中国税收法律法规 V1.5.0注册算法破解
下载地址:http://www.skycn.com/soft/11898.html
本软件的保护方式为采用了注册码求逆形成机器码,即:机器码=F(注册码)
下断点简单就不说了。
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
00411D52 |. C68424 B00B0000 >mov byte ptr ss:[esp+BB0],7
00411D5A |. E8 A96C0200 call Statute.00438A08
00411D5F |. 8D8C24 6C070000 lea ecx,dword ptr ss:[esp+76C]
00411D66 |. C68424 B00B0000 >mov byte ptr ss:[esp+BB0],6
00411D6E |. E8 956C0200 call Statute.00438A08
00411D73 |. 8D8C24 14050000 lea ecx,dword ptr ss:[esp+514]
00411D7A |. C68424 B00B0000 >mov byte ptr ss:[esp+BB0],5
00411D82 |. E8 F905FFFF call Statute.00402380
00411D87 |. 8D8C24 BC020000 lea ecx,dword ptr ss:[esp+2BC]
00411D8E |. C68424 B00B0000 >mov byte ptr ss:[esp+BB0],4
00411D96 |. E8 E505FFFF call Statute.00402380
00411D9B |. C68424 B00B0000 >mov byte ptr ss:[esp+BB0],3
00411DA3 |. E9 66010000 jmp Statute.00411F0E
00411DA8 |> 8D8C24 70070000 lea ecx,dword ptr ss:[esp+770]
00411DAF |. E8 76710200 call Statute.00438F2A
00411DB4 |. 8D8424 70070000 lea eax,dword ptr ss:[esp+770]
00411DBB |. 8D8C24 6C070000 lea ecx,dword ptr ss:[esp+76C]
00411DC2 |. 50 push eax ; /输入的假码
00411DC3 |. 51 push ecx ; |机器码
00411DC4 |. 8BCE mov ecx,esi ; |
00411DC6 |. E8 85040000 call Statute.00412250 ; \关键算法函数
00411DCB |. 85C0 test eax,eax
00411DCD |. 0F85 A1000000 jnz Statute.00411E74 ; 关键跳转
00411DD3 |. 51 push ecx
00411DD4 |. 8BCC mov ecx,esp
00411DD6 |. 896424 08 mov dword ptr ss:[esp+8],esp
00411DDA |. 68 78374700 push Statute.00473778 ; 非法注册码!
00411DDF |. E8 926C0200 call Statute.00438A76
00411DE4 |. E8 076FFFFF call Statute.00408CF0
00411DE9 |. 83C4 04 add esp,4
00411DEC |. 8D8C24 34080000 lea ecx,dword ptr ss:[esp+834]
00411DF3 |. C78424 B00B0000 >mov dword ptr ss:[esp+BB0],10
00411DFE |. E8 AD39FFFF call Statute.004057B0
00411E03 |. 8D8C24 74070000 lea ecx,dword ptr ss:[esp+774]
00411E0A |. C68424 B00B0000 >mov byte ptr ss:[esp+BB0],0F
00411E12 |. E8 9939FFFF call Statute.004057B0
00411E17 |. 8D8C24 70070000 lea ecx,dword ptr ss:[esp+770]
00411E1E |. C68424 B00B0000 >mov byte ptr ss:[esp+BB0],0E
00411E26 |. E8 DD6B0200 call Statute.00438A08
00411E2B |. 8D8C24 6C070000 lea ecx,dword ptr ss:[esp+76C]
00411E32 |. C68424 B00B0000 >mov byte ptr ss:[esp+BB0],0D
00411E3A |. E8 C96B0200 call Statute.00438A08
00411E3F |. 8D8C24 14050000 lea ecx,dword ptr ss:[esp+514]
00411E46 |. C68424 B00B0000 >mov byte ptr ss:[esp+BB0],0C
00411E4E |. E8 2D05FFFF call Statute.00402380
00411E53 |. 8D8C24 BC020000 lea ecx,dword ptr ss:[esp+2BC]
00411E5A |. C68424 B00B0000 >mov byte ptr ss:[esp+BB0],0B
00411E62 |. E8 1905FFFF call Statute.00402380
00411E67 |. C68424 B00B0000 >mov byte ptr ss:[esp+BB0],0A
00411E6F |. E9 9A000000 jmp Statute.00411F0E
00411E74 |> 8D9424 70070000 lea edx,dword ptr ss:[esp+770]
00411E7B |. 8D8424 6C070000 lea eax,dword ptr ss:[esp+76C]
00411E82 |. 52 push edx ; /Arg2
00411E83 |. 50 push eax ; |Arg1
00411E84 |. 8BCE mov ecx,esi ; |
00411E86 |. E8 25F3FFFF call Statute.004111B0 ; \Statute.004111B0
关键算法函数>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Statute.00412250 - registration check called from 00411DC6.
; Stack arguments (callee pops 8 bytes): Arg1 = machine-code string object, Arg2 = entered registration-code string object.
; Returns eax = 1 when the entered code decodes back to the first 8 machine-code characters, otherwise 0.
; Steps visible below: length checks (machine code >= 8, entered code >= 34), copy 34 characters to a local buffer,
; build one byte from the last two characters, decode 16 bytes from the first 32 characters (each XORed with that byte),
; require high nibble == (((low nibble * 5) & 0xF) + 1) & 0xF in every decoded byte, then pack the low nibbles
; into 8 bytes and compare them with the machine code.
; NOTE(review): nothing read in this routine is secret - the inputs are the machine code and the entered string only,
; so validity is a pure, invertible function of the machine code. A signature verified with an embedded public key
; would be needed for the check to resist being re-derived from the binary.
00412250 /$ 64:A1 00000000 mov eax,dword ptr fs:[0] ; prologue: load the current exception-registration head
00412256 |. 6A FF push -1
00412258 |. 68 A86D4500 push Statute.00456DA8
0041225D |. 50 push eax
0041225E |. 64:8925 00000000 mov dword ptr fs:[0],esp ; install this function's exception record
00412265 |. 83EC 50 sub esp,50 ; 0x50 bytes of locals
00412268 |. 56 push esi
00412269 |. 8B7424 64 mov esi,dword ptr ss:[esp+64] ; esi = Arg1 (machine-code string object)
0041226D |. 57 push edi
0041226E |. 8B06 mov eax,dword ptr ds:[esi] ; eax -> machine-code characters
00412270 |. 8B50 F8 mov edx,dword ptr ds:[eax-8] ; length field stored 8 bytes before the characters (presumably an MFC CString header - confirm)
00412273 |. 85D2 test edx,edx
00412275 |. 75 2B jnz short Statute.004122A2 ; non-empty machine code: skip the fallback below
00412277 |. 8D5424 68 lea edx,dword ptr ss:[esp+68]
0041227B |. 52 push edx ; /Arg1
0041227C |. E8 0FFEFFFF call Statute.00412090 ; \Statute.00412090 - NOTE(review): presumably produces the machine code when the string is empty; helper body not shown
00412281 |. 50 push eax
00412282 |. 8BCE mov ecx,esi
00412284 |. C74424 64 000000>mov dword ptr ss:[esp+64],0
0041228C |. E8 B0680200 call Statute.00438B41
00412291 |. 8D4C24 68 lea ecx,dword ptr ss:[esp+68]
00412295 |. C74424 60 FFFFFF>mov dword ptr ss:[esp+60],-1
0041229D |. E8 66670200 call Statute.00438A08
004122A2 |> 8B06 mov eax,dword ptr ds:[esi]
004122A4 |. 8378 F8 08 cmp dword ptr ds:[eax-8],8 ; machine code must be at least 8 characters long
004122A8 |. 7D 15 jge short Statute.004122BF
004122AA |> 5F pop edi ; failure exit, also the target of the nibble check at 00412398
004122AB |. 33C0 xor eax,eax ; return 0
004122AD |. 5E pop esi
004122AE |. 8B4C24 50 mov ecx,dword ptr ss:[esp+50]
004122B2 |. 64:890D 00000000 mov dword ptr fs:[0],ecx ; restore the previous exception record
004122B9 |. 83C4 5C add esp,5C
004122BC |. C2 0800 retn 8
004122BF |> 8B4C24 6C mov ecx,dword ptr ss:[esp+6C] ; ecx = Arg2 (entered registration-code string object)
004122C3 |. 8B31 mov esi,dword ptr ds:[ecx] ; esi -> entered characters
004122C5 |. 837E F8 22 cmp dword ptr ds:[esi-8],22 ; registration code must be at least 34 (0x22) characters long
004122C9 |. 7D 15 jge short Statute.004122E0
004122CB |. 5F pop edi ; too short: return 0
004122CC |. 33C0 xor eax,eax
004122CE |. 5E pop esi
004122CF |. 8B4C24 50 mov ecx,dword ptr ss:[esp+50]
004122D3 |. 64:890D 00000000 mov dword ptr fs:[0],ecx
004122DA |. 83C4 5C add esp,5C
004122DD |. C2 0800 retn 8
004122E0 |> B9 08000000 mov ecx,8
004122E5 |. 8D7C24 34 lea edi,dword ptr ss:[esp+34] ; edi -> 34-byte local buffer at esp+34..esp+55
004122E9 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi] ; copy the first 32 characters of the entered code
004122EB |. 8B10 mov edx,dword ptr ds:[eax] ; edx = machine-code characters 0..3
004122ED |. 8B40 04 mov eax,dword ptr ds:[eax+4] ; eax = machine-code characters 4..7
004122F0 |. 66:A5 movs word ptr es:[edi],word ptr ds:[esi] ; copy characters 32 and 33
004122F2 |. 8A4C24 54 mov cl,byte ptr ss:[esp+54] ; second-to-last character of the 34 (index 32)
004122F6 |. 895424 08 mov dword ptr ss:[esp+8],edx ; save the first 4 machine-code bytes
004122FA |. 80F9 41 cmp cl,41
004122FD |. 894424 0C mov dword ptr ss:[esp+C],eax ; save the next 4 machine-code bytes
00412301 |. 72 05 jb short Statute.00412308
00412303 |. 80C1 C9 add cl,0C9 ; >= 'A': adding 0xC9 equals subtracting 0x37 modulo 256
00412306 |. EB 03 jmp short Statute.0041230B
00412308 |> 80C1 D0 add cl,0D0 ; below 'A': adding 0xD0 equals subtracting 0x30 modulo 256
0041230B |> 8A4424 55 mov al,byte ptr ss:[esp+55] ; last character of the 34 (index 33)
0041230F |. 884C24 54 mov byte ptr ss:[esp+54],cl ; store the converted value
00412313 |. 3C 41 cmp al,41
00412315 |. 72 04 jb short Statute.0041231B
00412317 |. 04 C9 add al,0C9
00412319 |. EB 02 jmp short Statute.0041231D
0041231B |> 04 D0 add al,0D0 ; below 'A': add 0xD0
0041231D |> 884424 55 mov byte ptr ss:[esp+55],al ; store the converted value
00412321 |. 24 0F and al,0F
00412323 |. C0E1 04 shl cl,4
00412326 |. 0AC1 or al,cl
00412328 |. 53 push ebx ; esp-relative offsets are 4 larger until the pop at 00412373
00412329 |. 8AD0 mov dl,al ; dl = byte built from the last two characters (end of the trailer extraction)
0041232B |. 33F6 xor esi,esi ; esi = 0 (output index)
0041232D |. 8D4424 38 lea eax,dword ptr ss:[esp+38] ; eax -> local copy of the entered code
00412331 |> 8A08 /mov cl,byte ptr ds:[eax]
00412333 |. 80F9 41 |cmp cl,41
00412336 |. 72 05 |jb short Statute.0041233D
00412338 |. 80E9 37 |sub cl,37
0041233B |. EB 03 |jmp short Statute.00412340
0041233D |> 80E9 30 |sub cl,30 ; subtract 0x30
00412340 |> 8808 |mov byte ptr ds:[eax],cl ; store in place
00412342 |. 8A48 01 |mov cl,byte ptr ds:[eax+1]
00412345 |. 80F9 41 |cmp cl,41
00412348 |. 72 05 |jb short Statute.0041234F
0041234A |. 80E9 37 |sub cl,37
0041234D |. EB 03 |jmp short Statute.00412352
0041234F |> 80E9 30 |sub cl,30 ; subtract 0x30
00412352 |> 8848 01 |mov byte ptr ds:[eax+1],cl ; store in place
00412355 |. 8A08 |mov cl,byte ptr ds:[eax]
00412357 |. 8A58 01 |mov bl,byte ptr ds:[eax+1]
0041235A |. 83C0 02 |add eax,2 ; advance two characters
0041235D |. C0E1 04 |shl cl,4 ; cl * 0x10
00412360 |. 80E3 0F |and bl,0F
00412363 |. 0ACB |or cl,bl ; cl = byte assembled from two consecutive characters
00412365 |. 32CA |xor cl,dl ; XOR with the byte built from the last two characters
00412367 |. 884C34 24 |mov byte ptr ss:[esp+esi+24],cl ; store decoded byte number esi
0041236B |. 46 |inc esi
0041236C |. 83FE 10 |cmp esi,10 ; 16 decoded bytes in total
0041236F |.^ 7C C0 \jl short Statute.00412331
00412371 |. 33D2 xor edx,edx ; edx = 0
00412373 |. 5B pop ebx
00412374 |> 33C0 /xor eax,eax ; eax = 0
00412376 |. 8A4414 20 |mov al,byte ptr ss:[esp+edx+20] ; al = decoded byte number edx
0041237A |. 8BC8 |mov ecx,eax ; ecx = eax
0041237C |. 83E1 0F |and ecx,0F ; ecx = low nibble
0041237F |. 8D0C89 |lea ecx,dword ptr ds:[ecx+ecx*4] ; ecx = low nibble * 5
00412382 |. 81E1 0F000080 |and ecx,8000000F ; keep the low 4 bits and the sign bit
00412388 |. 79 05 |jns short Statute.0041238F ; sign bit is clear for a product in 0..75, so the next three instructions are skipped
0041238A |. 49 |dec ecx
0041238B |. 83C9 F0 |or ecx,FFFFFFF0
0041238E |. 41 |inc ecx
0041238F |> 41 |inc ecx ; ecx++
00412390 |. 83E1 0F |and ecx,0F ; ecx &= 0xF
00412393 |. C1E8 04 |shr eax,4 ; eax >>= 4, i.e. the high nibble of the decoded byte
00412396 |. 33C8 |xor ecx,eax ; zero only when high nibble == (((low nibble * 5) & 0xF) + 1) & 0xF
00412398 |.^ 0F85 0CFFFFFF |jnz Statute.004122AA ; mismatch: take the failure exit (return 0)
0041239E |. 42 |inc edx ; edx++
0041239F |. 83FA 10 |cmp edx,10 ; loop while edx < 16
004123A2 |.^ 7C D0 \jl short Statute.00412374
004123A4 |. 33C0 xor eax,eax
004123A6 |. 8D7424 20 lea esi,dword ptr ss:[esp+20] ; esi -> the 16 decoded bytes
004123AA |> 8A56 01 mov dl,byte ptr ds:[esi+1] ; dl = second decoded byte of the pair
004123AD |. 8A0E mov cl,byte ptr ds:[esi] ; cl = first decoded byte of the pair
004123AF |. 80E2 0F and dl,0F
004123B2 |. 83C6 02 add esi,2
004123B5 |. C0E1 04 shl cl,4
004123B8 |. 0AD1 or dl,cl
004123BA |. 885404 14 mov byte ptr ss:[esp+eax+14],dl ; store one byte made of the two low nibbles
004123BE |. 40 inc eax
004123BF |. 83F8 08 cmp eax,8 ; 8 reconstructed bytes
004123C2 |.^ 7C E6 jl short Statute.004123AA
004123C4 |. B9 02000000 mov ecx,2 ; compare 2 dwords = 8 bytes
004123C9 |. 8D7C24 08 lea edi,dword ptr ss:[esp+8] ; edi -> saved machine-code bytes
004123CD |. 8D7424 14 lea esi,dword ptr ss:[esp+14] ; esi -> reconstructed bytes
004123D1 |. 33D2 xor edx,edx ; edx = 0
004123D3 |. C64424 1C 00 mov byte ptr ss:[esp+1C],0
004123D8 |. 8BC2 mov eax,edx ; eax = 0 so that sete below yields 0 or 1
004123DA |. F3:A7 repe cmps dword ptr es:[edi],dword ptr ds:[esi] ; the reconstructed bytes must equal the machine code
004123DC |. 8B4C24 58 mov ecx,dword ptr ss:[esp+58] ; ecx = saved exception record; the accepted code format follows from the compare above
004123E0 |. 5F pop edi
004123E1 |. 0F94C0 sete al ; equal: al = 1
004123E4 |. 5E pop esi
004123E5 |. 64:890D 00000000 mov dword ptr fs:[0],ecx ; restore the previous exception record
004123EC |. 83C4 5C add esp,5C
004123EF \. C2 0800 retn 8
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>..
总结:注册码的形成规律是这样的:每个注册码的前一位和后一位的关系是K1=(((K2*5)&0XF)+1)&0XF,K3=(((K4*5)&0XF)+1)&0XF,.....这样形成32位16进制数字,
最后2位用00填充即可.因为和0 XOR还是原数.
例如:以我的机器码为例,77522C66的ASCII是3737353232433636
第一步(((3*5)&0XF)+1)&0XF=0所以KEY1=0,KEY2=3
第二步(((7*5)&0XF)+1)&0XF=4所以KEY3=4,KEY4=7
第三步(((3*5)&0XF)+1)&0XF=0所以KEY5=0,KEY6=3
第四步(((7*5)&0XF)+1)&0XF=4所以KEY7=4,KEY8=7
第五步(((3*5)&0XF)+1)&0XF=0所以KEY9=0,KEY10=3
第六步(((5*5)&0XF)+1)&0XF=A所以KEY11=A,KEY12=5
........................
依次类推
注册码保存在:HKEY_CURRENT_USER\Software\昇华科技\中国税收法律法规\Settings
我的机器码:77522C66
我的注册码:0347034703a503b203b2540303f603f600
注册机算法:
#include<iostream>
#include <stdlib.h>
using namespace std;
// Reads an 8-character machine code from stdin and prints the 34 hex digits
// obtained by applying the page's nibble relation to every nibble of its ASCII bytes.
// NOTE(review): `void main()` and the reuse of `i` after the first for-loop are
// non-standard C++; the listing appears to assume a pre-standard compiler.
void main()
{
// 8 characters plus the terminating NUL.
char jqm[9]={0};
// key: the 16 nibbles of the machine code's ASCII bytes; code: the 34 output digits.
unsigned int key[16]={0},jwei,code[34]={0};
// NOTE(review): operator>> into a char array is unbounded here; input longer
// than 8 characters writes past the end of jqm.
cin>>jqm;
cout<<"您的机器码是: ";
cout<<jqm<<endl;
// Split every machine-code character into its high and low nibble.
for(int i=0;i<8;i++)
{
key[i*2]=jqm[i]/0x10;// odd position (1-based): high nibble
key[i*2+1]=jqm[i]%0x10;// even position (1-based): low nibble
}
// For every nibble emit the derived digit followed by the nibble itself.
for( i=0;i<16;i++)
{
jwei=key[i];
// Derived digit: (((nibble * 5) & 0xF) + 1) & 0xF.
jwei=(((jwei*5)&0xf)+1)&0xf;
code[i*2]=jwei;// odd position (1-based): derived digit
code[i*2+1]=key[i];// even position (1-based): original nibble
}
cout<<"您的注册码是: ";
// code[32] and code[33] are never written, so they print as the trailing "00".
for( i=0;i<34;i++)
{
cout<<hex<<code[i];
}
cout<<endl;
system("pause");
}