OICQ 圖形留言系統 v3.2註冊碼演算法 不知有沒有人貼過,呵呵! (11千字)
軟體名稱:OICQ 圖形留言系統 v3.2
保護方式:註冊碼
破解人:TAE![BCG] TAE![FCG]
軟體簡介:一個ascii塗鴉工具,可以在QQ上使用!
下載地址:http://software.wx88.net/down/OICQ_setup.exe
前言:現在有許多cracker初學者總是指望在記憶體中找到註冊碼,本人以前也是如此,呵呵,但現在越來越難了,所以一定要掌握軟體的演算法,然後自己算註冊碼,這樣對你的水平提高有很大好處的!這次應朋友所邀破解此軟體!這個軟體是在啟動時判斷註冊碼,現在很多軟體都是如此了,呵呵,廣大Crack初學者一定要熟悉此類程式的跟蹤方法!
它將輸入的註冊資訊放在了登錄檔裡,啟動時讀出資訊,加以判斷。
下斷點Hmemcpy應該不難跟蹤到這裡:
:004B7C9C B201
mov dl, 01
:004B7C9E A134AE4900 mov eax,
dword ptr [0049AE34]
:004B7CA3 E88C32FEFF call 0049AF34
:004B7CA8 8BD8
mov ebx, eax
:004B7CAA BA03000080 mov edx,
80000003
:004B7CAF 8BC3
mov eax, ebx
:004B7CB1 E81E33FEFF call 0049AFD4
:004B7CB6 6A40
push 00000040
:004B7CB8 68487D4B00 push 004B7D48
* Possible StringData Ref from Code Obj ->"需要重新啟動OICQ圖形留言系統檢測註冊名/碼匹配?
->"敕瘢?
|
:004B7CBD 68507D4B00 push 004B7D50
:004B7CC2 8B45FC
mov eax, dword ptr [ebp-04]
:004B7CC5 E816FDF7FF call 004379E0
:004B7CCA 50
push eax
* Reference To: user32.MessageBoxA, Ord:0000h
|
:004B7CCB E810FBF4FF Call 004077E0
:004B7CD0 B101
mov cl, 01
* Possible StringData Ref from Code Obj ->".DEFAULT\Software\ABCSoft\Oicqpic"
\\原來將註冊資訊存在登錄檔裡!
|
:004B7CD2 BA8C7D4B00 mov edx,
004B7D8C
:004B7CD7 8BC3
mov eax, ebx
:004B7CD9 E85E33FEFF call 0049B03C
:004B7CDE 8D55F4
lea edx, dword ptr [ebp-0C]
:004B7CE1 8B45FC
mov eax, dword ptr [ebp-04]
:004B7CE4 8B80E0020000 mov eax, dword
ptr [eax+000002E0]
:004B7CEA E8C99BF7FF call 004318B8
:004B7CEF 8B4DF4
mov ecx, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->"Name"
\\姓名
|
:004B7CF2 BAB87D4B00 mov edx,
004B7DB8
:004B7CF7 8BC3
mov eax, ebx
:004B7CF9 E8BA36FEFF call 0049B3B8
:004B7CFE 8BCE
mov ecx, esi
* Possible StringData Ref from Code Obj ->"Pass"
\\註冊碼
|
:004B7D00 BAC87D4B00 mov edx,
004B7DC8
:004B7D05 8BC3
mov eax, ebx
:004B7D07 E85037FEFF call 0049B45C
:004B7D0C 8BC3
mov eax, ebx
:004B7D0E E8DDB1F4FF call 00402EF0
:004B7D13 A1DC364C00 mov eax,
dword ptr [004C36DC]
:004B7D18 8B00
mov eax, dword ptr [eax]
:004B7D1A E89D7DF9FF call 0044FABC
:004B7D1F 33C0
xor eax, eax
:004B7D21 5A
pop edx
:004B7D22 59
pop ecx
:004B7D23 59
pop ecx
:004B7D24 648910
mov dword ptr fs:[eax], edx
:004B7D27 68417D4B00 push 004B7D41
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B7D3F(U)
|
:004B7D2C 8D45F4
lea eax, dword ptr [ebp-0C]
:004B7D2F BA02000000 mov edx,
00000002
:004B7D34 E8A3BEF4FF call 00403BDC
:004B7D39 C3
ret
既然知道它將資訊放入登錄檔,那就好辦多了!程式是在啟動時判斷是否註冊的,所以用w32dasm反編譯程式,然後查詢Name,第一次找到的就是上面那裡,再搜尋一次可以找到下面這一處:
這裡就是從登錄檔讀出註冊資訊,然後判斷註冊碼是否正確,正確則不再顯示“未註冊”字樣。
* Possible StringData Ref from Code Obj ->".DEFAULT\Software\ABCSoft\Oicqpic"
|
:004BAE43 BA44AF4B00 mov edx,
004BAF44
:004BAE48 8BC6
mov eax, esi
:004BAE4A E8ED01FEFF call 0049B03C
\\這裡判斷登錄檔中是否有註冊資訊
:004BAE4F 84C0
test al, al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BADEA(C)
|
:004BAE51 744F
je 004BAEA2
:004BAE53 8D4DFC
lea ecx, dword ptr [ebp-04]
* Possible StringData Ref from Code Obj ->"Name"
|
:004BAE56 BA70AF4B00 mov edx,
004BAF70
:004BAE5B 8BC6
mov eax, esi
:004BAE5D E88205FEFF call 0049B3E4
:004BAE62 8B55FC
mov edx, dword ptr [ebp-04]
:004BAE65 8D8358040000 lea eax, dword
ptr [ebx+00000458]
:004BAE6B E89C8DF4FF call 00403C0C
* Possible StringData Ref from Code Obj ->"Pass"
|
:004BAE70 BA80AF4B00 mov edx,
004BAF80
:004BAE75 8BC6
mov eax, esi
:004BAE77 E8F405FEFF call 0049B470
:004BAE7C 89832C040000 mov dword ptr
[ebx+0000042C], eax
:004BAE82 8BC6
mov eax, esi
:004BAE84 E86780F4FF call 00402EF0
:004BAE89 8B8B2C040000 mov ecx, dword
ptr [ebx+0000042C]
:004BAE8F 8B9358040000 mov edx, dword
ptr [ebx+00000458]
:004BAE95 8BC3
mov eax, ebx
:004BAE97 E814010000 call 004BAFB0
\\這裡是算碼關鍵call,進去瞧瞧
:004BAE9C 888331040000 mov byte ptr
[ebx+00000431], al \\要注意al
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BAE51(C)
|
:004BAEA2 80BB3104000000 cmp byte ptr [ebx+00000431],
00 \\看,其實關鍵就是返回的al值!
:004BAEA9 743A
je 004BAEE5
\\不跳就爽了!呵呵。
:004BAEAB A1B0494C00 mov eax,
dword ptr [004C49B0]
:004BAEB0 8B80E0030000 mov eax, dword
ptr [eax+000003E0]
:004BAEB6 8B80F0010000 mov eax, dword
ptr [eax+000001F0]
:004BAEBC BA03000000 mov edx,
00000003
:004BAEC1 E8F61EFAFF call 0045CDBC
:004BAEC6 50
push eax
:004BAEC7 8D45F8
lea eax, dword ptr [ebp-08]
:004BAECA 8B8B58040000 mov ecx, dword
ptr [ebx+00000458]
* Possible StringData Ref from Code Obj ->"註冊人:"
|
:004BAED0 BA90AF4B00 mov edx,
004BAF90
:004BAED5 E8AA8FF4FF call 00403E84
:004BAEDA 8B55F8
mov edx, dword ptr [ebp-08]
:004BAEDD 58
pop eax
:004BAEDE E8511EFAFF call 0045CD34
:004BAEE3 EB27
jmp 004BAF0C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BAEA9(C)
|
:004BAEE5 8D55F4
lea edx, dword ptr [ebp-0C]
:004BAEE8 A1B0494C00 mov eax,
dword ptr [004C49B0]
:004BAEED E8C669F7FF call 004318B8
:004BAEF2 8D45F4
lea eax, dword ptr [ebp-0C]
* Possible StringData Ref from Code Obj ->" (未註冊版本)"
|
:004BAEF5 BAA0AF4B00 mov edx,
004BAFA0
:004BAEFA E8418FF4FF call 00403E40
:004BAEFF 8B55F4
mov edx, dword ptr [ebp-0C]
:004BAF02 A1B0494C00 mov eax,
dword ptr [004C49B0]
:004BAF07 E8DC69F7FF call 004318E8
那我們就去那個關鍵call看看吧!
:004BAFB0 55
push ebp
:004BAFB1 8BEC
mov ebp, esp
:004BAFB3 83C4EC
add esp, FFFFFFEC
:004BAFB6 53
push ebx
:004BAFB7 56
push esi
:004BAFB8 33DB
xor ebx, ebx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004BAF53(C), :004BAF5C(C)
|
:004BAFBA 895DEC
mov dword ptr [ebp-14], ebx
:004BAFBD 895DF4
mov dword ptr [ebp-0C], ebx
:004BAFC0 894DF8
mov dword ptr [ebp-08], ecx
:004BAFC3 8955FC
mov dword ptr [ebp-04], edx
:004BAFC6 8B45FC
mov eax, dword ptr [ebp-04]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BAF50(C)
|
:004BAFC9 E81E90F4FF call 00403FEC
:004BAFCE 33C0
xor eax, eax
:004BAFD0 55
push ebp
:004BAFD1 686EB04B00 push 004BB06E
:004BAFD6 64FF30
push dword ptr fs:[eax]
:004BAFD9 648920
mov dword ptr fs:[eax], esp
:004BAFDC 33F6
xor esi, esi
:004BAFDE 8D45F4
lea eax, dword ptr [ebp-0C]
:004BAFE1 8B55FC
mov edx, dword ptr [ebp-04]
:004BAFE4 E8678CF4FF call 00403C50
:004BAFE9 8B45F4
mov eax, dword ptr [ebp-0C]
:004BAFEC E8478EF4FF call 00403E38
:004BAFF1 85C0
test eax, eax
:004BAFF3 7E3D
jle 004BB032
:004BAFF5 8945F0
mov dword ptr [ebp-10], eax
:004BAFF8 BB01000000 mov ebx,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BB030(C)
|
:004BAFFD 8D45EC
lea eax, dword ptr [ebp-14]
:004BB000 50
push eax
:004BB001 B901000000 mov ecx,
00000001
:004BB006 8BD3
mov edx, ebx
:004BB008 8B45F4
mov eax, dword ptr [ebp-0C]
:004BB00B E83090F4FF call 00404040
:004BB010 8B45EC
mov eax, dword ptr [ebp-14]
:004BB013 E8E48FF4FF call 00403FFC
:004BB018 8A00
mov al, byte ptr [eax] \\依次取名字的字元
:004BB01A 33D2
xor edx, edx \\清空暫存器
:004BB01C 8AD0
mov dl, al
\\將取出的字元ascii給dl
:004BB01E 8BCA
mov ecx, edx \\再給ecx
:004BB020 0FAFCA
imul ecx, edx \\ecx*edx,也就是將取出字元的ascii碼平方(是平方,不是開方)!
:004BB023 8D4317
lea eax, dword ptr [ebx+17] \\ebx 從 1 起計,所以 ebx+0x17 依次是 0x18、0x19、0x1A、0x1B……(十六進位)傳給eax
:004BB026 F7EE
imul esi
\\單運算元 imul:edx:eax = eax*esi,後面只用低 32 位元的 eax(整個演算法都是 32 位元運算,名字較長時會以 2^32 取模溢位,寫註冊機時要照此處理);這裡第一次迴圈 esi 是 0,所以第一項只剩字元的平方。
:004BB028 03C8
add ecx, eax \\ecx+eax相加
:004BB02A 8BF1
mov esi, ecx \\儲存運算結果到esi中
:004BB02C 43
inc ebx
\\計數,迴圈多少次?名字的字串個數!
:004BB02D FF4DF0
dec [ebp-10]
:004BB030 75CB
jne 004BAFFD
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004BAFF3(C)
|
:004BB032 8B45F8
mov eax, dword ptr [ebp-08] \\這是從登錄檔 Pass 讀出的註冊碼數值(004BAE77 讀出後存於 [ebx+42C],再經 ecx 傳進本 call),給eax
:004BB035 2D4D050000 sub eax,
0000054D \\eax-0x54D傳給eax
:004BB03A 3BF0
cmp esi, eax \\看結果是不是等於esi(上面運算出的值)
:004BB03C 7508
jne 004BB046 \\不能跳喲!
:004BB03E 85F6
test esi, esi
:004BB040 7404
je 004BB046 \\還要求算出的 esi 不為 0:名字為空時(長度 <= 0,004BAFF3 直接跳過迴圈,esi 保持 0)就算註冊碼填 0x54D 也會在這裡失敗
:004BB042 B301
mov bl, 01 \\看到這個了吧!哈哈哈哈!舒服呀!
:004BB044 EB02
jmp 004BB048
演算法:
每一迴圈:esi = c_i^2 + (i + 0x17) * esi,i 從 1 起計,係數依次是 0x18、0x19、0x1A、0x1B……(十六進位,注意不是 0x20、0x21),全部為 32 位元運算。
以姓名TAE!為例
A=0x54^2+0x18*0
B=0x41^2+0x19*A
C=0x45^2+0x1A*B
D=0x21^2+0x1B*C
SN=D+0x54D
(按這組係數算得 D=126928386,SN=126929743,與下面給出的註冊碼一致;另外 D 必須不為 0,見 004BB03E 的 test esi,esi。)
得到註冊碼的簡單方法:
到了 004BB032那一行,可以用下命令 ? esi+54D(SoftICE 的 ? 求值命令,會同時顯示十六進位和十進位,註冊時填十進位值),即可得到正確註冊碼!!注意程式是啟動時才檢查,輸入後要重啟程式才會生效(見 004B7CBD 那段提示字串)。
一個可用的註冊碼:
Name:TAE!
Sn:126929743
下面這個ascii塗鴉就是用這個軟體做的,呵呵!
.----.
_.'__ `.
.--(#)(##)---/#\
.' @ /###\
: , #####
`-..__.-' _.-\###/
`;_:
`"'
.'"""""`.
/, JOE ,\
// COOL! \\
`-._______.-'
___`. | .'___
(______|______)