Software:EmEditor Version 3.29(English Edition)
http://www.emurasoft.com/
Tools:OllyDbg 1.09,W32Dasm 10,Win98Se
Cracker:lq7972[bruceyu13@sina.com]
Notes:我用它来代替Win98的记事本,有很强大的功能,不过需要注册。下面就来研究它的注册算法
用OllyDbg跟踪,用W32Dasm反汇编
载入->F9->查找字符"EmEditor"
有两处:0041AB4A和0041AC05,先在41AB4A下断点试试F2->F9,点About Registration中断,F7->F9,输入1711-7878-7972-9494,注册,拦住(运气好啊)
(为什么第一个是1711?-这是软件的要求,第一处必须是171X(0<X<=9);对第二处也...见后)
这里设定注册码格式为:S1-S2-S3-S4
:0041AB41 55 push ebp
;......
;这中间有一大段,是USER32.wsprintfA以及ADVAPI32.RegQueryValueExA;为了简洁和节省,略去
:0041ABAE 50 push eax
:0041ABAF E8E8A90000 call 0042559C ;【1】
:0041ABB4 EB02 jmp 0041ABB8
;......
;【1】
:0042559C 56 push esi
:0042559D 8B742408 mov esi, dword ptr [esp+08] ;S1
:004255A1 0FB706 movzx eax, word ptr [esi]
:004255A4 6A0A push 0000000A
:004255A6 99 cdq ;edx=0
:004255A7 59 pop ecx ;ecx=0x0a
:004255A8 F7F9 idiv ecx ;eax=eax\ecx(整数),edx为余数
:004255AA 3DAB000000 cmp eax, 000000AB ;ABh=171D
:004255AF 7405 je 004255B6 ;明白了为什么S1=171X
:004255B1 83C8FF or eax, FFFFFFFF
:004255B4 EB1E jmp 004255D4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004255AF(C)
:004255B6 57 push edi ;
:004255B7 668B7E06 mov di, word ptr [esi+06] ;S2
:004255BB 56 push esi
:004255BC E8D2FEFFFF call 00425493 ;【2】
:004255C1 83F801 cmp eax, 00000001 ;比较注册
:004255C4 750D jne 004255D3
:004255C6 33C0 xor eax, eax
:004255C8 663B7E06 cmp di, word ptr [esi+06]
:004255CC 0F94C0 sete al
:004255CF 8D4400FF lea eax, dword ptr [eax+eax-01]
:004255D3 5F pop edi
;【2】
:00425493 51 push ecx
:00425494 56 push esi
:00425495 8B74240C mov esi, dword ptr [esp+0C]
:00425499 668B4602 mov ax, word ptr [esi+02] ;S2
:0042549D 6683660600 and word ptr [esi+06], 0000
:004254A2 663D0F27 cmp ax, 270F ;270Fh=9999D
:004254A6 0F87E8000000 ja 00425594 ;不可能大于9999D(S2只有四位数,下同)
:004254AC 668B5604 mov dx, word ptr [esi+04] ;S3
:004254B0 6681FA0F27 cmp dx, 270F ;同上
:004254B5 0F87D9000000 ja 00425594
:004254BB 6685C0 test ax, ax
:004254BE 0F84CC000000 je 00425590
:004254C4 663DAE08 cmp ax, 08AE ;S2不能等于08AEh=2222D
:004254C8 0F84C2000000 je 00425590
:004254CE 663D2E16 cmp ax, 162E ;不能等于162Eh=5678D
:004254D2 0F84B8000000 je 00425590
:004254D8 663D1625 cmp ax, 2516 ;不能等于2516h=9494D
:004254DC 0F84AE000000 je 00425590
:004254E2 33C9 xor ecx, ecx
:004254E4 668B0E mov cx, word ptr [esi] ;S1
:004254E7 6681F9AE06 cmp cx, 06AE
:004254EC 894C2404 mov dword ptr [esp+04], ecx
:004254F0 0F849A000000 je 00425590 ;S1不能等于6AEh=1710D,这与以往版本不同;所以171X(0<X<=9)
:004254F6 663D2C0B cmp ax, 0B2C ;S2不能等于0B2Ch=2860D
:004254FA 0F8490000000 je 00425590
:00425500 663D801F cmp ax, 1F80 ;S2不能等于1F80h=8064D
:00425504 0F8486000000 je 00425590
:0042550A 53 push ebx
:0042550B 0FB7C0 movzx eax, ax
:0042550E 55 push ebp
:0042550F 57 push edi
:00425510 0FB7FA movzx edi, dx ;S3
:00425513 89442418 mov dword ptr [esp+18], eax ;S2
:00425517 6A64 push 00000064
:00425519 5B pop ebx ;ebx=64h
:0042551A 8BC7 mov eax, edi
:0042551C 99 cdq
:0042551D F7FB idiv ebx ;eax=eax\ebx(整数),edx为余数
:0042551F 6A0A push 0000000A
:00425521 5D pop ebp ;ebp=0Ah
:00425522 0FB7C9 movzx ecx, cx ;S1
:00425525 6A64 push 00000064
:00425527 8BD8 mov ebx, eax
:00425529 8BC1 mov eax, ecx
:0042552B 99 cdq
:0042552C F7FD idiv ebp ;eax=eax\ebp(整数),edx为余数
:0042552E 8B54241C mov edx, dword ptr [esp+1C] ;S2
:00425532 03D3 add edx, ebx ;edx=S2+S3\64h
:00425534 03C2 add eax, edx ;eax=edx+S1\0Ah
:00425536 03C7 add eax, edi ;eax=eax+S3
:00425538 99 cdq
:00425539 5F pop edi ;edi=64h
:0042553A F7FF idiv edi ;eax=eax\edi(整数),edx为余数
:0042553C 8B442418 mov eax, dword ptr [esp+18] ;S2
:00425540 6A64 push 00000064
:00425542 5B pop ebx
:00425543 6A64 push 00000064
:00425545 5D pop ebp
:00425546 55 push ebp
:00425547 668B3C95308B4400 mov di, word ptr [4*edx+00448B30];【3】从密码表中取出(edx)位置的值
:0042554F 99 cdq
:00425550 666BFF64 imul di, 0064 ;di=di*64h
:00425554 F7FB idiv ebx ;eax=eax\ebx(整数),edx为余数
:00425556 8BD8 mov ebx, eax
:00425558 8BC1 mov eax, ecx ;S1
:0042555A 99 cdq
:0042555B F7FD idiv ebp ;eax=eax\ebp(整数),edx为余数
:0042555D 03CB add ecx, ebx ;ecx=S1+ebx
:0042555F 03C1 add eax, ecx ;eax=ecx+eax
:00425561 59 pop ecx ;ecx=64h
:00425562 99 cdq
:00425563 F7F9 idiv ecx ;eax=eax\ecx(整数),edx为余数
:00425565 66033C95308B4400 add di, word ptr [4*edx+00448B30];【3】从密码表中取出(edx)位置的值
:0042556D 66817C2410B306 cmp word ptr [esp+10], 06B3 ;S1与1715D比较,是就注册为"Academic Use",什么意思—无意义的用户!
:00425574 66897E06 mov word ptr [esi+06], di
:00425578 5F pop edi
:00425579 5D pop ebp
:0042557A 5B pop ebx
:0042557B 740E je 0042558B
:0042557D 66817C2404B206 cmp word ptr [esp+04], 06B2 ;S1与1714D比较,同上
:00425584 7405 je 0042558B
:00425586 33C0 xor eax, eax
:00425588 40 inc eax
:00425589 EB0C jmp 00425597
;......
;【3】
00448B30 26 00 00 00 5B 00 00 00 &...[...
00448B38 62 00 00 00 36 00 00 00 b...6...
00448B40 34 00 00 00 60 00 00 00 4...`...
00448B48 13 00 00 00 35 00 00 00 ...5...
00448B50 19 00 00 00 54 00 00 00 ...T...
00448B58 3F 00 00 00 44 00 00 00 ?...D...
00448B60 4C 00 00 00 38 00 00 00 L...8...
00448B68 5D 00 00 00 33 00 00 00 ]...3...
00448B70 56 00 00 00 61 00 00 00 V...a...
00448B78 42 00 00 00 21 00 00 00 B...!...
00448B80 3E 00 00 00 2D 00 00 00 >...-...
00448B88 23 00 00 00 0E 00 00 00 #......
00448B90 1E 00 00 00 5F 00 00 00 ..._...
00448B98 57 00 00 00 12 00 00 00 W......
00448BA0 1B 00 00 00 17 00 00 00 ......
00448BA8 22 00 00 00 58 00 00 00 "...X...
00448BB0 2C 00 00 00 63 00 00 00 ,...c...
00448BB8 5C 00 00 00 18 00 00 00 \......
00448BC0 37 00 00 00 41 00 00 00 7...A...
00448BC8 59 00 00 00 4D 00 00 00 Y...M...
00448BD0 15 00 00 00 5A 00 00 00 ...Z...
00448BD8 53 00 00 00 0B 00 00 00 S...
...
00448BE0 05 00 00 00 1C 00 00 00 ......
00448BE8 10 00 00 00 2E 00 00 00 .......
00448BF0 49 00 00 00 40 00 00 00 I...@...
00448BF8 0D 00 00 00 07 00 00 00 .......
00448C00 50 00 00 00 3D 00 00 00 P...=...
00448C08 32 00 00 00 46 00 00 00 2...F...
00448C10 0A 00 00 00 43 00 00 00 ....C...
00448C18 2B 00 00 00 00 00 00 00 +.......
00448C20 3B 00 00 00 48 00 00 00 ;...H...
00448C28 5E 00 00 00 4E 00 00 00 ^...N...
00448C30 51 00 00 00 1F 00 00 00 Q......
00448C38 20 00 00 00 3A 00 00 00 ...:...
00448C40 01 00 00 00 2A 00 00 00 ...*...
00448C48 45 00 00 00 55 00 00 00 E...U...
00448C50 4A 00 00 00 02 00 00 00 J......
00448C58 52 00 00 00 27 00 00 00 R...'...
00448C60 03 00 00 00 4B 00 00 00 ...K...
00448C68 08 00 00 00 3C 00 00 00 ...<...
00448C70 0F 00 00 00 14 00 00 00 ......
00448C78 24 00 00 00 25 00 00 00 $...%...
00448C80 28 00 00 00 29 00 00 00 (...)...
00448C88 16 00 00 00 1D 00 00 00 ......
00448C90 1A 00 00 00 11 00 00 00 ......
00448C98 2F 00 00 00 39 00 00 00 /...9...
00448CA0 09 00 00 00 47 00 00 00 ....G...
00448CA8 06 00 00 00 4F 00 00 00 ...O...
00448CB0 04 00 00 00 31 00 00 00 ...1...
00448CB8 0C 00 00 00 30 00 00 00 ....0...
【总结】还是总结一下算法
S1<>1710、1714、1715
S2<>2222、5678、9494、2860、8064
S3任意;S4依次由前三组数字计算,然后从密码表中取出相应的字符的ASCII,最后连接:
[(s2+s3\100+s1\10+s3) mod 100]表中相应位置的值 & [(s1+s2\100+s1\100) mod 100]表中相应位置的值
【注册机】
下面给出【注册机】(VB6)
'//////////////////////////////////////////////////////
' The KeyGen by lq7972,with Vb6
' E-mail:bruceyu13@sina.com
' EmEditor V 3.29 KeyGen
'/////////////////////////////////////////////////////
'生成第四组
Private Sub Command1_Click()
' Click handler for the "generate" button: derives the fourth group (S4)
' from the three groups held in Text1..Text3, writes it to Text4 and then
' disables the button so it runs only once per form session.
Dim SnTab
Dim i, j
Dim S1, S2, S3, S4
' Lookup table; each entry is a hex value kept as a string literal
' ("&hNN"), so the arithmetic below relies on VB's implicit string-to-number coercion
SnTab = Array("&h26", "&h5B", "&h62", "&h36", "&h34", "&h66", "&h13", "&h35", "&h19", "&h54", "&h3F", "&h44", "&h4C", "&h38", "&h5D", "&h33", "&h56", "&h61", "&h42", "&h21", "&h3E", "&h2D", "&h23", "&h0E", "&h1E", "&h5F", "&h57", "&h12", "&h1B", "&h17", "&h22", "&h58", "&h2C", "&h63", "&h5C", "&h18", "&h27", "&h41", "&h59", "&h4D", "&h15", "&h5A", "&h53", "&h0B", "&h05", "&h1C", "&h10", "&h2E", "&h49", "&h40", "&hD", "&h07", "&h50", "&h3D", "&h32", "&h46", "&h0A", "&h43", "&h2B", "&h00", "&h3B", "&h48", "&h5E", "&h4E", "&h51", "&h1F", "&h20", "&h3A", "&h01", "&h2A", "&h45", "&h55", "&h4A", "&h02", "&h52", "&h27", "&h03", "&h4B", "&h08", "&h3C", "&h0F", "&h14", "&h24", "&h25", "&h28", "&h29", "&h16", "&h1D", "&h1A", "&h11", "&h2F", "&h39", "&h09", "&h47", "&h06", "&h4F", "&h04", "&h31", "&h0C", "&h30")
' Text1 holds only the last digit of S1; the leading "171" is fixed
S1 = "171" + Text1.Text
S2 = Text2.Text
S3 = Text3.Text
' Two table indexes; "\" is integer division, &HA = 10, &H64 = 100
i = ((CInt(S1) \ &HA) + CInt(S2) + (CInt(S3) \ &H64) + CInt(S3)) Mod &H64
j = (CInt(S1) + (CInt(S1) \ &H64) + (CInt(S2) \ &H64)) Mod &H64
' S4 = table(i) * 100 + table(j), produced as a number
S4 = SnTab(i) * &H64 + SnTab(j)
Text4.Text = S4
Command1.Enabled = False
End Sub
'退出
Private Sub Command2_Click()
' Exit button: terminates the program. The info box below is commented out.
'MsgBox "The KeyGen by lq7972,bruceyu13@sina.com", vbOKOnly, "Info"
End
End Sub
'第一组的第四位不能是0、4、5
Private Sub Text1_Change()
' Change handler for Text1 (the last digit of S1). Does nothing until
' exactly one character is present; then rejects "0", "4" and "5" and
' otherwise locks the field and moves focus to Text2.
If Len(Text1.Text) = 1 Then
If Text1.Text = "0" Then
GoTo Err
ElseIf Text1.Text = "4" Then
GoTo Err
ElseIf Text1.Text = "5" Then
GoTo Err
' The Err label lives inside the "5" branch; the "0" and "4" branches
' jump into it. Clearing the field re-enters this handler with Len = 0,
' which takes no action.
Err:
MsgBox "Sorry,The number wrong!" & vbCrLf & "They can't 1710、1714 & 1715", vbOKOnly, "Info"
Text1.Text = ""
Else
Text1.Enabled = False: Text2.SetFocus
End If
End If
End Sub
'第二组不能是2222、5678、9494、2860、8064
Private Sub Text2_Change()
' Change handler for Text2 (S2). Acts only once four characters are present:
' the five listed values are rejected and the field cleared; any other value
' locks the field and moves focus to Text3.
If Len(Text2.Text) = 4 Then
Select Case Text2.Text
Case "2222"
GoTo Err1
Case "5678"
GoTo Err1
Case "9494"
GoTo Err1
Case "2860"
GoTo Err1
Case "8064"
GoTo Err1
' Err1 sits inside the "8064" case; the earlier cases jump into it
Err1:
MsgBox "Sorry,The number wrong!", vbOKOnly, "Info"
Text2.Text = ""
Case Else
Text2.Enabled = False
Text3.SetFocus
End Select
End If
End Sub
'三组都填满了,就激活“生成”按钮
Private Sub Text3_Change()
' Change handler for Text3 (S3): once four characters are present, locks the
' field and enables the generate button (Command1).
If Len(Text3.Text) = 4 Then Text3.Enabled = False: Command1.Enabled = True
End Sub论坛和作者,注明转自