Seeing mlskin off on its final journey
This post was last edited by popsky on 2020-7-18 09:25. First of all, thanks to @冥界3大法王 for the crack write-up; through it I learned that Delphi has a rather nice skin control.
Crack write-up: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1219210
After reading the write-up carefully, I still felt the procedure was too complicated for a newbie like me.
So, in the spirit of us 52pojie newbies, let's see it off on its final journey.
Download and install the control, run it, and it shows the following:
Sure enough, it wants money. Probably because this is the latest version, it differs from the screenshots in the original write-up.
Set a breakpoint: bp UpdateWindow
Once it breaks, execute till return.
00683687|.50 PUSH EAX ; /hWnd
00683688|.E8 472ED9FF CALL <JMP.&user32.UpdateWindow> ; \UpdateWindow
0068368D|.6A 03 PUSH 3 ; /Flags = SWP_NOSIZE|SWP_NOMOVE
0068368F|.6A 00 PUSH 0 ; |Height = 0
00683691|.6A 00 PUSH 0 ; |Width = 0
00683693|.6A 00 PUSH 0 ; |Y = 0
00683695|.6A 00 PUSH 0 ; |X = 0
00683697|.6A FF PUSH -1 ; |InsertAfter = HWND_TOPMOST
00683699|.8B45 FC MOV EAX,DWORD PTR SS: ; |
0068369C|.50 PUSH EAX ; |hWnd
0068369D|.E8 B22DD9FF CALL <JMP.&user32.SetWindowPos> ; \SetWindowPos
Find the start of the procedure.
Local call from 00684441
Ctrl+G, jump to 00684441
Scroll up.
00684354 .68 B4446800 PUSH Project1.006844B4 ;UNICODE "Key"
00684359 .68 BC446800 PUSH Project1.006844BC ;UNICODE "TestData"
0068435E .8B0D 34166D00 MOV ECX,DWORD PTR DS: ;Project1.00400000
By the looks of it, this is doing the KEY-related work.
Set a breakpoint at the function entry, execute till return.
0068439F .E8 9086DEFF CALL Project1.0046CA34 ;fetch the registered KEY
006843A4 .8D55 C0 LEA EDX,DWORD PTR SS:
006843A7 .8B45 F0 MOV EAX,DWORD PTR SS: ;"mlskindemo" into EAX
006843AA .E8 5101DAFF CALL Project1.00424500 ;convert the string mlskindemo to uppercase
006843AF .8B55 C0 MOV EDX,DWORD PTR SS:
006843B2 .B9 01000000 MOV ECX,1
006843B7 .B8 DC446800 MOV EAX,Project1.006844DC ;UNICODE "PUBLIC"
006843BC .E8 5B6ED8FF CALL Project1.0040B21C ;check whether the string starts with PUBLIC
006843C1 .85C0 TEST EAX,EAX
006843C3 .7E 2D JLE SHORT Project1.006843F2 ;if it doesn't start with PUBLIC, jump away
Reload and try again, this time manually changing the registration code to start with PUBLIC.
006843DA .E8 2101DAFF CALL Project1.00424500 ;lowercase to uppercase
006843DF .8B45 BC MOV EAX,DWORD PTR SS:
006843E2 .8B55 EC MOV EDX,DWORD PTR SS:
006843E5 .E8 16F9FFFF CALL Project1.00683D00 ;algorithm CALL
Step into 00683D00
00683D3B|.BA 643F6800 MOV EDX,Project1.00683F64 ;UNICODE "0000-0252-DA7A-3924-0C0B"
00683D40|.8B45 F0 MOV EAX,DWORD PTR SS:
00683D43|.8B08 MOV ECX,DWORD PTR DS:
00683D45|.FF51 3C CALL DWORD PTR DS:
00683D48|.BA A43F6800 MOV EDX,Project1.00683FA4 ;UNICODE "0000-025D-DD7D-3D20-EF2A"
00683D4D|.8B45 F0 MOV EAX,DWORD PTR SS:
00683D50|.8B08 MOV ECX,DWORD PTR DS:
00683D52|.FF51 3C CALL DWORD PTR DS:
00683D55|.BA E43F6800 MOV EDX,Project1.00683FE4 ;UNICODE "0000-0259-D979-3E20-0B0A"
00683D5A|.8B45 F0 MOV EAX,DWORD PTR SS:
00683D5D|.8B08 MOV ECX,DWORD PTR DS:
00683D5F|.FF51 3C CALL DWORD PTR DS:
00683D62|.BA 24406800 MOV EDX,Project1.00684024 ;UNICODE "0000-038B-CBBB-8743-1D2F"
00683D67|.8B45 F0 MOV EAX,DWORD PTR SS:
00683D6A|.8B08 MOV ECX,DWORD PTR DS:
00683D6C|.FF51 3C CALL DWORD PTR DS:
00683D6F|.BA 64406800 MOV EDX,Project1.00684064 ;UNICODE "0000-025B-DB7B-3F20-CB26"
00683D74|.8B45 F0 MOV EAX,DWORD PTR SS:
00683D77|.8B08 MOV ECX,DWORD PTR DS:
00683D79|.FF51 3C CALL DWORD PTR DS:
00683D7C|.BA A4406800 MOV EDX,Project1.006840A4 ;UNICODE "0000-0458-D879-3E2C-241D"
00683D81|.8B45 F0 MOV EAX,DWORD PTR SS:
00683D84|.8B08 MOV ECX,DWORD PTR DS:
00683D86|.FF51 3C CALL DWORD PTR DS:
00683D89|.BA E4406800 MOV EDX,Project1.006840E4 ;UNICODE "0000-03FA-FAFA-A763-EC4C"
00683D8E|.8B45 F0 MOV EAX,DWORD PTR SS:
00683D91|.8B08 MOV ECX,DWORD PTR DS:
00683D93|.FF51 3C CALL DWORD PTR DS:
00683D96|.BA 24416800 MOV EDX,Project1.00684124 ;UNICODE "0000-0260-E878-2824-98F6"
00683DDD|.B8 64416800 MOV EAX,Project1.00684164 ;UNICODE "public111"
00683DE2|.E8 1907DAFF CALL Project1.00424500
00683DE7|.8B55 E4 MOV EDX,DWORD PTR SS:
00683DEA|.58 POP EAX
00683DEB|.E8 E471D8FF CALL Project1.0040AFD4
00683DF0|.0F84 1D010000 JE Project1.00683F13
00683DF6|.8D55 E0 LEA EDX,DWORD PTR SS:
00683DF9|.8B45 FC MOV EAX,DWORD PTR SS:
00683DFC|.E8 FF06DAFF CALL Project1.00424500
00683E01|.8B45 E0 MOV EAX,DWORD PTR SS:
00683E04|.50 PUSH EAX
00683E05|.8D55 DC LEA EDX,DWORD PTR SS:
00683E08|.B8 84416800 MOV EAX,Project1.00684184 ;UNICODE "public192"
00683E0D|.E8 EE06DAFF CALL Project1.00424500
00683E12|.8B55 DC MOV EDX,DWORD PTR SS:
00683E15|.58 POP EAX
00683E16|.E8 B971D8FF CALL Project1.0040AFD4
00683E1B|.0F84 F2000000 JE Project1.00683F13
00683E21|.8D55 D8 LEA EDX,DWORD PTR SS:
00683E24|.8B45 FC MOV EAX,DWORD PTR SS:
00683E27|.E8 D406DAFF CALL Project1.00424500
00683E2C|.8B45 D8 MOV EAX,DWORD PTR SS:
00683E2F|.50 PUSH EAX
00683E30|.8D55 D4 LEA EDX,DWORD PTR SS:
00683E33|.B8 A4416800 MOV EAX,Project1.006841A4 ;UNICODE "public226"
00683E38|.E8 C306DAFF CALL Project1.00424500
00683E3D|.8B55 D4 MOV EDX,DWORD PTR SS:
00683E40|.58 POP EAX
00683E41|.E8 8E71D8FF CALL Project1.0040AFD4
00683E46|.0F84 C7000000 JE Project1.00683F13
00683E4C|.8D55 D0 LEA EDX,DWORD PTR SS:
00683E4F|.8B45 FC MOV EAX,DWORD PTR SS:
00683E52|.E8 A906DAFF CALL Project1.00424500
00683E57|.8B45 D0 MOV EAX,DWORD PTR SS:
00683E5A|.50 PUSH EAX
00683E5B|.8D55 CC LEA EDX,DWORD PTR SS:
00683E5E|.B8 C4416800 MOV EAX,Project1.006841C4 ;UNICODE "public167"
00683E63|.E8 9806DAFF CALL Project1.00424500
00683E68|.8B55 CC MOV EDX,DWORD PTR SS:
00683E6B|.58 POP EAX
00683E6C|.E8 6371D8FF CALL Project1.0040AFD4
00683E71|.0F84 9C000000 JE Project1.00683F13
00683E77|.8D55 C8 LEA EDX,DWORD PTR SS:
00683E7A|.8B45 FC MOV EAX,DWORD PTR SS:
00683E7D|.E8 7E06DAFF CALL Project1.00424500
00683E82|.8B45 C8 MOV EAX,DWORD PTR SS:
00683E85|.50 PUSH EAX
00683E86|.8D55 C4 LEA EDX,DWORD PTR SS:
00683E89|.B8 E4416800 MOV EAX,Project1.006841E4 ;UNICODE "public197"
00683E8E|.E8 6D06DAFF CALL Project1.00424500
00683E93|.8B55 C4 MOV EDX,DWORD PTR SS:
00683E96|.58 POP EAX
00683E97|.E8 3871D8FF CALL Project1.0040AFD4
00683E9C|.74 75 JE SHORT Project1.00683F13
00683E9E|.8D55 C0 LEA EDX,DWORD PTR SS:
00683EA1|.8B45 FC MOV EAX,DWORD PTR SS:
00683EA4|.E8 5706DAFF CALL Project1.00424500
00683EA9|.8B45 C0 MOV EAX,DWORD PTR SS:
00683EAC|.50 PUSH EAX
00683EAD|.8D55 BC LEA EDX,DWORD PTR SS:
00683EB0|.B8 04426800 MOV EAX,Project1.00684204 ;UNICODE "public1905110919500"
00683EB5|.E8 4606DAFF CALL Project1.00424500
00683EBA|.8B55 BC MOV EDX,DWORD PTR SS:
00683EBD|.58 POP EAX
00683EBE|.E8 1171D8FF CALL Project1.0040AFD4
00683EC3|.74 4E JE SHORT Project1.00683F13
00683EC5|.8D55 B8 LEA EDX,DWORD PTR SS:
00683EC8|.8B45 FC MOV EAX,DWORD PTR SS:
00683ECB|.E8 3006DAFF CALL Project1.00424500
00683ED0|.8B45 B8 MOV EAX,DWORD PTR SS:
00683ED3|.50 PUSH EAX
00683ED4|.8D55 B4 LEA EDX,DWORD PTR SS:
00683ED7|.B8 38426800 MOV EAX,Project1.00684238 ;UNICODE "public18070928440"
00683EDC|.E8 1F06DAFF CALL Project1.00424500
00683EE1|.8B55 B4 MOV EDX,DWORD PTR SS:
00683EE4|.58 POP EAX
00683EE5|.E8 EA70D8FF CALL Project1.0040AFD4
00683EEA|.74 27 JE SHORT Project1.00683F13
00683EEC|.8D55 B0 LEA EDX,DWORD PTR SS:
00683EEF|.8B45 FC MOV EAX,DWORD PTR SS:
00683EF2|.E8 0906DAFF CALL Project1.00424500
00683EF7|.8B45 B0 MOV EAX,DWORD PTR SS:
00683EFA|.50 PUSH EAX
00683EFB|.8D55 AC LEA EDX,DWORD PTR SS:
00683EFE|.B8 68426800 MOV EAX,Project1.00684268 ;UNICODE "public170516341"
The two sections above are a blacklist; presumably quite a few people have leaked their KEYs.
00683F1F|.E8 F0F4FFFF CALL Project1.00683414 ; algorithm CALL, step in
00683439|.E8 46FFFFFF CALL Project1.00683384 ;algorithm CALL, step in
Algorithm section:
006833CE|> /8B45 EC /MOV EAX,DWORD PTR SS: ;username into EAX
006833D1|. |8B55 F4 |MOV EDX,DWORD PTR SS: ;read position into EDX
006833D4|. |0FB64410 FF |MOVZX EAX,BYTE PTR DS: ;ASCII code at the current position into EAX
006833D9|. |0145 F0 |ADD DWORD PTR SS:,EAX ;add to the running ASCII sum (initially 0) and store
006833DC|. |FF45 F4 |INC DWORD PTR SS: ;read position + 1
006833DF|. |FF4D E8 |DEC DWORD PTR SS: ;counter - 1
006833E8|.52 PUSH EDX ;0
006833E9|.50 PUSH EAX ;computed result
006833EA|.8B45 F8 MOV EAX,DWORD PTR SS:
006833ED|.E8 5AFEFFFF CALL Project1.0068324C ;core algorithm
For the 0068324C algorithm I simply copied it out as assembly; below is the DELPHI code for the whole algorithm:
var
EBP1,EBP2,EBP3:Byte; //global variables
EBP8,EBPC,fanhui:DWORD; //global variables
function No1(str:string):DWORD;
var
i:Integer;
begin
Result:=0;
for i:=1 to Length(str) do
begin
Result:=Result+ord(str);
end;
end;
procedure xxx1;
asm
AND CL,$3F
CMP CL,$20
JL @Exit0
MOV EAX,EDX
XOR EDX,EDX
SHR EAX,CL
RETN
@Exit0:
SHRD EAX,EDX,CL
SHR EDX,CL
RETN
end;
procedure xxx;
ASM
PUSHAD
PUSHFD
XOR EAX,EAX
MOV AL,BYTE PTR SS:
MOV ECX,$19
XOR EDX,EDX
DIV ECX
MOV BYTE PTR SS:,DL
XOR EAX,EAX
MOV AL,BYTE PTR SS:
MOV ECX,3
XOR EDX,EDX
DIV ECX
MOV BYTE PTR SS:,DL
XOR EAX,EAX
MOV AL,BYTE PTR SS:
AND EAX,1
TEST EAX,EAX
JNZ @go1
MOV EAX,DWORD PTR SS:
MOV EDX,DWORD PTR SS:
MOV CL,BYTE PTR SS:
CALL xxx1
MOV EBX,EAX
AND BL,$0FF
MOV EAX,DWORD PTR SS:
MOV EDX,DWORD PTR SS:
MOV CL,BYTE PTR SS:
CALL xxx1
OR AL,BYTE PTR SS:
XOR BL,AL
MOV BYTE PTR SS:,BL
JMP @go2
@go1:
MOV EAX,DWORD PTR SS:
MOV EDX,DWORD PTR SS:
MOV CL,BYTE PTR SS:
CALL xxx1
MOV EBX,EAX
AND BL,$0FF
MOV EAX,DWORD PTR SS:
MOV EDX,DWORD PTR SS:
MOV CL,BYTE PTR SS:
CALL xxx1
AND AL,BYTE PTR SS:
XOR BL,AL
MOV BYTE PTR SS:,BL
@go2:
MOV AL,BYTE PTR SS:
POPFD
POPAD
RETN
end;
function XXX2(key2:string):string;
var
i:Integer;
ebpA,ebpC:Word;
EAX_EAX:Word;
begin
ebpA:=$56;
ebpC:=$0AF;
for i:=1 to Length(key2) do
begin
EAX_EAX:=ord(key2);
asm
MOV AX,EAX_EAX
ADD WORD PTR SS:,AX
CMP WORD PTR SS:,$0FF
JBE @GO1
SUB WORD PTR SS:,$0FF
@GO1:
MOV AX,WORD PTR SS:
ADD WORD PTR SS:,AX
CMP WORD PTR SS:,$0FF
JBE @GO2
SUB WORD PTR SS:,$0FF
@GO2:
end;
end;
Result:=IntToHex(ebpA,2)+IntToHex(ebpC,2);
end;
function MyKeyStr(UserName:String):string;
var
k:DWORD;
Key,key2:string;
i:Integer;
begin
k:=No1(AnsiUpperCase('public'+UserName));
key:=IntToHex(k,2);
EBP3:=$0C8;
EBP2:=3;
EBP1:=$18;
EBP8:=K;
EBPC:=0;
xxx;
i:=Length(Key);
while True do
begin
if i < 4 then
begin
Key:='0'+key;
inc(i);
end else Break;
end;
key2:=Key;
key:='0000-'+key+'-'+IntToHex(fanhui,2);
key2:='0000'+key2+IntToHex(fanhui,2);
EBP3:=$038;
EBP2:=0;
EBP1:=$0A;
EBP8:=K;
EBPC:=0;
xxx;
key:=Key+IntToHex(fanhui,2)+'-';
key2:=key2+IntToHex(fanhui,2);
EBP3:=$5B;
EBP2:=2;
EBP1:=$1;
EBP8:=K;
EBPC:=0;
xxx;
Key:=Key+IntToHex(fanhui,2);
key2:=key2+IntToHex(fanhui,2);
EBP3:=$64;
EBP2:=1;
EBP1:=$7;
EBP8:=K;
EBPC:=0;
xxx;
Key:=Key+IntToHex(fanhui,2)+'-';
key2:=key2+IntToHex(fanhui,2);
Result :=Key+XXX2(Key2);
end;
Not providing a keygen should count as a fairly harmonious thing, right?
Also, don't mock my naming, and don't mock my handsome loop construction.
Explained in one sentence: it got ugly.
Finally, some will ask: how exactly do you use this?
Well, observe more, and take a good look at the file in the directory: MlSkinKey.RES
Can't figure it out? Sorry, this write-up is not for freeloaders!!!
@涛之雨 our software really can be saved.
004A08BA|.C745 F4 01000>mov ,0x1
004A08C1|>8B45 EC /mov eax, ;the real algorithm begins
004A08C4|.8B55 F4 |mov edx,
004A08C7|.0FB64410 FF |movzx eax,byte ptr ds:
004A08CC|.0145 F0 |add ,eax
004A08CF|.FF45 F4 |inc
004A08D2|.FF4D E8 |dec
004A08D5|.^ 75 EA \jnz short Project1.004A08C1
004A08D7|>8B45 F0 mov eax, ;ASCII sum of PUBLIC225 is 258
004A08DA|.99 cdq
004A08DB|.52 push edx
004A08DC|.50 push eax
004A08DD|.8B45 F8 mov eax,
004A08E0|.E8 63FEFFFF call Project1.004A0748
004A08E5|.33C0 xor eax,eax
004A08E7|.5A pop edx
004A08E8|.59 pop ecx
004A08E9|.59 pop ecx
004A08EA|.64:8910 mov dword ptr fs:,edx
004A08ED|.68 02094A00 push Project1.004A0902
004A08F2|>8D45 EC lea eax,
004A08F5|.E8 563CF6FF call Project1.00404550
004A08FA\.C3 retn
The following generates the complete registration-code string:
004A0745 8D40 00 lea eax,dword ptr ds:
004A0748/$55 push ebp
004A0749|.8BEC mov ebp,esp
004A074B|.83C4 EC add esp,-0x14
004A074E|.33D2 xor edx,edx
004A0750|.8955 EC mov ,edx
004A0753|.8955 F0 mov ,edx
004A0756|.8945 FC mov ,eax
004A0759|.33C0 xor eax,eax
004A075B|.55 push ebp
004A075C|.68 61084A00 push Project1.004A0861
004A0761|.64:FF30 push dword ptr fs:
004A0764|.64:8920 mov dword ptr fs:,esp
004A0767|.FF75 0C push
004A076A|.FF75 08 push
004A076D|.B1 C8 mov cl,0xC8
004A076F|.B2 03 mov dl,0x3
004A0771|.B0 18 mov al,0x18
004A0773|.E8 98FEFFFF call Project1.004A0610
004A0778|.8845 F8 mov byte ptr ss:,al
004A077B|.FF75 0C push
004A077E|.FF75 08 push
004A0781|.B1 38 mov cl,0x38
004A0783|.33D2 xor edx,edx
004A0785|.B0 0A mov al,0xA
004A0787|.E8 84FEFFFF call Project1.004A0610
004A078C|.8845 F9 mov byte ptr ss:,al
004A078F|.FF75 0C push
004A0792|.FF75 08 push
004A0795|.B1 5B mov cl,0x5B
004A0797|.B2 02 mov dl,0x2
004A0799|.B0 01 mov al,0x1
004A079B|.E8 70FEFFFF call Project1.004A0610
004A07A0|.8845 FA mov byte ptr ss:,al
004A07A3|.FF75 0C push
004A07A6|.FF75 08 push
004A07A9|.B1 64 mov cl,0x64
004A07AB|.B2 01 mov dl,0x1
004A07AD|.B0 07 mov al,0x7
004A07AF|.E8 5CFEFFFF call Project1.004A0610
004A07B4|.8845 FB mov byte ptr ss:,al
004A07B7|.FF75 0C push
004A07BA|.FF75 08 push
004A07BD|.8B55 FC mov edx,
004A07C0|.B8 08000000 mov eax,0x8
004A07C5|.E8 0284F6FF call Project1.00408BCC
004A07CA|.33C0 xor eax,eax
004A07CC|.8945 F4 mov ,eax
004A07CF|>8D4D F0 /lea ecx,
004A07D2|.8B45 F4 |mov eax,
004A07D5|.0FB64405 F8 |movzx eax,byte ptr ss:
004A07DA|.BA 02000000 |mov edx,0x2
004A07DF|.E8 C083F6FF |call Project1.00408BA4
004A07E4|.8B55 F0 |mov edx,
004A07E7|.8B45 FC |mov eax,
004A07EA|.E8 2940F6FF |call Project1.00404818
004A07EF|.8B45 FC |mov eax,
004A07F2|.FF45 F4 |inc
004A07F5|.837D F4 04 |cmp ,0x4
004A07F9|.^ 75 D4 \jnz short Project1.004A07CF
004A07FB|.8D55 EC lea edx,
004A07FE|.8B45 FC mov eax,
004A0801|.8B00 mov eax,dword ptr ds:
004A0803|.E8 A4FEFFFF call Project1.004A06AC
004A0808|.8B55 EC mov edx,
004A080B|.8B45 FC mov eax,
004A080E|.E8 0540F6FF call Project1.00404818
004A0813|.8B45 FC mov eax,
004A0816|.8B45 FC mov eax,
004A0819|.8B00 mov eax,dword ptr ds:
004A081B|.E8 F03FF6FF call Project1.00404810
004A0820|.83E8 03 sub eax,0x3
004A0823|.8945 F4 mov ,eax
004A0826|.837D F4 01 cmp ,0x1
004A082A|.7E 1A jle short Project1.004A0846
004A082C|>8B55 FC /mov edx,
004A082F|.8B4D F4 |mov ecx,
004A0832|.B8 78084A00 |mov eax,Project1.004A0878 ;UNICODE "-"
004A0837|.E8 BC42F6FF |call Project1.00404AF8
004A083C|.836D F4 04 |sub ,0x4
004A0840|.837D F4 01 |cmp ,0x1
004A0844|.^ 7F E6 \jg short Project1.004A082C
004A0846|>33C0 xor eax,eax
004A0848|.5A pop edx ;0018F96C
004A0849|.59 pop ecx ;0018F96C
004A084A|.59 pop ecx ;0018F96C
004A084B|.64:8910 mov dword ptr fs:,edx
004A084E|.68 68084A00 push Project1.004A0868
004A0853|>8D45 EC lea eax,
004A0856|.BA 02000000 mov edx,0x2
004A085B|.E8 143DF6FF call Project1.00404574
004A0860\.C3 retn
Stack ds:=00305740, (ASCII "00000258D8783E20F507")0000-0258-D878-3E20-F507
eax=0018F9A4, (UNICODE "址0\t")
There's no need to look at the comparison that follows. Because this is a control, these key pieces of code may not sit at the same address in every program built with it, but they're all much the same. @popsky
Actually, my article has another two ways to patch it: search for the constants above that comparison; there are three places in total.
At the 1st, patching has no effect; at the second, it directly returns the registered status.
It's just that locating the DCU file in reverse at the end is really inconvenient to do.
Good article, learned something.
Compiling is easy, bookmarked. Turns out one set of registration codes was used for several years.
vipcrack posted on 2020-7-18 09:54:
> Compiling is easy, bookmarked. Turns out one set of registration codes was used for several years.
Then publishing it like this may not be such a good thing; the vendor will probably change the algorithm in the next version.
popsky posted on 2020-7-18 10:16:
> Then publishing it like this may not be such a good thing; the vendor will probably change the algorithm in the next version.
I basically don't write programs, so it makes no difference to me.
Nice.
Thanks to the OP for the excellent analysis.
Compiled a keygen from the ready-made source and tested it, no problems. But you're right, this algorithm probably can't be kept.
Came in to learn. So that's how the registration code is verified.
Saw myself @'d (or rather a friend saw it and PM'd me) and was totally baffled.
Thanks for sharing