搜尋引擎工廠專業版演算法分析+演算法序號產生器

看雪資料發表於2015-11-15

【破解作者】 stasi[DCM][BCG][DFCG][FCG][OCN][CZG][D.4s]
【作者郵箱】 stasi@163.com
【作者主頁】 stasi.7169.com
【使用工具】 ollydbg  vc++6.0
【破解平臺】 Win9x/NT/2000/XP
【軟體名稱】 搜尋引擎工廠專業版v1.68
【下載地址】 http://www.aleadsoft.com/
【軟體大小】 1.24m
【加殼方式】 無
【破解宣告】 我是一隻小菜鳥,偶得一點心得,願與大家分享:)
--------------------------------------------------------------------------------
【破解內容】


前幾天,上海下了十年來最大的一場雪,好福氣啊:)正是朋友聚聚的好時候,忙了好幾天:(
今天才有空在論壇上看看,一來就看到fcg徵召新年文章,我水平不濟,所以先寫,要不等師傅
的文章出來,就浪費看的大家時間了:)手上沒什麼東西,在dfcg論壇上看到一篇搜尋引擎工廠
專業版的文章,作者在演算法上難住了,我看了一下,佔用午睡的時候,塗了一篇,貽笑大方。

RegOpenKeyA斷下:

* Possible StringData Ref from Data Obj ->"RegInfo"
                                  |
:0042DE9D 6804614A00              push 004A6104
:0042DEA2 52                      push edx
:0042DEA3 8BCE                    mov ecx, esi
:0042DEA5 E8227C0400              call 00475ACC
:0042DEAA 50                      push eax
:0042DEAB 8D4C2420                lea ecx, dword ptr [esp+20]
:0042DEAF C68424540200000B        mov byte ptr [esp+00000254], 0B
:0042DEB7 E8F21A0300              call 0045F9AE
:0042DEBC 8D4C2410                lea ecx, dword ptr [esp+10]
:0042DEC0 889C2450020000          mov byte ptr [esp+00000250], bl
:0042DEC7 E8A9190300              call 0045F875
:0042DECC 51                      push ecx
:0042DECD 8D442420                lea eax, dword ptr [esp+20]
:0042DED1 8BCC                    mov ecx, esp
:0042DED3 89642424                mov dword ptr [esp+24], esp
:0042DED7 50                      push eax
:0042DED8 E80D170300              call 0045F5EA
:0042DEDD 51                      push ecx
:0042DEDE 8D542420                lea edx, dword ptr [esp+20]
:0042DEE2 8BCC                    mov ecx, esp
:0042DEE4 8964241C                mov dword ptr [esp+1C], esp
:0042DEE8 52                      push edx
:0042DEE9 C684245C0200000C        mov byte ptr [esp+0000025C], 0C
:0042DEF1 E8F4160300              call 0045F5EA
:0042DEF6 8BCE                    mov ecx, esi
:0042DEF8 889C2458020000          mov byte ptr [esp+00000258], bl
:0042DEFF E8AC440000              call 004323B0               //演算法
:0042DF04 33ED                    xor ebp, ebp
:0042DF06 3BC5                    cmp eax, ebp
:0042DF08 740C                    je 0042DF16
:0042DF0A C786E800000001000000    mov dword ptr [esi+000000E8], 00000001
:0042DF14 EB59                    jmp 0042DF6F



:004323B0 6AFF                    push FFFFFFFF
:004323B2 68D03A4800              push 00483AD0
:004323B7 64A100000000            mov eax, dword ptr fs:[00000000]
:004323BD 50                      push eax
:004323BE 64892500000000          mov dword ptr fs:[00000000], esp
:004323C5 81ECD4000000            sub esp, 000000D4
:004323CB 53                      push ebx
:004323CC 56                      push esi
:004323CD 8BF1                    mov esi, ecx
:004323CF B801000000              mov eax, 00000001
:004323D4 6870DB4A00              push 004ADB70
:004323D9 898424E8000000          mov dword ptr [esp+000000E8], eax
:004323E0 8986EC000000            mov dword ptr [esi+000000EC], eax
:004323E6 8B8424F0000000          mov eax, dword ptr [esp+000000F0]
:004323ED 50                      push eax
:004323EE E82B5B0100              call 00447F1E
:004323F3 83C408                  add esp, 00000008
:004323F6 85C0                    test eax, eax
:004323F8 0F8477010000            je 00432575
:004323FE 8B8C24F0000000          mov ecx, dword ptr [esp+000000F0]
:00432405 6870DB4A00              push 004ADB70
:0043240A 51                      push ecx
:0043240B E80E5B0100              call 00447F1E
:00432410 83C408                  add esp, 00000008
:00432413 85C0                    test eax, eax
:00432415 0F845A010000            je 00432575

* Possible StringData Ref from Data Obj ->"ttdown"            //黑名單
                                  |
:0043241B 68F0964A00              push 004A96F0
:00432420 8D8C24F0000000          lea ecx, dword ptr [esp+000000F0]
:00432427 E8FB580200              call 00457D27
:0043242C 33DB                    xor ebx, ebx
:0043242E 83F8FF                  cmp eax, FFFFFFFF
:00432431 7542                    jne 00432475

* Possible StringData Ref from Data Obj ->"crsky"
                                  |
:00432433 68E8964A00              push 004A96E8
:00432438 8D8C24F0000000          lea ecx, dword ptr [esp+000000F0]
:0043243F E8E3580200              call 00457D27
:00432444 83F8FF                  cmp eax, FFFFFFFF
:00432447 752C                    jne 00432475

* Possible StringData Ref from Data Obj ->".com"
                                  |
:00432449 68D8964A00              push 004A96D8
:0043244E 8D8C24F0000000          lea ecx, dword ptr [esp+000000F0]
:00432455 E8CD580200              call 00457D27
:0043245A 83F8FF                  cmp eax, FFFFFFFF
:0043245D 7516                    jne 00432475

* Possible StringData Ref from Data Obj ->"jetdown"
                                  |
:0043245F 68D0964A00              push 004A96D0
:00432464 8D8C24F0000000          lea ecx, dword ptr [esp+000000F0]
:0043246B E8B7580200              call 00457D27
:00432470 83F8FF                  cmp eax, FFFFFFFF
:00432473 7406                    je 0043247B

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00432431(C), :00432447(C), :0043245D(C)
|
:00432475 899EEC000000            mov dword ptr [esi+000000EC], ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00432473(C)
|
:0043247B 55                      push ebp
:0043247C 8BAC24F0000000          mov ebp, dword ptr [esp+000000F0]
:00432483 33C9                    xor ecx, ecx
:00432485 C644240C73              mov [esp+0C], 73            //'s'
:0043248A 8B75F8                  mov esi, dword ptr [ebp-08] 
:0043248D C644240D65              mov [esp+0D], 65            //'e'
:00432492 3BF3                    cmp esi, ebx
:00432494 C644240E61              mov [esp+0E], 61            //'a'
:00432499 C644240F72              mov [esp+0F], 72            //'r'
:0043249E C644241062              mov [esp+10], 62            //'b'     
:004324A3 C644241175              mov [esp+11], 75            //'u'
:004324A8 C644241269              mov [esp+12], 69            //'i'
:004324AD C64424136C              mov [esp+13], 6C            //'l'
:004324B2 885C2414                mov byte ptr [esp+14], bl
:004324B6 7E3D                    jle 004324F5
:004324B8 57                      push edi
:004324B9 8D7C341B                lea edi, dword ptr [esp+esi+1B]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004324F0(C)
|
:004324BD 8A0429                  mov al, byte ptr [ecx+ebp]
:004324C0 8BD1                    mov edx, ecx
:004324C2 81E207000080            and edx, 80000007
:004324C8 7905                    jns 004324CF
:004324CA 4A                      dec edx
:004324CB 83CAF8                  or edx, FFFFFFF8
:004324CE 42                      inc edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004324C8(C)
|
:004324CF 0FBE541410              movsx edx, byte ptr [esp+edx+10]
:004324D4 0FBEC0                  movsx eax, al
:004324D7 8BD9                    mov ebx, ecx              
:004324D9 03DA                    add ebx, edx
:004324DB 03C3                    add eax, ebx              
:004324DD BB09000000              mov ebx, 00000009           
:004324E2 03C6                    add eax, esi             //註冊名字元+對應字元+對應位數+註冊名長度
:004324E4 99                      cdq
:004324E5 F7FB                    idiv ebx                   //除ebx=9,得餘數
:004324E7 80C230                  add dl, 30
:004324EA 41                      inc ecx
:004324EB 8817                    mov byte ptr [edi], dl
:004324ED 4F                      dec edi
:004324EE 3BCE                    cmp ecx, esi
:004324F0 7CCB                    jl 004324BD              //全部比完,連線成註冊碼前面的部分
:004324F2 33DB                    xor ebx, ebx
:004324F4 5F                      pop edi

:004324F5 8D4668                  lea eax, dword ptr [esi+68]        //註冊名長度+0x68
:004324F8 B909000000              mov ecx, 00000009                  //除9
:004324FD 99                      cdq
:004324FE F7F9                    idiv ecx
:00432500 8B8424F4000000          mov eax, dword ptr [esp+000000F4]  //註冊碼的最後一位
:00432507 5D                      pop ebp
:00432508 80C230                  add dl, 30
:0043250B 88543414                mov byte ptr [esp+esi+14], dl
:0043250F 885C3415                mov byte ptr [esp+esi+15], bl
:00432513 8D742414                lea esi, dword ptr [esp+14]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00432535(C)
|
:00432517 8A10                    mov dl, byte ptr [eax]
:00432519 8ACA                    mov cl, dl
:0043251B 3A16                    cmp dl, byte ptr [esi]     
:0043251D 751C                    jne 0043253B
:0043251F 3ACB                    cmp cl, bl
:00432521 7414                    je 00432537
:00432523 8A5001                  mov dl, byte ptr [eax+01]
:00432526 8ACA                    mov cl, dl
:00432528 3A5601                  cmp dl, byte ptr [esi+01]
:0043252B 750E                    jne 0043253B
:0043252D 83C002                  add eax, 00000002
:00432530 83C602                  add esi, 00000002
:00432533 3ACB                    cmp cl, bl
:00432535 75E0                    jne 00432517

--------------------------------------------------------------------------------
【破解總結】

1)註冊名不能超過50個字元。
2)“searbuil”是參考字元,參與演算法運算。
3)註冊名取一位,參考字元裡也取一位,註冊名長度超過8個字元時,迴圈取參考字元。
4)每次運算相當於:(註冊名字元+參考對應字元+對應位數+註冊名長度)mod 9 的計算,
   依次連線結果,儲存為註冊碼的首部分。
5)(註冊名長度+0x68) mod 9 的結果是註冊碼的最後一位。

--------------------------------------------------------------------------------
【演算法序號產生器】


ps:vb 那張盤被借去了,只能c++的程式碼將就了:(
ps:論壇上說的中文註冊名的問題也解決了,註冊名中可以使用漢字字元:)

#include"iostream.h"
#include"stdio.h"
#include"string.h"

void main()
{   char n[80];
    int len(0),i,m(0),s(0),t(0);
    puts("code for 搜尋引擎工廠專業版v1.68");
    puts("////////////////////////////////////////////////////////////////////////////");
    puts("  Cracker : stasi[DCM][BCG][DFCG][FCG][OCN][CZG][D.4s]"  );  
    puts("  Email   : stasi@163.com");
    puts("  Homepage: http://stasi.7169.com");
    puts("  OS      : Win2kADV sp4 & vc++ 6.0");
    puts("  Date    : 2004-1-1 ");
    puts("  Note    : If you have one or more question, email me please,thank you! ");
    puts("////////////////////////////////////////////////////////////////////////////");

  while(1)
  {   
    puts("\nPlease enter your name:");
        gets(n);
        len=strlen(n);
        if (len<=50) break;
  else cout<<"sorry! The length of the regname can not be more than 50!";
  }

  puts("\nregcode is :");
  for(i=0;i<(len);i++)
  {
     s=(int)n[len-i-1];

                 m=(len-i)%8;
     switch(m)
     {
                case 0: m=108;break;  
        case 1: m=115;break;     
           case 2: m=101;break;  
        case 3: m=97;break;  
        case 4: m=114;break;
        case 5: m=98;break;     
        case 6: m=117;break;  
         case 7: m=105;break;  
                         default:puts("maybe have had a mistake:(");break;
     }

                t=(len-i-1)+s+len+m;
       t%=9;
       cout<<(t);
  }
     cout<<(len+104)%9;

     cout<<"\nThank you for using & enjoy yourself in the new year!";


}

--------------------------------------------------------------------------------
【記憶體序號產生器】


中斷地址:42DEFF
中斷次數:1 
第一位元組:E8 
指令長度:5

中斷地址:43251B 
中斷次數:1 
第一位元組:3A 
指令長度:2

--------------------------------------------------------------------------------
【使用者名稱、密碼】


regname:stasi
regcode:533711

--------------------------------------------------------------------------------
【版權宣告】 本文純屬技術交流, 轉載請註明作者並保持文章的完整, 謝謝! 
                                                 2005-1-1

相關文章