Kyodai Mahjongg 19.00(四川省麻将)--算法分析 -pc6资讯

您的位置：首页 → 精文荟萃 → 破解文章 → Kyodai Mahjongg 19.00(四川省麻将)--算法分析

Kyodai Mahjongg 19.00(四川省麻将)--算法分析 时间：2004/10/15 0:52:00来源：本站整理作者：蓝点我要评论(0): 　

Kyodai Mahjongg 19.00(四川省麻将)--算法分析
作者：newlaos[DFCG]

软件名称： Kyodai Mahjongg 19.00(四川省麻将)
软件授权：共享软件
注册费用： 25美元
使用平台： Win95/98/NT
软件开发： http://kyodai.com/

软件简介：
　　非常好玩的四川省麻将游戏，支持DirectX，可改变背景音乐...制作画面精美，如果用四川方言形容----“不摆了”，爱好麻将的朋友可不要错过机会哟！

加密方式：ASPACK2.1+注册码
功能限制：未注册信息提示
PJ工具：TRW20001.23注册版、W32Dasm8.93黄金版，FI2.5,PE-scan3.1
PJ日期：2003-03-30
作者newlaos申明：只是学习，请不用于商业用途或是将本文方法制作的注册机任意传播，造成后果，本人一概不负。

1、先用FI2.5看一下主文件“kmj.exe”，加了ASPACK2.1壳，自动脱壳用PE-scan3.1很快搞定，生成UNPACK.EXE文件，再看，程序是用DELPHI编的。手动脱壳也不难，OEP在4F2858。

2、用W32Dasm8.93黄金版对UNPACK.EXE进行静态反汇编，再用串式数据参考，找到"Thanks again ! You're now registered."(很经典的句子)，双击来到下面代码段。这样就找到注册码的计算部分。

3、再用TRW20001.23注册版进行动态跟踪，下断BPX 004B1807(通常在注册成功与否的前面一些下断，这样，才能找到关键部分)，
先输入注码名：newlaos[DFCG]
假码: 78787878

.......
.......
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B17A0(C)
|
:004B1807 8D55FC lea edx, dword ptr [ebp-04]
:004B180A 8B8358930A00 mov eax, dword ptr [ebx+000A9358]
:004B1810 8B8028030000 mov eax, dword ptr [eax+00000328]
:004B1816 E8D952F9FF call 00446AF4 <===计算注册名的长度，EAX=D
:004B181B 8B55FC mov edx, dword ptr [ebp-04] <===EDX=newlaos[DFCG]
:004B181E 8D83BCDF0800 lea eax, dword ptr [ebx+0008DFBC]
:004B1824 E8CB31F5FF call 004049F4
:004B1829 8D55F8 lea edx, dword ptr [ebp-08]
:004B182C 8B8358930A00 mov eax, dword ptr [ebx+000A9358]
:004B1832 8B8024030000 mov eax, dword ptr [eax+00000324]
:004B1838 E8B752F9FF call 00446AF4 <===计算注册名的长度，EAX=8
:004B183D 8B55F8 mov edx, dword ptr [ebp-08] <===EDX=78787878
:004B1840 8D83C0DF0800 lea eax, dword ptr [ebx+0008DFC0]
:004B1846 E8A931F5FF call 004049F4
:004B184B 8BC3 mov eax, ebx
:004B184D E8B2410300 call 004E5A04
:004B1852 8BC3 mov eax, ebx
:004B1854 E8871C0000 call 004B34E0 <===关键的CALL，F8跟进
:004B1859 84C0 test al, al
:004B185B 7470 je 004B18CD <===关键跳转，这里跳过去就OVER!

* Possible StringData Ref from Data Obj ->"Software\Namida"<===从这一段开始，到004B18A7是将正确的注册信息写入注册表
|
:004B185D B970194B00 mov ecx, 004B1970
:004B1862 B201 mov dl, 01

* Possible StringData Ref from Data Obj ->"窫C"
|
:004B1864 A118344300 mov eax, dword ptr [00433418]
:004B1869 E8862CF8FF call 004344F4
:004B186E 8BF0 mov esi, eax
:004B1870 8B83BCDF0800 mov eax, dword ptr [ebx+0008DFBC]
:004B1876 50 push eax

* Possible StringData Ref from Data Obj ->"RegUser"
|
:004B1877 B988194B00 mov ecx, 004B1988

* Possible StringData Ref from Data Obj ->"Kyodai"
|
:004B187C BA98194B00 mov edx, 004B1998
:004B1881 8BC6 mov eax, esi
:004B1883 8B38 mov edi, dword ptr [eax]
:004B1885 FF5704 call [edi+04]
:004B1888 8B83C0DF0800 mov eax, dword ptr [ebx+0008DFC0]
:004B188E 50 push eax

* Possible StringData Ref from Data Obj ->"RegPass"
|
:004B188F B9A8194B00 mov ecx, 004B19A8

* Possible StringData Ref from Data Obj ->"Kyodai"
|
:004B1894 BA98194B00 mov edx, 004B1998
:004B1899 8BC6 mov eax, esi
:004B189B 8B38 mov edi, dword ptr [eax]
:004B189D FF5704 call [edi+04]
:004B18A0 8BC6 mov eax, esi
:004B18A2 E80523F5FF call 00403BAC
:004B18A7 8D4DF4 lea ecx, dword ptr [ebp-0C]

* Possible StringData Ref from Data Obj ->"Thanks again ! You're now registered."
|
:004B18AA BAB8194B00 mov edx, 004B19B8 <===显示“再次感谢你，你已经成功注册”
:004B18AF 8B8348040000 mov eax, dword ptr [ebx+00000448]
:004B18B5 E882C1FCFF call 0047DA3C
:004B18BA 8B45F4 mov eax, dword ptr [ebp-0C]
:004B18BD 668B0DE0194B00 mov cx, word ptr [004B19E0]
:004B18C4 B202 mov dl, 02
:004B18C6 E8F5B3FFFF call 004ACCC0
:004B18CB EB63 jmp 004B1930

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B185B(C)
|
:004B18CD 8B83BCDF0800 mov eax, dword ptr [ebx+0008DFBC]
:004B18D3 E88833F5FF call 00404C60
:004B18D8 83F808 cmp eax, 00000008 <===EAX为注册名长度，如果等于，这里就跳走,显示注册名错误信息
:004B18DB 7D26 jge 004B1903
<===这里跳过去，就是显示错误的注册信息!如果不跳走，就是显示注册名不够8个字符。
:004B18DD 8D4DF0 lea ecx, dword ptr [ebp-10]

* Possible StringData Ref from Data Obj ->"The user name must be at least "
->"8 characters long !"
|
:004B18E0 BAEC194B00 mov edx, 004B19EC
:004B18E5 8B8348040000 mov eax, dword ptr [ebx+00000448]
:004B18EB E84CC1FCFF call 0047DA3C
:004B18F0 8B45F0 mov eax, dword ptr [ebp-10]
:004B18F3 668B0DE0194B00 mov cx, word ptr [004B19E0]
:004B18FA B202 mov dl, 02
:004B18FC E8BFB3FFFF call 004ACCC0
:004B1901 EB2D jmp 004B1930

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B18DB(C)
|
:004B1903 8D4DEC lea ecx, dword ptr [ebp-14]

* Possible StringData Ref from Data Obj ->"Sorry, wrong password. Please "
->"check out if you entered the user "
->"name and password exactly as I "
->"gave them to you."
|
:004B1906 BA281A4B00 mov edx, 004B1A28
:004B190B 8B8348040000 mov eax, dword ptr [ebx+00000448]
:004B1911 E826C1FCFF call 0047DA3C
:004B1916 8B45EC mov eax, dword ptr [ebp-14]
:004B1919 668B0DE0194B00 mov cx, word ptr [004B19E0]
:004B1920 B202 mov dl, 02
:004B1922 E899B3FFFF call 004ACCC0
:004B1927 EB07 jmp 004B1930

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B1801(C)
|
:004B1929 8BC3 mov eax, ebx
:004B192B E8D4400300 call 004E5A04

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B18CB(U), :004B1901(U), :004B1927(U)
|
:004B1930 33C0 xor eax, eax
:004B1932 5A pop edx
:004B1933 59 pop ecx
:004B1934 59 pop ecx
:004B1935 648910 mov dword ptr fs:[eax], edx
:004B1938 685F194B00 push 004B195F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B195D(U)
|
:004B193D 8D45EC lea eax, dword ptr [ebp-14]
:004B1940 BA03000000 mov edx, 00000003
:004B1945 E87A30F5FF call 004049C4
:004B194A 8D45F8 lea eax, dword ptr [ebp-08]
:004B194D BA02000000 mov edx, 00000002
:004B1952 E86D30F5FF call 004049C4
:004B1957 C3 ret
.......
.......

-------004B1854 call 004B34E0 --关键的CALL，F8跟进----------------------
如果要正确注册，则AL返回时，不能为0
:004B34E0 55 push ebp
:004B34E1 8BEC mov ebp, esp
:004B34E3 B91B000000 mov ecx, 0000001B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B34ED(C)
|
:004B34E8 6A00 push 00000000
:004B34EA 6A00 push 00000000
:004B34EC 49 dec ecx
:004B34ED 75F9 jne 004B34E8
:004B34EF 53 push ebx
:004B34F0 56 push esi
:004B34F1 8BD8 mov ebx, eax
:004B34F3 33C0 xor eax, eax
:004B34F5 55 push ebp
:004B34F6 68BE424B00 push 004B42BE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3486(C)
|
:004B34FB 64FF30 push dword ptr fs:[eax]
:004B34FE 648920 mov dword ptr fs:[eax], esp

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B349A(C)
|
:004B3501 C645FF01 mov [ebp-01], 01
:004B3505 8B83BCDF0800 mov eax, dword ptr [ebx+0008DFBC]
:004B350B E85017F5FF call 00404C60
:004B3510 83E802 sub eax, 00000002
:004B3513 7C22 jl 004B3537
:004B3515 40 inc eax
:004B3516 BA02000000 mov edx, 00000002

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3535(C)
|
:004B351B 8B8BBCDF0800 mov ecx, dword ptr [ebx+0008DFBC]
:004B3521 8A4C11FF mov cl, byte ptr [ecx+edx-01] <===从注册名第二个字符开始，依次提取每个字符的ASC码
:004B3525 8BB3BCDF0800 mov esi, dword ptr [ebx+0008DFBC]
:004B352B 3A0E cmp cl, byte ptr [esi] <===提出的ASC码值，与第一个字符的ASC码值作比较
:004B352D 7404 je 004B3533 <===只要有一个比较出来，就跳出来循环结构
:004B352F C645FF00 mov [ebp-01], 00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B352D(C)
|
:004B3533 42 inc edx
:004B3534 48 dec eax
:004B3535 75E4 jne 004B351B <===这里构成一个循环结构，这里的功能好象是确定注册名的第一个字符后，在后面找与第一个字符相同的字符，以确定一个位置。

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B3513(C)
|
:004B3537 807DFF01 cmp byte ptr [ebp-01], 01
:004B353B 7509 jne 004B3546 <===这里跳走
:004B353D C645FF00 mov [ebp-01], 00
:004B3541 E95A0D0000 jmp 004B42A0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B353B(C)
|
:004B3546 8B83BCDF0800 mov eax, dword ptr [ebx+0008DFBC]
:004B354C E80F17F5FF call 00404C60
:004B3551 85C0 test eax, eax
:004B3553 0F8EEA0C0000 jle 004B4243
:004B3559 8D4DF8 lea ecx, dword ptr [ebp-08]
:004B355C 8B93BCDF0800 mov edx, dword ptr [ebx+0008DFBC] <===EDX=newlaos[DFCG]
:004B3562 8BC3 mov eax, ebx
:004B3564 E85BC6FFFF call 004AFBC4 <===算法CALL，F8跟进
:004B3569 8B45F8 mov eax, dword ptr [ebp-08] <===EAX就是真注册码了
:004B356C 8B93C0DF0800 mov edx, dword ptr [ebx+0008DFC0]<===EDX=78787878
:004B3572 E83518F5FF call 00404DAC <===对比真假的CALL
:004B3577 0F85C60C0000 jne 004B4243 <===不正确，就从这里跳走。
:004B357D 8D4DF4 lea ecx, dword ptr [ebp-0C]
***************
.......
此处省去若干行，主要是此软件列出的n多的黑名单，
.......
***************
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B3553(C), :004B3577(C), :004B359E(C)
|
:004B4243 8D8D28FFFFFF lea ecx, dword ptr [ebp+FFFFFF28] <===跳到这里

* Possible StringData Ref from Data Obj ->"Unregistered version - Please "
->"Register !!!"
|
:004B4249 BA644C4B00 mov edx, 004B4C64
:004B424E 8B8348040000 mov eax, dword ptr [ebx+00000448]
:004B4254 E8E397FCFF call 0047DA3C
:004B4259 8B8D28FFFFFF mov ecx, dword ptr [ebp+FFFFFF28]
:004B425F 8D83C4DF0800 lea eax, dword ptr [ebx+0008DFC4]

* Possible StringData Ref from Data Obj ->" - "
|
:004B4265 BA984C4B00 mov edx, 004B4C98
:004B426A E83D0AF5FF call 00404CAC

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B4229(U), :004B4241(U)
|
:004B426F FFB3C4DF0800 push dword ptr [ebx+0008DFC4]

* Possible StringData Ref from Data Obj ->" "
|
:004B4275 68A44C4B00 push 004B4CA4
:004B427A FFB3C8DF0800 push dword ptr [ebx+0008DFC8]
:004B4280 8D83FC4A0A00 lea eax, dword ptr [ebx+000A4AFC]
:004B4286 BA03000000 mov edx, 00000003
:004B428B E8900AF5FF call 00404D20
:004B4290 80BBC44C0A0000 cmp byte ptr [ebx+000A4CC4], 00
:004B4297 7407 je 004B42A0
:004B4299 8BC3 mov eax, ebx
:004B429B E85CEF0100 call 004D31FC

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B3541(U), :004B4297(C)
|
:004B42A0 33C0 xor eax, eax
:004B42A2 5A pop edx
:004B42A3 59 pop ecx
:004B42A4 59 pop ecx
:004B42A5 648910 mov dword ptr fs:[eax], edx
:004B42A8 68C5424B00 push 004B42C5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B42C3(U)
|
:004B42AD 8D8528FFFFFF lea eax, dword ptr [ebp+FFFFFF28]
:004B42B3 BA35000000 mov edx, 00000035
:004B42B8 E80707F5FF call 004049C4
:004B42BD C3 ret

:004B42BE E93D00F5FF jmp 00404300
:004B42C3 EBE8 jmp 004B42AD
:004B42C5 8A45FF mov al, byte ptr [ebp-01]
:004B42C8 5E pop esi
:004B42C9 5B pop ebx
:004B42CA 8BE5 mov esp, ebp
:004B42CC 5D pop ebp
:004B42CD C3 ret

-------004B3564 call 004AFBC4 算法CALL，F8跟进----------------------
初始值EDX=newlaos[DFCG]
返回时，EAX就为真码(前提是输入的注册名要长于8位)
:004AFBC4 55 push ebp
:004AFBC5 8BEC mov ebp, esp
:004AFBC7 83C4F0 add esp, FFFFFFF0
:004AFBCA 53 push ebx
:004AFBCB 56 push esi
:004AFBCC 57 push edi
:004AFBCD 33DB xor ebx, ebx
:004AFBCF 895DF0 mov dword ptr [ebp-10], ebx
:004AFBD2 8BF9 mov edi, ecx
:004AFBD4 8955F8 mov dword ptr [ebp-08], edx
:004AFBD7 8945FC mov dword ptr [ebp-04], eax
:004AFBDA 8B45F8 mov eax, dword ptr [ebp-08]
:004AFBDD E86E52F5FF call 00404E50
:004AFBE2 33C0 xor eax, eax
:004AFBE4 55 push ebp
:004AFBE5 68D9FC4A00 push 004AFCD9
:004AFBEA 64FF30 push dword ptr fs:[eax]
:004AFBED 648920 mov dword ptr fs:[eax], esp
:004AFBF0 8B45F8 mov eax, dword ptr [ebp-08]
:004AFBF3 E86850F5FF call 00404C60
:004AFBF8 8B55F8 mov edx, dword ptr [ebp-08] <===EDX=newlaos[DFCG]
:004AFBFB 0FB64402FF movzx eax, byte ptr [edx+eax-01] <===将注册名的最后一个字符的ASC码值放入EAX
:004AFC00 8B55F8 mov edx, dword ptr [ebp-08]
:004AFC03 0FB612 movzx edx, byte ptr [edx] <===将注册名的第一个字符的ASC码值放入EDX
:004AFC06 03C2 add eax, edx <===两值相加
:004AFC08 B90A000000 mov ecx, 0000000A <===ECX=A，是被除数
:004AFC0D 33D2 xor edx, edx
:004AFC0F F7F1 div ecx
:004AFC11 83C230 add edx, 00000030 ***<===余数为9，加上30。构成39，正好是9的ASCII(十六位进制)，这就得出了注册码的第一部分
:004AFC14 8BC7 mov eax, edi
:004AFC16 E86D4FF5FF call 00404B88
:004AFC1B 8B45F8 mov eax, dword ptr [ebp-08]
:004AFC1E E83D50F5FF call 00404C60
:004AFC23 8BF0 mov esi, eax
:004AFC25 83EE02 sub esi, 00000002
:004AFC28 7C3A jl 004AFC64 <===如果注册名小于8位，就从这里跳走
:004AFC2A 46 inc esi
:004AFC2B BB02000000 mov ebx, 00000002

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFC62(C)
|
:004AFC30 8B45F8 mov eax, dword ptr [ebp-08]
:004AFC33 0FB64418FE movzx eax, byte ptr [eax+ebx-02] <===依次提取注册名的第n位字符(n=1,.....m-1)，m为输入注册名的长度
:004AFC38 8B55F8 mov edx, dword ptr [ebp-08]
:004AFC3B 0FB6541AFF movzx edx, byte ptr [edx+ebx-01] <===依次提取注册名的第n+1位字符
:004AFC40 03C2 add eax, edx <===两个字符的ASC码值相加
:004AFC42 B90A000000 mov ecx, 0000000A
:004AFC47 33D2 xor edx, edx
:004AFC49 F7F1 div ecx <===相加之和，除以A，余数构成注册码的第n+1位
:004AFC4B 83C230 add edx, 00000030
:004AFC4E 8D45F0 lea eax, dword ptr [ebp-10]
:004AFC51 E8324FF5FF call 00404B88
:004AFC56 8B55F0 mov edx, dword ptr [ebp-10]
:004AFC59 8BC7 mov eax, edi
:004AFC5B E80850F5FF call 00404C68
:004AFC60 43 inc ebx
:004AFC61 4E dec esi
:004AFC62 75CC jne 004AFC30 ***<===向上构成一个小循环，主要功能是计算注册码的第二部分

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFC28(C)
|
:004AFC64 C645F701 mov [ebp-09], 01
:004AFC68 8B45F8 mov eax, dword ptr [ebp-08]
:004AFC6B E8F04FF5FF call 00404C60
:004AFC70 8BF0 mov esi, eax
:004AFC72 83EE02 sub esi, 00000002
:004AFC75 7C1C jl 004AFC93
:004AFC77 46 inc esi
:004AFC78 BB02000000 mov ebx, 00000002

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFC91(C)
|
:004AFC7D 8B45F8 mov eax, dword ptr [ebp-08]
:004AFC80 8A4418FF mov al, byte ptr [eax+ebx-01]
:004AFC84 8B55F8 mov edx, dword ptr [ebp-08]
:004AFC87 3A02 cmp al, byte ptr [edx]
:004AFC89 7404 je 004AFC8F
:004AFC8B C645F700 mov [ebp-09], 00

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFC89(C)
|
:004AFC8F 43 inc ebx
:004AFC90 4E dec esi
:004AFC91 75EA jne 004AFC7D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFC75(C)
|
:004AFC93 807DF700 cmp byte ptr [ebp-09], 00
:004AFC97 750D jne 004AFCA6
:004AFC99 8B45F8 mov eax, dword ptr [ebp-08]
:004AFC9C E8BF4FF5FF call 00404C60
:004AFCA1 83F808 cmp eax, 00000008
:004AFCA4 7D15 jge 004AFCBB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFC97(C)
|
:004AFCA6 8BCF mov ecx, edi
:004AFCA8 8B45FC mov eax, dword ptr [ebp-04]
:004AFCAB 8B8048040000 mov eax, dword ptr [eax+00000448]

* Possible StringData Ref from Data Obj ->"UNREGISTERED"
|
:004AFCB1 BAF0FC4A00 mov edx, 004AFCF0
:004AFCB6 E881DDFCFF call 0047DA3C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFCA4(C)
|
:004AFCBB 33C0 xor eax, eax
:004AFCBD 5A pop edx
:004AFCBE 59 pop ecx
:004AFCBF 59 pop ecx
:004AFCC0 648910 mov dword ptr fs:[eax], edx
:004AFCC3 68E0FC4A00 push 004AFCE0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AFCDE(U)
|
:004AFCC8 8D45F0 lea eax, dword ptr [ebp-10]
:004AFCCB E8D04CF5FF call 004049A0
:004AFCD0 8D45F8 lea eax, dword ptr [ebp-08]
:004AFCD3 E8C84CF5FF call 004049A0
:004AFCD8 C3 ret

:004AFCD9 E92246F5FF jmp 00404300
:004AFCDE EBE8 jmp 004AFCC8
:004AFCE0 5F pop edi
:004AFCE1 5E pop esi
:004AFCE2 5B pop ebx
:004AFCE3 8BE5 mov esp, ebp
:004AFCE5 5D pop ebp
:004AFCE6 C3 ret

---------------------------------------------------------------------------------------

4、算法分析：---类型：f(注册名)=注册码---
a、输入注册名的第一个字符和最后一个字符的ASC码值相加，除以A，余数即为注册码的第一个字符
b、依次提取注册名的第n位字符和第n+1位字符，两者的ASC码值相加除以A，余数即为注册码的第n+1位字符(n为注册名的长度-1)，构成注册码的第二部分
c、将第一部分和第二部分最终组成真正的注册码

5、用KEYMAKE1.73制作注册机：(呵呵，好象一运行就出错)
一、选择F8 → 另类注册机！
程序名称：kmj.exe
添加数据：
　　中断地址：004B3569
中断次数：2
第一字节：8B
指令长度：3
　　保存下列信息为注册码 → 内存方式 → 寄存器 → EAX
二、选择内存方式：内存地址 → 1A3D068 → 点生成，就有你乐的了

6、注册信息保存在注册表：
[HKEY_CURRENT_USER\Software\Namida\Kyodai]
"RegUser"="newlaos[DFCG]"
"RegPass"="3107586698784"
"Launches"=dword:00000008 <===这是使用次数

文章评论

查看所有0条评论>>

热门文章 去除winrar注册框方法