网页先锋 V1.5算法分析+TC2源码
下载地址:http://www.downloadsky.com/soft/12579.html
注册名:leexoyo
假码:87654321(d)---5397FB1(h)
注册码:7682353(d)---753931(h)
软件 Delphi编写,无壳,反汇编很容易找到关键,而且因为是免费注册,所以反汇编后可以看到作者预留的注册码,^_^,我们的目的是看算法,所以继续喽。。。
:00476D88 64FF30
push dword ptr fs:[eax]
:00476D8B 648920 mov
dword ptr fs:[eax], esp
:00476D8E 8D55FC lea
edx, dword ptr [ebp-04]
:00476D91 8B83A4030000 mov eax, dword
ptr [ebx+000003A4]
:00476D97 E8540AFCFF call
004377F0
:00476D9C 837DFC00 cmp
dword ptr [ebp-04], 00000000 //注册码是否输入
:00476DA0 750C
jne 00476DAE //没输?over
* Possible StringData Ref from
Code Obj ->"注册码不正确,无法注册"
|
:00476DA2 B8F86D4700 mov eax,
00476DF8
:00476DA7 E848A5FBFF call
004312F4
:00476DAC EB1E
jmp 00476DCC
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00476DA0(C)
|
:00476DAE 8BC3
mov eax, ebx
:00476DB0 E87FFCFFFF call
00476A34 //关键call
:00476DB5 84C0
test al, al
:00476DB7 7409
je 00476DC2 //跳则over,74->75则爆破成功!重启注册成功,说明在注册表里留下了标志位,呵呵~~,看算法那就跟进上面的关键call啦。
:00476DB9 8BC3
mov eax, ebx
:00476DBB E8DCF9FFFF call
0047679C
:00476DC0 EB0A
jmp 00476DCC
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00476DB7(C)
|
* Possible StringData Ref from
Code Obj ->"注册码不正确,无法注册"
|
:00476DC2 B8F86D4700 mov eax,
00476DF8
:00476DC7 E828A5FBFF call
004312F4
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:00476D50(C), :00476DAC(U), :00476DC0(U)
|
:00476DCC 33C0
xor eax, eax
***********************************************************
跟进476DB0 E87FFCFFFF call 00476A34此call:
:00476A34 55
push ebp
:00476A35 8BEC
mov ebp, esp
:00476A37 83C4E8 add
esp, FFFFFFE8
:00476A3A 53
push ebx
:00476A3B 56
push esi
:00476A3C 33D2
xor edx, edx
:00476A3E 8955E8 mov
dword ptr [ebp-18], edx
:00476A41 8955EC mov
dword ptr [ebp-14], edx
:00476A44 8955F4 mov
dword ptr [ebp-0C], edx
:00476A47 8945FC mov
dword ptr [ebp-04], eax
:00476A4A 33C0
xor eax, eax
:00476A4C 55
push ebp
:00476A4D 681A6B4700 push
00476B1A
:00476A52 64FF30 push
dword ptr fs:[eax]
:00476A55 648920 mov
dword ptr fs:[eax], esp
:00476A58 BBE7EA0B00 mov ebx,
000BEAE7 //ebx=0xBEAE7
:00476A5D 8D55F4 lea
edx, dword ptr [ebp-0C]
:00476A60 8B45FC mov
eax, dword ptr [ebp-04]
:00476A63 8B80A0030000 mov eax, dword
ptr [eax+000003A0]
:00476A69 E8820DFCFF call
004377F0
:00476A6E 8B45F4 mov
eax, dword ptr [ebp-0C] //eax=leexoyo
:00476A71 E8A2DAF8FF call
00404518 //取得注册名的长度(按字节计,一个汉字占2个字节)
:00476A76 8BF0
mov esi, eax //esi=eax=7
:00476A78 85F6
test esi, esi
:00476A7A 7E3E
jle 00476ABA
:00476A7C C745F001000000 mov [ebp-10], 00000001
//[ebp-10]置1
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00476AB8(C)
|
:00476A83 8D45EC lea
eax, dword ptr [ebp-14]
:00476A86 50
push eax
:00476A87 B901000000 mov ecx,
00000001 //ecx置1
:00476A8C 8B55F0 mov
edx, dword ptr [ebp-10] //edx置1
:00476A8F 8B45F4 mov
eax, dword ptr [ebp-0C] //eax=leexoyo
:00476A92 E8D9DCF8FF call
00404770
:00476A97 8B45EC mov
eax, dword ptr [ebp-14]
:00476A9A E871DCF8FF call
00404710
:00476A9F 8A00
mov al, byte ptr [eax] //依次取用户名字符的hex值送al:6C,65,65,78,6F,79,6F
:00476AA1 25FF000000 and eax,
000000FF
:00476AA6 69C0821E0000 imul eax,
00001E82 //eax=eax*1E82=
1、6C*1E82=CDED8
2、65*1E82=C094A
3、65*1E82=C094A
4、78*1E82=E4CF0
5、6F*1E82=D3A5E
6、79*1E82=E6B72
7、6F*1E82=D3A5E
:00476AAC 03D8
add ebx, eax //ebx=ebx+eax=
1、BEAE7+CDED8=18C9BF
2、1AABFF+C094A=26B549
3、289789+C094A=34A0D3
4、368313+E4CF0=44D003
5、46B243+D3A5E=53ECA1
6、55CEE1+E6B72=643A53
7、661C93+D3A5E=7356F1
:00476AAE 81C340E20100 add ebx, 0001E240
//ebx=ebx+0x1E240=
1、1AABFF
2、289789
3、368313
4、46B243
5、55CEE1
6、661C93
7、753931
:00476AB4 FF45F0 inc
[ebp-10] //计数器[ebp-10]加1
:00476AB7 4E
dec esi //计数器esi减1
:00476AB8 75C9
jne 00476A83 //不为0跳回循环
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00476A7A(C)
|
:00476ABA 8D55E8 lea
edx, dword ptr [ebp-18]
:00476ABD 8B45FC mov
eax, dword ptr [ebp-04]
:00476AC0 8B80A4030000 mov eax, dword
ptr [eax+000003A4]
:00476AC6 E8250DFCFF call
004377F0
:00476ACB 8B45E8 mov
eax, dword ptr [ebp-18] //eax=87654321
:00476ACE E89D1BF9FF call
00408670 //把输入的假码字符串按10进制转换成整数(87654321 即 5397FB1h)
:00476AD3 3BD8
cmp ebx, eax //关键比较,eax假码,ebx真码
:00476AD5 7519
jne 00476AF0 //不等则跳
:00476AD7 C645FB01 mov
[ebp-05], 01 //[ebp-05]=1
:00476ADB B8C47C4800 mov eax,
00487CC4
:00476AE0 8B55F4 mov
edx, dword ptr [ebp-0C]
:00476AE3 E8CCD7F8FF call
004042B4
:00476AE8 891DC87C4800 mov dword
ptr [00487CC8], ebx
:00476AEE EB04
jmp 00476AF4
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00476AD5(C)
|
:00476AF0 C645FB00 mov
[ebp-05], 00 //[ebp-05]=0
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00476AEE(U)
|
:00476AF4 33C0
xor eax, eax
:00476AF6 5A
pop edx
:00476AF7 59
pop ecx
:00476AF8 59
pop ecx
:00476AF9 648910 mov
dword ptr fs:[eax], edx
:00476AFC 68216B4700 push
00476B21
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:00476B1F(U)
|
:00476B01 8D45E8 lea
eax, dword ptr [ebp-18]
:00476B04 E857D7F8FF call
00404260
:00476B09 8D45EC lea
eax, dword ptr [ebp-14]
:00476B0C E84FD7F8FF call
00404260
:00476B11 8D45F4 lea
eax, dword ptr [ebp-0C]
:00476B14 E847D7F8FF call
00404260
:00476B19 C3
ret
:00476B1A E969D1F8FF
jmp 00403C88
:00476B1F EBE0
jmp 00476B01
:00476B21 8A45FB mov
al, byte ptr [ebp-05] //al是标志位,注册成功置1,否则置0
:00476B24 5E
pop esi
:00476B25 5B
pop ebx
:00476B26 8BE5
mov esp, ebp
:00476B28 5D
pop ebp
:00476B29 C3
ret
*******************************************************
算法总结:(涉及数值都为16进制)
(注册名各字节hex值的累加值)*1E82+1E240*注册名的字节数+BEAE7,结果再换成10进制,就是注册码啦,^_^
注册名:李逍遥(按GBK编码共6个字节:C0 EE E5 D0 D2 A3,累加得4D8)
注册码=4D8*1E82+1E240*6+BEAE7=93C5B0+B4D80+BEAE7=AAFE17=11206167(d)
*****************************************************
REGEDIT4
[HKEY_USERS\.DEFAULT\Software\Ldx]
"Name"=""
"Pass"=dword:00000000 <=====注册成功后的标志位
********************************************************
TC2源码,支持中文名注册:
#include<stdio.h>
/*
 * Recomputes, for a name typed on stdin, the value that the routine at
 * 00476A34 in the listing above accumulates in ebx and compares against the
 * entered code.
 *
 *   sn = (sum of the name's bytes) * 7810 + 123456 * (number of bytes) + 781031
 *
 * The decimal constants are the hex values seen in the disassembly:
 *   7810 = 0x1E82 (imul), 123456 = 0x1E240 (add per byte), 781031 = 0xBEAE7
 *   (initial ebx).
 *
 * The result depends only on the byte sum and the byte count of the name and
 * involves no secret: two names with the same sum and length yield the same
 * value, and the whole check runs locally in the client.
 *
 * Written for Turbo C 2: implicit-int main, and clrscr()/getch() are used
 * without including <conio.h>, so they rely on implicit declarations.
 */
main()
{
int n=0;             /* number of bytes read from the name */
unsigned char c;     /* current input byte (0..255, matching `and eax, FF`) */
unsigned long i,sn=0; /* i: running sum of bytes; sn: computed value */
clrscr();
printf("\n\n网页先锋 V1.5 注册机 by *李逍遥[cschina]*\n\n***********网址:www.cschina.org***********\n\n**********Email:leexoyo@cschina.org*********\n\n请输入你的注册名:");
/* Read up to the newline, adding each byte to i and counting it in n.
 * Multi-byte (e.g. Chinese) names are handled byte by byte, as in the
 * disassembled loop.
 * NOTE(review): getchar() returns int but is stored in an unsigned char, so
 * EOF cannot be detected; the loop does not end if input closes before a
 * newline arrives. */
for(i=0;(c=getchar())!='\n';i+=c,n++);
/* Closed form of the per-byte loop; arithmetic is done in unsigned long. */
sn=i*7810+123456*n+781031;
printf(" 你的注册码:%lu",sn);
printf("\n\nGood Luck !!!");
getch();             /* wait for a key press before the window closes */
}
李逍遥[cschina]
2003.07.04