【文章标题】: 菜鸟初试算法分析之二PocketKiosk Builder v2.2.2
【文章作者】: wind
【作者邮箱】: qf100@163.com
【软件名称】: PocketKiosk Builder
【下载地址】: http://www.askarya.com/pocketpc/pocketkiosk/pk.asp
【加壳方式】: 无
【保护方式】: Serial
【编写语言】: Visual C++ 6.0
【使用工具】: Ollydbg Peid
【操作平台】: winXPsp2
【软件介绍】: 一款限制任何PocketPC中的软件只能同时运行单一程序
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
查壳:Visual C++ 6.0 无壳
试探:程序启动后弹出NAG要求注册,机器码为1027197713,输入注册码78787878,点击后提示"Registration key is not valid. Please try again."
OD
加载后,右键搜索关键字符串,来到
00402DE5 > \6A 00
push 0
; 这里显示 Jump from 00402CBF,去看看
00402DE7 . 68 F8004200
push PKBuilde.004200F8
; ASCII "PocketKiosk Builder"
00402DEC . 68 90044200
push PKBuilde.00420490
; ASCII "Registration key is not valid. Please try again."
00402DF1 > 8B4B 1C
mov ecx,
dword ptr ds:[
ebx+1C]
; |
00402DF4 . 51
push ecx ; |hOwner
00402DF5 . FF15 E4A34100
call dword ptr ds:[<&USER32.MessageBoxA>]
; \MessageBoxA
来到提示的00402CBF处
00402C9C . 6A 01
push 1
00402C9E . E8 27F50000
call PKBuilde.004121CA
00402CA3 . 51
push ecx
00402CA4 . 8DAB 6C040000
lea ebp,
dword ptr ds:[
ebx+46C]
00402CAA . 8BCC
mov ecx,
esp
00402CAC . 896424 14
mov dword ptr ss:[
esp+14],
esp
00402CB0 . 55
push ebp
00402CB1 . E8 AF050100
call PKBuilde.00413265
00402CB6 . 8BCB
mov ecx,
ebx ;
00402CB8 . E8 13FDFFFF
call PKBuilde.004029D0
; 关键CALL F7 ☆☆☆☆☆
00402CBD . 85C0
test eax,
eax
00402CBF . 0F84 20010000
je PKBuilde.00402DE5
; 来到这里 跳则注册失败
00402CC5 . 8B45 00
mov eax,
dword ptr ss:[
ebp]
00402CC8 . 8378 F8 10
cmp dword ptr ds:[
eax-8],10
; 注册码位数和16比较
00402CCC . 75 3B
jnz short PKBuilde.00402D09
; 不等则跳显示已经过期
00402CCE . 55
push ebp ; 注册成功
00402CCF . 8D4B 60
lea ecx,
dword ptr ds:[
ebx+60]
00402CD2 . E8 C2080100
call PKBuilde.00413599
00402CD7 . 8BCB
mov ecx,
ebx
00402CD9 . E8 02020000
call PKBuilde.00402EE0
00402CDE . 8B4B 1C
mov ecx,
dword ptr ds:[
ebx+1C]
00402CE1 . 6A 00
push 0
; /Style = MB_OK|MB_APPLMODAL
00402CE3 . 68 F8004200
push PKBuilde.004200F8
; |Title = "PocketKiosk Builder"
00402CE8 . 68 68054200
push PKBuilde.00420568
; |Text = "Registration was successful."
00402CED . 51
push ecx ; |hOwner
00402CEE . FF15 E4A34100
call dword ptr ds:[<&USER32.MessageBoxA>]
; \MessageBoxA
==========================
来到00402CB8 call PKBuilde.004029D0 ==============================================
004029D0 /$ 6A FF
push -1
004029D2 |. 68 188F4100
push PKBuilde.00418F18
; SE 句柄安装
004029D7 |. 64:A1 00000000
mov eax,
dword ptr fs:[0]
...
省略部分代码...
00402A40 |. FF15 40A24100
call dword ptr ds:[<&KERNEL32.GetVolumeInformationA>
; \取机器码
00402A46 |. 3BC3
cmp eax,
ebx
00402A48 |. 74 17
je short PKBuilde.00402A61
00402A4A |. 8B4424 10
mov eax,
dword ptr ss:[
esp+10]
00402A4E |. 8D4C24 0C
lea ecx,
dword ptr ss:[
esp+C]
00402A52 |. 50
push eax
00402A53 |. 68 84044200
push PKBuilde.00420484
; ASCII "%u"
00402A58 |. 51
push ecx
00402A59 |. E8 9FC80000
call PKBuilde.0040F2FD
; 机器码转换为10进制
00402A5E |. 83C4 0C
add esp,0C
00402A61 |> 8B15 08074200
mov edx,
dword ptr ds:[420708]
; PKBuilde.0042071C
00402A67 |. 56
push esi
00402A68 |. 895424 0C
mov dword ptr ss:[
esp+C],
edx
00402A6C |. 8B4424 10
mov eax,
dword ptr ss:[
esp+10]
00402A70 |. 33F6
xor esi,
esi
00402A72 |. C64424 24 02
mov byte ptr ss:[
esp+24],2
00402A77 |. 3958 F8
cmp dword ptr ds:[
eax-8],
ebx
00402A7A |. 7E 21
jle short PKBuilde.00402A9D
00402A7C |> 0FBE0406 /
movsx eax,
byte ptr ds:[
esi+
eax]
; 机器码每一位的ASC码依次进eax
00402A80 |. 83E8 30 |
sub eax,30
; eax-30
00402A83 |. 8D4C24 0C |
lea ecx,
dword ptr ss:[
esp+C]
00402A87 |. 8A80 68044200 |
mov al,
byte ptr ds:[
eax+420468]
; 查表 将结果放在al 表在420468
这个就是420468处的表
00420468 39 41 58 31 42 59 44 33 9AX1BYD3
00420470 43 47 45 37 30 48 35 4A CGE70H5J
00420478 50 4B 45 PKE
00402A8D |. 50 |
push eax
00402A8E |. E8 820C0100 |
call PKBuilde.00413715
; 结果保存到eax
00402A93 |. 8B4424 10 |
mov eax,
dword ptr ss:[
esp+10]
; eax=机器码
00402A97 |. 46 |
inc esi ; 计数器加1
00402A98 |. 3B70 F8 |
cmp esi,
dword ptr ds:[
eax-8]
; 比较是否继续
00402A9B |.^ 7C DF \jl short PKBuilde.00402A7C
; 循环计算
00402A9D |> 8B40 F8
mov eax,
dword ptr ds:[
eax-8]
00402AA0 |. 83F8 10
cmp eax,10
; 和16比较
00402AA3 |. 7D 1B
jge short PKBuilde.00402AC0
; >=则跳 这里是小于没有跳
00402AA5 |. 8DB0 68044200
lea esi,
dword ptr ds:[
eax+420468]
; 查表取字串从机器码位数开始取完
00402AAB |> 8A0E /
mov cl,
byte ptr ds:[
esi]
; 新字串每一位的ASC码依次进cl
00402AAD |. 51 |
push ecx
00402AAE |. 8D4C24 10 |
lea ecx,
dword ptr ss:[
esp+10]
00402AB2 |. E8 5E0C0100 |
call PKBuilde.00413715
; 继续保存到eax
00402AB7 |. 46 |
inc esi
00402AB8 |. 81FE 78044200 |
cmp esi,PKBuilde.00420478
; 与PKE比较
00402ABE |.^ 7C EB \jl short PKBuilde.00402AAB
; 取到PKE前面为止
00402AC0 |> 8B4C24 0C
mov ecx,
dword ptr ss:[
esp+C]
; ecx=真码
00402AC4 |. 8B5424 2C
mov edx,
dword ptr ss:[
esp+2C]
; edx=假码
00402AC8 |. 8B41 F8
mov eax,
dword ptr ds:[
ecx-8]
00402ACB |. 50
push eax
00402ACC |. 52
push edx
00402ACD |. 51
push ecx
00402ACE |. E8 5D250000
call PKBuilde.00405030
; 关键的比较CALL
00402AD3 |. 83C4 0C
add esp,0C
00402AD6 |. 85C0
test eax,
eax
00402AD8 |. 5E
pop esi
00402AD9 |. 74 41
je short PKBuilde.00402B1C
; 不跳则挂
00402ADB |. 8D4C24 08
lea ecx,
dword ptr ss:[
esp+8]
00402ADF |. C64424 20 01
mov byte ptr ss:[
esp+20],1
00402AE4 |. E8 070A0100
call PKBuilde.004134F0
00402AE9 |. 8D4C24 0C
lea ecx,
dword ptr ss:[
esp+C]
00402AED |. 885C24 20
mov byte ptr ss:[
esp+20],
bl
00402AF1 |. E8 FA090100
call PKBuilde.004134F0
00402AF6 |. 8D4C24 28
lea ecx,
dword ptr ss:[
esp+28]
00402AFA |. C74424 20 FFFFFFFF
mov dword ptr ss:[
esp+20],-1
00402B02 |. E8 E9090100
call PKBuilde.004134F0
00402B07 |. 5F
pop edi
00402B08 |. 33C0
xor eax,
eax
00402B0A |. 5B
pop ebx
00402B0B |. 8B4C24 10
mov ecx,
dword ptr ss:[
esp+10]
00402B0F |. 64:890D 00000000
mov dword ptr fs:[0],
ecx
00402B16 |. 83C4 1C
add esp,1C
00402B19 |. C2 0400
retn 4
00402B1C |> 8B4424 28
mov eax,
dword ptr ss:[
esp+28]
; eax=注册码
00402B20 |. 8378 F8 10
cmp dword ptr ds:[
eax-8],10
; [eax-8]是注册码位数 和16比较
00402B24 |. 7E 19
jle short PKBuilde.00402B3F
; 小于等于则跳
00402B26 |. 8D4C24 14
lea ecx,
dword ptr ss:[
esp+14]
00402B2A |. 51
push ecx
00402B2B |. E8 10C90000
call PKBuilde.0040F440
00402B30 |. 8B10
mov edx,
dword ptr ds:[
eax]
00402B32 |. 8BCF
mov ecx,
edi
00402B34 |. 8997 64040000
mov dword ptr ds:[
edi+464],
edx
00402B3A |. E8 A1030000
call PKBuilde.00402EE0
00402B3F |> 8D4C24 08
lea ecx,
dword ptr ss:[
esp+8]
00402B43 |. C64424 20 01
mov byte ptr ss:[
esp+20],1
00402B48 |. E8 A3090100
call PKBuilde.004134F0
00402B4D |. 8D4C24 0C
lea ecx,
dword ptr ss:[
esp+C]
00402B51 |. 885C24 20
mov byte ptr ss:[
esp+20],
bl
00402B55 |. E8 96090100
call PKBuilde.004134F0
00402B5A |. 8D4C24 28
lea ecx,
dword ptr ss:[
esp+28]
00402B5E |. C74424 20 FFFFFFFF
mov dword ptr ss:[
esp+20],-1
00402B66 |. E8 85090100
call PKBuilde.004134F0
00402B6B |. 8B4C24 18
mov ecx,
dword ptr ss:[
esp+18]
00402B6F |. 5F
pop edi
00402B70 |. B8 01000000
mov eax,1
00402B75 |. 5B
pop ebx
00402B76 |. 64:890D 00000000
mov dword ptr fs:[0],
ecx
00402B7D |. 83C4 1C
add esp,1C
00402B80 \. C2 0400
retn 4
总结:
机器码:1027197713
注册码:A9X3AG33A1E70H5J
注册后在 %systemroot%\system32 下写入文件名为 pkelic 的文件,没有后缀名
删除以后就可以再玩一次
--------------------------------------------------------------------------------
【经验总结】
算法如下:
1:取当前安装盘信息,转换成10进制就是机器码
2:机器码每一位的ASC码减30后,再依次取表9AX1BYD3CGE70H5JPKE中对应的字符并连接起来
3:取表9AX1BYD3CGE70H5JPKE中的E70H5J,连接到第2步的结果后面
比如我的机器码是1027197713
机器码 1027197713
对应的ASC码减30就是 1027197713
在表9AX1BYD3CGE70H5JPKE中对应的就是A9X3AG33A1
再连上E70H5J就是注册码了 A9X3AG33A1E70H5J
菜鸟写文章,感谢大家看完。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【版权声明】: 本文纯属技术交流,请支持正版软件,转载请注明作者并保持文章的完整, 谢谢!
Crack by wind
Greetz are flying to all my friends and you!