[转帖][求助]KEY文件注册，MD5＋rsa算法，代码不长，但精，无人能解

楼主^#

更多发布于：2005-06-09 17:14

工具：w32dasm无级片和od 0325修正版 破解软件，一个很小的认证软件，VC编写，不加壳软件不超过100K， 爆破简单，爆破点很多，但爆破的东西有30用户限制，所以等于不能用。算法目前无人能搞定，很多破解组织的高手都试过了，此软件加密做到了，不用加壳，有错误提示，但你还是搞不定，关健是算法太强。 声明：本软件是一个很牛的人写的，像他这样的人，在亚州只有6个， 本人无其它目的，只是测试的此软件加密码强度和此牛人的技术是不是真的很强。如果有人喜欢研究算法，我有真正的KEY文件，可以向我要 QQ:730451 代码如下： :004064C1 68106D4100 push 00416D10 :004064C6 FFD6 call esi :004064C8 83C404 add esp, 00000004 :004064CB 68A07A4100 push 00417AA0 :004064D0 FFD6 call esi :004064D2 83C404 add esp, 00000004 :004064D5 68A07A4100 push 00417AA0 :004064DA FFD6 call esi :004064DC 83C404 add esp, 00000004 :004064DF 68A07A4100 push 00417AA0 :004064E4 FFD6 call esi :004064E6 83C404 add esp, 00000004 :004064E9 68A07A4100 push 00417AA0 :004064EE FFD6 call esi :004064F0 83C404 add esp, 00000004 :004064F3 8D4C2408 lea ecx, dword ptr [esp+08] :004064F7 51 push ecx :004064F8 6802020000 push 00000202 * Reference T WS2_32.WSAStartup, Ord:0073h | :004064FD E82A4E0000 Call 0040B32C :00406502 85C0 test eax, eax :00406504 756C jne 00406572 :00406506 E8354E0000 call 0040B340 关健CALL 里边是算法。 :0040650B 84C0 test al, al :0040650D 751D jne 0040652C 爆破点 jne改成jmp爆破成功，但爆破的只能验证30用户 * Possible StringData Ref from Data Obj ->"本机未找到指定MAC的网卡,请确认网卡工作正常! " | :0040650F 68E06C4100 push 00416CE0 :00406514 FFD6 call esi * Possible StringData Ref from Data Obj ->"pause" | :00406516 68D86C4100 push 00416CD8 * Reference T MSVCRT.system, Ord:02CDh | :0040651B FF15CC214100 Call dword ptr [004121CC] :0040B340 81EC14020000 sub esp, 00000214 此处下断，F7 进入关健CALL :0040B346 53 push ebx :0040B347 55 push ebp :0040B348 56 push esi :0040B349 8D44240C lea eax, dword ptr [esp+0C] :0040B34D 57 push edi :0040B34E 33ED xor ebp, ebp :0040B350 50 push eax :0040B351 896C2414 mov dword ptr [esp+14], ebp :0040B355 E8A6010000 call 0040B500 :0040B35A 8BD8 mov ebx, eax :0040B35C 83C404 add esp, 00000004 :0040B35F 83FB01 cmp ebx, 00000001 :0040B362 0F8285010000 jb 0040B4ED :0040B368 8D8C2420010000 lea ecx, dword ptr [esp+00000120] :0040B36F 6804010000 push 00000104 :0040B374 51 push ecx :0040B375 55 push ebp * Reference T KERNEL32.GetModuleFileNameA, Ord:0124h | :0040B376 FF1524204100 Call dword ptr [00412024] :0040B37C 85C0 test eax, eax :0040B37E 0F8469010000 je 0040B4ED :0040B384 8D942420010000 lea edx, dword ptr [esp+00000120] :0040B38B 6A5C push 0000005C :0040B38D 52 push edx * Reference T MSVCRT.strrchr, Ord:02C3h | :0040B38E E89D590000 Call 00410D30 :0040B393 83C408 add esp, 00000008 :0040B396 3BC5 cmp eax, ebp :0040B398 7404 je 0040B39E :0040B39A C6400100 mov [eax+01], 00 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040B398(C) | * Possible StringData Ref from Data Obj ->"grcw.rk" | :0040B39E BF74784100 mov edi, 00417874 :0040B3A3 83C9FF or ecx, FFFFFFFF :0040B3A6 33C0 xor eax, eax :0040B3A8 8D942420010000 lea edx, dword ptr [esp+00000120] :0040B3AF F2 repnz :0040B3B0 AE scasb :0040B3B1 F7D1 not ecx :0040B3B3 2BF9 sub edi, ecx * Possible StringData Ref from Data Obj ->"rr" | :0040B3B5 6870784100 push 00417870 :0040B3BA 8BF7 mov esi, edi :0040B3BC 8BFA mov edi, edx :0040B3BE 8BD1 mov edx, ecx :0040B3C0 83C9FF or ecx, FFFFFFFF :0040B3C3 F2 repnz :0040B3C4 AE scasb :0040B3C5 8BCA mov ecx, edx :0040B3C7 4F dec edi :0040B3C8 C1E902 shr ecx, 02 :0040B3CB F3 repz :0040B3CC A5 movsd :0040B3CD 8BCA mov ecx, edx :0040B3CF 8D842424010000 lea eax, dword ptr [esp+00000124] :0040B3D6 83E103 and ecx, 00000003 :0040B3D9 50 push eax :0040B3DA F3 repz :0040B3DB A4 movsb * Reference T MSVCRT.fopen, Ord:0257h | :0040B3DC E87D5A0000 Call 00410E5E :0040B3E1 8BF0 mov esi, eax :0040B3E3 83C408 add esp, 00000008 :0040B3E6 3BF5 cmp esi, ebp :0040B3E8 0F84EE000000 je 0040B4DC 如果找不到grcw.rk 直接跳走，然后就over 我们可以自己建一个grcw.rk的文件， :0040B3EE 55 push ebp 以下是算法，读取网卡MAC，计算。判断KEY文件是否正确 :0040B3EF 6A02 push 00000002 :0040B3F1 56 push esi * Reference T MSVCRT.fseek, Ord:0262h | :0040B3F2 E8615A0000 Call 00410E58 :0040B3F7 56 push esi :0040B3F8 8D4C2430 lea ecx, dword ptr [esp+30] :0040B3FC 68EF000000 push 000000EF :0040B401 51 push ecx * Reference T MSVCRT.fgets, Ord:0252h | :0040B402 E84B5A0000 Call 00410E52 :0040B407 56 push esi * Reference T MSVCRT.fclose, Ord:024Ch | :0040B408 E83F5A0000 Call 00410E4C :0040B40D 6A01 push 00000001 :0040B40F 6A0F push 0000000F :0040B411 6880234100 push 00412380 :0040B416 8D542448 lea edx, dword ptr [esp+48] :0040B41A 68F0000000 push 000000F0 :0040B41F 8D44244C lea eax, dword ptr [esp+4C] :0040B423 52 push edx :0040B424 50 push eax :0040B425 E8B6010000 call 0040B5E0 :0040B42A 8B44246D mov eax, dword ptr [esp+6D] :0040B42E 8B4C2465 mov ecx, dword ptr [esp+65] :0040B432 8B542469 mov edx, dword ptr [esp+69] :0040B436 83C434 add esp, 00000034 :0040B439 8944241C mov dword ptr [esp+1C], eax :0040B43D 894C2414 mov dword ptr [esp+14], ecx :0040B441 89542418 mov dword ptr [esp+18], edx :0040B445 33C0 xor eax, eax * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040B44E(C) | :0040B447 40 inc eax :0040B448 8D4811 lea ecx, dword ptr [eax+11] :0040B44B 83F91D cmp ecx, 0000001D :0040B44E 72F7 jb 0040B447 :0040B450 85DB test ebx, ebx :0040B452 7660 jbe 0040B4B4 :0040B454 33F6 xor esi, esi * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040B4B2(C) | :0040B456 B940000000 mov ecx, 00000040 :0040B45B B830303030 mov eax, 30303030 :0040B460 8D7C2420 lea edi, dword ptr [esp+20] :0040B464 33D2 xor edx, edx :0040B466 F3 repz :0040B467 AB stosd :0040B468 8B442410 mov eax, dword ptr [esp+10] :0040B46C 8D4C2420 lea ecx, dword ptr [esp+20] :0040B470 8A540604 mov dl, byte ptr [esi+eax+04] :0040B474 52 push edx :0040B475 8D540605 lea edx, dword ptr [esi+eax+05] :0040B479 51 push ecx :0040B47A 52 push edx :0040B47B E8F0110000 call 0040C670 :0040B480 8D442420 lea eax, dword ptr [esp+20] :0040B484 50 push eax * Reference T MSVCRT._strupr, Ord:01CBh | :0040B485 E8BC590000 Call 00410E46 :0040B48A 8D4C2430 lea ecx, dword ptr [esp+30] :0040B48E 51 push ecx * Reference T MSVCRT._strupr, Ord:01CBh | :0040B48F E8B2590000 Call 00410E46 :0040B494 8D542428 lea edx, dword ptr [esp+28] :0040B498 6A0C push 0000000C :0040B49A 8D442438 lea eax, dword ptr [esp+38] :0040B49E 52 push edx :0040B49F 50 push eax * Reference T MSVCRT.strncmp, Ord:02C0h | :0040B4A0 E885580000 Call 00410D2A :0040B4A5 83C420 add esp, 00000020 :0040B4A8 85C0 test eax, eax :0040B4AA EB12 jmp 0040B4BE :0040B4AC 45 inc ebp :0040B4AD 83C65C add esi, 0000005C :0040B4B0 3BEB cmp ebp, ebx :0040B4B2 72A2 jb 0040B456 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040B452(C) | :0040B4B4 8B442410 mov eax, dword ptr [esp+10] :0040B4B8 85C0 test eax, eax :0040B4BA 7431 je 0040B4ED :0040B4BC EB26 jmp 0040B4E4 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040B4AA(U) | :0040B4BE 8B442410 mov eax, dword ptr [esp+10] :0040B4C2 85C0 test eax, eax :0040B4C4 7409 je 0040B4CF :0040B4C6 50 push eax :0040B4C7 E80C550000 call 004109D8 :0040B4CC 83C404 add esp, 00000004 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040B4C4(C) | :0040B4CF 5F pop edi :0040B4D0 5E pop esi :0040B4D1 5D pop ebp :0040B4D2 B001 mov al, 01 :0040B4D4 5B pop ebx :0040B4D5 81C414020000 add esp, 00000214 :0040B4DB C3 ret * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040B3E8(C) | :0040B4DC 8B442410 mov eax, dword ptr [esp+10] :0040B4E0 3BC5 cmp eax, ebp :0040B4E2 7409 je 0040B4ED * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040B4BC(U) | :0040B4E4 50 push eax :0040B4E5 E8EE540000 call 004109D8 :0040B4EA 83C404 add esp, 00000004 * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:0040B362(C), :0040B37E(C), :0040B4BA(C), :0040B4E2(C) | :0040B4ED 5F pop edi :0040B4EE 5E pop esi :0040B4EF 5D pop ebp :0040B4F0 32C0 xor al, al :0040B4F2 5B pop ebx :0040B4F3 81C414020000 add esp, 00000214 :0040B4F9 C3 ret

喜欢0 评分0

举报回复

发帖回复

« 返回列表

您需要登录后才可以回帖，登录或者注册

返回顶部

[转帖][求助]KEY文件注册，MD5＋rsa算法，代码不长，但精，无人能解

最新喜欢：