Cracking notes for 快捷反垃圾郵件 (Kuaijie Anti-Spam): finding the registration code
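Author: newlaos[DFCG]
Software name: 快捷反垃圾郵件 (Kuaijie Anti-Spam) [Chinese-made]
License: shareware
Registration fee:
Platform: Win9X/Me/NT/2000/XP
Developer: http://www.chinaantispam.com/
Contact e-mail: support@chinaantispam.com?subject=From_海闊天空下載站
Software description:
Quickly kills spam for every user with an e-mail address! It offers several mail-filtering methods, supports its own wildcard and country-code mail rules, and is a complete anti-spam solution for individual users. It handles multiple POP3 accounts at once and can be set to pre-read only the first few lines of each message, which is very fast; it can remove mail-borne viruses, including the "求職信" (Klez) worm, at top speed without receiving the whole message; it can send complaint and error-report messages to spam senders automatically or manually; and its spam signature database can be updated online at any time. 快捷反垃圾郵件, the spam terminator, leaves spam nowhere to hide!
Protection: registration code
Restriction: "unregistered" notice
Cracking tools: TRW2000 1.23 registered edition, W32Dasm 8.93 Gold, FI 2.5, eXeScope 6.30
Cracking date: 2003-03-31
Statement from the author, newlaos: this is for study only. Please do not use it for commercial purposes or freely distribute a key generator made with the method in this article; I accept no responsibility for any consequences.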
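1. First examine the main file "AntiSpam.exe" with FI 2.5: it is not packed. The program was built with BC++.
2. Statically disassemble AntiSpam.exe with W32Dasm 8.93 Gold and look through the string data references: no telltale strings turn up. What next? First analyse the file's resources with eXeScope 6.30; under "Resource\String Table\85" you can see:
1357,對不起,您的註冊碼輸入有誤。請重新輸入。 (the "registration code is incorrect, please re-enter it" message)
1358,恭喜您!軟體註冊成功!$0D$0A您的姓名:%0:s$0D$0A註冊碼:%1:s$0D$0A請記住這個註冊碼。今後若您重灌系統、更換硬碟或升級電腦,需要重新安裝本軟體,這時軟體可能又會提示您註冊,您用這個註冊碼註冊即可。 (the "registration successful" message, which shows the name as %0:s and the registration code as %1:s and asks the user to keep the code for reinstalling later)
Back in W32Dasm 8.93, find "String Resource ID=01357: "?we?魍e"" (this is the incorrect-registration-code message) and double-click it to reach the code section shown below.
3. Then trace dynamically with TRW2000 1.23 (registered edition), setting a breakpoint with BPX 0058BFE4 (the breakpoint usually goes a little before the point where success or failure is decided, which is how the key part is found).
First enter the registration name: newlaos[DFCG]
Fake code: 78787878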
.......
.......
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058BF51(C)
|
:0058BFE4 66C746103800    mov [esi+10], 0038
:0058BFEA 33C0            xor eax, eax
:0058BFEC 8945F8          mov dword ptr [ebp-08], eax
:0058BFEF 8D55F8          lea edx, dword ptr [ebp-08]
:0058BFF2 FF461C          inc [esi+1C]
:0058BFF5 8B8300030000    mov eax, dword ptr [ebx+00000300]
:0058BFFB E890A1F5FF      call 004E6190
:0058C000 66C746100800    mov [esi+10], 0008
:0058C006 8B55F8          mov edx, dword ptr [ebp-08]  <=== EDX = 78787878
:0058C009 52              push edx
:0058C00A E8AD330000      call 0058F3BC  <=== without a doubt this is the algorithm CALL; step into it with F8
:0058C00F 59              pop ecx
:0058C010 84C0            test al, al  <=== for registration to succeed, AL must not be 0
:0058C012 0F859E000000    jne 0058C0B6  <=== this is the key jump: if it is taken, registration succeeds
:0058C018 6A30            push 00000030
:0058C01A 833DF8F4600000  cmp dword ptr [0060F4F8], 00000000
:0058C021 7408            je 0058C02B
:0058C023 8B0DF8F46000    mov ecx, dword ptr [0060F4F8]
:0058C029 EB05            jmp 0058C030
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058C021(C)
|
:0058C02B B981F25F00      mov ecx, 005FF281
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058C029(U)
|
:0058C030 51              push ecx
:0058C031 33C0            xor eax, eax
:0058C033 66C746104400    mov [esi+10], 0044
:0058C039 8945DC          mov dword ptr [ebp-24], eax
* Possible Reference to String Resource ID=01357: "?we?魍e"
<=== string 1357, the "registration code is incorrect, please re-enter it" message
|
:0058C03C B84D050000      mov eax, 0000054D
:0058C041 FF461C          inc [esi+1C]
:0058C044 8D55DC          lea edx, dword ptr [ebp-24]
:0058C047 E8AC74F9FF      call 005234F8
:0058C04C 837DDC00        cmp dword ptr [ebp-24], 00000000
:0058C050 7405            je 0058C057
:0058C052 8B55DC          mov edx, dword ptr [ebp-24]
:0058C055 EB05            jmp 0058C05C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058C050(C)
|
:0058C057 BA80F25F00      mov edx, 005FF280
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058C055(U)
|
:0058C05C 52              push edx
:0058C05D 8BC3            mov eax, ebx
:0058C05F E80402F6FF      call 004EC268
:0058C064 50              push eax
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:0058C065 E83EFD0200      Call 005BBDA8
:0058C06A FF4E1C          dec [esi+1C]
:0058C06D 8D45DC          lea eax, dword ptr [ebp-24]
:0058C070 BA02000000      mov edx, 00000002
:0058C075 E866E90200      call 005BA9E0
:0058C07A 8B8300030000    mov eax, dword ptr [ebx+00000300]
:0058C080 8B10            mov edx, dword ptr [eax]
:0058C082 FF92B0000000    call dword ptr [edx+000000B0]
:0058C088 FF4E1C          dec [esi+1C]
:0058C08B 8D45F8          lea eax, dword ptr [ebp-08]
:0058C08E BA02000000      mov edx, 00000002
:0058C093 E848E90200      call 005BA9E0
:0058C098 FF4E1C          dec [esi+1C]
:0058C09B 8D45FC          lea eax, dword ptr [ebp-04]
:0058C09E BA02000000      mov edx, 00000002
:0058C0A3 E838E90200      call 005BA9E0
:0058C0A8 8B0E            mov ecx, dword ptr [esi]
:0058C0AA 64890D00000000  mov dword ptr fs:[00000000], ecx
:0058C0B1 E9E0010000      jmp 0058C296  <=== after the registration-error message has been shown, jump away
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058C012(C)  <=== this shows where the success path is reached from; look upward
|
:0058C0B6 66C746105000    mov [esi+10], 0050
:0058C0BC 8D45EC          lea eax, dword ptr [ebp-14]
:0058C0BF 50              push eax
:0058C0C0 E8EB200000      call 0058E1B0
:0058C0C5 59              pop ecx
:0058C0C6 83461C03        add dword ptr [esi+1C], 00000003
:0058C0CA 66C746100800    mov [esi+10], 0008
:0058C0D0 8B55FC          mov edx, dword ptr [ebp-04]
:0058C0D3 52              push edx
:0058C0D4 8D4DEC          lea ecx, dword ptr [ebp-14]
:0058C0D7 51              push ecx
:0058C0D8 E8F30F0000      call 0058D0D0
:0058C0DD 83C408          add esp, 00000008
:0058C0E0 8B45F8          mov eax, dword ptr [ebp-08]
:0058C0E3 50              push eax
:0058C0E4 8D55EC          lea edx, dword ptr [ebp-14]
:0058C0E7 52              push edx
:0058C0E8 E813110000      call 0058D200
:0058C0ED 83C408          add esp, 00000008
:0058C0F0 833DF8F4600000  cmp dword ptr [0060F4F8], 00000000
:0058C0F7 6A40            push 00000040
:0058C0F9 7408            je 0058C103  <=== this can also jump to success
:0058C0FB 8B0DF8F46000    mov ecx, dword ptr [0060F4F8]
:0058C101 EB05            jmp 0058C108  <=== this can jump to success
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058C0F9(C)
|
:0058C103 B984F25F00      mov ecx, 005FF284
.......
***********************************
A stretch of code is omitted here; it saves the registration information that has been verified as correct and has nothing to do with the algorithm.
***********************************
.......
:0058C17F FF461C          inc [esi+1C]
:0058C182 894DA0          mov dword ptr [ebp-60], ecx
:0058C185 8B45A0          mov eax, dword ptr [ebp-60]
:0058C188 33C9            xor ecx, ecx
:0058C18A 8B10            mov edx, dword ptr [eax]
* Possible Reference to String Resource ID=01358: "mo鯊??
?%0:s
%1:s
靼O??濞團bl?G?"
<=== this is the marker for successful registration: string 1358, the "registration successful" message that shows the name (%0:s) and the registration code (%1:s)
|
:0058C18C B84E050000      mov eax, 0000054E
:0058C191 52              push edx
:0058C192 894DD8          mov dword ptr [ebp-28], ecx
:0058C195 FF461C          inc [esi+1C]
:0058C198 8D55D8          lea edx, dword ptr [ebp-28]
:0058C19B E85873F9FF      call 005234F8
:0058C1A0 837DD800        cmp dword ptr [ebp-28], 00000000
:0058C1A4 7405            je 0058C1AB
:0058C1A6 8B55D8          mov edx, dword ptr [ebp-28]
:0058C1A9 EB05            jmp 0058C1B0
.......
.......
------ 0058C00A call 0058F3BC: the algorithm CALL, stepped into with F8 -----------------------
:0058F3BC 55              push ebp
:0058F3BD 8BEC            mov ebp, esp
:0058F3BF 83C4B8          add esp, FFFFFFB8
:0058F3C2 B83C096000      mov eax, 0060093C
:0058F3C7 53              push ebx
:0058F3C8 8D5DB8          lea ebx, dword ptr [ebp-48]
:0058F3CB 56              push esi
:0058F3CC E813EB0100      call 005ADEE4
:0058F3D1 C7431C01000000  mov [ebx+1C], 00000001
:0058F3D8 8D5508          lea edx, dword ptr [ebp+08]
:0058F3DB 8D4508          lea eax, dword ptr [ebp+08]
:0058F3DE E8D5B40200      call 005BA8B8
:0058F3E3 FF431C          inc [ebx+1C]
:0058F3E6 66C743100800    mov [ebx+10], 0008
:0058F3EC 833D4807600000  cmp dword ptr [00600748], 00000000
:0058F3F3 740B            je 0058F400
:0058F3F5 8B1548076000    mov edx, dword ptr [00600748]  <=== EDX = KJAS100- (clearly the prefix of the correct registration code)
:0058F3FB 8B72FC          mov esi, dword ptr [edx-04]
:0058F3FE EB02            jmp 0058F402
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F3F3(C)
|
:0058F400 33F6            xor esi, esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F3FE(U)
|
:0058F402 837D0800        cmp dword ptr [ebp+08], 00000000
:0058F406 7408            je 0058F410
:0058F408 8B4508          mov eax, dword ptr [ebp+08]  <=== EAX = 78787878
:0058F40B 8B50FC          mov edx, dword ptr [eax-04]  <=== EDX = 8 (length of the registration code)
:0058F40E EB02            jmp 0058F412
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F406(C)
|
:0058F410 33D2            xor edx, edx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F40E(U)
|
:0058F412 8D4611          lea eax, dword ptr [esi+11]
<=== EAX=19 (that is, the full registration code is 25 characters long). Change the registration code to KJAS100-1234567890abcdefg and start over: the code below takes values from different positions of the part after the prefix, so 78787878 is no longer suitable, because it is hard to tell which position a value was taken from.
:0058F415 3BD0            cmp edx, eax  <=== compares the registration-code length
:0058F417 754C            jne 0058F465  <=== if the entered registration code is not 25 characters long, jump to OVER!
:0058F419 66C743101400    mov [ebx+10], 0014
:0058F41F 33C9            xor ecx, ecx
:0058F421 8D45F4          lea eax, dword ptr [ebp-0C]
:0058F424 894DF4          mov dword ptr [ebp-0C], ecx
:0058F427 50              push eax
:0058F428 FF431C          inc [ebx+1C]
:0058F42B 8D4508          lea eax, dword ptr [ebp+08]
:0058F42E 8BCE            mov ecx, esi
:0058F430 BA01000000      mov edx, 00000001
:0058F435 E8EAB90200      call 005BAE24
:0058F43A 8D45F4          lea eax, dword ptr [ebp-0C]
:0058F43D BA48076000      mov edx, 00600748
:0058F442 E895B60200      call 005BAADC
:0058F447 84C0            test al, al
:0058F449 8D45F4          lea eax, dword ptr [ebp-0C]
:0058F44C 0F95C1          setne cl
:0058F44F 83E101          and ecx, 00000001
:0058F452 BA02000000      mov edx, 00000002
:0058F457 51              push ecx
:0058F458 FF4B1C          dec [ebx+1C]
:0058F45B E880B50200      call 005BA9E0
:0058F460 59              pop ecx
:0058F461 85C9            test ecx, ecx
:0058F463 7422            je 0058F487  <=== the program jumps away from here
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F417(C)
|
:0058F465 33C0            xor eax, eax
:0058F467 BA02000000      mov edx, 00000002
:0058F46C 50              push eax
:0058F46D 8D4508          lea eax, dword ptr [ebp+08]
:0058F470 FF4B1C          dec [ebx+1C]
:0058F473 E868B50200      call 005BA9E0
:0058F478 58              pop eax
:0058F479 8B13            mov edx, dword ptr [ebx]
:0058F47B 64891500000000  mov dword ptr fs:[00000000], edx
:0058F482 E905020000      jmp 0058F68C  <=== reaching this point means OVER
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F463(C)
|
:0058F487 66C743102000    mov [ebx+10], 0020  <=== arrived here from the jump above
:0058F48D 33C9            xor ecx, ecx
:0058F48F 8D45F0          lea eax, dword ptr [ebp-10]
:0058F492 894DF0          mov dword ptr [ebp-10], ecx
:0058F495 50              push eax
:0058F496 FF431C          inc [ebx+1C]
:0058F499 837D0800        cmp dword ptr [ebp+08], 00000000
:0058F49D 7408            je 0058F4A7
:0058F49F 8B5508          mov edx, dword ptr [ebp+08]
:0058F4A2 8B4AFC          mov ecx, dword ptr [edx-04]
:0058F4A5 EB02            jmp 0058F4A9  <=== jumps away from here
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F49D(C)
|
:0058F4A7 33C9            xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F4A5(U)
|
:0058F4A9 2BCE            sub ecx, esi  <=== arrived here from the jump above
:0058F4AB 8D5601          lea edx, dword ptr [esi+01]
:0058F4AE 8D4508          lea eax, dword ptr [ebp+08]
:0058F4B1 E86EB90200      call 005BAE24
:0058F4B6 8D55F0          lea edx, dword ptr [ebp-10]
:0058F4B9 8D4508          lea eax, dword ptr [ebp+08]
:0058F4BC E84FB50200      call 005BAA10
:0058F4C1 FF4B1C          dec [ebx+1C]
:0058F4C4 8D45F0          lea eax, dword ptr [ebp-10]
:0058F4C7 BA02000000      mov edx, 00000002
:0058F4CC E80FB50200      call 005BA9E0
<=== extracts the part of the registration code after the prefix, 1234567890abcdefg, and leaves it in EDX
:0058F4D1 66C743102C00    mov [ebx+10], 002C
:0058F4D7 33C9            xor ecx, ecx
:0058F4D9 8D45E8          lea eax, dword ptr [ebp-18]
:0058F4DC 894DE8          mov dword ptr [ebp-18], ecx
:0058F4DF 50              push eax
:0058F4E0 FF431C          inc [ebx+1C]
:0058F4E3 8D4508          lea eax, dword ptr [ebp+08]
:0058F4E6 B903000000      mov ecx, 00000003  <=== length to extract (from the part of the registration code after the prefix)
:0058F4EB BA07000000      mov edx, 00000007  <=== start position
:0058F4F0 E82FB90200      call 005BAE24  <=== extracted value: 789
:0058F4F5 8D45E8          lea eax, dword ptr [ebp-18]
:0058F4F8 33D2            xor edx, edx
:0058F4FA 50              push eax
:0058F4FB 8955EC          mov dword ptr [ebp-14], edx
:0058F4FE 8D4DEC          lea ecx, dword ptr [ebp-14]
:0058F501 BA01000000      mov edx, 00000001  <=== start position
:0058F506 51              push ecx
* Possible Reference to String Resource ID=00005: "Cannot Remove System Shell Notification Icon"
|
:0058F507 B905000000      mov ecx, 00000005  <=== length to extract
:0058F50C FF431C          inc [ebx+1C]
:0058F50F 8D4508          lea eax, dword ptr [ebp+08]
:0058F512 E80DB90200      call 005BAE24  <=== extracted value: 12345
:0058F517 8D45EC          lea eax, dword ptr [ebp-14]
:0058F51A 33D2            xor edx, edx
:0058F51C 8955FC          mov dword ptr [ebp-04], edx
:0058F51F 8D4DFC          lea ecx, dword ptr [ebp-04]
:0058F522 FF431C          inc [ebx+1C]
:0058F525 5A              pop edx
:0058F526 E80DB50200      call 005BAA38
:0058F52B FF4B1C          dec [ebx+1C]
:0058F52E 8D45E8          lea eax, dword ptr [ebp-18]
:0058F531 BA02000000      mov edx, 00000002
:0058F536 E8A5B40200      call 005BA9E0
:0058F53B FF4B1C          dec [ebx+1C]
:0058F53E 8D45EC          lea eax, dword ptr [ebp-14]
:0058F541 BA02000000      mov edx, 00000002
:0058F546 E895B40200      call 005BA9E0
:0058F54B 66C743100800    mov [ebx+10], 0008
:0058F551 66C743103800    mov [ebx+10], 0038
:0058F557 33C0            xor eax, eax
:0058F559 8D4DE0          lea ecx, dword ptr [ebp-20]
:0058F55C 8945E0          mov dword ptr [ebp-20], eax
:0058F55F 51              push ecx
:0058F560 FF431C          inc [ebx+1C]
* Possible Reference to String Resource ID=00005: "Cannot Remove System Shell Notification Icon"
|
:0058F563 B905000000      mov ecx, 00000005  <=== length to extract
:0058F568 8D4508          lea eax, dword ptr [ebp+08]
:0058F56B BA0D000000      mov edx, 0000000D  <=== start position
:0058F570 E8AFB80200      call 005BAE24  <=== extracted value: cdefg (key value 1)
:0058F575 8D45E0          lea eax, dword ptr [ebp-20]
:0058F578 33D2            xor edx, edx
:0058F57A 50              push eax
:0058F57B 8955E4          mov dword ptr [ebp-1C], edx
:0058F57E 8D4DE4          lea ecx, dword ptr [ebp-1C]
:0058F581 BA0A000000      mov edx, 0000000A  <=== start position
:0058F586 51              push ecx
:0058F587 B902000000      mov ecx, 00000002  <=== length to extract
:0058F58C FF431C          inc [ebx+1C]
:0058F58F 8D4508          lea eax, dword ptr [ebp+08]
:0058F592 E88DB80200      call 005BAE24  <=== extracted value: 0a (key value 2)
:0058F597 8D45E4          lea eax, dword ptr [ebp-1C]
:0058F59A 33D2            xor edx, edx
:0058F59C 8955F8          mov dword ptr [ebp-08], edx
:0058F59F 8D4DF8          lea ecx, dword ptr [ebp-08]
:0058F5A2 FF431C          inc [ebx+1C]
:0058F5A5 5A              pop edx
:0058F5A6 E88DB40200      call 005BAA38
<=== joins key values 1 and 2 into 0acdefg (this makes it easy to see which positions of the entered registration code the program reads)
:0058F5AB FF4B1C          dec [ebx+1C]
:0058F5AE 8D45E0          lea eax, dword ptr [ebp-20]
:0058F5B1 BA02000000      mov edx, 00000002
:0058F5B6 E825B40200      call 005BA9E0
:0058F5BB FF4B1C          dec [ebx+1C]
:0058F5BE 8D45E4          lea eax, dword ptr [ebp-1C]
:0058F5C1 BA02000000      mov edx, 00000002
:0058F5C6 E815B40200      call 005BA9E0
:0058F5CB 66C743100800    mov [ebx+10], 0008
:0058F5D1 66C743104400    mov [ebx+10], 0044
:0058F5D7 8B45FC          mov eax, dword ptr [ebp-04]
:0058F5DA 33C9            xor ecx, ecx
:0058F5DC 50              push eax
:0058F5DD 8D45DC          lea eax, dword ptr [ebp-24]
:0058F5E0 894DDC          mov dword ptr [ebp-24], ecx
:0058F5E3 50              push eax
:0058F5E4 FF431C          inc [ebx+1C]
:0058F5E7 E8FCFAFFFF      call 0058F0E8
<=== computes the segment of the registration code that will be verified: within the part after the prefix, 1234567890abcdefg, the first 9 characters are transformed into a 7-character value that corresponds to characters 10, 11, 13, 14, 15, 16 and 17; character 12 is not involved
:0058F5EC 83C408          add esp, 00000008
:0058F5EF 8D45DC          lea eax, dword ptr [ebp-24]  <=== EAX holds a pointer to 4221943 (the result of transforming the first 9 characters)
:0058F5F2 8D55F8          lea edx, dword ptr [ebp-08]  <=== EDX holds a pointer to 0acdefg (everything except character 12)
:0058F5F5 E8E2B40200      call 005BAADC
<=== the values pointed to by EAX and EDX above must be equal, and EAX must be 0 on return, for registration to succeed. From this we can infer that the correct registration code is KJAS100-12345678942b21943. To study the algorithm further, look back at 0058F5E7.
:0058F5FA 50              push eax  <=== pushes EAX onto the stack; as the code below shows, EAX must be 0
:0058F5FB FF4B1C          dec [ebx+1C]
:0058F5FE 8D45DC          lea eax, dword ptr [ebp-24]
:0058F601 BA02000000      mov edx, 00000002
:0058F606 E8D5B30200      call 005BA9E0  <=== this CALL does not change the value on top of the stack
:0058F60B 59              pop ecx  <=== now the value on top of the stack matters
:0058F60C 84C9            test cl, cl  <=== CL must be 0
:0058F60E 743F            je 0058F64F  <=== for registration to succeed, this jump must be taken
:0058F610 33C0            xor eax, eax
:0058F612 BA02000000      mov edx, 00000002
:0058F617 50              push eax
:0058F618 8D45F8          lea eax, dword ptr [ebp-08]
:0058F61B FF4B1C          dec [ebx+1C]
:0058F61E E8BDB30200      call 005BA9E0
:0058F623 FF4B1C          dec [ebx+1C]
:0058F626 8D45FC          lea eax, dword ptr [ebp-04]
:0058F629 BA02000000      mov edx, 00000002
:0058F62E E8ADB30200      call 005BA9E0
:0058F633 FF4B1C          dec [ebx+1C]
:0058F636 8D4508          lea eax, dword ptr [ebp+08]
:0058F639 BA02000000      mov edx, 00000002
:0058F63E E89DB30200      call 005BA9E0
:0058F643 58              pop eax
:0058F644 8B13            mov edx, dword ptr [ebx]
:0058F646 64891500000000  mov dword ptr fs:[00000000], edx
:0058F64D EB3D            jmp 0058F68C  <=== leaving through this jump means OVER
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0058F60E(C)
|
:0058F64F B001            mov al, 01  <=== the crucial flag assignment
:0058F651 BA02000000      mov edx, 00000002
:0058F656 50              push eax
:0058F657 8D45F8          lea eax, dword ptr [ebp-08]
:0058F65A FF4B1C          dec [ebx+1C]
:0058F65D E87EB30200      call 005BA9E0
:0058F662 FF4B1C          dec [ebx+1C]
:0058F665 8D45FC          lea eax, dword ptr [ebp-04]
:0058F668 BA02000000      mov edx, 00000002
:0058F66D E86EB30200      call 005BA9E0
:0058F672 FF4B1C          dec [ebx+1C]
:0058F675 8D4508          lea eax, dword ptr [ebp+08]
:0058F678 BA02000000      mov edx, 00000002
:0058F67D E85EB30200      call 005BA9E0
:0058F682 58              pop eax
:0058F683 8B13            mov edx, dword ptr [ebx]
:0058F685 64891500000000  mov dword ptr fs:[00000000], edx
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0058F482(U), :0058F64D(U)
|
:0058F68C 5E              pop esi
:0058F68D 5B              pop ebx
:0058F68E 8BE5            mov esp, ebp
:0058F690 5D              pop ebp
:0058F691 C3              ret
-----------------------------------------------------------------------
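4. Notes on the algorithm: my skills are limited, so I could only find the registration code and could not work out the algorithm; pointers from experts are welcome.
a. The check validates the registration code only and does not involve the user name. KJAS100-1234567890a?cdefg (? is any character)
b. The first 9 characters of the part after the prefix go through two transformation passes and are then compared with characters 10, 11, 13, 14, 15, 16 and 17 of that part; if they are equal, registration succeeds. Character 12 is unused.
5. The registration information is stored in the registry: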
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\zycascn]
"xbrmd110"=hex:cb,c9,cd,c7,ce,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"xbrun"=hex:b7,be,a4,bd,a3,b8,8f,a0,8e,8a,99,92,93,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"xbrrc"=hex:ca,c8,ce,cf,9c,cd,ca,c8,cf,ca,c8,c6,ca,ce,cc,d0,d1,cc,ce,d0,d1,c0,\
b4,ab,b6,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
and in the file reginfo.dat. Both must be deleted to return to the unregistered state.
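The registry export in step 5 can be triaged without running the program. The following is an added example, not part of the original write-up: it parses the three values, strips the zero padding, and compares each payload length with the registration name and code given on this page. The function names are hypothetical, and a length match is only a hint about what a value holds, not a decoding.

```python
import re

# Registry excerpt copied verbatim from step 5 (a trailing backslash continues the value).
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\zycascn]
"xbrmd110"=hex:cb,c9,cd,c7,ce,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"xbrun"=hex:b7,be,a4,bd,a3,b8,8f,a0,8e,8a,99,92,93,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"xbrrc"=hex:ca,c8,ce,cf,9c,cd,ca,c8,cf,ca,c8,c6,ca,ce,cc,d0,d1,cc,ce,d0,d1,c0,\
b4,ab,b6,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
'''

# Registration name and code as stated in step 6 of this page.
REG_NAME = "newlaos[DFCG]"
REG_CODE = "KJAS100-12345678942b21943"


def parse_reg_hex(text):
    """Return {value_name: bytes} for each "name"=hex:... entry of a .reg export."""
    joined = re.sub(r"\\[ \t]*\r?\n[ \t]*", "", text)  # undo line continuations
    pattern = r'^"([^"]+)"=hex(?:\([0-9a-fA-F]+\))?:([0-9a-fA-F,]*)[ \t]*$'
    return {name: bytes(int(b, 16) for b in body.split(",") if b)
            for name, body in re.findall(pattern, joined, re.M)}


def describe(buf):
    """Summarise one fixed-size buffer: payload length, clear-text test, length match."""
    data = buf.rstrip(b"\x00")  # drop the zero padding that fills the buffer
    printable = all(0x20 <= b < 0x7F for b in data)
    match = {len(REG_NAME): "registration name",
             len(REG_CODE): "registration code"}.get(len(data))
    return {"payload_len": len(data), "clear_text": printable, "length_matches": match}


def triage(text):
    """Describe every binary value found in the export."""
    return {name: describe(buf) for name, buf in parse_reg_hex(text).items()}


if __name__ == "__main__":
    for name, info in triage(REG_EXPORT).items():
        print(name, info)
```

None of the three payloads is printable ASCII, so the values are stored in an encoded form; the payload lengths of "xbrun" and "xbrrc" equal the lengths of the registration name and the registration code respectively.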
6. My registration information:
newlaos[DFCG]
KJAS100-12345678942b21943