More on the registration algorithm of 社区游戏伴侣 (Community Game Companion) V2.0

Posted: 2004-10-3 11:05  4983
I just saw another post, 《社区游戏伴侣 V2.0: a simple thing, the first algorithm I have understood since I started cracking》.
It is not a complete crack: the last 4 digits of the registration code also have an algorithm, but that check only starts once you connect to Lianzhong (联众) or Bianfeng (边锋), so even if registration appears to succeed beforehand, it actually has not! The original post is at
http://bbs2.pediy.com/viewtopic.php?t=5377&sid=a7c36fdb8a0346c8a7de343fc18dd2f5
In fact, two years ago I already had a complete algorithm writeup and keygen for 《社区游戏伴侣 V1.2》; he has never changed the algorithm.
It was only posted in the PeDIY (看雪) 001 forum digest, and lately 001 can't be found, haha. So first I'll post a keygen to the FCG forum; the keygen template at the time (provided by youknown) had some display problems under XP and 2000, which I never fixed. I plan to redo it with the new FCG template when I have time.
The keygen is at http://www.fcgchina.com/ctb
I'll look for the writeup again; PeDIY must have kept it, right?
Found the 1.1 writeup in the FCG digest collection; reposting it here. I expect 2.0 is the same, for reference.
Original information:
Serial number: 262838
Title: Computing the registration code for 社区游戏伴侣 1.1, with keygen (30 thousand characters)
Author: La0Qian
Time: 2003-5-9 13:19:25
Reads: 373
Details:
Software name: ****伴侣 1.1
Software size: 213 KB
Platform: Win9x
Category: card counter for games
Homepage: http://www.****.com
Description: card counter for Lianzhong and Bianfeng card games; all features are available after registration.
Cracking tools: OllyDbg 1.08, W32DASM 10, UltraEdit 8.0, AspackDie, fi 2.5
Cracking method: registration algorithm
A friend who plays Lianzhong games told me the card counter 《****伴侣1.1》 had to be registered before he could play Gouji (够级), and asked me to take a look. Its registration scheme is a bit unusual: it verifies through the registry, it only verifies after connecting to Lianzhong, it verifies in several different places, and it requires the game ID, which means you can only play with one user ID. I couldn't find a keygen online either. So, do it myself.
First unpack: ASPack 2.12, easily removed with AspackDie.
Disassemble with W32DASM and search for suspicious strings, etc. Then debug with OllyDbg 1.08; the breakpoints are easy to set.
--------------------------------------------------------------------------------------
0045D16C /. 55 PUSH EBP
0045D16D |. 8BEC MOV EBP,ESP
0045D16F |. B9 0C000000 MOV ECX,0C ; ecx=0x0C
0045D174 |> 6A 00 /PUSH 0 ; initialise locals
0045D176 |. 6A 00 |PUSH 0
0045D178 |. 49 |DEC ECX
0045D179 |.^75 F9 \JNZ SHORT UNPACKED.0045D174
0045D17B |. 53 PUSH EBX ; ebx=011ca3f8, purpose unknown
0045D17C |. 56 PUSH ESI
0045D17D |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0045D180 |. 33C0 XOR EAX,EAX
0045D182 |. 55 PUSH EBP
0045D183 |. 68 A1D34500 PUSH UNPACKED.0045D3A1
0045D188 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0045D18B |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0045D18E |. 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
0045D191 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D194 |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D19A |. E8 5996FDFF CALL UNPACKED.004367F8 ; fetch the fake registration code: 12345678
0045D19F |. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38] ; eax points to the fake code 12345678
0045D1A2 |. 33D2 XOR EDX,EDX
0045D1A4 |. E8 07B9FAFF CALL UNPACKED.00408AB0
0045D1A9 |. 8BC8 MOV ECX,EAX ; ecx = eax
0045D1AB |. 81F9 80969800 CMP ECX,989680 ; 0x989680=10000000; jumps if ecx is not below it. Double-click ecx in the register window to see 12345678
0045D1B1 |. 7D 0F JGE SHORT UNPACKED.0045D1C2
0045D1B3 |. B8 B8D34500 MOV EAX,UNPACKED.0045D3B8
0045D1B8 |. E8 3F31FDFF CALL UNPACKED.004302FC
0045D1BD |. E9 92010000 JMP UNPACKED.0045D354
0045D1C2 |> 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
0045D1C5 |. 50 PUSH EAX
0045D1C6 |. 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
0045D1C9 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D1CC |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D1D2 |. E8 2196FDFF CALL UNPACKED.004367F8
0045D1D7 |. 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
0045D1DA |. B9 04000000 MOV ECX,4
0045D1DF |. 33D2 XOR EDX,EDX
0045D1E1 |. E8 B277FAFF CALL UNPACKED.00404998 ; take the first 4 digits of the fake code: 1234
0045D1E6 |. 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C] ; eax points to the first half of the fake code, 1234
0045D1E9 |. E8 86B8FAFF CALL UNPACKED.00408A74
0045D1EE |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; eax=1234 stored at ebp-10
0045D1F1 |. 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
0045D1F4 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D1F7 |. 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+304]
0045D1FD |. E8 F695FDFF CALL UNPACKED.004367F8 ; fetch the user name: laoqian
0045D202 |. 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48] ; eax=7
0045D205 |. 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
0045D208 |. E8 0BB5FAFF CALL UNPACKED.00408718
0045D20D |. 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] ; eax points to laoqian
0045D210 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C] ; eax=7
0045D213 |. E8 DCB5FAFF CALL UNPACKED.004087F4
0045D218 |. 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
0045D21B |. 50 PUSH EAX
0045D21C |. 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
0045D21F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D222 |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D228 |. E8 CB95FDFF CALL UNPACKED.004367F8
0045D22D |. 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50] ; eax=8,12345678
0045D230 |. B9 04000000 MOV ECX,4
0045D235 |. BA 05000000 MOV EDX,5
0045D23A |. E8 5977FAFF CALL UNPACKED.00404998 ; take the last 4 digits of the fake code: 5678
0045D23F |. 8B55 B4 MOV EDX,DWORD PTR SS:[EBP-4C] ; edx=5678
0045D242 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0045D245 |. E8 FE74FAFF CALL UNPACKED.00404748 ; concatenate into the string laoqian5678
0045D24A |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; into eax
0045D24D |. E8 EE74FAFF CALL UNPACKED.00404740 ; length of "fake user name + last four digits of the fake code"
0045D252 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX ; eax=0xB, the length, stored
0045D255 |. 8D45 CD LEA EAX,DWORD PTR SS:[EBP-33]
0045D258 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; edx = the string laoqian5678 (previously 5678)
0045D25B |. E8 F0BBFAFF CALL UNPACKED.00408E50
0045D260 |. BB DE040000 MOV EBX,4DE ; ebx=0x4de (1246)
0045D265 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; eax = length 0xB of user name + last four digits
0045D268 |. 48 DEC EAX ; eax-1
0045D269 |. 85C0 TEST EAX,EAX ; test
0045D26B |. 7C 37 JL SHORT UNPACKED.0045D2A4
0045D26D |. 40 INC EAX ; eax+1, restored
0045D26E |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX ; length 0xB stored at ebp-14 as the outer loop counter
0045D271 |. 33C9 XOR ECX,ECX ; ecx=0
0045D273 |. 8D45 CD LEA EAX,DWORD PTR SS:[EBP-33] ; load "user name + last four digits": laoqian5678
0045D276 |> 8BD1 /MOV EDX,ECX ; edx=ecx
0045D278 |. 0FAFD1 |IMUL EDX,ECX ; edx=edx*ecx, integer multiply
0045D27B |. 03DA |ADD EBX,EDX ; ebx=ebx+edx
0045D27D |. 33D2 |XOR EDX,EDX ; edx=0
0045D27F |. 8A10 |MOV DL,BYTE PTR DS:[EAX] ; n-th ASCII value of the string "laoqian5678" at eax
0045D281 |. 0FAFD1 |IMUL EDX,ECX ; edx=edx*ecx
0045D284 |. 03DA |ADD EBX,EDX ; ebx=ebx+edx
0045D286 |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8] ; edx = length of user name + last four digits = 0xB
0045D289 |. 4A |DEC EDX ; edx=edx-1
0045D28A |. 83FA 00 |CMP EDX,0 ; below 0?
0045D28D |. 7C 0E |JL SHORT UNPACKED.0045D29D ; if so, skip the inner loop
0045D28F |> 8D1C19 |/LEA EBX,DWORD PTR DS:[ECX+EBX] ; ebx=ebx+ecx
0045D292 |. 0FB630 ||MOVZX ESI,BYTE PTR DS:[EAX] ; n-th ASCII value of the string "laoqian5678" into esi
0045D295 |. 03DE ||ADD EBX,ESI ; ebx=ebx+esi
0045D297 |. 4A ||DEC EDX ; edx=edx-1
0045D298 |. 83FA FF ||CMP EDX,-1 ; reached -1?
0045D29B |.^75 F2 |\JNZ SHORT UNPACKED.0045D28F ; inner loop back to 0045D28F
0045D29D |> 41 |INC ECX ; ecx+1
0045D29E |. 40 |INC EAX ; eax+1, next character
0045D29F |. FF4D EC |DEC DWORD PTR SS:[EBP-14] ; remaining length of "user name + last four digits" -1
0045D2A2 |.^75 D2 \JNZ SHORT UNPACKED.0045D276 ; outer loop back to 0045D276
0045D2A4 |> 85DB TEST EBX,EBX ;
0045D2A6 |. 7D 0D JGE SHORT UNPACKED.0045D2B5
0045D2A8 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0045D2AB |. BA D4D34500 MOV EDX,UNPACKED.0045D3D4 ; ASCII "gg"
0045D2B0 |. E8 6B72FAFF CALL UNPACKED.00404520
0045D2B5 |> 8BC3 MOV EAX,EBX ; eax = the ebx result
0045D2B7 |. B9 10270000 MOV ECX,2710 ; ecx=0X2710=10000
0045D2BC |. 99 CDQ
0045D2BD |. F7F9 IDIV ECX
0045D2BF |. 8BDA MOV EBX,EDX ; edx = remainder of eax divided by ecx=0x2710
0045D2C1 |. 81FB E8030000 CMP EBX,3E8 ; below 0x3e8=1000?
0045D2C7 |. 7D 06 JGE SHORT UNPACKED.0045D2CF
0045D2C9 |. 81C3 70170000 ADD EBX,1770 ; if below 0x3e8=1000, add 0x1770=6000
0045D2CF |> 3B5D F0 CMP EBX,DWORD PTR SS:[EBP-10] ; compare ebx with the first four digits 1234 of the fake code. Note the value of ebx: we use it as the first 4 digits of the registration code!! The last four stay as we entered them, i.e. we can set the last four arbitrarily!? Registration code found.
0045D2D2 |. 74 0C JE SHORT UNPACKED.0045D2E0 ; key jump: equal means registration succeeds. Patching here alone is not enough, because there is also a registry check that needs a Lianzhong connection to verify. <=== can be patched
0045D2D4 |. B8 E0D34500 MOV EAX,UNPACKED.0045D3E0
0045D2D9 |. E8 1E30FDFF CALL UNPACKED.004302FC
0045D2DE |. EB 74 JMP SHORT UNPACKED.0045D354
0045D2E0 |> B2 01 MOV DL,1 ; we can write to the registry successfully without patching, but.....
0045D2E2 |. A1 C4B44500 MOV EAX,DWORD PTR DS:[45B4C4]
0045D2E7 |. E8 D8E2FFFF CALL UNPACKED.0045B5C4
0045D2EC |. 8BD8 MOV EBX,EAX
0045D2EE |. B1 01 MOV CL,1
0045D2F0 |. BA 2CD44500 MOV EDX,UNPACKED.0045D42C ; ASCII "Software\zgsq\lzUser"
0045D2F5 |. 8BC3 MOV EAX,EBX
0045D2F7 |. E8 CCE3FFFF CALL UNPACKED.0045B6C8
0045D2FC |. 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0045D2FF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D302 |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D308 |. E8 EB94FDFF CALL UNPACKED.004367F8
0045D30D |. 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54]
-----------------------------------------------------------------------
At this point I thought I had found the Lianzhong registration code and that we could register with it (Bianfeng registration is about the same). Note the word "thought"!!!
Note the user name must be the Lianzhong registered user name. I tried it, but in Gouji, Show Hand (梭哈) and so on only the card-counting window appeared and it did not count cards; without registration the window does not appear at all. On his homepage forum it seems others also said Gouji doesn't work, even paid registered users. I don't know whether it is a bug in his program or a trap he set; I didn't find a way around it. And with my method every user would have an infinite number of registration codes, which obviously can't be right. So there is still a problem unsolved.
So I think s2 must actually have an algorithm tied to the user name. I couldn't find it by dynamic debugging because I can't go online; it seems that even though writing to the registry succeeds, it still needs to verify, and probably it can only verify after connecting to Lianzhong. I can't solve it for now, so I'll just disassemble and look.
*********************************************************************
Disassemble with W32DASM, search for suspicious strings, and find "联众校验 1 OK" (Lianzhong check 1 OK).
Below is the disassembled Lianzhong check, but I could not find an algorithm tying s2 to the user name:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B34F(C)
|
:0046B35D 40 inc eax
:0046B35E 43 inc ebx
:0046B35F 83F814 cmp eax, 00000014
:0046B362 75BD jne 0046B321
:0046B364 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B367 BA28B44700 mov edx, 0047B428
:0046B36C B915000000 mov ecx, 00000015
:0046B371 E87A93F9FF call 004046F0
:0046B376 8D9574D0FFFF lea edx, dword ptr [ebp+FFFFD074]
:0046B37C 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B37F E894D3F9FF call 00408718
:0046B384 8B9574D0FFFF mov edx, dword ptr [ebp+FFFFD074]
:0046B38A 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B38D E88E91F9FF call 00404520
:0046B392 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B395 E8A693F9FF call 00404740
:0046B39A A344B44700 mov dword ptr [0047B444], eax
:0046B39F B828B44700 mov eax, 0047B428
:0046B3A4 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B3A7 E8A4DAF9FF call 00408E50
:0046B3AC B201 mov dl, 01
:0046B3AE A1C4B44500 mov eax, dword ptr [0045B4C4]
:0046B3B3 E80C02FFFF call 0045B5C4
:0046B3B8 8BF8 mov edi, eax
:0046B3BA B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\zgsq\lzuser"
|
:0046B3BC BAF8B84600 mov edx, 0046B8F8
:0046B3C1 8BC7 mov eax, edi
:0046B3C3 E80003FFFF call 0045B6C8 <==== seems to read it here
:0046B3C8 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B3CB 8BC7 mov eax, edi
:0046B3CD E89A06FFFF call 0045BA6C <==== seems to read it here
:0046B3D2 8BD8 mov ebx, eax
:0046B3D4 889E95030000 mov byte ptr [esi+00000395], bl
:0046B3DA 84DB test bl, bl
:0046B3DC 0F8481000000 je 0046B463
:0046B3E2 8D8D70D0FFFF lea ecx, dword ptr [ebp+FFFFD070]
:0046B3E8 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B3EB 8BC7 mov eax, edi
:0046B3ED E8BE04FFFF call 0045B8B0
:0046B3F2 8B9570D0FFFF mov edx, dword ptr [ebp+FFFFD070]
:0046B3F8 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B3FB E82091F9FF call 00404520
:0046B400 B840B44700 mov eax, 0047B440
:0046B405 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B408 E8CF90F9FF call 004044DC
:0046B40D 8D856CD0FFFF lea eax, dword ptr [ebp+FFFFD06C]
:0046B413 50 push eax
:0046B414 B904000000 mov ecx, 00000004 <==== seems to take 4 characters here
:0046B419 BA05000000 mov edx, 00000005 <==== starting at position 5
:0046B41E 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B421 E87295F9FF call 00404998 <==== the call
:0046B426 8B856CD0FFFF mov eax, dword ptr [ebp+FFFFD06C]
:0046B42C 33D2 xor edx, edx
:0046B42E E87DD6F9FF call 00408AB0
:0046B433 A348B44700 mov dword ptr [0047B448], eax <=== store the last four digits of the fake code
:0046B438 8D8568D0FFFF lea eax, dword ptr [ebp+FFFFD068]
:0046B43E 50 push eax
:0046B43F B904000000 mov ecx, 00000004 <==== seems to take 4 characters here
:0046B444 BA01000000 mov edx, 00000001 <==== starting at position 1
:0046B449 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B44C E84795F9FF call 00404998 <==== the call
:0046B451 8B8568D0FFFF mov eax, dword ptr [ebp+FFFFD068]
:0046B457 33D2 xor edx, edx
:0046B459 E852D6F9FF call 00408AB0
:0046B45E A34CB44700 mov dword ptr [0047B44C], eax <=== store the first four digits of the fake code
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B3DC(C)
|
:0046B463 8BC7 mov eax, edi
:0046B465 E82E82F9FF call 00403698
:0046B46A 8D8564D0FFFF lea eax, dword ptr [ebp+FFFFD064]
:0046B470 50 push eax
:0046B471 B904000000 mov ecx, 00000004
:0046B476 BA05000000 mov edx, 00000005
:0046B47B 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B47E E81595F9FF call 00404998
:0046B483 8B8564D0FFFF mov eax, dword ptr [ebp+FFFFD064]
:0046B489 50 push eax
:0046B48A 8D8560D0FFFF lea eax, dword ptr [ebp+FFFFD060]
:0046B490 BA28B44700 mov edx, 0047B428
:0046B495 B915000000 mov ecx, 00000015
:0046B49A E85192F9FF call 004046F0
:0046B49F 8B9560D0FFFF mov edx, dword ptr [ebp+FFFFD060]
:0046B4A5 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B4A8 59 pop ecx
:0046B4A9 E8DE92F9FF call 0040478C
:0046B4AE 8D85A6D8FFFF lea eax, dword ptr [ebp+FFFFD8A6]
:0046B4B4 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B4B7 E894D9F9FF call 00408E50
:0046B4BC BFDE040000 mov edi, 000004DE <=== note the 10000 below; the algorithm from here on is the same as above
:0046B4C1 A144B44700 mov eax, dword ptr [0047B444]
:0046B4C6 83C004 add eax, 00000004
:0046B4C9 48 dec eax
:0046B4CA 85C0 test eax, eax
:0046B4CC 7C49 jl 0046B517
:0046B4CE 40 inc eax
:0046B4CF 8945D8 mov dword ptr [ebp-28], eax
:0046B4D2 33C0 xor eax, eax
:0046B4D4 8D9DA6D8FFFF lea ebx, dword ptr [ebp+FFFFD8A6]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B515(C)
|
:0046B4DA 8BD0 mov edx, eax
:0046B4DC 0FAFD0 imul edx, eax
:0046B4DF 03FA add edi, edx
:0046B4E1 33D2 xor edx, edx
:0046B4E3 8A13 mov dl, byte ptr [ebx]
:0046B4E5 0FAFD0 imul edx, eax
:0046B4E8 03FA add edi, edx
:0046B4EA 8B1544B44700 mov edx, dword ptr [0047B444]
:0046B4F0 83C204 add edx, 00000004
:0046B4F3 4A dec edx
:0046B4F4 83FA00 cmp edx, 00000000
:0046B4F7 7C17 jl 0046B510
:0046B4F9 8955F8 mov dword ptr [ebp-08], edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B50E(C)
|
:0046B4FC 8D1438 lea edx, dword ptr [eax+edi]
:0046B4FF 33C9 xor ecx, ecx
:0046B501 8A0B mov cl, byte ptr [ebx]
:0046B503 03D1 add edx, ecx
:0046B505 8BFA mov edi, edx
:0046B507 FF4DF8 dec [ebp-08]
:0046B50A 837DF8FF cmp dword ptr [ebp-08], FFFFFFFF
:0046B50E 75EC jne 0046B4FC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B4F7(C)
|
:0046B510 40 inc eax
:0046B511 43 inc ebx
:0046B512 FF4DD8 dec [ebp-28]
:0046B515 75C3 jne 0046B4DA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B4CC(C)
|
:0046B517 85FF test edi, edi
:0046B519 7D0D jge 0046B528
:0046B51B 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B51E BA18B94600 mov edx, 0046B918
:0046B523 E8F88FF9FF call 00404520
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B519(C)
|
:0046B528 8BC7 mov eax, edi
:0046B52A B910270000 mov ecx, 00002710
:0046B52F 99 cdq
:0046B530 F7F9 idiv ecx
:0046B532 8BFA mov edi, edx
:0046B534 81FFE8030000 cmp edi, 000003E8
:0046B53A 7D06 jge 0046B542
:0046B53C 81C770170000 add edi, 00001770
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B53A(C)
|
:0046B542 3B3D4CB44700 cmp edi, dword ptr [0047B44C] <=== compare with the first four digits of the fake code
:0046B548 7515 jne 0046B55F <=== can be patched
* Possible StringData Ref from Code Obj ->"联众校验 1 OK"
|
:0046B54A BA24B94600 mov edx, 0046B924
:0046B54F 8BC6 mov eax, esi
:0046B551 E896550000 call 00470AEC
:0046B556 C60550B4470001 mov byte ptr [0047B450], 01 <=== success flag
:0046B55D EB13 jmp 0046B572
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B548(C)
|
* Possible StringData Ref from Code Obj ->"联众校验 1 false"
|
:0046B55F BA3CB94600 mov edx, 0046B93C
:0046B564 8BC6 mov eax, esi
:0046B566 E881550000 call 00470AEC
:0046B56B C60550B4470000 mov byte ptr [0047B450], 00 <=== failure flag
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046B30A(C), :0046B314(C), :0046B55D(U)
|
:0046B572 8A8567E8FFFF mov al, byte ptr [ebp+FFFFE867]
:0046B578 3CCD cmp al, CD
:0046B57A 7408 je 0046B584
:0046B57C 3CCD cmp al, CD
:0046B57E 0F858D010000 jne 0046B711
.........
------------------------------------------------------------------------------------
************************************************************
Search again; hard work pays off!
Disassemble with W32DASM and search suspicious strings for "联众注册检测2通过" (Lianzhong registration check 2 passed).
Found the disassembly of Lianzhong registration check 2 (s2) below; this is the key!!!
After connecting to Lianzhong, the registration information is read from the registry and we arrive at this call:
* Referenced by a CALL at Address:
|:00460DF1
|
:00463404 55 push ebp
:00463405 8BEC mov ebp, esp
:00463407 83C4E4 add esp, FFFFFFE4
:0046340A 53 push ebx
:0046340B 56 push esi
:0046340C 57 push edi
:0046340D 894DF8 mov dword ptr [ebp-08], ecx
:00463410 8945FC mov dword ptr [ebp-04], eax
:00463413 8B7508 mov esi, dword ptr [ebp+08]
:00463416 8BDA mov ebx, edx
:00463418 8B83109D0000 mov eax, dword ptr [ebx+00009D10]
:0046341E 8945F0 mov dword ptr [ebp-10], eax
:00463421 8B83089D0000 mov eax, dword ptr [ebx+00009D08]
:00463427 8D940330080000 lea edx, dword ptr [ebx+eax+00000830]
:0046342E 8B45F8 mov eax, dword ptr [ebp-08]
:00463431 8BCE mov ecx, esi
:00463433 E8ACF4F9FF call 004028E4
:00463438 01B3089D0000 add dword ptr [ebx+00009D08], esi
:0046343E 81BB089D000088130000 cmp dword ptr [ebx+00009D08], 00001388
:00463448 7E17 jle 00463461
:0046344A 33C0 xor eax, eax
:0046344C 8983089D0000 mov dword ptr [ebx+00009D08], eax
:00463452 C783109D0000FFFFFFFF mov dword ptr [ebx+00009D10], FFFFFFFF
:0046345C E9E8020000 jmp 00463749
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00463448(C), :00463743(C)
|
:00463461 8B83089D0000 mov eax, dword ptr [ebx+00009D08]
:00463467 8945F4 mov dword ptr [ebp-0C], eax
:0046346A 837DF40A cmp dword ptr [ebp-0C], 0000000A
:0046346E 0F8CD5020000 jl 00463749
:00463474 80BB3308000000 cmp byte ptr [ebx+00000833], 00
:0046347B 7507 jne 00463484
:0046347D BE08000000 mov esi, 00000008
:00463482 EB05 jmp 00463489
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046347B(C)
|
:00463484 BE0C000000 mov esi, 0000000C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463482(U)
|
:00463489 8D55EC lea edx, dword ptr [ebp-14]
:0046348C 8D8334080000 lea eax, dword ptr [ebx+00000834]
:00463492 B904000000 mov ecx, 00000004
:00463497 E848F4F9FF call 004028E4
:0046349C 0375EC add esi, dword ptr [ebp-14]
:0046349F 3B75F4 cmp esi, dword ptr [ebp-0C]
:004634A2 7E03 jle 004634A7
:004634A4 83CEFF or esi, FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004634A2(C)
|
:004634A7 83FEFF cmp esi, FFFFFFFF
:004634AA 0F8499020000 je 00463749
:004634B0 80BB3008000000 cmp byte ptr [ebx+00000830], 00
:004634B7 0F8589000000 jne 00463546
:004634BD A1A04D4900 mov eax, dword ptr [00494DA0]
:004634C2 8945E8 mov dword ptr [ebp-18], eax <==== fetch the "user name"
:004634C5 33C9 xor ecx, ecx <==== clear ecx
:004634C7 8B45E8 mov eax, dword ptr [ebp-18]
:004634CA 8B401C mov eax, dword ptr [eax+1C]
:004634CD 85C0 test eax, eax
:004634CF 7E23 jle 004634F4
:004634D1 8945E4 mov dword ptr [ebp-1C], eax <==== length of the "user name"
:004634D4 B801000000 mov eax, 00000001 <==== eax=1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004634F2(C)
|
:004634D9 8B55E8 mov edx, dword ptr [ebp-18] <==== "user name" into edx
:004634DC 0FB65402FF movzx edx, byte ptr [edx+eax-01] <==== ASCII code of each "user name" character in turn
:004634E1 8D787A lea edi, dword ptr [eax+7A] <==== edi=eax+7A
:004634E4 0FAFD7 imul edx, edi <==== edx=edx*edi
:004634E7 8D0C08 lea ecx, dword ptr [eax+ecx] <==== ecx=eax+ecx
:004634EA 03D1 add edx, ecx <==== edx=edx+ecx
:004634EC 8BCA mov ecx, edx <==== ecx=edx
:004634EE 40 inc eax <==== eax+1
:004634EF FF4DE4 dec [ebp-1C] <==== decrement the remaining "user name" length
:004634F2 75E5 jne 004634D9 <==== loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004634CF(C)
|
:004634F4 8BC1 mov eax, ecx <==== eax=ecx
:004634F6 B910270000 mov ecx, 00002710 <==== ecx=0x2710=10000
:004634FB 99 cdq
:004634FC F7F9 idiv ecx <==== remainder of eax divided by ecx=0x2710 into edx
:004634FE 8BCA mov ecx, edx <==== ecx=edx
:00463500 837DF01A cmp dword ptr [ebp-10], 0000001A <==== not debugged dynamically, so I don't know what this is; it doesn't seem to matter. Is the following meant to pad to 3 digits with leading zeros? I don't understand what it does; experts please advise.
:00463504 7C1C jl 00463522 <==== normally this won't jump away; can be patched. I don't understand what follows; experts please advise.
:00463506 8BC1 mov eax, ecx
:00463508 BF10270000 mov edi, 00002710
:0046350D 99 cdq
:0046350E F7FF idiv edi <==== remainder again? remainder of eax divided by edi=0x2710 into edx
:00463510 8B45E8 mov eax, dword ptr [ebp-18] <==== user name
:00463513 3B5020 cmp edx, dword ptr [eax+20] <==== compare with the last four digits of the registration code
:00463516 740A je 00463522 <==== jump if equal; can be patched
:00463518 C783109D0000FFFFFFFF mov dword ptr [ebx+00009D10], FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00463504(C), :00463516(C)
|
:00463522 8B45E8 mov eax, dword ptr [ebp-18] <==== user name
:00463525 3B4820 cmp ecx, dword ptr [eax+20] <==== the real last four digits of the registration code are ecx!!!!
:00463528 750F jne 00463539 <==== key jump; can it be patched? probably
* Possible StringData Ref from Code Obj ->"联众注册检测2通过" <=== note what this is??
|
:0046352A BA5C374600 mov edx, 0046375C
:0046352F 8B45FC mov eax, dword ptr [ebp-04]
:00463532 E8B5D50000 call 00470AEC
:00463537 EB0D jmp 00463546
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463528(C)
|
* Possible StringData Ref from Code Obj ->"联众注册检测2错误"
|
:00463539 BA78374600 mov edx, 00463778
:0046353E 8B45FC mov eax, dword ptr [ebp-04]
:00463541 E8A6D50000 call 00470AEC
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004634B7(C), :00463537(U)
|
:00463546 3B75F4 cmp esi, dword ptr [ebp-0C]
:00463549 0F8FEB010000 jg 0046373A
:0046354F 8B45F0 mov eax, dword ptr [ebp-10]
:00463552 83F81F cmp eax, 0000001F
:00463555 0F87C1010000 ja 0046371C
:0046355B FF248562354600 jmp dword ptr [4*eax+00463562]
:00463562 F7354600 DWORD 004635F7
:00463566 E2354600 DWORD 004635E2
:0046356A 1C374600 DWORD 0046371C
Finally found it, half by guessing.
Below is the keygen program, in Delphi; the Lianzhong part has been verified.
I don't play Bianfeng; interested readers can verify that part themselves.
//======================================================================
// Keygen, Lianzhong part
//------------------------------------------------------------
procedure TForm1.Button1Click(Sender: TObject);
var
  s1, s2, s3 : string;
  m, n, i, inc : integer;
  c1 : char;
begin
  s1 := trim(edit1.Text);              // user name
  m := length(s1);
  n := 0;
  for i := 1 to m do begin             // check 2: last four digits from the user name alone
    c1 := s1[i];
    inc := ord(c1);
    n := n + inc*(i+122) + i;
  end;
  n := n mod 10000;
  str(n, s2);
  case length(s2) of                   // pad with leading zeros to 4 digits
    1: s2 := '000' + s2;
    2: s2 := '00' + s2;
    3: s2 := '0' + s2;
  end;
  s3 := s1 + s2;
  m := length(s3);
  n := 1246;
  for i := 1 to m do begin             // check 1: first four digits from user name + last four digits
    c1 := s3[i];
    inc := ord(c1);
    n := n + (i-1)*m + inc*(m+i-1) + (i-1)*(i-1);
  end;
  n := n mod 10000;
  if n < 1000 then n := n + 6000;
  edit2.Text := inttostr(n) + s2;
end;
//------------------------------------------------------------
// Keygen, Bianfeng part
//------------------------------------------------------------
procedure TForm1.Button3Click(Sender: TObject);
var
  s1, s2, s3 : string;
  m, n, i, inc : integer;
  c1 : char;
begin
  s1 := trim(edit3.Text);
  m := length(s1);
  n := 0;
  for i := 1 to m do begin
    c1 := s1[i];
    inc := ord(c1);
    n := n + inc*(i+255);              // this part is unverified; may be wrong
  end;
  n := n mod 10000;
  str(n, s2);
  case length(s2) of                   // pad with leading zeros to 4 digits
    1: s2 := '000' + s2;
    2: s2 := '00' + s2;
    3: s2 := '0' + s2;
  end;
  s3 := s1 + s2;
  m := length(s3);
  n := 3210;
  for i := 1 to m do begin
    c1 := s3[i];
    inc := ord(c1);
    n := n + (i-1)*m + inc*(m+i-1) + (i-1)*(i-1);
  end;
  n := n mod 100000;
  if n < 10000 then n := n + 80000;
  edit4.Text := inttostr(n) + s2;
end;
========================================================================
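Added example (editor's note, not code from the original post or from the program): the two Lianzhong checks as they read in the listings above, restated in Python as a verifier, beside a keyed alternative. Check 1 is the loop at 0045D260..0045D2C9 (and again at 0046B4BC..0046B542); check 2 is the loop at 004634D9..004634FE with the compare at 00463525. The point it makes is the design weakness the writeup relies on: both checks are unkeyed functions of the user name, so the binary alone determines every valid code. The HMAC variant is an assumed design, not the program's: its secret lives only on the issuing side, so verification has to happen there (the "only verifies when connected" behaviour the post describes), and nothing in the client can recompute it. The function names, the server secret and the sample codes are constructed; the user name laoqian is the one from the post.

```python
import hashlib
import hmac
from typing import Tuple

# Unkeyed checks as read from the listings (added restatement, not the program's source).
# Characters are taken as single bytes, as the program sees them (GBK for non-ASCII names).


def suffix_checksum(username: str) -> int:
    """Check 2 (004634D9..004634FE): last four digits as a function of the user name only."""
    n = 0
    for i, b in enumerate(username.encode("gbk"), start=1):   # eax counts from 1
        n += b * (i + 0x7A) + i                                 # edx = byte*(eax+7A) + (eax+ecx)
    return n % 0x2710                                           # idiv 10000, keep the remainder


def prefix_checksum(username: str, suffix: str) -> int:
    """Check 1 (0045D260..0045D2C9): first four digits from user name + last four digits."""
    s = (username + suffix).encode("gbk")
    m = len(s)                                                  # [ebp-8]
    n = 0x4DE                                                   # ebx seed, 1246
    for j, b in enumerate(s):                                   # ecx = 0-based index
        n += j * j + b * j                                      # outer body: ecx*ecx + byte*ecx
        n += m * (j + b)                                        # inner loop adds ecx+byte, m times
    n %= 0x2710
    if n < 0x3E8:                                               # below 1000 -> add 6000
        n += 0x1770
    return n


def check_registration(username: str, serial: str) -> Tuple[bool, bool]:
    """Mirror the program's two checks on an 8-digit code. Returns (check1_ok, check2_ok)."""
    if len(serial) != 8 or not serial.isdigit() or int(serial) < 0x989680:
        return (False, False)                                   # cmp ecx,989680 rejects codes under 10000000
    prefix, suffix = serial[:4], serial[4:]
    return (int(prefix) == prefix_checksum(username, suffix),
            int(suffix) == suffix_checksum(username))


# Keyed alternative (assumed design, not the program's): the code is an HMAC over the user name
# under a secret held only by the issuing server. Verification must run where the secret is,
# and the client binary carries nothing that lets the value be recomputed.


def issue_signed_license(username: str, server_secret: bytes) -> str:
    return hmac.new(server_secret, username.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def verify_signed_license(username: str, serial: str, server_secret: bytes) -> bool:
    expected = issue_signed_license(username, server_secret)
    return hmac.compare_digest(expected, serial)                # constant-time compare


if __name__ == "__main__":
    # Constructed samples: a code passing both checks, and the post's observation that
    # check 1 alone passes with an arbitrary suffix (the "thought I had found it" stage).
    print(check_registration("laoqian", "67293394"))   # (True, True)
    print(check_registration("laoqian", "68665678"))   # (True, False)
    secret = b"constructed-server-secret"
    code = issue_signed_license("laoqian", secret)
    print(verify_signed_license("laoqian", code, secret))  # True
```

The two-tuple makes the post's failure mode visible: a code whose first half satisfies check 1 is accepted by the registration dialog and written to the registry, and only check 2, run after connecting, rejects the suffix. With the keyed variant the verifier cannot be copied into the client without also shipping the secret, which is why that check belongs on the issuing side.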
Random thought: could we find the breakpoint where it connects to Lianzhong and change it to skip to, or jump to, the registration check 2 part? Then we could debug its check dynamically without going online. Is that feasible?
Interested readers can also try patching; I have marked the patch points, and Bianfeng's are similar.
Then you can register all your game IDs. I don't know whether all game IDs work after patching; try it. I'm tired.
After patching, all game IDs work, but it keeps disconnecting. Since there is a keygen now, better to register each ID separately.
没有破解完全的东西,注册码后4为还有算法的,只是必须连上联众和边锋他才启动验证的,否则前面即使显示注册成功,其实没有成功!原文在
http://bbs2.pediy.com/viewtopic.php?t=5377&sid=a7c36fdb8a0346c8a7de343fc18dd2f5
其实我2年前就《社区游戏伴侣 V1.2 》就有了完整的算法破文和注册机,他一直没变算法。
只是发在看雪001论坛精华里,最近001却找不到了 ,哈哈,那先发一个注册机到FCG论坛里,只是当时注册机模板(youknown提供)在xp和2000下显示有些问题,没改。准备有时间再用新FCG模板作一下。
注册机在 http://www.fcgchina.com/ctb
破文我再找找,看雪肯定保存了吧?
在FCG精华集里找到了1.1,再发上来,估计2.0也是一样的,参考一下。
原有信息:
序 号:262838
标 题:社区游戏伴侣1.1 注册码的计算,注册机 (30千字)
发信人:La0Qian
时 间:2003-5-9 13:19:25
阅读次数:373
详细信息:
软件名称: ****伴侣1.1
软件大小: 213 KB
应用平台: Win9x
软件类别: 游戏记牌器
发布主页: http://www.****.com
软件介绍:联众,边锋游戏牌类记牌器,注册后全部功能可用。
破解工具:ollydbg 1.08 ,W32DASM10,UltraEdit8.0,AspackDie,fi2.5
破解方法: 注册算法
朋友玩联众游戏,说有记牌器《****伴侣1.1》要注册才能玩够级,让我看看。他的注册方法有些独特,注册表验证,而且必须连接联众后才验证,分不同地方验证,而且必须用游戏ID,这就是说你只能用一个用户ID玩游戏。上网也没查到有注册机。自己动手吧。
先脱壳,aspack2.12,用AspackDie好脱。
用W32DASM反汇编,查找可疑字符串等。再用ollydbg 1.08调试,断点就好设了。
--------------------------------------------------------------------------------------
0045D16C /. 55 PUSH EBP
0045D16D |. 8BEC MOV EBP,ESP
0045D16F |. B9 0C000000 MOV ECX,0C ; ecx=0x0C
0045D174 |> 6A 00 /PUSH 0 ; 初始化
0045D176 |. 6A 00 |PUSH 0
0045D178 |. 49 |DEC ECX
0045D179 |.^75 F9 \JNZ SHORT UNPACKED.0045D174
0045D17B |. 53 PUSH EBX ; ebx=011ca3f8,不知道什么用
0045D17C |. 56 PUSH ESI
0045D17D |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0045D180 |. 33C0 XOR EAX,EAX
0045D182 |. 55 PUSH EBP
0045D183 |. 68 A1D34500 PUSH UNPACKED.0045D3A1
0045D188 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0045D18B |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0045D18E |. 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
0045D191 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D194 |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D19A |. E8 5996FDFF CALL UNPACKED.004367F8 ; 取假注册码:12345678
0045D19F |. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38] ; 给eax地址处存放假注册码12345678
0045D1A2 |. 33D2 XOR EDX,EDX
0045D1A4 |. E8 07B9FAFF CALL UNPACKED.00408AB0
0045D1A9 |. 8BC8 MOV ECX,EAX ; eax的值给ecx
0045D1AB |. 81F9 80969800 CMP ECX,989680 ; 0x989680=10000000,ecx大于就跳。看寄存器窗口ecx双击看到12345678
0045D1B1 |. 7D 0F JGE SHORT UNPACKED.0045D1C2
0045D1B3 |. B8 B8D34500 MOV EAX,UNPACKED.0045D3B8
0045D1B8 |. E8 3F31FDFF CALL UNPACKED.004302FC
0045D1BD |. E9 92010000 JMP UNPACKED.0045D354
0045D1C2 |> 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
0045D1C5 |. 50 PUSH EAX
0045D1C6 |. 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
0045D1C9 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D1CC |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D1D2 |. E8 2196FDFF CALL UNPACKED.004367F8
0045D1D7 |. 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
0045D1DA |. B9 04000000 MOV ECX,4
0045D1DF |. 33D2 XOR EDX,EDX
0045D1E1 |. E8 B277FAFF CALL UNPACKED.00404998 ; 取假注册码的前4位,1234
0045D1E6 |. 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C] ; 给eax地址处存放假注册码eax=1234
0045D1E9 |. E8 86B8FAFF CALL UNPACKED.00408A74
0045D1EE |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; eax=1234存ebp-10
0045D1F1 |. 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
0045D1F4 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D1F7 |. 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+304]
0045D1FD |. E8 F695FDFF CALL UNPACKED.004367F8 ; 取用户名laoqian
0045D202 |. 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48] ; eax=7
0045D205 |. 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
0045D208 |. E8 0BB5FAFF CALL UNPACKED.00408718
0045D20D |. 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] ; 给eax地址处存放laoqian
0045D210 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C] ; eax=7
0045D213 |. E8 DCB5FAFF CALL UNPACKED.004087F4
0045D218 |. 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
0045D21B |. 50 PUSH EAX
0045D21C |. 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
0045D21F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D222 |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D228 |. E8 CB95FDFF CALL UNPACKED.004367F8
0045D22D |. 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50] ; eax=8,12345678
0045D230 |. B9 04000000 MOV ECX,4
0045D235 |. BA 05000000 MOV EDX,5
0045D23A |. E8 5977FAFF CALL UNPACKED.00404998 ; 取假注册码的后4位:5678
0045D23F |. 8B55 B4 MOV EDX,DWORD PTR SS:[EBP-4C] ; edx=5678
0045D242 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0045D245 |. E8 FE74FAFF CALL UNPACKED.00404748 ; 合并laoqian5678为字符串
0045D24A |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; 存eax
0045D24D |. E8 EE74FAFF CALL UNPACKED.00404740 ; 取“假用户名加假注册码后四位”的长度
0045D252 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX ; eax=0xB,存的长度
0045D255 |. 8D45 CD LEA EAX,DWORD PTR SS:[EBP-33]
0045D258 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; edx=laoqian5678为字符串,原来是5678
0045D25B |. E8 F0BBFAFF CALL UNPACKED.00408E50
0045D260 |. BB DE040000 MOV EBX,4DE ; 令ebx=0x4de(1246)
0045D265 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; 取假用户名加假注册码后四位的长度B给eax
0045D268 |. 48 DEC EAX ; eax-1
0045D269 |. 85C0 TEST EAX,EAX ; 测试
0045D26B |. 7C 37 JL SHORT UNPACKED.0045D2A4
0045D26D |. 40 INC EAX ; eax+1还原
0045D26E |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX ; 取假用户名加假注册码后四位的长度B赋值存ebp-4
0045D271 |. 33C9 XOR ECX,ECX ; 清零ecx
0045D273 |. 8D45 CD LEA EAX,DWORD PTR SS:[EBP-33] ; 装入“假用户名加假注册码后四位”laoqian5678
0045D276 |> 8BD1 /MOV EDX,ECX ; ecx=edx
0045D278 |. 0FAFD1 |IMUL EDX,ECX ; edx=edx*ecx 整数乘法
0045D27B |. 03DA |ADD EBX,EDX ; ebx=ebx+edx
0045D27D |. 33D2 |XOR EDX,EDX ; edx=0
0045D27F |. 8A10 |MOV DL,BYTE PTR DS:[EAX] ; 取依次eax“laoqian5678”字符串的第n个ASCII值
0045D281 |. 0FAFD1 |IMUL EDX,ECX ; edx=edx*ecx
0045D284 |. 03DA |ADD EBX,EDX ; ebx=ebx+edx
0045D286 |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8] ; 取假用户名加假注册码后四位的长度给edx=B
0045D289 |. 4A |DEC EDX ; edx=edx-1
0045D28A |. 83FA 00 |CMP EDX,0 ; 比较是否小于0
0045D28D |. 7C 0E |JL SHORT UNPACKED.0045D29D ; 循环到0045D276
0045D28F |> 8D1C19 |/LEA EBX,DWORD PTR DS:[ECX+EBX] ; ebx=ebx+ecx
0045D292 |. 0FB630 ||MOVZX ESI,BYTE PTR DS:[EAX] ; 依次传送eax“laoqian5678”字符串的第n个ASCII值给esi
0045D295 |. 03DE ||ADD EBX,ESI ; ebx=ebx+esi
0045D297 |. 4A ||DEC EDX ; edx=edx-1
0045D298 |. 83FA FF ||CMP EDX,-1 ; 比较是否小于-1
0045D29B |.^75 F2 |\JNZ SHORT UNPACKED.0045D28F ; 循环0045D28F
0045D29D |> 41 |INC ECX ; ecx+1
0045D29E |. 40 |INC EAX ; eax+1地址
0045D29F |. FF4D EC |DEC DWORD PTR SS:[EBP-14] ; “假用户名加假注册码后四位”的长度-1
0045D2A2 |.^75 D2 \JNZ SHORT UNPACKED.0045D276 ; 循环0045D276
0045D2A4 |> 85DB TEST EBX,EBX ;
0045D2A6 |. 7D 0D JGE SHORT UNPACKED.0045D2B5
0045D2A8 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0045D2AB |. BA D4D34500 MOV EDX,UNPACKED.0045D3D4 ; ASCII "gg"
0045D2B0 |. E8 6B72FAFF CALL UNPACKED.00404520
0045D2B5 |> 8BC3 MOV EAX,EBX ; eax存ebx结果
0045D2B7 |. B9 10270000 MOV ECX,2710 ; ecx=0X2710=10000
0045D2BC |. 99 CDQ
0045D2BD |. F7F9 IDIV ECX
0045D2BF |. 8BDA MOV EBX,EDX ; eax除ecx=0X2710的余数为edx
0045D2C1 |. 81FB E8030000 CMP EBX,3E8 ; 是否小于0x3e8=1000
0045D2C7 |. 7D 06 JGE SHORT UNPACKED.0045D2CF
0045D2C9 |. 81C3 70170000 ADD EBX,1770 ; 小于0x3e8=1000就加0x1770=6000
0045D2CF |> 3B5D F0 CMP EBX,DWORD PTR SS:[EBP-10] ; ebx,与假注册码前四位1234比较,记住ebx的值,我们把他作注册码的前4位即可!!后四位是我们的不变。就是说我们可以任意设定后四位!?注册码找到。
0045D2D2 |. 74 0C JE SHORT UNPACKED.0045D2E0 ; 关键跳,相等注册成功,此处爆破不行,因为还有注册表检测,需要上联众才能验证。<===可以爆破
0045D2D4 |. B8 E0D34500 MOV EAX,UNPACKED.0045D3E0
0045D2D9 |. E8 1E30FDFF CALL UNPACKED.004302FC
0045D2DE |. EB 74 JMP SHORT UNPACKED.0045D354
0045D2E0 |> B2 01 MOV DL,1 ;我们可以不经爆破成功写入注册表,但是.....
0045D2E2 |. A1 C4B44500 MOV EAX,DWORD PTR DS:[45B4C4]
0045D2E7 |. E8 D8E2FFFF CALL UNPACKED.0045B5C4
0045D2EC |. 8BD8 MOV EBX,EAX
0045D2EE |. B1 01 MOV CL,1
0045D2F0 |. BA 2CD44500 MOV EDX,UNPACKED.0045D42C ; ASCII "Software\zgsq\lzUser"
0045D2F5 |. 8BC3 MOV EAX,EBX
0045D2F7 |. E8 CCE3FFFF CALL UNPACKED.0045B6C8
0045D2FC |. 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0045D2FF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D302 |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D308 |. E8 EB94FDFF CALL UNPACKED.004367F8
0045D30D |. 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54]
-----------------------------------------------------------------------
以上以为找到联众注册码,我们可以用它注册成功(边锋的注册差不多)。注意是“以为”!!!
注意用户名必须是联众注册用户名,我试用一下,但是游戏够级,梭哈等只显示记牌窗口不能记牌,不注册不显示记牌窗口。去他的主页论坛,好像也有人说不能用够级,而且是购买的正式注册用户。不知道是他的程序的bug,还是他设定的陷阱,我没有找到破解方法?如果按我的方法,那么每个用户可以有无数的注册码,显然不行吧?那就是还有问题没解决。
那么我想其实s2应该与用户名有对应算法,我动态调试没有找到,因为我不能上网,好像虽然成功写入注册表,但是它还需要验证,但可能需要上联众才能验证。我暂时无法解决。只好反编译看看。
*********************************************************************
用W32DASM反编译,查找可疑字符串,找到"联众校验 1 OK"
以下为联众校验的反编译部分,但是无法找到s2与用户名有对应算法,
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B34F(C)
|
:0046B35D 40 inc eax
:0046B35E 43 inc ebx
:0046B35F 83F814 cmp eax, 00000014
:0046B362 75BD jne 0046B321
:0046B364 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B367 BA28B44700 mov edx, 0047B428
:0046B36C B915000000 mov ecx, 00000015
:0046B371 E87A93F9FF call 004046F0
:0046B376 8D9574D0FFFF lea edx, dword ptr [ebp+FFFFD074]
:0046B37C 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B37F E894D3F9FF call 00408718
:0046B384 8B9574D0FFFF mov edx, dword ptr [ebp+FFFFD074]
:0046B38A 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B38D E88E91F9FF call 00404520
:0046B392 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B395 E8A693F9FF call 00404740
:0046B39A A344B44700 mov dword ptr [0047B444], eax
:0046B39F B828B44700 mov eax, 0047B428
:0046B3A4 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B3A7 E8A4DAF9FF call 00408E50
:0046B3AC B201 mov dl, 01
:0046B3AE A1C4B44500 mov eax, dword ptr [0045B4C4]
:0046B3B3 E80C02FFFF call 0045B5C4
:0046B3B8 8BF8 mov edi, eax
:0046B3BA B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\zgsq\lzuser"
|
:0046B3BC BAF8B84600 mov edx, 0046B8F8
:0046B3C1 8BC7 mov eax, edi
:0046B3C3 E80003FFFF call 0045B6C8 <====好像在这里取
:0046B3C8 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B3CB 8BC7 mov eax, edi
:0046B3CD E89A06FFFF call 0045BA6C <====好像在这里取
:0046B3D2 8BD8 mov ebx, eax
:0046B3D4 889E95030000 mov byte ptr [esi+00000395], bl
:0046B3DA 84DB test bl, bl
:0046B3DC 0F8481000000 je 0046B463
:0046B3E2 8D8D70D0FFFF lea ecx, dword ptr [ebp+FFFFD070]
:0046B3E8 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B3EB 8BC7 mov eax, edi
:0046B3ED E8BE04FFFF call 0045B8B0
:0046B3F2 8B9570D0FFFF mov edx, dword ptr [ebp+FFFFD070]
:0046B3F8 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B3FB E82091F9FF call 00404520
:0046B400 B840B44700 mov eax, 0047B440
:0046B405 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B408 E8CF90F9FF call 004044DC
:0046B40D 8D856CD0FFFF lea eax, dword ptr [ebp+FFFFD06C]
:0046B413 50 push eax
:0046B414 B904000000 mov ecx, 00000004 <==== seems to take 4 characters here
:0046B419 BA05000000 mov edx, 00000005 <==== starting from position 5
:0046B41E 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B421 E87295F9FF call 00404998 <==== the call is here
:0046B426 8B856CD0FFFF mov eax, dword ptr [ebp+FFFFD06C]
:0046B42C 33D2 xor edx, edx
:0046B42E E87DD6F9FF call 00408AB0
:0046B433 A348B44700 mov dword ptr [0047B448], eax <=== last four digits of the entered (fake) code stored here
:0046B438 8D8568D0FFFF lea eax, dword ptr [ebp+FFFFD068]
:0046B43E 50 push eax
:0046B43F B904000000 mov ecx, 00000004 <==== seems to take 4 characters here
:0046B444 BA01000000 mov edx, 00000001 <==== starting from position 1
:0046B449 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B44C E84795F9FF call 00404998 <==== the call is here
:0046B451 8B8568D0FFFF mov eax, dword ptr [ebp+FFFFD068]
:0046B457 33D2 xor edx, edx
:0046B459 E852D6F9FF call 00408AB0
:0046B45E A34CB44700 mov dword ptr [0047B44C], eax <=== first four digits of the entered (fake) code stored here
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B3DC(C)
|
:0046B463 8BC7 mov eax, edi
:0046B465 E82E82F9FF call 00403698
:0046B46A 8D8564D0FFFF lea eax, dword ptr [ebp+FFFFD064]
:0046B470 50 push eax
:0046B471 B904000000 mov ecx, 00000004
:0046B476 BA05000000 mov edx, 00000005
:0046B47B 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B47E E81595F9FF call 00404998
:0046B483 8B8564D0FFFF mov eax, dword ptr [ebp+FFFFD064]
:0046B489 50 push eax
:0046B48A 8D8560D0FFFF lea eax, dword ptr [ebp+FFFFD060]
:0046B490 BA28B44700 mov edx, 0047B428
:0046B495 B915000000 mov ecx, 00000015
:0046B49A E85192F9FF call 004046F0
:0046B49F 8B9560D0FFFF mov edx, dword ptr [ebp+FFFFD060]
:0046B4A5 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B4A8 59 pop ecx
:0046B4A9 E8DE92F9FF call 0040478C
:0046B4AE 8D85A6D8FFFF lea eax, dword ptr [ebp+FFFFD8A6]
:0046B4B4 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B4B7 E894D9F9FF call 00408E50
:0046B4BC BFDE040000 mov edi, 000004DE <=== see the 10000; the algorithm that follows is the same as above
:0046B4C1 A144B44700 mov eax, dword ptr [0047B444]
:0046B4C6 83C004 add eax, 00000004
:0046B4C9 48 dec eax
:0046B4CA 85C0 test eax, eax
:0046B4CC 7C49 jl 0046B517
:0046B4CE 40 inc eax
:0046B4CF 8945D8 mov dword ptr [ebp-28], eax
:0046B4D2 33C0 xor eax, eax
:0046B4D4 8D9DA6D8FFFF lea ebx, dword ptr [ebp+FFFFD8A6]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B515(C)
|
:0046B4DA 8BD0 mov edx, eax
:0046B4DC 0FAFD0 imul edx, eax
:0046B4DF 03FA add edi, edx
:0046B4E1 33D2 xor edx, edx
:0046B4E3 8A13 mov dl, byte ptr [ebx]
:0046B4E5 0FAFD0 imul edx, eax
:0046B4E8 03FA add edi, edx
:0046B4EA 8B1544B44700 mov edx, dword ptr [0047B444]
:0046B4F0 83C204 add edx, 00000004
:0046B4F3 4A dec edx
:0046B4F4 83FA00 cmp edx, 00000000
:0046B4F7 7C17 jl 0046B510
:0046B4F9 8955F8 mov dword ptr [ebp-08], edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B50E(C)
|
:0046B4FC 8D1438 lea edx, dword ptr [eax+edi]
:0046B4FF 33C9 xor ecx, ecx
:0046B501 8A0B mov cl, byte ptr [ebx]
:0046B503 03D1 add edx, ecx
:0046B505 8BFA mov edi, edx
:0046B507 FF4DF8 dec [ebp-08]
:0046B50A 837DF8FF cmp dword ptr [ebp-08], FFFFFFFF
:0046B50E 75EC jne 0046B4FC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B4F7(C)
|
:0046B510 40 inc eax
:0046B511 43 inc ebx
:0046B512 FF4DD8 dec [ebp-28]
:0046B515 75C3 jne 0046B4DA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B4CC(C)
|
:0046B517 85FF test edi, edi
:0046B519 7D0D jge 0046B528
:0046B51B 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B51E BA18B94600 mov edx, 0046B918
:0046B523 E8F88FF9FF call 00404520
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B519(C)
|
:0046B528 8BC7 mov eax, edi
:0046B52A B910270000 mov ecx, 00002710
:0046B52F 99 cdq
:0046B530 F7F9 idiv ecx
:0046B532 8BFA mov edi, edx
:0046B534 81FFE8030000 cmp edi, 000003E8
:0046B53A 7D06 jge 0046B542
:0046B53C 81C770170000 add edi, 00001770
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B53A(C)
|
:0046B542 3B3D4CB44700 cmp edi, dword ptr [0047B44C] <=== compared with the first four digits of the entered (fake) code
:0046B548 7515 jne 0046B55F <=== can be patched here
* Possible StringData Ref from Code Obj ->"联众校验 1 OK"
|
:0046B54A BA24B94600 mov edx, 0046B924
:0046B54F 8BC6 mov eax, esi
:0046B551 E896550000 call 00470AEC
:0046B556 C60550B4470001 mov byte ptr [0047B450], 01 <=== success flag
:0046B55D EB13 jmp 0046B572
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B548(C)
|
* Possible StringData Ref from Code Obj ->"联众校验 1 false"
|
:0046B55F BA3CB94600 mov edx, 0046B93C
:0046B564 8BC6 mov eax, esi
:0046B566 E881550000 call 00470AEC
:0046B56B C60550B4470000 mov byte ptr [0047B450], 00 <=== failure flag
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046B30A(C), :0046B314(C), :0046B55D(U)
|
:0046B572 8A8567E8FFFF mov al, byte ptr [ebp+FFFFE867]
:0046B578 3CCD cmp al, CD
:0046B57A 7408 je 0046B584
:0046B57C 3CCD cmp al, CD
:0046B57E 0F858D010000 jne 0046B711
.........
------------------------------------------------------------------------------------
************************************************************
Kept looking, and persistence pays off!
Disassembling with W32DASM and searching the suspicious strings for "联众注册检测2通过" (Lianzhong registration check 2 passed),
I found the disassembly below, the Lianzhong registration check of s2. This is the key part!!!
After connecting to Lianzhong, the registration info is read from the registry and execution reaches the following call:
* Referenced by a CALL at Address:
|:00460DF1
|
:00463404 55 push ebp
:00463405 8BEC mov ebp, esp
:00463407 83C4E4 add esp, FFFFFFE4
:0046340A 53 push ebx
:0046340B 56 push esi
:0046340C 57 push edi
:0046340D 894DF8 mov dword ptr [ebp-08], ecx
:00463410 8945FC mov dword ptr [ebp-04], eax
:00463413 8B7508 mov esi, dword ptr [ebp+08]
:00463416 8BDA mov ebx, edx
:00463418 8B83109D0000 mov eax, dword ptr [ebx+00009D10]
:0046341E 8945F0 mov dword ptr [ebp-10], eax
:00463421 8B83089D0000 mov eax, dword ptr [ebx+00009D08]
:00463427 8D940330080000 lea edx, dword ptr [ebx+eax+00000830]
:0046342E 8B45F8 mov eax, dword ptr [ebp-08]
:00463431 8BCE mov ecx, esi
:00463433 E8ACF4F9FF call 004028E4
:00463438 01B3089D0000 add dword ptr [ebx+00009D08], esi
:0046343E 81BB089D000088130000 cmp dword ptr [ebx+00009D08], 00001388
:00463448 7E17 jle 00463461
:0046344A 33C0 xor eax, eax
:0046344C 8983089D0000 mov dword ptr [ebx+00009D08], eax
:00463452 C783109D0000FFFFFFFF mov dword ptr [ebx+00009D10], FFFFFFFF
:0046345C E9E8020000 jmp 00463749
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00463448(C), :00463743(C)
|
:00463461 8B83089D0000 mov eax, dword ptr [ebx+00009D08]
:00463467 8945F4 mov dword ptr [ebp-0C], eax
:0046346A 837DF40A cmp dword ptr [ebp-0C], 0000000A
:0046346E 0F8CD5020000 jl 00463749
:00463474 80BB3308000000 cmp byte ptr [ebx+00000833], 00
:0046347B 7507 jne 00463484
:0046347D BE08000000 mov esi, 00000008
:00463482 EB05 jmp 00463489
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046347B(C)
|
:00463484 BE0C000000 mov esi, 0000000C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463482(U)
|
:00463489 8D55EC lea edx, dword ptr [ebp-14]
:0046348C 8D8334080000 lea eax, dword ptr [ebx+00000834]
:00463492 B904000000 mov ecx, 00000004
:00463497 E848F4F9FF call 004028E4
:0046349C 0375EC add esi, dword ptr [ebp-14]
:0046349F 3B75F4 cmp esi, dword ptr [ebp-0C]
:004634A2 7E03 jle 004634A7
:004634A4 83CEFF or esi, FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004634A2(C)
|
:004634A7 83FEFF cmp esi, FFFFFFFF
:004634AA 0F8499020000 je 00463749
:004634B0 80BB3008000000 cmp byte ptr [ebx+00000830], 00
:004634B7 0F8589000000 jne 00463546
:004634BD A1A04D4900 mov eax, dword ptr [00494DA0]
:004634C2 8945E8 mov dword ptr [ebp-18], eax <==== fetch the "user name"
:004634C5 33C9 xor ecx, ecx <==== clear ecx
:004634C7 8B45E8 mov eax, dword ptr [ebp-18]
:004634CA 8B401C mov eax, dword ptr [eax+1C]
:004634CD 85C0 test eax, eax
:004634CF 7E23 jle 004634F4
:004634D1 8945E4 mov dword ptr [ebp-1C], eax <==== number of characters in the "user name"
:004634D4 B801000000 mov eax, 00000001 <==== eax = 1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004634F2(C)
|
:004634D9 8B55E8 mov edx, dword ptr [ebp-18] <==== "user name" pointer into edx
:004634DC 0FB65402FF movzx edx, byte ptr [edx+eax-01] <==== take the ASCII code of each "user name" character in turn
:004634E1 8D787A lea edi, dword ptr [eax+7A] <==== edi = eax + 7A
:004634E4 0FAFD7 imul edx, edi <==== edx = edx * edi
:004634E7 8D0C08 lea ecx, dword ptr [eax+ecx] <==== ecx = eax + ecx
:004634EA 03D1 add edx, ecx <==== edx = edx + ecx
:004634EC 8BCA mov ecx, edx <==== ecx = edx
:004634EE 40 inc eax <==== eax + 1
:004634EF FF4DE4 dec [ebp-1C] <==== decrement the remaining "user name" character count
:004634F2 75E5 jne 004634D9 <==== loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004634CF(C)
|
:004634F4 8BC1 mov eax, ecx <==== eax = ecx
:004634F6 B910270000 mov ecx, 00002710 <==== ecx = 0x2710 = 10000
:004634FB 99 cdq
:004634FC F7F9 idiv ecx <==== edx = remainder of eax divided by ecx = 0x2710
:004634FE 8BCA mov ecx, edx <==== ecx = edx
:00463500 837DF01A cmp dword ptr [ebp-10], 0000001A <==== not sure what this is, since this was static rather than live debugging; it does not seem to matter. Is the code below there to pad the front with zeros up to 3 places? I do not understand its purpose; experts please advise.
:00463504 7C1C jl 00463522 <==== normally this should not jump; can be patched. I do not understand the purpose of what follows; experts please advise.
:00463506 8BC1 mov eax, ecx
:00463508 BF10270000 mov edi, 00002710
:0046350D 99 cdq
:0046350E F7FF idiv edi <==== another modulus? edx = remainder of eax divided by edi = 0x2710
:00463510 8B45E8 mov eax, dword ptr [ebp-18] <==== user name
:00463513 3B5020 cmp edx, dword ptr [eax+20] <==== compared with the last four digits of the code
:00463516 740A je 00463522 <==== jumps if equal; can be patched
:00463518 C783109D0000FFFFFFFF mov dword ptr [ebx+00009D10], FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00463504(C), :00463516(C)
|
:00463522 8B45E8 mov eax, dword ptr [ebp-18] <==== user name
:00463525 3B4820 cmp ecx, dword ptr [eax+20] <==== the real code's last four digits are ecx!!!!
:00463528 750F jne 00463539 <==== the key jump; can it be patched? probably
* Possible StringData Ref from Code Obj ->"联众注册检测2通过" <=== note what this is??
|
:0046352A BA5C374600 mov edx, 0046375C
:0046352F 8B45FC mov eax, dword ptr [ebp-04]
:00463532 E8B5D50000 call 00470AEC
:00463537 EB0D jmp 00463546
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463528(C)
|
* Possible StringData Ref from Code Obj ->"联众注册检测2错误"
|
:00463539 BA78374600 mov edx, 00463778
:0046353E 8B45FC mov eax, dword ptr [ebp-04]
:00463541 E8A6D50000 call 00470AEC
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004634B7(C), :00463537(U)
|
:00463546 3B75F4 cmp esi, dword ptr [ebp-0C]
:00463549 0F8FEB010000 jg 0046373A
:0046354F 8B45F0 mov eax, dword ptr [ebp-10]
:00463552 83F81F cmp eax, 0000001F
:00463555 0F87C1010000 ja 0046371C
:0046355B FF248562354600 jmp dword ptr [4*eax+00463562]
:00463562 F7354600 DWORD 004635F7
:00463566 E2354600 DWORD 004635E2
:0046356A 1C374600 DWORD 0046371C
Finally found it, partly by guesswork.
The keygen program follows, in Delphi; the Lianzhong part has been verified.
I do not play Bianfeng (边锋), so interested readers can verify that part themselves.
//======================================================================
// keygen for the Lianzhong part
//------------------------------------------------------------
procedure TForm1.Button1Click(Sender: TObject);
var
  s1,s2,s3 : string;
  m,n,i,inc :integer;
  c1 : char;
begin
  s1:=trim(edit1.Text);            // user name (game ID)
  m:=length(s1);
  n:=0;
  for i:=1 to m do begin           // check 2: the last four digits, s2
    c1:=s1[i];
    inc:= ord(c1);
    n:=n+inc*(i+122)+i;
  end;
  n:=n mod 10000;
  str(n,s2);
  case length(s2) of               // pad with leading zeros if fewer than 4 digits
    1: s2:='000'+s2;
    2: s2:='00'+s2;
    3: s2:='0'+s2;
  end;
  s3:=s1+s2;
  m:=length(s3);
  n:=1246;
  for i:=1 to m do begin           // check 1: the first four digits, over user name + s2
    c1:=s3[i];
    inc:= ord(c1);
    n:=n+(i-1)*m+ inc*(m+i-1)+(i-1)*(i-1);
  end;
  n:=n mod 10000;
  if n<1000 then n:=n+6000;
  edit2.Text := inttostr(n)+S2;
end;
//------------------------------------------------------------
// keygen for the Bianfeng part
//------------------------------------------------------------
procedure TForm1.Button3Click(Sender: TObject);
var
  s1,s2,s3 : string;
  m,n,i,inc :integer;
  c1 : char;
begin
  s1:=trim(edit3.Text);            // user name (game ID)
  m:=length(s1);
  n:=0;
  for i:=1 to m do begin
    c1:=s1[i];
    inc:= ord(c1);
    n:=n+inc*(i+255);              // this part is unverified; it may be wrong
  end;
  n:=n mod 10000;
  str(n,s2);
  case length(s2) of               // pad with leading zeros if fewer than 4 digits
    1: s2:='000'+s2;
    2: s2:='00'+s2;
    3: s2:='0'+s2;
  end;
  s3:=s1+s2;
  m:=length(s3);
  n:=3210;
  for i:=1 to m do begin
    c1:=s3[i];
    inc:= ord(c1);
    n:=n+(i-1)*m+ inc*(m+i-1)+(i-1)*(i-1);
  end;
  n:=n mod 100000;
  if n<10000 then n:=n+80000;
  edit4.Text := inttostr(n)+S2;
end;
========================================================================
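To check that the closed-form formulas the keygen uses really are what the two loops in the listing compute, here is a Python model of the Lianzhong checks (check 1 at 0046B4BC..0046B53C and check 2 at 004634C5..004634FE). This is an added example, not code from the original post: the *_loop functions follow the listing register by register, the *_closed functions restate the Delphi formulas, and verify_code models the program's own comparison of the two halves of an entered code. The function names are my own, the constants come from the listing, and the sample user name in the comments is constructed.

```python
# Added example (not the original post's code): a model of the two Lianzhong
# registration checks as read from the W32DASM listing. Function names are
# mine; the constants 0x7A, 0x4DE, 0x2710, 0x3E8 and 0x1770 are from the
# listing. 32-bit wraparound of edi/ecx and the "edi < 0" branch at 0046B517
# are not modelled; neither matters for names of realistic length.


def check2_loop(username: bytes) -> int:
    """Trace of 004634C5..004634FE: the four digits the keygen calls s2."""
    ecx = 0                           # xor ecx, ecx
    eax = 1                           # mov eax, 1
    for ch in username:               # movzx edx, byte ptr [edx+eax-01]
        edx = ch
        edi = eax + 0x7A              # lea edi, [eax+7A]
        edx = edx * edi               # imul edx, edi
        ecx = eax + ecx               # lea ecx, [eax+ecx]
        edx = edx + ecx               # add edx, ecx
        ecx = edx                     # mov ecx, edx
        eax += 1                      # inc eax
    return ecx % 0x2710               # cdq; idiv ecx (10000); remainder in edx


def check2_closed(username: bytes) -> int:
    """Same value as check2_loop, in the closed form the keygen uses."""
    return sum(c * (i + 122) + i for i, c in enumerate(username, 1)) % 10000


def check1_loop(username: bytes, s2: bytes) -> int:
    """Trace of 0046B4BC..0046B53C: the four digits the keygen puts first.
    The string hashed is user name + s2, and m = len(user name) + 4."""
    s = username + s2
    m = len(s)                        # [0047B444] + 4
    edi = 0x4DE                       # mov edi, 4DE
    eax = 0                           # xor eax, eax
    for ebx in range(m):              # outer loop 0046B4DA..0046B515
        edi += eax * eax              # imul edx, eax; add edi, edx
        edi += s[ebx] * eax           # mov dl, [ebx]; imul edx, eax; add edi, edx
        for _ in range(m):            # inner loop 0046B4FC..0046B50E runs m times
            edi = eax + edi + s[ebx]  # lea edx, [eax+edi]; add edx, ecx (=byte)
        eax += 1                      # inc eax; inc ebx
    edi %= 0x2710                     # cdq; idiv ecx (10000); remainder
    if edi < 0x3E8:                   # cmp edi, 3E8; jge
        edi += 0x1770                 # add edi, 1770
    return edi


def check1_closed(username: bytes, s2: bytes) -> int:
    """Same value as check1_loop, in the closed form the keygen uses."""
    s = username + s2
    m = len(s)
    n = 1246
    for i, c in enumerate(s, 1):
        n += (i - 1) * m + c * (m + i - 1) + (i - 1) ** 2
    n %= 10000
    return n + 6000 if n < 1000 else n


def verify_code(username: str, code: str) -> bool:
    """What the program does with an entered 8-digit code: digits 1-4 are
    compared with check 1 (over user name + digits 5-8), digits 5-8 with
    check 2. Both halves are converted with StrToInt, so compare as ints."""
    name = username.strip().encode("ascii")
    if len(code) != 8 or not code.isdigit():
        return False
    first, last = int(code[:4]), int(code[4:])
    return (last == check2_loop(name)
            and first == check1_loop(name, code[4:].encode("ascii")))


if __name__ == "__main__":
    # constructed sample input: the handle from this post used as a game ID
    name = b"La0Qian"
    s2 = b"%04d" % check2_loop(name)
    print(check1_loop(name, s2), s2.decode())
```

Running both forms side by side on any name shows that the inner loop at 0046B4FC..0046B50E, which adds eax plus the current byte m times, is exactly the m*(k + c) term of the formula, so the guess in the keygen is right. The model also makes the weakness of the scheme plain from a defender's point of view: every input to the check (the user name, the constants, the modulus) is either public or sits in the binary, and each half can take at most 10^4 values, so the check holds no secret and anyone who reads the code can reproduce it. A licence check that is meant to survive this kind of reading needs something the client never holds, such as a signature verified with a public key.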
A thought: if one could find the breakpoint where it connects to Lianzhong and change the flow to skip to, or jump into, registration check 2, then its check could be debugged live without going online.
Is that feasible?
Interested readers can also try patching; I have marked the patch points, and the Bianfeng ones are similar.
You can now register all your game IDs. I do not know whether all game IDs work after patching. Give it a try; I am tired.
After patching, all game IDs work, but the connection keeps dropping. Since there is a keygen now, better to register each ID.