-
-
Source Insight4 注册机
-
2023-6-14 00:36
-
版本:Source Insight 4.00.0128
一、序列号检验
关闭随机基址,方便分析。
使用 Spy++ 工具查看输入框控制的属性,根据控制句柄在 GetWindowsTextW() 函数下条件断点。
截获到输入的序列号后,使用 IDA 分析。
序列号检验的函数
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 | BOOL __cdecl sub_514BA0(char *szSerial, void *ArgcList_608, void *ArgcList_60C, void *ArgcList_604, int n_1){ char v5; // al char v6; // al char v7; // al char v8; // al int v10; // [esp+4h] [ebp-18h] BYREF char Destination[20]; // [esp+8h] [ebp-14h] BYREF _strupr(szSerial); if ( strlen(szSerial) != 19 ) return 0; if ( szSerial[4] != '-' ) return 0; if ( szSerial[9] != '-' ) return 0; if ( szSerial[14] != '-' ) return 0; if ( *szSerial != 'S' ) return 0; if ( n_1 ) { v5 = szSerial[6]; if ( v5 != 'R' && v5 != 'G' && v5 != 'D' && v5 != 'F' ) return 0; } v6 = szSerial[1]; if ( v6 < '0' || v6 > '9' ) return 0; *ArgcList_604 = v6 - '0'; // *ArgcList_604 = szSerial[1] - '0'; v7 = szSerial[2]; switch ( v7 ) // *ArgcList_604 = [1 3 0 0] { case 'T': *ArgcList_60C = 1; break; case 'B': *ArgcList_60C = 3; break; case 'S': *ArgcList_60C = 0; break; case 'U': *ArgcList_60C = 0; break; default: return 0; } v8 = szSerial[3]; if ( v8 == 'G' ) { *ArgcList_608 = 1; } else { if ( v8 != 'R' ) return 0; *ArgcList_608 = 0; } if ( !n_1 ) return 1; strcpy(Destination, szSerial); Destination[15] = 0; sub_514370(Destination, 15, &unk_604F70, &v10);// 根据序列号的前 15 位生成后四位 return *(szSerial + 15) == v10; // 判断生成的后四位和序列号中的后四位是否相等。} |
软件有提示序列号格式:S4XX-XXXX-XXXX-XXXX
Serial[0] = 'S'
Serial[1] = ‘4’
Serial[2] = ‘T’/‘B’/‘S’/‘U’
Serial[3] = ‘G’,不能是 ‘R’
Serial[6] = ‘R’/‘G’/‘D’/‘F’
这里我们伪造一个序列号:S4SG-ARCD-EFGH-XXXX,后四位可由 sub_514370() 函数生成。
生成后四位的算法
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | int __cdecl sub_514370(_BYTE *szSerial, unsigned int nSerialLength, char *pTable, int nResult){ unsigned int i; // esi unsigned __int8 v5; // cl unsigned int j; // eax int result; // eax for ( i = 0; i < 4; *(i + nResult - 1) = byte_604E50[v5 % 26] ) { v5 = pTable[(i + *szSerial)]; for ( j = 1; j < nSerialLength; ++j ) v5 = pTable[v5 ^ szSerial[j]]; result = nResult; ++i; } return result;} |
根据算法写注册机
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 | unsigned char g_szAlphabetTable[] ={ 0x4B, 0x56, 0x39, 0x36, 0x47, 0x4D, 0x4A, 0x59, 0x48, 0x37, 0x51, 0x46, 0x35, 0x54, 0x43, 0x57, 0x34, 0x55, 0x33, 0x58, 0x5A, 0x50, 0x52, 0x53, 0x44, 0x4E, 0x00};int __cdecl sub_514370(char* szSerial, unsigned int nSerialLength, char* pTable, char* pLastFourCharacters){ unsigned int i; // esi unsigned __int8 v5; // cl unsigned int j; // eax int result; // eax for (i = 0; i < 4; *(i + pLastFourCharacters - 1) = g_szAlphabetTable[v5 % 26]) { v5 = pTable[(i + *szSerial)]; for (j = 1; j < nSerialLength; ++j) v5 = pTable[v5 ^ szSerial[j]]; result = pLastFourCharacters; ++i; } return result;}int main(int argc, char* argv[]){ // "S4SG-XRXX-XXXX-XXXX" char szSerial[20] = { 'S', '4', 'S', 'G', '-', 'A', 'R', 'C', 'D', '-', 'E', 'F', 'G', 'H', '-', 'X', 'X', 'X', 'X' , 0 }; char aryLastFourCharacters[4] = {0}; sub_514370(szSerial, 15, g_aryTable, &aryLastFourCharacters); *(PULONG)(szSerial + 15) = *(PLONG)aryLastFourCharacters; printf("Serial: %s", szSerial);} |
生成的后四位为:”36V6”,最后序列号为:“S4SG-ARCD-EFGH-36V6”。
二、网络验证
输入序列号后,填写信息,然后会出现提示信息 "Now activating your license... Please wait...",打开 Fiddler 抓包,发现有发送 HTTP 请求,在 HttpSendRequestW() 函数下断点,发现会调用 HttpQueryInfo() 函数获取返回值的状态码,并判断状态码是否为 200 。但是返回的状态码为 460,所以网络验证不通过,这里可以通过修改指令直接跳过 HttpQueryInfo() 函数,直接给用来判断的变量赋值为 200。这里我们不做修改,因为后面可以通过签名文件实现离线注册。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 | int __usercall sub_425860@<eax>( char *Str, int a3, const CHAR *lpMultiByteStr, char *lpOptional, _BYTE *lpBuffer, int a7){ int v6; // ebp MAPDST DWORD v7; // edi DWORD v8; // ebx INTERNET_PORT v9; // si void *v10; // eax void *v12; // eax void *v13; // ebp void *v14; // eax void *v15; // esi int LastError; // eax int v18; // [esp+0h] [ebp-11Ch] int result; // [esp+Ch] [ebp-110h] BYREF DWORD dwNumberOfBytesRead; // [esp+10h] [ebp-10Ch] BYREF DWORD dwBufferLength; // [esp+14h] [ebp-108h] BYREF HINTERNET hInternet; // [esp+18h] [ebp-104h] char v23[256]; // [esp+1Ch] [ebp-100h] BYREF v7 = strlen(lpOptional); result = 0x3E8; dwBufferLength = 4; v8 = 67420928; if ( a3 ) { v8 = 75817728; v9 = 443; } else { v9 = 80; } v10 = sub_455BE0("Source Insight", 0, 0, 0, 0); hInternet = v10; if ( v10 ) { v12 = sub_455D90(v10, Str, v9, 0, 0, 3u, 0, 0); v13 = v12; if ( v12 ) { v14 = sub_455F60(v12, "POST", lpMultiByteStr, 0, 0, 0, v8, 0); v15 = v14; if ( v14 ) { sub_456190(v14, "Content-Type: application/x-www-form-urlencoded", 0xFFFFFFFF, 0x20000000u); sub_456190(v15, "Accept: text/plain", 0xFFFFFFFF, 0x20000000u); sprintf(v23, "Content-length: %d\n", v7); sub_456190(v15, v23, 0xFFFFFFFF, 0x20000000u); if ( HttpSendRequestW(v15, 0, 0, lpOptional, v7) ) { HttpQueryInfoW(v15, 0x20000013u, &result, &dwBufferLength, 0); if ( result == 0xC8 ) // 返回的状态码判断。 { if ( InternetReadFile(v15, lpBuffer, a7 - 1, &dwNumberOfBytesRead) ) { lpBuffer[dwNumberOfBytesRead] = 0; result = 0xC8; } else { lpBuffer[dwNumberOfBytesRead] = 0; sub_413440(0, 0, "InternetReadFile Error", v6); result = 1007; } } } else { LastError = GetLastError(); result = (LastError == 12045) + 1004; sub_413440(0, 0, "HttpSendRequest Error %d", LastError); } InternetCloseHandle(v15); } else { sub_413440(0, 0, "HttpOpenRequest failed.", v6); result = 1006; } InternetCloseHandle(v13); } else { sub_413440(0, 0, "InternetConnect failed.", v6); result = 0x3EA; } InternetCloseHandle(hInternet); return result; } else { sub_413440(0, 0, "InternetOpen failed.", v18); return 0x3E9; }} |
网页验证通过后,会写注册表和 C:\ProgramData\Source Insight\4.0\si4.lic 文件。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | int __thiscall sub_5171D0(const CHAR *this, int a2){ int result; // eax int v4; // [esp+4h] [ebp-3FA4h] BYREF int v5[2024]; // [esp+8h] [ebp-3FA0h] BYREF char Str[8192]; // [esp+1FA8h] [ebp-2000h] BYREF memset(Str, 0, sizeof(Str)); result = sub_515290(this, v5, 0x1FA0); // 发送 HTTP 数据包进行网络验证 if ( result == 0xC8 ) { if ( a2 ) { if ( sub_514610(this + 0x75C, &v4, 0x1FA0) == 0xC8 ) sub_516FF0(this, &v4); return 0xC8; } else { // 网页验证完后,会进入这个分支。 sub_412990(); // 检查网络验证是否通过 if ( sub_425C80(&v4, &v5[2023], 0x2000u) && strlen(&v5[2023]) >= 8 ) // 检查网络验证信息 { sub_516FF0(this, &Str[4]); // 写注册表 return sub_5148C0(this + 0x75C, &Str[4]); // 写 C:\\ProgramData\\Source Insight\\4.0\\si4.lic 文件 } else { return 0x1D0; } } } return result;} |
三、si.lic 文件
校验 si.lic 文件有三部分:
- 检查 si.lic 文件中 LicenseProperties 各个字段的值。
- 校验 si,lic 文件中 Signature。
- 检查 LicenseProperties 块中的 ActId 字段。
以下是主要函数:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 | 00518160 | 81EC 00010000 | sub esp,100 |00518166 | 56 | push esi |00518167 | 8BF1 | mov esi,ecx |00518169 | E8 A2CFFFFF | call sourceinsight4.515110 |0051816E | 68 D0706000 | push sourceinsight4.6070D0 | 6070D0:"Loading license file"00518173 | E8 18A8EFFF | call sourceinsight4.412990 |00518178 | 83C4 04 | add esp,4 |0051817B | 8BCE | mov ecx,esi |0051817D | E8 4EE6FFFF | call sourceinsight4.5167D0 | 1. 检查文件中的数据00518182 | 3D C8000000 | cmp eax,C8 |00518187 | 74 2A | je sourceinsight4.5181B3 |00518189 | 83BC24 08010000 00 | cmp dword ptr ss:[esp+108],0 |00518191 | 74 0D | je sourceinsight4.5181A0 |00518193 | 50 | push eax |00518194 | 8BCE | mov ecx,esi |00518196 | E8 35CCFFFF | call sourceinsight4.514DD0 |0051819B | E8 F0AAEFFF | call sourceinsight4.412C90 |005181A0 | 8BCE | mov ecx,esi |005181A2 | E8 69CFFFFF | call sourceinsight4.515110 |005181A7 | 33C0 | xor eax,eax |005181A9 | 5E | pop esi |005181AA | 81C4 00010000 | add esp,100 |005181B0 | C2 0400 | ret 4 |005181B3 | 8B06 | mov eax,dword ptr ds:[esi] |005181B5 | 83F8 02 | cmp eax,2 |005181B8 | 75 1F | jne sourceinsight4.5181D9 |005181BA | 68 A4706000 | push sourceinsight4.6070A4 | 6070A4:"Deferred Activation license file loaded."005181BF | E8 CCA7EFFF | call sourceinsight4.412990 |005181C4 | 83C4 04 | add esp,4 |005181C7 | C706 00000000 | mov dword ptr ds:[esi],0 |005181CD | 33C0 | xor eax,eax |005181CF | 5E | pop esi |005181D0 | 81C4 00010000 | add esp,100 |005181D6 | C2 0400 | ret 4 |005181D9 | 83F8 03 | cmp eax,3 |005181DC | 75 2F | jne sourceinsight4.51820D |005181DE | 8D86 3A070000 | lea eax,dword ptr ds:[esi+73A] |005181E4 | 50 | push eax |005181E5 | 8D8E 5C070000 | lea ecx,dword ptr ds:[esi+75C] | esi+75C:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"005181EB | 51 | push ecx |005181EC | E8 9FDDFFFF | call sourceinsight4.515F90 | 2. 检查 Signature005181F1 | 83C4 08 | add esp,8 |005181F4 | 3D C8000000 | cmp eax,C8 |005181F9 | 75 2F | jne sourceinsight4.51822A |005181FB | 8BCE | mov ecx,esi |005181FD | E8 1EF7FFFF | call sourceinsight4.517920 | 3. 检查 ActId 00518202 | 85C0 | test eax,eax |00518204 | 75 4E | jne sourceinsight4.518254 |00518206 | B8 EB010000 | mov eax,1EB |0051820B | EB 1D | jmp sourceinsight4.51822A |0051820D | 8D96 3A070000 | lea edx,dword ptr ds:[esi+73A] |00518213 | 52 | push edx |00518214 | 8D86 5C070000 | lea eax,dword ptr ds:[esi+75C] | esi+75C:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"0051821A | 50 | push eax |0051821B | E8 80EBFFFF | call sourceinsight4.516DA0 |00518220 | 83C4 08 | add esp,8 |00518223 | 3D C8000000 | cmp eax,C8 |00518228 | 74 2A | je sourceinsight4.518254 |0051822A | 83BC24 08010000 00 | cmp dword ptr ss:[esp+108],0 |00518232 | 74 0D | je sourceinsight4.518241 |00518234 | 50 | push eax |00518235 | 8BCE | mov ecx,esi |00518237 | E8 94CBFFFF | call sourceinsight4.514DD0 |0051823C | E8 4FAAEFFF | call sourceinsight4.412C90 |00518241 | 8BCE | mov ecx,esi |00518243 | E8 C8CEFFFF | call sourceinsight4.515110 |00518248 | 33C0 | xor eax,eax |0051824A | 5E | pop esi |0051824B | 81C4 00010000 | add esp,100 |00518251 | C2 0400 | ret 4 |00518254 | 83BE 0C060000 01 | cmp dword ptr ds:[esi+60C],1 |0051825B | 57 | push edi | edi:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"0051825C | BF DCA25F00 | mov edi,sourceinsight4.5FA2DC | edi:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic", 5FA2DC:"Trial"00518261 | 74 05 | je sourceinsight4.518268 |00518263 | BF 80616000 | mov edi,sourceinsight4.606180 | edi:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic", 606180:"Standard"00518268 | 8D4C24 08 | lea ecx,dword ptr ss:[esp+8] |0051826C | 51 | push ecx |0051826D | 8D8E 1C060000 | lea ecx,dword ptr ds:[esi+61C] |00518273 | E8 F869F3FF | call sourceinsight4.44EC70 | 生成了一个 date 字符串00518278 | 8D5424 08 | lea edx,dword ptr ss:[esp+8] |0051827C | 52 | push edx |0051827D | 57 | push edi | edi:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"0051827E | 68 7C706000 | push sourceinsight4.60707C | 60707C:"License OK: %s License activated %s UTC"00518283 | E8 08A7EFFF | call sourceinsight4.412990 | 生成注册信息00518288 | 83C4 0C | add esp,C |0051828B | 5F | pop edi | edi:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"0051828C | B8 01000000 | mov eax,1 |00518291 | 5E | pop esi |00518292 | 81C4 00010000 | add esp,100 |00518298 | C2 0400 | ret 4 | |
3.1 检查 LicenseProperties 块中的各个字段
这个函数返回 0xC8 就表示通过。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 | 005167D0 | 64:A1 00000000 | mov eax,dword ptr fs:[0] | eax:&"ActId"005167D6 | 6A FF | push FFFFFFFF |005167D8 | 68 FB365D00 | push sourceinsight4.5D36FB |005167DD | 50 | push eax | eax:&"ActId"005167DE | 64:8925 00000000 | mov dword ptr fs:[0],esp |005167E5 | 81EC 10040000 | sub esp,410 |005167EB | 53 | push ebx |005167EC | 56 | push esi |005167ED | 33DB | xor ebx,ebx |005167EF | 57 | push edi |005167F0 | 8BF1 | mov esi,ecx |005167F2 | 33C0 | xor eax,eax | eax:&"ActId"005167F4 | 895C84 1C | mov dword ptr ss:[esp+eax*4+1C],ebx |005167F8 | 899C84 1C020000 | mov dword ptr ss:[esp+eax*4+21C],ebx |005167FF | 40 | inc eax | eax:&"ActId"00516800 | 3D 80000000 | cmp eax,80 | eax:&"ActId"00516805 | 72 ED | jb sourceinsight4.5167F4 |00516807 | 899C24 24040000 | mov dword ptr ss:[esp+424],ebx |0051680E | 8D4424 1C | lea eax,dword ptr ss:[esp+1C] |00516812 | 50 | push eax | eax:&"ActId"00516813 | 8D8E 5C070000 | lea ecx,dword ptr ds:[esi+75C] | esi+75C:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"00516819 | 51 | push ecx |0051681A | E8 71E9FFFF | call sourceinsight4.515190 | 解释文件中数据,并保存。0051681F | 83C4 08 | add esp,8 |00516822 | 8D5424 0C | lea edx,dword ptr ss:[esp+C] |00516826 | 52 | push edx |00516827 | 68 CCD05E00 | push sourceinsight4.5ED0CC | 5ED0CC:"Type"0051682C | 8D4C24 24 | lea ecx,dword ptr ss:[esp+24] | [esp+24]:"ActId"00516830 | 899E 0C060000 | mov dword ptr ds:[esi+60C],ebx |00516836 | E8 85DDFFFF | call sourceinsight4.5145C0 | 取出 Type 字段的值0051683B | 85C0 | test eax,eax | eax:&"ActId"0051683D | 74 58 | je sourceinsight4.516897 |0051683F | 8B7C24 0C | mov edi,dword ptr ss:[esp+C] |00516843 | 68 DCA25F00 | push sourceinsight4.5FA2DC | 5FA2DC:"Trial"00516848 | 57 | push edi |00516849 | E8 DCA50B00 | call sourceinsight4.5D0E2A | stricmp(["Type"], "Trial")0051684E | 83C4 08 | add esp,8 |00516851 | 85C0 | test eax,eax | eax:&"ActId"00516853 | 75 0C | jne sourceinsight4.516861 |00516855 | C786 0C060000 01000000 | mov dword ptr ds:[esi+60C],1 |0051685F | EB 36 | jmp sourceinsight4.516897 |00516861 | 68 8C616000 | push sourceinsight4.60618C | 60618C:"Beta"00516866 | 57 | push edi |00516867 | E8 BEA50B00 | call sourceinsight4.5D0E2A |0051686C | 83C4 08 | add esp,8 |0051686F | 85C0 | test eax,eax | eax:&"ActId"00516871 | 75 0C | jne sourceinsight4.51687F |00516873 | C786 0C060000 03000000 | mov dword ptr ds:[esi+60C],3 |0051687D | EB 18 | jmp sourceinsight4.516897 |0051687F | 68 80616000 | push sourceinsight4.606180 | 606180:"Standard"00516884 | 57 | push edi |00516885 | E8 A0A50B00 | call sourceinsight4.5D0E2A |0051688A | 83C4 08 | add esp,8 |0051688D | 85C0 | test eax,eax | eax:&"ActId"0051688F | 75 06 | jne sourceinsight4.516897 |00516891 | 899E 0C060000 | mov dword ptr ds:[esi+60C],ebx |00516897 | 8D4424 0C | lea eax,dword ptr ss:[esp+C] |0051689B | 50 | push eax | eax:&"ActId"0051689C | 68 D0656000 | push sourceinsight4.6065D0 | 6065D0:"LicensedUser"005168A1 | 8D4C24 24 | lea ecx,dword ptr ss:[esp+24] | [esp+24]:"ActId"005168A5 | E8 16DDFFFF | call sourceinsight4.5145C0 | 取出 ["LicensedUser"] 的值005168AA | 85C0 | test eax,eax | eax:&"ActId"005168AC | 0F84 36030000 | je sourceinsight4.516BE8 |005168B2 | 8B4C24 0C | mov ecx,dword ptr ss:[esp+C] |005168B6 | 51 | push ecx |005168B7 | 8D96 04010000 | lea edx,dword ptr ds:[esi+104] |005168BD | 52 | push edx |005168BE | E8 BD4E0A00 | call sourceinsight4.5BB780 | strcpy(edx, ["LicensedUser"])005168C3 | 83C4 08 | add esp,8 |005168C6 | 8D4424 0C | lea eax,dword ptr ss:[esp+C] |005168CA | 50 | push eax | eax:&"ActId"005168CB | 68 C0656000 | push sourceinsight4.6065C0 | 6065C0:"Organization"005168D0 | 8D4C24 24 | lea ecx,dword ptr ss:[esp+24] | [esp+24]:"ActId"005168D4 | E8 E7DCFFFF | call sourceinsight4.5145C0 | 取出 ["Organization"] 的值005168D9 | 85C0 | test eax,eax | eax:&"ActId"005168DB | 74 14 | je sourceinsight4.5168F1 |005168DD | 8B4C24 0C | mov ecx,dword ptr ss:[esp+C] |005168E1 | 51 | push ecx |005168E2 | 8D96 04020000 | lea edx,dword ptr ds:[esi+204] |005168E8 | 52 | push edx |005168E9 | E8 924E0A00 | call sourceinsight4.5BB780 | strcpy(edx, ["Organization"])005168EE | 83C4 08 | add esp,8 |005168F1 | 8D4424 0C | lea eax,dword ptr ss:[esp+C] |005168F5 | 50 | push eax | eax:&"ActId"005168F6 | 68 B8656000 | push sourceinsight4.6065B8 | 6065B8:"Email"005168FB | 8D4C24 24 | lea ecx,dword ptr ss:[esp+24] | [esp+24]:"ActId"005168FF | E8 BCDCFFFF | call sourceinsight4.5145C0 | 取出 ["Email"] 的值00516904 | 85C0 | test eax,eax | eax:&"ActId"00516906 | 74 14 | je sourceinsight4.51691C |00516908 | 8B4C24 0C | mov ecx,dword ptr ss:[esp+C] |0051690C | 51 | push ecx |0051690D | 8D96 04030000 | lea edx,dword ptr ds:[esi+304] |00516913 | 52 | push edx |00516914 | E8 674E0A00 | call sourceinsight4.5BB780 | strcpy(edx, ["Email"])00516919 | 83C4 08 | add esp,8 |0051691C | 8D4424 0C | lea eax,dword ptr ss:[esp+C] |00516920 | 50 | push eax | eax:&"ActId"00516921 | 68 B0656000 | push sourceinsight4.6065B0 | 6065B0:"Serial"00516926 | 8D4C24 24 | lea ecx,dword ptr ss:[esp+24] | [esp+24]:"ActId"0051692A | E8 91DCFFFF | call sourceinsight4.5145C0 | 取出 ["Serial"] 的值0051692F | 85C0 | test eax,eax | eax:&"ActId"00516931 | 0F84 B1020000 | je sourceinsight4.516BE8 |00516937 | 8B4C24 0C | mov ecx,dword ptr ss:[esp+C] |0051693B | 55 | push ebp |0051693C | 51 | push ecx |0051693D | 8D6E 04 | lea ebp,dword ptr ds:[esi+4] |00516940 | 55 | push ebp |00516941 | E8 3A4E0A00 | call sourceinsight4.5BB780 | strcpy(edx, ["Serial"])00516946 | 83C4 08 | add esp,8 |00516949 | 8D5424 10 | lea edx,dword ptr ss:[esp+10] |0051694D | 52 | push edx |0051694E | 68 A8656000 | push sourceinsight4.6065A8 | 6065A8:"ActId"00516953 | 8D4C24 28 | lea ecx,dword ptr ss:[esp+28] | [esp+28]:"Serial"00516957 | E8 64DCFFFF | call sourceinsight4.5145C0 | 取出 ["ActId"] 的值0051695C | 85C0 | test eax,eax | eax:&"ActId"0051695E | 0F84 66020000 | je sourceinsight4.516BCA |00516964 | 8B4424 10 | mov eax,dword ptr ss:[esp+10] |00516968 | 50 | push eax | eax:&"ActId"00516969 | 8DBE 3A060000 | lea edi,dword ptr ds:[esi+63A] |0051696F | 57 | push edi |00516970 | E8 0B4E0A00 | call sourceinsight4.5BB780 | strcpy(edx, ["ActId"])00516975 | 68 7F1B0000 | push 1B7F |0051697A | 6A 32 | push 32 |0051697C | 6A 04 | push 4 |0051697E | 68 701A6500 | push sourceinsight4.651A70 |00516983 | 57 | push edi |00516984 | E8 E7CBEEFF | call sourceinsight4.403570 | 检查 ["ActId"] 的值00516989 | 33C9 | xor ecx,ecx |0051698B | 3BC3 | cmp eax,ebx | eax:&"ActId"0051698D | 0F9FC1 | setg cl |00516990 | 68 9C656000 | push sourceinsight4.60659C | 60659C:"Deferred"00516995 | 57 | push edi |00516996 | 8BD9 | mov ebx,ecx |00516998 | E8 8DA40B00 | call sourceinsight4.5D0E2A | stricmp(["ActId"], "Deferred")0051699D | 83C4 24 | add esp,24 |005169A0 | 85C0 | test eax,eax | eax:&"ActId"005169A2 | 75 38 | jne sourceinsight4.5169DC |005169A4 | C706 02000000 | mov dword ptr ds:[esi],2 |005169AA | C78424 28040000 FFFFFF | mov dword ptr ss:[esp+428],FFFFFFFF |005169B5 | 8D4C24 20 | lea ecx,dword ptr ss:[esp+20] |005169B9 | E8 22DBFFFF | call sourceinsight4.5144E0 | 释放掉保存的文件数据005169BE | B8 C8000000 | mov eax,C8 | 返回值为 0XC8,表示通过检查。005169C3 | 5D | pop ebp |005169C4 | 5F | pop edi |005169C5 | 5E | pop esi |005169C6 | 5B | pop ebx |005169C7 | 8B8C24 10040000 | mov ecx,dword ptr ss:[esp+410] |005169CE | 64:890D 00000000 | mov dword ptr fs:[0],ecx |005169D5 | 81C4 1C040000 | add esp,41C |005169DB | C3 | ret | 005169DC | 33D2 | xor edx,edx |005169DE | 85DB | test ebx,ebx |005169E0 | 0F94C2 | sete dl |005169E3 | 8D4424 14 | lea eax,dword ptr ss:[esp+14] |005169E7 | 8D4C24 18 | lea ecx,dword ptr ss:[esp+18] |005169EB | 52 | push edx |005169EC | 50 | push eax | eax:&"ActId"005169ED | 51 | push ecx |005169EE | 8D5424 28 | lea edx,dword ptr ss:[esp+28] | [esp+28]:"Serial"005169F2 | 52 | push edx |005169F3 | 55 | push ebp |005169F4 | E8 A7E1FFFF | call sourceinsight4.514BA0 | 检查 ["Serial"]005169F9 | 83C4 14 | add esp,14 |005169FC | 85C0 | test eax,eax | eax:&"ActId"005169FE | 74 0C | je sourceinsight4.516A0C |00516A00 | 8B4424 18 | mov eax,dword ptr ss:[esp+18] |00516A04 | 3B86 0C060000 | cmp eax,dword ptr ds:[esi+60C] | eax:&"ActId"00516A0A | 74 1B | je sourceinsight4.516A27 |00516A0C | C78424 28040000 FFFFFF | mov dword ptr ss:[esp+428],FFFFFFFF |00516A17 | 8D4C24 20 | lea ecx,dword ptr ss:[esp+20] |00516A1B | E8 C0DAFFFF | call sourceinsight4.5144E0 |00516A20 | B8 EF010000 | mov eax,1EF | eax:&"ActId"00516A25 | EB 9C | jmp sourceinsight4.5169C3 |00516A27 | 0FB60D 13956500 | movzx ecx,byte ptr ds:[659513] |00516A2E | 8B7C24 14 | mov edi,dword ptr ss:[esp+14] |00516A32 | 3BF9 | cmp edi,ecx |00516A34 | 0F85 BA000000 | jne sourceinsight4.516AF4 |00516A3A | 55 | push ebp |00516A3B | B9 40846600 | mov ecx,sourceinsight4.668440 |00516A40 | E8 CB6FF4FF | call sourceinsight4.45DA10 |00516A45 | 85C0 | test eax,eax | eax:&"ActId"00516A47 | 74 1E | je sourceinsight4.516A67 |00516A49 | C78424 28040000 FFFFFF | mov dword ptr ss:[esp+428],FFFFFFFF |00516A54 | 8D4C24 20 | lea ecx,dword ptr ss:[esp+20] |00516A58 | E8 83DAFFFF | call sourceinsight4.5144E0 |00516A5D | B8 CC010000 | mov eax,1CC | eax:&"ActId"00516A62 | E9 5CFFFFFF | jmp sourceinsight4.5169C3 |00516A67 | 85DB | test ebx,ebx |00516A69 | 75 37 | jne sourceinsight4.516AA2 |00516A6B | 8D5424 10 | lea edx,dword ptr ss:[esp+10] |00516A6F | 52 | push edx |00516A70 | 68 94656000 | push sourceinsight4.606594 | 606594:"HWID"00516A75 | 8D4C24 28 | lea ecx,dword ptr ss:[esp+28] | [esp+28]:"Serial"00516A79 | C706 01000000 | mov dword ptr ds:[esi],1 |00516A7F | E8 3CDBFFFF | call sourceinsight4.5145C0 |00516A84 | 85C0 | test eax,eax | eax:&"ActId"00516A86 | 0F84 3E010000 | je sourceinsight4.516BCA |00516A8C | 8B4424 10 | mov eax,dword ptr ss:[esp+10] |00516A90 | 50 | push eax | eax:&"ActId"00516A91 | 8D8E 28060000 | lea ecx,dword ptr ds:[esi+628] |00516A97 | 51 | push ecx |00516A98 | E8 E34C0A00 | call sourceinsight4.5BB780 |00516A9D | 83C4 08 | add esp,8 |00516AA0 | EB 06 | jmp sourceinsight4.516AA8 |00516AA2 | C706 03000000 | mov dword ptr ds:[esi],3 |00516AA8 | 8D5424 10 | lea edx,dword ptr ss:[esp+10] |00516AAC | 52 | push edx |00516AAD | 68 10AC5D00 | push sourceinsight4.5DAC10 | 5DAC10:"Version"00516AB2 | 8D4C24 28 | lea ecx,dword ptr ss:[esp+28] | [esp+28]:"Serial"00516AB6 | E8 05DBFFFF | call sourceinsight4.5145C0 | 取出 ["Version"] 的值00516ABB | 85C0 | test eax,eax | eax:&"ActId"00516ABD | 0F84 07010000 | je sourceinsight4.516BCA |00516AC3 | 8B4424 10 | mov eax,dword ptr ss:[esp+10] |00516AC7 | 8A00 | mov al,byte ptr ds:[eax] | eax:&"ActId"00516AC9 | 3C 30 | cmp al,30 | 30:'0'00516ACB | 0F8C F9000000 | jl sourceinsight4.516BCA |00516AD1 | 3C 39 | cmp al,39 | 39:'9'00516AD3 | 0F8F F1000000 | jg sourceinsight4.516BCA |00516AD9 | 0FBEC0 | movsx eax,al | eax:&"ActId"00516ADC | 83C0 D0 | add eax,FFFFFFD0 | eax:&"ActId"00516ADF | 8986 04060000 | mov dword ptr ds:[esi+604],eax | eax:&"ActId"00516AE5 | 0FB60D 13956500 | movzx ecx,byte ptr ds:[659513] |00516AEC | 3BC1 | cmp eax,ecx | eax:&"ActId"00516AEE | 75 04 | jne sourceinsight4.516AF4 |00516AF0 | 3BC7 | cmp eax,edi | eax:&"ActId"00516AF2 | 74 1E | je sourceinsight4.516B12 |00516AF4 | C78424 28040000 FFFFFF | mov dword ptr ss:[esp+428],FFFFFFFF |00516AFF | 8D4C24 20 | lea ecx,dword ptr ss:[esp+20] |00516B03 | E8 D8D9FFFF | call sourceinsight4.5144E0 |00516B08 | B8 EA010000 | mov eax,1EA | eax:&"ActId"00516B0D | E9 B1FEFFFF | jmp sourceinsight4.5169C3 |00516B12 | 8D5424 10 | lea edx,dword ptr ss:[esp+10] |00516B16 | 33DB | xor ebx,ebx |00516B18 | 52 | push edx |00516B19 | 68 88656000 | push sourceinsight4.606588 | 606588:"Expiration"00516B1E | 8D4C24 28 | lea ecx,dword ptr ss:[esp+28] | [esp+28]:"Serial"00516B22 | 899E 18060000 | mov dword ptr ds:[esi+618],ebx |00516B28 | 899E 14060000 | mov dword ptr ds:[esi+614],ebx |00516B2E | 899E 10060000 | mov dword ptr ds:[esi+610],ebx |00516B34 | E8 87DAFFFF | call sourceinsight4.5145C0 | 取出 ["Expiration"] 的值00516B39 | 85C0 | test eax,eax | eax:&"ActId"00516B3B | 74 1F | je sourceinsight4.516B5C |00516B3D | 8B4424 10 | mov eax,dword ptr ss:[esp+10] |00516B41 | 50 | push eax | eax:&"ActId"00516B42 | 8D8E 10060000 | lea ecx,dword ptr ds:[esi+610] |00516B48 | E8 E394F3FF | call sourceinsight4.450030 |00516B4D | 8D8E 10060000 | lea ecx,dword ptr ds:[esi+610] |00516B53 | E8 8881F3FF | call sourceinsight4.44ECE0 |00516B58 | 85C0 | test eax,eax | eax:&"ActId"00516B5A | 74 50 | je sourceinsight4.516BAC |00516B5C | 8D4C24 10 | lea ecx,dword ptr ss:[esp+10] |00516B60 | 51 | push ecx |00516B61 | 68 D8A65E00 | push sourceinsight4.5EA6D8 | 5EA6D8:"Date"00516B66 | 8D4C24 28 | lea ecx,dword ptr ss:[esp+28] | [esp+28]:"Serial"00516B6A | 899E 24060000 | mov dword ptr ds:[esi+624],ebx |00516B70 | 899E 20060000 | mov dword ptr ds:[esi+620],ebx |00516B76 | 899E 1C060000 | mov dword ptr ds:[esi+61C],ebx |00516B7C | E8 3FDAFFFF | call sourceinsight4.5145C0 | 取出 ["Date"] 的值00516B81 | 85C0 | test eax,eax | eax:&"ActId"00516B83 | 0F84 21FEFFFF | je sourceinsight4.5169AA |00516B89 | 8B5424 10 | mov edx,dword ptr ss:[esp+10] |00516B8D | 52 | push edx |00516B8E | 8D8E 1C060000 | lea ecx,dword ptr ds:[esi+61C] |00516B94 | E8 9794F3FF | call sourceinsight4.450030 | 检查日期的有效性00516B99 | 8D8E 1C060000 | lea ecx,dword ptr ds:[esi+61C] |00516B9F | E8 3C81F3FF | call sourceinsight4.44ECE0 |00516BA4 | 85C0 | test eax,eax | 检查年、月、日的有效性00516BA6 | 0F85 FEFDFFFF | jne sourceinsight4.5169AA |00516BAC | C78424 28040000 FFFFFF | mov dword ptr ss:[esp+428],FFFFFFFF |00516BB7 | 8D4C24 20 | lea ecx,dword ptr ss:[esp+20] |00516BBB | E8 20D9FFFF | call sourceinsight4.5144E0 |00516BC0 | B8 E3010000 | mov eax,1E3 | eax:&"ActId"00516BC5 | E9 F9FDFFFF | jmp sourceinsight4.5169C3 |00516BCA | C78424 28040000 FFFFFF | mov dword ptr ss:[esp+428],FFFFFFFF |00516BD5 | 8D4C24 20 | lea ecx,dword ptr ss:[esp+20] |00516BD9 | E8 02D9FFFF | call sourceinsight4.5144E0 |00516BDE | B8 D5010000 | mov eax,1D5 | eax:&"ActId"00516BE3 | E9 DBFDFFFF | jmp sourceinsight4.5169C3 |00516BE8 | C78424 24040000 FFFFFF | mov dword ptr ss:[esp+424],FFFFFFFF |00516BF3 | 8D4C24 1C | lea ecx,dword ptr ss:[esp+1C] |00516BF7 | E8 E4D8FFFF | call sourceinsight4.5144E0 |00516BFC | 8B8C24 1C040000 | mov ecx,dword ptr ss:[esp+41C] |00516C03 | 5F | pop edi |00516C04 | 5E | pop esi |00516C05 | B8 D5010000 | mov eax,1D5 | eax:&"ActId"00516C0A | 5B | pop ebx |00516C0B | 64:890D 00000000 | mov dword ptr fs:[0],ecx |00516C12 | 81C4 1C040000 | add esp,41C |00516C18 | C3 | ret | |
3.2 校验 Signature
校验 Signature 字段就是读取 si.lic 文件中 Signature 块之前的所有字符,去除掉空格和换行后,通过 00402FF0() 函数生成二进制签名数据,然后对 Signature 块中 Value 字段的字符串进行 Base64 解码,生成二进制签名数据。最后比较这两个签名数据是否相同,相同则返回 0xC8。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 | 00515F90 | B8 24210000 | mov eax,2124 |00515F95 | E8 36850A00 | call sourceinsight4.5BE4D0 |00515F9A | 56 | push esi |00515F9B | 8BB424 2C210000 | mov esi,dword ptr ss:[esp+212C] |00515FA2 | 68 A01F0000 | push 1FA0 |00515FA7 | 8D8424 8C010000 | lea eax,dword ptr ss:[esp+18C] |00515FAE | 50 | push eax |00515FAF | 56 | push esi |00515FB0 | E8 5BE6FFFF | call sourceinsight4.514610 | 打开文件,并读取内容。00515FB5 | 83C4 0C | add esp,C |00515FB8 | 3D C8000000 | cmp eax,C8 |00515FBD | 0F85 49010000 | jne sourceinsight4.51610C |00515FC3 | 8B8C24 30210000 | mov ecx,dword ptr ss:[esp+2130] |00515FCA | 51 | push ecx | ecx:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"00515FCB | 8D9424 8C010000 | lea edx,dword ptr ss:[esp+18C] |00515FD2 | 52 | push edx |00515FD3 | E8 88F8FFFF | call sourceinsight4.515860 | 00515FD8 | 56 | push esi |00515FD9 | E8 0257F4FF | call sourceinsight4.45B6E0 | 将文件内容转换为 XML 格式00515FDE | 83C4 0C | add esp,C |00515FE1 | 85C0 | test eax,eax |00515FE3 | 75 0D | jne sourceinsight4.515FF2 |00515FE5 | B8 CC010000 | mov eax,1CC |00515FEA | 5E | pop esi |00515FEB | 81C4 24210000 | add esp,2124 |00515FF1 | C3 | ret |00515FF2 | 68 085E6000 | push sourceinsight4.605E08 | 605E08:"Signature"00515FF7 | 8BC8 | mov ecx,eax | ecx:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"00515FF9 | E8 722AF4FF | call sourceinsight4.458A70 | 判断是否有 "Sigature" 字段00515FFE | 8BF0 | mov esi,eax |00516000 | 85F6 | test esi,esi |00516002 | 74 E1 | je sourceinsight4.515FE5 |00516004 | 68 889D5E00 | push sourceinsight4.5E9D88 | 5E9D88:"Value"00516009 | 8BCE | mov ecx,esi | ecx:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"0051600B | E8 4032F4FF | call sourceinsight4.459250 | 检查 "Value" 是否存在00516010 | 85C0 | test eax,eax |00516012 | 74 D1 | je sourceinsight4.515FE5 |00516014 | 55 | push ebp |00516015 | 57 | push edi |00516016 | 8B78 18 | mov edi,dword ptr ds:[eax+18] |00516019 | 8B46 20 | mov eax,dword ptr ds:[esi+20] |0051601C | 8D8C24 90010000 | lea ecx,dword ptr ss:[esp+190] |00516023 | 51 | push ecx | ecx:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"00516024 | C68404 94010000 00 | mov byte ptr ss:[esp+eax+194],0 |0051602C | E8 AFE8F2FF | call sourceinsight4.4448E0 | 00516031 | 8BE8 | mov ebp,eax |00516033 | 83C4 04 | add esp,4 |00516036 | 85ED | test ebp,ebp |00516038 | 75 0F | jne sourceinsight4.516049 |0051603A | 5F | pop edi |0051603B | 5D | pop ebp |0051603C | B8 EC010000 | mov eax,1EC |00516041 | 5E | pop esi |00516042 | 81C4 24210000 | add esp,2124 |00516048 | C3 | ret |00516049 | 55 | push ebp |0051604A | 8D9424 94010000 | lea edx,dword ptr ss:[esp+194] |00516051 | 68 0C606000 | push sourceinsight4.60600C | 60600C:"\n\r\t "00516056 | 52 | push edx |00516057 | E8 14EAF2FF | call sourceinsight4.444A70 | 取出掉文件数据中的空白字符和换行符0051605C | 83C4 0C | add esp,C |0051605F | 8D4424 10 | lea eax,dword ptr ss:[esp+10] |00516063 | 50 | push eax |00516064 | 68 80000000 | push 80 |00516069 | 68 B0070000 | push 7B0 |0051606E | 55 | push ebp |0051606F | E8 6C4E0A00 | call sourceinsight4.5BAEE0 | 计算长度00516074 | 83C4 04 | add esp,4 |00516077 | 40 | inc eax |00516078 | 50 | push eax |00516079 | 55 | push ebp |0051607A | E8 91D1EEFF | call sourceinsight4.403210 | 1.0051607F | 8D4C24 20 | lea ecx,dword ptr ss:[esp+20] |00516083 | 51 | push ecx | ecx:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"00516084 | 8D9424 A8000000 | lea edx,dword ptr ss:[esp+A8] |0051608B | 52 | push edx |0051608C | 57 | push edi |0051608D | E8 6ECEEEFF | call sourceinsight4.402F00 | 2. 对 Signature 块中 Value 字段的字符串进行 Base64 解码 00516092 | 83C4 20 | add esp,20 |00516095 | 817C24 0C 80000000 | cmp dword ptr ss:[esp+C],80 |0051609D | 75 50 | jne sourceinsight4.5160EF |0051609F | B8 80000000 | mov eax,80 |005160A4 | 8D4C24 10 | lea ecx,dword ptr ss:[esp+10] |005160A8 | 8DB424 90000000 | lea esi,dword ptr ss:[esp+90] | esi:EntryPoint005160AF | 90 | nop |005160B0 | 8B16 | mov edx,dword ptr ds:[esi] | edx:EntryPoint, esi:EntryPoint005160B2 | 3B11 | cmp edx,dword ptr ds:[ecx] | edx:EntryPoint, ecx:EntryPoint005160B4 | 75 39 | jne sourceinsight4_original.5160EF |005160B6 | 83E8 04 | sub eax,4 |005160B9 | 83C1 04 | add ecx,4 | ecx:EntryPoint005160BC | 83C6 04 | add esi,4 | esi:EntryPoint005160BF | 83F8 04 | cmp eax,4 |005160C2 | 73 EC | jae sourceinsight4.5160B0 |005160C4 | 85C0 | test eax,eax |005160C6 | 74 20 | je sourceinsight4.5160E8 |005160C8 | 8A11 | mov dl,byte ptr ds:[ecx] | ecx:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"005160CA | 3A16 | cmp dl,byte ptr ds:[esi] |005160CC | 75 21 | jne sourceinsight4.5160EF |005160CE | 83F8 01 | cmp eax,1 |005160D1 | 76 15 | jbe sourceinsight4.5160E8 |005160D3 | 8A51 01 | mov dl,byte ptr ds:[ecx+1] | ecx+1:":\\ProgramData\\Source Insight\\4.0\\si4.lic"005160D6 | 3A56 01 | cmp dl,byte ptr ds:[esi+1] |005160D9 | 75 14 | jne sourceinsight4.5160EF |005160DB | 83F8 02 | cmp eax,2 |005160DE | 76 08 | jbe sourceinsight4.5160E8 |005160E0 | 8A41 02 | mov al,byte ptr ds:[ecx+2] | ecx+2:"\\ProgramData\\Source Insight\\4.0\\si4.lic"005160E3 | 3A46 02 | cmp al,byte ptr ds:[esi+2] |005160E6 | 75 07 | jne sourceinsight4.5160EF |005160E8 | BE 01000000 | mov esi,1 |005160ED | EB 02 | jmp sourceinsight4.5160F1 |005160EF | 33F6 | xor esi,esi |005160F1 | 55 | push ebp |005160F2 | E8 39EDF0FF | call sourceinsight4.424E30 |005160F7 | 83C4 04 | add esp,4 |005160FA | 8BC6 | mov eax,esi |005160FC | F7D8 | neg eax |005160FE | 1BC0 | sbb eax,eax |00516100 | 25 FAFEFFFF | and eax,FFFFFEFA |00516105 | 5F | pop edi |00516106 | 05 CE010000 | add eax,1CE |0051610B | 5D | pop ebp |0051610C | 5E | pop esi |0051610D | 81C4 24210000 | add esp,2124 |00516113 | C3 | ret | |
生成二进制签名数据的函数:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 | 00402FF0 | 53 | push ebx |00402FF1 | 33DB | xor ebx,ebx |00402FF3 | 395C24 14 | cmp dword ptr ss:[esp+14],ebx |00402FF7 | 7E 5C | jle sourceinsight4.403055 |00402FF9 | 8B5424 1C | mov edx,dword ptr ss:[esp+1C] |00402FFD | 55 | push ebp |00402FFE | 56 | push esi |00402FFF | 8B7424 14 | mov esi,dword ptr ss:[esp+14] |00403003 | 57 | push edi | edi:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"00403004 | 8B7C24 14 | mov edi,dword ptr ss:[esp+14] |00403008 | EB 06 | jmp sourceinsight4.403010 |0040300A | 8D9B 00000000 | lea ebx,dword ptr ds:[ebx] |00403010 | 0FB607 | movzx eax,byte ptr ds:[edi] | edi:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"00403013 | 03C3 | add eax,ebx |00403015 | 034424 1C | add eax,dword ptr ss:[esp+1C] |00403019 | 25 FF000080 | and eax,800000FF |0040301E | 79 07 | jns sourceinsight4.403027 |00403020 | 48 | dec eax |00403021 | 0D 00FFFFFF | or eax,FFFFFF00 |00403026 | 40 | inc eax |00403027 | 8A0C10 | mov cl,byte ptr ds:[eax+edx] |0040302A | B8 01000000 | mov eax,1 |0040302F | 3BF0 | cmp esi,eax |00403031 | 7E 11 | jle sourceinsight4.403044 |00403033 | 0FB62C38 | movzx ebp,byte ptr ds:[eax+edi] |00403037 | 0FB6C9 | movzx ecx,cl | ecx:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"0040303A | 33E9 | xor ebp,ecx |0040303C | 8A0C2A | mov cl,byte ptr ds:[edx+ebp] |0040303F | 40 | inc eax |00403040 | 3BC6 | cmp eax,esi |00403042 | 7C EF | jl sourceinsight4.403033 |00403044 | 8B4424 24 | mov eax,dword ptr ss:[esp+24] |00403048 | 880C03 | mov byte ptr ds:[ebx+eax],cl |0040304B | 43 | inc ebx |0040304C | 3B5C24 20 | cmp ebx,dword ptr ss:[esp+20] |00403050 | 7C BE | jl sourceinsight4.403010 |00403052 | 5F | pop edi | edi:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"00403053 | 5E | pop esi |00403054 | 5D | pop ebp |00403055 | 5B | pop ebx |00403056 | C3 | ret | |
3.3 校验 ActId
LicenseProperties 块中的 ActId 字段的前四个字符是要和 ActId 表中的各个 ActId 进行比较的,只比较 4 个字符。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | int __cdecl sub_403570(char *pData, int a2, size_t Size_4, int n_x32, int n_1B7F){ int v5; // esi void *ppTable; // ebp int v7; // edi v5 = 0; ppTable = sub_403240(a2, Size_4, n_x32, n_1B7F);// 返回了存有很多的 ActId 的表 if ( n_x32 <= 0 ) {LABEL_4: sub_425090(ppTable); ReleaseBlock(ppTable); return 0; } else { while ( 1 ) { v7 = CheckActIdHeaderFourCharacter(*(ppTable + v5), Size_4, pData); if ( v7 == Size_4 ) // 只比较前面四个字符 break; if ( ++v5 >= n_x32 ) goto LABEL_4; } sub_425090(ppTable); ReleaseBlock(ppTable); return v7; }} |
ActId 表的内容:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 | "673A44D35B3608E5C603D775C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","44D35B3608E5C603D775C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","5B3608E5C603D775C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","08E5C603D775C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","C603D775C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","D775C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","16F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","55E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","00D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","4B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","18E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","3E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","87A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","68E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","13DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","0A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","61B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","76B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","3BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","0F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","F661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","49F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","4F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","52A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","03A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","0E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","74E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","1EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","FE7E83A6F5090AD61F3F365D1C67DA22A478FA17","83A6F5090AD61F3F365D1C67DA22A478FA17","F5090AD61F3F365D1C67DA22A478FA17","0AD61F3F365D1C67DA22A478FA17","1F3F365D1C67DA22A478FA17","365D1C67DA22A478FA17","1C67DA22A478FA17","DA22A478FA17","A478FA17" |
ActId 字段剩余的字符是通过 C 盘的卷 ID 和 Process Token Sid 和计算机名称拼接而成字符串,再通过 00402FF0() 函数生成四个字节的校验码,最后转换为十进制的字符串而生成的。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 | 00517920 | 81EC 00010000 | sub esp,100 |00517926 | 56 | push esi |00517927 | 57 | push edi | edi:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"00517928 | 68 7F1B0000 | push 1B7F |0051792D | 6A 32 | push 32 |0051792F | 8BF1 | mov esi,ecx |00517931 | 6A 04 | push 4 |00517933 | 8D86 3A060000 | lea eax,dword ptr ds:[esi+63A] | eax:"673A2434362875", esi+63A:"673A2434362875"00517939 | 68 701A6500 | push sourceinsight4.651A70 |0051793E | 50 | push eax | eax:"673A2434362875"0051793F | E8 2CBCEEFF | call sourceinsight4.403570 | 1. 检查 ActId 的前四个字符00517944 | 8BF8 | mov edi,eax | edi:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic", eax:"673A2434362875"00517946 | 83C4 14 | add esp,14 |00517949 | 85FF | test edi,edi | edi:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"0051794B | 75 0B | jne sourceinsight4.517958 |0051794D | 5F | pop edi | edi:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"0051794E | 33C0 | xor eax,eax | eax:"673A2434362875"00517950 | 5E | pop esi |00517951 | 81C4 00010000 | add esp,100 |00517957 | C3 | ret |00517958 | 8D4C24 08 | lea ecx,dword ptr ss:[esp+8] |0051795C | 6A 00 | push 0 |0051795E | 51 | push ecx |0051795F | E8 7CF5FFFF | call sourceinsight4.516EE0 | 2. C 盘的卷 ID 和 Process Token Sid 和计算机名称生成一个校验字符串。00517964 | 83C4 08 | add esp,8 |00517967 | 85C0 | test eax,eax | eax:"673A2434362875"00517969 | 74 E2 | je sourceinsight4.51794D |0051796B | 8D5424 08 | lea edx,dword ptr ss:[esp+8] |0051796F | 52 | push edx |00517970 | 8D8437 3A060000 | lea eax,dword ptr ds:[edi+esi+63A] | eax:"673A2434362875"00517977 | 50 | push eax | eax:"673A2434362875"00517978 | E8 83400A00 | call sourceinsight4.5BBA00 | ActId 剩余字符串和校验字符串的比较0051797D | 83C4 08 | add esp,8 |00517980 | F7D8 | neg eax | eax:"673A2434362875"00517982 | 1BC0 | sbb eax,eax | eax:"673A2434362875"00517984 | 5F | pop edi | edi:"C:\\ProgramData\\Source Insight\\4.0\\si4.lic"00517985 | 40 | inc eax | eax:"673A2434362875"00517986 | 5E | pop esi |00517987 | 81C4 00010000 | add esp,100 |0051798D | C3 | ret | |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | int __cdecl sub_516EE0(char *Buffer, int a2){ int v3; // [esp+0h] [ebp-314h] BYREF char v4[784]; // [esp+4h] [ebp-310h] BYREF sub_515050(v4); if ( sub_515220(v4) ) // 获取硬盘Id、token、电脑名信息 { sub_514810(v4, 4, &v3, a2); // 根据硬盘Id、token、电脑名信息发生校验码 sprintf(Buffer, "%u", v3); // 将校验码转换为十进制字符串格式 return 1; } else { *Buffer = 0; return 0; }} |
获取 C 盘卷 ID 的函数
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 | int __cdecl sub_44F2A0(void *a1){ unsigned int v1; // eax char *v2; // eax const WCHAR *v3; // eax size_t v4; // eax signed int v5; // eax size_t v6; // esi CHAR Str[256]; // [esp+4h] [ebp-51Ch] BYREF char Buf2[11]; // [esp+104h] [ebp-41Ch] BYREF char Src[245]; // [esp+10Fh] [ebp-411h] BYREF char v11[272]; // [esp+204h] [ebp-31Ch] BYREF WCHAR szVolumeName[256]; // [esp+314h] [ebp-20Ch] BYREF int v13; // [esp+51Ch] [ebp-4h] *(_BYTE *)a1 = 0; v1 = sub_4573D0("SystemDrive", Str, 0x100u); if ( v1 < 0x100 && v1 ) { Str[v1] = 0; if ( Str[0] ) goto LABEL_5; } else { Str[0] = 0; } strcpy(Str, "C:\\");LABEL_5: v2 = &Str[strlen(Str)]; if ( v2 != Str ) --v2; if ( *v2 != 92 ) strcat(Str, "\\"); sub_4534A0(Str); v13 = 0; v3 = (const WCHAR *)sub_453B10(v11); if ( GetVolumeNameForVolumeMountPointW(v3, szVolumeName, 0xFFu) && (sub_447330(szVolumeName, Buf2, 255), strlen(Buf2) >= 0x30) && (v4 = strlen("\\\\?\\Volume{"), !memcmp("\\\\?\\Volume{", Buf2, v4)) ) { v5 = strlen(Src); v6 = 36; if ( v5 <= 36 ) v6 = v5; memcpy(a1, Src, v6); *((_BYTE *)a1 + v6) = 0; v13 = -1; sub_453360(v11); return 1; } else { v13 = -1; sub_453360(v11); return 0; }} |
获取 Process Token Sid 的函数
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 | int __cdecl sub_44F490(HANDLE TokenHandle){ CHAR *v1; // ebx HANDLE CurrentProcess; // eax PSID *v4; // esi DWORD ReturnLength; // [esp+4h] [ebp-8h] BYREF LPWSTR StringSid; // [esp+8h] [ebp-4h] BYREF v1 = (CHAR *)TokenHandle; *(_BYTE *)TokenHandle = 0; CurrentProcess = GetCurrentProcess(); if ( !CurrentProcess ) return 0; TokenHandle = 0; if ( !OpenProcessToken(CurrentProcess, 8u, &TokenHandle) ) return 0; if ( (GetTokenInformation(TokenHandle, TokenUser, 0, 0, &ReturnLength) || GetLastError() == 122) && (v4 = (PSID *)sub_425300(ReturnLength, 1), GetTokenInformation(TokenHandle, TokenUser, v4, ReturnLength, &ReturnLength)) && ConvertSidToStringSidW(*v4, &StringSid) ) { sub_447330(StringSid, v1, 255); LocalFree(StringSid); sub_424E30(v4); CloseHandle(TokenHandle); return 1; } else { CloseHandle(TokenHandle); return 0; }} |
获取计算机名称的函数
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | BOOL __cdecl sub_44D730(LPSTR lpMultiByteStr){ BOOL result; // eax DWORD nSize; // [esp+4h] [ebp-204h] BYREF WCHAR Buffer[256]; // [esp+8h] [ebp-200h] BYREF *lpMultiByteStr = 0; nSize = 256; result = GetComputerNameW(Buffer, &nSize); if ( result ) { Buffer[nSize] = 0; sub_447330(Buffer, lpMultiByteStr, 255); return 1; } return result;} |
拼接 C 盘的卷Id、token、电脑名,生成校验码的函数
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | int __cdecl sub_514810(const char *a1){ int v1; // eax char Str[512]; // [esp+0h] [ebp-200h] BYREF sprintf(Str, "%s%s%s", a1, a1 + 256, a1 + 512);// 将 C 盘的卷Id、token、电脑名信息拼接起来 v1 = strlen(Str); return sub_403210((int)Str, v1); // 生成校验码}int __cdecl sub_403210(int a1, int a2){ int v3; // [esp+Ch] [ebp+Ch] int v4; // [esp+10h] [ebp+10h] int v5; // [esp+14h] [ebp+14h] return sub_402FF0(a1, a2, v3, v4, v5, &byte_5D6B98);} |
四、注册机
通过上述的注册函数的逆向,我们已经知道了 si,lic 文件是如何生成的了。我们可以按照 si,lic 的检验规则写出生成 si,lic 的注册机。然后通过注册机生成的 si.lic 文件实现离线注册。
- 按照序列号校验算法,编写序列号生成器。将生成的序列号填写 Serial 字段。
- 随机生成 LicensedUser、Organization、Email 字段。
- 获取当前日期填写 Date 字段。
- 读取 “ <Signature” 字符串之前的所有字符,调用 00402FF0() 函数生成二进制签名数据,再通过 Base64 编码生成字符串,填写 Signature 块的 Value 字段。
具体实现代码:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 | #include "pch.h"#include "CSourceInsightTool.h"#include "Base64.h"#include "Sddl.h"unsigned char byte_6060F0[] ={ 0x4B, 0x56, 0x39, 0x36, 0x47, 0x4D, 0x4A, 0x59, 0x48, 0x37, 0x51, 0x46, 0x35, 0x54, 0x43, 0x57, 0x34, 0x55, 0x33, 0x58, 0x5A, 0x50, 0x52, 0x53, 0x44, 0x4E, 0x00};unsigned char unk_606210[] ={ 0x23, 0xDD, 0x78, 0xB5, 0x33, 0x6F, 0xD4, 0xF9, 0xA6, 0xE8, 0xCC, 0x7C, 0x9F, 0xB3, 0x22, 0xDA, 0x32, 0xDF, 0x71, 0xB7, 0x61, 0x3D, 0x6B, 0x57, 0xD7, 0xA1, 0x34, 0x38, 0xF2, 0xE1, 0xF3, 0xB8, 0x1A, 0x80, 0xF5, 0xFE, 0x91, 0x01, 0x3C, 0x73, 0x93, 0x48, 0xA0, 0xE0, 0x94, 0xAA, 0x39, 0x8F, 0x58, 0xE2, 0x31, 0x0B, 0xBB, 0xCE, 0x4C, 0xD2, 0x56, 0xC2, 0x5E, 0x27, 0xB6, 0xFB, 0x65, 0xAE, 0x55, 0x60, 0xBD, 0x10, 0x86, 0xF7, 0xC1, 0x88, 0x12, 0xED, 0x67, 0xC4, 0x74, 0x30, 0x1B, 0xBC, 0x9A, 0xB0, 0xEF, 0x36, 0xC5, 0x72, 0x5B, 0x7E, 0x54, 0x2C, 0x0F, 0xF6, 0xA9, 0x85, 0x2A, 0xB1, 0x37, 0xF1, 0x2F, 0x4E, 0xE7, 0x6A, 0x75, 0xA8, 0x26, 0xEB, 0x3F, 0x6C, 0x69, 0x20, 0x87, 0x62, 0x8D, 0x68, 0xA5, 0xFA, 0x3A, 0x04, 0x21, 0x1F, 0xAC, 0x05, 0xA4, 0x76, 0x11, 0x70, 0x9E, 0x46, 0x24, 0x5D, 0xC6, 0xE4, 0x95, 0x82, 0x1C, 0xBA, 0x59, 0x09, 0xD9, 0x44, 0x98, 0x92, 0x07, 0xAF, 0xA7, 0x41, 0x96, 0x90, 0xB4, 0x42, 0x63, 0x99, 0xD0, 0x4D, 0x97, 0xBE, 0x40, 0xCF, 0x84, 0xE5, 0x1D, 0x5A, 0x0C, 0x7F, 0xC7, 0xEA, 0xEE, 0xEC, 0x00, 0xD5, 0x49, 0x2D, 0x51, 0xAD, 0xB9, 0x89, 0x77, 0x52, 0x3E, 0x8C, 0xE6, 0xFF, 0x15, 0xDE, 0x6D, 0x14, 0xA2, 0xCD, 0xA3, 0xD6, 0x17, 0x81, 0xC8, 0x45, 0x4B, 0x35, 0x0A, 0x0D, 0xFC, 0x9D, 0x16, 0x3B, 0xD3, 0x7D, 0xD1, 0xF4, 0xFD, 0xCA, 0x25, 0x06, 0x6E, 0xF8, 0x5F, 0xBF, 0x8A, 0x7B, 0x50, 0xD8, 0x79, 0x9C, 0xAB, 0x43, 0x53, 0xCB, 0x8E, 0x4F, 0xE3, 0xC9, 0x8B, 0xDC, 0x5C, 0xC0, 0x1E, 0x9B, 0x18, 0x02, 0x47, 0x03, 0x2B, 0x0E, 0x66, 0x4A, 0xB2, 0xF0, 0xE9, 0x19, 0x29, 0x7A, 0xC3, 0x08, 0x83, 0xDB, 0x64, 0x13, 0x2E, 0x28};int *__cdecl sub_5153C0(BYTE *pSerial, unsigned int nLength, BYTE *pData, int *pResult){ unsigned int i; // esi BYTE v5; // cl unsigned int j; // eax int *result; // eax for (i = 0; i < 4; *((BYTE *)pResult + i - 1) = byte_6060F0[v5 % 26]) { v5 = pData[(unsigned __int8)(i + *pSerial)]; for (j = 1; j < nLength; ++j) v5 = pData[v5 ^ (char)pSerial[j]]; result = pResult; ++i; } return result;}void CSourceInsightTool::GenerateSerial(char szSerial[20]){ int nResult = 0; sub_5153C0((BYTE *)szSerial, 15, unk_606210, &nResult); *(UINT32 *)&szSerial[15] = nResult; szSerial[19] = 0;}const char *gActIdTable[49] = { "673A44D35B3608E5C603D775C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "44D35B3608E5C603D775C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "5B3608E5C603D775C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "08E5C603D775C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "C603D775C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "D775C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "C76216F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "16F555E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "55E000D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "00D04B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "4B6718E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "18E33E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "3E93F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "F35887A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "87A8A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "A360D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "D2F468E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "68E313DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "13DC7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "7B3E047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "047E08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "08F10A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "0A51B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "B75561B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "61B5L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "L55576B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "76B63BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "3BF2D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "D7750F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "0F09557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "557AF661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "F661F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "F14849F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "49F94F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "4F2652A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "52A903A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "03A10E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "0E9074E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "74E61EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "1EA4FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "FE7E83A6F5090AD61F3F365D1C67DA22A478FA17", "83A6F5090AD61F3F365D1C67DA22A478FA17", "F5090AD61F3F365D1C67DA22A478FA17", "0AD61F3F365D1C67DA22A478FA17", "1F3F365D1C67DA22A478FA17", "365D1C67DA22A478FA17", "1C67DA22A478FA17", "DA22A478FA17", "A478FA17"};unsigned char unk_5D6B98[] ={ 0x32, 0xDF, 0x71, 0xB7, 0x61, 0x3D, 0x6B, 0x57, 0xD7, 0xA1, 0x34, 0x38, 0xF2, 0xE1, 0xF3, 0xB8, 0x23, 0xDD, 0x78, 0xB5, 0x33, 0x6F, 0xD4, 0xF9, 0xA6, 0xE8, 0xCC, 0x7C, 0x9F, 0xB3, 0x22, 0xDA, 0x37, 0xF1, 0x2F, 0x4E, 0xE7, 0x6A, 0x75, 0xA8, 0x26, 0xEB, 0x3F, 0x6C, 0x69, 0x20, 0x87, 0x62, 0xA7, 0x41, 0x96, 0x90, 0xB4, 0x42, 0x63, 0x99, 0xD0, 0x4D, 0x97, 0xBE, 0x40, 0xCF, 0x84, 0xE5, 0x1D, 0x5A, 0x0C, 0x7F, 0xC7, 0xEA, 0xEE, 0xEC, 0x00, 0xD5, 0x49, 0x2D, 0x51, 0xAD, 0xB9, 0x89, 0x1A, 0x80, 0xF5, 0xFE, 0x91, 0x01, 0x3C, 0x73, 0x93, 0x48, 0xA0, 0xE0, 0x94, 0xAA, 0x39, 0x8F, 0x58, 0xE2, 0x31, 0x0B, 0xBB, 0xCE, 0x4C, 0xD2, 0x56, 0xC2, 0x5E, 0x27, 0xB6, 0xFB, 0x65, 0xAE, 0x9A, 0xB0, 0xEF, 0x36, 0xC5, 0x72, 0x5B, 0x7E, 0x54, 0x2C, 0x0F, 0xF6, 0xA9, 0x85, 0x2A, 0xB1, 0x55, 0x60, 0xBD, 0x10, 0x86, 0xF7, 0xC1, 0x88, 0x12, 0xED, 0x67, 0xC4, 0x74, 0x30, 0x1B, 0xBC, 0x77, 0x52, 0x3E, 0x8C, 0xE6, 0xFF, 0x15, 0xDE, 0x6D, 0x14, 0xA2, 0xCD, 0xA3, 0xD6, 0x17, 0x81, 0x8D, 0x68, 0xA5, 0xFA, 0x3A, 0x04, 0x21, 0x1F, 0xAC, 0x05, 0xA4, 0x76, 0x11, 0x70, 0x9E, 0x46, 0x24, 0x5D, 0xC6, 0xE4, 0x95, 0x82, 0x1C, 0xBA, 0x59, 0x09, 0xD9, 0x44, 0x98, 0x92, 0x07, 0xAF, 0xC8, 0x45, 0x4B, 0x35, 0x0A, 0x0D, 0xFC, 0x9D, 0x16, 0x3B, 0xD3, 0x7D, 0xD1, 0xF4, 0xFD, 0xCA, 0x8E, 0x4F, 0xE3, 0xC9, 0x8B, 0xDC, 0x5C, 0xC0, 0x1E, 0x9B, 0x18, 0x02, 0x47, 0x03, 0x2B, 0x0E, 0x25, 0x06, 0x6E, 0xF8, 0x5F, 0xBF, 0x8A, 0x7B, 0x50, 0xD8, 0x79, 0x9C, 0xAB, 0x43, 0x53, 0xCB, 0x66, 0x4A, 0xB2, 0xF0, 0xE9, 0x19, 0x29, 0x7A, 0xC3, 0x08, 0x83, 0xDB, 0x64, 0x13, 0x2E, 0x28};void __declspec(naked) __cdecl sub_402FF0_ASM(unsigned __int8 *Info, int InfoLen, int a3, int Size, unsigned __int8 *buff, unsigned __int8 **a6){ __asm { push ebx xor ebx, ebx cmp[esp + 0x14], ebx jle short loc_403055 mov edx, [esp + 1Ch] push ebp push esi mov esi, [esp + 14h] push edi mov edi, [esp + 14h] jmp short loc_403010 loc_403010 : movzx eax, byte ptr[edi] add eax, ebx add eax, [esp + 1Ch] and eax, 800000FFh jns short loc_403027 dec eax or eax, 0FFFFFF00h inc eax loc_403027 : mov cl, [eax + edx] mov eax, 1 cmp esi, eax jle short loc_403044 loc_403033 : movzx ebp, byte ptr[eax + edi] movzx ecx, cl xor ebp, ecx mov cl, [edx + ebp] inc eax cmp eax, esi jl short loc_403033 loc_403044 : mov eax, [esp + 24h] mov [ebx + eax], cl inc ebx cmp ebx, [esp + 20h] jl short loc_403010 pop edi pop esi pop ebp loc_403055 : pop ebx retn }}bool CSourceInsightTool::GenerateActId(char szActId[16]){ bool bIsFail = FALSE; int nActIdIndex = 0; srand((unsigned int)time(NULL)); nActIdIndex = rand() / sizeof(gActIdTable); //nActIdIndex = 0; for (int i = 0; i < 4; ++i) { szActId[i] = gActIdTable[nActIdIndex][i]; } // 获取磁盘id char szVolumeMountPoint[0xFF] = "C:\\"; char szVolumeName[0xFF] = { 0 }; char szVolumeId[0xFF] = { 0 }; char *pVolumeIdEnd = NULL; if (!GetVolumeNameForVolumeMountPoint(szVolumeMountPoint, szVolumeName, sizeof(szVolumeName))) { return false; } sscanf_s(szVolumeName, "\\\\?\\Volume{%s}\\", szVolumeId, _countof(szVolumeId)); pVolumeIdEnd = strchr(szVolumeId, '}'); if (pVolumeIdEnd) { *pVolumeIdEnd = 0; } // 获取 token HWND hWindow = NULL; DWORD dwProcessId = 0; HANDLE hProcess = NULL; HANDLE hToken = NULL; DWORD dwReturnLength = 0; PVOID TokenInformation = NULL; DWORD TokenInformationLength = 0; LPTSTR StringSid = NULL; do { //hWindow = FindWindowA("si4_Frame", "(No Project) - Source Insight 4.0"); hWindow = FindWindowA("si4_Frame", NULL); if (!hWindow) { bIsFail = true; break; } GetWindowThreadProcessId(hWindow, &dwProcessId); hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId); if (!hProcess) { bIsFail = true; break; } OpenProcessToken(hProcess, TOKEN_ALL_ACCESS, &hToken); if (!hToken) { return false; } if (!GetTokenInformation(hToken, TokenUser, NULL, 0, &dwReturnLength)) { if (ERROR_INSUFFICIENT_BUFFER != GetLastError()) { return false; } } TokenInformationLength = dwReturnLength; TokenInformation = calloc(TokenInformationLength, 1); if (!GetTokenInformation(hToken, TokenUser, TokenInformation, TokenInformationLength, &dwReturnLength)) { return false; } ConvertSidToStringSid(*(PSID *)TokenInformation, &StringSid); } while (false); if (!TokenInformation) { free(TokenInformation); TokenInformation = NULL; } if (hToken) { CloseHandle(hToken); hToken = NULL; } if (hProcess) { CloseHandle(hProcess); hProcess = NULL; } //if (hWindow) //{ // CloseHandle(hWindow); // hWindow = NULL; //} if (bIsFail) { return !bIsFail; } // 获取计算机名 char szComputerName[256] = { 0 }; DWORD dwSize = sizeof(szComputerName); if (!GetComputerName(szComputerName, &dwSize)) { return false; } // 生成校验码 int nLength = 0; char *pBuffer = NULL; UINT8 result[4] = { 0 }; char szResult[12] = { 0 }; do { nLength = strlen(szVolumeId) + strlen(StringSid) + strlen(szComputerName) + sizeof('\0'); pBuffer = (char *)calloc(nLength, 1); if (!pBuffer) { bIsFail = true; break; } sprintf_s(pBuffer, nLength, "%s%s%s", szVolumeId, StringSid, szComputerName); sub_402FF0_ASM((unsigned char *)pBuffer, strlen(pBuffer), 0x7A9, sizeof(result), result, (unsigned char **)&unk_5D6B98); sprintf_s(szResult, sizeof(szResult), "%u", *(PDWORD)result); strcat_s(szActId, 16, szResult); } while (false); if (pBuffer) { free(pBuffer); pBuffer = NULL; } return !bIsFail;}bool CSourceInsightTool::GenerateSignatureFile(const char *sFilePath, const char *sActId, const char *sSerial, const char *sLicensedUser, const char *sOrganization, const char *sEmail, const char *sDate){ //char sRegisterInformation[] = "<!--SourceInsight4.xLicenseFileDONOTEDITTHISFILE.Doingsowillrenderitunusable.Thislicensewascreatedfor:userMicrosoftuser@user.com--><SourceInsightLicense><LicensePropertiesActId=\"673A2434362875\"Serial=\"S4SG-ARCD-EFGH-36V6\"LicensedUser=\"user\"Organization=\"Microsoft\"Email=\"user@user.com\"Type=\"Standard\"Version=\"4\"MinorVersion=\"0\"Date=\"2023-04-06\"/>\x00"; char sRegisterInformationFormat[] = "<!--SourceInsight4.xLicenseFileDONOTEDITTHISFILE.Doingsowillrenderitunusable.Thislicensewascreatedfor:%s%s%s--><SourceInsightLicense><LicensePropertiesActId=\"%s\"Serial=\"%s\"LicensedUser=\"%s\"Organization=\"%s\"Email=\"%s\"Type=\"Standard\"Version=\"4\"MinorVersion=\"0\"Date=\"%s\"/>"; char szRegisterInforamtion[512] = { 0 }; unsigned char szBinarySignature[0x80] = { 0 }; int nSignatureLength = 0; char szSignature[0xFF] = { 0 }; sprintf_s(szRegisterInforamtion, sizeof(szRegisterInforamtion), sRegisterInformationFormat, sLicensedUser, sOrganization, sEmail, sActId, sSerial, sLicensedUser, sOrganization, sEmail, sDate ); sub_402FF0_ASM((unsigned char *)szRegisterInforamtion, strlen(szRegisterInforamtion) + 1, 0x7B0, sizeof(szBinarySignature), szBinarySignature, (unsigned char **)&unk_5D6B98 ); nSignatureLength = ::base64_encode(szBinarySignature, sizeof(szBinarySignature), szSignature); // 写文件 const char* sSignatureFileFormat = "<!--\r\n\tSource Insight 4.x License File\r\n\r\n\tDO NOT EDIT THIS FILE. Doing so will render it unusable.\r\n\r\n\tThis license was created for:\r\n\r\n\t\t%s\r\n\t\t%s\r\n\t\t%s\r\n\r\n-->\r\n<SourceInsightLicense>\r\n\t<LicenseProperties\r\n\t\tActId=\"%s\"\r\n\t\tSerial=\"%s\"\r\n\t\tLicensedUser=\"%s\"\r\n\t\tOrganization=\"%s\"\r\n\t\tEmail=\"%s\"\r\n\t\tType=\"Standard\"\r\n\t\tVersion=\"4\"\r\n\t\tMinorVersion=\"0\"\r\n\t\tDate=\"%s\"\r\n\t/>\r\n\t<Signature\r\n\t\tValue=\"%s\"\r\n\t/>\r\n</SourceInsightLicense>\r\n"; HANDLE hFile = NULL; char szBuffer[1024] = { 0 }; DWORD dwNumberOfBytesWritten = 0; sprintf_s(szBuffer, sizeof(szBuffer), sSignatureFileFormat, sLicensedUser, sOrganization, sEmail, sActId, sSerial, sLicensedUser, sOrganization, sEmail, sDate, szSignature ); hFile = CreateFileA(sFilePath, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL ); dwNumberOfBytesWritten = strlen(szBuffer); WriteFile(hFile, szBuffer, dwNumberOfBytesWritten, &dwNumberOfBytesWritten, NULL); if (hFile) { CloseHandle(hFile); hFile = NULL; } return true;} |
五、验证
注册通过:
生成 si.lic 文件
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | <!-- Source Insight 4.x License File DO NOT EDIT THIS FILE. Doing so will render it unusable. This license was created for: YGF4XNO KAX9H5L QG783WA7@gmail.com--><SourceInsightLicense> <LicenseProperties ActId="047E1691621634" Serial="S4SG-WRBO-LGQC-VQTF" LicensedUser="YGF4XNO" Organization="KAX9H5L" Email="QG783WA7@gmail.com" Type="Standard" Version="4" MinorVersion="0" Date="2023-06-13" /> <Signature Value="t+YYiaGMUOtoTqC7GfnD6PY/GrW0c+PdH26TEsqqT6TLC6iYpwRFAUD9Db3B6az6qx45JhXhriFl5GwkWTTI/8SPMs1t5xtNM4v83D7tn+D42HuDJerClkIsnsCXVDhEN7EKPI5nB9G42VGbtrNBVVyCS32I35IvBeKwOytmWEY=" /></SourceInsightLicense> |
代码和工具下载:SourceInsight4 · Boaster/Crack - 码云 - 开源中国 (gitee.com)
参考: https://bbs.kanxue.com/thread-261478.htm#msg_header_h2_4
Source Insight4 破解-软件逆向-看雪-安全社区|安全招聘|kanxue.com
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
我的也是128但是注册不了。
--------------------------- Source Insight --------------------------- The license file is not valid for this machine. Please provide a serial number and re-activate the license on this machine. --------------------------- 确定 ---------------------------
最后于 2023-6-14 09:31
被无语了啊~嗝编辑
,原因:
|
|
|
看看生成 si4.lic 文件 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
工具更新了。 |
|
|
你要先打开 Source Insight,然后再点击生成注册信息。看看使用说明。 |
|
|
有人说可以激活可能我没有享受注册机的运气了 
|
|
|
好吧。还是我自己的问题。我是先打开注册机的。激活成功了。感谢感谢~~ |
|
|
|
|
|
我刚刚更新了工具,还要改写 hosts 文件,你可以去 gitee 上面看看。 |
|
|
|
|
|
|
|
|
1. 你检查一下 C:\Windows\System32\drivers\etc\hosts 是否有 "127.0.0.1 sls.sourceinsight.com" 这条记录。 2. 打开 Cmd,执行 "ipconfig /flushdns"。 3. "ping sls.sourceinsight.com" 看看 IP 是否为 127.0.0.1。 |
|
|
肯定有啊,你的电脑不会弹吗? 难道我开了代理的原因? |
|
|
我上传了 UrlDisable 工具到 Gitee,你可以使用 UrlDisable 将 sls.sourceinsight.com 屏蔽掉,就可以了。 |
|
|
确实是因为我开了代理的原因,应该是完美破解了! 
|
|
|
补充:
|
|
|
|
|
|
|
|
|
|
