Original crack write-up: https://www.52pojie.cn/forum.php?mod=viewthread&tid=1219210
After reading that write-up carefully, I still felt the procedure was far too complicated for a beginner like me.
So, in the spirit of us 52pojie beginners, let's see it off on its final journey..
After downloading and installing the control and running it, this is what shows up:
[Screenshot: QQ图片20200718073944.jpg, uploaded 2020-7-18 07:42]
Sure enough, it wants money. Probably because this is the latest version, the screen differs from the screenshot in the original write-up..
Set a breakpoint: bp UpdateWindow
Once it breaks, execute until return.
[Asm]
00683687 |. 50 PUSH EAX ; /hWnd
00683688 |. E8 472ED9FF CALL ; \UpdateWindow
0068368D |. 6A 03 PUSH 3 ; /Flags = SWP_NOSIZE|SWP_NOMOVE
0068368F |. 6A 00 PUSH 0 ; |Height = 0
00683691 |. 6A 00 PUSH 0 ; |Width = 0
00683693 |. 6A 00 PUSH 0 ; |Y = 0
00683695 |. 6A 00 PUSH 0 ; |X = 0
00683697 |. 6A FF PUSH -1 ; |InsertAfter = HWND_TOPMOST
00683699 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; |
0068369C |. 50 PUSH EAX ; |hWnd
0068369D |. E8 B22DD9FF CALL ; \SetWindowPos
Find the start of the procedure..
[Screenshot: 2.jpg, uploaded 2020-7-18 07:53]
Local call from 00684441
Ctrl+G to jump to 00684441
Look upward..
[Asm]
00684354 . 68 B4446800 PUSH Project1.006844B4 ; UNICODE "Key"
00684359 . 68 BC446800 PUSH Project1.006844BC ; UNICODE "TestData"
0068435E . 8B0D 34166D00 MOV ECX,DWORD PTR DS:[6D1634] ; Project1.00400000
Judging by the strings, this should be the part that does the KEY-related work..
Breakpoint at the function start, execute until return.
[Asm]
0068439F . E8 9086DEFF CALL Project1.0046CA34 ; fetch the registered KEY
006843A4 . 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
006843A7 . 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; "mlskindemo" into EAX
006843AA . E8 5101DAFF CALL Project1.00424500 ; convert the string mlskindemo to upper case
006843AF . 8B55 C0 MOV EDX,DWORD PTR SS:[EBP-40]
006843B2 . B9 01000000 MOV ECX,1
006843B7 . B8 DC446800 MOV EAX,Project1.006844DC ; UNICODE "PUBLIC"
006843BC . E8 5B6ED8FF CALL Project1.0040B21C ; check whether the string starts with PUBLIC
006843C1 . 85C0 TEST EAX,EAX
006843C3 . 7E 2D JLE SHORT Project1.006843F2 ; if it does not start with PUBLIC, we jump away
Restart, try again, and manually change the registration code so it starts with PUBLIC
[Asm]
006843DA . E8 2101DAFF CALL Project1.00424500 ; lower case to upper case
006843DF . 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44]
006843E2 . 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
006843E5 . E8 16F9FFFF CALL Project1.00683D00 ; algorithm CALL
Step into 00683D00
[Asm]
00683D3B |. BA 643F6800 MOV EDX,Project1.00683F64 ; UNICODE "0000-0252-DA7A-3924-0C0B"
00683D40 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00683D43 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00683D45 |. FF51 3C CALL DWORD PTR DS:[ECX+3C]
00683D48 |. BA A43F6800 MOV EDX,Project1.00683FA4 ; UNICODE "0000-025D-DD7D-3D20-EF2A"
00683D4D |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00683D50 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00683D52 |. FF51 3C CALL DWORD PTR DS:[ECX+3C]
00683D55 |. BA E43F6800 MOV EDX,Project1.00683FE4 ; UNICODE "0000-0259-D979-3E20-0B0A"
00683D5A |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00683D5D |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00683D5F |. FF51 3C CALL DWORD PTR DS:[ECX+3C]
00683D62 |. BA 24406800 MOV EDX,Project1.00684024 ; UNICODE "0000-038B-CBBB-8743-1D2F"
00683D67 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00683D6A |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00683D6C |. FF51 3C CALL DWORD PTR DS:[ECX+3C]
00683D6F |. BA 64406800 MOV EDX,Project1.00684064 ; UNICODE "0000-025B-DB7B-3F20-CB26"
00683D74 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00683D77 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00683D79 |. FF51 3C CALL DWORD PTR DS:[ECX+3C]
00683D7C |. BA A4406800 MOV EDX,Project1.006840A4 ; UNICODE "0000-0458-D879-3E2C-241D"
00683D81 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00683D84 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00683D86 |. FF51 3C CALL DWORD PTR DS:[ECX+3C]
00683D89 |. BA E4406800 MOV EDX,Project1.006840E4 ; UNICODE "0000-03FA-FAFA-A763-EC4C"
00683D8E |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00683D91 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
00683D93 |. FF51 3C CALL DWORD PTR DS:[ECX+3C]
00683D96 |. BA 24416800 MOV EDX,Project1.00684124 ; UNICODE "0000-0260-E878-2824-98F6"
[Asm]
00683DDD |. B8 64416800 MOV EAX,Project1.00684164 ; UNICODE "public111"
00683DE2 |. E8 1907DAFF CALL Project1.00424500
00683DE7 |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
00683DEA |. 58 POP EAX
00683DEB |. E8 E471D8FF CALL Project1.0040AFD4
00683DF0 |. 0F84 1D010000 JE Project1.00683F13
00683DF6 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00683DF9 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00683DFC |. E8 FF06DAFF CALL Project1.00424500
00683E01 |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00683E04 |. 50 PUSH EAX
00683E05 |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
00683E08 |. B8 84416800 MOV EAX,Project1.00684184 ; UNICODE "public192"
00683E0D |. E8 EE06DAFF CALL Project1.00424500
00683E12 |. 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
00683E15 |. 58 POP EAX
00683E16 |. E8 B971D8FF CALL Project1.0040AFD4
00683E1B |. 0F84 F2000000 JE Project1.00683F13
00683E21 |. 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
00683E24 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00683E27 |. E8 D406DAFF CALL Project1.00424500
00683E2C |. 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
00683E2F |. 50 PUSH EAX
00683E30 |. 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
00683E33 |. B8 A4416800 MOV EAX,Project1.006841A4 ; UNICODE "public226"
00683E38 |. E8 C306DAFF CALL Project1.00424500
00683E3D |. 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
00683E40 |. 58 POP EAX
00683E41 |. E8 8E71D8FF CALL Project1.0040AFD4
00683E46 |. 0F84 C7000000 JE Project1.00683F13
00683E4C |. 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
00683E4F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00683E52 |. E8 A906DAFF CALL Project1.00424500
00683E57 |. 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30]
00683E5A |. 50 PUSH EAX
00683E5B |. 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
00683E5E |. B8 C4416800 MOV EAX,Project1.006841C4 ; UNICODE "public167"
00683E63 |. E8 9806DAFF CALL Project1.00424500
00683E68 |. 8B55 CC MOV EDX,DWORD PTR SS:[EBP-34]
00683E6B |. 58 POP EAX
00683E6C |. E8 6371D8FF CALL Project1.0040AFD4
00683E71 |. 0F84 9C000000 JE Project1.00683F13
00683E77 |. 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
00683E7A |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00683E7D |. E8 7E06DAFF CALL Project1.00424500
00683E82 |. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
00683E85 |. 50 PUSH EAX
00683E86 |. 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
00683E89 |. B8 E4416800 MOV EAX,Project1.006841E4 ; UNICODE "public197"
00683E8E |. E8 6D06DAFF CALL Project1.00424500
00683E93 |. 8B55 C4 MOV EDX,DWORD PTR SS:[EBP-3C]
00683E96 |. 58 POP EAX
00683E97 |. E8 3871D8FF CALL Project1.0040AFD4
00683E9C |. 74 75 JE SHORT Project1.00683F13
00683E9E |. 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
00683EA1 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00683EA4 |. E8 5706DAFF CALL Project1.00424500
00683EA9 |. 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
00683EAC |. 50 PUSH EAX
00683EAD |. 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
00683EB0 |. B8 04426800 MOV EAX,Project1.00684204 ; UNICODE "public1905110919500"
00683EB5 |. E8 4606DAFF CALL Project1.00424500
00683EBA |. 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44]
00683EBD |. 58 POP EAX
00683EBE |. E8 1171D8FF CALL Project1.0040AFD4
00683EC3 |. 74 4E JE SHORT Project1.00683F13
00683EC5 |. 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
00683EC8 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00683ECB |. E8 3006DAFF CALL Project1.00424500
00683ED0 |. 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48]
00683ED3 |. 50 PUSH EAX
00683ED4 |. 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
00683ED7 |. B8 38426800 MOV EAX,Project1.00684238 ; UNICODE "public18070928440"
00683EDC |. E8 1F06DAFF CALL Project1.00424500
00683EE1 |. 8B55 B4 MOV EDX,DWORD PTR SS:[EBP-4C]
00683EE4 |. 58 POP EAX
00683EE5 |. E8 EA70D8FF CALL Project1.0040AFD4
00683EEA |. 74 27 JE SHORT Project1.00683F13
00683EEC |. 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
00683EEF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00683EF2 |. E8 0906DAFF CALL Project1.00424500
00683EF7 |. 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
00683EFA |. 50 PUSH EAX
00683EFB |. 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
00683EFE |. B8 68426800 MOV EAX,Project1.00684268 ; UNICODE "public170516341"
The two segments above are a blacklist; presumably quite a few people have leaked their KEYs.
[Asm]
00683F1F |. E8 F0F4FFFF CALL Project1.00683414 ; algorithm CALL, step in
[Asm]
00683439 |. E8 46FFFFFF CALL Project1.00683384 ; algorithm CALL, step in
The algorithm part:
006833CE |> /8B45 EC /MOV EAX,DWORD PTR SS:[EBP-14] ; user name into EAX
006833D1 |. |8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C] ; current index into EDX
006833D4 |. |0FB64410 FF |MOVZX EAX,BYTE PTR DS:[EAX+EDX-1] ; ASCII code at the current index into EAX
006833D9 |. |0145 F0 |ADD DWORD PTR SS:[EBP-10],EAX ; add to the running sum of the previous ASCII codes (initially 0) and store
006833DC |. |FF45 F4 |INC DWORD PTR SS:[EBP-C] ; index += 1
006833DF |. |FF4D E8 |DEC DWORD PTR SS:[EBP-18] ; counter -= 1
[Asm]
006833E8 |. 52 PUSH EDX ; 0
006833E9 |. 50 PUSH EAX ; computed result
006833EA |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
006833ED |. E8 5AFEFFFF CALL Project1.0068324C ; core algorithm
For the 0068324C algorithm I simply copied it out as inline assembly; below is the DELPHI code for the whole algorithm:
[Pascal]
var
  EBP1, EBP2, EBP3: Byte;       // global variables
  EBP8, EBPC, fanhui: DWORD;    // global variables

// Sum of the character codes of every character in str (the loop at 006833CE)
function No1(str: string): DWORD;
var
  i: Integer;
begin
  Result := 0;
  for i := 1 to Length(str) do
  begin
    Result := Result + Ord(str[i]);
  end;
end;

// 64-bit logical shift right of EDX:EAX by CL
procedure xxx1;
asm
  AND CL,$3F
  CMP CL,$20
  JL @Exit0
  MOV EAX,EDX
  XOR EDX,EDX
  SHR EAX,CL
  RETN
@Exit0:
  SHRD EAX,EDX,CL
  SHR EDX,CL
  RETN
end;

// Core routine copied from 0068324C; reads EBP1/EBP2/EBP3/EBP8/EBPC and writes fanhui
procedure xxx;
asm
  PUSHAD
  PUSHFD
  XOR EAX,EAX
  MOV AL,BYTE PTR SS:[EBP1]
  MOV ECX,$19
  XOR EDX,EDX
  DIV ECX
  MOV BYTE PTR SS:[EBP1],DL       // EBP1 := EBP1 mod $19
  XOR EAX,EAX
  MOV AL,BYTE PTR SS:[EBP2]
  MOV ECX,3
  XOR EDX,EDX
  DIV ECX
  MOV BYTE PTR SS:[EBP2],DL       // EBP2 := EBP2 mod 3
  XOR EAX,EAX
  MOV AL,BYTE PTR SS:[EBP1]
  AND EAX,1
  TEST EAX,EAX
  JNZ @go1                        // odd EBP1 takes the AND branch, even takes the OR branch
  MOV EAX,DWORD PTR SS:[EBP8]
  MOV EDX,DWORD PTR SS:[EBPC]
  MOV CL,BYTE PTR SS:[EBP1]
  CALL xxx1
  MOV EBX,EAX
  AND BL,$0FF
  MOV EAX,DWORD PTR SS:[EBP8]
  MOV EDX,DWORD PTR SS:[EBPC]
  MOV CL,BYTE PTR SS:[EBP2]
  CALL xxx1
  OR AL,BYTE PTR SS:[EBP3]
  XOR BL,AL
  MOV BYTE PTR SS:[fanhui],BL
  JMP @go2
@go1:
  MOV EAX,DWORD PTR SS:[EBP8]
  MOV EDX,DWORD PTR SS:[EBPC]
  MOV CL,BYTE PTR SS:[EBP1]
  CALL xxx1
  MOV EBX,EAX
  AND BL,$0FF
  MOV EAX,DWORD PTR SS:[EBP8]
  MOV EDX,DWORD PTR SS:[EBPC]
  MOV CL,BYTE PTR SS:[EBP2]
  CALL xxx1
  AND AL,BYTE PTR SS:[EBP3]
  XOR BL,AL
  MOV BYTE PTR SS:[fanhui],BL
@go2:
  MOV AL,BYTE PTR SS:[fanhui]
  POPFD
  POPAD
  RETN
end;

// Two running byte sums over key2, each wrapped back into 0..$FF
function XXX2(key2: string): string;
var
  i: Integer;
  ebpA, ebpC: Word;
  EAX_EAX: Word;
begin
  ebpA := $56;
  ebpC := $0AF;
  for i := 1 to Length(key2) do
  begin
    EAX_EAX := Ord(key2[i]);
    asm
      MOV AX,EAX_EAX
      ADD WORD PTR SS:[ebpC],AX
      CMP WORD PTR SS:[ebpC],$0FF
      JBE @GO1
      SUB WORD PTR SS:[ebpC],$0FF
    @GO1:
      MOV AX,WORD PTR SS:[ebpC]
      ADD WORD PTR SS:[ebpA],AX
      CMP WORD PTR SS:[ebpA],$0FF
      JBE @GO2
      SUB WORD PTR SS:[ebpA],$0FF
    @GO2:
    end;
  end;
  Result := IntToHex(ebpA, 2) + IntToHex(ebpC, 2);
end;

function MyKeyStr(UserName: string): string;
var
  k: DWORD;
  Key, key2: string;
  i: Integer;
begin
  k := No1(AnsiUpperCase('public' + UserName));
  Key := IntToHex(k, 2);
  EBP3 := $0C8;
  EBP2 := 3;
  EBP1 := $18;
  EBP8 := k;
  EBPC := 0;
  xxx;
  i := Length(Key);
  while True do
  begin
    if i
Not providing a keygen should count as a pretty harmonious thing, right?
Also, don't mock my naming, and don't mock my handsome loop style.
One-sentence explanation: it made me sick.
Finally, some of you will ask: how exactly do you use it?
Ah, observe more, and take a good look at the files in the directory:
MlSkinKey.RES
Can't work it out? Sorry, this write-up isn't for freeloaders!!!
@涛之雨
Our software really is saved.