请教冷血文集里的一个算法最后一位的得来～

野猫III · 发表于 2006-7-23 11:57:34

算法分析以下：

            【原创】QQ游戏[对对碰]助手 2.0 简单算法分析

　　　　　日期：2005年8月12日　　　破解人：冷血书生[OCN][CCU]
—————————————————————————————————————

【软件名称】：QQ游戏[对对碰]助手　　　软件版本：2.0
【软件大小】： 297 KB
【下载地址】：http://www1.skycn.com/soft/23713.html
【软件简介】：使用此辅助软件，让你也成为 [对对碰] 游戏的高手。
最新版本特点:
1、可自动开始游戏；
2、游戏加速功能，速度提高三倍；
3、自动对对手使用道具；
4、不会被检测出使用外挂。

【软件限制】：注册码限制
【破解声明】：初学Crack，只是感兴趣，没有其它目的。失误之处敬请诸位大侠赐教！
【破解工具】：PEID,OD

—————————————————————————————————————
【破解过程】：
查壳,检测到Borland Delphi 6.0 - 7.0编写，干净利落！我喜欢！接着OD载入，右键，查找字符，找到错误提示，向上翻，来到下面：
004AF95D 55          push ebp                                     ; 下断
004AF95E 68 71FB4A00 push ddpwg.004AFB71
004AF963 64:FF30       push dword ptr fs:[eax]
004AF966 64:8920       mov dword ptr fs:[eax],esp
004AF969 8D55 FC       lea edx,dword ptr ss:[ebp-4]
004AF96C 8B83 08030000  mov eax,dword ptr ds:[ebx+308]
004AF972 E8 D513F9FF call ddpwg.00440D4C
004AF977 837D FC 00    cmp dword ptr ss:[ebp-4],0                   ; 比较注册码是否为0
004AF97B 75 1E       jnz short ddpwg.004AF99B                      ; 为0就跳到出错
004AF97D 6A 30       push 30
004AF97F 68 80FB4A00 push ddpwg.004AFB80
004AF984 68 88FB4A00 push ddpwg.004AFB88
004AF989 8BC3          mov eax,ebx
004AF98B E8 687BF9FF call ddpwg.004474F8
004AF990 50          push eax
004AF991 E8 B677F5FF call <jmp.&user32.MessageBoxA>
004AF996 E9 7B010000 jmp ddpwg.004AFB16
004AF99B 8D55 F4       lea edx,dword ptr ss:[ebp-C]
004AF99E 8B83 08030000  mov eax,dword ptr ds:[ebx+308]
004AF9A4 E8 A313F9FF call ddpwg.00440D4C
004AF9A9 8B45 F4       mov eax,dword ptr ss:[ebp-C]
004AF9AC 8D55 F8       lea edx,dword ptr ss:[ebp-8]
004AF9AF E8 DC8DF5FF call ddpwg.00408790
004AF9B4 8B45 F8       mov eax,dword ptr ss:[ebp-8]
004AF9B7 50          push eax
004AF9B8 8D55 E8       lea edx,dword ptr ss:[ebp-18]
004AF9BB 8B83 04030000  mov eax,dword ptr ds:[ebx+304]
004AF9C1 E8 8613F9FF call ddpwg.00440D4C                            ; 看到假码
004AF9C6 8B45 E8       mov eax,dword ptr ss:[ebp-18]
004AF9C9 8D55 EC       lea edx,dword ptr ss:[ebp-14]
004AF9CC E8 BF8DF5FF call ddpwg.00408790                            ; 看到机器码
004AF9D1 8B45 EC       mov eax,dword ptr ss:[ebp-14]
004AF9D4 8D55 F0       lea edx,dword ptr ss:[ebp-10]
004AF9D7 E8 F4FCFFFF call ddpwg.004AF6D0                            ; 算法CALL,F7跟进
004AF9DC 8B55 F0       mov edx,dword ptr ss:[ebp-10]                ; EDX为真码
004AF9DF 58          pop eax
004AF9E0 E8 1B4DF5FF call ddpwg.00404700                            ; 真假码比较,可做内存注册机
004AF9E5 0F85 05010000  jnz ddpwg.004AFAF0                            ; 不相等就跳到错误
004AF9EB B2 01       mov dl,1                                     ; 注册成功标志
004AF9ED A1 44C24600 mov eax,dword ptr ds:[46C244]
004AF9F2 E8 4DC9FBFF call ddpwg.0046C344
004AF9F7 8BF0          mov esi,eax
004AF9F9 BA 02000080 mov edx,80000002
004AF9FE 8BC6          mov eax,esi
004AFA00 E8 DFC9FBFF call ddpwg.0046C3E4
004AFA05 B1 01       mov cl,1
004AFA07 BA A0FB4A00 mov edx,ddpwg.004AFBA0                         ; ASCII "SOFTWARE\Microsoft\qqddpyx"
004AFA0C 8BC6          mov eax,esi
004AFA0E E8 11CBFBFF call ddpwg.0046C524
004AFA13 B9 01000000 mov ecx,1
004AFA18 BA C4FB4A00 mov edx,ddpwg.004AFBC4                         ; ASCII "qqddpyxreg"
004AFA1D 8BC6          mov eax,esi
004AFA1F E8 A0CCFBFF call ddpwg.0046C6C4
004AFA24 8D55 E0       lea edx,dword ptr ss:[ebp-20]
004AFA27 8B83 08030000  mov eax,dword ptr ds:[ebx+308]
004AFA2D E8 1A13F9FF call ddpwg.00440D4C
004AFA32 8B45 E0       mov eax,dword ptr ss:[ebp-20]
004AFA35 8D55 E4       lea edx,dword ptr ss:[ebp-1C]
004AFA38 E8 538DF5FF call ddpwg.00408790
004AFA3D 8B4D E4       mov ecx,dword ptr ss:[ebp-1C]
004AFA40 BA D8FB4A00 mov edx,ddpwg.004AFBD8                         ; ASCII "sn"
004AFA45 8BC6          mov eax,esi
004AFA47 E8 4CCCFBFF call ddpwg.0046C698
004AFA4C 8D55 D8       lea edx,dword ptr ss:[ebp-28]
004AFA4F 8B83 04030000  mov eax,dword ptr ds:[ebx+304]
004AFA55 E8 F212F9FF call ddpwg.00440D4C
004AFA5A 8B45 D8       mov eax,dword ptr ss:[ebp-28]
004AFA5D 8D55 DC       lea edx,dword ptr ss:[ebp-24]
004AFA60 E8 2B8DF5FF call ddpwg.00408790
004AFA65 8B4D DC       mov ecx,dword ptr ss:[ebp-24]
004AFA68 BA E4FB4A00 mov edx,ddpwg.004AFBE4                         ; ASCII "macstr"
004AFA6D 8BC6          mov eax,esi
004AFA6F E8 24CCFBFF call ddpwg.0046C698
004AFA74 8BC6          mov eax,esi
004AFA76 E8 39C9FBFF call ddpwg.0046C3B4
004AFA7B 8BC6          mov eax,esi
004AFA7D E8 163BF5FF call ddpwg.00403598
004AFA82 6A 00       push 0
004AFA84 B9 ECFB4A00 mov ecx,ddpwg.004AFBEC
004AFA89 BA F4FB4A00 mov edx,ddpwg.004AFBF4
004AFA8E A1 68464B00 mov eax,dword ptr ds:[4B4668]
004AFA93 8B00          mov eax,dword ptr ds:[eax]
004AFA95 E8 BA21FBFF call ddpwg.00461C54
004AFA9A A1 84474B00 mov eax,dword ptr ds:[4B4784]
004AFA9F 8B00          mov eax,dword ptr ds:[eax]
004AFAA1 8B80 18030000  mov eax,dword ptr ds:[eax+318]
004AFAA7 BA 10FC4A00 mov edx,ddpwg.004AFC10
004AFAAC E8 CB12F9FF call ddpwg.00440D7C
004AFAB1 A1 84474B00 mov eax,dword ptr ds:[4B4784]
004AFAB6 8B00          mov eax,dword ptr ds:[eax]
004AFAB8 8B80 18030000  mov eax,dword ptr ds:[eax+318]
004AFABE 33D2          xor edx,edx
004AFAC0 8B08          mov ecx,dword ptr ds:[eax]
004AFAC2 FF51 64       call dword ptr ds:[ecx+64]
004AFAC5 A1 84474B00 mov eax,dword ptr ds:[4B4784]
004AFACA 8B00          mov eax,dword ptr ds:[eax]
004AFACC 8B80 14030000  mov eax,dword ptr ds:[eax+314]
004AFAD2 33D2          xor edx,edx
004AFAD4 8B08          mov ecx,dword ptr ds:[eax]
004AFAD6 FF51 64       call dword ptr ds:[ecx+64]
004AFAD9 A1 84474B00 mov eax,dword ptr ds:[4B4784]
004AFADE 8B00          mov eax,dword ptr ds:[eax]
004AFAE0 C680 25030000 >mov byte ptr ds:[eax+325],1
004AFAE7 8BC3          mov eax,ebx
004AFAE9 E8 42E9FAFF call ddpwg.0045E430
004AFAEE EB 19       jmp short ddpwg.004AFB09
004AFAF0 6A 30       push 30
004AFAF2 68 80FB4A00 push ddpwg.004AFB80
004AFAF7 68 1CFC4A00 push ddpwg.004AFC1C
004AFAFC 8BC3          mov eax,ebx
004AFAFE E8 F579F9FF call ddpwg.004474F8
004AFB03 50          push eax
004AFB04 E8 4376F5FF call <jmp.&user32.MessageBoxA>
004AFB09 33D2          xor edx,edx
004AFB0B 8B83 08030000  mov eax,dword ptr ds:[ebx+308]
004AFB11 E8 6612F9FF call ddpwg.00440D7C
004AFB16 33C0          xor eax,eax
004AFB18 5A          pop edx
004AFB19 59          pop ecx
004AFB1A 59          pop ecx
004AFB1B 64:8910       mov dword ptr fs:[eax],edx
004AFB1E 68 78FB4A00 push ddpwg.004AFB78
004AFB23 8D45 D8       lea eax,dword ptr ss:[ebp-28]
004AFB26 E8 D947F5FF call ddpwg.00404304
004AFB2B 8D45 DC       lea eax,dword ptr ss:[ebp-24]
004AFB2E E8 D147F5FF call ddpwg.00404304
004AFB33 8D45 E0       lea eax,dword ptr ss:[ebp-20]
004AFB36 E8 C947F5FF call ddpwg.00404304
004AFB3B 8D45 E4       lea eax,dword ptr ss:[ebp-1C]
004AFB3E E8 C147F5FF call ddpwg.00404304
004AFB43 8D45 E8       lea eax,dword ptr ss:[ebp-18]
004AFB46 E8 B947F5FF call ddpwg.00404304
004AFB4B 8D45 EC       lea eax,dword ptr ss:[ebp-14]
004AFB4E BA 02000000 mov edx,2
004AFB53 E8 D047F5FF call ddpwg.00404328
004AFB58 8D45 F4       lea eax,dword ptr ss:[ebp-C]
004AFB5B E8 A447F5FF call ddpwg.00404304
004AFB60 8D45 F8       lea eax,dword ptr ss:[ebp-8]
004AFB63 E8 9C47F5FF call ddpwg.00404304
004AFB68 8D45 FC       lea eax,dword ptr ss:[ebp-4]
004AFB6B E8 9447F5FF call ddpwg.00404304
004AFB70 C3          retn
004AFB71  ^ E9 B641F5FF jmp ddpwg.00403D2C
004AFB76  ^ EB AB       jmp short ddpwg.004AFB23
004AFB78 5E          pop esi
004AFB79 5B          pop ebx
004AFB7A 8BE5          mov esp,ebp
004AFB7C 5D          pop ebp
004AFB7D C3          retn
*********跟进 004AF9D7 E8 F4FCFFFF call ddpwg.004AF6D0
004AF6D0 55          push ebp                ; F7跟进来到这里
004AF6D1 8BEC          mov ebp,esp
004AF6D3 B9 07000000 mov ecx,7
004AF6D8 6A 00       push 0
004AF6DA 6A 00       push 0
004AF6DC 49          dec ecx
004AF6DD  ^ 75 F9       jnz short ddpwg.004AF6D8                      ; F4
004AF6DF 53          push ebx
004AF6E0 56          push esi
004AF6E1 57          push edi
004AF6E2 8BFA          mov edi,edx
004AF6E4 8945 FC       mov dword ptr ss:[ebp-4],eax
004AF6E7 8B45 FC       mov eax,dword ptr ss:[ebp-4]
004AF6EA E8 B550F5FF call ddpwg.004047A4
004AF6EF 33C0          xor eax,eax
004AF6F1 55          push ebp
004AF6F2 68 96F84A00 push ddpwg.004AF896
004AF6F7 64:FF30       push dword ptr fs:[eax]
004AF6FA 64:8920       mov dword ptr fs:[eax],esp
004AF6FD 8D45 F8       lea eax,dword ptr ss:[ebp-8]
004AF700 8B55 FC       mov edx,dword ptr ss:[ebp-4]
004AF703 E8 944CF5FF call ddpwg.0040439C
004AF708 8D45 F4       lea eax,dword ptr ss:[ebp-C]
004AF70B E8 F44BF5FF call ddpwg.00404304
004AF710 8B45 F8       mov eax,dword ptr ss:[ebp-8]
004AF713 E8 A44EF5FF call ddpwg.004045BC
004AF718 8BF0          mov esi,eax
004AF71A 85F6          test esi,esi
004AF71C 0F8E 4F010000  jle ddpwg.004AF871
004AF722 BB 01000000 mov ebx,1
004AF727 8D45 EC       lea eax,dword ptr ss:[ebp-14]
004AF72A 8B55 F8       mov edx,dword ptr ss:[ebp-8]
004AF72D 8A541A FF    mov dl,byte ptr ds:[edx+ebx-1]
004AF731 E8 AE4DF5FF call ddpwg.004044E4
004AF736 8B45 EC       mov eax,dword ptr ss:[ebp-14]
004AF739 8D55 F0       lea edx,dword ptr ss:[ebp-10]
004AF73C E8 FF8DF5FF call ddpwg.00408540
004AF741 8B45 F0       mov eax,dword ptr ss:[ebp-10]
004AF744 BA ACF84A00 mov edx,ddpwg.004AF8AC
004AF749 E8 B24FF5FF call ddpwg.00404700
004AF74E 75 12       jnz short ddpwg.004AF762
004AF750 8D45 F4       lea eax,dword ptr ss:[ebp-C]
004AF753 BA B8F84A00 mov edx,ddpwg.004AF8B8
004AF758 E8 674EF5FF call ddpwg.004045C4
004AF75D E9 07010000 jmp ddpwg.004AF869
004AF762 8D45 E4       lea eax,dword ptr ss:[ebp-1C]
004AF765 8B55 F8       mov edx,dword ptr ss:[ebp-8]
004AF768 8A541A FF    mov dl,byte ptr ds:[edx+ebx-1]
004AF76C E8 734DF5FF call ddpwg.004044E4
004AF771 8B45 E4       mov eax,dword ptr ss:[ebp-1C]
004AF774 8D55 E8       lea edx,dword ptr ss:[ebp-18]
004AF777 E8 C48DF5FF call ddpwg.00408540
004AF77C 8B45 E8       mov eax,dword ptr ss:[ebp-18]
004AF77F BA C4F84A00 mov edx,ddpwg.004AF8C4
004AF784 E8 774FF5FF call ddpwg.00404700
004AF789 75 12       jnz short ddpwg.004AF79D
004AF78B 8D45 F4       lea eax,dword ptr ss:[ebp-C]
004AF78E BA D0F84A00 mov edx,ddpwg.004AF8D0
004AF793 E8 2C4EF5FF call ddpwg.004045C4
004AF798 E9 CC000000 jmp ddpwg.004AF869
004AF79D 8D45 DC       lea eax,dword ptr ss:[ebp-24]
004AF7A0 8B55 F8       mov edx,dword ptr ss:[ebp-8]
004AF7A3 8A541A FF    mov dl,byte ptr ds:[edx+ebx-1]
004AF7A7 E8 384DF5FF call ddpwg.004044E4
004AF7AC 8B45 DC       mov eax,dword ptr ss:[ebp-24]
004AF7AF 8D55 E0       lea edx,dword ptr ss:[ebp-20]
004AF7B2 E8 898DF5FF call ddpwg.00408540
004AF7B7 8B45 E0       mov eax,dword ptr ss:[ebp-20]
004AF7BA BA DCF84A00 mov edx,ddpwg.004AF8DC
004AF7BF E8 3C4FF5FF call ddpwg.00404700
004AF7C4 75 12       jnz short ddpwg.004AF7D8
004AF7C6 8D45 F4       lea eax,dword ptr ss:[ebp-C]
004AF7C9 BA E8F84A00 mov edx,ddpwg.004AF8E8
004AF7CE E8 F14DF5FF call ddpwg.004045C4
004AF7D3 E9 91000000 jmp ddpwg.004AF869
004AF7D8 8D45 D4       lea eax,dword ptr ss:[ebp-2C]
004AF7DB 8B55 F8       mov edx,dword ptr ss:[ebp-8]
004AF7DE 8A541A FF    mov dl,byte ptr ds:[edx+ebx-1]
004AF7E2 E8 FD4CF5FF call ddpwg.004044E4
004AF7E7 8B45 D4       mov eax,dword ptr ss:[ebp-2C]
004AF7EA 8D55 D8       lea edx,dword ptr ss:[ebp-28]
004AF7ED E8 4E8DF5FF call ddpwg.00408540
004AF7F2 8B45 D8       mov eax,dword ptr ss:[ebp-28]
004AF7F5 BA F4F84A00 mov edx,ddpwg.004AF8F4
004AF7FA E8 014FF5FF call ddpwg.00404700
004AF7FF 75 0F       jnz short ddpwg.004AF810
004AF801 8D45 F4       lea eax,dword ptr ss:[ebp-C]
004AF804 BA 00F94A00 mov edx,ddpwg.004AF900
004AF809 E8 B64DF5FF call ddpwg.004045C4
004AF80E EB 59       jmp short ddpwg.004AF869
004AF810 8D45 CC       lea eax,dword ptr ss:[ebp-34]
004AF813 8B55 F8       mov edx,dword ptr ss:[ebp-8]
004AF816 8A541A FF    mov dl,byte ptr ds:[edx+ebx-1]
004AF81A E8 C54CF5FF call ddpwg.004044E4
004AF81F 8B45 CC       mov eax,dword ptr ss:[ebp-34]
004AF822 8D55 D0       lea edx,dword ptr ss:[ebp-30]
004AF825 E8 168DF5FF call ddpwg.00408540
004AF82A 8B45 D0       mov eax,dword ptr ss:[ebp-30]
004AF82D BA 0CF94A00 mov edx,ddpwg.004AF90C
004AF832 E8 C94EF5FF call ddpwg.00404700
004AF837 75 0F       jnz short ddpwg.004AF848
004AF839 8D45 F4       lea eax,dword ptr ss:[ebp-C]
004AF83C BA 18F94A00 mov edx,ddpwg.004AF918
004AF841 E8 7E4DF5FF call ddpwg.004045C4
004AF846 EB 21       jmp short ddpwg.004AF869
004AF848 8D45 C8       lea eax,dword ptr ss:[ebp-38]
004AF84B 8B55 F8       mov edx,dword ptr ss:[ebp-8]
004AF84E 0FB6541A FF movzx edx,byte ptr ds:[edx+ebx-1]    ; 取A(41)
004AF853 83C2 31       add edx,31                                     ; EDX=EDX+31
004AF856 83E2 7F       and edx,7F                                     ; EDX=EDX+7F
004AF859 E8 864CF5FF call ddpwg.004044E4
004AF85E 8B55 C8       mov edx,dword ptr ss:[ebp-38]
004AF861 8D45 F4       lea eax,dword ptr ss:[ebp-C]
004AF864 E8 5B4DF5FF call ddpwg.004045C4
004AF869 43          inc ebx                                        ; 计数器加1
004AF86A 4E          dec esi                                        ; 长度减1
004AF86B  ^ 0F85 B6FEFFFF  jnz ddpwg.004AF727       ; 取完往下走,没取完就跳回去
004AF871 8BC7          mov eax,edi
004AF873 8B55 F4       mov edx,dword ptr ss:[ebp-C]
004AF876 E8 DD4AF5FF call ddpwg.00404358       ; EDX为真码
004AF87B 33C0          xor eax,eax
004AF87D 5A          pop edx
004AF87E 59          pop ecx
004AF87F 59          pop ecx
004AF880 64:8910       mov dword ptr fs:[eax],edx
004AF883 68 9DF84A00 push ddpwg.004AF89D
004AF888 8D45 C8       lea eax,dword ptr ss:[ebp-38]
004AF88B BA 0E000000 mov edx,0E
004AF890 E8 934AF5FF call ddpwg.00404328
004AF895 C3          retn
004AF896  ^ E9 9144F5FF jmp ddpwg.00403D2C
004AF89B  ^ EB EB       jmp short ddpwg.004AF888
004AF89D 5F          pop edi
004AF89E 5E          pop esi
004AF89F 5B          pop ebx
004AF8A0 8BE5          mov esp,ebp
004AF8A2 5D          pop ebp
004AF8A3 C3          retn                                           ;返回
【算法总结】
第一位：机器码的第一位HEX值+31即为注册码第一位
第二位：机器码的第二位HEX值+31即为注册码第二位
…………
最后一位机器码不参与计算，最后一位注册码为固定值“z“
机器码：ABCD1234
注册码：rstubcdz
—————————————————————————————————————
【Crack＿总结】：
初学算法，如有错误之处，还请各位大侠指点！

＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋＋

提问：

分析到最后，发现最后一位注册码如果是4的话，得到的将是z。
我把它改成了1之后，得到的结果是b,可见最后一位注册码不是固定的。
追踪了一下发现：
004AF74E |. /75 12 |JNZ SHORT B2088.004AF762
//在这个断，看到程序循环算完前7位之后就不跟了。
004AF750 |. |8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
004AF753 |. |BA B8F84A00 |MOV EDX,B2088.004AF8B8
004AF758 |. |E8 674EF5FF |CALL B2088.004045C4
//注册码最后的一位运算应该是在这～
试跟了一下，好像是在一个rep的汇编语言段出现过最后一位注册码。但不知道何解。
004AF75D |. |E9 07010000 |JMP B2088.004AF869
//上面的跟转不跳，就从这个大跳是避开最后一位机器码的运算的。
004AF762 |> \8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C]
＋＋＋＋＋＋＋＋＋＋＋＋
具体的运算过程希望向大家讨教一下。。。。。。
如果本问题的确搞不了的话，那咱就只好在算法注册机的制作演示中加一个固定码了。
因为机器码是固定的～
呵呵～这几天做第三课的演示闷的欢，准备出走～

复制代码

[ 本帖最后由野猫III 于 2006-7-23 11:59 编辑 ]

显示全部楼层 · 发表于 2006-8-3 16:18:41

提示: 作者被禁止或删除内容自动屏蔽

ljq897 · 发表于 2007-12-18 11:10:08

学习了，BPX是代码断点，BP是函数断点

ljq897 · 发表于 2007-12-18 11:12:01

学习了，BPX是代码断点，BP是函数断点

ljq897 · 发表于 2007-12-18 11:14:45

学习了，BPX是代码断点，BP是函数断点

leafstone · 发表于 2007-12-22 13:39:05

冷血的基础非常扎实，向冷血前辈学习
最后一位估计是硬盘号之类的截取，斑竹有什么心得一定要发出来，学习了

xianguo1985 · 发表于 2007-12-23 03:48:13

..........................................................

		自动登录	找回密码
密码			加入我们

wxh9833 该用户已被删除	发表于 2006-8-3 16:18:41 \| 显示全部楼层提示: 作者被禁止或删除内容自动屏蔽
wxh9833 该用户已被删除	PYG19周年生日快乐！
	回复支持反对使用道具举报显身卡