Computer Alarm Clock v2.2注册算法分析【附上注册机】

crackvip · 发表于 2014-6-25 01:54:02

004839A8  /.  55          PUSH EBP                                     ;  难道这是启动验证
004839A9  |.  8BEC       MOV    EBP, ESP                               ;  启动时果然在这里停下
004839AB  |.  B9 40000000 MOV    ECX, 0x40
004839B0  |>  6A 00       /PUSH 0x0
004839B2  |.  6A 00       |PUSH 0x0
004839B4  |.  49          |DEC    ECX
004839B5  |.^ 75 F9       \JNZ    SHORT cac.004839B0
004839B7  |.  53          PUSH EBX
004839B8  |.  8BD8       MOV    EBX, EAX
004839BA  |.  33C0       XOR    EAX, EAX
004839BC  |.  55          PUSH EBP
004839BD  |.  68 FF3B4800 PUSH cac.00483BFF
004839C2  |.  64:FF30    PUSH DWORD PTR FS:[EAX]
004839C5  |.  64:8920    MOV    DWORD PTR FS:[EAX], ESP
004839C8  |.  8D45 F8    LEA    EAX, DWORD PTR SS:[EBP-0x8]
004839CB  |.  B9 143C4800 MOV    ECX, cac.00483C14                      ;  cac.ini，第二处
004839D0  |.  8B93 78030000 MOV    EDX, DWORD PTR DS:[EBX+0x378]
004839D6  |.  E8 0911F8FF CALL cac.00404AE4
004839DB  |.  8D45 F4    LEA    EAX, DWORD PTR SS:[EBP-0xC]
004839DE  |.  E8 FD0DF8FF CALL cac.004047E0
004839E3  |.  8D45 F0    LEA    EAX, DWORD PTR SS:[EBP-0x10]
004839E6  |.  E8 F50DF8FF CALL cac.004047E0
004839EB  |.  8B45 F8    MOV    EAX, DWORD PTR SS:[EBP-0x8]
004839EE  |.  E8 5556F8FF CALL cac.00409048
004839F3  |.  84C0       TEST AL, AL
004839F5  |.  0F84 A0000000 JE    cac.00483A9B
004839FB  |.  8B55 F8    MOV    EDX, DWORD PTR SS:[EBP-0x8]
004839FE  |.  8D85 0CFEFFFF LEA    EAX, DWORD PTR SS:[EBP-0x1F4]
00483A04  |.  E8 03F4F7FF CALL cac.00402E0C
00483A09  |.  8D85 0CFEFFFF LEA    EAX, DWORD PTR SS:[EBP-0x1F4]
00483A0F  |.  E8 88F1F7FF CALL cac.00402B9C
00483A14  |.  E8 D3EEF7FF CALL cac.004028EC
00483A19  |.  8D85 0CFEFFFF LEA    EAX, DWORD PTR SS:[EBP-0x1F4]
00483A1F  |.  E8 18F6F7FF CALL cac.0040303C
00483A24  |.  E8 C3EEF7FF CALL cac.004028EC
00483A29  |.  84C0       TEST AL, AL
00483A2B  |.  75 1E       JNZ    SHORT cac.00483A4B
00483A2D  |.  8D55 F4    LEA    EDX, DWORD PTR SS:[EBP-0xC]
00483A30  |.  8D85 0CFEFFFF LEA    EAX, DWORD PTR SS:[EBP-0x1F4]
00483A36  |.  E8 81F7F7FF CALL cac.004031BC
00483A3B  |.  8D85 0CFEFFFF LEA    EAX, DWORD PTR SS:[EBP-0x1F4]
00483A41  |.  E8 E2F7F7FF CALL cac.00403228
00483A46  |.  E8 A1EEF7FF CALL cac.004028EC
00483A4B  |>  8D83 3C040000 LEA    EAX, DWORD PTR DS:[EBX+0x43C]
00483A51  |.  8B55 F4    MOV    EDX, DWORD PTR SS:[EBP-0xC]             ;  取出注册名
00483A54  |.  E8 DB0DF8FF CALL cac.00404834
00483A59  |.  8D85 0CFEFFFF LEA    EAX, DWORD PTR SS:[EBP-0x1F4]
00483A5F  |.  E8 D8F5F7FF CALL cac.0040303C
00483A64  |.  E8 83EEF7FF CALL cac.004028EC                            ;  取出假码
00483A69  |.  84C0       TEST AL, AL
00483A6B  |.  75 1E       JNZ    SHORT cac.00483A8B
00483A6D  |.  8D55 F0    LEA    EDX, DWORD PTR SS:[EBP-0x10]
00483A70  |.  8D85 0CFEFFFF LEA    EAX, DWORD PTR SS:[EBP-0x1F4]
00483A76  |.  E8 41F7F7FF CALL cac.004031BC
00483A7B  |.  8D85 0CFEFFFF LEA    EAX, DWORD PTR SS:[EBP-0x1F4]
00483A81  |.  E8 A2F7F7FF CALL cac.00403228
00483A86  |.  E8 61EEF7FF CALL cac.004028EC
00483A8B  |>  8D85 0CFEFFFF LEA    EAX, DWORD PTR SS:[EBP-0x1F4]
00483A91  |.  E8 3EF4F7FF CALL cac.00402ED4
00483A96  |.  E8 51EEF7FF CALL cac.004028EC
00483A9B  |>  33C0       XOR    EAX, EAX
00483A9D  |.  8945 FC    MOV    DWORD PTR SS:[EBP-0x4], EAX
00483AA0  |.  837D F4 00 CMP    DWORD PTR SS:[EBP-0xC], 0x0             ;  判断用户名是否为0
00483AA4  |.  74 5B       JE    SHORT cac.00483B01
00483AA6  |.  8D4D EC    LEA    ECX, DWORD PTR SS:[EBP-0x14]
00483AA9  |.  BA 03000000 MOV    EDX, 0x3
00483AAE  |.  8B45 F0    MOV    EAX, DWORD PTR SS:[EBP-0x10]             ;  假码
00483AB1  |.  E8 024CFBFF CALL cac.004386B8
00483AB6  |.  8D8D 08FEFFFF LEA    ECX, DWORD PTR SS:[EBP-0x1F8]
00483ABC  |.  BA 0E000000 MOV    EDX, 0xE                               ;  E=14
00483AC1  |.  8B45 F0    MOV    EAX, DWORD PTR SS:[EBP-0x10]
00483AC4  |.  E8 EF4BFBFF CALL cac.004386B8                            ;  只取注册码的前14位进行计算比较
00483AC9  |.  8B85 08FEFFFF MOV    EAX, DWORD PTR SS:[EBP-0x1F8]
00483ACF  |.  8D4D E8    LEA    ECX, DWORD PTR SS:[EBP-0x18]
00483AD2  |.  BA 02000000 MOV    EDX, 0x2
00483AD7  |.  E8 F84BFBFF CALL cac.004386D4
00483ADC  |.  8B45 F4    MOV    EAX, DWORD PTR SS:[EBP-0xC]
00483ADF  |.  E8 B40FF8FF CALL cac.00404A98
00483AE4  |.  85C0       TEST EAX, EAX
00483AE6  |.  7E 19       JLE    SHORT cac.00483B01
00483AE8  |.  BA 01000000 MOV    EDX, 0x1
00483AED  |>  8B4D F4    /MOV    ECX, DWORD PTR SS:[EBP-0xC]             ;  算法一部分
00483AF0  |.  8A4C11 FF    |MOV    CL, BYTE PTR DS:[ECX+EDX-0x1]
00483AF4  |.  81E1 FF000000 |AND    ECX, 0xFF
00483AFA  |.  014D FC    |ADD    DWORD PTR SS:[EBP-0x4], ECX
00483AFD  |.  42          |INC    EDX
00483AFE  |.  48          |DEC    EAX
00483AFF  |.^ 75 EC       \JNZ    SHORT cac.00483AED
00483B01  |>  8D55 F4    LEA    EDX, DWORD PTR SS:[EBP-0xC]
00483B04  |.  8B45 FC    MOV    EAX, DWORD PTR SS:[EBP-0x4]
00483B07  |.  E8 A052F8FF CALL cac.00408DAC                            ;  819？？？？？
00483B0C  |.  8D4D E4    LEA    ECX, DWORD PTR SS:[EBP-0x1C]
00483B0F  |.  BA 01000000 MOV    EDX, 0x1                               ;  注册名的ASCII和（十进制）
00483B14  |.  8B45 F4    MOV    EAX, DWORD PTR SS:[EBP-0xC]
00483B17  |.  E8 B84BFBFF CALL cac.004386D4
00483B1C  |.  8D4D E0    LEA    ECX, DWORD PTR SS:[EBP-0x20]
00483B1F  |.  BA 01000000 MOV    EDX, 0x1
00483B24  |.  8B45 F4    MOV    EAX, DWORD PTR SS:[EBP-0xC]
00483B27  |.  E8 8C4BFBFF CALL cac.004386B8
00483B2C  |.  8D8D 04FEFFFF LEA    ECX, DWORD PTR SS:[EBP-0x1FC]
00483B32  |.  BA 04000000 MOV    EDX, 0x4
00483B37  |.  8B45 F0    MOV    EAX, DWORD PTR SS:[EBP-0x10]
00483B3A  |.  E8 794BFBFF CALL cac.004386B8                            ;  假码取前四个
00483B3F  |.  8B85 04FEFFFF MOV    EAX, DWORD PTR SS:[EBP-0x1FC]
00483B45  |.  8D4D DC    LEA    ECX, DWORD PTR SS:[EBP-0x24]
00483B48  |.  BA 01000000 MOV    EDX, 0x1
00483B4D  |.  E8 824BFBFF CALL cac.004386D4
00483B52  |.  8D8D 00FEFFFF LEA    ECX, DWORD PTR SS:[EBP-0x200]
00483B58  |.  BA 09000000 MOV    EDX, 0x9
00483B5D  |.  8B45 F0    MOV    EAX, DWORD PTR SS:[EBP-0x10]
00483B60  |.  E8 534BFBFF CALL cac.004386B8                            ;  假码取前9个
00483B65  |.  8B85 00FEFFFF MOV    EAX, DWORD PTR SS:[EBP-0x200]
00483B6B  |.  8D4D D8    LEA    ECX, DWORD PTR SS:[EBP-0x28]
00483B6E  |.  BA 01000000 MOV    EDX, 0x1
00483B73  |.  E8 5C4BFBFF CALL cac.004386D4
00483B78  |.  C683 38040000>MOV    BYTE PTR DS:[EBX+0x438], 0x0
00483B7F  |.  8B45 E4    MOV    EAX, DWORD PTR SS:[EBP-0x1C]             ;  9
00483B82  |.  8B55 DC    MOV    EDX, DWORD PTR SS:[EBP-0x24]             ;  这里是取假码的第四位，与用户名之和的最后一位比较
00483B85  |.  E8 5210F8FF CALL cac.00404BDC                            ;  前面有个1和4
00483B8A    75 32       JNZ    SHORT cac.00483BBE                      ;  只要改掉这几处跳就可以了（改成nop）
00483B8C  |.  8B45 E0    MOV    EAX, DWORD PTR SS:[EBP-0x20]             ;  8，第一位
00483B8F  |.  8B55 D8    MOV    EDX, DWORD PTR SS:[EBP-0x28]             ;  注册码的第9位比较
00483B92  |.  E8 4510F8FF CALL cac.00404BDC
00483B97    75 25       JNZ    SHORT cac.00483BBE                      ;  改nop
00483B99  |.  8B45 EC    MOV    EAX, DWORD PTR SS:[EBP-0x14]             ;  注册码的前三位与e3k比较
00483B9C  |.  BA 243C4800 MOV    EDX, cac.00483C24                      ;  e3k
00483BA1  |.  E8 3610F8FF CALL cac.00404BDC                            ;  这个函数应该是比较
00483BA6    75 16       JNZ    SHORT cac.00483BBE                      ;  改nop
00483BA8  |.  8B45 E8    MOV    EAX, DWORD PTR SS:[EBP-0x18]             ;  难道这是最后两位？等下再验证一下与n3比较，只取注册码的前14位，所以是最后两位
00483BAB  |.  BA 303C4800 MOV    EDX, cac.00483C30                      ;  n3
00483BB0  |.  E8 2710F8FF CALL cac.00404BDC
00483BB5    75 07       JNZ    SHORT cac.00483BBE                      ;  改nop
00483BB7  |.  C683 38040000>MOV    BYTE PTR DS:[EBX+0x438], 0x1
00483BBE  |>  80BB 38040000>CMP    BYTE PTR DS:[EBX+0x438], 0x0
00483BC5    74 0D       JE    SHORT cac.00483BD4                      ;  改nop，改不改都无所谓
00483BC7  |.  33D2       XOR    EDX, EDX
00483BC9  |.  8B83 34030000 MOV    EAX, DWORD PTR DS:[EBX+0x334]
00483BCF  |.  E8 3CD2FCFF CALL cac.00450E10
00483BD4  |>  33C0       XOR    EAX, EAX
00483BD6  |.  5A          POP    EDX
00483BD7  |.  59          POP    ECX
00483BD8  |.  59          POP    ECX
00483BD9  |.  64:8910    MOV    DWORD PTR FS:[EAX], EDX
00483BDC  |.  68 063C4800 PUSH cac.00483C06
00483BE1  |>  8D85 00FEFFFF LEA    EAX, DWORD PTR SS:[EBP-0x200]
00483BE7  |.  BA 03000000 MOV    EDX, 0x3
00483BEC  |.  E8 130CF8FF CALL cac.00404804
00483BF1  |.  8D45 D8    LEA    EAX, DWORD PTR SS:[EBP-0x28]
00483BF4  |.  BA 09000000 MOV    EDX, 0x9
00483BF9  |.  E8 060CF8FF CALL cac.00404804
00483BFE  \.  C3          RETN
========================================

算法总结
1.计算用户名的ASCII和（十进制的），设为A
2.取假码的第四位与A的最后一位比较
3.取假码的第9位与A的第一位比较
4.注册码的前三位必须是e3k
5.注册码的最后两位必须是n3
6.只取注册码的前14位，后面的可以随便加，呵呵

附上一组注册码：
飘云阁
e3k957AC1IIKn3ChinaPYG

测试了一下，2.01及2.5都可以注册成功
注册机源码

unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;
type
TForm1 = class(TForm)
edt1: TEdit;
edt2: TEdit;
lbl1: TLabel;
lbl2: TLabel;
Button1: TButton;
lbl3: TLabel;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
function RandomStr(majuscule: boolean; lowercase: boolean; number: boolean; digit: integer): string;
//大写字母,小写字母,数字,字符串的位数
//这个函数网上找的，呵呵，其实还有很多写法
var
i: Byte;
s: string;
begin
if majuscule then
s := 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
else
s := '';
if lowercase then
s := s + 'abcdefghijklmnopqrstuvwxyz';
if number then
s := s + '0123456789';
if s = '' then exit;
Result := '';
for i := 0 to digit - 1 do //根据长度来循环
begin
Randomize; //每次都初始化随机种子
Result := Result + s[Random(Length(s) - 1) + 1];
end;
end;
procedure TForm1.Button1Click(Sender: TObject);
var i, SUM: Integer;
str1, str2, str3: string;
begin
SUM := 0;
for i := 1 to Length(edt1.Text) do
begin
SUM := SUM + ord(edt1.Text[i]);
end;
str1 := IntToStr(SUM);
Str2 := RandomStr(True, True, True, 4);
str3 := RandomStr(True, True, True, 3);
edt2.Text := 'e3k' + str1[Length(str1)] + Str2 + str1[1] + str3 + 'n3ChinaPYG';
end;
end.

复制代码

Computer Alarm Clock v2.5 KeyGen.rar (415.73 KB, 下载次数: 23)

某大牛说我的软件界面太难看，所以加个皮肤，呵呵
QQ截圖20140625015453.jpg

GeekCat · 发表于 2014-6-25 02:26:53

大牛，佩服！我对算法都分析不了更不要说自己也注册机！！

sdnyzjzx · 发表于 2014-6-25 07:31:33

皮肤如何加？

醉月清风 · 发表于 2014-6-25 08:58:56

果然是牛啊

cfc1680 · 发表于 2014-6-25 10:36:50

很给力，学习了，顶起了

xz00311 · 发表于 2014-6-25 11:46:10

不知道这软件干嘛的应该是闹钟之类的吧

DaShanRen · 发表于 2014-6-26 08:47:16

本帖最后由 DaShanRen 于 2014-6-26 08:50 编辑

写注册机用VB好，用VB仿制一个：

Private Sub Command1_Click()
Dim Sum As Integer, i As Integer, IDbyt() As Byte, n As Integer
Dim Str1 As String, Str2 As String, Str3 As String

IDbyt = StrConv(Text1, vbFromUnicode)
n = UBound(IDbyt)
For i = 0 To n
Sum = Sum + IDbyt(i)
Next
Str1 = Sum
Str2 = RandomStr(True, True, True, 4)
Str3 = RandomStr(True, True, True, 3)
Text2 = "e3k" & Right(Str1, 1) & Str2 & Left(Str1, 1) & Str3 & "n3ChinaPYG"
End Sub

Private Function RandomStr(majuscule As Boolean, lowercase As Boolean, number As Boolean, digit As Integer) As String
Dim i As Integer, s As String, m As Integer, Stmp As String

If majuscule Then s = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
If lowercase Then s = s & "abcdefghijklmnopqrstuvwxyz"
If number Then s = s & "0123456789"

If s = "" Then Exit Function

m = Len(s)
Randomize
For i = 1 To digit
Stmp = Stmp & Mid(s, (m - 1) * Rnd + 1, 1)
Next
RandomStr = Stmp
End Function

DaShanRen · 发表于 2014-6-26 08:51:10

咋加代码就变成乱码了？

DragonLoft · 发表于 2014-7-5 09:42:10

果真是大牛啊。

y8160000 · 发表于 2014-7-6 10:35:36

学习了,对于我这个新手来说还有好多的看不明白.

		自动登录	找回密码
密码			加入我们

[原创] Computer Alarm Clock v2.2注册算法分析【附上注册机】

评分