豪傑大眼睛(II)註冊碼分析(演算法與XXXX3000英雄版基本一樣,哈哈) (15千字)
這幾天比較無聊,找了個豪傑大眼睛II,發現它的註冊的演算法基本與豪傑II3000英雄版的演算法很相似,第一組的註冊碼是一樣的,從第二組開始的變化稍有不同,以下是它的演算法的分析過程。
* Reference To: USER32.GetWindowTextA, Ord:015Eh
|
:00401CCA 8B35F8604000
mov esi, dword ptr [004060F8]
:00401CD0 8D442404
lea eax, dword ptr [esp+04]
:00401CD4
6A08 push
00000008
:00401CD6 50
push eax
:00401CD7 51
push ecx
:00401CD8 FFD6
call esi
:00401CDA
A128984000 mov eax, dword ptr
[00409828]
:00401CDF 8D542409
lea edx, dword ptr [esp+09]
:00401CE3 6A08
push 00000008
:00401CE5 52
push edx
:00401CE6 50
push eax
:00401CE7 FFD6
call esi
:00401CE9 8B1534984000
mov edx, dword ptr [00409834]
:00401CEF 8D4C240E
lea ecx, dword ptr [esp+0E]
:00401CF3 6A08
push 00000008
:00401CF5 51
push ecx
:00401CF6 52
push edx
:00401CF7 FFD6
call esi
:00401CF9
8B0D30984000 mov ecx, dword ptr [00409830]
:00401CFF 8D442413
lea eax, dword ptr [esp+13]
:00401D03 6A08
push 00000008
:00401D05 50
push eax
:00401D06
51
push ecx
:00401D07 FFD6
call esi
:00401D09 8B1524984000
mov edx, dword ptr [00409824]
:00401D0F 6800010000
push 00000100
:00401D14 B02D
mov al, 2D
:00401D16
6860994000 push 00409960
:00401D1B 52
push edx
:00401D1C 8844241E
mov byte ptr [esp+1E], al
:00401D20 88442419
mov byte ptr [esp+19], al
:00401D24 88442414
mov byte ptr [esp+14], al
:00401D28 C644242300 mov [esp+23],
00
:00401D2D FFD6
call esi
:00401D2F 8D442404
lea eax, dword ptr [esp+04]
:00401D33 50
push eax
:00401D34
6860994000 push 00409960 <----經過動態跟蹤,發現409960處存放的是輸入的使用者名稱
:00401D39 E842090000 call
00402680 <----進行註冊碼比較的關鍵CALL,要用F8跟入
:00401D3E F7D8
neg eax <---- 如果返回值為0,則註冊失敗
:00401D40 1BC0
sbb eax, eax
:00401D42 8D4C2404
lea ecx, dword ptr [esp+04]
:00401D46 F7D8
neg eax
:00401D48
51
push ecx
:00401D49 6860994000
push 00409960
:00401D4E A3689A4000
mov dword ptr [00409A68], eax<----將EAX的值寫入[409A68]
:00401D53 E838000000
call 00401D90 <----此CALL將使用者名稱與註冊碼寫入登錄檔
:00401D58 8B442450
mov eax, dword ptr [esp+50]
:00401D5C 8B0D44994000
mov ecx, dword ptr [00409944]
:00401D62 83C408
add esp, 00000008
:00401D65
8D542404 lea edx, dword
ptr [esp+04]
:00401D69 52
push edx
:00401D6A 68201C4000
push 00401C20
:00401D6F 50
push eax
* Possible
Reference to Dialog: DialogID_0069
|
:00401D70 6A69
push 00000069
:00401D72 51
push ecx
* Reference To: USER32.DialogBoxParamA,
Ord:0093h
|
:00401D73 FF15E8604000
Call dword ptr [004060E8]<----如果[409A68]為0,顯示註冊失敗,為1時顯示註冊成功
:00401D79 A1689A4000 mov
eax, dword ptr [00409A68]
:00401D7E 5E
pop esi
:00401D7F 83C440
add esp, 00000040
:00401D82 C3
ret
---------------------按F8進入註冊碼比較的關鍵CALL----------------------
;-----------------------------------------------------------------------
; Key check reached from `call 00402680` at 00401D39 (see the caller above).
; Convention: stdcall with two args (`ret 0008` at the end).
; Args, after the prologue (sub esp,20 / push esi / push edi):
;   [esp+2C] = user name buffer (00409960 in the caller)
;   [esp+30] = key as typed; four 4-character groups at offsets 0, 5, 0Ah, 0Fh
;              (one separator byte between groups)
; Locals, zeroed by the rep stosd below (4 bytes each):
;   [esp+08] reg1   [esp+0C] reg2   [esp+10] reg3   [esp+14] reg4
; Out: eax = 1 on the all-groups-match path shown here. Every `jne 0040280C`
;      is the mismatch path; that code is not part of this listing.
; Note(review): the expected key is recomputed from the name inside the
; process and compared byte by byte, so the complete derivation is readable
; out of the binary. A check that verifies a signature over the name with an
; embedded public key would not expose a generator this way.
;-----------------------------------------------------------------------
:00402680 83EC20       sub esp, 00000020              ; 20h bytes of locals
:00402683 56           push esi
:00402684 57           push edi
:00402685 B908000000   mov ecx, 00000008
:0040268A 33C0         xor eax, eax
:0040268C 8D7C2408     lea edi, dword ptr [esp+08]    ; edi = &reg1 (first group buffer)
:00402690 F3           repz
:00402691 AB           stosd                          ; zero the 8 dwords of locals
:00402692 8B44242C     mov eax, dword ptr [esp+2C]
:00402696 50           push eax                       ; arg: user name
:00402697 E8A4010000   call 00402840                  ; name -> 32-bit value in eax (routine not listed; the author states it matches the XXXX3000 英雄版 analysis)
:0040269C 83C404       add esp, 00000004
:0040269F 89442408     mov dword ptr [esp+08], eax    ; reg1 = value derived from the name
:004026A3 33F6         xor esi, esi                   ; esi = byte index 0..3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004026C8(C)
|
:004026A5 0FBE443408   movsx eax, byte ptr [esp+esi+08]   ; one byte of reg1 (sign-extended)
:004026AA 83F841       cmp eax, 00000041
:004026AD 7C08         jl 004026B7
:004026AF 83F85A       cmp eax, 0000005A
:004026B2 7F03         jg 004026B7
:004026B4 83C020       add eax, 00000020              ; 'A'..'Z' -> 'a'..'z'
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004026AD(C), :004026B2(C)
|
:004026B7 50           push eax
:004026B8 E853020000   call 00402910                  ; map the byte to a printable key character (routine listed below)
:004026BD 83C404       add esp, 00000004
:004026C0 88443408     mov byte ptr [esp+esi+08], al  ; store the character back into reg1
:004026C4 46           inc esi
:004026C5 83FE04       cmp esi, 00000004              ; all 4 bytes of group 1 done?
:004026C8 7CDB         jl 004026A5
:004026CA 8B7C2430     mov edi, dword ptr [esp+30]    ; edi = key as typed
:004026CE 8D4C2408     lea ecx, dword ptr [esp+08]
:004026D2 8BF7         mov esi, edi
:004026D4 33D2         xor edx, edx                   ; edx = byte index 0..3
:004026D6 2BF1         sub esi, ecx                   ; esi = typed - &reg1, so [esi + &reg1[i]] addresses typed[i]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004026FC(C)
|
:004026D8 8D4C1408     lea ecx, dword ptr [esp+edx+08]    ; ecx = &reg1[edx]
:004026DC 0FBE040E     movsx eax, byte ptr [esi+ecx]      ; eax = typed group-1 byte edx
:004026E0 83F841       cmp eax, 00000041
:004026E3 7C08         jl 004026ED
:004026E5 83F85A       cmp eax, 0000005A
:004026E8 7F03         jg 004026ED
:004026EA 83C020       add eax, 00000020              ; typed uppercase is folded to lowercase
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004026E3(C), :004026E8(C)
|
:004026ED 0FBE09       movsx ecx, byte ptr [ecx]      ; ecx = expected byte reg1[edx]
:004026F0 3BC1         cmp eax, ecx                   ; typed vs expected
:004026F2 0F8514010000 jne 0040280C                   ; mismatch -> failure path (not listed)
:004026F8 42           inc edx
:004026F9 83FA04       cmp edx, 00000004              ; 4 bytes of group 1 compared?
:004026FC 7CDA         jl 004026D8
:004026FE 8B442408     mov eax, dword ptr [esp+08]    ; eax = reg1
:00402702 8D5008       lea edx, dword ptr [eax+08]    ; edx = reg1 + 8
:00402705 0FAFD0       imul edx, eax
:00402708 8954240C     mov dword ptr [esp+0C], edx    ; reg2 = (reg1 + 8) * reg1
:0040270C 33F6         xor esi, esi                   ; esi = byte index 0..3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040272F(C)
|
:0040270E 8A44340C     mov al, byte ptr [esp+esi+0C]  ; only al is loaded; the upper bytes of eax keep their previous value when pushed
:00402712 50           push eax
:00402713 56           push esi
:00402714 E807010000   call 00402820                  ; (index, byte) -> transformed value; routine not listed
:00402719 25FF000000   and eax, 000000FF              ; keep the low byte only
:0040271E 50           push eax
:0040271F E8EC010000   call 00402910                  ; map to a printable key character
:00402724 83C40C       add esp, 0000000C              ; pop the three pushed args
:00402727 8844340C     mov byte ptr [esp+esi+0C], al  ; store back into reg2
:0040272B 46           inc esi
:0040272C 83FE04       cmp esi, 00000004              ; 4 characters of group 2 done?
:0040272F 7CDD         jl 0040270E
:00402731 33C9         xor ecx, ecx                   ; ecx = byte index 0..3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402756(C)
|
:00402733 0FBE440F05   movsx eax, byte ptr [edi+ecx+05]   ; typed group 2 starts at offset 5
:00402738 83F841       cmp eax, 00000041
:0040273B 7C08         jl 00402745
:0040273D 83F85A       cmp eax, 0000005A
:00402740 7F03         jg 00402745
:00402742 83C020       add eax, 00000020              ; fold typed uppercase to lowercase
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040273B(C), :00402740(C)
|
:00402745 0FBE540C0C   movsx edx, byte ptr [esp+ecx+0C]   ; expected byte reg2[ecx]
:0040274A 3BC2         cmp eax, edx                   ; typed vs expected
:0040274C 0F85BA000000 jne 0040280C                   ; mismatch -> failure path (not listed)
:00402752 41           inc ecx
:00402753 83F904       cmp ecx, 00000004
:00402756 7CDB         jl 00402733
:00402758 8B44240C     mov eax, dword ptr [esp+0C]    ; eax = reg2
:0040275C 8B4C2408     mov ecx, dword ptr [esp+08]    ; ecx = reg1
:00402760 8BD0         mov edx, eax
:00402762 33D1         xor edx, ecx                   ; edx = reg2 ^ reg1
:00402764 42           inc edx
:00402765 0FAFD1       imul edx, ecx
:00402768 03D0         add edx, eax
:0040276A 33F6         xor esi, esi                   ; esi = byte index 0..3
:0040276C 89542410     mov dword ptr [esp+10], edx    ; reg3 = reg2 + ((reg1 ^ reg2) + 1) * reg1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402786(C)
|
:00402770 0FBE443410   movsx eax, byte ptr [esp+esi+10]   ; one byte of reg3 (no 00402820 step for this group)
:00402775 50           push eax
:00402776 E895010000   call 00402910                  ; map to a printable key character
:0040277B 83C404       add esp, 00000004
:0040277E 88443410     mov byte ptr [esp+esi+10], al  ; store back into reg3
:00402782 46           inc esi
:00402783 83FE04       cmp esi, 00000004              ; 4 characters of group 3 done?
:00402786 7CE8         jl 00402770
:00402788 33C9         xor ecx, ecx                   ; ecx = byte index 0..3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004027A9(C)
|
:0040278A 0FBE440F0A   movsx eax, byte ptr [edi+ecx+0A]   ; typed group 3 starts at offset 0Ah
:0040278F 83F841       cmp eax, 00000041
:00402792 7C08         jl 0040279C
:00402794 83F85A       cmp eax, 0000005A
:00402797 7F03         jg 0040279C
:00402799 83C020       add eax, 00000020              ; fold typed uppercase to lowercase
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402792(C), :00402797(C)
|
:0040279C 0FBE540C10   movsx edx, byte ptr [esp+ecx+10]   ; expected byte reg3[ecx]
:004027A1 3BC2         cmp eax, edx                   ; typed vs expected
:004027A3 7567         jne 0040280C                   ; mismatch -> failure path (not listed)
:004027A5 41           inc ecx
:004027A6 83F904       cmp ecx, 00000004
:004027A9 7CDF         jl 0040278A
:004027AB 8B4C240C     mov ecx, dword ptr [esp+0C]    ; ecx = reg2
:004027AF 8B442408     mov eax, dword ptr [esp+08]    ; eax = reg1
:004027B3 0FAFC8       imul ecx, eax                  ; reg2 * reg1
:004027B6 41           inc ecx                        ; + 1
:004027B7 0FAF4C2410   imul ecx, dword ptr [esp+10]   ; * reg3
:004027BC 03C8         add ecx, eax                   ; + reg1
:004027BE 33F6         xor esi, esi                   ; esi = byte index 0..3
:004027C0 894C2414     mov dword ptr [esp+14], ecx    ; reg4 = reg1 + ((reg2 * reg1) + 1) * reg3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004027DA(C)
|
:004027C4 0FBE543414   movsx edx, byte ptr [esp+esi+14]   ; one byte of reg4
:004027C9 52           push edx
:004027CA E841010000   call 00402910                  ; map to a printable key character
:004027CF 83C404       add esp, 00000004
:004027D2 88443414     mov byte ptr [esp+esi+14], al  ; store back into reg4
:004027D6 46           inc esi
:004027D7 83FE04       cmp esi, 00000004              ; 4 characters of group 4 done?
:004027DA 7CE8         jl 004027C4
:004027DC 33C9         xor ecx, ecx                   ; ecx = byte index 0..3
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004027FD(C)
|
:004027DE 0FBE440F0F   movsx eax, byte ptr [edi+ecx+0F]   ; typed group 4 starts at offset 0Fh
:004027E3 83F841       cmp eax, 00000041
:004027E6 7C08         jl 004027F0
:004027E8 83F85A       cmp eax, 0000005A
:004027EB 7F03         jg 004027F0
:004027ED 83C020       add eax, 00000020              ; fold typed uppercase to lowercase
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004027E6(C), :004027EB(C)
|
:004027F0 0FBE540C14   movsx edx, byte ptr [esp+ecx+14]   ; expected byte reg4[ecx]
:004027F5 3BC2         cmp eax, edx                   ; typed vs expected
:004027F7 7513         jne 0040280C                   ; mismatch -> failure path (not listed)
:004027F9 41           inc ecx
:004027FA 83F904       cmp ecx, 00000004
:004027FD 7CDF         jl 004027DE
:004027FF 5F           pop edi
* Possible Reference to String Resource ID=00001: "Register Success"
|
:00402800 B801000000   mov eax, 00000001              ; all four groups matched; the string-resource note above is the disassembler matching the immediate 1 and is probably spurious
:00402805 5E           pop esi
:00402806 83C420       add esp, 00000020
:00402809 C20800       ret 0008                       ; stdcall: pops the two args
----------------此CALL是將EAX的值轉化為一個字元形式--------------
;-----------------------------------------------------------------------
; Map one byte to a printable key character.
; Convention: cdecl, one arg at [esp+04], result in eax (al is what callers store).
; Called from 004026B8, 0040271F, 00402776, 004027CA.
; Loops back to 00402914 until the value is a lowercase letter 'a'..'z' or a
; digit '1'..'9'; 'o' and '0' are both rejected (presumably so the two cannot
; be confused when the key is typed). The `jle 00402960` return target lies
; just past this listing.
;-----------------------------------------------------------------------
* Referenced by a CALL at Addresses:
|:004026B8 , :0040271F , :00402776 , :004027CA
|
:00402910 8B442404     mov eax, dword ptr [esp+04]    ; eax = input value
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402932(U), :00402943(U), :0040295E(U)
|
:00402914 83E07F       and eax, 0000007F              ; keep the low 7 bits (loop re-entry point)
:00402917 83F841       cmp eax, 00000041
:0040291A 7C07         jl 00402923
:0040291C 83F85A       cmp eax, 0000005A
:0040291F 7F02         jg 00402923
:00402921 0C20         or al, 20                      ; 'A'..'Z' -> 'a'..'z'
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040291A(C), :0040291F(C)
|
:00402923 83F86F       cmp eax, 0000006F              ; letter 'o' is not allowed in a key
:00402926 750C         jne 00402934
:00402928 B890000000   mov eax, 00000090              ; replace with a fixed value and remap
:0040292D 83F00E       xor eax, 0000000E
:00402930 0C31         or al, 31
:00402932 EBE0         jmp 00402914
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402926(C)
|
:00402934 83F830       cmp eax, 00000030              ; digit '0' is not allowed either
:00402937 750C         jne 00402945
:00402939 B8CF000000   mov eax, 000000CF              ; replace with a fixed value and remap
:0040293E 83F00E       xor eax, 0000000E
:00402941 0C31         or al, 31
:00402943 EBCF         jmp 00402914
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402937(C)
|
:00402945 83F861       cmp eax, 00000061              ; already 'a'..'z'? -> return (00402960)
:00402948 7C05         jl 0040294F
:0040294A 83F87A       cmp eax, 0000007A
:0040294D 7E11         jle 00402960
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402948(C)
|
:0040294F 83F831       cmp eax, 00000031              ; already a digit '1'..'9'? -> return
:00402952 7C05         jl 00402959
:00402954 83F839       cmp eax, 00000039
:00402957 7E07         jle 00402960
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402952(C)
|
:00402959 83F00E       xor eax, 0000000E              ; anything else: rewrite and go round again
:0040295C 0C31         or al, 31                      ; forces bits 0, 4 and 5 set, so the value lands in 31h..3Fh or 71h..7Fh
:0040295E EBB4         jmp 00402914
-----------------------------------------------------------
序號產生器的程式碼與XXXX3000英雄版基本相同,只需要修改以下幾處即可:
reg2 = (reg1+8)*reg1
reg3 = reg2 +((reg1 ^ reg2)+1)*reg1
reg4 = reg1 +((reg2 * reg1)+1)*reg3