用IDA做注册机
lnn1123/BCG/FCG 06.5
废话:
前些天看国外的一些写注册机的文章,发现不少人喜欢用IDA反汇编后直接使用IDA反汇编后的代码,其实这个可能有很多人很早就用了
但是我使用的时候发现了一些问题,一般如果是象MD5,SHA等散列函数有变形的话,直接用IDA反汇编后的代码是很好,这样就不要去分析
变形是那些地方.还有就是一般如blowfish,DES等,这种情况用IDA反汇编后会有很多数据,如blowfish的pbox,sbox,但是如果还是有变形
的话,用IDA也是不错的.
IDA做注册机的一些我认为重要的地方
(1):变量一定要和IDA里面的完全一样,下面我举例的Crackme里用到DES算法,DES里面数据很多也很容易出错.
(2):变量定义的位置,这个最好和IDA里一样.
下面举例用Nuke's tutorial1分析一下写注册机的步骤
[代码分析 :]
.shrink:00402340
; BOOL __stdcall DialogFunc(HWND,UINT,WPARAM,LPARAM)
; Dialog procedure of the crackme, dispatching on the message in arg_4:
;   0x110 (WM_INITDIALOG) -> loc_402590: set the icon, derive and display the machine code
;   0x111 (WM_COMMAND)    -> on the control id in arg_8 (low word of wParam):
;                            1 -> loc_402582 (EndDialog), 0x3E8 -> loc_4023EF (serial check),
;                            0x3ED -> loc_40253F (about box); anything else returns 0 via loc_4023DA.
; Returns eax = 1 (loc_4025E6) when a message was handled, 0 (loc_4023DA) otherwise; stdcall, retn 10h.
; The prologue installs an MSVC SEH frame (__except_handler3); the serial check runs inside it.
.shrink:00402340 DialogFunc proc near ; DATA XREF: WinMain(x,x,x,x)+Co
.shrink:00402340
.shrink:00402340 var_D0 = dword ptr -0D0h ; bytes decoded from the serial text by Hex_Serial; DES input, 8 bytes per block
.shrink:00402340 var_9C = byte ptr -9Ch ; decimal text of the machine code (__itoa), input to MD5_ComputerID
.shrink:00402340 String = byte ptr -68h ; serial text from control 3ECh (50 bytes); the DES output overwrites it in place
.shrink:00402340 var_58 = byte ptr -58h ; = String+10h; zeroed at loc_4024D2 so the compare sees at most 16 bytes
.shrink:00402340 var_34 = dword ptr -34h ; pointer returned by MD5_ComputerID
.shrink:00402340 var_30 = dword ptr -30h ; strlen(String), then the byte count returned by Hex_Serial
.shrink:00402340 lpText = dword ptr -2Ch ; text of the about box (offset unk_4124D0)
.shrink:00402340 var_28 = dword ptr -28h ; copy of the DES block index
.shrink:00402340 var_24 = byte ptr -24h ; DES key, 8 bytes var_24..var_1D = 1,9,8,0,9,1,7,0 (byte [ebp-23h] has no IDA name)
.shrink:00402340 var_22 = byte ptr -22h
.shrink:00402340 var_21 = byte ptr -21h
.shrink:00402340 var_20 = byte ptr -20h
.shrink:00402340 var_1F = byte ptr -1Fh
.shrink:00402340 var_1E = byte ptr -1Eh
.shrink:00402340 var_1D = byte ptr -1Dh
.shrink:00402340 VolumeSerialNumber= dword ptr -1Ch ; volume serial of C:\ XOR 0ABCDE123h = the "machine code"
.shrink:00402340 var_18 = dword ptr -18h ; esp after the register pushes; restored by the handler code at 0040255D
.shrink:00402340 var_10 = dword ptr -10h ; previous fs:0 exception registration, restored in both epilogues
.shrink:00402340 var_4 = dword ptr -4 ; SEH trylevel: -1 outside, 0 inside the __try block
.shrink:00402340 hWnd = dword ptr 8
.shrink:00402340 arg_4 = dword ptr 0Ch ; UINT message
.shrink:00402340 arg_8 = word ptr 10h ; LOWORD(wParam): control id for WM_COMMAND
.shrink:00402340
.shrink:00402340
; Prologue: MSVC SEH frame, 0C0h bytes of locals, callee-saved registers, then the DES key.
.shrink:00402340 push ebp
.shrink:00402341 mov ebp, esp
.shrink:00402343 push 0FFFFFFFFh ; SEH trylevel = -1 (not inside a __try yet); this slot is var_4
.shrink:00402345 push offset unk_412580 ; SEH scope table
.shrink:0040234A push offset __except_handler3 ; MSVC SEH handler
.shrink:0040234F mov eax, large fs:0
.shrink:00402355 push eax ; previous exception registration (slot var_10)
.shrink:00402356 mov large fs:0, esp ; install this frame's registration record
.shrink:0040235D sub esp, 0C0h
.shrink:00402363 push ebx
.shrink:00402364 push esi
.shrink:00402365 push edi
.shrink:00402366 mov [ebp+var_18], esp ; saved esp; restored by the handler code at 0040255D
.shrink:00402369 mov [ebp+var_24], 1 ; DES key, 8 bytes: 1,9,8,0,9,1,7,0
.shrink:0040236D mov al, 9
.shrink:0040236F mov [ebp-23h], al ; key[1] = 9 (IDA did not name this slot)
.shrink:00402372 mov [ebp+var_22], 8
.shrink:00402376 mov [ebp+var_21], 0
.shrink:0040237A mov [ebp+var_20], al ; key[4] = 9 (al still holds 9)
.shrink:0040237D mov [ebp+var_1F], 1
.shrink:00402381 mov [ebp+var_1E], 7
.shrink:00402385 mov [ebp+var_1D], 0
.shrink:00402389 mov ecx, 0Ch
.shrink:0040238E xor eax, eax
.shrink:00402390 lea edi, [ebp+String]
.shrink:00402393 rep stosd ; zero the string buffer: 12 dwords ...
.shrink:00402395 stosw ; ... plus one word = 50 bytes, matching nMaxCount 32h at 00402418
.shrink:00402397 mov ecx, 0Ch
.shrink:0040239C xor eax, eax
.shrink:0040239E mov edi, offset unk_417810
.shrink:004023A3 rep stosd ; same 50-byte clear on the global unk_417810
.shrink:004023A5 stosw
.shrink:004023A7 mov [ebp+lpText], offset unk_4124D0 ; text shown by the about box (loc_40253F)
.shrink:004023AE mov eax, [ebp+arg_4] ; eax = message
.shrink:004023B1 sub eax, 110h
.shrink:004023B6 jz loc_402590 ; 0x110 = WM_INITDIALOG
.shrink:004023BC dec eax
.shrink:004023BD jnz short loc_4023DA ; not 0x111 (WM_COMMAND): return 0
.shrink:004023BF movzx eax, [ebp+arg_8] ; control id = low word of wParam
.shrink:004023C3 dec eax
.shrink:004023C4 jz loc_402582 ; id 1 -> EndDialog
.shrink:004023CA sub eax, 3E7h
.shrink:004023CF jz short loc_4023EF ; id 0x3E8 -> check the serial
.shrink:004023D1 sub eax, 5
.shrink:004023D4 jz loc_40253F ; id 0x3ED -> about box; any other id falls into loc_4023DA
.shrink:004023DA
.shrink:004023DA loc_4023DA: ; CODE XREF: DialogFunc+7Dj
; Message not handled: return FALSE (eax = 0) and tear down the SEH frame from the prologue.
.shrink:004023DA xor eax, eax
.shrink:004023DC mov ecx, [ebp+var_10]
.shrink:004023DF mov large fs:0, ecx ; restore the previous exception registration
.shrink:004023E6 pop edi
.shrink:004023E7 pop esi
.shrink:004023E8 pop ebx
.shrink:004023E9 mov esp, ebp
.shrink:004023EB pop ebp
.shrink:004023EC retn 10h ; stdcall: pop the four arguments
.shrink:004023EF
.shrink:004023EF ; ----------------------------------------------------------------------------
.shrink:004023EF
.shrink:004023EF loc_4023EF: ; CODE XREF: DialogFunc+8Fj
; "Check" button (id 0x3E8): init the DES key, read machine code and serial, reject an empty serial.
.shrink:004023EF mov [ebp+var_4], 0 ; SEH trylevel 0: the check runs inside the __try block
.shrink:004023F6 lea eax, [ebp+var_24]
.shrink:004023F9 push eax ; &key (var_24..var_1D)
.shrink:004023FA call DES_Key_Init
.shrink:004023FF add esp, 4 ; cdecl: caller pops the argument
.shrink:00402402 push 0 ; bSigned
.shrink:00402404 push 0 ; lpTranslated
.shrink:00402406 push 3E9h ; nIDDlgItem
.shrink:0040240B mov esi, [ebp+hWnd]
.shrink:0040240E push esi ; hDlg
.shrink:0040240F call ds:GetDlgItemInt ; read the machine code (the value SetDlgItemInt wrote at 004025E0)
.shrink:00402415 mov [ebp+VolumeSerialNumber], eax
.shrink:00402418 push 32h ; nMaxCount = 50
.shrink:0040241A lea ecx, [ebp+String]
.shrink:0040241D push ecx ; lpString
.shrink:0040241E push 3ECh ; nIDDlgItem
.shrink:00402423 push esi ; hDlg
.shrink:00402424 call ds:GetDlgItemTextA ; read the registration code
.shrink:0040242A lea eax, [ebp+String]
.shrink:0040242D lea edx, [eax+1]
.shrink:00402430
.shrink:00402430 loc_402430: ; CODE XREF: DialogFunc+F5j
; inline strlen(String)
.shrink:00402430 mov cl, [eax]
.shrink:00402432 inc eax
.shrink:00402433 test cl, cl
.shrink:00402435 jnz short loc_402430
.shrink:00402437 sub eax, edx ; length
.shrink:00402439 mov [ebp+var_30], eax ; store
.shrink:0040243C test eax, eax
.shrink:0040243E jnz short loc_402464
.shrink:00402440 push eax ; uType (eax is 0 here)
.shrink:00402441 push offset Caption ; "warming!"
.shrink:00402446 push offset Text ; "请输入注册码!" (please enter the registration code)
.shrink:0040244B mov edx, ds:hWnd
.shrink:00402451 push edx ; hWnd
.shrink:00402452 call ds:MessageBoxA
.shrink:00402458 mov [ebp+var_4], 0FFFFFFFFh ; leave the __try block
.shrink:0040245F jmp loc_4025E6
.shrink:00402464
.shrink:00402464 ; ----------------------------------------------------------------------------
.shrink:00402464
.shrink:00402464 loc_402464: ; CODE XREF: DialogFunc+FEj
.shrink:00402464 lea eax, [ebp+var_D0]
.shrink:0040246A push eax ; output buffer for the decoded bytes
.shrink:0040246B lea ecx, [ebp+String]
.shrink:0040246E push ecx ; serial text
.shrink:0040246F call Hex_Serial ; author: "convert the machine code to hex"; per the arguments this decodes the serial text in String into bytes at var_D0 (the two arguments are popped later, at 00402497)
{
.shrink:00401080 Hex_Serial proc near ; CODE XREF: DialogFunc+12Fp
; int __cdecl Hex_Serial(const char *text, unsigned char *out)
; Decodes pairs of hex digits from text into out; a ' ' where a pair would
; start is skipped. Returns eax = number of bytes written. Caller pops the arguments.
; Register roles: edi = text, ebx = strlen(text), esi = read index,
;                 ebp = out, eax = write index, cl/dl = high/low digit of a pair.
.shrink:00401080
.shrink:00401080 arg_0 = dword ptr 10h ; text (esp + 3 saved registers + return address)
.shrink:00401080 arg_4 = dword ptr 14h ; out
.shrink:00401080
.shrink:00401080 push ebx
.shrink:00401081 push esi
.shrink:00401082 push edi
.shrink:00401083 mov edi, [esp+arg_0]
.shrink:00401087 xor eax, eax ; bytes written so far
.shrink:00401089 mov ecx, edi
.shrink:0040108B jmp short loc_401090
.shrink:0040108B ; ----------------------------------------------------------------------------
.shrink:0040108D align 10h
.shrink:00401090
.shrink:00401090 loc_401090: ; CODE XREF: Hex_Serial+Bj ; Hex_Serial+15j
; inline strlen: advance ecx past the terminator
.shrink:00401090 mov dl, [ecx]
.shrink:00401092 inc ecx
.shrink:00401093 test dl, dl
.shrink:00401095 jnz short loc_401090
.shrink:00401097 sub ecx, edi
.shrink:00401099 dec ecx ; ecx = strlen(text)
.shrink:0040109A mov ebx, ecx
.shrink:0040109C xor esi, esi ; read index
.shrink:0040109E test ebx, ebx
.shrink:004010A0 jle loc_40114B ; empty text: return 0
.shrink:004010A6 push ebp
.shrink:004010A7 mov ebp, [esp+4+arg_4] ; +4 for the push ebp just above
.shrink:004010AB jmp short loc_4010B0
.shrink:004010AB ; ----------------------------------------------------------------------------
.shrink:004010AD align 10h
.shrink:004010B0
.shrink:004010B0 loc_4010B0: ; CODE XREF: Hex_Serial+2Bj ; Hex_Serial+C4j
.shrink:004010B0 mov cl, [esi+edi] ; fetch one byte of the registration code (high digit)
.shrink:004010B3 inc esi
.shrink:004010B4 cmp cl, 20h ; ' '
.shrink:004010B7 jz loc_401142 ; space: skip it
.shrink:004010BD cmp esi, ebx
.shrink:004010BF jge loc_40114A ; no low digit left: done
.shrink:004010C5 cmp cl, 30h
.shrink:004010C8 mov dl, [esi+edi] ; dl = low digit (mov keeps the flags of the cmp)
.shrink:004010CB jl short loc_4010D7
.shrink:004010CD cmp cl, 39h
.shrink:004010D0 jg short loc_4010D7
.shrink:004010D2 sub cl, 30h ; '0'..'9' -> 0..9
.shrink:004010D5 jmp short loc_4010F8
.shrink:004010D7
.shrink:004010D7 ; ----------------------------------------------------------------------------
.shrink:004010D7
.shrink:004010D7 loc_4010D7: ; CODE XREF: Hex_Serial+4Bj ; Hex_Serial+50j
.shrink:004010D7 cmp cl, 41h
.shrink:004010DA jl short loc_4010E6
.shrink:004010DC cmp cl, 46h
.shrink:004010DF jg short loc_4010E6
.shrink:004010E1 sub cl, 37h ; 'A'..'F' -> 10..15
.shrink:004010E4 jmp short loc_4010F8
.shrink:004010E6
.shrink:004010E6 ; ----------------------------------------------------------------------------
.shrink:004010E6
.shrink:004010E6 loc_4010E6: ; CODE XREF: Hex_Serial+5Aj ; Hex_Serial+5Fj
.shrink:004010E6 cmp cl, 61h
.shrink:004010E9 jl short loc_4010F5
.shrink:004010EB cmp cl, 66h
.shrink:004010EE jg short loc_4010F5
.shrink:004010F0 sub cl, 57h ; 'a'..'f' -> 10..15
.shrink:004010F3 jmp short loc_4010F8
.shrink:004010F5
.shrink:004010F5 ; ----------------------------------------------------------------------------
.shrink:004010F5
.shrink:004010F5 loc_4010F5: ; CODE XREF: Hex_Serial+69j ; Hex_Serial+6Ej
.shrink:004010F5 or cl, 0FFh ; not a hex digit: cl = 0FFh (becomes -1 after the movsx below)
.shrink:004010F8
.shrink:004010F8 loc_4010F8: ; CODE XREF: Hex_Serial+55j ; Hex_Serial+64j ...
; same classification for the low digit in dl
.shrink:004010F8 cmp dl, 30h
.shrink:004010FB movsx ecx, cl
.shrink:004010FE jl short loc_40110A
.shrink:00401100 cmp dl, 39h
.shrink:00401103 jg short loc_40110A
.shrink:00401105 sub dl, 30h
.shrink:00401108 jmp short loc_40112B
.shrink:0040110A
.shrink:0040110A ; ----------------------------------------------------------------------------
.shrink:0040110A
.shrink:0040110A loc_40110A: ; CODE XREF: Hex_Serial+7Ej ; Hex_Serial+83j
.shrink:0040110A cmp dl, 41h
.shrink:0040110D jl short loc_401119
.shrink:0040110F cmp dl, 46h
.shrink:00401112 jg short loc_401119
.shrink:00401114 sub dl, 37h
.shrink:00401117 jmp short loc_40112B
.shrink:00401119
.shrink:00401119 ; ----------------------------------------------------------------------------
.shrink:00401119
.shrink:00401119 loc_401119: ; CODE XREF: Hex_Serial+8Dj ; Hex_Serial+92j
.shrink:00401119 cmp dl, 61h
.shrink:0040111C jl short loc_401128
.shrink:0040111E cmp dl, 66h
.shrink:00401121 jg short loc_401128
.shrink:00401123 sub dl, 57h
.shrink:00401126 jmp short loc_40112B
.shrink:00401128
.shrink:00401128 ; ----------------------------------------------------------------------------
.shrink:00401128
.shrink:00401128 loc_401128: ; CODE XREF: Hex_Serial+9Cj ; Hex_Serial+A1j
.shrink:00401128 or dl, 0FFh ; not a hex digit
.shrink:0040112B
.shrink:0040112B loc_40112B: ; CODE XREF: Hex_Serial+88j ; Hex_Serial+97j ...
.shrink:0040112B cmp ecx, 10h
.shrink:0040112E movsx edx, dl
.shrink:00401131 jz short loc_40114A ; NOTE(review): the "invalid" marker set above is -1 after movsx, never 10h,
.shrink:00401133 cmp edx, 10h ;   so these two exits cannot fire; a non-hex character is assembled below
.shrink:00401136 jz short loc_40114A ;   like any other value (behaviour of the binary, recorded as-is)
.shrink:00401138 shl cl, 4
.shrink:0040113B add cl, dl ; cl = high*16 + low
.shrink:0040113D inc esi ; consume the low digit
.shrink:0040113E mov [eax+ebp], cl ; out[eax] = byte
.shrink:00401141 inc eax
.shrink:00401142
.shrink:00401142 loc_401142: ; CODE XREF: Hex_Serial+37j
.shrink:00401142 cmp esi, ebx
.shrink:00401144 jl loc_4010B0 ; more input
.shrink:0040114A
.shrink:0040114A loc_40114A: ; CODE XREF: Hex_Serial+3Fj ; Hex_Serial+B1j ...
.shrink:0040114A pop ebp
.shrink:0040114B
.shrink:0040114B loc_40114B: ; CODE XREF: Hex_Serial+20j
.shrink:0040114B pop edi
.shrink:0040114C pop esi
.shrink:0040114D pop ebx
.shrink:0040114E retn ; eax = bytes written
.shrink:0040114E Hex_Serial endp }
.shrink:00402474 mov edi, eax ; edi = number of bytes Hex_Serial decoded into var_D0
.shrink:00402476 mov [ebp+var_30], edi
.shrink:00402479 push 0Ah ; int radix = 10
.shrink:0040247B lea edx, [ebp+var_9C]
.shrink:00402481 push edx ; char *
.shrink:00402482 mov eax, [ebp+VolumeSerialNumber]
.shrink:00402485 push eax ; int
.shrink:00402486 call __itoa ; Int(machine code) -> decimal text in var_9C
.shrink:0040248B lea ecx, [ebp+var_9C]
.shrink:00402491 push ecx ; MD5_inBuffer
.shrink:00402492 call MD5_ComputerID ; eax -> MD5 text of the machine code (kept in ebx / var_34)
.shrink:00402497 add esp, 18h ; pops 6 dwords: Hex_Serial's 2 args (not popped at 00402474), __itoa's 3, MD5_ComputerID's 1
.shrink:0040249A mov ebx, eax
.shrink:0040249C mov [ebp+var_34], ebx
.shrink:0040249F mov byte ptr [ebx+10h], 0 ; cut the MD5 result in two: only the first 16 characters are used
.shrink:004024A3 xor esi, esi ; esi = DES block index
.shrink:004024A5
.shrink:004024A5 loc_4024A5: ; CODE XREF: DialogFunc+190j
; Decrypt the decoded serial block by block into String (8 bytes per DES call).
.shrink:004024A5 mov [ebp+var_28], esi
.shrink:004024A8 mov eax, edi
.shrink:004024AA cdq
.shrink:004024AB and edx, 7
.shrink:004024AE add eax, edx
.shrink:004024B0 sar eax, 3 ; eax = edi / 8 (signed, rounds toward zero)
.shrink:004024B3 inc eax ; block count = bytes/8 + 1, so an exact multiple of 8 bytes gets one extra block
.shrink:004024B4 cmp esi, eax
.shrink:004024B6 jge short loc_4024D2 ; all blocks done
.shrink:004024B8 push 1 ; mode: 0 = encrypt, 1 = decrypt
.shrink:004024BA lea edx, [ebp+esi*8+var_D0]
.shrink:004024C1 push edx ; DES_inBuffer = decoded serial, block esi
.shrink:004024C2 lea eax, [ebp+esi*8+String]
.shrink:004024C6 push eax ; DES_outBuffer = String, block esi (the serial text is overwritten in place)
.shrink:004024C7 call DES
.shrink:004024CC add esp, 0Ch ; cdecl: three arguments
.shrink:004024CF inc esi
.shrink:004024D0 jmp short loc_4024A5
.shrink:004024D2
.shrink:004024D2 ; ----------------------------------------------------------------------------
.shrink:004024D2
.shrink:004024D2 loc_4024D2: ; CODE XREF: DialogFunc+176j
.shrink:004024D2 mov [ebp+var_58], 0 ; String[16] = 0: the compare below sees at most 16 decrypted bytes
.shrink:004024D6 lea esi, [ebp+String] ; esi -> DES_De(serial)
.shrink:004024D9 mov eax, ebx ; eax -> MD5(machine code) text, cut to 16 chars at 0040249F
.shrink:004024DB jmp short loc_4024E0
.shrink:004024DB ; ----------------------------------------------------------------------------
.shrink:004024DD align 10h
.shrink:004024E0
.shrink:004024E0 loc_4024E0: ; CODE XREF: DialogFunc+19Bj ; DialogFunc+1BEj
; inline strcmp(eax, esi), two bytes per iteration
.shrink:004024E0 mov dl, [eax] ; take one byte of MD5(machine code)
.shrink:004024E2 mov cl, dl
.shrink:004024E4 cmp dl, [esi] ; compare with DES_De(registration code)
.shrink:004024E6 jnz short loc_402504
.shrink:004024E8 test cl, cl
.shrink:004024EA jz short loc_402500 ; both strings ended: equal
.shrink:004024EC mov dl, [eax+1]
.shrink:004024EF mov cl, dl
.shrink:004024F1 cmp dl, [esi+1]
.shrink:004024F4 jnz short loc_402504
.shrink:004024F6 add eax, 2
.shrink:004024F9 add esi, 2
.shrink:004024FC test cl, cl
.shrink:004024FE jnz short loc_4024E0
.shrink:00402500
.shrink:00402500 loc_402500: ; CODE XREF: DialogFunc+1AAj
.shrink:00402500 xor eax, eax ; equal -> 0
.shrink:00402502 jmp short loc_402509
.shrink:00402504
.shrink:00402504 ; ----------------------------------------------------------------------------
.shrink:00402504
.shrink:00402504 loc_402504: ; CODE XREF: DialogFunc+1A6j ; DialogFunc+1B4j
.shrink:00402504 sbb eax, eax ; CF from the failed cmp: eax = -1 if dl < [esi], else 0
.shrink:00402506 sbb eax, 0FFFFFFFFh ; -> -1 or +1, never 0
.shrink:00402509
.shrink:00402509 loc_402509: ; CODE XREF: DialogFunc+1C2j
.shrink:00402509 test eax, eax
.shrink:0040250B jnz short loc_402531 ; mismatch
.shrink:0040250D push eax ; wLanguageId (eax = 0 here)
.shrink:0040250E push eax ; uType
.shrink:0040250F push offset aSucceed ; "succeed"
.shrink:00402514 push offset aVSJGm ; "注册成功!老兄,? (registration succeeded; text truncated in the listing)
.shrink:00402519 mov eax, ds:hWnd
.shrink:0040251E push eax ; hWnd
.shrink:0040251F call ds:MessageBoxExA
.shrink:00402525 mov [ebp+var_4], 0FFFFFFFFh ; leave the __try block
.shrink:0040252C jmp loc_4025E6
.shrink:00402531
.shrink:00402531 ; ----------------------------------------------------------------------------
.shrink:00402531
.shrink:00402531 loc_402531: ; CODE XREF: DialogFunc+1CBj
; Mismatch path.
.shrink:00402531 pusha
.shrink:00402532 xor eax, eax
.shrink:00402534 mov ebx, [eax] ; reads address 0 -> access violation; looks like a deliberate fault handed to the SEH frame from the prologue (handler body at 0040255D shows "注册失败") -- confirm by stepping
.shrink:00402536 popa
.shrink:00402537 nop
.shrink:00402538 mov [ebp+var_4], 0FFFFFFFFh ; only reached if execution resumes after the fault; then falls into the about box
.shrink:0040253F
.shrink:0040253F loc_40253F: ; CODE XREF: DialogFunc+94j
; About box (button id 0x3ED).
.shrink:0040253F push 0 ; uType
.shrink:00402541 push offset asc_41247C ; "说? (caption; text truncated in the listing)
.shrink:00402546 mov ecx, [ebp+lpText]
.shrink:00402549 push ecx ; lpText = unk_4124D0, set at 004023A7
.shrink:0040254A push 0 ; hWnd
.shrink:0040254C call ds:MessageBoxA
.shrink:00402552 jmp loc_4025E6
.shrink:00402557
.shrink:00402557 ; ----------------------------------------------------------------------------
.shrink:00402557
.shrink:00402557 mov eax, 1 ; no jump above reaches this; presumably the __except filter (1 = EXCEPTION_EXECUTE_HANDLER) -- confirm against the scope table unk_412580
.shrink:0040255C retn
.shrink:0040255D
.shrink:0040255D ; ----------------------------------------------------------------------------
.shrink:0040255D
.shrink:0040255D mov esp, [ebp-18h] ; handler body: restore the esp saved in the prologue (var_18)
.shrink:00402560 push 0 ; uType
.shrink:00402562 push offset aWarning ; "Warning!"
.shrink:00402567 push offset aVSZ ; "注册失败" (registration failed)
.shrink:0040256C mov edx, ds:hWnd
.shrink:00402572 push edx ; hWnd
.shrink:00402573 call ds:MessageBoxA
.shrink:00402579 mov [ebp+var_4], 0FFFFFFFFh ; leave the __try block
.shrink:00402580 jmp short loc_4025E6
.shrink:00402582
.shrink:00402582 ; ----------------------------------------------------------------------------
.shrink:00402582
.shrink:00402582 loc_402582: ; CODE XREF: DialogFunc+84j
; Button id 1: close the dialog.
.shrink:00402582 push 0 ; nResult
.shrink:00402584 mov eax, [ebp+hWnd]
.shrink:00402587 push eax ; hDlg
.shrink:00402588 call ds:EndDialog
.shrink:0040258E jmp short loc_4025E6
.shrink:00402590
.shrink:00402590 ; ----------------------------------------------------------------------------
.shrink:00402590
.shrink:00402590 loc_402590: ; CODE XREF: DialogFunc+76j
; WM_INITDIALOG: set the window icon, then derive the machine code from the C: volume serial.
.shrink:00402590 push 6Ch ; lpIconName (resource id 108)
.shrink:00402592 mov ecx, ds:hInstance
.shrink:00402598 push ecx ; hInstance
.shrink:00402599 call ds:LoadIconA
.shrink:0040259F push eax ; lParam = hIcon
.shrink:004025A0 push 1 ; wParam (ICON_BIG)
.shrink:004025A2 push 80h ; Msg = WM_SETICON
.shrink:004025A7 mov esi, [ebp+hWnd]
.shrink:004025AA push esi ; hWnd
.shrink:004025AB call ds:SendMessageA
.shrink:004025B1 push 0 ; nFileSystemNameSize
.shrink:004025B3 push 0 ; lpFileSystemNameBuffer
.shrink:004025B5 push 0 ; lpFileSystemFlags
.shrink:004025B7 push 0 ; lpMaximumComponentLength
.shrink:004025B9 lea edx, [ebp+VolumeSerialNumber]
.shrink:004025BC push edx ; lpVolumeSerialNumber
.shrink:004025BD push 0 ; nVolumeNameSize
.shrink:004025BF push 0 ; lpVolumeNameBuffer
.shrink:004025C1 push offset RootPathName ; "C:\\"
.shrink:004025C6 call ds:GetVolumeInformationA ; only the serial number of C:\ is requested
.shrink:004025CC mov eax, [ebp+VolumeSerialNumber]
.shrink:004025CF xor eax, 0ABCDE123h ; small tweak: machine code = volume serial XOR 0ABCDE123h
.shrink:004025D4 mov [ebp+VolumeSerialNumber], eax
.shrink:004025D7 push 0 ; bSigned
.shrink:004025D9 push eax ; uValue
.shrink:004025DA push 3E9h ; nIDDlgItem
.shrink:004025DF push esi ; hDlg
.shrink:004025E0 call ds:SetDlgItemInt ; show the machine code in control 3E9h (read back at 0040240F)
.shrink:004025E6
.shrink:004025E6 loc_4025E6: ; CODE XREF: DialogFunc+11Fj ; DialogFunc+1ECj ...
; Common exit for handled messages: return TRUE and tear down the SEH frame.
.shrink:004025E6 mov eax, 1
.shrink:004025EB mov ecx, [ebp+var_10]
.shrink:004025EE mov large fs:0, ecx ; restore the previous exception registration
.shrink:004025F5 pop edi
.shrink:004025F6 pop esi
.shrink:004025F7 pop ebx
.shrink:004025F8 mov esp, ebp
.shrink:004025FA pop ebp
.shrink:004025FB retn 10h ; stdcall: pop the four arguments
.shrink:004025FB DialogFunc endp
[代码分析 :] --
End
算法就是:
DES_De(Serial,key=1,9,8,0,9,1,7,0)=a
MD5(机器码)=b
if (a==b)
    msg("success!")
else
    msg("wrong!")
Serial=DES_En(b,key=1,9,8,0,9,1,7,0)
因为我这里有MD5的汇编代码,所以直接用IDA提取DES代码就可以了
; Excerpt of DialogFunc's DES call (004024B8..004024C7): one 8-byte block per call, block index in esi.
.shrink:004024B8 push 1 ; mode: 0 = encrypt, 1 = decrypt
.shrink:004024BA lea edx, [ebp+esi*8+var_D0] ; block esi of the decoded serial
.shrink:004024C1 push edx ; DES_inBuffer
.shrink:004024C2 lea eax, [ebp+esi*8+String] ; block esi of the output (overwrites the serial text)
.shrink:004024C6 push eax ; DES_outBuffer
.shrink:004024C7 call DES ; cdecl: DialogFunc pops the three arguments afterwards (add esp, 0Ch)
这就是调用DES的代码,所以只要跟进这个call把这个call里面所有的代码和数据弄出来放在一个文件里整理一下就可以了
下面是我整理的一些变量(DES需要的ip,pc等都不在内)
; Data referenced by the DES routines, as IDA lists it (sub_401A40 = DES_Key_Init, sub_402050 = DES,
; per the call sequence given further down the page). Sizes and cross-references are IDA's;
; what each table holds is not shown on this page. "dup (?)" = uninitialized storage.
off_415088 dd offset unk_417DBC ; DATA XREF: sub_401A40+8Ar
off_41508C dd offset byte_417DA0 ; DATA XREF: sub_401A40+84r
off_415090 dd offset unk_417E50 ; DATA XREF: DES+A6r
off_415094 dd offset byte_417E30 ; DATA XREF: DES+A1r
unk_417890 db 02D0h dup (?) ; 720 bytes
unk_417B60 db 030h dup (?) ; 48 bytes
unk_417B90 db 10h dup (?) ; 16 bytes
;
byte_417BA0 db ? ; DATA XREF: sub_401A40+44w ; sub_401A40+95o ...
byte_417BA1 db ? ; DATA XREF: sub_401A40+57w ; sub_401A40+180w ...
byte_417BA2 db ? ; DATA XREF: sub_401A40+6Aw ; sub_401A40+193w ...
byte_417BA3 db ? ; DATA XREF: sub_401A40+76w ; sub_401A40+1A6w ...
byte_417BA4 db ? ; DATA XREF: sub_401A40+1B9w ; sub_401E50+66w
byte_417BA5 db ? ; DATA XREF: sub_401A40+1CCw
unk_417CA0 db 0feh dup ( ? ) ; 254 bytes ; DATA XREF: sub_401A40+C5o
byte_417D9F db ?
byte_417DA0 db ? ; DATA XREF: sub_401A40+22w ; first of 28 bytes up to unk_417DBC; the remaining 27 are unnamed
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
unk_417DBC db 024h dup (?) ; 36 bytes
byte_417DE0 db ? ; DATA XREF: sub_401E50+88o ; sub_401E50+93o ...
byte_417DE1 db ? ; DATA XREF: sub_401E50+AFr ; sub_401E50+C7w
byte_417DE2 db ? ; DATA XREF: sub_401E50+C1r ; sub_401E50+D9w
byte_417DE3 db ? ; DATA XREF: sub_401E50+D3r ; sub_401E50+EBw
byte_417DE4 db ? ; DATA XREF: sub_401E50+E5r ; sub_401E50+FDw
byte_417DE5 db 02Bh dup (?) ; 43 bytes
unk_417E10 db 01Fh dup (?) ; 31 bytes
byte_417E2F db ?
byte_417E30 db 020h dup (?) ; 32 bytes
unk_417E50 db 020h dup (?) ; 32 bytes
下面把DES需要的数据全部弄出来,再把代码部分弄出来就OK了(附件里包括完整的DES代码)
调用这样就可以了
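; Keygen call sequence, mirroring DialogFunc at 004023F6..004024CC.
; Both routines are cdecl: the original cleans up with "add esp, 4" after
; DES_Key_Init and "add esp, 0Ch" after DES, so the caller must pop the
; arguments itself. Without the two add esp lines each call leaves its
; arguments on the stack (4 and 12 bytes per call).
;   sub_401A40 = DES_Key_Init(key)     key = the 8 bytes 1,9,8,0,9,1,7,0
;   sub_402050 = DES(out, in, mode)    mode 0 = encrypt, 1 = decrypt
; NOTE(review): DialogFunc calls DES once per 8-byte block (esi*8 stride at
; 004024BA); confirm whether a single call here covers all 16 bytes of hash1.
lea eax, key
push eax ; &key
call sub_401A40
;DES_Key_Init
add esp, 4 ; cdecl: pop the one argument
push 0 ; mode 0 = encrypt
lea edx, hash1
push edx ;InBuffer (MD5 text of the machine code)
lea eax, string2
push eax ;OutBuffer (receives the serial bytes)
call sub_402050
;DES
add esp, 0Ch ; cdecl: pop the three arguments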
这样注册机就做好了,简单吧 ~
参考了 x3chun,bLaCk-eye等一些人的方法 感谢他们!