您的位置:首页精文荟萃破解文章 → Slam!注册保护算法的分析

Slam!注册保护算法的分析

时间:2004/10/15 1:03:00来源:本站整理作者:蓝点我要评论(0)

 





 








软件名称: Slam!seeker1.0汉化版
工具:pw32dasmgold,Hiew32,trw2000.
这是个16位的软件,比较古老了点.所以pw32dasmgold反汇编代码看上去不太习惯.
**************************************************************************************
**************************************************************************************
运行后弹出一个注册框,随便输入注册码,trw2000设断bpx GETDLGITEMTEXT.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.8510(C)
|
:0001.8518 8B760E                 mov si, [bp+0E]
:0001.851B 56                     push si

* Possible Ref to Menu: WSLAMMENU, Item: "新游戏(N)"
                                 |
:0001.851C 6A64                   push 0064
:0001.851E 1E                     push ds
:0001.851F 68302E                 push 2E30
:0001.8522 6A40                   push 0040
:0001.8524 9AFFFF0000             call USER.GETDLGITEMTEXT  ---读入注册码
:0001.8529 803E302E00             cmp byte ptr [2E30], 00 ---是否为空
:0001.852E 7428                   je 8558          ----空则跳offset:8B4E
:0001.8530 E829FF                 call 845C        ----注册码检测的call
:0001.8533 0BC0                   or ax, ax
:0001.8535 7521                   jne 8558         
----可以跳过853F的MESSAGEBOX,用Hiew32改为je,仅是使输入任意错误注册码都不弹出失败提示框.
:0001.8537 56                     push si
:0001.8538 1E                     push ds
:0001.8539 680808                 push 0808
:0001.853C 50                     push ax
:0001.853D 50                     push ax
:0001.853E 50                     push ax
:0001.853F 9AEE110000             call USER.MESSAGEBOX  ----弹出"无效注册码"
:0001.8544 C606302E00             mov byte ptr [2E30], 00
:0001.8549 56                     push si

* Possible Ref to Menu: WSLAMMENU, Item: "新游戏(N)"
                                 |
:0001.854A 6A64                   push 0064
:0001.854C 1E                     push ds
:0001.854D 68302E                 push 2E30
:0001.8550 9AFFFF0000             call USER.SETDLGITEMTEXT
:0001.8555 EBAC                   jmp 8503
**************************************************************************************
**************************************************************************************
16位的软件,怪异,试试去掉nag,注册框nag是个DIALOGBOX

由pw32dasmgold反汇编知有三处代码调用了USER.DIALOGBOX,如下:
第一处:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0001.0928(U), :0001.09D0(U)
|
:0001.088C FF760E                 push word ptr [bp+0E]
:0001.088F 52                     push dx
:0001.0890 50                     push ax
:0001.0891 8BFA                   mov di, dx
:0001.0893 9ADE080000             call USER.DIALOGBOX
:0001.0898 57                     push di
:0001.0899 56                     push si
:0001.089A 9AEA080000             call KERNEL.FREEPROCINSTANCE

第二处:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.0816(C)
|
:0001.08B0 C7060A130100           mov word ptr [130A], 0001
:0001.08B6 680D09                 push SEG ADDR of Segment 0001
:0001.08B9 681A14                 push 141A
:0001.08BC FF36B812               push word ptr [12B8]
:0001.08C0 9A17090000             call KERNEL.MAKEPROCINSTANCE
:0001.08C5 8956FC                 mov [bp-04], dx
:0001.08C8 FF36B812               push word ptr [12B8]
:0001.08CC 1E                     push ds

* Possible Reference to Dialog: ANGLEBOX  
                                 |
:0001.08CD 687202                 push 0272
:0001.08D0 FF760E                 push word ptr [bp+0E]
:0001.08D3 52                     push dx
:0001.08D4 50                     push ax
:0001.08D5 89863AFF               mov [bp+FF3A], ax
:0001.08D9 89963CFF               mov [bp+FF3C], dx
:0001.08DD 9AFFFF0000             call USER.DIALOGBOX
:0001.08E2 8BF8                   mov di, ax
:0001.08E4 66FFB63AFF             push word ptr [bp+FF3A]
:0001.08E9 9AFFFF0000             call KERNEL.FREEPROCINSTANCE
:0001.08EE 0BFF                   or di, di
:0001.08F0 74AD                   je 089F
:0001.08F2 FF760E                 push word ptr [bp+0E]
:0001.08F5 666800000500           push 00050000

* Possible Reference to Dialog: REGISTRATIONINFO, CONTROL_ID:00FF, ""
                                 |
:0001.08FB 666AFF                 push FFFFFFFF
:0001.08FE 9A6B020000             call USER.POSTMESSAGE
:0001.0903 EB9A                   jmp 089F

第三处:
* Referenced by a CALL at Address:
|:0001.0F47
|
:0001.8572 C8040000               enter 0004, 00
:0001.8576 57                     push di
:0001.8577 56                     push si
:0001.8578 1E                     push ds

* Possible StringData Ref from Data Seg 002 ->"Wslam"
                                 |
:0001.8579 683308                 push 0833
:0001.857C 1E                     push ds

* Possible StringData Ref from Data Seg 002 ->"RegisID"
                                 |
:0001.857D 682B08                 push 082B
:0001.8580 1E                     push ds
:0001.8581 682A08                 push 082A
:0001.8584 1E                     push ds
:0001.8585 68302E                 push 2E30
:0001.8588 6A40                   push 0040
:0001.858A 1E                     push ds

* Possible StringData Ref from Data Seg 002 ->"wslam.ini"
                                 |
:0001.858B 682008                 push 0820
:0001.858E 9A4F160000             call KERNEL.GETPRIVATEPROFILESTRING
:0001.8593 E8C6FE                 call 845C   ----注册码检测的call
:0001.8596 0BC0                   or ax, ax
:0001.8598 7548                   jne 85E2   
----这个跳转可以跳过,offset:8BB8,用Hiew32改为je,一运行,爆破成功!去掉了注册框.
:0001.859A 683C5D                 push SEG ADDR of Segment 0001
:0001.859D 68E884                 push 84E8
:0001.85A0 FF36B812               push word ptr [12B8]
:0001.85A4 9A465D0000             call KERNEL.MAKEPROCINSTANCE  
----这儿下断点bpx MAKEPROCINSTANCE就能拦到下面那个弹出注册框的DIALOGBOX.
:0001.85A9 8BF0                   mov si, ax
:0001.85AB FF36B812               push word ptr [12B8]
:0001.85AF 1E                     push ds

* Possible Reference to Dialog: REGISTRATIONINFO  
                                 |
:0001.85B0 683908                 push 0839
:0001.85B3 FF7604                 push word ptr [bp+04]
:0001.85B6 52                     push dx
:0001.85B7 50                     push ax
:0001.85B8 8BFA                   mov di, dx
:0001.85BA 9A94080000             call USER.DIALOGBOX ---向上看有无跳过的地方.
:0001.85BF 57                     push di
:0001.85C0 56                     push si
:0001.85C1 9AD25D0000             call KERNEL.FREEPROCINSTANCE
:0001.85C6 E893FE                 call 845C
:0001.85C9 0BC0                   or ax, ax
:0001.85CB 7415                   je 85E2
:0001.85CD 1E                     push ds

* Possible StringData Ref from Data Seg 002 ->"Wslam"
                                 |
:0001.85CE 685C08                 push 085C
:0001.85D1 1E                     push ds

* Possible StringData Ref from Data Seg 002 ->"RegisID"
                                 |
:0001.85D2 685408                 push 0854
:0001.85D5 1E                     push ds
:0001.85D6 68302E                 push 2E30
:0001.85D9 1E                     push ds

* Possible StringData Ref from Data Seg 002 ->"wslam.ini"
                                 |
:0001.85DA 684A08                 push 084A
:0001.85DD 9A375E0000             call KERNEL.WRITEPRIVATEPROFILESTRING
-----------------------------------------------------------------------------
然后用trw2000拦截DIALOGBOX,设断bpx DIALOGBOX,试探各DIALOGBOX的作用.
:0001.0891 8BFA                   mov di, dx
:0001.0893 9ADE080000             call USER.DIALOGBOX 弹出菜单里的对话框.

:0001.85B8 8BFA                   mov di, dx
:0001.85BA 9A94080000             call USER.DIALOGBOX 弹出注册框.

:0001.08D9 89963CFF               mov [bp+FF3C], dx
:0001.08DD 9AFFFF0000             call USER.DIALOGBOX 功能不明.
-----------------------------------------------------------------------------
注册算法分析
-----注册码检测call 845C如下:
(如需动态分析,trw2000设断bpx GETDLGITEMTEXT,pmodule返回既是)
* Referenced by a CALL at Addresses:
|:0001.8530, :0001.8593, :0001.85C6
----------------------------
三个地方调用了注册码检测call,
:0001.8530,作用为验证输入的注册码
:0001.8593,程序启动时,用来判断是否弹出注册对话框
:0001.85C6,第二次验证输入的注册码,类似双重保险.
----------------------------
:0001.845C C8220000               enter 0022, 00
:0001.8460 57                     push di
:0001.8461 56                     push si
:0001.8462 33D2                   xor dx, dx
:0001.8464 8956FE                 mov [bp-02], dx  ----bp-02地址处双字节清零
:0001.8467 BE302E                 mov si, 2E30      -----2E30处存放了注册码
:0001.846A 3814                   cmp [si], dl  ---判断注册码第一位是否为零
:0001.846C 7426                   je 8494       ----为零则跳转
:0001.846E 8D7EDE                 lea di, [bp-22] ----bp-22的有效值给di

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.8492(C)
|-------下面是一个循环对注册码字符进行变换
:0001.8471 8D46FE                 lea ax, [bp-02] ----bp-02的有效值给ax
:0001.8474 3BF8                   cmp di, ax      ----比较di, ax
:0001.8476 731C                   jnb 8494       ----di>=ax则跳
:0001.8478 8A04                   mov al , [si]  ----注册码首字符ASCII码给al
:0001.847A 98                     cbw ---CBW 字节转换为字. (把AL中字节的符号扩展到AH中去)
:0001.847B 8BD8                   mov bx, ax    ----符号扩展后的注册码首字符给bx
:0001.847D F687FD0804             test byte ptr [bx+08FD], 04
:0001.8482 740A                   je 848E
:0001.8484 98                     cbw  
:0001.8485 2D3000                 sub ax, 0030    ----ax=ax-0030
:0001.8488 8905                   mov [di], ax    ----把ax赋给di所指地址处的值
:0001.848A 83C702                 add di, 0002    ----di=di+0002
:0001.848D 42                     inc dx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.8482(C)
|
:0001.848E 46                     inc si
:0001.848F 803C00                 cmp byte ptr [si], 00  ----判断注册码处理完毕否
:0001.8492 75DD                   jne 8471      ----没完跳回继续循环  
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0001.846C(C), :0001.8476(C)
|
:0001.8494 83FA10                 cmp dx, 0010    
----注册码位数与10(hex)即16(dec)比较,在这儿设断点bpx ****(每次运行不同):8494可拦下所有调用
:0001.8497 7C48                   jl 84E1   ------<=10则跳过下面一大段,直接返回.
------下面的bp-**都是注册码(设为a[i])经过变换后的相应值(设为a[i]')
:0001.8499 8B46E0                 mov ax, [bp-20]     ----注册码第二位变换值a[1]'给ax
:0001.849C F76EEA                 imul word ptr [bp-16]---a[1]'=a[1]'*a[6]'
:0001.849F F76EF4                 imul word ptr [bp-0C]---a[1]'=a[1]'*a[6]'*a[11]'
:0001.84A2 F76EF6                 imul word ptr [bp-0A]---a[1]'=a[1]'*a[6]'*a[11]'*a[12]'
:0001.84A5 8BC8                   mov cx, ax   ---cx=ax=a[1]'*a[6]'*a[11]'*a[12]'
:0001.84A7 8B46E4                 mov ax, [bp-1C]     ----注册码第四位变换值a[3]'给ax
:0001.84AA F76EE6                 imul word ptr [bp-1A]
:0001.84AD F76EF2                 imul word ptr [bp-0E]
:0001.84B0 F76EF8                 imul word ptr [bp-08]
:0001.84B3 03C8                   add cx, ax   
     ---cx=cx+ax=a[1]'*a[6]'*a[11]'*a[12]'+a[3]'*a[4]'*a[10]'*a[13]'
:0001.84B5 8B46EC                 mov ax, [bp-14]    ----注册码第八位变换值a[7]'给ax
:0001.84B8 F76EEE                 imul word ptr [bp-12]
:0001.84BB F76EF0                 imul word ptr [bp-10]
:0001.84BE F76EFC                 imul word ptr [bp-04]
:0001.84C1 03C8                   add cx, ax
---cx=cx+ax=a[1]'*a[6]'*a[11]'*a[12]'+a[3]'*a[4]'*a[10]'*a[13]'+a[7]'*a[8]'*a[9]'*a[15]'
:0001.84C3 8B46E2                 mov ax, [bp-1E]    ----注册码第三位变换值a[2]'给ax
:0001.84C6 F76EE8                 imul word ptr [bp-18]
:0001.84C9 F76EFA                 imul word ptr [bp-06]
:0001.84CC F76EDE                 imul word ptr [bp-22]
:0001.84CF 03C1                   add ax, cx
---ax=cx+ax=a[1]'*a[6]'*a[11]'*a[12]'+a[3]'*a[4]'*a[10]'*a[13]'+a[7]'*a[8]'*a[9]'*a[15]'+a[2]'*a[5]'*a[14]'*a[0]'
* Possible Ref to Menu: WSLAMMENU, Item: "帮助(H)..."
                                 |
:0001.84D1 B9F401                 mov cx, 01F4   ----cx=01F4
:0001.84D4 99                     cwd
:0001.84D5 F7F9                   idiv cx   
----------------------------------------------------
div 源(eax=eax/源,edx=余数)
IDIV    整数除法. 以上两条,结果回送:  
             商回送AL,余数回送AH, (字节运算);  
         或  商回送AX,余数回送DX, (字运算).  
----------------------------------------------------
:0001.84D7 83FA7F                 cmp dx, 007F    ----余数和007F比较
:0001.84DA 7505                   jne 84E1        ----不相等则失败
关键比较,offset:8AFA,用Hiew32改为je,OK了!
:0001.84DC C746FE0100             mov word ptr [bp-02], 0001 ---注册标志位置入

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0001.8497(C), :0001.84DA(C)
|
:0001.84E1 8B46FE                 mov ax, [bp-02]    ----ax存放注册标志位
:0001.84E4 5E                     pop si
:0001.84E5 5F                     pop di
:0001.84E6 C9                     leave
:0001.84E7 C3                     ret

总结:
注册码必须为16位
1.处理过程
[注册码ASCII码值+08FD]处值与04比较,不同则
注册码处理值=注册码ASCII码值-30(hex)

2.检验过程:
简化bp-**=**,所以bp-12下面写为12
22     20      1E      1C     1A      18     16     14     内存中的处理值
1      2       3       4      5       6      7      8      对应第i位注册码
a[0]' a[1]'   a[2]'   a[3]'  a[4]'   a[5]'  a[6]'   a[7]'  对应注册码处理值

12     10      0E       0C      0A       08      06       04
9      10      11       12      13       14      15       16
a[8]' a[9]'   a[10]'   a[11]'  a[12]'   a[13]'  a[14]'   a[15]'

令sum=a[1]'*a[6]'*a[11]'*a[12]'+a[3]'*a[4]'*a[10]'*a[13]'+a[7]'*a[8]'*a[9]'*a[15]'+a[2]'*a[5]'*a[14]'*a[0]'

sum%01F4与007F比较,相等则注册成功!
喜欢做注册机的话,就试试看吧!

    
    
     
    
    
     

相关阅读 Windows错误代码大全 Windows错误代码查询激活windows有什么用Mac QQ和Windows QQ聊天记录怎么合并 Mac QQ和Windows QQ聊天记录Windows 10自动更新怎么关闭 如何关闭Windows 10自动更新windows 10 rs4快速预览版17017下载错误问题Win10秋季创意者更新16291更新了什么 win10 16291更新内容windows10秋季创意者更新时间 windows10秋季创意者更新内容kb3150513补丁更新了什么 Windows 10补丁kb3150513是什么

文章评论
发表评论

热门文章 去除winrar注册框方法

最新文章 比特币病毒怎么破解 比去除winrar注册框方法 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)通过Access破解MSSQL获得数据

人气排行 华为无线路由器HG522-C破解教程(附超级密码JEB格式文件京东电子书下载和阅读限制破解教UltraISO注册码全集(最新)qq相册密码破解方法去除winrar注册框方法(适应任何版本)怎么用手机破解收费游戏华为无线猫HG522破解如何给软件脱壳基础教程