Jigsaw Puzzle Game (32K characters)
Software: B-Jigsaw V7.7
A jigsaw puzzle game. Any picture can be used; you can cut your own picture into pieces, generate an exe from it and send it to friends.
Custom sound effects; shadow and border effects can be set on the pieces.
10-day trial; once you are hooked, pay $14.95 (USD) to keep going.
http://www.adcsoft.com/bjigsaw.html
Tools: pe-scan 3.31, DeDe 3.50, OllyDbg 1.09
Cracker: lq7972 [bruceyu13@sina.com]
Notes: just a newbie, here to learn from everyone
The main program is packed with ASPack 2.12 -> Alexey Solodovnikov. Unpacked with pe-scan, and the dump runs.
W32Dasm hangs when disassembling it, so DeDe it is (Borland C++).
In the [Procedures] pane the [license] unit has a [BitBtnRegCodeClick] event, i.e. the [Enter reg code] button on the program's splash screen. Double-click it to open the procedure's code; there is a lot of useful information:
* Reference to : TFormTimes._PROC_00413A70()
* Reference to: controls.TControl.GetText(TControl):TCaption;
* Reference to: controls.TControl.GetText(TControl):TCaption;
* Reference to : TFormMain._PROC_004116E8()
* Reference to class TRegistry
* Reference to: registry.constructorTRegistry.Create(TRegistry;boolean);
This is the registration flow: read the user's input, generate the registration code (T), then compare it with the registration code the user typed (F). If they differ: "Invalid user name or registration code."; if they match, write the registry and show "Thank you for registering."
Second, we get the place to start tracing (the breakpoint):
BitBtnRegCodeClick 00411040 0019
Note that there is also a [reg] unit; when first getting started one would rather analyze and trace that one. I did not, though: the software has such a concise registration flow (very convenient for crackers everywhere), so why not use it? Analysis over there might well be wasted effort (I did not look closely, so I cannot be sure; I hope you will study it and tell me, waiting...).
Now for the dynamic trace:
(If the breakpoint hits before the program's splash screen has appeared, exit.)
Open OllyDbg, load the main program, set a breakpoint (F2) at 00411040, run (F9), wait about 3 seconds, click [Enter reg code], and we are stopped here:
00411040 /. 55 push ebp
; ...
00411070 |. FF92 CC000000 call dword ptr ds:[edx+CC] the registration dialog pops up here
00411076 |. 48 dec eax
00411077 0F85 A1020000 jnz 0041131E bt.0041131E
0041107D |. 66:C745 B4 140>mov word ptr ss:[ebp-4C], 14
00411083 |. 33C9 xor ecx, ecx
00411085 |. A1 C0DF4D00 mov eax, dword ptr ds:[4DDFC0]
0041108A |. 894D FC mov dword ptr ss:[ebp-4], ecx
0041108D |. 8D55 FC lea edx, dword ptr ss:[ebp-4]
00411090 |. FF45 C0 inc dword ptr ss:[ebp-40]
00411093 |. 8B08 mov ecx, dword ptr ds:[eax]
00411095 |. 8B81 D4020000 mov eax, dword ptr ds:[ecx+2D4]
0041109B |. E8 70CC0700 call 0048DD10 eax = name_len
004110A0 |. 66:C745 B4 080>mov word ptr ss:[ebp-4C], 8
004110A6 |. 66:C745 B4 200>mov word ptr ss:[ebp-4C], 20
004110AC |. 33D2 xor edx, edx
004110AE |. A1 C0DF4D00 mov eax, dword ptr ds:[4DDFC0]
004110B3 |. 8955 F8 mov dword ptr ss:[ebp-8], edx
004110B6 |. 8D55 F8 lea edx, dword ptr ss:[ebp-8]
004110B9 |. FF45 C0 inc dword ptr ss:[ebp-40]
004110BC |. 8B08 mov ecx, dword ptr ds:[eax]
004110BE |. 8B81 D8020000 mov eax, dword ptr ds:[ecx+2D8]
004110C4 |. E8 47CC0700 call 0048DD10 gets the registration code the user typed (F); eax = reg_code(F)_len
004110C9 |. 66:C745 B4 080>mov word ptr ss:[ebp-4C], 8
004110CF |. 8BC3 mov eax, ebx
004110D1 |. E8 A60B0000 call 00411C7C bt.00411C7C
004110D6 |. 66:C745 B4 2C0>mov word ptr ss:[ebp-4C], 2C
004110DC |. 33D2 xor edx, edx
004110DE |. 8D4D F4 lea ecx, dword ptr ss:[ebp-C]
004110E1 |. 8955 F4 mov dword ptr ss:[ebp-C], edx
004110E4 |. 8BC3 mov eax, ebx
004110E6 |. FF45 C0 inc dword ptr ss:[ebp-40]
004110E9 |. 8B55 FC mov edx, dword ptr ss:[ebp-4] user_name
004110EC |. E8 F7050000 call 004116E8 the code-generation algorithm at 004116E8, see below
004110F1 |. 8D55 F4 lea edx, dword ptr ss:[ebp-C] reg_code(T)_addr
004110F4 |. 8D45 F8 lea eax, dword ptr ss:[ebp-8] reg_code(F)_addr
004110F7 |. E8 A0FE0B00 call 004D0F9C the comparison, of course; eax = 0 if they differ
004110FC |. 50 push eax /Arg1
004110FD |. FF4D C0 dec dword ptr ss:[ebp-40] |
00411100 |. 8D45 F4 lea eax, dword ptr ss:[ebp-C] |
00411103 |. BA 02000000 mov edx, 2 |
00411108 |. E8 ABFD0B00 call 004D0EB8 \bt.004D0EB8
0041110D |. 59 pop ecx 0 if they differ
0041110E |. 84C9 test cl, cl
00411110 0F84 63010000 je 00411279 jump, gAMeoVeR
00411116 |. B2 01 mov dl, 1
00411118 |. A1 50814600 mov eax, dword ptr ds:[468150]
0041111D |. E8 DA710500 call 004682FC write the registry
;+++++++++++++++++++++++++++++++++++++++++++++++++++++++
; Registration algorithm
;+++++++++++++++++++++++++++++++++++++++++++++++++++++++
004116E8 $ 55 push ebp
004116E9 . 8BEC mov ebp, esp
004116EB . 83C4 8C add esp, -74
004116EE . B8 38634D00 mov eax, 4D6338
004116F3 . 53 push ebx
004116F4 . 56 push esi
004116F5 . 57 push edi
004116F6 . 894D BC mov dword ptr ss:[ebp-44], ecx 0
004116F9 . 8955 F8 mov dword ptr ss:[ebp-8], edx user_name
004116FC . E8 F3450B00 call 004C5CF4 bt.004C5CF4
00411701 . C745 B4 010000>mov dword ptr ss:[ebp-4C], 1
00411708 . 8D55 F8 lea edx, dword ptr ss:[ebp-8] user_name_addr
0041170B . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
0041170E . E8 D9F60B00 call 004D0DEC bt.004D0DEC
00411713 . FF45 B4 inc dword ptr ss:[ebp-4C]
00411716 . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
0041171C . 8D45 F8 lea eax, dword ptr ss:[ebp-8] user_name_addr
0041171F . E8 04F90B00 call 004D1028 eax = user_name_len
00411724 . 83F8 08 cmp eax, 8
00411727 . 7F 5E jg short 00411787 if greater than 8, skip the padding and go straight to the code computation at 00411787
00411729 . 66:C745 A8 140>mov word ptr ss:[ebp-58], 14
0041172F . 33D2 xor edx, edx
00411731 . 8955 EC mov dword ptr ss:[ebp-14], edx
00411734 . 8D4D EC lea ecx, dword ptr ss:[ebp-14]
00411737 . FF45 B4 inc dword ptr ss:[ebp-4C]
0041173A . BA 08000000 mov edx, 8
0041173F . B0 20 mov al, 20
00411741 . E8 02F90B00 call 004D1048 get 8 spaces
00411746 . 8D55 EC lea edx, dword ptr ss:[ebp-14] 8 spaces
00411749 . 33C0 xor eax, eax
0041174B . 8945 E8 mov dword ptr ss:[ebp-18], eax
0041174E . 8D4D E8 lea ecx, dword ptr ss:[ebp-18]
00411751 . FF45 B4 inc dword ptr ss:[ebp-4C]
00411754 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] user_name
00411757 . E8 B4F70B00 call 004D0F10 "user_name" + 8 spaces ~ new_user_name
0041175C . 8D55 E8 lea edx, dword ptr ss:[ebp-18] new_user_name
0041175F . 8D45 F8 lea eax, dword ptr ss:[ebp-8] "user_name" ~ old_user_name
00411762 . E8 81F70B00 call 004D0EE8 replace old_user_name with new_user_name
00411767 . FF4D B4 dec dword ptr ss:[ebp-4C]
0041176A . 8D45 E8 lea eax, dword ptr ss:[ebp-18]
0041176D . BA 02000000 mov edx, 2
00411772 . E8 41F70B00 call 004D0EB8 bt.004D0EB8
00411777 . FF4D B4 dec dword ptr ss:[ebp-4C]
0041177A . 8D45 EC lea eax, dword ptr ss:[ebp-14]
0041177D . BA 02000000 mov edx, 2
00411782 . E8 31F70B00 call 004D0EB8 bt.004D0EB8
00411787 > E8 44FF0B00 call 004D16D0 [GetTickCount]
0041178C . 8945 94 mov dword ptr ss:[ebp-6C], eax saved for the anti-tracing check
0041178F . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
00411795 . B8 01000000 mov eax, 1
0041179A > 40 inc eax
0041179B . 83F8 64 cmp eax, 64
0041179E .^7C FA jl short 0041179A bt.0041179A
004117A0 . E8 2BFF0B00 call 004D16D0 [GetTickCount]
004117A5 . 8B55 94 mov edx, dword ptr ss:[ebp-6C]
004117A8 . 2BC2 sub eax, edx
004117AA . 3D E8030000 cmp eax, 3E8
004117AF . 76 0D jbe short 004117BE bt.004117BE
004117B1 . 8B0D FCDF4D00 mov ecx, dword ptr ds:[4DDFFC] bt.004DE7AC
004117B7 . 8B01 mov eax, dword ptr ds:[ecx]
004117B9 . E8 06200700 call 004837C4 bt.004837C4
004117BE > 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
004117C4 . 66:C745 A8 200>mov word ptr ss:[ebp-58], 20
004117CA . 33C0 xor eax, eax
004117CC . BB 01000000 mov ebx, 1 ebx = 1
004117D1 . 8945 F4 mov dword ptr ss:[ebp-C], eax
004117D4 . FF45 B4 inc dword ptr ss:[ebp-4C]
004117D7 . 83FB 08 cmp ebx, 8
004117DA . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
004117E0 . 0F8F 4A020000 jg 00411A30 bt.00411A30
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; First computation: essentially a character XOR, then Reverse
004117E6 > 8B3D 50584D00 mov edi, dword ptr ds:[4D5850] bt.004D5860
004117EC . 57 push edi "awgsJiBtAANrPNYOntA" ~ string
004117ED . E8 36420B00 call 004C5A28
004117F2 . 59 pop ecx string
004117F3 . 50 push eax string_len = 19
004117F4 . 8BC3 mov eax, ebx eax = ebx
004117F6 . 5A pop edx edx = 19
004117F7 . 8BCA mov ecx, edx
004117F9 . 33D2 xor edx, edx
004117FB . F7F1 div ecx eax div ecx: eax = eax/ecx, edx = eax % ecx
004117FD . 8A0417 mov al, byte ptr ds:[edi+edx] string[ebx % 19] = string[ebx] (0-based; ebx = 1, 3, ...)
00411800 . 50 push eax
00411801 . 8BF3 mov esi, ebx
00411803 . 56 push esi /Arg2
00411804 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] |new_user_name_addr
00411807 . 50 push eax |Arg1
00411808 . E8 23F50B00 call 004D0D30 \bt.004D0D30
0041180D . 83C4 08 add esp, 8
00411810 . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00411813 . E8 A4F90B00 call 004D11BC edx = new_user_name
00411818 . 8B55 F8 mov edx, dword ptr ss:[ebp-8]
0041181B . 03F2 add esi, edx
0041181D . 4E dec esi new_user_name[ebx-1] (0-based)
0041181E . 58 pop eax string [ebx]
0041181F . 8A16 mov dl, byte ptr ds:[esi] new_user_name [ebx-1]
00411821 . 32C2 xor al, dl string [ebx] xor new_user_name [ebx-1]
00411823 . 0FBEC0 movsx eax, al
00411826 . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
0041182C . 85C0 test eax, eax
0041182E . 7D 02 jge short 00411832 jump if >= 0 bt.00411832
00411830 . F7D8 neg eax otherwise negate: only bytes >= 0x80 (non-ASCII characters) get here, (opr) <- -(opr)
00411832 > 66:C745 A8 380>mov word ptr ss:[ebp-58], 38
00411838 . 33D2 xor edx, edx
0041183A . 8955 E4 mov dword ptr ss:[ebp-1C], edx
0041183D . 8D55 E4 lea edx, dword ptr ss:[ebp-1C]
00411840 . FF45 B4 inc dword ptr ss:[ebp-4C]
00411843 . E8 38950A00 call 004BAD80 the al xor dl result to a decimal string (IntToStr, "Hex2Dec2Str")
00411848 . 66:C745 A8 2C0>mov word ptr ss:[ebp-58], 2C
0041184E . 8D45 E4 lea eax, dword ptr ss:[ebp-1C]
00411851 . E8 D2F70B00 call 004D1028 eax = tmp_reg_code_len
00411856 . 48 dec eax
00411857 . 7E 22 jle short 0041187B <= 0 ? i.e. length <= 1: the XOR result is a single digit (< 10)
;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
00411859 . 6A 02 push 2 /Arg2 = 00000002
0041185B . 8D4D E4 lea ecx, dword ptr ss:[ebp-1C] |
0041185E . 51 push ecx |Arg1
0041185F . E8 CCF40B00 call 004D0D30 \bt.004D0D30
00411864 . 83C4 08 add esp, 8
00411867 . 8D45 E4 lea eax, dword ptr ss:[ebp-1C] tmp_reg_code_addr
0041186A . E8 4DF90B00 call 004D11BC bt.004D11BC
0041186F . 8B55 E4 mov edx, dword ptr ss:[ebp-1C] edx = tmp_reg_code
00411872 . 42 inc edx tmp_reg_code [1]
00411873 . 0FBE0A movsx ecx, byte ptr ds:[edx]
00411876 . 83F9 30 cmp ecx, 30 second character == '0'? i.e. the XOR result (>= 10) has a zero ones digit
00411879 . 75 56 jnz short 004118D1 bt.004118D1
;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; both cases above are handled the same way
0041187B > 66:C745 A8 440>mov word ptr ss:[ebp-58], 44
; a "1" is used in place of the "0" and appended as reg_code_A(S)[0]
; N lines omitted...
004118CF . EB 6E jmp short 0041193F bt.0041193F
;===================================================================================================
004118D1 > 66:C745 A8 500>mov word ptr ss:[ebp-58], 50
004118D7 . 6A 02 push 2 /Arg2 = 00000002
004118D9 . 8D4D E4 lea ecx, dword ptr ss:[ebp-1C] |tmp_reg_code_addr
004118DC . 51 push ecx |Arg1
004118DD . E8 4EF40B00 call 004D0D30 \bt.004D0D30
004118E2 . 83C4 08 add esp, 8
004118E5 . 8D45 E4 lea eax, dword ptr ss:[ebp-1C]
004118E8 . E8 CFF80B00 call 004D11BC bt.004D11BC
004118ED . 8B55 E4 mov edx, dword ptr ss:[ebp-1C]
004118F0 . 8D45 D8 lea eax, dword ptr ss:[ebp-28]
004118F3 . 42 inc edx tmp_reg_code [1]
004118F4 . 8A12 mov dl, byte ptr ds:[edx]
004118F6 . E8 2DF50B00 call 004D0E28 bt.004D0E28
004118FB . FF45 B4 inc dword ptr ss:[ebp-4C]
004118FE . 33C0 xor eax, eax
00411900 . 8945 D4 mov dword ptr ss:[ebp-2C], eax
00411903 . 8D45 F4 lea eax, dword ptr ss:[ebp-C] reg_code_A(S)_addr
00411906 . FF45 B4 inc dword ptr ss:[ebp-4C]
00411909 . 8D55 D8 lea edx, dword ptr ss:[ebp-28]
0041190C . 8D4D D4 lea ecx, dword ptr ss:[ebp-2C]
0041190F . E8 FCF50B00 call 004D0F10 extract tmp_reg_code[1]
00411914 . 8D55 D4 lea edx, dword ptr ss:[ebp-2C]
00411917 . 8D45 F4 lea eax, dword ptr ss:[ebp-C]
0041191A . E8 C9F50B00 call 004D0EE8 reg_code_A(S)[0] = tmp_reg_code[1]
0041191F . FF4D B4 dec dword ptr ss:[ebp-4C]
00411922 . 8D45 D4 lea eax, dword ptr ss:[ebp-2C]
00411925 . BA 02000000 mov edx, 2
0041192A . E8 89F50B00 call 004D0EB8 bt.004D0EB8
0041192F . FF4D B4 dec dword ptr ss:[ebp-4C]
00411932 . 8D45 D8 lea eax, dword ptr ss:[ebp-28]
00411935 . BA 02000000 mov edx, 2
0041193A . E8 79F50B00 call 004D0EB8 bt.004D0EB8
;===================================================================================================
0041193F > 8D45 E4 lea eax, dword ptr ss:[ebp-1C]
; N lines omitted...
004119DE . E8 2DF50B00 call 004D0F10 extract tmp_reg_code[0]
004119E3 . 8D55 C4 lea edx, dword ptr ss:[ebp-3C]
004119E6 . 8D45 F4 lea eax, dword ptr ss:[ebp-C]
004119E9 . E8 FAF40B00 call 004D0EE8 reg_code_A(S)[1] = tmp_reg_code[0]
004119EE . FF4D B4 dec dword ptr ss:[ebp-4C]
004119F1 . 8D45 C4 lea eax, dword ptr ss:[ebp-3C]
004119F4 . BA 02000000 mov edx, 2
004119F9 . E8 BAF40B00 call 004D0EB8 release the temporaries
004119FE . FF4D B4 dec dword ptr ss:[ebp-4C]
00411A01 . 8D45 C8 lea eax, dword ptr ss:[ebp-38]
00411A04 . BA 02000000 mov edx, 2
00411A09 . E8 AAF40B00 call 004D0EB8 bt.004D0EB8
00411A0E > 83C3 02 add ebx, 2 ebx += 2
00411A11 . FF4D B4 dec dword ptr ss:[ebp-4C]
00411A14 . 8D45 E4 lea eax, dword ptr ss:[ebp-1C]
00411A17 . BA 02000000 mov edx, 2
00411A1C . E8 97F40B00 call 004D0EB8 release tmp_reg_code
00411A21 . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
00411A27 . 83FB 08 cmp ebx, 8 ebx <= 8 ?
00411A2A .^0F8E B6FDFFFF jle 004117E6 yes, jump
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
00411A30 > E8 9BFC0B00 call 004D16D0 [GetTickCount]
00411A35 . 8B4D 94 mov ecx, dword ptr ss:[ebp-6C]
00411A38 . 2BC1 sub eax, ecx
00411A3A . 3D E8030000 cmp eax, 3E8
00411A3F . 76 0C jbe short 00411A4D bt.00411A4D
00411A41 . A1 FCDF4D00 mov eax, dword ptr ds:[4DDFFC]
00411A46 . 8B00 mov eax, dword ptr ds:[eax]
00411A48 . E8 771D0700 call 004837C4 bt.004837C4
00411A4D > 66:C745 A8 740>mov word ptr ss:[ebp-58], 74
00411A53 . 8B45 F4 mov eax, dword ptr ss:[ebp-C] reg_code_A
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Second computation: walks new_user_name, accumulating into reg_code_A(N)
00411A56 . E8 55930A00 call 004BADB0 reg_code_A(N) = StrToInt(reg_code_A(S)) ("Dec2Hex") bt.004BADB0
00411A5B . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
00411A61 . 8BF0 mov esi, eax
00411A63 . EB 0D jmp short 00411A72 bt.00411A72
00411A65 . 33F6 xor esi, esi
00411A67 . 66:C745 A8 7C0>mov word ptr ss:[ebp-58], 7C
00411A6D . E8 F8C50B00 call 004CE06A
00411A72 > 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
00411A78 . BB 01000000 mov ebx, 1 ebx = 1
00411A7D . EB 2E jmp short 00411AAD bt.00411AAD
;=======================================================================================================================
00411A7F > 8BFB mov edi, ebx edi = ebx
00411A81 . 57 push edi /Arg2
00411A82 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] |new_user_name_addr
00411A85 . 50 push eax |Arg1
00411A86 . E8 A5F20B00 call 004D0D30 \bt.004D0D30
00411A8B . 83C4 08 add esp, 8
00411A8E . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00411A91 . E8 26F70B00 call 004D11BC edx = new_user_name
00411A96 . 8B55 F8 mov edx, dword ptr ss:[ebp-8]
00411A99 . 8D041B lea eax, dword ptr ds:[ebx+ebx] eax = ebx+ebx
00411A9C . 03FA add edi, edx edi = new_user_name [edi]
00411A9E . 8D53 FF lea edx, dword ptr ds:[ebx-1] edx = ebx-1
00411AA1 . F7EA imul edx eax IMUL edx: high half in edx, low half in eax
00411AA3 . 4F dec edi new_user_name [edi-1]
00411AA4 . 0FBE0F movsx ecx, byte ptr ds:[edi]
00411AA7 . 0FAFC8 imul ecx, eax
00411AAA . 03F1 add esi, ecx reg_code_A(N) += ecx
00411AAC . 43 inc ebx ebx ++
00411AAD > 8D45 F8 lea eax, dword ptr ss:[ebp-8] new_user_name_addr
00411AB0 . E8 73F50B00 call 004D1028 eax = new_user_name_len
00411AB5 . 3BD8 cmp ebx, eax
00411AB7 .^7E C6 jle short 00411A7F bt.00411A7F
;=======================================================================================================================
00411AB9 . E8 12FC0B00 call 004D16D0 [GetTickCount]
00411ABE . 8B55 94 mov edx, dword ptr ss:[ebp-6C]
00411AC1 . 2BC2 sub eax, edx
00411AC3 . 3D E8030000 cmp eax, 3E8
00411AC8 . 76 0D jbe short 00411AD7 bt.00411AD7
00411ACA . 8B0D FCDF4D00 mov ecx, dword ptr ds:[4DDFFC] bt.004DE7AC
00411AD0 . 8B01 mov eax, dword ptr ds:[ecx]
00411AD2 . E8 ED1C0700 call 004837C4 bt.004837C4
00411AD7 > 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Third computation, in three steps, all on new_user_name, accumulating into reg_code_A(N)
00411ADD . BB 01000000 mov ebx, 1 ebx = 1
00411AE2 . E9 93000000 jmp 00411B7A bt.00411B7A
;=======================================================================================================================
00411AE7 > 8BFB mov edi, ebx edi=ebx
00411AE9 . 57 push edi /Arg2
00411AEA . 8D45 F8 lea eax, dword ptr ss:[ebp-8] |new_user_name_addr
00411AED . 50 push eax |Arg1
00411AEE . E8 3DF20B00 call 004D0D30 \bt.004D0D30
00411AF3 . 83C4 08 add esp, 8
00411AF6 . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00411AF9 . E8 BEF60B00 call 004D11BC edx = new_user_name
00411AFE . 8B55 F8 mov edx, dword ptr ss:[ebp-8]
00411B01 . 03FA add edi, edx
00411B03 . 4F dec edi edi = new_user_name [i++], i=0,...
00411B04 . 0FBE0F movsx ecx, byte ptr ds:[edi]
00411B07 . 8BC1 mov eax, ecx
00411B09 . 895D 90 mov dword ptr ss:[ebp-70], ebx [ebp-70] = ebx
00411B0C . C1E0 03 shl eax, 3
00411B0F . 8B55 90 mov edx, dword ptr ss:[ebp-70]
00411B12 . 2BC1 sub eax, ecx
00411B14 . 8D4D F8 lea ecx, dword ptr ss:[ebp-8]
00411B17 . 52 push edx /Arg2
00411B18 . 51 push ecx |Arg1
00411B19 . 03F0 add esi, eax |reg_code_A(N) += eax
00411B1B . E8 10F20B00 call 004D0D30 \bt.004D0D30
; end of step one
;****************************************************************************************************************
00411B20 . 83C4 08 add esp, 8
00411B23 . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00411B26 . E8 91F60B00 call 004D11BC ecx = new_user_name
00411B2B . 8B55 90 mov edx, dword ptr ss:[ebp-70] remember this one?
00411B2E . 8B4D F8 mov ecx, dword ptr ss:[ebp-8]
00411B31 . 03D1 add edx, ecx
00411B33 . 4A dec edx edx = new_user_name [i++], i=0,...
00411B34 . 0FBE02 movsx eax, byte ptr ds:[edx]
00411B37 . 8BD0 mov edx, eax
00411B39 . 895D 8C mov dword ptr ss:[ebp-74], ebx
00411B3C . C1E2 04 shl edx, 4
00411B3F . 8B4D 8C mov ecx, dword ptr ss:[ebp-74]
00411B42 . 2BD0 sub edx, eax
00411B44 . 51 push ecx /Arg2
00411B45 . 8D1490 lea edx, dword ptr ds:[eax+edx*4] |edx = eax+edx*4
00411B48 . 8D45 F8 lea eax, dword ptr ss:[ebp-8] |
00411B4B . 50 push eax |Arg1
00411B4C . 03F2 add esi, edx |reg_code_A(N) += edx
00411B4E . E8 DDF10B00 call 004D0D30 \bt.004D0D30
; end of step two
;****************************************************************************************************************
00411B53 . 83C4 08 add esp, 8
00411B56 . 8D45 F8 lea eax, dword ptr ss:[ebp-8]
00411B59 . E8 5EF60B00 call 004D11BC bt.004D11BC
00411B5E . 8B55 8C mov edx, dword ptr ss:[ebp-74]
00411B61 . 8B4D F8 mov ecx, dword ptr ss:[ebp-8]
00411B64 . 03D1 add edx, ecx
00411B66 . 4A dec edx edx = new_user_name [i++], i=0,...
00411B67 . 0FBE02 movsx eax, byte ptr ds:[edx]
00411B6A . 8D1440 lea edx, dword ptr ds:[eax+eax*2] edx = eax+eax*2
00411B6D . C1E2 05 shl edx, 5
00411B70 . 2BD0 sub edx, eax
00411B72 . C1E2 04 shl edx, 4
00411B75 . 03D0 add edx, eax
00411B77 . 03F2 add esi, edx reg_code_A(N) += edx
; end of step three
;****************************************************************************************************************
00411B79 . 43 inc ebx
00411B7A > 8D45 F8 lea eax, dword ptr ss:[ebp-8] new_user_name_addr
00411B7D . E8 A6F40B00 call 004D1028 eax = new_user_name_len
00411B82 . 3BD8 cmp ebx, eax
00411B84 .^0F8E 5DFFFFFF jle 00411AE7 bt.00411AE7
;=======================================================================================================================
00411B8A . E8 41FB0B00 call 004D16D0 [GetTickCount]
00411B8F . 8B55 94 mov edx, dword ptr ss:[ebp-6C]
00411B92 . 2BC2 sub eax, edx
00411B94 . 3D E8030000 cmp eax, 3E8
00411B99 . 76 0D jbe short 00411BA8 bt.00411BA8
00411B9B . 8B0D FCDF4D00 mov ecx, dword ptr ds:[4DDFFC] bt.004DE7AC
00411BA1 . 8B01 mov eax, dword ptr ds:[ecx]
00411BA3 . E8 1C1C0700 call 004837C4 bt.004837C4
00411BA8 > 66:C745 A8 800>mov word ptr ss:[ebp-58], 80
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Below, "BJ" is concatenated with reg_code_A; this is what we are after
00411BAE . BA 4A5A4D00 mov edx, 4D5A4A ASCII "BJ"
00411BB3 . 8D45 F0 lea eax, dword ptr ss:[ebp-10] reg_code(T)_addr
00411BB6 . E8 F9F10B00 call 004D0DB4 reg_code = "BJ"
00411BBB . FF45 B4 inc dword ptr ss:[ebp-4C]
00411BBE . 33D2 xor edx, edx
00411BC0 . 66:C745 A8 080>mov word ptr ss:[ebp-58], 8
00411BC6 . 66:C745 A8 8C0>mov word ptr ss:[ebp-58], 8C
00411BCC . 8955 C0 mov dword ptr ss:[ebp-40], edx
00411BCF . 8D55 C0 lea edx, dword ptr ss:[ebp-40]
00411BD2 . FF45 B4 inc dword ptr ss:[ebp-4C]
00411BD5 . 8BC6 mov eax, esi eax = reg_code_A(N)
00411BD7 . E8 A4910A00 call 004BAD80 reg_code_A(N) to a decimal string (IntToStr, "Hex2Dec2Str")
00411BDC . 8D55 C0 lea edx, dword ptr ss:[ebp-40] reg_code_A(S)
00411BDF . 8D45 F0 lea eax, dword ptr ss:[ebp-10] reg_code
00411BE2 . E8 15F30B00 call 004D0EFC reg_code += reg_code_A(S)
00411BE7 . FF4D B4 dec dword ptr ss:[ebp-4C]
; ...
00411C1D . E8 96F20B00 call 004D0EB8 edx = reg_code
; ...
00411C5C . C3 retn
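The timing check at 00411787..004117BE, repeated at 00411A30, 00411AB9 and 00411B8A, is a GetTickCount anti-tracing guard: if more than 0x3E8 (1000) ms elapse between the two tick reads, control goes to 004837C4 (the listing does not identify that routine, so what it does is an assumption here; on a normal run it is never reached). The C program below is an added example, not code from this writeup or from BJigsaw. It reproduces the guard's unsigned-delta arithmetic and feeds it three clocks: a real monotonic clock standing in for GetTickCount, a "debugger" clock that jumps 2500 ms per read, as if the analyst were sitting on a breakpoint between the two calls, and a frozen clock, which is the effect of hooking GetTickCount to return a constant. All function and clock names are the example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* The binary calls GetTickCount (milliseconds since boot, wraps at 2^32).
 * A function pointer lets the demo swap clocks, which is exactly what an
 * API hook on GetTickCount does to the real program. */
typedef uint32_t (*tick_fn)(void);

/* The decision at 004117A8..004117AF: sub eax,edx ; cmp eax,3E8 ; jbe skip.
 * Unsigned 32-bit subtraction, so a wrapped counter still gives the right delta.
 * Returns 1 when the guard fires (more than 1000 ms elapsed), 0 otherwise. */
int tick_check_tripped(uint32_t start, uint32_t now)
{
    uint32_t elapsed = now - start;
    return elapsed > 0x3E8u;
}

/* The guarded region, shaped like 00411787..004117BE: snapshot, the trivial
 * loop that counts eax from 1 to 100, snapshot again, compare. */
int run_guarded(tick_fn ticks)
{
    uint32_t start = ticks();
    volatile int spin = 1;
    while (++spin < 100) { }
    return tick_check_tripped(start, ticks());
}

/* Real clock (monotonic, millisecond resolution) standing in for GetTickCount. */
uint32_t real_ticks(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint32_t)(ts.tv_sec * 1000 + ts.tv_nsec / 1000000);
}

/* Simulated debugger: every read advances 2500 ms, as if the analyst paused
 * on a breakpoint between the two GetTickCount calls. */
uint32_t stepping_ticks(void)
{
    static uint32_t t = 0x12345678u;     /* arbitrary starting tick, constructed */
    t += 2500;
    return t;
}

/* Bypass: a hooked GetTickCount that always returns the same value, so the
 * elapsed time is 0 no matter how long the analyst pauses. */
uint32_t frozen_ticks(void)
{
    return 0xDEADBEEFu;
}

int main(void)
{
    printf("normal run      : %s\n", run_guarded(real_ticks)     ? "tripped" : "ok");
    printf("stepping in dbg : %s\n", run_guarded(stepping_ticks) ? "tripped" : "ok");
    printf("frozen clock    : %s\n", run_guarded(frozen_ticks)   ? "tripped" : "ok");
    return 0;
}
```

The static equivalent of the frozen clock is turning each `jbe` (opcode 76) at 004117AF, 00411A3F, 00411AC8 and 00411B99 into a short `jmp` (opcode EB), so the 004837C4 path is never taken. The wrap-around case matters in practice: GetTickCount rolls over every 49.7 days, and because the guard subtracts before comparing, a rollover between the two reads does not trip it.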
【Summary】
I think the above should be fairly clear; to recap:
1. After reading the user's input, the software checks whether the user name length (user_name_len) is 8 or less; if so, eight 0x20 bytes (spaces) are appended, giving new_user_name.
2. new_user_name is XORed character by character with string; each result is converted to a decimal string and its two digits are swapped.
Note that however long your user name is, only the first 8 characters are ever used, and of those only the odd positions (1, 3, 5, 7, counting from 1).
Also, the program special-cases three situations: an XOR result <= 0, a single-digit result, and a two-digit result whose ones digit is 0. Spotting these takes some experience (ASM, cracking).
3. The rest is simpler: two loops read the characters of new_user_name in turn, compute on them (the operations differ, see above) and accumulate into reg_code_A(N).
The second loop has three such steps per character. (S) marks a string, (N) a numeric value.
4. Concatenate "BJ" and reg_code_A(S); that is reg_code.
On successful registration there is no splash screen, and the following is written to the registry:
[HKEY_CURRENT_USER\Software\ADCSotf\BJigsaw]
"RegCode"="BJ74029154"
"UserName"="lq7972"
The constant string the software uses: string: "awgsJiBtAANrPNYOntA"
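The four steps above, as an added example in C that is neither the writeup's own keygen (which follows below) nor BJigsaw's code: the algorithm split into testable functions that follow the listing's branch structure, including the special cases of step 2 handled the way the 0041187B and 0041193F paths do it (a literal '1' as the first output character when the decimal string has one character or its second character is '0', then the first character of the string). The stage names and address comments refer to the listing above; the 32-bit wrap-around of the esi accumulator is modelled with uint32_t. "lq7972" is the name the writeup registered with; "pwm" is a constructed name that exercises both special-case branches.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The 19-character constant the binary reads from 004D5850. */
static const char SALT[] = "awgsJiBtAANrPNYOntA";

/* movsx: the binary reads name bytes as signed 8-bit values. */
static int sbyte(char ch)
{
    unsigned b = (unsigned char)ch;
    return b >= 0x80 ? (int)b - 256 : (int)b;
}

/* Stage 0 (00411724..00411762): a name of 8 characters or fewer gets eight spaces
 * appended; longer names are used unchanged. Returns the padded length, 0 if out is too small. */
size_t bj_pad_name(const char *name, char *out, size_t outsz)
{
    size_t len = strlen(name);
    if (len + 9 > outsz)
        return 0;
    memcpy(out, name, len);
    if (len <= 8) {
        memset(out + len, ' ', 8);
        len += 8;
    }
    out[len] = '\0';
    return len;
}

/* Stage 1 (004117E6..00411A2A). For i = 1, 3, 5, 7: SALT[i % 19] XOR padded[i-1],
 * absolute value of the signed byte (movsx/neg), rendered in decimal (IntToStr).
 * Normal case: emit the 2nd character, then the 1st (the "reverse"). One character,
 * or a 2nd character of '0': the 0041187B branch emits a literal '1' instead of the
 * 2nd character; the 1st character is appended at 0041193F on every path. */
void bj_stage1(const char *padded, char out[9])
{
    size_t pos = 0;
    for (int i = 1; i <= 8; i += 2) {
        unsigned b = (unsigned char)(SALT[i % 19] ^ padded[i - 1]);
        int n = b >= 0x80 ? 256 - (int)b : (int)b;   /* |movsx(al)| */
        char dec[12];
        snprintf(dec, sizeof dec, "%d", n);
        out[pos++] = (strlen(dec) <= 1 || dec[1] == '0') ? '1' : dec[1];
        out[pos++] = dec[0];
    }
    out[pos] = '\0';
}

/* Pads the name and returns the stage-1 string as the number StrToInt (004BADB0)
 * makes of it; -1 if the name does not fit the buffer. */
long bj_stage1_value(const char *name)
{
    char padded[512], digits[9];
    if (bj_pad_name(name, padded, sizeof padded) == 0)
        return -1;
    bj_stage1(padded, digits);
    return strtol(digits, NULL, 10);
}

/* Stages 2 (00411A7F..00411AB7) and 3 (00411AE7..00411B84) folded into one pass,
 * legal because both only add into esi: stage 2 adds 2*i*(i-1)*c for 1-based
 * position i, stage 3 adds (8c-c) + (c+4*(16c-c)) + (16*(32*3c-c)+c) = 1589*c.
 * Arithmetic is modulo 2^32 like the 32-bit accumulator. */
uint32_t bj_stage23(const char *padded, size_t len, uint32_t acc)
{
    for (size_t i = 1; i <= len; i++) {
        uint32_t c = (uint32_t)sbyte(padded[i - 1]);
        acc += (uint32_t)(2 * i * (i - 1)) * c;
        acc += 1589u * c;
    }
    return acc;
}

/* Full generator: "BJ" + IntToStr(esi). Returns 0 if a buffer is too small. */
int bj_serial(const char *name, char *out, size_t outsz)
{
    char padded[512], digits[9];
    size_t len = bj_pad_name(name, padded, sizeof padded);
    if (len == 0)
        return 0;
    bj_stage1(padded, digits);
    uint32_t acc = bj_stage23(padded, len, (uint32_t)strtoul(digits, NULL, 10));
    return snprintf(out, outsz, "BJ%" PRId32, (int32_t)acc) < (int)outsz;
}

/* The check the dialog performs at 004D0F9C: an exact string comparison. */
int bj_check(const char *name, const char *code)
{
    char expect[32];
    return bj_serial(name, expect, sizeof expect) && strcmp(expect, code) == 0;
}

int main(int argc, char **argv)
{
    char code[32];
    const char *name = argc > 1 ? argv[1] : "lq7972";   /* the writeup's own name */
    if (!bj_serial(name, code, sizeof code))
        return 1;
    printf("%s -> %s\n", name, code);
    return 0;
}
```

Because the first-stage digits are produced from the decimal string rather than from `% 10` and `/ 10`, the function also behaves like the binary for results of 100 or more, which can only arise from bytes >= 0x80 (the neg path at 00411830), and for those bytes `sbyte` sign-extends exactly as movsx does in stages 2 and 3.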
【Keygen】
/* BJigsaw V 7.7 KeyGen */
/* in C */
/* by lq7972 */
/* bruceyu13@sina.com */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*///////////////////////////////////////////////////////*/
/* main program */
int main ()
{
    int i, j;
    int nameLen;
    int tmp01, tmp02, tmp03;
    int regCode_N;
    char regCode_S [10] = {0};          /* 8 digits + NUL, zero-filled */
    char regName [255 + 9];             /* room for the name, 8 spaces and the NUL */
    const char * setString = "awgsJiBtAANrPNYOntA";
    printf ("Enter your name : ");
    if (fgets (regName, 256, stdin) == NULL)
        return 1;
    regName [strcspn (regName, "\r\n")] = 0;   /* drop the newline fgets keeps */
    nameLen = strlen (regName);
    /* pad according to the user name length (cmp eax,8 / jg at 00411724) */
    if (nameLen <= 8) {
        for (i = 0; i < 8; i ++)
            regName [nameLen ++] = 0x20;   /* space character */
        regName [nameLen] = 0;             /* nul */
    }
    /* first computation: XOR with setString, then swap the two digits */
    for (i = 1, j = 0; i <= 8; i += 2, j += 2) {
        tmp01 = setString [i];
        tmp02 = (signed char) regName [i-1];       /* movsx: bytes >= 0x80 read as negative */
        tmp03 = (signed char) (tmp01 ^ tmp02);
        if (tmp03 < 0)
            tmp03 *= -1;
        /* results >= 100 (non-ASCII bytes only) are not handled here; the binary
           works on the first two characters of the decimal string */
        tmp01 = tmp03 % 10; tmp02 = tmp03 / 10;
        if (0 == tmp02) {                   /* single digit: "1", then the digit */
            regCode_S [j] = 0x31;
            regCode_S [j+1] = tmp01 + 0x30;
        }
        else if (0 == tmp01) {              /* ones digit 0: "1", then the tens digit */
            regCode_S [j] = 0x31;
            regCode_S [j+1] = tmp02 + 0x30;
        }
        else {                              /* otherwise the two digits reversed */
            regCode_S [j] = tmp01 + 0x30;
            regCode_S [j+1] = tmp02 + 0x30;
        }
    }
    regCode_N = atoi (regCode_S);
    /* second computation */
    for (i = 1; i <= nameLen; i ++) {
        tmp01 = i+i; tmp02 = (signed char) regName [i-1]; tmp03 = i-1;
        regCode_N += tmp01 * tmp03 * tmp02;
    }
    /* third computation, three steps per character */
    for (i = 1; i <= nameLen; i ++) {
        tmp01 = tmp02 = tmp03 = (signed char) regName [i-1];
        tmp01 <<= 3; tmp01 -= tmp03;           /* 7c */
        regCode_N += tmp01;
        tmp02 <<= 4; tmp02 -= tmp03;
        tmp01 = tmp03+tmp02*4;                 /* 61c */
        regCode_N += tmp01;
        tmp01 = tmp03 + tmp03*2;
        tmp01 <<= 5; tmp01 -= tmp03;
        tmp01 <<= 4; tmp01 += tmp03;           /* 1521c */
        regCode_N += tmp01;
    }
    printf ("Your Reg Code : %s%d\n", "BJ", regCode_N);
    return 0;
}
/* Thanks. */