spc_cll
发表于 2006-4-1 09:52:40
根据总坛主的算法写的注册机。
在我的机器上注册成功 (Windows 2000 Professional)
godhack
发表于 2006-4-26 17:15:51
写的好,正适合我等新人,谢谢了,楼主
godhack
发表于 2006-4-27 16:34:16
0050C783 E8EC260000 call 0050EE74 算法call,跟进去
:0050C788 8BD8 mov ebx, eax
:0050C78A 8B45FC mov eax, dword ptr
:0050C78D E84ACDEFFF call 004094DC
:0050C792 3BD8 cmp ebx, eax 这里ebx的十六进制是真码
为什么不是第二个CALL是算法CALL呢?怎么知道第一个CALL是算法CALL呢?谢谢!
lwz864
发表于 2006-5-14 10:30:02
还看不懂,先复制,收下了.楼主水平好高.
浮云思音
发表于 2006-6-17 17:11:54
这个弄了半天也是不懂,下的软件和楼主的不太一样
wangyc75
发表于 2006-7-5 19:02:41
太强了
谢谢
weiruan198
发表于 2006-8-5 22:20:10
学习中。。。。
Gue
发表于 2006-10-26 17:53:01
我的破文和注册机....如果有不对的地方还请大虾指导下..
//OD下断在这里 (OllyDbg breakpoint on the registration check; the forum software stripped every [...] operand from the listing below, so memory operands have to be read back from the encoded bytes, e.g. 8D55 F8 = lea edx,[ebp-8])
0050B0F8 55 push ebp //Registration check handler. NOTE(review): the whole decision is the single 32-bit compare at 0050B1D2, and "registered" state is a value written under HKLM below; a one-byte patch of that jnz or a computed key both pass it, and the key depends only on the machine-code string (nothing secret). Operand brackets were stripped by the forum; the encoded bytes on each line still give them.
0050B0F9 8BEC mov ebp,esp
0050B0FB 33C9 xor ecx,ecx //ecx = 0
0050B0FD 51 push ecx //five zeroed dword slots: the string locals [ebp-4]..[ebp-14h] used below
0050B0FE 51 push ecx
0050B0FF 51 push ecx
0050B100 51 push ecx
0050B101 51 push ecx
0050B102 53 push ebx
0050B103 56 push esi
0050B104 8BF0 mov esi,eax //esi = the object passed in eax (its fields at +300h and +2FCh are read below; presumably the form)
0050B106 33C0 xor eax,eax //eax = 0 (used as the fs:[eax] operand below)
0050B108 55 push ebp
0050B109 68 88B25000 push dumped_.0050B288 //exception-frame setup; handler/finally address 0050B288
0050B10E 64:FF30 push dword ptr fs: //bytes 64:FF30 = push fs:[eax], eax = 0 -> saves fs:[0]
0050B111 64:8920 mov dword ptr fs:,esp //fs:[0] = esp
0050B114 8D55 F8 lea edx,dword ptr ss: //edx = &[ebp-8] (bytes 8D55 F8)
0050B117 8B86 00030000 mov eax,dword ptr ds: //eax = [esi+300h]: the registration-code control (the "please enter" message at 0050B12D is shown when it is empty)
0050B11D E8 8E75F3FF call dumped_.004426B0 //reads that control's text into [ebp-8] (the author saw the string at 101C4FC)
0050B122 837D F8 00 cmp dword ptr ss:,0 //[ebp-8] == 0 -> nothing entered
0050B126 75 1F jnz short dumped_.0050B147 //non-empty -> continue at 0050B147
0050B128 B8 A0B25000 mov eax,dumped_.0050B2A0
0050B12D E8 9A07F3FF call dumped_.0043B8CC //shows the message at 0050B2A0: "请输入注册认证码!" ("please enter the registration code")
0050B132 8B96 00030000 mov edx,dword ptr ds: //edx = [esi+300h]
0050B138 A1 F8055400 mov eax,dword ptr ds: //eax = [005405F8]
0050B13D E8 CE26F5FF call dumped_.0045D810 //not part of the check (author's note); presumably refocuses the control
0050B142 E9 1E010000 jmp dumped_.0050B265 //leave
0050B147 8D55 FC lea edx,dword ptr ss: //edx = &[ebp-4]
0050B14A 8B86 00030000 mov eax,dword ptr ds: //eax = [esi+300h]
0050B150 E8 5B75F3FF call dumped_.004426B0 //registration code again, into [ebp-4] (used for the digit check and the final compare)
0050B155 8D55 F4 lea edx,dword ptr ss: //edx = &[ebp-0Ch]
0050B158 8B86 00030000 mov eax,dword ptr ds: //eax = [esi+300h]
0050B15E E8 4D75F3FF call dumped_.004426B0 //and once more into [ebp-0Ch] (only its length is used)
0050B163 8B45 F4 mov eax,dword ptr ss: //eax = [ebp-0Ch]
0050B166 E8 DD9DEFFF call dumped_.00404F48 //eax = length of the registration code (author's note)
0050B16B 8BD0 mov edx,eax //edx = characters left to check
0050B16D 85D2 test edx,edx
0050B16F 7E 3C jle short dumped_.0050B1AD //length <= 0 -> skip the digit check (an empty code was already rejected above)
0050B171 B8 01000000 mov eax,1 //eax = 1-based character index
0050B176 8B4D FC mov ecx,dword ptr ss: //ecx = [ebp-4] (the string)
0050B179 8A4C01 FF mov cl,byte ptr ds: //cl = [ecx+eax-1] (bytes 8A4C01 FF): the eax-th character
0050B17D 80F9 30 cmp cl,30
0050B180 72 08 jb short dumped_.0050B18A //< '0' -> error
0050B182 8B5D FC mov ebx,dword ptr ss: //ebx = [ebp-4] (not used on this path)
0050B185 80F9 39 cmp cl,39
0050B188 76 1F jbe short dumped_.0050B1A9 //<= '9' -> next character; otherwise fall through to the error
0050B18A B8 BCB25000 mov eax,dumped_.0050B2BC
0050B18F E8 3807F3FF call dumped_.0043B8CC //shows the message at 0050B2BC: "注册码输入有误!" ("registration code entered incorrectly")
0050B194 8B96 00030000 mov edx,dword ptr ds: //edx = [esi+300h]
0050B19A A1 F8055400 mov eax,dword ptr ds: //eax = [005405F8]
0050B19F E8 6C26F5FF call dumped_.0045D810 //same helper as at 0050B13D
0050B1A4 E9 BC000000 jmp dumped_.0050B265 //leave
0050B1A9 40 inc eax //next character
0050B1AA 4A dec edx //one fewer to check
0050B1AB ^ 75 C9 jnz short dumped_.0050B176 //loop: the registration code must consist of decimal digits only
0050B1AD 8D55 F0 lea edx,dword ptr ss: //edx = &[ebp-10h]
0050B1B0 8B86 FC020000 mov eax,dword ptr ds: //eax = [esi+2FCh]: the machine-code control (author's note; the author saw the string at 1013024)
0050B1B6 E8 F574F3FF call dumped_.004426B0 //reads the machine code into [ebp-10h]
0050B1BB 8B45 F0 mov eax,dword ptr ss: //eax = [ebp-10h] (machine-code string)
0050B1BE E8 19E3EFFF call dumped_.004094DC //string -> 32-bit integer (decimal unless prefixed with '$' or '0x', see 00403744); this is not a hex conversion of the digits
0050B1C3 E8 F8360000 call dumped_.0050E8C0 //eax = key(machine): 0ED1D9h + sum over every char c of "wangshuang","yaoyuan","JSBuilder" of (25*c + machine), mod 2^32
0050B1C8 8BD8 mov ebx,eax //ebx = expected value
0050B1CA 8B45 FC mov eax,dword ptr ss: //eax = [ebp-4] (entered registration code)
0050B1CD E8 0AE3EFFF call dumped_.004094DC //entered code -> 32-bit integer (same parser, so a digit-only code must fit in 31 bits)
0050B1D2 3BD8 cmp ebx,eax //expected vs entered
0050B1D4 0F85 81000000 jnz dumped_.0050B25B //mismatch -> failure message at 0050B25B (the author's patch point)
0050B1DA B2 01 mov dl,1 //success path
0050B1DC A1 34B94600 mov eax,dword ptr ds: //eax = [0046B934]
0050B1E1 E8 4E08F6FF call dumped_.0046BA34 //creates an object that the calls below take in eax (presumably a registry wrapper)
0050B1E6 8BD8 mov ebx,eax
0050B1E8 BA 02000080 mov edx,80000002 //80000002h = HKEY_LOCAL_MACHINE
0050B1ED 8BC3 mov eax,ebx
0050B1EF E8 E008F6FF call dumped_.0046BAD4 //presumably selects that root key
0050B1F4 33C9 xor ecx,ecx
0050B1F6 BA E0B25000 mov edx,dumped_.0050B2E0 ; ASCII "System\CurrentControlSet\Services\Class\knightsoft\JSBuilder"
0050B1FB 8BC3 mov eax,ebx
0050B1FD E8 120AF6FF call dumped_.0046BC14 //presumably opens that subkey (ecx = 0 flag)
0050B202 8D55 EC lea edx,dword ptr ss: //edx = &[ebp-14h]
0050B205 8B86 FC020000 mov eax,dword ptr ds: //eax = [esi+2FCh] (machine-code control)
0050B20B E8 A074F3FF call dumped_.004426B0 //reads it again into [ebp-14h]
0050B210 8B45 EC mov eax,dword ptr ss: //eax = [ebp-14h]
0050B213 E8 C4E2EFFF call dumped_.004094DC //-> integer
0050B218 E8 A3360000 call dumped_.0050E8C0 //recomputes the key from the machine code (the entered text itself is not stored)
0050B21D 8BC8 mov ecx,eax //ecx = value to store
0050B21F BA 28B35000 mov edx,dumped_.0050B328 ; ASCII "registecode"
0050B224 8BC3 mov eax,ebx
0050B226 E8 390BF6FF call dumped_.0046BD64 //presumably writes ecx under the value name "registecode" (a write into HKLM, so this needs elevated rights)
0050B22B 8BC3 mov eax,ebx
0050B22D E8 7208F6FF call dumped_.0046BAA4 //presumably closes the key
0050B232 8BC3 mov eax,ebx
0050B234 E8 678CEFFF call dumped_.00403EA0 //presumably frees the object
0050B239 B8 3CB35000 mov eax,dumped_.0050B33C
0050B23E E8 8906F3FF call dumped_.0043B8CC //message at 0050B33C (text not shown in the listing)
0050B243 B8 8CB35000 mov eax,dumped_.0050B38C
0050B248 E8 7F06F3FF call dumped_.0043B8CC //message at 0050B38C (text not shown in the listing)
0050B24D A1 AC305300 mov eax,dword ptr ds: //eax = [005330AC]
0050B252 8B00 mov eax,dword ptr ds: //eax = [eax]
0050B254 E8 C775F5FF call dumped_.00462820
0050B259 EB 0A jmp short dumped_.0050B265
0050B25B B8 B8B35000 mov eax,dumped_.0050B3B8 //failure path
0050B260 E8 6706F3FF call dumped_.0043B8CC //message at 0050B3B8 (text not shown in the listing)
0050B265 33C0 xor eax,eax //common exit: unwind the exception frame
0050B267 5A pop edx
0050B268 59 pop ecx
0050B269 59 pop ecx
0050B26A 64:8910 mov dword ptr fs:,edx //fs:[eax] = edx with eax = 0: restores fs:[0]
0050B26D 68 8FB25000 push dumped_.0050B28F //return address for the cleanup below: 0050B28F (not in this listing)
0050B272 8D45 EC lea eax,dword ptr ss: //eax = &[ebp-14h]
0050B275 BA 04000000 mov edx,4
0050B27A E8 359AEFFF call dumped_.00404CB4 //presumably releases the four string locals starting at [ebp-14h]
0050B27F 8D45 FC lea eax,dword ptr ss: //eax = &[ebp-4]
0050B282 E8 099AEFFF call dumped_.00404C90 //presumably releases [ebp-4]
0050B287 C3 retn //continues at 0050B28F (pushed above)
//CALL from 50B1BE
004094DC /$53 push ebx //string -> integer wrapper (called from 0050B1BE, 0050B1CD and 0050B213): eax = string; returns the value in eax
004094DD |.56 push esi
004094DE |.83C4 F4 add esp,-0C //12 bytes of scratch: [esp] receives the parser's error position
004094E1 |.8BD8 mov ebx,eax //EBX = the string (the machine code at the 0050B1BE call site)
004094E3 |.8BD4 mov edx,esp //edx = &error position (written by 00403744 at its exit, see 00403809)
004094E5 |.8BC3 mov eax,ebx //EAX = the string
004094E7 |.E8 58A2FFFF call dumped_.00403744 //parses it: eax = 10*eax + digit value (char - 30h) per decimal character; the author's sample result was 3EA3989h
004094EC |.8BF0 mov esi,eax //esi = parsed value
004094EE |.833C24 00 cmp dword ptr ss:,0 //[esp] (bytes 833C24 00): error position, 0 on success
004094F2 |.74 19 je short dumped_.0040950D //no error -> return
004094F4 |.895C24 04 mov dword ptr ss:,ebx //[esp+4] = the offending string
004094F8 |.C64424 08 0B mov byte ptr ss:,0B //[esp+8] = 0Bh (presumably an argument-type tag for the call below)
004094FD |.8D5424 04 lea edx,dword ptr ss: //edx = &[esp+4]
00409501 |.A1 402F5300 mov eax,dword ptr ds: //eax = [00532F40]
00409506 |.33C9 xor ecx,ecx
00409508 |.E8 EBF9FFFF call dumped_.00408EF8 //presumably raises a conversion error with the string as argument; if it does, a malformed number never reaches the caller's compare
0040950D |>8BC6 mov eax,esi //return the parsed value
0040950F |.83C4 0C add esp,0C
00409512 |.5E pop esi
00409513 |.5B pop ebx
00409514 \.C3 retn
CALL from 4094e7 函数功能: 把字符串转成32位整数并返回出错位置 (十进制; 也接受前导空格、正负号和 $ / 0x 前缀的十六进制). eax = 0; 对每个数字字符 eax = ((eax + eax * 4) * 2) + (字符 - 30h) — 累加的是数字值, 不是 ASCII 码.
00403744 /$53 push ebx //string -> 32-bit integer with error position. eax = NUL-terminated string, edx = &error position. Accepts leading spaces, an optional '+'/'-', and hex with a '$', '0x' or '0X' prefix; otherwise decimal. Returns eax = value; [edx] = 0 on success, else the 1-based index of the bad character.
00403745 |.56 push esi
00403746 |.57 push edi
00403747 |.89C6 mov esi,eax //esi = read cursor
00403749 |.50 push eax //save the string start (used for the error position at 004037C4)
0040374A |.85C0 test eax,eax
0040374C |.74 6C je short dumped_.004037BA //null string -> error
0040374E |.31C0 xor eax,eax //eax = accumulator
00403750 |.31DB xor ebx,ebx
00403752 |.BF CCCCCC0C mov edi,0CCCCCCC //decimal overflow guard: accumulator must be <= 0CCCCCCCh before the next *10
00403757 |>8A1E /mov bl,byte ptr ds: //bl = [esi]
00403759 |.46 |inc esi
0040375A |.80FB 20 |cmp bl,20
0040375D |.^ 74 F8 \je short dumped_.00403757 //skip leading spaces
0040375F |.B5 00 mov ch,0 //ch = sign flag (1 after '-')
00403761 |.80FB 2D cmp bl,2D
00403764 |.74 62 je short dumped_.004037C8 //'-' -> set the flag, read the next character
00403766 |.80FB 2B cmp bl,2B
00403769 |.74 5F je short dumped_.004037CA //'+' -> read the next character
0040376B |.80FB 24 cmp bl,24
0040376E |.74 5F je short dumped_.004037CF //'$' -> hex
00403770 |.80FB 78 cmp bl,78
00403773 |.74 5A je short dumped_.004037CF //'x' -> hex
00403775 |.80FB 58 cmp bl,58
00403778 |.74 55 je short dumped_.004037CF //'X' -> hex
0040377A |.80FB 30 cmp bl,30
0040377D |.75 13 jnz short dumped_.00403792 //not '0' -> end-of-string check at 00403792, then the decimal loop
0040377F |.8A1E mov bl,byte ptr ds: //leading '0': bl = next character
00403781 |.46 inc esi
00403782 |.80FB 78 cmp bl,78
00403785 |.74 48 je short dumped_.004037CF //"0x" -> hex
00403787 |.80FB 58 cmp bl,58
0040378A |.74 43 je short dumped_.004037CF //"0X" -> hex
0040378C |.84DB test bl,bl
0040378E |.74 20 je short dumped_.004037B0 //just "0" -> finish with eax = 0
00403790 |.EB 04 jmp short dumped_.00403796
00403792 |>84DB test bl,bl
00403794 |.74 2D je short dumped_.004037C3 //empty (or sign only) -> error
00403796 |>80EB 30 /sub bl,30 //bl = digit value (char - '0'), not the ASCII code
00403799 |.80FB 09 |cmp bl,9
0040379C |.77 25 |ja short dumped_.004037C3 //not a decimal digit -> error
0040379E |.39F8 |cmp eax,edi
004037A0 |.77 21 |ja short dumped_.004037C3 //accumulator > 0CCCCCCCh -> error (overflow)
004037A2 |.8D0480 |lea eax,dword ptr ds: //eax = eax + eax*4 (bytes 8D0480: [eax+eax*4])
004037A5 |.01C0 |add eax,eax //eax = eax*10
004037A7 |.01D8 |add eax,ebx //eax = eax*10 + digit
004037A9 |.8A1E |mov bl,byte ptr ds: //bl = next character
004037AB |.46 |inc esi
004037AC |.84DB |test bl,bl
004037AE |.^ 75 E6 \jnz short dumped_.00403796 //loop until the NUL terminator; a non-digit in the middle exits via 0040379C
004037B0 |>FECD dec ch
004037B2 |.74 09 je short dumped_.004037BD //'-' was seen -> negate
004037B4 |.85C0 test eax,eax
004037B6 |.7D 4E jge short dumped_.00403806 //unsigned result must be >= 0 as a signed value, i.e. <= 7FFFFFFFh
004037B8 |.EB 09 jmp short dumped_.004037C3 //otherwise error
004037BA |>46 inc esi //null string: error position 1
004037BB |.EB 06 jmp short dumped_.004037C3
004037BD |>F7D8 neg eax
004037BF |.7E 45 jle short dumped_.00403806 //negated result must be <= 0
004037C1 |.78 43 js short dumped_.00403806
004037C3 |>5B pop ebx ;Default case of switch 004037E3 //error exit: ebx = string start
004037C4 |.29DE sub esi,ebx //esi = 1-based position of the offending character
004037C6 |.EB 41 jmp short dumped_.00403809
004037C8 |>FEC5 inc ch //'-': remember the sign
004037CA |>8A1E mov bl,byte ptr ds: //bl = character after the sign
004037CC |.46 inc esi
004037CD |.^ EB C3 jmp short dumped_.00403792
004037CF |>BF FFFFFF0F mov edi,0FFFFFFF //hex overflow guard: accumulator must be <= 0FFFFFFFh before the next shl 4
004037D4 |.8A1E mov bl,byte ptr ds: //bl = first hex digit
004037D6 |.46 inc esi
004037D7 |.84DB test bl,bl
004037D9 |.^ 74 DF je short dumped_.004037BA //prefix with no digits -> error
004037DB |>80FB 61 /cmp bl,61
004037DE |.72 03 |jb short dumped_.004037E3
004037E0 |.80EB 20 |sub bl,20 //'a'.. -> upper case
004037E3 |>80EB 30 |sub bl,30 ;Switch (cases 30..46) //bl = char - '0'
004037E6 |.80FB 09 |cmp bl,9
004037E9 |.76 0B |jbe short dumped_.004037F6 //'0'..'9'
004037EB |.80EB 11 |sub bl,11 //'A' - '0' = 11h, so 'A'..'F' become 0..5
004037EE |.80FB 05 |cmp bl,5
004037F1 |.^ 77 D0 |ja short dumped_.004037C3 //not a hex digit -> error
004037F3 |.80C3 0A |add bl,0A ;Cases 41 ('A'),42 ('B'),43 ('C'),44 ('D'),45 ('E'),46 ('F') of switch 004037E3 //-> 10..15
004037F6 |>39F8 |cmp eax,edi ;Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 004037E3
004037F8 |.^ 77 C9 |ja short dumped_.004037C3 //overflow -> error
004037FA |.C1E0 04 |shl eax,4
004037FD |.01D8 |add eax,ebx //eax = eax*16 + digit
004037FF |.8A1E |mov bl,byte ptr ds: //bl = next character
00403801 |.46 |inc esi
00403802 |.84DB |test bl,bl
00403804 |.^ 75 D5 \jnz short dumped_.004037DB //loop until NUL, then fall into the success exit: the hex path skips the sign/range checks at 004037B0
00403806 |>59 pop ecx //success: drop the saved string start
00403807 |.31F6 xor esi,esi //error position 0
00403809 |>8932 mov dword ptr ds:,esi //[edx] = error position (bytes 8932)
0040380B |.5F pop edi
0040380C |.5E pop esi
0040380D |.5B pop ebx
0040380E \.C3 retn
CALL from 50B1C3
0050E8C0 /$55 push ebp //key(machine) routine, called from 0050B1C3 and 0050B218. eax = machine code as an integer. Result (accumulated in ebx; see the note at the retn) = 0ED1D9h + sum over every character c of "wangshuang","yaoyuan","JSBuilder" of (25*c + machine), 32-bit wrapping.
0050E8C1 |.8BEC mov ebp,esp
0050E8C3 |.6A 00 push 0 //local [ebp-4]: string temp, starts empty
0050E8C5 |.53 push ebx
0050E8C6 |.56 push esi //saves esi (the author labelled this "address of the entered registration code"; it is just the callee-saved register, and the input is not the registration code)
0050E8C7 |.8BF0 mov esi,eax //esi = machine-code value (the integer produced by the 004094DC call at 0050B1BE, not a string)
0050E8C9 |.33C0 xor eax,eax //eax = 0
0050E8CB |.55 push ebp
0050E8CC |.68 8EE95000 push dumped_.0050E98E //exception frame, handler/finally at 0050E98E
0050E8D1 |.64:FF30 push dword ptr fs: //push fs:[eax] = fs:[0]
0050E8D4 |.64:8920 mov dword ptr fs:,esp //fs:[0] = esp
0050E8D7 |.BB D9D10E00 mov ebx,0ED1D9 //ebx = seed 0ED1D9h (971225)
0050E8DC |.8D45 FC lea eax,dword ptr ss: //eax = &[ebp-4]
0050E8DF |.BA A4E95000 mov edx,dumped_.0050E9A4 ;ASCII "wangshuang"
0050E8E4 |.E8 3F64EFFF call dumped_.00404D28 //presumably assigns the constant to the local string [ebp-4] (the author marked it irrelevant to the arithmetic)
0050E8E9 |.8B45 FC mov eax,dword ptr ss: //eax = [ebp-4]
0050E8EC |.E8 5766EFFF call dumped_.00404F48 //eax = string length (author's note); "wangshuang" has 10 characters
0050E8F1 |.85C0 test eax,eax
0050E8F3 |.7E 1B jle short dumped_.0050E910 //length <= 0 -> skip
0050E8F5 |.BA 01000000 mov edx,1 //edx = 1-based character index
0050E8FA |>8B4D FC /mov ecx,dword ptr ss: //ecx = [ebp-4]
0050E8FD |.0FB64C11 FF |movzx ecx,byte ptr ds:[ecx+edx-1> //ecx = character code, zero-extended
0050E902 |.8D0C89 |lea ecx,dword ptr ds: //ecx = ecx*5 (bytes 8D0C89: [ecx+ecx*4])
0050E905 |.8D0C89 |lea ecx,dword ptr ds: //ecx = ecx*5 again -> 25*char
0050E908 |.03D9 |add ebx,ecx //ebx += 25*char (ebx accumulates; it is not reset to 0ED1D9h)
0050E90A |.03DE |add ebx,esi //ebx += machine code (once per character)
0050E90C |.42 |inc edx
0050E90D |.48 |dec eax
0050E90E |.^ 75 EA \jnz short dumped_.0050E8FA //loop over the string's characters (this is the accumulation loop, not a hex conversion)
0050E910 |>8D45 FC lea eax,dword ptr ss: //eax = &[ebp-4]
0050E913 |.BA B8E95000 mov edx,dumped_.0050E9B8 ;ASCII "yaoyuan"
0050E918 |.E8 0B64EFFF call dumped_.00404D28 //same assignment helper
0050E91D |.8B45 FC mov eax,dword ptr ss:
0050E920 |.E8 2366EFFF call dumped_.00404F48 //eax = string length; "yaoyuan" has 7 characters
0050E925 |.85C0 test eax,eax
0050E927 |.7E 1B jle short dumped_.0050E944
0050E929 |.BA 01000000 mov edx,1
0050E92E |>8B4D FC /mov ecx,dword ptr ss:
0050E931 |.0FB64C11 FF |movzx ecx,byte ptr ds:[ecx+edx-1>
0050E936 |.8D0C89 |lea ecx,dword ptr ds:
0050E939 |.8D0C89 |lea ecx,dword ptr ds:
0050E93C |.03D9 |add ebx,ecx
0050E93E |.03DE |add ebx,esi
0050E940 |.42 |inc edx
0050E941 |.48 |dec eax
0050E942 |.^ 75 EA \jnz short dumped_.0050E92E //same loop body as above
0050E944 |>8D45 FC lea eax,dword ptr ss:
0050E947 |.BA C8E95000 mov edx,dumped_.0050E9C8 ;ASCII "JSBuilder"
0050E94C |.E8 D763EFFF call dumped_.00404D28
0050E951 |.8B45 FC mov eax,dword ptr ss:
0050E954 |.E8 EF65EFFF call dumped_.00404F48 //eax = string length; "JSBuilder" has 9 characters
0050E959 |.85C0 test eax,eax
0050E95B |.7E 1B jle short dumped_.0050E978
0050E95D |.BA 01000000 mov edx,1
0050E962 |>8B4D FC /mov ecx,dword ptr ss:
0050E965 |.0FB64C11 FF |movzx ecx,byte ptr ds:[ecx+edx-1>
0050E96A |.8D0C89 |lea ecx,dword ptr ds:
0050E96D |.8D0C89 |lea ecx,dword ptr ds:
0050E970 |.03D9 |add ebx,ecx
0050E972 |.03DE |add ebx,esi
0050E974 |.42 |inc edx
0050E975 |.48 |dec eax
0050E976 |.^ 75 EA \jnz short dumped_.0050E962 //same loop body as above; 26 characters in total, so the result equals 0ED1D9h + 25*sum(chars) + 26*machine
0050E978 |>33C0 xor eax,eax //unwind the exception frame
0050E97A |.5A pop edx
0050E97B |.59 pop ecx
0050E97C |.59 pop ecx
0050E97D |.64:8910 mov dword ptr fs:,edx //fs:[0] = edx
0050E980 |.68 95E95000 push dumped_.0050E995 //return address for the cleanup: 0050E995 (not in this listing)
0050E985 |>8D45 FC lea eax,dword ptr ss: //eax = &[ebp-4]
0050E988 |.E8 0363EFFF call dumped_.00404C90 //presumably releases the local string
0050E98D \.C3 retn //continues at 0050E995, which is not shown; the caller (0050B1C8: mov ebx,eax) reads the result from eax, so that tail presumably moves ebx into eax and restores the registers
下面是注册机:
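#include <iostream>
#include <cstdint>

/*
 * Keygen for the check at 0050B0F8 (listing above).
 *
 * The target converts the machine-code string to a 32-bit integer with the
 * routine at 00403744 (decimal; only the digit-only subset is reproduced
 * here), then 0050E8C0 computes, in 32-bit wrapping arithmetic,
 *
 *     key = 0ED1D9h + sum over every char c of "wangshuang","yaoyuan","JSBuilder"
 *                     of (25*c + machine)
 *
 * i.e. 1039150 + 26*machine mod 2^32 (the 26 character codes sum to 2717).
 * It compares that (0050B1D2) with the entered registration code, which
 * must be decimal digits only (0050B171..0050B1AB) and is parsed by the
 * same routine, so a usable code must also fit in 31 bits.
 *
 * Usage: Key.exe <MachineCode>
 * Exit status: 0 on success, 1 on bad input or when no digit-only code
 * can match. (The forum paste had lost every "[...]" from this program:
 * argv[1], key[i] and the array declaration are restored below.)
 */

// Largest accumulator value 00403744 allows before the next "*10"
// (cmp eax,0CCCCCCCh / ja error), and the signed-range limit its final
// "jge" check imposes on an unsigned decimal value.
static const uint32_t kParseGuard = 0x0CCCCCCCu;
static const uint32_t kSignedMax  = 0x7FFFFFFFu;

// Mirrors 0050E8C0: seed 0ED1D9h, then for each character of the three
// constant strings add 25*char and the machine code. Written per character
// rather than in closed form so it stays in step with the listing.
static uint32_t regcode_for(uint32_t machine)
{
    static const char *const key[3] = { "wangshuang", "yaoyuan", "JSBuilder" };
    uint32_t acc = 0x0ED1D9u;
    for (int i = 0; i < 3; ++i) {
        for (const char *p = key[i]; *p != '\0'; ++p) {
            uint32_t c = static_cast<unsigned char>(*p); // movzx ecx,byte ptr [...]
            c = c + c * 4;                                // lea ecx,[ecx+ecx*4]
            c = c + c * 4;                                // again: 25 * char
            acc += c;                                     // add ebx,ecx
            acc += machine;                               // add ebx,esi
        }
    }
    return acc;
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        std::cout << "Usage: Key.exe <MachineCode>" << std::endl;
        return 1;
    }

    // Parse argv[1] the way 00403744 parses an all-digit string:
    // eax = eax*10 + (char - '0'), rejecting overflow. An empty string is
    // rejected too (the target reports it as an error at 00403794).
    const char *s = argv[1];
    if (*s == '\0') {
        std::cout << "0 - 9 only! can't contain other!" << std::endl;
        return 1;
    }
    uint32_t machine = 0;
    for (const char *p = s; *p != '\0'; ++p) {
        if (*p < '0' || *p > '9') {
            std::cout << "0 - 9 only! can't contain other!" << std::endl;
            return 1;
        }
        const uint32_t digit = static_cast<uint32_t>(*p - '0');
        // With machine <= kParseGuard the product below cannot wrap.
        if (machine > kParseGuard || machine * 10u + digit > kSignedMax) {
            std::cout << "machine code too large: the target rejects values above 2147483647" << std::endl;
            return 1;
        }
        machine = machine * 10u + digit;
    }

    const uint32_t code = regcode_for(machine);
    if (code > kSignedMax) {
        // The entered code must be digits only and is parsed as a signed
        // 32-bit value (jge at 004037B6), so a result with the top bit set
        // can never be typed in; say so instead of printing an unusable number.
        std::cout << "no digit-only registration code matches this machine code" << std::endl;
        return 1;
    }
    std::cout << "The " << machine << "\'s regcode is : " << code << std::endl;
    return 0;
}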
我进引导小组了..开心中..下面开始学习引导小组的内容..大大的教程就暂停一下..:)
易之侠
发表于 2007-2-8 09:28:53
支持老大,学习算法.
情天下雪
发表于 2007-2-18 16:59:29
收藏、、、、、学习