語音介面2.0

貼它的演算法分析及序號產生器原始碼！
破解者：HMILY[CCG][BCG]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004042ED(C)
|
:004042D9 56 push esi
:004042DA 8BCF mov ecx, edi
:004042DC E82F000000 call 00404310 ->註冊碼的計算，跟進去
:004042E1 83F8FE cmp eax, FFFFFFFE
:004042E4 741A je 00404300
:004042E6 3BC6 cmp eax, esi
:004042E8 7416 je 00404300
:004042EA 4E dec esi
:004042EB 85F6 test esi, esi
:004042ED 7FEA jg 004042D9
:004042EF 6A00 push 00000000
:004042F1 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"註冊碼有誤"
|
:004042F3 684C774000 push 0040774C

* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
|
:004042F8 E873050000 Call 00404870
:004042FD 5F pop edi
:004042FE 5E pop esi
:004042FF C3 ret
=============================================================================================
上面還有，不重要！略………………

* Reference To: MFC42.Ordinal:0F21, Ord:0F21h
|
:00404392 E82F060000 Call 004049C6 ->計算從這裡開始
:00404397 8B7C2468 mov edi, dword ptr [esp+68]
:0040439B 33DB xor ebx, ebx ->ebx清零，為計算做準備！
:0040439D 33C9 xor ecx, ecx ->同上
:0040439F 8D04BF lea eax, dword ptr [edi+4*edi] ->從trw中可看到edi=3;eax=3+3*4
:004043A2 8D0480 lea eax, dword ptr [eax+4*eax] ->eax=eax+eax*4
:004043A5 8D3480 lea esi, dword ptr [eax+4*eax] ->esi=eax+eax*4
:004043A8 C1E602 shl esi, 02 ->esi左移2;esi=esi<<2;

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404404(C)
|
:004043AB 0FBE440C50 movsx eax, byte ptr [esp+ecx+50] ->取機器碼的第一位
:004043B0 03C6 add eax, esi ->eax=eax+esi
:004043B2 BD3E000000 mov ebp, 0000003E ->ebp=0x3E;
:004043B7 99 cdq ->edx清零
:004043B8 F7FD idiv ebp ->eax=eax/ebp,edx=eax%ebp
:004043BA 0FBE440C54 movsx eax, byte ptr [esp+ecx+54] ->取機器碼第五位
:004043BF 03C6 add eax, esi ->eax=eax+esi
:004043C1 8A92E4704000 mov dl, byte ptr [edx+004070E4] ->eax求ebp得到的餘數就是密碼錶中字元的位數
:004043C7 88540C30 mov byte ptr [esp+ecx+30], dl ->將取到的密碼錶中的字元儲存
:004043CB 99 cdq
:004043CC F7FD idiv ebp | 算
:004043CE 8A82E4704000 mov al, byte ptr [edx+004070E4] | 法
:004043D4 88440C38 mov byte ptr [esp+ecx+38], al | 大
:004043D8 0FBE440C58 movsx eax, byte ptr [esp+ecx+58] | 都
:004043DD 03C6 add eax, esi | 相
:004043DF 99 cdq | 同
:004043E0 F7FD idiv ebp | 看
:004043E2 0FBE440C5C movsx eax, byte ptr [esp+ecx+5C] | 注
:004043E7 03C6 add eax, esi | 冊
:004043E9 8A92E4704000 mov dl, byte ptr [edx+004070E4] | 機
:004043EF 88540C40 mov byte ptr [esp+ecx+40], dl | 源
:004043F3 99 cdq | 碼
:004043F4 F7FD idiv ebp | 便知！
:004043F6 41 inc ecx ->ecx++;
:004043F7 83F904 cmp ecx, 00000004 ->比較ecx是否為4
:004043FA 8A82E4704000 mov al, byte ptr [edx+004070E4]
:00404400 88440C47 mov byte ptr [esp+ecx+47], al
:00404404 7CA5 jl 004043AB ->比如ecx<4則跳
=============================================================================================
* Reference To: MSVCRT.rand, Ord:02A6h
|
:00402758 FF15A8524000 Call dword ptr [004052A8]
:0040275E 8BD0 mov edx, eax
:00402760 83C9FF or ecx, FFFFFFFF
:00402763 0FAFD3 imul edx, ebx
:00402766 0FAFD7 imul edx, edi

* Possible StringData Ref from Data Obj ->"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJ"
->"KLMNOPQRSTUVWXYZ" ->密碼錶
|
:00402769 BFE4704000 mov edi, 004070E4
:0040276E 33C0 xor eax, eax
:00402770 F2 repnz
:00402771 AE scasb
:00402772 F7D1 not ecx
:00402774 8BC2 mov eax, edx
:00402776 49 dec ecx
:00402777 33D2 xor edx, edx
:00402779 F7F1 div ecx
:0040277B 46 inc esi
:0040277C 83FE10 cmp esi, 00000010
:0040277F 8A82E4704000 mov al, byte ptr [edx+004070E4]
:00402785 88442EFF mov byte ptr [esi+ebp-01], al
:00402789 7CB2 jl 0040273D
:0040278B 8D4C2410 lea ecx, dword ptr [esp+10]
:0040278F 51 push ecx

* Possible StringData Ref from Data Obj ->"Software\Microsoft\BLUEReg"
|
:00402790 6820724000 push 00407220
:00402795 6802000080 push 80000002
==============================================================================================
以下為c++ builder 6.0的序號產生器原始碼！win98 SE、c++ builder 6.0下除錯透過！
#include <vcl.h>
#pragma hdrstop

#include "KeygenBox.h"
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
Tform1 *form1;
char key[]={'0','1','2','3','4','5','6','7','8','9','a','b',
'c','d','e','f','g','h','i','j','k','l','m','n',
'o','p','q','r','s','t','u','v','w','x','y','z',
'A','B','C','D','E','F','G','H','I','J','K','L',
'M','N','O','P','Q','R','S','T','U','V','W','X',
'Y','Z'};
String name,S1,S2,S3,S4;int a,b=1,ebp;
unsigned long esi,ea,eb,e1,e2,e3,e4;
char code1,code2,code3,code4;
//---------------------------------------------------------------------------
void __fastcall Tform1::OKBtnClick(TObject *Sender)
{
if(UEdit->Text=="") {Label2->Caption="未輸入機器碼！";return;}
if(UEdit->Text!="")
{
name=UEdit->Text;
a=UEdit->Text.Length();
if(a<16) {Label2->Caption="輸入的機器碼不正確";return;}
else
{
while(b<=4)
{
ea=3+3*4;
eb=ea+ea*4;
esi=(eb+eb*4)<<2;ebp=62;
e1=(name[b]+esi)%ebp;code1=key[e1];
b++;
CEdit->Text=CEdit->Text+code1;
}
S1=CEdit->Text;CEdit->Clear();
b=5;
while(b<=8)
{
ea=3+3*4;
eb=ea+ea*4;
esi=(eb+eb*4)<<2;ebp=62;
e2=(name[b]+esi)%ebp;code2=key[e2];
b++;
CEdit->Text=CEdit->Text+code2;
}
S2=CEdit->Text;CEdit->Clear();
b=9;
while(b<=12)
{
ea=3+3*4;
eb=ea+ea*4;
esi=(eb+eb*4)<<2;ebp=62;
e3=(name[b]+esi)%ebp;code3=key[e3];
b++;
CEdit->Text=CEdit->Text+code3;
}
S3=CEdit->Text;CEdit->Clear();
b=13;
while(b<=16)
{
ea=3+3*4;
eb=ea+ea*4;
esi=(eb+eb*4)<<2;ebp=62;
e4=(name[b]+esi)%ebp;code4=key[e4];
b++;
CEdit->Text=CEdit->Text+code4;
}
S4=CEdit->Text;CEdit->Clear();
CEdit->Text=CEdit->Text+S1+"-"+S2+"-"+S3+"-"+S4;
sndPlaySound(cuWavHandle,SND_MEMORY|SND_SYNC);
Label2->Caption="已經完成計算！";
}
}
}
//-----------------------------------------------------------------------------

語音介面2.0

相關文章