Teleport Pro算法分析
【破文标题】 Teleport Pro Version 1.39 for Windows【破文作者】shine
【破解平台】winxpsp3
【破解工具】PEiD0.94、TheOD
【作者邮箱】[email protected]
【软件名称】Teleport Pro Version 1.39 for Windows
【软件大小】664k
【软件简介】As of Version 1.39, Teleport Pro uses an internal Java applet binary parser,and doesn't need to use the older "JavaPack" system distributed with previousversions of Teleport Pro.If you have upgraded a Teleport Pro v1.28 orprevious installation, you can delete the files in the "bin" subdirectory(there should be two files in that folder, CLASSES.ZIP and JAVAP.EXE), as those files are no longer necessary .
1.PEID-----Microsoft Visual C++ 6.0base64 和crc32算法。
2.OD载入,可以用查找字符串,F12堆栈调用,查找按钮事件到达关键处。
==================================================================================================
0042B421 .E8 2F680000 call pro.00431C55 ;edx用户名长度5
0042B426 .8BF0 mov esi, eax
0042B428 .A1 D4014900 mov eax, dword ptr ds:
0042B42D .83C4 0C add esp, 0C
0042B430 .897424 10 mov dword ptr ss:, esi
0042B434 .3898 CD040000 cmp byte ptr ds:, bl
0042B43A .0F84 33010000 je pro.0042B573
0042B440 .3BF3 cmp esi, ebx
0042B442 .BD C4604800 mov ebp, pro.004860C4 ;ASCII "User"
0042B447 .74 59 je short pro.0042B4A2
0042B449 .FFB7 D5000000 push dword ptr ds: ;用户名
0042B44F .E8 BA090000 call pro.0042BE0E ;F7进
0042B454 .3BF0 cmp esi, eax ;eax真码,esi假码
0042B456 .59 pop ecx
0042B457 .75 0F jnz short pro.0042B468 ;关键跳
0042B459 .53 push ebx ; /Arg3
0042B45A .53 push ebx ; |Arg2
0042B45B .FF35 A46A4800 push dword ptr ds: ; |Arg1 = 0048BD6C ASCII "Thank you!Your copy of Teleport Pro is now registered.All limits have been removed."
0042B461 .E8 8C550200 call pro.004509F2 ; \pro.004509F2
0042B466 .EB 75 jmp short pro.0042B4DD
==================================================================================================
进入0042B44F处call,来到这里
0042BE0E/$57 push edi
0042BE0F|.8B7C24 08 mov edi, dword ptr ss: ;用户名给edi
0042BE13|.85FF test edi, edi
0042BE15|.74 09 je short pro.0042BE20 ;没输入就措
0042BE17|.57 push edi
0042BE18|.E8 935A0000 call pro.004318B0 ;eax是用户名长度
0042BE1D|.59 pop ecx
0042BE1E|.EB 02 jmp short pro.0042BE22
0042BE20|>33C0 xor eax, eax
0042BE22|>83F8 05 cmp eax, 5 ;长度和5比较
0042BE25|.73 04 jnb short pro.0042BE2B ;不小就跳
0042BE27|.33C0 xor eax, eax
0042BE29|.5F pop edi
0042BE2A|.C3 retn
0042BE2B|>53 push ebx
0042BE2C|.56 push esi
0042BE2D|.BE A4E4FE5D mov esi, 5DFEE4A4 ;esi=5DFEE4A4
0042BE32|.33DB xor ebx, ebx ;ebx清零
0042BE34|>85FF /test edi, edi
0042BE36|.74 09 |je short pro.0042BE41
0042BE38|.57 |push edi
0042BE39|.E8 725A0000 |call pro.004318B0 ;用户名长度eax=7
0042BE3E|.59 |pop ecx
0042BE3F|.EB 02 |jmp short pro.0042BE43
0042BE41|>33C0 |xor eax, eax
0042BE43|>83C0 FC |add eax, -4 ;长度减四位
0042BE46|.3BD8 |cmp ebx, eax
0042BE48|.73 0C |jnb short pro.0042BE56
0042BE4A|.33343B |xor esi, dword ptr ds: ;前四位倒序ascii值和esi异或从第二位开始再取四位
0042BE4D|.F6C3 40 |test bl, 40 ;最多只运算40H次
0042BE50|.74 01 |je short pro.0042BE53
0042BE52|.43 |inc ebx
0042BE53|>43 |inc ebx
0042BE54|.^ EB DE \jmp short pro.0042BE34
0042BE56|>8BC6 mov eax, esi
0042BE58|.5E pop esi
0042BE59|.5B pop ebx
0042BE5A|.5F pop edi
0042BE5B\.C3 retn
0042BE5C .E9 00000000 jmp pro.0042BE61
0042BE61 >68 204D4800 push pro.00484D20
0042BE66 .FF35 086A4800 push dword ptr ds: ;pro.00486A48
0042BE6C .E8 CE6F0000 call pro.00432E3F
0042BE71 .50 push eax
0042BE72 .FF35 106A4800 push dword ptr ds: ;pro.00486A14
0042BE78 .E8 B35A0000 call pro.00431930
0042BE7D .2B05 106A4800 sub eax, dword ptr ds: ;pro.00486A14
0042BE83 .83C4 10 add esp, 10
0042BE86 .6A 03 push 3
0042BE88 .99 cdq
0042BE89 .59 pop ecx
0042BE8A .F7F9 idiv ecx
0042BE8C .40 inc eax
0042BE8D .A3 28184900 mov dword ptr ds:, eax
0042BE92 .C3 retn
==================================================================================================
算法步骤:
==================================================================================================
1.用户名位数必须大于等于5;
2.5DFEE4A4H和从用户名第一位开始取四位倒序后,转换成ascii的值异或
3.第二部的结果和从用户名第二位开始取四位倒序后的ascii码异或;
4.以此类推,循环的次数n等于用户名长度-4;
5.最后的16进制数转换成10进制的就是注册码。
shine
ASCII:7368696E65
第一次取:6E696873
异或后esi:5DFEE4A4
esi:33978CD7H 10进制:865570007注册码
==================================================================================================
delphi注册机源码
==================================================================================================
var
Scode : String;
Sname : String;
Stemp : String;
i , j: Integer;
Itemp : Int64;
iconst : Integer; //定义几个变量
begin
iconst := $5DFEE4A4; //esi的初值
itemp := 0;
Stemp := '';
if Edit1.Text = '' then Exit;
if Length(Edit1.Text) < 5 then
begin
Edit2.Text := '用户名长度必须大于5';
end
else if Length(Edit1.Text) >= 5 then
begin
for i := 1 to length(Edit1.Text) - 4 do //算法循环
begin
Scode := Copy(Edit1.Text,i,4);
for j := 1 to 4 do
begin
Stemp := Format( '%.2x',[ Ord(Scode) ] ) + Stemp;//反向输出ascii值
end;
itemp := StrToInt64('$'+Stemp); //Format是格式化字符串
iconst := iconst Xor itemp;
Stemp := '';
end;
Edit2.Text := IntToStr(iconst); //计算结果
end;
end;
c++的注册机,我想了半天没想出来,大家可以教教我。/:011 有实力,有潜力/:good 补上c++注册机咯/:014
#include "stdafx.h"
#include <iostream>
#include <string>
using namespace std;
void main()
{
int i = 0;
int j = 0;
int k = 0;
int len = 0;
int nTemp = 0;
unsigned long lReg = 0x5DFEE4A4;
unsigned long lResult = 0;
char RegUser = {0};
char RegCode = {0};
char RegUsTmp = {0};
char RegCoTmp = {0};
cout << "Please input your username.." << endl;
cin>> RegUser;
len = strlen(RegUser);
strcat(RegCode,"0x");
for (i = 0; i < len-4; i ++)
{
for (j = 0; j <= 3; j ++)
{
RegUsTmp = RegUser;
}
for(k = 0;k <= 3 ;k ++)
{
nTemp = RegUsTmp;
itoa(nTemp, RegCoTmp, 16);
strcat(RegCode, RegCoTmp);
}
lResult = strtol(RegCode, '\0', 16);
lReg = lReg ^ lResult ;
memset( RegCode, 0, sizeof(RegCode) );
}
cout << "Your regcode is:" << lReg <<endl;
} 看着是得慢慢研究了呀 /:002 注册机写不出,就**了它
页:
[1]