【文章作者】: 网络断魂
【软件名称】: emailverify V3.5
【下载地址】: 自己搜索
【加壳方式】: ASPack 2.12 -> Alexey Solodovnikov
【保护方式】: 序列号
【编写语言】: Borland Delphi 4.0 - 5.0
【使用工具】: PEID,OD,
【操作平台】: XP SP3,
【软件介绍】: EMAIL地址验证软件
【作者声明】: 菜鸟学习算法,失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
本机注册信息:
机器码:38076666219
CPUID:000006D8
真码:38181114
1、根据字符串提示找到注册码关键函数:
; Registration check, following the article author's annotations. In short: the
; entered code is converted to a 64-bit number, divided by 0x29A, reduced by
; 0xD919, and the result is compared with the first CPUID dword. The callees are
; not shown on this page, so statements about them follow the author's notes or
; are marked as presumed.
004B70E8 /. 55 push ebp ; entry of the registration-code check routine
004B70E9 |. 8BEC mov ebp, esp
004B70EB |. 83C4 D4 add esp, -2C ; reserve 0x2C bytes for locals
004B70EE |. 53 push ebx
004B70EF |. 33C9 xor ecx, ecx
004B70F1 |. 894D D4 mov dword ptr [ebp-2C], ecx ; zero the local at [ebp-2C]
004B70F4 |. 894D FC mov dword ptr [ebp-4], ecx ; zero the local at [ebp-4]
004B70F7 |. 8BD8 mov ebx, eax ; keep the incoming EAX; it is the base for the [ebx+...] accesses below
004B70F9 |. 33C0 xor eax, eax
004B70FB |. 55 push ebp
004B70FC |. 68 35724B00 push 004B7235
004B7101 |. 64:FF30 push dword ptr fs:[eax]
004B7104 |. 64:8920 mov dword ptr fs:[eax], esp ; link a new exception frame at fs:[0]
004B7107 |. 8D45 FC lea eax, dword ptr [ebp-4]
004B710A |. BA 4C724B00 mov edx, 004B724C ; 00000000
004B710F |. E8 9CCBF4FF call 00403CB0 ; callee not shown; presumably initialises the string at [ebp-4] from the constant above
004B7114 |. 8D4D FC lea ecx, dword ptr [ebp-4]
004B7117 |. BA 60724B00 mov edx, 004B7260 ; 请输入您的软件注册号 (string: "Please enter your software registration number")
004B711C |. B8 88724B00 mov eax, 004B7288 ; 登记注册 (string: "Register")
004B7121 |. E8 1EEDF9FF call 00455E44 ; callee not shown; presumably an input dialog that fills [ebp-4]
004B7126 |. 3C 01 cmp al, 1
004B7128 |. 0F85 E9000000 jnz 004B7217 ; no code entered (AL != 1): jump to the exit path
004B712E |. 8D55 D4 lea edx, dword ptr [ebp-2C]
004B7131 |. 8B45 FC mov eax, dword ptr [ebp-4] ; load the entered code string
004B7134 |. E8 2316F5FF call 0040875C ; callee not shown; its output string lands in [ebp-2C]
004B7139 |. 8B45 D4 mov eax, dword ptr [ebp-2C] ; load the processed input string
004B713C |. E8 3B18F5FF call 0040897C ; per the author: converts the entered text to a number; result is returned in EDX:EAX
004B7141 |. 8945 F0 mov dword ptr [ebp-10], eax ; store EAX (low dword of the entered value)
004B7144 |. 8955 F4 mov dword ptr [ebp-C], edx ; store EDX; the author calls it an array index, but the sub/sbb pair below treats it as the high dword
004B7147 |. 6A 00 push 0 ; high dword of the constant operand
004B7149 |. 68 9A020000 push 29A ; low dword of the constant operand: 0x29A (666)
004B714E |. 8B45 F0 mov eax, dword ptr [ebp-10] ; reload the low dword of the entered value
004B7151 |. 8B55 F4 mov edx, dword ptr [ebp-C] ; reload the high dword
004B7154 |. E8 A1F2F4FF call 004063FA ; per the author: divides the entered value by 0x29A; the author's "remainder XOR" remark cannot be confirmed from this listing
004B7159 |. 8945 F0 mov dword ptr [ebp-10], eax ; store the quotient (low dword)
004B715C |. 8955 F4 mov dword ptr [ebp-C], edx ; store EDX (presumably the quotient's high dword)
004B715F |. 8B45 F0 mov eax, dword ptr [ebp-10]
004B7162 |. 8B55 F4 mov edx, dword ptr [ebp-C]
004B7165 |. 2D 19D90000 sub eax, 0D919 ; quotient - 0xD919 (55577), low dword
004B716A |. 83DA 00 sbb edx, 0 ; propagate the borrow into the high dword
004B716D |. 8945 F0 mov dword ptr [ebp-10], eax ; store the difference (low dword)
004B7170 |. 8955 F4 mov dword ptr [ebp-C], edx ; store the difference (high dword)
004B7173 |. 8D45 D8 lea eax, dword ptr [ebp-28]
004B7176 |. E8 E1BBFFFF call 004B2D5C ; per the author: reads CPUID into the buffer at [ebp-28] (callee not shown)
004B717B |. 8B45 D8 mov eax, dword ptr [ebp-28] ; first dword of that buffer
004B717E |. 99 cdq ; sign-extend EAX into EDX:EAX
004B717F |. 8945 E8 mov dword ptr [ebp-18], eax ; store the CPUID value (low dword)
004B7182 |. 8955 EC mov dword ptr [ebp-14], edx ; store its sign extension (high dword)
004B7185 |. 8B45 F0 mov eax, dword ptr [ebp-10] ; transformed input, low dword
004B7188 |. 8B55 F4 mov edx, dword ptr [ebp-C] ; transformed input, high dword
004B718B |. 3B55 EC cmp edx, dword ptr [ebp-14] ; compare the high dwords
004B718E |. 75 72 jnz short 004B7202 ; mismatch: go to the "wrong registration number" branch
004B7190 |. 3B45 E8 cmp eax, dword ptr [ebp-18] ; compare the low dwords: transformed input vs. CPUID value
004B7193 |. 75 6D jnz short 004B7202 ; mismatch: go to the "wrong registration number" branch
004B7195 |. 6A 00 push 0
004B7197 |. 66:8B0D 94724>mov cx, word ptr [4B7294]
004B719E |. B2 02 mov dl, 2
004B71A0 |. B8 A0724B00 mov eax, 004B72A0 ; 软件登记注册成功! (string: "Software registration succeeded!")
004B71A5 |. E8 7EEBF9FF call 00455D28 ; callee not shown; presumably displays the message
004B71AA |. 8B83 18050000 mov eax, dword ptr [ebx+518]
004B71B0 |. E8 1F4EFEFF call 0049BFD4
004B71B5 |. 33D2 xor edx, edx
004B71B7 |. 8B83 00030000 mov eax, dword ptr [ebx+300]
004B71BD |. E8 5E7DF8FF call 0043EF20
004B71C2 |. A1 D0814C00 mov eax, dword ptr [4C81D0]
004B71C7 |. 8B00 mov eax, dword ptr [eax]
004B71C9 |. 8B80 E0020000 mov eax, dword ptr [eax+2E0]
004B71CF |. BA BC724B00 mov edx, 004B72BC ; 已注册版本 (string: "Registered version")
004B71D4 |. E8 2B76F7FF call 0042E804 ; callee not shown; presumably assigns the text to the object in EAX
004B71D9 |. 8B83 0C050000 mov eax, dword ptr [ebx+50C]
004B71DF |. C740 0C 09000>mov dword ptr [eax+C], 9 ; write 9 to the +C field of the object at [ebx+50C]; the routine at 004A3460 tests a +50C/+C field against 9
004B71E6 |. B2 01 mov dl, 1
004B71E8 |. 8B83 E4020000 mov eax, dword ptr [ebx+2E4]
004B71EE |. 8B08 mov ecx, dword ptr [eax]
004B71F0 |. FF51 5C call dword ptr [ecx+5C] ; indirect call through the table at [eax]
004B71F3 |. B2 01 mov dl, 1
004B71F5 |. 8B83 D4020000 mov eax, dword ptr [ebx+2D4]
004B71FB |. E8 207DF8FF call 0043EF20
004B7200 |. EB 15 jmp short 004B7217 ; success path done: skip the failure message
004B7202 |> 6A 00 push 0 ; failure branch starts here
004B7204 |. 66:8B0D 94724>mov cx, word ptr [4B7294]
004B720B |. B2 01 mov dl, 1
004B720D |. B8 D0724B00 mov eax, 004B72D0 ; 软件注册号错误! (string: "Wrong software registration number!")
004B7212 |. E8 11EBF9FF call 00455D28 ; callee not shown; presumably displays the message
004B7217 |> 33C0 xor eax, eax ; common exit path
004B7219 |. 5A pop edx
004B721A |. 59 pop ecx
004B721B |. 59 pop ecx
004B721C |. 64:8910 mov dword ptr fs:[eax], edx ; restore the previous exception frame at fs:[0]
004B721F |. 68 3C724B00 push 004B723C
004B7224 |> 8D45 D4 lea eax, dword ptr [ebp-2C]
004B7227 |. E8 ECC9F4FF call 00403C18 ; called once per local string; presumably releases it
004B722C |. 8D45 FC lea eax, dword ptr [ebp-4]
004B722F |. E8 E4C9F4FF call 00403C18
004B7234 \. C3 retn
2、从注册码算法中可以知道注册码经几次转换后与CPUID进行比较,软件开发商要远程计算注册码的话必定要用到CPUID,因此机器码一定是从CPUID计算得来,全局搜索cpuid命令,
来到:
; CPUID wrapper: EAX on entry points to a 4-dword output buffer, which receives
; EAX, EBX, ECX and EDX from CPUID leaf 1, in that order.
004A3448 /$ 53 push ebx ; CPUID overwrites EBX, so save it
004A3449 |. 57 push edi
004A344A |. 89C7 mov edi, eax ; EDI = output buffer passed in EAX
004A344C |. B8 01000000 mov eax, 1 ; select CPUID leaf 1
004A3451 |. 0FA2 cpuid ; leaf 1: EAX = processor signature (family/model/stepping), which names a CPU model rather than one machine
004A3453 |. AB stos dword ptr es:[edi] ; buffer[0] = EAX
004A3454 |. 89D8 mov eax, ebx
004A3456 |. AB stos dword ptr es:[edi] ; buffer[1] = EBX
004A3457 |. 89C8 mov eax, ecx
004A3459 |. AB stos dword ptr es:[edi] ; buffer[2] = ECX
004A345A |. 89D0 mov eax, edx
004A345C |. AB stos dword ptr es:[edi] ; buffer[3] = EDX
004A345D |. 5F pop edi
004A345E |. 5B pop ebx
004A345F \. C3 retn
返回后来到机器码计算函数:
; Machine-code display routine, following the article author's annotations. When
; the +C field tested below is not 9, it derives the displayed machine code from
; the first CPUID dword as ((cpuid + 0xD919) * 0x29A - 0x1031D) * 0x3E7 and shows
; it in decimal. Only fixed constants and CPUID enter the computation. The
; multiply and convert helpers are not shown; their roles follow the author's notes.
004A3460 /. 55 push ebp
004A3461 |. 8BEC mov ebp, esp
004A3463 |. 83C4 E4 add esp, -1C ; reserve 0x1C bytes for locals
004A3466 |. 53 push ebx
004A3467 |. 33C9 xor ecx, ecx
004A3469 |. 894D E4 mov dword ptr [ebp-1C], ecx ; zero the local at [ebp-1C]
004A346C |. 8BD8 mov ebx, eax ; keep the incoming EAX; it is the base for the [ebx+...] accesses below
004A346E |. 33C0 xor eax, eax
004A3470 |. 55 push ebp
004A3471 |. 68 5D354A00 push 004A355D ; address pushed for the exception frame linked below (the debugger's text guess for it was noise)
004A3476 |. 64:FF30 push dword ptr fs:[eax]
004A3479 |. 64:8920 mov dword ptr fs:[eax], esp ; link a new exception frame at fs:[0]
004A347C |. A1 98814C00 mov eax, dword ptr [4C8198]
004A3481 |. 8B00 mov eax, dword ptr [eax]
004A3483 |. 8B80 0C050000 mov eax, dword ptr [eax+50C]
004A3489 |. 8378 0C 09 cmp dword ptr [eax+C], 9 ; test the +C field against 9 (the value the registration check writes on success)
004A348D |. 75 22 jnz short 004A34B1 ; not 9: take the unregistered branch
004A348F |. BA 74354A00 mov edx, 004A3574 ; 已注册版本 (string: "Registered version")
004A3494 |. 8B83 E0020000 mov eax, dword ptr [ebx+2E0]
004A349A |. E8 65B3F8FF call 0042E804 ; callee not shown; presumably assigns the text to the object in EAX
004A349F |. 33D2 xor edx, edx
004A34A1 |. 8B83 F0020000 mov eax, dword ptr [ebx+2F0]
004A34A7 |. E8 58B3F8FF call 0042E804 ; same helper with EDX = 0 for the object at [ebx+2F0]
004A34AC |. E9 96000000 jmp 004A3547 ; registered: skip the machine-code computation
004A34B1 |> BA 88354A00 mov edx, 004A3588 ; 未注册版本 (string: "Unregistered version")
004A34B6 |. 8B83 E0020000 mov eax, dword ptr [ebx+2E0]
004A34BC |. E8 43B3F8FF call 0042E804
004A34C1 |. 8D45 E8 lea eax, dword ptr [ebp-18]
004A34C4 |. E8 7FFFFFFF call 004A3448 ; CPUID wrapper: fills the buffer at [ebp-18]
004A34C9 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; first dword of the buffer (EAX from CPUID leaf 1)
004A34CC |. 99 cdq ; sign-extend EAX into EDX:EAX
004A34CD |. 8945 F8 mov dword ptr [ebp-8], eax ; store the CPUID value (low dword)
004A34D0 |. 8955 FC mov dword ptr [ebp-4], edx ; store its sign extension (high dword)
004A34D3 |. 8B45 F8 mov eax, dword ptr [ebp-8]
004A34D6 |. 8B55 FC mov edx, dword ptr [ebp-4]
004A34D9 |. 05 19D90000 add eax, 0D919 ; CPUID + 0xD919 (55577), low dword
004A34DE |. 83D2 00 adc edx, 0 ; propagate the carry into the high dword
004A34E1 |. 8945 F8 mov dword ptr [ebp-8], eax ; store the sum, low dword (0xDFF1 on the author's machine)
004A34E4 |. 8955 FC mov dword ptr [ebp-4], edx ; store the sum, high dword (0 on the author's machine)
004A34E7 |. 6A 00 push 0 ; high dword of the constant operand
004A34E9 |. 68 9A020000 push 29A ; low dword of the constant operand: 0x29A (666)
004A34EE |. 8B45 F8 mov eax, dword ptr [ebp-8]
004A34F1 |. 8B55 FC mov edx, dword ptr [ebp-4]
004A34F4 |. E8 BB2EF6FF call 004063B4 ; per the author: multiplies by 0x29A (666); the author notes this product, in decimal, is the registration code
004A34F9 |. 8945 F8 mov dword ptr [ebp-8], eax ; store the product (low dword)
004A34FC |. 8955 FC mov dword ptr [ebp-4], edx ; store the product (high dword)
004A34FF |. 8B45 F8 mov eax, dword ptr [ebp-8]
004A3502 |. 8B55 FC mov edx, dword ptr [ebp-4]
004A3505 |. 2D 1D030100 sub eax, 1031D ; product - 0x1031D (66333), low dword
004A350A |. 83DA 00 sbb edx, 0 ; propagate the borrow into the high dword
004A350D |. 8945 F8 mov dword ptr [ebp-8], eax ; store the difference (low dword)
004A3510 |. 8955 FC mov dword ptr [ebp-4], edx ; store the difference (high dword)
004A3513 |. 6A 00 push 0 ; high dword of the constant operand
004A3515 |. 68 E7030000 push 3E7 ; low dword of the constant operand: 0x3E7 (999)
004A351A |. 8B45 F8 mov eax, dword ptr [ebp-8]
004A351D |. 8B55 FC mov edx, dword ptr [ebp-4]
004A3520 |. E8 8F2EF6FF call 004063B4 ; per the author: multiplies by 0x3E7 (999)
004A3525 |. 8945 F8 mov dword ptr [ebp-8], eax ; store the result (low dword)
004A3528 |. 8955 FC mov dword ptr [ebp-4], edx ; store the result (high dword)
004A352B |. FF75 FC push dword ptr [ebp-4] ; pass the high dword
004A352E |. FF75 F8 push dword ptr [ebp-8] ; pass the low dword
004A3531 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
004A3534 |. E8 D353F6FF call 0040890C ; per the author: converts the value to a decimal string, the machine code (0x8DD8BD16B on the author's machine)
004A3539 |. 8B55 E4 mov edx, dword ptr [ebp-1C] ; the decimal machine-code string
004A353C |. 8B83 F0020000 mov eax, dword ptr [ebx+2F0]
004A3542 |. E8 BDB2F8FF call 0042E804 ; callee not shown; presumably assigns the string to the object at [ebx+2F0]
004A3547 |> 33C0 xor eax, eax ; common exit path
004A3549 |. 5A pop edx
004A354A |. 59 pop ecx
004A354B |. 59 pop ecx
004A354C |. 64:8910 mov dword ptr fs:[eax], edx ; restore the previous exception frame at fs:[0]
004A354F |. 68 64354A00 push 004A3564
004A3554 |> 8D45 E4 lea eax, dword ptr [ebp-1C]
004A3557 |. E8 BC06F6FF call 00403C18 ; callee not shown; presumably releases the local string
004A355C \. C3 retn
3、算法总结:
1、[(cpuid+0d919)*29a-1031d]*3e7,转换为十进制后作为机器码
2、逆推CPUID(以下常量为十进制:999=0x3E7,66333=0x1031D,666=0x29A,55577=0xD919):CPUID=(机器码/999+66333)/666-55577=(38076666219/999+66333)/666-55577
3、注册码=(CPUID+D919)*29A=[(机器码/999+66333)/666-55577+55577]*666=(机器码/999+66333)/666*666=38181114(本机的)
4、注册机源码:
/// OK-button handler of the dialog.
///
/// Reads the machine-code text from IDC_EDIT1, evaluates
/// machine code / 999 + 66333 in double precision, and writes the result,
/// formatted without decimals, to IDC_EDIT2. An empty input only shows a
/// message box.
///
/// The arithmetic is the one given in the write-up's algorithm summary: the
/// value depends solely on the displayed machine code and two fixed constants,
/// so the scheme it mirrors contains no secret on the vendor side.
void CemailverifyV35注册机Dlg::OnBnClickedOk()
{
	CString machineCodeText;
	GetDlgItemText(IDC_EDIT1, machineCodeText);

	// Guard clause: nothing to compute without input.
	if (machineCodeText.GetLength() <= 0)
	{
		MessageBox("请输入机器码!!");
		return;
	}

	// atof yields a double; the 11-digit sample machine code on this page is
	// well inside the range a double represents exactly.
	const double machineCode = atof((LPCTSTR)machineCodeText);
	const double quotient = machineCode / 999;
	const double derived = quotient + 66333;

	CString resultText;
	resultText.Format("%.0f", derived);
	SetDlgItemText(IDC_EDIT2, resultText);
}
[ 本帖最后由 网络断魂 于 2008-3-5 18:47 编辑 ] |