【破文作者】 simonzh2000[US]
【使用工具】 Ollydbg1.10B, UnPECompact, PEid0.92
【破解平台】 Win2000SP4 English
【软件名称】 苍鹰象棋 1.0
【软件简介】 象棋苍鹰软件是中国大陆大连金星工作室生产的一款人工智能软件。本程序的特点是功能多,棋力强,集人机对弈和打谱软件于一身,是学习象棋,提高象棋水平的好帮手。
本程式的联众对弈功能是采用了联众外挂软件的方式实现的,一旦联众的内部协议改变了,本系统也会正常运行。
【软件主页】 [url]http://www.cangying.com[/url]
【加壳方式】 PECompact, 用UNPECompact脱壳即可
【作者声明】 本软件用了 机器码 + Keyfile 的注册方式. MFC 程序.
注册机是我去年写的, 但一直没有公布, 现在苍鹰象棋 2.0 快推出了, 公布本文对作者影响不大吧.
本笔记只用于学习交流, 初学Crack,只是感兴趣技术,没有其他目的, 如有不妥之处, 希望作者谅解.
【破解之旅】
程序启动后查找 Keyfile, 如没有, 则弹出一对话框, 显示机器码, 要求用户提供 Keyfile 位置.
OD 出场, 对 MFC42.#4710_?OnInitDialog@CDialog@@UAEHXZ 下断, F9,
00408CD0 . 81EC 84030000 SUB ESP,384 ; // InitDialog
00408CD6 . 53 PUSH EBX
00408CD7 . 55 PUSH EBP
00408CD8 . 56 PUSH ESI
00408CD9 . 57 PUSH EDI
00408CDA . 8BD9 MOV EBX,ECX
00408CDC . E8 1B780200 CALL <JMP.&MFC42.#4710_?OnInitDialog@CDialog@@UAEHXZ>
00408CE1 . 6A 00 PUSH 0 ; /Arg2 = 00000000
00408CE3 . 53 PUSH EBX ; |Arg1
00408CE4 . 8D4B 60 LEA ECX,DWORD PTR DS:[EBX+60] ; |
00408CE7 . E8 34220100 CALL chess.0041AF20 ; \chess.0041AF20
00408CEC . 8D4424 74 LEA EAX,DWORD PTR SS:[ESP+74]
00408CF0 . 50 PUSH EAX
00408CF1 . E8 6A200200 CALL chess.0042AD60 ; //取程序路径
00408CF6 . BF ECF44300 MOV EDI,chess.0043F4EC ; ASCII "\buy.html"
...
00408D64 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
00408D68 . 51 PUSH ECX
00408D69 . E8 12680000 CALL chess.0040F580 ; //计算机器码, 我们就不跟了, F8
00408D6E . 83C4 04 ADD ESP,4
00408D71 . 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
00408D75 . 8D8B 00020000 LEA ECX,DWORD PTR DS:[EBX+200]
00408D7B . 52 PUSH EDX
00408D7C . E8 4B770200 CALL <JMP.&MFC42.#860_??4CString@@QAEABV0@PBD@Z>
00408D81 . 6A 00 PUSH 0
00408D83 . 8BCB MOV ECX,EBX
00408D85 . E8 6C770200 CALL <JMP.&MFC42.#6334_?UpdateData@CWnd@@QAEHH@Z>
00408D8A . BF D0084400 MOV EDI,chess.004408D0
00408D8F . 83C9 FF OR ECX,FFFFFFFF
00408D92 . 33C0 XOR EAX,EAX
00408D94 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00408D96 . F7D1 NOT ECX
00408D98 . 2BF9 SUB EDI,ECX
00408D9A . 8BC1 MOV EAX,ECX
00408D9C . 8BF7 MOV ESI,EDI
00408D9E . BF 9C684D00 MOV EDI,chess.004D689C
00408DA3 . C1E9 02 SHR ECX,2
00408DA6 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00408DA8 . 8BC8 MOV ECX,EAX
00408DAA . 83E1 03 AND ECX,3
00408DAD . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00408DAF . 8BCB MOV ECX,EBX
00408DB1 . E8 4A040000 CALL chess.00409200 ; //检查注册文件, F7 跟进
00408DB6 . 5F POP EDI
00408DB7 . 5E POP ESI
00408DB8 . 5D POP EBP
00408DB9 . B8 01000000 MOV EAX,1
00408DBE . 5B POP EBX
00408DBF . 81C4 84030000 ADD ESP,384
00408DC5 . C3 RETN
00409200 $ 55 PUSH EBP
00409201 . 8BEC MOV EBP,ESP
00409203 . 6A FF PUSH -1
00409205 . 68 C8184300 PUSH chess.004318C8 ; SE handler installation
0040920A . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00409210 . 50 PUSH EAX
00409211 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00409218 . 81EC 4C070000 SUB ESP,74C
0040921E . 8B81 00020000 MOV EAX,DWORD PTR DS:[ECX+200]
00409224 . 894D D8 MOV DWORD PTR SS:[EBP-28],ECX
00409227 . 81C1 00020000 ADD ECX,200
0040922D . 53 PUSH EBX
0040922E . 8B40 F8 MOV EAX,DWORD PTR DS:[EAX-8]
00409231 . 56 PUSH ESI
00409232 . 57 PUSH EDI
00409233 . 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
00409236 . 50 PUSH EAX
00409237 . E8 FA710200 CALL <JMP.&MFC42.#2915_?GetBuffer@CString@@QAEPADH@Z> ; //分配20个char的buffer,机器码
0040923C . 8D8D A8F8FFFF LEA ECX,DWORD PTR SS:[EBP-758]
00409242 . 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
00409245 . 51 PUSH ECX
00409246 . E8 151B0200 CALL chess.0042AD60 ; //得到程序路径
0040924B . BF 14F54300 MOV EDI,chess.0043F514 ; ASCII "\goshawk.dat"
00409250 . 83C9 FF OR ECX,FFFFFFFF
00409253 . 33C0 XOR EAX,EAX
00409255 . 83C4 04 ADD ESP,4
00409258 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0040925A . F7D1 NOT ECX
0040925C . 2BF9 SUB EDI,ECX
0040925E . 8D95 A8F8FFFF LEA EDX,DWORD PTR SS:[EBP-758]
00409264 . 8BF7 MOV ESI,EDI
00409266 . 8BD9 MOV EBX,ECX
00409268 . 8BFA MOV EDI,EDX
0040926A . 83C9 FF OR ECX,FFFFFFFF
0040926D . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0040926F . 8BCB MOV ECX,EBX
00409271 . 4F DEC EDI
00409272 . C1E9 02 SHR ECX,2
00409275 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00409277 . 8BCB MOV ECX,EBX
00409279 . 83E1 03 AND ECX,3
0040927C . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0040927E . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00409281 . E8 FA720200 CALL <JMP.&MFC42.#354_??0CFile@@QAE@XZ>
00409286 . 33DB XOR EBX,EBX
00409288 . 8D85 A8F8FFFF LEA EAX,DWORD PTR SS:[EBP-758]
0040928E . 53 PUSH EBX
0040928F . 53 PUSH EBX
00409290 . 50 PUSH EAX
00409291 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00409294 . 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00409297 . E8 DE720200 CALL <JMP.&MFC42.#5186_?Open@CFile@@UAEHPBDIPAVCFileException@@@Z> ; //打开注册文件 "goshawk.dat"
0040929C . 85C0 TEST EAX,EAX
0040929E . 0F84 88010000 JE chess.0040942C ; //打开失败, 显示对话框, 到下面 408F80
; //下面是打开成功后的判断, 我们等一会再来
004092A4 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004092A7 . C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
004092AB . E8 C4720200 CALL <JMP.&MFC42.#3318_?GetLength@CFile@@UBEKXZ>
004092B0 . 3D 120C0000 CMP EAX,0C12 ; //文件要>=3090字节
004092B5 . 0F82 69010000 JB chess.00409424 ; //小于则先关闭文件, 显示对话框
004092BB . 8D4D C8 LEA ECX,DWORD PTR SS:[EBP-38]
004092BE . 6A 0A PUSH 0A
004092C0 . 51 PUSH ECX
004092C1 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004092C4 . E8 A5720200 CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z> ; // 读10个字节
004092C9 . BE 48F54300 MOV ESI,chess.0043F548 ; ASCII "GHKFORREG"
004092CE . 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
004092D1 > 8A10 MOV DL,BYTE PTR DS:[EAX] ; //比较是否为"GHKFORREG"
004092D3 . 8ACA MOV CL,DL
004092D5 . 3A16 CMP DL,BYTE PTR DS:[ESI]
004092D7 . 75 1C JNZ SHORT chess.004092F5
004092D9 . 3ACB CMP CL,BL
004092DB . 74 14 JE SHORT chess.004092F1
004092DD . 8A50 01 MOV DL,BYTE PTR DS:[EAX+1]
004092E0 . 8ACA MOV CL,DL
004092E2 . 3A56 01 CMP DL,BYTE PTR DS:[ESI+1]
004092E5 . 75 0E JNZ SHORT chess.004092F5
004092E7 . 83C0 02 ADD EAX,2
004092EA . 83C6 02 ADD ESI,2
004092ED . 3ACB CMP CL,BL
004092EF .^ 75 E0 JNZ SHORT chess.004092D1 ; //===============================
004092F1 > 33C0 XOR EAX,EAX
004092F3 . EB 05 JMP SHORT chess.004092FA
004092F5 > 1BC0 SBB EAX,EAX
004092F7 . 83D8 FF SBB EAX,-1
004092FA > 3BC3 CMP EAX,EBX
004092FC . 0F85 22010000 JNZ chess.00409424 ; //不对则先关闭文件, 显示对话框
00409302 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00409305 . 6A 04 PUSH 4
00409307 . 50 PUSH EAX
00409308 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0040930B . 895D DC MOV DWORD PTR SS:[EBP-24],EBX
0040930E . E8 5B720200 CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z> ; //读入4字节表示的长度
00409313 . 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00409316 . 3D 00040000 CMP EAX,400 ; //要小于1024
0040931B . 0F83 03010000 JNB chess.00409424 ; //不对则先关闭文件, 显示对话框
00409321 . 8D8D C8FBFFFF LEA ECX,DWORD PTR SS:[EBP-438]
00409327 . 50 PUSH EAX
00409328 . 51 PUSH ECX
00409329 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0040932C . E8 3D720200 CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z> ; //读密文, 这次放在 10AE6C
00409331 . 8B75 DC MOV ESI,DWORD PTR SS:[EBP-24]
00409334 . 33C0 XOR EAX,EAX
00409336 . 889C35 C8FBFF>MOV BYTE PTR SS:[EBP+ESI-438],BL
0040933D > 3BC6 CMP EAX,ESI
0040933F . 7D 16 JGE SHORT chess.00409357 ; //处理完了吗?
00409341 . 8A8C05 C8FBFF>MOV CL,BYTE PTR SS:[EBP+EAX-438]
00409348 . 80CA FF OR DL,0FF
0040934B . 2AD1 SUB DL,CL
0040934D . 889405 C8FBFF>MOV BYTE PTR SS:[EBP+EAX-438],DL ; //取反
00409354 . 40 INC EAX
00409355 .^ EB E6 JMP SHORT chess.0040933D ; //===================================
00409357 > 33C9 XOR ECX,ECX
00409359 > 8BC6 MOV EAX,ESI
0040935B . 99 CDQ
0040935C . 2BC2 SUB EAX,EDX
0040935E . D1F8 SAR EAX,1
00409360 . 3BC8 CMP ECX,EAX
00409362 . 7D 27 JGE SHORT chess.0040938B
00409364 . 8BC6 MOV EAX,ESI
00409366 . 8A940D C8FBFF>MOV DL,BYTE PTR SS:[EBP+ECX-438]
0040936D . 2BC1 SUB EAX,ECX
0040936F . 41 INC ECX
00409370 . 8A9C05 C7FBFF>MOV BL,BYTE PTR SS:[EBP+EAX-439]
00409377 . 8D8405 C7FBFF>LEA EAX,DWORD PTR SS:[EBP+EAX-439]
0040937E . 889C0D C7FBFF>MOV BYTE PTR SS:[EBP+ECX-439],BL
00409385 . 33DB XOR EBX,EBX
00409387 . 8810 MOV BYTE PTR DS:[EAX],DL
00409389 .^ EB CE JMP SHORT chess.00409359 ; //交换顺序
0040938B > 8B75 D4 MOV ESI,DWORD PTR SS:[EBP-2C] ; //比较机器码
0040938E . 8D85 C8FBFFFF LEA EAX,DWORD PTR SS:[EBP-438]
00409394 > 8A10 MOV DL,BYTE PTR DS:[EAX]
00409396 . 8ACA MOV CL,DL
00409398 . 3A16 CMP DL,BYTE PTR DS:[ESI]
0040939A . 75 1C JNZ SHORT chess.004093B8
0040939C . 3ACB CMP CL,BL
0040939E . 74 14 JE SHORT chess.004093B4
004093A0 . 8A50 01 MOV DL,BYTE PTR DS:[EAX+1]
004093A3 . 8ACA MOV CL,DL
004093A5 . 3A56 01 CMP DL,BYTE PTR DS:[ESI+1]
004093A8 . 75 0E JNZ SHORT chess.004093B8
004093AA . 83C0 02 ADD EAX,2
004093AD . 83C6 02 ADD ESI,2
004093B0 . 3ACB CMP CL,BL
004093B2 .^ 75 E0 JNZ SHORT chess.00409394 ; //比较机器码结束
004093B4 > 33C0 XOR EAX,EAX
004093B6 . EB 05 JMP SHORT chess.004093BD
004093B8 > 1BC0 SBB EAX,EAX
004093BA . 83D8 FF SBB EAX,-1
004093BD > 3BC3 CMP EAX,EBX
004093BF . 75 63 JNZ SHORT chess.00409424 ; //不对则先关闭文件, 显示对话框
004093C1 . BF 6CF54300 MOV EDI,chess.0043F56C ; ASCII "NOTABCDE"
004093C6 . 83C9 FF OR ECX,FFFFFFFF
004093C9 . 33C0 XOR EAX,EAX
004093CB . 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004093CE . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004093D0 . F7D1 NOT ECX ; //"NOTABCDE" 长度为9
004093D2 . 2BF9 SUB EDI,ECX
004093D4 . 8BC1 MOV EAX,ECX
004093D6 . 8BF7 MOV ESI,EDI
004093D8 . BF 9C684D00 MOV EDI,chess.004D689C
004093DD . C1E9 02 SHR ECX,2 ; // ECX / 4
004093E0 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
004093E2 . 8BC8 MOV ECX,EAX
004093E4 . 83E1 03 AND ECX,3
004093E7 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
004093E9 . 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
004093EC . E8 23710200 CALL <JMP.&MFC42.#4853_?OnOK@CDialog@@MAEXXZ> ; // 如上面检查通过, 不再显示对话框
004093F1 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004093F4 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
004093FB . E8 56710200 CALL <JMP.&MFC42.#665_??1CFile@@UAE@XZ>
00409400 . B8 01000000 MOV EAX,1
00409405 . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00409408 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0040940F . 5F POP EDI
00409410 . 5E POP ESI
00409411 . 5B POP EBX
00409412 . 8BE5 MOV ESP,EBP
00409414 . 5D POP EBP
00409415 . C3 RETN
00409416 . 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
00409419 . E8 3C700200 CALL <JMP.&MFC42.#4376_?OnCancel@CDialog@@MAEXXZ>
0040941E . B8 2C944000 MOV EAX,chess.0040942C
00409423 . C3 RETN
00409424 > 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00409427 . E8 3C710200 CALL <JMP.&MFC42.#1979_?Close@CFile@@UAEXXZ>
0040942C > 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0040942F . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
00409436 . E8 1B710200 CALL <JMP.&MFC42.#665_??1CFile@@UAE@XZ>
0040943B . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
0040943E . 5F POP EDI
0040943F . 5E POP ESI
00409440 . 33C0 XOR EAX,EAX
00409442 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
00409449 . 5B POP EBX
0040944A . 8BE5 MOV ESP,EBP
0040944C . 5D POP EBP
0040944D . C3 RETN
显示对话框后, 我们选中作者给我们的一个文件, 比如 key.dat, 下断 MFC42.#5186_?Open@CFile@@UAEHPBDIPAVCFileException@@@Z , 点注册,
00408F80 /. 55 PUSH EBP
00408F81 |. 8BEC MOV EBP,ESP
00408F83 |. 6A FF PUSH -1
00408F85 |. 68 A8184300 PUSH chess.004318A8 ; SE handler installation
00408F8A |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00408F90 |. 50 PUSH EAX
00408F91 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00408F98 |. 81EC 48070000 SUB ESP,748
00408F9E |. 53 PUSH EBX
00408F9F |. 56 PUSH ESI
00408FA0 |. 57 PUSH EDI
00408FA1 |. 8BD9 MOV EBX,ECX
00408FA3 |. 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
00408FA6 |. 6A 01 PUSH 1
00408FA8 |. 895D D8 MOV DWORD PTR SS:[EBP-28],EBX
00408FAB |. E8 46750200 CALL <JMP.&MFC42.#6334_?UpdateData@CWnd@@QAEHH@Z>
00408FB0 |. 8B83 00020000 MOV EAX,DWORD PTR DS:[EBX+200]
00408FB6 |. 8D8B 00020000 LEA ECX,DWORD PTR DS:[EBX+200]
00408FBC |. 8B40 F8 MOV EAX,DWORD PTR DS:[EAX-8]
00408FBF |. 50 PUSH EAX
00408FC0 |. E8 71740200 CALL <JMP.&MFC42.#2915_?GetBuffer@CString@@QAEPADH@Z>
00408FC5 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00408FC8 |. 8BF0 MOV ESI,EAX
00408FCA |. E8 B1750200 CALL <JMP.&MFC42.#354_??0CFile@@QAE@XZ>
00408FCF |. 8B83 FC010000 MOV EAX,DWORD PTR DS:[EBX+1FC]
00408FD5 |. 6A 00 PUSH 0
00408FD7 |. 6A 00 PUSH 0
00408FD9 |. 50 PUSH EAX
00408FDA |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00408FDD |. C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
00408FE4 |. E8 91750200 CALL <JMP.&MFC42.#5186_?Open@CFile@@UAEHPBDIPAVCFileException@@@Z> ; //打开 Key.dat
00408FE9 |. 85C0 TEST EAX,EAX
00408FEB |. 75 35 JNZ SHORT chess.00409022
00408FED |. 50 PUSH EAX
00408FEE |. 68 54F54300 PUSH chess.0043F554
00408FF3 |> E8 88600200 CALL chess.0042F080
00408FF8 |. 83C4 08 ADD ESP,8
00408FFB |> 8BCB MOV ECX,EBX
00408FFD |. E8 58740200 CALL <JMP.&MFC42.#4376_?OnCancel@CDialog@@MAEXXZ>
00409002 |> 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00409005 |. C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
0040900C |. E8 45750200 CALL <JMP.&MFC42.#665_??1CFile@@UAE@XZ>
00409011 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00409014 |. 5F POP EDI
00409015 |. 5E POP ESI
00409016 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0040901D |. 5B POP EBX
0040901E |. 8BE5 MOV ESP,EBP
00409020 |. 5D POP EBP
00409021 |. C3 RETN
00409022 |> 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00409025 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00409029 |. E8 46750200 CALL <JMP.&MFC42.#3318_?GetLength@CFile@@UBEKXZ> ; //比较文件大小
0040902E |. 3D 120C0000 CMP EAX,0C12 ; // >=3090 (0xC12), 小于则跳转
00409033 |. 0F82 05010000 JB chess.0040913E
00409039 |. 8D4D CC LEA ECX,DWORD PTR SS:[EBP-34]
0040903C |. 6A 0A PUSH 0A
0040903E |. 51 PUSH ECX
0040903F |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00409042 |. E8 27750200 CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z> ; //读10个字节文件头
00409047 |. BF 48F54300 MOV EDI,chess.0043F548 ; ASCII "GHKFORREG"
0040904C |. 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
0040904F |> 8A10 /MOV DL,BYTE PTR DS:[EAX] ; //判断是否是"GHKFORREG",0
00409051 |. 8ACA |MOV CL,DL
00409053 |. 3A17 |CMP DL,BYTE PTR DS:[EDI]
00409055 |. 75 1C |JNZ SHORT chess.00409073
00409057 |. 84C9 |TEST CL,CL
00409059 |. 74 14 |JE SHORT chess.0040906F
0040905B |. 8A50 01 |MOV DL,BYTE PTR DS:[EAX+1]
0040905E |. 8ACA |MOV CL,DL
00409060 |. 3A57 01 |CMP DL,BYTE PTR DS:[EDI+1]
00409063 |. 75 0E |JNZ SHORT chess.00409073
00409065 |. 83C0 02 |ADD EAX,2
00409068 |. 83C7 02 |ADD EDI,2
0040906B |. 84C9 |TEST CL,CL
0040906D |.^ 75 E0 \JNZ SHORT chess.0040904F
0040906F |> 33C0 XOR EAX,EAX
00409071 |. EB 05 JMP SHORT chess.00409078
00409073 |> 1BC0 SBB EAX,EAX
00409075 |. 83D8 FF SBB EAX,-1
00409078 |> 85C0 TEST EAX,EAX
0040907A |. 0F85 BE000000 JNZ chess.0040913E
00409080 |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
00409083 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00409086 |. 6A 04 PUSH 4
00409088 |. 50 PUSH EAX
00409089 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0040908C |. E8 DD740200 CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z> ; //读4个字节, 包的长度
00409091 |. 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
00409094 |. 3D 00040000 CMP EAX,400 ; //要小于1024
00409099 |. 0F83 AE000000 JNB chess.0040914D
0040909F |. 8D8D CCFBFFFF LEA ECX,DWORD PTR SS:[EBP-434]
004090A5 |. 50 PUSH EAX
004090A6 |. 51 PUSH ECX
004090A7 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20] ; //读上述长度的数据包
004090AA |. E8 BF740200 CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z> ; //放在堆栈 0010AF48
004090AF |. 8B7D DC MOV EDI,DWORD PTR SS:[EBP-24]
004090B2 |. 33C0 XOR EAX,EAX
004090B4 |. C6843D CCFBFF>MOV BYTE PTR SS:[EBP+EDI-434],0 ; //在内存数据包最后放 0
004090BC |> 3BC7 /CMP EAX,EDI ; //处理每一字节
004090BE |. 7D 16 |JGE SHORT chess.004090D6
004090C0 |. 8A8C05 CCFBFF>|MOV CL,BYTE PTR SS:[EBP+EAX-434] ; //原来 XX
004090C7 |. 80CA FF |OR DL,0FF
004090CA |. 2AD1 |SUB DL,CL ; //现在 FF-XX
004090CC |. 889405 CCFBFF>|MOV BYTE PTR SS:[EBP+EAX-434],DL ; //相当于每一 Bit 取反
004090D3 |. 40 |INC EAX
004090D4 |.^ EB E6 \JMP SHORT chess.004090BC
004090D6 |> 33C9 XOR ECX,ECX
004090D8 |> 8BC7 /MOV EAX,EDI ; //EAX = 长度
004090DA |. 99 |CDQ ; //符号扩展 EAX -> EDX:EAX
004090DB |. 2BC2 |SUB EAX,EDX ; // if EAX<0 then EAX-0xFFFFFFFF, 即 EAX+1, 使下面的 SAR 向零取整
004090DD |. D1F8 |SAR EAX,1 ; // EAX / 2
004090DF |. 3BC8 |CMP ECX,EAX
004090E1 |. 7D 28 |JGE SHORT chess.0040910B
004090E3 |. 8BC7 |MOV EAX,EDI
004090E5 |. 8A940D CCFBFF>|MOV DL,BYTE PTR SS:[EBP+ECX-434] ; //从前往后取一字节 -> DL
004090EC |. 2BC1 |SUB EAX,ECX
004090EE |. 41 |INC ECX
004090EF |. 8A9C05 CBFBFF>|MOV BL,BYTE PTR SS:[EBP+EAX-435] ; //从后往前取一字节 -> BL
004090F6 |. 8D8405 CBFBFF>|LEA EAX,DWORD PTR SS:[EBP+EAX-435]
004090FD |. 889C0D CBFBFF>|MOV BYTE PTR SS:[EBP+ECX-435],BL ; //后面移到前面
00409104 |. 8B5D D8 |MOV EBX,DWORD PTR SS:[EBP-28]
00409107 |. 8810 |MOV BYTE PTR DS:[EAX],DL ; //前面移到后面
00409109 |.^ EB CD \JMP SHORT chess.004090D8
0040910B |> 8D85 CCFBFFFF LEA EAX,DWORD PTR SS:[EBP-434] ; //解密后与机器码比较
00409111 |> 8A10 /MOV DL,BYTE PTR DS:[EAX]
00409113 |. 8ACA |MOV CL,DL
00409115 |. 3A16 |CMP DL,BYTE PTR DS:[ESI]
00409117 |. 75 1C |JNZ SHORT chess.00409135
00409119 |. 84C9 |TEST CL,CL
0040911B |. 74 14 |JE SHORT chess.00409131
0040911D |. 8A50 01 |MOV DL,BYTE PTR DS:[EAX+1]
00409120 |. 8ACA |MOV CL,DL
00409122 |. 3A56 01 |CMP DL,BYTE PTR DS:[ESI+1]
00409125 |. 75 0E |JNZ SHORT chess.00409135
00409127 |. 83C0 02 |ADD EAX,2
0040912A |. 83C6 02 |ADD ESI,2
0040912D |. 84C9 |TEST CL,CL
0040912F |.^ 75 E0 \JNZ SHORT chess.00409111
00409131 |> 33C0 XOR EAX,EAX ; //对了才到这里
00409133 |. EB 05 JMP SHORT chess.0040913A
00409135 |> 1BC0 SBB EAX,EAX
00409137 |. 83D8 FF SBB EAX,-1
0040913A |> 85C0 TEST EAX,EAX
0040913C |. 74 1C JE SHORT chess.0040915A
0040913E |> 6A 00 PUSH 0
00409140 |. 68 24F54300 PUSH chess.0043F524
00409145 |. E8 365F0200 CALL chess.0042F080
0040914A |. 83C4 08 ADD ESP,8
0040914D |> 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
00409150 |. E8 13740200 CALL <JMP.&MFC42.#1979_?Close@CFile@@UAEXXZ>
00409155 |.^ E9 A1FEFFFF JMP chess.00408FFB
0040915A |> 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20] ; //对了才到这里
0040915D |. E8 06740200 CALL <JMP.&MFC42.#1979_?Close@CFile@@UAEXXZ> ; //关闭key.dat
00409162 |. 8D85 ACF8FFFF LEA EAX,DWORD PTR SS:[EBP-754]
00409168 |. C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
0040916F |. 50 PUSH EAX
00409170 |. E8 EB1B0200 CALL chess.0042AD60 ; //取EXE文件路径
00409175 |. BF 14F54300 MOV EDI,chess.0043F514 ; ASCII "\goshawk.dat"
0040917A |. 83C9 FF OR ECX,FFFFFFFF
0040917D |. 33C0 XOR EAX,EAX
0040917F |. 83C4 04 ADD ESP,4
00409182 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00409184 |. F7D1 NOT ECX
00409186 |. 2BF9 SUB EDI,ECX
00409188 |. 8D95 ACF8FFFF LEA EDX,DWORD PTR SS:[EBP-754]
0040918E |. 8BF7 MOV ESI,EDI
00409190 |. 8BFA MOV EDI,EDX
00409192 |. 8BD1 MOV EDX,ECX
00409194 |. 83C9 FF OR ECX,FFFFFFFF
00409197 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00409199 |. 8BCA MOV ECX,EDX
0040919B |. 4F DEC EDI
0040919C |. C1E9 02 SHR ECX,2
0040919F |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; //得到 goshawk.dat 全路径名
004091A1 |. 8B83 FC010000 MOV EAX,DWORD PTR DS:[EBX+1FC]
004091A7 |. 8BCA MOV ECX,EDX
004091A9 |. 83E1 03 AND ECX,3
004091AC |. 6A 00 PUSH 0 ; /FailIfExists = FALSE
004091AE |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; |
004091B0 |. 8D8D ACF8FFFF LEA ECX,DWORD PTR SS:[EBP-754] ; |
004091B6 |. 51 PUSH ECX ; |NewFileName
004091B7 |. 50 PUSH EAX ; |ExistingFileName
004091B8 |. FF15 64404300 CALL DWORD PTR DS:[<&KERNEL32.CopyFileA>] ; \CopyFileA
004091BE |. 85C0 TEST EAX,EAX ; //key.dat 拷贝到 goshawk.dat
004091C0 |. 75 0B JNZ SHORT chess.004091CD ; //if EAX>0 则拷贝文件正确
004091C2 |. 50 PUSH EAX
004091C3 |. 68 04F54300 PUSH chess.0043F504
004091C8 |.^ E9 26FEFFFF JMP chess.00408FF3
004091CD |> 8BCB MOV ECX,EBX
004091CF |. E8 2C000000 CALL chess.00409200 ; //用goshawk.dat再来判断是否注册成功, 见上面 409200
004091D4 \.^ E9 29FEFFFF JMP chess.00409002 ; //下次直接打开 goshawk.dat
004091D9 . 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004091DC . E8 87730200 CALL <JMP.&MFC42.#1979_?Close@CFile@@UAEXXZ>
004091E1 . 6A 00 PUSH 0
004091E3 . 68 04F54300 PUSH chess.0043F504
004091E8 . E8 935E0200 CALL chess.0042F080
004091ED . 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28]
004091F0 . 83C4 08 ADD ESP,8
004091F3 . E8 62720200 CALL <JMP.&MFC42.#4376_?OnCancel@CDialog@@MAEXXZ>
004091F8 . B8 02904000 MOV EAX,chess.00409002
004091FD . C3 RETN
就这么简单, 取反再交换顺序? NO, 当启用了联众自动下棋, 还有复杂的比较等你啊.
启动联众, 过一会, 再次中断在 MFC42.#5186_?Open@CFile@@UAEHPBDIPAVCFileException@@@Z,
00415400 . 6A FF PUSH -1
00415402 . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00415408 . 68 AB2C4300 PUSH chess.00432CAB
0041540D . 50 PUSH EAX
0041540E . B8 30100000 MOV EAX,1030
00415413 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0041541A . E8 21B60100 CALL chess.00430A40
0041541F . 53 PUSH EBX
00415420 . 55 PUSH EBP
00415421 . 8BE9 MOV EBP,ECX
00415423 . 56 PUSH ESI
00415424 . 57 PUSH EDI
00415425 . 68 E8030000 PUSH 3E8 ; /TimerID = 3E8 (1000.)
0041542A . 8B45 20 MOV EAX,DWORD PTR SS:[EBP+20] ; |
0041542D . 50 PUSH EAX ; |hWnd
0041542E . FF15 50454300 CALL DWORD PTR DS:[<&USER32.KillTimer>] ; \KillTimer //hehe
00415434 . 8D8C24 400400>LEA ECX,DWORD PTR SS:[ESP+440]
0041543B . 51 PUSH ECX
0041543C . E8 3FA1FFFF CALL chess.0040F580
00415441 . 8D9424 240100>LEA EDX,DWORD PTR SS:[ESP+124]
00415448 . 52 PUSH EDX
00415449 . E8 12590100 CALL chess.0042AD60
0041544E . BF 14F54300 MOV EDI,chess.0043F514 ; ASCII "\goshawk.dat"
00415453 . 83C9 FF OR ECX,FFFFFFFF
00415456 . 33C0 XOR EAX,EAX
00415458 . 83C4 08 ADD ESP,8
0041545B . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0041545D . F7D1 NOT ECX
0041545F . 2BF9 SUB EDI,ECX
00415461 . 8D9424 200100>LEA EDX,DWORD PTR SS:[ESP+120]
00415468 . 8BF7 MOV ESI,EDI
0041546A . 8BD9 MOV EBX,ECX
0041546C . 8BFA MOV EDI,EDX
0041546E . 83C9 FF OR ECX,FFFFFFFF
00415471 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00415473 . 8BCB MOV ECX,EBX
00415475 . 4F DEC EDI
00415476 . C1E9 02 SHR ECX,2
00415479 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
0041547B . 8BCB MOV ECX,EBX
0041547D . 83E1 03 AND ECX,3
00415480 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00415482 . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
00415486 . E8 F5B00100 CALL <JMP.&MFC42.#354_??0CFile@@QAE@XZ>
0041548B . 6A 00 PUSH 0
0041548D . 8D8424 240100>LEA EAX,DWORD PTR SS:[ESP+124]
00415494 . 6A 00 PUSH 0
00415496 . 50 PUSH EAX
00415497 . 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
0041549B . C78424 541000>MOV DWORD PTR SS:[ESP+1054],0
004154A6 . E8 CFB00100 CALL <JMP.&MFC42.#5186_?Open@CFile@@UAEHPBDIPAVCFileException@@@Z> ; //联众还要检查注册文件
004154AB . 85C0 TEST EAX,EAX
004154AD . B3 6B MOV BL,6B
004154AF . 75 19 JNZ SHORT chess.004154CA
004154B1 . C600 6F MOV BYTE PTR DS:[EAX],6F
004154B4 . B8 01000000 MOV EAX,1
004154B9 . 8BCD MOV ECX,EBP
004154BB . 8818 MOV BYTE PTR DS:[EAX],BL
004154BD . B8 02000000 MOV EAX,2
004154C2 . C600 00 MOV BYTE PTR DS:[EAX],0
004154C5 . E8 90AF0100 CALL <JMP.&MFC42.#4376_?OnCancel@CDialog@@MAEXXZ>
004154CA > 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
004154CE . E8 A1B00100 CALL <JMP.&MFC42.#3318_?GetLength@CFile@@UBEKXZ>
004154D3 . 3D 120C0000 CMP EAX,0C12 ; //比较长度
004154D8 . 73 1B JNB SHORT chess.004154F5
004154DA . 33C0 XOR EAX,EAX
004154DC . 8BCD MOV ECX,EBP
004154DE . C600 6F MOV BYTE PTR DS:[EAX],6F
004154E1 . B8 01000000 MOV EAX,1
004154E6 . 8818 MOV BYTE PTR DS:[EAX],BL
004154E8 . B8 02000000 MOV EAX,2
004154ED . C600 00 MOV BYTE PTR DS:[EAX],0
004154F0 . E8 65AF0100 CALL <JMP.&MFC42.#4376_?OnCancel@CDialog@@MAEXXZ>
004154F5 > 6A 00 PUSH 0
004154F7 . 68 12040000 PUSH 412
004154FC . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
00415500 . E8 CDB20100 CALL <JMP.&MFC42.#5773_?Seek@CFile@@UAEJJI@Z> ; //文件指针移到 412h
00415505 . 8D8C24 400800>LEA ECX,DWORD PTR SS:[ESP+840]
0041550C . 68 00040000 PUSH 400
00415511 . 51 PUSH ECX
00415512 . 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18] ; //读 1024 字节
00415516 . E8 53B00100 CALL <JMP.&MFC42.#5442_?Read@CFile@@UAEIPAXI@Z> ; //放到 10B96C
0041551B . 8D8C24 400800>LEA ECX,DWORD PTR SS:[ESP+840]
00415522 . B8 30024400 MOV EAX,chess.00440230 ; //取其中最前面的 128 字节到 440230
; //密码表1
00415527 > 8BD1 MOV EDX,ECX
00415529 . 8BF0 MOV ESI,EAX
0041552B . 83C0 10 ADD EAX,10
0041552E . 83C1 10 ADD ECX,10
00415531 . 8B3A MOV EDI,DWORD PTR DS:[EDX]
00415533 . 3D B0024400 CMP EAX,chess.004402B0
00415538 . 893E MOV DWORD PTR DS:[ESI],EDI
0041553A . 8B7A 04 MOV EDI,DWORD PTR DS:[EDX+4]
0041553D . 897E 04 MOV DWORD PTR DS:[ESI+4],EDI
00415540 . 8B7A 08 MOV EDI,DWORD PTR DS:[EDX+8]
00415543 . 897E 08 MOV DWORD PTR DS:[ESI+8],EDI
00415546 . 8B52 0C MOV EDX,DWORD PTR DS:[EDX+C]
00415549 . 8956 0C MOV DWORD PTR DS:[ESI+C],EDX
0041554C .^ 7C D9 JL SHORT chess.00415527 ; //=================================
0041554E . B9 40000000 MOV ECX,40
00415553 . 8DB424 080900>LEA ESI,DWORD PTR SS:[ESP+908]
0041555A . 8D7C24 20 LEA EDI,DWORD PTR SS:[ESP+20]
0041555E . 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
00415562 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; // 拷贝从第200个开始的 256 字节到 10B14C
00415564 . 8D8C24 400C00>LEA ECX,DWORD PTR SS:[ESP+C40] ; //也就是注册文件的 0x4DA 处, 密码表2
0041556B . 50 PUSH EAX
0041556C . 8D9424 380A00>LEA EDX,DWORD PTR SS:[ESP+A38] ; //从第 500 个开始的字符
00415573 . 51 PUSH ECX ; //也就是注册文件的 0x606 处
00415574 . 52 PUSH EDX
00415575 . E8 A6830000 CALL chess.0041D920 ; //密文转换到明文, 关键算法, F7
0041557A . 83C4 0C ADD ESP,0C
0041557D . 8DB424 400400>LEA ESI,DWORD PTR SS:[ESP+440] ; //机器码
00415584 . 8D8424 400C00>LEA EAX,DWORD PTR SS:[ESP+C40] ; //明文应该等于机器码
0041558B > 8A10 MOV DL,BYTE PTR DS:[EAX]
0041558D . 8ACA MOV CL,DL
0041558F . 3A16 CMP DL,BYTE PTR DS:[ESI]
00415591 . 75 1C JNZ SHORT chess.004155AF
00415593 . 84C9 TEST CL,CL
00415595 . 74 14 JE SHORT chess.004155AB
00415597 . 8A50 01 MOV DL,BYTE PTR DS:[EAX+1]
0041559A . 8ACA MOV CL,DL
0041559C . 3A56 01 CMP DL,BYTE PTR DS:[ESI+1]
0041559F . 75 0E JNZ SHORT chess.004155AF
004155A1 . 83C0 02 ADD EAX,2
004155A4 . 83C6 02 ADD ESI,2
004155A7 . 84C9 TEST CL,CL
004155A9 .^ 75 E0 JNZ SHORT chess.0041558B
004155AB > 33C0 XOR EAX,EAX
004155AD . EB 05 JMP SHORT chess.004155B4
004155AF > 1BC0 SBB EAX,EAX
004155B1 . 83D8 FF SBB EAX,-1
004155B4 > 85C0 TEST EAX,EAX
004155B6 . 75 11 JNZ SHORT chess.004155C9
004155B8 . C68424 400400>MOV BYTE PTR SS:[ESP+440],6F ; // o
004155C0 . 889C24 410400>MOV BYTE PTR SS:[ESP+441],BL ; // k
004155C7 . EB 12 JMP SHORT chess.004155DB
004155C9 > 33C0 XOR EAX,EAX
004155CB . 8BCD MOV ECX,EBP
004155CD 88 DB 88
004155CE . 1D 01000000 SBB EAX,1
004155D3 . C600 6F MOV BYTE PTR DS:[EAX],6F
004155D6 . E8 7FAE0100 CALL <JMP.&MFC42.#4376_?OnCancel@CDialog@@MAEXXZ>
004155DB > 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
004155DF . E8 84AF0100 CALL <JMP.&MFC42.#1979_?Close@CFile@@UAEXXZ>
004155E4 . 8BCD MOV ECX,EBP
004155E6 . E8 17AF0100 CALL <JMP.&MFC42.#2379_?Default@CWnd@@IAEJXZ>
004155EB . 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
004155EF . C78424 481000>MOV DWORD PTR SS:[ESP+1048],-1
004155FA . E8 57AF0100 CALL <JMP.&MFC42.#665_??1CFile@@UAE@XZ>
004155FF . 8B8C24 401000>MOV ECX,DWORD PTR SS:[ESP+1040]
00415606 . 5F POP EDI
00415607 . 5E POP ESI
00415608 . 5D POP EBP
00415609 . 5B POP EBX
0041560A . 64:890D 00000>MOV DWORD PTR FS:[0],ECX
00415611 . 81C4 3C100000 ADD ESP,103C
00415617 . C2 0400 RETN 4
0041D920 /$ 53 PUSH EBX
0041D921 |. 55 PUSH EBP
0041D922 |. 56 PUSH ESI
0041D923 |. 57 PUSH EDI
0041D924 |. 68 00500000 PUSH 5000
0041D929 |. E8 D22A0100 CALL <JMP.&MFC42.#823_??2@YAPAXI@Z> ; //new (5000h)
0041D92E |. 8BD8 MOV EBX,EAX ; //分配的空间
0041D930 |. 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18] ; // 第 500个字符地址, 0x606
0041D934 |. 8BFB MOV EDI,EBX
0041D936 |. 83C4 04 ADD ESP,4
0041D939 |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
0041D93B |. 8B68 04 MOV EBP,DWORD PTR DS:[EAX+4]
0041D93E |. 83C0 04 ADD EAX,4
0041D941 |. 8BCD MOV ECX,EBP
0041D943 |. 895424 14 MOV DWORD PTR SS:[ESP+14],EDX
0041D947 |. 8D70 04 LEA ESI,DWORD PTR DS:[EAX+4]
0041D94A |. 8BC1 MOV EAX,ECX
0041D94C |. C1E9 02 SHR ECX,2
0041D94F |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; //拷贝第508个字符到分配的空间
0041D951 |. 8BC8 MOV ECX,EAX ; //长度为504字节里存放的数
0041D953 |. 83E1 03 AND ECX,3
0041D956 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; //比如机器码 23 位, 那么还要再传 3 字节
0041D958 |. 33F6 XOR ESI,ESI
0041D95A |. 85ED TEST EBP,EBP
0041D95C |. 7E 1C JLE SHORT chess.0041D97A
0041D95E |. 8B7C24 1C MOV EDI,DWORD PTR SS:[ESP+1C] ; //第200个字符, 密码表2
0041D962 |> 8D0C1E /LEA ECX,DWORD PTR DS:[ESI+EBX] ; //分配的空间, 放密文 2
0041D965 |. 57 |PUSH EDI
0041D966 |. 51 |PUSH ECX
0041D967 |. E8 94FFFFFF |CALL chess.0041D900 ; //一次解密8个字符, F7
0041D96C |. 83C6 08 |ADD ESI,8
0041D96F |. 83C4 08 |ADD ESP,8
0041D972 |. 3BF5 |CMP ESI,EBP
0041D974 |.^ 7C EC \JL SHORT chess.0041D962
0041D976 |. 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
0041D97A |> 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
0041D97E |. 8BCA MOV ECX,EDX
0041D980 |. 8BE9 MOV EBP,ECX
0041D982 |. 8BF3 MOV ESI,EBX
0041D984 |. 8BF8 MOV EDI,EAX
0041D986 |. 53 PUSH EBX
0041D987 |. C1E9 02 SHR ECX,2
0041D98A |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
0041D98C |. 8BCD MOV ECX,EBP
0041D98E |. 83E1 03 AND ECX,3
0041D991 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0041D993 |. C60402 00 MOV BYTE PTR DS:[EDX+EAX],0 ; // 以0 结尾
0041D997 |. E8 702A0100 CALL <JMP.&MFC42.#825_??3@YAXPAX@Z> ; //delete()
0041D99C |. 83C4 04 ADD ESP,4
0041D99F |. 5F POP EDI
0041D9A0 |. 5E POP ESI
0041D9A1 |. 5D POP EBP
0041D9A2 |. 5B POP EBX
0041D9A3 \. C3 RETN
0041D900 /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
0041D904 |. 50 PUSH EAX
0041D905 |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
0041D909 |. 8D48 04 LEA ECX,DWORD PTR DS:[EAX+4]
0041D90C |. 51 PUSH ECX
0041D90D |. 50 PUSH EAX
0041D90E |. E8 9DFFFFFF CALL chess.0041D8B0 ; // F7
0041D913 |. 83C4 0C ADD ESP,0C
0041D916 \. C3 RETN
0041D8B0 /$ 53 PUSH EBX
0041D8B1 |. 55 PUSH EBP
0041D8B2 |. 56 PUSH ESI
0041D8B3 |. 8B7424 14 MOV ESI,DWORD PTR SS:[ESP+14]
0041D8B7 |. 57 PUSH EDI
0041D8B8 |. 8B7C24 14 MOV EDI,DWORD PTR SS:[ESP+14]
0041D8BC |. BB 2C034400 MOV EBX,chess.0044032C
0041D8C1 |. BD 20000000 MOV EBP,20 ; // 以下过程循环32次
0041D8C6 |> 8B03 MOV EAX,DWORD PTR DS:[EBX] ; //0...7, 7...0, 7...0, 7...0, 密码表 3, 在 EXE 中
0041D8C8 |. 8B4C24 1C MOV ECX,DWORD PTR SS:[ESP+1C]
0041D8CC |. 8B1481 MOV EDX,DWORD PTR DS:[ECX+EAX*4] ; // 密码表 2
0041D8CF |. 8B0F MOV ECX,DWORD PTR DS:[EDI] ; // 密文 2
0041D8D1 |. 03D1 ADD EDX,ECX
0041D8D3 |. 52 PUSH EDX
0041D8D4 |. E8 07FFFFFF CALL chess.0041D7E0 ; //对EDX进行变换, 用到密码表 1,结果放EAX, F7
0041D8D9 |. 8B16 MOV EDX,DWORD PTR DS:[ESI]
0041D8DB |. 56 PUSH ESI
0041D8DC |. 33D0 XOR EDX,EAX ; //后面4个字节与前面的结果异或
0041D8DE |. 57 PUSH EDI
0041D8DF |. 8916 MOV DWORD PTR DS:[ESI],EDX ; // 覆盖后4个字节
0041D8E1 |. E8 AAFFFFFF CALL chess.0041D890 ; // 交换前后4个字节
0041D8E6 |. 83C4 0C ADD ESP,0C
0041D8E9 |. 83EB 04 SUB EBX,4
0041D8EC |. 4D DEC EBP
0041D8ED |.^ 75 D7 JNZ SHORT chess.0041D8C6 ; //==============================
0041D8EF |. 56 PUSH ESI
0041D8F0 |. 57 PUSH EDI
0041D8F1 |. E8 9AFFFFFF CALL chess.0041D890 ; //最后再交换一次
0041D8F6 |. 83C4 08 ADD ESP,8
0041D8F9 |. 5F POP EDI
0041D8FA |. 5E POP ESI
0041D8FB |. 5D POP EBP
0041D8FC |. 5B POP EBX
0041D8FD \. C3 RETN
0041D7E0 /$ 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] ; // 取出相加结果
0041D7E4 |. 33D2 XOR EDX,EDX
0041D7E6 |. 8BC8 MOV ECX,EAX
0041D7E8 |. 53 PUSH EBX
0041D7E9 |. C1E9 18 SHR ECX,18 ; // 相加的结果 右移24次
0041D7EC |. 83E1 0F AND ECX,0F ; // 相当于取最高字节的低 4 Bit
0041D7EF |. 33DB XOR EBX,EBX
0041D7F1 |. 8A91 90024400 MOV DL,BYTE PTR DS:[ECX+440290] ; // 440230 密码表 1
0041D7F7 |. 8BCA MOV ECX,EDX
0041D7F9 |. 8BD0 MOV EDX,EAX
0041D7FB |. C1EA 1C SHR EDX,1C ; // 相加的结果 右移28次
0041D7FE |. 8A9A A0024400 MOV BL,BYTE PTR DS:[EDX+4402A0]
0041D804 |. 8BD0 MOV EDX,EAX
0041D806 |. C1E3 04 SHL EBX,4
0041D809 |. C1EA 14 SHR EDX,14 ; // 相加的结果 右移20次
0041D80C |. 0BCB OR ECX,EBX
0041D80E |. 83E2 0F AND EDX,0F
0041D811 |. 33DB XOR EBX,EBX
0041D813 |. 8A9A 80024400 MOV BL,BYTE PTR DS:[EDX+440280]
0041D819 |. 8BD0 MOV EDX,EAX
0041D81B |. C1E1 04 SHL ECX,4
0041D81E |. C1EA 10 SHR EDX,10 ; // 相加的结果 右移16次
0041D821 |. 0BCB OR ECX,EBX
0041D823 |. 83E2 0F AND EDX,0F
0041D826 |. 33DB XOR EBX,EBX
0041D828 |. 8A9A 70024400 MOV BL,BYTE PTR DS:[EDX+440270]
0041D82E |. 8BD0 MOV EDX,EAX
0041D830 |. C1E1 04 SHL ECX,4
0041D833 |. C1EA 0C SHR EDX,0C ; // 相加的结果 右移12次
0041D836 |. 0BCB OR ECX,EBX
0041D838 |. 83E2 0F AND EDX,0F
0041D83B |. 33DB XOR EBX,EBX
0041D83D |. 8A9A 60024400 MOV BL,BYTE PTR DS:[EDX+440260]
0041D843 |. 8BD0 MOV EDX,EAX
0041D845 |. C1E1 04 SHL ECX,4
0041D848 |. C1EA 08 SHR EDX,8 ; // 相加的结果 右移8次
0041D84B |. 0BCB OR ECX,EBX
0041D84D |. 83E2 0F AND EDX,0F
0041D850 |. 33DB XOR EBX,EBX
0041D852 |. 8A9A 50024400 MOV BL,BYTE PTR DS:[EDX+440250]
0041D858 |. 8BD0 MOV EDX,EAX
0041D85A |. C1E1 04 SHL ECX,4
0041D85D |. C1EA 04 SHR EDX,4 ; // 相加的结果 右移4次
0041D860 |. 0BCB OR ECX,EBX
0041D862 |. 83E2 0F AND EDX,0F
0041D865 |. 33DB XOR EBX,EBX
0041D867 |. 83E0 0F AND EAX,0F ; // 相加的结果 右移0次
0041D86A |. 8A9A 40024400 MOV BL,BYTE PTR DS:[EDX+440240]
0041D870 |. 33D2 XOR EDX,EDX
0041D872 |. 8A90 30024400 MOV DL,BYTE PTR DS:[EAX+440230]
0041D878 |. C1E1 04 SHL ECX,4
0041D87B |. 0BCB OR ECX,EBX
0041D87D |. 5B POP EBX
0041D87E |. C1E1 04 SHL ECX,4
0041D881 |. 0BCA OR ECX,EDX
0041D883 |. 8BC1 MOV EAX,ECX
0041D885 |. C1E8 15 SHR EAX,15
0041D888 |. C1E1 0B SHL ECX,0B
0041D88B |. 0BC1 OR EAX,ECX ; 高11Bit 与低 21Bit 交换
0041D88D \. C3 RETN
0041D890 /$ 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
0041D894 |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
0041D898 |. 56 PUSH ESI
0041D899 |. 8B32 MOV ESI,DWORD PTR DS:[EDX] ; //前 4 个字节
0041D89B |. 8B08 MOV ECX,DWORD PTR DS:[EAX] ; //后 4 个字节
0041D89D |. 8930 MOV DWORD PTR DS:[EAX],ESI
0041D89F |. 890A MOV DWORD PTR DS:[EDX],ECX
0041D8A1 |. 5E POP ESI
0041D8A2 \. C3 RETN
累死了, 给出注册机代码 , 各位慢慢看吧.
#include <stdio.h>
#include <string.h>
#include <fstream.h>
/*
注册文件格式:
1. "GHKFORREG",0 10字节
2. 密文1的长度 LEN < 0x400 4字节
3. 密文1 encrypted[LEN] LEN个字节
对应的明文 decrypted[LEN] = machine[LEN]
对机器码每一字节取反
交换前后顺序即得到密文1
4. 0000... LEN+14 - 0x411
5. 第二次检查 从 0x412 到 0x811 0x400字节
密码表1 0x412 - 0x491 128字节
密码表2 0x4DA - 0x5D9 256字节
密码表3 在苍鹰象棋 EXE 程序中 0, 1,..., 7, 7,6,..0, 7,...0, 7,...,0
密文2 0x606 - 0x609 机器码长度LEN 4字节
0x60A - 0x60D (LEN/8 + (LEN%8 >0)) * 8 4字节
0x60E - 0x60E+LEN 机器码密文 LEN个字节
6. 0000... 0x812 - 0xC11
*/
/*
 * Mix one 8-byte block (two 32-bit words) in place.  The loop mirrors the
 * 32-round swap / rotate / xor structure of the program's check routine
 * (0041D8B0 above) for the tables that main() emits, per the write-up.
 * m1, m2: the two halves of the block; both are overwritten with the result.
 */
void encrypt(unsigned *m1, unsigned *m2)
{
    /* Halves enter crossed: the first step is an unconditional swap. */
    unsigned left = *m2;
    unsigned right = *m1;
    int round = 32;
    while (round-- > 0)
    {
        /* One round: swap the halves, then fold a rotate of the (new) left
         * half into the right half.  (x>>21)|(x<<11) is a rotate-left by 11
         * only when `unsigned` is 32 bits wide, as on the author's target. */
        unsigned prev_left = left;
        left = right;
        right = prev_left ^ ((left >> 21) | (left << 11));
    }
    *m1 = left;
    *m2 = right;
}
/*
 * Entry point (pre-standard C++: void main, <fstream.h>, gets).
 * Reads a machine ID (机器码) from stdin and writes C:\<machine>.DAT in the
 * layout described in the comment block above: 10-byte header, ciphertext 1
 * (machine ID bytes complemented and emitted in reverse order), zero padding
 * to 0x412, table 1, zero table 2, ciphertext 2, zero padding to 0xC12 --
 * 0xC12 being the minimum size the program checks (CMP EAX,0C12 above).
 * Every write below is positional, so the order of statements is the file format.
 */
void main(void)
{
    char null=0;                          /* one zero byte, reused for all padding */
    char machine[32]="";
    char regfileName[40]="C:\\";
    printf("输入机器码:");
    gets(machine);                        /* NOTE(review): gets() is unbounded -- input longer than 31 chars overruns machine[32] */
    machine[31]=0;                        /* forces termination, but only after gets() has already written */
    strcat(regfileName, machine);         /* "C:\" (3) + up to 31 + ".DAT" (4) + NUL = 39 <= 40, fits */
    strcat(regfileName, ".DAT");
    printf("\n注册文件是 %s\n", regfileName);
    fstream regfile(regfileName, ios::out | ios::binary);
    /* header: 9 chars plus the NUL, offsets 0x0-0x9 */
    regfile.write("GHKFORREG", 10);
    /* length of ciphertext 1 -- assumes sizeof(int)==4 (offsets 0xA-0xD) */
    int length=strlen(machine);
    regfile.write((char*)&length, sizeof(int));
    /* ciphertext 1: complement each byte and write them last-to-first;
     * the second complement restores machine[] for reuse below */
    for (int i=length-1; i>=0; i--)
    {
        machine[i] = ~machine[i];
        regfile.write(&machine[i], 1);
        machine[i] = ~machine[i];
    }
    /* padding up to 0x412.  NOTE(review): `i` is reused outside its for-init
     * scope; this only compiles under the pre-standard rule (old MSVC) that a
     * for-init declaration leaks into the enclosing scope */
    for (i=length+14; i<0x412; i++)
        regfile.write(&null, 1);
    /* table 1, the simplest choice: bytes 0..0xF repeated over 0x80 bytes */
    char temp=0;
    for (i=0x412; i<0x492; i++)
    {
        regfile.write(&temp, 1);
        temp++;
        temp %= 0x10;
    }
    /* padding */
    for (i=0x492; i<0x4DA; i++)
        regfile.write(&null, 1);
    /* table 2: all zero, which (per the write-up) makes table 3 irrelevant */
    for (i=0x4DA; i<0x5DA; i++)
        regfile.write(&null, 1);
    /* padding */
    for (i=0x5DA; i<0x606; i++)
        regfile.write(&null, 1);
    /* machine ID length (offsets 0x606-0x609) */
    regfile.write((char*)&length, 4);
    /* ciphertext 2 length, rounded up to a multiple of 8 (offsets 0x60A-0x60D) */
    length = (length/8 + (length%8>0))*8;
    regfile.write((char*)&length, 4);
    /* ciphertext 2: transform machine[] in place, 8 bytes per call.
     * length is at most 32 here (31 rounded up), so &machine[i+4] stays inside
     * the array; the unsigned* casts assume 4-byte unsigned and tolerate
     * unaligned access, as on the author's target */
    for (i=0; i<length; i+=8)
        encrypt( (unsigned*)&machine[i], (unsigned*)&machine[i+4]);
    regfile.write(machine,length);
    /* padding from 0x60E+length up to the 0xC12 minimum file size */
    for (i=0x60E+length; i<0xC12; i++)
        regfile.write(&null, 1);
    regfile.~fstream();                   /* NOTE(review): explicit destructor on an automatic object -- it is destroyed again at scope exit */
    getchar();
}