《APIS32》的註冊碼演算法 還請各位大俠幫忙寫一下注冊機!!!! (15千字)
《APIS32》的註冊碼演算法
目標:APIS32
不用多說,相信大家都用過!
作者:RATARICE[BCG]
工具:FI、WB2000、TRW2000 1.23、W32DSM89
過程:
一、 用FI檢查,發現是用PETITE 1.2壓過。用WB2000找到程式入口,再用TRW脫掉。
二、 執行軟體,填註冊資訊後,下BPX HMEMCPY。被攔,來到下面程式碼:
******************************************************************
* Referenced by a CALL at Addresses:
|:00401711 , :004018AF , :0040248C , :004026B9 , :00402E96
----------->共有5處檢查
|
:00405040 51
push ecx
:00405041 53
push ebx
:00405042 55
push ebp
:00405043 56
push esi
:00405044 57
push edi
:00405045 6A50
push 00000050
:00405047 6840B74000 push 0040B740
* Possible StringData Ref from Data Obj ->"UserKey"
|
:0040504C 6888A64000 push 0040A688
:00405051 E81A030000 call 00405370
:00405056 83C40C
add esp, 0000000C
:00405059 83F810
cmp eax, 00000010 ---------------->註冊碼長度必須大於等於16
:0040505C 7D08
jge 00405066
:0040505E 33C0
xor eax, eax
:00405060 5F
pop edi
:00405061 5E
pop esi
:00405062 5D
pop ebp
:00405063 5B
pop ebx
:00405064 59
pop ecx
:00405065 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040505C(C)
|
:00405066 6A2F
push 0000002F
:00405068 68C0C34000 push 0040C3C0
* Possible StringData Ref from Data Obj ->"UserName"
|
:0040506D 6878A64000 push 0040A678
:00405072 E8F9020000 call 00405370
:00405077 83C40C
add esp, 0000000C
:0040507A 83F805
cmp eax, 00000005 --------------------->名字長度必須大於等於5
:0040507D 7D08
jge 00405087
:0040507F 33C0
xor eax, eax
:00405081 5F
pop edi
:00405082 5E
pop esi
:00405083 5D
pop ebp
:00405084 5B
pop ebx
:00405085 59
pop ecx
:00405086 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040507D(C)
|
:00405087 BF40B74000 mov edi,
0040B740
:0040508C 83C9FF
or ecx, FFFFFFFF
:0040508F 33C0
xor eax, eax
:00405091 C60551B7400000 mov byte ptr [0040B751],
00
:00405098 F2
repnz
:00405099 AE
scasb
:0040509A F7D1
not ecx
:0040509C 2BF9
sub edi, ecx
:0040509E 8BC1
mov eax, ecx
:004050A0 8BF7
mov esi, edi
:004050A2 BF54B74000 mov edi,
0040B754
:004050A7 C1E902
shr ecx, 02
:004050AA F3
repz
:004050AB A5
movsd
:004050AC 8BC8
mov ecx, eax
:004050AE 33C0
xor eax, eax
:004050B0 83E103
and ecx, 00000003
:004050B3 F3
repz
:004050B4 A4
movsb
:004050B5 BF49B74000 mov edi,
0040B749
:004050BA 83C9FF
or ecx, FFFFFFFF
:004050BD F2
repnz
:004050BE AE
scasb
:004050BF F7D1
not ecx
:004050C1 2BF9
sub edi, ecx
:004050C3 8BD1
mov edx, ecx
:004050C5 8BF7
mov esi, edi
:004050C7 BF5CB74000 mov edi,
0040B75C
:004050CC C1E902
shr ecx, 02
:004050CF F3
repz
:004050D0 A5
movsd
:004050D1 8BCA
mov ecx, edx
:004050D3 83E103
and ecx, 00000003
:004050D6 32DB
xor bl, bl
:004050D8 F3
repz
:004050D9 A4
movsb
:004050DA BE41B74000 mov esi,
0040B741
:004050DF BF54B74000 mov edi,
0040B754
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405103(C)
|
註冊碼第一次變形
:004050E4 57
push edi ------------------
:004050E5 E8E6010000 call 004052D0
|---->要追進去,它算出的數給al
:004050EA 8ACB
mov cl, bl |---->bl初值等於0
:004050EC 83C404
add esp, 00000004 |
:004050EF 80C150
add cl, 50 |---->cl=bl+50
:004050F2 83C702
add edi, 00000002 |
:004050F5 32C1
xor al, cl |---->al與cl異或運算
:004050F7 FEC3
inc bl
|---->bl加一
:004050F9 8846FF
mov byte ptr [esi-01], al |---->將結果放入esi-01
:004050FC C60600
mov byte ptr [esi], 00 |---->將結果的下一位置0
:004050FF 46
inc esi
|---->將指標進一
:00405100 80FB08
cmp bl, 08 |---->要迴圈8次
:00405103 72DF
jb 004050E4 ---------------
:00405105 6854B74000 push 0040B754
注意: 註冊碼計算後變形,記作:(1)
:0040510A 6840B74000 push 0040B740
:0040510F E8EC010000 call 00405300
------------------>註冊碼的第二次變形,要追入!
:00405114 BFC0C34000 mov edi,
0040C3C0
:00405119 83C9FF
or ecx, FFFFFFFF
:0040511C 33C0
xor eax, eax
:0040511E 83C408
add esp, 00000008
:00405121 F2
repnz
:00405122 AE
scasb
:00405123 F7D1
not ecx
:00405125 2BF9
sub edi, ecx
:00405127 33ED
xor ebp, ebp
:00405129 8BD1
mov edx, ecx
:0040512B 8BF7
mov esi, edi
:0040512D BF5EB74000 mov edi,
0040B75E
:00405132 C1E902
shr ecx, 02
:00405135 F3
repz
:00405136 A5
movsd
:00405137 8BCA
mov ecx, edx
:00405139 83E103
and ecx, 00000003
:0040513C F3
repz
:0040513D A4
movsb
:0040513E BFC0C34000 mov edi,
0040C3C0
:00405143 83C9FF
or ecx, FFFFFFFF
:00405146 F2
repnz
:00405147 AE
scasb
:00405148 F7D1
not ecx
:0040514A 49
dec ecx
:0040514B 80F908
cmp cl, 08
:0040514E 884C2410 mov
byte ptr [esp+10], cl
:00405152 7330
jnb 00405184
:00405154 8B542410 mov
edx, dword ptr [esp+10]
:00405158 BFC0C34000 mov edi,
0040C3C0
:0040515D 81E2FF000000 and edx, 000000FF
:00405163 83C9FF
or ecx, FFFFFFFF
:00405166 81C25EB74000 add edx, 0040B75E
:0040516C F2
repnz
:0040516D AE
scasb
:0040516E F7D1
not ecx
:00405170 2BF9
sub edi, ecx
:00405172 8BC1
mov eax, ecx
:00405174 8BF7
mov esi, edi
:00405176 8BFA
mov edi, edx
:00405178 C1E902
shr ecx, 02
:0040517B F3
repz
:0040517C A5
movsd
:0040517D 8BC8
mov ecx, eax
:0040517F 83E103
and ecx, 00000003
:00405182 F3
repz
:00405183 A4
movsb
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405152(C)
|
:00405184 C60566B7400000 mov byte ptr [0040B766],
00 -------------->取名字的前8位!
:0040518B B954B74000 mov ecx,
0040B754
:00405190 BE08000000 mov esi,
00000008
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004051B9(C)
|
:00405195 8A01
mov al, byte ptr [ecx] --------------
:00405197 3C20
cmp al, 20
|
:00405199 730E
jnb 004051A9
|
:0040519B 33D2
xor edx, edx
|
:0040519D 25FF000000 and eax,
000000FF |
:004051A2 8A510A
mov dl, byte ptr [ecx+0A] |
:004051A5 0BD0
or edx, eax
|
:004051A7 EB0C
jmp 004051B5
|
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|
|:00405199(C)
| 分別取(2)與名字
|
| 進行異或運算
:004051A9 33D2
xor edx, edx
| 結果累加到ebp
:004051AB 25FF000000 and eax,
000000FF
|
:004051B0 8A510A
mov dl, byte ptr [ecx+0A] |
:004051B3 33D0
xor edx, eax
|
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|
|:004051A7(U)
|
|
|
:004051B5 03EA
add ebp, edx
|
:004051B7 41
inc ecx
|
:004051B8 4E
dec esi
|
:004051B9 75DA
jne 00405195 ------------------------
:004051BB 33C0
xor eax, eax
:004051BD 5F
pop edi
:004051BE 85ED
test ebp, ebp ----------------------->檢查ebp是否為0,若為0
:004051C0 5E
pop esi
則註冊成功,反之失敗!
:004051C1 5D
pop ebp
:004051C2 0F94C0
sete al ----------------------------->置標誌位
:004051C5 5B
pop ebx
:004051C6 59
pop ecx
:004051C7 C3
ret
*************************************************************
* Referenced by a CALL at Address:
|:004050E5
|
:004052D0 8B4C2404 mov
ecx, dword ptr [esp+04] ---------->將註冊碼的地址賦給ecx
:004052D4 8A01
mov al, byte ptr [ecx] --------------->取第一個數給al
:004052D6 3C39
cmp al, 39 --------------------------->與39比較
:004052D8 7E04
jle 004052DE ------------------------->小於等於就跳
:004052DA 04C9
add al, C9 --------------------------->若大於al=al+c9
:004052DC EB02
jmp 004052E0 ------------------------->跳
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004052D8(C)
|
:004052DE 04D0
add al, D0 --------------------------->al=al+d0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004052DC(U)
|
:004052E0 8A4901
mov cl, byte ptr [ecx+01] ------------>取第二個數給cl
:004052E3 80F939
cmp cl, 39 --------------------------->與39比較
:004052E6 7E09
jle 004052F1 ------------------------->小於等於就跳
:004052E8 C0E004
shl al, 04 --------------------------->若大於al邏輯左移4位
:004052EB 80E937
sub cl, 37 --------------------------->cl=cl-37
:004052EE 0AC1
or al, cl ---------------------------->al與cl進行或運算
:004052F0 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004052E6(C)
|
:004052F1 C0E004
shl al, 04 -------------------------->al邏輯左移4位
:004052F4 80E930
sub cl, 30 -------------------------->cl=cl-30
:004052F7 0AC1
or al, cl --------------------------->al與cl進行或運算
:004052F9 C3
ret
**************************************************************
* Referenced by a CALL at Address: 共兩重迴圈,見下:
|:0040510F
|
:00405300 53
push ebx
:00405301 55
push ebp
:00405302 8B6C2410 mov
ebp, dword ptr [esp+10]
:00405306 56
push esi
:00405307 57
push edi
:00405308 8B7C2414 mov
edi, dword ptr [esp+14]
:0040530C 33C9
xor ecx, ecx
:0040530E 2BFD
sub edi, ebp
:00405310 897C2418 mov
dword ptr [esp+18], edi
:00405314 EB04
jmp 0040531A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405364(C)
|
:00405316 8B7C2418 mov
edi, dword ptr [esp+18]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405314(U)
|
:0040531A 8D3429
lea esi, dword ptr [ecx+ebp]
:0040531D 33D2
xor edx, edx
:0040531F B801000000 mov eax,
00000001
:00405324 C744241407000000 mov [esp+14], 00000007
:0040532C 8A1437
mov dl, byte ptr [edi+esi]
:0040532F 8BFA
mov edi, edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405350(C)
|
:00405331 8BD7
mov edx, edi ----------------------- 取出(1)中的數,自己與
:00405333 0FAFC2
imul eax, edx
| 自己相乘得一個數,直到
:00405336 3D99880000 cmp eax,
00008899 | 這個數大於8899,再將這個
:0040533B 7E0A
jle 00405347
| 數與8899相除,取餘。共乘
:0040533D 99
cdq
| 8回(1)中的數。最後將
:0040533E BB99880000 mov ebx,
00008899 | 得數賦給eax。
:00405343 F7FB
idiv ebx
|
:00405345 8BC2
mov eax, edx
| 退出第一重迴圈,進入第二
| 重迴圈!
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |
|:0040533B(C)
|
|
|
:00405347 8B542414 mov
edx, dword ptr [esp+14] |
:0040534B 4A
dec edx
|
:0040534C 89542414 mov
dword ptr [esp+14], edx |
:00405350 75DF
jne 00405331 -----------------------
:00405352 99
cdq -------------------------------- 再將eax與bb相除,把餘數
:00405353 BFBB000000 mov edi,
000000BB | 作為結果儲存。
:00405358 F7FF
idiv edi
|
:0040535A 41
inc ecx
| 這是第二重迴圈,共8回!
:0040535B 83F908
cmp ecx, 00000008
|
:0040535E 8816
mov byte ptr [esi], dl | 得到註冊碼的最終變形
:00405360 C6042900 mov
byte ptr [ecx+ebp], 00 | 記作(2)
:00405364 7CB0
jl 00405316 ------------------------
:00405366 5F
pop edi
:00405367 5E
pop esi
:00405368 5D
pop ebp
:00405369 5B
pop ebx
:0040536A C3
ret
三、 雖然明白了它的註冊演算法,但終因本人功力不夠,沒能寫出序號產生器,還請大俠們幫忙寫出它的序號產生器, 讓我也可早日拿到註冊碼!!!也能從中多學點知識!!!
!!!!!!!!!!!!!!!!!!靜待佳音!!!!!!!!!!!!!!!!!!