本文旨在给入门者提供一个破解分析的思路,高手请绕行。该软件是一款彩票软件,采用光盘注册的方式,未注册时不能使用分析和选号功能。
该软件用ASPack 1.07加壳压缩,可以用unaspack1.09来脱壳;脱壳后的文件不能运行,只能用来反汇编。反汇编后查找“提示:请插入“白金版”光盘进行注册。”这个字符串,双击后来到下面的代码:
:00401D5A E8BDC80000 call 0040E61C <====注册码运算对比
:00401D5F 84C0 test al, al
:00401D61 0F8545010000 jne 00401EAC <====注册码正确,则跳到注册成功的地方
:00401D67 66C78558FFFFFFE000 mov word ptr [ebp+FFFFFF58], 00E0
* Possible StringData Ref from Data Obj ->"提示:请插入“白金版”光盘进行注册。"
|
:00401D70 BA1A2A6C00 mov edx, 006C2A1A
:00401D75 8D4598 lea eax, dword ptr [ebp-68]
:00401D78 E82FD92B00 call 006BF6AC
:00401D7D FF8564FFFFFF inc dword ptr [ebp+FFFFFF64]
:00401D83 8B00 mov eax, dword ptr [eax]
:00401D85 E8BA2B2600 call 00664944
:00401D8A FF8D64FFFFFF dec dword ptr [ebp+FFFFFF64]
:00401D90 8D4598 lea eax, dword ptr [ebp-68]
:00401D93 BA02000000 mov edx, 00000002
:00401D98 E8ABDB2B00 call 006BF948
:00401D9D E85AC60000 call 0040E3FC
:00401DA2 84C0 test al, al
:00401DA4 7545 jne 00401DEB
:00401DA6 66C78558FFFFFFEC00 mov word ptr [ebp+FFFFFF58], 00EC
* Possible StringData Ref from Data Obj ->"提示:注册失败。"
|
:00401DAF BA3F2A6C00 mov edx, 006C2A3F
:00401DB4 8D4594 lea eax, dword ptr [ebp-6C]
:00401DB7 E8F0D82B00 call 006BF6AC
我们进入00401D5A这个CALL看看怎么运算注册码的:
:0040E61C 55 push ebp
:0040E61D 8BEC mov ebp, esp
:0040E61F 83C4B4 add esp, FFFFFFB4
:0040E622 53 push ebx
:0040E623 56 push esi
:0040E624 57 push edi
:0040E625 B818726C00 mov eax, 006C7218
:0040E62A E891582A00 call 006B3EC0
:0040E62F 66C745CC0800 mov [ebp-34], 0008
:0040E635 8D45FC lea eax, dword ptr [ebp-04]
:0040E638 E85B3AFFFF call 00402098
:0040E63D FF45D8 inc [ebp-28]
:0040E640 66C745CC1400 mov [ebp-34], 0014
:0040E646 66C745CC2000 mov [ebp-34], 0020
:0040E64C 8D45F8 lea eax, dword ptr [ebp-08]
:0040E64F E8443AFFFF call 00402098
:0040E654 FF45D8 inc [ebp-28]
:0040E657 66C745CC1400 mov [ebp-34], 0014
:0040E65D B201 mov dl, 01
:0040E65F A184116300 mov eax, dword ptr [00631184]
:0040E664 E8C72C2200 call 00631330
:0040E669 8945B4 mov dword ptr [ebp-4C], eax
:0040E66C BA02000080 mov edx, 80000002
:0040E671 8B45B4 mov eax, dword ptr [ebp-4C]
:0040E674 E89F0F2B00 call 006BF618
:0040E679 66C745CC2C00 mov [ebp-34], 002C
* Possible StringData Ref from Data Obj ->"Software\Microsoft\MSE\9.0" <====查询注册表中软件有没有注册过
|
:0040E67F BAD0566C00 mov edx, 006C56D0
:0040E684 8D45F4 lea eax, dword ptr [ebp-0C]
:0040E687 E820102B00 call 006BF6AC
:0040E68C FF45D8 inc [ebp-28]
:0040E68F 8B10 mov edx, dword ptr [eax]
:0040E691 B101 mov cl, 01
:0040E693 8B45B4 mov eax, dword ptr [ebp-4C]
:0040E696 E8892E2200 call 00631524
:0040E69B 3C01 cmp al, 01
:0040E69D 0F94C2 sete dl
:0040E6A0 83E201 and edx, 00000001
:0040E6A3 52 push edx
:0040E6A4 FF4DD8 dec [ebp-28]
:0040E6A7 8D45F4 lea eax, dword ptr [ebp-0C]
:0040E6AA BA02000000 mov edx, 00000002
:0040E6AF E894122B00 call 006BF948
:0040E6B4 59 pop ecx
:0040E6B5 84C9 test cl, cl
:0040E6B7 0F84CC000000 je 0040E789
:0040E6BD 66C745CC3800 mov [ebp-34], 0038
:0040E6C3 66C745CC4400 mov [ebp-34], 0044
:0040E6C9 8D45EC lea eax, dword ptr [ebp-14]
:0040E6CC E8C739FFFF call 00402098
:0040E6D1 50 push eax
:0040E6D2 FF45D8 inc [ebp-28]
* Possible StringData Ref from Data Obj ->"Code" <=====注册码存放的地方
|
:0040E6D5 BAEB566C00 mov edx, 006C56EB
:0040E6DA 8D45F0 lea eax, dword ptr [ebp-10]
:0040E6DD E8CA0F2B00 call 006BF6AC
:0040E6E2 FF45D8 inc [ebp-28]
:0040E6E5 8B10 mov edx, dword ptr [eax]
:0040E6E7 8B45B4 mov eax, dword ptr [ebp-4C]
:0040E6EA 59 pop ecx
:0040E6EB E8DC312200 call 006318CC
:0040E6F0 8D55EC lea edx, dword ptr [ebp-14]
:0040E6F3 8D45FC lea eax, dword ptr [ebp-04]
:0040E6F6 E87D122B00 call 006BF978
:0040E6FB FF4DD8 dec [ebp-28]
:0040E6FE 8D45EC lea eax, dword ptr [ebp-14]
:0040E701 BA02000000 mov edx, 00000002
:0040E706 E83D122B00 call 006BF948
:0040E70B FF4DD8 dec [ebp-28]
:0040E70E 8D45F0 lea eax, dword ptr [ebp-10]
:0040E711 BA02000000 mov edx, 00000002
:0040E716 E82D122B00 call 006BF948
:0040E71B 66C745CC1400 mov [ebp-34], 0014
:0040E721 EB17 jmp 0040E73A
:0040E723 C645BB00 mov [ebp-45], 00
:0040E727 66C745CC1400 mov [ebp-34], 0014
:0040E72D EB64 jmp 0040E793
:0040E72F 66C745CC4000 mov [ebp-34], 0040
:0040E735 E818E02A00 call 006BC752
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E721(U)
|
:0040E73A 66C745CC5000 mov [ebp-34], 0050
:0040E740 8D45E8 lea eax, dword ptr [ebp-18]
:0040E743 E85039FFFF call 00402098
:0040E748 FF45D8 inc [ebp-28]
:0040E74B E8B0000000 call 0040E800 <=====运算注册码
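:0040E750 8D45E8 lea eax, dword ptr [ebp-18] <====注册表中的键值(按前面的数据流,[ebp-18]是传给0040E800的输出缓冲区,更可能是算出的注册码)
:0040E753 8D55FC lea edx, dword ptr [ebp-04] <====运算出来的注册码(0040E6F6处已把从注册表读出的Code赋给[ebp-04],更可能是注册表值;比较是对称的,结论不变)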
:0040E756 E8D1122B00 call 006BFA2C <====比较
下面是比较注册码的CALL:
:006BFA2C 55 push ebp
:006BFA2D 8BEC mov ebp, esp
:006BFA2F 53 push ebx
:006BFA30 8B00 mov eax, dword ptr [eax] <====注册表中的键值
:006BFA32 8B12 mov edx, dword ptr [edx] <====运算出来的注册码
:006BFA34 E89774FEFF call 006A6ED0
:006BFA39 0F94C0 sete al <====设标志
:006BFA3C 83E001 and eax, 00000001
:006BFA3F 5B pop ebx
:006BFA40 5D pop ebp
:006BFA41 C3 ret
我们进入0040E74B运算注册码的CALL:
* Referenced by a CALL at Addresses:
|:0040E475 , :0040E74B , :0054CE8B
|
:0040E800 55 push ebp
:0040E801 8BEC mov ebp, esp
:0040E803 81C470FFFFFF add esp, FFFFFF70
:0040E809 53 push ebx
:0040E80A 8945CC mov dword ptr [ebp-34], eax
:0040E80D B888736C00 mov eax, 006C7388
:0040E812 E8A9562A00 call 006B3EC0
:0040E817 66C745B80800 mov [ebp-48], 0008
:0040E81D 8D45FC lea eax, dword ptr [ebp-04]
:0040E820 E87338FFFF call 00402098
:0040E825 FF45C4 inc [ebp-3C]
:0040E828 66C745B81400 mov [ebp-48], 0014
:0040E82E 66C745B82000 mov [ebp-48], 0020
:0040E834 8D45F8 lea eax, dword ptr [ebp-08]
:0040E837 E85C38FFFF call 00402098
:0040E83C FF45C4 inc [ebp-3C]
:0040E83F 66C745B81400 mov [ebp-48], 0014
:0040E845 66C745B82C00 mov [ebp-48], 002C
:0040E84B 8D45F4 lea eax, dword ptr [ebp-0C]
:0040E84E E84538FFFF call 00402098
:0040E853 FF45C4 inc [ebp-3C]
:0040E856 66C745B81400 mov [ebp-48], 0014
:0040E85C 6A00 push 00000000
:0040E85E 6A00 push 00000000
:0040E860 6A00 push 00000000
:0040E862 6A00 push 00000000
:0040E864 8D9574FFFFFF lea edx, dword ptr [ebp+FFFFFF74]
:0040E86A 52 push edx
:0040E86B 6A00 push 00000000
:0040E86D 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"C:\"
|
:0040E86F 68F0566C00 push 006C56F0
* Reference To: KERNEL32.GetVolumeInformationA, Ord:0000h <====获得硬盘序列号(准确地说是C:\卷的卷序列号,格式化时生成,不是硬盘的出厂序列号)
|
:0040E874 E841232B00 Call 006C0BBA
:0040E879 66C745B83800 mov [ebp-48], 0038
:0040E87F 8D45F0 lea eax, dword ptr [ebp-10]
:0040E882 8B9574FFFFFF mov edx, dword ptr [ebp+FFFFFF74] <===取硬盘序列号
:0040E888 E80B102B00 call 006BF898
:0040E88D 8BD0 mov edx, eax
:0040E88F FF45C4 inc [ebp-3C]
:0040E892 8D45FC lea eax, dword ptr [ebp-04]
:0040E895 E8DE102B00 call 006BF978
:0040E89A FF4DC4 dec [ebp-3C]
:0040E89D 8D45F0 lea eax, dword ptr [ebp-10]
:0040E8A0 BA02000000 mov edx, 00000002
:0040E8A5 E89E102B00 call 006BF948 <====将硬盘序列号转换成十进制(转换更可能发生在前面的call 006BF898;006BF948在全文都以edx=2调用,看起来是释放临时字符串)
:0040E8AA 8D45FC lea eax, dword ptr [ebp-04]
:0040E8AD E8AA112B00 call 006BFA5C <====获得硬盘序列号的长度(HDLN)
:0040E8B2 89458C mov dword ptr [ebp-74], eax <====保存HDLN
:0040E8B5 C7459C07000000 mov [ebp-64], 00000007 <====变量V1
:0040E8BC C7459801000000 mov [ebp-68], 00000001 <====变量V2
:0040E8C3 C7459403000000 mov [ebp-6C], 00000003 <====变量V3
:0040E8CA 33D2 xor edx, edx
:0040E8CC 895590 mov dword ptr [ebp-70], edx <====变量V4
:0040E8CF 66C745B84400 mov [ebp-48], 0044
:0040E8D5 BA2E536C00 mov edx, 006C532E
:0040E8DA 8D45EC lea eax, dword ptr [ebp-14]
:0040E8DD E8CA0D2B00 call 006BF6AC
:0040E8E2 FF45C4 inc [ebp-3C]
:0040E8E5 8D55EC lea edx, dword ptr [ebp-14]
:0040E8E8 8D45F8 lea eax, dword ptr [ebp-08]
:0040E8EB E888102B00 call 006BF978
:0040E8F0 FF4DC4 dec [ebp-3C]
:0040E8F3 8D45EC lea eax, dword ptr [ebp-14]
:0040E8F6 BA02000000 mov edx, 00000002
:0040E8FB E848102B00 call 006BF948
:0040E900 33C9 xor ecx, ecx
:0040E902 894DA4 mov dword ptr [ebp-5C], ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address: <====循环计算注册码,共20位
|:0040EBFD(C)
|
:0040E905 B806000000 mov eax, 00000006
:0040E90A 99 cdq <====cdq把EAX符号扩展到EDX;此处EAX=6为正数,所以EDX被清0
:0040E90B F77D8C idiv [ebp-74] <====6 MOD HDLN
:0040E90E 42 inc edx <====(6 MOD HDLN)+1
:0040E90F 8B4594 mov eax, dword ptr [ebp-6C] <====取变量V3
:0040E912 40 inc eax <====V3+1
:0040E913 8BCA mov ecx, edx <====(6 MOD HDLN)+1
:0040E915 99 cdq
:0040E916 F7F9 idiv ecx <====(V3+1) MOD ((6 MOD HDLN)+1)
:0040E918 42 inc edx <====((V3+1) MOD ((6 MOD HDLN)+1))+1
:0040E919 895594 mov dword ptr [ebp-6C], edx <====V3:=((V3+1) MOD ((6 MOD HDLN)+1))+1 这个结果是要取硬盘序列号的位数
:0040E91C 8B459C mov eax, dword ptr [ebp-64] <====取V1
:0040E91F 014590 add dword ptr [ebp-70], eax <====V4:=V4+V1
:0040E922 8B459C mov eax, dword ptr [ebp-64] <====取V1
:0040E925 058B010000 add eax, 0000018B <====V1+$18B
:0040E92A B90A000000 mov ecx, 0000000A
:0040E92F 99 cdq
:0040E930 F7F9 idiv ecx <====(V1+$18B) MOD 0A
:0040E932 89559C mov dword ptr [ebp-64], edx <====V1:=(V1+$18B) MOD 0A
:0040E935 66C745B85000 mov [ebp-48], 0050
:0040E93B BA2E536C00 mov edx, 006C532E
:0040E940 8D45E8 lea eax, dword ptr [ebp-18]
:0040E943 E8640D2B00 call 006BF6AC
:0040E948 FF45C4 inc [ebp-3C]
:0040E94B 8D55E8 lea edx, dword ptr [ebp-18]
:0040E94E 8D45F4 lea eax, dword ptr [ebp-0C]
:0040E951 E822102B00 call 006BF978
:0040E956 FF4DC4 dec [ebp-3C]
:0040E959 8D45E8 lea eax, dword ptr [ebp-18]
:0040E95C BA02000000 mov edx, 00000002
:0040E961 E8E20F2B00 call 006BF948
:0040E966 33C9 xor ecx, ecx
:0040E968 894DA0 mov dword ptr [ebp-60], ecx
:0040E96B 8B45A0 mov eax, dword ptr [ebp-60]
:0040E96E 8B5594 mov edx, dword ptr [ebp-6C]
:0040E971 3BC2 cmp eax, edx
:0040E973 0F8D97000000 jnl 0040EA10
* Referenced by a (U)nconditional or (C)onditional Jump at Address: <====取V3位的硬盘序列号
|:0040EA0A(C)
|
:0040E979 8B4590 mov eax, dword ptr [ebp-70] <====取V4
:0040E97C 8B5598 mov edx, dword ptr [ebp-68] <====取V2
:0040E97F 03C2 add eax, edx <====V4+V2
:0040E981 99 cdq
:0040E982 F77D8C idiv [ebp-74] <====(V4+V2) MOD HDLN
:0040E985 42 inc edx <====((V4+V2) MOD HDLN)+1
:0040E986 895590 mov dword ptr [ebp-70], edx <====V4:=((V4+V2) MOD HDLN)+1
:0040E989 8B4598 mov eax, dword ptr [ebp-68] <====取V2
:0040E98C 40 inc eax <====V2+1
:0040E98D B906000000 mov ecx, 00000006
:0040E992 99 cdq
:0040E993 F7F9 idiv ecx <====(V2+1) MOD 6
:0040E995 895598 mov dword ptr [ebp-68], edx <====V2:=(V2+1) MOD 6
:0040E998 66C745B85C00 mov [ebp-48], 005C
:0040E99E 8D45E4 lea eax, dword ptr [ebp-1C]
:0040E9A1 E8F236FFFF call 00402098
:0040E9A6 50 push eax
:0040E9A7 FF45C4 inc [ebp-3C]
:0040E9AA 8D45FC lea eax, dword ptr [ebp-04]
:0040E9AD B901000000 mov ecx, 00000001
:0040E9B2 8B5590 mov edx, dword ptr [ebp-70]
:0040E9B5 E85A142B00 call 006BFE14 <====取第V4位的硬盘序列号
:0040E9BA 8D45E4 lea eax, dword ptr [ebp-1C]
:0040E9BD 50 push eax
:0040E9BE 8D45E0 lea eax, dword ptr [ebp-20]
:0040E9C1 E8D236FFFF call 00402098
:0040E9C6 8BC8 mov ecx, eax
:0040E9C8 FF45C4 inc [ebp-3C]
:0040E9CB 8D45F4 lea eax, dword ptr [ebp-0C]
:0040E9CE 5A pop edx
:0040E9CF E8CC0F2B00 call 006BF9A0
:0040E9D4 8D55E0 lea edx, dword ptr [ebp-20]
:0040E9D7 8D45F4 lea eax, dword ptr [ebp-0C]
:0040E9DA E8990F2B00 call 006BF978
:0040E9DF FF4DC4 dec [ebp-3C]
:0040E9E2 8D45E0 lea eax, dword ptr [ebp-20]
:0040E9E5 BA02000000 mov edx, 00000002
:0040E9EA E8590F2B00 call 006BF948
:0040E9EF FF4DC4 dec [ebp-3C]
:0040E9F2 8D45E4 lea eax, dword ptr [ebp-1C]
:0040E9F5 BA02000000 mov edx, 00000002
:0040E9FA E8490F2B00 call 006BF948
:0040E9FF FF45A0 inc [ebp-60]
:0040EA02 8B4DA0 mov ecx, dword ptr [ebp-60]
:0040EA05 8B4594 mov eax, dword ptr [ebp-6C]
:0040EA08 3BC8 cmp ecx, eax
:0040EA0A 0F8C69FFFFFF jl 0040E979 <====取够V3位没有?
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E973(C)
|
:0040EA10 8D45F4 lea eax, dword ptr [ebp-0C]
:0040EA13 E8C436FFFF call 004020DC <====取上面的运算结果NEWBIT
:0040EA18 50 push eax
:0040EA19 E82A912A00 call 006B7B48 <====应是把十进制数字串转成整数值(调试器里以十六进制显示)
:0040EA1E 59 pop ecx
:0040EA1F 898570FFFFFF mov dword ptr [ebp+FFFFFF70], eax <====保存NEWBIT
:0040EA25 C7458485000000 mov [ebp-7C], 00000085 <====变量V5
:0040EA2C C745806F000000 mov [ebp-80], 0000006F <====变量V6
:0040EA33 C7857CFFFFFF42000000 mov dword ptr [ebp+FFFFFF7C], 00000042 <====变量V7
:0040EA3D C78578FFFFFFA6000000 mov dword ptr [ebp+FFFFFF78], 000000A6 <====变量V8
:0040EA47 33D2 xor edx, edx
:0040EA49 8955A0 mov dword ptr [ebp-60], edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address: <====循环6次计算注册码
|:0040EBEE(C)
|
:0040EA4C 8B4D84 mov ecx, dword ptr [ebp-7C] <====取V5
:0040EA4F 41 inc ecx <====V5+1
:0040EA50 8B8570FFFFFF mov eax, dword ptr [ebp+FFFFFF70] <====取NEWBIT
:0040EA56 33D2 xor edx, edx
:0040EA58 F7F1 div ecx <====NEWBIT MOD (V5+1)
:0040EA5A 8BCA mov ecx, edx
:0040EA5C 8B4580 mov eax, dword ptr [ebp-80] <====取V6
:0040EA5F 40 inc eax <====V6+1
:0040EA60 50 push eax
:0040EA61 8B8570FFFFFF mov eax, dword ptr [ebp+FFFFFF70] <====取NEWBIT
:0040EA67 5A pop edx
:0040EA68 8BDA mov ebx, edx
:0040EA6A 33D2 xor edx, edx
:0040EA6C F7F3 div ebx <====NEWBIT MOD (V6+1)
:0040EA6E 03CA add ecx, edx <====(NEWBIT MOD (V5+1))+(NEWBIT MOD (V6+1))
:0040EA70 8B857CFFFFFF mov eax, dword ptr [ebp+FFFFFF7C] <====取V7
:0040EA76 40 inc eax <====V7+1
:0040EA77 50 push eax
:0040EA78 8B8570FFFFFF mov eax, dword ptr [ebp+FFFFFF70] <====取NEWBIT
:0040EA7E 5A pop edx
:0040EA7F 8BDA mov ebx, edx
:0040EA81 33D2 xor edx, edx
:0040EA83 F7F3 div ebx <====NEWBIT MOD (V7+1)
:0040EA85 03CA add ecx, edx <====(NEWBIT MOD (V5+1))+(NEWBIT MOD (V6+1))+(NEWBIT MOD (V7+1))
:0040EA87 8BC1 mov eax, ecx
:0040EA89 8B9578FFFFFF mov edx, dword ptr [ebp+FFFFFF78] <====取V8
:0040EA8F 42 inc edx <====V8+1
:0040EA90 8BCA mov ecx, edx
:0040EA92 33D2 xor edx, edx
:0040EA94 F7F1 div ecx <====((NEWBIT MOD (V5+1))+(NEWBIT MOD (V6+1))+(NEWBIT MOD (V7+1))) MOD (V8+1)
:0040EA96 895588 mov dword ptr [ebp-78], edx <====保存结果(即计算出来的注册码)
:0040EA99 83458402 add dword ptr [ebp-7C], 00000002 <====V5:=V5+2
:0040EA9D 836D8007 sub dword ptr [ebp-80], 00000007 <====V6:=V6-7
:0040EAA1 83857CFFFFFF05 add dword ptr [ebp+FFFFFF7C], 00000005 <====V7:=V7+5
:0040EAA8 83AD78FFFFFF03 sub dword ptr [ebp+FFFFFF78], 00000003 <====V8:=V8-3
:0040EAAF 8B4588 mov eax, dword ptr [ebp-78]
:0040EAB2 83F830 cmp eax, 00000030
:0040EAB5 7C08 jl 0040EABF
:0040EAB7 8B4588 mov eax, dword ptr [ebp-78]
:0040EABA 83F839 cmp eax, 00000039
:0040EABD 7E20 jle 0040EADF <====注册码是不是数字?
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040EAB5(C)
|
:0040EABF 8B5588 mov edx, dword ptr [ebp-78]
:0040EAC2 83FA41 cmp edx, 00000041
:0040EAC5 7C08 jl 0040EACF
:0040EAC7 8B4D88 mov ecx, dword ptr [ebp-78]
:0040EACA 83F95A cmp ecx, 0000005A
:0040EACD 7E10 jle 0040EADF <====注册码是不是大写字母?
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040EAC5(C)
|
:0040EACF 8B4588 mov eax, dword ptr [ebp-78]
:0040EAD2 83F861 cmp eax, 00000061
:0040EAD5 7C63 jl 0040EB3A
:0040EAD7 8B5588 mov edx, dword ptr [ebp-78]
:0040EADA 83FA7A cmp edx, 0000007A
:0040EADD 7F5B jg 0040EB3A <====注册码是不是小写字母?
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040EABD(C), :0040EACD(C)
|
:0040EADF 66C745B86800 mov [ebp-48], 0068
:0040EAE5 8D45D8 lea eax, dword ptr [ebp-28]
:0040EAE8 E8AB35FFFF call 00402098
:0040EAED 50 push eax
:0040EAEE FF45C4 inc [ebp-3C]
:0040EAF1 8A5588 mov dl, byte ptr [ebp-78]
:0040EAF4 8D45DC lea eax, dword ptr [ebp-24]
:0040EAF7 E8800C2B00 call 006BF77C
:0040EAFC 8BD0 mov edx, eax
:0040EAFE FF45C4 inc [ebp-3C]
:0040EB01 8D45F8 lea eax, dword ptr [ebp-08]
:0040EB04 59 pop ecx
:0040EB05 E8960E2B00 call 006BF9A0
:0040EB0A 8D55D8 lea edx, dword ptr [ebp-28]
:0040EB0D 8D45F8 lea eax, dword ptr [ebp-08]
:0040EB10 E8630E2B00 call 006BF978
:0040EB15 FF4DC4 dec [ebp-3C]
:0040EB18 8D45D8 lea eax, dword ptr [ebp-28]
:0040EB1B BA02000000 mov edx, 00000002
:0040EB20 E8230E2B00 call 006BF948
:0040EB25 FF4DC4 dec [ebp-3C]
:0040EB28 8D45DC lea eax, dword ptr [ebp-24]
:0040EB2B BA02000000 mov edx, 00000002
:0040EB30 E8130E2B00 call 006BF948
:0040EB35 E9BA000000 jmp 0040EBF4
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: <====本次结果不是数字或字母时跳到这里;只有第6次循环(计数器等于5)仍不符合,才继续往下做换算
|:0040EAD5(C), :0040EADD(C)
|
:0040EB3A 8B4DA0 mov ecx, dword ptr [ebp-60]
:0040EB3D 83F905 cmp ecx, 00000005
:0040EB40 0F859F000000 jne 0040EBE5
:0040EB46 8B4588 mov eax, dword ptr [ebp-78]
:0040EB49 83F83D cmp eax, 0000003D <====比较结果是不是大于等于3D
:0040EB4C 7D13 jge 0040EB61 <====是则跳
:0040EB4E 8B4588 mov eax, dword ptr [ebp-78] <====取运算结果REGCODEBIT
:0040EB51 B90A000000 mov ecx, 0000000A
:0040EB56 99 cdq
:0040EB57 F7F9 idiv ecx <====REGCODEBIT MOD 0A
:0040EB59 83C230 add edx, 00000030 <====(REGCODEBIT MOD 0A)+30
:0040EB5C 895588 mov dword ptr [ebp-78], edx <====保存注册码
:0040EB5F EB2C jmp 0040EB8D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040EB4C(C)
|
:0040EB61 8B4588 mov eax, dword ptr [ebp-78]
:0040EB64 83F85D cmp eax, 0000005D <====比较结果是不是小于等于5D
:0040EB67 7E13 jle 0040EB7C <====是则跳
:0040EB69 8B4588 mov eax, dword ptr [ebp-78] <====取运算结果REGCODEBIT
:0040EB6C B91A000000 mov ecx, 0000001A
:0040EB71 99 cdq
:0040EB72 F7F9 idiv ecx <====REGCODEBIT MOD 1A
:0040EB74 83C261 add edx, 00000061 <====(REGCODEBIT MOD 1A)+61
:0040EB77 895588 mov dword ptr [ebp-78], edx <====保存注册码
:0040EB7A EB11 jmp 0040EB8D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040EB67(C)
|
:0040EB7C 8B4588 mov eax, dword ptr [ebp-78] <====取运算结果REGCODEBIT
:0040EB7F B91A000000 mov ecx, 0000001A
:0040EB84 99 cdq
:0040EB85 F7F9 idiv ecx <====REGCODEBIT MOD 1A
:0040EB87 83C241 add edx, 00000041 <====(REGCODEBIT MOD 1A)+41
:0040EB8A 895588 mov dword ptr [ebp-78], edx <====保存注册码
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040EB5F(U), :0040EB7A(U)
|
:0040EB8D 66C745B87400 mov [ebp-48], 0074
:0040EB93 8D45D0 lea eax, dword ptr [ebp-30]
:0040EB96 E8FD34FFFF call 00402098
:0040EB9B 50 push eax
:0040EB9C FF45C4 inc [ebp-3C]
:0040EB9F 8A5588 mov dl, byte ptr [ebp-78]
:0040EBA2 8D45D4 lea eax, dword ptr [ebp-2C]
:0040EBA5 E8D20B2B00 call 006BF77C
:0040EBAA 8BD0 mov edx, eax
:0040EBAC FF45C4 inc [ebp-3C]
:0040EBAF 8D45F8 lea eax, dword ptr [ebp-08]
:0040EBB2 59 pop ecx
:0040EBB3 E8E80D2B00 call 006BF9A0
:0040EBB8 8D55D0 lea edx, dword ptr [ebp-30]
:0040EBBB 8D45F8 lea eax, dword ptr [ebp-08]
:0040EBBE E8B50D2B00 call 006BF978
:0040EBC3 FF4DC4 dec [ebp-3C]
:0040EBC6 8D45D0 lea eax, dword ptr [ebp-30]
:0040EBC9 BA02000000 mov edx, 00000002
:0040EBCE E8750D2B00 call 006BF948
:0040EBD3 FF4DC4 dec [ebp-3C]
:0040EBD6 8D45D4 lea eax, dword ptr [ebp-2C]
:0040EBD9 BA02000000 mov edx, 00000002
:0040EBDE E8650D2B00 call 006BF948
:0040EBE3 EB0F jmp 0040EBF4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040EB40(C)
|
:0040EBE5 FF45A0 inc [ebp-60]
:0040EBE8 8B4DA0 mov ecx, dword ptr [ebp-60]
:0040EBEB 83F906 cmp ecx, 00000006
:0040EBEE 0F8C58FEFFFF jl 0040EA4C
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040EB35(U), :0040EBE3(U)
|
:0040EBF4 FF45A4 inc [ebp-5C]
:0040EBF7 8B45A4 mov eax, dword ptr [ebp-5C]
:0040EBFA 83F814 cmp eax, 00000014 <====注册码共20位
:0040EBFD 0F8C02FDFFFF jl 0040E905 <====循环计算注册码
:0040EC03 66C745B88000 mov [ebp-48], 0080
:0040EC09 8D55F8 lea edx, dword ptr [ebp-08]
:0040EC0C 8B45CC mov eax, dword ptr [ebp-34]
:0040EC0F E8640D2B00 call 006BF978
:0040EC14 8B45CC mov eax, dword ptr [ebp-34]
:0040EC17 66C745B88C00 mov [ebp-48], 008C
:0040EC1D 50 push eax
:0040EC1E FF4DC4 dec [ebp-3C]
:0040EC21 8D45F4 lea eax, dword ptr [ebp-0C]
:0040EC24 BA02000000 mov edx, 00000002
:0040EC29 E81A0D2B00 call 006BF948
:0040EC2E FF4DC4 dec [ebp-3C]
:0040EC31 8D45F8 lea eax, dword ptr [ebp-08]
:0040EC34 BA02000000 mov edx, 00000002
:0040EC39 E80A0D2B00 call 006BF948
:0040EC3E FF4DC4 dec [ebp-3C]
:0040EC41 8D45FC lea eax, dword ptr [ebp-04]
:0040EC44 BA02000000 mov edx, 00000002
:0040EC49 E8FA0C2B00 call 006BF948
:0040EC4E 58 pop eax
:0040EC4F 66C745B88000 mov [ebp-48], 0080
:0040EC55 FF45C4 inc [ebp-3C]
:0040EC58 8B55A8 mov edx, dword ptr [ebp-58]
:0040EC5B 64891500000000 mov dword ptr fs:[00000000], edx
:0040EC62 5B pop ebx
:0040EC63 8BE5 mov esp, ebp
:0040EC65 5D pop ebp
:0040EC66 C3 ret
至此,整个运算过程结束了。归纳一下:程序用C:\卷的卷序列号在本地算出20位注册码,再与注册表中保存的Code值比较,校验所需的输入和算法全部在客户端,所以这种保护可以被完整还原。下面用DELPHI写出注册机:
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, XP_Form, XP_Button, jpeg, ExtCtrls, XP_GroupBox, StdCtrls,registry;
type
// Main form class of this unit. The XP_* component types presumably come
// from the XP_Form / XP_Button / XP_GroupBox units named in the uses clause
// (third-party units, not shown in this listing).
TForm1 = class(TForm)
frmain: TXP_Form;
// NOTE(review): regClick declares a local variable that is also named "reg"
// (a TRegistry); inside that handler the local hides this button field.
reg: TXP_Button;
about: TXP_Button;
exitprogram: TXP_Button;
XP_GroupBox1: TXP_GroupBox;
Image1: TImage;
// Shows Form2 (presumably declared in Unit2, which the implementation uses).
procedure aboutClick(Sender: TObject);
// Closes the form.
procedure exitprogramClick(Sender: TObject);
// Builds a 20-character code from the decimal digits of the C:\ volume
// serial number; the end of this handler is cut off in this listing.
procedure regClick(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
// Returns the serial number of the C:\ volume as reported by
// GetVolumeInformation. This is a per-volume value, not a serial number of
// the physical disk.
function GetHardDiskSerieNumber(): integer;
var
// Global instance variable for the form declared above.
Form1: TForm1;
implementation
uses Unit2;
{$R *.dfm}
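// Returns the serial number of the C:\ volume, or 0 when the query fails.
//
// The value comes from GetVolumeInformation, so it identifies the volume
// (it is assigned when the volume is formatted), not the physical disk.
// It is not a secret and can differ after a reformat, which makes it a weak
// basis for any machine-bound check.
//
// Changes from the earlier version of this function:
//   * The two name buffers were allocated with GetMem and never released.
//     Neither name was used, so nil / 0 is passed instead and nothing is
//     allocated.
//   * The unused GetSystemInfo call and its local were dropped.
//   * The API result is now checked; previously a failed call returned
//     whatever happened to be in the uninitialised serial variable.
function GetHardDiskSerieNumber: integer;
var
  VolumeSerial: DWORD;      // receives the volume serial number
  MaxComponentLen: DWORD;   // required by the API signature, not used
  FileSystemFlags: DWORD;   // required by the API signature, not used
begin
  VolumeSerial := 0;
  if Windows.GetVolumeInformation('c:\',
                                  nil, 0,
                                  @VolumeSerial,
                                  MaxComponentLen,
                                  FileSystemFlags,
                                  nil, 0) then
    // Explicit cast keeps the bit pattern and avoids a range-check error
    // for serials with the top bit set.
    Result := Integer(VolumeSerial)
  else
    Result := 0;
end;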
// Click handler of the "about" button: displays Form2 without blocking
// (Show, not ShowModal).
procedure TForm1.aboutClick(Sender: TObject);
begin
  Form2.Show;
end;
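// Click handler of the "exitprogram" button: closes this form.
//
// Close is called on the instance that received the click rather than
// through the global Form1 variable, so the handler still works when the
// form was created under another reference or Form1 is not assigned.
procedure TForm1.exitprogramClick(Sender: TObject);
begin
  Close;
end;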
procedure TForm1.regClick(Sender: TObject);
label
isregcode,quitloop;
var
v1,v2,v3,v4,v5,v6,v7,v8:integer;
hdid:longword;
hdln:integer;
idstr:string;
i,j,k:integer;
regcode:array[1..20] of char ;
cmod:integer;
cdiv:integer;
lidbit,idbit:integer;
idbitstr:string;
newidbit:integer;
regcodebit:integer;
reg:TRegistry;
begin
hdid:=GetHardDiskSerieNumber;
hdln:=length(inttostr(hdid) );
idstr:=inttostr(hdid); ;
v1:=7;
v2:=1;
v3:=3;
v4:=0;
for i:=1 to 20 do
begin
v3:=((v3+1) mod ((6 mod hdln)+1))+1;
v4:=v4+v1;
v1:=(v1+$18b) mod $0A;
idbitstr:='';
for j:=1 to v3 do
begin
v4:=((v4+v2) mod hdln)+1;
v2:=(v2+1) mod 6;
idbitstr:=idbitstr+idstr[v4];
end;
newidbit:=strtoint(idbitstr);
v5:=$85;
v6:=$6f;
v7:=$42;
v8:=$a6;
for k:=1 to 6 do
begin
regcodebit:=((newidbit mod (v5+1))+(newidbit mod (v6+1))+(newidbit mod (v7+1))) mod (v8+1);
v5:=v5+2;
v6:=v6-7;
v7:=v7+5;
v8:=v8-3;
if (regcodebit>=48) and (regcodebit<=57) then goto isregcode;
if (regcodebit>=65) and (regcodebit<=90) then goto isregcode;
if (regcodebit>=97) and (regcodebit<=122) then goto isregcode;
end;
if regcodebit<61 then
begin
regcode[i]:=chr((regcodebit mod 10)+48);
goto quitloop;
end;
if regcodebit>93 then
begin
regcode[i]:=chr((regcodebit mod 26)+97);
goto quitloop;
end;
if (regcodebit<=93) then
begin
regcode[i]:=chr((regcodebit mod 26)+65);
goto quitloop;
end;
isregcode:
regcode[i]:=chr(regcodebit);
quitloop:
end;
Reg := TRegistry.Create;
try
Reg.RootKey := HKEY_LOCAL_MACHINE;
if Reg.