Sound
Posted 2016-11-14 02:57
Last edited by Sound on 2016-11-14 03:01
First, check which language the KeyGenMe was written in:
Borland Delphi
Load it in OllyDbg; EIP is at:
0x5B927C > $ 55 push ebp
0x5B927D . 8BEC mov ebp,esp
0x5B927F . 83C4 F0 add esp,-0x10
0x5B9282 . B8 701A5B00 mov eax,Key1.005B1A70
0x5B9287 . E8 B84BE5FF call Key1.0040DE44
0x5B928C . A1 B8ED5B00 mov eax,dword ptr ds:[0x5BEDB8]
0x5B9291 . 8B00 mov eax,dword ptr ds:[eax]
0x5B9293 . E8 40FAFEFF call Key1.005A8CD8
0x5B9298 . A1 B8ED5B00 mov eax,dword ptr ds:[0x5BEDB8]
0x5B929D . 8B00 mov eax,dword ptr ds:[eax]
0x5B929F . B2 01 mov dl,0x1
0x5B92A1 . E8 7617FFFF call Key1.005AAA1C
Ctrl+B, search for the hex code 740E8BD38B83????????FF93???????? or use this script:
var Addr
mov Addr,401000
loop:
find Addr,#740E8BD38B83????????FF93????????#
cmp $RESULT,0
je Exit
add $RESULT,0A
bp $RESULT
add $RESULT,1
mov Addr,$RESULT
jmp loop
Exit:
ret
EIP = 0x51BDE1
0x51BDE1 |> \66:83BB 1A010>cmp word ptr ds:[ebx+0x11A],0x0
0x51BDE9 |. 74 0E je XKey1.0051BDF9
0x51BDEB |. 8BD3 mov edx,ebx
0x51BDED |. 8B83 1C010000 mov eax,dword ptr ds:[ebx+0x11C]
0x51BDF3 |. FF93 18010000 call dword ptr ds:[ebx+0x118]
0x51BDF9 |> 5B pop ebx
0x51BDFA \. C3 retn
0x51BDFB 90 nop
0x51BDFC . 53 push ebx
Set an int3 breakpoint at 0x51BDF3, run, enter a false key (Sound) and click Check. It breaks at 0x51BDF3; the called subroutine address is 0x5B1800:
0051BDF3 |. FF93 18010000 call dword ptr ds:[ebx+0x118] ; Key1.005B1800
0x51BDF9 |> 5B pop ebx
0x51BDFA \. C3 retn
Step Into (F7) call dword ptr ds:[ebx+0x118]
0x5B1800 /. 55 push ebp
0x5B1801 |. 8BEC mov ebp,esp
0x5B1803 |. 83C4 C8 add esp,-0x38
0x5B1806 |. 53 push ebx
0x5B1807 |. 33C9 xor ecx,ecx
0x5B1809 |. 894D CC mov [local.13],ecx
0x5B180C |. 894D C8 mov [local.14],ecx
0x5B180F |. 894D D0 mov [local.12],ecx
0x5B1812 |. 894D D4 mov [local.11],ecx
0x5B1815 |. 894D FC mov [local.1],ecx
0x5B1818 |. 894D F8 mov [local.2],ecx
0x5B181B |. 8BD8 mov ebx,eax
0x5B181D |. 33C0 xor eax,eax
0x5B181F |. 55 push ebp
0x5B1820 |. 68 C5195B00 push Key1.005B19C5
Step Over (F8); the disassembly in between is filtered out here.
0x5B1839 |. 8B45 FC mov eax,[local.1]
0x5B183C |. 85C0 test eax,eax
0x5B183E |. 74 05 je XKey1.005B1845
0x5B1840 |. 83E8 04 sub eax,0x4
0x5B1843 |. 8B00 mov eax,dword ptr ds:[eax]
0x5B1845 |> 83F8 0A cmp eax,0xA
This checks the length of the registration code. We only entered Sound, 5 characters.
0x5B184A |. |E8 F5FEFFFF call Key1.005B1744
0x5B184F |. |E9 49010000 jmp Key1.005B199D
When stepping over 0x5B184A, the Info box says:
Bad boy
---------------------------
Oh Bad my friend , Try now
Click OK; it breaks at:
0x5B184F |. /E9 49010000 jmp Key1.005B199D
0x5B1854 |> |0FB605 D4195B00 movzx eax,byte ptr ds:[0x5B19D4]
0x5B185B |. |50 push eax
0x5B185C |. |8D45 F8 lea eax,[local.2]
0x5B185F |. |50 push eax
NOP out 0x5B184F. The registration code has three parts separated by - : Number_I - Number_II - Number_III
0x5B1860 |. B9 E4195B00 mov ecx,Key1.005B19E4 ; --
0x5B1865 |. BA F8195B00 mov edx,Key1.005B19F8 ; -
0x5B186A |. 8B45 FC mov eax,[local.1]
0x5B186D |. E8 FA64E7FF call Key1.00427D6C
0x5B1872 |. 8B45 FC mov eax,[local.1]
Compares Number_I: it must be at least three decimal digits, plus the - separator.
0x5B1885 |. /74 05 je XKey1.005B188C
0x5B1887 |. |83E8 04 sub eax,0x4
0x5B188A |. |8B00 mov eax,dword ptr ds:[eax]
0x5B188C |> \83C2 02 add edx,0x2
0x5B188F |. 3BC2 cmp eax,edx
0x5B1891 |. 74 0A je XKey1.005B189D
0x5B1893 |. E8 ACFEFFFF call Key1.005B1744
0x5B1898 |. E9 00010000 jmp Key1.005B199D
0x5B189D |> B2 01 mov dl,0x1
0x5B189F |. A1 D4D84800 mov eax,dword ptr ds:[0x48D8D4]
0x5B18A4 |. E8 0BF3EFFF call Key1.004B0BB4
0x5B18A9 |. 8945 F4 mov [local.3],eax
0x5B18AC |. 8D4D F4 lea ecx,[local.3]
0x5B18AF |. 66:BA 2D00 mov dx,0x2D
0x5B18B3 |. 8B45 FC mov eax,[local.1]
0x5B18B6 |. E8 E5FEFFFF call Key1.005B17A0
Info prompt: Oh Bad my friend , Try now. After clicking OK it breaks at:
0x5B1891 |. /74 0A je XKey1.005B189D
0x5B1893 |. |E8 ACFEFFFF call Key1.005B1744
0x5B1898 |. |E9 00010000 jmp Key1.005B199D
NOP out 0x5B1898, Step Over (F8); now it starts getting Number_I:
0x5B189D |> \B2 01 mov dl,0x1
0x5B189F |. A1 D4D84800 mov eax,dword ptr ds:[0x48D8D4]
0x5B18A4 |. E8 0BF3EFFF call Key1.004B0BB4
0x5B18A9 |. 8945 F4 mov [local.3],eax
0x5B18AC |. 8D4D F4 lea ecx,[local.3]
0x5B18AF |. 66:BA 2D00 mov dx,0x2D
0x5B18B3 |. 8B45 FC mov eax,[local.1]
0x5B18B6 |. E8 E5FEFFFF call Key1.005B17A0
0x5B18BB |. B8 DBB50000 mov eax,0xB5DB
0x5B18C0 |. E8 2352E5FF call Key1.00406AE8
0x5B18C5 |. 99 cdq
0x5B18C6 |. 52 push edx
0x5B18C7 |. 50 push eax
0x5B18C8 |. 8D4D D4 lea ecx,[local.11]
0x5B18CB |. 33D2 xor edx,edx
0x5B18CD |. 8B45 F4 mov eax,[local.3]
0x5B18D0 |. 8B18 mov ebx,dword ptr ds:[eax]
0x5B18D2 |. FF53 0C call dword ptr ds:[ebx+0xC] ; Key1.004B07D0
Step Over (F8); get Number_II and run it through StrToInt64:
0x5B18EF |. 50 push eax
0x5B18F0 |. 8D4D D0 lea ecx,[local.12]
0x5B18F3 |. BA 01000000 mov edx,0x1
0x5B18F8 |. 8B45 F4 mov eax,[local.3]
0x5B18FB |. 8B18 mov ebx,dword ptr ds:[eax]
0x5B18FD |. FF53 0C call dword ptr ds:[ebx+0xC]
0x5B1900 |. 8B45 D0 mov eax,[local.12]
0x5B1903 |. E8 90FDE6FF call Key1.00421698
Step Over (F8); StrToInt64('$' + Number_III) = get Number_III in hex format:
0x5B1928 |. FF53 0C call dword ptr ds:[ebx+0xC]
0x5B192B |. 8B4D C8 mov ecx,[local.14]
0x5B192E |. 8D45 CC lea eax,[local.13]
0x5B1931 |. BA 081A5B00 mov edx,Key1.005B1A08 ; $
0x5B1936 |. E8 3D86E5FF call Key1.00409F78
0x5B193B |. 8B45 CC mov eax,[local.13]
0x5B193E |. E8 55FDE6FF call Key1.00421698
Step Over (F8); Number_I * 2:
0x5B1943 |. 8945 D8 mov [local.10],eax
0x5B1946 |. 8955 DC mov [local.9],edx
0x5B1949 |. 6A 00 push 0x0
0x5B194B |. 6A 02 push 0x2
0x5B194D |. 8B45 E8 mov eax,[local.6]
0x5B1950 |. 8B55 EC mov edx,[local.5]
0x5B1953 |. E8 3092E5FF call Key1.0040AB88
Step Over (F8); check Number_II = Number_I * 2:
0x5B1958 |. 3B55 E4 cmp edx,[local.7]
0x5B195B |. 75 03 jnz XKey1.005B1960
0x5B195D |. 3B45 E0 cmp eax,[local.8]
Step Over (F8); check Number_III = Number_I (Dec => Hex):
0x5B195D |. 3B45 E0 cmp eax,[local.8]
0x5B1960 |> 74 07 je XKey1.005B1969
0x5B1962 |. E8 DDFDFFFF call Key1.005B1744
0x5B1967 |. EB 34 jmp XKey1.005B199D
0x5B1969 |> 8B45 E8 mov eax,[local.6]
0x5B196C |. 8B55 EC mov edx,[local.5]
0x5B196F |. 3B55 DC cmp edx,[local.9]
0x5B1972 |. 75 03 jnz XKey1.005B1977
0x5B1974 |. 3B45 D8 cmp eax,[local.10]
0x5B1977 |> 74 11 je XKey1.005B198A
Number_I is random
Number_II = Number_I*2
Number_III= Number_I Hex format
0x5B18D2 |. CALL DWORD PTR DS:[EBX+0C] ; Get Number_I
0x5B1903 |. E8 90FDE6FF CALL 00421698 ; StrToInt64(Number_II)
0x5B193E |. E8 55FDE6FF CALL 00421698 ; StrToInt64($Number_III)=get Number_III hex format
0x5B1953 |. E8 3092E5FF CALL 0040AB88 ; 2 * Number_I
0x5B195D |. 3B45 E0 CMP EAX,DWORD PTR SS:[EBP-20] ; Number_II = 2 * Number_I
0x5B1974 |. 3B45 E0 CMP EAX,DWORD PTR SS:[EBP-28] ; Number_III=Hex Format of Number_I
KeyGen source (Delphi):
var
Serial: string;
part: array [1 .. 3] of string;
num1, num2, num3: Integer;
begin
num1 := 000 + Random(9999);
part[1] := IntToStr(num1);
num2 := num1 * 2;
part[2] := IntToStr(num2);
num3 := num1;
part[3] := IntToHex(num3, 7);
Serial := part[1] + '-' + part[2] + '-' + part[3];
edt1.Text := Serial;
end;
Easy Language (E语言):
.版本 2
.子程序 _按钮1_被单击
.局部变量 key1, 整数型
.局部变量 key2, 文本型
.局部变量 key3, 文本型
.局部变量 keyMaked, 文本型
置随机数种子 ()
key1 = 取随机数 (100, 99999)
key2 = 到文本 (key1 × 2)
key3 = 取十六进制文本 (key1)
keyMaked = 到文本 (key1) + “-” + key2 + “-” + key3
编辑框.内容 = keyMaked
Example keys:
26291-52582-66B3
10041-20082-2739
19126-38252-4AB6
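The check reconstructed above, re-implemented in Python as an added example (not code from the post): the length compare against 0xA, the three-part split on -, StrToInt64 on the decimal and '$'-prefixed hex parts, and the two final compares. The direction of the jump after cmp eax,0xA is assumed from the fact that the 5-character input failed.

```python
"""Reconstruction of the KeyGenMe serial check (added example)."""

MIN_LEN = 0xA  # 0x5B1845: cmp eax,0xA; the 5-char input "Sound" hit the bad-boy call


def str_to_int64(s: str) -> int:
    """Mimic Delphi StrToInt64: a leading '$' selects hexadecimal, otherwise decimal."""
    s = s.strip()
    if s.startswith("$"):
        return int(s[1:], 16)
    return int(s, 10)


def check_serial(serial: str) -> bool:
    """Return True when `serial` passes the reconstructed check, False otherwise."""
    if len(serial) < MIN_LEN:  # assumed direction of the jump after cmp eax,0xA
        return False
    parts = serial.split("-")  # Number_I - Number_II - Number_III
    if len(parts) != 3 or not all(parts):
        return False
    num1_s, num2_s, num3_s = parts
    if len(num1_s) < 3 or not num1_s.isdigit():  # Number_I: at least three decimal digits
        return False
    try:
        num1 = str_to_int64(num1_s)
        num2 = str_to_int64(num2_s)         # 0x5B1903: StrToInt64(Number_II)
        num3 = str_to_int64("$" + num3_s)   # 0x5B193E: StrToInt64('$' + Number_III)
    except ValueError:
        return False
    # 0x5B195D: Number_II == 2 * Number_I ; 0x5B1974: Number_III == Number_I
    return num2 == num1 * 2 and num3 == num1


def make_serial(num1: int) -> str:
    """Build a serial from Number_I the same way the posted keygen does."""
    return f"{num1}-{num1 * 2}-{num1:X}"


# The three example keys from the post, used as inputs.
EXAMPLE_KEYS = ["26291-52582-66B3", "10041-20082-2739", "19126-38252-4AB6"]

if __name__ == "__main__":
    for key in EXAMPLE_KEYS:
        print(key, check_serial(key))
    print("Sound", check_serial("Sound"))
```

Note that IntToHex(num3, 7) in the Delphi keygen emits zero-padded hex such as 00066B3; StrToInt64 (and int(..., 16) here) accepts that as well, so both keygens produce valid serials.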
PS: This article was written back in 2013; I found it while going through my hard drive and decided to post it. :P
Attachment: Key1.7z (587.71 KB)