目标:易优超级字典生成器 V3.35
作者:alive
在看雪潜水多年,学到了不少知识,昨晚突然想自己试试软件的破解,结果就是一个晚上的时间,才发现写破文的不易,十分感谢那些前辈们,感谢看雪论坛,感谢CCTV。。。。
软件使用的是NsPacK V3.6,拿出OD中的脚本将壳脱去,使用Microsoft Visual C++ 6.0编写。尝试用错误的注册码注册发现使用的是重启校验的方式。
软件的流程是将申请号进行md5加密,然后算出一个16位的值,然后再将20位的注册码提取算出16位的值,然后进行比较,不多说了,语言表达能力太差。。。
申请号的算法,md5加密的那里跳过了:
00403528 |> /8D4C24 08 /lea ecx,dword ptr ss:[esp+8]
0040352C |. |E8 2FFFFFFF |call 1213.00403460
00403531 |. |803C70 39 |cmp byte ptr ds:[eax+esi*2],39
00403535 |. |7F 23 |jg short 1213.0040355A
00403537 |. |8D4C24 08 |lea ecx,dword ptr ss:[esp+8]
0040353B |. |E8 20FFFFFF |call 1213.00403460
00403540 |. |803C30 30 |cmp byte ptr ds:[eax+esi],30
00403544 |. |7C 14 |jl short 1213.0040355A
00403546 |. |8D4C24 08 |lea ecx,dword ptr ss:[esp+8]
0040354A |. |E8 11FFFFFF |call 1213.00403460
0040354F |. |0FBE0C70 |movsx ecx,byte ptr ds:[eax+esi*2]
00403553 |. |83E9 30 |sub ecx,30
00403556 |. |890F |mov dword ptr ds:[edi],ecx
00403558 |. |EB 12 |jmp short 1213.0040356C
0040355A |> |8D4C24 08 |lea ecx,dword ptr ss:[esp+8]
0040355E |. |E8 FDFEFFFF |call 1213.00403460
00403563 |. |0FBE1470 |movsx edx,byte ptr ds:[eax+esi*2]
00403567 |. |83EA 56 |sub edx,56
0040356A |. |8917 |mov dword ptr ds:[edi],edx
0040356C |> |46 |inc esi
0040356D |. |83C7 04 |add edi,4
00403570 |. |83FE 10 |cmp esi,10
00403573 |.^\7C B3 \jl short 1213.00403528
0040357E |> /8BD1 /mov edx,ecx
00403580 |. |81E2 0F000080 |and edx,8000000F
00403586 |. |79 05 |jns short 1213.0040358D
00403588 |. |4A |dec edx
00403589 |. |83CA F0 |or edx,FFFFFFF0
0040358C |. |42 |inc edx
0040358D |> |8BC7 |mov eax,edi
0040358F |. |83C1 5B |add ecx,5B
00403592 |. |0FAF06 |imul eax,dword ptr ds:[esi]
00403595 |. |83C6 04 |add esi,4
00403598 |. |8D1CC5 000000>|lea ebx,dword ptr ds:[eax*8]
0040359F |. |2BD8 |sub ebx,eax
004035A1 |. |8D1C98 |lea ebx,dword ptr ds:[eax+ebx*4]
004035A4 |. |8B4494 48 |mov eax,dword ptr ss:[esp+edx*4+48]
004035A8 |. |03C3 |add eax,ebx
004035AA |. |BB 3D000000 |mov ebx,3D
004035AF |. |99 |cdq
004035B0 |. |F7FB |idiv ebx
004035B2 |. |47 |inc edi
004035B3 |. |81F9 B0050000 |cmp ecx,5B0
004035B9 |. |8956 FC |mov dword ptr ds:[esi-4],edx
004035BC |.^\7C C0 \jl short 1213.0040357E
004035CC |> /8B02 /mov eax,dword ptr ds:[edx]
004035CE |. |83F8 19 |cmp eax,19
004035D1 |. |7F 08 |jg short 1213.004035DB
004035D3 |. |85C0 |test eax,eax
004035D5 |. |7C 04 |jl short 1213.004035DB
004035D7 |. |04 41 |add al,41
004035D9 |. |EB 1E |jmp short 1213.004035F9
004035DB |> |83F8 23 |cmp eax,23
004035DE |. |7F 0B |jg short 1213.004035EB
004035E0 |. |83F8 1A |cmp eax,1A
004035E3 |. |7C 06 |jl short 1213.004035EB
004035E5 |. |8A02 |mov al,byte ptr ds:[edx]
004035E7 |. |04 16 |add al,16
004035E9 |. |EB 0E |jmp short 1213.004035F9
004035EB |> |83F8 3D |cmp eax,3D
004035EE |. |7D 0C |jge short 1213.004035FC
004035F0 |. |83F8 24 |cmp eax,24
004035F3 |. |7C 07 |jl short 1213.004035FC
004035F5 |. |8A02 |mov al,byte ptr ds:[edx]
004035F7 |. |04 3D |add al,3D
004035F9 |> |880431 |mov byte ptr ds:[ecx+esi],al
004035FC |> |41 |inc ecx
004035FD |. |83C2 04 |add edx,4
00403600 |. |83F9 10 |cmp ecx,10
00403603 |.^\7C C7 \jl short 1213.004035CC
为了不在大牛面前丢人现眼,我就不写注释了。。。
还原的C源码:
/*
 * Reconstruction (as pasted on the page) of the request-number routine
 * listed above at 00403528-00403603.  It is documented here rather than
 * rewritten: the text does not compile as it stands (see the notes at
 * the `a=(a*8-a)*4+a+result` line and at the chained comparison in the
 * last loop), and <stdio.h> is not included for printf.  The property a
 * defender should notice is visible in the code itself: the check is a
 * fixed, secret-free arithmetic transform of the request number, so
 * anyone holding the binary can reproduce it.
 */
int main()
{
/* 32 hex characters (the MD5 of the request number, in text form);
 * only the even positions soure[i*2] are consumed below. */
char soure[]={"e3127bb9fc14b3f3c1fe1e5e5d0df63c"};
/* 16 working values; the "0" initializer sets result[0]='0' and zeroes the rest. */
char result[16]={"0"};
/* c starts at 0x5B and is advanced by 0x5B per round (cmp ecx,5B0 in the listing). */
int i,a=0,b=0,c=0x5b;
/* Pass 1: hex digit -> value.  '0'..'9' become ch-48; anything else
 * becomes ch-86 (so 'a'..'f' give 11..16).  As in the listing at
 * 00403540, the lower-bound test reads soure[i], not soure[i*2]. */
for(i=0;i<16;i++)
{
if(soure[i*2]>57||soure[i]<48)
{
result[i]=soure[i*2]-86;
continue;
}
result[i]=soure[i*2]-48;
}
/* Pass 2: mix each value with its index and reduce modulo 61. */
for(i=0;i<16;i++)
{
a=i;
a=a*result[i];
/* Incomplete as pasted: an int is added to the array `result` with no
 * subscript, which does not compile.  `b` is assigned at the bottom of
 * this loop body and never read. */
a=(a*8-a)*4+a+result
;
b=a%61;
result[i]=b;
b=c&0xf;
c+=0x5b;
}
/* Pass 3: map each value onto a printable character. */
for(i=0;i<16;i++)
{
/* 0..0x19: add 0x41 -> 'A'..'Z' */
if(result[i]<=0x19)
{
result[i]+=0x41;
continue;
}
/* 0x1A..0x23: add 0x16 -> '0'..'9' */
if(0x1a<=result[i]&&result[i]<=0x23)
{
result[i]+=0x16;
continue;
}
/* Bug: C has no chained comparison.  This parses as
 * (0x24<=result[i]) < 0x3d, i.e. (0 or 1) < 61, which is always true,
 * so every value reaching this point gets 0x3D added regardless of
 * the intended upper bound. */
if(0x24<=result[i]<0x3d)
{
result[i]+=0x3d;
}
}
/* Emit the 16 characters; no trailing newline, and main falls off the
 * end without a return statement. */
for(i=0;i<16;i++)
{
printf("%c",result[i]);
}
}
注册码的过程:
00403653 |> /8A042A /mov al,byte ptr ds:[edx+ebp]
00403656 |. |3C 39 |cmp al,39
00403658 |. |7F 0C |jg short 1213.00403666
0040365A |. |3C 30 |cmp al,30
0040365C |. |7C 08 |jl short 1213.00403666
0040365E |. |0FBEC0 |movsx eax,al
00403661 |. |83E8 16 |sub eax,16
00403664 |. |EB 1E |jmp short 1213.00403684
00403666 |> |3C 7A |cmp al,7A
00403668 |. |7F 0C |jg short 1213.00403676
0040366A |. |3C 61 |cmp al,61
0040366C |. |7C 08 |jl short 1213.00403676
0040366E |. |0FBEC0 |movsx eax,al
00403671 |. |83E8 3D |sub eax,3D
00403674 |. |EB 0E |jmp short 1213.00403684
00403676 |> |3C 5A |cmp al,5A
00403678 |. |7F 0C |jg short 1213.00403686
0040367A |. |3C 41 |cmp al,41
0040367C |. |7C 08 |jl short 1213.00403686
0040367E |. |0FBEC0 |movsx eax,al
00403681 |. |83E8 41 |sub eax,41
00403684 |> |8901 |mov dword ptr ds:[ecx],eax
00403686 |> |42 |inc edx
00403687 |. |83C1 04 |add ecx,4
0040368A |. |83FA 14 |cmp edx,14
0040368D |.^\7C C4 \jl short 1213.00403653
00403695 |> /8BC3 /mov eax,ebx
00403697 |. |99 |cdq
00403698 |. |83E2 03 |and edx,3
0040369B |. |03C2 |add eax,edx
0040369D |. |C1F8 02 |sar eax,2
004036A0 |. |8D7484 50 |lea esi,dword ptr ss:[esp+eax*4+50]
004036A4 |. |8B4484 50 |mov eax,dword ptr ss:[esp+eax*4+50]
004036A8 |. |8BC8 |mov ecx,eax
004036AA |. |81E1 01000080 |and ecx,80000001
004036B0 |. |79 05 |jns short 1213.004036B7
004036B2 |. |49 |dec ecx
004036B3 |. |83C9 FE |or ecx,FFFFFFFE
004036B6 |. |41 |inc ecx
004036B7 |> |99 |cdq
004036B8 |. |2BC2 |sub eax,edx
004036BA |. |D1F8 |sar eax,1
004036BC |. |83F9 01 |cmp ecx,1
004036BF |. |8906 |mov dword ptr ds:[esi],eax
004036C1 |. |75 06 |jnz short 1213.004036C9
004036C3 |. |017C3C 10 |add dword ptr ss:[esp+edi+10],edi
004036C7 |. |EB 0C |jmp short 1213.004036D5
004036C9 |> |8B443C 10 |mov eax,dword ptr ss:[esp+edi+10]
004036CD |. |8BCF |mov ecx,edi
004036CF |. |2BC8 |sub ecx,eax
004036D1 |. |894C3C 10 |mov dword ptr ss:[esp+edi+10],ecx
004036D5 |> |83C7 04 |add edi,4
004036D8 |. |43 |inc ebx
004036D9 |. |83FF 40 |cmp edi,40
004036DC |.^\7C B7 \jl short 1213.00403695
004036E6 |> /8B02 /mov eax,dword ptr ds:[edx]
004036E8 |. |83F8 19 |cmp eax,19
004036EB |. |7F 08 |jg short 1213.004036F5
004036ED |. |85C0 |test eax,eax
004036EF |. |7C 04 |jl short 1213.004036F5
004036F1 |. |04 41 |add al,41
004036F3 |. |EB 1E |jmp short 1213.00403713
004036F5 |> |83F8 23 |cmp eax,23
004036F8 |. |7F 0B |jg short 1213.00403705
004036FA |. |83F8 1A |cmp eax,1A
004036FD |. |7C 06 |jl short 1213.00403705
004036FF |. |8A02 |mov al,byte ptr ds:[edx]
00403701 |. |04 16 |add al,16
00403703 |. |EB 0E |jmp short 1213.00403713
00403705 |> |83F8 3D |cmp eax,3D
00403708 |. |7D 0C |jge short 1213.00403716
0040370A |. |83F8 24 |cmp eax,24
0040370D |. |7C 07 |jl short 1213.00403716
0040370F |. |8A02 |mov al,byte ptr ds:[edx]
00403711 |. |04 3D |add al,3D
00403713 |> |880429 |mov byte ptr ds:[ecx+ebp],al
00403716 |> |41 |inc ecx
00403717 |. |83C2 04 |add edx,4
0040371A |. |83F9 10 |cmp ecx,10
0040371D |.^\7C C7 \jl short 1213.004036E6
还原的代码:
/*
 * Reconstruction (as pasted) of the registration-code routine listed
 * above at 00403653-0040371D.  Documented rather than rewritten: the
 * middle loop is incomplete in the page text (`a=pass;` and `pass=a;`
 * use the array without a subscript and do not compile), and <stdio.h>
 * is not included for printf.
 */
int main()
{
/* 20-character input key (placeholder of 'C's, plus the terminator). */
char pass[21]={"CCCCCCCCCCCCCCCCCCCC"};
/* Output buffer; only result[0..15] are written below, the rest keep 'C'. */
char result[21]={"CCCCCCCCCCCCCCCCCCCC"};
int i;
/* These are char, so the arithmetic below is done on (plain, usually signed) bytes. */
char a=0,b=0,c=0;
/* Pass 1: character -> value.  '0'..'9' -> ch-0x16 (26..35),
 * 'a'..'z' -> ch-0x3D (36..61), 'A'..'Z' -> ch-0x41 (0..25);
 * any other byte is left unchanged. */
for(i=0;i<20;i++)
{
if(pass[i]>=0x30&&pass[i]<=0x39)
{
pass[i]-=0x16;
continue;
}
if(pass[i]>=0x61&&pass[i]<=0x7a)
{
pass[i]-=0x3d;
continue;
}
if(pass[i]<=0x5a&&pass[i]>=0x41)
{
pass[i]-=0x41;
}
}
/* Pass 2: fold the four trailing values pass[16..19] into the first 16.
 * b=16+i/4 names the trailing entry for position i but is not read
 * afterwards; `a=pass;` / `pass=a;` lack their subscript as pasted, so
 * this loop does not compile as written. */
for(i=0;i<16;i++)
{
a=i;
a=i/4;
b=16+a;
a=pass;
/* c = low bit of the selected value, which is then halved and stored back. */
c=a%2;
a=a/2;
pass=a;
/* Even bit: pass[i] becomes i*4 - pass[i] (for i==0 that is -pass[0]).
 * Odd bit:  pass[i] gets i*4 added. */
if(c!=1)
{
a=pass[i];
if(i==0)
{
pass[i]=0-a;
}
else
{
pass[i]=i*4-pass[i];
}
continue;
}
pass[i]+=i*4;
}
/* Debug dump of the intermediate values.  Each char is promoted to int;
 * %X expects unsigned, so negative values print sign-extended on
 * typical compilers. */
for(i=0;i<16;i++)
{
printf("%X ",pass[i]);
}
printf("\n");
/* Pass 3: value -> character, the same three ranges as the
 * request-number routine.  A value of exactly 0 matches none of the
 * tests here (the first requires >0x0), so result[i] keeps its initial
 * 'C' in that case. */
for(i=0;i<16;i++)
{
if(pass[i]<=0x19&&pass[i]>0x0)
{
result[i]=pass[i]+0x41;
}
if(pass[i]<=0x23&&pass[i]>=0x1a)
{
result[i]=pass[i]+0x16;
}
if(pass[i]<0x3d&&pass[i]>=0x24)
{
result[i]=pass[i]+0x3d;
}
}
/* Print all 20 bytes of result: the 16 computed plus 4 untouched 'C's. */
for(i=0;i<20;i++)
{
printf("%c",result[i]);
}
return 0;
}
这里要将申请号算出来的那个值还原成我们需要的注册码,主要就是这里:
/*
 * Verbatim excerpt of the folding loop from the second main() above,
 * repeated by the author for discussion.  It is not self-contained:
 * i, a, b, c and pass are declared in that main(), and `a=pass;` /
 * `pass=a;` are missing their subscript as pasted, so the excerpt does
 * not compile on its own.
 */
for(i=0;i<16;i++)
{
a=i;
/* b = 16 + i/4 names one of the four trailing entries; b is not read afterwards. */
a=i/4;
b=16+a;
a=pass;
/* c = low bit of the selected value; the value is halved and stored back. */
c=a%2;
a=a/2;
pass=a;
/* Even bit: pass[i] = i*4 - pass[i] (for i==0, -pass[0]).  Odd bit: pass[i] += i*4. */
if(c!=1)
{
a=pass[i];
if(i==0)
{
pass[i]=0-a;
}
else
{
pass[i]=i*4-pass[i];
}
continue;
}
pass[i]+=i*4;
}
我写的逆算法:
/*
 * Author's inverse of the folding loop above, as pasted.  It is an
 * excerpt: `backpass` is not declared here and several uses lack a
 * subscript (`backpass<=a`, `backpass=a-backpass`, `backpass=backpass-a`),
 * so it does not compile on its own.  Positions are visited in reverse
 * (b = 15-i); c = b/4 selects the trailing entry backpass[16+c], which
 * is rebuilt one bit per step (doubled, plus one on the `else` path)
 * while the i*4 offset is undone from the main entry.
 */
for(i=0;i<16;i++)
{
b=15-i;
a=b*4;
c=b/4;
if(backpass<=a)
{
/* Unreachable: i==b would need i == 15-i, which no integer i satisfies. */
if(i==b)
{
backpass[16+c]*=2;
continue;
}
backpass=a-backpass;
backpass[16+c]*=2;
}
else
{
backpass=backpass-a;
backpass[16+c]=backpass[16+c]*2+1;
}
}
语言能力太差,我就不解释了。。。有很多不合理的地方请各位前辈们指正。。。
附上自己写的注册机,因为md5加密不会,所以请大家自己去www.xmd5.com上加密申请号吧。。
crack.rar
最后由衷感谢看雪论坛,睡觉去了。。。