[PYG]算法分析入门第三课

spc_cll · 发表于 2006-4-1 09:52:40

根据总坛主的算法写的注册机。
在我的机器上注册成功(windows 2000 professinal)

godhack · 发表于 2006-4-26 17:15:51

写的好，正适合我等新人，谢谢了，楼主

godhack · 发表于 2006-4-27 16:34:16

0050C783 E8EC260000             call 0050EE74             算法call，跟进去
:0050C788 8BD8                   mov ebx, eax
:0050C78A 8B45FC                mov eax, dword ptr [ebp-04]
:0050C78D E84ACDEFFF             call 004094DC
:0050C792 3BD8                   cmp ebx, eax                这里ebx的十六进制是真码

为什么不是第二个CALL是算法CALL呢？怎么知道第一个CALL是算法CALL呢？谢谢！

lwz864 · 发表于 2006-5-14 10:30:02

还看不懂,先复制,收下了.楼主水平好高.

浮云思音 · 发表于 2006-6-17 17:11:54

这个弄了半天也是不懂,下的软件和楼主的不太一样

wangyc75 · 发表于 2006-7-5 19:02:41

太强了
谢谢

weiruan198 · 发表于 2006-8-5 22:20:10

学习中。。。。

Gue · 发表于 2006-10-26 17:53:01

我的破文和注册机....如果有不对的地方还请大虾指导下..

//OD下断在这里

0050B0F8    55                push ebp
0050B0F9    8BEC             mov ebp,esp
0050B0FB    33C9             xor ecx,ecx //ecx清零
0050B0FD    51                push ecx
0050B0FE    51                push ecx
0050B0FF    51                push ecx
0050B100    51                push ecx
0050B101    51                push ecx
0050B102    53                push ebx
0050B103    56                push esi
0050B104    8BF0             mov esi,eax
0050B106    33C0             xor eax,eax
0050B108    55                push ebp
0050B109    68 88B25000       push dumped_.0050B288
0050B10E    64:FF30          push dword ptr fs:[eax]
0050B111    64:8920          mov dword ptr fs:[eax],esp
0050B114    8D55 F8          lea edx,dword ptr ss:[ebp-8]
0050B117    8B86 00030000    mov eax,dword ptr ds:[esi+300]
0050B11D    E8 8E75F3FF       call dumped_.004426B0 //得到注册码  放在101C4FC
0050B122    837D F8 00       cmp dword ptr ss:[ebp-8],0
0050B126    75 1F             jnz short dumped_.0050B147 //拿到注册码就跳到0050B147
0050B128    B8 A0B25000       mov eax,dumped_.0050B2A0
0050B12D    E8 9A07F3FF       call dumped_.0043B8CC //如果没有拿到就显示一个对话框。"请输入注册认证码!"
0050B132    8B96 00030000    mov edx,dword ptr ds:[esi+300]
0050B138    A1 F8055400       mov eax,dword ptr ds:[5405F8]
0050B13D    E8 CE26F5FF       call dumped_.0045D810 //无关的CALL
0050B142    E9 1E010000       jmp dumped_.0050B265
0050B147    8D55 FC          lea edx,dword ptr ss:[ebp-4]
0050B14A    8B86 00030000    mov eax,dword ptr ds:[esi+300]
0050B150    E8 5B75F3FF       call dumped_.004426B0 //...
0050B155    8D55 F4          lea edx,dword ptr ss:[ebp-C]
0050B158    8B86 00030000    mov eax,dword ptr ds:[esi+300]
0050B15E    E8 4D75F3FF       call dumped_.004426B0 //...
0050B163    8B45 F4          mov eax,dword ptr ss:[ebp-C]
0050B166    E8 DD9DEFFF       call dumped_.00404F48 //返回注册码的长度放在EAX中
0050B16B    8BD0             mov edx,eax
0050B16D    85D2             test edx,edx //检测注册码长度为不为零
0050B16F    7E 3C             jle short dumped_.0050B1AD //<=0跳到50B1AD
0050B171    B8 01000000       mov eax,1 //累加以后可以得到下一个字符
0050B176    8B4D FC          mov ecx,dword ptr ss:[ebp-4]
0050B179    8A4C01 FF          mov cl,byte ptr ds:[ecx+eax-1] //得到EAX对应位数的字符放入cl
0050B17D    80F9 30          cmp cl,30
0050B180    72 08             jb short dumped_.0050B18A //cl中的字符ASCII码<30h则跳转到 50b18a
0050B182    8B5D FC          mov ebx,dword ptr ss:[ebp-4]
0050B185    80F9 39          cmp cl,39
0050B188    76 1F             jbe short dumped_.0050B1A9 //cl中的字符ASCII<=39h则跳转到 50b1a9
0050B18A    B8 BCB25000       mov eax,dumped_.0050B2BC
0050B18F    E8 3807F3FF       call dumped_.0043B8CC //提示"注册码输入有误!" 无关CALL
0050B194    8B96 00030000    mov edx,dword ptr ds:[esi+300]
0050B19A    A1 F8055400       mov eax,dword ptr ds:[5405F8]
0050B19F    E8 6C26F5FF       call dumped_.0045D810 //无关的CALL
0050B1A4    E9 BC000000       jmp dumped_.0050B265
0050B1A9    40                inc eax //指向下一字符
0050B1AA    4A                dec edx //待比较的字符数
0050B1AB ^ 75 C9             jnz short dumped_.0050B176 //还有字符没校验则跳转到 50b176 PS:注册码必须是数字
0050B1AD    8D55 F0          lea edx,dword ptr ss:[ebp-10]
0050B1B0    8B86 FC020000    mov eax,dword ptr ds:[esi+2FC]
0050B1B6    E8 F574F3FF       call dumped_.004426B0 //得到注册码  放在1013024 长度放在EAX
0050B1BB    8B45 F0          mov eax,dword ptr ss:[ebp-10] //机器码放入EAX
0050B1BE    E8 19E3EFFF       call dumped_.004094DC //16进制转换
0050B1C3    E8 F8360000       call dumped_.0050E8C0 //计算wangshuang + yaoyuan + JSBuilder + 前一个CALL的结果
0050B1C8    8BD8             mov ebx,eax
0050B1CA    8B45 FC          mov eax,dword ptr ss:[ebp-4]
0050B1CD    E8 0AE3EFFF       call dumped_.004094DC //上两个CALL产生的值和输入的注册码运算
0050B1D2    3BD8             cmp ebx,eax
0050B1D4    0F85 81000000    jnz dumped_.0050B25B //ebx != eax 跳转到 502B25B 跳必死 PS:爆破点
0050B1DA    B2 01             mov dl,1
0050B1DC    A1 34B94600       mov eax,dword ptr ds:[46B934]
0050B1E1    E8 4E08F6FF       call dumped_.0046BA34
0050B1E6    8BD8             mov ebx,eax
0050B1E8    BA 02000080       mov edx,80000002
0050B1ED    8BC3             mov eax,ebx
0050B1EF    E8 E008F6FF       call dumped_.0046BAD4
0050B1F4    33C9             xor ecx,ecx
0050B1F6    BA E0B25000       mov edx,dumped_.0050B2E0       ; ASCII "System\CurrentControlSet\Services\Class\knightsoft\JSBuilder"
0050B1FB    8BC3             mov eax,ebx
0050B1FD    E8 120AF6FF       call dumped_.0046BC14
0050B202    8D55 EC          lea edx,dword ptr ss:[ebp-14]
0050B205    8B86 FC020000    mov eax,dword ptr ds:[esi+2FC]
0050B20B    E8 A074F3FF       call dumped_.004426B0
0050B210    8B45 EC          mov eax,dword ptr ss:[ebp-14]
0050B213    E8 C4E2EFFF       call dumped_.004094DC
0050B218    E8 A3360000       call dumped_.0050E8C0
0050B21D    8BC8             mov ecx,eax
0050B21F    BA 28B35000       mov edx,dumped_.0050B328       ; ASCII "registecode"
0050B224    8BC3             mov eax,ebx
0050B226    E8 390BF6FF       call dumped_.0046BD64
0050B22B    8BC3             mov eax,ebx
0050B22D    E8 7208F6FF       call dumped_.0046BAA4
0050B232    8BC3             mov eax,ebx
0050B234    E8 678CEFFF       call dumped_.00403EA0
0050B239    B8 3CB35000       mov eax,dumped_.0050B33C
0050B23E    E8 8906F3FF       call dumped_.0043B8CC
0050B243    B8 8CB35000       mov eax,dumped_.0050B38C
0050B248    E8 7F06F3FF       call dumped_.0043B8CC
0050B24D    A1 AC305300       mov eax,dword ptr ds:[5330AC]
0050B252    8B00             mov eax,dword ptr ds:[eax]
0050B254    E8 C775F5FF       call dumped_.00462820
0050B259    EB 0A             jmp short dumped_.0050B265
0050B25B    B8 B8B35000       mov eax,dumped_.0050B3B8
0050B260    E8 6706F3FF       call dumped_.0043B8CC
0050B265    33C0             xor eax,eax
0050B267    5A                pop edx
0050B268    59                pop ecx
0050B269    59                pop ecx
0050B26A    64:8910          mov dword ptr fs:[eax],edx
0050B26D    68 8FB25000       push dumped_.0050B28F
0050B272    8D45 EC          lea eax,dword ptr ss:[ebp-14]
0050B275    BA 04000000       mov edx,4
0050B27A    E8 359AEFFF       call dumped_.00404CB4
0050B27F    8D45 FC          lea eax,dword ptr ss:[ebp-4]
0050B282    E8 099AEFFF       call dumped_.00404C90
0050B287    C3                retn

//CALL from 50B1BE
004094DC /$  53             push ebx
004094DD |.  56             push esi
004094DE |.  83C4 F4          add esp,-0C
004094E1 |.  8BD8             mov ebx,eax //EBX = 机器码
004094E3 |.  8BD4             mov edx,esp
004094E5 |.  8BC3             mov eax,ebx //EAX = 机器码
004094E7 |.  E8 58A2FFFF    call dumped_.00403744 //运算机器码 EAX = 3EA3989 返回值为eax ; eax = 0; eax = 10 * eax + 机器码每一位的ASCII码
004094EC |.  8BF0             mov esi,eax
004094EE |.  833C24 00       cmp dword ptr ss:[esp],0
004094F2 |.  74 19          je short dumped_.0040950D //检测结果
004094F4 |.  895C24 04       mov dword ptr ss:[esp+4],ebx
004094F8 |.  C64424 08 0B    mov byte ptr ss:[esp+8],0B
004094FD |.  8D5424 04       lea edx,dword ptr ss:[esp+4]
00409501 |.  A1 402F5300    mov eax,dword ptr ds:[532F40]
00409506 |.  33C9             xor ecx,ecx
00409508 |.  E8 EBF9FFFF    call dumped_.00408EF8
0040950D |>  8BC6             mov eax,esi
0040950F |.  83C4 0C          add esp,0C
00409512 |.  5E             pop esi
00409513 |.  5B             pop ebx
00409514 \.  C3             retn

CALL from 4094e7 函数功能:检测注册码是不是数字.. eax = 0; eax = ((eax + eax * 4) * 2) + 机器码每一位的ASCII码
00403744 /$  53             push ebx
00403745 |.  56             push esi
00403746 |.  57             push edi
00403747 |.  89C6             mov esi,eax
00403749 |.  50             push eax
0040374A |.  85C0             test eax,eax
0040374C |.  74 6C          je short dumped_.004037BA
0040374E |.  31C0             xor eax,eax
00403750 |.  31DB             xor ebx,ebx
00403752 |.  BF CCCCCC0C    mov edi,0CCCCCCC
00403757 |>  8A1E             /mov bl,byte ptr ds:[esi]
00403759 |.  46             |inc esi
0040375A |.  80FB 20          |cmp bl,20
0040375D |.^ 74 F8          \je short dumped_.00403757 //第一个字符如果是空格的话就跳到  403757
0040375F |.  B5 00          mov ch,0
00403761 |.  80FB 2D          cmp bl,2D
00403764 |.  74 62          je short dumped_.004037C8 //第一个字符如果是'-'的话就跳到 4037c8
00403766 |.  80FB 2B          cmp bl,2B
00403769 |.  74 5F          je short dumped_.004037CA //第一个字符如果是'+'的话就跳到 4037ca
0040376B |.  80FB 24          cmp bl,24
0040376E |.  74 5F          je short dumped_.004037CF //第一个字符如果是'$'的话就跳到 4037cf
00403770 |.  80FB 78          cmp bl,78
00403773 |.  74 5A          je short dumped_.004037CF //第一个字符如果是'x'的话就跳到 4037cf
00403775 |.  80FB 58          cmp bl,58
00403778 |.  74 55          je short dumped_.004037CF //第一个字符如果是'X'的话就跳到 4037cf
0040377A |.  80FB 30          cmp bl,30
0040377D |.  75 13          jnz short dumped_.00403792 //第一个字符如果是零的话就跳到 403792 测试有没有字符.没有的话跳到4037b0
0040377F |.  8A1E             mov bl,byte ptr ds:[esi] //得到第二个字符
00403781 |.  46             inc esi //指向下一个字符
00403782 |.  80FB 78          cmp bl,78
00403785 |.  74 48          je short dumped_.004037CF //第二个字符是'x'的话就跳到 4037cf
00403787 |.  80FB 58          cmp bl,58
0040378A |.  74 43          je short dumped_.004037CF //第二个字符是'X'的话就跳到 4037cf
0040378C |.  84DB             test bl,bl
0040378E |.  74 20          je short dumped_.004037B0 //没有字符的话跳到4037b0
00403790 |.  EB 04          jmp short dumped_.00403796
00403792 |>  84DB             test bl,bl
00403794 |.  74 2D          je short dumped_.004037C3 //测试bl是否有字符
00403796 |>  80EB 30          /sub bl,30
00403799 |.  80FB 09          |cmp bl,9
0040379C |.  77 25          |ja short dumped_.004037C3 //第二个字符不是数字的话跳到 4037c3
0040379E |.  39F8             |cmp eax,edi
004037A0 |.  77 21          |ja short dumped_.004037C3 //eax里面的值大于0CCCCCCC时跳到 4037c3
004037A2 |.  8D0480          |lea eax,dword ptr ds:[eax+eax*4] //eax = eax + eax * 4
004037A5 |.  01C0             |add eax,eax //eax = eax + eax
004037A7 |.  01D8             |add eax,ebx //eax = eax + ebx
004037A9 |.  8A1E             |mov bl,byte ptr ds:[esi] //取得字符
004037AB |.  46             |inc esi //指向下一个字符
004037AC |.  84DB             |test bl,bl
004037AE |.^ 75 E6          \jnz short dumped_.00403796 //还有字符的话就继续循环 PS:机器码必须是数字否则跳出累加循环
004037B0 |>  FECD             dec ch
004037B2 |.  74 09          je short dumped_.004037BD
004037B4 |.  85C0             test eax,eax
004037B6 |.  7D 4E          jge short dumped_.00403806
004037B8 |.  EB 09          jmp short dumped_.004037C3
004037BA |>  46             inc esi
004037BB |.  EB 06          jmp short dumped_.004037C3
004037BD |>  F7D8             neg eax
004037BF |.  7E 45          jle short dumped_.00403806
004037C1 |.  78 43          js short dumped_.00403806
004037C3 |>  5B             pop ebx                            ;  Default case of switch 004037E3
004037C4 |.  29DE             sub esi,ebx
004037C6 |.  EB 41          jmp short dumped_.00403809
004037C8 |>  FEC5             inc ch
004037CA |>  8A1E             mov bl,byte ptr ds:[esi]
004037CC |.  46             inc esi
004037CD |.^ EB C3          jmp short dumped_.00403792
004037CF |>  BF FFFFFF0F    mov edi,0FFFFFFF
004037D4 |.  8A1E             mov bl,byte ptr ds:[esi]
004037D6 |.  46             inc esi
004037D7 |.  84DB             test bl,bl
004037D9 |.^ 74 DF          je short dumped_.004037BA
004037DB |>  80FB 61          /cmp bl,61
004037DE |.  72 03          |jb short dumped_.004037E3
004037E0 |.  80EB 20          |sub bl,20
004037E3 |>  80EB 30          |sub bl,30                         ;  Switch (cases 30..46)
004037E6 |.  80FB 09          |cmp bl,9
004037E9 |.  76 0B          |jbe short dumped_.004037F6
004037EB |.  80EB 11          |sub bl,11
004037EE |.  80FB 05          |cmp bl,5
004037F1 |.^ 77 D0          |ja short dumped_.004037C3
004037F3 |.  80C3 0A          |add bl,0A                         ;  Cases 41 ('A'),42 ('B'),43 ('C'),44 ('D'),45 ('E'),46 ('F') of switch 004037E3
004037F6 |>  39F8             |cmp eax,edi                      ;  Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 004037E3
004037F8 |.^ 77 C9          |ja short dumped_.004037C3
004037FA |.  C1E0 04          |shl eax,4
004037FD |.  01D8             |add eax,ebx
004037FF |.  8A1E             |mov bl,byte ptr ds:[esi]
00403801 |.  46             |inc esi
00403802 |.  84DB             |test bl,bl
00403804 |.^ 75 D5          \jnz short dumped_.004037DB
00403806 |>  59             pop ecx
00403807 |.  31F6             xor esi,esi
00403809 |>  8932             mov dword ptr ds:[edx],esi
0040380B |.  5F             pop edi
0040380C |.  5E             pop esi
0040380D |.  5B             pop ebx
0040380E \.  C3             retn

CALL from 50B1C3
0050E8C0 /$  55             push ebp
0050E8C1 |.  8BEC             mov ebp,esp
0050E8C3 |.  6A 00          push 0
0050E8C5 |.  53             push ebx
0050E8C6 |.  56             push esi //输入的注册码的地址
0050E8C7 |.  8BF0             mov esi,eax
0050E8C9 |.  33C0             xor eax,eax //EAX清零
0050E8CB |.  55             push ebp
0050E8CC |.  68 8EE95000    push dumped_.0050E98E
0050E8D1 |.  64:FF30          push dword ptr fs:[eax]
0050E8D4 |.  64:8920          mov dword ptr fs:[eax],esp
0050E8D7 |.  BB D9D10E00    mov ebx,0ED1D9
0050E8DC |.  8D45 FC          lea eax,dword ptr ss:[ebp-4]
0050E8DF |.  BA A4E95000    mov edx,dumped_.0050E9A4       ;  ASCII "wangshuang"
0050E8E4 |.  E8 3F64EFFF    call dumped_.00404D28 //无关CALL
0050E8E9 |.  8B45 FC          mov eax,dword ptr ss:[ebp-4]
0050E8EC |.  E8 5766EFFF    call dumped_.00404F48 //计算传入字符串长度  "wangshuang" 返回值在 EAX
0050E8F1 |.  85C0             test eax,eax
0050E8F3 |.  7E 1B          jle short dumped_.0050E910 //长度 <= 0 跳转到 50E910
0050E8F5 |.  BA 01000000    mov edx,1
0050E8FA |>  8B4D FC          /mov ecx,dword ptr ss:[ebp-4]
0050E8FD |.  0FB64C11 FF    |movzx ecx,byte ptr ds:[ecx+edx-1>
0050E902 |.  8D0C89          |lea ecx,dword ptr ds:[ecx+ecx*4] //ECX = ECX + ECX * 4
0050E905 |.  8D0C89          |lea ecx,dword ptr ds:[ecx+ecx*4] //ECX = ECX + ECX * 4
0050E908 |.  03D9             |add ebx,ecx //ebx = ecx + 0ED1D9
0050E90A |.  03DE             |add ebx,esi //ebx = ebx + esi
0050E90C |.  42             |inc edx
0050E90D |.  48             |dec eax
0050E90E |.^ 75 EA          \jnz short dumped_.0050E8FA // 十六进制转换
0050E910 |>  8D45 FC          lea eax,dword ptr ss:[ebp-4]
0050E913 |.  BA B8E95000    mov edx,dumped_.0050E9B8       ;  ASCII "yaoyuan"
0050E918 |.  E8 0B64EFFF    call dumped_.00404D28 //同上,无关CALL
0050E91D |.  8B45 FC          mov eax,dword ptr ss:[ebp-4]
0050E920 |.  E8 2366EFFF    call dumped_.00404F48 //计算字符串"yaoyuan"的长度  结果放在 eax
0050E925 |.  85C0             test eax,eax
0050E927 |.  7E 1B          jle short dumped_.0050E944
0050E929 |.  BA 01000000    mov edx,1
0050E92E |>  8B4D FC          /mov ecx,dword ptr ss:[ebp-4]
0050E931 |.  0FB64C11 FF    |movzx ecx,byte ptr ds:[ecx+edx-1>
0050E936 |.  8D0C89          |lea ecx,dword ptr ds:[ecx+ecx*4]
0050E939 |.  8D0C89          |lea ecx,dword ptr ds:[ecx+ecx*4]
0050E93C |.  03D9             |add ebx,ecx
0050E93E |.  03DE             |add ebx,esi
0050E940 |.  42             |inc edx
0050E941 |.  48             |dec eax
0050E942 |.^ 75 EA          \jnz short dumped_.0050E92E
0050E944 |>  8D45 FC          lea eax,dword ptr ss:[ebp-4]
0050E947 |.  BA C8E95000    mov edx,dumped_.0050E9C8       ;  ASCII "JSBuilder"
0050E94C |.  E8 D763EFFF    call dumped_.00404D28
0050E951 |.  8B45 FC          mov eax,dword ptr ss:[ebp-4]
0050E954 |.  E8 EF65EFFF    call dumped_.00404F48
0050E959 |.  85C0             test eax,eax
0050E95B |.  7E 1B          jle short dumped_.0050E978
0050E95D |.  BA 01000000    mov edx,1
0050E962 |>  8B4D FC          /mov ecx,dword ptr ss:[ebp-4]
0050E965 |.  0FB64C11 FF    |movzx ecx,byte ptr ds:[ecx+edx-1>
0050E96A |.  8D0C89          |lea ecx,dword ptr ds:[ecx+ecx*4]
0050E96D |.  8D0C89          |lea ecx,dword ptr ds:[ecx+ecx*4]
0050E970 |.  03D9             |add ebx,ecx
0050E972 |.  03DE             |add ebx,esi
0050E974 |.  42             |inc edx
0050E975 |.  48             |dec eax
0050E976 |.^ 75 EA          \jnz short dumped_.0050E962
0050E978 |>  33C0             xor eax,eax
0050E97A |.  5A             pop edx
0050E97B |.  59             pop ecx
0050E97C |.  59             pop ecx
0050E97D |.  64:8910          mov dword ptr fs:[eax],edx
0050E980 |.  68 95E95000    push dumped_.0050E995
0050E985 |>  8D45 FC          lea eax,dword ptr ss:[ebp-4]
0050E988 |.  E8 0363EFFF    call dumped_.00404C90
0050E98D \.  C3             retn

下面是注册机:

#include <iostream.h>

int main(int argc, char *argv[])
{
if (argc != 2)
{
cout << "Usage: Key.exe <UserName>  ";
return 0;
}

int UserNameLen = 0;

unsigned int MachineCode = 0;

while (*argv[1] != '\0')
{
if (*argv[1] < 0x30 || *argv[1] > 0x39)
{
cout << "0 - 9 only! can't contain other!";
return 0;
}

++UserNameLen;
MachineCode = MachineCode + MachineCode * 4;
MachineCode += MachineCode;
MachineCode += *argv[1] - 0x30;

++argv[1];
}
argv[1] -= UserNameLen;

char key[3][11] = {{"wangshuang"},{"yaoyuan"},{"JSBuilder"}};

unsigned int RegCode = 0x0ED1D9;

for (int i = 0; i < 3; ++i)
{
char *p = key[ i ];
while (*p != '\0')
{
unsigned int ecx = *p++;
ecx = ecx + ecx * 4;
ecx = ecx + ecx * 4;
RegCode = RegCode + ecx;
RegCode = RegCode + MachineCode;
}
}

cout << "The " << MachineCode << "\'s regcode is : " << RegCode;

return 1;
}

我进引导小组了..开心中..下面开始学习引导小组的内容..大大的教程就暂停一下..:)

易之侠 · 发表于 2007-2-8 09:28:53

支持老大,学习算法.

情天下雪 · 发表于 2007-2-18 16:59:29

收藏、、、、、学习

		自动登录	找回密码
密码			加入我们