公文写作助手 V2.0注册算法分析
『软件名称』: 公文写作助手 V2.0
『下载地址』: http://yncnc.onlinedown.net/soft/4957.htm
『破解声明』:初学Crack,只是感兴趣,,失误之处敬请诸位大侠赐教!
『破解工具』:OllyDbg.V1.10 聆风听雨汉化第二版、PeID 0.93,Dede 3.50
『破解过程』:
.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>..
00478750 /. 55 push ebp
00478751 |. 8BEC mov ebp,esp ; 下断
00478753 |. 6A 00 push 0
00478755 |. 6A 00 push 0
00478757 |. 53 push ebx
00478758 |. 8BD8 mov ebx,eax
0047875A |. 33C0 xor eax,eax
0047875C |. 55 push ebp
0047875D |. 68 F6874700 push 999.004787F6
00478762 |. 64:FF30 push dword ptr fs:[eax]
00478765 |. 64:8920 mov dword ptr fs:[eax],esp
00478768 |. 8BC3 mov eax,ebx
0047876A |. 8B10 mov edx,dword ptr ds:[eax]
0047876C |. FF92 F0000000 call dword ptr ds:[edx+F0] ; 关键算法
00478772 |. 8B15 68E54700 mov edx,dword ptr ds:[47E568] ; 999.00480A68
00478778 |. 8802 mov byte ptr ds:[edx],al
0047877A |. A1 68E54700 mov eax,dword ptr ds:[47E568]
0047877F |. 8038 00 cmp byte ptr ds:[eax],0
00478782 |. 75 19 jnz short 999.0047879D ; 必须跳
00478784 |. 6A 00 push 0 ; /Arg1 = 00000000
00478786 |. A1 30E94700 mov eax,dword ptr ds:[47E930] ; |
0047878B |. 8B00 mov eax,dword ptr ds:[eax] ; |
0047878D |. 66:8B0D 04884700 mov cx,word ptr ds:[478804] ; |
00478794 |. B2 01 mov dl,1 ; |
<<<<<<<<<<<<<<<<<<<<<<<<<<<<0047876C call dword ptr ds:[edx+F0] ; 关键算法<<<<<<<<<<<<<
00478698 /. 55 push ebp
00478699 |. 8BEC mov ebp,esp
0047869B |. 6A 00 push 0
0047869D |. 6A 00 push 0
0047869F |. 53 push ebx
004786A0 |. 8BD8 mov ebx,eax
004786A2 |. 33C0 xor eax,eax
004786A4 |. 55 push ebp
004786A5 |. 68 FA864700 push 999.004786FA
004786AA |. 64:FF30 push dword ptr fs:[eax]
004786AD |. 64:8920 mov dword ptr fs:[eax],esp
004786B0 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
004786B3 |. 8BC3 mov eax,ebx
004786B5 |. 8B08 mov ecx,dword ptr ds:[eax]
004786B7 |. FF91 E0000000 call dword ptr ds:[ecx+E0]
004786BD |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 假码
004786C0 |. 50 push eax
004786C1 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004786C4 |. 8BC3 mov eax,ebx
004786C6 |. 8B08 mov ecx,dword ptr ds:[eax]
004786C8 |. FF91 E4000000 call dword ptr ds:[ecx+E4]
004786CE |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 机器码
004786D1 |. 8B8B F8020000 mov ecx,dword ptr ds:[ebx+2F8]
004786D7 |. 5A pop edx
004786D8 |. E8 1FF7FFFF call 999.00477DFC ; 关键
004786DD |. 8BD8 mov ebx,eax
004786DF |. 33C0 xor eax,eax
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<,call 999.00477DFC ; 关键
00477DFC /$ 55 push ebp
00477DFD |. 8BEC mov ebp,esp
00477DFF |. 81C4 FCFEFFFF add esp,-104
00477E05 |. 53 push ebx
00477E06 |. 56 push esi
00477E07 |. 57 push edi
00477E08 |. 33DB xor ebx,ebx
00477E0A |. 895D FC mov dword ptr ss:[ebp-4],ebx
00477E0D |. 8BF9 mov edi,ecx
00477E0F |. 8BF2 mov esi,edx
00477E11 |. 8BD8 mov ebx,eax
00477E13 |. 33C0 xor eax,eax
00477E15 |. 55 push ebp
00477E16 |. 68 637E4700 push 999.00477E63
00477E1B |. 64:FF30 push dword ptr fs:[eax]
00477E1E |. 64:8920 mov dword ptr fs:[eax],esp
00477E21 |. 8D8D FCFEFFFF lea ecx,dword ptr ss:[ebp-104]
00477E27 |. 8BD7 mov edx,edi
00477E29 |. 8BC3 mov eax,ebx
00477E2B |. E8 64FEFFFF call 999.00477C94 ; 关键
00477E30 |. 8D95 FCFEFFFF lea edx,dword ptr ss:[ebp-104]
00477E36 |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
00477E39 |. E8 8ABFF8FF call 999.00403DC8
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<,,,,
00477E2B |. call 999.00477C94 ; 关键
<<<,,
00477C94 /$ 55 push ebp
00477C95 |. 8BEC mov ebp,esp
00477C97 |. 83C4 E0 add esp,-20
00477C9A |. 53 push ebx
00477C9B |. 56 push esi
00477C9C |. 57 push edi
00477C9D |. 33DB xor ebx,ebx
00477C9F |. 895D E0 mov dword ptr ss:[ebp-20],ebx
00477CA2 |. 895D E4 mov dword ptr ss:[ebp-1C],ebx
00477CA5 |. 895D E8 mov dword ptr ss:[ebp-18],ebx
00477CA8 |. 8BF9 mov edi,ecx
00477CAA |. 8955 F8 mov dword ptr ss:[ebp-8],edx
00477CAD |. 8945 FC mov dword ptr ss:[ebp-4],eax
00477CB0 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00477CB3 |. E8 20C3F8FF call 999.00403FD8
00477CB8 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00477CBB |. E8 18C3F8FF call 999.00403FD8
00477CC0 |. 33C0 xor eax,eax
00477CC2 |. 55 push ebp
00477CC3 |. 68 ED7D4700 push 999.00477DED
00477CC8 |. 64:FF30 push dword ptr fs:[eax]
00477CCB |. 64:8920 mov dword ptr fs:[eax],esp
00477CCE |. 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; 机器码是否等于0
00477CD2 |. 74 6F je short 999.00477D43
00477CD4 |. BB 01000000 mov ebx,1 ; ebx=1
00477CD9 |. 8D75 EF lea esi,dword ptr ss:[ebp-11]
00477CDC |> 8B45 FC /mov eax,dword ptr ss:[ebp-4] ; 机器码
00477CDF |. E8 40C1F8FF |call 999.00403E24 ; 机器码长度
00477CE4 |. 50 |push eax ; 保存长度
00477CE5 |. 8BC3 |mov eax,ebx ; eax=ebx
00477CE7 |. 48 |dec eax ; eax--
00477CE8 |. 5A |pop edx ; 弹出长度
00477CE9 |. 8BCA |mov ecx,edx ; 机器码长度
00477CEB |. 99 |cdq
00477CEC |. F7F9 |idiv ecx
00477CEE |. 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; 机器码
00477CF1 |. 8A0410 |mov al,byte ptr ds:[eax+edx] ; AL=机器码[I]
00477CF4 |. 50 |push eax ; 保存
00477CF5 |. 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; 机器码
00477CF8 |. E8 27C1F8FF |call 999.00403E24 ; 机器码长度
00477CFD |. 5A |pop edx ; 弹出机器码[I]
00477CFE |. 32D0 |xor dl,al ; 机器码[I]和机器码长度XOR
00477D00 |. 32D3 |xor dl,bl ; 和BL XOR
00477D02 |. 8816 |mov byte ptr ds:[esi],dl ; 保存取名为T1[]
00477D04 |. 43 |inc ebx ; EBX++
00477D05 |. 46 |inc esi ; ESI++
00477D06 |. 83FB 0A |cmp ebx,0A
00477D09 |.^ 75 D1 \jnz short 999.00477CDC
00477D0B |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 机器码
00477D0E |. E8 11C1F8FF call 999.00403E24 ; 机器码长度
00477D13 |. 8BF0 mov esi,eax
00477D15 |. 85F6 test esi,esi
00477D17 |. 7E 2A jle short 999.00477D43
00477D19 |. BB 01000000 mov ebx,1 ; EBX=1
00477D1E |> 8B45 FC /mov eax,dword ptr ss:[ebp-4] ; 机器码
00477D21 |. E8 FEC0F8FF |call 999.00403E24 ; 机器码长度
00477D26 |. 2BC3 |sub eax,ebx ; EAX-EBX
00477D28 |. 8B55 FC |mov edx,dword ptr ss:[ebp-4] ; 机器码
00477D2B |. 8A0C02 |mov cl,byte ptr ds:[edx+eax] ; CL=机器码[9-I]
00477D2E |. 8BC3 |mov eax,ebx
00477D30 |. 48 |dec eax
00477D31 |. 51 |push ecx
00477D32 |. B9 09000000 |mov ecx,9
00477D37 |. 99 |cdq
00477D38 |. F7F9 |idiv ecx
00477D3A |. 59 |pop ecx
00477D3B |. 304C15 EF |xor byte ptr ss:[ebp+edx-11],cl ; TI[I]^CL
00477D3F |. 43 |inc ebx
00477D40 |. 4E |dec esi
00477D41 |.^ 75 DB \jnz short 999.00477D1E
00477D43 |> 837D F8 00 cmp dword ptr ss:[ebp-8],0
00477D47 |. 74 39 je short 999.00477D82
00477D49 |. BB 01000000 mov ebx,1
00477D4E |. 8D75 EF lea esi,dword ptr ss:[ebp-11]
00477D51 |> 8B45 F8 /mov eax,dword ptr ss:[ebp-8]
00477D54 |. E8 CBC0F8FF |call 999.00403E24
00477D59 |. 50 |push eax
00477D5A |. 8BC3 |mov eax,ebx
00477D5C |. 48 |dec eax
00477D5D |. 5A |pop edx
00477D5E |. 8BCA |mov ecx,edx
00477D60 |. 99 |cdq
00477D61 |. F7F9 |idiv ecx
00477D63 |. 8B45 F8 |mov eax,dword ptr ss:[ebp-8]
00477D66 |. 8A0410 |mov al,byte ptr ds:[eax+edx]
00477D69 |. 3206 |xor al,byte ptr ds:[esi]
00477D6B |. 50 |push eax
00477D6C |. 8B45 F8 |mov eax,dword ptr ss:[ebp-8]
00477D6F |. E8 B0C0F8FF |call 999.00403E24
00477D74 |. 5A |pop edx
00477D75 |. 32D0 |xor dl,al
00477D77 |. 32D3 |xor dl,bl
00477D79 |. 8816 |mov byte ptr ds:[esi],dl
00477D7B |. 43 |inc ebx
00477D7C |. 46 |inc esi
00477D7D |. 83FB 0A |cmp ebx,0A
00477D80 |.^ 75 CF \jnz short 999.00477D51
00477D82 |> 8D45 E8 lea eax,dword ptr ss:[ebp-18] ; 跳到这里
00477D85 |. E8 1ABEF8FF call 999.00403BA4
00477D8A |. BB 09000000 mov ebx,9 ; ebx=9
00477D8F |. 8D75 EF lea esi,dword ptr ss:[ebp-11] ; esi=t1[]
00477D92 |> 8D45 E4 /lea eax,dword ptr ss:[ebp-1C]
00477D95 |. 8A16 |mov dl,byte ptr ds:[esi] ; dl=t1[i]
00477D97 |. E8 B0BFF8FF |call 999.00403D4C
00477D9C |. 8B55 E4 |mov edx,dword ptr ss:[ebp-1C]
00477D9F |. 8D45 E8 |lea eax,dword ptr ss:[ebp-18]
00477DA2 |. E8 85C0F8FF |call 999.00403E2C
00477DA7 |. 46 |inc esi
00477DA8 |. 4B |dec ebx
00477DA9 |.^ 75 E7 \jnz short 999.00477D92 ; 这个循环没有什么作用
00477DAB |. 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00477DAE |. 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; eax=t1[]
00477DB1 |. E8 9AFDFFFF call 999.00477B50 ; 关键算法
00477DB6 |. 8B55 E0 mov edx,dword ptr ss:[ebp-20] ; 真码
00477DB9 |. 8BC7 mov eax,edi
00477DBB |. B9 FF000000 mov ecx,0FF
00477DC0 |. E8 3BC0F8FF call 999.00403E00 ; 比较注册码
00477DC5 |. 33C0 xor eax,eax
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.00477DB1 call 999.00477B50 ; 关键算法
00477B50 /$ 55 push ebp
00477B51 |. 8BEC mov ebp,esp
00477B53 |. 83C4 F0 add esp,-10
00477B56 |. 53 push ebx
00477B57 |. 56 push esi
00477B58 |. 57 push edi
00477B59 |. 33C9 xor ecx,ecx
00477B5B |. 894D F0 mov dword ptr ss:[ebp-10],ecx
00477B5E |. 8BFA mov edi,edx
00477B60 |. 8945 FC mov dword ptr ss:[ebp-4],eax
00477B63 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00477B66 |. E8 6DC4F8FF call 999.00403FD8
00477B6B |. 33C0 xor eax,eax
00477B6D |. 55 push ebp
00477B6E |. 68 847C4700 push 999.00477C84
00477B73 |. 64:FF30 push dword ptr fs:[eax]
00477B76 |. 64:8920 mov dword ptr fs:[eax],esp
00477B79 |. 8BC7 mov eax,edi
00477B7B |. E8 24C0F8FF call 999.00403BA4
00477B80 |. E9 D7000000 jmp 999.00477C5C
00477B85 |> 8B45 FC /mov eax,dword ptr ss:[ebp-4] ; eax=t1[]
00477B88 |. E8 97C2F8FF |call 999.00403E24 ; 求长度
00477B8D |. 8BC8 |mov ecx,eax
00477B8F |. 8BC1 |mov eax,ecx
00477B91 |. BB 03000000 |mov ebx,3 ; ebx=3
00477B96 |. 99 |cdq
00477B97 |. F7FB |idiv ebx
00477B99 |. 85C0 |test eax,eax
00477B9B |. 7E 07 |jle short 999.00477BA4
00477B9D |. BB 03000000 |mov ebx,3 ; ebx=3
00477BA2 |. EB 02 |jmp short 999.00477BA6
00477BA4 |> 8BD9 |mov ebx,ecx
00477BA6 |> 8D45 F9 |lea eax,dword ptr ss:[ebp-7]
00477BA9 |. 33C9 |xor ecx,ecx
00477BAB |. BA 03000000 |mov edx,3 ; edx=3
00477BB0 |. E8 B3AFF8FF |call 999.00402B68
00477BB5 |. 8D45 F5 |lea eax,dword ptr ss:[ebp-B]
00477BB8 |. B9 40000000 |mov ecx,40
00477BBD |. BA 04000000 |mov edx,4
00477BC2 |. E8 A1AFF8FF |call 999.00402B68
00477BC7 |. 8D45 FC |lea eax,dword ptr ss:[ebp-4]
00477BCA |. E8 25C4F8FF |call 999.00403FF4
00477BCF |. 8D55 F9 |lea edx,dword ptr ss:[ebp-7]
00477BD2 |. 8BCB |mov ecx,ebx
00477BD4 |. E8 B7ACF8FF |call 999.00402890
00477BD9 |. 83FB 03 |cmp ebx,3
00477BDC |. 7C 08 |jl short 999.00477BE6
00477BDE |. 8A45 FB |mov al,byte ptr ss:[ebp-5] ; 依次倒序取T1[]的前三个元素
00477BE1 |. 24 3F |and al,3F ; al&03f
00477BE3 |. 8845 F8 |mov byte ptr ss:[ebp-8],al ; 保存
00477BE6 |> 83FB 02 |cmp ebx,2
00477BE9 |. 7C 15 |jl short 999.00477C00
00477BEB |. 8A45 FA |mov al,byte ptr ss:[ebp-6] ; 再次倒序取T1[]的前一个元素
00477BEE |. C1E0 02 |shl eax,2 ; 进行左移
00477BF1 |. 33D2 |xor edx,edx
00477BF3 |. 8A55 FB |mov dl,byte ptr ss:[ebp-5] ; 取T1[]的一个元素
00477BF6 |. C1EA 06 |shr edx,6 ; 右移
00477BF9 |. 0AC2 |or al,dl
00477BFB |. 24 3F |and al,3F ; 和3F相与
00477BFD |. 8845 F7 |mov byte ptr ss:[ebp-9],al ; 保存
00477C00 |> 8A45 F9 |mov al,byte ptr ss:[ebp-7] ; 取T1[]的一个元素
00477C03 |. 8BD0 |mov edx,eax
00477C05 |. C1E2 04 |shl edx,4 ; 进行左移
00477C08 |. 33C9 |xor ecx,ecx
00477C0A |. 8A4D FA |mov cl,byte ptr ss:[ebp-6]
00477C0D |. C1E9 04 |shr ecx,4 ; 右移4
00477C10 |. 0AD1 |or dl,cl
00477C12 |. 80E2 3F |and dl,3F
00477C15 |. 8855 F6 |mov byte ptr ss:[ebp-A],dl ; 保存
00477C18 |. 25 FF000000 |and eax,0FF ; 继续使用AL
00477C1D |. C1E8 02 |shr eax,2 ; 右移2位
00477C20 |. 24 3F |and al,3F
00477C22 |. 8845 F5 |mov byte ptr ss:[ebp-B],al ; 保存
00477C25 |. 8D45 FC |lea eax,dword ptr ss:[ebp-4]
00477C28 |. 8BCB |mov ecx,ebx
00477C2A |. BA 01000000 |mov edx,1
00477C2F |. E8 38C4F8FF |call 999.0040406C
00477C34 |. BE 04000000 |mov esi,4 ; esi=4
00477C39 |. 8D5D F5 |lea ebx,dword ptr ss:[ebp-B]
00477C3C |> 8D45 F0 |/lea eax,dword ptr ss:[ebp-10]
00477C3F |. 33D2 ||xor edx,edx ; edx=0
00477C41 |. 8A13 ||mov dl,byte ptr ds:[ebx]
00477C43 |. 8A92 9DE44700 ||mov dl,byte ptr ds:[edx+47E49D] ; 从这个字典依次取注册码
00477C49 |. E8 FEC0F8FF ||call 999.00403D4C
00477C4E |. 8B55 F0 ||mov edx,dword ptr ss:[ebp-10]
00477C51 |. 8BC7 ||mov eax,edi
00477C53 |. E8 D4C1F8FF ||call 999.00403E2C
00477C58 |. 43 ||inc ebx ; ebx++
00477C59 |. 4E ||dec esi ; esi--
00477C5A |.^ 75 E0 |\jnz short 999.00477C3C
00477C5C |> 837D FC 00 cmp dword ptr ss:[ebp-4],0
00477C60 |.^ 0F85 1FFFFFFF \jnz 999.00477B85
00477C66 |. 33C0 xor eax,eax
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.
『算法总结』:
略过,不喜欢总结。
注册机源码:
#include <iostream>
using namespace std;
void main()
{
char jqm[11]={0},code[23]={0},tmp[13],t1[11]={0},table[255]="IYAGPXDJQWMHVCNFUZRBKESOLTtfkysbohlujwecpmiaqndxzvgr46+02573/81=9";
unsigned int key,jqmlen,itmp;
cout<<"请输入机器码:"<<endl;
cin>>jqm;
jqmlen=strlen(jqm);
for(int i=0;i<9;i++)
{
key=jqm[i];
key=key^jqmlen;
t1[i]=key^(i+1);
}
for( i=0;i<10;i++)
{
key=jqm[9-i];
t1[i%9]=key^t1[i%9];
}
int j;
for( j=0,i=0;i<9,j<3;j++)
{
itmp=t1[i+0]&0xff;
tmp[i+j]=(itmp>>2)&0x3f;
itmp=t1[i+0];
itmp=itmp<<4;
tmp[i+j+1]=(itmp|(t1[i+1]>>4))&0x3f;
itmp=t1[i+1];
tmp[i+j+2]=(itmp<<2)|(t1[i+2]>>6)&0x3f;
itmp=t1[2+i];
itmp=itmp&0x3f;
tmp[i+j+3]=itmp;
i+=3;
}
for(i=0;i<12;i++)
{
itmp=tmp[i];
code[i]=table[itmp];
}
cout<<"你的注册码是: "<<code<<endl;
}
---------------------------------------------------------------------------------------------
我的注册信息:
机器码:4671145184
注册码:FzLFAopWAUUC