TA的每日心情 | 开心
2018-12-18 12:34 |
|---|
签到天数: 4 天 [LV.2]偶尔看看I
|
【文章标题】: 3D Art Screen Saver 5.0算法分析和C注册机源码
【文章作者】: qifeon
【软件名称】: 3D Art Screen Saver 5.0
【下载地址】: http://www.onlinedown.net/soft/33724.htm
【保护方式】: 注册码
【编写语言】: 英文
【使用工具】: OD
【软件介绍】: 3D Art Screen Saver 是一个精美的3D艺术屏幕保护程
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
一、破解过程
这是一个屏保程序,安装后看不到主程序。运行文件夹里的Launch Setup后启动主程序,然后利用OD的附加功能,附加进程里的 3D Art.SCR
未命名的窗口
进程 名称 窗口 路径
00001244 3D Art 3D Art Screen Saver C:\WINDOWS\system32\3D Art.SCR 附加程序
000013CC Launch Se C:\Program Files\3D Art\Launch Setup.exe
然后就可以正常调试了。about项里找到注册项,输入“qifeon,123456”,出现错误提示“this user name does not match the registration code entered”,
利用插件查找此字符串
Ultra String Reference, 条目 20
Address=0040172F
Disassembly=push 0045E258
Text String=this user name does not match the registration code entered.
双击后来到
*******************************************************************************************************************************************************
00401705 |. 68 F8E14500 push 0045E1F8 ; registration successful!
0040170A |. 68 14E24500 push 0045E214 ; thank you for registering the program.
0040170F |. 8B8D 64FFFFFF mov ecx, dword ptr [ebp-9C]
00401715 |. E8 B13E0400 call 004455CB
0040171A |. C645 FC 02 mov byte ptr [ebp-4], 2
0040171E |. 8D4D 80 lea ecx, dword ptr [ebp-80]
00401721 |. E8 2B5A0400 call 00447151
00401726 |. EB 17 jmp short 0040173F
00401728 |> 6A 10 push 10
0040172A |. 68 3CE24500 push 0045E23C ; registration unsuccessful
0040172F |. 68 58E24500 push 0045E258 ; this user name does not match the registration code entered.
返回处
*********************************************************************************************************************************************************
向上可以找到段首
************************************************************************************************************************************************************
004013BD /. 55 push ebp 段首
004013BE |. 8BEC mov ebp, esp
004013C0 |. 6A FF push -1
004013C2 |. 68 09DD4400 push 0044DD09 ; SE 处理程序安装
004013C7 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
004013CD |. 50 push eax
004013CE |. 64:8925 00000>mov dword ptr fs:[0], esp
004013D5 |. 81EC C4000000 sub esp, 0C4
004013DB |. 898D 64FFFFFF mov dword ptr [ebp-9C], ecx
004013E1 |. 8D4D E8 lea ecx, dword ptr [ebp-18]
004013E4 |. E8 C7070000 call 00401BB0
004013E9 |. C745 FC 00000>mov dword ptr [ebp-4], 0
004013F0 |. 8D4D EC lea ecx, dword ptr [ebp-14]
004013F3 |. E8 B8070000 call 00401BB0
004013F8 |. C645 FC 01 mov byte ptr [ebp-4], 1
004013FC |. 8B85 64FFFFFF mov eax, dword ptr [ebp-9C]
00401402 |. 50 push eax
00401403 |. 8D4D 84 lea ecx, dword ptr [ebp-7C]
00401406 |. E8 652F0100 call 00414370
0040140B |. C645 FC 02 mov byte ptr [ebp-4], 2
0040140F |. 8D4D 84 lea ecx, dword ptr [ebp-7C]
00401412 |. E8 7D220400 call 00443694 ; 出现程序注册对话框
00401417 |. 8945 F0 mov dword ptr [ebp-10], eax
0040141A |. 837D F0 01 cmp dword ptr [ebp-10], 1 ; 判断注册或取消按钮,点注册则返回eax=1
0040141E |. 0F85 1B030000 jnz 0040173F ; 点注册按钮则不跳
00401424 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
00401427 |. 51 push ecx
00401428 |. 8D4D E8 lea ecx, dword ptr [ebp-18]
0040142B |. E8 0E5E0400 call 0044723E
00401430 |. 8D55 E0 lea edx, dword ptr [ebp-20]
00401433 |. 52 push edx
00401434 |. 8D4D EC lea ecx, dword ptr [ebp-14]
00401437 |. E8 025E0400 call 0044723E
0040143C |. 8D4D E8 lea ecx, dword ptr [ebp-18]
0040143F |. E8 8C070000 call 00401BD0 ; 检查用户名是否为空
00401444 |. 85C0 test eax, eax ; 不为空eax=0
00401446 |. 74 43 je short 0040148B
00401448 |. 6A 10 push 10
0040144A |. 68 60E14500 push 0045E160 ; registration unsuccessful
0040144F |. 68 7CE14500 push 0045E17C ; please enter a username
00401454 |. 8B8D 64FFFFFF mov ecx, dword ptr [ebp-9C]
0040145A |. E8 6C410400 call 004455CB
0040145F |. C645 FC 01 mov byte ptr [ebp-4], 1
00401463 |. 8D4D 84 lea ecx, dword ptr [ebp-7C]
00401466 |. E8 95060000 call 00401B00
0040146B |. C645 FC 00 mov byte ptr [ebp-4], 0
0040146F |. 8D4D EC lea ecx, dword ptr [ebp-14]
00401472 |. E8 DA5C0400 call 00447151
00401477 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
0040147E |. 8D4D E8 lea ecx, dword ptr [ebp-18]
00401481 |. E8 CB5C0400 call 00447151
00401486 |. E9 DB020000 jmp 00401766
0040148B |> 8D4D EC lea ecx, dword ptr [ebp-14]
0040148E |. E8 3D070000 call 00401BD0 ; 试炼码是否为空?
00401493 |. 85C0 test eax, eax ; 不为空则返回eax=0
00401495 |. 74 43 je short 004014DA
00401497 |. 6A 10 push 10
00401499 |. 68 94E14500 push 0045E194 ; registration unsuccessful
0040149E |. 68 B0E14500 push 0045E1B0 ; please enter a registration code
004014A3 |. 8B8D 64FFFFFF mov ecx, dword ptr [ebp-9C]
004014A9 |. E8 1D410400 call 004455CB
004014AE |. C645 FC 01 mov byte ptr [ebp-4], 1
004014B2 |. 8D4D 84 lea ecx, dword ptr [ebp-7C]
004014B5 |. E8 46060000 call 00401B00
004014BA |. C645 FC 00 mov byte ptr [ebp-4], 0
004014BE |. 8D4D EC lea ecx, dword ptr [ebp-14]
004014C1 |. E8 8B5C0400 call 00447151
004014C6 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004014CD |. 8D4D E8 lea ecx, dword ptr [ebp-18]
004014D0 |. E8 7C5C0400 call 00447151
004014D5 |. E9 8C020000 jmp 00401766
004014DA |> 51 push ecx
004014DB |. 8BCC mov ecx, esp
004014DD |. 89A5 7CFFFFFF mov dword ptr [ebp-84], esp
004014E3 |. 8D45 EC lea eax, dword ptr [ebp-14]
004014E6 |. 50 push eax
004014E7 |. E8 DA590400 call 00446EC6
004014EC |. 8985 60FFFFFF mov dword ptr [ebp-A0], eax
004014F2 |. 8B8D 60FFFFFF mov ecx, dword ptr [ebp-A0]
004014F8 |. 898D 5CFFFFFF mov dword ptr [ebp-A4], ecx
004014FE |. C645 FC 03 mov byte ptr [ebp-4], 3
00401502 |. 51 push ecx
00401503 |. 8BCC mov ecx, esp
00401505 |. 89A5 78FFFFFF mov dword ptr [ebp-88], esp
0040150B |. 8D55 E8 lea edx, dword ptr [ebp-18]
0040150E |. 52 push edx
0040150F |. E8 B2590400 call 00446EC6
00401514 |. 8985 58FFFFFF mov dword ptr [ebp-A8], eax
0040151A |. 8B85 58FFFFFF mov eax, dword ptr [ebp-A8]
00401520 |. 8985 54FFFFFF mov dword ptr [ebp-AC], eax
00401526 |. C645 FC 04 mov byte ptr [ebp-4], 4
0040152A |. E8 F1060000 call 00401C20
0040152F |. 8BC8 mov ecx, eax
00401531 |. C645 FC 02 mov byte ptr [ebp-4], 2
00401535 |. E8 F25F0100 call 0041752C ; 算法CALL
0040153A |. 8985 50FFFFFF mov dword ptr [ebp-B0], eax
00401540 |. 83BD 50FFFFFF>cmp dword ptr [ebp-B0], 0
00401547 |. 0F84 DB010000 je 00401728 ; 关键跳转
0040154D |. 51 push ecx
0040154E |. 8BCC mov ecx, esp
00401550 |. 89A5 74FFFFFF mov dword ptr [ebp-8C], esp
00401556 |. 8D55 EC lea edx, dword ptr [ebp-14]
00401559 |. 52 push edx
0040155A |. E8 67590400 call 00446EC6
0040155F |. 8985 4CFFFFFF mov dword ptr [ebp-B4], eax
00401565 |. 8B85 4CFFFFFF mov eax, dword ptr [ebp-B4]
0040156B |. 8985 48FFFFFF mov dword ptr [ebp-B8], eax
00401571 |. C645 FC 05 mov byte ptr [ebp-4], 5
00401575 |. 51 push ecx
00401576 |. 8BCC mov ecx, esp
00401578 |. 89A5 70FFFFFF mov dword ptr [ebp-90], esp
0040157E |. 8D55 E8 lea edx, dword ptr [ebp-18]
00401581 |. 52 push edx
00401582 |. E8 3F590400 call 00446EC6
00401587 |. 8985 44FFFFFF mov dword ptr [ebp-BC], eax
0040158D |. 8B85 44FFFFFF mov eax, dword ptr [ebp-BC]
00401593 |. 8985 40FFFFFF mov dword ptr [ebp-C0], eax
00401599 |. C645 FC 06 mov byte ptr [ebp-4], 6
0040159D |. E8 7E060000 call 00401C20
004015A2 |. 8BC8 mov ecx, eax
004015A4 |. C645 FC 02 mov byte ptr [ebp-4], 2
004015A8 |. E8 D1620100 call 0041787E
004015AD |. 8D4D 80 lea ecx, dword ptr [ebp-80]
004015B0 |. E8 FB050000 call 00401BB0
004015B5 |. C645 FC 07 mov byte ptr [ebp-4], 7
004015B9 |. 68 D4E14500 push 0045E1D4 ; .
004015BE |. E8 5D060000 call 00401C20
004015C3 |. 05 04020000 add eax, 204
004015C8 |. 50 push eax
004015C9 |. 68 D8E14500 push 0045E1D8 ; this program is registered to
004015CE |. 8D8D 6CFFFFFF lea ecx, dword ptr [ebp-94]
004015D4 |. 51 push ecx
----------------------------————————————————————————————————-
略去若干代码
————————————————————————————————————————————————
00401703 |. 6A 40 push 40
00401705 |. 68 F8E14500 push 0045E1F8 ; registration successful!
0040170A |. 68 14E24500 push 0045E214 ; thank you for registering the program.
0040170F |. 8B8D 64FFFFFF mov ecx, dword ptr [ebp-9C]
00401715 |. E8 B13E0400 call 004455CB
0040171A |. C645 FC 02 mov byte ptr [ebp-4], 2
0040171E |. 8D4D 80 lea ecx, dword ptr [ebp-80]
00401721 |. E8 2B5A0400 call 00447151
00401726 |. EB 17 jmp short 0040173F
00401728 |> 6A 10 push 10
0040172A |. 68 3CE24500 push 0045E23C ; registration unsuccessful
0040172F |. 68 58E24500 push 0045E258 ; this user name does not match the registration code entered.
00401734 |. 8B8D 64FFFFFF mov ecx, dword ptr [ebp-9C]
0040173A |. E8 8C3E0400 call 004455CB
****************************************************************************************************************************************
段首下断,重载。点ABOUT,再点Regster now 断下,单步,中间输入试炼码,进入算法CALL call 0041752C
***************************************************************************************************************************************
0041752C /$ 55 push ebp
0041752D |. 8BEC mov ebp, esp
0041752F |. 6A FF push -1
00417531 |. 68 51F24400 push 0044F251 ; SE 处理程序安装
00417536 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0041753C |. 50 push eax
0041753D |. 64:8925 00000>mov dword ptr fs:[0], esp
00417544 |. 83EC 44 sub esp, 44
00417547 |. 894D CC mov dword ptr [ebp-34], ecx
0041754A |. C745 FC 01000>mov dword ptr [ebp-4], 1
00417551 |. 68 000F4600 push 00460F00 ; 141040
00417556 |. 8D45 0C lea eax, dword ptr [ebp+C]
00417559 |. 50 push eax
0041755A |. E8 91BDFEFF call 004032F0 ; 判断是否是固定注册码码“141040”
0041755F |. 25 FF000000 and eax, 0FF
00417564 |. 85C0 test eax, eax
00417566 |. 75 17 jnz short 0041757F ; 验证失败则进入第2组注册码判断
00417568 |. 68 080F4600 push 00460F08 ; 117445
0041756D |. 8D4D 0C lea ecx, dword ptr [ebp+C]
00417570 |. 51 push ecx
00417571 |. E8 7ABDFEFF call 004032F0 ; 判断是否是固定注册码码“117445”
00417576 |. 25 FF000000 and eax, 0FF
0041757B |. 85C0 test eax, eax
0041757D |. 74 64 je short 004175E3 ; 验证失败则进入另一组注册码判断
0041757F |> 51 push ecx
00417580 |. 8BCC mov ecx, esp
00417582 |. 8965 E8 mov dword ptr [ebp-18], esp
00417585 |. 8D55 0C lea edx, dword ptr [ebp+C]
00417588 |. 52 push edx
00417589 |. E8 38F90200 call 00446EC6
0041758E |. 8945 C8 mov dword ptr [ebp-38], eax
00417591 |. 8B45 C8 mov eax, dword ptr [ebp-38]
00417594 |. 8945 C4 mov dword ptr [ebp-3C], eax
00417597 |. C645 FC 02 mov byte ptr [ebp-4], 2
0041759B |. 51 push ecx
0041759C |. 8BCC mov ecx, esp
0041759E |. 8965 E4 mov dword ptr [ebp-1C], esp
004175A1 |. 8D55 08 lea edx, dword ptr [ebp+8]
004175A4 |. 52 push edx
004175A5 |. E8 1CF90200 call 00446EC6
004175AA |. 8945 C0 mov dword ptr [ebp-40], eax
004175AD |. 8B4D CC mov ecx, dword ptr [ebp-34]
004175B0 |. C645 FC 01 mov byte ptr [ebp-4], 1
004175B4 |. E8 C5020000 call 0041787E
004175B9 |. C745 E0 FFFFF>mov dword ptr [ebp-20], -1
004175C0 |. C645 FC 00 mov byte ptr [ebp-4], 0
004175C4 |. 8D4D 08 lea ecx, dword ptr [ebp+8]
004175C7 |. E8 85FB0200 call 00447151
004175CC |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004175D3 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
004175D6 |. E8 76FB0200 call 00447151
004175DB |. 8B45 E0 mov eax, dword ptr [ebp-20]
004175DE |. E9 0A010000 jmp 004176ED
004175E3 |> 8D4D EC lea ecx, dword ptr [ebp-14] ; 第2组注册码失败后跳到这里
004175E6 |. E8 C5A5FEFF call 00401BB0
004175EB |. C645 FC 03 mov byte ptr [ebp-4], 3
004175EF |. 6A 0A push 0A
004175F1 |. 68 00010000 push 100
004175F6 |. 8D4D EC lea ecx, dword ptr [ebp-14]
004175F9 |. E8 F6FE0200 call 004474F4
004175FE |. 50 push eax
004175FF |. 68 2C010000 push 12C
00417604 |. E8 909E0000 call 00421499
00417609 |. 83C4 0C add esp, 0C
0041760C |. 6A FF push -1
0041760E |. 8D4D EC lea ecx, dword ptr [ebp-14]
00417611 |. E8 2DFF0200 call 00447543
00417616 |. 51 push ecx
00417617 |. 8BCC mov ecx, esp
00417619 |. 8965 DC mov dword ptr [ebp-24], esp
0041761C |. 8D45 EC lea eax, dword ptr [ebp-14]
0041761F |. 50 push eax
00417620 |. E8 A1F80200 call 00446EC6
00417625 |. 8945 BC mov dword ptr [ebp-44], eax
00417628 |. 8B4D BC mov ecx, dword ptr [ebp-44]
0041762B |. 894D B8 mov dword ptr [ebp-48], ecx
0041762E |. C645 FC 04 mov byte ptr [ebp-4], 4
00417632 |. 51 push ecx
00417633 |. 8BCC mov ecx, esp
00417635 |. 8965 D8 mov dword ptr [ebp-28], esp
00417638 |. 8D55 08 lea edx, dword ptr [ebp+8]
0041763B |. 52 push edx
0041763C |. E8 85F80200 call 00446EC6
00417641 |. 8945 B4 mov dword ptr [ebp-4C], eax
00417644 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00417647 |. 50 push eax
00417648 |. 8B4D CC mov ecx, dword ptr [ebp-34]
0041764B |. C645 FC 03 mov byte ptr [ebp-4], 3
0041764F |. E8 A9000000 call 004176FD ; 算法CALL
00417654 |. 8945 B0 mov dword ptr [ebp-50], eax
00417657 |. C645 FC 05 mov byte ptr [ebp-4], 5
0041765B |. 8D4D 0C lea ecx, dword ptr [ebp+C]
0041765E |. 51 push ecx
0041765F |. 8D55 F0 lea edx, dword ptr [ebp-10]
00417662 |. 52 push edx
00417663 |. E8 7805FFFF call 00407BE0 ; 上面计算得到注册码与试炼码比较
00417668 |. 25 FF000000 and eax, 0FF
0041766D |. 85C0 test eax, eax
0041766F |. 74 3F je short 004176B0
00417671 |. C745 D4 01000>mov dword ptr [ebp-2C], 1
00417678 |. C645 FC 03 mov byte ptr [ebp-4], 3
0041767C |. 8D4D F0 lea ecx, dword ptr [ebp-10]
0041767F |. E8 CDFA0200 call 00447151
00417684 |. C645 FC 01 mov byte ptr [ebp-4], 1
00417688 |. 8D4D EC lea ecx, dword ptr [ebp-14]
0041768B |. E8 C1FA0200 call 00447151
00417690 |. C645 FC 00 mov byte ptr [ebp-4], 0
00417694 |. 8D4D 08 lea ecx, dword ptr [ebp+8]
00417697 |. E8 B5FA0200 call 00447151
0041769C |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004176A3 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
004176A6 |. E8 A6FA0200 call 00447151
004176AB |. 8B45 D4 mov eax, dword ptr [ebp-2C]
004176AE |. EB 3D jmp short 004176ED
004176B0 |> C745 D0 00000>mov dword ptr [ebp-30], 0
004176B7 |. C645 FC 03 mov byte ptr [ebp-4], 3
004176BB |. 8D4D F0 lea ecx, dword ptr [ebp-10]
004176BE |. E8 8EFA0200 call 00447151
004176C3 |. C645 FC 01 mov byte ptr [ebp-4], 1
004176C7 |. 8D4D EC lea ecx, dword ptr [ebp-14]
004176CA |. E8 82FA0200 call 00447151
004176CF |. C645 FC 00 mov byte ptr [ebp-4], 0
004176D3 |. 8D4D 08 lea ecx, dword ptr [ebp+8]
004176D6 |. E8 76FA0200 call 00447151
004176DB |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004176E2 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
004176E5 |. E8 67FA0200 call 00447151
004176EA |. 8B45 D0 mov eax, dword ptr [ebp-30]
004176ED |> 8B4D F4 mov ecx, dword ptr [ebp-C]
004176F0 |. 64:890D 00000>mov dword ptr fs:[0], ecx
004176F7 |. 8BE5 mov esp, ebp
004176F9 |. 5D pop ebp
004176FA \. C2 0800 retn 8
***********************************************************************************************************************
进入第3组注册码算法CALL 004176FD
*************************************************************************************************************************
004176FD /$ 55 push ebp
004176FE |. 8BEC mov ebp, esp
00417700 |. 6A FF push -1
00417702 |. 68 9FF24400 push 0044F29F ; SE 处理程序安装
00417707 |. 64:A1 0000000>mov eax, dword ptr fs:[0]
0041770D |. 50 push eax
0041770E |. 64:8925 00000>mov dword ptr fs:[0], esp
00417715 |. 83EC 30 sub esp, 30
00417718 |. 894D CC mov dword ptr [ebp-34], ecx
0041771B |. C745 D0 00000>mov dword ptr [ebp-30], 0
00417722 |. C745 FC 02000>mov dword ptr [ebp-4], 2
00417729 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
0041772C |. E8 7FA4FEFF call 00401BB0
00417731 |. C645 FC 03 mov byte ptr [ebp-4], 3
00417735 |. 8D4D D8 lea ecx, dword ptr [ebp-28]
00417738 |. E8 73A4FEFF call 00401BB0
0041773D |. C645 FC 04 mov byte ptr [ebp-4], 4
00417741 |. C745 E8 00000>mov dword ptr [ebp-18], 0
00417748 |. 8D45 10 lea eax, dword ptr [ebp+10]
0041774B |. 50 push eax
0041774C |. 8D4D 0C lea ecx, dword ptr [ebp+C]
0041774F |. 51 push ecx
00417750 |. 8D55 D4 lea edx, dword ptr [ebp-2C]
00417753 |. 52 push edx
00417754 |. E8 9AFB0200 call 004472F3
00417759 |. 8945 C8 mov dword ptr [ebp-38], eax
0041775C |. 8B45 C8 mov eax, dword ptr [ebp-38]
0041775F |. 8945 C4 mov dword ptr [ebp-3C], eax
00417762 |. C645 FC 05 mov byte ptr [ebp-4], 5
00417766 |. 8B4D C4 mov ecx, dword ptr [ebp-3C]
00417769 |. 51 push ecx
0041776A |. 8D4D 0C lea ecx, dword ptr [ebp+C]
0041776D |. E8 CCFA0200 call 0044723E
00417772 |. C645 FC 04 mov byte ptr [ebp-4], 4
00417776 |. 8D4D D4 lea ecx, dword ptr [ebp-2C]
00417779 |. E8 D3F90200 call 00447151
0041777E |. 8D4D 0C lea ecx, dword ptr [ebp+C]
00417781 |. E8 4ABBFEFF call 004032D0
00417786 |. 8945 EC mov dword ptr [ebp-14], eax
00417789 |. 68 00010000 push 100
0041778E |. 8D4D 10 lea ecx, dword ptr [ebp+10]
00417791 |. E8 5EFD0200 call 004474F4
00417796 |. 50 push eax
00417797 |. E8 E1A60000 call 00421E7D
0041779C |. 83C4 04 add esp, 4
0041779F |. 8945 DC mov dword ptr [ebp-24], eax
004177A2 |. 6A FF push -1
004177A4 |. 8D4D 10 lea ecx, dword ptr [ebp+10]
004177A7 |. E8 97FD0200 call 00447543
004177AC |. 68 00010000 push 100
004177B1 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
004177B4 |. E8 3BFD0200 call 004474F4 ; 试炼码与固定字符串“300”连接
004177B9 |. 8945 F0 mov dword ptr [ebp-10], eax
004177BC |. C745 E0 00000>mov dword ptr [ebp-20], 0
004177C3 |. EB 09 jmp short 004177CE
004177C5 |> 8B55 E0 /mov edx, dword ptr [ebp-20] ; ebp-20的值传送回edx
004177C8 |. 83C2 01 |add edx, 1 ; edx值增1
004177CB |. 8955 E0 |mov dword ptr [ebp-20], edx ; edx值放入ebp-20,以便于后面参与计算
004177CE |> 8B45 E0 mov eax, dword ptr [ebp-20] ; ebp-20的值放入eax
004177D1 |. 3B45 EC |cmp eax, dword ptr [ebp-14] ; 判断是否是否最后一位字符,ebp-14放置字符串长度len
004177D4 |. 7D 13 |jge short 004177E9 ; 大于或等于则跳出循环
004177D6 |. 8B4D F0 |mov ecx, dword ptr [ebp-10] ; 连接后字符串放入ecx
004177D9 |. 034D E0 |add ecx, dword ptr [ebp-20] ; ecx值由ebp-20传送,每次循环增1
004177DC |. 0FBE11 |movsx edx, byte ptr [ecx] ; 连接后字符串逐位扩充放入edx
004177DF |. 8B45 E8 |mov eax, dword ptr [ebp-18] ; ebp-18 值放入eax
004177E2 |. 03C2 |add eax, edx ; eax与edx值相加
004177E4 |. 8945 E8 |mov dword ptr [ebp-18], eax ; 相加后的值存入ebp-18
004177E7 |.^ EB DC \jmp short 004177C5
004177E9 |> 8B4D E8 mov ecx, dword ptr [ebp-18] ; 连接后字符串ASCII值之和设为sum
004177EC |. 2B4D DC sub ecx, dword ptr [ebp-24] ; 减去300的16进制12Ch
004177EF |. 894D E8 mov dword ptr [ebp-18], ecx ; sum-12Ch值放入ebp-18
004177F2 |. 8B55 DC mov edx, dword ptr [ebp-24] ; 12Ch放入edx
004177F5 |. 2B55 EC sub edx, dword ptr [ebp-14] ; edx=12Ch-len
004177F8 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; eax=sum-12Ch
004177FB |. 0FAFC2 imul eax, edx ; eax相乘edx
004177FE |. 8945 E8 mov dword ptr [ebp-18], eax ; 相乘结果放在ebp-18
00417801 |. 6A 0A push 0A
00417803 |. 68 00010000 push 100
00417808 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
0041780B |. E8 E4FC0200 call 004474F4
00417810 |. 50 push eax
00417811 |. 8B4D E8 mov ecx, dword ptr [ebp-18] ; 相乘结果放入ecx
00417814 |. 51 push ecx
00417815 |. E8 7F9C0000 call 00421499 ; 相乘结果10进制转为字符串,即为注册码
0041781A |. 83C4 0C add esp, 0C
0041781D |. 6A FF push -1
0041781F |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
00417822 |. E8 1CFD0200 call 00447543 ; 取计算后长度
00417827 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
0041782A |. 52 push edx
0041782B |. 8B4D 08 mov ecx, dword ptr [ebp+8]
0041782E |. E8 93F60200 call 00446EC6
00417833 |. 8B45 D0 mov eax, dword ptr [ebp-30]
00417836 |. 0C 01 or al, 1
00417838 |. 8945 D0 mov dword ptr [ebp-30], eax
0041783B |. C645 FC 03 mov byte ptr [ebp-4], 3
0041783F |. 8D4D D8 lea ecx, dword ptr [ebp-28]
00417842 |. E8 0AF90200 call 00447151
00417847 |. C645 FC 02 mov byte ptr [ebp-4], 2
0041784B |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
0041784E |. E8 FEF80200 call 00447151
00417853 |. C645 FC 01 mov byte ptr [ebp-4], 1
00417857 |. 8D4D 0C lea ecx, dword ptr [ebp+C]
0041785A |. E8 F2F80200 call 00447151
0041785F |. C645 FC 00 mov byte ptr [ebp-4], 0
00417863 |. 8D4D 10 lea ecx, dword ptr [ebp+10]
00417866 |. E8 E6F80200 call 00447151
0041786B |. 8B45 08 mov eax, dword ptr [ebp+8]
0041786E |. 8B4D F4 mov ecx, dword ptr [ebp-C]
00417871 |. 64:890D 00000>mov dword ptr fs:[0], ecx
00417878 |. 8BE5 mov esp, ebp
0041787A |. 5D pop ebp
0041787B \. C2 0C00 retn 0C
*********************************************************************************************************
限于篇幅,有些CALL调试时都跟进了,这里破文就略去了。兄弟们如果玩玩需要进去看看。比如
0040143F |. E8 8C070000 call 00401BD0 ; 检查用户名是否为空
还有
0041755A |. E8 91BDFEFF call 004032F0 ; 判断是否是固定注册码码“141040”
***************************************************************************************************************
二。算法总结
1、注册码有3组,前2组为固定字符串,与用户名无关。第一组可用注册码“141040”
第二组可用注册码“117445"”
2、第3组注册码由用户名与固定字符串“300”计算而来:
用户名与固定字符串“300”连接后字符串ASCII值之和设为sum,长度设为len,300的16进制为12Ch
(sum-300)乘以(300-len)十进制的值转化为字符串即为对应用户名的注册码
************************************************************************************************************************
三、C算法注册机源代码
#include "stdio.h"
#include "string.h"
void main()
{
int i,cheng,sum=0,len;
char name[20];
scanf("%s",name);
strcat (name,"300");
len=strlen(name);
for (i=0;i<len;i++)
sum=sum+name;
cheng=(sum-300)*(300-len);
printf("%d",cheng);
system("PAUSE");
}
[ 本帖最后由 qifeon 于 2008-8-6 01:46 编辑 ] |
评分
-
查看全部评分
|
IP卡
发表于 2008-8-6 01:45:00
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2008-8-6 10:41:05
发表于 2008-9-11 23:17:21
楼主
发表于 2008-9-29 10:35:07