aida64

aida64 记录

最近换了电脑,微星主板带了aida64程序,结果只能试用60天 0.0

aida64.exe程序信息

32位程序,编译器: Borland Delphi(7)[-]

image-20240324212715804

IDR

Delphi程序直接祭出大杀器IDR
定位注册窗口和注册事件

object Form_EnterProductKey: TForm_EnterProductKey
  Left = 285
  Top = 314
  BorderStyle = bsDialog
  Caption = 'Enter Product Key'
  ClientHeight = 265
  ClientWidth = 355
  Color = clBtnFace
  ParentFont = True
  OldCreateOrder = False
  Position = poOwnerFormCenter
  OnCreate = FormCreate
  OnShow = FormShow
  PixelsPerInch = 96
  TextHeight = 13
  object TabControl_EnterProductKey: TTabControl
    Left = 7
    Top = 7
    Width = 341
    Height = 222
    TabOrder = 0
    TabStop = False
    object Label_EnterCommandLine: TLabel
      Left = 64
      Top = 25
      Width = 144
      Height = 13
      Caption = 'Please enter your product key:'
      Transparent = True
    end
    object Image_Simple: TImage
      Left = 16
      Top = 16
      Width = 32
      Height = 32
      Transparent = True
    end
    object Label_InvalidKey: TLabel
      Left = 64
      Top = 99
      Width = 52
      Height = 13
      Cursor = crHandPoint
      Caption = 'Invalid Key'
      ParentShowHint = False
      ShowHint = True
      Transparent = True
      Visible = False
      OnClick = Label_InvalidKeyClick
    end
    object Label_Expired: TLabel
      Left = 64
      Top = 80
      Width = 87
      Height = 13
      Caption = 'License is expired!'
      Transparent = True
      Visible = False
    end
    object Edit_ProductKey: TEdit
      Left = 64
      Top = 48
      Width = 261
      Height = 21
      TabOrder = 0
      OnChange = UpdateScreen
    end
  end
  object Button_Cancel: TButton
    Left = 273
    Top = 235
    Width = 75
    Height = 23
    Cancel = True
    Caption = 'Cancel'
    ModalResult = 2
    TabOrder = 2
  end
  object Button_OK: TButton
    Left = 192
    Top = 235
    Width = 75
    Height = 23
    Caption = 'OK'
    Default = True
    ModalResult = 1
    TabOrder = 1
  end
end

可定位输入框事件TForm_EnterProductKey.UpdateScreen

image-20240324212948028

TForm_EnterProductKey_UpdateScreen

结合IDA 进行注册分析

ida 相关设置请参考Delphi程序逆向反汇编技巧小记 | Lyon's blog (youngroe.com)

TForm_EnterProductKey_UpdateScreen 对输入进行‘-’,‘_’,' '字符的去除后,校验长度是否为0x19 (25),之后调用check_F85B98进行关键判断

image-20240324213722106

check_F85B98

相关函数checksum_F85B0C、KGEncode3_F8593C、Power_F85A58可参考后面的python代码

//                     &maintenance_period,        // 维护期限
//                     &authorization_period,      // 授权期限
//                     &purchase_date,             // 购买日期
//                     &number_of_licenses);       // 授权数
bool __userpurge check_F85B98@<al>(
        char *serial@<eax>,
        int *version_id@<edx>,
        __int32 a3@<ecx>,
        double st7_0@<st0>,
        _BYTE *out_error_ROGtype,
        _BYTE *out_error_revoked,
        _BYTE *out_error_black,
        _BYTE *check_checksum,
        int *maintenance_period,
        int *authorization_period,
        double *purchase_date,
        int *number_of_licenses)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]

  part3__1 = (int *)_InterlockedExchange((volatile __int32 *)&serial1, a3);
  version_id1 = version_id;
  serial1 = serial;
  LStrAddRef_Pointer((int)serial);
  v45 = &savedregs;
  v44[1] = (unsigned int)&loc_F8633C;
  v44[0] = (unsigned int)NtCurrentTeb()->NtTib.ExceptionList;
  __writefsdword(0, (unsigned int)v44);
  check_success = 0;
  *version_id1 = 0;
  *part3__1 = 0;
  *number_of_licenses = 0;
  *purchase_date = 0.0;
  *authorization_period = 0;
  *maintenance_period = 0;
  *check_checksum = 0;
  *out_error_black = 0;
  *out_error_revoked = 0;
  *out_error_ROGtype = 0;
  Trim_AnsiString(serial1, (char *)&temp);
  while ( LStrPos_Integer(&str___1339[1], temp) )
  {
    v12 = LStrPos_Integer(&str___1339[1], temp);
    System::__linkproc__ LStrDelete(&temp, v12, 1);
  }

  // _
  while ( LStrPos_Integer(&str___1340[1], temp) )
  {
    v13 = LStrPos_Integer(&str___1340[1], temp);
    System::__linkproc__ LStrDelete(&temp, v13, 1);
  }

  while ( LStrPos_Integer(&str___1341[1], temp) )
  {
    v14 = LStrPos_Integer(&str___1341[1], temp);
    System::__linkproc__ LStrDelete(&temp, v14, 1);
  }

  while ( LStrPos_Integer(&str___1342[1], temp) )
  {
    v15 = LStrPos_Integer(&str___1342[1], temp);
    System::__linkproc__ LStrDelete(&temp, v15, 1);
  }

  while ( LStrPos_Integer(&str___1343[1], temp) )
  {
    v16 = LStrPos_Integer(&str___1343[1], temp);
    System::__linkproc__ LStrDelete(&temp, v16, 1);
  }

  Trim_AnsiString(temp, (char *)&v62);
  UpperCase_AnsiString(v62, &src);
  Delphi_Copy_4059C4(src, 1, 0x19, (char *)&temp);
  if ( temp )
  {
    // delphi字符串 index从1开始??
    // 取前0x18位
    Delphi_Copy_4059C4(temp, 1, 24, dest);
    hash = checksum_F85B0C(*(char **)dest);
    KGEncode3_F8593C((unsigned __int16)hash % 0x9987u, (int)&v60);
    Delphi_Copy_4059C4(v60, 2, 1, v61);
    v43 = *(int **)v61;
    Delphi_Copy_4059C4(temp, 25, 1, v58);
    // 最后一位作为校验位,
    Delphi_CompareCall_4058B0((int)v43, *(int **)v58);
    *check_checksum = v18;
    if ( *check_checksum )
    {
      // revoked 
      v19 = 0x262;
      v20 = (int *)&revoked_keys_119C054;
      do
      {
        Delphi_CompareCall_4058B0(*v20, (int *)temp);//校验是否为被撤销的注册码
        if ( v18 )
        {
          *out_error_revoked = 1;
          goto LABEL_92;
        }

        ++v20;
        --v19;
      }
      while ( v19 );

      UpperCase_AnsiString(temp, &v83);
      LStrInsert(&str___1339[1], &v83);
      LStrInsert(&str___1339[1], &v83);
      LStrInsert(&str___1339[1], &v83);
      LStrInsert(&str___1339[1], &v83);
      LStrLAsg(&v80, v83);//重新拼接成 XXXXX-XXXXX-XXXXX-XXXXX-XXXXX的格式
      v43 = (int *)LStrLen_Integer(v80);
      v21 = (char *)LStrToPChar_PChar(v80);
        //计算md5
      md5_A41434(v21, (int)v43, (char *)&md5lowerstr);
      if ( LStrLen_Integer((int)md5lowerstr) == 0x20 )
      {
        v22 = 0;
        v23 = &v64;
        do
        {
          Delphi_Copy_4059C4(md5lowerstr, 2 * v22 + 1, 2, v57);
          *v23 = strTdig_A35498(*(int *)v57);
          ++v22;
          ++v23;
        }
        while ( v22 != 0x10 );

        v24 = 0x75C;
        v25 = &revoked_15D6ECC;
          //检验md5值是否为被禁数据中
        while ( *v25 != v64
             || v25[1] != v65
             || v25[2] != v66
             || v25[3] != v67
             || v25[4] != v68
             || v25[5] != v69
             || v25[6] != v70
             || v25[7] != v71
             || v25[8] != v72
             || v25[9] != v73
             || v25[0xA] != v74
             || v25[0xB] != v75
             || v25[0xC] != v76
             || v25[0xD] != v77
             || v25[0xE] != v78
             || v25[0xF] != v79 )
        {
          v25 += 0x10;
          if ( !--v24 )
            goto LABEL_44;
        }

        *out_error_revoked = 1;
      }
      else
      {
LABEL_44:
        v26 = 0x1470;
        v27 = black_117ACF4;
        do
        {
          LStrFromString(&v56, v27);
          Delphi_CompareCall_4058B0(v56, (int *)temp);
          if ( v18 )
          {
            *out_error_black = 1;
            goto LABEL_92;
          }

          v27 = (char ***)((char *)v27 + 0x1A);
          --v26;
        }
        while ( v26 );

        if ( LStrLen_Integer((int)md5lowerstr) == 0x20 )
        {
          v28 = 0;
          v29 = &v64;
          do
          {
            Delphi_Copy_4059C4(md5lowerstr, 2 * v28 + 1, 2, v55);
            *v29 = strTdig_A35498(*(int *)v55);
            ++v28;
            ++v29;
          }
          while ( v28 != 0x10 );

          v30 = 0x43A4F;
          v31 = (char *)&black_119C9DC;
          while ( *v31 != v64
               || v31[1] != v65
               || v31[2] != v66
               || v31[3] != v67
               || v31[4] != v68
               || v31[5] != v69
               || v31[6] != v70
               || v31[7] != v71
               || v31[8] != v72
               || v31[9] != v73
               || v31[0xA] != v74
               || v31[0xB] != v75
               || v31[0xC] != v76
               || v31[0xD] != v77
               || v31[0xE] != v78
               || v31[0xF] != v79 )
          {
            v31 += 0x10;
            if ( !--v30 )
              goto LABEL_70;
          }

          *out_error_black = 1;
        }
        else
        {
LABEL_70:
            //下面开始注册解析
          Delphi_Copy_4059C4(temp, 23, 2, v54);
          xordata = Power_F85A58(*(int *)v54);
          Delphi_Copy_4059C4(temp, 1, 2, v53);
          part1_ = Power_F85A58(*(int *)v53);
          *version_id1 = (unsigned __int8)xordata ^ part1_ ^ 0xBF;
          Delphi_Copy_4059C4(temp, 3, 2, v52);
          part3_tmp = Power_F85A58(*(int *)v52);
          *part3__1 = (unsigned __int8)xordata ^ part3_tmp ^ 0xED;
          Delphi_Copy_4059C4(temp, 5, 2, v51);
          part5_ = (unsigned __int8)xordata ^ (unsigned __int16)Power_F85A58(*(int *)v51) ^ 0x77;
          Delphi_Copy_4059C4(temp, 7, 2, v50);
          part7_ = (unsigned __int8)xordata ^ (unsigned __int16)Power_F85A58(*(int *)v50) ^ 0xDF;
          Delphi_Copy_4059C4(temp, 9, 4, v49);
          *number_of_licenses = xordata ^ Power_F85A58(*(int *)v49) ^ 0x4755;
          Delphi_Copy_4059C4(temp, 13, 4, v48);
          purchase_date_ = xordata ^ Power_F85A58(*(int *)v48) ^ 0x7CC1;
          Delphi_Copy_4059C4(temp, 17, 3, v47);
          *authorization_period = (unsigned __int8)xordata ^ Power_F85A58(*(int *)v47) ^ 0x3FD;
          Delphi_Copy_4059C4(temp, 20, 3, v46);
          *maintenance_period = (unsigned __int8)xordata ^ Power_F85A58(*(int *)v46) ^ 0x935;
          if ( *part3__1 != 999
            && part5_ <= 100u
            && part7_ <= 100u
            && *number_of_licenses != 0xFFFF
            && *authorization_period < 3653
            && *maintenance_period < 3653 )
          {
            year = ((purchase_date_ >> 9) & 0x1F) + 0x7D3;
            month = (purchase_date_ >> 5) & 0xF;// month
            day = purchase_date_ & 0x1F;
            if ( year >= 0x7D4u && year <= 0x833u && month && (unsigned __int16)month <= 0xCu && day )
            {
              v43 = &savedregs;
              v42[1] = (unsigned int)&loc_F862B1;
              v42[0] = (unsigned int)NtCurrentTeb()->NtTib.ExceptionList;
              __writefsdword(0, (unsigned int)v42);
              *purchase_date = Sysutils::EncodeDate(year, month, day);
              __writefsdword(0, v42[0]);
            }

            check_success_1 = *version_id1 == 2
                           && *part3__1 >= 100
                           && *part3__1 < 990
                           && *number_of_licenses
                           && *number_of_licenses < 798
                           && *purchase_date != 0.0
                           && *maintenance_period;
            check_success = check_success_1;
          }
        }
      }
    }
  }

LABEL_92:
  __writefsdword(0, v44[0]);
  v45 = (int *)&loc_F86343;
  LStrArrayClr((int *)v46, 0x12);
  LStrArrayClr(&v80, 4);
  LStrClr(&serial1);
  return check_success;
}

py


from datetime import datetime, timedelta
from typing import Union
import random
import hashlib


def Checksum_F85B0C(buf: Union[str | bytes])->int:
    if isinstance(buf, str):
        buf = buf.encode()
    hash_val = 0
    len_val = len(buf)

    for i in range(len_val):
        hash_val ^= (buf[i] << 8)
        for j in range(8):
            if (hash_val & 0x8000) == 0:
                hash_val *= 2
            else:
                hash_val = (2*hash_val) ^ 0x8201
        hash_val &= 0xffff
    return hash_val


def KGEncode3_F8593C(hash_val)->str:
    table_117ACD0 = "DY14UF3RHWCXLQB6IKJT9N5AGS2PM8VZ7E" #
    out = ''
    if hash_val <= 0x9987:
        v2 = hash_val % 0x484 // 0x22
        v3 = hash_val % 0x484 % 0x22

        if hash_val // 0x484 <= 0x21 and v2 <= 0x21 and v3 <= 0x21:
            out = table_117ACD0[hash_val // 0x484] + \
                table_117ACD0[v2]+table_117ACD0[v3]
    else:
        # KGEncode3: Invalid Argument!
        out = "Invalid Argument!"
    return out


def Power_F85A58(data: bytes)->int:
    table_117ACD0 = b"DY14UF3RHWCXLQB6IKJT9N5AGS2PM8VZ7E"
    ret = 0
    sz = len(data)
    for i in range(sz):
        for j in range(34):
            if data[i] == table_117ACD0[j]:
                tmp = 34**(sz-i-1)
                ret += int(j*tmp)
    return ret


def Inverse_Power_F85A58(num: int, data_length: int)->bytes:
    if isinstance(num, bytes):
        num = int.from_bytes(num, 'little')
    table_117ACD0 = b"DY14UF3RHWCXLQB6IKJT9N5AGS2PM8VZ7E"
    result = []
    while num > 0:
        remainder = num % 34
        result.insert(0, table_117ACD0[remainder])
        num = num // 34

    # 补齐位数
    while len(result) < data_length:
        result.insert(0, table_117ACD0[0])  # 假设缺失的位数用表中的第一个字符填充

    return bytes(result)


def GenDate(year, month, day)->int:
    date = day
    date |= month << 5
    date |= (year-2003) << 9
    return date


def ParseDate(date: int):
    year = ((date >> 9) & 0x1f)+2003
    month = (date >> 5) & 0xf
    day = date & 0x1f
    info = '[+]year:%d,month:%d,day:%d' % (year, month, day)
    return (info, year, month, day)


def keygen(version_id: int, year: int, month: int, day: int, xordata: int = random.randint(0, 0xff), part3_=random.randint(100, 998), part5_=random.randint(0, 100), part7_=random.randint(0, 100), number_of_licenses=797, authorization_period=3650, maintenance_period=3650):
    serial = bytearray()

    # xordata=0x66#random.randint(0,0xff)
    print('[+]xordata:', hex(xordata))

    # version_id=2
    tmp = Inverse_Power_F85A58(version_id ^ xordata ^ 0xbf, 2)
    serial[:2] = tmp

    # part3_=random.randint(100,998)
    print('[+]random part3_:', part3_)
    # !=999 >=100
    tmp = Inverse_Power_F85A58(part3_ ^ xordata ^ 0xed, 2)
    serial[2:4] = tmp

    # part5_=random.randint(0,100)
    # <=100
    print('[+]random part5_:', part5_)
    tmp = Inverse_Power_F85A58(part5_ ^ xordata ^ 0x77, 2)
    serial[4:6] = tmp

    # part7_=random.randint(0,100)
    # <=100
    tmp = Inverse_Power_F85A58(part7_ ^ xordata ^ 0xdf, 2)
    print('[+]random part7_:', part7_)
    serial[6:8] = tmp

    # number_of_licenses=797
    # 授权数 !=0xffff <0x31e  798d
    tmp = Inverse_Power_F85A58(number_of_licenses ^ xordata ^ 0x4755, 4)
    serial[8:12] = tmp

    purchase_date = GenDate(year, month, day)
    # 购买日期
    tmp = Inverse_Power_F85A58(purchase_date ^ xordata ^ 0x7CC1, 4)
    serial[12:16] = tmp

    # <0xe45 3653d
    # authorization_period=3650
    # 授权期限
    tmp = Inverse_Power_F85A58(authorization_period ^ xordata ^ 0x3FD, 3)
    serial[16:19] = tmp

    # maintenance_period=3651
    # 维护期限
    tmp = Inverse_Power_F85A58(maintenance_period ^ xordata ^ 0x935, 3)
    serial[19:22] = tmp

    tmp = Inverse_Power_F85A58(xordata, 2)
    serial[22:24] = tmp

    sum = Checksum_F85B0C(serial[:0x18])
    checksum = KGEncode3_F8593C(sum % 0X9987)
    serial[24:25] = checksum[1].encode()
    # print('[#]serial:',serial.decode())
    return serial


def check(serial: Union[bytes | str]):
    if isinstance(serial, str):
        serial = serial.encode()
    serial = serial.replace(b'-', b'')
    result = False
    sum = Checksum_F85B0C(serial[:0x18])
    checksum = KGEncode3_F8593C(sum % 0X9987)
    if serial[0x18] != ord(checksum[1]):
        print('[!]serial checksum error')
        return result

    xordata = Power_F85A58(serial[22:24])
    print('\t[-]xordata:', hex(xordata))
    tmp = Power_F85A58(serial[:2])
    version_id = (xordata ^ tmp ^ 0xbf) & 0xffffffff
    # version_id 2
    print('\t[-]version_id:', (version_id))

    tmp = Power_F85A58(serial[2:4])
    part3_ = (xordata ^ tmp ^ 0xed) & 0xffffffff
    # >=0x64 100d <0x3de 990d
    print('\t[-]part3_:', (part3_))

    tmp = Power_F85A58(serial[4:6])
    part5_ = (xordata ^ tmp ^ 0x77) & 0xffffffff
    # <=0x64 100d
    print('\t[-]part5_:', (part5_))

    tmp = Power_F85A58(serial[6:8])
    part7_ = (xordata ^ tmp ^ 0xdf) & 0xffffffff
    # <=0x64 100d
    print('\t[-]part7_:', (part7_))

    tmp = Power_F85A58(serial[8:12])
    number_of_licenses = (xordata ^ tmp ^ 0x4755) & 0xffffffff
    # !=0xffff <0x31e
    print('\t[-]number_of_licenses:', (number_of_licenses))

    tmp = Power_F85A58(serial[12:16])
    purchase_date = (xordata ^ tmp ^ 0x7CC1) & 0xffffffff
    info, year, month, day = ParseDate(purchase_date)
    print('\t[-]purchase_date_:', hex(purchase_date), info)
    start_date = datetime(year, month, day)

    tmp = Power_F85A58(serial[16:19])
    authorization_period = (xordata ^ tmp ^ 0x3fd) & 0xffffffff
    # <0xe45 3653d
    print('\t[-]authorization_period:', (authorization_period),
          start_date + timedelta(days=authorization_period))

    tmp = Power_F85A58(serial[19:22])
    maintenance_period = (xordata ^ tmp ^ 0x935) & 0xffffffff
    # <3653
    print('\t[-]maintenance_period:', (maintenance_period),
          start_date + timedelta(days=maintenance_period))
    while True:
        if number_of_licenses == 0xffff:
            print("[!]error-->number_of_licenses!=0xffff")
            break

        if part3_ != 999 and part5_ <= 0x64 and part7_ <= 0x64 and authorization_period < 3653 and maintenance_period < 3653:
            if version_id != 2:
                print('[!]version error:', version_id)
                break
            if part3_ < 100 or part3_ > 990:
                print('[!]part3 error:', part3_)
                break
            if number_of_licenses == 0 or number_of_licenses >= 798:
                print('[!]number_of_licenses error:', number_of_licenses)
                break
            result = True
            print('[#]success!')
        else:
            print('[!]error-->part3/5/7_')
            break
        break
    return result


if __name__ == '__main__':
    # serial=keygen(2,2024,3,24,0x66,100,100,100,0x123,3650,3650) 
    now = datetime.now()
    current_year = now.year
    current_month = now.month
    current_day = now.day
    serial = keygen(2, current_year, current_month, current_day)
    print('\n[#]serial:', serial.decode())
    print('\n\n###############################CHECK###############################')
    check(serial)

img

posted @ 2024-03-24 22:02  DirWangK  阅读(92)  评论(0编辑  收藏  举报