1 用fi檢視,其是用VC 6.0編寫,無殼^^。
2 用W32Dasm反彙編,發現關鍵函式loadresource
bpx loadresource
40a160 cmp [ebp-8],esi ;ebp-8是我輸入的假碼,esi中是真碼!
40a163 jz 40a182 ;
3 flt 3444902694
註冊成功會在readbook.ini的[File]中寫入相應的值,刪除其內容後又變成未註冊了:)
User=flt
Register=848598617 ?為什麼不是3444902694我沒深思過:(
4 演算法分析
016F:0040A089 LEA EAX,[EBP-00BC]
016F:0040A08F PUSH EAX ;eax中是註冊名
016F:0040A090 CALL 00434386 ;!註冊名以ASCII碼00結束
016F:0040A095 MOV EAX,[EBP-00B4] ;將輸入的註冊名4個位元組一組
016F:0040A09B MOV ECX,[EBP-00B8] ;空格為20H,最多四組。
016F:0040A0A1 MOV ESI,[EBP-00BC] ;將第二組,第三組和第四組相加
016F:0040A0A7 ADD ECX,EAX ;然後*7531-->ecx,
016F:0040A0A9 ADD ECX,[EBP-00B0]
016F:0040A0AF IMUL ESI,ESI,00007531 ;將第一組*7531,-->esi
016F:0040A0B5 IMUL ECX,ECX,00007531 ;esi-ecx的值就是註冊碼!
016F:0040A0BB MOV DWORD PTR [ESP],0046430C
016F:0040A0C2 PUSH 000000B5 ;記得將結果轉換成10進位制數^^
016F:0040A0C7 PUSH EBX
016F:0040A0C8 SUB ESI,ECX
016F:0040A0CA CALL [KERNEL32!FindResourceA]
016F:0040A0D0 PUSH EAX
016F:0040A0D1 PUSH EBX
016F:0040A0D2 CALL [KERNEL32!LoadResource]
016F:0040A0D8 PUSH 00464894
016F:0040A0DD PUSH EDI
016F:0040A0DE MOV [EBP-14],EAX
016F:0040A0E1 CALL 004173D8
016F:0040A0E6 PUSH 00464880
flt-------66 6c 74 註冊名以ASCII碼00結束
00 74 6c 66 20 20 20 20 20 20 20 20 20 20 20 20
----------- ---------- ----------- -----------
A B C D
註冊碼 =A*7531-(B+C+D)*7531
=746c66*7531-60606060*7531
=4BD35D86-7E7E5260
=CD550B26H,轉為10進位制3444902694
記住乘法運算只取32位,4個位元組的資料!
5 附C語言序號產生器
#include
main()
{ int len,i,j,m,n,temp
char str[15];
unsigned long reg,*p,a,b,c,d;
printf("\n\nYshsoft(R) little Program ver 1.0\n ");
printf(" (C)Copryright Yshsoft Corp 2001-2004.\n");
printf("\nEnter a name (less than 16 char):");
scanf("%s",&str);
len=strlen(str); /*輸入的字元不足16個位元組的用空格填20H */
for(i=len+1;i<=15;i++)
str[i]=' ';
p=str;
a=*p; /*取第1組數*/
b=*(p+1); /*取第2組數*/
c=*(p+2); /*取第3組數*/
d=*(p+3); /*取第4組數*/
a*=0x7531;
reg=a-(b+c+d)*0x7531;
printf("The regeister code is: %lu ,and good lunck ^^!\n",reg);
}