|
 |
推荐文章 |
|
|
|
|
|
|
|
|
|
|
|
------------------------RC2加密CALL---------------------------------
0043C9A0 $ 55 PUSH EBP
0043C9A1 . 8BEC MOV EBP,ESP
0043C9A3 . 6A FF PUSH -1
0043C9A5 . 68 B0074A00 PUSH IDMAN.004A07B0 ; SE handler installation
0043C9AA . 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0043C9B0 . 50 PUSH EAX
0043C9B1 . 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0043C9B8 . 81EC 84010000 SUB ESP,184
0043C9BE . 53 PUSH EBX
0043C9BF . 56 PUSH ESI
0043C9C0 . 57 PUSH EDI
0043C9C1 . 8D85 70FEFFFF LEA EAX,DWORD PTR SS:[EBP-190]
0043C9C7 . 8965 F0 MOV DWORD PTR SS:[EBP-10],ESP
0043C9CA . 33F6 XOR ESI,ESI
0043C9CC . 8BD9 MOV EBX,ECX
0043C9CE . 50 PUSH EAX
0043C9CF . 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
0043C9D2 . E8 79FCFFFF CALL IDMAN.0043C650
0043C9D7 . 8B45 14 MOV EAX,DWORD PTR SS:[EBP+14]
0043C9DA . 8D8D 70FEFFFF LEA ECX,DWORD PTR SS:[EBP-190]
0043C9E0 . 8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
0043C9E6 . 51 PUSH ECX
0043C9E7 . 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10] <==="506938841"为内定的密钥
0043C9EA . 52 PUSH EDX
0043C9EB . 50 PUSH EAX
0043C9EC . 51 PUSH ECX
0043C9ED . 8BCB MOV ECX,EBX
0043C9EF . E8 9CFCFFFF CALL IDMAN.0043C690 <===跟进
0043C9F4 . 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8] <==="ABCDE-GHIJK-MNOPQ-STUVW"
0043C9F7 > 3B75 0C CMP ESI,DWORD PTR SS:[EBP+C]
0043C9FA . 7D 2A JGE SHORT IDMAN.0043CA26 <===循环结束就这里跳出
0043C9FC . 8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
0043CA02 . 8BCB MOV ECX,EBX
0043CA04 . 52 PUSH EDX
0043CA05 . 57 PUSH EDI
0043CA06 . E8 F5FCFFFF CALL IDMAN.0043C700 <===加密CALL
0043CA0B . 83C6 08 ADD ESI,8 <===可以看得出,在这里是每8位一处理
0043CA0E . 83C7 08 ADD EDI,8
0043CA11 .^EB E4 JMP SHORT IDMAN.0043C9F7 <===从这里向上跳构成一个循环结构,主要每8位加密:
**************这里就是注册表加密后的列表********************
0074DD98 A1 A3 4B 70 DB C5 05 22 。Kp叟�"
0074DDA0 DE 26 A7 BB 53 3E A9 9D ?ЩS>
0074DDA8 24 3D 45 42 91 B3 9D 06 $=EB懗?
************************************************************
0043CA13 . 68 E4064D00 PUSH IDMAN.004D06E4
<===CProtection::rrc2_encrypt(byte* data,int length_of_data, char* key, int length_of_key)很明显这就是一个加密算法的CALL(RC2加密算法)
0043CA18 . E8 D37AFEFF CALL IDMAN.004244F0
0043CA1D . 83C4 04 ADD ESP,4
0043CA20 . B8 26CA4300 MOV EAX,IDMAN.0043CA26
0043CA25 . C3 RETN
0043CA26 > 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] <===直接就跳到这里了
0043CA29 . 5F POP EDI
0043CA2A . 5E POP ESI
0043CA2B . 64:890D 000000>MOV DWORD PTR FS:[0],ECX
0043CA32 . 5B POP EBX
0043CA33 . 8BE5 MOV ESP,EBP
0043CA35 . 5D POP EBP
0043CA36 . C2 1000 RETN 10
---------------0043C9EF CALL IDMAN.0043C690 跟进(对"506938841"密钥的预处理)-------------------
0043C690 /$ 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
0043C694 |. 56 PUSH ESI
0043C695 |. 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
0043C699 |. 57 PUSH EDI
0043C69A |. 85F6 TEST ESI,ESI
0043C69C |. 7E 15 JLE SHORT IDMAN.0043C6B3
0043C69E |. 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C] <===EDI="506938841"
0043C6A2 |. 55 PUSH EBP
0043C6A3 |. 8BC1 MOV EAX,ECX
0043C6A5 |. 2BF9 SUB EDI,ECX
0043C6A7 |. 8BEE MOV EBP,ESI
0043C6A9 |> 8A1407 /MOV DL,BYTE PTR DS:[EDI+EAX] <===依次取密钥的字符ASC值
0043C6AC |. 8810 |MOV BYTE PTR DS:[EAX],DL
0043C6AE |. 40 |INC EAX
0043C6AF |. 4D |DEC EBP
0043C6B0 |.^75 F7 \JNZ SHORT IDMAN.0043C6A9 <===这里构成循环,实现的功能是将密钥在内存中再复制一份出来
0043C6B2 |. 5D POP EBP
0043C6B3 |> 8B7C24 18 MOV EDI,DWORD PTR SS:[ESP+18]
0043C6B7 |. 83FE 7F CMP ESI,7F
0043C6BA |. 8BC6 MOV EAX,ESI
0043C6BC |. 7F 2F JG SHORT IDMAN.0043C6ED
0043C6BE |. 53 PUSH EBX
0043C6BF |> 8BD0 /MOV EDX,EAX <===循环开始
0043C6C1 |. 33DB |XOR EBX,EBX
0043C6C3 |. 2BD6 |SUB EDX,ESI
0043C6C5 |. 8A1C0A |MOV BL,BYTE PTR DS:[EDX+ECX] <===依次取密钥"506938841"的字符ASC值
0043C6C8 |. 33D2 |XOR EDX,EDX
0043C6CA |. 8A5408 FF |MOV DL,BYTE PTR DS:[EAX+ECX-1] <===依次反向取密钥"506938841"的字符ASC值
0043C6CE |. 03DA |ADD EBX,EDX <===相加
0043C6D0 |. 81E3 FF000080 |AND EBX,800000FF <===再作与运算
0043C6D6 |. 79 08 |JNS SHORT IDMAN.0043C6E0
0043C6D8 |. 4B |DEC EBX
0043C6D9 |. 81CB 00FFFFFF |OR EBX,FFFFFF00
0043C6DF |. 43 |INC EBX
0043C6E0 |> 8A143B |MOV DL,BYTE PTR DS:[EBX+EDI] <===EDI里是一个很大的列表,根据EBX的不同决定DL的取值
****************天大的列表*******************************
0074DBE4 D9 78 F9 C4 19 DD B5 ED 28 E9 FD 79 4A A0 D8 9D
0074DBF4 C6 7E 37 83 2B 76 53 8E 62 4C 64 88 44 8B FB A2
0074DC04 17 9A 59 F5 87 B3 4F 13 61 45 6D 09 81 7D 32
0074DC14 BD 8F 40 EB 86 B7 7B 0B F0 95 21 22 5C 6B 4E 82
0074DC24 54 D6 65 93 CE 60 B2 1C 73 56 C0 14 A7 8C F1 DC
0074DC34 12 75 CA 1F 3B BE E4 D1 42 3D D4 30 A3 3C B6 26
0074DC44 6F BF 0E DA 46 69 07 57 27 F2 1D 9B BC 94 43 03
0074DC54 F8 11 C7 F6 90 EF 3E E7 06 C3 D5 2F C8 66 1E D7
0074DC64 08 E8 EA DE 80 52 EE F7 84 AA 72 AC 35 4D 6A 2A
0074DC74 96 1A D2 71 5A 15 49 74 4B 9F D0 5E 04 18 A4 EC
0074DC84 C2 E0 41 6E 0F 51 CB CC 24 91 AF 50 A1 F4 70 39
0074DC94 99 7C 3A 85 23 B8 B4 7A FC 02 36 5B 25 55 97 31
0074DCA4 2D 5D FA 98 E3 8A 92 AE 05 DF 29 10 67 6C BA C9
0074DCB4 D3 00 E6 CF E1 9E A8 2C 63 16 01 3F 58 E2 89 A9
0074DCC4 0D 38 34 1B AB 33 FF B0 BB 48 0C 5F B9 B1 CD 2E
0074DCD4 C5 F3 DB 47 E5 A5 9C 77 0A A6 20 68 FE 7F C1 AD
*********************************************************
0043C6E3 |. 881408 |MOV BYTE PTR DS:[EAX+ECX],DL <===得出的来的再接在密钥"506938841"的后面
0043C6E6 |. 40 |INC EAX
0043C6E7 |. 83F8 7F |CMP EAX,7F <===因为EAX的初始值为9,所以这里将构成一个新的128位的数值群(呵呵,典型的RC加密算法的风格)
0043C6EA |.^7E D3 \JLE SHORT IDMAN.0043C6BF
*********************新的128位加密群***************************************
0074DCE4 35 30 36 39 33 38 38 34 31 07 0B D6 9D D3 79 7C 506938841 譂觵|
0074DCF4 99 29 BD 05 3F 58 B5 8F 61 72 32 0B C0 62 2E ???X嵉廰r2 纀.
0074DD04 1B AF C6 F0 59 46 B5 8E 25 54 C4 72 0E 57 18 6C 餣F祹%T膔�W�l
0074DD14 20 60 23 B0 59 57 70 84 C5 33 71 5A FD E4 22 D2 `#癥Wp勁3qZ"
0074DD24 E4 91 E3 3B 15 37 88 AF E8 67 0A B1 B9 BA F3 2F 鋺?�7埊鑗.惫后/
0074DD34 89 11 06 C6 E7 C2 C8 5B 72 68 C3 DF 51 F0 3A F9 ?�歧氯[rh眠Q?
0074DD44 3B F4 A3 07 FF 12 F9 EB AB FF 47 0C 83 EA FE 77 ;簦�?G.冴䎱
0074DD54 0E 02 78 31 6B CD 7A 06 66 90 D2 C0 F3 B6 DE 42 ��x1kz�f愐荔掇B
***************************************************************************
0043C6EC |. 5B POP EBX
0043C6ED |> 33C0 XOR EAX,EAX
0043C6EF |. 8A01 MOV AL,BYTE PTR DS:[ECX]
0043C6F1 |. 8A1438 MOV DL,BYTE PTR DS:[EAX+EDI]
0043C6F4 |. 5F POP EDI
0043C6F5 |. 8811 MOV BYTE PTR DS:[ECX],DL <===又对最前面的值进行变换
0043C6F7 |. 5E POP ESI
0043C6F8 \. C2 1000 RETN 10
---------------0043CA06 CALL IDMAN.0043C700 对注册码进行加密(共进行3次)-------------------
0043C700 /$ 51 PUSH ECX
0043C701 |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
0043C705 |. 53 PUSH EBX
0043C706 |. 55 PUSH EBP
0043C707 |. 56 PUSH ESI
0043C708 |. 66:8B08 MOV CX,WORD PTR DS:[EAX]
0043C70B |. 66:8B50 02 MOV DX,WORD PTR DS:[EAX+2]
0043C70F |. 66:8B70 04 MOV SI,WORD PTR DS:[EAX+4]
0043C713 |. 57 PUSH EDI
0043C714 |. 66:8B78 06 MOV DI,WORD PTR DS:[EAX+6]
0043C718 |. 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+1C]
0043C71C |. C74424 10 0000>MOV DWORD PTR SS:[ESP+10],0
0043C724 |. 8D58 04 LEA EBX,DWORD PTR DS:[EAX+4]
0043C727 |> 8BC7 /MOV EAX,EDI
0043C729 |. 8BEF |MOV EBP,EDI
0043C72B |. F7D0 |NOT EAX
0043C72D |. 23C2 |AND EAX,EDX
0043C72F |. 23EE |AND EBP,ESI
0043C731 |. 03C5 |ADD EAX,EBP
0043C733 |. 8BEF |MOV EBP,EDI
0043C735 |. 66:0343 FC |ADD AX,WORD PTR DS:[EBX-4]
0043C739 |. 03C8 |ADD ECX,EAX
0043C73B |. 66:8BC1 |MOV AX,CX
0043C73E |. 03C9 |ADD ECX,ECX
0043C740 |. 66:C1E8 0F |SHR AX,0F
0043C744 |. 0BC8 |OR ECX,EAX
0043C746 |. 8BC1 |MOV EAX,ECX
0043C748 |. 23E9 |AND EBP,ECX
0043C74A |. F7D0 |NOT EAX
0043C74C |. 23C6 |AND EAX,ESI
0043C74E |. 03C5 |ADD EAX,EBP
0043C750 |. 66:0343 FE |ADD AX,WORD PTR DS:[EBX-2]
0043C754 |. 03D0 |ADD EDX,EAX
0043C756 |. 66:8BC2 |MOV AX,DX
0043C759 |. 66:C1E8 0E |SHR AX,0E
0043C75D |. C1E2 02 |SHL EDX,2
0043C760 |. 0BD0 |OR EDX,EAX
0043C762 |. 8BEA |MOV EBP,EDX
0043C764 |. 8BC2 |MOV EAX,EDX
0043C766 |. F7D5 |NOT EBP
0043C768 |. 23EF |AND EBP,EDI
0043C76A |. 23C1 |AND EAX,ECX
0043C76C |. 03F5 |ADD ESI,EBP
0043C76E |. 03C6 |ADD EAX,ESI
0043C770 |. 66:0303 |ADD AX,WORD PTR DS:[EBX]
0043C773 |. 66:8BF0 |MOV SI,AX
0043C776 |. 66:C1EE 0D |SHR SI,0D
0043C77A |. C1E0 03 |SHL EAX,3
0043C77D |. 0BF0 |OR ESI,EAX
0043C77F |. 8BC6 |MOV EAX,ESI
0043C781 |. 8BEE |MOV EBP,ESI
0043C783 |. F7D0 |NOT EAX
0043C785 |. 23C1 |AND EAX,ECX
0043C787 |. 23EA |AND EBP,EDX
0043C789 |. 03C5 |ADD EAX,EBP
0043C78B |. 66:0343 02 |ADD AX,WORD PTR DS:[EBX+2]
0043C78F |. 03C7 |ADD EAX,EDI
0043C791 |. 8BF8 |MOV EDI,EAX
0043C793 |. C1E7 05 |SHL EDI,5
0043C796 |. 66:C1E8 0B |SHR AX,0B
0043C79A |. 0BF8 |OR EDI,EAX
0043C79C |. 8B4424 10 |MOV EAX,DWORD PTR SS:[ESP+10]
0043C7A0 |. 83F8 04 |CMP EAX,4
0043C7A3 |. 74 05 |JE SHORT IDMAN.0043C7AA
0043C7A5 |. 83F8 0A |CMP EAX,0A
0043C7A8 |. 75 34 |JNZ SHORT IDMAN.0043C7DE
0043C7AA |> 8B4424 1C |MOV EAX,DWORD PTR SS:[ESP+1C]
0043C7AE |. 8BEF |MOV EBP,EDI
0043C7B0 |. 83E5 3F |AND EBP,3F
0043C7B3 |. 66:8B2C68 |MOV BP,WORD PTR DS:[EAX+EBP*2]
0043C7B7 |. 03CD |ADD ECX,EBP
0043C7B9 |. 8BE9 |MOV EBP,ECX
0043C7BB |. 83E5 3F |AND EBP,3F
0043C7BE |. 66:8B2C68 |MOV BP,WORD PTR DS:[EAX+EBP*2]
0043C7C2 |. 03D5 |ADD EDX,EBP
0043C7C4 |. 8BEA |MOV EBP,EDX
0043C7C6 |. 83E5 3F |AND EBP,3F
0043C7C9 |. 66:8B2C68 |MOV BP,WORD PTR DS:[EAX+EBP*2]
0043C7CD |. 03F5 |ADD ESI,EBP
0043C7CF |. 8BEE |MOV EBP,ESI
0043C7D1 |. 83E5 3F |AND EBP,3F
0043C7D4 |. 66:8B0468 |MOV AX,WORD PTR DS:[EAX+EBP*2]
0043C7D8 |. 03F8 |ADD EDI,EAX
0043C7DA |. 8B4424 10 |MOV EAX,DWORD PTR SS:[ESP+10]
0043C7DE |> 40 |INC EAX
0043C7DF |. 83C3 08 |ADD EBX,8
0043C7E2 |. 83F8 0F |CMP EAX,0F
0043C7E5 |. 894424 10 |MOV DWORD PTR SS:[ESP+10],EAX
0043C7E9 |.^0F8E 38FFFFFF \JLE IDMAN.0043C727
0043C7EF |. 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]
0043C7F3 |. 66:8978 06 MOV WORD PTR DS:[EAX+6],DI
0043C7F7 |. 66:8970 04 MOV WORD PTR DS:[EAX+4],SI
0043C7FB |. 5F POP EDI
0043C7FC |. 5E POP ESI
0043C7FD |. 5D POP EBP
0043C7FE |. 66:8908 MOV WORD PTR DS:[EAX],CX
0043C801 |. 66:8950 02 MOV WORD PTR DS:[EAX+2],DX
0043C805 |. 5B POP EBX
0043C806 |. 59 POP ECX
0043C807 \. C2 0800 RETN 8
--------------------------------------------------------------------------------
4、附上RC4加密算法的VB源代码(和上面的有点类似,只是我们这里的密钥是固定的,但码表开始又是乱序)
Public Sub main()
Dim key As String
For i = 1 To 16
Randomize '每次都随机给个种子值
'对最初给定的种子都会生成相同的数列,因为每一次调用 Rnd 函数都用数列中的前一个数作为下一个
'数的种子。在调用 Rnd 之前,先使用无参数的 Randomize 语句初始化随机数生成器,该生成器具有根
'据系统计时器得到的种子。
key = key & Chr(Rnd * 255) '随机得到一个长16位的字符串(密钥),串中每个字符的ASC值被限制在(0~255之间)
Next i
MsgBox RC4(RC4("Welcome To Plindge Studio!", key), key) '这里又进行两次RC4运算
End Sub
Public Function RC4(inp As String, key As String) As String
Dim S(0 To 255) As Byte, K(0 To 255) As Byte, i As Long
Dim j As Long, temp As Byte, Y As Byte, t As Long, x As Long
Dim Outp As String
For i = 0 To 255
S(i) = i
Next
j = 1
For i = 0 To 255
If j > Len(key) Then j = 1
K(i) = Asc(Mid(key, j, 1))
j = j + 1
Next i
j = 0
For i = 0 To 255
j = (j + S(i) + K(i)) Mod 256
temp = S(i)
S(i) = S(j)
S(j) = temp
Next i
i = 0
j = 0
For x = 1 To Len(inp)
i = (i + 1) Mod 256
j = (j + S(i)) Mod 256
temp = S(i)
S(i) = S(j)
S(j) = temp
t = (S(i) + (S(j) Mod 256)) Mod 256
Y = S(t)
Outp = Outp & Chr(Asc(Mid(inp, x, 1)) Xor Y)
Next
RC4 = Outp
End Function
5、得出注册码的可能性
因为作者内定RC加密后的值有三个,必须在密钥"506938841"可知的情况下,解密RC算法逆推出可能的注册码,然后再找到符合填入注册码时符合要求的注册码。 |
|
|
|
|
|
特别声明: 本站除部分特别声明禁止转载的专稿外的其他文章可以自由转载,但请务必注明出处和原始作者。文章版权归文章原始作者所有。对于被本站转载文章的个人和网站,我们表示深深的谢意。如果本站转载的文章有版权问题请联系编辑人员,我们尽快予以更正。 |
|
|
|
|
|
责任编辑: 原点 |
投稿作者: 本站收集 |
|
|
信息来源: 网络 |
录入时间: 2005-5-26 |
|
|
|
| |
|
设为首页
加入收藏
总编信箱
投稿或申请专栏请先 [登 陆]