SitMan PC 复读机 2.0 beta 2 注册算法分析
【软件功能】:
◇ 复读功能
◇ 录音跟读对比功能
◇ 听写文本与语音的完美结合
◇ 听力资料管理
◇ 列表播放支持
◇ 其他特色功能
【软件主页】:http://www.yyhorse.com/
【功能限制】:试用15天,15天后要求注册
【破解工具】:DeDe,Trw2000,Caspr,Language2000
【本文作者】:eCool[BCG]
【整理时间】:2001.10.23
转载请保持原文完整,谢谢。
把这个东东拉下来后,立马用Language2000看看有没有加壳,呵呵,原来加了Aspack,好办,马上用
Caspr搞定它,运行Trw2000,然后运行SitMan,靠,怎么没有发现注册的地方?????,我倒,先不管它,
关闭,将时间调后一年,再次运行,讨厌的对话框出来了,不理他,点确定,要求注册,我靠,还是没有注册
的地方,What?作者骗人?????,用Language2000看看是什么语言写的再说,呵呵,Delphi啊,DeDe
(弟弟?)马上用上,防编译,看看那个注册Form有什么东东,哈哈,发现有注册按钮,玩我,哼,看我怎么
收拾你,看到那个“未注册”Label有个双击事件,好,马上运行SitMan,双击未注册这个地方,呵呵,注册
提示出来了,有戏看了,马上用DeDe找到了注册点:
0048B740 55
push ebp
0048B741 8BEC
mov ebp, esp
0048B743 B905000000 mov
ecx, $00000005
0048B748 6A00
push $00
0048B74A 6A00
push $00
0048B74C 49
dec ecx
0048B74D 75F9
jnz 0048B748
0048B74F 53
push ebx
0048B750 56
push esi
0048B751 8BD8
mov ebx, eax
0048B753 33C0
xor eax, eax
0048B755 55
push ebp
0048B756 6894B94800 push
$0048B994
0048B75B 64FF30
push dword ptr fs:[eax]
0048B75E 648920
mov fs:[eax], esp
0048B761 8D55FC
lea edx, [ebp-$04]
0048B764 8B83F4020000 mov
eax, [ebx+$02F4]
0048B76A E831B3FAFF call
00436AA0
0048B76F 837DFC00 cmp
dword ptr [ebp-$04], +$00
0048B773 0F84D3010000 jz
0048B94C
0048B779 8D55F8
lea edx, [ebp-$08]
0048B77C 8B83F8020000 mov
eax, [ebx+$02F8]
0048B782 E819B3FAFF call
00436AA0
0048B787 837DF800 cmp
dword ptr [ebp-$08], +$00
0048B78B 0F84BB010000 jz
0048B94C
0048B791 33D2
xor edx, edx
0048B793 8B8338030000 mov
eax, [ebx+$0338]
0048B799 8B08
mov ecx, [eax]
0048B79B FF515C
call dword ptr [ecx+$5C]
0048B79E 8B15A0D24900 mov
edx, [$49D2A0]
0048B7A4 8B12
mov edx, [edx]
0048B7A6 8B833C030000 mov
eax, [ebx+$033C]
0048B7AC E81FB3FAFF call
00436AD0
0048B7B1 BE03000000 mov
esi, $00000003
0048B7B6 B201
mov dl, $01
0048B7B8 8B833C030000 mov
eax, [ebx+$033C]
0048B7BE E8F5B1FAFF call
004369B8
0048B7C3 66B8BC02 mov
ax, $02BC
0048B7C7 E8B8350000 call
0048ED84
0048B7CC 33D2
xor edx, edx
0048B7CE 8B833C030000 mov
eax, [ebx+$033C]
0048B7D4 E8DFB1FAFF call
004369B8
0048B7D9 66B82C01 mov
ax, $012C
0048B7DD E8A2350000 call
0048ED84
0048B7E2 4E
dec esi
0048B7E3 75D1
jnz 0048B7B6
0048B7E5 8D55F4
lea edx, [ebp-$0C]
0048B7E8 8B83F8020000 mov
eax, [ebx+$02F8]
0048B7EE E8ADB2FAFF call
00436AA0
0048B7F3 8B45F4
mov eax, [ebp-$0C]
0048B7F6 50
push eax
0048B7F7 8D55F0
lea edx, [ebp-$10]
0048B7FA 8B83F4020000 mov
eax, [ebx+$02F4]
0048B800 E89BB2FAFF call
00436AA0
0048B805 8B45F0
mov eax, [ebp-$10]
0048B808 5A
pop edx
0048B809 E86AFDFFFF call
0048B578--------->进入
0048B80E 84C0
test al, al----------->Woo.... 经典的对比
0048B810 0F84FF000000 jz
0048B915
0048B816 E8051DF8FF call
0040D520
0048B81B A1A8D44900 mov
eax, dword ptr [$49D4A8]
0048B820 8B00
mov eax, [eax]
0048B822 E8BDB2FCFF call
00456AE4
0048B827 8D55E8
lea edx, [ebp-$18]
0048B82A 8B83F4020000 mov
eax, [ebx+$02F4]
0048B830 E86BB2FAFF call
00436AA0
0048B835 8B45E8
mov eax, [ebp-$18]
0048B838 8D55EC
lea edx, [ebp-$14]
0048B83B E8F8E0F7FF call
00409938
0048B840 8B55EC
mov edx, [ebp-$14]
0048B843 A1B8D54900 mov
eax, dword ptr [$49D5B8]
0048B848 E82784F7FF call
00403C74
0048B84D 8D55E0
lea edx, [ebp-$20]
0048B850 8B83F8020000 mov
eax, [ebx+$02F8]
0048B856 E845B2FAFF call
00436AA0
0048B85B 8B45E0
mov eax, [ebp-$20]
0048B85E 8D55E4
lea edx, [ebp-$1C]
0048B861 E8D2E0F7FF call
00409938
0048B866 8B55E4
mov edx, [ebp-$1C]
0048B869 A110D34900 mov
eax, dword ptr [$49D310]
0048B86E E80184F7FF call
00403C74
0048B873 A160D54900 mov
eax, dword ptr [$49D560]
0048B878 C7003E330100 mov
dword ptr [eax], $0001333E
0048B87E A134D44900 mov
eax, dword ptr [$49D434]
0048B883 833800
cmp dword ptr [eax], +$00
0048B886 7536
jnz 0048B8BE
0048B888 A1ECD44900 mov
eax, dword ptr [$49D4EC]
0048B88D FF30
push dword ptr [eax]
0048B88F A18CD44900 mov
eax, dword ptr [$49D48C]
0048B894 FF30
push dword ptr [eax]
0048B896 68ACB94800 push
$0048B9AC
0048B89B A1DCD74900 mov
eax, dword ptr [$49D7DC]
0048B8A0 FF30
push dword ptr [eax]
0048B8A2 8D45DC
lea eax, [ebp-$24]
0048B8A5 BA04000000 mov
edx, $00000004
0048B8AA E8B186F7FF call
00403F60
0048B8AF 8B55DC
mov edx, [ebp-$24]
0048B8B2 A134D34900 mov
eax, dword ptr [$49D334]
0048B8B7 8B00
mov eax, [eax]
0048B8B9 E812B2FAFF call
00436AD0
0048B8BE E869850000 call
00493E2C
0048B8C3 E8BC860000 call
00493F84
0048B8C8 A170D74900 mov
eax, dword ptr [$49D770]
0048B8CD FF30
push dword ptr [eax]
这个Call在这里
* Referenced by a CALL at Address:
|:0048B809
|
:0048B578 55
push ebp
:0048B579 8BEC
mov ebp, esp
:0048B57B 83C4F0
add esp, FFFFFFF0
:0048B57E 53
push ebx
:0048B57F 56
push esi
:0048B580 57
push edi
:0048B581 33C9
xor ecx, ecx
:0048B583 894DF0
mov dword ptr [ebp-10], ecx
:0048B586 8955F8
mov dword ptr [ebp-08], edx------->取注册码
:0048B589 8945FC
mov dword ptr [ebp-04], eax ------->取用户名
:0048B58C 8B45FC
mov eax, dword ptr [ebp-04]
:0048B58F E8C08AF7FF call 00404054---------------------->判断用户名是否为空?
:0048B594 8B45F8
mov eax, dword ptr [ebp-08]
:0048B597 E8B88AF7FF call 00404054---------------------->判断注册码是否为空?
:0048B59C 33C0
xor eax, eax
:0048B59E 55
push ebp
:0048B59F 68FEB64800 push 0048B6FE
:0048B5A4 64FF30
push dword ptr fs:[eax]
:0048B5A7 648920
mov dword ptr fs:[eax], esp
:0048B5AA C645F700 mov
[ebp-09], 00
:0048B5AE 8D55F0
lea edx, dword ptr [ebp-10]
:0048B5B1 8B45FC
mov eax, dword ptr [ebp-04]
:0048B5B4 E87FE3F7FF call 00409938
:0048B5B9 8B55F0
mov edx, dword ptr [ebp-10]
:0048B5BC 8D45FC
lea eax, dword ptr [ebp-04]
:0048B5BF E8F486F7FF call 00403CB8
:0048B5C4 8B45FC
mov eax, dword ptr [ebp-04]
:0048B5C7 E8D488F7FF call 00403EA0
:0048B5CC 8BC8
mov ecx, eax
:0048B5CE 83F903
cmp ecx, 00000003------------
:0048B5D1 0F8C04010000 jl 0048B6DB
|用户名在3-20个字符之间
:0048B5D7 83F914
cmp ecx, 00000014------------
:0048B5DA 0F8FFB000000 jg 0048B6DB
:0048B5E0 8B45F8
mov eax, dword ptr [ebp-08]
:0048B5E3 E8B888F7FF call 00403EA0
:0048B5E8 83F812
cmp eax, 00000012---------->注册码必须是18个字符
:0048B5EB 0F85EA000000 jne 0048B6DB
:0048B5F1 B904000000 mov ecx,
00000004--------------------|
|这部分判断
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|注册码的第4-10位
|:0048B60B(C)
|是否为数字
|
|
:0048B5F6 8B45F8
mov eax, dword ptr [ebp-08] |
:0048B5F9 8A4408FF mov
al, byte ptr [eax+ecx-01] |
:0048B5FD 04D0
add al, D0 -->由x+d0-0a=ff |
:0048B5FF 2C0A
sub al, 0A -->推出x=39,即'9' |
:0048B601 0F83D4000000 jnb 0048B6DB
|
:0048B607 41
inc ecx
|
:0048B608 83F90A
cmp ecx, 0000000A-------------------->
:0048B60B 75E9
jne 0048B5F6
:0048B60D B901000000 mov ecx,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048B62D(C)
|
:0048B612 8B45F8
mov eax, dword ptr [ebp-08]----------|
:0048B615 8A4408FF mov
al, byte ptr [eax+ecx-01] |
:0048B619 04D0
add al, D0
|
:0048B61B 2C0A
sub al, 0A
|
:0048B61D 720A
jb 0048B629
|判断注册码的所有
:0048B61F 04D9
add al, D9
|位是否在'0'-'9'
:0048B621 2C1A
sub al, 1A
|或 'a'-'z'中(不知是否有错?)
:0048B623 0F83B2000000 jnb 0048B6DB
|
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|
|:0048B61D(C)
|
|
|
:0048B629 41
inc ecx
|
:0048B62A 83F913
cmp ecx, 00000013
|
:0048B62D 75E3
jne 0048B612------------------------ |
:0048B62F BE01000000 mov esi,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:--->这段开始算前3位注册码
|:0048B687(C)
|
:0048B634 BB01000000 mov ebx,
00000001
:0048B639 8B45FC
mov eax, dword ptr [ebp-04]
:0048B63C E85F88F7FF call 00403EA0
:0048B641 8BF8
mov edi, eax
:0048B643 85FF
test edi, edi
:0048B645 7E21
jle 0048B668
:0048B647 B901000000 mov ecx,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048B666(C)
|
:0048B64C 8B45FC
mov eax, dword ptr [ebp-04]------------>用户名
:0048B64F 0FB64408FF movzx eax,
byte ptr [eax+ecx-01]
:0048B654 F7EB
imul ebx
:0048B656 03C6
add eax, esi
:0048B658 03C1
add eax, ecx
:0048B65A BB65010000 mov ebx,
00000165
:0048B65F 99
cdq
:0048B660 F7FB
idiv ebx
:0048B662 8BDA
mov ebx, edx
:0048B664 41
inc ecx
:0048B665 4F
dec edi
:0048B666 75E4
jne 0048B64C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048B645(C)
|
:0048B668 8BC3
mov eax, ebx
:0048B66A B924000000 mov ecx,
00000024
:0048B66F 99
cdq
:0048B670 F7F9
idiv ecx
* Possible StringData Ref from Code Obj ->"0123456789abcdefghijklmnopqrstuvwxyz"
|
:0048B672 B818B74800 mov eax,
0048B718
:0048B677 8A0410
mov al, byte ptr [eax+edx]----->从上面的字符串中取值
:0048B67A 8B55F8
mov edx, dword ptr [ebp-08]
:0048B67D 3A4432FF cmp
al, byte ptr [edx+esi-01]
:0048B681 7558
jne 0048B6DB
:0048B683 46
inc esi
:0048B684 83FE04
cmp esi, 00000004-------->上面的代码通过用户名算出
:0048B687 75AB
jne 0048B634 ---------前3位注册码
:0048B689 BB01000000 mov ebx,
00000001
:0048B68E BE0A000000 mov esi,
0000000A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048B6D5(C)
|
:0048B693 B901000000 mov ecx,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:---->这段开始算第10-18位注册码
|:0048B6B4(C)
|
:0048B698 8B45F8
mov eax, dword ptr [ebp-08]--------------->注册码
:0048B69B 0FB64408FF movzx eax,
byte ptr [eax+ecx-01]
:0048B6A0 F7EB
imul ebx
:0048B6A2 03C1
add eax, ecx
:0048B6A4 03C6
add eax, esi
:0048B6A6 BB79010000 mov ebx,
00000179
:0048B6AB 99
cdq
:0048B6AC F7FB
idiv ebx
:0048B6AE 8BDA
mov ebx, edx
:0048B6B0 41
inc ecx
:0048B6B1 83F90A
cmp ecx, 0000000A --------------->处理第1-9位注册码
:0048B6B4 75E2
jne 0048B698
:0048B6B6 8BC3
mov eax, ebx
:0048B6B8 B924000000 mov ecx,
00000024
:0048B6BD 99
cdq
:0048B6BE F7F9
idiv ecx
* Possible StringData Ref from Code Obj ->"0123456789abcdefghijklmnopqrstuvwxyz"
|
:0048B6C0 B818B74800 mov eax,
0048B718
:0048B6C5 8A0410
mov al, byte ptr [eax+edx]------->从上面的字符串中取值
:0048B6C8 8B55F8
mov edx, dword ptr [ebp-08]
:0048B6CB 3A4432FF cmp
al, byte ptr [edx+esi-01]----------->由第1-9位注册码
:0048B6CF 750A
jne 0048B6DB ----------->算出第10-18位注册码
:0048B6D1 46
inc esi
:0048B6D2 83FE13
cmp esi, 00000013
:0048B6D5 75BC
jne 0048B693
:0048B6D7 C645F701 mov
[ebp-09], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048B5D1(C), :0048B5DA(C), :0048B5EB(C), :0048B601(C), :0048B623(C)
|:0048B681(C), :0048B6CF(C)
|
:0048B6DB 33C0
xor eax, eax
:0048B6DD 5A
pop edx
:0048B6DE 59
pop ecx
:0048B6DF 59
pop ecx
:0048B6E0 648910
mov dword ptr fs:[eax], edx
:0048B6E3 6805B74800 push 0048B705
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048B703(U)
|
:0048B6E8 8D45F0
lea eax, dword ptr [ebp-10]
:0048B6EB E83085F7FF call 00403C20
:0048B6F0 8D45F8
lea eax, dword ptr [ebp-08]
:0048B6F3 BA02000000 mov edx,
00000002
:0048B6F8 E84785F7FF call 00403C44
:0048B6FD C3 ret
注册机如下(VB6)编写:
标 题:重新贴过注册机,有空帮忙到http://crackme.longcity.net下载测试 (1千字)
详细信息:
Public Function GetSN(strName as string) As String
Dim strName As String
Dim strTemp As String
Const strFlag As String = "0123456789abcdefghijklmnopqrstuvwxyz"
Dim i As Long
Dim j As Long
Dim lngLen As Long
Dim esi As Long
Dim ebx As Long
Dim eax As Long
Dim ecx As Long
Dim edx As Long
Dim X As Long
esi = 1: eax = 0: ecx = 0: edx = 0: strTemp = ""
lngLen = Len(strName)
For j = 1 To 3
ebx = 1: esi = j
For i = 1 To lngLen
ecx = i
eax = Asc(Mid(strName, i, 1))
eax = eax * ebx
eax = eax + esi
eax = eax + ecx
ebx = &H165
ebx = eax Mod ebx
Next i
eax = ebx
ecx = &H24
edx = eax Mod ecx
strTemp = strTemp & Mid(strFlag, edx + 1, 1)
Next j
X = 899999 * Rnd + 100000
strTemp = strTemp & CStr(X)
ebx = 1
For j = 10 To 18
esi = j
For i = 1 To 9
ecx = i
eax = Asc(Mid(strTemp, i, 1))
eax = eax * ebx
eax = eax + ecx
eax = eax + esi
ebx = &H179
ebx = eax Mod ebx
Next i
eax = ebx
ecx = &H24
edx = eax Mod ecx
strTemp = strTemp & Mid(strFlag, edx + 1, 1)
Next j
GetSN = strTemp
End Function