贴它的算法分析及注册机源码!
破解者:HMILY[CCG][BCG]
* Referenced by a (U)nconditional or (C)onditional
Jump at Address:
|:004042ED(C)
|
:004042D9 56
push esi
:004042DA
8BCF mov
ecx, edi
:004042DC E82F000000 call
00404310 ->注册码的计算,跟进去
:004042E1 83F8FE
cmp eax, FFFFFFFE
:004042E4 741A
je 00404300
:004042E6 3BC6
cmp eax, esi
:004042E8 7416
je 00404300
:004042EA 4E
dec esi
:004042EB 85F6
test esi, esi
:004042ED
7FEA jg 004042D9
:004042EF 6A00
push 00000000
:004042F1 6A40
push 00000040
* Possible StringData Ref from
Data Obj ->"注册码有误"
|
:004042F3 684C774000 push
0040774C
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:004042F8 E873050000
Call 00404870
:004042FD 5F
pop edi
:004042FE 5E
pop esi
:004042FF
C3 ret
=============================================================================================
上面还有,不重要!略………………
* Reference To: MFC42.Ordinal:0F21, Ord:0F21h
|
:00404392 E82F060000
Call 004049C6 ->计算从这里开始
:00404397
8B7C2468 mov edi, dword
ptr [esp+68]
:0040439B 33DB
xor ebx, ebx ->ebx清零,为计算做准备!
:0040439D
33C9 xor
ecx, ecx ->同上
:0040439F 8D04BF
lea eax, dword ptr [edi+4*edi] ->从trw中可看到edi=3;eax=3+3*4
:004043A2 8D0480 lea
eax, dword ptr [eax+4*eax] ->eax=eax+eax*4
:004043A5 8D3480
lea esi, dword ptr [eax+4*eax]
->esi=eax+eax*4
:004043A8 C1E602
shl esi, 02
->esi左移2;esi=esi<<2;
* Referenced
by a (U)nconditional or (C)onditional Jump at Address:
|:00404404(C)
|
:004043AB 0FBE440C50 movsx
eax, byte ptr [esp+ecx+50] ->取机器码第一组的第ecx+1位(ecx=0时即第一位)
:004043B0 03C6
add eax, esi
->eax=eax+esi
:004043B2
BD3E000000 mov ebp, 0000003E
->ebp=0x3E;
:004043B7
99 cdq
->cdq把eax符号扩展到edx:eax(此处eax为正数,所以edx=0)
:004043B8 F7FD
idiv ebp
->eax=eax/ebp,edx=eax%ebp
:004043BA 0FBE440C54 movsx
eax, byte ptr [esp+ecx+54] ->取机器码第二组的第ecx+1位(ecx=0时即第五位)
:004043BF 03C6
add eax, esi
->eax=eax+esi
:004043C1
8A92E4704000 mov dl, byte ptr [edx+004070E4]
->eax除以ebp得到的余数(edx)就是密码表中字符的下标
:004043C7 88540C30
mov byte ptr [esp+ecx+30], dl ->将取到的密码表中的字符保存
:004043CB 99
cdq
:004043CC F7FD
idiv ebp
| 算
:004043CE
8A82E4704000 mov al, byte ptr [edx+004070E4]
| 法
:004043D4 88440C38
mov byte ptr [esp+ecx+38], al
| 大
:004043D8 0FBE440C58 movsx
eax, byte ptr [esp+ecx+58] | 都
:004043DD 03C6
add eax, esi
|
相
:004043DF 99
cdq
| 同
:004043E0 F7FD
idiv ebp
| 看
:004043E2 0FBE440C5C
movsx eax, byte ptr [esp+ecx+5C] | 注
:004043E7
03C6 add
eax, esi
| 册
:004043E9 8A92E4704000
mov dl, byte ptr [edx+004070E4] | 机
:004043EF
88540C40 mov byte ptr [esp+ecx+40],
dl | 源
:004043F3 99
cdq
| 码
:004043F4 F7FD
idiv ebp
| 便知!
:004043F6 41
inc
ecx ->ecx++;
:004043F7 83F904
cmp ecx, 00000004 ->比较ecx是否为4
:004043FA 8A82E4704000
mov al, byte ptr [edx+004070E4]
:00404400
88440C47 mov byte ptr [esp+ecx+47],
al
:00404404 7CA5
jl 004043AB ->如果ecx<4则跳回去继续循环
=============================================================================================
* Reference To: MSVCRT.rand, Ord:02A6h
|
:00402758 FF15A8524000 Call dword
ptr [004052A8]
:0040275E 8BD0
mov edx, eax
:00402760 83C9FF
or ecx, FFFFFFFF
:00402763 0FAFD3
imul edx, ebx
:00402766
0FAFD7 imul edx,
edi
* Possible StringData Ref from Data Obj ->"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJ"
->"KLMNOPQRSTUVWXYZ"
->密码表
|
:00402769 BFE4704000
mov edi, 004070E4
:0040276E
33C0 xor
eax, eax
:00402770 F2
repnz
:00402771 AE
scasb
:00402772 F7D1
not ecx
:00402774 8BC2
mov eax,
edx
:00402776 49
dec ecx
:00402777 33D2
xor edx, edx
:00402779 F7F1
div ecx
:0040277B 46
inc esi
:0040277C
83FE10 cmp esi,
00000010
:0040277F 8A82E4704000 mov
al, byte ptr [edx+004070E4]
:00402785 88442EFF
mov byte ptr [esi+ebp-01], al
:00402789 7CB2
jl 0040273D
:0040278B
8D4C2410 lea ecx, dword
ptr [esp+10]
:0040278F 51
push ecx
* Possible StringData Ref from Data
Obj ->"Software\Microsoft\BLUEReg"
|
:00402790 6820724000 push
00407220
:00402795 6802000080 push
80000002
==============================================================================================
以下为c++ builder 6.0的注册机源码!win98 SE、c++ builder 6.0下调试通过!
#include <vcl.h>
#pragma hdrstop
#include "KeygenBox.h"
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
// Pointer to the form object; it is assigned outside this listing.
Tform1 *form1;

// 62-entry lookup table: digits, then lowercase, then uppercase letters.
// It has the same contents as the string the disassembly shows at 004070E4.
char key[] = {
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
    'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
    'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'
};

// Input text and the four output groups.
String name;
String S1;
String S2;
String S3;
String S4;

// a: input length; b: 1-based character index (starts at 1); ebp: modulus.
int a;
int b = 1;
int ebp;

// Working values named after the registers in the disassembly, plus the
// per-group table indices e1..e4.
unsigned long esi;
unsigned long ea;
unsigned long eb;
unsigned long e1;
unsigned long e2;
unsigned long e3;
unsigned long e4;

// The table character selected for each of the four groups.
char code1;
char code2;
char code3;
char code4;
//---------------------------------------------------------------------------
// Click handler for the OK button: validates the machine code typed into
// UEdit, maps its characters 1..16 through the `key` table in four groups of
// four, and writes the groups joined by "-" into CEdit.
//
// Each output character is key[(name[b] + 1500) % 62]; the offset and the
// modulus are recomputed as constants on every pass (ea=15, eb=75,
// esi=375<<2=1500, ebp=62).
//
// NOTE(review): nothing in this mapping is secret - the table and the offset
// are fixed values - so a check built on it can be recomputed by anyone who
// reads the validation routine. A check meant to resist that would verify a
// signature against an embedded public key instead of re-deriving the
// expected value from the input.
//
// NOTE(review): `b` is a file-scope variable initialised to 1 only once and is
// not reset before the first loop; after a completed run it holds 17, so a
// later click skips the first loop. CEdit is likewise not cleared before the
// first group is appended to it.
void __fastcall Tform1::OKBtnClick(TObject *Sender)
{
// Empty input: report it in Label2 and stop.
if(UEdit->Text=="")
{Label2->Caption="未输入机器码!";return;}
if(UEdit->Text!="")
{
name=UEdit->Text;
a=UEdit->Text.Length();
// Fewer than 16 characters cannot fill four groups of four.
if(a<16) {Label2->Caption="输入的机器码不正确";return;}
else
{
// Group 1: indices b..4 of the input (String indexing here is 1-based).
while(b<=4)
{
ea=3+3*4;
eb=ea+ea*4;
esi=(eb+eb*4)<<2;ebp=62;
e1=(name[b]+esi)%ebp;code1=key[e1];
b++;
// CEdit is used as the accumulator for the group being built.
CEdit->Text=CEdit->Text+code1;
}
S1=CEdit->Text;CEdit->Clear();
// Group 2: indices 5..8, same mapping.
b=5;
while(b<=8)
{
ea=3+3*4;
eb=ea+ea*4;
esi=(eb+eb*4)<<2;ebp=62;
e2=(name[b]+esi)%ebp;code2=key[e2];
b++;
CEdit->Text=CEdit->Text+code2;
}
S2=CEdit->Text;CEdit->Clear();
// Group 3: indices 9..12, same mapping.
b=9;
while(b<=12)
{
ea=3+3*4;
eb=ea+ea*4;
esi=(eb+eb*4)<<2;ebp=62;
e3=(name[b]+esi)%ebp;code3=key[e3];
b++;
CEdit->Text=CEdit->Text+code3;
}
S3=CEdit->Text;CEdit->Clear();
// Group 4: indices 13..16, same mapping.
b=13;
while(b<=16)
{
ea=3+3*4;
eb=ea+ea*4;
esi=(eb+eb*4)<<2;ebp=62;
e4=(name[b]+esi)%ebp;code4=key[e4];
b++;
CEdit->Text=CEdit->Text+code4;
}
S4=CEdit->Text;CEdit->Clear();
// Final output: the four groups joined with "-".
CEdit->Text=CEdit->Text+S1+"-"+S2+"-"+S3+"-"+S4;
// Plays the in-memory sound referenced by cuWavHandle (declared outside this
// listing); SND_SYNC makes the call return only after playback ends.
sndPlaySound(cuWavHandle,SND_MEMORY|SND_SYNC);
Label2->Caption="已经完成计算!";
}
}
}
//-----------------------------------------------------------------------------
- 标 题:语音界面2.0
- 作 者:HMILYBCG
- 时 间:2003/02/16 01:35pm
- 链 接:http://bbs.pediy.com