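【Article title】: Algorithm analysis of XX lottery-draw software
【Author】: 丑男无敌
【Software name】: XX lottery-draw software
【Protection】: Registration code
【Language】: Delphi
【Tools used】: OD
【Platform】: XP
【Author's statement】: Just out of interest, with no other purpose. If I have made mistakes, corrections are welcome!
--------------------------------------------------------------------------------
【Detailed process】
Fill in the company address, the e-mail address and a fake code; the software shows the error message "注册失败,请输入正确的电子邮箱和注册号码!" (Registration failed, please enter the correct e-mail address and registration number!). The machine code (user code) is fixed, so I guess that the e-mail address and the machine code take part in the calculation. By searching for string references I found the key routine, set a breakpoint, and entered the e-mail chounan@126.com, filling in the other fields arbitrarily.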
004E6B28 /. 55 push ebp
004E6B29 |. 8BEC mov ebp, esp
004E6B2B |. B9 07000000 mov ecx, 7
004E6B30 |> 6A 00 /push 0
004E6B32 |. 6A 00 |push 0
004E6B34 |. 49 |dec ecx
004E6B35 |.^ 75 F9 \jnz short 004E6B30
004E6B37 |. 53 push ebx
004E6B38 |. 56 push esi
004E6B39 |. 8BD8 mov ebx, eax
004E6B3B |. 33C0 xor eax, eax
004E6B3D |. 55 push ebp
004E6B3E |. 68 8D6D4E00 push 004E6D8D
004E6B43 |. 64:FF30 push dword ptr fs:[eax]
004E6B46 |. 64:8920 mov dword ptr fs:[eax], esp
004E6B49 |. 8D55 E8 lea edx, dword ptr [ebp-18]
004E6B4C |. 8B83 0C030000 mov eax, dword ptr [ebx+30C]
004E6B52 |. E8 692FF8FF call 00469AC0
004E6B57 |. 8B45 E8 mov eax, dword ptr [ebp-18]
004E6B5A |. 8D55 FC lea edx, dword ptr [ebp-4]
004E6B5D |. E8 0E27F2FF call 00409270
004E6B62 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
004E6B65 |. 8B83 14030000 mov eax, dword ptr [ebx+314]
004E6B6B |. E8 502FF8FF call 00469AC0
004E6B70 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
004E6B73 |. 8D55 F4 lea edx, dword ptr [ebp-C]
004E6B76 |. E8 F526F2FF call 00409270
004E6B7B |. 8D55 E0 lea edx, dword ptr [ebp-20]
004E6B7E |. 8B83 20030000 mov eax, dword ptr [ebx+320]
004E6B84 |. E8 372FF8FF call 00469AC0
004E6B89 |. 8B45 E0 mov eax, dword ptr [ebp-20] ; machine code "2686172163"
004E6B8C |. 8D55 F8 lea edx, dword ptr [ebp-8]
004E6B8F |. E8 DC26F2FF call 00409270
004E6B94 |. 8D55 DC lea edx, dword ptr [ebp-24]
004E6B97 |. 8B83 2C030000 mov eax, dword ptr [ebx+32C]
004E6B9D |. E8 1E2FF8FF call 00469AC0
004E6BA2 |. 837D DC 00 cmp dword ptr [ebp-24], 0
004E6BA6 |. 75 1F jnz short 004E6BC7
004E6BA8 |. BA A46D4E00 mov edx, 004E6DA4 ; "请输入公司名称!" (Please enter the company name!)
004E6BAD |. 33C0 xor eax, eax
004E6BAF |. E8 8017FFFF call 004D8334
004E6BB4 |. 8B83 2C030000 mov eax, dword ptr [ebx+32C]
004E6BBA |. 8B10 mov edx, dword ptr [eax]
004E6BBC |. FF92 C4000000 call dword ptr [edx+C4]
004E6BC2 |. E9 8E010000 jmp 004E6D55
004E6BC7 |> 8D55 D8 lea edx, dword ptr [ebp-28]
004E6BCA |. 8B83 0C030000 mov eax, dword ptr [ebx+30C]
004E6BD0 |. E8 EB2EF8FF call 00469AC0 ; check that an e-mail was entered and that its format is correct
004E6BD5 |. 837D D8 00 cmp dword ptr [ebp-28], 0
004E6BD9 |. 75 1F jnz short 004E6BFA
004E6BDB |. BA BC6D4E00 mov edx, 004E6DBC ; "请输入电子邮箱!" (Please enter the e-mail address!)
004E6BE0 |. 33C0 xor eax, eax
004E6BE2 |. E8 4D17FFFF call 004D8334
004E6BE7 |. 8B83 0C030000 mov eax, dword ptr [ebx+30C]
004E6BED |. 8B10 mov edx, dword ptr [eax]
004E6BEF |. FF92 C4000000 call dword ptr [edx+C4]
004E6BF5 |. E9 5B010000 jmp 004E6D55
004E6BFA |> 8B55 FC mov edx, dword ptr [ebp-4]
004E6BFD |. B8 D46D4E00 mov eax, 004E6DD4 ; @
004E6C02 |. E8 BDE3F1FF call 00404FC4
004E6C07 |. 85C0 test eax, eax
004E6C09 |. 75 1F jnz short 004E6C2A
004E6C0B |. BA E06D4E00 mov edx, 004E6DE0 ; "电子邮箱错误,请输入正确的电子邮箱!" (E-mail address error, please enter a correct e-mail address!)
004E6C10 |. 33C0 xor eax, eax
004E6C12 |. E8 1D17FFFF call 004D8334
004E6C17 |. 8B83 0C030000 mov eax, dword ptr [ebx+30C]
004E6C1D |. 8B10 mov edx, dword ptr [eax]
004E6C1F |. FF92 C4000000 call dword ptr [edx+C4]
004E6C25 |. E9 2B010000 jmp 004E6D55
004E6C2A |> 8D55 D4 lea edx, dword ptr [ebp-2C]
004E6C2D |. 8B83 14030000 mov eax, dword ptr [ebx+314]
004E6C33 |. E8 882EF8FF call 00469AC0
004E6C38 |. 837D D4 00 cmp dword ptr [ebp-2C], 0
004E6C3C |. 75 1F jnz short 004E6C5D
004E6C3E |. BA 0C6E4E00 mov edx, 004E6E0C ; "请输入注册号码!" (Please enter the registration number!)
004E6C43 |. 33C0 xor eax, eax
004E6C45 |. E8 EA16FFFF call 004D8334
004E6C4A |. 8B83 14030000 mov eax, dword ptr [ebx+314]
004E6C50 |. 8B10 mov edx, dword ptr [eax]
004E6C52 |. FF92 C4000000 call dword ptr [edx+C4]
004E6C58 |. E9 F8000000 jmp 004E6D55
004E6C5D |> 8D55 D0 lea edx, dword ptr [ebp-30]
004E6C60 |. 8B83 20030000 mov eax, dword ptr [ebx+320]
004E6C66 |. E8 552EF8FF call 00469AC0
004E6C6B |. 837D D0 00 cmp dword ptr [ebp-30], 0
004E6C6F |. 0F84 E0000000 je 004E6D55
004E6C75 |. 8D45 F0 lea eax, dword ptr [ebp-10]
004E6C78 |. 50 push eax
004E6C79 |. 8B4D F8 mov ecx, dword ptr [ebp-8]
004E6C7C |. 8B93 30030000 mov edx, dword ptr [ebx+330]
004E6C82 |. 8B45 FC mov eax, dword ptr [ebp-4]
004E6C85 |. E8 4ACEFDFF call 004C3AD4 ; key call, step into it
004E6C8A |. 8B45 F0 mov eax, dword ptr [ebp-10]
004E6C8D |. 8B55 F4 mov edx, dword ptr [ebp-C]
004E6C90 |. E8 37E1F1FF call 00404DCC ; compare the real code with the entered code
004E6C95 |. 0F85 AE000000 jnz 004E6D49 ; on success, store in the registry; verified at startup
004E6C9B |. 68 246E4E00 push 004E6E24 ; software\
004E6CA0 |. FFB3 34030000 push dword ptr [ebx+334]
004E6CA6 |. 68 386E4E00 push 004E6E38 ; \
004E6CAB |. FFB3 30030000 push dword ptr [ebx+330]
004E6CB1 |. 8D45 EC lea eax, dword ptr [ebp-14]
004E6CB4 |. BA 04000000 mov edx, 4
004E6CB9 |. E8 82E0F1FF call 00404D40
004E6CBE |. B2 01 mov dl, 1
004E6CC0 |. A1 9CE24300 mov eax, dword ptr [43E29C]
004E6CC5 |. E8 D276F5FF call 0043E39C
004E6CCA |. 8BF0 mov esi, eax
004E6CCC |. BA 02000080 mov edx, 80000002
004E6CD1 |. 8BC6 mov eax, esi
004E6CD3 |. E8 6477F5FF call 0043E43C
004E6CD8 |. B1 01 mov cl, 1
004E6CDA |. 8B55 EC mov edx, dword ptr [ebp-14]
004E6CDD |. 8BC6 mov eax, esi
004E6CDF |. E8 BC77F5FF call 0043E4A0
004E6CE4 |. 8B4D FC mov ecx, dword ptr [ebp-4]
004E6CE7 |. BA 446E4E00 mov edx, 004E6E44 ; mail
004E6CEC |. 8BC6 mov eax, esi
004E6CEE |. E8 4979F5FF call 0043E63C
004E6CF3 |. 8B4D F4 mov ecx, dword ptr [ebp-C]
004E6CF6 |. BA 546E4E00 mov edx, 004E6E54 ; regnbr
004E6CFB |. 8BC6 mov eax, esi
004E6CFD |. E8 3A79F5FF call 0043E63C
004E6D02 |. 8D55 C8 lea edx, dword ptr [ebp-38]
004E6D05 |. 8B83 2C030000 mov eax, dword ptr [ebx+32C]
004E6D0B |. E8 B02DF8FF call 00469AC0
004E6D10 |. 8B45 C8 mov eax, dword ptr [ebp-38]
004E6D13 |. 8D55 CC lea edx, dword ptr [ebp-34]
004E6D16 |. E8 5525F2FF call 00409270
004E6D1B |. 8B4D CC mov ecx, dword ptr [ebp-34]
004E6D1E |. BA 646E4E00 mov edx, 004E6E64 ; username
004E6D23 |. 8BC6 mov eax, esi
004E6D25 |. E8 1279F5FF call 0043E63C
004E6D2A |. 8BC6 mov eax, esi
004E6D2C |. E8 1FCEF1FF call 00403B50
004E6D31 |. BA 786E4E00 mov edx, 004E6E78 ; "注册成功!" (Registration succeeded!)
004E6D36 |. B8 01000000 mov eax, 1
004E6D3B |. E8 F415FFFF call 004D8334
004E6D40 |. 8BC3 mov eax, ebx
004E6D42 |. E8 45F5F9FF call 0048628C
004E6D47 |. EB 0C jmp short 004E6D55
004E6D49 |> BA 8C6E4E00 mov edx, 004E6E8C ; "注册失败,请输入正确的电子邮箱和注册号码!" (Registration failed, please enter the correct e-mail address and registration number!)
004E6D4E |. 33C0 xor eax, eax
004E6D50 |. E8 DF15FFFF call 004D8334
004E6D55 |> 33C0 xor eax, eax
004E6D57 |. 5A pop edx
004E6D58 |. 59 pop ecx
004E6D59 |. 59 pop ecx
004E6D5A |. 64:8910 mov dword ptr fs:[eax], edx
004E6D5D |. 68 946D4E00 push 004E6D94
004E6D62 |> 8D45 C8 lea eax, dword ptr [ebp-38]
004E6D65 |. E8 56DCF1FF call 004049C0
004E6D6A |. 8D45 CC lea eax, dword ptr [ebp-34]
004E6D6D |. E8 4EDCF1FF call 004049C0
004E6D72 |. 8D45 D0 lea eax, dword ptr [ebp-30]
004E6D75 |. BA 07000000 mov edx, 7
004E6D7A |. E8 65DCF1FF call 004049E4
004E6D7F |. 8D45 EC lea eax, dword ptr [ebp-14]
004E6D82 |. BA 05000000 mov edx, 5
004E6D87 |. E8 58DCF1FF call 004049E4
004E6D8C \. C3 retn
004E6D8D .^ E9 52D5F1FF jmp 004042E4
004E6D92 .^ EB CE jmp short 004E6D62
004E6D94 . 5E pop esi
004E6D95 . 5B pop ebx
004E6D96 . 8BE5 mov esp, ebp
004E6D98 . 5D pop ebp
004E6D99 . C3 retn
------------------------------------------------------------
004C3AD4 /$ 55 push ebp
004C3AD5 |. 8BEC mov ebp, esp
004C3AD7 |. 83C4 F0 add esp, -10
004C3ADA |. 53 push ebx
004C3ADB |. 56 push esi
004C3ADC |. 33DB xor ebx, ebx
004C3ADE |. 895D F0 mov dword ptr [ebp-10], ebx
004C3AE1 |. 894D F4 mov dword ptr [ebp-C], ecx
004C3AE4 |. 8955 F8 mov dword ptr [ebp-8], edx
004C3AE7 |. 8945 FC mov dword ptr [ebp-4], eax
004C3AEA |. 8B75 08 mov esi, dword ptr [ebp+8]
004C3AED |. 8B45 FC mov eax, dword ptr [ebp-4]
004C3AF0 |. E8 7B13F4FF call 00404E70
004C3AF5 |. 8B45 F8 mov eax, dword ptr [ebp-8]
004C3AF8 |. E8 7313F4FF call 00404E70
004C3AFD |. 8B45 F4 mov eax, dword ptr [ebp-C]
004C3B00 |. E8 6B13F4FF call 00404E70
004C3B05 |. 33C0 xor eax, eax
004C3B07 |. 55 push ebp
004C3B08 |. 68 AB3B4C00 push 004C3BAB
004C3B0D |. 64:FF30 push dword ptr fs:[eax]
004C3B10 |. 64:8920 mov dword ptr fs:[eax], esp
004C3B13 |. 8BC6 mov eax, esi
004C3B15 |. E8 A60EF4FF call 004049C0
004C3B1A |. 8B45 FC mov eax, dword ptr [ebp-4]
004C3B1D |. E8 5E11F4FF call 00404C80
004C3B22 |. 48 dec eax
004C3B23 |. 85C0 test eax, eax
004C3B25 |. 7C 11 jl short 004C3B38
004C3B27 |. 40 inc eax
004C3B28 |. 33D2 xor edx, edx
004C3B2A |> 8B4D FC /mov ecx, dword ptr [ebp-4]
004C3B2D |. 0FB64C11 FF |movzx ecx, byte ptr [ecx+edx-1] ; take each e-mail character in turn as its ASCII code
004C3B32 |. 03D9 |add ebx, ecx ; accumulate; the final result is X
004C3B34 |. 42 |inc edx
004C3B35 |. 48 |dec eax
004C3B36 |.^ 75 F2 \jnz short 004C3B2A ; loops (e-mail length - 1) times
004C3B38 |> 8B45 F8 mov eax, dword ptr [ebp-8] ; the fixed string LUCK_STAR takes part in the calculation
004C3B3B |. E8 4011F4FF call 00404C80
004C3B40 |. 48 dec eax
004C3B41 |. 85C0 test eax, eax
004C3B43 |. 7C 11 jl short 004C3B56
004C3B45 |. 40 inc eax
004C3B46 |. 33D2 xor edx, edx
004C3B48 |> 8B4D F8 /mov ecx, dword ptr [ebp-8]
004C3B4B |. 0FB64C11 FF |movzx ecx, byte ptr [ecx+edx-1] ; take each character of the fixed code in turn as its ASCII code
004C3B50 |. 03D9 |add ebx, ecx ; accumulate onto X; the final result is Y
004C3B52 |. 42 |inc edx
004C3B53 |. 48 |dec eax
004C3B54 |.^ 75 F2 \jnz short 004C3B48
004C3B56 |> 8B45 F4 mov eax, dword ptr [ebp-C]
004C3B59 |. E8 2A5CF4FF call 00409788 ; convert the machine code to hexadecimal
004C3B5E |. 8BC8 mov ecx, eax
004C3B60 |. 0FAFCB imul ecx, ebx ; machine code multiplied by Y
004C3B63 |. 69C1 4DDACB0B imul eax, ecx, 0BCBDA4D ; the result above multiplied by 0BCBDA4D, giving Z
004C3B69 |. B9 00E1F505 mov ecx, 5F5E100
004C3B6E |. 99 cdq
004C3B6F |. F7F9 idiv ecx ; Z divided by 5F5E100, remainder placed in EDX
004C3B71 |. 8BDA mov ebx, edx
004C3B73 |. 8BC3 mov eax, ebx
004C3B75 |. 99 cdq
004C3B76 |. 33C2 xor eax, edx
004C3B78 |. 2BC2 sub eax, edx
004C3B7A |. 8BD8 mov ebx, eax
004C3B7C |. 8D55 F0 lea edx, dword ptr [ebp-10]
004C3B7F |. 8BC3 mov eax, ebx ; put the value of edx into eax
004C3B81 |. E8 525AF4FF call 004095D8 ; convert the value to decimal; this is the registration code
004C3B86 |. 8BC6 mov eax, esi
004C3B88 |. 8B55 F0 mov edx, dword ptr [ebp-10] ; real code
004C3B8B |. E8 840EF4FF call 00404A14
004C3B90 |. 33C0 xor eax, eax
004C3B92 |. 5A pop edx
004C3B93 |. 59 pop ecx
004C3B94 |. 59 pop ecx
004C3B95 |. 64:8910 mov dword ptr fs:[eax], edx
004C3B98 |. 68 B23B4C00 push 004C3BB2
004C3B9D |> 8D45 F0 lea eax, dword ptr [ebp-10]
004C3BA0 |. BA 04000000 mov edx, 4
004C3BA5 |. E8 3A0EF4FF call 004049E4
004C3BAA \. C3 retn
004C3BAB .^ E9 3407F4FF jmp 004042E4
004C3BB0 .^ EB EB jmp short 004C3B9D
004C3BB2 . 5E pop esi
004C3BB3 . 5B pop ebx
004C3BB4 . 8BE5 mov esp, ebp
004C3BB6 . 5D pop ebp
004C3BB7 . C2 0400 retn 4
--------------------------------------------------------------------------------
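【Summary】
The algorithm is very simple:
1. Convert each character of the e-mail address to its ASCII code and sum them, giving X
2. Convert each character of the fixed code "LUCK_STAR" to its ASCII code, sum them, and add X, giving Y
3. Registration code = ((machine code * Y) * 0BCBDA4D) mod 5F5E100
Attached is the VB keygen source. I do not know how to write the third step, because the computed number is very large and often overflows. Later I read online that a function can be written to multiply big numbers; I found one, but the problem is still not solved, because the very large number then causes an error again in the final remainder step. Could an expert help me complete it?
It is a very simple problem, but I hope nobody minds. O(∩_∩)O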
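Private Sub Command1_Click()
    a = Text1.Text 'e-mail address
    b = Text2.Text 'machine code
    c = "LUCK_STAR" 'fixed code
    For i = 1 To (Len(a) - 1) 'sum the ASCII codes of the e-mail address
        d = d + (Asc(Mid(a, i, 1)))
    Next i
    For j = 1 To (Len(c) - 1) 'sum the ASCII codes of the fixed code LUCK_STAR
        e = e + (Asc(Mid(c, j, 1)))
    Next j
    y = Val(e + d) 'add the two sums
    g = b * y 'machine code * Y
    '.......... I do not know how to write the rest, because the number is very large. Can anyone help me complete it?
    Text3.Text = x
End Sub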
--------------------------------------------------------------------------------
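The routine analysed above derives the valid code inside the client from the e-mail, a fixed string and the machine code, then compares it with the input, so everything needed to reproduce it ships in the binary. The Go example below is added here and is not part of the original post or of the software; it shows the design a vendor would use instead, where the licence is an Ed25519 signature over the e-mail and machine code and the client holds only the public key. The function names, the message layout and the demo seed are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// licenseMessage binds a licence to one e-mail and one machine code.
// Length prefixes keep field boundaries and byte order significant, unlike a byte sum.
func licenseMessage(email, machineCode string) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s", len(email), email, len(machineCode), machineCode))
}

// IssueLicense runs on the vendor side only; the private key never ships.
func IssueLicense(priv ed25519.PrivateKey, email, machineCode string) string {
	sig := ed25519.Sign(priv, licenseMessage(email, machineCode))
	return base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyLicense is all the client needs: a public key and a signature check.
func VerifyLicense(pub ed25519.PublicKey, email, machineCode, license string) bool {
	sig, err := base64.RawURLEncoding.DecodeString(license)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, licenseMessage(email, machineCode), sig)
}

// demoKeys derives a fixed, constructed key pair so the example is repeatable.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKeys()
	lic := IssueLicense(priv, "user@example.com", "2686172163")
	// The e-mail and machine code the licence was issued for: accepted.
	fmt.Println(VerifyLicense(pub, "user@example.com", "2686172163", lic))
	// A permuted e-mail has the same ASCII sum but fails the signature check.
	fmt.Println(VerifyLicense(pub, "resu@example.com", "2686172163", lic))
}
```

Reading the client binary in a debugger yields only the public key and the verification logic, which is not enough to issue a licence for another e-mail or machine code.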