A complete crack of Actual checker v1.0
Software: a Russian board game published by Atlant Software.
Tools: W32Dasm, TRW2000
Cracked by: 三脚猫 (trilegcat)
1. A search in W32Dasm turns up the sensitive string "register.key". Double-clicking it lands in the following code.
:0047D3F9 40 inc eax
:0047D3FA 83F81E cmp eax, 0000001E *****
:0047D3FD 7CB4 jl 0047D3B3
* Possible StringData Ref from Code Obj ->"Register.key"
|
:0047D3FF BA84D54700 mov edx, 0047D584
:0047D404 B83CE44900 mov eax, 0049E43C
* Possible StringData Ref from Code Obj ->"Name "
|
:0047D42A 689CD54700 push 0047D59C
:0047D42F 8D55E4 lea edx, dword ptr [ebp-1C]
:0047D444 68ACD54700 push 0047D5AC
* Possible StringData Ref from Code Obj ->"cod "
|
:0047D463 68C4D54700 push 0047D5C4
:0047D468 8D55E0 lea edx, dword ptr [ebp-20]
* Possible StringData Ref from Code Obj ->"Please restart program"
|
:0047D4B3 B8D4D54700 mov eax, 0047D5D4
:0047D4B8 E81F27FEFF call 0045FBDC
:0047D4BD 8BC6 mov eax, esi
:0047D4BF E8B4D2FCFF call 0044A778
The line marked ***** is the key comparison: as long as the registration code you enter is at least 30 (1Eh) characters long, the name and code are written to a keyfile named register.key and the program asks you to restart so it can verify the code.
2. Searching W32Dasm for the string register.key again finds a second place; this must be the code that reads the file when the program starts.
* Referenced by a CALL at Addresses:
|:0047CDEA , :0047CE0B , :0047CE2C , :0047CE4B , :0047CE65
|
:0047CCBC 55 push ebp
:0047CCDE E8BD6EF8FF call 00403BA0
* Possible StringData Ref from Code Obj ->"Register.key"
|
:0047CCE3 BA4CCD4700 mov edx, 0047CD4C
:0047CCE8 B83CE44900 mov eax, 0049E43C
:0047CCED E8AC8CF8FF call 0040599E
Five addresses call it, and all of them sit inside the call 0047CD5C at 0047D245. Stepping into it shows that it reads five values from the keyfile: name, num, cod, addr and size.
3. Enter name: trilegcat and fn: 67895432678954326789543267895432. The keyfile is generated automatically; restart the program as prompted. In TRW set bpx 0047d245; when it breaks, press F8 to step into the call.
* Possible StringData Ref from Code Obj ->"cod "
|
:0047CE27 B8E0D04700 mov eax, 0047D0E0
:0047CE2C E88BFEFFFF call 0047CCBC
:0047CE31 8B55EC mov edx, dword ptr [ebp-14]
Here d edx shows fn. Set bpmw edx r to trace reads of fn; after the break you can follow it to the code below.
:0047D142 A1F8E34900 mov eax, dword ptr [0049E3F8]
:0047D147 8A4418FF mov al, byte ptr [eax+ebx-01]
:0047D14B 3C30 cmp al, 30 ; every byte of fn must lie between 30h and 46h,
:0047D14D 0F82A9000000 jb 0047D1FC ; i.e. the ASCII characters 0-F: hex digits, interesting
:0047D153 8B15F8E34900 mov edx, dword ptr [0049E3F8]
:0047D159 3C46 cmp al, 46
:0047D15B 0F879B000000 ja 0047D1FC
:0047D161 43 inc ebx
:0047D162 83FB1E cmp ebx, 0000001E
:0047D165 7CDB jl 0047D142
:0047D167 BB01000000 mov ebx, 00000001
:0047D16C 8D45F8 lea eax, dword ptr [ebp-08]
:0047D16F 8B15F8E34900 mov edx, dword ptr [0049E3F8]
:0047D175 8A541AFF mov dl, byte ptr [edx+ebx-01]
:0047D179 885001 mov byte ptr [eax+01], dl
:0047D17C C60001 mov byte ptr [eax], 01
:0047D17F 8D55F8 lea edx, dword ptr [ebp-08]
:0047D182 8D45F4 lea eax, dword ptr [ebp-0C]
:0047D185 E87258F8FF call 004029FC
:0047D18A 8D45F0 lea eax, dword ptr [ebp-10]
:0047D18D 8B15F8E34900 mov edx, dword ptr [0049E3F8]
:0047D193 8A141A mov dl, byte ptr [edx+ebx]
:0047D196 885001 mov byte ptr [eax+01], dl
:0047D199 C60001 mov byte ptr [eax], 01
:0047D19C 8D55F0 lea edx, dword ptr [ebp-10]
:0047D19F 8D45F4 lea eax, dword ptr [ebp-0C]
:0047D1A2 B102 mov cl, 02
:0047D1A4 E82358F8FF call 004029CC
:0047D1A9 8D55F4 lea edx, dword ptr [ebp-0C]
:0047D1AC 8D45FC lea eax, dword ptr [ebp-04]
:0047D1AF E8106CF8FF call 00403DC4
:0047D1B4 A1ECE34900 mov eax, dword ptr [0049E3EC]
:0047D1B9 0FB64438FF movzx eax, byte ptr [eax+edi-01]
:0047D1BE 8904B5FCE34900 mov dword ptr [4*esi+0049E3FC], eax ; cycles through the first five chars of name (here triletriletrilet); call them Ai
:0047D1C5 8D45EC lea eax, dword ptr [ebp-14]
:0047D1C8 8B4DFC mov ecx, dword ptr [ebp-04]
:0047D1CB BA30D24700 mov edx, 0047D230
:0047D1D0 E8976CF8FF call 00403E6C
:0047D1D5 8B45EC mov eax, dword ptr [ebp-14] ; takes the registration code two characters at a time (67 89 54 32 67 89 ...); call them Bi
:0047D1D8 E8ABB6F8FF call 00408888
:0047D1DD 2904B5FCE34900 sub dword ptr [4*esi+0049E3FC], eax ; Ai - Bi; call the result Ci
:0047D1E4 46 inc esi
:0047D1E5 47 inc edi
:0047D1E6 83C302 add ebx, 00000002
:0047D1E9 83FF05 cmp edi, 00000005
:0047D1EC 7E05 jle 0047D1F3
:0047D1EE BF01000000 mov edi, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047D1EC(C)
|
:0047D1F3 83FE10 cmp esi, 00000010 ; loops 16 times in all
:0047D1F6 0F8C70FFFFFF jl 0047D16C
Tracing reads of Ci with bpm in the same way leads here:
:004998EE 8B03 mov eax, dword ptr [ebx] ; load C1
:004998F0 03431C add eax, dword ptr [ebx+1C] ; C1 + C8 (1C/4 + 1 = 8)
:004998F3 034310 add eax, dword ptr [ebx+10] ; C1 + C8 + C5 (10/4 + 1 = 5)
:004998F6 83F80F cmp eax, 0000000F ; the sum must equal F
:004998F9 750F jne 0049990A
:004998FB B201 mov dl, 01
:004998FD 8B86DC020000 mov eax, dword ptr [esi+000002DC]
:00499903 E8B064FAFF call 0043FDB8
:00499908 EB0D jmp 00499917
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004998F9(C)
|
:0049990A 33D2 xor edx, edx
:0049990C 8B86DC020000 mov eax, dword ptr [esi+000002DC]
:00499912 E8A164FAFF call 0043FDB8
A long run of similar code follows, up to this point:
:00499DF3 8B4304 mov eax, dword ptr [ebx+04]
:00499DF6 034318 add eax, dword ptr [ebx+18]
:00499DF9 0303 add eax, dword ptr [ebx]
:00499DFB 83F814 cmp eax, 00000014
:00499DFE 753E jne 00499E3E
:00499E00 8B0D3CCD4900 mov ecx, dword ptr [0049CD3C]
:00499E06 8B09 mov ecx, dword ptr [ecx]
:00499E08 8D45FC lea eax, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"Registered by: "
|
:00499E0B BA7C9E4900 mov edx, 00499E7C
:00499E10 E857A0F6FF call 00403E6C
:00499E15 8B55FC mov edx, dword ptr [ebp-04]
:00499E18 A16CCB4900 mov eax, dword ptr [0049CB6C]
:00499E1D 8B00 mov eax, dword ptr [eax]
:00499E1F 8B8000030000 mov eax, dword ptr [eax+00000300]
:00499E25 E86E56F9FF call 0042F498
:00499E2A A16CCB4900 mov eax, dword ptr [0049CB6C]
:00499E2F 8B00 mov eax, dword ptr [eax]
:00499E31 8B8000030000 mov eax, dword ptr [eax+00000300]
:00499E37 B201 mov dl, 01
:00499E39 E84255F9FF call 0042F380
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00499DFE(C)
|
:00499E3E 33C0 xor eax, eax
:00499E40 5A pop edx
Collecting them, the Ci must satisfy all of the following:
C1+C8+C5=F  C3+C14+C10+C11=9  C5+C13=9  C2+C7+C9=14  C4+C+C14=D
C2+C7+C8=18  C9+C11=4  C2+C9+C10=11  C2+C1+C13=F  C1+C2=B
C6+C9+C11=5  C2+C12=8  C4+C6=3  C3+C14+C10+C11=9  C5+C6=6
C2+C5+C7=16  C4+C5+C8=E  C12+C13=4  C1+C2+C6=C  C7+C8=10
C5+C13=9  C5+C7=17  C1+C7+C10=12  C2+C7+C8=18  C4+C8+C6=A
C5+C6=6  C5+C13=9  C5+C2=D  C2+C1+C7=14
Solving gives:
C1  C2  C3  C4  C5  C6  C7  C8  C9  C10  C11  C12  C13  C14
3   8   0   2   5   1   9   7   3   6    1    0    4    2
From these the registration code works out to:
name: trilegcat
code: 716A696A60736962695F7372656A5858
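Added example (not from the original write-up): a Python re-implementation of the checks traced above, the 30h-46h range test and the Ci = Ai - Bi derivation at 0047D142-0047D1F6 followed by the sum constraints, run against the name/code pair just computed. Assumptions: the constraint list is the one above with repeats dropped and the unparsable C4+C+C14=D entry left out; as transcribed, C5+C7=17 does not hold for the page's own Ci values (5+9 = Eh), and the checker reports it rather than hiding it.

```python
# Reproduces the keyfile checks traced in the write-up above (added example).
NAME = "trilegcat"                                   # name/code pair from the write-up
CODE = "716A696A60736962695F7372656A5858"

# Sum checks from the equation list above, repeats dropped; the entry with the
# missing index ("C4+C+C14=D") is left out because it cannot be parsed.
CONSTRAINTS = (
    "C1+C8+C5=F C3+C14+C10+C11=9 C5+C13=9 C2+C7+C9=14 C2+C7+C8=18 C9+C11=4 "
    "C2+C9+C10=11 C2+C1+C13=F C1+C2=B C6+C9+C11=5 C2+C12=8 C4+C6=3 C5+C6=6 "
    "C2+C5+C7=16 C4+C5+C8=E C12+C13=4 C1+C2+C6=C C7+C8=10 C5+C7=17 "
    "C1+C7+C10=12 C4+C8+C6=A C5+C2=D C2+C1+C7=14"
).split()


def derive_c(name, code):
    """Mirror 0047D142-0047D1F6: each code byte must be in 30h..46h (ASCII
    '0'..'F'), then Ci = ord(name[(i-1) % 5]) - int(code[2i-2:2i], 16) for
    i = 1..16.  Returns {i: Ci}, or None if the input fails the checks."""
    if len(name) < 5 or len(code) < 32:
        return None
    if any(not ("0" <= ch <= "F") for ch in code[:32]):   # the jb/ja range test
        return None
    c = {}
    for i in range(1, 17):
        a_i = ord(name[(i - 1) % 5])                  # Ai: name chars cycle t,r,i,l,e
        try:
            b_i = int(code[2 * i - 2:2 * i], 16)      # Bi: two hex chars per step
        except ValueError:                            # ':'..'@' pass the range test but are not hex
            return None
        c[i] = a_i - b_i                              # Ci = Ai - Bi, stored at [4*esi+0049E3FC]
    return c


def check_constraints(c, constraints=CONSTRAINTS):
    """Evaluate each 'Cx+Cy+...=HEX' sum (the add/cmp chains from 004998EE
    onward) and return the equations that do NOT hold; [] means all pass."""
    failed = []
    for eq in constraints:
        lhs, rhs = eq.split("=")
        idx = [int(term[1:]) for term in lhs.split("+")]
        if sum(c[i] for i in idx) != int(rhs, 16):
            failed.append(eq)
    return failed


if __name__ == "__main__":
    c = derive_c(NAME, CODE)
    print("C1..C14 =", [c[i] for i in range(1, 15)])
    print("unsatisfied:", check_constraints(c))
```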
4. The keygen can be written as follows (compiled as C++):
#include <iostream>
#include <string>
using namespace std;

int main()
{
    cout << "please input your name:\n";
    string name;
    cin >> name;
    if (name.size() < 5)               // the scheme only uses the first five characters
    {
        cout << "name must be at least 5 characters\n";
        return 1;
    }
    int acsname[5], i;
    for (i = 0; i < 5; i++)
    {
        acsname[i] = name[i];          // take the ASCII codes of the name
    }
    int code[16];
    code[0] = acsname[0] - 3;
    code[1] = acsname[1] - 8;
    code[2] = acsname[2];
    code[3] = acsname[3] - 2;
    code[4] = acsname[4] - 5;
    code[5] = acsname[0] - 1;
    code[6] = acsname[1] - 9;
    code[7] = acsname[2] - 7;
    code[8] = acsname[3] - 3;
    code[9] = acsname[4] - 6;
    code[10] = acsname[0] - 1;
    code[11] = acsname[1];
    code[12] = acsname[2] - 4;
    code[13] = acsname[3] - 2;
    code[14] = 88;
    code[15] = 88;                     // subtract Ci
    int divide[16], mode[16];
    for (i = 0; i < 16; i++)
    {
        divide[i] = code[i] / 16;      // high nibble
        mode[i] = code[i] % 16;        // low nibble
    }
    cout << "the regcode is:";
    for (i = 0; i < 16; i++)
    {
        cout << divide[i];             // high nibble of a printable ASCII code is 0..7
        switch (mode[i])
        {
        case 10: cout << 'A'; break;
        case 11: cout << 'B'; break;
        case 12: cout << 'C'; break;
        case 13: cout << 'D'; break;
        case 14: cout << 'E'; break;
        case 15: cout << 'F'; break;
        default: cout << mode[i];
        }
    }                                  // print as hexadecimal
    cout << "\n";
    return 0;
}
A newbie's humble write-up; corrections from the experts are welcome, many thanks.