續未完成破解，寫出它的序號產生器，3k。。。 (8千字)

易經八卦彩票占卜程式.V6.3以前只是追出註冊碼，這個例子演示瞭如何利用源反編譯程式碼寫序號產生器，雖然很簡單，但是大家看看吧，這個也算交作業了吧，該睡覺了。。。

序號產生器：
;cr_yj.asm******************************
.386
.model flat,stdcall
option casemap:none
include hd.h
_ProcDlg proto :DWORD,:DWORD,:DWORD,:DWORD
;->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>data seg
      .data
User db 80 dup(0)
Serial     db 80 dup(0)
Count     dd 0
adsn dd 0
MsgMesaage1 db "Must input Usernmae in oder to generate Reg Code! ",0
MsgCap     db "By (C)hume,July,2001",0

      .data?
hInstance HANDLE ?
      .const
DLG_MAIN equ    1000
IDC_UN    equ    1001
IDC_REG    equ    1002
ID_GEN    equ    1003
ID_EXIT    equ    1004
;-->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>code seg

      .code
start:
  invoke   GetModuleHandle,NULL
  mov   hInstance,eax
  invoke   DialogBoxParam,hInstance,DLG_MAIN,NULL,offset _ProcDlg,0
  invoke   ExitProcess,NULL

_ProcDlg   proc   uses ebx edi esi, \
      hWnd:DWORD,wMsg:DWORD,wParam:DWORD,lParam:DWORD

      mov   eax,wMsg
      .if   eax == WM_CLOSE
          invoke   EndDialog,hWnd,NULL
      .elseif   eax == WM_COMMAND
        mov eax,wParam
        .IF lParam!=0
          .if ax==ID_GEN
          invoke RtlZeroMemory,addr User,80
          invoke RtlZeroMemory,addr Serial,80
          invoke GetDlgItemText,hWnd,IDC_UN,addr User,80
              .if eax!=NULL
              mov Count,eax
              call Cal
              invoke SetDlgItemText,hWnd,IDC_REG,addr Serial

              .else
              invoke MessageBox,NULL,addr MsgMesaage1,addr MsgCap,MB_OK or MB_ICONEXCLAMATION

              .endif

.elseif ax==ID_EXIT
          invoke SendMessage,hWnd,WM_CLOSE,NULL,NULL
          .endif

        .ENDIF
      .else
      mov eax,FALSE
      ret
    .endif
      mov eax,TRUE
      ret
_ProcDlg   ENDP

Cal       PROC   uses eax ebx
    xor edx,edx
    mov ecx,0
    lea ebx,Serial
    mov adsn,ebx

lopcal: LEA EDI,[ECX+01]
    lea     eax,User
    add eax,ecx
    MOV BL,[EAX]
    MOVSX ESI,BL
    MOV EAX,ESI
    MOV EBX,4Bh
    IMUL ESI
    IMUL ESI
    LEA EDX,[ECX+01]
    IMUL EDX,EDI
    SUB EAX,EDX
    LEA EDX,[ECX+01]
    IMUL EDX,ESI
    SUB EAX,EDX
    INC ECX
    CDQ
    XOR EAX,EDX
    SUB EAX,EDX
    CDQ
    IDIV EBX
    MOV EAX,EDX
    ADD AL,30h
    mov ebx,adsn
    add ebx,ecx
    dec ebx
    MOV [ebx],AL
    inc ebx
    inc eax
    CMP ECX,Count ;//
    JL lopcal ;//比較迴圈是否結束迴圈,計算
ToEit:       ret
Cal       endp
;-->>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>end all
  end start
;cr_yj.rc******************************
#include <c:\masm32\include\resource.h>

#define DLG_MAIN    1000
#define IDC_UN       1001
#define IDC_REG       1002
#define ID_GEN       1003
#define ID_EXIT       1004

DLG_MAIN DIALOG 64, 53, 204, 52
STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "易經八卦彩票占卜程式.V6.3 Asm Keygen by Hume"
FONT 8, "MS Sans Serif"
{
DEFPUSHBUTTON "GENERATE", ID_GEN, 148, 6, 50, 14
PUSHBUTTON "EXIT", ID_EXIT, 148, 24, 50, 14
EDITTEXT IDC_UN, 52, 10, 78, 12, WS_BORDER | WS_TABSTOP
EDITTEXT IDC_REG, 52, 29, 78, 13, WS_BORDER | WS_TABSTOP
LTEXT "USERNAME:", -1, 8, 12, 40, 10
LTEXT "REG CODE:", -1, 8, 30, 41, 9
}

附件：
易經八卦彩票占卜程式.V6.3暴力及註冊碼破解

作　　者：冷雨飄心 humewen@263.net
破解時間：2001-4-23
破解工具：TRW2000 V1.23 Hiew V6.40 W32dasm黃金版
下載地址: http://member.netease.com/~tr/
說明:彩票軟體,比昨天那個丁氏軟體強點,至少用了八卦占卜,還算有創意,另外至少
還可以寫出註冊程式,價格也便宜

一、暴力破解方法:
W32dasm可見:
:004067E1 8B8310030000 mov eax, dword ptr [ebx+00000310]
:004067E7 E860B1FFFF call 0040194C
:004067EC 84C0 test al, al
:004067EE 7428 je 00406818
<------------------------------不讓它跳即可！
^^^^改為9090
:004067F0 A158525100 mov eax, dword ptr [00515258]
:004067F5 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"提示"
|
:004067F7 B918AA5000 mov ecx, 0050AA18

* Possible StringData Ref from Data Obj ->"恭喜！
註冊成功！"
|
:004067FC BA06AA5000 mov edx, 0050AA06
:00406801 8B00 mov eax, dword ptr [eax]
:00406803 E830F60F00 call 00505E38
:00406808 8BC3 mov eax, ebx
:0040680A E831000000 call 00406840
:0040680F 8BC3 mov eax, ebx
:00406811 E8AE010000 call 004069C4
:00406816 EB18 jmp 00406830

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004067EE(C)
|
:00406818 A158525100 mov eax, dword ptr [00515258]
:0040681D 6A10 push 00000010

* Possible StringData Ref from Data Obj ->"錯誤"
|
:0040681F B947AA5000 mov ecx, 0050AA47

* Possible StringData Ref from Data Obj ->"對不起，使用者名稱和註冊碼不匹配。
註冊失敗！"
|
:00406824 BA1DAA5000 mov edx, 0050AA1D
:00406829 8B00 mov eax, dword ptr [eax]
:0040682B E808F60F00 call 00505E38
但修改後，每次執行都要註冊一次,很煩,估計還有陷阱,每次啟動時還要檢查,故祭出
trw2000動態跟蹤,發現實際上是呼叫yijing.dll進行註冊碼計算追蹤過程
:004019FB FFD3 call ebx//呼叫yijing.dll
//的wackywooky函式
:004019FD 85C0 test eax, eax
:004019FF 0F95C0 setne al//置標誌
:00401A02 83E001 and eax, 00000001
:00401A05 8BD8 mov ebx, eax
//因此:
4019ff setnz al=>setz al
hiew 0fff:0f95c0-->0f94c0
註冊碼隨便輸,只要不是正確的,即可,(正確的機率象中5,000,000嘿嘿)

二、註冊碼查詢
在:004019FB FFD3 call ebx處追入
GO,to here:

0167:013012AF CALL 01302738
0167:013012B4 POP ECX
0167:013012B5 CMP ESI,EAX
0167:013012B7 JZ 013012C0
//比較使用者名稱和序列號的個數若相等,則進一步比較,否則
跳走,你就什麼也看不到了!退出填入相同個數的使用者名稱和密碼
我的是使用者名稱:812153
以下是註冊碼生成全過程,由於沒有時間,所以不寫序號產生器,go on
0167:013012B9 XOR EAX,EAX
0167:013012BB JMP 0130138A
0167:013012C0 PUSH EBX
0167:013012C1 CALL 01302738
0167:013012C6 POP ECX
0167:013012C7 MOV [EBP-08],EAX
0167:013012CA MOV EDX,[EBP-08]
0167:013012CD INC EDX
0167:013012CE PUSH EDX
0167:013012CF CALL 013015C8
0167:013012D4 POP ECX
0167:013012D5 MOV [EBP-04],EAX
0167:013012D8 MOV EAX,[EBP+0C]
0167:013012DB MOV ECX,[EBP-04]
0167:013012DE MOV EDI,EAX
0167:013012E0 XOR EAX,EAX
0167:013012E2 MOV ESI,ECX
0167:013012E4 OR ECX,BYTE -01
0167:013012E7 REPNE SCASB
0167:013012E9 NOT ECX
0167:013012EB SUB EDI,ECX
0167:013012ED MOV EDX,ECX
0167:013012EF XCHG ESI,EDI
0167:013012F1 SHR ECX,02
0167:013012F4 MOV EAX,EDI
0167:013012F6 REP MOVSD
0167:013012F8 MOV ECX,EDX
0167:013012FA AND ECX,BYTE +03
0167:013012FD REP MOVSB
0167:013012FF MOV EAX,[EBP-04]
0167:01301302 XOR ECX,ECX
0167:01301304 MOV EDX,EAX
0167:01301306 MOV EAX,EBX
0167:01301308 MOV [EBP-14],EDX
0167:0130130B MOV [EBP-10],EAX
0167:0130130E MOV EDX,[EBP-08]
0167:01301311 CMP ECX,EDX
0167:01301313 JNL 01301360 //開始注意了
0167:01301315 MOV EAX,[EBP-10]
0167:01301318 LEA EDI,[ECX+01]
0167:0130131B MOV BL,[EAX]
0167:0130131D MOVSX ESI,BL
0167:01301320 MOV EAX,ESI
0167:01301322 MOV EBX,4B
0167:01301327 IMUL ESI
0167:01301329 IMUL ESI
0167:0130132B LEA EDX,[ECX+01]
0167:0130132E IMUL EDX,EDI
0167:01301331 SUB EAX,EDX
0167:01301333 LEA EDX,[ECX+01]
0167:01301336 IMUL EDX,ESI
0167:01301339 SUB EAX,EDX
0167:0130133B INC ECX
0167:0130133C MOV [EBP-0C],EAX
0167:0130133F MOV EAX,[EBP-0C]
0167:01301342 CDQ
0167:01301343 XOR EAX,EDX
0167:01301345 SUB EAX,EDX
0167:01301347 CDQ
0167:01301348 IDIV EBX
0167:0130134A MOV EAX,EDX
0167:0130134C MOV EDX,[EBP-14]
0167:0130134F ADD AL,30
0167:01301351 MOV [EDX],AL
0167:01301353 INC DWORD [EBP-14]
0167:01301356 INC DWORD [EBP-10]
0167:01301359 MOV EAX,[EBP-08]
0167:0130135C CMP ECX,EAX //
0167:0130135E JL 01301315 //比較迴圈是否結束迴圈,計算
0167:01301360 MOV EAX,[EBP-04]
0167:01301363 MOV EDX,[EBP+0C]
0167:01301366 MOV CL,[EAX]----//[EAX],指向註冊碼
//d eax ----->kFYn<9,很奇怪,但就是他!
0167:01301368 CMP CL,[EDX]
0167:0130136A JNZ 01301388
可以bpx 01301368 do "d eax"取得註冊碼,不用寫序號產生器,注意如果一次註冊成功,下次
將無法註冊,是因為在登錄檔裡作了手腳:查詢yijing,你發現什麼,不要猶豫,刪之!
(使用者名稱和密碼要相同長度)
推薦註冊碼:使用者名稱:1
    序列號:z

續未完成破解，寫出它的序號產生器，3k。。。 (8千字)

相關文章