有聲有色4.0註冊演算法一 (11千字)

有聲有色4.0註冊演算法

作者：華仔
組織：China Cracking Group
時間：2001.05.01

我的上網時間幾乎為0，這篇文章還是在朋友家發出來的（朋友讓我搞定這個軟體，回報
就是獲得(30 mod 20) or (60 xor 57)分鐘的上網時間）

一、實戰：

1、進入註冊視窗，輸入如下資訊
序列號：1974923
使用者名稱：華仔[CCG]
註冊碼：1974923

2、載入TRW2000，下“bpx hmemcpy”設斷，再下“g”執行程式，單擊“確定”，程式馬
上被攔下。下“pmodule”、再按59次F10 來到005439F1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00543952(C)
|
:005439F1 33C0 xor eax, eax
:005439F3 55 push ebp
:005439F4 685C3E5400 push 00543E5C
:005439F9 64FF30 push dword ptr fs:[eax]
:005439FC 648920 mov dword ptr fs:[eax], esp
:005439FF B8807D5600 mov eax, 00567D80
:00543A04 BA14405400 mov edx, 00544014
:00543A09 E81E04ECFF call 00403E2C
:00543A0E 68687D5600 push 00567D68
:00543A13 8D55DC lea edx, dword ptr [ebp-24]
:00543A16 8B45FC mov eax, dword ptr [ebp-04]
:00543A19 8B80EC020000 mov eax, dword ptr [eax+000002EC]
:00543A1F E87C2EEFFF call 004368A0
:00543A24 8B45DC mov eax, dword ptr [ebp-24]
*//取輸入的序列號：1974923

* Possible Reference to String Resource ID=00001: "Today"
|
:00543A27 B901000000 mov ecx, 00000001
*//第一位：1

:00543A2C BA04000000 mov edx, 00000004
*//取第四位：4

:00543A31 E82A08ECFF call 00404260
:00543A36 686C7D5600 push 00567D6C
:00543A3B 8D55D8 lea edx, dword ptr [ebp-28]
:00543A3E 8B45FC mov eax, dword ptr [ebp-04]
:00543A41 8B80EC020000 mov eax, dword ptr [eax+000002EC]
:00543A47 E8542EEFFF call 004368A0
:00543A4C 8B45D8 mov eax, dword ptr [ebp-28]
*//取輸入的序列號：1974923

* Possible Reference to String Resource ID=00001: "Today"
|
:00543A4F B901000000 mov ecx, 00000001
*//第一位：1

* Possible Reference to String Resource ID=00001: "Today"
|
:00543A54 BA01000000 mov edx, 00000001
*//取第一位：1

:00543A59 E80208ECFF call 00404260
:00543A5E 68707D5600 push 00567D70
:00543A63 8D55D4 lea edx, dword ptr [ebp-2C]
:00543A66 8B45FC mov eax, dword ptr [ebp-04]
:00543A69 8B80EC020000 mov eax, dword ptr [eax+000002EC]
:00543A6F E82C2EEFFF call 004368A0
:00543A74 8B45D4 mov eax, dword ptr [ebp-2C]
*//取輸入的序列號：1974923

* Possible Reference to String Resource ID=00001: "Today"
|
:00543A77 B901000000 mov ecx, 00000001
*//第一位：1

:00543A7C BA06000000 mov edx, 00000006
*//取第六位：2

:00543A81 E8DA07ECFF call 00404260
:00543A86 68747D5600 push 00567D74
:00543A8B 8D55D0 lea edx, dword ptr [ebp-30]
:00543A8E 8B45FC mov eax, dword ptr [ebp-04]
:00543A91 8B80EC020000 mov eax, dword ptr [eax+000002EC]
:00543A97 E8042EEFFF call 004368A0
:00543A9C 8B45D0 mov eax, dword ptr [ebp-30]
*//取輸入的序列號：1974923

* Possible Reference to String Resource ID=00001: "Today"
|
:00543A9F B901000000 mov ecx, 00000001
*//第一位：1

:00543AA4 BA03000000 mov edx, 00000003
*//取第三位：7

:00543AA9 E8B207ECFF call 00404260
:00543AAE 68787D5600 push 00567D78
:00543AB3 8D55CC lea edx, dword ptr [ebp-34]
:00543AB6 8B45FC mov eax, dword ptr [ebp-04]
:00543AB9 8B80EC020000 mov eax, dword ptr [eax+000002EC]
:00543ABF E8DC2DEFFF call 004368A0
:00543AC4 8B45CC mov eax, dword ptr [ebp-34]
*//取輸入的序列號：1974923

* Possible Reference to String Resource ID=00001: "Today"
|
:00543AC7 B901000000 mov ecx, 00000001
*//第一位：1

:00543ACC BA02000000 mov edx, 00000002
*//取第二位：9

:00543AD1 E88A07ECFF call 00404260
:00543AD6 687C7D5600 push 00567D7C
:00543ADB 8D55C8 lea edx, dword ptr [ebp-38]
:00543ADE 8B45FC mov eax, dword ptr [ebp-04]
:00543AE1 8B80EC020000 mov eax, dword ptr [eax+000002EC]
:00543AE7 E8B42DEFFF call 004368A0
:00543AEC 8B45C8 mov eax, dword ptr [ebp-38]
*//取輸入的序列號：1974923

* Possible Reference to String Resource ID=00001: "Today"
|
:00543AEF B901000000 mov ecx, 00000001
*//第一位：1

:00543AF4 BA05000000 mov edx, 00000005
*//取第五位：9

:00543AF9 E86207ECFF call 00404260
:00543AFE FF35687D5600 push dword ptr [00567D68]
:00543B04 FF356C7D5600 push dword ptr [00567D6C]
:00543B0A FF35807D5600 push dword ptr [00567D80]
:00543B10 FF35707D5600 push dword ptr [00567D70]
:00543B16 FF35747D5600 push dword ptr [00567D74]
:00543B1C FF35807D5600 push dword ptr [00567D80]
:00543B22 FF35787D5600 push dword ptr [00567D78]
:00543B28 FF357C7D5600 push dword ptr [00567D7C]
:00543B2E B8647D5600 mov eax, 00567D64
:00543B33 BA08000000 mov edx, 00000008
:00543B38 E8DB05ECFF call 00404118
:00543B3D 33C0 xor eax, eax
:00543B3F 5A pop edx
:00543B40 59 pop ecx
:00543B41 59 pop ecx
:00543B42 648910 mov dword ptr fs:[eax], edx
:00543B45 68663E5400 push 00543E66

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00543E61(U)
|
:00543B4A A1647D5600 mov eax, dword ptr [00567D64]
*//EAX=41/27/99

:00543B4F 8B15607D5600 mov edx, dword ptr [00567D60]
*//取主機板BIOS資料日期：11/06/00 ==> EDX

:00543B55 E80E06ECFF call 00404168
:00543B5A 0F848F000000 je 00543BEF
*//EAX=EDX才跳。

:00543B60 33C0 xor eax, eax
:00543B62 55 push ebp
:00543B63 68E83B5400 push 00543BE8
:00543B68 64FF30 push dword ptr fs:[eax]
:00543B6B 648920 mov dword ptr fs:[eax], esp
:00543B6E 6A30 push 00000030

* Possible StringData Ref from Code Obj ->"註冊軟體"
|
:00543B70 68C43E5400 push 00543EC4

* Possible StringData Ref from Code Obj ->"序列號、使用者名稱或註冊碼錯誤，請重新輸入！"
|
:00543B75 68D03E5400 push 00543ED0
:00543B7A 8B45FC mov eax, dword ptr [ebp-04]
:00543B7D E8C28FEFFF call 0043CB44
:00543B82 50 push eax

.........
.........
.........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00543B5A(C)
|
:00543BEF 8B4DFC mov ecx, dword ptr [ebp-04]
:00543BF2 B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"?A"
|
:00543BF4 A174EF4800 mov eax, dword ptr [0048EF74]
:00543BF9 E81A74EDFF call 0041B018
:00543BFE A3547D5600 mov dword ptr [00567D54], eax
:00543C03 BA0D3E0000 mov edx, 00003E0D
*//EDX=3E0D（下面要用到）

:00543C08 A1547D5600 mov eax, dword ptr [00567D54]
:00543C0D E846B5F4FF call 0048F158
:00543C12 8D55C4 lea edx, dword ptr [ebp-3C]
:00543C15 8B45FC mov eax, dword ptr [ebp-04]
:00543C18 8B80E4020000 mov eax, dword ptr [eax+000002E4]
:00543C1E E87D2CEFFF call 004368A0
:00543C23 8B55C4 mov edx, dword ptr [ebp-3C]
*//取使用者名稱：華仔[CCG]

:00543C26 A1547D5600 mov eax, dword ptr [00567D54]
:00543C2B E8B0B4F4FF call 0048F0E0
*//計算註冊碼的CALL，程式碼在下面。（標記為①）

:00543C30 8D55C0 lea edx, dword ptr [ebp-40]
:00543C33 8B45FC mov eax, dword ptr [ebp-04]
:00543C36 8B80E8020000 mov eax, dword ptr [eax+000002E8]
:00543C3C E85F2CEFFF call 004368A0
:00543C41 8B45C0 mov eax, dword ptr [ebp-40]
*//取註冊碼：1974923

:00543C44 8B15547D5600 mov edx, dword ptr [00567D54]
:00543C4A 8B522C mov edx, dword ptr [edx+2C]
*//程式說註冊碼應該是這個：267507-365370885-11145564

:00543C4D E81605ECFF call 00404168
:00543C52 7549 jne 00543C9D
*//不等就跳到錯誤視窗

.........
.........
.........

①計算註冊碼的CALL：
* Referenced by a CALL at Addresses:
|:00543C2B , :0054A5F1
|
:0048F0E0 55 push ebp
:0048F0E1 8BEC mov ebp, esp
:0048F0E3 83C4F8 add esp, FFFFFFF8
:0048F0E6 53 push ebx
:0048F0E7 33C9 xor ecx, ecx
:0048F0E9 894DF8 mov dword ptr [ebp-08], ecx
:0048F0EC 8955FC mov dword ptr [ebp-04], edx
:0048F0EF 8BD8 mov ebx, eax
:0048F0F1 8B45FC mov eax, dword ptr [ebp-04]
:0048F0F4 E81351F7FF call 0040420C
:0048F0F9 33C0 xor eax, eax
:0048F0FB 55 push ebp
:0048F0FC 6849F14800 push 0048F149
:0048F101 64FF30 push dword ptr fs:[eax]
:0048F104 648920 mov dword ptr fs:[eax], esp
:0048F107 8D4324 lea eax, dword ptr [ebx+24]
:0048F10A 8B55FC mov edx, dword ptr [ebp-04]
:0048F10D E81A4DF7FF call 00403E2C
:0048F112 8D45F8 lea eax, dword ptr [ebp-08]
:0048F115 50 push eax
:0048F116 8B4B24 mov ecx, dword ptr [ebx+24]
*//取輸入的使用者名稱：華仔[CCG]

:0048F119 8B5328 mov edx, dword ptr [ebx+28]
:0048F11C 8BC3 mov eax, ebx
:0048F11E E891000000 call 0048F1B4
*//計算註冊碼的CALL，程式碼在下面。（標記為②）

:0048F123 8B55F8 mov edx, dword ptr [ebp-08]
*//將計算後正確的註冊碼送給EDX

:0048F126 8D432C lea eax, dword ptr [ebx+2C]
:0048F129 E8FE4CF7FF call 00403E2C
:0048F12E 33C0 xor eax, eax
:0048F130 5A pop edx
:0048F131 59 pop ecx
:0048F132 59 pop ecx
:0048F133 648910 mov dword ptr fs:[eax], edx
:0048F136 6850F14800 push 0048F150

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048F14E(U)
|
:0048F13B 8D45F8 lea eax, dword ptr [ebp-08]
:0048F13E BA02000000 mov edx, 00000002
:0048F143 E8B44CF7FF call 00403DFC
:0048F148 C3 ret

有聲有色4.0註冊演算法 一 (11千字)

相關文章

有聲有色4.0註冊演算法一 (11千字)