社群遊戲伴侶 V1.0: computing the registration code, plus a keygen (30k chars)
Software name: 社群遊戲伴侶 V1.0
Size: 213 KB
Platform: Win9x
Category: game card counter
Description: a card counter for Lianzhong (聯眾) and Bianfeng (邊鋒) card games; all features are available after registration.
Tools: OllyDbg 1.08, W32DASM 10, UltraEdit 8.0, AspackDie, fi 2.5
Method: registration algorithm
A friend who plays Lianzhong games told me the card counter 《****伴侶1.1》 must be registered before it works for Gouji (夠級), and asked me to take a look. Its registration scheme is somewhat unusual: it verifies through the registry, only does so after connecting to Lianzhong, verifies in several different places, and has to use the game ID, which means you can only play with a single user ID. I could not find a keygen online, so I did it myself.
First unpack it: ASPack 2.12, easily removed with AspackDie.
Disassemble with W32DASM and search for suspicious strings, then debug in OllyDbg 1.08, where the breakpoints are easy to set.
--------------------------------------------------------------------------------------
0045D16C /. 55 PUSH EBP
0045D16D |. 8BEC MOV EBP,ESP
0045D16F |. B9 0C000000 MOV ECX,0C ; ecx=0x0C
0045D174 |> 6A 00 /PUSH 0 ; initialise locals
0045D176 |. 6A 00 |PUSH 0
0045D178 |. 49 |DEC ECX
0045D179 |.^75 F9 \JNZ SHORT UNPACKED.0045D174
0045D17B |. 53 PUSH EBX ; ebx=011ca3f8, purpose unknown
0045D17C |. 56 PUSH ESI
0045D17D |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0045D180 |. 33C0 XOR EAX,EAX
0045D182 |. 55 PUSH EBP
0045D183 |. 68 A1D34500 PUSH UNPACKED.0045D3A1
0045D188 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0045D18B |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0045D18E |. 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
0045D191 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D194 |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D19A |. E8 5996FDFF CALL UNPACKED.004367F8 ; fetch the trial code: 12345678
0045D19F |. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38] ; eax points at the trial code 12345678
0045D1A2 |. 33D2 XOR EDX,EDX
0045D1A4 |. E8 07B9FAFF CALL UNPACKED.00408AB0
0045D1A9 |. 8BC8 MOV ECX,EAX ; copy eax to ecx
0045D1AB |. 81F9 80969800 CMP ECX,989680 ; 0x989680=10000000; jump if ecx is at least that. Double-click ecx in the register window and you see 12345678
0045D1B1 |. 7D 0F JGE SHORT UNPACKED.0045D1C2
0045D1B3 |. B8 B8D34500 MOV EAX,UNPACKED.0045D3B8
0045D1B8 |. E8 3F31FDFF CALL UNPACKED.004302FC
0045D1BD |. E9 92010000 JMP UNPACKED.0045D354
0045D1C2 |> 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
0045D1C5 |. 50 PUSH EAX
0045D1C6 |. 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
0045D1C9 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D1CC |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D1D2 |. E8 2196FDFF CALL UNPACKED.004367F8
0045D1D7 |. 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40]
0045D1DA |. B9 04000000 MOV ECX,4
0045D1DF |. 33D2 XOR EDX,EDX
0045D1E1 |. E8 B277FAFF CALL UNPACKED.00404998 ; take the first 4 characters of the trial code: 1234
0045D1E6 |. 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C] ; eax points at "1234"
0045D1E9 |. E8 86B8FAFF CALL UNPACKED.00408A74
0045D1EE |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; eax=1234 stored at ebp-10
0045D1F1 |. 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
0045D1F4 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D1F7 |. 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+304]
0045D1FD |. E8 F695FDFF CALL UNPACKED.004367F8 ; fetch the user name: laoqian
0045D202 |. 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48] ; eax=7
0045D205 |. 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
0045D208 |. E8 0BB5FAFF CALL UNPACKED.00408718
0045D20D |. 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] ; eax points at "laoqian"
0045D210 |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C] ; eax=7
0045D213 |. E8 DCB5FAFF CALL UNPACKED.004087F4
0045D218 |. 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
0045D21B |. 50 PUSH EAX
0045D21C |. 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
0045D21F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D222 |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D228 |. E8 CB95FDFF CALL UNPACKED.004367F8
0045D22D |. 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50] ; eax=8, "12345678"
0045D230 |. B9 04000000 MOV ECX,4
0045D235 |. BA 05000000 MOV EDX,5
0045D23A |. E8 5977FAFF CALL UNPACKED.00404998 ; take the last 4 characters of the trial code: 5678
0045D23F |. 8B55 B4 MOV EDX,DWORD PTR SS:[EBP-4C] ; edx="5678"
0045D242 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0045D245 |. E8 FE74FAFF CALL UNPACKED.00404748 ; concatenate into the string "laoqian5678"
0045D24A |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; into eax
0045D24D |. E8 EE74FAFF CALL UNPACKED.00404740 ; length of "user name + last 4 digits of the trial code"
0045D252 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX ; eax=0xB, the length, stored at ebp-8
0045D255 |. 8D45 CD LEA EAX,DWORD PTR SS:[EBP-33]
0045D258 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] ; edx="laoqian5678" (it was "5678" before the concatenation)
0045D25B |. E8 F0BBFAFF CALL UNPACKED.00408E50
0045D260 |. BB DE040000 MOV EBX,4DE ; ebx=0x4DE (1246)
0045D265 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; eax = the length 0xB of "user name + last 4 digits"
0045D268 |. 48 DEC EAX ; eax-1
0045D269 |. 85C0 TEST EAX,EAX ; test
0045D26B |. 7C 37 JL SHORT UNPACKED.0045D2A4
0045D26D |. 40 INC EAX ; eax+1, restored
0045D26E |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX ; the length 0xB stored at ebp-14 as the outer loop counter
0045D271 |. 33C9 XOR ECX,ECX ; ecx=0
0045D273 |. 8D45 CD LEA EAX,DWORD PTR SS:[EBP-33] ; eax points at "laoqian5678"
0045D276 |> 8BD1 /MOV EDX,ECX ; edx=ecx
0045D278 |. 0FAFD1 |IMUL EDX,ECX ; edx=edx*ecx (signed integer multiply)
0045D27B |. 03DA |ADD EBX,EDX ; ebx=ebx+edx
0045D27D |. 33D2 |XOR EDX,EDX ; edx=0
0045D27F |. 8A10 |MOV DL,BYTE PTR DS:[EAX] ; dl = the n-th ASCII value of "laoqian5678"
0045D281 |. 0FAFD1 |IMUL EDX,ECX ; edx=edx*ecx
0045D284 |. 03DA |ADD EBX,EDX ; ebx=ebx+edx
0045D286 |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8] ; edx = the length 0xB of "user name + last 4 digits"
0045D289 |. 4A |DEC EDX ; edx=edx-1
0045D28A |. 83FA 00 |CMP EDX,0 ; below 0?
0045D28D |. 7C 0E |JL SHORT UNPACKED.0045D29D ; skip the inner loop and continue the loop at 0045D276
0045D28F |> 8D1C19 |/LEA EBX,DWORD PTR DS:[ECX+EBX] ; ebx=ebx+ecx
0045D292 |. 0FB630 ||MOVZX ESI,BYTE PTR DS:[EAX] ; esi = the n-th ASCII value of "laoqian5678"
0045D295 |. 03DE ||ADD EBX,ESI ; ebx=ebx+esi
0045D297 |. 4A ||DEC EDX ; edx=edx-1
0045D298 |. 83FA FF ||CMP EDX,-1 ; reached -1?
0045D29B |.^75 F2 |\JNZ SHORT UNPACKED.0045D28F ; loop to 0045D28F
0045D29D |> 41 |INC ECX ; ecx+1
0045D29E |. 40 |INC EAX ; eax+1, next character
0045D29F |. FF4D EC |DEC DWORD PTR SS:[EBP-14] ; remaining length of "user name + last 4 digits" minus 1
0045D2A2 |.^75 D2 \JNZ SHORT UNPACKED.0045D276 ; loop to 0045D276
0045D2A4 |> 85DB TEST EBX,EBX
0045D2A6 |. 7D 0D JGE SHORT UNPACKED.0045D2B5
0045D2A8 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0045D2AB |. BA D4D34500 MOV EDX,UNPACKED.0045D3D4 ; ASCII "gg"
0045D2B0 |. E8 6B72FAFF CALL UNPACKED.00404520
0045D2B5 |> 8BC3 MOV EAX,EBX ; eax = the result in ebx
0045D2B7 |. B9 10270000 MOV ECX,2710 ; ecx=0x2710=10000
0045D2BC |. 99 CDQ
0045D2BD |. F7F9 IDIV ECX
0045D2BF |. 8BDA MOV EBX,EDX ; edx = eax mod 0x2710
0045D2C1 |. 81FB E8030000 CMP EBX,3E8 ; below 0x3E8=1000?
0045D2C7 |. 7D 06 JGE SHORT UNPACKED.0045D2CF
0045D2C9 |. 81C3 70170000 ADD EBX,1770 ; if below 0x3E8=1000, add 0x1770=6000
0045D2CF |> 3B5D F0 CMP EBX,DWORD PTR SS:[EBP-10] ; compare ebx with the first 4 digits (1234) of the trial code. Note the value of ebx: it is what the first 4 digits of the code must be!! The last 4 stay whatever we typed, i.e. we can set the last 4 digits arbitrarily!? Code found.
0045D2D2 |. 74 0C JE SHORT UNPACKED.0045D2E0 ; key jump: equal means registered. Patching here alone is not enough, because there is also a registry check, which only runs once connected to Lianzhong. <=== can be patched
0045D2D4 |. B8 E0D34500 MOV EAX,UNPACKED.0045D3E0
0045D2D9 |. E8 1E30FDFF CALL UNPACKED.004302FC
0045D2DE |. EB 74 JMP SHORT UNPACKED.0045D354
0045D2E0 |> B2 01 MOV DL,1 ; we can get here and write the registry without patching, but.....
0045D2E2 |. A1 C4B44500 MOV EAX,DWORD PTR DS:[45B4C4]
0045D2E7 |. E8 D8E2FFFF CALL UNPACKED.0045B5C4
0045D2EC |. 8BD8 MOV EBX,EAX
0045D2EE |. B1 01 MOV CL,1
0045D2F0 |. BA 2CD44500 MOV EDX,UNPACKED.0045D42C ; ASCII "Software\zgsq\lzUser"
0045D2F5 |. 8BC3 MOV EAX,EBX
0045D2F7 |. E8 CCE3FFFF CALL UNPACKED.0045B6C8
0045D2FC |. 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
0045D2FF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045D302 |. 8B80 08030000 MOV EAX,DWORD PTR DS:[EAX+308]
0045D308 |. E8 EB94FDFF CALL UNPACKED.004367F8
0045D30D |. 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54]
-----------------------------------------------------------------------
With the above I thought I had found the Lianzhong registration code and could register successfully (Bianfeng's is much the same). Note the word "thought"!!!
Note that the user name must be the registered Lianzhong user name. I tried it, but in Gouji, Show Hand (梭哈) and the like only the card-counting window appears and it does not actually count cards; without registration the window does not appear at all. On the author's forum someone else also seems to say it cannot be used for Gouji, and that person was a paying registered user. I do not know whether it is a bug in his program or a trap he set, and I have not found a way around it. Also, by my method every user would have infinitely many registration codes, which clearly cannot be right, so there must be a problem still unsolved.
So I think s2 must actually have an algorithm tied to the user name. I did not find it by dynamic debugging, because I cannot go online: it seems that although the registry is written successfully, the program still verifies it, and that verification probably only happens after connecting to Lianzhong. I cannot solve that for now, so I have to look at the disassembly instead.
*********************************************************************
Disassembling with W32DASM and searching for suspicious strings, I found "聯眾校驗 1 OK" (Lianzhong check 1 OK).
Below is the disassembly of the Lianzhong check, but the algorithm relating s2 to the user name cannot be found in it.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B34F(C)
|
:0046B35D 40 inc eax
:0046B35E 43 inc ebx
:0046B35F 83F814 cmp eax, 00000014
:0046B362 75BD jne 0046B321
:0046B364 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B367 BA28B44700 mov edx, 0047B428
:0046B36C B915000000 mov ecx, 00000015
:0046B371 E87A93F9FF call 004046F0
:0046B376 8D9574D0FFFF lea edx, dword ptr [ebp+FFFFD074]
:0046B37C 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B37F E894D3F9FF call 00408718
:0046B384 8B9574D0FFFF mov edx, dword ptr [ebp+FFFFD074]
:0046B38A 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B38D E88E91F9FF call 00404520
:0046B392 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B395 E8A693F9FF call 00404740
:0046B39A A344B44700 mov dword ptr [0047B444], eax
:0046B39F B828B44700 mov eax, 0047B428
:0046B3A4 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B3A7 E8A4DAF9FF call 00408E50
:0046B3AC B201 mov dl, 01
:0046B3AE A1C4B44500 mov eax, dword ptr [0045B4C4]
:0046B3B3 E80C02FFFF call 0045B5C4
:0046B3B8 8BF8 mov edi, eax
:0046B3BA B101 mov cl, 01
* Possible StringData Ref from Code Obj ->"Software\zgsq\lzuser"
|
:0046B3BC BAF8B84600 mov edx, 0046B8F8
:0046B3C1 8BC7 mov eax, edi
:0046B3C3 E80003FFFF call 0045B6C8 <==== the registry value seems to be read here
:0046B3C8 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B3CB 8BC7 mov eax, edi
:0046B3CD E89A06FFFF call 0045BA6C <==== or here
:0046B3D2 8BD8 mov ebx, eax
:0046B3D4 889E95030000 mov byte ptr [esi+00000395], bl
:0046B3DA 84DB test bl, bl
:0046B3DC 0F8481000000 je 0046B463
:0046B3E2 8D8D70D0FFFF lea ecx, dword ptr [ebp+FFFFD070]
:0046B3E8 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B3EB 8BC7 mov eax, edi
:0046B3ED E8BE04FFFF call 0045B8B0
:0046B3F2 8B9570D0FFFF mov edx, dword ptr [ebp+FFFFD070]
:0046B3F8 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B3FB E82091F9FF call 00404520
:0046B400 B840B44700 mov eax, 0047B440
:0046B405 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B408 E8CF90F9FF call 004044DC
:0046B40D 8D856CD0FFFF lea eax, dword ptr [ebp+FFFFD06C]
:0046B413 50 push eax
:0046B414 B904000000 mov ecx, 00000004 <==== take 4 characters
:0046B419 BA05000000 mov edx, 00000005 <==== starting at position 5
:0046B41E 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B421 E87295F9FF call 00404998 <==== the substring call
:0046B426 8B856CD0FFFF mov eax, dword ptr [ebp+FFFFD06C]
:0046B42C 33D2 xor edx, edx
:0046B42E E87DD6F9FF call 00408AB0
:0046B433 A348B44700 mov dword ptr [0047B448], eax <=== last 4 digits of the trial code stored
:0046B438 8D8568D0FFFF lea eax, dword ptr [ebp+FFFFD068]
:0046B43E 50 push eax
:0046B43F B904000000 mov ecx, 00000004 <==== take 4 characters
:0046B444 BA01000000 mov edx, 00000001 <==== starting at position 1
:0046B449 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B44C E84795F9FF call 00404998 <==== the substring call
:0046B451 8B8568D0FFFF mov eax, dword ptr [ebp+FFFFD068]
:0046B457 33D2 xor edx, edx
:0046B459 E852D6F9FF call 00408AB0
:0046B45E A34CB44700 mov dword ptr [0047B44C], eax <=== first 4 digits of the trial code stored
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B3DC(C)
|
:0046B463 8BC7 mov eax, edi
:0046B465 E82E82F9FF call 00403698
:0046B46A 8D8564D0FFFF lea eax, dword ptr [ebp+FFFFD064]
:0046B470 50 push eax
:0046B471 B904000000 mov ecx, 00000004
:0046B476 BA05000000 mov edx, 00000005
:0046B47B 8B45E4 mov eax, dword ptr [ebp-1C]
:0046B47E E81595F9FF call 00404998
:0046B483 8B8564D0FFFF mov eax, dword ptr [ebp+FFFFD064]
:0046B489 50 push eax
:0046B48A 8D8560D0FFFF lea eax, dword ptr [ebp+FFFFD060]
:0046B490 BA28B44700 mov edx, 0047B428
:0046B495 B915000000 mov ecx, 00000015
:0046B49A E85192F9FF call 004046F0
:0046B49F 8B9560D0FFFF mov edx, dword ptr [ebp+FFFFD060]
:0046B4A5 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B4A8 59 pop ecx
:0046B4A9 E8DE92F9FF call 0040478C
:0046B4AE 8D85A6D8FFFF lea eax, dword ptr [ebp+FFFFD8A6]
:0046B4B4 8B55E4 mov edx, dword ptr [ebp-1C]
:0046B4B7 E894D9F9FF call 00408E50
:0046B4BC BFDE040000 mov edi, 000004DE <=== the same 0x4DE seed and mod 10000; the algorithm below is the same as above
:0046B4C1 A144B44700 mov eax, dword ptr [0047B444]
:0046B4C6 83C004 add eax, 00000004
:0046B4C9 48 dec eax
:0046B4CA 85C0 test eax, eax
:0046B4CC 7C49 jl 0046B517
:0046B4CE 40 inc eax
:0046B4CF 8945D8 mov dword ptr [ebp-28], eax
:0046B4D2 33C0 xor eax, eax
:0046B4D4 8D9DA6D8FFFF lea ebx, dword ptr [ebp+FFFFD8A6]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B515(C)
|
:0046B4DA 8BD0 mov edx, eax
:0046B4DC 0FAFD0 imul edx, eax
:0046B4DF 03FA add edi, edx
:0046B4E1 33D2 xor edx, edx
:0046B4E3 8A13 mov dl, byte ptr [ebx]
:0046B4E5 0FAFD0 imul edx, eax
:0046B4E8 03FA add edi, edx
:0046B4EA 8B1544B44700 mov edx, dword ptr [0047B444]
:0046B4F0 83C204 add edx, 00000004
:0046B4F3 4A dec edx
:0046B4F4 83FA00 cmp edx, 00000000
:0046B4F7 7C17 jl 0046B510
:0046B4F9 8955F8 mov dword ptr [ebp-08], edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B50E(C)
|
:0046B4FC 8D1438 lea edx, dword ptr [eax+edi]
:0046B4FF 33C9 xor ecx, ecx
:0046B501 8A0B mov cl, byte ptr [ebx]
:0046B503 03D1 add edx, ecx
:0046B505 8BFA mov edi, edx
:0046B507 FF4DF8 dec [ebp-08]
:0046B50A 837DF8FF cmp dword ptr [ebp-08], FFFFFFFF
:0046B50E 75EC jne 0046B4FC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B4F7(C)
|
:0046B510 40 inc eax
:0046B511 43 inc ebx
:0046B512 FF4DD8 dec [ebp-28]
:0046B515 75C3 jne 0046B4DA
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B4CC(C)
|
:0046B517 85FF test edi, edi
:0046B519 7D0D jge 0046B528
:0046B51B 8D45E4 lea eax, dword ptr [ebp-1C]
:0046B51E BA18B94600 mov edx, 0046B918
:0046B523 E8F88FF9FF call 00404520
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B519(C)
|
:0046B528 8BC7 mov eax, edi
:0046B52A B910270000 mov ecx, 00002710
:0046B52F 99 cdq
:0046B530 F7F9 idiv ecx
:0046B532 8BFA mov edi, edx
:0046B534 81FFE8030000 cmp edi, 000003E8
:0046B53A 7D06 jge 0046B542
:0046B53C 81C770170000 add edi, 00001770
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B53A(C)
|
:0046B542 3B3D4CB44700 cmp edi, dword ptr [0047B44C] <=== compare with the first 4 digits of the trial code
:0046B548 7515 jne 0046B55F <=== can be patched
* Possible StringData Ref from Code Obj ->"聯眾校驗 1 OK"
|
:0046B54A BA24B94600 mov edx, 0046B924
:0046B54F 8BC6 mov eax, esi
:0046B551 E896550000 call 00470AEC
:0046B556 C60550B4470001 mov byte ptr [0047B450], 01 <=== success flag
:0046B55D EB13 jmp 0046B572
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B548(C)
|
* Possible StringData Ref from Code Obj ->"聯眾校驗 1 false"
|
:0046B55F BA3CB94600 mov edx, 0046B93C
:0046B564 8BC6 mov eax, esi
:0046B566 E881550000 call 00470AEC
:0046B56B C60550B4470000 mov byte ptr [0047B450], 00 <=== failure flag
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046B30A(C), :0046B314(C), :0046B55D(U)
|
:0046B572 8A8567E8FFFF mov al, byte ptr [ebp+FFFFE867]
:0046B578 3CCD cmp al, CD
:0046B57A 7408 je 0046B584
:0046B57C 3CCD cmp al, CD
:0046B57E 0F858D010000 jne 0046B711
.........
------------------------------------------------------------------------------------
************************************************************
Searching further; hard work pays off!
Disassembling with W32DASM and searching for suspicious strings: "聯眾註冊檢測2透過" (Lianzhong registration check 2 passed).
Below is the disassembly of Lianzhong registration check 2, the one for s2; this is the key!!!
After connecting to Lianzhong, the registration data is read from the registry and we arrive at the following call:
* Referenced by a CALL at Address:
|:00460DF1
|
:00463404 55 push ebp
:00463405 8BEC mov ebp, esp
:00463407 83C4E4 add esp, FFFFFFE4
:0046340A 53 push ebx
:0046340B 56 push esi
:0046340C 57 push edi
:0046340D 894DF8 mov dword ptr [ebp-08], ecx
:00463410 8945FC mov dword ptr [ebp-04], eax
:00463413 8B7508 mov esi, dword ptr [ebp+08]
:00463416 8BDA mov ebx, edx
:00463418 8B83109D0000 mov eax, dword ptr [ebx+00009D10]
:0046341E 8945F0 mov dword ptr [ebp-10], eax
:00463421 8B83089D0000 mov eax, dword ptr [ebx+00009D08]
:00463427 8D940330080000 lea edx, dword ptr [ebx+eax+00000830]
:0046342E 8B45F8 mov eax, dword ptr [ebp-08]
:00463431 8BCE mov ecx, esi
:00463433 E8ACF4F9FF call 004028E4
:00463438 01B3089D0000 add dword ptr [ebx+00009D08], esi
:0046343E 81BB089D000088130000 cmp dword ptr [ebx+00009D08], 00001388
:00463448 7E17 jle 00463461
:0046344A 33C0 xor eax, eax
:0046344C 8983089D0000 mov dword ptr [ebx+00009D08], eax
:00463452 C783109D0000FFFFFFFF mov dword ptr [ebx+00009D10], FFFFFFFF
:0046345C E9E8020000 jmp 00463749
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00463448(C), :00463743(C)
|
:00463461 8B83089D0000 mov eax, dword ptr [ebx+00009D08]
:00463467 8945F4 mov dword ptr [ebp-0C], eax
:0046346A 837DF40A cmp dword ptr [ebp-0C], 0000000A
:0046346E 0F8CD5020000 jl 00463749
:00463474 80BB3308000000 cmp byte ptr [ebx+00000833], 00
:0046347B 7507 jne 00463484
:0046347D BE08000000 mov esi, 00000008
:00463482 EB05 jmp 00463489
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046347B(C)
|
:00463484 BE0C000000 mov esi, 0000000C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463482(U)
|
:00463489 8D55EC lea edx, dword ptr [ebp-14]
:0046348C 8D8334080000 lea eax, dword ptr [ebx+00000834]
:00463492 B904000000 mov ecx, 00000004
:00463497 E848F4F9FF call 004028E4
:0046349C 0375EC add esi, dword ptr [ebp-14]
:0046349F 3B75F4 cmp esi, dword ptr [ebp-0C]
:004634A2 7E03 jle 004634A7
:004634A4 83CEFF or esi, FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004634A2(C)
|
:004634A7 83FEFF cmp esi, FFFFFFFF
:004634AA 0F8499020000 je 00463749
:004634B0 80BB3008000000 cmp byte ptr [ebx+00000830], 00
:004634B7 0F8589000000 jne 00463546
:004634BD A1A04D4900 mov eax, dword ptr [00494DA0]
:004634C2 8945E8 mov dword ptr [ebp-18], eax <==== fetch the user name
:004634C5 33C9 xor ecx, ecx <==== ecx=0
:004634C7 8B45E8 mov eax, dword ptr [ebp-18]
:004634CA 8B401C mov eax, dword ptr [eax+1C]
:004634CD 85C0 test eax, eax
:004634CF 7E23 jle 004634F4
:004634D1 8945E4 mov dword ptr [ebp-1C], eax <==== length of the user name
:004634D4 B801000000 mov eax, 00000001 <==== eax=1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004634F2(C)
|
:004634D9 8B55E8 mov edx, dword ptr [ebp-18] <==== user name into edx
:004634DC 0FB65402FF movzx edx, byte ptr [edx+eax-01] <==== next ASCII value of the user name
:004634E1 8D787A lea edi, dword ptr [eax+7A] <==== edi=eax+0x7A
:004634E4 0FAFD7 imul edx, edi <==== edx=edx*edi
:004634E7 8D0C08 lea ecx, dword ptr [eax+ecx] <==== ecx=eax+ecx
:004634EA 03D1 add edx, ecx <==== edx=edx+ecx
:004634EC 8BCA mov ecx, edx <==== ecx=edx
:004634EE 40 inc eax <==== eax+1
:004634EF FF4DE4 dec [ebp-1C] <==== remaining user-name length minus 1
:004634F2 75E5 jne 004634D9 <==== loop
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004634CF(C)
|
:004634F4 8BC1 mov eax, ecx <==== eax=ecx
:004634F6 B910270000 mov ecx, 00002710 <==== ecx=0x2710=10000
:004634FB 99 cdq
:004634FC F7F9 idiv ecx <==== edx = eax mod 0x2710
:004634FE 8BCA mov ecx, edx <==== ecx=edx
:00463500 837DF01A cmp dword ptr [ebp-10], 0000001A <==== not traced dynamically, so I don't know what this is; it does not seem to matter. Is what follows meant to zero-pad to 3 digits? I don't understand its purpose; advice from the experts welcome.
:00463504 7C1C jl 00463522 <==== presumably normally not taken; can be patched. I don't understand what follows; advice welcome.
:00463506 8BC1 mov eax, ecx
:00463508 BF10270000 mov edi, 00002710
:0046350D 99 cdq
:0046350E F7FF idiv edi <==== another remainder? edx = eax mod 0x2710
:00463510 8B45E8 mov eax, dword ptr [ebp-18] <==== user name
:00463513 3B5020 cmp edx, dword ptr [eax+20] <==== compare with the last 4 digits of the code
:00463516 740A je 00463522 <==== jump if equal; can be patched
:00463518 C783109D0000FFFFFFFF mov dword ptr [ebx+00009D10], FFFFFFFF
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00463504(C), :00463516(C)
|
:00463522 8B45E8 mov eax, dword ptr [ebp-18] <==== user name
:00463525 3B4820 cmp ecx, dword ptr [eax+20] <==== the real last 4 digits of the code are ecx!!!!
:00463528 750F jne 00463539 <==== key jump; can it be patched? probably
* Possible StringData Ref from Code Obj ->"聯眾註冊檢測2透過" <=== note what this string is??
|
:0046352A BA5C374600 mov edx, 0046375C
:0046352F 8B45FC mov eax, dword ptr [ebp-04]
:00463532 E8B5D50000 call 00470AEC
:00463537 EB0D jmp 00463546
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00463528(C)
|
* Possible StringData Ref from Code Obj ->"聯眾註冊檢測2錯誤"
|
:00463539 BA78374600 mov edx, 00463778
:0046353E 8B45FC mov eax, dword ptr [ebp-04]
:00463541 E8A6D50000 call 00470AEC
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004634B7(C), :00463537(U)
|
:00463546 3B75F4 cmp esi, dword ptr [ebp-0C]
:00463549 0F8FEB010000 jg 0046373A
:0046354F 8B45F0 mov eax, dword ptr [ebp-10]
:00463552 83F81F cmp eax, 0000001F
:00463555 0F87C1010000 ja 0046371C
:0046355B FF248562354600 jmp dword ptr [4*eax+00463562]
:00463562 F7354600 DWORD 004635F7
:00463566 E2354600 DWORD 004635E2
:0046356A 1C374600 DWORD 0046371C
Found it at last, through a mix of guesswork and deduction.
The keygen program follows, written in Delphi; the Lianzhong part has been verified against Lianzhong.
I don't play Bianfeng; interested readers can verify that part themselves.
//======================================================================
// Lianzhong keygen routine
//------------------------------------------------------------
procedure TForm1.Button1Click(Sender: TObject);
var
  s1, s2, s3 : string;
  m, n, i, inc : integer;
  c1 : char;
begin
  s1 := trim(edit1.Text);
  m := length(s1);
  n := 0;
  // check 2 (004634D9): ecx := ecx + ord(c)*(i+0x7A) + i over the user name
  for i := 1 to m do begin
    c1 := s1[i];
    inc := ord(c1);
    n := n + inc*(i+122) + i;
  end;
  n := n mod 10000;
  s2 := inttostr(n);
  // the program reads exactly 4 characters for the suffix, so pad to 4 digits
  while length(s2) < 4 do s2 := '0' + s2;
  s3 := s1 + s2;
  m := length(s3);
  n := 1246;  // 0x4DE
  // check 1 (0045D276): per character at 1-based position i of the string of length m
  for i := 1 to m do begin
    c1 := s3[i];
    inc := ord(c1);
    n := n + (i-1)*m + inc*(m+i-1) + (i-1)*(i-1);
  end;
  n := n mod 10000;
  if n < 1000 then n := n + 6000;
  edit2.Text := inttostr(n) + s2;
end;
//------------------------------------------------------------
// Bianfeng keygen routine
//------------------------------------------------------------
procedure TForm1.Button3Click(Sender: TObject);
var
  s1, s2, s3 : string;
  m, n, i, inc : integer;
  c1 : char;
begin
  s1 := trim(edit3.Text);
  m := length(s1);
  n := 0;
  for i := 1 to m do begin
    c1 := s1[i];
    inc := ord(c1);
    n := n + inc*(i+255);  // this part is unverified; it may be wrong
  end;
  n := n mod 10000;
  s2 := inttostr(n);
  while length(s2) < 4 do s2 := '0' + s2;
  s3 := s1 + s2;
  m := length(s3);
  n := 3210;
  for i := 1 to m do begin
    c1 := s3[i];
    inc := ord(c1);
    n := n + (i-1)*m + inc*(m+i-1) + (i-1)*(i-1);
  end;
  n := n mod 100000;
  if n < 10000 then n := n + 80000;
  edit4.Text := inttostr(n) + s2;
end;
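As an added example that is not code from the original post, here are the two Lianzhong checks re-derived from the disassembly above in Python, so the reading of the two loops can be tested without the debugger and the author's point that check 1 alone constrains only the first four digits can be measured. It assumes ASCII user names (the program hashes single bytes), a constructed sample user name, and, as the post does, it ignores the untraced branch at 00463500.

```python
# Added example, not code from the original post: the two registration checks
# re-derived from the disassembly (check 1 at 0045D276 / 0046B4DA, check 2 at
# 004634D9) as plain Python. Assumptions: ASCII user names (the program hashes
# single bytes) and, as in the post, the untraced branch at 00463500 is ignored.

def check2_suffix(user: str) -> str:
    """Check 2 (004634D9): ecx = sum over 1-based i of ord(c)*(i+0x7A) + i,
    then ecx mod 0x2710. The program compares it with the last four digits of
    the stored code, so the result is zero-padded to exactly four characters."""
    ecx = 0
    for i, c in enumerate(user, start=1):
        ecx += ord(c) * (i + 0x7A) + i
    return f"{ecx % 0x2710:04d}"


def check1_prefix(user: str, suffix: str) -> str:
    """Check 1 (0045D276): hash of user+suffix seeded with 0x4DE (1246).
    For the character c at 0-based position k in a string of length m:
      ebx += k*k + ord(c)*k            (outer loop body)
      ebx += m*k + m*ord(c)            (inner loop, which runs m times)
    Then ebx mod 0x2710; if below 0x3E8 add 0x1770, so it is always 4 digits."""
    s3 = user + suffix
    m = len(s3)
    ebx = 0x4DE
    for k, c in enumerate(s3):
        ebx += k * k + ord(c) * k
        ebx += m * k + m * ord(c)
    ebx %= 0x2710
    if ebx < 0x3E8:
        ebx += 0x1770
    return f"{ebx:04d}"


def expected_code(user: str) -> str:
    """The one 8-digit code that satisfies both checks for this user
    (same result as the Delphi Button1Click above)."""
    s2 = check2_suffix(user)
    return check1_prefix(user, s2) + s2


def passes_check1(user: str, code: str) -> bool:
    """Registration-dialog check: 8 digits, and the first four must equal the
    hash of user + last four (the compare at 0045D2CF)."""
    if len(code) != 8 or not code.isdigit():
        return False
    return code[:4] == check1_prefix(user, code[4:])


def passes_check2(user: str, code: str) -> bool:
    """Online check (compare at 00463525): last four digits must equal check2_suffix."""
    return len(code) == 8 and code[4:] == check2_suffix(user)


def suffixes_accepted(user: str, check) -> int:
    """Count how many of the 10000 possible suffixes `check` accepts when the
    prefix is chosen to satisfy check 1. Check 1 alone accepts every one
    (the author's 'infinitely many codes per user'); check 2 pins exactly one."""
    return sum(
        1 for s in range(10000)
        if check(user, check1_prefix(user, f"{s:04d}") + f"{s:04d}")
    )


if __name__ == "__main__":
    user = "ab"  # constructed sample user name
    print(user, expected_code(user),
          suffixes_accepted(user, passes_check1),
          suffixes_accepted(user, passes_check2))
```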
========================================================================
Random thought: could we find the breakpoint at the point where it connects to Lianzhong and change the jump so that it skips, or jumps straight into, the registration check 2 part? Then we could debug his checks dynamically without going online. Would that work?
Interested readers can also try patching; I have marked the patch points, and Bianfeng's are similar.
You can now register all your game IDs. I don't know whether every game ID will work after patching; give it a try. I'm tired.