XXXXXX算法分析、及注册机源码
本帖最后由 姐又寡闻了 于 2019-6-6 22:44 编辑【文章标题】: ImgConverter分析
【文章作者】: expasy
【作者邮箱】: expasy@sina.com
【软件名称】: ImgConverter
【软件介绍】:This program can convert images from up to 23 input formats to up to 18 output formats. To convert them, just drag and drop one or more image files into the program's main window.
【下载地址】:http://davidesperalta.com/download/imgconverter
就是这个软件:
--------------------------------------------------------------------------------
【详细过程】
1、查壳,delphi的,od载入,点击unregistered,输入信息:
user name:expasy
serial code:9887654321
2、od中下断点:
bp CallWindowProcW == 002F0526 && == 0D
其中002F0526是serial code的窗口句柄,F9,ok,断下来了
3、开始一步一步回溯到关键代码,每次回溯注意上下的条件跳
堆栈窗口是,
0012EF28 0049FD5D/CALL 到 CallWindowProcW 来自 ImgConve.0049FD58
0012EF2C 771A3DDA|PrevProc = comctl32.771A3DDA
0012EF30 002F0526|hWnd = 002F0526 (class='TEdit',parent=001E0504)
0012EF34 0000000D|Message = WM_GETTEXT
0012EF38 0000000B|Count = B (11.)
0012EF3C 020EF51C\Buffer = 020EF51C
----->来到0049FD5D
0049FD44|.50 push eax ; /lParam = 0x771A3DDA
0049FD45|.8B43 04 mov eax,dword ptr ds: ; |
0049FD48|.50 push eax ; |wParam = 0x771A3DDA
0049FD49|.57 push edi ; |Message = WM_GETTEXT
0049FD4A|.8B86 60020000 mov eax,dword ptr ds: ; |
0049FD50|.50 push eax ; |hWnd = 771A3DDA
0049FD51|.8B86 5C020000 mov eax,dword ptr ds: ; |comctl32.771A3DDA
0049FD57|.50 push eax ; |PrevProc = comctl32.771A3DDA
0049FD58|.E8 E3FDF6FF call <jmp.&user32.CallWindowProcW> ; \CallWindowProcW
0049FD5D|.8943 0C mov dword ptr ds:,eax ;comctl32.771A3DDA
---------->
004B696F .E8 0C93FEFF call ImgConve.0049FC80
004B6974 .83C4 10 add esp,0x10
---------->
0049B2FD|.FF51 EC call near dword ptr ds:
0049B300|>5F pop edi ;0012F154
---------->
0049FC5B .E8 E0B3FFFF call ImgConve.0049B040
0049FC60 .8B45 F8 mov eax,dword ptr ss:
---------->
0049AF38|.FF53 40 call near dword ptr ds: ;ImgConve.0049F6A8
0049AF3B|>8B45 FC mov eax,
---------->
0049AF50|.E8 BFFFFFFF call ImgConve.0049AF14
0049AF55|.5B pop ebx
---------->
00499956|.E8 ED150000 call ImgConve.0049AF48
0049995B\.C3 retn
---------->
00499A02|.E8 49FFFFFF call ImgConve.00499950
00499A07|.2BD8 sub ebx,eax
---------->
00695F06|.E8 C93AE0FF call ImgConve.004999D4
00695F0B|.8B45 FC mov eax,
00695F0E|.E8 EDF0FFFF call ImgConve.00695000
00695F13|.84C0 test al,al
00695F15|.74 30 je short ImgConve.00695F47
有点像了
这里下个断点,然后单步往下走,失败了,重新来,这里到这里,改跳转,ok显示成功,看来这里就是关键了,慢慢分析吧
00695F06|.E8 C93AE0FF call ImgConve.004999D4 ;取sn
00695F0B|.8B45 FC mov eax,
00695F0E|.E8 EDF0FFFF call ImgConve.00695000 ;关键call之1
00695F13|.84C0 test al,al
00695F15|.74 30 je short ImgConve.00695F47 ;sn满足一定条件才取name
00695F17|.8D55 F8 lea edx,
00695F1A|.8B83 A4030000 mov eax,dword ptr ds:
00695F20|.E8 AF3AE0FF call ImgConve.004999D4
00695F25|.8B45 F8 mov eax, ;kernel32.7C817080
00695F28|.50 push eax
00695F29|.8D55 F4 lea edx,
00695F2C|.8B83 9C030000 mov eax,dword ptr ds:
00695F32|.E8 9D3AE0FF call ImgConve.004999D4 ;取用户名
00695F37|.8B45 F4 mov eax, ;kernel32.7C839AD8
00695F3A|.B9 89720100 mov ecx,0x17289
00695F3F|.5A pop edx ;kernel32.7C817077
00695F40|.E8 5BF1FFFF call ImgConve.006950A0 ;关键call之2
00695F45|.8BF0 mov esi,eax
00695F47|>4E dec esi
00695F48|.75 3B jnz short ImgConve.00695F85 ;不能跳
00695F4A|.A1 18EE7B00 mov eax,dword ptr ds: ;这个是flag,2未注册,1已注册
00695F4F|.C700 01000000 mov dword ptr ds:,0x1
00695F55|.8D55 F0 lea edx,
00695F58|.8B83 A4030000 mov eax,dword ptr ds:
00695F5E|.E8 713AE0FF call ImgConve.004999D4
00695F63|.8B45 F0 mov eax,
00695F66|.50 push eax
00695F67|.8D55 EC lea edx,
00695F6A|.8B83 9C030000 mov eax,dword ptr ds:
00695F70|.E8 5F3AE0FF call ImgConve.004999D4
00695F75|.8B55 EC mov edx,
00695F78|.B8 C45F6900 mov eax,ImgConve.00695FC4 ;Software\David Esperalta\ImgConverter\Options\
00695F7D|.59 pop ecx ;kernel32.7C817077
00695F7E|.E8 8DF6FFFF call ImgConve.00695610
00695F83|.EB 0B jmp short ImgConve.00695F90
00695F85|>A1 18EE7B00 mov eax,dword ptr ds: ;flag
4、首先看下这个全局变量的flag吧
参考位于 ImgConve:.text 于 007BEE18
地址 反汇编 注释
00695F4A mov eax,dword ptr ds: 这个是flag,2未注册,1已注册
00695F85 mov eax,dword ptr ds: flag
006A3611 mov eax,dword ptr ds: =008133A0
006A3ADE mov eax,dword ptr ds: =008133A0
006A3BC3 mov eax,dword ptr ds: =008133A0
006A3C46 mov eax,dword ptr ds: =008133A0
006A4189 mov eax,dword ptr ds: (初始 CPU 选择)
可以每个都下断点分析,反正结果就是:2未注册,1已注册,并且初始是2,通过重启验证才会变成1
直接用这个flag就可以找到重启验证的地方,也可以直接爆破它
006A35D8|.E8 3321FFFF call ImgConve.00695710 ;重启验证,这里改了就爆破了
006A35DD|.84C0 test al,al
006A35DF 74 3B je short ImgConve.006A361C
006A35E1|.8D4D F4 lea ecx,
006A35E4|.BA BC366A00 mov edx,ImgConve.006A36BC ;About...
006A35E9|.8BB3 C0030000 mov esi,dword ptr ds:
006A35EF|.8BC6 mov eax,esi
006A35F1|.E8 F6C6F1FF call ImgConve.005BFCEC
006A35F6|.8B55 F4 mov edx, ;kernel32.7C839AD8
006A35F9|.8D4D F8 lea ecx,
006A35FC|.8BC6 mov eax,esi
006A35FE|.E8 E9C6F1FF call ImgConve.005BFCEC
006A3603|.8B55 F8 mov edx, ;kernel32.7C817080
006A3606|.8B83 AC030000 mov eax,dword ptr ds:
006A360C|.E8 1F64DFFF call ImgConve.00499A30
006A3611|.A1 18EE7B00 mov eax,dword ptr ds: ;又是flag吧
006A3616|.C700 01000000 mov dword ptr ds:,0x1
006A361C|>33C0 xor eax,eax
5、然后来看看算法吧,软件的注册验证和重启验证的是同一个函数,功能验证就是验证flag的值
进关键call 1,00695000
本地调用来自 006950E1, 00695F0E
发现call2会调用它,看来call 2才是关键的验证
然而这个call 1这关不过根本到不了call 2那个地方,所以先看call 1吧
00695000 <>/$55 push ebp ;关键call之1
00695001 |.8BEC mov ebp,esp
00695003 |.6A 00 push 0x0
00695005 |.6A 00 push 0x0
00695007 |.6A 00 push 0x0
00695009 |.53 push ebx
0069500A |.56 push esi
0069500B |.8BF0 mov esi,eax
0069500D |.33C0 xor eax,eax
0069500F |.55 push ebp
00695010 |.68 8F506900 push ImgConve.0069508F
00695015 |.64:FF30 push dword ptr fs:
00695018 |.64:8920 mov dword ptr fs:,esp
0069501B |.33DB xor ebx,ebx
0069501D |.8D55 FC lea edx,
00695020 |.8BC6 mov eax,esi ;szCode
00695022 |.E8 65FFFFFF call <ImgConve.FormatCode> ;去掉“-”符号,并且转大写
00695027 |.8B45 FC mov eax,
0069502A |.85C0 test eax,eax
0069502C |.74 05 je short ImgConve.00695033
0069502E |.83E8 04 sub eax,0x4
00695031 |.8B00 mov eax,dword ptr ds:
00695033 |>83F8 1C cmp eax,0x1C ;strlength(szCode) == 0x1C (28),sn长度判断
00695036 |.75 3C jnz short ImgConve.00695074
00695038 |.8D45 F8 lea eax,
0069503B |.50 push eax
0069503C |.B9 04000000 mov ecx,0x4
00695041 |.BA 19000000 mov edx,0x19
00695046 |.8B45 FC mov eax, ;szCode
00695049 |.E8 3638D7FF call <ImgConve.System.@UStrCopy> ;mid(eax,edx,ecx),取最后4位,szCode25_28
0069504E |.8D45 FC lea eax,
00695051 |.BA 18000000 mov edx,0x18
00695056 |.E8 E135D7FF call <ImgConve.System.@UStrSetLength> ;取前24位,szCode1_24
0069505B |.8D55 F4 lea edx,
0069505E |.8B45 FC mov eax,
00695061 |.E8 F2FDFFFF call <ImgConve.CalcSum_szCode> ;AscSum(szCode1_24+??)-->subxxx--->hex
00695066 |.8B55 F4 mov edx, ;kernel32.7C839AD8
00695069 |.8B45 F8 mov eax, ;szCode25_28 == ret_szCode1_24
0069506C |.E8 DB37D7FF call <ImgConve.System.@UStrEqual>
00695071 |.0F94C3 sete bl
00695074 |>33C0 xor eax,eax
00695076 |.5A pop edx ;kernel32.7C817077
00695077 |.59 pop ecx ;kernel32.7C817077
00695078 |.59 pop ecx ;kernel32.7C817077
00695079 |.64:8910 mov dword ptr fs:,edx ;ntdll.KiFastSystemCallRet
0069507C |.68 96506900 push ImgConve.00695096
00695081 |>8D45 F4 lea eax,
00695084 |.BA 03000000 mov edx,0x3
00695089 |.E8 F626D7FF call <ImgConve.System.@UStrArrayClr>
0069508E \.C3 retn
其中计算sncode的sum值的call
00694E58 <>/$55 push ebp ;CalcSum_szCode
00694E59 |.8BEC mov ebp,esp
00694E5B |.83C4 F8 add esp,-0x8
00694E5E |.53 push ebx
00694E5F |.56 push esi
00694E60 |.8955 F8 mov ,edx ;ntdll.KiFastSystemCallRet
00694E63 |.8945 FC mov ,eax
00694E66 |.8B45 FC mov eax,
00694E69 |.E8 9A29D7FF call <ImgConve.System.@UStrAddRef>
00694E6E |.33C0 xor eax,eax
00694E70 |.55 push ebp
00694E71 |.68 F34E6900 push ImgConve.00694EF3
00694E76 |.64:FF30 push dword ptr fs:
00694E79 |.64:8920 mov dword ptr fs:,esp
00694E7C |.66:BA 5600 mov dx,0x56
00694E80 |.66:B8 AF00 mov ax,0xAF
00694E84 |.8B4D FC mov ecx,
00694E87 |.85C9 test ecx,ecx
00694E89 |.74 05 je short ImgConve.00694E90
00694E8B |.83E9 04 sub ecx,0x4
00694E8E |.8B09 mov ecx,dword ptr ds: ;ntdll.7C92DCBA
00694E90 |>85C9 test ecx,ecx
00694E92 |.7E 31 jle short ImgConve.00694EC5
00694E94 |.85C9 test ecx,ecx
00694E96 |.7E 2D jle short ImgConve.00694EC5
00694E98 |.BB 01000000 mov ebx,0x1
00694E9D |>8B75 FC /mov esi, ;lea esi,
00694EA0 |.0FB6745E FE |movzx esi,byte ptr ds: ;依次取,由于是unicode编码所有*2
00694EA5 |.66:03C6 |add ax,si
00694EA8 |.66:3D FF00 |cmp ax,0xFF
00694EAC |.76 04 |jbe short ImgConve.00694EB2
00694EAE |.66:2D FF00 |sub ax,0xFF
00694EB2 |>66:03D0 |add dx,ax
00694EB5 |.66:81FA FF00 |cmp dx,0xFF
00694EBA |.76 05 |jbe short ImgConve.00694EC1
00694EBC |.66:81EA FF00 |sub dx,0xFF
00694EC1 |>43 |inc ebx ;AscSum()字符串的ascii码和
00694EC2 |.49 |dec ecx ;结果的eax=(0AFh+AscSum(szCode1)) and 0xFF
00694EC3 |.^ 75 D8 \jnz short ImgConve.00694E9D ;结果在edx=(56h+0AFh+AscSum(szCode1)) and 0xFF
00694EC5 |>8BDA mov ebx,edx ;ntdll.KiFastSystemCallRet
00694EC7 |.C1E3 08 shl ebx,0x8 ;ebx=edx shl 08h====>xor ebx,ebx, mov bh,dl
00694ECA |.66:03D8 add bx,ax ;===>mov bl,al
00694ECD |.8B4D F8 mov ecx, ;kernel32.7C817080
00694ED0 |.0FB7C3 movzx eax,bx
00694ED3 |.BA 04000000 mov edx,0x4
00694ED8 |.E8 27BDD8FF call <ImgConve.System.SysUtils.IntToHex> ;转hex,只取4位,字符串
00694EDD |.33C0 xor eax,eax
00694EDF |.5A pop edx ;kernel32.7C817077
00694EE0 |.59 pop ecx ;kernel32.7C817077
00694EE1 |.59 pop ecx ;kernel32.7C817077
00694EE2 |.64:8910 mov dword ptr fs:,edx ;ntdll.KiFastSystemCallRet
00694EE5 |.68 FA4E6900 push ImgConve.00694EFA
00694EEA |>8D45 FC lea eax,
00694EED |.E8 3228D7FF call <ImgConve.System.@UStrClr>
00694EF2 \.C3 retn
整个就是验证sn的有效长度是 28位,sn最后4位是前24位的sum值
ok,过了第一关,继续分析
进入关键call 2
006950A0 <>/$55 push ebp ;关键call之2,返回1则成功,返回2,3,4都失败
006950A1 |.8BEC mov ebp,esp
006950A3 |.51 push ecx
006950A4 |.B9 09000000 mov ecx,0x9
006950A9 |>6A 00 /push 0x0
006950AB |.6A 00 |push 0x0
006950AD |.49 |dec ecx
006950AE |.^ 75 F9 \jnz short ImgConve.006950A9
006950B0 |.874D FC xchg ,ecx
006950B3 |.53 push ebx
006950B4 |.56 push esi
006950B5 |.57 push edi
006950B6 |.894D EC mov ,ecx
006950B9 |.8BDA mov ebx,edx ;
006950BB |.8BF8 mov edi,eax
006950BD |.33C0 xor eax,eax
006950BF |.55 push ebp
006950C0 |.68 A7546900 push ImgConve.006954A7
006950C5 |.64:FF30 push dword ptr fs:
006950C8 |.64:8920 mov dword ptr fs:,esp
006950CB |.BE 02000000 mov esi,0x2
006950D0 |.8BC7 mov eax,edi
006950D2 |.E8 2DFCFFFF call <ImgConve.CheckNameLength> ;用户名的长度验证,30~200位,好长
006950D7 |.84C0 test al,al
006950D9 |.0F84 A0030000 je ImgConve.0069547F
006950DF |.8BC3 mov eax,ebx
006950E1 |.E8 1AFFFFFF call <ImgConve.CheckCodeLast4>
006950E6 |.84C0 test al,al
006950E8 |.0F84 91030000 je ImgConve.0069547F
006950EE |.8D55 FC lea edx,
006950F1 |.8BC3 mov eax,ebx ;szCode
006950F3 |.E8 94FEFFFF call <ImgConve.FormatCode> ;去“-”,转大写
006950F8 |.BE 01000000 mov esi,0x1
006950FD |.8B1D D0EE7B00 mov ebx,dword ptr ds: ;
00695103 |>8D55 F4 /lea edx,
00695106 |.8B03 |mov eax,dword ptr ds: ;"XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX"
00695108 |.E8 7FFEFFFF |call <ImgConve.FormatCode>
0069510D |.8D45 F0 |lea eax,
00695110 |.8B55 FC |mov edx,
00695113 |.E8 342AD7FF |call <ImgConve.System.@UStrLAsg>
00695118 |.8B55 F0 |mov edx,
0069511B |.8B45 F4 |mov eax, ;
0069511E |.E8 657EDCFF |call <ImgConve.strCompare>
00695123 |.84C0 |test al,al
00695125 |.74 0A |je short ImgConve.00695131
00695127 |.BE 03000000 |mov esi,0x3 ;如果sn是上面一串的话,返回3,失败
0069512C |.E9 4E030000 |jmp ImgConve.0069547F
00695131 |>83C3 04 |add ebx,0x4
00695134 |.4E |dec esi
00695135 |.^ 75 CC \jnz short ImgConve.00695103
00695137 |.BE 04000000 mov esi,0x4
0069513C |.8B45 EC mov eax,
0069513F |.99 cdq
00695140 |.52 push edx ;ntdll.KiFastSystemCallRet
00695141 |.50 push eax
00695142 |.8BC7 mov eax,edi
00695144 |.E8 4FFCFFFF call <ImgConve.CalcSum_szName> ;结果为szNameSum
00695149 |.E8 9642D7FF call <ImgConve.System.@_llmul> ;szNameSum * 0x17289 (这个来自上层调用的时候的一个参数)
0069514E |.8945 E0 mov ,eax
00695151 |.8955 E4 mov ,edx ;edx为乘积的更高位(sum>0B0DE),name最少176位才可能
00695154 |.8D45 F8 lea eax,
00695157 |.50 push eax
00695158 |.B9 02000000 mov ecx,0x2
0069515D |.BA 01000000 mov edx,0x1
00695162 |.8B45 FC mov eax,
00695165 |.E8 1A37D7FF call <ImgConve.System.@UStrCopy> ;szCode1_2=mid(eax,edx,ecx)=mid(szCode,1,2)
0069516A |.FF75 E4 push
0069516D |.FF75 E0 push
00695170 |.B1 91 mov cl,0x91 ;ret1=loc8 shr (al mod 0xc)
00695172 |.B2 0B mov dl,0xB ;ret2=loc8 shr (dl mod 0x22)
00695174 |.B0 5E mov al,0x5E ;ret=ret1 xor (ret2 and/or cl)
00695176 |.E8 85FDFFFF call <ImgConve.exshr> ;sub(al,dl,cl,loc8,loc7)
0069517B |.8BD8 mov ebx,eax
0069517D |.8D4D DC lea ecx,
00695180 |.0FB6C3 movzx eax,bl ;eax=ret and 0xFF
00695183 |.BA 02000000 mov edx,0x2
00695188 |.E8 77BAD8FF call <ImgConve.System.SysUtils.IntToHex>
0069518D |.8B55 DC mov edx,
00695190 |.8B45 F8 mov eax, ;kernel32.7C817080
00695193 |.E8 B436D7FF call <ImgConve.System.@UStrEqual> ;前2位是“21”,由用户名计算得出
......省略一大段相似代码,分别是计算验证sn前22位的......
。。。。。。。
。。。。。
。。。
其中计算name的sum的call是
00694D98 <>/$55 push ebp ;CalcSum_szName
00694D99 |.8BEC mov ebp,esp
00694D9B |.83C4 F0 add esp,-0x10
00694D9E |.53 push ebx
00694D9F |.33D2 xor edx,edx ;ntdll.KiFastSystemCallRet
00694DA1 |.8955 F8 mov ,edx ;ntdll.KiFastSystemCallRet
00694DA4 |.8945 FC mov ,eax
00694DA7 |.8B45 FC mov eax,
00694DAA |.E8 592AD7FF call <ImgConve.System.@UStrAddRef>
00694DAF |.33C0 xor eax,eax
00694DB1 |.55 push ebp
00694DB2 |.68 434E6900 push ImgConve.00694E43
00694DB7 |.64:FF30 push dword ptr fs:
00694DBA |.64:8920 mov dword ptr fs:,esp
00694DBD |.33DB xor ebx,ebx
00694DBF |.8B45 FC mov eax,
00694DC2 |.E8 3DFFFFFF call <ImgConve.CheckNameLength>
00694DC7 |.84C0 test al,al
00694DC9 |.74 54 je short ImgConve.00694E1F
00694DCB |.8D45 F8 lea eax,
00694DCE |.8B55 FC mov edx,
00694DD1 |.E8 762DD7FF call <ImgConve.System.@UStrLAsg>
00694DD6 |.8B45 F8 mov eax, ;kernel32.7C817080
00694DD9 |.85C0 test eax,eax
00694DDB |.74 05 je short ImgConve.00694DE2
00694DDD |.83E8 04 sub eax,0x4
00694DE0 |.8B00 mov eax,dword ptr ds:
00694DE2 |>8BD0 mov edx,eax
00694DE4 |.85D2 test edx,edx ;ntdll.KiFastSystemCallRet
00694DE6 |.7E 37 jle short ImgConve.00694E1F
00694DE8 |.B8 01000000 mov eax,0x1 ;ebx=0
00694DED |>83F8 01 /cmp eax,0x1
00694DF0 |.7E 16 |jle short ImgConve.00694E08
00694DF2 |.8B4D F8 |mov ecx, ;kernel32.7C817080
00694DF5 |.0FB74C41 FE |movzx ecx,word ptr ds:
00694DFA |.03D9 |add ebx,ecx
00694DFC |.8B4D F8 |mov ecx, ;kernel32.7C817080
00694DFF |.0FB74C41 FC |movzx ecx,word ptr ds:
00694E04 |.03D9 |add ebx,ecx
00694E06 |.EB 13 |jmp short ImgConve.00694E1B
00694E08 |>8B4D F8 |mov ecx, ;kernel32.7C817080
00694E0B |.0FB74C41 FE |movzx ecx,word ptr ds:
00694E10 |.03D9 |add ebx,ecx
00694E12 |.8B4D F8 |mov ecx, ;kernel32.7C817080
00694E15 |.0FB70C41 |movzx ecx,word ptr ds:
00694E19 |.03D9 |add ebx,ecx ;szName的ascii和,都取了2遍所以*2
00694E1B |>40 |inc eax ;第2位取了3次,最后一位只取了1次
00694E1C |.4A |dec edx ;ntdll.KiFastSystemCallRet
00694E1D |.^ 75 CE \jnz short ImgConve.00694DED ;结果为ebx=AscSum(szName)*2+szName-szName
00694E1F |>8BC3 mov eax,ebx
00694E21 |.99 cdq
00694E22 |.8945 F0 mov ,eax
00694E25 |.8955 F4 mov ,edx ;ntdll.KiFastSystemCallRet
00694E28 |.33C0 xor eax,eax
00694E2A |.5A pop edx ;kernel32.7C817077
00694E2B |.59 pop ecx ;kernel32.7C817077
00694E2C |.59 pop ecx ;kernel32.7C817077
00694E2D |.64:8910 mov dword ptr fs:,edx ;ntdll.KiFastSystemCallRet
00694E30 |.68 4A4E6900 push ImgConve.00694E4A
00694E35 |>8D45 F8 lea eax,
00694E38 |.BA 02000000 mov edx,0x2
00694E3D |.E8 4229D7FF call <ImgConve.System.@UStrArrayClr>
00694E42 \.C3 retn
6、算法总结
用户名长度:30~200
sn有效长度28位,即去掉“-”后28位
sn前22位是name的某sum值乘以一个常数,然后经过某右移后的某运算计算的,每次计算两位
sn23、24位基本没有什么验证
sn最后4位是前24位的某sum值
是个做不了内存注册机的明码比较的软件
另外,注册信息保存的地方,基本算是明码保存的:
HKEY_CURRENT_USER\Software\David Esperalta\ImgConverter\Options\Formats提供一个可用的注册码
用户名:www.52pojie.cn/www.飘云阁.com/expasy
注册码:7E50-504C-8725-3C71-563A-1DE5-E9F3
更在了下keygen
用户名:定风波-苏轼-莫听穿林打叶声,何妨吟啸且徐行。竹杖芒鞋轻胜马,谁怕?一蓑烟雨任平生。料峭春风吹酒醒,微冷,山头斜照却相迎。回首向来萧瑟处,归去,也无风雨也无晴
注册码:8B14-086E-DAAC-221C-C80C-9FVV-9271
7、写注册机,用软件现成的代码直接写
比如说
;########################################################################
;计算用户名的sum值
;lpSrcStr是用户名的地址,sLen是用户名长度,dwDest是结果的值
;calcnamesum proc uses edx eax ecx ebx, lpSrcStr:DWORD,sLen:DWORD,dwDest:DWORD
;返回的值在eax,dword类型
calcnamesum proc lpSrcStr:DWORD,sLen:DWORD
xor ecx,ecx
xor ebx,ebx
mov edx,sLen
mov eax,1
loc00694DED:
cmp eax,1
jle short loc00694E08
mov ecx,lpSrcStr
movzx ecx,WORD ptr ds:
;movzx ecx,BYTE ptr ds: ;如果不是unicode的话就得变成这样,是unicode的话用上面那个
add ebx,ecx
mov ecx,lpSrcStr
movzx ecx,WORD ptr ds:
;movzx ecx,BYTE ptr ds:
add ebx,ecx
jmp short loc00694E1B
loc00694E08:
mov ecx,lpSrcStr
movzx ecx,WORD ptr ds:
;movzx ecx,BYTE ptr ds:
add ebx,ecx
mov ecx,lpSrcStr
movzx ecx,WORD ptr ds:
;movzx ecx,BYTE ptr ds:
add ebx,ecx
loc00694E1B:
inc eax
dec edx
jnz short loc00694DED
mov eax,ebx
ret
calcnamesum endp
;########################################################################
。。。。。。
。。。。。
。。。。
。。。
。。
。
8、无图说个xx
9、最后附上注册机及源码,我使用的是MASMPlus,当然用RadASM也可以用
不得不说,用masm写的注册机加上图标才7kb,程序真小
**** Hidden Message *****
10、总结
之前从来没有考虑过使用程序中的代码写注册机,这是第一次,看了些教程决定自己试一下,写的时候也出了些问题,但是一步一步来,出错了就用od看错在哪里,出了错的地方很多我都没有直接删掉而是把他注释掉了,程序很简单,有不足之处希望批评指正
--------------------------------------------------------------------------------
2016年06月14日 下午 11:50:09
默之 发表于 2016-6-23 09:13
刚开始学习逆向,还没有入门呢,想问一下楼主,下面的备注是怎么知道的?汇编能看出来么?小白问题
汇编一般不能直接看出,调试时看数据窗口分析出来吧 榻榻米 发表于 2016-6-17 11:50
与 == 0D这个不懂为何要这样。。 大神能否说明下
CallWindowProc 函数原型:LRESULT CallWindowProc(WNDPROC lpPrevWndFunc, HWND hWnd, UINT Msg, WPARAM wParam, LPARAM IParam);
在od中
就是HWND hWnd:指向接收消息的窗口过程的句柄。
就是Msg:指定消息类型。
而这个消息类型值 0D 表示的是 WM_GETTEXT
因为有:
#define WM_GETTEXT 0x000D
#define WM_GETTEXTLENGTH 0x000E
#define WM_SETTEXT 0x000C
.....
具体的还是查msdn吧,我也不知道
与 == 0D这个不懂为何要这样。。 大神能否说明下 吃葡萄不吐葡萄皮 期待大神发更多的教程{:1_921:} 支持大神原创教程!又学到了一些知识非常感谢! 很详细的教程,为你的努力加分 谢谢楼主的教程 学习学习 感谢分享源码 前排围观学习。