Shiznit Scanner V2.1: notes on working out a simple algorithm (midterms are finally over, so I have a little time to play with cracking; I hope everyone will help me out, thanks ^_^) (14k characters)

Pediy (看雪) archive, published 2015-11-15

Software: Shiznit Scanner V2.1
Description: Fast configurable highly featured UDP/TCP Port/Subnet Scanner for windows. Some key features are: TCP Port scanning of stealth and non-stealth hosts, Extreme UDP Port scanning, UDP Subnet scanning!, High speed ping scanning of subnets, TCP Subnet scanning of stealth and non-stealth hosts, Setting of start and stop ports, Gives you the ability to save results, Nice looking interface, Tells you if remote computer being scanned is stealth, You choose the speed of scan, Tells you the host responses for TCP Port scan and Subnet scan, Tells you the port use from huge lists of ports as found, Port scanner & Subnet scanner integration, so as though you can double click an IP found with the Subnet scanner to port scan with the Port scanner... Many new features in V2.0, a must have for TCP/IP network administrators.

Cracked by: BurSH[FCG][BCG][DFCG] (on 2003.4.20)
Tools: TRW2000 1.23


Ok, let's begin!
Press Ctrl+N to bring up TRW2000 and set a breakpoint with BPX GetDlgItemTextA. Enter any registration information and click "Register Shiznit Scanner 2.1". It breaks! Use the PMODULE command to get back into the program's own code, then BC to clear the breakpoint, press F10 three times, and you see the following code:


016F:00406DB7  PUSH    BYTE +01
016F:00406DB9  PUSH    BYTE +00
016F:00406DBB  PUSH    DWORD 0421
016F:00406DC0  MOV      ECX,[EBP+FFFFFBEC]
016F:00406DC6  CALL    004379C8==>reads the registration code the user typed (as a number: inside the key call it is compared as a 32-bit integer, not as a string)
016F:00406DCB  PUSH    EAX==>push the entered registration code
016F:00406DCC  LEA      EAX,[EBP-20]==>address of the buffer holding the user name
016F:00406DCF  PUSH    EAX==>push the user name pointer
016F:00406DD0  CALL    00406870==>the key call: it computes and checks the registration code! Press F8 to step into it~
016F:00406DD5  AND      EAX,FF==>only AL matters: it is the boolean result of the check
016F:00406DDA  TEST    EAX,EAX==>is the registration code correct?
016F:00406DDC  JZ      NEAR 00406E98==>wrong: jump to the failure path :(
016F:00406DE2  PUSH    BYTE +00
016F:00406DE4  PUSH    DWORD 00448C98
016F:00406DE9  PUSH    DWORD 00448BCC
016F:00406DEE  MOV      ECX,[EBP+FFFFFBEC]
016F:00406DF4  CALL    004368A5


Press F8 to step into the key call at 406DD0 and you see:

016F:00406870  PUSH    EBP
016F:00406871  MOV      EBP,ESP
016F:00406873  SUB      ESP,0430
016F:00406879  PUSH    EBX
016F:0040687A  PUSH    ESI
016F:0040687B  PUSH    EDI
016F:0040687C  MOV      EDI,[EBP+08]==>EDI = pointer to the user name (first argument)
016F:0040687F  LEA      EDX,[EBP-2C]==>EDX = local buffer at [EBP-2C] that will receive a copy of the name
016F:00406882  OR      ECX,BYTE -01==>ECX = -1: the start of an inline strlen
016F:00406885  XOR      EAX,EAX==>scan for the byte 0
016F:00406887  REPNE SCASB==>advance EDI until the terminating NUL is found
016F:00406889  NOT      ECX==>ECX = length of the name + 1 (the NUL included)
016F:0040688B  SUB      EDI,ECX==>EDI back to the start of the name
016F:0040688D  MOV      ESI,EDI==>ESI = source (the name)
016F:0040688F  MOV      EAX,ECX==>keep the byte count in EAX
016F:00406891  MOV      EDI,EDX==>EDI = destination ([EBP-2C])
016F:00406893  SHR      ECX,02==>ECX = number of whole dwords to copy
016F:00406896  REP MOVSD ==>I did not understand this instruction; could some expert explain it to me? If I step over it with F8 the registration fails :( so I simply used g to go to the next instruction. (What it does: it copies ECX dwords from [ESI] to [EDI]; together with the REP MOVSB below this is an inline strcpy of the name into [EBP-2C].)
016F:00406898  MOV      ECX,EAX
016F:0040689A  AND      ECX,BYTE +03==>ECX = the remaining 0..3 bytes
016F:0040689D  REP MOVSB ==>copy those last bytes (g 40689F)
016F:0040689F  MOV      DWORD [EBP-08],00==>[EBP-08] is the loop index, start at 0
016F:004068A6  JMP      SHORT 004068B1==>jump down to 4068B1
016F:004068A8  MOV      ECX,[EBP-08]
016F:004068AB  ADD      ECX,BYTE +01==>index + 1!
016F:004068AE  MOV      [EBP-08],ECX==>store it back into [EBP-08]
016F:004068B1  MOV      EDX,[EBP-08]==>EDX = the index
016F:004068B4  MOVSX    EAX,BYTE [EBP+EDX-2C]==>fetch the next byte of the user name copy ([EBP-2C] holds the copy of the user name)
016F:004068B9  TEST    EAX,EAX==>reached the terminating NUL, i.e. all characters processed?
016F:004068BB  JZ      004068D0==>yes: leave the loop; otherwise keep going
016F:004068BD  MOV      ECX,[EBP-08]==>ECX = the index
016F:004068C0  MOV      DL,[EBP+ECX-2C]==>fetch the same byte of the user name copy into DL
016F:004068C4  ADD      DL,0A==>add 0x0A to the byte, result in DL!
016F:004068C7  MOV      EAX,[EBP-08]
016F:004068CA  MOV      [EBP+EAX-2C],DL==>write the transformed byte back into the copy at [EBP-2C]
016F:004068CE  JMP      SHORT 004068A8
016F:004068D0  MOV      DWORD [EBP+FFFFFBE0],00448B50==>448B50 holds the string ^OKW*V_MsN (subtract 0x0A from every byte and you get TEAM LUCiD: a blacklist! ^0^)
016F:004068DA  LEA      ECX,[EBP-2C]==>ECX = the transformed user name
016F:004068DD  MOV      [EBP+FFFFFBDC],ECX==>from here to 40695F is an inline strcmp: it compares the transformed user name with the blacklist string two bytes per iteration. A mismatch means the name is not blacklisted and control jumps to 406AB1, where the real registration code is computed; a full match means the name is on the blacklist
016F:004068E3  MOV      EDX,[EBP+FFFFFBDC]
016F:004068E9  MOV      AL,[EDX]
016F:004068EB  MOV      [EBP+FFFFFBDB],AL
016F:004068F1  MOV      ECX,[EBP+FFFFFBE0]
016F:004068F7  CMP      AL,[ECX]
016F:004068F9  JNZ      00406941
016F:004068FB  CMP      BYTE [EBP+FFFFFBDB],00
016F:00406902  JZ      00406935
016F:00406904  MOV      EDX,[EBP+FFFFFBDC]
016F:0040690A  MOV      AL,[EDX+01]
016F:0040690D  MOV      [EBP+FFFFFBDA],AL
016F:00406913  MOV      ECX,[EBP+FFFFFBE0]
016F:00406919  CMP      AL,[ECX+01]
016F:0040691C  JNZ      00406941
016F:0040691E  ADD      DWORD [EBP+FFFFFBDC],BYTE +02
016F:00406925  ADD      DWORD [EBP+FFFFFBE0],BYTE +02
016F:0040692C  CMP      BYTE [EBP+FFFFFBDA],00
016F:00406933  JNZ      004068E3
016F:00406935  MOV      DWORD [EBP+FFFFFBD4],00==>strings equal: result 0
016F:0040693F  JMP      SHORT 0040694C
016F:00406941  SBB      EDX,EDX
016F:00406943  SBB      EDX,BYTE -01
016F:00406946  MOV      [EBP+FFFFFBD4],EDX==>strings differ: result +1 or -1
016F:0040694C  MOV      EAX,[EBP+FFFFFBD4]
016F:00406952  MOV      [EBP+FFFFFBD0],EAX
016F:00406958  CMP      DWORD [EBP+FFFFFBD0],BYTE +00
016F:0040695F  JNZ      NEAR 00406AB1==>not equal, so not on the blacklist: go and compute the real code
016F:00406965  MOV      DWORD [EBP+FFFFFBE8],00
016F:0040696F  CMP      DWORD [EBP+FFFFFBE8],BYTE +00
016F:00406976  JNZ      0040697F
016F:00406978  XOR      AL,AL==>return value 0: the registration check fails!
016F:0040697A  JMP      00406D61==>on the blacklist? You're dead ^_^
016F:0040697F  MOV      EDI,00448B48
016F:00406984  LEA      EDX,[EBP-2C]
016F:00406987  OR      ECX,BYTE -01
016F:0040698A  XOR      EAX,EAX
016F:0040698C  REPNE SCASB
016F:0040698E  NOT      ECX
016F:00406990  SUB      EDI,ECX
016F:00406992  MOV      ESI,EDI
016F:00406994  MOV      EAX,ECX

All of that long-winded code is nothing but a blacklist check -_-0 The author was too "embarrassed" to store the blacklisted name in the clear, so it is kept as f(user name) = fixed string and compared in that form...
…………
016F:00406ABA  MOV      EAX,[EBP-04]
016F:00406ABD  ADD      EAX,BYTE +01
016F:00406AC0  MOV      [EBP-04],EAX
016F:00406AC3  MOV      ECX,[EBP+08]==>ECX = pointer to the original user name
016F:00406AC6  ADD      ECX,[EBP-04]==>plus the index kept in [EBP-04]
016F:00406AC9  MOVSX    EDX,BYTE [ECX]==>next byte of the user name into EDX
016F:00406ACC  TEST    EDX,EDX==>terminator reached?
016F:00406ACE  JZ      00406AD2==>yes: leave. This loop only counts the length of the user name (left in [EBP-04] and EAX)
016F:00406AD0  JMP      SHORT 00406ABA
016F:00406AD2  MOV      DWORD [EBP-0C],00==>[EBP-0C] is the accumulator, cleared to 0
016F:00406AD9  MOV      EAX,[EBP+08]==>EAX = pointer to the user name
016F:00406ADC  MOVSX    ECX,BYTE [EAX]==>first byte of the user name (sign-extended) into ECX
016F:00406ADF  IMUL    ECX,ECX,54BF==>multiply the first byte by 0x54BF, result in ECX
016F:00406AE5  MOV      EDX,[EBP-0C]==>EDX = the accumulator (still 0, because of the instruction at 406AD2)
016F:00406AE8  ADD      EDX,ECX==>add
016F:00406AEA  MOV      [EBP-0C],EDX==>store it back; [EBP-0C] now holds the result so far
016F:00406AED  MOV      EAX,[EBP+08]
016F:00406AF0  MOVSX    ECX,BYTE [EAX+01]==>second byte of the user name
016F:00406AF4  MOV      EDX,[EBP-0C]==>EDX = the result so far
016F:00406AF7  LEA      EAX,[EDX+ECX+00205FDF]==>EAX = EDX + ECX + 0x205FDF!
016F:00406AFE  MOV      [EBP-0C],EAX==>the result goes back into [EBP-0C] again
016F:00406B01  MOV      ECX,[EBP+08]
016F:00406B04  MOVSX    EDX,BYTE [ECX+02]                   
016F:00406B08  IMUL    EDX,EDX,5C8F
016F:00406B0E  MOV      EAX,[EBP-0C]
016F:00406B11  ADD      EAX,EDX
016F:00406B13  MOV      [EBP-0C],EAX
016F:00406B16  MOV      ECX,[EBP+08]
016F:00406B19  MOVSX    EDX,BYTE [ECX+03]
016F:00406B1D  MOV      EAX,[EBP-0C]
016F:00406B20  LEA      ECX,[EAX+EDX+00987227]
016F:00406B27  MOV      [EBP-0C],ECX
016F:00406B2A  MOV      EDX,[EBP+08]
016F:00406B2D  MOVSX    EAX,BYTE [EDX+04]
016F:00406B31  IMUL    EAX,EAX,645F
016F:00406B37  MOV      ECX,[EBP-0C]
016F:00406B3A  ADD      ECX,EAX
016F:00406B3C  MOV      [EBP-0C],ECX
016F:00406B3F  MOV      EDX,[EBP+08]
016F:00406B42  MOVSX    EAX,BYTE [EDX+05]
016F:00406B46  MOV      ECX,[EBP-0C]
016F:00406B49  LEA      EDX,[ECX+EAX+006A595F]
016F:00406B50  MOV      [EBP-0C],EDX
016F:00406B53  MOV      EAX,[EBP+08]
016F:00406B56  MOVSX    ECX,BYTE [EAX+06]
016F:00406B5A  IMUL    ECX,ECX,6C2F
016F:00406B60  MOV      EDX,[EBP-0C]
016F:00406B63  ADD      EDX,ECX
016F:00406B65  MOV      [EBP-0C],EDX
016F:00406B68  MOV      EAX,[EBP+08]
016F:00406B6B  MOVSX    ECX,BYTE [EAX+07]
016F:00406B6F  MOV      EDX,[EBP-0C]
016F:00406B72  LEA      EAX,[EDX+ECX+00140B9F]
016F:00406B79  MOV      [EBP-0C],EAX
016F:00406B7C  MOV      ECX,[EBP+08]
016F:00406B7F  MOVSX    EDX,BYTE [ECX+08]
016F:00406B83  IMUL    EDX,EDX,73FF
016F:00406B89  MOV      EAX,[EBP-0C]
016F:00406B8C  ADD      EAX,EDX
016F:00406B8E  MOV      [EBP-0C],EAX
016F:00406B91  MOV      ECX,[EBP+08]
016F:00406B94  MOVSX    EDX,BYTE [ECX+09]
016F:00406B98  IMUL    EDX,EDX,29C7
016F:00406B9E  MOV      EAX,[EBP-0C]
016F:00406BA1  ADD      EAX,EDX
016F:00406BA3  MOV      [EBP-0C],EAX
016F:00406BA6  MOV      ECX,[EBP+08]
016F:00406BA9  MOVSX    EDX,BYTE [ECX+0A]
016F:00406BAD  MOV      EAX,[EBP-0C]
016F:00406BB0  LEA      ECX,[EAX+EDX+00020A3F]
016F:00406BB7  MOV      [EBP-0C],ECX
016F:00406BBA  MOV      EDX,[EBP+08]
016F:00406BBD  MOVSX    EAX,BYTE [EDX+0B]
016F:00406BC1  IMUL    EAX,EAX,0001DF47
016F:00406BC7  MOV      ECX,[EBP-0C]
016F:00406BCA  ADD      ECX,EAX
016F:00406BCC  MOV      [EBP-0C],ECX
016F:00406BCF  MOV      EDX,[EBP+08]
016F:00406BD2  MOVSX    EAX,BYTE [EDX+0C]
016F:00406BD6  MOV      ECX,[EBP-0C]
016F:00406BD9  LEA      EDX,[ECX+EAX+0001B44F]
016F:00406BE0  MOV      [EBP-0C],EDX
016F:00406BE3  MOV      EAX,[EBP+08]
016F:00406BE6  MOVSX    ECX,BYTE [EAX+0D]
016F:00406BEA  IMUL    ECX,ECX,00018957
016F:00406BF0  MOV      EDX,[EBP-0C]
016F:00406BF3  ADD      EDX,ECX
016F:00406BF5  MOV      [EBP-0C],EDX
016F:00406BF8  MOV      EAX,[EBP+08]
016F:00406BFB  MOVSX    ECX,BYTE [EAX+0E]
016F:00406BFF  MOV      EDX,[EBP-0C]
016F:00406C02  LEA      EAX,[EDX+ECX+00030FF7]
016F:00406C09  MOV      [EBP-0C],EAX
016F:00406C0C  MOV      ECX,[EBP+08]
016F:00406C0F  MOVSX    EDX,BYTE [ECX+0F]
016F:00406C13  IMUL    EDX,EDX,000365E7
016F:00406C19  MOV      EAX,[EBP-0C]
016F:00406C1C  ADD      EAX,EDX
016F:00406C1E  MOV      [EBP-0C],EAX
016F:00406C21  MOV      ECX,[EBP+08]
016F:00406C24  MOVSX    EDX,BYTE [ECX+10]
016F:00406C28  MOV      EAX,[EBP-0C]
016F:00406C2B  LEA      ECX,[EAX+EDX+0005177F]
016F:00406C32  MOV      [EBP-0C],ECX
016F:00406C35  MOV      EDX,[EBP+08]
016F:00406C38  MOVSX    EAX,BYTE [EDX+11]
016F:00406C3C  IMUL    EAX,EAX,0006C917
016F:00406C42  MOV      ECX,[EBP-0C]
016F:00406C45  ADD      ECX,EAX
016F:00406C47  MOV      [EBP-0C],ECX
016F:00406C4A  MOV      EDX,[EBP+08]
016F:00406C4D  MOVSX    EAX,BYTE [EDX+12]
016F:00406C51  MOV      ECX,[EBP-0C]
016F:00406C54  LEA      EDX,[ECX+EAX+00087AAF]
016F:00406C5B  MOV      [EBP-0C],EDX
016F:00406C5E  MOV      EAX,[EBP+08]
016F:00406C61  MOVSX    ECX,BYTE [EAX+13]
016F:00406C65  IMUL    ECX,ECX,3039
016F:00406C6B  MOV      EDX,[EBP-0C]
016F:00406C6E  ADD      EDX,ECX
016F:00406C70  MOV      [EBP-0C],EDX
016F:00406C73  MOV      EAX,[EBP+08]
016F:00406C76  MOVSX    ECX,BYTE [EAX+14]
016F:00406C7A  IMUL    ECX,ECX,D431
016F:00406C80  MOV      EDX,[EBP-0C]
016F:00406C83  ADD      EDX,ECX
016F:00406C85  MOV      [EBP-0C],EDX
016F:00406C88  MOV      EAX,[EBP+08]
016F:00406C8B  MOVSX    ECX,BYTE [EAX+15]
016F:00406C8F  IMUL    ECX,ECX,372B
016F:00406C95  MOV      EDX,[EBP-0C]
016F:00406C98  ADD      EDX,ECX
016F:00406C9A  MOV      [EBP-0C],EDX
016F:00406C9D  MOV      EAX,[EBP+08]
016F:00406CA0  MOVSX    ECX,BYTE [EAX+16]
016F:00406CA4  IMUL    ECX,ECX,DE0D
016F:00406CAA  MOV      EDX,[EBP-0C]
016F:00406CAD  ADD      EDX,ECX
016F:00406CAF  MOV      [EBP-0C],EDX
016F:00406CB2  MOV      EAX,[EBP+08]
016F:00406CB5  MOVSX    ECX,BYTE [EAX+17]
016F:00406CB9  IMUL    ECX,ECX,00010104
016F:00406CBF  MOV      EDX,[EBP-0C]
016F:00406CC2  ADD      EDX,ECX
016F:00406CC4  MOV      [EBP-0C],EDX
016F:00406CC7  MOV      EAX,[EBP+08]
016F:00406CCA  MOVSX    ECX,BYTE [EAX+18]
016F:00406CCE  IMUL    ECX,ECX,8711
016F:00406CD4  MOV      EDX,[EBP-0C]
016F:00406CD7  ADD      EDX,ECX
016F:00406CD9  MOV      [EBP-0C],EDX
016F:00406CDC  MOV      EAX,[EBP+08]
016F:00406CDF  MOVSX    ECX,BYTE [EAX+19]
016F:00406CE3  IMUL    ECX,ECX,00010845
016F:00406CE9  MOV      EDX,[EBP-0C]
016F:00406CEC  ADD      EDX,ECX
016F:00406CEE  MOV      [EBP-0C],EDX
016F:00406CF1  MOV      EAX,[EBP+08]
016F:00406CF4  MOVSX    ECX,BYTE [EAX+1A]
016F:00406CF8  IMUL    ECX,ECX,8711
016F:00406CFE  MOV      EDX,[EBP-0C]
016F:00406D01  ADD      EDX,ECX
016F:00406D03  MOV      [EBP-0C],EDX
016F:00406D06  MOV      EAX,[EBP+08]
016F:00406D09  MOVSX    ECX,BYTE [EAX+1B]
016F:00406D0D  IMUL    ECX,ECX,FFBA
016F:00406D13  MOV      EDX,[EBP-0C]
016F:00406D16  ADD      EDX,ECX
016F:00406D18  MOV      [EBP-0C],EDX
016F:00406D1B  MOV      EAX,[EBP+08]
016F:00406D1E  MOVSX    ECX,BYTE [EAX+1C]
016F:00406D22  IMUL    ECX,ECX,000181B7
016F:00406D28  MOV      EDX,[EBP-0C]
016F:00406D2B  ADD      EDX,ECX
016F:00406D2D  MOV      [EBP-0C],EDX
016F:00406D30  MOV      EAX,[EBP+08]
016F:00406D33  MOVSX    ECX,BYTE [EAX+1D]
016F:00406D37  IMUL    ECX,ECX,85BA
016F:00406D3D  MOV      EDX,[EBP-0C]
016F:00406D40  ADD      EDX,ECX
016F:00406D42  MOV      [EBP-0C],EDX
016F:00406D45  MOV      EAX,[EBP-0C]==>the correct registration code into EAX
016F:00406D48  CMP      EAX,[EBP+0C]==>compare the real code with the entered one!
016F:00406D4B  JNZ      00406D58==>different: fail
016F:00406D4D  MOV      DWORD [EBP-0C],00
016F:00406D54  MOV      AL,01==>return 1: registered
016F:00406D56  JMP      SHORT 00406D61
016F:00406D58  MOV      DWORD [EBP-0C],00
016F:00406D5F  XOR      AL,AL==>return 0: wrong code
016F:00406D61  POP      EDI
016F:00406D62  POP      ESI
016F:00406D63  POP      EBX
016F:00406D64  MOV      ESP,EBP
016F:00406D66  POP      EBP 
016F:00406D67  RET      08

The stretch 406B01-406D42 repeats the pattern of 406AD9-406AFE for the remaining bytes of the user name: each byte is either multiplied by its own constant and added to the running total in [EBP-0C], or added to the running total together with a fixed constant. The alternation is not strictly odd/even: offsets 8 and 9 are both multiplied, and from offset 0x13 up to 0x1D every byte is multiplied. Three details matter if you want to reproduce it: the bytes are fetched with MOVSX, so a byte >= 0x80 counts as a negative value; all the arithmetic is 32-bit, so the total wraps modulo 2^32; and the code reads 30 bytes (offsets 0 to 0x1D) without looking at the name length, so for a shorter name whatever follows the terminating NUL in the caller's buffer is fed in as well. The final 32-bit value in [EBP-0C] is the real registration code!!
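A keygen that reproduces both checks described above, the +0x0A blacklist transform at 4068A8-40695F and the 30-byte accumulation at 406AD9-406D42, written here as an added example; it is my code, not anything from the original post or from the program. The constants, the transform and the blacklist string come straight from the listing. Two points the listing does not settle are treated as assumptions: that bytes past the name's terminating NUL read as zero (a zero-filled caller buffer), and that the code is typed as a signed decimal integer, which is what the (0x421, 0, 1) arguments to the call at 406DC6 would mean if that call is MFC's CWnd::GetDlgItemInt(nID, lpTrans, bSigned).

```python
from typing import Optional

# Per-byte steps recovered from the disassembly at 00406AD9-00406D42.
# Entry i applies to name byte i: ("mul", k) means acc += c * k,
# ("add", k) means acc += c + k. The accumulator is the dword [EBP-0C].
STEPS = [
    ("mul", 0x54BF), ("add", 0x205FDF), ("mul", 0x5C8F), ("add", 0x987227),
    ("mul", 0x645F), ("add", 0x6A595F), ("mul", 0x6C2F), ("add", 0x140B9F),
    ("mul", 0x73FF), ("mul", 0x29C7), ("add", 0x20A3F), ("mul", 0x1DF47),
    ("add", 0x1B44F), ("mul", 0x18957), ("add", 0x30FF7), ("mul", 0x365E7),
    ("add", 0x5177F), ("mul", 0x6C917), ("add", 0x87AAF), ("mul", 0x3039),
    ("mul", 0xD431), ("mul", 0x372B), ("mul", 0xDE0D), ("mul", 0x10104),
    ("mul", 0x8711), ("mul", 0x10845), ("mul", 0x8711), ("mul", 0xFFBA),
    ("mul", 0x181B7), ("mul", 0x85BA),
]
NAME_BYTES = len(STEPS)  # the code reads name[0] .. name[0x1D], 30 bytes

# The string at 00448B50 that the transformed name is compared against.
BLACKLIST_ENCODED = b"^OKW*V_MsN"


def encode_name(name: bytes) -> bytes:
    """The loop at 004068A8-004068CE: add 0x0A to every byte (8-bit wrap)."""
    return bytes((b + 0x0A) & 0xFF for b in name)


def decode_blacklist(encoded: bytes = BLACKLIST_ENCODED) -> bytes:
    """Inverse of encode_name, to read the blacklist entry as plaintext."""
    return bytes((b - 0x0A) & 0xFF for b in encoded)


def is_blacklisted(name: bytes) -> bool:
    """The inline strcmp at 004068DA-0040695F: equal means blacklisted."""
    return encode_name(name) == BLACKLIST_ENCODED


def hash_name(name: bytes) -> int:
    """The 00406AD9-00406D42 accumulation; returns the 32-bit value in [EBP-0C].

    Assumption: bytes past the terminating NUL read as 0 (zero-filled buffer).
    MOVSX sign-extends each byte, so bytes >= 0x80 contribute negative values.
    """
    buf = name[:NAME_BYTES].ljust(NAME_BYTES, b"\x00")
    acc = 0
    for c, (kind, k) in zip(buf, STEPS):
        c = c - 0x100 if c >= 0x80 else c  # MOVSX
        acc += c * k if kind == "mul" else c + k
    return acc & 0xFFFFFFFF  # 32-bit wrap, as in the dword accumulator


def to_signed32(v: int) -> int:
    """Reinterpret a 32-bit pattern as the signed int a signed GetDlgItemInt would parse."""
    return v - 0x100000000 if v & 0x80000000 else v


def keygen(name: str) -> Optional[int]:
    """Registration code for `name`, or None when the name is blacklisted.

    The program is ANSI (it was caught on GetDlgItemTextA), so the name is
    encoded as single bytes; latin-1 keeps the byte values 1:1.
    """
    raw = name.encode("latin-1")
    if is_blacklisted(raw):
        return None
    return to_signed32(hash_name(raw))


if __name__ == "__main__":
    import sys
    for n in sys.argv[1:] or ["BurSH"]:
        code = keygen(n)
        print(f"{n!r}: {'blacklisted' if code is None else code}")
```

Run it with the user name as the argument; for "BurSH" with the zero-padding assumption it prints 27714595, and for "TEAM LUCiD" it reports the blacklist hit instead of a code. If the program does not zero-fill the name buffer, codes for names shorter than 30 characters will not match, and the bytes following the NUL in [EBP-20] have to be read from the debugger and fed in instead of zeros.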


BTW: the program stores its registration information in C:\WINDOWS\Srpesg.dat

Ok, that's all! Thanks for patiently reading to the end :)
