程序版本:EditPlus v3.2(310)
核心代码1:
代码:
004A7720 /$ 8B4C24 08 mov ecx,dword ptr ss:[esp+8] 004A7724 |. 8B4424 0C mov eax,dword ptr ss:[esp+C] 004A7728 |. 8D1401 lea edx,dword ptr ds:[ecx+eax] 004A772B |. 3BCA cmp ecx,edx 004A772D |. 73 25 jnb short 004A7754 004A772F |. 8B4424 04 mov eax,dword ptr ss:[esp+4] 004A7733 |. 56 push esi 004A7734 |. 57 push edi 004A7735 |> 0FB639 /movzx edi,byte ptr ds:[ecx] 004A7738 |. 0FB6F0 |movzx esi,al 004A773B |. 66:C1E8 08 |shr ax,8 004A773F |. 33F7 |xor esi,edi 004A7741 |. 66:330475 303A5B00 |xor ax,word ptr ds:[esi*2+5B3A30] ; 005B3A30 是表头 004A7749 |. 41 |inc ecx 004A774A |. 0FB7C0 |movzx eax,ax 004A774D |. 3BCA |cmp ecx,edx 004A774F |.^ 72 E4 \jb short 004A7735 004A7751 |. 5F pop edi 004A7752 |. 5E pop esi 004A7753 |. C3 retn 004A7754 |> 66:8B4424 04 mov ax,word ptr ss:[esp+4] 004A7759 \. C3 retn
-----------------------------------------------------------------
USHORT table[] = {
0x0000, 0xC0C1, 0xC181, 0x0140, 0xC301, 0x03C0, 0x0280, 0xC241,
0xC601, 0x06C0, 0x0780, 0xC741, 0x0500, 0xC5C1, 0xC481, 0x0440,
0xCC01, 0x0CC0, 0x0D80, 0xCD41, 0x0F00, 0xCFC1, 0xCE81, 0x0E40,
0x0A00, 0xCAC1, 0xCB81, 0x0B40, 0xC901, 0x09C0, 0x0880, 0xC841,
0xD801, 0x18C0, 0x1980, 0xD941, 0x1B00, 0xDBC1, 0xDA81, 0x1A40,
0x1E00, 0xDEC1, 0xDF81, 0x1F40, 0xDD01, 0x1DC0, 0x1C80, 0xDC41,
0x1400, 0xD4C1, 0xD581, 0x1540, 0xD701, 0x17C0, 0x1680, 0xD641,
0xD201, 0x12C0, 0x1380, 0xD341, 0x1100, 0xD1C1, 0xD081, 0x1040,
0xF001, 0x30C0, 0x3180, 0xF141, 0x3300, 0xF3C1, 0xF281, 0x3240,
0x3600, 0xF6C1, 0xF781, 0x3740, 0xF501, 0x35C0, 0x3480, 0xF441,
0x3C00, 0xFCC1, 0xFD81, 0x3D40, 0xFF01, 0x3FC0, 0x3E80, 0xFE41,
0xFA01, 0x3AC0, 0x3B80, 0xFB41, 0x3900, 0xF9C1, 0xF881, 0x3840,
0x2800, 0xE8C1, 0xE981, 0x2940, 0xEB01, 0x2BC0, 0x2A80, 0xEA41,
0xEE01, 0x2EC0, 0x2F80, 0xEF41, 0x2D00, 0xEDC1, 0xEC81, 0x2C40,
0xE401, 0x24C0, 0x2580, 0xE541, 0x2700, 0xE7C1, 0xE681, 0x2640,
0x2200, 0xE2C1, 0xE381, 0x2340, 0xE101, 0x21C0, 0x2080, 0xE041,
0xA001, 0x60C0, 0x6180, 0xA141, 0x6300, 0xA3C1, 0xA281, 0x6240,
0x6600, 0xA6C1, 0xA781, 0x6740, 0xA501, 0x65C0, 0x6480, 0xA441,
0x6C00, 0xACC1, 0xAD81, 0x6D40, 0xAF01, 0x6FC0, 0x6E80, 0xAE41,
0xAA01, 0x6AC0, 0x6B80, 0xAB41, 0x6900, 0xA9C1, 0xA881, 0x6840,
0x7800, 0xB8C1, 0xB981, 0x7940, 0xBB01, 0x7BC0, 0x7A80, 0xBA41,
0xBE01, 0x7EC0, 0x7F80, 0xBF41, 0x7D00, 0xBDC1, 0xBC81, 0x7C40,
0xB401, 0x74C0, 0x7580, 0xB541, 0x7700, 0xB7C1, 0xB681, 0x7640,
0x7200, 0xB2C1, 0xB381, 0x7340, 0xB101, 0x71C0, 0x7080, 0xB041,
0x5000, 0x90C1, 0x9181, 0x5140, 0x9301, 0x53C0, 0x5280, 0x9241,
0x9601, 0x56C0, 0x5780, 0x9741, 0x5500, 0x95C1, 0x9481, 0x5440,
0x9C01, 0x5CC0, 0x5D80, 0x9D41, 0x5F00, 0x9FC1, 0x9E81, 0x5E40,
0x5A00, 0x9AC1, 0x9B81, 0x5B40, 0x9901, 0x59C0, 0x5880, 0x9841,
0x8801, 0x48C0, 0x4980, 0x8941, 0x4B00, 0x8BC1, 0x8A81, 0x4A40,
0x4E00, 0x8EC1, 0x8F81, 0x4F40, 0x8D01, 0x4DC0, 0x4C80, 0x8C41,
0x4400, 0x84C1, 0x8581, 0x4540, 0x8701, 0x47C0, 0x4680, 0x8641,
0x8201, 0x42C0, 0x4380, 0x8341, 0x4100, 0x81C1, 0x8081, 0x4040
};
int CoreFunc1(UINT u, LPSTR s, int len)
{
if (s && len)
{
if (s[0] == '\0')
return u;
int i = 0;
do
{
int a = s[i];
int b = LOBYTE(u);
u = (UINT)((LOWORD(u) >> 8) ^ table[a ^ b]);
} while (s[++i]);
}
return u;
}
-----------------------------------------------------------------
核心代码2:
代码:
004A84FC |. 33C9 xor ecx,ecx 004A84FE |. 3BC1 cmp eax,ecx 004A8500 |. C60407 00 mov byte ptr ds:[edi+eax],0 004A8504 |. 0F8E B0000000 jle 004A85BA 004A850A |. 83F8 02 cmp eax,2 004A850D |. 894C24 18 mov dword ptr ss:[esp+18],ecx 004A8511 |. 894C24 14 mov dword ptr ss:[esp+14],ecx 004A8515 |. 8D51 01 lea edx,dword ptr ds:[ecx+1] 004A8518 |. 7C 1B jl short 004A8535 004A851A |> 0FB61C0F /movzx ebx,byte ptr ds:[edi+ecx] 004A851E |. 015C24 18 |add dword ptr ss:[esp+18],ebx 004A8522 |. 0FB65C0F 01 |movzx ebx,byte ptr ds:[edi+ecx+1] 004A8527 |. 015C24 14 |add dword ptr ss:[esp+14],ebx 004A852B |. 83C1 02 |add ecx,2 004A852E |. 8D58 FF |lea ebx,dword ptr ds:[eax-1] 004A8531 |. 3BCB |cmp ecx,ebx 004A8533 |.^ 7C E5 \jl short 004A851A 004A8535 |> 3BC8 cmp ecx,eax 004A8537 |. 7D 05 jge short 004A853E 004A8539 |. 0FB61439 movzx edx,byte ptr ds:[ecx+edi] 004A853D |. 42 inc edx 004A853E |> 8B4C24 14 mov ecx,dword ptr ss:[esp+14] 004A8542 |. 8B4424 18 mov eax,dword ptr ss:[esp+18] 004A8546 |. 03C1 add eax,ecx 004A8548 |. 03D0 add edx,eax 004A854A |. 8D54D2 0A lea edx,dword ptr ds:[edx+edx*8+A] 004A854E |. B8 56555555 mov eax,55555556 004A8553 |. F7EA imul edx 004A8555 |. 8BC2 mov eax,edx 004A8557 |. C1E8 1F shr eax,1F 004A855A |. 8D4C02 24 lea ecx,dword ptr ds:[edx+eax+24] 004A855E |. 81E1 0F000080 and ecx,8000000F 004A8564 |. 79 05 jns short 004A856B 004A8566 |. 49 dec ecx 004A8567 |. 83C9 F0 or ecx,FFFFFFF0 004A856A |. 41 inc ecx 004A856B |> 51 push ecx
-----------------------------------------------------------------
char CoreFunc2(LPSTR s, int len)
{
char ch[4] = {0};
if (s)
{
int i = 0, j = 0;
int k = 0;
if (len >= 2)
{
j = 1;
do
{
k += s[i++];
k += s[i++];
} while (i < (len - 1));
}
if (i < len)
j = s[i] + 1;
j = (j + k) * 9 + 10;
j = ((j / 3) + 36) % 16;
wsprintf(ch, "%1X", j);
}
return ch[0];
}
-----------------------------------------------------------------
验证步骤:
1、用注册名作参数调用 CoreFunc1,返回值转换成字符串,前两个字符就是注册码第3、4位;
2、注册码去掉前2位,作为 CoreFunc1 的参数,返回值转换成字符串,前两个字符就是注册码第1、2位;
3、用注册名作参数调用 CoreFunc2,返回值转换成字符作为注册码第5位;
前2步验证成功后到
代码:
004A8A14 . 8B85 2C010000 mov eax,dword ptr ss:[ebp+12C] 004A8A1A . 8BCD mov ecx,ebp 004A8A1C . C700 00000000 mov dword ptr ds:[eax],0 // 必须赋 0 值 004A8A22 . E8 D3DF0200 call 004D69FA
代码:
004A85AC |. /74 0C je short 004A85BA 004A85AE |> |8B8E 2C010000 mov ecx,dword ptr ds:[esi+12C] 004A85B4 |. |C701 01000000 mov dword ptr ds:[ecx],1 // 验证失败赋 1 值
注册码生成函数:
-----------------------------------------------------------------
void ShowKey(HWND hwnd)
{
char szName[64];
char szKey[64];
char sz1[16], sz2[16], sz3[32];
int nLen = GetDlgItemTextEx(hwnd, IDC_NAME, szName, 64);
if (nLen)
{
int i = CoreFunc1(0, szName, nLen);
int j = wsprintf(sz2, "%02X", i); // key[3] and key[4]
int k = RandKeyString(sz3);
sz2[2] = CoreFunc2(szName, nLen); // key[5]
sz2[3] = '\0';
wsprintf(szName, "%s%s", sz2, sz3);
i = CoreFunc1(0, szName, j + k);
j = wsprintf(sz1, "%02X", i); // key[1] and key[2]
sz1[2] = '\0';
wsprintf(szKey, "%s%s%s", sz1, sz2, sz3);
SetDlgItemText(hwnd, IDC_CODE, szKey);
}
}
-----------------------------------------------------------------
附:表生成函数
void MakeTable()
{
for (int i=0; i<256; i++)
{
for (int j=1, k=0xC0C1; j<256; j+=j)
{
if (i & j)
table[i] ^= k;
k += k;
k ^= 0x4003;
}
}
}
相关代码:
1)
代码:
00520A17 . E8 99FFFFFF call 005209B5 00520A1C . A3 40935B00 mov dword ptr ds:[5B9340],eax 00520A21 . 33C0 xor eax,eax 00520A23 . C3 retn
代码:
00520979 . C745 E4 01000000 mov dword ptr ss:[ebp-1C],1 00520980 . EB 23 jmp short 005209A5
代码:
004A79AB |. FFD5 call ebp ; \WideCharToMultiByte 004A79AD |. 8BF8 mov edi,eax 004A79AF |. C6443C 1C 00 mov byte ptr ss:[esp+edi+1C],0 004A79B4 |. E8 07FDFFFF call 004A76C0 ; 表生成函数 004A76C0 $ 68 00020000 push 200 004A76C5 . 6A 00 push 0 004A76C7 . 68 303A5B00 push 005B3A30 004A76CC . E8 EFFC0600 call 005173C0 ; 初始化table 004A76D1 . 83C4 0C add esp,0C 004A76D4 . 33D2 xor edx,edx 004A76D6 . EB 08 jmp short 004A76E0 004A76D8 . 8DA424 00000000 lea esp,dword ptr ss:[esp] 004A76DF . 90 nop 004A76E0 > B8 C1C00000 mov eax,0C0C1 004A76E5 . B9 01000000 mov ecx,1 004A76EA . 8D9B 00000000 lea ebx,dword ptr ds:[ebx] 004A76F0 > 85CA test edx,ecx 004A76F2 . 74 08 je short 004A76FC 004A76F4 . 66:310455 303A5B00 xor word ptr ds:[edx*2+5B3A30],ax 004A76FC > 03C0 add eax,eax 004A76FE . 35 03400000 xor eax,4003 004A7703 . 03C9 add ecx,ecx 004A7705 . 81F9 00010000 cmp ecx,100 004A770B . 0FB7C0 movzx eax,ax 004A770E .^ 7C E0 jl short 004A76F0 004A7710 . 42 inc edx 004A7711 . 81FA 00010000 cmp edx,100 004A7717 .^ 7C C7 jl short 004A76E0 004A7719 . C3 retn
代码:
00520A33 . C1E9 07 shr ecx,7 00520A36 . 66:0FEFC0 pxor mm0,mm0 00520A3A . EB 08 jmp short 00520A44 00520A3C . 8DA424 00000000 lea esp,dword ptr ss:[esp] 00520A43 . 90 nop 00520A44 > 66:0F7F07 movq qword ptr ds:[edi],mm0 00520A48 . 66:0F7F47 10 movq qword ptr ds:[edi+10],mm0 00520A4D . 66:0F7F47 20 movq qword ptr ds:[edi+20],mm0 00520A52 . 66:0F7F47 30 movq qword ptr ds:[edi+30],mm0 00520A57 . 66:0F7F47 40 movq qword ptr ds:[edi+40],mm0 00520A5C . 66:0F7F47 50 movq qword ptr ds:[edi+50],mm0 00520A61 . 66:0F7F47 60 movq qword ptr ds:[edi+60],mm0 00520A66 . 66:0F7F47 70 movq qword ptr ds:[edi+70],mm0 00520A6B . 8DBF 80000000 lea edi,dword ptr ds:[edi+80] 00520A71 . 49 dec ecx 00520A72 .^ 75 D0 jnz short 00520A44
疏漏之处,多多包涵。。。