快乐园丁离线注册分析与注册机核心代码
软件可以直接去百度找,版本可能更新了,算法不知道有没有变化;以手头的版本和程序进行调试分析,并简单记录如下:程序在调试过程中发现有在线注册和离线注册两种方式,这里直接分析离线本地验证的算法。
00295635|.E8 2E790800 call 0031CF68 ; \bdMain.013BCF68
0029563A|.803D 24B24900 00 cmp byte ptr , 0x0
00295641|.C605 25B24900 00 mov byte ptr , 0x0
00295648 0F85 AA000000 jnz 002956F8 ;nop 离线注册
0029564E|.68 A42D4600 push 00462DA4 ; /OLDE
00295653|.68 8CB44900 push 0049B48C ; |Arg1 = 0049B48C
00295658|.E8 B3540000 call 0029AB10 ; \bdMain.0133AB10
0029565D|.83C4 08 add esp, 0x8
00295660|.8D4C24 18 lea ecx, dword ptr
00295664|.84C0 test al, al
00295666|.74 32 je short 0029569A
00295668|.68 74B44900 push 0049B474 ; /Arg3 = 0049B474
0029566D|.68 E02F4600 push 00462FE0 ; |file:///
00295672|.51 push ecx ; |Arg1
00295673|.E8 A84E0000 call 0029A520 ; \bdMain.0133A520
00295678|.83C4 0C add esp, 0xC
0029567B|.68 B02F4600 push 00462FB0 ; /\Data\Reg\register.html
00295680|.50 push eax ; |Arg2
00295681|.8D5424 34 lea edx, dword ptr ; |
00295685|.52 push edx ; |Arg1
00295686|.C64424 74 15 mov byte ptr , 0x15 ; |
0029568B|.E8 B0520000 call 0029A940 ; \bdMain.0133A940
00295690|.83C4 0C add esp, 0xC
00295693|.C64424 68 16 mov byte ptr , 0x16
00295698|.EB 30 jmp short 002956CA
0029569A|>68 B8B44900 push 0049B4B8 ; /Arg3 = 0049B4B8
0029569F|.68 1C304600 push 0046301C ; |http://localhost:
002956A4|.51 push ecx ; |Arg1
002956A5|.E8 764E0000 call 0029A520 ; \bdMain.0133A520
002956AA|.83C4 0C add esp, 0xC
002956AD|.68 F42F4600 push 00462FF4 ; //Reg/register.html
002956B2|.50 push eax ; |Arg2
002956B3|.8D5424 34 lea edx, dword ptr ; |
002956B7|.52 push edx ; |Arg1
002956B8|.C64424 74 17 mov byte ptr , 0x17 ; |
002956BD|.E8 7E520000 call 0029A940 ; \bdMain.0133A940
002956C2|.83C4 0C add esp, 0xC
002956C5|.C64424 68 18 mov byte ptr , 0x18
002956CA|>8B00 mov eax, dword ptr ;堆栈 ds:=00AE9E18, (UNICODE "http://localhost:2719/Reg/register.html")
002956CC|.6A 00 push 0x0
002956CE|.6A 00 push 0x0
002956D0|.6A 00 push 0x0
002956D2|.6A 00 push 0x0
002956D4|.68 02040000 push 0x402
002956D9|.50 push eax
002956DA|.8BCF mov ecx, edi
002956DC|.E8 23AB0700 call 00310204
002956E1|.8D4C24 2C lea ecx, dword ptr
002956E5|.E8 76D3FFFF call 00292A60
002956EA|.8D4C24 18 lea ecx, dword ptr
002956EE|.E8 6DD3FFFF call 00292A60
002956F3|.^ E9 A7FBFFFF jmp 0029529F
002956F8|>68 70B44900 push 0049B470 ; /Arg3 = 0049B470
002956FD|.8D4C24 20 lea ecx, dword ptr ; |
00295701|.68 A0304600 push 004630A0 ; |http://
00295706|.51 push ecx ; |Arg1
00295707|.E8 144E0000 call 0029A520 ; \bdMain.0133A520
0029570C|.83C4 0C add esp, 0xC
0029570F|.68 58304600 push 00463058 ; //Register/SoftReg.php?ProductCode=
00295714|.50 push eax ; |Arg2
00295715|.8D5424 30 lea edx, dword ptr ; |
00295719|.52 push edx ; |Arg1
0029571A|.C64424 74 19 mov byte ptr , 0x19 ; |
0029571F|.E8 1C520000 call 0029A940 ; \bdMain.0133A940
00295724|.83C4 0C add esp, 0xC
00295727|.68 94B44900 push 0049B494 ; /Arg3 = 0049B494
0029572C|.50 push eax ; |Arg2
0029572D|.8D4424 1C lea eax, dword ptr ; |
00295731|.50 push eax ; |Arg1
00295732|.C64424 74 1A mov byte ptr , 0x1A ; |
00295737|.E8 24470000 call 00299E60 ; \bdMain.01339E60
0029573C|.83C4 0C add esp, 0xC
0029573F|.68 40304600 push 00463040 ; /&MacCode=
00295744|.50 push eax ; |Arg2
00295745|.8D4C24 20 lea ecx, dword ptr ; |
00295749|.51 push ecx ; |Arg1
0029574A|.C64424 74 1B mov byte ptr , 0x1B ; |
0029574F|.E8 EC510000 call 0029A940 ; \bdMain.0133A940
00295754|.83C4 0C add esp, 0xC
00295757|.68 78B44900 push 0049B478 ; /Arg3 = 0049B478
0029575C|.50 push eax ; |Arg2
0029575D|.8D5424 34 lea edx, dword ptr ; |
00295761|.52 push edx ; |Arg1
00295762|.C64424 74 1C mov byte ptr , 0x1C ; |
00295767|.E8 F4460000 call 00299E60 ; \bdMain.01339E60
0029576C|.83C4 0C add esp, 0xC
0029576F|.6A 00 push 0x0
00295771|.6A 00 push 0x0
00295773|.6A 00 push 0x0
00295775|.6A 00 push 0x0
=======================================================
出现离线注册界面,输入16个0作为序列号,继续调试
0016658B .8B4424 14 mov eax, dword ptr ;注册方式为离线注册 ss:=00C8B290, (UNICODE "OfflineReg")
0016658F .B9 80323300 mov ecx, 00333280 ;GetRegFlag
00166594 .33FF xor edi, edi
00166596 >66:8B10 mov dx, word ptr
00166599 .66:3B11 cmp dx, word ptr
0016659C .75 1E jnz short 001665BC
0016659E .66:3BD7 cmp dx, di
001665A1 .74 15 je short 001665B8
001665A3 .66:8B50 02 mov dx, word ptr
001665A7 .66:3B51 02 cmp dx, word ptr
001665AB .75 0F jnz short 001665BC
001665AD .83C0 04 add eax, 0x4
001665B0 .83C1 04 add ecx, 0x4
001665B3 .66:3BD7 cmp dx, di
001665B6 .^ 75 DE jnz short 00166596
001665B8 >33C0 xor eax, eax
001665BA .EB 05 jmp short 001665C1
001665BC >1BC0 sbb eax, eax
001665BE .83D8 FF sbb eax, -0x1
001665C1 >3BC7 cmp eax, edi
001665C3 .0F94C0 sete al
001665C6 .84C0 test al, al
001665C8 .0F84 55010000 je 00166723 ;若AL=1则为注册,否则进行算法处理判断
001665CE .8D5424 18 lea edx, dword ptr
001665D2 .52 push edx ; /Arg1
001665D3 .B9 B0B43600 mov ecx, 0036B4B0 ; |
001665D8 .E8 13C4FFFF call 001629F0 ; \bdMain.013329F0
001665DD .68 B0B43600 push 0036B4B0 ; /Arg3 = 0036B4B0
001665E2 .8D4424 2C lea eax, dword ptr ; |
001665E6 .68 A0323300 push 003332A0 ; |setRegFlag('
001665EB .50 push eax ; |Arg1
001665EC .E8 2F3F0000 call 0016A520 ; \bdMain.0133A520
001665F1 .83C4 0C add esp, 0xC
001665F4 .68 78B43600 push 0036B478 ; /Arg3 = 0036B478
001665F9 .50 push eax ; |Arg2
001665FA .8D4C24 38 lea ecx, dword ptr ; |
001665FE .51 push ecx ; |Arg1
001665FF .C68424 CC040000 06mov byte ptr , 0x6 ; |
00166607 .E8 54380000 call 00169E60 ; \bdMain.01339E60
0016660C .83C4 0C add esp, 0xC
0016660F .68 94B43600 push 0036B494 ; /Arg3 = 0036B494
00166614 .50 push eax ; |Arg2
00166615 .8D5424 40 lea edx, dword ptr ; |
00166619 .B3 07 mov bl, 0x7 ; |
0016661B .52 push edx ; |Arg1
0016661C .889C24 CC040000 mov byte ptr , bl ; |
00166623 .E8 38380000 call 00169E60 ; \bdMain.01339E60
00166628 .83C4 0C add esp, 0xC
0016662B .68 98323300 push 00333298 ; /');
00166630 .50 push eax ; |Arg2
00166631 .8D4424 28 lea eax, dword ptr ; |
00166635 .50 push eax ; |Arg1
00166636 .C68424 CC040000 08mov byte ptr , 0x8 ; |
0016663E .E8 FD420000 call 0016A940 ; \bdMain.0133A940
00166643 .83C4 0C add esp, 0xC
00166646 .50 push eax ; /Arg1
00166647 .B9 88B43600 mov ecx, 0036B488 ; |
0016664C .C68424 C4040000 09mov byte ptr , 0x9 ; |
==========================================================================================
出现机器码0000 0000 0000 0000 7001 6707 0030 1101
其中后面的7001 6707 0030 1101的前两段是根据CPUID进行MD5计算取值得到的,后两段时间长了忘了,好像是取主板BIOS还是CPUID计算得来的。
下一步,输入12个任意数字作为注册码,继续调试
00166723 > \8D4C24 14 lea ecx, dword ptr ;离线注册
00166727 .68 BC323300 push 003332BC ; /OfflineReg
0016672C .51 push ecx ; |Arg1
0016672D .E8 DE430000 call 0016AB10 ; \bdMain.0133AB10
00166732 .83C4 08 add esp, 0x8
00166735 .84C0 test al, al
00166737 .0F84 AB050000 je 00166CE8
0016673D .E8 FB410700 call 001DA93D
00166742 .33C9 xor ecx, ecx
00166744 .3BC7 cmp eax, edi
00166746 .0F95C1 setne cl
00166749 .3BCF cmp ecx, edi
0016674B .75 0A jnz short 00166757
0016674D .68 05400080 push 0x80004005 ; /Arg1 = 80004005
00166752 .E8 29C3FFFF call 00162A80 ; \bdMain.01332A80
00166757 >8B10 mov edx, dword ptr
00166759 .8BC8 mov ecx, eax
0016675B .8B42 0C mov eax, dword ptr
0016675E .FFD0 call eax
00166760 .83C0 10 add eax, 0x10
00166763 .894424 10 mov dword ptr , eax
00166767 .68 B0B43600 push 0036B4B0 ; /Arg3 = 0036B4B0
0016676C .8D4C24 2C lea ecx, dword ptr ; |
00166770 .68 902F3300 push 00332F90 ; |固定字符串013C2F90=013C2F90 (UNICODE "Reg2012zfbywfbj")
00166775 .51 push ecx ; |Arg1
00166776 .C68424 CC040000 0Amov byte ptr , 0xA ; |
0016677E .E8 9D3D0000 call 0016A520 ; \bdMain.0133A520
00166783 .83C4 0C add esp, 0xC ;连接上16位纯数字序列号0044B53C 00CF5870UNICODE "Reg2012zfbywfbj0000000000000000"
00166786 .68 78B43600 push 0036B478 ; /Arg3 = 0036B478
0016678B .50 push eax ; |Arg2
0016678C .8D5424 38 lea edx, dword ptr ; |
00166790 .52 push edx ; |Arg1
00166791 .C68424 CC040000 0Bmov byte ptr , 0xB ; |
00166799 .E8 C2360000 call 00169E60 ; \去获取机器码的倒数4,3段
0016679E .83C4 0C add esp, 0xC ; 0044B544 00CE99D0UNICODE "Reg2012zfbywfbj000000000000000070016707"
001667A1 .68 94B43600 push 0036B494 ; /00FFB494=00FFB494 (ASCII "p?")
001667A6 .50 push eax ; |Arg2
001667A7 .8D4424 40 lea eax, dword ptr ; |
001667AB .50 push eax ; |Arg1
001667AC .C68424 CC040000 0Cmov byte ptr , 0xC ; |
001667B4 E8 A7360000 call 00169E60 ; \去获取机器码的倒数2,1段
001667B9 .83C4 0C add esp, 0xC ;0044B54C 00C8C4D8UNICODE "Reg2012zfbywfbj00000000000000007001670700301101"
001667BC .C68424 C0040000 0Dmov byte ptr , 0xD
001667C4 .8B00 mov eax, dword ptr ;堆栈 ds:=00B41568, (UNICODE "Reg2012zfbywfbj12345678909999995711315300301101")
001667C6 .8DB424 B8000000 lea esi, dword ptr
001667CD .E8 FEAAFFFF call 001612D0
001667D2 .B3 0E mov bl, 0xE
001667D4 .BF 10000000 mov edi, 0x10
001667D9 .889C24 C0040000 mov byte ptr , bl
001667E0 .3978 14 cmp dword ptr , edi
001667E3 .72 02 jb short 001667E7
001667E5 .8B00 mov eax, dword ptr
001667E7 >8BD0 mov edx, eax ;eax=00B17AD0, (ASCII "Reg2012zfbywfbj12345678909999995711315300301101")
001667E9 .E8 72AFFFFF call 00161760
001667EE .50 push eax ; /求MD5结果 eax=00C8B310, (ASCII "3628edc06ee6771f365f047266e05a52")
001667EF .8D4C24 24 lea ecx, dword ptr ; |
001667F3 .E8 E8BDFFFF call 001625E0 ; \bdMain.013325E0
001667F8 .50 push eax ; /Arg1
001667F9 .8D4C24 14 lea ecx, dword ptr ; |
001667FD .C68424 C4040000 0Fmov byte ptr , 0xF ; |
00166805 .E8 E6C1FFFF call 001629F0 ; \bdMain.013329F0
0016680A .889C24 C0040000 mov byte ptr , bl
00166811 .8B4424 20 mov eax, dword ptr
00166815 .83C0 F0 add eax, -0x10
00166818 .8D48 0C lea ecx, dword ptr
0016681B .83CA FF or edx, 0xFFFFFFFF
0016681E .F0:0FC111 lock xadd dword ptr , edx
00166822 .4A dec edx
00166823 .85D2 test edx, edx
00166825 .7F 0A jg short 00166831
00166827 .8B08 mov ecx, dword ptr
00166829 .8B11 mov edx, dword ptr
0016682B .50 push eax
0016682C .8B42 04 mov eax, dword ptr
0016682F .FFD0 call eax
00166831 >39BC24 CC000000 cmp dword ptr , edi
00166838 .72 10 jb short 0016684A
0016683A .8B8C24 B8000000 mov ecx, dword ptr ;堆栈 ss:=00C899E0, (ASCII "Reg2012zfbywfbj00000000000000007001670700301101")
00166841 .51 push ecx
00166842 .E8 8F400700 call 001DA8D6
00166847 .83C4 04 add esp, 0x4
0016684A >C68424 C0040000 0Cmov byte ptr , 0xC
00166852 .8B4424 38 mov eax, dword ptr
00166856 .83C0 F0 add eax, -0x10
00166859 .C78424 CC000000 0F0>mov dword ptr , 0xF
00166864 .C78424 C8000000 000>mov dword ptr , 0x0
0016686F .C68424 B8000000 00mov byte ptr , 0x0
00166877 .8D50 0C lea edx, dword ptr
0016687A .83C9 FF or ecx, 0xFFFFFFFF
0016687D .F0:0FC10A lock xadd dword ptr , ecx
00166881 .49 dec ecx
00166882 .85C9 test ecx, ecx
00166884 .7F 0A jg short 00166890
00166886 .8B08 mov ecx, dword ptr
00166888 .8B11 mov edx, dword ptr
0016688A .50 push eax
0016688B .8B42 04 mov eax, dword ptr
0016688E .FFD0 call eax
00166890 >C68424 C0040000 0Bmov byte ptr , 0xB
00166898 .8B4424 30 mov eax, dword ptr
0016689C .83C0 F0 add eax, -0x10
0016689F .8D48 0C lea ecx, dword ptr
001668A2 .83CA FF or edx, 0xFFFFFFFF
001668A5 .F0:0FC111 lock xadd dword ptr , edx
001668A9 .4A dec edx
001668AA .85D2 test edx, edx
001668AC .7F 0A jg short 001668B8
001668AE .8B08 mov ecx, dword ptr
001668B0 .8B11 mov edx, dword ptr
001668B2 .50 push eax
001668B3 .8B42 04 mov eax, dword ptr
001668B6 .FFD0 call eax
001668B8 >C68424 C0040000 0Amov byte ptr , 0xA
001668C0 .8B4424 28 mov eax, dword ptr
001668C4 .83C0 F0 add eax, -0x10
001668C7 .8D48 0C lea ecx, dword ptr
001668CA .83CA FF or edx, 0xFFFFFFFF
001668CD .F0:0FC111 lock xadd dword ptr , edx
001668D1 .4A dec edx
001668D2 .85D2 test edx, edx
001668D4 .7F 0A jg short 001668E0
001668D6 .8B08 mov ecx, dword ptr
001668D8 .8B11 mov edx, dword ptr
001668DA .50 push eax
001668DB .8B42 04 mov eax, dword ptr
001668DE .FFD0 call eax ; 把MD5结果里面的字符替换成数字,对照关系如下,开始替换字符
001668E0 68 442E3300 push 00332E44 ;1
001668E5 .68 482E3300 push 00332E48 ;a
001668EA .8D4C24 18 lea ecx, dword ptr
001668EE .E8 5D300000 call 00169950
001668F3 .68 4C2E3300 push 00332E4C ;3
001668F8 .68 502E3300 push 00332E50 ;b
001668FD .8D4C24 18 lea ecx, dword ptr
00166901 .E8 4A300000 call 00169950
00166906 .68 542E3300 push 00332E54 ;5
0016690B .68 582E3300 push 00332E58 ;c
00166910 .8D4C24 18 lea ecx, dword ptr
00166914 .E8 37300000 call 00169950
00166919 .68 5C2E3300 push 00332E5C ;7
0016691E .68 602E3300 push 00332E60 ;d
00166923 .8D4C24 18 lea ecx, dword ptr
00166927 .E8 24300000 call 00169950
0016692C .68 642E3300 push 00332E64 ;9
00166931 .68 682E3300 push 00332E68 ;e
00166936 .8D4C24 18 lea ecx, dword ptr
0016693A .E8 11300000 call 00169950
0016693F .68 6C2E3300 push 00332E6C ;0
00166944 .68 702E3300 push 00332E70 ;f
00166949 .8D4C24 18 lea ecx, dword ptr
0016694D .E8 FE2F0000 call 00169950
00166952 .6A 0C push 0xC ; /Arg3 = 0000000C
00166954 .6A 08 push 0x8 ; |Arg2 = 00000008
00166956 .8D4C24 28 lea ecx, dword ptr ; |替换字符后的结果9到20位,0044B524 00CECCD8UNICODE "36289750699677103650047266905152"
0016695A .51 push ecx ; |Arg1
0016695B .8D4C24 1C lea ecx, dword ptr ; |
0016695F .E8 0C3B0000 call 0016A470 ; \bdMain.0133A470
00166964 .50 push eax ; /Arg1
00166965 .8D4C24 14 lea ecx, dword ptr ; |
00166969 .C68424 C4040000 10mov byte ptr , 0x10 ; |
00166971 .E8 7AC0FFFF call 001629F0 ; \bdMain.013329F0
00166976 .C68424 C0040000 0Amov byte ptr , 0xA
0016697E .8B4424 20 mov eax, dword ptr ;取结果的第9-20位就是注册码 堆栈 ss:=00C899F0, (UNICODE "699677103650")
00166982 .83C0 F0 add eax, -0x10
00166985 .8D50 0C lea edx, dword ptr
00166988 .83C9 FF or ecx, 0xFFFFFFFF
0016698B .F0:0FC10A lock xadd dword ptr , ecx
0016698F .49 dec ecx
00166990 .85C9 test ecx, ecx
00166992 .7F 0A jg short 0016699E
00166994 .8B08 mov ecx, dword ptr
00166996 .8B11 mov edx, dword ptr
00166998 .50 push eax
00166999 .8B42 04 mov eax, dword ptr
0016699C .FFD0 call eax
0016699E >8D4C24 10 lea ecx, dword ptr
001669A2 .51 push ecx ; /Arg2
001669A3 .8D5424 1C lea edx, dword ptr ; |
001669A7 .52 push edx ; |Arg1
001669A8 .E8 533C0000 call 0016A600 ; \bdMain.0133A600
001669AD .83C4 08 add esp, 0x8
001669B0 .84C0 test al, al
001669B2 .0F84 F6020000 je 00166CAE
001669B8 .68 78B43600 push 0036B478 ; /Arg3 = 0036B478
001669BD .8D4424 50 lea eax, dword ptr ; |
001669C1 .68 0C333300 push 0033330C ; |update UserData set MacCode='
001669C6 .50 push eax ; |Arg1
DELPHI注册机核心代码
// Derives the 12-digit offline registration code from the machine code typed
// into Edit1, mirroring the routine traced above: spaces are removed, the fixed
// prefix 'Reg2012zfbywfbj' is prepended, the result is hashed with MD5, and
// characters 9..20 of the lower-case hex digest are kept with a-f mapped to
// 1,3,5,7,9,0 (the same six replacements seen in the trace at 001668E0-0016694D).
// From a defender's view this shows why the check is weak: the secret prefix and
// the whole derivation ship inside the client, so anyone with the binary can
// reproduce it; only a check that keeps the secret server-side would resist this.
// NOTE: MD5 here is a non-standard unit - bmsj / MD5bm are not Delphi RTL names.
procedure TForm1.Button1Click(Sender: TObject);
var
m:MD5;
s,num,sn:String;  // num and sn are declared but never used below
begin
s:=StringReplace (Edit1.Text, ' ', '', );  // strip the spaces from "0000 0000 ..."; the empty last argument is probably the flags set lost in extraction
s:='Reg2012zfbywfbj'+s;  // fixed prefix, matches the string at 00166770 in the trace
m:=MD5.Create;
m.bmsj(s);  // feed the concatenated string to the hash object
s:=m.MD5bm;  // read back the hex digest
s:=copy(LowerCase(s),9,12);  // characters 9..20 of the 32-char digest (push 0x8 / push 0xC at 00166952)
s:=StringReplace (s, 'a', '1', );  // hex letters -> digits; single-character swaps, so doing them after copy is equivalent to the trace's order
s:=StringReplace (s, 'b', '3', );
s:=StringReplace (s, 'c', '5', );
s:=StringReplace (s, 'd', '7', );
s:=StringReplace (s, 'e', '9', );
s:=StringReplace (s, 'f', '0', );
edit2.Text:=s;  // the 12 digits shown to the user
end;
一下子发了三个,哇,ABC大牛,你这么屌,你wife知道吗?? 怎么设置那么高的权限呀,能不能一起分享呢? 好东西不一样 嘿嘿申请荣誉成员组的节奏...
非常棒....
努力学习,争取早日看懂~~ 本帖最后由 GGLHY 于 2014-9-5 10:22 编辑
crackvip 发表于 2014-9-4 12:31
一下子发了三个,哇,ABC大牛,你这么屌,你wife知道吗??
他wife是否知道,我们不知道。。。
不过老飘和nisy都知道了{:titter:}
我们围观的群众也都知道了~~{:biggrin:}
精品额,楼主算法太厉害了 高手就是不一样 进来支持。呵呵。莱鸟一个。只能感叹。