有声有色4.0注册算法
作者:华仔
组织:China Cracking Group
时间:2001.05.01
我的上网时间几乎为0,这篇文章还是在朋友家发出来的(朋友让我搞定这个软件,回报
就是获得(30 mod 20) or (60 xor 57)分钟的上网时间)
一、实战:
1、进入注册窗口,输入如下信息
序列号:1974923
用户名:华仔[CCG]
注册码:1974923
2、载入TRW2000,下“bpx hmemcpy”设断,再下“g”运行程序,单击“确定”,程序马
上被拦下。下“pmodule”、再按59次F10 来到005439F1
*// Fragment from the registration dialog's OK handler (the function entry is not shown).
*// It reads the serial-number field six times, takes one digit per read, and joins the
*// digits with a separator into the string at [00567D64].
*// Values quoted in the notes are from the author's session (serial "1974923").
*// NOTE(review): the listing carries no symbol names; the roles given below for
*// 00403E2C, 004368A0, 00404260 and 00404118 are inferred from how they are called - confirm.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00543952(C)
|
*// Link a new exception-registration record at fs:[0]; handler address is 00543E5C.
:005439F1 33C0                    xor eax, eax
:005439F3 55                      push ebp
:005439F4 685C3E5400              push 00543E5C
:005439F9 64FF30                  push dword ptr fs:[eax]
:005439FC 648920                  mov dword ptr fs:[eax], esp
*// eax = address 00567D80, edx = constant at 00544014; presumably a string assignment.
*// [00567D80] is pushed twice between digits further down, so it is presumably the "/" separator.
:005439FF B8807D5600              mov eax, 00567D80
:00543A04 BA14405400              mov edx, 00544014
:00543A09 E81E04ECFF              call 00403E2C
*// --- digit 1 of 6: result slot 00567D68 ---
:00543A0E 68687D5600              push 00567D68
:00543A13 8D55DC                  lea edx, dword ptr [ebp-24]
:00543A16 8B45FC                  mov eax, dword ptr [ebp-04]
:00543A19 8B80EC020000            mov eax, dword ptr [eax+000002EC]
:00543A1F E87C2EEFFF              call 004368A0
:00543A24 8B45DC                  mov eax, dword ptr [ebp-24]
*// eax = the serial number as entered: 1974923
* Possible Reference to String Resource ID=00001: "Today"
|
:00543A27 B901000000              mov ecx, 00000001
*// author's note: "first digit: 1".
*// NOTE(review): ecx is 1 in all six calls while only edx changes, so it looks like a
*// length of one character rather than a position - confirm.
:00543A2C BA04000000              mov edx, 00000004
*// take the 4th digit: 4
:00543A31 E82A08ECFF              call 00404260
*// --- digit 2 of 6: result slot 00567D6C ---
:00543A36 686C7D5600              push 00567D6C
:00543A3B 8D55D8                  lea edx, dword ptr [ebp-28]
:00543A3E 8B45FC                  mov eax, dword ptr [ebp-04]
:00543A41 8B80EC020000            mov eax, dword ptr [eax+000002EC]
:00543A47 E8542EEFFF              call 004368A0
:00543A4C 8B45D8                  mov eax, dword ptr [ebp-28]
*// eax = the serial number as entered: 1974923
* Possible Reference to String Resource ID=00001: "Today"
|
:00543A4F B901000000              mov ecx, 00000001
*// author's note: "first digit: 1" (see the review note at 00543A27)
* Possible Reference to String Resource ID=00001: "Today"
|
:00543A54 BA01000000              mov edx, 00000001
*// take the 1st digit: 1
:00543A59 E80208ECFF              call 00404260
*// --- digit 3 of 6: result slot 00567D70 ---
:00543A5E 68707D5600              push 00567D70
:00543A63 8D55D4                  lea edx, dword ptr [ebp-2C]
:00543A66 8B45FC                  mov eax, dword ptr [ebp-04]
:00543A69 8B80EC020000            mov eax, dword ptr [eax+000002EC]
:00543A6F E82C2EEFFF              call 004368A0
:00543A74 8B45D4                  mov eax, dword ptr [ebp-2C]
*// eax = the serial number as entered: 1974923
* Possible Reference to String Resource ID=00001: "Today"
|
:00543A77 B901000000              mov ecx, 00000001
*// author's note: "first digit: 1" (see the review note at 00543A27)
:00543A7C BA06000000              mov edx, 00000006
*// take the 6th digit: 2
:00543A81 E8DA07ECFF              call 00404260
*// --- digit 4 of 6: result slot 00567D74 ---
:00543A86 68747D5600              push 00567D74
:00543A8B 8D55D0                  lea edx, dword ptr [ebp-30]
:00543A8E 8B45FC                  mov eax, dword ptr [ebp-04]
:00543A91 8B80EC020000            mov eax, dword ptr [eax+000002EC]
:00543A97 E8042EEFFF              call 004368A0
:00543A9C 8B45D0                  mov eax, dword ptr [ebp-30]
*// eax = the serial number as entered: 1974923
* Possible Reference to String Resource ID=00001: "Today"
|
:00543A9F B901000000              mov ecx, 00000001
*// author's note: "first digit: 1" (see the review note at 00543A27)
:00543AA4 BA03000000              mov edx, 00000003
*// take the 3rd digit: 7
:00543AA9 E8B207ECFF              call 00404260
*// --- digit 5 of 6: result slot 00567D78 ---
:00543AAE 68787D5600              push 00567D78
:00543AB3 8D55CC                  lea edx, dword ptr [ebp-34]
:00543AB6 8B45FC                  mov eax, dword ptr [ebp-04]
:00543AB9 8B80EC020000            mov eax, dword ptr [eax+000002EC]
:00543ABF E8DC2DEFFF              call 004368A0
:00543AC4 8B45CC                  mov eax, dword ptr [ebp-34]
*// eax = the serial number as entered: 1974923
* Possible Reference to String Resource ID=00001: "Today"
|
:00543AC7 B901000000              mov ecx, 00000001
*// author's note: "first digit: 1" (see the review note at 00543A27)
:00543ACC BA02000000              mov edx, 00000002
*// take the 2nd digit: 9
:00543AD1 E88A07ECFF              call 00404260
*// --- digit 6 of 6: result slot 00567D7C ---
:00543AD6 687C7D5600              push 00567D7C
:00543ADB 8D55C8                  lea edx, dword ptr [ebp-38]
:00543ADE 8B45FC                  mov eax, dword ptr [ebp-04]
:00543AE1 8B80EC020000            mov eax, dword ptr [eax+000002EC]
:00543AE7 E8B42DEFFF              call 004368A0
:00543AEC 8B45C8                  mov eax, dword ptr [ebp-38]
*// eax = the serial number as entered: 1974923
* Possible Reference to String Resource ID=00001: "Today"
|
:00543AEF B901000000              mov ecx, 00000001
*// author's note: "first digit: 1" (see the review note at 00543A27)
:00543AF4 BA05000000              mov edx, 00000005
*// take the 5th digit: 9
:00543AF9 E86207ECFF              call 00404260
*// Push the eight pieces in output order: digit 4, digit 1, [00567D80], digit 6,
*// digit 3, [00567D80], digit 2, digit 5. With edx = 8 and eax = 00567D64 the call
*// at 00543B38 presumably concatenates them into [00567D64].
:00543AFE FF35687D5600            push dword ptr [00567D68]
:00543B04 FF356C7D5600            push dword ptr [00567D6C]
:00543B0A FF35807D5600            push dword ptr [00567D80]
:00543B10 FF35707D5600            push dword ptr [00567D70]
:00543B16 FF35747D5600            push dword ptr [00567D74]
:00543B1C FF35807D5600            push dword ptr [00567D80]
:00543B22 FF35787D5600            push dword ptr [00567D78]
:00543B28 FF357C7D5600            push dword ptr [00567D7C]
:00543B2E B8647D5600              mov eax, 00567D64
:00543B33 BA08000000              mov edx, 00000008
:00543B38 E8DB05ECFF              call 00404118
*// Unlink the exception-registration record installed at 005439F1 (restore fs:[0]).
:00543B3D 33C0                    xor eax, eax
:00543B3F 5A                      pop edx
:00543B40 59                      pop ecx
:00543B41 59                      pop ecx
:00543B42 648910                  mov dword ptr fs:[eax], edx
:00543B45 68663E5400              push 00543E66
*// First check: the string rebuilt from the serial number ([00567D64]) is compared with
*// the string at [00567D60]; on a mismatch the error message box is prepared.
*// NOTE(review): per the author's annotation [00567D60] holds the BIOS date, so the serial
*// appears to be only that date with its digits reordered. A BIOS date is shared by every
*// machine with the same firmware build, so it is a weak machine identifier.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00543E61(U)
|
:00543B4A A1647D5600              mov eax, dword ptr [00567D64]
*// EAX = 41/27/99 (the string built from the entered serial)
:00543B4F 8B15607D5600            mov edx, dword ptr [00567D60]
*// EDX = the motherboard BIOS date: 11/06/00
*// 00404168 is presumably a string comparison that sets ZF on equality - confirm.
:00543B55 E80E06ECFF              call 00404168
:00543B5A 0F848F000000            je 00543BEF
*// The jump is taken only when EAX equals EDX.
*// Mismatch path: install another exception-registration record (handler 00543BE8).
:00543B60 33C0                    xor eax, eax
:00543B62 55                      push ebp
:00543B63 68E83B5400              push 00543BE8
:00543B68 64FF30                  push dword ptr fs:[eax]
:00543B6B 648920                  mov dword ptr fs:[eax], esp
*// 30h, a caption and a text are pushed; this looks like the argument list of a
*// message box (30h would be the exclamation-icon style) - confirm.
:00543B6E 6A30                    push 00000030
*// caption string, in English: "Register software"
* Possible StringData Ref from Code Obj ->"注册软件"
|
:00543B70 68C43E5400              push 00543EC4
*// message string, in English: "The serial number, user name or registration code is
*// wrong, please enter it again!"
* Possible StringData Ref from Code Obj ->"序列号、用户名或注册码错误,请重新输入!"
|
:00543B75 68D03E5400              push 00543ED0
:00543B7A 8B45FC                  mov eax, dword ptr [ebp-04]
:00543B7D E8C28FEFFF              call 0043CB44
:00543B82 50                      push eax
.........
.........
.........
*// Second check, reached when the serial/date comparison at 00543B5A succeeds.
*// An object is obtained and stored at [00567D54], the user name is handed to 0048F0E0,
*// and the registration code typed by the user is compared with the dword at [object+2C].
*// NOTE(review): the expected code is computed in full inside the client and held at
*// [object+2C] before the comparison, so the check is a plain string equality against a
*// locally derived value. A licence format that is verified with a public-key signature
*// does not need the expected value to exist in the process at all.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00543B5A(C)
|
*// ecx = [ebp-04], dl = 1, eax = [0048EF74]; the return value is kept at [00567D54].
*// Presumably an object construction - confirm.
:00543BEF 8B4DFC                  mov ecx, dword ptr [ebp-04]
:00543BF2 B201                    mov dl, 01
* Possible StringData Ref from Code Obj ->"?A"
|
:00543BF4 A174EF4800              mov eax, dword ptr [0048EF74]
:00543BF9 E81A74EDFF              call 0041B018
:00543BFE A3547D5600              mov dword ptr [00567D54], eax
:00543C03 BA0D3E0000              mov edx, 00003E0D
*// EDX = 3E0D (used further down)
:00543C08 A1547D5600              mov eax, dword ptr [00567D54]
:00543C0D E846B5F4FF              call 0048F158
*// Read the control at [form+2E4] into the local at [ebp-3C] (same helper, 004368A0,
*// that reads the serial-number field earlier in this handler).
:00543C12 8D55C4                  lea edx, dword ptr [ebp-3C]
:00543C15 8B45FC                  mov eax, dword ptr [ebp-04]
:00543C18 8B80E4020000            mov eax, dword ptr [eax+000002E4]
:00543C1E E87D2CEFFF              call 004368A0
:00543C23 8B55C4                  mov edx, dword ptr [ebp-3C]
*// edx = the user name: 华仔[CCG]
:00543C26 A1547D5600              mov eax, dword ptr [00567D54]
:00543C2B E8B0B4F4FF              call 0048F0E0
*// The call that computes the registration code; its code is listed below (marked ①).
*// Read the control at [form+2E8] into the local at [ebp-40].
:00543C30 8D55C0                  lea edx, dword ptr [ebp-40]
:00543C33 8B45FC                  mov eax, dword ptr [ebp-04]
:00543C36 8B80E8020000            mov eax, dword ptr [eax+000002E8]
:00543C3C E85F2CEFFF              call 004368A0
:00543C41 8B45C0                  mov eax, dword ptr [ebp-40]
*// eax = the registration code as entered: 1974923
:00543C44 8B15547D5600            mov edx, dword ptr [00567D54]
:00543C4A 8B522C                  mov edx, dword ptr [edx+2C]
*// The program says the registration code should be this: 267507-365370885-11145564
*// 00404168 is the same routine used for the serial/date comparison at 00543B55.
:00543C4D E81605ECFF              call 00404168
:00543C52 7549                    jne 00543C9D
*// If they are not equal, jump to the error dialog.
.........
.........
.........
①计算注册码的CALL:
*// 0048F0E0 - wrapper around the code computation at 0048F1B4.
*// In:   eax = object pointer (kept in ebx), edx = user-name string (kept at [ebp-04]).
*// Does: stores the name at [object+24], calls 0048F1B4 with eax = object,
*//       ecx = [object+24], edx = [object+28] and a pointer to the local at [ebp-08]
*//       on the stack, then stores that local at [object+2C].
*// The caller at 00543C2B reads [object+2C] afterwards as the expected registration code.
*// NOTE(review): the roles of 0040420C, 00403E2C and 00403DFC are not shown in the
*// listing; they look like string reference/assign/clear helpers - confirm.
*// The listing stops at the ret at 0048F148; the code at 0048F149/0048F150 is not shown.
* Referenced by a CALL at Addresses:
|:00543C2B , :0054A5F1
|
*// Frame with 8 bytes of locals: [ebp-08] is zeroed, [ebp-04] receives the name.
:0048F0E0 55                      push ebp
:0048F0E1 8BEC                    mov ebp, esp
:0048F0E3 83C4F8                  add esp, FFFFFFF8
:0048F0E6 53                      push ebx
:0048F0E7 33C9                    xor ecx, ecx
:0048F0E9 894DF8                  mov dword ptr [ebp-08], ecx
:0048F0EC 8955FC                  mov dword ptr [ebp-04], edx
:0048F0EF 8BD8                    mov ebx, eax
:0048F0F1 8B45FC                  mov eax, dword ptr [ebp-04]
:0048F0F4 E81351F7FF              call 0040420C
*// Link an exception-registration record at fs:[0]; handler address is 0048F149.
:0048F0F9 33C0                    xor eax, eax
:0048F0FB 55                      push ebp
:0048F0FC 6849F14800              push 0048F149
:0048F101 64FF30                  push dword ptr fs:[eax]
:0048F104 648920                  mov dword ptr fs:[eax], esp
*// eax = address of [object+24], edx = name: presumably copies the name into the object.
:0048F107 8D4324                  lea eax, dword ptr [ebx+24]
:0048F10A 8B55FC                  mov edx, dword ptr [ebp-04]
:0048F10D E81A4DF7FF              call 00403E2C
*// The address of the local at [ebp-08] goes on the stack for 0048F1B4.
:0048F112 8D45F8                  lea eax, dword ptr [ebp-08]
:0048F115 50                      push eax
:0048F116 8B4B24                  mov ecx, dword ptr [ebx+24]
*// ecx = the user name that was entered: 华仔[CCG]
:0048F119 8B5328                  mov edx, dword ptr [ebx+28]
:0048F11C 8BC3                    mov eax, ebx
:0048F11E E891000000              call 0048F1B4
*// The call that computes the registration code; the author marks it ② and lists it
*// further on (it is not part of this excerpt).
:0048F123 8B55F8                  mov edx, dword ptr [ebp-08]
*// edx = the computed, correct registration code
:0048F126 8D432C                  lea eax, dword ptr [ebx+2C]
:0048F129 E8FE4CF7FF              call 00403E2C
*// Unlink the exception-registration record (restore fs:[0]).
:0048F12E 33C0                    xor eax, eax
:0048F130 5A                      pop edx
:0048F131 59                      pop ecx
:0048F132 59                      pop ecx
:0048F133 648910                  mov dword ptr fs:[eax], edx
*// 0048F150 is pushed here; if the call at 0048F143 leaves the stack balanced, the ret
*// at 0048F148 transfers there.
:0048F136 6850F14800              push 0048F150
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048F14E(U)
|
*// eax = address of [ebp-08], edx = 2: presumably releases the two locals
*// ([ebp-08] and [ebp-04]) - confirm.
:0048F13B 8D45F8                  lea eax, dword ptr [ebp-08]
:0048F13E BA02000000              mov edx, 00000002
:0048F143 E8B44CF7FF              call 00403DFC
:0048F148 C3                      ret