// S-DEMO2 CODE ANALYSIS BY JMZZ 2002.06.25
1: use w32dasm to find "Register failure!"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403682(C)
|
:0040374A 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Register Failure!"
|
:0040374C 689CD24100 push 0041D29C
:00403751 8BCD mov ecx, ebp
2: goto 00403682 ,look up
:00403672 51 push ecx
:00403673 52 push edx
:00403674 B9C0E74200 mov ecx, 0042E7C0
:00403679 E8D24C0000 call 00408350 ====> track into
:0040367E 85C0 test eax, eax
:00403680 6A00 push 00000000
:00403682 0F84C2000000 je 0040374A
:00403688 8D8C24A8000000 lea ecx, dword ptr [esp+000000A8]
3:
* Referenced by a CALL at Addresses:
|:00403679 , :004044DB , :00404F7B
|
:00408350 81EC34010000 sub esp, 00000134
:00408356 53 push ebx
:00408357 55 push ebp
:00408358 56 push esi
:00408359 8BF1 mov esi, ecx
:0040835B 57 push edi
:0040835C 89742410 mov dword ptr [esp+10], esi
* Reference To: MFC42.Ordinal:0490, Ord:0490h
|
:00408360 E8A9960000 Call 00411A0E
:00408365 8B8C2448010000 mov ecx, dword ptr [esp+00000148]
:0040836C 8B4004 mov eax, dword ptr [eax+04]
* Reference To: MSVCRT.sprintf, Ord:02B2h
|
:0040836F 8B2DC0934100 mov ebp, dword ptr [004193C0]
:00408375 81C6D4000000 add esi, 000000D4
:0040837B 56 push esi
:0040837C 51 push ecx
:0040837D 8D942484000000 lea edx, dword ptr [esp+00000084]
* Possible StringData Ref from Data Obj ->"%s%s"
|
:00408384 68C0D44100 push 0041D4C0
:00408389 52 push edx
:0040838A 89442424 mov dword ptr [esp+24], eax
:0040838E FFD5 call ebp
// strcat(Name,ID)
:00408390 8B9C245C010000 mov ebx, dword ptr [esp+0000015C]
:00408397 83C9FF or ecx, FFFFFFFF
:0040839A 8BFB mov edi, ebx
:0040839C 33C0 xor eax, eax
:0040839E F2 repnz
:0040839F AE scasb
:004083A0 F7D1 not ecx
:004083A2 2BF9 sub edi, ecx
:004083A4 8D542428 lea edx, dword ptr [esp+28]
:004083A8 8BC1 mov eax, ecx
:004083AA 8BF7 mov esi, edi
:004083AC 8BFA mov edi, edx
:004083AE C1E902 shr ecx, 02
:004083B1 F3 repz
:004083B2 A5 movsd
:004083B3 8BC8 mov ecx, eax
:004083B5 83E103 and ecx, 00000003
:004083B8 F3 repz
:004083B9 A4 movsb
:004083BA 8D8C248C000000 lea ecx, dword ptr [esp+0000008C]
:004083C1 51 push ecx
:004083C2 53 push ebx
:004083C3 E848FCFFFF call 00408010 ===> important ,track into
:004083C8 83C418 add esp, 00000018
* Possible StringData Ref from Data Obj ->"Clayman"
|
:004083CB BFD0D14100 mov edi, 0041D1D0
:004083D0 8BF3 mov esi, ebx
// strcmp(pCode,"Clayman")
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004083F4(C)
|
:004083D2 8A16 mov dl, byte ptr [esi]
:004083D4 8A0F mov cl, byte ptr [edi]
:004083D6 8AC2 mov al, dl
:004083D8 3AD1 cmp dl, cl
:004083DA 751E jne 004083FA
:004083DC 84C0 test al, al
:004083DE 7416 je 004083F6
:004083E0 8A4E01 mov cl, byte ptr [esi+01]
:004083E3 8A5701 mov dl, byte ptr [edi+01]
:004083E6 8AC1 mov al, cl
:004083E8 3ACA cmp cl, dl
:004083EA 750E jne 004083FA
:004083EC 83C602 add esi, 00000002
:004083EF 83C702 add edi, 00000002
:004083F2 84C0 test al, al
:004083F4 75DC jne 004083D2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004083DE(C)
|
:004083F6 33C0 xor eax, eax
:004083F8 EB05 jmp 004083FF
4: main code
// str[] = "FZRHK01WGTPQSAVC";
// "Guest"
// Code[]
// pCode[] // must be "Clayman"
// sCode[18]
* Referenced by a CALL at Addresses:
|:00407F39 , :00407F95 , :004083C3 , :00408428 , :0040862A
|
:00408010 81ECCC000000 sub esp, 000000CC
:00408016 8B9424D0000000 mov edx, dword ptr [esp+000000D0]
:0040801D 53 push ebx
:0040801E 55 push ebp
:0040801F 56 push esi
:00408020 57 push edi
:00408021 8BFA mov edi, edx
:00408023 83C9FF or ecx, FFFFFFFF
:00408026 33C0 xor eax, eax
:00408028 F2 repnz
:00408029 AE scasb
:0040802A F7D1 not ecx
// set code's len to ECX
// ECX = CodeLen + 1
:0040802C 2BF9 sub edi, ecx
:0040802E 8D5C2414 lea ebx, dword ptr [esp+14]
:00408032 8BC1 mov eax, ecx
:00408034 8BF7 mov esi, edi
:00408036 8BFB mov edi, ebx
:00408038 C1E902 shr ecx, 02
:0040803B F3 repz
:0040803C A5 movsd
:0040803D 8BC8 mov ecx, eax
:0040803F 33C0 xor eax, eax
:00408041 83E103 and ecx, 00000003
:00408044 F3 repz
:00408045 A4 movsb
// copy code to EDI = 0x0068dc78
:00408046 8D7C2414 lea edi, dword ptr [esp+14]
:0040804A 83C9FF or ecx, FFFFFFFF
:0040804D F2 repnz
:0040804E AE scasb
:0040804F F7D1 not ecx
:00408051 49 dec ecx
:00408052 8BF1 mov esi, ecx
// set code's len to ESI
:00408054 8A4C2414 mov cl, byte ptr [esp+14]
// set code's first char to CL
:00408058 89742410 mov dword ptr [esp+10], esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408068(C)
|
:0040805C 388828D54100 cmp byte ptr [eax+0041D528], cl
:00408062 7433 je 00408097 // must jmp (eax<0x10)
:00408064 40 inc eax
:00408065 83F810 cmp eax, 00000010
:00408068 7CF2 jl 0040805C
// set index of code first char in the str to EAX (EAX < 0x10)
// sCode[0] = a random char of str[]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040809A(C)
|
* Possible StringData Ref from Data Obj ->"!@#@#SDFG^*&"
|
:0040806A BF68D54100 mov edi, 0041D568
:0040806F 83C9FF or ecx, FFFFFFFF
:00408072 33C0 xor eax, eax
:00408074 F2 repnz
:00408075 AE scasb
:00408076 F7D1 not ecx
:00408078 2BF9 sub edi, ecx
:0040807A 8BC1 mov eax, ecx
:0040807C 8BF7 mov esi, edi
:0040807E 8BFA mov edi, edx
:00408080 C1E902 shr ecx, 02
:00408083 F3 repz
:00408084 A5 movsd
:00408085 8BC8 mov ecx, eax
:00408087 83E103 and ecx, 00000003
:0040808A F3 repz
:0040808B A4 movsb
:0040808C 5F pop edi
:0040808D 5E pop esi
:0040808E 5D pop ebp
:0040808F 5B pop ebx
:00408090 81C4CC000000 add esp, 000000CC
:00408096 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408062(C)
|
:00408097 83F810 cmp eax, 00000010
:0040809A 7DCE jge 0040806A
:0040809C 8B9C24E4000000 mov ebx, dword ptr [esp+000000E4]
:004080A3 BD0F000000 mov ebp, 0000000F
:004080A8 2BE8 sub ebp, eax
// set EBP = 0X0F - IdxCodeFirstCharInStr(EAX)
:004080AA 8BFB mov edi, ebx
:004080AC 83C9FF or ecx, FFFFFFFF
:004080AF 33C0 xor eax, eax
:004080B1 F2 repnz
:004080B2 AE scasb
:004080B3 F7D1 not ecx
:004080B5 49 dec ecx
// set NameIdLen to ECX
:004080B6 33D2 xor edx, edx
:004080B8 8BC1 mov eax, ecx
:004080BA B907000000 mov ecx, 00000007
:004080BF F7F1 div ecx
:004080C1 8BCA mov ecx, edx
// set (NameIdLen % 7) to ECX
:004080C3 85C9 test ecx, ecx
:004080C5 752B jne 004080F2
// if((NameIdLen % 7) == 0)
// {
// sorry, I did not see this code while I was tracing!
* Possible StringData Ref from Data Obj ->"Guest"
|
:004080C7 BF20D54100 mov edi, 0041D520
:004080CC 83C9FF or ecx, FFFFFFFF
:004080CF 33C0 xor eax, eax
:004080D1 F2 repnz
:004080D2 AE scasb
:004080D3 F7D1 not ecx
:004080D5 2BF9 sub edi, ecx
:004080D7 8BD1 mov edx, ecx
:004080D9 8BF7 mov esi, edi
:004080DB 8BFB mov edi, ebx
:004080DD C1E902 shr ecx, 02
:004080E0 F3 repz
:004080E1 A5 movsd
:004080E2 8BCA mov ecx, edx
:004080E4 83E103 and ecx, 00000003
:004080E7 F3 repz
:004080E8 A4 movsb
// copy "Guest" to EBX
:004080E9 8B742410 mov esi, dword ptr [esp+10]
:004080ED B905000000 mov ecx, 00000005
// }
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004080C5(C)
|
:004080F2 8BC5 mov eax, ebp
// set (0X0F - IdxCodeFirstCharInStr) to EAX
:004080F4 99 cdq
:004080F5 F7F9 idiv ecx
// EDX = EAX % ECX
// ECX = (NameIdLen % 7) ? (NameIdLen % 7) : 5 ;
// EBX = (NameIdLen % 7) ? NameId : "Guest"
// SET (0X0F - IdxCodeFirstCharInStr) % ECX to EDX
:004080F7 0FBE041A movsx eax, byte ptr [edx+ebx]
// SET EAX = (DWORD)[EBX+EDX]
:004080FB 250F000080 and eax, 8000000F
:00408100 7905 jns 00408107
:00408102 48 dec eax
:00408103 83C8F0 or eax, FFFFFFF0
:00408106 40 inc eax
// ???
// supports a portion of Chinese characters, or it is a bug
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408100(C)
|
:00408107 8A8828D54100 mov cl, byte ptr [eax+0041D528]
:0040810D 8A442415 mov al, byte ptr [esp+15]
:00408111 3AC8 cmp cl, al
:00408113 740A je 0040811F // must jmp
// sCode[1] = str[eax]
* Possible StringData Ref from Data Obj ->"99#SDFG^*&"
|
:00408115 BF5CD54100 mov edi, 0041D55C
:0040811A E9C5000000 jmp 004081E4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408113(C)
|
:0040811F 8D46FD lea eax, dword ptr [esi-03]
// eax = CodeLen - 3
:00408122 33FF xor edi, edi
:00408124 99 cdq
:00408125 2BC2 sub eax, edx
:00408127 D1F8 sar eax, 1
:00408129 85C0 test eax, eax
:0040812B 0F8E8F000000 jle 004081C0
:00408131 8D742416 lea esi, dword ptr [esp+16]
// ESI = &Code[2];
// for(;;) // 004081B6
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004081B6(C)
|
:00408135 8A5601 mov dl, byte ptr [esi+01]
// DL = Code[2+2*EAX+1]
:00408138 33C9 xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408146(C)
|
:0040813A 389128D54100 cmp byte ptr [ecx+0041D528], dl
:00408140 741C je 0040815E // must jmp (ecx <0x10)
:00408142 41 inc ecx
:00408143 83F910 cmp ecx, 00000010
:00408146 7CF2 jl 0040813A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408161(C)
|
:00408148 32D2 xor dl, dl
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00408173(C), :0040817A(U)
|
:0040814A 8A1E mov bl, byte ptr [esi]
// BL = Code[2+2*EAX+1]
:0040814C 33C9 xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040815A(C)
|
:0040814E 389928D54100 cmp byte ptr [ecx+0041D528], bl
:00408154 7426 je 0040817C // must jmp (ecx<0x10)
:00408156 41 inc ecx
:00408157 83F910 cmp ecx, 00000010
:0040815A 7CF2 jl 0040814E
:0040815C EB3A jmp 00408198
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408140(C)
|
:0040815E 83F910 cmp ecx, 00000010
:00408161 7DE5 jge 00408148
:00408163 2BCD sub ecx, ebp
:00408165 81C1803E0000 add ecx, 00003E80
:0040816B 8BD1 mov edx, ecx
:0040816D 81E20F000080 and edx, 8000000F
// edx = (ecx - ebp + 0x3e80) & 0x0f
:00408173 79D5 jns 0040814A
:00408175 4A dec edx
:00408176 83CAF0 or edx, FFFFFFF0
:00408179 42 inc edx
:0040817A EBCE jmp 0040814A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408154(C)
|
:0040817C 83F910 cmp ecx, 00000010
:0040817F 7D17 jge 00408198
:00408181 2BCD sub ecx, ebp
:00408183 81C1803E0000 add ecx, 00003E80
:00408189 81E10F000080 and ecx, 8000000F
// ecx = (ecx - ebp + 0x3e80) & 0x0f
:0040818F 7909 jns 0040819A
:00408191 49 dec ecx
:00408192 83C9F0 or ecx, FFFFFFF0
:00408195 41 inc ecx
:00408196 EB02 jmp 0040819A
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040815C(U), :0040817F(C)
|
:00408198 32C9 xor cl, cl
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040818F(C), :00408196(U)
|
:0040819A 8AD9 mov bl, cl
:0040819C 83C602 add esi, 00000002
:0040819F C0E304 shl bl, 04
:004081A2 02DA add bl, dl
:004081A4 8B9424E0000000 mov edx, dword ptr [esp+000000E0]
:004081AB 0FBEC9 movsx ecx, cl
:004081AE 881C17 mov byte ptr [edi+edx], bl
// pCode[edx] = (CL << 4) + DL
// pCode must be "Clayman".
:004081B1 03E9 add ebp, ecx
// important
// ebp += ecx
:004081B3 47 inc edi
:004081B4 3BF8 cmp edi, eax
:004081B6 0F8C79FFFFFF jl 00408135
:004081BC 8B742410 mov esi, dword ptr [esp+10]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040812B(C)
|
:004081C0 8D542EFD lea edx, dword ptr [esi+ebp-03]
:004081C4 81E20F000080 and edx, 8000000F
// edx = (esi + ebp - 3) & 0x8000000f
:004081CA 7905 jns 004081D1
:004081CC 4A dec edx
:004081CD 83CAF0 or edx, FFFFFFF0
:004081D0 42 inc edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004081CA(C)
|
:004081D1 8A4C3413 mov cl, byte ptr [esp+esi+13]
:004081D5 8A9A28D54100 mov bl, byte ptr [edx+0041D528]
:004081DB 3ACB cmp cl, bl
:004081DD 7432 je 00408211 // must jmp
// sCode last char
// sCode[16] = str[edx]
* Possible StringData Ref from Data Obj ->"45#SDFG^*&"
|
:004081DF BF50D54100 mov edi, 0041D550
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040811A(U)
|
:004081E4 83C9FF or ecx, FFFFFFFF
:004081E7 33C0 xor eax, eax
:004081E9 F2 repnz
:004081EA AE scasb
:004081EB F7D1 not ecx
:004081ED 2BF9 sub edi, ecx
:004081EF 8BD1 mov edx, ecx
:004081F1 8BF7 mov esi, edi
:004081F3 8BBC24E0000000 mov edi, dword ptr [esp+000000E0]
:004081FA C1E902 shr ecx, 02
:004081FD F3 repz
:004081FE A5 movsd
:004081FF 8BCA mov ecx, edx
:00408201 83E103 and ecx, 00000003
:00408204 F3 repz
:00408205 A4 movsb
:00408206 5F pop edi
:00408207 5E pop esi
:00408208 5D pop ebp
:00408209 5B pop ebx
:0040820A 81C4CC000000 add esp, 000000CC
:00408210 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004081DD(C)
|
:00408211 8B8C24E0000000 mov ecx, dword ptr [esp+000000E0]
:00408218 5F pop edi
:00408219 5E pop esi
:0040821A 5D pop ebp
:0040821B C6040800 mov byte ptr [eax+ecx], 00
// pCode[strlen(pCode)] = '\0'
:0040821F 5B pop ebx
:00408220 81C4CC000000 add esp, 000000CC
:00408226 C3 ret
标 题:S-DEMO2 KEY MAKE (MODIFY A BUG) (2千字)
发信人:jmzz003
时 间:2002-6-25 21:50:47
详细信息:
// Write by JMZZ 2002.06.24 (my Birthday)
// Modify a bug 2002.06.25
// I did not see the code from 004080C7 to 004080ED
// while I was tracing with SoftIce, sorry!
// A Name can have 16 Codes.
// Note: I did not test
// the length of Name.
// CODE : 1 + 1 + 2 * sizeof(str4) + 1
// The length of Code must be 17.
// The first char is a char in the str1.
// The second char is controlled by NameID or str2.
// The middle chars make pCode, pCode must be equal to str4.
// The last char is controlled by the total index(offset).
#include "stdio.h"
#include "string.h"
typedef unsigned char BYTE ;   // Win32-style byte alias used for every string buffer below
typedef unsigned long DWORD;   // Win32-style unsigned alias used for lengths and indices below
int main(void)
{
/* Reads a Name and an ID from stdin, then prints 16 candidate codes, one per
 * first character of str1 (the k loop).  Each code is assembled in sCode[] and
 * printed with "%s", so a NUL written into sCode[0] prints as an empty code. */
BYTE str1[]="FZRHK01WGTPQSAVC";   // 16-entry alphabet, always indexed by a value masked to 0..15
BYTE str2[]="Guest";              // fallback name used when NameIdLen % 7 == 0
BYTE str3[]="WARE\0\0\0\0Guest\0\0\0";   // 16 bytes + terminator; indexed by c (0..15) in the high-bit branch
BYTE str4[]="Clayman";            // its 7 characters drive the 14 middle characters of the code
BYTE Name[20] ="\0";
BYTE sCode[18]="\0";              // 17 code characters + terminator; sCode[17] is never written
BYTE Id[12] ="\0";
BYTE NameId[100];
BYTE c;
DWORD NameIdLen , Index , i, j, k, jEbx, jEdx;
printf("Input Name:");
// NOTE(review): "%s" has no field width, so input of 20 or more characters
// overflows Name (20 bytes); the same applies to Id (12 bytes) below.
scanf("%s",Name);
printf("Input ID:");
scanf("%s",Id);
strcpy(NameId,Name);
strcat(NameId,Id);
// Only strlen(Name) is measured; the ID length is assumed to be 11
// regardless of what was actually read into Id.
NameIdLen = strlen(Name) + 11; // IdLen = 11
for(k=0;k<16;k+=1)
{
sCode[0] = str1[k];   // first character: the k-th member of str1
Index= 15 - k;        // running offset; advanced by the high nibble of each str4 character below
i = NameIdLen % 7;
// if( i != 0)
// sCode[1]=str1[NameId[Index % i]&0x0f];
// else
// sCode[1]=str1[str2[Index % 5]&0x0f];
if( i != 0)
{
c = NameId[Index % i];
if((c & 0x80)==0x80) // support Chinese (high bit set)
{
// Precedence: binary '-' binds tighter than '&', so this is
// c & (0x8f - 1), i.e. c & 0x8e, then '| 0xf0', '+1', '& 0x0f'.
// The result is 0..15 and is used as an index into str3.
c = (((c & 0x8f - 1) | 0xf0) +1 ) & 0x0f;
if((c+1)%3 == 0)
sCode[0] = '\0';   // terminates the code at index 0, so this candidate prints empty
// part of sCode will be wrong!
// I don't understand this; if you know, please tell me!
// Email: leopard003@163.com
sCode[1] = str3[c];
}
else
sCode[1]=str1[c&0x0f];   // low nibble of the selected NameId byte picks from str1
}
else
sCode[1]=str1[str2[Index % 5]&0x0f];   // str2 has 5 characters
// Middle 14 characters: two per str4 character, high nibble first then low
// nibble, each offset by Index and reduced to a str1 index by '& 0x0f'.
for(i=0;i< 7; i+=1) // 7 = (CodeLen-3)/2 // CodeLen = 17
{
jEbx = (str4[i] & 0xf0)>>4;
j =(- 0x80 + Index + jEbx) & 0x0f ;   // Index is unsigned; only the low 4 bits survive the mask
sCode[2+2*i] = str1[j];
jEdx = str4[i] & 0x0f;
j =(- 0x80 + Index + jEdx) & 0x0f ;
sCode[2+2*i+1] = str1[j];
Index += jEbx;   // carry the high nibble forward into the next position
}
// i == 7 after the loop, so this writes sCode[16]; 17 is the code length and 3 the non-middle characters
sCode[2 + 2*i] = str1[(Index+17-3)&0x0f];
printf("Code= %s\n",sCode);
for(i=0;i<17;i+=1) sCode[i]='\0';   // clear the 17 code bytes before the next k
}
return 0;
}