个字符的“41414353......AC096BA1”
00445E48 E8 33EFFBFF call YB.00404D80 ; ;F7跟进看看(见下面)
00445E4D 8BD0 mov edx,eax ; EDX变为00000050
00445E4F 42 inc edx ; EDX变为00000051
00445E50 2BD6 sub edx,esi ; EDX变为00000049
00445E52 8BCE mov ecx,esi ; ECX变为00000008
00445E54 8BC3 mov eax,ebx ; ;还是那个80个字符的“41414353......AC096BA1”
00445E56 E8 7DF1FBFF call YB.00404FD8 ; ;这可能是真正计算注册码的地方,F7跟进(见下面)
00445E5B 5F pop edi
00445E5C 5E pop esi
00445E5D 5B pop ebx
00445E5E C3 retn ; ;返回到 005AEEC4 (YB.005AEEC4)
==================================================================
call YB.00404D80
00404D80 85C0 test eax,eax ; ;还是那个80个字符的“41414353......AC096BA1”
00404D82 74 03 je short YB.00404D87 ; 不跳
00404D84 8B40 FC mov eax,dword ptr ds:[e>; EAX变为00000050
00404D87 C3 retn ;返回
===================================================================
call YB.00404FD8
00404FD8 53 push ebx ; ;还是那个80个字符的“41414353......AC096BA1”
00404FD9 85C0 test eax,eax
00404FDB 74 2D je short YB.0040500A ; ;不跳
00404FDD 8B58 FC mov ebx,dword ptr ds:[e>; ;EBX变为00000050
00404FE0 85DB test ebx,ebx
00404FE2 74 26 je short YB.0040500A ; ;不跳
00404FE4 4A dec edx ; ;EDX变为00000048
00404FE5 7C 1B jl short YB.00405002 ; ;不跳
00404FE7 39DA cmp edx,ebx ; ;48<50
00404FE9 7D 1F jge short YB.0040500A ; ;不跳
00404FEB 29D3 sub ebx,edx ; ;EBX=00000050-00000048=00000008
00404FED 85C9 test ecx,ecx ; ;ECX为00000008
00404FEF 7C 19 jl short YB.0040500A ; ;不跳
00404FF1 39D9 cmp ecx,ebx ; ;都是00000008
00404FF3 7F 11 jg short YB.00405006 ; ;不跳
00404FF5 01C2 add edx,eax ; ;真注册码第一次出现了:"AC096BA1"就是那80个字符的最后8位
00404FF7 8B4424 08 mov eax,dword ptr ss:[e>
00404FFB E8 B8FBFFFF call YB.00404BB8 ; ;没跟进去
00405000 EB 11 jmp short YB.00405013 ; ;跳走
00405002 31D2 xor edx,edx
00405004 ^ EB E5 jmp short YB.00404FEB
00405006 89D9 mov ecx,ebx
00405008 ^ EB EB jmp short YB.00404FF5
0040500A 8B4424 08 mov eax,dword ptr ss:[e>
0040500E E8 B5FAFFFF call YB.00404AC8
00405013 5B pop ebx
00405014 C2 0400 retn 4 ; ;返回到 00445E5B (YB.00445E5B)
===================================================================
那个CALL 00404FD8 可能是计算真注册码的地方,但在 :00404FF5 add edx,eax 这一句过后计算出真注册码,它是怎么算出来的啊?另外那个(ASCII "414143531000000008000000000000000100010100000000F8B33CA82776AB511E18D9C8AC096BA1")有什么用呢,它的最后8位就是真正的注册码。
请大家指点指点,不胜感激。