3D Art Screen Saver 5.0算法分析和C注册机源码
【文章标题】: 3D Art Screen Saver 5.0算法分析和C注册机源码【文章作者】: qifeon
【软件名称】: 3D Art Screen Saver 5.0
【下载地址】: http://www.onlinedown.net/soft/33724.htm
【保护方式】: 注册码
【编写语言】: 英文
【使用工具】: OD
【软件介绍】: 3D Art Screen Saver 是一个精美的3D艺术屏幕保护程
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
一、破解过程
这是一个屏保程序,安装后看不到主程序。运行文件夹里的Launch Setup后启动主程序,然后利用OD的附加功能,附加进程里的 3D Art.SCR
未命名的窗口
进程 名称 窗口 路径
00001244 3D Art 3D Art Screen Saver C:\WINDOWS\system32\3D Art.SCR 附加程序
000013CC Launch Se C:\Program Files\3D Art\Launch Setup.exe
然后就可以正常调试了。about项里找到注册项,输入“qifeon,123456”,出现错误提示“this user name does not match the registration code entered”,
利用插件查找此字符串
Ultra String Reference, 条目 20
Address=0040172F
Disassembly=push 0045E258
Text String=this user name does not match the registration code entered.
双击后来到
*******************************************************************************************************************************************************
00401705|.68 F8E14500 push 0045E1F8 ;registration successful!
0040170A|.68 14E24500 push 0045E214 ;thank you for registering the program.
0040170F|.8B8D 64FFFFFF mov ecx, dword ptr
00401715|.E8 B13E0400 call 004455CB
0040171A|.C645 FC 02 mov byte ptr , 2
0040171E|.8D4D 80 lea ecx, dword ptr
00401721|.E8 2B5A0400 call 00447151
00401726|.EB 17 jmp short 0040173F
00401728|>6A 10 push 10
0040172A|.68 3CE24500 push 0045E23C ;registration unsuccessful
0040172F|.68 58E24500 push 0045E258 ;this user name does not match the registration code entered.
返回处
*********************************************************************************************************************************************************
向上可以找到段首
************************************************************************************************************************************************************
004013BD/.55 push ebp 段首
004013BE|.8BEC mov ebp, esp
004013C0|.6A FF push -1
004013C2|.68 09DD4400 push 0044DD09 ;SE 处理程序安装
004013C7|.64:A1 0000000>mov eax, dword ptr fs:
004013CD|.50 push eax
004013CE|.64:8925 00000>mov dword ptr fs:, esp
004013D5|.81EC C4000000 sub esp, 0C4
004013DB|.898D 64FFFFFF mov dword ptr , ecx
004013E1|.8D4D E8 lea ecx, dword ptr
004013E4|.E8 C7070000 call 00401BB0
004013E9|.C745 FC 00000>mov dword ptr , 0
004013F0|.8D4D EC lea ecx, dword ptr
004013F3|.E8 B8070000 call 00401BB0
004013F8|.C645 FC 01 mov byte ptr , 1
004013FC|.8B85 64FFFFFF mov eax, dword ptr
00401402|.50 push eax
00401403|.8D4D 84 lea ecx, dword ptr
00401406|.E8 652F0100 call 00414370
0040140B|.C645 FC 02 mov byte ptr , 2
0040140F|.8D4D 84 lea ecx, dword ptr
00401412|.E8 7D220400 call 00443694 ;出现程序注册对话框
00401417|.8945 F0 mov dword ptr , eax
0040141A|.837D F0 01 cmp dword ptr , 1 ;判断注册或取消按钮,点注册则返回eax=1
0040141E|.0F85 1B030000 jnz 0040173F ;点注册按钮则不跳
00401424|.8D4D E4 lea ecx, dword ptr
00401427|.51 push ecx
00401428|.8D4D E8 lea ecx, dword ptr
0040142B|.E8 0E5E0400 call 0044723E
00401430|.8D55 E0 lea edx, dword ptr
00401433|.52 push edx
00401434|.8D4D EC lea ecx, dword ptr
00401437|.E8 025E0400 call 0044723E
0040143C|.8D4D E8 lea ecx, dword ptr
0040143F|.E8 8C070000 call 00401BD0 ;检查用户名是否为空
00401444|.85C0 test eax, eax ;不为空eax=0
00401446|.74 43 je short 0040148B
00401448|.6A 10 push 10
0040144A|.68 60E14500 push 0045E160 ;registration unsuccessful
0040144F|.68 7CE14500 push 0045E17C ;please enter a username
00401454|.8B8D 64FFFFFF mov ecx, dword ptr
0040145A|.E8 6C410400 call 004455CB
0040145F|.C645 FC 01 mov byte ptr , 1
00401463|.8D4D 84 lea ecx, dword ptr
00401466|.E8 95060000 call 00401B00
0040146B|.C645 FC 00 mov byte ptr , 0
0040146F|.8D4D EC lea ecx, dword ptr
00401472|.E8 DA5C0400 call 00447151
00401477|.C745 FC FFFFF>mov dword ptr , -1
0040147E|.8D4D E8 lea ecx, dword ptr
00401481|.E8 CB5C0400 call 00447151
00401486|.E9 DB020000 jmp 00401766
0040148B|>8D4D EC lea ecx, dword ptr
0040148E|.E8 3D070000 call 00401BD0 ;试炼码是否为空?
00401493|.85C0 test eax, eax ;不为空则返回eax=0
00401495|.74 43 je short 004014DA
00401497|.6A 10 push 10
00401499|.68 94E14500 push 0045E194 ;registration unsuccessful
0040149E|.68 B0E14500 push 0045E1B0 ;please enter a registration code
004014A3|.8B8D 64FFFFFF mov ecx, dword ptr
004014A9|.E8 1D410400 call 004455CB
004014AE|.C645 FC 01 mov byte ptr , 1
004014B2|.8D4D 84 lea ecx, dword ptr
004014B5|.E8 46060000 call 00401B00
004014BA|.C645 FC 00 mov byte ptr , 0
004014BE|.8D4D EC lea ecx, dword ptr
004014C1|.E8 8B5C0400 call 00447151
004014C6|.C745 FC FFFFF>mov dword ptr , -1
004014CD|.8D4D E8 lea ecx, dword ptr
004014D0|.E8 7C5C0400 call 00447151
004014D5|.E9 8C020000 jmp 00401766
004014DA|>51 push ecx
004014DB|.8BCC mov ecx, esp
004014DD|.89A5 7CFFFFFF mov dword ptr , esp
004014E3|.8D45 EC lea eax, dword ptr
004014E6|.50 push eax
004014E7|.E8 DA590400 call 00446EC6
004014EC|.8985 60FFFFFF mov dword ptr , eax
004014F2|.8B8D 60FFFFFF mov ecx, dword ptr
004014F8|.898D 5CFFFFFF mov dword ptr , ecx
004014FE|.C645 FC 03 mov byte ptr , 3
00401502|.51 push ecx
00401503|.8BCC mov ecx, esp
00401505|.89A5 78FFFFFF mov dword ptr , esp
0040150B|.8D55 E8 lea edx, dword ptr
0040150E|.52 push edx
0040150F|.E8 B2590400 call 00446EC6
00401514|.8985 58FFFFFF mov dword ptr , eax
0040151A|.8B85 58FFFFFF mov eax, dword ptr
00401520|.8985 54FFFFFF mov dword ptr , eax
00401526|.C645 FC 04 mov byte ptr , 4
0040152A|.E8 F1060000 call 00401C20
0040152F|.8BC8 mov ecx, eax
00401531|.C645 FC 02 mov byte ptr , 2
00401535|.E8 F25F0100 call 0041752C ;算法CALL
0040153A|.8985 50FFFFFF mov dword ptr , eax
00401540|.83BD 50FFFFFF>cmp dword ptr , 0
00401547|.0F84 DB010000 je 00401728 ;关键跳转
0040154D|.51 push ecx
0040154E|.8BCC mov ecx, esp
00401550|.89A5 74FFFFFF mov dword ptr , esp
00401556|.8D55 EC lea edx, dword ptr
00401559|.52 push edx
0040155A|.E8 67590400 call 00446EC6
0040155F|.8985 4CFFFFFF mov dword ptr , eax
00401565|.8B85 4CFFFFFF mov eax, dword ptr
0040156B|.8985 48FFFFFF mov dword ptr , eax
00401571|.C645 FC 05 mov byte ptr , 5
00401575|.51 push ecx
00401576|.8BCC mov ecx, esp
00401578|.89A5 70FFFFFF mov dword ptr , esp
0040157E|.8D55 E8 lea edx, dword ptr
00401581|.52 push edx
00401582|.E8 3F590400 call 00446EC6
00401587|.8985 44FFFFFF mov dword ptr , eax
0040158D|.8B85 44FFFFFF mov eax, dword ptr
00401593|.8985 40FFFFFF mov dword ptr , eax
00401599|.C645 FC 06 mov byte ptr , 6
0040159D|.E8 7E060000 call 00401C20
004015A2|.8BC8 mov ecx, eax
004015A4|.C645 FC 02 mov byte ptr , 2
004015A8|.E8 D1620100 call 0041787E
004015AD|.8D4D 80 lea ecx, dword ptr
004015B0|.E8 FB050000 call 00401BB0
004015B5|.C645 FC 07 mov byte ptr , 7
004015B9|.68 D4E14500 push 0045E1D4 ;.
004015BE|.E8 5D060000 call 00401C20
004015C3|.05 04020000 add eax, 204
004015C8|.50 push eax
004015C9|.68 D8E14500 push 0045E1D8 ;this program is registered to
004015CE|.8D8D 6CFFFFFF lea ecx, dword ptr
004015D4|.51 push ecx
----------------------------————————————————————————————————-
略去若干代码
————————————————————————————————————————————————
00401703|.6A 40 push 40
00401705|.68 F8E14500 push 0045E1F8 ;registration successful!
0040170A|.68 14E24500 push 0045E214 ;thank you for registering the program.
0040170F|.8B8D 64FFFFFF mov ecx, dword ptr
00401715|.E8 B13E0400 call 004455CB
0040171A|.C645 FC 02 mov byte ptr , 2
0040171E|.8D4D 80 lea ecx, dword ptr
00401721|.E8 2B5A0400 call 00447151
00401726|.EB 17 jmp short 0040173F
00401728|>6A 10 push 10
0040172A|.68 3CE24500 push 0045E23C ;registration unsuccessful
0040172F|.68 58E24500 push 0045E258 ;this user name does not match the registration code entered.
00401734|.8B8D 64FFFFFF mov ecx, dword ptr
0040173A|.E8 8C3E0400 call 004455CB
****************************************************************************************************************************************
段首下断,重载。点ABOUT,再点Regster now 断下,单步,中间输入试炼码,进入算法CALL call 0041752C
***************************************************************************************************************************************
0041752C/$55 push ebp
0041752D|.8BEC mov ebp, esp
0041752F|.6A FF push -1
00417531|.68 51F24400 push 0044F251 ;SE 处理程序安装
00417536|.64:A1 0000000>mov eax, dword ptr fs:
0041753C|.50 push eax
0041753D|.64:8925 00000>mov dword ptr fs:, esp
00417544|.83EC 44 sub esp, 44
00417547|.894D CC mov dword ptr , ecx
0041754A|.C745 FC 01000>mov dword ptr , 1
00417551|.68 000F4600 push 00460F00 ;141040
00417556|.8D45 0C lea eax, dword ptr
00417559|.50 push eax
0041755A|.E8 91BDFEFF call 004032F0 ;判断是否是固定注册码码“141040”
0041755F|.25 FF000000 and eax, 0FF
00417564|.85C0 test eax, eax
00417566|.75 17 jnz short 0041757F ;验证失败则进入第2组注册码判断
00417568|.68 080F4600 push 00460F08 ;117445
0041756D|.8D4D 0C lea ecx, dword ptr
00417570|.51 push ecx
00417571|.E8 7ABDFEFF call 004032F0 ;判断是否是固定注册码码“117445”
00417576|.25 FF000000 and eax, 0FF
0041757B|.85C0 test eax, eax
0041757D|.74 64 je short 004175E3 ;验证失败则进入另一组注册码判断
0041757F|>51 push ecx
00417580|.8BCC mov ecx, esp
00417582|.8965 E8 mov dword ptr , esp
00417585|.8D55 0C lea edx, dword ptr
00417588|.52 push edx
00417589|.E8 38F90200 call 00446EC6
0041758E|.8945 C8 mov dword ptr , eax
00417591|.8B45 C8 mov eax, dword ptr
00417594|.8945 C4 mov dword ptr , eax
00417597|.C645 FC 02 mov byte ptr , 2
0041759B|.51 push ecx
0041759C|.8BCC mov ecx, esp
0041759E|.8965 E4 mov dword ptr , esp
004175A1|.8D55 08 lea edx, dword ptr
004175A4|.52 push edx
004175A5|.E8 1CF90200 call 00446EC6
004175AA|.8945 C0 mov dword ptr , eax
004175AD|.8B4D CC mov ecx, dword ptr
004175B0|.C645 FC 01 mov byte ptr , 1
004175B4|.E8 C5020000 call 0041787E
004175B9|.C745 E0 FFFFF>mov dword ptr , -1
004175C0|.C645 FC 00 mov byte ptr , 0
004175C4|.8D4D 08 lea ecx, dword ptr
004175C7|.E8 85FB0200 call 00447151
004175CC|.C745 FC FFFFF>mov dword ptr , -1
004175D3|.8D4D 0C lea ecx, dword ptr
004175D6|.E8 76FB0200 call 00447151
004175DB|.8B45 E0 mov eax, dword ptr
004175DE|.E9 0A010000 jmp 004176ED
004175E3|>8D4D EC lea ecx, dword ptr ;第2组注册码失败后跳到这里
004175E6|.E8 C5A5FEFF call 00401BB0
004175EB|.C645 FC 03 mov byte ptr , 3
004175EF|.6A 0A push 0A
004175F1|.68 00010000 push 100
004175F6|.8D4D EC lea ecx, dword ptr
004175F9|.E8 F6FE0200 call 004474F4
004175FE|.50 push eax
004175FF|.68 2C010000 push 12C
00417604|.E8 909E0000 call 00421499
00417609|.83C4 0C add esp, 0C
0041760C|.6A FF push -1
0041760E|.8D4D EC lea ecx, dword ptr
00417611|.E8 2DFF0200 call 00447543
00417616|.51 push ecx
00417617|.8BCC mov ecx, esp
00417619|.8965 DC mov dword ptr , esp
0041761C|.8D45 EC lea eax, dword ptr
0041761F|.50 push eax
00417620|.E8 A1F80200 call 00446EC6
00417625|.8945 BC mov dword ptr , eax
00417628|.8B4D BC mov ecx, dword ptr
0041762B|.894D B8 mov dword ptr , ecx
0041762E|.C645 FC 04 mov byte ptr , 4
00417632|.51 push ecx
00417633|.8BCC mov ecx, esp
00417635|.8965 D8 mov dword ptr , esp
00417638|.8D55 08 lea edx, dword ptr
0041763B|.52 push edx
0041763C|.E8 85F80200 call 00446EC6
00417641|.8945 B4 mov dword ptr , eax
00417644|.8D45 F0 lea eax, dword ptr
00417647|.50 push eax
00417648|.8B4D CC mov ecx, dword ptr
0041764B|.C645 FC 03 mov byte ptr , 3
0041764F|.E8 A9000000 call 004176FD ;算法CALL
00417654|.8945 B0 mov dword ptr , eax
00417657|.C645 FC 05 mov byte ptr , 5
0041765B|.8D4D 0C lea ecx, dword ptr
0041765E|.51 push ecx
0041765F|.8D55 F0 lea edx, dword ptr
00417662|.52 push edx
00417663|.E8 7805FFFF call 00407BE0 ;上面计算得到注册码与试炼码比较
00417668|.25 FF000000 and eax, 0FF
0041766D|.85C0 test eax, eax
0041766F|.74 3F je short 004176B0
00417671|.C745 D4 01000>mov dword ptr , 1
00417678|.C645 FC 03 mov byte ptr , 3
0041767C|.8D4D F0 lea ecx, dword ptr
0041767F|.E8 CDFA0200 call 00447151
00417684|.C645 FC 01 mov byte ptr , 1
00417688|.8D4D EC lea ecx, dword ptr
0041768B|.E8 C1FA0200 call 00447151
00417690|.C645 FC 00 mov byte ptr , 0
00417694|.8D4D 08 lea ecx, dword ptr
00417697|.E8 B5FA0200 call 00447151
0041769C|.C745 FC FFFFF>mov dword ptr , -1
004176A3|.8D4D 0C lea ecx, dword ptr
004176A6|.E8 A6FA0200 call 00447151
004176AB|.8B45 D4 mov eax, dword ptr
004176AE|.EB 3D jmp short 004176ED
004176B0|>C745 D0 00000>mov dword ptr , 0
004176B7|.C645 FC 03 mov byte ptr , 3
004176BB|.8D4D F0 lea ecx, dword ptr
004176BE|.E8 8EFA0200 call 00447151
004176C3|.C645 FC 01 mov byte ptr , 1
004176C7|.8D4D EC lea ecx, dword ptr
004176CA|.E8 82FA0200 call 00447151
004176CF|.C645 FC 00 mov byte ptr , 0
004176D3|.8D4D 08 lea ecx, dword ptr
004176D6|.E8 76FA0200 call 00447151
004176DB|.C745 FC FFFFF>mov dword ptr , -1
004176E2|.8D4D 0C lea ecx, dword ptr
004176E5|.E8 67FA0200 call 00447151
004176EA|.8B45 D0 mov eax, dword ptr
004176ED|>8B4D F4 mov ecx, dword ptr
004176F0|.64:890D 00000>mov dword ptr fs:, ecx
004176F7|.8BE5 mov esp, ebp
004176F9|.5D pop ebp
004176FA\.C2 0800 retn 8
***********************************************************************************************************************
进入第3组注册码算法CALL004176FD
*************************************************************************************************************************
004176FD/$55 push ebp
004176FE|.8BEC mov ebp, esp
00417700|.6A FF push -1
00417702|.68 9FF24400 push 0044F29F ;SE 处理程序安装
00417707|.64:A1 0000000>mov eax, dword ptr fs:
0041770D|.50 push eax
0041770E|.64:8925 00000>mov dword ptr fs:, esp
00417715|.83EC 30 sub esp, 30
00417718|.894D CC mov dword ptr , ecx
0041771B|.C745 D0 00000>mov dword ptr , 0
00417722|.C745 FC 02000>mov dword ptr , 2
00417729|.8D4D E4 lea ecx, dword ptr
0041772C|.E8 7FA4FEFF call 00401BB0
00417731|.C645 FC 03 mov byte ptr , 3
00417735|.8D4D D8 lea ecx, dword ptr
00417738|.E8 73A4FEFF call 00401BB0
0041773D|.C645 FC 04 mov byte ptr , 4
00417741|.C745 E8 00000>mov dword ptr , 0
00417748|.8D45 10 lea eax, dword ptr
0041774B|.50 push eax
0041774C|.8D4D 0C lea ecx, dword ptr
0041774F|.51 push ecx
00417750|.8D55 D4 lea edx, dword ptr
00417753|.52 push edx
00417754|.E8 9AFB0200 call 004472F3
00417759|.8945 C8 mov dword ptr , eax
0041775C|.8B45 C8 mov eax, dword ptr
0041775F|.8945 C4 mov dword ptr , eax
00417762|.C645 FC 05 mov byte ptr , 5
00417766|.8B4D C4 mov ecx, dword ptr
00417769|.51 push ecx
0041776A|.8D4D 0C lea ecx, dword ptr
0041776D|.E8 CCFA0200 call 0044723E
00417772|.C645 FC 04 mov byte ptr , 4
00417776|.8D4D D4 lea ecx, dword ptr
00417779|.E8 D3F90200 call 00447151
0041777E|.8D4D 0C lea ecx, dword ptr
00417781|.E8 4ABBFEFF call 004032D0
00417786|.8945 EC mov dword ptr , eax
00417789|.68 00010000 push 100
0041778E|.8D4D 10 lea ecx, dword ptr
00417791|.E8 5EFD0200 call 004474F4
00417796|.50 push eax
00417797|.E8 E1A60000 call 00421E7D
0041779C|.83C4 04 add esp, 4
0041779F|.8945 DC mov dword ptr , eax
004177A2|.6A FF push -1
004177A4|.8D4D 10 lea ecx, dword ptr
004177A7|.E8 97FD0200 call 00447543
004177AC|.68 00010000 push 100
004177B1|.8D4D 0C lea ecx, dword ptr
004177B4|.E8 3BFD0200 call 004474F4 ;试炼码与固定字符串“300”连接
004177B9|.8945 F0 mov dword ptr , eax
004177BC|.C745 E0 00000>mov dword ptr , 0
004177C3|.EB 09 jmp short 004177CE
004177C5|>8B55 E0 /mov edx, dword ptr ;ebp-20的值传送回edx
004177C8|.83C2 01 |add edx, 1 ;edx值增1
004177CB|.8955 E0 |mov dword ptr , edx ;edx值放入ebp-20,以便于后面参与计算
004177CE|>8B45 E0 mov eax, dword ptr ;ebp-20的值放入eax
004177D1|.3B45 EC |cmp eax, dword ptr ;判断是否是否最后一位字符,ebp-14放置字符串长度len
004177D4|.7D 13 |jge short 004177E9 ;大于或等于则跳出循环
004177D6|.8B4D F0 |mov ecx, dword ptr ;连接后字符串放入ecx
004177D9|.034D E0 |add ecx, dword ptr ;ecx值由ebp-20传送,每次循环增1
004177DC|.0FBE11 |movsx edx, byte ptr ;连接后字符串逐位扩充放入edx
004177DF|.8B45 E8 |mov eax, dword ptr ;ebp-18 值放入eax
004177E2|.03C2 |add eax, edx ;eax与edx值相加
004177E4|.8945 E8 |mov dword ptr , eax ;相加后的值存入ebp-18
004177E7|.^ EB DC \jmp short 004177C5
004177E9|>8B4D E8 mov ecx, dword ptr ;连接后字符串ASCII值之和设为sum
004177EC|.2B4D DC sub ecx, dword ptr ;减去300的16进制12Ch
004177EF|.894D E8 mov dword ptr , ecx ;sum-12Ch值放入ebp-18
004177F2|.8B55 DC mov edx, dword ptr ;12Ch放入edx
004177F5|.2B55 EC sub edx, dword ptr ;edx=12Ch-len
004177F8|.8B45 E8 mov eax, dword ptr ;eax=sum-12Ch
004177FB|.0FAFC2 imul eax, edx ;eax相乘edx
004177FE|.8945 E8 mov dword ptr , eax ;相乘结果放在ebp-18
00417801|.6A 0A push 0A
00417803|.68 00010000 push 100
00417808|.8D4D E4 lea ecx, dword ptr
0041780B|.E8 E4FC0200 call 004474F4
00417810|.50 push eax
00417811|.8B4D E8 mov ecx, dword ptr ;相乘结果放入ecx
00417814|.51 push ecx
00417815|.E8 7F9C0000 call 00421499 ;相乘结果10进制转为字符串,即为注册码
0041781A|.83C4 0C add esp, 0C
0041781D|.6A FF push -1
0041781F|.8D4D E4 lea ecx, dword ptr
00417822|.E8 1CFD0200 call 00447543 ;取计算后长度
00417827|.8D55 E4 lea edx, dword ptr
0041782A|.52 push edx
0041782B|.8B4D 08 mov ecx, dword ptr
0041782E|.E8 93F60200 call 00446EC6
00417833|.8B45 D0 mov eax, dword ptr
00417836|.0C 01 or al, 1
00417838|.8945 D0 mov dword ptr , eax
0041783B|.C645 FC 03 mov byte ptr , 3
0041783F|.8D4D D8 lea ecx, dword ptr
00417842|.E8 0AF90200 call 00447151
00417847|.C645 FC 02 mov byte ptr , 2
0041784B|.8D4D E4 lea ecx, dword ptr
0041784E|.E8 FEF80200 call 00447151
00417853|.C645 FC 01 mov byte ptr , 1
00417857|.8D4D 0C lea ecx, dword ptr
0041785A|.E8 F2F80200 call 00447151
0041785F|.C645 FC 00 mov byte ptr , 0
00417863|.8D4D 10 lea ecx, dword ptr
00417866|.E8 E6F80200 call 00447151
0041786B|.8B45 08 mov eax, dword ptr
0041786E|.8B4D F4 mov ecx, dword ptr
00417871|.64:890D 00000>mov dword ptr fs:, ecx
00417878|.8BE5 mov esp, ebp
0041787A|.5D pop ebp
0041787B\.C2 0C00 retn 0C
*********************************************************************************************************
限于篇幅,有些CALL调试时都跟进了,这里破文就略去了。兄弟们如果玩玩需要进去看看。比如
0040143F|.E8 8C070000 call 00401BD0 ;检查用户名是否为空
还有
0041755A|.E8 91BDFEFF call 004032F0 ;判断是否是固定注册码码“141040”
***************************************************************************************************************
二。算法总结
1、注册码有3组,前2组为固定字符串,与用户名无关。第一组可用注册码“141040”
第二组可用注册码“117445"”
2、第3组注册码由用户名与固定字符串“300”计算而来:
用户名与固定字符串“300”连接后字符串ASCII值之和设为sum,长度设为len,300的16进制为12Ch
(sum-300)乘以(300-len)十进制的值转化为字符串即为对应用户名的注册码
************************************************************************************************************************
三、C算法注册机源代码
#include "stdio.h"
#include "string.h"
void main()
{
int i,cheng,sum=0,len;
char name;
scanf("%s",name);
strcat (name,"300");
len=strlen(name);
for (i=0;i<len;i++)
sum=sum+name;
cheng=(sum-300)*(300-len);
printf("%d",cheng);
system("PAUSE");
}
[ 本帖最后由 qifeon 于 2008-8-6 01:46 编辑 ] /:018 下软件对照学习一下感谢~~~~~
问一下~!!
你用的是什么插件查找字符串~!!我怎么查不到~! 原帖由 nv21 于 2008-9-11 23:17 发表 https://www.chinapyg.com/images/common/back.gif
你用的是什么插件查找字符串~!!
我怎么查不到~!
Ultra String Reference 插件,OD 里没有的话,自己找个下载放进去就可以 #include "stdio.h"
#include "string.h"
void main()
{
int i,cheng,sum=0,len;
char name;
scanf("%s",name);
strcat (name,"300");
len=strlen(name);
for (i=0;i<len;i++)
sum=sum+name; // 请教一下楼主,这里是不是应该是sum=sum+name;啊?
cheng=(sum-300)*(300-len);
printf("%d",cheng);
system("PAUSE");
}
晕,知道了,原来是论坛代码屏蔽了数组后边的下标变量
[ 本帖最后由 hdy981 于 2008-9-29 10:43 编辑 ]
页:
[1]