小李注册表大师 v1.41 注册算法分析--献给 LILITH 和解密算法初学者
作者:PaulYoung ( 属于 China Cracking Group )
难度:0 级 (共分 10 级,0 级最易)
软件:小李注册表大师 v1.41
下载:http://www.csdn.net/soft/openfile.asp?kind=1&id=14499 ( 456 KB )
简介:看软件名就知道干啥用的了
工具:SoftICE V4.05
日期:2001.11.07
************************************************************************************************
今天,“理你死”??!!哦……不是,是“LILITH”(MM ?! :)~ No, 靓仔一名 :( ),在看雪论坛发了一篇关于小李注册表大师 v1.41 的注册码 D 注册码大法,可惜此兄太懒,不愿跟算法,无奈,就让我这个当师父的来代劳吧。
这个软件是明码比较,非常傻瓜的那种,如何取注册码, LILITH 兄已经说得非常清楚了,在此我就省略那些无关枝节吧,重点分析它的注册算法。
Let's Go!! 想学算法的 Cracker 们!
为方便大家理解,以我的注册序列号 "1D6D-17E5" 和输入的用户名 "CCG" 为例,说说这个软件的注册算法。跟踪法请看 LILITH 大侠的文章 :)。
== 1 ==
// Excerpt 1 (mid-function): the caller side, from the "key" string reference at 00490EF1 to the
// "already registered" message at 00490F99. The routine's entry and exit lie outside this excerpt.
// ebx looks like the form object (controls are reached through [ebx+2DC] and [ebx+2E0] — confirm);
// ebp-relative slots hold temporary strings.
* Possible StringData Ref from Code Obj ->"key"
|
:00490EF1 BAD4104900 mov edx,
004910D4
:00490EF6 E88562FEFF call 00477180
:00490EFB A1D4034A00 mov eax,
dword ptr [004A03D4]
:00490F00 8B00
mov eax, dword ptr [eax]
:00490F02 E8D95BFEFF call 00476AE0
:00490F07 8D55E8
lea edx, dword ptr [ebp-18]
:00490F0A A1EC024A00 mov eax,
dword ptr [004A02EC]
:00490F0F 8B00
mov eax, dword ptr [eax]
:00490F11 E88673F7FF call 0040829C
// fetch the serial number, "1D6D-17E5" in the author's trace, into [ebp-18]
:00490F16 8D45E8
lea eax, dword ptr [ebp-18]
:00490F19 50
push eax
:00490F1A 8D55E4
lea edx, dword ptr [ebp-1C]
:00490F1D 8B83DC020000 mov eax, dword
ptr [ebx+000002DC]
:00490F23 E89403FAFF call 004312BC // read the control at [ebx+2DC] into [ebp-1C]
:00490F28 8B55E4
mov edx, dword ptr [ebp-1C]
:00490F2B 58
pop eax
:00490F2C E8372EF7FF call 00403D68
// fetch the user name, "CCG" in the author's trace (eax = &[ebp-18], edx = the name)
:00490F31 8B45E8
mov eax, dword ptr [ebp-18]
:00490F34 8D55EC
lea edx, dword ptr [ebp-14]
:00490F37 E86875F7FF call 004084A4
// per the author's trace, [ebp-14] now holds the lowercased serial joined with the user name: "1d6d-17e5CCG"
:00490F3C 8B55EC
mov edx, dword ptr [ebp-14]
:00490F3F A174014A00 mov eax,
dword ptr [004A0174]
:00490F44 8B00
mov eax, dword ptr [eax]
:00490F46 8B8064030000 mov eax, dword
ptr [eax+00000364]
:00490F4C E8EB2DFEFF call 00473D3C
// key computation: eax = object at [[004A0174]+364], edx = "1d6d-17e5CCG"; the routine at 00473D3C is excerpt 2
:00490F51 8D45FC
lea eax, dword ptr [ebp-04] // what follows is routine string handling (author: nothing new here)
:00490F54 8B1574014A00 mov edx, dword
ptr [004A0174]
:00490F5A 8B12
mov edx, dword ptr [edx]
:00490F5C 8B9264030000 mov edx, dword
ptr [edx+00000364]
:00490F62 8B524C
mov edx, dword ptr [edx+4C] // the string the computation left at object+4C (excerpt 2 ends on lea eax,[ebx+4C])
:00490F65 E80E2CF7FF call 00403B78 // presumably stores it in [ebp-04], which is compared below — confirm
:00490F6A 8D55E0
lea edx, dword ptr [ebp-20]
:00490F6D 8B83E0020000 mov eax, dword
ptr [ebx+000002E0]
:00490F73 E84403FAFF call 004312BC // read the control at [ebx+2E0] into [ebp-20], same helper that read [ebx+2DC] above
:00490F78 8B45E0
mov eax, dword ptr [ebp-20]
:00490F7B 8B55FC
mov edx, dword ptr [ebp-04]
:00490F7E E8ED2EF7FF call 00403E70 // compare the entered text with the generated key; its flags drive the jne below
:00490F83 7567
jne 00490FEC // mismatch: skip the success path. This is the plaintext comparison (明码比较) the author refers to
:00490F85 8D55D8
lea edx, dword ptr [ebp-28]
:00490F88 8B83DC020000 mov eax, dword
ptr [ebx+000002DC]
:00490F8E E82903FAFF call 004312BC // re-read the user name for the success message
:00490F93 8B4DD8
mov ecx, dword ptr [ebp-28]
:00490F96 8D45DC
lea eax, dword ptr [ebp-24]
* Possible StringData Ref from Code Obj ->"小李注册表大师已经注册给"
|
:00490F99 BAE0104900 mov edx,
004910E0
== 2 ==
// Excerpt 2: the key-derivation routine at 00473D3C, reached from the call at 00490F4C in
// excerpt 1. On entry eax = the owning object (kept in ebx), edx = the input string
// ("1d6d-17e5CCG" in the author's trace). The excerpt stops at 00473DBD; the routine's tail
// (including the handler at 00473DE3 and the final ret) is not shown.
:00473D3C 55
push ebp
:00473D3D 8BEC
mov ebp, esp
:00473D3F 83C4F8
add esp, FFFFFFF8 // two dword locals: [ebp-04] = input string, [ebp-08] = the sum as text (author's trace)
:00473D42 53
push ebx
:00473D43 56
push esi
:00473D44 33C9
xor ecx, ecx
:00473D46 894DF8
mov dword ptr [ebp-08], ecx // [ebp-08] := 0
:00473D49 8955FC
mov dword ptr [ebp-04], edx // [ebp-04] := input string
:00473D4C 8BD8
mov ebx, eax // ebx := object
:00473D4E 8B45FC
mov eax, dword ptr [ebp-04]
:00473D51 E8BE01F9FF call 00403F14
:00473D56 33C0
xor eax, eax
:00473D58 55
push ebp
:00473D59 68E33D4700 push 00473DE3
:00473D5E 64FF30
push dword ptr fs:[eax] // 00473D56..00473D61: link an exception frame at fs:[0] with handler 00473DE3
:00473D61 648920
mov dword ptr fs:[eax], esp
:00473D64 33F6
xor esi, esi // esi = running sum, starts at 0
:00473D66 8D4350
lea eax, dword ptr [ebx+50]
:00473D69 8B55FC
mov edx, dword ptr [ebp-04]
:00473D6C E8C3FDF8FF call 00403B34 // store the input string into the object field at +50
:00473D71 8B4350
mov eax, dword ptr [ebx+50]
:00473D74 E8E7FFF8FF call 00403D60
// length of "1d6d-17e5CCG" (12) into eax (author's trace)
:00473D79 85C0
test eax, eax
:00473D7B 7E20
jle 00473D9D // empty string: skip the loop, the sum stays 0
:00473D7D 8B4350
mov eax, dword ptr [ebx+50]
:00473D80 E8DBFFF8FF call 00403D60
// length fetched again into eax (same call as above)
:00473D85 85C0
test eax, eax
:00473D87 7C14
jl 00473D9D
:00473D89 40
inc eax // eax = length + 1 = number of loop passes, one more than the string has characters
:00473D8A 33D2
xor edx, edx // edx = character index, starts at 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00473D9B(C)
|
:00473D8C 8B4B50
mov ecx, dword ptr [ebx+50] // ecx = pointer to the string data
:00473D8F 0FB64C11FF movzx ecx,
byte ptr [ecx+edx-01] // ecx = byte at data[edx-1]; on the first pass that is the byte just before the data, which the author's trace reports as 0 (NOTE(review): presumably the high byte of the string's length header — confirm)
:00473D94 03F1
add esi, ecx
// sum += character value
:00473D96 037354
add esi, dword ptr [ebx+54] // sum += the constant at object+54, 57791 in the author's trace
:00473D99 42
inc edx
// next character
:00473D9A 48
dec eax
// one pass fewer left
:00473D9B 75EF
jne 00473D8C
// loop until eax reaches 0; for the 12-character input that is 13 passes: 811 + 13*57791 = 752094
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00473D7B(C), :00473D87(C)
|
:00473D9D 8D55F8
lea edx, dword ptr [ebp-08]
:00473DA0 8BC6
mov eax, esi // eax = the sum (752094 in the trace)
:00473DA2 E87D48F9FF call 00408624 // convert the sum to text in [ebp-08] ("752094" per the author's trace)
:00473DA7 FF7344
push [ebx+44] // the three pieces to join: [ebx+44], the sum text, [ebx+48];
:00473DAA FF75F8
push [ebp-08] // the author reports the joined result as "8" + "752094" + "2" = "87520942"
:00473DAD FF7348
push [ebx+48]
:00473DB0 8D45F8
lea eax, dword ptr [ebp-08] // eax = address of the result variable
:00473DB3 BA03000000 mov edx,
00000003 // edx = 3 = number of pieces just pushed (the loop count in excerpt 3)
:00473DB8 E86300F9FF call 00403E20
// string-joining routine, shown as excerpt 3
:00473DBD 8D434C
lea eax, dword ptr [ebx+4C] // excerpt ends here; excerpt 1 later reads the key back from object+4C
== 3 ==
// Excerpt 3: the routine at 00403E20, called from 00473DB8 with eax = address of the result
// string variable and edx = number of string pieces pushed on the stack (3 here). The routine is
// complete: it leaves through the jmp eax at 00403E6A; the ret at 00403E6C is not reached on this path.
:00403E20 53
push ebx
:00403E21 56
push esi
:00403E22 52
push edx // saved piece count
:00403E23 50
push eax // saved result-variable address
:00403E24 89D3
mov ebx, edx // ebx = piece count, for the second loop
:00403E26 31C0
xor eax, eax // eax = total length, starts at 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403E34(C)
|
:00403E28 8B4C9410 mov
ecx, dword ptr [esp+4*edx+10] ----- // ecx = one of the pushed pieces (edx indexes the stack arguments above the return address)
:00403E2C 85C9
test ecx, ecx
|
:00403E2E 7403
je 00403E33 // a nil piece contributes nothing
|
:00403E30 0341FC
add eax, dword ptr [ecx-04] |first loop, 3 passes: sums the value stored 4 bytes
|before each piece's data (its length, presumably);
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|the pieces are "8", "752094" and "2" (author's trace)
|:00403E2E(C)
|
|
|
:00403E33 4A
dec edx // one piece fewer |
:00403E34 75F2
jne 00403E28 -----------------------
:00403E36 E869FDFFFF call 00403BA4 // eax = total length in; eax is then used as the write cursor below, so this looks like an allocation — confirm
:00403E3B 50
push eax // keep the new buffer
:00403E3C 89C6
mov esi, eax // esi = write cursor
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403E53(C)
|
:00403E3E 8B449C14 mov
eax, dword ptr [esp+4*ebx+14] ------------- // eax = the ebx-th piece (offsets shifted by 4 because of the push above)
:00403E42 89F2
mov edx, esi // edx = write cursor
|
:00403E44 85C0
test eax, eax
|
:00403E46 740A
je 00403E52
|
:00403E48 8B48FC
mov ecx, dword ptr [eax-04] // ecx = piece length
|
:00403E4B 01CE
add esi, ecx // advance the cursor past this piece
|second loop, 3 passes. The author labels this call
:00403E4D E8F6EAFFFF call 00402948
|"check the registration-code format"; with eax = piece, edx = destination, ecx = length it looks like a byte copy into the new buffer — confirm
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|
|:00403E46(C)
|
|
|
:00403E52 4B
dec ebx // one piece fewer
|
:00403E53 75E9
jne 00403E3E-----------------------------------
:00403E55 5A
pop edx // edx = new buffer
:00403E56 58
pop eax // eax = address of the result variable
:00403E57 85D2
test edx, edx
:00403E59 7403
je 00403E5E
:00403E5B FF4AF8
dec [edx-08] // decrements a counter 8 bytes before the buffer (presumably a reference count — confirm)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403E59(C)
|
:00403E5E E8D1FCFFFF call 00403B34 // store the buffer into the result variable (same helper as at 00473D6C)
// author: at this point the correct registration code ("87520942") has been generated
:00403E63 5A
pop edx // edx = original piece count
:00403E64 5E
pop esi
:00403E65 5B
pop ebx
:00403E66 58
pop eax // eax = return address
:00403E67 8D2494
lea esp, dword ptr [esp+4*edx] // drop the edx pushed string arguments (callee cleanup)
:00403E6A FFE0
jmp eax // return to the caller
:00403E6C C3
ret // not reached on this path
算法总结:
1、软件取你的硬盘序列号并转换成十六进制,然后在中间加上"-",作为你的注册序列号(此步可忽略);
2、将你的注册序列号转换成小写并与用户名组成一个字符串;
3、将字符串的每个字符都转换成 ASCII ,并逐个循环与 57791 相加并将每次的值累加,循环次数是字符串长度加一(第一次循环取到的字节为 0),所以初次循环的累加值为 57791,直到取完所有字符为止,如以"1d6d-17e5CCG"为例,计算公式为:57791+(49+57791)+(100+57791)+(54+57791)+(100+57791)+(45+57791)+(49+57791)+(55+57791)+(101+57791)+(53+57791)+(67+57791)+(67+57791)+(71+57791)=(49+100+54+100+45+49+55+101+53+67+67+71)+(13*57791)=752094
4、最后,再在752094前后分别加上8、2,变成 87520942 ,就是正确的注册码了。
是不是好弱智???注册机就有劳伪装者[CCG]教大家如何写了,还有我,呵……
- 标 题:小李注册表大师 v1.41 注册算法分析--献给 LILITH 和解密算法初学者 (10千字)
- 作 者:PaulYoung[CCG]
- 时 间:2001-11-9 19:09:59
- 链 接:http://bbs.pediy.com