Patching HEX COMPARISON V1.9
快雪时晴, 2007-03-27
-------------------------------Part 1 -----------------------------------------
[1] Target program introduction
http://exeicon.com/hex-comparison/
Hex Comparison is a binary file comparison and hex editor. It helps you to compare files in binary format, serving as a hex editor. Allow quickly compare two files. Quickly find every different. Show different with customizing color. Allow save comparison result to file. Go to any offset of file quickly. Create new binary file. Find synchronous position by double click. Scroll every different. Modify binary file or text file easily. Find binary or ASCII string easily. Get Hex Comparison for only $29.95 Now
Limitations:
Expires after: 20 uses or 15 days Limitation of trial version: No any functional limitation.
[2] Approaches
Approach 1: the description says the program has no functional limitation, only the 20-use/15-day trial limit, so one could patch those counters and trial it forever.
Approach 2: work out the algorithm and write a keygen.
Approach 3: patch the verification routine so the program believes it has been correctly registered.
[3]开始
Platform: Windows XP (English) + SP2 + Chinese MUI, OllyICE
The program is packed; PEiD reports ASPack 2.12. Simple: use PEiD's generic unpacking plugin, a dedicated tool, or unpack by hand.
After unpacking the program grows from 389K to 8.7M; written in Borland C++ (1999).
Enter the trial registration information:
XIAO
1011222233334444555566667777888899990000HFC1
0040A368 |. 83F8 2C cmp eax, 2C ; registration code length must be 0x2C, i.e. 44
0040A36B |. 0F85 49020000 jnz 0040A5BA
0040A371 |. BE B0E64C00 mov esi, 004CE6B0 ; 1z1h+2a0n-0g8y*9a1n|
Fixed string, used as a dictionary / lookup table
0012F1E9 31 1
0012F1F1 7A 31 68 2B 32 61 30 6E z1h+2a0n
0012F1F9 2D 30 67 38 79 2A 39 61 -0g8y*9a
0012F201 31 6E 7C 1n|
Trial code
0012F201 00 31 1
0012F209 23 31 31 32 32 32 32 33 #1122223
0012F211 33 33 47 4B 52 34 34 35 33GKR445
0012F219 35 35 35 36 36 36 36 37 55566667
0012F221 37 37 37 38 38 38 38 39 77788889
0012F229 39 39 39 30 30 30 30 48 9990000H
0012F231 46 43 31 FC1
Enter the trial user name and code; before clicking OK, set a universal breakpoint or use string references to reach the verification routine (this CALL is invoked from two places):
0040A32C /$ 55 push ebp
0040A32D |. 8BEC mov ebp, esp
0040A32F |. 81C4 74FFFFFF add esp, -8C
0040A335 |. 56 push esi
0040A336 |. 57 push edi
0040A337 |. B8 54EB4C00 mov eax, 004CEB54
0040A33C |. E8 1B4E0B00 call 004BF15C
0040A341 |. C745 F8 01000000 mov dword ptr [ebp-8], 1
0040A348 |. 8D55 08 lea edx, dword ptr [ebp+8]
0040A34B |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A34E |. E8 09EE0B00 call 004C915C
0040A353 |. FF45 F8 inc dword ptr [ebp-8]
0040A356 |. 66:C745 EC 0800 mov word ptr [ebp-14], 8
0040A35C |. C645 DB 00 mov byte ptr [ebp-25], 0
0040A360 |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A363 |. E8 D8B7FFFF call 00405B40
0040A368 |. 83F8 2C cmp eax, 2C ; registration code length must be 0x2C, i.e. 44
0040A36B |. 0F85 49020000 jnz 0040A5BA
0040A371 |. BE B0E64C00 mov esi, 004CE6B0 ; 1z1h+2a0n-0g8y*9a1n|
0040A376 |. 8D7D 88 lea edi, dword ptr [ebp-78]
0040A379 |. B9 05000000 mov ecx, 5
0040A37E |. F3:A5 rep movs dword ptr es:[edi], dword pt>
0040A380 |. A4 movs byte ptr es:[edi], byte ptr [esi]
0040A381 |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A384 |. E8 97B7FFFF call 00405B20
0040A389 |. 0FBE50 28 movsx edx, byte ptr [eax+28] ; EAX = address of the first byte of the trial code
0040A38D |. 83FA 48 cmp edx, 48 ; SN[40]='H'?
0040A390 |. 74 23 je short 0040A3B5
0040A392 |. 33C0 xor eax, eax
0040A394 |. 50 push eax
0040A395 |. FF4D F8 dec dword ptr [ebp-8]
0040A398 |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A39B |. BA 02000000 mov edx, 2
0040A3A0 |. E8 DFEE0B00 call 004C9284
0040A3A5 |. 58 pop eax
0040A3A6 |. 8B55 DC mov edx, dword ptr [ebp-24]
0040A3A9 |. 64:8915 00000000 mov dword ptr fs:[0], edx
0040A3B0 |. E9 24020000 jmp 0040A5D9
0040A3B5 |> 8D45 08 lea eax, dword ptr [ebp+8]
0040A3B8 |. E8 63B7FFFF call 00405B20
0040A3BD |. 0FBE50 29 movsx edx, byte ptr [eax+29] ; SN[41]='F'?
0040A3C1 |. 83FA 46 cmp edx, 46
0040A3C4 |. 74 23 je short 0040A3E9
0040A3C6 |. 33C0 xor eax, eax
0040A3C8 |. 50 push eax
0040A3C9 |. FF4D F8 dec dword ptr [ebp-8]
0040A3CC |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A3CF |. BA 02000000 mov edx, 2
0040A3D4 |. E8 ABEE0B00 call 004C9284
0040A3D9 |. 58 pop eax
0040A3DA |. 8B55 DC mov edx, dword ptr [ebp-24]
0040A3DD |. 64:8915 00000000 mov dword ptr fs:[0], edx
0040A3E4 |. E9 F0010000 jmp 0040A5D9
0040A3E9 |> 8D45 08 lea eax, dword ptr [ebp+8]
0040A3EC |. E8 2FB7FFFF call 00405B20
0040A3F1 |. 0FBE50 2A movsx edx, byte ptr [eax+2A] ; SN[42]='C',43
0040A3F5 |. 83FA 43 cmp edx, 43
0040A3F8 |. 74 23 je short 0040A41D
0040A3FA |. 33C0 xor eax, eax
0040A3FC |. 50 push eax
0040A3FD |. FF4D F8 dec dword ptr [ebp-8]
0040A400 |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A403 |. BA 02000000 mov edx, 2
0040A408 |. E8 77EE0B00 call 004C9284
0040A40D |. 58 pop eax
0040A40E |. 8B55 DC mov edx, dword ptr [ebp-24]
0040A411 |. 64:8915 00000000 mov dword ptr fs:[0], edx
0040A418 |. E9 BC010000 jmp 0040A5D9
0040A41D |> 8D45 08 lea eax, dword ptr [ebp+8]
0040A420 |. E8 FBB6FFFF call 00405B20
0040A425 |. 0FBE50 2B movsx edx, byte ptr [eax+2B] ; SN[43]='1',31
0040A429 |. 83FA 31 cmp edx, 31
0040A42C |. 74 23 je short 0040A451
0040A42E |. 33C0 xor eax, eax
0040A430 |. 50 push eax
0040A431 |. FF4D F8 dec dword ptr [ebp-8]
0040A434 |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A437 |. BA 02000000 mov edx, 2
0040A43C |. E8 43EE0B00 call 004C9284
0040A441 |. 58 pop eax
0040A442 |. 8B55 DC mov edx, dword ptr [ebp-24]
0040A445 |. 64:8915 00000000 mov dword ptr fs:[0], edx
0040A44C |. E9 88010000 jmp 0040A5D9
0040A451 |> 8D45 08 lea eax, dword ptr [ebp+8]
0040A454 |. E8 C7B6FFFF call 00405B20
0040A459 |. 50 push eax ; /Arg2
0040A45A |. 8D55 A0 lea edx, dword ptr [ebp-60] ; |
0040A45D |. 52 push edx ; |Arg1
0040A45E |. E8 8D4A0B00 call 004BEEF0 ; \hexcmp_e.004BEEF0
0040A463 |. 83C4 08 add esp, 8
0040A466 |. 0FBE4D A1 movsx ecx, byte ptr [ebp-5F] ; SN[1]='0',30
0040A46A |. 83F9 30 cmp ecx, 30
0040A46D |. 0F85 47010000 jnz 0040A5BA
0040A473 |. C645 A1 23 mov byte ptr [ebp-5F], 23 ; SN[1]<-'#',23
0040A477 |. C645 DB 01 mov byte ptr [ebp-25], 1 ; initialize the check result to 1 (success)
0040A47B |. C745 D4 02000000 mov dword ptr [ebp-2C], 2 ; loop variable init i <-- 2
0040A482 |> 8B45 D4 /mov eax, dword ptr [ebp-2C]
0040A485 |. 0FBE5405 88 |movsx edx, byte ptr [ebp+eax-78] ; A<--DICT[i], indices start at 0
0040A48A |. 8B4D D4 |mov ecx, dword ptr [ebp-2C]
0040A48D |. 0FBE440D 9F |movsx eax, byte ptr [ebp+ecx-61] ; B<--SN[i-1]
0040A492 |. 03D0 |add edx, eax ; C<--A+B
0040A494 |. 8B4D D4 |mov ecx, dword ptr [ebp-2C]
0040A497 |. 0FBE440D A0 |movsx eax, byte ptr [ebp+ecx-60] ; D<--SN[i]
0040A49C |. 33D0 |xor edx, eax ; C<-C^D
0040A49E |. 8B4D D4 |mov ecx, dword ptr [ebp-2C]
0040A4A1 |. 0FBE440D 88 |movsx eax, byte ptr [ebp+ecx-78] ; A<--DICT[i]
0040A4A6 |. 33D0 |xor edx, eax ; C<--C^A
0040A4A8 |. 52 |push edx ; /Arg1
0040A4A9 |. E8 AE87FFFF |call 00402C5C ; \hexcmp_e.00402C5C
0040A4AE |. 59 |pop ecx
0040A4AF |. B9 1A000000 |mov ecx, 1A ; the previous CALL returns EAX=A^C-C
0040A4B4 |. 99 |cdq
0040A4B5 |. F7F9 |idiv ecx
0040A4B7 |. 83C2 41 |add edx, 41 ; E<--(EAX % 1A) + 41
0040A4BA |. 8B45 D4 |mov eax, dword ptr [ebp-2C]
0040A4BD |. 0FBE4C05 A9 |movsx ecx, byte ptr [ebp+eax-57] ; SN[i+9]=E?
0040A4C2 |. 3BD1 |cmp edx, ecx
0040A4C4 |. 74 06 |je short 0040A4CC
0040A4C6 |. C645 DB 00 |mov byte ptr [ebp-25], 0 ; set to 0: check failed, leave the loop
0040A4CA |. EB 0B |jmp short 0040A4D7
0040A4CC |> FF45 D4 |inc dword ptr [ebp-2C] ; loop variable i<--i+1
0040A4CF |. 8B55 D4 |mov edx, dword ptr [ebp-2C]
0040A4D2 |. 83FA 0A |cmp edx, 0A ; i<0xA?, loops 8 times
0040A4D5 |.^ 7C AB \jl short 0040A482
0040A4D7 |> 8A45 DB mov al, byte ptr [ebp-25]
0040A4DA |. 84C0 test al, al
0040A4DC |. 0F84 CB000000 je 0040A5AD ; failure
0040A4E2 |. C745 D0 18000000 mov dword ptr [ebp-30], 18 ; init j<--0x18
0040A4E9 |. 66:C745 EC 0800 mov word ptr [ebp-14], 8 ; another loop
0040A4EF |. 8B55 D0 mov edx, dword ptr [ebp-30]
0040A4F2 |. 83FA 28 cmp edx, 28
0040A4F5 |. 7D 4D jge short 0040A544
0040A4F7 |> 8B4D D0 /mov ecx, dword ptr [ebp-30]
0040A4FA |. 0FBE440D 89 |movsx eax, byte ptr [ebp+ecx-77] ; 'Y'
0040A4FF |. B9 06000000 |mov ecx, 6
0040A504 |. 99 |cdq
0040A505 |. F7F9 |idiv ecx
0040A507 |. 8BCA |mov ecx, edx
0040A509 |. 8B45 D0 |mov eax, dword ptr [ebp-30]
0040A50C |. 0FBE5405 8A |movsx edx, byte ptr [ebp+eax-76] ; '1'
0040A511 |. D3E2 |shl edx, cl
0040A513 |. 8B45 D0 |mov eax, dword ptr [ebp-30]
0040A516 |. 0FBE4C05 8B |movsx ecx, byte ptr [ebp+eax-75]
0040A51B |. 0BD1 |or edx, ecx
0040A51D |. 52 |push edx ; /Arg1
0040A51E |. E8 3987FFFF |call 00402C5C ; \hexcmp_e.00402C5C
0040A523 |. 59 |pop ecx
0040A524 |. B9 1A000000 |mov ecx, 1A
0040A529 |. 99 |cdq
0040A52A |. F7F9 |idiv ecx
0040A52C |. 80C2 61 |add dl, 61
0040A52F |. 8B45 D0 |mov eax, dword ptr [ebp-30]
0040A532 |. 889405 5CFFFFFF |mov byte ptr [ebp+eax-A4], dl
0040A539 |. FF45 D0 |inc dword ptr [ebp-30]
0040A53C |. 8B55 D0 |mov edx, dword ptr [ebp-30]
0040A53F |. 83FA 28 |cmp edx, 28
0040A542 |.^ 7C B3 \jl short 0040A4F7
0040A544 |> C645 84 5A mov byte ptr [ebp-7C], 5A
0040A548 |. C645 85 59 mov byte ptr [ebp-7B], 59
0040A54C |. C745 CC 18000000 mov dword ptr [ebp-34], 18
0040A553 |. 66:C745 EC 0800 mov word ptr [ebp-14], 8
0040A559 |. 8B45 CC mov eax, dword ptr [ebp-34]
0040A55C |. 83F8 28 cmp eax, 28
0040A55F |. 7D 4C jge short 0040A5AD
0040A561 |> 8B55 CC /mov edx, dword ptr [ebp-34] ; another loop
0040A564 |. 0FBE8C15 5CFFFFFF |movsx ecx, byte ptr [ebp+edx-A4]
0040A56C |. C1E1 04 |shl ecx, 4
0040A56F |. 8B45 CC |mov eax, dword ptr [ebp-34]
0040A572 |. 0FBE9405 5DFFFFFF |movsx edx, byte ptr [ebp+eax-A3]
0040A57A |. D1FA |sar edx, 1
0040A57C |. 33CA |xor ecx, edx
0040A57E |. 51 |push ecx ; /Arg1
0040A57F |. E8 D886FFFF |call 00402C5C ; \hexcmp_e.00402C5C
0040A584 |. 59 |pop ecx
0040A585 |. B9 1A000000 |mov ecx, 1A
0040A58A |. 99 |cdq
0040A58B |. F7F9 |idiv ecx
0040A58D |. 83C2 41 |add edx, 41
0040A590 |. 8B45 CC |mov eax, dword ptr [ebp-34]
0040A593 |. 0FBE4405 A0 |movsx eax, byte ptr [ebp+eax-60]
0040A598 |. 3BD0 |cmp edx, eax
0040A59A |. 74 06 |je short 0040A5A2
0040A59C |. C645 DB 00 |mov byte ptr [ebp-25], 0
0040A5A0 |. EB 0B |jmp short 0040A5AD
0040A5A2 |> FF45 CC |inc dword ptr [ebp-34]
0040A5A5 |. 8B55 CC |mov edx, dword ptr [ebp-34]
0040A5A8 |. 83FA 28 |cmp edx, 28
0040A5AB |.^ 7C B4 \jl short 0040A561
0040A5AD |> 0FBE4D AA movsx ecx, byte ptr [ebp-56]
0040A5B1 |. 83F9 59 cmp ecx, 59
0040A5B4 |. 74 04 je short 0040A5BA
0040A5B6 |. C645 DB 00 mov byte ptr [ebp-25], 0
0040A5BA |> 8A45 DB mov al, byte ptr [ebp-25]
0040A5BD |. 50 push eax
0040A5BE |. FF4D F8 dec dword ptr [ebp-8]
0040A5C1 |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A5C4 |. BA 02000000 mov edx, 2
0040A5C9 |. E8 B6EC0B00 call 004C9284
0040A5CE |. 58 pop eax
0040A5CF |. 8B55 DC mov edx, dword ptr [ebp-24]
0040A5D2 |. 64:8915 00000000 mov dword ptr fs:[0], edx
0040A5D9 |> 5F pop edi
0040A5DA |. 5E pop esi
0040A5DB |. 8BE5 mov esp, ebp
0040A5DD |. 5D pop ebp
0040A5DE \. C3 retn
The algorithm is not complicated, but tracing it is somewhat tedious, so I directly patched CALL 0040A32C to return -1 (0xFF); note that it is not an arbitrary non-zero value. The patch worked: in use there were no errors and no unregistered prompts.
Found 1 bug in the program:
When comparing the unpacked patched file (复件 hexcmp.exe.unpacked_1.exe) with the unpacked file (hexcmp.exe.unpacked_.exe), the program reported no differences at all, and the left/right navigation buttons were both greyed out.
Only when an arbitrary number is entered in POSITION does the program find the 1 difference.
[4] Afterword
I did not persist until the algorithm was fully worked out, which is a little regrettable; following my minimum-time-cost principle I chose to patch, and patched only 1 place.
-------------------------------Part 2 -----------------------------------------
[Sequel 1] A flash of inspiration: let the program report its own registration code
Since the program compares byte by byte, let the true values pop out by themselves.
Again the verification CALL from before:
0040A32C 55 push ebp
0040A32D 8BEC mov ebp, esp
0040A32F |. 81C4 74FFFFFF add esp, -8C
0040A335 |. 56 push esi
0040A336 |. 57 push edi
0040A337 |. B8 54EB4C00 mov eax, 004CEB54
0040A33C |. E8 1B4E0B00 call 004BF15C
0040A341 |. C745 F8 01000000 mov dword ptr [ebp-8], 1
0040A348 |. 8D55 08 lea edx, dword ptr [ebp+8]
0040A34B |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A34E |. E8 09EE0B00 call 004C915C
0040A353 |. FF45 F8 inc dword ptr [ebp-8]
0040A356 |. 66:C745 EC 0800 mov word ptr [ebp-14], 8
0040A35C |. C645 DB 00 mov byte ptr [ebp-25], 0
0040A360 |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A363 |. E8 D8B7FFFF call 00405B40
0040A368 |. 83F8 2C cmp eax, 2C ; registration code length must be 0x2C, i.e. 44
0040A36B |. 0F85 49020000 jnz 0040A5BA
0040A371 |. BE B0E64C00 mov esi, 004CE6B0 ; 1z1h+2a0n-0g8y*9a1n|
0040A376 |. 8D7D 88 lea edi, dword ptr [ebp-78]
0040A379 |. B9 05000000 mov ecx, 5
0040A37E |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
0040A380 |. A4 movs byte ptr es:[edi], byte ptr [esi]
0040A381 |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A384 |. E8 97B7FFFF call 00405B20
0040A389 C640 28 48 mov byte ptr [eax+28], 48 ; EAX = address of the first byte of the trial code
0040A38D 90 nop ; SN[40]='H'?
0040A38E 90 nop
0040A38F 90 nop
0040A390 EB 23 jmp short 0040A3B5
0040A392 |. 33C0 xor eax, eax
0040A394 |. 50 push eax
0040A395 |. FF4D F8 dec dword ptr [ebp-8]
0040A398 |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A39B |. BA 02000000 mov edx, 2
0040A3A0 |. E8 DFEE0B00 call 004C9284
0040A3A5 |. 58 pop eax
0040A3A6 |. 8B55 DC mov edx, dword ptr [ebp-24]
0040A3A9 |. 64:8915 00000000 mov dword ptr fs:[0], edx
0040A3B0 |. E9 24020000 jmp 0040A5D9
0040A3B5 |> 8D45 08 lea eax, dword ptr [ebp+8]
0040A3B8 |. E8 63B7FFFF call 00405B20
0040A3BD C640 29 46 mov byte ptr [eax+29], 46 ; SN[41]='F'?
0040A3C1 90 nop
0040A3C2 90 nop
0040A3C3 90 nop
0040A3C4 EB 23 jmp short 0040A3E9
0040A3C6 |. 33C0 xor eax, eax
0040A3C8 |. 50 push eax
0040A3C9 |. FF4D F8 dec dword ptr [ebp-8]
0040A3CC |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A3CF |. BA 02000000 mov edx, 2
0040A3D4 |. E8 ABEE0B00 call 004C9284
0040A3D9 |. 58 pop eax
0040A3DA |. 8B55 DC mov edx, dword ptr [ebp-24]
0040A3DD |. 64:8915 00000000 mov dword ptr fs:[0], edx
0040A3E4 |. E9 F0010000 jmp 0040A5D9
0040A3E9 |> 8D45 08 lea eax, dword ptr [ebp+8]
0040A3EC |. E8 2FB7FFFF call 00405B20
0040A3F1 C640 2A 43 mov byte ptr [eax+2A], 43 ; SN[42]='C',43
0040A3F5 90 nop
0040A3F6 90 nop
0040A3F7 90 nop
0040A3F8 EB 23 jmp short 0040A41D
0040A3FA |. 33C0 xor eax, eax
0040A3FC |. 50 push eax
0040A3FD |. FF4D F8 dec dword ptr [ebp-8]
0040A400 |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A403 |. BA 02000000 mov edx, 2
0040A408 |. E8 77EE0B00 call 004C9284
0040A40D |. 58 pop eax
0040A40E |. 8B55 DC mov edx, dword ptr [ebp-24]
0040A411 |. 64:8915 00000000 mov dword ptr fs:[0], edx
0040A418 |. E9 BC010000 jmp 0040A5D9
0040A41D |> 8D45 08 lea eax, dword ptr [ebp+8]
0040A420 |. E8 FBB6FFFF call 00405B20
0040A425 C640 2B 31 mov byte ptr [eax+2B], 31 ; SN[43]='1',31
0040A429 90 nop
0040A42A 90 nop
0040A42B 90 nop
0040A42C EB 23 jmp short 0040A451
0040A42E |. 33C0 xor eax, eax
0040A430 |. 50 push eax
0040A431 |. FF4D F8 dec dword ptr [ebp-8]
0040A434 |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A437 |. BA 02000000 mov edx, 2
0040A43C |. E8 43EE0B00 call 004C9284
0040A441 |. 58 pop eax
0040A442 |. 8B55 DC mov edx, dword ptr [ebp-24]
0040A445 |. 64:8915 00000000 mov dword ptr fs:[0], edx
0040A44C |. E9 88010000 jmp 0040A5D9
0040A451 |> 8D45 08 lea eax, dword ptr [ebp+8]
0040A454 |. E8 C7B6FFFF call 00405B20
0040A459 |. 50 push eax ; /Arg2
0040A45A |. 8D55 A0 lea edx, dword ptr [ebp-60] ; |
0040A45D |. 52 push edx ; |Arg1
0040A45E |. E8 8D4A0B00 call 004BEEF0 ; \hexcmp_e.004BEEF0
0040A463 |. 83C4 08 add esp, 8
0040A466 C645 A1 30 mov byte ptr [ebp-5F], 30
0040A46A 90 nop
0040A46B 90 nop
0040A46C 90 nop
0040A46D 90 nop
0040A46E 90 nop
0040A46F 90 nop
0040A470 90 nop
0040A471 90 nop
0040A472 90 nop
0040A473 |. C645 A1 23 mov byte ptr [ebp-5F], 23 ; SN[1]<-'#',23
0040A477 |. C645 DB 01 mov byte ptr [ebp-25], 1 ; initialize the check result to 1 (success)
0040A47B |. C745 D4 02000000 mov dword ptr [ebp-2C], 2 ; loop variable init i <-- 2
0040A482 |> 8B45 D4 /mov eax, dword ptr [ebp-2C]
0040A485 |. 0FBE5405 88 |movsx edx, byte ptr [ebp+eax-78] ; A<--DICT[i], indices start at 0
0040A48A |. 8B4D D4 |mov ecx, dword ptr [ebp-2C]
0040A48D |. 0FBE440D 9F |movsx eax, byte ptr [ebp+ecx-61] ; B<--SN[i-1]
0040A492 |. 03D0 |add edx, eax ; C<--A+B
0040A494 |. 8B4D D4 |mov ecx, dword ptr [ebp-2C]
0040A497 |. 0FBE440D A0 |movsx eax, byte ptr [ebp+ecx-60] ; D<--SN[i]
0040A49C |. 33D0 |xor edx, eax ; C<-C^D
0040A49E |. 8B4D D4 |mov ecx, dword ptr [ebp-2C]
0040A4A1 |. 0FBE440D 88 |movsx eax, byte ptr [ebp+ecx-78] ; A<--DICT[i]
0040A4A6 |. 33D0 |xor edx, eax ; C<--C^A
0040A4A8 |. 52 |push edx ; /Arg1
0040A4A9 |. E8 AE87FFFF |call 00402C5C ; \hexcmp_e.00402C5C
0040A4AE |. 59 |pop ecx
0040A4AF |. B9 1A000000 |mov ecx, 1A ; the previous CALL returns EAX=A^C-C
0040A4B4 |. 99 |cdq
0040A4B5 |. F7F9 |idiv ecx
0040A4B7 |. 83C2 41 |add edx, 41 ; E<--(EAX % 1A) + 41
0040A4BA |. 8B45 D4 |mov eax, dword ptr [ebp-2C]
0040A4BD 885428 A9 mov byte ptr [eax+ebp-57], dl ; SN[i+9]=E?
0040A4C1 90 nop
0040A4C2 90 nop
0040A4C3 90 nop
0040A4C4 EB 06 jmp short 0040A4CC
0040A4C6 |. C645 DB 00 |mov byte ptr [ebp-25], 0 ; set to 0: check failed, leave the loop
0040A4CA |. EB 0B |jmp short 0040A4D7
0040A4CC |> FF45 D4 |inc dword ptr [ebp-2C] ; loop variable i<--i+1
0040A4CF |. 8B55 D4 |mov edx, dword ptr [ebp-2C]
0040A4D2 |. 83FA 0A |cmp edx, 0A ; i<0xA?, loops 8 times
0040A4D5 |.^ 7C AB \jl short 0040A482
0040A4D7 |> 8A45 DB mov al, byte ptr [ebp-25]
0040A4DA |. 84C0 test al, al
0040A4DC |. 0F84 CB000000 je 0040A5AD ; failure
0040A4E2 |. C745 D0 18000000 mov dword ptr [ebp-30], 18 ; init j<--0x18
0040A4E9 |. 66:C745 EC 0800 mov word ptr [ebp-14], 8
0040A4EF |. 8B55 D0 mov edx, dword ptr [ebp-30]
0040A4F2 |. 83FA 28 cmp edx, 28
0040A4F5 |. 7D 4D jge short 0040A544
0040A4F7 |> 8B4D D0 /mov ecx, dword ptr [ebp-30]
0040A4FA |. 0FBE440D 89 |movsx eax, byte ptr [ebp+ecx-77] ; 'Y'
0040A4FF |. B9 06000000 |mov ecx, 6
0040A504 |. 99 |cdq
0040A505 |. F7F9 |idiv ecx
0040A507 |. 8BCA |mov ecx, edx
0040A509 |. 8B45 D0 |mov eax, dword ptr [ebp-30]
0040A50C |. 0FBE5405 8A |movsx edx, byte ptr [ebp+eax-76] ; '1'
0040A511 |. D3E2 |shl edx, cl
0040A513 |. 8B45 D0 |mov eax, dword ptr [ebp-30]
0040A516 |. 0FBE4C05 8B |movsx ecx, byte ptr [ebp+eax-75]
0040A51B |. 0BD1 |or edx, ecx
0040A51D |. 52 |push edx ; /Arg1
0040A51E |. E8 3987FFFF |call 00402C5C ; \hexcmp_e.00402C5C
0040A523 |. 59 |pop ecx
0040A524 |. B9 1A000000 |mov ecx, 1A
0040A529 |. 99 |cdq
0040A52A |. F7F9 |idiv ecx
0040A52C |. 80C2 61 |add dl, 61
0040A52F |. 8B45 D0 |mov eax, dword ptr [ebp-30]
0040A532 |. 889405 5CFFFFFF |mov byte ptr [ebp+eax-A4], dl
0040A539 |. FF45 D0 |inc dword ptr [ebp-30]
0040A53C |. 8B55 D0 |mov edx, dword ptr [ebp-30]
0040A53F |. 83FA 28 |cmp edx, 28
0040A542 |.^ 7C B3 \jl short 0040A4F7
0040A544 |> C645 84 5A mov byte ptr [ebp-7C], 5A
0040A548 |. C645 85 59 mov byte ptr [ebp-7B], 59
0040A54C |. C745 CC 18000000 mov dword ptr [ebp-34], 18
0040A553 |. 66:C745 EC 0800 mov word ptr [ebp-14], 8
0040A559 |. 8B45 CC mov eax, dword ptr [ebp-34]
0040A55C |. 83F8 28 cmp eax, 28
0040A55F |. 7D 4C jge short 0040A5AD
0040A561 |> 8B55 CC /mov edx, dword ptr [ebp-34]
0040A564 |. 0FBE8C15 5CFFFFFF |movsx ecx, byte ptr [ebp+edx-A4]
0040A56C |. C1E1 04 |shl ecx, 4
0040A56F |. 8B45 CC |mov eax, dword ptr [ebp-34]
0040A572 |. 0FBE9405 5DFFFFFF |movsx edx, byte ptr [ebp+eax-A3]
0040A57A |. D1FA |sar edx, 1
0040A57C |. 33CA |xor ecx, edx
0040A57E |. 51 |push ecx ; /Arg1
0040A57F |. E8 D886FFFF |call 00402C5C ; \hexcmp_e.00402C5C
0040A584 |. 59 |pop ecx
0040A585 |. B9 1A000000 |mov ecx, 1A
0040A58A |. 99 |cdq
0040A58B |. F7F9 |idiv ecx
0040A58D |. 83C2 41 |add edx, 41
0040A590 |. 8B45 CC |mov eax, dword ptr [ebp-34]
0040A593 885428 A0 mov byte ptr [eax+ebp-60], dl
0040A597 90 nop
0040A598 90 nop
0040A599 90 nop
0040A59A EB 06 jmp short 0040A5A2
0040A59C |. C645 DB 00 |mov byte ptr [ebp-25], 0
0040A5A0 |. EB 0B |jmp short 0040A5AD
0040A5A2 |> FF45 CC |inc dword ptr [ebp-34]
0040A5A5 |. 8B55 CC |mov edx, dword ptr [ebp-34]
0040A5A8 |. 83FA 28 |cmp edx, 28
0040A5AB |.^ 7C B4 \jl short 0040A561
0040A5AD > \C645 AA 59 mov byte ptr [ebp-56], 59
0040A5B1 . E9 260A0C00 jmp 004CAFDC
0040A5B6 |. C645 DB 00 mov byte ptr [ebp-25], 0
0040A5BA |> 8A45 DB mov al, byte ptr [ebp-25]
0040A5BD |. 50 push eax
0040A5BE |. FF4D F8 dec dword ptr [ebp-8]
0040A5C1 |. 8D45 08 lea eax, dword ptr [ebp+8]
0040A5C4 |. BA 02000000 mov edx, 2
0040A5C9 |. E8 B6EC0B00 call 004C9284
0040A5CE |. 58 pop eax
0040A5CF |. 8B55 DC mov edx, dword ptr [ebp-24]
0040A5D2 |. 64:8915 00000000 mov dword ptr fs:[0], edx
0040A5D9 |> 5F pop edi
0040A5DA |. 5E pop esi
0040A5DB |. 8BE5 mov esp, ebp
0040A5DD |. 5D pop ebp
0040A5DE \. C3 retn
Add the following code in the blank space at the end of the PE:
004CAFD0 - 73 6E jnb short 004CB040
004CAFD2 2062 79 and byte ptr [edx+79], ah
004CAFD5 2078 73 and byte ptr [eax+73], bh
004CAFD8 0000 add byte ptr [eax], al
004CAFDA 00 db 00
004CAFDB 00 db 00
004CAFDC 8D45 A0 lea eax, dword ptr [ebp-60] ; [ebp-60] = address of the real code
004CAFDF C640 01 30 mov byte ptr [eax+1], 30 ; restore '#' back to '0'
004CAFE3 C640 2C 00 mov byte ptr [eax+2C], 0 ; terminating null
004CAFE7 90 nop
004CAFE8 6A 00 push 0
004CAFEA 68 D0AF4C00 push 004CAFD0 ; ASCII "sn by xs"
004CAFEF 50 push eax
004CAFF0 6A 00 push 0
004CAFF2 90 nop
004CAFF3 90 nop
004CAFF4 FF15 E0FDC700 call dword ptr [<&USER32.MessageBoxA>] ; USER32.MessageBoxA
004CAFFA ^ E9 BBF5F3FF jmp 0040A5BA
004CAFFF 00 db 00
Note: to work across platforms, MessageBoxA is called through its IAT entry rather than a hard-coded address.
0040C15D |. E8 BE99FFFF call 00405B20
0040C162 |. 0FBE50 17 movsx edx, byte ptr [eax+17] ; SN[23] must be a digit 0-9
0040C166 |. 83FA 30 cmp edx, 30
0040C169 |. 7C 16 jl short 0040C181
0040C16B |. 8B45 A4 mov eax, dword ptr [ebp-5C]
0040C16E |. 05 18030000 add eax, 318
0040C173 |. E8 A899FFFF call 00405B20
0040C178 |. 0FBE50 17 movsx edx, byte ptr [eax+17]
0040C17C |. 83FA 39 cmp edx, 39
0040C17F |. 7E 0D jle short 0040C18E
0040C181 |> 8B0D EC684D00 mov ecx, dword ptr [4D68EC]
0040C187 C681 C4040000 00 mov byte ptr [ecx+4C4], 0
0040C18E |> B2 01 mov dl, 1
0040C190 |. A1 B05B4A00 mov eax, dword ptr [4A5BB0]
0040C195 |. E8 169B0900 call 004A5CB0
0040C19A |. 8945 9C mov dword ptr [ebp-64], eax
0040C19D |. BA 01000080 mov edx, 80000001
0040C1A2 |. 8B45 9C mov eax, dword ptr [ebp-64]
0040C1A5 |. E8 EECE0B00 call 004C9098
0040C1AA |. 8B0D EC684D00 mov ecx, dword ptr [4D68EC]
0040C1B0 |. 8A81 C4040000 mov al, byte ptr [ecx+4C4]
0040C1B6 |. 84C0 test al, al
0040C1B8 |. 0F84 06010000 je 0040C2C4
0040C1BE |. 66:C745 B8 3800 mov word ptr [ebp-48], 38
0040C1C4 |. BA 54EA4C00 mov edx, 004CEA54 ;software\xtzy\hexcmp
Figure:
Note when entering the trial registration code:
the user name must be at least 3 characters long;
the registration code must be exactly 44 (0x2C) characters, and the 23rd character (0-based index 0x17) must be a digit. The simplest choice is to enter 44 digits.
-------------------------------Part 3 -----------------------------------------
[Sequel 2] A flash of inspiration: let the program report its own registration code
Found that the serial obtained in [Sequel 1] does not register correctly; tracing shows:
the registration code is independent of the user name;
the registration code is self-checking;
Let the registration code be 4 segments, 44 bytes in total, S1S2S3S4, plus a temporary intermediate variable T.
The program computes:
S1----compute----> S2;
S2----compute----> T;
T-----compute----> S3;
In [Sequel 1], because I assigned the true value S2' directly, while T had already been computed from the trial S2 before S3' was computed, S3' came out wrong.
(hexcmp.exe.unpacked_AUTO_SN_SHOW.exe)
The code CODE1 that pops up is not the real registration code; the NO value under the registry key HKCU\SOFTWARE\XTZY\HEXCMP\ must be deleted, then CODE1 used as the trial code to register again, which pops up CODE2, and only then is the real registration code obtained.
Solution: (hexcmp.exe.unpacked_AUTO_SN_SHOW_final.exe)
Borrow the verification-result flag variable [EBP-25] as the counter for two passes of the loop.
Final corrected code:
0040A45E . E8 8D4A0B00 call 004BEEF0 ; \hexcmp_e.004BEEF0
0040A463 . 83C4 08 add esp, 8
0040A466 C645 DB 03 mov byte ptr [ebp-25], 3
0040A46A 807D DB 02 cmp byte ptr [ebp-25], 2
0040A46E 0F8C 680B0C00 jl 004CAFDC
0040A474 FE4D DB dec byte ptr [ebp-25]
0040A477 C645 A1 23 mov byte ptr [ebp-5F], 23
0040A47B C745 D4 02000000 mov dword ptr [ebp-2C], 2
0040A482 > 8B45 D4 mov eax, dword ptr [ebp-2C]
0040A485 . 0FBE5405 88 movsx edx, byte ptr [ebp+eax-78]
Jump to where the intermediate string variable T is computed
0040A5A8 . 83FA 28 cmp edx, 28
0040A5AB .^ 7C B4 jl short 0040A561
0040A5AD > C645 AA 59 mov byte ptr [ebp-56], 59
0040A5B1 ^ E9 B4FEFFFF jmp 0040A46A
0040A5B6 . C645 DB 00 mov byte ptr [ebp-25], 0
0040A5BA > 8A45 DB mov al, byte ptr [ebp-25]
Test:
Trial code: 11223344556677889900112233445566778899001122
Popped-up code:
---------------------------
sn by xs
---------------------------
1022334455YJKRWLSPS01122BZBMRTBTHLLMKRVLHFC1
---------------------------
确定
---------------------------