kengenme2
Published: 2019-06-14


This program uses SendDlgItemMessageA to restrict what can be typed into its text boxes: each call sends message 0xC5 (EM_LIMITTEXT) with wParam = 1, which caps the edit control at a single character. All we need is to patch the push that supplies the message; pushing 0 (WM_NULL) instead turns the call into a no-op. In the listing below the second call already carries the value 0:

0040130D  /$  50            push eax
0040130E  |.  33C0          xor eax,eax
00401310  |.  A1 14324000   mov eax,dword ptr ds:[0x403214]
00401315      6A 00         push 0x0                                 ; /lParam = 0
00401317      6A 01         push 0x1                                 ; |wParam = 1 (character limit)
00401319      68 C5000000   push 0xC5                                ; |Message = 0xC5 (EM_LIMITTEXT)
0040131E      68 E9000000   push 0xE9                                ; |ControlID = E9 (233.)
00401323      50            push eax                                 ; |hWnd => 02800232 ('KeygenMe #1 by Kostya',class='#32770')
00401324  |.  E8 A1000000   call                                     ; \SendDlgItemMessageA
00401329  |.  33C0          xor eax,eax
0040132B  |.  A1 14324000   mov eax,dword ptr ds:[0x403214]
00401330  |.  6A 00         push 0x0                                 ; /lParam = 0
00401332      6A 01         push 0x1                                 ; |wParam = 1
00401334      68 00000000   push 0x0                                 ; |Message = 0 (WM_NULL)
00401339  |.  68 EA030000   push 0x3EA                               ; |ControlID = 3EA (1002.)
0040133E  |.  50            push eax                                 ; |hWnd => 02800232 ('KeygenMe #1 by Kostya',class='#32770')
0040133F  |.  E8 86000000   call                                     ; \SendDlgItemMessageA
00401344  |.  58            pop eax
00401345  \.  C3            retn
Removing the limit from the program itself:
BOOL CKeygenDlg::EditCm(CString strPathName)
{
	CFile pFile;
	if (!pFile.Open(strPathName, CFile::modeWrite | CFile::typeBinary | CFile::shareDenyNone, NULL))
	{
		return FALSE;
	}
	BYTE Cnt1 = 0x50;
	BYTE Cnt2 = 0x01;
	BYTE My1  = 0x00;
	// Earlier attempt: raise the EM_LIMITTEXT wParam from 1 to 0x50 characters instead.
	// pFile.Seek(0x718, CFile::begin);
	// pFile.Write(&Cnt1, 0x1);
	// pFile.Seek(0x733, CFile::begin);
	// pFile.Write(&Cnt1, 0x1);
	// pFile.Seek(0x549, CFile::begin);
	// pFile.Write(&Cnt2, 0x1);
	// Turn both message pushes into PUSH 0 (WM_NULL) so the two calls do nothing.
	// These are file offsets for this particular build. Under the mapping that puts
	// 0x401335 (the second call's message byte) at 0x735 and 0x401318 at 0x718, the
	// first call's message byte at 0x40131A would be 0x71A rather than 0x720, and the
	// listing above still shows 0xC5 there; check the offsets against the section
	// table of your own copy before writing.
	pFile.Seek(0x720, CFile::begin);
	pFile.Write(&My1, 0x1);
	pFile.Seek(0x735, CFile::begin);
	pFile.Write(&My1, 0x1);
	pFile.Close();
	return TRUE;
}
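Instead of hard-coding 0x720 and 0x735, the file offset of a byte seen at a virtual address in the debugger can be computed from the PE section table, and the patch can refuse to write when the byte on disk is not the one expected. The following is an added example, not code from the original post: a minimal PE32 RVA-to-file-offset mapper in standard C++ (no Win32 headers), exercised against a constructed header-only image (not the KeygenMe binary) whose .text section sits at RVA 0x1000 / raw offset 0x400. Under that layout 0x401335 maps to 0x735, the same offset the keygen above uses for the second push.

```cpp
// Added example (not from the original post): translate a virtual address seen in
// the debugger into the file offset CFile::Seek needs, via the PE32 section table,
// and patch only if the byte there is the one expected. Standard C++, no Win32.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <vector>

static uint16_t rd16(const std::vector<uint8_t>& b, size_t off) {
    if (off + 2 > b.size()) throw std::out_of_range("rd16 past end of image");
    return uint16_t(b[off] | (b[off + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, size_t off) {
    if (off + 4 > b.size()) throw std::out_of_range("rd32 past end of image");
    return uint32_t(b[off]) | (uint32_t(b[off + 1]) << 8) |
           (uint32_t(b[off + 2]) << 16) | (uint32_t(b[off + 3]) << 24);
}

// File offset backing `va` in a PE32 image, or -1 when no section's raw data covers it.
long vaToFileOffset(const std::vector<uint8_t>& img, uint32_t va) {
    if (rd16(img, 0) != 0x5A4D) return -1;                   // "MZ"
    uint32_t pe = rd32(img, 0x3C);                           // e_lfanew
    if (rd32(img, pe) != 0x00004550) return -1;              // "PE\0\0"
    uint16_t nSections = rd16(img, pe + 4 + 2);              // IMAGE_FILE_HEADER.NumberOfSections
    uint16_t optSize   = rd16(img, pe + 4 + 16);             // IMAGE_FILE_HEADER.SizeOfOptionalHeader
    if (rd16(img, pe + 24) != 0x10B) return -1;              // PE32 only (PE32+ has a 64-bit ImageBase)
    uint32_t imageBase = rd32(img, pe + 24 + 28);            // IMAGE_OPTIONAL_HEADER32.ImageBase
    if (va < imageBase) return -1;
    uint32_t rva = va - imageBase;
    size_t sect = pe + 24 + optSize;                         // first IMAGE_SECTION_HEADER
    for (uint16_t i = 0; i < nSections; ++i, sect += 40) {
        uint32_t vsize = rd32(img, sect + 8);
        uint32_t vaddr = rd32(img, sect + 12);
        uint32_t rsize = rd32(img, sect + 16);
        uint32_t rptr  = rd32(img, sect + 20);
        uint32_t span  = vsize > rsize ? vsize : rsize;
        if (rva >= vaddr && rva < vaddr + span) {
            uint32_t delta = rva - vaddr;
            if (delta >= rsize) return -1;                   // virtual-only tail, nothing on disk
            return long(rptr + delta);
        }
    }
    return -1;
}

// Patch one byte at a VA, refusing when the byte on disk is not `expect`
// (guards against applying offsets from one build to a different one).
bool patchByteAtVa(std::vector<uint8_t>& img, uint32_t va, uint8_t expect, uint8_t value) {
    long off = vaToFileOffset(img, va);
    if (off < 0 || size_t(off) >= img.size() || img[size_t(off)] != expect) return false;
    img[size_t(off)] = value;
    return true;
}

// Constructed sample input: a header-only PE32 with one .text section at RVA 0x1000 /
// raw offset 0x400 (the usual layout for small MASM builds). Not the KeygenMe binary;
// it only carries the bytes of the second message push from the listing, 68 C5 00 00 00.
std::vector<uint8_t> buildSampleImage() {
    std::vector<uint8_t> img(0x800, 0);
    auto w16 = [&](size_t o, uint16_t v) { img[o] = uint8_t(v); img[o + 1] = uint8_t(v >> 8); };
    auto w32 = [&](size_t o, uint32_t v) { for (int i = 0; i < 4; ++i) img[o + i] = uint8_t(v >> (8 * i)); };
    w16(0x00, 0x5A4D);               // "MZ"
    w32(0x3C, 0x80);                 // e_lfanew
    w32(0x80, 0x00004550);           // "PE\0\0"
    w16(0x80 + 4 + 2, 1);            // NumberOfSections
    w16(0x80 + 4 + 16, 0xE0);        // SizeOfOptionalHeader for PE32
    w16(0x80 + 24, 0x10B);           // Magic = PE32
    w32(0x80 + 24 + 28, 0x00400000); // ImageBase
    size_t s = 0x80 + 24 + 0xE0;     // first section header
    std::memcpy(&img[s], ".text\0\0\0", 8);
    w32(s + 8,  0x400);              // VirtualSize
    w32(s + 12, 0x1000);             // VirtualAddress
    w32(s + 16, 0x400);              // SizeOfRawData
    w32(s + 20, 0x400);              // PointerToRawData
    const uint8_t push[] = {0x68, 0xC5, 0x00, 0x00, 0x00};  // push 0xC5 at VA 0x401334
    std::memcpy(&img[0x400 + 0x334], push, sizeof push);
    return img;
}

int main() {
    std::vector<uint8_t> img = buildSampleImage();
    std::printf("VA 0x401335 -> file offset 0x%lX\n", vaToFileOffset(img, 0x401335));   // 0x735
    std::printf("patch EM_LIMITTEXT -> WM_NULL: %s\n",
                patchByteAtVa(img, 0x401335, 0xC5, 0x00) ? "ok" : "byte mismatch");
    return 0;
}
```

In the MFC keygen the same idea means reading the target into memory, calling vaToFileOffset for each push immediate, and only then doing the CFile::Seek/Write; the expect-before-write check is what stops a wrong offset from silently corrupting an unrelated instruction.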
The first transformation site (hashing the name, using the length of the edit control's text as the byte count):

004010FF  |.  53            push ebx
00401100  |.  FF35 0C324000 push dword ptr ds:[0x40320C]             ; /hWnd = 01F80286 (class='Edit',parent=02800232)
00401106  |.  E8 B3020000   call                                     ; \GetWindowTextLengthA
0040110B  |.  33C9          xor ecx,ecx
0040110D  |.  8BD8          mov ebx,eax
0040110F  |.  B8 0C304000   mov eax,KeygenMe.0040300C                ; ASCII "administrator"
00401114  |.  E8 B8010000   call KeygenMe.004012D1
{
004012D1  /$  8A10          mov dl,byte ptr ds:[eax]
004012D3  |.  6BC9 48       imul ecx,ecx,0x48
004012D6  |.  2BCA          sub ecx,edx
004012D8  |.  83E9 6F       sub ecx,0x6F
004012DB  |.  8BD1          mov edx,ecx
004012DD  |.  81F1 AFAC0B00 xor ecx,0xBACAF
004012E3  |.  40            inc eax
004012E4  |.  4B            dec ebx
004012E5  |.  83FB 00       cmp ebx,0x0
004012E8  |.^ 75 E7         jnz XKeygenMe.004012D1
004012EA  \.  C3            retn
}
Next, the account name is fetched again with GetUserNameA into the same buffer and hashed the same way:

00401169  |.  33C0          xor eax,eax
0040116B  |.  68 00304000   push KeygenMe.00403000                   ; /pBufCount = KeygenMe.00403000
00401170  |.  68 0C304000   push KeygenMe.0040300C                   ; |Buffer = KeygenMe.0040300C
00401175  |.  E8 62020000   call                                     ; \GetUserNameA
0040117A  |.  33D2          xor edx,edx
0040117C  |.  33C9          xor ecx,ecx
0040117E  |.^ E9 7BFFFFFF   jmp KeygenMe.004010FE
004010FF  |.  53            push ebx
00401100  |.  FF35 0C324000 push dword ptr ds:[0x40320C]             ; /hWnd = 01F80286 (class='Edit',parent=02800232)
00401106  |.  E8 B3020000   call                                     ; \GetWindowTextLengthA
0040110B  |.  33C9          xor ecx,ecx
0040110D  |.  8BD8          mov ebx,eax
0040110F  |.  B8 0C304000   mov eax,KeygenMe.0040300C                ; ASCII "Administrator"
00401114  |.  E8 B8010000   call KeygenMe.004012D1
00401119  |.  EB 40         jmp XKeygenMe.0040115B
{
004012D1  /$  8A10          mov dl,byte ptr ds:[eax]
004012D3  |.  6BC9 48       imul ecx,ecx,0x48
004012D6  |.  2BCA          sub ecx,edx
004012D8  |.  83E9 6F       sub ecx,0x6F
004012DB  |.  8BD1          mov edx,ecx
004012DD  |.  81F1 AFAC0B00 xor ecx,0xBACAF
004012E3  |.  40            inc eax
004012E4  |.  4B            dec ebx
004012E5  |.  83FB 00       cmp ebx,0x0
004012E8  |.^ 75 E7         jnz XKeygenMe.004012D1
004012EA  \.  C3            retn
}
The two passes are identical. If "administrator" is entered as the account name, one more round of the transformation is applied afterwards; if the names differ, several more rounds are applied.

The last two transformations are the most important. The name hash, the CkSn1 result and the CkSn2 result are each written as 8 hex digits into a 24-byte buffer, and the serial typed into the dialog must be exactly 24 characters (cmp eax,0x18) with '-' at offsets 4 and 14:

00401197  |.  E8 DE000000   call KeygenMe.0040127A                   ;  CkSn1
{
0040127A  /$  55            push ebp
0040127B  |.  8BEC          mov ebp,esp
0040127D  |.  33C0          xor eax,eax
0040127F  |.  33DB          xor ebx,ebx
00401281  |.  8B45 08       mov eax,[arg.1]
00401284  |.  8B5D 0C       mov ebx,[arg.2]
00401287  |.  8BD0          mov edx,eax
00401289  |.  33D3          xor edx,ebx
0040128B  |.  81F2 ACFF0000 xor edx,0xFFAC
00401291  |.  81F3 53050000 xor ebx,0x553
00401297  |.  03C3          add eax,ebx
00401299  |.  03DA          add ebx,edx
0040129B  |.  4B            dec ebx
0040129C  |.  03C3          add eax,ebx
0040129E  |.  C9            leave
0040129F  \.  C2 0800       retn 0x8
}
0040119C  |.  A3 20324000   mov dword ptr ds:[0x403220],eax
004011A1  |.  E8 A0010000   call KeygenMe.00401346                   ;  CkSn2
{
00401346  /$  A1 1C324000   mov eax,dword ptr ds:[0x40321C]
0040134B  |.  8B1D 18324000 mov ebx,dword ptr ds:[0x403218]
00401351  |.  3BC3          cmp eax,ebx
00401353  |.  75 0E         jnz XKeygenMe.00401363
00401355  |.  81F3 8E000000 xor ebx,0x8E
0040135B  |.  03D8          add ebx,eax
0040135D  |.  891D 18324000 mov dword ptr ds:[0x403218],ebx
00401363  \>  C3            retn
}
004011A6  |.  FF35 1C324000 push dword ptr ds:[0x40321C]
004011AC  |.  68 24324000   push KeygenMe.00403224
004011B1  |.  E8 EC000000   call KeygenMe.004012A2                   ; these three calls convert the values from the transformations above to hex strings and concatenate them
004011B6  |.  B8 24324000   mov eax,KeygenMe.00403224
004011BB  |.  83C0 08       add eax,0x8
004011BE  |.  FF35 20324000 push dword ptr ds:[0x403220]
004011C4  |.  8D00          lea eax,dword ptr ds:[eax]
004011C6  |.  50            push eax
004011C7  |.  E8 D6000000   call KeygenMe.004012A2
004011CC  |.  B8 24324000   mov eax,KeygenMe.00403224
004011D1  |.  83C0 10       add eax,0x10
004011D4  |.  FF35 18324000 push dword ptr ds:[0x403218]
004011DA  |.  8D00          lea eax,dword ptr ds:[eax]
004011DC  |.  50            push eax
004011DD  |.  E8 C0000000   call KeygenMe.004012A2
004011E2  |.  A1 10324000   mov eax,dword ptr ds:[0x403210]
004011E7  |.  50            push eax                                 ; /hWnd => 03800274 (class='Edit',parent=02800232)
004011E8  |.  E8 D1010000   call                                     ; \GetWindowTextLengthA
004011ED  |.  B9 00000000   mov ecx,0x0
004011F2  |.  83F8 18       cmp eax,0x18                             ; serial must be exactly 24 characters
004011F5  |.^ 0F85 20FFFFFF jnz KeygenMe.0040111B
004011FB  |.  40            inc eax
004011FC  |.  50            push eax                                 ; /Count
004011FD  |.  68 0C314000   push KeygenMe.0040310C                   ; |Buffer = KeygenMe.0040310C
00401202  |.  68 EA030000   push 0x3EA                               ; |ControlID = 3EA (1002.)
00401207  |.  FF75 08       push [arg.1]                             ; |hWnd
0040120A  |.  E8 A9010000   call                                     ; \GetDlgItemTextA
0040120F  |.  B8 0C314000   mov eax,KeygenMe.0040310C
00401214  |.  E8 D2000000   call KeygenMe.004012EB                   ; inserts the '-' separators and the "KOS" prefix
{
004012EB  /$  BA 24324000   mov edx,KeygenMe.00403224                ;  ASCII "36B02FE8B6297B092D2C3AE8"
004012F0  |.  83C2 04       add edx,0x4
004012F3  |.  C602 2D       mov byte ptr ds:[edx],0x2D
004012F6  |.  83C2 0A       add edx,0xA
004012F9  |.  C602 2D       mov byte ptr ds:[edx],0x2D
004012FC  |.  BA 24324000   mov edx,KeygenMe.00403224                ;  ASCII "36B02FE8B6297B092D2C3AE8"
00401301  |.  C602 4B       mov byte ptr ds:[edx],0x4B
00401304  |.  42            inc edx
00401305  |.  C602 4F       mov byte ptr ds:[edx],0x4F
00401308  |.  42            inc edx
00401309  |.  C602 53       mov byte ptr ds:[edx],0x53
0040130C  \.  C3            retn
}
00401219  |.  B8 0C314000   mov eax,KeygenMe.0040310C
0040121E  |.  83C0 04       add eax,0x4
00401221  |.  8038 2D       cmp byte ptr ds:[eax],0x2D
00401224  |.^ 0F85 F1FEFFFF jnz KeygenMe.0040111B
0040122A  |.  83C0 0A       add eax,0xA
0040122D  |.  8038 2D       cmp byte ptr ds:[eax],0x2D
00401230  |.^ 0F85 E5FEFFFF jnz KeygenMe.0040111B
00401236  |.  68 24324000   push KeygenMe.00403224
0040123B  |.  68 0C314000   push KeygenMe.0040310C
00401240  |.  E8 1F010000   call KeygenMe.00401364
00401245  |.  8BC8          mov ecx,eax
00401247  |.  83F9 01       cmp ecx,0x1
0040124A  |.^ 0F84 CBFEFFFF je KeygenMe.0040111B
What I learned this time is mainly that the original program's own assembly instructions can be reused to build the keygen:

BOOL CKeygenDlg::FindCM()
{
	DWORD dwThreadId;
	DWORD dwProcessId;
	CString sClassName = "";
	m_hPwnd = ::FindWindow(NULL, "KeygenMe #1 by Kostya");	// find the CM's dialog by its title
	if (m_hPwnd == NULL)
	{
		return FALSE;
	}
	// GetBuffer(0) hands back a zero-length buffer, which GetClassName would overflow.
	int hFunc = GetClassName(m_hPwnd, sClassName.GetBuffer(256), 256);
	sClassName.ReleaseBuffer();
	if (hFunc != 0 && 0 <= sClassName.Find("#32770"))	// #32770 is the dialog window class
	{
		dwThreadId = ::GetWindowThreadProcessId(m_hPwnd, &dwProcessId);
		if (dwThreadId != 0)
		{
			// Terminating and waiting for exit is all this handle is used for, so
			// PROCESS_TERMINATE | SYNCHRONIZE is enough (PROCESS_ALL_ACCESS is not needed).
			m_hProcess = ::OpenProcess(PROCESS_TERMINATE | SYNCHRONIZE, FALSE, dwProcessId);
			if (m_hProcess != NULL)
			{
				return TRUE;
			}
		}
	}
	return FALSE;
}

// Needs <tlhelp32.h> and <psapi.h>, and links against psapi.lib.
CString CKeygenDlg::GetCMInfo()
{
	CString PathName;
	CString PName;
	PROCESSENTRY32 pe32;
	pe32.dwSize = sizeof(pe32);
	HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProcessSnap == INVALID_HANDLE_VALUE)
	{
		SetDlgItemText(IDC_TISHI, "Note: CreateToolhelp32Snapshot failed!");
		return PathName;	// empty path signals failure (the original returned -1 here, which CString turns into a one-character string)
	}
	BOOL bMore = ::Process32First(hProcessSnap, &pe32);
	while (bMore)
	{
		char szProcessName[_MAX_PATH] = "unknown";
		HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
		if (hProcess)
		{
			HMODULE hMod;
			DWORD cbNeeded;
			if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded))
			{
				// full path of the main module, which is what EditCm and CreateProcess need
				GetModuleFileNameEx(hProcess, hMod, szProcessName, sizeof(szProcessName));
				PName = pe32.szExeFile;
				PName.MakeUpper();
				if (PName.Find("KEYGENMENO1") == 0)
				{
					PathName = szProcessName;
				}
			}
			CloseHandle(hProcess);
		}
		bMore = ::Process32Next(hProcessSnap, &pe32);
	}
	::CloseHandle(hProcessSnap);
	return PathName;
}

int CKeygenDlg::KillProcess()
{
	BOOL ok = ::TerminateProcess(m_hProcess, 4);
	// TerminateProcess returns before the process has actually gone away; wait for it,
	// otherwise the EXE may still be locked when EditCm opens it for writing.
	::WaitForSingleObject(m_hProcess, 5000);
	::CloseHandle(m_hProcess);
	m_hProcess = NULL;
	return ok;
}

// Mirrors the loop at 0x4012D1. Note `mov dl, byte ptr [eax]`: only the low byte of edx is
// replaced, so the upper 24 bits of the previous round's pre-xor value (left there by
// `mov edx, ecx`) are subtracted together with the character.
DWORD CKeygenDlg::CLName(char *Name)
{
	DWORD result;
	int len = strlen(Name);
	if (len == 0)
	{
		return 0;	// the target's dec/jnz loop would run away on an empty name; don't mirror that
	}
	_asm {
		mov     eax, Name
		mov     ebx, len
		xor     edx, edx
		xor     ecx, ecx
	L000:
		mov     dl, byte ptr [eax]
		imul    ecx, ecx, 0x48
		sub     ecx, edx
		sub     ecx, 0x6F
		mov     edx, ecx
		xor     ecx, 0x0BACAF
		inc     eax
		dec     ebx
		cmp     ebx, 0
		jnz     L000
		mov     result, ecx
	}
	return result;
}

// Mirrors 0x40127A. The target takes two arguments; both are the name hash here, since the
// two hashing passes above yield the same value for the same name.
DWORD CKeygenDlg::CkSn1(DWORD code)
{
	DWORD result;
	_asm {
		xor     eax, eax
		xor     ebx, ebx
		mov     eax, code
		mov     ebx, code
		mov     edx, eax
		xor     edx, ebx
		xor     edx, 0x0FFAC
		xor     ebx, 0x553
		add     eax, ebx
		add     ebx, edx
		dec     ebx
		add     eax, ebx
		mov     result, eax
	}
	return result;
}

// Mirrors 0x401346 for the case where the two stored hashes are equal.
DWORD CKeygenDlg::CkSn2(DWORD code)
{
	DWORD result;
	_asm {
		mov     eax, code
		mov     ebx, code
		xor     ebx, 0x8E
		add     ebx, eax
		mov     result, ebx
	}
	return result;
}

// Writes one value as exactly 8 upper-case hex digits plus a NUL that the next field overwrites.
// itoa() emits fewer digits for small values and would shift the later fields; the target's
// 24-character length check implies fixed-width fields.
void CKeygenDlg::CkSn3(char *_addr, DWORD _code)
{
	sprintf(_addr, "%08X", _code);
}

// Mirrors 0x4012EB: '-' at offsets 4 and 14, "KOS" over the first three characters.
// Takes the buffer pointer directly rather than a DWORD cast, which only works on 32-bit builds.
char *CKeygenDlg::GetSerial(char *_addr)
{
	_asm {
		mov     edx, _addr
		add     edx, 4
		mov     byte ptr [edx], 0x2D
		add     edx, 0x0A
		mov     byte ptr [edx], 0x2D
		mov     edx, _addr
		mov     byte ptr [edx], 0x4B
		inc     edx
		mov     byte ptr [edx], 0x4F
		inc     edx
		mov     byte ptr [edx], 0x53
	}
	return _addr;
}

// Button handler. The original shows only the body; the name OnKeygen is a placeholder.
void CKeygenDlg::OnKeygen()
{
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	ZeroMemory(&pi, sizeof(pi));
	ZeroMemory(&si, sizeof(si));
	si.cb = sizeof(si);
	// Look for the CM's window to make sure it is running
	if (FindCM())
	{
		CString PathName = GetCMInfo();	// must come before KillProcess: the path is read from the live process
		KillProcess();
		// patch away its limits first
		if (!EditCm(PathName))
			SetDlgItemText(IDC_TISHI, "Note: something went wrong while removing the CM's limits!");
		if (!CreateProcess(PathName, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
			SetDlgItemText(IDC_TISHI, "Note: failed to start the process!");
		else
		{
			CloseHandle(pi.hThread);
			CloseHandle(pi.hProcess);
		}
		// now reproduce its algorithm
		const int nBufSize = 128;
		TCHAR chBuf[nBufSize];
		ZeroMemory(chBuf, sizeof(chBuf));
		DWORD dwRet = nBufSize;
		if (::GetUserName(chBuf, &dwRet))
		{
			char serial[25];	// 3 x 8 hex digits + NUL (the original's new char[24] was one byte short and never freed)
			ZeroMemory(serial, sizeof(serial));
			m_Name = chBuf;
			DWORD tmpsn = CLName(chBuf);
			CkSn3(serial,      tmpsn);			// name hash    -> characters 0..7
			CkSn3(serial + 8,  CkSn1(tmpsn));	// CkSn1 result -> characters 8..15
			CkSn3(serial + 16, CkSn2(tmpsn));	// CkSn2 result -> characters 16..23
			m_Serial = GetSerial(serial);
		}
		m_Serial.MakeUpper();
		UpdateData(FALSE);
		SetDlgItemText(IDC_TISHI, "Note: done, verify the user name and serial yourself!");
	}
	else
		SetDlgItemText(IDC_TISHI, "Note: start the CM first so its limits can be removed!");
}
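The same serial algorithm as an added example in portable C++ rather than MSVC inline assembly, so it builds with any compiler and can be unit-tested; this is not code from the original post. It covers the name-hash loop at 0x4012D1 (including the partial-register behaviour of `mov dl`), CkSn1 and CkSn2, and the formatting done by 0x4012A2 and 0x4012EB. Like the keygen above it assumes the name typed into the CM is the Windows account name, so both stored hashes are equal and CkSn2 takes its transforming branch. The compare routine at 0x401364 is not shown on the page; checkSerial assumes it is a plain string comparison.

```cpp
// Added example (not from the original post): the KeygenMe serial algorithm
// recovered above, in portable C++ instead of MSVC inline assembly.
#include <cstdint>
#include <cstdio>
#include <string>

// The loop at 0x4012D1. `mov dl, byte ptr [eax]` replaces only the low byte of
// edx, so the upper 24 bits of the previous round's pre-xor accumulator (left
// there by `mov edx, ecx`) are subtracted together with the character.
uint32_t hashName(const std::string& name) {
    uint32_t ecx = 0, edx = 0;                 // xor ecx,ecx / xor edx,edx
    for (unsigned char c : name) {
        edx = (edx & 0xFFFFFF00u) | c;         // mov dl, byte ptr [eax]
        ecx *= 0x48u;                          // imul ecx, ecx, 0x48
        ecx -= edx;                            // sub ecx, edx
        ecx -= 0x6Fu;                          // sub ecx, 0x6F
        edx = ecx;                             // mov edx, ecx
        ecx ^= 0x000BACAFu;                    // xor ecx, 0xBACAF
    }
    return ecx;
}

// 0x40127A (CkSn1). The target passes two values; the keygen above feeds it
// the name hash twice, and makeSerial below does the same.
uint32_t ckSn1(uint32_t a, uint32_t b) {
    uint32_t edx = a ^ b ^ 0xFFACu;
    b ^= 0x553u;
    a += b;
    b += edx;
    b -= 1;
    return a + b;
}

// 0x401346 (CkSn2): only transforms when the two stored hashes are equal,
// otherwise the second value is left as it is.
uint32_t ckSn2(uint32_t a, uint32_t b) {
    return a == b ? (b ^ 0x8Eu) + a : b;
}

// 0x4012A2 as used here: one value as exactly eight upper-case hex digits.
static std::string hex8(uint32_t v) {
    char buf[9];
    std::snprintf(buf, sizeof buf, "%08X", static_cast<unsigned>(v));
    return buf;
}

// Three hex fields, then 0x4012EB: '-' at offsets 4 and 14, "KOS" over the
// first three characters. Always 24 characters, matching `cmp eax,0x18`.
std::string makeSerial(const std::string& name) {
    uint32_t h = hashName(name);
    std::string s = hex8(h) + hex8(ckSn1(h, h)) + hex8(ckSn2(h, h));
    s[4] = '-';
    s[14] = '-';
    s.replace(0, 3, "KOS");
    return s;
}

// The acceptance path at 0x4011F2..0x40124A: length 24, '-' at 4 and 14, then
// compare. The compare routine at 0x401364 is not shown on the page; plain
// string equality is assumed here.
bool checkSerial(const std::string& name, const std::string& entered) {
    if (entered.size() != 24) return false;
    if (entered[4] != '-' || entered[14] != '-') return false;
    return entered == makeSerial(name);
}

int main() {
    std::string name = "Administrator";
    std::string serial = makeSerial(name);
    std::printf("%s -> %s (%s)\n", name.c_str(), serial.c_str(),
                checkSerial(name, serial) ? "self-check ok" : "self-check failed");
    return 0;
}
```

Writing the accumulator as explicit 32-bit unsigned arithmetic is what makes the `mov dl` detail visible: a version that simply subtracts the character value gives different hashes for every name longer than one character.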

Reposted from: https://www.cnblogs.com/zcc1414/p/3982536.html
