再來一篇演算法分析,eryl兄弟你要的東西!! (15千字)

===================Open Cracking Group========================
=
= 郵件先知 v2.5.2.50註冊演算法分析
=
= ssljx/OCG
= http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi
=
===================Open Cracking Group========================

* Possible StringData Ref from Code Obj ->"SOFTWARE\Microsoft\tpcip\CurrentVersion"
\\\\\\\\\\讀取登錄檔的鍵名///////////////
//////////////////////////讀取登錄檔的過程\\\\\\\\\\\\\\\\\\\\\
|
:004C25CE 6848294C00 push 004C2948
:004C25D3 6802000080 push 80000002

* Reference To: advapi32.RegCreateKeyExA, Ord:0000h
|
:004C25D8 E85F4DF4FF Call 0040733C
:004C25DD 85C0 test eax, eax
:004C25DF 7548 jne 004C2629
:004C25E1 8D45FC lea eax, dword ptr [ebp-04]
:004C25E4 50 push eax

* Possible StringData Ref from Code Obj ->"PPPPP"
|
:004C25E5 B978294C00 mov ecx, 004C2978

* Possible StringData Ref from Code Obj ->"Rotescode"=========>登錄檔的註冊名
|
:004C25EA BA88294C00 mov edx, 004C2988
:004C25EF 8B45F0 mov eax, dword ptr [ebp-10]
:004C25F2 E8C182FCFF call 0048A8B8
:004C25F7 8D45F8 lea eax, dword ptr [ebp-08]
:004C25FA 50 push eax

* Possible StringData Ref from Code Obj ->"H012123"
|
:004C25FB B99C294C00 mov ecx, 004C299C

* Possible StringData Ref from Code Obj ->"RotesNum"==========>登錄檔的使用者編號
|
:004C2600 BAAC294C00 mov edx, 004C29AC
:004C2605 8B45F0 mov eax, dword ptr [ebp-10]
:004C2608 E8AB82FCFF call 0048A8B8
:004C260D 8D45F4 lea eax, dword ptr [ebp-0C]
:004C2610 50 push eax
:004C2611 33C9 xor ecx, ecx

* Possible StringData Ref from Code Obj ->"Object"===========>登錄檔的註冊碼
|
:004C2613 BAC0294C00 mov edx, 004C29C0
:004C2618 8B45F0 mov eax, dword ptr [ebp-10]
:004C261B E89882FCFF call 0048A8B8
:004C2620 8B45F0 mov eax, dword ptr [ebp-10]
:004C2623 50 push eax

* Reference To: advapi32.RegCloseKey, Ord:0000h
|
:004C2624 E80B4DF4FF Call 00407334

////////////////////////////////讀去登錄檔過程結束\\\\\\\\\\\\\\\\\\\\\\\\\\\

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C25DF(C)
|
:004C2629 8B45F8 mov eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"AHF000186"
|
:004C262C BAD0294C00 mov edx, 004C29D0
:004C2631 E83E28F4FF call 00404E74========>使用者編號與'AHF000186'比較
:004C2636 7516 jne 004C264E=========>一定要不等,轉向!!
:004C2638 8D55D8 lea edx, dword ptr [ebp-28]
:004C263B 8B45F8 mov eax, dword ptr [ebp-08]
:004C263E E8196AF4FF call 0040905C
:004C2643 8B55D8 mov edx, dword ptr [ebp-28]
:004C2646 8D45F8 lea eax, dword ptr [ebp-08]
:004C2649 E8C224F4FF call 00404B10
\\\\\\\使用者編號與'AHF000186'相等就把'AHF000186'轉為小寫字母,這樣到後面判斷就會出錯\\\\\\\\\
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C2636(C)
|
:004C264E A1D49F4C00 mov eax, dword ptr [004C9FD4]
:004C2653 833800 cmp dword ptr [eax], 00000000
:004C2656 7516 jne 004C266E
:004C2658 8BCF mov ecx, edi
:004C265A B201 mov dl, 01

* Possible StringData Ref from Code Obj ->"mD"
|
:004C265C A1C0694B00 mov eax, dword ptr [004B69C0]
:004C2661 E87A5DF9FF call 004583E0
:004C2666 8B15D49F4C00 mov edx, dword ptr [004C9FD4]
:004C266C 8902 mov dword ptr [edx], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C2656(C)
|
:004C266E 8D4DD4 lea ecx, dword ptr [ebp-2C]
:004C2671 8B55F8 mov edx, dword ptr [ebp-08]
:004C2674 8B45FC mov eax, dword ptr [ebp-04]
:004C2677 E80074FCFF call 00489A7C
:004C267C 8B45D4 mov eax, dword ptr [ebp-2C]=>根據註冊名計算出來的註冊碼,怎麼計算註冊碼都是零
:004C267F 8B55F4 mov edx, dword ptr [ebp-0C]=>輸入的註冊碼,只要輸入0就行
:004C2682 E8ED27F4FF call 00404E74===============>比較
:004C2687 740C je 004C2695=================>要等,轉到下面比較
:004C2689 C605BC9E4C0001 mov byte ptr [004C9EBC], 01==>不等,給標誌賦值,1表示失敗
:004C2690 E9E6000000 jmp 004C277B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C2687(C)
|
:004C2695 C605BC9E4C0000 mov byte ptr [004C9EBC], 00==>註冊碼相同,標誌為賦值0,0表示成功
:004C269C 837DF800 cmp dword ptr [ebp-08], 00000000===>使用者編號是空的,直接結束比較
:004C26A0 0F84D5000000 je 004C277B
//////////使用者編號不是空值,進行下面比較\\\\\\\\\\\\\\\\\\\\\
:004C26A6 8B45F8 mov eax, dword ptr [ebp-08]
:004C26A9 8A00 mov al, byte ptr [eax]====>使用者編號第一位(N1)
:004C26AB 04BF add al, BF===============>這裡控制要大於'A'
:004C26AD 2C1A sub al, 1A===============>這裡控制要小於'Z'
:004C26AF 731E jnb 004C26CF=============>不再A-Z範圍就出錯
//////////////使用者編號第一位要在A-Z範圍,$1A-$BF=$5B注意這是位元組運算,下面簡單說說這演算法\\\\\\
我們先了解jnb的轉向條件是CF=0,那麼CF受什麼影響,CF==>進位標誌,在進行字/位元組運算產生進位或借位是置1,這是我以前的書上講的,不知現在有沒改變..
舉例:
當AL=$40時,CF=0
AL=$40+$BF=$FF CF=0(沒變)
AL=$FF-$1A=$E6 CF=0(沒變)
所以jnb 004C26CF合乎轉向條件,跳轉出錯!!
當AL=$5B,CF=0
AL=$5B+$BF=$11A CF=1(改變)
AL=$11A-$1A=100 CF=0(改變)
這樣jnb 004C26CF合乎轉向條件,跳轉出錯!!
當AL=$41, CF=0
AL=$41+$BF=101 CF=1(改變)
AL=$101-$1A=$E6 CF=1(沒變)
這樣jnb 004C26CF不合乎轉向條件,繼續比較!!
/////////////////下面的比較同理就不羅嗦了!!!\\\\\\\\\\\\\\\\

:004C26B1 8B45F8 mov eax, dword ptr [ebp-08]
:004C26B4 8A4001 mov al, byte ptr [eax+01]
:004C26B7 04BF add al, BF
:004C26B9 2C0C sub al, 0C
:004C26BB 7312 jnb 004C26CF=======>第二位使用者編號範圍A-L
:004C26BD 8B45F8 mov eax, dword ptr [ebp-08]
:004C26C0 8A4002 mov al, byte ptr [eax+02]
:004C26C3 04BF add al, BF
:004C26C5 2C1A sub al, 1A
:004C26C7 722E jb 004C26F7=======>第三位使用者編碼在A-Z就轉向,不再繼續
:004C26C9 04FA add al, FA
:004C26CB 2C06 sub al, 06
:004C26CD 7228 jb 004C26F7======>第三位使用者編碼在a-f就轉向

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004C26AF(C), :004C26BB(C)
|
:004C26CF C605BC9E4C0001 mov byte ptr [004C9EBC], 01==>上面不透過設標誌為1
:004C26D6 B804000000 mov eax, 00000004

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C26F5(C)
|
:004C26DB 8B55F8 mov edx, dword ptr [ebp-08]
:004C26DE 8A5402FF mov dl, byte ptr [edx+eax-01]
:004C26E2 80C2D0 add dl, D0
:004C26E5 80EA0A sub dl, 0A
:004C26E8 7207 jb 004C26F1
:004C26EA C605BC9E4C0001 mov byte ptr [004C9EBC], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C26E8(C)
|
:004C26F1 40 inc eax
:004C26F2 83F80A cmp eax, 0000000A
:004C26F5 75E4 jne 004C26DB
///////////上面是當使用者編號前面三位不透過就進行比較後面是否全是數字,但這比較沒用的\\\
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004C26C7(C), :004C26CD(C)
|
:004C26F7 803DBC9E4C0000 cmp byte ptr [004C9EBC], 00======>比較標誌是否0
:004C26FE 757B jne 004C277B=====================>不為0,OVER!!!!
:004C2700 A1D49F4C00 mov eax, dword ptr [004C9FD4]
:004C2705 8B00 mov eax, dword ptr [eax]
:004C2707 8B8020030000 mov eax, dword ptr [eax+00000320]
:004C270D 8B55FC mov edx, dword ptr [ebp-04]
:004C2710 E8E7D3F7FF call 0043FAFC
:004C2715 A1D49F4C00 mov eax, dword ptr [004C9FD4]
:004C271A 8B00 mov eax, dword ptr [eax]
:004C271C 8B8028030000 mov eax, dword ptr [eax+00000328]
:004C2722 8B55F8 mov edx, dword ptr [ebp-08]
:004C2725 E8D2D3F7FF call 0043FAFC
:004C272A A1D49F4C00 mov eax, dword ptr [004C9FD4]
:004C272F 8B00 mov eax, dword ptr [eax]
:004C2731 8B8024030000 mov eax, dword ptr [eax+00000324]
:004C2737 8B55F4 mov edx, dword ptr [ebp-0C]
:004C273A E8BDD3F7FF call 0043FAFC
:004C273F A1D49F4C00 mov eax, dword ptr [004C9FD4]
:004C2744 8B00 mov eax, dword ptr [eax]
:004C2746 8B8020030000 mov eax, dword ptr [eax+00000320]
:004C274C 33D2 xor edx, edx
:004C274E 8B08 mov ecx, dword ptr [eax]
:004C2750 FF5164 call [ecx+64]
:004C2753 A1D49F4C00 mov eax, dword ptr [004C9FD4]
:004C2758 8B00 mov eax, dword ptr [eax]
:004C275A 8B8028030000 mov eax, dword ptr [eax+00000328]
:004C2760 33D2 xor edx, edx
:004C2762 8B08 mov ecx, dword ptr [eax]
:004C2764 FF5164 call [ecx+64]
:004C2767 A1D49F4C00 mov eax, dword ptr [004C9FD4]
:004C276C 8B00 mov eax, dword ptr [eax]
:004C276E 8B8024030000 mov eax, dword ptr [eax+00000324]
:004C2774 33D2 xor edx, edx
:004C2776 8B08 mov ecx, dword ptr [eax]
:004C2778 FF5164 call [ecx+64]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004C2690(U), :004C26A0(C), :004C26FE(C)
|
:004C277B 8D55C8 lea edx, dword ptr [ebp-38]
:004C277E A1F4A24C00 mov eax, dword ptr [004CA2F4]
:004C2783 8B00 mov eax, dword ptr [eax]
:004C2785 E8DED8F9FF call 00460068
:004C278A 8B45C8 mov eax, dword ptr [ebp-38]
:004C278D 8D55CC lea edx, dword ptr [ebp-34]
:004C2790 E8FB71FCFF call 00489990
:004C2795 8B4DCC mov ecx, dword ptr [ebp-34]
:004C2798 8D45D0 lea eax, dword ptr [ebp-30]

* Possible StringData Ref from Code Obj ->"當前版本號："
|
:004C279B BAE4294C00 mov edx, 004C29E4
:004C27A0 E8D725F4FF call 00404D7C
:004C27A5 8B55D0 mov edx, dword ptr [ebp-30]
:004C27A8 A1D49F4C00 mov eax, dword ptr [004C9FD4]
:004C27AD 8B00 mov eax, dword ptr [eax]
:004C27AF 8B801C030000 mov eax, dword ptr [eax+0000031C]
:004C27B5 E842D3F7FF call 0043FAFC
:004C27BA 33F6 xor esi, esi
:004C27BC 803DBC9E4C0000 cmp byte ptr [004C9EBC], 00=======>再次比較標誌
:004C27C3 743A je 004C27FF=======================>這裡要跳!!!
:004C27C5 A1D49F4C00 mov eax, dword ptr [004C9FD4]
:004C27CA 8B00 mov eax, dword ptr [eax]
:004C27CC 8B8018030000 mov eax, dword ptr [eax+00000318]

* Possible StringData Ref from Code Obj ->"本版為未註冊試用版，部分功能只能在註冊後才能使"
->"用！"
|
:004C27D2 BAFC294C00 mov edx, 004C29FC
:004C27D7 E820D3F7FF call 0043FAFC
:004C27DC 8D55C4 lea edx, dword ptr [ebp-3C]
:004C27DF 8BC7 mov eax, edi
:004C27E1 E8E6D2F7FF call 0043FACC
:004C27E6 8D45C4 lea eax, dword ptr [ebp-3C]

* Possible StringData Ref from Code Obj ->"[未註冊功能限制版]"
|
:004C27E9 BA382A4C00 mov edx, 004C2A38
:004C27EE E84525F4FF call 00404D38
:004C27F3 8B55C4 mov edx, dword ptr [ebp-3C]
:004C27F6 8BC7 mov eax, edi
:004C27F8 E8FFD2F7FF call 0043FAFC
:004C27FD EB55 jmp 004C2854

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C27C3(C)
|
:004C27FF A1D49F4C00 mov eax, dword ptr [004C9FD4]
:004C2804 8B00 mov eax, dword ptr [eax]
:004C2806 8B8018030000 mov eax, dword ptr [eax+00000318]

* Possible StringData Ref from Code Obj ->"恭喜您成為完全版的榮譽註冊使用者！"
|
:004C280C BA542A4C00 mov edx, 004C2A54
:004C2811 E8E6D2F7FF call 0043FAFC
:004C2816 8D55BC lea edx, dword ptr [ebp-44]
:004C2819 8BC7 mov eax, edi
:004C281B E8ACD2F7FF call 0043FACC
:004C2820 FF75BC push [ebp-44]

* Possible StringData Ref from Code Obj ->" [榮譽註冊使用者："
|
:004C2823 68802A4C00 push 004C2A80
:004C2828 FF75FC push [ebp-04]
:004C282B 689C2A4C00 push 004C2A9C
:004C2830 8D45C0 lea eax, dword ptr [ebp-40]
:004C2833 BA04000000 mov edx, 00000004
:004C2838 E8B325F4FF call 00404DF0
:004C283D 8B55C0 mov edx, dword ptr [ebp-40]
:004C2840 8BC7 mov eax, edi
:004C2842 E8B5D2F7FF call 0043FAFC
:004C2847 33DB xor ebx, ebx
:004C2849 8B8734030000 mov eax, dword ptr [edi+00000334]
:004C284F E8A0D7F7FF call 0043FFF4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C27FD(U)
|
:004C2854 84DB test bl, bl
:004C2856 7413 je 004C286B
:004C2858 6A00 push 00000000

* Possible StringData Ref from Code Obj ->"提示！"
|
:004C285A 68A02A4C00 push 004C2AA0

* Possible StringData Ref from Code Obj ->"本軟體的試用版只能使用15次!
如果您對試用結果滿"
->"意，可以向我們註冊。
註冊資訊請訪問“幫助”菜?
->"サ摹白⒉帷弊酉?註冊費用為12元。"
|
:004C285F 68A82A4C00 push 004C2AA8
:004C2864 6A00 push 00000000

* Reference To: user32.MessageBoxA, Ord:0000h
|
:004C2866 E8B153F4FF Call 00407C1C
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\END\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
總結:
1.註冊名是任意
2.註冊碼永遠是0
3.使用者編號有兩種情況
A.使用者編號可以空值
B.使用者編號第一位在:A-Z範圍
使用者編號第二位在:A-L範圍
使用者編號第三位在:A-L或a-f範圍
還有使用者編號一定不能為'AHF000186'

登錄檔:
"SOFTWARE\Microsoft\tpcip\CurrentVersion"
怎麼還要寫序號產生器..不用吧...哈哈...
===================Open Cracking Group========================
=
= 郵件先知 v2.5.2.50註冊演算法分析
=
= ssljx/OCG
= http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi
=
===================Open Cracking Group========================

再來一篇演算法分析,eryl兄弟你要的東西!! (15千字)

相關文章