重新貼過註冊演算法分析 (16千字)
SitMan PC 復讀機 2.0 beta 2 註冊演算法分析
【軟體功能】:
◇ 復讀功能
◇ 錄音跟讀對比功能
◇ 聽寫文字與語音的完美結合
◇ 聽力資料管理
◇ 列表播放支援
◇ 其他特色功能
【軟體主頁】:http://www.yyhorse.com/
【功能限制】:試用15天,15天后要求註冊
【破解工具】:DeDe,Trw2000,Caspr,Language2000
【本文作者】:eCool[BCG]
【整理時間】:2001.10.23
轉載請保持原文完整,謝謝。
把這個東東拉下來後,立馬用Language2000看看有沒有加殼,呵呵,原來加了Aspack,好辦,馬上用
Caspr搞定它,執行Trw2000,然後執行SitMan,靠,怎麼沒有發現註冊的地方?????,我倒,先不管它,
關閉,將時間調後一年,再次執行,討厭的對話方塊出來了,不理他,點確定,要求註冊,我靠,還是沒有註冊
的地方,What?作者騙人?????,用Language2000看看是什麼語言寫的再說,呵呵,Delphi啊,DeDe
(弟弟?)馬上用上,防編譯,看看那個註冊Form有什麼東東,哈哈,發現有註冊按鈕,玩我,哼,看我怎麼
收拾你,看到那個“未註冊”Label有個雙擊事件,好,馬上執行SitMan,雙擊未註冊這個地方,呵呵,註冊
提示出來了,有戲看了,馬上用DeDe找到了註冊點:
0048B740 55
push ebp
0048B741 8BEC
mov ebp, esp
0048B743 B905000000 mov
ecx, $00000005
0048B748 6A00
push $00
0048B74A 6A00
push $00
0048B74C 49
dec ecx
0048B74D 75F9
jnz 0048B748
0048B74F 53
push ebx
0048B750 56
push esi
0048B751 8BD8
mov ebx, eax
0048B753 33C0
xor eax, eax
0048B755 55
push ebp
0048B756 6894B94800 push
$0048B994
0048B75B 64FF30
push dword ptr fs:[eax]
0048B75E 648920
mov fs:[eax], esp
0048B761 8D55FC
lea edx, [ebp-$04]
0048B764 8B83F4020000 mov
eax, [ebx+$02F4]
0048B76A E831B3FAFF call
00436AA0
0048B76F 837DFC00 cmp
dword ptr [ebp-$04], +$00
0048B773 0F84D3010000 jz
0048B94C
0048B779 8D55F8
lea edx, [ebp-$08]
0048B77C 8B83F8020000 mov
eax, [ebx+$02F8]
0048B782 E819B3FAFF call
00436AA0
0048B787 837DF800 cmp
dword ptr [ebp-$08], +$00
0048B78B 0F84BB010000 jz
0048B94C
0048B791 33D2
xor edx, edx
0048B793 8B8338030000 mov
eax, [ebx+$0338]
0048B799 8B08
mov ecx, [eax]
0048B79B FF515C
call dword ptr [ecx+$5C]
0048B79E 8B15A0D24900 mov
edx, [$49D2A0]
0048B7A4 8B12
mov edx, [edx]
0048B7A6 8B833C030000 mov
eax, [ebx+$033C]
0048B7AC E81FB3FAFF call
00436AD0
0048B7B1 BE03000000 mov
esi, $00000003
0048B7B6 B201
mov dl, $01
0048B7B8 8B833C030000 mov
eax, [ebx+$033C]
0048B7BE E8F5B1FAFF call
004369B8
0048B7C3 66B8BC02 mov
ax, $02BC
0048B7C7 E8B8350000 call
0048ED84
0048B7CC 33D2
xor edx, edx
0048B7CE 8B833C030000 mov
eax, [ebx+$033C]
0048B7D4 E8DFB1FAFF call
004369B8
0048B7D9 66B82C01 mov
ax, $012C
0048B7DD E8A2350000 call
0048ED84
0048B7E2 4E
dec esi
0048B7E3 75D1
jnz 0048B7B6
0048B7E5 8D55F4
lea edx, [ebp-$0C]
0048B7E8 8B83F8020000 mov
eax, [ebx+$02F8]
0048B7EE E8ADB2FAFF call
00436AA0
0048B7F3 8B45F4
mov eax, [ebp-$0C]
0048B7F6 50
push eax
0048B7F7 8D55F0
lea edx, [ebp-$10]
0048B7FA 8B83F4020000 mov
eax, [ebx+$02F4]
0048B800 E89BB2FAFF call
00436AA0
0048B805 8B45F0
mov eax, [ebp-$10]
0048B808 5A
pop edx
0048B809 E86AFDFFFF call
0048B578--------->進入
0048B80E 84C0
test al, al----------->Woo.... 經典的對比
0048B810 0F84FF000000 jz
0048B915
0048B816 E8051DF8FF call
0040D520
0048B81B A1A8D44900 mov
eax, dword ptr [$49D4A8]
0048B820 8B00
mov eax, [eax]
0048B822 E8BDB2FCFF call
00456AE4
0048B827 8D55E8
lea edx, [ebp-$18]
0048B82A 8B83F4020000 mov
eax, [ebx+$02F4]
0048B830 E86BB2FAFF call
00436AA0
0048B835 8B45E8
mov eax, [ebp-$18]
0048B838 8D55EC
lea edx, [ebp-$14]
0048B83B E8F8E0F7FF call
00409938
0048B840 8B55EC
mov edx, [ebp-$14]
0048B843 A1B8D54900 mov
eax, dword ptr [$49D5B8]
0048B848 E82784F7FF call
00403C74
0048B84D 8D55E0
lea edx, [ebp-$20]
0048B850 8B83F8020000 mov
eax, [ebx+$02F8]
0048B856 E845B2FAFF call
00436AA0
0048B85B 8B45E0
mov eax, [ebp-$20]
0048B85E 8D55E4
lea edx, [ebp-$1C]
0048B861 E8D2E0F7FF call
00409938
0048B866 8B55E4
mov edx, [ebp-$1C]
0048B869 A110D34900 mov
eax, dword ptr [$49D310]
0048B86E E80184F7FF call
00403C74
0048B873 A160D54900 mov
eax, dword ptr [$49D560]
0048B878 C7003E330100 mov
dword ptr [eax], $0001333E
0048B87E A134D44900 mov
eax, dword ptr [$49D434]
0048B883 833800
cmp dword ptr [eax], +$00
0048B886 7536
jnz 0048B8BE
0048B888 A1ECD44900 mov
eax, dword ptr [$49D4EC]
0048B88D FF30
push dword ptr [eax]
0048B88F A18CD44900 mov
eax, dword ptr [$49D48C]
0048B894 FF30
push dword ptr [eax]
0048B896 68ACB94800 push
$0048B9AC
0048B89B A1DCD74900 mov
eax, dword ptr [$49D7DC]
0048B8A0 FF30
push dword ptr [eax]
0048B8A2 8D45DC
lea eax, [ebp-$24]
0048B8A5 BA04000000 mov
edx, $00000004
0048B8AA E8B186F7FF call
00403F60
0048B8AF 8B55DC
mov edx, [ebp-$24]
0048B8B2 A134D34900 mov
eax, dword ptr [$49D334]
0048B8B7 8B00
mov eax, [eax]
0048B8B9 E812B2FAFF call
00436AD0
0048B8BE E869850000 call
00493E2C
0048B8C3 E8BC860000 call
00493F84
0048B8C8 A170D74900 mov
eax, dword ptr [$49D770]
0048B8CD FF30
push dword ptr [eax]
這個Call在這裡
* Referenced by a CALL at Address:
|:0048B809
|
:0048B578 55
push ebp
:0048B579 8BEC
mov ebp, esp
:0048B57B 83C4F0
add esp, FFFFFFF0
:0048B57E 53
push ebx
:0048B57F 56
push esi
:0048B580 57
push edi
:0048B581 33C9
xor ecx, ecx
:0048B583 894DF0
mov dword ptr [ebp-10], ecx
:0048B586 8955F8
mov dword ptr [ebp-08], edx------->取註冊碼
:0048B589 8945FC
mov dword ptr [ebp-04], eax ------->取使用者名稱
:0048B58C 8B45FC
mov eax, dword ptr [ebp-04]
:0048B58F E8C08AF7FF call 00404054---------------------->判斷使用者名稱是否為空?
:0048B594 8B45F8
mov eax, dword ptr [ebp-08]
:0048B597 E8B88AF7FF call 00404054---------------------->判斷註冊碼是否為空?
:0048B59C 33C0
xor eax, eax
:0048B59E 55
push ebp
:0048B59F 68FEB64800 push 0048B6FE
:0048B5A4 64FF30
push dword ptr fs:[eax]
:0048B5A7 648920
mov dword ptr fs:[eax], esp
:0048B5AA C645F700 mov
[ebp-09], 00
:0048B5AE 8D55F0
lea edx, dword ptr [ebp-10]
:0048B5B1 8B45FC
mov eax, dword ptr [ebp-04]
:0048B5B4 E87FE3F7FF call 00409938
:0048B5B9 8B55F0
mov edx, dword ptr [ebp-10]
:0048B5BC 8D45FC
lea eax, dword ptr [ebp-04]
:0048B5BF E8F486F7FF call 00403CB8
:0048B5C4 8B45FC
mov eax, dword ptr [ebp-04]
:0048B5C7 E8D488F7FF call 00403EA0
:0048B5CC 8BC8
mov ecx, eax
:0048B5CE 83F903
cmp ecx, 00000003------------
:0048B5D1 0F8C04010000 jl 0048B6DB
|使用者名稱在3-20個字元之間
:0048B5D7 83F914
cmp ecx, 00000014------------
:0048B5DA 0F8FFB000000 jg 0048B6DB
:0048B5E0 8B45F8
mov eax, dword ptr [ebp-08]
:0048B5E3 E8B888F7FF call 00403EA0
:0048B5E8 83F812
cmp eax, 00000012---------->註冊碼必須是18個字元
:0048B5EB 0F85EA000000 jne 0048B6DB
:0048B5F1 B904000000 mov ecx,
00000004--------------------|
|這部分判斷
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|註冊碼的第4-10位
|:0048B60B(C)
|是否為數字
|
|
:0048B5F6 8B45F8
mov eax, dword ptr [ebp-08] |
:0048B5F9 8A4408FF mov
al, byte ptr [eax+ecx-01] |
:0048B5FD 04D0
add al, D0 -->由xw0a=ff |
:0048B5FF 2C0A
sub al, 0A -->推出x=39,即'9' |
:0048B601 0F83D4000000 jnb 0048B6DB
|
:0048B607 41
inc ecx
|
:0048B608 83F90A
cmp ecx, 0000000A-------------------->
:0048B60B 75E9
jne 0048B5F6
:0048B60D B901000000 mov ecx,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048B62D(C)
|
:0048B612 8B45F8
mov eax, dword ptr [ebp-08]----------|
:0048B615 8A4408FF mov
al, byte ptr [eax+ecx-01] |
:0048B619 04D0
add al, D0
|
:0048B61B 2C0A
sub al, 0A
|
:0048B61D 720A
jb 0048B629
|判斷註冊碼的所有
:0048B61F 04D9
add al, D9
|位是否在'0'-'9'
:0048B621 2C1A
sub al, 1A
|或 'a'-'z'中(不知是否有錯?)
:0048B623 0F83B2000000 jnb 0048B6DB
|
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|
|:0048B61D(C)
|
|
|
:0048B629 41
inc ecx
|
:0048B62A 83F913
cmp ecx, 00000013
|
:0048B62D 75E3
jne 0048B612------------------------ |
:0048B62F BE01000000 mov esi,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:--->這段開始算前3位註冊碼
|:0048B687(C)
|
:0048B634 BB01000000 mov ebx,
00000001
:0048B639 8B45FC
mov eax, dword ptr [ebp-04]
:0048B63C E85F88F7FF call 00403EA0
:0048B641 8BF8
mov edi, eax
:0048B643 85FF
test edi, edi
:0048B645 7E21
jle 0048B668
:0048B647 B901000000 mov ecx,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048B666(C)
|
:0048B64C 8B45FC
mov eax, dword ptr [ebp-04]------------>使用者名稱
:0048B64F 0FB64408FF movzx eax,
byte ptr [eax+ecx-01]
:0048B654 F7EB
imul ebx
:0048B656 03C6
add eax, esi
:0048B658 03C1
add eax, ecx
:0048B65A BB65010000 mov ebx,
00000165
:0048B65F 99
cdq
:0048B660 F7FB
idiv ebx
:0048B662 8BDA
mov ebx, edx
:0048B664 41
inc ecx
:0048B665 4F
dec edi
:0048B666 75E4
jne 0048B64C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048B645(C)
|
:0048B668 8BC3
mov eax, ebx
:0048B66A B924000000 mov ecx,
00000024
:0048B66F 99
cdq
:0048B670 F7F9
idiv ecx
* Possible StringData Ref from Code Obj ->"0123456789abcdefghijklmnopqrstuvwxyz"
|
:0048B672 B818B74800 mov eax,
0048B718
:0048B677 8A0410
mov al, byte ptr [eax+edx]----->從上面的字串中取值
:0048B67A 8B55F8
mov edx, dword ptr [ebp-08]
:0048B67D 3A4432FF cmp
al, byte ptr [edx+esi-01]
:0048B681 7558
jne 0048B6DB
:0048B683 46
inc esi
:0048B684 83FE04
cmp esi, 00000004-------->上面的程式碼透過使用者名稱算出
:0048B687 75AB
jne 0048B634 ---------前3位註冊碼
:0048B689 BB01000000 mov ebx,
00000001
:0048B68E BE0A000000 mov esi,
0000000A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048B6D5(C)
|
:0048B693 B901000000 mov ecx,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:---->這段開始算第10-18位註冊碼
|:0048B6B4(C)
|
:0048B698 8B45F8
mov eax, dword ptr [ebp-08]--------------->註冊碼
:0048B69B 0FB64408FF movzx eax,
byte ptr [eax+ecx-01]
:0048B6A0 F7EB
imul ebx
:0048B6A2 03C1
add eax, ecx
:0048B6A4 03C6
add eax, esi
:0048B6A6 BB79010000 mov ebx,
00000179
:0048B6AB 99
cdq
:0048B6AC F7FB
idiv ebx
:0048B6AE 8BDA
mov ebx, edx
:0048B6B0 41
inc ecx
:0048B6B1 83F90A
cmp ecx, 0000000A --------------->處理第1-9位註冊碼
:0048B6B4 75E2
jne 0048B698
:0048B6B6 8BC3
mov eax, ebx
:0048B6B8 B924000000 mov ecx,
00000024
:0048B6BD 99
cdq
:0048B6BE F7F9
idiv ecx
* Possible StringData Ref from Code Obj ->"0123456789abcdefghijklmnopqrstuvwxyz"
|
:0048B6C0 B818B74800 mov eax,
0048B718
:0048B6C5 8A0410
mov al, byte ptr [eax+edx]------->從上面的字串中取值
:0048B6C8 8B55F8
mov edx, dword ptr [ebp-08]
:0048B6CB 3A4432FF cmp
al, byte ptr [edx+esi-01]----------->由第1-9位註冊碼
:0048B6CF 750A
jne 0048B6DB ----------->算出第10-18位註冊碼
:0048B6D1 46
inc esi
:0048B6D2 83FE13
cmp esi, 00000013
:0048B6D5 75BC
jne 0048B693
:0048B6D7 C645F701 mov
[ebp-09], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048B5D1(C), :0048B5DA(C), :0048B5EB(C), :0048B601(C), :0048B623(C)
|:0048B681(C), :0048B6CF(C)
|
:0048B6DB 33C0
xor eax, eax
:0048B6DD 5A
pop edx
:0048B6DE 59
pop ecx
:0048B6DF 59
pop ecx
:0048B6E0 648910
mov dword ptr fs:[eax], edx
:0048B6E3 6805B74800 push 0048B705
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048B703(U)
|
:0048B6E8 8D45F0
lea eax, dword ptr [ebp-10]
:0048B6EB E83085F7FF call 00403C20
:0048B6F0 8D45F8
lea eax, dword ptr [ebp-08]
:0048B6F3 BA02000000 mov edx,
00000002
:0048B6F8 E84785F7FF call 00403C44
:0048B6FD C3 ret
序號產生器如下(VB6)編寫:
標 題:重新貼過序號產生器,有空幫忙到http://crackme.longcity.net下載測試 (1千字)
詳細資訊:
Public Function GetSN(strName as string) As String
Dim strName As String
Dim strTemp As String
Const strFlag As String = "0123456789abcdefghijklmnopqrstuvwxyz"
Dim i As Long
Dim j As Long
Dim lngLen As Long
Dim esi As Long
Dim ebx As Long
Dim eax As Long
Dim ecx As Long
Dim edx As Long
Dim X As Long
esi = 1: eax = 0: ecx = 0: edx = 0: strTemp = ""
lngLen = Len(strName)
For j = 1 To 3
ebx = 1: esi = j
For i = 1 To lngLen
ecx = i
eax = Asc(Mid(strName, i, 1))
eax = eax * ebx
eax = eax + esi
eax = eax + ecx
ebx = &H165
ebx = eax Mod ebx
Next i
eax = ebx
ecx = &H24
edx = eax Mod ecx
strTemp = strTemp & Mid(strFlag, edx + 1, 1)
Next j
X = 899999 * Rnd + 100000
strTemp = strTemp & CStr(X)
ebx = 1
For j = 10 To 18
esi = j
For i = 1 To 9
ecx = i
eax = Asc(Mid(strTemp, i, 1))
eax = eax * ebx
eax = eax + ecx
eax = eax + esi
ebx = &H179
ebx = eax Mod ebx
Next i
eax = ebx
ecx = &H24
edx = eax Mod ecx
strTemp = strTemp & Mid(strFlag, edx + 1, 1)
Next j
GetSN = strTemp
End Function
相關文章
- FolderView 1.7
註冊演算法分析 (14千字)2015-11-15View演算法
- EffeTech HTTP Sniffer 3.2註冊演算法分析 (5千字)2002-06-24HTTP演算法
- Green Tea 2.60註冊碼演算法分析 (3千字)2000-07-17演算法
- DataFit V7.0.36註冊過程的分析 (9千字)2001-11-09
- Cute Email Searcher2.2註冊過程分析 (5千字)2001-11-18AI
- SuperCleaner 2.31註冊碼演算法分析 - OCG (13千字)2002-04-02演算法
- Registry Crawler 4.0註冊碼演算法分析 - OCG
(20千字)2002-04-07演算法
- UltraEdit-32
10註冊碼演算法分析 (19千字)2003-05-17演算法
- 完美解除安裝6.0註冊演算法分析 (2千字)2002-02-27演算法
- Directory Scanner v1.5 註冊演算法分析 (6千字)2015-11-15演算法
- MouseStar V3.01註冊演算法分析 (18千字)2015-11-15演算法
- **********.exe註冊碼演算法分析--高手莫笑 (31千字)2015-11-15演算法
- Cleaner 3.2註冊分析 (18千字)2001-12-09
- 註冊碼演算法 (2千字)2001-01-14演算法
- supercleaner註冊演算法分析2015-11-15演算法
- getPassword2.3註冊碼計算分析過程 (3千字)2001-11-07
- Photocaster xtra v3.0.3 註冊過程的分析 (15千字)2001-11-22AST
- Screen Demo Maker
V3.0註冊演算法分析 (8千字)2002-09-10演算法
- Konvertor 3.03的註冊碼演算法模組的分析
(7千字)2015-11-15演算法
- Magic convertor 2.8註冊碼演算法分析
- OCG (9千字)2015-11-15演算法
- CoolClock V1.02註冊演算法分析 ---OCG (14千字)2015-11-15演算法
- 飄雪動畫秀3.02註冊演算法分析!
(11千字)2015-11-15動畫演算法
- Netscan pro 3.3 註冊演算法分析全過程2015-11-15演算法
- OICQ 圖形留言系統 v3.2註冊碼演算法 不知有沒有人貼過,呵呵! (11千字)2001-06-23演算法
- ClockWise 3.22e註冊碼演算法分析 - OCG (17千字)2002-04-10演算法
- 〖網際營銷〗V2.4 註冊演算法分析 (11千字)2001-11-03演算法
- GSview V4.12 for Windows註冊演算法分析 -
OCG (8千字)2015-11-15ViewWindows演算法
- EZ MP3 Recorder 1.15 註冊演算法分析 (14千字)2015-11-15演算法
- 一個區域網工具的註冊演算法分析
(5千字)2015-11-15演算法
- SpeedFlash註冊演算法分析(VB)2015-11-15演算法
- 財智老闆通3.04註冊版---註冊演算法分析2003-03-16演算法
- Instant Source 註冊演算法分析+註冊器原始碼2015-11-15演算法原始碼
- S-DEMO2 註冊分析 (14千字)2002-06-25
- DreamWaver3.0註冊流程分析 (17千字)2001-09-10
- CDSpace Power+註冊演算法 (7千字)2001-07-27演算法
- 《棋隱》的註冊演算法 (19千字)2001-08-26演算法
- Search32-PRO
v6.05註冊演算法分析 - OCG (46千字)2002-04-07演算法
- 五筆輸入通1.x註冊演算法分析
(10千字)2015-11-15演算法