Gif2Swf2.1註冊演算法分析 特別獻給CNCG組織 (13千字)
Gif2Swf2.1註冊演算法分析
好久沒有寫破解文章了 手都有點生了 現在中國破解界新人輩出 我也覺得我要跟不上時代了 ^_^
本來想一直等到CHiNA CrACKiNG GrOUp出新的CrackMe 再來練練手 但是SunBird老大可能比較忙 新的CrackMe遲遲不出
所以從網上下載了一個Gif2Swf2.1來練練手 ^_^ 也不知道是不是有人已經作出KeyGen了
用TRW載入程式 到輸入註冊碼的對話方塊中 輸入註冊資訊:
使用者名稱:NYDoll 註冊碼:38383838 下斷點BPX LOCKMYTASK
點選確定按鈕 程式被攔下 F10單步跟蹤 直到看到下面的程式碼:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004079C4(C)
|
:004079CF 83FF01
cmp edi, 00000001
:004079D2 5F
pop edi
:004079D3 0F85A5000000 jne 00407A7E
:004079D9 E842BDFFFF call 00403720
/關鍵Call 要知道註冊演算法就要跟進這個Call,具體參見附錄一
:004079DE 85C0
test eax, eax
:004079E0 0F8485000000 je 00407A6B
/標誌位比對 若註冊碼不正確則跳轉到註冊失敗對話方塊
:004079E6 6A00
push 00000000
:004079E8 8BCB
mov ecx, ebx
:004079EA C7056CC5410001000000 mov dword ptr [0041C56C], 00000001
* Reference To: MFC42.Ordinal:0A55, Ord:0A55h
|
:004079F4 E8A17A0000 Call 0040F49A
:004079F9 A168C54100 mov eax,
dword ptr [0041C568]
:004079FE 85C0
test eax, eax
:00407A00 743A
je 00407A3C
:00407A02 A1E03A4100 mov eax,
dword ptr [00413AE0]
:00407A07 6A00
push 00000000
:00407A09 6A00
push 00000000
:00407A0B 6810010000 push 00000110
:00407A10 50
push eax
* Reference To: USER32.SendMessageA, Ord:0214h
|
:00407A11 FF1500044100 Call dword ptr
[00410400]
:00407A17 6A40
push 00000040
* Possible StringData Ref from Data Obj ->"Congratulations" /註冊成功則出現如下資訊
|
:00407A19 6800374100 push 00413700
* Possible StringData Ref from Data Obj ->"GIF2SWF has been successfuly registered
"
->"!"
|
:00407A1E 68D4364100 push 004136D4
:00407A23 6A00
push 00000000
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00407A25 FF15FC034100 Call dword ptr
[004103FC]
:00407A2B 5E
pop esi
:00407A2C 5B
pop ebx
:00407A2D 8B4C2404 mov
ecx, dword ptr [esp+04]
:00407A31 64890D00000000 mov dword ptr fs:[00000000],
ecx
:00407A38 83C410
add esp, 00000010
:00407A3B C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407A00(C)
|
:00407A3C 6A40
push 00000040
* Possible StringData Ref from Data Obj ->"Congratulations"
|
:00407A3E 6800374100 push 00413700
* Possible StringData Ref from Data Obj ->"GIF2SWF has been successfuly registered
"
->"!"
|
:00407A43 68D4364100 push 004136D4
:00407A48 6A00
push 00000000
* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:00407A4A FF15FC034100 Call dword ptr
[004103FC]
:00407A50 6A00
push 00000000
:00407A52 E8F9B7FFFF call 00403250
:00407A57 83C404
add esp, 00000004
:00407A5A 5E
pop esi
:00407A5B 5B
pop ebx
:00407A5C 8B4C2404 mov
ecx, dword ptr [esp+04]
:00407A60 64890D00000000 mov dword ptr fs:[00000000],
ecx
:00407A67 83C410
add esp, 00000010
:00407A6A C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004079E0(C)
|
:00407A6B 6A30
push 00000030
* Possible StringData Ref from Data Obj ->"Registration" /註冊失敗則顯示如下資訊
|
:00407A6D 68C4364100 push 004136C4
* Possible StringData Ref from Data Obj ->"You have entered and incorrect "
->"Name or Serial
number
Please "
->"try again
!"
---------------※附錄一※--------------------
* Referenced by a CALL at Addresses:
|:00404168 , :004079D9
|
:00403720 6AFF
push FFFFFFFF
:00403722 68E8F94000 push 0040F9E8
:00403727 64A100000000 mov eax, dword
ptr fs:[00000000]
:0040372D 50
push eax
:0040372E 64892500000000 mov dword ptr fs:[00000000],
esp
:00403735 83EC08
sub esp, 00000008
:00403738 51
push ecx
:00403739 8BCC
mov ecx, esp
:0040373B 89642404 mov
dword ptr [esp+04], esp
:0040373F 68D83A4100 push 00413AD8
* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:00403744 E827BD0000 Call 0040F470
:00403749 51
push ecx
:0040374A C744241800000000 mov [esp+18], 00000000
:00403752 8BCC
mov ecx, esp
:00403754 8964240C mov
dword ptr [esp+0C], esp
:00403758 68DC3A4100 push 00413ADC
* Reference To: MFC42.Ordinal:0217, Ord:0217h
|
:0040375D E80EBD0000 Call 0040F470
:00403762 C7442418FFFFFFFF mov [esp+18], FFFFFFFF
:0040376A E841FEFFFF call 004035B0
/關鍵Call
:0040376F 83C408
add esp, 00000008
:00403772 85C0
test eax, eax
:00403774 7544
jne 004037BA /跟到這裡的時候發現 若在這裡跳轉則跳出當前Call 故懷疑 call 004035B0 為關鍵Call
按F8跟入 具體參見附錄二
:00403776 B9DC3A4100 mov ecx,
00413ADC
* Reference To: MFC42.Ordinal:104B, Ord:104Bh
|
:0040377B E8EABC0000 Call 0040F46A
:00403780 50
push eax
* Possible StringData Ref from Data Obj ->"RegisteredUserName" /推測是將驗證成功的使用者名稱資訊存入登錄檔
|
:00403781 686C354100 push 0041356C
:00403786 E805FDFFFF call 00403490
:0040378B 83C408
add esp, 00000008
:0040378E B9D83A4100 mov ecx,
00413AD8
* Reference To: MFC42.Ordinal:104B, Ord:104Bh
|
:00403793 E8D2BC0000 Call 0040F46A
:00403798 50
push eax
* Possible StringData Ref from Data Obj ->"RegisteredUserKey" /推測是將驗證成功的註冊碼資訊存入登錄檔
|
:00403799 6858354100 push 00413558
:0040379E E8EDFCFFFF call 00403490
:004037A3 83C408
add esp, 00000008
:004037A6 B801000000 mov eax,
00000001
:004037AB 8B4C2408 mov
ecx, dword ptr [esp+08]
:004037AF 64890D00000000 mov dword ptr fs:[00000000],
ecx
:004037B6 83C414
add esp, 00000014
:004037B9 C3
ret
------------------※附錄二※--------------------
* Referenced by a CALL at Addresses:
|:0040376A , :00403E22
|
:004035B0 6AFF
push FFFFFFFF
:004035B2 68D0F94000 push 0040F9D0
:004035B7 64A100000000 mov eax, dword
ptr fs:[00000000]
:004035BD 50
push eax
:004035BE 64892500000000 mov dword ptr fs:[00000000],
esp
:004035C5 83EC64
sub esp, 00000064
:004035C8 55
push ebp
:004035C9 56
push esi
:004035CA 57
push edi
:004035CB 8D8C2480000000 lea ecx, dword ptr
[esp+00000080]
:004035D2 C744247801000000 mov [esp+78], 00000001
* Reference To: MFC42.Ordinal:106C, Ord:106Ch
|
:004035DA E8A7BD0000 Call 0040F386
:004035DF 8D8C2480000000 lea ecx, dword ptr
[esp+00000080]
* Reference To: MFC42.Ordinal:104B, Ord:104Bh
|
:004035E6 E87FBE0000 Call 0040F46A
:004035EB 8D8C2484000000 lea ecx, dword ptr
[esp+00000084]
:004035F2 8BF0
mov esi, eax /使用者名稱入棧
* Reference To: MFC42.Ordinal:104B, Ord:104Bh
|
:004035F4 E871BE0000 Call 0040F46A
--------\
:004035F9 8BE8
mov ebp, eax
\
:004035FB 8BFE
mov edi, esi
:004035FD 83C9FF
or ecx, FFFFFFFF
:00403600 33C0
xor eax, eax
這是很常見的一種程式碼段:透過 repnz scasb 掃描字串取得使用者名稱的字元數,並檢查長度是否為零
:00403602 F2
repnz
:00403603 AE
scasb
:00403604 F7D1
not ecx
/
:00403606 49
dec ecx
/
:00403607 0F84D2000000 je 004036DF
----------
:0040360D 8BFD
mov edi, ebp
:0040360F 83C9FF
or ecx, FFFFFFFF
:00403612 F2
repnz
:00403613 AE
scasb
:00403614 F7D1
not ecx /先取反 再減一 得到字串的位數 常見方法
:00403616 49
dec ecx /好像使用MFC編寫的程式都使用這樣的方法計算字串的長度
:00403617 0F84C2000000 je 004036DF
/檢查註冊碼長度是否為零
:0040361D 53
push ebx
:0040361E 8BFE
mov edi, esi
:00403620 83C9FF
or ecx, FFFFFFFF
:00403623 33DB
xor ebx, ebx
:00403625 F2
repnz
:00403626 AE
scasb
:00403627 F7D1
not ecx
:00403629 49
dec ecx
:0040362A 83F920
cmp ecx, 00000020 /比對使用者名稱位數是否大於32,若小於則正常計算 若大於則只計算使用者名稱的前32位
:0040362D 7E05
jle 00403634 /小於等於則跳轉
:0040362F B920000000 mov ecx,
00000020 /將使用者名稱字元數強行賦值為32
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040362D(C)
|
:00403634 33F6
xor esi, esi /ESI暫存器清零
:00403636 85C9
test ecx, ecx
:00403638 7E1E
jle 00403658
:0040363A B887D61200 mov eax,
0012D687 /EAX暫存器賦值為1234567
:0040363F 99
cdq
:00403640 F7F9
idiv ecx /EAX暫存器的值除以ECX暫存器的值 設結果為常量a,ECX暫存器中儲存的是使用者名稱的位數
:00403642 8B942484000000 mov edx, dword ptr
[esp+00000084] /載入使用者名稱
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403656(C)
|
:00403649 0FBE3C16 movsx
edi, byte ptr [esi+edx] /依次取使用者名稱的大寫字元的ASCII碼參與計算
:0040364D 0FAFF8
imul edi, eax /用當前字元的ASCII碼與常量a相乘
:00403650 03DF
add ebx, edi /結果累加進EBX暫存器中
:00403652 46
inc esi /計數器加一
:00403653 40
inc eax /迴圈位數加一
:00403654 3BF1
cmp esi, ecx /對比迴圈次數和使用者名稱位數 相等則認為迴圈結束 跳出迴圈 不相等則繼續
:00403656 7CF1
jl 00403649
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403638(C)
|
:00403658 81C31FF97E00 add ebx, 007EF91F
/累加結果加上8321311
:0040365E 8D442410 lea
eax, dword ptr [esp+10]
:00403662 53
push ebx
* Possible StringData Ref from Data Obj ->"%i"
|
:00403663 6854354100 push 00413554
:00403668 50
push eax
* Reference To: MSVCRT.sprintf, Ord:02B2h
|
:00403669 FF156C034100 Call dword ptr
[0041036C]
:0040366F 83C40C
add esp, 0000000C
:00403672 8BF5
mov esi, ebp
:00403674 8D442410 lea
eax, dword ptr [esp+10]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040369A(C)
|
:00403678 8A10
mov dl, byte ptr [eax] /迴圈逐位元組比對Fake SN(輸入的註冊碼)和Real SN(程式算出的註冊碼)是否相等
:0040367A 8A1E
mov bl, byte ptr [esi]
:0040367C 8ACA
mov cl, dl
:0040367E 3AD3
cmp dl, bl
:00403680 751E
jne 004036A0
:00403682 84C9
test cl, cl
:00403684 7416
je 0040369C
:00403686 8A5001
mov dl, byte ptr [eax+01]
:00403689 8A5E01
mov bl, byte ptr [esi+01]
:0040368C 8ACA
mov cl, dl
:0040368E 3AD3
cmp dl, bl
:00403690 750E
jne 004036A0
:00403692 83C002
add eax, 00000002
:00403695 83C602
add esi, 00000002
:00403698 84C9
test cl, cl
:0040369A 75DC
jne 00403678
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403684(C)
|
:0040369C 33F6
xor esi, esi
:0040369E EB05
jmp 004036A5
序號產生器正在編譯中………………
------------ Gif2Swf2.1 Cracked ------------------
娃娃(NYDoll)
屬於中國破解組織CCG(CHiNA CrACKiNG GrOUp)
僅以此文獻給我們可愛的組織CCG 希望它能蒸蒸日上
特別獻給新興組織CNCG