AnimateIt Screen Saver Toolkit(Ver 2.02)是一款制作屏保的工具,它也能
够提供声音图像的功能.更有一点就是,它能够让你自由的发布屏保或者以收费
的方式发送!前提是你要注册!你可以在http://www.allersoft.com得到该软件的
更多信息!
需要注意的是这个软件有两个版本就是Standard Edition和Power Edition,可
能跟输入的注册码有关!
好了,打开软件,在Ordering Info下输入:
Registered:dengkeng
Registration:123456
下断点
bpx hmemcpy
点击Register,拦截下来
bc *
pmodule
看看领空,名字不是Launcher而是Animateit,这一点需要注意.屏保文件的后缀名是.scr,
搜索Animateit.scr,想必就是它了,用反汇编器打开它!在字符串参考里我们看到了需要的字符串"Thank
you for registering for the Standard Edition of %s %s"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00414739(C)
|
:0041476C 56 push esi
:0041476D 8D4C2410 lea ecx, dword ptr [esp+10]
:00414771 E8DCF90500 call 00474152
:00414776 8B8F90000000 mov ecx, dword ptr [edi+00000090]
:0041477C C744241800000000 mov [esp+18], 00000000
:00414784 51 push ecx
:00414785 51 push ecx
:00414786 8BCC mov ecx, esp
:00414788 89642410 mov dword ptr [esp+10], esp
:0041478C 56 push esi
:0041478D E8C0F90500 call 00474152
:00414792 E85997FFFF call 0040DEF0 ;关键Call,跟进
:00414797 83C408 add esp, 00000008
:0041479A 83F801 cmp eax, 00000001
:0041479D 7542 jne 004147E1
:0041479F 8D4C2408 lea ecx, dword ptr [esp+08]
:004147A3 E89AF90500 call 00474142
:004147A8 68B4714B00 push 004B71B4
:004147AD 68B46F4B00 push 004B6FB4
:004147B2 8D542410 lea edx, dword ptr [esp+10]
* Possible StringData Ref from Data Obj ->"Thank you for registering for "
->"the Standard Edition of %s %s."
|
:004147B6 68F4D54900 push 0049D5F4
:004147BB 52 push edx
:004147BC C644242801 mov [esp+28], 01
:004147C1 E81D9C0500 call 0046E3E3;注意:只有eax==1(上面的jne没有跳转)才走到这里,用"Thank you for registering..."生成注册成功的提示,并不是出错提示
F8跟进关键Call
* Referenced by a CALL at Addresses:
|:0040DE9C , :00414792
|
:0040DEF0 6AFF push FFFFFFFF
:0040DEF2 6890334800 push 00483390
:0040DEF7 64A100000000 mov eax, dword ptr fs:[00000000]
:0040DEFD 50 push eax
:0040DEFE 64892500000000 mov dword ptr fs:[00000000], esp
:0040DF05 83EC08 sub esp, 00000008
:0040DF08 53 push ebx
:0040DF09 56 push esi
:0040DF0A 68B46F4B00 push 004B6FB4
:0040DF0F 8D4C240C lea ecx, dword ptr [esp+0C]
:0040DF13 C744241C00000000 mov [esp+1C], 00000000
:0040DF1B E8DB630600 call 004742FB
:0040DF20 8B742424 mov esi, dword ptr [esp+24]
:0040DF24 C644241801 mov [esp+18], 01
:0040DF29 85F6 test esi, esi
:0040DF2B 0F8408010000 je 0040E039
* Possible Reference to String Resource ID=00001: "AnimateIt"
|
:0040DF31 6A01 push 00000001
:0040DF33 8D44240C lea eax, dword ptr [esp+0C]
* Possible StringData Ref from Data Obj ->"STANDARD"
|
:0040DF37 68F0D14900 push 0049D1F0
:0040DF3C 8D4C242C lea ecx, dword ptr [esp+2C]
:0040DF40 50 push eax
:0040DF41 51 push ecx
:0040DF42 E89D650600 call 004744E4
:0040DF47 51 push ecx
:0040DF48 8D4C2428 lea ecx, dword ptr [esp+28]
:0040DF4C 8BD4 mov edx, esp
:0040DF4E 89642414 mov dword ptr [esp+14], esp
:0040DF52 51 push ecx
:0040DF53 50 push eax
:0040DF54 52 push edx
:0040DF55 C644242C02 mov [esp+2C], 02
:0040DF5A E81F650600 call 0047447E
:0040DF5F E81CD8FFFF call 0040B780 ;关键Call,GoOn.......
:0040DF64 83C408 add esp, 00000008
:0040DF67 33DB xor ebx, ebx
:0040DF69 3BC6 cmp eax, esi ;寄存器esi=用户输入的假注册码(0040DF20处从[esp+24]取得),寄存器eax=0040B780算出的真注册码
:0040DF6B 8D4C2424 lea ecx, dword ptr [esp+24]
:0040DF6F 0F94C3 sete bl
:0040DF72 C644241801 mov [esp+18], 01
:0040DF77 E811630600 call 0047428D
:0040DF7C 84DB test bl, bl
:0040DF7E 7435 je 0040DFB5
:0040DF80 8D4C2408 lea ecx, dword ptr [esp+08]
:0040DF84 C644241800 mov [esp+18], 00
:0040DF89 E8FF620600 call 0047428D
:0040DF8E 8D4C2420 lea ecx, dword ptr [esp+20]
:0040DF92 C7442418FFFFFFFF mov [esp+18], FFFFFFFF
:0040DF9A E8EE620600 call 0047428D
* Possible Reference to String Resource ID=00001: "AnimateIt"
|
:0040DF9F B801000000 mov eax, 00000001
:0040DFA4 8B4C2410 mov ecx, dword ptr [esp+10]
:0040DFA8 64890D00000000 mov dword ptr fs:[00000000], ecx
:0040DFAF 5E pop esi
:0040DFB0 5B pop ebx
:0040DFB1 83C414 add esp, 00000014
:0040DFB4 C3 ret
要写注册机跟进0040DF5F处的Call.....
* Referenced by a CALL at Addresses:
|:0040DB1F , :0040DF5F , :0040DFE3
|
:0040B780 64A100000000 mov eax, dword ptr fs:[00000000]
:0040B786 6AFF push FFFFFFFF
:0040B788 6858304800 push 00483058
:0040B78D 50 push eax
:0040B78E 64892500000000 mov dword ptr fs:[00000000], esp
:0040B795 56 push esi
:0040B796 33F6 xor esi, esi
:0040B798 8D4C2414 lea ecx, dword ptr [esp+14]
:0040B79C 8974240C mov dword ptr [esp+0C], esi
:0040B7A0 E89A2C0600 call 0046E43F;三个字符串连起来"AnimateItSTANDARDdengkeng"
:0040B7A5 8D4C2414 lea ecx, dword ptr [esp+14]
:0040B7A9 E8482C0600 call 0046E3F6
:0040B7AE 8B442414 mov eax, dword ptr [esp+14]
:0040B7B2 3970F8 cmp dword ptr [eax-08], esi
:0040B7B5 7523 jne 0040B7DA;[eax-08]应是字符串的长度字段,长度非0才跳到0040B7DA计算注册码,否则直接返回0.继续....
:0040B7B7 8D4C2414 lea ecx, dword ptr [esp+14]
:0040B7BB C744240CFFFFFFFF mov [esp+0C], FFFFFFFF
:0040B7C3 E8C58A0600 call 0047428D
:0040B7C8 33C0 xor eax, eax
:0040B7CA 8B4C2404 mov ecx, dword ptr [esp+04]
:0040B7CE 64890D00000000 mov dword ptr fs:[00000000], ecx
:0040B7D5 5E pop esi
:0040B7D6 83C40C add esp, 0000000C
:0040B7D9 C3 ret
要得到注册码就要到0040B7B5完成jne指令,GoOn.....
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B7B5(C)
|
:0040B7DA 57 push edi
:0040B7DB 8D4C2418 lea ecx, dword ptr [esp+18]
:0040B7DF E8538F0600 call 00474737;把连接起来的字符,全转换成大写
:0040B7E4 8B7C2418 mov edi, dword ptr [esp+18]
:0040B7E8 33C9 xor ecx, ecx
:0040B7EA 8B57F8 mov edx, dword ptr [edi-08]
:0040B7ED 3BD6 cmp edx, esi ;edx=字符串长度([edi-08]),esi此时为0(0040B796处清零),长度<=0就跳过下面的循环
:0040B7EF 7E17 jle 0040B808
:0040B7F1 53 push ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B805(C)
|
:0040B7F2 0FBE0439 / movsx eax, byte ptr [ecx+edi];字符依次送给eax
:0040B7F6 8D5801 | lea ebx, dword ptr [eax+01] ;加1给ebx
:0040B7F9 0FAFD8 | imul ebx, eax ;相乘送给ebx
:0040B7FC 43 | inc ebx ;加1
:0040B7FD 0FAFD8 | imul ebx, eax ;在送给ebx
:0040B800 03F3 | add esi, ebx ;放入esi保存
:0040B802 41 | inc ecx
:0040B803 3BCA | cmp ecx, edx ;是否是最后一个
:0040B805 7CEB jl 0040B7F2
:0040B807 5B pop ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B7EF(C)
|
:0040B808 8D4C2418 lea ecx, dword ptr [esp+18]
:0040B80C C7442410FFFFFFFF mov [esp+10], FFFFFFFF
:0040B814 E8748A0600 call 0047428D
:0040B819 8B4C2408 mov ecx, dword ptr [esp+08]
:0040B81D 8BC6 mov eax, esi
:0040B81F 33D2 xor edx, edx
:0040B821 5F pop edi
:0040B822 F7742418 div [esp+18] ;无符号除法:eax=累加和/[esp+18],商留在eax作为返回值.从调用方看这个参数应是0040DF31处压入的1(请在调试器里确认),这时返回值就等于累加和;下面的注册机没有复现这一步除法
:0040B826 64890D00000000 mov dword ptr fs:[00000000], ecx
:0040B82D 5E pop esi ;恢复调用者的esi(调用者用esi保存用户输入的假注册码),真注册码在eax里返回
:0040B82E 83C40C add esp, 0000000C
:0040B831 C3 ret
以上就是我跟踪的流程....
好了,再把整个过程分析一遍:我们输入姓名和注册码,程序先把输入的名字和
"AnimateIt","STANDARD"连接起来形成"AnimateItSTANDARDdengkeng",然后再把
小写转换成大写"ANIMATEITSTANDARDDENGKENG",最后对整个字符串逐字节做运算(每个字节c累加c^3+c^2+c,结果按32位截断)!上面有
分析,具体的算法看上面!最后的运算结果存放在寄存器esi中,再送入eax并以[esp+18]作无符号除法(0040B822处,从调用方看除数应为1,所以商就是累加和).返回后eax和
存放假注册码的esi相比较,相等就注册为Standard Edition,否则继续
比较看是否是Power Edition,因为Standard和Power的算法都一样只是字符变成了
"ANIMATEITPOWERDENGKENG".好了下面给出注册机.VC下编译成功!
#include "stdio.h"
#include "iostream.h"
#include "windows.h"
#include "conio.h"
#include "string.h"
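/* Builds the upper-cased string the target hashes: prefix followed by the
 * name, with the name folded to upper case (ASCII a-z only, which is what
 * strupr does in the "C" locale; other bytes are left untouched).
 * Writes at most cap bytes including the terminator.
 * Returns 1 on success, 0 (dst untouched) if prefix+name would not fit. */
static int build_key_string(char *dst, size_t cap, const char *prefix, const char *name)
{
    size_t plen = strlen(prefix);
    size_t nlen = strlen(name);

    /* Bounded: the original strcat'ed the name into a fixed 256-byte buffer
     * that already held the prefix, which overran for long names. */
    if (dst == NULL || cap == 0 || plen + nlen + 1 > cap) {
        return 0;
    }
    memcpy(dst, prefix, plen);
    for (size_t i = 0; i < nlen; i++) {
        char ch = name[i];
        if (ch >= 'a' && ch <= 'z') {
            ch = (char)(ch - ('a' - 'A'));
        }
        dst[plen + i] = ch;
    }
    dst[plen + nlen] = '\0';
    return 1;
}

/* Serial algorithm recovered from 0040B7F2..0040B805: for every byte c
 * (sign-extended, as MOVSX does) accumulate ((c+1)*c+1)*c, i.e.
 * c^3 + c^2 + c, in a 32-bit register.  The arithmetic is done in
 * unsigned 32-bit so wraparound matches IMUL/ADD instead of being
 * signed-overflow undefined behaviour.  text must already be upper-cased;
 * an empty string yields 0.
 * The target follows the loop with `div [esp+18]`; that divisor is not
 * reproduced here (the caller appears to pass 1 - confirm in a debugger). */
static unsigned int animateit_serial(const char *text)
{
    unsigned int sum = 0;

    for (const char *p = text; *p != '\0'; ++p) {
        unsigned int c = (unsigned int)(int)(signed char)*p; /* MOVSX EAX, byte ptr */
        unsigned int term = (c + 1U) * c;                    /* LEA EBX,[EAX+1]; IMUL EBX,EAX */
        term += 1U;                                           /* INC EBX */
        term *= c;                                            /* IMUL EBX,EAX */
        sum += term;                                          /* ADD ESI,EBX */
    }
    return sum;
}

/* Entry point: prompts for the registered name and prints the keys for the
 * Standard and Power editions.  Always returns 0. */
int main(void)
{
    char Name[256] = "";
    /* Longest prefix + whole Name buffer + NUL, so build_key_string can
     * never fail on input that fits in Name. */
    char key[sizeof("ANIMATEITSTANDARD") + sizeof Name];

    printf("##############################################\n");
    printf("AnimateIt Screen Saver KeyGen Made By dengkeng\n");
    printf("QQ:28895751 E-Mail:shellc0de@sohu.com\n");
    printf("##############################################\n");
    printf("\n");
    printf("Registered Name:");
    fflush(stdout);
    if (fgets(Name, (int)sizeof Name, stdin) == NULL) {
        Name[0] = '\0';
    }
    Name[strcspn(Name, "\r\n")] = '\0';   /* drop the newline fgets keeps */

    /* The original tested strlen(prefix+name) < 1, which could never be
     * true because the prefix alone is 17 bytes; test the name itself. */
    if (Name[0] == '\0') {
        printf("Your name is too short!\n");
    } else {
        /* Printed as a signed 32-bit value, like the original `long Serial`
         * on 32-bit MSVC, so what the user types back matches the target's
         * 32-bit compare. */
        if (build_key_string(key, sizeof key, "ANIMATEITSTANDARD", Name)) {
            printf("Registration Key For Standard Edition:%d\n", (int)animateit_serial(key));
        }
        if (build_key_string(key, sizeof key, "ANIMATEITPOWER", Name)) {
            printf("Registration Key For Power Edition:%d\n", (int)animateit_serial(key));
        }
    }
    getchar();   /* pause before exit, like the original getch(); getchar() is standard */
    return 0;
}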
结果如下:
Registered Name:dengkeng
Registration Key For Standard Edition:10337368
Registration Key For Power Edition:9499310
Made By dengkeng
E-mail:shellc0de@sohu.com
欢迎转载,请保持文章的完整性