【破文标题】一个KeygenMe的算法分析及算法注册机
【破文作者】zaas
【破解工具】OllyICE
【破解平台】WinXP
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享
--------------------------------------------------------------
【破解内容】
--------------------------------------------------------------
很久没有玩过什么软件了。今天闲暇，翻了翻Tuts4U，发现一个新的KeygenMe，玩玩。

首先查壳：peid显示是ASPack 2.12 -> Alexey Solodovnikov。
OD看了看，原来是修改了特征码假冒的。。。

00401414 > $  60            pushad
00401415   .  E8 03000000   call    0040141D
0040141A      E9            db      E9
0040141B      EB            db      EB
0040141C      04            db      04
0040141D  /$  5D            pop     ebp
0040141E  |.  45            inc     ebp
0040141F  |.  55            push    ebp
00401420  \.  C3            retn
00401421      E8            db      E8
00401422      01            db      01
00401423      00            db      00
00401424      00            db      00
00401425   .  00EB          add     bl, ch

0040135B   .  68 95010000   push    0x195                            ; /ControlID = 195 (405.)
00401360   .  FF75 08       push    dword ptr [ebp+0x8]              ; |hWnd
00401363   .  E8 16030000   call    <jmp.&user32.GetDlgItem>         ; \GetDlgItem得到注册名editbox的hWnd
00401368   .  A3 90344000   mov     dword ptr [0x403490], eax
0040136D   .  16            push    ss
0040136E   .  81C3 8EA80800 add     ebx, 0x8A88E
00401374   .  42            inc     edx
00401375   .  83F2 3C       xor     edx, 0x3C
00401378   .  83E2 00       and     edx, 0x0
0040137B   .  17            pop     ss
0040137C   .  9C            pushfd
0040137D   .  58            pop     eax                              ;  无用代码
0040137E   .  25 00010000   and     eax, 0x100
00401383   .  0BC0          or      eax, eax
00401385   .  F64424 01 01  test    byte ptr [esp+0x1], 0x1          ;  判断是否成功获取注册名editbox的hWnd
0040138A   .  0F85 D8010000 jnz     00401568
00401390   .  E8 A4020000   call    00401639                         ;  动态加载SendMessageA
00401395   .  68 9C344000   push    0040349C                         ;  注册名的保存地址Buffer
0040139A   .  6A 15         push    0x15                             ;  len
0040139C   .  6A 0D         push    0xD                              ;  WM_GETTEXT
0040139E   .  FF35 90344000 push    dword ptr [0x403490]             ;  hWnd
004013A4   .  FFD0          call    eax                              ;  SendMessageA
004013A6   .  8BD0          mov     edx, eax                         ;  eax返回获取字符串长度 len

004013A6   .  8BD0          mov     edx, eax                         ;  eax返回获取字符串长度 len
004013A8   .  42            inc     edx                              ;  len+1
004013A9   .  C1E2 03       shl     edx, 0x3                         ;  (len+1)<<3
004013AC   .  BE 80000000   mov     esi, 0x80
004013B1   .  8D3C32        lea     edi, dword ptr [edx+esi]         ;  80+(len+1)<<3
004013B4   .  69D7 E6010000 imul    edx, edi, 0x1E6                  ;  (80+(len+1)<<3)*1E6
004013BA   .  83E6 00       and     esi, 0x0
004013BD   .  87F2          xchg    edx, esi
004013BF   .  33D2          xor     edx, edx
004013C1   .  81FE 505D0100 cmp     esi, 0x15D50                     ;  (80+(len+1)<<3)*1E6 >= 0x15D50
004013C7   .  73 05         jnb     short 004013CE                   ;  不小于跳
004013C9   .  E9 9A010000   jmp     00401568
004013CE   >  83F8 0C       cmp     eax, 0xC                         ;  最多0xC位
004013D1   .  0F87 91010000 ja      00401568

004013F1   .  B8 9C344000   mov     eax, 0040349C
004013F6   .  EB 06         jmp     short 004013FE
004013F8   >  8030 4E       xor     byte ptr [eax], 0x4E             ;  ^=4E
004013FB   .  D020          shl     byte ptr [eax], 1                ;  (char ^4E)<<1
004013FD   .  40            inc     eax
004013FE   >  8038 00       cmp     byte ptr [eax], 0x0              ;  检测字符串是否为空
00401401   .^ 75 F5         jnz     short 004013F8

for (int i = 0;i <len;i++)
	{
		*(str + i) ^= 0x4E;
		*(str + i) <<= 1;
	}

004011E7  /$  55            push    ebp
004011E8  |.  8BEC          mov     ebp, esp
004011EA  |.  53            push    ebx
004011EB  |.  56            push    esi
004011EC  |.  33C0          xor     eax, eax
004011EE  |.  40            inc     eax                              ;  int eax =1
004011EF  |.  33DB          xor     ebx, ebx                         ;  int ebx =0
004011F1  |.  8B75 08       mov     esi, dword ptr [ebp+0x8]         ;  str2
004011F4  |>  837D 0C 00    /cmp     dword ptr [ebp+0xC], 0x0
004011F8  |.  74 3B         |je      short 00401235
004011FA  |.  817D 0C B0150>|cmp     dword ptr [ebp+0xC], 0x15B0
00401201  |.  77 05         |ja      short 00401208
00401203  |.  8B55 0C       |mov     edx, dword ptr [ebp+0xC]
00401206  |.  EB 05         |jmp     short 0040120D
00401208  |>  BA B0150000   |mov     edx, 0x15B0
0040120D  |>  2955 0C       |sub     dword ptr [ebp+0xC], edx
00401210  |>  85D2          |/test    edx, edx
00401212  |.  74 0C         ||je      short 00401220
00401214  |.  4A            ||dec     edx
00401215  |.  33C9          ||xor     ecx, ecx                       ;  int i=0
00401217  |.  8A0E          ||mov     cl, byte ptr [esi]             ;  str[i]
00401219  |.  03C1          ||add     eax, ecx                       ;  eax += str[i]
0040121B  |.  46            ||inc     esi                            ;  str++
0040121C  |.  03D8          ||add     ebx, eax                       ;  ebx += eax
0040121E  |.^ EB F0         |\jmp     short 00401210
00401220  |>  B9 F1FF0000   |mov     ecx, 0xFFF1
00401225  |.  33D2          |xor     edx, edx
00401227  |.  F7F1          |div     ecx
00401229  |.  52            |push    edx                             ;  eax %= FFF1
0040122A  |.  8BC3          |mov     eax, ebx
0040122C  |.  33D2          |xor     edx, edx
0040122E  |.  F7F1          |div     ecx
00401230  |.  8BDA          |mov     ebx, edx                        ;  ebx %= FFF1
00401232  |.  58            |pop     eax
00401233  |.^ EB BF         \jmp     short 004011F4
00401235  |>  C1E3 10       shl     ebx, 0x10                        ;  eax =ebx <<10 +eax
00401238  |.  0BC3          or      eax, ebx
0040123A  |.  5E            pop     esi
0040123B  |.  5B            pop     ebx
0040123C  |.  C9            leave
0040123D  \.  C2 0800       retn    0x8

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课