【破文标题】:边锋游戏之《湖州红五记牌器》脱壳+算法分析一条龙
【破文作者】:KuNgBiM[DFCG]
【作者邮箱】:gb_1227@163.com
【软件名称】:边锋游戏之《湖州红五记牌器》
【软件大小】:377 KB
【软件类别】:国产软件/共享软件/游戏外挂
【整理时间】:2005-5-19
【下载地址】:本地下载
【软件简介】:发第一张牌的时候你就知道可以亮什么主及每门花色会有几张主。
【保护方式】:注册码 + 使用次数限制
【加密保护】:ASPack 2.12 -> Alexey Solodovnikov
【编译语言】:Borland Delphi 6.0 - 7.0
【调试环境】:WinXP、PEiD、Ollydbg、LordPE、ImportREC、W32Dasm
【破解日期】:2005-06-02
【破解目的】:推广使用ESP定律脱壳,以及研究算法分析
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
―――――――――――――――――――――――――――――――――
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
【脱壳过程】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
侦壳脱壳:用PEiD查壳,ASPack 2.12 -> Alexey Solodovnikov加壳。
使用法宝:我们既然知道了是ASPack所加壳保护的,所以拿出Ollydbg结合文章题目手动脱之~~
――――――――――――――――――――
Ollydbg
载入主程序:
0052C001 > 60
pushad //
停在这里,F8一次
0052C002 E8 03000000
call hzred5.0052C00A //
来到这里,这时查看寄存器窗口
0052C007 - E9 EB045D45
jmp 45AFC4F7
0052C00C 55
push ebp
0052C00D C3
retn
\\\\\\\\\\\\\\\
寄存器\\\\\\\\\\\\\\\\
EAX 00000000
ECX 00010101
EDX FFFFFFFF
EBX 7FFDF000
ESP 0012FFA4 //
esp=0012ffa4
EBP 0012FFF0
ESI 00000000
EDI 00000000
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
根据ESP定律规则,现在在命令栏中下 hr 0012ffa4 命令,回车,F9运行:
0052C3B0 /75 08
jnz short hzred5.0052C3BA //
这里断下,继续F8
0052C3B2 |B8 01000000
mov eax,1
0052C3B7 |C2 0C00
retn 0C
0052C3BA \68 7C654C00
push hzred5.004C657C //
这里004C657C所指的就是OEP,F8继续走
0052C3BF C3
retn //
飞向光明之巅~~ F8继续走
************************************************************************************************************
004C657C 55
push ebp //
飞向这里,程序入口,Dump!
004C657D 8BEC
mov ebp,
esp
004C657F 83C4 F0
add esp,-10
004C6582 53
push ebx
004C6583 B8 E4624C00
mov eax,hzred5.004C62E4
004C6588 E8 8701F4FF
call hzred5.00406714
004C658D 8B1D 848F4C00
mov ebx,
dword ptr ds:[4C8F84]
; hzred5.004CAC30
004C6593 8B03
mov eax,
dword ptr ds:[
ebx]
004C6595 E8 02B6F9FF
call hzred5.00461B9C
004C659A 8B03
mov eax,
dword ptr ds:[
ebx]
004C659C BA F4654C00
mov edx,hzred5.004C65F4
004C65A1 E8 1AB2F9FF
call hzred5.004617C0
004C65A6 8B0D A0904C00
mov ecx,
dword ptr ds:[4C90A0]
; hzred5.004CAD80
004C65AC 8B03
mov eax,
dword ptr ds:[
ebx]
004C65AE 8B15 34214C00
mov edx,
dword ptr ds:[4C2134]
; hzred5.004C2180
........
************************************************************************************************************
脱壳修复:运行LordPE,Dump整个进程,然后打开ImportREC找到该程序对应进程,OEP填000C657C,“自动搜索IAT”,“获取输入表”,
删去一个无效指针,其余指针全部有效,“修复抓取文件”,OK,脱壳修复完成!运行成功!Fix Dump!!
用PEiD再次检测,程序为Borland Delphi 6.0 - 7.0所编译,优化一下,原始:377 KB -->脱壳优化:1.10 MB
―――――――――――――――――――――――――――――――――
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
【破解过程】 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
试探:运行脱壳后的主程序注册,输入试炼码,确认!程序提示:" 注册码错误! "
初步下药:用W32Dasm进行静态反汇编,查找 " 注册码错误! " 字符串,找到004C1F9C处,确定注册环节应从004C1E20处开始。
对症下药:Ollydbg重新载入脱壳后的主程序,向上来到 004C1E20 处下断,F9运行,输入试炼信息:
*****
试炼信息 ******
机器码:000AEB97B625
试炼码:9876543210
*********************
点击确定后OD断下:
004C1E20 6A 00
push 0
004C1E22 6A 00
push 0
004C1E24 49
dec ecx //
ecx=5
004C1E25 ^ 75 F9
jnz short dumped_.004C1E20 //
程序向上检测5次
004C1E27 53
push ebx
004C1E28 56
push esi
004C1E29 8BD8
mov ebx,
eax
004C1E2B 33C0
xor eax,
eax
004C1E2D 55
push ebp
004C1E2E 68 16204C00
push dumped_.004C2016
004C1E33 64:FF30
push dword ptr fs:[
eax]
004C1E36 64:8920
mov dword ptr fs:[
eax],
esp
004C1E39 8D55 FC
lea edx,
dword ptr ss:[
ebp-4]
004C1E3C 8B83 FC020000
mov eax,
dword ptr ds:[
ebx+2FC]
004C1E42 E8 75F0F7FF
call dumped_.00440EBC //
取试炼码
004C1E47 837D FC 00
cmp dword ptr ss:[
ebp-4],0 //
比较序列号是否为0
004C1E4B 75 1E
jnz short dumped_.004C1E6B //
为0则跳死!
004C1E4D 6A 30
push 30
004C1E4F 68 24204C00
push dumped_.004C2024 //
提示“未输入注册码!”
004C1E54 68 2C204C00
push dumped_.004C202C
004C1E59 8BC3
mov eax,
ebx
004C1E5B E8 0858F8FF
call dumped_.00447668
004C1E60 50
push eax
004C1E61 E8 CE52F4FF
call dumped_.00407134 //
调用通用对话框函数,MessageBoxA
004C1E66 E9 50010000
jmp dumped_.004C1FBB
004C1E6B 8D55 F4
lea edx,
dword ptr ss:[
ebp-C]
004C1E6E 8B83 FC020000
mov eax,
dword ptr ds:[
ebx+2FC]
004C1E74 E8 43F0F7FF
call dumped_.00440EBC //
取试炼码
004C1E79 8B45 F4
mov eax,
dword ptr ss:[
ebp-C] //ASCII
"9876543210"
004C1E7C 8D55 F8
lea edx,
dword ptr ss:[
ebp-8]
004C1E7F E8 EC68F4FF
call dumped_.00408770
004C1E84 8B45 F8
mov eax,
dword ptr ss:[
ebp-8]
004C1E87 50
push eax //
试炼码压栈,ASCII "9876543210
"
004C1E88 8D55 E8
lea edx,
dword ptr ss:[
ebp-18] //edx
清零
004C1E8B 8B83 F4020000
mov eax,
dword ptr ds:[
ebx+2F4]
004C1E91 E8 26F0F7FF
call dumped_.00440EBC //
取机器码
004C1E96 8B45 E8
mov eax,
dword ptr ss:[
ebp-18] //ASCII
"000AEB97B625"
004C1E99 8D55 EC
lea edx,
dword ptr ss:[
ebp-14]
004C1E9C E8 CF68F4FF
call dumped_.00408770
004C1EA1 8B45 EC
mov eax,
dword ptr ss:[
ebp-14] //
机器码入栈,ASCII "000AEB97B625
"
004C1EA4 8D55 F0
lea edx,
dword ptr ss:[
ebp-10] //edx
清零
004C1EA7 E8 74FCFFFF
call dumped_.004C1B20 //
算法CALL,F7跟进!
004C1EAC 8B55 F0
mov edx,
dword ptr ss:[
ebp-10] //
真码出现,ASCII "aaarvsjvsccx
"
004C1EAF 58
pop eax //eax
清零
004C1EB0 E8 4B28F4FF
call dumped_.00404700 //
经典比对CALL
004C1EB5 0F85 DA000000
jnz dumped_.004C1F95 //
爆破点
004C1EBB B2 01
mov dl,1
004C1EBD A1 AC8B4800
mov eax,
dword ptr ds:[488BAC]
004C1EC2 E8 E56DFCFF
call dumped_.00488CAC
004C1EC7 8BF0
mov esi,
eax
004C1EC9 BA 02000080
mov edx,80000002
004C1ECE 8BC6
mov eax,
esi
004C1ED0 E8 776EFCFF
call dumped_.00488D4C
004C1ED5 B1 01
mov cl,1
004C1ED7 BA 44204C00
mov edx,dumped_.004C2044 //
注册信息保存位置,ASCII "SOFTWARE\Microsoft\hzred5
"
004C1EDC 8BC6
mov eax,
esi
004C1EDE E8 A96FFCFF
call dumped_.00488E8C
004C1EE3 B9 01000000
mov ecx,1
004C1EE8 BA 68204C00
mov edx,dumped_.004C2068 //
注册表里保存机器码位置,ASCII "hzred5reg
"
004C1EED 8BC6
mov eax,
esi
004C1EEF E8 3871FCFF
call dumped_.0048902C
004C1EF4 8D55 E0
lea edx,
dword ptr ss:[
ebp-20]
004C1EF7 8B83 FC020000
mov eax,
dword ptr ds:[
ebx+2FC]
004C1EFD E8 BAEFF7FF
call dumped_.00440EBC
004C1F02 8B45 E0
mov eax,
dword ptr ss:[
ebp-20]
004C1F05 8D55 E4
lea edx,
dword ptr ss:[
ebp-1C]
004C1F08 E8 6368F4FF
call dumped_.00408770
004C1F0D 8B4D E4
mov ecx,
dword ptr ss:[
ebp-1C]
004C1F10 BA 7C204C00
mov edx,dumped_.004C207C //
注册表里保存注册码位置,ASCII "red5sn
"
004C1F15 8BC6
mov eax,
esi
004C1F17 E8 E470FCFF
call dumped_.00489000
004C1F1C 8D55 D8
lea edx,
dword ptr ss:[
ebp-28]
004C1F1F 8B83 F4020000
mov eax,
dword ptr ds:[
ebx+2F4]
004C1F25 E8 92EFF7FF
call dumped_.00440EBC
004C1F2A 8B45 D8
mov eax,
dword ptr ss:[
ebp-28]
004C1F2D 8D55 DC
lea edx,
dword ptr ss:[
ebp-24]
004C1F30 E8 3B68F4FF
call dumped_.00408770
004C1F35 8B4D DC
mov ecx,
dword ptr ss:[
ebp-24]
004C1F38 BA 8C204C00
mov edx,dumped_.004C208C //
注册信息保存的字符串,ASCII "macstr
"
004C1F3D 8BC6
mov eax,
esi
004C1F3F E8 BC70FCFF
call dumped_.00489000
004C1F44 8BC6
mov eax,
esi
004C1F46 E8 D16DFCFF
call dumped_.00488D1C
004C1F4B 8BC6
mov eax,
esi
004C1F4D E8 4616F4FF
call dumped_.00403598
004C1F52 6A 00
push 0
004C1F54 B9 94204C00
mov ecx,dumped_.004C2094 //
注册成功返回的信息
004C1F59 BA 9C204C00
mov edx,dumped_.004C209C
004C1F5E A1 848F4C00
mov eax,
dword ptr ds:[4C8F84]
004C1F63 8B00
mov eax,
dword ptr ds:[
eax]
004C1F65 E8 5AFEF9FF
call dumped_.00461DC4
004C1F6A A1 A0904C00
mov eax,
dword ptr ds:[4C90A0]
004C1F6F 8B00
mov eax,
dword ptr ds:[
eax]
004C1F71 8B80 70030000
mov eax,
dword ptr ds:[
eax+370]
004C1F77 33D2
xor edx,
edx
004C1F79 8B08
mov ecx,
dword ptr ds:[
eax]
004C1F7B FF51 64
call dword ptr ds:[
ecx+64]
004C1F7E A1 A0904C00
mov eax,
dword ptr ds:[4C90A0]
004C1F83 8B00
mov eax,
dword ptr ds:[
eax]
004C1F85 C680 78030000 0>
mov byte ptr ds:[
eax+378],1
004C1F8C 8BC3
mov eax,
ebx
004C1F8E E8 0DC6F9FF
call dumped_.0045E5A0
004C1F93 EB 19
jmp short dumped_.004C1FAE
004C1F95 6A 30
push 30
004C1F97 68 24204C00
push dumped_.004C2024 //
注册失败返回的信息
004C1F9C 68 B0204C00
push dumped_.004C20B0
004C1FA1 8BC3
mov eax,
ebx
004C1FA3 E8 C056F8FF
call dumped_.00447668
004C1FA8 50
push eax
004C1FA9 E8 8651F4FF
call dumped_.00407134 //
调用通用对话框函数,MessageBoxA
004C1FAE 33D2
xor edx,
edx
004C1FB0 8B83 FC020000
mov eax,
dword ptr ds:[
ebx+2FC]
004C1FB6 E8 31EFF7FF
call dumped_.00440EEC
004C1FBB 33C0
xor eax,
eax
004C1FBD 5A
pop edx
004C1FBE 59
pop ecx
004C1FBF 59
pop ecx
004C1FC0 64:8910
mov dword ptr fs:[
eax],
edx
004C1FC3 68 1D204C00
push dumped_.004C201D
004C1FC8 8D45 D8
lea eax,
dword ptr ss:[
ebp-28]
004C1FCB E8 3423F4FF
call dumped_.00404304
004C1FD0 8D45 DC
lea eax,
dword ptr ss:[
ebp-24]
004C1FD3 E8 2C23F4FF
call dumped_.00404304
004C1FD8 8D45 E0
lea eax,
dword ptr ss:[
ebp-20]
004C1FDB E8 2423F4FF
call dumped_.00404304
004C1FE0 8D45 E4
lea eax,
dword ptr ss:[
ebp-1C]
004C1FE3 E8 1C23F4FF
call dumped_.00404304
004C1FE8 8D45 E8
lea eax,
dword ptr ss:[
ebp-18]
004C1FEB E8 1423F4FF
call dumped_.00404304
004C1FF0 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
004C1FF3 BA 02000000
mov edx,2
004C1FF8 E8 2B23F4FF
call dumped_.00404328
004C1FFD 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
004C2000 E8 FF22F4FF
call dumped_.00404304
004C2005 8D45 F8
lea eax,
dword ptr ss:[
ebp-8]
004C2008 E8 F722F4FF
call dumped_.00404304
004C200D 8D45 FC
lea eax,
dword ptr ss:[
ebp-4]
004C2010 E8 EF22F4FF
call dumped_.00404304
004C2015 C3
retn //
返回程序
==============
跟进:004C1EA7 E8 74FCFFFF call dumped_.004C1B20 ==============
004C1B20 55
push ebp
004C1B21 8BEC
mov ebp,
esp
004C1B23 B9 07000000
mov ecx,7
004C1B28 6A 00
push 0
004C1B2A 6A 00
push 0
004C1B2C 49
dec ecx //
ecx=7
004C1B2D ^ 75 F9
jnz short dumped_.004C1B28 //
向上循环7次
004C1B2F 53
push ebx
004C1B30 56
push esi
004C1B31 57
push edi
004C1B32 8BFA
mov edi,
edx
004C1B34 8945 FC
mov dword ptr ss:[
ebp-4],
eax //
取机器码,ASCII "000AEB97B625
"
004C1B37 8B45 FC
mov eax,
dword ptr ss:[
ebp-4] //
赋值给eax计算
004C1B3A E8 652CF4FF
call dumped_.004047A4
004C1B3F 33C0
xor eax,
eax
004C1B41 55
push ebp
004C1B42 68 E61C4C00
push dumped_.004C1CE6
004C1B47 64:FF30
push dword ptr fs:[
eax]
004C1B4A 64:8920
mov dword ptr fs:[
eax],
esp
004C1B4D 8D45 F8
lea eax,
dword ptr ss:[
ebp-8] //
取出机器码,ASCII "000AEB97B625
"
004C1B50 8B55 FC
mov edx,
dword ptr ss:[
ebp-4] //
赋值给edx
004C1B53 E8 4428F4FF
call dumped_.0040439C
004C1B58 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
004C1B5B E8 A427F4FF
call dumped_.00404304
004C1B60 8B45 F8
mov eax,
dword ptr ss:[
ebp-8] //
调用机器码,ASCII "000AEB97B625
"
004C1B63 E8 542AF4FF
call dumped_.004045BC
004C1B68 8BF0
mov esi,
eax
004C1B6A 85F6
test esi,
esi //
比较是否取完12位机器码,esi=0C
004C1B6C 0F8E 4F010000
jle dumped_.004C1CC1 //
未取完则继续!
004C1B72 BB 01000000
mov ebx,1
004C1B77 8D45 EC
lea eax,
dword ptr ss:[
ebp-14]
004C1B7A 8B55 F8
mov edx,
dword ptr ss:[
ebp-8] //edx
清零,装入机器码
004C1B7D 8A541A FF
mov dl,
byte ptr ds:[
edx+
ebx-1] //
ds:[00DDB14C]=30 (
'0')
,dl=4C ('L
')
004C1B81 E8 5E29F4FF
call dumped_.004044E4
004C1B86 8B45 EC
mov eax,
dword ptr ss:[
ebp-14]
004C1B89 8D55 F0
lea edx,
dword ptr ss:[
ebp-10]
004C1B8C E8 8F69F4FF
call dumped_.00408520
004C1B91 8B45 F0
mov eax,
dword ptr ss:[
ebp-10]
004C1B94 BA FC1C4C00
mov edx,dumped_.004C1CFC
004C1B99 E8 622BF4FF
call dumped_.00404700
004C1B9E 75 12
jnz short dumped_.004C1BB2 //
向上循环运算取字符所对应的ASCII码值
004C1BA0 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
004C1BA3 BA 081D4C00
mov edx,dumped_.004C1D08
004C1BA8 E8 172AF4FF
call dumped_.004045C4
004C1BAD E9 07010000
jmp dumped_.004C1CB9
004C1BB2 8D45 E4
lea eax,
dword ptr ss:[
ebp-1C]
004C1BB5 8B55 F8
mov edx,
dword ptr ss:[
ebp-8]
004C1BB8 8A541A FF
mov dl,
byte ptr ds:[
edx+
ebx-1] //
ds:[00DDB14C]=30 (
'0')
,dl=4C ('L
')
004C1BBC E8 2329F4FF
call dumped_.004044E4
004C1BC1 8B45 E4
mov eax,
dword ptr ss:[
ebp-1C]
004C1BC4 8D55 E8
lea edx,
dword ptr ss:[
ebp-18]
004C1BC7 E8 5469F4FF
call dumped_.00408520
004C1BCC 8B45 E8
mov eax,
dword ptr ss:[
ebp-18]
004C1BCF BA 141D4C00
mov edx,dumped_.004C1D14
004C1BD4 E8 272BF4FF
call dumped_.00404700
004C1BD9 75 12
jnz short dumped_.004C1BED //
向上循环运算取字符所对应的ASCII码值
004C1BDB 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
004C1BDE BA 201D4C00
mov edx,dumped_.004C1D20
004C1BE3 E8 DC29F4FF
call dumped_.004045C4
004C1BE8 E9 CC000000
jmp dumped_.004C1CB9
004C1BED 8D45 DC
lea eax,
dword ptr ss:[
ebp-24]
004C1BF0 8B55 F8
mov edx,
dword ptr ss:[
ebp-8]
004C1BF3 8A541A FF
mov dl,
byte ptr ds:[
edx+
ebx-1] //
ds:[00DDB14C]=30 (
'0')
,dl=4C ('L
')
004C1BF7 E8 E828F4FF
call dumped_.004044E4
004C1BFC 8B45 DC
mov eax,
dword ptr ss:[
ebp-24]
004C1BFF 8D55 E0
lea edx,
dword ptr ss:[
ebp-20]
004C1C02 E8 1969F4FF
call dumped_.00408520
004C1C07 8B45 E0
mov eax,
dword ptr ss:[
ebp-20]
004C1C0A BA 2C1D4C00
mov edx,dumped_.004C1D2C
004C1C0F E8 EC2AF4FF
call dumped_.00404700
004C1C14 75 12
jnz short dumped_.004C1C28 //
向上循环运算取字符所对应的ASCII码值
004C1C16 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
004C1C19 BA 381D4C00
mov edx,dumped_.004C1D38
004C1C1E E8 A129F4FF
call dumped_.004045C4
004C1C23 E9 91000000
jmp dumped_.004C1CB9
004C1C28 8D45 D4
lea eax,
dword ptr ss:[
ebp-2C]
004C1C2B 8B55 F8
mov edx,
dword ptr ss:[
ebp-8]
004C1C2E 8A541A FF
mov dl,
byte ptr ds:[
edx+
ebx-1] //
ds:[00DDB14C]=30 (
'0')
,dl=4C ('L
')
004C1C32 E8 AD28F4FF
call dumped_.004044E4
004C1C37 8B45 D4
mov eax,
dword ptr ss:[
ebp-2C]
004C1C3A 8D55 D8
lea edx,
dword ptr ss:[
ebp-28]
004C1C3D E8 DE68F4FF
call dumped_.00408520
004C1C42 8B45 D8
mov eax,
dword ptr ss:[
ebp-28]
004C1C45 BA 441D4C00
mov edx,dumped_.004C1D44
004C1C4A E8 B12AF4FF
call dumped_.00404700
004C1C4F 75 0F
jnz short dumped_.004C1C60 //
向上循环运算取字符所对应的ASCII码值
004C1C51 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
004C1C54 BA 501D4C00
mov edx,dumped_.004C1D50
004C1C59 E8 6629F4FF
call dumped_.004045C4
004C1C5E EB 59
jmp short dumped_.004C1CB9
004C1C60 8D45 CC
lea eax,
dword ptr ss:[
ebp-34]
004C1C63 8B55 F8
mov edx,
dword ptr ss:[
ebp-8]
004C1C66 8A541A FF
mov dl,
byte ptr ds:[
edx+
ebx-1] //
ds:[00DDB14C]=30 (
'0')
,dl=4C ('L
')
004C1C6A E8 7528F4FF
call dumped_.004044E4
004C1C6F 8B45 CC
mov eax,
dword ptr ss:[
ebp-34]
004C1C72 8D55 D0
lea edx,
dword ptr ss:[
ebp-30]
004C1C75 E8 A668F4FF
call dumped_.00408520
004C1C7A 8B45 D0
mov eax,
dword ptr ss:[
ebp-30]
004C1C7D BA 5C1D4C00
mov edx,dumped_.004C1D5C
004C1C82 E8 792AF4FF
call dumped_.00404700
004C1C87 75 0F
jnz short dumped_.004C1C98 //
向上循环运算取字符所对应的ASCII码值
004C1C89 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
004C1C8C BA 681D4C00
mov edx,dumped_.004C1D68
004C1C91 E8 2E29F4FF
call dumped_.004045C4
004C1C96 EB 21
jmp short dumped_.004C1CB9
004C1C98 8D45 C8
lea eax,
dword ptr ss:[
ebp-38]
004C1C9B 8B55 F8
mov edx,
dword ptr ss:[
ebp-8]
004C1C9E 0FB6541A FF
movzx edx,
byte ptr ds:[
edx+
ebx-1] //
机器码逐位HEX值转换
004C1CA3 83C2 31
add edx,31 //
edx=
edx+31=30
关键计算值①
004C1CA6 83E2 7F
and edx,7F //
edx=
edx+7F=61
关键计算值②
004C1CA9 E8 3628F4FF
call dumped_.004044E4
004C1CAE 8B55 C8
mov edx,
dword ptr ss:[
ebp-38] //
edx=61
004C1CB1 8D45 F4
lea eax,
dword ptr ss:[
ebp-C]
004C1CB4 E8 0B29F4FF
call dumped_.004045C4
004C1CB9 43
inc ebx //ebx
自加1,指向下一位
004C1CBA 4E
dec esi
004C1CBB ^ 0F85 B6FEFFFF
jnz dumped_.004C1B77 //
向上作循环运算12次
004C1CC1 8BC7
mov eax,
edi
004C1CC3 8B55 F4
mov edx,
dword ptr ss:[
ebp-C] //
真码出现,ASCII "aaarvsjvsccx"
004C1CC6 E8 8D26F4FF
call dumped_.00404358
004C1CCB 33C0
xor eax,
eax //
运算完毕,异或清零
004C1CCD 5A
pop edx //edx
清零
004C1CCE 59
pop ecx //
ecx=2
004C1CCF 59
pop ecx
004C1CD0 64:8910
mov dword ptr fs:[
eax],
edx
004C1CD3 68 ED1C4C00
push dumped_.004C1CED
004C1CD8 8D45 C8
lea eax,
dword ptr ss:[
ebp-38] //eax
清零
004C1CDB BA 0E000000
mov edx,0E
004C1CE0 E8 4326F4FF
call dumped_.00404328
004C1CE5 C3
retn
004C1CE6 ^ E9 4120F4FF
jmp dumped_.00403D2C
004C1CEB ^ EB EB
jmp short dumped_.004C1CD8
004C1CED 5F
pop edi
004C1CEE 5E
pop esi //esi
清零
004C1CEF 5B
pop ebx
004C1CF0 8BE5
mov esp,
ebp
004C1CF2 5D
pop ebp
004C1CF3 C3
retn //
计算完毕返回
---------------------------------------------------------------------------------------------------------------
【算法总结】:
注册验证非常简单:
1.
把机器码(A)中的字符逐个转换成ASCII码,另存为(B)
2.
再逐个把机器码所对应的(B)字符的值加上31,计算完后另存为(C)
3.
再把转换完后的(C),再转换为新的字符,作为序列号(SN)
【注册爆破点】:
004C1EB5 0F85 DA000000
jnz dumped_.004C1F95
jnz 改 nop
--------------------------------------------
【以本机为例】:
机器码 (A):000AEB97B625
--------------------------------------------
ASCII
码(B):303030414542393742363235
(B)+31 :313131313131313131313131
--------------------------------------------
转换码 (C):6161617276736A6873676366
--------------------------------------------
注册码(SN):aaarvsjvsccx
=======================
注册信息:
机器码:000AEB97B625
序列号:aaarvsjvsccx
=======================
【注册信息保存位置】:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\hzred5
〓本文完〓
------------------------------------------------------------------------------------------
版权所有(C)2005 KuNgBiM[DFCG] Copyright (C) 2005 KuNgBiM[DFCG]-------------------------------------------------------------------------------------------
Cracked BY KuNgBiM[DFCG]
2005-06-02
6:26:26 AM