GIF Movie Gear: hands-on reverse engineering, registration code and patch

Preparation: I did this on Windows 8.1 x64. Where anything is lacking, I hope the experts will point it out.
Getting the software: download from http://www.gamani.com/gmgdown.htm; the domestic (Chinese) mirrors carry copies that are already localized and cracked.
GIF Movie Gear 4.2.3 is a GIF animation editor. It has nearly every editing function needed to produce GIF animations, so no other graphics tool is required. It handles background transparency easily, can optimize finished images to shrink them, and besides saving the result as an animated GIF it can also output PSD, JPEG, AVI, BMP, GIF and AVI formats.
A first look at the restrictions
Running it: it really is restricted. It is annoying at startup as well: a popup appears and, rather than exiting directly, you have to wait for a button to show up and then click OK to close it.
Checking the PE info: it seems not to be lying to us; there is no packer.
Look for a registration window: Version 4.2.3.
Locating the check: the program has to decide whether the registration is valid, so first it fetches the input. Back in OllyDbg, search for the usual symbols, GetDlgItemText or GetWindowText. Here I go straight for GetWindowText (because GetDlgItemText = GetDlgItem + GetWindowText); if it is not found that is fine as well (as with LoadLibrary), just go to the User32.dll module and find it there, and take the ASCII version. The convenient way is the cmdBar plugin: set the breakpoint as shown in the figure below.
Back in the dialog, click the OK button; the breakpoint fires, as expected. Look at the stack, or just press Alt+F9 to execute until the program module.
You can see two calls to GetWindowTextA, followed by a call whose arguments are EDX and ECX, coming from the buffers [LOCAL.49] and [LOCAL.24] that received the edit-box contents. Control 1103 is Name, 1104 is Code.
After that there is a JZ on the return value, and a string used to create a registry key. This is far too obvious and far too quick; how can this be so undefended...
The registration information is stored in the registry under HKEY_LOCAL_MACHINE\Software\gamani\GIFMovieGear\2.0 in two values, "RegName3" and "RegCode3"; the expiry time comes from HKLM\SOFTWARE\Wow6432Node\Loani\MG4\stamp, stored as a number of seconds.
new Date(0x540b1713 * 1000) = Sat Jan 17 1970 15:40:12 GMT+0800 (China Standard Time)
Note that on x64 the registry accesses made by these calls are redirected (Process Monitor output):
3:29:05.3795926 PM  movgear.exe  5756  RegQueryValue  HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\gamani\GIFMovieGear\2.0\RegName3  SUCCESS  Type: REG_SZ, Length: 10, Data: 蘇北小麥
3:29:06.8898693 AM  movgear.exe  4380  RegQueryValue  HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\gamani\GIFMovieGear\2.0\RegCode3  SUCCESS  Type: REG_SZ, Length: 26, Data: mg37sfhh4045
3:29:53.9921742 AM  movgear.exe  4380  RegQueryValue  HKLM\SOFTWARE\Wow6432Node\Loani\MG4\stamp  SUCCESS  Type: REG_BINARY, Length: 4, Data: 13 17 0B 54
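The three Process Monitor lines above show a 32-bit process on 64-bit Windows going through two layers of redirection at once: WOW64 inserts Wow6432Node under HKLM\SOFTWARE, and UAC virtualization sends an unelevated write aimed at HKLM into HKCU\Software\Classes\VirtualStore\MACHINE. When reading such traces back, for instance to find where a program's licence or configuration state really ended up on disk, it helps to map the observed path back to the logical path the program actually named. The following C function is an added example, not code from the original post, that performs that mapping and reports which redirections applied; the struct, the function names and the sample paths are this example's own, built from the paths in the log lines.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original post): recover the logical registry path
 * from the path Process Monitor observed, undoing WOW64 and UAC redirection.
 * Struct and function names are this example's own. */
typedef struct {
    bool wow64;        /* the path passed through a Wow6432Node component */
    bool virtualized;  /* the path passed through HKCU\...\VirtualStore\MACHINE */
    char logical[260]; /* the path as the program itself named it */
} reg_view;

static const char VSTORE[] = "HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\";
static const char WOW[]    = "\\Wow6432Node";

reg_view classify_reg_path(const char *observed)
{
    reg_view v = { false, false, "" };

    /* UAC virtualization: an unelevated process wrote "HKLM\..." and the write
     * landed under the user's hive instead. The logical root is HKLM. */
    if (strncmp(observed, VSTORE, sizeof VSTORE - 1) == 0) {
        v.virtualized = true;
        snprintf(v.logical, sizeof v.logical, "HKLM\\%s", observed + (sizeof VSTORE - 1));
    } else {
        snprintf(v.logical, sizeof v.logical, "%s", observed);
    }

    /* WOW64 redirection: a 32-bit process asking for HKLM\SOFTWARE\... is sent to
     * HKLM\SOFTWARE\Wow6432Node\...; drop that component to get the logical path. */
    char *p = strstr(v.logical, WOW);
    if (p != NULL) {
        v.wow64 = true;
        memmove(p, p + (sizeof WOW - 1), strlen(p + (sizeof WOW - 1)) + 1);
    }
    return v;
}

/* Small predicates so a caller can check one property of a path at a time. */
bool path_is_virtualized(const char *observed) { return classify_reg_path(observed).virtualized; }
bool path_is_wow64(const char *observed)       { return classify_reg_path(observed).wow64; }
bool logical_path_is(const char *observed, const char *expected)
{
    return strcmp(classify_reg_path(observed).logical, expected) == 0;
}

int main(void)
{
    /* Constructed sample: the three paths from the Process Monitor lines above. */
    const char *samples[] = {
        "HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE\\Wow6432Node\\gamani\\GIFMovieGear\\2.0\\RegName3",
        "HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE\\Wow6432Node\\gamani\\GIFMovieGear\\2.0\\RegCode3",
        "HKLM\\SOFTWARE\\Wow6432Node\\Loani\\MG4\\stamp",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        reg_view v = classify_reg_path(samples[i]);
        printf("%s\n  wow64=%d virtualized=%d\n  logical=%s\n",
               samples[i], v.wow64, v.virtualized, v.logical);
    }
    return 0;
}
```

The two flags are independent: the stamp value in the third line is WOW64-redirected but not virtualized (it was read, not written, and lives in HKLM proper), while the two string values were both redirected and virtualized, which is why they can be found under HKCU even though the code at 0043456F asks for HKEY_LOCAL_MACHINE.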
Registration: reading the dialog fields

CPU Disasm
Address   Hex dump          Command                                   Comments
004344F9  |> \8BBC24 2C0100 MOV EDI,DWORD PTR SS:[ARG.1]            ; case 1 of switch movgear.4344D1
00434500  |. 8B35 D0F44700  MOV ESI,DWORD PTR DS:[<&USER32.GetDlgItem>]
00434506  |. 6A 64          PUSH 64                                 ; /MaxCount = 100.
00434508  |. 8D5424 64      LEA EDX,[LOCAL.49]                      ; |
0043450C  |. 52             PUSH EDX                                ; |String => OFFSET LOCAL.49
0043450D  |. 68 4F040000    PUSH 44F                                ; |/ItemID = 1103.
00434512  |. 57             PUSH EDI                                ; ||hDialog => [ARG.1]
00434513  |. FFD6           CALL ESI                                ; |\USER32.GetDlgItem
00434515  |. 8B1D 4CF34700  MOV EBX,DWORD PTR DS:[<&USER32.GetWindowTextA>] ; |
0043451B  |. 50             PUSH EAX                                ; |hWnd
0043451C  |. FFD3           CALL EBX                                ; \USER32.GetWindowTextA
0043451E  |. 6A 64          PUSH 64                                 ; /MaxCount = 100.
00434520  |. 8D8424 C80000  LEA EAX,[LOCAL.24]                      ; |
00434527  |. 50             PUSH EAX                                ; |String => OFFSET LOCAL.24
00434528  |. 68 50040000    PUSH 450                                ; |/ItemID = 1104.
0043452D  |. 57             PUSH EDI                                ; ||hDialog => [ARG.1]
0043452E  |. FFD6           CALL ESI                                ; |\USER32.GetDlgItem
00434530  |. 50             PUSH EAX                                ; |hWnd
00434531  |. FFD3           CALL EBX                                ; \USER32.GetWindowTextA
00434533  |. 8D8C24 C40000  LEA ECX,[LOCAL.24]
0043453A  |. 51             PUSH ECX                                ; /Arg2 => OFFSET LOCAL.24
0043453B  |. 8D5424 64      LEA EDX,[LOCAL.49]                      ; |
0043453F  |. 52             PUSH EDX                                ; |Arg1 => OFFSET LOCAL.49
00434540  |. E8 EBFBFFFF    CALL 00434130                           ; \movgear.00434130
00434545  |. 83C4 08        ADD ESP,8
00434548  |. 85C0           TEST EAX,EAX
0043454A  |. 0F84 B6000000  JZ 00434606
00434550  |. 8D4424 10      LEA EAX,[LOCAL.69]
00434554  |. 50             PUSH EAX                                ; /pDisposition => OFFSET LOCAL.69
00434555  |. 8D4C24 10      LEA ECX,[LOCAL.70]                      ; |
00434559  |. 51             PUSH ECX                                ; |pResult => OFFSET LOCAL.70
0043455A  |. 6A 00          PUSH 0                                  ; |pSecurity = NULL
0043455C  |. 68 3F000F00    PUSH 0F003F                             ; |DesiredAccess = KEY_ALL_ACCESS
00434561  |. 6A 00          PUSH 0                                  ; |Options = REG_OPTION_NON_VOLATILE
00434563  |. 68 85F64700    PUSH OFFSET 0047F685                    ; |Class
00434568  |. 6A 00          PUSH 0                                  ; |Reserved = 0
0043456A  |. 68 84E44800    PUSH OFFSET 0048E484                    ; |Subkey = "Software\gamani\GIFMovieGear\2.0"
0043456F  |. 68 02000080    PUSH 80000002                           ; |hKey = HKEY_LOCAL_MACHINE
00434574  |. FF15 0CF04700  CALL DWORD PTR DS:[<&ADVAPI32.RegCreateKeyExA>] ; \ADVAPI32.RegCreateKeyExA
0043457A  |. 8D4424 60      LEA EAX,[LOCAL.49]
0043457E  |. 8D50 01        LEA EDX,[EAX+1]
00434581  |> 8A08           /MOV CL,BYTE PTR DS:[EAX]
00434583  |. 40             |INC EAX
00434584  |. 84C9           |TEST CL,CL
00434586  |.^75 F9          \JNZ SHORT 00434581
00434588  |. 8B35 00F04700  MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegSetValueExA>]
0043458E  |. 2BC2           SUB EAX,EDX
00434590  |. 40             INC EAX
00434591  |. 50             PUSH EAX                                ; /DataSize
00434592  |. 8B4424 10      MOV EAX,DWORD PTR SS:[LOCAL.70]         ; |
00434596  |. 8D5424 64      LEA EDX,[LOCAL.49]                      ; |
0043459A  |. 52             PUSH EDX                                ; |Data => OFFSET LOCAL.49
0043459B  |. 6A 01          PUSH 1                                  ; |Type = REG_SZ
0043459D  |. 6A 00          PUSH 0                                  ; |Reserved = 0
0043459F  |. 68 C8F34800    PUSH OFFSET 0048F3C8                    ; |SubKey = "RegName3"
004345A4  |. 50             PUSH EAX                                ; |hKey => [LOCAL.70]
004345A5  |. FFD6           CALL ESI                                ; \ADVAPI32.RegSetValueExA
004345A7  |. 8D8424 C40000  LEA EAX,[LOCAL.24]
004345AE  |. 8D48 01        LEA ECX,[EAX+1]
004345B1  |> 8A10           /MOV DL,BYTE PTR DS:[EAX]
004345B3  |. 40             |INC EAX
004345B4  |. 84D2           |TEST DL,DL
004345B6  |.^75 F9          \JNZ SHORT 004345B1
004345B8  |. 8B5424 0C      MOV EDX,DWORD PTR SS:[LOCAL.70]
004345BC  |. 2BC1           SUB EAX,ECX
004345BE  |. 40             INC EAX
004345BF  |. 50             PUSH EAX                                ; /DataSize
004345C0  |. 8D8C24 C80000  LEA ECX,[LOCAL.24]                      ; |
004345C7  |. 51             PUSH ECX                                ; |Data => OFFSET LOCAL.24
004345C8  |. 6A 01          PUSH 1                                  ; |Type = REG_SZ
004345CA  |. 6A 00          PUSH 0                                  ; |Reserved = 0
004345CC  |. 68 D4F34800    PUSH OFFSET 0048F3D4                    ; |SubKey = "RegCode3"
004345D1  |. 52             PUSH EDX                                ; |hKey => [LOCAL.70]
004345D2  |. FFD6           CALL ESI                                ; \ADVAPI32.RegSetValueExA
004345D4  |. 8B4424 0C      MOV EAX,DWORD PTR SS:[LOCAL.70]
004345D8  |. 50             PUSH EAX                                ; /hKey => [LOCAL.70]
004345D9  |. FF15 18F04700  CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKey>] ; \ADVAPI32.RegCloseKey
004345DF  |. 68 E0F34800    PUSH OFFSET 0048F3E0                    ; /Subkey = "Software\Loani\MG4"
004345E4  |. 68 02000080    PUSH 80000002                           ; |hKey = HKEY_LOCAL_MACHINE
004345E9  |. FF15 14F04700  CALL DWORD PTR DS:[<&ADVAPI32.RegDeleteKeyA>] ; \ADVAPI32.RegDeleteKeyA
004345EF  |. 6A 01          PUSH 1                                  ; /Result = 1
004345F1  |. 57             PUSH EDI                                ; |hDialog => [ARG.1]
004345F2  |. FF15 A4F34700  CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \USER32.EndDialog
004345F8  |. 5F             POP EDI
004345F9  |. 5E             POP ESI
004345FA  |. 33C0           XOR EAX,EAX
004345FC  |. 5B             POP EBX
004345FD  |. 81C4 1C010000  ADD ESP,11C
00434603  |. C2 1000        RETN 10
00434606  |> 6A 30          PUSH 30                                 ; /Arg4 = 30
00434608  |. 68 159D0000    PUSH 9D15                               ; |Arg3 = 9D15
0043460D  |. 68 149D0000    PUSH 9D14                               ; |Arg2 = 9D14
00434612  |. 57             PUSH EDI                                ; |Arg1 => [ARG.1]
00434613  |. E8 F8D8FDFF    CALL 00411F10                           ; \movgear.00411F10
00434618  |. 83C4 10        ADD ESP,10
0043461B  |. 68 4F040000    PUSH 44F                                ; /ItemID = 1103.
00434620  |. 57             PUSH EDI                                ; |hDialog => [ARG.1]
00434621  |. FFD6           CALL ESI                                ; \USER32.GetDlgItem
00434623  |. 50             PUSH EAX                                ; /hWnd
00434624  |. FF15 A8F44700  CALL DWORD PTR DS:[<&USER32.SetFocus>]  ; \USER32.SetFocus
0043462A  |. 5F             POP EDI
0043462B  |. 5E             POP ESI
0043462C  |. 33C0           XOR EAX,EAX
0043462E  |. 5B             POP EBX
0043462F  |. 81C4 1C010000  ADD ESP,11C
00434635  |. C2 1000        RETN 10
The failure popup path

CPU Disasm
Address   Hex dump          Command                                   Comments
00411EE0  /$ 8B4424 04      MOV EAX,DWORD PTR SS:[ARG.1]            ; movgear.00411EE0(guessed Arg1)
00411EE4  |. 8B0D C4C24A00  MOV ECX,DWORD PTR DS:[4AC2C4]
00411EEA  |. 68 00020000    PUSH 200                                ; /Count = 512.
00411EEF  |. 68 80BF4A00    PUSH OFFSET 004ABF80                    ; |Buffer = "The information you have provided is invalid. Please be sure that you typed it exactly as it was given to you."
00411EF4  |. 50             PUSH EAX                                ; |StringID => [ARG.1]
00411EF5  |. 51             PUSH ECX                                ; |hInst => [4AC2C4] = 00400000 ('movgear')
00411EF6  |. FF15 C0F44700  CALL DWORD PTR DS:[<&USER32.LoadStringA>] ; \USER32.LoadStringA
00411EFC  |. 85C0           TEST EAX,EAX
00411EFE  |. 74 0D          JZ SHORT 00411F0D
00411F00  |. 3D 00020000    CMP EAX,200
00411F05  |. 7D 06          JGE SHORT 00411F0D
00411F07  |. B8 80BF4A00    MOV EAX,OFFSET 004ABF80                 ; ASCII "The information you have provided is invalid. Please be sure that you typed it exactly as it was given to you."
00411F0C  |. C3             RETN
00411F0D  |> 33C0           XOR EAX,EAX
00411F0F  \. C3             RETN
00411F10  /$ 8B4C24 0C      MOV ECX,DWORD PTR SS:[ARG.3]            ; movgear.00411F10(guessed Arg1,Arg2,Arg3,Arg4)
00411F14  |. 8B15 C4C24A00  MOV EDX,DWORD PTR DS:[4AC2C4]
00411F1A  |. 81EC 00010000  SUB ESP,100
00411F20  |. 68 FF000000    PUSH 0FF                                ; /Count = 255.
00411F25  |. 8D4424 04      LEA EAX,[LOCAL.63]                      ; |
00411F29  |. 50             PUSH EAX                                ; |Buffer => OFFSET LOCAL.63
00411F2A  |. 51             PUSH ECX                                ; |StringID = 40213. => 'Invalid Registration Info'
00411F2B  |. 52             PUSH EDX                                ; |hInst => [4AC2C4] = 00400000 ('movgear')
00411F2C  |. FF15 C0F44700  CALL DWORD PTR DS:[<&USER32.LoadStringA>] ; \USER32.LoadStringA
00411F32  |. 8B8424 100100  MOV EAX,DWORD PTR SS:[ARG.4]
00411F39  |. 8B9424 080100  MOV EDX,DWORD PTR SS:[ARG.2]
00411F40  |. 0D 00200000    OR EAX,00002000
00411F45  |. 50             PUSH EAX                                ; /Type
00411F46  |. 8D4C24 04      LEA ECX,[LOCAL.63]                      ; |
00411F4A  |. 51             PUSH ECX                                ; |Caption => OFFSET LOCAL.63
00411F4B  |. 52             PUSH EDX                                ; |/Arg1 => [ARG.2]
00411F4C  |. E8 8FFFFFFF    CALL 00411EE0                           ; |\movgear.00411EE0
00411F51  |. 83C4 04        ADD ESP,4                               ; |
00411F54  |. 50             PUSH EAX                                ; |Text
00411F55  |. 8B8424 100100  MOV EAX,DWORD PTR SS:[ARG.1]            ; |
00411F5C  |. 50             PUSH EAX                                ; |hOwner => [ARG.1]
00411F5D  |. FF15 C4F44700  CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \USER32.MessageBoxA
00411F63  |. 81C4 00010000  ADD ESP,100
00411F69  \. C3             RETN
The key part: the registration check
Let us look at the values at offset 0048F3F8: a blacklist of 32 entries.
The first kind of code check: a Code beginning with mg37 takes this path.

CPU Disasm
Address   Hex dump          Command                                   Comments
00434130  /$ 53             PUSH EBX                                ; movgear.00434130(guessed Arg1,Arg2)
00434131  |. 55             PUSH EBP
00434132  |. 8B6C24 10      MOV EBP,DWORD PTR SS:[ARG.2]            ; EBP points at Code, ASCII "12345678"
00434136  |. 807D 00 6D     CMP BYTE PTR SS:[EBP],6D                ; first byte of Code, compared with 'm'
0043413A  |. 56             PUSH ESI
0043413B  |. 57             PUSH EDI
0043413C  |. 0F85 AD000000  JNE 004341EF
00434142  |. 807D 01 67     CMP BYTE PTR SS:[EBP+1],67              ; second byte of Code, compared with 'g'
00434146  |. 0F85 A3000000  JNE 004341EF
0043414C  |. 807D 02 33     CMP BYTE PTR SS:[EBP+2],33              ; third byte of Code, compared with '3'
00434150  |. 0F85 99000000  JNE 004341EF
00434156  |. 807D 03 37     CMP BYTE PTR SS:[EBP+3],37              ; fourth byte of Code, compared with '7'
0043415A  |. 0F85 8F000000  JNE 004341EF
00434160  |. 33DB           XOR EBX,EBX                             ; compare against the blacklist table
00434162  |> 8BBB F8F34800  /MOV EDI,DWORD PTR DS:[EBX+48F3F8]      ; -> PTR ASCII "mvg21951736"
00434168  |. 8BC7           |MOV EAX,EDI                            ; inline strlen begins
0043416A  |. 8D50 01        |LEA EDX,[EAX+1]
0043416D  |. 8D49 00        |LEA ECX,[ECX]
00434170  |> 8A08           |/MOV CL,BYTE PTR DS:[EAX]
00434172  |. 40             ||INC EAX
00434173  |. 84C9           ||TEST CL,CL
00434175  |.^75 F9          |\JNZ SHORT 00434170
00434177  |. 2BC2           |SUB EAX,EDX                            ; EAX = strlen()
00434179  |. 8BC8           |MOV ECX,EAX                            ; blackLengthECX = blackLengthEAX, the number of bytes to compare
0043417B  |. 8BF5           |MOV ESI,EBP                            ; pszchESI = pszchEBP (Code)
0043417D  |. 33C0           |XOR EAX,EAX
0043417F  |. F3:A6          |REPE CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI]
00434181  |. 74 65          |JE SHORT 004341E8                      ; blacklisted: return FALSE immediately
00434183  |. 83C3 04        |ADD EBX,4
00434186  |. 81FB 80000000  |CMP EBX,80
0043418C  |.^72 D4          \JB SHORT 00434162
0043418E  |. 807D 04 73     CMP BYTE PTR SS:[EBP+4],73              ; fifth byte of Code, compared with 's'
00434192  |. 75 01          JNE SHORT 00434195
00434194  |. 45             INC EBP
00434195  |> 8D4D 07        LEA ECX,[EBP+7]                         ; pszchECX = pszchCode + 7 or + 8
00434198  |. 51             PUSH ECX
00434199  |. E8 56BE0300    CALL 0046FFF4
0043419E  |. 8B5C24 18      MOV EBX,DWORD PTR SS:[ARG.1]            ; pszchNameEBX points at Name
004341A2  |. 8A13           MOV DL,BYTE PTR DS:[EBX]                ; EDX_DL = *pszchNameEBX
004341A4  |. 83C4 04        ADD ESP,4
004341A7  |. 33C9           XOR ECX,ECX
004341A9  |. 84D2           TEST DL,DL                              ; is it an empty string?
004341AB  |. 8BFB           MOV EDI,EBX                             ; pszchEDI = pszchEBX
004341AD  |. BE DF0B0000    MOV ESI,0BDF                            ; ESI = 0BDF = 3039
004341B2  |. 74 26          JZ SHORT 004341DA
004341B4  |> 0FBED2         /MOVSX EDX,DL
004341B7  |. 41             |INC ECX
004341B8  |. 0FAFD1         |IMUL EDX,ECX
004341BB  |. 03F2           |ADD ESI,EDX                            ; ESI += *pszchEDI * ECX
004341BD  |. 81FE BE170000  |CMP ESI,17BE
004341C3  |. 7E 06          |JLE SHORT 004341CB
004341C5  |. 81EE BE170000  |SUB ESI,17BE                           ; ESI += *pszchEDI * ECX - 6078.
004341CB  |> 83F9 0A        |CMP ECX,0A
004341CE  |. 7E 02          |JLE SHORT 004341D2
004341D0  |. 33C9           |XOR ECX,ECX
004341D2  |> 8A57 01        |MOV DL,BYTE PTR DS:[EDI+1]
004341D5  |. 47             |INC EDI
004341D6  |. 84D2           |TEST DL,DL
004341D8  |.^75 DA          \JNZ SHORT 004341B4
004341DA  |> 3BF0           CMP ESI,EAX
004341DC  |. 75 15          JNE SHORT 004341F3
004341DE  |. 5F             POP EDI
004341DF  |. 5E             POP ESI
004341E0  |. 5D             POP EBP
004341E1  |. B8 01000000    MOV EAX,1
004341E6  |. 5B             POP EBX
004341E7  |. C3             RETN
004341E8  |> 5F             POP EDI
004341E9  |. 5E             POP ESI
004341EA  |. 5D             POP EBP
004341EB  |. 33C0           XOR EAX,EAX
004341ED  |. 5B             POP EBX
004341EE  |. C3             RETN
004341EF  |> 8B5C24 14      MOV EBX,DWORD PTR SS:[ARG.1]            ; EBX points at Name, ASCII "Fang"
004341F3  |> 55             PUSH EBP
004341F4  |. 53             PUSH EBX
004341F5  |. E8 16FCFFFF    CALL 00433E10
004341FA  |. 83C4 08        ADD ESP,8
004341FD  |. 5F             POP EDI
004341FE  |. 5E             POP ESI
004341FF  |. 5D             POP EBP
00434200  |. 5B             POP EBX
00434201  \. C3             RETN
The second kind of code check: a direct comparison of the form Code == Func(Name). This is the most elementary scheme and the easier one to follow.

EBP = EDX
    = ((EAX + (1 - pszHKRWQ) - 1) * (EAX + (1 - pszHKRWQ)) + EBP) % strlen(pszHKRWQ)
    = ((EAX - pszHKRWQ) * (EAX - pszHKRWQ + 1) + EBP) % 28
    = (indexOf(pszHKRWQ, pszOkName[i]) * (indexOf(pszHKRWQ, pszOkName[i]) + 1) + EBP) % 28
CPU Disasm
Address   Hex dump          Command                                   Comments
00433E10  /$ 8B4424 04      MOV EAX,DWORD PTR SS:[ARG.1]
00433E14  |. 8D9424 38FFFF  LEA EDX,[LOCAL.49]
00433E1B  |. 81EC D8000000  SUB ESP,0D8                             ; 0D8 = 216., reserve stack space
00433E21  |. 2BD0           SUB EDX,EAX
00433E23  |> 8A08           /MOV CL,BYTE PTR DS:[EAX]               ; copy Name into the LOCAL.49 buffer
00433E25  |. 880C02         |MOV BYTE PTR DS:[EAX+EDX],CL
00433E28  |. 40             |INC EAX
00433E29  |. 84C9           |TEST CL,CL
00433E2B  |.^75 F6          \JNZ SHORT 00433E23
00433E2D  |. 53             PUSH EBX
00433E2E  |. 55             PUSH EBP
00433E2F  |. 56             PUSH ESI
00433E30  |. 57             PUSH EDI
00433E31  |. 8D4424 20      LEA EAX,[LOCAL.49]
00433E35  |. 50             PUSH EAX                                ; /String => OFFSET LOCAL.49
00433E36  |. FF15 1CF34700  CALL DWORD PTR DS:[<&USER32.CharUpperA>] ; \USER32.CharUpperA
00433E3C  |. 8A4424 20      MOV AL,BYTE PTR SS:[LOCAL.49]           ; LOCAL.49 is now all upper case
00433E40  |. 84C0           TEST AL,AL                              ; is LOCAL.49 an empty string?
00433E42  |. 8D7424 20      LEA ESI,[LOCAL.49]
00433E46  |. 8D7C24 20      LEA EDI,[LOCAL.49]
00433E4A  |. 74 26          JZ SHORT 00433E72
00433E4C  |. 8D6424 00      LEA ESP,[LOCAL.57]                      ; characters of Name that occur in "HKRWQV2958DWNTQRGNSCFSXAZPYK" are copied to pszEDIBuffer, i.e. written back into LOCAL.49 in place
00433E50  |> 0FBE0E         /MOVSX ECX,BYTE PTR DS:[ESI]            ; char chECX = *pszESI
00433E53  |. 51             |PUSH ECX
00433E54  |. 68 78F44800    |PUSH OFFSET 0048F478                   ; ASCII "HKRWQV2958DWNTQRGNSCFSXAZPYK"
00433E59  |. E8 E2C10300    |CALL 00470040                          ; look the character up (strchr)
00433E5E  |. 83C4 08        |ADD ESP,8
00433E61  |. 85C0           |TEST EAX,EAX                           ; found? a non-NULL return means found
00433E63  |. 74 05          |JZ SHORT 00433E6A
00433E65  |. 8A16           |MOV DL,BYTE PTR DS:[ESI]               ; char chDL = *pszESI
00433E67  |. 8817           |MOV BYTE PTR DS:[EDI],DL               ; *pszEDI = chDL
00433E69  |. 47             |INC EDI                                ; pszEDI++
00433E6A  |> 8A46 01        |MOV AL,BYTE PTR DS:[ESI+1]             ; char chAL = *(pszESI+1)
00433E6D  |. 46             |INC ESI                                ; pszESI++
00433E6E  |. 84C0           |TEST AL,AL
00433E70  |.^75 DE          \JNZ SHORT 00433E50                     ; while (0 != chAL)
00433E72  |> 8D4424 20      LEA EAX,[LOCAL.49]
00433E76  |. C607 00        MOV BYTE PTR DS:[EDI],0                 ; make LOCAL.49 a NUL-terminated string
00433E79  |. 8D50 01        LEA EDX,[EAX+1]                         ; get the length of LOCAL.49, begin
00433E7C  |. 8D6424 00      LEA ESP,[LOCAL.57]
00433E80  |> 8A08           /MOV CL,BYTE PTR DS:[EAX]
00433E82  |. 40             |INC EAX
00433E83  |. 84C9           |TEST CL,CL
00433E85  |.^75 F9          \JNZ SHORT 00433E80
00433E87  |. 2BC2           SUB EAX,EDX                             ; get the length of LOCAL.49, end: EAX = EAX - EDX
00433E89  |. 83F8 18        CMP EAX,18                              ; compare the name length with 18 = 24.
00433E8C  |. 7D 1E          JGE SHORT 00433EAC                      ; jump if it is 0x18 = 24. or more
00433E8E  |. B9 18000000    MOV ECX,18
00433E93  |. 2BC8           SUB ECX,EAX                             ; ECX = ECX - EAX = 24. - NameLength_EAX
00433E95  |. 8D7C04 20      LEA EDI,[EAX+ESP+20]
00433E99  |. 8BC1           MOV EAX,ECX
00433E9B  |. C1E9 02        SHR ECX,2
00433E9E  |. BE 78F44800    MOV ESI,OFFSET 0048F478                 ; ASCII "HKRWQV2958DWNTQRGNSCFSXAZPYK"
00433EA3  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; strcat(LOCAL.49, strchr("HKRW...", LOCAL.49[0]))
00433EA5  |. 8BC8           MOV ECX,EAX
00433EA7  |. 83E1 03        AND ECX,00000003
00433EAA  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00433EAC  |> B8 78F44800    MOV EAX,OFFSET 0048F478                 ; ASCII "HKRWQV2958DWNTQRGNSCFSXAZPYK"
00433EB1  |. C64424 39 00   MOV BYTE PTR SS:[LOCAL.43+1],0
00433EB6  |. C68424 840000  MOV BYTE PTR SS:[LOCAL.24],0
00433EBE  |. 33ED           XOR EBP,EBP                             ; EBP = 0
00433EC0  |. 8D48 01        LEA ECX,[EAX+1]                         ; compute the length of "HKRWQV2958DWNTQRGNSCFSXAZPYK"
00433EC3  |> 8A10           /MOV DL,BYTE PTR DS:[EAX]
00433EC5  |. 40             |INC EAX
00433EC6  |. 84D2           |TEST DL,DL
00433EC8  |.^75 F9          \JNZ SHORT 00433EC3
00433ECA  |. 2BC1           SUB EAX,ECX                             ; length of "HKRWQV2958DWNTQRGNSCFSXAZPYK" computed
00433ECC  |. 894424 10      MOV DWORD PTR SS:[LOCAL.53],EAX         ; LOCAL.53 = table length (28, the modulus used in the formula above)
00433ED0  |. B8 01000000    MOV EAX,1
00433ED5  |. 2D 78F44800    SUB EAX,OFFSET 0048F478                 ; ASCII "HKRWQV2958DWNTQRGNSCFSXAZPYK"
00433EDA  |. 894424 18      MOV DWORD PTR SS:[LOCAL.51],EAX         ; LOCAL.51 = 1 - 0048F478 = FFB70B89
00433EDE  |. 33DB           XOR EBX,EBX                             ; EBX = 0
00433EE0  |. B8 78F44800    MOV EAX,OFFSET 0048F478                 ; ASCII "HKRWQV2958DWNTQRGNSCFSXAZPYK"
00433EE5  |. 48             DEC EAX                                 ; EAX = 0048F478 - 1 = 0048F477
00433EE6  |. 894424 14      MOV DWORD PTR SS:[LOCAL.52],EAX         ; LOCAL.52 = 0048F477
00433EEA  |. 8D4424 20      LEA EAX,[LOCAL.49]                      ; pszchEAX = pszchOkName
00433EEE  |. 48             DEC EAX                                 ; pszchEAX--
00433EEF  |. 8DBC24 840000  LEA EDI,[LOCAL.24]
00433EF6  |. 894424 1C      MOV DWORD PTR SS:[LOCAL.50],EAX         ; pszchLOCAL50 = pszchEAX = pszchOkName - 1
00433EFA  |. EB 04          JMP SHORT 00433F00
00433EFC  |> 8B4424 1C      /MOV EAX,DWORD PTR SS:[LOCAL.50]
00433F00  |> 0FBE4C18 01    |MOVSX ECX,BYTE PTR DS:[EBX+EAX+1]      ; pszchECX = pszchOkName[EBX + 1]
00433F05  |. 8D73 01        |LEA ESI,[EBX+1]                        ; ESI = EBX + 1
00433F08  |. 51             |PUSH ECX
00433F09  |. 68 78F44800    |PUSH OFFSET 0048F478                   ; ASCII "HKRWQV2958DWNTQRGNSCFSXAZPYK"
00433F0E  |. E8 2DC10300    |CALL 00470040
00433F13  |. 8B5424 20      |MOV EDX,DWORD PTR SS:[LOCAL.51]        ; EDX = FFB70B89
00433F17  |. 8BC8           |MOV ECX,EAX
00433F19  |. 03CA           |ADD ECX,EDX                            ; ECX = EAX + FFB70B89
00433F1B  |. 8D41 FF        |LEA EAX,[ECX-1]                        ; EAX = EAX + FFB70B89 - 1
00433F1E  |. 0FAFC1         |IMUL EAX,ECX                           ; EAX = (ECX - 1) * ECX = FFB70B88 * ECX
00433F21  |. 03C5           |ADD EAX,EBP                            ; EAX = EAX + EBP
00433F23  |. 99             |CDQ                                    ; sign-extend the dword into a qword: EDX = EAX < 80000000 ? 00000000 : FFFFFFFF
00433F24  |. F77C24 18      |IDIV DWORD PTR SS:[LOCAL.53]           ; quotient (EAX) = (EDX:EAX) / LOCAL.53 (length), remainder (EDX) = (EDX:EAX) % LOCAL.53 (length)
00433F28  |. 83C4 08        |ADD ESP,8
00433F2B  |. B9 06000000    |MOV ECX,6
00433F30  |. 42             |INC EDX
00433F31  |. 8BEA           |MOV EBP,EDX                            ; EBP = EDX = ((EAX + (1 - pszHKRWQ) - 1) * (EAX + (1 - pszHKRWQ)) + EBP) % strlen(pszHKRWQ)
00433F33  |. 8B5424 14      |MOV EDX,DWORD PTR SS:[LOCAL.52]
00433F37  |. 8A042A         |MOV AL,BYTE PTR DS:[EBP+EDX]           ; AL = pszHKRWQ[EBP]
00433F3A  |. 8807           |MOV BYTE PTR DS:[EDI],AL               ; *pszchEDI = AL = pszHKRWQ[EBP]
00433F3C  |. 8BC6           |MOV EAX,ESI
00433F3E  |. 99             |CDQ
00433F3F  |. F7F9           |IDIV ECX
00433F41  |. 47             |INC EDI
00433F42  |. 85D2           |TEST EDX,EDX
00433F44  |. 75 09          |JNZ SHORT 00433F4F
00433F46  |. 83FB 17        |CMP EBX,17                             ; compare EBX with 17 = 23.
00433F49  |. 7D 04          |JGE SHORT 00433F4F
00433F4B  |. C607 2D        |MOV BYTE PTR DS:[EDI],2D               ; *pszchEDI = '-'
00433F4E  |. 47             |INC EDI
00433F4F  |> 8BDE           |MOV EBX,ESI
00433F51  |. 83FB 18        |CMP EBX,18                             ; compare with the length 18 = 24.
00433F54  |.^7C A6          \JL SHORT 00433EFC                      ; loop while less, otherwise the loop ends
00433F56  |. 8B8424 F00000  MOV EAX,DWORD PTR SS:[ARG.2]            ; pszEAX = pszCode
00433F5D  |. C607 00        MOV BYTE PTR DS:[EDI],0
00433F60  |. 8DB424 840000  LEA ESI,[LOCAL.24]                      ; pszESI = pszRealCode; a sequence such as HSDWQ9-QKFADW-H92C5A-GAGVNK
00433F67  |> 8A10           /MOV DL,BYTE PTR DS:[EAX]
00433F69  |. 8A1E           |MOV BL,BYTE PTR DS:[ESI]
00433F6B  |. 8ACA           |MOV CL,DL
00433F6D  |. 3AD3           |CMP DL,BL
00433F6F  |. 75 1E          |JNE SHORT 00433F8F
00433F71  |. 84C9           |TEST CL,CL
00433F73  |. 74 16          |JZ SHORT 00433F8B
00433F75  |. 8A50 01        |MOV DL,BYTE PTR DS:[EAX+1]
00433F78  |. 8A5E 01        |MOV BL,BYTE PTR DS:[ESI+1]
00433F7B  |. 8ACA           |MOV CL,DL
00433F7D  |. 3AD3           |CMP DL,BL
00433F7F  |. 75 0E          |JNE SHORT 00433F8F
00433F81  |. 83C0 02        |ADD EAX,2
00433F84  |. 83C6 02        |ADD ESI,2
00433F87  |. 84C9           |TEST CL,CL
00433F89  |.^75 DC          \JNZ SHORT 00433F67
00433F8B  |> 33C0           XOR EAX,EAX
00433F8D  |. EB 05          JMP SHORT 00433F94
00433F8F  |> 1BC0           SBB EAX,EAX                             ; calculates sign(EAX)
00433F91  |. 83D8 FF        SBB EAX,-1
00433F94  |> 85C0           TEST EAX,EAX
00433F96  |. 5F             POP EDI
00433F97  |. 5E             POP ESI
00433F98  |. 5D             POP EBP
00433F99  |. 5B             POP EBX
00433F9A  |. 75 0C          JNZ SHORT 00433FA8                      ; Code and Func(Name) differ: jump and return FALSE
00433F9C  |. B8 01000000    MOV EAX,1
00433FA1  |. 81C4 D8000000  ADD ESP,0D8
00433FA7  |. C3             RETN
00433FA8  |> 33C0           XOR EAX,EAX
00433FAA  |. 81C4 D8000000  ADD ESP,0D8
00433FB0  \. C3             RETN
Incidentally: the check that runs when the program starts. Opening the program also breaks into the validator; I looked at the stack and record it here.
It reads the registration information from the registry, under HKEY_LOCAL_MACHINE\Software\gamani\GIFMovieGear\2.0 in the two values "RegName3" and "RegCode3"; the expiry time comes from HKLM\SOFTWARE\Wow6432Node\Loani\MG4\stamp, stored as a number of seconds.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\gamani\GIFMovieGear\2.0]
"RegName3"="Fang"
"RegCode3"="HSDWQ9-QKFADW-H92C5A-GAGVNK"
CPU Disasm
Address   Hex dump          Command                                   Comments
00434210  /$ 81EC D0000000  SUB ESP,0D0                             ; movgear.00434210(guessed Arg1,Arg2)
00434216  |. 53             PUSH EBX
00434217  |. 56             PUSH ESI
00434218  |. 8B35 04F04700  MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegOpenKeyExA>]
0043421E  |. 8D4424 08      LEA EAX,[LOCAL.51]
00434222  |. 50             PUSH EAX                                ; /pResult => OFFSET LOCAL.51
00434223  |. 68 19000200    PUSH 20019                              ; |DesiredAccess = KEY_READ
00434228  |. 6A 00          PUSH 0                                  ; |Reserved = 0
0043422A  |. 68 84E44800    PUSH OFFSET 0048E484                    ; |SubKey = "Software\gamani\GIFMovieGear\2.0"
0043422F  |. 68 02000080    PUSH 80000002                           ; |hKey = HKEY_LOCAL_MACHINE
00434234  |. 83CB FF        OR EBX,FFFFFFFF                         ; |
00434237  |. FFD6           CALL ESI                                ; \ADVAPI32.RegOpenKeyExA
00434239  |. 85C0           TEST EAX,EAX
0043423B  |. 74 20          JZ SHORT 0043425D
0043423D  |. 8D4C24 08      LEA ECX,[LOCAL.51]
00434241  |. 51             PUSH ECX                                ; /pResult => OFFSET LOCAL.51
00434242  |. 68 19000200    PUSH 20019                              ; |DesiredAccess = KEY_READ
00434247  |. 6A 00          PUSH 0                                  ; |Reserved = 0
00434249  |. 68 84E44800    PUSH OFFSET 0048E484                    ; |SubKey = "Software\gamani\GIFMovieGear\2.0"
0043424E  |. 68 01000080    PUSH 80000001                           ; |hKey = HKEY_CURRENT_USER
00434253  |. FFD6           CALL ESI                                ; \ADVAPI32.RegOpenKeyExA
00434255  |. 85C0           TEST EAX,EAX
00434257  |. 0F85 AF000000  JNZ 0043430C
0043425D  |> 8B4C24 08      MOV ECX,DWORD PTR SS:[LOCAL.51]
00434261  |. 8B35 08F04700  MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegQueryValueExA>]
00434267  |. 8D5424 0C      LEA EDX,[LOCAL.50]
0043426B  |. 52             PUSH EDX                                ; /pDataLen => OFFSET LOCAL.50
0043426C  |. 8D4424 14      LEA EAX,[LOCAL.49]                      ; |
00434270  |. 50             PUSH EAX                                ; |pData => OFFSET LOCAL.49
00434271  |. 6A 00          PUSH 0                                  ; |pType = NULL
00434273  |. 6A 00          PUSH 0                                  ; |Reserved = 0
00434275  |. 68 C8F34800    PUSH OFFSET 0048F3C8                    ; |Name = "RegName3"
0043427A  |. 51             PUSH ECX                                ; |hKey => [LOCAL.51]
0043427B  |. C74424 24 640  MOV DWORD PTR SS:[LOCAL.50],64          ; |
00434283  |. FFD6           CALL ESI                                ; \ADVAPI32.RegQueryValueExA
00434285  |. 85C0           TEST EAX,EAX
00434287  |. 0F85 7F000000  JNZ 0043430C                            ; registered name not found
0043428D  |. 8B4C24 08      MOV ECX,DWORD PTR SS:[LOCAL.51]
00434291  |. 8D5424 0C      LEA EDX,[LOCAL.50]
00434295  |. 52             PUSH EDX                                ; /pDataLen => OFFSET LOCAL.50
00434296  |. 8D4424 78      LEA EAX,[LOCAL.24]                      ; |
0043429A  |. 50             PUSH EAX                                ; |pData => OFFSET LOCAL.24
0043429B  |. 6A 00          PUSH 0                                  ; |pType = NULL
0043429D  |. 6A 00          PUSH 0                                  ; |Reserved = 0
0043429F  |. 68 D4F34800    PUSH OFFSET 0048F3D4                    ; |Name = "RegCode3"
004342A4  |. 51             PUSH ECX                                ; |hKey => [LOCAL.51]
004342A5  |. C74424 24 640  MOV DWORD PTR SS:[LOCAL.50],64          ; |
004342AD  |. FFD6           CALL ESI                                ; \ADVAPI32.RegQueryValueExA
004342AF  |. 85C0           TEST EAX,EAX
004342B1  |. 75 59          JNZ SHORT 0043430C                      ; registration code not found
004342B3  |. 8D5424 74      LEA EDX,[LOCAL.24]
004342B7  |. 52             PUSH EDX                                ; /Arg2 => OFFSET LOCAL.24
004342B8  |. 8D4424 14      LEA EAX,[LOCAL.49]                      ; |
004342BC  |. 50             PUSH EAX                                ; |Arg1 => OFFSET LOCAL.49
004342BD  |. E8 6EFEFFFF    CALL 00434130                           ; \movgear.00434130 ; registration check
004342C2  |. 83C4 08        ADD ESP,8
004342C5  |. 85C0           TEST EAX,EAX
004342C7  |. 74 43          JZ SHORT 0043430C                       ; check failed
004342C9  |. 8B9424 DC0000  MOV EDX,DWORD PTR SS:[ARG.1]
004342D0  |. 85D2           TEST EDX,EDX
004342D2  |. BB 01000000    MOV EBX,1
004342D7  |. 74 14          JZ SHORT 004342ED
004342D9  |. 8D4C24 10      LEA ECX,[LOCA.49]
004342DD  |. 8D4424 10      LEA EAX,[LOCAL.49]
004342E1  |. 2BD1           SUB EDX,ECX
004342E3  |> 8A08           /MOV CL,BYTE PTR DS:[EAX]
004342E5  |. 880C02         |MOV BYTE PTR DS:[EAX+EDX],CL
004342E8  |. 40             |INC EAX
004342E9  |. 84C9           |TEST CL,CL
004342EB  |.^75 F6          \JNZ SHORT 004342E3
004342ED  |> 8B9424 E00000  MOV EDX,DWORD PTR SS:[ARG.2]
004342F4  |. 85D2           TEST EDX,EDX
004342F6  |. 74 14          JZ SHORT 0043430C
004342F8  |. 8D4C24 74      LEA ECX,[LOCAL.24]
004342FC  |. 8D4424 74      LEA EAX,[LOCAL.24]
00434300  |. 2BD1           SUB EDX,ECX
00434302  |> 8A08           /MOV CL,BYTE PTR DS:[EAX]
00434304  |. 880C02         |MOV BYTE PTR DS:[EAX+EDX],CL
00434307  |. 40             |INC EAX
00434308  |. 84C9           |TEST CL,CL
0043430A  |.^75 F6          \JNZ SHORT 00434302
0043430C  |> 8B5424 08      MOV EDX,DWORD PTR SS:[LOCAL.51]
00434310  |. 52             PUSH EDX                                ; /hKey => [LOCAL.51]
00434311  |. FF15 18F04700  CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKey>] ; \ADVAPI32.RegCloseKey
00434317  |. 5E             POP ESI
00434318  |. 8BC3           MOV EAX,EBX
0043431A  |. 5B             POP EBX
0043431B  |. 81C4 D0000000  ADD ESP,0D0
00434321  \. C3             RETN

REPE CMPS: OllyDbg's Shift+F1 help text, placed here so it can all be explained in one place.
Command: REPE CMPS BYTE PTR DS:[ESI],BYTE PTR ES:[EDI]
Hex dump: F3:A6

Searches strings for the first non-matching byte.

On each iteration, processor compares byte at address [ESI] with the byte at address [EDI] and sets flags C, O, S, Z, A and P according to the difference [ESI]-[EDI]. The operands themselves are not modified. After the comparison, registers ESI and EDI are incremented by 1 (if flag D is cleared) or decremented by 1 (if flag D is set). Register ECX is always decremented by 1. If ECX after decrement is zero, or if compared operands were different (flag Z was cleared), search stops; otherwise, processor repeats the whole cycle again and again, until count exhausts or non-matching pair will be found.

Note that if ECX initially contains zero, this instruction does nothing.

REPE: "repeat while equal", i.e. keep repeating as long as the operands are equal;
REPNE: "repeat while not equal", i.e. keep repeating as long as they differ.
Each iteration decrements ECX automatically.

/* Equivalent in ordinary C, written as a function so that it compiles */
#include <stdbool.h>
#include <stdint.h>

bool repe_cmps_bytes(const uint8_t *pbyteESI, const uint8_t *pbyteEDI, unsigned rECX)
{
    // preparation: rECX holds the iteration count
    // the instruction starts here
    bool bZF = true;          // compare flag; with REPE the loop runs while it is set
    while (bZF && rECX)       // loop condition: REPE tests bZF, REPNE would test !bZF
    {
        bZF = *pbyteESI++ == *pbyteEDI++;   // DF decides ++ or --; the result sets bZF
        rECX--;                              // always decremented
    }
    return bZF;
}

Compare String Instruction (CMPS)
This instruction subtracts the bytes, words or double words pointed to by DS:SI and ES:DI and uses the resulting difference to set the relevant flags. At the same time the index registers SI and DI are incremented or decremented according to the DF flag.
Instruction format: CMPS address-expression-1, address-expression-2; CMPSB / CMPSW; CMPSD (80386+)
Flags affected: AF, CF, OF, PF, SF and ZF
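As an added example (not code from the original post, and going a little beyond it), here is a C emulation of REPE/REPNE CMPSB that returns the state a following JE/JNE would see: it covers both prefixes, the direction flag, and the ECX = 0 case in which the instruction does nothing and leaves ZF untouched. A second function reproduces the way the blacklist loop at 00434162 uses the instruction, with ECX loaded from strlen() of the table entry, which turns the comparison into a prefix check: any code that begins with a table entry is treated as equal to it. The names rep_cmpsb, cmps_state and matches_like_listing are this example's own, and the sample strings are constructed from the first table entry shown on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original post): emulate REPE/REPNE CMPS BYTE PTR
 * [ESI],[EDI] and return the state that the JE/JNE after it examines. */
typedef struct {
    uint32_t  ecx;  /* ECX when the instruction finished */
    bool      zf;   /* ZF from the last comparison; unchanged if ECX started at 0 */
    ptrdiff_t esi;  /* how far ESI moved; negative when DF is set */
    ptrdiff_t edi;  /* how far EDI moved */
} cmps_state;

/* repne: false emulates REPE (F3:A6), true emulates REPNE (F2:A6).
 * df:    direction flag; 0 means the pointers increment, 1 means they decrement.
 * zf_in: ZF before the instruction; it is left as is when ECX is 0, because the
 *        instruction then does nothing at all. */
cmps_state rep_cmpsb(const uint8_t *esi, const uint8_t *edi,
                     uint32_t ecx, int df, bool repne, bool zf_in)
{
    cmps_state st = { ecx, zf_in, 0, 0 };
    ptrdiff_t step = df ? -1 : 1;

    while (st.ecx != 0) {
        st.zf = (esi[st.esi] == edi[st.edi]);  /* flags set from [ESI] - [EDI] */
        st.esi += step;                        /* the pointers always move ... */
        st.edi += step;
        st.ecx--;                              /* ... and ECX is always decremented */
        if (repne ? st.zf : !st.zf)            /* REPE stops on mismatch, REPNE on match */
            break;
    }
    return st;
}

/* The blacklist loop at 00434162 sets ECX = strlen(entry), ESI = the user's
 * code, EDI = the entry, runs REPE CMPSB and takes JE when ZF is still set.
 * Only strlen(entry) bytes are ever compared, so a code that merely begins
 * with an entry is treated as equal to it; a shorter code stops safely at its
 * NUL terminator, which never matches a byte inside the entry. */
bool matches_like_listing(const char *code, const char *entry)
{
    cmps_state st = rep_cmpsb((const uint8_t *)code, (const uint8_t *)entry,
                              (uint32_t)strlen(entry), 0, false, false);
    return st.zf;  /* JE SHORT 004341E8 is taken when ZF == 1 */
}

int main(void)
{
    /* Constructed inputs: the first table entry the post shows, and variants. */
    const char *entry = "mvg21951736";
    const char *codes[] = { "mvg21951736", "mvg21951736xyz", "mvg2195173", "mvg21951737" };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("%-16s %s\n", codes[i],
               matches_like_listing(codes[i], entry) ? "JE taken (blacklisted)" : "JE not taken");

    cmps_state none = rep_cmpsb((const uint8_t *)"a", (const uint8_t *)"b", 0, 0, false, true);
    printf("ECX=0: ecx=%u zf=%d (unchanged)\n", (unsigned)none.ecx, none.zf);
    return 0;
}
```

The design point worth noticing is that the instruction's stop condition is evaluated after ECX is decremented, so a full match of n bytes leaves ECX = 0 with ZF = 1, while a mismatch at position k leaves ECX = n - k - 1 with ZF = 0; the listing only ever looks at ZF, which is why the remaining count does not matter to it.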
Registration code: I wrote a small piece of JavaScript for this; for Chinese names it has to take into account how the GBK bytes are laid out in memory.

JavaScript (view online: http://runjs.cn/code/npiizz88)

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>GIFMovieGear KeyGen</title>
<style type="text/css">
p { font-family: 'Lucida Console', Monaco, monospace; }
button { width: 150px; }
.bg { font-style: italic; color: gray; }
</style>
<script language="javascript" type="text/javascript">
// Fang = HSDWQ9-QKFADW-H92C5A-GAGVNK    CB D5 B1 B1|D0 A1 C2 F3| = 蘇北小麥
function Generate() {
    var inputs = document.getElementsByTagName("input");
    // var addrHKRW = 0x48F478, local51 = 1 - 0x48F478, local52 = 0x48F478 - 1;
    // local51 = 0xFFB70B89; // 0xFFFFFFFF - 0x48F478 + 2
    var idx, i, ch;
    var name = inputs[0].value, rName = [], resTab = "HKRWQV2958DWNTQRGNSCFSXAZPYK";
    var letterTable = "0123456789abcdefghijklmnopqrstuvwxyz"
    var ediRCode = [], ebp = 0; // , eax, ecx;
    var codeTypes = document.getElementsByName("codetype");
    // two kinds of code: those beginning with mg37, and the dash-separated ones that do not
    if (!codeTypes[2].checked) {
        do {
            ediRCode = "mg37";
            idx = name.length;
            if (codeTypes[0].checked)
                ediRCode += 's';
            ediRCode += randomLetter(letterTable) + randomLetter(letterTable) + randomLetter(letterTable);
            var esi = 3039, ecx = 0, edx;
            // each entry is in the range 0x00 - 0xFF
            var codes = GB2312CodeArray(name);
            for (i = 0; i < codes.length; i++) {
                ++ecx;
                edx = codes[i];
                if (edx > 0x7F)
                    edx = -(~(edx - 1) & 0xff);
                esi += ecx * edx;
                if (esi > 6078)
                    esi -= 6078;
                if (ecx > 10)
                    ecx = 0;
            }
            ediRCode += esi;
        } while (isBlackCode(ediRCode));
    } else {
        name = name.toUpperCase()
        for (i = 0; i < name.length; i++) {
            ch = name.charAt(i);
            idx = resTab.indexOf(ch);
            if (-1 != idx) // push it only if it is present
                rName.push(ch);
        }
        // every character of rName exists in resTab
        rName = rName.join("");
        // pad to 24 characters if shorter
        if (rName.length < 24)
            rName = rName + resTab.substring(0, 24 - rName.length);
        i = 0;
        // the Code is 24 characters long
        while (i < 24) {
            idx = resTab.indexOf(rName.charAt(i));
            // eax = addrHKRW + idx;
            // ecx = (eax + local51) & 0xFFFFFFFF; // rAdd(eax, local51);
            // ebp = rAdd(ebp, (ecx - 1) * ecx) % resTab.length;
            ebp = (idx * (idx + 1) + ebp) % resTab.length;
            ediRCode.push(resTab.charAt(ebp++));
            if (!(++i % 6) && i < 24)
                ediRCode.push('-');
        }
        ediRCode = ediRCode.join("");
    }
    inputs[1].value = ediRCode;
};
// simulate adding two 32-bit register values
/* function rAdd(v1, v2) { var v = v1 + v2; if (v > 0xFFFFFFFF) v &= 0xFFFFFFFF; return v; } */
var blackCodes = [
    "mvg21951736", "mg374604342", "mg370534035", "mg373465241", "mg37NTi", "mg372503958",
    "mg379843149", "mg370151347", "mg370353008", "mg372021424", "mg375953248", "mg379223953",
    "mg373473759", "mg378542544", "mg370473710", "mg37064348", "mg378822469", "mg374394987",
    "mg371073478", "mg379773651", "mg371895266", "mg373223554", "mg377583454", "mg37644957",
    "mg370342692", "mg376484039", "mg376871434", "mg370704788", "mg377643863", "mg377753931",
    "mg379342689", "mg374344777"
];
function isBlackCode(code) {
    for (i = blackCodes.length; i > 0; i--) {
        if (code == blackCodes[--i]) {
            return true;
        }
    }
    return false;
}
function randomLetter(letterTable) {
    return letterTable.charAt(Math.floor(Math.random() * letterTable.length));
}
function codeChange() {
    var testCode = document.getElementsByName("testCode");
    var raw = testCode[0].value;
    var charCodes = [];
    for (var i = 0; i < raw.length; i++) {
        charCodes.push(raw.charCodeAt(i).toString(16));
    }
    testCode[1].value = charCodes.join();
    //
    charCodes.length = 0;
    var encodeArray = encodeURI(raw).split("%");
    for (var i = 1; i < encodeArray.length; i += 3) {
        charCodes.push(encodeArray[i] + encodeArray[i + 1] + encodeArray[i + 2]);
    }
    testCode[2].value = charCodes.join();
    charCodes.length = 0;
    //
var gb2312Codes = GB2312CodeArray(raw); for ( var i = 0 ; i < gb2312Codes.length; i += 2 ) {charCodes.push(gb2312Codes[i].toString( 16 ) + gb2312Codes[i + 1 ].toString( 16 ));}testCode[ 3 ].value = charCodes.join();} function init() {Generate();codeChange(); var c = document.getElementById( " c " ); var ctx = c.getContext( " 2d " );c.height = 100 ;c.width = 300 ; var txts = " CRACK " .split( "" ); var font_size = 12 ; var columns = c.width / font_size; var drops = []; for ( var x = 0 ; x < columns; x ++ )drops[x] = 1 ; function draw() {ctx.fillStyle = " rgba(0, 0, 0, 0.05) " ;ctx.fillRect( 0 , 0 , c.width, c.height);ctx.fillStyle = " #0F0 " ;ctx.font = font_size + " px arial " ; for ( var i = 0 ; i < drops.length; i ++ ) { var text = txts[Math.floor(Math.random() * txts.length)];ctx.fillText(text, i * font_size, drops[i] * font_size); if (drops[i] * font_size > c.height || Math.random() > 0.8 )drops[i] = 0 ;drops[i] ++ ;}}setInterval(draw, 66 );} /* * 返回[] http://blog.csdn.net/yimengqiannian/article/details/7016720 */ function GB2312CodeArray(str) { /* ********改自<a href="http://blog.csdn.net/qiushuiwuhen/article/details/14112">qiushuiwuhen(2002-9-16)</a>******* */ var ch, pos, cod, gbkCode = []; for ( var i = 0 ; i < str.length; i ++ ) {ch = str.charAt(i);cod = str.charCodeAt(i); // 漢字字符 if (cod >= 0x4e00 && cod < 0x9FA5 ) { if ( - 1 != (pos = GBhz.indexOf(ch))) {gbkCode.push( 0xB0 + parseInt(pos / 94 ));gbkCode.push( 0xA1 + pos % 94 );}} else if ((pos = GBfh.indexOf(ch)) != - 1 ) {gbkCode.push( 0xA1 + parseInt(pos / 94 ));gbkCode.push( 0xA1 + pos % 94 );} else gbkCode.push(parseInt(cod));} return gbkCode;} // 采錄的只是GB2312編碼 var GBfh = " 、。?ˉˇ¨〃々—~‖…'' "" 〔〕〈〉《》「」『』〖〗【】±×÷∶∧∨∑∏∪∩∈∷√⊥∥∠⌒⊙∫∮≡≌≈∽∝≠≮≯≤≥∞∵∴♂♀°′″℃$¤¢£‰§№☆★○●◎◇◆□■△▲※→←↑↓〓ⅰⅱⅲⅳⅴⅵⅶⅷⅸⅹ⒈⒉⒊⒋⒌⒍⒎⒏⒐⒑⒒⒓⒔⒕⒖⒗⒘⒙⒚⒛⑴⑵⑶⑷⑸⑹⑺⑻⑼⑽⑾⑿⒀⒁⒂⒃⒄⒅⒆⒇①②③④⑤⑥⑦⑧⑨⑩㈠㈡㈢㈣㈤㈥㈦㈧㈨㈩ⅠⅡⅢⅣⅤⅥⅦⅧⅨⅩⅪⅫ!"#¥%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} 
```html
</script>
</head>
<body onload="init()">
<canvas id="c"></canvas><br>
<p>Name:<input value="Fang" size="36" /></p>
<p>Code:<input size="36" readonly="true" /></p>
<p><input type="radio" name="codetype" checked="checked" /> Site License
<br><input type="radio" name="codetype" /> Register Code N
<br><input type="radio" name="codetype" /> Register Code A</p>
<p><button onclick="Generate()">Generate</button><button onclick="window.close();">Close</button></p>
<p><span class="bg">"HKRWQV2958DWNTQRGNSCFSXAZPYK"</span><br><span class="bg">[Provided by Fang3s]</span></p>
<table>
<tr><td>Input Here:</td><td><input name="testCode" onchange="codeChange()" value="蘇北小麥" size="36" /></td></tr>
<tr><td>charCodeAt:</td><td><input name="testCode" value="" size="36" /></td></tr>
<tr><td>encodeURI:</td><td><input name="testCode" value="" size="36" /></td></tr>
<tr><td>GB2312:</td><td><input name="testCode" value="" size="36" /></td></tr>
</table>
</body>
</html>
```
```cpp
const char *psBlackCodes[] = {
    "mvg21951736",
    "mg374604342",
    "mg370534035",
    "mg373465241",
    "mg37NTi",
    "mg372503958",
    "mg379843149",
    "mg370151347",
    "mg370353008",
    "mg372021424",
    "mg375953248",
    "mg379223953",
    "mg373473759",
    "mg378542544",
    "mg370473710",
    "mg37064348",
    "mg378822469",
    "mg374394987",
    "mg371073478",
    "mg379773651",
    "mg371895266",
    "mg373223554",
    "mg377583454",
    "mg37644957",
    "mg370342692",
    "mg376484039",
    "mg376871434",
    "mg370704788",
    "mg377643863",
    "mg377753931",
    "mg379342689",
    "mg374344777"
};
const char *pszRandomCharTable = "0123456789abcdefghijklmnopqrstuvwxyz";
const int lengthOfCharTable = lstrlenA(pszRandomCharTable);
const char *pResourceTable = "HKRWQV2958DWNTQRGNSCFSXAZPYK";

inline char randomChar(void)
{
    return pszRandomCharTable[rand() % (lengthOfCharTable + 1 - 0) + 0];
}

bool keygen(const char *pszchName, int keygenType, char *pchCodeBuffer, size_t sizeOfBuffer)
{
    if (NULL == pszchName || !*pszchName) {
        return false;
    }
    if (0 == keygenType) {
        if (sizeOfBuffer >= 28) {
            char buffer[1024], *pNameCursor, *pOkNameCursor, *pchCodeCursor;
            int length, indexOfTable, ebp, idx;
            const int lengthOfTable = lstrlenA(pResourceTable);
            pNameCursor = buffer;
            pOkNameCursor = buffer;
            lstrcpynA(buffer, pszchName, _countof(buffer));
            CharUpperA(buffer);
            // only name characters that appear in pResourceTable are valid
            while (*pNameCursor) {
                if (strchr(pResourceTable, *pNameCursor)) {
                    *pOkNameCursor++ = *pNameCursor;
                }
                pNameCursor++;
            }
            *pOkNameCursor = '\0';
            length = lstrlenA(buffer);
            // pad the name to 24 characters if it is shorter
            if (length < 24) {
                lstrcpynA(buffer, pResourceTable, 25 - length); // the '\0' counts toward the length in the third argument
            }
            // buffer now consists only of characters from pResourceTable, length 24
            ebp = 0;
            idx = 0;
            pchCodeCursor = pchCodeBuffer;
            while (idx < 24) {
                indexOfTable = strchr(pResourceTable, buffer[idx]) - pResourceTable;
                ebp = (indexOfTable * (indexOfTable + 1) + ebp) % lengthOfTable;
                *pchCodeCursor++ = pResourceTable[ebp++];
                if (!(++idx % 6) && idx < 24) *pchCodeCursor++ = '-';
            }
            *pchCodeCursor = '\0';
        } else return false;
    } else {
        if (sizeOfBuffer >= 4 + 1 + 3 + 10) {
            char *pchCodeAppend, *pNameCursor, buffer[1024];
            int esi = 3039, ecx = 0;
            srand((unsigned int)time(0));
            pchCodeBuffer[0] = 'm';
            pchCodeBuffer[1] = 'g';
            pchCodeBuffer[2] = '3';
            pchCodeBuffer[3] = '7';
            pchCodeBuffer[5] = randomChar();
            pchCodeBuffer[6] = randomChar();
            if (keygenType == 1) {
                pchCodeBuffer[4] = 's';
                pchCodeBuffer[7] = randomChar();
                pchCodeAppend = pchCodeBuffer + 8;
            } else {
                pchCodeBuffer[4] = randomChar();
                pchCodeAppend = pchCodeBuffer + 7;
            }
            pNameCursor = const_cast<char *>(pszchName);
            while (*pNameCursor) {
                ++ecx;
                esi += ecx * *pNameCursor++;
                if (esi > 6078) esi -= 6078;
                if (ecx > 10) ecx = 0;
            }
            _itoa_s(esi, buffer, 10);
            lstrcpynA(pchCodeAppend, buffer, sizeOfBuffer - (pchCodeBuffer - pchCodeAppend));
        } else {
            return false;
        }
    }
    return true;
}

int _tmain(int argc, _TCHAR *argv[])
{
    char name[1024], code[1024] = { 0 };
    while (true) {
        printf("Input Name :\t");
        lstrcpynA(name, "蘇北小麥", _countof(name));
        scanf_s("%s", name);
        printf("%s\n", name);
        keygen(name, 0, code, _countof(code));
        printf("Site License :\t\t%s\n", code);
        keygen(name, 1, code, _countof(code));
        printf("Register Code N :\t%s\n", code);
        keygen(name, 2, code, _countof(code));
        printf("Register Code A :\t%s\n", code);
    }
    // getchar();
    return 0;
}
```
If you dump the code instead, I could not get it to work no matter what I tried; the dumped routine does not use ebp as a frame pointer.

```cpp
// see
// http://msdn.microsoft.com/zh-cn/library/chh3fb0k(v=vs.80).aspx
// http://msdn.microsoft.com/zh-cn/library/2kxx5t2c(VS.80).aspx
//#pragma optimize("y", off) // use /Oy for the code below: Generate frame pointers on the program stack.
int keygen_dump(const char *arg_0, const char *arg_4)
{
    // the frame pointer register "ebp" is modified by the inline assembly code
    _asm {
        mov ebp, arg_4 // and everything goes wrong....
        cmp byte ptr [ebp + 0], 6Dh
        jnz loc_4341EF
        cmp byte ptr [ebp + 1], 67h
        jnz loc_4341EF
        cmp byte ptr [ebp + 2], 33h
        jnz loc_4341EF
        cmp byte ptr [ebp + 3], 37h
        jnz loc_4341EF
        xor ebx, ebx
    loc_434162:
        mov edi, psBlackCodes
        mov eax, edi
        lea edx, [eax + 1]
        lea ecx, [ecx + 0]
    loc_434170:
        mov cl, [eax]
        inc eax
        test cl, cl
        jnz short loc_434170
        sub eax, edx
        mov ecx, eax
        mov esi, ebp
        xor eax, eax
        repe cmpsb
        jz short loc_4341E8
        add ebx, 4
        cmp ebx, 80h
        jb short loc_434162
        cmp byte ptr [ebp + 4], 73h
        jnz short loc_434195
        inc ebp
    loc_434195:
        lea ecx, [ebp + 7]
        push ecx
        push ecx
        call codekeygen //----------------------------------
        pop ecx
        pop ecx
        push ecx
        call atol
        mov ebx, arg_0
        mov dl, [ebx]
        add esp, 4
        xor ecx, ecx
        test dl, dl
        mov edi, ebx
        mov esi, 0BDFh
        jz short loc_4341DA
    loc_4341B4:
        movsx edx, dl
        inc ecx
        imul edx, ecx
        add esi, edx
        cmp esi, 17BEh
        jle short loc_4341CB
        sub esi, 17BEh
    loc_4341CB:
        cmp ecx, 0Ah
        jle short loc_4341D2
        xor ecx, ecx
    loc_4341D2:
        mov dl, [edi + 1]
        inc edi
        test dl, dl
        jnz short loc_4341B4
    loc_4341DA:
        push esi
        cmp esi, eax
        jnz short loc_4341F3
        pop ebp
        mov eax, 1
        pop ebx
        retn // removed pop esi and pop ebp
    loc_4341E8:
        pop edi
        xor eax, eax
        pop ebx
        retn // removed pop esi and pop ebp
    loc_4341EF:
        mov ebx, arg_0
    loc_4341F3:
        push ebp
        push ebx
        call codekeygen // removed the two parameters
        pop ebp
        pop ebx
        retn // removed pop esi and pop ebp
    }
}
//#pragma optimize("", on) // restore the optimizations specified by the compiler /O option
```
Assembly (putting the code on the page). Making the registration code appear on screen at registration time; this trick seems to be called an inline patch.
Personally I consider it time-consuming work: you write assembly, you have to understand PE and so on, and the knowledge points are scattered. It also only applies when the program computes the registration code and compares it directly with the entered Code, i.e. the Code == Func(Name) pattern. It avoids writing the keygen algorithm and so on; if that algorithm is very complex this approach fits well, and of course the routine can also be called remotely.
For readability there are a lot of screenshots; they are also proof that this was written with care. I just want to post something of value, otherwise it is not worth it.
First rewrite. The goal here is to obtain the Code window handle HWND and save it. It would be convenient if it were a local variable, but I did not check whether it is; I save it straight into the code section.
Before modification: the two locations
Before and after modification
Target code. We arrive at the gap (code cave) we picked out; this is also where some code is prepared. The API call here is copied for now and will be modified later.
Set the access mode
After changing the access and executing this instruction again, the figure below shows that the value at address 0x0047EA94 has changed, 4 bytes in total. Note that this is a temporary modification; to make it permanent it still has to be saved. A gentleman is good at making use of tools: use the forum tool LordPE.
Continue executing to CALL EBX, the instruction after the original PUSH EAX; the register state here matches the earlier unmodified screenshot. One note: the original unmodified screenshot was taken before PUSH EAX executed, so the original ESP is 4 larger than here; the screenshot was not well chosen.
Second rewrite. We arrive at the place where the registration code has already been computed, and we want to display it in the Code edit box on the UI.
A note: since the local variables are addressed via ESP, it is enough to look at ESP+84 (hex); you can see it in the stack window at the bottom right, or right-click the code line, Follow in Dump, Memory address, and view it in the bottom-left corner.
This instruction is longer than 5 bytes, so replace it directly with our jump JMP 0047EA9E, pad the remainder with 90 (NOP), then F7 or F8 to follow into it.
When we fetch [LOCAL.24] = [ESP + 84] from the original LEA ESI, [LOCAL.24], the stack differs from the original by 8 * 4 = 32 = 20h; the bottom-right figure also shows that the ESP recorded then and the ESP now differ by $-20. So this difference is added when fetching the value.
We step once and check the value at that moment via the assignment to ESI; OllyDbg shows it as a hint.
Now look at the first argument; [Alt+W] opens the list of currently visible windows.
Calling the API here requires some care. Imported API: first check whether it is imported at all; OK.
OllyDbg: Search for name in all modules (Ctrl+N)
Computing the call address: right-click the target process, Load into PE editor, Directories, then the ellipsis button to the left of the Import Table row; in the upper ListView select USER32.dll, then type SetWindowTextA below to search and locate it automatically.
Note that when "Always view FirstThunk" is unchecked, the ThunkRVA computed from the function list is different.
When unchecked, the ThunkRVA of the first function, SystemParametersInfoA, is 0008BCC8, the same as the OriginalFirstThunk of USER32.dll, and each subsequent one is +4.
When checked, the address is 0007F30C; note it down, it will look familiar later.
Let's take a ready-made example to see the relationship between these addresses.
Back in OllyDbg, in the program module movgear.exe, right-click Search for, All intermodular calls.
Search for System and you see
Click to go there
We see that SystemParametersInfoA is called not as CALL xx but as CALL DWORD PTR DS:[xx], i.e. the call's machine code is different.
Looking at the address relationship, the xx in CALL DWORD PTR DS:[xx] is 0047F30C; don't the last four digits look familiar? Yes, it agrees with the ThunkRVA seen earlier, 0007F30C, only with 400000 added; 400000 (hex) is the image base (ImageBase) 400000 that we saw earlier in the basic PE header information.
Next, for our SetWindowTextA, by analogy the call is written as 400000 + 0007F448 = 0047F448, bytes 48 F4 47 00, CALL DWORD PTR DS:[0047F448]; OllyDbg resolves it to the corresponding symbol automatically.
Modified code

```
CPU Disasm
Address    Hex dump        Command          Comments
00434531   /E9 68A50400    JMP 0047EA9E
```

```
CPU Disasm
Address    Hex dump        Command          Comments
00433F60   /E9 39AB0400    JMP 0047EA9E
```

```
CPU Disasm
Address    Hex dump         Command                                   Comments
0047EA97       00           DB 00                                     ; the .text section was originally non-writable, which also proves enough
0047EA98       00           DB 00                                     ; safety, and what was 0 is still 0 after mapping,
0047EA99       00           DB 00                                     ; so no need to check whether this area might be modified.
0047EA9A       00           DB 00                                     ; a normal program would not call an API to change it either, and there is no packer.
0047EA9B       00           DB 00
0047EA9C       00           DB 00
0047EA9D       00           DB 00
0047EA9E   />  60           PUSHAD                                    ; /Arg1_4, >> save the 8 general registers; could also push only the ones used
0047EA9F   |.  E8 00000000  CALL 0047EAA4                             ; \movgear.0047EAA4, do as you like; use the registers however you want as long as the stack stays balanced.
0047EAA4   |$  59           POP ECX                                   ; get EIP, i.e. ECX = EIP = 0047EAA4
0047EAA5   |.  8B51 F0      MOV EDX,DWORD PTR DS:[ECX-10]             ; load the DWORD at .text address 0047EA94 into EDX
0047EAA8   |.  85D2         TEST EDX,EDX
0047EAAA   |.  75 12        JNZ SHORT 0047EABE
0047EAAC   |.  8941 F0      MOV DWORD PTR DS:[ECX-10],EAX
0047EAAF   |.  61           POPAD                                     ; << restore the 8 general registers
0047EAB0   |.  FFD3         CALL EBX                                  ; >> restore the original instruction's call flow
0047EAB2   |.  8D8CE4 C40000 LEA ECX,[LOCAL.24]                       ; << restore the original instruction's call flow
0047EAB9   |.^ E9 7C5AFBFF  JMP 0043453A                              ; go back and execute the following instructions
0047EABE   |>  C741 F0 00000000 MOV DWORD PTR DS:[ECX-10],0
0047EAC5   |.  8DB4E4 A40000 LEA ESI,[LOCAL.24]                       ; careful with ESP-relative locals here.
0047EACC   |.  56           PUSH ESI                                  ; /Text
0047EACD   |.  52           PUSH EDX                                  ; |hWnd
0047EACE   |.  FF15 48F44700 CALL DWORD PTR DS:[<&USER32.SetWindowTex ; \USER32.SetWindowTextA, for call xx compute xx = ImageBase + ThunkRVAOfAPI
0047EAD4   |.  61           POPAD                                     ; << restore the 8 general registers
0047EAD5   |.  8DB4E4 840000 LEA ESI,[LOCAL.24]                       ; >><< restore the original instruction's call flow
0047EADC   \.^ E9 8654FBFF  JMP 00433F67                              ; go back and execute the following instructions
0047EAE1       E8 6B25EB74  CALL SetWindowTextA                       ; changing it directly to CALL SetWindowTextA is wrong; the offset is only right temporarily
```
Finally, the result:
Before the popup appears, the registration code has already been written into the Code edit box...
Summary: using LordPE, proficiency with OllyDbg, calling APIs.
Lesson, special fix (tested). I had not tested the verification on opening. Because only the verification path runs, the HWND that was supposed to be saved in the code section stayed 0, the branch that saves the window handle was taken, and the CALL failed. It is better to split this into two independent procedures, as below: modify the second verification jump and the inline code. Ugly; I had not thought about the verification-only path and had not reopened the program to test...
```
Address    Hex dump        Command          Comments
00433F60   E9 59AB0400     JMP 0047EABE
```

```
CPU Disasm
Address    Hex dump          Command                                   Comments
0047EA9E   \  60             PUSHAD
0047EA9F      E8 00000000    CALL 0047EAA4
0047EAA4      59             POP ECX                                   ; movgear_crack.0047EAA4 (guessed Arg1,Arg2,Arg3,Arg4)
0047EAA5      8B51 F0        MOV EDX,DWORD PTR DS:[ECX-10]
0047EAA8      85D2           TEST EDX,EDX
0047EAAA      75 03          JNZ SHORT 0047EAAF
0047EAAC      8941 F0        MOV DWORD PTR DS:[ECX-10],EAX
0047EAAF      61             POPAD
0047EAB0      FFD3           CALL EBX
0047EAB2      8D8CE4 C40000  LEA ECX,[ESP+0C4]
0047EAB9   ^  E9 7C5AFBFF    JMP 0043453A
0047EABE   \  60             PUSHAD
0047EABF      E8 00000000    CALL 0047EAC4
0047EAC4      59             POP ECX
0047EAC5      8B51 F0        MOV EDX,DWORD PTR DS:[ECX-10]
0047EAC8      85D2           TEST EDX,EDX
0047EACA      74 16          JE SHORT 0047EAE2
0047EACC      C741 C8 00000000 MOV DWORD PTR DS:[ECX-38],0
0047EAD3      8DB4E4 A40000  LEA ESI,[ESP+0A4]
0047EADA      56             PUSH ESI
0047EADB      52             PUSH EDX
0047EADC      FF15 48F44700  CALL DWORD PTR DS:[<&USER32.SetWindowTex
0047EAE2      61             POPAD
0047EAE3      8DB4E4 840000  LEA ESI,[ESP+84]
0047EAEA   ^  E9 7854FBFF    JMP 00433F67
0047EAEF      E8 5D25EB74    CALL SetWindowTextA
```
Writing it with the assembler plugin is more convenient:

```
<0047EA9E>
@L00000001:
PUSHAD
CALL @L00000002
@L00000002:
POP ECX
MOV EDX,DWORD PTR DS:[ECX-10]
TEST EDX,EDX
JNE SHORT @L00000003
MOV DWORD PTR DS:[ECX-10],EAX
@L00000003:
POPAD
CALL EBX
LEA ECX,[ESP+0C4]
JMP 0043453A
PUSHAD
CALL @L00000004
@L00000004:
POP ECX
MOV EDX,DWORD PTR DS:[ECX-10]
TEST EDX,EDX
JE SHORT @L00000005
MOV DWORD PTR DS:[ECX-38],0
LEA ESI,[ESP+0A4]
PUSH ESI
PUSH EDX
CALL DWORD PTR DS:[47F448]
@L00000005:
POPAD
LEA ESI,[ESP+84]
JMP 00433F67
CALL 75331051
```
Reposted from: https://www.cnblogs.com/Fang3s/p/3961935.html