Win Image v5.0

amois

Program Url: w*w.winimage.com
Program Tipi: *

Araçlar:

 

SoftIce

Basit ( )  Orta (x)  Zor ( )  Pro ( )

Başlangıç

 

"Mr_Stop hic durmaz, durdurulamaz. Hadi Stop, kim tutar seni ? "

 

Yazı


"amois", "1907" -> [bpx hmemcpy] -> birkac [F12] ->

0167:0042F08F MOV EDI,00443D18                <- buradayiz
0167:0042F094 PUSH 7F
0167:0042F096 PUSH EDI
0167:0042F097 PUSH 00000817
0167:0042F09C PUSH DWORD PTR [EBP+08]
0167:0042F09F CALL ESI
0167:0042F0A1 PUSH 004440E8
0167:0042F0A6 PUSH EDI                        <- 1907
0167:0042F0A7 PUSH EBX                        <- amois
0167:0042F0A8 CALL 004347C9                   <- ?
0167:0042F0AD MOV ECX,[004440E8]

[bpx 42F0A8] -> [F8] ->

...
0167:004347ED PUSH DWORD PTR [EBP+08]
0167:004347F0 CALL 004346F9
0167:004347F5 MOV EDI,EAX                     <- eax = 4D2F?? oldu
0167:004347F7 ADD ESP,0C
0167:004347FA CMP EDI,B8DCDD26                <- bu da kim acaba ?
0167:00434800 JZ 00434904
0167:00434806 LEA EAX,[EBP-0100]              <- 1907
0167:0043480C PUSH EAX
0167:0043480D LEA EAX,[EBP-0200]
0167:00434813 PUSH EDI
0167:00434814 PUSH EAX
0167:00434815 CALL 0043477C
0167:0043481A POP ECX                         <- 4D2F??
0167:0043481B POP ECX
0167:0043481C PUSH EAX
0167:0043481D CALL 00437BA0
0167:00434822 POP ECX
0167:00434823 TEST EAX,EAX
0167:00434825 POP ECX
0167:00434826 JZ 004348CC
0167:0043482C LEA EAX,[EBP-0100]
0167:00434832 PUSH EAX
0167:00434833 LEA EAX,[EDI+14051948]          <- 4D2F??+14051948=14524???
0167:00434839 PUSH EAX
0167:0043483A LEA EAX,[EBP-0200]
0167:00434840 PUSH EAX
0167:00434841 CALL 0043477C
0167:00434846 POP ECX                         <- 14524???
...


Cagri sonuna kadar, Memory'de bircok serial olabilecek sayiya rastliyoruz. Bu sayilar, 4D2F??'e eklenen sabit sayilarla olusuyor. Programin, Standard veya Professional modda calismasini sagliyorlar.

Ayrica, 4347FA'da bir kontrol var. B8DCDD26 degeri, belirli bir username icin olusuyor. Programcinin veya Black List'deki birinin adi olabilir.

Ana serialin nasil hesaplandigina bakalim. [bpx 4347F0] -> [F8] ->

0167:00434712 PUSH EAX
0167:00434713 CALL 004346CD                   <- AMOIS <- buyuk harf
0167:00434718 POP ECX
0167:00434719 LEA EAX,[EBP-0104]
0167:0043471F POP ECX
0167:00434720 PUSH EAX
0167:00434721 CALL [00446894]                 <- 5 <- uzunluk
0167:00434727 XOR ECX,ECX                     <- ecx = 0 <- sayac
0167:00434729 MOV [EBP+08],EAX
0167:0043472C TEST EAX,EAX
0167:0043472E JLE 00434777
0167:00434730 PUSH EBX
0167:00434731 PUSH ESI
0167:00434732 LEA ESI,[EBP-0104]
0167:00434738 PUSH EDI
0167:00434739 MOV EDI,[EBP+08]
0167:0043473C SUB ESI,03
0167:0043473F MOV EAX,ECX
0167:00434741 PUSH 0E                         <- 0Eh
0167:00434743 CDQ
0167:00434744 POP EBX                         <- ebx = 0Eh
0167:00434745 IDIV EBX
0167:00434747 TEST EDX,EDX
0167:00434749 JNZ 0043474E
0167:0043474B PUSH 27                         <- 27h
0167:0043474D POP EDI                         <- edi = 27h
0167:0043474E MOVZX EDX,BYTE PTR [ECX+ESI+03] <- A M O I S
0167:00434753 LEA EAX,[ECX+03]
0167:00434756 IMUL EDX,EDI
0167:00434759 ADD [EBP-04],EDX                <- sonuc buraya
0167:0043475C PUSH 0E                         <- 0Eh
0167:0043475E CDQ
0167:0043475F POP EBX                         <- ebx = 0Eh
0167:00434760 IDIV EBX
0167:00434762 TEST EDX,EDX
0167:00434764 JZ 0043476B
0167:00434766 LEA EDI,[EDI*2+EDI]
0167:00434769 JMP 0043476E
0167:0043476B IMUL EDI,EDI,07
0167:0043476E INC ECX
0167:0043476F CMP ECX,[EBP+08]                <- karakter kaldi mi ?
0167:00434772 JL 0043473F

43473F ile 434772 arasinda bir dongu var. Bu dongu sonucunda, 434759'daki [ebp-04] bolgesinde 4D2F?? degeri olusuyor. Bu bolgedeki baslangic degeri ise 47694?h.

Bu bolum sona erdikten sonra, ufak bir trick daha var.

0167:00434792 CALL [USER32!wsprintfA]         <- "%lX" formatinda yaz
0167:00434798 MOV AL,[EBP-10]                 <- 4 D 2 F ? ?
0167:0043479B ADD ESP,0C
0167:0043479E TEST AL,AL
0167:004347A0 JZ 004347C0
0167:004347A2 LEA ECX,[EBP-10]
0167:004347A5 SUB ECX,ESI
0167:004347A7 CMP AL,38                       <- digit "8" mi ?
0167:004347A9 JNZ 004347AF                    <- degil
0167:004347AB ADD AL,0A                       <- o zaman "B" olsun
0167:004347AD JMP 004347B5                    <- yaziver
0167:004347AF CMP AL,42                       <- digit "B" mi ?
0167:004347B1 JNZ 004347B5                    <- degil
0167:004347B3 ADD AL,F6                       <- o zaman "8" olsun
0167:004347B5 MOV [ESI],AL                    <- son hali burada
0167:004347B7 MOV AL,[ESI+ECX+01]             <- 4 D 2 F ? ?
0167:004347BB INC ESI
0167:004347BC TEST AL,AL
0167:004347BE JNZ 004347A7


Yani, dongu sonucu olusan serialde "B" ve "8" karakterleri birbirleri ile degistiriliyor. "amois" icin olusan deger 4D2F?? oldugu icin, herhangi bir degisiklik olmayacak.

KeyGen kodumuz su sekilde olabilir ->

.data

; Keygen reconstructed from the trace above (the loop at 0043473F-00434772
; and the digit-swap loop at 004347A7-004347BE). Labels are named after the
; original addresses. Values the author redacted with "?" are kept as they
; appear on the page.
isim        db "amois",0                ; user name used as input
sonuc       db 32h dup(?)               ; output buffer for the hex serial (32h = 50 bytes)
tur         db "%lX",0                  ; wsprintf format: upper-case hexadecimal
isim_uz     dd 0h                       ; length of isim, filled in at run time
serial      dd 047694?h             ; initial accumulator value (author redacted the last digit with "?"; not a valid literal as written)
serial_uz   dd 0h                       ; length of the formatted serial, filled in at run time

.code

start:

invoke ucase, addr isim             ; convert the name to upper case (cf. CALL 004346CD annotated "AMOIS" in the trace)
invoke StrLen, addr isim            ; name length
mov isim_uz, eax                    ; store it

xor ecx, ecx ; counter = 0 (index into isim)
lea esi, isim

; Per-character loop, lifted from 0043473F-00434772 with small changes:
; the original reads [ECX+ESI+03] after SUB ESI,03, here ESI points at
; isim directly. Because 0 mod 0Eh = 0, the first pass sets EDI = 27h,
; so EDI needs no initialisation before the loop.
@43473F:
mov eax, ecx                        ; these parts come from the original program
push 0Eh                            ; only small changes were made
cdq
pop ebx
idiv ebx                            ; edx = ecx mod 0Eh
test edx, edx
jnz @43474E
push 027h
pop edi                             ; multiplier restarts at 27h every 14th character
@43474E:
movzx edx, byte ptr [ecx+esi]       ; current (upper-cased) character
lea eax, [ecx+3]                    ; eax = ecx + 3, consumed by the second idiv below
imul edx, edi                       ; character * multiplier
add serial, edx                     ; accumulate into the serial
push 0Eh
cdq
pop ebx
idiv ebx                            ; edx = (ecx + 3) mod 0Eh
test edx, edx
jz @43476B
lea edi, [edi*2+edi]                ; multiplier *= 3
jmp @43476E
@43476B:
imul edi, edi, 07                   ; multiplier *= 7 when (ecx + 3) mod 0Eh = 0
@43476E:
inc ecx
cmp ecx, isim_uz
jl @43473F                          ; next character while ecx < name length

invoke wsprintf, addr sonuc, addr tur, serial   ; format serial as "%lX" into sonuc

call @degistir                      ; swap "B" and "8" digits (cf. 004347A7-004347BE in the trace)

@cikis:
invoke ExitProcess, 0

; Subroutine: replaces every "8" (38h) with "B" (42h) and vice versa in sonuc.
; The exit test follows the store, so the byte at index serial_uz (the
; terminator StrLen stopped at) is also read and written back; it is neither
; 38h nor 42h, so it is stored unchanged.
@degistir:
invoke StrLen, addr sonuc           ; serial length
mov serial_uz, eax                  ; store it
lea esi, sonuc                      ; address of the serial buffer
xor ecx, ecx
@dongu:
mov al, [ecx+esi]                   ; current serial character
cmp al, 038h                        ; is it "8"?
jnz @sonraki
add al, 0Ah                         ; then make it "B" (38h + 0Ah = 42h)
jmp @duzelt
@sonraki:
cmp al, 042h                        ; is it "B"?
jnz @duzelt
add al, 0F6h                        ; then make it "8" (42h + 0F6h wraps to 38h)
@duzelt:
mov [esi+ecx], al                   ; write the final character back
cmp ecx, serial_uz
je @tamam
inc ecx
jmp @dongu
@tamam:
ret

end start
 

Son Notlar

Bir programı kullanarak para kazanıyorsanız, programı satın alın.