URL Address Book V6.05简单算法分析+VB注册机源代码
软件名称:URL Address Book V6.05
软件介绍 :好用的书签及E-MAIL通讯录整理工具,它可将书签及E-MAIL名单建立成一个个的文件,且每个文件还可分门别类,可预设任何种浏览器、当您使用书签时只需点选书签即可打开浏览器浏览网站或打开E-MAIL、管理上相当方便、尤其在分类、移动、编辑皆相当的容易管理,当然它也可将正在浏览的网站直接加入。启动时会常驻于System Tray上、点选一下即可打开使用。
下载地址:http://www.skycn.com/soft/4393.html
破解人:BurSH (于2003.7.16)
所属组织:FCG-CCG-BCG-OCN-DFCG
破解工具:OllDbg 1.09c
如何寻找关键点,大家可以去看you_known在网吧通宵的时候写的《URL Address Book V6.05破解过程》,贴在了FCG论坛(新论坛www.51itcool.com/fcg,大家多多捧场^_^!).这篇算法分析算帮他补完整哈!:-)
========================
直接进入关键Call吧:
========================
0048A834 /$ 55 PUSH EBP
0048A835 |. 8BEC MOV EBP,ESP
0048A837 |. 83C4 E4 ADD ESP,-1C
0048A83A |. 53 PUSH EBX
0048A83B |. 56 PUSH ESI
0048A83C |. 57 PUSH EDI
0048A83D |. 33DB XOR EBX,EBX
0048A83F |. 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX
0048A842 |. 895D F4 MOV DWORD PTR SS:[EBP-C],EBX
0048A845 |. 8BF9 MOV EDI,ECX
0048A847 |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX //将用户名放入SS:[EBP-4]
0048A84A |. 8BF0 MOV ESI,EAX
0048A84C |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048A84F |. E8 4C98F7FF CALL URLBOOK.004040A0
0048A854 |. 33C0 XOR EAX,EAX
0048A856 |. 55 PUSH EBP
0048A857 |. 68 59A94800 PUSH URLBOOK.0048A959
0048A85C |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0048A85F |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0048A862 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048A865 |. E8 8296F7FF CALL URLBOOK.00403EEC
0048A86A |. 3B86 C8000000 CMP EAX,DWORD PTR DS:[ESI+C8] //用户名不能大于30位
0048A870 |. 7F 10 JG SHORT URLBOOK.0048A882
0048A872 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048A875 |. E8 7296F7FF CALL URLBOOK.00403EEC
0048A87A |. 3B86 CC000000 CMP EAX,DWORD PTR DS:[ESI+CC] //用户名必须大于等于3位
0048A880 |. 7D 0C JGE SHORT URLBOOK.0048A88E
0048A882 |> 8BC7 MOV EAX,EDI
0048A884 |. E8 E393F7FF CALL URLBOOK.00403C6C
0048A889 |. E9 A5000000 JMP URLBOOK.0048A933
0048A88E |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048A891 |. E8 5696F7FF CALL URLBOOK.00403EEC
0048A896 |. 8BD8 MOV EBX,EAX //将用户名位数放入EBX
0048A898 |. EB 37 JMP SHORT URLBOOK.0048A8D1
0048A89A |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] //将用户名得ASCII码移入EAX
0048A89D |. 4B |DEC EBX //计数器EBX减一
0048A89E |. 3B58 FC |CMP EBX,DWORD PTR DS:[EAX-4] //EBX小于用户名位数就跳
0048A8A1 |. 72 05 |JB SHORT URLBOOK.0048A8A8
0048A8A3 |. E8 9C85F7FF |CALL URLBOOK.00402E44
0048A8A8 |> 43 |INC EBX //计数器EBX加一
0048A8A9 |. 0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] //从右往左取用户名
0048A8AE |. 50 |PUSH EAX
0048A8AF |. 8B86 14010000 |MOV EAX,DWORD PTR DS:[ESI+114]//EAX=&H54639
0048A8B5 |. 5A |POP EDX
0048A8B6 |. 8BCA |MOV ECX,EDX //将用户名得ASCII码移入ECX
0048A8B8 |. 99 |CDQ
0048A8B9 |. F7F9 |IDIV ECX //EAX除以ECX,余数放入EDX
0048A8BB |. 8BC2 |MOV EAX,EDX //将余数转移到EAX
0048A8BD |. 8D55 E4 |LEA EDX,DWORD PTR SS:[EBP-1C]
0048A8C0 |. E8 C7E7F7FF |CALL URLBOOK.0040908C //依次将EAX的值从十六进制转换为十进制,并与上次得到的结果连起来放到SS:[EBP-C]指向的地址!结果设为SN_TEMP!
0048A8C5 |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
0048A8C8 |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C] //注意SS:[EBP-C]指向的地址!
0048A8CB |. E8 2496F7FF |CALL URLBOOK.00403EF4
0048A8D0 |. 4B |DEC EBX //计数器减一
0048A8D1 |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0048A8D4 |. E8 1396F7FF |CALL URLBOOK.00403EEC
0048A8D9 |. 83E8 06 |SUB EAX,6
0048A8DC |. 3BD8 |CMP EBX,EAX //只计算六位的用户名
0048A8DE |. 7C 04 |JL SHORT URLBOOK.0048A8E4
0048A8E0 |. 85DB |TEST EBX,EBX //全部用户名都计算完了?
0048A8E2 |.^ 7F B6 \JG SHORT URLBOOK.0048A89A
0048A8E4 |> 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0048A8E7 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0048A8EA |. E8 D9ABF7FF CALL URLBOOK.004054C8 //将前面得到的SN_TEMP转换为十六进制,放入EAX!设EAX值为SN_TEMP2!
0048A8EF |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
0048A8F2 |. 8955 EC MOV DWORD PTR SS:[EBP-14],EDX
0048A8F5 |. 8B5E 3C MOV EBX,DWORD PTR DS:[ESI+3C]
0048A8F8 |. 85DB TEST EBX,EBX
0048A8FA |. 7F 11 JG SHORT URLBOOK.0048A90D
0048A8FC |. FF75 EC PUSH DWORD PTR SS:[EBP-14]
0048A8FF |. FF75 E8 PUSH DWORD PTR SS:[EBP-18]
0048A902 |. 8BD7 MOV EDX,EDI
0048A904 |. 33C0 XOR EAX,EAX
0048A906 |. E8 E5E7F7FF CALL URLBOOK.004090F0
0048A90B |. EB 26 JMP SHORT URLBOOK.0048A933
0048A90D |> FF75 EC PUSH DWORD PTR SS:[EBP-14]
0048A910 |. FF75 E8 PUSH DWORD PTR SS:[EBP-18]
0048A913 |. 8BD7 MOV EDX,EDI
0048A915 |. 8BC3 MOV EAX,EBX
0048A917 |. E8 D4E7F7FF CALL URLBOOK.004090F0 //将SN_TEMP2转换为字符型,不足12位前面补零!
0048A91C |. 8B07 MOV EAX,DWORD PTR DS:[EDI] //将结果放入EAX!结果设为SN_TEMP3
0048A91E |. E8 C995F7FF CALL URLBOOK.00403EEC
0048A923 |. 8BC8 MOV ECX,EAX
0048A925 |. 2B4E 3C SUB ECX,DWORD PTR DS:[ESI+3C]
0048A928 |. 8B56 3C MOV EDX,DWORD PTR DS:[ESI+3C]
0048A92B |. 42 INC EDX
0048A92C |. 8BC7 MOV EAX,EDI
0048A92E |. E8 0198F7FF CALL URLBOOK.00404134 //如果SN_TEMP3大于12位就只取前12位!
0048A933 |> 33C0 XOR EAX,EAX //这里D EAX就是正确的注册码!^0^!
0048A935 |. 5A POP EDX
0048A936 |. 59 POP ECX
0048A937 |. 59 POP ECX
0048A938 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0048A93B |. 68 60A94800 PUSH URLBOOK.0048A960
0048A940 |> 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0048A943 |. E8 2493F7FF CALL URLBOOK.00403C6C
0048A948 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0048A94B |. E8 1C93F7FF CALL URLBOOK.00403C6C
0048A950 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0048A953 |. E8 1493F7FF CALL URLBOOK.00403C6C
0048A958 \. C3 RETN
0048A959 .^ E9 068DF7FF JMP URLBOOK.00403664
0048A95E .^ EB E0 JMP SHORT URLBOOK.0048A940
0048A960 . 5F POP EDI
0048A961 . 5E POP ESI
0048A962 . 5B POP EBX
0048A963 . 8BE5 MOV ESP,EBP
0048A965 . 5D POP EBP
0048A966 . C3 RETN
=============
总 结
=============
举个例,比如BurSH这个用户名:
B u r S H
从右往左取Ascii码(如果用户名大于6位只取后六位) 72 83 114 117 66
54639 Mod 每一位 57 45 9 39 15
把这几个数连起来 574593915
转换成十六进制的 223F9B7B
若不足12位前面补零,若大于则只取前12位 0000223F9B7B
0000223F9B7B就是正确的注册码了,很简单吧?*^_^*
==========================
附上VB注册机源码
==========================
'这个"大数转换成十六进制"的代码是PowerBoy给我的,谢谢!没有他给我这段代码,我写不出这个注册机:P
'但是如果数太大,比如18463581274745还是无法转换成十六进制,虽然这种情况很少见,但是毕竟不完美:(
'请各位指点一下,VB中如何处理大数.Aming的代码没有注释,偶看得糊涂呀……>_<
Function Dec2Hex(InputData As Double) As String
Dim i As Double
Dim HexOut As String
Dim d1, d2, d3, d4 As Double
Dim s1, s2 As String
Dim j, k As Integer
d1 = InputData
Do While (d1 / 16) > 1
i = Int(d1 - Int(d1 / 16) * 16)
Select Case i
Case 0
s1 = "0"
Case 1
s1 = "1"
Case 2
s1 = "2"
Case 3
s1 = "3"
Case 4
s1 = "4"
Case 5
s1 = "5"
Case 6
s1 = "6"
Case 7
s1 = "7"
Case 8
s1 = "8"
Case 9
s1 = "9"
Case 10
s1 = "A"
Case 11
s1 = "B"
Case 12
s1 = "C"
Case 13
s1 = "D"
Case 14
s1 = "E"
Case 15
s1 = "F"
Case Else
GoTo n1
End Select
s2 = s2 + s1
d1 = Int(d1 / 16)
Loop
Select Case d1
Case 0
s1 = "0"
Case 1
s1 = "1"
Case 2
s1 = "2"
Case 3
s1 = "3"
Case 4
s1 = "4"
Case 5
s1 = "5"
Case 6
s1 = "6"
Case 7
s1 = "7"
Case 8
s1 = "8"
Case 9
s1 = "9"
Case 10
s1 = "A"
Case 11
s1 = "B"
Case 12
s1 = "C"
Case 13
s1 = "D"
Case 14
s1 = "E"
Case 15
s1 = "F"
Case Else
GoTo n1
End Select
s2 = s2 + s1
Dec2Hex = StrReverse(s2)
GoTo n2
n1:
Dec2Hex = "Error"
n2:
End Function
'下面是注册机
Private Sub CmdGenKey_Click(Index As Integer)
On Error Resume Next
Dim i As Long, j As Long, Name_len As Long
Dim sn_temp As String
Dim sn As String
Dim AscArray() As Byte
Dim bignum As Double
txtSerial.Text = ""
If txtUserName.Text = "" Then
txtSerial.Text = "请输入用户名!"
Exit Sub
End If
AscArray = StrConv(txtUserName.Text, vbFromUnicode)
Name_len = UBound(AscArray)
j = UBound(AscArray)
Select Case Name_len
Case 0 To 1
txtSerial.Text = "用户名必须大于两位!"
Exit Sub
Case Is > 30
txtSerial.Text = "用户名不能大于30位!"
Exit Sub
End Select
For i = 0 To Name_len
sn_temp = sn_temp & Trim(Str((345657 Mod AscArray(j))))
j = j - 1
If j < Name_len - 6 Then
Exit For
End If
Next i
bignum = Val(sn_temp)
sn = Dec2Hex(bignum)'这里用了PowerBoy的Dec2Hex()函数,再次说声谢谢!^_^!
If sn = "Error" Then
txtSerial.Text = "Invalid Licence!Plz use another one!"
Else
Do While Len(sn) < 12
sn = "0" & sn
Loop
txtSerial.Text = Left(sn, 12)
End If
End Sub