邪恶八进制信息安全团队技术讨论组 » 工程学类分支{ Engineering Column } » 逆向工程[ Reverse Engineering ] » [转载]Easy Autorun Creator V2.0 的注册 [查看完整版本]

pub!1c 2006-1-23 11:00

[转载]Easy Autorun Creator V2.0 的注册

<P><FONT face=宋体>文章作者:rdsnow[BCG][PYG][D.4s]</FONT></P>
<P><FONT face=宋体><BR>【作者主页】</FONT><A href="http://rdsnow.ys168.com/" target=_blank><FONT face=宋体 color=#000000>[url]http://rdsnow.ys168.com[/url]</FONT></A><BR><FONT face=宋体>【E-mail】</FONT><A href="mailto:rdsnow@163.com"><FONT face=宋体 color=#000000>rdsnow@163.com</FONT></A><BR><FONT face=宋体>【作者QQ】83757177<BR>【文章题目】EasyAutorunCreatorV2.0的注册<BR>【软件名称】EasyAutorunCreator2.0<BR>【下载地址】</FONT><A href="http://www.aw-software.com/" target=_blank><FONT face=宋体 color=#000000>[url]http://www.aw-software.com/[/url]</FONT></A><BR><BR><FONT face=宋体>----------------------------------------------------------------------------------------<BR>【加密方式】序列号<BR>【破解工具】ODbyDYKv1.10[05.09]<BR>【软件限制】功能限制<BR>【破解平台】MicrosoftWindowsXPProfessional<BR>【平台版本】5.1.2600ServicePack2内部版本号2600<BR><BR>----------------------------------------------------------------------------------------<BR>【软件简介】<BR><BR>*AutomaticCDmenucreation<BR>*Templatesupport<BR>*Autorunwizard<BR>*Easy-to-useinterface<BR>*DiskcompatibilitywithWindowsXP,Me,98,NT,2003<BR><BR>【文章简介】<BR><BR>看到这个程序有汉化版下载，就下了一个，ScanwithPeiD0.94，无壳，可能是被汉化的脱掉了，BorlandDelphi6.0-7.0编译。算法比较简单，高手略过。<BR><BR>----------------------------------------------------------------------------------------<BR>【破解过程】<BR><BR>因为有错误的对话框，所以下断BpMessageBoxA，单步到程序领空，很容易找到程序比较的地方。典型的明码比较。<BR><BR>0050708B.68F6735000PUSHEasy_Aut.005073F6<BR>00507090.64:FF30PUSHDWORDPTRFS:[EAX]<BR>00507093.64:8920MOVDWORDPTRFS:[EAX],ESP<BR>00507096.8D55F0LEAEDX,DWORDPTRSS:[EBP-10]<BR>00507099.8B831C030000MOVEAX,DWORDPTRDS:[EBX+31C]<BR>0050709F.E8CCC8F5FFCALLEasy_Aut.00463970;取Email<BR>005070A4.837DF000CMPDWORDPTRSS:[EBP-10],0<BR>005070A8.0F84F0020000JEEasy_Aut.0050739E;没有输入就跳<BR>005070AE.8D55ECLEAEDX,DWORDPTRSS:[EBP-14]<BR>005070B1.8B831C030000MOVEAX,DWORDPTRDS:[EBX+31C]<BR>005070B7.E8B4C8F5FFCALLEasy_Aut.00463970;取Email<BR>005070BC.8B45ECMOVEAX,DWORDPTRSS:[EBP-14]<BR>005070BF.BA0C745000MOVEDX,Easy_Aut.0050740C;ASCII"inf@hot.com"(黑名单)<BR>005070C4.E823D7EFFFCALLEasy_Aut.004047EC<BR>005070C9.0F84CF020000JEEasy_Aut.0050739E<BR>005070CF.8D55E8LEAEDX,DWORDPTRSS:[EBP-18]<BR>005070D2.8B831C030000MOVEAX,DWORDPTRDS:[EBX+31C]<BR>005070D8.E893C8F5FFCALLEasy_Aut.00463970;取Email<BR>005070DD.8B45E8MOVEAX,DWORDPTRSS:[EBP-18]<BR>005070E0.BA20745000MOVEDX,Easy_Aut.00507420;ASCII"TEAMDVT"(黑名单)<BR>0050718A.E85DD6EFFFCALLEasy_Aut.004047EC<BR>0050718F.0F8409020000JEEasy_Aut.0050739E<BR>……………………;省略二十几个黑名单<BR>00507195.8D45F4LEAEAX,DWORDPTRSS:[EBP-C]<BR>00507198.BAAC745000MOVEDX,Easy_Aut.005074AC;ASCII"AWSoftware"(黑名单)<BR>0050719D.E8D6D2EFFFCALLEasy_Aut.00404478<BR>005071A2.8B0DB8345100MOVECX,DWORDPTRDS:[5134B8];Easy_Aut.00516134<BR>005071A8.8B09MOVECX,DWORDPTRDS:[ECX]<BR>005071AA.B201MOVDL,1<BR>005071AC.A1C8284C00MOVEAX,DWORDPTRDS:[4C28C8]<BR>005071B1.E812A1FBFFCALLEasy_Aut.004C12C8<BR>005071B6.8945F8MOVDWORDPTRSS:[EBP-8],EAX<BR>005071B9.8B0D70134C00MOVECX,DWORDPTRDS:[4C1370];Easy_Aut.004C13BC<BR>005071BF.8B55F4MOVEDX,DWORDPTRSS:[EBP-C]<BR>005071C2.8B45F8MOVEAX,DWORDPTRSS:[EBP-8]<BR>005071C5.E8E29EFBFFCALLEasy_Aut.004C10AC<BR>005071CA.8D55D0LEAEDX,DWORDPTRSS:[EBP-30]<BR>005071CD.8B8320030000MOVEAX,DWORDPTRDS:[EBX+320]<BR>005071D3.E898C7F5FFCALLEasy_Aut.00463970;取假码<BR>005071D8.8B45D0MOVEAX,DWORDPTRSS:[EBP-30]<BR>005071DB.50PUSHEAX<BR>005071DC.8D55C8LEAEDX,DWORDPTRSS:[EBP-38]<BR>005071DF.8B831C030000MOVEAX,DWORDPTRDS:[EBX+31C]<BR>005071E5.E886C7F5FFCALLEasy_Aut.00463970;取Email<BR>005071EA.8B55C8MOVEDX,DWORDPTRSS:[EBP-38]<BR>005071ED.8D4DCCLEAECX,DWORDPTRSS:[EBP-34]<BR>005071F0.8B45F8MOVEAX,DWORDPTRSS:[EBP-8]<BR>005071F3.8B30MOVESI,DWORDPTRDS:[EAX]<BR>005071F5.FF5654CALLDWORDPTRDS:[ESI+54];得到真码<BR>005071F8.8B55CCMOVEDX,DWORDPTRSS:[EBP-34]<BR>005071FB.58POPEAX<BR>005071FC.E8EBD5EFFFCALLEasy_Aut.004047EC;真码和假码比较<BR>00507201.0F85C1000000JNZEasy_Aut.005072C8<BR>00507207.B8C0745000MOVEAX,Easy_Aut.005074C0<BR>0050720C.E89BFBF2FFCALLEasy_Aut.00436DAC<BR><BR>跟进<BR>005071F5.FF5654CALLDWORDPTRDS:[ESI+54];得到真码<BR>来到计算注册码的地方<BR><BR>004C120C/.55PUSHEBP<BR>004C120D|.8BECMOVEBP,ESP<BR>004C120F|.6A00PUSH0<BR>004C1211|.53PUSHEBX<BR>004C1212|.56PUSHESI<BR>……………………<BR>004C124F|.8BD0MOVEDX,EAX<BR>004C1251|.8BC7MOVEAX,EDI<BR>004C1253|.59POPECX<BR>004C1254|.8B30MOVESI,DWORDPTRDS:[EAX]<BR>004C1256|.FF564CCALLDWORDPTRDS:[ESI+4C];对Email进行预处理<BR>004C1259|.8D55FCLEAEDX,DWORDPTRSS:[EBP-4]<BR>004C125C|.8B03MOVEAX,DWORDPTRDS:[EBX]<BR>004C125E|.E8C5F7FFFFCALLEasy_Aut.004C0A28;预处理结果进行base64编码<BR>004C1263|.8B55FCMOVEDX,DWORDPTRSS:[EBP-4]<BR>004C1266|.8BC3MOVEAX,EBX<BR>……………………<BR>004C1272|.64:8910MOVDWORDPTRFS:[EAX],EDX<BR>004C1275|.688A124C00PUSHEasy_Aut.004C128A<BR>004C127A|>8D45FCLEAEAX,DWORDPTRSS:[EBP-4]<BR>004C127D|.E85E31F4FFCALLEasy_Aut.004043E0<BR>004C1282\.C3RETN<BR><BR>跟进<BR>004C1256|.FF564CCALLDWORDPTRDS:[ESI+4C];对Email进行预处理<BR>看看对注册码的预处理<BR><BR>004C2D34/.55PUSHEBP<BR>004C2D35|.8BECMOVEBP,ESP<BR>004C2D37|.83C4F0ADDESP,-10<BR>004C2D3A|.53PUSHEBX<BR>004C2D3B|.56PUSHESI<BR>004C2D3C|.57PUSHEDI<BR>004C2D3D|.894DF8MOVDWORDPTRSS:[EBP-8],ECX<BR>004C2D40|.8955FCMOVDWORDPTRSS:[EBP-4],EDX<BR>004C2D43|.80783000CMPBYTEPTRDS:[EAX+30],0<BR>004C2D47|.7516JNZSHORTEasy_Aut.004C2D5F<BR>004C2D49|.B9D82D4C00MOVECX,Easy_Aut.004C2DD8;ASCII"Ciphernotinitialized"<BR>004C2D4E|.B201MOVDL,1<BR>004C2D50|.A1B40D4C00MOVEAX,DWORDPTRDS:[4C0DB4]<BR>004C2D55|.E85E9BF4FFCALLEasy_Aut.0040C8B8<BR>004C2D5A|.E81910F4FFCALLEasy_Aut.00403D78<BR>004C2D5F|>33C9XORECX,ECX<BR>004C2D61|.33D2XOREDX,EDX<BR>004C2D63|.8B5D08MOVEBX,DWORDPTRSS:[EBP+8]<BR>004C2D66|.4BDECEBX<BR>004C2D67|.85DBTESTEBX,EBX<BR>004C2D69|.725AJBSHORTEasy_Aut.004C2DC5<BR>004C2D6B|.43INCEBX<BR>004C2D6C|.895DF0MOVDWORDPTRSS:[EBP-10],EBX<BR>004C2D6F|.C745F40000>MOVDWORDPTRSS:[EBP-C],0<BR>004C2D76|>41/INCECX<BR>004C2D77|.81E1FF000000|ANDECX,0FF<BR>004C2D7D|.0FB6740834|MOVZXESI,BYTEPTRDS:[EAX+ECX+34];取SBox[i]<BR>004C2D82|.8D1416|LEAEDX,DWORDPTRDS:[ESI+EDX];n＝(n+SBox[i])&0xFF<BR>004C2D85|.81E2FF000000|ANDEDX,0FF<BR>004C2D8B|.8A5C1034|MOVBL,BYTEPTRDS:[EAX+EDX+34];取SBox[n]<BR>004C2D8F|.885C0834|MOVBYTEPTRDS:[EAX+ECX+34],BL;SBox[i]=SBox[n]<BR>004C2D93|.8BDE|MOVEBX,ESI<BR>004C2D95|.885C1034|MOVBYTEPTRDS:[EAX+EDX+34],BL;SBox[n]=SBox[i]，即交换SBox[i]和SBox[n]<BR>004C2D99|.33DB|XOREBX,EBX<BR>004C2D9B|.8A5C0834|MOVBL,BYTEPTRDS:[EAX+ECX+34]<BR>004C2D9F|.03F3|ADDESI,EBX;K=(SBox[n]+SBox[i])&0xFF<BR>004C2DA1|.81E6FF000000|ANDESI,0FF<BR>004C2DA7|.8B5DFC|MOVEBX,DWORDPTRSS:[EBP-4]<BR>004C2DAA|.8B7DF4|MOVEDI,DWORDPTRSS:[EBP-C]<BR>004C2DAD|.8A1C3B|MOVBL,BYTEPTRDS:[EBX+EDI];取Email[i]<BR>004C2DB0|.325C3034|XORBL,BYTEPTRDS:[EAX+ESI+34];取Email[i]XorSBox[K]<BR>004C2DB4|.8B75F8|MOVESI,DWORDPTRSS:[EBP-8]<BR>004C2DB7|.8B7DF4|MOVEDI,DWORDPTRSS:[EBP-C]<BR>004C2DBA|.881C3E|MOVBYTEPTRDS:[ESI+EDI],BL;保存结果<BR>004C2DBD|.FF45F4|INCDWORDPTRSS:[EBP-C]<BR>004C2DC0|.FF4DF0|DECDWORDPTRSS:[EBP-10]<BR>004C2DC3|.^75B1\JNZSHORTEasy_Aut.004C2D76<BR>004C2DC5|>5FPOPEDI<BR>004C2DC6|.5EPOPESI<BR>004C2DC7|.5BPOPEBX<BR>004C2DC8|.8BE5MOVESP,EBP<BR>004C2DCA|.5DPOPEBP<BR>004C2DCB\.C20400RETN4<BR><BR>----------------------------------------------------------------------------------------<BR>【破解心得】<BR><BR>注册码的计算分两步进行，<BR><BR>一、先对输入的Email地址进行预先处理<BR><BR>对Email预变换的代码不多，加密过程大致是这样的，首先定义一个byte表SBox[513]，使用一个byte变量n。SBox[513]中预置了一些数据，对Email处理的同时对SBox中的数据进行变换。<BR><BR>*i从1开始循环，每次循环取SBox[i]，并且累加到n上<BR><BR>*交换SBox[i]和SBox[n]<BR><BR>*求SBox[i]和SBox[n]的和<BR><BR>*用求得的和去查SBox表<BR><BR>*查表结果再跟Email[i]异或，并替换掉Email[i]<BR><BR>*等Email中所有字符都被替换掉了，替换后的Email就是预处理结果<BR><BR>二、将预处理结果采用标准的Base64编码，就得到真码了。<BR><BR>【注册机源码】<BR><BR>voidCKeygenDlg::OnChangeEdit1()<BR>{<BR>//TODO:IfthisisaRICHEDITcontrol,thecontrolwillnot<BR>//sendthisnotificationunlessyouoverridetheCDialog::OnInitDialog()<BR>//functionandcallCRichEditCtrl().SetEventMask()<BR>//withtheENM_CHANGEflagORedintothemask.<BR><BR>//TODO:Addyourcontrolnotificationhandlercodehere<BR><BR><BR>//从内存中复制的SBox[513]<BR><BR>unsignedcharSBox[513]={<BR>0xA9,0x8A,0xEC,0x2B,0x4E,0x74,0x69,0xA6,0x88,0x99,0x2A,0x0A,0xCF,0x83,0x22,0xA3,<BR>0xC1,0x6E,0xB0,0x5B,0xB3,0x38,0xE3,0x47,0x85,0x1C,0xB2,0xDC,0x6B,0x92,0xAB,0xF6,<BR>0x2E,0x01,0x1F,0x18,0x17,0x8F,0x10,0xD3,0x53,0xDF,0xBF,0x90,0x7A,0x11,0xC2,0xB9,<BR>0x02,0x5D,0x40,0xED,0x52,0x66,0x4D,0xA0,0xD1,0xE7,0x3F,0x7F,0xE0,0x7E,0x70,0xCB,<BR>0x48,0x39,0x50,0xBA,0x1B,0x7D,0x4F,0x9B,0x57,0x72,0x9D,0x1E,0x9A,0x0F,0x29,0x59,<BR>0x26,0xD9,0x77,0xC5,0xA1,0xFB,0x35,0xD2,0x4C,0x58,0x9E,0xBC,0xA2,0x79,0xD5,0xDD,<BR>0xA7,0x65,0x96,0x84,0xE8,0xC6,0xBB,0x3B,0xF0,0x55,0x04,0x24,0xEF,0x43,0x75,0x23,<BR>0x4A,0xEA,0xC7,0xC0,0xE9,0x00,0x08,0x4B,0x6C,0xDB,0x1A,0xFC,0xC3,0xE2,0x0E,0xAE,<BR>0x1D,0xF9,0x2C,0xB8,0xB7,0x89,0xFA,0xAD,0x68,0xFE,0x8D,0x91,0x21,0x93,0xD4,0x46,<BR>0x7C,0x87,0x19,0xB6,0x98,0xB5,0x2F,0xBE,0x56,0x16,0x03,0x80,0x0C,0x5A,0x49,0x6D,<BR>0x95,0x28,0x0B,0x78,0xC9,0x97,0x61,0xCD,0x06,0x9C,0x13,0x45,0x41,0x6F,0xD8,0x5C,<BR>0x62,0x5F,0x12,0x32,0x94,0xFF,0x73,0x8E,0xF7,0x60,0x0D,0x5E,0x09,0x64,0x30,0x37,<BR>0xA5,0x82,0x54,0x36,0xB4,0x8B,0xD7,0x9F,0x81,0x2D,0x71,0x76,0x15,0x8C,0xDE,0xDA,<BR>0xC8,0x33,0xE1,0x3A,0xD0,0xEB,0x3D,0xF4,0xF8,0x14,0x25,0x6A,0x3C,0x86,0xEE,0x07,<BR>0x51,0x63,0x7B,0x20,0xE5,0xC4,0xE6,0xF3,0x34,0xFD,0xAF,0xAC,0xF1,0x67,0xCC,0xA8,<BR>0xB1,0xCA,0xD6,0x42,0x27,0x44,0x3E,0xCE,0xBD,0x05,0xF2,0xE4,0xAA,0xF5,0xA4,0x31,<BR>0xA9,0x8A,0xEC,0x2B,0x4E,0x74,0x69,0xA6,0x88,0x99,0x2A,0x0A,0xCF,0x83,0x22,0xA3,<BR>0xC1,0x6E,0xB0,0x5B,0xB3,0x38,0xE3,0x47,0x85,0x1C,0xB2,0xDC,0x6B,0x92,0xAB,0xF6,<BR>0x2E,0x01,0x1F,0x18,0x17,0x8F,0x10,0xD3,0x53,0xDF,0xBF,0x90,0x7A,0x11,0xC2,0xB9,<BR>0x02,0x5D,0x40,0xED,0x52,0x66,0x4D,0xA0,0xD1,0xE7,0x3F,0x7F,0xE0,0x7E,0x70,0xCB,<BR>0x48,0x39,0x50,0xBA,0x1B,0x7D,0x4F,0x9B,0x57,0x72,0x9D,0x1E,0x9A,0x0F,0x29,0x59,<BR>0x26,0xD9,0x77,0xC5,0xA1,0xFB,0x35,0xD2,0x4C,0x58,0x9E,0xBC,0xA2,0x79,0xD5,0xDD,<BR>0xA7,0x65,0x96,0x84,0xE8,0xC6,0xBB,0x3B,0xF0,0x55,0x04,0x24,0xEF,0x43,0x75,0x23,<BR>0x4A,0xEA,0xC7,0xC0,0xE9,0x00,0x08,0x4B,0x6C,0xDB,0x1A,0xFC,0xC3,0xE2,0x0E,0xAE,<BR>0x1D,0xF9,0x2C,0xB8,0xB7,0x89,0xFA,0xAD,0x68,0xFE,0x8D,0x91,0x21,0x93,0xD4,0x46,<BR>0x7C,0x87,0x19,0xB6,0x98,0xB5,0x2F,0xBE,0x56,0x16,0x03,0x80,0x0C,0x5A,0x49,0x6D,<BR>0x95,0x28,0x0B,0x78,0xC9,0x97,0x61,0xCD,0x06,0x9C,0x13,0x45,0x41,0x6F,0xD8,0x5C,<BR>0x62,0x5F,0x12,0x32,0x94,0xFF,0x73,0x8E,0xF7,0x60,0x0D,0x5E,0x09,0x64,0x30,0x37,<BR>0xA5,0x82,0x54,0x36,0xB4,0x8B,0xD7,0x9F,0x81,0x2D,0x71,0x76,0x15,0x8C,0xDE,0xDA,<BR>0xC8,0x33,0xE1,0x3A,0xD0,0xEB,0x3D,0xF4,0xF8,0x14,0x25,0x6A,0x3C,0x86,0xEE,0x07,<BR>0x51,0x63,0x7B,0x20,0xE5,0xC4,0xE6,0xF3,0x34,0xFD,0xAF,0xAC,0xF1,0x67,0xCC,0xA8,<BR>0xB1,0xCA,0xD6,0x42,0x27,0x44,0x3E,0xCE,0xBD,0x05,0xF2,0xE4,0xAA,0xF5,0xA4,0x31,<BR>0x26};<BR><BR>inti,j,EmailLength;<BR>unsignedcharn=0,k=0;<BR>charEmail[256],SerialNummber[512];<BR><BR>UpdateData(true);<BR>EmailLength=m_Edit1.GetLength();<BR>strcpy(Email,m_Edit1);<BR><BR>//预处理<BR>for(i=0;i<EmailLength;i++){<BR>j=i+1;<BR>n+=SBox[j];<BR>k=SBox[j];<BR>SBox[j]=SBox[n];<BR>SBox[n]=k;<BR>k=SBox[j]+SBox[n];<BR>Email[i]^=SBox[k];<BR>}<BR><BR>//base64编码<BR>memset(SerialNummber,0,512);<BR>base64_encode(Email,EmailLength,SerialNummber);<BR>m_Edit2=SerialNummber;<BR>UpdateData(false);<BR><BR>}<BR>----------------------------------------------------------------------------------------<BR>【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享:)<BR><BR>【版权声明】本文纯属技术交流,转载请注明作者并保持文章的完整,谢谢!<BR>----------------------------------------------------------------------------------------</FONT><BR></P>

查看完整版本: [转载]Easy Autorun Creator V2.0 的注册

© 1999-2008 EvilOctal Security Team