如不合适,请立即删除,呵呵。。
简单分析下算法,有兴趣的朋友可以写下注册机。
1.
PEID检测无壳,Microsoft Visual C++ 6.0
输入注册信息
User name:user
Registration code:123456789
提示出错“Invalid username or registration code.”
2.
; Registration dialog handler at 004048F0 (excerpt: the listing stops at 00404949, so the success path is incomplete).
; esi = this (copied from ecx). Per the debugger annotations, [esi+60] holds the entered registration code
; and [esi+64] the entered user name.
; Flow: UpdateData(1) -> 0040E320(name, code) -> AL != 0 jumps to 00404944, AL == 0 shows the error box.
004048F0 . 6A FF push -1 ; presumably the initial try-level of the MSVC EH frame built below
004048F2 . 68 088F4100 push 00418F08 ; SE handler installation //////////F2
004048F7 . 64:A1 0000000>mov eax, dword ptr fs:[0] ; previous head of the SEH chain
004048FD . 50 push eax
004048FE . 64:8925 00000>mov dword ptr fs:[0], esp ; link the new registration record
00404905 . 51 push ecx
00404906 . 56 push esi
00404907 . 57 push edi
00404908 . 6A 01 push 1 ; argument 1 (TRUE) for UpdateData: read the controls into the members
0040490A . 8BF1 mov esi, ecx ; esi = this
0040490C . E8 FD340100 call <jmp.&MFC42.#6334_CWnd::UpdateData>
00404911 . 8B46 60 mov eax, dword ptr [esi+60] ; stack ds:[0012DB64]=022CF358, (ASCII "123456789")
00404914 . 8B4E 64 mov ecx, dword ptr [esi+64] ; stack ds:[0012DB68]=00632C88, (ASCII "user")
00404917 . 8D7E 64 lea edi, dword ptr [esi+64] ; edi = address of the user-name member, pushed again at 00404944
0040491A . 50 push eax ; eax=022CF358, (ASCII "123456789")
0040491B . 51 push ecx ; ecx=00632C88, (ASCII "user")
0040491C . E8 FF990000 call 0040E320 ; validation wrapper(name, code); result in AL
00404921 . 83C4 08 add esp, 8 ; caller removes the two arguments
00404924 . 84C0 test al, al
00404926 . 75 1C jnz short 00404944 ; AL != 0: accepted
; Rejected: message box with flags 40h, then clear the byte at 0042484C.
00404928 . 6A 40 push 40
0040492A . 68 A4334200 push 004233A4 ; sorry
0040492F . 68 78334200 push 00423378 ; invalid username or registration code
00404934 . 8BCE mov ecx, esi
00404936 . E8 51350100 call <jmp.&MFC42.#4224_CWnd::MessageBoxA>
0040493B . C605 4C484200>mov byte ptr [42484C], 0 ; global byte cleared on failure; presumably the "registered" flag (not confirmed by this excerpt)
00404942 . EB 57 jmp short 0040499B ; target lies outside this excerpt
; Accepted path; only its first three instructions are shown.
00404944 > 57 push edi
00404945 . 8D4424 0C lea eax, dword ptr [esp+C]
00404949 . 68 6C334200 push 0042336C ; license to
; 0040E320(name, code): thin wrapper around the real check at 0040E0F0.
; In:  [esp+4] = user name, [esp+8] = entered code (caller removes both arguments).
; Out: AL = 1 when 0040E0F0 returns non-zero, AL = 0 otherwise or when either early test below exits.
; Each early test compares exactly one byte (ecx = 1) of the argument with the byte at 0042477C;
; presumably 0042477C is an empty string, making these empty-input checks (its contents are not shown).
0040E320 /$ 8B5424 04 mov edx, dword ptr [esp+4] ; edx = name
0040E324 |. 56 push esi
0040E325 |. 57 push edi
0040E326 |. BF 7C474200 mov edi, 0042477C
0040E32B |. 8BF2 mov esi, edx
0040E32D |. B9 01000000 mov ecx, 1 ; compare a single byte
0040E332 |. 33C0 xor eax, eax
0040E334 |. F3:A6 repe cmps byte ptr es:[edi], byte ptr [esi]
0040E336 |. 74 2A je short 0040E362 ; first byte of name equals byte at 0042477C: return 0
0040E338 |. 8B4424 10 mov eax, dword ptr [esp+10] ; eax = code (second argument; two registers were pushed since entry)
0040E33C |. 53 push ebx
0040E33D |. BF 7C474200 mov edi, 0042477C
0040E342 |. 8BF0 mov esi, eax
0040E344 |. B9 01000000 mov ecx, 1 ; compare a single byte
0040E349 |. 33DB xor ebx, ebx
0040E34B |. F3:A6 repe cmps byte ptr es:[edi], byte ptr [esi]
0040E34D |. 5B pop ebx ; pop leaves the flags from cmps intact
0040E34E |. 74 12 je short 0040E362 ; first byte of code equals byte at 0042477C: return 0
0040E350 |. 50 push eax ; code
0040E351 |. 52 push edx ; name
0040E352 |. E8 99FDFFFF call 0040E0F0 ; derive the expected code and compare
0040E357 |. 83C4 08 add esp, 8
0040E35A |. 85C0 test eax, eax
0040E35C |. 5F pop edi
0040E35D |. 5E pop esi
0040E35E |. 0F95C0 setne al ; AL = (eax != 0); the pops above do not change the flags
0040E361 |. C3 retn
; Failure exit shared by both early tests.
0040E362 |> 5F pop edi
0040E363 |. 32C0 xor al, al ; AL = 0
0040E365 |. 5E pop esi
0040E366 \. C3 retn
; 0040E0F0(name, code): builds the expected code from the user name and compares it with the entered code.
; In:  stack arg1 = user name, stack arg2 = entered code (the caller at 0040E357 removes both).
; Out: eax = 1 on match, 0 otherwise (esi is copied to eax at 0040E2D7).
; Frame after the prologue pushes (offsets valid while no call argument is pending):
;   [esp+10] CString copy of the code     [esp+14] CString copy of the name
;   [esp+18] substitute character         [esp+1C] temporary CString returned by Left
;   [esp+20] pointer to the code buffer   [esp+2C] EH state (initialised by the push -1)
;   [esp+34] arg1 slot, reused for the derived CString
;   [esp+38] arg2 slot, reused as the pass counter
; The early-exit target 0040E2EC is not part of this listing.
; NOTE(review): the expected code is computed only from the name and constant data stored in the image
; (tables at 00424398 and 00424400, the string behind 00424860), so the check contains no secret;
; an asymmetric signature over the license data is the usual way to avoid shipping the full derivation.
0040E0F0 /$ 6A FF push -1
0040E0F2 |. 68 40A04100 push 0041A040 ; SE handler installation
0040E0F7 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0040E0FD |. 50 push eax
0040E0FE |. 64:8925 00000>mov dword ptr fs:[0], esp
0040E105 |. 83EC 14 sub esp, 14 ; 14h bytes of locals
0040E108 |. 8B4424 24 mov eax, dword ptr [esp+24] ; eax = arg1 (name)
0040E10C |. 53 push ebx
0040E10D |. 55 push ebp
0040E10E |. 56 push esi
0040E10F |. 57 push edi
; Copy the name into a local CString, trim both ends, take a buffer of at least 20h bytes -> ebx.
0040E110 |. 50 push eax
0040E111 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
0040E115 |. E8 D49B0000 call <jmp.&MFC42.#537_CString::CString>
0040E11A |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0040E11E |. C74424 2C 000>mov dword ptr [esp+2C], 0 ; EH state 0: name CString constructed
0040E126 |. E8 7FA00000 call <jmp.&MFC42.#6282_CString::TrimLeft>
0040E12B |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0040E12F |. E8 70A00000 call <jmp.&MFC42.#6283_CString::TrimRight>
0040E134 |. 6A 20 push 20
0040E136 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
0040E13A |. E8 BF9D0000 call <jmp.&MFC42.#2915_CString::GetBuffer>
0040E13F |. 8B4C24 38 mov ecx, dword ptr [esp+38] ; ecx = arg2 (entered code)
0040E143 |. 8BD8 mov ebx, eax ; ebx = trimmed name buffer
; Same treatment for the entered code -> edx, also saved at [esp+20].
0040E145 |. 51 push ecx
0040E146 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0040E14A |. E8 9F9B0000 call <jmp.&MFC42.#537_CString::CString>
0040E14F |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0040E153 |. C64424 2C 01 mov byte ptr [esp+2C], 1 ; EH state 1: code CString constructed
0040E158 |. E8 4DA00000 call <jmp.&MFC42.#6282_CString::TrimLeft>
0040E15D |. 8D4C24 10 lea ecx, dword ptr [esp+10]
0040E161 |. E8 3EA00000 call <jmp.&MFC42.#6283_CString::TrimRight>
0040E166 |. 6A 20 push 20
0040E168 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0040E16C |. E8 8D9D0000 call <jmp.&MFC42.#2915_CString::GetBuffer>
0040E171 |. 8BD0 mov edx, eax ; edx = trimmed code buffer
; Inline strlen idiom used throughout: ecx = -1, al = 0, repne scasb, not ecx, dec ecx -> length in ecx.
0040E173 |. 83CE FF or esi, FFFFFFFF ; esi = -1, reused as the initial count below
0040E176 |. 8BFA mov edi, edx
0040E178 |. 8BCE mov ecx, esi
0040E17A |. 33C0 xor eax, eax
0040E17C |. 895424 20 mov dword ptr [esp+20], edx ; keep the code buffer for the final compare
0040E180 |. F2:AE repne scas byte ptr es:[edi]
0040E182 |. F7D1 not ecx
0040E184 |. 49 dec ecx
0040E185 |. 8BFB mov edi, ebx
0040E187 |. 8BE9 mov ebp, ecx ; ebp = length of the code
0040E189 |. 8BCE mov ecx, esi
0040E18B |. F2:AE repne scas byte ptr es:[edi]
0040E18D |. F7D1 not ecx
0040E18F |. 49 dec ecx ; ecx = length of the name
0040E190 |. 3BCD cmp ecx, ebp
0040E192 |. 0F87 54010000 ja 0040E2EC ; name longer than code: early exit
0040E198 |. 8BFB mov edi, ebx
0040E19A |. 8BCE mov ecx, esi
0040E19C |. F2:AE repne scas byte ptr es:[edi]
0040E19E |. F7D1 not ecx
0040E1A0 |. 49 dec ecx
0040E1A1 |. 0F84 45010000 je 0040E2EC ; empty name: early exit
0040E1A7 |. 8BFA mov edi, edx
0040E1A9 |. 8BCE mov ecx, esi
0040E1AB |. F2:AE repne scas byte ptr es:[edi]
0040E1AD |. F7D1 not ecx
0040E1AF |. 49 dec ecx
0040E1B0 |. 0F84 36010000 je 0040E2EC ; empty code: early exit
0040E1B6 |. 894424 38 mov dword ptr [esp+38], eax ; pass counter = 0 (eax is still 0)
; Outer loop, one pass per counter value (the loop test at 0040E29F compares against 3).
0040E1BA |> 8B5424 38 /mov edx, dword ptr [esp+38]
0040E1BE |. 8D4C24 34 |lea ecx, dword ptr [esp+34]
0040E1C2 |. 8A82 00444200 |mov al, byte ptr [edx+424400] ; substitute character for this pass, read from 00424400 + pass counter
0040E1C8 |. 884424 18 |mov byte ptr [esp+18], al
0040E1CC |. E8 AF990000 |call <jmp.&MFC42.#540_CString::CString> ; default-construct the derived string at [esp+34]
0040E1D1 |. 8BFB |mov edi, ebx
0040E1D3 |. 83C9 FF |or ecx, FFFFFFFF
0040E1D6 |. 33C0 |xor eax, eax
0040E1D8 |. 33ED |xor ebp, ebp ; ebp = index into the name
0040E1DA |. F2:AE |repne scas byte ptr es:[edi]
0040E1DC |. F7D1 |not ecx
0040E1DE |. 49 |dec ecx
0040E1DF |. C64424 2C 02 |mov byte ptr [esp+2C], 2 ; EH state 2: derived CString alive (mov keeps the flags from dec)
0040E1E4 |. 74 4B |je short 0040E231 ; zero-length name: skip the per-character loop
; Per-character loop: look name[ebp] up in the table at 00424398 (2-byte entries, esi = entry index).
0040E1E6 |> 8A042B |/mov al, byte ptr [ebx+ebp]
0040E1E9 |. 33F6 ||xor esi, esi
0040E1EB |> 3A0475 984342>||/cmp al, byte ptr [esi*2+424398]
比较用户名user的第1位75(u)是否等于表中第1位41(A),不相等则逐项(每项2个字节)继续向后比较。
找到匹配字符后,取其后一位,
u------l
s------P
e------X
r------S
第1张表
00424398 41 78 42 69 43 49 64 41 65 58 66 4D 67 6A 68 45 AxBiCIdAeXfMgjhE
004243A8 69 56 6A 5A 6B 65 6C 52 6D 79 6E 42 6F 4B 70 64 iVjZkelRmynBoKpd
004243B8 71 54 72 53 73 50 74 57 75 6C 76 6B 77 44 78 48 qTrSsPtWulvkwDxH
004243C8 79 46 7A 7A 61 71 62 70 43 4F 44 6B 45 67 46 59 yFzzaqbpCODkEgFY
004243D8 47 6D 48 74 49 61 4A 72 4B 51 4C 6E 4D 73 4E 75 GmHtIaJrKQLnMsNu
004243E8 4F 55 50 47 51 4A 52 4C 53 4E 54 62 55 63 56 66 OUPGQJRLSNTbUcVf
004243F8 57 68 58 6F 59 77 5A 43 65 74 46 WhXoYwZCetF
; Continuation of the routine at 0040E0F0: rest of the per-character table lookup, padding to 10h characters,
; comparison with the entered code, and cleanup.
; Offsets as in the prologue: [esp+18] substitute character, [esp+1C] temporary CString, [esp+20] code buffer,
; [esp+2C] EH state, [esp+34] derived CString, [esp+38] pass counter.
0040E1F2 |. 74 08 |||je short 0040E1FC ; name byte equals the first byte of entry esi
0040E1F4 |. 46 |||inc esi
0040E1F5 |. 83FE 34 |||cmp esi, 34 ; 34h entries in the table
0040E1F8 |.^ 7C F1 ||\jl short 0040E1EB
0040E1FA |. EB 11 ||jmp short 0040E20D ; table exhausted, esi = 34h
; Match: append the second byte of the entry to the derived string.
0040E1FC |> 8A0C75 994342>||mov cl, byte ptr [esi*2+424399]
0040E203 |. 51 ||push ecx
0040E204 |. 8D4C24 38 ||lea ecx, dword ptr [esp+38]
0040E208 |. E8 919F0000 ||call <jmp.&MFC42.#940_CString::operator+=>
; No match (esi == 34h): append this pass's substitute character instead.
0040E20D |> 83FE 34 ||cmp esi, 34
0040E210 |. 75 0E ||jnz short 0040E220
0040E212 |. 8B5424 18 ||mov edx, dword ptr [esp+18]
0040E216 |. 8D4C24 34 ||lea ecx, dword ptr [esp+34]
0040E21A |. 52 ||push edx
0040E21B |. E8 7E9F0000 ||call <jmp.&MFC42.#940_CString::operator+=>
; Advance to the next name character; the name length is recomputed on every iteration.
0040E220 |> 8BFB ||mov edi, ebx
0040E222 |. 83C9 FF ||or ecx, FFFFFFFF
0040E225 |. 33C0 ||xor eax, eax
0040E227 |. 45 ||inc ebp
0040E228 |. F2:AE ||repne scas byte ptr es:[edi]
0040E22A |. F7D1 ||not ecx
0040E22C |. 49 ||dec ecx
0040E22D |. 3BE9 ||cmp ebp, ecx
0040E22F |.^ 72 B5 |\jb short 0040E1E6 ; unsigned: loop while index < length
0040E231 |> \8B4424 34 |mov eax, dword ptr [esp+34] ; stack ss:[0012D0B0]=022CF498, (ASCII "lPXS")
0040E235 |. 8B48 F8 |mov ecx, dword ptr [eax-8] ; dword 8 bytes before the character data; presumably the CString length field
0040E238 |. 83F9 10 |cmp ecx, 10
0040E23B |. 7D 3A |jge short 0040E277 ; already 10h or more characters: no padding (and no truncation)
; Pad: append the leftmost (10h - length) characters of the global CString at 00424860.
0040E23D |. 8BC1 |mov eax, ecx
0040E23F |. B9 10000000 |mov ecx, 10
0040E244 |. 2BC8 |sub ecx, eax ; ecx = 10h - current length
0040E246 |. 8D5424 1C |lea edx, dword ptr [esp+1C]
0040E24A |. 51 |push ecx ; count
0040E24B |. 52 |push edx ; receives the returned CString
0040E24C |. B9 60484200 |mov ecx, 00424860 ; this = global CString
0040E251 |. E8 129F0000 |call <jmp.&MFC42.#4129_CString::Left>
0040E256 |. 50 |push eax
0040E257 |. 8D4C24 38 |lea ecx, dword ptr [esp+38]
0040E25B |. C64424 30 03 |mov byte ptr [esp+30], 3 ; EH state 3: temporary alive (offset +30 because one argument is pushed)
0040E260 |. E8 2D9C0000 |call <jmp.&MFC42.#939_CString::operator+=>
0040E265 |. 8D4C24 1C |lea ecx, dword ptr [esp+1C]
0040E269 |. C64424 2C 02 |mov byte ptr [esp+2C], 2
0040E26E |. E8 01990000 |call <jmp.&MFC42.#800_CString::~CString> ; destroy the temporary
0040E273 |. 8B4424 34 |mov eax, dword ptr [esp+34]; stack ss:[0012D0B0]=022CF498, (ASCII "lPXSaeLHlXiwoPeB")
; Compare the derived string (s1) with the entered code (s2).
0040E277 |> \8B4C24 20 |mov ecx, dword ptr [esp+20]; stack ss:[0012D09C]=022CF448, (ASCII "123456789")
0040E27B |. 51 |push ecx ; /s2
0040E27C |. 50 |push eax ; |s1
0040E27D |. FF15 2CB74100 |call dword ptr [<&MSVCRT._mbscmp>] ; \_mbscmp: equal strings mean registration succeeds
0040E283 |. 83C4 08 |add esp, 8
0040E286 |. 8D4C24 34 |lea ecx, dword ptr [esp+34]
0040E28A |. 85C0 |test eax, eax
0040E28C |. C64424 2C 01 |mov byte ptr [esp+2C], 1 ; mov keeps the flags from test
0040E291 |. 74 1B |je short 0040E2AE ; strings equal
; Mismatch: result 0, destroy the derived string, try the next pass while the counter is below 3.
0040E293 |. 33F6 |xor esi, esi
0040E295 |. E8 DA980000 |call <jmp.&MFC42.#800_CString::~CString>
0040E29A |. 8B4424 38 |mov eax, dword ptr [esp+38]
0040E29E |. 40 |inc eax
0040E29F |. 83F8 03 |cmp eax, 3
0040E2A2 |. 894424 38 |mov dword ptr [esp+38], eax
0040E2A6 |.^ 0F8C 0EFFFFFF \jl 0040E1BA
0040E2AC |. EB 0A jmp short 0040E2B8
; Match: result 1, destroy the derived string.
0040E2AE |> BE 01000000 mov esi, 1
0040E2B3 |. E8 BC980000 call <jmp.&MFC42.#800_CString::~CString>
; Common exit: destroy the code and name copies, unlink the SEH record, return esi.
0040E2B8 |> 8D4C24 10 lea ecx, dword ptr [esp+10]
0040E2BC |. C64424 2C 00 mov byte ptr [esp+2C], 0
0040E2C1 |. E8 AE980000 call <jmp.&MFC42.#800_CString::~CString>
0040E2C6 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
0040E2CA |. C74424 2C FFF>mov dword ptr [esp+2C], -1
0040E2D2 |. E8 9D980000 call <jmp.&MFC42.#800_CString::~CString>
0040E2D7 |. 8BC6 mov eax, esi ; return value
0040E2D9 |. 5F pop edi
0040E2DA |. 5E pop esi
0040E2DB |. 5D pop ebp
0040E2DC |. 5B pop ebx
0040E2DD |. 8B4C24 14 mov ecx, dword ptr [esp+14] ; saved previous SEH head
0040E2E1 |. 64:890D 00000>mov dword ptr fs:[0], ecx
0040E2E8 |. 83C4 20 add esp, 20 ; 14h of locals + the 0Ch EH frame
0040E2EB |. C3 retn
; Trace into the CString::Left call made at 0040E251: the start of the routine inside the loaded MFC42 module
; (shown only up to its first inner call), followed by the three-instruction helper at 5EC0B5D4.
call <jmp.&MFC42.#4129_CString::Left>
5EC2D233 > 8BFF mov edi, edi
5EC2D235 55 push ebp
5EC2D236 8BEC mov ebp, esp
5EC2D238 6A FF push -1
5EC2D23A 68 A6FBCC5E push 5ECCFBA6 ; presumably the SE handler for this frame
5EC2D23F 64:A1 00000000 mov eax, dword ptr fs:[0]
5EC2D245 50 push eax
5EC2D246 51 push ecx
5EC2D247 56 push esi
5EC2D248 57 push edi
5EC2D249 A1 38D9CE5E mov eax, dword ptr [5ECED938] ; global value XORed with ebp below; looks like a security cookie - confirm
5EC2D24E 33C5 xor eax, ebp
5EC2D250 50 push eax
5EC2D251 8D45 F4 lea eax, dword ptr [ebp-C]
5EC2D254 64:A3 00000000 mov dword ptr fs:[0], eax ; link the new SEH record
5EC2D25A 8BF9 mov edi, ecx ; edi = this (the source CString)
5EC2D25C C745 F0 0000000>mov dword ptr [ebp-10], 0
5EC2D263 8B75 0C mov esi, dword ptr [ebp+C] ; esi = second stack argument (the count pushed at 0040E24A)
5EC2D266 85F6 test esi, esi
5EC2D268 7D 02 jge short 5EC2D26C
5EC2D26A 33F6 xor esi, esi ; negative count is clamped to 0
5EC2D26C E8 63E3FDFF call 5EC0B5D4
; Helper at 5EC0B5D4: returns (pointer stored in the object at ecx) - 0Ch.
; Per the annotation, the pointer read from [00424860] addresses the padding string.
5EC0B5D4 8B01 mov eax, dword ptr [ecx]//ds:[00424860]=006A2B98, (ASCII "aeLHlXiwoPeBGfgh")
5EC0B5D6 83E8 0C sub eax, 0C ; presumably the start of the string header that precedes the characters
5EC0B5D9 C3 retn
第2张表
00642B98 61 65 4C 48 6C 58 69 77 6F 50 65 42 47 66 67 68 aeLHlXiwoPeBGfgh
算法总结:
注册码由两部分组成:前部分是对注册名的每个字符在表1中查找相同的字符,取其后一位,注册名有几位,就取几位;
后部分取表2中的固定字符,补足到总共16位。如果注册名中带有数字,那么注册码中对应的位置用e表示。
有用的注册信息:
User name:user
Registration code:lPXSaeLHlXiwoPeB
User name:pendan
Registration code:dXBAqBaeLHlXiwoP
User name:pendan2001
Registration code:dXBAqBeeeeaeLHlX
注册信息保存在Settings.ini中
[register]
username=pendan2001
registercode=dXBAqBeeeeaeLHlX