A Brief Analysis of the P-CODE of 休闲麻将 (Casual Mahjong)


Title: [Original] A Brief Analysis of the P-CODE of 休闲麻将 (Casual Mahjong)
Author: GoOdLeiSuRe
Date: 2007-03-31, 20:18:37
Link: http://bbs.pediy.com/showthread.php?t=41926

[Article author] GoOdLeiSuRe
[Analysis date] 30 March 2007
[Note] I am a complete beginner; corrections are welcome, thank you.

[Software name] 休闲麻将 3.4
[Software size] 4.43MB
[Download] http://zj1.51.net/mj.htm
[Restrictions] Shareware (limited to 30 uses and 7 rounds per use); registration fee 30 yuan, after which there are no usage restrictions.
[Registration type] machine code + user name -> registration code, with online verification
[Cracking process]
Main program: Mj.exe
PEiD check: ASPack 2.12 -> Alexey Solodovnikov
Unpacking: unpacked directly with AspackDie
PEiD re-check: Microsoft Visual Basic 5.0/6.0
Compilation mode: loaded in OllyDbg it looked like P-CODE; loading it in WKTVBDebugger confirmed that it is P-CODE
Code:
// After loading, it stops here
0049A850: 00 LargeBos
// Step through with F8 and have a look
0049A852: 00 LargeBos
0049A854: 4B OnErrorGotoNext
0049A857: 00 LargeBos
0049A859: 04 FLdRfVar 0070FB56h
0049A85C: 04 FLdRfVar 0070FB58h
0049A85F: 05 ImpAdLdRf
0049A862: 24 NewIfNullPr 0041CEA8
0049A865: 0D VCallHresult CVBApp::get_App
0049A86A: 08 FLdPr
0049A86D: 0D VCallHresult get__ipropPrevInstanceAPP
0049A872: 6B FLdI2
0049A875: 1A FFree1Ad
0049A878: 1C BranchF 0049A87F (Jump)
0049A87B: 00 LargeBos
0049A87D: FC Lead1/End
0049A87F: 00 LargeBos
// Reading the installation directory?
0049A881: 1B LitStr: 'SetupDir'
0049A884: 43 FStStrCopy
0049A887: 04 FLdRfVar 0070FB48h
// Registry key string; the user name and registration code may well be stored here too
0049A88A: 1B LitStr: 'SoftWare\NetMJ\Infomation'
0049A88D: 43 FStStrCopy
0049A890: 04 FLdRfVar 0070FB4Ch
0049A893: F5 LitI4: -> 80000002h -2147483646
0049A898: 59 PopTmpLdAdStr
// Reads the registry key "SoftWare\NetMJ\Infomation" and fetches the "SetupDir" value
0049A89B: 0B ImpAdCallI2 modPubTools!0044C5C4h
0049A8A0: 31 FStStr
...
// F5 to run
Click: Form Manager
In the window drop-down list the important form appears: frmUserReg
Click: Command
In the pop-up window select: cmdOK
Click: BPX to set a breakpoint
Return to the main program, enter some registration information, and as soon as "OK" is clicked it breaks:
0044485C: 04 FLdRfVar 0070F378h
0044485F: 21 FLdPrThis 004FC52Ch
00444860: 0F VCallAd frmUserReg.txtUsername
00444863: 19 FStAdFunc 0070F37C
00444866: 08 FLdPr
00444869: 0D VCallHresult get__ipropTEXTEDIT
0044486E: 6C ILdRf 00000000h
00444871: 0B ImpAdCallI2 rtcTrimBstr on address 660E6AC5h
// User name
00444876: FD Lead2/PopTmpLdAdStr
0044487A: 1B LitStr: 'Regname'
0044487D: 43 FStStrCopy
00444880: 04 FLdRfVar 0070F36Ch
00444883: 1B LitStr: 'SoftWare\NetMJ\Infomation'
00444886: 43 FStStrCopy
00444889: 04 FLdRfVar 0070F370h
0044488C: F5 LitI4: -> 80000002h -2147483646
00444891: 59 PopTmpLdAdStr
00444894: 0A ImpAdCallFPR4 modPubTools!0044507Ch
00444899: 32 FFreeStr
004448A4: 1A FFree1Ad
004448A7: 04 FLdRfVar 0070F378h
004448AA: 21 FLdPrThis 004FC52Ch
004448AB: 0F VCallAd frmUserReg.txtPassword
004448AE: 19 FStAdFunc
004448B1: 08 FLdPr
004448B4: 0D VCallHresult get__ipropTEXTEDIT
004448B9: 6C ILdRf 00000000h
004448BC: 0B ImpAdCallI2 rtcTrimBstr on address 660E6AC5h
// Registration code
004448C1: FD Lead2/PopTmpLdAdStr
004448C5: 1B LitStr: 'RegCode'
004448C8: 43 FStStrCopy
004448CB: 04 FLdRfVar 0070F36Ch
004448CE: 1B LitStr: 'SoftWare\NetMJ\Infomation'
004448D1: 43 FStStrCopy
004448D4: 04 FLdRfVar 0070F370h
004448D7: F5 LitI4: -> 80000002h -2147483646
004448DC: 59 PopTmpLdAdStr
004448DF: 0A ImpAdCallFPR4 modPubTools!0044507Ch
004448E4: 32 FFreeStr

Clearly the registration information is stored under the registry key SoftWare\NetMJ\Infomation:
Regname: user name
RegCode: registration code
F5: the main program asks to exit.
Reload, and use the information above ("ImpAdCallI2 modPubTools!0044C5C4h") to find where the registration information is read and used:
// The user name is used here: GoOdLeiSuRe
00449928: 23 FStStrNoPop -> 'GoOdLeiSuRe'
0044992B: 0B ImpAdCallI2 rtcLowerCaseBstr on address 660E6A2Dh
00449930: 31 FStStr -> 'goodleisure'
00449933: 32 FFreeStr
0044993C: 1B LitStr: 'regcode'
0044993F: 43 FStStrCopy
00449942: 04 FLdRfVar 0070F690h
00449945: 1B LitStr: 'SoftWare\NetMJ\Infomation'
00449948: 43 FStStrCopy
0044994B: 04 FLdRfVar 0070F694h
0044994E: F5 LitI4: -> 80000002h -2147483646
00449953: 59 PopTmpLdAdStr
00449956: 0B ImpAdCallI2 modPubTools!0044C5C4h
// The registration code is used here: 7878787878
0044995B: 31 FStStr -> '7878787878'
0044995E: 32 FFreeStr
00449965: 05 ImpAdLdRf
00449968: F4 LitI2_Byte: -> 1h 1
0044996A: FC Lead1/FnUBound
0044996C: F5 LitI4: -> 1h 1
00449971: AA AddI4
00449972: 71 FStR4
00449975: 6C ILdRf 004F08F8h
// Length of the user name
00449978: 4A FnLenStr 004F08F4h, 11 chars
00449979: F5 LitI4: -> 1h 1
0044997E: DB GtI4
0044997F: 6C ILdRf 004F0E44h
// Length of the registration code
00449982: 4A FnLenStr 004F0E40h, 10 chars
00449983: F5 LitI4: -> Ah 10
// Compare
00449988: C7 EqI4
00449989: C4 AndI4
0044998A: 1C BranchF 00449A03
0044998D: 6C ILdRf 004F0E44h
// Reverse the registration code: StrReverse()
00449990: 0B ImpAdCallI2 rtcStrReverse on address 660F7DF1h
00449995: 31 FStStr 004F1590h to 0070F7A4h -> '8787878787'
00449998: F5 LitI4: -> 0h 0
0044999D: 04 FLdRfVar 0070F69Ch
004499A0: 05 ImpAdLdRf
004499A3: F4 LitI2_Byte: -> 1h 1
004499A5: FC Lead1/FnUBound
004499A7: FE Lead3/ForI4:
004499AD: 6C ILdRf 00000003h
004499B0: 05 ImpAdLdRf
004499B3: 9E Ary1LdI4
// Length of the registration code
004499B4: 4A FnLenStr 004E5594h, 10 chars
004499B5: F5 LitI4: -> Ah 10
// Compare
004499BA: C7 EqI4
004499BB: 1C BranchF 004499FB
004499BE: 1B LitStr: 'zjm'
// Take its rightmost 7 characters
004499C1: F5 LitI4: -> 7h 7
004499C6: 6C ILdRf 00000000h
004499C9: 05 ImpAdLdRf
004499CC: 9E Ary1LdI4
004499CD: 0B ImpAdCallI2 rtcRightCharBstr on address 660E6362h
004499D2: 23 FStStrNoPop -> '8888889' -> '3925743'
004499D5: 2A ConcatStr
004499D6: 31 FStStr -> 'zjm8888889' -> 'zjm3925743'
004499D9: 2F FFree1Str 004F82B0h
004499DC: 6C ILdRf 004F1590h
004499DF: 04 FLdRfVar 0070F694h
004499E2: 04 FLdRfVar 0070F6A8h
004499E5: 04 FLdRfVar 0070F6A0h
// The key routine
004499E8: 10 ThisVCallHresult 0043EF68 -> 0043EF68
004499ED: 6C ILdRf 00000000h
// String comparison
004499F0: 30 EqStr
004499F2: 2F FFree1Str
004499F5: 1C BranchF 004499FB (Jump?)
004499F8: 1E Branch 00449A03
004499FB: 04 FLdRfVar 0070F69Ch
// Loop once more
004499FE: 66 NextI4: jump to 004499AD
00449A03: 6C ILdRf 00000000h
00449A06: 05 ImpAdLdRf
00449A09: F4 LitI2_Byte: -> 1h 1
00449A0B: FC Lead1/FnUBound
00449A0D: D6 LeI4
00449A0E: 1C BranchF 00449A50
00449A11: F4 LitI2_Byte: -> 0h 0
00449A13: 21 FLdPrThis 004E5EF8h
00449A14: 0F VCallAd frmGameMain.mnuReg
00449A17: 19 FStAdFunc
00449A1A: 08 FLdPr
00449A1D: 0D VCallHresult put__ipropVISIBLEMENU

The key routine:
0043EE68: FF Lead4/ZeroRetVal
0043EE6A: 80 ILdI4
// Length of the user name
0043EE6D: 4A FnLenStr
0043EE6E: F5 LitI4: -> 7h 7
0043EE73: DB GtI4
// 10 > 7?
0043EE74: 1C BranchF 0043EE8A
0043EE77: F5 LitI4: -> 7h 7
0043EE7C: 80 ILdI4
// Take the rightmost 7 characters of: goodleisure
0043EE7F: 0B ImpAdCallI2 rtcRightCharBstr on address 660E6362h
0043EE84: 31 FStStr -> 'leisure'
0043EE87: 1E Branch 0043EE90
0043EE8A: 80 ILdI4
0043EE8D: 43 FStStrCopy
0043EE90: F5 LitI4: -> 1h 1
0043EE95: 6C ILdRf 00000000h
// Take the leftmost 1 character of: leisure
0043EE98: 0B ImpAdCallI2 rtcLeftCharBstr on address 660E625Eh
0043EE9D: 31 FStStr -> 'l'
0043EEA0: F5 LitI4: -> 0h 0
0043EEA5: F5 LitI4: -> FFFFFFFFh -1
0043EEAA: F5 LitI4: -> 1h 1
0043EEAF: F5 LitI4: -> 0h 0
0043EEB4: 6C ILdRf 004E2EBCh
0043EEB7: 6C ILdRf 004F0E44h
// Remove the character "l" from: leisure
0043EEBA: 0B ImpAdCallI2 rtcReplace on address 660F7E44h
0043EEBF: 31 FStStr 004F2CA4h to 0070F6C4h -> eisure
0043EEC2: 6C ILdRf 004E2EBCh
0043EEC5: F5 LitI4: -> 0h 0
// Compare the strings: is the result empty?
// Earlier versions had a flaw with names made of one repeated character.
0043EECA: 30 EqStr
0043EECC: 1C BranchF 0043EED5
0043EECF: FF Lead4/ExitProcCbHresult
0043EED5: 80 ILdI4
// zjm8888889
0043EED8: 6C ILdRf 004F0E44h
0043EEDB: 2A ConcatStr
0043EEDC: 31 FStStr 004E5EB4h to 0070F6C4h -> zjm8888889leisure
0043EEDF: F5 LitI4: -> 0h 0
0043EEE4: 43 FStStrCopy
0043EEE7: F5 LitI4: -> 1h 1
0043EEEC: 04 FLdRfVar 0070F5C8h
0043EEEF: 6C ILdRf 004F2CA4h
0043EEF2: 4A FnLenStr -> 17 chars
// FOR loop over the length of the string
0043EEF3: FE Lead3/ForI4:
0043EEF9: 6C ILdRf 00000000h
0043EEFC: 28 LitVarI2 1h, 1
0043EF01: 6C ILdRf 00000001h
// zjm8888889leisure
0043EF04: 6C ILdRf 004E5EB4h
0043EF07: 0B ImpAdCallI2 rtcMidCharBstr on address 660E64A6h
0043EF0C: 23 FStStrNoPop -> one character at a time (z, j, m, ...)
// ASC() code of each character
0043EF0F: 0B ImpAdCallI2 rtcAnsiValueBstr on address 660E657Bh
0043EF14: E7 CI4UI1
// Add the quotient obtained in the previous iteration
0043EF15: AA AddI4
// ABS()
0043EF16: BC FnAbsI4
// Str()
0043EF17: 71 FStR4
0043EF1A: 2F FFree1Str
0043EF1D: 35 FFree1Var
0043EF20: 6C ILdRf 00000000h
// The value computed above
0043EF23: 6C ILdRf 0000007Ah
0043EF26: F5 LitI4: -> Ah 10
// Remainder modulo 10
0043EF2B: C2 ModI4
// Str()
0043EF2C: FE CStrI4
0043EF2E: 23 FStStrNoPop -> remainder string
0043EF31: 2A ConcatStr
0043EF32: 31 FStStr
0043EF35: 2F FFree1Str
0043EF38: 6C ILdRf 0000007Ah
0043EF3B: F5 LitI4: -> Ah 10
// Quotient of the division by 10
0043EF40: C0 IDvI4
// Str()
0043EF41: 71 FStR4
0043EF44: 04 FLdRfVar 0070F5C8h
// Next iteration
0043EF47: 66 NextI4: jump to 0043EEF9
0043EF4C: F5 LitI4: -> Ah 10
0043EF51: 6C ILdRf 004F2CFCh
// Take the rightmost 10 characters: 2234266963 -> reversed, this is exactly the required registration code
0043EF54: 0B ImpAdCallI2 rtcRightCharBstr on address 660E6362h
0043EF59: 31 FStStr
0043EF5C: 6C ILdRf 004F2CFCh

[Algorithm analysis]
1. The user name must be longer than 2 characters and is converted to lower case;
2. The registration code is 10 characters long;
3. Build the string zjm + rightmost 7 characters of the machine code + rightmost 7 characters of the user name;
4. Take the characters one by one: take the ASCII code, divide by 10, convert the remainder to a character, and add the quotient to the ASCII code of the next character;
5. The reversed remainder string is the registration code.
[Online verification]
When connected to the network, the software performs a verification (captured with Iris):
HTTP://zj1.51.net/cgi%2Dbin/mjlink.cgi?work=update&rgn=<user name>&hID=XXXXXXX&mID=<rightmost 7 characters of the machine code>&mID0=YYYYYYY&mID1=&ver=312
If it returns ckerror, the registration code in the registry is cleared; if it returns ckok, the verification passed.
If the user name or other information is missing, some upgrade information is returned instead.
The detailed analysis of that code is omitted here.
(For reference) To avoid the online verification, one usually edits the hosts file (in windows\system32\drivers\etc) and adds:

127.0.0.1 zj1.51.net


C++ pseudo-code

#include <cstdio>
#include <cstdlib>

/*
 * zjm      prefix
 * 7124277  rightmost 7 characters of the machine code
 * abc      user name (lower-cased, rightmost 7 characters)
 */
char a[100] = "zjm7124277abc";
char b[100] = {0};

int main()
{
    int i = 0, j = 0, k = 0;
    int carry = 0;   /* quotient carried over from the previous character */

    /* For each character: v = ASC(c) + previous quotient;
     * keep v mod 10 as a digit and carry v / 10 to the next character.
     * The sum is kept in an int so that a high ASCII value plus the carry
     * cannot overflow a signed char. */
    while (a[i] != 0)
    {
        int v = (unsigned char)a[i] + carry;
        b[i] = (v % 10) + '0';
        carry = v / 10;
        if (a[i + 1] == 0) {
            break;
        }
        i++;
    }

    /* The registration code is the last 10 remainder digits, read backwards
     * (the rightmost 10 characters of the remainder string, reversed). */
    for (j = i; j >= 0; j--) {
        if (k < 10) {
            printf("%c", b[j]);
            k++;
        } else {
            break;
        }
    }
    printf("\n");
    system("pause");
    return 0;
}
Original address: http://outofmemory.cn/langs/1272340.html
