【破文标题】【yqlxj申请加入PYG】 会员卡管理豪华版算法分析及注册机 (一)
【破文作者】yqlxj
【作者邮箱】[email protected]
【破解工具】PEID OD
【破解平台】XP SP2
【软件名称】会员卡管理豪华版
【软件大小】
【原版下载】http://www.hykgl.com/proam/hykgldch.rar
【保护方式】无
【软件简介】包括店铺信息,会员类别,会员类别自动升级,会员信息,商品类别,商品信息,商品进退货,员工信息管理;会员
消费、充值、积分管理;生日、卡到期提醒;可以查询销售利润,会员提成; 可自定义会员资料的标题,使软件更能适应自己的要
求;会员、会员卡管理将更全面方便。
【作者声明】: 菜鸟学习算法,失误之处敬请诸位大侠赐教!
------------------------------------------------------------------------
【算法分析过程 】:
用PEID查,无壳,Borland Delphi 6.0 - 7.0.
OD载入,查找到字符串'注册码不对,程序未成功',双击来到,
注册开始:
------------------------------------------------------------------------------------------------------------------
00506984 push ebp
00506985 mov ebp, esp
00506987 mov ecx, 9 ;ecx=9,循环9次
0050698C push 0
0050698E push 0
00506990 dec ecx
00506991 jnz short 0050698C ;循环完,不跳了
00506993 push ecx ;ecx入栈
00506994 push ebx ;ebx入栈
00506995 mov ebx, eax
00506997 xor eax, eax
00506999 push ebp
0050699A push 00506C02
0050699F push dword ptr fs:[eax]
005069A2 mov dword ptr fs:[eax], esp
005069A5 lea edx, dword ptr [ebp-10]
005069A8 mov eax, dword ptr [ebx+304]
005069AE call 0046D6DC ;这个CALL应该是取得编辑框信息,用户名放到ebp-10中去
005069B3 mov eax, dword ptr [ebp-10] ;用户名地址给eax
005069B6 lea edx, dword ptr [ebp-C]
005069B9 call 00409130
005069BE cmp dword ptr [ebp-C], 0 ;判断是否为空,非空跳
005069C2 jnz short 005069D3
005069C4 mov eax, 00506C18 ; 请输入用户名
005069C9 call 004E9688
005069CE jmp 00506B88
005069D3 lea edx, dword ptr [ebp-18]
005069D6 mov eax, dword ptr [ebx+30C]
005069DC call 0046D6DC ;同上,这个CALL也应该是取得编辑框信息,注册码放到ebp-18中去
005069E1 mov eax, dword ptr [ebp-18] ; 注册码地址给eax
005069E4 lea edx, dword ptr [ebp-14]
005069E7 call 00409130
005069EC cmp dword ptr [ebp-14], 0 ;判断是否为空,非空跳
005069F0 jnz short 00506A01
005069F2 mov eax, 00506C30 ; 请输入注册码
005069F7 call 004E9688
005069FC jmp 00506B88
00506A01 lea edx, dword ptr [ebp-20]
00506A04 mov eax, dword ptr [ebx+30C]
00506A0A call 0046D6DC
00506A0F mov eax, dword ptr [ebp-20]
00506A12 lea edx, dword ptr [ebp-1C]
00506A15 call 00409130
00506A1A mov eax, dword ptr [ebp-1C]
00506A1D push eax
00506A1E lea edx, dword ptr [ebp-24]
00506A21 mov eax, dword ptr [ebx+304]
00506A27 call 0046D6DC
00506A2C mov eax, dword ptr [ebp-24]
00506A2F pop edx
00506A30 call 004EC6EC ;关键CALL ---跟进
00506A35 test al, al
00506A37 jnz short 00506A48
00506A39 mov eax, 00506C48 ; 注册码不对,注册未成功
-----------------------------------------------------------------------------------------------------------------
关键CALL:
004EC6EC push ebp
004EC6ED mov ebp, esp
004EC6EF mov ecx, 5
004EC6F4 /push 0
004EC6F6 |push 0
004EC6F8 |dec ecx
004EC6F9 \jnz short 004EC6F4
004EC6FB push ecx
004EC6FC push ebx
004EC6FD push esi
004EC6FE push edi
004EC6FF mov dword ptr [ebp-8], edx ;把注册码放在ebp-8,可以认为是放到第二个变量中去b
004EC702 mov dword ptr [ebp-4], eax ;把用户名放在ebp-4,可以认为是放到第一个变量中去a
004EC705 mov eax, dword ptr [ebp-4]
004EC708 call 00404D44
004EC70D mov eax, dword ptr [ebp-8]
004EC710 call 00404D44
004EC715 xor eax, eax
004EC717 push ebp
004EC718 push 004EC921
004EC71D push dword ptr fs:[eax]
004EC720 mov dword ptr fs:[eax], esp
004EC723 lea eax, dword ptr [ebp-C]
004EC726 call 004EC2C8 ;取得序列号,地址放到EDX中去
004EC72B mov dword ptr [ebp-14], 0D948F ;固定值十进制889999 ,放到EBP-14中去
004EC732 mov eax, dword ptr [ebp-4]
004EC735 call 00404B54 ;取得用户名长度的值放到eax中去
004EC73A mov edi, eax ;edi=eax
004EC73C test edi, edi ;测试是否相等,相等不跳
004EC73E jle short 004EC777
004EC740 mov esi, 1
------------------------------------------------------------------------------------------------------------------
这个在用户名的循环中:
{
004EC745 /mov eax, dword ptr [ebp-C] ;序列号放到EAX中
004EC748 |call 00404B54 ;取序列号长度
004EC74D |test eax, eax
004EC74F |jle short 004EC773
004EC751 |mov ebx, 1
------------------------------------------------------------------------------------------------------------------
这个在序列号的循环中:
{
004EC756 |/mov edx, dword ptr [ebp-4] ;用户名放到EDX中
004EC759 ||mov dl, byte ptr [edx+esi-1] ;按位取用户名ASCII码值
004EC75D ||mov ecx, dword ptr [ebp-C] ;序列号放到ECX
004EC760 ||mov cl, byte ptr [ecx+ebx-1] ;按位取序列号ASCII码值
004EC764 ||or dl, cl ;进行按位或运算
004EC766 ||and edx, 0FF ;把或运算的值放到EDX中去,因为原来是放到EDX中的低位中去,和0FF做与运算,前面清零
004EC76C ||add dword ptr [ebp-14], edx ;和固定值889999相加
004EC76F ||inc ebx ;加1
004EC770 ||dec eax ;递减
004EC771 |\jnz short 004EC756
}
------------------------------------------------------------------------------------------------------------------
004EC773 |inc esi
004EC774 |dec edi
004EC775 \jnz short 004EC745
}
------------------------------------------------------------------------------------------------------------------
004EC777 lea edx, dword ptr [ebp-10] ;输入注册码的值
004EC77A mov eax, dword ptr [ebp-14] ;经过上面循环运算的值
004EC77D call 00409390 ;又是一个算法CALL
----------------------------------------------------------------------------------------------------------
进入004EC77D 算法CALL:
00409390 push esi
00409391 mov esi, esp
00409393 sub esp, 10
00409396 xor ecx, ecx
00409398 push edx
00409399 xor edx, edx
0040939B call 00409344
--------------------------------------------------------------------------------------------------
进入0040939B 算法CALL:
0040935A mov ecx, 0A ;把10放到ECX中
0040935F push edx
00409360 push esi
00409361 /xor edx, edx
00409363 |div ecx ;EAX/ECX就是我们上面经过运算的值,商放到eax中,余数放到EDX
00409365 |dec esi
00409366 |add dl, 30
00409369 |cmp dl, 3A ;加30和3A进行比较,没什么实际价值
0040936C |jb short 00409371
0040936E |add dl, 7
00409371 |mov byte ptr [esi], dl
00409373 |or eax, eax ;等于0就不跳
00409375 \jnz short 00409361
00409377 pop ecx
00409378 pop edx
00409379 sub ecx, esi
0040937B sub edx, ecx
0040937D jbe short 0040938F
0040937F add ecx, edx
00409381 mov al, 30
00409383 sub esi, edx
00409385 jmp short 0040938A
00409387 /mov byte ptr [edx+esi], al
0040938A dec edx
0040938B \jnz short 00409387
0040938D mov byte ptr [esi], al
--------------------------------------------------------------------------------------------------
004093A0 mov edx, esi
004093A2 pop eax
004093A3 call 00404984
004093A8 add esp, 10
004093AB pop esi
004093AC retn
----------------------------------------------------------------------------------------------------------
004EC782 mov eax, dword ptr [ebp-10] ;;得到余数放到EAX中去
004EC785 call 00404B54
------------------------------------------------------------------------------------------------------------------
004EC78A mov esi, eax ;按位取EAX中的值,然后进入下面的Switch循环,
004EC78C mov edi, esi
004EC78E test edi, edi
004EC790 jle 004EC86F
004EC796 mov ebx, 1
004EC79B /mov eax, dword ptr [ebp-10]
004EC79E |mov al, byte ptr [eax+ebx-1]
004EC7A2 |cmp al, 30 ; Switch (cases 30..39)
004EC7A4 |jnz short 004EC7B8
004EC7A6 |lea eax, dword ptr [ebp-10] ; Case 30 ('0') of switch 004EC7A2
004EC7A9 |call 00404DAC
004EC7AE |mov byte ptr [eax+ebx-1], 44 ;等于1 就变为‘F’ 44就是十六进制的ASCII码值,以下类似
004EC7B3 |jmp 004EC867
004EC7B8 |cmp al, 31
004EC7BA |jnz short 004EC7CE
004EC7BC |lea eax, dword ptr [ebp-10] ; Case 31 ('1') of switch 004EC7A2
004EC7BF |call 00404DAC
004EC7C4 |mov byte ptr [eax+ebx-1], 46 ;‘w'
004EC7C9 |jmp 004EC867
004EC7CE |cmp al, 32
004EC7D0 |jnz short 004EC7E4
004EC7D2 |lea eax, dword ptr [ebp-10] ; Case 32 ('2') of switch 004EC7A2
004EC7D5 |call 00404DAC
004EC7DA |mov byte ptr [eax+ebx-1], 57 ;
004EC7DF |jmp 004EC867
004EC7E4 |cmp al, 33
004EC7E6 |jnz short 004EC7F7
004EC7E8 |lea eax, dword ptr [ebp-10] ; Case 33 ('3') of switch 004EC7A2
004EC7EB |call 00404DAC
004EC7F0 |mov byte ptr [eax+ebx-1], 51
004EC7F5 |jmp short 004EC867
004EC7F7 |cmp al, 34
004EC7F9 |jnz short 004EC80A
004EC7FB |lea eax, dword ptr [ebp-10] ; Case 34 ('4') of switch 004EC7A2
004EC7FE |call 00404DAC
004EC803 |mov byte ptr [eax+ebx-1], 41
004EC808 |jmp short 004EC867
004EC80A |cmp al, 35
004EC80C |jnz short 004EC81D
004EC80E |lea eax, dword ptr [ebp-10] ; Case 35 ('5') of switch 004EC7A2
004EC811 |call 00404DAC
004EC816 |mov byte ptr [eax+ebx-1], 58
004EC81B |jmp short 004EC867
004EC81D |cmp al, 36
004EC81F |jnz short 004EC830
004EC821 |lea eax, dword ptr [ebp-10] ; Case 36 ('6') of switch 004EC7A2
004EC824 |call 00404DAC
004EC829 |mov byte ptr [eax+ebx-1], 4B
004EC82E |jmp short 004EC867
004EC830 |cmp al, 37
004EC832 |jnz short 004EC843
004EC834 |lea eax, dword ptr [ebp-10] ; Case 37 ('7') of switch 004EC7A2
004EC837 |call 00404DAC
004EC83C |mov byte ptr [eax+ebx-1], 44
004EC841 |jmp short 004EC867
004EC843 |cmp al, 38
004EC845 |jnz short 004EC856
004EC847 |lea eax, dword ptr [ebp-10] ; Case 38 ('8') of switch 004EC7A2
004EC84A |call 00404DAC
004EC84F |mov byte ptr [eax+ebx-1], 4D
004EC854 |jmp short 004EC867
004EC856 |cmp al, 39
004EC858 |jnz short 004EC867
004EC85A |lea eax, dword ptr [ebp-10] ; Case 39 ('9') of switch 004EC7A2
004EC85D |call 00404DAC
004EC862 |mov byte ptr [eax+ebx-1], 55
004EC867 |inc ebx ; Default case of switch 004EC7A2
004EC868 |dec edi
004EC869 \jnz 004EC79B
------------------------------------------------------------------------------------------------------------------
004EC86F push 004EC93C ; 把字符HY放到这个地址中去
004EC874 lea eax, dword ptr [ebp-18]
004EC877 mov edx, dword ptr [ebp-10]
004EC87A mov dl, byte ptr [edx+3]
004EC87D call 00404A7C
004EC882 push dword ptr [ebp-18]
004EC885 lea eax, dword ptr [ebp-1C]
004EC888 mov edx, dword ptr [ebp-10]
004EC88B mov dl, byte ptr [edx+2]
004EC88E call 00404A7C
004EC893 push dword ptr [ebp-1C]
004EC896 lea eax, dword ptr [ebp-20]
004EC899 mov edx, dword ptr [ebp-10]
004EC89C mov dl, byte ptr [edx]
004EC89E call 00404A7C
004EC8A3 push dword ptr [ebp-20]
004EC8A6 lea eax, dword ptr [ebp-24]
004EC8A9 mov edx, dword ptr [ebp-10]
004EC8AC mov dl, byte ptr [edx+1]
004EC8AF call 00404A7C
004EC8B4 push dword ptr [ebp-24]
004EC8B7 lea eax, dword ptr [ebp-28]
004EC8BA mov edx, dword ptr [ebp-10]
004EC8BD mov dl, byte ptr [edx+5]
004EC8C0 call 00404A7C
004EC8C5 push dword ptr [ebp-28]
004EC8C8 lea eax, dword ptr [ebp-2C]
004EC8CB mov edx, dword ptr [ebp-10]
004EC8CE mov dl, byte ptr [edx+4]
004EC8D1 call 00404A7C
004EC8D6 push dword ptr [ebp-2C]
004EC8D9 lea eax, dword ptr [ebp-10]
004EC8DC mov edx, 7
004EC8E1 call 00404C14 ;HY+前面得到的字符,进行换位3--1 4--2 2---3 1--4 6--5 5--6
004EC8E6 mov eax, dword ptr [ebp-10] ;真码 (可做内存注册机)
004EC8E9 mov edx, dword ptr [ebp-8] ;假码
004EC8EC call 00404CA0 ;比较CALL
004EC8F1 jnz short 004EC8F7 ;(可以爆破)
004EC8F3 mov bl, 1
004EC8F5 jmp short 004EC8F9
004EC8F7 xor ebx, ebx
004EC8F9 xor eax, eax
004EC8FB pop edx
004EC8FC pop ecx
004EC8FD pop ecx
004EC8FE mov dword ptr fs:[eax], edx
004EC901 push 004EC928
004EC906 lea eax, dword ptr [ebp-2C]
004EC909 mov edx, 6
004EC90E call 004048B8
004EC913 lea eax, dword ptr [ebp-10]
004EC916 mov edx, 4
004EC91B call 004048B8
004EC920 retn
004EC921 jmp 004041B8
004EC926 jmp short 004EC906
004EC928 mov eax, ebx
004EC92A pop edi
004EC92B pop esi
004EC92C pop ebx
004EC92D mov esp, ebp
004EC92F pop ebp
004EC930 retn
------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------
【算法总结】:
1).取得用户名和序列号长度,序列号与用户名按位得到ASCII码进行或运算,得到的值加起来
2).然后把得到的值和固定值889999相加。
3).把相加得到的值除以10,每次得到的余数排列起来
4).把每一位进行变值,如果是1变为F,2变为W,3变为Q,4变为A,5变为X,6变为K,7变为D,8变为M,9变为U
5).然后HY+前面得到的字符,进行换位3--1 4--2 2---3 1--4 6--5 5--6
6).最后输出
------------------------------------------------------------------------
【注册机源码(c语言)】:
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#define Svalue 889999
void main(void)
{
int i=0,j=0,k=0,g=0,h=0,l=0,m=0,n=0;
char name[50]={0};
char sernumber[10]={0};
char value[10]={0};
char value1[10]={0};
char value2[10]={0};
printf("请输入序列号:");
scanf("%s",sernumber);
printf("请输入你的用户名:");
scanf("%s",name);
char buf[65];
char buf1[65];
char buf2[65];
int length,length2;
length=strlen(name);
length2=strlen(sernumber);
for(i=0;i<length;i++)
{
k=0;
for(j=0;j<length2;j++)
{
k+= (int)name | (int)sernumber[j];
}
g+=k;
}
m=g+Svalue;
l=m;
while(l)
{
l=l/10;
h++;
}
for(i=0;i<h;i++)
{
value=m%10;
m=m/10;
}
for(i=h-1;i>=0;i--)
{
switch((int)value)
{
case 1:
value='F';
break;
case 2:
value='W';
break;
case 3:
value='Q';
break;
case 4:
value='A';
break;
case 5:
value='X';
break;
case 6:
value='K';
break;
case 7:
value='D';
break;
case 8:
value='M';
break;
case 9:
value='U';
break;
default :
break;
}
value1[abs(i-h+1)]=value;
}
value2[2]=value1[0] ;
value2[3]=value1[1] ;
value2[1]=value1[2] ;
value2[0]=value1[3] ;
value2[5]=value1[4] ;
value2[4]=value1[5] ;
printf("注册码: HY%s\n",value2);
printf("请直接关掉黑色界面\n");
scanf("%s",name);
}
------------------------------------------------------------------------
【版权声明】本文原创于PYG论坛,转载请注明作者并保持文章的完整, 谢谢!