eXeScope 6.30 Registration Code Algorithm Analysis
Time: 2004/10/15 0:57:00 Source: compiled by this site Author: 蓝点
Software: eXeScope 6.30
Download: http://www.kagi.com/
Size: 843KB (after localization)
Protection: registration code
Tools used: TRW2000 Chinese 1.23 registered version, fi2.5, keymake1.73, w32dasm Gold Edition (Chinese)
Cracking date: 13 March 2003
***************************************************
Description: Used to view, modify, add and delete the resources of Win32 executables; naturally it is also the best localization tool.
Cracking notes: This is the first program whose registration-code algorithm I have studied carefully (because the registration code is not compared in plain text inside the program). Heh, assembly? I never studied it, so some parts I have surely misunderstood; corrections from the experts are welcome! One more thing: I could not work out what digits 6 to 8 of the registration code should be, or what relationship they have; everything I tried at random passed, and it only failed when I entered letters.
1. First, fi2.5 shows that the program is not packed; perhaps because I am using the localized version, the packer has already been dumped off.
2. Disassemble EXESCOPE.exe (the main file of eXeScope 6.30) statically with the Chinese w32dasm Gold Edition, open "String Data References", find "无效 ID 或名称" ("Invalid ID or name", what a classic line) and double-click it to arrive at the code below:
Note: the main purpose of the static disassembly in w32dasm is to locate the key part of the registration routine quickly; how the program actually runs still has to be traced in the registered TRW2000 1.23.
3. Load the main program EXESCOPE.exe in the registered TRW2000 1.23; TRW2000 breaks immediately. F5, go to the registration dialog,
enter newlaos as the name and 78787878 as the ID (influenced by earlier writers), but do not press "OK" yet.
Ctrl+N into TRW2000 and set a breakpoint with BPX 4A60FA (placing the breakpoint a little before the key jump helps in analyzing how the program runs). F5 back to eXeScope 6.30, now click "OK"; TRW2000 breaks again, and we land here:
......
......
:004A60FA 8D55FC lea edx, dword ptr [ebp-04] <=== the program stops on this line
:004A60FD 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:004A6103 E8F4DAF8FF call 00433BFC <=== computes the length of the entered name, EAX=7 (newlaos)
:004A6108 8B55FC mov edx, dword ptr [ebp-04]
:004A610B A1C4294B00 mov eax, dword ptr [004B29C4]
:004A6110 E8F7DAF5FF call 00403C0C
:004A6115 8D55F8 lea edx, dword ptr [ebp-08]
:004A6118 8B83D4020000 mov eax, dword ptr [ebx+000002D4]
:004A611E E8D9DAF8FF call 00433BFC <=== computes the length of the entered ID, EAX=8 (78787878)
:004A6123 8B55F8 mov edx, dword ptr [ebp-08] <=== EDX=78787878
:004A6126 A140294B00 mov eax, dword ptr [004B2940]
:004A612B E8DCDAF5FF call 00403C0C
:004A6130 8B1540294B00 mov edx, dword ptr [004B2940] <=== EDX=78787878
:004A6136 8B12 mov edx, dword ptr [edx]
:004A6138 A17C274B00 mov eax, dword ptr [004B277C]
:004A613D 8B00 mov eax, dword ptr [eax]
:004A613F E8D8800000 call 004AE21C <=== this is the algorithm CALL, F8 to step in (for registration to succeed, it must not return EAX=0)
:004A6144 84C0 test al, al <=== is AL zero?
:004A6146 0F848D000000 je 004A61D9 <=== if AL=0, jump away: game over
:004A614C A1C4294B00 mov eax, dword ptr [004B29C4]
:004A6151 8B00 mov eax, dword ptr [eax]
:004A6153 E8E0DCF5FF call 00403E38
:004A6158 85C0 test eax, eax
:004A615A 7E7D jle 004A61D9 <=== if this jump is taken, game over
:004A615C 8D55F0 lea edx, dword ptr [ebp-10]
:004A615F A1D0294B00 mov eax, dword ptr [004B29D0]
:004A6164 8B00 mov eax, dword ptr [eax]
:004A6166 E8A5BEFAFF call 00452010
:004A616B 8B45F0 mov eax, dword ptr [ebp-10]
:004A616E 8D4DF4 lea ecx, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->".ini"
|
:004A6171 BA38624A00 mov edx, 004A6238
<=== reaching here means the registration code is correct; the registration info is saved to EXESCOPE.ini
:004A6176 E8C134F6FF call 0040963C
:004A617B 8B4DF4 mov ecx, dword ptr [ebp-0C]
:004A617E B201 mov dl, 01
:004A6180 A138774700 mov eax, dword ptr [00477738]
:004A6185 E85616FDFF call 004777E0
:004A618A 8BF0 mov esi, eax
:004A618C A1C4294B00 mov eax, dword ptr [004B29C4]
:004A6191 8B00 mov eax, dword ptr [eax]
:004A6193 50 push eax
* Possible StringData Ref from Code Obj ->"Name"
|
:004A6194 B948624A00 mov ecx, 004A6248 <=== the name is saved
* Possible StringData Ref from Code Obj ->"Reg"
|
:004A6199 BA58624A00 mov edx, 004A6258
:004A619E 8BC6 mov eax, esi
:004A61A0 8B38 mov edi, dword ptr [eax]
:004A61A2 FF5704 call [edi+04]
:004A61A5 A140294B00 mov eax, dword ptr [004B2940]
:004A61AA 8B00 mov eax, dword ptr [eax]
:004A61AC 50 push eax
* Possible StringData Ref from Code Obj ->"Reg"
|
:004A61AD BA58624A00 mov edx, 004A6258 <=== the registration number is saved; it is verified on every start-up
:004A61B2 B964624A00 mov ecx, 004A6264
:004A61B7 8BC6 mov eax, esi
:004A61B9 8B38 mov edi, dword ptr [eax]
:004A61BB FF5704 call [edi+04]
:004A61BE 8BC6 mov eax, esi
:004A61C0 E80FCDF5FF call 00402ED4
:004A61C5 A184274B00 mov eax, dword ptr [004B2784]
:004A61CA C60001 mov byte ptr [eax], 01
:004A61CD C7833402000001000000 mov dword ptr [ebx+00000234], 00000001
:004A61D7 EB20 jmp 004A61F9 <=== jump down, normal execution continues
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A6146(C), :004A615A(C)
|
:004A61D9 6A00 push 00000000
:004A61DB 8D55EC lea edx, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->"无效 ID 或名称"
|
:004A61DE B870624A00 mov eax, 004A6270 <=== two places, 004A6146 and 004A615A, jump here to report the error.
:004A61E3 E808900000 call 004AF1F0
:004A61E8 8B45EC mov eax, dword ptr [ebp-14]
:004A61EB 668B0DA0624A00 mov cx, word ptr [004A62A0]
:004A61F2 B201 mov dl, 01
:004A61F4 E80B25FBFF call 00458704
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A60F5(U), :004A61D7(U)
|
:004A61F9 33C0 xor eax, eax
:004A61FB 5A pop edx
:004A61FC 59 pop ecx
:004A61FD 59 pop ecx
:004A61FE 648910 mov dword ptr fs:[eax], edx
:004A6201 6828624A00 push 004A6228
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A6226(U)
|
:004A6206 8D45EC lea eax, dword ptr [ebp-14]
:004A6209 BA03000000 mov edx, 00000003
:004A620E E8C9D9F5FF call 00403BDC
:004A6213 8D45F8 lea eax, dword ptr [ebp-08]
:004A6216 BA02000000 mov edx, 00000002
:004A621B E8BCD9F5FF call 00403BDC
:004A6220 C3 ret
:004A6221 E90ED4F5FF jmp 00403634
:004A6226 EBDE jmp 004A6206
:004A6228 5F pop edi
:004A6229 5E pop esi
:004A622A 5B pop ebx
:004A622B 8BE5 mov esp, ebp
:004A622D 5D pop ebp
:004A622E C3 ret
......
......
------- :004A613F call 004AE21C ------ after stepping in with F8 we arrive at the following code (note: when this block finishes, EAX must not be 0) ---------------------------
:004AE21C 55 push ebp
:004AE21D 8BEC mov ebp, esp
:004AE21F 51 push ecx
:004AE220 53 push ebx
:004AE221 8955FC mov dword ptr [ebp-04], edx
:004AE224 8B45FC mov eax, dword ptr [ebp-04]
:004AE227 E8C05DF5FF call 00403FEC
:004AE22C 33C0 xor eax, eax
:004AE22E 55 push ebp
:004AE22F 68BEE24A00 push 004AE2BE
:004AE234 64FF30 push dword ptr fs:[eax]
:004AE237 648920 mov dword ptr fs:[eax], esp
:004AE23A 33DB xor ebx, ebx
:004AE23C 8B45FC mov eax, dword ptr [ebp-04] <=== EAX=7878787878
:004AE23F E8F45BF5FF call 00403E38
:004AE244 83F80A cmp eax, 0000000A <=== is the length of the entered ID 10 (0x0A)?
:004AE247 755F jne 004AE2A8 <=== if not 10, jump, and EAX is set to 0
:004AE249 8B55FC mov edx, dword ptr [ebp-04] <=== EDX=7878787878
* Possible StringData Ref from Code Obj ->"A1910"
|
:004AE24C B8D4E24A00 mov eax, 004AE2D4 <=== the string A1910 used in the ID comparison is loaded here
:004AE251 E8CE5EF5FF call 00404124 <=== a key CALL (checks whether the first 5 characters of the ID are A1910), F8 to step in
:004AE256 48 dec eax
:004AE257 7410 je 004AE269 <=== jumps (the correct path) when the first 5 characters of the ID are A1910
:004AE259 8B55FC mov edx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"A1423" <=== if not A1910, check whether it is A1423
|
:004AE25C B8E4E24A00 mov eax, 004AE2E4
:004AE261 E8BE5EF5FF call 00404124 <=== a key CALL (checks whether the first 5 characters of the ID are A1423)
:004AE266 48 dec eax
:004AE267 753F jne 004AE2A8 <=== when the first 5 characters of the ID are A1423 the jump is not taken and the next line executes
<=== the key CALL (first 5 characters A1423?) gives a second chance, so at this point we can tentatively infer that the ID has the form A1910XXXXX or A1423XXXXX (must be 10 characters). Change the ID to A191078787 and start over.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AE257(C)
|
:004AE269 B802000000 mov eax, 00000002 <=== the initial value of EAX is 2
<=== execution reaches here if the first 5 characters of the ID are A1910 or A1423
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AE286(C)
|
:004AE26E 8B55FC mov edx, dword ptr [ebp-04] <=== EDX = C665F8 = A191078787
:004AE271 8A5402FF mov dl, byte ptr [edx+eax-01]
<=== each iteration takes the next ID digit, with 0x30 added (I am not sure how to put this), and replaces the low byte of EDX with it; e.g. when the first 7 is read, EDX=C66537, and when the 8 is read, EDX=C66538
:004AE275 80FA30 cmp dl, 30
:004AE278 722E jb 004AE2A8 <=== I do not understand the condition on this line; if you know assembly, please tell me
:004AE27A 8B4DFC mov ecx, dword ptr [ebp-04]
:004AE27D 80FA39 cmp dl, 39
:004AE280 7726 ja 004AE2A8 <=== (if digits 6 to 8 of the ID are not numeric, jump to the error)
:004AE282 40 inc eax <=== EAX=EAX+1, 10 iterations in total
:004AE283 83F80B cmp eax, 0000000B <=== loop exit condition: leave the loop when EAX=B
:004AE286 75E6 jne 004AE26E <=== after 10 iterations the jump is no longer taken
:004AE288 8B45FC mov eax, dword ptr [ebp-04]
:004AE28B 0FB64008 movzx eax, byte ptr [eax+08]
<=== zero-extend, then move: EAX=0x38 (hex), i.e. the second-to-last digit plus 0x30, goes into EAX
:004AE28F 8B55FC mov edx, dword ptr [ebp-04]
:004AE292 0FB65209 movzx edx, byte ptr [edx+09]
<=== zero-extend, then move: EDX=0x37 (hex), i.e. the last digit plus 0x30, goes into EDX
:004AE296 03C2 add eax, edx
<=== the last two values are added and the result in EAX is the dividend: EAX=0x38+0x37=0x6F
:004AE298 B90A000000 mov ecx, 0000000A
<=== 0x0A goes into ECX as the divisor
:004AE29D 33D2 xor edx, edx <=== clear EDX
:004AE29F F7F1 div ecx <=== divide EAX by ECX: the quotient goes to EAX, the remainder to EDX
:004AE2A1 83FA04 cmp edx, 00000004 <=== is the remainder 4? This is the single most critical spot ***
:004AE2A4 7502 jne 004AE2A8 <=== if not, jump to the error
:004AE2A6 B301 mov bl, 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004AE247(C), :004AE267(C), :004AE278(C), :004AE280(C), :004AE2A4(C)
|
:004AE2A8 33C0 xor eax, eax
:004AE2AA 5A pop edx
:004AE2AB 59 pop ecx
:004AE2AC 59 pop ecx
:004AE2AD 648910 mov dword ptr fs:[eax], edx
:004AE2B0 68C5E24A00 push 004AE2C5
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AE2C3(U)
|
:004AE2B5 8D45FC lea eax, dword ptr [ebp-04] <=== releases the local string at [ebp-04] (finally-block cleanup)
:004AE2B8 E8FB58F5FF call 00403BB8
:004AE2BD C3 ret
:004AE2BE E97153F5FF jmp 00403634
:004AE2C3 EBF0 jmp 004AE2B5
:004AE2C5 8BC3 mov eax, ebx <=== return value: EAX = EBX, which is 1 only if bl was set at 004AE2A6, otherwise 0
:004AE2C7 5B pop ebx
:004AE2C8 59 pop ecx
:004AE2C9 5D pop ebp
:004AE2CA C3 ret
Summary of this block:
a. The registration code evidently has the form A1910XXXAB or A1423XXXMN (X is any character, M is the second-to-last digit, N the last digit)
b. M becomes 0x3M (hex) and N becomes 0x3N (hex); the two are added and divided by 0x0A, and the remainder must be 0x04
c. Hence 3M+3N=0x68, so the correct final two digits can be 08, 17, 26, 35, 44, 53, 62, 71, 80
or 3M+3N=0x72 (anything whose remainder after dividing by A is 0x04 works), giving 99
--- :004AE251 call 00404124 --- F8 into the following code ------------------------
--- a key CALL (checks whether the first 5 characters of the ID are A1910 or A1423) ---------------
:00404124 85C0 test eax, eax
:00404126 7440 je 00404168
:00404128 85D2 test edx, edx <=== was an ID entered?
:0040412A 7431 je 0040415D <=== if the entered ID is empty, jump away and report the error!
:0040412C 53 push ebx
:0040412D 56 push esi
:0040412E 57 push edi
:0040412F 89C6 mov esi, eax <=== EAX=A1910
:00404131 89D7 mov edi, edx <=== EDX = the fake ID entered the second time (A191078787)
:00404133 8B4FFC mov ecx, dword ptr [edi-04] <=== ECX=10, length of the fake code
:00404136 57 push edi
:00404137 8B56FC mov edx, dword ptr [esi-04] <=== EDX=5 (length of A1910)
:0040413A 4A dec edx <=== EDX=EDX-1=4
:0040413B 781B js 00404158 <=== not taken
:0040413D 8A06 mov al, byte ptr [esi]
:0040413F 46 inc esi
:00404140 29D1 sub ecx, edx <=== ECX=ECX-EDX=10-4=6
:00404142 7E14 jle 00404158 <=== not taken
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404156(U)
|
:00404144 F2 repnz
:00404145 AE scasb <=== checks whether the first character of the ID is A (uppercase)
:00404146 7510 jne 00404158
:00404148 89CB mov ebx, ecx
:0040414A 56 push esi
:0040414B 57 push edi
:0040414C 89D1 mov ecx, edx
:0040414E F3 repz
:0040414F A6 cmpsb <=== checks characters 2 to 5 of the ID in turn against 1910 or 1423
:00404150 5F pop edi
:00404151 5E pop esi
:00404152 740C je 00404160 <=== if all the characters above match, this jump is taken (the correct path)
:00404154 89D9 mov ecx, ebx
:00404156 EBEC jmp 00404144
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040413B(C), :00404142(C), :00404146(C)
|
:00404158 5A pop edx
:00404159 31C0 xor eax, eax
:0040415B EB08 jmp 00404165
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040412A(C)
|
:0040415D 31C0 xor eax, eax
:0040415F C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404152(C)
|
:00404160 5A pop edx <=== lands here
:00404161 89F8 mov eax, edi
:00404163 29D0 sub eax, edx <=== EAX = position of the match, which is 1 here
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040415B(U)
|
:00404165 5F pop edi
:00404166 5E pop esi
:00404167 5B pop ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404126(C)
|
:00404168 C3 ret
4. Conclusions:
a. The registration code does not depend on the user name
b. The registration code has the form A1910XXXAB or A1423XXXMN (note: the leading A must be uppercase)
c. X is any digit, but not a letter; M is the second-to-last digit, N the last digit
d. The correct final two digits can be 08, 17, 26, 35, 44, 53, 62, 71, 80 or 99
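The check routine at 004AE21C rendered as C, added here as a readable counterpart to the listing above (my own re-expression for this write-up, not eXeScope's source; the function names are mine). It also spells out what the `jb`/`ja` pair at 004AE278/004AE280 tests: an unsigned range check that each byte is an ASCII digit.

```c
#include <stdbool.h>
#include <string.h>

/* Does `id` start with `prefix`? Mirrors the Pos()-style search at 00404124
 * followed by "dec eax / je": only a match at position 1 is accepted. */
static bool starts_with(const char *id, const char *prefix)
{
    return strncmp(id, prefix, strlen(prefix)) == 0;
}

/* Re-expression of the routine at 004AE21C (not eXeScope's own code). */
bool exescope_id_is_valid(const char *id)
{
    if (strlen(id) != 10)                      /* cmp eax, 0000000A / jne */
        return false;
    if (!starts_with(id, "A1910") && !starts_with(id, "A1423"))
        return false;                          /* the two prefix CALLs */

    /* Loop at 004AE26E: eax runs 2..10 and reads [edx+eax-01], i.e. the
     * characters at 0-based positions 1..9. "cmp dl,30 / jb" is the unsigned
     * lower bound and "cmp dl,39 / ja" the upper bound, so each of those
     * bytes must be an ASCII digit ('0' = 0x30 .. '9' = 0x39). */
    for (int i = 1; i < 10; i++) {
        unsigned char c = (unsigned char)id[i];
        if (c < 0x30 || c > 0x39)
            return false;
    }

    /* movzx the ASCII bytes at offsets 8 and 9, add them, div by 0x0A;
     * the remainder left in EDX must be 4. */
    unsigned sum = (unsigned char)id[8] + (unsigned char)id[9];
    return sum % 10 == 4;                      /* cmp edx, 00000004 */
}
```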
5. The registration info is stored in the file EXESCOPE.ini:
[Reg]
Name=newlaos
ID=A191090008