-
-
indomit's indoKGM1 Crackme
-
2006-4-24 17:17 4799
-
【软件名称】indomit's indoKGM1
【下载地址】Crackmes.de
【应用平台】Win2000
【软件大小】42 KB
【软件限制】Name/Serial
【破解声明】Me Crack CrackMe
【破解工具】OllyDbg
【软件简介】作者介绍该软件"Hello All!
This my first crackme and it very easy. Just find the correct serial,
create keygen, and write a small tut. =)
But it have TWO ways to key it:
1: For newbie: Find serial for your name
which make a goodboy message :)
2: For profi : Try to find name & serial
which make a VERY goodboy message %)
It was perfect if you try to create keygen without brute force.
And of coz, patches disallowed.
It hasn't any anti-debugger stuff...
Good luck! ;)
PS: Tested only on Windows XP SP2.
Difficulty: 1 - Very easy, for newbies
Platform: Windows
Language: Borland Delphi
"
========================================================================================
【分析过程】
1 用PEID查看,没有加壳,Delphi写的程序,用DEDE查看,没有什么有价值的信息。
2 用OD打开程序,搜索字符串,定位到下面的代码:
0040861C > $ 55 PUSH EBP
0040861D . 8BEC MOV EBP,ESP
0040861F . 83C4 F0 ADD ESP,-10
00408622 . 53 PUSH EBX
00408623 . 56 PUSH ESI
00408624 . A1 B0934000 MOV EAX,DWORD PTR DS:[4093B0]
00408629 . C600 01 MOV BYTE PTR DS:[EAX],1
0040862C . B8 DC854000 MOV EAX,indoKGM1.004085DC
00408631 . E8 06C5FFFF CALL indoKGM1.00404B3C
00408636 . 33C0 XOR EAX,EAX
00408638 . 55 PUSH EBP
00408639 . 68 A1884000 PUSH indoKGM1.004088A1
0040863E . 64:FF30 PUSH DWORD PTR FS:[EAX]
00408641 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00408644 . C605 B4A74000>MOV BYTE PTR DS:[40A7B4],0
0040864B . 33C0 XOR EAX,EAX
0040864D . A3 A0A74000 MOV DWORD PTR DS:[40A7A0],EAX
00408652 . 33C0 XOR EAX,EAX
00408654 . A3 BCA74000 MOV DWORD PTR DS:[40A7BC],EAX
00408659 . A1 04934000 MOV EAX,DWORD PTR DS:[409304]
0040865E . BA B8884000 MOV EDX,indoKGM1.004088B8 ; ASCII 0A,"<<---[ Key"
00408663 . E8 78BAFFFF CALL indoKGM1.004040E0
00408668 . E8 87A7FFFF CALL indoKGM1.00402DF4
0040866D . E8 BA9FFFFF CALL indoKGM1.0040262C
00408672 > A1 04934000 MOV EAX,DWORD PTR DS:[409304]
00408677 . BA EC884000 MOV EDX,indoKGM1.004088EC ; ASCII 0A,"--> Name: "
0040867C . E8 5FBAFFFF CALL indoKGM1.004040E0
00408681 . E8 52A3FFFF CALL indoKGM1.004029D8
00408686 . E8 A19FFFFF CALL indoKGM1.0040262C
0040868B . BA 98A74000 MOV EDX,indoKGM1.0040A798
00408690 . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
00408695 . E8 D6A4FFFF CALL indoKGM1.00402B70
0040869A . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
0040869F . E8 38A5FFFF CALL indoKGM1.00402BDC
004086A4 . E8 839FFFFF CALL indoKGM1.0040262C
004086A9 . A1 98A74000 MOV EAX,DWORD PTR DS:[40A798]
004086AE . E8 01B8FFFF CALL indoKGM1.00403EB4
004086B3 . 8BD8 MOV EBX,EAX
004086B5 . 83FB 04 CMP EBX,4
004086B8 . 7C 05 JL SHORT indoKGM1.004086BF
004086BA . 83FB 10 CMP EBX,10
004086BD . 7E 19 JLE SHORT indoKGM1.004086D8
004086BF > A1 04934000 MOV EAX,DWORD PTR DS:[409304]
004086C4 . BA 00894000 MOV EDX,indoKGM1.00408900 ; ASCII 0A,"<--! Plz, "
004086C9 . E8 12BAFFFF CALL indoKGM1.004040E0
004086CE . E8 21A7FFFF CALL indoKGM1.00402DF4
004086D3 . E8 549FFFFF CALL indoKGM1.0040262C
004086D8 > 83FB 04 CMP EBX,4
004086DB .^ 7C 95 JL SHORT indoKGM1.00408672
004086DD . 83FB 10 CMP EBX,10
004086E0 .^ 7F 90 JG SHORT indoKGM1.00408672
004086E2 . A1 04934000 MOV EAX,DWORD PTR DS:[409304]
004086E7 . BA 2C894000 MOV EDX,indoKGM1.0040892C ; ASCII 0A,"--> Serial"
004086EC . E8 EFB9FFFF CALL indoKGM1.004040E0
004086F1 . E8 E2A2FFFF CALL indoKGM1.004029D8
004086F6 . E8 319FFFFF CALL indoKGM1.0040262C
004086FB . BA 9CA74000 MOV EDX,indoKGM1.0040A79C
00408700 . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
00408705 . E8 66A4FFFF CALL indoKGM1.00402B70
0040870A . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
0040870F . E8 C8A4FFFF CALL indoKGM1.00402BDC
00408714 . E8 139FFFFF CALL indoKGM1.0040262C
00408719 . A1 9CA74000 MOV EAX,DWORD PTR DS:[40A79C]
0040871E . E8 91B7FFFF CALL indoKGM1.00403EB4
00408723 . 83F8 10 CMP EAX,10
00408726 . 74 0A JE SHORT indoKGM1.00408732
00408728 . E8 77FDFFFF CALL indoKGM1.004084A4
0040872D . E9 39010000 JMP indoKGM1.0040886B
00408732 > B8 01000000 MOV EAX,1
00408737 . BE A4A74000 MOV ESI,indoKGM1.0040A7A4 ; 用户输入的注册码
0040873C > 8B15 9CA74000 MOV EDX,DWORD PTR DS:[40A79C]
00408742 . 8A5402 FF MOV DL,BYTE PTR DS:[EDX+EAX-1]
00408746 . 8BCA MOV ECX,EDX
00408748 . 80C1 BF ADD CL,0BF
0040874B . 80E9 06 SUB CL,6
0040874E . 73 04 JNB SHORT indoKGM1.00408754 ; 判断用户输入的注册码是否合法
00408750 . 8816 MOV BYTE PTR DS:[ESI],DL
00408752 . EB 18 JMP SHORT indoKGM1.0040876C
00408754 > 8BCA MOV ECX,EDX
00408756 . 80C1 D0 ADD CL,0D0
00408759 . 80E9 0A SUB CL,0A
0040875C . 73 04 JNB SHORT indoKGM1.00408762 ; 判断用户输入的注册码是否合法
0040875E . 8816 MOV BYTE PTR DS:[ESI],DL
00408760 . EB 0A JMP SHORT indoKGM1.0040876C
00408762 > E8 3DFDFFFF CALL indoKGM1.004084A4 ; 如果不合法,调用错误注册码的函数
00408767 . E9 FF000000 JMP indoKGM1.0040886B
0040876C > 40 INC EAX
0040876D . 46 INC ESI
0040876E . 83F8 11 CMP EAX,11
00408771 .^ 75 C9 JNZ SHORT indoKGM1.0040873C
00408773 . 50 PUSH EAX
00408774 . 53 PUSH EBX
00408775 . 51 PUSH ECX
00408776 . 52 PUSH EDX
00408777 . 31C0 XOR EAX,EAX
00408779 . 31DB XOR EBX,EBX
0040877B . 31C9 XOR ECX,ECX
0040877D . 31D2 XOR EDX,EDX
0040877F . 8B0D 98A74000 MOV ECX,DWORD PTR DS:[40A798] ; 用户名称
00408785 > 0FB619 MOVZX EBX,BYTE PTR DS:[ECX]
00408788 . 31D3 XOR EBX,EDX
0040878A . 01D8 ADD EAX,EBX
0040878C . C1C0 07 ROL EAX,7
0040878F . 89DA MOV EDX,EBX
00408791 . 41 INC ECX
00408792 . 8039 00 CMP BYTE PTR DS:[ECX],0
00408795 .^ 75 EE JNZ SHORT indoKGM1.00408785
00408797 . 31C9 XOR ECX,ECX
00408799 > 31D8 XOR EAX,EBX
0040879B . C1C3 10 ROL EBX,10
0040879E . 01D3 ADD EBX,EDX
004087A0 . 31D8 XOR EAX,EBX
004087A2 . C1C0 03 ROL EAX,3
004087A5 . 31D0 XOR EAX,EDX
004087A7 . C1C2 08 ROL EDX,8
004087AA . 01DA ADD EDX,EBX
004087AC . 31D0 XOR EAX,EDX
004087AE . C1C0 05 ROL EAX,5
004087B1 . 41 INC ECX
004087B2 . 83F9 0A CMP ECX,0A
004087B5 .^ 75 E2 JNZ SHORT indoKGM1.00408799
004087B7 . A3 A0A74000 MOV DWORD PTR DS:[40A7A0],EAX ; 写入关键数据Data1
004087BC . 5A POP EDX
004087BD . 59 POP ECX
004087BE . 5B POP EBX
004087BF . 58 POP EAX
004087C0 . B8 01000000 MOV EAX,1
004087C5 . BA A4A74000 MOV EDX,indoKGM1.0040A7A4 ; 用户输入的注册码
004087CA > 33C9 XOR ECX,ECX
004087CC . 8A0A MOV CL,BYTE PTR DS:[EDX]
004087CE . 310D BCA74000 XOR DWORD PTR DS:[40A7BC],ECX ; 关键数据Data2的处理
004087D4 . 83F8 10 CMP EAX,10
004087D7 . 74 07 JE SHORT indoKGM1.004087E0
004087D9 . C125 BCA74000>SHL DWORD PTR DS:[40A7BC],2 ; 关键数据Data2的处理
004087E0 > 40 INC EAX
004087E1 . 42 INC EDX
004087E2 . 83F8 11 CMP EAX,11
004087E5 .^ 75 E3 JNZ SHORT indoKGM1.004087CA
004087E7 . A1 BCA74000 MOV EAX,DWORD PTR DS:[40A7BC]
004087EC . C1E8 0C SHR EAX,0C
004087EF . C1E0 0C SHL EAX,0C
004087F2 . 8B15 A0A74000 MOV EDX,DWORD PTR DS:[40A7A0]
004087F8 . C1EA 14 SHR EDX,14
004087FB . 03C2 ADD EAX,EDX
004087FD . 8B15 A0A74000 MOV EDX,DWORD PTR DS:[40A7A0]
00408803 . C1E2 14 SHL EDX,14
00408806 . C1EA 14 SHR EDX,14
00408809 . 33C2 XOR EAX,EDX
0040880B . 8B15 A0A74000 MOV EDX,DWORD PTR DS:[40A7A0]
00408811 . C1E2 0C SHL EDX,0C
00408814 . C1EA 18 SHR EDX,18
00408817 . 33C2 XOR EAX,EDX
00408819 . A3 BCA74000 MOV DWORD PTR DS:[40A7BC],EAX
0040881E . A1 BCA74000 MOV EAX,DWORD PTR DS:[40A7BC]
00408823 . 3B05 A0A74000 CMP EAX,DWORD PTR DS:[40A7A0]
00408829 . 75 07 JNZ SHORT indoKGM1.00408832
0040882B . E8 B0FCFFFF CALL indoKGM1.004084E0
00408830 . EB 39 JMP SHORT indoKGM1.0040886B
00408832 > \E8 CDFBFFFF CALL indoKGM1.00408404 ; 注册码是否正确比较函数
00408837 . 84C0 TEST AL,AL
00408839 . 74 07 JE SHORT indoKGM1.00408842
0040883B . C605 B4A74000>MOV BYTE PTR DS:[40A7B4],1
00408842 > 803D B4A74000>CMP BYTE PTR DS:[40A7B4],0
00408849 . 74 1B JE SHORT indoKGM1.00408866
0040884B . A1 04934000 MOV EAX,DWORD PTR DS:[409304]
00408850 . BA 44894000 MOV EDX,indoKGM1.00408944 ; ASCII "
<-- You did it! Now write a small tutorial! -->
<-- And not forget about keygen ;) -->
"
00408855 . E8 86B8FFFF CALL indoKGM1.004040E0
0040885A . E8 95A5FFFF CALL indoKGM1.00402DF4
0040885F . E8 C89DFFFF CALL indoKGM1.0040262C
00408864 . EB 05 JMP SHORT indoKGM1.0040886B
00408866 > E8 39FCFFFF CALL indoKGM1.004084A4
0040886B > A1 04934000 MOV EAX,DWORD PTR DS:[409304]
00408870 . BA A8894000 MOV EDX,indoKGM1.004089A8 ; ASCII "Hit <Enter> to exit"
00408875 . E8 66B8FFFF CALL indoKGM1.004040E0
0040887A . E8 75A5FFFF CALL indoKGM1.00402DF4
0040887F . E8 A89DFFFF CALL indoKGM1.0040262C
00408884 . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
00408889 . E8 4EA3FFFF CALL indoKGM1.00402BDC
0040888E . E8 999DFFFF CALL indoKGM1.0040262C
00408893 . 33C0 XOR EAX,EAX
00408895 . 5A POP EDX
00408896 . 59 POP ECX
00408897 . 59 POP ECX
00408898 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0040889B . 68 A8884000 PUSH indoKGM1.004088A8
004088A0 > C3 RETN ; RET used as a jump to 004088A8
其中00408832 > \E8 CDFBFFFF CALL indoKGM1.00408404 ; 注册码是否正确比较函数代码分析如下:
00408404 /$ 55 PUSH EBP
00408405 |. 8BEC MOV EBP,ESP
00408407 |. 83C4 EC ADD ESP,-14
0040840A |. 53 PUSH EBX
0040840B |. 33C0 XOR EAX,EAX
0040840D |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00408410 |. 33C0 XOR EAX,EAX
00408412 |. 55 PUSH EBP
00408413 |. 68 7F844000 PUSH indoKGM1.0040847F
00408418 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0040841B |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0040841E |. B3 01 MOV BL,1
00408420 |. E8 53FFFFFF CALL indoKGM1.00408378
00408425 |. 84C0 TEST AL,AL
00408427 |. 74 40 JE SHORT indoKGM1.00408469
00408429 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0040842C |. 50 PUSH EAX ; /Arg1
0040842D |. A1 A0A74000 MOV EAX,DWORD PTR DS:[40A7A0] ; |
00408432 |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX ; |
00408435 |. C645 F0 00 MOV BYTE PTR SS:[EBP-10],0 ; |
00408439 |. A1 BCA74000 MOV EAX,DWORD PTR DS:[40A7BC] ; |
0040843E |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX ; |
00408441 |. C645 F8 00 MOV BYTE PTR SS:[EBP-8],0 ; |
00408445 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14] ; |
00408448 |. B9 01000000 MOV ECX,1 ; |
0040844D |. B8 98844000 MOV EAX,indoKGM1.00408498 ; |ASCII "%.8x%.8x"
00408452 |. E8 71DCFFFF CALL indoKGM1.004060C8 ; \indoKGM1.004060C8
00408457 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; 正确的注册码
0040845A |. 8B15 B8A74000 MOV EDX,DWORD PTR DS:[40A7B8] ; 你输入的注册码
00408460 |. E8 27BBFFFF CALL indoKGM1.00403F8C
00408465 |. 74 02 JE SHORT indoKGM1.00408469
00408467 |. 33DB XOR EBX,EBX
00408469 |> 33C0 XOR EAX,EAX
0040846B |. 5A POP EDX
0040846C |. 59 POP ECX
0040846D |. 59 POP ECX
0040846E |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00408471 |. 68 86844000 PUSH indoKGM1.00408486
00408476 |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00408479 |. E8 B6B7FFFF CALL indoKGM1.00403C34
0040847E \. C3 RETN
对注册码的要求必须是数字或大写的ABCDEF.
根据上面的程序,可以发现程序根据用户名称生成关键数据Data1,然后根据你输入的注册码算出关键数据Data2。正确的注册码必须是Data1和Dat2的十六进制数据的字符串。例如Data1=0x12345678.Data2=0x87654321,则正确的注册码就是“1234567887654321”。而由于生成的正确的注册码与你输入的注册码有关,这样,通过制作内存注册机的办法来获得用户名对应的注册码的办法,就不可行了。必须写程序计算了。
后经过试验发现,计算关键数据Data2的大段代码,其实与你输入的注册码的后8位数据密切相关,而你输入的注册码的后8位数据改变,Data2改变的只有下面标出的两位:
Data2 [][][][+][+][][][]
这样,在穷举计算的时候,可以计算出一个初始值,然后只用循环0xFF000次,而不是0xFFFFFFFF次。
根据上面,写出注册机如下:
说明:由于有大量的ROL,SHL,SHR等运算,我很懒了,没有自己写C语言的函数,而是嵌汇编了,代码比较乱。高手请指点。
#include "stdio.h"
#include "string.h"
char name[20];
void main()
{
int flag;
char sn[16];
char temp[16];
unsigned long dataAny;
unsigned long eax1,ebx1,ecx1,edx1;//说明此处必须是无符号数,否则,运算ROL时出错.
unsigned long data1,data2;
printf("please input your name!\n");
scanf("%s",name);
int length=strlen(name);
eax1=0;
ebx1=0;
ecx1=0;
edx1=0;
for(int i=0;i<length;i++)
{
ebx1=name[i];
ebx1=ebx1^edx1;
eax1+=ebx1;
__asm
{
mov eax,eax1
ROL eax,7
mov eax1,eax
}
edx1=ebx1;
}
for(ecx1=0;ecx1<0xA;ecx1++)
{
eax1=eax1^ebx1;
__asm
{
mov eax,ebx1
ROL eax,0x10
mov ebx1,eax
}
ebx1+=edx1;
eax1=eax1^ebx1;
__asm
{
mov eax,eax1
ROL eax,3
mov eax1,eax
}
eax1=eax1^edx1;
__asm
{
mov eax,edx1
ROL eax,8
mov edx1,eax
}
edx1+=ebx1;
eax1=eax1^edx1;
__asm
{
mov eax,eax1
ROL eax,5
mov eax1,eax
}
}
data1=eax1;
//求一个初始循环值
dataAny=0;
sprintf(sn,"%.8X",data1);
sprintf(temp,"%.8X",dataAny);
strcat(sn,temp);
data2=0;
for(eax1=1;eax1<0x11;eax1++)
{
ecx1=0;
ecx1=sn[eax1-1];
data2=data2^ecx1;
if(eax1!=0x10)
{
__asm
{
mov eax,data2
SHL eax,2
mov data2,eax
}
}
}
eax1=data2;
__asm
{
mov eax,eax1
SHR eax,0xC
SHL eax,0xC
mov eax1,eax
}
edx1=data1;
__asm
{
mov eax,edx1
SHR eax,0x14
mov edx1,eax
}
eax1+=edx1;
edx1=data1;
__asm
{
mov eax,edx1
SHL eax,0x14
SHR eax,0x14
mov edx1,eax
}
eax1=eax1^edx1;
edx1=data1;
__asm
{
mov eax,edx1
SHL eax,0xC
SHR eax,0x18
mov edx1,eax
}
eax1=eax1^edx1;
data2=eax1;
unsigned long start=data2&0xFFF00FFF;
unsigned long end=start+0xFF000;
for(dataAny=start;dataAny<=end;dataAny++)
{
sprintf(sn,"%.8X",data1);
sprintf(temp,"%.8X",dataAny);
strcat(sn,temp);
data2=0;
for(eax1=1;eax1<0x11;eax1++)
{
ecx1=0;
ecx1=sn[eax1-1];
data2=data2^ecx1;
if(eax1!=0x10)
{
__asm
{
mov eax,data2
SHL eax,2
mov data2,eax
}
}
}
eax1=data2;
__asm
{
mov eax,eax1
SHR eax,0xC
SHL eax,0xC
mov eax1,eax
}
edx1=data1;
__asm
{
mov eax,edx1
SHR eax,0x14
mov edx1,eax
}
eax1+=edx1;
edx1=data1;
__asm
{
mov eax,edx1
SHL eax,0x14
SHR eax,0x14
mov edx1,eax
}
eax1=eax1^edx1;
edx1=data1;
__asm
{
mov eax,edx1
SHL eax,0xC
SHR eax,0x18
mov edx1,eax
}
eax1=eax1^edx1;
data2=eax1;
if(data2==dataAny)
printf("The %s de The correct Serial is %s\n",name,sn);
}
}
最后生成一组可用的注册码为:
name: laowang
sn: 308310871C9FC3BE
我只能是newbie: Find serial for your name
which make a goodboy message :)
没有完成这个任务 For profi : Try to find name & serial
which make a VERY goodboy message %)
【下载地址】Crackmes.de
【应用平台】Win2000
【软件大小】42 KB
【软件限制】Name/Serial
【破解声明】Me Crack CrackMe
【破解工具】OllyDbg
【软件简介】作者介绍该软件"Hello All!
This my first crackme and it very easy. Just find the correct serial,
create keygen, and write a small tut. =)
But it have TWO ways to key it:
1: For newbie: Find serial for your name
which make a goodboy message :)
2: For profi : Try to find name & serial
which make a VERY goodboy message %)
It was perfect if you try to create keygen without brute force.
And of coz, patches disallowed.
It hasn't any anti-debugger stuff...
Good luck! ;)
PS: Tested only on Windows XP SP2.
Difficulty: 1 - Very easy, for newbies
Platform: Windows
Language: Borland Delphi
"
========================================================================================
【分析过程】
1 用PEID查看,没有加壳,Delphi写的程序,用DEDE查看,没有什么有价值的信息。
2 用OD打开程序,搜索字符串,定位到下面的代码:
0040861C > $ 55 PUSH EBP
0040861D . 8BEC MOV EBP,ESP
0040861F . 83C4 F0 ADD ESP,-10
00408622 . 53 PUSH EBX
00408623 . 56 PUSH ESI
00408624 . A1 B0934000 MOV EAX,DWORD PTR DS:[4093B0]
00408629 . C600 01 MOV BYTE PTR DS:[EAX],1
0040862C . B8 DC854000 MOV EAX,indoKGM1.004085DC
00408631 . E8 06C5FFFF CALL indoKGM1.00404B3C
00408636 . 33C0 XOR EAX,EAX
00408638 . 55 PUSH EBP
00408639 . 68 A1884000 PUSH indoKGM1.004088A1
0040863E . 64:FF30 PUSH DWORD PTR FS:[EAX]
00408641 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00408644 . C605 B4A74000>MOV BYTE PTR DS:[40A7B4],0
0040864B . 33C0 XOR EAX,EAX
0040864D . A3 A0A74000 MOV DWORD PTR DS:[40A7A0],EAX
00408652 . 33C0 XOR EAX,EAX
00408654 . A3 BCA74000 MOV DWORD PTR DS:[40A7BC],EAX
00408659 . A1 04934000 MOV EAX,DWORD PTR DS:[409304]
0040865E . BA B8884000 MOV EDX,indoKGM1.004088B8 ; ASCII 0A,"<<---[ Key"
00408663 . E8 78BAFFFF CALL indoKGM1.004040E0
00408668 . E8 87A7FFFF CALL indoKGM1.00402DF4
0040866D . E8 BA9FFFFF CALL indoKGM1.0040262C
00408672 > A1 04934000 MOV EAX,DWORD PTR DS:[409304]
00408677 . BA EC884000 MOV EDX,indoKGM1.004088EC ; ASCII 0A,"--> Name: "
0040867C . E8 5FBAFFFF CALL indoKGM1.004040E0
00408681 . E8 52A3FFFF CALL indoKGM1.004029D8
00408686 . E8 A19FFFFF CALL indoKGM1.0040262C
0040868B . BA 98A74000 MOV EDX,indoKGM1.0040A798
00408690 . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
00408695 . E8 D6A4FFFF CALL indoKGM1.00402B70
0040869A . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
0040869F . E8 38A5FFFF CALL indoKGM1.00402BDC
004086A4 . E8 839FFFFF CALL indoKGM1.0040262C
004086A9 . A1 98A74000 MOV EAX,DWORD PTR DS:[40A798]
004086AE . E8 01B8FFFF CALL indoKGM1.00403EB4
004086B3 . 8BD8 MOV EBX,EAX
004086B5 . 83FB 04 CMP EBX,4
004086B8 . 7C 05 JL SHORT indoKGM1.004086BF
004086BA . 83FB 10 CMP EBX,10
004086BD . 7E 19 JLE SHORT indoKGM1.004086D8
004086BF > A1 04934000 MOV EAX,DWORD PTR DS:[409304]
004086C4 . BA 00894000 MOV EDX,indoKGM1.00408900 ; ASCII 0A,"<--! Plz, "
004086C9 . E8 12BAFFFF CALL indoKGM1.004040E0
004086CE . E8 21A7FFFF CALL indoKGM1.00402DF4
004086D3 . E8 549FFFFF CALL indoKGM1.0040262C
004086D8 > 83FB 04 CMP EBX,4
004086DB .^ 7C 95 JL SHORT indoKGM1.00408672
004086DD . 83FB 10 CMP EBX,10
004086E0 .^ 7F 90 JG SHORT indoKGM1.00408672
004086E2 . A1 04934000 MOV EAX,DWORD PTR DS:[409304]
004086E7 . BA 2C894000 MOV EDX,indoKGM1.0040892C ; ASCII 0A,"--> Serial"
004086EC . E8 EFB9FFFF CALL indoKGM1.004040E0
004086F1 . E8 E2A2FFFF CALL indoKGM1.004029D8
004086F6 . E8 319FFFFF CALL indoKGM1.0040262C
004086FB . BA 9CA74000 MOV EDX,indoKGM1.0040A79C
00408700 . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
00408705 . E8 66A4FFFF CALL indoKGM1.00402B70
0040870A . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
0040870F . E8 C8A4FFFF CALL indoKGM1.00402BDC
00408714 . E8 139FFFFF CALL indoKGM1.0040262C
00408719 . A1 9CA74000 MOV EAX,DWORD PTR DS:[40A79C]
0040871E . E8 91B7FFFF CALL indoKGM1.00403EB4
00408723 . 83F8 10 CMP EAX,10
00408726 . 74 0A JE SHORT indoKGM1.00408732
00408728 . E8 77FDFFFF CALL indoKGM1.004084A4
0040872D . E9 39010000 JMP indoKGM1.0040886B
00408732 > B8 01000000 MOV EAX,1
00408737 . BE A4A74000 MOV ESI,indoKGM1.0040A7A4 ; 用户输入的注册码
0040873C > 8B15 9CA74000 MOV EDX,DWORD PTR DS:[40A79C]
00408742 . 8A5402 FF MOV DL,BYTE PTR DS:[EDX+EAX-1]
00408746 . 8BCA MOV ECX,EDX
00408748 . 80C1 BF ADD CL,0BF
0040874B . 80E9 06 SUB CL,6
0040874E . 73 04 JNB SHORT indoKGM1.00408754 ; 判断用户输入的注册码是否合法
00408750 . 8816 MOV BYTE PTR DS:[ESI],DL
00408752 . EB 18 JMP SHORT indoKGM1.0040876C
00408754 > 8BCA MOV ECX,EDX
00408756 . 80C1 D0 ADD CL,0D0
00408759 . 80E9 0A SUB CL,0A
0040875C . 73 04 JNB SHORT indoKGM1.00408762 ; 判断用户输入的注册码是否合法
0040875E . 8816 MOV BYTE PTR DS:[ESI],DL
00408760 . EB 0A JMP SHORT indoKGM1.0040876C
00408762 > E8 3DFDFFFF CALL indoKGM1.004084A4 ; 如果不合法,调用错误注册码的函数
00408767 . E9 FF000000 JMP indoKGM1.0040886B
0040876C > 40 INC EAX
0040876D . 46 INC ESI
0040876E . 83F8 11 CMP EAX,11
00408771 .^ 75 C9 JNZ SHORT indoKGM1.0040873C
00408773 . 50 PUSH EAX
00408774 . 53 PUSH EBX
00408775 . 51 PUSH ECX
00408776 . 52 PUSH EDX
00408777 . 31C0 XOR EAX,EAX
00408779 . 31DB XOR EBX,EBX
0040877B . 31C9 XOR ECX,ECX
0040877D . 31D2 XOR EDX,EDX
0040877F . 8B0D 98A74000 MOV ECX,DWORD PTR DS:[40A798] ; 用户名称
00408785 > 0FB619 MOVZX EBX,BYTE PTR DS:[ECX]
00408788 . 31D3 XOR EBX,EDX
0040878A . 01D8 ADD EAX,EBX
0040878C . C1C0 07 ROL EAX,7
0040878F . 89DA MOV EDX,EBX
00408791 . 41 INC ECX
00408792 . 8039 00 CMP BYTE PTR DS:[ECX],0
00408795 .^ 75 EE JNZ SHORT indoKGM1.00408785
00408797 . 31C9 XOR ECX,ECX
00408799 > 31D8 XOR EAX,EBX
0040879B . C1C3 10 ROL EBX,10
0040879E . 01D3 ADD EBX,EDX
004087A0 . 31D8 XOR EAX,EBX
004087A2 . C1C0 03 ROL EAX,3
004087A5 . 31D0 XOR EAX,EDX
004087A7 . C1C2 08 ROL EDX,8
004087AA . 01DA ADD EDX,EBX
004087AC . 31D0 XOR EAX,EDX
004087AE . C1C0 05 ROL EAX,5
004087B1 . 41 INC ECX
004087B2 . 83F9 0A CMP ECX,0A
004087B5 .^ 75 E2 JNZ SHORT indoKGM1.00408799
004087B7 . A3 A0A74000 MOV DWORD PTR DS:[40A7A0],EAX ; 写入关键数据Data1
004087BC . 5A POP EDX
004087BD . 59 POP ECX
004087BE . 5B POP EBX
004087BF . 58 POP EAX
004087C0 . B8 01000000 MOV EAX,1
004087C5 . BA A4A74000 MOV EDX,indoKGM1.0040A7A4 ; 用户输入的注册码
004087CA > 33C9 XOR ECX,ECX
004087CC . 8A0A MOV CL,BYTE PTR DS:[EDX]
004087CE . 310D BCA74000 XOR DWORD PTR DS:[40A7BC],ECX ; 关键数据Data2的处理
004087D4 . 83F8 10 CMP EAX,10
004087D7 . 74 07 JE SHORT indoKGM1.004087E0
004087D9 . C125 BCA74000>SHL DWORD PTR DS:[40A7BC],2 ; 关键数据Data2的处理
004087E0 > 40 INC EAX
004087E1 . 42 INC EDX
004087E2 . 83F8 11 CMP EAX,11
004087E5 .^ 75 E3 JNZ SHORT indoKGM1.004087CA
004087E7 . A1 BCA74000 MOV EAX,DWORD PTR DS:[40A7BC]
004087EC . C1E8 0C SHR EAX,0C
004087EF . C1E0 0C SHL EAX,0C
004087F2 . 8B15 A0A74000 MOV EDX,DWORD PTR DS:[40A7A0]
004087F8 . C1EA 14 SHR EDX,14
004087FB . 03C2 ADD EAX,EDX
004087FD . 8B15 A0A74000 MOV EDX,DWORD PTR DS:[40A7A0]
00408803 . C1E2 14 SHL EDX,14
00408806 . C1EA 14 SHR EDX,14
00408809 . 33C2 XOR EAX,EDX
0040880B . 8B15 A0A74000 MOV EDX,DWORD PTR DS:[40A7A0]
00408811 . C1E2 0C SHL EDX,0C
00408814 . C1EA 18 SHR EDX,18
00408817 . 33C2 XOR EAX,EDX
00408819 . A3 BCA74000 MOV DWORD PTR DS:[40A7BC],EAX
0040881E . A1 BCA74000 MOV EAX,DWORD PTR DS:[40A7BC]
00408823 . 3B05 A0A74000 CMP EAX,DWORD PTR DS:[40A7A0]
00408829 . 75 07 JNZ SHORT indoKGM1.00408832
0040882B . E8 B0FCFFFF CALL indoKGM1.004084E0
00408830 . EB 39 JMP SHORT indoKGM1.0040886B
00408832 > \E8 CDFBFFFF CALL indoKGM1.00408404 ; 注册码是否正确比较函数
00408837 . 84C0 TEST AL,AL
00408839 . 74 07 JE SHORT indoKGM1.00408842
0040883B . C605 B4A74000>MOV BYTE PTR DS:[40A7B4],1
00408842 > 803D B4A74000>CMP BYTE PTR DS:[40A7B4],0
00408849 . 74 1B JE SHORT indoKGM1.00408866
0040884B . A1 04934000 MOV EAX,DWORD PTR DS:[409304]
00408850 . BA 44894000 MOV EDX,indoKGM1.00408944 ; ASCII "
<-- You did it! Now write a small tutorial! -->
<-- And not forget about keygen ;) -->
"
00408855 . E8 86B8FFFF CALL indoKGM1.004040E0
0040885A . E8 95A5FFFF CALL indoKGM1.00402DF4
0040885F . E8 C89DFFFF CALL indoKGM1.0040262C
00408864 . EB 05 JMP SHORT indoKGM1.0040886B
00408866 > E8 39FCFFFF CALL indoKGM1.004084A4
0040886B > A1 04934000 MOV EAX,DWORD PTR DS:[409304]
00408870 . BA A8894000 MOV EDX,indoKGM1.004089A8 ; ASCII "Hit <Enter> to exit"
00408875 . E8 66B8FFFF CALL indoKGM1.004040E0
0040887A . E8 75A5FFFF CALL indoKGM1.00402DF4
0040887F . E8 A89DFFFF CALL indoKGM1.0040262C
00408884 . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
00408889 . E8 4EA3FFFF CALL indoKGM1.00402BDC
0040888E . E8 999DFFFF CALL indoKGM1.0040262C
00408893 . 33C0 XOR EAX,EAX
00408895 . 5A POP EDX
00408896 . 59 POP ECX
00408897 . 59 POP ECX
00408898 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0040889B . 68 A8884000 PUSH indoKGM1.004088A8
004088A0 > C3 RETN ; RET used as a jump to 004088A8
其中00408832 > \E8 CDFBFFFF CALL indoKGM1.00408404 ; 注册码是否正确比较函数代码分析如下:
00408404 /$ 55 PUSH EBP
00408405 |. 8BEC MOV EBP,ESP
00408407 |. 83C4 EC ADD ESP,-14
0040840A |. 53 PUSH EBX
0040840B |. 33C0 XOR EAX,EAX
0040840D |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00408410 |. 33C0 XOR EAX,EAX
00408412 |. 55 PUSH EBP
00408413 |. 68 7F844000 PUSH indoKGM1.0040847F
00408418 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0040841B |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0040841E |. B3 01 MOV BL,1
00408420 |. E8 53FFFFFF CALL indoKGM1.00408378
00408425 |. 84C0 TEST AL,AL
00408427 |. 74 40 JE SHORT indoKGM1.00408469
00408429 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0040842C |. 50 PUSH EAX ; /Arg1
0040842D |. A1 A0A74000 MOV EAX,DWORD PTR DS:[40A7A0] ; |
00408432 |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX ; |
00408435 |. C645 F0 00 MOV BYTE PTR SS:[EBP-10],0 ; |
00408439 |. A1 BCA74000 MOV EAX,DWORD PTR DS:[40A7BC] ; |
0040843E |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX ; |
00408441 |. C645 F8 00 MOV BYTE PTR SS:[EBP-8],0 ; |
00408445 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14] ; |
00408448 |. B9 01000000 MOV ECX,1 ; |
0040844D |. B8 98844000 MOV EAX,indoKGM1.00408498 ; |ASCII "%.8x%.8x"
00408452 |. E8 71DCFFFF CALL indoKGM1.004060C8 ; \indoKGM1.004060C8
00408457 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; 正确的注册码
0040845A |. 8B15 B8A74000 MOV EDX,DWORD PTR DS:[40A7B8] ; 你输入的注册码
00408460 |. E8 27BBFFFF CALL indoKGM1.00403F8C
00408465 |. 74 02 JE SHORT indoKGM1.00408469
00408467 |. 33DB XOR EBX,EBX
00408469 |> 33C0 XOR EAX,EAX
0040846B |. 5A POP EDX
0040846C |. 59 POP ECX
0040846D |. 59 POP ECX
0040846E |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00408471 |. 68 86844000 PUSH indoKGM1.00408486
00408476 |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00408479 |. E8 B6B7FFFF CALL indoKGM1.00403C34
0040847E \. C3 RETN
对注册码的要求必须是数字或大写的ABCDEF.
根据上面的程序,可以发现程序根据用户名称生成关键数据Data1,然后根据你输入的注册码算出关键数据Data2。正确的注册码必须是Data1和Dat2的十六进制数据的字符串。例如Data1=0x12345678.Data2=0x87654321,则正确的注册码就是“1234567887654321”。而由于生成的正确的注册码与你输入的注册码有关,这样,通过制作内存注册机的办法来获得用户名对应的注册码的办法,就不可行了。必须写程序计算了。
后经过试验发现,计算关键数据Data2的大段代码,其实与你输入的注册码的后8位数据密切相关,而你输入的注册码的后8位数据改变,Data2改变的只有下面标出的两位:
Data2 [][][][+][+][][][]
这样,在穷举计算的时候,可以计算出一个初始值,然后只用循环0xFF000次,而不是0xFFFFFFFF次。
根据上面,写出注册机如下:
说明:由于有大量的ROL,SHL,SHR等运算,我很懒了,没有自己写C语言的函数,而是嵌汇编了,代码比较乱。高手请指点。
#include "stdio.h"
#include "string.h"
char name[20];
void main()
{
int flag;
char sn[16];
char temp[16];
unsigned long dataAny;
unsigned long eax1,ebx1,ecx1,edx1;//说明此处必须是无符号数,否则,运算ROL时出错.
unsigned long data1,data2;
printf("please input your name!\n");
scanf("%s",name);
int length=strlen(name);
eax1=0;
ebx1=0;
ecx1=0;
edx1=0;
for(int i=0;i<length;i++)
{
ebx1=name[i];
ebx1=ebx1^edx1;
eax1+=ebx1;
__asm
{
mov eax,eax1
ROL eax,7
mov eax1,eax
}
edx1=ebx1;
}
for(ecx1=0;ecx1<0xA;ecx1++)
{
eax1=eax1^ebx1;
__asm
{
mov eax,ebx1
ROL eax,0x10
mov ebx1,eax
}
ebx1+=edx1;
eax1=eax1^ebx1;
__asm
{
mov eax,eax1
ROL eax,3
mov eax1,eax
}
eax1=eax1^edx1;
__asm
{
mov eax,edx1
ROL eax,8
mov edx1,eax
}
edx1+=ebx1;
eax1=eax1^edx1;
__asm
{
mov eax,eax1
ROL eax,5
mov eax1,eax
}
}
data1=eax1;
//求一个初始循环值
dataAny=0;
sprintf(sn,"%.8X",data1);
sprintf(temp,"%.8X",dataAny);
strcat(sn,temp);
data2=0;
for(eax1=1;eax1<0x11;eax1++)
{
ecx1=0;
ecx1=sn[eax1-1];
data2=data2^ecx1;
if(eax1!=0x10)
{
__asm
{
mov eax,data2
SHL eax,2
mov data2,eax
}
}
}
eax1=data2;
__asm
{
mov eax,eax1
SHR eax,0xC
SHL eax,0xC
mov eax1,eax
}
edx1=data1;
__asm
{
mov eax,edx1
SHR eax,0x14
mov edx1,eax
}
eax1+=edx1;
edx1=data1;
__asm
{
mov eax,edx1
SHL eax,0x14
SHR eax,0x14
mov edx1,eax
}
eax1=eax1^edx1;
edx1=data1;
__asm
{
mov eax,edx1
SHL eax,0xC
SHR eax,0x18
mov edx1,eax
}
eax1=eax1^edx1;
data2=eax1;
unsigned long start=data2&0xFFF00FFF;
unsigned long end=start+0xFF000;
for(dataAny=start;dataAny<=end;dataAny++)
{
sprintf(sn,"%.8X",data1);
sprintf(temp,"%.8X",dataAny);
strcat(sn,temp);
data2=0;
for(eax1=1;eax1<0x11;eax1++)
{
ecx1=0;
ecx1=sn[eax1-1];
data2=data2^ecx1;
if(eax1!=0x10)
{
__asm
{
mov eax,data2
SHL eax,2
mov data2,eax
}
}
}
eax1=data2;
__asm
{
mov eax,eax1
SHR eax,0xC
SHL eax,0xC
mov eax1,eax
}
edx1=data1;
__asm
{
mov eax,edx1
SHR eax,0x14
mov edx1,eax
}
eax1+=edx1;
edx1=data1;
__asm
{
mov eax,edx1
SHL eax,0x14
SHR eax,0x14
mov edx1,eax
}
eax1=eax1^edx1;
edx1=data1;
__asm
{
mov eax,edx1
SHL eax,0xC
SHR eax,0x18
mov edx1,eax
}
eax1=eax1^edx1;
data2=eax1;
if(data2==dataAny)
printf("The %s de The correct Serial is %s\n",name,sn);
}
}
最后生成一组可用的注册码为:
name: laowang
sn: 308310871C9FC3BE
我只能是newbie: Find serial for your name
which make a goodboy message :)
没有完成这个任务 For profi : Try to find name & serial
which make a VERY goodboy message %)
阿里云助力开发者!2核2G 3M带宽不限流量!6.18限时价,开 发者可享99元/年,续费同价!
赞赏
|
|
|---|---|
|
|
他的文章
[原创]VMP编译的完整笔记
11794
[分享]简单打狗文章一二
17882
