

英宇职业介绍管理系统 V5.0



【软件限制】:30天试用
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:TRW2000娃娃修改版、Ollydbg1.09、FI2.5、W32Dasm 9.0白金版
—————————————————————————————————
【过    程】:
英宇职介管理V5.exe 用FI2.5看是Softsentry 2.11壳,晕,现在居然还用 V2.11加壳。
有专用的For Softsentry2.11的脱壳工具:Crkss211.com,脱完壳后就取消一切限制了。这篇我写的稍微简单点,其实Softsentry壳的算法都大同小异,具体的可以看我以前分析过的笔记。这个程序不同的是取了用户名和单位名进行运算。
序列号:95065
用户名:fly
单位名:[OCN][FCG]
试炼码:ABCDEFGH-12345678-KLMNOPQ
—————————————————————————————————
可以下 bpx getdlgitemtexta ,一般 Softsentry 壳下这个断点挺好用。
拦下后返回程序细心跟踪会来到下面(下文寄存器中的数值均为十六进制):

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721ABD(C)
|
:00721B55 8B3D44BC7200            mov edi, dword ptr [0072BC44]
                                  ====>EDI=YYG-YYZJ-           这就是String 1
:00721B5B B9FFFFFFFF              mov ecx, FFFFFFFF
:00721B60 2BC0                    sub eax, eax
:00721B62 F2                      repnz
:00721B63 AE                      scasb
:00721B64 F7D1                    not ecx
:00721B66 49                      dec ecx
                                  ====>取长度  ECX=9
:00721B67 6649                    dec cx
:00721B69 6683F9FF                cmp cx, FFFF
:00721B6D 7426                    je 00721B95
:00721B6F 6685C9                  test cx, cx
:00721B72 7C1B                    jl 00721B8F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721B8D(C)
|
:00721B74 8B1544BC7200            mov edx, dword ptr [0072BC44]
                                  ====>EDX=YYG-YYZJ-
:00721B7A 0FBFC1                  movsx eax, cx
:00721B7D 8A1402                  mov dl, byte ptr [edx+eax]
                                  ====>DL=依次倒序取 YYG-YYZJ- 的字符(CX 从 8 递减到 0)
:00721B80 80FA3F                  cmp dl, 3F
                                  ====>3F 即字符'?',模板中的'?'是通配符,该位不比较直接跳过
:00721B83 7406                    je 00721B8B
:00721B85 3854041C                cmp byte ptr [esp+eax+1C], dl
                                  ====>逐位比较试炼码前9位是否是YYG-YYZJ-
:00721B89 7504                    jne 00721B8F
                                  ====>跳则OVER!可以NOP掉,方便调试 ^O^ ^O^
                        一、      ====>所以注册码前9位固定是 YYG-YYZJ-

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721B83(C)
|
:00721B8B 6649                    dec cx
:00721B8D 79E5                    jns 00721B74
                                  ====>循环比较!

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00721B72(C), :00721B89(C)
|
:00721B8F 6683F9FF                cmp cx, FFFF
:00721B93 7505                    jne 00721B9A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721B6D(C)
|
:00721B95 BD01000000              mov ebp, 00000001
                                  ====>EBP=1(前缀比较通过的计数)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721B93(C)
|
:00721B9A 8B3DCCBB7200            mov edi, dword ptr [0072BBCC]
                                  ====>EDI=-1002002            这就是String 2
:00721BA0 B9FFFFFFFF              mov ecx, FFFFFFFF
:00721BA5 2BC0                    sub eax, eax
:00721BA7 F2                      repnz
:00721BA8 AE                      scasb
:00721BA9 F7D1                    not ecx
:00721BAB 49                      dec ecx
                                  ====>取长度  ECX=8
:00721BAC 8D7C241C                lea edi, dword ptr [esp+1C]
                                  ====>EDI=ABCDEFGH-12345678-KLMNOPQ  试炼码
:00721BB0 668BD1                  mov dx, cx
                                  ====>DX=CX=8
:00721BB3 2BC0                    sub eax, eax
:00721BB5 B9FFFFFFFF              mov ecx, FFFFFFFF
:00721BBA F2                      repnz
:00721BBB AE                      scasb
:00721BBC F7D1                    not ecx
:00721BBE 49                      dec ecx
                                  ====>取试炼码长度  ECX=19(十六进制,即25)
:00721BBF 662BCA                  sub cx, dx
                                  ====>CX=19 - 8=11(十六进制,即25-8=17),即尾串在试炼码中的起始下标
:00721BC2 6685C9                  test cx, cx
:00721BC5 7E2F                    jle 00721BF6
:00721BC7 6633F6                  xor si, si
:00721BCA 6685D2                  test dx, dx
:00721BCD 7E21                    jle 00721BF0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721BEE(C)
|
:00721BCF A1CCBB7200              mov eax, dword ptr [0072BBCC]
:00721BD4 0FBFFE                  movsx edi, si
:00721BD7 8A0438                  mov al, byte ptr [eax+edi]
                                  ====>AL=依次顺序取 -1002002 的字符(SI 从 0 递增)
:00721BDA 3C3F                    cmp al, 3F
                                  ====>同样,模板中的'?'是通配符
:00721BDC 740B                    je 00721BE9
:00721BDE 0FBFD9                  movsx ebx, cx
:00721BE1 03DF                    add ebx, edi
:00721BE3 38441C1C                cmp byte ptr [esp+ebx+1C], al
                                  ====>逐位比较试炼码最后8位是否是-1002002
:00721BE7 7507                    jne 00721BF0
                                  ====>跳则OVER!可以NOP掉,方便调试 ^O^ ^O^
                        二、      ====>所以注册码最后8位固定是 -1002002

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721BDC(C)
|
:00721BE9 6646                    inc si
:00721BEB 663BD6                  cmp dx, si
:00721BEE 7FDF                    jg 00721BCF
                                  ====>循环比较!

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00721BCD(C), :00721BE7(C)
|
:00721BF0 663BD6                  cmp dx, si
:00721BF3 7501                    jne 00721BF6
:00721BF5 45                      inc ebp
                                  ====>EBP=1 + 1=2

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00721BC5(C), :00721BF3(C)
|
:00721BF6 83FD02                  cmp ebp, 00000002
                                  ====>前缀、后缀是否都已比较通过?
:00721BF9 740A                    je 00721C05
                                  ====>跳下去
:00721BFB BDFEFFFFFF              mov ebp, FFFFFFFE
:00721C00 E900010000              jmp 00721D05

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721BF9(C)
|
:00721C05 8B3D44BC7200            mov edi, dword ptr [0072BC44]
:00721C0B B9FFFFFFFF              mov ecx, FFFFFFFF
:00721C10 2BC0                    sub eax, eax
:00721C12 F2                      repnz
:00721C13 AE                      scasb
:00721C14 F7D1                    not ecx
:00721C16 2BC0                    sub eax, eax
:00721C18 8D740C1B                lea esi, dword ptr [esp+ecx+1B]
                                  ====>ESI=试炼码+String 1的长度,即跳过前9位
:00721C1C 8BFE                    mov edi, esi
:00721C1E B9FFFFFFFF              mov ecx, FFFFFFFF
:00721C23 F2                      repnz
:00721C24 AE                      scasb
:00721C25 F7D1                    not ecx
:00721C27 8B3DCCBB7200            mov edi, dword ptr [0072BBCC]
:00721C2D 2BC0                    sub eax, eax
:00721C2F 8D51FF                  lea edx, dword ptr [ecx-01]
:00721C32 B9FFFFFFFF              mov ecx, FFFFFFFF
:00721C37 F2                      repnz
:00721C38 AE                      scasb
:00721C39 F7D1                    not ecx
:00721C3B 49                      dec ecx
:00721C3C 8BC6                    mov eax, esi
:00721C3E 2BC1                    sub eax, ecx
:00721C40 8BCE                    mov ecx, esi
:00721C42 C6041000                mov byte ptr [eax+edx], 00
                                  ====>在 String 2 起始处写 0 截断,ESI 就只剩中间的 12345678
:00721C46 E8C54D0000              call 00726A10
                                  ====>测试试炼码中间的12345678是否是数字?(未跟进,由后面的分支推测)
:00721C4B 85C0                    test eax, eax
:00721C4D 750A                    jne 00721C59
                                  ====>是则跳下去
:00721C4F BDFDFFFFFF              mov ebp, FFFFFFFD
:00721C54 E9AC000000              jmp 00721D05

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721C4D(C)
|
:00721C59 BAE8807200              mov edx, 007280E8
                                  ====>EDX=0604
:00721C5E 8BCE                    mov ecx, esi
                                  ====>ECX=12345678     试炼码中间的8位
:00721C60 BDFCFFFFFF              mov ebp, FFFFFFFC
:00721C65 E8F64D0000              call 00726A60
                                  ====>把十进制串 12345678 转成整数=00BC614E
:00721C6A 66833D38BC720001        cmp word ptr [0072BC38], 0001
                                  ====>[0072BC38] 是校验方式的选择值,本程序不等于1
:00721C72 8BF0                    mov esi, eax
                                  ====>ESI=00BC614E(H)=12345678(D)
:00721C74 7559                    jne 00721CCF
                                  ====>跳下去(下面到 00721CB9 的取模分支本程序不走)
:00721C76 668B3D3EBC7200          mov di, word ptr [0072BC3E]
:00721C7D 8B15C0BB7200            mov edx, dword ptr [0072BBC0]
:00721C83 66C1EF08                shr di, 08
:00721C87 668B0D3EBC7200          mov cx, word ptr [0072BC3E]
:00721C8E 6681E1FF00              and cx, 00FF
:00721C93 E8F8FAFFFF              call 00721790
:00721C98 03F0                    add esi, eax
:00721C9A 6685FF                  test di, di
:00721C9D 750A                    jne 00721CA9
:00721C9F 8B15C4BB7200            mov edx, dword ptr [0072BBC4]
:00721CA5 8BCF                    mov ecx, edi
:00721CA7 EB0B                    jmp 00721CB4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721C9D(C)
|
:00721CA9 668BCF                  mov cx, di
:00721CAC 8B15C4BB7200            mov edx, dword ptr [0072BBC4]
:00721CB2 6641                    inc cx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721CA7(U)
|
:00721CB4 E8D7FAFFFF              call 00721790
:00721CB9 8BC8                    mov ecx, eax
:00721CBB 85C9                    test ecx, ecx
:00721CBD 7507                    jne 00721CC6
:00721CBF BDFBFFFFFF              mov ebp, FFFFFFFB
:00721CC4 EB36                    jmp 00721CFC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721CBD(C)
|
:00721CC6 8BC6                    mov eax, esi
:00721CC8 99                      cdq
:00721CC9 F7F9                    idiv ecx
:00721CCB 8BEA                    mov ebp, edx
:00721CCD EB2D                    jmp 00721CFC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721C74(C)
|
:00721CCF 66833D38BC720002        cmp word ptr [0072BC38], 0002
:00721CD7 7523                    jne 00721CFC
:00721CD9 668B153EBC7200          mov dx, word ptr [0072BC3E]
                                  ====>DX=3221            这个似乎是固定值
:00721CE0 A1C4BB7200              mov eax, dword ptr [0072BBC4]
                                  ====>EAX=[OCN][FCG]               单位名
:00721CE5 50                      push eax
:00721CE6 8B0DC0BB7200            mov ecx, dword ptr [0072BBC0]
                                  ====>ECX=fly                      用户名
:00721CEC 51                      push ecx
:00721CED 8B0DD4B97200            mov ecx, dword ptr [0072B9D4]
                                  ====>ECX=00017359(H)=95065(D)  序列号
:00721CF3 E828FBFFFF              call 00721820
                                  ====>关键CALL!进入!对用户名、单位和序列号进行运算
:00721CF8 8BE8                    mov ebp, eax
                                  ====>EBP=EAX=0002B750(H)=178000(D)   运算的结果
:00721CFA 2BEE                    sub ebp, esi
                                  ====>EBP=0002B750 - 00BC614E=FF465602
                                  ====>其实就是比较注册码中间几位是否和上面运算的结果相等!相等时 EBP=0
                        三、      ====>所以我的注册码中间几位是 178000

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00721CC4(U), :00721CCD(U), :00721CD7(C)
|
:00721CFC 85ED                    test ebp, ebp
:00721CFE 7429                    je 00721D29
                                  ====>EBP=0 才跳向注册成功
…… ……省 略…… ……
:00721E74 FF15B0C57200            call dword ptr [0072C5B0]
                                  ====>BAD BOY!
—————————————————————————————————
进入关键CALL:00721CF3   call 00721820

* Referenced by a CALL at Address:
|:00721CF3
|
:00721820 53                      push ebx
:00721821 56                      push esi
:00721822 57                      push edi
:00721823 8BD9                    mov ebx, ecx
                                  ====>EBX=序列号 00017359
:00721825 668BCA                  mov cx, dx
                                  ====>CX=DX=3221
:00721828 668BFA                  mov di, dx
                                  ====>DI=DX=3221
:0072182B 8B542410                mov edx, dword ptr [esp+10]
                                  ====>EDX=fly
:0072182F 6681E1FF00              and cx, 00FF
                                  ====>CX=3221 AND FF=21
:00721834 66C1EF08                shr di, 08
                                  ====>DI=3221 SHR 08=32
:00721838 E853FFFFFF              call 00721790
                                  ====>关键CALL!进入!对用户名fly进行运算(参数 CX=21)
:0072183D 668BCF                  mov cx, di
:00721840 8BF0                    mov esi, eax
:00721842 6685C9                  test cx, cx
:00721845 7517                    jne 0072185E
                                  ====>DI=32 不为 0,本程序走 0072185E 分支
:00721847 8B542414                mov edx, dword ptr [esp+14]
:0072184B E840FFFFFF              call 00721790
:00721850 8D0C33                  lea ecx, dword ptr [ebx+esi]
:00721853 5F                      pop edi
:00721854 0FAFC8                  imul ecx, eax
:00721857 8BC1                    mov eax, ecx
:00721859 5E                      pop esi
:0072185A 5B                      pop ebx
:0072185B C20800                  ret 0008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00721845(C)
|
:0072185E 6649                    inc cx
                                  ====>CX=32+1=33,单位名用的参数和用户名的(21)不同
:00721860 8B542414                mov edx, dword ptr [esp+14]
                                  ====>EDX=[OCN][FCG]
:00721864 E827FFFFFF              call 00721790
                                  ====>对单位名[OCN][FCG]进行运算!
:00721869 03C6                    add eax, esi
                                  ====>对用户名和单位名运算的结果相加
                                  ====>EAX=00006760 + 0000DC97=000143F7
:0072186B 5F                      pop edi
:0072186C 03C3                    add eax, ebx
                                  ====>EBX=00017359(H)=95065(D) 即:序列号
                                  ====>EAX=000143F7 + 00017359=0002B750
:0072186E 5E                      pop esi
:0072186F 5B                      pop ebx
:00721870 C20800                  ret 0008
—————————————————————————————————
进入 00721838   call  00721790 (0072184B 处的那次调用只在 DI=0 时走到,本例不经过)
因为对用户名和单位名的运算流程是相同的,所以只是记录了用户名的运算数据。

* Referenced by a CALL at Addresses:
|:00721838   , :0072184B   , :00721864   , :00721C93   , :00721CB4
|
:00721790 53                      push ebx
:00721791 56                      push esi
:00721792 668BD9                  mov bx, cx
                                  ====>BX=21
:00721795 57                      push edi
:00721796 55                      push ebp
:00721797 8BF2                    mov esi, edx
:00721799 85F6                    test esi, esi
                                  ====>ESI=fly
:0072179B 7475                    je 00721812
:0072179D 803E00                  cmp byte ptr [esi], 00
:007217A0 7470                    je 00721812
:007217A2 8BFE                    mov edi, esi
:007217A4 B9FFFFFFFF              mov ecx, FFFFFFFF
:007217A9 2BC0                    sub eax, eax
:007217AB F2                      repnz
:007217AC AE                      scasb
:007217AD F7D1                    not ecx
:007217AF 49                      dec ecx
                                  ====>取fly长度   ECX=3
:007217B0 6685DB                  test bx, bx
:007217B3 7444                    je 007217F9
:007217B5 6683FB01                cmp bx, 0001
:007217B9 743E                    je 007217F9
:007217BB 0FB7FB                  movzx edi, bx
:007217BE 8BC7                    mov eax, edi
                                  ====>EAX=21
:007217C0 99                      cdq
:007217C1 F7F9                    idiv ecx
                                  ====>EDX=21 % 3=0(21h=33,33 mod 3=0)
:007217C3 0FBE0416                movsx eax, byte ptr [esi+edx]
                                  ====>EAX=66   根据余数EDX的值0取fly的第一位
:007217C7 0FAFC2                  imul eax, edx
                                  ====>EAX=66 * 0=0
:007217CA 0FAFC7                  imul eax, edi
                                  ====>EAX=0 * 21=0
:007217CD 03C1                    add eax, ecx
                                  ====>EAX=0 + 3=3
:007217CF 33D2                    xor edx, edx
:007217D1 85C9                    test ecx, ecx
:007217D3 7E19                    jle 007217EE
:007217D5 8BD9                    mov ebx, ecx
                                  ====>EBX=ECX=3
:007217D7 2BDF                    sub ebx, edi
                                  ====>EBX=3 - 21=FFFFFFE2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:007217EC(C)
|
:007217D9 0FBE3C16                movsx edi, byte ptr [esi+edx]
                                  ====>EDI=依次取fly字符的HEX值:66、6C、79
:007217DD 8BEB                    mov ebp, ebx
                                  ====>EBP=EBX=FFFFFFE2
:007217DF 2BEA                    sub ebp, edx
                           1、    ====>EBP=FFFFFFE2 - 0=FFFFFFE2
                           2、    ====>EBP=FFFFFFE2 - 1=FFFFFFE1
                           3、    ====>EBP=FFFFFFE0 + 2 - 2=FFFFFFE0
:007217E1 42                      inc edx
                                  ====>EDX依次增1
:007217E2 83C56F                  add ebp, 0000006F
                           1、    ====>EBP=FFFFFFE2 + 6F=51
                           2、    ====>EBP=FFFFFFE1 + 6F=50
                           3、    ====>EBP=FFFFFFE0 + 6F=4F
:007217E5 0FAFFD                  imul edi, ebp
                           1、    ====>EDI=00000066 * 51=00002046
                           2、    ====>EDI=0000006C * 50=000021C0
                           3、    ====>EDI=00000079 * 4F=00002557
:007217E8 03C7                    add eax, edi
                           1、    ====>EAX=00000003 + 00002046=00002049
                           2、    ====>EAX=00002049 + 000021C0=00004209
                           3、    ====>EAX=00004209 + 00002557=00006760
:007217EA 3BCA                    cmp ecx, edx
:007217EC 7FEB                    jg 007217D9
                                  ====>继续循环
                                  ====>即 EAX = s[k mod len]*(k mod len)*k + len + Σ s[i]*(len - k - i + 6Fh),k 为传入的 CX

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:007217D3(C)
|
:007217EE 85C0                    test eax, eax
                                  对用户名 fly运算得出   ====>EAX=00006760
                                  对[OCN][FCG]运算得出   ====>EAX=0000DC97
:007217F0 7D25                    jge 00721817
:007217F2 F7D8                    neg eax
                                  ====>结果为负则取绝对值
:007217F4 5D                      pop ebp
:007217F5 5F                      pop edi
:007217F6 5E                      pop esi
:007217F7 5B                      pop ebx
:007217F8 C3                      ret
—————————————————————————————————
【算 法  总 结】:
1、注册码前9位固定为:YYG-YYZJ-
2、注册码最后8位固定:-1002002
3、注册码中间几位是通过对用户名、单位名、序列号运算得出的:
   中间数(十进制) = H(用户名, 21h) + H(单位名, 33h) + 序列号
   其中 H(s, k) = | s[k mod len]*(k mod len)*k + len + Σ s[i]*(len - k - i + 6Fh) |,
   21h、33h 分别来自 [0072BC3E]=3221h 的低字节和高字节+1。
【安全提示】:这种校验(固定前后缀模板 + 可逆的线性算术 + 直接比较)在脱壳后完全暴露,写注册机只需照抄上面的公式;若要真正抵抗这类分析,授权码应采用非对称签名(程序内只放公钥)并把关键逻辑放在服务端,而不是依赖壳和明文比较。
—————————————————————————————————
【注册信息保存】:
1、REGEDIT4
[HKEY_CLASSES_ROOT\{1N1AXAvCav}]
@="NUQ=&!!9!(Q!!!#!!#!\"G!T5Q.4)U!!!!!!\"=R1!!>`^:75=N76F;3CUR.TAQN-$!N-4!Q-D!Q-A!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#!!!!!!!!N!!!!(A!!!.-(\"1!'!\"]!!!!A!!A!:A-!!!)!!!!!!!!!!+(`E.B>HU!"
3、C:\WINDOWS\SYSTEM 下的access.ctl文件。
—————————————————————————————————
【整        理】:
序列号:95065
用户名:fly
单位名:[OCN][FCG]
注册码:YYG-YYZJ-178000-1002002
