標 題:
【原創】用IDA做註冊機
作 者:
lnn1123
時 間:
2006-05-23,20:51:44
鏈 接:
http://bbs.pediy.com/showthread.php?t=26134
用IDA做註冊機
lnn1123/BCG/FCG 06.5
廢話:
前些天看國外的一些寫註冊機的文章,發現不少人喜歡用IDA反彙編後直接使用IDA反彙編出來的代碼,其實這個可能有很多人很早就在用了,
但是我使用的時候發現了一些問題.一般如果是像MD5,SHA等散列函數有變形的話,直接用IDA反彙編後的代碼是很好的,這樣就不需要去分析
變形在哪些地方.還有就是一般如blowfish,DES等,這種情況用IDA反彙編後會有很多數據,如blowfish的pbox,sbox,但是如果還是有變形
的話,用IDA也是不錯的.
IDA做註冊機的一些我認爲重要的地方
(1):變量一定要和IDA裏面的完全一樣,下面我舉例的Crackme裏用到DES算法,DES裏面數據很多也很容易出錯.
(2):變量定義的位置,這個最好和IDA裏一樣.
下面舉例用Nuke's tutorial1分析一下寫註冊機的步驟
[代碼分析 :]
.shrink:00402340 ; BOOL __stdcall DialogFunc(HWND,UINT,WPARAM,LPARAM)
.shrink:00402340 ; Dialog procedure of the crackme (IDA listing, reflowed one instruction per line).
.shrink:00402340 ; WM_INITDIALOG (110h): derives the "machine code" from the C: volume serial
.shrink:00402340 ;   and shows it in control 3E9h.
.shrink:00402340 ; WM_COMMAND (111h), control 3E8h: hex-decodes the typed serial (control 3ECh),
.shrink:00402340 ;   DES-decrypts it with the hard-coded 8-byte key built below, and compares the
.shrink:00402340 ;   result with the MD5 of the machine code truncated to 16 characters.
.shrink:00402340 ; The frame is an MSVC SEH frame (__except_handler3); the failure path is reached
.shrink:00402340 ; through a deliberate access violation, not through a normal branch.
.shrink:00402340 DialogFunc proc near ; DATA XREF: WinMain(x,x,x,x)+Co
.shrink:00402340
.shrink:00402340 var_D0 = dword ptr -0D0h ; hex-decoded serial (DES input), 52 bytes up to var_9C
.shrink:00402340 var_9C = byte ptr -9Ch ; decimal string of the machine code (_itoa output)
.shrink:00402340 String = byte ptr -68h ; typed serial (50 bytes), later overwritten by the DES output
.shrink:00402340 var_58 = byte ptr -58h ; = String+16: terminator cutting the DES output to 16 bytes
.shrink:00402340 var_34 = dword ptr -34h ; pointer returned by MD5_ComputerID
.shrink:00402340 var_30 = dword ptr -30h ; serial length, then decoded byte count
.shrink:00402340 lpText = dword ptr -2Ch
.shrink:00402340 var_28 = dword ptr -28h ; block index of the DES loop
.shrink:00402340 var_24 = byte ptr -24h ; start of the 8-byte DES key (var_24..var_1D)
.shrink:00402340 var_22 = byte ptr -22h
.shrink:00402340 var_21 = byte ptr -21h
.shrink:00402340 var_20 = byte ptr -20h
.shrink:00402340 var_1F = byte ptr -1Fh
.shrink:00402340 var_1E = byte ptr -1Eh
.shrink:00402340 var_1D = byte ptr -1Dh
.shrink:00402340 VolumeSerialNumber= dword ptr -1Ch ; volume serial, then (serial XOR 0ABCDE123h)
.shrink:00402340 var_18 = dword ptr -18h ; saved esp for the SEH __except block
.shrink:00402340 var_10 = dword ptr -10h ; previous fs:0 (SEH chain)
.shrink:00402340 var_4 = dword ptr -4 ; SEH try level (0 inside __try, -1 outside)
.shrink:00402340 hWnd = dword ptr 8
.shrink:00402340 arg_4 = dword ptr 0Ch ; uMsg
.shrink:00402340 arg_8 = word ptr 10h ; LOWORD(wParam) = control id
.shrink:00402340
.shrink:00402340 push ebp
.shrink:00402341 mov ebp, esp
.shrink:00402343 push 0FFFFFFFFh ; SEH frame: try level -1
.shrink:00402345 push offset unk_412580 ; SEH scope table
.shrink:0040234A push offset __except_handler3
.shrink:0040234F mov eax, large fs:0
.shrink:00402355 push eax ; link previous handler
.shrink:00402356 mov large fs:0, esp ; install this frame
.shrink:0040235D sub esp, 0C0h
.shrink:00402363 push ebx
.shrink:00402364 push esi
.shrink:00402365 push edi
.shrink:00402366 mov [ebp+var_18], esp ; esp restored here by the __except block (0040255D)
.shrink:00402369 mov [ebp+var_24], 1 ; DES key: the 8 bytes 1,9,8,0,9,1,7,0, hard-coded in the binary
.shrink:0040236D mov al, 9
.shrink:0040236F mov [ebp-23h], al ; key[1] (IDA shows no symbol for -23h)
.shrink:00402372 mov [ebp+var_22], 8
.shrink:00402376 mov [ebp+var_21], 0
.shrink:0040237A mov [ebp+var_20], al ; key[4] = 9
.shrink:0040237D mov [ebp+var_1F], 1
.shrink:00402381 mov [ebp+var_1E], 7
.shrink:00402385 mov [ebp+var_1D], 0
.shrink:00402389 mov ecx, 0Ch
.shrink:0040238E xor eax, eax
.shrink:00402390 lea edi, [ebp+String]
.shrink:00402393 rep stosd ; zero String: 12 dwords + 1 word = 50 bytes
.shrink:00402395 stosw
.shrink:00402397 mov ecx, 0Ch
.shrink:0040239C xor eax, eax
.shrink:0040239E mov edi, offset unk_417810
.shrink:004023A3 rep stosd ; zero a 50-byte global at unk_417810 (its use is not visible here)
.shrink:004023A5 stosw
.shrink:004023A7 mov [ebp+lpText], offset unk_4124D0 ; text of the "about" box (loc_40253F)
.shrink:004023AE mov eax, [ebp+arg_4]
.shrink:004023B1 sub eax, 110h ; WM_INITDIALOG
.shrink:004023B6 jz loc_402590
.shrink:004023BC dec eax ; WM_COMMAND (111h)?
.shrink:004023BD jnz short loc_4023DA ; any other message: return FALSE
.shrink:004023BF movzx eax, [ebp+arg_8] ; control id
.shrink:004023C3 dec eax ; id 1: close
.shrink:004023C4 jz loc_402582
.shrink:004023CA sub eax, 3E7h ; id 3E8h: check the serial
.shrink:004023CF jz short loc_4023EF
.shrink:004023D1 sub eax, 5 ; id 3EDh: about box
.shrink:004023D4 jz loc_40253F
.shrink:004023DA
.shrink:004023DA loc_4023DA: ; CODE XREF: DialogFunc+7Dj
.shrink:004023DA xor eax, eax ; return FALSE (message not handled)
.shrink:004023DC mov ecx, [ebp+var_10]
.shrink:004023DF mov large fs:0, ecx ; unlink the SEH frame
.shrink:004023E6 pop edi
.shrink:004023E7 pop esi
.shrink:004023E8 pop ebx
.shrink:004023E9 mov esp, ebp
.shrink:004023EB pop ebp
.shrink:004023EC retn 10h ; __stdcall: pop the 4 dword arguments
.shrink:004023EF ; ----------------------------------------------------------------------------
.shrink:004023EF
.shrink:004023EF loc_4023EF: ; CODE XREF: DialogFunc+8Fj
.shrink:004023EF mov [ebp+var_4], 0 ; enter __try
.shrink:004023F6 lea eax, [ebp+var_24]
.shrink:004023F9 push eax ; key
.shrink:004023FA call DES_Key_Init ; cdecl: caller pops the argument below
.shrink:004023FF add esp, 4
.shrink:00402402 push 0 ; bSigned
.shrink:00402404 push 0 ; lpTranslated
.shrink:00402406 push 3E9h ; nIDDlgItem
.shrink:0040240B mov esi, [ebp+hWnd]
.shrink:0040240E push esi ; hDlg
.shrink:0040240F call ds:GetDlgItemInt ; read the machine code as shown in the dialog
.shrink:00402415 mov [ebp+VolumeSerialNumber], eax
.shrink:00402418 push 32h ; nMaxCount = 50, matches the cleared buffer size
.shrink:0040241A lea ecx, [ebp+String]
.shrink:0040241D push ecx ; lpString
.shrink:0040241E push 3ECh ; nIDDlgItem
.shrink:00402423 push esi ; hDlg
.shrink:00402424 call ds:GetDlgItemTextA ; read the typed serial
.shrink:0040242A lea eax, [ebp+String]
.shrink:0040242D lea edx, [eax+1]
.shrink:00402430
.shrink:00402430 loc_402430: ; CODE XREF: DialogFunc+F5j
.shrink:00402430 mov cl, [eax] ; inlined strlen(String)
.shrink:00402432 inc eax
.shrink:00402433 test cl, cl
.shrink:00402435 jnz short loc_402430
.shrink:00402437 sub eax, edx ; eax = length
.shrink:00402439 mov [ebp+var_30], eax
.shrink:0040243C test eax, eax
.shrink:0040243E jnz short loc_402464
.shrink:00402440 push eax ; uType = 0 (eax is 0 here)
.shrink:00402441 push offset Caption ; "warming!"
.shrink:00402446 push offset Text ; "please enter a serial" (Chinese string in the binary)
.shrink:0040244B mov edx, ds:hWnd
.shrink:00402451 push edx ; hWnd
.shrink:00402452 call ds:MessageBoxA
.shrink:00402458 mov [ebp+var_4], 0FFFFFFFFh ; leave __try
.shrink:0040245F jmp loc_4025E6
.shrink:00402464 ; ----------------------------------------------------------------------------
.shrink:00402464
.shrink:00402464 loc_402464: ; CODE XREF: DialogFunc+FEj
.shrink:00402464 lea eax, [ebp+var_D0]
.shrink:0040246A push eax ; output: decoded bytes
.shrink:0040246B lea ecx, [ebp+String]
.shrink:0040246E push ecx ; input: serial text
.shrink:0040246F call Hex_Serial ; hex text -> bytes; returns the byte count in eax
{
.shrink:00401080 ; Presumed C shape: int Hex_Serial(const char *s, BYTE *out)
.shrink:00401080 ; Decodes pairs of hex digits from s into out, skipping ' ' characters.
.shrink:00401080 ; Returns the number of bytes written. cdecl: the caller (DialogFunc) pops
.shrink:00401080 ; the 8 bytes of arguments together with the later calls (add esp, 18h).
.shrink:00401080 ; Clobbers: eax, ecx, edx; ebx/esi/edi/ebp are saved and restored.
.shrink:00401080 Hex_Serial proc near ; CODE XREF: DialogFunc+12Fp
.shrink:00401080
.shrink:00401080 arg_0 = dword ptr 10h ; s (offset counts the 3 pushes + return address)
.shrink:00401080 arg_4 = dword ptr 14h ; out
.shrink:00401080
.shrink:00401080 push ebx
.shrink:00401081 push esi
.shrink:00401082 push edi
.shrink:00401083 mov edi, [esp+arg_0] ; edi = s
.shrink:00401087 xor eax, eax ; eax = bytes written
.shrink:00401089 mov ecx, edi
.shrink:0040108B jmp short loc_401090
.shrink:0040108B ; ----------------------------------------------------------------------------
.shrink:0040108D align 10h
.shrink:00401090
.shrink:00401090 loc_401090: ; CODE XREF: Hex_Serial+Bj
.shrink:00401090 ; Hex_Serial+15j
.shrink:00401090 mov dl, [ecx] ; inlined strlen(s)
.shrink:00401092 inc ecx
.shrink:00401093 test dl, dl
.shrink:00401095 jnz short loc_401090
.shrink:00401097 sub ecx, edi
.shrink:00401099 dec ecx
.shrink:0040109A mov ebx, ecx ; ebx = len
.shrink:0040109C xor esi, esi ; esi = read index
.shrink:0040109E test ebx, ebx
.shrink:004010A0 jle loc_40114B ; empty input: return 0
.shrink:004010A6 push ebp
.shrink:004010A7 mov ebp, [esp+4+arg_4] ; ebp = out
.shrink:004010AB jmp short loc_4010B0
.shrink:004010AB ; ----------------------------------------------------------------------------
.shrink:004010AD align 10h
.shrink:004010B0
.shrink:004010B0 loc_4010B0: ; CODE XREF: Hex_Serial+2Bj
.shrink:004010B0 ; Hex_Serial+C4j
.shrink:004010B0 mov cl, [esi+edi] ; cl = first character of the pair
.shrink:004010B3 inc esi
.shrink:004010B4 cmp cl, 20h ; spaces are skipped
.shrink:004010B7 jz loc_401142
.shrink:004010BD cmp esi, ebx
.shrink:004010BF jge loc_40114A ; a trailing single digit is dropped
.shrink:004010C5 cmp cl, 30h
.shrink:004010C8 mov dl, [esi+edi] ; dl = second character of the pair
.shrink:004010CB jl short loc_4010D7
.shrink:004010CD cmp cl, 39h
.shrink:004010D0 jg short loc_4010D7
.shrink:004010D2 sub cl, 30h ; '0'..'9' -> 0..9
.shrink:004010D5 jmp short loc_4010F8
.shrink:004010D7 ; ----------------------------------------------------------------------------
.shrink:004010D7
.shrink:004010D7 loc_4010D7: ; CODE XREF: Hex_Serial+4Bj
.shrink:004010D7 ; Hex_Serial+50j
.shrink:004010D7 cmp cl, 41h
.shrink:004010DA jl short loc_4010E6
.shrink:004010DC cmp cl, 46h
.shrink:004010DF jg short loc_4010E6
.shrink:004010E1 sub cl, 37h ; 'A'..'F' -> 10..15
.shrink:004010E4 jmp short loc_4010F8
.shrink:004010E6 ; ----------------------------------------------------------------------------
.shrink:004010E6
.shrink:004010E6 loc_4010E6: ; CODE XREF: Hex_Serial+5Aj
.shrink:004010E6 ; Hex_Serial+5Fj
.shrink:004010E6 cmp cl, 61h
.shrink:004010E9 jl short loc_4010F5
.shrink:004010EB cmp cl, 66h
.shrink:004010EE jg short loc_4010F5
.shrink:004010F0 sub cl, 57h ; 'a'..'f' -> 10..15
.shrink:004010F3 jmp short loc_4010F8
.shrink:004010F5 ; ----------------------------------------------------------------------------
.shrink:004010F5
.shrink:004010F5 loc_4010F5: ; CODE XREF: Hex_Serial+69j
.shrink:004010F5 ; Hex_Serial+6Ej
.shrink:004010F5 or cl, 0FFh ; not a hex digit: cl = 0FFh (-1 after movsx)
.shrink:004010F8
.shrink:004010F8 loc_4010F8: ; CODE XREF: Hex_Serial+55j
.shrink:004010F8 ; Hex_Serial+64j ...
.shrink:004010F8 cmp dl, 30h ; same classification for the second character
.shrink:004010FB movsx ecx, cl
.shrink:004010FE jl short loc_40110A
.shrink:00401100 cmp dl, 39h
.shrink:00401103 jg short loc_40110A
.shrink:00401105 sub dl, 30h
.shrink:00401108 jmp short loc_40112B
.shrink:0040110A ; ----------------------------------------------------------------------------
.shrink:0040110A
.shrink:0040110A loc_40110A: ; CODE XREF: Hex_Serial+7Ej
.shrink:0040110A ; Hex_Serial+83j
.shrink:0040110A cmp dl, 41h
.shrink:0040110D jl short loc_401119
.shrink:0040110F cmp dl, 46h
.shrink:00401112 jg short loc_401119
.shrink:00401114 sub dl, 37h
.shrink:00401117 jmp short loc_40112B
.shrink:00401119 ; ----------------------------------------------------------------------------
.shrink:00401119
.shrink:00401119 loc_401119: ; CODE XREF: Hex_Serial+8Dj
.shrink:00401119 ; Hex_Serial+92j
.shrink:00401119 cmp dl, 61h
.shrink:0040111C jl short loc_401128
.shrink:0040111E cmp dl, 66h
.shrink:00401121 jg short loc_401128
.shrink:00401123 sub dl, 57h
.shrink:00401126 jmp short loc_40112B
.shrink:00401128 ; ----------------------------------------------------------------------------
.shrink:00401128
.shrink:00401128 loc_401128: ; CODE XREF: Hex_Serial+9Cj
.shrink:00401128 ; Hex_Serial+A1j
.shrink:00401128 or dl, 0FFh ; not a hex digit: dl = 0FFh
.shrink:0040112B
.shrink:0040112B loc_40112B: ; CODE XREF: Hex_Serial+88j
.shrink:0040112B ; Hex_Serial+97j ...
.shrink:0040112B cmp ecx, 10h ; invalid-digit check that never fires: the sentinel is -1, not 10h,
.shrink:0040112B ; so a non-hex character is folded into the output byte as 0F0h/0Fh instead of stopping
.shrink:0040112E movsx edx, dl
.shrink:00401131 jz short loc_40114A
.shrink:00401133 cmp edx, 10h ; same dead check for the second digit
.shrink:00401136 jz short loc_40114A
.shrink:00401138 shl cl, 4
.shrink:0040113B add cl, dl ; cl = (hi << 4) + lo
.shrink:0040113D inc esi
.shrink:0040113E mov [eax+ebp], cl ; out[eax] = byte; no bound on out, the caller sizes it by nMaxCount
.shrink:00401141 inc eax
.shrink:00401142
.shrink:00401142 loc_401142: ; CODE XREF: Hex_Serial+37j
.shrink:00401142 cmp esi, ebx
.shrink:00401144 jl loc_4010B0 ; while (esi < len)
.shrink:0040114A
.shrink:0040114A loc_40114A: ; CODE XREF: Hex_Serial+3Fj
.shrink:0040114A ; Hex_Serial+B1j ...
.shrink:0040114A pop ebp
.shrink:0040114B
.shrink:0040114B loc_40114B: ; CODE XREF: Hex_Serial+20j
.shrink:0040114B pop edi
.shrink:0040114C pop esi
.shrink:0040114D pop ebx
.shrink:0040114E retn ; eax = number of bytes decoded
.shrink:0040114E Hex_Serial endp
}
.shrink:00402474 mov edi, eax ; edi = decoded byte count
.shrink:00402476 mov [ebp+var_30], edi
.shrink:00402479 push 0Ah ; radix 10
.shrink:0040247B lea edx, [ebp+var_9C]
.shrink:00402481 push edx ; char * (output)
.shrink:00402482 mov eax, [ebp+VolumeSerialNumber]
.shrink:00402485 push eax ; int (machine code)
.shrink:00402486 call __itoa ; decimal text of the machine code
.shrink:0040248B lea ecx, [ebp+var_9C]
.shrink:00402491 push ecx ; MD5_inBuffer
.shrink:00402492 call MD5_ComputerID ; returns a pointer to the MD5 hex string
.shrink:00402497 add esp, 18h ; pops Hex_Serial (8) + _itoa (0Ch) + MD5 (4) arguments
.shrink:0040249A mov ebx, eax
.shrink:0040249C mov [ebp+var_34], ebx
.shrink:0040249F mov byte ptr [ebx+10h], 0 ; keep only the first 16 characters of the MD5 string
.shrink:004024A3 xor esi, esi ; esi = block index
.shrink:004024A5
.shrink:004024A5 loc_4024A5: ; CODE XREF: DialogFunc+190j
.shrink:004024A5 mov [ebp+var_28], esi
.shrink:004024A8 mov eax, edi
.shrink:004024AA cdq ; blocks = edi / 8 (signed, rounded toward zero) + 1
.shrink:004024AB and edx, 7
.shrink:004024AE add eax, edx
.shrink:004024B0 sar eax, 3
.shrink:004024B3 inc eax ; one block more than the data needs; its output is cut off by var_58 below
.shrink:004024B4 cmp esi, eax
.shrink:004024B6 jge short loc_4024D2
.shrink:004024B8 push 1 ; mode: 0 = encrypt, 1 = decrypt
.shrink:004024BA lea edx, [ebp+esi*8+var_D0]
.shrink:004024C1 push edx ; DES_inBuffer: block esi of the decoded serial
.shrink:004024C2 lea eax, [ebp+esi*8+String]
.shrink:004024C6 push eax ; DES_outBuffer: written over the serial text
.shrink:004024C7 call DES ; one 8-byte block per call (cdecl)
.shrink:004024CC add esp, 0Ch
.shrink:004024CF inc esi
.shrink:004024D0 jmp short loc_4024A5
.shrink:004024D2 ; ----------------------------------------------------------------------------
.shrink:004024D2
.shrink:004024D2 loc_4024D2: ; CODE XREF: DialogFunc+176j
.shrink:004024D2 mov [ebp+var_58], 0 ; String[16] = 0: compare at most 16 bytes
.shrink:004024D6 lea esi, [ebp+String] ; esi = decrypted serial
.shrink:004024D9 mov eax, ebx ; eax = truncated MD5 string
.shrink:004024DB jmp short loc_4024E0
.shrink:004024DB ; ----------------------------------------------------------------------------
.shrink:004024DD align 10h
.shrink:004024E0
.shrink:004024E0 loc_4024E0: ; CODE XREF: DialogFunc+19Bj
.shrink:004024E0 ; DialogFunc+1BEj
.shrink:004024E0 mov dl, [eax] ; inlined strcmp, unrolled two bytes per iteration
.shrink:004024E2 mov cl, dl
.shrink:004024E4 cmp dl, [esi] ; MD5 byte vs decrypted byte
.shrink:004024E6 jnz short loc_402504
.shrink:004024E8 test cl, cl
.shrink:004024EA jz short loc_402500 ; both strings ended: equal
.shrink:004024EC mov dl, [eax+1]
.shrink:004024EF mov cl, dl
.shrink:004024F1 cmp dl, [esi+1]
.shrink:004024F4 jnz short loc_402504
.shrink:004024F6 add eax, 2
.shrink:004024F9 add esi, 2
.shrink:004024FC test cl, cl
.shrink:004024FE jnz short loc_4024E0
.shrink:00402500
.shrink:00402500 loc_402500: ; CODE XREF: DialogFunc+1AAj
.shrink:00402500 xor eax, eax ; 0 = match
.shrink:00402502 jmp short loc_402509
.shrink:00402504 ; ----------------------------------------------------------------------------
.shrink:00402504
.shrink:00402504 loc_402504: ; CODE XREF: DialogFunc+1A6j
.shrink:00402504 ; DialogFunc+1B4j
.shrink:00402504 sbb eax, eax ; CF of the failed cmp -> -1 or 0
.shrink:00402506 sbb eax, 0FFFFFFFFh ; -> -1 or +1: nonzero on mismatch
.shrink:00402509
.shrink:00402509 loc_402509: ; CODE XREF: DialogFunc+1C2j
.shrink:00402509 test eax, eax
.shrink:0040250B jnz short loc_402531
.shrink:0040250D push eax ; wLanguageId = 0
.shrink:0040250E push eax ; uType = 0
.shrink:0040250F push offset aSucceed ; "succeed"
.shrink:00402514 push offset aVSJGm ; success text (Chinese string in the binary, truncated in this dump)
.shrink:00402519 mov eax, ds:hWnd
.shrink:0040251E push eax ; hWnd
.shrink:0040251F call ds:MessageBoxExA
.shrink:00402525 mov [ebp+var_4], 0FFFFFFFFh ; leave __try
.shrink:0040252C jmp loc_4025E6
.shrink:00402531 ; ----------------------------------------------------------------------------
.shrink:00402531
.shrink:00402531 loc_402531: ; CODE XREF: DialogFunc+1CBj
.shrink:00402531 pusha ; mismatch: deliberately read address 0 so the access violation
.shrink:00402532 xor eax, eax ; is caught by the SEH frame installed in the prologue;
.shrink:00402534 mov ebx, [eax] ; the failure message lives in the handler path (0040255D)
.shrink:00402536 popa ; not reached
.shrink:00402537 nop
.shrink:00402538 mov [ebp+var_4], 0FFFFFFFFh ; falls into the about box only if the fault did not raise
.shrink:0040253F
.shrink:0040253F loc_40253F: ; CODE XREF: DialogFunc+94j
.shrink:0040253F push 0 ; uType
.shrink:00402541 push offset asc_41247C ; caption (truncated in this dump)
.shrink:00402546 mov ecx, [ebp+lpText]
.shrink:00402549 push ecx ; lpText = unk_4124D0
.shrink:0040254A push 0 ; hWnd
.shrink:0040254C call ds:MessageBoxA
.shrink:00402552 jmp loc_4025E6
.shrink:00402557 ; ----------------------------------------------------------------------------
.shrink:00402557 mov eax, 1 ; presumably the exception filter: EXCEPTION_EXECUTE_HANDLER
.shrink:0040255C retn
.shrink:0040255D ; ----------------------------------------------------------------------------
.shrink:0040255D mov esp, [ebp-18h] ; __except block: restore esp saved at 00402366
.shrink:00402560 push 0 ; uType
.shrink:00402562 push offset aWarning ; "Warning!"
.shrink:00402567 push offset aVSZ ; "registration failed" (Chinese string in the binary)
.shrink:0040256C mov edx, ds:hWnd
.shrink:00402572 push edx ; hWnd
.shrink:00402573 call ds:MessageBoxA
.shrink:00402579 mov [ebp+var_4], 0FFFFFFFFh
.shrink:00402580 jmp short loc_4025E6
.shrink:00402582 ; ----------------------------------------------------------------------------
.shrink:00402582
.shrink:00402582 loc_402582: ; CODE XREF: DialogFunc+84j
.shrink:00402582 push 0 ; nResult
.shrink:00402584 mov eax, [ebp+hWnd]
.shrink:00402587 push eax ; hDlg
.shrink:00402588 call ds:EndDialog
.shrink:0040258E jmp short loc_4025E6
.shrink:00402590 ; ----------------------------------------------------------------------------
.shrink:00402590
.shrink:00402590 loc_402590: ; CODE XREF: DialogFunc+76j
.shrink:00402590 push 6Ch ; lpIconName (resource id)
.shrink:00402592 mov ecx, ds:hInstance
.shrink:00402598 push ecx ; hInstance
.shrink:00402599 call ds:LoadIconA
.shrink:0040259F push eax ; lParam = icon
.shrink:004025A0 push 1 ; wParam = ICON_BIG
.shrink:004025A2 push 80h ; Msg = WM_SETICON
.shrink:004025A7 mov esi, [ebp+hWnd]
.shrink:004025AA push esi ; hWnd
.shrink:004025AB call ds:SendMessageA
.shrink:004025B1 push 0 ; nFileSystemNameSize
.shrink:004025B3 push 0 ; lpFileSystemNameBuffer
.shrink:004025B5 push 0 ; lpFileSystemFlags
.shrink:004025B7 push 0 ; lpMaximumComponentLength
.shrink:004025B9 lea edx, [ebp+VolumeSerialNumber]
.shrink:004025BC push edx ; lpVolumeSerialNumber
.shrink:004025BD push 0 ; nVolumeNameSize
.shrink:004025BF push 0 ; lpVolumeNameBuffer
.shrink:004025C1 push offset RootPathName ; "C://"
.shrink:004025C6 call ds:GetVolumeInformationA ; return value is not checked; on failure the
.shrink:004025C6 ; machine code is derived from whatever VolumeSerialNumber held
.shrink:004025CC mov eax, [ebp+VolumeSerialNumber]
.shrink:004025CF xor eax, 0ABCDE123h ; machine code = volume serial XOR constant (a reversible
.shrink:004025CF ; transform; the volume serial changes when C: is reformatted)
.shrink:004025D4 mov [ebp+VolumeSerialNumber], eax
.shrink:004025D7 push 0 ; bSigned
.shrink:004025D9 push eax ; uValue
.shrink:004025DA push 3E9h ; nIDDlgItem
.shrink:004025DF push esi ; hDlg
.shrink:004025E0 call ds:SetDlgItemInt ; display the machine code
.shrink:004025E6
.shrink:004025E6 loc_4025E6: ; CODE XREF: DialogFunc+11Fj
.shrink:004025E6 ; DialogFunc+1ECj ...
.shrink:004025E6 mov eax, 1 ; return TRUE
.shrink:004025EB mov ecx, [ebp+var_10]
.shrink:004025EE mov large fs:0, ecx ; unlink the SEH frame
.shrink:004025F5 pop edi
.shrink:004025F6 pop esi
.shrink:004025F7 pop ebx
.shrink:004025F8 mov esp, ebp
.shrink:004025FA pop ebp
.shrink:004025FB retn 10h
.shrink:004025FB DialogFunc endp
[代碼分析 :] --End
算法就是:
a = DES_De(Serial, key=1,9,8,0,9,1,7,0)
b = MD5(機器碼) 的前16個字節
if (a == b) msg("success!") else msg("wrong!")
所以 Serial = DES_En(b, key=1,9,8,0,9,1,7,0)
因爲我這裏有MD5的彙編代碼,所以直接用IDA提取DES代碼就可以了
.shrink:004024B8 push 1 ; mode: 0 = encrypt, 1 = decrypt
.shrink:004024BA lea edx, [ebp+esi*8+var_D0] ; block esi of the hex-decoded serial
.shrink:004024C1 push edx ; DES_inBuffer
.shrink:004024C2 lea eax, [ebp+esi*8+String] ; block esi of the output
.shrink:004024C6 push eax ; DES_outBuffer
.shrink:004024C7 call DES ; cdecl; the caller pops 0Ch bytes after the call
這就是調用DES的代碼,所以只要跟進這個call把這個call裏面所有的代碼和數據弄出來放在一個文件裏整理一下就可以了
下面是我整理的一些變量(DES需要的ip,pc等都不在內)
; Uninitialised working storage and pointer table used by DES_Key_Init (sub_401A40)
; and DES (sub_402050), as laid out by IDA. The XREF comments show which routine
; reads (r) / writes (w) / takes the address of (o) each cell; the byte counts and
; the relative order must be kept exactly, since the extracted code addresses
; neighbouring cells by fixed offsets (see point (1) above).
off_415088 dd offset unk_417DBC ; DATA XREF: sub_401A40+8Ar
off_41508C dd offset byte_417DA0 ; DATA XREF: sub_401A40+84r
off_415090 dd offset unk_417E50 ; DATA XREF: DES+A6r
off_415094 dd offset byte_417E30 ; DATA XREF: DES+A1r
unk_417890 db 02D0h dup (?) ; 720 bytes
unk_417B60 db 030h dup (?) ; 48 bytes
unk_417B90 db 10h dup (?) ; 16 bytes
byte_417BA0 db ? ; DATA XREF: sub_401A40+44w
; sub_401A40+95o ...
byte_417BA1 db ? ; DATA XREF: sub_401A40+57w
; sub_401A40+180w ...
byte_417BA2 db ? ; DATA XREF: sub_401A40+6Aw
; sub_401A40+193w ...
byte_417BA3 db ? ; DATA XREF: sub_401A40+76w
; sub_401A40+1A6w ...
byte_417BA4 db ? ; DATA XREF: sub_401A40+1B9w
; sub_401E50+66w
byte_417BA5 db ? ; DATA XREF: sub_401A40+1CCw
unk_417CA0 db 0feh dup ( ? ) ; 254 bytes ; DATA XREF: sub_401A40+C5o
byte_417D9F db ?
byte_417DA0 db ? ; DATA XREF: sub_401A40+22w
db ? ; 27 unnamed bytes follow byte_417DA0 (1Ch bytes up to unk_417DBC)
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
db ?
unk_417DBC db 024h dup (?) ; 36 bytes
byte_417DE0 db ? ; DATA XREF: sub_401E50+88o
; sub_401E50+93o ...
byte_417DE1 db ? ; DATA XREF: sub_401E50+AFr
; sub_401E50+C7w
byte_417DE2 db ? ; DATA XREF: sub_401E50+C1r
; sub_401E50+D9w
byte_417DE3 db ? ; DATA XREF: sub_401E50+D3r
; sub_401E50+EBw
byte_417DE4 db ? ; DATA XREF: sub_401E50+E5r
; sub_401E50+FDw
byte_417DE5 db 02Bh dup (?) ; 43 bytes
unk_417E10 db 01Fh dup (?) ; 31 bytes
byte_417E2F db ?
byte_417E30 db 020h dup (?) ; 32 bytes
unk_417E50 db 020h dup (?) ; 32 bytes
下面把DES需要的數據全部弄出來,再把代碼部分弄出來就OK了(附件裏包括完整的DES代碼)
調用這樣就可以了
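; Calling the extracted routines. Both are cdecl: in the crackme the caller pops the
; arguments itself (add esp, 4 at 004023FF; add esp, 0Ch at 004024CC). The original
; snippet left out both adjustments, so every invocation leaked 16 bytes of stack.
; DES handles one 8-byte block per call; the crackme calls it once per block in the
; loop at 004024A5.
lea eax, key ; key = the 8 key bytes, laid out as var_24..var_1D in DialogFunc
push eax
call sub_401A40 ;DES_Key_Init
add esp, 4 ; cdecl: pop the 1 argument
push 0 ; mode 0 = encrypt (the crackme passes 1 to decrypt)
lea edx, hash1
push edx ;InBuffer
lea eax, string2
push eax ;OutBuffer
call sub_402050 ;DES
add esp, 0Ch ; cdecl: pop the 3 arguments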
這樣註冊機就做好了,簡單吧 ~
參考了 x3chun,bLaCk-eye等一些人的方法 感謝他們!