还原精灵2003 单机版算法分析下

后有隐藏的判断,但是做出KEYGEN后安装后一直没报错??? :(

0040F92A MOV CL,BYTE PTR SS:[ESP+13] ; last routine to check result
0040F92E MOV DL,BYTE PTR SS:[ESP+12]
0040F932 MOVSX EAX,CL
0040F935 MOVSX EDI,DL
0040F938 MOV BL,BYTE PTR SS:[ESP+10]
0040F93C ADD EAX,EDI
0040F93E MOVSX EDI,BYTE PTR SS:[ESP+11]
0040F943 ADD EAX,EDI
0040F945 XOR CL,DL
0040F947 MOV DL,BYTE PTR SS:[ESP+11]
0040F94B MOVSX EDI,BL
0040F94E XOR CL,DL
0040F950 ADD EAX,EDI
0040F952 XOR CL,BL
0040F954 MOV BYTE PTR SS:[ESP+1D],AL ; FIRST BYTE OF theLaw:)
0040F958 MOV BYTE PTR SS:[ESP+1E],CL ; AND SECOND BYTE OF theLaw:)
0040F95C MOV ECX,0D
0040F961 CDQ
0040F962 IDIV ECX
0040F964 MOV EDI,DWORD PTR DS:[ESI+8]
0040F967 MOV AL,CL
0040F969 MOV ECX,EDI
0040F96B SHR ECX,8 ; to check the 8-0xc bit(base 0)
0040F96E SUB AL,DL
0040F970 MOV DX,WORD PTR SS:[ESP+1D]
0040F975 MOV WORD PTR SS:[ESP+34],DX
0040F97A MOV BYTE PTR SS:[ESP+36],AL ; THE THIRD BYTE OF theLaw:)
0040F97E MOV EAX,DWORD PTR SS:[ESP+34]
0040F982 MOV EDX,ECX
0040F984 XOR EDX,EAX
0040F986 TEST DL,1 ; 8 bit( base 1 decimal)
0040F989 JNZ SETUP.0040FB5D
0040F98F MOV EDX,ECX
0040F991 XOR EDX,EAX
0040F993 TEST DL,2 ; 9 bit
0040F996 JNZ SETUP.0040FB5D
0040F99C MOV EDX,ECX
0040F99E XOR EDX,EAX
0040F9A0 TEST DL,4
0040F9A3 JNZ SETUP.0040FB5D ; a bit
0040F9A9 MOV EDX,ECX
0040F9AB XOR EDX,EAX
0040F9AD TEST DL,8
0040F9B0 JNZ SETUP.0040FB5D ; b bit
0040F9B6 XOR ECX,EAX
0040F9B8 TEST CL,10
0040F9BB JNZ SETUP.0040FB5D ; c bit
0040F9C1 MOV ECX,EDI
0040F9C3 SHR ECX,5 ; check 0xd-0x11 bit
0040F9C6 MOV EDX,ECX
0040F9C8 XOR EDX,EAX
0040F9CA TEST DH,1
0040F9CD JNZ SETUP.0040FB5D ; d bit
0040F9D3 MOV EDX,ECX
0040F9D5 XOR EDX,EAX
0040F9D7 TEST DH,2
0040F9DA JNZ SETUP.0040FB5D ; e bit
0040F9E0 MOV EDX,ECX
0040F9E2 XOR EDX,EAX
0040F9E4 TEST DH,4
0040F9E7 JNZ SETUP.0040FB5D ; f bit
0040F9ED MOV EDX,ECX
0040F9EF XOR EDX,EAX
0040F9F1 TEST DH,8
0040F9F4 JNZ SETUP.0040FB5D ; 10 bit
0040F9FA XOR ECX,EAX
0040F9FC TEST CH,10
0040F9FF JNZ SETUP.0040FB5D` ; 11 bit
0040FA05 MOV ECX,EDI
0040FA07 SHR ECX,2 ; check 0x12-16 bit
0040FA0A MOV EDX,ECX
0040FA0C XOR EDX,EAX
0040FA0E TEST EDX,10000
0040FA14 JNZ SETUP.0040FB5D ; 12 bit
0040FA1A MOV EDX,ECX
0040FA1C XOR EDX,EAX
0040FA1E TEST EDX,20000
0040FA24 JNZ SETUP.0040FB5D ; 13 bit
0040FA2A MOV EDX,ECX
0040FA2C XOR EDX,EAX
0040FA2E TEST EDX,40000
0040FA34 JNZ SETUP.0040FB5D ; 14 bit
0040FA3A MOV EDX,ECX
0040FA3C XOR EDX,EAX
0040FA3E TEST EDX,80000
0040FA44 JNZ SETUP.0040FB5D ; 15 bit
0040FA4A XOR ECX,EAX
0040FA4C TEST ECX,100000
0040FA52 JNZ SETUP.0040FB5D ; 16 bit
0040FA58 MOV ESI,DWORD PTR DS:[ESI+4]
0040FA5B MOV EAX,DWORD PTR SS:[ESP+C]
0040FA5F MOV ECX,ESI
0040FA61 SHR ECX,14 ; check BASE_OUT_L3W[0]
0040FA64 MOV EDX,ECX ; from 0x14 bit
0040FA66 XOR EDX,EAX
0040FA68 TEST DL,1
0040FA6B JNZ SETUP.0040FB5D ; 14 bit
0040FA71 MOV EDX,ECX
0040FA73 XOR EDX,EAX
0040FA75 TEST DL,2
0040FA78 JNZ SETUP.0040FB5D ; 15 bit
0040FA7E MOV EDX,ECX
0040FA80 XOR EDX,EAX
0040FA82 TEST DL,4
0040FA85 JNZ SETUP.0040FB5D ; 16 bit
0040FA8B MOV EDX,ECX
0040FA8D XOR EDX,EAX
0040FA8F TEST DL,8
0040FA92 JNZ SETUP.0040FB5D ; 17 bit
0040FA98 XOR ECX,EAX
0040FA9A TEST CL,10
0040FA9D JNZ SETUP.0040FB5D ; 18 bit
0040FAA3 MOV ECX,ESI
0040FAA5 SHR ECX,11 ; from 19 bit
0040FAA8 MOV EDX,ECX
0040FAAA XOR EDX,EAX
0040FAAC TEST DH,1
0040FAAF JNZ SETUP.0040FB5D ; 19 bit
0040FAB5 MOV EDX,ECX
0040FAB7 XOR EDX,EAX
0040FAB9 TEST DH,2
0040FABC JNZ SETUP.0040FB5D ; 1a bit
0040FAC2 MOV EDX,ECX
0040FAC4 XOR EDX,EAX
0040FAC6 TEST DH,4
0040FAC9 JNZ SETUP.0040FB5D ; 1b bit
0040FACF MOV EDX,ECX
0040FAD1 XOR EDX,EAX
0040FAD3 TEST DH,8
0040FAD6 JNZ SETUP.0040FB5D ; 1c bit
0040FADC XOR ECX,EAX
0040FADE TEST CH,10
0040FAE1 JNZ SHORT SETUP.0040FB5D ; 1d bit
0040FAE3 MOV ECX,ESI
0040FAE5 SHR ECX,0E
0040FAE8 MOV EDX,ECX
0040FAEA XOR EDX,EAX
0040FAEC TEST EDX,10000 ; 1e bit
0040FAF2 JNZ SHORT SETUP.0040FB5D
0040FAF4 MOV EDX,EAX
0040FAF6 AND EDX,20000
0040FAFC XOR EDX,ECX
0040FAFE TEST EDX,FFFE0000
0040FB04 JNZ SHORT SETUP.0040FB5D ; 1f bit
0040FB06 MOV ECX,EAX ; check BASE_OUT_L3W[1]
0040FB08 SHR ECX,12
0040FB0B MOV EDX,ECX
0040FB0D XOR EDX,EDI
0040FB0F TEST DL,1
0040FB12 JNZ SHORT SETUP.0040FB5D ; 0 bit
0040FB14 MOV EDX,ECX
0040FB16 XOR EDX,EDI
0040FB18 TEST DL,2
0040FB1B JNZ SHORT SETUP.0040FB5D ; 1 bit
0040FB1D XOR ECX,EDI
0040FB1F TEST CL,4
0040FB22 JNZ SHORT SETUP.0040FB5D ; 2 bit
0040FB24 SHR EAX,15
0040FB27 MOV ECX,EAX
0040FB29 XOR ECX,EDI
0040FB2B TEST CL,8
0040FB2E JNZ SHORT SETUP.0040FB5D ; 3 bit
0040FB30 MOV EDX,EAX
0040FB32 XOR EDX,EDI
0040FB34 TEST DL,10
0040FB37 JNZ SHORT SETUP.0040FB5D ; 4 bit
0040FB39 MOV ECX,EAX
0040FB3B XOR ECX,EDI
0040FB3D TEST CL,20
0040FB40 JNZ SHORT SETUP.0040FB5D ; 5 bit
0040FB42 MOV EDX,EAX
0040FB44 XOR EDX,EDI
0040FB46 TEST DL,40
0040FB49 JNZ SHORT SETUP.0040FB5D ; 6 bit
0040FB4B XOR EAX,EDI
0040FB4D TEST AL,80
0040FB4F JNZ SHORT SETUP.0040FB5D ; 7 bit
0040FB51 POP EDI
0040FB52 POP ESI
0040FB53 MOV AL,1 ; ohhh........yeah....result is TRUE^_*
0040FB55 POP EBX
0040FB56 ADD ESP,110
0040FB5C RETN

总结一下:
算法不难,就是麻烦点,要逆出来也不难,需要点耐心:)

我觉得那些用经典密码学写出来的还不如这些自己编的烂算法有用,至少这个没有可参考的算法说明和可用的算法包...

送份垃圾代码,没打草,想到哪写到哪了,所以一些变量名可能很恶心:)

#include "windows.h"
#include "time.h"
#include "resource.h"

HINSTANCE hInst;
char szCode[21];
const char szAbout[]="\n KeyGen for 还原精灵2003 \n\n\t by bbbsl[iPB]";

void GENERATE(void){
int i,j=0;
unsigned char MCode[21];
BYTE temp2[8];
union{
BYTE ohfuck[8];
DWORD yumen[2];
} woria,wokao;
union{
BYTE test2[4];
DWORD newdw;
} test1;
DWORD result[2];
memset(&test1,0x0,4);
memset(&result,0x0,2*sizeof(DWORD));
unsigned char BASE_data[]={
'2' , '3' , '4' , '5' , '6' , '7' , '8' , '9' , 'A' , 'B' , 'C' , 'D' , 'E' , 'F' , 'G' , 'H' ,
'J' , 'K' , 'L' , 'M' , 'N' , 'P' , 'Q' , 'R' , 'S' , 'T' , 'U' , 'V' , 'W' , 'X' , 'Y' , 'Z'
};// VIP chart...
BYTE reverse_table[]={
0x21 , 0x25 , 0x12 , 0x1B , 0x26 , 0x04 , 0x2D , 0x05,
0x07 , 0x0E , 0x1D , 0x17 , 0x20 , 0x0A , 0x1C , 0x19,
0x34 , 0x08 , 0x14 , 0x32 , 0x2E , 0x2C , 0x30 , 0x18,
0x00 , 0x06 , 0x27 , 0x0D , 0x28 , 0x1E , 0x09 , 0x16,
0x0F , 0x33 , 0x02 , 0x01 , 0x10 , 0x03 , 0x36 , 0x2F,
0x35 , 0x22 , 0x23 , 0x1A , 0x0C , 0x24 , 0x15 , 0x13,
0x2B , 0x0B , 0x2A , 0x29 , 0x1F , 0x11 , 0x31 , 0x37
};//for 56 bit select...
BYTE Mask[]={
0x1,0x2,0x4,0x8,0x10,0x20,0x40,0x80
};//Masks usually be convient:)
//get the random 8 chars ...
srand((unsigned)time(NULL));
for (i=0;i<8;i++)
MCode[i]=BASE_data[rand()%0x20];
//find the char in the table...
memset(&temp2,0xff,8);
for (i=0;i<8;i++){
while(BASE_data[j]!=MCode[i])
j++;
if (j>=0x20) temp2[i]=0xff;
else temp2[i]=j;

j=0;
}
test1.test2[0]=test1.test2[1]=0x0;
for (i=0;i<4;i++){
test1.test2[0]+=temp2[i+4];
test1.test2[1]^=temp2[i+4];
}
test1.test2[2]=0xd-test1.test2[0]%0xd;
result[0]=(test1.newdw&0x1f)<<8|(test1.newdw&0x1f00)
<<5|(test1.newdw&0x1f0000)<<2;
//8--23 bits;
for (i=0;i<4;i++) test1.test2[i]=temp2[i];
result[1]=(test1.newdw&0x1f)<<0x14|(test1.newdw&0x1f00)
<<0x11|(test1.newdw&0x10000)<<0xe|(test1.newdw&0x20000)<<0xe;
//hmm...there must be another area to check result[1]'s other bits
result[0]|=(test1.newdw>>0x12)&0x7; //0-2 bits;
result[0]|=(test1.newdw>>0x15)&0xf8; //3-7 bits;
result[0]|=0xff000000; //25-31 bits..

memset(temp2,0x0,8);

woria.yumen[0]=result[1];
woria.yumen[1]=result[0];
int sum=0; //bit sum;
for (i=1;i<8;i++)
for (j=0;j<8;j++)
if(woria.ohfuck[i]&Mask[j])
sum++;
sum%=2;
if (sum)
woria.ohfuck[6]|=0x80;
//the highest bit --24 bit
//set every bit to the correct value:)
memset(result,0x0,8);
memset(&wokao,0x0,8);

for (i=0;i<56;i++)
if(woria.ohfuck[reverse_table[i]>>3]&Mask[reverse_table[i]&0x7])
wokao.ohfuck[i>>3]|=Mask[i&0x7];
//56 bit select;
wokao.ohfuck[7]=0xe;
BYTE stamp=0x0,stamp1=0x0;
j=wokao.ohfuck[7];//backup high byte...
for (i=0;iif(wokao.yumen[0]&0x80000000)
stamp=0x1;
if(wokao.yumen[1]&0x800000)
stamp1=0x1;
wokao.yumen[0]<<=1;
wokao.yumen[0]|=stamp1;
wokao.yumen[1]<<=1;
wokao.yumen[1]|=stamp;
stamp1=stamp=0x0;
}//ROL routine;
wokao.ohfuck[7]=j;//and set the high byte back...
BYTE d[12];
d[0]= wokao.ohfuck[0]>>3; d[1]=((wokao.ohfuck[0]&0x7)<<2)|(wokao.ohfuck[1]>>6);
d[2]=(wokao.ohfuck[1]>>1)&0x1f; d[3]=((wokao.ohfuck[1]&0x1)<<4)|(wokao.ohfuck[2]>>4);
d[4]=((wokao.ohfuck[2]&0xf)<<1)|(wokao.ohfuck[3]>>7); d[5]=(wokao.ohfuck[3]>>2)&0x1f;
d[6]=((wokao.ohfuck[3]&0x3)<<3)|(wokao.ohfuck[4]>>5); d[7]=wokao.ohfuck[4]&0x1f;
d[8]= wokao.ohfuck[5]>>3; d[9]=((wokao.ohfuck[5]&0x7)<<2)|(wokao.ohfuck[6]>>6);
d[10]=(wokao.ohfuck[6]>>1)&0x1f; d[11]=((wokao.ohfuck[6]&0x1)<<4)|(wokao.ohfuck[7]&0xf);
for (i=0;i<12;i++)
MCode[i+8]=BASE_data[d[i]];
MCode[20]='\0';
strcpy(szCode,(const char *)MCode);
return;
}

LRESULT CALLBACK MainProc(HWND hWnd,UINT MsG,WPARAM wParam,LPARAM lParam)
{
HWND hMcode;
switch(MsG)
{
case WM_INITDIALOG:
hMcode=GetDlgItem(hWnd,IDC_Code);
SetFocus(hMcode);
break;
case WM_COMMAND:
switch(wParam)
{
case IDC_GEN:
GENERATE();
SetDlgItemText(hWnd,IDC_Code,szCode);
break;
case IDC_ABOUT:
MessageBox(hWnd,szAbout,NULL,MB_OK);
break;
case IDC_EXIT:
EndDialog(hWnd,0);
break;
}
break;
case WM_LBUTTONDOWN:
PostMessage(hWnd, WM_NCLBUTTONDOWN, HTCAPTION, NULL);
break;
}
return 0;
}

int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,\
int nShowCmd)
{
hInst=hInstance;
DialogBox(hInstance,(LPTSTR)IDD_MainDlg,0,(DLGPROC)MainProc);
return 0;
}

	电脑入门 \| 操作系统 \| 工具软件 \| 病毒安全 \| 平面设计 \| 媒体动画 \| 网页制作 \| 网络编程 \| 数据库 \| 服务器 \| 程序设计
	认证考试 \| 网管大全 \| 站长CLUB \| 游戏娱乐 \| 机械电子 \| 学院热门 \| 热门源码 \| 软件新闻 \| 驱动下载

	Copyright © 2000-2006 18839.Com. All Rights Reserved .
	EMAIL：webmaster@18839.com 联系QQ：63191918 苏ICP备05065193号带宽支持：三九互联