
教你用IDA做注册机

2014-03-24 06:27 工业·编程 ⁄ 共 25169字 ⁄ 字号 暂无评论

前些天看国外的一些写注册机的文章,发现不少人喜欢用IDA反汇编后直接使用IDA反汇编出来的代码,其实这个可能有很多人很早就用了。但是我使用的时候发现了一些问题:一般如果是像MD5,SHA等散列函数有变形的话,直接用IDA反汇编后的代码是很好的,这样就不用去分析变形在哪些地方.还有就是一般如blowfish,DES等,这种情况用IDA反汇编后会有很多数据,如blowfish的pbox,sbox,但是如果还是有变形的话,用IDA也是不错的.

IDA做注册机的一些我认为重要的地方

(1):变量一定要和IDA里面的完全一样,下面我举例的Crackme里用到DES算法,DES里面数据很多也很容易出错.

(2):变量定义的位置,这个最好和IDA里一样.

下面举例用Nuke's tutorial1分析一下写注册机的步骤

[代码分析 :]

; Review notes (IDA listing of a 32-bit Windows dialog procedure; stdcall,
; stack args: hWnd, arg_4 = uMsg, arg_8 = LOWORD(wParam)):
; - The 8-byte DES key is assembled on the stack at 00402369..00402385, so it
;   ships inside the executable; any check whose secret is in the binary can be
;   reproduced by whoever has the binary. A scheme that verifies a signature
;   made with a key the program never holds does not share this weakness.
; - An SEH frame (__except_handler3) is installed at 00402343..00402356 and
;   torn down in both epilogues; var_18 keeps the esp the handler restores.
; - The listing is interrupted after 0040246F by the nested Hex_Serial listing
;   and resumes at 00402474.
.shrink:00402340 ; BOOL __stdcall DialogFunc(HWND,UINT,WPARAM,LPARAM)

.shrink:00402340 DialogFunc      proc  near               ; DATA XREF: WinMain(x,x,x,x)+Co

.shrink:00402340

.shrink:00402340 var_D0          = dword ptr  -0D0h       ; bytes decoded from the serial text (Hex_Serial output)

.shrink:00402340 var_9C          = byte ptr  -9Ch         ; decimal text of the machine code (__itoa output)

.shrink:00402340 String          = byte ptr  -68h         ; serial text, 32h bytes; later overwritten by the DES output

.shrink:00402340 var_58          = byte ptr  -58h         ; = String + 10h

.shrink:00402340 var_34          = dword ptr  -34h

.shrink:00402340 var_30          = dword ptr  -30h

.shrink:00402340 lpText          = dword ptr  -2Ch

.shrink:00402340 var_28          = dword ptr  -28h

.shrink:00402340 var_24          = byte ptr  -24h         ; DES key, 8 bytes var_24..var_1D

.shrink:00402340 var_22          = byte ptr  -22h

.shrink:00402340 var_21          = byte ptr  -21h

.shrink:00402340 var_20          = byte ptr  -20h

.shrink:00402340 var_1F          = byte ptr  -1Fh

.shrink:00402340 var_1E          = byte ptr  -1Eh

.shrink:00402340 var_1D          = byte ptr  -1Dh

.shrink:00402340 VolumeSerialNumber= dword ptr  -1Ch      ; the "machine code"

.shrink:00402340 var_18          = dword ptr  -18h        ; esp saved for the SEH handler

.shrink:00402340 var_10          = dword ptr  -10h        ; previous fs:0 (SEH chain link)

.shrink:00402340 var_4           = dword ptr  -4          ; SEH try level

.shrink:00402340 hWnd            = dword ptr   8

.shrink:00402340 arg_4           = dword ptr   0Ch        ; uMsg

.shrink:00402340 arg_8           = word ptr   10h         ; LOWORD(wParam): control id

.shrink:00402340

.shrink:00402340                 push ebp

.shrink:00402341                 mov ebp , esp

.shrink:00402343                 push     0FFFFFFFFh      ; SEH: initial try level -1

.shrink:00402345                 push offset  unk_412580  ; SEH: scope table

.shrink:0040234A                 push offset  __except_handler3

.shrink:0040234F                 mov eax , large fs :0    ; link this frame into the thread's SEH chain

.shrink:00402355                 push eax

.shrink:00402356                 mov      large fs :0, esp

.shrink:0040235D                 sub esp , 0C0h           ; locals

.shrink:00402363                 push ebx

.shrink:00402364                 push esi

.shrink:00402365                 push edi

.shrink:00402366                 mov      [ebp +var_18], esp ; saved esp, restored by the handler at 0040255D

.shrink:00402369                 mov      [ebp +var_24], 1 ; DES key: the 8 bytes 1,9,8,0,9,1,7,0 (var_24..var_1D)

.shrink:0040236D                 mov al , 9

.shrink:0040236F                 mov      [ebp -23h], al   ; key[1] = 9 (slot IDA left unnamed)

.shrink:00402372                 mov      [ebp +var_22], 8

.shrink:00402376                 mov      [ebp +var_21], 0

.shrink:0040237A                 mov      [ebp +var_20], al ; key[4] = 9 (al still holds 9)

.shrink:0040237D                 mov      [ebp +var_1F], 1

.shrink:00402381                 mov      [ebp +var_1E], 7

.shrink:00402385                 mov      [ebp +var_1D], 0

.shrink:00402389                 mov ecx , 0Ch

.shrink:0040238E                 xor eax , eax

.shrink:00402390                 lea edi , [ebp +String]

.shrink:00402393                 rep stosd ; zero String: 12 dwords + 1 word = 50 (32h) bytes, matching nMaxCount below

.shrink:00402395                 stosw

.shrink:00402397                 mov ecx , 0Ch

.shrink:0040239C                 xor eax , eax

.shrink:0040239E                 mov edi , offset  unk_417810 ; zero a 50-byte global buffer the same way

.shrink:004023A3                 rep stosd

.shrink:004023A5                 stosw

.shrink:004023A7                 mov      [ebp +lpText], offset  unk_4124D0 ; default text for the box at 0040254C

.shrink:004023AE                 mov eax , [ebp +arg_4]   ; uMsg

.shrink:004023B1                 sub eax , 110h           ; WM_INITDIALOG (110h)?

.shrink:004023B6                 jz       loc_402590

.shrink:004023BC                 dec eax                  ; WM_COMMAND (111h)?

.shrink:004023BD                 jnz      short loc_4023DA ; anything else: return FALSE

.shrink:004023BF                 movzx eax , [ebp +arg_8] ; control id = LOWORD(wParam)

.shrink:004023C3                 dec eax                  ; id 1 (IDOK)?

.shrink:004023C4                 jz       loc_402582      ; -> EndDialog

.shrink:004023CA                 sub eax , 3E7h           ; id 3E8h?

.shrink:004023CF                 jz       short loc_4023EF ; -> serial check

.shrink:004023D1                 sub eax , 5              ; id 3EDh?

.shrink:004023D4                 jz       loc_40253F      ; -> info box

.shrink:004023DA

.shrink:004023DA loc_4023DA:                             ; CODE XREF: DialogFunc+7Dj

.shrink:004023DA                 xor eax , eax            ; return FALSE: message not handled

.shrink:004023DC                 mov ecx , [ebp +var_10]

.shrink:004023DF                 mov      large fs :0, ecx ; unlink the SEH frame

.shrink:004023E6                 pop edi

.shrink:004023E7                 pop esi

.shrink:004023E8                 pop ebx

.shrink:004023E9                 mov esp , ebp

.shrink:004023EB                 pop ebp

.shrink:004023EC                 retn     10h             ; stdcall: callee pops the four dword args

.shrink:004023EF ; ----------------------------------------------------------------------------

.shrink:004023EF

.shrink:004023EF loc_4023EF:                             ; CODE XREF: DialogFunc+8Fj

.shrink:004023EF                 mov      [ebp +var_4], 0 ; SEH try level 0: faults from here on reach the filter at 00402557

.shrink:004023F6                 lea eax , [ebp +var_24]

.shrink:004023F9                 push eax

.shrink:004023FA                 call     DES_Key_Init    ; expand the key assembled in the prologue

.shrink:004023FF                 add esp , 4

.shrink:00402402                 push     0               ; bSigned

.shrink:00402404                 push     0               ; lpTranslated

.shrink:00402406                 push     3E9h            ; nIDDlgItem

.shrink:0040240B                 mov esi , [ebp +hWnd]

.shrink:0040240E                 push esi ; hDlg

.shrink:0040240F                 call ds :GetDlgItemInt ; machine code shown in control 3E9h, as an integer

.shrink:00402415                 mov      [ebp +VolumeSerialNumber], eax

.shrink:00402418                 push     32h             ; nMaxCount

.shrink:0040241A                 lea ecx , [ebp +String]

.shrink:0040241D                 push ecx ; lpString

.shrink:0040241E                 push     3ECh            ; nIDDlgItem

.shrink:00402423                 push esi ; hDlg

.shrink:00402424                 call ds :GetDlgItemTextA ; serial typed into control 3ECh (at most 32h bytes incl. NUL)

.shrink:0040242A                 lea eax , [ebp +String]

.shrink:0040242D                 lea edx , [eax +1]       ; inline strlen(String) follows

.shrink:00402430

.shrink:00402430 loc_402430:                             ; CODE XREF: DialogFunc+F5j

.shrink:00402430                 mov cl , [eax ]

.shrink:00402432                 inc eax

.shrink:00402433                 test cl , cl

.shrink:00402435                 jnz      short loc_402430

.shrink:00402437                 sub eax , edx ; eax = strlen(String)

.shrink:00402439                 mov      [ebp +var_30], eax ; keep the length (overwritten again at 00402476)

.shrink:0040243C                 test eax , eax

.shrink:0040243E                 jnz      short loc_402464 ; empty serial -> prompt and bail out

.shrink:00402440                 push eax ; uType

.shrink:00402441                 push offset  Caption  ; "warming!"

.shrink:00402446                 push offset  Text     ; "请输入注册 码!"

.shrink:0040244B                 mov edx , ds :hWnd

.shrink:00402451                 push edx ; hWnd

.shrink:00402452                 call ds :MessageBoxA

.shrink:00402458                 mov      [ebp +var_4], 0FFFFFFFFh ; leave the SEH try scope

.shrink:0040245F                 jmp      loc_4025E6

.shrink:00402464 ; ----------------------------------------------------------------------------

.shrink:00402464

.shrink:00402464 loc_402464:                             ; CODE XREF: DialogFunc+FEj

.shrink:00402464                 lea eax , [ebp +var_D0]

.shrink:0040246A                 push eax

.shrink:0040246B                 lea ecx , [ebp +String]

.shrink:0040246E                 push ecx

.shrink:0040246F                 call     Hex_Serial      ; var_D0 = bytes parsed from the serial's hex text; eax = byte count

{

; Hex_Serial(const char *text, unsigned char *out) -- cdecl; returns eax =
; number of bytes written to out. Reads text two hex digits at a time (high
; nibble first), skips 20h (space), and stops at the end of text or when a
; nibble decodes to 10h. The arg offsets 10h/14h already account for the
; three pushes at entry.
; NOTE(review): a character that is not a hex digit is turned into 0FFh
; (sign-extended to -1 by movsx), yet the stop test compares against 10h, so
; non-hex input is not rejected here -- it yields a 0F0h+lo byte instead.
; Confirm against the original source before relying on this routine's
; input validation.
.shrink:00401080 Hex_Serial      proc  near               ; CODE XREF: DialogFunc+12Fp

.shrink:00401080

.shrink:00401080 arg_0           = dword ptr   10h        ; text

.shrink:00401080 arg_4           = dword ptr   14h        ; out

.shrink:00401080

.shrink:00401080                 push ebx

.shrink:00401081                 push esi

.shrink:00401082                 push edi

.shrink:00401083                 mov edi , [esp +arg_0]   ; edi = text

.shrink:00401087                 xor eax , eax            ; eax = output byte count

.shrink:00401089                 mov ecx , edi

.shrink:0040108B                 jmp      short loc_401090

.shrink:0040108B ; ----------------------------------------------------------------------------

.shrink:0040108D                 align 10h

.shrink:00401090

.shrink:00401090 loc_401090:                             ; CODE XREF: Hex_Serial+Bj

.shrink:00401090                                         ; Hex_Serial+15j

.shrink:00401090                 mov dl , [ecx ]          ; inline strlen(text)

.shrink:00401092                 inc ecx

.shrink:00401093                 test dl , dl

.shrink:00401095                 jnz      short loc_401090

.shrink:00401097                 sub ecx , edi

.shrink:00401099                 dec ecx                  ; ecx = strlen(text)

.shrink:0040109A                 mov ebx , ecx            ; ebx = length

.shrink:0040109C                 xor esi , esi            ; esi = read index

.shrink:0040109E                 test ebx , ebx

.shrink:004010A0                 jle      loc_40114B      ; empty text: return 0 (ebp not pushed yet)

.shrink:004010A6                 push ebp

.shrink:004010A7                 mov ebp , [esp +4+arg_4] ; ebp = out (+4 for the push ebp)

.shrink:004010AB                 jmp      short loc_4010B0

.shrink:004010AB ; ----------------------------------------------------------------------------

.shrink:004010AD                 align 10h

.shrink:004010B0

.shrink:004010B0 loc_4010B0:                             ; CODE XREF: Hex_Serial+2Bj

.shrink:004010B0                                         ; Hex_Serial+C4j

.shrink:004010B0                 mov cl , [esi +edi ]   ; cl = text[esi], high nibble

.shrink:004010B3                 inc esi

.shrink:004010B4                 cmp cl , 20h             ; space: skip it

.shrink:004010B7                 jz       loc_401142

.shrink:004010BD                 cmp esi , ebx

.shrink:004010BF                 jge      loc_40114A      ; no second digit left: stop

.shrink:004010C5                 cmp cl , 30h

.shrink:004010C8                 mov dl , [esi +edi ]     ; dl = text[esi+1], low nibble

.shrink:004010CB                 jl       short loc_4010D7

.shrink:004010CD                 cmp cl , 39h

.shrink:004010D0                 jg       short loc_4010D7

.shrink:004010D2                 sub cl , 30h             ; '0'..'9' -> 0..9

.shrink:004010D5                 jmp      short loc_4010F8

.shrink:004010D7 ; ----------------------------------------------------------------------------

.shrink:004010D7

.shrink:004010D7 loc_4010D7:                             ; CODE XREF: Hex_Serial+4Bj

.shrink:004010D7                                         ; Hex_Serial+50j

.shrink:004010D7                 cmp cl , 41h

.shrink:004010DA                 jl       short loc_4010E6

.shrink:004010DC                 cmp cl , 46h

.shrink:004010DF                 jg       short loc_4010E6

.shrink:004010E1                 sub cl , 37h             ; 'A'..'F' -> 10..15

.shrink:004010E4                 jmp      short loc_4010F8

.shrink:004010E6 ; ----------------------------------------------------------------------------

.shrink:004010E6

.shrink:004010E6 loc_4010E6:                             ; CODE XREF: Hex_Serial+5Aj

.shrink:004010E6                                         ; Hex_Serial+5Fj

.shrink:004010E6                 cmp cl , 61h

.shrink:004010E9                 jl       short loc_4010F5

.shrink:004010EB                 cmp cl , 66h

.shrink:004010EE                 jg       short loc_4010F5

.shrink:004010F0                 sub cl , 57h             ; 'a'..'f' -> 10..15

.shrink:004010F3                 jmp      short loc_4010F8

.shrink:004010F5 ; ----------------------------------------------------------------------------

.shrink:004010F5

.shrink:004010F5 loc_4010F5:                             ; CODE XREF: Hex_Serial+69j

.shrink:004010F5                                         ; Hex_Serial+6Ej

.shrink:004010F5                 or cl , 0FFh             ; not a hex digit (see note above)

.shrink:004010F8

.shrink:004010F8 loc_4010F8:                             ; CODE XREF: Hex_Serial+55j

.shrink:004010F8                                         ; Hex_Serial+64j ...

.shrink:004010F8                 cmp dl , 30h             ; same decode for the low nibble

.shrink:004010FB                 movsx ecx , cl

.shrink:004010FE                 jl       short loc_40110A

.shrink:00401100                 cmp dl , 39h

.shrink:00401103                 jg       short loc_40110A

.shrink:00401105                 sub dl , 30h

.shrink:00401108                 jmp      short loc_40112B

.shrink:0040110A ; ----------------------------------------------------------------------------

.shrink:0040110A

.shrink:0040110A loc_40110A:                             ; CODE XREF: Hex_Serial+7Ej

.shrink:0040110A                                         ; Hex_Serial+83j

.shrink:0040110A                 cmp dl , 41h

.shrink:0040110D                 jl       short loc_401119

.shrink:0040110F                 cmp dl , 46h

.shrink:00401112                 jg       short loc_401119

.shrink:00401114                 sub dl , 37h

.shrink:00401117                 jmp      short loc_40112B

.shrink:00401119 ; ----------------------------------------------------------------------------

.shrink:00401119

.shrink:00401119 loc_401119:                             ; CODE XREF: Hex_Serial+8Dj

.shrink:00401119                                         ; Hex_Serial+92j

.shrink:00401119                 cmp dl , 61h

.shrink:0040111C                 jl       short loc_401128

.shrink:0040111E                 cmp dl , 66h

.shrink:00401121                 jg       short loc_401128

.shrink:00401123                 sub dl , 57h

.shrink:00401126                 jmp      short loc_40112B

.shrink:00401128 ; ----------------------------------------------------------------------------

.shrink:00401128

.shrink:00401128 loc_401128:                             ; CODE XREF: Hex_Serial+9Cj

.shrink:00401128                                         ; Hex_Serial+A1j

.shrink:00401128                 or dl , 0FFh             ; not a hex digit (see note above)

.shrink:0040112B

.shrink:0040112B loc_40112B:                             ; CODE XREF: Hex_Serial+88j

.shrink:0040112B                                         ; Hex_Serial+97j ...

.shrink:0040112B                 cmp ecx , 10h            ; stop marker; never produced by the decoders above

.shrink:0040112E                 movsx edx , dl

.shrink:00401131                 jz       short loc_40114A

.shrink:00401133                 cmp edx , 10h

.shrink:00401136                 jz       short loc_40114A

.shrink:00401138                 shl cl , 4

.shrink:0040113B                 add cl , dl              ; cl = (hi << 4) + lo

.shrink:0040113D                 inc esi                  ; second digit consumed

.shrink:0040113E                 mov      [eax +ebp ], cl ; out[eax] = cl

.shrink:00401141                 inc eax

.shrink:00401142

.shrink:00401142 loc_401142:                             ; CODE XREF: Hex_Serial+37j

.shrink:00401142                 cmp esi , ebx

.shrink:00401144                 jl       loc_4010B0      ; more text left

.shrink:0040114A

.shrink:0040114A loc_40114A:                             ; CODE XREF: Hex_Serial+3Fj

.shrink:0040114A                                         ; Hex_Serial+B1j ...

.shrink:0040114A                 pop ebp

.shrink:0040114B

.shrink:0040114B loc_40114B:                             ; CODE XREF: Hex_Serial+20j

.shrink:0040114B                 pop edi

.shrink:0040114C                 pop esi

.shrink:0040114D                 pop ebx

.shrink:0040114E                 retn                     ; cdecl: DialogFunc pops the 8 arg bytes later (add esp, 18h at 00402497)

.shrink:0040114E Hex_Serial      endp

}

; DialogFunc, continued after the nested Hex_Serial listing. At this point
; eax = number of serial bytes Hex_Serial decoded into var_D0 and
; VolumeSerialNumber holds the machine code read from the dialog.
.shrink:00402474                 mov edi , eax            ; edi = decoded serial byte count

.shrink:00402476                 mov      [ebp +var_30], edi

.shrink:00402479                 push     0Ah             ; int -- radix 10

.shrink:0040247B                 lea edx , [ebp +var_9C]

.shrink:00402481                 push edx ; char * -- var_9C receives the text

.shrink:00402482                 mov eax , [ebp +VolumeSerialNumber]

.shrink:00402485                 push eax ; int

.shrink:00402486                 call     __itoa          ; var_9C = decimal text of the machine code

.shrink:0040248B                 lea ecx , [ebp +var_9C]

.shrink:00402491                 push ecx ; MD5_inBuffer

.shrink:00402492                 call     MD5_ComputerID  ; eax -> MD5 of that text (presumably as hex text, given the cut at offset 10h below)

.shrink:00402497                 add esp , 18h            ; pops Hex_Serial (8) + __itoa (0Ch) + MD5_ComputerID (4) args

.shrink:0040249A                 mov ebx , eax            ; ebx = digest text

.shrink:0040249C                 mov      [ebp +var_34], ebx

.shrink:0040249F                 mov byte ptr  [ebx +10h], 0 ; keep only the first 16 characters of the MD5 text

.shrink:004024A3                 xor esi , esi            ; esi = DES block index

.shrink:004024A5

.shrink:004024A5 loc_4024A5:                             ; CODE XREF: DialogFunc+190j

.shrink:004024A5                 mov      [ebp +var_28], esi

.shrink:004024A8                 mov eax , edi

.shrink:004024AA                 cdq

.shrink:004024AB                 and edx , 7

.shrink:004024AE                 add eax , edx

.shrink:004024B0                 sar eax , 3              ; eax = edi / 8 (signed, toward zero)

.shrink:004024B3                 inc eax                  ; block count = edi/8 + 1: one block past the decoded data is processed as well

.shrink:004024B4                 cmp esi , eax

.shrink:004024B6                 jge      short loc_4024D2

.shrink:004024B8                 push     1               ; mode: 0 = encrypt, 1 = decrypt

.shrink:004024BA                 lea edx , [ebp +esi *8+var_D0]

.shrink:004024C1                 push edx ; DES_inBuffer: var_D0 + 8*esi (decoded serial bytes)

.shrink:004024C2                 lea eax , [ebp +esi *8+String]

.shrink:004024C6                 push eax ; DES_outBuffer: String + 8*esi (plaintext written over the serial text)

.shrink:004024C7                 call     DES

.shrink:004024CC                 add esp , 0Ch            ; cdecl cleanup

.shrink:004024CF                 inc esi

.shrink:004024D0                 jmp      short loc_4024A5

.shrink:004024D2 ; ----------------------------------------------------------------------------

.shrink:004024D2

.shrink:004024D2 loc_4024D2:                             ; CODE XREF: DialogFunc+176j

.shrink:004024D2                 mov      [ebp +var_58], 0 ; String[16] = 0 (var_58 = String + 10h): only 16 bytes are compared

.shrink:004024D6                 lea esi , [ebp +String] ; esi = decrypted serial

.shrink:004024D9                 mov eax , ebx            ; eax = MD5 text

.shrink:004024DB                 jmp      short loc_4024E0

.shrink:004024DB ; ----------------------------------------------------------------------------

.shrink:004024DD                 align 10h

.shrink:004024E0

.shrink:004024E0 loc_4024E0:                             ; CODE XREF: DialogFunc+19Bj

.shrink:004024E0                                         ; DialogFunc+1BEj

.shrink:004024E0                 mov dl , [eax ]       ; inline strcmp: dl = MD5 text byte

.shrink:004024E2                 mov cl , dl

.shrink:004024E4                 cmp dl , [esi ]       ; against the decrypted serial byte

.shrink:004024E6                 jnz      short loc_402504

.shrink:004024E8                 test cl , cl

.shrink:004024EA                 jz       short loc_402500

.shrink:004024EC                 mov dl , [eax +1]

.shrink:004024EF                 mov cl , dl

.shrink:004024F1                 cmp dl , [esi +1]

.shrink:004024F4                 jnz      short loc_402504

.shrink:004024F6                 add eax , 2

.shrink:004024F9                 add esi , 2

.shrink:004024FC                 test cl , cl

.shrink:004024FE                 jnz      short loc_4024E0

.shrink:00402500

.shrink:00402500 loc_402500:                             ; CODE XREF: DialogFunc+1AAj

.shrink:00402500                 xor eax , eax            ; strings equal

.shrink:00402502                 jmp      short loc_402509

.shrink:00402504 ; ----------------------------------------------------------------------------

.shrink:00402504

.shrink:00402504 loc_402504:                             ; CODE XREF: DialogFunc+1A6j

.shrink:00402504                                         ; DialogFunc+1B4j

.shrink:00402504                 sbb eax , eax            ; strings differ: eax = -1 or 1

.shrink:00402506                 sbb eax , 0FFFFFFFFh

.shrink:00402509

.shrink:00402509 loc_402509:                             ; CODE XREF: DialogFunc+1C2j

.shrink:00402509                 test eax , eax

.shrink:0040250B                 jnz      short loc_402531 ; mismatch

.shrink:0040250D                 push eax ; wLanguageId

.shrink:0040250E                 push eax ; uType

.shrink:0040250F                 push offset  aSucceed ; "succeed"

.shrink:00402514                 push offset  aVSJGm   ; "注册成功!老 兄,?

.shrink:00402519                 mov eax , ds :hWnd

.shrink:0040251E                 push eax ; hWnd

.shrink:0040251F                 call ds :MessageBoxExA

.shrink:00402525                 mov      [ebp +var_4], 0FFFFFFFFh ; leave the SEH try scope

.shrink:0040252C                 jmp      loc_4025E6

.shrink:00402531 ; ----------------------------------------------------------------------------

.shrink:00402531

.shrink:00402531 loc_402531:                             ; CODE XREF: DialogFunc+1CBj

.shrink:00402531                 pusha                    ; mismatch path: deliberately reads through address 0

.shrink:00402532                 xor eax , eax

.shrink:00402534                 mov ebx , [eax ]         ; access violation; the SEH frame from the prologue presumably takes over (filter 00402557, handler 0040255D)

.shrink:00402536                 popa                     ; not reached when the fault fires

.shrink:00402537                 nop

.shrink:00402538                 mov      [ebp +var_4], 0FFFFFFFFh

.shrink:0040253F

.shrink:0040253F loc_40253F:                             ; CODE XREF: DialogFunc+94j

.shrink:0040253F                 push     0               ; uType

.shrink:00402541                 push offset  asc_41247C ; "说?

.shrink:00402546                 mov ecx , [ebp +lpText] ; unk_4124D0, set in the prologue

.shrink:00402549                 push ecx ; lpText

.shrink:0040254A                 push     0               ; hWnd

.shrink:0040254C                 call ds :MessageBoxA

.shrink:00402552                 jmp      loc_4025E6

.shrink:00402557 ; ----------------------------------------------------------------------------

.shrink:00402557                 mov eax , 1              ; looks like the SEH filter: 1 = EXCEPTION_EXECUTE_HANDLER

.shrink:0040255C                 retn

.shrink:0040255D ; ----------------------------------------------------------------------------

.shrink:0040255D                 mov esp , [ebp -18h]     ; looks like the __except body: restore the esp saved at 00402366 (var_18)

.shrink:00402560                 push     0

.shrink:00402562                 push offset  aWarning ; "Warning!"

.shrink:00402567                 push offset  aVSZ     ; "注册失败"

.shrink:0040256C                 mov edx , ds :hWnd

.shrink:00402572                 push edx ; hWnd

.shrink:00402573                 call ds :MessageBoxA

.shrink:00402579                 mov      [ebp +var_4], 0FFFFFFFFh

.shrink:00402580                 jmp      short loc_4025E6

.shrink:00402582 ; ----------------------------------------------------------------------------

.shrink:00402582

.shrink:00402582 loc_402582:                             ; CODE XREF: DialogFunc+84j

.shrink:00402582                 push     0               ; nResult

.shrink:00402584                 mov eax , [ebp +hWnd]

.shrink:00402587                 push eax ; hDlg

.shrink:00402588                 call ds :EndDialog       ; IDOK: close the dialog

.shrink:0040258E                 jmp      short loc_4025E6

.shrink:00402590 ; ----------------------------------------------------------------------------

.shrink:00402590

.shrink:00402590 loc_402590:                             ; CODE XREF: DialogFunc+76j

.shrink:00402590                 push     6Ch             ; lpIconName -- icon resource 6Ch

.shrink:00402592                 mov ecx , ds :hInstance

.shrink:00402598                 push ecx ; hInstance

.shrink:00402599                 call ds :LoadIconA

.shrink:0040259F                 push eax ; lParam

.shrink:004025A0                 push     1               ; wParam = ICON_BIG

.shrink:004025A2                 push     80h             ; Msg = WM_SETICON

.shrink:004025A7                 mov esi , [ebp +hWnd]

.shrink:004025AA                 push esi ; hWnd

.shrink:004025AB                 call ds :SendMessageA

.shrink:004025B1                 push     0               ; nFileSystemNameSize

.shrink:004025B3                 push     0               ; lpFileSystemNameBuffer

.shrink:004025B5                 push     0               ; lpFileSystemFlags

.shrink:004025B7                 push     0               ; lpMaximumComponentLength

.shrink:004025B9                 lea edx , [ebp +VolumeSerialNumber]

.shrink:004025BC                 push edx ; lpVolumeSerialNumber

.shrink:004025BD                 push     0               ; nVolumeNameSize

.shrink:004025BF                 push     0               ; lpVolumeNameBuffer

.shrink:004025C1                 push offset  RootPathName ; "C://"

.shrink:004025C6                 call ds :GetVolumeInformationA ; return value not checked: on failure VolumeSerialNumber is uninitialised stack

.shrink:004025CC                 mov eax , [ebp +VolumeSerialNumber]

.shrink:004025CF                 xor eax , 0ABCDE123h ; machine code = volume serial of C: XOR a constant; a volume serial is user-changeable, so this is a weak device identifier

.shrink:004025D4                 mov      [ebp +VolumeSerialNumber], eax

.shrink:004025D7                 push     0               ; bSigned

.shrink:004025D9                 push eax ; uValue

.shrink:004025DA                 push     3E9h            ; nIDDlgItem

.shrink:004025DF                 push esi ; hDlg

.shrink:004025E0                 call ds :SetDlgItemInt   ; show the machine code in control 3E9h

.shrink:004025E6

.shrink:004025E6 loc_4025E6:                             ; CODE XREF: DialogFunc+11Fj

.shrink:004025E6                                         ; DialogFunc+1ECj ...

.shrink:004025E6                 mov eax , 1              ; return TRUE: message handled

.shrink:004025EB                 mov ecx , [ebp +var_10]

.shrink:004025EE                 mov      large fs :0, ecx ; unlink the SEH frame

.shrink:004025F5                 pop edi

.shrink:004025F6                 pop esi

.shrink:004025F7                 pop ebx

.shrink:004025F8                 mov esp , ebp

.shrink:004025FA                 pop ebp

.shrink:004025FB                 retn     10h

.shrink:004025FB DialogFunc      endp

[代码分析 :] --End

算法就是:

DES_De(Serial,key=1,9,8,0,9,1,7,0)=a

MD5(机器码)=b

if (a==b)

msg("success!" )

else

msg("wrong!" )

Serial=DES_En(b,key=1,9,8,0,9,1,7,0)

因为我这里有MD5的汇编代码,所以直接用IDA提取DES代码就可以了

; Excerpt of 004024B8..004024C7 from the DialogFunc listing above: the DES
; call site, repeated here for reference (cdecl; the program pops the three
; args with add esp, 0Ch right after the call).
.shrink:004024B8                 push     1               ; mode: 0 = encrypt, 1 = decrypt

.shrink:004024BA                 lea edx , [ebp +esi *8+var_D0]

.shrink:004024C1                 push edx ; DES_inBuffer

.shrink:004024C2                 lea eax , [ebp +esi *8+String]

.shrink:004024C6                 push eax ; DES_outBuffer

.shrink:004024C7                 call     DES

这就是调用DES的代码,所以只要跟进这个call把这个call里面所有的代码和数据弄出来放在一个文件里整理一下就可以了

下面是我整理的一些变量(DES需要的ip,pc等都不在内)

; Data objects referenced by the DES routines, as IDA lists them (the DES
; tables themselves -- ip, pc, ... -- are not shown on this page). The dup
; counts give each buffer's size and the xrefs say which routine reads (r),
; writes (w) or takes the address of (o) each one. When reproducing them keep
; the same sizes and order: off_415088..off_415094 hold the addresses of
; unk_417DBC, byte_417DA0, unk_417E50 and byte_417E30, and several objects
; are reached through their neighbours' offsets.
off_415088      dd offset  unk_417DBC    ; DATA XREF: sub_401A40+8Ar

off_41508C      dd offset  byte_417DA0   ; DATA XREF: sub_401A40+84r

off_415090      dd offset  unk_417E50    ; DATA XREF: DES+A6r

off_415094      dd offset  byte_417E30   ; DATA XREF: DES+A1r

unk_417890       db     02D0h dup  (?)

unk_417B60       db     030h dup  (?)

unk_417B90      db      10h dup  (?) ;

byte_417BA0     db  ?                    ; DATA XREF: sub_401A40+44w

; sub_401A40+95o ...

byte_417BA1     db  ?                    ; DATA XREF: sub_401A40+57w

; sub_401A40+180w ...

byte_417BA2     db  ?                    ; DATA XREF: sub_401A40+6Aw

; sub_401A40+193w ...

byte_417BA3     db  ?                    ; DATA XREF: sub_401A40+76w

; sub_401A40+1A6w ...

byte_417BA4     db  ?                    ; DATA XREF: sub_401A40+1B9w

; sub_401E50+66w

byte_417BA5     db  ?                    ; DATA XREF: sub_401A40+1CCw

unk_417CA0      db    0feh dup ( ? ) ;               ; DATA XREF: sub_401A40+C5o

byte_417D9F     db  ?                    ; single byte before byte_417DA0

byte_417DA0     db  ?                    ; DATA XREF: sub_401A40+22w (via off_41508C); 1Ch bytes up to unk_417DBC incl. the 27 unnamed ones below

db     ? ; 27 unnamed bytes follow byte_417DA0

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

db     ? ;

unk_417DBC      db    024h dup  (?)      ; pointed to by off_415088

byte_417DE0     db  ?                    ; DATA XREF: sub_401E50+88o

; sub_401E50+93o ...

byte_417DE1     db  ?                    ; DATA XREF: sub_401E50+AFr

; sub_401E50+C7w

byte_417DE2     db  ?                    ; DATA XREF: sub_401E50+C1r

; sub_401E50+D9w

byte_417DE3     db  ?                    ; DATA XREF: sub_401E50+D3r

; sub_401E50+EBw

byte_417DE4     db  ?                    ; DATA XREF: sub_401E50+E5r

; sub_401E50+FDw

byte_417DE5     db  02Bh dup  (?)        ; 2Bh bytes up to unk_417E10

unk_417E10       db     01Fh dup  (?)

byte_417E2F      db        ?

byte_417E30      db      020h dup  (?)   ; pointed to by off_415094

unk_417E50       db      020h dup  (?)   ; pointed to by off_415090

下面把DES需要的数据全部弄出来,再把代码部分弄出来就OK了(附件里包括完整的DES代码)

调用这样就可以了

lea eax ,key                ; key = the same 8 bytes DialogFunc builds at 00402369..00402385

push eax

call   sub_401A40 ;DES_Key_Init -- cdecl: the program follows this with add esp, 4

push   0                    ; mode 0 = encrypt (DialogFunc passes 1 to decrypt)

lea edx ,hash1              ; hash1: presumably the first 16 chars of MD5(decimal machine code), matching the cut at 0040249F

push edx ;InBuffer

lea eax ,string2            ; string2 receives the DES output; Hex_Serial expects the serial as its hex text

push eax ;OutBuffer

call   sub_402050 ;DES -- cdecl: the program follows this with add esp, 0Ch; pop the three args here too

这样注册机就做好了,简单吧 ~

参考了 x3chun,bLaCk-eye等一些人的方法 感谢他们!

