休闲麻将 P-CODE 浅析

VB 2020-02-16
标 题: 【原创】休闲麻将 P-CODE 浅析
作 者:GoOdLeiSuRe
时 间:2007-03-31,20:18:37
链 接:http://bbs.pediy.com/showthread.PHP?t=41926
文章作者】GoOdLeiSuRe
【分析时间】2007年3月30日
【分析说明】本人很菜,完全入门水准,恳请指正,谢谢。

【软件名称】休闲麻将3.4
【软件大小】4.43MB
【下载地址】 http://zj1.51.net/mj.htm
【软件限制】这是一个共享软件(有30次使用及每次7局限制),注册费:30元,注册后将无任何使用限制。
注册类型】机器码+用户名->注册码,网络验证
【破解过程】
主程序:Mj.exe
PEiD检查:ASPack2.12->AlexeySolodovnikov
脱壳:用AspackDie直接脱
PEiD再检查:MicrosoftVisualBasic5.0/6.0
编译方式:用OllyDBG加载,感觉是P-CODE,用WKTVBDebugger加载,果然是P-CODE
代码: 
//加载后停于此
0049A850:00LargeBos
//一路F8瞧瞧
0049A852:00LargeBos
0049A854:4BOnErrorGotoNext
0049A857:00LargeBos
0049A859:04FLdRfVar0070FB56h
0049A85C:04FLdRfVar0070FB58h
0049A85F:05ImpAdLdRf
0049A862:24NewIfNullPr0041CEA8
0049A865:0DVCallHresultCVBApp::get_App
0049A86A:08FLdPr
0049A86D:0DVCallHresultget__ipropPrevInstanceAPP
0049A872:6BFLdI2
0049A875:1AFFree1Ad
0049A878:1CBranchF0049A87F(Jump)
0049A87B:00LargeBos
0049A87D:FCLead1/End
0049A87F:00LargeBos
//读取安装目录吧?
0049A881:1BLitStr:'SetupDir'
0049A884:43FStStrcopy
0049A87B:00LargeBos
0049A87D:FCLead1/End
0049A87F:00LargeBos
0049A881:1BLitStr:'SetupDir'
0049A884:43FStStrcopy
0049A887:04FLdRfVar0070FB48h
//注册表字符串,说不定用户名注册码也会储存在这儿
0049A88A:1BLitStr:'SoftWare\NetMJ\Infomation'
0049A88D:43FStStrcopy
0049A890:04FLdRfVar0070FB4Ch
0049A893:F5LitI4:->80000002h-2147483646
0049A898:59PopTmpLdAdStr
//读取注册表“SoftWare\NetMJ\Infomation”,获取“SetupDir”值
0049A89B:0BImpAdCallI2modPubTools!0044C5C4h
0049A8A0:31FStStr
……
//F5运行
点击:FormManager
在窗口下拉列表中看到了重要窗口:frmUserReg
点击:Command
在弹出窗口选择:cmdOK
点击:BPX,进行中断
接着返回主程序,输入一些注册信息,一但“确定”就会中断:
0044485C:04FLdRfVar0070F378h 0044485F:21FLdPrThis004FC52Ch 00444860:0FVCallAdfrmUserReg.txtUserName 00444863:19FStAdFunc0070F37C 00444866:08FLdPr 00444869:0DVCallHresultget__ipropTEXTEDIT 0044486E:6CILdRf00000000h 00444871:0BImpAdCallI2rtcTrimBstronaddress660E6AC5h //用户名 00444876:FDLead2/PopTmpLdAdStr 0044487A:1BLitStr:'RegName' 0044487D:43FStStrcopy 00444880:04FLdRfVar0070F36Ch 00444883:1BLitStr:'SoftWare\NetMJ\Infomation' 00444886:43FStStrcopy 00444889:04FLdRfVar0070F370h 0044488C:F5LitI4:->80000002h-2147483646 00444891:59PopTmpLdAdStr 00444894:0aimpAdCallFPR4modPubTools!0044507Ch 00444899:32FFreeStr 004448A4:1AFFree1Ad 004448A7:04FLdRfVar0070F378h 004448AA:21FLdPrThis004FC52Ch 004448AB:0FVCallAdfrmUserReg.txtPassword 004448AE:19FStAdFunc 004448B1:08FLdPr 004448B4:0DVCallHresultget__ipropTEXTEDIT 004448B9:6CILdRf00000000h 004448BC:0BImpAdCallI2rtcTrimBstronaddress660E6AC5h //注册码 004448C1:FDLead2/PopTmpLdAdStr 004448C5:1BLitStr:'RegCode' 004448C8:43FStStrcopy 004448CB:04FLdRfVar0070F36Ch 004448CE:1BLitStr:'SoftWare\NetMJ\Infomation' 004448D1:43FStStrcopy 004448D4:04FLdRfVar0070F370h 004448D7:F5LitI4:->80000002h-2147483646 004448DC:59PopTmpLdAdStr 004448DF:0aimpAdCallFPR4modPubTools!0044507Ch 004448E4:32FFreeStr
很明显,注册信息存储于注册表项:SoftWare\NetMJ\Infomation
RegName用户名
RegCode注册
F5,主程序要求退出
重新加载,并由以上信息“ImpAdCallI2modPubTools!0044C5C4h”找出调用注册信息的位置
//用户名在此使用:GoOdLeiSuRe 00449928:23FStStrnopop->'GoOdLeiSuRe' 0044992B:0BImpAdCallI2rtcLowerCaseBstronaddress660E6A2Dh 00449930:31FStStr->'goodleisure' 00449933:32FFreeStr 0044993C:1BLitStr:'regcode' 0044993F:43FStStrcopy 00449942:04FLdRfVar0070F690h 00449945:1BLitStr:'SoftWare\NetMJ\Infomation' 00449948:43FStStrcopy 0044994B:04FLdRfVar0070F694h 0044994E:F5LitI4:->80000002h-2147483646 00449953:59PopTmpLdAdStr 00449956:0BImpAdCallI2modPubTools!0044C5C4h //注册码在此使用:7878787878 0044995B:31FStStr->'7878787878' 0044995E:32FFreeStr 00449965:05ImpAdLdRf 00449968:F4LitI2_Byte:->1h1 0044996A:FCLead1/FnUBound 0044996C:F5LitI4:->1h1 00449971:AAAddI4 00449972:71FStR4 00449975:6CILdRf004F08F8h //用户名长度 00449978:4AFnLenStr004F08F4h,11chars 00449979:F5LitI4:->1h1 0044997E:DBGtI4 0044997F:6CILdRf004F0E44h //注册码长度 00449982:4AFnLenStr004F0E40h,10chars 00449983:F5LitI4:->Ah10 //比较 00449988:C7EqI4 00449989:C4AndI4 0044998A:1CBranchF00449A03 0044998D:6CILdRf004F0E44h //反置注册码StrReverse() 00449990:0BImpAdCallI2rtcStrReverSEOnaddress660F7DF1h 00449995:31FStStr004F1590hto0070F7A4h->'8787878787' 00449998:F5LitI4:->0h0 0044999D:04FLdRfVar0070F69Ch 004499A0:05ImpAdLdRf 004499A3:F4LitI2_Byte:->1h1 004499A5:FCLead1/FnUBound 004499A7:FELead3/ForI4: 004499AD:6CILdRf00000003h 004499B0:05ImpAdLdRf 004499B3:9EAry1LdI4 //注册码长度 004499B4:4AFnLenStr004E5594h,10chars 004499B5:F5LitI4:->Ah10 //比较 004499BA:C7EqI4 004499BB:1CBranchF004499FB 004499BE:1BLitStr:'听' //取其7位长度 004499C1:F5LitI4:->7h7 004499C6:6CILdRf00000000h 004499C9:05ImpAdLdRf 004499CC:9EAry1LdI4 004499CD:0BImpAdCallI2rtcRightCharBstronaddress660E6362h 004499D2:23FStStrnopop ->'8888889' ->'3925743' 004499D5:2AConcatStr 004499D6:31FStStr ->'zjm8888889' ->'zjm3925743' 004499D9:2FFFree1Str004F82B0h 004499DC:6CILdRf004F1590h 004499DF:04FLdRfVar0070F694h 004499E2:04FLdRfVar0070F6A8h 004499E5:04FLdRfVar0070F6A0h //关键处 004499E8:10ThisVCallHresult0043EF68->0043EF68 004499ED:6CILdRf00000000h //字符串比较 004499F0:30EqStr 004499F2:2FFFree1Str 004499F5:1CBranchF004499FB(Jump? 004499F8:1EBranch00449A03 004499FB:04FLdRfVar0070F69Ch //循环一次 004499FE:66NextI4:jumpto004499AD 00449A03:6CILdRf00000000h 00449A06:05ImpAdLdRf 00449A09:F4LitI2_Byte:->1h1 00449A0B:FCLead1/FnUBound 00449A0D:D6LeI4 00449A0E:1CBranchF00449A50 00449A11:F4LitI2_Byte:->0h0 00449A13:21FLdPrThis004E5EF8h 00449A14:0FVCallAdfrmGameMain.mnuReg 00449A17:19FStAdFunc 00449A1A:08FLdPr 00449A1D:0DVCallHresultput__ipropVISIBLEMENU
关键处
0043EE68:FFLead4/ZeroRetVal 0043EE6A:80ILdI4 //用户名长度 0043EE6D:4AFnLenStr 0043EE6E:F5LitI4:->7h7 0043EE73:DBGtI4 //10>7? 0043EE74:1CBranchF0043EE8A 0043EE77:F5LitI4:->7h7 0043EE7C:80ILdI4 //取右边7位:goodleisure 0043EE7F:0BImpAdCallI2rtcRightCharBstronaddress660E6362h 0043EE84:31FStStr->'leisure' 0043EE87:1EBranch0043EE9 0043EE8A:80ILdI4 0043EE8D:43FStStrcopy 0043EE90:F5LitI4:->1h1 0043EE95:6CILdRf00000000h //取左边1位:leisure 0043EE98:0BImpAdCallI2rtcLeftCharBstronaddress660E625Eh 0043EE9D:31FStStr->'l' 0043EEA0:F5LitI4:->0h0 0043EEA5:F5LitI4:->FFFFFFFFh-1 0043EEAA:F5LitI4:->1h1 0043EEAF:F5LitI4:->0h0 0043EEB4:6CILdRf004E2EBCh 0043EEB7:6CILdRf004F0E44h //去除字符“l”:leisure 0043EEBA:0BImpAdCallI2rtcReplaceonaddress660F7E44h 0043EEBF:31FStStr004F2CA4hto0070F6C4h->eisure 0043EEC2:6CILdRf004E2EBCh 0043EEC5:F5LitI4:->0h0 //比较字符串,是否为空? //以前版本存在同字符漏洞。 0043EECA:30EqStr 0043EECC:1CBranchF0043EED5 0043EECF:FFLead4/ExitProcCbHresult 0043EED5:80ILdI4 //zjm8888889 0043EED8:6CILdRf004F0E44h 0043EEDB:2AConcatStr 0043EEDC:31FStStr004E5EB4hto0070F6C4h->zjm8888889leisure 0043EEDF:F5LitI4:->0h0 0043EEE4:43FStStrcopy 0043EEE7:F5LitI4:->1h1 0043EEEC:04FLdRfVar0070F5C8h 0043EEEF:6CILdRf004F2CA4h 0043EEF2:4AFnLenStr->17char //FOR循环,字符串长 0043EEF3:FELead3/ForI4: 0043EEF9:6CILdRf00000000h 0043EEFC:28LitvarI21h,1 0043EF01:6CILdRf00000001h //zjm8888889leisure 0043EF04:6CILdRf004E5EB4h 0043EF07:0BImpAdCallI2rtcMidCharBstronaddress660E64A6h 0043EF0C:23FStStrnopop->逐个字符(z,j,m,...) //各字符ASC()码 0043EF0F:0BImpAdCallI2rtcAnsiValueBstronaddress660E657Bh 0043EF14:E7CI4UI1 //与上一循环而得的商值相加 0043EF15:AAAddI4 //ABS() 0043EF16:BCFnAbsI4 //str() 0043EF17:71FStR4 0043EF1A:2FFFree1Str 0043EF1D:35FFree1Var 0043EF20:6CILdRf00000000h //上述求得的值 0043EF23:6CILdRf0000007Ah 0043EF26:F5LitI4:->Ah10 //与10求余 0043EF2B:C2ModI4 //str() 0043EF2C:FECStrI4 0043EF2E:23FStStrnopop->余值字符串 0043EF31:2AConcatStr 0043EF32:31FStStr 0043EF35:2FFFree1Str 0043EF38:6CILdRf0000007Ah 0043EF3B:F5LitI4:->Ah10 //与10相除的商 0043EF40:C0IDvI4 //str() 0043EF41:71FStR4 0043EF44:04FLdRfVar0070F5C8h //Next循环 0043EF47:66NextI4:jumpto0043EEF9 0043EF4C:F5LitI4:->Ah10 0043EF51:6CILdRf004F2CFCh //取右边10位长:2234266963->实际上反置过来就是需要的注册码了 0043EF54:0BImpAdCallI2rtcRightCharBstronaddress660E6362h 0043EF59:31FStStr 0043EF5C:6CILdRf004F2CFCh
【算法分析】
1,用户名长度要大于2位,转化为小写;
2,注册码长度为10位;
3,zjm+机器码右7位+用户名右7位
4,逐个取字符,求ASCII码,与10除,余数转化为字符,商值与下一字符的ASCII码相加
5,余数字符串反置即为注册
【网络验证】
软件在连网的状态下,会进行验证(用Iris捕获):
HTTP://zj1.51.net/cgi%2Dbin/mjlink.cgi?work=update&rgn=用户名&hid=XXXXXXX&mid=机器码右7位&mid0=YYYYYYY&mid1=&ver=312
返回ckerror则清除注册表内的注册码,返回ckok则验证正确
缺少用户名等信息不全,会返回一些升级信息
具体分析代码就省略了。
(参考)避开网络通验证,通常可修改hosts文件(位于WINDOWS\system32\drivers\etc),添加:

127.0.0.1zj1.51.net


C++伪代码

#include <iostream>
 

using namespace std;
 

 

 

 

/*
 

 * zjm 前缀
 

 * 7124277 机器码右7位
 

 * abc 用户名
 

 */
 

char a[100] = "zjm7124277abc";
 

char b[100] = {0};
 

int main()
 

{
 

    int i = 0, j = 0,k = 0;
 

 

    while(a[i]!=0)
 

    {
 

        b[i] = (a[i] % 10) + '0';
 

        if(a[i+1] == 0) {
 

            break;
 

        }
 

        a[i+1] += a[i]/10;
 

        i++;
 

    }
 

    for(j = i ; j >= 0 ;j--){
 

        if(k<10){
 

            printf("%c",b[j]);
 

            k++;
 

        } else {
 

            break;
 

        }
 

 

    }
 

    printf("\n");
 

    system("pause");
 

    return 0;
 

}

                

              

          
            
            


            

              

                
相关文章

              

                VB Format函数
              

              
Format[$] ( expr [ , fmt ] ) format 返回变体型 format$ 强...

            

              

                vb6/ASP FORMAT MM/DD/YYYY
              

              
VB6或者ASP 格式化时间为 MM/dd/yyyy 格式,竟然没有好的办...

            

              

                VB.net 捕获项目全局异常
              

              
在项目中添加如下代码:新建窗口来显示异常信息。 Namespace...

            

              

                实现用VB.Net/(C#)开发K/3 BOS 插件的真正可行方法
              

              
转了这一篇文章,原来一直想用C#做k3的插件开发,vb没有C#用...

            

              

                vb,wps,excel 分裂
              

              
Sub 分列()
    ‘以空格为分隔符,连续空格只算1个。对所选...

            

              

                VB文件 hash 查看器
              

              
  窗体代码  1 Private Sub Text1_OLEDragDrop(Data As Dat...