CoolClock V1.02註冊演算法分析 ---OCG (14千字)

===================Open Cracking Group========================
=
= CoolClock V1.02註冊演算法分析
=
= ssljx/OCG
= http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi
=
===================Open Cracking Group========================
:00401C46 E84D3D0200 call 00425998=======>讀取註冊名,機械碼,你輸入的註冊碼
:00401C4B A108264400 mov eax, dword ptr [00442608]
:00401C50 89442410 mov dword ptr [esp+10], eax
:00401C54 6894000000 push 00000094
:00401C59 8D4C2414 lea ecx, dword ptr [esp+14]
:00401C5D C744242000000000 mov [esp+20], 00000000
:00401C65 E8296B0200 call 00428793
:00401C6A 8D5F5C lea ebx, dword ptr [edi+5C]
:00401C6D 8D6F60 lea ebp, dword ptr [edi+60]
:00401C70 53 push ebx
:00401C71 55 push ebp
:00401C72 8BCE mov ecx, esi
:00401C74 E847880000 call 0040A4C0====>註冊碼計算比較
:00401C79 85C0 test eax, eax
:00401C7B 7430 je 00401CAD======>關鍵轉向!!!!
=========================== END =================================

==========================SUB 0040AC0=============================
:0040A4C0 6AFF push FFFFFFFF
:0040A4C2 68B0254300 push 004325B0
:0040A4C7 64A100000000 mov eax, dword ptr fs:[00000000]
:0040A4CD 50 push eax
:0040A4CE 64892500000000 mov dword ptr fs:[00000000], esp
:0040A4D5 83EC10 sub esp, 00000010
:0040A4D8 A108264400 mov eax, dword ptr [00442608]
:0040A4DD 53 push ebx
:0040A4DE 55 push ebp
:0040A4DF 56 push esi
:0040A4E0 8BE9 mov ebp, ecx
:0040A4E2 89442414 mov dword ptr [esp+14], eax
:0040A4E6 33F6 xor esi, esi
:0040A4E8 89442410 mov dword ptr [esp+10], eax
:0040A4EC 89742424 mov dword ptr [esp+24], esi
:0040A4F0 8D4C2414 lea ecx, dword ptr [esp+14]
:0040A4F4 C644242401 mov [esp+24], 01
:0040A4F9 E8D7C80100 call 00426DD5
:0040A4FE 8B5C242C mov ebx, dword ptr [esp+2C]
:0040A502 C644240F00 mov [esp+0F], 00
:0040A507 8B03 mov eax, dword ptr [ebx]
:0040A509 8B40F8 mov eax, dword ptr [eax-08]
:0040A50C 3BC6 cmp eax, esi
:0040A50E 89442418 mov dword ptr [esp+18], eax
:0040A512 0F8444010000 je 0040A65C
:0040A518 83F814 cmp eax, 00000014================>註冊名長度小於等於$14位
:0040A51B 0F8F3B010000 jg 0040A65C
:0040A521 8B4C2430 mov ecx, dword ptr [esp+30]
:0040A525 8B11 mov edx, dword ptr [ecx]
:0040A527 837AF818 cmp dword ptr [edx-08], 00000018==>輸入註冊碼長度大於等於$18位
:0040A52B 0F8C2B010000 jl 0040A65C
:0040A531 57 push edi
:0040A532 89742430 mov dword ptr [esp+30], esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A613(C)
|
:0040A536 33F6 xor esi, esi
:0040A538 85C0 test eax, eax
:0040A53A 0F8EC2000000 jle 0040A602======>為零,轉到下面..

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A5F2(C)
|
:0040A540 8B442430 mov eax, dword ptr [esp+30]
:0040A544 8D3C30 lea edi, dword ptr [eax+esi]
:0040A547 83FF28 cmp edi, 00000028
:0040A54A 0F8DAA000000 jnl 0040A5FA=========>計算註冊碼大於等於$28位,不幹了!!
:0040A550 8BCE mov ecx, esi=========>計算了註冊名的位數
:0040A552 81E101000080 and ecx, 80000001====>是否正數,並作奇偶校驗!!
:0040A558 7905 jns 0040A55F=========>正數轉向
:0040A55A 49 dec ecx ==========\
:0040A55B 83C9FE or ecx, FFFFFFFE 負數,將其求補碼
:0040A55E 41 inc ecx===========/

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A558(C)
|
:0040A55F 751E jne 0040A57F===================>奇數,到下面計算

////////////////////////////偶數處理/////////////////////////////////
:0040A561 8B13 mov edx, dword ptr [ebx]
:0040A563 8BC7 mov eax, edi========>indexj
====================說明這個edi的計算=====================
edi是註冊名的長度
:0040A565 8A0C32 mov cl, byte ptr [edx+esi]=====>StrName[index]
:0040A568 99 cdq
:0040A569 2BC2 sub eax, edx
:0040A56B 33D2 xor edx, edx
:0040A56D D1F8 sar eax, 1 =========>indexj=indexj div 2
:0040A56F 0FBEC9 movsx ecx, cl=======>如果大於$80,將符號位擴充套件,即為負數,主要是中文註冊名時cl>$80則為負數
:0040A572 8A9445F0000000 mov dl, byte ptr [ebp+2*eax+000000F0]==>Buf[2*indexj]取機械碼

=====================================機械碼錶的說明===============================
將註冊視窗的機械碼的奇偶位元組對調,如:
D4A4 E701 D8FE D8EE D8FE D8FE D8C1 D8FE D8FE D8FE
EBB6 8BCC 9CCE EDB2 F8DE F8DE F8DE FED8 F8DE F8DE
轉換成:(這個方式才是程式存放的格式,後面有說明)
A4D4 01E7 FED8 EED8 FED8 FED8 C1D8 FED8 FED8 FED8
B6EB CC8B CE9C B2ED DEF8 DEF8 DEF8 D8FE D8FE D8FE
用Buf[indexj]表示
==================================================================================
///////////////////////////////////說明機械嗎取位演算法/////////////////////////////
index==>每輪讀取註冊名的指標 indexj==>計算註冊碼指標

///////////////當註冊名長度為奇數時的取位演算法(長度:5)/////////////////////////////

index indexj eax=indexj div 2 (index為偶數)2*eax (index為奇數)2*eax+1
0 0 0 0
1 1 0 1
2 2 1 2
3 3 1 3
4 4 2 4
0 5 2 4
1 6 3 7
2 7 3 6
3 8 4 9
4 9 4 8
就這樣一直計算下去,那麼取機械碼的指標就是:0,1,2,3,4,4,7,6,9,8......
///////////////////////////////奇數結束//////////////////////////////////////////

///////////////當註冊名長度為偶數時的取位演算法(長度:6)/////////////////////////////

index indexj eax=indexj div 2 (index為偶數)2*eax (index為奇數)2*eax+1
0 0 0 0
1 1 0 1
2 2 1 2
3 3 1 3
4 4 2 4
5 5 2 5
0 6 3 6
1 7 3 7
2 8 4 8
3 9 4 9
4 10 5 10
5 11 5 11
就這樣一直計算下去,那麼取機械碼的指標就是:0,1,2,3,4,5,6,7,8,9,10,11......
///////////////////////////////偶數結束//////////////////////////////////////////

:0040A579 8BC2 mov eax, edx
:0040A57B 03C1 add eax, ecx======>StrName[index]+buf[2*indexj]
:0040A57D EB20 jmp 0040A59F
////////////////////////////偶數處理結束/////////////////////////////////

////////////////////////////奇數處理/////////////////////////////////
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A55F(C)
|
:0040A57F 8B03 mov eax, dword ptr [ebx]========\
:0040A581 8A0C30 mov cl, byte ptr [eax+esi]
:0040A584 8BC7 mov eax, edi 這裡跟偶數一樣
:0040A586 99 cdq
:0040A587 2BC2 sub eax, edx
:0040A589 33D2 xor edx, edx
:0040A58B D1F8 sar eax, 1=====================/
:0040A58D 8A9445F1000000 mov dl, byte ptr [ebp+2*eax+000000F1]==>Buf[2*indexj+1]
:0040A594 0FBEC1 movsx eax, cl
:0040A597 81E2FF000000 and edx, 000000FF
:0040A59D 03C2 add eax, edx=======>StrName[index]+buf[2*indexj+1]
//////////////////////////奇數處理結束///////////////////////////////

/////////////////////////計算,比較註冊碼////////////////////////////
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A57D(U)
|
:0040A59F 99 cdq
:0040A5A0 B91A000000 mov ecx, 0000001A
:0040A5A5 F7F9 idiv ecx==========>edx:=edx mod $1a
:0040A5A7 83C241 add edx, 00000041===>edx:=edx+$41
:0040A5AA 52 push edx============>儲存計算出來的註冊碼
:0040A5AB 8D542418 lea edx, dword ptr [esp+18]
:0040A5AF 689C1E4400 push 00441E9C
:0040A5B4 52 push edx
:0040A5B5 E8347A0100 call 00421FEE
:0040A5BA 8B4C2440 mov ecx, dword ptr [esp+40]
:0040A5BE 8BC7 mov eax, edi
:0040A5C0 99 cdq
:0040A5C1 8B39 mov edi, dword ptr [ecx]
:0040A5C3 83E203 and edx, 00000003
:0040A5C6 03C2 add eax, edx
:0040A5C8 8B54243C mov edx, dword ptr [esp+3C]
:0040A5CC C1F802 sar eax, 02
:0040A5CF 03C7 add eax, edi
:0040A5D1 83C40C add esp, 0000000C
:0040A5D4 03C2 add eax, edx
:0040A5D6 8B542414 mov edx, dword ptr [esp+14]
:0040A5DA 8A0430 mov al, byte ptr [eax+esi]==>取出你輸入的註冊碼
:0040A5DD 8A0A mov cl, byte ptr [edx]======>計算出來的註冊碼
:0040A5DF 8A542413 mov dl, byte ptr [esp+13]
:0040A5E3 2AC1 sub al, cl========>輸入的註冊碼減計算出來的註冊碼
:0040A5E5 02D0 add dl, al========>將差累加
:0040A5E7 8B44241C mov eax, dword ptr [esp+1C]
:0040A5EB 46 inc esi
:0040A5EC 88542413 mov byte ptr [esp+13], dl
:0040A5F0 3BF0 cmp esi, eax=====>如果取完註冊碼,則結束一輪計算
:0040A5F2 0F8C48FFFFFF jl 0040A540======>沒取完繼續計算
:0040A5F8 EB08 jmp 0040A602=====>轉到下面再初始化

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A54A(C)
|
:0040A5FA C7442430E8030000 mov [esp+30], 000003E8

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040A53A(C), :0040A5F8(U)
|
:0040A602 8B4C2430 mov ecx, dword ptr [esp+30]
:0040A606 8B44241C mov eax, dword ptr [esp+1C]
:0040A60A 03C8 add ecx, eax========>ecx=ecx+lenName(註冊名長度)
:0040A60C 83F928 cmp ecx, 00000028
:0040A60F 894C2430 mov dword ptr [esp+30], ecx
:0040A613 0F8C1DFFFFFF jl 0040A536=====>是否計算完$28位註冊碼,沒完繼續
:0040A619 8A4C2413 mov cl, byte ptr [esp+13]=====>上面的累加和
:0040A61D 33C0 xor eax, eax
:0040A61F 84C9 test cl, cl===================>累加和一定為零
:0040A621 0F94C0 sete al=======================>設定標誌
:0040A624 8D4C2414 lea ecx, dword ptr [esp+14]
:0040A628 8BF0 mov esi, eax
:0040A62A C644242800 mov [esp+28], 00
:0040A62F E816C80100 call 00426E4A
:0040A634 8D4C2418 lea ecx, dword ptr [esp+18]
:0040A638 C7442428FFFFFFFF mov [esp+28], FFFFFFFF
:0040A640 E805C80100 call 00426E4A
:0040A645 8BC6 mov eax, esi
:0040A647 5F pop edi
:0040A648 5E pop esi
:0040A649 5D pop ebp
:0040A64A 5B pop ebx
:0040A64B 8B4C2410 mov ecx, dword ptr [esp+10]
:0040A64F 64890D00000000 mov dword ptr fs:[00000000], ecx
:0040A656 83C41C add esp, 0000001C
:0040A659 C20800 ret 0008
=========================END 0040AC0==============================

======================機械碼取出並轉換字串過程==================
:00401AF5 BB14000000 mov ebx, 00000014==============>機械碼的長度

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401B25(C)
|
:00401AFA 33C0 xor eax, eax
:00401AFC 8D4C2410 lea ecx, dword ptr [esp+10]
:00401B00 668B4500 mov ax, word ptr [ebp+00]======>按字方式取出機械碼
:00401B04 50 push eax
:00401B05 6838114400 push 00441138
:00401B0A 51 push ecx
:00401B0B E8DE040200 call 00421FEE===========>將取出的機械碼奇偶位元組對調並化成字串
:00401B10 83C40C add esp, 0000000C
:00401B13 8D542410 lea edx, dword ptr [esp+10]
:00401B17 8D4C2414 lea ecx, dword ptr [esp+14]
:00401B1B 52 push edx
:00401B1C E8E0560200 call 00427201=================>把上面的字串串起來
:00401B21 83C502 add ebp, 00000002
:00401B24 4B dec ebx
:00401B25 75D3 jne 00401AFA
這裡轉後的字串就是我們在註冊視窗看到的機械碼,當我們計算註冊碼的時候就要把註冊視窗的機械碼再轉換回來!!
==============================END===================================
把CoolClock目錄下的CoolClock.ini的
UserName=
RegKey=
刪了又是未註冊...
序號產生器在OCG論壇提供下載
===================Open Cracking Group========================
=
= CoolClock V1.02註冊演算法分析
=
= ssljx/OCG
= http://www.newclw.com/lllufh/cgi-bin/leoboard.cgi
=
===================Open Cracking Group========================

CoolClock V1.02註冊演算法分析 ---OCG (14千字)

相關文章