
[Repost] A Modified MD5

Article author: rdsnow[BCG][PYG][D.4s]

【Crack author】rdsnow[BCG][PYG][D.4s]
【Author homepage】http://rdsnow.ys168.com
【E-mail】rdsnow@163.com
【Author QQ】83757177
【Article title】A Modified MD5
【Software name】AutoRun Pro Enterprise
【Software version】V4.0.0.32
【Download address】http://www.longtion.com

----------------------------------------------------------------------------------------
【Protection】Serial number
【Cracking tool】OD by DYK v1.10 [05.09]
【Software restriction】Function-limited
【Cracking platform】Microsoft Windows XP Professional
【Platform version】5.1.2600 Service Pack 2, build 2600

----------------------------------------------------------------------------------------
【Software introduction】

AutoRun Pro Enterprise can create, edit professional autorun interface and generate autorun files for CD/DVDs in a WYSIWYG environment.
Display a professional and beautiful interface for users to open or execute files, print documents, send e-mail, visit Web sites, browse CDs,
play sound, music and so on, when your CD is inserted. It's fast and easy to use. Anyone can quickly create autorun CD-ROMs within minutes.

【Article introduction】

My only programming background is a little Turbo C learned five or six years ago. To learn programming, I try to write a keygen for every ordinary program I work on; this time I ran into one that uses a modified MD5 algorithm, so I gave it a try as well.

To write a keygen for a program with a modified MD5, you have to find the places where it deviates and then make the corresponding changes to the standard MD5 source.

----------------------------------------------------------------------------------------
【Cracking process】

The registration window has three edit boxes to fill in: username, serial and key. From the code that follows, the first four characters of the serial must be "0018".

So enter:
username=rdsnow[BCG][PYG][D.4s]
serial=001812345678cdef
key=9898989832323232

Since there is an "invalid registration code" dialog, the key location is easy to find.

00562BD2  . 8B8314030000   MOV EAX, DWORD PTR [EBX+314]
00562BD8  . E83F78F1FF     CALL AutoRunP.0047A41C          ; get username
00562BDD  . 8B45E4         MOV EAX, DWORD PTR [EBP-1C]
00562BE0  . 8D55FC         LEA EDX, DWORD PTR [EBP-4]
00562BE3  . E88460EAFF     CALL AutoRunP.00408C6C
00562BE8  . 8D55E0         LEA EDX, DWORD PTR [EBP-20]
00562BEB  . 8B83F8020000   MOV EAX, DWORD PTR [EBX+2F8]
00562BF1  . E82678F1FF     CALL AutoRunP.0047A41C          ; get serial
00562BF6  . 8B45E0         MOV EAX, DWORD PTR [EBP-20]
00562BF9  . 8D55F8         LEA EDX, DWORD PTR [EBP-8]
00562BFC  . E86B60EAFF     CALL AutoRunP.00408C6C
00562C01  . 8D55DC         LEA EDX, DWORD PTR [EBP-24]
00562C04  . 8B83FC020000   MOV EAX, DWORD PTR [EBX+2FC]
00562C0A  . E80D78F1FF     CALL AutoRunP.0047A41C          ; get key
00562C0F  . 8B45DC         MOV EAX, DWORD PTR [EBP-24]
00562C12  . 8D55F4         LEA EDX, DWORD PTR [EBP-C]
00562C15  . E85260EAFF     CALL AutoRunP.00408C6C
00562C1A  . 8B45F4         MOV EAX, DWORD PTR [EBP-C]
00562C1D  . 50             PUSH EAX                        ; push key
00562C1E  . A1709E5600     MOV EAX, DWORD PTR [569E70]
00562C23  . 8B00           MOV EAX, DWORD PTR [EAX]
00562C25  . 8B4DF8         MOV ECX, DWORD PTR [EBP-8]      ; serial
00562C28  . 8B55FC         MOV EDX, DWORD PTR [EBP-4]      ; username
00562C2B  . E85466FFFF     CALL AutoRunP.00559284          ; key CALL
00562C30  . 84C0           TEST AL, AL
00562C32  . 751D           JNZ SHORT AutoRunP.00562C51     ; key jump
00562C34  . 6A10           PUSH 10
00562C36  . B9602D5600     MOV ECX, AutoRunP.00562D60      ; ASCII "Register"
00562C3B  . BA6C2D5600     MOV EDX, AutoRunP.00562D6C      ; ASCII "Incomplete or incorrect information."
00562C40  . A15CA15600     MOV EAX, DWORD PTR [56A15C]
00562C45  . 8B00           MOV EAX, DWORD PTR [EAX]
00562C47  . E8788DF3FF     CALL AutoRunP.0049B9C4          ; error dialog
00562C4C  . E9C8000000     JMP AutoRunP.00562D19
00562C51  > 33C0           XOR EAX, EAX

If you only want to patch it, I don't recommend changing the key jump at 00562C32; follow the key CALL and modify the registration flag there instead.

----------------------------------------------------------------------------------------
Now follow it in:

005592F5  . 8B45E4         MOV EAX, DWORD PTR [EBP-1C]
005592F8  . E8F7B3EAFF     CALL AutoRunP.004046F4          ; get the length of Serial
005592FD  . 8BD8           MOV EBX, EAX
005592FF  . 83FB01         CMP EBX, 1
00559302  . 7C1E           JL SHORT AutoRunP.00559322      ; jump away if Serial is empty
00559304  > 8B45E4         MOV EAX, DWORD PTR [EBP-1C]
00559307  . 807C18FF20     CMP BYTE PTR [EAX+EBX-1], 20
0055930C  . 750F           JNZ SHORT AutoRunP.0055931D
0055930E  . 8D45E4         LEA EAX, DWORD PTR [EBP-1C]
00559311  . B901000000     MOV ECX, 1
00559316  . 8BD3           MOV EDX, EBX
00559318  . E877B6EAFF     CALL AutoRunP.00404994          ; strip spaces from Serial
0055931D  > 4B             DEC EBX
0055931E  . 85DB           TEST EBX, EBX
00559320  .^75E2           JNZ SHORT AutoRunP.00559304
00559322  > 8B45E0         MOV EAX, DWORD PTR [EBP-20]
00559325  . E8CAB3EAFF     CALL AutoRunP.004046F4          ; get the length of key
0055932A  . 8BD8           MOV EBX, EAX
0055932C  . 83FB01         CMP EBX, 1
0055932F  . 7C1E           JL SHORT AutoRunP.0055934F      ; jump away if key is empty
00559331  > 8B45E0         MOV EAX, DWORD PTR [EBP-20]
00559334  . 807C18FF20     CMP BYTE PTR [EAX+EBX-1], 20
00559339  . 750F           JNZ SHORT AutoRunP.0055934A
0055933B  . 8D45E0         LEA EAX, DWORD PTR [EBP-20]
0055933E  . B901000000     MOV ECX, 1
00559343  . 8BD3           MOV EDX, EBX
00559345  . E84AB6EAFF     CALL AutoRunP.00404994          ; strip spaces from key
0055934A  > 4B             DEC EBX
0055934B  . 85DB           TEST EBX, EBX
0055934D  .^75E2           JNZ SHORT AutoRunP.00559331
0055934F  > 8B45E4         MOV EAX, DWORD PTR [EBP-1C]
00559352  . E89DB3EAFF     CALL AutoRunP.004046F4          ; get the length of Serial
00559357  . 83F810         CMP EAX, 10
0055935A  . 0F8598010000   JNZ AutoRunP.005594F8           ; jump away if Serial length != 16
00559360  . 8B45E0         MOV EAX, DWORD PTR [EBP-20]
00559363  . E88CB3EAFF     CALL AutoRunP.004046F4          ; get the length of key
00559368  . 83F810         CMP EAX, 10
0055936B  . 0F8587010000   JNZ AutoRunP.005594F8           ; jump away if key length != 16
00559371  . 33C0           XOR EAX, EAX
00559373  . 55             PUSH EBP
00559374  . 684B945500     PUSH AutoRunP.0055944B
00559379  . 64:FF30        PUSH DWORD PTR FS:[EAX]
0055937C  . 64:8920        MOV DWORD PTR FS:[EAX], ESP
0055937F  . 8D45D4         LEA EAX, DWORD PTR [EBP-2C]
00559382  . 50             PUSH EAX
00559383  . B908000000     MOV ECX, 8
00559388  . BA01000000     MOV EDX, 1
0055938D  . 8B45E4         MOV EAX, DWORD PTR [EBP-1C]
00559390  . E8BFB5EAFF     CALL AutoRunP.00404954          ; take the first 8 characters of Serial
00559395  . 8B4DD4         MOV ECX, DWORD PTR [EBP-2C]
00559398  . 8D45D8         LEA EAX, DWORD PTR [EBP-28]
0055939B  . BA3C955500     MOV EDX, AutoRunP.0055953C
005593A0  . E89BB3EAFF     CALL AutoRunP.00404740          ; prepare the conversion
005593A5  . 8B45D8         MOV EAX, DWORD PTR [EBP-28]
005593A8  . E863FCEAFF     CALL AutoRunP.00409010          ; convert the 8-character hex text to value a
005593AD  . 8945F8         MOV DWORD PTR [EBP-8], EAX      ; store a in inbuff
005593B0  . 8D45CC         LEA EAX, DWORD PTR [EBP-34]
005593B3  . 50             PUSH EAX
005593B4  . B908000000     MOV ECX, 8
005593B9  . BA09000000     MOV EDX, 9
005593BE  . 8B45E4         MOV EAX, DWORD PTR [EBP-1C]
005593C1  . E88EB5EAFF     CALL AutoRunP.00404954          ; take the last 8 characters of Serial
005593C6  . 8B4DCC         MOV ECX, DWORD PTR [EBP-34]
005593C9  . 8D45D0         LEA EAX, DWORD PTR [EBP-30]
005593CC  . BA3C955500     MOV EDX, AutoRunP.0055953C
005593D1  . E86AB3EAFF     CALL AutoRunP.00404740          ; prepare the conversion
005593D6  . 8B45D0         MOV EAX, DWORD PTR [EBP-30]
005593D9  . E832FCEAFF     CALL AutoRunP.00409010          ; convert the 8-character hex text to value b
005593DE  . 8945F4         MOV DWORD PTR [EBP-C], EAX      ; store b in inbuff
005593E1  . 8D45C4         LEA EAX, DWORD PTR [EBP-3C]
005593E4  . 50             PUSH EAX
005593E5  . B908000000     MOV ECX, 8
005593EA  . BA01000000     MOV EDX, 1
005593EF  . 8B45E0         MOV EAX, DWORD PTR [EBP-20]
005593F2  . E85DB5EAFF     CALL AutoRunP.00404954          ; take the first 8 characters of key
005593F7  . 8B4DC4         MOV ECX, DWORD PTR [EBP-3C]
005593FA  . 8D45C8         LEA EAX, DWORD PTR [EBP-38]
005593FD  . BA3C955500     MOV EDX, AutoRunP.0055953C
00559402  . E839B3EAFF     CALL AutoRunP.00404740          ; prepare the conversion
00559407  . 8B45C8         MOV EAX, DWORD PTR [EBP-38]
0055940A  . E801FCEAFF     CALL AutoRunP.00409010          ; convert the 8-character hex text to value c
0055940F  . 8BD8           MOV EBX, EAX                    ; c kept in EBX
00559411  . 8D45BC         LEA EAX, DWORD PTR [EBP-44]
00559414  . 50             PUSH EAX
00559415  . B908000000     MOV ECX, 8
0055941A  . BA09000000     MOV EDX, 9
0055941F  . 8B45E0         MOV EAX, DWORD PTR [EBP-20]
00559422  . E82DB5EAFF     CALL AutoRunP.00404954          ; take the last 8 characters of key
00559427  . 8B4DBC         MOV ECX, DWORD PTR [EBP-44]
0055942A  . 8D45C0         LEA EAX, DWORD PTR [EBP-40]
0055942D  . BA3C955500     MOV EDX, AutoRunP.0055953C
00559432  . E809B3EAFF     CALL AutoRunP.00404740          ; prepare the conversion
00559437  . 8B45C0         MOV EAX, DWORD PTR [EBP-40]
0055943A  . E8D1FBEAFF     CALL AutoRunP.00409010          ; convert the 8-character hex text to value d
0055943F  . 8BF0           MOV ESI, EAX                    ; d kept in ESI
00559441  . 33C0           XOR EAX, EAX
00559443  . 5A             POP EDX
00559444  . 59             POP ECX
00559445  . 59             POP ECX
00559446  . 64:8910        MOV DWORD PTR FS:[EAX], EDX
00559449  . EB14           JMP SHORT AutoRunP.0055945F
0055944B  .^E990A6EAFF     JMP AutoRunP.00403AE0
00559450  . E8F3A9EAFF     CALL AutoRunP.00403E48
00559455  . E99E000000     JMP AutoRunP.005594F8
0055945A  . E8E9A9EAFF     CALL AutoRunP.00403E48
0055945F  > 8B45F4         MOV EAX, DWORD PTR [EBP-C]      ; fetch b
00559462  . 83E00F         AND EAX, 0F                     ; low 4 bits of b
00559465  . 8945DC         MOV DWORD PTR [EBP-24], EAX     ; saved; this serves as one registration flag and must not be 0
00559468  . 8B45F8         MOV EAX, DWORD PTR [EBP-8]      ; fetch a
0055946B  . C1E810         SHR EAX, 10                     ; high 16 bits of a
0055946E  . 66:83F818      CMP AX, 18
00559472  . 0F8580000000   JNZ AutoRunP.005594F8           ; jump if the high 16 bits of a != 0x18
00559478  . 8B45F8         MOV EAX, DWORD PTR [EBP-8]      ; fetch a
0055947B  . 8945F0         MOV DWORD PTR [EBP-10], EAX     ; store a in inbuff
0055947E  . 8B45F4         MOV EAX, DWORD PTR [EBP-C]      ; fetch b
00559481  . 8945EC         MOV DWORD PTR [EBP-14], EAX     ; store b in inbuff
00559484  . 8B45F8         MOV EAX, DWORD PTR [EBP-8]      ; fetch a
00559487  . 25FFFF0000     AND EAX, 0FFFF                  ; low 16 bits of a
0055948C  . 8BF8           MOV EDI, EAX
0055948E  . C1E710         SHL EDI, 10                     ; placed in the high 16 bits of a 32-bit value
00559491  . 8B45F4         MOV EAX, DWORD PTR [EBP-C]      ; high 16 bits of b
00559494  . C1E810         SHR EAX, 10                     ; placed in the low 16 bits of the 32-bit value
00559497  . 03F8           ADD EDI, EAX                    ; low 16 bits of a and high 16 bits of b joined into one 32-bit value
00559499  . 8D45EC         LEA EAX, DWORD PTR [EBP-14]
0055949C  . 50             PUSH EAX                        ; at this point inbuff appears in memory as baba
0055949D  . 8D4DF0         LEA ECX, DWORD PTR [EBP-10]
005594A0  . 8D55F4         LEA EDX, DWORD PTR [EBP-C]
005594A3  . 8D45F8         LEA EAX, DWORD PTR [EBP-8]
005594A6  . E8295DFCFF     CALL AutoRunP.0051F1D4          ; MD5-encode the 128 bits formed by baba
005594AB  . 3B5DF8         CMP EBX, DWORD PTR [EBP-8]      ; compare c with the first 32 bits of the MD5 result
005594AE  . 7511           JNZ SHORT AutoRunP.005594C1
005594B0  . 3B75F4         CMP ESI, DWORD PTR [EBP-C]      ; compare d with bits 32-64 of the MD5 result
005594B3  . 750C           JNZ SHORT AutoRunP.005594C1     ; i.e. key is compared with the first 64 bits of the MD5 result
005594B5  . 8B45E8         MOV EAX, DWORD PTR [EBP-18]     ; fetch name
005594B8  . E8FF5BFCFF     CALL AutoRunP.0051F0BC          ; compute serial
005594BD  . 3BF8           CMP EDI, EAX
005594BF  . 7404           JE SHORT AutoRunP.005594C5
005594C1  > 33C0           XOR EAX, EAX                    ; = 0
005594C3  . EB02           JMP SHORT AutoRunP.005594C7
005594C5  > B001           MOV AL, 1                       ; = 1
005594C7  > 8845FF         MOV BYTE PTR [EBP-1], AL        ; save the registration flag
005594CA  . 807DFF00       CMP BYTE PTR [EBP-1], 0         ; is the registration flag 0?
005594CE  . 7428           JE SHORT AutoRunP.005594F8
005594D0  . 837DDC00       CMP DWORD PTR [EBP-24], 0       ; is the other registration flag 0?
005594D4  . 750A           JNZ SHORT AutoRunP.005594E0

The program checks them like this: the serial and the key each consist of 16 characters.

1. Check that the first four characters of the serial are "0018"; the last character of the serial must not be '0'.

2. Fill the serial into inbuff. Note that because the program transfers it as dwords, the low byte comes first in memory and the high byte last, so my serial appears in the buffer as:
0012F104  EF CD 78 56 34 12 18 00 EF CD 78 56 34 12 18 00

3. The data in inbuff goes through the modified MD5 encoding, giving:
0012F104  E5 F9 0F 72 A3 46 9E 09 B2 5A AB E3 43 EE 3D 3F

4. Reading this result from the end, the string "3F3DEE43AB5AB209" is a key that passes the check for this serial, but at this point the serial itself has not been verified yet, so a key generated from the serial only gets past the first jump.

5. The program leaves the serial verification until last.

----------------------------------------------------------------------------------------

Roughly following the serial generation: the first four characters must be "0018", the middle eight are generated from the username, and the last four are arbitrary.

Follow the CALL AutoRunP.0051F0BC at 005594B8 to arrive at:

0051F0E6  |. 8B45EC         MOV EAX, DWORD PTR [EBP-14]
0051F0E9  |. E80656EEFF     CALL AutoRunP.004046F4         ; get the length of name (Length)
0051F0EE  |. 2507000080     AND EAX, 80000007              ; length % 8, preparing the message grouping below
0051F0F3  |. 7905           JNS SHORT AutoRunP.0051F0FA
0051F0F5  |. 48             DEC EAX
0051F0F6  |. 83C8F8         OR EAX, FFFFFFF8
0051F0F9  |. 40             INC EAX
0051F0FA  |> BA08000000     MOV EDX, 8
0051F0FF  |. 2BD0           SUB EDX, EAX                   ; 8 - remainder = number of zeros to append after the username
0051F101  |. 8BC2           MOV EAX, EDX
0051F103  |. 8BD8           MOV EBX, EAX
0051F105  |. 85DB           TEST EBX, EBX
0051F107  |. 7E10           JLE SHORT AutoRunP.0051F119
0051F109  |> 8D45EC         /LEA EAX, DWORD PTR [EBP-14]
0051F10C  |. BAB0F15100     |MOV EDX, AutoRunP.0051F1B0
0051F111  |. E8E655EEFF     |CALL AutoRunP.004046FC        ; append a zero after the username
0051F116  |. 4B             |DEC EBX
0051F117  |.^75F0           \JNZ SHORT AutoRunP.0051F109

Be careful here: even when the username length is already a multiple of 8, eight zeros are still appended; when it is not a multiple of 8, the zero padding brings it up to one. After padding, the username length should be a multiple of 8.

0051F119  |> 8B45EC         MOV EAX, DWORD PTR [EBP-14]
0051F11C  |. E8D355EEFF     CALL AutoRunP.004046F4
0051F121  |. 33D2           XOR EDX, EDX
0051F123  |. 8955FC         MOV DWORD PTR [EBP-4], EDX
0051F126  |. 33D2           XOR EDX, EDX
0051F128  |. 8955F8         MOV DWORD PTR [EBP-8], EDX
0051F12B  |. 8BD8           MOV EBX, EAX
0051F12D  |. 85DB           TEST EBX, EBX
0051F12F  |. 7903           JNS SHORT AutoRunP.0051F134
0051F131  |. 83C307         ADD EBX, 7
0051F134  |> C1FB03         SAR EBX, 3
0051F137  |. 4B             DEC EBX
0051F138  |. 85DB           TEST EBX, EBX
0051F13A  |. 7C3E           JL SHORT AutoRunP.0051F17A
0051F13C  |. 43             INC EBX
0051F13D  |. 33F6           XOR ESI, ESI
0051F13F  |> 8D45E8         /LEA EAX, DWORD PTR [EBP-18]
0051F142  |. 50             |PUSH EAX
0051F143  |. 8BD6           |MOV EDX, ESI
0051F145  |. C1E203         |SHL EDX, 3
0051F148  |. 42             |INC EDX
0051F149  |. B908000000     |MOV ECX, 8
0051F14E  |. 8B45EC         |MOV EAX, DWORD PTR [EBP-14]
0051F151  |. E8FE57EEFF     |CALL AutoRunP.00404954        ; take each group of the split message, 8 characters per group
0051F156  |. 8B45E8         |MOV EAX, DWORD PTR [EBP-18]
0051F159  |. 8D4DF0         |LEA ECX, DWORD PTR [EBP-10]
0051F15C  |. 8D55F4         |LEA EDX, DWORD PTR [EBP-C]
0051F15F  |. E8D0FEFFFF     |CALL AutoRunP.0051F034        ; reverse the 8 characters and write them into the high 64 bits of inbuff
0051F164  |. 8D45F0         |LEA EAX, DWORD PTR [EBP-10]
0051F167  |. 50             |PUSH EAX
0051F168  |. 8D4DF4         |LEA ECX, DWORD PTR [EBP-C]
0051F16B  |. 8D55F8         |LEA EDX, DWORD PTR [EBP-8]
0051F16E  |. 8D45FC         |LEA EAX, DWORD PTR [EBP-4]
0051F171  |. E85E000000     |CALL AutoRunP.0051F1D4        ; MD5(inbuff)
0051F176  |. 46             |INC ESI
0051F177  |. 4B             |DEC EBX
0051F178  |.^75C5           \JNZ SHORT AutoRunP.0051F13F
0051F17A  |> 8B5DFC         MOV EBX, DWORD PTR [EBP-4]
0051F17D  |. 33C0           XOR EAX, EAX

So here the username is zero-padded to a multiple of 8 bytes and split into n groups; each group of the message in turn overwrites the first 8 bytes of inbuff, which is then MD5-encoded, and this loops n times.

----------------------------------------------------------------------------------------

To write the keygen you must follow CALL AutoRunP.0051F034 and then the MD5 function:

0051F1FF  |. 64:8920        MOV DWORD PTR FS:[EAX], ESP
0051F202  |. C745E46745>    MOV DWORD PTR [EBP-1C], 1234567     ; pass the four chaining variables (already modified)
0051F209  |. C745E8EFCD>    MOV DWORD PTR [EBP-18], 89ABCDE>
0051F210  |. C745ECDCFE>    MOV DWORD PTR [EBP-14], BA98FED>
0051F217  |. C745F02143>    MOV DWORD PTR [EBP-10], 7650432>

★★★★★ Modification 1 ★★★★★

These are no longer:
A=0x67452301
B=0xefcdab89
C=0x98badcfe
D=0x10325476
so we have found one modification.

0051F21E  |. 8B45F0         MOV EAX, DWORD PTR [EBP-10]
0051F221  |. 8903           MOV DWORD PTR [EBX], EAX       ; copies of the four chaining variables
0051F223  |. 8B45EC         MOV EAX, DWORD PTR [EBP-14]
0051F226  |. 8906           MOV DWORD PTR [ESI], EAX       ; copies of the four chaining variables
0051F228  |. 8B45E8         MOV EAX, DWORD PTR [EBP-18]
0051F22B  |. 8907           MOV DWORD PTR [EDI], EAX       ; copies of the four chaining variables
0051F22D  |. 8B45E4         MOV EAX, DWORD PTR [EBP-1C]
0051F230  |. 8945D4         MOV DWORD PTR [EBP-2C], EAX    ; copies of the four chaining variables
0051F233  |. 6A10           PUSH 10
0051F235  |. 8D45D0         LEA EAX, DWORD PTR [EBP-30]
0051F238  |. B901000000     MOV ECX, 1
0051F23D  |. 8B15B4F15100   MOV EDX, DWORD PTR [51F1B4]    ; AutoRunP.0051F1B8
0051F243  |. E87465EEFF     CALL AutoRunP.004057BC
0051F248  |. 83C404         ADD ESP, 4                     ; below, the 128-bit message is filled out to 512 bits
0051F24B  |. 8B45FC         MOV EAX, DWORD PTR [EBP-4]
0051F24E  |. 8B00           MOV EAX, DWORD PTR [EAX]
0051F250  |. 8B55D0         MOV EDX, DWORD PTR [EBP-30]
0051F253  |. 8902           MOV DWORD PTR [EDX], EAX       ; fill
………………… (16 fills in total)
0051F2EF  |. 8B45FC         MOV EAX, DWORD PTR [EBP-4]
0051F2F2  |. 8B00           MOV EAX, DWORD PTR [EAX]
0051F2F4  |. 8B55D0         MOV EDX, DWORD PTR [EBP-30]
0051F2F7  |. 89423C         MOV DWORD PTR [EDX+3C], EAX    ; fill
0051F2FA  |. 8B45D4         MOV EAX, DWORD PTR [EBP-2C]


★★★★★ Modification 2 ★★★★★

This differs from standard MD5 padding: it does not append a 1 bit after the message, pad with zeros and finally append the message length.

Instead the message is split into four dwords and filled out to 512 bits in the order reversed, forward, reversed, forward.

For example, if the message is:
0012F104  31 32 33 34 35 36 37 38 39 30 41 42 43 44 45 46   1234567890ABCDEF

after filling it is:
0106CF74  43 44 45 46 39 30 41 42 35 36 37 38 31 32 33 34   CDEF90AB56781234
0106CF84  31 32 33 34 35 36 37 38 39 30 41 42 43 44 45 46   1234567890ABCDEF
0106CF94  43 44 45 46 39 30 41 42 35 36 37 38 31 32 33 34   CDEF90AB56781234
0106CFA4  31 32 33 34 35 36 37 38 39 30 41 42 43 44 45 46   1234567890ABCDEF

//------------- round 1 -------------//
0051F2FD  |. 50             PUSH EAX                       ; /Arg4
0051F2FE  |. 8B45D0         MOV EAX, DWORD PTR [EBP-30]    ; |
0051F301  |. 8B00           MOV EAX, DWORD PTR [EAX]       ; |
0051F303  |. 50             PUSH EAX                       ; |Arg3
0051F304  |. 6A07           PUSH 7                         ; |Arg2 = 00000007
0051F306  |. 6878A46AD7     PUSH D76AA478                  ; |Arg1 = D76AA478
0051F30B  |. 8BC3           MOV EAX, EBX                   ; |
0051F30D  |. 8B0F           MOV ECX, DWORD PTR [EDI]       ; |
0051F30F  |. 8B16           MOV EDX, DWORD PTR [ESI]       ; |
0051F311  |. E8CE070000     CALL AutoRunP.0051FAE4         ; \AutoRunP.0051FAE4
0051F316  |. 8B07           MOV EAX, DWORD PTR [EDI]
…………………
0051F4C2  |. 8B17           MOV EDX, DWORD PTR [EDI]       ; |
0051F4C4  |. E81B060000     CALL AutoRunP.0051FAE4         ; \AutoRunP.0051FAE4
0051F4C9  |. 8B45D4         MOV EAX, DWORD PTR [EBP-2C]

//------------- round 2 -------------//
0051F4CC  |. 50             PUSH EAX                       ; /Arg4
0051F4CD  |. 8B45D0         MOV EAX, DWORD PTR [EBP-30]    ; |
0051F4D0  |. 8B4004         MOV EAX, DWORD PTR [EAX+4]     ; |
0051F4D3  |. 50             PUSH EAX                       ; |Arg3
0051F4D4  |. 6A05           PUSH 5                         ; |Arg2 = 00000005
0051F4D6  |. 6862251EF6     PUSH F61E2562                  ; |Arg1 = F61E2562
0051F4DB  |. 8BC3           MOV EAX, EBX                   ; |
0051F4DD  |. 8B0F           MOV ECX, DWORD PTR [EDI]       ; |
0051F4DF  |. 8B16           MOV EDX, DWORD PTR [ESI]       ; |
0051F4E1  |. E83A060000     CALL AutoRunP.0051FB20         ; \AutoRunP.0051FB20
0051F4E6  |. 8B07           MOV EAX, DWORD PTR [EDI]
…………………
0051F691  |. 8B17           MOV EDX, DWORD PTR [EDI]       ; |
0051F693  |. E888040000     CALL AutoRunP.0051FB20         ; \AutoRunP.0051FB20
0051F698  |. 8B45D4         MOV EAX, DWORD PTR [EBP-2C]

//------------- round 3 -------------//
0051F69B  |. 50             PUSH EAX                       ; /Arg4
0051F69C  |. 8B45D0         MOV EAX, DWORD PTR [EBP-30]    ; |
0051F69F  |. 8B4014         MOV EAX, DWORD PTR [EAX+14]    ; |
0051F6A2  |. 50             PUSH EAX                       ; |Arg3
0051F6A3  |. 6A04           PUSH 4                         ; |Arg2 = 00000004
0051F6A5  |. 684239FAFF     PUSH FFFA3942                  ; |Arg1 = FFFA3942
0051F6AA  |. 8BC3           MOV EAX, EBX                   ; |
0051F6AC  |. 8B0F           MOV ECX, DWORD PTR [EDI]       ; |
0051F6AE  |. 8B16           MOV EDX, DWORD PTR [ESI]       ; |
0051F6B0  |. E8A7040000     CALL AutoRunP.0051FB5C         ; \AutoRunP.0051FB5C
0051F6B5  |. 8B07           MOV EAX, DWORD PTR [EDI]
…………………
0051F860  |. 8B17           MOV EDX, DWORD PTR [EDI]       ; |
0051F862  |. E8F5020000     CALL AutoRunP.0051FB5C         ; \AutoRunP.0051FB5C
0051F867  |. 8B45D4         MOV EAX, DWORD PTR [EBP-2C]

//------------- round 4 -------------//
0051F86A  |. 50             PUSH EAX                       ; /Arg4
0051F86B  |. 8B45D0         MOV EAX, DWORD PTR [EBP-30]    ; |
0051F86E  |. 8B00           MOV EAX, DWORD PTR [EAX]       ; |
0051F870  |. 50             PUSH EAX                       ; |Arg3
0051F871  |. 6A06           PUSH 6                         ; |Arg2 = 00000006
0051F873  |. 68442229F4     PUSH F4292244                  ; |Arg1 = F4292244
0051F878  |. 8BC3           MOV EAX, EBX                   ; |
0051F87A  |. 8B0F           MOV ECX, DWORD PTR [EDI]       ; |
0051F87C  |. 8B16           MOV EDX, DWORD PTR [ESI]       ; |
0051F87E  |. E815030000     CALL AutoRunP.0051FB98         ; \AutoRunP.0051FB98
0051F883  |. 8B07           MOV EAX, DWORD PTR [EDI]
…………………
0051FA2F  |. 8B17           MOV EDX, DWORD PTR [EDI]       ; |
0051FA31  |. E862010000     CALL AutoRunP.0051FB98         ; \AutoRunP.0051FB98
0051FA36  |. 8B45F0         MOV EAX, DWORD PTR [EBP-10]

0051FA39  |. 0303           ADD EAX, DWORD PTR [EBX]       ; +d
0051FA3B  |. 8B55FC         MOV EDX, DWORD PTR [EBP-4]
0051FA3E  |. 8902           MOV DWORD PTR [EDX], EAX       ; save
0051FA40  |. 8B45EC         MOV EAX, DWORD PTR [EBP-14]
0051FA43  |. 0306           ADD EAX, DWORD PTR [ESI]       ; +c
0051FA45  |. 8B55F8         MOV EDX, DWORD PTR [EBP-8]
0051FA48  |. 8902           MOV DWORD PTR [EDX], EAX       ; save
0051FA4A  |. 8B45E8         MOV EAX, DWORD PTR [EBP-18]
0051FA4D  |. 0307           ADD EAX, DWORD PTR [EDI]       ; +b
0051FA4F  |. 8B55F4         MOV EDX, DWORD PTR [EBP-C]
0051FA52  |. 8902           MOV DWORD PTR [EDX], EAX       ; save
0051FA54  |. 8B45E4         MOV EAX, DWORD PTR [EBP-1C]
0051FA57  |. 0345D4         ADD EAX, DWORD PTR [EBP-2C]    ; +a
0051FA5A  |. 8B5508         MOV EDX, DWORD PTR [EBP+8]
0051FA5D  |. 8902           MOV DWORD PTR [EDX], EAX       ; save

★★★★★ Modification 3 ★★★★★

Following the calls shows that the hash function itself is unmodified, but the order in which the chaining variables enter the computation has changed.

----------------------------------------------------------------------------------------

【Cracking notes】

To obtain a correct serial and key, follow this procedure:

First zero-pad the username and split it into n groups, reverse each group, use each group in turn to overwrite the first 8 bytes of inbuff and MD5-encode it; after n iterations, the last 32 bits of the result, taken as a dword and converted to hexadecimal text, become the middle 8 characters of the serial.

Then prefix "0018" and append any 4 hexadecimal characters, 16 characters in total, as the serial.

Fill the serial into the high 64 bits of inbuff and also into the low 64 bits; MD5(inbuff) gives the key.

This MD5 has three modifications, nothing novel, the same old tricks:
(1) the four variables are modified
(2) the data padding is modified
(3) the order of the variables entering the hash computation is modified; the hash itself is not.
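As an added illustration of the three modifications and of the procedure above (this script is not from the post or its keygen), the following Python implements one standard MD5 compression parameterised by IV, block layout and register order, cross-checks the standard configuration against hashlib, and then switches on the three deviations documented above. It assumes the constants read from the disassembly and uses the post's 16-byte inbuff as sample input.

```python
import hashlib
import math
import struct
from typing import Dict, List, Sequence, Tuple

MASK = 0xFFFFFFFF
STD_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# Modification 1: the chaining constants as read from the disassembly in the post.
VAR_IV = (0x01234567, 0x89ABCDEF, 0xBA98FEDC, 0x76504321)
# Per-step constants and rotations are the standard ones (the post found no change here).
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md5_compress(regs: Sequence[int], x: Sequence[int]) -> Tuple[int, ...]:
    """Standard MD5 compression of one 16-word block into registers (a, b, c, d)."""
    a, b, c, d = regs
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (b & d) | (c & ~d), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        t = (a + (f & MASK) + K[i] + x[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(t, S[i])) & MASK
    return tuple((r + iv) & MASK for r, iv in zip((a, b, c, d), regs))


def std_block(msg: bytes) -> List[int]:
    """Standard padding for a single-block message (len <= 55):
    0x80, zeros, then the 64-bit little-endian bit length."""
    padded = msg + b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack("<Q", 8 * len(msg))
    return list(struct.unpack("<16I", padded))


def variant_block(msg: bytes) -> List[int]:
    """Modification 2: the four message dwords fill the 512-bit block as
    reversed, forward, reversed, forward (no 0x80 bit, no length field)."""
    w = list(struct.unpack("<4I", msg))
    return w[::-1] + w + w[::-1] + w


def md5_standard(msg: bytes) -> bytes:
    return struct.pack("<4I", *md5_compress(STD_IV, std_block(msg)))


def md5_variant(msg: bytes) -> bytes:
    """The program's variant on a 16-byte inbuff, digest in the post's state[0..3] order.
    Modification 3: the rounds are unchanged, but the chaining variables enter them as
    (state[3], state[2], state[1], state[0]) and are written back in state order,
    i.e. the register order is reversed on the way in and on the way out."""
    a, b, c, d = md5_compress(VAR_IV[::-1], variant_block(msg))
    return struct.pack("<4I", d, c, b, a)


def cross_check(msg: bytes) -> Dict[str, bool]:
    """The differential test a reverser runs on a reimplementation: with standard
    parameters it must agree with hashlib; with the three modifications it must not."""
    ref = hashlib.md5(msg).digest()
    return {"standard_matches_hashlib": md5_standard(msg) == ref,
            "variant_differs": md5_variant(msg) != ref}


if __name__ == "__main__":
    # Constructed sample input: the post's inbuff for serial "001812345678cdef" (b a b a layout).
    inbuff = bytes.fromhex("EFCD785634121800" * 2)
    print(cross_check(inbuff), md5_variant(inbuff).hex().upper())
```

The post's own memory dump (inbuff EFCD785634121800 repeated twice, result E5F90F72 A3469E09 B25AABE3 43EE3D3F) is the reference to compare the printed variant digest against.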

----------------------------------------------------------------------------------------

【Keygen source】

Because the program only MD5-encodes 128-bit messages, I did not use a class, to keep it easy to edit; just read it directly.

// (the MFC dialog headers for CkeygenDlg go here)
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Handler for the Generate button
void CkeygenDlg::OnOK()
{
    // TODO: Add extra validation here
    CkeygenDlg::OnChangeEdit1();
}

void CkeygenDlg::OnChangeEdit1()
{
    // TODO: If this is a RICHEDIT control, the control will not
    // send this notification unless you override the CDialog::OnInitDialog()
    // function and call CRichEditCtrl().SetEventMask()
    // with the ENM_CHANGE flag ORed into the mask.

    // TODO: Add your control notification handler code here
    UpdateData(true);
    Beep(1000, 50);
    char inbuff[16] = {0}, name[12];
    unsigned long state[4];
    int i, n, namelen;

    // process the username
    namelen = m_Edit1.GetLength();
    n = namelen >> 3;
    for (i = 0; i < n; i++) {
        strcpy(name, m_Edit1.Mid(i << 3, 8));   // take 8 characters of the username
        strrev(name);                           // reverse the order of the 8 characters
        memcpy(inbuff, name, 8);                // copy into the high 64 bits of the message to be hashed
        MD5(inbuff, state);                     // MD5 encode
        memcpy(inbuff, state, 16);              // replace the message to be hashed
    }
    n = namelen & 7;                            // check whether the username has been fully processed
    strcpy(name, m_Edit1.Mid(i << 3, n));       // take the remaining characters
    strrev(name);                               // reverse the remaining characters
    i = 8 - n;                                  // number of zeros to pad
    memset(inbuff, 0, i);                       // write the zeros into the message
    memcpy(inbuff + i, name, n);                // write the reversed characters into the message
    MD5(inbuff, state);                         // MD5 encode
    m_Edit2.Format("%08X", state[3]);           // state[3] as a hex string becomes part of the serial
    m_Edit2.Insert(0, "0018");                  // insert "0018" at the front of the serial
    n = rand() | 1;                             // last four serial characters are arbitrary, but the last hex digit must not be '0'
    sprintf(inbuff, "%04X", n);
    m_Edit2 += inbuff;                          // append them and hand the serial to the edit box

    memcpy(inbuff, &n, 2);
    memcpy(inbuff + 2, state + 3, 4);
    inbuff[6] = char(0x18);
    inbuff[7] = char(0);
    memcpy(inbuff + 8, inbuff, 8);              // fill the serial into inbuff

    MD5(inbuff, state);                         // MD5 encode the serial
    sprintf(inbuff, "%08X", state[2]);
    m_Edit3.Format("%08X", state[3]);           // state[3] and state[2] form the key
    m_Edit3 += inbuff;                          // hand the key to the edit box
    UpdateData(false);
}

// Fill the 128-bit message out to 512 bits, i.e. 16 integers
void CkeygenDlg::FillBuff(unsigned long *buff, char *inbuff)
{
    unsigned long *from = (unsigned long *)inbuff;
    buff[3]  = *from; buff[2]  = *(from + 1); buff[1]  = *(from + 2); buff[0]  = *(from + 3);
    buff[4]  = *from; buff[5]  = *(from + 1); buff[6]  = *(from + 2); buff[7]  = *(from + 3);
    buff[11] = *from; buff[10] = *(from + 1); buff[9]  = *(from + 2); buff[8]  = *(from + 3);
    buff[12] = *from; buff[13] = *(from + 1); buff[14] = *(from + 2); buff[15] = *(from + 3);
}

// The four round functions, 1: FF
unsigned long CkeygenDlg::FF(unsigned long a, unsigned long b, unsigned long c, unsigned long d, unsigned long x, byte s, unsigned long ac)
{
    a = ((b & c) | ((~b) & d)) + a + x + ac;
    a = (a << s) | (a >> (32 - s));
    a += b;
    return a;
}

// The four round functions, 2: GG
unsigned long CkeygenDlg::GG(unsigned long a, unsigned long b, unsigned long c, unsigned long d, unsigned long x, byte s, unsigned long ac)
{
    a = ((b & d) | (c & (~d))) + a + x + ac;
    a = (a << s) | (a >> (32 - s));
    a += b;
    return a;
}

// The four round functions, 3: HH
unsigned long CkeygenDlg::HH(unsigned long a, unsigned long b, unsigned long c, unsigned long d, unsigned long x, byte s, unsigned long ac)
{
    a = (b ^ c ^ d) + a + x + ac;
    a = (a << s) | (a >> (32 - s));
    a += b;
    return a;
}

// The four round functions, 4: II
unsigned long CkeygenDlg::II(unsigned long a, unsigned long b, unsigned long c, unsigned long d, unsigned long x, byte s, unsigned long ac)
{
    a = (c ^ (b | (~d))) + a + x + ac;
    a = (a << s) | (a >> (32 - s));
    a += b;
    return a;
}

// MD5 main routine: the message to be hashed is in inbuff, the result is stored in state[4]
void CkeygenDlg::MD5(char *inbuff, unsigned long *state)
{
    unsigned long context[16];
    state[0] = 0x1234567;
    state[1] = 0x89ABCDEF;
    state[2] = 0xBA98FEDC;
    state[3] = 0x76504321;
    FillBuff(context, inbuff);
    //------------- round 1 -------------//
    state[3] = FF(state[3], state[2], state[1], state[0], context[0],  7,  0xd76aa478);   // -1
    state[0] = FF(state[0], state[3], state[2], state[1], context[1],  12, 0xe8c7b756);   // -2
    state[1] = FF(state[1], state[0], state[3], state[2], context[2],  17, 0x242070db);   // -3
    state[2] = FF(state[2], state[1], state[0], state[3], context[3],  22, 0xc1bdceee);   // -4
    state[3] = FF(state[3], state[2], state[1], state[0], context[4],  7,  0xf57c0faf);   // -5
    state[0] = FF(state[0], state[3], state[2], state[1], context[5],  12, 0x4787c62a);   // -6
    state[1] = FF(state[1], state[0], state[3], state[2], context[6],  17, 0xa8304613);   // -7
    state[2] = FF(state[2], state[1], state[0], state[3], context[7],  22, 0xfd469501);   // -8
    state[3] = FF(state[3], state[2], state[1], state[0], context[8],  7,  0x698098d8);   // -9
    state[0] = FF(state[0], state[3], state[2], state[1], context[9],  12, 0x8b44f7af);   // -10
    state[1] = FF(state[1], state[0], state[3], state[2], context[10], 17, 0xffff5bb1);   // -11
    state[2] = FF(state[2], state[1], state[0], state[3], context[11], 22, 0x895cd7be);   // -12
    state[3] = FF(state[3], state[2], state[1], state[0], context[12], 7,  0x6b901122);   // -13
    state[0] = FF(state[0], state[3], state[2], state[1], context[13], 12, 0xfd987193);   // -14
    state[1] = FF(state[1], state[0], state[3], state[2], context[14], 17, 0xa679438e);   // -15
    state[2] = FF(state[2], state[1], state[0], state[3], context[15], 22, 0x49b40821);   // -16

    //------------- round 2 -------------//
    state[3] = GG(state[3], state[2], state[1], state[0], context[1],  5,  0xf61e2562);   // -17
    state[0] = GG(state[0], state[3], state[2], state[1], context[6],  9,  0xc040b340);   // -18
    state[1] = GG(state[1], state[0], state[3], state[2], context[11], 14, 0x265e5a51);   // -19
    state[2] = GG(state[2], state[1], state[0], state[3], context[0],  20, 0xe9b6c7aa);   // -20
    state[3] = GG(state[3], state[2], state[1], state[0], context[5],  5,  0xd62f105d);   // -21
    state[0] = GG(state[0], state[3], state[2], state[1], context[10], 9,  0x2441453);    // -22
    state[1] = GG(state[1], state[0], state[3], state[2], context[15], 14, 0xd8a1e681);   // -23
    state[2] = GG(state[2], state[1], state[0], state[3], context[4],  20, 0xe7d3fbc8);   // -24
    state[3] = GG(state[3], state[2], state[1], state[0], context[9],  5,  0x21e1cde6);   // -25
    state[0] = GG(state[0], state[3], state[2], state[1], context[14], 9,  0xc33707d6);   // -26
    state[1] = GG(state[1], state[0], state[3], state[2], context[3],  14, 0xf4d50d87);   // -27
    state[2] = GG(state[2], state[1], state[0], state[3], context[8],  20, 0x455a14ed);   // -28
    state[3] = GG(state[3], state[2], state[1], state[0], context[13], 5,  0xa9e3e905);   // -29
    state[0] = GG(state[0], state[3], state[2], state[1], context[2],  9,  0xfcefa3f8);   // -30
    state[1] = GG(state[1], state[0], state[3], state[2], context[7],  14, 0x676f02d9);   // -31
    state[2] = GG(state[2], state[1], state[0], state[3], context[12], 20, 0x8d2a4c8a);   // -32

    //------------- round 3 -------------//
    state[3] = HH(state[3], state[2], state[1], state[0], context[5],  4,  0xfffa3942);   // -33
    state[0] = HH(state[0], state[3], state[2], state[1], context[8],  11, 0x8771f681);   // -34
    state[1] = HH(state[1], state[0], state[3], state[2], context[11], 16, 0x6d9d6122);   // -35
    state[2] = HH(state[2], state[1], state[0], state[3], context[14], 23, 0xfde5380c);   // -36
    state[3] = HH(state[3], state[2], state[1], state[0], context[1],  4,  0xa4beea44);   // -37
    state[0] = HH(state[0], state[3], state[2], state[1], context[4],  11, 0x4bdecfa9);   // -38
    state[1] = HH(state[1], state[0], state[3], state[2], context[7],  16, 0xf6bb4b60);   // -39
    state[2] = HH(state[2], state[1], state[0], state[3], context[10], 23, 0xbebfbc70);   // -40
    state[3] = HH(state[3], state[2], state[1], state[0], context[13], 4,  0x289b7ec6);   // -41
    state[0] = HH(state[0], state[3], state[2], state[1], context[0],  11, 0xeaa127fa);   // -42
    state[1] = HH(state[1], state[0], state[3], state[2], context[3],  16, 0xd4ef3085);   // -43
    state[2] = HH(state[2], state[1], state[0], state[3], context[6],  23, 0x4881d05);    // -44
    state[3] = HH(state[3], state[2], state[1], state[0], context[9],  4,  0xd9d4d039);   // -45
    state[0] = HH(state[0], state[3], state[2], state[1], context[12], 11, 0xe6db99e5);   // -46
    state[1] = HH(state[1], state[0], state[3], state[2], context[15], 16, 0x1fa27cf8);   // -47
    state[2] = HH(state[2], state[1], state[0], state[3], context[2],  23, 0xc4ac5665);   // -48

    //------------- round 4 -------------//
    state[3] = II(state[3], state[2], state[1], state[0], context[0],  6,  0xf4292244);   // -49
    state[0] = II(state[0], state[3], state[2], state[1], context[7],  10, 0x432aff97);   // -50
    state[1] = II(state[1], state[0], state[3], state[2], context[14], 15, 0xab9423a7);   // -51
    state[2] = II(state[2], state[1], state[0], state[3], context[5],  21, 0xfc93a039);   // -52
    state[3] = II(state[3], state[2], state[1], state[0], context[12], 6,  0x655b59c3);   // -53
    state[0] = II(state[0], state[3], state[2], state[1], context[3],  10, 0x8f0ccc92);   // -54
    state[1] = II(state[1], state[0], state[3], state[2], context[10], 15, 0xffeff47d);   // -55
    state[2] = II(state[2], state[1], state[0], state[3], context[1],  21, 0x85845dd1);   // -56
    state[3] = II(state[3], state[2], state[1], state[0], context[8],  6,  0x6fa87e4f);   // -57
    state[0] = II(state[0], state[3], state[2], state[1], context[15], 10, 0xfe2ce6e0);   // -58
    state[1] = II(state[1], state[0], state[3], state[2], context[6],  15, 0xa3014314);   // -59
    state[2] = II(state[2], state[1], state[0], state[3], context[13], 21, 0x4e0811a1);   // -60
    state[3] = II(state[3], state[2], state[1], state[0], context[4],  6,  0xf7537e82);   // -61
    state[0] = II(state[0], state[3], state[2], state[1], context[11], 10, 0xbd3af235);   // -62
    state[1] = II(state[1], state[0], state[3], state[2], context[2],  15, 0x2ad7d2bb);   // -63
    state[2] = II(state[2], state[1], state[0], state[3], context[9],  21, 0xeb86d391);   // -64

    state[0] += 0x1234567;
    state[1] += 0x89ABCDEF;
    state[2] += 0xBA98FEDC;
    state[3] += 0x76504321;
}

----------------------------------------------------------------------------------------
【Cracking statement】I'm just a little newbie who picked up a bit of insight and wants to share it with everyone :)

【Copyright notice】This article is purely for technical exchange; when reposting please credit the author and keep the article intact, thank you!
----------------------------------------------------------------------------------------
Article written on 2006-1-21 18:10:17
