Explore (探索) http://programhunter.home.china.com
[Magazine aim] Knowledge sharing, material sharing, resource sharing
[Produced by] Program Hunter (程式猎人)
[Release date] 2000-8-19
[Issue] No. 8
[Website] http://programhunter.wanwang.com

[Editor's Note]

    
    {~._.~} 
     ( Y )  
    ()~*~() 
    (_)-(_) 

Today's issue first lets everyone know that I have already obtained homepage space at wanwang.com; its service is powerful and runs stably, so if you visit the site, it's best to go there. Next is an introduction to the website of wind, who has become a friend; see the Website Introduction column for details. I also want to tell everyone that my website is being redesigned; in a few days you will see a brand-new Explore site. I hope everyone will go and take a look, and thank you all for your support.

Today I received a piece from netizen liangs. Although it is easy-level, for crackers, don't we all start from the simple things? For beginners, the second and third pieces are both good material to learn from.

Because I have been redesigning the website these past few days, the Beginner's Corner could not be written in time for this issue, so I hope everyone understands.

[Contents]
Cracking Notes
1……Particle Fire V1.1a  Program Hunter
2……KeyGhost V3.2 Cracking Log  liangs
3……Font Creator Program  Program Hunter
4……Hacking Windows 95 Screen Saver Passwords  Lonely Hawk
Beginner's Corner
Q&A
Website Introduction
Magazine Mailbox
[Cracking Notes]
                    Particle Fire V1.1a
                                 Program Hunter
Introduction: this is a rather good screen saver.
Trace: RN:01234567
The cracking process for this software is somewhat difficult for beginners, because with ordinary software
you can see the comparison happen during the registration process, whereas this program does not compare right
after you enter the registration code. It keeps comparing continuously while the program runs, so in difficulty
it should be rated intermediate.
Because this software only registers successfully once the correct code has been entered, that is, it uses
real-time verification, first enter 0123456, then set bpx hmemcpy, then type 7 and you will be stopped.
:0040254F FFD7                    call edi
:00402551 85C0                    test eax, eax  <- where the break lands; eax=0012d687
:00402553 7423                    je 00402578
:00402555 8D442410                lea eax, dword ptr [esp+10]
:00402559 6A00                    push 00000000
:0040255B 50                      push eax
:0040255C 68F0030000              push 000003F0
:00402561 56                      push esi
:00402562 FFD7                    call edi
:00402564 5D                      pop ebp
:00402565 A314214100              mov dword ptr [00412114], eax <- eax=12d687

* Possible Reference to String Resource ID=00001: "Particle Fire!"
                                  |
:0040256A B801000000              mov eax, 00000001
:0040256F 5F                      pop edi
:00402570 5E                      pop esi
:00402571 5B                      pop ebx
:00402572 83C414                  add esp, 00000014
:00402575 C21000                  ret 0010
We were stopped at the location above. Examine the code carefully and you will find that it stores the
registration code we entered at the fixed address 00412114. If you trace downward from here you will find
nothing, because, as I said earlier, the program does not compare right here but at some later time.
Now we have to use W32Dasm to analyze the program and search for the address 00412114. We will find several
references; the one below is the key location, as shown:
:00402726 A114214100              mov eax, dword ptr [00412114]
:0040272B 50                      push eax
:0040272C E8CFE8FFFF              call 00401000
:00402731 83C404                  add esp, 00000004
:00402734 85C0                    test eax, eax
:00402736 0F852D030000            jne 00402A69
This is the key comparison point of the program, and if you set a breakpoint here you will not be able to get
back to normal execution, because the program calls this constantly, using it to keep verifying that the
registration code is correct. Below is how the program computes the registration code. Because it uses the
annoying XOR operation, I was not able to compute it in C (possibly C has problems handling XOR).
:00401000 8B442404                mov eax, dword ptr [esp+04]
:00401004 56                      push esi
:00401005 3D00CA9A3B              cmp eax, 3B9ACA00   <-1000000000
:0040100A 763D                    jbe 00401049
:0040100C 3D00943577              cmp eax, 77359400   <-2000000000
:00401011 7336                    jnb 00401049
:00401013 8BC8                    mov ecx, eax
:00401015 8BF0                    mov esi, eax
:00401017 C1E114                  shl ecx, 14
:0040101A 8BD0                    mov edx, eax
:0040101C C1E610                  shl esi, 10
:0040101F 81E10000F0FF            and ecx, FFF00000
:00401025 C1EA10                  shr edx, 10
:00401028 0BF2                    or esi, edx
:0040102A 2BD2                    sub edx, edx
:0040102C 33F1                    xor esi, ecx
:0040102E 8BC8                    mov ecx, eax
:00401030 C1E90C                  shr ecx, 0C
:00401033 33F1                    xor esi, ecx
:00401035 B994260000              mov ecx, 00002694
:0040103A 33C6                    xor eax, esi
:0040103C F7F1                    div ecx
:0040103E 85D2                    test edx, edx
:00401040 7507                    jne 00401049   ***

* Possible Reference to String Resource ID=00001: "Particle Fire!"
                                  |
:00401042 B801000000              mov eax, 00000001
:00401047 5E                      pop esi
:00401048 C3                      ret
OK, now I will register this software by patching. I first enter 1234567890, then modify the *** location;
the exact method is as follows:
 
                       ****************************
                       *  Search:  85 D2 75 07 B8  *
                       *  Replace: 85 D2 90 90 B8  *
                       ****************************
What I want to tell everyone now is that I have not given up on getting this program's registration code,
since I am only one step away: I already know how the program computes it. So I wrote the following C program,
intending to find the code by brute force. But the code produced by the program below is wrong. I checked my
program carefully and I believe it has absolutely no errors, so I would like to ask an expert for help: how
can the registration code for this software be obtained (any language is fine)?
#include <stdio.h>
#include <stdint.h>

/* Brute-force search for a registration number accepted by the check at
   00401000. uint32_t keeps every shift at 32 bits, like the x86 registers. */
int main(void)
{
 uint32_t i,j;
 uint32_t eax,ebx,ecx,edx;

 /* the check rejects i <= 1000000000 (jbe) and i >= 2000000000 (jnb) */
 for(i=0x3b9aca00+1;i<0x4190ab00;i++)
  {
   /* esi = (eax << 16) | (eax >> 16) */
   eax=i<<16;
   ebx=i>>16;
   ecx=eax|ebx;

   /* esi ^= (eax << 20) & FFF00000;  esi ^= eax >> 12 */
   eax=(i<<20)&0xfff00000;
   ebx=i>>12;
   edx=eax^ebx;

   /* eax ^= esi: the listing XORs here, it does not OR */
   eax=ecx^edx^i;

   /* div ecx with ecx = 2694h: the remainder left in edx must be zero */
   j=eax%0x2694;
   if(j==0)
     {
      printf("\n  Your register number is %lu (hex %lx)",(unsigned long)i,(unsigned long)i);
      break;
     }
   }
   printf("\n your search is over!!!\n");
   return 0;
 }
KeyGhost V3.2 Cracking Log

Author: liangs
E-mail: liang_s@263.net

Software name: KeyGhost V3.2
Download URL: http://sunhy.126.com

Tools used: W32Dasm V8.93 Super Chinese Edition, Trw2000 ver1.22

First press ALT+F12 twice to bring up KeyGhost, and in the registration box enter: liangs-787878. Why 'liangs-787878'
and not 'liangs787878'? You will see below. Then set bpx hmemcpy; after the break, first do bd * to disable all breakpoints,
then press F12 18 times.
* Possible StringData Ref from Code Obj ->"请合法使用软件"
                                  |
:00475580 B888564700              mov eax, 00475688
:00475585 E842ADFDFF              call 004502CC
:0047558A 837DFC00                cmp dword ptr [ebp-04], 00000000 <--- we stop here;
:0047558E 0F8499000000            je 0047562D
:00475594 8D85FCFEFFFF            lea eax, dword ptr [ebp+FFFFFEFC]
:0047559A 8B55FC                  mov edx, dword ptr [ebp-04] <--- here edx = liangs-787878;
:0047559D B9FF000000              mov ecx, 000000FF
:004755A2 E881E8F8FF              call 00403E28 
:004755A7 8D85FCFEFFFF            lea eax, dword ptr [ebp+FFFFFEFC]

:004755AD E8CAC2FFFF              call 0047187C <--- checks the validity of the entered registration code; press F8 here to step in;
:004755B2 84C0                    test al, al
:004755B4 7477                    je 0047562D <--- a wrong registration code jumps away;

:004755B6 B201                    mov dl, 01
:004755B8 8B8340030000            mov eax, dword ptr [ebx+00000340]
:004755BE E8F570FBFF              call 0042C6B8
:004755C3 33D2                    xor edx, edx
:004755C5 8B8318030000            mov eax, dword ptr [ebx+00000318]
:004755CB E8E870FBFF              call 0042C6B8
:004755D0 B201                    mov dl, 01
:004755D2 8B8340040000            mov eax, dword ptr [ebx+00000440]
:004755D8 8B08                    mov ecx, dword ptr [eax]
:004755DA FF515C                  call [ecx+5C]
:004755DD C605D1BA470001          mov byte ptr [0047BAD1], 01

* Possible StringData Ref from Code Obj ->"Code"
                                  |
:004755E4 68A0564700              push 004756A0
:004755E9 8D95E8FEFFFF            lea edx, dword ptr [ebp+FFFFFEE8]
:004755EF 8B45FC                  mov eax, dword ptr [ebp-04]
:004755F2 E84595FEFF              call 0045EB3C
:004755F7 8B95E8FEFFFF            mov edx, dword ptr [ebp+FFFFFEE8]
:004755FD 8D85ECFEFFFF            lea eax, dword ptr [ebp+FFFFFEEC]
:00475603 E8A4F9F8FF              call 00404FAC
:00475608 8D85ECFEFFFF            lea eax, dword ptr [ebp+FFFFFEEC]
:0047560E 50                      push eax

* Possible StringData Ref from Code Obj ->"Software\Sun\Keyghost3xx"
                                  |
:0047560F B9B0564700              mov ecx, 004756B0
:00475614 B202                    mov dl, 02
:00475616 8B8310030000            mov eax, dword ptr [ebx+00000310]
:0047561C E85F21FEFF              call 00457780

* Possible StringData Ref from Code Obj ->"注册成功！谢谢您的支持！"
                                  |
:00475621 B8D4564700              mov eax, 004756D4 <--- a correct registration code jumps here ("registration successful" message);
:00475626 E885A9FDFF              call 0044FFB0
:0047562B EB0A                    jmp 00475637

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047558E(C), :004755B4(C)
|

* Possible StringData Ref from Code Obj ->"请购买本软件！见右侧注册说明！"
                                  |
:0047562D B8F8564700              mov eax, 004756F8 <--- a wrong registration code jumps here ("please buy this software" message);
:00475632 E879A9FDFF              call 0044FFB0

---------------------------------------------------------------------------

Stepping into call 0047187C: this call checks the validity of the entered registration code

* Referenced by a CALL at Addresses:
|:004755AD   , :00475979   
|
:0047187C 55                      push ebp
:0047187D 8BEC                    mov ebp, esp
:0047187F 81C4ECFCFFFF            add esp, FFFFFCEC
:00471885 53                      push ebx
:00471886 56                      push esi
:00471887 57                      push edi
:00471888 33D2                    xor edx, edx
:0047188A 8995F0FCFFFF            mov dword ptr [ebp+FFFFFCF0], edx
:00471890 8995ECFCFFFF            mov dword ptr [ebp+FFFFFCEC], edx
:00471896 8995F8FCFFFF            mov dword ptr [ebp+FFFFFCF8], edx
:0047189C 8995F4FCFFFF            mov dword ptr [ebp+FFFFFCF4], edx
:004718A2 8BF0                    mov esi, eax
:004718A4 8DBDFFFEFFFF            lea edi, dword ptr [ebp+FFFFFEFF]
:004718AA 33C9                    xor ecx, ecx
:004718AC 8A0E                    mov cl, byte ptr [esi]
:004718AE 41                      inc ecx
:004718AF F3                      repz
:004718B0 A4                      movsb
:004718B1 33C0                    xor eax, eax
:004718B3 55                      push ebp
:004718B4 68DE194700              push 004719DE
:004718B9 64FF30                  push dword ptr fs:[eax]
:004718BC 648920                  mov dword ptr fs:[eax], esp
:004718BF C645FF00                mov [ebp-01], 00
:004718C3 8D85F4FCFFFF            lea eax, dword ptr [ebp+FFFFFCF4]
:004718C9 8D95FFFEFFFF            lea edx, dword ptr [ebp+FFFFFEFF]
:004718CF E81C25F9FF              call 00403DF0
:004718D4 8B85F4FCFFFF            mov eax, dword ptr [ebp+FFFFFCF4]
:004718DA 8D95F8FCFFFF            lea edx, dword ptr [ebp+FFFFFCF8]
:004718E0 E82374F9FF              call 00408D08
:004718E5 8B95F8FCFFFF            mov edx, dword ptr [ebp+FFFFFCF8]
:004718EB 8D85FFFEFFFF            lea eax, dword ptr [ebp+FFFFFEFF]
:004718F1 B9FF000000              mov ecx, 000000FF
:004718F6 E82D25F9FF              call 00403E28
:004718FB 33DB                    xor ebx, ebx
:004718FD C685FFFDFFFF00          mov byte ptr [ebp+FFFFFDFF], 00
:00471904 C685FFFCFFFF00          mov byte ptr [ebp+FFFFFCFF], 00
:0047190B 8D95FFFEFFFF            lea edx, dword ptr [ebp+FFFFFEFF]
:00471911 B8F0194700              mov eax, 004719F0

:00471916 E80511F9FF              call 00402A20 <--- checks whether the entered registration number has the form xxxx-yyyy;
                                                    step in with F8 to see.
:0047191B 8BF0                    mov esi, eax
:0047191D 85F6                    test esi, esi
:0047191F 0F8E9B000000            jle 004719C0 <--- jumps if the registration number is not of the form xxxx-yyyy;
                                                   it must not jump here, or it's all over. :-)

:00471925 8D85FFFDFFFF            lea eax, dword ptr [ebp+FFFFFDFF]
:0047192B 50                      push eax
:0047192C 8BCE                    mov ecx, esi
:0047192E 49                      dec ecx
:0047192F BA01000000              mov edx, 00000001
:00471934 8D85FFFEFFFF            lea eax, dword ptr [ebp+FFFFFEFF]
:0047193A E8250FF9FF              call 00402864
:0047193F 8D85FFFCFFFF            lea eax, dword ptr [ebp+FFFFFCFF]
:00471945 50                      push eax
:00471946 33C9                    xor ecx, ecx
:00471948 8A8DFFFEFFFF            mov cl, byte ptr [ebp+FFFFFEFF]
:0047194E 2BCE                    sub ecx, esi
:00471950 8D5601                  lea edx, dword ptr [esi+01]
:00471953 8D85FFFEFFFF            lea eax, dword ptr [ebp+FFFFFEFF]
:00471959 E8060FF9FF              call 00402864 
:0047195E 33D2                    xor edx, edx
:00471960 8A95FFFDFFFF            mov dl, byte ptr [ebp+FFFFFDFF]
:00471966 85D2                    test edx, edx
:00471968 7E16                    jle 00471980
:0047196A 8D8500FEFFFF            lea eax, dword ptr [ebp+FFFFFE00]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047197E(C)
|
:00471970 33C9                    xor ecx, ecx
:00471972 8A08                    mov cl, byte ptr [eax]
:00471974 03D9                    add ebx, ecx
:00471976 81C3A41D0F00            add ebx, 000F1DA4
:0047197C 40                      inc eax
:0047197D 4A                      dec edx
:0047197E 75F0                    jne 00471970

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471968(C)
|
:00471980 8D85F0FCFFFF            lea eax, dword ptr [ebp+FFFFFCF0]
:00471986 8D95FFFCFFFF            lea edx, dword ptr [ebp+FFFFFCFF]
:0047198C E85F24F9FF              call 00403DF0
:00471991 8B85F0FCFFFF            mov eax, dword ptr [ebp+FFFFFCF0]
:00471997 50                      push eax
:00471998 8D95ECFCFFFF            lea edx, dword ptr [ebp+FFFFFCEC]
:0047199E 8BC3                    mov eax, ebx

:004719A0 E8E374F9FF              call 00408E88 <--- computes the correct registration code from xxxx;
                                                once this instruction has executed, EDX holds the
                                                correct registration code; mine is 5944406

:004719A5 8B95ECFCFFFF            mov edx, dword ptr [ebp+FFFFFCEC]
:004719AB 58                      pop eax

:004719AC E8AB25F9FF              call 00403F5C <--- checks whether yyyy equals the registration code
                                                    computed above from xxxx;
:004719B1 750D                    jne 004719C0  <--- jumps away if they differ;

:004719B3 80BD00FFFFFF61          cmp byte ptr [ebp+FFFFFF00], 61
:004719BA 7204                    jb 004719C0
:004719BC C645FF01                mov [ebp-01], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0047191F(C), :004719B1(C), :004719BA(C)
|
:004719C0 33C0                    xor eax, eax <--- the lovely EAX flag is set to 0, and it's all over
:004719C2 5A                      pop edx
:004719C3 59                      pop ecx
:004719C4 59                      pop ecx
:004719C5 648910                  mov dword ptr fs:[eax], edx
:004719C8 68E5194700              push 004719E5

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004719E3(U)
|
:004719CD 8D85ECFCFFFF            lea eax, dword ptr [ebp+FFFFFCEC]
:004719D3 BA04000000              mov edx, 00000004
:004719D8 E81322F9FF              call 00403BF0
:004719DD C3                      ret
Stepping into call 00402A20: this call checks whether the registration code has the form xxxx-yyyy.
:00402A20 53                      push ebx
:00402A21 56                      push esi
:00402A22 57                      push edi
:00402A23 89C6                    mov esi, eax
:00402A25 89D7                    mov edi, edx
:00402A27 31C9                    xor ecx, ecx
:00402A29 8A0F                    mov cl, byte ptr [edi]
:00402A2B 47                      inc edi
:00402A2C 57                      push edi
:00402A2D 31D2                    xor edx, edx
:00402A2F 8A16                    mov dl, byte ptr [esi]
:00402A31 46                      inc esi
:00402A32 4A                      dec edx
:00402A33 781B                    js 00402A50
:00402A35 8A06                    mov al, byte ptr [esi] <--- loads AL with 2D, i.e. the character '-';
:00402A37 46                      inc esi
:00402A38 29D1                    sub ecx, edx
:00402A3A 7E14                    jle 00402A50

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402A4E(U)
|
:00402A3C F2                      repnz
:00402A3D AE                      scasb <--- loops over the entered registration code, comparing each character with the '-' in AL
:00402A3E 7510                    jne 00402A50 <--- jumps away if there is no '-' in the registration code;

:00402A40 89CB                    mov ebx, ecx
:00402A42 56                      push esi
:00402A43 57                      push edi
:00402A44 89D1                    mov ecx, edx
:00402A46 F3                      repz
:00402A47 A6                      cmpsb
:00402A48 5F                      pop edi
:00402A49 5E                      pop esi
:00402A4A 7409                    je 00402A55
:00402A4C 89D9                    mov ecx, ebx
:00402A4E EBEC                    jmp 00402A3C

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402A33(C), :00402A3A(C), :00402A3E(C)
|
:00402A50 5A                      pop edx
:00402A51 31C0                    xor eax, eax
:00402A53 EB05                    jmp 00402A5A

To sum up, my registration code is: liangs-5944406
                  Font Creator Program
                          Program Hunter


Software name: Font Creator Program
Version: 2.2
Size: 1165KB
License: shareware
Platform: Win95/98/NT
Publisher: http://members.xoom.com/lccw/
Description: a program for creating fonts (TTF). Besides making your own, it can directly edit and modify any
TrueType font on the Windows operating system, and the fonts you create or modify can be saved and used.
name:dahuilang
company:programhunter
RN:012-345-678-901

These past few days I have only been working on the homepage and had almost forgotten about cracking software,
the pastime I love. Today I started cracking again. Cracking this program is quite simple, nothing difficult,
suitable for beginners.

:004B74AC FF75F0                  push [ebp-10]
:004B74AF 8D55EC                  lea edx, dword ptr [ebp-14]
:004B74B2 8B45FC                  mov eax, dword ptr [ebp-04]
:004B74B5 8B8004030000            mov eax, dword ptr [eax+00000304]
:004B74BB E874D0F7FF              call 00434534
:004B74C0 FF75EC                  push [ebp-14]
:004B74C3 8D55E8                  lea edx, dword ptr [ebp-18]
:004B74C6 8B45FC                  mov eax, dword ptr [ebp-04]
:004B74C9 8B800C030000            mov eax, dword ptr [eax+0000030C]
:004B74CF E860D0F7FF              call 00434534
:004B74D4 FF75E8                  push [ebp-18]
:004B74D7 8D55E4                  lea edx, dword ptr [ebp-1C]
:004B74DA 8B45FC                  mov eax, dword ptr [ebp-04]
:004B74DD 8B8014030000            mov eax, dword ptr [eax+00000314]
:004B74E3 E84CD0F7FF              call 00434534
:004B74E8 FF75E4                  push [ebp-1C]
:004B74EB 8D45F8                  lea eax, dword ptr [ebp-08]
:004B74EE BA04000000              mov edx, 00000004
:004B74F3 E8ACCBF4FF              call 004040A4
:004B74F8 8D55DC                  lea edx, dword ptr [ebp-24]
:004B74FB 8B45FC                  mov eax, dword ptr [ebp-04]
:004B74FE 8B800C030000            mov eax, dword ptr [eax+0000030C]
:004B7504 E82BD0F7FF              call 00434534
:004B7509 8B45DC                  mov eax, dword ptr [ebp-24]
:004B750C BA03000000              mov edx, 00000003
:004B7511 4A                      dec edx
:004B7512 3B50FC                  cmp edx, dword ptr [eax-04]
:004B7515 7205                    jb 004B751C
:004B7517 E818BAF4FF              call 00402F34

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B7515(C)
|
:004B751C 42                      inc edx
:004B751D 8A4410FF                mov al, byte ptr [eax+edx-01]
:004B7521 50                      push eax
:004B7522 8D55D8                  lea edx, dword ptr [ebp-28]
:004B7525 8B45FC                  mov eax, dword ptr [ebp-04]
:004B7528 8B80E0020000            mov eax, dword ptr [eax+000002E0]
:004B752E E801D0F7FF              call 00434534
:004B7533 8B45D8                  mov eax, dword ptr [ebp-28]
:004B7536 8D4DE0                  lea ecx, dword ptr [ebp-20]
:004B7539 5A                      pop edx
:004B753A E82DD4FFFF              call 004B496C
:004B753F 8B45E0                  mov eax, dword ptr [ebp-20]
:004B7542 50                      push eax
:004B7543 8D55D4                  lea edx, dword ptr [ebp-2C]
:004B7546 8B45F8                  mov eax, dword ptr [ebp-08]
:004B7549 E8A614F5FF              call 004089F4
:004B754E 8B55D4                  mov edx, dword ptr [ebp-2C]  ***
:004B7551 58                      pop eax                      ***
:004B7552 E89DCBF4FF              call 004040F4
:004B7557 7556                    jne 004B75AF
:004B7559 8D55D0                  lea edx, dword ptr [ebp-30]
This is the key comparison; if you look further down, you will find an even more important place, as follows:
:004B758B 6A00                    push 00000000
:004B758D 668B0D24764B00          mov cx, word ptr [004B7624]
:004B7594 B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Thank you for registering the "
                                        ->"Font Creator Program."
                                  |
:004B7596 B830764B00              mov eax, 004B7630
:004B759B E86023FAFF              call 00459900
:004B75A0 8B45FC                  mov eax, dword ptr [ebp-04]
:004B75A3 C7803402000001000000    mov dword ptr [ebx+00000234], 00000001
:004B75AD EB22                    jmp 004B75D1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B7557(C)
|
:004B75AF 6A00                    push 00000000
:004B75B1 668B0D24764B00          mov cx, word ptr [004B7624]
:004B75B8 B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"Registration failed: Invalid Password"
                                  |
:004B75BA B86C764B00              mov eax, 004B766C
:004B75BF E83C23FAFF              call 00459900
:004B75C4 8B45FC                  mov eax, dword ptr [ebp-04]
:004B75C7 C7803402000002000000    mov dword ptr [ebx+00000234], 00000002
Here you can see where registration succeeds and where it fails, so the registration code can be obtained above, and the crack is finished.

             **********************************
             *      name:dahuilang            *
             *      company:programhunter     *
             *      RN:G6E-966-494-232        *
             **********************************
                    Hacking Windows 95 Screen Saver Passwords
                        (and a bit of cryptography)
                                by Lonely Hawk

Courtesy of Fravia's page of reverse engineering

--------------------------------------------------------------------------------

I have been cracking programs ever since I owned a ZX Spectrum. To be
honest, the only ones I was really interested in at first, were the
games I played and couldn't win. I remember my first crack was at a
game called JetPac, and I was only 15 years old.
But then came the horrible times of studying in the Univ. Non stop.
Completely destroying any creative impulse God gave me, by trying to
'guide' it. Oh well. It was until I saw the great +ORC's tutorials
that I realized my suppressed 'hobby' could not die. I immediately
scanned the Web for the necessary tools and started spying Win 95
programs.
I literally cracked my way in every direction: I created 4 pages of
program codes, producing my own serials for every shareware program I
had. Some of the programs I cracked needed a little bit more of 'zen'
thinking, to put it in +ORC's words. Most of them though, were of the
BOZO-PROGRAMMERS-R-LIVE-HERE kind. So I relaxed, and enjoyed my supreme
power over the Windows 95 architecture.
Then one day, in the lab I work, I wanted to get something from a
friend's hard disk. I already knew the machine's password (not by hacking,
he's my friend), so I sat down in front of the monitor and moved the
mouse to remove the screen saver. Yikes! A dialog box popped up, asking
for the screen saver password. I tried my friend's 'global' password,
but it didn't work. Hmmm. I returned to my machine and searched the
Web for screen saver hacks. I found one for Windows 3.1 and tested it on
my NT 4.0. Great! I just run the program and it says the password. Good.
Let's run it on my friend's PC (rebooted and logged in - I had already
lost my interest in what I wanted from his disk and wanted to know his
screen saver password). I run it and it says 'screen saver password is
'BacB'. I try it - nothing. It's wrong. Hmm, time to do some hacking.
All right, Microsoft, where do you store these passwords? In Windows 3.1,
says the proggy I downloaded, it's inside control.ini. The same happens
in Windows NT 4.0, but not in Windows 95! Strange... (obviously some mixup
in the sources used inside these monster OS's). I GREP'ed inside all my
friend's PC *.ini files for 'pass'. Nothing related to my needs. In most
of these situations, one must then try the registry. I fired up regedit,
and looked for "saver". After some searching, I got in the following
interesting place:

\HKEY_CURRENT_USER\Control Panel\desktop\ScreenSave_Data

This hosted a list of numbers, which in the test I immediately did, was
exactly twice the size of the password I gave. If for example I gave the
password "testing", the list had 14 numbers. This looked suspicious enough,
so I fired SoftIce, and got to the dialog box asking for the new password
two times. I wrote my favorite one, 'POTATOES', in both edit fields, and
pressed CTRL-D. I then searched the memory to BPR in, so

s 30:0 lffffffff "POTAT"

BTW, always use a subset of the password, since this way you avoid mixing
up the real password image with the one in the OS dustbin. The real one
will show up in the data window as POTATOES, the false one as POTAT.
I found two occurrences, one immediately after the other (remember, you
input it twice in the dialog box), so I BPR there.

BPR 30:80XXXXXX 30:80XXXXXX+8 RW
BPR 30:80ZZZZZZ 30:80ZZZZZZ+8 RW

Ctrl-D again, and pressing OK, made Softice pop up again, this time in
the well known KERNEL HMEMCPY part. The two password images were copied in
memory, and by BPR in the new positions, I found out that they were
compared bytewise to see if they match. A normal operation for passwords,
so I continued. The next SoftIce popup was inside a REP MOVSB to a new
location, so I BPR it again. I was beginning to feel frustrated - how
many times does this stupid OS copy the string - I already had 5 copies
of it! (no wonder Win 95 needs 16 MB RAM). Oh well, Ctrl-D again (continue
running).
Luckily, the next popup was right where I wanted it:

sub ebp, ebp ; ebp=0, first character of the password
; will be processed
...
loop1:
....
.... ; code that produces a special number into eax
.... ; eax is in range of 0-255
....
mov cl, [7E125010+eax] ; read from a table of 256 values
mov eax, offset password
xor [eax+ebp], al ; xor the ebp-letter of the password
inc ebp
cmp ebp, [length of password]
jl loop1

After this ridiculous xoring loop, the transformed password was read,
and typed into a string, using wsprintf. If for example POTATOES was
transformed to 8 numbers like a1, 54, a2, 32, ... then with wsprintf
these numbers will be typed in the registry as 41, 31, (asciiz of a1)
35, 34 (asciiz of 54), etc. What a coincidence, when I discovered that
these numbers were the same with the ones in the registry!
OK, so how do I crack this? Well, first I examined how the table was
getting filled (the table is supposed to be pseudorandom) and I recreated
the table, using C (i mean the table placed at 7E125010 in the above code
snip). Then I started scratching my head to find a way back to the original
password, when I realized this: each output value, was produced from
exactly one character of the password! there was no interleaving in the
XOR's! Each letter of the original password was XOR'ed with a value, and
that's it! This means that by checking every entry in the table to see
which one produces the value you search after XORING, you could find the
original password!
For example: Suppose you have a table of random values a(i),i=0..N-1,
where each a(i) is different from all others a(j), j<>i. You then choose
i randomly, and XOR password[0] with a(i). The same is done with all
letters of the password. To crack this code, all you have to do is:

for each transformed code of the password, password[k]
find by testing all the matrix elements, matrix[j]
which ASCII code XOR'd with matrix[j] gives password[k]

This is not computationally expensive brute force, since you check 256
values for each letter! A ZX Spectrum would compute the password in
half a second. A PC, say, in 1 sec :)

OK, here's the code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

unsigned char matrix[256+2];
unsigned char matrixok[256+2];
unsigned char mystery[4]={ 0xb2, 0xdc, 0x90, 0x8f };
unsigned char h1;
unsigned char pa[79], passwd[80];
unsigned char tofind[30];
int h2=4;
unsigned int lentofind;
int len;

/* Rebuild the 256-entry table at 7E125010: start from the identity and do
   one swap per position, driven by the 4-byte 'mystery' key; keep a clean
   copy in matrixok so check() can reset it for every candidate. */
void fixmatrix()
{
  unsigned char orig, mys, help1, last;
  int i,j, help2;

  for(i=0; i<256; i++)
    matrix[i]=i;
  matrix[256]=0; matrix[256+1]=0;
  h1=0; last=0;
  for(j=0;j<256;j++) {
    orig=matrix[j];
    mys=mystery[h1];
    help2=(mys+last+matrix[j]) & 0xff;
    help1=matrix[help2];
    matrix[j]=help1;
    matrix[help2]=orig;
    last=help2;
    h1++; h1=h1%4;
  }
  memcpy(matrixok, matrix, sizeof(matrix));
}

/* Scramble the candidate in 'test' into pa[] the way the screen saver does. */
void check(char *test)
{
  unsigned char help1, oldh2;
  int i;

  strcpy((char *)passwd, test);
  strcpy((char *)pa, (char *)passwd);
  len=strlen((char *)pa);

  memcpy(matrix, matrixok, sizeof(matrix));

  h1=0; h2=0;
  /* [the per-character loop, beginning "for(i=0;i", is missing from the
     page as extracted: it derives a table index for each character and
     XORs pa[i] with that table entry] */
}

/* is 'a' a hexadecimal digit (0-9, A-F)? */
int is_ok(char a)
{
  if ((a<='9') && (a>='0'))
    return 1;
  else if ((a<='F') && (a>='A'))
    return 1;
  else
    return 0;
}

/* value of one hex digit; is_ok() has already filtered the input */
int nibble(char c)
{
  if((c>='A') && (c<='F'))
    return (10+c-'A');
  else if((c>='0') && (c<='9'))
    return (c-'0');
  return 0;
}

/* turn "a1,54,a2,..." into the byte string tofind[] */
void parse(char *inpt)
{
  char *tok;
  char num[2];

  lentofind=0;
  tok=strtok(inpt, "\t ,\n");
  while(tok!=NULL) {
    num[0]=tok[0]; num[1]=tok[1];
    if ((!is_ok(num[0])) || (!is_ok(num[1])))
    {
      puts("Please input strings like: a1,b1,05,c3,d2,f3");
      exit(0);
    }
    tofind[lentofind++]=16*nibble(num[0])+nibble(num[1]);

    tok=strtok(NULL, "\t ,\n");
  }
  tofind[lentofind]=0;
}

int main(void)
{
  unsigned int i;
  int j,found=0;
  unsigned char tst[80];
  char inpt[120];

  fixmatrix();
  printf("Windows 95 Screen Saver Cracker.\nMade by Lonely Hawk.\n\n");
  printf("Give me the codes, separated by commas (in hex):\n >");
  if(fgets(inpt, sizeof(inpt), stdin)==NULL)   /* gets() in the original */
    return 1;
  /* [the rest of main(), beginning "for(i=0;i", is missing from the page
     as extracted: the search that tries the table entries against tofind[]] */
  return 0;
}
This kind of stupid Microsoft coding makes me think a little. What would be
the ideal way to hide these passwords? The reason I cracked Microsoft's code
is NOT because I have SoftIce. The reason is because the algorithm is
ridiculous. The way I see it, to do real cryptography, you must use an
algorithm that cannot be reversed, but cannot also be cracked by brute
force. Take the UNIX algorithm for instance: everyone has the code for
it, but no one can reverse it. And to brute force it, you need a
supercomputer running for ages. If Microsoft used such an algorithm,
I would have to crack the system to get in: alter the code to do a
jnz instead of a jz. And if the code is only deletable from administrative
accounts, I would not be able to do anything.
Or at least, that's what I would let them think... :)

Lonely Hawk
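The two points of the article, as an added Python example that is not Lonely Hawk's code or anything from Microsoft: `fixmatrix()` is transcribed from the article's table builder, `index_for()` is an assumed stand-in for the index derivation the article elides with "....", and the PBKDF2 part plays the role of the "UNIX algorithm" the closing paragraph asks for. It shows why a per-character XOR against a fixed table falls to a search that is linear in the password length, and what a check that cannot be inverted looks like.

```python
# Added example, not code from the article above. fixmatrix() transcribes
# the article's table builder; index_for() is an ASSUMED stand-in for the
# table-index rule the article does not print; PBKDF2 stands in for the
# "UNIX algorithm" the article names as the alternative.
import hashlib
import hmac
import os
import string

MYSTERY = bytes([0xb2, 0xdc, 0x90, 0x8f])   # the 4-byte key from the article


def fixmatrix(key=MYSTERY):
    """Identity table, then one key-driven swap per position (an RC4-style
    key schedule). Swapping only ever permutes, so the result is a
    permutation of 0..255."""
    matrix = list(range(256))
    last = 0
    for j in range(256):
        orig = matrix[j]
        target = (key[j % len(key)] + last + matrix[j]) & 0xff
        matrix[j] = matrix[target]
        matrix[target] = orig
        last = target
    return matrix


def index_for(position):
    """ASSUMED stand-in for the 'special number' the article's loop leaves in
    eax. Any rule that depends on the position alone keeps the article's
    weakness: each output byte depends on exactly one password character."""
    return (position * 7 + 3) & 0xff


def weak_scramble(password, table):
    """The article's loop: code[k] = password[k] ^ table[index]."""
    return bytes(ord(ch) ^ table[index_for(k)] for k, ch in enumerate(password))


def registry_form(codes):
    """The wsprintf step: each code byte is stored as two ASCII hex digits,
    which is why the registry value is twice the password length."""
    return "".join("%02x" % c for c in codes)


def recover_per_position(codes, table):
    """The article's observation in action: no interleaving, so every
    position is searched on its own. Returns (password, trials used);
    the worst case is 94 trials per character, not 94 ** length."""
    alphabet = string.printable.strip()   # the 94 visible ASCII characters
    out, trials = [], 0
    for k, code in enumerate(codes):
        for ch in alphabet:
            trials += 1
            if ord(ch) ^ table[index_for(k)] == code:
                out.append(ch)
                break
    return "".join(out), trials


# --- what the article asks for instead: a check that cannot be inverted ---

def make_verifier(password, iterations=200_000):
    """Store salt, cost and the PBKDF2-HMAC-SHA256 digest. Nothing stored
    here can be XOR-ed back into the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password, record):
    """Recompute the digest and compare in constant time. A wrong guess costs
    a full PBKDF2 run and reveals nothing about individual characters."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    table = fixmatrix()
    codes = weak_scramble("POTATOES", table)
    print("registry value:", registry_form(codes))
    pw, trials = recover_per_position(codes, table)
    print("recovered %r after %d trials (worst case %d)" % (pw, trials, 94 * len(codes)))
    rec = make_verifier("POTATOES")
    print("pbkdf2 accepts the password:", verify("POTATOES", rec))
    print("pbkdf2 accepts a near miss:", verify("POTATOE", rec))
```

Run it as a script to see the three stages side by side; the per-position search finishes in a few hundred trials for an eight-character password, while the PBKDF2 record gives an attacker no per-character oracle at all.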
 
[Beginner's Corner]

[Q&A]
jin: how to crack winzip password?

Hi, there

I am a newbie of software cracking. I learned a lot from your magazine.
They are great!

I tried to use some cracking software to do this job, but it seems that
it will take an incredible long time to make it on my slow computer. So
I give this up.

I just wonder, if I can use SI or TRW to crack winzip file password. I
tried to use "bpx hmemcpy" to trace winzip, but can not find anything.
After I enter the fake password, TRW pops up, but before I do any
tracing, the error message already comes up. Can you give me some idea?

Thanks!

Jin

jin, you can try tracing it with the dialog-close interception method: set bpx lockmytask, then when the error window appears and you click OK, you will be stopped; at that point you can jump into the main program and look for the call or the je, jne, etc. that leads to the error location. This is only one method and will not necessarily succeed. If anyone has a better suggestion, write to my mailbox.

[Website Introduction]
wind's security website: http://biggow.8u8.com

wind, a lovely-sounding name, like a girl's name, and his website, like his name, has something that moves you. I went from not knowing the webmaster of wind's site to knowing him well, which gave me a better understanding of his site. Today I recommend this cracking site to everyone as worth a visit. Although its content is not as complete and extensive as the better-known cracking sites, it has a youthful vigor, because its webmaster is a student still in school. If you want to find a registration code or a keygen for some program, you must visit this site, because it is dedicated to providing these, whereas my site is a teaching site. When you need a registration code or a keygen, go there; I am sure it will not disappoint you.

[Magazine Mailbox]
Submissions: discoveredit@china.com
Questions: discoveranswer@china.com
Webmaster: programhunter@china.com