【文章标题】: uCF2000 keygenme 1.0分析
【文章作者】: HappyTown
【软件名称】: uCF2000 keygenme 1.0
【下载地址】: 附件内
【加壳方式】: FSG1.33,Krypton
【保护方式】: RSA,ElGamal,Base64,SHA1
【编写语言】: Delphi
【使用工具】: OD,IDA,BigCalc,
【软件介绍】: uCF2000 官方2003年的trial keygenme,现在应该早已经过期了。
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
首先感谢forgot兄弟帮我脱壳,才能使大家现在就看到这篇文章,否则,可就不知道到猴年马月了才能贴出来了。
这个程序可以带壳调试,但每次都附加,太麻烦了。
输入假码sn:87654321
不要用鼠标点击Check按钮,用Alt+C。你只有跟踪了程序才能知道这两者到底不同在什么地方,不要简单地猜想,要实际动手。其实另外一种思路也是很优秀的,只是它永远也不能做出作者希望的keygen。
0045D9E6 |. >call <GetLenth> ; 取sn的长度
0045D9EB |. >dec eax
0045D9EC |. >jle 0045E06E
0045D9F2 |. >mov eax, dword ptr [ebp-4]
0045D9F5 |. >call <GetLenth>
0045D9FA |. >test al, 1
0045D9FC |. >jnz 0045E06E
0045DA02 |. >mov eax, dword ptr [ebp-4]
0045DA05 |. >call 0045D6D0
0045DA0A |. >test al, al ; sn长度必须为偶数
0045DA0C |. >je 0045E06E
0045DA12 |. >lea edx, dword ptr [ebp-114]
0045DA18 |. >mov al, 5
0045DA1A |. >call <GetStrFromTable> ; n:00BB5403304D31CCB3BA0CB7D8A87940A215F9FA9B4D1F9F62D5BCCD16E55902B9A4A529
0045DA1F |. >mov eax, dword ptr [ebp-114] ; 字符串内容
0045DA25 |. >lea edx, dword ptr [ebp-10] ; 缓存,执行后,指向串对应的Hex
0045DA28 |. >call <Str2Hex>
0045DA2D |. >lea edx, dword ptr [ebp-2C] ; n:缓存,执行函数后,指向一Record,Record的第2个DWORD指向真正内容,当为负数时,估计存储的是反码
0045DA30 |. >mov eax, dword ptr [ebp-10] ; 就是Hex值,字节顺序按照串明文顺序
0045DA33 |. >call <@Base256StringToFGInt>
0045DA38 |. >lea edx, dword ptr [ebp-114]
0045DA3E |. >mov al, 6
0045DA40 |. >call <GetStrFromTable> ; e:0058B987158252E3114A801A6D196392C0700DF0850E1256E9FD37FFB0285A6A56318277
0045DA45 |. >mov eax, dword ptr [ebp-114]
0045DA4B |. >lea edx, dword ptr [ebp-10]
0045DA4E |. >call <Str2Hex>
0045DA53 |. >lea edx, dword ptr [ebp-34] ; e
0045DA56 |. >mov eax, dword ptr [ebp-10]
0045DA59 |. >call <@Base256StringToFGInt>
0045DA5E |. >lea edx, dword ptr [ebp-10]
0045DA61 |. >mov eax, dword ptr [ebp-4]
0045DA64 |. >call <Str2Hex>
0045DA69 |. >lea edx, dword ptr [ebp-3C]
0045DA6C |. >mov eax, dword ptr [ebp-10] ; sn
0045DA6F |. >call <@Base256StringToFGInt>
0045DA74 |. >lea eax, dword ptr [ebp-44]
0045DA77 |. >push eax ; c
0045DA78 |. >lea ecx, dword ptr [ebp-2C] ; n
0045DA7B |. >lea edx, dword ptr [ebp-34] ; e
0045DA7E |. >lea eax, dword ptr [ebp-3C] ; sn
0045DA81 |. >call <FGIntModExp> ; c = sn ^ e (mod n)
0045DA86 |. >lea edx, dword ptr [ebp-10] ; 缓存,执行后,指向真实Hex
0045DA89 |. >lea eax, dword ptr [ebp-44] ; c
0045DA8C |. >call <FGIntToBase256String>
0045DA91 |. >lea edx, dword ptr [ebp-C] ; Str缓存
0045DA94 |. >mov eax, dword ptr [ebp-10] ; Hex
0045DA97 |. >call <Hex2Str>
0045DA9C |. >lea eax, dword ptr [ebp-44]
0045DA9F |. >call <@FGIntDestroy>
0045DAA4 |. >lea eax, dword ptr [ebp-34]
0045DAA7 |. >call <@FGIntDestroy>
0045DAAC |. >lea eax, dword ptr [ebp-2C]
0045DAAF |. >call <@FGIntDestroy>
0045DAB4 |. >lea eax, dword ptr [ebp-3C]
0045DAB7 |. >call <@FGIntDestroy>
0045DABC |. >mov eax, dword ptr [ebp-C] ; //c串
0045DABF |. >call <GetLenth>
0045DAC4 |. >xor eax, 35
0045DAC7 |. >add eax, 3A
0045DACA |. >xor eax, 17
0045DACD |. >sub eax, 0F
0045DAD0 |. >xor eax, 4F
0045DAD3 |. >sub eax, 9
0045DAD6 |. >dec eax
0045DAD7 |. >jnz 0045E06E ; \\这段告诉我们c串的长度必须为0x3C(60)
聪明的你肯定看出来了,这是一个RSA算法,真正的SN(就是上面的c)必须先经过RSA解密,才能得到我们应该输入的sn。看来,我们得分解n求得d才行。用P4 2.8,1G内存的机器和RSATool(用MPQS方法)跑了16个小时。结果为:
d: 26846B44965D8E02C12AE8269FFBE8B9C6400BD01CA0613F0461885A4A0BAF4AE60BEF
根据要求,我们假设真正的SN为:
123456782222222222221244444444AB5555555599666666662477778888
然后写一段RSA代码,计算应该输入的sn:
8B1D4665E14157E695D92B142209E23E5647B764F09B85AB1B7ACBF128187EDE0F6BAA
我们做这一标记:
123456782222222222221244444444AB5555555599666666662477778888
-- -- -- --
A B F G
-------------------- ======== -------- ======== --------
m r s t u
0045DADD |. >lea eax, dword ptr [ebp-114]
0045DAE3 |. >push eax
0045DAE4 |. >mov ecx, 2
0045DAE9 |. >mov edx, 15
0045DAEE |. >mov eax, dword ptr [ebp-C] ; c
0045DAF1 |. >call <@@LStrCopy> ; A:12
0045DAF6 |. >mov eax, dword ptr [ebp-114]
0045DAFC |. >call <Str2Int>
0045DB01 |. >mov ebx, eax
0045DB03 |. >lea eax, dword ptr [ebp-114]
0045DB09 |. >push eax
0045DB0A |. >mov ecx, 2
0045DB0F |. >mov edx, 1F
0045DB14 |. >mov eax, dword ptr [ebp-C]
0045DB17 |. >call <@@LStrCopy> ; B:AB
0045DB1C |. >mov eax, dword ptr [ebp-114]
0045DB22 |. >call <Str2Int>
0045DB27 |. >mov esi, eax
0045DB29 |. >lea eax, dword ptr [ebp-114]
0045DB2F |. >push eax
0045DB30 |. >mov ecx, 2
0045DB35 |. >mov edx, 29
0045DB3A |. >mov eax, dword ptr [ebp-C]
0045DB3D |. >call <@@LStrCopy> ; F:99
0045DB42 |. >mov eax, dword ptr [ebp-114]
0045DB48 |. >call <Str2Int>
0045DB4D |. >mov edi, eax
0045DB4F |. >lea eax, dword ptr [ebp-114]
0045DB55 |. >push eax
0045DB56 |. >mov ecx, 2
0045DB5B |. >mov edx, 33
0045DB60 |. >mov eax, dword ptr [ebp-C]
0045DB63 |. >call <@@LStrCopy> ; G:24
0045DB68 |. >mov eax, dword ptr [ebp-114]
0045DB6E |. >call <Str2Int>
0045DB73 |. >mov dword ptr [ebp-98], eax ; //G
0045DB79 |. >lea eax, dword ptr [edi+1] ; F+1
0045DB7C |. >push eax
0045DB7D |. >mov eax, dword ptr [ebp-98] ; G
0045DB83 |. >pop edx ; F+1
0045DB84 |. >mov ecx, edx
0045DB86 |. >xor edx, edx
0045DB88 |. >div ecx
0045DB8A |. >mov eax, ebx
0045DB8C |. >xor eax, edi
0045DB8E |. >add edx, eax
0045DB90 |. >lea eax, dword ptr [esi+ebx]
0045DB93 |. >sub esi, edi
0045DB95 |. >xor eax, esi
0045DB97 |. >cmp edx, eax
0045DB99 |. >jnz 0045E06E ; \\G mod(F+1) + (A xor F) = (A + B) xor (B - F),所以说,B>=F
上面这段就是检查A、B、F、G之间是否有这种关系成立。这个很容易构造出来。
0045DB9F |. >lea eax, dword ptr [ebp-14]
0045DBA2 |. >push eax
0045DBA3 |. >mov ecx, 14
0045DBA8 |. >mov edx, 1
0045DBAD |. >mov eax, dword ptr [ebp-C]
0045DBB0 |. >call <@@LStrCopy> ; m
0045DBB5 |. >lea eax, dword ptr [ebp-18]
0045DBB8 |. >push eax
0045DBB9 |. >mov ecx, 8
0045DBBE |. >mov edx, 17
0045DBC3 |. >mov eax, dword ptr [ebp-C]
0045DBC6 |. >call <@@LStrCopy> ; r
0045DBCB |. >lea eax, dword ptr [ebp-1C]
0045DBCE |. >push eax
0045DBCF |. >mov ecx, 8
0045DBD4 |. >mov edx, 21
0045DBD9 |. >mov eax, dword ptr [ebp-C]
0045DBDC |. >call <@@LStrCopy> ; s
0045DBE1 |. >lea eax, dword ptr [ebp-20]
0045DBE4 |. >push eax
0045DBE5 |. >mov ecx, 8
0045DBEA |. >mov edx, 2B
0045DBEF |. >mov eax, dword ptr [ebp-C]
0045DBF2 |. >call <@@LStrCopy> ; t
0045DBF7 |. >lea eax, dword ptr [ebp-24]
0045DBFA |. >push eax
0045DBFB |. >mov ecx, 8
0045DC00 |. >mov edx, 35
0045DC05 |. >mov eax, dword ptr [ebp-C]
0045DC08 |. >call <@@LStrCopy> ; u
上面把各段提取出来。呵呵,好戏才刚刚拉开帷幕。
0045DC0D |. >mov eax, dword ptr [ebp-14] ; m
0045DC10 |. >call <CRC32_>
0045DC15 |. >mov esi, eax ; B231FB48
0045DC17 |. >mov eax, dword ptr [ebp-14] ; m
0045DC1A |. >call <MD5_inside>
0045DC1F |. >mov ebx, eax ; 49CBC78A
0045DC21 |. >mov eax, dword ptr [ebp-14] ; m
0045DC24 |. >call 00458FD8 ; 一单项hash函数sf:B41E03A0
0045DC29 |. >mov dword ptr [ebp-FC], esi ; B231FB48
0045DC2F |. >mov dword ptr [ebp-F8], ebx ; 49CBC78A
0045DC35 |. >mov dword ptr [ebp-F4], eax ; B41E03A0
0045DC3B |. >mov dword ptr [ebp-F0], 20464375
0045DC45 |. >mov dword ptr [ebp-EC], 78584F52
0045DC4F |. >lea eax, dword ptr [ebp-FC]
0045DC55 |. >call <SHA1_Init>
0045DC5A |. >mov eax, dword ptr [ebp-14] ; m
0045DC5D |. >call <GetLenth>
0045DC62 |. >push eax
0045DC63 |. >mov eax, dword ptr [ebp-14]
0045DC66 |. >call <@@LStrToPChar>
0045DC6B |. >mov edx, eax
0045DC6D |. >lea eax, dword ptr [ebp-FC]
0045DC73 |. >pop ecx
0045DC74 |. >call <SHA1_Update>
0045DC79 |. >lea edx, dword ptr [ebp-110]
0045DC7F |. >lea eax, dword ptr [ebp-FC]
0045DC85 |. >call <SHA1_Final> ; 标准SHA1(m) = E2 0C 44 94 F9 30 EC AC B1 6C 51 F8 A0 8F 03 0F 53 FB 47 54
0045DC8A |. >xor ebx, ebx ; //
0045DC8C |. >mov bl, byte ptr [ebp-110]
0045DC92 |. >shl ebx, 18
0045DC95 |. >xor eax, eax
0045DC97 |. >mov al, byte ptr [ebp-10F]
0045DC9D |. >shl eax, 10
0045DCA0 |. >add ebx, eax
0045DCA2 |. >xor eax, eax
0045DCA4 |. >mov al, byte ptr [ebp-10E]
0045DCAA |. >shl eax, 8
0045DCAD |. >add ebx, eax
0045DCAF |. >xor eax, eax
0045DCB1 |. >mov al, byte ptr [ebp-10D]
0045DCB7 |. >add ebx, eax ; \\ebx = E20C4494
0045DCB9 |. >movzx esi, byte ptr [ebp-10C] ; //
0045DCC0 |. >shl esi, 18
0045DCC3 |. >xor eax, eax
0045DCC5 |. >mov al, byte ptr [ebp-10B]
0045DCCB |. >shl eax, 10
0045DCCE |. >add esi, eax
0045DCD0 |. >xor eax, eax
0045DCD2 |. >mov al, byte ptr [ebp-10A]
0045DCD8 |. >shl eax, 8
0045DCDB |. >add esi, eax
0045DCDD |. >xor eax, eax
0045DCDF |. >mov al, byte ptr [ebp-109]
0045DCE5 |. >add esi, eax ; \\esi = F930ECAC
0045DCE7 |. >movzx edi, byte ptr [ebp-108] ; //
0045DCEE |. >shl edi, 18
0045DCF1 |. >xor eax, eax
0045DCF3 |. >mov al, byte ptr [ebp-107]
0045DCF9 |. >shl eax, 10
0045DCFC |. >add edi, eax
0045DCFE |. >xor eax, eax
0045DD00 |. >mov al, byte ptr [ebp-106]
0045DD06 |. >shl eax, 8
0045DD09 |. >add edi, eax
0045DD0B |. >xor eax, eax
0045DD0D |. >mov al, byte ptr [ebp-105]
0045DD13 |. >add edi, eax ; \\edi = B16C51F8
0045DD15 |. >xor eax, eax ; //
0045DD17 |. >mov al, byte ptr [ebp-104]
0045DD1D |. >shl eax, 18
0045DD20 |. >xor edx, edx
0045DD22 |. >mov dl, byte ptr [ebp-103]
0045DD28 |. >shl edx, 10
0045DD2B |. >add eax, edx
0045DD2D |. >xor edx, edx
0045DD2F |. >mov dl, byte ptr [ebp-102]
0045DD35 |. >shl edx, 8
0045DD38 |. >add eax, edx
0045DD3A |. >xor edx, edx
0045DD3C |. >mov dl, byte ptr [ebp-101]
0045DD42 |. >add eax, edx ; \\eax = A08F030F
0045DD44 |. >mov dword ptr [ebp-98], eax ; //
0045DD4A |. >xor eax, eax
0045DD4C |. >mov al, byte ptr [ebp-100]
0045DD52 |. >shl eax, 18
0045DD55 |. >xor edx, edx
0045DD57 |. >mov dl, byte ptr [ebp-FF]
0045DD5D |. >shl edx, 10
0045DD60 |. >add eax, edx
0045DD62 |. >xor edx, edx
0045DD64 |. >mov dl, byte ptr [ebp-FE]
0045DD6A |. >shl edx, 8
0045DD6D |. >add eax, edx
0045DD6F |. >xor edx, edx
0045DD71 |. >mov dl, byte ptr [ebp-FD]
0045DD77 |. >add eax, edx ; \\eax = 53FB4754
0045DD79 |. >mov dword ptr [ebp-9C], eax ; 53FB4754
0045DD7F |. >mov dl, 3
0045DD81 |. >mov eax, ebx ; E20C4494
0045DD83 |. >call <ROL> ; 106224A7
0045DD88 |. >not edi ; not B16C51F8 = 4E93AE07
0045DD8A |. >or esi, edi ; F930ECAC or 4E93AE07 = FFB3EEAF
0045DD8C |. >xor eax, esi ; EE: 106224A7 xor FFB3EEAF = EFD1CA08
0045DD8E |. >mov ebx, eax ; EFD1CA08
0045DD90 |. >mov dl, 5
0045DD92 |. >mov eax, dword ptr [ebp-9C] ; 53FB4754
0045DD98 |. >call <ROR> ; 循环右移:A29FDA3A
上面除过SHA1为标准的散列函数外,其余似乎均乃变形算法,我们不理睬算法细节,只要它是散列函数就行,因为我们有IDA。
0045DD9D |. >mov esi, eax ; A29FDA3A
0045DD9F |. >add esi, dword ptr [ebp-98] ; + A08F030F = FF: 432EDD49
0045DDA5 |. >lea edx, dword ptr [ebp-114] ; "24"
0045DDAB |. >mov al, 7
0045DDAD |. >call <GetStrFromTable> ; "ED540C2D3CA2525B"
0045DDB2 |. >mov eax, dword ptr [ebp-114] ; p
0045DDB8 |. >lea edx, dword ptr [ebp-10]
0045DDBB |. >call <Str2Hex>
0045DDC0 |. >lea edx, dword ptr [ebp-4C]
0045DDC3 |. >mov eax, dword ptr [ebp-10]
0045DDC6 |. >call <@Base256StringToFGInt>
0045DDCB |. >lea edx, dword ptr [ebp-114]
0045DDD1 |. >mov al, 8
0045DDD3 |. >call <GetStrFromTable> ; "269C31348A00DE79"
0045DDD8 |. >mov eax, dword ptr [ebp-114] ; y
0045DDDE |. >lea edx, dword ptr [ebp-10]
0045DDE1 |. >call <Str2Hex>
0045DDE6 |. >lea edx, dword ptr [ebp-64]
0045DDE9 |. >mov eax, dword ptr [ebp-10]
0045DDEC |. >call <@Base256StringToFGInt>
0045DDF1 |. >lea edx, dword ptr [ebp-114]
0045DDF7 |. >mov al, 9
0045DDF9 |. >call <GetStrFromTable> ; "8AA419551BBF4DDB"
0045DDFE |. >mov eax, dword ptr [ebp-114] ; g
0045DE04 |. >lea edx, dword ptr [ebp-10]
0045DE07 |. >call <Str2Hex>
0045DE0C |. >lea edx, dword ptr [ebp-6C]
0045DE0F |. >mov eax, dword ptr [ebp-10]
0045DE12 |. >call <@Base256StringToFGInt>
0045DE17 |. >lea eax, dword ptr [ebp-114]
0045DE1D |. >mov ecx, dword ptr [ebp-20] ; t:"66666666"
0045DE20 |. >mov edx, dword ptr [ebp-18] ; r:"44444444"
0045DE23 |. >call <@@LStrCat3> ; a: 4444444466666666
0045DE28 |. >mov eax, dword ptr [ebp-114]
0045DE2E |. >lea edx, dword ptr [ebp-10]
0045DE31 |. >call <Str2Hex>
0045DE36 |. >lea edx, dword ptr [ebp-54]
0045DE39 |. >mov eax, dword ptr [ebp-10]
0045DE3C |. >call <@Base256StringToFGInt> ; a
0045DE41 |. >mov eax, ebx
0045DE43 |. >xor edx, edx
0045DE45 |. >push edx ; /Arg2 => 00000000
0045DE46 |. >push eax ; |EE: EFD1CA08
0045DE47 |. >lea edx, dword ptr [ebp-114] ; |
0045DE4D |. >mov eax, 8 ; |
0045DE52 |. >call <@IntToHex_0> ; \@IntToHex_0
0045DE57 |. >lea eax, dword ptr [ebp-114]
0045DE5D |. >push eax
0045DE5E |. >mov eax, esi
0045DE60 |. >xor edx, edx
0045DE62 |. >push edx ; /Arg2 => 00000000
0045DE63 |. >push eax ; |FF: 432EDD49
0045DE64 |. >lea edx, dword ptr [ebp-118] ; |
0045DE6A |. >mov eax, 8 ; |
0045DE6F |. >call <@IntToHex_0> ; \@IntToHex_0
0045DE74 |. >mov edx, dword ptr [ebp-118] ; FF
0045DE7A |. >pop eax
0045DE7B |. >call <@@LStrCat>
0045DE80 |. >mov eax, dword ptr [ebp-114]
0045DE86 |. >lea edx, dword ptr [ebp-10]
0045DE89 |. >call <Str2Hex>
0045DE8E |. >lea edx, dword ptr [ebp-5C]
0045DE91 |. >mov eax, dword ptr [ebp-10]
0045DE94 |. >call <@Base256StringToFGInt> ; b: EFD1CA08432EDD49
0045DE99 |. >lea eax, dword ptr [ebp-114]
0045DE9F |. >mov ecx, dword ptr [ebp-24] ; u: 77778888
0045DEA2 |. >mov edx, dword ptr [ebp-1C] ; s: 55555555
0045DEA5 |. >call <@@LStrCat3>
0045DEAA |. >mov eax, dword ptr [ebp-114]
0045DEB0 |. >lea edx, dword ptr [ebp-10]
0045DEB3 |. >call <Str2Hex>
0045DEB8 |. >lea edx, dword ptr [ebp-74]
0045DEBB |. >mov eax, dword ptr [ebp-10]
0045DEBE |. >call <@Base256StringToFGInt> ; M: 5555555577778888
0045DEC3 |. >lea eax, dword ptr [ebp-7C]
0045DEC6 |. >push eax ; II
0045DEC7 |. >lea ecx, dword ptr [ebp-4C] ; p: ED540C2D3CA2525B
0045DECA |. >lea edx, dword ptr [ebp-54] ; a: 4444444466666666
0045DECD |. >lea eax, dword ptr [ebp-64] ; y: 269C31348A00DE79
0045DED0 |. >call <FGIntModExp> ; II = y ^ a(mod p) = A1C12BDE16B4CADD
0045DED5 |. >lea eax, dword ptr [ebp-84]
0045DEDB |. >push eax
0045DEDC |. >lea ecx, dword ptr [ebp-4C] ; p: ED540C2D3CA2525B
0045DEDF |. >lea edx, dword ptr [ebp-5C] ; b: EFD1CA08432EDD49
0045DEE2 |. >lea eax, dword ptr [ebp-54] ; a: 4444444466666666
0045DEE5 |. >call <FGIntModExp> ; JJ = a ^ b(mod p) = C458C21B037AB697
0045DEEA |. >lea eax, dword ptr [ebp-8C]
0045DEF0 |. >push eax ; KK
0045DEF1 |. >lea ecx, dword ptr [ebp-4C] ; p: ED540C2D3CA2525B
0045DEF4 |. >lea edx, dword ptr [ebp-84] ; JJ: C458C21B037AB697
0045DEFA |. >lea eax, dword ptr [ebp-7C] ; II: A1C12BDE16B4CADD
0045DEFD |. >call <FGIntMulMod> ; KK = (II * JJ)(mod p) = A5ED25A9FFA6E084
0045DF02 |. >lea eax, dword ptr [ebp-94]
0045DF08 |. >push eax ; LL
0045DF09 |. >lea ecx, dword ptr [ebp-4C] ; p: ED540C2D3CA2525B
0045DF0C |. >lea edx, dword ptr [ebp-74] ; M: 5555555577778888
0045DF0F |. >lea eax, dword ptr [ebp-6C] ; g: 8AA419551BBF4DDB
0045DF12 |. >call <FGIntModExp> ; LL = g ^ M(mod p) = 373BB0840F366C2F
0045DF17 |. >lea edx, dword ptr [ebp-10]
0045DF1A |. >lea eax, dword ptr [ebp-8C]
0045DF20 |. >call <FGIntToBase256String> ; KK: A5ED25A9FFA6E084
0045DF25 |. >lea edx, dword ptr [ebp-18]
0045DF28 |. >mov eax, dword ptr [ebp-10]
0045DF2B |. >call <Hex2Str>
0045DF30 |. >lea edx, dword ptr [ebp-10]
0045DF33 |. >lea eax, dword ptr [ebp-94]
0045DF39 |. >call <FGIntToBase256String> ; LL: 373BB0840F366C2F
0045DF3E |. >lea edx, dword ptr [ebp-1C]
0045DF41 |. >mov eax, dword ptr [ebp-10]
0045DF44 |. >call <Hex2Str>
0045DF49 |. >lea eax, dword ptr [ebp-4C]
0045DF4C |. >call <@FGIntDestroy>
0045DF51 |. >lea eax, dword ptr [ebp-64]
0045DF54 |. >call <@FGIntDestroy>
0045DF59 |. >lea eax, dword ptr [ebp-6C]
0045DF5C |. >call <@FGIntDestroy>
0045DF61 |. >lea eax, dword ptr [ebp-54]
0045DF64 |. >call <@FGIntDestroy>
0045DF69 |. >lea eax, dword ptr [ebp-5C]
0045DF6C |. >call <@FGIntDestroy>
0045DF71 |. >lea eax, dword ptr [ebp-74]
0045DF74 |. >call <@FGIntDestroy>
0045DF79 |. >lea eax, dword ptr [ebp-7C]
0045DF7C |. >call <@FGIntDestroy>
0045DF81 |. >lea eax, dword ptr [ebp-84]
0045DF87 |. >call <@FGIntDestroy>
0045DF8C |. >lea eax, dword ptr [ebp-8C]
0045DF92 |. >call <@FGIntDestroy>
0045DF97 |. >lea eax, dword ptr [ebp-94]
0045DF9D |. >call <@FGIntDestroy>
0045DFA2 |. >mov eax, dword ptr [ebp-18] ; KK
0045DFA5 |. >mov edx, dword ptr [ebp-1C] ; LL
0045DFA8 |. >call <@@LStrCmp> ; 比较KK和LL
0045DFAD |. >jnz 0045E06E
整理一下上段代码的思路:
(y^a) * (a^b) ?≡ (g^M) (mod p)
很标准的ElGamal签名算法嘛。这里就不介绍ElGamal算法了,在论坛里面搜搜ryosuke的精华帖就可以找到。我们给定一个k,然后计算a,再然后,根据
M = (xa + kb)(mod p-1)
来构造出M,以满足程序所需。
OK,我们假设k = 17,验证GCD(k, p-1) = 1通过,计算出a和M分别为:
a = 1259CFD32DB3FE6C; M = 53BBDD8ACF81ECA9
用a和M中相应位置的数替换掉44444444、66666666、55555555和77778888,得:
12345678222222222222121259CFD3AB53BBDD8A992DB3FE6C24CF81ECA9
用这个SN从新计算新的sn,得:
990F38CF27F5EF757B65B579AE33F06EBE060B74DEB12A10350B1B0A723DBBD1301789
嗯,的确通过了0045DFA8处的验证。
F9继续执行程序,它说:
Registered to: 4Vx""""""
说明我们已经注册成功了,只是,我们的名称有点问题,我们找到消息框的弹出地点:
0045D4D4 |. 5>push eax ; |Text
0045D4D5 |. A>mov eax, dword ptr [468CBC] ; |
0045D4DA |. 8>mov eax, dword ptr [eax] ; |
0045D4DC |. 8>mov eax, dword ptr [eax+24] ; |
0045D4DF |. 5>push eax ; |hOwner
0045D4E0 |. E>call <MessageBoxA_0_0> ; \MessageBoxA
在0045D4D4下断点,再次输入我们上面的注册码,发现eax正是m串对应的十六进制序列,呵呵,明白的不能再明白了。
分析完了,这出戏正看得过瘾时却嘎然而止了。
是的,那个CRC32和变形MD5没有用,是扰乱视线的。给出3组可用的注册码:
1ED7DC75945BF7A16026F4C2223F983734710C05502A1C383CE4EA4A6C9AFC44753A43
5A3FB052E614CC83668CF9F998987BAC585393DF7318CA0D144F56907274F37F141668
02D56B2B6BD94C185D78CCFA94FA398A5DF0802DBE859D4B902D7278E9D11DD7D34361
你猜猜看哪一组是注册给pediy的。附件内包含注册机源代码。
--------------------------------------------------------------------------------
【经验总结】
uCF2000宣称这个keygenme是very hard,呵呵,那是他们在忽悠我们,不要被他们吓倒。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪软件安全论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年12月21日 20:22:41
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
上传的附件: