【Title】: Algorithm analysis of Serialcracker's (VB)
【Author】: bxm
【Author's e-mail】: bxm78@163.com
【Packer】: none
【Language】: VB
【Tools】: OD (OllyDbg), calculator
【Platform】: Windows XP
【Author's note】: Written purely out of interest, with no other purpose. Corrections from the experts are welcome wherever I have slipped up!
--------------------------------------------------------------------------------
【Detailed walkthrough】
Set a breakpoint via the string references:
0040AF00 66:3B9D 0CFFFFF>cmp bx, [ebp-F4] ; loop count is the length of name; test whether the loop is finished
0040AF07 0F8F 8D000000 jg 0040AF9A ; finished: jump out
0040AF0D 8D45 DC lea eax, [ebp-24]
0040AF10 8D4D 90 lea ecx, [ebp-70]
0040AF13 0FBFD3 movsx edx, bx
0040AF16 8985 58FFFFFF mov [ebp-A8], eax
0040AF1C 51 push ecx
0040AF1D 8D85 50FFFFFF lea eax, [ebp-B0]
0040AF23 52 push edx
0040AF24 8D4D 80 lea ecx, [ebp-80]
0040AF27 50 push eax
0040AF28 51 push ecx
0040AF29 C745 98 0100000>mov dword ptr [ebp-68], 1
0040AF30 C745 90 0200000>mov dword ptr [ebp-70], 2
0040AF37 C785 50FFFFFF 0>mov dword ptr [ebp-B0], 4008
0040AF41 FF15 40104000 call [<&MSVBVM60.#632>] ; take the characters of name one at a time
0040AF47 8D55 80 lea edx, [ebp-80]
0040AF4A 8D45 CC lea eax, [ebp-34]
0040AF4D 52 push edx
0040AF4E 50 push eax
0040AF4F FF15 74104000 call [<&MSVBVM60.__vbaStrVarVal>] ; MSVBVM60.__vbaStrVarVal
0040AF55 50 push eax
0040AF56 FF15 18104000 call [<&MSVBVM60.#516>] ; ASCII code of the current character into EAX
0040AF5C 0FBFC8 movsx ecx, ax ; AX into ECX (sign-extended)
0040AF5F 03CE add ecx, esi ; ECX + ESI
0040AF61 0F80 4B030000 jo 0040B2B2 ; overflow: jump to the error handler
0040AF67 8BF1 mov esi, ecx ; ECX into ESI; ESI is the accumulator
0040AF69 8D4D CC lea ecx, [ebp-34]
0040AF6C FF15 B0104000 call [<&MSVBVM60.__vbaFreeStr>] ; MSVBVM60.__vbaFreeStr
0040AF72 8D55 80 lea edx, [ebp-80]
0040AF75 8D45 90 lea eax, [ebp-70]
0040AF78 52 push edx
0040AF79 50 push eax
0040AF7A 6A 02 push 2
0040AF7C FF15 10104000 call [<&MSVBVM60.__vbaFreeVarList>] ; MSVBVM60.__vbaFreeVarList
0040AF82 B8 01000000 mov eax, 1
0040AF87 83C4 0C add esp, 0C
0040AF8A 66:03C3 add ax, bx ; loop counter + 1
0040AF8D 0F80 1F030000 jo 0040B2B2
0040AF93 8BD8 mov ebx, eax
0040AF95 ^ E9 66FFFFFF jmp 0040AF00
============================================
What the code above does: it adds up every character of name, using ESI as the accumulator register. Call the resulting sum A.
0040AF9A 8BC6 mov eax, esi ; sum of name into EAX
0040AF9C 6BC0 02 imul eax, eax, 2 ; EAX*2
0040AF9F 0F80 0D030000 jo 0040B2B2
0040AFA5 8945 D4 mov [ebp-2C], eax ; store EAX in [ebp-2C]
0040AFA8 8BC6 mov eax, esi ; sum of name into EAX
0040AFAA 6BC0 03 imul eax, eax, 3 ; EAX*3
0040AFAD 0F80 FF020000 jo 0040B2B2
0040AFB3 8945 E8 mov [ebp-18], eax ; store EAX in [ebp-18]
0040AFB6 8BC6 mov eax, esi ; sum of name into EAX
0040AFB8 6BC0 04 imul eax, eax, 4 ; EAX*4
0040AFBB 0F80 F1020000 jo 0040B2B2
0040AFC1 6BF6 05 imul esi, esi, 5 ; ESI*5
0040AFC4 0F80 E8020000 jo 0040B2B2
0040AFCA 8945 E4 mov [ebp-1C], eax ; store EAX in [ebp-1C]
0040AFCD 8975 E0 mov [ebp-20], esi ; store ESI in [ebp-20]
Some code omitted ...
0040B018 FF15 08104000 call [<&MSVBVM60.__vbaStrI4>] ; convert sum*2 to a decimal string; for my name it is "876"
0040B01E 8BD0 mov edx, eax
0040B020 8D4D CC lea ecx, [ebp-34]
0040B023 FFD7 call edi
0040B025 8B35 20104000 mov esi, [<&MSVBVM60.__vbaStrCat>] ; MSVBVM60.__vbaStrCat
0040B02B 50 push eax
0040B02C 68 ECA54000 push 0040A5EC
0040B031 FFD6 call esi ; concatenate with the character "-"
0040B033 8BD0 mov edx, eax
0040B035 8D4D C8 lea ecx, [ebp-38]
0040B038 FFD7 call edi
0040B03A 8B4D E8 mov ecx, [ebp-18]
0040B03D 50 push eax
0040B03E 51 push ecx
0040B03F FF15 08104000 call [<&MSVBVM60.__vbaStrI4>] ; convert sum*3 to a decimal string; for my name it is "1314"
0040B045 8BD0 mov edx, eax
0040B047 8D4D C4 lea ecx, [ebp-3C]
0040B04A FFD7 call edi
0040B04C 50 push eax
0040B04D FFD6 call esi ; concatenate with the previous result
0040B04F 8BD0 mov edx, eax
0040B051 8D4D C0 lea ecx, [ebp-40]
0040B054 FFD7 call edi
0040B056 50 push eax
0040B057 68 ECA54000 push 0040A5EC
0040B05C FFD6 call esi ; concatenate with the character "-"
0040B05E 8BD0 mov edx, eax
0040B060 8D4D BC lea ecx, [ebp-44]
0040B063 FFD7 call edi
0040B065 8B55 E4 mov edx, [ebp-1C]
0040B068 50 push eax
0040B069 52 push edx
0040B06A FF15 08104000 call [<&MSVBVM60.__vbaStrI4>] ; convert sum*4 to a decimal string; for my name it is "1752"
0040B070 8BD0 mov edx, eax
0040B072 8D4D B8 lea ecx, [ebp-48]
0040B075 FFD7 call edi
0040B077 50 push eax
0040B078 FFD6 call esi ; concatenate with the previous result
0040B07A 8BD0 mov edx, eax
0040B07C 8D4D B4 lea ecx, [ebp-4C]
0040B07F FFD7 call edi
0040B081 50 push eax
0040B082 68 ECA54000 push 0040A5EC
0040B087 FFD6 call esi ; concatenate with the character "-"
0040B089 8BD0 mov edx, eax
0040B08B 8D4D B0 lea ecx, [ebp-50]
0040B08E FFD7 call edi
0040B090 50 push eax
0040B091 8B45 E0 mov eax, [ebp-20]
0040B094 50 push eax
0040B095 FF15 08104000 call [<&MSVBVM60.__vbaStrI4>] ; convert sum*5 to a decimal string; for my name it is "2190"
0040B09B 8BD0 mov edx, eax
0040B09D 8D4D AC lea ecx, [ebp-54]
0040B0A0 FFD7 call edi
0040B0A2 50 push eax
0040B0A3 FFD6 call esi ; concatenate with the previous result
0040B0A5 8BD0 mov edx, eax
0040B0A7 8D4D A4 lea ecx, [ebp-5C]
0040B0AA FFD7 call edi
0040B0AC 50 push eax
0040B0AD FF15 4C104000 call [<&MSVBVM60.__vbaStrCmp>] ; compare the real serial with the one entered
0040B0B3 8BF0 mov esi, eax
0040B0B5 8D4D A4 lea ecx, [ebp-5C]
0040B0B8 F7DE neg esi
0040B0BA 8D55 A8 lea edx, [ebp-58]
0040B0BD 51 push ecx
0040B0BE 1BF6 sbb esi, esi
0040B0C0 8D45 AC lea eax, [ebp-54]
0040B0C3 52 push edx
0040B0C4 8D4D B0 lea ecx, [ebp-50]
0040B0C7 46 inc esi
0040B0C8 50 push eax
0040B0C9 8D55 B4 lea edx, [ebp-4C]
0040B0CC 51 push ecx
0040B0CD F7DE neg esi
0040B0CF 52 push edx
0040B0D0 8D45 B8 lea eax, [ebp-48]
0040B0D3 8D4D BC lea ecx, [ebp-44]
0040B0D6 50 push eax
0040B0D7 8D55 C0 lea edx, [ebp-40]
0040B0DA 51 push ecx
0040B0DB 8D45 C4 lea eax, [ebp-3C]
0040B0DE 52 push edx
0040B0DF 8D4D C8 lea ecx, [ebp-38]
0040B0E2 50 push eax
0040B0E3 8D55 CC lea edx, [ebp-34]
0040B0E6 51 push ecx
0040B0E7 52 push edx
0040B0E8 6A 0B push 0B
0040B0EA FF15 88104000 call [<&MSVBVM60.__vbaFreeStrList>] ; MSVBVM60.__vbaFreeStrList
0040B0F0 83C4 30 add esp, 30
0040B0F3 8D4D A0 lea ecx, [ebp-60]
0040B0F6 FF15 B4104000 call [<&MSVBVM60.__vbaFreeObj>] ; MSVBVM60.__vbaFreeObj
0040B0FC B8 04000280 mov eax, 80020004
0040B101 B9 0A000000 mov ecx, 0A
0040B106 66:3BF3 cmp si, bx
0040B109 8985 68FFFFFF mov [ebp-98], eax
0040B10F 898D 60FFFFFF mov [ebp-A0], ecx
0040B115 8985 78FFFFFF mov [ebp-88], eax
0040B11B 898D 70FFFFFF mov [ebp-90], ecx
0040B121 74 7A je short 0040B19D ; serials differ: game over
0040B123 8B35 98104000 mov esi, [<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
0040B129 BF 08000000 mov edi, 8
0040B12E 8D95 40FFFFFF lea edx, [ebp-C0]
0040B134 8D4D 80 lea ecx, [ebp-80]
0040B137 C785 48FFFFFF 4>mov dword ptr [ebp-B8], 0040A644 ; UNICODE "Good!"
0040B141 89BD 40FFFFFF mov [ebp-C0], edi
0040B147 FFD6 call esi
0040B149 8D95 50FFFFFF lea edx, [ebp-B0]
0040B14F 8D4D 90 lea ecx, [ebp-70]
0040B152 C785 58FFFFFF F>mov dword ptr [ebp-A8], 0040A5F4 ; UNICODE "You are the best! Now code a KeyGen!"
Algorithm summary:
1. Add up the character codes of every character of name; call the result A.
2. Multiply A by 2, 3, 4 and 5 respectively, convert each product to a decimal string, and join the four strings with the character "-" between each pair. The result is the serial.
A working name/serial pair:
name: bxm78
serial: 876-1314-1752-2190
Keygen source code:
#include <iostream>
#include <string>
using namespace std;

int main()
{
    string name;   // std::string instead of a fixed 20-byte buffer, so a long name cannot overflow it
    long sum = 0;  // accumulator, the counterpart of ESI in the disassembly
    cout << "Please input your name:";
    cin >> name;
    cout << endl;
    // Step 1: sum the character codes. Treat each byte as unsigned so that
    // the value matches what VB's Asc() returns for a single-byte character.
    for (size_t i = 0; i < name.size(); i++)
        sum += static_cast<unsigned char>(name[i]);
    // Step 2: A*2, A*3, A*4, A*5 as decimal strings joined by "-"
    cout << "Serial is " << sum * 2 << "-" << sum * 3 << "-" << sum * 4 << "-" << sum * 5 << endl;
    return 0;
}
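The following is an added example, not the author's keygen and not code from the crackme: it splits the recovered scheme into functions so that the name/serial pair given above can be verified programmatically, and it also implements the check the crackme itself performs at __vbaStrCmp. Assumptions (not stated on the page): names are 7-bit ASCII, as in the author's test pair, and the function names name_sum, make_serial and check_serial are this example's own.

```cpp
// Added example: generator and checker for the Serialcracker's serial scheme
// recovered in the analysis above (not the author's keygen, not the crackme's code).
#include <cstdint>
#include <iostream>
#include <string>

// Step 1: sum the character codes of every character of the name.
// Mirrors "movsx ecx, ax / add ecx, esi": each code is widened and added into
// a 32-bit signed accumulator (a VB Long). Bytes are treated as unsigned, which
// is what VB's Asc() returns for a single-byte character; names are assumed to
// be 7-bit ASCII here (assumption, matching the article's test pair).
int32_t name_sum(const std::string& name)
{
    int32_t sum = 0;
    for (unsigned char c : name)
        sum += c;  // ESI += character code
    return sum;
}

// Step 2: serial = A*2 "-" A*3 "-" A*4 "-" A*5, each product as a decimal
// string, mirroring the __vbaStrI4 / __vbaStrCat sequence in the disassembly.
std::string make_serial(const std::string& name)
{
    const int32_t a = name_sum(name);
    std::string serial;
    for (int32_t k = 2; k <= 5; ++k) {
        if (k > 2)
            serial += "-";
        serial += std::to_string(a * k);
    }
    return serial;
}

// What the crackme does at __vbaStrCmp: an exact string comparison between
// the serial it computed from the name and the serial the user typed in.
bool check_serial(const std::string& name, const std::string& entered)
{
    return make_serial(name) == entered;
}

int main()
{
    std::string name;
    std::cout << "Please input your name: ";
    // getline rather than operator>>, because the crackme loops over the whole
    // length of name, spaces included.
    std::getline(std::cin, name);
    std::cout << "Serial is " << make_serial(name) << std::endl;
    return 0;
}
```

For the author's name, name_sum("bxm78") is 98+120+109+55+56 = 438, and make_serial returns "876-1314-1752-2190", the pair listed above. The design lesson for anyone writing such checks is visible in check_serial: the serial is a pure function of the name with no secret involved, so reading the arithmetic out of the binary is all that is needed to produce a valid serial for any name. A scheme the client can verify but not generate (for example a signature over the name checked against an embedded public key) does not collapse this way.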
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally published on the Pediy (看雪) technical forum. When reposting, please credit the author and keep the article intact. Thank you!
2006-09-25, 01:51:29 PM