用IDA做注册机
lnn1123/BCG/FCG 06.5
废话:
前些天看国外的一些写注册机的文章,发现不少人喜欢用IDA反汇编后直接使用IDA反汇编后的代码,其实这个可能有很多人很早就用了
但是我使用的时候发现了一些问题,一般如果是象MD5,SHA等散列函数有变形的话,直接用IDA反汇编后的代码是很好的,这样就不用去分析
变形是那些地方.还有就是一般如blowfish,DES等,这种情况用IDA反汇编后会有很多数据,如blowfish的pbox,sbox,但是如果还是有变形
的话,用IDA也是不错的.
IDA做注册机的一些我认为重要的地方
(1):变量一定要和IDA里面的完全一样,下面我举例的Crackme里用到DES算法,DES里面数据很多也很容易出错.
(2):变量定义的位置,这个最好和IDA里一样.
下面举例用Nuke's tutorial1分析一下写注册机的步骤
[代码分析 :]
; ----------------------------------------------------------------------------
; BOOL __stdcall DialogFunc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; IDA listing, 32-bit Intel syntax, stdcall (retn 10h removes the four dword args).
; The prologue installs a structured-exception frame (__except_handler3 on fs:0);
; var_18 keeps the post-prologue esp and var_4 is the try-level slot.
; Locals of interest:
;   var_24..var_1D      the 8-byte DES key, hard-coded in the binary: 01 09 08 00 09 01 07 00
;   String              50-byte buffer: the serial text, later overwritten by the DES output
;   var_D0              hex-decoded serial bytes written by Hex_Serial (52 bytes up to var_9C)
;   var_9C              decimal text of the machine code (from __itoa), input to MD5
;   VolumeSerialNumber  the "machine code" (C: volume serial XOR 0ABCDE123h)
; Everything the check needs (key, algorithm, comparison) is in the client binary,
; which is why it can be read straight out of this listing.
; The listing is interrupted at 0040246F by the Hex_Serial listing and resumes at 00402474.
; ----------------------------------------------------------------------------
.shrink:00402340 ; BOOL __stdcall DialogFunc(HWND,UINT,WPARAM,LPARAM)
.shrink:00402340 DialogFunc proc near ; DATA XREF: WinMain(x,x,x,x)+Co
.shrink:00402340
.shrink:00402340 var_D0 = dword ptr -0D0h ; Hex_Serial output buffer (52 bytes, up to var_9C)
.shrink:00402340 var_9C = byte ptr -9Ch ; __itoa output: machine code as decimal text
.shrink:00402340 String = byte ptr -68h ; serial text (GetDlgItemTextA), then DES output
.shrink:00402340 var_58 = byte ptr -58h ; = String[16]; IDA label inside the String buffer
.shrink:00402340 var_34 = dword ptr -34h ; pointer to the MD5 text
.shrink:00402340 var_30 = dword ptr -30h ; strlen(String), then the decoded byte count
.shrink:00402340 lpText = dword ptr -2Ch
.shrink:00402340 var_28 = dword ptr -28h ; current DES block index
.shrink:00402340 var_24 = byte ptr -24h ; key[0]  (key[1] is [ebp-23h], unnamed by IDA)
.shrink:00402340 var_22 = byte ptr -22h ; key[2]
.shrink:00402340 var_21 = byte ptr -21h ; key[3]
.shrink:00402340 var_20 = byte ptr -20h ; key[4]
.shrink:00402340 var_1F = byte ptr -1Fh ; key[5]
.shrink:00402340 var_1E = byte ptr -1Eh ; key[6]
.shrink:00402340 var_1D = byte ptr -1Dh ; key[7]
.shrink:00402340 VolumeSerialNumber= dword ptr -1Ch
.shrink:00402340 var_18 = dword ptr -18h ; esp after the prologue (SEH restore point)
.shrink:00402340 var_10 = dword ptr -10h ; previous fs:0 handler
.shrink:00402340 var_4 = dword ptr -4 ; SEH try level (-1 = outside any try block)
.shrink:00402340 hWnd = dword ptr 8
.shrink:00402340 arg_4 = dword ptr 0Ch ; uMsg
.shrink:00402340 arg_8 = word ptr 10h ; LOWORD(wParam) = control id for WM_COMMAND
.shrink:00402340
.shrink:00402340 push ebp
.shrink:00402341 mov ebp , esp
.shrink:00402343 push 0FFFFFFFFh ; SEH: initial try level
.shrink:00402345 push offset unk_412580 ; SEH: scope table
.shrink:0040234A push offset __except_handler3 ; SEH: handler routine
.shrink:0040234F mov eax , large fs :0 ; SEH: previous frame
.shrink:00402355 push eax
.shrink:00402356 mov large fs :0, esp ; SEH: link this frame in
.shrink:0040235D sub esp , 0C0h
.shrink:00402363 push ebx
.shrink:00402364 push esi
.shrink:00402365 push edi
.shrink:00402366 mov [ebp +var_18], esp ; saved esp; the handler path at 0040255D reloads it
.shrink:00402369 mov [ebp +var_24], 1 ; DES key, 8 bytes: 1,9,8,0,9,1,7,0 (hard-coded in the binary)
.shrink:0040236D mov al , 9
.shrink:0040236F mov [ebp -23h], al ; key[1] = 9
.shrink:00402372 mov [ebp +var_22], 8
.shrink:00402376 mov [ebp +var_21], 0
.shrink:0040237A mov [ebp +var_20], al ; key[4] = 9 (al still holds 9)
.shrink:0040237D mov [ebp +var_1F], 1
.shrink:00402381 mov [ebp +var_1E], 7
.shrink:00402385 mov [ebp +var_1D], 0
.shrink:00402389 mov ecx , 0Ch ; 12 dwords + 1 word = 50 bytes, matching nMaxCount below
.shrink:0040238E xor eax , eax
.shrink:00402390 lea edi , [ebp +String]
.shrink:00402393 rep stosd ; zero the String buffer
.shrink:00402395 stosw
.shrink:00402397 mov ecx , 0Ch
.shrink:0040239C xor eax , eax
.shrink:0040239E mov edi , offset unk_417810 ; same 50-byte clear on a global buffer
.shrink:004023A3 rep stosd
.shrink:004023A5 stosw
.shrink:004023A7 mov [ebp +lpText], offset unk_4124D0 ; text for the info box at 0040253F
.shrink:004023AE mov eax , [ebp +arg_4]
.shrink:004023B1 sub eax , 110h ; uMsg - WM_INITDIALOG
.shrink:004023B6 jz loc_402590 ; WM_INITDIALOG
.shrink:004023BC dec eax ; WM_COMMAND (111h)?
.shrink:004023BD jnz short loc_4023DA ; any other message: return FALSE
.shrink:004023BF movzx eax , [ebp +arg_8] ; control id
.shrink:004023C3 dec eax
.shrink:004023C4 jz loc_402582 ; id 1 (IDOK): close the dialog
.shrink:004023CA sub eax , 3E7h
.shrink:004023CF jz short loc_4023EF ; id 3E8h: check the serial
.shrink:004023D1 sub eax , 5
.shrink:004023D4 jz loc_40253F ; id 3EDh: info box
.shrink:004023DA
.shrink:004023DA loc_4023DA: ; CODE XREF: DialogFunc+7Dj
.shrink:004023DA xor eax , eax ; return FALSE (message not handled)
.shrink:004023DC mov ecx , [ebp +var_10]
.shrink:004023DF mov large fs :0, ecx ; unlink the SEH frame
.shrink:004023E6 pop edi
.shrink:004023E7 pop esi
.shrink:004023E8 pop ebx
.shrink:004023E9 mov esp , ebp
.shrink:004023EB pop ebp
.shrink:004023EC retn 10h ; uType
.shrink:004023EF ; ----------------------------------------------------------------------------
.shrink:004023EF
.shrink:004023EF loc_4023EF: ; CODE XREF: DialogFunc+8Fj
.shrink:004023EF mov [ebp +var_4], 0 ; enter try level 0
.shrink:004023F6 lea eax , [ebp +var_24]
.shrink:004023F9 push eax ; &key
.shrink:004023FA call DES_Key_Init ; cdecl: build the key schedule from the 8-byte key
.shrink:004023FF add esp , 4
.shrink:00402402 push 0 ; bSigned
.shrink:00402404 push 0 ; lpTranslated
.shrink:00402406 push 3E9h ; nIDDlgItem
.shrink:0040240B mov esi , [ebp +hWnd]
.shrink:0040240E push esi ; hDlg
.shrink:0040240F call ds :GetDlgItemInt ; read the machine-code field (id 3E9h)
.shrink:00402415 mov [ebp +VolumeSerialNumber], eax
.shrink:00402418 push 32h ; nMaxCount (50, the size zeroed above)
.shrink:0040241A lea ecx , [ebp +String]
.shrink:0040241D push ecx ; lpString
.shrink:0040241E push 3ECh ; nIDDlgItem
.shrink:00402423 push esi ; hDlg
.shrink:00402424 call ds :GetDlgItemTextA ; read the serial (id 3ECh)
.shrink:0040242A lea eax , [ebp +String]
.shrink:0040242D lea edx , [eax +1]
.shrink:00402430
.shrink:00402430 loc_402430: ; CODE XREF: DialogFunc+F5j
.shrink:00402430 mov cl , [eax ] ; inline strlen(String)
.shrink:00402432 inc eax
.shrink:00402433 test cl , cl
.shrink:00402435 jnz short loc_402430
.shrink:00402437 sub eax , edx ; eax = length of the serial text
.shrink:00402439 mov [ebp +var_30], eax ; var_30 = length (replaced by the byte count at 00402476)
.shrink:0040243C test eax , eax
.shrink:0040243E jnz short loc_402464 ; non-empty serial: go decode it
.shrink:00402440 push eax ; uType (eax is 0 here)
.shrink:00402441 push offset Caption ; "warming!"
.shrink:00402446 push offset Text ; "请输入注册码!"
.shrink:0040244B mov edx , ds :hWnd
.shrink:00402451 push edx ; hWnd
.shrink:00402452 call ds :MessageBoxA ; empty serial: prompt and return TRUE
.shrink:00402458 mov [ebp +var_4], 0FFFFFFFFh ; leave the try block
.shrink:0040245F jmp loc_4025E6
.shrink:00402464 ; ----------------------------------------------------------------------------
.shrink:00402464
.shrink:00402464 loc_402464: ; CODE XREF: DialogFunc+FEj
.shrink:00402464 lea eax , [ebp +var_D0]
.shrink:0040246A push eax ; dst: decoded bytes
.shrink:0040246B lea ecx , [ebp +String]
.shrink:0040246E push ecx ; src: serial text
.shrink:0040246F call Hex_Serial ; String (hex text) -> bytes at var_D0, eax = byte count (author: "把机器码转化为16进制"; the argument is the serial String read at 00402424). Hex_Serial listing follows; DialogFunc resumes at 00402474
{
; ----------------------------------------------------------------------------
; int __cdecl Hex_Serial(const char *src, unsigned char *dst)
; Decodes pairs of hex digits from src into bytes at dst; returns the byte count.
; Registers: edi = src, ebx = strlen(src), esi = read index, eax = bytes written,
;            ebp = dst (ebp is pushed and used as a scratch register, hence
;            arg_4 is read at esp+4+arg_4 after the push).
; arg_0/arg_4 are at 10h/14h because ebx, esi and edi are pushed before they are read.
; Behaviour worth knowing when reviewing the check:
;  - a ' ' in the first position of a pair is skipped, one in the second is not;
;  - a non-hex character becomes 0FFh (or cl,0FFh); after movsx that is -1, so the
;    `cmp ecx,10h` / `cmp edx,10h` exits can never be taken — bad input is not
;    rejected, it just yields garbage bytes;
;  - a trailing unpaired digit ends the loop (cmp esi,ebx / jge).
; ----------------------------------------------------------------------------
.shrink:00401080 Hex_Serial proc near ; CODE XREF: DialogFunc+12Fp
.shrink:00401080
.shrink:00401080 arg_0 = dword ptr 10h ; src (after 3 pushes + return address)
.shrink:00401080 arg_4 = dword ptr 14h ; dst
.shrink:00401080
.shrink:00401080 push ebx
.shrink:00401081 push esi
.shrink:00401082 push edi
.shrink:00401083 mov edi , [esp +arg_0] ; edi = src
.shrink:00401087 xor eax , eax ; eax = bytes written
.shrink:00401089 mov ecx , edi
.shrink:0040108B jmp short loc_401090
.shrink:0040108B ; ----------------------------------------------------------------------------
.shrink:0040108D align 10h
.shrink:00401090
.shrink:00401090 loc_401090: ; CODE XREF: Hex_Serial+Bj
.shrink:00401090 ; Hex_Serial+15j
.shrink:00401090 mov dl , [ecx ] ; inline strlen(src)
.shrink:00401092 inc ecx
.shrink:00401093 test dl , dl
.shrink:00401095 jnz short loc_401090
.shrink:00401097 sub ecx , edi
.shrink:00401099 dec ecx ; ecx = strlen(src)
.shrink:0040109A mov ebx , ecx ; ebx = length
.shrink:0040109C xor esi , esi ; esi = read index
.shrink:0040109E test ebx , ebx
.shrink:004010A0 jle loc_40114B ; empty string: return 0
.shrink:004010A6 push ebp
.shrink:004010A7 mov ebp , [esp +4+arg_4] ; ebp = dst (+4 accounts for the push)
.shrink:004010AB jmp short loc_4010B0
.shrink:004010AB ; ----------------------------------------------------------------------------
.shrink:004010AD align 10h
.shrink:004010B0
.shrink:004010B0 loc_4010B0: ; CODE XREF: Hex_Serial+2Bj
.shrink:004010B0 ; Hex_Serial+C4j
.shrink:004010B0 mov cl , [esi +edi ] ; cl = src[esi], first nibble of the pair
.shrink:004010B3 inc esi
.shrink:004010B4 cmp cl , 20h
.shrink:004010B7 jz loc_401142 ; skip a space in the first position
.shrink:004010BD cmp esi , ebx
.shrink:004010BF jge loc_40114A ; no second character left: stop
.shrink:004010C5 cmp cl , 30h
.shrink:004010C8 mov dl , [esi +edi ] ; dl = src[esi+1], second nibble (converted below)
.shrink:004010CB jl short loc_4010D7
.shrink:004010CD cmp cl , 39h
.shrink:004010D0 jg short loc_4010D7
.shrink:004010D2 sub cl , 30h ; '0'..'9' -> 0..9
.shrink:004010D5 jmp short loc_4010F8
.shrink:004010D7 ; ----------------------------------------------------------------------------
.shrink:004010D7
.shrink:004010D7 loc_4010D7: ; CODE XREF: Hex_Serial+4Bj
.shrink:004010D7 ; Hex_Serial+50j
.shrink:004010D7 cmp cl , 41h
.shrink:004010DA jl short loc_4010E6
.shrink:004010DC cmp cl , 46h
.shrink:004010DF jg short loc_4010E6
.shrink:004010E1 sub cl , 37h ; 'A'..'F' -> 10..15
.shrink:004010E4 jmp short loc_4010F8
.shrink:004010E6 ; ----------------------------------------------------------------------------
.shrink:004010E6
.shrink:004010E6 loc_4010E6: ; CODE XREF: Hex_Serial+5Aj
.shrink:004010E6 ; Hex_Serial+5Fj
.shrink:004010E6 cmp cl , 61h
.shrink:004010E9 jl short loc_4010F5
.shrink:004010EB cmp cl , 66h
.shrink:004010EE jg short loc_4010F5
.shrink:004010F0 sub cl , 57h ; 'a'..'f' -> 10..15
.shrink:004010F3 jmp short loc_4010F8
.shrink:004010F5 ; ----------------------------------------------------------------------------
.shrink:004010F5
.shrink:004010F5 loc_4010F5: ; CODE XREF: Hex_Serial+69j
.shrink:004010F5 ; Hex_Serial+6Ej
.shrink:004010F5 or cl , 0FFh ; not a hex digit -> 0FFh (never equals 10h below, so not rejected)
.shrink:004010F8
.shrink:004010F8 loc_4010F8: ; CODE XREF: Hex_Serial+55j
.shrink:004010F8 ; Hex_Serial+64j ...
.shrink:004010F8 cmp dl , 30h ; second nibble: same ladder for dl
.shrink:004010FB movsx ecx , cl ; ecx = first nibble (0..15, or -1 for invalid)
.shrink:004010FE jl short loc_40110A
.shrink:00401100 cmp dl , 39h
.shrink:00401103 jg short loc_40110A
.shrink:00401105 sub dl , 30h
.shrink:00401108 jmp short loc_40112B
.shrink:0040110A ; ----------------------------------------------------------------------------
.shrink:0040110A
.shrink:0040110A loc_40110A: ; CODE XREF: Hex_Serial+7Ej
.shrink:0040110A ; Hex_Serial+83j
.shrink:0040110A cmp dl , 41h
.shrink:0040110D jl short loc_401119
.shrink:0040110F cmp dl , 46h
.shrink:00401112 jg short loc_401119
.shrink:00401114 sub dl , 37h
.shrink:00401117 jmp short loc_40112B
.shrink:00401119 ; ----------------------------------------------------------------------------
.shrink:00401119
.shrink:00401119 loc_401119: ; CODE XREF: Hex_Serial+8Dj
.shrink:00401119 ; Hex_Serial+92j
.shrink:00401119 cmp dl , 61h
.shrink:0040111C jl short loc_401128
.shrink:0040111E cmp dl , 66h
.shrink:00401121 jg short loc_401128
.shrink:00401123 sub dl , 57h
.shrink:00401126 jmp short loc_40112B
.shrink:00401128 ; ----------------------------------------------------------------------------
.shrink:00401128
.shrink:00401128 loc_401128: ; CODE XREF: Hex_Serial+9Cj
.shrink:00401128 ; Hex_Serial+A1j
.shrink:00401128 or dl , 0FFh ; invalid second nibble -> 0FFh (also not rejected)
.shrink:0040112B
.shrink:0040112B loc_40112B: ; CODE XREF: Hex_Serial+88j
.shrink:0040112B ; Hex_Serial+97j ...
.shrink:0040112B cmp ecx , 10h ; dead check: ecx is 0..15 or -1, never 16
.shrink:0040112E movsx edx , dl
.shrink:00401131 jz short loc_40114A
.shrink:00401133 cmp edx , 10h ; likewise never taken
.shrink:00401136 jz short loc_40114A
.shrink:00401138 shl cl , 4
.shrink:0040113B add cl , dl ; byte = (hi << 4) + lo
.shrink:0040113D inc esi ; consume the second character
.shrink:0040113E mov [eax +ebp ], cl ; dst[eax] = byte
.shrink:00401141 inc eax
.shrink:00401142
.shrink:00401142 loc_401142: ; CODE XREF: Hex_Serial+37j
.shrink:00401142 cmp esi , ebx
.shrink:00401144 jl loc_4010B0 ; loop while characters remain
.shrink:0040114A
.shrink:0040114A loc_40114A: ; CODE XREF: Hex_Serial+3Fj
.shrink:0040114A ; Hex_Serial+B1j ...
.shrink:0040114A pop ebp
.shrink:0040114B
.shrink:0040114B loc_40114B: ; CODE XREF: Hex_Serial+20j
.shrink:0040114B pop edi
.shrink:0040114C pop esi
.shrink:0040114D pop ebx
.shrink:0040114E retn ; cdecl: eax = byte count, caller removes the two arguments
.shrink:0040114E Hex_Serial endp }
; ----------------------------------------------------------------------------
; DialogFunc, continued after `call Hex_Serial` at 0040246F.
; Note the deferred stack cleanup: the two Hex_Serial arguments, the three __itoa
; arguments and the one MD5_ComputerID argument are all removed together by
; `add esp, 18h` at 00402497.
; ----------------------------------------------------------------------------
.shrink:00402474 mov edi , eax ; edi = number of decoded serial bytes
.shrink:00402476 mov [ebp +var_30], edi ; var_30 = byte count
.shrink:00402479 push 0Ah ; int (radix 10)
.shrink:0040247B lea edx , [ebp +var_9C]
.shrink:00402481 push edx ; char *
.shrink:00402482 mov eax , [ebp +VolumeSerialNumber]
.shrink:00402485 push eax ; int
.shrink:00402486 call __itoa ; var_9C = machine code as decimal text
.shrink:0040248B lea ecx , [ebp +var_9C]
.shrink:00402491 push ecx ; MD5_inBuffer
.shrink:00402492 call MD5_ComputerID ; eax -> MD5 text of var_9C (presumably a static buffer; not shown here)
.shrink:00402497 add esp , 18h ; 6 dwords: Hex_Serial(2) + __itoa(3) + MD5_ComputerID(1)
.shrink:0040249A mov ebx , eax
.shrink:0040249C mov [ebp +var_34], ebx
.shrink:0040249F mov byte ptr [ebx +10h], 0 ; cut the MD5 text in two; only the first 16 characters are used
.shrink:004024A3 xor esi , esi ; esi = DES block index
.shrink:004024A5
.shrink:004024A5 loc_4024A5: ; CODE XREF: DialogFunc+190j
.shrink:004024A5 mov [ebp +var_28], esi
.shrink:004024A8 mov eax , edi
.shrink:004024AA cdq ; blocks = edi/8 + 1 (signed division by 8)
.shrink:004024AB and edx , 7
.shrink:004024AE add eax , edx
.shrink:004024B0 sar eax , 3
.shrink:004024B3 inc eax ; one more than ceil(edi/8) when edi is a multiple of 8
.shrink:004024B4 cmp esi , eax
.shrink:004024B6 jge short loc_4024D2
.shrink:004024B8 push 1 ; mode: 0 = encrypt, 1 = decrypt
.shrink:004024BA lea edx , [ebp +esi *8+var_D0]
.shrink:004024C1 push edx ; DES_inBuffer
.shrink:004024C2 lea eax , [ebp +esi *8+String]
.shrink:004024C6 push eax ; DES_outBuffer
.shrink:004024C7 call DES ; DES(out = String+8*esi, in = var_D0+8*esi, 1): decrypt into the String buffer
.shrink:004024CC add esp , 0Ch ; cdecl, 3 arguments
.shrink:004024CF inc esi
.shrink:004024D0 jmp short loc_4024A5
.shrink:004024D2 ; ----------------------------------------------------------------------------
.shrink:004024D2
.shrink:004024D2 loc_4024D2: ; CODE XREF: DialogFunc+176j
.shrink:004024D2 mov [ebp +var_58], 0 ; NUL at String[16]: compare only the first 16 decrypted bytes
.shrink:004024D6 lea esi , [ebp +String] ; esi = decrypted serial
.shrink:004024D9 mov eax , ebx ; eax = 16-character MD5 text
.shrink:004024DB jmp short loc_4024E0
.shrink:004024DB ; ----------------------------------------------------------------------------
.shrink:004024DD align 10h
.shrink:004024E0
.shrink:004024E0 loc_4024E0: ; CODE XREF: DialogFunc+19Bj
.shrink:004024E0 ; DialogFunc+1BEj
.shrink:004024E0 mov dl , [eax ] ; inline strcmp, two characters per iteration: dl = MD5(machine code)[i]
.shrink:004024E2 mov cl , dl
.shrink:004024E4 cmp dl , [esi ] ; compare with DES_De(serial)[i]
.shrink:004024E6 jnz short loc_402504
.shrink:004024E8 test cl , cl
.shrink:004024EA jz short loc_402500
.shrink:004024EC mov dl , [eax +1]
.shrink:004024EF mov cl , dl
.shrink:004024F1 cmp dl , [esi +1]
.shrink:004024F4 jnz short loc_402504
.shrink:004024F6 add eax , 2
.shrink:004024F9 add esi , 2
.shrink:004024FC test cl , cl
.shrink:004024FE jnz short loc_4024E0
.shrink:00402500
.shrink:00402500 loc_402500: ; CODE XREF: DialogFunc+1AAj
.shrink:00402500 xor eax , eax ; strings equal
.shrink:00402502 jmp short loc_402509
.shrink:00402504 ; ----------------------------------------------------------------------------
.shrink:00402504
.shrink:00402504 loc_402504: ; CODE XREF: DialogFunc+1A6j
.shrink:00402504 ; DialogFunc+1B4j
.shrink:00402504 sbb eax , eax ; mismatch: eax = -1 or +1 from the last cmp's carry
.shrink:00402506 sbb eax , 0FFFFFFFFh
.shrink:00402509
.shrink:00402509 loc_402509: ; CODE XREF: DialogFunc+1C2j
.shrink:00402509 test eax , eax
.shrink:0040250B jnz short loc_402531 ; mismatch
.shrink:0040250D push eax ; wLanguageId (0)
.shrink:0040250E push eax ; uType (0)
.shrink:0040250F push offset aSucceed ; "succeed"
.shrink:00402514 push offset aVSJGm ; "注册成功!老兄,?
.shrink:00402519 mov eax , ds :hWnd
.shrink:0040251E push eax ; hWnd
.shrink:0040251F call ds :MessageBoxExA ; match: success box
.shrink:00402525 mov [ebp +var_4], 0FFFFFFFFh ; leave the try block
.shrink:0040252C jmp loc_4025E6
.shrink:00402531 ; ----------------------------------------------------------------------------
.shrink:00402531
.shrink:00402531 loc_402531: ; CODE XREF: DialogFunc+1CBj
.shrink:00402531 pusha
.shrink:00402532 xor eax , eax
.shrink:00402534 mov ebx , [eax ] ; deliberate NULL read; the fault appears to be routed through the SEH frame from the prologue (filter at 00402557, handler at 0040255D)
.shrink:00402536 popa ; not reached if the read above faults
.shrink:00402537 nop
.shrink:00402538 mov [ebp +var_4], 0FFFFFFFFh
.shrink:0040253F
.shrink:0040253F loc_40253F: ; CODE XREF: DialogFunc+94j
.shrink:0040253F push 0 ; uType
.shrink:00402541 push offset asc_41247C ; "说?
.shrink:00402546 mov ecx , [ebp +lpText] ; unk_4124D0, set in the prologue
.shrink:00402549 push ecx ; lpText
.shrink:0040254A push 0 ; hWnd
.shrink:0040254C call ds :MessageBoxA ; info box (control id 3EDh)
.shrink:00402552 jmp loc_4025E6
.shrink:00402557 ; ----------------------------------------------------------------------------
.shrink:00402557 mov eax , 1 ; presumably the SEH filter: 1 = EXCEPTION_EXECUTE_HANDLER
.shrink:0040255C retn
.shrink:0040255D ; ----------------------------------------------------------------------------
.shrink:0040255D mov esp , [ebp -18h] ; presumably the SEH handler body: restore esp saved in var_18 at 00402366
.shrink:00402560 push 0 ; uType
.shrink:00402562 push offset aWarning ; "Warning!"
.shrink:00402567 push offset aVSZ ; "注册失败"
.shrink:0040256C mov edx , ds :hWnd
.shrink:00402572 push edx ; hWnd
.shrink:00402573 call ds :MessageBoxA ; failure box
.shrink:00402579 mov [ebp +var_4], 0FFFFFFFFh
.shrink:00402580 jmp short loc_4025E6
.shrink:00402582 ; ----------------------------------------------------------------------------
.shrink:00402582
.shrink:00402582 loc_402582: ; CODE XREF: DialogFunc+84j
.shrink:00402582 push 0 ; nResult
.shrink:00402584 mov eax , [ebp +hWnd]
.shrink:00402587 push eax ; hDlg
.shrink:00402588 call ds :EndDialog ; IDOK: close
.shrink:0040258E jmp short loc_4025E6
.shrink:00402590 ; ----------------------------------------------------------------------------
.shrink:00402590
.shrink:00402590 loc_402590: ; CODE XREF: DialogFunc+76j
.shrink:00402590 push 6Ch ; lpIconName (resource id 108) — WM_INITDIALOG path
.shrink:00402592 mov ecx , ds :hInstance
.shrink:00402598 push ecx ; hInstance
.shrink:00402599 call ds :LoadIconA
.shrink:0040259F push eax ; lParam = hIcon
.shrink:004025A0 push 1 ; wParam = ICON_BIG
.shrink:004025A2 push 80h ; Msg = WM_SETICON
.shrink:004025A7 mov esi , [ebp +hWnd]
.shrink:004025AA push esi ; hWnd
.shrink:004025AB call ds :SendMessageA
.shrink:004025B1 push 0 ; nFileSystemNameSize
.shrink:004025B3 push 0 ; lpFileSystemNameBuffer
.shrink:004025B5 push 0 ; lpFileSystemFlags
.shrink:004025B7 push 0 ; lpMaximumComponentLength
.shrink:004025B9 lea edx , [ebp +VolumeSerialNumber]
.shrink:004025BC push edx ; lpVolumeSerialNumber
.shrink:004025BD push 0 ; nVolumeNameSize
.shrink:004025BF push 0 ; lpVolumeNameBuffer
.shrink:004025C1 push offset RootPathName ; "C:\\"
.shrink:004025C6 call ds :GetVolumeInformationA ; only the volume serial of C: is requested
.shrink:004025CC mov eax , [ebp +VolumeSerialNumber]
.shrink:004025CF xor eax , 0ABCDE123h ; small tweak: machine code = volume serial ^ constant (fixed, reversible)
.shrink:004025D4 mov [ebp +VolumeSerialNumber], eax
.shrink:004025D7 push 0 ; bSigned
.shrink:004025D9 push eax ; uValue
.shrink:004025DA push 3E9h ; nIDDlgItem
.shrink:004025DF push esi ; hDlg
.shrink:004025E0 call ds :SetDlgItemInt ; show it in field 3E9h; the check reads this field back with GetDlgItemInt
.shrink:004025E6
.shrink:004025E6 loc_4025E6: ; CODE XREF: DialogFunc+11Fj
.shrink:004025E6 ; DialogFunc+1ECj ...
.shrink:004025E6 mov eax , 1 ; common exit: return TRUE
.shrink:004025EB mov ecx , [ebp +var_10]
.shrink:004025EE mov large fs :0, ecx ; unlink the SEH frame
.shrink:004025F5 pop edi
.shrink:004025F6 pop esi
.shrink:004025F7 pop ebx
.shrink:004025F8 mov esp , ebp
.shrink:004025FA pop ebp
.shrink:004025FB retn 10h
.shrink:004025FB DialogFunc endp
[代码分析 :] --End
算法就是:
DES_De(Serial,key=1,9,8,0,9,1,7,0)=a
MD5(机器码)=b
if (a==b)
    msg("success!")
else
    msg("wrong!")
Serial=DES_En(b,key=1,9,8,0,9,1,7,0)
因为我这里有MD5的汇编代码,所以直接用IDA提取DES代码就可以了
.shrink:004024B8 push 1 ; 类型,0为加密,1为解密
.shrink:004024BA lea edx , [ebp +esi *8+var_D0]
.shrink:004024C1 push edx ; DES_inBuffer
.shrink:004024C2 lea eax , [ebp +esi *8+String]
.shrink:004024C6 push eax ; DES_outBuffer
.shrink:004024C7 call DES
这就是调用DES的代码,所以只要跟进这个call,把这个call里面所有的代码和数据弄出来放在一个文件里整理一下就可以了. 下面是我整理的一些变量(DES需要的ip,pc等都不在内)
; ----------------------------------------------------------------------------
; Writable data copied from the IDA listing for the DES routines (sub_401A40 is
; the key schedule the author names DES_Key_Init, sub_402050 the DES routine).
; `dup (?)` entries are uninitialised buffers. Sizes and relative positions must
; match the listing exactly, because the DES code addresses them by these labels
; (and via the four pointers below). The XREF comments are IDA's.
; ----------------------------------------------------------------------------
off_415088 dd offset unk_417DBC ; DATA XREF: sub_401A40+8Ar ; pointers into the state buffers below
off_41508C dd offset byte_417DA0 ; DATA XREF: sub_401A40+84r
off_415090 dd offset unk_417E50 ; DATA XREF: DES+A6r
off_415094 dd offset byte_417E30 ; DATA XREF: DES+A1r
unk_417890 db 02D0h dup (?)
unk_417B60 db 030h dup (?)
unk_417B90 db 10h dup (?) ; 16 bytes
byte_417BA0 db ? ; DATA XREF: sub_401A40+44w ; six consecutive bytes written by the key schedule
; sub_401A40+95o ...
byte_417BA1 db ? ; DATA XREF: sub_401A40+57w
; sub_401A40+180w ...
byte_417BA2 db ? ; DATA XREF: sub_401A40+6Aw
; sub_401A40+193w ...
byte_417BA3 db ? ; DATA XREF: sub_401A40+76w
; sub_401A40+1A6w ...
byte_417BA4 db ? ; DATA XREF: sub_401A40+1B9w
; sub_401E50+66w
byte_417BA5 db ? ; DATA XREF: sub_401A40+1CCw
unk_417CA0 db 0feh dup ( ? ) ; ; DATA XREF: sub_401A40+C5o
byte_417D9F db ?
byte_417DA0 db ? ; DATA XREF: sub_401A40+22w ; 28 bytes (417DA0..417DBB): the unnamed db lines below belong to it
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
db ? ;
unk_417DBC db 024h dup (?)
byte_417DE0 db ? ; DATA XREF: sub_401E50+88o ; five consecutive bytes used by sub_401E50
; sub_401E50+93o ...
byte_417DE1 db ? ; DATA XREF: sub_401E50+AFr
; sub_401E50+C7w
byte_417DE2 db ? ; DATA XREF: sub_401E50+C1r
; sub_401E50+D9w
byte_417DE3 db ? ; DATA XREF: sub_401E50+D3r
; sub_401E50+EBw
byte_417DE4 db ? ; DATA XREF: sub_401E50+E5r
; sub_401E50+FDw
byte_417DE5 db 02Bh dup (?)
unk_417E10 db 01Fh dup (?)
byte_417E2F db ?
byte_417E30 db 020h dup (?)
unk_417E50 db 020h dup (?)
下面把DES需要的数据全部弄出来,再把代码部分弄出来就OK了(附件里包括完整的DES代码)
调用这样就可以了
; ----------------------------------------------------------------------------
; Call sequence mirroring DialogFunc, using the extracted routines with the
; same cdecl argument order as the target: DES(out, in, mode), pushed right-to-left.
; Both routines are cdecl in the listing (add esp,4 after DES_Key_Init at
; 004023FF, add esp,0Ch after DES at 004024CC), so the caller must remove the
; arguments after each call; that cleanup is not shown in this snippet.
; DialogFunc also processes the data in 8-byte blocks in a loop (004024A5);
; this snippet shows a single call.
; ----------------------------------------------------------------------------
lea eax ,key ; key = the 8 bytes 1,9,8,0,9,1,7,0 set at 00402369
push eax
call sub_401A40 ;DES_Key_Init
push 0 ; mode 0 = encrypt (DialogFunc passes 1 = decrypt)
lea edx ,hash1 ; InBuffer: the 16-character MD5 text of the machine code
push edx ;InBuffer
lea eax ,string2 ; OutBuffer: DES output (the target reads its serial as hex text via Hex_Serial)
push eax ;OutBuffer
call sub_402050 ;DES
这样注册机就做好了,简单吧 ~
参考了 x3chun,bLaCk-eye等一些人的方法 感谢他们!
上传的附件: