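Finding the registration code for BootStar V6.02
BootStar V6.02 is a program for managing multiple operating systems. Kanxue Academy's <<Forum Highlights 4>>
contains a keygen written by arbiter[CCG], "BootStar v7.33 keygen in pure win32asm", but it comes
without the analysis. I happen to have BootStar V6.02, so I wrote the analysis up. If you want
practice, you can download the newer version from http://www.star-tools.com.
First, a check shows it is packed with UPX; unpack it! We enter the following information: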
User-ID:dengkeng[DFCG]
Key:123-45678-9ABCD-EFGH
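This follows the required input format: if you enter it incorrectly, the program reports an error and then
shows ***-*****-*****-**** in the Key field to tell you the correct format.
Tracing leads to the following key location (4AB02D):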
004AB02D |. FF51 14 CALL DWORD PTR DS:[ECX+14]
004AB030 |. 8BD8 MOV EBX,EAX
004AB032 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004AB035 |. E8 2E8CF5FF CALL BSWIN.00403C68
004AB03A |. 80FB 05 CMP BL,5
004AB03D |. 75 10 JNZ SHORT BSWIN.004AB04F
004AB03F |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
004AB042 |. 8B15 D0494B00 MOV EDX,DWORD PTR DS:[4B49D0] ; BSWIN.004ADBF4
004AB048 |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
004AB04A |. E8 B18CF5FF CALL BSWIN.00403D00
004AB04F |> 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
004AB052 |. 8BD3 MOV EDX,EBX
004AB054 |. 66:B8 1C00 MOV AX,1C
004AB058 |. E8 ABE6FDFF CALL BSWIN.00489708
004AB05D |> 84DB TEST BL,BL
004AB05F |. 75 34 JNZ SHORT BSWIN.004AB095
004AB061 |. 8D4D FF LEA ECX,DWORD PTR SS:[EBP-1]
004AB064 |. A1 284F4B00 MOV EAX,DWORD PTR DS:[4B4F28]
004AB069 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004AB06B |. 8D90 EC020000 LEA EDX,DWORD PTR DS:[EAX+2EC]
004AB071 |. 8B86 8C040000 MOV EAX,DWORD PTR DS:[ESI+48C]
004AB077 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004AB079 |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
004AB07B |. FF53 10 CALL DWORD PTR DS:[EBX+10]
004AB07E |. 8BD8 MOV EBX,EAX
004AB080 |. 807D FF 00 CMP BYTE PTR SS:[EBP-1],0
004AB084 |. 75 02 JNZ SHORT BSWIN.004AB088
004AB086 |. B3 54 MOV BL,54 ;used in the comparison inside the Call below!
004AB088 |> 33C9 XOR ECX,ECX
004AB08A |. 8BD3 MOV EDX,EBX
004AB08C |. 66:B8 1D00 MOV AX,1D
004AB090 |. E8 73E6FDFF CALL BSWIN.00489708 ;the error message is shown here! Step into it:
004AB095 |> 33C0 XOR EAX,EAX
Stepping into the Call at 4AB090:
00489708 /$ 55 PUSH EBP
00489709 |. 8BEC MOV EBP,ESP
.....
.....
.....
0048973C |. 83F8 54 CMP EAX,54 ; Switch (cases 2..E4)
0048973F |. 7F 39 JG SHORT BSWIN.0048977A
00489741 |. 0F84 64010000 JE BSWIN.004898AB ;if equal, it is an error!
.....
.....omitted
.....
So the Calls above 4AB090 are very important and we need to step into them!
Tracing shows that the Call at 4AB02D is the important one, so we step into it:
0046B148 /. 55 PUSH EBP
0046B149 |. 8BEC MOV EBP,ESP
.....
.....
.....
0046B18D |. 8D55 F3 LEA EDX,DWORD PTR SS:[EBP-D]
0046B190 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0046B193 |. E8 28EFFFFF CALL BSWIN.0046A0C0 ;important, step in with F7
We step into the Call at 46B193:
0046A0C0 /$ 55 PUSH EBP
0046A0C1 |. 8BEC MOV EBP,ESP
.....
.....several lines omitted
.....
0046A0FD |. C606 00 MOV BYTE PTR DS:[ESI],0
0046A100 |. 8BD6 MOV EDX,ESI
0046A102 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
0046A105 |. E8 DE85FEFF CALL BSWIN.004526E8 ;step in with F7
Stepping in at 0046A105 above:
004526E8 /$ 55 PUSH EBP
004526E9 |. 8BEC MOV EBP,ESP
004526EB |. 83C4 D8 ADD ESP,-28
.....
.....
.....
0045272B |. E8 A0FBFFFF CALL BSWIN.004522D0
00452730 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00452733 |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
00452736 |. E8 E162FBFF CALL BSWIN.00408A1C ;convert lowercase letters in the entered name to uppercase
0045273B |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
0045273E |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
.....
.....several lines omitted
.....
0045279E |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004527A1 |. E8 3E17FBFF CALL BSWIN.00403EE4 ;get the length of the name
004527A6 |. 83F8 0A CMP EAX,0A ;is it >= 10?
004527A9 |. 7D 04 JGE SHORT BSWIN.004527AF
004527AB |> 33C0 XOR EAX,EAX
004527AD |. EB 02 JMP SHORT BSWIN.004527B1 ;taking this jump means failure, so the name must be >= 10 characters
004527AF |> B0 01 MOV AL,1
004527B1 |> 8BD8 MOV EBX,EAX
004527B3 |. 84DB TEST BL,BL
004527B5 |. 74 26 JE SHORT BSWIN.004527DD
004527B7 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004527BA |. 50 PUSH EAX
004527BB |. B9 04000000 MOV ECX,4
004527C0 |. BA 01000000 MOV EDX,1
004527C5 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004527C8 |. E8 1B19FBFF CALL BSWIN.004040E8
004527CD |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ;first 4 characters
004527D0 |. BA 802B4500 MOV EDX,BSWIN.00452B80 ;ASCII "BM1-"
004527D5 |. E8 1A18FBFF CALL BSWIN.00403FF4 ;are they equal?
004527DA |. 0F94C3 SETE BL ;set BL to 1
004527DD |> 84DB TEST BL,BL
004527DF |. 74 56 JE SHORT BSWIN.00452837 ;jump away if not equal
So at this point we can confirm that the first 3 characters are fixed: "BM1-". Continuing:
;compute part 2
004527E1 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004527E4 |. E8 FB16FBFF CALL BSWIN.00403EE4
004527E9 |. 8BD0 MOV EDX,EAX ;name length into EDX
004527EB |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004527EE |. E8 1916FBFF CALL BSWIN.00403E0C
004527F3 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004527F6 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004527F9 |. E8 B2FDFFFF CALL BSWIN.004525B0 ;key routine for computing part 2 @_@
004527FE |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00452801 |. 50 PUSH EAX
00452802 |. B9 02000000 MOV ECX,2 ;number of characters to take
00452807 |. BA 05000000 MOV EDX,5 ;position to take from
0045280C |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ;registration code
0045280F |. E8 D418FBFF CALL BSWIN.004040E8 ;take them, i.e. "45"
00452814 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] ;address of "45" into EAX
00452817 |. 50 PUSH EAX ;push it
00452818 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0045281B |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0045281E |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]
00452821 |. BA 02000000 MOV EDX,2
00452826 |. E8 9564FBFF CALL BSWIN.00408CC0 ;computes the two characters "E0"
0045282B |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ;into EDX
0045282E |. 58 POP EAX ;pop the value pushed earlier
0045282F |. E8 C017FBFF CALL BSWIN.00403FF4 ;compare for equality
00452834 |. 0F94C3 SETE BL
00452837 |> 84DB TEST BL,BL
00452839 |. 0F84 94000000 JE BSWIN.004528D3
At this point we have the value of characters 5 and 6, "E0". Continuing.... BM1-E0678-9ABCD-EFGH
;compute part 3
0045283F |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00452842 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00452845 |. E8 B614FBFF CALL BSWIN.00403D00
0045284A |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
0045284D |. B9 02000000 MOV ECX,2
00452852 |. BA 07000000 MOV EDX,7
00452857 |. E8 CC18FBFF CALL BSWIN.00404128 ;remove the two characters starting at position 7, i.e. remove "67"
0045285C |. 33F6 XOR ESI,ESI
0045285E |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00452861 |. E8 7E16FBFF CALL BSWIN.00403EE4 ;length of the string after removing the two characters "67"
00452866 |. 84C0 TEST AL,AL
00452868 |. 76 16 JBE SHORT BSWIN.00452880
0045286A |. B2 01 MOV DL,1
0045286C |> 33C9 /XOR ECX,ECX ;the registration code takes part in the computation
0045286E |. 8ACA |MOV CL,DL
00452870 |. 8B5D F0 |MOV EBX,DWORD PTR SS:[EBP-10]
00452873 |. 0FB64C0B FF |MOVZX ECX,BYTE PTR DS:[EBX+ECX-1]
00452878 |. 66:03F1 |ADD SI,CX
0045287B |. 42 |INC EDX
0045287C |. FEC8 |DEC AL
0045287E |.^75 EC JNZ SHORT BSWIN.0045286C ;add up all the characters and store the sum in SI
00452880 |> 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00452883 |. 8BD6 MOV EDX,ESI ;result into EDX
00452885 |. 66:81E2 FF00 AND DX,0FF ;AND 0FFH
0045288A |. E8 7D15FBFF CALL BSWIN.00403E0C
0045288F |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00452892 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00452895 |. E8 16FDFFFF CALL BSWIN.004525B0 ;key routine, computes part 3 @_@
0045289A |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0045289D |. 50 PUSH EAX
0045289E |. B9 02000000 MOV ECX,2
004528A3 |. BA 07000000 MOV EDX,7
004528A8 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004528AB |. E8 3818FBFF CALL BSWIN.004040E8 ;take two characters starting at position 7 again, i.e. "67"
004528B0 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004528B3 |. 50 PUSH EAX
004528B4 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004528B7 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004528BA |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]
004528BD |. BA 02000000 MOV EDX,2
004528C2 |. E8 F963FBFF CALL BSWIN.00408CC0
004528C7 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ;this yields the other two characters, "BF"
004528CA |. 58 POP EAX ;the characters "67"
004528CB |. E8 2417FBFF CALL BSWIN.00403FF4 ;compare for equality
004528D0 |. 0F94C3 SETE BL
004528D3 |> 84DB TEST BL,BL
004528D5 |. 0F84 8B000000 JE BSWIN.00452966
We now have characters 7 and 8 of the registration code: BM1-E0BF8-9ABCD-EFGH
;compute part 4
004528DB |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004528DE |. B8 902B4500 MOV EAX,BSWIN.00452B90
004528E3 |. E8 E418FBFF CALL BSWIN.004041CC
004528E8 |. 85C0 TEST EAX,EAX
004528EA |. 7E 15 JLE SHORT BSWIN.00452901
004528EC |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004528EF |. B8 902B4500 MOV EAX,BSWIN.00452B90
004528F4 |. E8 D318FBFF CALL BSWIN.004041CC
004528F9 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
004528FC |. 8A1C02 MOV BL,BYTE PTR DS:[EDX+EAX]
004528FF |. EB 06 JMP SHORT BSWIN.00452907
00452901 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ;address of the name into EAX, i.e. "DENGKENG[DFCG]"
00452904 |. 8A58 01 MOV BL,BYTE PTR DS:[EAX+1] ;ASCII of the second character into BL, i.e. 'E'
00452907 |> 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0045290A |. 50 PUSH EAX
0045290B |. B9 02000000 MOV ECX,2
00452910 |. BA 09000000 MOV EDX,9
00452915 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00452918 |. E8 CB17FBFF CALL BSWIN.004040E8 ;take two characters starting at position 9, i.e. "8-"
0045291D |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00452920 |. 50 PUSH EAX
00452921 |. 8BC3 MOV EAX,EBX
00452923 |. E8 3C01FBFF CALL BSWIN.00402A64
00452928 |. 8BD0 MOV EDX,EAX
0045292A |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0045292D |. 8850 01 MOV BYTE PTR DS:[EAX+1],DL ;i.e. the character 'E' from above
00452930 |. C600 01 MOV BYTE PTR DS:[EAX],1
00452933 |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00452936 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00452939 |. E8 1602FBFF CALL BSWIN.00402B54
0045293E |. BA 942B4500 MOV EDX,BSWIN.00452B94
00452943 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00452946 |. B1 02 MOV CL,2
00452948 |. E8 D701FBFF CALL BSWIN.00402B24
0045294D |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00452950 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00452953 |. E8 3015FBFF CALL BSWIN.00403E88 ;computes characters 9 and 10
00452958 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ;"E-", where 'E' is the character taken above
0045295B |. 58 POP EAX ;"8-"
0045295C |. E8 9316FBFF CALL BSWIN.00403FF4 ;compare
00452961 |. 0F94C0 SETE AL
00452964 |. 8BD8 MOV EBX,EAX
00452966 |> 84DB TEST BL,BL
00452968 |. 0F84 CB000000 JE BSWIN.00452A39
We now have characters 9 and 10; the registration code is BM1-E0BFE-9ABCD-EFGH
;compute part 5
0045296E |. 33F6 XOR ESI,ESI
00452970 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00452973 |. E8 6C15FBFF CALL BSWIN.00403EE4 ;get the length of the name
00452978 |. 84C0 TEST AL,AL
0045297A |. 76 16 JBE SHORT BSWIN.00452992
0045297C |. B2 01 MOV DL,1
0045297E |> 33C9 /XOR ECX,ECX
00452980 |. 8ACA |MOV CL,DL
00452982 |. 8B5D F8 |MOV EBX,DWORD PTR SS:[EBP-8]
00452985 |. 0FB64C0B FF |MOVZX ECX,BYTE PTR DS:[EBX+ECX-1]
0045298A |. 66:03F1 |ADD SI,CX
0045298D |. 42 |INC EDX
0045298E |. FEC8 |DEC AL
00452990 |.^75 EC JNZ SHORT BSWIN.0045297E ;sum all the characters of the name
00452992 |> 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00452995 |. 8BD6 MOV EDX,ESI ;result into EDX
00452997 |. 66:C1EA 08 SHR DX,8 ;SHR
0045299B |. 8850 01 MOV BYTE PTR DS:[EAX+1],DL ;store into [eax+1]
0045299E |. C600 01 MOV BYTE PTR DS:[EAX],1
004529A1 |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
004529A4 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004529A7 |. E8 A801FBFF CALL BSWIN.00402B54
004529AC |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004529AF |. 8BD6 MOV EDX,ESI ;result into EDX
004529B1 |. 66:81E2 FF00 AND DX,0FF
004529B6 |. 8850 01 MOV BYTE PTR DS:[EAX+1],DL
004529B9 |. C600 01 MOV BYTE PTR DS:[EAX],1
004529BC |. 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
004529BF |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004529C2 |. B1 02 MOV CL,2
004529C4 |. E8 5B01FBFF CALL BSWIN.00402B24
004529C9 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
004529CC |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004529CF |. E8 B414FBFF CALL BSWIN.00403E88
004529D4 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004529D7 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004529DA |. E8 D1FBFFFF CALL BSWIN.004525B0 ;key routine, computes part 5 @_@
004529DF |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004529E2 |. 50 PUSH EAX
004529E3 |. B9 04000000 MOV ECX,4
004529E8 |. BA 0B000000 MOV EDX,0B
004529ED |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004529F0 |. E8 F316FBFF CALL BSWIN.004040E8 ;take four more characters by position, i.e. "9ABC"
004529F5 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004529F8 |. 50 PUSH EAX
004529F9 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004529FC |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004529FF |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX] ;fetch the character
00452A02 |. BA 02000000 MOV EDX,2
00452A07 |. E8 B462FBFF CALL BSWIN.00408CC0
00452A0C |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00452A0F |. 50 PUSH EAX
00452A10 |. 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
00452A13 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00452A16 |. 0FB640 01 MOVZX EAX,BYTE PTR DS:[EAX+1]
00452A1A |. BA 02000000 MOV EDX,2
00452A1F |. E8 9C62FBFF CALL BSWIN.00408CC0
00452A24 |. 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
00452A27 |. 58 POP EAX
00452A28 |. E8 BF14FBFF CALL BSWIN.00403EEC ;join the two pieces just obtained
00452A2D |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ;the resulting four characters "EA3C"
00452A30 |. 58 POP EAX ;the fake "9ABC"
00452A31 |. E8 BE15FBFF CALL BSWIN.00403FF4 ;compare
00452A36 |. 0F94C3 SETE BL
00452A39 |> 84DB TEST BL,BL
00452A3B |. 74 60 JE SHORT BSWIN.00452A9D
We now have characters 11~14, "EA3C", giving: BM1-E0BFE-EA3CD-EFGH
;compute part 6
00452A3B |. 74 60 JE SHORT BSWIN.00452A9D
00452A3D |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00452A40 |. 50 PUSH EAX
00452A41 |. B9 02000000 MOV ECX,2
00452A46 |. BA 0F000000 MOV EDX,0F
00452A4B |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00452A4E |. E8 9516FBFF CALL BSWIN.004040E8 ;take two more characters by position, i.e. "D-"
00452A53 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00452A56 |. 50 PUSH EAX
00452A57 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00452A5A |. 8A00 MOV AL,BYTE PTR DS:[EAX] ;first character of the name into AL
00452A5C |. E8 0300FBFF CALL BSWIN.00402A64
00452A61 |. 8BD0 MOV EDX,EAX
00452A63 |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00452A66 |. 8850 01 MOV BYTE PTR DS:[EAX+1],DL
00452A69 |. C600 01 MOV BYTE PTR DS:[EAX],1
00452A6C |. 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
00452A6F |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00452A72 |. E8 DD00FBFF CALL BSWIN.00402B54
00452A77 |. BA 942B4500 MOV EDX,BSWIN.00452B94
00452A7C |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
00452A7F |. B1 02 MOV CL,2
00452A81 |. E8 9E00FBFF CALL BSWIN.00402B24
00452A86 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00452A89 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00452A8C |. E8 F713FBFF CALL BSWIN.00403E88 ;computes characters 15 and 16
00452A91 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ;the result here is 'D-'
00452A94 |. 58 POP EAX
00452A95 |. E8 5A15FBFF CALL BSWIN.00403FF4 ;compare
00452A9A |. 0F94C3 SETE BL
00452A9D |> 84DB TEST BL,BL
00452A9F |. 74 7B JE SHORT BSWIN.00452B1C
We now have characters 15 and 16, 'D-', i.e. "BM1-E0BFE-EA3CD-EFGH"
;compute part 7
00452AA1 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00452AA4 |. 50 PUSH EAX
00452AA5 |. B9 02000000 MOV ECX,2
00452AAA |. BA 01000000 MOV EDX,1
00452AAF |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00452AB2 |. E8 3116FBFF CALL BSWIN.004040E8 ;take the first two characters of the user name, i.e. "DE" (uppercase!)
00452AB7 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00452ABA |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00452ABD |. E8 EEFAFFFF CALL BSWIN.004525B0 ;"DE" is used to compute the last 4 characters; key routine 7 @_@
00452AC2 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00452AC5 |. 50 PUSH EAX
00452AC6 |. B9 09000000 MOV ECX,9
00452ACB |. BA 11000000 MOV EDX,11
00452AD0 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00452AD3 |. E8 1016FBFF CALL BSWIN.004040E8 ;take the last four characters
00452AD8 |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
00452ADB |. 50 PUSH EAX
00452ADC |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00452ADF |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00452AE2 |. 0FB600 MOVZX EAX,BYTE PTR DS:[EAX]
00452AE5 |. BA 02000000 MOV EDX,2
00452AEA |. E8 D161FBFF CALL BSWIN.00408CC0 ;generate two characters
00452AEF |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00452AF2 |. 50 PUSH EAX
00452AF3 |. 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
00452AF6 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00452AF9 |. 0FB640 01 MOVZX EAX,BYTE PTR DS:[EAX+1]
00452AFD |. BA 02000000 MOV EDX,2
00452B02 |. E8 B961FBFF CALL BSWIN.00408CC0 ;generate two more characters
00452B07 |. 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28]
00452B0A |. 58 POP EAX
00452B0B |. E8 DC13FBFF CALL BSWIN.00403EEC ;join the two generated pieces
00452B10 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18] ;the last four characters "AA76"
00452B13 |. 58 POP EAX ;"EFGH"
00452B14 |. E8 DB14FBFF CALL BSWIN.00403FF4 ;compare for equality
00452B19 |. 0F94C3 SETE BL
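We now have characters 17~20 of the registration code, "BM1-E0BFE-EA3CD-AA76". Trying this code still does not succeed.
Tracing once more shows that characters 7 and 8 of the code have changed to "DE" while the rest are unchanged. (Why? Because
that part uses the contents of the entered code, whereas the later parts do not depend on the entered code and use only the
user name.) That is why the others do not change. It also turns out that characters 9 and 10 are the 2nd character of the
user name combined with '-', i.e. "E-", and characters 15 and 16 are the 1st character of the user name combined with '-',
i.e. "D-" (all uppercase!!). So the final registration information is: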
User-ID:dengkeng[DFCG]
Key:BM1-E0DEE-EA3CD-AA76
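As for a keygen: I have marked the key part of the computation (the part that computes the registration code) with the
@_@ symbol, so you can try it yourself! It is the CALL BSWIN.004525B0 part. Kanxue Academy's <<Forum Highlights 4>> contains
the keygen "BootStar v7.33 keygen in pure win32asm" written by arbiter[CCG]. I will take another look when I have time;
I do not expect it to have changed much!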
Made By dengkeng[DFCG][YCG]
E-mail:shellc0de@sohu.com
Reprints are welcome; please keep the article intact.