iTime Cracking Walkthrough (15k characters), iTime, encryption algorithm

2010-1-22 18:40 | Posted by: admin | Views: 81 | Comments: 0 | Original author: 仙之剑缘


Monday, 23 June 2008, 12:54 PM
iTime Cracking Walkthrough

iTime International Version

http://www.touchstone.de

A program that synchronizes your PC clock; under Windows 2000 you no longer need it. I still prefer Windows 98 as my cracking platform, and I often spend hours at a stretch inside SoftICE. My clock is frequently off, and while browsing the web recently I found that this program can synchronize it, so I grabbed a copy. It turns out it even needs registration, otherwise it refuses to run once the trial period is up. These days I react to the word Register by reflex :), so let's write a keygen for it. OK, let's go!

1. Tools: DeDe v2.50, TRW2000 or SoftICE, TC2.0 or asm (whichever compiler you prefer)

2. Open iTime.exe in DeDe, click the Procedures button, find the entry options (unit name) and double-click it, then in the right-hand pane find mnuRegisterClick and double-click that too. WOW!

Once you are here you are already halfway done! ^*^ (That easy?)

* Reference to: controls.TControl.GetText(TControl):System.String;
|
004078B4 E80F0C0300 call 004384C8
004078B9 8D45F8 lea eax, [ebp-$08] <-- d *eax shows the name you entered
|
004078BC E827670500 call 0045DFE8
004078C1 8BF0 mov esi, eax
004078C3 83FE32 cmp esi, $32
004078C6 7E04 jle 004078CC
004078C8 B232 mov dl, $32
004078CA EB02 jmp 004078CE
004078CC 8BD6 mov edx, esi
004078CE 889528FFFFFF mov [ebp+$FFFFFF28], dl
004078D4 33C0 xor eax, eax
004078D6 8A8528FFFFFF mov al, byte ptr [ebp+$FFFFFF28]
004078DC 50 push eax
004078DD 837DF800 cmp dword ptr [ebp-$08], $00
004078E1 7405 jz 004078E8
004078E3 8B4DF8 mov ecx, [ebp-$08]
004078E6 EB05 jmp 004078ED
004078E8 B9C8AF4600 mov ecx, $0046AFC8
004078ED 51 push ecx
004078EE 8D8529FFFFFF lea eax, [ebp+$FFFFFF29]
004078F4 50 push eax

* Reference to: _strncpy()
|
004078F5 E86C1C0600 call 00469566
004078FA 83C40C add esp, $0C
004078FD FF4DD4 dec dword ptr [ebp-$2C]
00407900 8D45F8 lea eax, [ebp-$08]
00407903 BA02000000 mov edx, $00000002
|
00407908 E8DF650500 call 0045DEEC
0040790D 8D9528FFFFFF lea edx, [ebp+$FFFFFF28]
00407913 8D855CFFFFFF lea eax, [ebp+$FFFFFF5C]
|
00407919 E8C2B9FFFF call 004032E0
0040791E 66C745C82C00 mov word ptr [ebp-$38], $002C
00407924 33C9 xor ecx, ecx
00407926 894DF4 mov [ebp-$0C], ecx
00407929 8D55F4 lea edx, [ebp-$0C]
0040792C FF45D4 inc dword ptr [ebp-$2C]
0040792F 8B45B4 mov eax, [ebp-$4C]

* Reference to control btnDel : TResButton
|
00407932 8B80EC010000 mov eax, [eax+$01EC]

* Reference to: controls.TControl.GetText(TControl):System.String;
|
00407938 E88B0B0300 call 004384C8
0040793D 8D45F4 lea eax, [ebp-$0C] <-- d *eax shows the code you entered
|
00407940 E8A3660500 call 0045DFE8

To reach the core comparison faster, set a bpr or bpm breakpoint. When you see this code:

0167:0040CA38 PUSH EBP
0167:0040CA39 MOV EBP,ESP
0167:0040CA3B ADD ESP,BYTE -1C
0167:0040CA3E MOV [EBP-0C],ECX
0167:0040CA41 MOV [EBP-08],EDX
0167:0040CA44 MOV [EBP-04],EAX
0167:0040CA47 MOV BYTE [EBP-16],00
0167:0040CA4B LEA EAX,[EBP-16]
0167:0040CA4E MOV EDX,0040CB90
0167:0040CA53 MOV CL,09
0167:0040CA55 CALL 0045B014
0167:0040CA5A LEA EAX,[EBP-1C]
0167:0040CA5D MOV EDX,[EBP-08]
0167:0040CA60 SHR EDX,1C
0167:0040CA63 AND EDX,BYTE 0F
0167:0040CA66 MOV DL,[EDX+0046EE4C]
0167:0040CA6C MOV [EAX+01],DL
0167:0040CA6F MOV BYTE [EAX],01
0167:0040CA72 LEA EDX,[EBP-1C]
0167:0040CA75 LEA EAX,[EBP-16]
0167:0040CA78 MOV CL,09
0167:0040CA7A CALL 0045B014
0167:0040CA7F LEA EAX,[EBP-1C]
0167:0040CA82 MOV EDX,[EBP-08]
0167:0040CA85 SHR EDX,18
0167:0040CA88 AND EDX,BYTE 0F
0167:0040CA8B MOV DL,[EDX+0046EE4C]
0167:0040CA91 MOV [EAX+01],DL
0167:0040CA94 MOV BYTE [EAX],01
0167:0040CA97 LEA EDX,[EBP-1C]
0167:0040CA9A LEA EAX,[EBP-16]
0167:0040CA9D MOV CL,09
0167:0040CA9F CALL 0045B014
0167:0040CAA4 LEA EAX,[EBP-1C]
0167:0040CAA7 MOV EDX,[EBP-08]
0167:0040CAAA SHR EDX,14
0167:0040CAAD AND EDX,BYTE 0F
0167:0040CAB0 MOV DL,[EDX+0046EE4C]
0167:0040CAB6 MOV [EAX+01],DL
0167:0040CAB9 MOV BYTE [EAX],01
0167:0040CABC LEA EDX,[EBP-1C]
0167:0040CABF LEA EAX,[EBP-16]
0167:0040CAC2 MOV CL,09
0167:0040CAC4 CALL 0045B014
0167:0040CAC9 LEA EAX,[EBP-1C]
0167:0040CACC MOV EDX,[EBP-08]
0167:0040CACF SHR EDX,10
0167:0040CAD2 AND EDX,BYTE 0F
0167:0040CAD5 MOV DL,[EDX+0046EE4C]
0167:0040CADB MOV [EAX+01],DL
0167:0040CADE MOV BYTE [EAX],01
0167:0040CAE1 LEA EDX,[EBP-1C]
0167:0040CAE4 LEA EAX,[EBP-16]
0167:0040CAE7 MOV CL,09
0167:0040CAE9 CALL 0045B014
0167:0040CAEE LEA EAX,[EBP-1C]
0167:0040CAF1 MOV EDX,[EBP-08]
0167:0040CAF4 SHR EDX,0C
0167:0040CAF7 AND EDX,BYTE 0F
0167:0040CAFA MOV DL,[EDX+0046EE4C]
0167:0040CB00 MOV [EAX+01],DL
0167:0040CB03 MOV BYTE [EAX],01
0167:0040CB06 LEA EDX,[EBP-1C]
0167:0040CB09 LEA EAX,[EBP-16]
0167:0040CB0C MOV CL,09
0167:0040CB0E CALL 0045B014
0167:0040CB13 LEA EAX,[EBP-1C]
0167:0040CB16 MOV EDX,[EBP-08]
0167:0040CB19 SHR EDX,08
0167:0040CB1C AND EDX,BYTE 0F
0167:0040CB1F MOV DL,[EDX+0046EE4C]
0167:0040CB25 MOV [EAX+01],DL
0167:0040CB28 MOV BYTE [EAX],01
0167:0040CB2B LEA EDX,[EBP-1C]
0167:0040CB2E LEA EAX,[EBP-16]
0167:0040CB31 MOV CL,09
0167:0040CB33 CALL 0045B014
0167:0040CB38 LEA EAX,[EBP-1C]
0167:0040CB3B MOV EDX,[EBP-08]
0167:0040CB3E SHR EDX,04
0167:0040CB41 AND EDX,BYTE 0F
0167:0040CB44 MOV DL,[EDX+0046EE4C]
0167:0040CB4A MOV [EAX+01],DL
0167:0040CB4D MOV BYTE [EAX],01
0167:0040CB50 LEA EDX,[EBP-1C]
0167:0040CB53 LEA EAX,[EBP-16]
0167:0040CB56 MOV CL,09
0167:0040CB58 CALL 0045B014
0167:0040CB5D LEA EAX,[EBP-1C]
0167:0040CB60 MOV EDX,[EBP-08]
0167:0040CB63 AND EDX,BYTE 0F
0167:0040CB66 MOV DL,[EDX+0046EE4C]
0167:0040CB6C MOV [EAX+01],DL
0167:0040CB6F MOV BYTE [EAX],01
0167:0040CB72 LEA EDX,[EBP-1C]
0167:0040CB75 LEA EAX,[EBP-16]
0167:0040CB78 MOV CL,09
0167:0040CB7A CALL 0045B014
0167:0040CB7F MOV EAX,[EBP-0C]
0167:0040CB82 LEA EDX,[EBP-16]
0167:0040CB85 MOV CL,09
0167:0040CB87 CALL 0045B060
0167:0040CB8C MOV ESP,EBP
0167:0040CB8E POP EBP
0167:0040CB8F RET



This routine simply converts a 4-byte value into its hexadecimal string: each nibble, from the highest (SHR EDX,1C) down to the lowest, is looked up in the digit table at 0046EE4C and appended by the call to 0045B014. For example, the first call converts 0x426B2FA9 into $426B2FA9, and the second converts 0x6FB73A24 into $6FB73A24.

-----------------------------------------

0167:0040CBBF MOV AL,[EBP-4D]
0167:0040CBC2 INC EAX
0167:0040CBC3 CMP EAX,BYTE 32
0167:0040CBC6 JG 0040CBDC
0167:0040CBC8 MOV [EBP-10],EAX
0167:0040CBCB MOV EAX,[EBP-10]
0167:0040CBCE MOV BYTE [EBP+EAX-4D],2A
0167:0040CBD3 INC DWORD [EBP-10]
0167:0040CBD6 CMP DWORD [EBP-10],BYTE 33
0167:0040CBDA JNZ 0040CBCB
0167:0040CBDC LEA EAX,[EBP+FFFFFF6C]
0167:0040CBE2 MOV [EBP-0C],EAX
0167:0040CBE5 LEA ECX,[EBP+FFFFFF60]
0167:0040CBEB MOV EAX,[EBP-04]
0167:0040CBEE MOV EDX,[EAX+0224]
0167:0040CBF4 MOV EAX,[EBP-04]
0167:0040CBF7 CALL 0040CA38

This code pads the name with '*' up to 50 characters. The two strings above are then attached on either side of your name, like this:

--------------------------------------------------------------
$426B2FA9 CoolBob******************************************* $6FB73A24

|------------------71 characters in total------------------|



Now trace carefully; you arrive here:

0167:0040C9E3 MOV [EBP-08],EDX
0167:0040C9E6 MOV [EBP-04],EAX
0167:0040C9E9 MOV BYTE [EBP-15],00
0167:0040C9ED MOV EAX,[EBP-08] <--- EAX starts out as 0xABCDEF
0167:0040C9F0 SHR EAX,08
0167:0040C9F3 AND EAX,00FFFFFF
0167:0040C9F8 MOV [EBP-10],EAX
0167:0040C9FB XOR EAX,EAX
0167:0040C9FD MOV AL,[EBP-15]
0167:0040CA00 MOVZX EAX,BYTE [EBP+EAX-5C] <--- this is the 71-character buffer built above
0167:0040CA05 XOR EAX,[EBP-08]
0167:0040CA08 AND EAX,FF
0167:0040CA0D MOV EAX,[EAX*4+0046EA44] <---- in TRW2000 dump this table with: w 46EA44 fe*4 46EA44 c:\data.bin
<---- the keygen cannot do without it later.
0167:0040CA14 MOV [EBP-14],EAX
0167:0040CA17 MOV EAX,[EBP-10]
0167:0040CA1A XOR EAX,[EBP-14]
0167:0040CA1D MOV [EBP-08],EAX
0167:0040CA20 INC BYTE [EBP-15]
0167:0040CA23 CMP BYTE [EBP-15],47
0167:0040CA27 JNZ 0040C9ED <---- loops 0x47 times, i.e. 71

The EAX computed here is the raw registration code; all that remains is to convert the hexadecimal value in EAX into a string and print it!
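The loop above is a table-driven CRC-32 update (reflected polynomial 0xEDB88320) seeded with 0xABCDEF and without the usual final inversion, which is why a licence check built on it offers no protection: anyone holding the binary can recompute it, and a CRC is a checksum, not a MAC. As an added example that is not part of the original write-up, the C below regenerates the lookup table from the polynomial, checks it against the constants quoted on this page, and shows that one loop iteration equals a bitwise CRC-32 step; the table address 0046EA44 and the seed come from the listing, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Reflected CRC-32 polynomial (bit-reversed 0x04C11DB7). Assumption: the dword
 * table at 0046EA44 indexed by the loop is the standard CRC-32 table. */
#define CRC32_POLY 0xEDB88320u

/* Rebuild the 256-entry lookup table from the polynomial alone. */
static void crc32_build_table(uint32_t table[256]) {
    for (uint32_t n = 0; n < 256; n++) {
        uint32_t c = n;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (c >> 1) ^ CRC32_POLY : (c >> 1);
        table[n] = c;
    }
}

/* One pass of the loop at 0040C9ED..0040CA27, transcribed from the listing:
 * eax = (ebp >> 8) & 0x00FFFFFF; ebp = eax ^ table[(byte ^ ebp) & 0xFF]. */
static uint32_t itime_step_table(uint32_t ebp, uint8_t byte, const uint32_t table[256]) {
    uint32_t eax = (ebp >> 8) & 0x00FFFFFFu;
    return eax ^ table[(byte ^ ebp) & 0xFFu];
}

/* The same step with no table at all: eight shift-and-xor rounds over the
 * whole 32-bit state. Identical output means the table is CRC-32 unrolled. */
static uint32_t crc32_step_bitwise(uint32_t state, uint8_t byte) {
    uint32_t c = state ^ byte;
    for (int k = 0; k < 8; k++)
        c = (c & 1u) ? (c >> 1) ^ CRC32_POLY : (c >> 1);
    return c;
}

/* Does the regenerated table reproduce the entries of the dump quoted on the page? */
int itime_table_is_crc32(void) {
    uint32_t t[256];
    crc32_build_table(t);
    return t[0] == 0x0u && t[1] == 0x77073096u && t[2] == 0xEE0E612Cu &&
           t[0x40] == 0x76DC4190u && t[0xFD] == 0xC30C8EA1u;
}

/* Feed a constructed buffer (not a real name) through both step forms from the
 * page's seed 0xABCDEF; return 1 if they agree after every byte. */
int itime_loop_matches_crc32(void) {
    static const uint8_t sample[] = "constructed sample buffer, not a real key";
    uint32_t t[256], a = 0xABCDEFu, b = 0xABCDEFu;
    crc32_build_table(t);
    for (size_t i = 0; i < sizeof sample - 1; i++) {
        a = itime_step_table(a, sample[i], t);
        b = crc32_step_bitwise(b, sample[i]);
        if (a != b) return 0;
    }
    return 1;
}
```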

----------------------------

0167:0040CE14 MOV CL,[EAX+0375]
0167:0040CE1A LEA EDX,[EBP-42]
0167:0040CE1D MOV EAX,[EBP-04]
0167:0040CE20 CALL 0040CB94
0167:0040CE25 LEA EAX,[EBP-50] <----- d EAX (real code)
0167:0040CE28 LEA EDX,[EBP-0E] <----- d edx (our code)
0167:0040CE2B XOR ECX,ECX
0167:0040CE2D MOV CL,[EAX]
0167:0040CE2F INC ECX
0167:0040CE30 CALL 0045B114 <----- compare the two for equality
0167:0040CE35 SETZ [EBP-0F] <----- if equal, set the registered flag at [EBP-0F] to 1
0167:0040CE39 CMP BYTE [EBP-0F],00
0167:0040CE3D JNZ 0040CE85 <----- if jump good boy:)
0167:0040CE3F MOV EAX,[EBP-04]
0167:0040CE42 MOV BYTE [EAX+0375],01
0167:0040CE49 LEA EAX,[EBP-50]
0167:0040CE4C PUSH EAX
0167:0040CE4D MOV EAX,[EBP-04]
0167:0040CE50 MOV CL,[EAX+0375]
0167:0040CE56 LEA EDX,[EBP-42]
0167:0040CE59 MOV EAX,[EBP-04]
0167:0040CE5C CALL 0040CB94
0167:0040CE61 LEA EAX,[EBP-50]
0167:0040CE64 LEA EDX,[EBP-0E]
0167:0040CE67 XOR ECX,ECX
0167:0040CE69 MOV CL,[EAX]
0167:0040CE6B INC ECX
0167:0040CE6C CALL 0045B114
0167:0040CE71 SETZ [EBP-0F]
0167:0040CE75 CMP BYTE [EBP-0F],01
0167:0040CE79 JNZ 0040CE85
0167:0040CE7B MOV EAX,[EBP-04]
0167:0040CE7E MOV BYTE [EAX+0375],01
0167:0040CE85 MOV AL,[EBP-0F]
0167:0040CE88 POP EDI
0167:0040CE89 POP ESI
0167:0040CE8A MOV ESP,EBP
0167:0040CE8C POP EBP
0167:0040CE8D RET

Once registered correctly, the program creates a file named iTime.key in its directory.



3. Preparation before writing the keygen:

We need to process the data.bin dumped from TRW2000. A small program can do that:

------------------------------------Start here--------------------------------------
#include <stdio.h>
#include <conio.h>   /* Turbo C: clrscr() */

int main(void){
FILE *fp1,*fp2;
unsigned long buffer[0xfe];   /* 0xFE dwords, as dumped with the TRW2000 w command */
int i;
clrscr();
fp1=fopen("c:\\data.bin","rb");   /* the raw table dumped from TRW2000 */
fp2=fopen("c:\\x.bin","w");       /* text output: a C initializer list */
if(fp1==NULL||fp2==NULL){printf("cannot open file\n");return 1;}
for(i=0;i<0xfe;i++)
{fread(&buffer[i],4,1,fp1);
printf("0x%lX,",buffer[i]);
fprintf(fp2,"0x%lX,",buffer[i]);
if (i%6==0) fprintf(fp2,"\n");   /* first value on its own line, then six per line */
}
fclose(fp1);fclose(fp2);
return 0;
}
------------------------------------Cut here----------------------------------------

The program above converts the binary data in data.bin into 4-byte long integers, printed in hex.

4. Keygen

-------------------start here------------------
#include <stdio.h>
#include <string.h>
#include <conio.h>   /* Turbo C: clrscr(), getch() */

int main(void)
{
/* Pascal short strings: a length byte (9) followed by "$426B2FA9" and "$6FB73A24" */
char string1[]={0x9,0x24,0x34,0x32,0x36,0x42,0x32,0x46,0x41,0x39};
char string2[]={0x9,0x24,0x36,0x46,0x42,0x37,0x33,0x41,0x32,0x34};
char name[51];   /* at most 50 characters, which is also where the program truncates */
char sns[71];    /* the 71-byte buffer walked by the loop at 0040C9ED */
/* Lookup table dumped from 0046EA44. The dump on this page covers indexes 0..0xFD;
 * the last two entries below are the standard CRC-32 table values for 0xFE and 0xFF,
 * added here so that data[j] can never read past the end of the array. */
unsigned long data[]={0x0,
0x77073096,0xEE0E612C,0x990951BA,0x76DC419,0x706AF48F,0xE963A535,
0x9E6495A3,0xEDB8832,0x79DCB8A4,0xE0D5E91E,0x97D2D988,0x9B64C2B,
0x7EB17CBD,0xE7B82D07,0x90BF1D91,0x1DB71064,0x6AB020F2,0xF3B97148,
0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0xF4D4B551,0x83D385C7,0x136C9856,
0x646BA8C0,0xFD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9,0xFA0F3D63,
0x8D080DF5,0x3B6E20C8,0x4C69105E,0xD56041E4,0xA2677172,0x3C03E4D1,
0x4B04D447,0xD20D85FD,0xA50AB56B,0x35B5A8FA,0x42B2986C,0xDBBBC9D6,
0xACBCF940,0x32D86CE3,0x45DF5C75,0xDCD60DCF,0xABD13D59,0x26D930AC,
0x51DE003A,0xC8D75180,0xBFD06116,0x21B4F4B5,0x56B3C423,0xCFBA9599,
0xB8BDA50F,0x2802B89E,0x5F058808,0xC60CD9B2,0xB10BE924,0x2F6F7C87,
0x58684C11,0xC1611DAB,0xB6662D3D,0x76DC4190,0x1DB7106,0x98D220BC,
0xEFD5102A,0x71B18589,0x6B6B51F,0x9FBFE4A5,0xE8B8D433,0x7807C9A2,
0xF00F934,0x9609A88E,0xE10E9818,0x7F6A0DBB,0x86D3D2D,0x91646C97,
0xE6635C01,0x6B6B51F4,0x1C6C6162,0x856530D8,0xF262004E,0x6C0695ED,
0x1B01A57B,0x8208F4C1,0xF50FC457,0x65B0D9C6,0x12B7E950,0x8BBEB8EA,
0xFCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0xFBD44C65,0x4DB26158,
0x3AB551CE,0xA3BC0074,0xD4BB30E2,0x4ADFA541,0x3DD895D7,0xA4D1C46D,
0xD3D6F4FB,0x4369E96A,0x346ED9FC,0xAD678846,0xDA60B8D0,0x44042D73,
0x33031DE5,0xAA0A4C5F,0xDD0D7CC9,0x5005713C,0x270241AA,0xBE0B1010,
0xC90C2086,0x5768B525,0x206F85B3,0xB966D409,0xCE61E49F,0x5EDEF90E,
0x29D9C998,0xB0D09822,0xC7D7A8B4,0x59B33D17,0x2EB40D81,0xB7BD5C3B,
0xC0BA6CAD,0xEDB88320,0x9ABFB3B6,0x3B6E20C,0x74B1D29A,0xEAD54739,
0x9DD277AF,0x4DB2615,0x73DC1683,0xE3630B12,0x94643B84,0xD6D6A3E,
0x7A6A5AA8,0xE40ECF0B,0x9309FF9D,0xA00AE27,0x7D079EB1,0xF00F9344,
0x8708A3D2,0x1E01F268,0x6906C2FE,0xF762575D,0x806567CB,0x196C3671,
0x6E6B06E7,0xFED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,0xF9B9DF6F,
0x8EBEEFF9,0x17B7BE43,0x60B08ED5,0xD6D6A3E8,0xA1D1937E,0x38D8C2C4,
0x4FDFF252,0xD1BB67F1,0xA6BC5767,0x3FB506DD,0x48B2364B,0xD80D2BDA,
0xAF0A1B4C,0x36034AF6,0x41047A60,0xDF60EFC3,0xA867DF55,0x316E8EEF,
0x4669BE79,0xCB61B38C,0xBC66831A,0x256FD2A0,0x5268E236,0xCC0C7795,
0xBB0B4703,0x220216B9,0x5505262F,0xC5BA3BBE,0xB2BD0B28,0x2BB45A92,
0x5CB36A04,0xC2D7FFA7,0xB5D0CF31,0x2CD99E8B,0x5BDEAE1D,0x9B64C2B0,
0xEC63F226,0x756AA39C,0x26D930A,0x9C0906A9,0xEB0E363F,0x72076785,
0x5005713,0x95BF4A82,0xE2B87A14,0x7BB12BAE,0xCB61B38,0x92D28E9B,
0xE5D5BE0D,0x7CDCEFB7,0xBDBDF21,0x86D3D2D4,0xF1D4E242,0x68DDB3F8,
0x1FDA836E,0x81BE16CD,0xF6B9265B,0x6FB077E1,0x18B74777,0x88085AE6,
0xFF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0xF862AE69,0x616BFFD3,
0x166CCF45,0xA00AE278,0xD70DD2EE,0x4E048354,0x3903B3C2,0xA7672661,
0xD06016F7,0x4969474D,0x3E6E77DB,0xAED16A4A,0xD9D65ADC,0x40DF0B66,
0x37D83BF0,0xA9BCAE53,0xDEBB9EC5,0x47B2CF7F,0x30B5FFE9,0xBDBDF21C,
0xCABAC28A,0x53B39330,0x24B4A3A6,0xBAD03605,0xCDD70693,0x54DE5729,
0x23D967BF,0xB3667A2E,0xC4614AB8,0x5D681B02,0x2A6F2B94,0xB40BBE37,
0xC30C8EA1,
0x5A05DF1B,0x2D02EF8D};   /* standard CRC-32 entries 0xFE, 0xFF (not in the page's dump) */
int i,j;unsigned long ebp=0xABCDEF,eax;
clrscr();
printf("iTime (International Version) Keymaker by CoolBob[CCG]\n");
printf("written at 2001.4.25\n");
printf("name: ");
scanf("%50s",name);printf("\n");   /* width limit keeps the name inside name[51] */
for(i=0;i<10;i++) sns[i]=string1[i];          /* "$426B2FA9" with its length byte */
sns[10]=strlen(name);                         /* length byte of the name string */
/* Copy the name itself; this line was lost on the page and is reconstructed from the buffer layout. */
for(i=11;i<strlen(name)+11;i++) sns[i]=name[i-11];
if (strlen(name)<50) {for(i=strlen(name)+11;i<61;i++) sns[i]='*';};   /* pad to 50 */
for(i=61;i<71;i++) sns[i]=string2[i-61];      /* "$6FB73A24" with its length byte */
for(i=0;i<0x47;i++)                           /* the loop at 0040C9ED, 71 rounds */
{
eax=ebp;
eax=(eax>>8)&0x00FFFFFF;
j=(sns[i]^ebp)&0xFF;
ebp=eax^data[j];
}
printf("code: %lX\n\n",ebp);
printf("Hmm,OK,that's your code!!enjoy yourself! Contact me at CoolBob@21cn.com :-)\n");
printf("press any key to exit!!");
getch();
return 0;
}
--------------------cut here---------------------



written by CoolBob[CCG]

2001.4.26

(CIH??)

CopyRight reserved by China Cracker Group

