XDos v1.1 ~ a DOS shell program (9,000 characters)

Posted by 看雪資料 on 2015-11-15


Poster: lq7972

Time: 2003-10-05 14:31:34

Details:

Software:XDos v1.1
http://www.MoreQuick.com/
A shell program for DOS: it can run most DOS commands and also some Windows programs. It is a multi-window program, and commands such as copy and paste can be used inside XDos.
Tools:TRW 2000
Cracker:lq7972[bruceyu13@sina.com]
Notes: still learning~

This is a typical serial-comparison program and is not hard to trace; it is well suited for beginners like me to practise on.
After loading it in TRW, set the breakpoint "bpx hmemcpy", then use "pmodule" to get back into the program's own code (remember to clear the breakpoint with "bc"); press F15 about 15 times, then F10 to return, and you arrive at:
0167:00401B10 E8B08F0100       CALL     0041AAC5                                  user name
0167:00401B15 8B4C2408         MOV      ECX,[ESP+08]
0167:00401B19 8379F801         CMP      DWORD [ECX-08],BYTE +01
0167:00401B1D 7D0E             JNL      00401B2D
0167:00401B1F 6AFF             PUSH     BYTE -01
0167:00401B21 6A00             PUSH     BYTE +00
0167:00401B23 680BF00000       PUSH     DWORD F00B
0167:00401B28 E996000000       JMP      00401BC3
0167:00401B2D 8D542404         LEA      EDX,[ESP+04]
0167:00401B31 8D4E5C           LEA      ECX,[ESI+5C]
0167:00401B34 52               PUSH     EDX
0167:00401B35 E88B8F0100       CALL     0041AAC5                                  the entered serial
0167:00401B3A 8B442404         MOV      EAX,[ESP+04]
0167:00401B3E 8378F801         CMP      DWORD [EAX-08],BYTE +01
0167:00401B42 7E76             JNG      00401BBA
0167:00401B44 51               PUSH     ECX
0167:00401B45 8D542408         LEA      EDX,[ESP+08]
0167:00401B49 8BCC             MOV      ECX,ESP
0167:00401B4B 89642410         MOV      [ESP+10],ESP
0167:00401B4F 52               PUSH     EDX
0167:00401B50 E8C1D00100       CALL     0041EC16
0167:00401B55 E856FDFFFF       CALL     004018B0                                  this is the key point, [step into]
0167:00401B5A 83C404           ADD      ESP,BYTE +04
0167:00401B5D 85C0             TEST     EAX,EAX
0167:00401B5F 744E             JZ       00401BAF

;[Step into]
0167:004018B0 6AFF             PUSH     BYTE -01
0167:004018B2 6858A44300       PUSH     DWORD 0043A458
0167:004018B7 64A100000000     MOV      EAX,[FS:00]
0167:004018BD 50               PUSH     EAX
0167:004018BE 64892500000000   MOV      [FS:00],ESP
0167:004018C5 83EC38           SUB      ESP,BYTE +38
0167:004018C8 53               PUSH     EBX
0167:004018C9 56               PUSH     ESI
0167:004018CA 33F6             XOR      ESI,ESI                                  zero esi
0167:004018CC 8D4C2450         LEA      ECX,[ESP+50]
0167:004018D0 89742448         MOV      [ESP+48],ESI
0167:004018D4 E804620100       CALL     00417ADD
0167:004018D9 8D4C2450         LEA      ECX,[ESP+50]
0167:004018DD E8AF610100       CALL     00417A91                       does this Call check that the entered serial is all digits?
0167:004018E2 8B442450         MOV      EAX,[ESP+50]                             length of the
0167:004018E6 8B40F8           MOV      EAX,[EAX-08]                                entered serial
0167:004018E9 83F80A           CMP      EAX,BYTE +0A                                  equal to 10 (decimal)?
0167:004018EC 7424             JZ       00401912                                      yes, must jump

0167:004018EE 8D4C2450         LEA      ECX,[ESP+50]
0167:004018F2 C7442448FFFFFFFF MOV      DWORD [ESP+48],FFFFFFFF
0167:004018FA E8A2D50100       CALL     0041EEA1
0167:004018FF 5E               POP      ESI
0167:00401900 33C0             XOR      EAX,EAX
0167:00401902 5B               POP      EBX
0167:00401903 8B4C2438         MOV      ECX,[ESP+38]
0167:00401907 64890D00000000   MOV      [FS:00],ECX
0167:0040190E 83C444           ADD      ESP,BYTE +44
0167:00401911 C3               RET     

0167:00401912 A11CD64400       MOV      EAX,[0044D61C]                           jumps to here
0167:00401917 57               PUSH     EDI
0167:00401918 8944240C         MOV      [ESP+0C],EAX
0167:0040191C 89442410         MOV      [ESP+10],EAX
0167:00401920 8D4C2414         LEA      ECX,[ESP+14]
0167:00401924 6A05             PUSH     BYTE +05
0167:00401926 BB02000000       MOV      EBX,02                                   ebx=2, used below
0167:0040192B 51               PUSH     ECX
0167:0040192C 8D4C245C         LEA      ECX,[ESP+5C]
0167:00401930 885C2454         MOV      [ESP+54],BL
0167:00401934 E8C55D0100       CALL     004176FE
                                             this Call cuts the entered serial in half and reverses the first part, giving Num1 and Num2
0167:00401939 50               PUSH     EAX
0167:0040193A 8D4C2410         LEA      ECX,[ESP+10]
0167:0040193E C644245003       MOV      BYTE [ESP+50],03
0167:00401943 E892D60100       CALL     0041EFDA
0167:00401948 8D4C2414         LEA      ECX,[ESP+14]
0167:0040194C 885C244C         MOV      [ESP+4C],BL
0167:00401950 E84CD50100       CALL     0041EEA1
0167:00401955 8D542418         LEA      EDX,[ESP+18]
0167:00401959 6A05             PUSH     BYTE +05
0167:0040195B 52               PUSH     EDX
0167:0040195C 8D4C245C         LEA      ECX,[ESP+5C]
0167:00401960 E81D5D0100       CALL     00417682
0167:00401965 50               PUSH     EAX
0167:00401966 8D4C2414         LEA      ECX,[ESP+14]
0167:0040196A C644245004       MOV      BYTE [ESP+50],04
0167:0040196F E866D60100       CALL     0041EFDA
0167:00401974 8D4C2418         LEA      ECX,[ESP+18]
0167:00401978 885C244C         MOV      [ESP+4C],BL
0167:0040197C E820D50100       CALL     0041EEA1
0167:00401981 8D4C240C         LEA      ECX,[ESP+0C]
;************************************************************************ turn your eyes to this spot
0167:00401985 E8D7D90100       CALL     0041F361
0167:0040198A 895C241C         MOV      [ESP+1C],EBX                     ebx=2, remember?
0167:0040198E 83CBFF           OR       EBX,BYTE -01
0167:00401991 33C0             XOR      EAX,EAX
0167:00401993 C744242006000000 MOV      DWORD [ESP+20],06
0167:0040199B 89442434         MOV      [ESP+34],EAX
0167:0040199F C7442424F9FFFFFF MOV      DWORD [ESP+24],FFFFFFF9
0167:004019A7 89442438         MOV      [ESP+38],EAX
0167:004019AB C744242804000000 MOV      DWORD [ESP+28],04
0167:004019B3 8944243C         MOV      [ESP+3C],EAX
0167:004019B7 895C242C         MOV      [ESP+2C],EBX
0167:004019BB C744243008000000 MOV      DWORD [ESP+30],08
0167:004019C3 89442440         MOV      [ESP+40],EAX
;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ finally stop here
0167:004019C7 8D7C241C         LEA      EDI,[ESP+1C]                    [edi]=2
;-----------------------------------------------------------------------
0167:004019CB 8B4C240C         MOV      ECX,[ESP+0C]                    Num1
0167:004019CF 8A17             MOV      DL,[EDI]                        [edi] into dl
0167:004019D1 8A040E           MOV      AL,[ESI+ECX]                    i-th byte of Num1 (i from 0 to 4)
0167:004019D4 02C2             ADD      AL,DL                           al+dl
0167:004019D6 3C30             CMP      AL,30                           greater than or equal to 30h?
0167:004019D8 88442414         MOV      [ESP+14],AL                     (store the result)
0167:004019DC 7D06             JNL      004019E4                        yes, jump~
0167:004019DE 040A             ADD      AL,0A                           no, add 0Ah
0167:004019E0 88442414         MOV      [ESP+14],AL
0167:004019E4 3C39             CMP      AL,39                           less than or equal to 39h?
0167:004019E6 7E06             JNG      004019EE                        yes, jump~
0167:004019E8 04F6             ADD      AL,F6                           no, add F6h (i.e. subtract 0Ah)
0167:004019EA 88442414         MOV      [ESP+14],AL
0167:004019EE 8B542414         MOV      EDX,[ESP+14]                    the computed result
0167:004019F2 8D4C240C         LEA      ECX,[ESP+0C]                    Num1
0167:004019F6 52               PUSH     EDX
0167:004019F7 56               PUSH     ESI
0167:004019F8 E876D90100       CALL     0041F373                        this Call replaces the i-th byte of Num1 with the result
0167:004019FD 46               INC      ESI                             esi+1
0167:004019FE 83C704           ADD      EDI,BYTE +04                    edi+4, [Note] see below
0167:00401A01 83FE05           CMP      ESI,BYTE +05                    esi less than 5?
0167:00401A04 7CC5             JL       004019CB                        yes, jump~
;-----------------------------------------------------------------------
0167:00401A06 8D4C240C         LEA      ECX,[ESP+0C]
;[Note] edi advances 4 bytes each time, five times in all; the values it points at are 02, 06, F9h, 04, FFh, 08h

[Summary]
From the analysis above you have surely worked out the program's registration algorithm. Yes, here it is:
First half of serial     ①       ②       ③       ④       ⑤
                        ↓-1     ↓+4     ↓+3     ↓+6     ↓+2
Second half of serial    ⑥       ⑦       ⑧       ⑨       ⑩
If an addition or subtraction leaves the range [0,9], ignore the carry or borrow and take the absolute value. The user name is merely decorative.

[Keygen]
With MASM32 you can copy 004019CB~00401A04 (UltraEdit's column-editing mode helps here) and modify it slightly. Here we compile it with Delphi 6 instead.
/////////////////////////////////////////////////////////////////////
//   The KeyGen by lq7972, with Delphi 6
//   E-Mail: bruceyu13@sina.com
//   XDos v1.1 KeyGen
////////////////////////////////////////////////////////////////////
procedure TForm1.Button1Click(Sender: TObject);
var
  i: Integer;
  Code1, Code2: String;
  Temp1, Temp2, Temp3, Temp4, Temp5: Char;
begin
  Randomize;                         // seed the generator so each click yields a new first half
  // First half: five random decimal digits (Random(10) gives 0..9; Random(9) would never produce a 9)
  Code1 := IntToStr(Random(10)) + IntToStr(Random(10)) + IntToStr(Random(10)) +
           IntToStr(Random(10)) + IntToStr(Random(10));
  // Second half: shift each digit by -1, +4, +3, +6, +2 and wrap it back into
  // '0'..'9', mirroring the fix-ups at 004019DE and 004019E8
  for i := 1 to 5 do
    case i of
      1:
      begin
        Temp1 := Char(Ord(Code1[1]) - 1);
        if Ord(Temp1) < $30 then
          Temp1 := Char(Ord(Temp1) + $A);
      end;
      2:
      begin
        Temp2 := Char(Ord(Code1[2]) + 4);
        if Ord(Temp2) > $39 then
          Temp2 := Char(Ord(Temp2) - $A);
      end;
      3:
      begin
        Temp3 := Char(Ord(Code1[3]) + 3);
        if Ord(Temp3) > $39 then
          Temp3 := Char(Ord(Temp3) - $A);
      end;
      4:
      begin
        Temp4 := Char(Ord(Code1[4]) + 6);
        if Ord(Temp4) > $39 then
          Temp4 := Char(Ord(Temp4) - $A);
      end;
      5:
      begin
        Temp5 := Char(Ord(Code1[5]) + 2);
        if Ord(Temp5) > $39 then
          Temp5 := Char(Ord(Temp5) - $A);
      end;
    end;
  Code2 := Temp1 + Temp2 + Temp3 + Temp4 + Temp5;
  Edit2.Text := Code1 + Code2;
end;
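As an added check on the derivation from the loop constants to the summary table (example code written for this edit, not part of the original post or of XDos), the following Python emulates the byte arithmetic of the loop at 004019CB~00401A04 with the deltas listed in the [Note] line and confirms it reduces to the author's mod-10 offsets. The function names are my own, and since the post does not show the final compare, it assumes the transformed Num1 is matched against Num2 in the same reversed order.

```python
# Added example (not from the original post): emulate the byte arithmetic of the
# loop at 004019CB-00401A04 and check it against the author's mod-10 table.

# Deltas read through EDI from [ESP+1C], [ESP+20], ... (the [Note] line above);
# ESI only runs 0..4, so the sixth value (08h) is never consumed.
LOOP_DELTAS = [0x02, 0x06, 0xF9, 0x04, 0xFF]

# The author's summary table: offsets from digits 1..5 to digits 6..10.
TABLE_OFFSETS = [-1, +4, +3, +6, +2]

def asm_step(ch: str, delta: int) -> str:
    """One loop iteration: ADD AL,DL followed by the two range fix-ups."""
    al = (ord(ch) + delta) & 0xFF      # 8-bit add; the carry is simply lost
    if al < 0x30:                      # CMP AL,30 / JNL: fell below '0'
        al = (al + 0x0A) & 0xFF        # ADD AL,0A
    if al > 0x39:                      # CMP AL,39 / JNG: went above '9'
        al = (al + 0xF6) & 0xFF        # ADD AL,F6, i.e. subtract 10
    return chr(al)

def transform_num1(num1: str) -> str:
    """Run the loop over Num1, the reversed first half of the serial."""
    return "".join(asm_step(c, d) for c, d in zip(num1, LOOP_DELTAS))

def second_half_from_table(first_half: str) -> str:
    """Second half according to the summary table, digits taken modulo 10."""
    return "".join(str((int(c) + o) % 10) for c, o in zip(first_half, TABLE_OFFSETS))

def second_half_from_asm(first_half: str) -> str:
    """Second half as the disassembled loop computes it.

    Assumption: the post does not show the final compare, so the transformed
    Num1 is taken to be matched against Num2 in the same reversed order; that
    is what lines 02,06,F9,04,FF up with +2,+6,+3,+4,-1 read from digit 5 back
    to digit 1 (F9h is -7, which is +3 modulo 10; FFh is -1).
    """
    return transform_num1(first_half[::-1])[::-1]

def check_code(code: str) -> bool:
    """The program's accept/reject decision: ten digits, halves related by the loop."""
    if len(code) != 10 or not code.isdigit():
        return False
    return second_half_from_asm(code[:5]) == code[5:]

def table_matches_loop() -> bool:
    """Each position is independent, so the ten strings 00000..99999 of one
    repeated digit exercise every (position, digit) pair."""
    return all(second_half_from_table(d * 5) == second_half_from_asm(d * 5)
               for d in "0123456789")
```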
