Keyboard/Mouse Tool CMDbar V2.3: A Brief Analysis of the Algorithm!
Title: Keyboard/Mouse Tool CMDbar V2.3: A Brief Analysis of the Algorithm!
Poster: ShenGe
Time: 2003/08/01 06:47pm
Details:
〖Software size〗: 812 KB
〖Software language〗: English
〖Software category〗: foreign software / shareware / keyboard & mouse
〖Runs on〗: Win95/98/NT
〖Added〗: 2003-07-05 08:08:22
〖Download〗: http://count.skycn.com/softdown.php?id=12770&url=http://on165-http.skycn.net:8080/down/cmdbar.zip
〖Rating〗: ☆☆☆☆
【Software description】:
This is a command-line program for controlling Windows from the keyboard; it works on Windows 95, Windows 98 and Windows NT. Users can run most commands from the keyboard, such as copying, deleting, listing files, launching favourite programs easily, connecting to the World Wide Web, and quickly entering and searching favourite folders. CMDbar supports a convenient file management window, multiple command aliases, favourite files, folders and programs, file filters and many built-in commands. CMDbar can also save and run small programs written by the user.
〖Cracking tools〗: OllyDbg V1.09, Wdasm V10.0, the calculator that ships with Windows
〖Author's note〗: I'm a beginner at cracking; this is for study and exchange only. Please correct any mistakes.
【Brief procedure】:
Fill in arbitrary registration info:
Name:ShenGe[BCG]
Company:HOME
Postal: none, so left blank
Number of licences:8888
Registration:12345678
Keeping up the effort, as a holiday offering, here is the cracking process for a foreign program.
No packer, written in VC. Disassemble with Wdasm, use the string references to locate the breakpoint, then load it in OD for analysis:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402364(C)
|
:0040236F 834DFCFF        or dword ptr [ebp-04], FFFFFFFF
:00402373 8D465C          lea eax, dword ptr [esi+5C]
:00402376 8D4F04          lea ecx, dword ptr [edi+04]
:00402379 50              push eax
:0040237A E8A7FF0100      call 00422326
:0040237F 8D4660          lea eax, dword ptr [esi+60]
<===[eax]="ShenGe[BCG]"
:00402382 8BCF            mov ecx, edi
:00402384 50              push eax
:00402385 E89CFF0100      call 00422326
:0040238A 8D466C          lea eax, dword ptr [esi+6C]
:0040238D 8D4F04          lea ecx, dword ptr [edi+08]
:00402390 50              push eax
:00402391 E890FF0100      call 00422326
:00402396 8B4664          mov eax, dword ptr [esi+64]
<===eax=22B8, the hex value of the Licences field, 8888
:00402399 89470C          mov dword ptr [edi+0C], eax
:0040239C A178694300      mov eax, dword ptr [00436978]
:004023A1 8945F0          mov dword ptr [ebp-10], eax
:004023A4 895DFC          mov dword ptr [ebp-04], ebx
:004023A7 8945EC          mov dword ptr [ebp-14], eax
:004023AA 53              push ebx
:004023AB 8D4DEC          lea ecx, dword ptr [ebp-14]
:004023AE C645FC02        mov [ebp-04], 02
:004023B2 E85A020200      call 00422611
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:004023B7 FF7668          push [esi+68]
<===[esi+68] holds the fake code "12345678"
:004023BA 8D5E68          lea ebx, dword ptr [esi+68]
:004023BD 8BCF            mov ecx, edi
<===[ecx]="ShenGe[BCG]"
:004023BF E8F0490000      call 00406DB4
<===Right after this comes a test and a long jump, so naturally we step into this Call! ①
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
:004023C4 84C0            test al, al
:004023C6 747C            je 00402444
:004023C8 8BCB            mov ecx, ebx
:004023CA E8E8010200      call 004225B7
:004023CF 6A00            push 00000000
:004023D1 8BCE            mov ecx, esi
:004023D3 E812EB0100      call 00420EEA
:004023D8 E89C470200      call 00426B79
:004023DD 8B4004          mov eax, dword ptr [eax+04]
:004023E0 8D98E4000000    lea ebx, dword ptr [eax+000000E4]
:004023E6 8D4704          lea eax, dword ptr [edi+04]
:004023E9 50              push eax
:004023EA 8D4B04          lea ecx, dword ptr [ebx+04]
:004023ED E834FF0100      call 00422326
:004023F2 57              push edi
:004023F3 8BCB            mov ecx, ebx
:004023F5 E82CFF0100      call 00422326
:004023FA 8D4708          lea eax, dword ptr [edi+08]
:004023FD 8D4B08          lea ecx, dword ptr [ebx+08]
:00402400 50              push eax
:00402401 E820FF0100      call 00422326
:00402406 8B470C          mov eax, dword ptr [edi+0C]
:00402409 89430C          mov dword ptr [ebx+0C], eax
:0040240C E868470200      call 00426B79
:00402411 8B4004          mov eax, dword ptr [eax+04]
:00402414 8D5668          lea edx, dword ptr [esi+68]
:00402417 52              push edx
:00402418 8BC8            mov ecx, eax
:0040241A E84D580000      call 00407C6C

* Possible Reference to String Resource ID=00275: "The registration number is accepted. Thank you for register"
|
:0040241F 6813010000      push 00000113
:00402424 8D4DF0          lea ecx, dword ptr [ebp-10]
:00402427 E8E5010200      call 00422611
<===We can pack up here!
* Possible Ref to Menu: MenuID_0079, Item: "Exit"
|
:0040242C 6A40            push 00000040
:0040242E 8BCE            mov ecx, esi
:00402430 FF75EC          push [ebp-14]
:00402433 FF75F0          push [ebp-10]
:00402436 E853E30100      call 0042078E
:0040243B 8BCE            mov ecx, esi
:0040243D E86AC70100      call 0041EBAC
:00402442 EB1C            jmp 00402460

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004023C6(C)
|
* Possible Reference to String Resource ID=00276: "The registration number is not valid. Make sure you have en"
|
:00402444 6814010000      push 00000114
:00402449 8D4DF0          lea ecx, dword ptr [ebp-10]
:0040244C E8C0010200      call 00422611
<===Bad Boy!
:00402451 6A10            push 00000010
:00402453 8BCE            mov ecx, esi
:00402455 FF75EC          push [ebp-14]
:00402458 FF75F0          push [ebp-10]
:0040245B E82EE30100      call 0042078E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402442(U)
|
:00402460 85FF            test edi, edi
:00402462 740E            je 00402472
:00402464 8BCF            mov ecx, edi
:00402466 E88A470000      call 00406BF5
:0040246B 57              push edi
:0040246C E876FB0100      call 00421FE7
:00402471 59              pop ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402462(C)
|
:00402472 8D4DEC          lea ecx, dword ptr [ebp-14]
:00402475 C645FC01        mov [ebp-04], 01
:00402479 E8FFFD0100      call 0042227D
:0040247E 834DFCFF        or dword ptr [ebp-04], FFFFFFFF
:00402482 8D4DF0          lea ecx, dword ptr [ebp-10]
:00402485 E8F3FD0100      call 0042227D
:0040248A 5F              pop edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040234B(C)
|
:0040248B 8B4DF4          mov ecx, dword ptr [ebp-0C]
:0040248E 5E              pop esi
:0040248F 5B              pop ebx
:00402490 64890D00000000  mov dword ptr fs:[00000000], ecx
:00402497 C9              leave
:00402498 C3              ret
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★
① Step into this Call and see what it contains:
:00406DB4 B8AC9B4200      mov eax, 00429BAC
:00406DB9 E8BE870000      call 0040F57C
:00406DBE 51              push ecx
:00406DBF A178694300      mov eax, dword ptr [00436978]
:00406DC4 53              push ebx
:00406DC5 56              push esi
:00406DC6 8BF1            mov esi, ecx
:00406DC8 8945F0          mov dword ptr [ebp-10], eax
:00406DCB FF7508          push [ebp+08]
:00406DCE 8365FC00        and dword ptr [ebp-04], 00000000
:00406DD2 8D4D08          lea ecx, dword ptr [ebp+08]
:00406DD5 E8CDB40100      call 004222A7
:00406DDA 8D4D08          lea ecx, dword ptr [ebp+08]
:00406DDD C645FC01        mov [ebp-04], 01
:00406DE1 E8805A0100      call 0041C866
<===Fetches the fake code: eax="12345678"
:00406DE6 8D4D08          lea ecx, dword ptr [ebp+08]
:00406DE9 E82C5A0100      call 0041C81A
:00406DEE 8D4D08          lea ecx, dword ptr [ebp+08]
:00406DF1 E8C1B70100      call 004225B7
:00406DF6 8D45F0          lea eax, dword ptr [ebp-10]
:00406DF9 8BCE            mov ecx, esi
:00406DFB 50              push eax
:00406DFC E836FFFFFF      call 00406D37
<====After this Call, ecx="4032ffffde7003e9". Needless to say, we step into this one too! ②
:00406E01 84C0            test al, al
:00406E03 743C            je 00406E41
:00406E05 8D4DF0          lea ecx, dword ptr [ebp-10]
:00406E08 E8AAB70100      call 004225B7
<===This Call converts the lowercase characters in the string to uppercase
:00406E0D 8B4508          mov eax, dword ptr [ebp+08]
<===eax="12345678", the fake code
:00406E10 8B48F8          mov ecx, dword ptr [eax-08]
<===ecx=8, the length of the fake code
:00406E13 83F908          cmp ecx, 00000008
<===The registration code must be 8 characters long (1st chance)
:00406E16 7517            jne 00406E2F
:00406E18 51              push ecx
:00406E19 FF75F0          push [ebp-10]
<===[ebp-10] holds "4032FFFFDE7003E9"
:00406E1C 50              push eax
<===eax="12345678", the fake code
:00406E1D E8AE920000      call 004100D0
<===I'd guess this is the comparison Call; step into it if you like, I couldn't be bothered! My guess is that the correct registration code is "4032FFFF"
:00406E22 8BD8            mov ebx, eax
:00406E24 83C40C          add esp, 0000000C
:00406E27 F7DB            neg ebx
:00406E29 1ADB            sbb bl, bl
:00406E2B FEC3            inc bl
:00406E2D EB14            jmp 00406E43

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406E16(C)
|
--------------------------------------------------------------
The 2nd chance starts here
:00406E2F 50              push eax
<===the fake code
:00406E30 FF75F0          push [ebp-10]
<===the true code; I needn't say more about the rest!
:00406E33 E8688B0000      call 0040F9A0
:00406E38 59              pop ecx
:00406E39 85C0            test eax, eax
:00406E3B 59              pop ecx
:00406E3C 0F94C3          sete bl
:00406E3F EB02            jmp 00406E43
--------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406E03(C)
|
:00406E41 32DB            xor bl, bl

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406E2D(U), :00406E3F(U)
|
:00406E43 8065FC00        and byte ptr [ebp-04], 00
:00406E47 8D4D08          lea ecx, dword ptr [ebp+08]
:00406E4A E82EB40100      call 0042227D
:00406E4F 834DFCFF        or dword ptr [ebp-04], FFFFFFFF
:00406E53 8D4DF0          lea ecx, dword ptr [ebp-10]
:00406E56 E822B40100      call 0042227D
:00406E5B 8B4DF4          mov ecx, dword ptr [ebp-0C]
:00406E5E 8AC3            mov al, bl
:00406E60 5E              pop esi
:00406E61 5B              pop ebx
:00406E62 64890D00000000  mov dword ptr fs:[00000000], ecx
:00406E69 C9              leave
:00406E6A C20400          ret 0004
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
② It looks like the algorithm is in this Call:
* Referenced by a CALL at Addresses:
|:00406DFC , :00407D35
|
:00406D37 55              push ebp
:00406D38 8BEC            mov ebp, esp
:00406D3A 51              push ecx
:00406D3B 53              push ebx
:00406D3C 56              push esi
:00406D3D 8BF1            mov esi, ecx
:00406D3F 57              push edi
:00406D40 56              push esi
<===[esi]="ShenGe[BCG]", the user name
:00406D41 E827010000      call 00406E6D
<===This Call converts the lowercase characters in the string to uppercase, drops every other character (only characters in A~Z take part in the computation), then adds them up and takes the low part of the sum (hex). For mine: "SHENGE[BCG]"---53+48+45+4E+47+45+42+43+47=286
:00406D46 8945FC          mov dword ptr [ebp-04], eax
<===eax=286
:00406D49 8D4604          lea eax, dword ptr [esi+04]
:00406D4C 50              push eax
<===[eax]="HOME"
:00406D4D 8BCE            mov ecx, esi
:00406D4F E819010000      call 00406E6D
<===Same as above
:00406D54 8BF8            mov edi, eax
<===eax=129
:00406D56 8D4608          lea eax, dword ptr [esi+08]
:00406D59 50              push eax
:00406D5A 8BCE            mov ecx, esi
<===[ecx]="ShenGe[BCG]"
:00406D5C E80C010000      call 00406E6D
:00406D61 8B4D08          mov ecx, dword ptr [ebp+08]
:00406D64 8BD8            mov ebx, eax
<===ebx=3E8, looks like a constant!
:00406D66 E89DB40100      call 00422208
:00406D6B B8E8030000      mov eax, 000003E8
:00406D70 3945FC          cmp dword ptr [ebp-04], eax
:00406D73 750C            jne 00406D81
:00406D75 3BF8            cmp edi, eax
:00406D77 7508            jne 00406D81
:00406D79 3BD8            cmp ebx, eax
:00406D7B 7504            jne 00406D81
:00406D7D 32C0            xor al, al
:00406D7F EB2C            jmp 00406DAD

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00406D73(C), :00406D77(C), :00406D7B(C)
|
:00406D81 8B4610          mov eax, dword ptr [esi+10]
<===eax=3E8, a constant
:00406D84 8B760C          mov esi, dword ptr [esi+0C]
<===esi=22B8 --> the hex value of 8888
:00406D87 2BFE            sub edi, esi
<===edi=129-22B8=FFFFDE71
:00406D89 2B75FC          sub esi, dword ptr [ebp-04]
<===esi=22B8-286=2032
:00406D8C 8D0C18          lea ecx, dword ptr [eax+ebx]
<===ecx=3E8+1=03E9
:00406D8F 2BF8            sub edi, eax
<===edi=FFFFDE71-1=FFFFDE70
:00406D91 51              push ecx
<===push argument 1
:00406D92 57              push edi
<===push argument 2
:00406D93 8D8406FF1F0000  lea eax, dword ptr [esi+eax+00001FFF]
<===eax=2032+1+1FFF=4032
:00406D9A 50              push eax
<===push argument 3
* Possible StringData Ref from Data Obj ->"%04x%04x%04x"
|
:00406D9B 6870624300      push 00436270
:00406DA0 FF7508          push [ebp+08]
:00406DA3 E8165A0100      call 0041C7BE
<===See the "%04x%04x%04x" above? This Call joins the three arguments pushed above and converts them into a string. The return value is in ecx; mine is "4032ffffde7003e9"
:00406DA8 83C414          add esp, 00000014
:00406DAB B001            mov al, 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406D7F(U)
|
:00406DAD 5F              pop edi
:00406DAE 5E              pop esi
:00406DAF 5B              pop ebx
:00406DB0 C9              leave
:00406DB1 C20400          ret 0004
【Summary】:
At this point we have basically understood the program's algorithm:
Compute the hex sum of the characters of the user name and of Company (lowercase converted to uppercase; special characters do not take part, i.e. only characters in A~Z are used) and take the low part of each; call them a and b. Let c be the hex value of the Licences field the user entered. Then the registration code is the string formed by joining the values (b-c-1) and (c-a) with "03E9" (see the exact arithmetic and operand order in the code above), or the first 8 characters of that string, so there are two valid codes. (Heh, I really don't know how to describe it; if it isn't clear, just read the code above!)
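As an added example (not from the original post, and not the program's own code), the routine reconstructed in ② and the two-way comparison in ① re-implemented in Python so the observed values can be checked, and so the weakness is visible: the verifier contains everything needed to regenerate the code from public inputs. It assumes the empty Postal field yields 0x3E8 and that the value at [esi+10] is 1, as the trace's own arithmetic (FFFFDE71-1, 2032+1+1FFF) implies.

```python
MASK32 = 0xFFFFFFFF
POSTAL_SUM = 0x3E8  # value the trace shows in ebx for the empty Postal field (assumption: constant)
STEP = 1            # value at [esi+10]; the trace's own arithmetic uses 1 (assumption)


def letter_sum(s: str) -> int:
    """Mirror of the call at 00406E6D: uppercase the string, keep only A-Z,
    and add up the byte values ("ShenGe[BCG]" -> 0x286, "HOME" -> 0x129)."""
    return sum(ord(ch) for ch in s.upper() if "A" <= ch <= "Z") & MASK32


def true_code(name: str, company: str, licences: int):
    """Mirror of the call at 00406D37: returns the 16-character code, or None
    when the routine bails out (all three sums equal 0x3E8)."""
    a, b, c = letter_sum(name), letter_sum(company), licences
    if a == 0x3E8 and b == 0x3E8 and POSTAL_SUM == 0x3E8:
        return None                              # the xor al,al path at 00406D7D
    arg2 = (b - c - STEP) & MASK32               # edi: 129-22B8-1 -> FFFFDE70
    arg1 = (c - a + STEP + 0x1FFF) & MASK32      # eax: 22B8-286+1+1FFF -> 4032
    arg3 = STEP + POSTAL_SUM                     # ecx: 1+3E8 -> 03E9
    # "%04x%04x%04x" pads to at least 4 digits, so the 32-bit arg2 prints as 8
    return f"{arg1:04x}{arg2:04x}{arg3:04x}".upper()


def check_code(entered: str, name: str, company: str, licences: int) -> bool:
    """Mirror of the check at 00406DB4: both strings are uppercased; an
    8-character entry is compared against the first 8 characters of the true
    code (the "1st chance"), anything else against the whole string."""
    expected = true_code(name, company, licences)
    if expected is None:
        return False
    entered = entered.upper()
    if len(entered) == 8:
        return entered == expected[:8]
    return entered == expected
```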
The program stores the registration info in the registry under "HKEY_CURRENT_USER\Software\Rovensky Software\CMDbar\General".
A usable registration code:
Name:ShenGe[BCG]
Company:HOME
Postal:
Number of licences:8888
Registration:4032FFFF or 4032FFFFDE7003E9
Cracked By ShenGe[BCG] 2003.8.1