昨天下午刚接上网,然后就是疯狂的下载东西,先下了flashget v1.65, 未注册有广告的,竟敢占用我花了几个月时间才磨来的宽带!顺手破了它
无意间发现它算法简单,考虑到以后经常用的,就想写出注册机来;
它是重启效验,注册码正确就去除广告条,不过输入注册码后会弹出MessageBox让你重启,在这儿跟一下就发现存放注册信息的键值叫“RegName”保存在“HKEY_CURRENT_USER\Software\JetCar\JetCar\General”里,下面是算法部分。
有错误的地方还请大家指出!谢谢!!
0041DC80 /$ 6A FF push -1
0041DC82 |. 68 20334F00 push flashget.004F3320 ; SE handler installation
0041DC87 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
0041DC8D |. 50 push eax
0041DC8E |. 64:8925 00000000 mov dword ptr fs:[0],esp
0041DC95 |. 83EC 20 sub esp,20
0041DC98 |. 53 push ebx
0041DC99 |. 55 push ebp
0041DC9A |. 56 push esi
0041DC9B |. 57 push edi
0041DC9C |. 68 E8B85300 push flashget.0053B8E8
0041DCA1 |. 68 A0E55200 push flashget.0052E5A0 ; ASCII "RegName"
0041DCA6 |. 8D4424 18 lea eax,dword ptr ss:[esp+18]
0041DCAA |. 8BE9 mov ebp,ecx
0041DCAC |. 68 A0C15200 push flashget.0052C1A0 ; ASCII "General"
0041DCB1 |. 50 push eax
0041DCB2 |. 896C24 28 mov dword ptr ss:[esp+28],ebp
0041DCB6 |. E8 95C70C00 call flashget.004EA450 ;取用户名
0041DCBB |. 8DB5 60030000 lea esi,dword ptr ss:[ebp+360]
0041DCC1 |. 50 push eax
0041DCC2 |. 8BCE mov ecx,esi
0041DCC4 |. C74424 3C 0000000>mov dword ptr ss:[esp+3C],0
0041DCCC |. E8 83660B00 call flashget.004D4354
0041DCD1 |. 83CF FF or edi,FFFFFFFF
0041DCD4 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0041DCD8 |. 897C24 38 mov dword ptr ss:[esp+38],edi
0041DCDC |. E8 3A650B00 call flashget.004D421B
0041DCE1 |. 68 E8B85300 push flashget.0053B8E8
0041DCE6 |. 68 98E55200 push flashget.0052E598 ; ASCII "RegPass"
0041DCEB |. 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
0041DCEF |. 68 A0C15200 push flashget.0052C1A0 ; ASCII "General"
0041DCF4 |. 51 push ecx
0041DCF5 |. 8BCD mov ecx,ebp
0041DCF7 |. E8 54C70C00 call flashget.004EA450 ;取注册码
0041DCFC |. 81C5 64030000 add ebp,364
0041DD02 |. BB 01000000 mov ebx,1 ; ebx=1,下面有用呢
0041DD07 |. 50 push eax
0041DD08 |. 8BCD mov ecx,ebp
0041DD0A |. 895C24 3C mov dword ptr ss:[esp+3C],ebx
0041DD0E |. E8 41660B00 call flashget.004D4354
0041DD13 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0041DD17 |. 897C24 38 mov dword ptr ss:[esp+38],edi
0041DD1B |. E8 FB640B00 call flashget.004D421B
0041DD20 |. 8B16 mov edx,dword ptr ds:[esi]
0041DD22 |. 8B42 F8 mov eax,dword ptr ds:[edx-8]
0041DD25 |. 85C0 test eax,eax ; 邮箱长度
0041DD27 |. 0F84 4E010000 je flashget.0041DE7B
0041DD2D |. 8B45 00 mov eax,dword ptr ss:[ebp]
0041DD30 |. 8B48 F8 mov ecx,dword ptr ds:[eax-8]
0041DD33 |. 85C9 test ecx,ecx ; 注册码长度
0041DD35 |. 0F84 40010000 je flashget.0041DE7B
0041DD3B |. 8BCE mov ecx,esi
0041DD3D |. E8 89210B00 call flashget.004CFECB
0041DD42 |. 8BCE mov ecx,esi
0041DD44 |. E8 36210B00 call flashget.004CFE7F
0041DD49 |. 8B0E mov ecx,dword ptr ds:[esi]
0041DD4B |. 8379 F8 05 cmp dword ptr ds:[ecx-8],5 ; 邮箱至少5个字符
0041DD4F |. 0F8E 26010000 jle flashget.0041DE7B
0041DD55 |. 68 BCE55200 push flashget.0052E5BC
0041DD5A |. 8BCE mov ecx,esi
0041DD5C |. E8 851D0B00 call flashget.004CFAE6
0041DD61 |. 85C0 test eax,eax ; 注册名长度
0041DD63 |. 0F8C 12010000 jl flashget.0041DE7B
0041DD69 |. 68 B8E55200 push flashget.0052E5B8
0041DD6E |. 8BCE mov ecx,esi
0041DD70 |. E8 711D0B00 call flashget.004CFAE6
0041DD75 |. 85C0 test eax,eax ; 邮箱长度减去".com"的长度
0041DD77 |. 0F8C FE000000 jl flashget.0041DE7B
0041DD7D |. 8BCD mov ecx,ebp
0041DD7F |. E8 47210B00 call flashget.004CFECB
0041DD84 |. 8BCD mov ecx,ebp
0041DD86 |. E8 F4200B00 call flashget.004CFE7F
0041DD8B |. 8B55 00 mov edx,dword ptr ss:[ebp]
0041DD8E |. 8B42 F8 mov eax,dword ptr ds:[edx-8]
0041DD91 |. 83F8 2C cmp eax,2C ; 注册码长度=0x2c,40个字符,吓死我了-------它好像只检查前12个字符,我还没有验证
0041DD94 |. 0F85 E1000000 jnz flashget.0041DE7B ; 上面都是往"0041DE7B"跳,即GameOver
0041DD9A |. 68 B0E55200 push flashget.0052E5B0 ; ASCII "fgc-"
0041DD9F |. 8BCD mov ecx,ebp
0041DDA1 |. E8 401D0B00 call flashget.004CFAE6 ; 找"fgc-"
0041DDA6 |. 85C0 test eax,eax
0041DDA8 |. 75 06 jnz short flashget.0041DDB0
0041DDAA |. 895C24 10 mov dword ptr ss:[esp+10],ebx ; 如果是"fgc-",则ebx=1,就是上面的(0041DD02)mov ebx,1
0041DDAE |. EB 18 jmp short flashget.0041DDC8
0041DDB0 |> 68 A8E55200 push flashget.0052E5A8 ; ASCII "fgf-"
0041DDB5 |. 8BCD mov ecx,ebp
0041DDB7 |. E8 2A1D0B00 call flashget.004CFAE6 ; 找不到的话找"fgf-"
0041DDBC |. 85C0 test eax,eax ; 如果是"fgf-",则eax=0,
0041DDBE |. 0F85 B7000000 jnz flashget.0041DE7B
0041DDC4 |. 894424 10 mov dword ptr ss:[esp+10],eax
0041DDC8 |> 6A 2C push 2C
0041DDCA |. 8BCD mov ecx,ebp
0041DDCC |. E8 7A680B00 call flashget.004D464B
0041DDD1 |. 8BF8 mov edi,eax
0041DDD3 |. 33C9 xor ecx,ecx
0041DDD5 |. 83C7 04 add edi,4 ; 下面计算用"fgc-"或"fgf-"后的字符
0041DDD8 |. 33F6 xor esi,esi
0041DDDA |> 8B07 /mov eax,dword ptr ds:[edi]
0041DDDC |. 8BD6 |mov edx,esi
0041DDDE |. 83C7 04 |add edi,4 ; 准备下一步计算
0041DDE1 |. 83EA 00 |sub edx,0 ; Switch (cases 0..2)
0041DDE4 |. 894424 1C |mov dword ptr ss:[esp+1C],eax ; 前四个字符的HEX相连的int值
0041DDE8 |. 74 26 |je short flashget.0041DE10 ; edx=esi为零跳,esi每次加1,三次用不同的算法,这是第一次
0041DDEA |. 4A |dec edx
0041DDEB |. 74 17 |je short flashget.0041DE04 ; 第一次成功就计算第二次
0041DDED |. 4A |dec edx
0041DDEE |. 75 38 |jnz short flashget.0041DE28 ; 第三次
0041DDF0 |. 0FBE4C24 1E |movsx ecx,byte ptr ss:[esp+1E] ; 第11个字符的HEX值
0041DDF5 |. 0FBED4 |movsx edx,ah ; ah即第10个字符的HEX值
0041DDF8 |. 0FAFCA |imul ecx,edx ; 转换为int后相乘
0041DDFB |. 0FBE5424 1F |movsx edx,byte ptr ss:[esp+1F] ; 第12个字符的HEX值
0041DE00 |. 03CA |add ecx,edx ; 相加
0041DE02 |. EB 1F |jmp short flashget.0041DE23 ; 跳到下面继续
0041DE04 |> 0FBE4C24 1E |movsx ecx,byte ptr ss:[esp+1E] ; 第7个字符的HEX值
0041DE09 |. 0FBED4 |movsx edx,ah ; ah即第6个字符的HEX值
0041DE0C |. 23CA |and ecx,edx ; 与运算
0041DE0E |. EB 0B |jmp short flashget.0041DE1B ; 跳到下面继续
0041DE10 |> 8A4C24 1E |mov cl,byte ptr ss:[esp+1E] ; 即第3个字符的HEX
0041DE14 |. 8AD4 |mov dl,ah ; ah即第2个字符的HEX
0041DE16 |. 33CA |xor ecx,edx ; 异或
0041DE18 |. 83E1 7F |and ecx,7F ; 与运算,这两步结果小于0x7f,不至于出现奇怪的字符
0041DE1B |> 0FBE5424 1F |movsx edx,byte ptr ss:[esp+1F] ; 在把第x(x=4、8、12)个的HEX送入edx
0041DE20 |. 0FAFCA |imul ecx,edx ; 相乘
0041DE23 |> 0FBEC0 |movsx eax,al ; al当然是第y(1、5、9)个的HEX啦
0041DE26 |. 03C8 |add ecx,eax ; 与上面结果相加
0041DE28 |> 8B4424 10 |mov eax,dword ptr ss:[esp+10] ; 根据"fgc-"或"fgf-"决定跳转,可以看上面的(0041DDAA和0041DDC4)
0041DE2C |. 85C0 |test eax,eax
0041DE2E |. 74 0C |je short flashget.0041DE3C
0041DE30 |. 0FBE1D 2BC75200 |movsx ebx,byte ptr ds:[52C72B] ; 52C72B 处的"kevinhyx12345"
0041DE37 |. 83FE 02 |cmp esi,2 ; 两种情况ebx值非别为
1:6b(k) 65(e) 69(i)
2: 6b(k) 65(e) 76(v)
0041DE3A |. 74 07 |je short flashget.0041DE43
0041DE3C |> 0FBE9E 28C75200 |movsx ebx,byte ptr ds:[esi+52C728] ; "8"和"B",是有区别的^-^
0041DE43 |> 8BC1 |mov eax,ecx ; 还记得ecx吗:)
0041DE45 |. 33D2 |xor edx,edx ; 先清零
0041DE47 |. F7F3 |div ebx
0041DE49 |. 8BC6 |mov eax,esi
0041DE4B |. 83E8 00 |sub eax,0 ; Switch (cases 0..2)
0041DE4E |. 74 13 |je short flashget.0041DE63
0041DE50 |. 48 |dec eax
0041DE51 |. 74 09 |je short flashget.0041DE5C
0041DE53 |. 48 |dec eax
0041DE54 |. 75 11 |jnz short flashget.0041DE67
0041DE56 |. 85D2 |test edx,edx ; 第三次余数=0; Case 2 of switch 0041DE4B
0041DE58 |. 75 18 |jnz short flashget.0041DE72
0041DE5A |. EB 0B |jmp short flashget.0041DE67
0041DE5C |> 83FA 08 |cmp edx,8 ; 第二次余数=8; Case 1 of switch 0041DE4B
0041DE5F |. 75 11 |jnz short flashget.0041DE72
0041DE61 |. EB 04 |jmp short flashget.0041DE67
0041DE63 |> 85D2 |test edx,edx ; 第一次余数=0; Case 0 of switch 0041DE4B
0041DE65 |. 75 0B |jnz short flashget.0041DE72
0041DE67 |> 46 |inc esi ; Default case of switch 0041DE4B
0041DE68 |. 83FE 03 |cmp esi,3
0041DE6B |. 7D 23 |jge short flashget.0041DE90
0041DE6D |.^ E9 68FFFFFF \jmp flashget.0041DDDA
0041DE72 |> 6A FF push -1
0041DE74 |. 8BCD mov ecx,ebp
0041DE76 |. E8 1F680B00 call flashget.004D469A
0041DE7B |> 5F pop edi
0041DE7C |. 5E pop esi
0041DE7D |. 5D pop ebp
0041DE7E |. 33C0 xor eax,eax ;over!
0041DE80 |. 5B pop ebx
0041DE81 |. 8B4C24 20 mov ecx,dword ptr ss:[esp+20]
0041DE85 |. 64:890D 00000000 mov dword ptr fs:[0],ecx
0041DE8C |. 83C4 2C add esp,2C
0041DE8F |. C3 retn
0041DE90 |> 6A FF push -1 ;ok!
0041DE92 |. 8BCD mov ecx,ebp
0041DE94 |. E8 01680B00 call flashget.004D469A
0041DE99 |. 8B45 00 mov eax,dword ptr ss:[ebp]
0041DE9C |. 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
0041DEA0 |. 6A 01 push 1
0041DEA2 |. 50 push eax
0041DEA3 |. 68 A0C15200 push flashget.0052C1A0 ; ASCII "General"
0041DEA8 |. E8 37C50C00 call flashget.004EA3E4
0041DEAD |. 8B4C24 30 mov ecx,dword ptr ss:[esp+30]
0041DEB1 |. 5F pop edi
0041DEB2 |. F7D8 neg eax
0041DEB4 |. 1BC0 sbb eax,eax
0041DEB6 |. 5E pop esi
0041DEB7 |. 5D pop ebp
0041DEB8 |. 5B pop ebx
0041DEB9 |. F7D8 neg eax
0041DEBB |. 64:890D 00000000 mov dword ptr fs:[0],ecx
0041DEC2 |. 83C4 2C add esp,2C
0041DEC5 \. C3 retn
编注册机:
我以前四个字符的计算为例,说一下我的思路:
设前四个字符为"abcd"当然不包括"fgc-"和"fgf-"
Hex分别为:
61 62 63 64
按第一次的算法:
(61*62+64+61)结果与0x6b即"k"的Hex取余,结果须为零;
但这个结果=0x5a,用0x61-0x5a=0x7 (又是不可显示的~~~);第一个字符的Hex=0x7就通过第一次计算啦
下面是代码(C#)
private void button1_Click(object sender, System.EventArgs e)
{
string result=""; //result放结果
int select=comboBox1.SelectedIndex ; //放了个comboBox,Item1="fgf-" Item2="fgc-"
int tmp,div;
int[,] sn=new int [3,4];
int[] val0={0x6b,0x65,0x76}; //即"kevinhyx12345"中的"k","e","i"的HEX
int[] val1={0x6b,0x65,0x69}; //"k","e","v"的HEX
Random rand=new Random (); //用来产生随机数,当然你也可以叫它“伪随机数”
for(int j=0;j<3;j++)
{
for(int i=0;i<4;i++)
{
sn[j,i]=rand.Next (0x61,0x7a); //随机数的最小值大一点,可以减少不可显示字符,这是偷懒,还有更好的方法,太麻烦了
}
}
for(int k=0;k<3;k++) //下面按照程序编
{
switch(k)
{
case 0:
goto n1;
case 1:
goto n2;
case 2:
goto n3;
default:
break;
}
n3:
tmp=sn[k,1]*sn[k,2]+sn[k,3];
goto b;
n2:
tmp=sn[k,1]&sn[k,2];
goto a;
n1:
tmp=(sn[k,1]^sn[k,2])&0x7f;
a:
tmp=sn[k,3]*tmp;
b:
tmp=tmp+sn[k,0]; //这里的sn[k,0]就是须要求的字符HEX值,先是随机产生,等会儿再修改
if(select==0)
{
div=tmp%val0[k];
}
else
{
div=tmp%val1[k];
}
if(k==1) //修改错误的随机数为正确结果
{
sn[k,0]=sn[k,0]-div+8;
}
else
{
sn[k,0]=sn[k,0]-div;
}
}
for(int j=0;j<3;j++)
{
for(int i=0;i<4;i++)
{
char chars=(char)sn[j,i];
result=result+chars.ToString();
}
}
textBox1.Text =comboBox1.SelectedItem.ToString() +result +"0123456789012345678901234567"; //后28个字符就作个个性签名啦
}
}
运行后每次都会算出一些奇怪的字符
,试了好几个,都通过了。
