某一login.zip軟體註冊 (12千字)
輸入14個數字後,下bpx hmemcpy,f12 12次,來到這裡
:004494C0 8B45E4
mov eax, dword ptr [ebp-1C] <--bpm eax r
:004494C3 8D55E8
lea edx, dword ptr [ebp-18]
:004494C6 E81DE2FBFF call
004076E8
按f10繼續,會在這裡停下
:00407705 807C1FFF20 cmp byte
ptr [edi+ebx-01], 20 <--是否空格
:0040770A 76F4
jbe 00407700
繼續走,在這個地方把資料移動到記憶體的另一個地方
:004027BF F3
repz
:004027C0 A5
movsd
:004027C1 89C1
mov ecx, eax
:004027C3 83E103
and ecx, 00000003
:004027C6 F3
repz
:004027C7 A4
movsb
:004027C8 5F
pop edi
:004027C9 5E
pop esi
:004027CA C3
ret
:00449528 FF75D8
push [ebp-28]
:0044952B 8B45FC
mov eax, dword ptr [ebp-04]
:0044952E 0554030000 add eax,
00000354
:00449533 BA04000000 mov edx,
00000004
:00449538 E8DFA5FBFF call
00403B1C <---f8 跟進
:00445CA9 885C38FF
mov byte ptr [eax+edi-01], bl
:00445CAD 8B45F0
mov eax, dword ptr [ebp-10]
:00445CB0 8A4438FF
mov al, byte ptr [eax+edi-01]
:00445CB4 3C30
cmp al, 30 //是否在0~9之間
:00445CB6 7207
jb 00445CBF
:00445CB8 8B55F0
mov edx, dword ptr [ebp-10]
:00445CBB 3C39
cmp al, 39
:00445CBD 760D
jbe 00445CCC
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00445CB6(C)
|
:00445CBF 8B45F8
mov eax, dword ptr [ebp-08]
:00445CC2 E819DBFBFF call
004037E0
:00445CC7 E9ED030000 jmp 004460B9
----------------------
:00445D33 80FB30
cmp bl, 30
:00445D36 0F85B8010000 jne 00445EF4
:00445D3C 8D45F0
lea eax, dword ptr [ebp-10]
:00445D3F 8B55F4
mov edx, dword ptr [ebp-0C]
:00445D42 E831DBFBFF call
00403878
:00445D47 8D45F0
lea eax, dword ptr [ebp-10]
:00445D4A E8DDDEFBFF call
00403C2C
:00445D4F 8B55F4
mov edx, dword ptr [ebp-0C]
:00445D52 8A12
mov dl, byte ptr [edx] //[edx]存放Regcode[1..12]
:00445D54 885007
mov byte ptr [eax+07], dl //eax[7]=regcode[1]
:00445D57 8D45F0
lea eax, dword ptr [ebp-10]
:00445D5A E8CDDEFBFF call
00403C2C
:00445D5F 8B55F4
mov edx, dword ptr [ebp-0C]
:00445D62 8A5201
mov dl, byte ptr [edx+01]
:00445D65 88500B
mov byte ptr [eax+0B], dl //eax[11]=regcode[2]
:00445D68 8D45F0
lea eax, dword ptr [ebp-10]
:00445D6B E8BCDEFBFF call
00403C2C
:00445D70 8B55F4
mov edx, dword ptr [ebp-0C]
:00445D73 8A5202
mov dl, byte ptr [edx+02]
:00445D76 8810
mov byte ptr [eax], dl //eax[1]=regcode[3]
:00445D78 8D45F0
lea eax, dword ptr [ebp-10]
:00445D7B E8ACDEFBFF call
00403C2C
:00445D80 8B55F4
mov edx, dword ptr [ebp-0C]
:00445D83 8A5203
mov dl, byte ptr [edx+03]
:00445D86 88500A
mov byte ptr [eax+0A], dl //eax[10]=regcode[4]
:00445D89 8D45F0
lea eax, dword ptr [ebp-10]
:00445D8C E89BDEFBFF call
00403C2C
:00445D91 8B55F4
mov edx, dword ptr [ebp-0C]
:00445D94 8A5204
mov dl, byte ptr [edx+04]
:00445D97 885009
mov byte ptr [eax+09], dl //eax[9]=regcode[5]
:00445D9A 8D45F0
lea eax, dword ptr [ebp-10]
:00445D9D E88ADEFBFF call
00403C2C
:00445DA2 8B55F4
mov edx, dword ptr [ebp-0C]
:00445DA5 8A5205
mov dl, byte ptr [edx+05]
:00445DA8 885003
mov byte ptr [eax+03], dl //eax[4]=regcode[6]
:00445DAB 8D45F0
lea eax, dword ptr [ebp-10]
:00445DAE E879DEFBFF call
00403C2C
:00445DB3 8B55F4
mov edx, dword ptr [ebp-0C]
:00445DB6 8A5206
mov dl, byte ptr [edx+06]
:00445DB9 885005
mov byte ptr [eax+05], dl //eax[5]=regcode[7]
:00445DBC 8D45F0
lea eax, dword ptr [ebp-10]
:00445DBF E868DEFBFF call
00403C2C
:00445DC4 8B55F4
mov edx, dword ptr [ebp-0C]
:00445DC7 8A5207
mov dl, byte ptr [edx+07]
:00445DCA 885002
mov byte ptr [eax+02], dl //eax[2]=regcode[8]
:00445DCD 8D45F0
lea eax, dword ptr [ebp-10]
:00445DD0 E857DEFBFF call
00403C2C
:00445DD5 8B55F4
mov edx, dword ptr [ebp-0C]
:00445DD8 8A5208
mov dl, byte ptr [edx+08]
:00445DDB 885004
mov byte ptr [eax+04], dl //eax[4]=regcode[9]
:00445DDE 8D45F0
lea eax, dword ptr [ebp-10]
:00445DE1 E846DEFBFF call
00403C2C
:00445DE6 8B55F4
mov edx, dword ptr [ebp-0C]
:00445DE9 8A5209
mov dl, byte ptr [edx+09]
:00445DEC 885001
mov byte ptr [eax+01], dl //eax[1]=regcode[10]
:00445DEF 8D45F0
lea eax, dword ptr [ebp-10]
:00445DF2 E835DEFBFF call
00403C2C
:00445DF7 8B55F4
mov edx, dword ptr [ebp-0C]
:00445DFA 8A520A
mov dl, byte ptr [edx+0A]
:00445DFD 885006
mov byte ptr [eax+06], dl //eax[6]=regcode[11]
:00445E00 8D45F0
lea eax, dword ptr [ebp-10]
:00445E03 E824DEFBFF call
00403C2C
:00445E08 8B55F4
mov edx, dword ptr [ebp-0C]
:00445E0B 8A520B
mov dl, byte ptr [edx+0B]
:00445E0E 885008
mov byte ptr [eax+08], dl //eax[8]=regcode[12]
:00445E11 8D45F4
lea eax, dword ptr [ebp-0C]
:00445E14 8B55F0
mov edx, dword ptr [ebp-10]
:00445E17 E85CDAFBFF call
00403878
:00445E1C 8B75E8
mov esi, dword ptr [ebp-18]
:00445E1F 85F6
test esi, esi
:00445E21 7E7D
jle 00445EA0
:00445E23 BF01000000 mov edi,
00000001
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00445E9E(C)
|
:00445E28 8B45F4
mov eax, dword ptr [ebp-0C]
:00445E2B 0FB64438FF movzx
eax, byte ptr [eax+edi-01]
:00445E30 BB39000000 mov ebx,
00000039
:00445E35 2BD8
sub ebx, eax
:00445E37 83C330
add ebx, 00000030
:00445E3A 80FB37
cmp bl, 37
:00445E3D 7722
ja 00445E61
:00445E3F 33C0
xor eax, eax //計算第2步
:00445E41 8AC3
mov al, bl //詳細請看
:00445E43 8BD7
mov edx, edi //下面的
:00445E45 D1FA
sar edx, 1 //註釋
:00445E47 7903
jns 00445E4C //
:00445E49 83D200
adc edx, 00000000 //
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00445E47(C)
|
:00445E4C 42
inc edx //
:00445E4D 33C2
xor eax, edx //
:00445E4F 8945EC
mov dword ptr [ebp-14], eax
:00445E52 8D45F4
lea eax, dword ptr [ebp-0C]
:00445E55 E8D2DDFBFF call
00403C2C
:00445E5A 8B55EC
mov edx, dword ptr [ebp-14]
:00445E5D 885438FF
mov byte ptr [eax+edi-01], dl
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00445E3D(C)
|
:00445E61 80FB38
cmp bl, 38
:00445E64 750D
jne 00445E73
:00445E66 8D45F4
lea eax, dword ptr [ebp-0C]
:00445E69 E8BEDDFBFF call
00403C2C
:00445E6E C64438FF39 mov [eax+edi-01],
39
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00445E64(C)
|
:00445E73 80FB39
cmp bl, 39
:00445E76 750D
jne 00445E85
:00445E78 8D45F4
lea eax, dword ptr [ebp-0C]
:00445E7B E8ACDDFBFF call
00403C2C
:00445E80 C64438FF38 mov [eax+edi-01],
38
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00445E76(C)
|
:00445E85 8B45F4
mov eax, dword ptr [ebp-0C]
:00445E88 807C38FF27 cmp byte
ptr [eax+edi-01], 27
:00445E8D 750D
jne 00445E9C
:00445E8F 8D45F4
lea eax, dword ptr [ebp-0C]
:00445E92 E895DDFBFF call
00403C2C
:00445E97 C64438FF24 mov [eax+edi-01],
24
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00445E8D(C)
|
:00445E9C 47
inc edi
:00445E9D 4E
dec esi
:00445E9E 7588
jne 00445E28
:00449595 8B45FC
mov eax, dword ptr [ebp-04]
:00449598 8B804C030000 mov eax, dword
ptr [eax+0000034C]
:0044959E 8B55FC
mov edx, dword ptr [ebp-04]
:004495A1 8B9250030000 mov edx, dword
ptr [edx+00000350]
:004495A7 E8C0A5FBFF call
00403B6C
:004495AC 0F85B3040000 jne 00449A65
//if jump badguy
:004495FD E86AA5FBFF call
00403B6C
:00449602 0F855C010000 jne 00449764
//if jump invalid register
* Possible StringData Ref from Code Obj ->"正式註冊成功"
|
:0044973B B8589C4400 mov eax,
00449C58
:00449740 E8EBAEFFFF call
00444630
:00449745 33C0
xor eax, eax
:00449747 5A
pop edx
:00449748 59
pop ecx
:00449749 59
pop ecx
* Possible StringData Ref from Code Obj ->"非法註冊成功"
|
:004499DE B8949C4400 mov eax,
00449C94
:004499E3 E848ACFFFF call
00444630
:004499E8 33C0
xor eax, eax
:004499EA 5A
pop edx
:004499EB 59
pop ecx
:004499EC 59
pop ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004495AC(C)
|
* Possible StringData Ref from Code Obj ->"註冊失敗,請輸入正確的註冊號"
|
:00449A65 B8C49C4400 mov eax,
00449CC4
:00449A6A E8C1ABFFFF call
00444630
上面的程式碼無非就是對我們輸入的Regcode進行一系列的變換
由GetText()取得,LstrCat()連結,Trim()去掉首位0後,剩下來的13位數中,取12位用來變換,過程如下
比如我輸入的Regcode=02-6448-2915-8742
|| |||| ||||
|||
1、 || |||| |||| |||
不要 <----|| |||| |||| |||
存到第 8位上<----| |||| |||| |||
12 <-------|||| |||| |||
1 <--------||| |||| |||
11 <---------|| |||| |||
10 <----------| |||| |||
4 <------------|||| |||
6 <-------------||| |||
3 <--------------|| |||
5 <---------------| |||
2 <-----------------|||
7 <------------------||
9 <-------------------|
結果變成4812-5972-4846
2、把上面得到的12位數按如下規律再一次轉換
先取第一個數,這裡是4,和0、1比較,是1變成9,是0變成8,都不是的話
變成這樣:0x39-0x34^(i/2)+1 <------i是4在上面字串中的位置
……………………
結果變成4394-7462-0734
3、倒序。將上面得到的字元倒序排列變成4370-2647-4934
4、在首位加一個0。變成0-4370-2647-4934
5、和你的機器號比較,嘿嘿,不一樣,就沒戲了。一樣的話繼續下一步
6、取你的Regcode的2個數和最後一個數比較,如果相等則正式註冊成功。否則會出現非法註冊成功。
序號產生器如下
*************************************start here*************************************************
#include <stdio.h>
main()
{char a[13],regcode[14]; int i=1; char t,temp;
clrscr();
printf("Keymaker by CoolBob/China cracker group\n\n");
printf("Machine code: ");
scanf("%s",a);
for(i=12;i>6;i--)
{t=a[i];
a[i]=a[12-i+1];
a[12-i+1]=t;
};
for(i=1;i<13;i++){if(a[i]==0x39) a[i]=0x31;
else if(a[i]==0x38) a[i]=0x30;
else
{temp=(a[i])^((i/2)+1);
a[i]=0x39+0x0-