Registry Crawler 4.0註冊碼演算法分析 - OCG (20千字)
=====Open Cracking Group======
=
=
=Registry Crawler 4.0註冊碼演算法分析
=
=
= CrAcKeD BY alphakk/OCG
=====================
=====================================
=軟體簡介:
=
= Registry Crawler 是強大的使用者和開發者快速定位並配置登錄檔的工具軟 =
=件。一個強大的搜尋引擎允許你基於搜尋標準查詢註冊資訊。允許你單擊超鏈 =
=接顯示條目。支援書籤功能,可在登錄檔中的任何鍵中新增書籤並直接從系統 =
=托盤讀取。此特徵允許你訪問你經常存取的註冊鍵而無需手工開啟
REGEDIT。 =
=每天需要操作登錄檔的使用者會發現 Registry Crawler 是一個節約時間的工具。=
=====================================
=========================================================
破解工具:SOFTICE,W32DASM
分析:
本軟體採用使用者名稱,註冊碼的驗證方式,不註冊的話會有30天的試用期,過期會提示使用者註冊,還未註冊的話,將不能繼續使用。
此軟體無功能限制。
在註冊視窗中輸入以下資訊:
使用者名稱:alphakk/OCG
註冊碼:98765432
用GETWINDOWTEXT作斷點,點選“解鎖”,被SOFTICE中斷,接著按F11跳出GETWINDOWTEXT函式,來到:
* Reference To: USER32.GetWindowTextA, Ord:015Eh
|
:0042DA07 FF1550844400
Call dword ptr [00448450]
:0042DA0D EB12
jmp 0042DA21 <<-------按F11後來到的地方
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D9FA(C)
|
:0042DA0F FF742408
push [esp+08]
:0042DA13 8B10
mov edx, dword ptr [eax]
:0042DA15
8BC8 mov
ecx, eax
:0042DA17 FF742408
push [esp+08]
:0042DA1B FF9284000000
call dword ptr [edx+00000084]
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0042DA0D(U)
|
:0042DA21 C20800
ret 0008
======================F10單步跟蹤過上面後,來到:
* Possible Reference to Dialog:
|
:0040AFDC 6810E54500 push
0045E510
:0040AFE1 8D8EBC030000
lea ecx, dword ptr [esi+000003BC]
:0040AFE7 E8092A0200
call 0042D9F5
:0040AFEC 68FF000000
push 000000FF
* Possible Reference
to Dialog:
|
:0040AFF1 6810E64500
push 0045E610 <<-----輸入的註冊碼入棧
:0040AFF6 8D8E80030000 lea ecx,
dword ptr [esi+00000380]
:0040AFFC E8F4290200
call 0042D9F5
* Possible Reference to Dialog:
|
:0040B001 6810E54500
push 0045E510 <<------使用者名稱入棧
:0040B006
8D4C240C lea ecx, dword
ptr [esp+0C]
:0040B00A E8F6330200
call 0042E405
:0040B00F 8B00
mov eax, dword ptr [eax] <<------使用者名稱首地址->EAX
* Possible Reference to Dialog:
|
:0040B011 68848C4500 push
00458C84 <<------“TRIAL USER”入棧
:0040B016 50
push eax <<------使用者名稱入棧
:0040B017 E8BFE60000 call
004196DB <<------比較函式,不同則EAX=1
:0040B01C 83C408
add esp, 00000008
:0040B01F 8D4C2408
lea ecx, dword ptr [esp+08]
:0040B023 85C0
test eax, eax
:0040B025 0F94C3
sete bl <<------BL置0
:0040B028 E86A330200
call 0042E397
:0040B02D 84DB
test bl, bl
:0040B02F
740F je 0040B040 <<------跳
:0040B031 6A01
push 00000001
:0040B033 8BCE
mov ecx, esi
:0040B035 E8DB3F0200
call 0042F015
:0040B03A 5E
pop esi
:0040B03B
5B
pop ebx
:0040B03C 83C408
add esp, 00000008
:0040B03F C3
ret
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0040B02F(C)
|
:0040B040 E8ABFCFFFF
call 0040ACF0 <<-----注意這個CALL,此處先用F10帶過
:0040B045 85C0
test eax, eax
:0040B047 0F849D000000
je 0040B0EA <<-------上面的CALL用F10過的話,這裡就會跳
* Possible StringData
Ref from Data Obj ->"Software\4Developers\RCrawler"
|
:0040B04D 8B15F88A4500
mov edx, dword ptr [00458AF8]
:0040B053 8D44240C
lea eax, dword ptr [esp+0C]
:0040B057 8D4C2408
lea ecx, dword ptr [esp+08]
:0040B05B 33DB
xor ebx, ebx
:0040B05D 50
push eax
:0040B05E 51
push ecx
:0040B05F 53
push ebx
:0040B060 683F000F00 push
000F003F
:0040B065 53
push ebx
:0040B066 53
push ebx
:0040B067 53
push ebx
:0040B068
52
push edx
:0040B069 6802000080
push 80000002
:0040B06E 895C2430
mov dword ptr [esp+30], ebx
:0040B072 895C242C
mov dword ptr [esp+2C], ebx
* Reference To: ADVAPI32.RegCreateKeyExA, Ord:015Fh
|
:0040B076 FF1534804400
Call dword ptr [00448034]
:0040B07C 3BC3
cmp eax, ebx
:0040B07E 7531
jne 0040B0B1
* Possible StringData Ref from Data Obj ->"4D"
|
:0040B080 A1048B4500 mov
eax, dword ptr [00458B04]
:0040B085 8B4C2408
mov ecx, dword ptr [esp+08]
:0040B089 57
push edi
:0040B08A
6800020000 push 00000200
:0040B08F 6810E54500 push 0045E510
:0040B094 6A03
push 00000003
:0040B096 53
push ebx
:0040B097 50
push eax
:0040B098
51
push ecx
* Reference To: ADVAPI32.RegSetvalueExA, Ord:0186h
|
:0040B099 FF1524804400
Call dword ptr [00448024]
:0040B09F 8B54240C
mov edx, dword ptr [esp+0C]
:0040B0A3
8BF8 mov
edi, eax
:0040B0A5 52
push edx
* Reference To: ADVAPI32.RegCloseKey,
Ord:015Bh
|
:0040B0A6 FF1520804400
Call dword ptr [00448020]
:0040B0AC 3BFB
cmp edi, ebx
:0040B0AE 5F
pop edi
:0040B0AF 7419
je 0040B0CA
* Referenced by a (U)nconditional or
(C)onditional Jump at Address:
|:0040B07E(C)
|
:0040B0B1 53
push ebx
:0040B0B2 53
push ebx
* Possible StringData Ref from Data Obj ->"無法記錄註冊資訊.
請聯絡 crawler@4dev.com"
|
:0040B0B3
68A88F4500 push 00458FA8
:0040B0B8 E866B50200 call 00436623
:0040B0BD 8BCE
mov ecx, esi
:0040B0BF E8DE400200
call 0042F1A2
:0040B0C4 5E
pop esi
:0040B0C5 5B
pop ebx
:0040B0C6
83C408 add esp,
00000008
:0040B0C9 C3
ret
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0040B0AF(C)
|
:0040B0CA 6A40
push 00000040
* Possible Reference to Dialog:
|
:0040B0CC 68988F4500 push
00458F98
* Possible StringData Ref from Data Obj ->"歡迎使用 Registry Crawle
的完整版本. "
->"感謝你註冊軟體.
請重新啟動程式,以解除所有未注"
->"冊版本的功能限制."
|
:0040B0D1 68FC8E4500
push 00458EFC
:0040B0D6 8BCE
mov ecx, esi
:0040B0D8 E80F110200
call 0042C1EC
:0040B0DD 8BCE
mov ecx, esi
:0040B0DF E8BE400200 call 0042F1A2
:0040B0E4 5E
pop esi
:0040B0E5 5B
pop ebx
:0040B0E6 83C408
add esp, 00000008
:0040B0E9
C3
ret
======看看0040B047處的跳轉是到哪兒了:
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0040B047(C)
|
:0040B0EA 8BCE
mov ecx, esi
:0040B0EC E80FFAFFFF call 0040AB00 <<-------注意這個CALL,F10帶過的話,EAX=0
:0040B0F1 85C0
test eax, eax
:0040B0F3 7419
je 0040B10E <<------跳
:0040B0F5 6A40
push 00000040
* Possible Reference to Dialog:
|
:0040B0F7 68E88E4500 push
00458EE8
* Possible StringData Ref from Data Obj ->"你輸入的註冊資訊僅能用於 Registry
"
->"Crawler 3.x 版本.
要註冊 4.0 "
->"以上版本,你需要新的註冊資訊.請與我們聯絡,將你?
->"淖⒉崧肷兜?Registry Crawler
"
->"4.0 (E-mail sales@4dev.com).
注意在 "
->"E-mail 中你必須提供舊版本的註冊碼.
謝謝,
4Dev"
->"elopers Team."
|
:0040B0FC 68AC8D4500
push 00458DAC
:0040B101 8BCE
mov ecx, esi
:0040B103 E8E4100200 call 0042C1EC
:0040B108 5E
pop esi
:0040B109 5B
pop ebx
:0040B10A 83C408
add esp, 00000008
:0040B10D
C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040B0F3(C)
|
:0040B10E 6A30
push 00000030
* Possible Reference
to Dialog:
|
:0040B110 68A08D4500
push 00458DA0
* Possible StringData
Ref from Data Obj ->"你輸入的註冊資訊是無效的.
請重新輸入你從 "
->"4Developers LLC 得到的使用者 ID "
->"及相應的註冊碼.
如果你尚未註冊,你可以點選下面"
->"的 '馬上定購' 軟體.如果你需要幫助,請發 "
->"E-mail 到: crawler@4dev.com"
|
:0040B115 68908C4500
push 00458C90
:0040B11A 8BCE
mov ecx, esi
:0040B11C E8CB100200
call 0042C1EC
:0040B121 5E
pop esi
:0040B122 5B
pop ebx
:0040B123 83C408
add esp, 00000008
:0040B126 C3
ret
===================================================
由上面這段程式碼不難看出,Regstry Crawler 的註冊碼運算有兩處:0040B040處的CALL,0040B0EC處的CALL,其中前者為4.0版的註冊碼運算,而後者為3.x版註冊碼的運算,3.x版的註冊碼運算與4.0版的有點像。註冊碼驗證流程為:先將使用者名稱用4.0版的註冊碼演算法進行運算,並與使用者輸入的註冊碼進行比較,不同的話,再將使用者名稱用3.x版的註冊碼演算法進行運算,並與使用者輸入的註冊碼進行比較,如果相同,則提示使用者更新註冊碼,如果不同,則跳出註冊失敗對話方塊。本文只是對4.0版的註冊碼運算進行分析,不討論3.x版的演算法,因此不進入第二個CALL。
===================================================
初步分析完成,進入第二次分析:
來到 0040B040處,按F8進入CALL,此時來到:
* Referenced by a CALL at Addresses:
|:0040AAF3 , :0040B040
|
:0040ACF0 83EC24
sub esp, 00000024
:0040ACF3
83C9FF or ecx, FFFFFFFF
:0040ACF6 33C0
xor eax, eax
:0040ACF8 55
push ebp
:0040ACF9 57
push edi
* Possible
Reference to Dialog:
|
:0040ACFA
BF10E54500 mov edi, 0045E510 <<------0045E510為使用者名稱首地址 \
:0040ACFF F2
repnz
\
:0040AD00 AE
scasb
測試使用者名稱長度->ECX
:0040AD01 F7D1
not ecx
/
:0040AD03 49
dec ecx
/
:0040AD04 8BE9
mov ebp, ecx
:0040AD06 83FD08
cmp ebp, 00000008
:0040AD09
7D06 jge
0040AD11 <--------大於或等於8則跳,如果不跳,則不進行4.0版的註冊碼演算法(此例中的使用者名稱符合條件)
:0040AD0B
5F
pop edi
:0040AD0C 5D
pop ebp
:0040AD0D 83C424
add esp, 00000024
:0040AD10 C3
ret
==================下面開始註冊碼演算法======================
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0040AD09(C)
|
:0040AD11 53
push ebx
:0040AD12 56
push esi
:0040AD13 6810E54500
push 0045E510 <<-------使用者名稱入棧
:0040AD18 E845D00100
call 00427D62 <<-------將使用者名稱中所有的大寫字母轉成小寫字母
:0040AD1D B907000000 mov
ecx, 00000007
:0040AD22 33C0
xor eax, eax
:0040AD24 8D7C2419
lea edi, dword ptr [esp+19]
:0040AD28
C644241800 mov [esp+18], 00
:0040AD2D F3
repz
:0040AD2E AB
stosd
:0040AD2F 66AB
stosw
:0040AD31 83C404
add esp, 00000004
:0040AD34
AA
stosb
:0040AD35 8D442414
lea eax, dword ptr [esp+14]
* Possible Reference to Dialog:
|
:0040AD39 68E48B4500
push 00458BE4 <<---------“8267-”入棧
:0040AD3E
50
push eax
* Reference To: KERNEL32.lstrcpyA, Ord:0302h
|
:0040AD3F FF155C834400
Call dword ptr [0044835C] <<-------“8267-”首地址->EAX
:0040AD45
33DB xor
ebx, ebx <<-------EBX清零,準備計數
* Referenced by a (U)nconditional
or (C)onditional Jump at Address:
|:0040ADFA(C)
|
* Possible
StringData Ref from Data Obj ->"0123456789"
|
:0040AD47 8B35FC8A4500 mov esi,
dword ptr [00458AFC] <<--------字串“0123456789”的首地址->ESI
:0040AD4D
83C9FF or ecx, FFFFFFFF
:0040AD50 8BFE
mov edi, esi \
:0040AD52 33C0
xor eax, eax \
:0040AD54 F2
repnz
\
:0040AD55 AE
scasb
測試“0123456789”的長度->ECX
:0040AD56 F7D1
not ecx /
:0040AD58
49
dec ecx /
:0040AD59 8BC3
mov eax, ebx
:0040AD5B 33D2
xor edx, edx
:0040AD5D 8BFE
mov edi, esi
:0040AD5F F7F1
div ecx <<--------此處運算後,EDX存放餘數
:0040AD61 8BC3
mov eax, ebx
:0040AD63 6A01
push 00000001
:0040AD65 0FBE0C32
movsx ecx, byte ptr [edx+esi] <<-------字串“0123456789”的每個字元按順序依次送入ECX,每次迴圈送入一個
:0040AD69 33D2
xor edx, edx
:0040AD6B F7F5
div ebp <<=======EBP存放使用者名稱長度,始終不變
:0040AD6D
0FBE8210E54500 movsx eax, byte ptr [edx+0045E510] <<---------使用者名稱的第個字元按順序依次送入EAX,每次迴圈送入一個,如果使用者名稱長度小於迴圈次數,則遍歷完一次使用者名稱後,重新從使用者名稱的第一位開始
:0040AD74 8BD0
mov edx, eax
:0040AD76 C1E205
shl edx, 05
:0040AD79 03D0
add edx, eax
:0040AD7B 8D0450
lea eax, dword ptr [eax+2*edx]
:0040AD7E 03C8
add ecx, eax
:0040AD80 8BC3
mov eax, ebx
:0040AD82 0FAFC3
imul eax, ebx
:0040AD85 0FAFC3
imul eax, ebx
:0040AD8B
8D1480 lea edx,
dword ptr [eax+4*eax]
:0040AD8E 8D0450
lea eax, dword ptr [eax+2*edx]
:0040AD91 03C8
add ecx, eax
:0040AD93 33C0
xor eax, eax
:0040AD95 8BD1
mov edx, ecx
:0040AD97 83C9FF
or ecx, FFFFFFFF \
:0040AD9A F2
repnz
\
:0040AD9B AE
scasb
測試“0123456789”的長度->ECX
:0040AD9C F7D1
not ecx
/
:0040AD9E 8BC2
mov eax, edx /
:0040ADA0 49
dec ecx /
:0040ADA1 33D2
xor edx, edx
:0040ADA3 F7F1
div ecx <<------運算的餘數->EDX
:0040ADA5 8D442418
lea eax, dword ptr [esp+18]
:0040ADA9
03D6 add
edx, esi <<-------ESI為“0123456789”的首地址
:0040ADAB 52
push edx
:0040ADAC
50
push eax
:0040ADAD E82EEB0000
call 004198E0
:0040ADB2 83C40C
add esp, 0000000C
:0040ADB5 85DB
test ebx, ebx
:0040ADB7 743D
je 0040ADF6 <<------------僅第一次迴圈時(EBX=0)跳 \
:0040ADB9 8BC3
mov eax, ebx
\
:0040ADBB 33D2
xor edx, edx
\
:0040ADBD B903000000
mov ecx, 00000003
此處控制註冊碼的形式
:0040ADC2 F7F1
div ecx
/
:0040ADC4 85D2
test edx, edx
/
:0040ADC6
752E jne
0040ADF6 <<---------餘數不為0則跳
/
* Possible Reference to Dialog:
|
:0040ADC8 BFEC8B4500 mov
edi, 00458BEC
:0040ADCD 83C9FF
or ecx, FFFFFFFF
:0040ADD0 33C0
xor eax, eax
:0040ADD2 8D542414
lea edx, dword ptr [esp+14]
:0040ADD6 F2
repnz
:0040ADD7 AE
scasb
:0040ADD8 F7D1
not ecx
:0040ADDA 2BF9
sub edi, ecx
:0040ADDC
8BF7 mov
esi, edi
:0040ADDE 8BFA
mov edi, edx
:0040ADE0 8BD1
mov edx, ecx
:0040ADE2 83C9FF
or ecx, FFFFFFFF
:0040ADE5
F2
repnz
:0040ADE6 AE
scasb
:0040ADE7 8BCA
mov ecx, edx
:0040ADE9 4F
dec edi
:0040ADEA
C1E902 shr ecx,
02
:0040ADED F3
repz
:0040ADEE A5
movsd
:0040ADEF 8BCA
mov ecx, edx
:0040ADF1 83E103
and ecx, 00000003
:0040ADF4 F3
repz
:0040ADF5 A4
movsb
* Referenced by a (U)nconditional
or (C)onditional Jump at Addresses:
|:0040ADB7(C), :0040ADC6(C)
|
:0040ADF6 43
inc ebx
:0040ADF7 83FB09
cmp ebx, 00000009
:0040ADFA 0F8247FFFFFF
jb 0040AD47
:0040AE00 8D442414
lea eax, dword ptr [esp+14]
:0040AE04
6810E64500 push 0045E610
:0040AE09 50
push eax
:0040AE0A E801570100
call 00420510
:0040AE0F 83C408
add esp, 00000008
:0040AE12 F7D8
neg eax
:0040AE14 5E
pop esi
:0040AE15 5B
pop ebx
:0040AE16 1BC0
sbb eax, eax
:0040AE18 5F
pop edi
:0040AE19
40
inc eax
:0040AE1A 5D
pop ebp
:0040AE1B 83C424
add esp, 00000024
:0040AE1E C3
ret
=====================================================
演算法思想:
將使用者名稱與固定字串“0123456789”進行運算,以運算結果的EDX(餘數)中的值為偏移量,取得此偏移量所指向的“0123456789”中的值並輸出,共迴圈9次。註冊碼形式為:8267-XXXX-XXX-XX
本例中:
使用者名稱:alphakk/OCG
註冊碼:8267-7626-579-75
=====================================================
=====Open Cracking Group======
=
=
=Registry Crawler 4.0註冊碼演算法分析
= (附:序號產生器)
=
= CrAcKeD
BY alphakk/OCG
=====================
序號產生器在:http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi
相關文章
- SuperCleaner 2.31註冊碼演算法分析 - OCG (13千字)2002-04-02演算法
- Magic convertor 2.8註冊碼演算法分析
- OCG (9千字)2015-11-15演算法
- ClockWise 3.22e註冊碼演算法分析 - OCG (17千字)2002-04-10演算法
- CoolClock V1.02註冊演算法分析 ---OCG (14千字)2015-11-15演算法
- GSview V4.12 for Windows註冊演算法分析 -
OCG (8千字)2015-11-15ViewWindows演算法
- 鬥地主4.0註冊演算法,序號產生器在OCG論壇
(22千字)2015-11-15演算法
- Registry Crawler 4.0.0.3破解 (6千字)2002-02-28
- Search32-PRO
v6.05註冊演算法分析 - OCG (46千字)2002-04-07演算法
- 有聲有色4.0註冊演算法 一 (11千字)2001-05-01演算法
- Green Tea 2.60註冊碼演算法分析 (3千字)2000-07-17演算法
- 註冊碼演算法 (2千字)2001-01-14演算法
- UltraEdit-32
10註冊碼演算法分析 (19千字)2003-05-17演算法
- **********.exe註冊碼演算法分析--高手莫笑 (31千字)2015-11-15演算法
- 中文撥號上網計時計費器 V4.12註冊演算法分析--[OCG] (23千字)2002-03-26演算法
- FolderView 1.7
註冊演算法分析 (14千字)2015-11-15View演算法
- Konvertor 3.03的註冊碼演算法模組的分析
(7千字)2015-11-15演算法
- Instant Source 註冊演算法分析+註冊器原始碼2015-11-15演算法原始碼
- 重新貼過註冊演算法分析 (16千字)2001-10-23演算法
- EffeTech HTTP Sniffer 3.2註冊演算法分析 (5千字)2002-06-24HTTP演算法
- CPUCOOL 5.1000註冊碼分析 (6千字)2001-01-19
- 關於ShowDep 4.0 beta 1的註冊碼判斷演算法求逆問題
(1千字)2000-06-07演算法
- 幻影2003 V3.0註冊碼分析
(12千字)2003-01-25
- 完美解除安裝6.0註冊演算法分析 (2千字)2002-02-27演算法
- Directory Scanner v1.5 註冊演算法分析 (6千字)2015-11-15演算法
- MouseStar V3.01註冊演算法分析 (18千字)2015-11-15演算法
- Cleaner 3.2註冊分析 (18千字)2001-12-09
- 讓SyGate 4.0 build712自己告訴你註冊碼. (2千字)2001-05-03UI
- supercleaner註冊演算法分析2015-11-15演算法
- EmEditor v3 Version 3.09 漢化版註冊碼演算法分析
(8千字)2001-01-09演算法
- Screen Demo Maker
V3.0註冊演算法分析 (8千字)2002-09-10演算法
- 飄雪動畫秀3.02註冊演算法分析!
(11千字)2015-11-15動畫演算法
- Sublime Text 4 Dev 4.0註冊碼漢化版2023-11-21dev
- 檔案密使2.6註冊碼分析詳解 (11千字)2001-11-30
- Cute FTP Ver 4.0 build 19 的註冊碼破解
(820字)2001-02-05FTPUI
- 離線註冊你的Fast Browser v4.0 (2千字)2001-09-14AST
- SpeedFlash註冊演算法分析(VB)2015-11-15演算法
- 〖網際營銷〗V2.4 註冊演算法分析 (11千字)2001-11-03演算法
- EZ MP3 Recorder 1.15 註冊演算法分析 (14千字)2015-11-15演算法