Leisure Mahjong (休闲麻将) P-CODE: A Brief Analysis
Title:
[Original] Leisure Mahjong P-CODE: A Brief Analysis
Author: GoOdLeiSuRe
Time: 2007-03-31, 20:18:37
Link: http://bbs.pediy.com/showthread.PHP?t=41926
[Author] GoOdLeiSuRe
[Analysis date] 2007-03-30
[Note] I am very green, a complete beginner; please correct me where I am wrong, thank you.
[Software name] Leisure Mahjong 3.4
[Software size] 4.43MB
[Download] http://zj1.51.net/mj.htm
[Restrictions] Shareware (limited to 30 uses, 7 rounds per use); registration fee 30 yuan; no restrictions once registered.
[Registration type] machine code + user name -> registration code, with online verification
[Cracking process]
Main program: Mj.exe
PEiD check: ASPack 2.12 -> Alexey Solodovnikov
Unpacking: AspackDie unpacks it directly
PEiD again: Microsoft Visual Basic 5.0/6.0
Compiled as: loaded in OllyDbg it looked like P-CODE; loaded in WKTVBDebugger, P-CODE indeed
// After loading, it stops here
0049A850: 00 LargeBos
// Step through with F8 and have a look
0049A852: 00 LargeBos
0049A854: 4B OnErrorGotoNext
0049A857: 00 LargeBos
0049A859: 04 FLdRfVar 0070FB56h
0049A85C: 04 FLdRfVar 0070FB58h
0049A85F: 05 ImpAdLdRf
0049A862: 24 NewIfNullPr 0041CEA8
0049A865: 0D VCallHresult CVBApp::get_App
0049A86A: 08 FLdPr
0049A86D: 0D VCallHresult get__ipropPrevInstanceAPP
0049A872: 6B FLdI2
0049A875: 1A FFree1Ad
0049A878: 1C BranchF 0049A87F (Jump)
0049A87B: 00 LargeBos
0049A87D: FC Lead1/End
0049A87F: 00 LargeBos
// Reading the install directory?
0049A881: 1B LitStr: 'SetupDir'
0049A884: 43 FStStrCopy
0049A887: 04 FLdRfVar 0070FB48h
// Registry path string; the user name and registration code may well be stored here too
0049A88A: 1B LitStr: 'SoftWare\NetMJ\Infomation'
0049A88D: 43 FStStrCopy
0049A890: 04 FLdRfVar 0070FB4Ch
0049A893: F5 LitI4: -> 80000002h -2147483646
0049A898: 59 PopTmpLdAdStr
// Reads the registry key "SoftWare\NetMJ\Infomation" and fetches the "SetupDir" value
0049A89B: 0B ImpAdCallI2 modPubTools!0044C5C4h
0049A8A0: 31 FStStr
……
// F5 to run
Click: Form Manager
In the window drop-down list the important form shows up: frmUserReg
Click: Command
In the pop-up window select: cmdOK
Click: BPX to set a breakpoint
Now go back to the main program and enter some registration details; as soon as you click "OK" it breaks:
0044485C: 04 FLdRfVar 0070F378h
0044485F: 21 FLdPrThis 004FC52Ch
00444860: 0F VCallAd frmUserReg.txtUserName
00444863: 19 FStAdFunc 0070F37C
00444866: 08 FLdPr
00444869: 0D VCallHresult get__ipropTEXTEDIT
0044486E: 6C ILdRf 00000000h
00444871: 0B ImpAdCallI2 rtcTrimBstr on address 660E6AC5h
// user name
00444876: FD Lead2/PopTmpLdAdStr
0044487A: 1B LitStr: 'RegName'
0044487D: 43 FStStrCopy
00444880: 04 FLdRfVar 0070F36Ch
00444883: 1B LitStr: 'SoftWare\NetMJ\Infomation'
00444886: 43 FStStrCopy
00444889: 04 FLdRfVar 0070F370h
0044488C: F5 LitI4: -> 80000002h -2147483646
00444891: 59 PopTmpLdAdStr
00444894: 0A ImpAdCallFPR4 modPubTools!0044507Ch
00444899: 32 FFreeStr
004448A4: 1A FFree1Ad
004448A7: 04 FLdRfVar 0070F378h
004448AA: 21 FLdPrThis 004FC52Ch
004448AB: 0F VCallAd frmUserReg.txtPassword
004448AE: 19 FStAdFunc
004448B1: 08 FLdPr
004448B4: 0D VCallHresult get__ipropTEXTEDIT
004448B9: 6C ILdRf 00000000h
004448BC: 0B ImpAdCallI2 rtcTrimBstr on address 660E6AC5h
// registration code
004448C1: FD Lead2/PopTmpLdAdStr
004448C5: 1B LitStr: 'RegCode'
004448C8: 43 FStStrCopy
004448CB: 04 FLdRfVar 0070F36Ch
004448CE: 1B LitStr: 'SoftWare\NetMJ\Infomation'
004448D1: 43 FStStrCopy
004448D4: 04 FLdRfVar 0070F370h
004448D7: F5 LitI4: -> 80000002h -2147483646
004448DC: 59 PopTmpLdAdStr
004448DF: 0A ImpAdCallFPR4 modPubTools!0044507Ch
004448E4: 32 FFreeStr
Clearly the registration details are stored under the registry key SoftWare\NetMJ\Infomation:
RegName = user name
RegCode = registration code
F5; the main program asks you to exit.
Reload it, and use the call found above, "ImpAdCallI2 modPubTools!0044C5C4h", to locate the place where the registration details are read back and used.
// The user name is used here: GoOdLeiSuRe
00449928: 23 FStStrNoPop -> 'GoOdLeiSuRe'
0044992B: 0B ImpAdCallI2 rtcLowerCaseBstr on address 660E6A2Dh
00449930: 31 FStStr -> 'goodleisure'
00449933: 32 FFreeStr
0044993C: 1B LitStr: 'regcode'
0044993F: 43 FStStrCopy
00449942: 04 FLdRfVar 0070F690h
00449945: 1B LitStr: 'SoftWare\NetMJ\Infomation'
00449948: 43 FStStrCopy
0044994B: 04 FLdRfVar 0070F694h
0044994E: F5 LitI4: -> 80000002h -2147483646
00449953: 59 PopTmpLdAdStr
00449956: 0B ImpAdCallI2 modPubTools!0044C5C4h
// The registration code is used here: 7878787878
0044995B: 31 FStStr -> '7878787878'
0044995E: 32 FFreeStr
00449965: 05 ImpAdLdRf
00449968: F4 LitI2_Byte: -> 1h 1
0044996A: FC Lead1/FnUBound
0044996C: F5 LitI4: -> 1h 1
00449971: AA AddI4
00449972: 71 FStR4
00449975: 6C ILdRf 004F08F8h
// user name length
00449978: 4A FnLenStr 004F08F4h, 11 chars
00449979: F5 LitI4: -> 1h 1
0044997E: DB GtI4
0044997F: 6C ILdRf 004F0E44h
// registration code length
00449982: 4A FnLenStr 004F0E40h, 10 chars
00449983: F5 LitI4: -> Ah 10
// compare
00449988: C7 EqI4
00449989: C4 AndI4
0044998A: 1C BranchF 00449A03
0044998D: 6C ILdRf 004F0E44h
// reverse the registration code: StrReverse()
00449990: 0B ImpAdCallI2 rtcStrReverse on address 660F7DF1h
00449995: 31 FStStr 004F1590h to 0070F7A4h -> '8787878787'
00449998: F5 LitI4: -> 0h 0
0044999D: 04 FLdRfVar 0070F69Ch
004499A0: 05 ImpAdLdRf
004499A3: F4 LitI2_Byte: -> 1h 1
004499A5: FC Lead1/FnUBound
004499A7: FE Lead3/ForI4:
004499AD: 6C ILdRf 00000003h
004499B0: 05 ImpAdLdRf
004499B3: 9E Ary1LdI4
// registration code length
004499B4: 4A FnLenStr 004E5594h, 10 chars
004499B5: F5 LitI4: -> Ah 10
// compare
004499BA: C7 EqI4
004499BB: 1C BranchF 004499FB
004499BE: 1B LitStr: '听'
// take 7 characters of it
004499C1: F5 LitI4: -> 7h 7
004499C6: 6C ILdRf 00000000h
004499C9: 05 ImpAdLdRf
004499CC: 9E Ary1LdI4
004499CD: 0B ImpAdCallI2 rtcRightCharBstr on address 660E6362h
004499D2: 23 FStStrNoPop -> '8888889' -> '3925743'
004499D5: 2A ConcatStr
004499D6: 31 FStStr -> 'zjm8888889' -> 'zjm3925743'
004499D9: 2F FFree1Str 004F82B0h
004499DC: 6C ILdRf 004F1590h
004499DF: 04 FLdRfVar 0070F694h
004499E2: 04 FLdRfVar 0070F6A8h
004499E5: 04 FLdRfVar 0070F6A0h
// key spot
004499E8: 10 ThisVCallHresult 0043EF68 -> 0043EF68
004499ED: 6C ILdRf 00000000h
// string comparison
004499F0: 30 EqStr
004499F2: 2F FFree1Str
004499F5: 1C BranchF 004499FB (Jump?)
004499F8: 1E Branch 00449A03
004499FB: 04 FLdRfVar 0070F69Ch
// one more pass of the loop
004499FE: 66 NextI4: jump to 004499AD
00449A03: 6C ILdRf 00000000h
00449A06: 05 ImpAdLdRf
00449A09: F4 LitI2_Byte: -> 1h 1
00449A0B: FC Lead1/FnUBound
00449A0D: D6 LeI4
00449A0E: 1C BranchF 00449A50
00449A11: F4 LitI2_Byte: -> 0h 0
00449A13: 21 FLdPrThis 004E5EF8h
00449A14: 0F VCallAd frmGameMain.mnuReg
00449A17: 19 FStAdFunc
00449A1A: 08 FLdPr
00449A1D: 0D VCallHresult put__ipropVISIBLEMENU
Key routine:
0043EE68: FF Lead4/ZeroRetVal
0043EE6A: 80 ILdI4
// user name length
0043EE6D: 4A FnLenStr
0043EE6E: F5 LitI4: -> 7h 7
0043EE73: DB GtI4
// 10 > 7?
0043EE74: 1C BranchF 0043EE8A
0043EE77: F5 LitI4: -> 7h 7
0043EE7C: 80 ILdI4
// take the right 7 characters: goodleisure
0043EE7F: 0B ImpAdCallI2 rtcRightCharBstr on address 660E6362h
0043EE84: 31 FStStr -> 'leisure'
0043EE87: 1E Branch 0043EE9
0043EE8A: 80 ILdI4
0043EE8D: 43 FStStrCopy
0043EE90: F5 LitI4: -> 1h 1
0043EE95: 6C ILdRf 00000000h
// take the left 1 character: leisure
0043EE98: 0B ImpAdCallI2 rtcLeftCharBstr on address 660E625Eh
0043EE9D: 31 FStStr -> 'l'
0043EEA0: F5 LitI4: -> 0h 0
0043EEA5: F5 LitI4: -> FFFFFFFFh -1
0043EEAA: F5 LitI4: -> 1h 1
0043EEAF: F5 LitI4: -> 0h 0
0043EEB4: 6C ILdRf 004E2EBCh
0043EEB7: 6C ILdRf 004F0E44h
// remove the character 'l': leisure
0043EEBA: 0B ImpAdCallI2 rtcReplace on address 660F7E44h
0043EEBF: 31 FStStr 004F2CA4h to 0070F6C4h -> eisure
0043EEC2: 6C ILdRf 004E2EBCh
0043EEC5: F5 LitI4: -> 0h 0
// string comparison: is it empty?
// Earlier versions had a same-character vulnerability here.
0043EECA: 30 EqStr
0043EECC: 1C BranchF 0043EED5
0043EECF: FF Lead4/ExitProcCbHresult
0043EED5: 80 ILdI4
// zjm8888889
0043EED8: 6C ILdRf 004F0E44h
0043EEDB: 2A ConcatStr
0043EEDC: 31 FStStr 004E5EB4h to 0070F6C4h -> zjm8888889leisure
0043EEDF: F5 LitI4: -> 0h 0
0043EEE4: 43 FStStrCopy
0043EEE7: F5 LitI4: -> 1h 1
0043EEEC: 04 FLdRfVar 0070F5C8h
0043EEEF: 6C ILdRf 004F2CA4h
0043EEF2: 4A FnLenStr -> 17 chars
// FOR loop over the string length
0043EEF3: FE Lead3/ForI4:
0043EEF9: 6C ILdRf 00000000h
0043EEFC: 28 LitVarI2 1h, 1
0043EF01: 6C ILdRf 00000001h
// zjm8888889leisure
0043EF04: 6C ILdRf 004E5EB4h
0043EF07: 0B ImpAdCallI2 rtcMidCharBstr on address 660E64A6h
0043EF0C: 23 FStStrNoPop -> one character at a time (z, j, m, ...)
// ASC() code of each character
0043EF0F: 0B ImpAdCallI2 rtcAnsiValueBstr on address 660E657Bh
0043EF14: E7 CI4UI1
// add the quotient carried over from the previous iteration
0043EF15: AA AddI4
// ABS()
0043EF16: BC FnAbsI4
// str()
0043EF17: 71 FStR4
0043EF1A: 2F FFree1Str
0043EF1D: 35 FFree1Var
0043EF20: 6C ILdRf 00000000h
// the value computed above
0043EF23: 6C ILdRf 0000007Ah
0043EF26: F5 LitI4: -> Ah 10
// remainder modulo 10
0043EF2B: C2 ModI4
// str()
0043EF2C: FE CStrI4
0043EF2E: 23 FStStrNoPop -> the remainder as a string
0043EF31: 2A ConcatStr
0043EF32: 31 FStStr
0043EF35: 2F FFree1Str
0043EF38: 6C ILdRf 0000007Ah
0043EF3B: F5 LitI4: -> Ah 10
// integer quotient of dividing by 10
0043EF40: C0 IDvI4
// str()
0043EF41: 71 FStR4
0043EF44: 04 FLdRfVar 0070F5C8h
// Next iteration
0043EF47: 66 NextI4: jump to 0043EEF9
0043EF4C: F5 LitI4: -> Ah 10
0043EF51: 6C ILdRf 004F2CFCh
// take the right 10 characters: 2234266963 -> reverse this and you have the required registration code
0043EF54: 0B ImpAdCallI2 rtcRightCharBstr on address 660E6362h
0043EF59: 31 FStStr
0043EF5C: 6C ILdRf 004F2CFCh
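As an added example (not code from the original post), a Python model of the check traced above, so the whole routine can be read in one place: the digit-carry digest loop at 0043EEF3, the Right(7) and same-character handling at 0043EE68, and the length and StrReverse comparison in frmGameMain. LITERAL and KEY_TABLE are constructed placeholders standing in for the literal and the 10-character array entries seen in the trace, and ASCII names are assumed.

```python
LITERAL = "xyz"                                  # constructed stand-in for the 3-char literal in the trace
KEY_TABLE = ["0001234567", "0007654321"]         # constructed stand-ins for the 10-char array entries


def digit_carry_digest(s: str) -> str:
    """Loop at 0043EEF3..0043EF47: add each character's ANSI code (CI4UI1 narrows
    it to a byte) to the quotient carried from the previous round, append
    sum Mod 10 as a digit, and carry sum \\ 10 into the next round."""
    carry, digits = 0, []
    for ch in s:
        carry = abs(carry + (ord(ch) & 0xFF))    # AddI4 + FnAbsI4
        digits.append(str(carry % 10))           # ModI4, CStrI4, ConcatStr
        carry //= 10                             # IDvI4
    return "".join(digits)


def expected_tail(username: str, prefix: str):
    """Routine at 0043EE68: keep Right(name, 7) when longer than 7, bail out when
    Replace(name, Left(name, 1), "") is empty (the same-character case), then
    return Right(digest(prefix & name), 10). None stands for ExitProcCbHresult."""
    name = username.lower()                      # rtcLowerCaseBstr
    if len(name) > 7:
        name = name[-7:]                         # rtcRightCharBstr(name, 7)
    if name.replace(name[:1], "") == "":         # rtcReplace, then EqStr against ""
        return None
    return digit_carry_digest(prefix + name)[-10:]


def check_code(username: str, code: str) -> bool:
    """frmGameMain check: Len(name) > 1 And Len(code) = 10, then StrReverse(code)
    must equal the digest tail for some entry (LITERAL & Right(entry, 7))."""
    if len(username) <= 1 or len(code) != 10:
        return False
    reversed_code = code[::-1]                   # rtcStrReverse
    for entry in KEY_TABLE:                      # ForI4 over the array
        if len(entry) != 10:
            continue
        if expected_tail(username, LITERAL + entry[-7:]) == reversed_code:
            return True
    return False
```

Everything the comparison needs is derivable from the user name and constants shipped inside the binary, which is why the trace alone suffices to reconstruct it; a check that verified a signature over the name against an embedded public key would not be recomputable this way.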