最近发了那么多水帖……不行了,要努力一下了:)
昨天晚上刚刚出炉的,从2003年的CFAN光盘上随便找了一个:)
OK……慢慢看吧
【文章标题】: 家庭银行家算法完全解析
【文章作者】: NONAME剑人
【作者邮箱】: wangjunyi2008@sina.com
【作者主页】: ....Have No....
【作者QQ号】: 464252600(验证:反汇编)
【软件名称】: 家庭银行家 2.0 build 53
【软件大小】: 1.27MB
【下载地址】: 上NEWHUA
【加壳方式】: ASP
【保护方式】: ASP SHELL
【编写语言】: Borland Delphi 4.0 - 5.0
【使用工具】: OllyDbg UnAspPack PeiD
【操作平台】: WindowsXP Pro正
【软件介绍】: "家庭银行家" 是一款面向家庭和个人用户的理财软件
日常收支情况记录
1 方便、快捷、迅速的输入方式:操作类似于电子表格,可以全部用键盘完成输入过程
2 功能强大的查询功能:一改以往复杂的专业查询方式,用接近自然语言的查询条件组合,迅速找出您所需要的数据
3 归类分析:让您马上了解每个收支子项目中钱赚了多少,钱又花了多少
4 功能强大的图表分析:功能日益强劲的图表分析功能,让您用最直观地方式了解收支组成
5 每日收支记录统计分析:让您迅速地察看每天收支情况
6 灵活、自由、全面的各项设置:所有的收支项目内容都可以自由定制,以最适应自己生活习惯的方式运行
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
呵呵,好久以前的软件了。2003年的,之所以找老版本是希望作者不会为一点点小的利益而*** :)
(由于手头没有精华,不好判断是不是写重了……各位发现了表鞭我……)
先用PeiD查壳,ASP的壳,手头正好有脱壳工具,就懒得动手扒皮了(我有撸子:) )
脱完以后用OD加载,没有自效验,没有反DEBUG,好!(窃喜)再来,看注册,居然是内存注册,好!(再次窃喜)
OD插件里选“超级字串参考+”,选UNICODE,往上上上拉,找到了“注册失败,请检查您的注册码是否输入正确。”没?
好!我们来分析……
00736122 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00736125 |. 50 PUSH EAX ; //入假注册码
00736126 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00736129 |. 8B83 F0020000 MOV EAX,DWORD PTR DS:[EBX+2F0]
0073612F |. E8 8851D0FF CALL HomeBank.0043B2BC
00736134 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] ; 入注册名
00736137 |. 33C9 XOR ECX,ECX
00736139 |. 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
0073613F |. E8 74DFF5FF CALL HomeBank.006940B8 ; 关键CALL!!!
00736144 |. 84C0 TEST AL,AL
00736146 |. 75 1A JNZ SHORT HomeBank.00736162
00736148 |. 6A 10 PUSH 10
0073614A |. B9 B8617300 MOV ECX,HomeBank.007361B8 ; 家庭银行家
0073614F |. BA C4617300 MOV EDX,HomeBank.007361C4 ; 注册失败,请检查您的注册码是否输入正确。
00736154 |. A1 E8747500 MOV EAX,DWORD PTR DS:[7574E8]
00736159 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0073615B |. E8 A847D2FF CALL HomeBank.0045A908
00736160 |. EB 2E JMP SHORT HomeBank.00736190
00736162 |> 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
00736168 |. E8 2FDCF5FF CALL HomeBank.00693D9C
0073616D |. 84C0 TEST AL,AL
0073616F |. 74 1F JE SHORT HomeBank.00736190
00736171 |. 6A 40 PUSH 40
00736173 |. B9 B8617300 MOV ECX,HomeBank.007361B8 ; 家庭银行家
00736178 |. BA F0617300 MOV EDX,HomeBank.007361F0 ; 注册成功,谢谢。请退出程序后重新进入。
显然
----------------------------
00736144 |. 84C0 TEST AL,AL
00736146 |. 75 1A JNZ SHORT HomeBank.00736162
----------------------------
两句说明了上面有重要CALL,接进去
006940B8 /$ 55 PUSH EBP
006940B9 |. 8BEC MOV EBP,ESP
006940BB |. 83C4 F0 ADD ESP,-10
006940BE |. 53 PUSH EBX
006940BF |. 33DB XOR EBX,EBX
006940C1 |. 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
006940C4 |. 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
006940C7 |. 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
006940CA |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX ; [EBP-4]入假用户名
006940CD |. 8BD8 MOV EBX,EAX
006940CF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; 取出用户名
006940D2 |. E8 3904D7FF CALL HomeBank.00404510
006940D7 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
006940DA |. E8 3104D7FF CALL HomeBank.00404510
006940DF |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
006940E2 |. E8 2904D7FF CALL HomeBank.00404510
006940E7 |. 33C0 XOR EAX,EAX
006940E9 |. 55 PUSH EBP
006940EA |. 68 A2416900 PUSH HomeBank.006941A2
006940EF |. 64:FF30 PUSH DWORD PTR FS:[EAX]
006940F2 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
006940F5 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
006940F8 |. E8 5F02D7FF CALL HomeBank.0040435C
006940FD |. 3B43 3C CMP EAX,DWORD PTR DS:[EBX+3C]
00694100 |. 7F 19 JG SHORT HomeBank.0069411B
00694102 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00694105 |. E8 5202D7FF CALL HomeBank.0040435C
0069410A |. 3B43 40 CMP EAX,DWORD PTR DS:[EBX+40]
0069410D |. 7C 0C JL SHORT HomeBank.0069411B
0069410F |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00694112 |. E8 4502D7FF CALL HomeBank.0040435C
00694117 |. 85C0 TEST EAX,EAX
00694119 |. 75 04 JNZ SHORT HomeBank.0069411F
0069411B |> 33DB XOR EBX,EBX
0069411D |. EB 60 JMP SHORT HomeBank.0069417F
0069411F |> 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00694122 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00694125 |. E8 7A5DD7FF CALL HomeBank.00409EA4 ; 假注册码全大写
0069412A |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
0069412D |. 8D45 08 LEA EAX,DWORD PTR SS:[EBP+8]
00694130 |. E8 3F00D7FF CALL HomeBank.00404174
00694135 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00694138 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0069413B |. 8BC3 MOV EAX,EBX
0069413D |. E8 66FCFFFF CALL HomeBank.00693DA8 ; 关键
00694142 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00694145 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
00694148 |. E8 CF5DD7FF CALL HomeBank.00409F1C
0069414D |. 85C0 TEST EAX,EAX
0069414F |. 74 04 JE SHORT HomeBank.00694155
00694151 |. 33DB XOR EBX,EBX
00694153 |. EB 2A JMP SHORT HomeBank.0069417F
00694155 |> 8D43 38 LEA EAX,DWORD PTR DS:[EBX+38]
00694158 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
0069415B |. E8 D0FFD6FF CALL HomeBank.00404130
00694160 |. 8D43 44 LEA EAX,DWORD PTR DS:[EBX+44]
00694163 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00694166 |. E8 C5FFD6FF CALL HomeBank.00404130
0069416B |. 8D43 4C LEA EAX,DWORD PTR DS:[EBX+4C]
0069416E |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
00694171 |. E8 BAFFD6FF CALL HomeBank.00404130
00694176 |. 8BC3 MOV EAX,EBX
00694178 |. E8 B7010000 CALL HomeBank.00694334
0069417D |. B3 01 MOV BL,1
0069417F |> 33C0 XOR EAX,EAX
00694181 |. 5A POP EDX
00694182 |. 59 POP ECX
00694183 |. 59 POP ECX
00694184 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00694187 |. 68 A9416900 PUSH HomeBank.006941A9
0069418C |> 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0069418F |. BA 04000000 MOV EDX,4
00694194 |. E8 67FFD6FF CALL HomeBank.00404100
00694199 |. 8D45 08 LEA EAX,DWORD PTR SS:[EBP+8]
0069419C |. E8 3BFFD6FF CALL HomeBank.004040DC
006941A1 \. C3 RETN
这时候动态破解吧,很容易可以看出这个关键CALL是在0069413D
再来
00693DD9 |. E8 7E05D7FF CALL HomeBank.0040435C ; EAX=假用户名的位
00693DDE |. 3B46 3C CMP EAX,DWORD PTR DS:[ESI+3C]
00693DE1 |. 7F 0D JG SHORT HomeBank.00693DF0
00693DE3 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00693DE6 |. E8 7105D7FF CALL HomeBank.0040435C
00693DEB |. 3B46 40 CMP EAX,DWORD PTR DS:[ESI+40] ; 如果《=3 则
00693DEE |. 7D 0C JGE SHORT HomeBank.00693DFC
00693DF0 |> 8BC7 MOV EAX,EDI
00693DF2 |. E8 E502D7FF CALL HomeBank.004040DC
00693DF7 |. E9 9F000000 JMP HomeBank.00693E9B
00693DFC |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00693DFF |. E8 5805D7FF CALL HomeBank.0040435C
00693E04 |. 8BD8 MOV EBX,EAX
00693E06 |. EB 31 JMP SHORT HomeBank.00693E39
00693E08 |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] ; 入假用户名
00693E0B |. 8A4418 FF |MOV AL,BYTE PTR DS:[EAX+EBX-1] ; 循环,提字符串,不用解释吧(最终到EDX)
解释一下上面,是从末尾开始取字符串
00693E0F |. 25 FF000000 |AND EAX,0FF ; EAX和0FF做与运算
00693E14 |. 33D2 |XOR EDX,EDX ; EDX=0
00693E16 |. 52 |PUSH EDX
00693E17 |. 50 |PUSH EAX
00693E18 |. 8B46 58 |MOV EAX,DWORD PTR DS:[ESI+58]
00693E1B |. 8B56 5C |MOV EDX,DWORD PTR DS:[ESI+5C]
00693E1E |. E8 763BD7FF |CALL HomeBank.00407999 ;计算那个EAX……
00693E23 |. 52 |PUSH EDX ; /Arg2
00693E24 |. 50 |PUSH EAX ; |Arg1
00693E25 |. 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C] ; |把EAX做成字符串放到EBP-C里入栈
00693E28 |. E8 1F67D7FF |CALL HomeBank.0040A54C ; \HomeBank.0040A54C
00693E2D |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
00693E30 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
00693E33 |. E8 2C05D7FF |CALL HomeBank.00404364
00693E38 |. 4B |DEC EBX
00693E39 |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; 入假用户名
00693E3C |. E8 1B05D7FF |CALL HomeBank.0040435C ; 求位
00693E41 |. 83E8 06 |SUB EAX,6 ; EAX=EAX-6(1:E-6=8)
00693E44 |. 3BD8 |CMP EBX,EAX ; 原位数=eax就出循环
00693E46 |. 7C 04 |JL SHORT HomeBank.00693E4C
00693E48 |. 85DB |TEST EBX,EBX
00693E4A |.^ 7F BC \JG SHORT HomeBank.00693E08
00693E4C |> 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00693E4F |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; EAX=上面的字符相连
用动态分析,注释说得很详细了……
好了,现在得出一个大长串 我的用户名是NoNameSwordMan得出48955918864438
再下面
00693E4F |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; EAX=上面的字符相连
00693E52 |. E8 F925D7FF CALL HomeBank.00406450
00693E57 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX 1
00693E5A |. 8955 EC MOV DWORD PTR SS:[EBP-14],EDX 2
00693E5D |. 8B5E 50 MOV EBX,DWORD PTR DS:[ESI+50]
00693E60 |. 85DB TEST EBX,EBX
00693E62 |. 7F 11 JG SHORT HomeBank.00693E75
00693E64 |. FF75 EC PUSH DWORD PTR SS:[EBP-14] ; /Arg2
00693E67 |. FF75 E8 PUSH DWORD PTR SS:[EBP-18] ; |Arg1
00693E6A |. 8BD7 MOV EDX,EDI ; |
00693E6C |. 33C0 XOR EAX,EAX ; |
00693E6E |. E8 4967D7FF CALL HomeBank.0040A5BC ; \HomeBank.0040A5BC
00693E73 |. EB 26 JMP SHORT HomeBank.00693E9B
00693E75 |> FF75 EC PUSH DWORD PTR SS:[EBP-14] ; /Arg2
00693E78 |. FF75 E8 PUSH DWORD PTR SS:[EBP-18] ; |Arg1
00693E7B |. 8BD7 MOV EDX,EDI ; |
00693E7D |. 8BC3 MOV EAX,EBX ; |
00693E7F |. E8 3867D7FF CALL HomeBank.0040A5BC ; \HomeBank.0040A5BC
00693E84 |. 8B07 MOV EAX,DWORD PTR DS:[EDI] ------------最佳看注册码点
00693E86 |. E8 D104D7FF CALL HomeBank.0040435C
00693E8B |. 8BC8 MOV ECX,EAX
00693E8D |. 2B4E 50 SUB ECX,DWORD PTR DS:[ESI+50]
00693E90 |. 8B56 50 MOV EDX,DWORD PTR DS:[ESI+50]
00693E93 |. 42 INC EDX
00693E94 |. 8BC7 MOV EAX,EDI
00693E96 |. E8 0907D7FF CALL HomeBank.004045A4
00693E9B |> 33C0 XOR EAX,EAX
00693E9D |. 5A POP EDX
00693E9E |. 59 POP ECX
00693E9F |. 59 POP ECX
00693EA0 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00693EA3 |. 68 C83E6900 PUSH HomeBank.00693EC8
00693EA8 |> 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00693EAB |. E8 2C02D7FF CALL HomeBank.004040DC
00693EB0 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
00693EB3 |. E8 2402D7FF CALL HomeBank.004040DC
00693EB8 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00693EBB |. E8 1C02D7FF CALL HomeBank.004040DC
00693EC0 \. C3 RETN
动分,得知1 2和附近的一些步骤是在做10---》16位(后编辑注:我查了查原来的精华,确实有这个软件的文章----
-----我的表情 #_# 5555~`,不过这步说错了,这是在10--16,不是提位,这是10---16的一种方法(4个一分割) )
OK,把你刚才的那个大长串放到CALC里,再转到16进制……OK!REG FINISH!
整理一下
可用的用户名/序列号
NoNameSwordMan
2c8670275036
最佳爆破点
00736146,改JNZ为JMP
并且
0073616F,改为NOP
完了!(不过好象只是表面现象……)
或者你还可以导入注册表
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0C45C661-6005-11D5-8FF3-0040D6E32A01}\Info]
"Data"=hex:0e,4e,6f,4e,61,6d,65,53,77,6f,72,64,4d,61,6e,00,00,00,00,00,98,55,\
01,01,32,00,00,00,a0,fc,12,00,00,00,00,00,94,fd,12,00,18,ee,92,7c,64,fd,12,\
00,00,00,00,00,c8,05,93,7c,c8,54,d2,01,30,fe,12,00,51,05,93,7c,78,07,14,00,\
80,fd,12,00,00,00,00,00,c8,05,93,7c,78,54,d2,01,4c,fe,12,00,51,05,93,7c,78,\
07,14,00,20,00,84,01,e4,17,85,01,20,d0,84,01,20,d0,84,01,f0,14,85,01,20,d0,\
84,01,00,00,00,00,f0,d4,41,00,06,74,61,62,52,65,67,65,20,d0,84,01,5c,10,85,\
01,20,d0,84,01,00,00,00,00,f0,d4,41,00,07,70,61,67,65,52,65,67,28,00,00,00,\
58,8f,d2,01,a4,fe,12,00,51,05,93,7c,28,00,00,00,a8,01,14,00,80,8f,d2,01,28,\
00,00,00,2c,f1,0c,32,43,38,36,37,30,32,37,35,30,33,36,00,bc,24,85,01,98,1e,\
85,01,ec,d0,41,00,98,1e,85,01,e4,17,85,01,00,00,14,00,e4,17,85,01,01,1a,85,\
01,e4,17,85,01,ec,d0,41,00,e4,17,85,01,5c,10,85,01,ec,d0,41,00,5c,10,85,01,\
01,14,85,01,f0,14,85,01,ec,d0,41,00,f0,14,85,01,5c,10,85,01,ec,d0,41,00,5c,\
10,85,01,01,10,85,01,17,d1,41,00,5c,10,85,01,01,14,85,01,54,19,50,00,bc,f6,\
83,01,ec,d0,41,00,bc,f6,83,01,01,00,00,00,17,d1,41,00,5c,10,85,01,01,10,85,\
01,0c,3a,69,00,02,00,00,00,20,d0,84,01,01,00,00,00,3f,d1,41,00,5c,10,85,01,\
01,10,85,01,00,00,00,00,5c,10,85,01,5c,10,85,01,00,00,00,00,18,3b,41,00,85,\
40,41,00,84,0a,16,01,04,32,2e,30,30,6e,41,00,58,10,85,01,00,00,00,00,5c,10,\
00,00,70,4c,00,41,5c,f6,84,01,00,00,00,00,00,00,00,00,18,3b,41,00,bc,f6,83,\
01
(上面的用户名是NoNameSwordMan的……不了解怎么写进注册表的)
--------------------------分隔线-------------------------
OK,最后既然别人写过了,那最后我就盗用一下别人的成果:) (我上面可是自己分析的……)
谢谢lq7972的注册机---我是懒得写了
【注册机】
; 从反汇编中拷过来的,懒得(用高级语言伪指令)整理了;凑合着看吧
; $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
; keygen.asm
.386
.model flat, stdcall
option casemap : none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include masm32.inc
includelib masm32.lib
DLG_MAIN equ 101
ICO_MAIN equ 102
IDC_NAME equ 1000
IDC_CODE equ 1001
.data?
hInstance dd ?
.data
szErrTitle db "ErrInfo",0
szErr db "NameLen:[3, 25)", 0
bCounter dd 4
bNameLen dd 4
szUserName db 32 dup (0)
szRegCode db 32 dup (0)
szTemp db 32 dup (0)
szTemp01 db 4 dup (0)
szTemp02 db 4 dup (0)
szTemp03 db 4 dup (0)
szTemp04 db 4 dup (0)
szTemp05 db 4 dup (0)
szTemp06 db 4 dup (0)
szTemp07 db 12 dup (0)
szTemp08 db 12 dup (0)
szFmt db "%s%s", 0
.code
; =====================================================================
_CalcCode proc
pushad
mov dword ptr szTemp01, eax
mov dword ptr szTemp02, edx
mov eax, dword ptr szTemp04
mul dword ptr szTemp01
mov ecx, eax
mov eax, dword ptr szTemp02
mul dword ptr szTemp03
add ecx, eax
mov eax, dword ptr szTemp01
mul dword ptr szTemp03
add edx, ecx
mov dword ptr szTemp03, eax
mov dword ptr szTemp04, edx
popad
ret
_CalcCode endp
; =====================================================================
_Temp2Code proc
pushad
mov esi, eax
mov ebp, 1
mov ebx, 1
xor ecx, ecx
xor edi, edi
mov dword ptr szTemp05, 0
mov dword ptr szTemp06, 0
BEGIN :
mov al, byte ptr [esi+ebp-1]
mov edx, eax
add dl, 0D0h
sub dl, 0Ah
jnb GAMEOVER
mov edi, eax
and edi, 0FFh
sub edi, 030h
cmp dword ptr szTemp06, 0
jnz @F
cmp dword ptr szTemp05, 0
jb GAMEOVER
jmp JMP_HERE
@@ :
jl GAMEOVER
JMP_HERE :
cmp dword ptr szTemp06, 0CCCCCCCh
jnz @F
cmp dword ptr szTemp05, 0CCCCCCCCh
jbe JBE_HERE
jmp GAMEOVER
@@ :
jg GAMEOVER
JBE_HERE :
mov dword ptr szTemp03, 0Ah
mov dword ptr szTemp04, 0
mov eax, dword ptr szTemp05
mov edx, dword ptr szTemp06
call _CalcCode
mov edx, dword ptr szTemp04
mov eax, edi
cdq
add eax, dword ptr szTemp03
adc edx, dword ptr szTemp04
mov dword ptr szTemp05, eax
mov dword ptr szTemp06, edx
inc ebp
xor ebx, ebx
jmp BEGIN
GAMEOVER :
popad
ret
_Temp2Code endp
; =====================================================================
_Name2Temp proc
pushad
xor edi, edi
mov ebx, dword ptr szTemp01
mov ecx, dword ptr szTemp02
or ecx, ecx
jnz @F
or edx, edx
je LAST
or ebx, ebx
je LAST
@@ :
or edx, edx
jns @F
neg edx
neg eax
sbb edx, 0
or edi, 1
@@ :
or ecx, ecx
jns @F
neg ecx
neg ebx
sbb ecx, 0
@@ :
mov ebp, ecx
mov ecx, 040h
xor edi, edi
xor esi, esi
LOOP01 :
shl eax, 1
rcl edx, 1
rcl esi, 1
rcl edi, 1
cmp edi, ebp
jb @F
ja JUMP01
cmp esi, ebx
jb @F
JUMP01 :
sub esi, ebx
sbb edi, ebp
inc eax
@@ :
loop LOOP01
mov eax, esi
mov dword ptr szTemp01, eax
mov edx, edi
mov dword ptr szTemp02, edx
test ebx, 1
je @F
neg edx
neg eax
sbb edx, 0
@@ :
popad
ret
LAST :
div ebx
xchg eax, edx
xor edx, edx
jmp @B
_Name2Temp endp
; =====================================================================
_CalcRegCode proc
pushad
xor edx, edx
mov dword ptr bCounter, edx
mov ebx, dword ptr bNameLen
jmp @F
CALC_START :
mov eax, offset szUserName
mov al, byte ptr [eax+ebx-01]
and eax, 000000FFh
mov dword ptr szTemp01, eax
mov dword ptr szTemp02, edx
mov eax, 0C7BC0D36h
mov edx, 0000025Ch
call _Name2Temp
mov eax, dword ptr szTemp01
invoke dwtoa, eax, addr szTemp02
mov eax, dword ptr szTemp02
mov edi, dword ptr bCounter
mov dword ptr [szTemp+edi], eax
invoke lstrlen, addr szTemp02
add edi, eax
mov dword ptr bCounter, edi
dec ebx
@@ :
mov eax, dword ptr bNameLen
sub eax, 00000006
cmp ebx, eax
jl @F
test ebx, ebx
jg CALC_START
@@ :
mov eax, offset szTemp
call _Temp2Code
mov eax, dword ptr szTemp05
invoke dw2hex, eax, addr szTemp07
mov eax, dword ptr szTemp06
invoke dw2hex, eax, addr szTemp08
invoke wsprintf, addr szTemp, addr szFmt, \
addr szTemp08, addr szTemp07
invoke lstrlen, addr szTemp
mov esi, eax
xor edi, edi
xor edx, edx
mov eax, offset szTemp
.repeat
mov dl, byte ptr [eax+edi]
inc edi
.until edx != 030h
sub esi, edi
inc esi
.if esi <= 0Ch
invoke rstr, addr szTemp, addr szRegCode, 0Ch
.elseif esi < 010h
mov eax, offset szTemp
invoke rstr, eax, addr szTemp, esi
invoke lstr, addr szTemp, addr szRegCode, 0Bh
.else
invoke lstr, addr szTemp, addr szRegCode, 0Bh
.endif
popad
ret
_CalcRegCode endp
; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_ProDlgMain proc uses ebx edi esi hWnd, wMsg, wParam, lParam
mov eax, wMsg
.if eax == WM_CLOSE
invoke EndDialog, hWnd, NULL
.elseif eax == WM_INITDIALOG
invoke LoadIcon, hInstance, ICO_MAIN
invoke SendMessage, hWnd, WM_SETICON, ICON_BIG, eax
.elseif eax == WM_COMMAND
mov eax, wParam
.if ax == IDOK
invoke RtlZeroMemory,addr szRegCode, 32
invoke GetDlgItemText, hWnd, IDC_NAME, \
addr szUserName, 32
invoke lstrlen, addr szUserName
mov bNameLen, eax
.if bNameLen >= 3 && bNameLen < 25
call _CalcRegCode
.else
invoke MessageBox, NULL, addr szErr, \
addr szErrTitle, MB_OK
.endif
invoke SetDlgItemText, hWnd, IDC_CODE, addr szRegCode
.elseif ax == IDCANCEL
invoke EndDialog, hWnd, NULL
.endif
.else
mov eax, FALSE
ret
.endif
mov eax, TRUE
ret
_ProDlgMain endp
; >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
invoke GetModuleHandle, NULL
mov hInstance, eax
invoke DialogBoxParam, hInstance, DLG_MAIN, \
NULL, offset _ProDlgMain, NULL
invoke ExitProcess, NULL
end start
; $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
; keygen.rc
#include <resource.h>
#define DLG_MAIN 101
#define ICO_MAIN 102
#define IDC_NAME 1000
#define IDC_CODE 1001
#define IDC_STATIC -1
IDI_MAIN ICON "KeyGen.ico"
DLG_MAIN DIALOG DISCARDABLE 174, 140, 187, 79
STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "家庭银行家 V 2.53 KeyGen by lq7972 [bruceyu13@sina.com]"
FONT 10, "System"
BEGIN
DEFPUSHBUTTON "确定",IDOK,21,54,50,14
PUSHBUTTON "取消",IDCANCEL,101,55,50,14
LTEXT "用户名:",IDC_STATIC,7,14,27,11
LTEXT "注册码:",IDC_STATIC,7,34,29,11
EDITTEXT IDC_NAME,37,13,143,12,ES_AUTOHSCROLL
EDITTEXT IDC_CODE,36,33,144,12,ES_AUTOHSCROLL
END
; $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
; makefile
NAME = KeyGen
OBJS = $(NAME).obj
RES = $(NAME).res
LINK_FLAG = /subsystem:windows
ML_FLAG = /c /coff
$(NAME).exe: $(OBJS) $(RES)
Link $(LINK_FLAG) $(OBJS) $(RES)
.asm.obj:
ml $(ML_FLAG) $<
.rc.res:
rc $<
clean:
del *.obj
del *.res
; >>>>>>>>>>>>>>>>>>>>>>>>>>
--------------------------------
OK,结束
--------------------------------------------------------------------------------
【经验总结】
最好多看看FILEMON 和REGMON的提示……
最重要的一点!!!!!!那就是写任何破文之前先看看有没有人写………………
希望斑竹能给我+精(斑竹回:u r BIG CABBAGE...别想),那就给个声望吧:)
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
[课程]Linux pwn 探索篇!
