鼓捣了2天,小有进展

可惜.net的程序是运行在.net Framework架构上的,.exe的代码是伪代码,不能直接修改机器码:(,转成.il后不能编译!制作内存补丁也不得其门,只得想办法从ZWT和ROR的keymaker里找找算法了,他们找到的产品号为:
"13c05cea-f74d3b85-e3862988-cc1ad12e-f466aa7a" --VC
"b9f0a12b-a37cc14d-bc55e407-cd062a45-533bc594" --ESX
"2b5dae77-3839b4be-1e696a90-f2019d46-107335f1"
"2c8fcb47-c6f0d982-22dc9e4c-7da0889e-393dad38" --GSX
"a9ff7191-a526a8df-dd2b8e28-2a21fb3b-1977eed3"
"ce7612c2-503f5ce8-6c43fc4a-a9b67e37-2cd1c599" --VMOTION
"d3b6c4ea-3eb5c369-8b525529-5e36ccd9-981775c8"
核心算法:
0040755D |. 83C4 20 add esp, 20
00407560 |. 33FF xor edi, edi
00407562 |. BD 63000000 mov ebp, 63
00407567 |. BE 5F000000 mov esi, 5F
0040756C |> 8D4424 30 /lea eax, [esp+30]
00407570 |. 50 |push eax
00407571 |. 56 |push esi
00407572 |. 55 |push ebp
00407573 |. E8 18F7FFFF |call 00406C90
00407578 |. 8A88 88F04000 |mov cl, [eax+40F088]
0040757E |. 83C4 0C |add esp, 0C
00407581 |. 884C3C 48 |mov [esp+edi+48], cl
00407585 |. 83EE 05 |sub esi, 5
00407588 |. 47 |inc edi
00407589 |. 83ED 05 |sub ebp, 5
0040758C |. 83FE FB |cmp esi, -5
0040758F |.^ 7F DB \jg short 0040756C
00407591 |. 8B8424 900000>mov eax, [esp+90]
00407598 |. 885C3C 48 mov [esp+edi+48], bl
0040759C |. 8A5424 48 mov dl, [esp+48]
004075A0 |. 8A4C24 49 mov cl, [esp+49]
004075A4 |. 8810 mov [eax], dl
004075A6 |. 8A5424 4A mov dl, [esp+4A]
004075AA |. 8848 06 mov [eax+6], cl
004075AD |. 8A4C24 4B mov cl, [esp+4B]
004075B1 |. 8850 0C mov [eax+C], dl
004075B4 |. 8B5424 4C mov edx, [esp+4C]
004075B8 |. 8848 12 mov [eax+12], cl
004075BB |. 8B4C24 50 mov ecx, [esp+50]
004075BF |. C640 05 2D mov byte ptr [eax+5], 2D
004075C3 |. C640 0B 2D mov byte ptr [eax+B], 2D
004075C7 |. C640 11 2D mov byte ptr [eax+11], 2D
004075CB |. 8950 01 mov [eax+1], edx
004075CE |. 8B5424 54 mov edx, [esp+54]
004075D2 |. 8948 07 mov [eax+7], ecx
004075D5 |. 8B4C24 58 mov ecx, [esp+58]
004075D9 |. 8950 0D mov [eax+D], edx
004075DC |. 5F pop edi
004075DD |. 8948 13 mov [eax+13], ecx
004075E0 |. 5E pop esi
004075E1 |. 8858 17 mov [eax+17], bl
004075E4 |. 5D pop ebp
004075E5 |. 5B pop ebx
004075E6 |. 83C4 78 add esp, 78
004075E9 \. C3 retn
00407560 |. 33FF xor edi, edi
00407562 |. BD 63000000 mov ebp, 63
00407567 |. BE 5F000000 mov esi, 5F
0040756C |> 8D4424 30 /lea eax, [esp+30]
00407570 |. 50 |push eax
00407571 |. 56 |push esi
00407572 |. 55 |push ebp
00407573 |. E8 18F7FFFF |call 00406C90
00407578 |. 8A88 88F04000 |mov cl, [eax+40F088]
0040757E |. 83C4 0C |add esp, 0C
00407581 |. 884C3C 48 |mov [esp+edi+48], cl
00407585 |. 83EE 05 |sub esi, 5
00407588 |. 47 |inc edi
00407589 |. 83ED 05 |sub ebp, 5
0040758C |. 83FE FB |cmp esi, -5
0040758F |.^ 7F DB \jg short 0040756C
00407591 |. 8B8424 900000>mov eax, [esp+90]
00407598 |. 885C3C 48 mov [esp+edi+48], bl
0040759C |. 8A5424 48 mov dl, [esp+48]
004075A0 |. 8A4C24 49 mov cl, [esp+49]
004075A4 |. 8810 mov [eax], dl
004075A6 |. 8A5424 4A mov dl, [esp+4A]
004075AA |. 8848 06 mov [eax+6], cl
004075AD |. 8A4C24 4B mov cl, [esp+4B]
004075B1 |. 8850 0C mov [eax+C], dl
004075B4 |. 8B5424 4C mov edx, [esp+4C]
004075B8 |. 8848 12 mov [eax+12], cl
004075BB |. 8B4C24 50 mov ecx, [esp+50]
004075BF |. C640 05 2D mov byte ptr [eax+5], 2D
004075C3 |. C640 0B 2D mov byte ptr [eax+B], 2D
004075C7 |. C640 11 2D mov byte ptr [eax+11], 2D
004075CB |. 8950 01 mov [eax+1], edx
004075CE |. 8B5424 54 mov edx, [esp+54]
004075D2 |. 8948 07 mov [eax+7], ecx
004075D5 |. 8B4C24 58 mov ecx, [esp+58]
004075D9 |. 8950 0D mov [eax+D], edx
004075DC |. 5F pop edi
004075DD |. 8948 13 mov [eax+13], ecx
004075E0 |. 5E pop esi
004075E1 |. 8858 17 mov [eax+17], bl
004075E4 |. 5D pop ebp
004075E5 |. 5B pop ebx
004075E6 |. 83C4 78 add esp, 78
004075E9 \. C3 retn
-------------------------------------------------------------------------
; -----------------------------------------------------------------------
; Routine at 00406C90 (32-bit x86; debugger listing: address | bytes | instruction,
; all numeric operands are hexadecimal).
;
; In:    three dwords on the stack: arg1 and arg2 are signed bit indices
;        (either order), arg3 is a pointer.
; Does:  walks the inclusive index range from the larger index down to the
;        smaller one; for every index whose bit is set in the dword array
;        at [arg3+8], ORs the EDX:EAX result of helper 0040CC00 into a
;        64-bit accumulator held in EBP:EBX.
; Out:   EDX:EAX = accumulator (EDX = high dword, EAX = low dword).
; Saves: EBX, EBP, ESI, EDI are pushed on entry and popped on exit.
; Stack: plain `retn`, so the three arguments are left for the caller to remove.
;
; NOTE(review): helper 0040CC00 is not part of this listing; from the register
;   setup (EDX:EAX = 1, ECX = index - low) it is presumably a 64-bit
;   shift-left of EDX:EAX by CL -- confirm against the helper itself.
; NOTE(review): no bounds check on the indices is visible here; `sar` keeps
;   the sign, so a negative index would address memory below arg3+8.
; -----------------------------------------------------------------------
00406C90 /$ 53 push ebx                       ; save callee-preserved registers
00406C91 |. 55 push ebp
00406C92 |. 56 push esi
00406C93 |. 8B7424 10 mov esi, [esp+10]       ; esi = arg1 (3 pushes + return address = 10h)
00406C97 |. 57 push edi
00406C98 |. 8B7C24 18 mov edi, [esp+18]       ; edi = arg2 (offset grew by 4 after push edi)
00406C9C |. 3BF7 cmp esi, edi
00406C9E |. 7D 06 jge short 00406CA6          ; already esi >= edi (signed): skip the swap
00406CA0 |. 8BC6 mov eax, esi                 ; swap esi <-> edi via eax so that esi = high, edi = low
00406CA2 |. 8BF7 mov esi, edi
00406CA4 |. 8BF8 mov edi, eax
00406CA6 |> 33DB xor ebx, ebx                 ; ebx = 0, low dword of the accumulator
00406CA8 |. 33ED xor ebp, ebp                 ; ebp = 0, high dword of the accumulator
00406CAA |. 3BF7 cmp esi, edi
00406CAC |. 7C 34 jl short 00406CE2           ; esi >= edi already holds after the swap, so this guard looks redundant
00406CAE |> 8B5424 1C /mov edx, [esp+1C]      ; edx = arg3 (reloaded each pass; edx is overwritten below)
00406CB2 |. 8BCE |mov ecx, esi
00406CB4 |. 83E1 1F |and ecx, 1F              ; ecx = index mod 32 = bit position inside its dword
00406CB7 |. B8 01000000 |mov eax, 1
00406CBC |. D3E0 |shl eax, cl                 ; eax = single-bit mask for that position
00406CBE |. 8BCE |mov ecx, esi
00406CC0 |. C1F9 05 |sar ecx, 5               ; ecx = index / 32 (arithmetic shift) = dword index
00406CC3 |. 85448A 08 |test [edx+ecx*4+8], eax ; is bit `index` set in the dword array at arg3+8?
00406CC7 |. 74 14 |je short 00406CDD          ; bit clear: contribute nothing for this index
00406CC9 |. 8BCE |mov ecx, esi
00406CCB |. B8 01000000 |mov eax, 1
00406CD0 |. 2BCF |sub ecx, edi                ; ecx = index - low = position relative to the range start
00406CD2 |. 33D2 |xor edx, edx                ; EDX:EAX = 1 as input to the helper
00406CD4 |. E8 275F0000 |call 0040CC00        ; helper not shown; presumably EDX:EAX <<= CL -- confirm
00406CD9 |. 0BD8 |or ebx, eax                 ; merge helper result into the accumulator, low dword
00406CDB |. 0BEA |or ebp, edx                 ; merge helper result into the accumulator, high dword
00406CDD |> 4E |dec esi                       ; next lower index
00406CDE |. 3BF7 |cmp esi, edi
00406CE0 |.^ 7D CC \jge short 00406CAE        ; loop while index >= low (inclusive lower bound)
00406CE2 |> 5F pop edi                        ; restore registers; the result moves are interleaved with the pops
00406CE3 |. 8BD5 mov edx, ebp                 ; edx = high dword of the result (copied before ebp is restored)
00406CE5 |. 5E pop esi
00406CE6 |. 8BC3 mov eax, ebx                 ; eax = low dword of the result (copied before ebx is restored)
00406CE8 |. 5D pop ebp
00406CE9 |. 5B pop ebx
00406CEA \. C3 retn                           ; return EDX:EAX; arguments stay on the stack for the caller
00406C91 |. 55 push ebp
00406C92 |. 56 push esi
00406C93 |. 8B7424 10 mov esi, [esp+10]
00406C97 |. 57 push edi
00406C98 |. 8B7C24 18 mov edi, [esp+18]
00406C9C |. 3BF7 cmp esi, edi
00406C9E |. 7D 06 jge short 00406CA6
00406CA0 |. 8BC6 mov eax, esi
00406CA2 |. 8BF7 mov esi, edi
00406CA4 |. 8BF8 mov edi, eax
00406CA6 |> 33DB xor ebx, ebx
00406CA8 |. 33ED xor ebp, ebp
00406CAA |. 3BF7 cmp esi, edi
00406CAC |. 7C 34 jl short 00406CE2
00406CAE |> 8B5424 1C /mov edx, [esp+1C]
00406CB2 |. 8BCE |mov ecx, esi
00406CB4 |. 83E1 1F |and ecx, 1F
00406CB7 |. B8 01000000 |mov eax, 1
00406CBC |. D3E0 |shl eax, cl
00406CBE |. 8BCE |mov ecx, esi
00406CC0 |. C1F9 05 |sar ecx, 5
00406CC3 |. 85448A 08 |test [edx+ecx*4+8], eax
00406CC7 |. 74 14 |je short 00406CDD
00406CC9 |. 8BCE |mov ecx, esi
00406CCB |. B8 01000000 |mov eax, 1
00406CD0 |. 2BCF |sub ecx, edi
00406CD2 |. 33D2 |xor edx, edx
00406CD4 |. E8 275F0000 |call 0040CC00
00406CD9 |. 0BD8 |or ebx, eax
00406CDB |. 0BEA |or ebp, edx
00406CDD |> 4E |dec esi
00406CDE |. 3BF7 |cmp esi, edi
00406CE0 |.^ 7D CC \jge short 00406CAE
00406CE2 |> 5F pop edi
00406CE3 |. 8BD5 mov edx, ebp
00406CE5 |. 5E pop esi
00406CE6 |. 8BC3 mov eax, ebx
00406CE8 |. 5D pop ebp
00406CE9 |. 5B pop ebx
00406CEA \. C3 retn
由于目前无法搞到VMware Server的代码号,破解工作暂时陷入僵局……
