论坛: 编程破解 标题: Cleaner 3.2注册分析全过程 复制本贴地址    
作者: jiekspil [jiekspil]    论坛用户   登录
by Fpc/CCG&BCG @2001/12
tools: trw1.22

[info]
软件名称:The Cleaner 
整理日期:2001.12.8
最新版本:3.2 Build 3213 
文件大小:1833KB
软件授权:共享软件
使用平台:Win9x/Me/NT/2000
软件下载:hXtp://gt.onlinedown.net/down/cleaner3.exe
软件简介: 
一个专门检测和清除侵入您系统中的特洛伊木马的专业程序, 内置3093个木马标识。可在线升级版本和病毒数据库, 操作简单, 功能强大! 查杀的各类特洛伊木马种类最多,几乎所有较出名的这里都有,如 Netspy、BO、Netbus、 Girlfriend、Happy99、BackDoor 以及它们的一些不同版本。还有很多种我们大多数网友听都没听过,有了它我们可以将电脑“清洁”得干干净净,放心大胆地上网。将毒数据库cleaner.cdb复制到The Cleaner的安装目录下,就可以完成升级了。 

[protection]
NAG, serial

[level]
1.5/5 

[essay]
好久没有什么破解了,找到这个软件,估计会有点用,下载后安装、运行。一个NAG跳出来:“你还有30天试用时间”*_*呵呵,还可以输入注册码。好了,用户名:Fpc/CCG&BCG,注册码:123654,点注册,@$%#$%#@!@%&,不正确。它首先检查注册码长度应该是19,还与两个黑名单比较。这些我们不关心,看它如何计算:其实注册名用不到,是对输入的注册码作一些转换和验证,如果通过即注册。 

由delphi或bcb编译,UPX加的壳,懒得脱了~~注册信息好象是写在文件时,每次运行时检查。另外不清楚它有没有网上检验。 

   输入注册码后跟踪,很容易到这里:
...
017F:004933B2  MOV      EAX,[004B50B0]
017F:004933B7  MOV      EAX,[EAX]
017F:004933B9  CALL     004B043C <- 检验注册码,重要
017F:004933BE  TEST     AL,AL <- al==0表示注册失败
017F:004933C0  JZ       004933D9
017F:004933C2  MOV      EAX,[EBX+01F4]
017F:004933C8  CALL     00492474
017F:004933CD  MOV      DWORD [EBX+0150],01
017F:004933D7  JMP      SHORT 004933F9 <-
017F:004933D9  ADD      BYTE [EBX+0200],01
017F:004933E0  JNC      004933E7
017F:004933E2  CALL     00402E5C
017F:004933E7  PUSH     BYTE +30
017F:004933E9  CALL     `USER32!MessageBeep` <- 呵呵,小喇叭响一声
017F:004933EE  MOV      EAX,[EBX+01F8]
017F:004933F4  CALL     00492B84
017F:004933F9  XOR      EAX,EAX
017F:004933FB  POP      EDX
017F:004933FC  POP      ECX
017F:004933DA  ADD      DWORD [EAX],BYTE +02
017F:004933DD  ADD      [EAX],AL
017F:004933DF  ADD      [EBX+05],ESI
017F:004933E2  CALL     00402E5C
017F:004933E7  PUSH     BYTE +30
017F:004933E9  CALL     `USER32!MessageBeep`
017F:004933EE  MOV      EAX,[EBX+01F8]
017F:004933F4  CALL     00492B84
017F:004933F9  XOR      EAX,EAX
017F:004933FB  POP      EDX
017F:004933FC  POP      ECX
...


   显然得追进CALL     004B043:


017F:004B043C  PUSH     EBP
017F:004B043D  MOV      EBP,ESP
017F:004B043F  ADD      ESP,FFFFFDF0
017F:004B0445  PUSH     EBX
017F:004B0446  PUSH     ESI
017F:004B0447  PUSH     EDI
017F:004B0448  XOR      EDX,EDX
017F:004B044A  MOV      [EBP+FFFFFDF4],EDX
017F:004B0450  MOV      [EBP+FFFFFDF0],EDX
017F:004B0456  MOV      [EBP-04],EDX
017F:004B0459  MOV      [EBP-08],EDX
017F:004B045C  MOV      EDI,EAX
017F:004B045E  MOV      ECX,08
017F:004B0463  LEA      EAX,[EBP+FFFFFE08]
017F:004B0469  MOV      EDX,[004010AC]
017F:004B046F  CALL     004042A8
017F:004B0474  XOR      EAX,EAX
017F:004B0476  PUSH     EBP
017F:004B0477  PUSH     DWORD 004B0801
017F:004B047C  PUSH     DWORD [FS:EAX]
017F:004B047F  MOV      [FS:EAX],ESP
017F:004B0482  XOR      EAX,EAX
017F:004B0484  PUSH     EBP
017F:004B0485  PUSH     DWORD 004B07B4
017F:004B048A  PUSH     DWORD [FS:EAX]
017F:004B048D  MOV      [FS:EAX],ESP
017F:004B0490  MOV      EDX,[EDI+534C]
017F:004B0496  LEA      EAX,[EBP-04]
017F:004B0499  MOV      ECX,004B081C
017F:004B049E  CALL     00403D88
017F:004B04A3  LEA      EAX,[EDI+0151B36C]
017F:004B04A9  MOV      EDX,004B082C
017F:004B04AE  CALL     00403B14
017F:004B04B3  LEA      EAX,[EDI+0151B370]
017F:004B04B9  CALL     00403AC0
017F:004B04BE  MOV      EAX,[EBP-04]
017F:004B04C1  CALL     00407B4C <- 上面的许多call都不重要
017F:004B04C6  TEST     AL,AL <- 这里不会跳走
017F:004B04C8  JZ       NEAR 004B0788
017F:004B04CE  MOV      EDX,[EBP-04]
017F:004B04D1  LEA      EAX,[EBP+FFFFFE28]
017F:004B04D7  CALL     00405222


经验:
   borland编译结果就是这个特征,你经常可见到:

mov/lea eax, [SomeAddress]
mov/lea edx, [SomeAddress]
call SomeFuntion
mov...

eax, edx是重要的两个寄存器,根据它的 __fastcall 调用规则,函数参数首先是通过eax, edx, ecx(通常是记录字节个数),如果还有其它的参数,就会用到push压入堆栈。关于borland逆向工程,你最好有一些delphi/BCB的编程经验,DEDE可以提供丰富的反编译信息~~不算是作广告。动态跟踪时,多用这些命令:d eax, d edx, d *eax, d *edx, 通常的call不要追进去,因为就算跟进那个call你也看不明白,而遇到参数较多的call,极有可能是作者自己写的,需要追进,注册码的计算可能就在里面哦~ 

017F:004B04DC  LEA      EAX,[EBP+FFFFFE28]
017F:004B04E2  CALL     00405527
017F:004B04E7  LEA      EDX,[EDI+0151B36C]
017F:004B04ED  LEA      EAX,[EBP+FFFFFE28]
017F:004B04F3  CALL     004040F8
017F:004B04F8  LEA      EAX,[EBP+FFFFFE28]
017F:004B04FE  CALL     004054C4
017F:004B0503  LEA      EDX,[EBP-08]
017F:004B0506  LEA      EAX,[EBP+FFFFFE28]
017F:004B050C  CALL     004040F8
017F:004B0511  LEA      EAX,[EBP+FFFFFE28]
017F:004B0517  CALL     004054C4
017F:004B051C  LEA      EAX,[EBP+FFFFFE28]
017F:004B0522  CALL     00405328
017F:004B0527  LEA      EAX,[EDI+0151B370] <- a buffer
017F:004B052D  MOV      EDX,[EBP-08] <- 输入的注册码,我用Irc来代替
017F:004B0530  CALL     00403B14 <- 复制字符串或复制一个字符串的指针

017F:004B0535  MOV      EAX,[EBP-08] <- Irc
017F:004B0538  MOV      EDX,004B084C <- 一个黑名单上的注册码
017F:004B053D  CALL     00403E4C <- 比较
017F:004B0542  JZ       004B0553 <- 一致就去死

017F:004B0544  MOV      EAX,[EBP-08]
017F:004B0547  MOV      EDX,004B0868
017F:004B054C  CALL     00403E4C <- 比较另一个黑名单
017F:004B0551  JNZ      004B057D <- 不在其上则继续

017F:004B0553  LEA      EAX,[EDI+0151B36C]
017F:004B0559  MOV      EDX,004B082C
017F:004B055E  CALL     00403B14
017F:004B0563  LEA      EAX,[EDI+0151B370]
017F:004B0569  CALL     00403AC0
017F:004B056E  XOR      EBX,EBX
017F:004B0570  XOR      EAX,EAX
017F:004B0572  POP      EDX
017F:004B0573  POP      ECX
017F:004B0574  POP      ECX
017F:004B0575  MOV      [FS:EAX],EDX
017F:004B0578  JMP      004B07C0

017F:004B057D  MOV      EAX,[EBP-08] <- 好了,到这里
017F:004B0580  CALL     00403D3C <- eax=[eax-4],取Irc长度
017F:004B0585  CMP      EAX,BYTE +13
017F:004B0588  JZ       004B05B4 <- 为19则继续

017F:004B058A  LEA      EAX,[EDI+0151B36C] <- 否则继续
017F:004B0590  MOV      EDX,004B082C
017F:004B0595  CALL     00403B14
017F:004B059A  LEA      EAX,[EDI+0151B370]
017F:004B05A0  CALL     00403AC0
017F:004B05A5  XOR      EBX,EBX
017F:004B05A7  XOR      EAX,EAX
017F:004B05A9  POP      EDX
017F:004B05AA  POP      ECX
017F:004B05AB  POP      ECX
017F:004B05AC  MOV      [FS:EAX],EDX
017F:004B05AF  JMP      004B07C0

017F:004B05B4  MOV      EAX,[EBP-08] <- 继续
017F:004B05B7  CALL     00403D3C
017F:004B05BC  MOV      ESI,EAX <- Irc长度保存到esi
017F:004B05BE  TEST     ESI,ESI
017F:004B05C0  JNG      004B05E4 <- 不会跳

017F:004B05C2  MOV      EBX,01 <- ebx作为循环变量
017F:004B05C7  MOV      EAX,[EBP-08]
017F:004B05CA  CMP      BYTE [EAX+EBX-01],2D <- Irc[i]=='-'?
017F:004B05CF  JNZ      004B05E0 <- 不等比较下一个

017F:004B05D1  LEA      EAX,[EBP-08]
017F:004B05D4  MOV      ECX,01
017F:004B05D9  MOV      EDX,EBX
017F:004B05DB  CALL     00403F80 <- 这个call删除当前位置的字符('-'),位置由edx决定,个数由ecx决定
017F:004B05E0  INC      EBX
017F:004B05E1  DEC      ESI
017F:004B05E2  JNZ      004B05C7 <- 未完继续,此循环删除Irc中的'-',如果有的话

<- 下面这一段会按顺序取出Irc中的字符,每次取2字节,共8次
017F:004B05E4  LEA      EAX,[EBP+FFFFFE08]
017F:004B05EA  PUSH     EAX <- eax是指向缓冲区的指针
017F:004B05EB  MOV      ECX,02 <- ecx=2
017F:004B05F0  MOV      EDX,01 <- edx=1
017F:004B05F5  MOV      EAX,[EBP-08] <- Irc
017F:004B05F8  CALL     00403F40 <- 取字符到缓冲区去,位置由edx决定,长度由ecx决定

017F:004B05FD  LEA      EAX,[EBP+FFFFFE0C]
017F:004B0603  PUSH     EAX
017F:004B0604  MOV      ECX,02
017F:004B0609  MOV      EDX,03
017F:004B060E  MOV      EAX,[EBP-08]
017F:004B0611  CALL     00403F40 <-

017F:004B0616  LEA      EAX,[EBP+FFFFFE10]
017F:004B061C  PUSH     EAX
017F:004B061D  MOV      ECX,02
017F:004B0622  MOV      EDX,05
017F:004B0627  MOV      EAX,[EBP-08]
017F:004B062A  CALL     00403F40

017F:004B062F  LEA      EAX,[EBP+FFFFFE14]
017F:004B0635  PUSH     EAX
017F:004B0636  MOV      ECX,02
017F:004B063B  MOV      EDX,07
017F:004B0640  MOV      EAX,[EBP-08]
017F:004B0643  CALL     00403F40

017F:004B0648  LEA      EAX,[EBP+FFFFFE18]
017F:004B064E  PUSH     EAX
017F:004B064F  MOV      ECX,02
017F:004B0654  MOV      EDX,09
017F:004B0659  MOV      EAX,[EBP-08]
017F:004B065C  CALL     00403F40

017F:004B0661  LEA      EAX,[EBP+FFFFFE1C]
017F:004B0667  PUSH     EAX
017F:004B0668  MOV      ECX,02
017F:004B066D  MOV      EDX,0B
017F:004B0672  MOV      EAX,[EBP-08]
017F:004B0675  CALL     00403F40

017F:004B067A  LEA      EAX,[EBP+FFFFFE20]
017F:004B0680  PUSH     EAX
017F:004B0681  MOV      ECX,02
017F:004B0686  MOV      EDX,0D
017F:004B068B  MOV      EAX,[EBP-08]
017F:004B068E  CALL     00403F40

017F:004B0693  LEA      EAX,[EBP+FFFFFE24]
017F:004B0699  PUSH     EAX
017F:004B069A  MOV      ECX,02
017F:004B069F  MOV      EDX,0F
017F:004B06A4  MOV      EAX,[EBP-08]
017F:004B06A7  CALL     00403F40 <- 取字符到这里完成了

017F:004B06AC  LEA      EAX,[EBP-08]
017F:004B06AF  CALL     00403AC0 <- 初始化

017F:004B06B4  PUSH     EDI
017F:004B06B5  MOV      ESI,004B087C <- 这里是 16 字节的0x0
017F:004B06BA  LEA      EDI,[EBP+FFFFFDF8]
017F:004B06C0  MOV      ECX,04
017F:004B06C5  REP MOVSD  <- 数组初始化
017F:004B06C7  POP      EDI

017F:004B06C8  MOV      EBX,08
017F:004B06CD  LEA      ESI,[EBP+FFFFFE08] <- esi初始化为指向Irc的前两个字节,见上面

017F:004B06D3  PUSH     BYTE +0A
017F:004B06D5  LEA      EAX,[EBP-0C]
017F:004B06D8  PUSH     EAX <- 缓冲区
017F:004B06D9  MOV      EAX,[ESI] <- eax指向Irc的两个字节
017F:004B06DB  CALL     00403F00
017F:004B06E0  LEA      ECX,[EBP+FFFFFDF8]
017F:004B06E6  MOV      EDX,10
017F:004B06EB  CALL     004B023C
017F:004B06F0  LEA      EAX,[EBP+FFFFFDF0]
017F:004B06F6  LEA      EDX,[EBP+FFFFFDF8]
017F:004B06FC  MOV      ECX,10
017F:004B0701  CALL     00403CEC
017F:004B0706  MOV      EAX,[EBP+FFFFFDF0]
017F:004B070C  CALL     00407904 <- 这几个call实现str->Hex, 结果在eax,即:假设这两字节是"FA",则eax=0xFA

017F:004B0711  MOV      EDX,EAX
017F:004B0713  LEA      EAX,[EBP+FFFFFDF4] <- 缓冲区
017F:004B0719  CALL     00403C64 <- 保存edx

017F:004B071E  MOV      EDX,[EBP+FFFFFDF4]
017F:004B0724  LEA      EAX,[EBP-08] <- 目标位置
017F:004B0727  CALL     00403D44 <- strcat
017F:004B072C  ADD      ESI,BYTE +04
017F:004B072F  DEC      EBX
017F:004B0730  JNZ      004B06D3

   到这里,Irc变成了Hex值,并保存在[ebp-8],称为IrcA。我输入的是:1236-5465-4123-1236,[ebp-8]=12 36 54 65 41 23 12 36
   
   继续:
   
017F:004B0732  PUSH     DWORD 8C33 <- 参数
017F:004B0737  LEA      EAX,[EBP+FFFFFDF4]
017F:004B073D  PUSH     EAX <- 目标缓冲区,称为IrcB
017F:004B073E  MOV      ECX,3182 <- 参数
017F:004B0743  MOV      EDX,03D5 <- 参数
017F:004B0748  MOV      EAX,[EBP-08] <- IrcA
017F:004B074B  CALL     00474658 <- (1)这里计算注册的关键,需要跟进去

017F:004B0750  MOV      EDX,[EBP+FFFFFDF4] <- IrcB
017F:004B0756  LEA      EAX,[EBP-08]
017F:004B0759  CALL     00403B58 <- 又是复制一个指针
017F:004B075E  XOR      EDX,EDX
017F:004B0760  MOV      EAX,[EBP-08] <- eax指向一个转换后的8字节数据
017F:004B0763  CALL     0040797C <- (2)验证注册数据,追进

017F:004B0768  MOV      [EBP-0C],EAX <- eax是错误值,否则相当于str->int
017F:004B076B  CMP      DWORD [EBP-0C],BYTE +00
017F:004B076F  JZ       004B0780 <- jump to BAD CRAcker

017F:004B0771  MOV      EAX,[EBP-0C]
017F:004B0774  MOV      ECX,7A
017F:004B0779  CDQ     
017F:004B077A  IDIV     ECX
017F:004B077C  TEST     EDX,EDX
017F:004B077E  JZ       004B0784 <- 还需要能被122整除

017F:004B0780  XOR      EBX,EBX <- BAD Guy
017F:004B0782  JMP      SHORT 004B078A

017F:004B0784  MOV      BL,01 <- Good Guy
017F:004B0786  JMP      SHORT 004B078A
017F:004B0788  XOR      EBX,EBX
017F:004B078A  MOV      EDX,EBX
... 不重要了


(1)先看 CALL     00474658:

017F:0047465E  PUSH     EBX
017F:0047465F  PUSH     ESI
017F:00474660  PUSH     EDI

017F:00474661  XOR      EBX,EBX <- 初始化
017F:00474663  MOV      [EBP-0C],EBX <- [ebp-c]=0
017F:00474666  MOV      [EBP-04],ECX <- [ebp-4]=0x3182
017F:00474669  MOV      ESI,EDX <- esi=0x3D5
017F:0047466B  MOV      EDI,EAX <- [edi]=IrcA
017F:0047466D  XOR      EAX,EAX <- eax=0

017F:0047466F  PUSH     EBP
017F:00474670  PUSH     DWORD 004746E6
017F:00474675  PUSH     DWORD [FS:EAX]
017F:00474678  MOV      [FS:EAX],ESP
017F:0047467B  MOV      EAX,[EBP+08]
017F:0047467E  CALL     00403AC0

017F:00474683  MOV      EAX,EDI
017F:00474685  CALL     00403D3C <- 取长度
017F:0047468A  TEST     AL,AL <- al=8
017F:0047468C  JNA      004746D0 <- 不跳

017F:0047468E  MOV      [EBP-05],AL <- [ebp-5]=8
017F:00474691  MOV      BL,01 <- bl=1,循环变量

017F:00474693  LEA      EAX,[EBP-0C] <- 缓冲区
017F:00474696  XOR      EDX,EDX
017F:00474698  MOV      DL,BL
017F:0047469A  MOV      DL,[EDI+EDX-01] <- dl=IrcA[i]
017F:0047469E  MOV      ECX,ESI <- ecx=esi
017F:004746A0  SHR      ECX,08 <- ecx>>=8
017F:004746A3  XOR      DL,CL <- dl^=cl
017F:004746A5  CALL     00403C64 <- 保存edx到缓冲区

017F:004746AA  MOV      EDX,[EBP-0C]
017F:004746AD  MOV      EAX,[EBP+08]
017F:004746B0  CALL     00403D44 <- strcat

017F:004746B5  MOV      EAX,[EBP+08] <- 无用的指令,可能是为对齐
017F:004746B8  XOR      EAX,EAX
017F:004746BA  MOV      AL,BL
017F:004746BC  MOVZX    EAX,BYTE [EDI+EAX-01] <- eax=IrcA[i]
017F:004746C1  ADD      ESI,EAX <- esi+=eax
017F:004746C3  IMUL     ESI,[EBP-04] <- esi*=0x3182
017F:004746C7  ADD      ESI,[EBP+0C] <- esi+=0x8C33
017F:004746CA  INC      EBX
017F:004746CB  DEC      BYTE [EBP-05]
017F:004746CE  JNZ      00474693 <- 未完继续
...

   这一段可以描述为:

int esi=0x3D5;
char IrcA[8]="....";
char IrcB[8];
for(short i=0; i<8; i++)
{
IrcB[i]=IrcA[i]^(esi>>8&0xFF);
esi+=IrcA[i];
esi*=0x3182;
esi+=0x8C33;
}



   (2)继续看CALL     0040797C:
017F:0040797C  PUSH     EBX
017F:0040797D  PUSH     ECX
017F:0040797E  MOV      EBX,EDX
017F:00407980  MOV      EDX,ESP
017F:00407982  CALL     00402C40 <- trace into
017F:00407987  CMP      DWORD [ESP],BYTE +00
017F:0040798B  JZ       0040798F
017F:0040798D  MOV      EAX,EBX
017F:0040798F  POP      EDX
017F:00407990  POP      EBX
017F:00407991  RET     

简单起见,这段代码检查IrcB每个字符是否是数字,不是则失败,并将其转为int到eax,结果要小于0x0CCCCCCC: 

017F:00402C40  PUSH     EBX
017F:00402C41  PUSH     ESI
017F:00402C42  PUSH     EDI
017F:00402C43  MOV      ESI,EAX
017F:00402C45  PUSH     EAX
017F:00402C46  TEST     EAX,EAX
017F:00402C48  JZ       00402C9B
017F:00402C4A  XOR      EAX,EAX
017F:00402C4C  XOR      EBX,EBX
017F:00402C4E  MOV      EDI,0CCCCCCC
017F:00402C53  MOV      BL,[ESI]
017F:00402C55  INC      ESI
017F:00402C56  CMP      BL,20
017F:00402C59  JZ       00402C53
017F:00402C5B  MOV      CH,00
017F:00402C5D  CMP      BL,2D
017F:00402C60  JZ       00402CA7
017F:00402C62  CMP      BL,2B
017F:00402C65  JZ       00402CA9
017F:00402C67  CMP      BL,24
017F:00402C6A  JZ       00402CAE
017F:00402C6C  TEST     BL,BL
017F:00402C6E  JZ       00402CA2 <- 这里不能去

017F:00402C70  SUB      BL,30
017F:00402C73  CMP      BL,09 <- 是否为数字
017F:00402C76  JA       00402CA2
017F:00402C78  CMP      EAX,EDI <- eax不能比edi大
017F:00402C7A  JA       00402CA2

017F:00402C7C  LEA      EAX,[EAX+EAX*4]
017F:00402C7F  ADD      EAX,EAX
017F:00402C81  ADD      EAX,EBX <- eax=eax*10+bl
017F:00402C83  MOV      BL,[ESI]
017F:00402C85  INC      ESI
017F:00402C86  TEST     BL,BL
017F:00402C88  JNZ      00402C70
017F:00402C8A  DEC      CH
017F:00402C8C  JZ       00402C9E
017F:00402C8E  TEST     EAX,EAX
017F:00402C90  JL       00402CA2
017F:00402C92  POP      ECX
017F:00402C93  XOR      ESI,ESI
017F:00402C95  MOV      [EDX],ESI
017F:00402C97  POP      EDI
017F:00402C98  POP      ESI
017F:00402C99  POP      EBX
017F:00402C9A  RET     
017F:00402C9B  INC      ESI
017F:00402C9C  JMP      SHORT 00402CA2
017F:00402C9E  NEG      EAX
017F:00402CA0  JNG      00402C92
017F:00402CA2  POP      EBX
017F:00402CA3  SUB      ESI,EBX
017F:00402CA5  JMP      SHORT 00402C95
017F:00402CA7  INC      CH
017F:00402CA9  MOV      BL,[ESI]
017F:00402CAB  INC      ESI
017F:00402CAC  JMP      SHORT 00402C6C
017F:00402CAE  MOV      EDI,0FFFFFFF
017F:00402CB3  MOV      BL,[ESI]
017F:00402CB5  INC      ESI
017F:00402CB6  TEST     BL,BL
017F:00402CB8  JZ       00402C9B
017F:00402CBA  CMP      BL,61
017F:00402CBD  JC       00402CC2
017F:00402CBF  SUB      BL,20
017F:00402CC2  SUB      BL,30
017F:00402CC5  CMP      BL,09
017F:00402CC8  JNA      00402CD5
017F:00402CCA  SUB      BL,11
017F:00402CCD  CMP      BL,05
017F:00402CD0  JA       00402CA2
017F:00402CD2  ADD      BL,0A
017F:00402CD5  CMP      EAX,EDI
017F:00402CD7  JA       00402CA2
017F:00402CD9  SHL      EAX,04
017F:00402CDC  ADD      EAX,EBX
017F:00402CDE  MOV      BL,[ESI]
017F:00402CE0  INC      ESI
017F:00402CE1  TEST     BL,BL
017F:00402CE3  JNZ      00402CBA
017F:00402CE5  JMP      SHORT 00402C92

很明显,我们需要找一个数,能被122整除,比0x0CCCCCCC小,这个数作为IrcB,反推出IrcA,从而得到注册码。 

随机找到一个数:95830268=0x5B640FC,则IrcB[8]="95830268",将上面的程序稍动一下: 

int esi=0x3D5;
char IrcA[8];
char IrcB[8]="95830268";
for(short i=0; i<8; i++)
{
IrcA[i]=IrcB[i]^(esi>>8&0xFF);
esi+=IrcA[i];
esi*=0x3182;
esi+=0x8C33;
}
   运行后得到注册码,注册通过。
   

附:
//注册机,BCB 5.0编译通过
//---------------------------------------------------------------------------

#include 
//--- head added
#include 
#include 
#include 
//--- added stoped
#pragma hdrstop

//---------------------------------------------------------------------------

#pragma argsused
int main(int argc, char* argv[])
{
    int Acc=0x3D5;
    unsigned int Nul=0;                 //多余的变量防止出现符号扩展
    char buff[100];
    unsigned char IrcA[9];              //需要定义为unsigned
    char IrcB[9];
    cout<<"The Cleaner 3.2 Build 3213 KeyMaker"<<endl;
    cout<<"cracked by Fpc/CCG&BCG"<<endl<<endl;
    cout<<"InPut Your Name: ";
    cin>>buff;
    cout<< "Your Code is   : ";
    randomize();
    Nul=122*rand()%819600;
    sprintf(IrcB, "%08d", Nul);
    for(short i=0; i<8; i++)
    {
Nul=0;
IrcA[i]=IrcB[i]^((Acc>>8)&0xFF);
Nul=IrcA[i];
Acc+=Nul;
Acc*=0x3182;
Acc+=0x8C33;
sprintf(buff, "%02X", IrcA[i]);
cout<<buff;
if(i%2 && i!=7)
cout<<'-';
    }
    cout<<endl<<endl<<"any key to quit...";
    getch();
    return 0;
}

[End]


转自:http://person.longcity.net/home3/feeling/crack/mytutors/kclner32.htm

地主 发表时间: 12/30 8:18
回复: bellamy [bellamy]   论坛用户   登录
不错不错!

B1层 发表时间: 01/19 10:40
回复: lubai [lubai]   论坛用户   登录
食不大厌精,脍不厌细。

B2层 发表时间: 03/25 08:39

论坛: 编程破解

20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon

粤ICP备05087286号