英格驾驶员学习考试系统——科目一 2013版 注册机代码
本帖最后由 vipcrack 于 2014-4-28 16:10 编辑论坛内有几位已经搞了内存注册机等破解,闲来无事,OD调试下,写个小机。
英格:快速、有效的驾考学习模式!
15小时通过驾考理论考试秘诀:由驾驶员试题网根据近百万驾考经验,整理成一套学习方式,按此学习,可轻松通过2013年科目一及科目四即安全文明考试。
英格驾考采用2013年最新版题库,业内领先不止一步!
科目一小车973题,科目四小车800题,大车1023题。
http://www.jsyst.cn/product/
跟踪注册码简单,明码,但是分析算法把我给搞晕了,万恶的VB。
=======================================================================
硬盘序列号(ASCII "CVMP222300SS180CGN")
循环XOR37 18 17 4A 30 3E 79 D4 B7 93
得到新数据:74 4E 5A 1A 02 0C 4B E7 87 A3 64 4B 26 72 00 7D 3E 9A
数据MOD 3E后查表abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
字符串处理后得到,中间穿插a,b,c,d
S q 2 0 c m n J l D C n C Q a b a 4
b b b a a a b d c c b b a b a c b c//这里的a,b,c,d分别代表商,而查表的数据用的是余数
Sbqb2b0acamanbJdlcDcCbnbCaQbaabcab4c
53 62 71 62 32 62 30 61 63 61 6D 61 6E 62 4A 64 6C 63 44 63 43 62 6E 62 43 61 51 62 61 61 62 63 61 62 34 63
继续循环XOR得到新数据
64 7A 66 28 02 5C 49 B5 D4 F2 5A 79 79 28 7A 5A 15 B7 F3 F0 74 7A 79 28 73 5F 28 B6 D6 F2 55 7B 76 28 04 5D
MOD 3E
继续查表
========================
CbYbEbEaca4blbVc0dUd2bXbXbEaYb2bvaXcVdSdSbYbXbEaRb7bEaWc2dUdxbZbUbEaea5b //机器码
C Y E E c 4 l V 0 U 2 X X E Y 2 v X V S S Y X E R 7 E W 2 U x Z U E e 5
C E c l 0 2 X Y v V S X R E 2 x U e
还原机器码处理第一次结果
abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
循环XOR37 18 17 4A 30 3E 79 D4 B7 93
逆回去看看
C----在表中位置是第38位,0x26+3E=0x64XOR 0x37=0x53------0x53对应字符是S, S在表中的位置是54位,0x36+3E=0x74 XOR 0x37=0x430x43对应的字符是C
E----在表中位置是第40位,0x28+3E=0x66XOR 0x17=0x71------0x71对应字符是q, q在表中的位置是16位,0x10+3E=0x4E XOR 0x18=0x560x56对应的字符是V
=======================================================================================================
00491C44 .8BD0 mov edx, eax ;eax=005E3F2C, (UNICODE "CVMP222300SS180CGN")
00491C46 .8D4D D4 lea ecx, dword ptr
00491C49 .FFD7 call edi
00491C4B .50 push eax
00491C4C .E8 4FF6FFFF call 004912A0
00491C51 .8BD0 mov edx, eax
00491C53 .8D4D D0 lea ecx, dword ptr
00491C56 .FFD7 call edi
00491C58 .8B0E mov ecx, dword ptr
00491C5A .8D55 CC lea edx, dword ptr
00491C5D .52 push edx
00491C5E .8D45 D0 lea eax, dword ptr
00491C61 .50 push eax
00491C62 .56 push esi
00491C63 .FF51 2C call dword ptr
00491C66 .DBE2 fclex
00491C68 .85C0 test eax, eax
00491C6A .7D 0F jge short 00491C7B
00491C6C .6A 2C push 0x2C
00491C6E .68 CCA04200 push 0042A0CC
00491C73 .56 push esi
00491C74 .50 push eax
00491C75 .FF15 78104000 call dword ptr [<&MSVBVM60.__vbaHresu>;MSVBVM60.__vbaHresultCheckObj
00491C7B >8B4D CC mov ecx, dword ptr
00491C7E .51 push ecx ;注册文件reg.dat里正确内容
00491C7F .8B55 D8 mov edx, dword ptr
00491C82 .52 push edx ;输入保存的假码的MD5
00491C83 .FF15 08114000 call dword ptr [<&MSVBVM60.__vbaStrCm>;MSVBVM60.__vbaStrCmp
00491C89 .8BF0 mov esi, eax
00491C8B .F7DE neg esi
--------------------------------------------
0048E4B6 .E8 E52D0000 call 004912A0 ;硬盘序列号处理
0048E4BB .8BD0 mov edx, eax ;eax=00635DDC, (UNICODE "Sbqb2b0acamanbJdlcDcCbnbCaQbaabcab4c")
0048E4BD .8D4D E4 lea ecx, dword ptr
0048E4C0 .FFD7 call edi
0048E4C2 .50 push eax ;再处理
0048E4C3 .E8 D82D0000 call 004912A0
0048E4C8 .8BD0 mov edx, eax ;eax=005C64C4, (UNICODE "CbYbEbEaca4blbVc0dUd2bXbXbEaYb2bvaXcVdSdSbYbXbEaRb7bEaWc2dUdxbZbUbEaea5b")
----------------------------------------------
下面就是求余数查表,并用a,b,c,d来代表商,然后组成字符串,连接得到机器码。因为当时有多次处理,所以记录也比较乱,大家可以自己调试看。
查表用: abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
例如机器码第一位C,HEX是0x430x43 xor 0x37=0x740x74 mod 0x3e=0x36 0x36=54 查表,表的下标是从0开始,所以第55个字符"S"就是处理后的第一个字符; 0x74 \ 0x3e=1 (用a,b,c,d表示的商,0=a,1=b,2=c,3=d,4=e这里记作b)因此处理第一个字母得到的结果是Sb
同样处理其他的,得到“Sbqb2b0acamanbJdlcDcCbnbCaQbaabcab4c”//其实这个就是注册码了
继续对“Sbqb2b0acamanbJdlcDcCbnbCaQbaabcab4c”同样处理,得到机器码“CbYbEbEaca4blbVc0dUd2bXbXbEaYb2bvaXcVdSdSbYbXbEaRb7bEaWc2dUdxbZbUbEaea5b”
对注册码求MD5,就是reg.dat里的内容
调试代码部分:
00491449 .8B4D C0 mov ecx, dword ptr
0049144C >8B49 0C mov ecx, dword ptr ;ds:=005E1E48, (ASCII "CVMP222300SS180CGN") ds:=00635F70, (ASCII "Sbqb2b0acamanbJdlcDcCbnbCaQbaabcab4c")
0049144F .8B15 5C304900 mov edx, dword ptr
00491455 .8B52 0C mov edx, dword ptr
00491458 .8A141A mov dl, byte ptr ;ds:=37 ('7')37 18 17 4A 30 3E 79 D4 B7 93
0049145B .8BBD FCFEFFFF mov edi, dword ptr
00491461 .321439 xor dl, byte ptr ;ds:=43 ('C')
00491464 .881401 mov byte ptr , dl
00491467 .B8 01000000 mov eax, 0x1
0049146C .03C6 add eax, esi
0049146E .0F80 4F020000 jo 004916C3
00491474 .8BF0 mov esi, eax
00491476 .8B7D D8 mov edi, dword ptr
00491479 .33DB xor ebx, ebx
0049147B .^ E9 27FFFFFF jmp 004913A7
00491480 >BA 5CA34200 mov edx, 0042A35C ;abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
00491485 .8D4D D4 lea ecx, dword ptr
00491488 .FF15 08124000 call dword ptr [<&MSVBVM60.__vbaStrCo>;MSVBVM60.__vbaStrCopy
0049148E .8B45 C0 mov eax, dword ptr
00491491 .50 push eax
00491492 .6A 01 push 0x1
00491494 .FF15 C0114000 call dword ptr [<&MSVBVM60.__vbaUboun>;MSVBVM60.__vbaUbound
0049149A .8985 10FFFFFF mov dword ptr , eax
004914A0 .33FF xor edi, edi
004914A2 >3BBD 10FFFFFF cmp edi, dword ptr
004914A8 .0F8F 77010000 jg 00491625
004914AE .8B45 C0 mov eax, dword ptr
004914B1 .3BC3 cmp eax, ebx
004914B3 .74 18 je short 004914CD
004914B5 .66:8338 01 cmp word ptr , 0x1
004914B9 .75 12 jnz short 004914CD
004914BB .8BF7 mov esi, edi
004914BD .2B70 14 sub esi, dword ptr
004914C0 .3B70 10 cmp esi, dword ptr
004914C3 .72 10 jb short 004914D5
004914C5 .FF15 04114000 call dword ptr [<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
004914CB .EB 08 jmp short 004914D5
004914CD >FF15 04114000 call dword ptr [<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
004914D3 .8BF0 mov esi, eax
004914D5 >8B4D D4 mov ecx, dword ptr ;堆栈 ss:=005E5EA4, (UNICODE "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ")
004914D8 .51 push ecx
004914D9 .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaLenBs>;MSVBVM60.__vbaLenBstr
004914DF .8BD8 mov ebx, eax ;eax=0000003E
004914E1 .8B4D C0 mov ecx, dword ptr
004914E4 .8B51 0C mov edx, dword ptr ;ds:=005E1E08处理后的机器码
004914E7 .33C0 xor eax, eax
004914E9 .8A0432 mov al, byte ptr ;ds:=74 ('t')处理后的机器码的第一位
004914EC .99 cdq
004914ED .F7FB idiv ebx ;ebx=0000003E
004914EF .8BF0 mov esi, eax ;eax=00000001
004914F1 .85C9 test ecx, ecx
004914F3 .74 18 je short 0049150D
004914F5 .66:8339 01 cmp word ptr , 0x1
004914F9 .75 12 jnz short 0049150D
004914FB .8BDF mov ebx, edi
004914FD .2B59 14 sub ebx, dword ptr
00491500 .3B59 10 cmp ebx, dword ptr
00491503 .72 10 jb short 00491515
00491505 .FF15 04114000 call dword ptr [<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
0049150B .EB 08 jmp short 00491515
0049150D >FF15 04114000 call dword ptr [<&MSVBVM60.__vbaGener>;MSVBVM60.__vbaGenerateBoundsError
00491513 .8BD8 mov ebx, eax
00491515 >8B45 D4 mov eax, dword ptr ;堆栈 ss:=005E5EA4, (UNICODE "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ")
00491518 .50 push eax
00491519 .FF15 2C104000 call dword ptr [<&MSVBVM60.__vbaLenBs>;MSVBVM60.__vbaLenBstr
0049151F .8BC8 mov ecx, eax
00491521 .8B55 C0 mov edx, dword ptr
00491524 .8B42 0C mov eax, dword ptr ;ds:=005E1E08
00491527 .33D2 xor edx, edx
00491529 .8A1418 mov dl, byte ptr ;机器码处理后数据ds:=74 ('t') //码表64 7A 66 28 02 5C 49 B5 D4 F2 5A 79 79 28 7A 5A 15 B7 F3 F0 74 7A 79 28 73 5F 28 B6 D6 F2 55 7B 76 28 04 5D
0049152C .8BC2 mov eax, edx
0049152E .99 cdq
0049152F .F7F9 idiv ecx
00491531 .C745 B8 01000>mov dword ptr , 0x1
00491538 .C745 B0 02000>mov dword ptr , 0x2
0049153F .8D45 D4 lea eax, dword ptr
00491542 .8985 64FFFFFF mov dword ptr , eax
00491548 .C785 5CFFFFFF>mov dword ptr , 0x4008
00491552 .8D4D B0 lea ecx, dword ptr
00491555 .51 push ecx
00491556 .83C2 01 add edx, 0x1
00491559 .0F80 64010000 jo 004916C3
0049155F .52 push edx
00491560 .8D95 5CFFFFFF lea edx, dword ptr
00491566 .52 push edx
00491567 .8D45 A0 lea eax, dword ptr
0049156A .50 push eax
0049156B .8B1D E8104000 mov ebx, dword ptr [<&MSVBVM60.#632>>;MSVBVM60.rtcMidCharVar
00491571 .FFD3 call ebx ;<&MSVBVM60.#632>
00491573 .C745 98 01000>mov dword ptr , 0x1
0049157A .C745 90 02000>mov dword ptr , 0x2
00491581 .8D4D D4 lea ecx, dword ptr
00491584 .898D 44FFFFFF mov dword ptr , ecx
0049158A .C785 3CFFFFFF>mov dword ptr , 0x4008
00491594 .8D55 90 lea edx, dword ptr
00491597 .52 push edx
00491598 .83C6 01 add esi, 0x1
0049159B .0F80 22010000 jo 004916C3
004915A1 .56 push esi
004915A2 .8D85 3CFFFFFF lea eax, dword ptr
004915A8 .50 push eax
004915A9 .8D4D 80 lea ecx, dword ptr
004915AC .51 push ecx
004915AD .FFD3 call ebx
004915AF .8D55 A0 lea edx, dword ptr
004915B2 .52 push edx
004915B3 .8D45 80 lea eax, dword ptr
004915B6 .50 push eax
004915B7 .8D8D 70FFFFFF lea ecx, dword ptr
004915BD .51 push ecx
004915BE .FF15 44124000 call dword ptr [<&MSVBVM60.__vbaVarAd>;MSVBVM60.__vbaVarAdd
004915C4 .50 push eax
004915C5 .FF15 28104000 call dword ptr [<&MSVBVM60.__vbaStrVa>;MSVBVM60.__vbaStrVarMove
004915CB .8BD0 mov edx, eax
004915CD .8D4D C8 lea ecx, dword ptr
004915D0 .8B35 80124000 mov esi, dword ptr [<&MSVBVM60.__vba>;MSVBVM60.__vbaStrMove
004915D6 .FFD6 call esi ;<&MSVBVM60.__vbaStrMove>
004915D8 .8D95 70FFFFFF lea edx, dword ptr
004915DE .52 push edx
004915DF .8D45 80 lea eax, dword ptr
004915E2 .50 push eax
004915E3 .8D4D A0 lea ecx, dword ptr
004915E6 .51 push ecx
004915E7 .8D55 90 lea edx, dword ptr
004915EA .52 push edx
004915EB .8D45 B0 lea eax, dword ptr
004915EE .50 push eax
004915EF .6A 05 push 0x5
004915F1 .FF15 30104000 call dword ptr [<&MSVBVM60.__vbaFreeV>;MSVBVM60.__vbaFreeVarList
004915F7 .83C4 18 add esp, 0x18
004915FA .8B4D C4 mov ecx, dword ptr
004915FD .51 push ecx
004915FE .8B55 C8 mov edx, dword ptr
00491601 .52 push edx ;得到用余数查到的字符,以及用a,b,c,d表示的商,0=a,1=b,2=c,3=d,4=e
00491602 .FF15 5C104000 call dword ptr [<&MSVBVM60.__vbaStrCa>;MSVBVM60.__vbaStrCat
00491608 .8BD0 mov edx, eax ;连接每位处理后的结果
0049160A .8D4D C4 lea ecx, dword ptr
0049160D .FFD6 call esi
0049160F .B8 01000000 mov eax, 0x1
00491614 .03C7 add eax, edi
00491616 .0F80 A7000000 jo 004916C3
0049161C .8BF8 mov edi, eax
0049161E .33DB xor ebx, ebx
00491620 .^ E9 7DFEFFFF jmp 004914A2
==================================================
来个Delphi代码:
unit key;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, SF_MD5;
type
TForm1 = class(TForm)
Edit1: TEdit;
Edit2: TEdit;
Button1: TButton;
Edit3: TEdit;
Edit4: TEdit;
Edit5: TEdit;
Label1: TLabel;
Label2: TLabel;
Label3: TLabel;
Label4: TLabel;
Label5: TLabel;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
function TransChar(AChar: Char): Integer;
begin
if AChar in ['0'..'9'] then
Result := Ord(AChar) - Ord('0')
else
Result := 10 + Ord(AChar) - Ord('A');
end;
function StrToHex(AStr: string): string;
var
I ,Len: Integer;
s:char;
begin
len:=length(AStr);
Result:='';
for i:=1 to lendo
begin
s:=AStr;
Result:=Result +' '+IntToHex(Ord(s),2); //将字符串转化为16进制字符串,
//并以空格间隔。
end;
Delete(Result,1,1); //删去字符串中第一个空格
end;
function HexToStr(AStr: string): string;
var
I,len : Integer;
CharValue: Word;
Tmp:string;
s:char;
begin
Tmp:='';
len:=length(Astr);
for i:=1 to lendo
begin
s:=Astr;
if s <> ' ' then Tmp:=Tmp+ string(s);
end;
Result := '';
For I := 1 to Trunc(Length(Tmp)/2) do
begin
Result := Result + ' ';
CharValue := TransChar(Tmp)*16 + TransChar(Tmp);
if (charvalue < 32) or (charvalue > 126)then Result := '.' //非可见字符填充
else Result := Char(CharValue);
end;
end;
function hextoint(s: string): Integer;
begin//$代表16进制
Result:=StrToInt('$'+s);
end;
procedure TForm1.Button1Click(Sender: TObject);
var
s,s1,s2,s3,s4,sn,str,str1:String;
a,b,c,i,l:integer;
m:MD5;
begin
s1:=Edit1.Text;
l:=length(s1);
if l=0 then exit;
for i:=1 to ldo
begin
s2:=s2+copy(s1,(i-1)*2+1,2); //CbEbcalb0d2bXbYbvaVdSbXbRbEa2dxbUbea
end;
str:='abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ';
str1:='3718174A303E79D4B7933718174A303E79D4B7933718174A303E79D4B7933718174A303E79D4B7933718174A303E79D4B7933718174A303E79D4B7933718174A303E79D4B7933718174A303E79D4B7933718174A303E79D4B793';
l:=length(s2);
for i:=1 to l div 2 do
begin
a:=pos(s2[(i-1)*2+1],str)-1;
if s2='a' then
begin
a:=a xor hextoint(copy(str1,(i-1)*2+1,2));
end;
if s2='b' then
begin
a:=(a+$3e) xor hextoint(copy(str1,(i-1)*2+1,2));
end;
if s2='c' then
begin
a:=(a+2*$3e) xor hextoint(copy(str1,(i-1)*2+1,2));
end;
if s2='d' then
begin
a:=(a+3*$3e) xor hextoint(copy(str1,(i-1)*2+1,2));
end;
if s2='e then
begin
a:=(a+4*$3e) xor hextoint(copy(str1,(i-1)*2+1,2));
end;
s3:=s3+char(a);
end;
l:=length(s3);
for i:=1 to l div 2 do
begin
a:=pos(s3[(i-1)*2+1],str)-1;
if s3='a' then
begin
a:=a xor hextoint(copy(str1,(i-1)*2+1,2));
end;
if s3='b' then
begin
a:=(a+$3e) xor hextoint(copy(str1,(i-1)*2+1,2));
end;
if s3='c' then
begin
a:=(a+2*$3e) xor hextoint(copy(str1,(i-1)*2+1,2));
end;
if s3='d' then
begin
a:=(a+3*$3e) xor hextoint(copy(str1,(i-1)*2+1,2));
end;
if s3='e then
begin
a:=(a+4*$3e) xor hextoint(copy(str1,(i-1)*2+1,2));
end;
s4:=s4+char(a);
end;
m:=MD5.Create;
m.bmsj(s3);
sn:=m.MD5bm;
Edit2.Text:=s2;
Edit3.Text:=s3;
Edit4.Text:=s4;
Edit5.Text:=sn;
end;
end.
//科目4的是:str1:='412C174A303E97D47B89412C174A303E97D47B89412C174A303E97D47B89412C174A303E97D47B89412C174A303E97D47B89412C174A303E97D47B89412C174A303E97D47B89412C174A303E97D47B89412C174A303E97D47B89';
大牛威武,顶起来{:hug:} 强~~~
前排学习 强 ! 赞一个 ! 强力支持楼主原创分析。 膜拜大牛!不过怎么感觉注册码的那个地方有点像机器码啊 分析的太好了,看的我有些反应不过来!!谢谢!!我会多看几遍!!
标准答案?
wxq 发表于 2014-4-29 16:44
标准答案?
这些路段好像不会到30公里的样子,考试过去N年了,忘记了。