发表于 2007-12-26 18:08:53
先说这里注册用的公式:
余数 = (ID-1989)开平方后对27.0取余
(int)((余数+注册码ASCII码值之和)*4) = 用户名ASCII码值之和, 这个等式成立就通过. 注意余数是double类型, double转为int有损失
Check按钮的响应代码:(在这下断)
; Start of the Check button handler: builds the two strings, compares them, releases both and branches on the result. The listing stops at the final branch; the rest of the handler is not shown.
0041B32D 55 PUSH EBP
0041B32E 8BEC MOV EBP,ESP
0041B330 81EC 38000000 SUB ESP,38
0041B336 E8 00040000 CALL 破解我5.0041B73B ; sum the ASCII codes of the user name and convert the sum to a string (right-hand side of the equation above)
0041B33B 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0041B33E E8 38050000 CALL 破解我5.0041B87B ; build a string from the serial and the ID (left-hand side of the equation above)
0041B343 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0041B346 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0041B349 50 PUSH EAX
0041B34A FF75 FC PUSH DWORD PTR SS:[EBP-4]
0041B34D E8 77FEFFFF CALL 破解我5.0041B1C9 ; string comparison function
0041B352 83C4 08 ADD ESP,8 ; the two strings above are compared: unequal -> fail, equal -> success
0041B355 83F8 00 CMP EAX,0
0041B358 B8 00000000 MOV EAX,0
0041B35D 0F94C0 SETE AL ; AL = 1 only when the comparison returned 0
0041B360 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX ; comparison result saved in [ebp-c]
0041B363 8B5D FC MOV EBX,DWORD PTR SS:[EBP-4]
0041B366 85DB TEST EBX,EBX
0041B368 74 09 JE SHORT 破解我5.0041B373
0041B36A 53 PUSH EBX
0041B36B E8 4F140000 CALL 破解我5.0041C7BF ; NOTE(review): called on each non-null string pointer after use, presumably the runtime's free routine - confirm
0041B370 83C4 04 ADD ESP,4
0041B373 8B5D F8 MOV EBX,DWORD PTR SS:[EBP-8]
0041B376 85DB TEST EBX,EBX
0041B378 74 09 JE SHORT 破解我5.0041B383
0041B37A 53 PUSH EBX
0041B37B E8 3F140000 CALL 破解我5.0041C7BF
0041B380 83C4 04 ADD ESP,4
0041B383 837D F4 00 CMP DWORD PTR SS:[EBP-C],0 ; fetch the comparison result and test it against 0
0041B387 0F84 83030000 JE 破解我5.0041B710 ; success if this jump is NOT taken
等式右边的产生过程, 即用户名ASCII码值累加, 函数一:
; Function one: adds up the character codes of the user name and returns the sum as a string in EAX.
0041B73B 55 PUSH EBP
0041B73C 8BEC MOV EBP,ESP
0041B73E 81EC 2C000000 SUB ESP,2C
0041B744 C745 FC 0000000>MOV DWORD PTR SS:[EBP-4],0
0041B74B C745 F4 0000000>MOV DWORD PTR SS:[EBP-C],0
0041B752 C745 F8 0000000>MOV DWORD PTR SS:[EBP-8],0
0041B759 6A FF PUSH -1
0041B75B 6A 08 PUSH 8
0041B75D 68 C4000116 PUSH 160100C4
0041B762 68 01000152 PUSH 52010001
0041B767 E8 6B100000 CALL 破解我5.0041C7D7 ; get the user name
0041B76C 83C4 10 ADD ESP,10
0041B76F 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; user name stored in [ebp-10]
0041B772 68 04000080 PUSH 80000004
0041B777 6A 00 PUSH 0
0041B779 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0041B77C 85C0 TEST EAX,EAX
0041B77E 75 05 JNZ SHORT 破解我5.0041B785
0041B780 B8 A76B4100 MOV EAX,破解我5.00416BA7 ; fallback pointer used when the returned string pointer is null
0041B785 50 PUSH EAX
0041B786 68 01000000 PUSH 1
0041B78B BB 30010000 MOV EBX,130
0041B790 E8 36100000 CALL 破解我5.0041C7CB ; get the length of the user name (NOTE(review): 0041C7CB looks like a runtime dispatcher keyed by EBX - confirm)
0041B795 83C4 10 ADD ESP,10
0041B798 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
0041B79B 8B5D F0 MOV EBX,DWORD PTR SS:[EBP-10]
0041B79E 85DB TEST EBX,EBX
0041B7A0 74 09 JE SHORT 破解我5.0041B7AB
0041B7A2 53 PUSH EBX
0041B7A3 E8 17100000 CALL 破解我5.0041C7BF
0041B7A8 83C4 04 ADD ESP,4
0041B7AB 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0041B7AE 33C9 XOR ECX,ECX
0041B7B0 50 PUSH EAX
0041B7B1 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0041B7B4 8BD8 MOV EBX,EAX
0041B7B6 58 POP EAX
0041B7B7 41 INC ECX ; a loop follows; this is the loop start
0041B7B8 51 PUSH ECX ; walk every character of the user name and add up the ASCII codes
0041B7B9 53 PUSH EBX
0041B7BA 890B MOV DWORD PTR DS:[EBX],ECX ; EBX points at [EBP-4], so the 1-based index is stored there
0041B7BC 50 PUSH EAX
0041B7BD 3BC8 CMP ECX,EAX
0041B7BF 0F8F 87000000 JG 破解我5.0041B84C ; leave the loop once the index exceeds the length
0041B7C5 6A FF PUSH -1
0041B7C7 6A 08 PUSH 8
0041B7C9 68 C4000116 PUSH 160100C4
0041B7CE 68 01000152 PUSH 52010001
0041B7D3 E8 FF0F0000 CALL 破解我5.0041C7D7 ; get the user name
0041B7D8 83C4 10 ADD ESP,10
0041B7DB 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
0041B7DE 68 01030080 PUSH 80000301
0041B7E3 6A 00 PUSH 0
0041B7E5 FF75 FC PUSH DWORD PTR SS:[EBP-4]
0041B7E8 68 04000080 PUSH 80000004
0041B7ED 6A 00 PUSH 0
0041B7EF 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0041B7F2 85C0 TEST EAX,EAX
0041B7F4 75 05 JNZ SHORT 破解我5.0041B7FB
0041B7F6 B8 A76B4100 MOV EAX,破解我5.00416BA7
0041B7FB 50 PUSH EAX
0041B7FC 68 02000000 PUSH 2
0041B801 BB 44010000 MOV EBX,144
0041B806 E8 C00F0000 CALL 破解我5.0041C7CB ; fetch the ASCII value of each user-name character in turn
0041B80B 83C4 1C ADD ESP,1C
0041B80E 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
0041B811 8B5D F0 MOV EBX,DWORD PTR SS:[EBP-10]
0041B814 85DB TEST EBX,EBX
0041B816 74 09 JE SHORT 破解我5.0041B821
0041B818 53 PUSH EBX
0041B819 E8 A10F0000 CALL 破解我5.0041C7BF
0041B81E 83C4 04 ADD ESP,4
0041B821 DF6D F4 FILD QWORD PTR SS:[EBP-C] ; load the running sum kept as a 64-bit integer in [EBP-C]/[EBP-8]
0041B824 DD5D E4 FSTP QWORD PTR SS:[EBP-1C]
0041B827 DD45 E4 FLD QWORD PTR SS:[EBP-1C]
0041B82A DB45 EC FILD DWORD PTR SS:[EBP-14]
0041B82D DD5D DC FSTP QWORD PTR SS:[EBP-24]
0041B830 DC45 DC FADD QWORD PTR SS:[EBP-24] ; add the ASCII values one after another
0041B833 DD5D D4 FSTP QWORD PTR SS:[EBP-2C]
0041B836 DD45 D4 FLD QWORD PTR SS:[EBP-2C]
0041B839 E8 D6FEFFFF CALL 破解我5.0041B714 ; convert the computed result to an integer
0041B83E 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
0041B841 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
0041B844 58 POP EAX
0041B845 5B POP EBX
0041B846 59 POP ECX
0041B847 ^ E9 6BFFFFFF JMP 破解我5.0041B7B7
0041B84C 83C4 0C ADD ESP,0C
0041B84F 68 01040080 PUSH 80000401
0041B854 FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; push the ASCII sum computed above
0041B857 FF75 F4 PUSH DWORD PTR SS:[EBP-C]
0041B85A 68 01000000 PUSH 1
0041B85F BB 68010000 MOV EBX,168
0041B864 E8 620F0000 CALL 破解我5.0041C7CB ; convert the ASCII sum to a string
0041B869 83C4 10 ADD ESP,10
0041B86C 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
0041B86F 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0041B872 E9 00000000 JMP 破解我5.0041B877
0041B877 8BE5 MOV ESP,EBP
0041B879 5D POP EBP
0041B87A C3 RETN
再看等式左边的产生过程, 函数二:
; Function two: sums the serial's character codes, combines the sum with a value derived from the ID, and returns the integer result as a string in EAX.
0041B87B 55 PUSH EBP
0041B87C 8BEC MOV EBP,ESP
0041B87E 81EC 4C000000 SUB ESP,4C
0041B884 C745 FC 0000000>MOV DWORD PTR SS:[EBP-4],0
0041B88B C745 F4 0000000>MOV DWORD PTR SS:[EBP-C],0
0041B892 C745 F8 0000000>MOV DWORD PTR SS:[EBP-8],0
0041B899 6A FF PUSH -1
0041B89B 6A 08 PUSH 8
0041B89D 68 C3000116 PUSH 160100C3
0041B8A2 68 01000152 PUSH 52010001
0041B8A7 E8 2B0F0000 CALL 破解我5.0041C7D7 ; get the serial (registration code)
0041B8AC 83C4 10 ADD ESP,10
0041B8AF 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
0041B8B2 68 04000080 PUSH 80000004
0041B8B7 6A 00 PUSH 0
0041B8B9 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0041B8BC 85C0 TEST EAX,EAX
0041B8BE 75 05 JNZ SHORT 破解我5.0041B8C5
0041B8C0 B8 A76B4100 MOV EAX,破解我5.00416BA7 ; fallback pointer used when the returned string pointer is null
0041B8C5 50 PUSH EAX
0041B8C6 68 01000000 PUSH 1
0041B8CB BB 30010000 MOV EBX,130
0041B8D0 E8 F60E0000 CALL 破解我5.0041C7CB ; get the length of the serial
0041B8D5 83C4 10 ADD ESP,10
0041B8D8 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
0041B8DB 8B5D F0 MOV EBX,DWORD PTR SS:[EBP-10]
0041B8DE 85DB TEST EBX,EBX
0041B8E0 74 09 JE SHORT 破解我5.0041B8EB
0041B8E2 53 PUSH EBX
0041B8E3 E8 D70E0000 CALL 破解我5.0041C7BF
0041B8E8 83C4 04 ADD ESP,4
0041B8EB 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0041B8EE 33C9 XOR ECX,ECX
0041B8F0 50 PUSH EAX
0041B8F1 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0041B8F4 8BD8 MOV EBX,EAX
0041B8F6 58 POP EAX
0041B8F7 41 INC ECX ; a loop follows; this is the loop start
0041B8F8 51 PUSH ECX
0041B8F9 53 PUSH EBX
0041B8FA 890B MOV DWORD PTR DS:[EBX],ECX
0041B8FC 50 PUSH EAX
0041B8FD 3BC8 CMP ECX,EAX
0041B8FF 0F8F 87000000 JG 破解我5.0041B98C ; leave the loop once the index exceeds the length
0041B905 6A FF PUSH -1
0041B907 6A 08 PUSH 8
0041B909 68 C3000116 PUSH 160100C3
0041B90E 68 01000152 PUSH 52010001
0041B913 E8 BF0E0000 CALL 破解我5.0041C7D7 ; fetch the serial
0041B918 83C4 10 ADD ESP,10
0041B91B 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
0041B91E 68 01030080 PUSH 80000301
0041B923 6A 00 PUSH 0
0041B925 FF75 FC PUSH DWORD PTR SS:[EBP-4]
0041B928 68 04000080 PUSH 80000004
0041B92D 6A 00 PUSH 0
0041B92F 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0041B932 85C0 TEST EAX,EAX
0041B934 75 05 JNZ SHORT 破解我5.0041B93B
0041B936 B8 A76B4100 MOV EAX,破解我5.00416BA7
0041B93B 50 PUSH EAX
0041B93C 68 02000000 PUSH 2
0041B941 BB 44010000 MOV EBX,144
0041B946 E8 800E0000 CALL 破解我5.0041C7CB ; fetch the ASCII value of each serial character in turn
0041B94B 83C4 1C ADD ESP,1C
0041B94E 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
0041B951 8B5D F0 MOV EBX,DWORD PTR SS:[EBP-10]
0041B954 85DB TEST EBX,EBX
0041B956 74 09 JE SHORT 破解我5.0041B961
0041B958 53 PUSH EBX
0041B959 E8 610E0000 CALL 破解我5.0041C7BF
0041B95E 83C4 04 ADD ESP,4
0041B961 DF6D F4 FILD QWORD PTR SS:[EBP-C]
0041B964 DD5D E4 FSTP QWORD PTR SS:[EBP-1C]
0041B967 DD45 E4 FLD QWORD PTR SS:[EBP-1C]
0041B96A DB45 EC FILD DWORD PTR SS:[EBP-14]
0041B96D DD5D DC FSTP QWORD PTR SS:[EBP-24]
0041B970 DC45 DC FADD QWORD PTR SS:[EBP-24] ; add them up one after another
0041B973 DD5D D4 FSTP QWORD PTR SS:[EBP-2C]
0041B976 DD45 D4 FLD QWORD PTR SS:[EBP-2C]
0041B979 E8 96FDFFFF CALL 破解我5.0041B714 ; convert to an integer
0041B97E 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX ; keep the running sum for later
0041B981 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
0041B984 58 POP EAX
0041B985 5B POP EBX
0041B986 59 POP ECX
0041B987 ^ E9 6BFFFFFF JMP 破解我5.0041B8F7
0041B98C 83C4 0C ADD ESP,0C
0041B98F 6A FF PUSH -1
0041B991 6A 08 PUSH 8
0041B993 68 C5010116 PUSH 160101C5
0041B998 68 01000152 PUSH 52010001
0041B99D E8 350E0000 CALL 破解我5.0041C7D7 ; get the ID
0041B9A2 83C4 10 ADD ESP,10
0041B9A5 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
0041B9A8 68 04000080 PUSH 80000004
0041B9AD 6A 00 PUSH 0
0041B9AF 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0041B9B2 85C0 TEST EAX,EAX
0041B9B4 75 05 JNZ SHORT 破解我5.0041B9BB
0041B9B6 B8 A76B4100 MOV EAX,破解我5.00416BA7
0041B9BB 50 PUSH EAX
0041B9BC 68 01000000 PUSH 1
0041B9C1 BB DC090000 MOV EBX,9DC
0041B9C6 E8 000E0000 CALL 破解我5.0041C7CB ; convert the ID to an integer
0041B9CB 83C4 10 ADD ESP,10
0041B9CE 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
0041B9D1 8B5D F0 MOV EBX,DWORD PTR SS:[EBP-10]
0041B9D4 85DB TEST EBX,EBX
0041B9D6 74 09 JE SHORT 破解我5.0041B9E1
0041B9D8 53 PUSH EBX
0041B9D9 E8 E10D0000 CALL 破解我5.0041C7BF
0041B9DE 83C4 04 ADD ESP,4
0041B9E1 DB45 EC FILD DWORD PTR SS:[EBP-14]
0041B9E4 DD5D E4 FSTP QWORD PTR SS:[EBP-1C]
0041B9E7 DD45 E4 FLD QWORD PTR SS:[EBP-1C]
0041B9EA DC25 A86B4100 FSUB QWORD PTR DS:[416BA8] ; ID = ID - 1989 (the constant at 416BA8 is not shown in this listing)
0041B9F0 DD5D DC FSTP QWORD PTR SS:[EBP-24]
0041B9F3 68 01060080 PUSH 80000601
0041B9F8 FF75 E0 PUSH DWORD PTR SS:[EBP-20]
0041B9FB FF75 DC PUSH DWORD PTR SS:[EBP-24]
0041B9FE 68 01000000 PUSH 1
0041BA03 BB 70000000 MOV EBX,70
0041BA08 E8 BE0D0000 CALL 破解我5.0041C7CB ; square-root function: takes the square root of the ID value stored at [EBP-24]
0041BA0D 83C4 10 ADD ESP,10
0041BA10 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
0041BA13 8955 D8 MOV DWORD PTR SS:[EBP-28],EDX
0041BA16 68 01060080 PUSH 80000601
0041BA1B 68 00003B40 PUSH 403B0000 ; high dword of the double 27.0 (0x403B000000000000)
0041BA20 68 00000000 PUSH 0
0041BA25 68 01060080 PUSH 80000601
0041BA2A FF75 D8 PUSH DWORD PTR SS:[EBP-28]
0041BA2D FF75 D4 PUSH DWORD PTR SS:[EBP-2C]
0041BA30 68 02000000 PUSH 2
0041BA35 BB 48000000 MOV EBX,48
0041BA3A E8 8C0D0000 CALL 破解我5.0041C7CB ; remainder of the square-rooted ID value modulo 27
0041BA3F 83C4 1C ADD ESP,1C
0041BA42 8945 CC MOV DWORD PTR SS:[EBP-34],EAX
0041BA45 8955 D0 MOV DWORD PTR SS:[EBP-30],EDX
0041BA48 DD45 CC FLD QWORD PTR SS:[EBP-34]
0041BA4B DF6D F4 FILD QWORD PTR SS:[EBP-C] ; load the saved sum of the serial's characters
0041BA4E DD5D C4 FSTP QWORD PTR SS:[EBP-3C]
0041BA51 DC45 C4 FADD QWORD PTR SS:[EBP-3C] ; add the remainder and the serial's character sum
0041BA54 DD5D BC FSTP QWORD PTR SS:[EBP-44]
0041BA57 DD45 BC FLD QWORD PTR SS:[EBP-44]
0041BA5A DC0D B06B4100 FMUL QWORD PTR DS:[416BB0] ; multiply the sum by 4 (the constant at 416BB0 is not shown in this listing)
0041BA60 DD5D B4 FSTP QWORD PTR SS:[EBP-4C]
0041BA63 DD45 B4 FLD QWORD PTR SS:[EBP-4C]
0041BA66 E8 A9FCFFFF CALL 破解我5.0041B714 ; double -> integer: convert the product to an integer
0041BA6B 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
0041BA6E 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
0041BA71 68 01040080 PUSH 80000401
0041BA76 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
0041BA79 FF75 F4 PUSH DWORD PTR SS:[EBP-C]
0041BA7C 68 01000000 PUSH 1
0041BA81 BB 68010000 MOV EBX,168
0041BA86 E8 400D0000 CALL 破解我5.0041C7CB ; convert that integer to a string
0041BA8B 83C4 10 ADD ESP,10
0041BA8E 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
0041BA91 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0041BA94 E9 00000000 JMP 破解我5.0041BA99
0041BA99 8BE5 MOV ESP,EBP
0041BA9B 5D POP EBP
0041BA9C C3 RETN
附注册机代码(写的有点乱..~):
#include <cmath>
#include <cstdlib>
#include <cstring>
#include <fstream>
#include <iostream>
using namespace std;
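// Solves the check derived in the analysis for a fixed ID and user name:
//   remain = fmod(sqrt(ID - 1989), 27.0)
//   (int)((remain + regcodesum) * 4) == namesum
// where namesum / regcodesum are the sums of the character codes of the user
// name and of the serial. The check depends only on those two sums, so any
// string with the right character sum satisfies it.
int main()
{
    int ID = 805495;          // ID
    char name[20] = "vecri";  // user name
    int namesum = 0;          // sum of the user name's character codes
    int regcodesum = 0;       // sum of the serial's character codes (solved for below)
    bool flag = false;        // some user names have no matching serial; true once one is found

    // Sum of the user name's character codes.
    // NOTE(review): plain char may be signed, so bytes >= 0x80 would add
    // negative values here; whether the target sums them the same way is
    // not shown in the listing.
    const int len = static_cast<int>(std::strlen(name));
    for (int i = 0; i < len; i++)
    {
        namesum += name[i];
    }

    ID -= 1989;
    // sqrt() of a negative value yields NaN, and converting NaN to int is
    // undefined behaviour, so an ID below 1989 is reported as "no solution".
    if (ID >= 0)
    {
        // Square root of the adjusted ID, modulo 27.0.
        const double remain = std::fmod(std::sqrt(static_cast<double>(ID)), 27.0);

        // Rough estimate from the formula; the double -> int conversions lose
        // the fractional part, so the exact value is searched for around it.
        regcodesum = static_cast<int>(namesum - remain * 4.0);
        regcodesum = static_cast<int>(regcodesum / 4.0);

        for (int i = regcodesum - 4; i < regcodesum + 3; i++)
        {
            if (static_cast<int>((remain + i) * 4) == namesum)  // only an exact match is valid
            {
                regcodesum = i;
                flag = true;
                break;
            }
        }
    }

    if (!flag)
    {
        std::cout << "无解" << std::endl;
    }
    else
    {
        std::cout << "注册码ASCII码值之和为: " << regcodesum << std::endl;

        std::ofstream fout("result.txt");
        if (!fout)
        {
            // The console copy is still printed; only the file copy is missing.
            std::cerr << "cannot open result.txt for writing" << std::endl;
        }

        // Emit '0' characters while more than one '0' worth of sum remains,
        // then one final character carrying whatever is left.
        while (regcodesum > '0')
        {
            std::cout << "0";
            fout << "0";
            regcodesum -= '0';
        }
        if (regcodesum > 0)
        {
            // The last character may be non-printable; result.txt holds the
            // exact bytes for copy and paste.
            std::cout << static_cast<char>(regcodesum);
            fout << static_cast<char>(regcodesum);
        }
    }   // fout is flushed and closed here, before the pause below

    std::system("pause");
    return 0;
}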
如果有什么不对..请指正..~
[ 本帖最后由 vecri 于 2008-1-1 22:35 编辑 ] |