【文章标题】: 环球卫星网络电视9.8注册算法分析+C注册机
【文章作者】: anan
【作者邮箱】: [email protected]
【软件名称】: 环球卫星网络电视9.8
【下载地址】: http://www.lwdown.com
【保护方式】: S/N
【使用工具】: peid,od
【软件介绍】: 可以收看国内外上百个精彩电视频道(包括中央电视台
【作者声明】: 9.5版本有人分析过了,但是未写算法分析,直接给出结果。所以我也拿了9.8版来分析,算法和9.5一样;无聊写了C注册机,冒下泡。
--------------------------------------------------------------------------------
【详细过程】
破解: 无壳,字符串中能查到“注册成功”,不过一般注册失败的CALL就在“注册成功”附近;为求精确,用XP万能断点。
004F4443 . 55 push ebp ; 断在此处
004F4444 . 68 58474F00 push 004F4758
004F4449 . 64:FF30 push dword ptr fs:[eax]
004F444C . 64:8920 mov dword ptr fs:[eax], esp
004F444F . A1 9C4F5000 mov eax, dword ptr [504F9C]
==================================================================
004F4454 . 8038 00 cmp byte ptr [eax], 0
004F4457 . 74 1A je short 004F4473
004F4459 . 6A 00 push 0 ; /Arg1 = 00000000
004F445B . 66:8B0D 68474>mov cx, word ptr [4F4768] ; |
004F4462 . B2 02 mov dl, 2 ; |
004F4464 . B8 74474F00 mov eax, 004F4774 ; |
004F4469 . E8 BAD5F3FF call 00431A28 ; \环球卫星.00431A28
004F446E . E9 88020000 jmp 004F46FB
004F4473 > 8D55 F0 lea edx, dword ptr [ebp-10]
004F4476 . 8B45 FC mov eax, dword ptr [ebp-4]
004F4479 . 8B80 00030000 mov eax, dword ptr [eax+300]
004F447F . E8 CC1AF5FF call 00445F50
004F4484 . 837D F0 00 cmp dword ptr [ebp-10], 0 ; 检验N是否为空
004F4488 . 74 1E je short 004F44A8
004F448A . 8D55 EC lea edx, dword ptr [ebp-14]
004F448D . 8B45 FC mov eax, dword ptr [ebp-4]
004F4490 . 8B80 00030000 mov eax, dword ptr [eax+300]
004F4496 . E8 B51AF5FF call 00445F50 ; 计算注册码N的位数
004F449B . 8B45 EC mov eax, dword ptr [ebp-14] ; N送EAX
004F449E . E8 F900F1FF call 0040459C
004F44A3 . 83F8 08 cmp eax, 8 ; N要小于等于8位否则失败
004F44A6 . 7E 30 jle short 004F44D8
004F44A8 > B8 A0474F00 mov eax, 004F47A0
004F44AD . E8 6ED6F3FF call 00431B20 ; 注册失败CALL
004F44B2 . 8B45 FC mov eax, dword ptr [ebp-4]
004F44B5 . 8B80 00030000 mov eax, dword ptr [eax+300]
004F44BB . 33D2 xor edx, edx
004F44BD . E8 BE1AF5FF call 00445F80
004F44C2 . 8B45 FC mov eax, dword ptr [ebp-4]
004F44C5 . 8B80 00030000 mov eax, dword ptr [eax+300]
004F44CB . 8B10 mov edx, dword ptr [eax]
004F44CD . FF92 C4000000 call dword ptr [edx+C4]
004F44D3 . E9 23020000 jmp 004F46FB
004F44D8 > 8D45 E4 lea eax, dword ptr [ebp-1C]
004F44DB . 50 push eax
004F44DC . 8D55 E0 lea edx, dword ptr [ebp-20]
004F44DF . 8B45 FC mov eax, dword ptr [ebp-4]
004F44E2 . 8B80 08030000 mov eax, dword ptr [eax+308]
004F44E8 . E8 631AF5FF call 00445F50 ; 计算机器码J的位数
004F44ED . 8B45 E0 mov eax, dword ptr [ebp-20] ; J送EAX
004F44F0 . B9 06000000 mov ecx, 6 ; 机器码需要保留的位数是6位
004F44F5 . BA 01000000 mov edx, 1
004F44FA . E8 FD02F1FF call 004047FC ; 保留机器码前6位=J1
004F44FF . 8B4D E4 mov ecx, dword ptr [ebp-1C]
004F4502 . 8D45 E8 lea eax, dword ptr [ebp-18]
004F4505 . BA B8474F00 mov edx, 004F47B8 ; 0x
004F450A . E8 D900F1FF call 004045E8 ; 0x与J1相连=J2(如果J2是个实数 其实就是16进制的表示方法)
004F450F . 8B45 E8 mov eax, dword ptr [ebp-18]
004F4512 . E8 214EF1FF call 00409338 ; 关键CALL(算法过程中0x实际上未参与运算)
004F4517 . 8BF0 mov esi, eax ; 上面CALL出来后得到J3
004F4519 . 33C0 xor eax, eax
004F451B . 55 push ebp
004F451C . 68 B2464F00 push 004F46B2
004F4521 . 64:FF30 push dword ptr fs:[eax]
004F4524 . 64:8920 mov dword ptr fs:[eax], esp
004F4527 . 8D55 DC lea edx, dword ptr [ebp-24]
004F452A . 8B45 FC mov eax, dword ptr [ebp-4]
004F452D . 8B80 00030000 mov eax, dword ptr [eax+300]
004F4533 . E8 181AF5FF call 00445F50
004F4538 . 8B45 DC mov eax, dword ptr [ebp-24]
004F453B . E8 F84DF1FF call 00409338 ; N转化为16进制=N1
004F4540 . 8BD8 mov ebx, eax
004F4542 . 8BC3 mov eax, ebx
004F4544 . 2BC6 sub eax, esi ; N1-J3
004F4546 . 3B05 14485000 cmp eax, dword ptr [504814] ; 比较N1-J3,C0F1E(十进制790302)
004F454C . 74 59 je short 004F45A7 ; 相等注册成功(爆破点)
004F454E . 68 C4474F00 push 004F47C4
004F4553 . 8D55 D4 lea edx, dword ptr [ebp-2C]
004F4556 . 8B45 FC mov eax, dword ptr [ebp-4]
004F4559 . 8B80 00030000 mov eax, dword ptr [eax+300]
004F455F . E8 EC19F5FF call 00445F50
004F4564 . FF75 D4 push dword ptr [ebp-2C]
004F4567 . 68 E0474F00 push 004F47E0
004F456C . 8D45 D8 lea eax, dword ptr [ebp-28]
004F456F . BA 03000000 mov edx, 3
004F4574 . E8 E300F1FF call 0040465C
004F4579 . 8B45 D8 mov eax, dword ptr [ebp-28]
004F457C . E8 9FD5F3FF call 00431B20
004F4581 . 8B45 FC mov eax, dword ptr [ebp-4]
004F4584 . 8B80 00030000 mov eax, dword ptr [eax+300]
004F458A . 33D2 xor edx, edx
004F458C . E8 EF19F5FF call 00445F80
004F4591 . 8B45 FC mov eax, dword ptr [ebp-4]
004F4594 . 8B80 00030000 mov eax, dword ptr [eax+300]
004F459A . 8B10 mov edx, dword ptr [eax]
004F459C . FF92 C4000000 call dword ptr [edx+C4]
004F45A2 . E9 01010000 jmp 004F46A8
004F45A7 > 8D55 F4 lea edx, dword ptr [ebp-C]
004F45AA . A1 18485000 mov eax, dword ptr [504818]
004F45AF . 03C3 add eax, ebx
004F45B1 . E8 624BF1FF call 00409118
004F45B6 . 8D55 C8 lea edx, dword ptr [ebp-38]
004F45B9 . A1 3C4E5000 mov eax, dword ptr [504E3C]
004F45BE . 8B00 mov eax, dword ptr [eax]
004F45C0 . E8 4720F7FF call 0046660C
004F45C5 . 8B45 C8 mov eax, dword ptr [ebp-38]
004F45C8 . 8D55 CC lea edx, dword ptr [ebp-34]
004F45CB . E8 5852F1FF call 00409828
004F45D0 . FF75 CC push dword ptr [ebp-34]
004F45D3 . 68 F4474F00 push 004F47F4 ; ASCII "set"
004F45D8 . FF75 F4 push dword ptr [ebp-C]
004F45DB . 68 00484F00 push 004F4800 ; .ini
004F45E0 . 8D45 D0 lea eax, dword ptr [ebp-30]
004F45E3 . BA 04000000 mov edx, 4
004F45E8 . E8 6F00F1FF call 0040465C
004F45ED . 8B4D D0 mov ecx, dword ptr [ebp-30]
004F45F0 . B2 01 mov dl, 1
004F45F2 . A1 2C914300 mov eax, dword ptr [43912C]
004F45F7 . E8 E04BF4FF call 004391DC
004F45FC . 8945 F8 mov dword ptr [ebp-8], eax
004F45FF . 33C0 xor eax, eax
004F4601 . 55 push ebp
004F4602 . 68 37464F00 push 004F4637
004F4607 . 64:FF30 push dword ptr fs:[eax]
004F460A . 64:8920 mov dword ptr fs:[eax], esp
004F460D . 6A 01 push 1
004F460F . B9 10484F00 mov ecx, 004F4810 ; ASCII "Reg"
004F4614 . BA 1C484F00 mov edx, 004F481C ; option
004F4619 . 8B45 F8 mov eax, dword ptr [ebp-8]
004F461C . 8B18 mov ebx, dword ptr [eax]
004F461E . FF53 14 call dword ptr [ebx+14]
004F4621 . 33C0 xor eax, eax
004F4623 . 5A pop edx
004F4624 . 59 pop ecx
004F4625 . 59 pop ecx
004F4626 . 64:8910 mov dword ptr fs:[eax], edx
004F4629 . 68 3E464F00 push 004F463E
004F462E > 8B45 F8 mov eax, dword ptr [ebp-8]
004F4631 . E8 D2EDF0FF call 00403408
004F4636 . C3 retn
004F4637 .^ E9 20F5F0FF jmp 00403B5C
004F463C .^ EB F0 jmp short 004F462E
004F463E . 6A 00 push 0 ; /Arg1 = 00000000
004F4640 . 66:8B0D 68474>mov cx, word ptr [4F4768] ; |
004F4647 . B2 02 mov dl, 2 ; |
004F4649 . B8 2C484F00 mov eax, 004F482C ; |注册成功。谢谢你支持我们!
004F464E . E8 D5D3F3FF call 00431A28 ; \环球卫星.00431A28
======================================================================================================
跟进关键CALL后,发现里面有2个CALL,其中第1个为算法CALL。
算法CALL:
00402E30 /$ 53 push ebx
00402E31 |. 56 push esi
00402E32 |. 57 push edi
00402E33 |. 89C6 mov esi, eax
00402E35 |. 50 push eax
00402E36 |. 85C0 test eax, eax
00402E38 |. 74 6C je short 00402EA6
00402E3A |. 31C0 xor eax, eax
00402E3C |. 31DB xor ebx, ebx
00402E3E |. BF CCCCCC0C mov edi, 0CCCCCCC
00402E43 |> 8A1E /mov bl, byte ptr [esi] ; J2首位0送BL
00402E45 |. 46 |inc esi
00402E46 |. 80FB 20 |cmp bl, 20
00402E49 |.^ 74 F8 \je short 00402E43
00402E4B |. B5 00 mov ch, 0
00402E4D |. 80FB 2D cmp bl, 2D ; 与 - 比较
00402E50 |. 74 62 je short 00402EB4
00402E52 |. 80FB 2B cmp bl, 2B
00402E55 |. 74 5F je short 00402EB6 ; 与 + 比较
00402E57 |> 80FB 24 cmp bl, 24 ; Switch (cases 0..78)
00402E5A |. 74 5F je short 00402EBB
00402E5C |. 80FB 78 cmp bl, 78
00402E5F |. 74 5A je short 00402EBB
00402E61 |. 80FB 58 cmp bl, 58
00402E64 |. 74 55 je short 00402EBB
00402E66 |. 80FB 30 cmp bl, 30
00402E69 |. 75 13 jnz short 00402E7E
00402E6B |. 8A1E mov bl, byte ptr [esi] ; Case 30 ('0') of switch 00402E57
00402E6D |. 46 inc esi ; J2第2位送BL ESI移到J2第3位
00402E6E |. 80FB 78 cmp bl, 78
00402E71 |. 74 48 je short 00402EBB
00402E73 |. 80FB 58 cmp bl, 58
00402E76 |. 74 43 je short 00402EBB
00402E78 |. 84DB test bl, bl
00402E7A |. 74 20 je short 00402E9C
00402E7C |. EB 04 jmp short 00402E82
00402E7E |> 84DB test bl, bl
00402E80 |. 74 2D je short 00402EAF
00402E82 |> 80EB 30 /sub bl, 30 ; Default case of switch 00402E57
00402E85 |. 80FB 09 |cmp bl, 9
00402E88 |. 77 25 |ja short 00402EAF
00402E8A |. 39F8 |cmp eax, edi
00402E8C |. 77 21 |ja short 00402EAF
00402E8E |. 8D0480 |lea eax, dword ptr [eax+eax*4]
00402E91 |. 01C0 |add eax, eax
00402E93 |. 01D8 |add eax, ebx
00402E95 |. 8A1E |mov bl, byte ptr [esi]
00402E97 |. 46 |inc esi
00402E98 |. 84DB |test bl, bl
00402E9A |.^ 75 E6 \jnz short 00402E82
00402E9C |> FECD dec ch
00402E9E |. 74 09 je short 00402EA9
00402EA0 |. 85C0 test eax, eax
00402EA2 |. 7D 54 jge short 00402EF8
00402EA4 |. EB 09 jmp short 00402EAF
00402EA6 |> 46 inc esi
00402EA7 |. EB 06 jmp short 00402EAF
00402EA9 |> F7D8 neg eax
00402EAB |. 7E 4B jle short 00402EF8
00402EAD |. 78 49 js short 00402EF8
00402EAF |> 5B pop ebx ; Default case of switch 00402ECF
00402EB0 |. 29DE sub esi, ebx
00402EB2 |. EB 47 jmp short 00402EFB
00402EB4 |> FEC5 inc ch
00402EB6 |> 8A1E mov bl, byte ptr [esi]
00402EB8 |. 46 inc esi
00402EB9 |.^ EB 9C jmp short 00402E57
00402EBB |> BF FFFFFF0F mov edi, 0FFFFFFF ; Cases 24 ('$'),58 ('X'),78 ('x') of switch
上面一段在算法里不具实际意义,只是检验J2前2位是否为0x。
=============================================================================
00402EC0 |. 8A1E mov bl, byte ptr [esi] ; J2第3位J2[3]送BL
00402EC2 |. 46 inc esi ; ESI移到第4位
00402EC3 |. 84DB test bl, bl
00402EC5 |.^ 74 DF je short 00402EA6 ; 检验J2[3]是否为0
00402EC7 |> 80FB 61 /cmp bl, 61 ; 与a比较
00402ECA |. 72 03 |jb short 00402ECF
00402ECC |. 80EB 20 |sub bl, 20
00402ECF |> 80EB 30 |sub bl, 30 ; Switch (cases 30..46)
00402ED2 |. 80FB 09 |cmp bl, 9 ; 与9做比较
00402ED5 |. 76 0B |jbe short 00402EE2
00402ED7 |. 80EB 11 |sub bl, 11 ; 这里是分辨J2[I]是数字还是字符
00402EDA |. 80FB 05 |cmp bl, 5
00402EDD |.^ 77 D0 |ja short 00402EAF
00402EDF |. 80C3 0A |add bl, 0A ; Cases 41 ('A'),42 ('B'),43 ('C'),44 ('D'),45 ('E'),46 ('F') of switch 00402ECF
00402EE2 |> 39F8 |cmp eax, edi ; Cases 30 ('0'),31 ('1'),32 ('2'),33 ('3'),34 ('4'),35 ('5'),36 ('6'),37 ('7'),38 ('8'),39 ('9') of switch 00402ECF
00402EE4 |.^ 77 C9 |ja short 00402EAF
00402EE6 |. C1E0 04 |shl eax, 4 ; EAX左移4位即扩大16倍
00402EE9 |. 01D8 |add eax, ebx ; EAX+J2[I](I>=3)
00402EEB |. 8A1E |mov bl, byte ptr [esi] ; J2[I+1]
00402EED |. 46 |inc esi
00402EEE |. 84DB |test bl, bl
00402EF0 |.^ 75 D5 \jnz short 00402EC7 ; 循环结束J3出现
00402EF2 |. FECD dec ch
00402EF4 |. 75 02 jnz short 00402EF8
00402EF6 |. F7D8 neg eax
00402EF8 |> 59 pop ecx
00402EF9 |. 31F6 xor esi, esi
00402EFB |> 8932 mov dword ptr [edx], esi
00402EFD |. 5F pop edi
00402EFE |. 5E pop esi
00402EFF |. 5B pop ebx
00402F00 \. C3 retn
========================================================================
算法主要的实现过程:将0x与机器码相连产生一个字符串(为了方便以J2[I]代替)
实际运算是从J2[3]开始的(即从机器码的第1位到第6位)
如果J2[I]是字符的话运算{J2[I]-41H+0AH}*16的[8-I]次方
如果J2[I]是数字的话运算J2[I]*16的[8-I]次方
将J2[I]通过上面的运算所得值再累加得J3
如果你计算一下的话发现所得值J3用16进制来表示实际上就是
机器码的前6位
注册码: 只需要把机器码的前6位转化成10进制数再加上790302就可以了或者
将机器码前6位先与C0F1E相加再将结果转为10进制就可以了
C语言注册机 VC++ 6.0编译通过- #include <stdio.h>
- main()
- {char name[20];
- int i=0,j;
- long sum1=0,a[20];
- loop: printf("请输入机器码: ");
- scanf("%s",name);
- while(name[i]!='\0')i++;
- if(i<6)
- {printf("机器码至少需要6位\n");
- goto loop;}
-
- for(i=0;i<6;i++)
- {if(name[i]>0x39)a[i]=name[i]-55;
- else a[i]=name[i]-0x30;
- }
- sum1=a[0]*0x100000+a[1]*0x10000+a[2]*0x1000+a[3]*0x100+a[4]*0x10+a[5]+0xc0f1e;
- printf("你的注册码为: %ld\n",sum1);
- goto loop;}
本机:机器码BD0550CA
注册码13177966
--------------------------------------------------------------------------------
2007年08月26日 16:10:09