
城市猎人 1.30 算法分析

时间:2004/10/15 0:55:00  来源:本站整理  作者:蓝点

 注册码出现方式为明码(真注册码以明文形式在内存中生成,与输入值直接比较)
NAME:powerboy
SN:14661382
 (按下文算法验证:H("powerboy}}}}}}}}")=14661382,商 q=1,与此 SN 一致)

; ---------------------------------------------------------------------------
; sub_4037EE - registration handler: validates NAME / SN and reports the result.
; Convention: ecx appears to carry the object pointer (mov esi, ecx); ebx/esi/edi
;   are saved and restored and the routine returns with a plain ret (no stack
;   arguments), consistent with an MFC member function taking no parameters.
; Reads:  [esi+80]   window handle passed to SendMessageA (delay loop)
;         [esi+A0]   pointer to the NAME string (passed to strcmp, so a C string)
;         [esi+A4]   SN as a 32-bit integer
; Writes: [004107BC] status: FFFFFF83 full success, FFFFFF82 "guest" path,
;                    0000007D failure
;         [004107C0] = SN, "guest" path only
; Calls:  MFC42 ordinals (semantics not visible here), USER32.SendMessageA,
;         MSVCRT.strcmp, sub_403904 (serial derivation, listed further down)
; Main check:
;   10000000 < SN < 99999999        (both bounds EXCLUSIVE - see JNA / JNC below)
;   q = SN / 10000000 (1..9),  r = SN mod 10000000
;   sub_403904(NAME, q) == r  ->  success
; Alternate path, reached from every failure above:
;   strcmp(NAME, "guest") == 0 && (SN & 0xFFF) == 0x4B5  ->  "time-limited"
;   success; no range check applies on this path.
; ---------------------------------------------------------------------------
:004037EE 53                      push ebx
:004037EF 56                      push esi
:004037F0 57                      push edi
:004037F1 8BF1                    mov esi, ecx                         ; esi = this
:004037F3 6A01                    push 00000001

* Reference To: MFC42.Ordinal:18BE, Ord:18BEh
                                 |
:004037F5 E884550000              Call 00408D7E                        ; MFC ordinal 18BE(1) - purpose not visible here
:004037FA 6A05                    push 00000005
:004037FC 8D4E60                  lea ecx, dword ptr [esi+60]          ; this+0x60 is 'this' for the next MFC call

* Reference To: MFC42.Ordinal:1847, Ord:1847h
                                 |
:004037FF E89A560000              Call 00408E9E                        ; MFC ordinal 1847(5) on [esi+60] - presumably reads the dialog fields into [esi+A0]/[esi+A4]; not verifiable here
:00403804 33DB                    xor ebx, ebx                         ; ebx = 0, reused as a constant 0 argument below
:00403806 33FF                    xor edi, edi                         ; edi = loop counter

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040382C(C)
|
:00403808 8BC7                    mov eax, edi                         ; loop body starts here
:0040380A B92C010000              mov ecx, 0000012C                    ; 300
:0040380F 99                      cdq
:00403810 F7F9                    idiv ecx                             ; eax = edi / 300 -> 0..99 across the loop
:00403812 53                      push ebx                             ; lParam = 0
:00403813 50                      push eax                             ; wParam = edi / 300
:00403814 6802040000              push 00000402                        ; msg 0x402 = WM_USER+2 (author: progress-bar position)
:00403819 FFB680000000            push dword ptr [esi+00000080]        ; hwnd

* Reference To: USER32.SendMessageA, Ord:0214h
                                 |
:0040381F FF154CB74000            Call dword ptr [0040B74C]
:00403825 47                      inc edi
:00403826 81FF30750000            cmp edi, 00007530                    ; 30000 iterations
:0040382C 7CDA                    jl 00403808                          ; end of the progress/delay loop - no effect on the check
:0040382E                         MOV      EAX,[ESI+A4]                ; eax = SN
:00403834                         MOV      EDI,00989680                ; edi = 10000000
:00403839                         CMP      EAX,EDI
:0040383B                         JNA      00403898                    ; unsigned: SN <= 10000000 -> fail, so SN must be > 10000000
:0040383D                         CMP      EAX,05F5E0FF                ; 99999999
:00403842    JNC      00403898                                         ; unsigned: SN >= 99999999 -> fail, so SN must be < 99999999
:00403844    PUSH     EBP                                              ; hence 10000001 <= SN <= 99999998 (the page's "10000000~99999999" is off by one at both ends)
:00403845    XOR      EDX,EDX
:00403847    MOV      EBP,EDI                                          ; ebp = 10000000
:00403849  MOV      ECX,[ESI+A0]                                       ; ecx = NAME
:0040384F F7F5                    div ebp                              ; eax = q = SN / 10000000 (1..9); edx = SN mod 10000000 (unused here, recomputed below)
:00403851 50                      push eax                             ; arg 2: q
:00403852 51                      push ecx                             ; arg 1: NAME
:00403853 8BCE                    mov ecx, esi
:00403855 E8AA000000              call 00403904                        ; KEY CALL: eax = (H(NAME) * q) rem 10000000
:0040385A 8BC8                    mov ecx, eax                         ; ecx = expected remainder
:0040385C 8B86A4000000            mov eax, dword ptr [esi+000000A4]    ; eax = SN
:00403862 33D2                    xor edx, edx
:00403864 5D                      pop ebp                              ; restore ebp (balances the push at 00403844)
:00403865 F7F7                    div edi                              ; edx = SN mod 10000000 - a remainder, NOT "SN - 10000000"; the two agree only when SN < 20000000
:00403867 3BCA                    cmp ecx, edx                         ; expected remainder vs the low 7 decimal digits of SN
:00403869 752D                    jne 00403898                         ; mismatch -> guest check / failure
:0040386B 53                      push ebx
:0040386C 53                      push ebx

* Possible Reference to Dialog:  
                                 |
:0040386D 68A8024100              push 004102A8

* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
                                 |
:00403872 E8A9550000              Call 00408E20                        ; MFC ordinal 04B0(004102A8, 0, 0) - the success message (author)
:00403877 C705BC07410083FFFFFF    mov dword ptr [004107BC], FFFFFF83   ; status = 0xFFFFFF83 (full registration)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004038E1(U)
|

* Reference To: MFC42.Ordinal:0490, Ord:0490h
                                 |
:00403881 E828550000              Call 00408DAE                        ; shared tail, also reached from the guest path
:00403886 8B4004                  mov eax, dword ptr [eax+04]

* Possible StringData Ref from Data Obj ->"程式猎人  版本 1.27- 兄弟制作组 "
                                       ->"荣誉出品"
                                 |
:00403889 687C024100              push 0041027C                        ; title string
:0040388E 8B4820                  mov ecx, dword ptr [eax+20]          ; ecx = [[ret]+4]+0x20, 'this' for the next call

* Reference To: MFC42.Ordinal:1837, Ord:1837h
                                 |
:00403891 E8D2550000              Call 00408E68                        ; MFC ordinal 1837(title) - looks like a window-title update; not verifiable here
:00403896 EB61                    jmp 004038F9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403869(C)
|

* Possible StringData Ref from Data Obj ->"guest"
                                 |
:00403898 6874024100              push 00410274                        ; ALTERNATE PATH: compare NAME with "guest"
:0040389D FFB6A0000000            push dword ptr [esi+000000A0]        ; NAME

* Reference To: MSVCRT.strcmp, Ord:02B8h
                                 |
:004038A3 E84E5B0000              Call 004093F6                        ; strcmp(NAME, "guest")
:004038A8 59                      pop ecx                              ; cdecl cleanup (2 args)
:004038A9 85C0                    test eax, eax
:004038AB 59                      pop ecx
:004038AC 7535                    jne 004038E3                         ; NAME != "guest" -> failure
:004038AE 8B86A4000000            mov eax, dword ptr [esi+000000A4]    ; eax = SN (no range check was applied on this path)
:004038B4 25FF0F0000              and eax, 00000FFF
:004038B9 3DB5040000              cmp eax, 000004B5                    ; low 12 bits of SN must equal 0x4B5 (1205)
:004038BE 7523                    jne 004038E3
:004038C0 53                      push ebx
:004038C1 53                      push ebx

* Possible StringData Ref from Data Obj ->"注册码校验成功!
这个注册码有日期限制,请您注意"
                                       ->"及时更换."
                                 |
:004038C2 683C024100              push 0041023C                        ; "serial accepted, date-limited" message

* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
                                 |
:004038C7 E854550000              Call 00408E20
:004038CC C705BC07410082FFFFFF    mov dword ptr [004107BC], FFFFFF82   ; status = 0xFFFFFF82 (guest / limited registration)
:004038D6 8B86A4000000            mov eax, dword ptr [esi+000000A4]
:004038DC A3C0074100              mov dword ptr [004107C0], eax        ; remember SN (only on this path)
:004038E1 EB9E                    jmp 00403881                         ; join the success tail

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004038AC(C), :004038BE(C)
|
:004038E3 53                      push ebx
:004038E4 53                      push ebx

* Possible StringData Ref from Data Obj ->"注册码校验失败!"
                                 |
:004038E5 682C024100              push 0041022C                        ; "serial check failed" message
:004038EA C705BC0741007D000000    mov dword ptr [004107BC], 0000007D   ; status = 0x7D (failure)

* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
                                 |
:004038F4 E827550000              Call 00408E20

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403896(U)
|
:004038F9 8BCE                    mov ecx, esi

* Reference To: MFC42.Ordinal:12F5, Ord:12F5h
                                 |
:004038FB E8F8520000              Call 00408BF8                        ; MFC ordinal 12F5(this) - purpose not visible here
:00403900 5F                      pop edi
:00403901 5E                      pop esi
:00403902 5B                      pop ebx
:00403903 C3                      ret
==================================================================================================
F8进入算法的关键CALL..............

; ---------------------------------------------------------------------------
; sub_403904 - derive the expected serial remainder from NAME.
;   C-ish signature: int sub_403904(const char *name, int q)   (ret 8: callee
;   pops both arguments; ecx is set by the caller but never read here)
; In:   [ebp+08] = name, C string (strcpy source)
;       [ebp+0C] = q = SN / 10000000 as computed by the caller (1..9)
; Out:  eax = (H * q) rem 10000000, signed remainder (cdq / idiv)
;       H = sum for i = 0..15 of sext(buf[i]) << (16 - i)
;       buf = first 16 bytes of name, padded with 0x7D ('}') from the first NUL
; Clobbers: eax, ecx, edx, flags. esi/edi saved and restored; ebp frame.
; Stack:  16-byte local buffer at [ebp-10 .. ebp-1]; saved esi/edi lie below it,
;         saved ebp and the return address lie directly above it.
; SECURITY (review): strcpy at 00403917 copies name into that 16-byte buffer
;   with no length check visible in this routine. A name of 16 or more bytes
;   (plus its NUL) runs into the saved ebp, and from 20 bytes into the return
;   address at [ebp+4]. Whether the dialog limits the field length is not
;   visible in this listing - confirm before treating it as exploitable.
; Note: bytes >= 0x80 are sign-extended (movsx), so non-ASCII names can make
;   H negative; idiv then yields a negative remainder, which can never equal
;   the caller's unsigned 0..9999999 remainder.
; ---------------------------------------------------------------------------
:00403904 55                      push ebp
:00403905 8BEC                    mov ebp, esp
:00403907 83EC10                  sub esp, 00000010                    ; 16-byte buffer at [ebp-10]
:0040390A 56                      push esi
:0040390B 57                      push edi
:0040390C FF7508                  push [ebp+08]                        ; src = name
:0040390F 8D45F0                  lea eax, dword ptr [ebp-10]
:00403912 33F6                    xor esi, esi                         ; esi = "NUL seen" flag for the pad loop
:00403914 33FF                    xor edi, edi                         ; edi = H accumulator
:00403916 50                      push eax                             ; dst = buffer

* Reference To: MSVCRT.strcpy, Ord:02BAh
                                 |
:00403917 E8EC5A0000              Call 00409408                        ; strcpy(buf, name) - unbounded, see header
:0040391C 59                      pop ecx                              ; cdecl cleanup
:0040391D 59                      pop ecx
:0040391E 33C9                    xor ecx, ecx                         ; ecx = i

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403939(C)
|
:00403920 807C0DF000              cmp byte ptr [ebp+ecx-10], 00        ; buf[i] == NUL ?
:00403925 8D440DF0                lea eax, dword ptr [ebp+ecx-10]      ; eax = &buf[i]
:00403929 7404                    je 0040392F                          ; NUL: start padding
:0040392B 85F6                    test esi, esi
:0040392D 7406                    je 00403935                          ; no NUL seen yet: keep the original byte

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403929(C)
|
:0040392F 6A01                    push 00000001
:00403931 C6007D                  mov byte ptr [eax], 7D               ; buf[i] = 0x7D ('}') - this byte and every later one
:00403934 5E                      pop esi                              ; esi = 1: padding mode from now on

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040392D(C)
|
:00403935 41                      inc ecx
:00403936 83F910                  cmp ecx, 00000010                    ; 16 bytes
:00403939 7CE5                    jl 00403920
:0040393B 6A10                    push 00000010
:0040393D 33C0                    xor eax, eax                         ; eax = i = 0
:0040393F 59                      pop ecx                              ; ecx = 16 = initial shift count
     
; (author) The loop above pads NAME to 16 bytes with 0x7D, producing NEW. The
; result is not NUL-terminated; that is fine because the hash loop below is
; fixed-length (16 iterations).
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403953(C)
|                                                                       ; ecx starts at 0x10 = 16
:00403940 0FBE5405F0              movsx edx, byte ptr [ebp+eax-10]     ; edx = sext(buf[i]); bytes >= 0x80 go negative
:00403945 6A01                    push 000000010                       ; bytes 6A01 = push 1 (the listed operand is a transcription typo)
:00403947 5E                      pop esi                              ; esi = 1
:00403948 D3E6                    shl esi, cl                          ; esi = 1 << ecx, ecx runs 16,15,...,1
:0040394A 0FAFD6                  imul edx, esi                        ; edx = buf[i] << (16 - i)
:0040394D 03FA                    add edi, edx                         ; H += edx
:0040394F 40                      inc eax
:00403950 49                      dec ecx
:00403951 85C9                    test ecx, ecx
:00403953 7FEB                    jg 00403940                          ; 16 iterations
:00403955 8BC7                    mov eax, edi                         ; eax = H (equals the serial only when 10000000 <= H < 20000000, i.e. q = 1 and H mod 1e7 = H - 1e7)
:00403957 B980969800              mov ecx, 00989680                    ; 10000000
:0040395C 0FAF450C                imul eax, dword ptr [ebp+0C]         ; eax = H * q; q is 1 only for SN < 20000000
:00403960 99                      cdq
:00403961 F7F9                    idiv ecx                             ; edx = (H * q) rem 10000000 (signed remainder, NOT "H - 10000000")
:00403963 5F                      pop edi
:00403964 5E                      pop esi
:00403965 8BC2                    mov eax, edx                         ; return the remainder; caller compares it to SN mod 10000000
:00403967 C9                      leave
:00403968 C20800                  ret 0008
=========================================================================================================
算法整理:
1.首先判断注册码SN是否在 10000001~99999998 之间(0040383B 的 JNA 和 00403842 的 JNC 都是无符号比较,10000000 与 99999999 本身均不通过);
2.判断注册名NAME是否为16位,如果小于16位,就将用户名后面以0x7D补齐,生成新字符串NEW(只取前16个字节参与计算);
 举例:假设注册名为:NAME="abcd"就生成字符串NEW="abcd}}}}}}}}}}}}";
3.取新字符串NEW的16个字节逐个计算 H = Σ NEW[i]<<(16-i),i=0..15(每个字节经 movsx 按有符号扩展);
4.设 q = SN/10000000(整数商,1~9),r = SN mod 10000000,程序比较的是 (H*q) mod 10000000 与 r 是否相等,
  因此对任一 q∈1..9,SN = q*10000000 + ((H*q) mod 10000000) 都能通过校验;当 10000000 ≤ H < 20000000 时取 q=1 即得 SN = H,这就是下文"EDI 就是注册码"的由来;
 以NAME为abcd为例说明:(ECX初始值为0x10=16、EDI初始值为0)
 NAME="abcd"就生成字符串NEW="abcd}}}}}}}}}}}}"
 
 NEW1="a"                                   NEW2="b"
 EDX=NEW1=0x61                              EDX=NEW2=0x62
 ESI=1                                      ESI=1
 ESI=ESI<<ECX=1<<0x10=0x10000               ESI=ESI<<ECX=1<<0xF=0x8000
 EDX=EDX*ESI=0x61*0x10000=0x610000          EDX=EDX*ESI=0x62*0x8000=0x310000
 EDI=EDI+EDX=0+0x610000=0x610000            EDI=EDI+EDX=0x610000+0x310000=0x920000
 ECX=ECX-1=0x10-1=0xF                       ECX=ECX-1=0xF-1=0xE
 
 NEW3="c"                                   NEW4="d"
 EDX=NEW3=0x63                              EDX=NEW4=0x64
 ESI=1                                      ESI=1
 ESI=ESI<<ECX=1<<0xE=0x4000                 ESI=ESI<<ECX=1<<0xD=0x2000
 EDX=EDX*ESI=0x63*0x4000=0x18C000           EDX=EDX*ESI=0x64*0x2000=0xC8000
 EDI=EDI+EDX=0x920000+0x18C000=0xAAC000     EDI=EDI+EDX=0xAAC000+0xC8000=0xB74000
 ECX=ECX-1=0xE-1=0xD                        ECX=ECX-1=0xD-1=0xC

 NEW5=0x7D                                  NEW6=0x7D
 EDX=NEW5=0x7D                              EDX=NEW6=0x7D
 ESI=1                                      ESI=1
 ESI=ESI<<ECX=1<<0xC=0x1000                 ESI=ESI<<ECX=1<<0xB=0x800
 EDX=EDX*ESI=0x7D*0x1000=0x7D000            EDX=EDX*ESI=0x7D*0x800=0x3E800
 EDI=EDI+EDX=0xB74000+0x7D000=0xBF1000      EDI=EDI+EDX=0xBF1000+0x3E800=0xC2F800
 ECX=ECX-1=0xB                              ECX=ECX-1=0xA
........................(NEW7~NEW16 均为 0x7D,移位次数依次为 0xA~0x1,合计再加 0x7D*(0x800-2)=0x3E706)
最后得出EDI=0xC2F800+0x3E706=0xC6DF06=13033222,即 H;由于 10000000 ≤ H < 20000000,取 q=1 得注册码 SN = H = 13033222。
(NEW4 一步原文误写为 0x63*0x2000=0xC6000,上面已按 0x64*0x2000=0xC8000 更正,最终结果 0xC6DF06 不变。)

注意:该软件比较真假注册码时,并不是"都减去10000000",而是用除法取 10000000 的余数(00403865 处 div edi 得到 SN mod 10000000,00403961 处 idiv ecx 得到 (H*q) mod 10000000),只有当 SN < 20000000 时余数才恰好等于 SN-10000000;
     被比较的是 7 位余数而不是完整注册码,所以不能在比较处直接用内存注册机读出注册码。
     另外两点值得注意:(1) 00403898 起还有一条旁路:当注册名为 "guest" 且 (SN & 0xFFF) == 0x4B5 时同样弹出"校验成功"(带日期限制),且这条路径不经过 10000000~99999999 的范围判断;
     (2) 关键CALL 中 00403917 处用 strcpy 把注册名复制进 [ebp-10] 这个 16 字节的栈缓冲区,本段代码里看不到任何长度检查,若对话框本身没有限制输入长度,16 字节以上的注册名就会覆盖保存的 EBP 乃至返回地址(是否可利用需先确认输入框的长度限制)。

内存注册机:
中断地址: 403855        中断地址:403957
中断次数: 1             中断次数:1
第一字节: E8            第一字节:B9
指令长度: 5             指令长度:5

选择寄存器方式、EAX、十进制;
(说明:403957 处的 EAX 是上文的 H,尚未乘以 q、也未对 10000000 取余,只有当 10000000 ≤ H < 20000000 时它才直接等于注册码,否则应换算为 10000000 + (H mod 10000000);
 而 403855 处的 EAX 在 call 之前是 SN/10000000 的商、call 返回后是 (H*q) mod 10000000,两者都不是完整注册码,单凭该断点读不出注册码。)


    
    
     
    
    
     


