休闲麻将 P-CODE 浅析

VB 前端之家
前端之家收集整理的这篇文章主要介绍了休闲麻将 P-CODE 浅析前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
标 题: 【原创】休闲麻将 P-CODE 浅析
作 者:GoOdLeiSuRe
时 间:2007-03-31,20:18:37
链 接:http://bbs.pediy.com/showthread.PHP?t=41926
文章作者】GoOdLeiSuRe
【分析时间】2007年3月30日
【分析说明】本人很菜,完全入门水准,恳请指正,谢谢。

【软件名称】休闲麻将3.4
【软件大小】4.43MB
【下载地址】 http://zj1.51.net/mj.htm
【软件限制】这是一个共享软件(有30次使用及每次7局限制),注册费:30元,注册后将无任何使用限制。
注册类型】机器码+用户名->注册码,网络验证
【破解过程】
主程序:Mj.exe
PEiD检查:ASPack2.12->AlexeySolodovnikov
脱壳:用AspackDie直接脱
PEiD再检查:MicrosoftVisualBasic5.0/6.0
编译方式:用OllyDBG加载,感觉是P-CODE,用WKTVBDebugger加载,果然是P-CODE
代码: 
//加载后停于此
0049A850:00LargeBos
//一路F8瞧瞧
0049A852:00LargeBos
0049A854:4BOnErrorGotoNext
0049A857:00LargeBos
0049A859:04FLdRfVar0070FB56h
0049A85C:04FLdRfVar0070FB58h
0049A85F:05ImpAdLdRf
0049A862:24NewIfNullPr0041CEA8
0049A865:0DVCallHresultCVBApp::get_App
0049A86A:08FLdPr
0049A86D:0DVCallHresultget__ipropPrevInstanceAPP
0049A872:6BFLdI2
0049A875:1AFFree1Ad
0049A878:1CBranchF0049A87F(Jump)
0049A87B:00LargeBos
0049A87D:FCLead1/End
0049A87F:00LargeBos
//读取安装目录吧?
0049A881:1BLitStr:'SetupDir'
0049A884:43FStStrCopy
0049A87B:00LargeBos
0049A87D:FCLead1/End
0049A87F:00LargeBos
0049A881:1BLitStr:'SetupDir'
0049A884:43FStStrCopy
0049A887:04FLdRfVar0070FB48h
//注册表字符串,说不定用户名注册码也会储存在这儿
0049A88A:1BLitStr:'SoftWare\NetMJ\Infomation'
0049A88D:43FStStrCopy
0049A890:04FLdRfVar0070FB4Ch
0049A893:F5LitI4:->80000002h-2147483646
0049A898:59PopTmpLdAdStr
//读取注册表“SoftWare\NetMJ\Infomation”,获取“SetupDir”值
0049A89B:0BImpAdCallI2modPubTools!0044C5C4h
0049A8A0:31FStStr
……
//F5运行
点击:FormManager
在窗口下拉列表中看到了重要窗口:frmUserReg
点击:Command
在弹出窗口选择:cmdOK
点击:BPX,进行中断
接着返回主程序,输入一些注册信息,一但“确定”就会中断:
0044485C:04FLdRfVar0070F378h 0044485F:21FLdPrThis004FC52Ch 00444860:0FVCallAdfrmUserReg.txtUserName 00444863:19FStAdFunc0070F37C 00444866:08FLdPr 00444869:0DVCallHresultget__ipropTEXTEDIT 0044486E:6CILdRf00000000h 00444871:0BImpAdCallI2rtcTrimBstronaddress660E6AC5h //用户名 00444876:FDLead2/PopTmpLdAdStr 0044487A:1BLitStr:'RegName' 0044487D:43FStStrCopy 00444880:04FLdRfVar0070F36Ch 00444883:1BLitStr:'SoftWare\NetMJ\Infomation' 00444886:43FStStrCopy 00444889:04FLdRfVar0070F370h 0044488C:F5LitI4:->80000002h-2147483646 00444891:59PopTmpLdAdStr 00444894:0AImpAdCallFPR4modPubTools!0044507Ch 00444899:32FFreeStr 004448A4:1AFFree1Ad 004448A7:04FLdRfVar0070F378h 004448AA:21FLdPrThis004FC52Ch 004448AB:0FVCallAdfrmUserReg.txtPassword 004448AE:19FStAdFunc 004448B1:08FLdPr 004448B4:0DVCallHresultget__ipropTEXTEDIT 004448B9:6CILdRf00000000h 004448BC:0BImpAdCallI2rtcTrimBstronaddress660E6AC5h //注册码 004448C1:FDLead2/PopTmpLdAdStr 004448C5:1BLitStr:'RegCode' 004448C8:43FStStrCopy 004448CB:04FLdRfVar0070F36Ch 004448CE:1BLitStr:'SoftWare\NetMJ\Infomation' 004448D1:43FStStrCopy 004448D4:04FLdRfVar0070F370h 004448D7:F5LitI4:->80000002h-2147483646 004448DC:59PopTmpLdAdStr 004448DF:0AImpAdCallFPR4modPubTools!0044507Ch 004448E4:32FFreeStr
很明显,注册信息存储于注册表项:SoftWare\NetMJ\Infomation
RegName用户名
RegCode注册
F5,主程序要求退出
重新加载,并由以上信息“ImpAdCallI2modPubTools!0044C5C4h”找出调用注册信息的位置
//用户名在此使用:GoOdLeiSuRe 00449928:23FStStrNoPop->'GoOdLeiSuRe' 0044992B:0BImpAdCallI2rtcLowerCaseBstronaddress660E6A2Dh 00449930:31FStStr->'goodleisure' 00449933:32FFreeStr 0044993C:1BLitStr:'regcode' 0044993F:43FStStrCopy 00449942:04FLdRfVar0070F690h 00449945:1BLitStr:'SoftWare\NetMJ\Infomation' 00449948:43FStStrCopy 0044994B:04FLdRfVar0070F694h 0044994E:F5LitI4:->80000002h-2147483646 00449953:59PopTmpLdAdStr 00449956:0BImpAdCallI2modPubTools!0044C5C4h //注册码在此使用:7878787878 0044995B:31FStStr->'7878787878' 0044995E:32FFreeStr 00449965:05ImpAdLdRf 00449968:F4LitI2_Byte:->1h1 0044996A:FCLead1/FnUBound 0044996C:F5LitI4:->1h1 00449971:AAAddI4 00449972:71FStR4 00449975:6CILdRf004F08F8h //用户名长度 00449978:4AFnLenStr004F08F4h,11chars 00449979:F5LitI4:->1h1 0044997E:DBGtI4 0044997F:6CILdRf004F0E44h //注册码长度 00449982:4AFnLenStr004F0E40h,10chars 00449983:F5LitI4:->Ah10 //比较 00449988:C7EqI4 00449989:C4AndI4 0044998A:1CBranchF00449A03 0044998D:6CILdRf004F0E44h //反置注册码StrReverse() 00449990:0BImpAdCallI2rtcStrReverSEOnaddress660F7DF1h 00449995:31FStStr004F1590hto0070F7A4h->'8787878787' 00449998:F5LitI4:->0h0 0044999D:04FLdRfVar0070F69Ch 004499A0:05ImpAdLdRf 004499A3:F4LitI2_Byte:->1h1 004499A5:FCLead1/FnUBound 004499A7:FELead3/ForI4: 004499AD:6CILdRf00000003h 004499B0:05ImpAdLdRf 004499B3:9EAry1LdI4 //注册码长度 004499B4:4AFnLenStr004E5594h,10chars 004499B5:F5LitI4:->Ah10 //比较 004499BA:C7EqI4 004499BB:1CBranchF004499FB 004499BE:1BLitStr:'听' //取其7位长度 004499C1:F5LitI4:->7h7 004499C6:6CILdRf00000000h 004499C9:05ImpAdLdRf 004499CC:9EAry1LdI4 004499CD:0BImpAdCallI2rtcRightCharBstronaddress660E6362h 004499D2:23FStStrNoPop ->'8888889' ->'3925743' 004499D5:2AConcatStr 004499D6:31FStStr ->'zjm8888889' ->'zjm3925743' 004499D9:2FFFree1Str004F82B0h 004499DC:6CILdRf004F1590h 004499DF:04FLdRfVar0070F694h 004499E2:04FLdRfVar0070F6A8h 004499E5:04FLdRfVar0070F6A0h //关键处 004499E8:10ThisVCallHresult0043EF68->0043EF68 004499ED:6CILdRf00000000h //字符串比较 004499F0:30EqStr 004499F2:2FFFree1Str 004499F5:1CBranchF004499FB(Jump? 004499F8:1EBranch00449A03 004499FB:04FLdRfVar0070F69Ch //循环一次 004499FE:66NextI4:jumpto004499AD 00449A03:6CILdRf00000000h 00449A06:05ImpAdLdRf 00449A09:F4LitI2_Byte:->1h1 00449A0B:FCLead1/FnUBound 00449A0D:D6LeI4 00449A0E:1CBranchF00449A50 00449A11:F4LitI2_Byte:->0h0 00449A13:21FLdPrThis004E5EF8h 00449A14:0FVCallAdfrmGameMain.mnuReg 00449A17:19FStAdFunc 00449A1A:08FLdPr 00449A1D:0DVCallHresultput__ipropVISIBLEMENU
关键处
0043EE68:FFLead4/ZeroRetVal 0043EE6A:80ILdI4 //用户名长度 0043EE6D:4AFnLenStr 0043EE6E:F5LitI4:->7h7 0043EE73:DBGtI4 //10>7? 0043EE74:1CBranchF0043EE8A 0043EE77:F5LitI4:->7h7 0043EE7C:80ILdI4 //取右边7位:goodleisure 0043EE7F:0BImpAdCallI2rtcRightCharBstronaddress660E6362h 0043EE84:31FStStr->'leisure' 0043EE87:1EBranch0043EE9 0043EE8A:80ILdI4 0043EE8D:43FStStrCopy 0043EE90:F5LitI4:->1h1 0043EE95:6CILdRf00000000h //取左边1位:leisure 0043EE98:0BImpAdCallI2rtcLeftCharBstronaddress660E625Eh 0043EE9D:31FStStr->'l' 0043EEA0:F5LitI4:->0h0 0043EEA5:F5LitI4:->FFFFFFFFh-1 0043EEAA:F5LitI4:->1h1 0043EEAF:F5LitI4:->0h0 0043EEB4:6CILdRf004E2EBCh 0043EEB7:6CILdRf004F0E44h //去除字符“l”:leisure 0043EEBA:0BImpAdCallI2rtcReplaceonaddress660F7E44h 0043EEBF:31FStStr004F2CA4hto0070F6C4h->eisure 0043EEC2:6CILdRf004E2EBCh 0043EEC5:F5LitI4:->0h0 //比较字符串,是否为空? //以前版本存在同字符漏洞。 0043EECA:30EqStr 0043EECC:1CBranchF0043EED5 0043EECF:FFLead4/ExitProcCbHresult 0043EED5:80ILdI4 //zjm8888889 0043EED8:6CILdRf004F0E44h 0043EEDB:2AConcatStr 0043EEDC:31FStStr004E5EB4hto0070F6C4h->zjm8888889leisure 0043EEDF:F5LitI4:->0h0 0043EEE4:43FStStrCopy 0043EEE7:F5LitI4:->1h1 0043EEEC:04FLdRfVar0070F5C8h 0043EEEF:6CILdRf004F2CA4h 0043EEF2:4AFnLenStr->17char //FOR循环,字符串长 0043EEF3:FELead3/ForI4: 0043EEF9:6CILdRf00000000h 0043EEFC:28LitVarI21h,1 0043EF01:6CILdRf00000001h //zjm8888889leisure 0043EF04:6CILdRf004E5EB4h 0043EF07:0BImpAdCallI2rtcMidCharBstronaddress660E64A6h 0043EF0C:23FStStrNoPop->逐个字符(z,j,m,...) //各字符ASC()码 0043EF0F:0BImpAdCallI2rtcAnsiValueBstronaddress660E657Bh 0043EF14:E7CI4UI1 //与上一循环而得的商值相加 0043EF15:AAAddI4 //ABS() 0043EF16:BCFnAbsI4 //STR() 0043EF17:71FStR4 0043EF1A:2FFFree1Str 0043EF1D:35FFree1Var 0043EF20:6CILdRf00000000h //上述求得的值 0043EF23:6CILdRf0000007Ah 0043EF26:F5LitI4:->Ah10 //与10求余 0043EF2B:C2ModI4 //STR() 0043EF2C:FECStrI4 0043EF2E:23FStStrNoPop->余值字符串 0043EF31:2AConcatStr 0043EF32:31FStStr 0043EF35:2FFFree1Str 0043EF38:6CILdRf0000007Ah 0043EF3B:F5LitI4:->Ah10 //与10相除的商 0043EF40:C0IDvI4 //STR() 0043EF41:71FStR4 0043EF44:04FLdRfVar0070F5C8h //Next循环 0043EF47:66NextI4:jumpto0043EEF9 0043EF4C:F5LitI4:->Ah10 0043EF51:6CILdRf004F2CFCh //取右边10位长:2234266963->实际上反置过来就是需要的注册码了 0043EF54:0BImpAdCallI2rtcRightCharBstronaddress660E6362h 0043EF59:31FStStr 0043EF5C:6CILdRf004F2CFCh
【算法分析】
1,用户名长度要大于2位,转化为小写;
2,注册码长度为10位;
3,zjm+机器码右7位+用户名右7位
4,逐个取字符,求ASCII码,与10除,余数转化为字符,商值与下一字符的ASCII码相加
5,余数字符串反置即为注册
【网络验证】
软件在连网的状态下,会进行验证(用Iris捕获):
HTTP://zj1.51.net/cgi%2Dbin/mjlink.cgi?work=update&rgn=用户名&hid=XXXXXXX&mid=机器码右7位&mid0=YYYYYYY&mid1=&ver=312
返回ckerror则清除注册表内的注册码,返回ckok则验证正确
缺少用户名等信息不全,会返回一些升级信息
具体分析代码就省略了。
(参考)避开网络通验证,通常可修改hosts文件(位于WINDOWS\system32\drivers\etc),添加:

127.0.0.1zj1.51.net


C++伪代码

#include <iostream>
 

using namespace std;
 

 

 

 

/*
 

 * zjm 前缀
 

 * 7124277 机器码右7位
 

 * abc 用户名
 

 */
 

char a[100] = "zjm7124277abc";
 

char b[100] = {0};
 

int main()
 

{
 

    int i = 0, j = 0,k = 0;
 

 

    while(a[i]!=0)
 

    {
 

        b[i] = (a[i] % 10) + '0';
 

        if(a[i+1] == 0) {
 

            break;
 

        }
 

        a[i+1] += a[i]/10;
 

        i++;
 

    }
 

    for(j = i ; j >= 0 ;j--){
 

        if(k<10){
 

            printf("%c",b[j]);
 

            k++;
 

        } else {
 

            break;
 

        }
 

 

    }
 

    printf("\n");
 

    system("pause");
 

    return 0;
 

}
 原文链接:https://www.f2er.com/vb/257770.html

      

      
                 
              

            

          

          
          
          

            

              




            

          


          

            

              

                  
    
猜你在找的VB相关文章



                                    
VB Format函数

                                
Format[$] ( expr [ , fmt ] ) format 返回变体型 format$ 强制返回为文本 --------------...

                                
                                
                            



                                    
vb6/ASP FORMAT MM/DD/YYYY

                                
VB6或者ASP 格式化时间为 MM/dd/yyyy 格式,竟然没有好的办法, Format 或者FormatDateTi...

                                
                                
                            



                                    
VB.net 捕获项目全局异常

                                
在项目中添加如下代码:新建窗口来显示异常信息。 Namespace My
    ‘全局错误处理,新的...

                                
                                
                            



                                    
实现用VB.Net/(C#)开发K/3 BOS 插件的真正可行方法

                                
转了这一篇文章,原来一直想用C#做k3的插件开发,vb没有C#用的爽呀,这篇文章写与2011年,...

                                
                                
                            



                                    
vb,wps,excel 分裂

                                
Sub 分列()
    ‘以空格为分隔符,连续空格只算1个。对所选中的单元格进行处理
    Dim m...

                                
                                
                            







                                    
VB.NET MYSQL DataGridView 增删改查(INSERT,SELECT,UPDATE,DELETE)

                                
  Imports MySql.Data.MySqlClient


Public Class Form1


    ‘ GLOBAL DECLARATIONS
...

                                
                                
                            



                                    
VB.NET 使用ADODB連接資料庫滙出到EXCEL

                                
‘導入命名空間 Imports ADODB Imports Microsoft.Office.Interop   Private Sub A1() Di...

                                
                                
                            



                                    
vb.net 多线程運用 ping

                                
Imports System.IO Imports System.Threading Imports System.Diagnostics Public Class F...

                                
                                
                            



                                    
VB等待进程结束

                                
VB运行EXE程序,并等待其运行结束 参考:https://blog.csdn.net/useway/article/details/5...

                                
                                
                            



                                    
vb中去掉string数组的一部分

                                
今天碰到一个问题,登陆的时候,如果不需要验证手机号为空,则不去验证手机号 因为登陆的时...

                                
                                
                            







            

          

        
        
        
        
        

          
          

            

              

                
                
PHPJavaJava SEPythonC#C&C++RubyVBasp.NetGoPerlnettyDjangoDelphiJsp.NET CoreSpringFlaskSpringbootSpringMVCLuaLaravelMybatisAspGroovyThinkPHPYiiswoole

                

              

            

          

          
         
          

            

              
 



              

            

          

          
          
          
          

            

              

                
                
              

            

          

          


          
          

            

              

                
                
文件时间pythonm相等性PHP Warning时间问题问题解决pcntl_signal采样点wav模块动态文本调用频率限制对外暴露多个访问请求更新数据表模型结构type()方法比较速度手写体sobel算子保存模型Image类nn.Conv2dpytorch1.0kaggleDCGAN交并比range()用法打印模型反卷积卷积