軟體:leapftp2.7.4
閒著沒事,從網上拉下來分析了一下,發現這個軟體註冊演算法很有趣。他一共有兩種註冊碼演算法。
第一種註冊碼和使用者名稱無關,可以隨便輸入。運算手法只是將你輸入假碼經過運算,得出真正的註冊碼,格式為:
XXXX-XXXX-XXXX-XXXX。
第二種註冊碼是將使用者名稱運算出一個註冊碼,然後再和一個214065合在一起,也就是樓主所說的在記憶體中看到的不變的數字。格式為:
214065-XXXXXXXXX \\注:這裡的XXXXXXXXX是將使用者名稱運算出來的,不一定是九位。
以下是我粗粗的分析了一下,不對之處請大家指教。
:0048742A 8B45F8 mov eax, dword ptr [ebp-08] \\中斷在這裡,此時EAX值為輸入假碼。
:0048742D 8D55FC lea edx, dword ptr [ebp-04]
:00487430 E87B16F8FF call 00408AB0 \\這個Call雖然可疑,但不是關鍵點。
:00487435 80BBF402000000 cmp byte ptr [ebx+000002F4], 00
:0048743C 740E je 0048744C
:0048743E 8B55FC mov edx, dword ptr [ebp-04]
:00487441 8BC3 mov eax, ebx
:00487443 E888030000 call 004877D0 \\第一個關健Call,算出第一種註冊碼,格式為:XXXX-XXXX-XXXX-XXXX。
:00487448 84C0 test al, al
:0048744A 7526 jne 00487472 \\一開始已經說過,這個軟體有兩種註冊碼演算法,所以如果第一個註冊碼是對的就直接跳到註冊成功處,如果第一個註冊碼是錯的話這裡將不跳繼續算出第二種註冊碼。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048743C(C)
|
:0048744C 8B83F0020000 mov eax, dword ptr [ebx+000002F0] \\第一次註冊碼錯的話在這裡繼續運算。
:00487452 50 push eax
:00487453 8D55F4 lea edx, dword ptr [ebp-0C]
:00487456 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:0048745C E867C5FAFF call 004339C8
:00487461 8B55F4 mov edx, dword ptr [ebp-0C]
:00487464 8B4DFC mov ecx, dword ptr [ebp-04]
:00487467 8BC3 mov eax, ebx
:00487469 E8BA010000 call 00487628 \\第二個關健Call,算出第二種註冊碼,格式為:214065-XXXXXXXXX。
:0048746E 84C0 test al, al
:00487470 7462 je 004874D4 \\若第二種註冊碼也是錯的話,這裡將跳到出錯點。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048744A(C)
|
:00487472 8D55F0 lea edx, dword ptr [ebp-10]
:00487475 8B83E4020000 mov eax, dword ptr [ebx+000002E4]
:0048747B E848C5FAFF call 004339C8
:00487480 8B45F0 mov eax, dword ptr [ebp-10]
:00487483 50 push eax
:00487484 8D55EC lea edx, dword ptr [ebp-14]
:00487487 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:0048748D E836C5FAFF call 004339C8
:00487492 8B4DEC mov ecx, dword ptr [ebp-14]
:00487495 8B93EC020000 mov edx, dword ptr [ebx+000002EC]
:0048749B 8BC3 mov eax, ebx
:0048749D E8AE040000 call 00487950
* Possible StringData Ref from Code Obj ->"感謝你的註冊!"
|
:004874A2 B820754800 mov eax, 00487520
:004874A7 E87834FDFF call 0045A924
:004874AC C7833402000001000000 mov dword ptr [ebx+00000234], 00000001
:004874B6 8D55E8 lea edx, dword ptr [ebp-18]
:004874B9 8B83D0020000 mov eax, dword ptr [ebx+000002D0]
:004874BF E804C5FAFF call 004339C8
:004874C4 8B55E8 mov edx, dword ptr [ebp-18]
:004874C7 8D83E8020000 lea eax, dword ptr [ebx+000002E8]
:004874CD E806C8F7FF call 00403CD8
:004874D2 EB15 jmp 004874E9
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487470(C)
|
:004874D4 6A00 push 00000000
:004874D6 668B0D3C754800 mov cx, word ptr [0048753C]
:004874DD B201 mov dl, 01
* Possible StringData Ref from Code Obj ->"你輸入的許可密匙是不正確的. 要確保準確, "
->"你應該直接總你的購買確認 E-Mail "
->"中複製並貼上序列號. 如果你繼續操作後碰到麻煩, "
->"請聯絡support@leapware.com."
|
:004874DF B848754800 mov eax, 00487548
:004874E4 E84333FDFF call 0045A82C \\跳到這裡已經完了。
這裡是第一個關健Call
:004877D0 55 push ebp
:004877D1 8BEC mov ebp, esp
:004877D3 83C4F4 add esp, FFFFFFF4
:004877D6 53 push ebx
:004877D7 56 push esi
:004877D8 57 push edi
:004877D9 8955FC mov dword ptr [ebp-04], edx
:004877DC 8B45FC mov eax, dword ptr [ebp-04]
:004877DF E8D4C8F7FF call 004040B8
:004877E4 33C0 xor eax, eax
:004877E6 55 push ebp
:004877E7 683D794800 push 0048793D
:004877EC 64FF30 push dword ptr fs:[eax]
:004877EF 648920 mov dword ptr fs:[eax], esp
:004877F2 C645FB00 mov [ebp-05], 00
:004877F6 8B45FC mov eax, dword ptr [ebp-04]
:004877F9 E806C7F7FF call 00403F04 \\這個Call得到註冊碼位數
:004877FE 83F813 cmp eax, 00000013
:00487801 0F8520010000 jne 00487927 \\若註冊碼位數不等於十六進位制13位,就跳出這個Call進行第二種註冊碼運算。
:00487807 8B45FC mov eax, dword ptr [ebp-04]
:0048780A 8078042D cmp byte ptr [eax+04], 2D \\註冊碼第5位必須是ASLL碼“-”
:0048780E 0F8513010000 jne 00487927
:00487814 8B45FC mov eax, dword ptr [ebp-04]
:00487817 8078092D cmp byte ptr [eax+09], 2D \\註冊碼第10位必須是ASLL碼“-”
:0048781B 0F8506010000 jne 00487927
:00487821 8B45FC mov eax, dword ptr [ebp-04]
:00487824 80780E2D cmp byte ptr [eax+0E], 2D \\註冊碼第15位必須是ASLL碼“-”
從這裡開始是將註冊碼的第一位至十四位運算出4個值分別儲存。我這裡就不註釋了。有興趣的朋友自己分析分析。
:00487828 0F85F9000000 jne 00487927
:0048782E 33F6 xor esi, esi
:00487830 33FF xor edi, edi
:00487832 33C0 xor eax, eax
:00487834 8945F4 mov dword ptr [ebp-0C], eax
:00487837 BB01000000 mov ebx, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004878C2(C)
|
:0048783C 8BC3 mov eax, ebx
:0048783E 2503000080 and eax, 80000003
:00487843 7905 jns 0048784A
:00487845 48 dec eax
:00487846 83C8FC or eax, FFFFFFFC
:00487849 40 inc eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487843(C)
|
:0048784A 85C0 test eax, eax
:0048784C 7516 jne 00487864
:0048784E 8B45FC mov eax, dword ptr [ebp-04]
:00487851 8A4418FF mov al, byte ptr [eax+ebx-01]
:00487855 E84EFFFFFF call 004877A8
:0048785A 84C0 test al, al
:0048785C 0F84C5000000 je 00487927
:00487862 EB22 jmp 00487886
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048784C(C)
|
:00487864 8BC3 mov eax, ebx
:00487866 B905000000 mov ecx, 00000005
:0048786B 99 cdq
:0048786C F7F9 idiv ecx
:0048786E 85D2 test edx, edx
:00487870 7414 je 00487886
:00487872 8B45FC mov eax, dword ptr [ebp-04]
:00487875 8A4418FF mov al, byte ptr [eax+ebx-01]
:00487879 E83EFFFFFF call 004877BC
:0048787E 84C0 test al, al
:00487880 0F84A1000000 je 00487927
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00487862(U), :00487870(C)
|
:00487886 8B45FC mov eax, dword ptr [ebp-04]
:00487889 8A4418FF mov al, byte ptr [eax+ebx-01]
:0048788D 3C2D cmp al, 2D
:0048788F 742D je 004878BE
:00487891 83FB05 cmp ebx, 00000005
:00487894 7D0C jge 004878A2
:00487896 8B55FC mov edx, dword ptr [ebp-04]
:00487899 25FF000000 and eax, 000000FF
:0048789E 03F0 add esi, eax
:004878A0 EB1C jmp 004878BE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487894(C)
|
:004878A2 83FB0A cmp ebx, 0000000A
:004878A5 7D0C jge 004878B3
:004878A7 8B55FC mov edx, dword ptr [ebp-04]
:004878AA 25FF000000 and eax, 000000FF
:004878AF 03F8 add edi, eax
:004878B1 EB0B jmp 004878BE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004878A5(C)
|
:004878B3 8B55FC mov edx, dword ptr [ebp-04]
:004878B6 25FF000000 and eax, 000000FF
:004878BB 0145F4 add dword ptr [ebp-0C], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0048788F(C), :004878A0(U), :004878B1(U)
|
:004878BE 43 inc ebx
:004878BF 83FB0F cmp ebx, 0000000F
:004878C2 0F8574FFFFFF jne 0048783C
:004878C8 8D0C37 lea ecx, dword ptr [edi+esi]
:004878CB 034DF4 add ecx, dword ptr [ebp-0C]
:004878CE 8BC6 mov eax, esi
從這裡開始再將上面運算出的4個值運算出最後四位註冊碼。
:004878D0 BB1A000000 mov ebx, 0000001A
:004878D5 99 cdq
:004878D6 F7FB idiv ebx
:004878D8 83C241 add edx, 00000041
:004878DB 8B45FC mov eax, dword ptr [ebp-04]
:004878DE 3A500F cmp dl, byte ptr [eax+0F]
:004878E1 7544 jne 00487927
:004878E3 8BC7 mov eax, edi
:004878E5 BB1A000000 mov ebx, 0000001A
:004878EA 99 cdq
:004878EB F7FB idiv ebx
:004878ED 83C241 add edx, 00000041
:004878F0 8B45FC mov eax, dword ptr [ebp-04]
:004878F3 3A5010 cmp dl, byte ptr [eax+10]
:004878F6 752F jne 00487927
:004878F8 8B45F4 mov eax, dword ptr [ebp-0C]
:004878FB BB1A000000 mov ebx, 0000001A
:00487900 99 cdq
:00487901 F7FB idiv ebx
:00487903 83C241 add edx, 00000041
:00487906 8B45FC mov eax, dword ptr [ebp-04]
:00487909 3A5011 cmp dl, byte ptr [eax+11]
:0048790C 7519 jne 00487927
:0048790E 8BC1 mov eax, ecx
:00487910 B91A000000 mov ecx, 0000001A
:00487915 99 cdq
:00487916 F7F9 idiv ecx
:00487918 83C241 add edx, 00000041
:0048791B 8B45FC mov eax, dword ptr [ebp-04]
:0048791E 3A5012 cmp dl, byte ptr [eax+12]
:00487921 7504 jne 00487927
:00487923 C645FB01 mov [ebp-05], 01
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00487801(C), :0048780E(C), :0048781B(C), :00487828(C), :0048785C(C)
|:00487880(C), :004878E1(C), :004878F6(C), :0048790C(C), :00487921(C)
|
:00487927 33C0 xor eax, eax
:00487929 5A pop edx
:0048792A 59 pop ecx
:0048792B 59 pop ecx
:0048792C 648910 mov dword ptr fs:[eax], edx
:0048792F 6844794800 push 00487944
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487942(U)
|
:00487934 8D45FC lea eax, dword ptr [ebp-04]
:00487937 E848C3F7FF call 00403C84
:0048793C C3 ret
:0048793D E9DABDF7FF jmp 0040371C
:00487942 EBF0 jmp 00487934
:00487944 8A45FB mov al, byte ptr [ebp-05]
:00487947 5F pop edi
:00487948 5E pop esi
:00487949 5B pop ebx
:0048794A 8BE5 mov esp, ebp
:0048794C 5D pop ebp
:0048794D C3 ret
這裡是第二個關健Call,也是樓主所找到的關健Call。
:00487628 55 push ebp
:00487629 8BEC mov ebp, esp
:0048762B 83C4DC add esp, FFFFFFDC
:0048762E 53 push ebx
:0048762F 33DB xor ebx, ebx
:00487631 895DDC mov dword ptr [ebp-24], ebx
:00487634 895DE0 mov dword ptr [ebp-20], ebx
:00487637 895DEC mov dword ptr [ebp-14], ebx
:0048763A 894DF8 mov dword ptr [ebp-08], ecx
:0048763D 8955FC mov dword ptr [ebp-04], edx \\初始化記憶體。
:00487640 8B45FC mov eax, dword ptr [ebp-04]
:00487643 E870CAF7FF call 004040B8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004875CF(C)
|
:00487648 8B45F8 mov eax, dword ptr [ebp-08]
:0048764B E868CAF7FF call 004040B8
:00487650 8B4508 mov eax, dword ptr [ebp+08]
:00487653 E860CAF7FF call 004040B8
:00487658 33C0 xor eax, eax
:0048765A 55 push ebp
:0048765B 688B774800 push 0048778B
:00487660 64FF30 push dword ptr fs:[eax]
:00487663 648920 mov dword ptr fs:[eax], esp
:00487666 33C0 xor eax, eax
:00487668 8945F0 mov dword ptr [ebp-10], eax
:0048766B 8945F4 mov dword ptr [ebp-0C], eax
:0048766E 8B45FC mov eax, dword ptr [ebp-04]
:00487671 E88EC8F7FF call 00403F04
:00487676 8BD0 mov edx, eax
:00487678 85D2 test edx, edx
:0048767A 7E33 jle 004876AF
:0048767C B801000000 mov eax, 00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004876AD(C)
|
:00487681 8B4DFC mov ecx, dword ptr [ebp-04] \\取得使用者名稱
:00487684 0FB64C01FF movzx ecx, byte ptr [ecx+eax-01]
:00487689 0FAFC8 imul ecx, eax
:0048768C 8BD9 mov ebx, ecx
:0048768E C1E104 shl ecx, 04
:00487691 2BCB sub ecx, ebx
:00487693 894DE8 mov dword ptr [ebp-18], ecx
:00487696 DB45E8 fild dword ptr [ebp-18]
:00487699 DC45F0 fadd qword ptr [ebp-10]
:0048769C 8D0C80 lea ecx, dword ptr [eax+4*eax]
:0048769F 894DE4 mov dword ptr [ebp-1C], ecx
:004876A2 DB45E4 fild dword ptr [ebp-1C]
:004876A5 DEC1 faddp st(1), st(0)
:004876A7 DD5DF0 fstp qword ptr [ebp-10]
:004876AA 9B wait
:004876AB 40 inc eax
:004876AC 4A dec edx
:004876AD 75D2 jne 00487681 \\將使用者名稱分別取出迴圈運算出一個值,最後儲存到浮點暫存器中。
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048767A(C)
|
:004876AF 8B4508 mov eax, dword ptr [ebp+08] \\取出註冊碼常數214065。
:004876B2 E84D16F8FF call 00408D04
:004876B7 8945E8 mov dword ptr [ebp-18], eax \\這裡開始再將註冊常數和剛才使用者名稱運算到的值再用浮點數算出正確註冊碼。
:004876BA DB45E8 fild dword ptr [ebp-18]
:004876BD DD45F0 fld qword ptr [ebp-10]
:004876C0 DC4DF0 fmul qword ptr [ebp-10]
:004876C3 DEC1 faddp st(1), st(0)
:004876C5 DD5DF0 fstp qword ptr [ebp-10]
:004876C8 9B wait
:004876C9 DD45F0 fld qword ptr [ebp-10]
:004876CC 83C4F4 add esp, FFFFFFF4
:004876CF DB3C24 fstp tbyte ptr [esp]
:004876D2 9B wait
:004876D3 8D45EC lea eax, dword ptr [ebp-14] \\到這裡已經運算出正確的註冊碼。儲存在浮點暫存器中。
:004876D6 E85525F8FF call 00409C30
:004876DB 8D45E0 lea eax, dword ptr [ebp-20]
:004876DE 50 push eax
:004876DF 8B55F8 mov edx, dword ptr [ebp-08]
:004876E2 B8A4774800 mov eax, 004877A4
:004876E7 E804CBF7FF call 004041F0
:004876EC 8BC8 mov ecx, eax
:004876EE 49 dec ecx
:004876EF BA01000000 mov edx, 00000001
:004876F4 8B45F8 mov eax, dword ptr [ebp-08]
:004876F7 E810CAF7FF call 0040410C
:004876FC 8B45E0 mov eax, dword ptr [ebp-20]
:004876FF 8B5508 mov edx, dword ptr [ebp+08]
:00487702 E80DC9F7FF call 00404014 \\這個Call比較註冊碼的正錯。
:00487707 7548 jne 00487751 \\若返回0則說明你的註冊碼是錯的。
:00487709 8D45DC lea eax, dword ptr [ebp-24]
:0048770C 50 push eax
:0048770D 8B55F8 mov edx, dword ptr [ebp-08]
:00487710 B8A4774800 mov eax, 004877A4
:00487715 E8D6CAF7FF call 004041F0
:0048771A 50 push eax
:0048771B 8B45F8 mov eax, dword ptr [ebp-08]
:0048771E E8E1C7F7FF call 00403F04
:00487723 5A pop edx
:00487724 2BC2 sub eax, edx
:00487726 50 push eax
:00487727 8B55F8 mov edx, dword ptr [ebp-08]
:0048772A B8A4774800 mov eax, 004877A4
:0048772F E8BCCAF7FF call 004041F0
:00487734 8BD0 mov edx, eax
:00487736 42 inc edx
:00487737 8B45F8 mov eax, dword ptr [ebp-08]
:0048773A 59 pop ecx
:0048773B E8CCC9F7FF call 0040410C
:00487740 8B45DC mov eax, dword ptr [ebp-24]
:00487743 8B55EC mov edx, dword ptr [ebp-14]
:00487746 E8C9C8F7FF call 00404014
:0048774B 7504 jne 00487751
:0048774D B301 mov bl, 01
:0048774F EB02 jmp 00487753
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00487707(C), :0048774B(C)
|
:00487751 33DB xor ebx, ebx \\跳到這,ebx清0,程式已經完了,
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048774F(U)
|
:00487753 33C0 xor eax, eax
:00487755 5A pop edx
:00487756 59 pop ecx
:00487757 59 pop ecx
:00487758 648910 mov dword ptr fs:[eax], edx
:0048775B 6892774800 push 00487792
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00487790(U)
|
:00487760 8D45DC lea eax, dword ptr [ebp-24]
:00487763 BA02000000 mov edx, 00000002
:00487768 E83BC5F7FF call 00403CA8
:0048776D 8D45EC lea eax, dword ptr [ebp-14]
:00487770 E80FC5F7FF call 00403C84
:00487775 8D45F8 lea eax, dword ptr [ebp-08]
:00487778 BA02000000 mov edx, 00000002
:0048777D E826C5F7FF call 00403CA8
:00487782 8D4508 lea eax, dword ptr [ebp+08]
:00487785 E8FAC4F7FF call 00403C84
:0048778A C3 ret
最後給出兩個正確註冊碼供大家研究:
第一種:註冊碼
使用者名稱:小蝦
註冊碼:ABC1-FG1I-K1NM-NDTJ
第二種註冊碼:
使用者名稱:小蝦
註冊碼:214065-811039690
相關文章
- 軟體、軟體危機、軟體工程 (轉)2007-12-04軟體工程
- 軟體工程——軟體測試2014-01-21軟體工程
- 軟體工程——軟體計劃2013-12-11軟體工程
- 軟體工程 第一章 軟體與軟體工程2024-03-13軟體工程
- 軟體測試:軟體缺陷管理2019-08-01
- 軟體“吃”掉了軟體開發2014-04-25
- 軟體開發mac常用軟體2015-01-02Mac
- 軟體2024-04-10
- 《軟體加密與解密》——軟體加軟體相似性比對2012-04-18加密解密
- 軟體測試--中介軟體介紹2021-01-05
- 軟體開發與軟體研發2013-04-10
- 【軟體工程】軟體設計之總體設計2014-11-02軟體工程
- 微商分銷系統軟體(軟體微商)2020-07-30
- 重拾軟體工程—(2)軟體過程2017-11-06軟體工程
- 德國精品軟體Throttle網路加速軟體2017-11-15
- 軟體工程——軟體維護+物件導向2014-01-23軟體工程物件
- 【軟體工具】SecureCRT 軟體安裝與使用2016-01-06Securecrt
- Linux軟體管理之YUM軟體管理2013-05-23Linux
- websphere中介軟體安裝軟體需求requirement2013-05-23WebUIREM
- [軟體工程]軟體中的量化問題2011-01-13軟體工程
- 網路軟體與桌面軟體的融合2007-11-08
- 理解軟體2013-12-07
- 未知軟體2017-08-14
- 軟體工程 .2013-06-19軟體工程
- 軟體破解2008-06-02
- 科研軟體2024-04-21
- 軟體工程2024-03-31軟體工程
- 軟體驗收測試 第三方軟體測試 軟體功能測試 軟體資訊保安測試2021-12-08
- 軟體研發之道——有關軟體的思考2020-04-07
- 軟體測試真的比不上軟體開發嗎?2019-09-05
- 軟體序列號查詢軟體:Serial Box for Mac2024-01-12Mac
- 進出口軟體(進出口貿易管理軟體)2023-03-01
- 【軟體測試】軟體及其開發過程2017-01-06
- 應用版本控制軟體管理軟體開發2008-07-09
- [軟體人生]軟體人生中的危境與道德2010-05-17
- Zuora招聘JAVA軟體開發\軟體測試2010-07-13Java
- 為什麼軟體會被稱為“軟體”2012-03-13
- 中國軟體網-中國企業軟體選型2011-11-20